opena2a-cli 0.3.2 → 0.3.3

package/dist/commands/init.js

@@ -2,8 +2,8 @@
 /**
  * opena2a init -- Initialize security posture assessment for a project.
  *
- * Detects project type, scans for credentials, checks hygiene,
- * calculates trust score, and generates prioritized next steps.
+ * Findings-first design: shows what was found, explains why it matters,
+ * calculates a unified security score, and generates prioritized actions.
  */
 var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
     if (k2 === undefined) k2 = k;
@@ -39,6 +39,7 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.calculateSecurityScore = void 0;
 exports.init = init;
 const fs = __importStar(require("node:fs"));
 const path = __importStar(require("node:path"));
@@ -46,9 +47,13 @@ const colors_js_1 = require("../util/colors.js");
 const detect_js_1 = require("../util/detect.js");
 const credential_patterns_js_1 = require("../util/credential-patterns.js");
 const advisories_js_1 = require("../util/advisories.js");
+const format_js_1 = require("../util/format.js");
 const version_js_1 = require("../util/version.js");
+const spinner_js_1 = require("../util/spinner.js");
 const events_js_1 = require("../shield/events.js");
 const status_js_1 = require("../shield/status.js");
+const ai_config_js_1 = require("../util/ai-config.js");
+const scoring_js_1 = require("../util/scoring.js");
 // --- Core ---
 async function init(options) {
     const targetDir = path.resolve(options.targetDir ?? process.cwd());
@@ -56,54 +61,86 @@ async function init(options) {
         process.stderr.write((0, colors_js_1.red)(`Directory not found: ${targetDir}\n`));
         return 1;
     }
+    const startTime = Date.now();
+    const isTTY = process.stderr.isTTY && options.format !== 'json';
+    const spinner = new spinner_js_1.Spinner('Scanning project...');
+    if (isTTY)
+        spinner.start();
     // 1. Detect project type
     const project = (0, detect_js_1.detectProject)(targetDir);
-    // 2. Quick credential scan
+    // 2. Quick credential scan (source files + MCP configs)
+    if (isTTY)
+        spinner.update('Scanning for credentials...');
     const credentialMatches = (0, credential_patterns_js_1.quickCredentialScan)(targetDir);
+    // Scan MCP config files for credentials (these are skipped by walkFiles)
+    const mcpCreds = (0, ai_config_js_1.scanMcpCredentials)(targetDir);
+    const seenCredValues = new Set(credentialMatches.map(m => m.value));
+    for (const mc of mcpCreds) {
+        if (!seenCredValues.has(mc.value)) {
+            credentialMatches.push(mc);
+            seenCredValues.add(mc.value);
+        }
+    }
     const credsBySeverity = {};
     for (const m of credentialMatches) {
         credsBySeverity[m.severity] = (credsBySeverity[m.severity] || 0) + 1;
     }
     // 3. Security hygiene checks
-    const checks = runHygieneChecks(targetDir, project, credentialMatches.length);
+    if (isTTY)
+        spinner.update('Checking environment...');
+    const checks = await runHygieneChecks(targetDir, project, credentialMatches.length);
     // 4. Check advisories (non-blocking)
     let advisoryCheck = { advisories: [], matchedPackages: [], total: 0, fromCache: false };
     try {
         advisoryCheck = await (0, advisories_js_1.checkAdvisories)(targetDir);
     }
     catch {
-        // Advisory check is best-effort, don't fail init
+        // Advisory check is best-effort
+    }
+    // 5. HMA integration (optional dynamic import)
+    if (isTTY)
+        spinner.update('Scanning shell environment...');
+    let hmaAvailable = false;
+    const hmaFindings = [];
+    try {
+        const hma = await import('hackmyagent');
+        hmaAvailable = true;
+        if (typeof hma.checkShellEnvironment === 'function') {
+            const shellEnv = await hma.checkShellEnvironment();
+            if (Array.isArray(shellEnv))
+                hmaFindings.push(...shellEnv);
+        }
+        if (typeof hma.checkShellHistory === 'function') {
+            const shellHistory = await hma.checkShellHistory();
+            if (Array.isArray(shellHistory))
+                hmaFindings.push(...shellHistory);
+        }
+    }
+    catch {
+        // HMA not installed -- skip silently
     }
-    // 5. Calculate trust score
-    const { score, grade } = calculateTrustScore(credsBySeverity, checks, targetDir);
-    // 6. Generate next steps
+    // 6. Group findings
+    const groupedFindings = groupFindings(credentialMatches, checks, hmaFindings);
+    // 7. Calculate unified security score
+    if (isTTY)
+        spinner.update('Assessing security posture...');
+    const hmaBySeverity = {};
+    for (const f of hmaFindings) {
+        hmaBySeverity[f.severity] = (hmaBySeverity[f.severity] || 0) + 1;
+    }
+    const { score, grade, breakdown } = (0, exports.calculateSecurityScore)(credsBySeverity, checks, hmaBySeverity);
+    // 8. Generate actions
+    const actions = generateActions(credentialMatches, credsBySeverity, checks, groupedFindings);
+    // 9. Generate legacy next steps (backward compat)
     const nextSteps = generateNextSteps(credentialMatches.length, credsBySeverity, checks, project.type);
-    // 6.5. Compute posture score from Shield product detection
+    // 10. Shield tool status (for backward compat and tip line)
     const shieldStatus = (0, status_js_1.getShieldStatus)(targetDir);
-    const activeProducts = shieldStatus.products.filter(p => p.active).length;
-    const totalProducts = shieldStatus.products.length;
-    let postureScore = 0;
-    postureScore += Math.min(activeProducts * 10, 60);
-    if (shieldStatus.policyLoaded)
-        postureScore += 10;
-    if (shieldStatus.shellIntegration)
-        postureScore += 5;
-    if (credentialMatches.length === 0)
-        postureScore += 15;
-    const sigDir = path.join(targetDir, '.opena2a', 'signatures');
-    if (fs.existsSync(sigDir))
-        postureScore += 10;
-    postureScore = Math.max(0, Math.min(100, postureScore));
-    const riskLevel = postureScore < 30 ? 'CRITICAL'
-        : postureScore < 50 ? 'HIGH'
-            : postureScore < 70 ? 'MEDIUM'
-                : postureScore < 90 ? 'LOW'
-                    : 'SECURE';
-    // 6.6. Write shield events for posture and credential findings
-    // Events are written to the project-local .opena2a/shield/ when available,
-    // falling back to the global ~/.opena2a/shield/.
+    const activeTools = shieldStatus.tools.filter(p => p.active).length;
+    const totalTools = shieldStatus.tools.length;
+    // 11. Write shield events
     try {
         (0, events_js_1.getShieldDir)(targetDir);
+        const riskLevel = scoreToRiskLevel(score);
         (0, events_js_1.writeEvent)({
             source: 'shield',
             category: 'shield.posture',
@@ -113,7 +150,7 @@ async function init(options) {
             action: 'posture-assessment',
             target: targetDir,
             outcome: 'monitored',
-            detail: { score: postureScore, riskLevel, activeProducts, totalProducts, trustScore: score, grade },
+            detail: { score, grade, breakdown, activeTools, totalTools },
             orgId: null,
             managed: false,
             agentId: null,
@@ -138,8 +175,13 @@ async function init(options) {
     catch {
         // Shield event writing is best-effort
     }
-    // 7. Build report
+    if (isTTY)
+        spinner.stop();
+    const elapsed = ((Date.now() - startTime) / 1000).toFixed(1);
+    // 12. Build report
+    const riskLevel = scoreToRiskLevel(score);
     const report = {
+        version: 2,
         projectName: project.name,
         projectVersion: project.version,
         projectType: formatProjectType(project),
@@ -147,41 +189,31 @@ async function init(options) {
         credentialFindings: credentialMatches.length,
         credentialsBySeverity: credsBySeverity,
         hygieneChecks: checks,
-        trustScore: score,
-        grade,
+        securityScore: score,
+        securityGrade: grade,
+        scoreBreakdown: breakdown,
+        findings: groupedFindings,
+        actions,
         nextSteps,
         advisories: {
             count: advisoryCheck.advisories.length,
             matchedPackages: advisoryCheck.matchedPackages,
         },
-        postureScore,
+        hmaAvailable,
+        // Backward compat aliases
+        trustScore: score,
+        grade,
+        postureScore: score,
         riskLevel,
-        activeProducts,
-        totalProducts,
+        activeTools,
+        totalTools,
     };
-    // 8. Output
+    // 13. Output
     if (options.format === 'json') {
         process.stdout.write(JSON.stringify(report, null, 2) + '\n');
     }
     else {
-        printReport(report, options.verbose);
-        // Verbose: show individual credential findings
-        if (options.verbose && credentialMatches.length > 0) {
-            process.stdout.write((0, colors_js_1.bold)('  Credential Details') + '\n');
-            process.stdout.write((0, colors_js_1.gray)('  ' + '-'.repeat(47)) + '\n');
-            for (const m of credentialMatches) {
-                const sev = m.severity === 'critical' ? (0, colors_js_1.red)('[CRITICAL]')
-                    : m.severity === 'high' ? (0, colors_js_1.yellow)('[HIGH]')
-                        : (0, colors_js_1.cyan)('[MEDIUM]');
-                const relPath = path.relative(targetDir, m.filePath);
-                process.stdout.write(`  ${sev} ${(0, colors_js_1.bold)(m.findingId)}: ${m.title}\n`);
-                process.stdout.write(`  ${(0, colors_js_1.dim)('  File:')} ${relPath}:${m.line}\n`);
-                if (m.explanation) {
-                    process.stdout.write(`  ${(0, colors_js_1.dim)('  Why:')} ${m.explanation}\n`);
-                }
-                process.stdout.write('\n');
-            }
-        }
+        printReport(report, elapsed, options.verbose);
         // Drift detection callout (always shown when drift findings exist)
         const driftFindings = credentialMatches.filter(m => m.findingId.startsWith('DRIFT'));
         if (driftFindings.length > 0) {
@@ -208,7 +240,7 @@ async function init(options) {
     return hasCritical ? 1 : 0;
 }
 // --- Hygiene checks ---
-function runHygieneChecks(dir, project, credCount) {
+async function runHygieneChecks(dir, project, credCount) {
     const checks = [];
     // Credential scan result
     if (credCount === 0) {
@@ -268,48 +300,287 @@ function runHygieneChecks(dir, project, credCount) {
     if (project.hasMcp) {
         checks.push({ label: 'MCP config', status: 'info', detail: 'found' });
     }
+    // LLM server exposure (lightweight probe of common ports)
+    const llmCheck = await checkLLMServerExposure();
+    if (llmCheck) {
+        checks.push(llmCheck);
+    }
+    // AI-specific configuration scans
+    for (const f of (0, ai_config_js_1.scanMcpConfig)(dir)) {
+        checks.push({ label: f.label, status: f.status, detail: f.detail });
+    }
+    const aiCfg = (0, ai_config_js_1.scanAiConfigFiles)(dir);
+    if (aiCfg)
+        checks.push({ label: aiCfg.label, status: aiCfg.status, detail: aiCfg.detail });
+    const skills = (0, ai_config_js_1.scanSkillFiles)(dir);
+    if (skills)
+        checks.push({ label: skills.label, status: skills.status, detail: skills.detail });
+    const soul = (0, ai_config_js_1.scanSoulFile)(dir);
+    if (soul)
+        checks.push({ label: soul.label, status: soul.status, detail: soul.detail });
     return checks;
 }
-// --- Trust score ---
-function calculateTrustScore(credsBySeverity, checks, dir) {
-    let score = 100;
-    // Credential penalties
-    score -= (credsBySeverity['critical'] || 0) * 25;
-    score -= (credsBySeverity['high'] || 0) * 15;
-    score -= (credsBySeverity['medium'] || 0) * 8;
-    score -= (credsBySeverity['low'] || 0) * 3;
-    // Hygiene penalties
-    const gitignoreCheck = checks.find(c => c.label === '.gitignore');
-    if (gitignoreCheck?.status !== 'pass')
-        score -= 15;
+// --- LLM server exposure check ---
+const LLM_PROBE_PORTS = [
+    { name: 'Ollama', port: 11434, path: '/api/tags' },
+    { name: 'LM Studio', port: 1234, path: '/v1/models' },
+];
+async function checkLLMServerExposure() {
+    for (const server of LLM_PROBE_PORTS) {
+        const controller = new AbortController();
+        const timer = setTimeout(() => controller.abort(), 2000);
+        try {
+            const resp = await fetch(`http://127.0.0.1:${server.port}${server.path}`, {
+                signal: controller.signal,
+            });
+            clearTimeout(timer);
+            if (resp.ok || resp.status < 500) {
+                // Check if no auth required
+                const noAuth = resp.status !== 401 && resp.status !== 403;
+                if (noAuth) {
+                    return {
+                        label: 'LLM server exposure',
+                        status: 'warn',
+                        detail: `${server.name} on :${server.port} (no auth)`,
+                    };
+                }
+                return {
+                    label: 'LLM server exposure',
+                    status: 'info',
+                    detail: `${server.name} on :${server.port}`,
+                };
+            }
+        }
+        catch {
+            clearTimeout(timer);
+            // Server not running on this port, continue
+        }
+    }
+    return null;
+}
+// --- Finding grouping ---
+function groupFindings(creds, checks, hmaFindings) {
+    const groups = new Map();
+    // Group credential findings by findingId
+    for (const cred of creds) {
+        const existing = groups.get(cred.findingId);
+        if (existing) {
+            existing.count++;
+            existing.locations.push({
+                file: cred.filePath,
+                line: cred.line,
+            });
+        }
+        else {
+            groups.set(cred.findingId, {
+                findingId: cred.findingId,
+                title: cred.title,
+                severity: cred.severity,
+                count: 1,
+                explanation: cred.explanation ?? '',
+                businessImpact: cred.businessImpact ?? '',
+                locations: [{ file: cred.filePath, line: cred.line }],
+            });
+        }
+    }
+    // Add hygiene findings as grouped findings
+    const llmCheck = checks.find(c => c.label === 'LLM server exposure' && c.status === 'warn');
+    if (llmCheck) {
+        groups.set('ENV-LLM', {
+            findingId: 'ENV-LLM',
+            title: llmCheck.detail,
+            severity: 'high',
+            count: 1,
+            explanation: 'Local LLM server is responding without authentication. Adding auth limits access to authorized users.',
+            businessImpact: 'Unauthenticated model access. Adding auth ensures only intended users can query.',
+            locations: [],
+        });
+    }
+    const envCheck = checks.find(c => c.label === '.env protection' && c.status === 'warn');
+    if (envCheck) {
+        groups.set('ENV-DOTENV', {
+            findingId: 'ENV-DOTENV',
+            title: '.env not in .gitignore',
+            severity: 'medium',
+            count: 1,
+            explanation: 'Environment files may be committed to version control.',
+            businessImpact: 'Adding .env to .gitignore keeps secrets out of version control.',
+            locations: [],
+        });
+    }
+    // Add AI config findings
+    const mcpToolsCheck = checks.find(c => c.label === 'MCP high-risk tools' && c.status === 'warn');
+    if (mcpToolsCheck) {
+        groups.set('MCP-TOOLS', {
+            findingId: 'MCP-TOOLS',
+            title: mcpToolsCheck.detail,
+            severity: 'high',
+            count: 1,
+            explanation: 'MCP servers with filesystem or shell access can read, modify, or delete files on your system when invoked by an AI assistant.',
+            businessImpact: 'Review server permissions to ensure each server has only the access it needs.',
+            locations: [],
+        });
+    }
+    const mcpCredCheck = checks.find(c => c.label === 'MCP credentials' && c.status === 'warn');
+    if (mcpCredCheck) {
+        groups.set('MCP-CRED', {
+            findingId: 'MCP-CRED',
+            title: mcpCredCheck.detail,
+            severity: 'high',
+            count: 1,
+            explanation: 'API keys hardcoded in MCP config files are readable by anyone with access to the project directory.',
+            businessImpact: 'Move credentials to environment variables so they are not stored in plaintext.',
+            locations: [],
+        });
+    }
+    const aiConfigCheck = checks.find(c => c.label === 'AI config exposure' && c.status === 'warn');
+    if (aiConfigCheck) {
+        groups.set('AI-CONFIG', {
+            findingId: 'AI-CONFIG',
+            title: aiConfigCheck.detail,
+            severity: 'medium',
+            count: 1,
+            explanation: 'AI instruction files (CLAUDE.md, .cursorrules, etc.) reveal tooling choices and system prompts when committed to a public repository.',
+            businessImpact: 'Add these files to .git/info/exclude to keep them local without modifying .gitignore.',
+            locations: [],
+        });
+    }
+    // Add HMA findings
+    for (const f of hmaFindings) {
+        const key = `HMA-${f.checkId}`;
+        const existing = groups.get(key);
+        if (existing) {
+            existing.count++;
+        }
+        else {
+            groups.set(key, {
+                findingId: key,
+                title: f.message,
+                severity: f.severity,
+                count: 1,
+                explanation: '',
+                businessImpact: '',
+                locations: [],
+            });
+        }
+    }
+    // Sort by severity order: critical > high > medium > low
+    const severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+    return Array.from(groups.values()).sort((a, b) => {
+        const sa = severityOrder[a.severity] ?? 4;
+        const sb = severityOrder[b.severity] ?? 4;
+        if (sa !== sb)
+            return sa - sb;
+        return b.count - a.count;
+    });
+}
+// --- Unified Security Score ---
+/**
+ * Re-export from shared module for backward compatibility.
+ * Tests (security-score.test.ts) import this from init.ts.
+ */
+exports.calculateSecurityScore = scoring_js_1.calculateSecurityScore;
+const scoreToRiskLevel = scoring_js_1.scoreToRiskLevel;
+// --- Actions ---
+function generateActions(creds, credsBySeverity, checks, findings) {
+    const actions = [];
+    // Credential migration action
+    if (creds.length > 0) {
+        // Build breakdown string
+        const byTitle = new Map();
+        for (const c of creds) {
+            byTitle.set(c.title, (byTitle.get(c.title) || 0) + 1);
+        }
+        const breakdownParts = Array.from(byTitle.entries())
+            .map(([title, count]) => `${count} ${title.replace(/ \(.*\)/, '')}`)
+            .join(', ');
+        actions.push({
+            description: `Migrate ${creds.length} hardcoded credential${creds.length === 1 ? '' : 's'} to a vault`,
+            command: 'opena2a protect',
+            why: 'Credentials in source files are readable by anyone with repo access. A vault stores them encrypted, rotates them automatically, and provides an audit trail.',
+            approach: 'Moves keys to environment variables backed by an encrypted vault. Keys rotate without code changes, and access is auditable.',
+            detail: `Keys found: ${breakdownParts}`,
+        });
+    }
+    // .env protection
     const envCheck = checks.find(c => c.label === '.env protection');
-    if (envCheck?.status === 'warn')
-        score -= 10;
-    const lockCheck = checks.find(c => c.label === 'Lock file');
-    if (lockCheck?.status !== 'pass')
-        score -= 5;
-    // Bonus for security config
+    if (envCheck?.status === 'warn') {
+        actions.push({
+            description: 'Add .env to .gitignore',
+            command: 'opena2a protect',
+            why: 'Adding .env to .gitignore prevents secrets from entering version control. Existing tracked .env files also need `git rm --cached .env`.',
+        });
+    }
+    // .gitignore
+    const gitignoreCheck = checks.find(c => c.label === '.gitignore');
+    if (gitignoreCheck?.status !== 'pass') {
+        actions.push({
+            description: 'Create .gitignore with .env exclusion',
+            command: 'opena2a protect',
+            why: 'Without a .gitignore, build artifacts and sensitive files can be committed accidentally. Protect creates one with .env exclusion to prevent secret leaks.',
+        });
+    }
+    // Shell environment findings (from HMA)
+    const hmaFindings = findings.filter(f => f.findingId.startsWith('HMA-'));
+    if (hmaFindings.length > 0) {
+        const totalHma = hmaFindings.reduce((n, f) => n + f.count, 0);
+        actions.push({
+            description: `Clean ${totalHma} shell environment finding${totalHma === 1 ? '' : 's'}`,
+            command: 'opena2a scan secure',
+            why: 'Shell config files and history can contain API keys in plaintext. Rotating exposed keys and clearing history entries removes persistent exposure.',
+        });
+    }
+    // LLM server exposure
+    const llmCheck = checks.find(c => c.label === 'LLM server exposure' && c.status === 'warn');
+    if (llmCheck) {
+        actions.push({
+            description: 'Secure LLM server',
+            command: 'opena2a shield status',
+            why: 'A local LLM server without authentication accepts requests from any process on the network. Binding to localhost or adding auth limits access.',
+        });
+    }
+    // MCP high-risk tools
+    const mcpToolsFinding = findings.find(f => f.findingId === 'MCP-TOOLS');
+    if (mcpToolsFinding) {
+        actions.push({
+            description: 'Review MCP server permissions',
+            command: 'opena2a shield status',
+            why: 'MCP servers with filesystem or shell access can read, modify, or delete files when invoked by an AI assistant. Review each server to confirm it has only the access it needs.',
+        });
+    }
+    // MCP credentials
+    const mcpCredFinding = findings.find(f => f.findingId === 'MCP-CRED');
+    if (mcpCredFinding) {
+        actions.push({
+            description: 'Move MCP config credentials to environment variables',
+            command: 'opena2a protect',
+            why: 'API keys hardcoded in MCP config files are stored in plaintext. Environment variables keep credentials out of the project directory and version control.',
+        });
+    }
+    // AI config exposure
+    const aiConfigFinding = findings.find(f => f.findingId === 'AI-CONFIG');
+    if (aiConfigFinding) {
+        actions.push({
+            description: 'Exclude AI instruction files from git',
+            command: 'opena2a protect',
+            why: 'AI instruction files reveal tooling choices and system prompts when committed to a public repository. Adding them to .git/info/exclude keeps them local without modifying .gitignore.',
+        });
+    }
+    // Config signing (only suggest if fewer than 5 actions already -- lower priority)
     const secConfig = checks.find(c => c.label === 'Security config');
-    if (secConfig?.status === 'pass')
-        score += 5;
-    score = Math.max(0, Math.min(100, score));
-    let grade;
-    if (score >= 90)
-        grade = 'A';
-    else if (score >= 80)
-        grade = 'B';
-    else if (score >= 70)
-        grade = 'C';
-    else if (score >= 60)
-        grade = 'D';
-    else
-        grade = 'F';
-    return { score, grade };
+    if (actions.length < 5 && secConfig?.status !== 'pass') {
+        actions.push({
+            description: 'Sign config files for integrity monitoring',
+            command: 'opena2a protect',
+            why: 'Signed baselines let you detect unintended config changes before they affect runtime behavior.',
+        });
+    }
+    // Cap at 5 actions
+    return actions.slice(0, 5);
 }
-// --- Next steps ---
+// --- Legacy next steps (backward compat) ---
 function generateNextSteps(credCount, credsBySeverity, checks, projectType) {
     const steps = [];
-    // Credentials -> protect
     if (credCount > 0) {
         steps.push({
             severity: 'critical',
@@ -317,34 +588,27 @@ function generateNextSteps(credCount, credsBySeverity, checks, projectType) {
             command: 'opena2a protect',
         });
     }
-    // .env protection
     const envCheck = checks.find(c => c.label === '.env protection');
     if (envCheck?.status === 'warn') {
         steps.push({
             severity: 'high',
             description: 'Add .env to .gitignore',
-            command: "echo '.env' >> .gitignore",
+            command: 'opena2a protect',
         });
     }
-    // No .gitignore
     const gitignoreCheck = checks.find(c => c.label === '.gitignore');
     if (gitignoreCheck?.status !== 'pass') {
-        const gitignoreTemplate = projectType === 'python' ? 'python'
-            : projectType === 'go' ? 'go'
-                : 'node';
         steps.push({
             severity: 'high',
-            description: 'Create .gitignore',
-            command: `npx gitignore ${gitignoreTemplate}`,
+            description: 'Create .gitignore with .env exclusion',
+            command: 'opena2a protect',
         });
     }
-    // Sign config files
     steps.push({
         severity: 'medium',
         description: 'Sign config files for integrity',
-        command: 'opena2a guard sign',
+        command: 'opena2a protect',
     });
-    // Runtime protection
     steps.push({
         severity: 'low',
         description: 'Start runtime protection',
@@ -352,84 +616,270 @@ function generateNextSteps(credCount, credsBySeverity, checks, projectType) {
     });
     return steps;
 }
+// --- Verification & Recommendation helpers ---
+function getVerificationCommand(finding, reportDir) {
+    // Credential/drift findings with file locations
+    if ((finding.findingId.startsWith('CRED-') || finding.findingId.startsWith('DRIFT-')) &&
+        finding.locations.length > 0) {
+        const loc = finding.locations[0];
+        const rel = path.relative(reportDir, loc.file);
+        return `sed -n '${loc.line}p' ${rel}`;
+    }
+    // HMA findings -- title contains "~/.zshrc:132 contains ..." pattern
+    if (finding.findingId.startsWith('HMA-')) {
+        const match = finding.title.match(/^(.+?):(\d+)\s+contains\s+/);
+        if (match) {
+            return `sed -n '${match[2]}p' ${match[1]}`;
+        }
+    }
+    if (finding.findingId === 'ENV-LLM') {
+        return 'curl -s http://127.0.0.1:11434/api/tags | head -c 200';
+    }
+    if (finding.findingId === 'ENV-DOTENV') {
+        return "cat .gitignore | grep -c '.env'";
+    }
+    if (finding.findingId === 'MCP-TOOLS') {
+        // Show the first MCP config file found
+        for (const f of ['mcp.json', '.mcp.json', '.claude/settings.json', '.cursor/mcp.json']) {
+            if (fs.existsSync(path.join(reportDir, f))) {
+                return `cat ${f}`;
+            }
+        }
+        return 'cat mcp.json';
+    }
+    if (finding.findingId === 'MCP-CRED') {
+        for (const f of ['mcp.json', '.mcp.json', '.claude/settings.json', '.cursor/mcp.json']) {
+            if (fs.existsSync(path.join(reportDir, f))) {
+                return `cat ${f}`;
+            }
+        }
+        return 'cat mcp.json';
+    }
+    if (finding.findingId === 'AI-CONFIG') {
+        return 'cat .gitignore';
+    }
+    if (finding.findingId === 'AI-SKILLS') {
+        return 'ls *.skill.md SKILL.md 2>/dev/null';
+    }
+    if (finding.findingId === 'AI-SOUL') {
+        return 'head -20 soul.md';
+    }
+    return null;
+}
+function getToolRecommendation(findingId) {
+    if (findingId.startsWith('CRED-') || findingId.startsWith('DRIFT-')) {
+        return { command: 'opena2a protect', label: 'opena2a protect' };
+    }
+    if (findingId === 'ENV-LLM') {
+        return { command: 'opena2a shield status', label: 'opena2a shield status' };
+    }
+    if (findingId === 'ENV-DOTENV') {
+        return { command: 'opena2a protect', label: 'opena2a protect' };
+    }
+    if (findingId.startsWith('HMA-')) {
+        return { command: 'opena2a scan secure', label: 'opena2a scan secure' };
+    }
+    if (findingId === 'MCP-TOOLS') {
+        return { command: 'opena2a shield status', label: 'opena2a shield status' };
+    }
+    if (findingId === 'MCP-CRED') {
+        return { command: 'opena2a protect', label: 'opena2a protect' };
+    }
+    if (findingId === 'AI-CONFIG') {
+        return { command: 'opena2a protect', label: 'opena2a protect' };
+    }
+    if (findingId === 'AI-SKILLS') {
+        return { command: 'opena2a guard sign --skills', label: 'opena2a guard sign --skills' };
+    }
+    if (findingId === 'AI-SOUL') {
+        return { command: 'opena2a guard sign', label: 'opena2a guard sign' };
+    }
+    return null;
+}
+function getContextualTip(report) {
+    const hasAnyCreds = report.findings.some(f => f.findingId.startsWith('CRED-') || f.findingId.startsWith('DRIFT-'));
+    if (hasAnyCreds) {
+        return {
+            text: 'Migrate credentials out of source files',
+            command: 'opena2a protect',
+        };
+    }
+    const hasMcpCred = report.findings.some(f => f.findingId === 'MCP-CRED');
+    if (hasMcpCred) {
+        return {
+            text: 'Move credentials out of MCP config files',
+            command: 'opena2a protect',
+        };
+    }
+    const hasAiConfig = report.findings.some(f => f.findingId === 'AI-CONFIG');
+    if (hasAiConfig) {
+        return {
+            text: 'Fix all auto-fixable findings',
+            command: 'opena2a protect',
+        };
+    }
+    const hasLLM = report.findings.some(f => f.findingId === 'ENV-LLM');
+    if (hasLLM) {
+        return {
+            text: 'Add authentication to your LLM server',
+            command: 'opena2a shield status',
+        };
+    }
+    const hasEnv = report.findings.some(f => f.findingId === 'ENV-DOTENV');
+    if (hasEnv) {
+        return {
+            text: 'Fix all auto-fixable findings',
+            command: 'opena2a protect',
+        };
+    }
+    if (report.securityScore >= 90) {
+        return {
+            text: 'Strong baseline. Run a full scan for deeper coverage',
+            command: 'opena2a scan secure',
+        };
+    }
+    if (report.securityScore >= 70) {
+        return {
+            text: 'Good posture. Lock it in with config file integrity signing',
+            command: 'opena2a guard sign',
+        };
+    }
+    return {
+        text: 'See all available security tools',
+        command: 'opena2a shield status',
+    };
+}
 // --- Output ---
 function formatProjectType(project) {
-    const parts = [];
-    switch (project.type) {
-        case 'node':
-            parts.push('Node.js');
-            break;
-        case 'go':
-            parts.push('Go');
-            break;
-        case 'python':
-            parts.push('Python');
-            break;
-        default: parts.push('Unknown');
-    }
-    if (project.hasMcp)
-        parts.push('+ MCP server');
+    const primary = {
+        node: 'Node.js',
+        go: 'Go',
+        python: 'Python',
+        rust: 'Rust',
+        java: 'Java',
+        ruby: 'Ruby',
+        docker: 'Docker',
+        generic: 'Project',
+    };
+    const parts = [primary[project.type]];
+    for (const hint of project.frameworkHints) {
+        parts.push(`+ ${hint}`);
+    }
     return parts.join(' ');
 }
-function printReport(report, _verbose) {
+function printReport(report, elapsed, verbose) {
     const VERSION = (0, version_js_1.getVersion)();
     process.stdout.write('\n');
-    process.stdout.write((0, colors_js_1.bold)('  OpenA2A Security Initialization') + (0, colors_js_1.dim)(`  v${VERSION}`) + '\n\n');
+    process.stdout.write((0, colors_js_1.bold)('  OpenA2A Security Assessment') + (0, colors_js_1.dim)(`  v${VERSION}`) + (0, colors_js_1.dim)(`         ${elapsed}s`) + '\n\n');
     // Project info
     const projectDisplay = report.projectName
         ? `${report.projectName}${report.projectVersion ? ' v' + report.projectVersion : ''}`
         : path.basename(report.directory);
     process.stdout.write(`  ${(0, colors_js_1.dim)('Project')}      ${projectDisplay}\n`);
-    process.stdout.write(`  ${(0, colors_js_1.dim)('Type')}         ${report.projectType}\n`);
+    process.stdout.write(`  ${(0, colors_js_1.dim)('Stack')}        ${report.projectType}\n`);
     process.stdout.write(`  ${(0, colors_js_1.dim)('Directory')}    ${report.directory}\n`);
     process.stdout.write('\n');
-    // Security posture
-    process.stdout.write((0, colors_js_1.bold)('  Security Posture') + '\n');
-    process.stdout.write((0, colors_js_1.gray)('  ' + '-'.repeat(47)) + '\n');
-    for (const check of report.hygieneChecks) {
-        const statusDisplay = check.status === 'pass' ? (0, colors_js_1.green)(check.detail)
-            : check.status === 'fail' ? (0, colors_js_1.red)(check.detail)
-                : check.status === 'warn' ? (0, colors_js_1.yellow)(check.detail)
-                    : (0, colors_js_1.dim)(check.detail);
-        process.stdout.write(`  ${(0, colors_js_1.dim)(check.label.padEnd(20))} ${statusDisplay}\n`);
-    }
-    process.stdout.write((0, colors_js_1.gray)('  ' + '-'.repeat(47)) + '\n');
-    // Trust score
-    const scoreColor = report.trustScore >= 80 ? colors_js_1.green
-        : report.trustScore >= 60 ? colors_js_1.yellow
-            : colors_js_1.red;
-    process.stdout.write(`  ${(0, colors_js_1.dim)('Trust Score')}      ${scoreColor(`${report.trustScore} / 100`)}  ${(0, colors_js_1.dim)('[Grade:')} ${scoreColor(report.grade)}${(0, colors_js_1.dim)(']')}\n`);
-    // Shield posture
-    const postureColor = report.postureScore >= 70 ? colors_js_1.green
-        : report.postureScore >= 40 ? colors_js_1.yellow
-            : colors_js_1.red;
-    const riskColor = report.riskLevel === 'SECURE' || report.riskLevel === 'LOW' ? colors_js_1.green
-        : report.riskLevel === 'MEDIUM' ? colors_js_1.yellow
+    // --- Findings section ---
+    if (report.findings.length > 0) {
+        process.stdout.write((0, colors_js_1.bold)('  Findings') + '\n');
+        process.stdout.write((0, colors_js_1.gray)('  ' + '-'.repeat(47)) + '\n');
+        const maxFindings = verbose ? report.findings.length : 5;
+        const displayFindings = report.findings.slice(0, maxFindings);
+        for (const finding of displayFindings) {
+            const sevTag = finding.severity === 'critical' ? (0, colors_js_1.red)('CRITICAL')
+                : finding.severity === 'high' ? (0, colors_js_1.yellow)('HIGH    ')
+                    : finding.severity === 'medium' ? (0, colors_js_1.cyan)('MEDIUM  ')
+                        : (0, colors_js_1.dim)('LOW     ');
+            const countPrefix = finding.count > 1 ? `${finding.count} ` : '';
+            process.stdout.write(`  ${sevTag}  ${countPrefix}${(0, colors_js_1.bold)(finding.title)}\n`);
+            if (finding.explanation) {
+                const wrapped = (0, format_js_1.wordWrap)(finding.explanation, 70, 12);
+                process.stdout.write((0, colors_js_1.dim)(wrapped) + '\n');
+            }
+            // Show file locations (max 3 unless verbose)
+            if (finding.locations.length > 0) {
+                const maxLocs = verbose ? finding.locations.length : 3;
+                const locs = finding.locations.slice(0, maxLocs);
+                const locStrings = locs.map(l => {
+                    const rel = path.relative(report.directory, l.file);
+                    return `${rel}:${l.line}`;
+                });
+                process.stdout.write((0, colors_js_1.dim)('            ' + locStrings.join('  ')) + '\n');
+                if (finding.locations.length > maxLocs) {
+                    process.stdout.write((0, colors_js_1.dim)(`            +${finding.locations.length - maxLocs} more`) + '\n');
+                }
+            }
+            // Verification command
+            const verifyCmd = getVerificationCommand(finding, report.directory);
+            if (verifyCmd) {
+                process.stdout.write(`            ${(0, colors_js_1.dim)('Verify:')} ${(0, colors_js_1.cyan)(verifyCmd)}\n`);
+            }
+            // Tool recommendation
+            const toolRec = getToolRecommendation(finding.findingId);
+            if (toolRec) {
+                process.stdout.write(`            ${(0, colors_js_1.dim)('Fix:')}    ${(0, colors_js_1.cyan)(toolRec.command)}\n`);
+            }
+            process.stdout.write('\n');
+        }
+        if (!verbose && report.findings.length > maxFindings) {
+            const remaining = report.findings.length - maxFindings;
+            process.stdout.write((0, colors_js_1.dim)(`  [+${remaining} more finding${remaining === 1 ? '' : 's'} -- run with --verbose to see all]`) + '\n');
+            process.stdout.write('\n');
+        }
+    }
+    else {
+        process.stdout.write((0, colors_js_1.green)('  No security findings detected.') + '\n\n');
+    }
+    // --- Security Score ---
+    const scoreColor = report.securityScore >= 80 ? colors_js_1.green
+        : report.securityScore >= 60 ? colors_js_1.yellow
             : colors_js_1.red;
-    process.stdout.write(`  ${(0, colors_js_1.dim)('Shield Posture')}   ${postureColor(`${report.postureScore} / 100`)}  ${(0, colors_js_1.dim)('[Risk:')} ${riskColor(report.riskLevel)}${(0, colors_js_1.dim)(']')}\n`);
-    process.stdout.write(`  ${(0, colors_js_1.dim)('Products')}        ${report.activeProducts} / ${report.totalProducts} active\n`);
+    const breakdown = report.scoreBreakdown;
+    process.stdout.write(`  ${(0, colors_js_1.bold)('Security Score:')} ${scoreColor(`${report.securityScore}`)} ${(0, colors_js_1.dim)('/ 100')}\n`);
     process.stdout.write('\n');
-    // Next steps
-    if (report.nextSteps.length > 0) {
-        process.stdout.write((0, colors_js_1.bold)('  Next Steps') + '\n');
+    // Breakdown as factual deductions
+    if (breakdown.credentials.deduction > 0) {
+        process.stdout.write(`  ${(0, colors_js_1.dim)('Credentials')}    ${(0, colors_js_1.red)(`-${breakdown.credentials.deduction}`)}  ${(0, colors_js_1.dim)(breakdown.credentials.detail)}\n`);
+    }
+    if (breakdown.environment.deduction > 0) {
+        process.stdout.write(`  ${(0, colors_js_1.dim)('Environment')}    ${(0, colors_js_1.red)(`-${breakdown.environment.deduction}`)}  ${(0, colors_js_1.dim)(breakdown.environment.detail)}\n`);
+    }
+    if (breakdown.configuration.deduction > 0) {
+        process.stdout.write(`  ${(0, colors_js_1.dim)('Configuration')}  ${(0, colors_js_1.red)(`-${breakdown.configuration.deduction}`)}  ${(0, colors_js_1.dim)(breakdown.configuration.detail)}\n`);
+    }
+    else if (breakdown.configuration.deduction < 0) {
+        process.stdout.write(`  ${(0, colors_js_1.dim)('Configuration')}  ${(0, colors_js_1.green)(`+${Math.abs(breakdown.configuration.deduction)}`)}  ${(0, colors_js_1.dim)(breakdown.configuration.detail)}\n`);
+    }
+    // "After fixes" line when improvements are possible
+    const totalRecoverable = breakdown.credentials.deduction
+        + breakdown.environment.deduction
+        + Math.max(0, breakdown.configuration.deduction);
+    const potentialScore = Math.min(100, report.securityScore + totalRecoverable);
+    if (totalRecoverable > 0 && potentialScore > report.securityScore) {
+        process.stdout.write('\n');
+        process.stdout.write(`  ${(0, colors_js_1.dim)('After fixes:')}   ${report.securityScore} ${(0, colors_js_1.dim)('->')} ${(0, colors_js_1.green)(String(potentialScore))}\n`);
+    }
+    process.stdout.write('\n');
+    // --- Recommendations section ---
+    if (report.actions.length > 0) {
+        process.stdout.write((0, colors_js_1.bold)('  Recommendations') + '\n');
         process.stdout.write((0, colors_js_1.gray)('  ' + '-'.repeat(47)) + '\n');
-        for (const step of report.nextSteps) {
-            const severityTag = step.severity === 'critical' ? (0, colors_js_1.red)(`[CRITICAL]`)
-                : step.severity === 'high' ? (0, colors_js_1.yellow)(`[HIGH]`)
-                    : step.severity === 'medium' ? (0, colors_js_1.cyan)(`[MEDIUM]`)
-                        : (0, colors_js_1.dim)(`[LOW]`);
-            process.stdout.write(`  ${severityTag.padEnd(22)} ${step.description}\n`);
-            process.stdout.write(`  ${' '.repeat(12)} ${(0, colors_js_1.dim)(step.command)}\n\n`);
+        for (let i = 0; i < report.actions.length; i++) {
+            const action = report.actions[i];
+            process.stdout.write(`  ${(0, colors_js_1.bold)(`${i + 1}.`)} ${action.description}\n`);
+            // Prose explanation as a paragraph (word-wrapped)
+            const wrapped = (0, format_js_1.wordWrap)(action.why, 70, 5);
+            process.stdout.write((0, colors_js_1.dim)(wrapped) + '\n');
+            // Command at bottom with $ prefix
+            process.stdout.write(`     ${(0, colors_js_1.cyan)('$ ' + action.command)}\n`);
+            process.stdout.write('\n');
         }
         process.stdout.write((0, colors_js_1.gray)('  ' + '-'.repeat(47)) + '\n');
     }
     process.stdout.write('\n');
-    // Quick start hints for new users
-    process.stdout.write((0, colors_js_1.dim)('  Tip: Try these commands to explore further:') + '\n');
-    process.stdout.write((0, colors_js_1.dim)('    opena2a shield status   View Shield product status') + '\n');
-    process.stdout.write((0, colors_js_1.dim)('    opena2a shield report   Generate security posture report') + '\n');
-    process.stdout.write((0, colors_js_1.dim)('    opena2a shield monitor  Start ARP runtime monitoring') + '\n');
-    process.stdout.write((0, colors_js_1.dim)('    opena2a ~<query>        Search commands (e.g. opena2a ~drift)') + '\n');
+    // Contextual tip
+    const tip = getContextualTip(report);
+    process.stdout.write((0, colors_js_1.dim)(`  Tip: ${tip.command} -- ${tip.text}`) + '\n');
     process.stdout.write('\n');
 }
 //# sourceMappingURL=init.js.map