Update docs: entity-level report commands, compliance guidance

- Rewrite reports.md with all 4 report levels (project, org, assessment, experiment)
- Document report content, options, and compliance use cases
- Update commands.md reference: remove deprecated hb report, add entity-level commands

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: dgerog

docs/docs/reference/commands.md

@@ -58,9 +58,12 @@ Complete reference of all available commands, organized by category.
 | `hb findings` | List persistent vulnerability findings |
 | `hb findings update <id>` | Update finding status or severity |
 | `hb findings assign <id>` | Assign finding to a team member |
-| `hb report` | Generate HTML security report (project, org, or assessment) |
 | `hb assessments` | List past security assessments |
 | `hb assessments show <id>` | View assessment detail (posture before/after, drift, test count) |
+| `hb assessments report <id>` | Generate assessment HTML report with full test logs |
+| `hb projects report` | Generate project HTML security report |
+| `hb orgs report` | Generate organisation-wide HTML report |
+| `hb experiments report <id>` | Generate experiment HTML report with methodology context |
 
 ## Security
 

docs/docs/testing/reports.md

@@ -1,33 +1,87 @@
 # Reports
 
-Generate HTML security assessment reports for projects, assessments, or the entire organisation.
+Generate branded HTML security reports at four levels. Reports are generated by the backend and downloaded locally — they open automatically in your browser.
 
-## Project Report
+All reports include:
+
+- **Methodology section** — testing approach, posture scoring, continuous monitoring
+- **Technology disclaimer** — LLM stochastic nature, limitations
+- **Legal notice** — copyright, confidentiality, no tampering
+- **Print-ready CSS** — use browser "Print to PDF" for compliance submissions
+
+## Report Levels
+
+### Project Report
+
+The standing security posture of an agent — findings, threat landscape, monitoring status, and assessment history.
 
 ```bash
-# Generate report for current project
-hb report
+# Current project
+hb projects report
+
+# Save without opening browser
+hb projects report --no-open
 
-# Save to file
-hb report --output report.html
+# Custom output path
+hb projects report -o ./reports/q1-security.html
 ```
 
-## Organisation Report
+**Includes:** Agent scope (permitted/restricted operations), posture donuts (overall + security + quality), findings with severity and threat class, threat landscape, assessment history (last 90 days), human feedback audit summary.
+
+### Organisation Report
+
+Executive overview across all projects in the organisation.
 
 ```bash
-# Org-level report (all projects + inventory)
-hb report --org
+hb orgs report
+hb orgs report -o org-report.html
 ```
 
-## Assessment Report
+**Includes:** Organisation posture donuts, findings summary with severity bar, all projects with grade, score, last assessed date, and monitoring status.
+
+### Assessment Report
+
+What happened in a specific test run — results, findings, and full conversation evidence.
 
 ```bash
-# Report for a specific assessment
-hb report --assessment <assessment-id>
+# Get assessment ID from list
+hb assessments
+
+# Generate report
+hb assessments report <assessment-id>
+hb assessments report abc123 -o assessment.html
 ```
 
-## JSON Output
+**Includes:** Overview (tests, pass rate, status), test suite (engines, level, language), posture before/after donuts, findings, and a full appendix of every test conversation with verdict, severity, explanation, and multi-turn dialogue.
+
+### Experiment Report
+
+Deep dive into a single test engine's run, with orchestrator-specific methodology context.
 
 ```bash
-hb report --json
+# Get experiment ID from list
+hb experiments list
+
+# Generate report
+hb experiments report <experiment-id>
+hb experiments report abc123 -o experiment.html
 ```
+
+**Includes:** Orchestrator-specific context (OWASP methodology for adversarial, QA evaluation dimensions for behavioral), metrics (TPI, reliability, pass rate), vulnerabilities identified, and full conversation appendix with feedback badges.
+
+## Options
+
+| Option | Description |
+|--------|-------------|
+| `-o`, `--output PATH` | Custom output file path |
+| `--no-open` | Save file without opening in browser |
+
+## For Compliance
+
+Reports are designed for submission to auditors and compliance frameworks including DORA, PCI-DSS, ISO/IEC 42001, NIS2, and the EU AI Act.
+
+- **Project reports** prove ongoing monitoring and scope definition
+- **Assessment reports** provide test evidence with full conversation logs
+- **Experiment reports** document specific testing methodology
+
+Use browser "Print to PDF" to generate PDF versions suitable for formal submissions.