hackmyagent 0.10.0 → 0.11.0

package/dist/cli.js

@@ -40,6 +40,7 @@ var __importStar = (this && this.__importStar) || (function () {
 Object.defineProperty(exports, "__esModule", { value: true });
 const commander_1 = require("commander");
 const index_1 = require("./index");
+const resolve_mcp_1 = require("./resolve-mcp");
 const program = new commander_1.Command();
 // Write JSON to stdout synchronously with retry for pipe backpressure.
 // process.stdout.write() is async and gets truncated when process.exit()
@@ -80,7 +81,7 @@ function resolveCliPrefix() {
 }
 const CLI_PREFIX = resolveCliPrefix();
 // Check for NO_COLOR env or non-TTY to disable colors by default
-const noColorEnv = process.env.NO_COLOR !== undefined || process.stdout.isTTY === false;
+const noColorEnv = process.env.NO_COLOR !== undefined || !process.stdout.isTTY;
 // Color codes - will be cleared if --no-color is passed
 let colors = {
     green: '\x1b[32m',
@@ -102,7 +103,7 @@ program
     .name('hackmyagent')
     .description(`Find it. Break it. Fix it.
 
-The hacker's toolkit for AI agents. 147+ security checks, 75 attack
+The hacker's toolkit for AI agents. 147+ security checks, 115 attack
 payloads, auto-fix with rollback, and OASB benchmark compliance.
 
 Documentation: https://hackmyagent.com/docs
@@ -115,11 +116,11 @@ Updates (v${index_1.VERSION}):
 
 Examples:
   $ hackmyagent secure                         Find vulnerabilities (147+ checks)
-  $ hackmyagent attack --local                 Break it with 75 attack payloads
+  $ hackmyagent attack --local                 Break it with 115 attack payloads
   $ hackmyagent secure --fix                   Fix issues automatically
   $ hackmyagent fix-all                        Run all security plugins
   $ hackmyagent scan example.com               Scan external infrastructure`)
-    .version(index_1.VERSION, '-V, --version', 'Output the version number')
+    .version(index_1.VERSION, '-v, --version', 'Output the version number')
     .option('--no-color', 'Disable colored output (also respects NO_COLOR env)')
     .hook('preAction', (thisCommand) => {
     const opts = thisCommand.opts();
@@ -572,21 +573,15 @@ function generateHtmlReport(result) {
         .sort((a, b) => a.compliance - b.compliance)[0];
     // Security grade based on compliance
     const getGrade = (pct) => {
-        if (pct >= 95)
-            return { letter: 'A+', color: '#22c55e' };
         if (pct >= 90)
-            return { letter: 'A', color: '#22c55e' };
-        if (pct >= 85)
-            return { letter: 'B+', color: '#84cc16' };
+            return { letter: 'strong', color: '#22c55e' };
         if (pct >= 80)
-            return { letter: 'B', color: '#84cc16' };
-        if (pct >= 75)
-            return { letter: 'C+', color: '#eab308' };
+            return { letter: 'good', color: '#84cc16' };
         if (pct >= 70)
-            return { letter: 'C', color: '#eab308' };
+            return { letter: 'moderate', color: '#eab308' };
         if (pct >= 60)
-            return { letter: 'D', color: '#f97316' };
-        return { letter: 'F', color: '#ef4444' };
+            return { letter: 'improving', color: '#f97316' };
+        return { letter: 'needs-attention', color: '#ef4444' };
     };
     const grade = getGrade(result.compliance);
     // Generate executive summary items
@@ -766,15 +761,15 @@ function generateHtmlReport(result) {
       border-bottom: 1px solid var(--border);
     }
     .score-grade {
-      width: 56px;
-      height: 56px;
+      width: 72px;
+      height: 72px;
       border-radius: 12px;
       border: 2px solid;
       display: flex;
       align-items: center;
       justify-content: center;
     }
-    .grade-letter { font-size: 1.75rem; font-weight: 800; }
+    .grade-letter { font-size: 0.65rem; font-weight: 800; text-transform: uppercase; text-align: center; line-height: 1.2; }
     .score-main { flex: 1; }
     .score-pct { font-size: 2rem; font-weight: 700; color: var(--text-primary); line-height: 1; }
     .score-label { font-size: 0.75rem; color: var(--text-muted); text-transform: uppercase; letter-spacing: 0.05em; margin-top: 0.25rem; }
@@ -1233,7 +1228,7 @@ function generateScanHtmlReport(scanResult, targetDir) {
     const fixedFindings = scanResult.findings.filter(f => f.fixed);
     const score = scanResult.score;
     const scoreColor = score >= 90 ? '#22c55e' : score >= 70 ? '#eab308' : score >= 50 ? '#f97316' : '#ef4444';
-    const gradeLetters = score >= 90 ? 'A' : score >= 80 ? 'B' : score >= 70 ? 'C' : score >= 60 ? 'D' : 'F';
+    const gradeLetters = score >= 90 ? 'strong' : score >= 80 ? 'good' : score >= 70 ? 'moderate' : score >= 60 ? 'improving' : 'needs-attention';
     const severityOrder = ['critical', 'high', 'medium', 'low'];
     const severityColors = {
         critical: '#ef4444', high: '#f97316', medium: '#eab308', low: '#22c55e',
@@ -1274,7 +1269,7 @@ function generateScanHtmlReport(scanResult, targetDir) {
     h1 { font-size: 1.5rem; margin-bottom: 0.5rem; }
     .meta { color: var(--text-secondary); margin-bottom: 2rem; }
     .score-card { display: flex; align-items: center; gap: 2rem; background: var(--bg-secondary); border: 1px solid var(--border); border-radius: 12px; padding: 1.5rem; margin-bottom: 2rem; }
-    .grade { font-size: 3rem; font-weight: 700; width: 80px; height: 80px; display: flex; align-items: center; justify-content: center; border-radius: 50%; border: 3px solid ${scoreColor}; }
+    .grade { font-size: 0.75rem; font-weight: 700; width: 100px; height: 100px; display: flex; align-items: center; justify-content: center; border-radius: 50%; border: 3px solid ${scoreColor}; text-transform: uppercase; text-align: center; line-height: 1.2; padding: 0.5rem; }
     .score-details { flex: 1; }
     .score-num { font-size: 2rem; font-weight: 700; }
     .stats { display: flex; gap: 2rem; margin-top: 0.5rem; }
@@ -1537,6 +1532,95 @@ function resolvePackageVersion(targetDir) {
     catch { /* ignore */ }
     return null;
 }
+/**
+ * Handle community contribution after a scan completes.
+ *
+ * Determines whether to contribute based on:
+ *   1. --contribute / --no-contribute CLI flags (highest priority)
+ *   2. ~/.opena2a/config.json contribute.enabled setting
+ *   3. Interactive opt-in prompt (first scan or scan #10)
+ *
+ * If contributing, builds an anonymized payload and submits it
+ * asynchronously (non-blocking). Failures are logged as warnings.
+ */
+async function handleContribution(contributeFlag, targetDir, findings, registryUrl, format) {
+    try {
+        const { isContributeEnabled, shouldPromptContribute, showContributePrompt, incrementScanCount, buildContributionPayloadFromDir, submitContribution, } = await Promise.resolve().then(() => __importStar(require('./telemetry')));
+        // Always increment scan count
+        incrementScanCount();
+        // Determine whether to contribute
+        let shouldContribute;
+        if (contributeFlag === true) {
+            // --contribute flag: always contribute this scan
+            shouldContribute = true;
+        }
+        else if (contributeFlag === false) {
+            // --no-contribute flag: skip this scan
+            shouldContribute = false;
+        }
+        else {
+            // Check config
+            const configSetting = isContributeEnabled();
+            if (configSetting === true) {
+                shouldContribute = true;
+            }
+            else if (configSetting === false) {
+                shouldContribute = false;
+            }
+            else {
+                // Not configured -- prompt after 3 scans (interactive TTY only)
+                if (format === 'text' && process.stdout.isTTY && shouldPromptContribute()) {
+                    shouldContribute = await showContributePrompt();
+                }
+                else {
+                    shouldContribute = false;
+                }
+            }
+        }
+        if (!shouldContribute)
+            return;
+        // Build and submit contribution (non-blocking)
+        const packageName = resolvePackageName(targetDir);
+        if (!packageName)
+            return;
+        const payload = buildContributionPayloadFromDir(packageName, targetDir, findings);
+        const result = await submitContribution(payload, registryUrl);
+        if (result.success && format === 'text') {
+            console.log('Contributed anonymized scan summary to OpenA2A Registry (--no-contribute to opt out)');
+        }
+        // Failures are silently ignored -- contribution is best-effort
+    }
+    catch {
+        // Non-fatal: contribution failure must never crash the scan
+    }
+}
+/**
+ * Handle community contribution for scan-soul results.
+ *
+ * Converts SoulScanResult controls into SecurityFinding-like objects
+ * for the contribution module, then delegates to handleContribution.
+ */
+async function handleSoulContribution(contributeFlag, targetDir, result, registryUrl, format) {
+    // Convert soul controls into SecurityFinding-shaped objects
+    const findings = [];
+    for (const domain of result.domains) {
+        if (domain.skippedByProfile || domain.skippedByTier)
+            continue;
+        for (const ctrl of domain.controls) {
+            findings.push({
+                checkId: ctrl.id,
+                name: ctrl.name,
+                description: '',
+                category: domain.domain,
+                severity: 'medium',
+                passed: ctrl.passed,
+                message: '',
+                fixable: false,
+            });
+        }
+    }
+    await handleContribution(contributeFlag, targetDir, findings, registryUrl, format);
+}
 program
     .command('secure')
     .description(`Scan and harden your agent setup
@@ -1592,8 +1676,10 @@ Examples:
     .option('--registry-report', 'Post results to OpenA2A Registry')
     .option('--no-registry', 'Skip auto-publishing results to OpenA2A Registry')
     .option('--version-id <id>', 'Registry version ID to report against')
-    .option('--registry-url <url>', 'Registry URL (default: REGISTRY_URL env)', process.env.REGISTRY_URL || 'https://registry.opena2a.org')
+    .option('--registry-url <url>', 'Registry URL (default: REGISTRY_URL env)', process.env.REGISTRY_URL || 'https://api.oa2a.org')
     .option('--registry-key <key>', 'Registry API key (default: REGISTRY_API_KEY env)')
+    .option('--contribute', 'Share anonymized scan findings with OpenA2A Registry (overrides config)')
+    .option('--no-contribute', 'Do not share findings for this scan (overrides config)')
     .action(async (directory, options) => {
     try {
         const targetDir = directory.startsWith('/') ? directory : process.cwd() + '/' + directory;
@@ -1768,7 +1854,7 @@ Examples:
             if (options.publish && options.registry !== false) {
                 try {
                     const { publishScanResults } = await Promise.resolve().then(() => __importStar(require('./registry/publish')));
-                    const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://registry.opena2a.org';
+                    const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org';
                     const packageName = resolvePackageName(targetDir);
                     if (packageName) {
                         const publishData = {
@@ -1797,6 +1883,8 @@ Examples:
             else {
                 writeJsonStdout(jsonOutput);
             }
+            // Community contribution (non-blocking, runs in JSON mode too)
+            await handleContribution(options.contribute, targetDir, result.findings, options.registryUrl, format);
             const critHigh = result.findings.filter((f) => !f.passed && !f.fixed && (f.severity === 'critical' || f.severity === 'high'));
             if (critHigh.length > 0)
                 process.exitCode = 1;
@@ -1936,7 +2024,7 @@ Examples:
         if (options.versionId || options.registryReport) {
             try {
                 const core = await Promise.resolve().then(() => __importStar(require('./index')));
-                const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://registry.opena2a.org';
+                const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org';
                 if (options.versionId) {
                     // Authenticated path: existing behavior (version-id + API key)
                     const registryKey = options.registryKey || process.env.REGISTRY_API_KEY;
@@ -1983,7 +2071,7 @@ Examples:
         else if (options.publish) {
             try {
                 const { publishScanResults, formatPublishOutput } = await Promise.resolve().then(() => __importStar(require('./registry/publish')));
-                const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://registry.opena2a.org';
+                const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org';
                 const packageName = resolvePackageName(targetDir);
                 if (!packageName) {
                     console.error('\nCould not determine package name. Publish requires a package.json with a name field.');
@@ -2015,6 +2103,8 @@ Examples:
                 console.error('Scan results are still available locally.');
             }
         }
+        // Community contribution: share anonymized findings with OpenA2A Registry
+        await handleContribution(options.contribute, targetDir, result.findings, options.registryUrl, format);
         // Star prompt (interactive TTY only, text format only)
         if (process.stdout.isTTY) {
             console.log(`${colors.cyan}Helpful?${RESET()} Star the project: https://github.com/opena2a-org/opena2a\n`);
@@ -2270,7 +2360,7 @@ Detects externally exposed:
   • API keys in responses
   • Debug/admin interfaces
 
-Scoring: A (90-100), B (80-89), C (70-79), D (60-69), Needs Improvement (<60)
+Scoring: strong (90-100), good (80-89), moderate (70-79), improving (60-69), needs-attention (<60)
 Exit code 1 if critical/high issues found.
 
 Examples:
@@ -2299,13 +2389,11 @@ Examples:
             return;
         }
         // Print header
-        const gradeColor = result.grade === 'A'
+        const gradeColor = result.grade === 'strong' || result.grade === 'good'
             ? colors.green
-            : result.grade === 'B'
-                ? colors.green
-                : result.grade === 'C'
-                    ? colors.yellow
-                    : colors.red;
+            : result.grade === 'moderate'
+                ? colors.yellow
+                : colors.red;
         console.log(`Target: ${result.target}`);
         console.log(`Score: ${gradeColor}${result.score}/100 (${result.grade})${RESET()}`);
         console.log(`Open Ports: ${result.openPorts.length > 0 ? result.openPorts.join(', ') : 'None detected'}`);
@@ -2435,7 +2523,7 @@ Examples:
     .option('--registry-report', 'Post results to OpenA2A Registry')
     .option('--no-registry', 'Skip auto-publishing results to OpenA2A Registry')
     .option('--version-id <id>', 'Registry version ID to report against')
-    .option('--registry-url <url>', 'Registry URL (default: REGISTRY_URL env)', process.env.REGISTRY_URL || 'https://registry.opena2a.org')
+    .option('--registry-url <url>', 'Registry URL (default: REGISTRY_URL env)', process.env.REGISTRY_URL || 'https://api.oa2a.org')
     .option('--registry-key <key>', 'Registry API key (default: REGISTRY_API_KEY env)')
     .action(async (targetUrl, options) => {
     try {
@@ -2591,7 +2679,7 @@ Examples:
         if (shouldReport) {
             try {
                 const core = await Promise.resolve().then(() => __importStar(require('./index')));
-                const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://registry.opena2a.org';
+                const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org';
                 if (options.versionId) {
                     // Authenticated path: existing behavior (version-id + API key)
                     const registryKey = options.registryKey || process.env.REGISTRY_API_KEY;
@@ -2638,7 +2726,7 @@ Examples:
         else if (options.publish && targetType !== 'local') {
             try {
                 const { publishScanResults, formatPublishOutput } = await Promise.resolve().then(() => __importStar(require('./registry/publish')));
-                const regUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://registry.opena2a.org';
+                const regUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org';
                 const packageName = target.url || targetUrl || 'unknown';
                 if (format === 'text') {
                     console.log('\nPublishing results to registry...\n');
@@ -2792,14 +2880,14 @@ function generateAttackHtmlReport(report) {
     // Risk grade based on score
     const getGrade = (score) => {
         if (score <= 10)
-            return { letter: 'A', color: '#22c55e' };
+            return { letter: 'strong', color: '#22c55e' };
         if (score <= 25)
-            return { letter: 'B', color: '#84cc16' };
+            return { letter: 'good', color: '#84cc16' };
         if (score <= 50)
-            return { letter: 'C', color: '#eab308' };
+            return { letter: 'moderate', color: '#eab308' };
         if (score <= 70)
-            return { letter: 'D', color: '#f97316' };
-        return { letter: 'F', color: '#ef4444' };
+            return { letter: 'improving', color: '#f97316' };
+        return { letter: 'needs-attention', color: '#ef4444' };
     };
     const grade = getGrade(report.riskScore);
     const ratingColor = {
@@ -2834,6 +2922,10 @@ function generateAttackHtmlReport(report) {
         'context-manipulation': 'CM',
         'mcp-exploitation': 'MCP',
         'a2a-attack': 'A2A',
+        'memory-weaponization': 'MEM',
+        'context-window': 'CTX',
+        'supply-chain': 'SUP',
+        'tool-shadow': 'SHADOW',
     };
     // Donut chart for attack results
     const donutRadius = 60;
@@ -3069,15 +3161,15 @@ function generateAttackHtmlReport(report) {
       border-bottom: 1px solid var(--border);
     }
     .score-grade {
-      width: 56px;
-      height: 56px;
+      width: 72px;
+      height: 72px;
       border-radius: 12px;
       border: 2px solid;
       display: flex;
       align-items: center;
       justify-content: center;
     }
-    .grade-letter { font-size: 1.75rem; font-weight: 800; }
+    .grade-letter { font-size: 0.65rem; font-weight: 800; text-transform: uppercase; text-align: center; line-height: 1.2; }
     .score-main { flex: 1; }
     .score-pct { font-size: 2rem; font-weight: 700; color: var(--text-primary); line-height: 1; }
     .score-label { font-size: 0.75rem; color: var(--text-muted); text-transform: uppercase; letter-spacing: 0.05em; margin-top: 0.25rem; }
@@ -3524,6 +3616,7 @@ function generateAttackHtmlReport(report) {
 }
 // --- fix-all: Run all OpenClaw plugins to scan and remediate ---
 const credvault_1 = require("./plugins/credvault");
+const secretless_1 = require("./plugins/secretless");
 const signcrypt_1 = require("./plugins/signcrypt");
 const skillguard_1 = require("./plugins/skillguard");
 const aim_core_1 = require("@opena2a/aim-core");
@@ -3539,27 +3632,35 @@ program
     .description(`Run all OpenA2A security plugins to scan and auto-fix agent issues
 
 Runs the full plugin suite in order:
-  1. SkillGuard  — hash pinning, tamper detection, dangerous patterns
-  2. SignCrypt   — Ed25519 signing, heartbeat hash pins
-  3. CredVault   — credential detection, env var replacement
+  1. Credential Protection     — find hardcoded secrets, replace with env vars
+  2. AI Visibility Protection  — block .env from AI tools, encrypt MCP keys
+  3. File Signing              — sign skills and heartbeats with Ed25519
+  4. Skill Safety Scanner      — detect dangerous patterns, pin hashes
 
 Each plugin scans for findings, then auto-fixes what it can.
 Dangerous patterns (reverse shells, exfil, etc.) require manual review.
 
+Step 2 requires secretless-ai (npm install -g secretless-ai). If not
+installed, the plugin reports this and continues with the remaining steps.
+
+Use --with-aim to create a cryptographic identity for your agent.
+This enables automatic file signing, audit logging, and trust scoring
+so you don't need to manage keys or track files manually.
+
 Exit code 1 if critical/high issues remain after fixing.
 
 Examples:
   $ hackmyagent fix-all                     Scan and fix current directory
   $ hackmyagent fix-all ./my-agent          Scan specific directory
+  $ hackmyagent fix-all --with-aim          Create identity + sign + audit (recommended)
   $ hackmyagent fix-all --dry-run           Preview fixes without applying
   $ hackmyagent fix-all --scan-only         Scan without fixing
-  $ hackmyagent fix-all --json              JSON output for CI
-  $ hackmyagent fix-all --with-aim          Enable AIM identity and audit`)
+  $ hackmyagent fix-all --json              JSON output for CI`)
     .argument('[directory]', 'Agent directory to scan (default: current directory)', '')
     .option('--dry-run', 'Preview fixes without applying them')
     .option('--scan-only', 'Only scan, do not fix')
     .option('--json', 'Output as JSON (for scripting/CI)')
-    .option('--with-aim', 'Initialize AIM Core for identity-aware audit logging')
+    .option('--with-aim', 'Create agent identity for automatic signing, audit logging, and trust scoring')
     .option('-v, --verbose', 'Show all findings including passed plugins')
     .action(async (directory, options) => {
     try {
@@ -3607,12 +3708,15 @@ Examples:
             });
         }
         // Create and initialize plugins in execution order
-        // Order matters: CredVault replaces creds, SignCrypt signs skills,
-        // SkillGuard pins last so hashes reflect the final file state.
+        // 1. CredVault finds hardcoded secrets, replaces with ${VAR}
+        // 2. Secretless blocks .env from AI visibility (completes the credential lifecycle)
+        // 3. SignCrypt signs skill and heartbeat files
+        // 4. SkillGuard pins hashes last so they reflect the final file state
         const pluginFactories = [
-            { name: 'CredVault', create: credvault_1.createPlugin },
-            { name: 'SignCrypt', create: signcrypt_1.createPlugin },
-            { name: 'SkillGuard', create: skillguard_1.createPlugin },
+            { name: 'Credential Protection', create: credvault_1.createPlugin },
+            { name: 'AI Visibility Protection', create: secretless_1.createPlugin },
+            { name: 'File Signing', create: signcrypt_1.createPlugin },
+            { name: 'Skill Safety Scanner', create: skillguard_1.createPlugin },
         ];
         const plugins = [];
         for (const factory of pluginFactories) {
@@ -3818,16 +3922,6 @@ Examples:
         process.exit(1);
     }
 });
-// Grade display colors
-function gradeColor(grade) {
-    switch (grade) {
-        case 'A': return colors.green;
-        case 'B': return colors.green;
-        case 'C': return colors.yellow;
-        case 'D': return colors.red;
-        case 'F': return colors.brightRed;
-    }
-}
 function levelColor(level) {
     switch (level) {
         case 'hardened': return colors.green;
@@ -3906,7 +4000,9 @@ Examples:
     .option('--fail-below <score>', 'Exit 1 if score below threshold (0-100)')
     .option('--deep', 'Enable LLM semantic analysis for ambiguous controls (requires claude CLI or ANTHROPIC_API_KEY)')
     .option('--publish', 'Push scan results to the OpenA2A Registry')
-    .option('--registry-url <url>', 'Registry URL (default: REGISTRY_URL env)', process.env.REGISTRY_URL || 'https://registry.opena2a.org')
+    .option('--registry-url <url>', 'Registry URL (default: REGISTRY_URL env)', process.env.REGISTRY_URL || 'https://api.oa2a.org')
+    .option('--contribute', 'Share anonymized scan findings with OpenA2A Registry (overrides config)')
+    .option('--no-contribute', 'Do not share findings for this scan (overrides config)')
     .action(async (directory, options) => {
     try {
         const targetDir = directory.startsWith('/') ? directory : process.cwd() + '/' + directory;
@@ -3929,7 +4025,7 @@ Examples:
             if (options.publish) {
                 try {
                     const { publishScanResults } = await Promise.resolve().then(() => __importStar(require('./registry/publish')));
-                    const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://registry.opena2a.org';
+                    const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org';
                     const packageName = resolvePackageName(targetDir);
                     if (packageName) {
                         const publishData = {
@@ -4043,7 +4139,7 @@ Examples:
         if (options.publish) {
             try {
                 const { publishScanResults, formatPublishOutput } = await Promise.resolve().then(() => __importStar(require('./registry/publish')));
-                const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://registry.opena2a.org';
+                const registryUrl = options.registryUrl || process.env.REGISTRY_URL || 'https://api.oa2a.org';
                 const packageName = resolvePackageName(targetDir);
                 if (!packageName) {
                     process.stderr.write('Could not determine package name. Publish requires a package.json with a name field.\n');
@@ -4070,6 +4166,9 @@ Examples:
                 process.stderr.write('Scan results are still available locally.\n');
             }
         }
+        // Community contribution: share anonymized findings with OpenA2A Registry
+        const soulFormat = options.json ? 'json' : 'text';
+        await handleSoulContribution(options.contribute, targetDir, result, options.registryUrl, soulFormat);
         // Check fail threshold
         if (options.failBelow) {
             const threshold = parseInt(options.failBelow, 10);
@@ -4175,5 +4274,321 @@ Examples:
         process.exit(1);
     }
 });
+// ---------------------------------------------------------------------------
+// trust — Trust verification via OpenA2A Registry (powered by ai-trust)
+// ---------------------------------------------------------------------------
+const REGISTRY_DEFAULT_URL = 'https://api.oa2a.org';
+async function trustCheck(name, registryUrl, type) {
+    const params = new URLSearchParams({ name, includeProfile: 'true', includeDeps: 'true' });
+    if (type)
+        params.set('type', type);
+    const url = `${registryUrl}/api/v1/trust/query?${params.toString()}`;
+    const res = await fetch(url, {
+        method: 'GET',
+        headers: { 'Accept': 'application/json', 'User-Agent': `hackmyagent/${index_1.VERSION}` },
+    });
+    if (!res.ok) {
+        if (res.status === 404) {
+            throw new Error(`Package "${name}" not found in the OpenA2A Registry.`);
+        }
+        const body = await res.text();
+        throw new Error(`Registry API returned ${res.status}: ${body}`);
+    }
+    const data = (await res.json());
+    data.found = !!data.packageId;
+    return data;
+}
+async function trustBatch(packages, registryUrl) {
+    const url = `${registryUrl}/api/v1/trust/batch`;
+    const res = await fetch(url, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'Accept': 'application/json',
+            'User-Agent': `hackmyagent/${index_1.VERSION}`,
+        },
+        body: JSON.stringify({ packages }),
+    });
+    if (!res.ok) {
+        if (res.status === 404) {
+            throw new Error('Registry batch endpoint not found. The registry may be unavailable.');
+        }
+        const body = await res.text();
+        throw new Error(`Registry API returned ${res.status}: ${body}`);
+    }
+    const raw = (await res.json());
+    const NULL_UUID = '00000000-0000-0000-0000-000000000000';
+    for (const r of raw.results) {
+        r.found = !!r.packageId && r.packageId !== NULL_UUID;
+    }
+    const found = raw.results.filter((r) => r.found).length;
+    return {
+        results: raw.results,
+        meta: { total: raw.total, found, notFound: raw.total - found },
+    };
+}
+function trustLevelLabel(level) {
+    switch (level) {
+        case 0: return 'Blocked';
+        case 1: return 'Warning';
+        case 2: return 'Listed';
+        case 3: return 'Scanned';
+        case 4: return 'Verified';
+        default: return `Unknown (${level})`;
+    }
+}
+function trustLevelColor(level) {
+    if (level >= 3)
+        return colors.green;
+    if (level >= 1)
+        return colors.yellow;
+    return colors.red;
+}
+function trustVerdictColor(verdict) {
+    switch (verdict) {
+        case 'safe': return colors.green;
+        case 'warning': return colors.yellow;
+        case 'blocked': return colors.red;
+        default: return colors.dim;
+    }
+}
+function formatTrustCheck(answer) {
+    if (!answer.found) {
+        return [
+            '',
+            `  ${answer.name}`,
+            `  ${colors.dim}Type: ${answer.packageType || 'unknown'}${colors.reset}`,
+            `  ${colors.dim}Status: Not found in registry${colors.reset}`,
+            '',
+        ].join('\n');
+    }
+    const vc = trustVerdictColor(answer.verdict);
+    const tc = trustLevelColor(answer.trustLevel);
+    const lines = [
+        '',
+        `  ${answer.name}`,
+        `  Type:           ${answer.packageType || 'unknown'}`,
+        `  Verdict:        ${vc}${answer.verdict.toUpperCase()}${colors.reset}`,
+        `  Trust Level:    ${tc}${trustLevelLabel(answer.trustLevel)}${colors.reset} (${answer.trustLevel}/4)`,
+        `  Trust Score:    ${Math.round(answer.trustScore * 100)}/100`,
+        `  Scan Status:    ${answer.scanStatus || 'unknown'}`,
+    ];
+    if (answer.dependencies && answer.dependencies.totalDeps > 0) {
+        const deps = answer.dependencies;
+        lines.push('');
+        lines.push('  Dependencies');
+        lines.push(`  Total:          ${deps.totalDeps}`);
+        lines.push(`  Vulnerable:     ${deps.vulnerableDeps > 0 ? colors.red + deps.vulnerableDeps + colors.reset : colors.green + '0' + colors.reset}`);
+        lines.push(`  Min Trust:      ${deps.minTrustLevel}/4`);
+    }
+    lines.push('');
+    return lines.join('\n');
+}
+function formatTrustBatch(response, minTrust) {
+    const lines = [];
+    lines.push('');
+    lines.push(`  Trust Audit: ${response.meta.total} packages queried, ${response.meta.found} found, ${response.meta.notFound} not found`);
+    lines.push('');
+    const nameW = 40, typeW = 14, verdictW = 10, levelW = 12, scoreW = 8, scanW = 10;
+    lines.push('  ' +
+        'PACKAGE'.padEnd(nameW) +
+        'TYPE'.padEnd(typeW) +
+        'VERDICT'.padEnd(verdictW) +
+        'TRUST'.padEnd(levelW) +
+        'SCORE'.padEnd(scoreW) +
+        'SCAN'.padEnd(scanW));
+    lines.push('  ' + '-'.repeat(nameW + typeW + verdictW + levelW + scoreW + scanW));
+    for (const result of response.results) {
+        const vc = trustVerdictColor(result.verdict);
+        const tc = trustLevelColor(result.trustLevel);
+        const name = result.name.length > nameW - 2
+            ? result.name.substring(0, nameW - 5) + '...'
+            : result.name;
+        lines.push('  ' +
+            name.padEnd(nameW) +
+            (result.packageType || '-').padEnd(typeW) +
+            vc + result.verdict.toUpperCase().padEnd(verdictW) + colors.reset +
+            tc + trustLevelLabel(result.trustLevel).padEnd(levelW) + colors.reset +
+            (result.found ? `${Math.round(result.trustScore * 100)}/100` : '-').padEnd(scoreW) +
+            (result.scanStatus || '-').padEnd(scanW));
+    }
+    const belowThreshold = response.results.filter((r) => r.found && r.trustLevel < minTrust);
+    const notFound = response.results.filter((r) => !r.found);
+    lines.push('');
+    if (belowThreshold.length > 0) {
+        lines.push(`  ${colors.yellow}[!] ${belowThreshold.length} package(s) below minimum trust level ${minTrust}:${colors.reset}`);
+        for (const pkg of belowThreshold) {
+            lines.push(`  ${colors.yellow}    - ${pkg.name} (trust level ${pkg.trustLevel}, verdict: ${pkg.verdict})${colors.reset}`);
+        }
+    }
+    if (notFound.length > 0) {
+        lines.push(`  ${colors.dim}[?] ${notFound.length} package(s) not found in registry:${colors.reset}`);
+        for (const pkg of notFound) {
+            lines.push(`  ${colors.dim}    - ${pkg.name}${colors.reset}`);
+        }
+    }
+    if (belowThreshold.length === 0 && notFound.length === 0) {
+        lines.push(`  ${colors.green}All ${response.meta.found} packages meet minimum trust level ${minTrust}.${colors.reset}`);
+    }
+    lines.push('');
+    return lines.join('\n');
+}
+async function parseDepsFile(filePath) {
+    const fs = require('fs');
+    const path = require('path');
+    let content;
+    try {
+        content = fs.readFileSync(filePath, 'utf-8');
+    }
+    catch (err) {
+        if (err && typeof err === 'object' && 'code' in err && err.code === 'ENOENT') {
+            throw new Error(`File not found: ${filePath}`);
+        }
+        throw err;
+    }
+    const fileName = path.basename(filePath);
+    if (fileName === 'package.json') {
+        const pkg = JSON.parse(content);
+        const packages = [];
+        const seen = new Set();
+        for (const deps of [pkg.dependencies, pkg.devDependencies]) {
+            if (!deps)
+                continue;
+            for (const name of Object.keys(deps)) {
+                if (!seen.has(name)) {
+                    seen.add(name);
+                    packages.push({ name });
+                }
+            }
+        }
+        return packages;
+    }
+    if (fileName === 'requirements.txt') {
+        const packages = [];
+        const seen = new Set();
+        for (const rawLine of content.split('\n')) {
+            const line = rawLine.trim();
+            if (!line || line.startsWith('#') || line.startsWith('-'))
+                continue;
+            const match = line.match(/^([a-zA-Z0-9_-]+(?:\[[a-zA-Z0-9_,-]+\])?)/);
+            if (match) {
+                const name = match[1].replace(/\[.*\]/, '');
+                if (!seen.has(name)) {
+                    seen.add(name);
+                    packages.push({ name });
+                }
+            }
+        }
+        return packages;
+    }
+    throw new Error(`Unsupported dependency file: ${fileName}. Supported: package.json, requirements.txt`);
+}
+program
+    .command('trust')
+    .description(`Check trust level for AI packages before installing
+
+Query the OpenA2A Registry to verify trust scores, vulnerability status,
+and dependency risk for MCP servers, A2A agents, and AI tools.
+
+Modes:
+  trust <package>           Single package lookup
+  trust --audit <file>      Audit a dependency file (package.json, requirements.txt)
+  trust --batch pkg1 pkg2   Batch lookup for multiple packages
+
+Examples:
+  $ ${CLI_PREFIX} trust @anthropic/claude-mcp
+  $ ${CLI_PREFIX} trust server-filesystem          (resolves to @modelcontextprotocol/server-filesystem)
+  $ ${CLI_PREFIX} trust mcp-server-fetch            (resolves to @modelcontextprotocol/server-fetch)
+  $ ${CLI_PREFIX} trust my-mcp-server --type mcp_server
+  $ ${CLI_PREFIX} trust --audit package.json
+  $ ${CLI_PREFIX} trust --audit requirements.txt --min-trust 3
+  $ ${CLI_PREFIX} trust --batch langchain openai anthropic`)
+    .argument('[package]', 'Package name to look up')
+    .option('-t, --type <type>', 'Package type (mcp_server, a2a_agent, ai_tool, etc.)')
+    .option('--audit <file>', 'Audit a dependency file (package.json or requirements.txt)')
+    .option('--batch <names...>', 'Batch trust lookup for multiple packages')
+    .option('--min-trust <level>', 'Minimum trust level threshold (0-4)', '3')
+    .option('--registry-url <url>', 'Registry base URL', REGISTRY_DEFAULT_URL)
+    .option('--json', 'Output as JSON')
+    .action(async (packageName, opts) => {
+    const registryUrl = opts.registryUrl.replace(/\/+$/, '');
+    const minTrust = parseInt(opts.minTrust, 10);
+    if (isNaN(minTrust) || minTrust < 0 || minTrust > 4) {
+        process.stderr.write('Error: --min-trust must be a number between 0 and 4\n');
+        process.exit(1);
+    }
+    try {
+        // Mode: audit a dependency file
+        if (opts.audit) {
+            const rawPackages = await parseDepsFile(opts.audit);
+            const packages = rawPackages.map((pkg) => ({
+                ...pkg,
+                name: (0, resolve_mcp_1.resolveAndLogMcpShorthand)(pkg.name),
+            }));
+            if (packages.length === 0) {
+                process.stdout.write('No dependencies found in the specified file.\n');
+                return;
+            }
+            if (packages.length > 100) {
+                process.stderr.write(`Error: Too many dependencies (${packages.length}). Maximum 100 per request.\n`);
+                process.exit(1);
+            }
+            const response = await trustBatch(packages, registryUrl);
+            if (opts.json) {
+                writeJsonStdout(response);
+            }
+            else {
+                process.stdout.write(formatTrustBatch(response, minTrust));
+            }
+            const belowThreshold = response.results.some((r) => r.found && r.trustLevel < minTrust);
+            if (belowThreshold)
+                process.exitCode = 1;
+            return;
+        }
+        // Mode: batch lookup
+        if (opts.batch && opts.batch.length > 0) {
+            if (opts.batch.length > 100) {
+                process.stderr.write(`Error: Too many packages (${opts.batch.length}). Maximum 100 per request.\n`);
+                process.exit(1);
+            }
+            const packages = opts.batch.map((name) => ({
+                name: (0, resolve_mcp_1.resolveAndLogMcpShorthand)(name),
+                ...(opts.type ? { type: opts.type } : {}),
+            }));
+            const response = await trustBatch(packages, registryUrl);
+            if (opts.json) {
+                writeJsonStdout(response);
+            }
+            else {
+                process.stdout.write(formatTrustBatch(response, minTrust));
+            }
+            const belowThreshold = response.results.some((r) => r.found && r.trustLevel < minTrust);
+            if (belowThreshold)
+                process.exitCode = 1;
+            return;
+        }
+        // Mode: single package lookup
+        if (!packageName) {
+            process.stderr.write(`Error: Provide a package name or use --audit/--batch.\n`);
+            process.stderr.write(`Usage: ${CLI_PREFIX} trust <package>\n`);
+            process.exit(1);
+        }
+        packageName = (0, resolve_mcp_1.resolveAndLogMcpShorthand)(packageName);
+        const result = await trustCheck(packageName, registryUrl, opts.type);
+        if (opts.json) {
+            writeJsonStdout(result);
+        }
+        else {
+            process.stdout.write(formatTrustCheck(result));
+        }
+        if (result.found && (result.verdict === 'blocked' || result.verdict === 'warning')) {
+            process.exitCode = 1;
+        }
+    }
+    catch (error) {
+        process.stderr.write(`Error: ${error instanceof Error ? error.message : 'Unknown error'}\n`);
+        process.exit(1);
+    }
+});
 program.parse();
 //# sourceMappingURL=cli.js.map