npm - agentaudit - Versions diffs - 3.9.28 → 3.9.30 - Mend

agentaudit 3.9.28 → 3.9.30

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/cli.mjs CHANGED Viewed

@@ -1,2251 +1,2302 @@
-#!/usr/bin/env node
-/**
- * AgentAudit CLI — Security scanner for AI tools
- *
- * Scan & Audit:  scan <url>, audit <url>, discover
- * Registry:      check <name|url>, lookup <name>
- * Setup:         status, setup, config
- *
- * Global flags: --json, --quiet, --no-color, --provider, --debug, --export
- */
-import fs from 'fs';
-import os from 'os';
-import path from 'path';
-import { execSync } from 'child_process';
-import { createInterface } from 'readline';
-import { fileURLToPath } from 'url';
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-const SKILL_DIR = path.resolve(__dirname);
-const REGISTRY_URL = 'https://agentaudit.dev';
-// ── Provider resolution ────
-function resolveProvider(flagOverride, keys) {
-  const orModel = process.env.OPENROUTER_MODEL || 'anthropic/claude-sonnet-4';
-  const ollamaModel = process.env.OLLAMA_MODEL || 'llama3.1';
-  const ollamaHost = process.env.OLLAMA_HOST || 'http://localhost:11434';
-  const customUrl = process.env.LLM_API_URL;
-  const customKey = process.env.LLM_API_KEY;
-  const customModel = process.env.LLM_MODEL || 'default';
-  const providers = {
-    anthropic: keys.anthropicKey ? { id: 'anthropic', label: 'Anthropic (Claude)', key: keys.anthropicKey } : null,
-    openai: keys.openaiKey ? { id: 'openai', label: 'OpenAI (GPT-4o)', key: keys.openaiKey } : null,
-    openrouter: keys.openrouterKey ? { id: 'openrouter', label: `OpenRouter (${orModel})`, key: keys.openrouterKey } : null,
-    ollama: process.env.OLLAMA_MODEL || process.env.OLLAMA_HOST ? { id: 'ollama', label: `Ollama (${ollamaModel})`, key: null, host: ollamaHost, model: ollamaModel } : null,
-    custom: customUrl ? { id: 'custom', label: `Custom (${customModel})`, key: customKey, url: customUrl, model: customModel } : null,
-  };
-  // Aliases
-  const aliases = { claude: 'anthropic', gpt: 'openai', 'gpt-4o': 'openai', 'gpt4': 'openai', or: 'openrouter', local: 'ollama' };
-  // Priority: --provider flag > AGENTAUDIT_PROVIDER env > config file > model-inferred > auto-detect
-  const preferred = flagOverride
-    || process.env.AGENTAUDIT_PROVIDER?.toLowerCase()
-    || loadConfig()?.preferred_provider
-    || null;
-  if (preferred) {
-    const resolved = aliases[preferred] || preferred;
-    const p = providers[resolved];
-    if (!p) return null;
-    return p;
-  }
-  // Smart inference: if model is set, try to match it to a provider
-  const activeModel = globalModelOverride || process.env.AGENTAUDIT_MODEL || loadConfig()?.preferred_model;
-  if (activeModel) {
-    const lm = activeModel.toLowerCase();
-    // Direct provider models (no slash = native format)
-    if (!lm.includes('/')) {
-      if (lm.startsWith('claude') && providers.anthropic) return providers.anthropic;
-      if ((lm.startsWith('gpt') || lm.startsWith('o3') || lm.startsWith('o4') || lm.startsWith('o1')) && providers.openai) return providers.openai;
-      if (providers.ollama && (process.env.OLLAMA_MODEL || process.env.OLLAMA_HOST)) return providers.ollama;
-    }
-    // Slash format = OpenRouter convention (provider/model)
-    if (lm.includes('/') && providers.openrouter) return providers.openrouter;
-  }
-  // Auto-detect priority: Anthropic > OpenAI > OpenRouter > Custom > Ollama (local last — usually weaker)
-  return providers.anthropic || providers.openai || providers.openrouter || providers.custom || providers.ollama || null;
-}
-// ── Global flags (set in main before command routing) ────
-let jsonMode = false;
-let quietMode = false;
-let modelOverride = null; // --model flag or AGENTAUDIT_MODEL env or config
-let globalModelOverride = null; // same, but set early for resolveProvider
-// ── ANSI Colors (respects NO_COLOR and --no-color) ───────
-const noColor = !!(process.env.NO_COLOR || process.argv.includes('--no-color'));
-const c = noColor ? {
-  reset: '', bold: '', dim: '', red: '', green: '', yellow: '',
-  blue: '', magenta: '', cyan: '', white: '', gray: '',
-  bgRed: '', bgGreen: '', bgYellow: '',
-} : {
-  reset: '\x1b[0m',
-  bold: '\x1b[1m',
-  dim: '\x1b[2m',
-  red: '\x1b[31m',
-  green: '\x1b[32m',
-  yellow: '\x1b[33m',
-  blue: '\x1b[34m',
-  magenta: '\x1b[35m',
-  cyan: '\x1b[36m',
-  white: '\x1b[37m',
-  gray: '\x1b[90m',
-  bgRed: '\x1b[41m',
-  bgGreen: '\x1b[42m',
-  bgYellow: '\x1b[43m',
-};
-const icons = {
-  safe: `${c.green}✔${c.reset}`,
-  caution: `${c.yellow}⚠${c.reset}`,
-  unsafe: `${c.red}✖${c.reset}`,
-  info: `${c.blue}ℹ${c.reset}`,
-  scan: `${c.cyan}◉${c.reset}`,
-  tree: `${c.gray}├──${c.reset}`,
-  treeLast: `${c.gray}└──${c.reset}`,
-  pipe: `${c.gray}│${c.reset}`,
-  bullet: `${c.gray}•${c.reset}`,
-};
-// ── Credentials ─────────────────────────────────────────
-const home = process.env.HOME || process.env.USERPROFILE || '';
-const xdgConfig = process.env.XDG_CONFIG_HOME || path.join(home, '.config');
-const USER_CRED_DIR = path.join(xdgConfig, 'agentaudit');
-const USER_CRED_FILE = path.join(USER_CRED_DIR, 'credentials.json');
-const SKILL_CRED_FILE = path.join(SKILL_DIR, 'config', 'credentials.json');
-function loadCredentials() {
-  for (const f of [SKILL_CRED_FILE, USER_CRED_FILE]) {
-    if (fs.existsSync(f)) {
-      try {
-        const data = JSON.parse(fs.readFileSync(f, 'utf8'));
-        if (data.api_key) return data;
-      } catch {}
-    }
-  }
-  if (process.env.AGENTAUDIT_API_KEY) {
-    return { api_key: process.env.AGENTAUDIT_API_KEY, agent_name: 'env' };
-  }
-  return null;
-}
-function saveCredentials(data) {
-  const json = JSON.stringify(data, null, 2);
-  fs.mkdirSync(USER_CRED_DIR, { recursive: true });
-  fs.writeFileSync(USER_CRED_FILE, json, { mode: 0o600 });
-  try {
-    fs.mkdirSync(path.dirname(SKILL_CRED_FILE), { recursive: true });
-    fs.writeFileSync(SKILL_CRED_FILE, json, { mode: 0o600 });
-  } catch {}
-}
-const USER_CONFIG_FILE = path.join(USER_CRED_DIR, 'config.json');
-function loadConfig() {
-  try {
-    if (fs.existsSync(USER_CONFIG_FILE)) {
-      return JSON.parse(fs.readFileSync(USER_CONFIG_FILE, 'utf8'));
-    }
-  } catch {}
-  return {};
-}
-function saveConfig(data) {
-  const existing = loadConfig();
-  const merged = { ...existing, ...data };
-  fs.mkdirSync(USER_CRED_DIR, { recursive: true });
-  fs.writeFileSync(USER_CONFIG_FILE, JSON.stringify(merged, null, 2), { mode: 0o600 });
-}
-function askQuestion(question) {
-  const rl = createInterface({ input: process.stdin, output: process.stdout });
-  return new Promise(resolve => rl.question(question, answer => { rl.close(); resolve(answer.trim()); }));
-}
-/**
- * Interactive multi-select in terminal. No dependencies.
- * items: [{ label, sublabel?, value, checked? }]
- * Returns: array of selected values
- */
-function multiSelect(items, { title = 'Select items', hint = 'Space=toggle  ↑↓=move  a=all  n=none  Enter=confirm' } = {}) {
-  return new Promise((resolve) => {
-    if (!process.stdin.isTTY) {
-      // Non-interactive: return all items
-      resolve(items.map(i => i.value));
-      return;
-    }
-    const selected = new Set(items.filter(i => i.checked).map((_, idx) => idx));
-    let cursor = 0;
-    const render = () => {
-      // Move cursor up to overwrite previous render
-      process.stdout.write(`\x1b[${items.length + 3}A\x1b[J`);
-      draw();
-    };
-    const draw = () => {
-      console.log(`  ${c.bold}${title}${c.reset}  ${c.dim}(${selected.size}/${items.length} selected)${c.reset}`);
-      console.log(`  ${c.dim}${hint}${c.reset}`);
-      console.log();
-      for (let i = 0; i < items.length; i++) {
-        const item = items[i];
-        const isCursor = i === cursor;
-        const isSelected = selected.has(i);
-        const pointer = isCursor ? `${c.cyan}❯${c.reset}` : ' ';
-        const checkbox = isSelected ? `${c.green}◉${c.reset}` : `${c.dim}○${c.reset}`;
-        const label = isCursor ? `${c.bold}${item.label}${c.reset}` : item.label;
-        const sub = item.sublabel ? `  ${c.dim}${item.sublabel}${c.reset}` : '';
-        console.log(` ${pointer} ${checkbox}  ${label}${sub}`);
-      }
-    };
-    // Initial draw
-    draw();
-    process.stdin.setRawMode(true);
-    process.stdin.resume();
-    process.stdin.setEncoding('utf8');
-    const onData = (key) => {
-      // Ctrl+C
-      if (key === '\x03') {
-        process.stdin.setRawMode(false);
-        process.stdin.pause();
-        process.stdin.removeListener('data', onData);
-        console.log();
-        process.exitCode = 0; return;
-      }
-      // Enter
-      if (key === '\r' || key === '\n') {
-        process.stdin.setRawMode(false);
-        process.stdin.pause();
-        process.stdin.removeListener('data', onData);
-        resolve(items.filter((_, i) => selected.has(i)).map(i => i.value));
-        return;
-      }
-      // Space — toggle
-      if (key === ' ') {
-        if (selected.has(cursor)) selected.delete(cursor);
-        else selected.add(cursor);
-        render();
-        return;
-      }
-      // a — select all
-      if (key === 'a') {
-        for (let i = 0; i < items.length; i++) selected.add(i);
-        render();
-        return;
-      }
-      // n — select none
-      if (key === 'n') {
-        selected.clear();
-        render();
-        return;
-      }
-      // Arrow up / k
-      if (key === '\x1b[A' || key === 'k') {
-        cursor = (cursor - 1 + items.length) % items.length;
-        render();
-        return;
-      }
-      // Arrow down / j
-      if (key === '\x1b[B' || key === 'j') {
-        cursor = (cursor + 1) % items.length;
-        render();
-        return;
-      }
-    };
-    process.stdin.on('data', onData);
-  });
-}
-async function registerAgent(agentName) {
-  const res = await fetch(`${REGISTRY_URL}/api/register`, {
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
-    body: JSON.stringify({ agent_name: agentName }),
-    signal: AbortSignal.timeout(15_000),
-  });
-  if (!res.ok) throw new Error(`Registration failed (HTTP ${res.status}): ${await res.text()}`);
-  return res.json();
-}
-async function setupCommand() {
-  console.log(`  ${c.bold}Setup${c.reset}`);
-  console.log();
-  const existing = loadCredentials();
-  if (existing) {
-    console.log(`  ${icons.safe}  Already configured as ${c.bold}${existing.agent_name}${c.reset}`);
-    console.log(`  ${c.dim}Key: ${existing.api_key.slice(0, 8)}...${c.reset}`);
-    console.log();
-    const answer = await askQuestion(`  Reconfigure? ${c.dim}(y/N)${c.reset} `);
-    if (answer.toLowerCase() !== 'y') {
-      console.log(`  ${c.dim}Keeping existing config.${c.reset}`);
-      return;
-    }
-    console.log();
-  }
-  console.log(`  ${c.bold}1)${c.reset} Register new agent ${c.dim}(free, creates API key automatically)${c.reset}`);
-  console.log(`  ${c.bold}2)${c.reset} Enter existing API key`);
-  console.log();
-  const choice = await askQuestion(`  Choice ${c.dim}(1/2)${c.reset}: `);
-  console.log();
-  if (choice === '2') {
-    const key = await askQuestion(`  API Key: `);
-    if (!key) { console.log(`  ${c.red}No key entered.${c.reset}`); return; }
-    const name = await askQuestion(`  Agent name ${c.dim}(optional)${c.reset}: `);
-    saveCredentials({ api_key: key, agent_name: name || 'custom' });
-    console.log();
-    console.log(`  ${icons.safe}  Saved! Key stored in ${c.dim}${USER_CRED_FILE}${c.reset}`);
-  } else {
-    const name = await askQuestion(`  Agent name ${c.dim}(e.g. my-scanner, claude-desktop)${c.reset}: `);
-    if (!name || !/^[a-zA-Z0-9._-]{2,64}$/.test(name)) {
-      console.log(`  ${c.red}Invalid name. Use 2-64 chars: letters, numbers, dash, underscore, dot.${c.reset}`);
-      return;
-    }
-    process.stdout.write(`  Registering ${c.bold}${name}${c.reset}...`);
-    try {
-      const data = await registerAgent(name);
-      saveCredentials({ api_key: data.api_key, agent_name: data.agent_name });
-      console.log(` ${c.green}done!${c.reset}`);
-      console.log();
-      console.log(`  ${icons.safe}  Registered as ${c.bold}${data.agent_name}${c.reset}`);
-      console.log(`  ${c.dim}Key: ${data.api_key.slice(0, 12)}...${c.reset}`);
-      console.log(`  ${c.dim}Saved to: ${USER_CRED_FILE}${c.reset}`);
-    } catch (err) {
-      console.log(` ${c.red}failed${c.reset}`);
-      console.log(`  ${c.red}${err.message}${c.reset}`);
-      return;
-    }
-  }
-  console.log();
-  console.log(`  ${c.bold}Ready!${c.reset} You can now:`);
-  console.log(`  ${c.dim}•${c.reset} Discover servers: ${c.cyan}agentaudit discover${c.reset}`);
-  console.log(`  ${c.dim}•${c.reset} Audit packages:   ${c.cyan}agentaudit audit <repo-url>${c.reset}  ${c.dim}(deep LLM analysis)${c.reset}`);
-  console.log(`  ${c.dim}•${c.reset} Quick scan:        ${c.cyan}agentaudit scan <repo-url>${c.reset}  ${c.dim}(regex-based)${c.reset}`);
-  console.log(`  ${c.dim}•${c.reset} Check registry:    ${c.cyan}agentaudit check <name>${c.reset}`);
-  console.log(`  ${c.dim}•${c.reset} Submit reports via MCP in Claude/Cursor/Windsurf`);
-  console.log();
-}
-// ── Structured error output ─────────────────────────────
-function emitError(code, message, hint, exitCode = 2) {
-  if (jsonMode) {
-    process.stderr.write(JSON.stringify({ error: true, code, message, hint: hint || undefined, exitCode }) + '\n');
-  }
-  process.exitCode = exitCode;
-}
-// ── Levenshtein distance for typo correction ────────────
-function levenshtein(a, b) {
-  const m = a.length, n = b.length;
-  const dp = Array.from({ length: m + 1 }, () => Array(n + 1).fill(0));
-  for (let i = 0; i <= m; i++) dp[i][0] = i;
-  for (let j = 0; j <= n; j++) dp[0][j] = j;
-  for (let i = 1; i <= m; i++)
-    for (let j = 1; j <= n; j++)
-      dp[i][j] = Math.min(dp[i-1][j] + 1, dp[i][j-1] + 1, dp[i-1][j-1] + (a[i-1] !== b[j-1] ? 1 : 0));
-  return dp[m][n];
-}
-// ── Helpers ──────────────────────────────────────────────
-function getVersion() {
-  try {
-    const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, 'package.json'), 'utf8'));
-    return pkg.version || '0.0.0';
-  } catch { return '0.0.0'; }
-}
-function banner() {
-  if (quietMode || jsonMode) return;
-  const creds = loadCredentials();
-  const agentInfo = creds?.agent_name ? `  ${c.dim}·${c.reset}  ${c.green}${creds.agent_name}${c.reset}` : '';
-  console.log();
-  console.log(`  🛡  ${c.bold}${c.cyan}AgentAudit${c.reset} ${c.dim}v${getVersion()}${c.reset}${agentInfo}`);
-  console.log(`  ${c.dim}Security scanner for AI tools${c.reset}`);
-  console.log();
-}
-function slugFromUrl(url) {
-  const match = url.match(/github\.com\/([^/]+)\/([^/.\s]+)/);
-  if (match) {
-    const owner = match[1].toLowerCase().replace(/[^a-z0-9-]/g, '-');
-    const repo = match[2].toLowerCase().replace(/[^a-z0-9-]/g, '-');
-    // Generic repo names get owner prefix to avoid collisions
-    const generic = ['mcp', 'server', 'plugin', 'tool', 'agent', 'sdk', 'api', 'app', 'cli', 'lib', 'core'];
-    if (generic.includes(repo)) return `${owner}-${repo}`;
-    return repo;
-  }
-  return url.replace(/[^a-z0-9]/gi, '-').toLowerCase().slice(0, 60);
-}
-function elapsed(startMs) {
-  const ms = Date.now() - startMs;
-  if (ms < 1000) return `${ms}ms`;
-  return `${(ms / 1000).toFixed(1)}s`;
-}
-function riskBadge(score) {
-  if (score === 0) return `${c.bgGreen}${c.bold}${c.white} SAFE ${c.reset}`;
-  if (score <= 10) return `${c.bgGreen}${c.white} LOW ${c.reset}`;
-  if (score <= 30) return `${c.bgYellow}${c.bold} CAUTION ${c.reset}`;
-  return `${c.bgRed}${c.bold}${c.white} UNSAFE ${c.reset}`;
-}
-function severityColor(sev) {
-  switch (sev) {
-    case 'critical': return c.red;
-    case 'high': return c.red;
-    case 'medium': return c.yellow;
-    case 'low': return c.blue;
-    default: return c.gray;
-  }
-}
-function severityIcon(sev) {
-  switch (sev) {
-    case 'critical': return `${c.red}●${c.reset}`;
-    case 'high': return `${c.red}●${c.reset}`;
-    case 'medium': return `${c.yellow}●${c.reset}`;
-    case 'low': return `${c.blue}●${c.reset}`;
-    default: return `${c.green}●${c.reset}`;
-  }
-}
-// ── File Collection (same logic as MCP server) ──────────
-function extractJSON(text) {
-  // 1. Try parsing the entire text as JSON directly
-  try { return JSON.parse(text.trim()); } catch {}
-  // 2. Strip markdown code fences — try last fence first (report is usually at the end)
-  const fenceMatches = [...text.matchAll(/```(?:json)?\s*\n?([\s\S]*?)\n?\s*```/g)];
-  for (let i = fenceMatches.length - 1; i >= 0; i--) {
-    try {
-      const parsed = JSON.parse(fenceMatches[i][1].trim());
-      if (parsed && typeof parsed === 'object' && ('risk_score' in parsed || 'findings' in parsed || 'result' in parsed)) return parsed;
-    } catch {}
-  }
-  // Try any fence even without report keys
-  for (let i = fenceMatches.length - 1; i >= 0; i--) {
-    try { return JSON.parse(fenceMatches[i][1].trim()); } catch {}
-  }
-  // 3. Find ALL balanced top-level { ... } blocks, try each (prefer largest valid one)
-  const blocks = [];
-  let searchFrom = 0;
-  while (searchFrom < text.length) {
-    const start = text.indexOf('{', searchFrom);
-    if (start === -1) break;
-    let depth = 0, inStr = false, esc = false;
-    let end = -1;
-    for (let i = start; i < text.length; i++) {
-      const ch = text[i];
-      if (esc) { esc = false; continue; }
-      if (ch === '\\' && inStr) { esc = true; continue; }
-      if (ch === '"') { inStr = !inStr; continue; }
-      if (inStr) continue;
-      if (ch === '{') depth++;
-      else if (ch === '}') { depth--; if (depth === 0) { end = i; break; } }
-    }
-    if (end > start) {
-      blocks.push(text.slice(start, end + 1));
-      searchFrom = end + 1;
-    } else {
-      searchFrom = start + 1;
-    }
-  }
-  // Try largest block first (the report JSON is usually the biggest)
-  blocks.sort((a, b) => b.length - a.length);
-  for (const block of blocks) {
-    try { return JSON.parse(block); } catch {}
-  }
-  return null;
-}
-const MAX_FILE_SIZE = 50_000;
-const MAX_TOTAL_SIZE = 300_000;
-const SKIP_DIRS = new Set([
-  'node_modules', '.git', '__pycache__', '.venv', 'venv', 'dist', 'build',
-  '.next', '.nuxt', 'coverage', '.pytest_cache', '.mypy_cache', 'vendor',
-  'test', 'tests', '__tests__', 'spec', 'specs', 'docs', 'doc',
-  'examples', 'example', 'fixtures', '.github', '.vscode', '.idea',
-  'e2e', 'benchmark', 'benchmarks', '.tox', '.eggs', 'htmlcov',
-]);
-const SKIP_EXTENSIONS = new Set([
-  '.lock', '.png', '.jpg', '.jpeg', '.gif', '.svg', '.ico', '.woff',
-  '.woff2', '.ttf', '.eot', '.mp3', '.mp4', '.zip', '.tar', '.gz',
-  '.map', '.min.js', '.min.css', '.d.ts', '.pyc', '.pyo', '.so',
-  '.dylib', '.dll', '.exe', '.bin', '.dat', '.db', '.sqlite',
-]);
-function collectFiles(dir, basePath = '', collected = [], totalSize = { bytes: 0 }) {
-  if (totalSize.bytes >= MAX_TOTAL_SIZE) return collected;
-  let entries;
-  try { entries = fs.readdirSync(dir, { withFileTypes: true }); }
-  catch { return collected; }
-  entries.sort((a, b) => a.name.localeCompare(b.name));
-  for (const entry of entries) {
-    if (totalSize.bytes >= MAX_TOTAL_SIZE) break;
-    const relPath = basePath ? `${basePath}/${entry.name}` : entry.name;
-    const fullPath = path.join(dir, entry.name);
-    if (entry.isDirectory()) {
-      if (SKIP_DIRS.has(entry.name) || entry.name.startsWith('.')) continue;
-      collectFiles(fullPath, relPath, collected, totalSize);
-    } else {
-      const ext = path.extname(entry.name).toLowerCase();
-      if (SKIP_EXTENSIONS.has(ext)) continue;
-      try {
-        const stat = fs.statSync(fullPath);
-        if (stat.size > MAX_FILE_SIZE || stat.size === 0) continue;
-        const content = fs.readFileSync(fullPath, 'utf8');
-        totalSize.bytes += content.length;
-        collected.push({ path: relPath, content, size: stat.size });
-      } catch {}
-    }
-  }
-  return collected;
-}
-// ── Detect package properties ───────────────────────────
-function detectPackageInfo(repoPath, files) {
-  const info = { type: 'unknown', tools: [], prompts: [], language: 'unknown', entrypoint: null };
-  // Detect language
-  const exts = files.map(f => path.extname(f.path).toLowerCase());
-  const extCounts = {};
-  exts.forEach(e => { extCounts[e] = (extCounts[e] || 0) + 1; });
-  const topExt = Object.entries(extCounts).sort((a, b) => b[1] - a[1])[0]?.[0];
-  const langMap = { '.py': 'Python', '.js': 'JavaScript', '.ts': 'TypeScript', '.mjs': 'JavaScript', '.rs': 'Rust', '.go': 'Go', '.java': 'Java', '.rb': 'Ruby' };
-  info.language = langMap[topExt] || topExt || 'unknown';
-  // Detect package type
-  const allContent = files.map(f => f.content).join('\n');
-  if (allContent.includes('@modelcontextprotocol') || allContent.includes('FastMCP') || allContent.includes('mcp.server') || allContent.includes('mcp_server')) {
-    info.type = 'mcp-server';
-  } else if (files.some(f => f.path.toLowerCase() === 'skill.md')) {
-    info.type = 'agent-skill';
-  } else if (allContent.includes('#!/usr/bin/env') || allContent.includes('argparse') || allContent.includes('commander')) {
-    info.type = 'cli-tool';
-  } else {
-    info.type = 'library';
-  }
-  // Extract MCP tools (look for tool definitions)
-  const toolPatterns = [
-    // JS/TS: name: 'tool_name' or "tool_name" in tool definitions
-    /(?:name|tool_name)['":\s]+['"]([a-z_][a-z0-9_]*)['"]/gi,
-    // Python: @mcp.tool() def func_name or Tool(name="...")
-    /(?:@(?:mcp|server)\.tool\(\)[\s\S]*?def\s+([a-z_][a-z0-9_]*))|(?:Tool\s*\(\s*name\s*=\s*['"]([a-z_][a-z0-9_]*)['"])/gi,
-    // Direct: tool names in ListTools handlers
-    /['"]name['"]\s*:\s*['"]([a-z_][a-z0-9_]*)['"]/gi,
-  ];
-  const toolSet = new Set();
-  for (const file of files) {
-    for (const pattern of toolPatterns) {
-      pattern.lastIndex = 0;
-      let m;
-      while ((m = pattern.exec(file.content)) !== null) {
-        const name = m[1] || m[2];
-        if (name && name.length > 2 && name.length < 50 && !['type', 'name', 'string', 'object', 'number', 'boolean', 'array', 'required', 'description', 'default', 'null', 'true', 'false', 'none'].includes(name)) {
-          toolSet.add(name);
-        }
-      }
-    }
-  }
-  info.tools = [...toolSet];
-  // Extract prompts (look for prompt definitions)
-  const promptPatterns = [
-    /(?:prompt|PROMPT)['":\s]+['"]([a-z_][a-z0-9_]*)['"]/gi,
-    /@(?:mcp|server)\.prompt\(\)[\s\S]*?def\s+([a-z_][a-z0-9_]*)/gi,
-  ];
-  const promptSet = new Set();
-  for (const file of files) {
-    for (const pattern of promptPatterns) {
-      pattern.lastIndex = 0;
-      let m;
-      while ((m = pattern.exec(file.content)) !== null) {
-        if (m[1] && m[1].length > 2) promptSet.add(m[1]);
-      }
-    }
-  }
-  info.prompts = [...promptSet];
-  // Detect entrypoint
-  const entryFiles = ['index.js', 'index.ts', 'index.mjs', 'main.py', 'server.py', 'app.py', 'src/index.ts', 'src/main.ts', 'src/index.js'];
-  for (const ef of entryFiles) {
-    if (files.some(f => f.path === ef)) { info.entrypoint = ef; break; }
-  }
-  return info;
-}
-// ── Quick static checks ─────────────────────────────────
-function quickChecks(files) {
-  const findings = [];
-  const checks = [
-    {
-      id: 'EXEC_INJECTION',
-      title: 'Command injection risk',
-      severity: 'high',
-      pattern: /(?:exec(?:Sync)?|spawn|child_process|subprocess|os\.system|os\.popen|Popen)\s*\([^)]*(?:\$\{|`|\+\s*(?:req|input|args|param|user|query))/i,
-      category: 'injection',
-    },
-    {
-      id: 'EVAL_USAGE',
-      title: 'Dynamic code evaluation',
-      severity: 'high',
-      pattern: /(?:^|[^a-z])eval\s*\([^)]*(?:input|req|user|param|arg|query)/im,
-      category: 'injection',
-    },
-    {
-      id: 'HARDCODED_SECRET',
-      title: 'Potential hardcoded secret',
-      severity: 'medium',
-      pattern: /(?:api[_-]?key|password|secret|token)\s*[:=]\s*['"][A-Za-z0-9+/=_-]{16,}['"]/i,
-      category: 'secrets',
-    },
-    {
-      id: 'SSL_DISABLED',
-      title: 'SSL/TLS verification disabled',
-      severity: 'medium',
-      pattern: /(?:rejectUnauthorized\s*:\s*false|verify\s*=\s*False|VERIFY_SSL\s*=\s*false|NODE_TLS_REJECT_UNAUTHORIZED|InsecureRequestWarning)/i,
-      category: 'crypto',
-    },
-    {
-      id: 'PATH_TRAVERSAL',
-      title: 'Potential path traversal',
-      severity: 'medium',
-      pattern: /(?:\.\.\/|\.\.\\|path\.join|os\.path\.join)\s*\([^)]*(?:input|req|user|param|arg|query)/i,
-      category: 'filesystem',
-    },
-    {
-      id: 'CORS_WILDCARD',
-      title: 'Wildcard CORS origin',
-      severity: 'low',
-      pattern: /(?:Access-Control-Allow-Origin|cors)\s*[:({]\s*['"]\*/i,
-      category: 'network',
-    },
-    {
-      id: 'TELEMETRY',
-      title: 'Undisclosed telemetry',
-      severity: 'low',
-      pattern: /(?:posthog|mixpanel|analytics|telemetry|tracking|sentry).*(?:init|setup|track|capture)/i,
-      category: 'privacy',
-    },
-    {
-      id: 'SHELL_EXEC',
-      title: 'Shell command execution',
-      severity: 'high',
-      pattern: /(?:subprocess\.(?:run|call|Popen)|os\.system|os\.popen|execSync|child_process\.exec)\s*\(/i,
-      category: 'injection',
-    },
-    {
-      id: 'SQL_INJECTION',
-      title: 'Potential SQL injection',
-      severity: 'high',
-      pattern: /(?:execute|query|raw)\s*\(\s*(?:f['"]|['"].*?%s|['"].*?\{|['"].*?\+)/i,
-      category: 'injection',
-    },
-    {
-      id: 'YAML_UNSAFE',
-      title: 'Unsafe YAML loading',
-      severity: 'medium',
-      pattern: /yaml\.(?:load|unsafe_load)\s*\(/i,
-      category: 'deserialization',
-    },
-    {
-      id: 'PICKLE_LOAD',
-      title: 'Unsafe deserialization (pickle)',
-      severity: 'high',
-      pattern: /pickle\.loads?\s*\(/i,
-      category: 'deserialization',
-    },
-    {
-      id: 'PROMPT_INJECTION',
-      title: 'Prompt injection vector',
-      severity: 'high',
-      pattern: /(?:<IMPORTANT>|<SYSTEM>|ignore previous|you are now|new instructions)/i,
-      category: 'prompt-injection',
-    },
-  ];
-  for (const file of files) {
-    for (const check of checks) {
-      const match = check.pattern.exec(file.content);
-      if (match) {
-        // Find line number
-        const lines = file.content.slice(0, match.index).split('\n');
-        findings.push({
-          ...check,
-          file: file.path,
-          line: lines.length,
-          snippet: match[0].trim().slice(0, 80),
-          confidence: 'medium',
-        });
-      }
-    }
-  }
-  return findings;
-}
-// ── Registry check ──────────────────────────────────────
-async function checkRegistry(slug) {
-  try {
-    const res = await fetch(`${REGISTRY_URL}/api/skills/${encodeURIComponent(slug)}`, {
-      signal: AbortSignal.timeout(5000),
-    });
-    if (res.ok) return await res.json();
-  } catch {}
-  return null;
-}
-// ── Print results ───────────────────────────────────────
-function printScanResult(url, info, files, findings, registryData, duration) {
-  if (jsonMode) return; // JSON mode handles output separately
-  const slug = slugFromUrl(url);
-  // Quiet mode: compact one-line-per-package output
-  if (quietMode) {
-    if (findings.length > 0) {
-      const bySev = {};
-      for (const f of findings) { bySev[f.severity] = (bySev[f.severity] || 0) + 1; }
-      const sevStr = Object.entries(bySev).map(([s, n]) => {
-        const sc = severityColor(s);
-        return `${sc}${n} ${s}${c.reset}`;
-      }).join(', ');
-      console.log(`${icons.caution}  ${c.bold}${slug}${c.reset}  ${findings.length} findings (${sevStr})  ${c.dim}${duration}${c.reset}`);
-      for (const f of findings) {
-        const sc = severityColor(f.severity);
-        console.log(`   ${severityIcon(f.severity)} ${sc}${f.severity.toUpperCase().padEnd(8)}${c.reset} ${f.title}  ${c.dim}${f.file}:${f.line}${c.reset}`);
-      }
-    } else {
-      console.log(`${icons.safe}  ${c.bold}${slug}${c.reset}  ${c.green}clean${c.reset}  ${c.dim}${files.length} files, ${duration}${c.reset}`);
-    }
-    return;
-  }
-  // Header
-  console.log(`${icons.scan}  ${c.bold}${slug}${c.reset}  ${c.dim}${url}${c.reset}`);
-  console.log(`${icons.pipe}  ${c.dim}${info.language} ${info.type}${c.reset}  ${c.dim}${files.length} files scanned in ${duration}${c.reset}`);
-  // Tools & prompts tree
-  const items = [
-    ...info.tools.map(t => ({ kind: 'tool', name: t })),
-    ...info.prompts.map(p => ({ kind: 'prompt', name: p })),
-  ];
-  if (items.length > 0) {
-    console.log(`${icons.pipe}`);
-    for (let i = 0; i < items.length; i++) {
-      const isLast = i === items.length - 1 && findings.length === 0;
-      const branch = isLast ? icons.treeLast : icons.tree;
-      const item = items[i];
-      const kindLabel = item.kind === 'tool' ? `${c.dim}tool${c.reset}  ` : `${c.dim}prompt${c.reset}`;
-      const padName = item.name.padEnd(28);
-      // Check if this tool has a finding associated
-      const toolFinding = findings.find(f =>
-        f.snippet && f.snippet.toLowerCase().includes(item.name.toLowerCase())
-      );
-      if (toolFinding) {
-        const sc = severityColor(toolFinding.severity);
-        console.log(`${branch}  ${kindLabel}  ${c.bold}${padName}${c.reset} ${sc}⚠ flagged${c.reset} — ${toolFinding.title}`);
-      } else {
-        console.log(`${branch}  ${kindLabel}  ${c.bold}${padName}${c.reset} ${c.green}✔ ok${c.reset}`);
-      }
-    }
-  } else {
-    console.log(`${icons.pipe}  ${c.dim}(no tools or prompts detected)${c.reset}`);
-  }
-  // Findings
-  if (findings.length > 0) {
-    console.log(`${icons.pipe}`);
-    console.log(`${icons.pipe}  ${c.bold}Findings (${findings.length})${c.reset}  ${c.dim}static analysis — may include false positives${c.reset}`);
-    for (let i = 0; i < findings.length; i++) {
-      const f = findings[i];
-      const isLast = i === findings.length - 1;
-      const branch = isLast ? icons.treeLast : icons.tree;
-      const pipeOrSpace = isLast ? '   ' : `${icons.pipe}  `;
-      const sc = severityColor(f.severity);
-      console.log(`${branch}  ${severityIcon(f.severity)} ${sc}${f.severity.toUpperCase().padEnd(8)}${c.reset} ${f.title}`);
-      console.log(`${pipeOrSpace}   ${c.dim}${f.file}:${f.line}${c.reset}  ${c.dim}${f.snippet || ''}${c.reset}`);
-    }
-  }
-  // Registry status
-  console.log(`${icons.pipe}`);
-  if (registryData) {
-    const rd = registryData;
-    const riskScore = rd.risk_score ?? rd.latest_risk_score ?? 0;
-    console.log(`${icons.treeLast}  ${c.dim}registry${c.reset}  ${riskBadge(riskScore)} Risk ${riskScore}  ${c.dim}${REGISTRY_URL}/skills/${slug}${c.reset}`);
-  } else {
-    console.log(`${icons.treeLast}  ${c.dim}registry${c.reset}  ${c.dim}not audited yet${c.reset}`);
-  }
-  console.log();
-}
-function printSummary(results) {
-  const total = results.length;
-  const safe = results.filter(r => r.findings.length === 0).length;
-  const withFindings = total - safe;
-  const totalFindings = results.reduce((sum, r) => sum + r.findings.length, 0);
-  console.log(`${c.dim}${'─'.repeat(60)}${c.reset}`);
-  console.log(`  ${c.bold}Summary${c.reset}  ${total} packages scanned`);
-  console.log();
-  if (safe > 0) console.log(`  ${icons.safe}  ${c.green}${safe} clean${c.reset}`);
-  if (withFindings > 0) console.log(`  ${icons.caution}  ${c.yellow}${withFindings} with findings${c.reset} (${totalFindings} total)`);
-  // Breakdown by severity
-  const bySev = {};
-  results.forEach(r => r.findings.forEach(f => {
-    bySev[f.severity] = (bySev[f.severity] || 0) + 1;
-  }));
-  if (Object.keys(bySev).length > 0) {
-    console.log();
-    for (const sev of ['critical', 'high', 'medium', 'low']) {
-      if (bySev[sev]) {
-        console.log(`    ${severityIcon(sev)} ${bySev[sev]}× ${severityColor(sev)}${sev}${c.reset}`);
-      }
-    }
-  }
-  console.log();
-}
-// ── Clone & Scan ────────────────────────────────────────
-async function scanRepo(url) {
-  const start = Date.now();
-  const slug = slugFromUrl(url);
-  if (!jsonMode) process.stdout.write(`${icons.scan}  Scanning ${c.bold}${slug}${c.reset} ${c.dim}...${c.reset}`);
-  // Clone
-  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'agentaudit-'));
-  const repoPath = path.join(tmpDir, 'repo');
-  try {
-    execSync(`git clone --depth 1 "${url}" "${repoPath}"`, {
-      timeout: 30_000,
-      stdio: 'pipe',
-    });
-  } catch (err) {
-    if (!jsonMode) {
-      process.stdout.write(`  ${c.red}✖ clone failed${c.reset}\n`);
-      const msg = err.stderr?.toString().trim() || err.message?.split('\n')[0] || '';
-      if (msg) console.log(`    ${c.dim}${msg}${c.reset}`);
-      console.log(`    ${c.dim}Make sure git is installed and the URL is accessible.${c.reset}`);
-    }
-    return null;
-  }
-  // Collect files
-  const files = collectFiles(repoPath);
-  // Detect info
-  const info = detectPackageInfo(repoPath, files);
-  // Quick checks
-  const findings = quickChecks(files);
-  // Registry lookup
-  const registryData = await checkRegistry(slug);
-  // Cleanup
-  try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
-  const duration = elapsed(start);
-  if (!jsonMode) {
-    // Clear the "Scanning..." line
-    process.stdout.write('\r\x1b[K');
-    // Print result
-    printScanResult(url, info, files, findings, registryData, duration);
-  }
-  return { slug, url, info, files: files.length, findings, registryData, duration };
-}
-// ── Discover local MCP configs ──────────────────────────
-function findMcpConfigs() {
-  const home = process.env.HOME || process.env.USERPROFILE || '';
-  const platform = process.platform;
-  // All known MCP config locations
-  const candidates = [
-    // Claude Desktop
-    { name: 'Claude Desktop', path: path.join(home, '.claude', 'mcp.json') },
-    { name: 'Claude Desktop', path: path.join(home, 'Library', 'Application Support', 'Claude', 'claude_desktop_config.json') },
-    { name: 'Claude Desktop', path: path.join(home, 'AppData', 'Roaming', 'Claude', 'claude_desktop_config.json') },
-    { name: 'Claude Desktop', path: path.join(home, '.config', 'claude', 'claude_desktop_config.json') },
-    // Cursor
-    { name: 'Cursor', path: path.join(home, '.cursor', 'mcp.json') },
-    // Windsurf / Codeium
-    { name: 'Windsurf', path: path.join(home, '.codeium', 'windsurf', 'mcp_config.json') },
-    // VS Code
-    { name: 'VS Code', path: path.join(home, '.vscode', 'mcp.json') },
-    // Continue.dev
-    { name: 'Continue', path: path.join(home, '.continue', 'config.json') },
-  ];
-  // Also check AGENTAUDIT_TEST_CONFIG env for testing
-  if (process.env.AGENTAUDIT_TEST_CONFIG) {
-    candidates.push({ name: 'Test Config', path: process.env.AGENTAUDIT_TEST_CONFIG });
-  }
-  // Also scan workspace .cursor/mcp.json, .vscode/mcp.json in cwd
-  const cwd = process.cwd();
-  candidates.push(
-    { name: 'Cursor (project)', path: path.join(cwd, '.cursor', 'mcp.json') },
-    { name: 'VS Code (project)', path: path.join(cwd, '.vscode', 'mcp.json') },
-  );
-  const found = [];
-  for (const c of candidates) {
-    if (fs.existsSync(c.path)) {
-      try {
-        const content = JSON.parse(fs.readFileSync(c.path, 'utf8'));
-        found.push({ ...c, content });
-      } catch {}
-    }
-  }
-  return found;
-}
-function extractServersFromConfig(config) {
-  // Handle both { mcpServers: {...} } and { servers: {...} } formats
-  const servers = config.mcpServers || config.servers || {};
-  const result = [];
-  for (const [name, serverConfig] of Object.entries(servers)) {
-    const info = {
-      name,
-      command: serverConfig.command || null,
-      args: serverConfig.args || [],
-      url: serverConfig.url || null,
-      sourceUrl: null,
-    };
-    // Try to extract source URL from args (common patterns)
-    const allArgs = [info.command, ...info.args].filter(Boolean).join(' ');
-    // npx package-name → npm package
-    const npxMatch = allArgs.match(/npx\s+(?:-y\s+)?(@?[a-z0-9][\w./-]*)/i);
-    if (npxMatch) info.npmPackage = npxMatch[1];
-    // node /path/to/something → try to find package.json
-    const nodePathMatch = allArgs.match(/node\s+["']?([^"'\s]+)/);
-    if (nodePathMatch) {
-      const scriptPath = nodePathMatch[1];
-      // Walk up to find package.json with repository
-      let dir = path.dirname(path.resolve(scriptPath));
-      for (let i = 0; i < 5; i++) {
-        const pkgPath = path.join(dir, 'package.json');
-        if (fs.existsSync(pkgPath)) {
-          try {
-            const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
-            if (pkg.repository?.url) {
-              info.sourceUrl = pkg.repository.url.replace(/^git\+/, '').replace(/\.git$/, '');
-            }
-            if (pkg.name) info.npmPackage = pkg.name;
-          } catch {}
-          break;
-        }
-        const parent = path.dirname(dir);
-        if (parent === dir) break;
-        dir = parent;
-      }
-    }
-    // python/uvx with package name
-    const pyMatch = allArgs.match(/(?:uvx|pip run|python -m)\s+(@?[a-z0-9][\w./-]*)/i);
-    if (pyMatch) info.pyPackage = pyMatch[1];
-    // URL-based MCP server (remote HTTP)
-    if (info.url && !info.npmPackage && !info.pyPackage) {
-      try {
-        const parsed = new URL(info.url);
-        // Extract service name from hostname: mcp.supabase.com → supabase
-        const hostParts = parsed.hostname.split('.');
-        if (hostParts.length >= 2) {
-          const serviceName = hostParts.length === 3 ? hostParts[1] : hostParts[0];
-          info.remoteService = serviceName;
-        }
-      } catch {}
-    }
-    result.push(info);
-  }
-  return result;
-}
-function serverSlug(server) {
-  // Try to derive a slug for registry lookup
-  if (server.npmPackage) return server.npmPackage.replace(/^@/, '').replace(/\//g, '-');
-  if (server.pyPackage) return server.pyPackage.replace(/[^a-z0-9-]/gi, '-');
-  return server.name.toLowerCase().replace(/[^a-z0-9-]/gi, '-');
-}
-async function searchGitHub(query) {
-  try {
-    const res = await fetch(`https://api.github.com/search/repositories?q=${encodeURIComponent(query)}&per_page=1`, {
-      signal: AbortSignal.timeout(5000),
-      headers: { 'Accept': 'application/vnd.github+json' },
-    });
-    if (res.ok) {
-      const data = await res.json();
-      if (data.items?.length > 0) {
-        return data.items[0].html_url;
-      }
-    }
-  } catch {}
-  return null;
-}
-async function resolveSourceUrl(server) {
-  // Already have it
-  if (server.sourceUrl) return server.sourceUrl;
-  // Try npm registry
-  if (server.npmPackage) {
-    try {
-      const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(server.npmPackage)}`, {
-        signal: AbortSignal.timeout(5000),
-      });
-      if (res.ok) {
-        const data = await res.json();
-        let repoUrl = data.repository?.url;
-        if (repoUrl) {
-          repoUrl = repoUrl.replace(/^git\+/, '').replace(/\.git$/, '').replace(/^ssh:\/\/git@github\.com/, 'https://github.com');
-          if (repoUrl.startsWith('http')) return repoUrl;
-        }
-      }
-    } catch {}
-    // Fallback: try GitHub search for the package name
-    const ghUrl = await searchGitHub(server.npmPackage);
-    if (ghUrl) return ghUrl;
-    return `https://www.npmjs.com/package/${server.npmPackage}`;
-  }
-  // Try PyPI
-  if (server.pyPackage) {
-    try {
-      const res = await fetch(`https://pypi.org/pypi/${encodeURIComponent(server.pyPackage)}/json`, {
-        signal: AbortSignal.timeout(5000),
-      });
-      if (res.ok) {
-        const data = await res.json();
-        const urls = data.info?.project_urls || {};
-        const source = urls.Source || urls.Repository || urls.Homepage || urls['Source Code'] || data.info?.home_page;
-        if (source && source.startsWith('http')) return source;
-      }
-    } catch {}
-    // Fallback: GitHub search
-    const ghUrl = await searchGitHub(server.pyPackage);
-    if (ghUrl) return ghUrl;
-    return `https://pypi.org/project/${server.pyPackage}/`;
-  }
-  // URL-based remote MCP server — try GitHub search by service name
-  if (server.remoteService) {
-    // Try npm registry with common MCP naming patterns
-    for (const tryName of [
-      `@${server.remoteService}/mcp-server-${server.remoteService}`,
-      `${server.remoteService}-mcp`,
-      `mcp-server-${server.remoteService}`,
-      server.remoteService,
-    ]) {
-      try {
-        const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(tryName)}`, {
-          signal: AbortSignal.timeout(3000),
-        });
-        if (res.ok) {
-          const data = await res.json();
-          let repoUrl = data.repository?.url;
-          if (repoUrl) {
-            repoUrl = repoUrl.replace(/^git\+/, '').replace(/\.git$/, '').replace(/^ssh:\/\/git@github\.com/, 'https://github.com');
-            if (repoUrl.startsWith('http')) return repoUrl;
-          }
-        }
-      } catch {}
-    }
-  }
-  // Last resort: if server has a url, show it as context
-  if (server.url) {
-    try {
-      const parsed = new URL(server.url);
-      return `https://github.com/search?q=${encodeURIComponent(parsed.hostname + ' MCP')}&type=repositories`;
-    } catch {}
-  }
-  return null;
-}
-async function discoverCommand(options = {}) {
-  const autoScan = options.scan || false;
-  const interactiveAudit = options.audit || false;
-  if (!jsonMode) {
-    console.log(`  ${c.bold}Discovering MCP servers in your AI editors...${c.reset}`);
-    console.log();
-  }
-  const configs = findMcpConfigs();
-  if (configs.length === 0) {
-    console.log(`  ${c.yellow}No MCP configurations found.${c.reset}`);
-    console.log(`  ${c.dim}Searched: Claude Desktop, Cursor, Windsurf, VS Code${c.reset}`);
-    console.log();
-    console.log(`  ${c.dim}MCP config locations:${c.reset}`);
-    console.log(`  ${c.dim}  Claude:   ~/.claude/mcp.json${c.reset}`);
-    console.log(`  ${c.dim}  Cursor:   ~/.cursor/mcp.json${c.reset}`);
-    console.log(`  ${c.dim}  Windsurf: ~/.codeium/windsurf/mcp_config.json${c.reset}`);
-    console.log(`  ${c.dim}  VS Code:  ~/.vscode/mcp.json${c.reset}`);
-    console.log();
-    return;
-  }
-  let totalServers = 0;
-  let checkedServers = 0;
-  let auditedServers = 0;
-  let unauditedServers = 0;
-  const unauditedWithUrls = [];
-  const allServersWithUrls = []; // For --scan: all servers we can scan
-  for (const config of configs) {
-    const servers = extractServersFromConfig(config.content);
-    const serverCount = servers.length;
-    totalServers += serverCount;
-    const countLabel = serverCount === 0
-      ? `${c.dim}no servers${c.reset}`
-      : `found ${c.bold}${serverCount}${c.reset} server${serverCount > 1 ? 's' : ''}`;
-    console.log(`${icons.bullet}  Scanning ${c.bold}${config.name}${c.reset}  ${c.dim}${config.path}${c.reset}    ${countLabel}`);
-    if (serverCount === 0) {
-      console.log();
-      continue;
-    }
-    console.log();
-    for (let i = 0; i < servers.length; i++) {
-      const server = servers[i];
-      const isLast = i === servers.length - 1;
-      const branch = isLast ? icons.treeLast : icons.tree;
-      const pipe = isLast ? '   ' : `${icons.pipe}  `;
-      const slug = serverSlug(server);
-      checkedServers++;
-      // Registry lookup
-      const registryData = await checkRegistry(slug);
-      // Also try with server name directly
-      let regData = registryData;
-      if (!regData && slug !== server.name.toLowerCase()) {
-        regData = await checkRegistry(server.name.toLowerCase());
-      }
-      // Determine source display
-      let sourceLabel = '';
-      if (server.npmPackage) sourceLabel = `${c.dim}npm:${server.npmPackage}${c.reset}`;
-      else if (server.pyPackage) sourceLabel = `${c.dim}pip:${server.pyPackage}${c.reset}`;
-      else if (server.url) sourceLabel = `${c.dim}${server.url.length > 60 ? server.url.slice(0, 57) + '...' : server.url}${c.reset}`;
-      else if (server.command) sourceLabel = `${c.dim}${[server.command, ...server.args.slice(0, 2)].join(' ')}${c.reset}`;
-      // Always resolve source URL (needed for --scan)
-      const resolvedUrl = await resolveSourceUrl(server);
-      if (regData) {
-        auditedServers++;
-        const riskScore = regData.risk_score ?? regData.latest_risk_score ?? 0;
-        const hasOfficial = regData.has_official_audit;
-        console.log(`${branch}  ${c.bold}${server.name}${c.reset}    ${sourceLabel}`);
-        console.log(`${pipe}  ${riskBadge(riskScore)} Risk ${riskScore}  ${hasOfficial ? `${c.green}✔ official${c.reset}  ` : ''}${c.dim}${REGISTRY_URL}/skills/${slug}${c.reset}`);
-        if (resolvedUrl) allServersWithUrls.push({ name: server.name, sourceUrl: resolvedUrl, hasAudit: true, regData });
-      } else {
-        unauditedServers++;
-        console.log(`${branch}  ${c.bold}${server.name}${c.reset}    ${sourceLabel}`);
-        if (resolvedUrl) {
-          console.log(`${pipe}  ${c.yellow}⚠ not audited${c.reset}  ${c.dim}Run: ${c.cyan}agentaudit audit ${resolvedUrl}${c.reset}`);
-          unauditedWithUrls.push({ name: server.name, sourceUrl: resolvedUrl });
-          allServersWithUrls.push({ name: server.name, sourceUrl: resolvedUrl, hasAudit: false });
-        } else {
-          console.log(`${pipe}  ${c.yellow}⚠ not audited${c.reset}  ${c.dim}Source URL unknown — check the package's GitHub/npm page${c.reset}`);
-        }
-      }
-      if (server.sourceUrl && !server.sourceUrl.includes('npmjs.com')) {
-        console.log(`${pipe}  ${c.dim}source: ${server.sourceUrl}${c.reset}`);
-      }
-    }
-    console.log();
-  }
-  // Summary
-  console.log(`${c.dim}${'─'.repeat(60)}${c.reset}`);
-  console.log(`  ${c.bold}Summary${c.reset}  ${totalServers} server${totalServers !== 1 ? 's' : ''} across ${configs.length} config${configs.length !== 1 ? 's' : ''}`);
-  console.log();
-  if (auditedServers > 0) console.log(`  ${icons.safe}  ${c.green}${auditedServers} audited${c.reset}`);
-  if (unauditedServers > 0) console.log(`  ${icons.caution}  ${c.yellow}${unauditedServers} not audited${c.reset}`);
-  console.log();
-  // --scan: automatically scan all servers with resolved source URLs (git-cloneable only)
-  if (autoScan) {
-    const isCloneable = (url) => /^https?:\/\/(github\.com|gitlab\.com|bitbucket\.org)\//i.test(url);
-    const scanTargets = allServersWithUrls.filter(s => s.sourceUrl && isCloneable(s.sourceUrl));
-    // Deduplicate by sourceUrl
-    const seen = new Set();
-    const dedupedTargets = scanTargets.filter(s => {
-      if (seen.has(s.sourceUrl)) return false;
-      seen.add(s.sourceUrl);
-      return true;
-    });
-    const skipped = allServersWithUrls.filter(s => s.sourceUrl && !isCloneable(s.sourceUrl));
-    if (dedupedTargets.length > 0) {
-      console.log(`${c.dim}${'─'.repeat(60)}${c.reset}`);
-      console.log(`  ${c.bold}${icons.scan}  Auto-scanning ${dedupedTargets.length} server${dedupedTargets.length !== 1 ? 's' : ''}...${c.reset}`);
-      if (skipped.length > 0) {
-        console.log(`  ${c.dim}(${skipped.length} skipped — no cloneable source URL)${c.reset}`);
-      }
-      console.log();
-      const scanResults = [];
-      for (const target of dedupedTargets) {
-        const result = await scanRepo(target.sourceUrl);
-        if (result) scanResults.push({ ...result, serverName: target.name });
-      }
-      if (scanResults.length > 1) {
-        // Print combined scan summary
-        console.log(`${c.dim}${'─'.repeat(60)}${c.reset}`);
-        console.log(`  ${c.bold}Scan Summary${c.reset}  ${scanResults.length} server${scanResults.length !== 1 ? 's' : ''} scanned`);
-        console.log();
-        let totalFindings = 0;
-        let serversWithFindings = 0;
-        for (const r of scanResults) {
-          const findingCount = r.findings ? r.findings.length : 0;
-          totalFindings += findingCount;
-          if (findingCount > 0) serversWithFindings++;
-          const status = findingCount === 0
-            ? `${icons.safe}  ${c.green}clean${c.reset}`
-            : `${icons.caution}  ${c.yellow}${findingCount} finding${findingCount !== 1 ? 's' : ''}${c.reset}`;
-          console.log(`  ${status}  ${c.bold}${r.serverName || r.slug}${c.reset}  ${c.dim}(${r.duration})${c.reset}`);
-        }
-        console.log();
-        if (serversWithFindings > 0) {
-          console.log(`  ${c.yellow}${serversWithFindings}/${scanResults.length} server${scanResults.length !== 1 ? 's' : ''} with findings (${totalFindings} total)${c.reset}`);
-          console.log(`  ${c.dim}Run ${c.cyan}agentaudit scan <url> --deep${c.dim} for deep LLM analysis on flagged servers${c.reset}`);
-        } else {
-          console.log(`  ${c.green}All servers passed quick scan${c.reset}`);
-          console.log(`  ${c.dim}Run ${c.cyan}agentaudit scan <url> --deep${c.dim} for thorough LLM-powered analysis${c.reset}`);
-        }
-        console.log();
-      }
-    } else {
-      console.log(`  ${c.dim}No scannable source URLs found.${c.reset}`);
-      console.log();
-    }
-  } else if (interactiveAudit && allServersWithUrls.length > 0) {
-    // Interactive multi-select for audit
-    const isCloneable = (url) => /^https?:\/\/(github\.com|gitlab\.com|bitbucket\.org)\//i.test(url);
-    const auditCandidates = [];
-    const seen = new Set();
-    for (const s of allServersWithUrls) {
-      if (!s.sourceUrl || !isCloneable(s.sourceUrl)) continue;
-      if (seen.has(s.sourceUrl)) continue;
-      seen.add(s.sourceUrl);
-      auditCandidates.push(s);
-    }
-    if (auditCandidates.length > 0) {
-      console.log();
-      const items = auditCandidates.map(s => ({
-        label: s.name,
-        sublabel: s.hasAudit ? `${c.green}✔ audited${c.reset}  ${s.sourceUrl}` : s.sourceUrl,
-        value: s,
-        checked: !s.hasAudit, // Pre-select unaudited
-      }));
-      const selected = await multiSelect(items, {
-        title: 'Select servers to audit',
-        hint: 'Space=toggle  ↑↓=move  a=all  n=none  Enter=confirm',
-      });
-      if (selected.length > 0) {
-        console.log();
-        console.log(`  ${c.bold}Auditing ${selected.length} server${selected.length !== 1 ? 's' : ''}...${c.reset}`);
-        console.log();
-        for (const s of selected) {
-          await auditRepo(s.sourceUrl);
-          console.log();
-        }
-      } else {
-        console.log();
-        console.log(`  ${c.dim}No servers selected.${c.reset}`);
-      }
-    }
-  } else if (unauditedServers > 0) {
-    if (unauditedWithUrls.length > 0) {
-      console.log(`  ${c.dim}To audit unaudited servers:${c.reset}`);
-      for (const { name, sourceUrl } of unauditedWithUrls) {
-        console.log(`  ${c.cyan}agentaudit audit ${sourceUrl}${c.reset}  ${c.dim}(${name})${c.reset}`);
-      }
-    } else {
-      console.log(`  ${c.dim}To audit unaudited servers, run:${c.reset}`);
-      console.log(`  ${c.cyan}agentaudit audit <source-url>${c.reset}`);
-    }
-    console.log();
-    console.log(`  ${c.dim}Or run ${c.cyan}agentaudit discover --quick${c.dim} to quick-scan all servers${c.reset}`);
-    console.log(`  ${c.dim}Or run ${c.cyan}agentaudit discover --deep${c.dim} to select & deep-audit interactively${c.reset}`);
-    console.log();
-  }
-  if (!autoScan && !interactiveAudit && !jsonMode) {
-    console.log(`  ${c.dim}Looking for general package scanning? Try ${c.cyan}pip audit${c.dim} or ${c.cyan}npm audit${c.dim}.${c.reset}`);
-    console.log();
-  }
-}
-// ── Audit command (deep LLM-powered) ────────────────────
-function loadAuditPrompt() {
-  const promptPath = path.join(SKILL_DIR, 'prompts', 'audit-prompt.md');
-  if (fs.existsSync(promptPath)) return fs.readFileSync(promptPath, 'utf8');
-  return null;
-}
-async function auditRepo(url) {
-  const start = Date.now();
-  const slug = slugFromUrl(url);
-  console.log(`${icons.scan}  ${c.bold}Auditing ${slug}${c.reset}  ${c.dim}${url}${c.reset}`);
-  console.log(`${icons.pipe}  ${c.dim}Deep LLM-powered analysis (3-pass: UNDERSTAND → DETECT → CLASSIFY)${c.reset}`);
-  console.log();
-  // Step 1: Clone
-  process.stdout.write(`  ${c.dim}[1/4]${c.reset} Cloning repository...`);
-  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'agentaudit-'));
-  const repoPath = path.join(tmpDir, 'repo');
-  try {
-    execSync(`git clone --depth 1 "${url}" "${repoPath}"`, {
-      timeout: 30_000, stdio: 'pipe',
-    });
-    console.log(` ${c.green}done${c.reset}`);
-  } catch (err) {
-    console.log(` ${c.red}failed${c.reset}`);
-    const msg = err.stderr?.toString().trim() || err.message?.split('\n')[0] || '';
-    if (msg) console.log(`    ${c.dim}${msg}${c.reset}`);
-    console.log(`    ${c.dim}Make sure git is installed and the URL is accessible.${c.reset}`);
-    return null;
-  }
-  // Step 2: Collect files
-  process.stdout.write(`  ${c.dim}[2/4]${c.reset} Collecting source files...`);
-  const files = collectFiles(repoPath);
-  console.log(` ${c.green}${files.length} files${c.reset}`);
-  // Step 3: Build audit payload
-  process.stdout.write(`  ${c.dim}[3/4]${c.reset} Preparing audit payload...`);
-  const auditPrompt = loadAuditPrompt();
-  let codeBlock = '';
-  for (const file of files) {
-    codeBlock += `\n### FILE: ${file.path}\n\`\`\`\n${file.content}\n\`\`\`\n`;
-  }
-  console.log(` ${c.green}done${c.reset}`);
-  // Step 4: LLM Analysis
-  // Check for API keys to determine which LLM to use
-  const anthropicKey = process.env.ANTHROPIC_API_KEY;
-  const openaiKey = process.env.OPENAI_API_KEY;
-  const openrouterKey = process.env.OPENROUTER_API_KEY;
-  const openrouterModel = process.env.OPENROUTER_MODEL || 'anthropic/claude-sonnet-4';
-  // --provider flag overrides auto-detection
-  const providerFlag = process.argv.find(a => a.startsWith('--provider='))?.split('=')[1]?.toLowerCase()
-    || (process.argv.includes('--provider') ? process.argv[process.argv.indexOf('--provider') + 1]?.toLowerCase() : null);
-  const resolvedProvider = resolveProvider(providerFlag, { anthropicKey, openaiKey, openrouterKey });
-  const activeProvider = resolvedProvider?.label || null;
-  if (!resolvedProvider) {
-    // No LLM API key — clear explanation
-    console.log();
-    console.log(`  ${c.yellow}No LLM provider configured.${c.reset} The ${c.bold}audit${c.reset} command needs an LLM to analyze code.`);
-    console.log();
-    console.log(`  ${c.bold}Option 1: Set an API key${c.reset} ${c.dim}(any one of these)${c.reset}`);
-    console.log(`  ${c.cyan}ANTHROPIC_API_KEY${c.reset}    Anthropic Claude ${c.dim}(recommended)${c.reset}`);
-    console.log(`  ${c.cyan}OPENAI_API_KEY${c.reset}       OpenAI GPT-4o`);
-    console.log(`  ${c.cyan}OPENROUTER_API_KEY${c.reset}   OpenRouter ${c.dim}(200+ models)${c.reset}`);
-    console.log(`  ${c.cyan}OLLAMA_MODEL${c.reset}         Ollama ${c.dim}(local, free, set model name)${c.reset}`);
-    console.log(`  ${c.cyan}LLM_API_URL${c.reset}          Any OpenAI-compatible API ${c.dim}(+ LLM_API_KEY, LLM_MODEL)${c.reset}`);
-    console.log();
-    console.log(`  ${c.dim}# Linux / macOS:${c.reset}`);
-    console.log(`  ${c.dim}export ANTHROPIC_API_KEY=sk-ant-...${c.reset}`);
-    console.log(`  ${c.dim}export OPENAI_API_KEY=sk-...${c.reset}`);
-    console.log();
-    console.log(`  ${c.dim}# Windows (PowerShell):${c.reset}`);
-    console.log(`  ${c.dim}$env:ANTHROPIC_API_KEY = "sk-ant-..."${c.reset}`);
-    console.log(`  ${c.dim}$env:OPENAI_API_KEY = "sk-..."${c.reset}`);
-    console.log();
-    console.log(`  ${c.dim}# Windows (CMD):${c.reset}`);
-    console.log(`  ${c.dim}set ANTHROPIC_API_KEY=sk-ant-...${c.reset}`);
-    console.log(`  ${c.dim}set OPENAI_API_KEY=sk-...${c.reset}`);
-    console.log();
-    console.log(`  ${c.bold}Option 2: Export for manual review${c.reset}`);
-    console.log(`  ${c.cyan}agentaudit audit ${url} --export${c.reset}`);
-    console.log(`  ${c.dim}Creates a markdown file you can paste into any LLM (Claude, ChatGPT, etc.)${c.reset}`);
-    console.log();
-    console.log(`  ${c.bold}Option 3: Use MCP in Claude/Cursor/Windsurf (no API key needed)${c.reset}`);
-    console.log(`  ${c.dim}Add AgentAudit as MCP server — your editor's agent runs the audit using its own LLM.${c.reset}`);
-    console.log(`  ${c.dim}Config: { "mcpServers": { "agentaudit": { "command": "npx", "args": ["-y", "agentaudit"] } } }${c.reset}`);
-    console.log();
-    // Check if --export flag
-    if (process.argv.includes('--export')) {
-      const exportPath = path.join(process.cwd(), `audit-${slug}.md`);
-      const exportContent = [
-        `# Security Audit: ${slug}`,
-        `**Source:** ${url}`,
-        `**Files:** ${files.length}`,
-        ``,
-        `## Audit Instructions`,
-        ``,
-        auditPrompt || '(audit prompt not found)',
-        ``,
-        `## Report Format`,
-        ``,
-        `After analysis, produce a JSON report:`,
-        '```json',
-        `{ "skill_slug": "${slug}", "source_url": "${url}", "risk_score": 0, "result": "safe", "findings": [] }`,
-        '```',
-        ``,
-        `## Source Code`,
-        ``,
-        codeBlock,
-      ].join('\n');
-      fs.writeFileSync(exportPath, exportContent);
-      console.log(`  ${icons.safe}  Exported to ${c.bold}${exportPath}${c.reset}`);
-      console.log(`  ${c.dim}Paste this into any LLM (Claude, ChatGPT, etc.) for analysis${c.reset}`);
-    }
-    // Cleanup
-    try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
-    return null;
-  }
-  // Determine actual model name for display
-  let actualModel;
-  if (resolvedProvider.id === 'anthropic') {
-    actualModel = modelOverride || 'claude-sonnet-4-20250514';
-  } else if (resolvedProvider.id === 'openrouter') {
-    actualModel = modelOverride || process.env.OPENROUTER_MODEL || 'anthropic/claude-sonnet-4';
-  } else if (resolvedProvider.id === 'openai') {
-    actualModel = modelOverride || 'gpt-4o';
-  } else if (resolvedProvider.id === 'ollama') {
-    actualModel = modelOverride || resolvedProvider.model;
-  } else {
-    actualModel = modelOverride || resolvedProvider.model || 'unknown';
-  }
-  // We have an API key — run LLM audit
-  process.stdout.write(`  ${c.dim}[4/4]${c.reset} Running LLM analysis ${c.dim}(${resolvedProvider.id}: ${actualModel})${c.reset}...`);
-  const systemPrompt = auditPrompt || 'You are a security auditor. Analyze the code and report findings as JSON.';
-  const userMessage = [
-    `Audit this package: **${slug}** (${url})`,
-    ``,
-    `After analysis, respond with ONLY a valid JSON object. No markdown fences, no explanation, no text before or after. Just the raw JSON:`,
-    `{ "skill_slug": "${slug}", "source_url": "${url}", "package_type": "<mcp-server|agent-skill|library|cli-tool>",`,
-    `  "risk_score": <0-100>, "result": "<safe|caution|unsafe>", "max_severity": "<none|low|medium|high|critical>",`,
-    `  "findings_count": <n>, "findings": [{ "id": "...", "title": "...", "severity": "...", "category": "...",`,
-    `  "description": "...", "file": "...", "line": <n>, "remediation": "...", "confidence": "...", "is_by_design": false }] }`,
-    ``,
-    `## Source Code`,
-    codeBlock,
-  ].join('\n');
-  let report = null;
-  let _lastLlmText = '';
-  let providerMeta = {}; // Collect provider metadata for attestation
-  try {
-    if (resolvedProvider.id === 'anthropic') {
-      const res = await fetch('https://api.anthropic.com/v1/messages', {
-        method: 'POST',
-        headers: {
-          'x-api-key': resolvedProvider.key,
-          'anthropic-version': '2023-06-01',
-          'content-type': 'application/json',
-        },
-        body: JSON.stringify({
-          model: modelOverride || 'claude-sonnet-4-20250514',
-          max_tokens: 8192,
-          system: systemPrompt,
-          messages: [{ role: 'user', content: userMessage }],
-        }),
-        signal: AbortSignal.timeout(120_000),
-      });
-      const data = await res.json();
-      if (data.error) {
-        console.log(` ${c.red}failed${c.reset}`);
-        console.log(`  ${c.red}API error: ${data.error.message || JSON.stringify(data.error)}${c.reset}`);
-        try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
-        return null;
-      }
-      const text = data.content?.[0]?.text || '';
-      _lastLlmText = text;
-      report = extractJSON(text);
-      providerMeta = {
-        provider_msg_id: data.id || null,
-        input_tokens: data.usage?.input_tokens || null,
-        output_tokens: data.usage?.output_tokens || null,
-        reported_model: data.model || null,
-      };
-    } else {
-      // OpenAI, OpenRouter, Ollama, or Custom (all use OpenAI-compatible chat completions API)
-      let apiUrl, modelName, authHeaders;
-      switch (resolvedProvider.id) {
-        case 'openrouter':
-          apiUrl = 'https://openrouter.ai/api/v1/chat/completions';
-          modelName = modelOverride || process.env.OPENROUTER_MODEL || 'anthropic/claude-sonnet-4';
-          authHeaders = { 'Authorization': `Bearer ${resolvedProvider.key}`, 'HTTP-Referer': 'https://agentaudit.dev', 'X-Title': 'AgentAudit' };
-          break;
-        case 'ollama':
-          apiUrl = `${resolvedProvider.host}/v1/chat/completions`;
-          modelName = modelOverride || resolvedProvider.model;
-          authHeaders = {};
-          break;
-        case 'custom':
-          apiUrl = resolvedProvider.url.endsWith('/chat/completions') ? resolvedProvider.url : `${resolvedProvider.url.replace(/\/$/, '')}/chat/completions`;
-          modelName = modelOverride || resolvedProvider.model;
-          authHeaders = resolvedProvider.key ? { 'Authorization': `Bearer ${resolvedProvider.key}` } : {};
-          break;
-        default: // openai
-          apiUrl = 'https://api.openai.com/v1/chat/completions';
-          modelName = modelOverride || 'gpt-4o';
-          authHeaders = { 'Authorization': `Bearer ${resolvedProvider.key}` };
-      }
-      const res = await fetch(apiUrl, {
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json', ...authHeaders },
-        body: JSON.stringify({
-          model: modelName,
-          max_tokens: 8192,
-          messages: [
-            { role: 'system', content: systemPrompt },
-            { role: 'user', content: userMessage },
-          ],
-        }),
-        signal: AbortSignal.timeout(resolvedProvider.id === 'ollama' ? 300_000 : 120_000), // Ollama: 5min (local can be slow)
-      });
-      const data = await res.json();
-      if (data.error) {
-        console.log(` ${c.red}failed${c.reset}`);
-        console.log(`  ${c.red}API error: ${data.error.message || JSON.stringify(data.error)}${c.reset}`);
-        try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
-        return null;
-      }
-      const text = data.choices?.[0]?.message?.content || '';
-      _lastLlmText = text;
-      report = extractJSON(text);
-      providerMeta = {
-        provider_msg_id: data.id || null,
-        provider_fingerprint: data.system_fingerprint || null,
-        input_tokens: data.usage?.prompt_tokens || null,
-        output_tokens: data.usage?.completion_tokens || null,
-        reported_model: data.model || null,
-      };
-    }
-    console.log(` ${c.green}done${c.reset} ${c.dim}(${elapsed(start)})${c.reset}`);
-  } catch (err) {
-    console.log(` ${c.red}failed${c.reset}`);
-    console.log(`  ${c.red}${err.message}${c.reset}`);
-    try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
-    return null;
-  }
-  // Cleanup repo
-  try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
-  if (!report) {
-    console.log(`  ${c.red}Could not parse LLM response as JSON${c.reset}`);
-    console.log(`  ${c.dim}Hint: run with --debug to see the raw LLM response${c.reset}`);
-    if (process.argv.includes('--debug')) {
-      console.log(`  ${c.dim}--- Raw LLM response (first 2000 chars) ---${c.reset}`);
-      console.log((typeof _lastLlmText === 'string' ? _lastLlmText : '(empty)').slice(0, 2000));
-      console.log(`  ${c.dim}--- end ---${c.reset}`);
-    }
-    return null;
-  }
-  // Display results
-  console.log();
-  const riskScore = report.risk_score || 0;
-  const trustScore = 100 - riskScore;
-  const trustColor = trustScore >= 70 ? c.green : trustScore >= 40 ? c.yellow : c.red;
-  const trustLabel = trustScore >= 70 ? 'SAFE' : trustScore >= 40 ? 'CAUTION' : 'UNSAFE';
-  console.log(`  ${trustColor}${c.bold}${trustLabel}${c.reset}  ${trustColor}Trust Score: ${trustScore}/100${c.reset}  ${c.dim}(Risk: ${riskScore}/100)${c.reset}`);
-  console.log(`  ${c.dim}Model: ${resolvedProvider.id}/${actualModel}  Duration: ${elapsed(start)}${c.reset}`);
-  console.log();
-  if (report.findings && report.findings.length > 0) {
-    console.log(`  ${c.bold}Findings (${report.findings.length})${c.reset}`);
-    console.log();
-    for (const f of report.findings) {
-      const sc = severityColor(f.severity);
-      console.log(`  ${severityIcon(f.severity)} ${sc}${(f.severity || '').toUpperCase().padEnd(8)}${c.reset} ${f.title}`);
-      if (f.file) console.log(`    ${c.dim}${f.file}${f.line ? ':' + f.line : ''}${c.reset}`);
-      if (f.description) console.log(`    ${c.dim}${f.description.slice(0, 120)}${c.reset}`);
-      console.log();
-    }
-  } else {
-    console.log(`  ${c.green}No findings — package looks clean.${c.reset}`);
-    console.log();
-  }
-  // Upload to registry
-  const creds = loadCredentials();
-  if (creds) {
-    process.stdout.write(`  Uploading report to registry...`);
-    try {
-      const res = await fetch(`${REGISTRY_URL}/api/reports`, {
-        method: 'POST',
-        headers: {
-          'Authorization': `Bearer ${creds.api_key}`,
-          'Content-Type': 'application/json',
-        },
-        body: JSON.stringify({
-          ...report,
-          audit_model: providerMeta.reported_model || actualModel,
-          audit_provider: resolvedProvider.id,
-          provider_msg_id: providerMeta.provider_msg_id || undefined,
-          provider_fingerprint: providerMeta.provider_fingerprint || undefined,
-          input_tokens: providerMeta.input_tokens || undefined,
-          output_tokens: providerMeta.output_tokens || undefined,
-          audit_duration_ms: Date.now() - start,
-        }),
-        signal: AbortSignal.timeout(15_000),
-      });
-      if (res.ok) {
-        const data = await res.json();
-        const reportSlug = data?.skill_slug || data?.slug || slug;
-        console.log(` ${c.green}done${c.reset}`);
-        console.log(`  ${c.dim}Report: ${REGISTRY_URL}/skills/${reportSlug}${c.reset}`);
-      } else {
-        console.log(` ${c.yellow}failed (HTTP ${res.status})${c.reset}`);
-      }
-    } catch (err) {
-      console.log(` ${c.yellow}failed${c.reset}`);
-    }
-  } else {
-    console.log(`  ${c.dim}Run ${c.cyan}agentaudit setup${c.dim} to upload reports to the registry${c.reset}`);
-  }
-  console.log();
-  return report;
-}
-// ── Check command ───────────────────────────────────────
-async function checkPackage(name, { autoAudit = false } = {}) {
-  if (!jsonMode) {
-    console.log(`${icons.info}  Looking up ${c.bold}${name}${c.reset} in registry...`);
-    console.log();
-  }
-  const data = await checkRegistry(name);
-  if (!data) {
-    if (!jsonMode) {
-      // Auto-audit: only when called from 'check' command AND input looks like a URL
-      if (autoAudit && (name.includes('github.com') || name.includes('://'))) {
-        console.log(`  ${c.yellow}Not found in registry.${c.reset}`);
-        console.log(`  ${c.dim}Starting audit for ${name}...${c.reset}`);
-        console.log();
-        return await auditRepo(name);
-      }
-      console.log(`  ${c.yellow}✖  Not found${c.reset} — "${name}" hasn't been audited yet.`);
-      console.log();
-      console.log(`  ${c.dim}Next steps:${c.reset}`);
-      console.log(`    ${c.cyan}agentaudit check <repo-url>${c.reset}    ${c.dim}Auto-lookup + audit if not found${c.reset}`);
-      console.log(`    ${c.cyan}agentaudit audit <repo-url>${c.reset}    ${c.dim}Deep LLM audit${c.reset}`);
-      console.log(`    ${c.cyan}agentaudit scan <repo-url>${c.reset}     ${c.dim}Quick static check (no API key)${c.reset}`);
-    }
-    return null;
-  }
-  if (!jsonMode) {
-    const riskScore = data.risk_score ?? data.latest_risk_score ?? 0;
-    const trustScore = data.trust_score ?? (100 - riskScore);
-    const totalFindings = data.total_findings ?? 0;
-    const totalReports = data.total_reports ?? 0;
-    // Package name + verdict
-    console.log(`  ${c.bold}${data.display_name || name}${c.reset}  ${riskBadge(riskScore)}`);
-    if (data.description) console.log(`  ${c.dim}${data.description}${c.reset}`);
-    console.log();
-    // Trust Score (the main metric)
-    const trustColor = trustScore >= 70 ? c.green : trustScore >= 40 ? c.yellow : c.red;
-    const trustLabel = trustScore >= 70 ? 'SAFE' : trustScore >= 40 ? 'CAUTION' : 'UNSAFE';
-    console.log(`  ${trustColor}${c.bold}${trustLabel}${c.reset}  ${trustColor}Trust Score: ${trustScore}/100${c.reset}  ${c.dim}(Risk: ${riskScore}/100)${c.reset}`);
-    // Findings summary
-    if (totalFindings > 0) {
-      const maxSev = data.latest_max_severity;
-      const sevStr = maxSev ? `max severity: ${severityColor(maxSev)}${maxSev}${c.reset}` : '';
-      console.log(`  ${c.dim}Findings: ${totalFindings}${sevStr ? ` (${sevStr}${c.dim})` : ''}${c.reset}`);
-    } else {
-      console.log(`  ${c.dim}Findings: 0 (clean)${c.reset}`);
-    }
-    // Consensus / Confidence
-    const uniqueAgents = data.unique_agents ?? 0;
-    const confidence = data.confidence ?? 'unverified';
-    const confidenceDisplay = {
-      consensus: { icon: '🟢', label: 'Consensus Certified', color: c.green, desc: `${totalReports} reports from ${uniqueAgents} independent auditors agree` },
-      verified: { icon: '🟢', label: 'Verified', color: c.green, desc: `${totalReports} reports from ${uniqueAgents} auditors` },
-      low: { icon: '🟡', label: 'Low Confidence', color: c.yellow, desc: `${totalReports} reports but ${uniqueAgents <= 1 ? 'only 1 auditor' : `only ${uniqueAgents} auditors`}` },
-      unverified: { icon: '🔴', label: 'Unverified', color: c.yellow, desc: 'Single audit, no independent confirmation' },
-    }[confidence] || { icon: '⚪', label: confidence, color: c.dim, desc: '' };
-    console.log(`  ${confidenceDisplay.icon}  ${confidenceDisplay.color}${confidenceDisplay.label}${c.reset}  ${c.dim}${confidenceDisplay.desc}${c.reset}`);
-    // Audit info
-    console.log(`  ${c.dim}Reports: ${totalReports} | Auditors: ${uniqueAgents} | Last: ${data.last_audited_at ? new Date(data.last_audited_at).toLocaleDateString() : 'unknown'}${c.reset}`);
-    if (data.has_official_audit) console.log(`  ${c.green}✔ Officially audited${c.reset}`);
-    // Recommendation
-    if (confidence === 'unverified' && trustScore >= 70) {
-      console.log();
-      console.log(`  ${c.yellow}⚠  Score looks good but only 1 audit exists.${c.reset}`);
-      console.log(`  ${c.dim}   Consider running your own audit: agentaudit audit ${data.source_url || name}${c.reset}`);
-    } else if (confidence === 'low') {
-      console.log();
-      console.log(`  ${c.yellow}⚠  Limited independent verification.${c.reset}`);
-      console.log(`  ${c.dim}   More auditors needed for consensus. Run: agentaudit audit ${data.source_url || name}${c.reset}`);
-    }
-    // Links
-    console.log();
-    if (data.source_url) console.log(`  ${c.dim}Source:   ${data.source_url}${c.reset}`);
-    console.log(`  ${c.dim}Registry: ${REGISTRY_URL}/skills/${encodeURIComponent(name)}${c.reset}`);
-    console.log();
-  }
-  return data;
-}
-// ── Main ────────────────────────────────────────────────
-async function main() {
-  const rawArgs = process.argv.slice(2);
-  // MCP server mode: launched by an editor (no TTY + no args) or explicit --stdio flag
-  if (rawArgs.includes('--stdio') || (!process.stdin.isTTY && rawArgs.length === 0)) {
-    await import('./index.mjs');
-    return;
-  }
-  // Parse global flags early
-  jsonMode = rawArgs.includes('--json');
-  quietMode = rawArgs.includes('--quiet') || rawArgs.includes('-q');
-  // --no-color already handled at top level for `c` object
-  // --model flag: --model=<name> or --model <name>
-  const modelFlagIdx = rawArgs.findIndex(a => a === '--model');
-  const modelFlagEq = rawArgs.find(a => a.startsWith('--model='));
-  modelOverride = modelFlagEq?.split('=')[1]
-    || (modelFlagIdx >= 0 ? rawArgs[modelFlagIdx + 1] : null)
-    || process.env.AGENTAUDIT_MODEL
-    || loadConfig()?.preferred_model
-    || null;
-  globalModelOverride = modelOverride;
-  // Strip global flags from args
-  const globalFlags = new Set(['--json', '--quiet', '-q', '--no-color']);
-  let args = rawArgs.filter(a => !globalFlags.has(a));
-  // Strip --model and its value
-  args = args.filter((a, i, arr) => {
-    if (a.startsWith('--model=')) return false;
-    if (a === '--model') { arr[i + 1] = '__skip__'; return false; }
-    if (a === '__skip__') return false;
-    return true;
-  });
-  if (args[0] === '-v' || args[0] === '--version') {
-    console.log(`agentaudit ${getVersion()}`);
-    process.exitCode = 0; return;
-  }
-  if (args[0] === '--help' || args[0] === '-h') {
-    banner();
-    console.log(`  ${c.bold}USAGE${c.reset}`);
-    console.log(`    ${c.cyan}agentaudit${c.reset} <command> [options]`);
-    console.log();
-    console.log(`  ${c.bold}SCAN & AUDIT${c.reset}`);
-    console.log(`    ${c.cyan}scan${c.reset} <url> [url...]          Quick static analysis ${c.dim}(~2s, no API key)${c.reset}`);
-    console.log(`    ${c.cyan}audit${c.reset} <url> [url...]         Deep LLM security audit ${c.dim}(~30s)${c.reset}`);
-    console.log(`    ${c.cyan}discover${c.reset}                     Find MCP servers in your editors`);
-    console.log();
-    console.log(`  ${c.bold}REGISTRY${c.reset}`);
-    console.log(`    ${c.cyan}check${c.reset} <name|url>             Look up or auto-audit package`);
-    console.log(`    ${c.cyan}lookup${c.reset} <name>                Look up package in registry`);
-    console.log();
-    console.log(`  ${c.bold}SETUP${c.reset}`);
-    console.log(`    ${c.cyan}status${c.reset}                       Check providers & API keys`);
-    console.log(`    ${c.cyan}setup${c.reset}                        Register & configure`);
-    console.log(`    ${c.cyan}models${c.reset}                       List available LLM models`);
-    console.log(`    ${c.cyan}config set${c.reset} <key> <value>     Set default provider/options`);
-    console.log();
-    console.log(`  ${c.bold}OPTIONS${c.reset}`);
-    console.log(`    ${c.dim}--json         Machine-readable JSON output${c.reset}`);
-    console.log(`    ${c.dim}--quiet        Suppress banner${c.reset}`);
-    console.log(`    ${c.dim}--no-color     Disable colors ${c.reset}${c.dim}(also: NO_COLOR=1)${c.reset}`);
-    console.log(`    ${c.dim}--provider <p> Force provider ${c.reset}${c.dim}(anthropic|openai|openrouter|ollama|custom)${c.reset}`);
-    console.log(`    ${c.dim}--model <m>    Override model ${c.reset}${c.dim}(e.g. gpt-4o-mini, claude-3.5-sonnet)${c.reset}`);
-    console.log(`    ${c.dim}--export       Export audit payload to markdown${c.reset}`);
-    console.log(`    ${c.dim}--debug        Show raw LLM response on errors${c.reset}`);
-    console.log();
-    console.log(`  ${c.bold}EXAMPLES${c.reset}`);
-    console.log(`    ${c.dim}$${c.reset} agentaudit scan https://github.com/owner/repo`);
-    console.log(`    ${c.dim}$${c.reset} agentaudit audit https://github.com/owner/repo`);
-    console.log(`    ${c.dim}$${c.reset} agentaudit check fastmcp`);
-    console.log(`    ${c.dim}$${c.reset} agentaudit status`);
-    console.log();
-    console.log(`  ${c.bold}PROVIDERS${c.reset} ${c.dim}(set any one for deep audits)${c.reset}`);
-    console.log(`    ${c.dim}ANTHROPIC_API_KEY · OPENAI_API_KEY · OPENROUTER_API_KEY · OLLAMA_MODEL · LLM_API_URL${c.reset}`);
-    console.log(`    ${c.dim}Set default: AGENTAUDIT_PROVIDER=openai  AGENTAUDIT_MODEL=gpt-4o-mini${c.reset}`);
-    console.log(`    ${c.dim}Or persist: agentaudit config set provider openai${c.reset}`);
-    console.log(`    ${c.dim}            agentaudit config set model gpt-4o-mini${c.reset}`);
-    console.log(`    ${c.dim}Run ${c.cyan}agentaudit status${c.dim} to check configuration.${c.reset}`);
-    console.log();
-    process.exitCode = 0; return;
-  }
-  // Default no-arg → discover
-  const command = args.length === 0 ? 'discover' : args[0];
-  const targets = args.slice(1);
-  banner();
-  if (command === 'setup') {
-    await setupCommand();
-    return;
-  }
-  if (command === 'status') {
-    console.log(`  ${c.bold}LLM Providers:${c.reset}`);
-    console.log();
-    const keys = {
-      anthropicKey: process.env.ANTHROPIC_API_KEY,
-      openaiKey: process.env.OPENAI_API_KEY,
-      openrouterKey: process.env.OPENROUTER_API_KEY,
-    };
-    const ollamaHost = process.env.OLLAMA_HOST || 'http://localhost:11434';
-    const ollamaModel = process.env.OLLAMA_MODEL;
-    const customUrl = process.env.LLM_API_URL;
-    const checks = [
-      { name: 'Anthropic', env: 'ANTHROPIC_API_KEY', key: keys.anthropicKey, testUrl: 'https://api.anthropic.com/v1/messages', testHeaders: (k) => ({ 'x-api-key': k, 'anthropic-version': '2023-06-01', 'content-type': 'application/json' }), testBody: JSON.stringify({ model: 'claude-sonnet-4-20250514', max_tokens: 1, messages: [{ role: 'user', content: 'hi' }] }) },
-      { name: 'OpenAI', env: 'OPENAI_API_KEY', key: keys.openaiKey, testUrl: 'https://api.openai.com/v1/chat/completions', testHeaders: (k) => ({ 'Authorization': `Bearer ${k}`, 'Content-Type': 'application/json' }), testBody: JSON.stringify({ model: 'gpt-4o-mini', max_tokens: 1, messages: [{ role: 'user', content: 'hi' }] }) },
-      { name: 'OpenRouter', env: 'OPENROUTER_API_KEY', key: keys.openrouterKey, testUrl: 'https://openrouter.ai/api/v1/chat/completions', testHeaders: (k) => ({ 'Authorization': `Bearer ${k}`, 'Content-Type': 'application/json', 'HTTP-Referer': 'https://agentaudit.dev', 'X-Title': 'AgentAudit' }), testBody: JSON.stringify({ model: 'openai/gpt-4o-mini', max_tokens: 1, messages: [{ role: 'user', content: 'hi' }] }) },
-      { name: 'Ollama', env: 'OLLAMA_MODEL', key: ollamaModel, testUrl: `${ollamaHost}/api/tags`, testHeaders: () => ({}), testBody: null },
-      { name: 'Custom', env: 'LLM_API_URL', key: customUrl, testUrl: customUrl ? `${customUrl.replace(/\/$/, '')}/models` : null, testHeaders: (k) => process.env.LLM_API_KEY ? ({ 'Authorization': `Bearer ${process.env.LLM_API_KEY}` }) : {}, testBody: null },
-    ];
-    for (const p of checks) {
-      if (!p.key) {
-        console.log(`    ${c.dim}○${c.reset}  ${p.name.padEnd(12)} ${c.dim}not set${c.reset}  ${c.dim}(${p.env})${c.reset}`);
-        continue;
-      }
-      const masked = p.key.substring(0, 8) + '...' + p.key.substring(p.key.length - 4);
-      process.stdout.write(`    ${c.yellow}●${c.reset}  ${p.name.padEnd(12)} ${c.dim}${masked}${c.reset}  checking...`);
-      try {
-        const res = await fetch(p.testUrl, {
-          method: p.testBody ? 'POST' : 'GET',
-          headers: p.testHeaders(p.key),
-          ...(p.testBody ? { body: p.testBody } : {}),
-          signal: AbortSignal.timeout(10_000),
-        });
-        if (res.ok || res.status === 200 || res.status === 201) {
-          process.stdout.write(`\r    ${c.green}●${c.reset}  ${p.name.padEnd(12)} ${c.dim}${masked}${c.reset}  ${c.green}valid ✓${c.reset}  \n`);
-        } else {
-          const body = await res.json().catch(() => ({}));
-          const rawMsg = body?.error?.message || body?.message || `HTTP ${res.status}`;
-          // Detect specific error types for clearer messages
-          const lcMsg = rawMsg.toLowerCase();
-          let errMsg = rawMsg;
-          let hint = '';
-          if (lcMsg.includes('credit') || lcMsg.includes('balance') || lcMsg.includes('quota') || lcMsg.includes('billing') || lcMsg.includes('exceeded') || lcMsg.includes('insufficient')) {
-            errMsg = 'no credits';
-            if (p.name === 'Anthropic') hint = `\n       ${c.dim}└─ Add credits: console.anthropic.com/settings/plans${c.reset}`;
-            else if (p.name === 'OpenAI') hint = `\n       ${c.dim}└─ Check usage: platform.openai.com/usage${c.reset}`;
-            else if (p.name === 'OpenRouter') hint = `\n       ${c.dim}└─ Check balance: openrouter.ai/credits${c.reset}`;
-          } else if (res.status === 401 || lcMsg.includes('invalid') || lcMsg.includes('unauthorized') || lcMsg.includes('authentication')) {
-            errMsg = 'invalid key';
-            if (p.name === 'Anthropic') hint = `\n       ${c.dim}└─ Check key: console.anthropic.com/settings/keys${c.reset}`;
-            else if (p.name === 'OpenAI') hint = `\n       ${c.dim}└─ Check key: platform.openai.com/api-keys${c.reset}`;
-          } else if (res.status === 429) {
-            errMsg = 'rate limited';
-            hint = `\n       ${c.dim}└─ Try again in a moment${c.reset}`;
-          }
-          process.stdout.write(`\r    ${c.red}●${c.reset}  ${p.name.padEnd(12)} ${c.dim}${masked}${c.reset}  ${c.red}✖ ${errMsg}${c.reset}${hint}  \n`);
-        }
-      } catch (e) {
-        process.stdout.write(`\r    ${c.red}●${c.reset}  ${p.name.padEnd(12)} ${c.dim}${masked}${c.reset}  ${c.red}error ✗${c.reset} ${c.dim}(${e.message})${c.reset}  \n`);
-      }
-    }
-    const resolved = resolveProvider(null, keys);
-    console.log();
-    if (resolved) {
-      const activeModel = modelOverride || process.env.AGENTAUDIT_MODEL || loadConfig()?.preferred_model;
-      console.log(`    ${c.bold}Active:${c.reset} ${c.green}${resolved.label}${c.reset}${activeModel ? `  ${c.dim}model: ${activeModel}${c.reset}` : ''}`);
-      console.log(`    ${c.dim}Override: --provider=<name> --model=<name>${c.reset}`);
-      console.log(`    ${c.dim}Set default: agentaudit config set provider <name>${c.reset}`);
-      console.log(`    ${c.dim}             agentaudit config set model <name>${c.reset}`);
-    } else {
-      console.log(`    ${c.yellow}⚠  No working LLM provider.${c.reset} Deep audits require one.`);
-      console.log(`    ${c.dim}Set a key: export ANTHROPIC_API_KEY=sk-ant-...${c.reset}`);
-      console.log(`    ${c.dim}Or scan without LLM: agentaudit scan <url>${c.reset}`);
-    }
-    // AgentAudit registry key
-    console.log();
-    console.log(`  ${c.bold}Registry:${c.reset}`);
-    const creds = loadCredentials();
-    if (creds?.api_key) {
-      const masked = creds.api_key.substring(0, 8) + '...' + creds.api_key.substring(creds.api_key.length - 4);
-      console.log(`    ${c.green}●${c.reset}  AgentAudit  ${c.dim}${masked}${c.reset}  ${c.dim}(${creds.agent_name || 'unknown'})${c.reset}`);
-      // Fetch agent stats from leaderboard
-      try {
-        const lbRes = await fetch(`${REGISTRY_URL}/api/leaderboard`, { signal: AbortSignal.timeout(5000) });
-        if (lbRes.ok) {
-          const agents = await lbRes.json();
-          const myName = creds.agent_name?.toLowerCase();
-          const idx = Array.isArray(agents) ? agents.findIndex((a) => (a.agent_name || '').toLowerCase() === myName) : -1;
-          if (idx >= 0) {
-            const me = agents[idx];
-            const pts = me.total_points || 0;
-            const reports = me.total_reports || 0;
-            const rank = idx + 1;
-            const medal = rank === 1 ? '🥇' : rank === 2 ? '🥈' : rank === 3 ? '🥉' : '  ';
-            console.log();
-            console.log(`  ${c.bold}Your Stats:${c.reset}`);
-            console.log(`    ${medal} Rank #${rank} of ${agents.length}  ${c.dim}│${c.reset}  ${c.cyan}${pts}${c.reset} points  ${c.dim}│${c.reset}  ${reports} reports`);
-            if (me.is_official) console.log(`    ${c.green}✔ Official Auditor${c.reset}`);
-          }
-        }
-      } catch {}
-    } else {
-      console.log(`    ${c.dim}○${c.reset}  AgentAudit   ${c.dim}not set${c.reset}  ${c.dim}(run: agentaudit setup)${c.reset}`);
-    }
-    console.log();
-    return;
-  }
-  if (command === 'discover') {
-    const scanFlag = targets.includes('--quick') || targets.includes('--scan') || targets.includes('-s');
-    const auditFlag = targets.includes('--deep') || targets.includes('--audit') || targets.includes('-a');
-    await discoverCommand({ scan: scanFlag, audit: auditFlag });
-    return;
-  }
-  if (command === 'models') {
-    const anthropicKey = process.env.ANTHROPIC_API_KEY;
-    const openaiKey = process.env.OPENAI_API_KEY;
-    const openrouterKey = process.env.OPENROUTER_API_KEY;
-    console.log(`  ${c.bold}Available models by provider:${c.reset}`);
-    console.log();
-    // Static lists for Anthropic (no list API)
-    console.log(`  ${c.bold}Anthropic${c.reset}${anthropicKey ? ` ${c.green}(configured)${c.reset}` : ` ${c.dim}(not configured)${c.reset}`}`);
-    console.log(`    ${c.dim}claude-sonnet-4-20250514${c.reset}      ${c.dim}(default)${c.reset}`);
-    console.log(`    ${c.dim}claude-opus-4-20250514${c.reset}`);
-    console.log(`    ${c.dim}claude-haiku-3-20250514${c.reset}`);
-    console.log();
-    // Static list for OpenAI
-    console.log(`  ${c.bold}OpenAI${c.reset}${openaiKey ? ` ${c.green}(configured)${c.reset}` : ` ${c.dim}(not configured)${c.reset}`}`);
-    console.log(`    ${c.dim}gpt-4o${c.reset}                        ${c.dim}(default)${c.reset}`);
-    console.log(`    ${c.dim}gpt-4o-mini${c.reset}`);
-    console.log(`    ${c.dim}gpt-4.1${c.reset}`);
-    console.log(`    ${c.dim}gpt-4.1-mini${c.reset}`);
-    console.log(`    ${c.dim}o3${c.reset}`);
-    console.log(`    ${c.dim}o4-mini${c.reset}`);
-    console.log();
-    // OpenRouter — fetch from API
-    console.log(`  ${c.bold}OpenRouter${c.reset}${openrouterKey ? ` ${c.green}(configured)${c.reset}` : ` ${c.dim}(not configured)${c.reset}`}`);
-    if (openrouterKey || targets.includes('--all')) {
-      process.stdout.write(`    ${c.dim}Fetching models...${c.reset}`);
-      try {
-        const res = await fetch('https://openrouter.ai/api/v1/models', {
-          headers: openrouterKey ? { 'Authorization': `Bearer ${openrouterKey}` } : {},
-          signal: AbortSignal.timeout(10_000),
-        });
-        const data = await res.json();
-        const models = (data.data || [])
-          .filter(m => m.id && !m.id.includes(':free') && !m.id.includes('/extended'))
-          .sort((a, b) => (a.id || '').localeCompare(b.id || ''));
-        // Group by provider prefix
-        const groups = {};
-        for (const m of models) {
-          const [prefix] = m.id.split('/');
-          if (!groups[prefix]) groups[prefix] = [];
-          groups[prefix].push(m);
-        }
-        // Show popular ones first
-        const popular = ['anthropic', 'openai', 'google', 'meta-llama', 'mistralai', 'deepseek'];
-        const shown = new Set();
-        process.stdout.write(`\r    ${c.green}${models.length} models available${c.reset}                    \n`);
-        console.log();
-        for (const prefix of popular) {
-          if (!groups[prefix]) continue;
-          shown.add(prefix);
-          console.log(`    ${c.bold}${prefix}${c.reset}`);
-          for (const m of groups[prefix].slice(0, 5)) {
-            console.log(`      ${c.dim}${m.id}${c.reset}`);
-          }
-          if (groups[prefix].length > 5) {
-            console.log(`      ${c.dim}... and ${groups[prefix].length - 5} more${c.reset}`);
-          }
-        }
-        const otherCount = Object.keys(groups).filter(k => !shown.has(k)).length;
-        if (otherCount > 0) {
-          console.log();
-          console.log(`    ${c.dim}+ ${otherCount} more providers. Use --model=<provider/model>${c.reset}`);
-          console.log(`    ${c.dim}Full list: https://openrouter.ai/models${c.reset}`);
-        }
-      } catch (e) {
-        process.stdout.write(`\r    ${c.red}Failed to fetch: ${e.message}${c.reset}                    \n`);
-      }
-    } else {
-      console.log(`    ${c.dim}anthropic/claude-sonnet-4${c.reset}    ${c.dim}(default)${c.reset}`);
-      console.log(`    ${c.dim}Set OPENROUTER_API_KEY to see all ${c.bold}200+${c.reset}${c.dim} models${c.reset}`);
-      console.log(`    ${c.dim}Or browse: https://openrouter.ai/models${c.reset}`);
-    }
-    console.log();
-    // Ollama
-    const ollamaModel = process.env.OLLAMA_MODEL;
-    const ollamaHost = process.env.OLLAMA_HOST || 'http://localhost:11434';
-    console.log(`  ${c.bold}Ollama${c.reset}${ollamaModel ? ` ${c.green}(configured: ${ollamaModel})${c.reset}` : ` ${c.dim}(not configured)${c.reset}`}`);
-    if (ollamaModel || process.env.OLLAMA_HOST) {
-      try {
-        const res = await fetch(`${ollamaHost}/api/tags`, { signal: AbortSignal.timeout(5_000) });
-        const data = await res.json();
-        for (const m of (data.models || []).slice(0, 10)) {
-          console.log(`    ${c.dim}${m.name}${c.reset}`);
-        }
-      } catch {
-        console.log(`    ${c.dim}(Ollama not running at ${ollamaHost})${c.reset}`);
-      }
-    } else {
-      console.log(`    ${c.dim}Set OLLAMA_MODEL to use local models${c.reset}`);
-    }
-    console.log();
-    console.log(`  ${c.bold}Set model:${c.reset}`);
-    console.log(`    ${c.cyan}agentaudit config set model <name>${c.reset}`);
-    console.log(`    ${c.cyan}agentaudit audit <url> --model <name>${c.reset}`);
-    console.log(`    ${c.dim}Or env: AGENTAUDIT_MODEL=<name>${c.reset}`);
-    return;
-  }
-  if (command === 'config') {
-    const subCmd = targets[0];
-    if (subCmd === 'set' && targets[1] === 'provider' && targets[2]) {
-      const validProviders = ['anthropic', 'openai', 'openrouter', 'ollama', 'custom', 'claude', 'gpt'];
-      const val = targets[2].toLowerCase();
-      if (!validProviders.includes(val)) {
-        console.log(`  ${c.red}✖  Unknown provider: ${val}${c.reset}`);
-        console.log(`     ${c.dim}Valid: anthropic, openai, openrouter, ollama, custom${c.reset}`);
-        process.exitCode = 2; return;
-      }
-      saveConfig({ preferred_provider: val });
-      console.log(`  ${c.green}✔${c.reset}  Default provider set to: ${c.bold}${val}${c.reset}`);
-      console.log(`     ${c.dim}Override per-command: --provider=<name>${c.reset}`);
-      console.log(`     ${c.dim}Or env: AGENTAUDIT_PROVIDER=<name>${c.reset}`);
-    } else if (subCmd === 'set' && targets[1] === 'model' && targets[2]) {
-      const val = targets[2];
-      saveConfig({ preferred_model: val });
-      console.log(`  ${c.green}✔${c.reset}  Default model set to: ${c.bold}${val}${c.reset}`);
-      console.log(`     ${c.dim}Override per-command: --model=<name>${c.reset}`);
-      console.log(`     ${c.dim}Or env: AGENTAUDIT_MODEL=<name>${c.reset}`);
-    } else if (subCmd === 'get' || !subCmd) {
-      const cfg = loadConfig();
-      console.log(`  ${c.bold}Config:${c.reset} ${USER_CONFIG_FILE}`);
-      if (Object.keys(cfg).length === 0) {
-        console.log(`  ${c.dim}(empty — using defaults)${c.reset}`);
-      } else {
-        for (const [k, v] of Object.entries(cfg)) {
-          console.log(`  ${c.dim}${k}:${c.reset} ${v}`);
-        }
-      }
-    } else if (subCmd === 'reset') {
-      try { fs.unlinkSync(USER_CONFIG_FILE); } catch {}
-      console.log(`  ${c.green}✔${c.reset}  Config reset to defaults.`);
-    } else {
-      console.log(`  ${c.red}✖  Unknown config command${c.reset}`);
-      console.log(`     ${c.dim}Usage: agentaudit config set provider <name>${c.reset}`);
-      console.log(`     ${c.dim}       agentaudit config get${c.reset}`);
-      console.log(`     ${c.dim}       agentaudit config reset${c.reset}`);
-    }
-    return;
-  }
-  if (command === 'lookup' || command === 'check') {
-    const names = targets.filter(t => !t.startsWith('--'));
-    if (names.length === 0) {
-      console.log(`  ${c.red}✖  Package name or URL required${c.reset}`);
-      console.log(`     ${c.dim}Usage: agentaudit check <name|url>${c.reset}`);
-      process.exitCode = 2;
-      return;
-    }
-    const results = [];
-    const allowAutoAudit = command === 'check'; // only 'check' auto-audits, 'lookup' never does
-    for (const t of names) {
-      const data = await checkPackage(t, { autoAudit: allowAutoAudit });
-      results.push(data);
-    }
-    if (jsonMode) {
-      console.log(JSON.stringify(results.length === 1 ? (results[0] || { error: 'not_found' }) : results, null, 2));
-    }
-    process.exitCode = 0; return;
-  }
-  if (command === 'scan') {
-    const urls = targets.filter(t => !t.startsWith('--'));
-    if (urls.length === 0) {
-      console.log(`  ${c.red}✖  Repository URL required${c.reset}`);
-      console.log(`     ${c.dim}Usage: agentaudit scan <url>${c.reset}`);
-      console.log(`     ${c.dim}Or discover local servers: ${c.cyan}agentaudit discover${c.reset}`);
-      process.exitCode = 2;
-      return;
-    }
-    const results = [];
-    let hadErrors = false;
-    for (const url of urls) {
-      const result = await scanRepo(url);
-      if (result) results.push(result);
-      else hadErrors = true;
-    }
-    if (jsonMode) {
-      const jsonOut = results.map(r => ({
-        slug: r.slug,
-        url: r.url,
-        findings: r.findings.map(f => ({
-          severity: f.severity,
-          title: f.title,
-          file: f.file,
-          line: f.line,
-          snippet: f.snippet,
-        })),
-        fileCount: r.files,
-        duration: r.duration,
-      }));
-      console.log(JSON.stringify(jsonOut.length === 1 ? jsonOut[0] : jsonOut, null, 2));
-    } else if (results.length > 1) {
-      printSummary(results);
-    }
-    if (hadErrors && results.length === 0) { process.exitCode = 2; return; }
-    const totalFindings = results.reduce((sum, r) => sum + r.findings.length, 0);
-    process.exitCode = totalFindings > 0 ? 1 : 0;
-    return;
-  }
-  if (command === 'audit') {
-    const urls = targets.filter(t => !t.startsWith('--'));
-    if (urls.length === 0) {
-      console.log(`  ${c.red}✖  Repository URL required${c.reset}`);
-      console.log(`     ${c.dim}Usage: agentaudit audit <url>${c.reset}`);
-      process.exitCode = 2;
-      return;
-    }
-    let hasFindings = false;
-    for (const url of urls) {
-      const report = await auditRepo(url);
-      if (report?.findings?.length > 0) hasFindings = true;
-    }
-    process.exitCode = hasFindings ? 1 : 0;
-    return;
-  }
-  // Typo correction via Levenshtein distance
-  const knownCommands = ['discover', 'scan', 'audit', 'check', 'lookup', 'status', 'setup', 'config', 'models'];
-  const suggestion = knownCommands
-    .map(cmd => ({ cmd, dist: levenshtein(command, cmd) }))
-    .filter(x => x.dist <= 3)
-    .sort((a, b) => a.dist - b.dist)[0];
-  console.log(`  ${c.red}✖  Unknown command: ${command}${c.reset}`);
-  if (suggestion) {
-    console.log(`     ${c.dim}Did you mean: ${c.cyan}agentaudit ${suggestion.cmd}${c.reset}${c.dim}?${c.reset}`);
-  }
-  console.log(`     ${c.dim}Run ${c.cyan}agentaudit --help${c.dim} for usage${c.reset}`);
-  process.exitCode = 2;
-}
-main().catch(err => {
-  console.error(`${c.red}Error: ${err.message}${c.reset}`);
-  process.exitCode = 2;
-});
+#!/usr/bin/env node
+/**
+ * AgentAudit CLI — Security scanner for AI tools
+ *
+ * Scan & Audit:  scan <url>, audit <url>, discover
+ * Registry:      check <name|url>, lookup <name>
+ * Setup:         status, setup, config
+ *
+ * Global flags: --json, --quiet, --no-color, --provider, --debug, --export
+ */
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { execSync } from 'child_process';
+import { createInterface } from 'readline';
+import { fileURLToPath } from 'url';
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const SKILL_DIR = path.resolve(__dirname);
+const REGISTRY_URL = 'https://agentaudit.dev';
+// ── Provider resolution ────
+function resolveProvider(flagOverride, keys) {
+  const orModel = process.env.OPENROUTER_MODEL || 'anthropic/claude-sonnet-4';
+  const ollamaModel = process.env.OLLAMA_MODEL || 'llama3.1';
+  const ollamaHost = process.env.OLLAMA_HOST || 'http://localhost:11434';
+  const customUrl = process.env.LLM_API_URL;
+  const customKey = process.env.LLM_API_KEY;
+  const customModel = process.env.LLM_MODEL || 'default';
+  const providers = {
+    anthropic: keys.anthropicKey ? { id: 'anthropic', label: 'Anthropic (Claude)', key: keys.anthropicKey } : null,
+    openai: keys.openaiKey ? { id: 'openai', label: 'OpenAI (GPT-4o)', key: keys.openaiKey } : null,
+    openrouter: keys.openrouterKey ? { id: 'openrouter', label: `OpenRouter (${orModel})`, key: keys.openrouterKey } : null,
+    ollama: process.env.OLLAMA_MODEL || process.env.OLLAMA_HOST ? { id: 'ollama', label: `Ollama (${ollamaModel})`, key: null, host: ollamaHost, model: ollamaModel } : null,
+    custom: customUrl ? { id: 'custom', label: `Custom (${customModel})`, key: customKey, url: customUrl, model: customModel } : null,
+  };
+  // Aliases
+  const aliases = { claude: 'anthropic', gpt: 'openai', 'gpt-4o': 'openai', 'gpt4': 'openai', or: 'openrouter', local: 'ollama' };
+  // Priority: --provider flag > AGENTAUDIT_PROVIDER env > config file > model-inferred > auto-detect
+  const preferred = flagOverride
+    || process.env.AGENTAUDIT_PROVIDER?.toLowerCase()
+    || loadConfig()?.preferred_provider
+    || null;
+  if (preferred) {
+    const resolved = aliases[preferred] || preferred;
+    const p = providers[resolved];
+    if (!p) return null;
+    return p;
+  }
+  // Smart inference: if model is set, try to match it to a provider
+  const activeModel = globalModelOverride || process.env.AGENTAUDIT_MODEL || loadConfig()?.preferred_model;
+  if (activeModel) {
+    const lm = activeModel.toLowerCase();
+    // Direct provider models (no slash = native format)
+    if (!lm.includes('/')) {
+      if (lm.startsWith('claude') && providers.anthropic) return providers.anthropic;
+      if ((lm.startsWith('gpt') || lm.startsWith('o3') || lm.startsWith('o4') || lm.startsWith('o1')) && providers.openai) return providers.openai;
+      if (providers.ollama && (process.env.OLLAMA_MODEL || process.env.OLLAMA_HOST)) return providers.ollama;
+    }
+    // Slash format = OpenRouter convention (provider/model)
+    if (lm.includes('/') && providers.openrouter) return providers.openrouter;
+  }
+  // Auto-detect priority: Anthropic > OpenAI > OpenRouter > Custom > Ollama (local last — usually weaker)
+  return providers.anthropic || providers.openai || providers.openrouter || providers.custom || providers.ollama || null;
+}
+// ── Global flags (set in main before command routing) ────
+let jsonMode = false;
+let quietMode = false;
+let modelOverride = null; // --model flag or AGENTAUDIT_MODEL env or config
+let globalModelOverride = null; // same, but set early for resolveProvider
+// ── ANSI Colors (respects NO_COLOR and --no-color) ───────
+const noColor = !!(process.env.NO_COLOR || process.argv.includes('--no-color'));
+const c = noColor ? {
+  reset: '', bold: '', dim: '', red: '', green: '', yellow: '',
+  blue: '', magenta: '', cyan: '', white: '', gray: '',
+  bgRed: '', bgGreen: '', bgYellow: '',
+} : {
+  reset: '\x1b[0m',
+  bold: '\x1b[1m',
+  dim: '\x1b[2m',
+  red: '\x1b[31m',
+  green: '\x1b[32m',
+  yellow: '\x1b[33m',
+  blue: '\x1b[34m',
+  magenta: '\x1b[35m',
+  cyan: '\x1b[36m',
+  white: '\x1b[37m',
+  gray: '\x1b[90m',
+  bgRed: '\x1b[41m',
+  bgGreen: '\x1b[42m',
+  bgYellow: '\x1b[43m',
+};
+const icons = {
+  safe: `${c.green}✔${c.reset}`,
+  caution: `${c.yellow}⚠${c.reset}`,
+  unsafe: `${c.red}✖${c.reset}`,
+  info: `${c.blue}ℹ${c.reset}`,
+  scan: `${c.cyan}◉${c.reset}`,
+  tree: `${c.gray}├──${c.reset}`,
+  treeLast: `${c.gray}└──${c.reset}`,
+  pipe: `${c.gray}│${c.reset}`,
+  bullet: `${c.gray}•${c.reset}`,
+};
+// ── Credentials ─────────────────────────────────────────
+const home = process.env.HOME || process.env.USERPROFILE || '';
+const xdgConfig = process.env.XDG_CONFIG_HOME || path.join(home, '.config');
+const USER_CRED_DIR = path.join(xdgConfig, 'agentaudit');
+const USER_CRED_FILE = path.join(USER_CRED_DIR, 'credentials.json');
+const SKILL_CRED_FILE = path.join(SKILL_DIR, 'config', 'credentials.json');
+function loadCredentials() {
+  for (const f of [SKILL_CRED_FILE, USER_CRED_FILE]) {
+    if (fs.existsSync(f)) {
+      try {
+        const data = JSON.parse(fs.readFileSync(f, 'utf8'));
+        if (data.api_key) return data;
+      } catch {}
+    }
+  }
+  if (process.env.AGENTAUDIT_API_KEY) {
+    return { api_key: process.env.AGENTAUDIT_API_KEY, agent_name: 'env' };
+  }
+  return null;
+}
+function saveCredentials(data) {
+  const json = JSON.stringify(data, null, 2);
+  fs.mkdirSync(USER_CRED_DIR, { recursive: true });
+  fs.writeFileSync(USER_CRED_FILE, json, { mode: 0o600 });
+  try {
+    fs.mkdirSync(path.dirname(SKILL_CRED_FILE), { recursive: true });
+    fs.writeFileSync(SKILL_CRED_FILE, json, { mode: 0o600 });
+  } catch {}
+}
+const USER_CONFIG_FILE = path.join(USER_CRED_DIR, 'config.json');
+const USER_STATS_FILE = path.join(USER_CRED_DIR, 'stats-cache.json');
+function loadStatsCache() {
+  try { return fs.existsSync(USER_STATS_FILE) ? JSON.parse(fs.readFileSync(USER_STATS_FILE, 'utf8')) : null; } catch { return null; }
+}
+function saveStatsCache(stats) {
+  try { fs.mkdirSync(USER_CRED_DIR, { recursive: true }); fs.writeFileSync(USER_STATS_FILE, JSON.stringify({ ...stats, _ts: Date.now() })); } catch {}
+}
+async function refreshStatsCache(agentName) {
+  try {
+    const lbRes = await fetch(`${REGISTRY_URL}/api/leaderboard`, { signal: AbortSignal.timeout(5000) });
+    if (!lbRes.ok) return null;
+    const agents = await lbRes.json();
+    const idx = Array.isArray(agents) ? agents.findIndex(a => (a.agent_name || '').toLowerCase() === agentName.toLowerCase()) : -1;
+    if (idx < 0) return null;
+    const me = agents[idx];
+    const stats = { rank: idx + 1, total: agents.length, pts: me.total_points || 0, reports: me.total_reports || 0, official: !!me.is_official };
+    saveStatsCache(stats);
+    return stats;
+  } catch { return null; }
+}
+function loadConfig() {
+  try {
+    if (fs.existsSync(USER_CONFIG_FILE)) {
+      return JSON.parse(fs.readFileSync(USER_CONFIG_FILE, 'utf8'));
+    }
+  } catch {}
+  return {};
+}
+function saveConfig(data) {
+  const existing = loadConfig();
+  const merged = { ...existing, ...data };
+  fs.mkdirSync(USER_CRED_DIR, { recursive: true });
+  fs.writeFileSync(USER_CONFIG_FILE, JSON.stringify(merged, null, 2), { mode: 0o600 });
+}
+function askQuestion(question) {
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise(resolve => rl.question(question, answer => { rl.close(); resolve(answer.trim()); }));
+}
+/**
+ * Interactive multi-select in terminal. No dependencies.
+ * items: [{ label, sublabel?, value, checked? }]
+ * Returns: array of selected values
+ */
+function multiSelect(items, { title = 'Select items', hint = 'Space=toggle  ↑↓=move  a=all  n=none  Enter=confirm' } = {}) {
+  return new Promise((resolve) => {
+    if (!process.stdin.isTTY) {
+      // Non-interactive: return all items
+      resolve(items.map(i => i.value));
+      return;
+    }
+    const selected = new Set(items.filter(i => i.checked).map((_, idx) => idx));
+    let cursor = 0;
+    const render = () => {
+      // Move cursor up to overwrite previous render
+      process.stdout.write(`\x1b[${items.length + 3}A\x1b[J`);
+      draw();
+    };
+    const draw = () => {
+      console.log(`  ${c.bold}${title}${c.reset}  ${c.dim}(${selected.size}/${items.length} selected)${c.reset}`);
+      console.log(`  ${c.dim}${hint}${c.reset}`);
+      console.log();
+      for (let i = 0; i < items.length; i++) {
+        const item = items[i];
+        const isCursor = i === cursor;
+        const isSelected = selected.has(i);
+        const pointer = isCursor ? `${c.cyan}❯${c.reset}` : ' ';
+        const checkbox = isSelected ? `${c.green}◉${c.reset}` : `${c.dim}○${c.reset}`;
+        const label = isCursor ? `${c.bold}${item.label}${c.reset}` : item.label;
+        const sub = item.sublabel ? `  ${c.dim}${item.sublabel}${c.reset}` : '';
+        console.log(` ${pointer} ${checkbox}  ${label}${sub}`);
+      }
+    };
+    // Initial draw
+    draw();
+    process.stdin.setRawMode(true);
+    process.stdin.resume();
+    process.stdin.setEncoding('utf8');
+    const onData = (key) => {
+      // Ctrl+C
+      if (key === '\x03') {
+        process.stdin.setRawMode(false);
+        process.stdin.pause();
+        process.stdin.removeListener('data', onData);
+        console.log();
+        process.exitCode = 0; return;
+      }
+      // Enter
+      if (key === '\r' || key === '\n') {
+        process.stdin.setRawMode(false);
+        process.stdin.pause();
+        process.stdin.removeListener('data', onData);
+        resolve(items.filter((_, i) => selected.has(i)).map(i => i.value));
+        return;
+      }
+      // Space — toggle
+      if (key === ' ') {
+        if (selected.has(cursor)) selected.delete(cursor);
+        else selected.add(cursor);
+        render();
+        return;
+      }
+      // a — select all
+      if (key === 'a') {
+        for (let i = 0; i < items.length; i++) selected.add(i);
+        render();
+        return;
+      }
+      // n — select none
+      if (key === 'n') {
+        selected.clear();
+        render();
+        return;
+      }
+      // Arrow up / k
+      if (key === '\x1b[A' || key === 'k') {
+        cursor = (cursor - 1 + items.length) % items.length;
+        render();
+        return;
+      }
+      // Arrow down / j
+      if (key === '\x1b[B' || key === 'j') {
+        cursor = (cursor + 1) % items.length;
+        render();
+        return;
+      }
+    };
+    process.stdin.on('data', onData);
+  });
+}
+async function registerAgent(agentName) {
+  const res = await fetch(`${REGISTRY_URL}/api/register`, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' },
+    body: JSON.stringify({ agent_name: agentName }),
+    signal: AbortSignal.timeout(15_000),
+  });
+  if (!res.ok) throw new Error(`Registration failed (HTTP ${res.status}): ${await res.text()}`);
+  return res.json();
+}
+async function setupCommand() {
+  console.log(`  ${c.bold}Setup${c.reset}`);
+  console.log();
+  const existing = loadCredentials();
+  if (existing) {
+    console.log(`  ${icons.safe}  Already configured as ${c.bold}${existing.agent_name}${c.reset}`);
+    console.log(`  ${c.dim}Key: ${existing.api_key.slice(0, 8)}...${c.reset}`);
+    console.log();
+    const answer = await askQuestion(`  Reconfigure? ${c.dim}(y/N)${c.reset} `);
+    if (answer.toLowerCase() !== 'y') {
+      console.log(`  ${c.dim}Keeping existing config.${c.reset}`);
+      return;
+    }
+    console.log();
+  }
+  console.log(`  ${c.bold}1)${c.reset} Register new agent ${c.dim}(free, creates API key automatically)${c.reset}`);
+  console.log(`  ${c.bold}2)${c.reset} Enter existing API key`);
+  console.log();
+  const choice = await askQuestion(`  Choice ${c.dim}(1/2)${c.reset}: `);
+  console.log();
+  if (choice === '2') {
+    const key = await askQuestion(`  API Key: `);
+    if (!key) { console.log(`  ${c.red}No key entered.${c.reset}`); return; }
+    const name = await askQuestion(`  Agent name ${c.dim}(optional)${c.reset}: `);
+    saveCredentials({ api_key: key, agent_name: name || 'custom' });
+    console.log();
+    console.log(`  ${icons.safe}  Saved! Key stored in ${c.dim}${USER_CRED_FILE}${c.reset}`);
+  } else {
+    const name = await askQuestion(`  Agent name ${c.dim}(e.g. my-scanner, claude-desktop)${c.reset}: `);
+    if (!name || !/^[a-zA-Z0-9._-]{2,64}$/.test(name)) {
+      console.log(`  ${c.red}Invalid name. Use 2-64 chars: letters, numbers, dash, underscore, dot.${c.reset}`);
+      return;
+    }
+    process.stdout.write(`  Registering ${c.bold}${name}${c.reset}...`);
+    try {
+      const data = await registerAgent(name);
+      saveCredentials({ api_key: data.api_key, agent_name: data.agent_name });
+      console.log(` ${c.green}done!${c.reset}`);
+      console.log();
+      console.log(`  ${icons.safe}  Registered as ${c.bold}${data.agent_name}${c.reset}`);
+      console.log(`  ${c.dim}Key: ${data.api_key.slice(0, 12)}...${c.reset}`);
+      console.log(`  ${c.dim}Saved to: ${USER_CRED_FILE}${c.reset}`);
+      // Initialize stats cache
+      refreshStatsCache(data.agent_name).catch(() => {});
+    } catch (err) {
+      console.log(` ${c.red}failed${c.reset}`);
+      console.log(`  ${c.red}${err.message}${c.reset}`);
+      return;
+    }
+  }
+  console.log();
+  console.log(`  ${c.bold}Ready!${c.reset} You can now:`);
+  console.log(`  ${c.dim}•${c.reset} Discover servers: ${c.cyan}agentaudit discover${c.reset}`);
+  console.log(`  ${c.dim}•${c.reset} Audit packages:   ${c.cyan}agentaudit audit <repo-url>${c.reset}  ${c.dim}(deep LLM analysis)${c.reset}`);
+  console.log(`  ${c.dim}•${c.reset} Quick scan:        ${c.cyan}agentaudit scan <repo-url>${c.reset}  ${c.dim}(regex-based)${c.reset}`);
+  console.log(`  ${c.dim}•${c.reset} Check registry:    ${c.cyan}agentaudit check <name>${c.reset}`);
+  console.log(`  ${c.dim}•${c.reset} Submit reports via MCP in Claude/Cursor/Windsurf`);
+  console.log();
+}
+// ── Structured error output ─────────────────────────────
+function emitError(code, message, hint, exitCode = 2) {
+  if (jsonMode) {
+    process.stderr.write(JSON.stringify({ error: true, code, message, hint: hint || undefined, exitCode }) + '\n');
+  }
+  process.exitCode = exitCode;
+}
+// ── Levenshtein distance for typo correction ────────────
+function levenshtein(a, b) {
+  const m = a.length, n = b.length;
+  const dp = Array.from({ length: m + 1 }, () => Array(n + 1).fill(0));
+  for (let i = 0; i <= m; i++) dp[i][0] = i;
+  for (let j = 0; j <= n; j++) dp[0][j] = j;
+  for (let i = 1; i <= m; i++)
+    for (let j = 1; j <= n; j++)
+      dp[i][j] = Math.min(dp[i-1][j] + 1, dp[i][j-1] + 1, dp[i-1][j-1] + (a[i-1] !== b[j-1] ? 1 : 0));
+  return dp[m][n];
+}
+// ── Helpers ──────────────────────────────────────────────
+function getVersion() {
+  try {
+    const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, 'package.json'), 'utf8'));
+    return pkg.version || '0.0.0';
+  } catch { return '0.0.0'; }
+}
+function banner() {
+  if (quietMode || jsonMode) return;
+  const creds = loadCredentials();
+  const agentInfo = creds?.agent_name ? `  ${c.dim}·${c.reset}  ${c.green}${creds.agent_name}${c.reset}` : '';
+  console.log();
+  console.log(`  🛡  ${c.bold}${c.cyan}AgentAudit${c.reset} ${c.dim}v${getVersion()}${c.reset}${agentInfo}`);
+  // Show cached stats inline
+  if (creds?.agent_name) {
+    const cached = loadStatsCache();
+    if (cached && cached.pts !== undefined) {
+      const medal = cached.rank === 1 ? '🥇' : cached.rank === 2 ? '🥈' : cached.rank === 3 ? '🥉' : `#${cached.rank}`;
+      console.log(`  ${c.dim}${medal} · ${cached.pts} pts · ${cached.reports} reports${cached.official ? ` · ${c.green}Official${c.reset}${c.dim}` : ''}${c.reset}`);
+    }
+  } else {
+    console.log(`  ${c.dim}Security scanner for AI tools${c.reset}`);
+  }
+  console.log();
+}
+function slugFromUrl(url) {
+  const match = url.match(/github\.com\/([^/]+)\/([^/.\s]+)/);
+  if (match) {
+    const owner = match[1].toLowerCase().replace(/[^a-z0-9-]/g, '-');
+    const repo = match[2].toLowerCase().replace(/[^a-z0-9-]/g, '-');
+    // Generic repo names get owner prefix to avoid collisions
+    const generic = ['mcp', 'server', 'plugin', 'tool', 'agent', 'sdk', 'api', 'app', 'cli', 'lib', 'core'];
+    if (generic.includes(repo)) return `${owner}-${repo}`;
+    return repo;
+  }
+  return url.replace(/[^a-z0-9]/gi, '-').toLowerCase().slice(0, 60);
+}
+function elapsed(startMs) {
+  const ms = Date.now() - startMs;
+  if (ms < 1000) return `${ms}ms`;
+  return `${(ms / 1000).toFixed(1)}s`;
+}
+function riskBadge(score) {
+  if (score === 0) return `${c.bgGreen}${c.bold}${c.white} SAFE ${c.reset}`;
+  if (score <= 10) return `${c.bgGreen}${c.white} LOW ${c.reset}`;
+  if (score <= 30) return `${c.bgYellow}${c.bold} CAUTION ${c.reset}`;
+  return `${c.bgRed}${c.bold}${c.white} UNSAFE ${c.reset}`;
+}
+function severityColor(sev) {
+  switch (sev) {
+    case 'critical': return c.red;
+    case 'high': return c.red;
+    case 'medium': return c.yellow;
+    case 'low': return c.blue;
+    default: return c.gray;
+  }
+}
+function severityIcon(sev) {
+  switch (sev) {
+    case 'critical': return `${c.red}●${c.reset}`;
+    case 'high': return `${c.red}●${c.reset}`;
+    case 'medium': return `${c.yellow}●${c.reset}`;
+    case 'low': return `${c.blue}●${c.reset}`;
+    default: return `${c.green}●${c.reset}`;
+  }
+}
+// ── File Collection (same logic as MCP server) ──────────
+function extractJSON(text) {
+  // 1. Try parsing the entire text as JSON directly
+  try { return JSON.parse(text.trim()); } catch {}
+  // 2. Strip markdown code fences — try last fence first (report is usually at the end)
+  const fenceMatches = [...text.matchAll(/```(?:json)?\s*\n?([\s\S]*?)\n?\s*```/g)];
+  for (let i = fenceMatches.length - 1; i >= 0; i--) {
+    try {
+      const parsed = JSON.parse(fenceMatches[i][1].trim());
+      if (parsed && typeof parsed === 'object' && ('risk_score' in parsed || 'findings' in parsed || 'result' in parsed)) return parsed;
+    } catch {}
+  }
+  // Try any fence even without report keys
+  for (let i = fenceMatches.length - 1; i >= 0; i--) {
+    try { return JSON.parse(fenceMatches[i][1].trim()); } catch {}
+  }
+  // 3. Find ALL balanced top-level { ... } blocks, try each (prefer largest valid one)
+  const blocks = [];
+  let searchFrom = 0;
+  while (searchFrom < text.length) {
+    const start = text.indexOf('{', searchFrom);
+    if (start === -1) break;
+    let depth = 0, inStr = false, esc = false;
+    let end = -1;
+    for (let i = start; i < text.length; i++) {
+      const ch = text[i];
+      if (esc) { esc = false; continue; }
+      if (ch === '\\' && inStr) { esc = true; continue; }
+      if (ch === '"') { inStr = !inStr; continue; }
+      if (inStr) continue;
+      if (ch === '{') depth++;
+      else if (ch === '}') { depth--; if (depth === 0) { end = i; break; } }
+    }
+    if (end > start) {
+      blocks.push(text.slice(start, end + 1));
+      searchFrom = end + 1;
+    } else {
+      searchFrom = start + 1;
+    }
+  }
+  // Try largest block first (the report JSON is usually the biggest)
+  blocks.sort((a, b) => b.length - a.length);
+  for (const block of blocks) {
+    try { return JSON.parse(block); } catch {}
+  }
+  return null;
+}
+const MAX_FILE_SIZE = 50_000;
+const MAX_TOTAL_SIZE = 300_000;
+const SKIP_DIRS = new Set([
+  'node_modules', '.git', '__pycache__', '.venv', 'venv', 'dist', 'build',
+  '.next', '.nuxt', 'coverage', '.pytest_cache', '.mypy_cache', 'vendor',
+  'test', 'tests', '__tests__', 'spec', 'specs', 'docs', 'doc',
+  'examples', 'example', 'fixtures', '.github', '.vscode', '.idea',
+  'e2e', 'benchmark', 'benchmarks', '.tox', '.eggs', 'htmlcov',
+]);
+const SKIP_EXTENSIONS = new Set([
+  '.lock', '.png', '.jpg', '.jpeg', '.gif', '.svg', '.ico', '.woff',
+  '.woff2', '.ttf', '.eot', '.mp3', '.mp4', '.zip', '.tar', '.gz',
+  '.map', '.min.js', '.min.css', '.d.ts', '.pyc', '.pyo', '.so',
+  '.dylib', '.dll', '.exe', '.bin', '.dat', '.db', '.sqlite',
+]);
+function collectFiles(dir, basePath = '', collected = [], totalSize = { bytes: 0 }) {
+  if (totalSize.bytes >= MAX_TOTAL_SIZE) return collected;
+  let entries;
+  try { entries = fs.readdirSync(dir, { withFileTypes: true }); }
+  catch { return collected; }
+  entries.sort((a, b) => a.name.localeCompare(b.name));
+  for (const entry of entries) {
+    if (totalSize.bytes >= MAX_TOTAL_SIZE) break;
+    const relPath = basePath ? `${basePath}/${entry.name}` : entry.name;
+    const fullPath = path.join(dir, entry.name);
+    if (entry.isDirectory()) {
+      if (SKIP_DIRS.has(entry.name) || entry.name.startsWith('.')) continue;
+      collectFiles(fullPath, relPath, collected, totalSize);
+    } else {
+      const ext = path.extname(entry.name).toLowerCase();
+      if (SKIP_EXTENSIONS.has(ext)) continue;
+      try {
+        const stat = fs.statSync(fullPath);
+        if (stat.size > MAX_FILE_SIZE || stat.size === 0) continue;
+        const content = fs.readFileSync(fullPath, 'utf8');
+        totalSize.bytes += content.length;
+        collected.push({ path: relPath, content, size: stat.size });
+      } catch {}
+    }
+  }
+  return collected;
+}
+// ── Detect package properties ───────────────────────────
+function detectPackageInfo(repoPath, files) {
+  const info = { type: 'unknown', tools: [], prompts: [], language: 'unknown', entrypoint: null };
+  // Detect language
+  const exts = files.map(f => path.extname(f.path).toLowerCase());
+  const extCounts = {};
+  exts.forEach(e => { extCounts[e] = (extCounts[e] || 0) + 1; });
+  const topExt = Object.entries(extCounts).sort((a, b) => b[1] - a[1])[0]?.[0];
+  const langMap = { '.py': 'Python', '.js': 'JavaScript', '.ts': 'TypeScript', '.mjs': 'JavaScript', '.rs': 'Rust', '.go': 'Go', '.java': 'Java', '.rb': 'Ruby' };
+  info.language = langMap[topExt] || topExt || 'unknown';
+  // Detect package type
+  const allContent = files.map(f => f.content).join('\n');
+  if (allContent.includes('@modelcontextprotocol') || allContent.includes('FastMCP') || allContent.includes('mcp.server') || allContent.includes('mcp_server')) {
+    info.type = 'mcp-server';
+  } else if (files.some(f => f.path.toLowerCase() === 'skill.md')) {
+    info.type = 'agent-skill';
+  } else if (allContent.includes('#!/usr/bin/env') || allContent.includes('argparse') || allContent.includes('commander')) {
+    info.type = 'cli-tool';
+  } else {
+    info.type = 'library';
+  }
+  // Extract MCP tools (look for tool definitions)
+  const toolPatterns = [
+    // JS/TS: name: 'tool_name' or "tool_name" in tool definitions
+    /(?:name|tool_name)['":\s]+['"]([a-z_][a-z0-9_]*)['"]/gi,
+    // Python: @mcp.tool() def func_name or Tool(name="...")
+    /(?:@(?:mcp|server)\.tool\(\)[\s\S]*?def\s+([a-z_][a-z0-9_]*))|(?:Tool\s*\(\s*name\s*=\s*['"]([a-z_][a-z0-9_]*)['"])/gi,
+    // Direct: tool names in ListTools handlers
+    /['"]name['"]\s*:\s*['"]([a-z_][a-z0-9_]*)['"]/gi,
+  ];
+  const toolSet = new Set();
+  for (const file of files) {
+    for (const pattern of toolPatterns) {
+      pattern.lastIndex = 0;
+      let m;
+      while ((m = pattern.exec(file.content)) !== null) {
+        const name = m[1] || m[2];
+        if (name && name.length > 2 && name.length < 50 && !['type', 'name', 'string', 'object', 'number', 'boolean', 'array', 'required', 'description', 'default', 'null', 'true', 'false', 'none'].includes(name)) {
+          toolSet.add(name);
+        }
+      }
+    }
+  }
+  info.tools = [...toolSet];
+  // Extract prompts (look for prompt definitions)
+  const promptPatterns = [
+    /(?:prompt|PROMPT)['":\s]+['"]([a-z_][a-z0-9_]*)['"]/gi,
+    /@(?:mcp|server)\.prompt\(\)[\s\S]*?def\s+([a-z_][a-z0-9_]*)/gi,
+  ];
+  const promptSet = new Set();
+  for (const file of files) {
+    for (const pattern of promptPatterns) {
+      pattern.lastIndex = 0;
+      let m;
+      while ((m = pattern.exec(file.content)) !== null) {
+        if (m[1] && m[1].length > 2) promptSet.add(m[1]);
+      }
+    }
+  }
+  info.prompts = [...promptSet];
+  // Detect entrypoint
+  const entryFiles = ['index.js', 'index.ts', 'index.mjs', 'main.py', 'server.py', 'app.py', 'src/index.ts', 'src/main.ts', 'src/index.js'];
+  for (const ef of entryFiles) {
+    if (files.some(f => f.path === ef)) { info.entrypoint = ef; break; }
+  }
+  return info;
+}
+// ── Quick static checks ─────────────────────────────────
+function quickChecks(files) {
+  const findings = [];
+  const checks = [
+    {
+      id: 'EXEC_INJECTION',
+      title: 'Command injection risk',
+      severity: 'high',
+      pattern: /(?:exec(?:Sync)?|spawn|child_process|subprocess|os\.system|os\.popen|Popen)\s*\([^)]*(?:\$\{|`|\+\s*(?:req|input|args|param|user|query))/i,
+      category: 'injection',
+    },
+    {
+      id: 'EVAL_USAGE',
+      title: 'Dynamic code evaluation',
+      severity: 'high',
+      pattern: /(?:^|[^a-z])eval\s*\([^)]*(?:input|req|user|param|arg|query)/im,
+      category: 'injection',
+    },
+    {
+      id: 'HARDCODED_SECRET',
+      title: 'Potential hardcoded secret',
+      severity: 'medium',
+      pattern: /(?:api[_-]?key|password|secret|token)\s*[:=]\s*['"][A-Za-z0-9+/=_-]{16,}['"]/i,
+      category: 'secrets',
+    },
+    {
+      id: 'SSL_DISABLED',
+      title: 'SSL/TLS verification disabled',
+      severity: 'medium',
+      pattern: /(?:rejectUnauthorized\s*:\s*false|verify\s*=\s*False|VERIFY_SSL\s*=\s*false|NODE_TLS_REJECT_UNAUTHORIZED|InsecureRequestWarning)/i,
+      category: 'crypto',
+    },
+    {
+      id: 'PATH_TRAVERSAL',
+      title: 'Potential path traversal',
+      severity: 'medium',
+      pattern: /(?:\.\.\/|\.\.\\|path\.join|os\.path\.join)\s*\([^)]*(?:input|req|user|param|arg|query)/i,
+      category: 'filesystem',
+    },
+    {
+      id: 'CORS_WILDCARD',
+      title: 'Wildcard CORS origin',
+      severity: 'low',
+      pattern: /(?:Access-Control-Allow-Origin|cors)\s*[:({]\s*['"]\*/i,
+      category: 'network',
+    },
+    {
+      id: 'TELEMETRY',
+      title: 'Undisclosed telemetry',
+      severity: 'low',
+      pattern: /(?:posthog|mixpanel|analytics|telemetry|tracking|sentry).*(?:init|setup|track|capture)/i,
+      category: 'privacy',
+    },
+    {
+      id: 'SHELL_EXEC',
+      title: 'Shell command execution',
+      severity: 'high',
+      pattern: /(?:subprocess\.(?:run|call|Popen)|os\.system|os\.popen|execSync|child_process\.exec)\s*\(/i,
+      category: 'injection',
+    },
+    {
+      id: 'SQL_INJECTION',
+      title: 'Potential SQL injection',
+      severity: 'high',
+      pattern: /(?:execute|query|raw)\s*\(\s*(?:f['"]|['"].*?%s|['"].*?\{|['"].*?\+)/i,
+      category: 'injection',
+    },
+    {
+      id: 'YAML_UNSAFE',
+      title: 'Unsafe YAML loading',
+      severity: 'medium',
+      pattern: /yaml\.(?:load|unsafe_load)\s*\(/i,
+      category: 'deserialization',
+    },
+    {
+      id: 'PICKLE_LOAD',
+      title: 'Unsafe deserialization (pickle)',
+      severity: 'high',
+      pattern: /pickle\.loads?\s*\(/i,
+      category: 'deserialization',
+    },
+    {
+      id: 'PROMPT_INJECTION',
+      title: 'Prompt injection vector',
+      severity: 'high',
+      pattern: /(?:<IMPORTANT>|<SYSTEM>|ignore previous|you are now|new instructions)/i,
+      category: 'prompt-injection',
+    },
+  ];
+  for (const file of files) {
+    for (const check of checks) {
+      const match = check.pattern.exec(file.content);
+      if (match) {
+        // Find line number
+        const lines = file.content.slice(0, match.index).split('\n');
+        findings.push({
+          ...check,
+          file: file.path,
+          line: lines.length,
+          snippet: match[0].trim().slice(0, 80),
+          confidence: 'medium',
+        });
+      }
+    }
+  }
+  return findings;
+}
+// ── Registry check ──────────────────────────────────────
+async function checkRegistry(slug) {
+  try {
+    const res = await fetch(`${REGISTRY_URL}/api/skills/${encodeURIComponent(slug)}`, {
+      signal: AbortSignal.timeout(5000),
+    });
+    if (res.ok) return await res.json();
+  } catch {}
+  return null;
+}
+// ── Print results ───────────────────────────────────────
+function printScanResult(url, info, files, findings, registryData, duration) {
+  if (jsonMode) return; // JSON mode handles output separately
+  const slug = slugFromUrl(url);
+  // Quiet mode: compact one-line-per-package output
+  if (quietMode) {
+    if (findings.length > 0) {
+      const bySev = {};
+      for (const f of findings) { bySev[f.severity] = (bySev[f.severity] || 0) + 1; }
+      const sevStr = Object.entries(bySev).map(([s, n]) => {
+        const sc = severityColor(s);
+        return `${sc}${n} ${s}${c.reset}`;
+      }).join(', ');
+      console.log(`${icons.caution}  ${c.bold}${slug}${c.reset}  ${findings.length} findings (${sevStr})  ${c.dim}${duration}${c.reset}`);
+      for (const f of findings) {
+        const sc = severityColor(f.severity);
+        console.log(`   ${severityIcon(f.severity)} ${sc}${f.severity.toUpperCase().padEnd(8)}${c.reset} ${f.title}  ${c.dim}${f.file}:${f.line}${c.reset}`);
+      }
+    } else {
+      console.log(`${icons.safe}  ${c.bold}${slug}${c.reset}  ${c.green}clean${c.reset}  ${c.dim}${files.length} files, ${duration}${c.reset}`);
+    }
+    return;
+  }
+  // Header
+  console.log(`${icons.scan}  ${c.bold}${slug}${c.reset}  ${c.dim}${url}${c.reset}`);
+  console.log(`${icons.pipe}  ${c.dim}${info.language} ${info.type}${c.reset}  ${c.dim}${files.length} files scanned in ${duration}${c.reset}`);
+  // Tools & prompts tree
+  const items = [
+    ...info.tools.map(t => ({ kind: 'tool', name: t })),
+    ...info.prompts.map(p => ({ kind: 'prompt', name: p })),
+  ];
+  if (items.length > 0) {
+    console.log(`${icons.pipe}`);
+    for (let i = 0; i < items.length; i++) {
+      const isLast = i === items.length - 1 && findings.length === 0;
+      const branch = isLast ? icons.treeLast : icons.tree;
+      const item = items[i];
+      const kindLabel = item.kind === 'tool' ? `${c.dim}tool${c.reset}  ` : `${c.dim}prompt${c.reset}`;
+      const padName = item.name.padEnd(28);
+      // Check if this tool has a finding associated
+      const toolFinding = findings.find(f =>
+        f.snippet && f.snippet.toLowerCase().includes(item.name.toLowerCase())
+      );
+      if (toolFinding) {
+        const sc = severityColor(toolFinding.severity);
+        console.log(`${branch}  ${kindLabel}  ${c.bold}${padName}${c.reset} ${sc}⚠ flagged${c.reset} — ${toolFinding.title}`);
+      } else {
+        console.log(`${branch}  ${kindLabel}  ${c.bold}${padName}${c.reset} ${c.green}✔ ok${c.reset}`);
+      }
+    }
+  } else {
+    console.log(`${icons.pipe}  ${c.dim}(no tools or prompts detected)${c.reset}`);
+  }
+  // Findings
+  if (findings.length > 0) {
+    console.log(`${icons.pipe}`);
+    console.log(`${icons.pipe}  ${c.bold}Findings (${findings.length})${c.reset}  ${c.dim}static analysis — may include false positives${c.reset}`);
+    for (let i = 0; i < findings.length; i++) {
+      const f = findings[i];
+      const isLast = i === findings.length - 1;
+      const branch = isLast ? icons.treeLast : icons.tree;
+      const pipeOrSpace = isLast ? '   ' : `${icons.pipe}  `;
+      const sc = severityColor(f.severity);
+      console.log(`${branch}  ${severityIcon(f.severity)} ${sc}${f.severity.toUpperCase().padEnd(8)}${c.reset} ${f.title}`);
+      console.log(`${pipeOrSpace}   ${c.dim}${f.file}:${f.line}${c.reset}  ${c.dim}${f.snippet || ''}${c.reset}`);
+    }
+  }
+  // Registry status
+  console.log(`${icons.pipe}`);
+  if (registryData) {
+    const rd = registryData;
+    const riskScore = rd.risk_score ?? rd.latest_risk_score ?? 0;
+    console.log(`${icons.treeLast}  ${c.dim}registry${c.reset}  ${riskBadge(riskScore)} Risk ${riskScore}  ${c.dim}${REGISTRY_URL}/skills/${slug}${c.reset}`);
+  } else {
+    console.log(`${icons.treeLast}  ${c.dim}registry${c.reset}  ${c.dim}not audited yet${c.reset}`);
+  }
+  console.log();
+}
+function printSummary(results) {
+  const total = results.length;
+  const safe = results.filter(r => r.findings.length === 0).length;
+  const withFindings = total - safe;
+  const totalFindings = results.reduce((sum, r) => sum + r.findings.length, 0);
+  console.log(`${c.dim}${'─'.repeat(60)}${c.reset}`);
+  console.log(`  ${c.bold}Summary${c.reset}  ${total} packages scanned`);
+  console.log();
+  if (safe > 0) console.log(`  ${icons.safe}  ${c.green}${safe} clean${c.reset}`);
+  if (withFindings > 0) console.log(`  ${icons.caution}  ${c.yellow}${withFindings} with findings${c.reset} (${totalFindings} total)`);
+  // Breakdown by severity
+  const bySev = {};
+  results.forEach(r => r.findings.forEach(f => {
+    bySev[f.severity] = (bySev[f.severity] || 0) + 1;
+  }));
+  if (Object.keys(bySev).length > 0) {
+    console.log();
+    for (const sev of ['critical', 'high', 'medium', 'low']) {
+      if (bySev[sev]) {
+        console.log(`    ${severityIcon(sev)} ${bySev[sev]}× ${severityColor(sev)}${sev}${c.reset}`);
+      }
+    }
+  }
+  console.log();
+}
+// ── Clone & Scan ────────────────────────────────────────
+async function scanRepo(url) {
+  const start = Date.now();
+  const slug = slugFromUrl(url);
+  if (!jsonMode) process.stdout.write(`${icons.scan}  Scanning ${c.bold}${slug}${c.reset} ${c.dim}...${c.reset}`);
+  // Clone
+  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'agentaudit-'));
+  const repoPath = path.join(tmpDir, 'repo');
+  try {
+    execSync(`git clone --depth 1 "${url}" "${repoPath}"`, {
+      timeout: 30_000,
+      stdio: 'pipe',
+    });
+  } catch (err) {
+    if (!jsonMode) {
+      process.stdout.write(`  ${c.red}✖ clone failed${c.reset}\n`);
+      const msg = err.stderr?.toString().trim() || err.message?.split('\n')[0] || '';
+      if (msg) console.log(`    ${c.dim}${msg}${c.reset}`);
+      console.log(`    ${c.dim}Make sure git is installed and the URL is accessible.${c.reset}`);
+    }
+    return null;
+  }
+  // Collect files
+  const files = collectFiles(repoPath);
+  // Detect info
+  const info = detectPackageInfo(repoPath, files);
+  // Quick checks
+  const findings = quickChecks(files);
+  // Registry lookup
+  const registryData = await checkRegistry(slug);
+  // Cleanup
+  try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
+  const duration = elapsed(start);
+  if (!jsonMode) {
+    // Clear the "Scanning..." line
+    process.stdout.write('\r\x1b[K');
+    // Print result
+    printScanResult(url, info, files, findings, registryData, duration);
+  }
+  return { slug, url, info, files: files.length, findings, registryData, duration };
+}
+// ── Discover local MCP configs ──────────────────────────
+function findMcpConfigs() {
+  const home = process.env.HOME || process.env.USERPROFILE || '';
+  const platform = process.platform;
+  // All known MCP config locations
+  const candidates = [
+    // Claude Desktop
+    { name: 'Claude Desktop', path: path.join(home, '.claude', 'mcp.json') },
+    { name: 'Claude Desktop', path: path.join(home, 'Library', 'Application Support', 'Claude', 'claude_desktop_config.json') },
+    { name: 'Claude Desktop', path: path.join(home, 'AppData', 'Roaming', 'Claude', 'claude_desktop_config.json') },
+    { name: 'Claude Desktop', path: path.join(home, '.config', 'claude', 'claude_desktop_config.json') },
+    // Cursor
+    { name: 'Cursor', path: path.join(home, '.cursor', 'mcp.json') },
+    // Windsurf / Codeium
+    { name: 'Windsurf', path: path.join(home, '.codeium', 'windsurf', 'mcp_config.json') },
+    // VS Code
+    { name: 'VS Code', path: path.join(home, '.vscode', 'mcp.json') },
+    // Continue.dev
+    { name: 'Continue', path: path.join(home, '.continue', 'config.json') },
+  ];
+  // Also check AGENTAUDIT_TEST_CONFIG env for testing
+  if (process.env.AGENTAUDIT_TEST_CONFIG) {
+    candidates.push({ name: 'Test Config', path: process.env.AGENTAUDIT_TEST_CONFIG });
+  }
+  // Also scan workspace .cursor/mcp.json, .vscode/mcp.json in cwd
+  const cwd = process.cwd();
+  candidates.push(
+    { name: 'Cursor (project)', path: path.join(cwd, '.cursor', 'mcp.json') },
+    { name: 'VS Code (project)', path: path.join(cwd, '.vscode', 'mcp.json') },
+  );
+  const found = [];
+  for (const c of candidates) {
+    if (fs.existsSync(c.path)) {
+      try {
+        const content = JSON.parse(fs.readFileSync(c.path, 'utf8'));
+        found.push({ ...c, content });
+      } catch {}
+    }
+  }
+  return found;
+}
+function extractServersFromConfig(config) {
+  // Handle both { mcpServers: {...} } and { servers: {...} } formats
+  const servers = config.mcpServers || config.servers || {};
+  const result = [];
+  for (const [name, serverConfig] of Object.entries(servers)) {
+    const info = {
+      name,
+      command: serverConfig.command || null,
+      args: serverConfig.args || [],
+      url: serverConfig.url || null,
+      sourceUrl: null,
+    };
+    // Try to extract source URL from args (common patterns)
+    const allArgs = [info.command, ...info.args].filter(Boolean).join(' ');
+    // npx package-name → npm package
+    const npxMatch = allArgs.match(/npx\s+(?:-y\s+)?(@?[a-z0-9][\w./-]*)/i);
+    if (npxMatch) info.npmPackage = npxMatch[1];
+    // node /path/to/something → try to find package.json
+    const nodePathMatch = allArgs.match(/node\s+["']?([^"'\s]+)/);
+    if (nodePathMatch) {
+      const scriptPath = nodePathMatch[1];
+      // Walk up to find package.json with repository
+      let dir = path.dirname(path.resolve(scriptPath));
+      for (let i = 0; i < 5; i++) {
+        const pkgPath = path.join(dir, 'package.json');
+        if (fs.existsSync(pkgPath)) {
+          try {
+            const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+            if (pkg.repository?.url) {
+              info.sourceUrl = pkg.repository.url.replace(/^git\+/, '').replace(/\.git$/, '');
+            }
+            if (pkg.name) info.npmPackage = pkg.name;
+          } catch {}
+          break;
+        }
+        const parent = path.dirname(dir);
+        if (parent === dir) break;
+        dir = parent;
+      }
+    }
+    // python/uvx with package name
+    const pyMatch = allArgs.match(/(?:uvx|pip run|python -m)\s+(@?[a-z0-9][\w./-]*)/i);
+    if (pyMatch) info.pyPackage = pyMatch[1];
+    // URL-based MCP server (remote HTTP)
+    if (info.url && !info.npmPackage && !info.pyPackage) {
+      try {
+        const parsed = new URL(info.url);
+        // Extract service name from hostname: mcp.supabase.com → supabase
+        const hostParts = parsed.hostname.split('.');
+        if (hostParts.length >= 2) {
+          const serviceName = hostParts.length === 3 ? hostParts[1] : hostParts[0];
+          info.remoteService = serviceName;
+        }
+      } catch {}
+    }
+    result.push(info);
+  }
+  return result;
+}
+function serverSlug(server) {
+  // Try to derive a slug for registry lookup
+  if (server.npmPackage) return server.npmPackage.replace(/^@/, '').replace(/\//g, '-');
+  if (server.pyPackage) return server.pyPackage.replace(/[^a-z0-9-]/gi, '-');
+  return server.name.toLowerCase().replace(/[^a-z0-9-]/gi, '-');
+}
+async function searchGitHub(query) {
+  try {
+    const res = await fetch(`https://api.github.com/search/repositories?q=${encodeURIComponent(query)}&per_page=1`, {
+      signal: AbortSignal.timeout(5000),
+      headers: { 'Accept': 'application/vnd.github+json' },
+    });
+    if (res.ok) {
+      const data = await res.json();
+      if (data.items?.length > 0) {
+        return data.items[0].html_url;
+      }
+    }
+  } catch {}
+  return null;
+}
+async function resolveSourceUrl(server) {
+  // Already have it
+  if (server.sourceUrl) return server.sourceUrl;
+  // Try npm registry
+  if (server.npmPackage) {
+    try {
+      const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(server.npmPackage)}`, {
+        signal: AbortSignal.timeout(5000),
+      });
+      if (res.ok) {
+        const data = await res.json();
+        let repoUrl = data.repository?.url;
+        if (repoUrl) {
+          repoUrl = repoUrl.replace(/^git\+/, '').replace(/\.git$/, '').replace(/^ssh:\/\/git@github\.com/, 'https://github.com');
+          if (repoUrl.startsWith('http')) return repoUrl;
+        }
+      }
+    } catch {}
+    // Fallback: try GitHub search for the package name
+    const ghUrl = await searchGitHub(server.npmPackage);
+    if (ghUrl) return ghUrl;
+    return `https://www.npmjs.com/package/${server.npmPackage}`;
+  }
+  // Try PyPI
+  if (server.pyPackage) {
+    try {
+      const res = await fetch(`https://pypi.org/pypi/${encodeURIComponent(server.pyPackage)}/json`, {
+        signal: AbortSignal.timeout(5000),
+      });
+      if (res.ok) {
+        const data = await res.json();
+        const urls = data.info?.project_urls || {};
+        const source = urls.Source || urls.Repository || urls.Homepage || urls['Source Code'] || data.info?.home_page;
+        if (source && source.startsWith('http')) return source;
+      }
+    } catch {}
+    // Fallback: GitHub search
+    const ghUrl = await searchGitHub(server.pyPackage);
+    if (ghUrl) return ghUrl;
+    return `https://pypi.org/project/${server.pyPackage}/`;
+  }
+  // URL-based remote MCP server — try GitHub search by service name
+  if (server.remoteService) {
+    // Try npm registry with common MCP naming patterns
+    for (const tryName of [
+      `@${server.remoteService}/mcp-server-${server.remoteService}`,
+      `${server.remoteService}-mcp`,
+      `mcp-server-${server.remoteService}`,
+      server.remoteService,
+    ]) {
+      try {
+        const res = await fetch(`https://registry.npmjs.org/${encodeURIComponent(tryName)}`, {
+          signal: AbortSignal.timeout(3000),
+        });
+        if (res.ok) {
+          const data = await res.json();
+          let repoUrl = data.repository?.url;
+          if (repoUrl) {
+            repoUrl = repoUrl.replace(/^git\+/, '').replace(/\.git$/, '').replace(/^ssh:\/\/git@github\.com/, 'https://github.com');
+            if (repoUrl.startsWith('http')) return repoUrl;
+          }
+        }
+      } catch {}
+    }
+  }
+  // Last resort: if server has a url, show it as context
+  if (server.url) {
+    try {
+      const parsed = new URL(server.url);
+      return `https://github.com/search?q=${encodeURIComponent(parsed.hostname + ' MCP')}&type=repositories`;
+    } catch {}
+  }
+  return null;
+}
+async function discoverCommand(options = {}) {
+  const autoScan = options.scan || false;
+  const interactiveAudit = options.audit || false;
+  if (!jsonMode) {
+    console.log(`  ${c.bold}Discovering MCP servers in your AI editors...${c.reset}`);
+    console.log();
+  }
+  const configs = findMcpConfigs();
+  if (configs.length === 0) {
+    console.log(`  ${c.yellow}No MCP configurations found.${c.reset}`);
+    console.log(`  ${c.dim}Searched: Claude Desktop, Cursor, Windsurf, VS Code${c.reset}`);
+    console.log();
+    console.log(`  ${c.dim}MCP config locations:${c.reset}`);
+    console.log(`  ${c.dim}  Claude:   ~/.claude/mcp.json${c.reset}`);
+    console.log(`  ${c.dim}  Cursor:   ~/.cursor/mcp.json${c.reset}`);
+    console.log(`  ${c.dim}  Windsurf: ~/.codeium/windsurf/mcp_config.json${c.reset}`);
+    console.log(`  ${c.dim}  VS Code:  ~/.vscode/mcp.json${c.reset}`);
+    console.log();
+    return;
+  }
+  let totalServers = 0;
+  let checkedServers = 0;
+  let auditedServers = 0;
+  let unauditedServers = 0;
+  const unauditedWithUrls = [];
+  const allServersWithUrls = []; // For --scan: all servers we can scan
+  for (const config of configs) {
+    const servers = extractServersFromConfig(config.content);
+    const serverCount = servers.length;
+    totalServers += serverCount;
+    const countLabel = serverCount === 0
+      ? `${c.dim}no servers${c.reset}`
+      : `found ${c.bold}${serverCount}${c.reset} server${serverCount > 1 ? 's' : ''}`;
+    console.log(`${icons.bullet}  Scanning ${c.bold}${config.name}${c.reset}  ${c.dim}${config.path}${c.reset}    ${countLabel}`);
+    if (serverCount === 0) {
+      console.log();
+      continue;
+    }
+    console.log();
+    for (let i = 0; i < servers.length; i++) {
+      const server = servers[i];
+      const isLast = i === servers.length - 1;
+      const branch = isLast ? icons.treeLast : icons.tree;
+      const pipe = isLast ? '   ' : `${icons.pipe}  `;
+      const slug = serverSlug(server);
+      checkedServers++;
+      // Registry lookup
+      const registryData = await checkRegistry(slug);
+      // Also try with server name directly
+      let regData = registryData;
+      if (!regData && slug !== server.name.toLowerCase()) {
+        regData = await checkRegistry(server.name.toLowerCase());
+      }
+      // Determine source display
+      let sourceLabel = '';
+      if (server.npmPackage) sourceLabel = `${c.dim}npm:${server.npmPackage}${c.reset}`;
+      else if (server.pyPackage) sourceLabel = `${c.dim}pip:${server.pyPackage}${c.reset}`;
+      else if (server.url) sourceLabel = `${c.dim}${server.url.length > 60 ? server.url.slice(0, 57) + '...' : server.url}${c.reset}`;
+      else if (server.command) sourceLabel = `${c.dim}${[server.command, ...server.args.slice(0, 2)].join(' ')}${c.reset}`;
+      // Always resolve source URL (needed for --scan)
+      const resolvedUrl = await resolveSourceUrl(server);
+      if (regData) {
+        auditedServers++;
+        const riskScore = regData.risk_score ?? regData.latest_risk_score ?? 0;
+        const hasOfficial = regData.has_official_audit;
+        console.log(`${branch}  ${c.bold}${server.name}${c.reset}    ${sourceLabel}`);
+        console.log(`${pipe}  ${riskBadge(riskScore)} Risk ${riskScore}  ${hasOfficial ? `${c.green}✔ official${c.reset}  ` : ''}${c.dim}${REGISTRY_URL}/skills/${slug}${c.reset}`);
+        if (resolvedUrl) allServersWithUrls.push({ name: server.name, sourceUrl: resolvedUrl, hasAudit: true, regData });
+      } else {
+        unauditedServers++;
+        console.log(`${branch}  ${c.bold}${server.name}${c.reset}    ${sourceLabel}`);
+        if (resolvedUrl) {
+          console.log(`${pipe}  ${c.yellow}⚠ not audited${c.reset}  ${c.dim}Run: ${c.cyan}agentaudit audit ${resolvedUrl}${c.reset}`);
+          unauditedWithUrls.push({ name: server.name, sourceUrl: resolvedUrl });
+          allServersWithUrls.push({ name: server.name, sourceUrl: resolvedUrl, hasAudit: false });
+        } else {
+          console.log(`${pipe}  ${c.yellow}⚠ not audited${c.reset}  ${c.dim}Source URL unknown — check the package's GitHub/npm page${c.reset}`);
+        }
+      }
+      if (server.sourceUrl && !server.sourceUrl.includes('npmjs.com')) {
+        console.log(`${pipe}  ${c.dim}source: ${server.sourceUrl}${c.reset}`);
+      }
+    }
+    console.log();
+  }
+  // Summary
+  console.log(`${c.dim}${'─'.repeat(60)}${c.reset}`);
+  console.log(`  ${c.bold}Summary${c.reset}  ${totalServers} server${totalServers !== 1 ? 's' : ''} across ${configs.length} config${configs.length !== 1 ? 's' : ''}`);
+  console.log();
+  if (auditedServers > 0) console.log(`  ${icons.safe}  ${c.green}${auditedServers} audited${c.reset}`);
+  if (unauditedServers > 0) console.log(`  ${icons.caution}  ${c.yellow}${unauditedServers} not audited${c.reset}`);
+  console.log();
+  // --scan: automatically scan all servers with resolved source URLs (git-cloneable only)
+  if (autoScan) {
+    const isCloneable = (url) => /^https?:\/\/(github\.com|gitlab\.com|bitbucket\.org)\//i.test(url);
+    const scanTargets = allServersWithUrls.filter(s => s.sourceUrl && isCloneable(s.sourceUrl));
+    // Deduplicate by sourceUrl
+    const seen = new Set();
+    const dedupedTargets = scanTargets.filter(s => {
+      if (seen.has(s.sourceUrl)) return false;
+      seen.add(s.sourceUrl);
+      return true;
+    });
+    const skipped = allServersWithUrls.filter(s => s.sourceUrl && !isCloneable(s.sourceUrl));
+    if (dedupedTargets.length > 0) {
+      console.log(`${c.dim}${'─'.repeat(60)}${c.reset}`);
+      console.log(`  ${c.bold}${icons.scan}  Auto-scanning ${dedupedTargets.length} server${dedupedTargets.length !== 1 ? 's' : ''}...${c.reset}`);
+      if (skipped.length > 0) {
+        console.log(`  ${c.dim}(${skipped.length} skipped — no cloneable source URL)${c.reset}`);
+      }
+      console.log();
+      const scanResults = [];
+      for (const target of dedupedTargets) {
+        const result = await scanRepo(target.sourceUrl);
+        if (result) scanResults.push({ ...result, serverName: target.name });
+      }
+      if (scanResults.length > 1) {
+        // Print combined scan summary
+        console.log(`${c.dim}${'─'.repeat(60)}${c.reset}`);
+        console.log(`  ${c.bold}Scan Summary${c.reset}  ${scanResults.length} server${scanResults.length !== 1 ? 's' : ''} scanned`);
+        console.log();
+        let totalFindings = 0;
+        let serversWithFindings = 0;
+        for (const r of scanResults) {
+          const findingCount = r.findings ? r.findings.length : 0;
+          totalFindings += findingCount;
+          if (findingCount > 0) serversWithFindings++;
+          const status = findingCount === 0
+            ? `${icons.safe}  ${c.green}clean${c.reset}`
+            : `${icons.caution}  ${c.yellow}${findingCount} finding${findingCount !== 1 ? 's' : ''}${c.reset}`;
+          console.log(`  ${status}  ${c.bold}${r.serverName || r.slug}${c.reset}  ${c.dim}(${r.duration})${c.reset}`);
+        }
+        console.log();
+        if (serversWithFindings > 0) {
+          console.log(`  ${c.yellow}${serversWithFindings}/${scanResults.length} server${scanResults.length !== 1 ? 's' : ''} with findings (${totalFindings} total)${c.reset}`);
+          console.log(`  ${c.dim}Run ${c.cyan}agentaudit scan <url> --deep${c.dim} for deep LLM analysis on flagged servers${c.reset}`);
+        } else {
+          console.log(`  ${c.green}All servers passed quick scan${c.reset}`);
+          console.log(`  ${c.dim}Run ${c.cyan}agentaudit scan <url> --deep${c.dim} for thorough LLM-powered analysis${c.reset}`);
+        }
+        console.log();
+      }
+    } else {
+      console.log(`  ${c.dim}No scannable source URLs found.${c.reset}`);
+      console.log();
+    }
+  } else if (interactiveAudit && allServersWithUrls.length > 0) {
+    // Interactive multi-select for audit
+    const isCloneable = (url) => /^https?:\/\/(github\.com|gitlab\.com|bitbucket\.org)\//i.test(url);
+    const auditCandidates = [];
+    const seen = new Set();
+    for (const s of allServersWithUrls) {
+      if (!s.sourceUrl || !isCloneable(s.sourceUrl)) continue;
+      if (seen.has(s.sourceUrl)) continue;
+      seen.add(s.sourceUrl);
+      auditCandidates.push(s);
+    }
+    if (auditCandidates.length > 0) {
+      console.log();
+      const items = auditCandidates.map(s => ({
+        label: s.name,
+        sublabel: s.hasAudit ? `${c.green}✔ audited${c.reset}  ${s.sourceUrl}` : s.sourceUrl,
+        value: s,
+        checked: !s.hasAudit, // Pre-select unaudited
+      }));
+      const selected = await multiSelect(items, {
+        title: 'Select servers to audit',
+        hint: 'Space=toggle  ↑↓=move  a=all  n=none  Enter=confirm',
+      });
+      if (selected.length > 0) {
+        console.log();
+        console.log(`  ${c.bold}Auditing ${selected.length} server${selected.length !== 1 ? 's' : ''}...${c.reset}`);
+        console.log();
+        for (const s of selected) {
+          await auditRepo(s.sourceUrl);
+          console.log();
+        }
+      } else {
+        console.log();
+        console.log(`  ${c.dim}No servers selected.${c.reset}`);
+      }
+    }
+  } else if (unauditedServers > 0) {
+    if (unauditedWithUrls.length > 0) {
+      console.log(`  ${c.dim}To audit unaudited servers:${c.reset}`);
+      for (const { name, sourceUrl } of unauditedWithUrls) {
+        console.log(`  ${c.cyan}agentaudit audit ${sourceUrl}${c.reset}  ${c.dim}(${name})${c.reset}`);
+      }
+    } else {
+      console.log(`  ${c.dim}To audit unaudited servers, run:${c.reset}`);
+      console.log(`  ${c.cyan}agentaudit audit <source-url>${c.reset}`);
+    }
+    console.log();
+    console.log(`  ${c.dim}Or run ${c.cyan}agentaudit discover --quick${c.dim} to quick-scan all servers${c.reset}`);
+    console.log(`  ${c.dim}Or run ${c.cyan}agentaudit discover --deep${c.dim} to select & deep-audit interactively${c.reset}`);
+    console.log();
+  }
+  if (!autoScan && !interactiveAudit && !jsonMode) {
+    console.log(`  ${c.dim}Looking for general package scanning? Try ${c.cyan}pip audit${c.dim} or ${c.cyan}npm audit${c.dim}.${c.reset}`);
+    console.log();
+  }
+}
+// ── Audit command (deep LLM-powered) ────────────────────
+function loadAuditPrompt() {
+  const promptPath = path.join(SKILL_DIR, 'prompts', 'audit-prompt.md');
+  if (fs.existsSync(promptPath)) return fs.readFileSync(promptPath, 'utf8');
+  return null;
+}
+async function auditRepo(url) {
+  const start = Date.now();
+  const slug = slugFromUrl(url);
+  console.log(`${icons.scan}  ${c.bold}Auditing ${slug}${c.reset}  ${c.dim}${url}${c.reset}`);
+  console.log(`${icons.pipe}  ${c.dim}Deep LLM-powered analysis (3-pass: UNDERSTAND → DETECT → CLASSIFY)${c.reset}`);
+  console.log();
+  // Step 1: Clone
+  process.stdout.write(`  ${c.dim}[1/4]${c.reset} Cloning repository...`);
+  const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'agentaudit-'));
+  const repoPath = path.join(tmpDir, 'repo');
+  try {
+    execSync(`git clone --depth 1 "${url}" "${repoPath}"`, {
+      timeout: 30_000, stdio: 'pipe',
+    });
+    console.log(` ${c.green}done${c.reset}`);
+  } catch (err) {
+    console.log(` ${c.red}failed${c.reset}`);
+    const msg = err.stderr?.toString().trim() || err.message?.split('\n')[0] || '';
+    if (msg) console.log(`    ${c.dim}${msg}${c.reset}`);
+    console.log(`    ${c.dim}Make sure git is installed and the URL is accessible.${c.reset}`);
+    return null;
+  }
+  // Capture version + commit from cloned repo
+  let repoCommitSha = null;
+  let repoPackageVersion = null;
+  try { repoCommitSha = execSync('git rev-parse HEAD', { cwd: repoPath, stdio: 'pipe' }).toString().trim(); } catch {}
+  try {
+    const pkgPath = path.join(repoPath, 'package.json');
+    if (fs.existsSync(pkgPath)) {
+      repoPackageVersion = JSON.parse(fs.readFileSync(pkgPath, 'utf-8')).version || null;
+    }
+  } catch {}
+  // Step 2: Collect files
+  process.stdout.write(`  ${c.dim}[2/4]${c.reset} Collecting source files...`);
+  const files = collectFiles(repoPath);
+  console.log(` ${c.green}${files.length} files${c.reset}`);
+  // Step 3: Build audit payload
+  process.stdout.write(`  ${c.dim}[3/4]${c.reset} Preparing audit payload...`);
+  const auditPrompt = loadAuditPrompt();
+  let codeBlock = '';
+  for (const file of files) {
+    codeBlock += `\n### FILE: ${file.path}\n\`\`\`\n${file.content}\n\`\`\`\n`;
+  }
+  console.log(` ${c.green}done${c.reset}`);
+  // Step 4: LLM Analysis
+  // Check for API keys to determine which LLM to use
+  const anthropicKey = process.env.ANTHROPIC_API_KEY;
+  const openaiKey = process.env.OPENAI_API_KEY;
+  const openrouterKey = process.env.OPENROUTER_API_KEY;
+  const openrouterModel = process.env.OPENROUTER_MODEL || 'anthropic/claude-sonnet-4';
+  // --provider flag overrides auto-detection
+  const providerFlag = process.argv.find(a => a.startsWith('--provider='))?.split('=')[1]?.toLowerCase()
+    || (process.argv.includes('--provider') ? process.argv[process.argv.indexOf('--provider') + 1]?.toLowerCase() : null);
+  const resolvedProvider = resolveProvider(providerFlag, { anthropicKey, openaiKey, openrouterKey });
+  const activeProvider = resolvedProvider?.label || null;
+  if (!resolvedProvider) {
+    // No LLM API key — clear explanation
+    console.log();
+    console.log(`  ${c.yellow}No LLM provider configured.${c.reset} The ${c.bold}audit${c.reset} command needs an LLM to analyze code.`);
+    console.log();
+    console.log(`  ${c.bold}Option 1: Set an API key${c.reset} ${c.dim}(any one of these)${c.reset}`);
+    console.log(`  ${c.cyan}ANTHROPIC_API_KEY${c.reset}    Anthropic Claude ${c.dim}(recommended)${c.reset}`);
+    console.log(`  ${c.cyan}OPENAI_API_KEY${c.reset}       OpenAI GPT-4o`);
+    console.log(`  ${c.cyan}OPENROUTER_API_KEY${c.reset}   OpenRouter ${c.dim}(200+ models)${c.reset}`);
+    console.log(`  ${c.cyan}OLLAMA_MODEL${c.reset}         Ollama ${c.dim}(local, free, set model name)${c.reset}`);
+    console.log(`  ${c.cyan}LLM_API_URL${c.reset}          Any OpenAI-compatible API ${c.dim}(+ LLM_API_KEY, LLM_MODEL)${c.reset}`);
+    console.log();
+    console.log(`  ${c.dim}# Linux / macOS:${c.reset}`);
+    console.log(`  ${c.dim}export ANTHROPIC_API_KEY=sk-ant-...${c.reset}`);
+    console.log(`  ${c.dim}export OPENAI_API_KEY=sk-...${c.reset}`);
+    console.log();
+    console.log(`  ${c.dim}# Windows (PowerShell):${c.reset}`);
+    console.log(`  ${c.dim}$env:ANTHROPIC_API_KEY = "sk-ant-..."${c.reset}`);
+    console.log(`  ${c.dim}$env:OPENAI_API_KEY = "sk-..."${c.reset}`);
+    console.log();
+    console.log(`  ${c.dim}# Windows (CMD):${c.reset}`);
+    console.log(`  ${c.dim}set ANTHROPIC_API_KEY=sk-ant-...${c.reset}`);
+    console.log(`  ${c.dim}set OPENAI_API_KEY=sk-...${c.reset}`);
+    console.log();
+    console.log(`  ${c.bold}Option 2: Export for manual review${c.reset}`);
+    console.log(`  ${c.cyan}agentaudit audit ${url} --export${c.reset}`);
+    console.log(`  ${c.dim}Creates a markdown file you can paste into any LLM (Claude, ChatGPT, etc.)${c.reset}`);
+    console.log();
+    console.log(`  ${c.bold}Option 3: Use MCP in Claude/Cursor/Windsurf (no API key needed)${c.reset}`);
+    console.log(`  ${c.dim}Add AgentAudit as MCP server — your editor's agent runs the audit using its own LLM.${c.reset}`);
+    console.log(`  ${c.dim}Config: { "mcpServers": { "agentaudit": { "command": "npx", "args": ["-y", "agentaudit"] } } }${c.reset}`);
+    console.log();
+    // Check if --export flag
+    if (process.argv.includes('--export')) {
+      const exportPath = path.join(process.cwd(), `audit-${slug}.md`);
+      const exportContent = [
+        `# Security Audit: ${slug}`,
+        `**Source:** ${url}`,
+        `**Files:** ${files.length}`,
+        ``,
+        `## Audit Instructions`,
+        ``,
+        auditPrompt || '(audit prompt not found)',
+        ``,
+        `## Report Format`,
+        ``,
+        `After analysis, produce a JSON report:`,
+        '```json',
+        `{ "skill_slug": "${slug}", "source_url": "${url}", "risk_score": 0, "result": "safe", "findings": [] }`,
+        '```',
+        ``,
+        `## Source Code`,
+        ``,
+        codeBlock,
+      ].join('\n');
+      fs.writeFileSync(exportPath, exportContent);
+      console.log(`  ${icons.safe}  Exported to ${c.bold}${exportPath}${c.reset}`);
+      console.log(`  ${c.dim}Paste this into any LLM (Claude, ChatGPT, etc.) for analysis${c.reset}`);
+    }
+    // Cleanup
+    try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
+    return null;
+  }
+  // Determine actual model name for display
+  let actualModel;
+  if (resolvedProvider.id === 'anthropic') {
+    actualModel = modelOverride || 'claude-sonnet-4-20250514';
+  } else if (resolvedProvider.id === 'openrouter') {
+    actualModel = modelOverride || process.env.OPENROUTER_MODEL || 'anthropic/claude-sonnet-4';
+  } else if (resolvedProvider.id === 'openai') {
+    actualModel = modelOverride || 'gpt-4o';
+  } else if (resolvedProvider.id === 'ollama') {
+    actualModel = modelOverride || resolvedProvider.model;
+  } else {
+    actualModel = modelOverride || resolvedProvider.model || 'unknown';
+  }
+  // We have an API key — run LLM audit
+  process.stdout.write(`  ${c.dim}[4/4]${c.reset} Running LLM analysis ${c.dim}(${resolvedProvider.id}: ${actualModel})${c.reset}...`);
+  const systemPrompt = auditPrompt || 'You are a security auditor. Analyze the code and report findings as JSON.';
+  const userMessage = [
+    `Audit this package: **${slug}** (${url})`,
+    ``,
+    `After analysis, respond with ONLY a valid JSON object. No markdown fences, no explanation, no text before or after. Just the raw JSON:`,
+    `{ "skill_slug": "${slug}", "source_url": "${url}", "package_type": "<mcp-server|agent-skill|library|cli-tool>",`,
+    `  "risk_score": <0-100>, "result": "<safe|caution|unsafe>", "max_severity": "<none|low|medium|high|critical>",`,
+    `  "findings_count": <n>, "findings": [{ "id": "...", "title": "...", "severity": "...", "category": "...",`,
+    `  "description": "...", "file": "...", "line": <n>, "remediation": "...", "confidence": "...", "is_by_design": false }] }`,
+    ``,
+    `## Source Code`,
+    codeBlock,
+  ].join('\n');
+  let report = null;
+  let _lastLlmText = '';
+  let providerMeta = {}; // Collect provider metadata for attestation
+  try {
+    if (resolvedProvider.id === 'anthropic') {
+      const res = await fetch('https://api.anthropic.com/v1/messages', {
+        method: 'POST',
+        headers: {
+          'x-api-key': resolvedProvider.key,
+          'anthropic-version': '2023-06-01',
+          'content-type': 'application/json',
+        },
+        body: JSON.stringify({
+          model: modelOverride || 'claude-sonnet-4-20250514',
+          max_tokens: 8192,
+          system: systemPrompt,
+          messages: [{ role: 'user', content: userMessage }],
+        }),
+        signal: AbortSignal.timeout(120_000),
+      });
+      const data = await res.json();
+      if (data.error) {
+        console.log(` ${c.red}failed${c.reset}`);
+        console.log(`  ${c.red}API error: ${data.error.message || JSON.stringify(data.error)}${c.reset}`);
+        try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
+        return null;
+      }
+      const text = data.content?.[0]?.text || '';
+      _lastLlmText = text;
+      report = extractJSON(text);
+      providerMeta = {
+        provider_msg_id: data.id || null,
+        input_tokens: data.usage?.input_tokens || null,
+        output_tokens: data.usage?.output_tokens || null,
+        reported_model: data.model || null,
+      };
+    } else {
+      // OpenAI, OpenRouter, Ollama, or Custom (all use OpenAI-compatible chat completions API)
+      let apiUrl, modelName, authHeaders;
+      switch (resolvedProvider.id) {
+        case 'openrouter':
+          apiUrl = 'https://openrouter.ai/api/v1/chat/completions';
+          modelName = modelOverride || process.env.OPENROUTER_MODEL || 'anthropic/claude-sonnet-4';
+          authHeaders = { 'Authorization': `Bearer ${resolvedProvider.key}`, 'HTTP-Referer': 'https://agentaudit.dev', 'X-Title': 'AgentAudit' };
+          break;
+        case 'ollama':
+          apiUrl = `${resolvedProvider.host}/v1/chat/completions`;
+          modelName = modelOverride || resolvedProvider.model;
+          authHeaders = {};
+          break;
+        case 'custom':
+          apiUrl = resolvedProvider.url.endsWith('/chat/completions') ? resolvedProvider.url : `${resolvedProvider.url.replace(/\/$/, '')}/chat/completions`;
+          modelName = modelOverride || resolvedProvider.model;
+          authHeaders = resolvedProvider.key ? { 'Authorization': `Bearer ${resolvedProvider.key}` } : {};
+          break;
+        default: // openai
+          apiUrl = 'https://api.openai.com/v1/chat/completions';
+          modelName = modelOverride || 'gpt-4o';
+          authHeaders = { 'Authorization': `Bearer ${resolvedProvider.key}` };
+      }
+      const res = await fetch(apiUrl, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', ...authHeaders },
+        body: JSON.stringify({
+          model: modelName,
+          max_tokens: 8192,
+          messages: [
+            { role: 'system', content: systemPrompt },
+            { role: 'user', content: userMessage },
+          ],
+        }),
+        signal: AbortSignal.timeout(resolvedProvider.id === 'ollama' ? 300_000 : 120_000), // Ollama: 5min (local can be slow)
+      });
+      const data = await res.json();
+      if (data.error) {
+        console.log(` ${c.red}failed${c.reset}`);
+        console.log(`  ${c.red}API error: ${data.error.message || JSON.stringify(data.error)}${c.reset}`);
+        try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
+        return null;
+      }
+      const text = data.choices?.[0]?.message?.content || '';
+      _lastLlmText = text;
+      report = extractJSON(text);
+      providerMeta = {
+        provider_msg_id: data.id || null,
+        provider_fingerprint: data.system_fingerprint || null,
+        input_tokens: data.usage?.prompt_tokens || null,
+        output_tokens: data.usage?.completion_tokens || null,
+        reported_model: data.model || null,
+      };
+    }
+    console.log(` ${c.green}done${c.reset} ${c.dim}(${elapsed(start)})${c.reset}`);
+  } catch (err) {
+    console.log(` ${c.red}failed${c.reset}`);
+    console.log(`  ${c.red}${err.message}${c.reset}`);
+    try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
+    return null;
+  }
+  // Cleanup repo
+  try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
+  if (!report) {
+    console.log(`  ${c.red}Could not parse LLM response as JSON${c.reset}`);
+    console.log(`  ${c.dim}Hint: run with --debug to see the raw LLM response${c.reset}`);
+    if (process.argv.includes('--debug')) {
+      console.log(`  ${c.dim}--- Raw LLM response (first 2000 chars) ---${c.reset}`);
+      console.log((typeof _lastLlmText === 'string' ? _lastLlmText : '(empty)').slice(0, 2000));
+      console.log(`  ${c.dim}--- end ---${c.reset}`);
+    }
+    return null;
+  }
+  // Display results
+  console.log();
+  const riskScore = report.risk_score || 0;
+  const trustScore = 100 - riskScore;
+  const trustColor = trustScore >= 70 ? c.green : trustScore >= 40 ? c.yellow : c.red;
+  const trustLabel = trustScore >= 70 ? 'SAFE' : trustScore >= 40 ? 'CAUTION' : 'UNSAFE';
+  console.log(`  ${trustColor}${c.bold}${trustLabel}${c.reset}  ${trustColor}Trust Score: ${trustScore}/100${c.reset}  ${c.dim}(Risk: ${riskScore}/100)${c.reset}`);
+  console.log(`  ${c.dim}Model: ${resolvedProvider.id}/${actualModel}  Duration: ${elapsed(start)}${c.reset}`);
+  console.log();
+  if (report.findings && report.findings.length > 0) {
+    console.log(`  ${c.bold}Findings (${report.findings.length})${c.reset}`);
+    console.log();
+    for (const f of report.findings) {
+      const sc = severityColor(f.severity);
+      console.log(`  ${severityIcon(f.severity)} ${sc}${(f.severity || '').toUpperCase().padEnd(8)}${c.reset} ${f.title}`);
+      if (f.file) console.log(`    ${c.dim}${f.file}${f.line ? ':' + f.line : ''}${c.reset}`);
+      if (f.description) console.log(`    ${c.dim}${f.description.slice(0, 120)}${c.reset}`);
+      console.log();
+    }
+  } else {
+    console.log(`  ${c.green}No findings — package looks clean.${c.reset}`);
+    console.log();
+  }
+  // Upload to registry
+  const creds = loadCredentials();
+  if (creds) {
+    process.stdout.write(`  Uploading report to registry...`);
+    try {
+      const res = await fetch(`${REGISTRY_URL}/api/reports`, {
+        method: 'POST',
+        headers: {
+          'Authorization': `Bearer ${creds.api_key}`,
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({
+          ...report,
+          commit_sha: report.commit_sha || repoCommitSha || undefined,
+          package_version: report.package_version || repoPackageVersion || undefined,
+          audit_model: providerMeta.reported_model || actualModel,
+          audit_provider: resolvedProvider.id,
+          provider_msg_id: providerMeta.provider_msg_id || undefined,
+          provider_fingerprint: providerMeta.provider_fingerprint || undefined,
+          input_tokens: providerMeta.input_tokens || undefined,
+          output_tokens: providerMeta.output_tokens || undefined,
+          audit_duration_ms: Date.now() - start,
+        }),
+        signal: AbortSignal.timeout(15_000),
+      });
+      if (res.ok) {
+        const data = await res.json();
+        const reportSlug = data?.skill_slug || data?.slug || slug;
+        console.log(` ${c.green}done${c.reset}`);
+        console.log(`  ${c.dim}Report: ${REGISTRY_URL}/skills/${reportSlug}${c.reset}`);
+        // Refresh stats cache in background
+        if (creds.agent_name) refreshStatsCache(creds.agent_name).catch(() => {});
+      } else {
+        console.log(` ${c.yellow}failed (HTTP ${res.status})${c.reset}`);
+      }
+    } catch (err) {
+      console.log(` ${c.yellow}failed${c.reset}`);
+    }
+  } else {
+    console.log(`  ${c.dim}Run ${c.cyan}agentaudit setup${c.dim} to upload reports to the registry${c.reset}`);
+  }
+  console.log();
+  return report;
+}
+// ── Check command ───────────────────────────────────────
+async function checkPackage(name, { autoAudit = false } = {}) {
+  if (!jsonMode) {
+    console.log(`${icons.info}  Looking up ${c.bold}${name}${c.reset} in registry...`);
+    console.log();
+  }
+  const data = await checkRegistry(name);
+  if (!data) {
+    if (!jsonMode) {
+      // Auto-audit: only when called from 'check' command AND input looks like a URL
+      if (autoAudit && (name.includes('github.com') || name.includes('://'))) {
+        console.log(`  ${c.yellow}Not found in registry.${c.reset}`);
+        console.log(`  ${c.dim}Starting audit for ${name}...${c.reset}`);
+        console.log();
+        return await auditRepo(name);
+      }
+      console.log(`  ${c.yellow}✖  Not found${c.reset} — "${name}" hasn't been audited yet.`);
+      console.log();
+      console.log(`  ${c.dim}Next steps:${c.reset}`);
+      console.log(`    ${c.cyan}agentaudit check <repo-url>${c.reset}    ${c.dim}Auto-lookup + audit if not found${c.reset}`);
+      console.log(`    ${c.cyan}agentaudit audit <repo-url>${c.reset}    ${c.dim}Deep LLM audit${c.reset}`);
+      console.log(`    ${c.cyan}agentaudit scan <repo-url>${c.reset}     ${c.dim}Quick static check (no API key)${c.reset}`);
+    }
+    return null;
+  }
+  if (!jsonMode) {
+    const riskScore = data.risk_score ?? data.latest_risk_score ?? 0;
+    const trustScore = data.trust_score ?? (100 - riskScore);
+    const totalFindings = data.total_findings ?? 0;
+    const totalReports = data.total_reports ?? 0;
+    // Package name + verdict
+    console.log(`  ${c.bold}${data.display_name || name}${c.reset}  ${riskBadge(riskScore)}`);
+    if (data.description) console.log(`  ${c.dim}${data.description}${c.reset}`);
+    console.log();
+    // Trust Score (the main metric)
+    const trustColor = trustScore >= 70 ? c.green : trustScore >= 40 ? c.yellow : c.red;
+    const trustLabel = trustScore >= 70 ? 'SAFE' : trustScore >= 40 ? 'CAUTION' : 'UNSAFE';
+    console.log(`  ${trustColor}${c.bold}${trustLabel}${c.reset}  ${trustColor}Trust Score: ${trustScore}/100${c.reset}  ${c.dim}(Risk: ${riskScore}/100)${c.reset}`);
+    // Findings summary
+    if (totalFindings > 0) {
+      const maxSev = data.latest_max_severity;
+      const sevStr = maxSev ? `max severity: ${severityColor(maxSev)}${maxSev}${c.reset}` : '';
+      console.log(`  ${c.dim}Findings: ${totalFindings}${sevStr ? ` (${sevStr}${c.dim})` : ''}${c.reset}`);
+    } else {
+      console.log(`  ${c.dim}Findings: 0 (clean)${c.reset}`);
+    }
+    // Consensus / Confidence
+    const uniqueAgents = data.unique_agents ?? 0;
+    const confidence = data.confidence ?? 'unverified';
+    const confidenceDisplay = {
+      consensus: { icon: '🟢', label: 'Consensus Certified', color: c.green, desc: `${totalReports} reports from ${uniqueAgents} independent auditors agree` },
+      verified: { icon: '🟢', label: 'Verified', color: c.green, desc: `${totalReports} reports from ${uniqueAgents} auditors` },
+      low: { icon: '🟡', label: 'Low Confidence', color: c.yellow, desc: `${totalReports} reports but ${uniqueAgents <= 1 ? 'only 1 auditor' : `only ${uniqueAgents} auditors`}` },
+      unverified: { icon: '🔴', label: 'Unverified', color: c.yellow, desc: 'Single audit, no independent confirmation' },
+    }[confidence] || { icon: '⚪', label: confidence, color: c.dim, desc: '' };
+    console.log(`  ${confidenceDisplay.icon}  ${confidenceDisplay.color}${confidenceDisplay.label}${c.reset}  ${c.dim}${confidenceDisplay.desc}${c.reset}`);
+    // Audit info
+    console.log(`  ${c.dim}Reports: ${totalReports} | Auditors: ${uniqueAgents} | Last: ${data.last_audited_at ? new Date(data.last_audited_at).toLocaleDateString() : 'unknown'}${c.reset}`);
+    if (data.has_official_audit) console.log(`  ${c.green}✔ Officially audited${c.reset}`);
+    // Recommendation
+    if (confidence === 'unverified' && trustScore >= 70) {
+      console.log();
+      console.log(`  ${c.yellow}⚠  Score looks good but only 1 audit exists.${c.reset}`);
+      console.log(`  ${c.dim}   Consider running your own audit: agentaudit audit ${data.source_url || name}${c.reset}`);
+    } else if (confidence === 'low') {
+      console.log();
+      console.log(`  ${c.yellow}⚠  Limited independent verification.${c.reset}`);
+      console.log(`  ${c.dim}   More auditors needed for consensus. Run: agentaudit audit ${data.source_url || name}${c.reset}`);
+    }
+    // Links
+    console.log();
+    if (data.source_url) console.log(`  ${c.dim}Source:   ${data.source_url}${c.reset}`);
+    console.log(`  ${c.dim}Registry: ${REGISTRY_URL}/skills/${encodeURIComponent(name)}${c.reset}`);
+    console.log();
+  }
+  return data;
+}
+// ── Main ────────────────────────────────────────────────
+async function main() {
+  const rawArgs = process.argv.slice(2);
+  // MCP server mode: launched by an editor (no TTY + no args) or explicit --stdio flag
+  if (rawArgs.includes('--stdio') || (!process.stdin.isTTY && rawArgs.length === 0)) {
+    await import('./index.mjs');
+    return;
+  }
+  // Parse global flags early
+  jsonMode = rawArgs.includes('--json');
+  quietMode = rawArgs.includes('--quiet') || rawArgs.includes('-q');
+  // --no-color already handled at top level for `c` object
+  // --model flag: --model=<name> or --model <name>
+  const modelFlagIdx = rawArgs.findIndex(a => a === '--model');
+  const modelFlagEq = rawArgs.find(a => a.startsWith('--model='));
+  modelOverride = modelFlagEq?.split('=')[1]
+    || (modelFlagIdx >= 0 ? rawArgs[modelFlagIdx + 1] : null)
+    || process.env.AGENTAUDIT_MODEL
+    || loadConfig()?.preferred_model
+    || null;
+  globalModelOverride = modelOverride;
+  // Strip global flags from args
+  const globalFlags = new Set(['--json', '--quiet', '-q', '--no-color']);
+  let args = rawArgs.filter(a => !globalFlags.has(a));
+  // Strip --model and its value
+  args = args.filter((a, i, arr) => {
+    if (a.startsWith('--model=')) return false;
+    if (a === '--model') { arr[i + 1] = '__skip__'; return false; }
+    if (a === '__skip__') return false;
+    return true;
+  });
+  if (args[0] === '-v' || args[0] === '--version') {
+    console.log(`agentaudit ${getVersion()}`);
+    process.exitCode = 0; return;
+  }
+  if (args[0] === '--help' || args[0] === '-h') {
+    banner();
+    console.log(`  ${c.bold}USAGE${c.reset}`);
+    console.log(`    ${c.cyan}agentaudit${c.reset} <command> [options]`);
+    console.log();
+    console.log(`  ${c.bold}SCAN & AUDIT${c.reset}`);
+    console.log(`    ${c.cyan}scan${c.reset} <url> [url...]          Quick static analysis ${c.dim}(~2s, no API key)${c.reset}`);
+    console.log(`    ${c.cyan}audit${c.reset} <url> [url...]         Deep LLM security audit ${c.dim}(~30s)${c.reset}`);
+    console.log(`    ${c.cyan}discover${c.reset}                     Find MCP servers in your editors`);
+    console.log();
+    console.log(`  ${c.bold}REGISTRY${c.reset}`);
+    console.log(`    ${c.cyan}check${c.reset} <name|url>             Look up or auto-audit package`);
+    console.log(`    ${c.cyan}lookup${c.reset} <name>                Look up package in registry`);
+    console.log();
+    console.log(`  ${c.bold}SETUP${c.reset}`);
+    console.log(`    ${c.cyan}status${c.reset}                       Check providers & API keys`);
+    console.log(`    ${c.cyan}setup${c.reset}                        Register & configure`);
+    console.log(`    ${c.cyan}models${c.reset}                       List available LLM models`);
+    console.log(`    ${c.cyan}config set${c.reset} <key> <value>     Set default provider/options`);
+    console.log();
+    console.log(`  ${c.bold}OPTIONS${c.reset}`);
+    console.log(`    ${c.dim}--json         Machine-readable JSON output${c.reset}`);
+    console.log(`    ${c.dim}--quiet        Suppress banner${c.reset}`);
+    console.log(`    ${c.dim}--no-color     Disable colors ${c.reset}${c.dim}(also: NO_COLOR=1)${c.reset}`);
+    console.log(`    ${c.dim}--provider <p> Force provider ${c.reset}${c.dim}(anthropic|openai|openrouter|ollama|custom)${c.reset}`);
+    console.log(`    ${c.dim}--model <m>    Override model ${c.reset}${c.dim}(e.g. gpt-4o-mini, claude-3.5-sonnet)${c.reset}`);
+    console.log(`    ${c.dim}--export       Export audit payload to markdown${c.reset}`);
+    console.log(`    ${c.dim}--debug        Show raw LLM response on errors${c.reset}`);
+    console.log();
+    console.log(`  ${c.bold}EXAMPLES${c.reset}`);
+    console.log(`    ${c.dim}$${c.reset} agentaudit scan https://github.com/owner/repo`);
+    console.log(`    ${c.dim}$${c.reset} agentaudit audit https://github.com/owner/repo`);
+    console.log(`    ${c.dim}$${c.reset} agentaudit check fastmcp`);
+    console.log(`    ${c.dim}$${c.reset} agentaudit status`);
+    console.log();
+    console.log(`  ${c.bold}PROVIDERS${c.reset} ${c.dim}(set any one for deep audits)${c.reset}`);
+    console.log(`    ${c.dim}ANTHROPIC_API_KEY · OPENAI_API_KEY · OPENROUTER_API_KEY · OLLAMA_MODEL · LLM_API_URL${c.reset}`);
+    console.log(`    ${c.dim}Set default: AGENTAUDIT_PROVIDER=openai  AGENTAUDIT_MODEL=gpt-4o-mini${c.reset}`);
+    console.log(`    ${c.dim}Or persist: agentaudit config set provider openai${c.reset}`);
+    console.log(`    ${c.dim}            agentaudit config set model gpt-4o-mini${c.reset}`);
+    console.log(`    ${c.dim}Run ${c.cyan}agentaudit status${c.dim} to check configuration.${c.reset}`);
+    console.log();
+    process.exitCode = 0; return;
+  }
+  // Default no-arg → discover
+  const command = args.length === 0 ? 'discover' : args[0];
+  const targets = args.slice(1);
+  banner();
+  if (command === 'setup') {
+    await setupCommand();
+    return;
+  }
+  if (command === 'status') {
+    console.log(`  ${c.bold}LLM Providers:${c.reset}`);
+    console.log();
+    const keys = {
+      anthropicKey: process.env.ANTHROPIC_API_KEY,
+      openaiKey: process.env.OPENAI_API_KEY,
+      openrouterKey: process.env.OPENROUTER_API_KEY,
+    };
+    const ollamaHost = process.env.OLLAMA_HOST || 'http://localhost:11434';
+    const ollamaModel = process.env.OLLAMA_MODEL;
+    const customUrl = process.env.LLM_API_URL;
+    const checks = [
+      { name: 'Anthropic', env: 'ANTHROPIC_API_KEY', key: keys.anthropicKey, testUrl: 'https://api.anthropic.com/v1/messages', testHeaders: (k) => ({ 'x-api-key': k, 'anthropic-version': '2023-06-01', 'content-type': 'application/json' }), testBody: JSON.stringify({ model: 'claude-sonnet-4-20250514', max_tokens: 1, messages: [{ role: 'user', content: 'hi' }] }) },
+      { name: 'OpenAI', env: 'OPENAI_API_KEY', key: keys.openaiKey, testUrl: 'https://api.openai.com/v1/chat/completions', testHeaders: (k) => ({ 'Authorization': `Bearer ${k}`, 'Content-Type': 'application/json' }), testBody: JSON.stringify({ model: 'gpt-4o-mini', max_tokens: 1, messages: [{ role: 'user', content: 'hi' }] }) },
+      { name: 'OpenRouter', env: 'OPENROUTER_API_KEY', key: keys.openrouterKey, testUrl: 'https://openrouter.ai/api/v1/chat/completions', testHeaders: (k) => ({ 'Authorization': `Bearer ${k}`, 'Content-Type': 'application/json', 'HTTP-Referer': 'https://agentaudit.dev', 'X-Title': 'AgentAudit' }), testBody: JSON.stringify({ model: 'openai/gpt-4o-mini', max_tokens: 1, messages: [{ role: 'user', content: 'hi' }] }) },
+      { name: 'Ollama', env: 'OLLAMA_MODEL', key: ollamaModel, testUrl: `${ollamaHost}/api/tags`, testHeaders: () => ({}), testBody: null },
+      { name: 'Custom', env: 'LLM_API_URL', key: customUrl, testUrl: customUrl ? `${customUrl.replace(/\/$/, '')}/models` : null, testHeaders: (k) => process.env.LLM_API_KEY ? ({ 'Authorization': `Bearer ${process.env.LLM_API_KEY}` }) : {}, testBody: null },
+    ];
+    for (const p of checks) {
+      if (!p.key) {
+        console.log(`    ${c.dim}○${c.reset}  ${p.name.padEnd(12)} ${c.dim}not set${c.reset}  ${c.dim}(${p.env})${c.reset}`);
+        continue;
+      }
+      const masked = p.key.substring(0, 8) + '...' + p.key.substring(p.key.length - 4);
+      process.stdout.write(`    ${c.yellow}●${c.reset}  ${p.name.padEnd(12)} ${c.dim}${masked}${c.reset}  checking...`);
+      try {
+        const res = await fetch(p.testUrl, {
+          method: p.testBody ? 'POST' : 'GET',
+          headers: p.testHeaders(p.key),
+          ...(p.testBody ? { body: p.testBody } : {}),
+          signal: AbortSignal.timeout(10_000),
+        });
+        if (res.ok || res.status === 200 || res.status === 201) {
+          process.stdout.write(`\r    ${c.green}●${c.reset}  ${p.name.padEnd(12)} ${c.dim}${masked}${c.reset}  ${c.green}valid ✓${c.reset}  \n`);
+        } else {
+          const body = await res.json().catch(() => ({}));
+          const rawMsg = body?.error?.message || body?.message || `HTTP ${res.status}`;
+          // Detect specific error types for clearer messages
+          const lcMsg = rawMsg.toLowerCase();
+          let errMsg = rawMsg;
+          let hint = '';
+          if (lcMsg.includes('credit') || lcMsg.includes('balance') || lcMsg.includes('quota') || lcMsg.includes('billing') || lcMsg.includes('exceeded') || lcMsg.includes('insufficient')) {
+            errMsg = 'no credits';
+            if (p.name === 'Anthropic') hint = `\n       ${c.dim}└─ Add credits: console.anthropic.com/settings/plans${c.reset}`;
+            else if (p.name === 'OpenAI') hint = `\n       ${c.dim}└─ Check usage: platform.openai.com/usage${c.reset}`;
+            else if (p.name === 'OpenRouter') hint = `\n       ${c.dim}└─ Check balance: openrouter.ai/credits${c.reset}`;
+          } else if (res.status === 401 || lcMsg.includes('invalid') || lcMsg.includes('unauthorized') || lcMsg.includes('authentication')) {
+            errMsg = 'invalid key';
+            if (p.name === 'Anthropic') hint = `\n       ${c.dim}└─ Check key: console.anthropic.com/settings/keys${c.reset}`;
+            else if (p.name === 'OpenAI') hint = `\n       ${c.dim}└─ Check key: platform.openai.com/api-keys${c.reset}`;
+          } else if (res.status === 429) {
+            errMsg = 'rate limited';
+            hint = `\n       ${c.dim}└─ Try again in a moment${c.reset}`;
+          }
+          process.stdout.write(`\r    ${c.red}●${c.reset}  ${p.name.padEnd(12)} ${c.dim}${masked}${c.reset}  ${c.red}✖ ${errMsg}${c.reset}${hint}  \n`);
+        }
+      } catch (e) {
+        process.stdout.write(`\r    ${c.red}●${c.reset}  ${p.name.padEnd(12)} ${c.dim}${masked}${c.reset}  ${c.red}error ✗${c.reset} ${c.dim}(${e.message})${c.reset}  \n`);
+      }
+    }
+    const resolved = resolveProvider(null, keys);
+    console.log();
+    if (resolved) {
+      const activeModel = modelOverride || process.env.AGENTAUDIT_MODEL || loadConfig()?.preferred_model;
+      console.log(`    ${c.bold}Active:${c.reset} ${c.green}${resolved.label}${c.reset}${activeModel ? `  ${c.dim}model: ${activeModel}${c.reset}` : ''}`);
+      console.log(`    ${c.dim}Override: --provider=<name> --model=<name>${c.reset}`);
+      console.log(`    ${c.dim}Set default: agentaudit config set provider <name>${c.reset}`);
+      console.log(`    ${c.dim}             agentaudit config set model <name>${c.reset}`);
+    } else {
+      console.log(`    ${c.yellow}⚠  No working LLM provider.${c.reset} Deep audits require one.`);
+      console.log(`    ${c.dim}Set a key: export ANTHROPIC_API_KEY=sk-ant-...${c.reset}`);
+      console.log(`    ${c.dim}Or scan without LLM: agentaudit scan <url>${c.reset}`);
+    }
+    // AgentAudit registry key
+    console.log();
+    console.log(`  ${c.bold}Registry:${c.reset}`);
+    const creds = loadCredentials();
+    if (creds?.api_key) {
+      const masked = creds.api_key.substring(0, 8) + '...' + creds.api_key.substring(creds.api_key.length - 4);
+      console.log(`    ${c.green}●${c.reset}  AgentAudit  ${c.dim}${masked}${c.reset}  ${c.dim}(${creds.agent_name || 'unknown'})${c.reset}`);
+      // Fetch agent stats from leaderboard
+      try {
+        const lbRes = await fetch(`${REGISTRY_URL}/api/leaderboard`, { signal: AbortSignal.timeout(5000) });
+        if (lbRes.ok) {
+          const agents = await lbRes.json();
+          const myName = creds.agent_name?.toLowerCase();
+          const idx = Array.isArray(agents) ? agents.findIndex((a) => (a.agent_name || '').toLowerCase() === myName) : -1;
+          if (idx >= 0) {
+            const me = agents[idx];
+            const pts = me.total_points || 0;
+            const reports = me.total_reports || 0;
+            const rank = idx + 1;
+            const medal = rank === 1 ? '🥇' : rank === 2 ? '🥈' : rank === 3 ? '🥉' : '  ';
+            console.log();
+            console.log(`  ${c.bold}Your Stats:${c.reset}`);
+            console.log(`    ${medal} Rank #${rank} of ${agents.length}  ${c.dim}│${c.reset}  ${c.cyan}${pts}${c.reset} points  ${c.dim}│${c.reset}  ${reports} reports`);
+            if (me.is_official) console.log(`    ${c.green}✔ Official Auditor${c.reset}`);
+            // Update stats cache
+            saveStatsCache({ rank, total: agents.length, pts, reports, official: !!me.is_official });
+          }
+        }
+      } catch {}
+    } else {
+      console.log(`    ${c.dim}○${c.reset}  AgentAudit   ${c.dim}not set${c.reset}  ${c.dim}(run: agentaudit setup)${c.reset}`);
+    }
+    console.log();
+    return;
+  }
+  if (command === 'discover') {
+    const scanFlag = targets.includes('--quick') || targets.includes('--scan') || targets.includes('-s');
+    const auditFlag = targets.includes('--deep') || targets.includes('--audit') || targets.includes('-a');
+    await discoverCommand({ scan: scanFlag, audit: auditFlag });
+    return;
+  }
+  if (command === 'models') {
+    const anthropicKey = process.env.ANTHROPIC_API_KEY;
+    const openaiKey = process.env.OPENAI_API_KEY;
+    const openrouterKey = process.env.OPENROUTER_API_KEY;
+    console.log(`  ${c.bold}Available models by provider:${c.reset}`);
+    console.log();
+    // Static lists for Anthropic (no list API)
+    console.log(`  ${c.bold}Anthropic${c.reset}${anthropicKey ? ` ${c.green}(configured)${c.reset}` : ` ${c.dim}(not configured)${c.reset}`}`);
+    console.log(`    ${c.dim}claude-sonnet-4-20250514${c.reset}      ${c.dim}(default)${c.reset}`);
+    console.log(`    ${c.dim}claude-opus-4-20250514${c.reset}`);
+    console.log(`    ${c.dim}claude-haiku-3-20250514${c.reset}`);
+    console.log();
+    // Static list for OpenAI
+    console.log(`  ${c.bold}OpenAI${c.reset}${openaiKey ? ` ${c.green}(configured)${c.reset}` : ` ${c.dim}(not configured)${c.reset}`}`);
+    console.log(`    ${c.dim}gpt-4o${c.reset}                        ${c.dim}(default)${c.reset}`);
+    console.log(`    ${c.dim}gpt-4o-mini${c.reset}`);
+    console.log(`    ${c.dim}gpt-4.1${c.reset}`);
+    console.log(`    ${c.dim}gpt-4.1-mini${c.reset}`);
+    console.log(`    ${c.dim}o3${c.reset}`);
+    console.log(`    ${c.dim}o4-mini${c.reset}`);
+    console.log();
+    // OpenRouter — fetch from API
+    console.log(`  ${c.bold}OpenRouter${c.reset}${openrouterKey ? ` ${c.green}(configured)${c.reset}` : ` ${c.dim}(not configured)${c.reset}`}`);
+    if (openrouterKey || targets.includes('--all')) {
+      process.stdout.write(`    ${c.dim}Fetching models...${c.reset}`);
+      try {
+        const res = await fetch('https://openrouter.ai/api/v1/models', {
+          headers: openrouterKey ? { 'Authorization': `Bearer ${openrouterKey}` } : {},
+          signal: AbortSignal.timeout(10_000),
+        });
+        const data = await res.json();
+        const models = (data.data || [])
+          .filter(m => m.id && !m.id.includes(':free') && !m.id.includes('/extended'))
+          .sort((a, b) => (a.id || '').localeCompare(b.id || ''));
+        // Group by provider prefix
+        const groups = {};
+        for (const m of models) {
+          const [prefix] = m.id.split('/');
+          if (!groups[prefix]) groups[prefix] = [];
+          groups[prefix].push(m);
+        }
+        // Show popular ones first
+        const popular = ['anthropic', 'openai', 'google', 'meta-llama', 'mistralai', 'deepseek'];
+        const shown = new Set();
+        process.stdout.write(`\r    ${c.green}${models.length} models available${c.reset}                    \n`);
+        console.log();
+        for (const prefix of popular) {
+          if (!groups[prefix]) continue;
+          shown.add(prefix);
+          console.log(`    ${c.bold}${prefix}${c.reset}`);
+          for (const m of groups[prefix].slice(0, 5)) {
+            console.log(`      ${c.dim}${m.id}${c.reset}`);
+          }
+          if (groups[prefix].length > 5) {
+            console.log(`      ${c.dim}... and ${groups[prefix].length - 5} more${c.reset}`);
+          }
+        }
+        const otherCount = Object.keys(groups).filter(k => !shown.has(k)).length;
+        if (otherCount > 0) {
+          console.log();
+          console.log(`    ${c.dim}+ ${otherCount} more providers. Use --model=<provider/model>${c.reset}`);
+          console.log(`    ${c.dim}Full list: https://openrouter.ai/models${c.reset}`);
+        }
+      } catch (e) {
+        process.stdout.write(`\r    ${c.red}Failed to fetch: ${e.message}${c.reset}                    \n`);
+      }
+    } else {
+      console.log(`    ${c.dim}anthropic/claude-sonnet-4${c.reset}    ${c.dim}(default)${c.reset}`);
+      console.log(`    ${c.dim}Set OPENROUTER_API_KEY to see all ${c.bold}200+${c.reset}${c.dim} models${c.reset}`);
+      console.log(`    ${c.dim}Or browse: https://openrouter.ai/models${c.reset}`);
+    }
+    console.log();
+    // Ollama
+    const ollamaModel = process.env.OLLAMA_MODEL;
+    const ollamaHost = process.env.OLLAMA_HOST || 'http://localhost:11434';
+    console.log(`  ${c.bold}Ollama${c.reset}${ollamaModel ? ` ${c.green}(configured: ${ollamaModel})${c.reset}` : ` ${c.dim}(not configured)${c.reset}`}`);
+    if (ollamaModel || process.env.OLLAMA_HOST) {
+      try {
+        const res = await fetch(`${ollamaHost}/api/tags`, { signal: AbortSignal.timeout(5_000) });
+        const data = await res.json();
+        for (const m of (data.models || []).slice(0, 10)) {
+          console.log(`    ${c.dim}${m.name}${c.reset}`);
+        }
+      } catch {
+        console.log(`    ${c.dim}(Ollama not running at ${ollamaHost})${c.reset}`);
+      }
+    } else {
+      console.log(`    ${c.dim}Set OLLAMA_MODEL to use local models${c.reset}`);
+    }
+    console.log();
+    console.log(`  ${c.bold}Set model:${c.reset}`);
+    console.log(`    ${c.cyan}agentaudit config set model <name>${c.reset}`);
+    console.log(`    ${c.cyan}agentaudit audit <url> --model <name>${c.reset}`);
+    console.log(`    ${c.dim}Or env: AGENTAUDIT_MODEL=<name>${c.reset}`);
+    return;
+  }
+  if (command === 'config') {
+    const subCmd = targets[0];
+    if (subCmd === 'set' && targets[1] === 'provider' && targets[2]) {
+      const validProviders = ['anthropic', 'openai', 'openrouter', 'ollama', 'custom', 'claude', 'gpt'];
+      const val = targets[2].toLowerCase();
+      if (!validProviders.includes(val)) {
+        console.log(`  ${c.red}✖  Unknown provider: ${val}${c.reset}`);
+        console.log(`     ${c.dim}Valid: anthropic, openai, openrouter, ollama, custom${c.reset}`);
+        process.exitCode = 2; return;
+      }
+      saveConfig({ preferred_provider: val });
+      console.log(`  ${c.green}✔${c.reset}  Default provider set to: ${c.bold}${val}${c.reset}`);
+      console.log(`     ${c.dim}Override per-command: --provider=<name>${c.reset}`);
+      console.log(`     ${c.dim}Or env: AGENTAUDIT_PROVIDER=<name>${c.reset}`);
+    } else if (subCmd === 'set' && targets[1] === 'model' && targets[2]) {
+      const val = targets[2];
+      saveConfig({ preferred_model: val });
+      console.log(`  ${c.green}✔${c.reset}  Default model set to: ${c.bold}${val}${c.reset}`);
+      console.log(`     ${c.dim}Override per-command: --model=<name>${c.reset}`);
+      console.log(`     ${c.dim}Or env: AGENTAUDIT_MODEL=<name>${c.reset}`);
+    } else if (subCmd === 'get' || !subCmd) {
+      const cfg = loadConfig();
+      console.log(`  ${c.bold}Config:${c.reset} ${USER_CONFIG_FILE}`);
+      if (Object.keys(cfg).length === 0) {
+        console.log(`  ${c.dim}(empty — using defaults)${c.reset}`);
+      } else {
+        for (const [k, v] of Object.entries(cfg)) {
+          console.log(`  ${c.dim}${k}:${c.reset} ${v}`);
+        }
+      }
+    } else if (subCmd === 'reset') {
+      try { fs.unlinkSync(USER_CONFIG_FILE); } catch {}
+      console.log(`  ${c.green}✔${c.reset}  Config reset to defaults.`);
+    } else {
+      console.log(`  ${c.red}✖  Unknown config command${c.reset}`);
+      console.log(`     ${c.dim}Usage: agentaudit config set provider <name>${c.reset}`);
+      console.log(`     ${c.dim}       agentaudit config get${c.reset}`);
+      console.log(`     ${c.dim}       agentaudit config reset${c.reset}`);
+    }
+    return;
+  }
+  if (command === 'lookup' || command === 'check') {
+    const names = targets.filter(t => !t.startsWith('--'));
+    if (names.length === 0) {
+      console.log(`  ${c.red}✖  Package name or URL required${c.reset}`);
+      console.log(`     ${c.dim}Usage: agentaudit check <name|url>${c.reset}`);
+      process.exitCode = 2;
+      return;
+    }
+    const results = [];
+    const allowAutoAudit = command === 'check'; // only 'check' auto-audits, 'lookup' never does
+    for (const t of names) {
+      const data = await checkPackage(t, { autoAudit: allowAutoAudit });
+      results.push(data);
+    }
+    if (jsonMode) {
+      console.log(JSON.stringify(results.length === 1 ? (results[0] || { error: 'not_found' }) : results, null, 2));
+    }
+    process.exitCode = 0; return;
+  }
+  if (command === 'scan') {
+    const urls = targets.filter(t => !t.startsWith('--'));
+    if (urls.length === 0) {
+      console.log(`  ${c.red}✖  Repository URL required${c.reset}`);
+      console.log(`     ${c.dim}Usage: agentaudit scan <url>${c.reset}`);
+      console.log(`     ${c.dim}Or discover local servers: ${c.cyan}agentaudit discover${c.reset}`);
+      process.exitCode = 2;
+      return;
+    }
+    const results = [];
+    let hadErrors = false;
+    for (const url of urls) {
+      const result = await scanRepo(url);
+      if (result) results.push(result);
+      else hadErrors = true;
+    }
+    if (jsonMode) {
+      const jsonOut = results.map(r => ({
+        slug: r.slug,
+        url: r.url,
+        findings: r.findings.map(f => ({
+          severity: f.severity,
+          title: f.title,
+          file: f.file,
+          line: f.line,
+          snippet: f.snippet,
+        })),
+        fileCount: r.files,
+        duration: r.duration,
+      }));
+      console.log(JSON.stringify(jsonOut.length === 1 ? jsonOut[0] : jsonOut, null, 2));
+    } else if (results.length > 1) {
+      printSummary(results);
+    }
+    if (hadErrors && results.length === 0) { process.exitCode = 2; return; }
+    const totalFindings = results.reduce((sum, r) => sum + r.findings.length, 0);
+    process.exitCode = totalFindings > 0 ? 1 : 0;
+    return;
+  }
+  if (command === 'audit') {
+    const urls = targets.filter(t => !t.startsWith('--'));
+    if (urls.length === 0) {
+      console.log(`  ${c.red}✖  Repository URL required${c.reset}`);
+      console.log(`     ${c.dim}Usage: agentaudit audit <url>${c.reset}`);
+      process.exitCode = 2;
+      return;
+    }
+    let hasFindings = false;
+    for (const url of urls) {
+      const report = await auditRepo(url);
+      if (report?.findings?.length > 0) hasFindings = true;
+    }
+    process.exitCode = hasFindings ? 1 : 0;
+    return;
+  }
+  // Typo correction via Levenshtein distance
+  const knownCommands = ['discover', 'scan', 'audit', 'check', 'lookup', 'status', 'setup', 'config', 'models'];
+  const suggestion = knownCommands
+    .map(cmd => ({ cmd, dist: levenshtein(command, cmd) }))
+    .filter(x => x.dist <= 3)
+    .sort((a, b) => a.dist - b.dist)[0];
+  console.log(`  ${c.red}✖  Unknown command: ${command}${c.reset}`);
+  if (suggestion) {
+    console.log(`     ${c.dim}Did you mean: ${c.cyan}agentaudit ${suggestion.cmd}${c.reset}${c.dim}?${c.reset}`);
+  }
+  console.log(`     ${c.dim}Run ${c.cyan}agentaudit --help${c.dim} for usage${c.reset}`);
+  process.exitCode = 2;
+}
+main().catch(err => {
+  console.error(`${c.red}Error: ${err.message}${c.reset}`);
+  process.exitCode = 2;
+});