@agentbridge1/cli 0.0.4 → 0.0.6

package/dist/build-info.json

@@ -1,6 +1,6 @@
 {
-  "builtAt": "2026-06-02T04:55:04.008Z",
-  "gitHead": "86fed7f",
-  "sourceLatestMtime": "2026-06-02T04:51:46.614Z",
-  "sourceLatestFile": "src/commands/connect.ts"
+  "builtAt": "2026-06-06T12:05:27.957Z",
+  "gitHead": "ec17ba8",
+  "sourceLatestMtime": "2026-06-06T11:59:41.649Z",
+  "sourceLatestFile": "src/commands/watch.ts"
 }

package/dist/commands/accept.js

@@ -10,6 +10,7 @@ const server_sync_1 = require("../server-sync");
 const operator_snapshot_1 = require("../operator-snapshot");
 const work_context_resolver_1 = require("../work-context-resolver");
 const error_catalog_1 = require("../error-catalog");
+const proof_obligations_1 = require("../proof-obligations");
 const acceptance_preflight_1 = require("../acceptance-preflight");
 const acceptance_block_1 = require("../acceptance-block");
 function resolveNetworkContext() {
@@ -36,10 +37,9 @@ function blockedErrorCode(report) {
     if ((report.out_of_scope_files ?? []).length > 0 || report.scope_status === "drift") {
         return "SCOPE_DRIFT_OUT_OF_SCOPE_FILE";
     }
-    if (report.decision === "needs_proof")
-        return "PROOF_MISSING";
-    if (report.decision === "stale_evidence")
-        return "PROOF_STALE_AFTER_CHANGE";
+    const proofCode = (0, proof_obligations_1.resolveProofBlockingErrorCode)(report);
+    if (proofCode)
+        return proofCode;
     return "ACCEPTANCE_BLOCKED";
 }
 function buildStructuredBlockedOutput(report) {

package/dist/commands/check.js

@@ -9,6 +9,7 @@ const acceptance_preflight_1 = require("../acceptance-preflight");
 const work_context_resolver_1 = require("../work-context-resolver");
 const operator_snapshot_1 = require("../operator-snapshot");
 const proof_guidance_1 = require("../proof-guidance");
+const proof_obligations_1 = require("../proof-obligations");
 const memory_context_render_1 = require("../memory-context-render");
 const acceptance_block_1 = require("../acceptance-block");
 function resolveNetworkContext() {
@@ -184,8 +185,16 @@ function renderAcceptanceReport(report) {
             }
         }
     }
+    const obligationSection = (0, proof_obligations_1.renderProofObligationSection)(report);
+    if (obligationSection.length > 0) {
+        lines.push(...obligationSection);
+    }
     lines.push(`Decision: ${report.decision}`);
-    if (report.decision === "needs_proof") {
+    const obligationErrorLines = (0, proof_obligations_1.renderProofObligationErrorLines)(report);
+    if (obligationErrorLines.length > 0) {
+        lines.push(...obligationErrorLines);
+    }
+    else if (report.decision === "needs_proof") {
         lines.push("✗ Error code: PROOF_MISSING");
         lines.push("  What happened: No verification proof exists for this work session.");
         lines.push("  Why it matters: Unverified work cannot be accepted — proof is required.");

package/dist/commands/connect.js

@@ -84,6 +84,113 @@ async function listAgents(projectId, apiKey, apiBaseUrl) {
     const body = (await res.json());
     return Array.isArray(body.agents) ? body.agents : [];
 }
+async function resolveExecutionSurfaceFromHello(projectId, apiKey, apiBaseUrl) {
+    const url = `${apiBaseUrl}/v1/dev/projects/${projectId}/hello`;
+    try {
+        const res = await fetch(url, {
+            method: "POST",
+            headers: {
+                Authorization: `Bearer ${apiKey}`,
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify({ tool_type: "cli" }),
+        });
+        if (!res.ok) {
+            return {
+                executionSurfaceId: null,
+                identityModel: "unknown",
+                status: `http_${res.status}`,
+            };
+        }
+        const body = (await res.json());
+        if (body.identity_model !== "work_identity") {
+            if (body.identity_model === "legacy") {
+                return {
+                    executionSurfaceId: null,
+                    identityModel: "legacy",
+                    status: "legacy_identity",
+                };
+            }
+            return {
+                executionSurfaceId: null,
+                identityModel: "unknown",
+                status: "unknown_identity_model",
+            };
+        }
+        const surfaceId = body.execution_surface?.id?.trim();
+        return {
+            executionSurfaceId: surfaceId || null,
+            identityModel: "work_identity",
+            status: surfaceId ? "ok" : "missing_execution_surface",
+        };
+    }
+    catch {
+        return {
+            executionSurfaceId: null,
+            identityModel: "unknown",
+            status: "network_error",
+        };
+    }
+}
+async function bootstrapDefaultConnection(projectId, apiKey, apiBaseUrl) {
+    const url = `${apiBaseUrl}/v1/dev/projects/${projectId}/connections/bootstrap-default`;
+    try {
+        const res = await fetch(url, {
+            method: "POST",
+            headers: {
+                Authorization: `Bearer ${apiKey}`,
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify({}),
+        });
+        if (!res.ok)
+            return { ok: false, status: res.status, reason: `http_${res.status}` };
+        const body = (await res.json());
+        const nextApiKey = body.api_key?.trim();
+        const executionSurfaceId = body.execution_surface_id?.trim();
+        if (!nextApiKey || !executionSurfaceId) {
+            return { ok: false, status: 200, reason: "invalid_payload" };
+        }
+        return { ok: true, apiKey: nextApiKey, executionSurfaceId };
+    }
+    catch {
+        return { ok: false, status: 0, reason: "network_error" };
+    }
+}
+async function rotateActiveConnectionKey(projectId, apiKey, apiBaseUrl) {
+    const listUrl = `${apiBaseUrl}/v1/dev/projects/${projectId}/connections`;
+    try {
+        const listRes = await fetch(listUrl, {
+            headers: { Authorization: `Bearer ${apiKey}` },
+        });
+        if (!listRes.ok)
+            return { ok: false, reason: `list_http_${listRes.status}` };
+        const listBody = (await listRes.json());
+        const activeConnection = (listBody.connections ?? []).find((connection) => connection?.id && connection?.status === "active");
+        if (!activeConnection?.id)
+            return { ok: false, reason: "no_active_connection" };
+        const rotateUrl = `${apiBaseUrl}/v1/dev/projects/${projectId}/connections/${activeConnection.id}/rotate-key`;
+        const rotateRes = await fetch(rotateUrl, {
+            method: "POST",
+            headers: {
+                Authorization: `Bearer ${apiKey}`,
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify({}),
+        });
+        if (!rotateRes.ok)
+            return { ok: false, reason: `rotate_http_${rotateRes.status}` };
+        const rotateBody = (await rotateRes.json());
+        const rotatedApiKey = rotateBody.api_key?.trim();
+        const executionSurfaceId = rotateBody.connection?.execution_surface?.id?.trim();
+        if (!rotatedApiKey || !executionSurfaceId)
+            return { ok: false, reason: "invalid_payload" };
+        return { ok: true, apiKey: rotatedApiKey, executionSurfaceId };
+    }
+    catch {
+        return { ok: false, reason: "network_error" };
+    }
+}
 async function runConnect(options = {}) {
     process.stdout.write("AgentBridge connect\n");
     process.stdout.write("─────────────────────────────────────────\n");
@@ -142,13 +249,86 @@ async function runConnect(options = {}) {
         throw err;
     }
     process.stdout.write("OK\n");
+    let effectiveApiKey = apiKey;
+    const diagnostics = {
+        helloIdentityModel: "unknown",
+        helloStatus: "not_attempted",
+        bootstrapStatus: "not_attempted",
+        rotateStatus: "not_attempted",
+    };
+    const helloResolution = await resolveExecutionSurfaceFromHello(projectId, effectiveApiKey, apiBaseUrl);
+    diagnostics.helloIdentityModel = helloResolution.identityModel;
+    diagnostics.helloStatus = helloResolution.status;
+    let executionSurfaceId = helloResolution.executionSurfaceId;
+    let connectionUpgraded = false;
+    if (!executionSurfaceId) {
+        diagnostics.bootstrapStatus = "attempted";
+        const bootstrapAttempt = await bootstrapDefaultConnection(projectId, effectiveApiKey, apiBaseUrl);
+        if (bootstrapAttempt.ok) {
+            effectiveApiKey = bootstrapAttempt.apiKey;
+            executionSurfaceId = bootstrapAttempt.executionSurfaceId;
+            diagnostics.bootstrapStatus = "ok";
+            diagnostics.rotateStatus = "skipped";
+            connectionUpgraded = true;
+        }
+        else if (bootstrapAttempt.status === 409) {
+            diagnostics.bootstrapStatus = "http_409_existing_connection";
+            const rotated = await rotateActiveConnectionKey(projectId, effectiveApiKey, apiBaseUrl);
+            if (rotated.ok) {
+                diagnostics.rotateStatus = "ok";
+                effectiveApiKey = rotated.apiKey;
+                executionSurfaceId = rotated.executionSurfaceId;
+                connectionUpgraded = true;
+            }
+            else {
+                diagnostics.rotateStatus = rotated.reason;
+            }
+        }
+        else {
+            diagnostics.bootstrapStatus = bootstrapAttempt.reason;
+            diagnostics.rotateStatus = "skipped";
+        }
+    }
+    else {
+        diagnostics.bootstrapStatus = "skipped";
+        diagnostics.rotateStatus = "skipped";
+    }
+    if (!executionSurfaceId) {
+        (0, config_1.updateConfig)({
+            projectId,
+            apiKey: effectiveApiKey,
+            apiBaseUrl,
+        });
+        throw new errors_1.SafeCliError([
+            "Connection incomplete.",
+            "Project access was verified, but AgentBridge could not create or resolve an execution surface.",
+            "Tracked work cannot start yet.",
+            "",
+            `hello identity model: ${diagnostics.helloIdentityModel}`,
+            `hello status: ${diagnostics.helloStatus}`,
+            `bootstrap-default status: ${diagnostics.bootstrapStatus}`,
+            `rotate-key status: ${diagnostics.rotateStatus}`,
+            `backend URL: ${apiBaseUrl}`,
+        ].join("\n"));
+    }
     // Persist credentials
-    (0, config_1.updateConfig)({ projectId, apiKey, apiBaseUrl });
+    (0, config_1.updateConfig)({
+        projectId,
+        apiKey: effectiveApiKey,
+        apiBaseUrl,
+        ...(executionSurfaceId ? { executionSurfaceId } : {}),
+    });
     process.stdout.write("Credentials saved to .agentbridge/config.json\n");
+    if (connectionUpgraded) {
+        process.stdout.write("Auto-configured an AgentConnection key and execution surface for this project.\n");
+    }
+    else {
+        process.stdout.write(`Execution surface: ${executionSurfaceId}\n`);
+    }
     // Pick or auto-select an agent identity
     let activeAgentId = options.agentId ?? cfg.activeAgentId;
     if (!activeAgentId) {
-        const agents = await listAgents(projectId, apiKey, apiBaseUrl);
+        const agents = await listAgents(projectId, effectiveApiKey, apiBaseUrl);
         if (agents.length === 1 && agents[0]) {
             activeAgentId = agents[0].id;
             (0, config_1.updateConfig)({ activeAgentId });
@@ -159,7 +339,7 @@ async function runConnect(options = {}) {
             for (const a of agents) {
                 process.stdout.write(`  ${a.id}  ${a.name ?? ""}  ${a.role ?? ""}\n`.trimEnd() + "\n");
             }
-            process.stdout.write('\nRun `agentbridge use <agent-id>` to select one, then `agentbridge watch` to start.\n');
+            process.stdout.write('\nRun `agentbridge use <agent-id>` to select one.\n');
         }
     }
     else {
@@ -169,24 +349,23 @@ async function runConnect(options = {}) {
     process.stdout.write("\n");
     process.stdout.write(`Project:  ${projectName}\n`);
     process.stdout.write(`Agents:   ${agentCount}\n`);
+    process.stdout.write(`Execution surface: ${executionSurfaceId}\n`);
     process.stdout.write(`Server:   ${apiBaseUrl}\n`);
     process.stdout.write("\n");
     if (activeAgentId) {
-        process.stdout.write("✓ Connected. Next steps:\n");
+        process.stdout.write("✓ Connected and ready.\n");
         process.stdout.write([
             "",
-            "  1. Start a work session:",
-            "       agentbridge start --summary \"your task\" --scope \"src/\"",
-            "",
-            "  2. Run the watcher (keep it running in a terminal):",
-            "       agentbridge watch",
-            "",
-            "  3. Code normally — AgentBridge watches in the background.",
-            "     Approvals surface when you cross domain boundaries.",
+            "Next:",
+            "  agentbridge doctor",
+            "  agentbridge watch",
             "",
         ].join("\n"));
     }
     else {
-        process.stdout.write("✓ Connected. Run `agentbridge use <agent-id>` then `agentbridge watch`.\n");
+        process.stdout.write("✓ Connected.\n");
+        process.stdout.write("Run `agentbridge use <agent-id>` and then:\n");
+        process.stdout.write("  agentbridge doctor\n");
+        process.stdout.write("  agentbridge watch\n");
     }
 }

package/dist/commands/doctor.js

@@ -10,6 +10,7 @@ const http_1 = require("../http");
 const dist_freshness_1 = require("./dist-freshness");
 const session_state_1 = require("../session-state");
 const server_sync_1 = require("../server-sync");
+const recovery_reconcile_1 = require("../recovery-reconcile");
 function cliRootFromCommandDir() {
     return (0, node_path_1.resolve)(__dirname, "..", "..");
 }
@@ -86,11 +87,27 @@ function extractHttpReason(error) {
     }
     return `http_${error.status}`;
 }
-function recoveryRequiredByPacket(packet) {
-    if (!packet || packet.project_mode !== "recovery")
-        return false;
-    const status = packet.recovery_status ?? null;
-    return status === "baseline_required" || status === "pending" || status === null;
+function detectGovernanceSignals(workspaceRoot) {
+    const rulesMdcPath = (0, node_path_1.resolve)(workspaceRoot, ".cursor", "rules", "agentbridge.mdc");
+    const rulesMarkdownPath = (0, node_path_1.resolve)(workspaceRoot, "AGENTBRIDGE.md");
+    const mcpConfigPath = (0, node_path_1.resolve)(workspaceRoot, ".cursor", "mcp.json");
+    const rulesInstalled = (0, node_fs_1.existsSync)(rulesMdcPath) && (0, node_fs_1.existsSync)(rulesMarkdownPath);
+    let mcpConfigured = false;
+    if ((0, node_fs_1.existsSync)(mcpConfigPath)) {
+        try {
+            const parsed = JSON.parse((0, node_fs_1.readFileSync)(mcpConfigPath, "utf8"));
+            mcpConfigured = Boolean(parsed?.mcpServers &&
+                (parsed.mcpServers["agentbridge"] || parsed.mcpServers["agentbridge-mcp"]));
+        }
+        catch {
+            mcpConfigured = false;
+        }
+    }
+    return {
+        rulesInstalled,
+        mcpConfigured,
+        governanceStatus: rulesInstalled && mcpConfigured ? "active" : "inactive",
+    };
 }
 async function checkProjectAccess(ctx) {
     if (!ctx.configComplete) {
@@ -146,7 +163,39 @@ async function checkProjectAccess(ctx) {
 }
 async function checkIdentityAccess(ctx) {
     if (!ctx.configComplete) {
-        return { status: "skipped", reason: "config_incomplete" };
+        return {
+            status: "skipped",
+            reason: "config_incomplete",
+            identityModel: "unknown",
+            executionSurfaceId: null,
+            startCapable: false,
+        };
+    }
+    const helloUrl = `${ctx.apiBaseUrl}/v1/dev/projects/${ctx.projectId}/hello`;
+    let identityModel = "unknown";
+    let executionSurfaceId = null;
+    try {
+        const helloRes = await fetch(helloUrl, {
+            method: "POST",
+            headers: {
+                Authorization: `Bearer ${ctx.apiKey}`,
+                "Content-Type": "application/json",
+            },
+            body: JSON.stringify({ tool_type: "cli" }),
+        });
+        if (helloRes.ok) {
+            const hello = (await helloRes.json());
+            if (hello.identity_model === "work_identity") {
+                identityModel = "work_identity";
+            }
+            else if (hello.identity_model === "legacy") {
+                identityModel = "legacy";
+            }
+            executionSurfaceId = hello.execution_surface?.id?.trim() || null;
+        }
+    }
+    catch {
+        // Keep default unknown/null and continue with identity resolution checks.
     }
     try {
         const syncCtx = {
@@ -160,18 +209,34 @@ async function checkIdentityAccess(ctx) {
             (0, server_sync_1.listWorkIdentities)(syncCtx),
         ]);
         const callerId = callerPacket?.work_identity?.id ?? null;
-        if (callerId)
-            return { status: "ok" };
-        if (identities.length === 1)
-            return { status: "ok" };
-        return { status: "failed", reason: "caller_identity_unresolved" };
+        const startCapable = Boolean(executionSurfaceId);
+        if (callerId) {
+            return { status: "ok", identityModel, executionSurfaceId, startCapable };
+        }
+        if (identities.length === 1) {
+            return { status: "ok", identityModel, executionSurfaceId, startCapable };
+        }
+        return {
+            status: "failed",
+            reason: "caller_identity_unresolved",
+            identityModel,
+            executionSurfaceId,
+            startCapable,
+        };
     }
     catch {
-        return { status: "failed", reason: "caller_identity_unresolved" };
+        return {
+            status: "failed",
+            reason: "caller_identity_unresolved",
+            identityModel,
+            executionSurfaceId,
+            startCapable: Boolean(executionSurfaceId),
+        };
     }
 }
 async function runDoctor(cliRootOverride) {
     const cliRoot = cliRootOverride ?? cliRootFromCommandDir();
+    const workspaceRoot = process.cwd();
     const cfg = (0, config_1.readConfig)();
     const freshness = (0, dist_freshness_1.getDistFreshnessReport)(cliRoot);
     const configPath = cliRootOverride
@@ -191,6 +256,7 @@ async function runDoctor(cliRootOverride) {
     const projectConfigPresent = projectIdPresent && apiKeyPresent && baseUrlPresent;
     const activeSession = (0, session_state_1.readSessionState)();
     const hasActiveWork = Boolean(activeSession?.id || activeSession?.serverSessionId);
+    const governance = detectGovernanceSignals(workspaceRoot);
     const envContributed = Boolean(process.env.AGENTBRIDGE_PROJECT_ID) ||
         Boolean(process.env.AGENTBRIDGE_API_KEY) ||
         Boolean(process.env.AGENTBRIDGE_BASE_URL) ||
@@ -230,10 +296,10 @@ async function runDoctor(cliRootOverride) {
         apiBaseUrl: resolvedBaseUrl,
         configComplete: projectConfigPresent && projectAccess.status === "ok",
     });
-    lines.push(`Caller identity access: ${identityAccess.status}`);
-    if (identityAccess.reason) {
-        lines.push(`Caller identity reason: ${identityAccess.reason}`);
-    }
+    lines.push(`Rules installed: ${governance.rulesInstalled ? "yes" : "no"}`);
+    lines.push(`MCP configured: ${governance.mcpConfigured ? "yes" : "no"}`);
+    lines.push(`Agent governance: ${governance.governanceStatus}`);
+    lines.push(`Start capable: ${identityAccess.startCapable ? "yes" : "no"}`);
     if (projectAccess.status === "failed" && projectAccess.reason) {
         const view = (0, error_catalog_1.catalogViewForDoctorReason)(projectAccess.reason, projectAccess.suggestedNextAction);
         lines.push("");
@@ -252,54 +318,122 @@ async function runDoctor(cliRootOverride) {
         lines.push("Suggested next action: run npm run dogfood:check before external dogfood.");
     }
     let productStatus = "not_ready";
-    if (projectAccess.status === "ok" && identityAccess.status === "ok") {
+    if (projectAccess.status === "ok" &&
+        identityAccess.status === "ok" &&
+        identityAccess.startCapable) {
         if (hasActiveWork) {
             productStatus = "active_work_found";
         }
         else {
-            productStatus = recoveryRequiredByPacket(projectAccess.packet)
-                ? "needs_recover"
-                : "ready";
+            if ((0, recovery_reconcile_1.recoveryBaselineRequired)(projectAccess.packet)) {
+                productStatus = "needs_recover";
+            }
+            else if ((0, recovery_reconcile_1.recoveryIsBasicPacket)(projectAccess.packet)) {
+                productStatus = "ready_basic_recovery";
+            }
+            else {
+                productStatus = "ready";
+            }
         }
     }
+    const localSupervisionReady = true;
+    const cloudSyncReady = projectAccess.status === "ok";
+    const strictTrackedReady = projectAccess.status === "ok" && identityAccess.status === "ok" && identityAccess.startCapable;
+    lines.push("");
+    lines.push("Capability levels:");
+    lines.push(`- Local supervision: ${localSupervisionReady ? "ready" : "unavailable"}`);
+    lines.push(`- Cloud sync: ${cloudSyncReady ? "ready" : "unavailable"}`);
+    lines.push(`- Strict tracked work: ${strictTrackedReady ? "ready" : "unavailable"}`);
+    if (!cloudSyncReady && projectAccess.reason) {
+        lines.push(`  Cloud sync note: ${projectAccess.reason}`);
+    }
+    if (!strictTrackedReady && identityAccess.reason) {
+        lines.push(`  Strict tracked note: ${identityAccess.reason}`);
+    }
     lines.push("");
     lines.push("Product status:");
     if (productStatus === "ready") {
         lines.push("- Connection: ready");
+        lines.push("- Governance: " + governance.governanceStatus);
         lines.push("- Recovery: ready");
-        lines.push("- Next: agentbridge start");
+        lines.push(`- Rules: ${governance.rulesInstalled ? "installed" : "missing"}`);
+        lines.push(`- MCP: ${governance.mcpConfigured ? "configured" : "missing"}`);
+        lines.push("- Next: run `agentbridge watch` beside Cursor for live supervision");
+    }
+    else if (productStatus === "ready_basic_recovery") {
+        lines.push("- Connection: ready");
+        lines.push("- Governance: " + governance.governanceStatus);
+        lines.push("- Recovery: basic");
+        lines.push(`- Rules: ${governance.rulesInstalled ? "installed" : "missing"}`);
+        lines.push(`- MCP: ${governance.mcpConfigured ? "configured" : "missing"}`);
+        lines.push("- Note: Project context exists, but domains are not fully mapped yet.");
+        lines.push("- Next: run `agent recover --force` for a full domain rebuild, or `agentbridge watch` for live supervision");
     }
     else if (productStatus === "active_work_found") {
+        const recoveryBasic = (0, recovery_reconcile_1.recoveryIsBasicPacket)(projectAccess.packet);
         lines.push("- Connection: ready");
-        lines.push("- Recovery: ready");
+        lines.push("- Governance: " + governance.governanceStatus);
+        lines.push("- Recovery: " + (recoveryBasic ? "basic" : "ready"));
+        lines.push(`- Rules: ${governance.rulesInstalled ? "installed" : "missing"}`);
+        lines.push(`- MCP: ${governance.mcpConfigured ? "configured" : "missing"}`);
+        if (recoveryBasic) {
+            lines.push("- Note: Project context exists, but domains are not fully mapped yet.");
+        }
         lines.push("- Active work: found");
-        lines.push("- Next: agentbridge start");
+        lines.push("- Next: run `agentbridge watch` beside Cursor for live supervision");
     }
     else if (productStatus === "needs_recover") {
         lines.push("- Connection: ready");
+        lines.push("- Governance: " + governance.governanceStatus);
         lines.push("- Recovery: required");
+        lines.push(`- Rules: ${governance.rulesInstalled ? "installed" : "missing"}`);
+        lines.push(`- MCP: ${governance.mcpConfigured ? "configured" : "missing"}`);
         lines.push("- Next: agentbridge recover");
     }
     else {
-        lines.push("- Connection: required");
+        lines.push("- Connection: incomplete");
+        lines.push("- Governance: " + governance.governanceStatus);
         lines.push("- Recovery: pending");
+        lines.push(`- Rules: ${governance.rulesInstalled ? "installed" : "missing"}`);
+        lines.push(`- MCP: ${governance.mcpConfigured ? "configured" : "missing"}`);
         if (!projectConfigPresent) {
             lines.push("- Note: Connection details are missing. Add credentials, then rerun agentbridge doctor.");
         }
-        else if (identityAccess.status !== "ok") {
-            lines.push("- Note: Caller identity is unresolved. Run agentbridge identity list and set a valid active agent.");
+        else if (!identityAccess.startCapable) {
+            lines.push("- Reason: execution surface missing.");
+            lines.push("- Next: agentbridge connect");
         }
         else {
             lines.push("- Note: Connection check failed. Verify credentials/network, then rerun agentbridge doctor.");
         }
-        lines.push("- Next: agentbridge doctor");
+        if (identityAccess.startCapable) {
+            lines.push("- Next: agentbridge doctor");
+        }
+    }
+    lines.push("");
+    lines.push("Advanced details:");
+    lines.push(`- Caller identity access: ${identityAccess.status}`);
+    if (identityAccess.reason) {
+        lines.push(`- Caller identity reason: ${identityAccess.reason}`);
+    }
+    lines.push(`- Caller identity model: ${identityAccess.identityModel}`);
+    lines.push(`- Execution surface present: ${identityAccess.executionSurfaceId ? "yes" : "no"}`);
+    lines.push(`- Start capable (strict/session modes): ${identityAccess.startCapable ? "yes" : "no"}`);
+    if (identityAccess.status !== "ok") {
+        lines.push("- Note: internal identity mismatch affects strict/resume flows, not room-level inferred watch startup.");
+    }
+    if (governance.governanceStatus === "inactive") {
+        lines.push("");
+        lines.push("Governance note: AgentBridge can review in terminal, but your AI agent may not stop automatically until rules and MCP are both configured.");
+    }
+    else {
+        lines.push("");
+        lines.push("Governance note: AgentBridge rules are installed and MCP is configured. The AI agent should stop when AgentBridge flags blocked work.");
     }
     process.stdout.write(`${lines.join("\n")}\n`);
     if (freshness.state === "stale")
         return 1;
     if (projectAccess.status === "failed")
         return 1;
-    if (identityAccess.status === "failed")
-        return 1;
     return 0;
 }

package/dist/commands/proof-guidance.js

@@ -0,0 +1,30 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runProofGuidance = runProofGuidance;
+const config_1 = require("../config");
+const errors_1 = require("../errors");
+const server_sync_1 = require("../server-sync");
+function resolveNetworkContext() {
+    const cfg = (0, config_1.readConfig)();
+    const projectId = process.env.AGENTBRIDGE_PROJECT_ID ?? cfg.projectId;
+    const apiKey = process.env.AGENTBRIDGE_API_KEY ?? cfg.apiKey ?? "";
+    const apiBaseUrl = process.env.AGENTBRIDGE_BASE_URL ?? cfg.apiBaseUrl ?? "https://agentauth-api-production.up.railway.app";
+    if (!projectId) {
+        throw new errors_1.SafeCliError("Missing AGENTBRIDGE_PROJECT_ID. Set AGENTBRIDGE_PROJECT_ID (or run `agentbridge init --project ...`).");
+    }
+    if (!apiKey) {
+        throw new errors_1.SafeCliError("Missing AGENTBRIDGE_API_KEY. Provide --api-key, set AGENTBRIDGE_API_KEY, or save apiKey in .agentbridge/config.json.");
+    }
+    return { projectId, apiKey, apiBaseUrl };
+}
+async function runProofGuidance(options = {}) {
+    const ctx = resolveNetworkContext();
+    const guidance = await (0, server_sync_1.fetchAgentProofGuidance)(ctx, {
+        workSessionId: options.workSessionId,
+        changeRequestId: options.changeRequestId,
+        rolloutProofTooWeak: options.rolloutProofTooWeak,
+        rolloutProofNotRelevant: options.rolloutProofNotRelevant,
+        rolloutImpactCoverageGap: options.rolloutImpactCoverageGap,
+    });
+    process.stdout.write(`${JSON.stringify(guidance, null, 2)}\n`);
+}