@chainpatrol/cli 0.3.3 → 0.4.0

package/CHANGELOG.md

@@ -1,5 +1,55 @@
 # @chainpatrol/cli
 
+## 0.4.0
+
+### Minor Changes
+
+- b5de201: Add a `healthchecks` namespace to the public API and CLI.
+
+  The new `healthchecks list` returns a registry of every check the platform
+  exposes today, including planned checks that are not yet implemented on the
+  backend (marked `implemented: false` with a `notImplementedReason`). The new
+  `healthchecks run <id|--all> --org <slug>` runs a single check or every
+  implemented check in parallel and returns each result in a uniform shape
+  (`id`, `severity`, `observed`, `threshold`, `findings`, `suggestedAction`).
+
+  Implemented checks in this release:
+
+  - `detections.silent-configs` — the existing detection-config healthcheck,
+    wrapped in the uniform shape. The original `detections healthcheck`
+    command continues to work.
+  - `reviewing.backlog` — counts pending review proposals and grades severity
+    against per-org thresholds (default warn=50, fail=100).
+  - `reviewing.old-proposals` — counts proposals older than the warn / fail
+    age thresholds (default 7 / 14 days) and lists the oldest offenders.
+  - `takedowns.stale-in-progress` — counts takedowns sitting in IN_PROGRESS
+    past the staleness threshold (default 7 days).
+
+  Planned but not yet implemented (still returned by `list` with
+  `implemented: false`): `detections.coverage-gaps`, `detections.spike`,
+  `detections.drop`, `reviewing.auto-approval-spike`,
+  `blocklisting.gsb-cancelled-rate`, `takedowns.todo-volume`,
+  `takedowns.cancelled-rate`, `takedowns.automation-off`.
+
+  The bundled Claude Code skill is updated to (a) document the new namespace,
+  (b) recommend `healthchecks run --all` as the canonical entrypoint when a
+  user asks to run a healthcheck on an org, and (c) mark every not-yet-
+  implemented check in the HealthCheck Guide with a "manual check, no API
+  yet" note so the agent surfaces that gap explicitly.
+
+## 0.3.4
+
+### Patch Changes
+
+- e30617f: Update the bundled Claude Code skill to document the `detections healthcheck`,
+  `queues snapshot`, `metrics summary | found | breakdown`, and `presets`
+  subcommands, plus the `--no-input` / `--no-color` / `--output` / `--quiet`
+  global flags. The existing soft / manual signals in the Organization
+  HealthCheck Guide are preserved verbatim; each subsection now also points at
+  the matching CLI command via a "Run via CLI" note, and a new "Quick Path"
+  block lists the commands an agent should reach for first when asked to run
+  a health check.
+
 ## 0.3.3
 
 ### Patch Changes

package/dist/{breakdown-FFNYSXRQ.js → breakdown-EBSACUST.js}

@@ -4,7 +4,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{chunk-44FSS3CZ.js → chunk-MXUZR2BV.js}

@@ -141,6 +141,12 @@ function createApiClient(options) {
         searchQuery: input.searchQuery,
         reportedByCustomer: input.reportedByCustomer
       });
+    },
+    listHealthchecks() {
+      return request("/healthchecks/list", {});
+    },
+    runHealthcheck(endpoint, input) {
+      return request(endpoint, input);
     }
   };
 }

package/dist/{chunk-WBKCXGLV.js → chunk-PIYOWGBZ.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import {
   DateTime
 } from "./chunk-TFCNKBRC.js";

package/dist/{chunk-R7BPW32M.js → chunk-S65NM7FF.js}

@@ -264,6 +264,166 @@ You can also compare with the non-customer set using
 \`--no-reported-by-customer\` to gauge detection coverage on the same time
 window.
 
+### \`detections healthcheck\` \u2014 Validate enabled detection configs produce recent results
+
+Server-side check. The CLI calls the ChainPatrol API; the server fetches each
+enabled detection config for the org, counts results produced in the lookback
+window, and FAILs configs that fall under \`--min-results\` (or whose run
+errored when \`--run\` is set).
+
+\`\`\`bash
+chainpatrol --json detections healthcheck --org <slug>
+\`\`\`
+
+Flags:
+- \`--source <key>\` only validate one source (e.g. \`twitter_search\`)
+- \`--min-results <n>\` minimum results required in the window to pass
+- \`--lookback-hours <n>\` size of the lookback window
+- \`--run\` ask the server to run each config first, then validate the fresh output
+- \`--include-disabled\` also validate disabled configs
+
+What this command covers:
+- Configs that have gone silent (recentResultCount below threshold)
+- Configs that error when run (runOk=false) when \`--run\` is set
+
+What it does NOT cover:
+- Reviewing backlog / SLA breaches \u2192 use \`queues snapshot\`
+- Takedown ToDo / In Progress / Cancelled volumes \u2192 use \`queues snapshot\`
+- Spikes or drops in detection volume over time \u2192 use \`metrics breakdown\`
+- Customer-reported gaps \u2192 use \`reports list --reported-by-customer\`
+- Google Safe Browsing submission errors (not yet exposed in CLI)
+
+Use it as the first signal in the Detection part of an org healthcheck, then
+fall back to the manual checks in the HealthCheck Guide below for everything
+else.
+
+> Prefer the newer \`healthchecks\` namespace below. \`detections healthcheck\`
+> is the original single-purpose command; the \`healthchecks\` namespace is
+> the canonical place to discover and run every check we expose.
+
+### \`healthchecks list | run\` \u2014 Run uniform org healthchecks via the public API
+
+The \`healthchecks\` namespace is the canonical way to run the named checks
+from the Organization HealthCheck Guide below. Each implemented endpoint
+returns the same uniform shape \u2014 \`{ id, ok, severity, observed, threshold,
+findings, suggestedAction }\` \u2014 so the CLI / agent can render every check the
+same way regardless of category.
+
+\`\`\`bash
+# Discover every check the platform exposes today, including planned checks
+# that are not yet implemented on the backend.
+chainpatrol --json healthchecks list
+
+# Run a single named check.
+chainpatrol --json healthchecks run reviewing.backlog --org <slug>
+
+# Run every implemented check in parallel and aggregate the results.
+chainpatrol --json healthchecks run --all --org <slug>
+\`\`\`
+
+Each implemented check has a stable id of the form \`category.name\`, e.g.
+\`detections.silent-configs\`, \`reviewing.backlog\`,
+\`reviewing.old-proposals\`, \`takedowns.stale-in-progress\`.
+
+Implemented checks today:
+
+- **detections.silent-configs** \u2014 equivalent to \`detections healthcheck\`,
+  exposed under the uniform shape.
+- **reviewing.backlog** \u2014 counts proposals in PENDING review state and grades
+  severity against per-org thresholds (default warn=50, fail=100).
+- **reviewing.old-proposals** \u2014 counts proposals older than the warn / fail
+  age thresholds (default 7 / 14 days) and lists the oldest offenders.
+- **takedowns.stale-in-progress** \u2014 counts takedowns sitting in IN_PROGRESS
+  past the staleness threshold (default 7 days) and lists the oldest.
+
+The following checks are listed by \`healthchecks list\` (\`implemented: false\`)
+but **not yet implemented on the backend** \u2014 when the agent surfaces them in
+a healthcheck report, mark them explicitly as "manual check, no API yet":
+
+- **detections.coverage-gaps** \u2014 blocked assets vs. enabled-source correlation.
+  Still requires manual reasoning with \`configs list\` + \`reports list\`.
+- **detections.spike** / **detections.drop** \u2014 require server-side baseline
+  modeling. Use \`metrics breakdown --by day\` as an interim signal.
+- **reviewing.auto-approval-spike** \u2014 needs distinguishing automation vs.
+  human approvers in the review history. Use \`metrics breakdown\` as a proxy.
+- **blocklisting.gsb-cancelled-rate** \u2014 Google Safe Browsing submission state
+  is not yet exposed in the public API.
+- **takedowns.todo-volume** / **takedowns.cancelled-rate** /
+  **takedowns.automation-off** \u2014 the underlying read paths are not yet exposed.
+
+When the user asks to "run a healthcheck on org X", the canonical command is:
+
+\`\`\`bash
+chainpatrol --json healthchecks run --all --org X
+\`\`\`
+
+This iterates the implemented entries in \`healthchecks list\`, runs them in
+parallel, and aggregates the uniform results. Combine with the manual checks
+in the HealthCheck Guide below for everything still marked
+\`implemented: false\`.
+
+### \`queues snapshot\` \u2014 Operations review/takedown queue snapshot
+
+Server-side aggregation of the operations review queue (pending proposals,
+SLA breaches, age buckets) and the takedown queue (open, in-progress, stale).
+
+\`\`\`bash
+chainpatrol --json queues snapshot --org <slug>
+\`\`\`
+
+Useful for the **Reviewing** and **Takedowns** sections of the HealthCheck
+Guide. Key signals in the response:
+- \`reviewQueue.totalPendingProposals\` and \`reviewQueue.distinctReports\` \u2014
+  backlog size
+- \`reviewQueue.slaBuckets.breached\` \u2014 SLA breaches (treat any breach as a
+  finding)
+- \`reviewQueue.ageBuckets.gte168h\` \u2014 proposals older than 7 days (anything
+  >14 days from the manual guide should always be in here)
+- \`takedownQueue.totalOpen\` and \`takedownQueue.staleInProgress\` \u2014 open
+  and stuck takedowns
+
+Use \`--all\` to snapshot every org you have access to instead of a single slug.
+
+### \`metrics summary | found | breakdown\` \u2014 Org metrics for spike/drop analysis
+
+\`\`\`bash
+chainpatrol --json metrics summary  --org <slug> --this-week
+chainpatrol --json metrics breakdown --org <slug> --by day --this-week
+chainpatrol --json metrics found    --org <slug> --from <YYYY-MM-DD> --to <YYYY-MM-DD>
+\`\`\`
+
+\`breakdown\` is the one you usually want for healthchecks: it returns a
+time series (by day or week) of reports, new threats, watchlisted threats,
+and takedowns filed/completed. Compare the latest period against a prior
+window to spot the **spike** or **drop** signals described in the manual
+HealthCheck Guide. \`summary\` returns a single window total; \`found\` is
+oriented around when threats were first discovered.
+
+### \`presets list | run\` \u2014 Packaged workflows for common jobs
+
+\`\`\`bash
+chainpatrol presets list
+chainpatrol presets run cs-weekly-health --org <slug>
+\`\`\`
+
+Use \`presets list\` to discover packaged multi-step workflows. The bundled
+\`cs-weekly-health\` preset runs the standard customer-success weekly health
+sweep; prefer it over hand-rolling the same sequence of commands.
+
+## Headless / agent-mode tips
+
+When running these commands from an agent or CI:
+
+- Prefer \`--json\` (or \`--output json\`) so output is structured and the
+  update-check stderr nudge is suppressed automatically.
+- Pass \`--no-input\` to forbid any interactive prompt (the CLI will error
+  out instead of waiting on a TTY).
+- Pass \`--no-color\` or set \`NO_COLOR=1\` if your sink can't render ANSI.
+- Set \`CHAINPATROL_NO_UPDATE_CHECK=1\` to silence the skill/npm freshness
+  nudge entirely.
+- For \`login\` specifically, see the headless runbook in the login section
+  above \u2014 login is the one command that needs background + tail handling.
+
 ## Checking Auth Status
 
 To check if the user is logged in, read the credentials file:
@@ -303,12 +463,16 @@ machine-readable output is never polluted.
 
 ## Global Flags
 
-| Flag        | Description                          |
-|-------------|--------------------------------------|
-| \`--json\`    | Machine-readable JSON output         |
-| \`--org\`     | Organization slug (saved for later)  |
-| \`--help\`    | Show help                            |
-| \`--version\` | Show version                         |
+| Flag             | Description                                            |
+|------------------|--------------------------------------------------------|
+| \`--json\`         | Machine-readable JSON output (shortcut for \`--output json\`) |
+| \`--output <fmt>\` | Output format: \`human\` (default), \`json\`, \`markdown\`, \`csv\` |
+| \`--quiet\`, \`-q\`  | Suppress non-essential output and the update-check nudge |
+| \`--no-color\`     | Disable ANSI colors (also respects the \`NO_COLOR\` env var) |
+| \`--no-input\`     | Disable interactive prompts (use in scripts and agents) |
+| \`--org <slug>\`   | Organization slug (saved as the default for later commands) |
+| \`--help\`, \`-h\`   | Show help                                              |
+| \`--version\`      | Show version                                           |
 
 ## Workflow
 
@@ -336,7 +500,99 @@ When the user asks for a "health check", "audit", "what's wrong with org X",
 "review org X's setup", or similar, walk through each section below and surface
 findings.
 
-In each section there are things you can look for that may be wrong.
+In each section there are things you can look for that may be wrong. Some
+checks have a dedicated CLI command that does most of the work server-side;
+others are soft / qualitative signals that still need you to fetch data with
+\`configs list\` or \`reports list\` and reason about it manually.
+
+### Quick Path: CLI commands that automate parts of this guide
+
+The canonical first step is now the \`healthchecks\` namespace, which runs
+every implemented check via the public API and returns a uniform shape per
+check (\`id\`, \`severity\`, \`observed\`, \`threshold\`, \`findings\`,
+\`suggestedAction\`):
+
+\`\`\`bash
+# Discover every check the platform exposes, implemented or planned.
+chainpatrol --json healthchecks list
+
+# Run every implemented healthcheck in parallel and aggregate the results.
+chainpatrol --json healthchecks run --all --org <slug>
+
+# Run a single named check.
+chainpatrol --json healthchecks run reviewing.backlog --org <slug>
+\`\`\`
+
+After \`healthchecks run --all\`, use these complementary commands to cover
+the signals that are not yet exposed as a uniform healthcheck endpoint:
+
+\`\`\`bash
+# Spikes / drops in detection volume over time (compare windows)
+chainpatrol --json metrics breakdown --org <slug> --by day --this-week
+
+# Customer-reported threats \u2014 gaps in our own detection
+chainpatrol --json reports list --org <slug> --reported-by-customer
+
+# What's enabled vs disabled vs not configured for the org
+chainpatrol --json configs list --org <slug>
+
+# Snapshot of review/takedown queues \u2014 raw counts behind several healthchecks
+chainpatrol --json queues snapshot --org <slug>
+
+# Packaged weekly customer-success sweep (preferred when it covers the ask)
+chainpatrol presets run cs-weekly-health --org <slug>
+\`\`\`
+
+Treat each command's output as one input to the healthcheck. The manual
+checks below still apply \u2014 especially for signals the CLI cannot infer on
+its own (e.g. "lots of Twitter assets are blocked but Twitter Post Search
+is disabled", or "this drop is fine because the config isn't relevant
+to this org"). Each subsection of the guide notes whether a healthcheck
+endpoint exists today and what to fall back on when it doesn't.
+
+### Reporting progress while running a healthcheck
+
+When the user asks for a healthcheck, narrate each step in real time so they
+can watch the run unfold. Do NOT batch results and dump everything at the
+end. For every check you run (Quick Path CLI command, or a manual signal
+where you're fetching data with \`configs list\` / \`reports list\` to
+reason about):
+
+1. **Before** you call the command, emit ONE short sentence stating what
+   you're about to check, including the org slug. Examples:
+   - "Running detection config healthcheck for morpho\u2026"
+   - "Snapshotting review and takedown queues for morpho\u2026"
+   - "Fetching customer-reported reports for morpho to look for detection gaps\u2026"
+
+2. **As soon as** the command returns, emit ONE short result line that
+   starts with a status word and ends with a key number or finding:
+   - \`DONE\` \u2014 ran cleanly, nothing to flag
+   - \`WARN\` \u2014 soft signal worth surfacing (e.g. a borderline backlog,
+     mild spike or drop, a config you'd want a human to confirm)
+   - \`FAIL\` \u2014 concrete failure that the user should act on
+   - Examples:
+     - "DONE \u2014 14/14 detection configs passing."
+     - "WARN \u2014 23 proposals in the review queue; 4 are older than 7 days."
+     - "FAIL \u2014 twitter_post_search returned 0 results in the last 24h with --run."
+
+3. Run **independent** checks in **parallel** (single message, multiple
+   Bash tool calls) so progress lines arrive quickly. \`detections
+   healthcheck\`, \`queues snapshot\`, \`metrics breakdown\`,
+   \`reports list --reported-by-customer\`, and \`configs list\` are all
+   independent of each other and safe to fire concurrently. Dependent
+   follow-ups (e.g. paginating \`reports list\` with a returned cursor,
+   or fetching extra detail on a single failing config) run after the
+   first round.
+
+4. After every check is reported, emit a short final **Summary** section:
+   - A one-line status per check (\u2713 / \u26A0 / \u2717 + name + key number).
+   - A short "Top issues" list of the highest-priority FAIL / WARN
+     findings, in priority order, with the concrete next action for each.
+
+Keep each progress line to one sentence. The goal is for the user to see
+the healthcheck happening, not to read a wall of text mid-run \u2014 full
+detail belongs in the final Summary or in a follow-up when the user asks
+about a specific finding.
 
 ### Detection
 
@@ -347,18 +603,45 @@ turned off. For example: lots of Twitter assets are on the blocklist, but
 detection sources like "Twitter / X User Search" or "Twitter Post Search" are
 disabled. Those should be turned on.
 
+**Run via CLI:** **Not yet implemented as a healthcheck endpoint.** Listed in
+\`healthchecks list\` as \`detections.coverage-gaps\` with
+\`implemented: false\` \u2014 when reporting this signal in a healthcheck, note
+"manual check, no API yet". Until the endpoint lands, do the correlation
+manually: \`chainpatrol --json configs list --org <slug>\` for enabled vs
+disabled configs, then \`chainpatrol --json reports list --org <slug>\` for
+recent blocked-item asset types. Flag any asset type where blocked items
+exist but the matching detection source has \`status: "disabled"\` (or
+appears in the "Not configured" group).
+
 #### Spike in Detections
 
 A spike in recent detections is worth investigating. It could be a bad config
 change, or it could be a legitimate new attack push in this area \u2014 useful
 intel to surface to the security team as a targeted spike.
 
+**Run via CLI:** **Not yet implemented as a healthcheck endpoint.** Listed
+in \`healthchecks list\` as \`detections.spike\` with \`implemented: false\`.
+Until the endpoint lands, use \`chainpatrol --json metrics breakdown --org <slug> --by day --this-week\`
+(and a comparison window via \`--from\`/\`--to\`) to see daily detection
+volume. Anything notably above the recent baseline is a spike \u2014 cross-reference
+against recent config changes for that source.
+
 #### Drop in Detections
 
 A drop is also worth looking into. It may be a bad config change, or it may
 mean the config is not really relevant and can be safely turned off (not all
 default-on configs are relevant to every org).
 
+**Run via CLI:** the extreme case ("this source went silent") is covered
+today by \`chainpatrol --json healthchecks run detections.silent-configs --org <slug>\`,
+which is the canonical replacement for the older \`detections healthcheck\`.
+It fails any config whose \`recentResultCount\` is below \`--min-results\`
+in the \`--lookback-hours\` window; pass \`--run\` (via the lower-level
+\`detections healthcheck --run\`) to also catch configs that error when
+executed. For soft drops (still producing results but below baseline),
+\`detections.drop\` is marked \`implemented: false\` in \`healthchecks list\`
+\u2014 use \`metrics breakdown --by day\` and compare windows manually.
+
 ### Reviewing
 
 #### Pile Up / Backlog of Unreviewed Proposals
@@ -368,6 +651,17 @@ reports, but really the threshold is relative to the average number of
 confirmed threats per week. Example: if an org only adds 5 blocked threats per
 week, then a 7-day backlog of even 10 proposals is a really big deal.
 
+**Run via CLI:** **Implemented as \`healthchecks run reviewing.backlog\`.**
+The endpoint counts proposals in PENDING review state and grades severity
+against per-org thresholds (default warn=50, fail=100; override with
+\`--warn-threshold\` / \`--fail-threshold\` via the run payload). For raw
+counts plus SLA / age breakdowns, \`chainpatrol --json queues snapshot --org <slug>\`
+remains useful and exposes \`reviewQueue.totalPendingProposals\` and
+\`reviewQueue.distinctReports\`. Compare against the org's typical weekly
+throughput (use \`metrics summary --this-week\` for that baseline) \u2014 a
+backlog that exceeds a week of typical confirmed-threat volume is a finding
+regardless of the absolute number.
+
 #### Really Old Proposals
 
 Any proposal waiting for review longer than 14 days is a sign something has
@@ -375,6 +669,13 @@ gone wrong. Even complex investigations rarely take longer than this. Except
 for rare cases, these should be rejected or approved to prevent a backlog
 from building.
 
+**Run via CLI:** **Implemented as \`healthchecks run reviewing.old-proposals\`.**
+The endpoint counts pending proposals older than the warn / fail age
+thresholds (default 7 / 14 days) and lists the oldest offenders in
+\`findings\`. \`queues snapshot\` (\`reviewQueue.ageBuckets.gte168h\`) still
+works as a raw view, and \`reviewQueue.slaBuckets.breached\` captures the
+strictest SLA breaches separately \u2014 any non-zero value is worth raising.
+
 #### Spike in Auto Approved Reports
 
 If suddenly a lot of proposals in an org are being approved by automation,
@@ -385,6 +686,14 @@ cases, notify an engineer at ChainPatrol and check any detection configs you
 adjusted recently, since those may be the cause of spam combined with a weak
 rule.
 
+**Run via CLI:** **Not yet implemented as a healthcheck endpoint.** Listed
+in \`healthchecks list\` as \`reviewing.auto-approval-spike\` with
+\`implemented: false\`. As a proxy until the endpoint lands, use
+\`chainpatrol --json metrics breakdown --org <slug> --by day --this-week\`
+and look for a sudden surge in \`newThreats\` / \`threatsWatchlisted\` that
+isn't matched by a parallel rise in reviewer activity \u2014 that gap usually
+points at automation doing the approving.
+
 ### Blocklisting
 
 #### Google Safe Browsing (Coming Soon)
@@ -398,6 +707,11 @@ also take a look at the org's custom detection sources \u2014 it's possible ther
 are too many false positives landing on the blocklist, indicating issues with
 detection and reviewing rules.
 
+**Run via CLI:** **Not yet implemented as a healthcheck endpoint.** Listed
+in \`healthchecks list\` as \`blocklisting.gsb-cancelled-rate\` with
+\`implemented: false\`. Until Google Safe Browsing submission state is
+exposed in the public API, this remains a manual / engineering-team check.
+
 ### Takedowns
 
 #### Too Many Takedowns in ToDo
@@ -406,12 +720,27 @@ Can mean a gap in automated takedowns not being implemented for some new area
 of threats. It can also mean the areas that require manual takedowns are
 being missed by the takedown team.
 
+**Run via CLI:** **Not yet implemented as a healthcheck endpoint.** Listed
+in \`healthchecks list\` as \`takedowns.todo-volume\` with
+\`implemented: false\` (needs a per-org throughput baseline). As an interim
+signal, \`chainpatrol --json queues snapshot --org <slug>\` returns
+\`takedownQueue.totalOpen\` and breakdowns by status; a persistently large
+ToDo bucket relative to the org's typical takedown rate (use
+\`metrics summary\` for that baseline) is the finding.
+
 #### Too Many Takedowns In Progress
 
 Typically means something is wrong with the submission itself. The takedown
 may need to be resubmitted, the vendor asked for more evidence, or we may
 have submitted it in the wrong place.
 
+**Run via CLI:** **Implemented as \`healthchecks run takedowns.stale-in-progress\`.**
+The endpoint counts takedowns sitting in IN_PROGRESS past the staleness
+threshold (default 7 days) and lists the oldest offenders in \`findings\`.
+\`queues snapshot\` (\`takedownQueue.staleInProgress\`) still works as a raw
+view. Any non-zero value is worth investigating; a growing number across
+snapshots strongly suggests a vendor-side or submission-format problem.
+
 #### Too Many Cancelled Takedowns
 
 Takedowns should rarely be cancelled. A cancelled takedown means "we will not
@@ -419,11 +748,27 @@ do this takedown" for some reason. Cases like adding an item to the blocklist
 when it's already taken down are treated as completed, not cancelled. So even
 3 cancelled takedowns in a 7-day period is too many.
 
+**Run via CLI:** **Not yet implemented as a healthcheck endpoint.** Listed
+in \`healthchecks list\` as \`takedowns.cancelled-rate\` with
+\`implemented: false\` (public API does not yet expose CANCELLED takedown
+counts over a rolling window). As an interim signal, use
+\`chainpatrol --json metrics breakdown --org <slug> --by day --this-week\`
+and compare \`takedownsFiled\` vs \`takedownsCompleted\` for a sudden
+divergence \u2014 a widening gap with no In-Progress growth often shows up as
+cancellations.
+
 #### Automated Takedowns Turned Off for Over 30 Days
 
 Automated takedowns should be on by default for nearly every organization.
 Any issue that would make you want to turn off automated takedowns should be
 resolved within 30 days.
+
+**Run via CLI:** **Not yet implemented as a healthcheck endpoint.** Listed
+in \`healthchecks list\` as \`takedowns.automation-off\` with
+\`implemented: false\` (public API does not yet expose automated-takedown
+enablement state). Check this manually with the org's takedown automation
+settings; the CLI's role here is mostly to highlight stale state in
+\`queues snapshot\` so you know to ask.
 `;
 }
 function getBundledSkillVersion() {

package/dist/cli.js

@@ -13,7 +13,7 @@ import {
   getCliVersion,
   isSkillInstalled,
   readInstalledSkillVersion
-} from "./chunk-R7BPW32M.js";
+} from "./chunk-S65NM7FF.js";
 import "./chunk-IUZB3DQW.js";
 import {
   DateTime
@@ -281,6 +281,35 @@ var HELP = {
       "--window-hours <n>    Hours used for staleness windows"
     ]
   },
+  healthchecks: {
+    description: "Run organization healthchecks via the public API. Use `list` to see every available check (including planned ones not yet implemented on the backend) and `run` to execute one or all implemented checks.",
+    usage: "chainpatrol healthchecks <list|run <id>|run --all>",
+    options: ["--org <slug>          Organization slug (required for `run`)"],
+    examples: [
+      "chainpatrol healthchecks list",
+      "chainpatrol healthchecks run --all --org acme",
+      "chainpatrol healthchecks run reviewing.backlog --org acme",
+      "chainpatrol healthchecks run takedowns.stale-in-progress --org acme"
+    ]
+  },
+  "healthchecks list": {
+    description: "List every healthcheck the platform exposes. Each entry reports whether it is implemented today; not-yet-implemented entries include a `notImplementedReason` you can surface to users.",
+    usage: "chainpatrol healthchecks list"
+  },
+  "healthchecks run": {
+    description: "Run a single healthcheck by id, or pass `--all` to run every implemented check in parallel and aggregate the results. Returns the uniform healthcheck shape (id, severity, observed, threshold, findings, suggestedAction).",
+    usage: "chainpatrol healthchecks run <id|--all> --org <slug>",
+    options: [
+      "--org <slug>          Organization slug (required)",
+      "--all                 Run every implemented healthcheck in parallel",
+      "--min-results <n>     Pass through to detections.silent-configs",
+      "--lookback-hours <n>  Pass through to detections.silent-configs"
+    ],
+    examples: [
+      "chainpatrol healthchecks run reviewing.backlog --org acme",
+      "chainpatrol healthchecks run --all --org acme"
+    ]
+  },
   presets: {
     description: "Run saved workflows for common jobs.",
     usage: "chainpatrol presets <list|run <id>>",
@@ -336,6 +365,7 @@ function getTopLevelHelp() {
     "    logout        Clear stored credentials",
     "    configs       Manage detection configs",
     "    detections    Validate, run, update detection configs",
+    "    healthchecks  List and run organization healthchecks",
     "    metrics       Query organization metrics and breakdowns",
     "    reports       Create and list reports from terminal",
     "    queues        Snapshot operations review/takedown queues",
@@ -504,6 +534,7 @@ var COMMANDS = [
   "logout",
   "configs",
   "detections",
+  "healthchecks",
   "metrics",
   "reports",
   "queues",
@@ -686,12 +717,12 @@ function parseAttachmentUrls() {
 }
 async function handleConfigsList(org) {
   if (jsonMode) {
-    const { listConfigsJson } = await import("./list-json-SUZL2GBJ.js");
+    const { listConfigsJson } = await import("./list-json-WTMYLZGY.js");
     await listConfigsJson({ org });
     return;
   }
   const { render } = await import("ink");
-  const { default: ConfigsList } = await import("./list-TMFLCS5U.js");
+  const { default: ConfigsList } = await import("./list-GEMCFDD5.js");
   const { default: React } = await import("react");
   render(React.createElement(ConfigsList, { org }));
 }
@@ -789,7 +820,7 @@ async function main() {
     case "detections": {
       const org = await resolveOrg();
       if (subcommand === "healthcheck") {
-        const { runDetectionsHealthcheck } = await import("./healthcheck-SIE5EXN3.js");
+        const { runDetectionsHealthcheck } = await import("./healthcheck-KAONRGSS.js");
         await runDetectionsHealthcheck({
           org,
           source: cli.flags.source,
@@ -804,7 +835,7 @@ async function main() {
         break;
       }
       if (subcommand === "validate") {
-        const { runDetectionsValidate } = await import("./validate-II6GH6H6.js");
+        const { runDetectionsValidate } = await import("./validate-BJFEKI2N.js");
         await runDetectionsValidate({
           org,
           source: cli.flags.source,
@@ -819,7 +850,7 @@ async function main() {
         break;
       }
       if (subcommand === "drift") {
-        const { runDetectionsDrift } = await import("./drift-PASGDEEX.js");
+        const { runDetectionsDrift } = await import("./drift-DZ6A7JL5.js");
         await runDetectionsDrift({
           org,
           source: cli.flags.source,
@@ -833,7 +864,7 @@ async function main() {
         break;
       }
       if (subcommand === "run") {
-        const { runDetectionsRun } = await import("./run-MGOASUON.js");
+        const { runDetectionsRun } = await import("./run-43CC5AXR.js");
         await runDetectionsRun({
           org,
           configId: cli.flags.configId,
@@ -852,7 +883,7 @@ async function main() {
           break;
         }
         if (action === "run") {
-          const { runDetectionsRun } = await import("./run-MGOASUON.js");
+          const { runDetectionsRun } = await import("./run-43CC5AXR.js");
           await runDetectionsRun({
             org,
             configId: cli.flags.configId,
@@ -870,7 +901,7 @@ async function main() {
             throw new Error("detections configs update requires --config-id");
           }
           const configPatch = getConfigPatchFromSetFlags();
-          const { runDetectionsConfigsUpdate } = await import("./configs-update-VOWH674W.js");
+          const { runDetectionsConfigsUpdate } = await import("./configs-update-RPN32YTL.js");
           await runDetectionsConfigsUpdate({
             org,
             configId: cli.flags.configId,
@@ -897,7 +928,7 @@ async function main() {
     case "metrics": {
       const org = await resolveOrg();
       if (subcommand === "summary") {
-        const { runMetricsSummary } = await import("./summary-QORQFCMW.js");
+        const { runMetricsSummary } = await import("./summary-6NCA7PDP.js");
         await runMetricsSummary({
           org,
           from: cli.flags.from,
@@ -909,7 +940,7 @@ async function main() {
         break;
       }
       if (subcommand === "found") {
-        const { runMetricsFound } = await import("./found-TIW7T4VX.js");
+        const { runMetricsFound } = await import("./found-AOPBSLRD.js");
         await runMetricsFound({
           org,
           from: cli.flags.from,
@@ -926,7 +957,7 @@ async function main() {
         if (!by || !["day", "type", "brand"].includes(by)) {
           throw new Error("metrics breakdown requires --by <day|type|brand>");
         }
-        const { runMetricsBreakdown } = await import("./breakdown-FFNYSXRQ.js");
+        const { runMetricsBreakdown } = await import("./breakdown-EBSACUST.js");
         await runMetricsBreakdown({
           org,
           by,
@@ -946,7 +977,7 @@ async function main() {
     case "reports": {
       if (subcommand === "list") {
         const org = await resolveOrg();
-        const { runReportsList } = await import("./list-CEWBMKJ3.js");
+        const { runReportsList } = await import("./list-MWDFCHMJ.js");
         await runReportsList({
           org,
           limit: cli.flags.limit,
@@ -962,7 +993,7 @@ async function main() {
       }
       if (subcommand === "create") {
         const org = await tryResolveOrg();
-        const { runReportsCreate } = await import("./create-ASGUBKZ7.js");
+        const { runReportsCreate } = await import("./create-QP3M7EZM.js");
         await runReportsCreate({
           org,
           title: cli.flags.title,
@@ -986,7 +1017,7 @@ async function main() {
     }
     case "queues": {
       if (subcommand === "snapshot") {
-        const { runQueuesSnapshot } = await import("./snapshot-MQ6DWDFG.js");
+        const { runQueuesSnapshot } = await import("./snapshot-E3TPZOKT.js");
         await runQueuesSnapshot({
           org: cli.flags.org,
           all: cli.flags.all,
@@ -1002,9 +1033,41 @@ async function main() {
         subcommand ? `Unknown subcommand: queues ${subcommand}${hint ? `. Did you mean "queues ${hint}"?` : ""}` : "Usage: chainpatrol queues snapshot [--org <slug>|--all]"
       );
     }
+    case "healthchecks": {
+      if (subcommand === "list") {
+        const { runHealthchecksList } = await import("./list-UW63DIKX.js");
+        await runHealthchecksList({
+          json: jsonMode,
+          outputFormat: cliContext.outputFormat
+        });
+        break;
+      }
+      if (subcommand === "run") {
+        const org = await resolveOrg();
+        const thresholds = {};
+        if (cli.flags.minResults !== void 0)
+          thresholds.minResults = cli.flags.minResults;
+        if (cli.flags.lookbackHours !== void 0)
+          thresholds.lookbackHours = cli.flags.lookbackHours;
+        const { runHealthchecksRun } = await import("./run-7THXM7GF.js");
+        await runHealthchecksRun({
+          org,
+          id: action,
+          all: cli.flags.all,
+          thresholds,
+          json: jsonMode,
+          outputFormat: cliContext.outputFormat
+        });
+        break;
+      }
+      const hint = subcommand ? suggest(subcommand, ["list", "run"]) : null;
+      throw new Error(
+        subcommand ? `Unknown subcommand: healthchecks ${subcommand}${hint ? `. Did you mean "healthchecks ${hint}"?` : ""}` : "Usage: chainpatrol healthchecks <list|run <id>>"
+      );
+    }
     case "presets": {
       if (subcommand === "list") {
-        const { runPresetsList } = await import("./list-KTIZ3UHA.js");
+        const { runPresetsList } = await import("./list-LN6NOZIJ.js");
         await runPresetsList({ outputFormat: cliContext.outputFormat });
         break;
       }
@@ -1015,7 +1078,7 @@ async function main() {
           );
         }
         const org = await resolveOrg();
-        const { runPresetsRun } = await import("./run-3TTLZ6HA.js");
+        const { runPresetsRun } = await import("./run-MH5RYPWA.js");
         await runPresetsRun({
           presetId: action,
           org,
@@ -1032,12 +1095,12 @@ async function main() {
     case "setup":
     case "install":
     case "i": {
-      const { setupSkill } = await import("./setup-skill-KKWETU4A.js");
+      const { setupSkill } = await import("./setup-skill-Z5RVCWCU.js");
       setupSkill({ json: jsonMode });
       break;
     }
     case "uninstall": {
-      const { uninstallSkill } = await import("./setup-skill-KKWETU4A.js");
+      const { uninstallSkill } = await import("./setup-skill-Z5RVCWCU.js");
       uninstallSkill({ json: jsonMode });
       break;
     }

package/dist/{configs-update-VOWH674W.js → configs-update-RPN32YTL.js}

@@ -7,7 +7,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{create-ASGUBKZ7.js → create-QP3M7EZM.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{drift-PASGDEEX.js → drift-DZ6A7JL5.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{found-TIW7T4VX.js → found-AOPBSLRD.js}

@@ -4,7 +4,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import {
   DateTime

package/dist/{healthcheck-SIE5EXN3.js → healthcheck-KAONRGSS.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{list-TMFLCS5U.js → list-GEMCFDD5.js}

@@ -4,7 +4,7 @@ import {
 } from "./chunk-JCMWDZYY.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import {
   AuthCorruptedError,
   AuthExpiredError,

package/dist/{list-KTIZ3UHA.js → list-LN6NOZIJ.js}

@@ -1,12 +1,12 @@
 import {
   PRESETS
-} from "./chunk-WBKCXGLV.js";
+} from "./chunk-PIYOWGBZ.js";
 import "./chunk-E2LAMILJ.js";
 import {
   printOutput,
   toCsvRows
 } from "./chunk-VFT3TD3E.js";
-import "./chunk-44FSS3CZ.js";
+import "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{list-CEWBMKJ3.js → list-MWDFCHMJ.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/list-UW63DIKX.js

@@ -0,0 +1,73 @@
+import {
+  printOutput,
+  toCsvRows
+} from "./chunk-VFT3TD3E.js";
+import {
+  createApiClient
+} from "./chunk-MXUZR2BV.js";
+import "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
+import "./chunk-U73SABXK.js";
+
+// src/commands/healthchecks/list.ts
+async function runHealthchecksList(options) {
+  const client = options.apiClient ?? createApiClient();
+  const outputFormat = options.outputFormat ?? (options.json ? "json" : "human");
+  const result = await client.listHealthchecks();
+  printOutput({
+    outputFormat,
+    json: result,
+    markdown: [
+      "# Healthchecks",
+      "",
+      ...result.checks.map((entry) => {
+        const status = entry.implemented ? "implemented" : "not-implemented";
+        const lines = [
+          `## ${entry.id}  _(${status})_`,
+          `- Title: ${entry.title}`,
+          `- Category: ${entry.category}`,
+          `- Description: ${entry.description}`
+        ];
+        if (entry.endpoint) {
+          lines.push(`- Endpoint: \`${entry.endpoint}\``);
+        }
+        if (entry.notImplementedReason) {
+          lines.push(`- Not yet implemented: ${entry.notImplementedReason}`);
+        }
+        return lines.join("\n");
+      })
+    ].join("\n\n"),
+    csv: toCsvRows(
+      result.checks.map((entry) => ({
+        id: entry.id,
+        category: entry.category,
+        implemented: entry.implemented,
+        title: entry.title,
+        endpoint: entry.endpoint ?? ""
+      }))
+    ),
+    human: () => {
+      const implemented = result.checks.filter((entry) => entry.implemented);
+      const notImplemented = result.checks.filter((entry) => !entry.implemented);
+      console.log(
+        `Healthchecks: ${implemented.length} implemented, ${notImplemented.length} not yet implemented (planned)`
+      );
+      console.log("");
+      console.log("Implemented:");
+      for (const entry of implemented) {
+        console.log(`  \u2713 ${entry.id}  [${entry.category}]  ${entry.title}`);
+      }
+      console.log("");
+      console.log("Not yet implemented (data gaps; follow-up tracked):");
+      for (const entry of notImplemented) {
+        console.log(`  \xB7 ${entry.id}  [${entry.category}]  ${entry.title}`);
+        if (entry.notImplementedReason) {
+          console.log(`      ${entry.notImplementedReason}`);
+        }
+      }
+    }
+  });
+}
+export {
+  runHealthchecksList
+};

package/dist/{list-json-SUZL2GBJ.js → list-json-WTMYLZGY.js}

@@ -1,6 +1,6 @@
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{run-MGOASUON.js → run-43CC5AXR.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/run-7THXM7GF.js

@@ -0,0 +1,209 @@
+import {
+  CliExitError,
+  ExitCode
+} from "./chunk-E2LAMILJ.js";
+import {
+  printOutput,
+  toCsvRows
+} from "./chunk-VFT3TD3E.js";
+import {
+  createApiClient
+} from "./chunk-MXUZR2BV.js";
+import "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
+import "./chunk-U73SABXK.js";
+
+// src/commands/healthchecks/run.ts
+function buildPayload(entry, org, thresholds) {
+  const payload = { slug: org };
+  const allowedKeys = /* @__PURE__ */ new Set([
+    ...Object.keys(entry.defaultThreshold ?? {}),
+    "source",
+    "minResults",
+    "lookbackHours",
+    "runBeforeValidate",
+    "includeDisabled",
+    "warnThreshold",
+    "failThreshold",
+    "warnAgeHours",
+    "failAgeHours",
+    "staleThresholdHours"
+  ]);
+  for (const [key, value] of Object.entries(thresholds)) {
+    if (allowedKeys.has(key)) {
+      payload[key] = value;
+    }
+  }
+  return payload;
+}
+function statusSymbol(severity) {
+  if (severity === "ok") return "\u2713";
+  if (severity === "warn") return "\u26A0";
+  return "\u2717";
+}
+function statusLabel(severity) {
+  if (severity === "ok") return "DONE";
+  if (severity === "warn") return "WARN";
+  return "FAIL";
+}
+function summariseObserved(result) {
+  const parts = Object.entries(result.observed).slice(0, 4).map(([key, value]) => `${key}=${value}`);
+  return parts.join(", ");
+}
+async function runHealthchecksRun(options) {
+  const client = options.apiClient ?? createApiClient();
+  const outputFormat = options.outputFormat ?? (options.json ? "json" : "human");
+  const thresholds = options.thresholds ?? {};
+  const isMachineFormat = outputFormat !== "human";
+  const registry = await client.listHealthchecks();
+  const targets = [];
+  if (options.all) {
+    for (const entry of registry.checks) {
+      if (entry.implemented && entry.endpoint) targets.push(entry);
+    }
+  } else if (options.id) {
+    const entry = registry.checks.find((item) => item.id === options.id);
+    if (!entry) {
+      throw new CliExitError(
+        `Unknown healthcheck id: '${options.id}'. Run 'chainpatrol healthchecks list' to see available checks.`,
+        ExitCode.USAGE
+      );
+    }
+    if (!entry.implemented || !entry.endpoint) {
+      throw new CliExitError(
+        `Healthcheck '${entry.id}' is not yet implemented on the backend.${entry.notImplementedReason ? ` Reason: ${entry.notImplementedReason}` : ""}`,
+        ExitCode.USAGE
+      );
+    }
+    targets.push(entry);
+  } else {
+    throw new CliExitError(
+      "Provide a healthcheck id or --all. Example: 'chainpatrol healthchecks run reviewing.backlog --org acme' or 'chainpatrol healthchecks run --all --org acme'.",
+      ExitCode.USAGE
+    );
+  }
+  if (targets.length === 0) {
+    throw new CliExitError(
+      "No implemented healthchecks available to run.",
+      ExitCode.USAGE
+    );
+  }
+  const tasks = targets.map(async (entry) => {
+    if (!isMachineFormat) {
+      console.log(`Running ${entry.id} for ${options.org}\u2026`);
+    }
+    try {
+      const result = await client.runHealthcheck(
+        entry.endpoint,
+        buildPayload(entry, options.org, thresholds)
+      );
+      if (!isMachineFormat) {
+        const detail = summariseObserved(result);
+        console.log(
+          `${statusLabel(result.severity)} \u2014 ${entry.id} ${statusSymbol(result.severity)} (${detail})`
+        );
+      }
+      return { entry, result, error: null };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      if (!isMachineFormat) {
+        console.log(`FAIL \u2014 ${entry.id} \u2717 (error: ${message})`);
+      }
+      return { entry, result: null, error: message };
+    }
+  });
+  const settled = await Promise.all(tasks);
+  const results = settled.filter(
+    (entry) => entry.result !== null
+  );
+  const errors = settled.filter((entry) => entry.error !== null);
+  const overallOk = results.every((entry) => entry.result.ok) && errors.length === 0;
+  printOutput({
+    outputFormat,
+    json: {
+      org: options.org,
+      ok: overallOk,
+      results: results.map((entry) => entry.result),
+      errors: errors.map((entry) => ({ id: entry.entry.id, error: entry.error }))
+    },
+    markdown: [
+      `# Healthchecks (${options.org})`,
+      "",
+      `Overall: ${overallOk ? "OK" : "ISSUES FOUND"}`,
+      "",
+      ...results.map((entry) => {
+        const lines = [
+          `## ${entry.result.id} \u2014 ${statusLabel(entry.result.severity)}`,
+          `- Title: ${entry.result.title}`,
+          `- Severity: ${entry.result.severity}`,
+          `- Observed: ${JSON.stringify(entry.result.observed)}`,
+          `- Threshold: ${JSON.stringify(entry.result.threshold)}`
+        ];
+        if (entry.result.findings.length > 0) {
+          lines.push("- Findings:");
+          for (const finding of entry.result.findings) {
+            lines.push(
+              `  - [${finding.severity}] ${finding.kind}${finding.ref ? ` (${finding.ref})` : ""}: ${finding.message}`
+            );
+          }
+        }
+        if (entry.result.suggestedAction) {
+          lines.push(`- Suggested action: ${entry.result.suggestedAction}`);
+        }
+        return lines.join("\n");
+      }),
+      ...errors.map((entry) => `## ${entry.entry.id} \u2014 ERROR
+- ${entry.error}`)
+    ].join("\n\n"),
+    csv: toCsvRows(
+      results.map((entry) => ({
+        id: entry.result.id,
+        severity: entry.result.severity,
+        ok: entry.result.ok,
+        observed: JSON.stringify(entry.result.observed),
+        threshold: JSON.stringify(entry.result.threshold),
+        findings: entry.result.findings.length
+      }))
+    ),
+    human: () => {
+      if (targets.length > 1) {
+        console.log("");
+        console.log("Summary:");
+        for (const entry of results) {
+          console.log(
+            `  ${statusSymbol(entry.result.severity)} ${entry.result.id}  ${statusLabel(entry.result.severity)}  ${summariseObserved(entry.result)}`
+          );
+        }
+        for (const entry of errors) {
+          console.log(`  \u2717 ${entry.entry.id}  FAIL  error=${entry.error}`);
+        }
+      }
+      for (const entry of results) {
+        if (entry.result.findings.length > 0) {
+          console.log("");
+          console.log(`Findings for ${entry.result.id}:`);
+          for (const finding of entry.result.findings) {
+            const ref = finding.ref ? ` (${finding.ref})` : "";
+            console.log(
+              `  [${finding.severity}] ${finding.kind}${ref}: ${finding.message}`
+            );
+          }
+        }
+        if (entry.result.suggestedAction) {
+          console.log("");
+          console.log(`Suggested action for ${entry.result.id}:`);
+          console.log(`  ${entry.result.suggestedAction}`);
+        }
+      }
+    }
+  });
+  if (!overallOk) {
+    throw new CliExitError(
+      "One or more healthchecks failed or errored.",
+      ExitCode.CHECK_FAILED
+    );
+  }
+}
+export {
+  runHealthchecksRun
+};

package/dist/{run-3TTLZ6HA.js → run-MH5RYPWA.js}

@@ -1,13 +1,13 @@
 import {
   getPresetDefinition,
   runPreset
-} from "./chunk-WBKCXGLV.js";
+} from "./chunk-PIYOWGBZ.js";
 import {
   CliExitError,
   ExitCode
 } from "./chunk-E2LAMILJ.js";
 import "./chunk-VFT3TD3E.js";
-import "./chunk-44FSS3CZ.js";
+import "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{setup-skill-KKWETU4A.js → setup-skill-Z5RVCWCU.js}

@@ -6,7 +6,7 @@ import {
   readInstalledSkillVersion,
   setupSkill,
   uninstallSkill
-} from "./chunk-R7BPW32M.js";
+} from "./chunk-S65NM7FF.js";
 import "./chunk-IUZB3DQW.js";
 export {
   getBundledSkillContent,

package/dist/{snapshot-MQ6DWDFG.js → snapshot-E3TPZOKT.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{summary-QORQFCMW.js → summary-6NCA7PDP.js}

@@ -4,7 +4,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{validate-II6GH6H6.js → validate-BJFEKI2N.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/package.json

@@ -2,7 +2,7 @@
   "name": "@chainpatrol/cli",
   "description": "The official ChainPatrol CLI — terminal interface for threat detection",
   "author": "Umar Ahmed <umar@chainpatrol.io>",
-  "version": "0.3.3",
+  "version": "0.4.0",
   "license": "UNLICENSED",
   "homepage": "https://chainpatrol.com/docs/cli",
   "keywords": [