shield-llm 0.1.0

package/dist/cli.js

@@ -0,0 +1,1396 @@
+import { createRequire as __cjs_createRequire } from "module"; import { fileURLToPath as __cjs_fileURLToPath } from "url"; import { dirname as __cjs_dirname } from "path"; const __filename = __cjs_fileURLToPath(import.meta.url); const __dirname = __cjs_dirname(__filename); const require = __cjs_createRequire(import.meta.url);
+import {
+  ConfigError,
+  ConfigSchema,
+  Scanner,
+  analyzeJudgeHealth,
+  buildTargetConfig,
+  calculateComplianceScore,
+  deserializeAttack,
+  deserializeMultiTurnAttack,
+  evaluateThresholds,
+  formatComplianceTerminal,
+  formatJson,
+  formatMarkdown,
+  formatSarif,
+  generatePdf,
+  loadConfig,
+  loadSystemPrompt
+} from "./chunk-6HLD55BG.js";
+import "./chunk-7D5WVZW5.js";
+
+// src/cli.ts
+import "dotenv/config";
+import { Command, CommanderError } from "commander";
+
+// src/credentials.ts
+import {
+  readFileSync,
+  writeFileSync,
+  mkdirSync,
+  existsSync,
+  unlinkSync
+} from "fs";
+import { join } from "path";
+import { homedir } from "os";
+var DEFAULT_API_URL = "https://shield-llm.com";
+function getConfigDir() {
+  const home = process.env.SHIELD_LLM_HOME ?? homedir();
+  return join(home, ".shield-llm");
+}
+function getCredentialsFile() {
+  return join(getConfigDir(), "credentials.json");
+}
+function loadCredentials() {
+  const file = getCredentialsFile();
+  if (!existsSync(file)) return null;
+  try {
+    const content = readFileSync(file, "utf-8");
+    const parsed = JSON.parse(content);
+    if (!parsed.apiKey || typeof parsed.apiKey !== "string") return null;
+    return {
+      apiKey: parsed.apiKey,
+      apiUrl: parsed.apiUrl ?? DEFAULT_API_URL
+    };
+  } catch {
+    return null;
+  }
+}
+function resolveApiUrl(stored, override) {
+  const raw = override ?? process.env.SHIELD_API_URL ?? stored ?? DEFAULT_API_URL;
+  return raw.trim().replace(/\/+$/, "");
+}
+function saveCredentials(creds) {
+  const dir = getConfigDir();
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true });
+  }
+  const content = JSON.stringify(
+    { apiKey: creds.apiKey, apiUrl: creds.apiUrl },
+    null,
+    2
+  );
+  writeFileSync(getCredentialsFile(), content, {
+    encoding: "utf-8",
+    mode: 384
+  });
+}
+function clearCredentials() {
+  const file = getCredentialsFile();
+  if (existsSync(file)) {
+    unlinkSync(file);
+  }
+}
+function getCredentialsPath() {
+  return getCredentialsFile();
+}
+
+// src/attacks-loader.ts
+async function fetchAttacks(args) {
+  const params = new URLSearchParams({ preset: args.preset });
+  if (args.includeMultiTurn) params.set("includeMultiTurn", "true");
+  const url = `${args.apiUrl}/api/cli/attacks?${params.toString()}`;
+  let res;
+  try {
+    res = await fetch(url, {
+      headers: { Authorization: `Bearer ${args.apiKey}` }
+    });
+  } catch (err) {
+    const reason = err instanceof Error ? err.message : "Unknown error";
+    throw new Error(
+      `Could not reach the Shield LLM backend at ${args.apiUrl} (${reason}). The CLI needs a backend connection to fetch the attack catalogue.`
+    );
+  }
+  if (res.status === 401) {
+    throw new Error(
+      "API key is invalid or revoked. Run `shield-llm login` to re-authenticate."
+    );
+  }
+  if (res.status === 403) {
+    const body = await res.json().catch(() => ({}));
+    throw new Error(
+      body.error ?? "Plan does not allow this preset. Upgrade required."
+    );
+  }
+  if (!res.ok) {
+    throw new Error(
+      `Backend returned HTTP ${res.status} fetching the attack catalogue.`
+    );
+  }
+  try {
+    const body = await res.json();
+    return {
+      attacks: body.attacks.map(deserializeAttack),
+      multiTurnAttacks: (body.multiTurnAttacks ?? []).map(
+        deserializeMultiTurnAttack
+      ),
+      source: "backend",
+      catalogVersion: body.catalogVersion
+    };
+  } catch (err) {
+    const reason = err instanceof Error ? err.message : "Unknown error";
+    throw new Error(
+      `Received a malformed attack catalogue from the backend (${reason}).`
+    );
+  }
+}
+
+// src/lib/exit.ts
+function setExitCode(code) {
+  process.exitCode = code;
+}
+
+// src/commands/attacks.ts
+async function attacksCommand(opts) {
+  const stored = loadCredentials();
+  if (!stored) {
+    console.error("Not logged in. Run: shield-llm login --key <your-key>\n");
+    setExitCode(2);
+    return;
+  }
+  const apiUrl = resolveApiUrl(stored.apiUrl, opts.apiUrl);
+  let fetched;
+  try {
+    fetched = await fetchAttacks({
+      apiUrl,
+      apiKey: stored.apiKey,
+      preset: "full",
+      includeMultiTurn: true
+    });
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : "Unknown error";
+    console.error(`Failed to fetch attacks: ${msg}`);
+    setExitCode(3);
+    return;
+  }
+  const wanted = opts.severity?.toLowerCase();
+  const singleTurn = fetched.attacks.filter(
+    (a) => !wanted || a.severity.toLowerCase() === wanted
+  );
+  const multiTurn = fetched.multiTurnAttacks.filter(
+    (a) => !wanted || a.severity.toLowerCase() === wanted
+  );
+  const total = singleTurn.length + multiTurn.length;
+  console.log(
+    `
+Available attacks (${total}) \u2014 catalog ${fetched.catalogVersion}:
+`
+  );
+  for (const attack of [...singleTurn, ...multiTurn]) {
+    const flags = [];
+    if (attack.requiresMcpHarness) flags.push("mcp");
+    if (attack.requiresVisionTarget) flags.push("vision");
+    if (attack.requiresMultiAgent) flags.push("multi-agent");
+    const flagStr = flags.length ? `  [needs: ${flags.join(", ")}]` : "";
+    console.log(
+      `  ${attack.id.padEnd(38)} ${attack.severity.padEnd(10)} ${attack.name}${flagStr}`
+    );
+  }
+  console.log("");
+}
+
+// src/commands/init.ts
+import { existsSync as existsSync2, writeFileSync as writeFileSync2 } from "fs";
+import { resolve } from "path";
+import { select, input, confirm } from "@inquirer/prompts";
+var CONFIG_FILENAME = "shield.config.json";
+async function initCommand() {
+  console.log("\nShield LLM \u2014 Configuration wizard\n");
+  if (!process.stdin.isTTY) {
+    console.error(
+      "`shield-llm init` is interactive and needs a terminal (TTY).\nRun it directly in your terminal, or write shield.config.json by hand\nand check it with `shield-llm validate`."
+    );
+    setExitCode(2);
+    return;
+  }
+  const configPath = resolve(CONFIG_FILENAME);
+  if (existsSync2(configPath)) {
+    const overwrite = await confirm({
+      message: `${CONFIG_FILENAME} already exists. Overwrite?`,
+      default: false
+    });
+    if (!overwrite) {
+      console.log("Aborted.");
+      return;
+    }
+  }
+  const url = await input({
+    message: "Endpoint URL of your chatbot:",
+    validate: (value) => {
+      try {
+        new URL(value);
+        return true;
+      } catch {
+        return "Please enter a valid URL (e.g. https://api.example.com/chat)";
+      }
+    }
+  });
+  const method = await select({
+    message: "HTTP method:",
+    choices: [
+      { value: "POST", name: "POST (most chatbots)" },
+      { value: "GET", name: "GET" },
+      { value: "PUT", name: "PUT" }
+    ],
+    default: "POST"
+  });
+  const auth = await collectAuth();
+  const { body, responseField } = await collectBodyShape();
+  const customHeaders = await collectCustomHeaders();
+  const preset = await select({
+    message: "Default scan preset:",
+    choices: [
+      { value: "owasp", name: "owasp     \u2014 OWASP LLM Top 10 (10 tests)" },
+      { value: "quick", name: "quick     \u2014 Find flaws fast (7 tests)" },
+      { value: "standard", name: "standard  \u2014 Recommended (39 tests)" },
+      {
+        value: "full",
+        name: "full      \u2014 Comprehensive (all tests + crescendo)"
+      }
+    ],
+    default: "standard"
+  });
+  const endpoint = {
+    url,
+    request: {
+      method,
+      ...Object.keys(customHeaders).length > 0 && { headers: customHeaders },
+      body
+    },
+    response: { field: responseField }
+  };
+  if (auth.type !== "none") {
+    endpoint.auth = auth;
+  } else {
+    endpoint.auth = { type: "none" };
+  }
+  const config = { endpoint, preset };
+  const result = ConfigSchema.safeParse(config);
+  if (!result.success) {
+    const issues = result.error.issues.map((i) => `  - ${i.path.join(".")}: ${i.message}`).join("\n");
+    console.error(`
+Generated config is invalid:
+${issues}`);
+    console.error(
+      "This is a bug \u2014 please report it at https://github.com/anthropics/shield-llm/issues"
+    );
+    setExitCode(3);
+    return;
+  }
+  writeFileSync2(configPath, JSON.stringify(result.data, null, 2) + "\n");
+  console.log(`
+\u2713 Config written to ${CONFIG_FILENAME}
+`);
+  console.log("  Next steps:");
+  console.log(
+    "    shield-llm login             Authenticate (SaaS or License)"
+  );
+  console.log("    shield-llm validate          Verify your configuration");
+  console.log("    shield-llm scan              Run a scan with your preset");
+  console.log("");
+}
+async function collectAuth() {
+  const authType = await select({
+    message: "How does your endpoint authenticate?",
+    choices: [
+      { value: "none", name: "No authentication" },
+      { value: "bearer", name: "Bearer token" },
+      { value: "api-key", name: "API key in header" },
+      { value: "oauth2", name: "OAuth2 client credentials" }
+    ]
+  });
+  if (authType === "none") return { type: "none" };
+  if (authType === "bearer") {
+    const token = await input({
+      message: "Bearer token (use $ENV_VAR to read from env):",
+      validate: (v) => v.length >= 1 ? true : "Token is required"
+    });
+    warnIfHardcodedSecret(token);
+    return { type: "bearer", token };
+  }
+  if (authType === "api-key") {
+    const header = await input({
+      message: "Header name:",
+      default: "X-API-Key"
+    });
+    const value = await input({
+      message: "API key value (use $ENV_VAR to read from env):",
+      validate: (v) => v.length >= 1 ? true : "Value is required"
+    });
+    warnIfHardcodedSecret(value);
+    return { type: "api-key", header, value };
+  }
+  const clientId = await input({
+    message: "Client ID (use $ENV_VAR to read from env):"
+  });
+  const clientSecret = await input({
+    message: "Client secret (use $ENV_VAR to read from env):"
+  });
+  warnIfHardcodedSecret(clientSecret);
+  const tokenUrl = await input({
+    message: "Token URL:",
+    validate: (v) => {
+      try {
+        new URL(v);
+        return true;
+      } catch {
+        return "Must be a valid URL";
+      }
+    }
+  });
+  return { type: "oauth2", clientId, clientSecret, tokenUrl };
+}
+async function collectBodyShape() {
+  const shape = await select({
+    message: "Request body shape:",
+    choices: [
+      {
+        value: "wrapper",
+        name: "JSON wrapper (most chatbots \u2014 { message: '{{prompt}}', ...fixed }) "
+      },
+      {
+        value: "literal",
+        name: "Literal prompt-only ({ prompt: '{{prompt}}' })"
+      }
+    ],
+    default: "wrapper"
+  });
+  if (shape === "literal") {
+    const responseField2 = await input({
+      message: "Response field (dot-notation):",
+      default: "response"
+    });
+    return { body: { prompt: "{{prompt}}" }, responseField: responseField2 };
+  }
+  const promptField = await input({
+    message: "Field name that carries the user prompt:",
+    default: "message"
+  });
+  const body = { [promptField]: "{{prompt}}" };
+  const addExtra = await confirm({
+    message: "Add extra fixed fields to the request body (assistant_id, thread_id, ...) ?",
+    default: false
+  });
+  if (addExtra) {
+    let more = true;
+    while (more) {
+      const key = await input({
+        message: "Field name:",
+        validate: (v) => v.length >= 1 ? true : "Required"
+      });
+      const value = await input({
+        message: `Value for "${key}":`
+      });
+      body[key] = value;
+      more = await confirm({ message: "Another field?", default: false });
+    }
+  }
+  const responseField = await input({
+    message: "Response field path (e.g. response, data.reply, choices[0].message.content):",
+    default: "response"
+  });
+  return { body, responseField };
+}
+async function collectCustomHeaders() {
+  const add = await confirm({
+    message: "Add custom request headers?",
+    default: false
+  });
+  if (!add) return {};
+  const headers = {};
+  let more = true;
+  while (more) {
+    const name = await input({
+      message: "Header name:",
+      validate: (v) => v.length >= 1 ? true : "Required"
+    });
+    const value = await input({
+      message: `Value for "${name}" (use $ENV_VAR to read from env):`
+    });
+    warnIfHardcodedSecret(value);
+    headers[name] = value;
+    more = await confirm({ message: "Another header?", default: false });
+  }
+  return headers;
+}
+function warnIfHardcodedSecret(value) {
+  if (value && !value.startsWith("$")) {
+    console.warn(
+      "\n  Tip: prefer $ENV_VAR (e.g. $BEARER_TOKEN) so secrets stay out of shield.config.json.\n"
+    );
+  }
+}
+
+// src/commands/login.ts
+async function loginCommand(opts) {
+  const key = opts.key;
+  if (!key.startsWith("sk_shield_")) {
+    console.error('Invalid key format. API keys start with "sk_shield_".');
+    setExitCode(2);
+    return;
+  }
+  const apiUrl = resolveApiUrl(void 0, opts.apiUrl);
+  saveCredentials({ apiKey: key, apiUrl });
+  console.log(`Credentials saved to ${getCredentialsPath()}`);
+  try {
+    const res = await fetch(`${apiUrl}/api/cli/scans`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${key}`
+      }
+    });
+    if (res.status === 401) {
+      console.warn(
+        "Warning: API key appears to be invalid. Check your key and try again."
+      );
+    } else if (res.ok) {
+      const data = await res.json();
+      console.log(
+        `Authenticated to ${apiUrl}! Plan: ${data.plan} (${data.remaining}/${data.limit} scans remaining)`
+      );
+    }
+  } catch {
+    console.log(
+      "Credentials saved. Could not verify \u2014 the backend may be unreachable."
+    );
+  }
+}
+
+// src/commands/logout.ts
+function logoutCommand() {
+  clearCredentials();
+  console.log("Credentials removed.");
+}
+
+// src/commands/presets.ts
+async function presetsCommand(opts) {
+  const stored = loadCredentials();
+  if (!stored) {
+    console.error("Not logged in. Run: shield-llm login --key <your-key>\n");
+    setExitCode(2);
+    return;
+  }
+  const apiUrl = resolveApiUrl(stored.apiUrl, opts.apiUrl);
+  let presets;
+  try {
+    const res = await fetch(`${apiUrl}/api/cli/presets`, {
+      headers: { Authorization: `Bearer ${stored.apiKey}` }
+    });
+    if (res.status === 401) {
+      console.error(
+        "API key is invalid or revoked. Run `shield-llm login` to re-authenticate."
+      );
+      setExitCode(2);
+      return;
+    }
+    if (!res.ok) {
+      const body = await res.json().catch(() => ({}));
+      console.error(
+        `Failed to fetch presets: ${body.error ?? `HTTP ${res.status}`}`
+      );
+      setExitCode(3);
+      return;
+    }
+    ({ presets } = await res.json());
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : "Unknown error";
+    console.error(`Failed to fetch presets: ${msg}`);
+    setExitCode(3);
+    return;
+  }
+  console.log("\nAvailable presets:\n");
+  for (const preset of presets) {
+    const lock = preset.allowed ? "" : "  (upgrade required)";
+    console.log(
+      `  ${preset.id.padEnd(12)} ${preset.name.padEnd(20)} ${preset.description}${lock}`
+    );
+  }
+  console.log("");
+}
+
+// src/commands/report.ts
+import { writeFileSync as writeFileSync3 } from "fs";
+import { resolve as resolve2 } from "path";
+function renderScanMarkdown(scan) {
+  const detected = scan.vulns.filter((v) => v.status === "DETECTED");
+  const passed = scan.vulns.length - detected.length;
+  const lines = [
+    `# Shield LLM scan ${scan.id}`,
+    "",
+    `- Target: \`${scan.targetUrl}\``,
+    `- Score: **${scan.score}** (${scan.grade})`,
+    `- Date: ${scan.createdAt}`,
+    `- Tests: ${scan.testsRun}/${scan.testsTotal} run, ${detected.length} vulnerable, ${passed} secure`,
+    "",
+    "## Vulnerabilities detected",
+    ""
+  ];
+  if (detected.length === 0) {
+    lines.push("_None_");
+  } else {
+    lines.push("| Severity | Name | Notes |");
+    lines.push("|---|---|---|");
+    for (const v of detected) {
+      lines.push(
+        `| ${v.severity} | ${v.name} | ${(v.description ?? "").slice(0, 80)} |`
+      );
+    }
+  }
+  return lines.join("\n") + "\n";
+}
+async function reportCommand(scanId, opts) {
+  const stored = loadCredentials();
+  if (!stored) {
+    console.error("Not logged in. Run `shield-llm login` first.");
+    process.exitCode = 2;
+    return;
+  }
+  const apiUrl = resolveApiUrl(stored.apiUrl, opts.apiUrl);
+  let res;
+  try {
+    res = await fetch(
+      `${apiUrl}/api/cli/reports/${encodeURIComponent(scanId)}`,
+      {
+        headers: { Authorization: `Bearer ${stored.apiKey}` }
+      }
+    );
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    console.error(`Failed to reach backend: ${msg}`);
+    process.exitCode = 3;
+    return;
+  }
+  if (res.status === 401) {
+    await res.text().catch(() => void 0);
+    console.error(
+      "API key invalid. Run `shield-llm login` to re-authenticate."
+    );
+    process.exitCode = 2;
+    return;
+  }
+  if (res.status === 404) {
+    await res.text().catch(() => void 0);
+    console.error(`Scan "${scanId}" not found.`);
+    process.exitCode = 2;
+    return;
+  }
+  if (!res.ok) {
+    await res.text().catch(() => void 0);
+    console.error(`Backend returned HTTP ${res.status}`);
+    process.exitCode = 3;
+    return;
+  }
+  const scan = await res.json();
+  let content;
+  if (opts.output === "markdown") {
+    content = renderScanMarkdown(scan);
+  } else {
+    content = JSON.stringify(scan, null, 2);
+  }
+  if (opts.outputFile) {
+    writeFileSync3(resolve2(opts.outputFile), content, "utf-8");
+    console.error(`Report written to ${opts.outputFile}`);
+  } else {
+    console.log(content);
+  }
+}
+
+// src/commands/scan.ts
+import { writeFileSync as writeFileSync4 } from "fs";
+import { resolve as resolve3 } from "path";
+
+// src/custom-tests-loader.ts
+async function fetchCustomTests(apiUrl, apiKey) {
+  const res = await fetch(`${apiUrl}/api/cli/tests`, {
+    headers: {
+      Authorization: `Bearer ${apiKey}`
+    }
+  });
+  if (res.status === 401) {
+    throw new Error(
+      "API key is invalid or revoked. Run `shield-llm login` to re-authenticate."
+    );
+  }
+  if (!res.ok) {
+    throw new Error(`Failed to fetch custom tests: HTTP ${res.status}`);
+  }
+  const scans = await res.json();
+  return scans.filter((scan) => scan.isActive).flatMap(
+    (scan) => scan.tests.map((test) => ({
+      name: test.name,
+      prompt: test.prompt,
+      acceptanceCriteria: test.acceptanceCriteria
+    }))
+  );
+}
+
+// src/evaluators/backend-evaluator.ts
+var MAX_RESPONSE_CHARS = 19500;
+var HEAD_CHARS = 15e3;
+var TAIL_CHARS = 4e3;
+function truncateResponse(text) {
+  if (text.length <= MAX_RESPONSE_CHARS) return text;
+  const cut = text.length - HEAD_CHARS - TAIL_CHARS;
+  return `${text.slice(0, HEAD_CHARS)}
+
+[...TRUNCATED ${cut} chars...]
+
+${text.slice(-TAIL_CHARS)}`;
+}
+function truncateInput(input2) {
+  return {
+    ...input2,
+    response: truncateResponse(input2.response),
+    turns: input2.turns?.map((t) => ({
+      prompt: t.prompt,
+      response: truncateResponse(t.response)
+    }))
+  };
+}
+var BackendEvaluator = class {
+  constructor(apiUrl, apiKey) {
+    this.apiUrl = apiUrl;
+    this.apiKey = apiKey;
+  }
+  async evaluate(input2) {
+    const response = await fetch(`${this.apiUrl}/api/cli/evaluate`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${this.apiKey}`
+      },
+      body: JSON.stringify(truncateInput(input2))
+    });
+    if (response.status === 401) {
+      throw new Error(
+        "Invalid API key. Run `shield-llm login` to re-authenticate."
+      );
+    }
+    if (response.status === 403) {
+      const body = await response.json().catch(() => ({}));
+      throw new Error(
+        body.error ?? `Scan quota exceeded. Upgrade your plan at ${DEFAULT_API_URL}/settings`
+      );
+    }
+    if (response.status === 429) {
+      throw new Error("Rate limit exceeded. Please wait and try again.");
+    }
+    if (!response.ok) {
+      const body = await response.text().catch(() => "");
+      let userMessage = `Backend evaluation failed (HTTP ${response.status}). Please try again.`;
+      try {
+        const parsed = JSON.parse(body);
+        if (typeof parsed.error === "string" && parsed.error.length > 0) {
+          userMessage = `Backend evaluation failed (${response.status}): ${parsed.error}`;
+        }
+      } catch {
+        if (body) {
+          console.error(
+            `[BackendEvaluator] Non-JSON ${response.status} response body (first 500 chars): ${body.slice(0, 500)}`
+          );
+        }
+      }
+      throw new Error(userMessage);
+    }
+    return response.json();
+  }
+};
+
+// src/display/progress.ts
+import chalk from "chalk";
+import ora from "ora";
+var spinner = ora();
+var currentAttackName = "";
+function handleEvent(event) {
+  switch (event.type) {
+    case "scan:start":
+      spinner.start(
+        chalk.cyan(`Starting scan (${event.totalAttacks} attacks)...`)
+      );
+      break;
+    case "attack:start":
+      currentAttackName = event.attack.name;
+      spinner.text = chalk.cyan(
+        `[${event.index + 1}/${event.total}] ${event.attack.name} (${severityColor(event.attack.severity)})`
+      );
+      break;
+    case "attack:complete": {
+      const { result } = event;
+      const prefix = `[${event.index + 1}/${event.total}]`;
+      if (result.error) {
+        spinner.warn(
+          `${prefix} ${result.name} \u2014 ${chalk.yellow("error")}: ${result.error}`
+        );
+      } else if (result.vulnerable) {
+        spinner.fail(
+          `${prefix} ${result.name} \u2014 ${chalk.red("VULNERABLE")} (${severityColor(result.severity)})`
+        );
+      } else {
+        spinner.succeed(`${prefix} ${result.name} \u2014 ${chalk.green("secure")}`);
+      }
+      if (event.index < event.total - 1) {
+        spinner.start();
+      }
+      break;
+    }
+    case "crescendo:turn":
+      spinner.text = chalk.cyan(
+        `${currentAttackName} \u2014 turn ${event.turn}/${event.totalTurns}`
+      );
+      break;
+    case "scan:rate_limited":
+      spinner.fail(
+        chalk.red(
+          `Rate limited by target \u2014 skipping remaining attacks${event.retryAfterSec ? ` (retry after ${event.retryAfterSec}s)` : ""}`
+        )
+      );
+      spinner.start();
+      break;
+    case "scan:complete":
+      spinner.stop();
+      break;
+  }
+}
+function printSummary(report, thresholds) {
+  console.log("");
+  console.log(chalk.bold("\u2550\u2550\u2550 Shield LLM Scan Results \u2550\u2550\u2550"));
+  console.log("");
+  console.log(`  Target:   ${chalk.white(report.target)}`);
+  console.log(`  Score:    ${scoreColor(report.score)}`);
+  console.log(`  Grade:    ${gradeColor(report.grade)}`);
+  console.log(`  Duration: ${(report.durationMs / 1e3).toFixed(1)}s`);
+  console.log("");
+  const vulnerable = report.attacks.filter((a) => a.vulnerable);
+  const secure = report.attacks.filter((a) => !a.vulnerable && !a.error);
+  const errors = report.attacks.filter((a) => a.error);
+  console.log(
+    `  ${chalk.red(`${vulnerable.length} vulnerable`)} \xB7 ${chalk.green(`${secure.length} secure`)} \xB7 ${chalk.yellow(`${errors.length} errors`)}`
+  );
+  if (vulnerable.length > 0) {
+    console.log("");
+    console.log(chalk.red.bold("  Vulnerabilities:"));
+    for (const a of vulnerable) {
+      const conf = a.llmEvaluation ? ` (${(a.llmEvaluation.confidence * 100).toFixed(0)}% confidence)` : "";
+      console.log(
+        `    ${chalk.red("\u2717")} ${a.name} \u2014 ${severityColor(a.severity)}${conf}`
+      );
+    }
+  }
+  const judge = analyzeJudgeHealth(report);
+  if (judge.degraded) {
+    console.log("");
+    console.log(
+      chalk.bgYellow.black.bold(" JUDGE DEGRADED ") + chalk.yellow(
+        `  ${judge.degradedCount}/${judge.totalEvaluated} verdicts fell back to regex (${judge.errorSummary}).`
+      )
+    );
+    console.log(
+      chalk.yellow(
+        "  Regex-only verdicts are less reliable than LLM-assisted ones. False positives likely. Fix the LLM provider config and re-run."
+      )
+    );
+  }
+  console.log("");
+  if (thresholds.passed) {
+    console.log(chalk.green.bold("  \u2713 PASSED \u2014 all thresholds met"));
+  } else {
+    console.log(chalk.red.bold("  \u2717 FAILED \u2014 threshold violations:"));
+    for (const reason of thresholds.reasons) {
+      console.log(`    - ${reason}`);
+    }
+  }
+  console.log("");
+}
+function severityColor(severity) {
+  switch (severity) {
+    case "CRITICAL":
+      return chalk.red.bold(severity);
+    case "HIGH":
+    case "CRESCENDO":
+    case "COMBO":
+      return chalk.yellow(severity);
+    case "MEDIUM":
+      return chalk.blue(severity);
+    default:
+      return chalk.gray(severity);
+  }
+}
+function scoreColor(score) {
+  if (score >= 90) return chalk.green.bold(`${score}/100`);
+  if (score >= 75) return chalk.green(`${score}/100`);
+  if (score >= 60) return chalk.yellow(`${score}/100`);
+  if (score >= 40) return chalk.red(`${score}/100`);
+  return chalk.red.bold(`${score}/100`);
+}
+function gradeColor(grade) {
+  switch (grade) {
+    case "A":
+      return chalk.green.bold(grade);
+    case "B":
+      return chalk.green(grade);
+    case "C":
+      return chalk.yellow(grade);
+    case "D":
+      return chalk.red(grade);
+    default:
+      return chalk.red.bold(grade);
+  }
+}
+
+// src/lib/sanitize.ts
+var DEFAULTS = {
+  responseMaxChars: 500,
+  reasoningMaxChars: 500,
+  evidenceItemMaxChars: 200,
+  evidenceMaxItems: 5,
+  errorMaxChars: 200
+};
+function truncateString(value, max) {
+  if (value.length <= max) return value;
+  return value.slice(0, max - 1) + "\u2026";
+}
+function sanitizeReportForDisk(report, opts = {}) {
+  const cfg = { ...DEFAULTS, ...opts };
+  return {
+    ...report,
+    attacks: report.attacks.map((attack) => {
+      const sanitized = { ...attack };
+      if (typeof attack.response === "string") {
+        sanitized.response = truncateString(
+          attack.response,
+          cfg.responseMaxChars
+        );
+      }
+      if (attack.error) {
+        sanitized.error = truncateString(attack.error, cfg.errorMaxChars);
+      }
+      if (attack.llmEvaluation) {
+        const ev = attack.llmEvaluation;
+        sanitized.llmEvaluation = {
+          ...ev,
+          reasoning: ev.reasoning ? truncateString(ev.reasoning, cfg.reasoningMaxChars) : ev.reasoning,
+          evidence: ev.evidence ? ev.evidence.slice(0, cfg.evidenceMaxItems).map((e) => truncateString(e, cfg.evidenceItemMaxChars)) : ev.evidence
+        };
+      }
+      return sanitized;
+    })
+  };
+}
+
+// src/lib/format.ts
+function truncate(str, max) {
+  const oneLine = str.replace(/\n/g, " ").trim();
+  return oneLine.length <= max ? oneLine : oneLine.slice(0, max - 3) + "...";
+}
+
+// src/commands/scan.ts
+function buildAuthFromFlags(opts) {
+  if (!opts.auth) return void 0;
+  switch (opts.auth) {
+    case "bearer":
+      if (!opts.token)
+        throw new ConfigError("--token is required with --auth bearer");
+      return { type: "bearer", token: opts.token };
+    case "api-key":
+      if (!opts.token)
+        throw new ConfigError("--token is required with --auth api-key");
+      return {
+        type: "api-key",
+        header: opts.authHeader ?? "X-API-Key",
+        value: opts.token
+      };
+    // oauth2 requires too many params for CLI flags — use config file instead
+    default:
+      throw new ConfigError(
+        `Unknown or unsupported auth type for CLI flags: "${opts.auth}". OAuth2 must be configured via shield.config.json.`
+      );
+  }
+}
+async function uploadReportToBackend(report, credentials, scanId) {
+  const vulnerabilities = report.attacks.filter((a) => !a.error && !a.rateLimited).map((a) => ({
+    // attackId lets the backend validate against its known catalogue + the
+    // user's custom tests, rejecting fabricated vulnerability rows.
+    attackId: a.id,
+    name: a.name,
+    severity: a.severity,
+    vulnerabilityType: a.id,
+    vulnerable: a.vulnerable,
+    description: a.name,
+    evidence: a.prompt && a.response ? JSON.stringify({
+      prompt: a.prompt,
+      response: truncate(a.response, 2e3)
+    }) : a.response ? JSON.stringify({
+      prompt: "",
+      response: truncate(a.response, 2e3)
+    }) : void 0,
+    status: a.vulnerable ? "DETECTED" : "PASSED",
+    evaluationMethod: a.llmEvaluation?.evaluationMethod,
+    confidence: a.llmEvaluation?.confidence,
+    reasoning: a.llmEvaluation?.reasoning,
+    captureStatus: a.captureStatus ?? "captured"
+  }));
+  const testsRun = report.attacks.filter(
+    (a) => !a.error && !a.rateLimited
+  ).length;
+  const payload = {
+    scanId,
+    targetUrl: report.target,
+    chatbotType: "api",
+    summary: `CLI scan \u2014 ${report.config.preset} preset \u2014 ${testsRun}/${report.config.totalAttacks} tests`,
+    testsRun,
+    testsTotal: report.config.totalAttacks,
+    durationMs: report.durationMs,
+    vulnerabilities
+  };
+  const res = await fetch(`${credentials.apiUrl}/api/cli/reports`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${credentials.apiKey}`
+    },
+    body: JSON.stringify(payload)
+  });
+  if (!res.ok) {
+    const body = await res.text().catch(() => "");
+    throw new Error(`HTTP ${res.status}: ${body.slice(0, 200)}`);
+  }
+}
+async function scanCommand(opts) {
+  try {
+    if (opts.ci) {
+      opts.output = opts.output ?? "json";
+      opts.progress = false;
+    }
+    const info = (msg) => {
+      if (opts.ci) console.error(msg);
+      else console.log(msg);
+    };
+    const stored = loadCredentials();
+    const credentials = stored ? { ...stored, apiUrl: resolveApiUrl(stored.apiUrl, opts.apiUrl) } : null;
+    if (!credentials) {
+      console.error(
+        `Not logged in. Run \`shield-llm login\` to authenticate.
+  SaaS:    shield-llm login
+  License: shield-llm login --key <license-key> --api-url https://your-instance
+`
+      );
+      setExitCode(2);
+      return;
+    }
+    let reservedScanId = null;
+    try {
+      const res = await fetch(`${credentials.apiUrl}/api/cli/scans`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          Authorization: `Bearer ${credentials.apiKey}`
+        }
+      });
+      if (res.status === 401) {
+        console.error(
+          "API key is invalid or revoked. Run `shield-llm login` to re-authenticate."
+        );
+        setExitCode(2);
+        return;
+      }
+      if (res.status === 403) {
+        const body = await res.json().catch(() => ({}));
+        console.error(
+          body.error ?? `Monthly scan limit reached. Upgrade at ${DEFAULT_API_URL}/settings`
+        );
+        setExitCode(2);
+        return;
+      }
+      if (!res.ok) {
+        console.error(`Failed to start scan: HTTP ${res.status}`);
+        setExitCode(3);
+        return;
+      }
+      const scanSlot = await res.json();
+      reservedScanId = scanSlot.scanId;
+      info(
+        `Scan reserved (${scanSlot.remaining}/${scanSlot.limit} remaining this month)`
+      );
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : "Unknown error";
+      console.error(`Failed to connect to backend: ${msg}`);
+      setExitCode(3);
+      return;
+    }
+    const evaluator = new BackendEvaluator(
+      credentials.apiUrl,
+      credentials.apiKey
+    );
+    const cliOverrides = {};
+    if (opts.endpoint) {
+      cliOverrides.endpoint = {
+        url: opts.endpoint,
+        auth: buildAuthFromFlags(opts),
+        request: {
+          method: "POST",
+          body: opts.requestBody ? JSON.parse(opts.requestBody) : { message: "{{prompt}}" }
+        },
+        response: {
+          field: opts.responseField ?? "response"
+        }
+      };
+    } else if (opts.provider || opts.model) {
+      cliOverrides.target = {
+        provider: opts.provider,
+        model: opts.model
+      };
+    }
+    if (opts.preset) cliOverrides.preset = opts.preset;
+    if (opts.systemPrompt) cliOverrides.systemPrompt = opts.systemPrompt;
+    if (opts.crescendo) cliOverrides.includeCrescendo = true;
+    if (opts.minScore !== void 0 || opts.failOnCritical) {
+      cliOverrides.thresholds = {
+        ...opts.minScore !== void 0 ? { minScore: opts.minScore } : {},
+        ...opts.failOnCritical ? { failOnCritical: true } : {}
+      };
+    }
+    if (opts.output || opts.outputFile) {
+      cliOverrides.output = {
+        ...opts.output ? { format: opts.output } : {},
+        ...opts.outputFile ? { file: opts.outputFile } : {}
+      };
+    }
+    const config = loadConfig({
+      configPath: opts.config,
+      cliOverrides
+    });
+    if (opts.loadCustomTests) {
+      try {
+        const remoteTests = await fetchCustomTests(
+          credentials.apiUrl,
+          credentials.apiKey
+        );
+        if (remoteTests.length === 0) {
+          info(
+            `No custom tests found in your dashboard. Create them at ${DEFAULT_API_URL}/tests`
+          );
+        } else {
+          info(`Loaded ${remoteTests.length} custom test(s) from dashboard`);
+          config.customTests = [...config.customTests ?? [], ...remoteTests];
+        }
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : "Unknown error";
+        console.error(`Failed to fetch custom tests: ${msg}`);
+        setExitCode(3);
+        return;
+      }
+    }
+    if (opts.systemPromptFile) {
+      config.systemPrompt = opts.systemPromptFile;
+    }
+    const systemPrompt = loadSystemPrompt(config);
+    const presetForScan = config.preset ?? "standard";
+    const includeCrescendo = config.includeCrescendo ?? config.preset === "full";
+    const fetched = await fetchAttacks({
+      apiUrl: credentials.apiUrl,
+      apiKey: credentials.apiKey,
+      preset: presetForScan,
+      includeMultiTurn: includeCrescendo
+    });
+    const multiTurnNote = fetched.multiTurnAttacks.length > 0 ? ` + ${fetched.multiTurnAttacks.length} multi-turn` : "";
+    info(
+      `Loaded ${fetched.attacks.length} attacks${multiTurnNote} from ${fetched.source} (catalog ${fetched.catalogVersion})`
+    );
+    const scanOptions = {
+      target: buildTargetConfig(config),
+      systemPrompt,
+      preset: presetForScan,
+      attacks: fetched.attacks,
+      multiTurnAttacks: fetched.multiTurnAttacks,
+      includeCrescendo,
+      customTests: config.customTests,
+      concurrency: config.concurrency,
+      delayMs: config.delayMs,
+      attackTimeoutMs: config.attackTimeoutMs,
+      maxConsecutiveFailures: config.maxConsecutiveFailures,
+      evaluator
+    };
+    const onEvent = opts.progress !== false ? handleEvent : void 0;
+    const scanner = new Scanner(scanOptions, onEvent);
+    const report = await scanner.run();
+    try {
+      if (!reservedScanId) {
+        throw new Error(
+          "Missing scan reservation id (server returned no scanId)."
+        );
+      }
+      await uploadReportToBackend(report, credentials, reservedScanId);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : String(err);
+      console.warn(`Warning: Could not save scan to dashboard: ${msg}`);
+    }
+    let thresholdResult = evaluateThresholds(report, config.thresholds);
+    if (!opts.ci) {
+      printSummary(report, thresholdResult);
+    }
+    let complianceResult;
+    if (opts.euAiAct || opts.complianceThreshold !== void 0) {
+      const testOutcomes = report.attacks.filter((a) => !a.error).map((a) => ({
+        testId: a.id,
+        testName: a.name,
+        vulnerable: a.vulnerable,
+        severity: a.severity
+      }));
+      complianceResult = calculateComplianceScore(testOutcomes);
+      if (!opts.ci) {
+        console.log(formatComplianceTerminal(complianceResult, report.target));
+      }
+      if (opts.complianceThreshold !== void 0 && complianceResult.overallScore < opts.complianceThreshold) {
+        thresholdResult = {
+          passed: false,
+          reasons: [
+            ...thresholdResult.reasons,
+            `Compliance score ${complianceResult.overallScore}% is below minimum threshold ${opts.complianceThreshold}%`
+          ]
+        };
+      }
+    }
+    const format = config.output?.format ?? opts.output;
+    const outputFile = config.output?.file ?? opts.outputFile;
+    if (format || outputFile) {
+      if (format === "pdf") {
+        const pdfPath = outputFile ?? `shield-report-${report.id.slice(0, 8)}.pdf`;
+        const pdfBuffer = await generatePdf(report);
+        writeFileSync4(resolve3(pdfPath), pdfBuffer);
+        info(`PDF report written to ${pdfPath}`);
+      } else {
+        let content;
+        switch (format) {
+          case "sarif":
+            content = formatSarif(report);
+            break;
+          case "markdown":
+            content = formatMarkdown(report, thresholdResult, complianceResult);
+            break;
+          case "json":
+          default:
+            content = formatJson({
+              report,
+              thresholds: thresholdResult,
+              compliance: complianceResult
+            });
+            break;
+        }
+        if (outputFile) {
+          writeFileSync4(resolve3(outputFile), content, "utf-8");
+          info(`Report written to ${outputFile}`);
+        } else {
+          console.log(content);
+        }
+      }
+    }
+    if (opts.writeJson) {
+      const jsonPath = resolve3(opts.writeJson);
+      const reportForDisk = opts.includeFullPayloads ? report : sanitizeReportForDisk(report);
+      const jsonContent = formatJson({
+        report: reportForDisk,
+        thresholds: thresholdResult,
+        compliance: complianceResult
+      });
+      writeFileSync4(jsonPath, jsonContent, "utf-8");
+      info(
+        `JSON copy written to ${jsonPath}${opts.includeFullPayloads ? " (full payloads)" : " (sanitized)"}`
+      );
+    }
+    setExitCode(thresholdResult.passed ? 0 : 1);
+    return;
+  } catch (error) {
+    if (error instanceof ConfigError) {
+      console.error(`Configuration error: ${error.message}`);
+      setExitCode(2);
+      return;
+    }
+    const msg = error instanceof Error ? error.message : "Unknown error";
+    console.error(`Runtime error: ${msg}`);
+    setExitCode(3);
+    return;
+  }
+}
+
+// src/commands/tests.ts
+async function testsCommand(opts) {
+  let localTests = [];
+  let remoteTests = [];
+  try {
+    const config = loadConfig({ configPath: opts.config });
+    if (config.customTests?.length) {
+      localTests = config.customTests;
+    }
+  } catch {
+  }
+  if (opts.remote) {
+    const stored = loadCredentials();
+    if (!stored) {
+      console.error("Not logged in. Run: shield-llm login --key <your-key>\n");
+      setExitCode(2);
+      return;
+    }
+    const apiUrl = resolveApiUrl(stored.apiUrl, opts.apiUrl);
+    try {
+      remoteTests = await fetchCustomTests(apiUrl, stored.apiKey);
+    } catch (err) {
+      const msg = err instanceof Error ? err.message : "Unknown error";
+      console.error(`Failed to fetch remote tests: ${msg}`);
+      setExitCode(3);
+      return;
+    }
+  }
+  const hasLocal = localTests.length > 0;
+  const hasRemote = remoteTests.length > 0;
+  if (!hasLocal && !hasRemote) {
+    console.log("\nNo custom tests found.\n");
+    if (!opts.remote) {
+      console.log("  Tip: use --remote to check your Shield LLM dashboard\n");
+    }
+    console.log("  Create tests via:");
+    console.log(
+      "    shield-llm init                 Add tests to shield.config.json"
+    );
+    console.log(
+      `    ${DEFAULT_API_URL}/tests  Create tests on the dashboard
+`
+    );
+    return;
+  }
+  if (hasLocal) {
+    console.log(`
+Local tests (shield.config.json): ${localTests.length}
+`);
+    for (const test of localTests) {
+      console.log(`  ${test.name}`);
+      console.log(`    Prompt: ${truncate(test.prompt, 80)}`);
+      console.log(`    Criteria: ${truncate(test.acceptanceCriteria, 80)}
+`);
+    }
+  }
+  if (hasRemote) {
+    console.log(`
+Dashboard tests (remote): ${remoteTests.length}
+`);
+    for (const test of remoteTests) {
+      console.log(`  ${test.name}`);
+      console.log(`    Prompt: ${truncate(test.prompt, 80)}`);
+      console.log(`    Criteria: ${truncate(test.acceptanceCriteria, 80)}
+`);
+    }
+  }
+  const total = localTests.length + remoteTests.length;
+  console.log(
+    `Total: ${total} custom test(s) will be added to your next scan.
+`
+  );
+}
+
+// src/commands/validate.ts
+function validateCommand(opts) {
+  try {
+    const config = loadConfig({ configPath: opts.config });
+    console.log("Configuration is valid.");
+    if (config.endpoint) {
+      console.log(`  Mode: HTTP Endpoint`);
+      console.log(`  URL: ${config.endpoint.url}`);
+      console.log(`  Auth: ${config.endpoint.auth?.type ?? "none"}`);
+      console.log(`  Response field: ${config.endpoint.response.field}`);
+    } else {
+      console.log(`  Mode: LLM Provider`);
+      console.log(
+        `  Target: ${config.target.provider}/${config.target.model ?? "default"}`
+      );
+    }
+    console.log(
+      `  Judge: ${config.judge?.provider ?? "mistral"}/${config.judge?.model ?? "mistral-small-latest"}`
+    );
+    console.log(`  Preset: ${config.preset ?? "standard"}`);
+    if (config.customTests?.length) {
+      console.log(`  Custom tests: ${config.customTests.length}`);
+    }
+    setExitCode(0);
+    return;
+  } catch (error) {
+    if (error instanceof ConfigError) {
+      console.error(`Invalid configuration: ${error.message}`);
+      setExitCode(2);
+      return;
+    }
+    throw error;
+  }
+}
+
+// src/cli.ts
+function reportFatal(label, err) {
+  console.error(`
+${label}:`);
+  if (err instanceof Error) {
+    console.error(err.stack ?? err.message);
+  } else {
+    console.error(String(err));
+  }
+  console.error(
+    "\nThis is an unexpected error. Please rerun with the stack trace above attached if you report it."
+  );
+  process.exit(3);
+}
+process.on("unhandledRejection", (reason) => {
+  reportFatal("Unhandled promise rejection", reason);
+});
+process.on("uncaughtException", (err) => {
+  reportFatal("Uncaught exception", err);
+});
+var program = new Command();
+program.exitOverride();
+program.name("shield-llm").description("AI chatbot security scanner \u2014 automated red teaming for LLMs").version("0.1.0");
+program.command("scan").description("Run a security scan against a target chatbot").option("-c, --config <path>", "Path to shield.config.json").option("-p, --provider <name>", "Target provider (openai, mistral)").option("-m, --model <name>", "Target model name").option("-e, --endpoint <url>", "Target chatbot HTTP endpoint URL").option("--auth <type>", "Auth type: bearer, api-key, oauth2").option("--token <value>", "Bearer token or API key value").option("--auth-header <name>", "Custom auth header name (for api-key auth)").option(
+  "--response-field <path>",
+  "Dot-notation path to response text in JSON (default: response)"
+).option(
+  "--request-body <json>",
+  "JSON request body template (use {{prompt}} placeholder)"
+).option("--preset <name>", "Scan preset (dev, quick, owasp, standard, full)").option("--system-prompt <text>", "System prompt for target chatbot").option("--system-prompt-file <path>", "Path to system prompt file").option("--crescendo", "Include crescendo (multi-turn) attacks").option("--min-score <n>", "Minimum score threshold", parseFloat).option("--fail-on-critical", "Fail if any CRITICAL vulnerability found").option("-o, --output <format>", "Output format (json, markdown, sarif, pdf)").option("--output-file <path>", "Write report to file").option(
+  "--write-json <path>",
+  "Always write a parseable JSON copy here, regardless of --output (useful for CI to extract score/grade alongside SARIF)"
+).option(
+  "--include-full-payloads",
+  "Keep full chatbot responses / LLM reasoning in the on-disk JSON (default: truncate to protect against artifact leaks in public CI runs)"
+).option("--no-progress", "Disable progress spinner").option(
+  "--ci",
+  "CI mode: JSON to stdout, no spinner. Exit 0=pass, 1=threshold, 2=config/auth, 3=infra"
+).option(
+  "--load-custom-tests",
+  "Fetch custom tests from your Shield LLM dashboard"
+).option("--eu-ai-act", "Show EU AI Act compliance assessment after scan").option(
+  "--compliance-threshold <n>",
+  "Minimum compliance score (0-100)",
+  parseFloat
+).option(
+  "--api-url <url>",
+  "Backend API URL (overrides SHIELD_API_URL env var and stored credentials)"
+).action(scanCommand);
+program.command("init").description("Generate a shield.config.json interactively").action(initCommand);
+program.command("attacks").description("List all available attacks (fetched from your backend)").option("--severity <level>", "Filter by severity").option("--api-url <url>", "Backend API URL override").action(attacksCommand);
+program.command("presets").description("List available scan presets (fetched from your backend)").option("--api-url <url>", "Backend API URL override").action(presetsCommand);
+program.command("tests").description("List custom tests (local config and/or remote dashboard)").option("-c, --config <path>", "Path to shield.config.json").option("--remote", "Fetch custom tests from your Shield LLM dashboard").option(
+  "--api-url <url>",
+  "Backend API URL (overrides SHIELD_API_URL env var)"
+).action(testsCommand);
+program.command("validate").description("Validate a shield.config.json file").option("-c, --config <path>", "Path to config file").action(validateCommand);
+program.command("report <scanId>").description("Fetch a past scan report from your dashboard").option("-o, --output <format>", "Output format (json, markdown)", "json").option("--output-file <path>", "Write report to file").option("--api-url <url>", "Backend API URL override").action(reportCommand);
+program.command("login").description("Authenticate with your Shield LLM API key").requiredOption("--key <api-key>", "Your API key (sk_shield_...)").option(
+  "--api-url <url>",
+  "Backend API URL (defaults to SHIELD_API_URL env var or https://shield-llm.com)"
+).action(loginCommand);
+program.command("logout").description("Remove stored API key credentials").action(logoutCommand);
+try {
+  program.parse();
+} catch (err) {
+  if (err instanceof CommanderError) {
+    const code = err.code === "commander.helpDisplayed" || err.code === "commander.version" ? 0 : 2;
+    process.exit(code);
+  }
+  reportFatal("Error", err);
+}