agentaudit 3.9.47 → 3.10.0

package/cli.mjs

@@ -1,18 +1,22 @@
 #!/usr/bin/env node
 /**
- * AgentAudit CLI — Security scanner for AI tools
+ * AgentAudit CLI — Security scanner for AI packages
  * 
- * Scan & Audit:  scan <url>, audit <url>, discover
- * Registry:      check <name|url>, lookup <name>
- * Setup:         status, setup, config
+ * Usage:
+ *   agentaudit                                     Discover local MCP servers
+ *   agentaudit discover [--quick|--deep]            Find MCP servers in AI editors
+ *   agentaudit scan <repo-url> [--deep]             Quick scan (or deep audit with --deep)
+ *   agentaudit audit <repo-url>                     Deep LLM-powered security audit
+ *   agentaudit lookup <name>                        Look up package in registry
+ *   agentaudit setup                                Register + configure API key
  * 
- * Global flags: --json, --quiet, --no-color, --provider, --debug, --export
+ * Global flags: --json, --quiet, --no-color
  */
 
 import fs from 'fs';
 import os from 'os';
 import path from 'path';
-import { execSync } from 'child_process';
+import { execSync, execFileSync } from 'child_process';
 import { createInterface } from 'readline';
 import { fileURLToPath } from 'url';
 
@@ -20,62 +24,30 @@ const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const SKILL_DIR = path.resolve(__dirname);
 const REGISTRY_URL = 'https://agentaudit.dev';
 
-// ── Provider resolution ────
-function resolveProvider(flagOverride, keys) {
-  const orModel = process.env.OPENROUTER_MODEL || 'anthropic/claude-sonnet-4';
-  const ollamaModel = process.env.OLLAMA_MODEL || 'llama3.1';
-  const ollamaHost = process.env.OLLAMA_HOST || 'http://localhost:11434';
-  const customUrl = process.env.LLM_API_URL;
-  const customKey = process.env.LLM_API_KEY;
-  const customModel = process.env.LLM_MODEL || 'default';
-
-  const providers = {
-    anthropic: keys.anthropicKey ? { id: 'anthropic', label: 'Anthropic (Claude)', key: keys.anthropicKey } : null,
-    openai: keys.openaiKey ? { id: 'openai', label: 'OpenAI (GPT-4o)', key: keys.openaiKey } : null,
-    openrouter: keys.openrouterKey ? { id: 'openrouter', label: `OpenRouter (${orModel})`, key: keys.openrouterKey } : null,
-    ollama: process.env.OLLAMA_MODEL || process.env.OLLAMA_HOST ? { id: 'ollama', label: `Ollama (${ollamaModel})`, key: null, host: ollamaHost, model: ollamaModel } : null,
-    custom: customUrl ? { id: 'custom', label: `Custom (${customModel})`, key: customKey, url: customUrl, model: customModel } : null,
-  };
-  // Aliases
-  const aliases = { claude: 'anthropic', gpt: 'openai', 'gpt-4o': 'openai', 'gpt4': 'openai', or: 'openrouter', local: 'ollama' };
-
-  // Priority: --provider flag > AGENTAUDIT_PROVIDER env > config file > model-inferred > auto-detect
-  const preferred = flagOverride
-    || process.env.AGENTAUDIT_PROVIDER?.toLowerCase()
-    || loadConfig()?.preferred_provider
-    || null;
-
-  if (preferred) {
-    const resolved = aliases[preferred] || preferred;
-    const p = providers[resolved];
-    if (p) return p;
-    // Preferred provider not available (no API key) — fall through to inference
-  }
-  
-  // Smart inference: if model is set, try to match it to a provider
-  const activeModel = globalModelOverride || process.env.AGENTAUDIT_MODEL || loadConfig()?.preferred_model;
-  if (activeModel) {
-    const lm = activeModel.toLowerCase();
-    // Direct provider models (no slash = native format)
-    if (!lm.includes('/')) {
-      if (lm.startsWith('claude') && providers.anthropic) return providers.anthropic;
-      if ((lm.startsWith('gpt') || lm.startsWith('o3') || lm.startsWith('o4') || lm.startsWith('o1')) && providers.openai) return providers.openai;
-      if (providers.ollama && (process.env.OLLAMA_MODEL || process.env.OLLAMA_HOST)) return providers.ollama;
-    }
-    // Slash format = OpenRouter convention (provider/model)
-    if (lm.includes('/') && providers.openrouter) return providers.openrouter;
-  }
-  
-  // Auto-detect priority: Anthropic > OpenAI > OpenRouter > Custom > Ollama (local last — usually weaker)
-  return providers.anthropic || providers.openai || providers.openrouter || providers.custom || providers.ollama || null;
-}
-
 // ── Global flags (set in main before command routing) ────
 let jsonMode = false;
 let quietMode = false;
-let modelOverride = null; // --model flag or AGENTAUDIT_MODEL env or config
-let globalModelOverride = null; // same, but set early for resolveProvider
-let llmTimeoutMs = null; // --timeout flag (seconds → ms)
+
+// ── LLM Provider Registry ───────────────────────────────
+const LLM_PROVIDERS = [
+  // Native APIs (unique formats)
+  { key: 'ANTHROPIC_API_KEY',   name: 'Anthropic (Claude)',   provider: 'anthropic',   type: 'anthropic', model: 'claude-sonnet-4-20250514',  url: 'https://api.anthropic.com/v1/messages' },
+  { key: 'GEMINI_API_KEY',      name: 'Google (Gemini)',       provider: 'google',      type: 'gemini',    model: 'gemini-2.5-flash',          url: 'https://generativelanguage.googleapis.com/v1beta/models' },
+  { key: 'GOOGLE_API_KEY',      name: 'Google (Gemini)',       provider: 'google',      type: 'gemini',    model: 'gemini-2.5-flash',          url: 'https://generativelanguage.googleapis.com/v1beta/models' },
+  // OpenAI-compatible APIs
+  { key: 'OPENAI_API_KEY',      name: 'OpenAI (GPT-4o)',       provider: 'openai',      type: 'openai',    model: 'gpt-4o',                    url: 'https://api.openai.com/v1/chat/completions' },
+  { key: 'DEEPSEEK_API_KEY',    name: 'DeepSeek',              provider: 'deepseek',    type: 'openai',    model: 'deepseek-chat',             url: 'https://api.deepseek.com/v1/chat/completions' },
+  { key: 'MISTRAL_API_KEY',     name: 'Mistral',               provider: 'mistral',     type: 'openai',    model: 'mistral-large-latest',      url: 'https://api.mistral.ai/v1/chat/completions' },
+  { key: 'GROQ_API_KEY',        name: 'Groq',                  provider: 'groq',        type: 'openai',    model: 'llama-3.3-70b-versatile',   url: 'https://api.groq.com/openai/v1/chat/completions' },
+  { key: 'XAI_API_KEY',         name: 'xAI (Grok)',            provider: 'xai',         type: 'openai',    model: 'grok-3',                    url: 'https://api.x.ai/v1/chat/completions' },
+  { key: 'TOGETHER_API_KEY',    name: 'Together AI',           provider: 'together',    type: 'openai',    model: 'meta-llama/Llama-3.3-70B-Instruct-Turbo', url: 'https://api.together.xyz/v1/chat/completions' },
+  { key: 'FIREWORKS_API_KEY',   name: 'Fireworks AI',          provider: 'fireworks',   type: 'openai',    model: 'accounts/fireworks/models/llama-v3p3-70b-instruct', url: 'https://api.fireworks.ai/inference/v1/chat/completions' },
+  { key: 'CEREBRAS_API_KEY',    name: 'Cerebras',              provider: 'cerebras',    type: 'openai',    model: 'llama-3.3-70b',             url: 'https://api.cerebras.ai/v1/chat/completions' },
+  { key: 'ZAI_API_KEY',         name: 'Zhipu AI (GLM)',        provider: 'zhipu',       type: 'openai',    model: 'glm-4.7',                   url: 'https://api.z.ai/api/paas/v4/chat/completions' },
+  { key: 'ZHIPUAI_API_KEY',     name: 'Zhipu AI (GLM)',        provider: 'zhipu',       type: 'openai',    model: 'glm-4.7',                   url: 'https://api.z.ai/api/paas/v4/chat/completions' },
+  // Meta-provider (routes to any model)
+  { key: 'OPENROUTER_API_KEY',  name: 'OpenRouter',            provider: 'openrouter',  type: 'openai',    model: 'anthropic/claude-sonnet-4', url: 'https://openrouter.ai/api/v1/chat/completions' },
+];
 
 // ── ANSI Colors (respects NO_COLOR and --no-color) ───────
 
@@ -137,55 +109,47 @@ function loadCredentials() {
   return null;
 }
 
-function saveCredentials(data) {
-  const json = JSON.stringify(data, null, 2);
+function loadLlmConfig() {
+  for (const f of [SKILL_CRED_FILE, USER_CRED_FILE]) {
+    if (fs.existsSync(f)) {
+      try {
+        const data = JSON.parse(fs.readFileSync(f, 'utf8'));
+        if (data.llm_model) return { llm_model: data.llm_model };
+      } catch {}
+    }
+  }
+  return null;
+}
+
+function saveLlmConfig(model) {
+  // Merge into existing credentials
+  let existing = {};
+  if (fs.existsSync(USER_CRED_FILE)) {
+    try { existing = JSON.parse(fs.readFileSync(USER_CRED_FILE, 'utf8')); } catch {}
+  }
+  existing.llm_model = model;
+  const json = JSON.stringify(existing, null, 2);
   fs.mkdirSync(USER_CRED_DIR, { recursive: true });
   fs.writeFileSync(USER_CRED_FILE, json, { mode: 0o600 });
   try {
+    let skillExisting = {};
+    if (fs.existsSync(SKILL_CRED_FILE)) {
+      try { skillExisting = JSON.parse(fs.readFileSync(SKILL_CRED_FILE, 'utf8')); } catch {}
+    }
+    skillExisting.llm_model = model;
     fs.mkdirSync(path.dirname(SKILL_CRED_FILE), { recursive: true });
-    fs.writeFileSync(SKILL_CRED_FILE, json, { mode: 0o600 });
+    fs.writeFileSync(SKILL_CRED_FILE, JSON.stringify(skillExisting, null, 2), { mode: 0o600 });
   } catch {}
 }
 
-const USER_CONFIG_FILE = path.join(USER_CRED_DIR, 'config.json');
-const USER_STATS_FILE = path.join(USER_CRED_DIR, 'stats-cache.json');
-
-function loadStatsCache() {
-  try { return fs.existsSync(USER_STATS_FILE) ? JSON.parse(fs.readFileSync(USER_STATS_FILE, 'utf8')) : null; } catch { return null; }
-}
-
-function saveStatsCache(stats) {
-  try { fs.mkdirSync(USER_CRED_DIR, { recursive: true }); fs.writeFileSync(USER_STATS_FILE, JSON.stringify({ ...stats, _ts: Date.now() })); } catch {}
-}
-
-async function refreshStatsCache(agentName) {
-  try {
-    const lbRes = await fetch(`${REGISTRY_URL}/api/leaderboard`, { signal: AbortSignal.timeout(5000) });
-    if (!lbRes.ok) return null;
-    const agents = await lbRes.json();
-    const idx = Array.isArray(agents) ? agents.findIndex(a => (a.agent_name || '').toLowerCase() === agentName.toLowerCase()) : -1;
-    if (idx < 0) return null;
-    const me = agents[idx];
-    const stats = { rank: idx + 1, total: agents.length, pts: me.total_points || 0, reports: me.total_reports || 0, official: !!me.is_official };
-    saveStatsCache(stats);
-    return stats;
-  } catch { return null; }
-}
-
-function loadConfig() {
+function saveCredentials(data) {
+  const json = JSON.stringify(data, null, 2);
+  fs.mkdirSync(USER_CRED_DIR, { recursive: true });
+  fs.writeFileSync(USER_CRED_FILE, json, { mode: 0o600 });
   try {
-    if (fs.existsSync(USER_CONFIG_FILE)) {
-      return JSON.parse(fs.readFileSync(USER_CONFIG_FILE, 'utf8'));
-    }
+    fs.mkdirSync(path.dirname(SKILL_CRED_FILE), { recursive: true });
+    fs.writeFileSync(SKILL_CRED_FILE, json, { mode: 0o600 });
   } catch {}
-  return {};
-}
-
-function saveConfig(data) {
-  const existing = loadConfig();
-  const merged = { ...existing, ...data };
-  fs.mkdirSync(USER_CRED_DIR, { recursive: true });
-  fs.writeFileSync(USER_CONFIG_FILE, JSON.stringify(merged, null, 2), { mode: 0o600 });
 }
 
 function askQuestion(question) {
@@ -298,6 +262,77 @@ function multiSelect(items, { title = 'Select items', hint = 'Space=toggle  ↑
   });
 }
 
+/**
+ * Interactive single-select in terminal. No dependencies.
+ * items: [{ label, sublabel?, value }]
+ * Returns: selected value (or null if cancelled)
+ */
+function singleSelect(items, { title = 'Select', hint = '↑↓=move  Enter=select  Esc=cancel' } = {}) {
+  return new Promise((resolve) => {
+    if (!process.stdin.isTTY) {
+      resolve(items[0]?.value || null);
+      return;
+    }
+
+    let cursor = 0;
+
+    const render = () => {
+      process.stdout.write(`\x1b[${items.length + 3}A\x1b[J`);
+      draw();
+    };
+
+    const draw = () => {
+      console.log(`  ${c.bold}${title}${c.reset}`);
+      console.log(`  ${c.dim}${hint}${c.reset}`);
+      console.log();
+      for (let i = 0; i < items.length; i++) {
+        const item = items[i];
+        const isCursor = i === cursor;
+        const pointer = isCursor ? `${c.cyan}❯${c.reset}` : ' ';
+        const label = isCursor ? `${c.bold}${c.cyan}${item.label}${c.reset}` : item.label;
+        const sub = item.sublabel ? `  ${c.dim}${item.sublabel}${c.reset}` : '';
+        console.log(` ${pointer}  ${label}${sub}`);
+      }
+    };
+
+    draw();
+
+    process.stdin.setRawMode(true);
+    process.stdin.resume();
+    process.stdin.setEncoding('utf8');
+
+    const onData = (key) => {
+      if (key === '\x03' || key === '\x1b') {
+        process.stdin.setRawMode(false);
+        process.stdin.pause();
+        process.stdin.removeListener('data', onData);
+        console.log();
+        resolve(null);
+        return;
+      }
+      if (key === '\r' || key === '\n') {
+        process.stdin.setRawMode(false);
+        process.stdin.pause();
+        process.stdin.removeListener('data', onData);
+        resolve(items[cursor].value);
+        return;
+      }
+      if (key === '\x1b[A' || key === 'k') {
+        cursor = (cursor - 1 + items.length) % items.length;
+        render();
+        return;
+      }
+      if (key === '\x1b[B' || key === 'j') {
+        cursor = (cursor + 1) % items.length;
+        render();
+        return;
+      }
+    };
+
+    process.stdin.on('data', onData);
+  });
+}
+
 async function registerAgent(agentName) {
   const res = await fetch(`${REGISTRY_URL}/api/register`, {
     method: 'POST',
@@ -354,8 +389,6 @@ async function setupCommand() {
       console.log(`  ${icons.safe}  Registered as ${c.bold}${data.agent_name}${c.reset}`);
       console.log(`  ${c.dim}Key: ${data.api_key.slice(0, 12)}...${c.reset}`);
       console.log(`  ${c.dim}Saved to: ${USER_CRED_FILE}${c.reset}`);
-      // Initialize stats cache
-      refreshStatsCache(data.agent_name).catch(() => {});
     } catch (err) {
       console.log(` ${c.red}failed${c.reset}`);
       console.log(`  ${c.red}${err.message}${c.reset}`);
@@ -364,6 +397,34 @@ async function setupCommand() {
   }
 
   console.log();
+
+  // ── LLM model configuration ──
+  const llmConfig = loadLlmConfig();
+  console.log(`  ${c.bold}LLM Model Configuration${c.reset}`);
+  console.log(`  ${c.dim}Used for deep audits. Requires an LLM API key in your environment.${c.reset}`);
+  console.log();
+  if (llmConfig) {
+    console.log(`  ${icons.safe}  Current model: ${c.bold}${llmConfig.llm_model}${c.reset}`);
+    console.log();
+  }
+  console.log(`  ${c.dim}Examples:${c.reset}`);
+  console.log(`    ${c.dim}claude-sonnet-4-20250514${c.reset}        ${c.dim}(Anthropic)${c.reset}`);
+  console.log(`    ${c.dim}gpt-4o${c.reset}                          ${c.dim}(OpenAI)${c.reset}`);
+  console.log(`    ${c.dim}gemini-2.5-flash${c.reset}                ${c.dim}(Google)${c.reset}`);
+  console.log(`    ${c.dim}qwen/qwen3.5-coder-32b${c.reset}         ${c.dim}(OpenRouter)${c.reset}`);
+  console.log(`    ${c.dim}deepseek-chat${c.reset}                   ${c.dim}(DeepSeek)${c.reset}`);
+  console.log();
+  const modelAnswer = await askQuestion(`  Model ${c.dim}(Enter to keep default, or type model name)${c.reset}: `);
+  if (modelAnswer) {
+    saveLlmConfig(modelAnswer);
+    console.log(`  ${icons.safe}  Model set to ${c.bold}${modelAnswer}${c.reset}`);
+  } else if (llmConfig) {
+    console.log(`  ${c.dim}Keeping: ${llmConfig.llm_model}${c.reset}`);
+  } else {
+    console.log(`  ${c.dim}No custom model — will use provider default${c.reset}`);
+  }
+  console.log();
+
   console.log(`  ${c.bold}Ready!${c.reset} You can now:`);
   console.log(`  ${c.dim}•${c.reset} Discover servers: ${c.cyan}agentaudit discover${c.reset}`);
   console.log(`  ${c.dim}•${c.reset} Audit packages:   ${c.cyan}agentaudit audit <repo-url>${c.reset}  ${c.dim}(deep LLM analysis)${c.reset}`);
@@ -373,30 +434,27 @@ async function setupCommand() {
   console.log();
 }
 
-// ── Structured error output ─────────────────────────────
+// ── Helpers ──────────────────────────────────────────────
 
-function emitError(code, message, hint, exitCode = 2) {
-  if (jsonMode) {
-    process.stderr.write(JSON.stringify({ error: true, code, message, hint: hint || undefined, exitCode }) + '\n');
+function validateGitUrl(url) {
+  // Reject URLs with shell metacharacters to prevent command injection
+  if (/[;&|`$(){}!\n\r]/.test(url)) {
+    throw new Error(`Rejected URL with suspicious characters: ${url.slice(0, 80)}`);
+  }
+  // Must look like a URL (http/https/git/ssh) or a GitHub shorthand
+  if (!/^(https?:\/\/|git@|git:\/\/|ssh:\/\/)/.test(url) && !/^[a-zA-Z0-9_.-]+\/[a-zA-Z0-9_.-]+$/.test(url)) {
+    throw new Error(`Invalid repository URL: ${url.slice(0, 80)}`);
   }
-  process.exitCode = exitCode;
 }
 
-// ── Levenshtein distance for typo correction ────────────
-
-function levenshtein(a, b) {
-  const m = a.length, n = b.length;
-  const dp = Array.from({ length: m + 1 }, () => Array(n + 1).fill(0));
-  for (let i = 0; i <= m; i++) dp[i][0] = i;
-  for (let j = 0; j <= n; j++) dp[0][j] = j;
-  for (let i = 1; i <= m; i++)
-    for (let j = 1; j <= n; j++)
-      dp[i][j] = Math.min(dp[i-1][j] + 1, dp[i][j-1] + 1, dp[i-1][j-1] + (a[i-1] !== b[j-1] ? 1 : 0));
-  return dp[m][n];
+function safeGitClone(url, destPath, timeoutMs = 30_000) {
+  validateGitUrl(url);
+  execFileSync('git', ['clone', '--depth', '1', url, destPath], {
+    timeout: timeoutMs,
+    stdio: 'pipe',
+  });
 }
 
-// ── Helpers ──────────────────────────────────────────────
-
 function getVersion() {
   try {
     const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, 'package.json'), 'utf8'));
@@ -404,38 +462,17 @@ function getVersion() {
   } catch { return '0.0.0'; }
 }
 
-async function banner() {
+function banner() {
   if (quietMode || jsonMode) return;
-  const creds = loadCredentials();
-  const agentInfo = creds?.agent_name ? `  ${c.dim}·${c.reset}  ${c.green}${creds.agent_name}${c.reset}` : '';
   console.log();
-  console.log(`  🛡  ${c.bold}${c.cyan}AgentAudit${c.reset} ${c.dim}v${getVersion()}${c.reset}${agentInfo}`);
-  if (creds?.agent_name) {
-    let cached = loadStatsCache();
-    // Auto-fetch if no cache or cache older than 1h
-    if (!cached || !cached._ts || (Date.now() - cached._ts > 3600000)) {
-      cached = await refreshStatsCache(creds.agent_name).catch(() => null) || cached;
-    }
-    if (cached && cached.rank) {
-      const medal = cached.rank === 1 ? '🥇' : cached.rank === 2 ? '🥈' : cached.rank === 3 ? '🥉' : `#${cached.rank}`;
-      console.log(`  ${c.dim}${medal} of ${cached.total} · ${c.reset}${c.cyan}${cached.pts}${c.reset}${c.dim} pts · ${cached.reports} audits${c.reset}`);
-    }
-  } else {
-    console.log(`  ${c.dim}Security scanner for AI tools${c.reset}`);
-  }
+  console.log(`  ${c.bold}${c.cyan}AgentAudit${c.reset} ${c.dim}v${getVersion()}${c.reset}`);
+  console.log(`  ${c.dim}Security scanner for AI packages${c.reset}`);
   console.log();
 }
 
 function slugFromUrl(url) {
   const match = url.match(/github\.com\/([^/]+)\/([^/.\s]+)/);
-  if (match) {
-    const owner = match[1].toLowerCase().replace(/[^a-z0-9-]/g, '-');
-    const repo = match[2].toLowerCase().replace(/[^a-z0-9-]/g, '-');
-    // Generic repo names get owner prefix to avoid collisions
-    const generic = ['mcp', 'server', 'plugin', 'tool', 'agent', 'sdk', 'api', 'app', 'cli', 'lib', 'core'];
-    if (generic.includes(repo)) return `${owner}-${repo}`;
-    return repo;
-  }
+  if (match) return match[2].toLowerCase().replace(/[^a-z0-9-]/g, '-');
   return url.replace(/[^a-z0-9]/gi, '-').toLowerCase().slice(0, 60);
 }
 
@@ -474,6 +511,46 @@ function severityIcon(sev) {
 
 // ── File Collection (same logic as MCP server) ──────────
 
+function formatApiError(error, provider, statusCode) {
+  // Extract error message from various API response formats
+  const msg = (typeof error === 'string' ? error : error?.message || error?.error?.message || JSON.stringify(error)).toLowerCase();
+
+  // Authentication errors
+  if (statusCode === 401 || statusCode === 403 || msg.includes('invalid api key') || msg.includes('invalid x-api-key') ||
+      msg.includes('incorrect api key') || msg.includes('authentication') || msg.includes('unauthorized') ||
+      msg.includes('invalid_api_key') || msg.includes('permission denied')) {
+    return { text: 'Invalid or expired API key', hint: `Check your ${provider} API key. Run: echo $${provider}_API_KEY` };
+  }
+
+  // Rate limits / quota
+  if (statusCode === 429 || msg.includes('rate limit') || msg.includes('rate_limit') || msg.includes('too many requests') ||
+      msg.includes('quota') || msg.includes('insufficient_quota') || msg.includes('billing') ||
+      msg.includes('exceeded') || msg.includes('no credits') || msg.includes('credit') ||
+      msg.includes('overloaded') || msg.includes('capacity')) {
+    return { text: 'Rate limit or quota exceeded', hint: 'Wait a moment and retry, or check your billing/credits at your provider dashboard' };
+  }
+
+  // Model not found
+  if (statusCode === 404 || msg.includes('not found') || msg.includes('not a valid model') ||
+      msg.includes('model_not_found') || msg.includes('does not exist') || msg.includes('invalid model')) {
+    return { text: 'Model not found', hint: `"${msg}" — check model name with: agentaudit model` };
+  }
+
+  // Context length / payload too large
+  if (statusCode === 413 || msg.includes('context length') || msg.includes('too long') ||
+      msg.includes('maximum') || msg.includes('token limit') || msg.includes('content_too_large')) {
+    return { text: 'Input too large for model', hint: 'The repository has too many files. Try a smaller repo or a model with larger context window' };
+  }
+
+  // Server errors
+  if (statusCode >= 500) {
+    return { text: `Provider server error (HTTP ${statusCode})`, hint: `${provider} might be experiencing issues. Try again later` };
+  }
+
+  // Fallback
+  return null;
+}
+
 function extractJSON(text) {
   // 1. Try parsing the entire text as JSON directly
   try { return JSON.parse(text.trim()); } catch {}
@@ -526,60 +603,36 @@ function extractJSON(text) {
 
 const MAX_FILE_SIZE = 50_000;
 const MAX_TOTAL_SIZE = 300_000;
-// Directories safe to skip: dependencies, caches, build artifacts, editor config.
-// SECURITY RULE: If a directory can contain source code, workflow files, or
-// prose (prompt injection), it MUST be scanned.
-// Reviewed 2026-02-17:
-//   - RESTORED: test/tests/__tests__/spec/specs/e2e (malware in test hooks)
-//   - RESTORED: .github (workflow injection, supply chain attacks)
-//   - RESTORED: examples/example (hidden backdoors in "example" code)
-//   - RESTORED: docs/doc (prompt injection in documentation)
-//   - RESTORED: fixtures (test data can contain malicious payloads)
 const SKIP_DIRS = new Set([
-  'node_modules', '.git', '__pycache__', '.venv', 'venv', 'vendor',
-  'dist', 'build', '.next', '.nuxt',
-  'coverage', '.pytest_cache', '.mypy_cache', '.tox', '.eggs', 'htmlcov',
-  '.vscode', '.idea',
+  'node_modules', '.git', '__pycache__', '.venv', 'venv', 'dist', 'build',
+  '.next', '.nuxt', 'coverage', '.pytest_cache', '.mypy_cache', 'vendor',
+  'test', 'tests', '__tests__', 'spec', 'specs', 'docs', 'doc',
+  'examples', 'example', 'fixtures', '.github', '.vscode', '.idea',
+  'e2e', 'benchmark', 'benchmarks', '.tox', '.eggs', 'htmlcov',
 ]);
 const SKIP_EXTENSIONS = new Set([
   '.lock', '.png', '.jpg', '.jpeg', '.gif', '.svg', '.ico', '.woff',
   '.woff2', '.ttf', '.eot', '.mp3', '.mp4', '.zip', '.tar', '.gz',
   '.map', '.min.js', '.min.css', '.d.ts', '.pyc', '.pyo', '.so',
   '.dylib', '.dll', '.exe', '.bin', '.dat', '.db', '.sqlite',
-  '.snap', '.patch', '.diff', '.log', '.csv', '.tsv', '.parquet',
-]);
-// Files safe to skip: ONLY inert line-based config that cannot execute code
-// and cannot contain prompt injections (no prose, no markdown, no scripts).
-// SECURITY RULE: When in doubt, SCAN IT. False positives > false negatives.
-// Reviewed 2026-02-17: All .md files removed from skip list (prompt injection vector).
-// All executable configs removed (malware vector). Only line-based dotfiles remain.
-const SKIP_FILES = new Set([
-  '.gitignore', '.gitattributes', '.npmignore', '.dockerignore',
-  '.editorconfig', '.browserslistrc', '.nvmrc', '.node-version',
-  '.prettierignore', '.eslintignore',
 ]);
 
-function collectFiles(dir, basePath = '', collected = [], totalSize = { bytes: 0, truncated: false, skippedPaths: [] }) {
-  if (totalSize.bytes >= MAX_TOTAL_SIZE) { totalSize.truncated = true; return collected; }
+function collectFiles(dir, basePath = '', collected = [], totalSize = { bytes: 0 }) {
+  if (totalSize.bytes >= MAX_TOTAL_SIZE) return collected;
   let entries;
   try { entries = fs.readdirSync(dir, { withFileTypes: true }); }
   catch { return collected; }
   entries.sort((a, b) => a.name.localeCompare(b.name));
   for (const entry of entries) {
+    if (totalSize.bytes >= MAX_TOTAL_SIZE) break;
     const relPath = basePath ? `${basePath}/${entry.name}` : entry.name;
-    if (totalSize.bytes >= MAX_TOTAL_SIZE) { totalSize.truncated = true; totalSize.skippedPaths.push(relPath); continue; }
     const fullPath = path.join(dir, entry.name);
-    // SECURITY: Never follow symlinks — attacker could link to /etc/passwd or ~/.ssh/
-    if (entry.isSymbolicLink()) continue;
     if (entry.isDirectory()) {
-      // Allow .github (workflow security), skip other dot-dirs (editor/system config)
-      if (SKIP_DIRS.has(entry.name)) continue;
-      if (entry.name.startsWith('.') && entry.name !== '.github') continue;
+      if (SKIP_DIRS.has(entry.name) || entry.name.startsWith('.')) continue;
       collectFiles(fullPath, relPath, collected, totalSize);
     } else {
       const ext = path.extname(entry.name).toLowerCase();
       if (SKIP_EXTENSIONS.has(ext)) continue;
-      if (SKIP_FILES.has(entry.name.toLowerCase())) continue;
       try {
         const stat = fs.statSync(fullPath);
         if (stat.size > MAX_FILE_SIZE || stat.size === 0) continue;
@@ -924,10 +977,7 @@ async function scanRepo(url) {
   const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'agentaudit-'));
   const repoPath = path.join(tmpDir, 'repo');
   try {
-    execSync(`git clone --depth 1 "${url}" "${repoPath}"`, {
-      timeout: 30_000,
-      stdio: 'pipe',
-    });
+    safeGitClone(url, repoPath);
   } catch (err) {
     if (!jsonMode) {
       process.stdout.write(`  ${c.red}✖ clone failed${c.reset}\n`);
@@ -1437,9 +1487,7 @@ async function auditRepo(url) {
   const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'agentaudit-'));
   const repoPath = path.join(tmpDir, 'repo');
   try {
-    execSync(`git clone --depth 1 "${url}" "${repoPath}"`, {
-      timeout: 30_000, stdio: 'pipe',
-    });
+    safeGitClone(url, repoPath);
     console.log(` ${c.green}done${c.reset}`);
   } catch (err) {
     console.log(` ${c.red}failed${c.reset}`);
@@ -1449,161 +1497,62 @@ async function auditRepo(url) {
     return null;
   }
   
-  // Capture version + commit from cloned repo
-  let repoCommitSha = null;
-  let repoPackageVersion = null;
-  try { repoCommitSha = execSync('git rev-parse HEAD', { cwd: repoPath, stdio: 'pipe' }).toString().trim(); } catch {}
-  try {
-    const pkgPath = path.join(repoPath, 'package.json');
-    if (fs.existsSync(pkgPath)) {
-      repoPackageVersion = JSON.parse(fs.readFileSync(pkgPath, 'utf-8')).version || null;
-    }
-  } catch {}
-  
   // Step 2: Collect files
   process.stdout.write(`  ${c.dim}[2/4]${c.reset} Collecting source files...`);
-  const _collectMeta = { bytes: 0, truncated: false, skippedPaths: [] };
-  const files = collectFiles(repoPath, '', [], _collectMeta);
+  const files = collectFiles(repoPath);
   console.log(` ${c.green}${files.length} files${c.reset}`);
-  if (_collectMeta.truncated) {
-    console.log(`  ${c.yellow}⚠  Size limit reached (${(MAX_TOTAL_SIZE / 1000).toFixed(0)}KB) — ${_collectMeta.skippedPaths.length} files NOT collected:${c.reset}`);
-    const shown = _collectMeta.skippedPaths.slice(0, 5);
-    for (const p of shown) console.log(`  ${c.dim}    • ${p}${c.reset}`);
-    if (_collectMeta.skippedPaths.length > 5) console.log(`  ${c.dim}    ... and ${_collectMeta.skippedPaths.length - 5} more${c.reset}`);
-  }
-  
-  // Step 3: Resolve provider + model FIRST (needed for dynamic chunk sizing)
-  const anthropicKey = process.env.ANTHROPIC_API_KEY;
-  const openaiKey = process.env.OPENAI_API_KEY;
-  const openrouterKey = process.env.OPENROUTER_API_KEY;
-  const openrouterModel = process.env.OPENROUTER_MODEL || 'anthropic/claude-sonnet-4';
-  const providerFlag = process.argv.find(a => a.startsWith('--provider='))?.split('=')[1]?.toLowerCase()
-    || (process.argv.includes('--provider') ? process.argv[process.argv.indexOf('--provider') + 1]?.toLowerCase() : null);
-  const resolvedProvider = resolveProvider(providerFlag, { anthropicKey, openaiKey, openrouterKey });
-  // Determine actual model name
-  let actualModel;
-  if (!resolvedProvider) {
-    actualModel = 'unknown';
-  } else if (resolvedProvider.id === 'anthropic') {
-    actualModel = modelOverride || 'claude-sonnet-4-20250514';
-  } else if (resolvedProvider.id === 'openrouter') {
-    actualModel = modelOverride || process.env.OPENROUTER_MODEL || 'anthropic/claude-sonnet-4';
-  } else if (resolvedProvider.id === 'openai') {
-    actualModel = modelOverride || 'gpt-4o';
-  } else if (resolvedProvider.id === 'ollama') {
-    actualModel = modelOverride || resolvedProvider.model;
-  } else {
-    actualModel = modelOverride || resolvedProvider.model || 'unknown';
-  }
-
-  // Step 3b: Determine model context for dynamic chunk sizing
-  let modelContextTokens = 64_000; // conservative default
-  let outputTokenBudget = 4096;
   
-  if (resolvedProvider) {
-    if (resolvedProvider.id === 'openrouter') {
-      try {
-        const modelInfoRes = await fetch(`https://openrouter.ai/api/v1/models`, {
-          signal: AbortSignal.timeout(5000),
-          headers: { 'HTTP-Referer': 'https://agentaudit.dev' },
-        });
-        if (modelInfoRes.ok) {
-          const modelData = await modelInfoRes.json();
-          const modelInfo = modelData.data?.find(m => m.id === actualModel);
-          if (modelInfo?.context_length) {
-            modelContextTokens = modelInfo.context_length;
-          }
-        }
-      } catch { /* ignore — use default */ }
-    } else if (resolvedProvider.id === 'anthropic') {
-      modelContextTokens = 200_000;
-    } else if (resolvedProvider.id === 'openai') {
-      modelContextTokens = 128_000;
-    } else if (resolvedProvider.id === 'ollama') {
-      modelContextTokens = 32_000;
-    }
-  }
-  
-  outputTokenBudget = modelContextTokens >= 128_000 ? 8192 : modelContextTokens >= 64_000 ? 4096 : modelContextTokens >= 32_000 ? 2048 : 2048;
-  const dynamicChunkChars = Math.floor(modelContextTokens * 0.5 * 4);
-  const MAX_CHUNK_CHARS = Math.max(40_000, Math.min(dynamicChunkChars, 600_000));
-
-  // Step 3c: Build audit payload
+  // Step 3: Build audit payload
   process.stdout.write(`  ${c.dim}[3/4]${c.reset} Preparing audit payload...`);
   const auditPrompt = loadAuditPrompt();
-  // Sort files by directory to keep related files in the same chunk.
-  // This preserves cross-file context (imports, shared modules) within each pass.
-  const sortedFiles = [...files].sort((a, b) => {
-    const dirA = a.path.includes('/') ? a.path.substring(0, a.path.lastIndexOf('/')) : '';
-    const dirB = b.path.includes('/') ? b.path.substring(0, b.path.lastIndexOf('/')) : '';
-    return dirA.localeCompare(dirB) || a.path.localeCompare(b.path);
-  });
-  const chunks = []; // array of code block strings
-  const chunkFileNames = []; // track which files are in each chunk for error reporting
-  let currentChunk = '';
-  let currentChars = 0;
-  let currentFiles = [];
-  for (const file of sortedFiles) {
-    const entry = `\n### FILE: ${file.path}\n\`\`\`\n${file.content}\n\`\`\`\n`;
-    if (currentChars + entry.length > MAX_CHUNK_CHARS && currentChars > 0) {
-      chunks.push(currentChunk);
-      chunkFileNames.push([...currentFiles]);
-      currentFiles = [];
-      currentChunk = '';
-      currentChars = 0;
-    }
-    // If a single file exceeds chunk limit, truncate it
-    if (entry.length > MAX_CHUNK_CHARS) {
-      const truncContent = file.content.substring(0, MAX_CHUNK_CHARS - 200);
-      currentChunk += `\n### FILE: ${file.path}\n\`\`\`\n${truncContent}\n[... file truncated, ${file.content.length} chars total ...]\n\`\`\`\n`;
-      currentChars += MAX_CHUNK_CHARS;
-    } else {
-      currentChunk += entry;
-      currentChars += entry.length;
-    }
-    currentFiles.push(file.path);
-  }
-  if (currentChunk) { chunks.push(currentChunk); chunkFileNames.push([...currentFiles]); }
   
-  const needsMultiPass = chunks.length > 1;
-  if (needsMultiPass) {
-    console.log(` ${c.green}done${c.reset} ${c.yellow}(${chunks.length} passes needed — ${files.length} files across ${chunks.length} chunks)${c.reset}`);
-  } else {
-    console.log(` ${c.green}done${c.reset}`);
+  let codeBlock = '';
+  for (const file of files) {
+    codeBlock += `\n### FILE: ${file.path}\n\`\`\`\n${file.content}\n\`\`\`\n`;
   }
-  // For single-pass, use the only chunk as codeBlock
-  const codeBlock = chunks[0] || '';
+  console.log(` ${c.green}done${c.reset}`);
   
   // Step 4: LLM Analysis
-  const activeProvider = resolvedProvider?.label || null;
-  
-  if (!resolvedProvider) {
+  // Detect provider from environment variables (first match wins)
+  const activeLlm = LLM_PROVIDERS.find(p => process.env[p.key]);
+  const llmApiKey = activeLlm ? process.env[activeLlm.key] : null;
+  const activeProvider = activeLlm ? activeLlm.name : null;
+
+  // Model override: --model flag > AGENTAUDIT_MODEL env > credentials.json > provider default
+  const modelArgIdx = process.argv.indexOf('--model');
+  const modelFlag = modelArgIdx !== -1 ? process.argv[modelArgIdx + 1] : null;
+  const modelEnv = process.env.AGENTAUDIT_MODEL;
+  const modelConfig = loadLlmConfig()?.llm_model;
+  const modelOverride = modelFlag || modelEnv || modelConfig || null;
+  if (activeLlm && modelOverride) {
+    activeLlm.model = modelOverride;
+  }
+  
+  if (!activeLlm) {
     // No LLM API key — clear explanation
     console.log();
-    console.log(`  ${c.yellow}No LLM provider configured.${c.reset} The ${c.bold}audit${c.reset} command needs an LLM to analyze code.`);
+    console.log(`  ${c.yellow}No LLM API key found.${c.reset} The ${c.bold}audit${c.reset} command needs an LLM to analyze code.`);
     console.log();
-    console.log(`  ${c.bold}Option 1: Set an API key${c.reset} ${c.dim}(any one of these)${c.reset}`);
-    console.log(`  ${c.cyan}ANTHROPIC_API_KEY${c.reset}    Anthropic Claude ${c.dim}(recommended)${c.reset}`);
+    console.log(`  ${c.bold}Option 1: Set an API key${c.reset} (any one of these):`);
+    console.log(`  ${c.cyan}ANTHROPIC_API_KEY${c.reset}    Anthropic Claude`);
     console.log(`  ${c.cyan}OPENAI_API_KEY${c.reset}       OpenAI GPT-4o`);
-    console.log(`  ${c.cyan}OPENROUTER_API_KEY${c.reset}   OpenRouter ${c.dim}(200+ models)${c.reset}`);
-    console.log(`  ${c.cyan}OLLAMA_MODEL${c.reset}         Ollama ${c.dim}(local, free, set model name)${c.reset}`);
-    console.log(`  ${c.cyan}LLM_API_URL${c.reset}          Any OpenAI-compatible API ${c.dim}(+ LLM_API_KEY, LLM_MODEL)${c.reset}`);
+    console.log(`  ${c.cyan}GEMINI_API_KEY${c.reset}       Google Gemini`);
+    console.log(`  ${c.cyan}DEEPSEEK_API_KEY${c.reset}     DeepSeek`);
+    console.log(`  ${c.cyan}MISTRAL_API_KEY${c.reset}      Mistral`);
+    console.log(`  ${c.cyan}XAI_API_KEY${c.reset}          xAI Grok`);
+    console.log(`  ${c.cyan}GROQ_API_KEY${c.reset}         Groq`);
+    console.log(`  ${c.cyan}TOGETHER_API_KEY${c.reset}     Together AI`);
+    console.log(`  ${c.cyan}FIREWORKS_API_KEY${c.reset}    Fireworks AI`);
+    console.log(`  ${c.cyan}CEREBRAS_API_KEY${c.reset}     Cerebras`);
+    console.log(`  ${c.cyan}ZAI_API_KEY${c.reset}          Zhipu AI (GLM)`);
+    console.log(`  ${c.cyan}OPENROUTER_API_KEY${c.reset}   OpenRouter (any model)`);
     console.log();
-    console.log(`  ${c.dim}# Linux / macOS:${c.reset}`);
     console.log(`  ${c.dim}export ANTHROPIC_API_KEY=sk-ant-...${c.reset}`);
     console.log(`  ${c.dim}export OPENAI_API_KEY=sk-...${c.reset}`);
     console.log();
-    console.log(`  ${c.dim}# Windows (PowerShell):${c.reset}`);
-    console.log(`  ${c.dim}$env:ANTHROPIC_API_KEY = "sk-ant-..."${c.reset}`);
-    console.log(`  ${c.dim}$env:OPENAI_API_KEY = "sk-..."${c.reset}`);
-    console.log();
-    console.log(`  ${c.dim}# Windows (CMD):${c.reset}`);
-    console.log(`  ${c.dim}set ANTHROPIC_API_KEY=sk-ant-...${c.reset}`);
-    console.log(`  ${c.dim}set OPENAI_API_KEY=sk-...${c.reset}`);
-    console.log();
     console.log(`  ${c.bold}Option 2: Export for manual review${c.reset}`);
     console.log(`  ${c.cyan}agentaudit audit ${url} --export${c.reset}`);
-    console.log(`  ${c.dim}Creates a markdown file you can paste into any LLM (Claude, ChatGPT, etc.)${c.reset}`);
+    console.log(`  ${c.dim}Creates a markdown file you can paste into any LLM${c.reset}`);
     console.log();
     console.log(`  ${c.bold}Option 3: Use MCP in Claude/Cursor/Windsurf (no API key needed)${c.reset}`);
     console.log(`  ${c.dim}Add AgentAudit as MCP server — your editor's agent runs the audit using its own LLM.${c.reset}`);
@@ -1643,319 +1592,181 @@ async function auditRepo(url) {
     return null;
   }
   
-  // actualModel already resolved in Step 3
-  
-  // ── LLM call helper (reused for multi-pass) ──
-  async function callLLM(codeContent, passLabel) {
-    const systemPrompt = auditPrompt || 'You are a security auditor. Analyze the code and report findings as JSON.';
-    const userMessage = [
-      `Audit this package: **${slug}** (${url})`,
-      ``,
-      `After analysis, respond with ONLY a valid JSON object. No markdown fences, no explanation, no text before or after. Just the raw JSON:`,
-      `{ "skill_slug": "${slug}", "source_url": "${url}", "package_type": "<mcp-server|agent-skill|library|cli-tool>",`,
-      `  "risk_score": <0-100>, "result": "<safe|caution|unsafe>", "max_severity": "<none|low|medium|high|critical>",`,
-      `  "findings_count": <n>, "findings": [{ "id": "...", "title": "...", "severity": "...", "category": "...",`,
-      `  "description": "...", "file": "...", "line": <n>, "remediation": "...", "confidence": "...", "is_by_design": false }] }`,
-      ``,
-      `## Source Code`,
-      codeContent,
-    ].join('\n');
-    
-    let _lastLlmText = '';
-    let result = null;
-    let meta = {};
-    
-    try {
-      if (resolvedProvider.id === 'anthropic') {
-        const res = await fetch('https://api.anthropic.com/v1/messages', {
-          method: 'POST',
-          headers: {
-            'x-api-key': resolvedProvider.key,
-            'anthropic-version': '2023-06-01',
-            'content-type': 'application/json',
-          },
-          body: JSON.stringify({
-            model: modelOverride || 'claude-sonnet-4-20250514',
-            max_tokens: outputTokenBudget,
-            system: systemPrompt,
-            messages: [{ role: 'user', content: userMessage }],
-          }),
-          signal: AbortSignal.timeout(llmTimeoutMs || 180_000),
-        });
-        const data = await res.json();
-        if (data.error) {
-          return { error: data.error.message || JSON.stringify(data.error) };
-        }
-        const text = data.content?.[0]?.text || '';
-        _lastLlmText = text;
-        result = extractJSON(text);
-        meta = {
-          provider_msg_id: data.id || null,
-          input_tokens: data.usage?.input_tokens || null,
-          output_tokens: data.usage?.output_tokens || null,
-          reported_model: data.model || null,
-        };
-      } else {
-        let apiUrl, modelName, authHeaders;
-        switch (resolvedProvider.id) {
-          case 'openrouter':
-            apiUrl = 'https://openrouter.ai/api/v1/chat/completions';
-            modelName = modelOverride || process.env.OPENROUTER_MODEL || 'anthropic/claude-sonnet-4';
-            authHeaders = { 'Authorization': `Bearer ${resolvedProvider.key}`, 'HTTP-Referer': 'https://agentaudit.dev', 'X-Title': 'AgentAudit' };
-            break;
-          case 'ollama':
-            apiUrl = `${resolvedProvider.host}/v1/chat/completions`;
-            modelName = modelOverride || resolvedProvider.model;
-            authHeaders = {};
-            break;
-          case 'custom':
-            apiUrl = resolvedProvider.url.endsWith('/chat/completions') ? resolvedProvider.url : `${resolvedProvider.url.replace(/\/$/, '')}/chat/completions`;
-            modelName = modelOverride || resolvedProvider.model;
-            authHeaders = resolvedProvider.key ? { 'Authorization': `Bearer ${resolvedProvider.key}` } : {};
-            break;
-          default:
-            apiUrl = 'https://api.openai.com/v1/chat/completions';
-            modelName = modelOverride || 'gpt-4o';
-            authHeaders = { 'Authorization': `Bearer ${resolvedProvider.key}` };
-        }
+  // We have an API key — run LLM audit
+  const modelLabel = modelOverride ? `${activeProvider} → ${activeLlm.model}` : activeProvider;
+  process.stdout.write(`  ${c.dim}[4/4]${c.reset} Running LLM analysis ${c.dim}(${modelLabel})${c.reset}...`);
+
+  const systemPrompt = auditPrompt || 'You are a security auditor. Analyze the code and report findings as JSON.';
+  const userMessage = [
+    `Audit this package: **${slug}** (${url})`,
+    ``,
+    `After analysis, respond with ONLY a valid JSON object. No markdown fences, no explanation, no text before or after. Just the raw JSON:`,
+    `{ "skill_slug": "${slug}", "source_url": "${url}", "package_type": "<mcp-server|agent-skill|library|cli-tool>",`,
+    `  "risk_score": <0-100>, "result": "<safe|caution|unsafe>", "max_severity": "<none|low|medium|high|critical>",`,
+    `  "findings_count": <n>, "findings": [{ "id": "...", "title": "...", "severity": "...", "category": "...",`,
+    `  "description": "...", "file": "...", "line": <n>, "remediation": "...", "confidence": "...", "is_by_design": false }] }`,
+    ``,
+    `## Source Code`,
+    codeBlock,
+  ].join('\n');
 
-        const res = await fetch(apiUrl, {
-          method: 'POST',
-          headers: { 'Content-Type': 'application/json', ...authHeaders },
-          body: JSON.stringify({
-            model: modelName,
-            max_tokens: outputTokenBudget,
-            messages: [
-              { role: 'system', content: systemPrompt },
-              { role: 'user', content: userMessage },
-            ],
-          }),
-          signal: AbortSignal.timeout(llmTimeoutMs || (resolvedProvider.id === 'ollama' ? 300_000 : 180_000)),
-        });
-        const data = await res.json();
-        if (data.error) {
-          return { error: data.error.message || JSON.stringify(data.error) };
-        }
-        const text = data.choices?.[0]?.message?.content || '';
-        _lastLlmText = text;
-        result = extractJSON(text);
-        meta = {
-          provider_msg_id: data.id || null,
-          provider_fingerprint: data.system_fingerprint || null,
-          input_tokens: data.usage?.prompt_tokens || null,
-          output_tokens: data.usage?.completion_tokens || null,
-          reported_model: data.model || null,
-        };
-      }
-    } catch (err) {
-      return { error: err.message };
-    }
-    
-    return { report: result, meta, rawText: _lastLlmText };
-  }
-
-  // ── Run LLM analysis (single or multi-pass) ──
   let report = null;
-  let providerMeta = {};
   let _lastLlmText = '';
-  
-  if (needsMultiPass) {
-    // Multi-pass: analyze each chunk, merge findings
-    console.log(`  ${c.dim}[4/4]${c.reset} Running LLM analysis ${c.dim}(${resolvedProvider.id}: ${actualModel})${c.reset} — ${c.yellow}${chunks.length} passes${c.reset}`);
-    const allFindings = [];
-    let totalInput = 0, totalOutput = 0;
-    let lastMeta = {};
-    let baseReport = null;
-    
-    for (let i = 0; i < chunks.length; i++) {
-      process.stdout.write(`  ${c.dim}  Pass ${i + 1}/${chunks.length}...${c.reset}`);
-      const passStart = Date.now();
-      const result = await callLLM(chunks[i], `pass ${i + 1}`);
-      
-      if (result.error) {
-        const failedFiles = chunkFileNames[i] || [];
-        console.log(` ${c.red}failed${c.reset} ${c.dim}(${result.error.slice(0, 80)})${c.reset}`);
-        if (failedFiles.length > 0) {
-          console.log(`  ${c.yellow}⚠  ${failedFiles.length} files NOT analyzed:${c.reset} ${c.dim}${failedFiles.slice(0, 5).join(', ')}${failedFiles.length > 5 ? ` (+${failedFiles.length - 5} more)` : ''}${c.reset}`);
+
+  try {
+    let data;
+    if (activeLlm.type === 'anthropic') {
+      // Anthropic Messages API (unique format)
+      const res = await fetch(activeLlm.url, {
+        method: 'POST',
+        headers: {
+          'x-api-key': llmApiKey,
+          'anthropic-version': '2023-06-01',
+          'content-type': 'application/json',
+        },
+        body: JSON.stringify({
+          model: activeLlm.model,
+          max_tokens: 8192,
+          system: systemPrompt,
+          messages: [{ role: 'user', content: userMessage }],
+        }),
+        signal: AbortSignal.timeout(120_000),
+      });
+      data = await res.json();
+      if (data.error) {
+        console.log(` ${c.red}failed${c.reset}`);
+        const friendly = formatApiError(data.error, activeLlm.provider, res.status);
+        if (friendly) {
+          console.log(`  ${c.red}${friendly.text}${c.reset}`);
+          console.log(`  ${c.dim}${friendly.hint}${c.reset}`);
+        } else {
+          console.log(`  ${c.red}API error: ${data.error.message || JSON.stringify(data.error)}${c.reset}`);
         }
-        continue;
-      }
-      
-      if (!result.report) {
-        console.log(` ${c.yellow}no findings (empty/unparseable)${c.reset}`);
-        _lastLlmText = result.rawText || '';
-        continue;
+        try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
+        return null;
       }
-      
-      const passElapsed = ((Date.now() - passStart) / 1000).toFixed(1);
-      const passFindings = result.report.findings?.length || 0;
-      console.log(` ${c.green}done${c.reset} ${c.dim}(${passElapsed}s, ${passFindings} findings)${c.reset}`);
-      
-      if (!baseReport) baseReport = result.report;
-      if (result.report.findings) allFindings.push(...result.report.findings);
-      lastMeta = result.meta;
-      totalInput += result.meta.input_tokens || 0;
-      totalOutput += result.meta.output_tokens || 0;
-    }
-    
-    if (!baseReport) {
-      console.log(`  ${c.red}✖ All passes failed to produce a report${c.reset}`);
-      try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
-      return null;
-    }
-    
-    // Merge: deduplicate findings by title+file, recalculate risk score
-    const seen = new Set();
-    const mergedFindings = [];
-    for (const f of allFindings) {
-      const key = `${f.title}::${f.file || ''}`;
-      if (!seen.has(key)) {
-        seen.add(key);
-        mergedFindings.push(f);
+      _lastLlmText = data.content?.[0]?.text || '';
+      report = extractJSON(_lastLlmText);
+      if (report) {
+        report.audit_model = data.model || activeLlm.model;
+        report.audit_provider = activeLlm.provider;
+        if (data.id) report.provider_msg_id = data.id;
+        if (data.usage) {
+          report.input_tokens = data.usage.input_tokens;
+          report.output_tokens = data.usage.output_tokens;
+        }
       }
-    }
-    
-    // Recalculate severity-based risk
-    const sevWeights = { critical: 25, high: 15, medium: 5, low: 1 };
-    const mergedRisk = Math.min(100, mergedFindings.reduce((s, f) => s + (sevWeights[f.severity] || 0), 0));
-    const maxSev = mergedFindings.length === 0 ? 'none' : 
-      mergedFindings.some(f => f.severity === 'critical') ? 'critical' :
-      mergedFindings.some(f => f.severity === 'high') ? 'high' :
-      mergedFindings.some(f => f.severity === 'medium') ? 'medium' : 'low';
-    
-    report = {
-      ...baseReport,
-      findings: mergedFindings,
-      findings_count: mergedFindings.length,
-      risk_score: mergedRisk,
-      result: mergedRisk === 0 ? 'safe' : mergedRisk <= 20 ? 'caution' : 'unsafe',
-      max_severity: maxSev,
-    };
-    providerMeta = { ...lastMeta, input_tokens: totalInput || null, output_tokens: totalOutput || null };
-    
-    console.log(`  ${c.dim}  Merged: ${mergedFindings.length} unique findings from ${chunks.length} passes${c.reset}`);
-    
-    // ── Cross-file correlation pass ──
-    // Build lightweight import/export map and ask LLM to check for multi-file attack patterns
-    // that individual chunk passes couldn't detect (e.g., credential read in file A + exfil in file B)
-    process.stdout.write(`  ${c.dim}  Cross-file correlation...${c.reset}`);
-    try {
-      const importMap = sortedFiles.map(f => {
-        const imports = [];
-        const exports = [];
-        // JS/TS imports
-        for (const m of f.content.matchAll(/(?:import|require)\s*\(?['"]([^'"]+)['"]\)?/g)) imports.push(m[1]);
-        for (const m of f.content.matchAll(/(?:from)\s+['"]([^'"]+)['"]/g)) imports.push(m[1]);
-        // Python imports
-        for (const m of f.content.matchAll(/(?:from|import)\s+([\w.]+)/g)) imports.push(m[1]);
-        // Exports
-        for (const m of f.content.matchAll(/(?:module\.exports|export\s+(?:default\s+)?(?:function|class|const|let|var)\s+)(\w+)/g)) exports.push(m[1]);
-        // Dangerous function calls (brief)
-        const dangerousCalls = [];
-        if (/\b(?:exec|spawn|execSync|system|eval|Function)\s*\(/.test(f.content)) dangerousCalls.push('exec/eval');
-        if (/\b(?:fetch|https?\.request|axios|got)\s*\(/.test(f.content)) dangerousCalls.push('network');
-        if (/\b(?:readFile|writeFile|createReadStream|open)\s*\(/.test(f.content)) dangerousCalls.push('fs');
-        if (/process\.env|os\.environ|getenv/.test(f.content)) dangerousCalls.push('env-read');
-        return { path: f.path, imports: [...new Set(imports)].slice(0, 10), exports: exports.slice(0, 10), calls: dangerousCalls };
-      }).filter(f => f.imports.length > 0 || f.exports.length > 0 || f.calls.length > 0);
-      
-      if (importMap.length > 2) {
-        const correlationPrompt = [
-          `You previously analyzed ${chunks.length} code chunks from package "${slug}" (${url}).`,
-          `Here is a cross-file map showing imports, exports, and dangerous function calls.`,
-          `Check for MULTI-FILE ATTACK PATTERNS that individual chunk analysis could miss:`,
-          `- File A reads credentials/env → File B sends them to network (credential exfiltration pipeline)`,
-          `- File A defines a function with exec/eval → File B calls it with user input (indirect RCE)`,
-          `- Config file grants broad permissions → Code file exploits them`,
-          `- Install hook in scripts/ triggers code in src/ that exfiltrates data`,
-          ``,
-          `Respond with ONLY a JSON object: { "cross_file_findings": [...] } where each finding has:`,
-          `{ "title": "...", "severity": "...", "description": "...", "file": "...", "confidence": "...", "pattern_id": "CORR_001", "remediation": "..." }`,
-          `If no cross-file issues found, respond: { "cross_file_findings": [] }`,
-          ``,
-          `## File Map`,
-          JSON.stringify(importMap, null, 2),
-        ].join('\n');
-        
-        const corrResult = await callLLM(correlationPrompt, 'correlation');
-        if (corrResult.report?.cross_file_findings?.length > 0) {
-          const corrFindings = corrResult.report.cross_file_findings;
-          for (const f of corrFindings) {
-            const key = `${f.title}::${f.file || ''}`;
-            if (!seen.has(key)) {
-              seen.add(key);
-              mergedFindings.push(f);
-            }
-          }
-          console.log(` ${c.yellow}${corrFindings.length} cross-file issues found${c.reset}`);
-          // Re-merge into report
-          const newRisk = Math.min(100, mergedFindings.reduce((s, f) => s + (sevWeights[f.severity] || 0), 0));
-          report.findings = mergedFindings;
-          report.findings_count = mergedFindings.length;
-          report.risk_score = newRisk;
-          report.result = newRisk === 0 ? 'safe' : newRisk <= 20 ? 'caution' : 'unsafe';
-          totalInput += corrResult.meta?.input_tokens || 0;
-          totalOutput += corrResult.meta?.output_tokens || 0;
-          providerMeta = { ...providerMeta, input_tokens: totalInput || null, output_tokens: totalOutput || null };
+    } else if (activeLlm.type === 'gemini') {
+      // Google Gemini API (unique format)
+      const res = await fetch(`${activeLlm.url}/${activeLlm.model}:generateContent?key=${llmApiKey}`, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          systemInstruction: { parts: [{ text: systemPrompt }] },
+          contents: [{ role: 'user', parts: [{ text: userMessage }] }],
+          generationConfig: { maxOutputTokens: 8192 },
+        }),
+        signal: AbortSignal.timeout(120_000),
+      });
+      data = await res.json();
+      if (data.error) {
+        console.log(` ${c.red}failed${c.reset}`);
+        const friendly = formatApiError(data.error, activeLlm.provider, res.status);
+        if (friendly) {
+          console.log(`  ${c.red}${friendly.text}${c.reset}`);
+          console.log(`  ${c.dim}${friendly.hint}${c.reset}`);
         } else {
-          console.log(` ${c.green}clean${c.reset}`);
+          console.log(`  ${c.red}API error: ${data.error.message || JSON.stringify(data.error)}${c.reset}`);
         }
-      } else {
-        console.log(` ${c.dim}skipped (too few files with imports)${c.reset}`);
+        try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
+        return null;
       }
-    } catch (corrErr) {
-      console.log(` ${c.dim}skipped (${corrErr.message?.slice(0, 40)})${c.reset}`);
-    }
-    
-    console.log(` ${c.green}done${c.reset} ${c.dim}(${elapsed(start)})${c.reset}`);
-  } else {
-    // Single-pass (original flow)
-    process.stdout.write(`  ${c.dim}[4/4]${c.reset} Running LLM analysis ${c.dim}(${resolvedProvider.id}: ${actualModel})${c.reset}...`);
-    const result = await callLLM(codeBlock);
-    
-    if (result.error) {
-      console.log(` ${c.red}failed${c.reset}`);
-      const errMsg = result.error;
-      console.log(`  ${c.red}API error: ${errMsg}${c.reset}`);
-      if (/abort|timeout/i.test(errMsg)) {
-        const currentTimeout = llmTimeoutMs ? (llmTimeoutMs / 1000) : 180;
-        console.log(`  ${c.dim}The model took longer than ${currentTimeout}s to respond.${c.reset}`);
-        console.log(`  ${c.dim}Try increasing the timeout: --timeout 300 (or --timeout 600 for reasoning models)${c.reset}`);
-        console.log(`  ${c.dim}You can also set AGENTAUDIT_TIMEOUT=300 as environment variable.${c.reset}`);
+      _lastLlmText = data.candidates?.[0]?.content?.parts?.[0]?.text || '';
+      report = extractJSON(_lastLlmText);
+      if (report) {
+        report.audit_model = data.modelVersion || activeLlm.model;
+        report.audit_provider = activeLlm.provider;
+        if (data.usageMetadata) {
+          report.input_tokens = data.usageMetadata.promptTokenCount;
+          report.output_tokens = data.usageMetadata.candidatesTokenCount;
+        }
+      }
+    } else {
+      // OpenAI-compatible API (OpenAI, Mistral, Groq, OpenRouter, etc.)
+      const headers = {
+        'Authorization': `Bearer ${llmApiKey}`,
+        'Content-Type': 'application/json',
+      };
+      // OpenRouter requires additional headers
+      if (activeLlm.provider === 'openrouter') {
+        headers['HTTP-Referer'] = 'https://agentaudit.dev';
+        headers['X-Title'] = 'AgentAudit CLI';
+      }
+      const res = await fetch(activeLlm.url, {
+        method: 'POST',
+        headers,
+        body: JSON.stringify({
+          model: activeLlm.model,
+          max_tokens: 8192,
+          messages: [
+            { role: 'system', content: systemPrompt },
+            { role: 'user', content: userMessage },
+          ],
+        }),
+        signal: AbortSignal.timeout(120_000),
+      });
+      data = await res.json();
+      if (data.error) {
+        console.log(` ${c.red}failed${c.reset}`);
+        const friendly = formatApiError(data.error, activeLlm.provider, res.status);
+        if (friendly) {
+          console.log(`  ${c.red}${friendly.text}${c.reset}`);
+          console.log(`  ${c.dim}${friendly.hint}${c.reset}`);
+        } else {
+          console.log(`  ${c.red}API error: ${data.error.message || JSON.stringify(data.error)}${c.reset}`);
+        }
+        try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
+        return null;
       }
-      if (/context.length|maximum.*tokens|too.many.tokens/i.test(errMsg)) {
-        console.log(`  ${c.dim}This model's context window is too small for this repository.${c.reset}`);
-        console.log(`  ${c.dim}Try a model with a larger context: --model anthropic/claude-sonnet-4 (200k) or --model openai/gpt-4o (128k)${c.reset}`);
+      _lastLlmText = data.choices?.[0]?.message?.content || '';
+      report = extractJSON(_lastLlmText);
+      if (report) {
+        report.audit_model = data.model || activeLlm.model;
+        report.audit_provider = activeLlm.provider;
+        if (data.id) report.provider_msg_id = data.id;
+        if (data.system_fingerprint) report.provider_fingerprint = data.system_fingerprint;
+        if (data.usage) {
+          report.input_tokens = data.usage.prompt_tokens;
+          report.output_tokens = data.usage.completion_tokens;
+        }
       }
-      try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
-      return null;
     }
     
-    report = result.report;
-    providerMeta = result.meta;
-    _lastLlmText = result.rawText || '';
     console.log(` ${c.green}done${c.reset} ${c.dim}(${elapsed(start)})${c.reset}`);
+  } catch (err) {
+    console.log(` ${c.red}failed${c.reset}`);
+    if (err.name === 'TimeoutError' || err.message?.includes('timeout')) {
+      console.log(`  ${c.red}Request timed out (120s)${c.reset}`);
+      console.log(`  ${c.dim}The provider took too long to respond. Try again or use a faster model${c.reset}`);
+    } else if (err.code === 'ENOTFOUND' || err.code === 'ECONNREFUSED' || err.message?.includes('fetch failed')) {
+      console.log(`  ${c.red}Network error: could not reach ${activeProvider}${c.reset}`);
+      console.log(`  ${c.dim}Check your internet connection or provider status${c.reset}`);
+    } else {
+      console.log(`  ${c.red}${err.message}${c.reset}`);
+    }
+    try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
+    return null;
   }
   
   // Cleanup repo
   try { fs.rmSync(tmpDir, { recursive: true, force: true }); } catch {}
   
   if (!report) {
-    const rawLen = typeof _lastLlmText === 'string' ? _lastLlmText.length : 0;
-    if (rawLen === 0) {
-      console.log(`  ${c.red}✖ Model returned an empty response${c.reset}`);
-      console.log(`  ${c.dim}This model may not support structured JSON output or the prompt was too large.${c.reset}`);
-      console.log(`  ${c.dim}Try a different model: --model anthropic/claude-sonnet-4 or --model openai/gpt-4o${c.reset}`);
-    } else {
-      console.log(`  ${c.red}✖ Could not parse LLM response as JSON${c.reset}`);
-      console.log(`  ${c.dim}The model returned ${rawLen} chars but not valid JSON. Try a stronger model.${c.reset}`);
-      if (!process.argv.includes('--debug')) {
-        console.log(`  ${c.dim}Hint: run with --debug to see the raw LLM response${c.reset}`);
-      }
-    }
-    if (process.argv.includes('--debug') && rawLen > 0) {
+    console.log(`  ${c.red}Could not parse LLM response as JSON${c.reset}`);
+    console.log(`  ${c.dim}Hint: run with --debug to see the raw LLM response${c.reset}`);
+    if (process.argv.includes('--debug')) {
       console.log(`  ${c.dim}--- Raw LLM response (first 2000 chars) ---${c.reset}`);
-      console.log(_lastLlmText.slice(0, 2000));
+      console.log((typeof _lastLlmText === 'string' ? _lastLlmText : '(empty)').slice(0, 2000));
       console.log(`  ${c.dim}--- end ---${c.reset}`);
     }
     return null;
@@ -1963,19 +1774,8 @@ async function auditRepo(url) {
   
   // Display results
   console.log();
-  // Always recalculate risk_score from findings severities (never trust LLM's score)
-  const _sevW = { critical: 25, high: 15, medium: 5, low: 1 };
-  const recalcRisk = report.findings && report.findings.length > 0
-    ? Math.min(100, report.findings.reduce((s, f) => s + (_sevW[f.severity] || 0), 0))
-    : 0;
-  report.risk_score = recalcRisk;
-  report.result = recalcRisk === 0 ? 'safe' : recalcRisk <= 20 ? 'caution' : 'unsafe';
-  const riskScore = recalcRisk;
-  const trustScore = 100 - riskScore;
-  const trustColor = trustScore >= 70 ? c.green : trustScore >= 40 ? c.yellow : c.red;
-  const trustLabel = trustScore >= 70 ? 'SAFE' : trustScore >= 40 ? 'CAUTION' : 'UNSAFE';
-  console.log(`  ${trustColor}${c.bold}${trustLabel}${c.reset}  ${trustColor}Trust Score: ${trustScore}/100${c.reset}  ${c.dim}(Risk: ${riskScore}/100)${c.reset}`);
-  console.log(`  ${c.dim}Model: ${resolvedProvider.id}/${actualModel}  Duration: ${elapsed(start)}${c.reset}`);
+  const riskScore = report.risk_score || 0;
+  console.log(`  ${riskBadge(riskScore)} Risk ${riskScore}/100  ${c.bold}${report.result || 'unknown'}${c.reset}`);
   console.log();
   
   if (report.findings && report.findings.length > 0) {
@@ -1995,17 +1795,6 @@ async function auditRepo(url) {
   
   // Upload to registry
   const creds = loadCredentials();
-  const finalModel = providerMeta.reported_model || actualModel;
-  const finalProvider = resolvedProvider.id;
-  if (!finalModel || finalModel === 'unknown') {
-    console.log(`  ${c.yellow}⚠  Model not detected — report will not include model attestation.${c.reset}`);
-    console.log(`  ${c.dim}   This usually means the LLM API did not return model info.${c.reset}`);
-    console.log(`  ${c.dim}   Try: agentaudit config set model <model-name>${c.reset}`);
-    if (process.argv.includes('--debug')) {
-      console.log(`  ${c.dim}   providerMeta: ${JSON.stringify(providerMeta)}${c.reset}`);
-      console.log(`  ${c.dim}   actualModel: ${actualModel}, resolvedProvider: ${resolvedProvider.id}${c.reset}`);
-    }
-  }
   if (creds) {
     process.stdout.write(`  Uploading report to registry...`);
     try {
@@ -2015,83 +1804,18 @@ async function auditRepo(url) {
           'Authorization': `Bearer ${creds.api_key}`,
           'Content-Type': 'application/json',
         },
-        body: JSON.stringify({
-          ...report,
-          commit_sha: report.commit_sha || repoCommitSha || undefined,
-          package_version: report.package_version || repoPackageVersion || undefined,
-          audit_model: finalModel !== 'unknown' ? finalModel : undefined,
-          audit_provider: finalProvider,
-          provider_msg_id: providerMeta.provider_msg_id || undefined,
-          provider_fingerprint: providerMeta.provider_fingerprint || undefined,
-          input_tokens: providerMeta.input_tokens || undefined,
-          output_tokens: providerMeta.output_tokens || undefined,
-          audit_duration_ms: Date.now() - start,
-          files_scanned: files.length,
-        }),
+        body: JSON.stringify(report),
         signal: AbortSignal.timeout(15_000),
       });
       if (res.ok) {
         const data = await res.json();
-        const reportSlug = data?.skill_slug || data?.slug || slug;
         console.log(` ${c.green}done${c.reset}`);
-        console.log(`  ${c.dim}Report: ${REGISTRY_URL}/skills/${reportSlug}${c.reset}`);
-        // Show API warnings
-        if (data?.warnings?.length) {
-          for (const w of data.warnings) {
-            console.log(`  ${c.yellow}⚠  ${w}${c.reset}`);
-          }
-        }
-        // Refresh stats cache in background
-        if (creds.agent_name) refreshStatsCache(creds.agent_name).catch(() => {});
-        // Fetch registry consensus after upload
-        try {
-          const regData = await checkRegistry(reportSlug);
-          if (regData) {
-            const regRisk = regData.latest_risk_score ?? regData.risk_score ?? 0;
-            const regTrust = regData.trust_score ?? (100 - regRisk);
-            const totalReports = regData.total_reports ?? 1;
-            const uniqueAgents = regData.unique_agents ?? 1;
-            const confidence = regData.confidence ?? 'unverified';
-            const totalFindings = regData.total_findings ?? 0;
-            const hasOfficial = regData.has_official_audit;
-
-            // Show registry consensus if different from own report or multiple reports exist
-            if (totalReports > 1 || regRisk !== report.risk_score) {
-              console.log();
-              console.log(`  ${c.bold}Registry Consensus${c.reset}`);
-              const trustColor = regTrust >= 70 ? c.green : regTrust >= 40 ? c.yellow : c.red;
-              const trustLabel = regTrust >= 70 ? 'SAFE' : regTrust >= 40 ? 'CAUTION' : 'UNSAFE';
-              console.log(`  ${trustColor}${c.bold}${trustLabel}${c.reset}  Trust Score: ${trustColor}${regTrust}/100${c.reset}  ${c.dim}(across ${totalReports} reports from ${uniqueAgents} auditor${uniqueAgents !== 1 ? 's' : ''})${c.reset}`);
-              if (totalFindings > 0) {
-                console.log(`  ${c.dim}Total findings across all reports: ${totalFindings}${c.reset}`);
-              }
-              const confDisplay = {
-                consensus: { icon: '🟢', label: 'Consensus Certified', color: c.green },
-                verified: { icon: '🟢', label: 'Verified', color: c.green },
-                low: { icon: '🟡', label: 'Low Confidence', color: c.yellow },
-                unverified: { icon: '🔴', label: 'Unverified', color: c.yellow },
-              }[confidence] || { icon: '⚪', label: confidence, color: c.dim };
-              console.log(`  ${confDisplay.icon}  ${confDisplay.color}${confDisplay.label}${c.reset}`);
-              if (hasOfficial) console.log(`  ${c.green}✔ Officially audited${c.reset}`);
-
-              // Warn if own report disagrees with consensus
-              const ownRisk = report.risk_score || 0;
-              if (Math.abs(ownRisk - regRisk) > 10) {
-                console.log();
-                console.log(`  ${c.yellow}⚠  Your audit (risk ${ownRisk}) differs from registry consensus (risk ${regRisk}).${c.reset}`);
-                console.log(`  ${c.dim}   This may indicate model-specific blind spots or a changing codebase.${c.reset}`);
-              }
-            }
-          }
-        } catch {}
+        console.log(`  ${c.dim}Report: ${REGISTRY_URL}/skills/${slug}${c.reset}`);
       } else {
-        const errBody = await res.text().catch(() => '');
         console.log(` ${c.yellow}failed (HTTP ${res.status})${c.reset}`);
-        if (process.argv.includes('--debug')) console.log(`  ${c.dim}Response: ${errBody.slice(0, 500)}${c.reset}`);
       }
     } catch (err) {
       console.log(` ${c.yellow}failed${c.reset}`);
-      if (process.argv.includes('--debug')) console.log(`  ${c.dim}Error: ${err.message}${c.reset}`);
     }
   } else {
     console.log(`  ${c.dim}Run ${c.cyan}agentaudit setup${c.dim} to upload reports to the registry${c.reset}`);
@@ -2103,89 +1827,28 @@ async function auditRepo(url) {
 
 // ── Check command ───────────────────────────────────────
 
-async function checkPackage(name, { autoAudit = false } = {}) {
-  // Derive slug from URL for registry lookup (URLs won't match as-is)
-  const slug = (name.includes('github.com') || name.includes('://')) ? slugFromUrl(name) : name.toLowerCase();
+async function checkPackage(name) {
   if (!jsonMode) {
     console.log(`${icons.info}  Looking up ${c.bold}${name}${c.reset} in registry...`);
     console.log();
   }
   
-  const data = await checkRegistry(slug);
+  const data = await checkRegistry(name);
   if (!data) {
     if (!jsonMode) {
-      // Auto-audit: only when called from 'check' command AND input looks like a URL
-      if (autoAudit && (name.includes('github.com') || name.includes('://'))) {
-        console.log(`  ${c.yellow}Not found in registry.${c.reset}`);
-        console.log(`  ${c.dim}Starting audit for ${name}...${c.reset}`);
-        console.log();
-        return await auditRepo(name);
-      }
-      console.log(`  ${c.yellow}✖  Not found${c.reset} — "${name}" hasn't been audited yet.`);
-      console.log();
-      console.log(`  ${c.dim}Next steps:${c.reset}`);
-      console.log(`    ${c.cyan}agentaudit check <repo-url>${c.reset}    ${c.dim}Auto-lookup + audit if not found${c.reset}`);
-      console.log(`    ${c.cyan}agentaudit audit <repo-url>${c.reset}    ${c.dim}Deep LLM audit${c.reset}`);
-      console.log(`    ${c.cyan}agentaudit scan <repo-url>${c.reset}     ${c.dim}Quick static check (no API key)${c.reset}`);
+      console.log(`  ${c.yellow}Not found${c.reset} — package "${name}" hasn't been audited yet.`);
+      console.log(`  ${c.dim}Run: agentaudit audit <repo-url> for a deep LLM audit${c.reset}`);
     }
     return null;
   }
   
   if (!jsonMode) {
     const riskScore = data.risk_score ?? data.latest_risk_score ?? 0;
-    const trustScore = data.trust_score ?? (100 - riskScore);
-    const totalFindings = data.total_findings ?? 0;
-    const totalReports = data.total_reports ?? 0;
-
-    // Package name + verdict
-    console.log(`  ${c.bold}${data.display_name || name}${c.reset}  ${riskBadge(riskScore)}`);
-    if (data.description) console.log(`  ${c.dim}${data.description}${c.reset}`);
-    console.log();
-
-    // Trust Score (the main metric)
-    const trustColor = trustScore >= 70 ? c.green : trustScore >= 40 ? c.yellow : c.red;
-    const trustLabel = trustScore >= 70 ? 'SAFE' : trustScore >= 40 ? 'CAUTION' : 'UNSAFE';
-    console.log(`  ${trustColor}${c.bold}${trustLabel}${c.reset}  ${trustColor}Trust Score: ${trustScore}/100${c.reset}  ${c.dim}(Risk: ${riskScore}/100)${c.reset}`);
-
-    // Findings summary
-    if (totalFindings > 0) {
-      const maxSev = data.latest_max_severity;
-      const sevStr = maxSev ? `max severity: ${severityColor(maxSev)}${maxSev}${c.reset}` : '';
-      console.log(`  ${c.dim}Findings: ${totalFindings}${sevStr ? ` (${sevStr}${c.dim})` : ''}${c.reset}`);
-    } else {
-      console.log(`  ${c.dim}Findings: 0 (clean)${c.reset}`);
-    }
-
-    // Consensus / Confidence
-    const uniqueAgents = data.unique_agents ?? 0;
-    const confidence = data.confidence ?? 'unverified';
-    const confidenceDisplay = {
-      consensus: { icon: '🟢', label: 'Consensus Certified', color: c.green, desc: `${totalReports} reports from ${uniqueAgents} independent auditors agree` },
-      verified: { icon: '🟢', label: 'Verified', color: c.green, desc: `${totalReports} reports from ${uniqueAgents} auditors` },
-      low: { icon: '🟡', label: 'Low Confidence', color: c.yellow, desc: `${totalReports} reports but ${uniqueAgents <= 1 ? 'only 1 auditor' : `only ${uniqueAgents} auditors`}` },
-      unverified: { icon: '🔴', label: 'Unverified', color: c.yellow, desc: 'Single audit, no independent confirmation' },
-    }[confidence] || { icon: '⚪', label: confidence, color: c.dim, desc: '' };
-    console.log(`  ${confidenceDisplay.icon}  ${confidenceDisplay.color}${confidenceDisplay.label}${c.reset}  ${c.dim}${confidenceDisplay.desc}${c.reset}`);
-
-    // Audit info
-    console.log(`  ${c.dim}Reports: ${totalReports} | Auditors: ${uniqueAgents} | Last: ${data.last_audited_at ? new Date(data.last_audited_at).toLocaleDateString() : 'unknown'}${c.reset}`);
+    console.log(`  ${c.bold}${name}${c.reset}  ${riskBadge(riskScore)}`);
+    console.log(`  ${c.dim}Risk Score: ${riskScore}/100${c.reset}`);
+    if (data.source_url) console.log(`  ${c.dim}Source: ${data.source_url}${c.reset}`);
+    console.log(`  ${c.dim}Registry: ${REGISTRY_URL}/skills/${name}${c.reset}`);
     if (data.has_official_audit) console.log(`  ${c.green}✔ Officially audited${c.reset}`);
-
-    // Recommendation
-    if (confidence === 'unverified' && trustScore >= 70) {
-      console.log();
-      console.log(`  ${c.yellow}⚠  Score looks good but only 1 audit exists.${c.reset}`);
-      console.log(`  ${c.dim}   Consider running your own audit: agentaudit audit ${data.source_url || name}${c.reset}`);
-    } else if (confidence === 'low') {
-      console.log();
-      console.log(`  ${c.yellow}⚠  Limited independent verification.${c.reset}`);
-      console.log(`  ${c.dim}   More auditors needed for consensus. Run: agentaudit audit ${data.source_url || name}${c.reset}`);
-    }
-
-    // Links
-    console.log();
-    if (data.source_url) console.log(`  ${c.dim}Source:   ${data.source_url}${c.reset}`);
-    console.log(`  ${c.dim}Registry: ${REGISTRY_URL}/skills/${encodeURIComponent(name)}${c.reset}`);
     console.log();
   }
   return data;
@@ -2207,40 +1870,12 @@ async function main() {
   quietMode = rawArgs.includes('--quiet') || rawArgs.includes('-q');
   // --no-color already handled at top level for `c` object
   
-  // --model flag: --model=<name> or --model <name>
-  const modelFlagIdx = rawArgs.findIndex(a => a === '--model');
-  const modelFlagEq = rawArgs.find(a => a.startsWith('--model='));
-  modelOverride = modelFlagEq?.split('=')[1]
-    || (modelFlagIdx >= 0 ? rawArgs[modelFlagIdx + 1] : null)
-    || process.env.AGENTAUDIT_MODEL
-    || loadConfig()?.preferred_model
-    || null;
-  globalModelOverride = modelOverride;
-  
-  // --timeout flag: --timeout=<seconds> or --timeout <seconds>
-  const timeoutFlagIdx = rawArgs.findIndex(a => a === '--timeout');
-  const timeoutFlagEq = rawArgs.find(a => a.startsWith('--timeout='));
-  const timeoutVal = timeoutFlagEq?.split('=')[1]
-    || (timeoutFlagIdx >= 0 ? rawArgs[timeoutFlagIdx + 1] : null)
-    || process.env.AGENTAUDIT_TIMEOUT
-    || null;
-  if (timeoutVal) {
-    const secs = parseInt(timeoutVal, 10);
-    if (secs > 0) llmTimeoutMs = secs * 1000;
-  }
-  
-  // Strip global flags from args
+  // Strip global flags from args (including --model <value>)
   const globalFlags = new Set(['--json', '--quiet', '-q', '--no-color']);
   let args = rawArgs.filter(a => !globalFlags.has(a));
-  // Strip --model and its value
-  args = args.filter((a, i, arr) => {
-    if (a.startsWith('--model=')) return false;
-    if (a === '--model') { arr[i + 1] = '__skip__'; return false; }
-    if (a.startsWith('--timeout=')) return false;
-    if (a === '--timeout') { arr[i + 1] = '__skip__'; return false; }
-    if (a === '__skip__') return false;
-    return true;
-  });
+  // Remove --model <value> pair
+  const modelIdx = args.indexOf('--model');
+  if (modelIdx !== -1) args.splice(modelIdx, 2);
   
   if (args[0] === '-v' || args[0] === '--version') {
     console.log(`agentaudit ${getVersion()}`);
@@ -2248,46 +1883,48 @@ async function main() {
   }
   
   if (args[0] === '--help' || args[0] === '-h') {
-    await banner();
-    console.log(`  ${c.bold}USAGE${c.reset}`);
-    console.log(`    ${c.cyan}agentaudit${c.reset} <command> [options]`);
+    banner();
+    console.log(`  ${c.bold}Commands:${c.reset}`);
+    console.log();
+    console.log(`    ${c.cyan}agentaudit${c.reset}                                   Discover MCP servers (same as discover)`);
+    console.log(`    ${c.cyan}agentaudit discover${c.reset}                          Find MCP servers in your AI editors (Cursor, Claude, VS Code, Windsurf)`);
+    console.log(`    ${c.cyan}agentaudit discover --quick${c.reset}                  Discover + auto-scan all servers`);
+    console.log(`    ${c.cyan}agentaudit discover --deep${c.reset}                   Discover + select servers to deep-audit`);
+    console.log(`    ${c.cyan}agentaudit scan${c.reset} <url> [url...]               Quick static scan (regex, local)`);
+    console.log(`    ${c.cyan}agentaudit scan${c.reset} <url> ${c.dim}--deep${c.reset}                Deep audit (same as audit)`);
+    console.log(`    ${c.cyan}agentaudit audit${c.reset} <url> [url...]              Deep LLM-powered security audit`);
+    console.log(`    ${c.cyan}agentaudit lookup${c.reset} <name>                     Look up package in registry`);
+    console.log(`    ${c.cyan}agentaudit model${c.reset} [name|reset]               View or set default LLM model`);
+    console.log(`    ${c.cyan}agentaudit setup${c.reset}                             Register + configure API key`);
     console.log();
-    console.log(`  ${c.bold}SCAN & AUDIT${c.reset}`);
-    console.log(`    ${c.cyan}scan${c.reset} <url> [url...]          Quick static analysis ${c.dim}(~2s, no API key)${c.reset}`);
-    console.log(`    ${c.cyan}audit${c.reset} <url> [url...]         Deep LLM security audit ${c.dim}(~30s)${c.reset}`);
-    console.log(`    ${c.cyan}discover${c.reset}                     Find MCP servers in your editors`);
+    console.log(`  ${c.bold}Global flags:${c.reset}`);
+    console.log(`    ${c.dim}--json           Output JSON to stdout (machine-readable)${c.reset}`);
+    console.log(`    ${c.dim}--quiet          Suppress banner and tree visualization${c.reset}`);
+    console.log(`    ${c.dim}--no-color       Disable ANSI colors (also: NO_COLOR env)${c.reset}`);
+    console.log(`    ${c.dim}--model <name>   Override LLM model (e.g. qwen/qwen3.5-coder-32b)${c.reset}`);
     console.log();
-    console.log(`  ${c.bold}REGISTRY${c.reset}`);
-    console.log(`    ${c.cyan}check${c.reset} <name|url>             Look up or auto-audit package`);
-    console.log(`    ${c.cyan}lookup${c.reset} <name>                Look up package in registry`);
+    console.log(`  ${c.bold}Quick Scan${c.reset} vs ${c.bold}Deep Audit${c.reset}:`);
+    console.log(`    ${c.dim}scan  = fast regex-based static analysis (~2s)${c.reset}`);
+    console.log(`    ${c.dim}audit = deep LLM analysis with 3-pass methodology (~30s)${c.reset}`);
     console.log();
-    console.log(`  ${c.bold}SETUP${c.reset}`);
-    console.log(`    ${c.cyan}status${c.reset}                       Check providers & API keys`);
-    console.log(`    ${c.cyan}setup${c.reset}                        Register & configure`);
-    console.log(`    ${c.cyan}models${c.reset}                       List available LLM models`);
-    console.log(`    ${c.cyan}config set${c.reset} <key> <value>     Set default provider/options`);
+    console.log(`  ${c.bold}Exit codes:${c.reset}`);
+    console.log(`    ${c.dim}0 = clean / success    1 = findings detected    2 = error${c.reset}`);
     console.log();
-    console.log(`  ${c.bold}OPTIONS${c.reset}`);
-    console.log(`    ${c.dim}--json         Machine-readable JSON output${c.reset}`);
-    console.log(`    ${c.dim}--quiet        Suppress banner${c.reset}`);
-    console.log(`    ${c.dim}--no-color     Disable colors ${c.reset}${c.dim}(also: NO_COLOR=1)${c.reset}`);
-    console.log(`    ${c.dim}--provider <p> Force provider ${c.reset}${c.dim}(anthropic|openai|openrouter|ollama|custom)${c.reset}`);
-    console.log(`    ${c.dim}--model <m>    Override model ${c.reset}${c.dim}(e.g. gpt-4o-mini, claude-3.5-sonnet)${c.reset}`);
-    console.log(`    ${c.dim}--export       Export audit payload to markdown${c.reset}`);
-    console.log(`    ${c.dim}--debug        Show raw LLM response on errors${c.reset}`);
+    console.log(`  ${c.bold}Examples:${c.reset}`);
+    console.log(`    agentaudit`);
+    console.log(`    agentaudit discover --quick`);
+    console.log(`    agentaudit scan https://github.com/owner/repo`);
+    console.log(`    agentaudit audit https://github.com/owner/repo`);
+    console.log(`    agentaudit lookup fastmcp --json`);
     console.log();
-    console.log(`  ${c.bold}EXAMPLES${c.reset}`);
-    console.log(`    ${c.dim}$${c.reset} agentaudit scan https://github.com/owner/repo`);
-    console.log(`    ${c.dim}$${c.reset} agentaudit audit https://github.com/owner/repo`);
-    console.log(`    ${c.dim}$${c.reset} agentaudit check fastmcp`);
-    console.log(`    ${c.dim}$${c.reset} agentaudit status`);
+    console.log(`  ${c.bold}For deep audits,${c.reset} set any LLM API key:`);
+    console.log(`    ${c.dim}ANTHROPIC_API_KEY, OPENAI_API_KEY, GEMINI_API_KEY, DEEPSEEK_API_KEY,${c.reset}`);
+    console.log(`    ${c.dim}MISTRAL_API_KEY, XAI_API_KEY, GROQ_API_KEY, TOGETHER_API_KEY,${c.reset}`);
+    console.log(`    ${c.dim}FIREWORKS_API_KEY, CEREBRAS_API_KEY, ZAI_API_KEY, or OPENROUTER_API_KEY${c.reset}`);
     console.log();
-    console.log(`  ${c.bold}PROVIDERS${c.reset} ${c.dim}(set any one for deep audits)${c.reset}`);
-    console.log(`    ${c.dim}ANTHROPIC_API_KEY · OPENAI_API_KEY · OPENROUTER_API_KEY · OLLAMA_MODEL · LLM_API_URL${c.reset}`);
-    console.log(`    ${c.dim}Set default: AGENTAUDIT_PROVIDER=openai  AGENTAUDIT_MODEL=gpt-4o-mini${c.reset}`);
-    console.log(`    ${c.dim}Or persist: agentaudit config set provider openai${c.reset}`);
-    console.log(`    ${c.dim}            agentaudit config set model gpt-4o-mini${c.reset}`);
-    console.log(`    ${c.dim}Run ${c.cyan}agentaudit status${c.dim} to check configuration.${c.reset}`);
+    console.log(`  ${c.bold}Or use as MCP server${c.reset} in Cursor/Claude ${c.dim}(no extra API key needed):${c.reset}`);
+    console.log(`    ${c.dim}Add to your MCP config:${c.reset}`);
+    console.log(`    ${c.dim}{ "agentaudit": { "command": "npx", "args": ["-y", "agentaudit"] } }${c.reset}`);
     console.log();
     process.exitCode = 0; return;
   }
@@ -2296,312 +1933,166 @@ async function main() {
   const command = args.length === 0 ? 'discover' : args[0];
   const targets = args.slice(1);
   
-  await banner();
+  banner();
   
   if (command === 'setup') {
     await setupCommand();
     return;
   }
-  
-  if (command === 'status') {
-    console.log(`  ${c.bold}LLM Providers:${c.reset}`);
-    console.log();
-    const keys = {
-      anthropicKey: process.env.ANTHROPIC_API_KEY,
-      openaiKey: process.env.OPENAI_API_KEY,
-      openrouterKey: process.env.OPENROUTER_API_KEY,
-    };
-    const ollamaHost = process.env.OLLAMA_HOST || 'http://localhost:11434';
-    const ollamaModel = process.env.OLLAMA_MODEL;
-    const customUrl = process.env.LLM_API_URL;
-
-    const checks = [
-      { name: 'Anthropic', env: 'ANTHROPIC_API_KEY', key: keys.anthropicKey, testUrl: 'https://api.anthropic.com/v1/messages', testHeaders: (k) => ({ 'x-api-key': k, 'anthropic-version': '2023-06-01', 'content-type': 'application/json' }), testBody: JSON.stringify({ model: 'claude-sonnet-4-20250514', max_tokens: 1, messages: [{ role: 'user', content: 'hi' }] }) },
-      { name: 'OpenAI', env: 'OPENAI_API_KEY', key: keys.openaiKey, testUrl: 'https://api.openai.com/v1/chat/completions', testHeaders: (k) => ({ 'Authorization': `Bearer ${k}`, 'Content-Type': 'application/json' }), testBody: JSON.stringify({ model: 'gpt-4o-mini', max_tokens: 1, messages: [{ role: 'user', content: 'hi' }] }) },
-      { name: 'OpenRouter', env: 'OPENROUTER_API_KEY', key: keys.openrouterKey, testUrl: 'https://openrouter.ai/api/v1/chat/completions', testHeaders: (k) => ({ 'Authorization': `Bearer ${k}`, 'Content-Type': 'application/json', 'HTTP-Referer': 'https://agentaudit.dev', 'X-Title': 'AgentAudit' }), testBody: JSON.stringify({ model: 'openai/gpt-4o-mini', max_tokens: 1, messages: [{ role: 'user', content: 'hi' }] }) },
-      { name: 'Ollama', env: 'OLLAMA_MODEL', key: ollamaModel, testUrl: `${ollamaHost}/api/tags`, testHeaders: () => ({}), testBody: null },
-      { name: 'Custom', env: 'LLM_API_URL', key: customUrl, testUrl: customUrl ? `${customUrl.replace(/\/$/, '')}/models` : null, testHeaders: (k) => process.env.LLM_API_KEY ? ({ 'Authorization': `Bearer ${process.env.LLM_API_KEY}` }) : {}, testBody: null },
-    ];
 
-    for (const p of checks) {
-      if (!p.key) {
-        console.log(`    ${c.dim}○${c.reset}  ${p.name.padEnd(12)} ${c.dim}not set${c.reset}  ${c.dim}(${p.env})${c.reset}`);
-        continue;
-      }
-      const masked = p.key.substring(0, 8) + '...' + p.key.substring(p.key.length - 4);
-      process.stdout.write(`    ${c.yellow}●${c.reset}  ${p.name.padEnd(12)} ${c.dim}${masked}${c.reset}  checking...`);
-      try {
-        const res = await fetch(p.testUrl, {
-          method: p.testBody ? 'POST' : 'GET',
-          headers: p.testHeaders(p.key),
-          ...(p.testBody ? { body: p.testBody } : {}),
-          signal: AbortSignal.timeout(10_000),
-        });
-        if (res.ok || res.status === 200 || res.status === 201) {
-          process.stdout.write(`\r    ${c.green}●${c.reset}  ${p.name.padEnd(12)} ${c.dim}${masked}${c.reset}  ${c.green}valid ✓${c.reset}  \n`);
-        } else {
-          const body = await res.json().catch(() => ({}));
-          const rawMsg = body?.error?.message || body?.message || `HTTP ${res.status}`;
-          // Detect specific error types for clearer messages
-          const lcMsg = rawMsg.toLowerCase();
-          let errMsg = rawMsg;
-          let hint = '';
-          if (lcMsg.includes('credit') || lcMsg.includes('balance') || lcMsg.includes('quota') || lcMsg.includes('billing') || lcMsg.includes('exceeded') || lcMsg.includes('insufficient')) {
-            errMsg = 'no credits';
-            if (p.name === 'Anthropic') hint = `\n       ${c.dim}└─ Add credits: console.anthropic.com/settings/plans${c.reset}`;
-            else if (p.name === 'OpenAI') hint = `\n       ${c.dim}└─ Check usage: platform.openai.com/usage${c.reset}`;
-            else if (p.name === 'OpenRouter') hint = `\n       ${c.dim}└─ Check balance: openrouter.ai/credits${c.reset}`;
-          } else if (res.status === 401 || lcMsg.includes('invalid') || lcMsg.includes('unauthorized') || lcMsg.includes('authentication')) {
-            errMsg = 'invalid key';
-            if (p.name === 'Anthropic') hint = `\n       ${c.dim}└─ Check key: console.anthropic.com/settings/keys${c.reset}`;
-            else if (p.name === 'OpenAI') hint = `\n       ${c.dim}└─ Check key: platform.openai.com/api-keys${c.reset}`;
-          } else if (res.status === 429) {
-            errMsg = 'rate limited';
-            hint = `\n       ${c.dim}└─ Try again in a moment${c.reset}`;
-          }
-          process.stdout.write(`\r    ${c.red}●${c.reset}  ${p.name.padEnd(12)} ${c.dim}${masked}${c.reset}  ${c.red}✖ ${errMsg}${c.reset}${hint}  \n`);
+  if (command === 'model') {
+    const newModel = targets.filter(t => !t.startsWith('--'))[0];
+    const current = loadLlmConfig()?.llm_model;
+
+    // Direct set: agentaudit model <name>
+    if (newModel === 'reset' || newModel === 'clear') {
+      for (const f of [USER_CRED_FILE, SKILL_CRED_FILE]) {
+        if (fs.existsSync(f)) {
+          try {
+            const data = JSON.parse(fs.readFileSync(f, 'utf8'));
+            delete data.llm_model;
+            fs.writeFileSync(f, JSON.stringify(data, null, 2), { mode: 0o600 });
+          } catch {}
         }
-      } catch (e) {
-        process.stdout.write(`\r    ${c.red}●${c.reset}  ${p.name.padEnd(12)} ${c.dim}${masked}${c.reset}  ${c.red}error ✗${c.reset} ${c.dim}(${e.message})${c.reset}  \n`);
       }
+      console.log(`  ${icons.safe}  Model reset to provider default`);
+      return;
     }
 
-    const resolved = resolveProvider(null, keys);
-    console.log();
-    if (resolved) {
-      const activeModel = modelOverride || process.env.AGENTAUDIT_MODEL || loadConfig()?.preferred_model;
-      console.log(`    ${c.bold}Active:${c.reset} ${c.green}${resolved.label}${c.reset}${activeModel ? `  ${c.dim}model: ${activeModel}${c.reset}` : ''}`);
-      console.log(`    ${c.dim}Override: --provider=<name> --model=<name>${c.reset}`);
-      console.log(`    ${c.dim}Set default: agentaudit config set provider <name>${c.reset}`);
-      console.log(`    ${c.dim}             agentaudit config set model <name>${c.reset}`);
-    } else {
-      console.log(`    ${c.yellow}⚠  No working LLM provider.${c.reset} Deep audits require one.`);
-      console.log(`    ${c.dim}Set a key: export ANTHROPIC_API_KEY=sk-ant-...${c.reset}`);
-      console.log(`    ${c.dim}Or scan without LLM: agentaudit scan <url>${c.reset}`);
+    if (newModel) {
+      saveLlmConfig(newModel);
+      console.log(`  ${icons.safe}  Model set to ${c.bold}${newModel}${c.reset}`);
+      if (current) console.log(`  ${c.dim}Was: ${current}${c.reset}`);
+      return;
     }
 
-    // AgentAudit registry key
+    // No argument — interactive menu
+    const activeLlm = LLM_PROVIDERS.find(p => process.env[p.key]);
+    console.log(`  ${c.bold}LLM Model Configuration${c.reset}`);
     console.log();
-    console.log(`  ${c.bold}Registry:${c.reset}`);
-    const creds = loadCredentials();
-    if (creds?.api_key) {
-      const masked = creds.api_key.substring(0, 8) + '...' + creds.api_key.substring(creds.api_key.length - 4);
-      console.log(`    ${c.green}●${c.reset}  AgentAudit  ${c.dim}${masked}${c.reset}  ${c.dim}(${creds.agent_name || 'unknown'})${c.reset}`);
-      // Fetch agent stats from leaderboard
-      try {
-        const lbRes = await fetch(`${REGISTRY_URL}/api/leaderboard`, { signal: AbortSignal.timeout(5000) });
-        if (lbRes.ok) {
-          const agents = await lbRes.json();
-          const myName = creds.agent_name?.toLowerCase();
-          const idx = Array.isArray(agents) ? agents.findIndex((a) => (a.agent_name || '').toLowerCase() === myName) : -1;
-          if (idx >= 0) {
-            const me = agents[idx];
-            const pts = me.total_points || 0;
-            const reports = me.total_reports || 0;
-            const rank = idx + 1;
-            const medal = rank === 1 ? '🥇' : rank === 2 ? '🥈' : rank === 3 ? '🥉' : '  ';
-            console.log();
-            console.log(`  ${c.bold}Your Stats:${c.reset}`);
-            console.log(`    ${medal} Rank #${rank} of ${agents.length}  ${c.dim}│${c.reset}  ${c.cyan}${pts}${c.reset} points  ${c.dim}│${c.reset}  ${reports} reports`);
-            if (me.is_official) console.log(`    ${c.green}✔ Official Auditor${c.reset}`);
-            // Update stats cache
-            saveStatsCache({ rank, total: agents.length, pts, reports, official: !!me.is_official });
-          }
-        }
-      } catch {}
+    if (current) {
+      console.log(`  Current: ${c.bold}${c.cyan}${current}${c.reset}`);
     } else {
-      console.log(`    ${c.dim}○${c.reset}  AgentAudit   ${c.dim}not set${c.reset}  ${c.dim}(run: agentaudit setup)${c.reset}`);
+      console.log(`  Current: ${c.dim}(provider default${activeLlm ? `: ${activeLlm.model}` : ''})${c.reset}`);
+    }
+    if (activeLlm) {
+      console.log(`  Provider: ${c.dim}${activeLlm.name} (${activeLlm.key})${c.reset}`);
     }
     console.log();
-    return;
-  }
-  
-  if (command === 'discover') {
-    const scanFlag = targets.includes('--quick') || targets.includes('--scan') || targets.includes('-s');
-    const auditFlag = targets.includes('--deep') || targets.includes('--audit') || targets.includes('-a');
-    await discoverCommand({ scan: scanFlag, audit: auditFlag });
-    return;
-  }
-  
-  if (command === 'models') {
-    const anthropicKey = process.env.ANTHROPIC_API_KEY;
-    const openaiKey = process.env.OPENAI_API_KEY;
-    const openrouterKey = process.env.OPENROUTER_API_KEY;
-    
-    console.log(`  ${c.bold}Available models by provider:${c.reset}`);
-    console.log();
-    
-    // Static lists for Anthropic (no list API)
-    console.log(`  ${c.bold}Anthropic${c.reset}${anthropicKey ? ` ${c.green}(configured)${c.reset}` : ` ${c.dim}(not configured)${c.reset}`}`);
-    console.log(`    ${c.dim}claude-sonnet-4-20250514${c.reset}      ${c.dim}(default)${c.reset}`);
-    console.log(`    ${c.dim}claude-opus-4-20250514${c.reset}`);
-    console.log(`    ${c.dim}claude-haiku-3-20250514${c.reset}`);
-    console.log();
-    
-    // Static list for OpenAI
-    console.log(`  ${c.bold}OpenAI${c.reset}${openaiKey ? ` ${c.green}(configured)${c.reset}` : ` ${c.dim}(not configured)${c.reset}`}`);
-    console.log(`    ${c.dim}gpt-4o${c.reset}                        ${c.dim}(default)${c.reset}`);
-    console.log(`    ${c.dim}gpt-4o-mini${c.reset}`);
-    console.log(`    ${c.dim}gpt-4.1${c.reset}`);
-    console.log(`    ${c.dim}gpt-4.1-mini${c.reset}`);
-    console.log(`    ${c.dim}o3${c.reset}`);
-    console.log(`    ${c.dim}o4-mini${c.reset}`);
-    console.log();
-    
-    // OpenRouter — fetch from API
-    console.log(`  ${c.bold}OpenRouter${c.reset}${openrouterKey ? ` ${c.green}(configured)${c.reset}` : ` ${c.dim}(not configured)${c.reset}`}`);
-    if (openrouterKey || targets.includes('--all')) {
-      process.stdout.write(`    ${c.dim}Fetching models...${c.reset}`);
-      try {
-        const res = await fetch('https://openrouter.ai/api/v1/models', {
-          headers: openrouterKey ? { 'Authorization': `Bearer ${openrouterKey}` } : {},
-          signal: AbortSignal.timeout(10_000),
-        });
-        const data = await res.json();
-        const models = (data.data || [])
-          .filter(m => m.id && !m.id.includes(':free') && !m.id.includes('/extended'))
-          .sort((a, b) => (a.id || '').localeCompare(b.id || ''));
-        
-        // Group by provider prefix
-        const groups = {};
-        for (const m of models) {
-          const [prefix] = m.id.split('/');
-          if (!groups[prefix]) groups[prefix] = [];
-          groups[prefix].push(m);
-        }
-        
-        // Show popular ones first
-        const popular = ['anthropic', 'openai', 'google', 'meta-llama', 'mistralai', 'deepseek'];
-        const shown = new Set();
-        process.stdout.write(`\r    ${c.green}${models.length} models available${c.reset}                    \n`);
-        console.log();
-        
-        for (const prefix of popular) {
-          if (!groups[prefix]) continue;
-          shown.add(prefix);
-          console.log(`    ${c.bold}${prefix}${c.reset}`);
-          for (const m of groups[prefix].slice(0, 5)) {
-            console.log(`      ${c.dim}${m.id}${c.reset}`);
-          }
-          if (groups[prefix].length > 5) {
-            console.log(`      ${c.dim}... and ${groups[prefix].length - 5} more${c.reset}`);
-          }
-        }
-        
-        const otherCount = Object.keys(groups).filter(k => !shown.has(k)).length;
-        if (otherCount > 0) {
-          console.log();
-          console.log(`    ${c.dim}+ ${otherCount} more providers. Use --model=<provider/model>${c.reset}`);
-          console.log(`    ${c.dim}Full list: https://openrouter.ai/models${c.reset}`);
+
+    // Build menu items — deduplicate providers, show popular models
+    const modelChoices = [
+      { label: 'claude-sonnet-4-20250514',                      sublabel: 'Anthropic — fast + smart',         value: 'claude-sonnet-4-20250514' },
+      { label: 'claude-opus-4-20250514',                        sublabel: 'Anthropic — most capable',         value: 'claude-opus-4-20250514' },
+      { label: 'gpt-4o',                                        sublabel: 'OpenAI — fast multimodal',         value: 'gpt-4o' },
+      { label: 'gpt-4.1',                                       sublabel: 'OpenAI — latest',                  value: 'gpt-4.1' },
+      { label: 'gemini-2.5-flash',                               sublabel: 'Google — fast + cheap',            value: 'gemini-2.5-flash' },
+      { label: 'gemini-2.5-pro',                                 sublabel: 'Google — most capable',            value: 'gemini-2.5-pro' },
+      { label: 'deepseek-chat',                                  sublabel: 'DeepSeek — cost-effective',        value: 'deepseek-chat' },
+      { label: 'qwen/qwen3-coder',                              sublabel: 'OpenRouter — code specialist',     value: 'qwen/qwen3-coder' },
+      { label: 'mistral-large-latest',                           sublabel: 'Mistral — EU-hosted',              value: 'mistral-large-latest' },
+      { label: 'grok-3',                                         sublabel: 'xAI — real-time knowledge',        value: 'grok-3' },
+      { label: 'meta-llama/Llama-3.3-70B-Instruct-Turbo',      sublabel: 'Together AI — open source',        value: 'meta-llama/Llama-3.3-70B-Instruct-Turbo' },
+      { label: 'llama-3.3-70b-versatile',                        sublabel: 'Groq — ultra-fast inference',      value: 'llama-3.3-70b-versatile' },
+      { label: '(reset to provider default)',                     sublabel: '',                                 value: '__reset__' },
+      { label: '(enter custom model name)',                       sublabel: '',                                 value: '__custom__' },
+    ];
+
+    const selected = await singleSelect(modelChoices, {
+      title: 'Choose default model',
+      hint: '↑↓=move  Enter=select  Esc=cancel',
+    });
+
+    if (selected === null) {
+      console.log(`  ${c.dim}Cancelled${c.reset}`);
+      return;
+    }
+
+    if (selected === '__reset__') {
+      for (const f of [USER_CRED_FILE, SKILL_CRED_FILE]) {
+        if (fs.existsSync(f)) {
+          try {
+            const data = JSON.parse(fs.readFileSync(f, 'utf8'));
+            delete data.llm_model;
+            fs.writeFileSync(f, JSON.stringify(data, null, 2), { mode: 0o600 });
+          } catch {}
         }
-      } catch (e) {
-        process.stdout.write(`\r    ${c.red}Failed to fetch: ${e.message}${c.reset}                    \n`);
       }
-    } else {
-      console.log(`    ${c.dim}anthropic/claude-sonnet-4${c.reset}    ${c.dim}(default)${c.reset}`);
-      console.log(`    ${c.dim}Set OPENROUTER_API_KEY to see all ${c.bold}200+${c.reset}${c.dim} models${c.reset}`);
-      console.log(`    ${c.dim}Or browse: https://openrouter.ai/models${c.reset}`);
+      console.log();
+      console.log(`  ${icons.safe}  Model reset to provider default`);
+      return;
     }
-    console.log();
-    
-    // Ollama
-    const ollamaModel = process.env.OLLAMA_MODEL;
-    const ollamaHost = process.env.OLLAMA_HOST || 'http://localhost:11434';
-    console.log(`  ${c.bold}Ollama${c.reset}${ollamaModel ? ` ${c.green}(configured: ${ollamaModel})${c.reset}` : ` ${c.dim}(not configured)${c.reset}`}`);
-    if (ollamaModel || process.env.OLLAMA_HOST) {
-      try {
-        const res = await fetch(`${ollamaHost}/api/tags`, { signal: AbortSignal.timeout(5_000) });
-        const data = await res.json();
-        for (const m of (data.models || []).slice(0, 10)) {
-          console.log(`    ${c.dim}${m.name}${c.reset}`);
-        }
-      } catch {
-        console.log(`    ${c.dim}(Ollama not running at ${ollamaHost})${c.reset}`);
+
+    if (selected === '__custom__') {
+      console.log();
+      const custom = await askQuestion(`  Model name: `);
+      if (!custom) {
+        console.log(`  ${c.dim}Cancelled${c.reset}`);
+        return;
       }
-    } else {
-      console.log(`    ${c.dim}Set OLLAMA_MODEL to use local models${c.reset}`);
+      saveLlmConfig(custom);
+      console.log(`  ${icons.safe}  Model set to ${c.bold}${custom}${c.reset}`);
+      if (current) console.log(`  ${c.dim}Was: ${current}${c.reset}`);
+      return;
     }
+
+    saveLlmConfig(selected);
     console.log();
-    
-    console.log(`  ${c.bold}Set model:${c.reset}`);
-    console.log(`    ${c.cyan}agentaudit config set model <name>${c.reset}`);
-    console.log(`    ${c.cyan}agentaudit audit <url> --model <name>${c.reset}`);
-    console.log(`    ${c.dim}Or env: AGENTAUDIT_MODEL=<name>${c.reset}`);
+    console.log(`  ${icons.safe}  Model set to ${c.bold}${selected}${c.reset}`);
+    if (current) console.log(`  ${c.dim}Was: ${current}${c.reset}`);
+    console.log();
+    console.log(`  ${c.dim}Tip: agentaudit model <name>  to set directly, or  agentaudit model reset${c.reset}`);
     return;
   }
   
-  if (command === 'config') {
-    const subCmd = targets[0];
-    if (subCmd === 'set' && targets[1] === 'provider' && targets[2]) {
-      const validProviders = ['anthropic', 'openai', 'openrouter', 'ollama', 'custom', 'claude', 'gpt'];
-      const val = targets[2].toLowerCase();
-      if (!validProviders.includes(val)) {
-        console.log(`  ${c.red}✖  Unknown provider: ${val}${c.reset}`);
-        console.log(`     ${c.dim}Valid: anthropic, openai, openrouter, ollama, custom${c.reset}`);
-        process.exitCode = 2; return;
-      }
-      saveConfig({ preferred_provider: val });
-      console.log(`  ${c.green}✔${c.reset}  Default provider set to: ${c.bold}${val}${c.reset}`);
-      console.log(`     ${c.dim}Override per-command: --provider=<name>${c.reset}`);
-      console.log(`     ${c.dim}Or env: AGENTAUDIT_PROVIDER=<name>${c.reset}`);
-    } else if (subCmd === 'set' && targets[1] === 'model' && targets[2]) {
-      const val = targets[2];
-      saveConfig({ preferred_model: val });
-      console.log(`  ${c.green}✔${c.reset}  Default model set to: ${c.bold}${val}${c.reset}`);
-      console.log(`     ${c.dim}Override per-command: --model=<name>${c.reset}`);
-      console.log(`     ${c.dim}Or env: AGENTAUDIT_MODEL=<name>${c.reset}`);
-    } else if (subCmd === 'get' || !subCmd) {
-      const cfg = loadConfig();
-      console.log(`  ${c.bold}Config:${c.reset} ${USER_CONFIG_FILE}`);
-      if (Object.keys(cfg).length === 0) {
-        console.log(`  ${c.dim}(empty — using defaults)${c.reset}`);
-      } else {
-        for (const [k, v] of Object.entries(cfg)) {
-          console.log(`  ${c.dim}${k}:${c.reset} ${v}`);
-        }
-      }
-    } else if (subCmd === 'reset') {
-      try { fs.unlinkSync(USER_CONFIG_FILE); } catch {}
-      console.log(`  ${c.green}✔${c.reset}  Config reset to defaults.`);
-    } else {
-      console.log(`  ${c.red}✖  Unknown config command${c.reset}`);
-      console.log(`     ${c.dim}Usage: agentaudit config set provider <name>${c.reset}`);
-      console.log(`     ${c.dim}       agentaudit config get${c.reset}`);
-      console.log(`     ${c.dim}       agentaudit config reset${c.reset}`);
-    }
+  if (command === 'discover') {
+    const scanFlag = targets.includes('--quick') || targets.includes('--scan') || targets.includes('-s');
+    const auditFlag = targets.includes('--deep') || targets.includes('--audit') || targets.includes('-a');
+    await discoverCommand({ scan: scanFlag, audit: auditFlag });
     return;
   }
   
   if (command === 'lookup' || command === 'check') {
     const names = targets.filter(t => !t.startsWith('--'));
     if (names.length === 0) {
-      console.log(`  ${c.red}✖  Package name or URL required${c.reset}`);
-      console.log(`     ${c.dim}Usage: agentaudit check <name|url>${c.reset}`);
+      console.log(`  ${c.red}Error: package name required${c.reset}`);
       process.exitCode = 2;
       return;
     }
     const results = [];
-    const allowAutoAudit = command === 'check'; // only 'check' auto-audits, 'lookup' never does
     for (const t of names) {
-      const data = await checkPackage(t, { autoAudit: allowAutoAudit });
+      const data = await checkPackage(t);
       results.push(data);
     }
     if (jsonMode) {
       console.log(JSON.stringify(results.length === 1 ? (results[0] || { error: 'not_found' }) : results, null, 2));
     }
     process.exitCode = 0; return;
+    return;
   }
   
   if (command === 'scan') {
+    const deepFlag = targets.includes('--deep');
     const urls = targets.filter(t => !t.startsWith('--'));
     if (urls.length === 0) {
-      console.log(`  ${c.red}✖  Repository URL required${c.reset}`);
-      console.log(`     ${c.dim}Usage: agentaudit scan <url>${c.reset}`);
-      console.log(`     ${c.dim}Or discover local servers: ${c.cyan}agentaudit discover${c.reset}`);
+      console.log(`  ${c.red}Error: at least one repository URL required${c.reset}`);
+      console.log(`  ${c.dim}Tip: use ${c.cyan}agentaudit discover${c.dim} to find & check locally installed MCP servers${c.reset}`);
+      console.log(`  ${c.dim}Tip: use ${c.cyan}agentaudit audit <url>${c.dim} for a deep LLM-powered audit${c.reset}`);
       process.exitCode = 2;
       return;
     }
     
+    // --deep redirects to audit flow
+    if (deepFlag) {
+      let hasFindings = false;
+      for (const url of urls) {
+        const report = await auditRepo(url);
+        if (report?.findings?.length > 0) hasFindings = true;
+      }
+      process.exitCode = hasFindings ? 1 : 0;
+      return;
+    }
+    
     const results = [];
     let hadErrors = false;
     for (const url of urls) {
@@ -2638,8 +2129,7 @@ async function main() {
   if (command === 'audit') {
     const urls = targets.filter(t => !t.startsWith('--'));
     if (urls.length === 0) {
-      console.log(`  ${c.red}✖  Repository URL required${c.reset}`);
-      console.log(`     ${c.dim}Usage: agentaudit audit <url>${c.reset}`);
+      console.log(`  ${c.red}Error: at least one repository URL required${c.reset}`);
       process.exitCode = 2;
       return;
     }
@@ -2653,18 +2143,8 @@ async function main() {
     return;
   }
   
-  // Typo correction via Levenshtein distance
-  const knownCommands = ['discover', 'scan', 'audit', 'check', 'lookup', 'status', 'setup', 'config', 'models'];
-  const suggestion = knownCommands
-    .map(cmd => ({ cmd, dist: levenshtein(command, cmd) }))
-    .filter(x => x.dist <= 3)
-    .sort((a, b) => a.dist - b.dist)[0];
-  
-  console.log(`  ${c.red}✖  Unknown command: ${command}${c.reset}`);
-  if (suggestion) {
-    console.log(`     ${c.dim}Did you mean: ${c.cyan}agentaudit ${suggestion.cmd}${c.reset}${c.dim}?${c.reset}`);
-  }
-  console.log(`     ${c.dim}Run ${c.cyan}agentaudit --help${c.dim} for usage${c.reset}`);
+  console.log(`  ${c.red}Unknown command: ${command}${c.reset}`);
+  console.log(`  ${c.dim}Run agentaudit --help for usage${c.reset}`);
   process.exitCode = 2;
 }