aigis-cli 1.0.0__py3-none-any.whl

aigis_cli/SKILL.md

@@ -0,0 +1,74 @@
+---
+name: aigis
+description: AI governance skill for coding agents. Provides framework-aligned security and compliance patterns from NIST AI RMF, OWASP Top 10 for LLMs, and ISO/IEC 42001. Use before building any AI/LLM feature or when auditing existing AI systems.
+---
+
+# Aigis — AI Governance Skill
+
+Use the aigis CLI for governance patterns when building or auditing AI/LLM features.
+
+## Quick start — new feature
+\`\`\`bash
+# 1. Classify your system to get relevant controls
+aigis classify --traits uses-llm,accepts-user-input,processes-pii,is-external --json
+
+# 2. Fetch implementation patterns for each recommended file
+aigis get input-validation pii-handling prompt-security audit-logging
+
+# 3. Write code applying the patterns from the fetched files
+
+# 4. After writing code, run verification
+aigis verify input-validation pii-handling prompt-security audit-logging
+
+# 5. If risk tier is HIGH or MEDIUM, generate compliance docs
+aigis template ai-impact-assessment intended-purpose-doc
+\`\`\`
+
+## Quick start — audit existing project
+\`\`\`bash
+# 1. Get the structured audit scan prompt
+aigis audit --scan
+
+# 2. Follow the scan instructions: inventory the project, detect traits, classify
+
+# 3. Run the full audit with detected traits
+aigis audit --traits uses-llm,processes-pii,is-external
+
+# 4. Evaluate existing code against each check, produce gap report
+\`\`\`
+
+## When to use
+- Before writing any LLM API call or AI feature (new code)
+- When auditing an existing AI system for governance gaps (existing code)
+- Before processing any sensitive data through an AI system
+- Before deploying any AI feature to production
+- When onboarding to a new AI project to understand what controls exist
+
+## Commands
+- \`aigis classify --traits <comma-separated>\` — get risk tier and relevant files
+- \`aigis classify "<description>"\` — same, using natural language (keyword matching)
+- \`aigis get <file-id> [file-id...]\` — fetch implementation patterns (one or more)
+- \`aigis get <file-id> --lang py|js\` — fetch filtered to one language
+- \`aigis verify <file-id> [file-id...]\` — fetch verification checklists
+- \`aigis template <template-id> [template-id...]\` — fetch compliance documentation templates
+- \`aigis audit --scan\` — get structured audit prompt for scanning existing codebases
+- \`aigis audit --traits <comma-separated>\` — get bundled classification + all checklists for audit
+- \`aigis search <query>\` — search across all content by keyword or control ID
+- \`aigis search --list\` — list all available files
+- \`aigis annotate <file-id> "<note>"\` — attach a local note for future sessions
+- \`aigis annotate --list\` — list all annotations
+- \`aigis init cursor|claude-code|windsurf|copilot\` — set up aigis for your IDE
+
+## Available traits (22)
+AI architecture: uses-llm, uses-rag, uses-finetuned, uses-thirdparty-api, is-agentic, is-multimodal
+Data sensitivity: processes-pii, handles-financial, handles-health, handles-proprietary, handles-minors
+Impact scope: influences-decisions, accepts-user-input, is-external, is-internal, is-high-volume
+Output type: generates-code, generates-content, multi-model-pipeline
+Jurisdiction: jurisdiction-eu, jurisdiction-us-regulated, jurisdiction-global
+
+## Integration
+- Claude Code: place this file in ~/.claude/skills/aigis/SKILL.md
+- Cursor: run \`aigis init cursor\` in your project root
+- Windsurf: run \`aigis init windsurf\` in your project root
+- GitHub Copilot: run \`aigis init copilot\` in your project root
+- Any agent: include aigis usage instructions in system prompt

aigis_cli/__init__.py

@@ -0,0 +1,3 @@
+"""aigis-cli: AI governance guardrails for coding agents."""
+
+__version__ = "1.0.0"

aigis_cli/annotate.py

@@ -0,0 +1,45 @@
+from __future__ import annotations
+
+import json
+from datetime import date
+from pathlib import Path
+
+AIGIS_DIR = Path.home() / ".aigis"
+ANNOTATIONS_FILE = AIGIS_DIR / "annotations.json"
+
+
+def _load_annotations() -> dict:
+    if not ANNOTATIONS_FILE.exists():
+        return {}
+    try:
+        return json.loads(ANNOTATIONS_FILE.read_text(encoding="utf-8"))
+    except (json.JSONDecodeError, OSError):
+        return {}
+
+
+def _save_annotations(data: dict) -> None:
+    AIGIS_DIR.mkdir(parents=True, exist_ok=True)
+    ANNOTATIONS_FILE.write_text(json.dumps(data, indent=2), encoding="utf-8")
+
+
+def annotate(file_id: str, note: str) -> None:
+    data = _load_annotations()
+    data.setdefault(file_id, []).append({
+        "note": note,
+        "date": date.today().isoformat(),
+    })
+    _save_annotations(data)
+
+
+def get_annotations(file_id: str) -> list[dict]:
+    return _load_annotations().get(file_id, [])
+
+
+def list_annotations() -> dict:
+    return _load_annotations()
+
+
+def clear_annotation(file_id: str) -> None:
+    data = _load_annotations()
+    data.pop(file_id, None)
+    _save_annotations(data)

aigis_cli/classify.py

@@ -0,0 +1,192 @@
+from __future__ import annotations
+
+ALL_TRAITS = [
+    "uses-llm", "uses-rag", "uses-finetuned", "uses-thirdparty-api", "is-agentic", "is-multimodal",
+    "processes-pii", "handles-financial", "handles-health", "handles-proprietary", "handles-minors",
+    "influences-decisions", "accepts-user-input", "is-external", "is-internal", "is-high-volume",
+    "generates-code", "generates-content", "multi-model-pipeline",
+    "jurisdiction-eu", "jurisdiction-us-regulated", "jurisdiction-global",
+]
+
+TRAIT_FILES: dict[str, list[str]] = {
+    "uses-llm": ["input-validation", "output-sanitization", "prompt-security", "audit-logging", "monitoring"],
+    "uses-rag": ["rag-security", "data-integrity"],
+    "uses-finetuned": ["data-integrity", "supply-chain"],
+    "uses-thirdparty-api": ["supply-chain"],
+    "is-agentic": ["human-oversight", "rate-limiting", "fallback-patterns", "audit-logging"],
+    "is-multimodal": ["input-validation", "output-sanitization", "pii-handling"],
+    "processes-pii": ["pii-handling", "audit-logging"],
+    "handles-financial": ["pii-handling", "audit-logging", "bias-monitoring"],
+    "handles-health": ["pii-handling", "audit-logging", "bias-monitoring", "explainability"],
+    "handles-proprietary": ["pii-handling", "prompt-security"],
+    "handles-minors": ["pii-handling", "bias-monitoring", "human-oversight"],
+    "influences-decisions": ["bias-monitoring", "confidence-scoring", "human-oversight", "explainability"],
+    "accepts-user-input": ["input-validation", "output-sanitization"],
+    "is-external": ["rate-limiting", "confidence-scoring"],
+    "is-internal": [],
+    "is-high-volume": ["rate-limiting", "monitoring", "fallback-patterns"],
+    "generates-code": ["output-sanitization", "human-oversight", "fallback-patterns"],
+    "generates-content": ["confidence-scoring", "bias-monitoring", "audit-logging"],
+    "multi-model-pipeline": ["audit-logging", "monitoring", "fallback-patterns", "data-integrity"],
+    "jurisdiction-eu": [],
+    "jurisdiction-us-regulated": [],
+    "jurisdiction-global": [],
+}
+
+FILE_CONTROLS: dict[str, dict[str, list[str]]] = {
+    "input-validation": {"owasp": ["LLM01"], "nist": ["MEASURE-2.7", "MANAGE-1.3"], "iso": ["Clause-8.2", "Annex-A.6"]},
+    "output-sanitization": {"owasp": ["LLM05"], "nist": ["MEASURE-2.6", "MEASURE-2.7"], "iso": ["Clause-8.2"]},
+    "pii-handling": {"owasp": ["LLM02"], "nist": ["MAP-2.1", "MEASURE-2.10"], "iso": ["Annex-A.7", "Annex-A.4"]},
+    "prompt-security": {"owasp": ["LLM07"], "nist": ["MEASURE-2.7", "MEASURE-2.8"], "iso": ["Clause-8.2"]},
+    "human-oversight": {"owasp": ["LLM06"], "nist": ["MAP-3.5", "MANAGE-1.3", "MANAGE-4.1"], "iso": ["Annex-A.9", "Clause-8.4"]},
+    "supply-chain": {"owasp": ["LLM03"], "nist": ["GOVERN-6.1", "GOVERN-6.2", "MANAGE-3.1", "MANAGE-3.2"], "iso": ["Annex-A.10"]},
+    "data-integrity": {"owasp": ["LLM04"], "nist": ["MAP-2.3", "MEASURE-2.6"], "iso": ["Annex-A.7"]},
+    "rag-security": {"owasp": ["LLM08"], "nist": ["MEASURE-2.7"], "iso": ["Clause-8.2", "Annex-A.7"]},
+    "confidence-scoring": {"owasp": ["LLM09"], "nist": ["MAP-2.2", "MEASURE-2.5", "MEASURE-2.9"], "iso": ["Annex-A.8"]},
+    "rate-limiting": {"owasp": ["LLM10"], "nist": ["MEASURE-2.6", "MANAGE-2.4"], "iso": ["Clause-8.2"]},
+    "audit-logging": {"owasp": [], "nist": ["MEASURE-2.8", "MANAGE-4.1", "MANAGE-4.3"], "iso": ["Clause-9.1", "Annex-A.6"]},
+    "bias-monitoring": {"owasp": [], "nist": ["MAP-2.3", "MEASURE-2.11", "MEASURE-3.1"], "iso": ["Clause-6.1", "Annex-C"]},
+    "fallback-patterns": {"owasp": [], "nist": ["MEASURE-2.6", "MANAGE-2.3", "MANAGE-2.4"], "iso": ["Clause-8.2"]},
+    "monitoring": {"owasp": [], "nist": ["MEASURE-2.4", "MEASURE-3.1", "MANAGE-4.1", "MANAGE-4.2"], "iso": ["Clause-9.1", "Clause-10"]},
+    "explainability": {"owasp": [], "nist": ["MEASURE-2.8", "MEASURE-2.9"], "iso": ["Annex-A.8", "Clause-7.4"]},
+}
+
+
+def classify(trait_list: list[str]) -> dict:
+    ts = set(trait_list)
+    warnings: list[str] = []
+
+    invalid = [t for t in trait_list if t not in ALL_TRAITS]
+    if invalid:
+        raise ValueError(
+            f'Unknown traits: {", ".join(invalid)}. Run "aigis traits" to see available traits.'
+        )
+
+    # Constraint C1: is-internal + is-external
+    if "is-internal" in ts and "is-external" in ts:
+        warnings.append("Both is-internal and is-external selected. Treating as is-external (stricter).")
+        ts.discard("is-internal")
+
+    # Step 1: trait-based file selection
+    files: set[str] = set()
+    for t in ts:
+        for f in TRAIT_FILES.get(t, []):
+            files.add(f)
+
+    # Step 2: risk tier
+    sens_data = bool(
+        ts & {"processes-pii", "handles-financial", "handles-health", "handles-proprietary", "handles-minors"}
+    )
+
+    tier = "LOW"
+    reason = "no high/medium triggers"
+
+    if "influences-decisions" in ts:
+        tier, reason = "HIGH", "influences-decisions"
+    elif "handles-health" in ts:
+        tier, reason = "HIGH", "handles-health"
+    elif "handles-financial" in ts and "accepts-user-input" in ts:
+        tier, reason = "HIGH", "handles-financial + accepts-user-input"
+    elif "handles-minors" in ts:
+        tier, reason = "HIGH", "handles-minors"
+    elif ("jurisdiction-eu" in ts or "jurisdiction-global" in ts) and sens_data:
+        tier, reason = "HIGH", "jurisdiction-eu + sensitive data"
+    elif "generates-code" in ts and "is-external" in ts:
+        tier, reason = "HIGH", "generates-code + is-external"
+    elif "generates-code" in ts and "is-agentic" in ts:
+        tier, reason = "HIGH", "generates-code + is-agentic"
+    elif "processes-pii" in ts:
+        tier, reason = "MEDIUM", "processes-pii"
+    elif "is-external" in ts:
+        tier, reason = "MEDIUM", "is-external"
+    elif "is-agentic" in ts:
+        tier, reason = "MEDIUM", "is-agentic"
+    elif "handles-proprietary" in ts:
+        tier, reason = "MEDIUM", "handles-proprietary"
+    elif "generates-content" in ts:
+        tier, reason = "MEDIUM", "generates-content"
+    elif "multi-model-pipeline" in ts:
+        tier, reason = "MEDIUM", "multi-model-pipeline"
+    elif "jurisdiction-us-regulated" in ts:
+        tier, reason = "MEDIUM", "jurisdiction-us-regulated"
+    elif "generates-code" in ts:
+        tier, reason = "MEDIUM", "generates-code"
+
+    # Jurisdiction modifier
+    if ("jurisdiction-eu" in ts or "jurisdiction-global" in ts) and tier != "HIGH":
+        old_tier = tier
+        tier = "MEDIUM" if tier == "LOW" else "HIGH"
+        reason += f" (elevated from {old_tier} by EU/global jurisdiction)"
+
+    # Step 3: guardrails
+    guardrails_fired: list[dict] = []
+
+    # G12 removal guardrail fires first
+    if "uses-llm" in ts and "uses-thirdparty-api" not in ts and "supply-chain" in files:
+        files.discard("supply-chain")
+        guardrails_fired.append({
+            "id": "G12",
+            "action": "REMOVE supply-chain",
+            "rationale": "Self-hosted models skip third-party controls",
+        })
+
+    guardrails = [
+        ("G1", lambda: sens_data and "audit-logging" not in files, "audit-logging", "Sensitive data requires traceability"),
+        ("G2", lambda: "handles-health" in ts and "bias-monitoring" not in files, "bias-monitoring", "Health data has demographic bias risks"),
+        ("G3", lambda: "handles-financial" in ts and "influences-decisions" in ts and "fallback-patterns" not in files, "fallback-patterns", "Financial decisions need safe failure"),
+        ("G4", lambda: "is-agentic" in ts and "human-oversight" not in files, "human-oversight", "Autonomous systems need oversight"),
+        ("G5", lambda: "generates-code" in ts and "output-sanitization" not in files, "output-sanitization", "Generated code is execution risk"),
+        ("G6", lambda: "jurisdiction-eu" in ts and "explainability" not in files, "explainability", "EU AI Act requires explainability"),
+        ("G7", lambda: "jurisdiction-eu" in ts and "bias-monitoring" not in files, "bias-monitoring", "EU AI Act mandates non-discrimination"),
+        ("G8", lambda: "handles-minors" in ts and "human-oversight" not in files, "human-oversight", "Systems affecting children require review"),
+        ("G9", lambda: "multi-model-pipeline" in ts and "monitoring" not in files, "monitoring", "Multi-model compounding failures"),
+        ("G10", lambda: tier == "HIGH" and "monitoring" not in files, "monitoring", "High-risk systems need monitoring"),
+        ("G11", lambda: tier == "HIGH" and "fallback-patterns" not in files, "fallback-patterns", "High-risk systems must fail safely"),
+        ("G13", lambda: "jurisdiction-us-regulated" in ts and "audit-logging" not in files, "audit-logging", "US regulated industries need audit trails"),
+        ("G14", lambda: "jurisdiction-us-regulated" in ts and "human-oversight" not in files, "human-oversight", "US regulated industries need human review"),
+        ("G15", lambda: "generates-code" in ts and "human-oversight" not in files, "human-oversight", "Code generation needs human review"),
+    ]
+
+    for gid, cond, file, rationale in guardrails:
+        if cond():
+            files.add(file)
+            guardrails_fired.append({"id": gid, "action": f"ADD {file}", "rationale": rationale})
+
+    # Step 4: templates
+    templates: list[str] = []
+    if tier == "HIGH" or "jurisdiction-eu" in ts or "jurisdiction-global" in ts or "influences-decisions" in ts:
+        templates.extend(["ai-impact-assessment", "intended-purpose-doc", "risk-characterization"])
+    elif tier == "MEDIUM" or "jurisdiction-us-regulated" in ts:
+        templates.append("intended-purpose-doc")
+
+    if "uses-thirdparty-api" in ts and tier != "LOW":
+        templates.append("third-party-assessment")
+
+    if "jurisdiction-us-regulated" in ts and "ai-impact-assessment" not in templates:
+        templates.insert(0, "ai-impact-assessment")
+
+    # Step 5: collect control IDs
+    all_owasp: set[str] = set()
+    all_nist: set[str] = set()
+    all_iso: set[str] = set()
+    for f in files:
+        c = FILE_CONTROLS.get(f)
+        if c:
+            all_owasp.update(c["owasp"])
+            all_nist.update(c["nist"])
+            all_iso.update(c["iso"])
+
+    return {
+        "risk_tier": tier,
+        "reason": reason,
+        "traits": list(ts),
+        "implement_files": sorted(files),
+        "templates": list(dict.fromkeys(templates)),
+        "guardrails_fired": guardrails_fired,
+        "warnings": warnings,
+        "controls": {
+            "owasp": sorted(all_owasp),
+            "nist": sorted(all_nist),
+            "iso": sorted(all_iso),
+        },
+    }

aigis_cli/cli.py

@@ -0,0 +1,280 @@
+from __future__ import annotations
+
+import json
+import sys
+
+import click
+from rich.console import Console
+
+from . import __version__
+from .classify import classify as run_classify
+from .fetch import get as fetch_get, get_audit_scan, get_template, verify as fetch_verify
+from .keywords import detect_traits_from_text
+from .search import list_all, search as run_search
+from .annotate import annotate as add_annotation, clear_annotation, list_annotations
+from .init_ide import init as run_init
+
+console = Console(highlight=False)
+
+
+@click.group()
+@click.version_option(__version__, prog_name="aigis")
+def cli() -> None:
+    """AI governance guardrails for coding agents."""
+
+
+# ── classify ────────────────────────────────────────────────────────
+@cli.command()
+@click.argument("description", required=False, default=None)
+@click.option("--traits", "traits_str", default=None, help="Comma-separated trait IDs")
+@click.option("--interactive", is_flag=True, help="Confirm detected traits before classifying")
+@click.option("--json", "as_json", is_flag=True, help="Output as JSON")
+def classify(description: str | None, traits_str: str | None,
+             interactive: bool, as_json: bool) -> None:
+    """Classify an AI system and get recommended governance files."""
+    traits: list[str] | None = None
+
+    if traits_str:
+        traits = [t.strip() for t in traits_str.split(",")]
+    elif description:
+        detected = detect_traits_from_text(description)
+        if interactive:
+            console.print("\n[bold]Detected traits from description:[/bold]\n")
+            for d in detected:
+                icon = "[green]✓[/green]" if d["confidence"] == "high" else "[yellow]?[/yellow]"
+                console.print(f"  {icon} [cyan]{d['trait']}[/cyan]  (matched: \"{d['keyword']}\")")
+            trait_list = ",".join(d["trait"] for d in detected)
+            console.print("[dim]\nTo classify with these traits, run:[/dim]")
+            console.print(f"[green]  aigis classify --traits {trait_list}[/green]\n")
+            console.print("[dim]Add or remove traits as needed before running.\n[/dim]")
+            return
+        traits = [d["trait"] for d in detected]
+        if not traits:
+            console.print("[red]No traits detected from description.[/red]")
+            console.print('[dim]Run "aigis traits" to see available traits, or use --traits flag.\n[/dim]')
+            sys.exit(1)
+        console.print(f"[dim]Detected traits: {', '.join(traits)}\n[/dim]")
+    else:
+        console.print("[red]Provide --traits or a quoted description.[/red]")
+        console.print("[dim]Example: aigis classify --traits uses-llm,processes-pii[/dim]")
+        console.print('[dim]Example: aigis classify "customer chatbot with RAG"\n[/dim]')
+        sys.exit(1)
+
+    try:
+        result = run_classify(traits)
+    except ValueError as exc:
+        console.print(f"[red]{exc}[/red]")
+        sys.exit(1)
+
+    if as_json:
+        click.echo(json.dumps(result, indent=2))
+        return
+
+    tier = result["risk_tier"]
+    tier_color = "red" if tier == "HIGH" else "yellow" if tier == "MEDIUM" else "green"
+    console.print(f"[bold]Risk tier:[/bold] [bold {tier_color}]{tier}[/bold {tier_color}]")
+    console.print(f"[bold]Reason:[/bold] {result['reason']}\n")
+
+    for w in result["warnings"]:
+        console.print(f"[yellow]⚠ {w}[/yellow]")
+    if result["warnings"]:
+        console.print()
+
+    console.print(f"[bold]Implement files ({len(result['implement_files'])}):[/bold]")
+    for f in result["implement_files"]:
+        console.print(f"[green]  aigis get {f}[/green]")
+
+    if result["templates"]:
+        console.print(f"\n[bold]Templates ({len(result['templates'])}):[/bold]")
+        for t in result["templates"]:
+            console.print(f"[yellow]  aigis template {t}[/yellow]")
+
+    if result["guardrails_fired"]:
+        console.print("\n[bold]Guardrails fired:[/bold]")
+        for g in result["guardrails_fired"]:
+            console.print(f"[yellow]  {g['id']}: {g['action']} — {g['rationale']}[/yellow]")
+
+    console.print("\n[bold]Verify after implementation:[/bold]")
+    for f in result["implement_files"]:
+        console.print(f"[green]  aigis verify {f}[/green]")
+
+    c = result["controls"]
+    console.print(f"\n[dim]Controls: {len(c['owasp'])} OWASP, {len(c['nist'])} NIST, {len(c['iso'])} ISO[/dim]")
+
+
+# ── get ─────────────────────────────────────────────────────────────
+@cli.command("get")
+@click.argument("files", nargs=-1)
+@click.option("--all", "all_files", is_flag=True, help="Fetch all implement files")
+@click.option("--lang", type=click.Choice(["py", "js"]), default=None, help="Filter code to py or js only")
+@click.option("--no-frontmatter", "no_frontmatter", is_flag=True, help="Strip YAML frontmatter")
+def get_cmd(files: tuple[str, ...], all_files: bool, lang: str | None,
+            no_frontmatter: bool) -> None:
+    """Fetch implementation pattern files."""
+    content = fetch_get(list(files) or None, all_files=all_files,
+                        strip_fm=not no_frontmatter, lang=lang)
+    click.echo(content)
+
+
+# ── verify ──────────────────────────────────────────────────────────
+@cli.command()
+@click.argument("files", nargs=-1, required=True)
+def verify(files: tuple[str, ...]) -> None:
+    """Fetch verification checklists."""
+    click.echo(fetch_verify(list(files)))
+
+
+# ── template ────────────────────────────────────────────────────────
+@cli.command()
+@click.argument("templates", nargs=-1, required=True)
+def template(templates: tuple[str, ...]) -> None:
+    """Fetch compliance documentation templates."""
+    click.echo(get_template(list(templates)))
+
+
+# ── audit ───────────────────────────────────────────────────────────
+@cli.command()
+@click.option("--scan", is_flag=True, help="Get structured scan prompt for the agent")
+@click.option("--traits", "traits_str", default=None, help="Run audit with detected traits")
+@click.option("--json", "as_json", is_flag=True, help="Output as JSON")
+def audit(scan: bool, traits_str: str | None, as_json: bool) -> None:
+    """Audit an existing codebase for governance gaps."""
+    if scan:
+        click.echo(get_audit_scan())
+        return
+
+    if traits_str:
+        traits = [t.strip() for t in traits_str.split(",")]
+        classification = run_classify(traits)
+
+        if as_json:
+            checklists = {}
+            for f in classification["implement_files"]:
+                checklists[f] = fetch_verify([f])
+            click.echo(json.dumps({"classification": classification, "checklists": checklists}, indent=2))
+            return
+
+        tier = classification["risk_tier"]
+        tier_color = "red" if tier == "HIGH" else "yellow" if tier == "MEDIUM" else "green"
+        console.print("[bold]═══ AIGIS GOVERNANCE AUDIT ═══[/bold]\n")
+        console.print(f"[bold]Risk tier:[/bold] [bold {tier_color}]{tier}[/bold {tier_color}]")
+        console.print(f"[bold]Controls to assess:[/bold] {len(classification['implement_files'])} areas\n")
+
+        console.print("[bold]Instructions for agent:[/bold]")
+        console.print("[dim]Evaluate the existing codebase against each check below.[/dim]")
+        console.print('[dim]Mark PASS / FAIL / PARTIAL with evidence (file:line or "not found").\n[/dim]')
+
+        for f in classification["implement_files"]:
+            checklist = fetch_verify([f])
+            click.echo(checklist)
+            click.echo()
+
+        if classification["templates"]:
+            console.print("[bold]Required documentation:[/bold]")
+            for t in classification["templates"]:
+                console.print(f"[yellow]  aigis template {t}[/yellow]")
+        return
+
+    console.print("[red]Provide --scan or --traits.[/red]")
+    console.print("[dim]  aigis audit --scan                    # get scan prompt[/dim]")
+    console.print("[dim]  aigis audit --traits uses-llm,...      # run audit\n[/dim]")
+    sys.exit(1)
+
+
+# ── search ──────────────────────────────────────────────────────────
+@cli.command()
+@click.argument("query", required=False, default=None)
+@click.option("--list", "list_files", is_flag=True, help="List all available files")
+def search(query: str | None, list_files: bool) -> None:
+    """Search across all content."""
+    if list_files:
+        results = list_all()
+        console.print("[bold]Available content:\n[/bold]")
+        console.print("[bold]Implement files (governance patterns):[/bold]")
+        for r in results["implement"]:
+            console.print(f"  [cyan]{r['id']:<25}[/cyan] {r['title']}")
+        console.print("\n[bold]Templates (compliance documentation):[/bold]")
+        for r in results["templates"]:
+            console.print(f"  [yellow]{r['id']:<25}[/yellow] {r['title']}")
+        console.print("\n[bold]Verify checklists:[/bold]")
+        console.print("[dim]  (one per implement file, auto-fetched via aigis verify <id>)[/dim]")
+        return
+
+    if not query:
+        console.print("[red]Provide a search query or use --list.[/red]")
+        sys.exit(1)
+
+    results = run_search(query)
+    if not results:
+        console.print(f'[dim]No results found for "{query}"[/dim]')
+        return
+    console.print(f'[bold]Results for "{query}":\n[/bold]')
+    for r in results:
+        console.print(f"  [cyan]{r['id']:<25}[/cyan] {r['title']}")
+        if r["matched_controls"]:
+            console.print(f"  [dim]{'':<25} controls: {', '.join(r['matched_controls'])}[/dim]")
+
+
+# ── annotate ────────────────────────────────────────────────────────
+@cli.command()
+@click.argument("file_id", required=False, default=None)
+@click.argument("note", required=False, default=None)
+@click.option("--list", "list_all_annotations", is_flag=True, help="List all annotations")
+@click.option("--clear", is_flag=True, help="Clear annotations for a file")
+def annotate(file_id: str | None, note: str | None,
+             list_all_annotations: bool, clear: bool) -> None:
+    """Attach or manage local notes on content files."""
+    if list_all_annotations:
+        all_notes = list_annotations()
+        if not all_notes:
+            console.print("[dim]No annotations yet.[/dim]")
+            return
+        console.print("[bold]Annotations:\n[/bold]")
+        for fid, notes in all_notes.items():
+            console.print(f"  [cyan]{fid}:[/cyan]")
+            for n in notes:
+                console.print(f'  [dim]  "{n["note"]}" ({n["date"]})[/dim]')
+        return
+
+    if not file_id:
+        console.print("[red]Provide a file ID. Use --list to see annotations.[/red]")
+        sys.exit(1)
+
+    if clear:
+        clear_annotation(file_id)
+        console.print(f"[green]Cleared annotations for {file_id}[/green]")
+        return
+
+    if not note:
+        console.print("[red]Provide a note in quotes.[/red]")
+        console.print('[dim]Example: aigis annotate input-validation "Needs raw body for webhooks"[/dim]')
+        sys.exit(1)
+
+    add_annotation(file_id, note)
+    console.print(f"[green]Annotation added to {file_id}[/green]")
+
+
+# ── init ────────────────────────────────────────────────────────────
+@cli.command("init")
+@click.argument("ide")
+def init_cmd(ide: str) -> None:
+    """Set up aigis for your IDE."""
+    run_init(ide)
+
+
+# ── traits ──────────────────────────────────────────────────────────
+@cli.command()
+def traits() -> None:
+    """List all available classification traits."""
+    console.print("[bold]Available traits (22):\n[/bold]")
+    groups = {
+        "AI architecture": ["uses-llm", "uses-rag", "uses-finetuned", "uses-thirdparty-api", "is-agentic", "is-multimodal"],
+        "Data sensitivity": ["processes-pii", "handles-financial", "handles-health", "handles-proprietary", "handles-minors"],
+        "Impact scope": ["influences-decisions", "accepts-user-input", "is-external", "is-internal", "is-high-volume"],
+        "Output type": ["generates-code", "generates-content", "multi-model-pipeline"],
+        "Jurisdiction": ["jurisdiction-eu", "jurisdiction-us-regulated", "jurisdiction-global"],
+    }
+    for group, trait_list in groups.items():
+        console.print(f"  [dim]{group}:[/dim]")
+        formatted = ", ".join(f"[cyan]{t}[/cyan]" for t in trait_list)
+        console.print(f"  {formatted}\n")