opena2a-cli 0.3.6 → 0.3.8

package/README.md

@@ -4,7 +4,7 @@
 
 **Open-source security platform for AI agents**
 
-Credential detection, scope drift analysis, config integrity, runtime monitoring, and supply chain verification -- one CLI.
+Credential detection, scope drift analysis, config integrity, runtime monitoring, behavioral governance scanning, and supply chain verification -- one CLI.
 
 [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/opena2a-org/opena2a/blob/main/LICENSE)
 [![Node](https://img.shields.io/badge/node-%3E%3D18-brightgreen.svg)]()
@@ -36,7 +36,7 @@ No configuration required. Works with Node.js, Python, Go, and MCP server projec
 Run `opena2a init` in any project directory to get an instant security assessment:
 
 ```
-  OpenA2A Security Report  v0.3.6
+  OpenA2A Security Report  v0.3.7
 
   Project      myapp v2.1.0
   Type         Node.js + MCP server
@@ -435,6 +435,8 @@ The CLI orchestrates these specialized tools through a unified interface:
 | Command | Tool | Description |
 |---------|------|-------------|
 | `opena2a scan` | [HackMyAgent](https://github.com/opena2a-org/hackmyagent) | 150+ security checks, attack simulation, auto-fix |
+| `opena2a scan-soul` | [HackMyAgent](https://github.com/opena2a-org/hackmyagent) | Behavioral governance scan against AGS (SOUL.md) |
+| `opena2a harden-soul` | [HackMyAgent](https://github.com/opena2a-org/hackmyagent) | Generate or improve SOUL.md governance file |
 | `opena2a secrets` | [Secretless AI](https://github.com/opena2a-org/secretless-ai) | Credential management for AI coding tools |
 | `opena2a benchmark` | [OASB](https://github.com/opena2a-org/oasb) | 222 attack scenarios, compliance scoring |
 | `opena2a registry` | [AI Trust](https://github.com/opena2a-org/ai-trust) | Trust Registry queries, package verification |
@@ -446,32 +448,91 @@ The CLI orchestrates these specialized tools through a unified interface:
 
 Adapters install tools on first use. Each tool works standalone or through the CLI.
 
+## Behavioral Governance
+
+The [Agent Governance Specification (AGS)](https://github.com/opena2a-org/agent-governance-spec) defines a tiered behavioral safety framework for AI agents across 8 domains and 68 controls (OASB v2). OpenA2A CLI integrates AGS scanning through HackMyAgent.
+
+### `opena2a scan-soul`
+
+Scan your governance file (SOUL.md or equivalent) against AGS controls for your agent's capability tier. Auto-detects tier from file content.
+
+```bash
+opena2a scan-soul                          # Scan SOUL.md in current directory
+opena2a scan-soul ./agent/                 # Scan specific directory
+opena2a scan-soul --tier TOOL-USING        # Force TOOL-USING tier (54 controls)
+opena2a scan-soul --tier AGENTIC           # Force AGENTIC tier (65 controls)
+opena2a scan-soul --tier MULTI-AGENT       # Force MULTI-AGENT tier (68 controls)
+opena2a scan-soul --json                   # Machine-readable output for CI
+opena2a scan-soul --deep                   # Enable LLM semantic analysis (requires ANTHROPIC_API_KEY)
+opena2a scan-soul --fail-below 60          # Exit 1 if score below threshold
+```
+
+Tier-to-control mapping:
+
+| Tier | Controls | Use Case |
+|------|----------|----------|
+| `BASIC` | 27 | Single-turn chatbots, no tool use |
+| `TOOL-USING` | 54 | Agents with tool/function calling |
+| `AGENTIC` | 65 | Long-running, multi-step autonomous agents |
+| `MULTI-AGENT` | 68 | Orchestrators and sub-agent systems |
+
+Governance file search order: `SOUL.md` > `system-prompt.md` > `CLAUDE.md` > `.cursorrules` > `agent-config.yaml` (and more).
+
+Conformance levels shown in output:
+- `none` — a critical control is missing (grade capped at C)
+- `essential` — all critical controls pass
+- `standard` — all critical + high controls pass, score ≥ 60
+- `hardened` — all controls pass, score ≥ 75
+
+### `opena2a harden-soul`
+
+Generate a SOUL.md governance file, or add missing sections to an existing one. Existing content is always preserved.
+
+```bash
+opena2a harden-soul                # Add missing sections to SOUL.md
+opena2a harden-soul ./agent/       # Target specific directory
+opena2a harden-soul --dry-run      # Preview what would be added, no writes
+opena2a harden-soul --json         # Machine-readable output
+```
+
+The 8 AGS behavioral domains (OASB v2, domains 7–14):
+
+| Domain | What it governs |
+|--------|----------------|
+| Trust Hierarchy | Principal relationships, conflict resolution |
+| Capability Boundaries | Allowed/denied actions, least privilege |
+| Injection Hardening | Prompt injection defense, encoded payload rejection |
+| Data Handling | PII protection, credential handling, data minimization |
+| Hardcoded Behaviors | Immutable safety rules (no exfiltration, kill switch) |
+| Agentic Safety | Iteration limits, budget caps, rollback, plan disclosure |
+| Honesty and Transparency | Uncertainty acknowledgment, identity disclosure |
+| Human Oversight | Approval gates, override mechanisms, monitoring |
+
 ## CI/CD Integration
 
-All commands support `--format json` and `--ci` flags for pipeline integration:
+Several commands support `--json` output and `--fail-below` for pipeline gates:
 
 ```yaml
 # GitHub Actions example
-- name: Security assessment
-  run: npx opena2a-cli init --ci --format json > security-report.json
-
 - name: Credential check
   run: |
-    npx opena2a-cli protect --dry-run --ci --format json > cred-report.json
-    # Fail if credentials found
+    npx opena2a-cli protect --dry-run --json > cred-report.json
     jq -e '.totalFound == 0' cred-report.json
 
+- name: Behavioral governance gate
+  run: npx opena2a-cli scan-soul --json --fail-below 60
+
 - name: Config integrity
-  run: npx opena2a-cli guard verify --ci
+  run: npx opena2a-cli guard verify
 ```
 
 ## Output Formats
 
 | Format | Flag | Use Case |
 |--------|------|----------|
-| Text | `--format text` (default) | Human-readable terminal output |
-| JSON | `--format json` | CI pipelines, programmatic consumption |
-| HTML | `--report <path>` | Interactive report with filtering (protect and shield report) |
+| Text | (default) | Human-readable terminal output |
+| JSON | `--json` | CI pipelines, programmatic consumption |
+| HTML | `--report <path>` | Interactive report (protect and shield commands) |
 
 ## Credential Patterns
 

package/dist/adapters/registry.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../src/adapters/registry.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE/D,eAAO,MAAM,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CAqD1D,CAAC;AAEF,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS,CAElE;AAED,wBAAgB,YAAY,IAAI,aAAa,EAAE,CAE9C;AAED,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,aAAa,GAAG,aAAa,EAAE,CAE1E"}
+{"version":3,"file":"registry.d.ts","sourceRoot":"","sources":["../../src/adapters/registry.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE/D,eAAO,MAAM,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,aAAa,CA4D1D,CAAC;AAEF,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS,CAElE;AAED,wBAAgB,YAAY,IAAI,aAAa,EAAE,CAE9C;AAED,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,aAAa,GAAG,aAAa,EAAE,CAE1E"}

package/dist/adapters/registry.js

@@ -24,6 +24,18 @@ exports.ADAPTER_REGISTRY = {
         packageName: 'hackmyagent',
         description: 'Run security benchmark against AI agent (OASB)',
     },
+    'scan-soul': {
+        name: 'scan-soul',
+        method: 'import',
+        packageName: 'hackmyagent',
+        description: 'Scan governance file for behavioral safety coverage (AGS)',
+    },
+    'harden-soul': {
+        name: 'harden-soul',
+        method: 'import',
+        packageName: 'hackmyagent',
+        description: 'Generate or improve governance file with AGS templates',
+    },
     registry: {
         name: 'registry',
         method: 'import',
@@ -42,12 +54,7 @@ exports.ADAPTER_REGISTRY = {
         pythonModule: 'cryptoserve',
         description: 'Cryptographic inventory and PQC readiness (CryptoServe)',
     },
-    identity: {
-        name: 'identity',
-        method: 'spawn',
-        command: 'aim',
-        description: 'Agent identity management (AIM SDK)',
-    },
+    // identity is now handled directly by packages/cli/src/commands/identity.ts
     // guard is now handled directly by packages/cli/src/commands/guard.ts (ConfigGuard)
     broker: {
         name: 'broker',

package/dist/adapters/registry.js.map

@@ -1 +1 @@
-{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/adapters/registry.ts"],"names":[],"mappings":";;;AAyDA,gCAEC;AAED,oCAEC;AAED,kDAEC;AAjEY,QAAA,gBAAgB,GAAkC;IAC7D,IAAI,EAAE;QACJ,IAAI,EAAE,MAAM;QACZ,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,aAAa;QAC1B,WAAW,EAAE,0DAA0D;KACxE;IACD,OAAO,EAAE;QACP,IAAI,EAAE,SAAS;QACf,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,eAAe;QAC5B,WAAW,EAAE,qDAAqD;KACnE;IACD,0EAA0E;IAC1E,SAAS,EAAE;QACT,IAAI,EAAE,WAAW;QACjB,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,aAAa;QAC1B,WAAW,EAAE,gDAAgD;KAC9D;IACD,QAAQ,EAAE;QACR,IAAI,EAAE,UAAU;QAChB,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,UAAU;QACvB,WAAW,EAAE,wDAAwD;KACtE;IACD,KAAK,EAAE;QACL,IAAI,EAAE,OAAO;QACb,MAAM,EAAE,QAAQ;QAChB,KAAK,EAAE,cAAc;QACrB,WAAW,EAAE,gDAAgD;KAC9D;IACD,MAAM,EAAE;QACN,IAAI,EAAE,QAAQ;QACd,MAAM,EAAE,QAAQ;QAChB,YAAY,EAAE,aAAa;QAC3B,WAAW,EAAE,yDAAyD;KACvE;IACD,QAAQ,EAAE;QACR,IAAI,EAAE,UAAU;QAChB,MAAM,EAAE,OAAO;QACf,OAAO,EAAE,KAAK;QACd,WAAW,EAAE,qCAAqC;KACnD;IACD,oFAAoF;IACpF,MAAM,EAAE;QACN,IAAI,EAAE,QAAQ;QACd,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,eAAe;QAC5B,UAAU,EAAE,QAAQ;QACpB,WAAW,EAAE,yCAAyC;KACvD;IACD,iFAAiF;CAClF,CAAC;AAEF,SAAgB,UAAU,CAAC,IAAY;IACrC,OAAO,wBAAgB,CAAC,IAAI,CAAC,CAAC;AAChC,CAAC;AAED,SAAgB,YAAY;IAC1B,OAAO,MAAM,CAAC,MAAM,CAAC,wBAAgB,CAAC,CAAC;AACzC,CAAC;AAED,SAAgB,mBAAmB,CAAC,MAAqB;IACvD,OAAO,MAAM,CAAC,MAAM,CAAC,wBAAgB,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC;AAC1E,CAAC"}
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/adapters/registry.ts"],"names":[],"mappings":";;;AAgEA,gCAEC;AAED,oCAEC;AAED,kDAEC;AAxEY,QAAA,gBAAgB,GAAkC;IAC7D,IAAI,EAAE;QACJ,IAAI,EAAE,MAAM;QACZ,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,aAAa;QAC1B,WAAW,EAAE,0DAA0D;KACxE;IACD,OAAO,EAAE;QACP,IAAI,EAAE,SAAS;QACf,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,eAAe;QAC5B,WAAW,EAAE,qDAAqD;KACnE;IACD,0EAA0E;IAC1E,SAAS,EAAE;QACT,IAAI,EAAE,WAAW;QACjB,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,aAAa;QAC1B,WAAW,EAAE,gDAAgD;KAC9D;IACD,WAAW,EAAE;QACX,IAAI,EAAE,WAAW;QACjB,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,aAAa;QAC1B,WAAW,EAAE,2DAA2D;KACzE;IACD,aAAa,EAAE;QACb,IAAI,EAAE,aAAa;QACnB,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,aAAa;QAC1B,WAAW,EAAE,wDAAwD;KACtE;IACD,QAAQ,EAAE;QACR,IAAI,EAAE,UAAU;QAChB,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,UAAU;QACvB,WAAW,EAAE,wDAAwD;KACtE;IACD,KAAK,EAAE;QACL,IAAI,EAAE,OAAO;QACb,MAAM,EAAE,QAAQ;QAChB,KAAK,EAAE,cAAc;QACrB,WAAW,EAAE,gDAAgD;KAC9D;IACD,MAAM,EAAE;QACN,IAAI,EAAE,QAAQ;QACd,MAAM,EAAE,QAAQ;QAChB,YAAY,EAAE,aAAa;QAC3B,WAAW,EAAE,yDAAyD;KACvE;IACD,4EAA4E;IAC5E,oFAAoF;IACpF,MAAM,EAAE;QACN,IAAI,EAAE,QAAQ;QACd,MAAM,EAAE,QAAQ;QAChB,WAAW,EAAE,eAAe;QAC5B,UAAU,EAAE,QAAQ;QACpB,WAAW,EAAE,yCAAyC;KACvD;IACD,iFAAiF;CAClF,CAAC;AAEF,SAAgB,UAAU,CAAC,IAAY;IACrC,OAAO,wBAAgB,CAAC,IAAI,CAAC,CAAC;AAChC,CAAC;AAED,SAAgB,YAAY;IAC1B,OAAO,MAAM,CAAC,MAAM,CAAC,wBAAgB,CAAC,CAAC;AACzC,CAAC;AAED,SAAgB,mBAAmB,CAAC,MAAqB;IACvD,OAAO,MAAM,CAAC,MAAM,CAAC,wBAAgB,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC;AAC1E,CAAC"}

package/dist/commands/identity.d.ts

@@ -0,0 +1,12 @@
+interface IdentityOptions {
+    subcommand: string;
+    name?: string;
+    limit?: number;
+    dir?: string;
+    ci?: boolean;
+    format?: string;
+    verbose?: boolean;
+}
+export declare function identity(options: IdentityOptions): Promise<number>;
+export {};
+//# sourceMappingURL=identity.d.ts.map

package/dist/commands/identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.d.ts","sourceRoot":"","sources":["../../src/commands/identity.ts"],"names":[],"mappings":"AAGA,UAAU,eAAe;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,EAAE,CAAC,EAAE,OAAO,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,wBAAsB,QAAQ,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,CAqBxE"}

package/dist/commands/identity.js

@@ -0,0 +1,157 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.identity = identity;
+const colors_js_1 = require("../util/colors.js");
+async function identity(options) {
+    const sub = options.subcommand;
+    switch (sub) {
+        case 'list':
+        case 'show':
+            return handleList(options);
+        case 'create':
+            return handleCreate(options);
+        case 'trust':
+            return handleTrust(options);
+        case 'audit':
+            return handleAudit(options);
+        default:
+            process.stderr.write(`Unknown identity subcommand: ${sub}\n`);
+            process.stderr.write('\nUsage: opena2a identity <list|create|trust|audit>\n\n');
+            process.stderr.write('  list               Show local agent identity\n');
+            process.stderr.write('  create --name <n>  Create a new agent identity\n');
+            process.stderr.write('  trust              Show trust score\n');
+            process.stderr.write('  audit [--limit N]  Show recent audit events\n');
+            return 1;
+    }
+}
+async function loadAimCore() {
+    try {
+        return await import('@opena2a/aim-core');
+    }
+    catch {
+        process.stderr.write('aim-core is not available.\n');
+        process.stderr.write('Install: npm install @opena2a/aim-core\n');
+        return null;
+    }
+}
+async function handleList(options) {
+    const mod = await loadAimCore();
+    if (!mod)
+        return 1;
+    const isJson = options.format === 'json';
+    try {
+        const aim = new mod.AIMCore({ agentName: 'default' });
+        const id = aim.getIdentity();
+        if (isJson) {
+            process.stdout.write(JSON.stringify(id, null, 2) + '\n');
+            return 0;
+        }
+        process.stdout.write((0, colors_js_1.bold)('Agent Identity') + '\n');
+        process.stdout.write((0, colors_js_1.gray)('-'.repeat(50)) + '\n');
+        process.stdout.write(`  Agent ID:    ${(0, colors_js_1.cyan)(id.agentId)}\n`);
+        process.stdout.write(`  Name:        ${id.agentName}\n`);
+        process.stdout.write(`  Public Key:  ${(0, colors_js_1.dim)(id.publicKey.slice(0, 32) + '...')}\n`);
+        process.stdout.write(`  Created:     ${id.createdAt}\n`);
+        process.stdout.write((0, colors_js_1.gray)('-'.repeat(50)) + '\n');
+        return 0;
+    }
+    catch (err) {
+        process.stderr.write(`Failed to load identity: ${err instanceof Error ? err.message : String(err)}\n`);
+        return 1;
+    }
+}
+async function handleCreate(options) {
+    const mod = await loadAimCore();
+    if (!mod)
+        return 1;
+    const name = options.name;
+    if (!name) {
+        process.stderr.write('Missing required option: --name <name>\n');
+        process.stderr.write('Usage: opena2a identity create --name my-agent\n');
+        return 1;
+    }
+    const isJson = options.format === 'json';
+    try {
+        const aim = new mod.AIMCore({ agentName: name });
+        const id = aim.getIdentity();
+        if (isJson) {
+            process.stdout.write(JSON.stringify(id, null, 2) + '\n');
+            return 0;
+        }
+        process.stdout.write((0, colors_js_1.green)('Identity created') + '\n');
+        process.stdout.write(`  Agent ID:    ${(0, colors_js_1.cyan)(id.agentId)}\n`);
+        process.stdout.write(`  Name:        ${id.agentName}\n`);
+        process.stdout.write(`  Public Key:  ${(0, colors_js_1.dim)(id.publicKey.slice(0, 32) + '...')}\n`);
+        process.stdout.write(`  Stored in:   ${(0, colors_js_1.dim)(aim.getDataDir())}\n`);
+        return 0;
+    }
+    catch (err) {
+        process.stderr.write(`Failed to create identity: ${err instanceof Error ? err.message : String(err)}\n`);
+        return 1;
+    }
+}
+async function handleTrust(options) {
+    const mod = await loadAimCore();
+    if (!mod)
+        return 1;
+    const isJson = options.format === 'json';
+    try {
+        const aim = new mod.AIMCore({ agentName: 'default' });
+        aim.getIdentity(); // ensure identity exists
+        const trust = aim.calculateTrust();
+        if (isJson) {
+            process.stdout.write(JSON.stringify(trust, null, 2) + '\n');
+            return 0;
+        }
+        process.stdout.write((0, colors_js_1.bold)('Trust Score') + '\n');
+        process.stdout.write((0, colors_js_1.gray)('-'.repeat(50)) + '\n');
+        process.stdout.write(`  Score:  ${(0, colors_js_1.bold)(String(trust.score))}  Grade: ${(0, colors_js_1.bold)(trust.grade)}\n`);
+        process.stdout.write('\n');
+        process.stdout.write('  Factors:\n');
+        for (const [factor, value] of Object.entries(trust.factors)) {
+            const label = factor.replace(/([A-Z])/g, ' $1').toLowerCase().trim();
+            const status = value > 0 ? (0, colors_js_1.green)('active') : (0, colors_js_1.dim)('inactive');
+            process.stdout.write(`    ${label.padEnd(22)} ${status}\n`);
+        }
+        process.stdout.write((0, colors_js_1.gray)('-'.repeat(50)) + '\n');
+        return 0;
+    }
+    catch (err) {
+        process.stderr.write(`Failed to calculate trust: ${err instanceof Error ? err.message : String(err)}\n`);
+        return 1;
+    }
+}
+async function handleAudit(options) {
+    const mod = await loadAimCore();
+    if (!mod)
+        return 1;
+    const isJson = options.format === 'json';
+    const limit = options.limit ?? 10;
+    try {
+        const aim = new mod.AIMCore({ agentName: 'default' });
+        const events = aim.readAuditLog({ limit });
+        if (isJson) {
+            process.stdout.write(JSON.stringify(events, null, 2) + '\n');
+            return 0;
+        }
+        if (events.length === 0) {
+            process.stdout.write((0, colors_js_1.dim)('No audit events recorded yet.') + '\n');
+            process.stdout.write((0, colors_js_1.dim)('Events are logged when using aim-core in your agent.') + '\n');
+            return 0;
+        }
+        process.stdout.write((0, colors_js_1.bold)(`Audit Log (last ${events.length})`) + '\n');
+        process.stdout.write((0, colors_js_1.gray)('-'.repeat(70)) + '\n');
+        for (const e of events) {
+            const ts = e.timestamp.slice(0, 19).replace('T', ' ');
+            const resultColor = e.result === 'allowed' ? colors_js_1.green : e.result === 'denied' ? colors_js_1.yellow : colors_js_1.dim;
+            process.stdout.write(`  ${(0, colors_js_1.dim)(ts)}  ${e.action.padEnd(16)} ${e.target.padEnd(16)} ${resultColor(e.result)}\n`);
+        }
+        process.stdout.write((0, colors_js_1.gray)('-'.repeat(70)) + '\n');
+        return 0;
+    }
+    catch (err) {
+        process.stderr.write(`Failed to read audit log: ${err instanceof Error ? err.message : String(err)}\n`);
+        return 1;
+    }
+}
+//# sourceMappingURL=identity.js.map

package/dist/commands/identity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/commands/identity.ts"],"names":[],"mappings":";;AAaA,4BAqBC;AAjCD,iDAAyE;AAYlE,KAAK,UAAU,QAAQ,CAAC,OAAwB;IACrD,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,CAAC;IAC/B,QAAQ,GAAG,EAAE,CAAC;QACZ,KAAK,MAAM,CAAC;QACZ,KAAK,MAAM;YACT,OAAO,UAAU,CAAC,OAAO,CAAC,CAAC;QAC7B,KAAK,QAAQ;YACX,OAAO,YAAY,CAAC,OAAO,CAAC,CAAC;QAC/B,KAAK,OAAO;YACV,OAAO,WAAW,CAAC,OAAO,CAAC,CAAC;QAC9B,KAAK,OAAO;YACV,OAAO,WAAW,CAAC,OAAO,CAAC,CAAC;QAC9B;YACE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gCAAgC,GAAG,IAAI,CAAC,CAAC;YAC9D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,yDAAyD,CAAC,CAAC;YAChF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;YACzE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oDAAoD,CAAC,CAAC;YAC3E,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,yCAAyC,CAAC,CAAC;YAChE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC;YACxE,OAAO,CAAC,CAAC;IACb,CAAC;AACH,CAAC;AAED,KAAK,UAAU,WAAW;IACxB,IAAI,CAAC;QACH,OAAO,MAAM,MAAM,CAAC,mBAAmB,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;QACrD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;QACjE,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,OAAwB;IAChD,MAAM,GAAG,GAAG,MAAM,WAAW,EAAE,CAAC;IAChC,IAAI,CAAC,GAAG;QAAE,OAAO,CAAC,CAAC;IAEnB,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,KAAK,MAAM,CAAC;IAEzC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC,CAAC;QACtD,MAAM,EAAE,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QAE7B,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;YACzD,OAAO,CAAC,CAAC;QACX,CAAC;QAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,gBAAI,EAAC,gBAAgB,CAAC,GAAG,IAAI,CAAC,CAAC;QACpD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,gBAAI,EAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QAClD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,IAAA,gBAAI,EAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,EAAE,CAAC,SAAS,IAAI,CAAC,CAAC;QACzD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,IAAA,eAAG,EAAC,EAAE,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC;QACnF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,EAAE,CAAC,SAAS,IAAI,CAAC,CAAC;QACzD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,gBAAI,EAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QAClD,OAAO,CAAC,CAAC;IACX,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,4BAA4B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACvG,OAAO,CAAC,CAAC;IACX,CAAC;AACH,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,OAAwB;IAClD,MAAM,GAAG,GAAG,MAAM,WAAW,EAAE,CAAC;IAChC,IAAI,CAAC,GAAG;QAAE,OAAO,CAAC,CAAC;IAEnB,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAC1B,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,0CAA0C,CAAC,CAAC;QACjE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACzE,OAAO,CAAC,CAAC;IACX,CAAC;IAED,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,KAAK,MAAM,CAAC;IAEzC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QACjD,MAAM,EAAE,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC;QAE7B,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;YACzD,OAAO,CAAC,CAAC;QACX,CAAC;QAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,iBAAK,EAAC,kBAAkB,CAAC,GAAG,IAAI,CAAC,CAAC;QACvD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,IAAA,gBAAI,EAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,EAAE,CAAC,SAAS,IAAI,CAAC,CAAC;QACzD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,IAAA,eAAG,EAAC,EAAE,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC;QACnF,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,IAAA,eAAG,EAAC,GAAG,CAAC,UAAU,EAAE,CAAC,IAAI,CAAC,CAAC;QAClE,OAAO,CAAC,CAAC;IACX,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,8BAA8B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACzG,OAAO,CAAC,CAAC;IACX,CAAC;AACH,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,OAAwB;IACjD,MAAM,GAAG,GAAG,MAAM,WAAW,EAAE,CAAC;IAChC,IAAI,CAAC,GAAG;QAAE,OAAO,CAAC,CAAC;IAEnB,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,KAAK,MAAM,CAAC;IAEzC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC,CAAC;QACtD,GAAG,CAAC,WAAW,EAAE,CAAC,CAAC,yBAAyB;QAC5C,MAAM,KAAK,GAAG,GAAG,CAAC,cAAc,EAAE,CAAC;QAEnC,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;YAC5D,OAAO,CAAC,CAAC;QACX,CAAC;QAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,gBAAI,EAAC,aAAa,CAAC,GAAG,IAAI,CAAC,CAAC;QACjD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,gBAAI,EAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QAClD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,aAAa,IAAA,gBAAI,EAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,YAAY,IAAA,gBAAI,EAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC9F,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC3B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;QACrC,KAAK,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;YAC5D,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC,IAAI,EAAE,CAAC;YACrE,MAAM,MAAM,GAAG,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,IAAA,iBAAK,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAA,eAAG,EAAC,UAAU,CAAC,CAAC;YAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,MAAM,IAAI,CAAC,CAAC;QAC9D,CAAC;QACD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,gBAAI,EAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QAClD,OAAO,CAAC,CAAC;IACX,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,8BAA8B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACzG,OAAO,CAAC,CAAC;IACX,CAAC;AACH,CAAC;AAED,KAAK,UAAU,WAAW,CAAC,OAAwB;IACjD,MAAM,GAAG,GAAG,MAAM,WAAW,EAAE,CAAC;IAChC,IAAI,CAAC,GAAG;QAAE,OAAO,CAAC,CAAC;IAEnB,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,KAAK,MAAM,CAAC;IACzC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,EAAE,CAAC;IAElC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC,CAAC;QACtD,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;QAE3C,IAAI,MAAM,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;YAC7D,OAAO,CAAC,CAAC;QACX,CAAC;QAED,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,eAAG,EAAC,+BAA+B,CAAC,GAAG,IAAI,CAAC,CAAC;YAClE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,eAAG,EAAC,sDAAsD,CAAC,GAAG,IAAI,CAAC,CAAC;YACzF,OAAO,CAAC,CAAC;QACX,CAAC;QAED,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,gBAAI,EAAC,mBAAmB,MAAM,CAAC,MAAM,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC;QACvE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,gBAAI,EAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QAClD,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;YACvB,MAAM,EAAE,GAAG,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YACtD,MAAM,WAAW,GAAG,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,iBAAK,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,kBAAM,CAAC,CAAC,CAAC,eAAG,CAAC;YAC1F,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,IAAA,eAAG,EAAC,EAAE,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACjH,CAAC;QACD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAA,gBAAI,EAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC;QAClD,OAAO,CAAC,CAAC;IACX,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,6BAA6B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACxG,OAAO,CAAC,CAAC;IACX,CAAC;AACH,CAAC"}

package/dist/commands/init.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAeH,OAAO,EACL,sBAAsB,IAAI,4BAA4B,EAKvD,MAAM,oBAAoB,CAAC;AAI5B,MAAM,WAAW,WAAW;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,EAAE,CAAC,EAAE,OAAO,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACzB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AA0DD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAiMhE;AAmQD;;;GAGG;AACH,eAAO,MAAM,sBAAsB,qCAA+B,CAAC"}
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/commands/init.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAeH,OAAO,EACL,sBAAsB,IAAI,4BAA4B,EAKvD,MAAM,oBAAoB,CAAC;AAI5B,MAAM,WAAW,WAAW;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,EAAE,CAAC,EAAE,OAAO,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IACzB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AA0DD,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAwOhE;AAmQD;;;GAGG;AACH,eAAO,MAAM,sBAAsB,qCAA+B,CAAC"}

package/dist/commands/init.js

@@ -219,22 +219,58 @@ async function init(options) {
         if (driftFindings.length > 0) {
             process.stdout.write((0, colors_js_1.yellow)((0, colors_js_1.bold)('  Scope Drift Detected')) + '\n');
             process.stdout.write((0, colors_js_1.gray)('  ' + '-'.repeat(47)) + '\n');
+            // Group by drift type and show once per type with count
+            const driftByType = new Map();
             for (const d of driftFindings) {
-                const relPath = path.relative(targetDir, d.filePath);
-                const driftType = d.findingId === 'DRIFT-001' ? 'Google Maps key may access Gemini AI' : 'AWS key may access Bedrock AI';
-                process.stdout.write(`  ${(0, colors_js_1.yellow)(d.findingId)} ${driftType}\n`);
-                process.stdout.write(`  ${(0, colors_js_1.dim)('  ' + relPath + ':' + d.line)}\n`);
+                const existing = driftByType.get(d.findingId) ?? [];
+                existing.push(d);
+                driftByType.set(d.findingId, existing);
+            }
+            for (const [findingId, items] of driftByType) {
+                const first = items[0];
+                const relPath = path.relative(targetDir, first.filePath);
+                const extra = items.length > 1 ? ` (+${items.length - 1} more)` : '';
+                if (findingId === 'DRIFT-001') {
+                    process.stdout.write(`  ${(0, colors_js_1.yellow)(findingId)}  Google Maps key may access Gemini AI  (${items.length} location${items.length === 1 ? '' : 's'})\n`);
+                    process.stdout.write(`  ${(0, colors_js_1.dim)('  ' + relPath + ':' + first.line + extra)}\n`);
+                    process.stdout.write(`  ${(0, colors_js_1.dim)('  Keys provisioned for Maps silently authenticate to Gemini if the')}\n`);
+                    process.stdout.write(`  ${(0, colors_js_1.dim)('  Generative Language API is enabled in the same GCP project.')}\n`);
+                    process.stdout.write(`  ${(0, colors_js_1.dim)('  Verify:  opena2a protect --dry-run')}\n`);
+                    process.stdout.write(`  ${(0, colors_js_1.dim)('           (runs live Gemini API access check, no changes made)')}\n`);
+                    process.stdout.write(`  ${(0, colors_js_1.dim)('  Fix:     opena2a protect')}\n`);
+                }
+                else if (findingId === 'DRIFT-002') {
+                    process.stdout.write(`  ${(0, colors_js_1.yellow)(findingId)}  AWS key may access Bedrock AI  (${items.length} location${items.length === 1 ? '' : 's'})\n`);
+                    process.stdout.write(`  ${(0, colors_js_1.dim)('  ' + relPath + ':' + first.line + extra)}\n`);
+                    process.stdout.write(`  ${(0, colors_js_1.dim)('  IAM policies frequently over-provision. A key scoped for S3/EC2')}\n`);
+                    process.stdout.write(`  ${(0, colors_js_1.dim)('  may also pass STS auth and call Bedrock LLM endpoints.')}\n`);
+                    process.stdout.write(`  ${(0, colors_js_1.dim)('  Verify:  opena2a protect --dry-run')}\n`);
+                    process.stdout.write(`  ${(0, colors_js_1.dim)('           (runs live STS + Bedrock access check, no changes made)')}\n`);
+                    process.stdout.write(`  ${(0, colors_js_1.dim)('  Fix:     opena2a protect')}\n`);
+                }
+                else {
+                    process.stdout.write(`  ${(0, colors_js_1.yellow)(findingId)}  Credential scope drift  (${items.length} location${items.length === 1 ? '' : 's'})\n`);
+                    process.stdout.write(`  ${(0, colors_js_1.dim)('  ' + relPath + ':' + first.line + extra)}\n`);
+                    process.stdout.write(`  ${(0, colors_js_1.dim)('  Verify:  opena2a protect --dry-run')}\n`);
+                    process.stdout.write(`  ${(0, colors_js_1.dim)('  Fix:     opena2a protect')}\n`);
+                }
+                process.stdout.write('\n');
             }
-            process.stdout.write('\n');
-            process.stdout.write((0, colors_js_1.dim)('  Scope drift: keys provisioned for one service silently') + '\n');
-            process.stdout.write((0, colors_js_1.dim)('  gain access to AI services, expanding attack surface.') + '\n');
-            process.stdout.write((0, colors_js_1.dim)('  Run: opena2a protect') + '\n');
-            process.stdout.write('\n');
         }
         // Show advisory warnings after main report
         if (advisoryCheck.advisories.length > 0) {
             (0, advisories_js_1.printAdvisoryWarnings)(advisoryCheck);
         }
+        // Contextual tip
+        const tip = getContextualTip(report);
+        process.stdout.write((0, colors_js_1.dim)(`  Tip: ${tip.command}`) + '\n');
+        const wrappedTipText = (0, format_js_1.wordWrap)(tip.text, 68, 7);
+        process.stdout.write((0, colors_js_1.dim)(wrappedTipText) + '\n');
+        process.stdout.write('\n');
+        // OpenA2A footer
+        process.stdout.write((0, colors_js_1.cyan)('  OpenA2A -- open-source security for AI agents') + '\n');
+        process.stdout.write((0, colors_js_1.cyan)('  opena2a.org  |  github.com/opena2a-org') + '\n');
+        process.stdout.write('\n');
     }
     const hasCritical = nextSteps.some(s => s.severity === 'critical');
     return hasCritical ? 1 : 0;
@@ -697,55 +733,71 @@ function getToolRecommendation(findingId) {
     return null;
 }
 function getContextualTip(report) {
-    const hasAnyCreds = report.findings.some(f => f.findingId.startsWith('CRED-') || f.findingId.startsWith('DRIFT-'));
-    if (hasAnyCreds) {
+    const credCount = report.credentialFindings;
+    const criticalCount = report.credentialsBySeverity['critical'] ?? 0;
+    const driftFindings = report.findings.filter(f => f.findingId.startsWith('DRIFT-'));
+    const hasDrift = driftFindings.length > 0;
+    const hasAwsDrift = report.findings.some(f => f.findingId === 'DRIFT-002');
+    const hasGcpDrift = report.findings.some(f => f.findingId === 'DRIFT-001');
+    if (credCount > 0) {
+        if (hasDrift && hasAwsDrift) {
+            return {
+                text: `${credCount} credential${credCount === 1 ? '' : 's'} in source files, including AWS keys with potential Bedrock access. opena2a protect moves them to Secretless AI (encrypted local vault) and runs a live STS + Bedrock check to confirm actual exposure.`,
+                command: 'opena2a protect',
+            };
+        }
+        if (hasDrift && hasGcpDrift) {
+            return {
+                text: `${credCount} credential${credCount === 1 ? '' : 's'} in source files, including Google keys with potential Gemini access. opena2a protect moves them to Secretless AI (encrypted local vault) and verifies live Generative Language API access.`,
+                command: 'opena2a protect',
+            };
+        }
+        if (criticalCount > 0) {
+            return {
+                text: `${criticalCount} critical credential${criticalCount === 1 ? '' : 's'} in source files — anyone with repo access can use them now. opena2a protect moves them to Secretless AI (encrypted local vault) and rewrites the source files to reference env vars.`,
+                command: 'opena2a protect',
+            };
+        }
         return {
-            text: 'Migrate credentials out of source files',
+            text: `${credCount} credential${credCount === 1 ? '' : 's'} in source files. opena2a protect moves them to Secretless AI, rewrites the source to use env var references, and updates .gitignore.`,
             command: 'opena2a protect',
         };
     }
     const hasMcpCred = report.findings.some(f => f.findingId === 'MCP-CRED');
     if (hasMcpCred) {
         return {
-            text: 'Move credentials out of MCP config files',
+            text: 'Credentials in MCP config files are read by every AI tool that loads the config. opena2a protect moves them to Secretless AI and injects them as env vars at runtime — no more plaintext in config files.',
             command: 'opena2a protect',
         };
     }
     const hasAiConfig = report.findings.some(f => f.findingId === 'AI-CONFIG');
     if (hasAiConfig) {
         return {
-            text: 'Fix all auto-fixable findings',
+            text: 'AI tool config files (Claude, Cursor, Copilot) have fixable issues. opena2a protect applies all auto-fixable changes in one pass and signs the files so Guard can detect future unauthorized changes.',
             command: 'opena2a protect',
         };
     }
     const hasLLM = report.findings.some(f => f.findingId === 'ENV-LLM');
     if (hasLLM) {
         return {
-            text: 'Add authentication to your LLM server',
+            text: 'An unauthenticated LLM server is running locally. opena2a shield status shows which Shield modules are active and what ARP is monitoring at the process and network level.',
             command: 'opena2a shield status',
         };
     }
-    const hasEnv = report.findings.some(f => f.findingId === 'ENV-DOTENV');
-    if (hasEnv) {
-        return {
-            text: 'Fix all auto-fixable findings',
-            command: 'opena2a protect',
-        };
-    }
     if (report.securityScore >= 90) {
         return {
-            text: 'Strong baseline. Run a full scan for deeper coverage',
-            command: 'opena2a scan secure',
+            text: 'Strong baseline. HackMyAgent runs 147 checks including agent-layer attacks, MCP exploitation, and OASB-1 + OASB-2 compliance scoring.',
+            command: 'npx hackmyagent secure',
         };
     }
     if (report.securityScore >= 70) {
         return {
-            text: 'Good posture. Lock it in with config file integrity signing',
+            text: 'Good posture. opena2a guard sign creates signed baselines for your config files — Guard will alert if anything changes without a new signature.',
             command: 'opena2a guard sign',
         };
     }
     return {
-        text: 'See all available security tools',
+        text: 'opena2a shield status shows all active protections: ARP runtime monitoring, Guard config integrity, Secretless credential management, and HackMyAgent scan coverage.',
         command: 'opena2a shield status',
     };
 }
@@ -783,13 +835,18 @@ function printReport(report, elapsed, verbose) {
     if (report.findings.length > 0) {
         process.stdout.write((0, colors_js_1.bold)('  Findings') + '\n');
         process.stdout.write((0, colors_js_1.gray)('  ' + '-'.repeat(47)) + '\n');
-        const maxFindings = verbose ? report.findings.length : 5;
-        const displayFindings = report.findings.slice(0, maxFindings);
+        // Always show all critical + high; truncate medium/low at 2 (unless verbose)
+        const important = report.findings.filter(f => f.severity === 'critical' || f.severity === 'high');
+        const minor = report.findings.filter(f => f.severity !== 'critical' && f.severity !== 'high');
+        const maxMinor = verbose ? minor.length : 2;
+        const displayFindings = [...important, ...minor.slice(0, maxMinor)];
+        const hiddenCount = verbose ? 0 : minor.length - maxMinor;
         for (const finding of displayFindings) {
-            const sevTag = finding.severity === 'critical' ? (0, colors_js_1.red)('CRITICAL')
-                : finding.severity === 'high' ? (0, colors_js_1.yellow)('HIGH    ')
-                    : finding.severity === 'medium' ? (0, colors_js_1.cyan)('MEDIUM  ')
-                        : (0, colors_js_1.dim)('LOW     ');
+            const sevPad = finding.severity === 'critical' ? ''
+                : finding.severity === 'high' ? '    '
+                    : finding.severity === 'medium' ? '  '
+                        : '     ';
+            const sevTag = (0, format_js_1.severityColor)(finding.severity)(finding.severity.toUpperCase()) + sevPad;
             const countPrefix = finding.count > 1 ? `${finding.count} ` : '';
             process.stdout.write(`  ${sevTag}  ${countPrefix}${(0, colors_js_1.bold)(finding.title)}\n`);
             if (finding.explanation) {
@@ -821,9 +878,8 @@ function printReport(report, elapsed, verbose) {
             }
             process.stdout.write('\n');
         }
-        if (!verbose && report.findings.length > maxFindings) {
-            const remaining = report.findings.length - maxFindings;
-            process.stdout.write((0, colors_js_1.dim)(`  [+${remaining} more finding${remaining === 1 ? '' : 's'} -- run with --verbose to see all]`) + '\n');
+        if (hiddenCount > 0) {
+            process.stdout.write((0, colors_js_1.dim)(`  [+${hiddenCount} lower-severity finding${hiddenCount === 1 ? '' : 's'} -- run with --verbose to see all]`) + '\n');
             process.stdout.write('\n');
         }
     }
@@ -877,9 +933,5 @@ function printReport(report, elapsed, verbose) {
         process.stdout.write((0, colors_js_1.gray)('  ' + '-'.repeat(47)) + '\n');
     }
     process.stdout.write('\n');
-    // Contextual tip
-    const tip = getContextualTip(report);
-    process.stdout.write((0, colors_js_1.dim)(`  Tip: ${tip.command} -- ${tip.text}`) + '\n');
-    process.stdout.write('\n');
 }
 //# sourceMappingURL=init.js.map