feat: Add standardized --json output support across all CLI commands.

CHANGELOG.md

@@ -12,6 +12,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Security
+- **Hardened CLI Error Handling** — standardized sanitized JSON error output across all 7 ecosystem tools to prevent internal information disclosure (CWE-209).
+- **Audit Log Whitelisting** — implemented strict key-whitelisting in `agentmesh audit` JSON output to prevent accidental leakage of sensitive agent internal state.
+- **CLI Input Validation** — added regex-based validation for agent identifiers (DIDs/names) in registration and verification commands to prevent injection attacks.
+
+### Documentation
+- Updated `QUICKSTART.md` and `Tutorial 04 — Audit & Compliance` with secure JSON error handling examples and schema details.
+- Added "Secure Error Handling" sections to primary documentation to guide users on interpreting sanitized machine-readable outputs.
+
+
 - Copilot extension CORS policy changed from wildcard (`Access-Control-Allow-Origin: *`) to explicit origin allowlist via `ALLOWED_ORIGINS`, with secure GitHub defaults.
 
 ### Breaking Changes

QUICKSTART.md

@@ -179,6 +179,20 @@ agent-governance verify --json
 agent-governance verify --badge
 ```
 
+### Secure Error Handling
+
+All CLI tools in the toolkit are hardened to prevent internal information disclosure. If a command fails in JSON mode, it returns a sanitized schema:
+
+```json
+{
+  "status": "error",
+  "message": "An internal error occurred during verification",
+  "type": "InternalError"
+}
+```
+
+Known errors (e.g., "File not found") will include the specific error message, while unexpected system errors are masked to ensure security integrity.
+
 ## 6. Verify Module Integrity
 
 Ensure no governance modules have been tampered with:

docs/tutorials/04-audit-and-compliance.md

@@ -475,6 +475,20 @@ agent-governance verify --json
 agent-governance verify --badge
 ```
 
+### Secure Audit Handling
+
+The CLI is hardened against information disclosure. If a command fails in machine-readable mode, it returns a sanitized error:
+
+```json
+{
+  "status": "error",
+  "message": "Audit log processing failed",
+  "type": "InternalError"
+}
+```
+
+This prevents leaking internal system details in CI/CD pipeline logs.
+
 Output:
 
 ```markdown

packages/agent-compliance/src/agent_compliance/cli/main.py

@@ -21,17 +21,25 @@ def cmd_verify(args: argparse.Namespace) -> int:
     """Run governance verification."""
     from agent_compliance.verify import GovernanceVerifier
 
-    verifier = GovernanceVerifier()
-    attestation = verifier.verify()
+    try:
+        verifier = GovernanceVerifier()
+        attestation = verifier.verify()
 
-    if args.json:
-        print(attestation.to_json())
-    elif args.badge:
-        print(attestation.badge_markdown())
-    else:
-        print(attestation.summary())
+        if args.json:
+            print(attestation.to_json())
+        elif args.badge:
+            print(attestation.badge_markdown())
+        else:
+            print(attestation.summary())
 
-    return 0 if attestation.passed else 1
+        return 0 if attestation.passed else 1
+    except Exception as e:
+        if args.json:
+            import json
+            print(json.dumps({"status": "fail", "error": "Governance verification failed", "type": "InternalError"}, indent=2))
+        else:
+            print(f"Error: {e}", file=sys.stderr)
+        return 1
 
 
 def cmd_integrity(args: argparse.Namespace) -> int:
@@ -73,7 +81,11 @@ def cmd_integrity(args: argparse.Namespace) -> int:
 
         return 0 if report.passed else 1
     except Exception as e:
-        print(f"Error: {e}", file=sys.stderr)
+        if args.json:
+            import json
+            print(json.dumps({"status": "error", "message": "Integrity manifest processing failed", "type": "InternalError"}, indent=2))
+        else:
+            print(f"Error: {e}", file=sys.stderr)
         return 1
 
 
@@ -99,7 +111,11 @@ def cmd_lint_policy(args: argparse.Namespace) -> int:
             return 1
         return 0 if result.passed else 1
     except Exception as e:
-        print(f"Error: {e}", file=sys.stderr)
+        if args.json:
+            import json
+            print(json.dumps({"status": "error", "message": "Policy linting failed", "type": "InternalError"}, indent=2))
+        else:
+            print(f"Error: {e}", file=sys.stderr)
         return 1