ai-trust 0.6.0 → 0.7.1

package/README.md

@@ -1,99 +1,106 @@
-> **[OpenA2A](https://github.com/opena2a-org/opena2a)**: [CLI](https://github.com/opena2a-org/opena2a) · [HackMyAgent](https://github.com/opena2a-org/hackmyagent) · [Secretless](https://github.com/opena2a-org/secretless-ai) · [AIM](https://github.com/opena2a-org/agent-identity-management) · [Browser Guard](https://github.com/opena2a-org/AI-BrowserGuard) · [DVAA](https://github.com/opena2a-org/damn-vulnerable-ai-agent)
 # ai-trust
 
-Trust verification CLI **for AI packages** — MCP servers, A2A agents, skills, AI tools, and LLMs. Queries the OpenA2A Registry trust graph for security scans, community consensus, dependency risk, and known advisories.
+> **[OpenA2A](https://github.com/opena2a-org/opena2a)**: [CLI](https://github.com/opena2a-org/opena2a) · [HackMyAgent](https://github.com/opena2a-org/hackmyagent) · [Secretless](https://github.com/opena2a-org/secretless-ai) · [AIM](https://github.com/opena2a-org/agent-identity-management) · [Browser Guard](https://github.com/opena2a-org/AI-BrowserGuard) · [DVAA](https://github.com/opena2a-org/damn-vulnerable-ai-agent)
 
-For general-purpose libraries (express, typescript, chalk, etc.) use [HackMyAgent](https://github.com/opena2a-org/hackmyagent) instead — ai-trust is scoped to AI-native packages only.
+Trust verification CLI for AI packages. MCP servers, A2A agents, skills, AI tools, LLMs. Queries the OpenA2A Registry trust graph for security scans, community consensus, dependency risk, and known advisories. Apache 2.0.
 
-[![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 [![npm version](https://img.shields.io/npm/v/ai-trust.svg)](https://www.npmjs.com/package/ai-trust)
+[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+[![Tests](https://img.shields.io/badge/tests-201%20passing-brightgreen)](https://github.com/opena2a-org/ai-trust)
 
-## Installation
+[Website](https://opena2a.org/ai-trust) · [Registry](https://registry.opena2a.org) · [Discord](https://discord.gg/uRZa3KXgEn)
 
-```bash
-brew install opena2a-org/tap/ai-trust
-```
+For general-purpose libraries (express, typescript, chalk, etc.) use [HackMyAgent](https://github.com/opena2a-org/hackmyagent) instead. ai-trust is scoped to AI-native packages only.
 
-Or via npm:
+## Quick start
 
 ```bash
-npm install -g ai-trust
+npx ai-trust check @modelcontextprotocol/server-filesystem
 ```
 
-Or run directly with npx:
+```
+  @modelcontextprotocol/server-filesystem  mcp_server · scanned 2 days ago
+  No known issues
 
-```bash
-npx ai-trust check @modelcontextprotocol/server-filesystem
+  Trust     ━━━━━━━━━━━━━━━━━━━━ 87/100
+  Level     Scanned (3/4)
+  Blocked > Warning > Listed > Scanned > Verified
+
+  ── Next Steps ──────────────────────────────────────────────
+  Fresh scan:         ai-trust check @modelcontextprotocol/server-filesystem
+  Full project audit: ai-trust audit package.json
 ```
 
-For a full security dashboard covering trust, credentials, shadow AI, and more:
+![ai-trust demo](docs/ai-trust-demo.gif)
+
+## Install
+
+### npm
 
 ```bash
-npx opena2a-cli review
+npx ai-trust check <pkg>     # run once, no install
+npm install -g ai-trust      # install globally
 ```
 
-## Quick Start
+Requires Node.js 18 or later.
+
+### Homebrew
 
 ```bash
-ai-trust check @modelcontextprotocol/server-filesystem
+brew install opena2a-org/tap/ai-trust
 ```
 
-Expected output:
+### From source
 
+```bash
+git clone https://github.com/opena2a-org/ai-trust.git
+cd ai-trust
+npm install
+npm run build
+node dist/index.js check express
 ```
-  @modelcontextprotocol/server-filesystem  mcp_server · scanned 2 days ago
-  No known issues
 
-  Trust     ━━━━━━━━━━━━━━━━━━━━ 87/100
-  Level     Scanned (3/4)
-  Blocked > Warning > Listed > Scanned > Verified
+### Verifying what was installed
 
-  ── Next Steps ──────────────────────────────────────────────
-  Fresh scan:         ai-trust check @modelcontextprotocol/server-filesystem
-  Full project audit: ai-trust audit package.json
+Every release publishes via npm Trusted Publishing with SLSA v1 provenance. No long-lived `NPM_TOKEN`. GitHub Actions exchanges its OIDC token with npm at publish time.
+
+```bash
+npm view ai-trust dist.attestations --json
+# Expects non-empty result with predicateType "https://slsa.dev/provenance/v1"
 ```
 
 ## Scope: AI packages only
 
-ai-trust verifies trust for **AI-native** packages. For everything else, use HMA:
+ai-trust verifies trust for AI-native packages. For everything else, use HMA.
 
 | Your package is... | Use |
 |---|---|
-| MCP server / A2A agent / skill / AI tool / LLM | `ai-trust` |
+| MCP server, A2A agent, skill, AI tool, LLM | `ai-trust` |
 | General-purpose library (express, chalk, typescript, etc.) | `hackmyagent check <pkg>` |
 | Full codebase security audit | `hackmyagent secure .` |
 
 `ai-trust audit package.json` audits AI packages in the trust table and separately lists libraries in an "Out of scope" section with an HMA pointer.
 
-![ai-trust audit](docs/ai-trust-demo.gif)
-
-## Built-in Help
-
-```bash
-ai-trust --help          # All commands and flags
-ai-trust --version       # Current version
-ai-trust [command] -h    # Help for a specific command
-```
-
----
+Running `ai-trust check express` on a general-purpose library returns an "out of scope" verdict with a redirect to `hackmyagent check express`. Intentional. ai-trust is for AI packages only.
 
 ## Commands
 
-### check
+### `check`
 
 Look up the trust verdict for a single AI package.
 
 ```bash
 ai-trust check @modelcontextprotocol/server-filesystem
 ai-trust check my-custom-agent --type a2a_agent
-ai-trust check @modelcontextprotocol/server-postgres --json     # JSON output for scripting
+ai-trust check @modelcontextprotocol/server-postgres --json
+ai-trust check mcp-server-xyz --scan-if-missing --contribute  # download + scan + share
+ai-trust check server-filesystem --no-scan                    # registry lookup only
+ai-trust check /path/to/local --scan-path /path/to/local      # scan a local directory
 ```
 
-Running `check` on a general-purpose library (e.g. `ai-trust check express`) returns an "out of scope" message with a redirect to `hackmyagent check express`. This is intentional — ai-trust is for AI packages only.
-
-### MCP Server Trust
+Flags: `--type`, `--scan-if-missing`, `--contribute`, `--no-scan`, `--no-deep`, `--scan-path`, `--json`.
 
-MCP servers are the most common trust query. Use shorthand to skip the full `@modelcontextprotocol/` scope:
+### MCP server shorthand
 
 ```bash
 # These are equivalent:
@@ -106,29 +113,28 @@ ai-trust check @supabase/mcp-server-supabase
 ai-trust check @cloudflare/mcp-server-cloudflare
 ```
 
-Shorthand rule: `server-*` resolves to `@modelcontextprotocol/server-*`. Third-party `mcp-server-*` packages are looked up by their actual name.
+`server-*` resolves to `@modelcontextprotocol/server-*`. Third-party `mcp-server-*` packages are looked up by their actual name.
 
-#### Scan on demand
+### Scan on demand
 
-When a package is not in the registry, ai-trust can download and scan it locally using [HackMyAgent](https://github.com/opena2a-org/hackmyagent). In interactive mode, you will be prompted. In CI, use flags:
+When a package is not in the registry, ai-trust can download and scan it locally using [HackMyAgent](https://github.com/opena2a-org/hackmyagent). In interactive mode, you are prompted. In CI:
 
 ```bash
-# Auto-scan unknown packages, contribute results to the community registry
-ai-trust check mcp-server-xyz --scan-if-missing --contribute
-
-# Registry lookup only (skip local scan)
-ai-trust check server-filesystem --no-scan
+ai-trust check mcp-server-xyz --scan-if-missing --contribute   # auto-scan + share
+ai-trust check server-filesystem --no-scan                     # skip scanning entirely
 ```
 
-### audit
+Local scans run HMA with NanoMind semantic analysis enabled by default. Pass `--no-deep` for static-only.
+
+### `audit`
 
-Parse dependency files and audit AI packages. Supports any `.json` file (package.json format) or `.txt` file (requirements.txt format). Libraries in the file are partitioned into an "Out of scope" section with a pointer to HMA for general security scanning.
+Parse dependency files and audit AI packages. Supports `.json` (package.json format) and `.txt` (requirements.txt format). Libraries get partitioned into an "Out of scope" section.
 
 ```bash
 ai-trust audit package.json
 ai-trust audit requirements.txt
-ai-trust audit package.json --min-trust 2         # set minimum trust threshold (default: 3)
-ai-trust audit package.json --scan-missing --contribute  # scan unknown AI packages
+ai-trust audit package.json --min-trust 2                      # custom threshold (default 3)
+ai-trust audit package.json --scan-missing --contribute        # scan unknown AI packages
 ```
 
 Example output (mixed AI + libraries):
@@ -139,7 +145,7 @@ Example output (mixed AI + libraries):
   PACKAGE                    TYPE          VERDICT   TRUST       SCORE         SCAN
   ──────────────────────────────────────────────────────────────────────────────────────
   @modelcontextprotocol/sdk  mcp_server    SAFE      Scanned     ━━━━━━━━ 87  passed
-  @opena2a/aim-core          a2a_agent    SAFE      Scanned     ━━━━━━━━ 81  passed
+  @opena2a/aim-core          a2a_agent     SAFE      Scanned     ━━━━━━━━ 81  passed
   ...
 
   ── Out of scope (libraries) ────────────────────────────────
@@ -150,97 +156,99 @@ Example output (mixed AI + libraries):
   Library security:  npx hackmyagent secure .
 ```
 
-### batch
+### `batch`
 
 Look up trust verdicts for multiple AI packages at once. Non-AI packages get partitioned into the "Out of scope" footer.
 
 ```bash
 ai-trust batch @modelcontextprotocol/server-filesystem @modelcontextprotocol/server-postgres
 ai-trust batch my-server-a my-server-b --type mcp_server
+ai-trust batch react vue express lodash chalk
 ```
 
----
+Flags: `--type`, `--min-trust`.
 
-## Output Options
+## Output options
 
 ```bash
-ai-trust check express --json          # JSON output for scripting
-ai-trust audit package.json --json     # JSON audit output
-ai-trust check express --no-color      # disable colored output
-ai-trust check express --registry-url http://localhost:8080  # custom registry
-```
-
----
-
-## Community Contribution
-
-Every scan you run can improve trust data for the entire community. Scan results are shared as anonymized telemetry (check pass/fail and severity only -- no file paths, source code, or descriptions).
-
-On first scan, ai-trust asks whether you want to contribute. Your choice is saved in `~/.opena2a/config.json` and shared across all OpenA2A tools (opena2a-cli, hackmyagent).
-
-```bash
-# Contribute for this scan (non-interactive / CI)
-ai-trust check chalk --contribute
-
-# Configure globally via opena2a-cli
-opena2a config set contribute true    # opt in
-opena2a config set contribute false   # opt out
+ai-trust check express --json                                    # JSON output for scripting
+ai-trust audit package.json --json                               # JSON audit output
+ai-trust check express --no-color                                # disable colored output
+ai-trust check express --registry-url http://localhost:8080      # custom registry endpoint
 ```
 
-The more scans contributed, the faster packages move from "Listed" to "Scanned" trust level, reducing risk for everyone.
-
----
-
-## Trust Levels
+## Trust levels
 
 | Level | Label | Description |
-|-------|-------|-------------|
+|---|---|---|
 | 0 | Blocked | Package is blocked due to security concerns |
 | 1 | Warning | Package has known issues |
 | 2 | Listed | Package is listed but not yet scanned |
 | 3 | Scanned | Package has been scanned by HackMyAgent |
 | 4 | Verified | Package is verified by the publisher |
 
-## Exit Codes
+## Exit codes
 
 | Code | Meaning |
-|------|---------|
-| 0 | All queried packages are safe / meet the trust threshold |
+|---|---|
+| 0 | All queried packages are safe and meet the trust threshold |
 | 1 | Operational error (network failure, file not found, server error) |
-| 2 | Policy signal: one or more packages have warning/blocked verdict or fall below `--min-trust` |
+| 2 | Policy signal: one or more packages have warning or blocked verdict, or fall below `--min-trust` |
 
----
+## Community contribution
 
-## Requirements
+Every scan you run can improve trust data for the entire community. Scan results are shared as anonymised telemetry: check pass/fail and severity only. No file paths, source code, or descriptions.
 
-- Node.js 18 or later
-- [HackMyAgent](https://github.com/opena2a-org/hackmyagent) (optional, required for local scanning)
+On first scan, ai-trust asks whether you want to contribute. Your choice is saved in `~/.opena2a/config.json` and shared across all OpenA2A tools (`opena2a-cli`, `hackmyagent`).
 
-## Development
+```bash
+ai-trust check chalk --contribute              # contribute for this scan (non-interactive / CI)
+opena2a config set contribute true             # opt in globally
+opena2a config set contribute false            # opt out globally
+```
+
+More scans contributed means packages move from "Listed" to "Scanned" faster, reducing risk for everyone.
+
+## Using with opena2a-cli
+
+[`opena2a-cli`](https://github.com/opena2a-org/opena2a) is the unified CLI for the OpenA2A security toolchain. ai-trust powers `opena2a trust`.
 
 ```bash
-git clone https://github.com/opena2a-org/ai-trust.git
-cd ai-trust && npm install && npm run build
-node dist/index.js check express    # run locally without installing
+npm install -g opena2a-cli
+opena2a trust @modelcontextprotocol/server-filesystem
+opena2a review                              # full security dashboard
 ```
 
-## Use Cases
+## Use cases
 
-Step-by-step guides for common workflows:
+| Guide | Time |
+|---|---|
+| [Check if a package is safe before installing](docs/use-cases/check-before-install.md) | 2 min |
+| [Verify an MCP server's trust score](docs/use-cases/check-mcp-server.md) | 3 min |
+| [Contribute trust data to the community](docs/use-cases/contribute-scans.md) | 3 min |
+
+Full index: [docs/USE-CASES.md](docs/USE-CASES.md).
+
+## Contributing
+
+Apache 2.0. PRs from outside the org welcome.
 
-- [Check if a package is safe before installing](docs/use-cases/check-before-install.md)
-- [Verify an MCP server's trust score](docs/use-cases/check-mcp-server.md)
-- [Contribute trust data to the community](docs/use-cases/contribute-scans.md)
+```bash
+git clone https://github.com/opena2a-org/ai-trust.git
+cd ai-trust && npm install && npm run build && npm test
+```
 
-See [docs/USE-CASES.md](docs/USE-CASES.md) for the full index.
+Security issues: `security@opena2a.org` (coordinated disclosure, response within 24 hours).
 
 ## Links
 
-- [OpenA2A Registry](https://registry.opena2a.org) — trust scores and scan data
-- [OpenA2A CLI](https://github.com/opena2a-org/opena2a) — unified security CLI
-- [HackMyAgent](https://github.com/opena2a-org/hackmyagent) — local scanning for unverified packages
-- [opena2a.org](https://opena2a.org) — full platform
+- [Website](https://opena2a.org/ai-trust)
+- [OpenA2A Registry](https://registry.opena2a.org). Trust scores and scan data.
+- [OpenA2A CLI](https://github.com/opena2a-org/opena2a). Unified security CLI.
+- [HackMyAgent](https://github.com/opena2a-org/hackmyagent). Local scanning for unverified packages.
+
+Part of the [OpenA2A](https://opena2a.org) security platform.
 
 ## License
 
-Apache-2.0
+Apache-2.0.

package/dist/check/narrative-fetch.d.ts

@@ -0,0 +1,50 @@
+/**
+ * Narrative fetch helper — GET /api/v1/trust/narrative.
+ *
+ * Brief: opena2a-org/briefs/check-rich-context-skills-mcp-v1.md (§8 task 3a).
+ *
+ * Returns the parsed `PackageNarrative` shape, or `null` on any
+ * non-success response (404 narrative_not_available, 4xx, 5xx, network
+ * timeout). Always best-effort — the caller falls back to the legacy
+ * check block + v1 footer when the registry has no fresh narrative.
+ *
+ * Wire shape mirrors `packageNarrativeResponse` from the Registry's
+ * `internal/interfaces/http/handlers/package_narrative_handler.go`.
+ * Inner JSON fields (`hardcodedSecrets`, `skillNarrative`, `mcpNarrative`,
+ * `verdictReasoning`, `nextSteps`) ship as opaque JSON values; the
+ * adapter parses + validates them before they reach cli-ui renderers.
+ */
+/**
+ * Wire shape for `GET /api/v1/trust/narrative`. Inner JSON fields are
+ * left as `unknown` because the registry handler ships them as raw
+ * `json.RawMessage` — the adapter is responsible for shape validation.
+ */
+export interface FetchedPackageNarrative {
+    artifactType: "skill" | "mcp";
+    packageName: string;
+    packageVersion: string;
+    schemaVersion: number;
+    generatedAt: string;
+    summary: string;
+    hardcodedSecrets: unknown;
+    skillNarrative?: unknown;
+    mcpNarrative?: unknown;
+    verdictReasoning: unknown;
+    nextSteps: unknown;
+}
+export interface NarrativeFetchOptions {
+    registryUrl: string;
+    artifactType: "skill" | "mcp";
+    name: string;
+    version: string;
+    userAgent: string;
+    /** Override timeout (defaults to 5000ms). */
+    timeoutMs?: number;
+}
+/**
+ * Fetch a fresh narrative for the given (type, name, version) tuple.
+ * Returns null on 404 (no narrative available) or any error condition.
+ * Never throws.
+ */
+export declare function fetchNarrative(options: NarrativeFetchOptions): Promise<FetchedPackageNarrative | null>;
+//# sourceMappingURL=narrative-fetch.d.ts.map

package/dist/check/narrative-fetch.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"narrative-fetch.d.ts","sourceRoot":"","sources":["../../src/check/narrative-fetch.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAIH;;;;GAIG;AACH,MAAM,WAAW,uBAAuB;IACtC,YAAY,EAAE,OAAO,GAAG,KAAK,CAAC;IAC9B,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,YAAY,CAAC,EAAE,OAAO,CAAC;IACvB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,SAAS,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,qBAAqB;IACpC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,OAAO,GAAG,KAAK,CAAC;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,6CAA6C;IAC7C,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;GAIG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,qBAAqB,GAC7B,OAAO,CAAC,uBAAuB,GAAG,IAAI,CAAC,CAqCzC"}

package/dist/check/narrative-fetch.js

@@ -0,0 +1,99 @@
+/**
+ * Narrative fetch helper — GET /api/v1/trust/narrative.
+ *
+ * Brief: opena2a-org/briefs/check-rich-context-skills-mcp-v1.md (§8 task 3a).
+ *
+ * Returns the parsed `PackageNarrative` shape, or `null` on any
+ * non-success response (404 narrative_not_available, 4xx, 5xx, network
+ * timeout). Always best-effort — the caller falls back to the legacy
+ * check block + v1 footer when the registry has no fresh narrative.
+ *
+ * Wire shape mirrors `packageNarrativeResponse` from the Registry's
+ * `internal/interfaces/http/handlers/package_narrative_handler.go`.
+ * Inner JSON fields (`hardcodedSecrets`, `skillNarrative`, `mcpNarrative`,
+ * `verdictReasoning`, `nextSteps`) ship as opaque JSON values; the
+ * adapter parses + validates them before they reach cli-ui renderers.
+ */
+const NARRATIVE_FETCH_TIMEOUT_MS = 5000;
+/**
+ * Fetch a fresh narrative for the given (type, name, version) tuple.
+ * Returns null on 404 (no narrative available) or any error condition.
+ * Never throws.
+ */
+export async function fetchNarrative(options) {
+    const { registryUrl, artifactType, name, version, userAgent } = options;
+    const timeoutMs = options.timeoutMs ?? NARRATIVE_FETCH_TIMEOUT_MS;
+    const url = new URL("/api/v1/trust/narrative", registryUrl);
+    url.searchParams.set("type", artifactType);
+    url.searchParams.set("name", name);
+    url.searchParams.set("version", version);
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), timeoutMs);
+    try {
+        const res = await fetch(url.toString(), {
+            method: "GET",
+            headers: {
+                accept: "application/json",
+                "user-agent": userAgent,
+            },
+            signal: controller.signal,
+        });
+        if (!res.ok) {
+            // 404 narrative_not_available is the documented "graceful
+            // degrade" signal. Any other 4xx / 5xx is also treated as a
+            // miss — caller falls back to legacy block.
+            return null;
+        }
+        const body = (await res.json());
+        const parsed = validateWireShape(body);
+        return parsed;
+    }
+    catch {
+        // Network error, JSON parse error, abort timeout — all degrade to
+        // null and let the caller render the legacy block.
+        return null;
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+/**
+ * Minimal shape validation. The handler ships well-formed responses,
+ * so this is defense-in-depth. Returns null when required top-level
+ * fields are missing or the artifactType isn't skill/mcp.
+ */
+function validateWireShape(body) {
+    const artifactType = body.artifactType;
+    if (artifactType !== "skill" && artifactType !== "mcp")
+        return null;
+    if (typeof body.packageName !== "string" || body.packageName.length === 0) {
+        return null;
+    }
+    if (typeof body.packageVersion !== "string" ||
+        body.packageVersion.length === 0) {
+        return null;
+    }
+    if (typeof body.schemaVersion !== "number")
+        return null;
+    if (typeof body.generatedAt !== "string")
+        return null;
+    if (typeof body.summary !== "string")
+        return null;
+    return {
+        artifactType,
+        packageName: body.packageName,
+        packageVersion: body.packageVersion,
+        schemaVersion: body.schemaVersion,
+        generatedAt: body.generatedAt,
+        summary: body.summary,
+        hardcodedSecrets: body.hardcodedSecrets,
+        // Wire shape uses `skill` / `mcp` (matches the registry handler's
+        // `json:"skill,omitempty"` tag); the typed value carries the same
+        // payload as the internal `SkillNarrative` / `McpNarrative` fields.
+        skillNarrative: body.skill,
+        mcpNarrative: body.mcp,
+        verdictReasoning: body.verdictReasoning,
+        nextSteps: body.nextSteps,
+    };
+}
+//# sourceMappingURL=narrative-fetch.js.map

package/dist/check/narrative-fetch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"narrative-fetch.js","sourceRoot":"","sources":["../../src/check/narrative-fetch.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,MAAM,0BAA0B,GAAG,IAAI,CAAC;AA+BxC;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,OAA8B;IAE9B,MAAM,EAAE,WAAW,EAAE,YAAY,EAAE,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;IACxE,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,0BAA0B,CAAC;IAElE,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,yBAAyB,EAAE,WAAW,CAAC,CAAC;IAC5D,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,YAAY,CAAC,CAAC;IAC3C,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IACnC,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IAEzC,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;IAE9D,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE;YACtC,MAAM,EAAE,KAAK;YACb,OAAO,EAAE;gBACP,MAAM,EAAE,kBAAkB;gBAC1B,YAAY,EAAE,SAAS;aACxB;YACD,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B,CAAC,CAAC;QACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;YACZ,0DAA0D;YAC1D,4DAA4D;YAC5D,4CAA4C;YAC5C,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAA4B,CAAC;QAC3D,MAAM,MAAM,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;QACvC,OAAO,MAAM,CAAC;IAChB,CAAC;IAAC,MAAM,CAAC;QACP,kEAAkE;QAClE,mDAAmD;QACnD,OAAO,IAAI,CAAC;IACd,CAAC;YAAS,CAAC;QACT,YAAY,CAAC,KAAK,CAAC,CAAC;IACtB,CAAC;AACH,CAAC;AAED;;;;GAIG;AACH,SAAS,iBAAiB,CACxB,IAA6B;IAE7B,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC;IACvC,IAAI,YAAY,KAAK,OAAO,IAAI,YAAY,KAAK,KAAK;QAAE,OAAO,IAAI,CAAC;IACpE,IAAI,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ,IAAI,IAAI,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1E,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IACE,OAAO,IAAI,CAAC,cAAc,KAAK,QAAQ;QACvC,IAAI,CAAC,cAAc,CAAC,MAAM,KAAK,CAAC,EAChC,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,IAAI,CAAC,aAAa,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACxD,IAAI,OAAO,IAAI,CAAC,WAAW,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IACtD,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAClD,OAAO;QACL,YAAY;QACZ,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,cAAc,EAAE,IAAI,CAAC,cAAc;QACnC,aAAa,EAAE,IAAI,CAAC,aAAa;QACjC,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;QACvC,kEAAkE;QAClE,kEAAkE;QAClE,oEAAoE;QACpE,cAAc,EAAE,IAAI,CAAC,KAAK;QAC1B,YAAY,EAAE,IAAI,CAAC,GAAG;QACtB,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;QACvC,SAAS,EAAE,IAAI,CAAC,SAAS;KAC1B,CAAC;AACJ,CAAC"}

package/dist/check/render-rich-block.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Terminal-side renderer for `RenderedRichBlock` — applies HMA's
+ * chalk palette to the structured tone-tagged output produced by
+ * `renderCheckRichBlock` from `@opena2a/cli-ui`.
+ *
+ * Brief: opena2a-org/briefs/check-rich-context-skills-mcp-v1.md (§3).
+ *
+ * cli-ui returns tone-tagged lines (no chalk imports); this module
+ * paints them in HMA's terminal style and writes to stdout. ai-trust
+ * has a parallel module — the dividers, indents, and labels are
+ * byte-identical across CLIs (parity F12 / F13).
+ */
+import type { RenderedRichBlock } from "@opena2a/cli-ui";
+type ColorFn = (s: string) => string;
+/**
+ * Color palette interface — kept structural so callers can pass HMA's
+ * existing `colors` object without dragging chalk into this module's
+ * imports.
+ */
+export interface RichBlockPalette {
+    reset: string;
+    dim: ColorFn;
+    bold: ColorFn;
+    white: ColorFn;
+    green: ColorFn;
+    yellow: ColorFn;
+    red: ColorFn;
+    brightRed: ColorFn;
+    cyan: ColorFn;
+}
+export interface PrintRichBlockOptions {
+    palette: RichBlockPalette;
+    /** Width of section divider rule. Defaults to 62 chars. */
+    dividerWidth?: number;
+}
+/**
+ * Print the rich block to stdout. The input is the typed render output
+ * from cli-ui; this function only translates tones to ANSI and writes.
+ */
+export declare function printRichBlock(block: RenderedRichBlock, options: PrintRichBlockOptions): void;
+export {};
+//# sourceMappingURL=render-rich-block.d.ts.map

package/dist/check/render-rich-block.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"render-rich-block.d.ts","sourceRoot":"","sources":["../../src/check/render-rich-block.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAEzD,KAAK,OAAO,GAAG,CAAC,CAAC,EAAE,MAAM,KAAK,MAAM,CAAC;AAErC;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,OAAO,CAAC;IACb,IAAI,EAAE,OAAO,CAAC;IACd,KAAK,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,OAAO,CAAC;IAChB,GAAG,EAAE,OAAO,CAAC;IACb,SAAS,EAAE,OAAO,CAAC;IACnB,IAAI,EAAE,OAAO,CAAC;CACf;AAED,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,gBAAgB,CAAC;IAC1B,2DAA2D;IAC3D,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAC5B,KAAK,EAAE,iBAAiB,EACxB,OAAO,EAAE,qBAAqB,GAC7B,IAAI,CAoBN"}

package/dist/check/render-rich-block.js

@@ -0,0 +1,59 @@
+/**
+ * Terminal-side renderer for `RenderedRichBlock` — applies HMA's
+ * chalk palette to the structured tone-tagged output produced by
+ * `renderCheckRichBlock` from `@opena2a/cli-ui`.
+ *
+ * Brief: opena2a-org/briefs/check-rich-context-skills-mcp-v1.md (§3).
+ *
+ * cli-ui returns tone-tagged lines (no chalk imports); this module
+ * paints them in HMA's terminal style and writes to stdout. ai-trust
+ * has a parallel module — the dividers, indents, and labels are
+ * byte-identical across CLIs (parity F12 / F13).
+ */
+/**
+ * Print the rich block to stdout. The input is the typed render output
+ * from cli-ui; this function only translates tones to ANSI and writes.
+ */
+export function printRichBlock(block, options) {
+    const { palette } = options;
+    const dividerWidth = options.dividerWidth ?? 62;
+    // -- Header --------------------------------------------------------------
+    console.log();
+    console.log(`  ${palette.bold(palette.white(block.header.name))}`);
+    for (const line of block.header.metaLines) {
+        console.log(`  ${paintTone(line.text, line.tone, palette)}`);
+    }
+    // -- Sections ------------------------------------------------------------
+    for (const section of block.sections) {
+        printDivider(section.divider, section.dividerTone, palette, dividerWidth);
+        for (const line of section.lines) {
+            const indent = "  " + "  ".repeat(line.indent);
+            console.log(`${indent}${paintTone(line.text, line.tone, palette)}`);
+        }
+    }
+    console.log();
+}
+function printDivider(label, tone, palette, width) {
+    const dashCount = Math.max(1, width - label.length - 4);
+    const labelPainted = paintTone(label, tone, palette);
+    const dashesLeft = palette.dim("──");
+    const dashesRight = palette.dim("─".repeat(dashCount));
+    console.log();
+    console.log(`  ${dashesLeft} ${palette.bold(labelPainted)} ${dashesRight}`);
+}
+function paintTone(text, tone, palette) {
+    switch (tone) {
+        case "good":
+            return palette.green(text);
+        case "warning":
+            return palette.yellow(text);
+        case "critical":
+            return palette.brightRed(text);
+        case "dim":
+            return palette.dim(text);
+        case "default":
+        default:
+            return text;
+    }
+}
+//# sourceMappingURL=render-rich-block.js.map

package/dist/check/render-rich-block.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"render-rich-block.js","sourceRoot":"","sources":["../../src/check/render-rich-block.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AA6BH;;;GAGG;AACH,MAAM,UAAU,cAAc,CAC5B,KAAwB,EACxB,OAA8B;IAE9B,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC;IAC5B,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,EAAE,CAAC;IAEhD,2EAA2E;IAC3E,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,KAAK,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC,CAAC;IACnE,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,KAAK,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;IAC/D,CAAC;IAED,2EAA2E;IAC3E,KAAK,MAAM,OAAO,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;QACrC,YAAY,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,WAAW,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;QAC1E,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;YACjC,MAAM,MAAM,GAAG,IAAI,GAAG,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC/C,OAAO,CAAC,GAAG,CAAC,GAAG,MAAM,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC,CAAC;QACtE,CAAC;IACH,CAAC;IACD,OAAO,CAAC,GAAG,EAAE,CAAC;AAChB,CAAC;AAED,SAAS,YAAY,CACnB,KAAa,EACb,IAA0D,EAC1D,OAAyB,EACzB,KAAa;IAEb,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,GAAG,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACxD,MAAM,YAAY,GAAG,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;IACrD,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;IACrC,MAAM,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;IACvD,OAAO,CAAC,GAAG,EAAE,CAAC;IACd,OAAO,CAAC,GAAG,CAAC,KAAK,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,WAAW,EAAE,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,SAAS,CAChB,IAAY,EACZ,IAAoE,EACpE,OAAyB;IAEzB,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,MAAM;YACT,OAAO,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC7B,KAAK,SAAS;YACZ,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC9B,KAAK,UAAU;YACb,OAAO,OAAO,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QACjC,KAAK,KAAK;YACR,OAAO,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QAC3B,KAAK,SAAS,CAAC;QACf;YACE,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC"}