opena2a-cli 0.1.2 → 0.3.0

package/dist/shield/findings.js

@@ -0,0 +1,336 @@
+"use strict";
+/**
+ * Shield Finding Taxonomy and Classification Engine.
+ *
+ * Maps Shield events to standardized finding IDs with:
+ * - OWASP Agentic Security Index (ASI) compliance references
+ * - MITRE ATLAS technique references
+ * - Actionable remediation commands
+ * - Severity classification
+ *
+ * Finding ID format: SHIELD-{CATEGORY}-{NUMBER}
+ *   Categories: CRED (credential), POL (policy), PROC (process/runtime),
+ *               INT (integrity), SUP (supply chain), BAS (behavioral)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FINDING_CATALOG = void 0;
+exports.classifyEvent = classifyEvent;
+exports.classifyEvents = classifyEvents;
+exports.classifyViolation = classifyViolation;
+exports.getRemediation = getRemediation;
+// ---------------------------------------------------------------------------
+// Finding Catalog
+// ---------------------------------------------------------------------------
+exports.FINDING_CATALOG = {
+    'SHIELD-CRED-001': {
+        id: 'SHIELD-CRED-001',
+        title: 'Anthropic API key exposed in source',
+        severity: 'critical',
+        category: 'cred',
+        owaspAgentic: 'ASI04',
+        mitreAtlas: 'AML.T0025',
+        remediation: 'opena2a protect --dir . && git filter-repo --path <file> --invert-paths',
+        description: 'An Anthropic API key was found hardcoded in source files. This key grants full API access and can result in unauthorized billing.',
+    },
+    'SHIELD-CRED-002': {
+        id: 'SHIELD-CRED-002',
+        title: 'OpenAI API key exposed in source',
+        severity: 'critical',
+        category: 'cred',
+        owaspAgentic: 'ASI04',
+        mitreAtlas: 'AML.T0025',
+        remediation: 'opena2a protect --dir . && git filter-repo --path <file> --invert-paths',
+        description: 'An OpenAI API key was found hardcoded in source files. Exposed keys are exploited within minutes of public disclosure.',
+    },
+    'SHIELD-CRED-003': {
+        id: 'SHIELD-CRED-003',
+        title: 'GitHub token exposed in source',
+        severity: 'high',
+        category: 'cred',
+        owaspAgentic: 'ASI04',
+        mitreAtlas: 'AML.T0025',
+        remediation: 'opena2a protect --dir . && gh auth refresh',
+        description: 'A GitHub token was found hardcoded in source files. This token may grant repository access including private repos and org resources.',
+    },
+    'SHIELD-CRED-004': {
+        id: 'SHIELD-CRED-004',
+        title: 'Generic API key or secret exposed',
+        severity: 'medium',
+        category: 'cred',
+        owaspAgentic: 'ASI04',
+        mitreAtlas: 'AML.T0025',
+        remediation: 'opena2a protect --dir .',
+        description: 'A generic API key or secret was found in a variable assignment. Move it to environment variables or a secrets manager.',
+    },
+    'SHIELD-POL-001': {
+        id: 'SHIELD-POL-001',
+        title: 'No security policy defined',
+        severity: 'high',
+        category: 'pol',
+        owaspAgentic: 'ASI03',
+        mitreAtlas: 'AML.T0040',
+        remediation: 'opena2a shield init',
+        description: 'No Shield security policy is configured. Without a policy, all agent actions are unmonitored and unrestricted.',
+    },
+    'SHIELD-POL-002': {
+        id: 'SHIELD-POL-002',
+        title: 'Policy violation -- action blocked',
+        severity: 'high',
+        category: 'pol',
+        owaspAgentic: 'ASI02',
+        mitreAtlas: 'AML.T0040',
+        remediation: 'opena2a shield policy',
+        description: 'An agent action was blocked by the security policy. Review the policy to confirm the block is intentional or adjust rules.',
+    },
+    'SHIELD-POL-003': {
+        id: 'SHIELD-POL-003',
+        title: 'Policy in monitor-only mode',
+        severity: 'medium',
+        category: 'pol',
+        owaspAgentic: 'ASI03',
+        mitreAtlas: 'AML.T0040',
+        remediation: 'opena2a shield policy --enforce',
+        description: 'The security policy is in monitor-only mode. Violations are logged but not blocked. Consider enabling enforcement.',
+    },
+    'SHIELD-PROC-001': {
+        id: 'SHIELD-PROC-001',
+        title: 'Suspicious process spawned by agent',
+        severity: 'high',
+        category: 'proc',
+        owaspAgentic: 'ASI05',
+        mitreAtlas: 'AML.T0006',
+        remediation: 'opena2a shield evaluate --action process.spawn --target <binary>',
+        description: 'An AI agent spawned a process that was flagged as suspicious by the runtime protection engine.',
+    },
+    'SHIELD-PROC-002': {
+        id: 'SHIELD-PROC-002',
+        title: 'Network connection anomaly detected',
+        severity: 'medium',
+        category: 'proc',
+        owaspAgentic: 'ASI07',
+        mitreAtlas: 'AML.T0007',
+        remediation: 'opena2a shield evaluate --action network.connect --target <host>',
+        description: 'An anomalous network connection was made by an AI agent. This may indicate data exfiltration or C2 communication.',
+    },
+    'SHIELD-INT-001': {
+        id: 'SHIELD-INT-001',
+        title: 'Configuration file tampered',
+        severity: 'critical',
+        category: 'int',
+        owaspAgentic: 'ASI10',
+        mitreAtlas: 'AML.T0011',
+        remediation: 'opena2a guard diff && opena2a guard resign',
+        description: 'A monitored configuration file has been modified without authorization. The file signature no longer matches the stored hash.',
+    },
+    'SHIELD-INT-002': {
+        id: 'SHIELD-INT-002',
+        title: 'Event hash chain integrity broken',
+        severity: 'critical',
+        category: 'int',
+        owaspAgentic: 'ASI10',
+        mitreAtlas: 'AML.T0006',
+        remediation: 'opena2a shield selfcheck && opena2a shield recover --forensic',
+        description: 'The tamper-evident event log hash chain has been broken. This indicates log tampering or corruption.',
+    },
+    'SHIELD-INT-003': {
+        id: 'SHIELD-INT-003',
+        title: 'Configuration files not signed',
+        severity: 'medium',
+        category: 'int',
+        owaspAgentic: 'ASI09',
+        mitreAtlas: 'AML.T0011',
+        remediation: 'opena2a guard snapshot',
+        description: 'Monitored configuration files do not have cryptographic signatures. Enable ConfigGuard signing to detect unauthorized changes.',
+    },
+    'SHIELD-SUP-001': {
+        id: 'SHIELD-SUP-001',
+        title: 'Security advisory found in dependency',
+        severity: 'high',
+        category: 'sup',
+        owaspAgentic: 'ASI04',
+        mitreAtlas: 'AML.T0024',
+        remediation: 'npm audit fix || go get -u <package>',
+        description: 'A known security vulnerability was found in an installed dependency. Update the package to a patched version.',
+    },
+    'SHIELD-SUP-002': {
+        id: 'SHIELD-SUP-002',
+        title: 'Low-trust package installed',
+        severity: 'medium',
+        category: 'sup',
+        owaspAgentic: 'ASI04',
+        mitreAtlas: 'AML.T0024',
+        remediation: 'opena2a registry check <package>',
+        description: 'A package with a low trust score was installed. Review the package for legitimacy before use in production.',
+    },
+    'SHIELD-BAS-001': {
+        id: 'SHIELD-BAS-001',
+        title: 'Behavioral anomaly detected',
+        severity: 'medium',
+        category: 'bas',
+        owaspAgentic: 'ASI10',
+        mitreAtlas: 'AML.T0043',
+        remediation: 'opena2a shield baseline --agent <agent>',
+        description: 'An agent exhibited behavior that deviates significantly from its established baseline. Review the agent activity log.',
+    },
+};
+// ---------------------------------------------------------------------------
+// Classification Logic
+// ---------------------------------------------------------------------------
+/**
+ * Map a single Shield event to its finding definition.
+ * Returns null if the event does not match any known finding pattern.
+ */
+function classifyEvent(event) {
+    // Credential findings
+    if (event.source === 'secretless' || event.category === 'credential-finding') {
+        const target = (event.target ?? '').toLowerCase();
+        const action = (event.action ?? '').toLowerCase();
+        if (target.includes('anthropic') || action.includes('anthropic') ||
+            event.detail?.findingId === 'CRED-001') {
+            return exports.FINDING_CATALOG['SHIELD-CRED-001'];
+        }
+        if (target.includes('openai') || action.includes('openai') ||
+            event.detail?.findingId === 'CRED-002') {
+            return exports.FINDING_CATALOG['SHIELD-CRED-002'];
+        }
+        if (target.includes('github') || action.includes('github') ||
+            event.detail?.findingId === 'CRED-003') {
+            return exports.FINDING_CATALOG['SHIELD-CRED-003'];
+        }
+        // Generic credential
+        return exports.FINDING_CATALOG['SHIELD-CRED-004'];
+    }
+    // ConfigGuard integrity findings
+    if (event.source === 'configguard') {
+        if (event.outcome === 'blocked' || event.action === 'tamper-detected' ||
+            event.detail?.outcome === 'tampered') {
+            return exports.FINDING_CATALOG['SHIELD-INT-001'];
+        }
+        if (event.action === 'unsigned' || event.category === 'config-unsigned') {
+            return exports.FINDING_CATALOG['SHIELD-INT-003'];
+        }
+    }
+    // Shield diagnostic events: only integrity failures are real findings.
+    // All other shield-source events (posture-assessment, credential-finding,
+    // shield.init, shield.posture, shield.credential) are internal scans.
+    if (event.source === 'shield') {
+        if (event.category === 'integrity' && event.severity === 'critical') {
+            return exports.FINDING_CATALOG['SHIELD-INT-002'];
+        }
+        return null; // All other shield events are diagnostic, not findings
+    }
+    // ARP runtime findings
+    if (event.source === 'arp') {
+        if (event.category === 'process.spawn' || event.category?.startsWith('process')) {
+            return exports.FINDING_CATALOG['SHIELD-PROC-001'];
+        }
+        if (event.category?.startsWith('network')) {
+            return exports.FINDING_CATALOG['SHIELD-PROC-002'];
+        }
+        if (event.category === 'anomaly' || event.category === 'behavioral-anomaly') {
+            return exports.FINDING_CATALOG['SHIELD-BAS-001'];
+        }
+    }
+    // Registry / supply chain findings
+    if (event.source === 'registry' || event.category?.includes('supply-chain')) {
+        if (event.severity === 'high' || event.severity === 'critical') {
+            return exports.FINDING_CATALOG['SHIELD-SUP-001'];
+        }
+        return exports.FINDING_CATALOG['SHIELD-SUP-002'];
+    }
+    // Policy findings
+    if (event.outcome === 'blocked') {
+        return exports.FINDING_CATALOG['SHIELD-POL-002'];
+    }
+    if (event.outcome === 'monitored' && (event.severity === 'high' || event.severity === 'critical')) {
+        return exports.FINDING_CATALOG['SHIELD-POL-003'];
+    }
+    return null;
+}
+/**
+ * Classify a batch of events into deduplicated findings with counts.
+ * Returns findings sorted by severity (critical first), then by count.
+ */
+function classifyEvents(events) {
+    const map = new Map();
+    for (const event of events) {
+        const finding = classifyEvent(event);
+        if (!finding)
+            continue;
+        const existing = map.get(finding.id);
+        if (existing) {
+            existing.count += 1;
+            if (event.timestamp < existing.firstSeen)
+                existing.firstSeen = event.timestamp;
+            if (event.timestamp > existing.lastSeen)
+                existing.lastSeen = event.timestamp;
+            if (existing.examples.length < 3)
+                existing.examples.push(event);
+        }
+        else {
+            map.set(finding.id, {
+                finding,
+                count: 1,
+                firstSeen: event.timestamp,
+                lastSeen: event.timestamp,
+                examples: [event],
+            });
+        }
+    }
+    const severityOrder = {
+        critical: 0, high: 1, medium: 2, low: 3, info: 4,
+    };
+    return Array.from(map.values()).sort((a, b) => {
+        const sevDiff = severityOrder[a.finding.severity] - severityOrder[b.finding.severity];
+        if (sevDiff !== 0)
+            return sevDiff;
+        return b.count - a.count;
+    });
+}
+/**
+ * Map a PolicyViolation to a finding definition.
+ * Used to enrich violation data in reports.
+ */
+function classifyViolation(violation) {
+    const action = (violation.action ?? '').toLowerCase();
+    const target = (violation.target ?? '').toLowerCase();
+    // Credential-related violations
+    if (action.includes('credential') || action.includes('secret') || action.includes('key')) {
+        if (target.includes('anthropic'))
+            return exports.FINDING_CATALOG['SHIELD-CRED-001'];
+        if (target.includes('openai'))
+            return exports.FINDING_CATALOG['SHIELD-CRED-002'];
+        if (target.includes('github'))
+            return exports.FINDING_CATALOG['SHIELD-CRED-003'];
+        return exports.FINDING_CATALOG['SHIELD-CRED-004'];
+    }
+    // Process violations
+    if (action.includes('process') || action.includes('spawn') || action.includes('exec')) {
+        return exports.FINDING_CATALOG['SHIELD-PROC-001'];
+    }
+    // Network violations
+    if (action.includes('network') || action.includes('connect') || action.includes('http')) {
+        return exports.FINDING_CATALOG['SHIELD-PROC-002'];
+    }
+    // Config integrity violations
+    if (action.includes('config') || action.includes('tamper')) {
+        return exports.FINDING_CATALOG['SHIELD-INT-001'];
+    }
+    // Supply chain violations
+    if (action.includes('install') || action.includes('package') || action.includes('dependency')) {
+        return exports.FINDING_CATALOG['SHIELD-SUP-001'];
+    }
+    // Default: policy violation
+    if (violation.severity === 'critical' || violation.severity === 'high') {
+        return exports.FINDING_CATALOG['SHIELD-POL-002'];
+    }
+    return exports.FINDING_CATALOG['SHIELD-POL-003'];
+}
+/**
+ * Get the remediation command for a finding ID.
+ */
+function getRemediation(findingId) {
+    const finding = exports.FINDING_CATALOG[findingId];
+    return finding?.remediation ?? 'opena2a shield selfcheck';
+}
+//# sourceMappingURL=findings.js.map

package/dist/shield/findings.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"findings.js","sourceRoot":"","sources":["../../src/shield/findings.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG;;;AAgMH,sCAyEC;AAMD,wCAiCC;AAMD,8CAqCC;AAKD,wCAGC;AAxUD,8EAA8E;AAC9E,kBAAkB;AAClB,8EAA8E;AAEjE,QAAA,eAAe,GAAsC;IAChE,iBAAiB,EAAE;QACjB,EAAE,EAAE,iBAAiB;QACrB,KAAK,EAAE,qCAAqC;QAC5C,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,MAAM;QAChB,YAAY,EAAE,OAAO;QACrB,UAAU,EAAE,WAAW;QACvB,WAAW,EAAE,yEAAyE;QACtF,WAAW,EAAE,mIAAmI;KACjJ;IACD,iBAAiB,EAAE;QACjB,EAAE,EAAE,iBAAiB;QACrB,KAAK,EAAE,kCAAkC;QACzC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,MAAM;QAChB,YAAY,EAAE,OAAO;QACrB,UAAU,EAAE,WAAW;QACvB,WAAW,EAAE,yEAAyE;QACtF,WAAW,EAAE,wHAAwH;KACtI;IACD,iBAAiB,EAAE;QACjB,EAAE,EAAE,iBAAiB;QACrB,KAAK,EAAE,gCAAgC;QACvC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,MAAM;QAChB,YAAY,EAAE,OAAO;QACrB,UAAU,EAAE,WAAW;QACvB,WAAW,EAAE,4CAA4C;QACzD,WAAW,EAAE,uIAAuI;KACrJ;IACD,iBAAiB,EAAE;QACjB,EAAE,EAAE,iBAAiB;QACrB,KAAK,EAAE,mCAAmC;QAC1C,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,MAAM;QAChB,YAAY,EAAE,OAAO;QACrB,UAAU,EAAE,WAAW;QACvB,WAAW,EAAE,yBAAyB;QACtC,WAAW,EAAE,wHAAwH;KACtI;IACD,gBAAgB,EAAE;QAChB,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,4BAA4B;QACnC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,OAAO;QACrB,UAAU,EAAE,WAAW;QACvB,WAAW,EAAE,qBAAqB;QAClC,WAAW,EAAE,gHAAgH;KAC9H;IACD,gBAAgB,EAAE;QAChB,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,oCAAoC;QAC3C,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,OAAO;QACrB,UAAU,EAAE,WAAW;QACvB,WAAW,EAAE,uBAAuB;QACpC,WAAW,EAAE,4HAA4H;KAC1I;IACD,gBAAgB,EAAE;QAChB,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,6BAA6B;QACpC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,OAAO;QACrB,UAAU,EAAE,WAAW;QACvB,WAAW,EAAE,iCAAiC;QAC9C,WAAW,EAAE,oHAAoH;KAClI;IACD,iBAAiB,EAAE;QACjB,EAAE,EAAE,iBAAiB;QACrB,KAAK,EAAE,qCAAqC;QAC5C,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,MAAM;QAChB,YAAY,EAAE,OAAO;QACrB,UAAU,EAAE,WAAW;QACvB,WAAW,EAAE,kEAAkE;QAC/E,WAAW,EAAE,gGAAgG;KAC9G;IACD,iBAAiB,EAAE;QACjB,EAAE,EAAE,iBAAiB;QACrB,KAAK,EAAE,qCAAqC;QAC5C,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,MAAM;QAChB,YAAY,EAAE,OAAO;QACrB,UAAU,EAAE,WAAW;QACvB,WAAW,EAAE,kEAAkE;QAC/E,WAAW,EAAE,mHAAmH;KACjI;IACD,gBAAgB,EAAE;QAChB,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,6BAA6B;QACpC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,OAAO;QACrB,UAAU,EAAE,WAAW;QACvB,WAAW,EAAE,4CAA4C;QACzD,WAAW,EAAE,+HAA+H;KAC7I;IACD,gBAAgB,EAAE;QAChB,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,mCAAmC;QAC1C,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,OAAO;QACrB,UAAU,EAAE,WAAW;QACvB,WAAW,EAAE,+DAA+D;QAC5E,WAAW,EAAE,sGAAsG;KACpH;IACD,gBAAgB,EAAE;QAChB,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,gCAAgC;QACvC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,OAAO;QACrB,UAAU,EAAE,WAAW;QACvB,WAAW,EAAE,wBAAwB;QACrC,WAAW,EAAE,gIAAgI;KAC9I;IACD,gBAAgB,EAAE;QAChB,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,uCAAuC;QAC9C,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,OAAO;QACrB,UAAU,EAAE,WAAW;QACvB,WAAW,EAAE,sCAAsC;QACnD,WAAW,EAAE,+GAA+G;KAC7H;IACD,gBAAgB,EAAE;QAChB,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,6BAA6B;QACpC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,OAAO;QACrB,UAAU,EAAE,WAAW;QACvB,WAAW,EAAE,kCAAkC;QAC/C,WAAW,EAAE,6GAA6G;KAC3H;IACD,gBAAgB,EAAE;QAChB,EAAE,EAAE,gBAAgB;QACpB,KAAK,EAAE,6BAA6B;QACpC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,KAAK;QACf,YAAY,EAAE,OAAO;QACrB,UAAU,EAAE,WAAW;QACvB,WAAW,EAAE,yCAAyC;QACtD,WAAW,EAAE,uHAAuH;KACrI;CACF,CAAC;AAEF,8EAA8E;AAC9E,uBAAuB;AACvB,8EAA8E;AAE9E;;;GAGG;AACH,SAAgB,aAAa,CAAC,KAAkB;IAC9C,sBAAsB;IACtB,IAAI,KAAK,CAAC,MAAM,KAAK,YAAY,IAAI,KAAK,CAAC,QAAQ,KAAK,oBAAoB,EAAE,CAAC;QAC7E,MAAM,MAAM,GAAG,CAAC,KAAK,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QAClD,MAAM,MAAM,GAAG,CAAC,KAAK,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;QAElD,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC3D,KAAK,CAAC,MAAkC,EAAE,SAAS,KAAK,UAAU,EAAE,CAAC;YACxE,OAAO,uBAAe,CAAC,iBAAiB,CAAC,CAAC;QAC5C,CAAC;QACD,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACrD,KAAK,CAAC,MAAkC,EAAE,SAAS,KAAK,UAAU,EAAE,CAAC;YACxE,OAAO,uBAAe,CAAC,iBAAiB,CAAC,CAAC;QAC5C,CAAC;QACD,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACrD,KAAK,CAAC,MAAkC,EAAE,SAAS,KAAK,UAAU,EAAE,CAAC;YACxE,OAAO,uBAAe,CAAC,iBAAiB,CAAC,CAAC;QAC5C,CAAC;QACD,qBAAqB;QACrB,OAAO,uBAAe,CAAC,iBAAiB,CAAC,CAAC;IAC5C,CAAC;IAED,iCAAiC;IACjC,IAAI,KAAK,CAAC,MAAM,KAAK,aAAa,EAAE,CAAC;QACnC,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS,IAAI,KAAK,CAAC,MAAM,KAAK,iBAAiB;YAChE,KAAK,CAAC,MAAkC,EAAE,OAAO,KAAK,UAAU,EAAE,CAAC;YACtE,OAAO,uBAAe,CAAC,gBAAgB,CAAC,CAAC;QAC3C,CAAC;QACD,IAAI,KAAK,CAAC,MAAM,KAAK,UAAU,IAAI,KAAK,CAAC,QAAQ,KAAK,iBAAiB,EAAE,CAAC;YACxE,OAAO,uBAAe,CAAC,gBAAgB,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAED,uEAAuE;IACvE,0EAA0E;IAC1E,sEAAsE;IACtE,IAAI,KAAK,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC9B,IAAI,KAAK,CAAC,QAAQ,KAAK,WAAW,IAAI,KAAK,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;YACpE,OAAO,uBAAe,CAAC,gBAAgB,CAAC,CAAC;QAC3C,CAAC;QACD,OAAO,IAAI,CAAC,CAAC,uDAAuD;IACtE,CAAC;IAED,uBAAuB;IACvB,IAAI,KAAK,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;QAC3B,IAAI,KAAK,CAAC,QAAQ,KAAK,eAAe,IAAI,KAAK,CAAC,QAAQ,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAChF,OAAO,uBAAe,CAAC,iBAAiB,CAAC,CAAC;QAC5C,CAAC;QACD,IAAI,KAAK,CAAC,QAAQ,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC1C,OAAO,uBAAe,CAAC,iBAAiB,CAAC,CAAC;QAC5C,CAAC;QACD,IAAI,KAAK,CAAC,QAAQ,KAAK,SAAS,IAAI,KAAK,CAAC,QAAQ,KAAK,oBAAoB,EAAE,CAAC;YAC5E,OAAO,uBAAe,CAAC,gBAAgB,CAAC,CAAC;QAC3C,CAAC;IACH,CAAC;IAED,mCAAmC;IACnC,IAAI,KAAK,CAAC,MAAM,KAAK,UAAU,IAAI,KAAK,CAAC,QAAQ,EAAE,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QAC5E,IAAI,KAAK,CAAC,QAAQ,KAAK,MAAM,IAAI,KAAK,CAAC,QAAQ,KAAK,UAAU,EAAE,CAAC;YAC/D,OAAO,uBAAe,CAAC,gBAAgB,CAAC,CAAC;QAC3C,CAAC;QACD,OAAO,uBAAe,CAAC,gBAAgB,CAAC,CAAC;IAC3C,CAAC;IAED,kBAAkB;IAClB,IAAI,KAAK,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QAChC,OAAO,uBAAe,CAAC,gBAAgB,CAAC,CAAC;IAC3C,CAAC;IACD,IAAI,KAAK,CAAC,OAAO,KAAK,WAAW,IAAI,CAAC,KAAK,CAAC,QAAQ,KAAK,MAAM,IAAI,KAAK,CAAC,QAAQ,KAAK,UAAU,CAAC,EAAE,CAAC;QAClG,OAAO,uBAAe,CAAC,gBAAgB,CAAC,CAAC;IAC3C,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,cAAc,CAAC,MAAqB;IAClD,MAAM,GAAG,GAAG,IAAI,GAAG,EAA6B,CAAC;IAEjD,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,OAAO,GAAG,aAAa,CAAC,KAAK,CAAC,CAAC;QACrC,IAAI,CAAC,OAAO;YAAE,SAAS;QAEvB,MAAM,QAAQ,GAAG,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;QACrC,IAAI,QAAQ,EAAE,CAAC;YACb,QAAQ,CAAC,KAAK,IAAI,CAAC,CAAC;YACpB,IAAI,KAAK,CAAC,SAAS,GAAG,QAAQ,CAAC,SAAS;gBAAE,QAAQ,CAAC,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC;YAC/E,IAAI,KAAK,CAAC,SAAS,GAAG,QAAQ,CAAC,QAAQ;gBAAE,QAAQ,CAAC,QAAQ,GAAG,KAAK,CAAC,SAAS,CAAC;YAC7E,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC;gBAAE,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAClE,CAAC;aAAM,CAAC;YACN,GAAG,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,EAAE;gBAClB,OAAO;gBACP,KAAK,EAAE,CAAC;gBACR,SAAS,EAAE,KAAK,CAAC,SAAS;gBAC1B,QAAQ,EAAE,KAAK,CAAC,SAAS;gBACzB,QAAQ,EAAE,CAAC,KAAK,CAAC;aAClB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,aAAa,GAAkC;QACnD,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC;KACjD,CAAC;IAEF,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QAC5C,MAAM,OAAO,GAAG,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACtF,IAAI,OAAO,KAAK,CAAC;YAAE,OAAO,OAAO,CAAC;QAClC,OAAO,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC;IAC3B,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,SAAgB,iBAAiB,CAAC,SAA0B;IAC1D,MAAM,MAAM,GAAG,CAAC,SAAS,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IACtD,MAAM,MAAM,GAAG,CAAC,SAAS,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IAEtD,gCAAgC;IAChC,IAAI,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACzF,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC;YAAE,OAAO,uBAAe,CAAC,iBAAiB,CAAC,CAAC;QAC5E,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAAE,OAAO,uBAAe,CAAC,iBAAiB,CAAC,CAAC;QACzE,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAAE,OAAO,uBAAe,CAAC,iBAAiB,CAAC,CAAC;QACzE,OAAO,uBAAe,CAAC,iBAAiB,CAAC,CAAC;IAC5C,CAAC;IAED,qBAAqB;IACrB,IAAI,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACtF,OAAO,uBAAe,CAAC,iBAAiB,CAAC,CAAC;IAC5C,CAAC;IAED,qBAAqB;IACrB,IAAI,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACxF,OAAO,uBAAe,CAAC,iBAAiB,CAAC,CAAC;IAC5C,CAAC;IAED,8BAA8B;IAC9B,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC3D,OAAO,uBAAe,CAAC,gBAAgB,CAAC,CAAC;IAC3C,CAAC;IAED,0BAA0B;IAC1B,IAAI,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9F,OAAO,uBAAe,CAAC,gBAAgB,CAAC,CAAC;IAC3C,CAAC;IAED,4BAA4B;IAC5B,IAAI,SAAS,CAAC,QAAQ,KAAK,UAAU,IAAI,SAAS,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;QACvE,OAAO,uBAAe,CAAC,gBAAgB,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,uBAAe,CAAC,gBAAgB,CAAC,CAAC;AAC3C,CAAC;AAED;;GAEG;AACH,SAAgB,cAAc,CAAC,SAAiB;IAC9C,MAAM,OAAO,GAAG,uBAAe,CAAC,SAAS,CAAC,CAAC;IAC3C,OAAO,OAAO,EAAE,WAAW,IAAI,0BAA0B,CAAC;AAC5D,CAAC"}

package/dist/shield/init.d.ts

@@ -4,6 +4,9 @@ interface InitResult {
     policy: ShieldPolicy;
     shellHookInstalled: boolean;
     policyPath: string;
+    secretlessConfigured: boolean;
+    identityCreated: boolean;
+    aiToolsConfigured: boolean;
     steps: {
         name: string;
         status: 'done' | 'skipped' | 'warn';

package/dist/shield/init.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/shield/init.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,eAAe,EACf,YAAY,EAKb,MAAM,YAAY,CAAC;AAUpB,UAAU,UAAU;IAClB,IAAI,EAAE,eAAe,CAAC;IACtB,MAAM,EAAE,YAAY,CAAC;IACrB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,CAAA;KAAE,EAAE,CAAC;CAChE;AAED,wBAAsB,UAAU,CAAC,OAAO,EAAE;IACxC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,EAAE,CAAC,EAAE,OAAO,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GAAG,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,UAAU,CAAA;CAAE,CAAC,CAoQpD"}
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/shield/init.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,eAAe,EACf,YAAY,EAKb,MAAM,YAAY,CAAC;AAYpB,UAAU,UAAU;IAClB,IAAI,EAAE,eAAe,CAAC;IACtB,MAAM,EAAE,YAAY,CAAC;IACrB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;IACnB,oBAAoB,EAAE,OAAO,CAAC;IAC9B,eAAe,EAAE,OAAO,CAAC;IACzB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,KAAK,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,CAAA;KAAE,EAAE,CAAC;CAChE;AAED,wBAAsB,UAAU,CAAC,OAAO,EAAE;IACxC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,EAAE,CAAC,EAAE,OAAO,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB,GAAG,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,UAAU,CAAA;CAAE,CAAC,CA8XpD"}

package/dist/shield/init.js

@@ -10,6 +10,7 @@ const policy_js_1 = require("./policy.js");
 const events_js_1 = require("./events.js");
 const integrity_js_1 = require("./integrity.js");
 const signing_js_1 = require("./signing.js");
+const ai_tool_config_js_1 = require("./ai-tool-config.js");
 const colors_js_1 = require("../util/colors.js");
 const spinner_js_1 = require("../util/spinner.js");
 async function shieldInit(options) {
@@ -84,9 +85,102 @@ async function shieldInit(options) {
     steps.push({ name: 'Credential audit', status: credentialFindings > 0 ? 'warn' : 'done' });
     if (isText)
         process.stdout.write('\n');
-    // --- Step 3: Config Integrity Baseline ---
+    // --- Step 3: Credential Protection (Secretless) ---
     if (isText)
-        process.stdout.write((0, colors_js_1.bold)('Step 3: Config Integrity Baseline\n'));
+        process.stdout.write((0, colors_js_1.bold)('Step 3: Credential Protection\n'));
+    let secretlessConfigured = false;
+    try {
+        const secretless = await import('secretless-ai');
+        if (typeof secretless.init === 'function') {
+            const result = secretless.init(targetDir);
+            secretlessConfigured = true;
+            if (isText) {
+                process.stdout.write((0, colors_js_1.green)('  Secretless configured\n'));
+                if (result && typeof result === 'object') {
+                    if ('toolsConfigured' in result && Array.isArray(result.toolsConfigured)) {
+                        process.stdout.write(`  Tools: ${result.toolsConfigured.join(', ')}\n`);
+                    }
+                    if ('secretsFound' in result && typeof result.secretsFound === 'number' && result.secretsFound > 0) {
+                        process.stdout.write(`  Secrets protected: ${result.secretsFound}\n`);
+                    }
+                }
+            }
+        }
+        else {
+            // Secretless module found but no init function -- try CLI fallback
+            secretlessConfigured = false;
+            if (isText)
+                process.stdout.write((0, colors_js_1.dim)('  Secretless module found but init not available\n'));
+        }
+    }
+    catch {
+        if (isText) {
+            process.stdout.write((0, colors_js_1.dim)('  Secretless not installed (optional)\n'));
+            process.stdout.write((0, colors_js_1.dim)('  Install: npm install -g secretless-ai\n'));
+        }
+    }
+    steps.push({ name: 'Credential protection', status: secretlessConfigured ? 'done' : 'skipped' });
+    if (isText)
+        process.stdout.write('\n');
+    // --- Step 4: Agent Identity (aim-core) ---
+    if (isText)
+        process.stdout.write((0, colors_js_1.bold)('Step 4: Agent Identity\n'));
+    let identityCreated = false;
+    let identityPublicKey = null;
+    try {
+        const aimCore = await import('@opena2a/aim-core');
+        if (typeof aimCore.getOrCreateIdentity === 'function') {
+            const identity = aimCore.getOrCreateIdentity({
+                agentName: 'shield',
+                dataDir: (0, node_path_1.join)((0, node_os_1.homedir)(), '.opena2a', 'aim-core'),
+            });
+            identityCreated = true;
+            if (identity && typeof identity === 'object' && 'publicKey' in identity) {
+                const pk = String(identity.publicKey);
+                identityPublicKey = pk.length > 16 ? pk.slice(0, 8) + '...' + pk.slice(-8) : pk;
+            }
+            if (isText) {
+                process.stdout.write((0, colors_js_1.green)('  Local Ed25519 identity ready\n'));
+                if (identityPublicKey) {
+                    process.stdout.write(`  Public key: ${identityPublicKey}\n`);
+                }
+                process.stdout.write(`  Storage: ~/.opena2a/aim-core/\n`);
+            }
+            // Log identity event
+            if (typeof aimCore.logEvent === 'function') {
+                aimCore.logEvent({
+                    type: 'shield.init',
+                    agent: 'shield',
+                    detail: { targetDir },
+                });
+            }
+        }
+        else if (typeof aimCore.createIdentity === 'function') {
+            // Alternative API shape
+            const identity = aimCore.createIdentity('shield');
+            identityCreated = true;
+            if (isText) {
+                process.stdout.write((0, colors_js_1.green)('  Local Ed25519 identity created\n'));
+                process.stdout.write(`  Storage: ~/.opena2a/aim-core/\n`);
+            }
+        }
+        else {
+            if (isText)
+                process.stdout.write((0, colors_js_1.dim)('  aim-core module found but identity API not available\n'));
+        }
+    }
+    catch {
+        if (isText) {
+            process.stdout.write((0, colors_js_1.dim)('  aim-core not installed (optional)\n'));
+            process.stdout.write((0, colors_js_1.dim)('  Install: npm install @opena2a/aim-core\n'));
+        }
+    }
+    steps.push({ name: 'Agent identity', status: identityCreated ? 'done' : 'skipped' });
+    if (isText)
+        process.stdout.write('\n');
+    // --- Step 5: Config Integrity Baseline ---
+    if (isText)
+        process.stdout.write((0, colors_js_1.bold)('Step 5: Config Integrity Baseline\n'));
     try {
         const { guard } = await import('../commands/guard.js');
         await guard({
@@ -107,9 +201,9 @@ async function shieldInit(options) {
     }
     if (isText)
         process.stdout.write('\n');
-    // --- Step 4: Generate Policy ---
+    // --- Step 6: Generate Policy ---
     if (isText)
-        process.stdout.write((0, colors_js_1.bold)('Step 4: Generate Policy\n'));
+        process.stdout.write((0, colors_js_1.bold)('Step 6: Generate Policy\n'));
     const policy = (0, policy_js_1.generatePolicyFromScan)(scan);
     const shieldDir = (0, events_js_1.getShieldDir)();
     const policyPath = (0, node_path_1.join)(shieldDir, types_js_1.SHIELD_POLICY_FILE);
@@ -134,9 +228,9 @@ async function shieldInit(options) {
     steps.push({ name: 'Policy generation', status: 'done' });
     if (isText)
         process.stdout.write('\n');
-    // --- Step 5: Shell Integration ---
+    // --- Step 7: Shell Integration ---
     if (isText)
-        process.stdout.write((0, colors_js_1.bold)('Step 5: Shell Integration\n'));
+        process.stdout.write((0, colors_js_1.bold)('Step 7: Shell Integration\n'));
     let shellHookInstalled = false;
     const shell = process.env.SHELL?.includes('zsh') ? 'zsh'
         : process.env.SHELL?.includes('bash') ? 'bash'
@@ -184,9 +278,9 @@ async function shieldInit(options) {
     steps.push({ name: 'Shell integration', status: shellHookInstalled ? 'done' : 'skipped' });
     if (isText)
         process.stdout.write('\n');
-    // --- Step 6: ARP Initialization ---
+    // --- Step 8: ARP Initialization ---
     if (isText)
-        process.stdout.write((0, colors_js_1.bold)('Step 6: Runtime Protection\n'));
+        process.stdout.write((0, colors_js_1.bold)('Step 8: Runtime Protection\n'));
     try {
         const { runtime } = await import('../commands/runtime.js');
         await runtime({
@@ -207,9 +301,39 @@ async function shieldInit(options) {
     }
     if (isText)
         process.stdout.write('\n');
-    // --- Step 7: Browser Guard ---
+    // --- Step 9: AI Tool Configuration ---
+    if (isText)
+        process.stdout.write((0, colors_js_1.bold)('Step 9: AI Tool Configuration\n'));
+    let aiToolsConfigured = false;
+    let aiToolResult = null;
+    if (!ci) {
+        const detectedAssistants = scan.assistants
+            .filter((a) => a.detected)
+            .map((a) => a.name);
+        aiToolResult = (0, ai_tool_config_js_1.configureAiTools)(targetDir, detectedAssistants);
+        aiToolsConfigured = aiToolResult.toolsConfigured.length > 0;
+        if (isText) {
+            if (aiToolResult.toolsConfigured.length > 0) {
+                process.stdout.write((0, colors_js_1.green)(`  Configured: ${aiToolResult.toolsConfigured.join(', ')}\n`));
+            }
+            if (aiToolResult.toolsSkipped.length > 0) {
+                process.stdout.write((0, colors_js_1.dim)(`  Skipped: ${aiToolResult.toolsSkipped.join(', ')}\n`));
+            }
+            if (aiToolResult.toolsConfigured.length === 0 && aiToolResult.toolsSkipped.length === 0) {
+                process.stdout.write((0, colors_js_1.dim)('  No AI tools detected\n'));
+            }
+        }
+    }
+    else {
+        if (isText)
+            process.stdout.write((0, colors_js_1.dim)('  AI tool configuration skipped (CI mode)\n'));
+    }
+    steps.push({ name: 'AI tool config', status: aiToolsConfigured ? 'done' : 'skipped' });
+    if (isText)
+        process.stdout.write('\n');
+    // --- Step 10: Browser Guard ---
     if (isText)
-        process.stdout.write((0, colors_js_1.bold)('Step 7: Browser Guard\n'));
+        process.stdout.write((0, colors_js_1.bold)('Step 10: Browser Guard\n'));
     const hasBrowserGuard = (0, node_fs_1.existsSync)((0, node_path_1.join)((0, node_os_1.homedir)(), '.config', 'opena2a', 'browser-guard.json')) ||
         (0, node_fs_1.existsSync)((0, node_path_1.join)((0, node_os_1.homedir)(), '.opena2a', 'browser-guard.json'));
     if (hasBrowserGuard) {
@@ -226,7 +350,7 @@ async function shieldInit(options) {
     }
     if (isText)
         process.stdout.write('\n');
-    // --- Step 8: Summary ---
+    // --- Step 11: Summary ---
     // Save scan results
     const scanPath = (0, node_path_1.join)(shieldDir, types_js_1.SHIELD_SCAN_FILE);
     (0, node_fs_1.writeFileSync)(scanPath, JSON.stringify(scan, null, 2) + '\n', { mode: 0o600 });
@@ -249,6 +373,9 @@ async function shieldInit(options) {
             oauthSessions: scan.oauthSessions.filter((s) => s.hasActiveSession).length,
             credentialFindings,
             shellHookInstalled,
+            secretlessConfigured,
+            identityCreated,
+            aiToolsConfigured,
         },
         orgId: null,
         managed: false,
@@ -256,12 +383,15 @@ async function shieldInit(options) {
     });
     steps.push({ name: 'Summary', status: 'done' });
     if (isText) {
-        process.stdout.write((0, colors_js_1.bold)('Step 8: Summary\n'));
+        process.stdout.write((0, colors_js_1.bold)('Step 11: Summary\n'));
         const doneCount = steps.filter(s => s.status === 'done').length;
         const warnCount = steps.filter(s => s.status === 'warn').length;
+        const skippedCount = steps.filter(s => s.status === 'skipped').length;
         process.stdout.write(`  ${(0, colors_js_1.green)(`${doneCount} steps completed`)}`);
         if (warnCount > 0)
             process.stdout.write(`, ${(0, colors_js_1.yellow)(`${warnCount} warnings`)}`);
+        if (skippedCount > 0)
+            process.stdout.write(`, ${(0, colors_js_1.dim)(`${skippedCount} skipped`)}`);
         process.stdout.write('\n');
         process.stdout.write(`  Policy: ${policyPath}\n`);
         process.stdout.write(`  Events: ${(0, node_path_1.join)(shieldDir, 'events.jsonl')}\n`);
@@ -279,6 +409,9 @@ async function shieldInit(options) {
         policy,
         shellHookInstalled,
         policyPath,
+        secretlessConfigured,
+        identityCreated,
+        aiToolsConfigured,
         steps,
     };
     if (format === 'json' || ci) {