@0dai-dev/cli 3.10.1 → 4.0.0

package/lib/commands/audit.js

@@ -0,0 +1,129 @@
+"use strict";
+const shared = require("../shared");
+const { T, R, D, fs, path } = shared;
+
+function cmdAudit(target) {
+  const W = process.stdout.isTTY ? "\x1b[33m" : "";   // yellow
+  const RE = process.stdout.isTTY ? "\x1b[31m" : "";  // red
+  const G = process.stdout.isTTY ? "\x1b[32m" : "";   // green
+
+  // Secret patterns: [label, regex, severity]
+  const PATTERNS = [
+    ["Anthropic API key",  /sk-ant-api[0-9A-Za-z_-]{20,}/g,         "critical"],
+    ["OpenAI API key",     /sk-[A-Za-z0-9]{20,}/g,                   "critical"],
+    ["GitHub PAT (ghp)",   /ghp_[A-Za-z0-9]{36}/g,                   "critical"],
+    ["GitHub PAT (gho)",   /gho_[A-Za-z0-9]{36}/g,                   "critical"],
+    ["GitHub fine-grained",/github_pat_[A-Za-z0-9_]{59}/g,           "critical"],
+    ["AWS access key",     /AKIA[0-9A-Z]{16}/g,                       "critical"],
+    ["AWS secret key",     /aws_secret_access_key\s*[=:]\s*\S{20,}/gi,"critical"],
+    ["Google API key",     /AIza[0-9A-Za-z_-]{35}/g,                  "high"],
+    ["Bearer token",       /Bearer\s+[A-Za-z0-9_-]{32,}/g,           "high"],
+    ["Private key block",  /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY/g, "critical"],
+    ["Generic secret var", /(?:secret|password|passwd|pwd)\s*[=:]\s*["']?[A-Za-z0-9+/=_-]{12,}["']?/gi, "medium"],
+  ];
+
+  // Files to scan
+  const SCAN_FILES = [
+    "CLAUDE.md", "AGENTS.md", "GEMINI.md", ".cursorrules",
+    ".codex/config.md", ".codex/instructions.md",
+    "opencode.json", ".mcp.json",
+  ];
+
+  // Walk a directory recursively, return all file paths
+  function walk(dir, maxDepth = 6, _depth = 0) {
+    if (_depth > maxDepth) return [];
+    let results = [];
+    try {
+      for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+        if (entry.name.startsWith(".git") || entry.name === "node_modules") continue;
+        const full = path.join(dir, entry.name);
+        if (entry.isDirectory()) results = results.concat(walk(full, maxDepth, _depth + 1));
+        else results.push(full);
+      }
+    } catch { /* skip unreadable */ }
+    return results;
+  }
+
+  const findings = []; // {file, line, label, severity, excerpt}
+
+  function scanContent(filePath, content) {
+    const lines = content.split("\n");
+    for (const [label, regex, severity] of PATTERNS) {
+      regex.lastIndex = 0;
+      for (let i = 0; i < lines.length; i++) {
+        let m;
+        regex.lastIndex = 0;
+        while ((m = regex.exec(lines[i])) !== null) {
+          const val = m[0];
+          // Redact: show first 6 + ... + last 4 chars
+          const excerpt = val.length > 14 ? val.slice(0, 6) + "..." + val.slice(-4) : val.slice(0, 4) + "...";
+          findings.push({ file: filePath, line: i + 1, label, severity, excerpt });
+        }
+      }
+    }
+  }
+
+  // Collect files to scan
+  const toScan = new Set();
+
+  for (const rel of SCAN_FILES) {
+    const p = path.join(target, rel);
+    if (fs.existsSync(p)) toScan.add(p);
+  }
+
+  const aiDir = path.join(target, "ai");
+  if (fs.existsSync(aiDir)) {
+    for (const f of walk(aiDir)) {
+      if (/\.(md|json|yaml|yml|txt|toml)$/.test(f)) toScan.add(f);
+    }
+  }
+
+  // Warn about .env files (don't scan content, just flag existence)
+  const envFiles = [".env", ".env.local", ".env.production", ".env.development"];
+  const foundEnv = envFiles.filter(e => fs.existsSync(path.join(target, e)));
+
+  console.log(`\n  ${T}0dai audit${R} — scanning for leaked secrets\n`);
+  console.log(`  ${D}target: ${target}${R}`);
+  console.log(`  ${D}files:  ${toScan.size} scanned${R}\n`);
+
+  for (const filePath of toScan) {
+    try {
+      const content = fs.readFileSync(filePath, "utf8");
+      scanContent(filePath, content);
+    } catch { /* skip */ }
+  }
+
+  if (foundEnv.length > 0) {
+    console.log(`  ${W}WARN${R}  .env files detected — ensure they are in .gitignore`);
+    for (const e of foundEnv) console.log(`         ${D}${e}${R}`);
+    console.log();
+  }
+
+  if (findings.length === 0) {
+    console.log(`  ${G}✓ No secrets found${R} in scanned files\n`);
+    return;
+  }
+
+  const critical = findings.filter(f => f.severity === "critical");
+  const high = findings.filter(f => f.severity === "high");
+  const medium = findings.filter(f => f.severity === "medium");
+
+  const colorFor = (s) => s === "critical" ? RE : s === "high" ? W : D;
+
+  for (const f of findings) {
+    const c = colorFor(f.severity);
+    const rel = path.relative(target, f.file);
+    console.log(`  ${c}${f.severity.toUpperCase().padEnd(8)}${R} ${rel}:${f.line}`);
+    console.log(`           ${D}${f.label}: ${f.excerpt}${R}`);
+  }
+
+  console.log();
+  if (critical.length > 0) console.log(`  ${RE}${critical.length} critical${R} · ${W}${high.length} high${R} · ${D}${medium.length} medium${R}\n`);
+  else console.log(`  ${W}${high.length} high${R} · ${D}${medium.length} medium${R}\n`);
+
+  console.log(`  ${D}Tip: add secrets to .gitignore or use env vars, not plaintext files${R}\n`);
+
+  if (critical.length > 0) process.exit(1);
+}
+
+module.exports = { cmdAudit };

package/lib/commands/auth.js

@@ -0,0 +1,241 @@
+"use strict";
+const shared = require("../shared");
+const {
+  T, R, D, log,
+  fs, os,
+  CONFIG_DIR, AUTH_FILE, API_URL,
+  apiCall, loadAuthState, fetchAuthStatus, updateAuthState,
+  makeEnsureAuthenticated, ensureLicenseActivation,
+} = shared;
+
+async function cmdAuthLogin() {
+  const isTTY = process.stdout.isTTY && process.stdin.isTTY;
+
+  // Check if already authenticated
+  try {
+    const existing = JSON.parse(fs.readFileSync(AUTH_FILE, "utf8"));
+    if (existing.access_token || existing.email) {
+      if (isTTY) {
+        const p = require("@clack/prompts");
+        p.intro(`${T}0dai${R} authentication`);
+        p.log.success(`Already logged in as ${T}${existing.email || "unknown"}${R} (${existing.plan || "free"} plan)`);
+        const reauth = await p.confirm({ message: "Sign in with a different account?" });
+        if (p.isCancel(reauth) || !reauth) {
+          p.outro("Current session kept");
+          return;
+        }
+      } else {
+        log(`Already logged in as ${existing.email || "unknown"} (${existing.plan || "free"} plan)`);
+        log("To switch accounts, delete ~/.0dai/auth.json and run again");
+        return;
+      }
+    }
+  } catch {}
+
+  if (isTTY) {
+    // Interactive TUI flow
+    const p = require("@clack/prompts");
+    if (!p._intro_shown) p.intro(`${T}0dai${R} authentication`);
+
+    p.note(
+      "0dai auth is separate from agent CLIs (Claude Code, Codex).\n" +
+      "It tracks your projects, usage limits, and team features.\n" +
+      "Your agent CLIs keep their own auth (subscription/API key).",
+      "Why sign in?"
+    );
+
+    const method = await p.select({
+      message: "How would you like to sign in?",
+      options: [
+        { value: "github", label: "GitHub", hint: "recommended" },
+        { value: "google", label: "Google" },
+        { value: "device", label: "Device code", hint: "no browser needed" },
+      ],
+    });
+    if (p.isCancel(method)) { p.cancel("Cancelled"); process.exit(0); }
+
+    if (method === "github" || method === "google") {
+      const url = `${API_URL}/v1/auth/${method}?cli=true`;
+      p.log.info(`Opening browser: ${url}`);
+      try {
+        const { execFileSync } = require("child_process");
+        const cmd = os.platform() === "darwin" ? "open" : os.platform() === "win32" ? "start" : "xdg-open";
+        // MED: use execFileSync to avoid shell injection via URL metacharacters
+        execFileSync(cmd, [url], { stdio: "ignore" });
+      } catch {
+        p.log.warn(`Could not open browser. Visit manually:\n  ${url}`);
+      }
+
+      const s = p.spinner();
+      s.start("Waiting for browser confirmation...");
+
+      // Poll auth/status until we get a new token (check every 3s, 5min timeout)
+      // For now, ask user to paste token from success page
+      s.stop("Browser opened");
+      const token = await p.text({
+        message: "Paste your token from the success page (or press Enter to skip):",
+        placeholder: "0dai_at_...",
+      });
+      if (token && !p.isCancel(token) && token.startsWith("0dai_at_")) {
+        fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+        fs.writeFileSync(AUTH_FILE, JSON.stringify({
+          access_token: token,
+          authenticated_at: new Date().toISOString(),
+        }, null, 2) + "\n", { mode: 0o600 });
+        // Fetch profile
+        const status = await apiCall("/v1/auth/status");
+        if (status.email) {
+          const auth = JSON.parse(fs.readFileSync(AUTH_FILE, "utf8"));
+          auth.email = status.email;
+          auth.plan = status.plan;
+          auth.name = status.name;
+          fs.writeFileSync(AUTH_FILE, JSON.stringify(auth, null, 2) + "\n", { mode: 0o600 });
+          p.outro(`${T}Logged in${R} as ${status.email} (${status.plan} plan)`);
+        } else {
+          p.outro(`${T}Token saved${R}`);
+        }
+        return;
+      }
+      p.log.info("Skipped. You can also use device code flow:");
+    }
+
+    // Device code fallback
+    const result = await apiCall("/v1/auth/device", { client_id: "cli" });
+    if (result.error) { p.log.error(result.error); process.exit(1); }
+
+    p.log.step(`Open: ${result.verification_uri}`);
+    p.log.step(`Code: ${T}${result.user_code}${R}`);
+
+    const s = p.spinner();
+    s.start("Waiting for confirmation...");
+
+    const interval = (result.interval || 5) * 1000;
+    const deadline = Date.now() + (result.expires_in || 600) * 1000;
+    while (Date.now() < deadline) {
+      await new Promise(r => setTimeout(r, interval));
+      const poll = await apiCall("/v1/auth/token", { device_code: result.device_code });
+      if (poll.access_token) {
+        s.stop("Authorized!");
+        fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+        fs.writeFileSync(AUTH_FILE, JSON.stringify({
+          access_token: poll.access_token, email: poll.email,
+          plan: poll.plan || "free", authenticated_at: new Date().toISOString(),
+          expires_at: poll.expires_at,
+        }, null, 2) + "\n", { mode: 0o600 });
+        p.outro(`${T}Logged in${R} as ${poll.email} (${poll.plan} plan)`);
+        return;
+      }
+      if (poll.error && poll.error !== "authorization_pending") {
+        s.stop("Failed");
+        p.log.error(poll.error);
+        process.exit(1);
+      }
+    }
+    s.stop("Timed out");
+    p.log.error("Try again.");
+    process.exit(1);
+
+  } else {
+    // Non-interactive: device code only
+    log("0dai auth is separate from agent CLIs. It tracks projects, limits, and team features.");
+    const result = await apiCall("/v1/auth/device", { client_id: "cli" });
+    if (result.error) { log(`error: ${result.error}`); process.exit(1); }
+    log(`Open: ${result.verification_uri}`);
+    log(`Code: ${result.user_code}`);
+    log("Waiting...");
+    const interval = (result.interval || 5) * 1000;
+    const deadline = Date.now() + (result.expires_in || 600) * 1000;
+    while (Date.now() < deadline) {
+      await new Promise(r => setTimeout(r, interval));
+      const poll = await apiCall("/v1/auth/token", { device_code: result.device_code });
+      if (poll.access_token) {
+        fs.mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });
+        fs.writeFileSync(AUTH_FILE, JSON.stringify({
+          access_token: poll.access_token, email: poll.email,
+          plan: poll.plan || "free", authenticated_at: new Date().toISOString(),
+        }, null, 2) + "\n", { mode: 0o600 });
+        log(`Logged in as ${poll.email}`);
+        return;
+      }
+    }
+    log("Timed out");
+    process.exit(1);
+  }
+}
+
+function cmdAuthLogout() {
+  try { fs.unlinkSync(AUTH_FILE); } catch {}
+  log("Logged out");
+}
+
+async function cmdRedeem(code) {
+  if (!code) {
+    console.log("Usage: 0dai redeem <CODE>");
+    console.log("Example: 0dai redeem ESSE-ABCD-1234");
+    process.exit(1);
+  }
+  try {
+    JSON.parse(fs.readFileSync(AUTH_FILE, "utf8"));
+  } catch {
+    log("Not logged in. Run: 0dai auth login");
+    process.exit(1);
+  }
+  log(`Redeeming code ${T}${code.toUpperCase()}${R}...`);
+  const result = await apiCall("/v1/redeem", { code: code.toUpperCase().trim() });
+  if (result.ok) {
+    log(`${T}✓${R} ${result.message}`);
+    if (result.duration_days) {
+      log(`  Plan active for ${result.duration_days} days`);
+    }
+    log(`  Run ${D}0dai auth status${R} to see updated limits`);
+  } else {
+    log(`error: ${result.error || "unknown"}`);
+    if (result.hint) log(`hint: ${result.hint}`);
+    process.exit(1);
+  }
+}
+
+async function cmdAuthStatus() {
+  try {
+    const auth = loadAuthState();
+    if (!auth) throw new Error("missing auth");
+    // Backwards compat: old auth.json used `user`, new uses `email`
+    const email = auth.email || auth.user || "unknown";
+    log(`${email} (${auth.plan || "free"} plan)`);
+    // Get usage from API
+    const status = await fetchAuthStatus();
+    if (status.usage_today) {
+      console.log("  Usage today:");
+      for (const [k, v] of Object.entries(status.usage_today))
+        console.log(`    ${k}: ${v} / ${status.limits[k]}`);
+    }
+    const license = status.license || auth.license || { status: "inactive" };
+    console.log(`  Activation: ${license.status || "inactive"}${license.activation_id ? ` (${license.activation_id})` : ""}`);
+    if (status.projects && status.projects.length) {
+      console.log(`  Projects bound: ${status.projects.length} / ${status.project_limit || "?"}`);
+    }
+  } catch {
+    log("Not logged in. Run: 0dai auth login");
+  }
+}
+
+async function cmdActivateFree() {
+  const ensureAuthenticated = makeEnsureAuthenticated(cmdAuthLogin);
+  await ensureAuthenticated("activation");
+  const license = await ensureLicenseActivation();
+  log(`license ${license.status}`);
+  console.log(`  activation id: ${license.activation_id}`);
+  console.log(`  plan: ${license.plan || "free"}`);
+}
+
+async function cmdActivateStatus() {
+  const ensureAuthenticated = makeEnsureAuthenticated(cmdAuthLogin);
+  const status = await ensureAuthenticated("activation status");
+  const license = status.license || (await apiCall("/v1/licenses/status")).license || { status: "inactive" };
+  updateAuthState({ license });
+  log(`license ${license.status || "inactive"}`);
+  if (license.activation_id) console.log(`  activation id: ${license.activation_id}`);
+  console.log(`  plan: ${license.plan || status.plan || "free"}`);
+}
+
+module.exports = { cmdAuthLogin, cmdAuthLogout, cmdRedeem, cmdAuthStatus, cmdActivateFree, cmdActivateStatus };

package/lib/commands/detect.js

@@ -0,0 +1,31 @@
+"use strict";
+const shared = require("../shared");
+const { D, R, log, apiCall, collectMetadata } = shared;
+
+async function cmdDetect(target) {
+  const OPTIONAL_CLIS = ["gemini", "aider", "opencode"];
+  const { projectFiles, manifestContents, clis: localClis } = collectMetadata(target);
+  // Send file contents AND local CLI inventory so server can do content-based detection
+  const result = await apiCall("/v1/detect", {
+    project_files: projectFiles,
+    manifest_contents: manifestContents,
+    available_clis: localClis,
+  });
+  if (result.error) { log(`error: ${result.error}`); return; }
+  console.log(`stack: ${result.stack || "?"}`);
+  // Use local CLIs if server didn't return any (server can't detect locally installed binaries)
+  const clis = (result.available_clis && result.available_clis.length && result.available_clis[0]) ? result.available_clis : localClis;
+  if (clis.length) {
+    console.log(`clis:  ${clis.join(", ")}`);
+  } else {
+    console.log(`clis:  none detected`);
+    console.log(`       ${D}install claude, codex, or opencode to use 0dai${R}`);
+  }
+  // Explain optional CLIs so missing doesn't alarm users
+  const missing = OPTIONAL_CLIS.filter(c => !clis.includes(c));
+  if (missing.length && clis.length) {
+    console.log(`       ${D}optional (not installed): ${missing.join(", ")}${R}`);
+  }
+}
+
+module.exports = { cmdDetect };

package/lib/commands/doctor.js

@@ -0,0 +1,194 @@
+"use strict";
+const shared = require("../shared");
+const { log, T, R, D, fs, path, spawnSync, findRepoScript, SUPPORTED_CLIS, recordExperienceEvent } = shared;
+
+function cmdDoctor(target) {
+  const ai = path.join(target, "ai");
+  if (!fs.existsSync(ai)) { log("No 0dai config found. Run: 0dai init"); return; }
+  let v = "?", stack = "generic";
+  try { v = fs.readFileSync(path.join(ai, "VERSION"), "utf8").trim(); } catch {}
+  try { stack = JSON.parse(fs.readFileSync(path.join(ai, "manifest", "discovery.json"), "utf8")).stack || "generic"; } catch {}
+
+  const W = process.stdout.isTTY ? "\x1b[33m" : "";  // yellow
+  const E = process.stdout.isTTY ? "\x1b[31m" : "";  // red
+  const G = process.stdout.isTTY ? "\x1b[32m" : "";  // green
+  const R2 = process.stdout.isTTY ? "\x1b[0m" : "";
+
+  // --- ai/ layer checks ---
+  const layerChecks = {
+    "ai/VERSION":                  { path: path.join(ai, "VERSION"),                   sev: "error" },
+    "ai/manifest/project.yaml":    { path: path.join(ai, "manifest", "project.yaml"),  sev: "error" },
+    "ai/manifest/commands.yaml":   { path: path.join(ai, "manifest", "commands.yaml"), sev: "warn"  },
+    "ai/manifest/discovery.json":  { path: path.join(ai, "manifest", "discovery.json"),sev: "warn"  },
+    ".claude/settings.json":       { path: path.join(target, ".claude", "settings.json"), sev: "warn" },
+    "AGENTS.md":                   { path: path.join(target, "AGENTS.md"),             sev: "warn"  },
+  };
+
+  // --- credentials checklist ---
+  // Detect subscription-based auth (not just env API keys)
+  const { execFileSync: _execFile } = require("child_process");
+  function cliAuthed(cli) {
+    try {
+      if (cli === "claude") {
+        const out = _execFile("claude", ["auth", "status"], { timeout: 5000 }).toString();
+        try { return JSON.parse(out).loggedIn === true; } catch {}
+        return out.includes("loggedIn");
+      }
+      _execFile("which", [cli], { timeout: 2000 });
+      return true;
+    } catch { return false; }
+  }
+
+  const claudeAuth = cliAuthed("claude");
+  const codexAuth = cliAuthed("codex");
+
+  const credChecks = [
+    {
+      name: "Claude Code",
+      present: claudeAuth || !!process.env.ANTHROPIC_API_KEY,
+      sev: (claudeAuth || process.env.ANTHROPIC_API_KEY) ? "ok" : "warn",
+      hint: claudeAuth ? "authenticated via subscription" : "run: claude auth login (or set ANTHROPIC_API_KEY)",
+    },
+    {
+      name: "Codex CLI",
+      present: codexAuth || !!process.env.OPENAI_API_KEY,
+      sev: (codexAuth || process.env.OPENAI_API_KEY) ? "ok" : "warn",
+      hint: codexAuth ? "installed (uses ChatGPT subscription)" : "run: npm i -g @openai/codex (or set OPENAI_API_KEY)",
+    },
+    {
+      name: "GITHUB_TOKEN",
+      present: !!process.env.GITHUB_TOKEN,
+      sev: process.env.GITHUB_TOKEN ? "ok" : "info",
+      hint: "Optional — for gh CLI, PR creation",
+    },
+  ];
+
+  // Stack-specific creds
+  if (stack.includes("vercel") || stack.includes("next")) {
+    credChecks.push({ name: "VERCEL_TOKEN", present: !!process.env.VERCEL_TOKEN, sev: process.env.VERCEL_TOKEN ? "ok" : "info", hint: "Optional — for Vercel deployments" });
+  }
+  if (stack.includes("aws") || stack.includes("lambda") || stack.includes("cdk")) {
+    credChecks.push({ name: "AWS_ACCESS_KEY_ID", present: !!process.env.AWS_ACCESS_KEY_ID, sev: process.env.AWS_ACCESS_KEY_ID ? "ok" : "info", hint: "Optional — for AWS deployments" });
+  }
+  if (stack.includes("gcp") || stack.includes("firebase") || stack.includes("flutter")) {
+    credChecks.push({ name: "GCP_CREDENTIALS", present: !!process.env.GOOGLE_APPLICATION_CREDENTIALS, sev: process.env.GOOGLE_APPLICATION_CREDENTIALS ? "ok" : "info", hint: "Optional — for GCP/Firebase" });
+  }
+
+  // --- run checks ---
+  let errors = 0, warnings = 0;
+  log(`v${v} | stack: ${stack}\n`);
+
+  const missingConfigs = [];
+  console.log("  ai/ layer:");
+  for (const [name, { path: p, sev }] of Object.entries(layerChecks)) {
+    const exists = fs.existsSync(p);
+    if (!exists) {
+      sev === "error" ? errors++ : warnings++;
+      if (sev === "warn") missingConfigs.push(name);
+    }
+    const mark = exists ? `${G}ok${R2}` : sev === "error" ? `${E}MISSING${R2}` : `${W}missing${R2}`;
+    console.log(`    ${mark.padEnd(22)} ${name}`);
+  }
+  // Explain WHY native configs are missing and what to do
+  if (missingConfigs.length > 0) {
+    const hasDiscovery = fs.existsSync(path.join(ai, "manifest", "discovery.json"));
+    if (hasDiscovery) {
+      console.log(`\n    ${W}→ Native configs not generated yet.${R2}`);
+      console.log(`      ${D}Run: 0dai sync --target .${R2}`);
+    } else {
+      console.log(`\n    ${W}→ ai/ layer incomplete — run '0dai init' first.${R2}`);
+    }
+  }
+
+  console.log("\n  credentials:");
+  for (const c of credChecks) {
+    if (!c.present && c.sev === "warn") warnings++;
+    const mark = c.present ? `${G}ok${R2}` : c.sev === "warn" ? `${W}not set${R2}` : `${D}not set${R2}`;
+    const hint = c.present && c.hint.includes("subscription") ? ` ${D}(${c.hint})${R2}` : (!c.present ? `\n      ${D}→ ${c.hint}${R2}` : "");
+    console.log(`    ${mark.padEnd(22)} ${c.name}${hint}`);
+  }
+
+  // --- agent CLIs check ---
+  const { execFileSync: _ef2 } = require("child_process");
+  let updatesAvailable = 0;
+  console.log("\n  agent CLIs:");
+  for (const cli of SUPPORTED_CLIS) {
+    let installed = false, ver = null;
+    try {
+      const out = _ef2(cli.bin, ["--version"], { timeout: 8000 }).toString().trim();
+      installed = true;
+      const m = out.match(/(\d+\.\d+\.\d+)/);
+      if (m) ver = m[1];
+    } catch {}
+
+    if (installed) {
+      let latest = null;
+      if (cli.pkg) {
+        try {
+          const npmOut = _ef2("npm", ["view", cli.pkg, "version"], { timeout: 5000 }).toString().trim();
+          if (npmOut.match(/^\d+\.\d+\.\d+$/)) latest = npmOut;
+        } catch {}
+      }
+      if (latest && ver && latest !== ver) {
+        updatesAvailable++;
+        console.log(`    ${W}update${R2}  ${cli.name} ${D}${ver} → ${latest}${R2}`);
+        console.log(`      ${D}→ ${cli.install}${R2}`);
+      } else {
+        console.log(`    ${G}ok${R2}      ${cli.name}${ver ? ` ${D}v${ver}${R2}` : ""}`);
+      }
+    } else {
+      console.log(`    ${D}—${R2}       ${cli.name} ${D}not installed${R2}`);
+      console.log(`      ${D}→ ${cli.install}${cli.altAuth ? ` (or ${cli.altAuth})` : ""}${R2}`);
+    }
+  }
+  if (updatesAvailable) {
+    console.log(`\n    ${D}Run: 0dai update${R2} to update all`);
+  }
+
+  // --- swarm check ---
+  const swarmDir = path.join(ai, "swarm");
+  const countDir = (d) => { try { return fs.readdirSync(d).filter(f => f.endsWith(".json")).length; } catch { return 0; } };
+  const qCount = countDir(path.join(swarmDir, "queue"));
+  const dCount = countDir(path.join(swarmDir, "done"));
+  if (qCount || dCount) {
+    console.log(`\n  swarm: ${qCount} queued, ${dCount} done`);
+    if (qCount) console.log(`    ${W}→ run '0dai reflect' to review pending tasks${R2}`);
+  }
+
+  const summary = errors ? `${E}${errors} error(s)${R2}` : warnings ? `${W}${warnings} warning(s)${R2}` : `${G}healthy${R2}`;
+  console.log(`\n  status: ${summary}`);
+  recordExperienceEvent(target, {
+    event_type: "doctor_run",
+    agent: "cli",
+    model: "0dai-cli",
+    effort: "low",
+    task: { goal: "doctor health check", task_type: "review", result: errors ? "failure" : "success", elapsed_seconds: 0, cost_usd: 0 },
+    context: { stack, files_touched: 0, tests_passed: errors === 0 },
+    quality: {
+      lint_clean: errors === 0,
+      no_secrets: true,
+      commit_message_valid: true,
+      acceptance_criteria_met: errors === 0,
+      review_needed: warnings > 0,
+    },
+  });
+  if (errors) process.exitCode = 1;
+
+  // Drift summary (lightweight — full report via --drift flag)
+  try {
+    const ds = findRepoScript(target, "drift_detector.py");
+    if (ds) {
+      const dr = spawnSync("python3", [ds, "report", "--target", target],
+                           { stdio: ["ignore", "pipe", "ignore"], encoding: "utf8", timeout: 5000 });
+      if (dr.stdout && dr.stdout.includes("MODIFIED")) {
+        const lines = dr.stdout.trim().split("\n");
+        const driftCount = lines.filter(l => l.includes("MODIFIED") || l.includes("CONTRADICTS")).length;
+        if (driftCount > 0) {
+          console.log(`\n  config drift: ${driftCount} issue(s) — run: 0dai doctor --drift`);
+        }
+      }
+    }
+  } catch {}
+}
+
+module.exports = { cmdDoctor };

package/lib/commands/experience.js

@@ -0,0 +1,65 @@
+"use strict";
+const shared = require("../shared");
+const { log, D, R, spawnSync, findRepoScript } = shared;
+
+function cmdExperience(target, sub, args) {
+  const experienceScript = findRepoScript(target, "experience_pipeline.py");
+  if (!experienceScript) {
+    log("experience pipeline unavailable in this environment");
+    console.log(`  ${D}Expected scripts/experience_pipeline.py in repo checkout${R}`);
+    process.exit(1);
+  }
+
+  const command = sub || "list";
+  const forwarded = [experienceScript, command, "--target", target];
+  if (command === "list") {
+    if (args.includes("--json")) forwarded.push("--json");
+    const sinceIdx = args.indexOf("--since");
+    if (sinceIdx >= 0 && args[sinceIdx + 1]) forwarded.push("--since", args[sinceIdx + 1]);
+    const agentIdx = args.indexOf("--agent");
+    if (agentIdx >= 0 && args[agentIdx + 1]) forwarded.push("--agent", args[agentIdx + 1]);
+    const typeIdx = args.indexOf("--type");
+    if (typeIdx >= 0 && args[typeIdx + 1]) forwarded.push("--type", args[typeIdx + 1]);
+    const resultIdx = args.indexOf("--result");
+    if (resultIdx >= 0 && args[resultIdx + 1]) forwarded.push("--result", args[resultIdx + 1]);
+    const limitIdx = args.indexOf("--limit");
+    if (limitIdx >= 0 && args[limitIdx + 1]) forwarded.push("--limit", args[limitIdx + 1]);
+  } else if (command === "stats") {
+    if (args.includes("--json")) forwarded.push("--json");
+    const periodIdx = args.indexOf("--period");
+    if (periodIdx >= 0 && args[periodIdx + 1]) forwarded.push("--period", args[periodIdx + 1]);
+    const byIdx = args.indexOf("--by");
+    if (byIdx >= 0 && args[byIdx + 1]) forwarded.push("--by", args[byIdx + 1]);
+  } else if (command === "warnings") {
+    const detectorScript = findRepoScript(target, "anti_pattern_detector.py");
+    if (!detectorScript) { log("anti-pattern detector unavailable"); process.exit(1); }
+    const fwd = [detectorScript, "warnings", "--target", target];
+    if (args.includes("--json")) fwd.push("--json");
+    if (args.includes("--refresh")) fwd.push("--refresh");
+    if (args.includes("--verbose")) fwd.push("--verbose");
+    const sevIdx = args.indexOf("--severity");
+    if (sevIdx >= 0 && args[sevIdx + 1]) fwd.push("--severity", args[sevIdx + 1]);
+    const wr = spawnSync("python3", fwd, { stdio: "inherit" });
+    if (typeof wr.status === "number") process.exit(wr.status);
+    process.exit(1);
+  } else if (command === "dismiss") {
+    const detectorScript = findRepoScript(target, "anti_pattern_detector.py");
+    if (!detectorScript) { log("anti-pattern detector unavailable"); process.exit(1); }
+    const patternId = args.find(a => a && !a.startsWith("-")) || "";
+    if (!patternId) { console.log("Usage: 0dai experience dismiss <pattern_id>"); process.exit(1); }
+    const fwd = [detectorScript, "dismiss", patternId, "--target", target];
+    if (args.includes("--json")) fwd.push("--json");
+    const dr = spawnSync("python3", fwd, { stdio: "inherit" });
+    if (typeof dr.status === "number") process.exit(dr.status);
+    process.exit(1);
+  } else {
+    console.log("Usage: 0dai experience [list|stats|warnings|dismiss]");
+    process.exit(1);
+  }
+
+  const result = spawnSync("python3", forwarded, { stdio: "inherit" });
+  if (typeof result.status === "number") process.exit(result.status);
+  process.exit(1);
+}
+
+module.exports = { cmdExperience };