hackmyagent 0.16.7 → 0.17.1

package/dist/cli.js

@@ -112,15 +112,21 @@ const noColorEnv = process.env.NO_COLOR !== undefined || !process.stdout.isTTY;
 // Color codes - will be cleared if --no-color is passed
 let colors = {
     green: '\x1b[32m',
+    brightGreen: '\x1b[92m',
     yellow: '\x1b[33m',
     red: '\x1b[31m',
     brightRed: '\x1b[91m',
     cyan: '\x1b[36m',
+    blue: '\x1b[34m',
+    magenta: '\x1b[35m',
     dim: '\x1b[2m',
+    bold: '\x1b[1m',
+    white: '\x1b[97m',
+    underline: '\x1b[4m',
     reset: '\x1b[0m',
 };
 if (noColorEnv) {
-    colors = { green: '', yellow: '', red: '', brightRed: '', cyan: '', dim: '', reset: '' };
+    colors = { green: '', brightGreen: '', yellow: '', red: '', brightRed: '', cyan: '', blue: '', magenta: '', dim: '', bold: '', white: '', underline: '', reset: '' };
 }
 // Deprecation warning for removed HMAC auth
 if (process.env.HMA_COMMUNITY_SECRET) {
@@ -128,36 +134,29 @@ if (process.env.HMA_COMMUNITY_SECRET) {
 }
 program
     .name('hackmyagent')
-    .description(`Find it. Break it. Fix it.
+    .description(`Security scanner for AI agents. ${CHECK_COUNT} checks, ${index_1.PAYLOAD_STATS.total} attack payloads, auto-fix.
 
-The hacker's toolkit for AI agents. ${CHECK_COUNT} security checks, ${index_1.PAYLOAD_STATS.total} attack
-payloads, auto-fix with rollback, and OASB benchmark compliance.
-
-Documentation: https://hackmyagent.com/docs
-
-Updates (v${index_1.VERSION}):
-  - 10 new static analysis patterns (NEMO series)
-  - Community trust contributions
-  - ${CHECK_COUNT} checks across 60 categories
+Scan before you install. Harden before you deploy. Red-team before you ship.
 
 Examples:
-  $ hackmyagent secure                         Find vulnerabilities (${CHECK_COUNT} checks)
-  $ hackmyagent attack --local                 Break it with ${index_1.PAYLOAD_STATS.total} attack payloads
-  $ hackmyagent secure --fix                   Fix issues automatically
-  $ hackmyagent fix-all                        Run all security plugins
-  $ hackmyagent scan example.com               Scan external infrastructure`)
-    .version('hackmyagent ' + index_1.VERSION, '-v, --version', 'Output the version number')
+  $ hackmyagent check <package>                Is this package safe to install?
+  $ hackmyagent secure                         Full project scan (${CHECK_COUNT} checks)
+  $ hackmyagent secure --fix                   Auto-fix with rollback
+  $ hackmyagent attack --local                 Red-team with ${index_1.PAYLOAD_STATS.total} payloads
+  $ hackmyagent scan-soul                      Governance compliance scan
+  $ hackmyagent scan example.com               External infrastructure scan`)
+    .version(`hackmyagent ${index_1.VERSION} — security scanner for AI agents`, '-v, --version', 'Output the version number')
     .option('--no-color', 'Disable colored output (also respects NO_COLOR env)');
 program.addHelpText('beforeAll', `
 Quick start:
+  $ hackmyagent check <package>     Is this safe to install?
   $ hackmyagent secure              Scan current directory (${CHECK_COUNT} checks)
-  $ hackmyagent fix-all --with-aim  Auto-fix + create agent identity
-  $ hackmyagent attack              Red-team your agent
+  $ hackmyagent secure --fix        Auto-fix with rollback
 `);
 program.hook('preAction', (thisCommand) => {
     const opts = thisCommand.opts();
     if (opts.color === false) {
-        colors = { green: '', yellow: '', red: '', brightRed: '', cyan: '', dim: '', reset: '' };
+        colors = { green: '', brightGreen: '', yellow: '', red: '', brightRed: '', cyan: '', blue: '', magenta: '', dim: '', bold: '', white: '', underline: '', reset: '' };
     }
 });
 // Risk level colors and symbols
@@ -172,37 +171,44 @@ program
     .command('check')
     .description(`Check if a package, repo, or skill is safe
 
-Accepts npm packages, GitHub repos, local paths, or skill identifiers:
-  • npm package: queries the registry; downloads + scans (${CHECK_COUNT} checks + NanoMind) if data is missing or stale (>${STALE_SCAN_DAYS}d)
-  • PyPI package: downloads + scans (${CHECK_COUNT} checks + NanoMind)
-  • GitHub repo: queries the registry; shallow clones + scans if data is missing or stale (>${STALE_SCAN_DAYS}d)
-  • Local path: runs NanoMind semantic analysis
-  • Skill identifier: verifies publisher, permissions, revocation
+Downloads + scans (${CHECK_COUNT} checks + NanoMind) by default, with trust context from the OpenA2A registry.
+
+Accepts:
+  • npm package: hackmyagent check express
+  • PyPI package: hackmyagent check pip:requests
+  • GitHub repo:  hackmyagent check getsentry/sentry-mcp
+  • Local path:   hackmyagent check ./my-agent/
+  • Skill:        hackmyagent check @publisher/skill
+  • URL:          hackmyagent check https://example.com/agent-v1.tar.gz
 
-Use --rescan to skip the registry cache and force a fresh local scan.
+Output includes: verdict, security score, findings with fix commands, registry trust context, and path forward for recovery.
 
 Risk levels: low, medium, high, critical
 Exit code 1 if high/critical risk detected.
 
 Examples:
-  $ hackmyagent check express
-  $ hackmyagent check @modelcontextprotocol/server-filesystem
-  $ hackmyagent check @sentry/mcp-server --rescan
-  $ hackmyagent check modelcontextprotocol/servers
-  $ hackmyagent check https://github.com/punkpeye/awesome-mcp-servers
-  $ hackmyagent check ./my-agent/
-  $ hackmyagent check @publisher/skill --verbose
-  $ hackmyagent check pip:requests
-  $ hackmyagent check pypi:flask
-  $ hackmyagent check modelcontextprotocol/servers --json
-  $ hackmyagent check https://gitlab.com/org/repo
-  $ hackmyagent check https://example.com/agent-v1.tar.gz`)
+  $ hackmyagent check @sentry/mcp-server
+  $ hackmyagent check pip:flask
+  $ hackmyagent check getsentry/sentry-mcp --verbose
+  $ hackmyagent check ./my-agent/ --json
+  $ hackmyagent check express --no-scan    # registry only (fast)
+  $ hackmyagent check express --no-registry # offline mode`)
     .argument('<target>', 'npm package, PyPI package (pip: or pypi: prefix), local path, GitHub repo, or skill identifier')
-    .option('-v, --verbose', 'Show detailed verification info')
+    .option('-v, --verbose', 'Show detailed verification info (check IDs, categories)')
     .option('--json', 'Output as JSON (for scripting/CI)')
-    .option('--offline', 'Skip DNS verification (offline mode)')
-    .option('--rescan', 'Force a fresh local scan, bypassing cached registry data')
+    .option('--no-scan', 'Registry only, skip local scan (fast mode for CI)')
+    .option('--no-registry', 'Local scan only, skip registry lookup (offline mode)')
+    .option('--offline', 'Alias for --no-registry')
+    .option('--rescan', 'Deprecated: local scan is now the default')
     .action(async (skill, options) => {
+    // Commander parses --no-scan as scan:false, --no-registry as registry:false
+    // Normalize: --offline is alias for --no-registry
+    if (options.offline)
+        options.registry = false;
+    // --rescan deprecation
+    if (options.rescan && !options.json && !globalCiMode) {
+        console.error(`${colors.yellow}Note: --rescan is deprecated. Local scan is now the default.${RESET()}`);
+    }
     try {
         // Detect local file/directory paths - run NanoMind scan instead of registry lookup
         const { existsSync, statSync } = await Promise.resolve().then(() => __importStar(require('node:fs')));
@@ -212,7 +218,6 @@ Examples:
         if (isLocalPath) {
             // Local path: run NanoMind semantic analysis directly
             const targetDir = statSync(resolved).isFile() ? dirname(resolved) : resolved;
-            const targetFile = statSync(resolved).isFile() ? resolved : null;
             const { orchestrateNanoMind } = await Promise.resolve().then(() => __importStar(require('./nanomind-core/orchestrate.js')));
             const nmResult = await orchestrateNanoMind(targetDir, [], { silent: !!options.json });
             const issues = nmResult.mergedFindings.filter((f) => !f.passed);
@@ -232,27 +237,16 @@ Examples:
                 });
                 return;
             }
+            displayUnifiedCheck({
+                name: resolved,
+                sourceLabel: 'local',
+                nanomindScan: {
+                    compiledArtifacts: nmResult.compiledArtifacts,
+                    findings: issues,
+                },
+                verbose: !!options.verbose,
+            });
             const risk = critical.length > 0 ? 'critical' : high.length > 0 ? 'high' : issues.length > 0 ? 'medium' : 'low';
-            const riskDisplay = RISK_DISPLAY[risk];
-            console.log(`\n${riskDisplay.color()}${riskDisplay.symbol} ${risk.toUpperCase()} RISK${RESET()}\n`);
-            console.log(`Path: ${resolved}`);
-            console.log(`Semantic analysis: ${nmResult.compiledArtifacts} file(s) analyzed\n`);
-            if (issues.length === 0) {
-                console.log(`${colors.green}No security issues detected.${RESET()}\n`);
-            }
-            else {
-                console.log(`Findings: ${critical.length} critical, ${high.length} high, ${issues.length - critical.length - high.length} other\n`);
-                for (const f of issues.slice(0, 10)) {
-                    const sev = SEVERITY_DISPLAY[f.severity];
-                    console.log(`${sev.color()}${sev.symbol} [${f.checkId}] ${f.description}${RESET()}`);
-                    if (f.fix)
-                        console.log(`  Fix: ${f.fix}`);
-                }
-                if (issues.length > 10)
-                    console.log(`\n  ... and ${issues.length - 10} more`);
-                console.log();
-            }
-            printCheckNextSteps(resolved);
             if (risk === 'critical' || risk === 'high')
                 process.exit(1);
             return;
@@ -273,9 +267,23 @@ Examples:
             return;
         }
         // npm package name: download, run full HMA scan, clean up
+        // On npm 404, fall through to skill check (skill identifiers look like @scope/name)
         if (looksLikeNpmPackage(skill)) {
-            await checkNpmPackage(skill, options);
-            return;
+            try {
+                await checkNpmPackage(skill, options);
+                return;
+            }
+            catch (npmErr) {
+                if (npmErr instanceof Error && npmErr.name === 'NpmNotFoundError') {
+                    // Not on npm — fall through to skill check
+                    if (!options.json && !globalCiMode) {
+                        console.error(`Package "${skill}" not found on npm. Trying as skill identifier...`);
+                    }
+                }
+                else {
+                    throw npmErr; // Re-throw non-404 errors
+                }
+            }
         }
         // --rescan only applies to targets that otherwise hit the registry cache.
         // For skill identifiers we fall through to the registry lookup below.
@@ -366,10 +374,10 @@ Examples:
 });
 // Severity colors and symbols for secure command
 const SEVERITY_DISPLAY = {
-    critical: { symbol: '[!!]', color: () => colors.brightRed },
-    high: { symbol: '[!]', color: () => colors.red },
-    medium: { symbol: '[~]', color: () => colors.yellow },
-    low: { symbol: '[.]', color: () => colors.green },
+    critical: { symbol: '[!!]', label: 'CRITICAL', color: () => colors.brightRed },
+    high: { symbol: '[!]', label: 'HIGH', color: () => colors.red },
+    medium: { symbol: '[~]', label: 'MEDIUM', color: () => colors.yellow },
+    low: { symbol: '[.]', label: 'LOW', color: () => colors.green },
 };
 /**
  * Display check command findings with optional verbose details.
@@ -408,6 +416,378 @@ function displayCheckFindings(failed, verbose) {
         console.log(`\n  ${colors.green}No security issues found.${RESET()}`);
     }
 }
+function stripAnsi(s) {
+    return s.replace(/\x1b\[[0-9;]*m/g, '');
+}
+/** Right-align a value at a fixed column width */
+function rightAlign(left, right, width = 68) {
+    const leftLen = stripAnsi(left).length;
+    const rightLen = stripAnsi(right).length;
+    const pad = Math.max(1, width - leftLen - rightLen);
+    return `${left}${' '.repeat(pad)}${right}`;
+}
+/** Extract the actionable core of a fix/guidance string.
+ *  Takes the first sentence, strips file path prefixes that duplicate
+ *  the finding header, and wraps at terminal width. Never truncates with "...".
+ */
+function cleanFixText(text, fileAlreadyShown) {
+    // Take first meaningful line (skip blank lines)
+    let line = text.split('\n').map(l => l.trim()).filter(Boolean)[0] || text;
+    // Strip "In <file>," prefix when file is already shown in the finding header
+    if (fileAlreadyShown) {
+        const escapedFile = fileAlreadyShown.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+        line = line.replace(new RegExp(`^In ${escapedFile},?\\s*`, 'i'), '');
+        // Capitalize first letter after stripping
+        if (line.length > 0)
+            line = line[0].toUpperCase() + line.slice(1);
+    }
+    return line;
+}
+/** Shorten a file path for display — show filename + parent dir only */
+function shortenPath(filePath) {
+    const parts = filePath.split('/');
+    if (parts.length <= 2)
+        return filePath;
+    return parts.slice(-2).join('/');
+}
+function displayUnifiedCheck(opts) {
+    const { name, sourceLabel, projectType, localScan, registry, verbose, version, nanomindScan } = opts;
+    // ── Visual helpers ──────────────────────────────────────────────────
+    const METER_WIDTH = 20;
+    const divider = (label) => {
+        if (label) {
+            console.log(`\n  ${colors.dim}──${RESET()} ${colors.bold}${label}${RESET()} ${colors.dim}${'─'.repeat(Math.max(1, 56 - label.length))}${RESET()}`);
+        }
+        else {
+            console.log(`  ${colors.dim}${'─'.repeat(62)}${RESET()}`);
+        }
+    };
+    const scoreMeter = (value, max = 100) => {
+        const pct = Math.round((value / max) * METER_WIDTH);
+        const meterColor = value >= 70 ? colors.green : value >= 40 ? colors.yellow : colors.red;
+        const filled = '━'.repeat(pct);
+        const empty = '━'.repeat(METER_WIDTH - pct);
+        return `${meterColor}${filled}${RESET()}${colors.dim}${empty}${RESET()} ${meterColor}${colors.bold}${value}${RESET()}${colors.dim}/${max}${RESET()}`;
+    };
+    const sevBadge = (sev) => {
+        const d = SEVERITY_DISPLAY[sev];
+        return `${d.color()}${colors.bold}${d.label}${RESET()}`;
+    };
+    // ── Compute findings ────────────────────────────────────────────────
+    let failed = [];
+    let score = 0;
+    let maxScore = 100;
+    let critical = 0, high = 0, medium = 0, low = 0;
+    if (localScan) {
+        failed = localScan.findings.filter(f => !f.passed);
+        score = localScan.score;
+        maxScore = localScan.maxScore;
+        critical = failed.filter(f => f.severity === 'critical').length;
+        high = failed.filter(f => f.severity === 'high').length;
+        medium = failed.filter(f => f.severity === 'medium').length;
+        low = failed.filter(f => f.severity === 'low').length;
+    }
+    else if (nanomindScan) {
+        const issues = nanomindScan.findings.filter(f => !f.passed);
+        critical = issues.filter(f => f.severity === 'critical').length;
+        high = issues.filter(f => f.severity === 'high').length;
+        medium = issues.filter(f => f.severity === 'medium').length;
+        low = issues.filter(f => f.severity === 'low').length;
+        failed = issues.map(f => ({
+            checkId: f.checkId || '',
+            name: f.name || f.description || '',
+            description: f.description || '',
+            category: f.category || '',
+            severity: f.severity,
+            passed: false,
+            message: f.message || f.description || '',
+            fixable: false,
+            file: f.file,
+            line: f.line,
+            fix: f.fix,
+            guidance: f.guidance,
+            attackClass: f.attackClass,
+        }));
+        // Use the canonical scoring formula (exponential decay + 0.4x governance weight)
+        const scoreResult = (0, index_1.calculateSecurityScore)(issues);
+        score = scoreResult.score;
+        maxScore = scoreResult.maxScore;
+    }
+    else if (registry?.found) {
+        score = Math.round(registry.trustScore * 100);
+        maxScore = 100;
+    }
+    const totalFindings = critical + high + medium + low;
+    // ── Header ──────────────────────────────────────────────────────────
+    const typeLabel = (registry?.packageType || projectType || 'unknown').replace(/_/g, ' ');
+    const meta = [typeLabel];
+    if (version)
+        meta.unshift(`v${version}`);
+    if (sourceLabel)
+        meta.push(sourceLabel);
+    if (nanomindScan)
+        meta.push(`${nanomindScan.compiledArtifacts} files analyzed`);
+    if (localScan?.filesScanned)
+        meta.push(`${localScan.filesScanned} files scanned`);
+    console.log();
+    console.log(`  ${colors.bold}${colors.white}${name}${RESET()}  ${colors.dim}${meta.join(' · ')}${RESET()}`);
+    // ── Verdict + Score ─────────────────────────────────────────────────
+    if (localScan || nanomindScan) {
+        let verdictText;
+        let verdictColor;
+        if (critical > 0) {
+            verdictColor = colors.brightRed;
+            verdictText = `${critical} critical issue${critical > 1 ? 's' : ''} found`;
+        }
+        else if (high > 0) {
+            verdictColor = colors.red;
+            verdictText = `${high} high-severity issue${high > 1 ? 's' : ''} found`;
+        }
+        else if (totalFindings > 0) {
+            verdictColor = colors.yellow;
+            verdictText = `${totalFindings} issue${totalFindings > 1 ? 's' : ''} found`;
+        }
+        else {
+            verdictColor = colors.green;
+            verdictText = 'No security issues found';
+        }
+        console.log(`  ${verdictColor}${colors.bold}${verdictText}${RESET()}`);
+        console.log();
+        console.log(`  Security  ${scoreMeter(score, maxScore)}`);
+    }
+    else if (registry?.found) {
+        const normalized = normalizeTrustVerdict(registry.verdict);
+        let verdictText;
+        let verdictColor;
+        if (normalized === 'blocked') {
+            verdictColor = colors.brightRed;
+            verdictText = 'Blocked by registry';
+        }
+        else if (normalized === 'warning') {
+            verdictColor = colors.yellow;
+            verdictText = 'Warning — review before installing';
+        }
+        else {
+            verdictColor = colors.green;
+            verdictText = 'No known issues';
+        }
+        console.log(`  ${verdictColor}${colors.bold}${verdictText}${RESET()}`);
+        console.log();
+        console.log(`  Trust     ${scoreMeter(score, maxScore)}`);
+    }
+    // ── Findings ────────────────────────────────────────────────────────
+    if (failed.length > 0) {
+        // Severity summary as colored pills
+        const summaryParts = [];
+        if (critical > 0)
+            summaryParts.push(`${colors.brightRed}${colors.bold}${critical} critical${RESET()}`);
+        if (high > 0)
+            summaryParts.push(`${colors.red}${colors.bold}${high} high${RESET()}`);
+        if (medium > 0)
+            summaryParts.push(`${colors.yellow}${medium} medium${RESET()}`);
+        if (low > 0)
+            summaryParts.push(`${colors.dim}${low} low${RESET()}`);
+        divider('Findings');
+        console.log(`  ${summaryParts.join('  ')}`);
+        // High-count mode: group by category when > 20 findings
+        if (totalFindings > 20 && !verbose) {
+            const groups = new Map();
+            for (const f of failed) {
+                const key = f.category || f.name || 'Other';
+                if (!groups.has(key))
+                    groups.set(key, { critical: 0, high: 0, medium: 0, low: 0, files: new Set() });
+                const g = groups.get(key);
+                g[f.severity]++;
+                if (f.file)
+                    g.files.add(f.file.split('/')[0] || f.file);
+            }
+            const sorted = [...groups.entries()].sort((a, b) => {
+                const wa = a[1].critical * 4 + a[1].high * 3 + a[1].medium * 2 + a[1].low;
+                const wb = b[1].critical * 4 + b[1].high * 3 + b[1].medium * 2 + b[1].low;
+                return wb - wa;
+            });
+            console.log();
+            for (const [cat, g] of sorted.slice(0, 8)) {
+                const counts = [];
+                if (g.critical > 0)
+                    counts.push(`${colors.brightRed}${g.critical} crit${RESET()}`);
+                if (g.high > 0)
+                    counts.push(`${colors.red}${g.high} high${RESET()}`);
+                if (g.medium > 0)
+                    counts.push(`${colors.dim}${g.medium} med${RESET()}`);
+                if (g.low > 0)
+                    counts.push(`${colors.dim}${g.low} low${RESET()}`);
+                const fileHint = g.files.size <= 3 ? `  ${colors.dim}${[...g.files].join(', ')}${RESET()}` : '';
+                console.log(`  ${colors.dim}│${RESET()} ${cat.padEnd(26)} ${counts.join(', ')}${fileHint}`);
+            }
+            if (sorted.length > 8) {
+                console.log(`  ${colors.dim}│ + ${sorted.length - 8} more categories${RESET()}`);
+            }
+            // Top 3 issues with full detail
+            divider('Top Issues');
+            const topFindings = [...failed]
+                .sort((a, b) => {
+                const sw = { critical: 4, high: 3, medium: 2, low: 1 };
+                return (sw[b.severity] || 0) - (sw[a.severity] || 0);
+            })
+                .slice(0, 3);
+            for (const f of topFindings) {
+                const shortFile = f.file ? shortenPath(f.file) : '';
+                const loc = shortFile + (f.line ? `:${f.line}` : '');
+                const borderColor = SEVERITY_DISPLAY[f.severity].color();
+                console.log();
+                console.log(`  ${borderColor}│${RESET()} ${sevBadge(f.severity)}  ${colors.bold}${colors.white}${f.name || f.message}${RESET()}`);
+                if (loc)
+                    console.log(`  ${borderColor}│${RESET()} ${colors.dim}${loc}${RESET()}`);
+                if (f.guidance) {
+                    console.log(`  ${borderColor}│${RESET()} ${cleanFixText(f.guidance, f.file)}`);
+                }
+                if (f.fix) {
+                    console.log(`  ${borderColor}│${RESET()} ${colors.cyan}Fix:${RESET()} ${cleanFixText(f.fix, f.file)}`);
+                }
+            }
+        }
+        else {
+            // Normal mode: individual findings sorted by severity, with collapse
+            const sevWeight = { critical: 4, high: 3, medium: 2, low: 1 };
+            failed.sort((a, b) => (sevWeight[b.severity] || 0) - (sevWeight[a.severity] || 0));
+            const skipped = new Set();
+            let shown = 0;
+            const limit = verbose ? failed.length : 10;
+            for (let i = 0; i < failed.length; i++) {
+                if (shown >= limit)
+                    break;
+                if (skipped.has(i))
+                    continue;
+                const f = failed[i];
+                const shortFile = f.file ? shortenPath(f.file) : '';
+                const loc = shortFile + (f.line ? `:${f.line}` : '');
+                const borderColor = SEVERITY_DISPLAY[f.severity].color();
+                console.log();
+                console.log(`  ${borderColor}│${RESET()} ${sevBadge(f.severity)}  ${colors.bold}${colors.white}${f.name || f.message}${RESET()}`);
+                if (loc)
+                    console.log(`  ${borderColor}│${RESET()} ${colors.dim}${loc}${RESET()}`);
+                if (f.guidance) {
+                    console.log(`  ${borderColor}│${RESET()} ${cleanFixText(f.guidance, f.file)}`);
+                }
+                if (f.fix) {
+                    console.log(`  ${borderColor}│${RESET()} ${colors.cyan}Fix:${RESET()} ${cleanFixText(f.fix, f.file)}`);
+                }
+                if (verbose) {
+                    if (f.checkId)
+                        console.log(`  ${borderColor}│${RESET()} ${colors.dim}Check: ${f.checkId}${RESET()}`);
+                    if (f.category)
+                        console.log(`  ${borderColor}│${RESET()} ${colors.dim}Category: ${f.category}${RESET()}`);
+                }
+                shown++;
+                // Collapse similar
+                if (!verbose) {
+                    const dir = f.file?.split('/').slice(0, -1).join('/') || '';
+                    let similarCount = 0;
+                    for (let j = i + 1; j < failed.length; j++) {
+                        if (skipped.has(j))
+                            continue;
+                        const other = failed[j];
+                        if (other.name === f.name) {
+                            const otherDir = other.file?.split('/').slice(0, -1).join('/') || '';
+                            if (otherDir === dir) {
+                                skipped.add(j);
+                                similarCount++;
+                            }
+                        }
+                    }
+                    if (similarCount > 0) {
+                        console.log(`  ${borderColor}│${RESET()} ${colors.dim}+ ${similarCount} similar${dir ? ` in ${shortenPath(dir)}` : ''}${RESET()}`);
+                    }
+                }
+            }
+            const remaining = failed.length - shown - skipped.size;
+            if (remaining > 0) {
+                console.log(`\n  ${colors.dim}+ ${remaining} more findings (use --verbose to see all)${RESET()}`);
+            }
+        }
+        // Path forward with recovery math
+        if (critical > 0 || high > 0) {
+            const recoveryParts = [];
+            if (critical > 0)
+                recoveryParts.push(`${critical} critical`);
+            if (high > 0)
+                recoveryParts.push(`${high} high`);
+            // Estimate recovered score: governance findings recover less per fix
+            const govFindings = failed.filter(f => {
+                const cat = (f.category || '').toLowerCase();
+                const id = f.checkId || '';
+                return cat === 'governance' || cat === 'injection-hardening' || cat === 'trust-hierarchy'
+                    || id.startsWith('AST-GOV') || id.startsWith('AST-GOVERN')
+                    || id.startsWith('AST-PROMPT') || id.startsWith('AST-HEARTBEAT');
+            });
+            const isGovernanceOnly = govFindings.length === failed.length;
+            const estRecovery = isGovernanceOnly
+                ? Math.min(100, score + (critical * 8 + high * 5))
+                : Math.min(100, score + (critical * 15 + high * 8));
+            console.log();
+            console.log(`  ${colors.cyan}${colors.bold}Path forward:${RESET()} ${colors.cyan}${score} ${colors.dim}->${RESET()} ${colors.green}${colors.bold}${estRecovery}${RESET()} ${colors.cyan}by fixing ${recoveryParts.join(' + ')}${RESET()}`);
+        }
+    }
+    // ── Registry ────────────────────────────────────────────────────────
+    if (registry?.found) {
+        const trustScore = Math.round(registry.trustScore * 100);
+        if (localScan || nanomindScan) {
+            divider('Registry');
+            console.log(`  Trust     ${scoreMeter(trustScore)}`);
+        }
+        const tlColor = trustLevelColor(registry.trustLevel);
+        const tlLabel = trustLevelLabel(registry.trustLevel);
+        console.log(`  Level     ${tlColor}${colors.bold}${tlLabel}${RESET()} ${colors.dim}(${registry.trustLevel}/4)${RESET()}`);
+        if (registry.communityScans !== undefined) {
+            console.log(`  Community ${registry.communityScans > 0 ? colors.green : colors.dim}${registry.communityScans} scan${registry.communityScans !== 1 ? 's' : ''} shared${RESET()}`);
+        }
+        if (registry.cveCount !== undefined && registry.cveCount > 0) {
+            console.log(`  CVEs      ${colors.brightRed}${colors.bold}${registry.cveCount}${RESET()}`);
+        }
+        if (registry.dependencies) {
+            const d = registry.dependencies;
+            const depParts = [];
+            if (d.totalDeps !== undefined)
+                depParts.push(`${d.totalDeps} total`);
+            if (d.vulnerableDeps !== undefined && d.vulnerableDeps > 0)
+                depParts.push(`${colors.red}${d.vulnerableDeps} vulnerable${RESET()}`);
+            if (d.minTrustLevel !== undefined)
+                depParts.push(`min trust ${d.minTrustLevel}/4`);
+            if (depParts.length > 0) {
+                console.log(`  Deps      ${depParts.join(`${colors.dim} · ${RESET()}`)}`);
+            }
+        }
+        // Trust level legend (when not fully verified)
+        if (registry.trustLevel < 4) {
+            const levels = ['Blocked', 'Warning', 'Listed', 'Scanned', 'Verified'];
+            const legend = levels.map((l, i) => {
+                if (i === registry.trustLevel)
+                    return `${tlColor}${colors.bold}${l}${RESET()}`;
+                if (i < registry.trustLevel)
+                    return `${colors.dim}${l}${RESET()}`;
+                return `${colors.dim}${l}${RESET()}`;
+            }).join(`${colors.dim} > ${RESET()}`);
+            console.log(`  ${colors.dim}${legend}${RESET()}`);
+        }
+    }
+    // ── Next steps ──────────────────────────────────────────────────────
+    const hasGovIssues = failed.some(f => f.category === 'governance' || f.category === 'Governance' || f.checkId?.startsWith('AST-GOV') || f.checkId?.startsWith('AST-PROMPT'));
+    const hasCredIssues = failed.some(f => f.checkId?.startsWith('CRED-') || f.name?.toLowerCase().includes('credential') || f.name?.toLowerCase().includes('api key') || f.name?.toLowerCase().includes('hardcoded'));
+    const hasCodeVulns = failed.some(f => {
+        const cat = (f.category || '').toLowerCase();
+        return cat !== 'governance' && cat !== 'injection-hardening' && cat !== 'trust-hierarchy'
+            && !f.checkId?.startsWith('AST-GOV') && !f.checkId?.startsWith('AST-GOVERN')
+            && !f.checkId?.startsWith('AST-PROMPT') && !f.checkId?.startsWith('AST-HEARTBEAT');
+    });
+    printCheckNextSteps(name, {
+        hasGovernanceIssues: hasGovIssues,
+        hasFindings: totalFindings > 0,
+        hasCredentialFindings: hasCredIssues,
+        hasCodeVulns,
+        isCleanScan: totalFindings === 0 && (!!localScan || !!nanomindScan),
+    });
+}
 function groupFindingsBySeverity(findings) {
     const grouped = {
         critical: [],
@@ -2862,7 +3242,7 @@ Examples:
     .argument('<target>', 'Target hostname or IP address')
     .option('--json', 'Output as JSON (for scripting/CI)')
     .option('-p, --ports <ports>', 'Comma-separated ports to scan (default: common MCP ports)')
-    .option('-t, --timeout <ms>', 'Connection timeout in milliseconds', '5000')
+    .option('-t, --timeout <ms>', 'Connection timeout in milliseconds', '2000')
     .option('-v, --verbose', 'Show detailed finding information')
     .action(async (target, options) => {
     try {
@@ -2878,11 +3258,11 @@ Examples:
                 `\n`);
             process.exit(1);
         }
-        const timeoutMs = parseInt(options.timeout ?? '5000', 10);
+        const timeoutMs = parseInt(options.timeout ?? '2000', 10);
         const customPorts = options.ports
             ? options.ports.split(',').map((p) => parseInt(p.trim(), 10))
             : undefined;
-        const portCount = customPorts?.length ?? 5;
+        const portCount = customPorts?.length ?? 2;
         if (!options.json) {
             console.log(`\nScanning ${target} (${portCount} ports, ${timeoutMs}ms timeout)...\n`);
         }
@@ -5197,6 +5577,28 @@ Examples:
         if (opts.json) {
             writeJsonStdout(result);
         }
+        else if (result.found) {
+            // Use the unified display (same as `check --no-scan`) for visual consistency
+            const registryData = {
+                found: true,
+                name: result.name,
+                trustScore: result.trustScore,
+                trustLevel: result.trustLevel,
+                verdict: result.verdict,
+                scanStatus: result.scanStatus,
+                lastScannedAt: result.lastScannedAt,
+                packageType: result.packageType,
+                recommendation: result.recommendation,
+                cveCount: result.cveCount,
+                communityScans: result.communityScans,
+                dependencies: result.dependencies ? {
+                    totalDeps: result.dependencies.totalDeps,
+                    vulnerableDeps: result.dependencies.vulnerableDeps,
+                    minTrustLevel: result.dependencies.minTrustLevel,
+                } : undefined,
+            };
+            displayUnifiedCheck({ name: packageName, registry: registryData, verbose: false });
+        }
         else {
             process.stdout.write(formatTrustCheck(result));
         }
@@ -5215,7 +5617,7 @@ program
     .option('-d, --directory <dir>', 'Scan a specific directory to collect check metadata from findings')
     .option('--json', 'Output as JSON (default)')
     .action(async (options) => {
-    const { getAttackClass, getTaxonomyMap } = require('./hardening/taxonomy');
+    const { getAttackClass, getTaxonomyMap, getCheckSeverity } = require('./hardening/taxonomy');
     // Build static registry from taxonomy map (covers all known checks)
     const taxMap = getTaxonomyMap();
     const metadata = {};
@@ -5227,7 +5629,7 @@ program
             name: checkId,
             category: prefix.toLowerCase(),
             attackClass: taxMap[checkId] || '',
-            severity: '',
+            severity: getCheckSeverity(checkId),
         };
     }
     // If a directory is provided, enrich with actual finding data (names, severity, etc.)
@@ -5912,6 +6314,7 @@ async function queryRegistry(name) {
         const data = await response.json();
         if (!data.packageId)
             return null;
+        const deps = data.dependencies;
         return {
             found: true,
             name: data.name ?? name,
@@ -5921,6 +6324,15 @@ async function queryRegistry(name) {
             scanStatus: data.scanStatus,
             lastScannedAt: data.lastScannedAt,
             packageType: data.packageType,
+            recommendation: data.recommendation,
+            cveCount: typeof data.cveCount === 'number' ? data.cveCount : undefined,
+            communityScans: typeof data.communityScans === 'number' ? data.communityScans : undefined,
+            dependencies: deps ? {
+                totalDeps: typeof deps.totalDeps === 'number' ? deps.totalDeps : undefined,
+                vulnerableDeps: typeof deps.vulnerableDeps === 'number' ? deps.vulnerableDeps : undefined,
+                minTrustLevel: typeof deps.minTrustLevel === 'number' ? deps.minTrustLevel : undefined,
+                riskSummary: deps.riskSummary,
+            } : undefined,
         };
     }
     catch {
@@ -5954,7 +6366,9 @@ async function publishToRegistry(name, result) {
                 score: result.score,
                 maxScore: result.maxScore,
                 projectType: result.projectType,
-                findings: result.findings.map(f => ({
+                findings: result.findings
+                    .filter(f => !PACKAGE_SCAN_LOCAL_ONLY_CATEGORIES.has(f.category))
+                    .map(f => ({
                     checkId: f.checkId,
                     name: f.name,
                     severity: f.severity,
@@ -6020,6 +6434,90 @@ function getFullScanHint() {
         return override;
     return `${CLI_PREFIX} secure <dir>`;
 }
+/**
+ * Categories that describe local dev-environment setup, not package security.
+ * Findings in these categories are filtered from display when scanning a
+ * *downloaded* package (npm pack, pip download, git clone to temp dir).
+ * They remain visible when scanning a user's own project directory.
+ */
+const PACKAGE_SCAN_LOCAL_ONLY_CATEGORIES = new Set([
+    'git',
+    'permissions',
+    'environment',
+    'logging',
+    'claude-code',
+    'cursor',
+    'vscode',
+]);
+/**
+ * Paths that are AI tooling artifacts, not package source code.
+ * Governance findings on these files are noise when scanning a downloaded
+ * package or cloned repo — they're instructions to an AI assistant, not
+ * security vulnerabilities in the package itself.
+ */
+const AI_TOOLING_PATH_PATTERNS = [
+    /^\.claude\//,
+    /^CLAUDE\.md$/i,
+    /^\.cursorrules$/i,
+    /^\.aider/,
+    /^\.copilot\//,
+    /^\.github\/copilot/,
+    /\.env\.example$/i, // Example env files are not real credentials
+    /\.env\.sample$/i,
+    /\.env\.template$/i,
+];
+/** Governance-related categories/checkId prefixes that are noise on AI tooling files */
+const GOVERNANCE_CATEGORIES = new Set([
+    'governance',
+    'injection-hardening',
+    'trust-hierarchy',
+]);
+const GOVERNANCE_CHECK_PREFIXES = ['AST-GOV', 'AST-GOVERN', 'AST-PROMPT'];
+/** Test file path patterns — findings here are lower risk */
+const TEST_FILE_PATTERNS = [
+    /\btests?\//i,
+    /\b__tests__\//,
+    /\btest_[^/]+$/,
+    /[^/]+_test\.\w+$/,
+    /[^/]+\.test\.\w+$/,
+    /[^/]+\.spec\.\w+$/,
+    /\bfixtures?\//i,
+];
+function isTestFile(filePath) {
+    return TEST_FILE_PATTERNS.some(p => p.test(filePath));
+}
+function isAiToolingFile(filePath) {
+    return AI_TOOLING_PATH_PATTERNS.some(p => p.test(filePath));
+}
+/**
+ * Filter out local-dev-only findings that are meaningless for downloaded
+ * packages (e.g. "Missing .gitignore" on an npm tarball).  Also filters
+ * governance findings on AI tooling files and demotes test file findings.
+ * Mutates `result.findings` in place and recalculates the score.
+ */
+function filterLocalOnlyFindings(result, scanner) {
+    result.findings = result.findings.filter(f => {
+        // Remove local-only categories (git, permissions, env, etc.)
+        if (PACKAGE_SCAN_LOCAL_ONLY_CATEGORIES.has(f.category))
+            return false;
+        // Exclude ALL findings on AI tooling files (CLAUDE.md, .claude/, .cursorrules, etc.)
+        // These files contain instructions to AI assistants, not package source code.
+        // Credential patterns, injection patterns, and governance findings in these
+        // files are false positives — they describe security practices, not vulnerabilities.
+        if (f.file && isAiToolingFile(f.file))
+            return false;
+        return true;
+    });
+    // Demote test file findings to low severity (test code patterns are
+    // lower risk — pickle.load in a test file is not an attack surface)
+    for (const f of result.findings) {
+        if (f.file && isTestFile(f.file) && (f.severity === 'critical' || f.severity === 'high')) {
+            f.originalSeverity = f.severity;
+            f.severity = 'low';
+        }
+    }
+    result.score = scanner.calculateScore(result.findings.filter((f) => !f.passed && !f.fixed)).score;
+}
 /**
  * Print the standard 3-line next-steps footer shown after every `check`
  * invocation. Lines:
@@ -6031,13 +6529,30 @@ function getFullScanHint() {
  *
  * Suppressed in --ci so machine-readable output stays clean.
  */
-function printCheckNextSteps(target) {
+function printCheckNextSteps(target, context) {
     if (globalCiMode)
         return;
     console.log();
-    console.log(`  ${colors.dim}Run a fresh local scan: ${getCheckCommand()} ${target} --rescan${RESET()}`);
-    console.log(`  ${colors.dim}Full project scan:      ${getFullScanHint()}${RESET()}`);
-    console.log(`  ${colors.dim}Also accepts: pip:<pkg> · <owner>/<repo> · ./<dir> · @publisher/skill${RESET()}`);
+    console.log(`  ${colors.dim}──${RESET()} ${colors.bold}Next Steps${RESET()} ${colors.dim}${'─'.repeat(49)}${RESET()}`);
+    if (context?.hasGovernanceIssues) {
+        console.log(`  ${colors.cyan}Auto-fix governance:${RESET()}  ${CLI_PREFIX} harden-soul ${target}`);
+    }
+    if (context?.hasCredentialFindings) {
+        console.log(`  ${colors.cyan}Protect credentials:${RESET()}  npx secretless-ai scan`);
+    }
+    if (context?.hasCodeVulns) {
+        console.log(`  ${colors.cyan}Auto-fix all issues:${RESET()}  ${CLI_PREFIX} secure --fix`);
+    }
+    if (context?.hasFindings) {
+        console.log(`  ${colors.cyan}Full project audit:${RESET()}   ${getFullScanHint()}`);
+    }
+    else if (context?.isCleanScan) {
+        console.log(`  ${colors.cyan}Governance scan:${RESET()}      ${CLI_PREFIX} scan-soul ${target}`);
+        console.log(`  ${colors.cyan}Red-team test:${RESET()}        ${CLI_PREFIX} attack --local`);
+    }
+    else {
+        console.log(`  ${colors.cyan}Deep scan:${RESET()}            ${CLI_PREFIX} check ${target} --rescan`);
+    }
     console.log();
 }
 /**
@@ -6106,27 +6621,23 @@ async function suggestSimilarPackages(name) {
 async function checkGitHubRepo(target, options) {
     const { org, repo, cloneUrl } = parseGitHubTarget(target);
     const displayName = `${org}/${repo}`;
-    // Step 1: Check registry for existing trust data (unless --rescan forces a fresh scan)
-    if (!options.offline && !options.rescan) {
-        const registryData = await queryRegistry(displayName);
-        if (registryData?.found && !isScanStale(registryData.lastScannedAt)) {
+    // Fetch registry data in parallel with clone (unless --no-registry)
+    const registryPromise = options.registry === false ? Promise.resolve(null) : queryRegistry(displayName);
+    // Registry-only mode (--no-scan): skip local scan
+    if (options.scan === false) {
+        const registryData = await registryPromise;
+        if (registryData?.found) {
             if (options.json) {
                 writeJsonStdout({ ...registryData, source: 'registry' });
                 return;
             }
-            displayRegistryResult(registryData);
+            displayUnifiedCheck({ name: displayName, sourceLabel: 'GitHub', registry: registryData, verbose: !!options.verbose });
             return;
         }
-        if (registryData?.found && registryData.lastScannedAt) {
-            if (!options.json && !globalCiMode) {
-                const days = Math.floor((Date.now() - new Date(registryData.lastScannedAt).getTime()) / (1000 * 60 * 60 * 24));
-                console.error(`\nRegistry data is ${days} day(s) old. Re-scanning...`);
-            }
+        if (!options.json && !globalCiMode) {
+            console.error(`No registry data found for ${displayName}. Running local scan...`);
         }
     }
-    else if (options.rescan && !options.json && !globalCiMode) {
-        console.error(`Forcing fresh local scan (--rescan)...`);
-    }
     // Step 2: Clone and scan
     const { mkdtemp, rm } = await Promise.resolve().then(() => __importStar(require('node:fs/promises')));
     const { tmpdir } = await Promise.resolve().then(() => __importStar(require('node:os')));
@@ -6157,6 +6668,8 @@ async function checkGitHubRepo(target, options) {
         catch {
             // NanoMind unavailable — use base scan results
         }
+        // Filter local-dev-only findings irrelevant to cloned repos
+        filterLocalOnlyFindings(result, scanner);
         const failed = result.findings.filter(f => !f.passed);
         const critical = failed.filter(f => f.severity === 'critical');
         const high = failed.filter(f => f.severity === 'high');
@@ -6174,19 +6687,21 @@ async function checkGitHubRepo(target, options) {
             });
             return;
         }
-        // Display results
-        const scoreRatio = result.score / result.maxScore;
-        const scoreColor = scoreRatio >= 0.7 ? colors.green : scoreRatio >= 0.4 ? colors.yellow : colors.red;
-        console.log(`\n  ${displayName} ${colors.dim}(GitHub)${RESET()}`);
-        console.log(`  Type:       ${result.projectType}`);
-        console.log(`  Score:      ${scoreColor}${result.score}/${result.maxScore}${RESET()}`);
-        console.log(`  Findings:   ${critical.length} critical, ${high.length} high, ${medium.length} medium, ${low.length} low`);
-        displayCheckFindings(failed, !!options.verbose);
-        // Step 3: Community contribution
+        // Await registry data (started in parallel with clone)
+        const registryData = await registryPromise;
+        // Display results using unified display
+        displayUnifiedCheck({
+            name: displayName,
+            sourceLabel: 'GitHub',
+            projectType: result.projectType,
+            localScan: { score: result.score, maxScore: result.maxScore, findings: result.findings },
+            registry: registryData,
+            verbose: !!options.verbose,
+        });
+        // Community contribution
         if (process.stdin.isTTY && !globalCiMode) {
             const scanCount = incrementScanCounter();
             if (scanCount >= 3 && !hasContributeChoice()) {
-                console.log();
                 console.log(`  ${colors.dim}Your scans help other developers make safer choices.`);
                 console.log(`  Sharing adds anonymized results to the OpenA2A trust registry`);
                 console.log(`  so others can check packages before installing.${RESET()}`);
@@ -6201,7 +6716,7 @@ async function checkGitHubRepo(target, options) {
                 if (wantsToShare) {
                     const ok = await publishToRegistry(displayName, result);
                     if (ok) {
-                        console.error(`  ${colors.green}Shared. Future scans will auto-share.${RESET()}`);
+                        console.error(`\n  ${colors.green}Thanks for sharing! Future scans will auto-contribute.${RESET()}\n`);
                     }
                     else {
                         queuePendingScan(displayName, result);
@@ -6215,7 +6730,6 @@ async function checkGitHubRepo(target, options) {
                     queuePendingScan(displayName, result);
             }
         }
-        printCheckNextSteps(displayName);
         if (critical.length > 0 || high.length > 0)
             process.exit(1);
     }
@@ -6317,6 +6831,8 @@ async function checkPyPiPackage(target, options) {
         catch {
             // NanoMind unavailable -- use base scan results
         }
+        // Filter local-dev-only findings irrelevant to downloaded packages
+        filterLocalOnlyFindings(result, scanner);
         const failed = result.findings.filter(f => !f.passed);
         const critical = failed.filter(f => f.severity === 'critical');
         const high = failed.filter(f => f.severity === 'high');
@@ -6335,32 +6851,18 @@ async function checkPyPiPackage(target, options) {
             });
             return;
         }
-        // Display results
-        const scoreRatio = result.score / result.maxScore;
-        const scoreColor = scoreRatio >= 0.7 ? colors.green : scoreRatio >= 0.4 ? colors.yellow : colors.red;
-        console.log(`\n  ${name} (PyPI)`);
-        console.log(`  Version:    ${meta.info.version}`);
-        console.log(`  Type:       ${result.projectType}`);
-        console.log(`  Score:      ${scoreColor}${result.score}/${result.maxScore}${RESET()}`);
-        console.log(`  Findings:   ${critical.length} critical, ${high.length} high, ${medium.length} medium, ${low.length} low`);
-        if (failed.length > 0) {
-            console.log();
-            const limit = options.verbose ? failed.length : 15;
-            for (const f of failed.slice(0, limit)) {
-                const sev = SEVERITY_DISPLAY[f.severity];
-                const attackClass = f.attackClass ? ` (${f.attackClass})` : '';
-                console.log(`  ${sev.color()}${sev.symbol}${RESET()} ${f.name}: ${f.message}${colors.dim}${attackClass}${RESET()}`);
-            }
-            if (failed.length > limit) {
-                console.log(`\n  ... and ${failed.length - limit} more (use --verbose to see all)`);
-            }
-        }
-        else {
-            console.log(`\n  ${colors.green}No security issues found.${RESET()}`);
-        }
-        // Pass the original target (with pip: / pypi: prefix preserved) so the
-        // rescan hint stays runnable — `hackmyagent check requests` would try npm.
-        printCheckNextSteps(target);
+        // Display results using unified display
+        // Query registry for trust context (PyPI packages have pip: prefix in registry)
+        const registryData = options.registry === false ? null : await queryRegistry(`pip:${name}`);
+        displayUnifiedCheck({
+            name,
+            sourceLabel: 'PyPI',
+            projectType: result.projectType,
+            version: meta.info.version,
+            localScan: { score: result.score, maxScore: result.maxScore, findings: result.findings },
+            registry: registryData,
+            verbose: !!options.verbose,
+        });
         if (critical.length > 0 || high.length > 0)
             process.exit(1);
     }
@@ -6484,6 +6986,8 @@ async function checkRawUrl(url, options) {
         catch {
             // NanoMind unavailable — use base scan results
         }
+        // Filter local-dev-only findings irrelevant to downloaded URLs
+        filterLocalOnlyFindings(result, scanner);
         const failed = result.findings.filter(f => !f.passed);
         const critical = failed.filter(f => f.severity === 'critical');
         const high = failed.filter(f => f.severity === 'high');
@@ -6502,14 +7006,14 @@ async function checkRawUrl(url, options) {
             });
             return;
         }
-        // Display results
-        const scoreRatio = result.score / result.maxScore;
-        const scoreColor = scoreRatio >= 0.7 ? colors.green : scoreRatio >= 0.4 ? colors.yellow : colors.red;
-        console.log(`\n  ${displayName} ${colors.dim}(URL)${RESET()}`);
-        console.log(`  Type:       ${result.projectType}`);
-        console.log(`  Score:      ${scoreColor}${result.score}/${result.maxScore}${RESET()}`);
-        console.log(`  Findings:   ${critical.length} critical, ${high.length} high, ${medium.length} medium, ${low.length} low`);
-        displayCheckFindings(failed, !!options.verbose);
+        // Display results using unified display
+        displayUnifiedCheck({
+            name: displayName,
+            sourceLabel: 'URL',
+            projectType: result.projectType,
+            localScan: { score: result.score, maxScore: result.maxScore, findings: result.findings },
+            verbose: !!options.verbose,
+        });
         // Community contribution (auto-share if opted in, no first-time prompt for URLs)
         if (process.stdin.isTTY && !globalCiMode) {
             if (isContributeEnabled()) {
@@ -6519,7 +7023,6 @@ async function checkRawUrl(url, options) {
                     queuePendingScan(displayName, result);
             }
         }
-        printCheckNextSteps(displayName);
         if (critical.length > 0 || high.length > 0)
             process.exit(1);
     }
@@ -6544,30 +7047,24 @@ async function checkRawUrl(url, options) {
     }
 }
 async function checkNpmPackage(name, options) {
-    // Step 1: Check registry for existing trust data (unless --rescan forces a fresh scan)
-    if (!options.offline && !options.rescan) {
-        const registryData = await queryRegistry(name);
-        if (registryData?.found && !isScanStale(registryData.lastScannedAt)) {
-            // Fresh data in registry — show it
+    // Fetch registry data in parallel with download+scan (unless --no-registry)
+    const registryPromise = options.registry === false ? Promise.resolve(null) : queryRegistry(name);
+    // Registry-only mode (--no-scan): skip local scan
+    if (options.scan === false) {
+        const registryData = await registryPromise;
+        if (registryData?.found) {
             if (options.json) {
                 writeJsonStdout({ ...registryData, source: 'registry' });
                 return;
             }
-            displayRegistryResult(registryData);
+            displayUnifiedCheck({ name, registry: registryData, verbose: !!options.verbose });
             return;
         }
-        // Stale or missing — tell the user we're scanning
-        if (registryData?.found && registryData.lastScannedAt) {
-            if (!options.json && !globalCiMode) {
-                const days = Math.floor((Date.now() - new Date(registryData.lastScannedAt).getTime()) / (1000 * 60 * 60 * 24));
-                console.error(`\nRegistry data is ${days} day(s) old. Re-scanning...`);
-            }
+        if (!options.json && !globalCiMode) {
+            console.error(`No registry data found for ${name}. Running local scan...`);
         }
     }
-    else if (options.rescan && !options.json && !globalCiMode) {
-        console.error(`Forcing fresh local scan (--rescan)...`);
-    }
-    // Step 2: Download and scan
+    // Download and scan
     const { mkdtemp, rm } = await Promise.resolve().then(() => __importStar(require('node:fs/promises')));
     const { tmpdir } = await Promise.resolve().then(() => __importStar(require('node:os')));
     const { join } = await Promise.resolve().then(() => __importStar(require('node:path')));
@@ -6583,7 +7080,35 @@ async function checkNpmPackage(name, options) {
         const { stdout } = await execAsync('npm', ['pack', name, '--pack-destination', tempDir], { timeout: 60000 });
         const tarball = stdout.trim().split('\n').pop();
         await execAsync('tar', ['xzf', join(tempDir, tarball), '-C', tempDir], { timeout: 30000 });
-        const packageDir = join(tempDir, 'package');
+        // npm tarballs normally extract to 'package/', but some packages (e.g. @types/*)
+        // may use a different directory name. Detect the actual extracted directory.
+        const { readdir, stat } = await Promise.resolve().then(() => __importStar(require('node:fs/promises')));
+        let packageDir = join(tempDir, 'package');
+        try {
+            await stat(packageDir);
+        }
+        catch {
+            // 'package/' doesn't exist — find the extracted directory (skip the .tgz file)
+            const entries = await readdir(tempDir);
+            const dirs = [];
+            for (const entry of entries) {
+                if (entry.endsWith('.tgz') || entry.endsWith('.tar.gz'))
+                    continue;
+                const s = await stat(join(tempDir, entry));
+                if (s.isDirectory())
+                    dirs.push(entry);
+            }
+            if (dirs.length === 1) {
+                packageDir = join(tempDir, dirs[0]);
+            }
+            else if (dirs.length === 0) {
+                throw new Error(`Tarball extraction produced no directory in ${tempDir}`);
+            }
+            else {
+                // Multiple dirs — pick the first non-hidden one
+                packageDir = join(tempDir, dirs.find(d => !d.startsWith('.')) || dirs[0]);
+            }
+        }
         // Run full HMA scan + NanoMind (same pipeline as `secure`)
         const scanner = new index_1.HardeningScanner();
         const result = await scanner.scan({ targetDir: packageDir, autoFix: false });
@@ -6599,11 +7124,11 @@ async function checkNpmPackage(name, options) {
         catch {
             // NanoMind unavailable — use base scan results
         }
+        // Filter local-dev-only findings irrelevant to downloaded packages
+        filterLocalOnlyFindings(result, scanner);
         const failed = result.findings.filter(f => !f.passed);
         const critical = failed.filter(f => f.severity === 'critical');
         const high = failed.filter(f => f.severity === 'high');
-        const medium = failed.filter(f => f.severity === 'medium');
-        const low = failed.filter(f => f.severity === 'low');
         if (options.json) {
             writeJsonStdout({
                 name,
@@ -6616,19 +7141,20 @@ async function checkNpmPackage(name, options) {
             });
             return;
         }
-        // Display results
-        const scoreRatio = result.score / result.maxScore;
-        const scoreColor = scoreRatio >= 0.7 ? colors.green : scoreRatio >= 0.4 ? colors.yellow : colors.red;
-        console.log(`\n  ${name}`);
-        console.log(`  Type:       ${result.projectType}`);
-        console.log(`  Score:      ${scoreColor}${result.score}/${result.maxScore}${RESET()}`);
-        console.log(`  Findings:   ${critical.length} critical, ${high.length} high, ${medium.length} medium, ${low.length} low`);
-        displayCheckFindings(failed, !!options.verbose);
-        // Step 3: Community contribution (after 3 scans, interactive only)
+        // Await registry data (started in parallel with download)
+        const registryData = await registryPromise;
+        // Display results using unified display
+        displayUnifiedCheck({
+            name,
+            projectType: result.projectType,
+            localScan: { score: result.score, maxScore: result.maxScore, findings: result.findings },
+            registry: registryData,
+            verbose: !!options.verbose,
+        });
+        // Community contribution (after 3 scans, interactive only)
         if (process.stdin.isTTY && !globalCiMode) {
             const scanCount = incrementScanCounter();
             if (scanCount >= 3 && !hasContributeChoice()) {
-                console.log();
                 console.log(`  ${colors.dim}Your scans help other developers make safer choices.`);
                 console.log(`  Sharing adds anonymized results to the OpenA2A trust registry`);
                 console.log(`  so others can check packages before installing.${RESET()}`);
@@ -6643,10 +7169,9 @@ async function checkNpmPackage(name, options) {
                 if (wantsToShare) {
                     const ok = await publishToRegistry(name, result);
                     if (ok) {
-                        console.error(`  ${colors.green}Shared. Future scans will auto-share.${RESET()}`);
+                        console.error(`\n  ${colors.green}Thanks for sharing! Future scans will auto-contribute.${RESET()}\n`);
                     }
                     else {
-                        // Silent — queue locally and retry on next scan
                         queuePendingScan(name, result);
                     }
                 }
@@ -6659,7 +7184,6 @@ async function checkNpmPackage(name, options) {
                     queuePendingScan(name, result);
             }
         }
-        printCheckNextSteps(name);
         if (critical.length > 0 || high.length > 0)
             process.exit(1);
     }
@@ -6667,21 +7191,10 @@ async function checkNpmPackage(name, options) {
         const message = err instanceof Error ? err.message : String(err);
         // Clean npm error messages
         if (message.includes('404') || message.includes('Not Found')) {
-            console.error(`Error: Package "${name}" not found on npm.`);
-            // Suggest similar packages via npm registry search
-            try {
-                const suggestions = await suggestSimilarPackages(name);
-                if (suggestions.length > 0) {
-                    console.error(`\nDid you mean?`);
-                    for (const s of suggestions) {
-                        console.error(`  ${s}`);
-                    }
-                    console.error();
-                }
-            }
-            catch {
-                // Search failed — just show the original error
-            }
+            // Throw a typed error so the router can fall through to skill check
+            const notFound = new Error(`NPM_NOT_FOUND:${name}`);
+            notFound.name = 'NpmNotFoundError';
+            throw notFound;
         }
         else {
             console.error(`Error: ${message}`);