navada-edge-cli 3.4.0 → 3.5.0

package/lib/agent.js

@@ -32,6 +32,8 @@ You also connect to the NAVADA Edge Network (4 nodes via Tailscale VPN):
   - send_email / generate_image: communications and AI image generation
   - founder_info: information about Lee Akpareva, the creator of NAVADA
 When users ask you to DO something — DO IT. Use write_file to create files. Use shell to run commands. Never say "I can't" when you have a tool for it.
+When asked to generate diagrams — use write_file to create Mermaid (.mmd), SVG, or HTML files. You can also use python_exec with matplotlib/graphviz for complex diagrams.
+When asked to create, edit, or delete files — use the file tools directly. You are a terminal agent with FULL access.
 Keep responses short. Code blocks when needed. No fluff.`,
   founder: {
     name: 'Leslie (Lee) Akpareva',
@@ -65,6 +67,7 @@ Keep responses short. Code blocks when needed. No fluff.`,
 };
 
 function getSystemPrompt() {
+  // Learning mode overrides everything
   if (sessionState.learningMode) {
     try {
       const { MODES } = require('./commands/learn');
@@ -72,9 +75,41 @@ function getSystemPrompt() {
       if (mode) return mode.system;
     } catch {}
   }
+
+  // Load user's agent.md customisation if it exists
+  const agentMdPath = path.join(config.CONFIG_DIR, 'agent.md');
+  let userPrompt = '';
+  try {
+    if (fs.existsSync(agentMdPath)) {
+      userPrompt = fs.readFileSync(agentMdPath, 'utf-8').trim();
+    }
+  } catch {}
+
+  // Load active sub-agent if selected
+  if (sessionState.subAgent) {
+    const subPath = path.join(config.CONFIG_DIR, 'agents', `${sessionState.subAgent}.md`);
+    try {
+      if (fs.existsSync(subPath)) {
+        return fs.readFileSync(subPath, 'utf-8').trim();
+      }
+    } catch {}
+  }
+
+  // Combine: base personality + user customisation
+  if (userPrompt) {
+    return `${IDENTITY.personality}\n\n--- USER CUSTOMISATION (from agent.md) ---\n${userPrompt}`;
+  }
   return IDENTITY.personality;
 }
 
+function listSubAgents() {
+  const dir = path.join(config.CONFIG_DIR, 'agents');
+  try {
+    if (!fs.existsSync(dir)) return [];
+    return fs.readdirSync(dir).filter(f => f.endsWith('.md')).map(f => f.replace('.md', ''));
+  } catch { return []; }
+}
+
 // ---------------------------------------------------------------------------
 // Session state — exposed for UI panels
 // ---------------------------------------------------------------------------
@@ -86,6 +121,7 @@ const sessionState = {
   messages: 0,
   startTime: Date.now(),
   learningMode: null,  // 'python' | 'csharp' | 'node' | null
+  subAgent: null,      // active sub-agent name (loads from ~/.navada/agents/<name>.md)
   history: [],         // conversation history for context continuity
 };
 
@@ -650,13 +686,16 @@ function streamGemini(key, messages, model = 'gemini-2.0-flash') {
 
 function openAITools() {
   const defs = [
-    { name: 'shell', description: 'Execute a shell command on the user\'s machine', parameters: { type: 'object', properties: { command: { type: 'string' } }, required: ['command'] } },
-    { name: 'read_file', description: 'Read a file', parameters: { type: 'object', properties: { path: { type: 'string' } }, required: ['path'] } },
-    { name: 'write_file', description: 'Write to a file', parameters: { type: 'object', properties: { path: { type: 'string' }, content: { type: 'string' } }, required: ['path', 'content'] } },
-    { name: 'list_files', description: 'List directory contents', parameters: { type: 'object', properties: { path: { type: 'string' } } } },
-    { name: 'system_info', description: 'Get system info (CPU, RAM, OS)', parameters: { type: 'object', properties: {} } },
-    { name: 'python_exec', description: 'Execute Python code', parameters: { type: 'object', properties: { code: { type: 'string' } }, required: ['code'] } },
-    { name: 'python_pip', description: 'Install a Python package', parameters: { type: 'object', properties: { package: { type: 'string' } }, required: ['package'] } },
+    { name: 'shell', description: 'Execute a shell command on the user\'s machine. Use for: file operations, git, npm, docker, system commands, creating directories, running scripts.', parameters: { type: 'object', properties: { command: { type: 'string', description: 'The shell command to run' } }, required: ['command'] } },
+    { name: 'read_file', description: 'Read the contents of a file on the user\'s machine.', parameters: { type: 'object', properties: { path: { type: 'string', description: 'Absolute or relative file path' } }, required: ['path'] } },
+    { name: 'write_file', description: 'Write content to a file. Creates parent directories if needed. Use for creating new files, scripts, configs, diagrams (Mermaid, SVG, HTML), code files.', parameters: { type: 'object', properties: { path: { type: 'string', description: 'File path to write' }, content: { type: 'string', description: 'Full content to write to the file' } }, required: ['path', 'content'] } },
+    { name: 'list_files', description: 'List files and directories.', parameters: { type: 'object', properties: { path: { type: 'string', description: 'Directory path (default: current dir)' } } } },
+    { name: 'system_info', description: 'Get local system information (CPU, RAM, disk, OS, hostname).', parameters: { type: 'object', properties: {} } },
+    { name: 'python_exec', description: 'Execute Python code inline. Use for data analysis, calculations, generating content, processing files, ML tasks.', parameters: { type: 'object', properties: { code: { type: 'string', description: 'Python code to execute' } }, required: ['code'] } },
+    { name: 'python_pip', description: 'Install a Python package via pip.', parameters: { type: 'object', properties: { package: { type: 'string', description: 'Package name' } }, required: ['package'] } },
+    { name: 'python_script', description: 'Run a Python script file.', parameters: { type: 'object', properties: { path: { type: 'string', description: 'Path to .py file' } }, required: ['path'] } },
+    { name: 'sandbox_run', description: 'Run code in an isolated sandbox with syntax highlighting. Supports javascript, python, typescript.', parameters: { type: 'object', properties: { code: { type: 'string' }, language: { type: 'string', description: 'javascript, python, or typescript' } }, required: ['code'] } },
+    { name: 'founder_info', description: 'Get information about Lee Akpareva, founder of NAVADA Edge.', parameters: { type: 'object', properties: {} } },
   ];
   return defs.map(d => ({ type: 'function', function: d }));
 }
@@ -997,13 +1036,72 @@ async function grokChat(userMessage, conversationHistory = []) {
     { role: 'user', content: userMessage },
   ];
 
-  // Try streaming first
-  const result = await callFreeTier(messages, true);
-  if (result.streamed) {
-    // Already printed to stdout, return for history
+  // Send tools with the request — free tier now supports tool use
+  const tools = openAITools();
+  const endpoint = FREE_TIER_ENDPOINTS[0];
+
+  // Non-streaming request with tools (streaming + tools is complex, use non-streaming for tool calls)
+  let response;
+  try {
+    const r = await navada.request(endpoint, {
+      method: 'POST',
+      body: { messages, tools },
+      timeout: 120000,
+    });
+
+    if (r.status === 429) {
+      return `Free tier limit reached. /login <key> for unlimited access.`;
+    }
+    if (r.status !== 200) {
+      // Fall back to streaming without tools
+      const result = await callFreeTier(messages, true);
+      return result.content || 'No response from free tier.';
+    }
+
+    rateTracker.record();
+    response = r.data;
+  } catch {
+    // Network error — try streaming fallback
+    const result = await callFreeTier(messages, true);
     return result.content || 'No response from free tier. Try /login <key> for full agent.';
   }
-  return result.content || 'No response from free tier. Try /login <key> for full agent.';
+
+  // Handle tool use loop (same as OpenAI path)
+  let iterations = 0;
+  while (response?.choices?.[0]?.finish_reason === 'tool_calls' && iterations < 10) {
+    iterations++;
+    const toolCalls = response.choices[0].message.tool_calls || [];
+    if (toolCalls.length === 0) break;
+
+    const toolResults = [];
+    for (const tc of toolCalls) {
+      let input;
+      try { input = JSON.parse(tc.function.arguments); } catch { input = {}; }
+      console.log(ui.dim(`  [${tc.function.name}] ${JSON.stringify(input).slice(0, 80)}`));
+      const result = await executeTool(tc.function.name, input);
+      toolResults.push({ role: 'tool', tool_call_id: tc.id, content: typeof result === 'string' ? result : JSON.stringify(result) });
+    }
+
+    // Add assistant message with tool_calls + results, then call again
+    messages.push({ role: 'assistant', content: response.choices[0].message.content || null, tool_calls: toolCalls });
+    messages.push(...toolResults);
+
+    try {
+      const r = await navada.request(endpoint, {
+        method: 'POST',
+        body: { messages, tools },
+        timeout: 120000,
+      });
+      if (r.status !== 200) break;
+      rateTracker.record();
+      response = r.data;
+    } catch { break; }
+  }
+
+  // Extract final text
+  const content = response?.choices?.[0]?.message?.content || '';
+  if (content) console.log(`  ${content}`);
+  return content || 'No response.';
 }
 
 async function fallbackChat(msg) {
@@ -1078,4 +1176,4 @@ async function reportTelemetry(event, data = {}) {
   }
 }
 
-module.exports = { IDENTITY, chat, localTools, reportTelemetry, fallbackChat, checkForUpdate, getUpdateInfo, rateTracker, sessionState, addToHistory, getConversationHistory, clearHistory };
+module.exports = { IDENTITY, chat, localTools, reportTelemetry, fallbackChat, checkForUpdate, getUpdateInfo, rateTracker, sessionState, addToHistory, getConversationHistory, clearHistory, listSubAgents };

package/lib/commands/audit.js

@@ -0,0 +1,355 @@
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const ui = require('../ui');
+const config = require('../config');
+
+// ─────────────────────────────────────────────
+// CONFIG
+// ─────────────────────────────────────────────
+const NAVADA_DIR = path.join(os.homedir(), '.navada');
+const REPORTS_DIR = path.join(NAVADA_DIR, 'audit-reports');
+const CONFIG_FILE = path.join(NAVADA_DIR, 'config.json');
+
+// ─────────────────────────────────────────────
+// SOURCE SCANNER
+// ─────────────────────────────────────────────
+function findInSource(pattern, dir) {
+  const searchDirs = dir ? [dir] : ['src', 'lib', 'bin', 'server', 'api', 'routes', '.'];
+  const extensions = ['js', 'ts', 'mjs', 'cjs'];
+
+  for (const d of searchDirs) {
+    if (!fs.existsSync(d)) continue;
+    const files = walkDir(d, extensions);
+    for (const file of files) {
+      try {
+        const content = fs.readFileSync(file, 'utf8');
+        if (new RegExp(pattern, 'i').test(content)) return { found: true, file };
+      } catch { continue; }
+    }
+  }
+  return { found: false };
+}
+
+function walkDir(dir, extensions, files = []) {
+  try {
+    for (const entry of fs.readdirSync(dir)) {
+      if (entry === 'node_modules' || entry.startsWith('.')) continue;
+      const full = path.join(dir, entry);
+      try {
+        const stat = fs.statSync(full);
+        if (stat.isDirectory()) walkDir(full, extensions, files);
+        else if (extensions.some(ext => full.endsWith(`.${ext}`))) files.push(full);
+      } catch { continue; }
+    }
+  } catch {}
+  return files;
+}
+
+// ─────────────────────────────────────────────
+// STATIC CHECKS — current real-world state
+// ─────────────────────────────────────────────
+const CHECKS = {
+
+  cli: [
+    { id: 'CLI-01', name: 'Entry file has shebang', severity: 'CRITICAL', check: () => {
+      for (const f of ['bin/navada.js', 'bin/index.js', 'index.js']) {
+        if (fs.existsSync(f)) return fs.readFileSync(f, 'utf8').split('\n')[0].startsWith('#!/usr/bin/env node');
+      }
+      return { skipped: true, reason: 'No entry file found' };
+    }},
+    { id: 'CLI-02', name: 'package.json has bin field', severity: 'CRITICAL', check: () => {
+      if (!fs.existsSync('package.json')) return { skipped: true, reason: 'No package.json' };
+      const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8'));
+      return !!(pkg.bin && Object.keys(pkg.bin).length > 0);
+    }},
+    { id: 'CLI-03', name: 'NO_COLOR respected', severity: 'MEDIUM', check: () => findInSource('NO_COLOR').found },
+    { id: 'CLI-04', name: 'Semantic versioning', severity: 'HIGH', check: () => {
+      if (!fs.existsSync('package.json')) return false;
+      return /^\d+\.\d+\.\d+/.test(JSON.parse(fs.readFileSync('package.json', 'utf8')).version || '');
+    }},
+    { id: 'CLI-05', name: 'Config in ~/.navada/', severity: 'HIGH', check: () => findInSource('.navada').found },
+    { id: 'CLI-06', name: 'Non-zero exit on failure', severity: 'HIGH', check: () => findInSource('process.exit\\(1\\)').found },
+    { id: 'CLI-07', name: 'README exists and >500 chars', severity: 'MEDIUM', check: () => {
+      if (!fs.existsSync('README.md')) return false;
+      return fs.readFileSync('README.md', 'utf8').length > 500;
+    }},
+    { id: 'CLI-08', name: 'LICENSE file exists', severity: 'LOW', check: () => fs.existsSync('LICENSE') || fs.existsSync('LICENSE.md') },
+  ],
+
+  security: [
+    { id: 'SEC-01', name: 'No hardcoded API keys in source', severity: 'CRITICAL', check: () => {
+      for (const p of ['sk-ant-api', 'sk-proj-', 'xai-[a-zA-Z]']) {
+        const r = findInSource(p);
+        if (r.found) return { pass: false, detail: `Pattern ${p} in ${r.file}` };
+      }
+      return true;
+    }},
+    { id: 'SEC-02', name: 'No plaintext passwords in source', severity: 'CRITICAL', check: () => !findInSource('password.*=.*["\'][^"\']{8,}["\']').found },
+    { id: 'SEC-03', name: '.gitignore covers .env', severity: 'CRITICAL', check: () => {
+      if (!fs.existsSync('.gitignore')) return { pass: false, detail: 'No .gitignore' };
+      return fs.readFileSync('.gitignore', 'utf8').includes('.env');
+    }},
+    { id: 'SEC-04', name: 'Config file permissions 600', severity: 'HIGH', check: () => {
+      if (!fs.existsSync(CONFIG_FILE)) return { skipped: true, reason: 'No config file' };
+      try { return (fs.statSync(CONFIG_FILE).mode & 0o777).toString(8) === '600'; }
+      catch { return { skipped: true, reason: 'Cannot read permissions' }; }
+    }},
+    { id: 'SEC-05', name: 'crypto.randomBytes for key gen', severity: 'CRITICAL', check: () => findInSource('randomBytes').found },
+    { id: 'SEC-06', name: 'IP sanitiser strips internal IPs', severity: 'CRITICAL', check: () => findInSource('100\\\\.\\d|192\\\\.168|sanitise').found },
+    { id: 'SEC-07', name: 'No Tailscale IPs in published npm files', severity: 'CRITICAL', check: () => {
+      const r = findInSource('100\\.88\\.118\\.128|100\\.98\\.118\\.33|100\\.77\\.206\\.9|100\\.121\\.187\\.67');
+      return !r.found;
+    }},
+  ],
+
+  api: [
+    { id: 'API-01', name: 'Versioned routes (/v1/)', severity: 'HIGH', check: () => findInSource('/v1/').found },
+    { id: 'API-02', name: 'Rate limiting implemented', severity: 'HIGH', check: () => findInSource('rateLimit|rate.*limit|rateTracker').found },
+    { id: 'API-03', name: 'Health endpoint exists', severity: 'HIGH', check: () => findInSource('/health').found },
+    { id: 'API-04', name: 'CORS configured', severity: 'HIGH', check: () => findInSource('Access-Control-Allow-Origin|cors').found },
+    { id: 'API-05', name: 'Clerk auth on user routes', severity: 'HIGH', check: () => findInSource('requireUser|clerkUser|verifySession').found },
+    { id: 'API-06', name: 'WebSocket server implemented', severity: 'MEDIUM', check: () => findInSource('WebSocketServer|wss|/ws').found },
+  ],
+
+  data: [
+    { id: 'DATA-01', name: 'User keys file-based (PG migration pending)', severity: 'MEDIUM', check: () => findInSource('user-keys.json').found },
+    { id: 'DATA-02', name: 'Key validation endpoint exists', severity: 'HIGH', check: () => findInSource('validate-key|validateKey').found },
+    { id: 'DATA-03', name: 'Keys masked in API responses', severity: 'CRITICAL', check: () => findInSource('substring.*12|slice\\(-4\\)').found },
+    { id: 'DATA-04', name: 'User-scoped key queries (userId filter)', severity: 'CRITICAL', check: () => findInSource('userId.*filter|filter.*userId').found },
+    { id: 'DATA-05', name: 'Azure Key Vault sync on key ops', severity: 'HIGH', check: () => findInSource('keyvault|syncKeyToVault|navada-edge-vault').found },
+    { id: 'DATA-06', name: 'Telemetry hashes hostname (no PII)', severity: 'HIGH', check: () => findInSource('createHash.*hostname|sha256.*hostname').found },
+  ],
+
+  docker: [
+    { id: 'DOCK-01', name: 'Docker Compose exists', severity: 'HIGH', check: () => fs.existsSync('docker-compose.yml') || fs.existsSync('Dockerfile') },
+    { id: 'DOCK-02', name: 'Restart policy: always', severity: 'HIGH', check: () => {
+      if (!fs.existsSync('docker-compose.yml')) return { skipped: true, reason: 'No compose file' };
+      return fs.readFileSync('docker-compose.yml', 'utf8').includes('restart: always');
+    }},
+    { id: 'DOCK-03', name: 'Healthchecks defined', severity: 'MEDIUM', check: () => {
+      if (!fs.existsSync('docker-compose.yml') && !fs.existsSync('Dockerfile')) return { skipped: true, reason: 'No Docker files' };
+      const content = fs.existsSync('docker-compose.yml') ? fs.readFileSync('docker-compose.yml', 'utf8') : fs.readFileSync('Dockerfile', 'utf8');
+      return content.toLowerCase().includes('healthcheck');
+    }},
+    { id: 'DOCK-04', name: 'Non-root user in Dockerfile', severity: 'MEDIUM', check: () => {
+      if (!fs.existsSync('Dockerfile')) return { skipped: true, reason: 'No Dockerfile' };
+      const content = fs.readFileSync('Dockerfile', 'utf8');
+      return content.includes('USER ') && !content.includes('USER root');
+    }},
+  ],
+
+  compliance: [
+    { id: 'COMP-01', name: 'Privacy Policy exists', severity: 'HIGH', check: () => fs.existsSync('privacy.md') || fs.existsSync('PRIVACY.md') || findInSource('/privacy').found },
+    { id: 'COMP-02', name: 'Terms of Service exists', severity: 'HIGH', check: () => fs.existsSync('terms.md') || fs.existsSync('TERMS.md') || findInSource('/terms').found },
+    { id: 'COMP-03', name: 'CHANGELOG exists', severity: 'MEDIUM', check: () => fs.existsSync('CHANGELOG.md') },
+  ],
+};
+
+// ─────────────────────────────────────────────
+// AI AUDIT PROMPT — matches current deployed state
+// ─────────────────────────────────────────────
+const AI_PROMPT = `You are auditing the NAVADA Edge Platform as deployed TODAY. Be precise — only reference what actually exists.
+
+CURRENT STATE (March 2026):
+- CLI: navada-edge-cli v3.4.1 on npm, 75 commands, 10 local tools (shell, files, python, sandbox)
+- SDK: navada-edge-sdk v1.2.0 on npm, zero deps
+- AI Providers: 6 (NAVADA free via OpenAI proxy, Anthropic, OpenAI, Gemini, NVIDIA, HuggingFace)
+- Free tier: Full tool use via GPT-4o-mini proxied through NAVADA dashboard, no API key needed
+- Auth: Clerk on portal (portal.navada-edge-server.uk), API keys (nv_edge_ format, 56 chars)
+- Key storage: File-based JSON (data/user-keys.json) — NOT in a database yet
+- Keys: Generated with crypto.randomBytes(24), stored as plaintext JSON — NOT hashed with bcrypt yet
+- IP sanitiser: Strips 100.x.x.x, 192.168.x.x, 10.x.x.x from user-facing responses
+- Dashboard: Express on :7900, WebSocket on /ws, SSE for metrics
+- Portal: Next.js + Clerk on :3500, via Cloudflare tunnel
+- Infrastructure: 4 Docker nodes (ASUS 9, EC2 7, Oracle 8, HP 2 = 26 containers)
+- Networking: Tailscale VPN mesh, Cloudflare tunnel (18 subdomains), navada-edge Docker network
+- Database: PostgreSQL 17 on HP :5433 (host, not Docker) — used for projects, NOT for user data yet
+- Registry: Private Docker registry at ASUS:5000
+- Portainer: Oracle :9000 managing all 4 nodes via agents
+- Azure Key Vault: navada-edge-vault stores all secrets, user keys synced on create/revoke
+
+NOT YET BUILT:
+- Edge Compute MCP (/offload, /sessions, /attach)
+- Agent customisation (agent.md, sub-agents)
+- Azure compute node
+- Billing/metering
+- User data in PostgreSQL (still file-based)
+- bcrypt key hashing
+- GDPR endpoints (deletion, export)
+- OpenAPI spec
+- Privacy Policy / Terms of Service
+
+Based on the static check results, audit:
+1. SECURITY: Key handling, auth, IP exposure, file permissions, secret management
+2. API DESIGN: Versioning, rate limiting, error handling, CORS, WebSocket auth
+3. DATA: User isolation, key masking, storage security, vault sync
+4. DOCKER: Compose management, healthchecks, restart policies, network isolation
+5. GAPS: What must be fixed before first paying customer (prioritised)
+
+For each finding: [PASS/FAIL/PARTIAL] — ID — Item — Severity — One-line fix
+End with: Top 5 priorities before first customer (numbered, actionable).`;
+
+// ─────────────────────────────────────────────
+// RUN CHECKS
+// ─────────────────────────────────────────────
+function runCheck(check) {
+  try {
+    const r = check.check();
+    if (r === true) return 'PASS';
+    if (r === false) return 'FAIL';
+    if (r && r.skipped) return 'SKIP';
+    if (r && r.pass === false) return 'FAIL';
+    return 'PASS';
+  } catch { return 'ERROR'; }
+}
+
+async function runAIAudit(staticSummary) {
+  const apiKey = config.get('anthropicKey') || process.env.ANTHROPIC_API_KEY;
+  if (!apiKey) return null;
+
+  const https = require('https');
+  const body = JSON.stringify({
+    model: 'claude-sonnet-4-20250514',
+    max_tokens: 4000,
+    messages: [{ role: 'user', content: `${AI_PROMPT}\n\nSTATIC RESULTS:\n${staticSummary}` }],
+  });
+
+  return new Promise((resolve) => {
+    const req = https.request('https://api.anthropic.com/v1/messages', {
+      method: 'POST',
+      headers: { 'x-api-key': apiKey, 'anthropic-version': '2023-06-01', 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) },
+      timeout: 60000,
+    }, (res) => {
+      let data = '';
+      res.on('data', c => data += c);
+      res.on('end', () => {
+        try {
+          const d = JSON.parse(data);
+          resolve(d.content?.[0]?.text || d.error?.message || 'No response');
+        } catch { resolve('Failed to parse AI response'); }
+      });
+    });
+    req.on('error', (e) => resolve(`AI audit error: ${e.message}`));
+    req.on('timeout', () => { req.destroy(); resolve('AI audit timed out'); });
+    req.write(body);
+    req.end();
+  });
+}
+
+// ─────────────────────────────────────────────
+// CLI COMMAND REGISTRATION
+// ─────────────────────────────────────────────
+module.exports = function(reg) {
+
+  reg('audit', 'Enterprise security and compliance audit', async (args) => {
+    const section = args[0];
+    const saveFlag = args.includes('--save');
+    const jsonFlag = args.includes('--json');
+
+    if (section === 'help') {
+      console.log(ui.header('NAVADA ENTERPRISE AUDIT'));
+      console.log(ui.cmd('audit', 'Full audit (all sections)'));
+      console.log(ui.cmd('audit cli', 'CLI standards checks'));
+      console.log(ui.cmd('audit security', 'Security checks'));
+      console.log(ui.cmd('audit api', 'API design checks'));
+      console.log(ui.cmd('audit data', 'Data management checks'));
+      console.log(ui.cmd('audit docker', 'Docker/infrastructure checks'));
+      console.log(ui.cmd('audit compliance', 'Compliance checks'));
+      console.log('');
+      console.log(ui.dim('Flags: --save (save report)  --json (machine output)'));
+      return;
+    }
+
+    const startTime = Date.now();
+    if (!jsonFlag) console.log(ui.header('NAVADA ENTERPRISE AUDIT'));
+
+    // Determine sections to run
+    const validSections = Object.keys(CHECKS);
+    const sections = section && validSections.includes(section) ? { [section]: CHECKS[section] } : CHECKS;
+
+    if (section && !validSections.includes(section) && section !== '--save' && section !== '--json') {
+      console.log(ui.error(`Unknown section: ${section}`));
+      console.log(ui.dim(`Available: ${validSections.join(', ')}`));
+      return;
+    }
+
+    // Run static checks
+    const results = {};
+    let pass = 0, fail = 0, skip = 0;
+    const criticals = [];
+
+    for (const [name, checks] of Object.entries(sections)) {
+      results[name] = [];
+      if (!jsonFlag) console.log(`\n  ${ui.dim(name.toUpperCase())}`);
+
+      for (const check of checks) {
+        const status = runCheck(check);
+        results[name].push({ id: check.id, name: check.name, severity: check.severity, status });
+
+        if (status === 'PASS') pass++;
+        else if (status === 'FAIL') { fail++; if (check.severity === 'CRITICAL') criticals.push(check); }
+        else skip++;
+
+        if (!jsonFlag) {
+          const icon = status === 'PASS' ? '\x1b[32mPASS\x1b[0m' : status === 'FAIL' ? '\x1b[31mFAIL\x1b[0m' : '\x1b[2mSKIP\x1b[0m';
+          const sev = check.severity === 'CRITICAL' ? '\x1b[31m' : check.severity === 'HIGH' ? '\x1b[33m' : '\x1b[2m';
+          console.log(`    ${icon}  ${sev}${check.severity.padEnd(8)}\x1b[0m  ${check.id}  ${check.name}`);
+        }
+      }
+    }
+
+    // Summary
+    const total = pass + fail + skip;
+    const rate = Math.round((pass / (total - skip)) * 100);
+    const elapsed = ((Date.now() - startTime) / 1000).toFixed(1);
+
+    if (!jsonFlag) {
+      console.log(ui.header('SUMMARY'));
+      console.log(ui.label('PASS', String(pass)));
+      console.log(ui.label('FAIL', String(fail)));
+      console.log(ui.label('SKIP', String(skip)));
+      console.log(ui.label('Pass rate', `${rate}%`));
+      console.log(ui.label('Time', `${elapsed}s`));
+
+      if (criticals.length > 0) {
+        console.log('');
+        console.log(ui.error('CRITICAL FAILURES:'));
+        for (const c of criticals) console.log(ui.error(`  ${c.id} — ${c.name}`));
+      }
+    }
+
+    // AI audit (if no specific section and API key available)
+    let aiResult = null;
+    if (!section || section === '--save') {
+      const summary = Object.entries(results).map(([s, checks]) =>
+        `[${s.toUpperCase()}]\n` + checks.map(c => `  ${c.status.padEnd(5)} ${c.id} — ${c.name}`).join('\n')
+      ).join('\n');
+
+      if (!jsonFlag) console.log(ui.dim('\n  Running AI audit...'));
+      aiResult = await runAIAudit(summary);
+      if (aiResult && !jsonFlag) {
+        console.log(ui.header('AI AUDIT FINDINGS'));
+        console.log(`  ${aiResult}`);
+      }
+    }
+
+    // Save report
+    if (saveFlag) {
+      const report = { meta: { date: new Date().toISOString(), elapsed, cwd: process.cwd() }, summary: { total, pass, fail, skip, rate }, results, aiAudit: aiResult };
+      try {
+        fs.mkdirSync(REPORTS_DIR, { recursive: true });
+        const file = path.join(REPORTS_DIR, `audit-${new Date().toISOString().replace(/[:.]/g, '-')}.json`);
+        fs.writeFileSync(file, JSON.stringify(report, null, 2));
+        if (!jsonFlag) console.log(ui.success(`Report saved: ${file}`));
+      } catch (e) { if (!jsonFlag) console.log(ui.warn(`Could not save: ${e.message}`)); }
+    }
+
+    if (jsonFlag) {
+      console.log(JSON.stringify({ summary: { total, pass, fail, skip, rate }, results, aiAudit: aiResult }, null, 2));
+    }
+
+  }, { category: 'SYSTEM', subs: ['cli', 'security', 'api', 'data', 'docker', 'compliance', 'help'] });
+};

package/lib/commands/compute.js

@@ -0,0 +1,225 @@
+'use strict';
+
+const navada = require('navada-edge-sdk');
+const ui = require('../ui');
+const config = require('../config');
+const https = require('https');
+const http = require('http');
+
+const COMPUTE_ENDPOINT = 'https://edge-compute.navada-edge-server.uk';
+
+function getEdgeKey() {
+  return config.get('edgeKey') || '';
+}
+
+function request(method, path, body) {
+  const key = getEdgeKey();
+  if (!key) return Promise.reject(new Error('Not connected. Run /edge login <key> first.'));
+
+  const url = new URL(COMPUTE_ENDPOINT + path);
+  const transport = url.protocol === 'https:' ? https : http;
+  const payload = body ? JSON.stringify(body) : '';
+
+  return new Promise((resolve, reject) => {
+    const req = transport.request(url, {
+      method,
+      headers: {
+        'Content-Type': 'application/json',
+        'x-api-key': key,
+        ...(payload ? { 'Content-Length': Buffer.byteLength(payload) } : {}),
+      },
+      timeout: 30000,
+    }, (res) => {
+      let data = '';
+      res.on('data', c => data += c);
+      res.on('end', () => {
+        try { resolve({ status: res.statusCode, data: JSON.parse(data) }); }
+        catch { resolve({ status: res.statusCode, data }); }
+      });
+    });
+    req.on('error', reject);
+    req.on('timeout', () => { req.destroy(); reject(new Error('Timeout')); });
+    if (payload) req.write(payload);
+    req.end();
+  });
+}
+
+module.exports = function(reg) {
+
+  // ── /offload ── Send a task to the cloud
+  reg('offload', 'Run a task on the Edge Network (24/7 cloud)', async (args) => {
+    if (!args.length) {
+      console.log(ui.header('EDGE COMPUTE — OFFLOAD'));
+      console.log(ui.cmd('offload <command>', 'Run a shell command on EC2'));
+      console.log(ui.cmd('offload --python <code>', 'Run Python code on EC2'));
+      console.log(ui.cmd('offload --js <code>', 'Run JavaScript on EC2'));
+      console.log(ui.cmd('offload --name <name> <cmd>', 'Name the task'));
+      console.log('');
+      console.log(ui.dim('Examples:'));
+      console.log(ui.dim('  /offload npm test'));
+      console.log(ui.dim('  /offload --python "import time; time.sleep(60); print(\'done\')"'));
+      console.log(ui.dim('  /offload --name "nightly-backup" tar czf backup.tar.gz /data'));
+      console.log('');
+      console.log(ui.dim('Requires Edge Network connection: /edge login <key>'));
+      return;
+    }
+
+    const isPython = args.includes('--python');
+    const isJs = args.includes('--js');
+    const nameIdx = args.indexOf('--name');
+    let name = 'task';
+    let filteredArgs = [...args];
+
+    if (nameIdx >= 0) {
+      name = args[nameIdx + 1] || 'task';
+      filteredArgs.splice(nameIdx, 2);
+    }
+    filteredArgs = filteredArgs.filter(a => a !== '--python' && a !== '--js');
+
+    const body = {};
+    if (isPython) {
+      body.code = filteredArgs.join(' ');
+      body.language = 'python';
+    } else if (isJs) {
+      body.code = filteredArgs.join(' ');
+      body.language = 'javascript';
+    } else {
+      body.command = filteredArgs.join(' ');
+    }
+    body.name = name;
+
+    const ora = require('ora');
+    const spinner = ora({ text: '  Offloading to Edge Network...', color: 'white' }).start();
+
+    try {
+      const r = await request('POST', '/offload', body);
+      spinner.stop();
+
+      if (r.status === 201) {
+        console.log(ui.success(`Task offloaded: ${r.data.session.id}`));
+        console.log(ui.label('Session', r.data.session.id));
+        console.log(ui.label('Task', r.data.session.task));
+        console.log(ui.label('Status', r.data.session.status));
+        console.log('');
+        console.log(ui.dim(`Track: /sessions`));
+        console.log(ui.dim(`Output: /attach ${r.data.session.id}`));
+      } else if (r.status === 401) {
+        console.log(ui.error('Invalid API key. Run /edge login <key>'));
+      } else if (r.status === 429) {
+        console.log(ui.warn(r.data.error || 'Concurrent task limit reached'));
+      } else {
+        console.log(ui.error(r.data.error || `HTTP ${r.status}`));
+      }
+    } catch (e) {
+      spinner.stop();
+      console.log(ui.error(`Edge Compute unreachable: ${e.message}`));
+      console.log(ui.dim('The Edge Network may be offline. Try /doctor'));
+    }
+  }, { category: 'EDGE' });
+
+  // ── /sessions ── List cloud sessions
+  reg('sessions', 'View Edge Network task sessions', async () => {
+    const ora = require('ora');
+    const spinner = ora({ text: '  Loading sessions...', color: 'white' }).start();
+
+    try {
+      const r = await request('GET', '/sessions');
+      spinner.stop();
+
+      if (r.status === 401) { console.log(ui.error('Not connected. /edge login <key>')); return; }
+      if (r.status !== 200) { console.log(ui.error(r.data.error || `HTTP ${r.status}`)); return; }
+
+      console.log(ui.header('EDGE SESSIONS'));
+      const sessions = r.data.sessions || [];
+
+      if (sessions.length === 0) {
+        console.log(ui.dim('No sessions yet. /offload <command> to start one.'));
+        return;
+      }
+
+      for (const s of sessions) {
+        const statusColor = s.status === 'completed' ? '\x1b[32m' : s.status === 'running' ? '\x1b[33m' : '\x1b[31m';
+        const statusLabel = `${statusColor}${s.status.toUpperCase()}\x1b[0m`;
+        const age = s.completedAt ? timeSince(s.completedAt) : timeSince(s.createdAt);
+        console.log(`  ${statusLabel}  ${s.id.slice(0, 16)}  ${(s.task || '').padEnd(20)}  ${age}`);
+      }
+
+      console.log('');
+      console.log(ui.label('Total', String(r.data.total)));
+      console.log(ui.label('Limits', `${r.data.limits.concurrent} concurrent, ${Math.round(r.data.limits.maxRuntime / 60000)}min max`));
+      console.log('');
+      console.log(ui.dim('Details: /attach <session-id>'));
+    } catch (e) {
+      spinner.stop();
+      console.log(ui.error(`Edge Compute unreachable: ${e.message}`));
+    }
+  }, { category: 'EDGE' });
+
+  // ── /attach ── Stream session output
+  reg('attach', 'Attach to a running Edge session (stream output)', async (args) => {
+    const id = args[0];
+    if (!id) {
+      console.log(ui.dim('Usage: /attach <session-id>'));
+      console.log(ui.dim('List sessions: /sessions'));
+      return;
+    }
+
+    // If short ID, try to match
+    const sessionId = id.startsWith('ses_') ? id : `ses_${id}`;
+
+    try {
+      const r = await request('GET', `/session/${sessionId}`);
+      if (r.status === 404) { console.log(ui.error('Session not found')); return; }
+      if (r.status === 401) { console.log(ui.error('Not connected. /edge login <key>')); return; }
+
+      const s = r.data;
+      console.log(ui.header(`SESSION ${s.id}`));
+      console.log(ui.label('Task', s.task?.name || s.task?.command?.slice(0, 60) || '?'));
+      console.log(ui.label('Status', s.status));
+      console.log(ui.label('Created', s.createdAt));
+      if (s.completedAt) console.log(ui.label('Completed', s.completedAt));
+      if (s.exitCode !== null) console.log(ui.label('Exit code', String(s.exitCode)));
+      if (s.error) console.log(ui.label('Error', s.error));
+
+      if (s.output) {
+        console.log('');
+        console.log(ui.dim('── OUTPUT ──'));
+        console.log(s.output);
+      }
+
+      if (s.status === 'running') {
+        console.log('');
+        console.log(ui.dim('Session is running. Output will update on refresh.'));
+        console.log(ui.dim('Kill: /kill ' + s.id));
+      }
+    } catch (e) {
+      console.log(ui.error(`Edge Compute unreachable: ${e.message}`));
+    }
+  }, { category: 'EDGE' });
+
+  // ── /kill ── Kill a running session
+  reg('kill', 'Kill a running Edge session', async (args) => {
+    const id = args[0];
+    if (!id) { console.log(ui.dim('Usage: /kill <session-id>')); return; }
+    const sessionId = id.startsWith('ses_') ? id : `ses_${id}`;
+
+    try {
+      const r = await request('DELETE', `/session/${sessionId}`);
+      if (r.status === 200) {
+        console.log(ui.success(`Session ${sessionId} killed`));
+      } else {
+        console.log(ui.error(r.data.error || `HTTP ${r.status}`));
+      }
+    } catch (e) {
+      console.log(ui.error(e.message));
+    }
+  }, { category: 'EDGE' });
+};
+
+function timeSince(iso) {
+  const ms = Date.now() - new Date(iso).getTime();
+  if (ms < 60000) return `${Math.round(ms / 1000)}s ago`;
+  if (ms < 3600000) return `${Math.round(ms / 60000)}m ago`;
+  if (ms < 86400000) return `${Math.round(ms / 3600000)}h ago`;
+  return `${Math.round(ms / 86400000)}d ago`;
+}

package/lib/commands/edge.js

@@ -9,6 +9,8 @@ const VALIDATE_ENDPOINTS = [
   'https://api.navada-edge-server.uk/api/v1/public/validate-key',
 ];
 
+const { sessionState, listSubAgents } = require('../agent');
+
 module.exports = function(reg) {
 
   // /onboard — open portal in browser
@@ -51,9 +53,10 @@ module.exports = function(reg) {
       console.log(ui.cmd('edge status', 'Check your Edge Network connection'));
       console.log(ui.cmd('edge logout', 'Disconnect from Edge Network'));
       console.log(ui.cmd('edge tier', 'Show your current tier and limits'));
+      console.log(ui.cmd('edge setup', 'Create agent.md and sub-agents directory'));
       console.log(ui.cmd('onboard', 'Create account and get API key'));
       console.log('');
-      console.log(ui.dim('Get started: /onboard'));
+      console.log(ui.dim('Get started: /onboard  |  Customise: /edge setup'));
       return;
     }
 
@@ -179,8 +182,133 @@ module.exports = function(reg) {
       return;
     }
 
+    // /edge setup — create agent.md and agents/ directory
+    if (sub === 'setup') {
+      const fs = require('fs');
+      const path = require('path');
+      const agentDir = path.join(config.CONFIG_DIR, 'agents');
+      const agentMd = path.join(config.CONFIG_DIR, 'agent.md');
+
+      console.log(ui.header('NAVADA EDGE — AGENT SETUP'));
+
+      // Create directories
+      if (!fs.existsSync(config.CONFIG_DIR)) fs.mkdirSync(config.CONFIG_DIR, { recursive: true });
+      if (!fs.existsSync(agentDir)) fs.mkdirSync(agentDir, { recursive: true });
+
+      // Create agent.md if it doesn't exist
+      if (!fs.existsSync(agentMd)) {
+        fs.writeFileSync(agentMd, `# My NAVADA Agent
+
+## About Me
+<!-- Tell the agent who you are, what you do, what stack you use -->
+I am a developer working on...
+
+## My Infrastructure
+<!-- Describe your servers, services, databases -->
+- ...
+
+## Preferences
+<!-- How should the agent behave? What tone? What conventions? -->
+- Be concise and technical
+- Use TypeScript for new code
+- Always explain changes before making them
+
+## Automation Rules
+<!-- What should the agent do automatically? -->
+- ...
+`);
+        console.log(ui.success('Created ~/.navada/agent.md'));
+        console.log(ui.dim('  Edit this file to customise your agent\'s personality and context.'));
+      } else {
+        console.log(ui.dim('  agent.md already exists'));
+      }
+
+      // Create example sub-agent
+      const exampleAgent = path.join(agentDir, 'deploy-bot.md');
+      if (!fs.existsSync(exampleAgent)) {
+        fs.writeFileSync(exampleAgent, `You are a deployment specialist agent. When the user asks you to deploy, you:
+1. Check the current git status
+2. Run tests if a test script exists
+3. Build the Docker image
+4. Push to the registry at 100.88.118.128:5000
+5. Deploy to the target node via SSH
+
+Be methodical. Confirm each step before proceeding. Report any failures immediately.
+`);
+        console.log(ui.success('Created ~/.navada/agents/deploy-bot.md (example)'));
+      }
+
+      console.log('');
+      console.log(ui.label('Agent config', agentMd));
+      console.log(ui.label('Sub-agents', agentDir));
+      console.log('');
+      console.log(ui.dim('Your agent.md is loaded every time you chat.'));
+      console.log(ui.dim('Sub-agents: /agent list | /agent use deploy-bot'));
+      return;
+    }
+
     console.log(ui.dim('Unknown subcommand. Try /edge help'));
 
-  }, { category: 'EDGE', subs: ['login', 'status', 'logout', 'tier', 'help'] });
+  }, { category: 'EDGE', subs: ['login', 'status', 'logout', 'tier', 'setup', 'help'] });
+
+  // ── /agent ── Manage sub-agents
+  reg('agent', 'Manage NAVADA sub-agents', (args) => {
+    const sub = args[0];
+    const fs = require('fs');
+    const path = require('path');
+
+    if (!sub || sub === 'list') {
+      const agents = listSubAgents();
+      console.log(ui.header('SUB-AGENTS'));
+      if (agents.length === 0) {
+        console.log(ui.dim('No sub-agents. Create one: /edge setup'));
+        return;
+      }
+      for (const a of agents) {
+        const active = sessionState.subAgent === a ? ' \x1b[32m(active)\x1b[0m' : '';
+        console.log(ui.label(a, active));
+      }
+      console.log('');
+      console.log(ui.dim('Use: /agent use <name>  |  Off: /agent off'));
+      return;
+    }
+
+    if (sub === 'use' && args[1]) {
+      const name = args[1];
+      const agentFile = path.join(config.CONFIG_DIR, 'agents', `${name}.md`);
+      if (!fs.existsSync(agentFile)) {
+        console.log(ui.error(`Sub-agent not found: ${name}`));
+        console.log(ui.dim('Available: ' + (listSubAgents().join(', ') || 'none')));
+        return;
+      }
+      sessionState.subAgent = name;
+      console.log(ui.success(`Sub-agent activated: ${name}`));
+      console.log(ui.dim('The agent will now use this persona. /agent off to reset.'));
+      return;
+    }
+
+    if (sub === 'off' || sub === 'reset') {
+      sessionState.subAgent = null;
+      console.log(ui.success('Sub-agent deactivated. Using default NAVADA agent.'));
+      return;
+    }
+
+    if (sub === 'show' && args[1]) {
+      const agentFile = path.join(config.CONFIG_DIR, 'agents', `${args[1]}.md`);
+      if (!fs.existsSync(agentFile)) { console.log(ui.error('Not found')); return; }
+      console.log(ui.header(`AGENT: ${args[1]}`));
+      console.log(fs.readFileSync(agentFile, 'utf-8'));
+      return;
+    }
+
+    console.log(ui.header('AGENT COMMANDS'));
+    console.log(ui.cmd('agent list', 'List all sub-agents'));
+    console.log(ui.cmd('agent use <name>', 'Activate a sub-agent'));
+    console.log(ui.cmd('agent off', 'Deactivate sub-agent'));
+    console.log(ui.cmd('agent show <name>', 'View sub-agent prompt'));
+    console.log('');
+    console.log(ui.dim('Create agents: /edge setup'));
+    console.log(ui.dim('Agents live in: ~/.navada/agents/<name>.md'));
+  }, { category: 'EDGE', subs: ['list', 'use', 'off', 'show', 'reset'] });
 
 };

package/lib/commands/index.js

@@ -6,7 +6,7 @@ const { register } = require('../registry');
 const moduleNames = [
   'network', 'mcp', 'lucas', 'docker', 'database', 'cloudflare',
   'ai', 'azure', 'agents', 'tasks', 'keys', 'setup', 'system',
-  'learn', 'sandbox', 'nvidia', 'edge', 'conversations',
+  'learn', 'sandbox', 'nvidia', 'edge', 'conversations', 'audit', 'compute',
 ];
 
 function loadAll() {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "navada-edge-cli",
-  "version": "3.4.0",
+  "version": "3.5.0",
   "description": "Interactive CLI for the NAVADA Edge Network — explore nodes, agents, Cloudflare, AI, Docker, and MCP from your terminal",
   "main": "lib/cli.js",
   "bin": {