skilltest 0.4.0 → 0.6.0

package/dist/index.js

@@ -1,11 +1,15 @@
 #!/usr/bin/env node
 
 // src/index.ts
-import fs7 from "node:fs";
+import fs11 from "node:fs";
 import path6 from "node:path";
 import { fileURLToPath } from "node:url";
 import { Command } from "commander";
 
+// src/commands/lint.ts
+import fs6 from "node:fs/promises";
+import { z as z6 } from "zod";
+
 // src/core/skill-parser.ts
 import fs from "node:fs/promises";
 import path from "node:path";
@@ -239,6 +243,171 @@ function runCompatibilityChecks(context) {
   return issues;
 }
 
+// src/core/linter/markdown-zones.ts
+function splitLines(raw) {
+  return raw.split(/\r?\n/);
+}
+function stripTopFrontmatter(raw) {
+  const lines = splitLines(raw);
+  if (lines[0] !== "---") {
+    return {
+      bodyLines: lines,
+      bodyStartLine: 1
+    };
+  }
+  for (let index = 1; index < lines.length; index += 1) {
+    if (lines[index] === "---") {
+      return {
+        bodyLines: lines.slice(index + 1),
+        bodyStartLine: index + 2
+      };
+    }
+  }
+  return {
+    bodyLines: lines,
+    bodyStartLine: 1
+  };
+}
+function matchCodeFenceOpener(line) {
+  const match = line.match(/^\s*(`{3,}|~{3,})(.*)$/);
+  return match?.[1] ?? null;
+}
+function isExactCodeFenceCloser(line, delimiter) {
+  return line.trim() === delimiter;
+}
+function appendZone(zones, type, content, startLine, endLine) {
+  if (content === "") {
+    return;
+  }
+  const previous = zones[zones.length - 1];
+  if (previous && previous.type === type && startLine <= previous.endLine + 1) {
+    const separator = startLine > previous.endLine ? "\n" : "";
+    previous.content += `${separator}${content}`;
+    previous.endLine = endLine;
+    return;
+  }
+  zones.push({
+    type,
+    content,
+    startLine,
+    endLine
+  });
+}
+function appendToOpenZone(zone, content, lineNumber) {
+  if (content === "") {
+    if (lineNumber > zone.endLine) {
+      zone.content += "\n";
+      zone.endLine = lineNumber;
+    }
+    return;
+  }
+  const separator = lineNumber > zone.endLine ? "\n" : "";
+  zone.content += `${separator}${content}`;
+  zone.endLine = lineNumber;
+}
+function addInlineAwareText(zones, text, lineNumber, baseType) {
+  if (text === "") {
+    return;
+  }
+  let cursor = 0;
+  while (cursor < text.length) {
+    const inlineStart = text.indexOf("`", cursor);
+    if (inlineStart === -1) {
+      appendZone(zones, baseType, text.slice(cursor), lineNumber, lineNumber);
+      return;
+    }
+    if (inlineStart > cursor) {
+      appendZone(zones, baseType, text.slice(cursor, inlineStart), lineNumber, lineNumber);
+    }
+    const inlineEnd = text.indexOf("`", inlineStart + 1);
+    if (inlineEnd === -1) {
+      appendZone(zones, baseType, text.slice(inlineStart), lineNumber, lineNumber);
+      return;
+    }
+    appendZone(zones, "inline-code", text.slice(inlineStart, inlineEnd + 1), lineNumber, lineNumber);
+    cursor = inlineEnd + 1;
+  }
+}
+function parseZones(raw) {
+  const { bodyLines, bodyStartLine } = stripTopFrontmatter(raw);
+  const zones = [];
+  let openCodeFence = null;
+  let openComment = null;
+  for (const [index, line] of bodyLines.entries()) {
+    const lineNumber = bodyStartLine + index;
+    if (openCodeFence) {
+      appendToOpenZone(openCodeFence.zone, line, lineNumber);
+      if (isExactCodeFenceCloser(line, openCodeFence.delimiter)) {
+        zones.push(openCodeFence.zone);
+        openCodeFence = null;
+      }
+      continue;
+    }
+    if (!openComment) {
+      const fenceDelimiter = matchCodeFenceOpener(line);
+      if (fenceDelimiter) {
+        openCodeFence = {
+          delimiter: fenceDelimiter,
+          zone: {
+            type: "code-fence",
+            content: line,
+            startLine: lineNumber,
+            endLine: lineNumber
+          }
+        };
+        continue;
+      }
+    }
+    const baseType = /^\s*>/.test(line) ? "blockquote" : "prose";
+    let cursor = 0;
+    while (cursor < line.length || openComment) {
+      if (openComment) {
+        const closeIndex = line.indexOf("-->", cursor);
+        if (closeIndex === -1) {
+          appendToOpenZone(openComment, line.slice(cursor), lineNumber);
+          cursor = line.length;
+          break;
+        }
+        appendToOpenZone(openComment, line.slice(cursor, closeIndex + 3), lineNumber);
+        zones.push(openComment);
+        openComment = null;
+        cursor = closeIndex + 3;
+        continue;
+      }
+      if (cursor >= line.length) {
+        break;
+      }
+      const commentStart = line.indexOf("<!--", cursor);
+      const textEnd = commentStart === -1 ? line.length : commentStart;
+      if (textEnd > cursor) {
+        addInlineAwareText(zones, line.slice(cursor, textEnd), lineNumber, baseType);
+      }
+      if (commentStart === -1) {
+        break;
+      }
+      const commentEnd = line.indexOf("-->", commentStart + 4);
+      if (commentEnd === -1) {
+        openComment = {
+          type: "html-comment",
+          content: line.slice(commentStart),
+          startLine: lineNumber,
+          endLine: lineNumber
+        };
+        break;
+      }
+      appendZone(zones, "html-comment", line.slice(commentStart, commentEnd + 3), lineNumber, lineNumber);
+      cursor = commentEnd + 3;
+    }
+  }
+  if (openComment) {
+    zones.push(openComment);
+  }
+  if (openCodeFence) {
+    zones.push(openCodeFence.zone);
+  }
+  return zones;
+}
+
 // src/core/linter/content.ts
 var VAGUE_PATTERNS = [
   /\bdo something appropriate\b/i,
@@ -255,6 +424,102 @@ var SECRET_PATTERNS = [
   { label: "Slack token", regex: /\bxox[baprs]-[A-Za-z0-9-]{20,}\b/ },
   { label: "Generic private key header", regex: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ }
 ];
+function summarizeLineRange(matches) {
+  if (matches.length === 0) {
+    return {};
+  }
+  return {
+    startLine: Math.min(...matches.map((match) => match.startLine)),
+    endLine: Math.max(...matches.map((match) => match.endLine))
+  };
+}
+function uniqueLabels(matches) {
+  const labels = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const match of matches) {
+    if (seen.has(match.label)) {
+      continue;
+    }
+    seen.add(match.label);
+    labels.push(match.label);
+  }
+  return labels;
+}
+function collectSecretMatches(zones) {
+  const prose = [];
+  const nonProse = [];
+  for (const zone of zones) {
+    for (const pattern of SECRET_PATTERNS) {
+      if (!pattern.regex.test(zone.content)) {
+        continue;
+      }
+      const occurrence = {
+        label: pattern.label,
+        zoneType: zone.type,
+        startLine: zone.startLine,
+        endLine: zone.endLine
+      };
+      if (zone.type === "prose") {
+        prose.push(occurrence);
+      } else {
+        nonProse.push(occurrence);
+      }
+    }
+  }
+  return { prose, nonProse };
+}
+function buildSkippedPatterns(matches) {
+  if (matches.length === 0) {
+    return void 0;
+  }
+  return matches.map((match) => ({
+    label: match.label,
+    zoneType: match.zoneType,
+    startLine: match.startLine,
+    endLine: match.endLine
+  }));
+}
+function buildSecretsIssue(context) {
+  if (context.suppressedCheckIds.has("content:secrets")) {
+    return null;
+  }
+  const { prose, nonProse } = collectSecretMatches(parseZones(context.skill.raw));
+  const proseLabels = uniqueLabels(prose);
+  const nonProseLabels = uniqueLabels(nonProse);
+  const skippedPatterns = buildSkippedPatterns(nonProse);
+  if (proseLabels.length > 0) {
+    return {
+      id: "content.secrets",
+      checkId: "content:secrets",
+      title: "Hardcoded Secrets",
+      status: "fail",
+      message: `Potential secrets detected (${proseLabels.join(", ")}).`,
+      suggestion: "Remove secrets from skill files and use environment variables or secret managers.",
+      ...summarizeLineRange(prose),
+      skippedPatterns
+    };
+  }
+  if (nonProseLabels.length > 0) {
+    const codeFenceOnly = nonProse.every((match) => match.zoneType === "code-fence");
+    return {
+      id: "content.secrets",
+      checkId: "content:secrets",
+      title: "Hardcoded Secrets",
+      status: "warn",
+      message: codeFenceOnly ? `Possible secret in code example \u2014 verify this is a placeholder, not a real key (${nonProseLabels.join(", ")}).` : `Possible secrets found outside prose instructions (${nonProseLabels.join(", ")}). Verify these are placeholders, not real credentials.`,
+      suggestion: "Replace real-looking credentials in examples with explicit placeholders such as YOUR_API_KEY.",
+      ...summarizeLineRange(nonProse),
+      skippedPatterns
+    };
+  }
+  return {
+    id: "content.secrets",
+    checkId: "content:secrets",
+    title: "Hardcoded Secrets",
+    status: "pass",
+    message: "No obvious API keys or secrets patterns were detected."
+  };
+}
 function runContentChecks(context) {
   const issues = [];
   const body = context.frontmatter.content;
@@ -334,29 +599,9 @@ function runContentChecks(context) {
       message: "No angle bracket tokens detected in frontmatter."
     });
   }
-  const secretHits = /* @__PURE__ */ new Set();
-  for (const pattern of SECRET_PATTERNS) {
-    if (pattern.regex.test(context.skill.raw)) {
-      secretHits.add(pattern.label);
-    }
-  }
-  if (secretHits.size > 0) {
-    issues.push({
-      id: "content.secrets",
-      checkId: "content:secrets",
-      title: "Hardcoded Secrets",
-      status: "fail",
-      message: `Potential secrets detected (${Array.from(secretHits).join(", ")}).`,
-      suggestion: "Remove secrets from skill files and use environment variables or secret managers."
-    });
-  } else {
-    issues.push({
-      id: "content.secrets",
-      checkId: "content:secrets",
-      title: "Hardcoded Secrets",
-      status: "pass",
-      message: "No obvious API keys or secrets patterns were detected."
-    });
+  const secretsIssue = buildSecretsIssue(context);
+  if (secretsIssue) {
+    issues.push(secretsIssue);
   }
   if (bodyLines.length < 10) {
     issues.push({
@@ -776,93 +1021,159 @@ var SHELL_ACTIVITY_PATTERNS = [
   /\b(?:npm|pnpm|yarn|pip|git|docker|kubectl)\s+[A-Za-z0-9-]/i
 ];
 var SAFETY_GUARDRAIL_PATTERN = /\b(?:ask before|confirm|approval|dry[- ]run|sandbox|least privilege|redact|never expose|do not reveal)\b/i;
-function collectMatches(content, patterns) {
-  const matches = [];
-  for (const pattern of patterns) {
-    if (pattern.regex.test(content)) {
-      matches.push(pattern.label);
+function buildOccurrence(zone, pattern) {
+  return {
+    label: pattern.label,
+    zoneType: zone.type,
+    startLine: zone.startLine,
+    endLine: zone.endLine
+  };
+}
+function collectZoneAwareMatches(zones, patterns) {
+  const flagged = [];
+  const skipped = [];
+  for (const zone of zones) {
+    for (const pattern of patterns) {
+      if (!pattern.regex.test(zone.content)) {
+        continue;
+      }
+      const occurrence = buildOccurrence(zone, pattern);
+      if (zone.type === "prose") {
+        flagged.push(occurrence);
+      } else {
+        skipped.push(occurrence);
+      }
+    }
+  }
+  return { flagged, skipped };
+}
+function uniqueLabels2(matches) {
+  const labels = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const match of matches) {
+    if (seen.has(match.label)) {
+      continue;
     }
+    seen.add(match.label);
+    labels.push(match.label);
+  }
+  return labels;
+}
+function summarizeLineRange2(matches) {
+  if (matches.length === 0) {
+    return {};
+  }
+  return {
+    startLine: Math.min(...matches.map((match) => match.startLine)),
+    endLine: Math.max(...matches.map((match) => match.endLine))
+  };
+}
+function buildSkippedPatterns2(matches) {
+  if (matches.length === 0) {
+    return void 0;
   }
-  return matches;
+  return matches.map((match) => ({
+    label: match.label,
+    zoneType: match.zoneType,
+    startLine: match.startLine,
+    endLine: match.endLine
+  }));
+}
+function isSuppressed(context, checkId) {
+  return context.suppressedCheckIds.has(checkId);
+}
+function runZoneAwareSecurityCheck(context, zones, options) {
+  if (isSuppressed(context, options.checkId)) {
+    return null;
+  }
+  const matches = collectZoneAwareMatches(zones, options.patterns);
+  const labels = uniqueLabels2(matches.flagged);
+  const skippedPatterns = buildSkippedPatterns2(matches.skipped);
+  if (labels.length > 0) {
+    return {
+      id: options.id,
+      checkId: options.checkId,
+      title: options.title,
+      status: options.statusOnMatch,
+      message: `${options.matchMessagePrefix}: ${labels.join(", ")}.`,
+      suggestion: options.suggestion,
+      ...summarizeLineRange2(matches.flagged),
+      skippedPatterns
+    };
+  }
+  return {
+    id: options.id,
+    checkId: options.checkId,
+    title: options.title,
+    status: "pass",
+    message: options.passMessage,
+    skippedPatterns
+  };
 }
 function runSecurityChecks(context) {
   const issues = [];
   const skillText = context.skill.raw;
-  const dangerousCommandHits = collectMatches(skillText, DANGEROUS_COMMAND_PATTERNS);
-  if (dangerousCommandHits.length > 0) {
-    issues.push({
-      id: "security.dangerous-command-patterns",
-      checkId: "security:dangerous-commands",
-      title: "Dangerous Command Patterns",
-      status: "fail",
-      message: `Potentially dangerous command instruction patterns found: ${dangerousCommandHits.join(", ")}.`,
-      suggestion: "Remove destructive/pipe-exec command examples or wrap them with explicit safety constraints."
-    });
-  } else {
-    issues.push({
-      id: "security.dangerous-command-patterns",
-      checkId: "security:dangerous-commands",
-      title: "Dangerous Command Patterns",
-      status: "pass",
-      message: "No high-risk destructive or direct pipe-to-shell patterns detected."
-    });
-  }
-  const exfiltrationHits = collectMatches(skillText, EXFILTRATION_PATTERNS);
-  if (exfiltrationHits.length > 0) {
-    issues.push({
-      id: "security.exfiltration-patterns",
-      checkId: "security:exfiltration",
-      title: "Sensitive Data Exfiltration",
-      status: "fail",
-      message: `Possible sensitive data exfiltration patterns found: ${exfiltrationHits.join(", ")}.`,
-      suggestion: "Remove instructions that access or transmit secrets/credential files."
-    });
-  } else {
-    issues.push({
-      id: "security.exfiltration-patterns",
-      checkId: "security:exfiltration",
-      title: "Sensitive Data Exfiltration",
-      status: "pass",
-      message: "No obvious credential access/exfiltration instructions detected."
-    });
-  }
-  const escalationHits = collectMatches(skillText, PRIVILEGE_ESCALATION_PATTERNS);
-  if (escalationHits.length > 0) {
-    issues.push({
-      id: "security.privilege-escalation",
-      checkId: "security:privilege-escalation",
-      title: "Privilege Escalation Language",
-      status: "warn",
-      message: `Potentially risky privilege/execution language detected: ${escalationHits.join(", ")}.`,
-      suggestion: "Prefer least-privilege execution and explicit approval steps for elevated commands."
-    });
-  } else {
-    issues.push({
-      id: "security.privilege-escalation",
-      checkId: "security:privilege-escalation",
-      title: "Privilege Escalation Language",
-      status: "pass",
-      message: "No obvious privilege-escalation language detected."
-    });
+  const needsZoneParsing = !isSuppressed(context, "security:dangerous-commands") || !isSuppressed(context, "security:exfiltration") || !isSuppressed(context, "security:privilege-escalation");
+  const zones = needsZoneParsing ? parseZones(skillText) : [];
+  const dangerousCommandsIssue = runZoneAwareSecurityCheck(context, zones, {
+    id: "security.dangerous-command-patterns",
+    checkId: "security:dangerous-commands",
+    title: "Dangerous Command Patterns",
+    statusOnMatch: "fail",
+    patterns: DANGEROUS_COMMAND_PATTERNS,
+    matchMessagePrefix: "Potentially dangerous command instruction patterns found",
+    passMessage: "No high-risk destructive or direct pipe-to-shell patterns detected.",
+    suggestion: "Remove destructive/pipe-exec command examples or wrap them with explicit safety constraints."
+  });
+  if (dangerousCommandsIssue) {
+    issues.push(dangerousCommandsIssue);
+  }
+  const exfiltrationIssue = runZoneAwareSecurityCheck(context, zones, {
+    id: "security.exfiltration-patterns",
+    checkId: "security:exfiltration",
+    title: "Sensitive Data Exfiltration",
+    statusOnMatch: "fail",
+    patterns: EXFILTRATION_PATTERNS,
+    matchMessagePrefix: "Possible sensitive data exfiltration patterns found",
+    passMessage: "No obvious credential access/exfiltration instructions detected.",
+    suggestion: "Remove instructions that access or transmit secrets/credential files."
+  });
+  if (exfiltrationIssue) {
+    issues.push(exfiltrationIssue);
+  }
+  const privilegeEscalationIssue = runZoneAwareSecurityCheck(context, zones, {
+    id: "security.privilege-escalation",
+    checkId: "security:privilege-escalation",
+    title: "Privilege Escalation Language",
+    statusOnMatch: "warn",
+    patterns: PRIVILEGE_ESCALATION_PATTERNS,
+    matchMessagePrefix: "Potentially risky privilege/execution language detected",
+    passMessage: "No obvious privilege-escalation language detected.",
+    suggestion: "Prefer least-privilege execution and explicit approval steps for elevated commands."
+  });
+  if (privilegeEscalationIssue) {
+    issues.push(privilegeEscalationIssue);
   }
-  const hasShellActivity = SHELL_ACTIVITY_PATTERNS.some((pattern) => pattern.test(skillText));
-  if (hasShellActivity && !SAFETY_GUARDRAIL_PATTERN.test(skillText)) {
-    issues.push({
-      id: "security.safety-guardrails",
-      checkId: "security:missing-guardrails",
-      title: "Execution Safety Guardrails",
-      status: "warn",
-      message: "Shell/tool execution is present, but no explicit safety guardrails were detected.",
-      suggestion: "Add guidance such as approval requirements, dry-run mode, scope checks, and redaction rules."
-    });
-  } else {
-    issues.push({
-      id: "security.safety-guardrails",
-      checkId: "security:missing-guardrails",
-      title: "Execution Safety Guardrails",
-      status: "pass",
-      message: hasShellActivity ? "Shell/tool execution instructions include at least one safety guardrail." : "No shell/tool execution instructions detected."
-    });
+  if (!isSuppressed(context, "security:missing-guardrails")) {
+    const hasShellActivity = SHELL_ACTIVITY_PATTERNS.some((pattern) => pattern.test(skillText));
+    if (hasShellActivity && !SAFETY_GUARDRAIL_PATTERN.test(skillText)) {
+      issues.push({
+        id: "security.safety-guardrails",
+        checkId: "security:missing-guardrails",
+        title: "Execution Safety Guardrails",
+        status: "warn",
+        message: "Shell/tool execution is present, but no explicit safety guardrails were detected.",
+        suggestion: "Add guidance such as approval requirements, dry-run mode, scope checks, and redaction rules."
+      });
+    } else {
+      issues.push({
+        id: "security.safety-guardrails",
+        checkId: "security:missing-guardrails",
+        title: "Execution Safety Guardrails",
+        status: "pass",
+        message: hasShellActivity ? "Shell/tool execution instructions include at least one safety guardrail." : "No shell/tool execution instructions detected."
+      });
+    }
   }
   return issues;
 }
@@ -1038,9 +1349,11 @@ function lintFails(report, failOn) {
 async function runLinter(inputPath, options = {}) {
   const skill = await loadSkillFile(inputPath);
   const frontmatter = parseFrontmatter(skill.raw);
+  const suppressedCheckIds = new Set(options.suppress ?? []);
   const context = {
     skill,
-    frontmatter
+    frontmatter,
+    suppressedCheckIds
   };
   const issues = [];
   issues.push(...runFrontmatterChecks(context));
@@ -1049,8 +1362,7 @@ async function runLinter(inputPath, options = {}) {
   issues.push(...runSecurityChecks(context));
   issues.push(...await runDisclosureChecks(context));
   issues.push(...runCompatibilityChecks(context));
-  const suppress = new Set(options.suppress ?? []);
-  const filteredIssues = issues.filter((issue) => !suppress.has(issue.checkId));
+  const filteredIssues = issues.filter((issue) => !suppressedCheckIds.has(issue.checkId));
   return {
     target: inputPath,
     issues: filteredIssues,
@@ -1058,6 +1370,739 @@ async function runLinter(inputPath, options = {}) {
   };
 }
 
+// src/reporters/html.ts
+function escapeHtml(value) {
+  return String(value ?? "").replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+function formatPercent(value) {
+  return `${(value * 100).toFixed(1)}%`;
+}
+function formatLineRange(startLine, endLine) {
+  if (startLine === void 0) {
+    return null;
+  }
+  if (endLine === void 0 || endLine === startLine) {
+    return `line ${startLine}`;
+  }
+  return `lines ${startLine}-${endLine}`;
+}
+function badgeLabel(status) {
+  if (status === "pass") {
+    return "PASS";
+  }
+  if (status === "warn") {
+    return "WARN";
+  }
+  if (status === "fail") {
+    return "FAIL";
+  }
+  return "SKIP";
+}
+function renderBadge(status) {
+  return `<span class="badge ${status}">${badgeLabel(status)}</span>`;
+}
+function renderStatCards(stats) {
+  return `<div class="stats-grid">${stats.map(
+    (stat) => `
+        <div class="stat-card${stat.status ? ` status-${stat.status}` : ""}">
+          <div class="stat-label">${escapeHtml(stat.label)}</div>
+          <div class="stat-value">${escapeHtml(stat.value)}</div>
+          ${stat.note ? `<div class="stat-note">${escapeHtml(stat.note)}</div>` : ""}
+        </div>
+      `
+  ).join("")}</div>`;
+}
+function renderMetaItems(items) {
+  if (items.length === 0) {
+    return "";
+  }
+  return `<div class="meta-grid">${items.map(
+    (item) => `
+        <div class="meta-item">
+          <span class="meta-label">${escapeHtml(item.label)}</span>
+          <span class="meta-value">${escapeHtml(item.value)}</span>
+        </div>
+      `
+  ).join("")}</div>`;
+}
+function renderHeaderCard(commandName, heading, target, stats, metaItems) {
+  return `
+    <section class="card header-card">
+      <div class="eyebrow">skilltest ${escapeHtml(commandName)}</div>
+      <h1>${escapeHtml(heading)}</h1>
+      <div class="target-line">target: ${escapeHtml(target)}</div>
+      ${renderMetaItems(metaItems)}
+      ${renderStatCards(stats)}
+    </section>
+  `;
+}
+function renderSectionCard(title, body) {
+  return `
+    <section class="card">
+      <h2>${escapeHtml(title)}</h2>
+      ${body}
+    </section>
+  `;
+}
+function renderMessageRow(status, title, message, details) {
+  return `
+    <div class="row">
+      <div class="row-header">
+        <div class="row-title">${escapeHtml(title)}</div>
+        ${renderBadge(status)}
+      </div>
+      <div class="row-body">${escapeHtml(message)}</div>
+      ${details ?? ""}
+    </div>
+  `;
+}
+function renderDetails(summary, content) {
+  return `
+    <details class="detail-block">
+      <summary>${escapeHtml(summary)}</summary>
+      <div class="detail-content">${content}</div>
+    </details>
+  `;
+}
+function renderPreBlock(content) {
+  return `<pre>${escapeHtml(content)}</pre>`;
+}
+function renderDefinitionList(items) {
+  return `<div class="definition-list">${items.map(
+    (item) => `
+        <div class="definition-item">
+          <div class="definition-label">${escapeHtml(item.label)}</div>
+          <div class="definition-value">${escapeHtml(item.value)}</div>
+        </div>
+      `
+  ).join("")}</div>`;
+}
+function countSkippedSecurityPatterns(issues) {
+  return issues.reduce((total, issue) => total + (issue.skippedPatterns?.length ?? 0), 0);
+}
+function renderLintIssueRow(issue) {
+  const lineRange = formatLineRange(issue.startLine, issue.endLine);
+  const detailBlocks = [];
+  if (issue.suggestion) {
+    detailBlocks.push(renderDetails("Suggestion", `<p>${escapeHtml(issue.suggestion)}</p>`));
+  }
+  if (issue.skippedPatterns && issue.skippedPatterns.length > 0) {
+    const patternItems = issue.skippedPatterns.map(
+      (pattern) => `
+          <div class="definition-item">
+            <div class="definition-label">${escapeHtml(pattern.label)}</div>
+            <div class="definition-value">${escapeHtml(
+        `${pattern.zoneType} lines ${pattern.startLine}-${pattern.endLine}`
+      )}</div>
+          </div>
+        `
+    ).join("");
+    detailBlocks.push(renderDetails("Skipped security patterns", `<div class="definition-list">${patternItems}</div>`));
+  }
+  return `
+    <div class="row">
+      <div class="row-header">
+        <div>
+          <div class="row-title">${escapeHtml(issue.title)}</div>
+          <div class="row-subtitle">${escapeHtml(issue.checkId)}</div>
+        </div>
+        ${renderBadge(issue.status)}
+      </div>
+      <div class="row-body">${escapeHtml(issue.message)}</div>
+      ${renderDefinitionList(
+    [
+      lineRange ? { label: "Location", value: lineRange } : null,
+      { label: "Check ID", value: issue.checkId }
+    ].filter((item) => item !== null)
+  )}
+      ${detailBlocks.join("")}
+    </div>
+  `;
+}
+function renderLintIssueList(report) {
+  const skippedSecurityPatterns = countSkippedSecurityPatterns(report.issues);
+  const rows = report.issues.map((issue) => renderLintIssueRow(issue)).join("");
+  const info = skippedSecurityPatterns > 0 ? `<p class="info-line">Skipped security patterns in examples/comments: ${escapeHtml(skippedSecurityPatterns)}</p>` : "";
+  return `<div class="row-list">${rows}</div>${info}`;
+}
+function renderTriggerCaseRow(testCase) {
+  const details = testCase.rawModelResponse ? renderDetails("Model response", renderPreBlock(testCase.rawModelResponse)) : "";
+  return `
+    <div class="row">
+      <div class="row-header">
+        <div>
+          <div class="row-title">${escapeHtml(testCase.query)}</div>
+          <div class="row-subtitle">${escapeHtml(
+    `expected=${testCase.expected} actual=${testCase.actual} should_trigger=${String(testCase.shouldTrigger)}`
+  )}</div>
+        </div>
+        ${renderBadge(testCase.matched ? "pass" : "fail")}
+      </div>
+      ${renderDefinitionList([
+    { label: "Expected", value: testCase.expected },
+    { label: "Actual", value: testCase.actual }
+  ])}
+      ${details}
+    </div>
+  `;
+}
+function promptStatus(promptResult) {
+  if (promptResult.totalAssertions === 0) {
+    return "skip";
+  }
+  if (promptResult.passedAssertions === promptResult.totalAssertions) {
+    return "pass";
+  }
+  if (promptResult.passedAssertions === 0) {
+    return "fail";
+  }
+  return "warn";
+}
+function renderAssertionRow(assertion) {
+  return renderDetails(
+    `${badgeLabel(assertion.passed ? "pass" : "fail")} ${assertion.assertion}`,
+    renderPreBlock(assertion.evidence)
+  );
+}
+function renderEvalPromptRow(promptResult) {
+  const assertionDetails = promptResult.assertions.map((assertion) => renderAssertionRow(assertion)).join("");
+  const responseDetails = renderDetails("Full model response", renderPreBlock(promptResult.response));
+  return `
+    <div class="row">
+      <div class="row-header">
+        <div>
+          <div class="row-title">${escapeHtml(promptResult.prompt)}</div>
+          <div class="row-subtitle">${escapeHtml(
+    `${promptResult.passedAssertions}/${promptResult.totalAssertions} assertions passed`
+  )}</div>
+        </div>
+        ${renderBadge(promptStatus(promptResult))}
+      </div>
+      <div class="row-body">${escapeHtml(promptResult.responseSummary)}</div>
+      ${renderDefinitionList([
+    { label: "Passed assertions", value: String(promptResult.passedAssertions) },
+    { label: "Total assertions", value: String(promptResult.totalAssertions) }
+  ])}
+      ${renderDetails("Assertion evidence", assertionDetails || `<p>No assertions.</p>`)}
+      ${responseDetails}
+    </div>
+  `;
+}
+function gateStatus(value) {
+  if (value === null) {
+    return "skip";
+  }
+  return value ? "pass" : "fail";
+}
+function renderGateCard(title, status, message) {
+  return `
+    <div class="gate-card">
+      <div class="row-header">
+        <div class="row-title">${escapeHtml(title)}</div>
+        ${renderBadge(status)}
+      </div>
+      <div class="row-body">${escapeHtml(message)}</div>
+    </div>
+  `;
+}
+function renderCollapsibleSection(title, summary, body, status) {
+  return `
+    <details class="section-card" open>
+      <summary>
+        <span class="section-title">${escapeHtml(title)}</span>
+        <span class="section-summary">${renderBadge(status)} ${escapeHtml(summary)}</span>
+      </summary>
+      <div class="section-body">${body}</div>
+    </details>
+  `;
+}
+function resolveOptionalTarget(result, fallback) {
+  return result.target ?? fallback;
+}
+function renderHtmlDocument(title, body) {
+  return `<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <title>${escapeHtml(title)}</title>
+    <style>
+      :root {
+        color-scheme: light;
+        --bg: #f5f5f5;
+        --surface: #ffffff;
+        --surface-muted: #fafafa;
+        --border: #d4d4d8;
+        --text: #111827;
+        --muted: #6b7280;
+        --pass: #22c55e;
+        --warn: #eab308;
+        --fail: #ef4444;
+        --skip: #6b7280;
+        --shadow: 0 10px 30px rgba(15, 23, 42, 0.08);
+      }
+
+      * {
+        box-sizing: border-box;
+      }
+
+      body {
+        margin: 0;
+        background: linear-gradient(180deg, #fafafa 0%, #f4f4f5 100%);
+        color: var(--text);
+        font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, "Liberation Mono", "Courier New", monospace;
+        line-height: 1.5;
+      }
+
+      .container {
+        max-width: 1120px;
+        margin: 0 auto;
+        padding: 24px 16px 40px;
+      }
+
+      .card,
+      .section-card {
+        background: var(--surface);
+        border: 1px solid var(--border);
+        border-radius: 16px;
+        box-shadow: var(--shadow);
+        margin-bottom: 16px;
+      }
+
+      .card {
+        padding: 20px;
+      }
+
+      .header-card h1,
+      .card h2 {
+        margin: 0 0 10px;
+        font-size: 1.25rem;
+      }
+
+      .eyebrow {
+        margin-bottom: 10px;
+        color: var(--muted);
+        font-size: 0.78rem;
+        letter-spacing: 0.08em;
+        text-transform: uppercase;
+      }
+
+      .target-line,
+      .info-line {
+        color: var(--muted);
+        overflow-wrap: anywhere;
+      }
+
+      .meta-grid,
+      .stats-grid,
+      .gate-grid,
+      .definition-list {
+        display: grid;
+        gap: 12px;
+      }
+
+      .meta-grid,
+      .gate-grid,
+      .definition-list {
+        grid-template-columns: repeat(auto-fit, minmax(220px, 1fr));
+      }
+
+      .stats-grid {
+        grid-template-columns: repeat(auto-fit, minmax(140px, 1fr));
+        margin-top: 16px;
+      }
+
+      .meta-grid {
+        margin-top: 14px;
+      }
+
+      .meta-item,
+      .definition-item,
+      .stat-card,
+      .gate-card {
+        background: var(--surface-muted);
+        border: 1px solid var(--border);
+        border-radius: 12px;
+        padding: 12px;
+      }
+
+      .meta-item,
+      .definition-item {
+        display: flex;
+        justify-content: space-between;
+        gap: 12px;
+      }
+
+      .meta-label,
+      .definition-label,
+      .stat-label {
+        color: var(--muted);
+        font-size: 0.82rem;
+      }
+
+      .meta-value,
+      .definition-value {
+        text-align: right;
+        overflow-wrap: anywhere;
+      }
+
+      .stat-value {
+        margin-top: 4px;
+        font-size: 1.3rem;
+        font-weight: 700;
+      }
+
+      .stat-note {
+        margin-top: 6px;
+        color: var(--muted);
+        font-size: 0.82rem;
+      }
+
+      .status-pass {
+        border-color: rgba(34, 197, 94, 0.35);
+      }
+
+      .status-warn {
+        border-color: rgba(234, 179, 8, 0.35);
+      }
+
+      .status-fail {
+        border-color: rgba(239, 68, 68, 0.35);
+      }
+
+      .status-skip {
+        border-color: rgba(107, 114, 128, 0.35);
+      }
+
+      .row-list {
+        display: grid;
+        gap: 12px;
+      }
+
+      .row {
+        border: 1px solid var(--border);
+        border-radius: 12px;
+        padding: 14px;
+        background: var(--surface-muted);
+      }
+
+      .row-header {
+        display: flex;
+        justify-content: space-between;
+        align-items: flex-start;
+        gap: 12px;
+      }
+
+      .row-title {
+        font-weight: 700;
+        overflow-wrap: anywhere;
+      }
+
+      .row-subtitle {
+        margin-top: 4px;
+        color: var(--muted);
+        font-size: 0.84rem;
+        overflow-wrap: anywhere;
+      }
+
+      .row-body {
+        margin-top: 10px;
+        overflow-wrap: anywhere;
+      }
+
+      .badge {
+        display: inline-flex;
+        align-items: center;
+        justify-content: center;
+        min-width: 58px;
+        padding: 3px 10px;
+        border-radius: 999px;
+        border: 1px solid currentColor;
+        font-size: 0.76rem;
+        font-weight: 700;
+        letter-spacing: 0.04em;
+        white-space: nowrap;
+      }
+
+      .badge.pass {
+        color: #15803d;
+        background: rgba(34, 197, 94, 0.14);
+      }
+
+      .badge.warn {
+        color: #a16207;
+        background: rgba(234, 179, 8, 0.18);
+      }
+
+      .badge.fail {
+        color: #b91c1c;
+        background: rgba(239, 68, 68, 0.14);
+      }
+
+      .badge.skip {
+        color: #4b5563;
+        background: rgba(107, 114, 128, 0.14);
+      }
+
+      details {
+        margin-top: 10px;
+      }
+
+      details summary {
+        cursor: pointer;
+        color: var(--muted);
+      }
+
+      .detail-block {
+        border-top: 1px dashed var(--border);
+        padding-top: 10px;
+      }
+
+      .detail-content p {
+        margin: 0;
+      }
+
+      .section-card summary {
+        display: flex;
+        justify-content: space-between;
+        align-items: center;
+        gap: 12px;
+        padding: 18px 20px;
+        list-style: none;
+      }
+
+      .section-card summary::-webkit-details-marker {
+        display: none;
+      }
+
+      .section-title {
+        font-size: 1rem;
+        font-weight: 700;
+        color: var(--text);
+      }
+
+      .section-summary {
+        display: inline-flex;
+        align-items: center;
+        gap: 8px;
+        color: var(--muted);
+        text-align: right;
+      }
+
+      .section-body {
+        padding: 0 20px 20px;
+      }
+
+      .gate-grid {
+        margin-top: 12px;
+      }
+
+      pre {
+        margin: 0;
+        padding: 12px;
+        background: #f8fafc;
+        border: 1px solid var(--border);
+        border-radius: 10px;
+        white-space: pre-wrap;
+        word-break: break-word;
+        overflow-wrap: anywhere;
+      }
+
+      ul {
+        margin: 0;
+        padding-left: 20px;
+      }
+
+      @media (max-width: 720px) {
+        .container {
+          padding: 16px 12px 28px;
+        }
+
+        .row-header,
+        .section-card summary,
+        .meta-item,
+        .definition-item {
+          flex-direction: column;
+          align-items: flex-start;
+        }
+
+        .meta-value,
+        .definition-value,
+        .section-summary {
+          text-align: left;
+        }
+      }
+    </style>
+  </head>
+  <body>
+    <main class="container">
+      ${body}
+    </main>
+  </body>
+</html>`;
+}
+function renderLintHtml(report) {
+  const passRate = report.summary.total === 0 ? 0 : report.summary.passed / report.summary.total;
+  const body = [
+    renderHeaderCard(
+      "lint",
+      "Static Analysis Report",
+      report.target,
+      [
+        { label: "Pass rate", value: formatPercent(passRate), note: `${report.summary.passed}/${report.summary.total} passed` },
+        { label: "Warnings", value: String(report.summary.warnings), status: report.summary.warnings > 0 ? "warn" : "pass" },
+        { label: "Failures", value: String(report.summary.failures), status: report.summary.failures > 0 ? "fail" : "pass" },
+        { label: "Checks", value: String(report.summary.total) }
+      ],
+      [{ label: "Target", value: report.target }]
+    ),
+    renderSectionCard("Lint Issues", renderLintIssueList(report))
+  ].join("");
+  return renderHtmlDocument(`skilltest lint - ${report.target}`, body);
+}
+function renderTriggerHtml(result) {
+  const htmlResult = result;
+  const target = resolveOptionalTarget(htmlResult, result.skillName);
+  const matchedCount = result.cases.filter((testCase) => testCase.matched).length;
+  const matchRate = result.cases.length === 0 ? 0 : matchedCount / result.cases.length;
+  const body = [
+    renderHeaderCard(
+      "trigger",
+      result.skillName,
+      target,
+      [
+        { label: "Match rate", value: formatPercent(matchRate), note: `${matchedCount}/${result.cases.length} matched` },
+        { label: "Precision", value: formatPercent(result.metrics.precision) },
+        { label: "Recall", value: formatPercent(result.metrics.recall) },
+        { label: "F1", value: formatPercent(result.metrics.f1), status: result.metrics.f1 >= 0.8 ? "pass" : "warn" }
+      ],
+      [
+        { label: "Provider", value: result.provider },
+        { label: "Model", value: result.model },
+        { label: "Seed", value: result.seed !== void 0 ? String(result.seed) : "none" },
+        { label: "Queries", value: String(result.queries.length) }
+      ]
+    ),
+    renderSectionCard("Trigger Cases", `<div class="row-list">${result.cases.map((testCase) => renderTriggerCaseRow(testCase)).join("")}</div>`),
+    renderSectionCard(
+      "Suggestions",
+      `<ul>${result.suggestions.map((suggestion) => `<li>${escapeHtml(suggestion)}</li>`).join("")}</ul>`
+    )
+  ].join("");
+  return renderHtmlDocument(`skilltest trigger - ${result.skillName}`, body);
+}
+function renderEvalHtml(result) {
+  const htmlResult = result;
+  const target = resolveOptionalTarget(htmlResult, result.skillName);
+  const passRate = result.summary.totalAssertions === 0 ? 0 : result.summary.passedAssertions / result.summary.totalAssertions;
+  const body = [
+    renderHeaderCard(
+      "eval",
+      result.skillName,
+      target,
+      [
+        {
+          label: "Assertion pass rate",
+          value: formatPercent(passRate),
+          note: `${result.summary.passedAssertions}/${result.summary.totalAssertions} passed`
+        },
+        { label: "Prompts", value: String(result.summary.totalPrompts) },
+        { label: "Model", value: result.model },
+        { label: "Grader", value: result.graderModel }
+      ],
+      [
+        { label: "Provider", value: result.provider },
+        { label: "Execution model", value: result.model },
+        { label: "Grader model", value: result.graderModel },
+        { label: "Prompts", value: String(result.prompts.length) }
+      ]
+    ),
+    renderSectionCard("Eval Prompts", `<div class="row-list">${result.results.map((promptResult) => renderEvalPromptRow(promptResult)).join("")}</div>`)
+  ].join("");
+  return renderHtmlDocument(`skilltest eval - ${result.skillName}`, body);
+}
+function renderCheckHtml(result) {
+  const skillName = result.trigger?.skillName ?? result.eval?.skillName ?? result.target;
+  const triggerBody = result.trigger ? `<div class="row-list">${result.trigger.cases.map((testCase) => renderTriggerCaseRow(testCase)).join("")}</div>
+       <div class="card" style="margin-top: 16px;">
+         <h2>Trigger Suggestions</h2>
+         <ul>${result.trigger.suggestions.map((suggestion) => `<li>${escapeHtml(suggestion)}</li>`).join("")}</ul>
+       </div>` : renderMessageRow("skip", "Trigger skipped", result.triggerSkippedReason ?? "Skipped.");
+  const evalBody = result.eval ? `<div class="row-list">${result.eval.results.map((promptResult) => renderEvalPromptRow(promptResult)).join("")}</div>` : renderMessageRow("skip", "Eval skipped", result.evalSkippedReason ?? "Skipped.");
+  const lintStatus = result.gates.lintPassed ? "pass" : "fail";
+  const triggerStatus = gateStatus(result.gates.triggerPassed);
+  const evalStatus = gateStatus(result.gates.evalPassed);
+  const overallStatus = result.gates.overallPassed ? "pass" : "fail";
+  const header = renderHeaderCard(
+    "check",
+    skillName,
+    result.target,
+    [
+      { label: "Overall gate", value: badgeLabel(overallStatus), status: overallStatus },
+      {
+        label: "Trigger F1",
+        value: result.gates.triggerF1 !== null ? formatPercent(result.gates.triggerF1) : "skipped",
+        status: triggerStatus
+      },
+      {
+        label: "Eval pass rate",
+        value: result.gates.evalAssertPassRate !== null ? formatPercent(result.gates.evalAssertPassRate) : "skipped",
+        status: evalStatus
+      },
+      {
+        label: "Lint result",
+        value: `${result.lint.summary.failures} fail / ${result.lint.summary.warnings} warn`,
+        status: lintStatus
+      }
+    ],
+    [
+      { label: "Provider", value: result.provider },
+      { label: "Model", value: result.model },
+      { label: "Grader model", value: result.graderModel },
+      {
+        label: "Thresholds",
+        value: `min-f1=${result.thresholds.minF1.toFixed(2)} min-assert-pass-rate=${result.thresholds.minAssertPassRate.toFixed(2)}`
+      }
+    ]
+  );
+  const lintSection = renderCollapsibleSection(
+    "Lint",
+    `${result.lint.summary.passed}/${result.lint.summary.total} passed, ${result.lint.summary.warnings} warnings, ${result.lint.summary.failures} failures`,
+    renderLintIssueList(result.lint),
+    lintStatus
+  );
+  const triggerSection = renderCollapsibleSection(
+    "Trigger",
+    result.trigger ? `f1=${formatPercent(result.trigger.metrics.f1)} precision=${formatPercent(result.trigger.metrics.precision)} recall=${formatPercent(result.trigger.metrics.recall)}` : result.triggerSkippedReason ?? "Skipped.",
+    triggerBody,
+    triggerStatus
+  );
+  const evalSection = renderCollapsibleSection(
+    "Eval",
+    result.eval ? `assertion pass rate=${formatPercent(result.gates.evalAssertPassRate ?? 0)} (${result.eval.summary.passedAssertions}/${result.eval.summary.totalAssertions})` : result.evalSkippedReason ?? "Skipped.",
+    evalBody,
+    evalStatus
+  );
+  const qualityGate = renderSectionCard(
+    "Quality Gate",
+    `<div class="gate-grid">
+      ${renderGateCard("Lint gate", lintStatus, result.gates.lintPassed ? "Lint passed." : "Lint failed.")}
+      ${renderGateCard(
+      "Trigger gate",
+      triggerStatus,
+      result.gates.triggerPassed === null ? result.triggerSkippedReason ?? "Skipped." : `required ${result.thresholds.minF1.toFixed(2)}, actual ${result.gates.triggerF1?.toFixed(2) ?? "n/a"}`
+    )}
+      ${renderGateCard(
+      "Eval gate",
+      evalStatus,
+      result.gates.evalPassed === null ? result.evalSkippedReason ?? "Skipped." : `required ${result.thresholds.minAssertPassRate.toFixed(2)}, actual ${result.gates.evalAssertPassRate?.toFixed(2) ?? "n/a"}`
+    )}
+      ${renderGateCard("Overall", overallStatus, result.gates.overallPassed ? "All quality gates passed." : "One or more gates failed.")}
+    </div>`
+  );
+  return renderHtmlDocument(`skilltest check - ${skillName}`, [header, lintSection, triggerSection, evalSection, qualityGate].join(""));
+}
+
 // src/reporters/terminal.ts
 import { Chalk } from "chalk";
 function getChalkInstance(enableColor) {
@@ -1070,6 +2115,14 @@ function renderIssueLine(issue, c) {
   return `  ${label} ${issue.title}
       ${issue.message}${detail}`;
 }
+function countSkippedSecurityPatterns2(issues) {
+  return issues.reduce((total, issue) => {
+    if (!issue.checkId.startsWith("security:")) {
+      return total;
+    }
+    return total + (issue.skippedPatterns?.length ?? 0);
+  }, 0);
+}
 function renderLintReport(report, enableColor) {
   const c = getChalkInstance(enableColor);
   const { passed, warnings, failures, total } = report.summary;
@@ -1082,10 +2135,13 @@ function renderLintReport(report, enableColor) {
     `\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518`
   ];
   const renderedIssues = report.issues.map((issue) => renderIssueLine(issue, c)).join("\n");
+  const skippedSecurityPatterns = countSkippedSecurityPatterns2(report.issues);
+  const infoLine = skippedSecurityPatterns > 0 ? `
+  ${c.cyan("\u2139")} ${skippedSecurityPatterns} security pattern(s) found in code examples/comments (not flagged)` : "";
   return `${headerLines.join("\n")}
-${renderedIssues}`;
+${renderedIssues}${infoLine}`;
 }
-function formatPercent(value) {
+function formatPercent2(value) {
   return `${(value * 100).toFixed(1)}%`;
 }
 function renderTriggerReport(result, enableColor, verbose) {
@@ -1097,7 +2153,7 @@ function renderTriggerReport(result, enableColor, verbose) {
   lines.push(`\u2502 skill: ${result.skillName}`);
   lines.push(`\u2502 provider/model: ${result.provider}/${result.model}`);
   lines.push(
-    `\u2502 precision: ${formatPercent(result.metrics.precision)}  recall: ${formatPercent(result.metrics.recall)}  f1: ${formatPercent(result.metrics.f1)}`
+    `\u2502 precision: ${formatPercent2(result.metrics.precision)}  recall: ${formatPercent2(result.metrics.recall)}  f1: ${formatPercent2(result.metrics.f1)}`
   );
   lines.push(
     `\u2502 TP ${result.metrics.truePositives}  TN ${result.metrics.trueNegatives}  FP ${result.metrics.falsePositives}  FN ${result.metrics.falseNegatives}`
@@ -1171,11 +2227,15 @@ function renderCheckReport(result, enableColor, verbose) {
   for (const issue of lintIssues) {
     lines.push(renderIssueLine(issue, c));
   }
+  const skippedSecurityPatterns = countSkippedSecurityPatterns2(result.lint.issues);
+  if (skippedSecurityPatterns > 0) {
+    lines.push(`  ${c.cyan("\u2139")} ${skippedSecurityPatterns} security pattern(s) found in code examples/comments (not flagged)`);
+  }
   lines.push("");
   lines.push("Trigger");
   if (result.trigger) {
     lines.push(
-      `- ${triggerGate} f1=${formatPercent(result.trigger.metrics.f1)} (precision=${formatPercent(result.trigger.metrics.precision)} recall=${formatPercent(result.trigger.metrics.recall)})`
+      `- ${triggerGate} f1=${formatPercent2(result.trigger.metrics.f1)} (precision=${formatPercent2(result.trigger.metrics.precision)} recall=${formatPercent2(result.trigger.metrics.recall)})`
     );
     lines.push(
       `  TP ${result.trigger.metrics.truePositives} TN ${result.trigger.metrics.trueNegatives} FP ${result.trigger.metrics.falsePositives} FN ${result.trigger.metrics.falseNegatives}`
@@ -1194,7 +2254,7 @@ function renderCheckReport(result, enableColor, verbose) {
   if (result.eval) {
     const passRate = result.gates.evalAssertPassRate ?? 0;
     lines.push(
-      `- ${evalGate} assertion pass rate=${formatPercent(passRate)} (${result.eval.summary.passedAssertions}/${result.eval.summary.totalAssertions})`
+      `- ${evalGate} assertion pass rate=${formatPercent2(passRate)} (${result.eval.summary.passedAssertions}/${result.eval.summary.totalAssertions})`
     );
     for (const promptResult of result.eval.results) {
       const failedAssertions = promptResult.assertions.filter((assertion) => !assertion.passed);
@@ -1286,6 +2346,58 @@ async function gradeResponse(options) {
   return parsed.data.assertions;
 }
 
+// src/utils/concurrency.ts
+async function pMap(items, fn, concurrency) {
+  if (!Number.isInteger(concurrency) || concurrency < 1) {
+    throw new Error("pMap concurrency must be an integer greater than or equal to 1.");
+  }
+  if (items.length === 0) {
+    return [];
+  }
+  const results = new Array(items.length);
+  return new Promise((resolve, reject) => {
+    let nextIndex = 0;
+    let completed = 0;
+    let rejected = false;
+    const launchNext = () => {
+      if (rejected) {
+        return;
+      }
+      if (completed === items.length) {
+        resolve(results);
+        return;
+      }
+      if (nextIndex >= items.length) {
+        return;
+      }
+      const currentIndex = nextIndex;
+      nextIndex += 1;
+      Promise.resolve().then(() => fn(items[currentIndex], currentIndex)).then((result) => {
+        if (rejected) {
+          return;
+        }
+        results[currentIndex] = result;
+        completed += 1;
+        if (completed === items.length) {
+          resolve(results);
+          return;
+        }
+        launchNext();
+      }).catch((error) => {
+        if (rejected) {
+          return;
+        }
+        rejected = true;
+        reject(error);
+      });
+    };
+    const initialWorkers = Math.min(concurrency, items.length);
+    for (let workerIndex = 0; workerIndex < initialWorkers; workerIndex += 1) {
+      launchNext();
+    }
+  });
+}
+
 // src/core/eval-runner.ts
 var evalPromptSchema = z3.object({
   prompt: z3.string().min(1),
@@ -1332,34 +2444,37 @@ async function generatePrompts(skill, provider, model, count) {
 }
 async function runEval(skill, options) {
   const prompts = options.prompts && options.prompts.length > 0 ? evalPromptArraySchema.parse(options.prompts) : await generatePrompts(skill, options.provider, options.model, options.numRuns);
-  const results = [];
-  for (const evalPrompt of prompts) {
-    const systemPrompt = [
-      "You are an AI assistant with an activated skill.",
-      "Follow this SKILL.md content exactly where applicable.",
-      "",
-      skill.raw
-    ].join("\n");
-    const response = await options.provider.sendMessage(systemPrompt, evalPrompt.prompt, { model: options.model });
-    const gradedAssertions = await gradeResponse({
-      provider: options.provider,
-      model: options.graderModel,
-      skillName: skill.frontmatter.name,
-      skillBody: skill.content,
-      userPrompt: evalPrompt.prompt,
-      modelResponse: response,
-      assertions: evalPrompt.assertions
-    });
-    const passedAssertions2 = gradedAssertions.filter((assertion) => assertion.passed).length;
-    results.push({
-      prompt: evalPrompt.prompt,
-      assertions: gradedAssertions,
-      responseSummary: response.slice(0, 200),
-      response,
-      passedAssertions: passedAssertions2,
-      totalAssertions: gradedAssertions.length
-    });
-  }
+  const systemPrompt = [
+    "You are an AI assistant with an activated skill.",
+    "Follow this SKILL.md content exactly where applicable.",
+    "",
+    skill.raw
+  ].join("\n");
+  const results = await pMap(
+    prompts,
+    async (evalPrompt) => {
+      const response = await options.provider.sendMessage(systemPrompt, evalPrompt.prompt, { model: options.model });
+      const gradedAssertions = await gradeResponse({
+        provider: options.provider,
+        model: options.graderModel,
+        skillName: skill.frontmatter.name,
+        skillBody: skill.content,
+        userPrompt: evalPrompt.prompt,
+        modelResponse: response,
+        assertions: evalPrompt.assertions
+      });
+      const passedAssertions2 = gradedAssertions.filter((assertion) => assertion.passed).length;
+      return {
+        prompt: evalPrompt.prompt,
+        assertions: gradedAssertions,
+        responseSummary: response.slice(0, 200),
+        response,
+        passedAssertions: passedAssertions2,
+        totalAssertions: gradedAssertions.length
+      };
+    },
+    options.concurrency ?? 5
+  );
   const totalAssertions = results.reduce((total, result) => total + result.totalAssertions, 0);
   const passedAssertions = results.reduce((total, result) => total + result.passedAssertions, 0);
   return {
@@ -1401,23 +2516,28 @@ var FAKE_SKILLS = [
   { name: "test-generator", description: "Generates unit and integration test cases from feature requirements." },
   { name: "prompt-tuner", description: "Improves prompts for reliability, formatting, and failure handling." }
 ];
-function createSeededRandom(seed) {
-  let state = seed >>> 0;
+function mulberry32(seed) {
   return () => {
-    state = state * 1664525 + 1013904223 >>> 0;
-    return state / 4294967296;
+    seed |= 0;
+    seed = seed + 1831565813 | 0;
+    let t = Math.imul(seed ^ seed >>> 15, 1 | seed);
+    t = t + Math.imul(t ^ t >>> 7, 61 | t) ^ t;
+    return ((t ^ t >>> 14) >>> 0) / 4294967296;
   };
 }
-function shuffle(values, random = Math.random) {
+function createRng(seed) {
+  return seed !== void 0 ? mulberry32(seed) : Math.random;
+}
+function shuffle(values, rng) {
   const copy = [...values];
   for (let index = copy.length - 1; index > 0; index -= 1) {
-    const swapIndex = Math.floor(random() * (index + 1));
+    const swapIndex = Math.floor(rng() * (index + 1));
     [copy[index], copy[swapIndex]] = [copy[swapIndex], copy[index]];
   }
   return copy;
 }
-function sample(values, count, random = Math.random) {
-  return shuffle(values, random).slice(0, Math.max(0, Math.min(count, values.length)));
+function sample(values, count, rng) {
+  return shuffle(values, rng).slice(0, Math.max(0, Math.min(count, values.length)));
 }
 function parseJsonArrayFromModelOutput(raw) {
   const trimmed = raw.trim();
@@ -1529,48 +2649,61 @@ function buildSuggestions(metrics) {
   return suggestions;
 }
 async function runTriggerTest(skill, options) {
-  const random = options.seed === void 0 ? Math.random : createSeededRandom(options.seed);
+  const rng = createRng(options.seed);
   const queries = options.queries && options.queries.length > 0 ? triggerQueryArraySchema.parse(options.queries) : await generateQueriesWithModel(skill, options.provider, options.model, options.numQueries);
-  const results = [];
   const skillName = skill.frontmatter.name;
-  for (const testQuery of queries) {
-    const fakeCount = 5 + Math.floor(random() * 4);
-    const fakeSkills = sample(FAKE_SKILLS, fakeCount, random);
+  const preparedQueries = queries.map((testQuery) => {
+    const fakeCount = 5 + Math.floor(rng() * 5);
+    const fakeSkills = sample(FAKE_SKILLS, fakeCount, rng);
     const allSkills = shuffle([
       ...fakeSkills,
       {
         name: skill.frontmatter.name,
         description: skill.frontmatter.description
       }
-    ], random);
+    ], rng);
     const skillListText = allSkills.map((entry) => `- ${entry.name}: ${entry.description}`).join("\n");
-    const systemPrompt = [
-      "You are selecting one skill to activate for a user query.",
-      "Choose the single best matching skill name from the provided list, or 'none' if no skill is a good fit.",
-      "Respond with only the skill name or 'none'."
-    ].join(" ");
-    const userPrompt = [`Available skills:`, skillListText, "", `User query: ${testQuery.query}`].join("\n");
-    const rawResponse = await options.provider.sendMessage(systemPrompt, userPrompt, { model: options.model });
-    const decision = parseDecision(
-      rawResponse,
-      allSkills.map((entry) => entry.name)
-    );
-    const expected = testQuery.should_trigger ? skillName : "none";
-    const matched = testQuery.should_trigger ? decision === skillName : decision !== skillName;
-    results.push({
-      query: testQuery.query,
-      shouldTrigger: testQuery.should_trigger,
-      expected,
-      actual: decision,
-      matched,
-      rawModelResponse: options.verbose ? rawResponse : void 0
-    });
-  }
+    return {
+      testQuery,
+      fakeCount,
+      fakeSkills,
+      allSkills,
+      skillListText
+    };
+  });
+  const systemPrompt = [
+    "You are selecting one skill to activate for a user query.",
+    "Choose the single best matching skill name from the provided list, or 'none' if no skill is a good fit.",
+    "Respond with only the skill name or 'none'."
+  ].join(" ");
+  const results = await pMap(
+    preparedQueries,
+    async ({ testQuery, allSkills, skillListText }) => {
+      const userPrompt = [`Available skills:`, skillListText, "", `User query: ${testQuery.query}`].join("\n");
+      const rawResponse = await options.provider.sendMessage(systemPrompt, userPrompt, { model: options.model });
+      const decision = parseDecision(
+        rawResponse,
+        allSkills.map((entry) => entry.name)
+      );
+      const expected = testQuery.should_trigger ? skillName : "none";
+      const matched = testQuery.should_trigger ? decision === skillName : decision !== skillName;
+      return {
+        query: testQuery.query,
+        shouldTrigger: testQuery.should_trigger,
+        expected,
+        actual: decision,
+        matched,
+        rawModelResponse: options.verbose ? rawResponse : void 0
+      };
+    },
+    options.concurrency ?? 5
+  );
   const metrics = calculateMetrics(skillName, results);
   return {
     skillName,
     model: options.model,
     provider: options.provider.name,
+    seed: options.seed,
     queries,
     cases: results,
     metrics,
@@ -1730,6 +2863,9 @@ function writeError(error, asJson) {
 }
 
 // src/commands/lint.ts
+var lintCliSchema = z6.object({
+  html: z6.string().optional()
+});
 async function handleLintCommand(targetPath, options) {
   try {
     const report = await runLinter(targetPath, { suppress: options.suppress });
@@ -1738,6 +2874,9 @@ async function handleLintCommand(targetPath, options) {
     } else {
       writeResult(renderLintReport(report, options.color), false);
     }
+    if (options.html) {
+      await fs6.writeFile(options.html, renderLintHtml(report), "utf8");
+    }
     if (lintFails(report, options.failOn)) {
       process.exitCode = 1;
     }
@@ -1747,74 +2886,85 @@ async function handleLintCommand(targetPath, options) {
   }
 }
 function registerLintCommand(program) {
-  program.command("lint").description("Run static lint checks against a SKILL.md file or skill directory.").argument("<path-to-skill>", "Path to SKILL.md or skill directory").action(async (targetPath, _commandOptions, command) => {
+  program.command("lint").description("Run static lint checks against a SKILL.md file or skill directory.").argument("<path-to-skill>", "Path to SKILL.md or skill directory").option("--html <path>", "Write an HTML report to the given file path").action(async (targetPath, _commandOptions, command) => {
     const globalOptions = getGlobalCliOptions(command);
     const config = getResolvedConfig(command);
+    const parsedCli = lintCliSchema.safeParse(command.opts());
+    if (!parsedCli.success) {
+      writeError(new Error(parsedCli.error.issues[0]?.message ?? "Invalid lint options."), globalOptions.json);
+      process.exitCode = 2;
+      return;
+    }
     await handleLintCommand(targetPath, {
       ...globalOptions,
       failOn: config.lint.failOn,
-      suppress: config.lint.suppress
+      suppress: config.lint.suppress,
+      html: parsedCli.data.html
     });
   });
 }
 
 // src/commands/trigger.ts
+import fs8 from "node:fs/promises";
 import ora from "ora";
-import { z as z7 } from "zod";
+import { z as z8 } from "zod";
 
 // src/utils/config.ts
-import fs6 from "node:fs/promises";
+import fs7 from "node:fs/promises";
 import path5 from "node:path";
-import { z as z6 } from "zod";
-var providerNameSchema = z6.enum(["anthropic", "openai"]);
-var lintFailOnSchema = z6.enum(["error", "warn"]);
-var lintConfigSchema = z6.object({
+import { z as z7 } from "zod";
+var providerNameSchema = z7.enum(["anthropic", "openai"]);
+var lintFailOnSchema = z7.enum(["error", "warn"]);
+var lintConfigSchema = z7.object({
   failOn: lintFailOnSchema.optional(),
-  suppress: z6.array(z6.string().min(1)).optional()
+  suppress: z7.array(z7.string().min(1)).optional()
 }).strict();
-var triggerConfigSchema = z6.object({
-  numQueries: z6.number().int().min(2).refine((value) => value % 2 === 0, "trigger.numQueries must be an even number."),
-  threshold: z6.number().min(0).max(1).optional(),
-  seed: z6.number().int().optional()
+var triggerConfigSchema = z7.object({
+  numQueries: z7.number().int().min(2).refine((value) => value % 2 === 0, "trigger.numQueries must be an even number."),
+  threshold: z7.number().min(0).max(1).optional(),
+  seed: z7.number().int().optional()
 }).strict().partial();
-var evalConfigSchema = z6.object({
-  numRuns: z6.number().int().min(1).optional(),
-  threshold: z6.number().min(0).max(1).optional(),
-  promptFile: z6.string().min(1).optional(),
-  assertionsFile: z6.string().min(1).optional()
+var evalConfigSchema = z7.object({
+  numRuns: z7.number().int().min(1).optional(),
+  threshold: z7.number().min(0).max(1).optional(),
+  promptFile: z7.string().min(1).optional(),
+  assertionsFile: z7.string().min(1).optional()
 }).strict().partial();
-var skilltestConfigSchema = z6.object({
+var skilltestConfigSchema = z7.object({
   provider: providerNameSchema.optional(),
-  model: z6.string().min(1).optional(),
-  json: z6.boolean().optional(),
+  model: z7.string().min(1).optional(),
+  json: z7.boolean().optional(),
+  concurrency: z7.number().int().min(1).optional(),
   lint: lintConfigSchema.optional(),
   trigger: triggerConfigSchema.optional(),
   eval: evalConfigSchema.optional()
 }).strict();
-var resolvedSkilltestConfigSchema = z6.object({
+var resolvedSkilltestConfigSchema = z7.object({
   provider: providerNameSchema,
-  model: z6.string().min(1),
-  json: z6.boolean(),
-  lint: z6.object({
+  model: z7.string().min(1),
+  json: z7.boolean(),
+  concurrency: z7.number().int().min(1),
+  lint: z7.object({
     failOn: lintFailOnSchema,
-    suppress: z6.array(z6.string().min(1))
+    suppress: z7.array(z7.string().min(1))
   }),
-  trigger: z6.object({
-    numQueries: z6.number().int().min(2).refine((value) => value % 2 === 0, "trigger.numQueries must be an even number."),
-    threshold: z6.number().min(0).max(1),
-    seed: z6.number().int().optional()
+  trigger: z7.object({
+    numQueries: z7.number().int().min(2).refine((value) => value % 2 === 0, "trigger.numQueries must be an even number."),
+    threshold: z7.number().min(0).max(1),
+    seed: z7.number().int().optional()
   }),
-  eval: z6.object({
-    numRuns: z6.number().int().min(1),
-    threshold: z6.number().min(0).max(1),
-    promptFile: z6.string().min(1).optional(),
-    assertionsFile: z6.string().min(1).optional()
+  eval: z7.object({
+    numRuns: z7.number().int().min(1),
+    threshold: z7.number().min(0).max(1),
+    promptFile: z7.string().min(1).optional(),
+    assertionsFile: z7.string().min(1).optional()
   })
 });
 var DEFAULT_SKILLTEST_CONFIG = {
   provider: "anthropic",
   model: "claude-sonnet-4-5-20250929",
   json: false,
+  concurrency: 5,
   lint: {
     failOn: "error",
     suppress: []
@@ -1843,7 +2993,7 @@ function buildConfigValidationError(error, sourceLabel) {
 async function readJsonObject(filePath, label) {
   let raw;
   try {
-    raw = await fs6.readFile(filePath, "utf8");
+    raw = await fs7.readFile(filePath, "utf8");
   } catch (error) {
     const message = error instanceof Error ? error.message : String(error);
     throw new Error(`Failed to read ${label}: ${message}`);
@@ -1876,7 +3026,7 @@ async function loadConfigFromNearestPackageJson(startDirectory) {
     const packageJsonPath = path5.join(currentDirectory, "package.json");
     if (await pathExists(packageJsonPath)) {
       const raw = await readJsonObject(packageJsonPath, packageJsonPath);
-      const packageJsonSchema = z6.object({
+      const packageJsonSchema = z7.object({
         skilltestrc: skilltestConfigSchema.optional()
       }).passthrough();
       const parsed = packageJsonSchema.safeParse(raw);
@@ -1921,6 +3071,7 @@ function mergeConfigLayers(configFile = {}, cliFlags = {}, baseDirectory = proce
     provider: cliFlags.provider ?? configFile.provider ?? DEFAULT_SKILLTEST_CONFIG.provider,
     model: cliFlags.model ?? configFile.model ?? DEFAULT_SKILLTEST_CONFIG.model,
     json: cliFlags.json ?? configFile.json ?? DEFAULT_SKILLTEST_CONFIG.json,
+    concurrency: cliFlags.concurrency ?? configFile.concurrency ?? DEFAULT_SKILLTEST_CONFIG.concurrency,
     lint: {
       failOn: cliFlags.lint?.failOn ?? configFile.lint?.failOn ?? DEFAULT_SKILLTEST_CONFIG.lint.failOn,
       suppress: cliFlags.lint?.suppress ?? configFile.lint?.suppress ?? DEFAULT_SKILLTEST_CONFIG.lint.suppress
@@ -1964,6 +3115,9 @@ function extractCliConfigOverrides(command) {
   if (command.getOptionValueSource("model") === "cli") {
     overrides.model = getTypedOptionValue(command, "model");
   }
+  if ((command.name() === "trigger" || command.name() === "eval" || command.name() === "check") && command.getOptionValueSource("concurrency") === "cli") {
+    overrides.concurrency = getTypedOptionValue(command, "concurrency");
+  }
   if ((command.name() === "trigger" || command.name() === "check") && command.getOptionValueSource("numQueries") === "cli") {
     overrides.trigger = {
       ...overrides.trigger,
@@ -1993,7 +3147,6 @@ async function resolveConfigContext(targetPath, cliFlags) {
   const skillDirectoryConfig = await resolveSkillDirectoryConfig(targetPath);
   if (skillDirectoryConfig) {
     return {
-      configFile: skillDirectoryConfig.configFile,
       ...skillDirectoryConfig,
       config: mergeConfigLayers(skillDirectoryConfig.configFile, cliFlags, skillDirectoryConfig.sourceDirectory)
     };
@@ -2002,7 +3155,6 @@ async function resolveConfigContext(targetPath, cliFlags) {
   const cwdConfig = await loadConfigFromJsonFile(cwdConfigPath);
   if (cwdConfig) {
     return {
-      configFile: cwdConfig.configFile,
       ...cwdConfig,
       config: mergeConfigLayers(cwdConfig.configFile, cliFlags, cwdConfig.sourceDirectory)
     };
@@ -2010,7 +3162,6 @@ async function resolveConfigContext(targetPath, cliFlags) {
   const packageJsonConfig = await loadConfigFromNearestPackageJson(cwd);
   if (packageJsonConfig) {
     return {
-      configFile: packageJsonConfig.configFile,
       ...packageJsonConfig,
       config: mergeConfigLayers(packageJsonConfig.configFile, cliFlags, packageJsonConfig.sourceDirectory)
     };
@@ -2218,11 +3369,14 @@ function createProvider(providerName, apiKeyOverride) {
 }
 
 // src/commands/trigger.ts
-var triggerCliSchema = z7.object({
-  queries: z7.string().optional(),
-  saveQueries: z7.string().optional(),
-  verbose: z7.boolean().optional(),
-  apiKey: z7.string().optional()
+var triggerCliSchema = z8.object({
+  queries: z8.string().optional(),
+  saveQueries: z8.string().optional(),
+  seed: z8.number().int().optional(),
+  concurrency: z8.number().int().min(1).optional(),
+  html: z8.string().optional(),
+  verbose: z8.boolean().optional(),
+  apiKey: z8.string().optional()
 });
 var DEFAULT_ANTHROPIC_MODEL = "claude-sonnet-4-5-20250929";
 var DEFAULT_OPENAI_MODEL = "gpt-4.1-mini";
@@ -2232,6 +3386,13 @@ function resolveModel(provider, model) {
   }
   return model;
 }
+function renderTriggerOutputWithSeed(output, seed) {
+  if (seed === void 0) {
+    return output;
+  }
+  return `${output}
+Seed: ${seed}`;
+}
 async function handleTriggerCommand(targetPath, options) {
   const spinner = options.json || !process.stdout.isTTY ? null : ora("Preparing trigger evaluation...").start();
   try {
@@ -2260,6 +3421,7 @@ async function handleTriggerCommand(targetPath, options) {
       queries,
       numQueries: options.numQueries,
       seed: options.seed,
+      concurrency: options.concurrency,
       verbose: options.verbose
     });
     if (options.saveQueries) {
@@ -2269,7 +3431,14 @@ async function handleTriggerCommand(targetPath, options) {
     if (options.json) {
       writeResult(result, true);
     } else {
-      writeResult(renderTriggerReport(result, options.color, options.verbose), false);
+      writeResult(renderTriggerOutputWithSeed(renderTriggerReport(result, options.color, options.verbose), result.seed), false);
+    }
+    if (options.html) {
+      const htmlResult = {
+        ...result,
+        target: targetPath
+      };
+      await fs8.writeFile(options.html, renderTriggerHtml(htmlResult), "utf8");
     }
   } catch (error) {
     spinner?.stop();
@@ -2278,7 +3447,7 @@ async function handleTriggerCommand(targetPath, options) {
   }
 }
 function registerTriggerCommand(program) {
-  program.command("trigger").description("Evaluate whether a skill description triggers correctly.").argument("<path-to-skill>", "Path to SKILL.md or skill directory").option("--model <model>", "Model to use").option("--provider <provider>", "LLM provider: anthropic|openai").option("--queries <path>", "Path to custom test queries JSON").option("--num-queries <n>", "Number of auto-generated queries", (value) => Number.parseInt(value, 10)).option("--save-queries <path>", "Save generated queries to a JSON file").option("--api-key <key>", "API key override").option("--verbose", "Show full model decisions").action(async (targetPath, _commandOptions, command) => {
+  program.command("trigger").description("Evaluate whether a skill description triggers correctly.").argument("<path-to-skill>", "Path to SKILL.md or skill directory").option("--model <model>", "Model to use").option("--provider <provider>", "LLM provider: anthropic|openai").option("--queries <path>", "Path to custom test queries JSON").option("--num-queries <n>", "Number of auto-generated queries", (value) => Number.parseInt(value, 10)).option("--seed <number>", "RNG seed for reproducible results", (value) => Number.parseInt(value, 10)).option("--concurrency <n>", "Maximum in-flight trigger requests", (value) => Number.parseInt(value, 10)).option("--html <path>", "Write an HTML report to the given file path").option("--save-queries <path>", "Save generated queries to a JSON file").option("--api-key <key>", "API key override").option("--verbose", "Show full model decisions").action(async (targetPath, _commandOptions, command) => {
     const globalOptions = getGlobalCliOptions(command);
     const config = getResolvedConfig(command);
     const parsedCli = triggerCliSchema.safeParse(command.opts());
@@ -2294,7 +3463,9 @@ function registerTriggerCommand(program) {
       queries: parsedCli.data.queries,
       numQueries: config.trigger.numQueries,
       saveQueries: parsedCli.data.saveQueries,
-      seed: config.trigger.seed,
+      seed: parsedCli.data.seed ?? config.trigger.seed,
+      concurrency: config.concurrency,
+      html: parsedCli.data.html,
       verbose: Boolean(parsedCli.data.verbose),
       apiKey: parsedCli.data.apiKey
     });
@@ -2302,14 +3473,17 @@ function registerTriggerCommand(program) {
 }
 
 // src/commands/eval.ts
+import fs9 from "node:fs/promises";
 import ora2 from "ora";
-import { z as z8 } from "zod";
-var evalCliSchema = z8.object({
-  prompts: z8.string().optional(),
-  graderModel: z8.string().optional(),
-  saveResults: z8.string().optional(),
-  verbose: z8.boolean().optional(),
-  apiKey: z8.string().optional()
+import { z as z9 } from "zod";
+var evalCliSchema = z9.object({
+  prompts: z9.string().optional(),
+  graderModel: z9.string().optional(),
+  saveResults: z9.string().optional(),
+  concurrency: z9.number().int().min(1).optional(),
+  html: z9.string().optional(),
+  verbose: z9.boolean().optional(),
+  apiKey: z9.string().optional()
 });
 var DEFAULT_ANTHROPIC_MODEL2 = "claude-sonnet-4-5-20250929";
 var DEFAULT_OPENAI_MODEL2 = "gpt-4.1-mini";
@@ -2349,6 +3523,7 @@ async function handleEvalCommand(targetPath, options, command) {
       model,
       graderModel,
       numRuns: options.numRuns,
+      concurrency: options.concurrency,
       prompts
     });
     if (options.saveResults) {
@@ -2360,6 +3535,13 @@ async function handleEvalCommand(targetPath, options, command) {
     } else {
       writeResult(renderEvalReport(result, options.color, options.verbose), false);
     }
+    if (options.html) {
+      const htmlResult = {
+        ...result,
+        target: targetPath
+      };
+      await fs9.writeFile(options.html, renderEvalHtml(htmlResult), "utf8");
+    }
   } catch (error) {
     spinner?.stop();
     writeError(error, options.json);
@@ -2367,7 +3549,7 @@ async function handleEvalCommand(targetPath, options, command) {
   }
 }
 function registerEvalCommand(program) {
-  program.command("eval").description("Run end-to-end skill execution and quality evaluation.").argument("<path-to-skill>", "Path to SKILL.md or skill directory").option("--prompts <path>", "Path to eval prompts JSON").option("--model <model>", "Model to execute prompts").option("--grader-model <model>", "Model used for grading (defaults to --model)").option("--provider <provider>", "LLM provider: anthropic|openai").option("--save-results <path>", "Save full evaluation results to JSON").option("--api-key <key>", "API key override").option("--verbose", "Show full model responses").action(async (targetPath, _commandOptions, command) => {
+  program.command("eval").description("Run end-to-end skill execution and quality evaluation.").argument("<path-to-skill>", "Path to SKILL.md or skill directory").option("--prompts <path>", "Path to eval prompts JSON").option("--model <model>", "Model to execute prompts").option("--grader-model <model>", "Model used for grading (defaults to --model)").option("--provider <provider>", "LLM provider: anthropic|openai").option("--concurrency <n>", "Maximum in-flight eval prompt runs", (value) => Number.parseInt(value, 10)).option("--html <path>", "Write an HTML report to the given file path").option("--save-results <path>", "Save full evaluation results to JSON").option("--api-key <key>", "API key override").option("--verbose", "Show full model responses").action(async (targetPath, _commandOptions, command) => {
     const globalOptions = getGlobalCliOptions(command);
     const config = getResolvedConfig(command);
     const parsedCli = evalCliSchema.safeParse(command.opts());
@@ -2385,9 +3567,11 @@ function registerEvalCommand(program) {
         graderModel: parsedCli.data.graderModel,
         provider: config.provider,
         saveResults: parsedCli.data.saveResults,
+        html: parsedCli.data.html,
         verbose: Boolean(parsedCli.data.verbose),
         apiKey: parsedCli.data.apiKey,
-        numRuns: config.eval.numRuns
+        numRuns: config.eval.numRuns,
+        concurrency: config.concurrency
       },
       command
     );
@@ -2395,8 +3579,9 @@ function registerEvalCommand(program) {
 }
 
 // src/commands/check.ts
+import fs10 from "node:fs/promises";
 import ora3 from "ora";
-import { z as z9 } from "zod";
+import { z as z10 } from "zod";
 
 // src/core/check-runner.ts
 function calculateEvalAssertPassRate(result) {
@@ -2427,23 +3612,33 @@ async function runCheck(inputPath, options) {
       evalSkippedReason = `Skipped: skill could not be parsed strictly (${message}).`;
     }
     if (parsedSkill) {
-      options.onStage?.("trigger");
-      trigger = await runTriggerTest(parsedSkill, {
+      const triggerOptions = {
         provider: options.provider,
         model: options.model,
         queries: options.queries,
         numQueries: options.numQueries,
         seed: options.triggerSeed,
+        concurrency: options.concurrency,
         verbose: options.verbose
-      });
-      options.onStage?.("eval");
-      evalResult = await runEval(parsedSkill, {
+      };
+      const evalOptions = {
         provider: options.provider,
         model: options.model,
         graderModel: options.graderModel,
         numRuns: options.evalNumRuns,
-        prompts: options.prompts
-      });
+        prompts: options.prompts,
+        concurrency: options.concurrency
+      };
+      if ((options.concurrency ?? 5) === 1) {
+        options.onStage?.("trigger");
+        trigger = await runTriggerTest(parsedSkill, triggerOptions);
+        options.onStage?.("eval");
+        evalResult = await runEval(parsedSkill, evalOptions);
+      } else {
+        options.onStage?.("trigger");
+        options.onStage?.("eval");
+        [trigger, evalResult] = await Promise.all([runTriggerTest(parsedSkill, triggerOptions), runEval(parsedSkill, evalOptions)]);
+      }
     }
   }
   const triggerF1 = trigger ? trigger.metrics.f1 : null;
@@ -2478,14 +3673,17 @@ async function runCheck(inputPath, options) {
 }
 
 // src/commands/check.ts
-var checkCliSchema = z9.object({
-  graderModel: z9.string().optional(),
-  apiKey: z9.string().optional(),
-  queries: z9.string().optional(),
-  prompts: z9.string().optional(),
-  saveResults: z9.string().optional(),
-  continueOnLintFail: z9.boolean().optional(),
-  verbose: z9.boolean().optional()
+var checkCliSchema = z10.object({
+  graderModel: z10.string().optional(),
+  apiKey: z10.string().optional(),
+  queries: z10.string().optional(),
+  seed: z10.number().int().optional(),
+  prompts: z10.string().optional(),
+  concurrency: z10.number().int().min(1).optional(),
+  html: z10.string().optional(),
+  saveResults: z10.string().optional(),
+  continueOnLintFail: z10.boolean().optional(),
+  verbose: z10.boolean().optional()
 });
 var DEFAULT_ANTHROPIC_MODEL3 = "claude-sonnet-4-5-20250929";
 var DEFAULT_OPENAI_MODEL3 = "gpt-4.1-mini";
@@ -2495,6 +3693,19 @@ function resolveModel3(provider, model) {
   }
   return model;
 }
+function renderCheckOutputWithSeed(output, seed) {
+  if (seed === void 0) {
+    return output;
+  }
+  const lines = output.split("\n");
+  const triggerIndex = lines.indexOf("Trigger");
+  if (triggerIndex === -1) {
+    return `${output}
+Seed: ${seed}`;
+  }
+  lines.splice(triggerIndex + 1, 0, `Seed: ${seed}`);
+  return lines.join("\n");
+}
 async function handleCheckCommand(targetPath, options, command) {
   const spinner = options.json || !process.stdout.isTTY ? null : ora3("Preparing check run...").start();
   try {
@@ -2531,6 +3742,7 @@ async function handleCheckCommand(targetPath, options, command) {
       triggerSeed: options.triggerSeed,
       prompts,
       evalNumRuns: options.numRuns,
+      concurrency: options.concurrency,
       minF1: options.minF1,
       minAssertPassRate: options.minAssertPassRate,
       continueOnLintFail: options.continueOnLintFail,
@@ -2543,10 +3755,8 @@ async function handleCheckCommand(targetPath, options, command) {
           spinner.text = "Running lint checks...";
         } else if (stage === "parse") {
           spinner.text = "Parsing skill for model evaluations...";
-        } else if (stage === "trigger") {
-          spinner.text = "Running trigger test suite...";
-        } else if (stage === "eval") {
-          spinner.text = "Running end-to-end eval suite...";
+        } else if (stage === "trigger" || stage === "eval") {
+          spinner.text = "Running trigger and eval suites...";
         }
       }
     });
@@ -2557,7 +3767,13 @@ async function handleCheckCommand(targetPath, options, command) {
     if (options.json) {
       writeResult(result, true);
     } else {
-      writeResult(renderCheckReport(result, options.color, options.verbose), false);
+      writeResult(
+        renderCheckOutputWithSeed(renderCheckReport(result, options.color, options.verbose), result.trigger?.seed),
+        false
+      );
+    }
+    if (options.html) {
+      await fs10.writeFile(options.html, renderCheckHtml(result), "utf8");
     }
     process.exitCode = result.gates.overallPassed ? 0 : 1;
   } catch (error) {
@@ -2567,7 +3783,7 @@ async function handleCheckCommand(targetPath, options, command) {
   }
 }
 function registerCheckCommand(program) {
-  program.command("check").description("Run lint + trigger + eval with threshold-based quality gates.").argument("<path-to-skill>", "Path to SKILL.md or skill directory").option("--provider <provider>", "LLM provider: anthropic|openai").option("--model <model>", "Model for trigger/eval runs").option("--grader-model <model>", "Model used for grading (defaults to --model)").option("--api-key <key>", "API key override").option("--queries <path>", "Path to custom trigger queries JSON").option("--num-queries <n>", "Number of auto-generated trigger queries", (value) => Number.parseInt(value, 10)).option("--prompts <path>", "Path to eval prompts JSON").option("--min-f1 <n>", "Minimum required trigger F1 score (0-1)", (value) => Number.parseFloat(value)).option("--min-assert-pass-rate <n>", "Minimum required eval assertion pass rate (0-1)", (value) => Number.parseFloat(value)).option("--save-results <path>", "Save combined check results to JSON").option("--continue-on-lint-fail", "Continue trigger/eval stages even when lint has failures").option("--verbose", "Show detailed trigger/eval output sections").action(async (targetPath, _commandOptions, command) => {
+  program.command("check").description("Run lint + trigger + eval with threshold-based quality gates.").argument("<path-to-skill>", "Path to SKILL.md or skill directory").option("--provider <provider>", "LLM provider: anthropic|openai").option("--model <model>", "Model for trigger/eval runs").option("--grader-model <model>", "Model used for grading (defaults to --model)").option("--api-key <key>", "API key override").option("--queries <path>", "Path to custom trigger queries JSON").option("--num-queries <n>", "Number of auto-generated trigger queries", (value) => Number.parseInt(value, 10)).option("--seed <number>", "RNG seed for reproducible results", (value) => Number.parseInt(value, 10)).option("--prompts <path>", "Path to eval prompts JSON").option("--concurrency <n>", "Maximum in-flight trigger/eval tasks", (value) => Number.parseInt(value, 10)).option("--html <path>", "Write an HTML report to the given file path").option("--min-f1 <n>", "Minimum required trigger F1 score (0-1)", (value) => Number.parseFloat(value)).option("--min-assert-pass-rate <n>", "Minimum required eval assertion pass rate (0-1)", (value) => Number.parseFloat(value)).option("--save-results <path>", "Save combined check results to JSON").option("--continue-on-lint-fail", "Continue trigger/eval stages even when lint has failures").option("--verbose", "Show detailed trigger/eval output sections").action(async (targetPath, _commandOptions, command) => {
     const globalOptions = getGlobalCliOptions(command);
     const config = getResolvedConfig(command);
     const parsedCli = checkCliSchema.safeParse(command.opts());
@@ -2590,9 +3806,11 @@ function registerCheckCommand(program) {
         minF1: config.trigger.threshold,
         minAssertPassRate: config.eval.threshold,
         numRuns: config.eval.numRuns,
+        concurrency: config.concurrency,
+        html: parsedCli.data.html,
         lintFailOn: config.lint.failOn,
         lintSuppress: config.lint.suppress,
-        triggerSeed: config.trigger.seed,
+        triggerSeed: parsedCli.data.seed ?? config.trigger.seed,
         saveResults: parsedCli.data.saveResults,
         continueOnLintFail: Boolean(parsedCli.data.continueOnLintFail),
         verbose: Boolean(parsedCli.data.verbose)
@@ -2607,7 +3825,7 @@ function resolveVersion() {
   try {
     const currentFilePath = fileURLToPath(import.meta.url);
     const packageJsonPath = path6.resolve(path6.dirname(currentFilePath), "..", "package.json");
-    const raw = fs7.readFileSync(packageJsonPath, "utf8");
+    const raw = fs11.readFileSync(packageJsonPath, "utf8");
     const parsed = JSON.parse(raw);
     return parsed.version ?? "0.0.0";
   } catch {