@bookedsolid/rea 0.1.0 → 0.2.1

package/dist/cli/doctor.d.ts

@@ -1 +1,60 @@
-export declare function runDoctor(): void;
+import { type CodexProbeState } from '../gateway/observability/codex-probe.js';
+export interface CheckResult {
+    label: string;
+    /**
+     * `info` is purely informational — not a pass, fail, or warning. Used to
+     * print a one-line note about why a check was skipped (e.g. "codex:
+     * disabled via policy.review.codex_required").
+     */
+    status: 'pass' | 'fail' | 'warn' | 'info';
+    detail?: string;
+}
+/**
+ * Translate a `CodexProbeState` into two doctor CheckResults: one for
+ * responsiveness (pass/warn) and one informational line about the last
+ * probe time. Extracted so tests can feed a stub state without running
+ * the real probe.
+ */
+export declare function checksFromProbeState(state: CodexProbeState): CheckResult[];
+/**
+ * Assemble the full checklist for a given baseDir. Exported so tests can
+ * exercise the conditional branching without capturing stdout from
+ * `runDoctor`.
+ *
+ * `codexProbeState` is consulted ONLY when Codex is required by policy.
+ * Callers that already have a fresh probe state (e.g. `runDoctor`) should
+ * pass it; callers that don't (e.g. unit tests of the existing doctor
+ * surface) can omit it and the probe-derived fields are skipped.
+ */
+export declare function collectChecks(baseDir: string, codexProbeState?: CodexProbeState): CheckResult[];
+export interface RunDoctorOptions {
+    /** When true, print a 7-day telemetry summary after the checks (G11.5). */
+    metrics?: boolean;
+    /**
+     * G12 — when true, append a read-only drift report comparing on-disk SHAs
+     * to the install manifest + canonical sources. Never mutates; never fails
+     * the exit code on its own (drift is information, not a hard error — use
+     * `rea upgrade` to reconcile).
+     */
+    drift?: boolean;
+}
+export interface DriftRow {
+    path: string;
+    status: 'unmodified' | 'drifted-from-canonical' | 'drifted-from-manifest' | 'missing' | 'untracked' | 'removed-upstream';
+    detail?: string;
+}
+export interface DriftReport {
+    hasManifest: boolean;
+    bootstrap: boolean;
+    manifestVersion: string | null;
+    reaVersion: string;
+    rows: DriftRow[];
+}
+/**
+ * Compute drift between the install manifest and the current state of the
+ * consumer's tree. Strictly read-only — no file writes. Synthetic entries
+ * (settings subset, managed CLAUDE.md fragment) are checked by hashing the
+ * computed values against the manifest SHA.
+ */
+export declare function collectDriftReport(baseDir: string): Promise<DriftReport>;
+export declare function runDoctor(opts?: RunDoctorOptions): Promise<void>;

package/dist/cli/doctor.js

@@ -1,7 +1,15 @@
 import fs from 'node:fs';
 import path from 'node:path';
 import { loadPolicy } from '../policy/loader.js';
-import { POLICY_FILE, REA_DIR, REGISTRY_FILE, log, reaPath } from './utils.js';
+import { loadRegistry } from '../registry/loader.js';
+import { CodexProbe, } from '../gateway/observability/codex-probe.js';
+import { summarizeTelemetry } from '../gateway/observability/codex-telemetry.js';
+import { CLAUDE_MD_MANIFEST_PATH, SETTINGS_MANIFEST_PATH, enumerateCanonicalFiles, } from './install/canonical.js';
+import { buildFragment } from './install/claude-md.js';
+import { canonicalSettingsSubsetHash, defaultDesiredHooks, } from './install/settings-merge.js';
+import { manifestExists, readManifest } from './install/manifest-io.js';
+import { sha256OfBuffer, sha256OfFile } from './install/sha.js';
+import { POLICY_FILE, REA_DIR, REGISTRY_FILE, getPkgVersion, log, reaPath } from './utils.js';
 function checkFileExists(label, filePath, fatal) {
     const exists = fs.existsSync(filePath);
     if (exists)
@@ -32,46 +40,453 @@ function checkPolicyParses(baseDir, policyPath) {
         };
     }
 }
-function checkCodexPlugin(baseDir) {
-    const commandsDir = path.join(baseDir, '.claude', 'commands');
-    if (!fs.existsSync(commandsDir)) {
+function checkRegistryParses(baseDir, registryPath) {
+    if (!fs.existsSync(registryPath)) {
         return {
-            label: 'Codex plugin command(s)',
+            label: 'registry.yaml parses',
             status: 'warn',
-            detail: 'no .claude/commands/ directory — Codex adversarial review not wired',
+            detail: `missing: ${registryPath}`,
         };
     }
-    const entries = fs.readdirSync(commandsDir);
-    const codexEntry = entries.find((name) => name.toLowerCase().startsWith('codex'));
-    if (codexEntry !== undefined) {
-        return { label: 'Codex plugin command(s)', status: 'pass', detail: codexEntry };
+    try {
+        const registry = loadRegistry(baseDir);
+        return {
+            label: 'registry.yaml parses',
+            status: 'pass',
+            detail: `${registry.servers.length} server(s) declared`,
+        };
+    }
+    catch (e) {
+        return {
+            label: 'registry.yaml parses',
+            status: 'fail',
+            detail: e instanceof Error ? e.message : String(e),
+        };
+    }
+}
+const EXPECTED_AGENTS = [
+    'accessibility-engineer.md',
+    'backend-engineer.md',
+    'code-reviewer.md',
+    'codex-adversarial.md',
+    'frontend-specialist.md',
+    'qa-engineer.md',
+    'rea-orchestrator.md',
+    'security-engineer.md',
+    'technical-writer.md',
+    'typescript-specialist.md',
+];
+const EXPECTED_HOOKS = [
+    'architecture-review-gate.sh',
+    'attribution-advisory.sh',
+    'blocked-paths-enforcer.sh',
+    'changeset-security-gate.sh',
+    'commit-review-gate.sh',
+    'dangerous-bash-interceptor.sh',
+    'dependency-audit-gate.sh',
+    'env-file-protection.sh',
+    'pr-issue-link-gate.sh',
+    'push-review-gate.sh',
+    'secret-scanner.sh',
+    'security-disclosure-gate.sh',
+    'settings-protection.sh',
+];
+function checkAgentsPresent(baseDir) {
+    const agentsDir = path.join(baseDir, '.claude', 'agents');
+    if (!fs.existsSync(agentsDir)) {
+        return { label: 'curated agents installed', status: 'fail', detail: `missing: ${agentsDir}` };
+    }
+    const missing = EXPECTED_AGENTS.filter((name) => !fs.existsSync(path.join(agentsDir, name)));
+    if (missing.length === 0) {
+        return {
+            label: 'curated agents installed',
+            status: 'pass',
+            detail: `${EXPECTED_AGENTS.length} agents present`,
+        };
+    }
+    return {
+        label: 'curated agents installed',
+        status: 'fail',
+        detail: `missing: ${missing.join(', ')}`,
+    };
+}
+function checkHooksInstalled(baseDir) {
+    const hooksDir = path.join(baseDir, '.claude', 'hooks');
+    if (!fs.existsSync(hooksDir)) {
+        return { label: 'hooks installed + executable', status: 'fail', detail: `missing: ${hooksDir}` };
+    }
+    const issues = [];
+    for (const name of EXPECTED_HOOKS) {
+        const p = path.join(hooksDir, name);
+        if (!fs.existsSync(p)) {
+            issues.push(`missing ${name}`);
+            continue;
+        }
+        const stat = fs.statSync(p);
+        if ((stat.mode & 0o111) === 0)
+            issues.push(`${name} not executable (mode=${(stat.mode & 0o777).toString(8)})`);
+    }
+    if (issues.length === 0) {
+        return {
+            label: 'hooks installed + executable',
+            status: 'pass',
+            detail: `${EXPECTED_HOOKS.length} hooks present`,
+        };
+    }
+    return { label: 'hooks installed + executable', status: 'fail', detail: issues.join('; ') };
+}
+function checkSettingsJson(baseDir) {
+    const settingsPath = path.join(baseDir, '.claude', 'settings.json');
+    if (!fs.existsSync(settingsPath)) {
+        return {
+            label: 'settings.json matchers cover Bash + Write|Edit',
+            status: 'fail',
+            detail: `missing: ${settingsPath}`,
+        };
+    }
+    try {
+        const raw = fs.readFileSync(settingsPath, 'utf8');
+        const parsed = JSON.parse(raw);
+        const pre = parsed.hooks?.PreToolUse ?? [];
+        const matchers = new Set(pre.map((g) => g.matcher).filter((m) => typeof m === 'string'));
+        const needs = [];
+        if (!matchers.has('Bash'))
+            needs.push('Bash');
+        if (!matchers.has('Write|Edit'))
+            needs.push('Write|Edit');
+        if (needs.length === 0) {
+            return {
+                label: 'settings.json matchers cover Bash + Write|Edit',
+                status: 'pass',
+            };
+        }
+        return {
+            label: 'settings.json matchers cover Bash + Write|Edit',
+            status: 'fail',
+            detail: `missing PreToolUse matchers: ${needs.join(', ')}`,
+        };
+    }
+    catch (e) {
+        return {
+            label: 'settings.json matchers cover Bash + Write|Edit',
+            status: 'fail',
+            detail: e instanceof Error ? e.message : String(e),
+        };
+    }
+}
+function checkCommitMsgHook(baseDir) {
+    const hookPath = path.join(baseDir, '.git', 'hooks', 'commit-msg');
+    if (!fs.existsSync(hookPath)) {
+        return {
+            label: 'commit-msg hook installed',
+            status: 'warn',
+            detail: `missing: ${hookPath} (block_ai_attribution will not be enforced at commit time)`,
+        };
+    }
+    try {
+        const stat = fs.statSync(hookPath);
+        if (stat.size === 0) {
+            return { label: 'commit-msg hook installed', status: 'fail', detail: 'file is empty' };
+        }
+        return { label: 'commit-msg hook installed', status: 'pass' };
+    }
+    catch (e) {
+        return {
+            label: 'commit-msg hook installed',
+            status: 'fail',
+            detail: e instanceof Error ? e.message : String(e),
+        };
     }
+}
+function checkCodexAgent(baseDir) {
+    const agentPath = path.join(baseDir, '.claude', 'agents', 'codex-adversarial.md');
+    if (fs.existsSync(agentPath))
+        return { label: 'codex-adversarial agent installed', status: 'pass' };
+    return {
+        label: 'codex-adversarial agent installed',
+        status: 'warn',
+        detail: `missing: ${agentPath}`,
+    };
+}
+function checkCodexCommand(baseDir) {
+    const cmdPath = path.join(baseDir, '.claude', 'commands', 'codex-review.md');
+    if (fs.existsSync(cmdPath))
+        return { label: '/codex-review command installed', status: 'pass' };
     return {
-        label: 'Codex plugin command(s)',
+        label: '/codex-review command installed',
         status: 'warn',
-        detail: 'no .claude/commands/codex* found — /codex-review will not be available',
+        detail: `missing: ${cmdPath}`,
     };
 }
+/**
+ * Translate a `CodexProbeState` into two doctor CheckResults: one for
+ * responsiveness (pass/warn) and one informational line about the last
+ * probe time. Extracted so tests can feed a stub state without running
+ * the real probe.
+ */
+export function checksFromProbeState(state) {
+    const responsive = state.cli_responsive
+        ? state.version !== undefined
+            ? {
+                label: 'codex.cli_responsive',
+                status: 'pass',
+                detail: `version: ${state.version}`,
+            }
+            : { label: 'codex.cli_responsive', status: 'pass' }
+        : {
+            label: 'codex.cli_responsive',
+            status: 'warn',
+            detail: state.last_error ?? 'Codex CLI did not respond',
+        };
+    const lastProbe = {
+        label: 'codex.last_probe_at',
+        status: 'info',
+        detail: state.last_probe_at,
+    };
+    return [responsive, lastProbe];
+}
 function formatSymbol(status) {
     if (status === 'pass')
         return '[ok]  ';
     if (status === 'warn')
         return '[warn]';
+    if (status === 'info')
+        return '[info]';
     return '[fail]';
 }
-export function runDoctor() {
-    const baseDir = process.cwd();
+/**
+ * Return whether Codex adversarial review is required. Read from the parsed
+ * policy; default is `true` when the field is absent. Isolated so tests can
+ * stub a policy without having to touch disk.
+ */
+function codexRequiredFromPolicy(baseDir) {
+    try {
+        const policy = loadPolicy(baseDir);
+        return policy.review?.codex_required !== false;
+    }
+    catch {
+        // If the policy itself is unreadable, checkPolicyParses will already
+        // report a fail. Default to "Codex required" so we still run those
+        // checks and surface the full picture.
+        return true;
+    }
+}
+/**
+ * Assemble the full checklist for a given baseDir. Exported so tests can
+ * exercise the conditional branching without capturing stdout from
+ * `runDoctor`.
+ *
+ * `codexProbeState` is consulted ONLY when Codex is required by policy.
+ * Callers that already have a fresh probe state (e.g. `runDoctor`) should
+ * pass it; callers that don't (e.g. unit tests of the existing doctor
+ * surface) can omit it and the probe-derived fields are skipped.
+ */
+export function collectChecks(baseDir, codexProbeState) {
     const policyPath = reaPath(baseDir, POLICY_FILE);
     const registryPath = reaPath(baseDir, REGISTRY_FILE);
-    const reaDir = path.join(baseDir, REA_DIR);
-    const commitMsgHook = path.join(baseDir, '.git', 'hooks', 'commit-msg');
+    const reaDirPath = path.join(baseDir, REA_DIR);
     const checks = [
-        checkFileExists('.rea/ directory exists', reaDir, true),
+        checkFileExists('.rea/ directory exists', reaDirPath, true),
         checkPolicyParses(baseDir, policyPath),
-        checkFileExists('.rea/registry.yaml exists', registryPath, false),
-        checkFileExists('.git/hooks/commit-msg installed', commitMsgHook, false),
-        checkCodexPlugin(baseDir),
+        checkRegistryParses(baseDir, registryPath),
+        checkAgentsPresent(baseDir),
+        checkHooksInstalled(baseDir),
+        checkSettingsJson(baseDir),
+        checkCommitMsgHook(baseDir),
     ];
+    if (codexRequiredFromPolicy(baseDir)) {
+        checks.push(checkCodexAgent(baseDir), checkCodexCommand(baseDir));
+        if (codexProbeState !== undefined) {
+            checks.push(...checksFromProbeState(codexProbeState));
+        }
+    }
+    else {
+        // Single informational line replaces the two Codex-specific checks.
+        // The `codex-adversarial.md` agent is still expected to be present by
+        // checkAgentsPresent — that's deliberate; the agent is cheap to ship
+        // and flipping the flag should not require a re-install.
+        checks.push({
+            label: 'codex',
+            status: 'info',
+            detail: 'disabled via policy.review.codex_required — skipping Codex-related checks',
+        });
+    }
+    return checks;
+}
+/**
+ * Compute drift between the install manifest and the current state of the
+ * consumer's tree. Strictly read-only — no file writes. Synthetic entries
+ * (settings subset, managed CLAUDE.md fragment) are checked by hashing the
+ * computed values against the manifest SHA.
+ */
+export async function collectDriftReport(baseDir) {
+    const reaVersion = getPkgVersion();
+    const rows = [];
+    if (!manifestExists(baseDir)) {
+        return {
+            hasManifest: false,
+            bootstrap: false,
+            manifestVersion: null,
+            reaVersion,
+            rows,
+        };
+    }
+    const manifest = await readManifest(baseDir);
+    if (manifest === null) {
+        return {
+            hasManifest: false,
+            bootstrap: false,
+            manifestVersion: null,
+            reaVersion,
+            rows,
+        };
+    }
+    const manifestByPath = new Map(manifest.files.map((e) => [e.path, e]));
+    const canonical = await enumerateCanonicalFiles();
+    const canonicalByPath = new Map(canonical.map((c) => [c.destRelPath, c]));
+    // Canonical files: compare on-disk against canonical + manifest.
+    for (const c of canonical) {
+        const abs = path.join(baseDir, c.destRelPath);
+        if (!fs.existsSync(abs)) {
+            rows.push({
+                path: c.destRelPath,
+                status: 'missing',
+                detail: 'file not installed',
+            });
+            continue;
+        }
+        const localSha = await sha256OfFile(abs);
+        const canonicalSha = await sha256OfFile(c.sourceAbsPath);
+        const entry = manifestByPath.get(c.destRelPath);
+        if (localSha === canonicalSha) {
+            rows.push({ path: c.destRelPath, status: 'unmodified' });
+            continue;
+        }
+        if (entry !== undefined && localSha === entry.sha256) {
+            rows.push({
+                path: c.destRelPath,
+                status: 'drifted-from-canonical',
+                detail: `local matches manifest but differs from rea v${reaVersion} canonical — run \`rea upgrade\``,
+            });
+            continue;
+        }
+        rows.push({
+            path: c.destRelPath,
+            status: 'drifted-from-manifest',
+            detail: 'file modified locally since install',
+        });
+    }
+    // Manifest entries no longer in canonical (removed upstream), excluding
+    // synthetic entries handled below.
+    for (const entry of manifest.files) {
+        if (entry.path === CLAUDE_MD_MANIFEST_PATH ||
+            entry.path === SETTINGS_MANIFEST_PATH)
+            continue;
+        if (!canonicalByPath.has(entry.path)) {
+            rows.push({
+                path: entry.path,
+                status: 'removed-upstream',
+                detail: 'no longer shipped — run `rea upgrade` to remove',
+            });
+        }
+    }
+    // Synthetic: rea-owned settings subset.
+    const settingsEntry = manifestByPath.get(SETTINGS_MANIFEST_PATH);
+    const settingsSha = canonicalSettingsSubsetHash(defaultDesiredHooks());
+    if (settingsEntry === undefined) {
+        rows.push({ path: SETTINGS_MANIFEST_PATH, status: 'untracked' });
+    }
+    else if (settingsEntry.sha256 !== settingsSha) {
+        rows.push({
+            path: SETTINGS_MANIFEST_PATH,
+            status: 'drifted-from-canonical',
+            detail: 'desired-hooks set has changed since install',
+        });
+    }
+    else {
+        rows.push({ path: SETTINGS_MANIFEST_PATH, status: 'unmodified' });
+    }
+    // Synthetic: managed CLAUDE.md fragment. Render the fragment from the
+    // current policy and compare. If policy is unreadable, skip gracefully.
+    const mdEntry = manifestByPath.get(CLAUDE_MD_MANIFEST_PATH);
+    try {
+        const policy = loadPolicy(baseDir);
+        const fragment = buildFragment({
+            policyPath: '.rea/policy.yaml',
+            profile: policy.profile,
+            autonomyLevel: policy.autonomy_level,
+            maxAutonomyLevel: policy.max_autonomy_level,
+            blockedPathsCount: policy.blocked_paths.length,
+            blockAiAttribution: policy.block_ai_attribution,
+        });
+        const currentSha = sha256OfBuffer(fragment);
+        if (mdEntry === undefined) {
+            rows.push({ path: CLAUDE_MD_MANIFEST_PATH, status: 'untracked' });
+        }
+        else if (mdEntry.sha256 !== currentSha) {
+            rows.push({
+                path: CLAUDE_MD_MANIFEST_PATH,
+                status: 'drifted-from-canonical',
+                detail: 'policy values or fragment template changed since install',
+            });
+        }
+        else {
+            rows.push({ path: CLAUDE_MD_MANIFEST_PATH, status: 'unmodified' });
+        }
+    }
+    catch {
+        // Policy unreadable — drift of the fragment is meaningless to compute.
+        // The main doctor checks will already surface the policy failure.
+    }
+    return {
+        hasManifest: true,
+        bootstrap: manifest.bootstrap === true,
+        manifestVersion: manifest.version,
+        reaVersion,
+        rows,
+    };
+}
+function printDriftReport(report) {
+    console.log('');
+    log('Drift report');
+    if (!report.hasManifest) {
+        console.log('  no .rea/install-manifest.json — run `rea upgrade` once to bootstrap a manifest.');
+        console.log('');
+        return;
+    }
+    console.log(`  manifest v${report.manifestVersion ?? '?'} — running rea v${report.reaVersion}${report.bootstrap ? ' (bootstrap)' : ''}`);
+    console.log('');
+    let clean = 0;
+    for (const row of report.rows) {
+        if (row.status === 'unmodified') {
+            clean += 1;
+            continue;
+        }
+        const detail = row.detail !== undefined ? `  — ${row.detail}` : '';
+        console.log(`  [${row.status}] ${row.path}${detail}`);
+    }
+    console.log('');
+    console.log(`  ${clean} clean, ${report.rows.length - clean} with drift/issues.`);
+    console.log('');
+}
+export async function runDoctor(opts = {}) {
+    const baseDir = process.cwd();
+    // G11.3 — one-shot probe when Codex is required by policy. Doctor may be
+    // invoked without a running gateway, so we don't share state with
+    // `rea serve`; we just run a fresh probe here. Failure is observational —
+    // a warn row, never a hard failure of `rea doctor`.
+    let probeState;
+    if (codexRequiredFromPolicy(baseDir)) {
+        try {
+            probeState = await new CodexProbe().probe();
+        }
+        catch {
+            // `probe()` is documented as never-throws, but belt-and-suspenders:
+            // missing probe data should never crash doctor.
+            probeState = undefined;
+        }
+    }
+    const checks = collectChecks(baseDir, probeState);
     console.log('');
     log(`Doctor — ${baseDir}`);
     console.log('');
@@ -82,6 +497,17 @@ export function runDoctor() {
         if (c.status === 'fail')
             hardFail = true;
     }
+    // G11.5 — optional telemetry summary. Prints AFTER the main checks and
+    // NEVER contributes to the exit code. Purely observational.
+    if (opts.metrics === true) {
+        await printTelemetrySummary(baseDir);
+    }
+    // G12 — optional drift report. Also purely observational; `rea upgrade`
+    // is the action path.
+    if (opts.drift === true) {
+        const report = await collectDriftReport(baseDir);
+        printDriftReport(report);
+    }
     console.log('');
     if (hardFail) {
         log('Doctor: one or more hard checks failed.');
@@ -91,3 +517,16 @@ export function runDoctor() {
     log('Doctor: OK (warnings do not fail the check).');
     console.log('');
 }
+/**
+ * Render the telemetry summary after the doctor checks. Compact by
+ * design — the exact shape may evolve as G5 formalizes metrics export.
+ */
+async function printTelemetrySummary(baseDir) {
+    const summary = await summarizeTelemetry(baseDir);
+    console.log('');
+    log(`Telemetry — last ${summary.window_days} days`);
+    console.log(`  invocations/day:        ${summary.invocations_per_day.join(', ')}`);
+    console.log(`  total estimated tokens: ${summary.total_estimated_tokens}`);
+    console.log(`  rate-limited responses: ${summary.rate_limited_count}`);
+    console.log(`  avg latency:            ${Math.round(summary.avg_latency_ms)} ms`);
+}

package/dist/cli/index.js

@@ -5,6 +5,7 @@ import { runDoctor } from './doctor.js';
 import { runFreeze, runUnfreeze } from './freeze.js';
 import { runInit } from './init.js';
 import { runServe } from './serve.js';
+import { runUpgrade } from './upgrade.js';
 import { err, getPkgVersion } from './utils.js';
 async function main() {
     const program = new Command();
@@ -14,15 +15,39 @@ async function main() {
         .version(getPkgVersion(), '-v, --version', 'print rea version');
     program
         .command('init')
-        .description('Interactive wizard — write .rea/policy.yaml and .rea/registry.yaml')
-        .option('-y, --yes', 'non-interactive mode — accept defaults for all prompts')
+        .description('Interactive wizard — write .rea/policy.yaml, install .claude/, commit-msg hook, and CLAUDE.md fragment')
+        .option('-y, --yes', 'non-interactive mode — accept defaults, skip existing files')
         .option('--from-reagent', 'migrate from a .reagent/ directory if present')
-        .option('--profile <name>', 'profile: minimal | client-engagement | bst-internal | lit-wc | open-source')
+        .option('--profile <name>', 'profile: minimal | client-engagement | bst-internal | bst-internal-no-codex | lit-wc | open-source | open-source-no-codex')
+        .option('--force', 'overwrite existing .claude/ artifacts and .rea/policy.yaml')
+        .option('--accept-dropped-fields', 'allow reagent translation when drop-list fields are present (security-adjacent)')
+        // Commander's boolean-with-negation pair: `--codex` sets codex=true,
+        // `--no-codex` sets codex=false. Leaving both unset produces
+        // `opts.codex === undefined`, and runInit derives the value from the
+        // profile name.
+        .option('--codex', 'require Codex adversarial review (writes review.codex_required: true)')
+        .option('--no-codex', 'disable Codex adversarial review (writes review.codex_required: false)')
         .action(async (opts) => {
         await runInit({
             yes: opts.yes,
             fromReagent: opts.fromReagent,
             profile: opts.profile,
+            force: opts.force,
+            acceptDroppedFields: opts.acceptDroppedFields,
+            codex: opts.codex,
+        });
+    });
+    program
+        .command('upgrade')
+        .description('Sync .claude/, .husky/, and managed fragments with this rea version. Prompts on drift; auto-updates unmodified files.')
+        .option('--dry-run', 'show what would change; write nothing')
+        .option('-y, --yes', 'non-interactive — keep drifted files, skip removed-upstream')
+        .option('--force', 'non-interactive — overwrite drift, delete removed-upstream')
+        .action(async (opts) => {
+        await runUpgrade({
+            dryRun: opts.dryRun,
+            yes: opts.yes,
+            force: opts.force,
         });
     });
     program
@@ -54,8 +79,13 @@ async function main() {
     program
         .command('doctor')
         .description('Validate the install: policy parses, .rea/ layout, hooks, Codex plugin.')
-        .action(() => {
-        runDoctor();
+        .option('--metrics', 'also print a 7-day summary of Codex telemetry (G11.5)')
+        .option('--drift', 'report drift vs. the install manifest (read-only; does not mutate)')
+        .action(async (opts) => {
+        await runDoctor({
+            ...(opts.metrics === true ? { metrics: true } : {}),
+            ...(opts.drift === true ? { drift: true } : {}),
+        });
     });
     await program.parseAsync(process.argv);
 }

package/dist/cli/init.d.ts

@@ -2,5 +2,18 @@ export interface InitOptions {
     yes?: boolean | undefined;
     fromReagent?: boolean | undefined;
     profile?: string | undefined;
+    force?: boolean | undefined;
+    acceptDroppedFields?: boolean | undefined;
+    /**
+     * G11.4: explicit override for Codex adversarial review. `true` forces
+     * `review.codex_required: true` in the written policy; `false` forces
+     * `false`. Undefined → derive default from the chosen profile name
+     * (profiles whose name ends with `-no-codex` default to no-codex).
+     *
+     * Non-interactive semantics: in `--yes` mode the flag is honored
+     * directly. Interactive mode confirms the flag value as the prompt's
+     * initial value (but still prompts for a final answer).
+     */
+    codex?: boolean | undefined;
 }
 export declare function runInit(options: InitOptions): Promise<void>;