trickle-cli 0.1.190 → 0.1.192

package/dist/commands/compliance.d.ts

@@ -0,0 +1,17 @@
+/**
+ * trickle audit --compliance — Generate compliance audit report.
+ *
+ * Exports trickle's JSONL data as a structured compliance report for
+ * EU AI Act and Colorado AI Act requirements:
+ * - Decision lineage (LLM call → tool call → output)
+ * - Timestamped event log
+ * - Risk classification
+ * - Security scan results
+ * - Data processing summary
+ *
+ * Local-first: sensitive audit data never leaves the developer's machine.
+ */
+export declare function generateComplianceReport(opts: {
+    json?: boolean;
+    out?: string;
+}): void;

package/dist/commands/compliance.js

@@ -0,0 +1,251 @@
+"use strict";
+/**
+ * trickle audit --compliance — Generate compliance audit report.
+ *
+ * Exports trickle's JSONL data as a structured compliance report for
+ * EU AI Act and Colorado AI Act requirements:
+ * - Decision lineage (LLM call → tool call → output)
+ * - Timestamped event log
+ * - Risk classification
+ * - Security scan results
+ * - Data processing summary
+ *
+ * Local-first: sensitive audit data never leaves the developer's machine.
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateComplianceReport = generateComplianceReport;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const chalk_1 = __importDefault(require("chalk"));
+function readJsonl(fp) {
+    if (!fs.existsSync(fp))
+        return [];
+    return fs.readFileSync(fp, 'utf-8').split('\n').filter(Boolean)
+        .map(l => { try {
+        return JSON.parse(l);
+    }
+    catch {
+        return null;
+    } }).filter(Boolean);
+}
+function generateComplianceReport(opts) {
+    const dir = process.env.TRICKLE_LOCAL_DIR || path.join(process.cwd(), '.trickle');
+    if (!fs.existsSync(dir)) {
+        console.log(chalk_1.default.yellow('  No .trickle/ data. Run trickle first.'));
+        return;
+    }
+    const llmCalls = readJsonl(path.join(dir, 'llm.jsonl'));
+    const agentEvents = readJsonl(path.join(dir, 'agents.jsonl'));
+    const mcpCalls = readJsonl(path.join(dir, 'mcp.jsonl'));
+    const errors = readJsonl(path.join(dir, 'errors.jsonl'));
+    const observations = readJsonl(path.join(dir, 'observations.jsonl'));
+    const calltrace = readJsonl(path.join(dir, 'calltrace.jsonl'));
+    // Build decision lineage — chronological event log
+    const lineage = [];
+    for (const e of agentEvents) {
+        lineage.push({
+            timestamp: e.timestamp || 0,
+            event: `agent:${e.event}`,
+            description: buildAgentDescription(e),
+            data: { framework: e.framework, tool: e.tool, chain: e.chain },
+        });
+    }
+    for (const c of llmCalls) {
+        lineage.push({
+            timestamp: c.timestamp || 0,
+            event: 'llm:call',
+            description: `${c.provider}/${c.model}: ${(c.inputPreview || '').substring(0, 80)} → ${(c.outputPreview || '').substring(0, 80)}`,
+            data: { model: c.model, tokens: c.totalTokens, cost: c.estimatedCostUsd, error: c.error },
+        });
+    }
+    for (const m of mcpCalls) {
+        if (m.tool === '__list_tools')
+            continue;
+        lineage.push({
+            timestamp: m.timestamp || 0,
+            event: `mcp:${m.direction}`,
+            description: `${m.tool}(${JSON.stringify(m.args || {}).substring(0, 60)}) → ${(m.resultPreview || '').substring(0, 60)}`,
+            data: { tool: m.tool, direction: m.direction, isError: m.isError },
+        });
+    }
+    lineage.sort((a, b) => a.timestamp - b.timestamp);
+    // Data processing summary
+    const providers = [...new Set(llmCalls.map(c => c.provider).filter(Boolean))];
+    const models = [...new Set(llmCalls.map(c => `${c.provider}/${c.model}`).filter(Boolean))];
+    const totalTokens = llmCalls.reduce((s, c) => s + (c.totalTokens || 0), 0);
+    const totalCost = llmCalls.reduce((s, c) => s + (c.estimatedCostUsd || 0), 0);
+    const agentTools = [...new Set(agentEvents.filter(e => e.tool).map(e => e.tool))];
+    const mcpTools = [...new Set(mcpCalls.filter(c => c.tool && c.tool !== '__list_tools').map(c => c.tool))];
+    const dataSources = [...new Set(observations.map(o => o.module).filter(Boolean))];
+    // Security scan
+    let securityFindings = [];
+    try {
+        const { runSecurityScan } = require('./security');
+        const origLog = console.log;
+        console.log = () => { };
+        const result = runSecurityScan({ dir });
+        console.log = origLog;
+        securityFindings = result.findings.map((f) => ({
+            severity: f.severity, category: f.category,
+            message: f.message, evidence: (f.evidence || '').substring(0, 100),
+        }));
+    }
+    catch { }
+    // Eval score
+    let evalScore = null;
+    try {
+        const { evalCommand } = require('./eval');
+        // We can't easily call evalCommand and get the result, so build a lightweight score
+        const completionRate = agentEvents.filter(e => e.event === 'crew_end').length /
+            Math.max(1, agentEvents.filter(e => e.event === 'crew_start').length);
+        const errorRate = errors.length / Math.max(1, lineage.length);
+        evalScore = {
+            overall: Math.round(Math.max(0, (1 - errorRate) * completionRate * 100)),
+            grade: completionRate >= 0.9 && errorRate < 0.1 ? 'A' : completionRate >= 0.7 ? 'B' : 'C',
+            dimensions: { completion: Math.round(completionRate * 100), errorRate: Math.round((1 - errorRate) * 100) },
+        };
+    }
+    catch { }
+    // Risk classification
+    const riskFactors = [];
+    if (llmCalls.length > 0)
+        riskFactors.push('Uses AI/LLM for decision-making');
+    if (agentEvents.length > 0)
+        riskFactors.push('Autonomous agent workflow');
+    if (agentTools.length > 0)
+        riskFactors.push(`Executes ${agentTools.length} tools autonomously`);
+    if (securityFindings.filter(f => f.severity === 'critical').length > 0)
+        riskFactors.push('Critical security findings');
+    if (errors.length > 0)
+        riskFactors.push(`${errors.length} runtime errors`);
+    const riskLevel = riskFactors.length >= 3 ? 'high' : riskFactors.length >= 1 ? 'medium' : 'low';
+    // Human oversight
+    const permissionEvents = agentEvents.filter(e => e.event === 'permission_request' || (e.tool || '').toLowerCase().includes('approval'));
+    const escalationEvents = agentEvents.filter(e => e.event?.includes('error') || e.event === 'crew_error');
+    const report = {
+        meta: {
+            generatedAt: new Date().toISOString(),
+            trickleVersion: 'CLI 0.1.191',
+            framework: [...new Set(agentEvents.map(e => e.framework).filter(Boolean))].join(', ') || 'N/A',
+            dataDir: dir,
+        },
+        riskClassification: { level: riskLevel, factors: riskFactors },
+        decisionLineage: lineage,
+        dataProcessing: {
+            llmProviders: providers, modelsUsed: models,
+            totalLlmCalls: llmCalls.length, totalTokens, estimatedCost: Math.round(totalCost * 10000) / 10000,
+            toolsUsed: agentTools, mcpToolsUsed: mcpTools,
+            dataSourcesAccessed: dataSources.slice(0, 20),
+        },
+        securityFindings,
+        evalScore,
+        humanOversight: {
+            hasHumanInLoop: permissionEvents.length > 0,
+            approvalCheckpoints: permissionEvents.length,
+            escalationEvents: escalationEvents.length,
+        },
+    };
+    // Output
+    if (opts.out) {
+        fs.writeFileSync(opts.out, JSON.stringify(report, null, 2), 'utf-8');
+        console.log(chalk_1.default.green(`  Compliance report written to ${opts.out}`));
+        return;
+    }
+    if (opts.json) {
+        console.log(JSON.stringify(report, null, 2));
+        return;
+    }
+    // Pretty print
+    console.log('');
+    console.log(chalk_1.default.bold('  trickle audit --compliance'));
+    console.log(chalk_1.default.gray('  ' + '─'.repeat(60)));
+    const riskColor = riskLevel === 'high' ? chalk_1.default.red : riskLevel === 'medium' ? chalk_1.default.yellow : chalk_1.default.green;
+    console.log(`  Risk: ${riskColor(riskLevel.toUpperCase())} (${riskFactors.length} factors)`);
+    for (const f of riskFactors)
+        console.log(chalk_1.default.gray(`    • ${f}`));
+    console.log(chalk_1.default.gray('\n  ' + '─'.repeat(60)));
+    console.log(chalk_1.default.bold('  Data Processing'));
+    console.log(`  LLM providers: ${providers.join(', ') || 'none'}`);
+    console.log(`  Models: ${models.join(', ') || 'none'}`);
+    console.log(`  Calls: ${llmCalls.length}  Tokens: ${totalTokens}  Cost: $${totalCost.toFixed(4)}`);
+    console.log(`  Tools: ${agentTools.join(', ') || 'none'}`);
+    if (mcpTools.length > 0)
+        console.log(`  MCP tools: ${mcpTools.join(', ')}`);
+    console.log(chalk_1.default.gray('\n  ' + '─'.repeat(60)));
+    console.log(chalk_1.default.bold('  Decision Lineage'));
+    console.log(`  ${lineage.length} events recorded`);
+    for (const e of lineage.slice(0, 10)) {
+        const ts = new Date(e.timestamp).toISOString().substring(11, 23);
+        console.log(chalk_1.default.gray(`  ${ts}`) + ` ${e.event.padEnd(20)} ${e.description.substring(0, 60)}`);
+    }
+    if (lineage.length > 10)
+        console.log(chalk_1.default.gray(`  ... and ${lineage.length - 10} more`));
+    if (securityFindings.length > 0) {
+        console.log(chalk_1.default.gray('\n  ' + '─'.repeat(60)));
+        console.log(chalk_1.default.bold('  Security'));
+        const crit = securityFindings.filter(f => f.severity === 'critical').length;
+        const warn = securityFindings.filter(f => f.severity === 'warning').length;
+        console.log(`  ${chalk_1.default.red(String(crit))} critical, ${chalk_1.default.yellow(String(warn))} warnings`);
+    }
+    console.log(chalk_1.default.gray('\n  ' + '─'.repeat(60)));
+    console.log(chalk_1.default.bold('  Human Oversight'));
+    console.log(`  Human-in-the-loop: ${report.humanOversight.hasHumanInLoop ? chalk_1.default.green('Yes') : chalk_1.default.yellow('No')}`);
+    console.log(`  Approval checkpoints: ${report.humanOversight.approvalCheckpoints}`);
+    console.log(`  Escalation events: ${report.humanOversight.escalationEvents}`);
+    console.log(chalk_1.default.gray('\n  ' + '─'.repeat(60)));
+    console.log(chalk_1.default.gray('  Export: trickle audit --compliance --json > audit-report.json'));
+    console.log(chalk_1.default.gray('  Export: trickle audit --compliance -o audit-report.json'));
+    console.log('');
+}
+function buildAgentDescription(e) {
+    const parts = [];
+    if (e.chain)
+        parts.push(e.chain);
+    if (e.tool)
+        parts.push(`tool:${e.tool}`);
+    if (e.toolInput)
+        parts.push(`input:${String(e.toolInput).substring(0, 40)}`);
+    if (e.output)
+        parts.push(`output:${String(e.output).substring(0, 40)}`);
+    if (e.error)
+        parts.push(`error:${String(e.error).substring(0, 40)}`);
+    if (e.thought)
+        parts.push(`thought:${String(e.thought).substring(0, 40)}`);
+    return parts.join(' | ') || e.event || '?';
+}

package/dist/commands/security.d.ts

@@ -21,12 +21,7 @@ interface SecurityFinding {
 }
 export interface SecurityResult {
     findings: SecurityFinding[];
-    scanned: {
-        variables: number;
-        queries: number;
-        logs: number;
-        observations: number;
-    };
+    scanned: Record<string, number>;
     summary: {
         critical: number;
         warning: number;

package/dist/commands/security.js

@@ -154,6 +154,90 @@ function runSecurityScan(opts) {
         if (o.sampleOutput)
             findings.push(...scanValue(o.sampleOutput, 'function_output', `${o.module}.${o.functionName}`));
     }
+    // ── Agent Security: The "Lethal Trifecta" ──
+    // Scan LLM calls for prompt injection and data exfiltration
+    const llmCalls = readJsonl(path.join(trickleDir, 'llm.jsonl'));
+    for (const c of llmCalls) {
+        // Prompt injection patterns in LLM inputs
+        const input = String(c.inputPreview || '').toLowerCase();
+        const INJECTION_PATTERNS = [
+            { pattern: /ignore\s+(all\s+)?previous\s+instructions/i, name: 'Instruction override' },
+            { pattern: /you\s+are\s+now\s+a\s+/i, name: 'Role hijacking' },
+            { pattern: /system\s*:\s*you\s+are/i, name: 'System prompt injection' },
+            { pattern: /\bdo\s+not\s+follow\s+(any|the)\s+(previous|above)/i, name: 'Instruction bypass' },
+            { pattern: /forget\s+(all|everything|your)\s+(previous|prior|instructions)/i, name: 'Memory wipe attempt' },
+            { pattern: /pretend\s+you\s+(are|have)\s+(no|unrestricted)/i, name: 'Jailbreak attempt' },
+        ];
+        for (const inj of INJECTION_PATTERNS) {
+            if (inj.pattern.test(c.inputPreview || '') || inj.pattern.test(c.systemPrompt || '')) {
+                findings.push({
+                    severity: 'critical', category: 'prompt_injection',
+                    message: `${inj.name} detected in LLM input`,
+                    source: 'llm_call', location: c.model || 'unknown',
+                    evidence: (c.inputPreview || '').substring(0, 100),
+                });
+                break;
+            }
+        }
+        // Secrets in LLM outputs (data exfiltration)
+        const output = String(c.outputPreview || '');
+        if (output) {
+            const outputFindings = scanValue(output, 'llm_output', `${c.provider}/${c.model}`);
+            for (const f of outputFindings) {
+                f.category = 'data_exfiltration';
+                f.message = `LLM output contains ${f.message.toLowerCase()}`;
+                findings.push(f);
+            }
+        }
+        // Secrets in LLM inputs
+        const inputStr = String(c.inputPreview || '');
+        if (inputStr) {
+            const inputFindings = scanValue(inputStr, 'llm_input', `${c.provider}/${c.model}`);
+            for (const f of inputFindings) {
+                f.message = `Secret passed to LLM: ${f.message}`;
+                findings.push(f);
+            }
+        }
+    }
+    // Scan agent events for unauthorized tool calls
+    const agentEvents = readJsonl(path.join(trickleDir, 'agents.jsonl'));
+    const toolErrors = agentEvents.filter(e => e.event === 'tool_error');
+    const toolStarts = agentEvents.filter(e => e.event === 'tool_start');
+    // Detect privilege escalation: agent calling dangerous tools
+    const DANGEROUS_TOOLS = ['Bash', 'bash', 'shell', 'exec', 'eval', 'rm', 'sudo', 'chmod', 'kill'];
+    for (const t of toolStarts) {
+        const toolName = String(t.tool || '');
+        if (DANGEROUS_TOOLS.some(d => toolName.toLowerCase().includes(d.toLowerCase()))) {
+            // Check if tool input contains dangerous commands
+            const toolInput = String(t.toolInput || '').toLowerCase();
+            if (toolInput.includes('rm -rf') || toolInput.includes('sudo') || toolInput.includes('chmod 777') ||
+                toolInput.includes('curl') && toolInput.includes('|') || toolInput.includes('wget') && toolInput.includes('|')) {
+                findings.push({
+                    severity: 'critical', category: 'privilege_escalation',
+                    message: `Agent executed dangerous command via ${toolName}`,
+                    source: 'agent_tool', location: t.framework || 'agent',
+                    evidence: (t.toolInput || '').substring(0, 100),
+                });
+            }
+        }
+    }
+    // Scan MCP tool calls for secrets in args/responses
+    const mcpCalls = readJsonl(path.join(trickleDir, 'mcp.jsonl'));
+    for (const m of mcpCalls) {
+        if (m.args) {
+            const argsStr = typeof m.args === 'string' ? m.args : JSON.stringify(m.args);
+            const argsFindings = scanValue(argsStr, 'mcp_tool_args', `MCP: ${m.tool}`);
+            findings.push(...argsFindings);
+        }
+        if (m.resultPreview) {
+            const resultFindings = scanValue(m.resultPreview, 'mcp_tool_result', `MCP: ${m.tool}`);
+            for (const f of resultFindings) {
+                f.category = 'data_exfiltration';
+                f.message = `MCP tool response contains ${f.message.toLowerCase()}`;
+                findings.push(f);
+            }
+        }
+    }
     // Deduplicate
     const seen = new Set();
     const deduped = findings.filter(f => {
@@ -168,6 +252,9 @@ function runSecurityScan(opts) {
         warning: deduped.filter(f => f.severity === 'warning').length,
         info: deduped.filter(f => f.severity === 'info').length,
     };
+    scanned.llmCalls = llmCalls.length;
+    scanned.agentEvents = agentEvents.length;
+    scanned.mcpCalls = mcpCalls.length;
     const result = { findings: deduped, scanned, summary };
     if (opts?.json) {
         console.log(JSON.stringify(result, null, 2));
@@ -177,7 +264,14 @@ function runSecurityScan(opts) {
     console.log('');
     console.log(chalk_1.default.bold('  trickle security'));
     console.log(chalk_1.default.gray('  ' + '─'.repeat(50)));
-    console.log(chalk_1.default.gray(`  Scanned: ${scanned.variables} vars, ${scanned.queries} queries, ${scanned.logs} logs, ${scanned.observations} functions`));
+    const scanParts = [`${scanned.variables} vars`, `${scanned.queries} queries`, `${scanned.logs} logs`, `${scanned.observations} functions`];
+    if (scanned.llmCalls)
+        scanParts.push(`${scanned.llmCalls} LLM calls`);
+    if (scanned.agentEvents)
+        scanParts.push(`${scanned.agentEvents} agent events`);
+    if (scanned.mcpCalls)
+        scanParts.push(`${scanned.mcpCalls} MCP calls`);
+    console.log(chalk_1.default.gray(`  Scanned: ${scanParts.join(', ')}`));
     if (deduped.length === 0) {
         console.log(chalk_1.default.green('  No security issues found. ✓'));
     }

package/dist/index.js

@@ -396,8 +396,15 @@ program
     .option("--json", "Output raw JSON (for CI integration)")
     .option("--fail-on-error", "Exit 1 if any errors are found")
     .option("--fail-on-warning", "Exit 1 if any errors or warnings are found")
+    .option("--compliance", "Generate compliance audit report (EU AI Act / Colorado AI Act)")
+    .option("-o, --out <file>", "Write compliance report to file")
     .option("--local", "Read from local .trickle/observations.jsonl instead of backend")
     .action(async (opts) => {
+    if (opts.compliance) {
+        const { generateComplianceReport } = await Promise.resolve().then(() => __importStar(require("./commands/compliance")));
+        generateComplianceReport({ json: opts.json, out: opts.out });
+        return;
+    }
     await (0, audit_1.auditCommand)(opts);
 });
 // trickle capture <method> <url>

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "trickle-cli",
-  "version": "0.1.190",
+  "version": "0.1.192",
   "description": "CLI for trickle runtime type observability",
   "bin": {
     "trickle": "dist/index.js"

package/src/commands/compliance.ts

@@ -0,0 +1,262 @@
+/**
+ * trickle audit --compliance — Generate compliance audit report.
+ *
+ * Exports trickle's JSONL data as a structured compliance report for
+ * EU AI Act and Colorado AI Act requirements:
+ * - Decision lineage (LLM call → tool call → output)
+ * - Timestamped event log
+ * - Risk classification
+ * - Security scan results
+ * - Data processing summary
+ *
+ * Local-first: sensitive audit data never leaves the developer's machine.
+ */
+
+import * as fs from 'fs';
+import * as path from 'path';
+import chalk from 'chalk';
+
+function readJsonl(fp: string): any[] {
+  if (!fs.existsSync(fp)) return [];
+  return fs.readFileSync(fp, 'utf-8').split('\n').filter(Boolean)
+    .map(l => { try { return JSON.parse(l); } catch { return null; } }).filter(Boolean);
+}
+
+interface ComplianceReport {
+  meta: {
+    generatedAt: string;
+    trickleVersion: string;
+    framework: string;
+    dataDir: string;
+  };
+  riskClassification: {
+    level: 'high' | 'medium' | 'low';
+    factors: string[];
+  };
+  decisionLineage: Array<{
+    timestamp: number;
+    event: string;
+    description: string;
+    data?: Record<string, unknown>;
+  }>;
+  dataProcessing: {
+    llmProviders: string[];
+    modelsUsed: string[];
+    totalLlmCalls: number;
+    totalTokens: number;
+    estimatedCost: number;
+    toolsUsed: string[];
+    mcpToolsUsed: string[];
+    dataSourcesAccessed: string[];
+  };
+  securityFindings: Array<{
+    severity: string;
+    category: string;
+    message: string;
+    evidence: string;
+  }>;
+  evalScore: {
+    overall: number;
+    grade: string;
+    dimensions: Record<string, number>;
+  } | null;
+  humanOversight: {
+    hasHumanInLoop: boolean;
+    approvalCheckpoints: number;
+    escalationEvents: number;
+  };
+}
+
+export function generateComplianceReport(opts: { json?: boolean; out?: string }): void {
+  const dir = process.env.TRICKLE_LOCAL_DIR || path.join(process.cwd(), '.trickle');
+
+  if (!fs.existsSync(dir)) {
+    console.log(chalk.yellow('  No .trickle/ data. Run trickle first.'));
+    return;
+  }
+
+  const llmCalls = readJsonl(path.join(dir, 'llm.jsonl'));
+  const agentEvents = readJsonl(path.join(dir, 'agents.jsonl'));
+  const mcpCalls = readJsonl(path.join(dir, 'mcp.jsonl'));
+  const errors = readJsonl(path.join(dir, 'errors.jsonl'));
+  const observations = readJsonl(path.join(dir, 'observations.jsonl'));
+  const calltrace = readJsonl(path.join(dir, 'calltrace.jsonl'));
+
+  // Build decision lineage — chronological event log
+  const lineage: ComplianceReport['decisionLineage'] = [];
+
+  for (const e of agentEvents) {
+    lineage.push({
+      timestamp: e.timestamp || 0,
+      event: `agent:${e.event}`,
+      description: buildAgentDescription(e),
+      data: { framework: e.framework, tool: e.tool, chain: e.chain },
+    });
+  }
+
+  for (const c of llmCalls) {
+    lineage.push({
+      timestamp: c.timestamp || 0,
+      event: 'llm:call',
+      description: `${c.provider}/${c.model}: ${(c.inputPreview || '').substring(0, 80)} → ${(c.outputPreview || '').substring(0, 80)}`,
+      data: { model: c.model, tokens: c.totalTokens, cost: c.estimatedCostUsd, error: c.error },
+    });
+  }
+
+  for (const m of mcpCalls) {
+    if (m.tool === '__list_tools') continue;
+    lineage.push({
+      timestamp: m.timestamp || 0,
+      event: `mcp:${m.direction}`,
+      description: `${m.tool}(${JSON.stringify(m.args || {}).substring(0, 60)}) → ${(m.resultPreview || '').substring(0, 60)}`,
+      data: { tool: m.tool, direction: m.direction, isError: m.isError },
+    });
+  }
+
+  lineage.sort((a, b) => a.timestamp - b.timestamp);
+
+  // Data processing summary
+  const providers = [...new Set(llmCalls.map(c => c.provider).filter(Boolean))];
+  const models = [...new Set(llmCalls.map(c => `${c.provider}/${c.model}`).filter(Boolean))];
+  const totalTokens = llmCalls.reduce((s: number, c: any) => s + (c.totalTokens || 0), 0);
+  const totalCost = llmCalls.reduce((s: number, c: any) => s + (c.estimatedCostUsd || 0), 0);
+  const agentTools = [...new Set(agentEvents.filter(e => e.tool).map(e => e.tool))];
+  const mcpTools = [...new Set(mcpCalls.filter(c => c.tool && c.tool !== '__list_tools').map(c => c.tool))];
+  const dataSources = [...new Set(observations.map(o => o.module).filter(Boolean))];
+
+  // Security scan
+  let securityFindings: ComplianceReport['securityFindings'] = [];
+  try {
+    const { runSecurityScan } = require('./security');
+    const origLog = console.log;
+    console.log = () => {};
+    const result = runSecurityScan({ dir });
+    console.log = origLog;
+    securityFindings = result.findings.map((f: any) => ({
+      severity: f.severity, category: f.category,
+      message: f.message, evidence: (f.evidence || '').substring(0, 100),
+    }));
+  } catch {}
+
+  // Eval score
+  let evalScore: ComplianceReport['evalScore'] = null;
+  try {
+    const { evalCommand } = require('./eval');
+    // We can't easily call evalCommand and get the result, so build a lightweight score
+    const completionRate = agentEvents.filter(e => e.event === 'crew_end').length /
+      Math.max(1, agentEvents.filter(e => e.event === 'crew_start').length);
+    const errorRate = errors.length / Math.max(1, lineage.length);
+    evalScore = {
+      overall: Math.round(Math.max(0, (1 - errorRate) * completionRate * 100)),
+      grade: completionRate >= 0.9 && errorRate < 0.1 ? 'A' : completionRate >= 0.7 ? 'B' : 'C',
+      dimensions: { completion: Math.round(completionRate * 100), errorRate: Math.round((1 - errorRate) * 100) },
+    };
+  } catch {}
+
+  // Risk classification
+  const riskFactors: string[] = [];
+  if (llmCalls.length > 0) riskFactors.push('Uses AI/LLM for decision-making');
+  if (agentEvents.length > 0) riskFactors.push('Autonomous agent workflow');
+  if (agentTools.length > 0) riskFactors.push(`Executes ${agentTools.length} tools autonomously`);
+  if (securityFindings.filter(f => f.severity === 'critical').length > 0) riskFactors.push('Critical security findings');
+  if (errors.length > 0) riskFactors.push(`${errors.length} runtime errors`);
+  const riskLevel: 'high' | 'medium' | 'low' = riskFactors.length >= 3 ? 'high' : riskFactors.length >= 1 ? 'medium' : 'low';
+
+  // Human oversight
+  const permissionEvents = agentEvents.filter(e =>
+    e.event === 'permission_request' || (e.tool || '').toLowerCase().includes('approval'));
+  const escalationEvents = agentEvents.filter(e =>
+    e.event?.includes('error') || e.event === 'crew_error');
+
+  const report: ComplianceReport = {
+    meta: {
+      generatedAt: new Date().toISOString(),
+      trickleVersion: 'CLI 0.1.191',
+      framework: [...new Set(agentEvents.map(e => e.framework).filter(Boolean))].join(', ') || 'N/A',
+      dataDir: dir,
+    },
+    riskClassification: { level: riskLevel, factors: riskFactors },
+    decisionLineage: lineage,
+    dataProcessing: {
+      llmProviders: providers, modelsUsed: models,
+      totalLlmCalls: llmCalls.length, totalTokens, estimatedCost: Math.round(totalCost * 10000) / 10000,
+      toolsUsed: agentTools, mcpToolsUsed: mcpTools,
+      dataSourcesAccessed: dataSources.slice(0, 20),
+    },
+    securityFindings,
+    evalScore,
+    humanOversight: {
+      hasHumanInLoop: permissionEvents.length > 0,
+      approvalCheckpoints: permissionEvents.length,
+      escalationEvents: escalationEvents.length,
+    },
+  };
+
+  // Output
+  if (opts.out) {
+    fs.writeFileSync(opts.out, JSON.stringify(report, null, 2), 'utf-8');
+    console.log(chalk.green(`  Compliance report written to ${opts.out}`));
+    return;
+  }
+
+  if (opts.json) {
+    console.log(JSON.stringify(report, null, 2));
+    return;
+  }
+
+  // Pretty print
+  console.log('');
+  console.log(chalk.bold('  trickle audit --compliance'));
+  console.log(chalk.gray('  ' + '─'.repeat(60)));
+
+  const riskColor = riskLevel === 'high' ? chalk.red : riskLevel === 'medium' ? chalk.yellow : chalk.green;
+  console.log(`  Risk: ${riskColor(riskLevel.toUpperCase())} (${riskFactors.length} factors)`);
+  for (const f of riskFactors) console.log(chalk.gray(`    • ${f}`));
+
+  console.log(chalk.gray('\n  ' + '─'.repeat(60)));
+  console.log(chalk.bold('  Data Processing'));
+  console.log(`  LLM providers: ${providers.join(', ') || 'none'}`);
+  console.log(`  Models: ${models.join(', ') || 'none'}`);
+  console.log(`  Calls: ${llmCalls.length}  Tokens: ${totalTokens}  Cost: $${totalCost.toFixed(4)}`);
+  console.log(`  Tools: ${agentTools.join(', ') || 'none'}`);
+  if (mcpTools.length > 0) console.log(`  MCP tools: ${mcpTools.join(', ')}`);
+
+  console.log(chalk.gray('\n  ' + '─'.repeat(60)));
+  console.log(chalk.bold('  Decision Lineage'));
+  console.log(`  ${lineage.length} events recorded`);
+  for (const e of lineage.slice(0, 10)) {
+    const ts = new Date(e.timestamp).toISOString().substring(11, 23);
+    console.log(chalk.gray(`  ${ts}`) + ` ${e.event.padEnd(20)} ${e.description.substring(0, 60)}`);
+  }
+  if (lineage.length > 10) console.log(chalk.gray(`  ... and ${lineage.length - 10} more`));
+
+  if (securityFindings.length > 0) {
+    console.log(chalk.gray('\n  ' + '─'.repeat(60)));
+    console.log(chalk.bold('  Security'));
+    const crit = securityFindings.filter(f => f.severity === 'critical').length;
+    const warn = securityFindings.filter(f => f.severity === 'warning').length;
+    console.log(`  ${chalk.red(String(crit))} critical, ${chalk.yellow(String(warn))} warnings`);
+  }
+
+  console.log(chalk.gray('\n  ' + '─'.repeat(60)));
+  console.log(chalk.bold('  Human Oversight'));
+  console.log(`  Human-in-the-loop: ${report.humanOversight.hasHumanInLoop ? chalk.green('Yes') : chalk.yellow('No')}`);
+  console.log(`  Approval checkpoints: ${report.humanOversight.approvalCheckpoints}`);
+  console.log(`  Escalation events: ${report.humanOversight.escalationEvents}`);
+
+  console.log(chalk.gray('\n  ' + '─'.repeat(60)));
+  console.log(chalk.gray('  Export: trickle audit --compliance --json > audit-report.json'));
+  console.log(chalk.gray('  Export: trickle audit --compliance -o audit-report.json'));
+  console.log('');
+}
+
+function buildAgentDescription(e: any): string {
+  const parts: string[] = [];
+  if (e.chain) parts.push(e.chain);
+  if (e.tool) parts.push(`tool:${e.tool}`);
+  if (e.toolInput) parts.push(`input:${String(e.toolInput).substring(0, 40)}`);
+  if (e.output) parts.push(`output:${String(e.output).substring(0, 40)}`);
+  if (e.error) parts.push(`error:${String(e.error).substring(0, 40)}`);
+  if (e.thought) parts.push(`thought:${String(e.thought).substring(0, 40)}`);
+  return parts.join(' | ') || e.event || '?';
+}

package/src/commands/security.ts

@@ -82,14 +82,14 @@ function scanValue(value: unknown, source: string, location: string): SecurityFi
 
 export interface SecurityResult {
   findings: SecurityFinding[];
-  scanned: { variables: number; queries: number; logs: number; observations: number };
+  scanned: Record<string, number>;
   summary: { critical: number; warning: number; info: number };
 }
 
 export function runSecurityScan(opts?: { dir?: string; json?: boolean }): SecurityResult {
   const trickleDir = opts?.dir || process.env.TRICKLE_LOCAL_DIR || path.join(process.cwd(), '.trickle');
   const findings: SecurityFinding[] = [];
-  const scanned = { variables: 0, queries: 0, logs: 0, observations: 0 };
+  const scanned: Record<string, number> = { variables: 0, queries: 0, logs: 0, observations: 0 };
 
   // Scan variables
   const variables = readJsonl(path.join(trickleDir, 'variables.jsonl'));
@@ -133,6 +133,97 @@ export function runSecurityScan(opts?: { dir?: string; json?: boolean }): Securi
     if (o.sampleOutput) findings.push(...scanValue(o.sampleOutput, 'function_output', `${o.module}.${o.functionName}`));
   }
 
+  // ── Agent Security: The "Lethal Trifecta" ──
+
+  // Scan LLM calls for prompt injection and data exfiltration
+  const llmCalls = readJsonl(path.join(trickleDir, 'llm.jsonl'));
+  for (const c of llmCalls) {
+    // Prompt injection patterns in LLM inputs
+    const input = String(c.inputPreview || '').toLowerCase();
+    const INJECTION_PATTERNS = [
+      { pattern: /ignore\s+(all\s+)?previous\s+instructions/i, name: 'Instruction override' },
+      { pattern: /you\s+are\s+now\s+a\s+/i, name: 'Role hijacking' },
+      { pattern: /system\s*:\s*you\s+are/i, name: 'System prompt injection' },
+      { pattern: /\bdo\s+not\s+follow\s+(any|the)\s+(previous|above)/i, name: 'Instruction bypass' },
+      { pattern: /forget\s+(all|everything|your)\s+(previous|prior|instructions)/i, name: 'Memory wipe attempt' },
+      { pattern: /pretend\s+you\s+(are|have)\s+(no|unrestricted)/i, name: 'Jailbreak attempt' },
+    ];
+    for (const inj of INJECTION_PATTERNS) {
+      if (inj.pattern.test(c.inputPreview || '') || inj.pattern.test(c.systemPrompt || '')) {
+        findings.push({
+          severity: 'critical', category: 'prompt_injection',
+          message: `${inj.name} detected in LLM input`,
+          source: 'llm_call', location: c.model || 'unknown',
+          evidence: (c.inputPreview || '').substring(0, 100),
+        });
+        break;
+      }
+    }
+
+    // Secrets in LLM outputs (data exfiltration)
+    const output = String(c.outputPreview || '');
+    if (output) {
+      const outputFindings = scanValue(output, 'llm_output', `${c.provider}/${c.model}`);
+      for (const f of outputFindings) {
+        f.category = 'data_exfiltration';
+        f.message = `LLM output contains ${f.message.toLowerCase()}`;
+        findings.push(f);
+      }
+    }
+
+    // Secrets in LLM inputs
+    const inputStr = String(c.inputPreview || '');
+    if (inputStr) {
+      const inputFindings = scanValue(inputStr, 'llm_input', `${c.provider}/${c.model}`);
+      for (const f of inputFindings) {
+        f.message = `Secret passed to LLM: ${f.message}`;
+        findings.push(f);
+      }
+    }
+  }
+
+  // Scan agent events for unauthorized tool calls
+  const agentEvents = readJsonl(path.join(trickleDir, 'agents.jsonl'));
+  const toolErrors = agentEvents.filter(e => e.event === 'tool_error');
+  const toolStarts = agentEvents.filter(e => e.event === 'tool_start');
+
+  // Detect privilege escalation: agent calling dangerous tools
+  const DANGEROUS_TOOLS = ['Bash', 'bash', 'shell', 'exec', 'eval', 'rm', 'sudo', 'chmod', 'kill'];
+  for (const t of toolStarts) {
+    const toolName = String(t.tool || '');
+    if (DANGEROUS_TOOLS.some(d => toolName.toLowerCase().includes(d.toLowerCase()))) {
+      // Check if tool input contains dangerous commands
+      const toolInput = String(t.toolInput || '').toLowerCase();
+      if (toolInput.includes('rm -rf') || toolInput.includes('sudo') || toolInput.includes('chmod 777') ||
+          toolInput.includes('curl') && toolInput.includes('|') || toolInput.includes('wget') && toolInput.includes('|')) {
+        findings.push({
+          severity: 'critical', category: 'privilege_escalation',
+          message: `Agent executed dangerous command via ${toolName}`,
+          source: 'agent_tool', location: t.framework || 'agent',
+          evidence: (t.toolInput || '').substring(0, 100),
+        });
+      }
+    }
+  }
+
+  // Scan MCP tool calls for secrets in args/responses
+  const mcpCalls = readJsonl(path.join(trickleDir, 'mcp.jsonl'));
+  for (const m of mcpCalls) {
+    if (m.args) {
+      const argsStr = typeof m.args === 'string' ? m.args : JSON.stringify(m.args);
+      const argsFindings = scanValue(argsStr, 'mcp_tool_args', `MCP: ${m.tool}`);
+      findings.push(...argsFindings);
+    }
+    if (m.resultPreview) {
+      const resultFindings = scanValue(m.resultPreview, 'mcp_tool_result', `MCP: ${m.tool}`);
+      for (const f of resultFindings) {
+        f.category = 'data_exfiltration';
+        f.message = `MCP tool response contains ${f.message.toLowerCase()}`;
+        findings.push(f);
+      }
+    }
+  }
+
   // Deduplicate
   const seen = new Set<string>();
   const deduped = findings.filter(f => {
@@ -148,6 +239,9 @@ export function runSecurityScan(opts?: { dir?: string; json?: boolean }): Securi
     info: deduped.filter(f => f.severity === 'info').length,
   };
 
+  scanned.llmCalls = llmCalls.length;
+  scanned.agentEvents = agentEvents.length;
+  scanned.mcpCalls = mcpCalls.length;
   const result: SecurityResult = { findings: deduped, scanned, summary };
 
   if (opts?.json) {
@@ -159,7 +253,11 @@ export function runSecurityScan(opts?: { dir?: string; json?: boolean }): Securi
   console.log('');
   console.log(chalk.bold('  trickle security'));
   console.log(chalk.gray('  ' + '─'.repeat(50)));
-  console.log(chalk.gray(`  Scanned: ${scanned.variables} vars, ${scanned.queries} queries, ${scanned.logs} logs, ${scanned.observations} functions`));
+  const scanParts = [`${scanned.variables} vars`, `${scanned.queries} queries`, `${scanned.logs} logs`, `${scanned.observations} functions`];
+  if (scanned.llmCalls) scanParts.push(`${scanned.llmCalls} LLM calls`);
+  if (scanned.agentEvents) scanParts.push(`${scanned.agentEvents} agent events`);
+  if (scanned.mcpCalls) scanParts.push(`${scanned.mcpCalls} MCP calls`);
+  console.log(chalk.gray(`  Scanned: ${scanParts.join(', ')}`));
 
   if (deduped.length === 0) {
     console.log(chalk.green('  No security issues found. ✓'));

package/src/index.ts

@@ -384,8 +384,15 @@ program
   .option("--json", "Output raw JSON (for CI integration)")
   .option("--fail-on-error", "Exit 1 if any errors are found")
   .option("--fail-on-warning", "Exit 1 if any errors or warnings are found")
+  .option("--compliance", "Generate compliance audit report (EU AI Act / Colorado AI Act)")
+  .option("-o, --out <file>", "Write compliance report to file")
   .option("--local", "Read from local .trickle/observations.jsonl instead of backend")
   .action(async (opts) => {
+    if (opts.compliance) {
+      const { generateComplianceReport } = await import("./commands/compliance");
+      generateComplianceReport({ json: opts.json, out: opts.out });
+      return;
+    }
     await auditCommand(opts);
   });