ship-safe 7.0.0 → 9.0.0

package/cli/agents/managed-agent-scanner.js

@@ -0,0 +1,333 @@
+/**
+ * ManagedAgentScanner
+ * ====================
+ *
+ * Detect security misconfigurations in Claude Managed Agents definitions.
+ *
+ * Claude Managed Agents (beta, April 2026) introduces a hosted agent
+ * infrastructure with Agents, Environments, Sessions, and Vaults.
+ * Misconfigurations in these definitions — unrestricted networking,
+ * always_allow permission policies, all tools enabled by default —
+ * map directly to OWASP Agentic AI Top 10 risks (ASI-03, ASI-04, ASI-05).
+ *
+ * Scans: Python, TypeScript, JavaScript, JSON, YAML, shell scripts, and
+ *        any file containing Managed Agents API calls or SDK usage.
+ *
+ * Maps to: OWASP Agentic AI ASI-03 (Excessive Agency),
+ *          ASI-04 (Inadequate Sandboxing), ASI-05 (Improper Tool Use),
+ *          ASI-07 (Lack of Human Oversight)
+ */
+
+import path from 'path';
+import { BaseAgent, createFinding } from './base-agent.js';
+
+// =============================================================================
+// SINGLE-LINE REGEX PATTERNS
+// =============================================================================
+
+const PATTERNS = [
+  // ── ASI-03: Excessive Agency — Permission Policies ─────────────────────────
+  {
+    rule: 'MANAGED_AGENT_ALWAYS_ALLOW',
+    title: 'Managed Agent: All Tools Set to always_allow',
+    regex: /permission_policy['":\s]*\{?\s*['"]?type['"]?\s*[:=]\s*['"]always_allow['"]/g,
+    severity: 'critical',
+    cwe: 'CWE-269',
+    owasp: 'ASI03',
+    description: 'Claude Managed Agent permission policy is set to always_allow. All tools — including bash and file write — execute without human confirmation. Any prompt injection in the session can run arbitrary commands ungateed.',
+    fix: 'Set permission_policy to {type: "always_ask"} for the agent toolset, or at minimum require confirmation for bash and write tools using per-tool configs.',
+  },
+
+  // ── ASI-04: Inadequate Sandboxing — Networking ─────────────────────────────
+  {
+    rule: 'MANAGED_AGENT_UNRESTRICTED_NET',
+    title: 'Managed Agent: Unrestricted Network Access',
+    regex: /networking['":\s]*\{?\s*['"]?type['"]?\s*[:=]\s*['"]unrestricted['"]/g,
+    severity: 'high',
+    cwe: 'CWE-284',
+    owasp: 'ASI04',
+    description: 'Managed Agent environment has unrestricted outbound networking. An agent with bash and web_fetch tools can exfiltrate code, secrets, or PII to any external endpoint.',
+    fix: 'Use networking: {type: "limited", allowed_hosts: ["api.example.com"]} with an explicit allowlist. Only grant allow_mcp_servers and allow_package_managers if needed.',
+  },
+
+  // ── ASI-05: Improper Tool Use — Full Toolset Default ───────────────────────
+  {
+    rule: 'MANAGED_AGENT_ALL_TOOLS_DEFAULT',
+    title: 'Managed Agent: Full Toolset Enabled With No Restrictions',
+    regex: /['"]?type['"]?\s*[:=]\s*['"]agent_toolset_20260401['"]/g,
+    severity: 'high',
+    cwe: 'CWE-250',
+    owasp: 'ASI05',
+    confidence: 'medium',
+    description: 'agent_toolset_20260401 enables all 8 built-in tools (bash, read, write, edit, glob, grep, web_fetch, web_search) by default. Without a configs array or default_config, the agent has maximum tool access.',
+    fix: 'Use default_config: {enabled: false} and explicitly enable only the tools your agent needs. Disable web_fetch and web_search if the agent does not need internet access.',
+  },
+
+  // ── ASI-05: MCP Toolset Permission Override ────────────────────────────────
+  {
+    rule: 'MANAGED_AGENT_MCP_ALWAYS_ALLOW',
+    title: 'Managed Agent: MCP Toolset Set to always_allow',
+    regex: /mcp_toolset['",\s]*[\s\S]{0,200}permission_policy['":\s]*\{?\s*['"]?type['"]?\s*[:=]\s*['"]always_allow['"]/g,
+    severity: 'high',
+    cwe: 'CWE-269',
+    owasp: 'ASI05',
+    description: 'MCP toolset permission policy overridden from the safe default (always_ask) to always_allow. Third-party MCP server tools will execute without human confirmation — if the MCP server adds new tools, they auto-execute too.',
+    fix: 'Keep MCP toolset at the default always_ask policy, or audit the MCP server tools before setting always_allow.',
+  },
+
+  // ── ASI-04: MCP Server Over HTTP ───────────────────────────────────────────
+  {
+    rule: 'MANAGED_AGENT_MCP_HTTP',
+    title: 'Managed Agent: MCP Server URL Uses Plain HTTP',
+    regex: /mcp_server(?:_url|s)?['":\s]*[\s\S]{0,100}['"]http:\/\/(?!localhost|127\.0\.0\.1|::1)/g,
+    severity: 'critical',
+    cwe: 'CWE-319',
+    owasp: 'ASI04',
+    description: 'MCP server URL uses unencrypted HTTP for a non-localhost endpoint. All tool calls, results, and credentials are transmitted in cleartext.',
+    fix: 'Use https:// for all MCP server URLs. Only http://localhost is acceptable for local development.',
+  },
+
+  // ── ASI-03: Callable Agents (Multi-Agent Escalation) ───────────────────────
+  {
+    rule: 'MANAGED_AGENT_CALLABLE_AGENTS',
+    title: 'Managed Agent: Multi-Agent Orchestration Enabled',
+    regex: /callable_agents\s*[:=]/g,
+    severity: 'medium',
+    cwe: 'CWE-269',
+    owasp: 'ASI03',
+    confidence: 'medium',
+    description: 'Agent has callable_agents configured, enabling multi-agent orchestration. A compromised child agent can escalate privileges through the parent if tool access is not scoped per-agent.',
+    fix: 'Apply least-privilege tool access to each callable agent independently. Do not grant child agents broader tool access than their parent.',
+  },
+
+  // ── ASI-07: No System Prompt ───────────────────────────────────────────────
+  {
+    rule: 'MANAGED_AGENT_NO_SYSTEM_PROMPT',
+    title: 'Managed Agent: No System Prompt Defined',
+    regex: /(?:agents\.create|\/v1\/agents)\s*\([^)]*\)/g,
+    severity: 'low',
+    cwe: 'CWE-1188',
+    owasp: 'ASI07',
+    confidence: 'low',
+    description: 'Agent created without a system prompt. Without behavioral constraints, the agent is more susceptible to prompt injection and goal hijacking.',
+    fix: 'Add a system prompt that defines the agent\'s role, boundaries, and what it must refuse to do.',
+  },
+
+  // ── Credential Exposure — Hardcoded Tokens ─────────────────────────────────
+  {
+    rule: 'MANAGED_AGENT_HARDCODED_TOKEN',
+    title: 'Managed Agent: Hardcoded Credential in Config',
+    regex: /(?:access_token|refresh_token|client_secret)\s*[:=]\s*['"][a-zA-Z0-9_\-/.]{20,}['"]/g,
+    severity: 'critical',
+    cwe: 'CWE-798',
+    owasp: 'ASI04',
+    description: 'Vault credential (access_token, refresh_token, or client_secret) appears hardcoded in source code. These should be injected from environment variables or a secrets manager, not committed to the repository.',
+    fix: 'Move tokens to environment variables or a secrets manager. Use vault_ids at session creation to inject credentials at runtime.',
+  },
+
+  // ── ASI-04: Static Bearer Token in Source ──────────────────────────────────
+  {
+    rule: 'MANAGED_AGENT_STATIC_BEARER_INLINE',
+    title: 'Managed Agent: Static Bearer Token in Source',
+    regex: /['"]?type['"]?\s*[:=]\s*['"]static_bearer['"][\s\S]{0,150}['"]?token['"]?\s*[:=]\s*['"][a-zA-Z0-9_\-/.]{20,}['"]/g,
+    severity: 'critical',
+    cwe: 'CWE-798',
+    owasp: 'ASI04',
+    description: 'A static_bearer credential with an inline token is defined in source code. This token is visible to anyone with repository access.',
+    fix: 'Store the token in a secrets manager or environment variable. Reference it at runtime: token: process.env.LINEAR_API_KEY.',
+  },
+];
+
+// =============================================================================
+// MULTI-LINE / STRUCTURAL PATTERNS (checked via content analysis)
+// =============================================================================
+
+/**
+ * Check for environment configs missing network restrictions entirely.
+ * Pattern: environment creation with no networking field → defaults to unrestricted.
+ */
+function checkMissingNetworkConfig(content, filePath, agent) {
+  const findings = [];
+  // Match environment creation calls that have a config block but no networking field
+  const envCreateRe = /(?:environments\.create|\/v1\/environments)\s*\(/g;
+  let match;
+  while ((match = envCreateRe.exec(content)) !== null) {
+    // Look ahead up to 500 chars for a config block
+    const snippet = content.slice(match.index, match.index + 500);
+    if (snippet.includes('config') && !snippet.includes('networking')) {
+      const line = content.slice(0, match.index).split('\n').length;
+      findings.push(createFinding({
+        file: filePath,
+        line,
+        severity: 'medium',
+        category: agent.category,
+        rule: 'MANAGED_AGENT_NO_NETWORK_LIMIT',
+        title: 'Managed Agent: Environment Created Without Network Config',
+        description: 'Environment created without a networking field. Defaults to unrestricted outbound access. For production, explicitly set networking: {type: "limited"} with an allowed_hosts list.',
+        matched: snippet.slice(0, 120),
+        confidence: 'medium',
+        cwe: 'CWE-284',
+        owasp: 'ASI04',
+        fix: 'Add networking: {type: "limited", allowed_hosts: ["your-api.example.com"]} to the environment config.',
+      }));
+    }
+  }
+  return findings;
+}
+
+/**
+ * Check for bash + web tools enabled with always_allow — exfiltration combo.
+ */
+function checkExfilCombo(content, filePath, agent) {
+  const findings = [];
+  // Only flag if we see the toolset AND always_allow AND no bash restriction
+  const hasToolset = /agent_toolset_20260401/.test(content);
+  const hasAlwaysAllow = /always_allow/.test(content);
+  const hasBashRestriction = /['"]bash['"][\s\S]{0,100}always_ask/.test(content);
+  const disablesBash = /['"]bash['"][\s\S]{0,50}enabled['"]?\s*[:=]\s*false/.test(content);
+
+  if (hasToolset && hasAlwaysAllow && !hasBashRestriction && !disablesBash) {
+    // Find the line of always_allow for positioning
+    const idx = content.indexOf('always_allow');
+    const line = idx >= 0 ? content.slice(0, idx).split('\n').length : 1;
+    findings.push(createFinding({
+      file: filePath,
+      line,
+      severity: 'critical',
+      category: agent.category,
+      rule: 'MANAGED_AGENT_BASH_NO_CONFIRM',
+      title: 'Managed Agent: Bash Executes Without Human Confirmation',
+      description: 'Agent toolset uses always_allow and bash is not restricted to always_ask. Any prompt injection can execute shell commands without confirmation. This is equivalent to --dangerously-skip-permissions in Claude Code.',
+      matched: 'permission_policy: always_allow (bash unrestricted)',
+      confidence: 'high',
+      cwe: 'CWE-78',
+      owasp: 'ASI03',
+      fix: 'Add a per-tool override: configs: [{name: "bash", permission_policy: {type: "always_ask"}}].',
+    }));
+  }
+  return findings;
+}
+
+/**
+ * Check for unpinned packages in environment config.
+ */
+function checkUnpinnedPackages(content, filePath, agent) {
+  const findings = [];
+  // Look for packages blocks with items that lack version pins
+  const packagesRe = /packages['":\s]*\{[\s\S]{0,500}\}/g;
+  let match;
+  while ((match = packagesRe.exec(content)) !== null) {
+    const block = match[0];
+    // Check for pip packages without ==, npm without @, etc.
+    const unpinnedPip = /pip['":\s]*\[([^\]]+)\]/.exec(block);
+    const unpinnedNpm = /npm['":\s]*\[([^\]]+)\]/.exec(block);
+
+    const checkList = (listMatch, manager) => {
+      if (!listMatch) return;
+      const items = listMatch[1].match(/['"][^'"]+['"]/g) || [];
+      const unpinned = items.filter(item => {
+        const clean = item.replace(/['"]/g, '');
+        if (manager === 'pip') return !clean.includes('==') && !clean.includes('>=');
+        return !clean.includes('@');
+      });
+      if (unpinned.length > 0) {
+        const line = content.slice(0, match.index).split('\n').length;
+        findings.push(createFinding({
+          file: filePath,
+          line,
+          severity: 'medium',
+          category: agent.category,
+          rule: 'MANAGED_AGENT_UNPINNED_PACKAGE',
+          title: `Managed Agent: Unpinned ${manager} Packages in Environment`,
+          description: `Environment installs ${manager} packages without version pins: ${unpinned.join(', ')}. Unpinned packages can be hijacked via supply chain attacks.`,
+          matched: unpinned.join(', '),
+          confidence: 'medium',
+          cwe: 'CWE-829',
+          owasp: 'ASI04',
+          fix: `Pin package versions: ${manager === 'pip' ? '"pandas==2.2.0"' : '"express@4.18.0"'}.`,
+        }));
+      }
+    };
+
+    checkList(unpinnedPip, 'pip');
+    checkList(unpinnedNpm, 'npm');
+  }
+  return findings;
+}
+
+// =============================================================================
+// AGENT CLASS
+// =============================================================================
+
+export class ManagedAgentScanner extends BaseAgent {
+  constructor() {
+    super(
+      'ManagedAgentScanner',
+      'Detect security misconfigurations in Claude Managed Agents (environments, tools, permissions, networking)',
+      'agentic',
+    );
+  }
+
+  /**
+   * Only run if the codebase references Managed Agents API/SDK.
+   */
+  shouldRun(recon) {
+    return true; // Lightweight patterns — always run, regex will short-circuit on non-matching files
+  }
+
+  async analyze(context) {
+    const { rootPath, files } = context;
+
+    // Filter to files likely containing Managed Agent configs
+    const targetFiles = files.filter(f => {
+      const ext = path.extname(f).toLowerCase();
+      const basename = path.basename(f).toLowerCase();
+      return (
+        ['.js', '.ts', '.mjs', '.mts', '.py', '.json', '.yaml', '.yml', '.sh', '.bash', '.go', '.java', '.cs', '.php', '.rb'].includes(ext) ||
+        basename === 'dockerfile' ||
+        basename === 'docker-compose.yml' ||
+        basename === 'docker-compose.yaml'
+      );
+    });
+
+    if (targetFiles.length === 0) return [];
+
+    let findings = [];
+
+    for (const file of targetFiles) {
+      const content = this.readFile(file);
+      if (!content) continue;
+
+      // Quick relevance check — skip files with no Managed Agent signals
+      const hasSignal =
+        content.includes('agent_toolset_20260401') ||
+        content.includes('managed-agents') ||
+        content.includes('/v1/agents') ||
+        content.includes('/v1/environments') ||
+        content.includes('/v1/sessions') ||
+        content.includes('/v1/vaults') ||
+        content.includes('beta.agents') ||
+        content.includes('beta.environments') ||
+        content.includes('beta.sessions') ||
+        content.includes('beta.vaults') ||
+        content.includes('callable_agents') ||
+        content.includes('mcp_toolset') ||
+        content.includes('static_bearer') ||
+        content.includes('mcp_oauth');
+
+      if (!hasSignal) continue;
+
+      // Run single-line patterns
+      findings = findings.concat(this.scanFileWithPatterns(file, PATTERNS));
+
+      // Run structural checks
+      findings = findings.concat(checkMissingNetworkConfig(content, file, this));
+      findings = findings.concat(checkExfilCombo(content, file, this));
+      findings = findings.concat(checkUnpinnedPackages(content, file, this));
+    }
+
+    return findings;
+  }
+}
+
+export default ManagedAgentScanner;

package/cli/agents/orchestrator.js

@@ -234,9 +234,19 @@ export class Orchestrator {
           allFindings = await analyzer.analyze(allFindings, { rootPath: absolutePath, recon });
           const stats = analyzer.getStats();
           if (deepSpinner) {
-            deepSpinner.succeed(chalk.green(
-              `Deep analysis: ${stats.analyzedCount} findings analyzed (${stats.spentCents}c spent)`
-            ));
+            if (stats.multiTier) {
+              const tierNote = stats.tier3Count > 0
+                ? `, ${stats.tier3Count} escalated to Opus`
+                : stats.tier2Count > 0 ? `, ${stats.tier2Count} via Sonnet` : '';
+              const skipNote = stats.skippedCount > 0 ? `, ${stats.skippedCount} triaged away` : '';
+              deepSpinner.succeed(chalk.green(
+                `Deep analysis (Haiku→Sonnet→Opus): ${stats.analyzedCount} analyzed${tierNote}${skipNote} (${stats.spentCents}¢)`
+              ));
+            } else {
+              deepSpinner.succeed(chalk.green(
+                `Deep analysis: ${stats.analyzedCount} findings analyzed (${stats.spentCents}¢)`
+              ));
+            }
           }
         } catch (err) {
           if (deepSpinner) deepSpinner.fail(chalk.yellow(`Deep analysis failed: ${err.message}`));

package/cli/agents/supply-chain-agent.js

@@ -26,7 +26,7 @@ const COMPROMISED_PACKAGES = [
   {
     name: 'axios',
     badVersions: ['1.8.2'],
-    note: 'TeamPCP/CanisterWorm campaign (Mar 31 2026). Malicious publish delivered a Remote Access Trojan with persistence.',
+    note: 'TeamPCP/CanisterWorm campaign (Mar 31 2026). Attributed to Sapphire Sleet (North Korean state actor) by Microsoft Threat Intelligence. Malicious publish connected to C2 domain delivering a second-stage RAT with persistence.',
   },
   {
     name: 'telnyx',

package/cli/bin/ship-safe.js

@@ -48,6 +48,11 @@ import { updateIntelCommand } from '../commands/update-intel.js';
 import { hooksCommand } from '../commands/hooks.js';
 import { legalCommand } from '../commands/legal.js';
 import { runLiveAdvisories } from '../commands/live-advisories.js';
+import { envAuditCommand } from '../commands/env-audit.js';
+import { autofixCommand } from '../commands/autofix.js';
+import { memoryCommand } from '../utils/security-memory.js';
+import { playbookCommand } from '../utils/scan-playbook.js';
+import { listPluginFiles, scaffoldPlugin } from '../utils/plugin-loader.js';
 import { ABOMGenerator } from '../agents/abom-generator.js';
 import { PolicyEngine } from '../agents/policy-engine.js';
 import { SBOMGenerator } from '../agents/sbom-generator.js';
@@ -120,6 +125,8 @@ program
   .option('--headers', 'Only copy security headers config')
   .option('--agents', 'Only add security rules to AI agent instruction files (CLAUDE.md, .cursor/rules/, .windsurfrules, copilot-instructions.md)')
   .option('--openclaw', 'Generate a hardened openclaw.json template')
+  .option('--hermes', 'Bootstrap Hermes Agent security config (allowlist, integrity hashes, CI)')
+  .option('--from <url>', 'Fetch a pre-built Hermes config bundle from a setup URL (used with --hermes)')
   .action(initCommand);
 
 // -----------------------------------------------------------------------------
@@ -203,7 +210,7 @@ program
 // -----------------------------------------------------------------------------
 program
   .command('audit [path]')
-  .description('Full security audit: secrets + 18 agents + deps + score + deep analysis + remediation plan')
+  .description('Full security audit: secrets + 22 agents + deps + score + deep analysis + remediation plan')
   .option('--json', 'Output results as JSON')
   .option('--sarif', 'Output results in SARIF format')
   .option('--csv', 'Output results as CSV')
@@ -224,6 +231,10 @@ program
   .option('--budget <cents>', 'Max spend in cents for deep analysis (default: 50)', parseInt)
   .option('--verify', 'Check if leaked secrets are still active (probes provider APIs)')
   .option('--include-legal', 'Also run the legal risk scan (DMCA, leaked source, IP disputes)')
+  .option('--agentic [iterations]', 'Agentic scan→fix→verify loop (default: 3 iterations, target score: 75)', (v) => v ? parseInt(v) : true)
+  .option('--agentic-target <score>', 'Target security score for agentic loop (default: 75)', parseInt)
+  .option('--hermes-only', 'Run only Hermes-relevant agents (llm + supply-chain categories) for fast CI')
+  .option('--fail-below <threshold>', 'Exit 1 if score is below threshold (number or "baseline")')
   .option('-v, --verbose', 'Verbose output')
   .action(auditCommand);
 
@@ -244,7 +255,7 @@ program
 // -----------------------------------------------------------------------------
 program
   .command('red-team [path]')
-  .description('Multi-agent security audit: 18 agents scan for 80+ attack classes')
+  .description('Multi-agent security audit: 22 agents scan for 80+ attack classes')
   .option('--agents <list>', 'Comma-separated list of agents to run')
   .option('--json', 'Output results as JSON')
   .option('--sarif', 'Output results in SARIF format')
@@ -273,6 +284,8 @@ program
   .option('--status', 'Show current watch status and exit')
   .option('--threshold <score>', 'Alert when score drops below threshold', parseInt)
   .option('--debounce <ms>', 'Debounce interval in ms (default: 1500)', parseInt)
+  .option('--slack [webhook]', 'Post findings to Slack webhook URL (or set SHIP_SAFE_SLACK_WEBHOOK env var)')
+  .option('--pr-comment', 'Post inline findings as GitHub PR review comments (requires gh CLI)')
   .action(watchCommand);
 
 // -----------------------------------------------------------------------------
@@ -457,6 +470,15 @@ How it works:
 `)
   .action(hooksCommand);
 
+// -----------------------------------------------------------------------------
+// ENV AUDIT COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('env-audit [path]')
+  .description('Credential health check: verify .env coverage, cross-reference source, check git history')
+  .option('--json', 'Output results as JSON')
+  .action(envAuditCommand);
+
 // -----------------------------------------------------------------------------
 // LEGAL COMMAND
 // -----------------------------------------------------------------------------
@@ -483,6 +505,100 @@ program
   .description('Diagnose environment: check Node.js, git, API keys, cache, and dependencies')
   .action(doctorCommand);
 
+// -----------------------------------------------------------------------------
+// AUTOFIX COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('autofix [path]')
+  .description('Apply LLM-generated security fixes from a deep analysis report and open a GitHub PR')
+  .option('--report <file>', 'Path to ship-safe JSON report (default: ship-safe-report.json)')
+  .option('--severity <level>', 'Minimum severity to fix: critical, high, medium (default: high)')
+  .option('--dry-run', 'Preview fixes without applying them or creating a branch')
+  .option('--yes', 'Skip confirmation prompt')
+  .action((targetPath, options) => autofixCommand({ ...options, path: targetPath }));
+
+// -----------------------------------------------------------------------------
+// MEMORY COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('memory [subcommand]')
+  .description('Manage security memory: false-positive learning that auto-suppresses known safe findings')
+  .addHelpText('after', `
+Subcommands:
+  list           Show all suppressed findings in memory (default)
+  forget <key>   Remove a specific entry by key
+  clear          Wipe all memory entries
+
+How it works:
+  When --deep analysis confirms a finding is a false positive, it is added to
+  .ship-safe/memory.json and suppressed automatically on all future scans.
+`)
+  .argument('[args...]')
+  .action((subcommand, args, options) => memoryCommand(subcommand, args, options));
+
+// -----------------------------------------------------------------------------
+// PLAYBOOK COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('playbook [subcommand]')
+  .description('Manage scan playbooks: repo-specific context injected into every LLM analysis')
+  .addHelpText('after', `
+Subcommands:
+  show                Show the current playbook (default)
+  add-note "text"     Add a custom note to the playbook
+
+How it works:
+  After 2+ scans, a playbook is auto-generated in .ship-safe/playbook.md with
+  your repo's tech stack, auth patterns, and score history. This is injected
+  into the LLM system prompt so deep analysis is more accurate for your project.
+`)
+  .argument('[args...]')
+  .action((subcommand, args, options) => playbookCommand(subcommand, args, options));
+
+// -----------------------------------------------------------------------------
+// PLUGINS COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('plugins [action]')
+  .description('Manage custom security agent plugins from .ship-safe/agents/')
+  .addHelpText('after', `
+Actions:
+  list              List loaded plugins (default)
+  new <name>        Scaffold a new plugin in .ship-safe/agents/<name>.js
+
+How it works:
+  Drop any .js file into .ship-safe/agents/ that exports a default class
+  extending BaseAgent with an analyze() method. It will be loaded automatically
+  on every audit or watch --deep run.
+`)
+  .action((action, options) => {
+    const rootPath = path.resolve(process.cwd());
+    if (action === 'new') {
+      const pluginName = options.args?.[0] || options._name || 'my-rule';
+      try {
+        const filePath = scaffoldPlugin(rootPath, pluginName);
+        console.log(chalk.green(`  ✔ Plugin scaffolded: ${filePath}`));
+        console.log(chalk.gray('  Edit the file to implement your custom rule, then run ship-safe audit to activate it.'));
+      } catch (err) {
+        console.error(chalk.red(`  Error: ${err.message}`));
+        process.exit(1);
+      }
+    } else {
+      // list
+      const plugins = listPluginFiles(rootPath);
+      if (plugins.length === 0) {
+        console.log('\n  No custom plugins found in .ship-safe/agents/');
+        console.log(chalk.gray('  Create one with: npx ship-safe plugins new my-rule\n'));
+      } else {
+        console.log(`\n  ${chalk.cyan.bold('Custom Plugins')} — ${plugins.length} found\n`);
+        for (const p of plugins) {
+          console.log(`  ${chalk.white(p.name)}  ${chalk.gray(`(${(p.size / 1024).toFixed(1)} KB)  ${p.path}`)}`);
+        }
+        console.log();
+      }
+    }
+  });
+
 // -----------------------------------------------------------------------------
 // PARSE AND RUN
 // -----------------------------------------------------------------------------
@@ -491,10 +607,10 @@ program
 if (process.argv.length === 2) {
   console.log(banner);
   console.log(chalk.yellow('\nQuick start:\n'));
-  console.log(chalk.cyan.bold('  v6.0 — Full Security Audit'));
-  console.log(chalk.white('  npx ship-safe audit .       ') + chalk.gray('# Full audit: secrets + 18 agents + deps + remediation'));
+  console.log(chalk.cyan.bold('  v8.0 — Ship Safe × Hermes Agent'));
+  console.log(chalk.white('  npx ship-safe audit .       ') + chalk.gray('# Full audit: secrets + 22 agents + deps + remediation'));
   console.log(chalk.white('  npx ship-safe audit . --deep') + chalk.gray('# LLM-powered taint analysis (Anthropic/Ollama)'));
-  console.log(chalk.white('  npx ship-safe red-team .    ') + chalk.gray('# 18-agent red team scan (80+ attack classes)'));
+  console.log(chalk.white('  npx ship-safe red-team .    ') + chalk.gray('# 22-agent red team scan (80+ attack classes)'));
   console.log(chalk.white('  npx ship-safe vibe-check .  ') + chalk.gray('# Fun security check with emoji & shareable badge'));
   console.log(chalk.white('  npx ship-safe benchmark .   ') + chalk.gray('# Compare score against industry averages'));
   console.log(chalk.white('  npx ship-safe ci .          ') + chalk.gray('# CI/CD mode: scan, score, exit code'));
@@ -517,9 +633,17 @@ if (process.argv.length === 2) {
   console.log(chalk.white('  npx ship-safe rotate .      ') + chalk.gray('# Revoke exposed keys (provider guides)'));
   console.log(chalk.white('  npx ship-safe deps .        ') + chalk.gray('# Audit dependencies for CVEs'));
   console.log(chalk.white('  npx ship-safe score .       ') + chalk.gray('# Security health score (0-100)'));
+  console.log(chalk.white('  npx ship-safe env-audit .   ') + chalk.gray('# Credential health check (after stripe projects env --pull)'));
   console.log(chalk.white('  npx ship-safe hooks install ') + chalk.gray('# Real-time security gate inside Claude Code (PreToolUse/PostToolUse)'));
   console.log(chalk.white('  npx ship-safe guard         ') + chalk.gray('# Block git push if secrets found'));
   console.log(chalk.white('  npx ship-safe init          ') + chalk.gray('# Add security configs to your project'));
+  console.log();
+  console.log(chalk.gray('  Intelligence commands:'));
+  console.log(chalk.white('  npx ship-safe autofix .     ') + chalk.gray('# Apply LLM fixes from --deep report, open PR'));
+  console.log(chalk.white('  npx ship-safe memory list   ') + chalk.gray('# View / manage false-positive memory'));
+  console.log(chalk.white('  npx ship-safe playbook show ') + chalk.gray('# View repo-specific LLM context playbook'));
+  console.log(chalk.white('  npx ship-safe plugins list  ') + chalk.gray('# Manage custom agent plugins'));
+  console.log(chalk.white('  npx ship-safe watch . --deep --slack ') + chalk.gray('# Guardian mode with Slack alerts + PR comments'));
   console.log(chalk.white('\n  npx ship-safe --help        ') + chalk.gray('# Show all options'));
   console.log();
   process.exit(0);