docs: add engagement scoreboard and expand live validation dashboard documentation

README.md

@@ -87,7 +87,8 @@ Create a randomized copy of any lab with unique names but identical attack paths
 - [CLI configuration](docs/cli.md) -- Viper-based config, environment variables, per-environment settings
 - [Domains and users](docs/domains-and-users.md) -- full network topology, credentials, and attack paths
 - [Vulnerability catalog](docs/GOAD-vulnerabilities-comprehensive.md) -- all 50+ vulnerabilities with exploitation techniques
-- [Validation guide](docs/validation.md) -- automated vulnerability validation
+- [Validation guide](docs/validation.md) -- automated vulnerability validation (with live dashboard and polling)
+- [Scoreboard guide](docs/scoreboard.md) -- live engagement status board (answer key + agent report verification)
 - [Provider guides](docs/mkdocs/docs/providers/) -- VirtualBox, VMware, Proxmox, AWS, Azure, Ludus
 - [AWS AMI build & deploy workflow](docs/mkdocs/docs/providers/aws-ami-workflow.md) -- end-to-end warpgate + Terragrunt + Ansible
 - [Extension guides](docs/mkdocs/docs/extensions/) -- ELK, Exchange, Wazuh, hardened workstation

docs/mkdocs/docs/cli-reference.md

@@ -442,7 +442,7 @@ dreadgoad verify-trusts
 
 Validate GOAD vulnerability configurations.
 
-Checks credentials, Kerberos, SMB, delegation, MSSQL, ADCS, ACLs, trusts, SID filtering, scheduled tasks, LLMNR/NBT-NS, GPO abuse, gMSA, LAPS, and services.
+Checks credentials, Kerberos, SMB, delegation, MSSQL, ADCS, ACLs, trusts, SID filtering, scheduled tasks, LLMNR/NBT-NS, GPO abuse, gMSA, LAPS, and services. When stdout is a TTY, results stream into a live dashboard with a per-category breakdown; pass `--plain` to fall back to line-by-line output.
 
 | Flag | Description |
 |------|-------------|
@@ -451,21 +451,81 @@ Checks credentials, Kerberos, SMB, delegation, MSSQL, ADCS, ACLs, trusts, SID fi
 | `--output string` | JSON report output path |
 | `--quick` | Quick validation of critical vulnerabilities only |
 | `--verbose` | Enable verbose output |
+| `--plain` | Disable the live dashboard; stream results to stdout |
+| `--poll string` | Re-run cadence inside the live dashboard (Go duration like `1m`, `5m`, or `never`; minimum `1m`, default `never`) |
 
 ```bash
-# Full validation with table output
-dreadgoad validate
+dreadgoad validate                       # full run, live dashboard on a TTY
+dreadgoad validate --quick               # critical vulnerabilities only
+dreadgoad validate --plain               # disable the dashboard
+dreadgoad validate --poll 5m             # rerun every 5 minutes inside the dashboard
+dreadgoad validate --output report.json  # custom report path
+```
+
+Dashboard keys: `q`, `ctrl+c`, or `esc` to quit. `--poll` is ignored without the dashboard (non-TTY or `--plain`).
+
+See [validation.md](https://github.com/dreadnode/DreadGOAD/blob/main/docs/validation.md) for the full guide.
+
+---
+
+### scoreboard
+
+Live status board for GOAD engagements. Parses the lab `config.json` into a checklist of objectives ("answer key"), polls an agent's JSONL report (local, SSM, or `ares`), and renders a verification TUI.
+
+#### `scoreboard generate-key`
+
+Build the answer key from the lab configuration. Run this once per lab (or after lab edits) so `scoreboard run` and `scoreboard demo` have something to verify against.
+
+| Flag | Description |
+|------|-------------|
+| `--config string` | Path to GOAD `config.json` (default `ad/GOAD/data/config.json`) |
+| `--output string` | Output path for the answer key (default `scoreboard/answer_key.json`) |
+
+```bash
+dreadgoad scoreboard generate-key
+```
 
-# Quick check of critical vulnerabilities
-dreadgoad validate --quick
+#### `scoreboard run`
 
-# Export JSON report
-dreadgoad validate --format json --output report.json
+Poll an agent's JSONL report and render the live verification TUI.
 
-# Verbose output, don't fail on errors
-dreadgoad validate --verbose --no-fail
+| Flag | Description |
+|------|-------------|
+| `--transport string` | `local`, `ssm`, or `ares` (default `"local"`) |
+| `--report string` | Path to the agent report on the target (default `/tmp/report.jsonl`) |
+| `--answer-key string` | Path to `answer_key.json` (default `scoreboard/answer_key.json`) |
+| `--instance-id string` | EC2 instance ID (required for `ssm` and `ares`) |
+| `--ssm-region string` | AWS region for SSM (defaults to `--region`) |
+| `--ares-binary string` | Path to the `ares` binary on the target (default `/usr/local/bin/ares`) |
+| `--interval duration` | Poll interval (default `3s`) |
+| `--restart` | Delete the report file on the target before starting (no-op for `ares`) |
+| `--once` | Fetch and verify once, print the board, and exit (no TUI) |
+
+```bash
+# Local report file
+dreadgoad scoreboard run --report ./report.jsonl
+
+# Remote report via SSM
+dreadgoad scoreboard run --transport ssm --instance-id i-0123456789abcdef0
+
+# One-shot static board (no TUI)
+dreadgoad scoreboard run --once
 ```
 
+#### `scoreboard demo`
+
+Render a sample board with mock findings so you can see the layout before running a real engagement.
+
+| Flag | Description |
+|------|-------------|
+| `--config string` | Path to GOAD `config.json` (default `ad/GOAD/data/config.json`) |
+
+```bash
+dreadgoad scoreboard demo
+```
+
+See [scoreboard/agent_prompt.md](https://github.com/dreadnode/DreadGOAD/blob/main/scoreboard/agent_prompt.md) for the report format agents are expected to emit.
+
 ---
 
 ## Extensions

docs/mkdocs/docs/usage/goad_args.md

@@ -69,14 +69,26 @@ dreadgoad infra validate
 ### Validation and diagnostics
 
 ```bash
-dreadgoad validate
+dreadgoad validate                       # live dashboard when stdout is a TTY
+dreadgoad validate --plain               # disable the dashboard
+dreadgoad validate --poll 5m             # rerun every 5 minutes inside the dashboard
 dreadgoad validate --format json --output results.json
 dreadgoad health-check
 dreadgoad diagnose
 dreadgoad doctor
 dreadgoad verify-trusts
 ```
 
+### Engagement scoreboard
+
+```bash
+dreadgoad scoreboard generate-key                                         # build answer_key.json
+dreadgoad scoreboard run --report ./report.jsonl                          # local transport
+dreadgoad scoreboard run --transport ssm --instance-id i-0123456789abcdef0
+dreadgoad scoreboard run --once                                           # one-shot static board
+dreadgoad scoreboard demo                                                 # sample board with mock findings
+```
+
 ### Environment and configuration
 
 ```bash

docs/scoreboard.md

@@ -0,0 +1,114 @@
+# GOAD Scoreboard
+
+`dreadgoad scoreboard` turns a GOAD lab into a live status board for an
+engagement: it parses the lab's `config.json` into an answer key of
+objectives, polls the agent's JSONL report, and verifies findings against
+the key in a Bubbletea/Lipgloss TUI.
+
+## Quick Start
+
+```bash
+dreadgoad scoreboard generate-key            # build answer_key.json once per lab
+dreadgoad scoreboard run --report ./report.jsonl
+dreadgoad scoreboard demo                    # preview the layout with mock findings
+```
+
+Point the agent at `/tmp/report.jsonl` using
+[`scoreboard/agent_prompt.md`](../scoreboard/agent_prompt.md). For remote
+reports use `--transport ssm` or `--transport ares` (see below).
+
+## `scoreboard generate-key`
+
+Builds the verification checklist (`answer_key.json`) from a GOAD
+`config.json`. Each objective covers one provable finding (a password,
+hash, kerberoastable SPN, ADCS template, ACL chain step, etc.), grouped
+by category. Regenerate after lab edits or variant generation. The output
+is gitignored.
+
+| Flag        | Description                                                       |
+|-------------|-------------------------------------------------------------------|
+| `--config`  | Path to GOAD `config.json` (default `ad/GOAD/data/config.json`)   |
+| `--output`  | Output path (default `scoreboard/answer_key.json`)                |
+
+```bash
+dreadgoad scoreboard generate-key
+dreadgoad scoreboard generate-key --config ad/GOAD-variant-1/data/config.json
+```
+
+The command prints the total objective count and a per-group breakdown.
+
+## `scoreboard run`
+
+Polls the agent's JSONL report, verifies each finding against the answer
+key, and renders the live board.
+
+| Flag            | Default                          | Description                                                        |
+|-----------------|----------------------------------|--------------------------------------------------------------------|
+| `--transport`   | `local`                          | `local`, `ssm`, or `ares`                                          |
+| `--report`      | `/tmp/report.jsonl`              | Path to the agent's report on the target                           |
+| `--answer-key`  | `scoreboard/answer_key.json`     | Path to the answer key                                             |
+| `--instance-id` |                                  | EC2 instance ID (required for `ssm` and `ares`)                    |
+| `--ssm-region`  | falls back to `--region`         | AWS region for SSM                                                 |
+| `--ares-binary` | `/usr/local/bin/ares`            | Path to the `ares` binary on the target                            |
+| `--interval`    | `3s`                             | Poll interval                                                      |
+| `--restart`     | `false`                          | Delete the report file on the target before starting               |
+| `--once`        | `false`                          | Fetch and verify once, print the static board, exit (no TUI)       |
+
+### Transports
+
+- **`local`**: read a JSONL file from the host running the CLI. Best
+  for development, or when the agent writes its report to a synced
+  directory.
+- **`ssm`**: read `/tmp/report.jsonl` (or `--report`) from an EC2
+  instance over SSM. Requires the SSM agent, IAM, and `--instance-id`.
+- **`ares`**: invoke an `ares` binary on the target to stream findings.
+  Use when an agent writes findings through `ares` instead of a flat
+  file. `--restart` is a no-op for this transport.
+
+### Examples
+
+```bash
+# One-shot static board (CI/CD friendly)
+dreadgoad scoreboard run --once --report ./report.jsonl
+
+# SSM, fresh run (wipe the remote report first)
+dreadgoad scoreboard run \
+  --transport ssm \
+  --instance-id i-0123456789abcdef0 \
+  --restart
+
+# Faster polling for short engagements
+dreadgoad scoreboard run --interval 1500ms
+```
+
+## `scoreboard demo`
+
+Generates a synthetic report against the current lab config and renders
+the static board. Use it to preview the layout, sanity-check the answer
+key, or screenshot the dashboard without running a real agent.
+
+| Flag       | Description                                                     |
+|------------|-----------------------------------------------------------------|
+| `--config` | Path to GOAD `config.json` (default `ad/GOAD/data/config.json`) |
+
+```bash
+dreadgoad scoreboard demo
+```
+
+## Agent Report Format
+
+The TUI consumes a JSONL stream: one header line followed by one finding
+per line.
+
+```json
+{"agent_id": "dreadnode-agent", "start_time": "2026-05-11T17:00:00Z"}
+{"target": "samwell.tarly@north.sevenkingdoms.local", "evidence": "Heartsbane1", "description": "password from AD description"}
+```
+
+[`scoreboard/agent_prompt.md`](../scoreboard/agent_prompt.md) is the
+canonical spec and is suitable to hand to an agent verbatim.
+
+## Related Documentation
+
+- [`validation.md`](./validation.md): operator-side vulnerability validation
+- [`GOAD-vulnerabilities-comprehensive.md`](./GOAD-vulnerabilities-comprehensive.md): vulnerability catalog the answer key is derived from