@chainpatrol/cli 0.3.4 → 0.4.0

package/CHANGELOG.md

@@ -1,5 +1,42 @@
 # @chainpatrol/cli
 
+## 0.4.0
+
+### Minor Changes
+
+- b5de201: Add a `healthchecks` namespace to the public API and CLI.
+
+  The new `healthchecks list` returns a registry of every check the platform
+  exposes today, including planned checks that are not yet implemented on the
+  backend (marked `implemented: false` with a `notImplementedReason`). The new
+  `healthchecks run <id|--all> --org <slug>` runs a single check or every
+  implemented check in parallel and returns each result in a uniform shape
+  (`id`, `severity`, `observed`, `threshold`, `findings`, `suggestedAction`).
+
+  Implemented checks in this release:
+
+  - `detections.silent-configs` — the existing detection-config healthcheck,
+    wrapped in the uniform shape. The original `detections healthcheck`
+    command continues to work.
+  - `reviewing.backlog` — counts pending review proposals and grades severity
+    against per-org thresholds (default warn=50, fail=100).
+  - `reviewing.old-proposals` — counts proposals older than the warn / fail
+    age thresholds (default 7 / 14 days) and lists the oldest offenders.
+  - `takedowns.stale-in-progress` — counts takedowns sitting in IN_PROGRESS
+    past the staleness threshold (default 7 days).
+
+  Planned but not yet implemented (still returned by `list` with
+  `implemented: false`): `detections.coverage-gaps`, `detections.spike`,
+  `detections.drop`, `reviewing.auto-approval-spike`,
+  `blocklisting.gsb-cancelled-rate`, `takedowns.todo-volume`,
+  `takedowns.cancelled-rate`, `takedowns.automation-off`.
+
+  The bundled Claude Code skill is updated to (a) document the new namespace,
+  (b) recommend `healthchecks run --all` as the canonical entrypoint when a
+  user asks to run a healthcheck on an org, and (c) mark every not-yet-
+  implemented check in the HealthCheck Guide with a "manual check, no API
+  yet" note so the agent surfaces that gap explicitly.
+
 ## 0.3.4
 
 ### Patch Changes

package/dist/{breakdown-FFNYSXRQ.js → breakdown-EBSACUST.js}

@@ -4,7 +4,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{chunk-44FSS3CZ.js → chunk-MXUZR2BV.js}

@@ -141,6 +141,12 @@ function createApiClient(options) {
         searchQuery: input.searchQuery,
         reportedByCustomer: input.reportedByCustomer
       });
+    },
+    listHealthchecks() {
+      return request("/healthchecks/list", {});
+    },
+    runHealthcheck(endpoint, input) {
+      return request(endpoint, input);
     }
   };
 }

package/dist/{chunk-WBKCXGLV.js → chunk-PIYOWGBZ.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import {
   DateTime
 } from "./chunk-TFCNKBRC.js";

package/dist/{chunk-DOL35U2S.js → chunk-S65NM7FF.js}

@@ -297,6 +297,71 @@ Use it as the first signal in the Detection part of an org healthcheck, then
 fall back to the manual checks in the HealthCheck Guide below for everything
 else.
 
+> Prefer the newer \`healthchecks\` namespace below. \`detections healthcheck\`
+> is the original single-purpose command; the \`healthchecks\` namespace is
+> the canonical place to discover and run every check we expose.
+
+### \`healthchecks list | run\` \u2014 Run uniform org healthchecks via the public API
+
+The \`healthchecks\` namespace is the canonical way to run the named checks
+from the Organization HealthCheck Guide below. Each implemented endpoint
+returns the same uniform shape \u2014 \`{ id, ok, severity, observed, threshold,
+findings, suggestedAction }\` \u2014 so the CLI / agent can render every check the
+same way regardless of category.
+
+\`\`\`bash
+# Discover every check the platform exposes today, including planned checks
+# that are not yet implemented on the backend.
+chainpatrol --json healthchecks list
+
+# Run a single named check.
+chainpatrol --json healthchecks run reviewing.backlog --org <slug>
+
+# Run every implemented check in parallel and aggregate the results.
+chainpatrol --json healthchecks run --all --org <slug>
+\`\`\`
+
+Each implemented check has a stable id of the form \`category.name\`, e.g.
+\`detections.silent-configs\`, \`reviewing.backlog\`,
+\`reviewing.old-proposals\`, \`takedowns.stale-in-progress\`.
+
+Implemented checks today:
+
+- **detections.silent-configs** \u2014 equivalent to \`detections healthcheck\`,
+  exposed under the uniform shape.
+- **reviewing.backlog** \u2014 counts proposals in PENDING review state and grades
+  severity against per-org thresholds (default warn=50, fail=100).
+- **reviewing.old-proposals** \u2014 counts proposals older than the warn / fail
+  age thresholds (default 7 / 14 days) and lists the oldest offenders.
+- **takedowns.stale-in-progress** \u2014 counts takedowns sitting in IN_PROGRESS
+  past the staleness threshold (default 7 days) and lists the oldest.
+
+The following checks are listed by \`healthchecks list\` (\`implemented: false\`)
+but **not yet implemented on the backend** \u2014 when the agent surfaces them in
+a healthcheck report, mark them explicitly as "manual check, no API yet":
+
+- **detections.coverage-gaps** \u2014 blocked assets vs. enabled-source correlation.
+  Still requires manual reasoning with \`configs list\` + \`reports list\`.
+- **detections.spike** / **detections.drop** \u2014 require server-side baseline
+  modeling. Use \`metrics breakdown --by day\` as an interim signal.
+- **reviewing.auto-approval-spike** \u2014 needs distinguishing automation vs.
+  human approvers in the review history. Use \`metrics breakdown\` as a proxy.
+- **blocklisting.gsb-cancelled-rate** \u2014 Google Safe Browsing submission state
+  is not yet exposed in the public API.
+- **takedowns.todo-volume** / **takedowns.cancelled-rate** /
+  **takedowns.automation-off** \u2014 the underlying read paths are not yet exposed.
+
+When the user asks to "run a healthcheck on org X", the canonical command is:
+
+\`\`\`bash
+chainpatrol --json healthchecks run --all --org X
+\`\`\`
+
+This iterates the implemented entries in \`healthchecks list\`, runs them in
+parallel, and aggregates the uniform results. Combine with the manual checks
+in the HealthCheck Guide below for everything still marked
+\`implemented: false\`.
+
 ### \`queues snapshot\` \u2014 Operations review/takedown queue snapshot
 
 Server-side aggregation of the operations review queue (pending proposals,
@@ -442,16 +507,26 @@ others are soft / qualitative signals that still need you to fetch data with
 
 ### Quick Path: CLI commands that automate parts of this guide
 
-Run these first to get cheap, structured signals before falling back to the
-manual checks in each subsection:
+The canonical first step is now the \`healthchecks\` namespace, which runs
+every implemented check via the public API and returns a uniform shape per
+check (\`id\`, \`severity\`, \`observed\`, \`threshold\`, \`findings\`,
+\`suggestedAction\`):
 
 \`\`\`bash
-# Detection: configs that have gone silent or are erroring
-chainpatrol --json detections healthcheck --org <slug>
+# Discover every check the platform exposes, implemented or planned.
+chainpatrol --json healthchecks list
 
-# Reviewing & Takedowns: backlog, SLA breaches, stuck takedowns
-chainpatrol --json queues snapshot --org <slug>
+# Run every implemented healthcheck in parallel and aggregate the results.
+chainpatrol --json healthchecks run --all --org <slug>
+
+# Run a single named check.
+chainpatrol --json healthchecks run reviewing.backlog --org <slug>
+\`\`\`
 
+After \`healthchecks run --all\`, use these complementary commands to cover
+the signals that are not yet exposed as a uniform healthcheck endpoint:
+
+\`\`\`bash
 # Spikes / drops in detection volume over time (compare windows)
 chainpatrol --json metrics breakdown --org <slug> --by day --this-week
 
@@ -461,6 +536,9 @@ chainpatrol --json reports list --org <slug> --reported-by-customer
 # What's enabled vs disabled vs not configured for the org
 chainpatrol --json configs list --org <slug>
 
+# Snapshot of review/takedown queues \u2014 raw counts behind several healthchecks
+chainpatrol --json queues snapshot --org <slug>
+
 # Packaged weekly customer-success sweep (preferred when it covers the ask)
 chainpatrol presets run cs-weekly-health --org <slug>
 \`\`\`
@@ -469,7 +547,8 @@ Treat each command's output as one input to the healthcheck. The manual
 checks below still apply \u2014 especially for signals the CLI cannot infer on
 its own (e.g. "lots of Twitter assets are blocked but Twitter Post Search
 is disabled", or "this drop is fine because the config isn't relevant
-to this org").
+to this org"). Each subsection of the guide notes whether a healthcheck
+endpoint exists today and what to fall back on when it doesn't.
 
 ### Reporting progress while running a healthcheck
 
@@ -524,13 +603,15 @@ turned off. For example: lots of Twitter assets are on the blocklist, but
 detection sources like "Twitter / X User Search" or "Twitter Post Search" are
 disabled. Those should be turned on.
 
-**Run via CLI:** there is no single command for this \u2014 it's a manual
-correlation. Fetch the org's enabled vs disabled configs with
-\`chainpatrol --json configs list --org <slug>\`, then look at recent reports
-(\`chainpatrol --json reports list --org <slug>\`) and the asset types of any
-blocked items. Flag any asset type where blocked items exist but the matching
-detection source has \`status: "disabled"\` (or appears in the "Not configured"
-group).
+**Run via CLI:** **Not yet implemented as a healthcheck endpoint.** Listed in
+\`healthchecks list\` as \`detections.coverage-gaps\` with
+\`implemented: false\` \u2014 when reporting this signal in a healthcheck, note
+"manual check, no API yet". Until the endpoint lands, do the correlation
+manually: \`chainpatrol --json configs list --org <slug>\` for enabled vs
+disabled configs, then \`chainpatrol --json reports list --org <slug>\` for
+recent blocked-item asset types. Flag any asset type where blocked items
+exist but the matching detection source has \`status: "disabled"\` (or
+appears in the "Not configured" group).
 
 #### Spike in Detections
 
@@ -538,7 +619,9 @@ A spike in recent detections is worth investigating. It could be a bad config
 change, or it could be a legitimate new attack push in this area \u2014 useful
 intel to surface to the security team as a targeted spike.
 
-**Run via CLI:** \`chainpatrol --json metrics breakdown --org <slug> --by day --this-week\`
+**Run via CLI:** **Not yet implemented as a healthcheck endpoint.** Listed
+in \`healthchecks list\` as \`detections.spike\` with \`implemented: false\`.
+Until the endpoint lands, use \`chainpatrol --json metrics breakdown --org <slug> --by day --this-week\`
 (and a comparison window via \`--from\`/\`--to\`) to see daily detection
 volume. Anything notably above the recent baseline is a spike \u2014 cross-reference
 against recent config changes for that source.
@@ -549,11 +632,15 @@ A drop is also worth looking into. It may be a bad config change, or it may
 mean the config is not really relevant and can be safely turned off (not all
 default-on configs are relevant to every org).
 
-**Run via CLI:** the same \`metrics breakdown\` time series catches drops.
-Additionally, \`chainpatrol --json detections healthcheck --org <slug>\`
-fails configs whose \`recentResultCount\` is below \`--min-results\` in the
-\`--lookback-hours\` window \u2014 that's exactly a "this source went silent"
-signal. Use \`--run\` to also catch configs that error when executed.
+**Run via CLI:** the extreme case ("this source went silent") is covered
+today by \`chainpatrol --json healthchecks run detections.silent-configs --org <slug>\`,
+which is the canonical replacement for the older \`detections healthcheck\`.
+It fails any config whose \`recentResultCount\` is below \`--min-results\`
+in the \`--lookback-hours\` window; pass \`--run\` (via the lower-level
+\`detections healthcheck --run\`) to also catch configs that error when
+executed. For soft drops (still producing results but below baseline),
+\`detections.drop\` is marked \`implemented: false\` in \`healthchecks list\`
+\u2014 use \`metrics breakdown --by day\` and compare windows manually.
 
 ### Reviewing
 
@@ -564,12 +651,16 @@ reports, but really the threshold is relative to the average number of
 confirmed threats per week. Example: if an org only adds 5 blocked threats per
 week, then a 7-day backlog of even 10 proposals is a really big deal.
 
-**Run via CLI:** \`chainpatrol --json queues snapshot --org <slug>\` returns
-\`reviewQueue.totalPendingProposals\` and \`reviewQueue.distinctReports\`.
-Compare against the org's typical weekly throughput (use
-\`metrics summary --this-week\` for that baseline) \u2014 a backlog that exceeds
-a week of typical confirmed-threat volume is a finding regardless of the
-absolute number.
+**Run via CLI:** **Implemented as \`healthchecks run reviewing.backlog\`.**
+The endpoint counts proposals in PENDING review state and grades severity
+against per-org thresholds (default warn=50, fail=100; override with
+\`--warn-threshold\` / \`--fail-threshold\` via the run payload). For raw
+counts plus SLA / age breakdowns, \`chainpatrol --json queues snapshot --org <slug>\`
+remains useful and exposes \`reviewQueue.totalPendingProposals\` and
+\`reviewQueue.distinctReports\`. Compare against the org's typical weekly
+throughput (use \`metrics summary --this-week\` for that baseline) \u2014 a
+backlog that exceeds a week of typical confirmed-threat volume is a finding
+regardless of the absolute number.
 
 #### Really Old Proposals
 
@@ -578,11 +669,12 @@ gone wrong. Even complex investigations rarely take longer than this. Except
 for rare cases, these should be rejected or approved to prevent a backlog
 from building.
 
-**Run via CLI:** \`queues snapshot\` returns \`reviewQueue.ageBuckets.gte168h\`
-(proposals older than 7 days). Anything in that bucket is at least halfway
-to the 14-day threshold; investigate. \`reviewQueue.slaBuckets.breached\`
-captures the strictest SLA breaches separately \u2014 any non-zero value is
-worth raising.
+**Run via CLI:** **Implemented as \`healthchecks run reviewing.old-proposals\`.**
+The endpoint counts pending proposals older than the warn / fail age
+thresholds (default 7 / 14 days) and lists the oldest offenders in
+\`findings\`. \`queues snapshot\` (\`reviewQueue.ageBuckets.gte168h\`) still
+works as a raw view, and \`reviewQueue.slaBuckets.breached\` captures the
+strictest SLA breaches separately \u2014 any non-zero value is worth raising.
 
 #### Spike in Auto Approved Reports
 
@@ -594,8 +686,10 @@ cases, notify an engineer at ChainPatrol and check any detection configs you
 adjusted recently, since those may be the cause of spam combined with a weak
 rule.
 
-**Run via CLI:** there is no dedicated subcommand for the auto-approval
-rate yet. As a proxy, use \`chainpatrol --json metrics breakdown --org <slug> --by day --this-week\`
+**Run via CLI:** **Not yet implemented as a healthcheck endpoint.** Listed
+in \`healthchecks list\` as \`reviewing.auto-approval-spike\` with
+\`implemented: false\`. As a proxy until the endpoint lands, use
+\`chainpatrol --json metrics breakdown --org <slug> --by day --this-week\`
 and look for a sudden surge in \`newThreats\` / \`threatsWatchlisted\` that
 isn't matched by a parallel rise in reviewer activity \u2014 that gap usually
 points at automation doing the approving.
@@ -613,9 +707,10 @@ also take a look at the org's custom detection sources \u2014 it's possible ther
 are too many false positives landing on the blocklist, indicating issues with
 detection and reviewing rules.
 
-**Run via CLI:** not yet \u2014 the CLI does not expose Google Safe Browsing
-submission state today. Until the new public API lands, this remains a
-manual / engineering-team check.
+**Run via CLI:** **Not yet implemented as a healthcheck endpoint.** Listed
+in \`healthchecks list\` as \`blocklisting.gsb-cancelled-rate\` with
+\`implemented: false\`. Until Google Safe Browsing submission state is
+exposed in the public API, this remains a manual / engineering-team check.
 
 ### Takedowns
 
@@ -625,8 +720,11 @@ Can mean a gap in automated takedowns not being implemented for some new area
 of threats. It can also mean the areas that require manual takedowns are
 being missed by the takedown team.
 
-**Run via CLI:** \`chainpatrol --json queues snapshot --org <slug>\` returns
-\`takedownQueue.totalOpen\` and breakdowns by status. A persistently large
+**Run via CLI:** **Not yet implemented as a healthcheck endpoint.** Listed
+in \`healthchecks list\` as \`takedowns.todo-volume\` with
+\`implemented: false\` (needs a per-org throughput baseline). As an interim
+signal, \`chainpatrol --json queues snapshot --org <slug>\` returns
+\`takedownQueue.totalOpen\` and breakdowns by status; a persistently large
 ToDo bucket relative to the org's typical takedown rate (use
 \`metrics summary\` for that baseline) is the finding.
 
@@ -636,10 +734,12 @@ Typically means something is wrong with the submission itself. The takedown
 may need to be resubmitted, the vendor asked for more evidence, or we may
 have submitted it in the wrong place.
 
-**Run via CLI:** \`queues snapshot\` returns \`takedownQueue.staleInProgress\`
-\u2014 takedowns that have sat in In Progress past the expected vendor turnaround.
-Any non-zero value is worth investigating; a growing number across snapshots
-strongly suggests a vendor-side or submission-format problem.
+**Run via CLI:** **Implemented as \`healthchecks run takedowns.stale-in-progress\`.**
+The endpoint counts takedowns sitting in IN_PROGRESS past the staleness
+threshold (default 7 days) and lists the oldest offenders in \`findings\`.
+\`queues snapshot\` (\`takedownQueue.staleInProgress\`) still works as a raw
+view. Any non-zero value is worth investigating; a growing number across
+snapshots strongly suggests a vendor-side or submission-format problem.
 
 #### Too Many Cancelled Takedowns
 
@@ -648,7 +748,10 @@ do this takedown" for some reason. Cases like adding an item to the blocklist
 when it's already taken down are treated as completed, not cancelled. So even
 3 cancelled takedowns in a 7-day period is too many.
 
-**Run via CLI:** no first-class command yet. As an interim signal, use
+**Run via CLI:** **Not yet implemented as a healthcheck endpoint.** Listed
+in \`healthchecks list\` as \`takedowns.cancelled-rate\` with
+\`implemented: false\` (public API does not yet expose CANCELLED takedown
+counts over a rolling window). As an interim signal, use
 \`chainpatrol --json metrics breakdown --org <slug> --by day --this-week\`
 and compare \`takedownsFiled\` vs \`takedownsCompleted\` for a sudden
 divergence \u2014 a widening gap with no In-Progress growth often shows up as
@@ -660,9 +763,12 @@ Automated takedowns should be on by default for nearly every organization.
 Any issue that would make you want to turn off automated takedowns should be
 resolved within 30 days.
 
-**Run via CLI:** not yet exposed in a single command. Check this manually
-with the org's takedown automation settings; the CLI's role here is mostly
-to highlight stale state in \`queues snapshot\` so you know to ask.
+**Run via CLI:** **Not yet implemented as a healthcheck endpoint.** Listed
+in \`healthchecks list\` as \`takedowns.automation-off\` with
+\`implemented: false\` (public API does not yet expose automated-takedown
+enablement state). Check this manually with the org's takedown automation
+settings; the CLI's role here is mostly to highlight stale state in
+\`queues snapshot\` so you know to ask.
 `;
 }
 function getBundledSkillVersion() {

package/dist/cli.js

@@ -13,7 +13,7 @@ import {
   getCliVersion,
   isSkillInstalled,
   readInstalledSkillVersion
-} from "./chunk-DOL35U2S.js";
+} from "./chunk-S65NM7FF.js";
 import "./chunk-IUZB3DQW.js";
 import {
   DateTime
@@ -281,6 +281,35 @@ var HELP = {
       "--window-hours <n>    Hours used for staleness windows"
     ]
   },
+  healthchecks: {
+    description: "Run organization healthchecks via the public API. Use `list` to see every available check (including planned ones not yet implemented on the backend) and `run` to execute one or all implemented checks.",
+    usage: "chainpatrol healthchecks <list|run <id>|run --all>",
+    options: ["--org <slug>          Organization slug (required for `run`)"],
+    examples: [
+      "chainpatrol healthchecks list",
+      "chainpatrol healthchecks run --all --org acme",
+      "chainpatrol healthchecks run reviewing.backlog --org acme",
+      "chainpatrol healthchecks run takedowns.stale-in-progress --org acme"
+    ]
+  },
+  "healthchecks list": {
+    description: "List every healthcheck the platform exposes. Each entry reports whether it is implemented today; not-yet-implemented entries include a `notImplementedReason` you can surface to users.",
+    usage: "chainpatrol healthchecks list"
+  },
+  "healthchecks run": {
+    description: "Run a single healthcheck by id, or pass `--all` to run every implemented check in parallel and aggregate the results. Returns the uniform healthcheck shape (id, severity, observed, threshold, findings, suggestedAction).",
+    usage: "chainpatrol healthchecks run <id|--all> --org <slug>",
+    options: [
+      "--org <slug>          Organization slug (required)",
+      "--all                 Run every implemented healthcheck in parallel",
+      "--min-results <n>     Pass through to detections.silent-configs",
+      "--lookback-hours <n>  Pass through to detections.silent-configs"
+    ],
+    examples: [
+      "chainpatrol healthchecks run reviewing.backlog --org acme",
+      "chainpatrol healthchecks run --all --org acme"
+    ]
+  },
   presets: {
     description: "Run saved workflows for common jobs.",
     usage: "chainpatrol presets <list|run <id>>",
@@ -336,6 +365,7 @@ function getTopLevelHelp() {
     "    logout        Clear stored credentials",
     "    configs       Manage detection configs",
     "    detections    Validate, run, update detection configs",
+    "    healthchecks  List and run organization healthchecks",
     "    metrics       Query organization metrics and breakdowns",
     "    reports       Create and list reports from terminal",
     "    queues        Snapshot operations review/takedown queues",
@@ -504,6 +534,7 @@ var COMMANDS = [
   "logout",
   "configs",
   "detections",
+  "healthchecks",
   "metrics",
   "reports",
   "queues",
@@ -686,12 +717,12 @@ function parseAttachmentUrls() {
 }
 async function handleConfigsList(org) {
   if (jsonMode) {
-    const { listConfigsJson } = await import("./list-json-SUZL2GBJ.js");
+    const { listConfigsJson } = await import("./list-json-WTMYLZGY.js");
     await listConfigsJson({ org });
     return;
   }
   const { render } = await import("ink");
-  const { default: ConfigsList } = await import("./list-TMFLCS5U.js");
+  const { default: ConfigsList } = await import("./list-GEMCFDD5.js");
   const { default: React } = await import("react");
   render(React.createElement(ConfigsList, { org }));
 }
@@ -789,7 +820,7 @@ async function main() {
     case "detections": {
       const org = await resolveOrg();
       if (subcommand === "healthcheck") {
-        const { runDetectionsHealthcheck } = await import("./healthcheck-SIE5EXN3.js");
+        const { runDetectionsHealthcheck } = await import("./healthcheck-KAONRGSS.js");
         await runDetectionsHealthcheck({
           org,
           source: cli.flags.source,
@@ -804,7 +835,7 @@ async function main() {
         break;
       }
       if (subcommand === "validate") {
-        const { runDetectionsValidate } = await import("./validate-II6GH6H6.js");
+        const { runDetectionsValidate } = await import("./validate-BJFEKI2N.js");
         await runDetectionsValidate({
           org,
           source: cli.flags.source,
@@ -819,7 +850,7 @@ async function main() {
         break;
       }
       if (subcommand === "drift") {
-        const { runDetectionsDrift } = await import("./drift-PASGDEEX.js");
+        const { runDetectionsDrift } = await import("./drift-DZ6A7JL5.js");
         await runDetectionsDrift({
           org,
           source: cli.flags.source,
@@ -833,7 +864,7 @@ async function main() {
         break;
       }
       if (subcommand === "run") {
-        const { runDetectionsRun } = await import("./run-MGOASUON.js");
+        const { runDetectionsRun } = await import("./run-43CC5AXR.js");
         await runDetectionsRun({
           org,
           configId: cli.flags.configId,
@@ -852,7 +883,7 @@ async function main() {
           break;
         }
         if (action === "run") {
-          const { runDetectionsRun } = await import("./run-MGOASUON.js");
+          const { runDetectionsRun } = await import("./run-43CC5AXR.js");
           await runDetectionsRun({
             org,
             configId: cli.flags.configId,
@@ -870,7 +901,7 @@ async function main() {
             throw new Error("detections configs update requires --config-id");
           }
           const configPatch = getConfigPatchFromSetFlags();
-          const { runDetectionsConfigsUpdate } = await import("./configs-update-VOWH674W.js");
+          const { runDetectionsConfigsUpdate } = await import("./configs-update-RPN32YTL.js");
           await runDetectionsConfigsUpdate({
             org,
             configId: cli.flags.configId,
@@ -897,7 +928,7 @@ async function main() {
     case "metrics": {
       const org = await resolveOrg();
       if (subcommand === "summary") {
-        const { runMetricsSummary } = await import("./summary-QORQFCMW.js");
+        const { runMetricsSummary } = await import("./summary-6NCA7PDP.js");
         await runMetricsSummary({
           org,
           from: cli.flags.from,
@@ -909,7 +940,7 @@ async function main() {
         break;
       }
       if (subcommand === "found") {
-        const { runMetricsFound } = await import("./found-TIW7T4VX.js");
+        const { runMetricsFound } = await import("./found-AOPBSLRD.js");
         await runMetricsFound({
           org,
           from: cli.flags.from,
@@ -926,7 +957,7 @@ async function main() {
         if (!by || !["day", "type", "brand"].includes(by)) {
           throw new Error("metrics breakdown requires --by <day|type|brand>");
         }
-        const { runMetricsBreakdown } = await import("./breakdown-FFNYSXRQ.js");
+        const { runMetricsBreakdown } = await import("./breakdown-EBSACUST.js");
         await runMetricsBreakdown({
           org,
           by,
@@ -946,7 +977,7 @@ async function main() {
     case "reports": {
       if (subcommand === "list") {
         const org = await resolveOrg();
-        const { runReportsList } = await import("./list-CEWBMKJ3.js");
+        const { runReportsList } = await import("./list-MWDFCHMJ.js");
         await runReportsList({
           org,
           limit: cli.flags.limit,
@@ -962,7 +993,7 @@ async function main() {
       }
       if (subcommand === "create") {
         const org = await tryResolveOrg();
-        const { runReportsCreate } = await import("./create-ASGUBKZ7.js");
+        const { runReportsCreate } = await import("./create-QP3M7EZM.js");
         await runReportsCreate({
           org,
           title: cli.flags.title,
@@ -986,7 +1017,7 @@ async function main() {
     }
     case "queues": {
       if (subcommand === "snapshot") {
-        const { runQueuesSnapshot } = await import("./snapshot-MQ6DWDFG.js");
+        const { runQueuesSnapshot } = await import("./snapshot-E3TPZOKT.js");
         await runQueuesSnapshot({
           org: cli.flags.org,
           all: cli.flags.all,
@@ -1002,9 +1033,41 @@ async function main() {
         subcommand ? `Unknown subcommand: queues ${subcommand}${hint ? `. Did you mean "queues ${hint}"?` : ""}` : "Usage: chainpatrol queues snapshot [--org <slug>|--all]"
       );
     }
+    case "healthchecks": {
+      if (subcommand === "list") {
+        const { runHealthchecksList } = await import("./list-UW63DIKX.js");
+        await runHealthchecksList({
+          json: jsonMode,
+          outputFormat: cliContext.outputFormat
+        });
+        break;
+      }
+      if (subcommand === "run") {
+        const org = await resolveOrg();
+        const thresholds = {};
+        if (cli.flags.minResults !== void 0)
+          thresholds.minResults = cli.flags.minResults;
+        if (cli.flags.lookbackHours !== void 0)
+          thresholds.lookbackHours = cli.flags.lookbackHours;
+        const { runHealthchecksRun } = await import("./run-7THXM7GF.js");
+        await runHealthchecksRun({
+          org,
+          id: action,
+          all: cli.flags.all,
+          thresholds,
+          json: jsonMode,
+          outputFormat: cliContext.outputFormat
+        });
+        break;
+      }
+      const hint = subcommand ? suggest(subcommand, ["list", "run"]) : null;
+      throw new Error(
+        subcommand ? `Unknown subcommand: healthchecks ${subcommand}${hint ? `. Did you mean "healthchecks ${hint}"?` : ""}` : "Usage: chainpatrol healthchecks <list|run <id>>"
+      );
+    }
     case "presets": {
       if (subcommand === "list") {
-        const { runPresetsList } = await import("./list-KTIZ3UHA.js");
+        const { runPresetsList } = await import("./list-LN6NOZIJ.js");
         await runPresetsList({ outputFormat: cliContext.outputFormat });
         break;
       }
@@ -1015,7 +1078,7 @@ async function main() {
           );
         }
         const org = await resolveOrg();
-        const { runPresetsRun } = await import("./run-3TTLZ6HA.js");
+        const { runPresetsRun } = await import("./run-MH5RYPWA.js");
         await runPresetsRun({
           presetId: action,
           org,
@@ -1032,12 +1095,12 @@ async function main() {
     case "setup":
     case "install":
     case "i": {
-      const { setupSkill } = await import("./setup-skill-PCUBJJYU.js");
+      const { setupSkill } = await import("./setup-skill-Z5RVCWCU.js");
       setupSkill({ json: jsonMode });
       break;
     }
     case "uninstall": {
-      const { uninstallSkill } = await import("./setup-skill-PCUBJJYU.js");
+      const { uninstallSkill } = await import("./setup-skill-Z5RVCWCU.js");
       uninstallSkill({ json: jsonMode });
       break;
     }

package/dist/{configs-update-VOWH674W.js → configs-update-RPN32YTL.js}

@@ -7,7 +7,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{create-ASGUBKZ7.js → create-QP3M7EZM.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{drift-PASGDEEX.js → drift-DZ6A7JL5.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{found-TIW7T4VX.js → found-AOPBSLRD.js}

@@ -4,7 +4,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import {
   DateTime

package/dist/{healthcheck-SIE5EXN3.js → healthcheck-KAONRGSS.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{list-TMFLCS5U.js → list-GEMCFDD5.js}

@@ -4,7 +4,7 @@ import {
 } from "./chunk-JCMWDZYY.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import {
   AuthCorruptedError,
   AuthExpiredError,

package/dist/{list-KTIZ3UHA.js → list-LN6NOZIJ.js}

@@ -1,12 +1,12 @@
 import {
   PRESETS
-} from "./chunk-WBKCXGLV.js";
+} from "./chunk-PIYOWGBZ.js";
 import "./chunk-E2LAMILJ.js";
 import {
   printOutput,
   toCsvRows
 } from "./chunk-VFT3TD3E.js";
-import "./chunk-44FSS3CZ.js";
+import "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{list-CEWBMKJ3.js → list-MWDFCHMJ.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/list-UW63DIKX.js

@@ -0,0 +1,73 @@
+import {
+  printOutput,
+  toCsvRows
+} from "./chunk-VFT3TD3E.js";
+import {
+  createApiClient
+} from "./chunk-MXUZR2BV.js";
+import "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
+import "./chunk-U73SABXK.js";
+
+// src/commands/healthchecks/list.ts
+async function runHealthchecksList(options) {
+  const client = options.apiClient ?? createApiClient();
+  const outputFormat = options.outputFormat ?? (options.json ? "json" : "human");
+  const result = await client.listHealthchecks();
+  printOutput({
+    outputFormat,
+    json: result,
+    markdown: [
+      "# Healthchecks",
+      "",
+      ...result.checks.map((entry) => {
+        const status = entry.implemented ? "implemented" : "not-implemented";
+        const lines = [
+          `## ${entry.id}  _(${status})_`,
+          `- Title: ${entry.title}`,
+          `- Category: ${entry.category}`,
+          `- Description: ${entry.description}`
+        ];
+        if (entry.endpoint) {
+          lines.push(`- Endpoint: \`${entry.endpoint}\``);
+        }
+        if (entry.notImplementedReason) {
+          lines.push(`- Not yet implemented: ${entry.notImplementedReason}`);
+        }
+        return lines.join("\n");
+      })
+    ].join("\n\n"),
+    csv: toCsvRows(
+      result.checks.map((entry) => ({
+        id: entry.id,
+        category: entry.category,
+        implemented: entry.implemented,
+        title: entry.title,
+        endpoint: entry.endpoint ?? ""
+      }))
+    ),
+    human: () => {
+      const implemented = result.checks.filter((entry) => entry.implemented);
+      const notImplemented = result.checks.filter((entry) => !entry.implemented);
+      console.log(
+        `Healthchecks: ${implemented.length} implemented, ${notImplemented.length} not yet implemented (planned)`
+      );
+      console.log("");
+      console.log("Implemented:");
+      for (const entry of implemented) {
+        console.log(`  \u2713 ${entry.id}  [${entry.category}]  ${entry.title}`);
+      }
+      console.log("");
+      console.log("Not yet implemented (data gaps; follow-up tracked):");
+      for (const entry of notImplemented) {
+        console.log(`  \xB7 ${entry.id}  [${entry.category}]  ${entry.title}`);
+        if (entry.notImplementedReason) {
+          console.log(`      ${entry.notImplementedReason}`);
+        }
+      }
+    }
+  });
+}
+export {
+  runHealthchecksList
+};

package/dist/{list-json-SUZL2GBJ.js → list-json-WTMYLZGY.js}

@@ -1,6 +1,6 @@
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{run-MGOASUON.js → run-43CC5AXR.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/run-7THXM7GF.js

@@ -0,0 +1,209 @@
+import {
+  CliExitError,
+  ExitCode
+} from "./chunk-E2LAMILJ.js";
+import {
+  printOutput,
+  toCsvRows
+} from "./chunk-VFT3TD3E.js";
+import {
+  createApiClient
+} from "./chunk-MXUZR2BV.js";
+import "./chunk-EEG7T6WT.js";
+import "./chunk-TFCNKBRC.js";
+import "./chunk-U73SABXK.js";
+
+// src/commands/healthchecks/run.ts
+function buildPayload(entry, org, thresholds) {
+  const payload = { slug: org };
+  const allowedKeys = /* @__PURE__ */ new Set([
+    ...Object.keys(entry.defaultThreshold ?? {}),
+    "source",
+    "minResults",
+    "lookbackHours",
+    "runBeforeValidate",
+    "includeDisabled",
+    "warnThreshold",
+    "failThreshold",
+    "warnAgeHours",
+    "failAgeHours",
+    "staleThresholdHours"
+  ]);
+  for (const [key, value] of Object.entries(thresholds)) {
+    if (allowedKeys.has(key)) {
+      payload[key] = value;
+    }
+  }
+  return payload;
+}
+function statusSymbol(severity) {
+  if (severity === "ok") return "\u2713";
+  if (severity === "warn") return "\u26A0";
+  return "\u2717";
+}
+function statusLabel(severity) {
+  if (severity === "ok") return "DONE";
+  if (severity === "warn") return "WARN";
+  return "FAIL";
+}
+function summariseObserved(result) {
+  const parts = Object.entries(result.observed).slice(0, 4).map(([key, value]) => `${key}=${value}`);
+  return parts.join(", ");
+}
+async function runHealthchecksRun(options) {
+  const client = options.apiClient ?? createApiClient();
+  const outputFormat = options.outputFormat ?? (options.json ? "json" : "human");
+  const thresholds = options.thresholds ?? {};
+  const isMachineFormat = outputFormat !== "human";
+  const registry = await client.listHealthchecks();
+  const targets = [];
+  if (options.all) {
+    for (const entry of registry.checks) {
+      if (entry.implemented && entry.endpoint) targets.push(entry);
+    }
+  } else if (options.id) {
+    const entry = registry.checks.find((item) => item.id === options.id);
+    if (!entry) {
+      throw new CliExitError(
+        `Unknown healthcheck id: '${options.id}'. Run 'chainpatrol healthchecks list' to see available checks.`,
+        ExitCode.USAGE
+      );
+    }
+    if (!entry.implemented || !entry.endpoint) {
+      throw new CliExitError(
+        `Healthcheck '${entry.id}' is not yet implemented on the backend.${entry.notImplementedReason ? ` Reason: ${entry.notImplementedReason}` : ""}`,
+        ExitCode.USAGE
+      );
+    }
+    targets.push(entry);
+  } else {
+    throw new CliExitError(
+      "Provide a healthcheck id or --all. Example: 'chainpatrol healthchecks run reviewing.backlog --org acme' or 'chainpatrol healthchecks run --all --org acme'.",
+      ExitCode.USAGE
+    );
+  }
+  if (targets.length === 0) {
+    throw new CliExitError(
+      "No implemented healthchecks available to run.",
+      ExitCode.USAGE
+    );
+  }
+  const tasks = targets.map(async (entry) => {
+    if (!isMachineFormat) {
+      console.log(`Running ${entry.id} for ${options.org}\u2026`);
+    }
+    try {
+      const result = await client.runHealthcheck(
+        entry.endpoint,
+        buildPayload(entry, options.org, thresholds)
+      );
+      if (!isMachineFormat) {
+        const detail = summariseObserved(result);
+        console.log(
+          `${statusLabel(result.severity)} \u2014 ${entry.id} ${statusSymbol(result.severity)} (${detail})`
+        );
+      }
+      return { entry, result, error: null };
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      if (!isMachineFormat) {
+        console.log(`FAIL \u2014 ${entry.id} \u2717 (error: ${message})`);
+      }
+      return { entry, result: null, error: message };
+    }
+  });
+  const settled = await Promise.all(tasks);
+  const results = settled.filter(
+    (entry) => entry.result !== null
+  );
+  const errors = settled.filter((entry) => entry.error !== null);
+  const overallOk = results.every((entry) => entry.result.ok) && errors.length === 0;
+  printOutput({
+    outputFormat,
+    json: {
+      org: options.org,
+      ok: overallOk,
+      results: results.map((entry) => entry.result),
+      errors: errors.map((entry) => ({ id: entry.entry.id, error: entry.error }))
+    },
+    markdown: [
+      `# Healthchecks (${options.org})`,
+      "",
+      `Overall: ${overallOk ? "OK" : "ISSUES FOUND"}`,
+      "",
+      ...results.map((entry) => {
+        const lines = [
+          `## ${entry.result.id} \u2014 ${statusLabel(entry.result.severity)}`,
+          `- Title: ${entry.result.title}`,
+          `- Severity: ${entry.result.severity}`,
+          `- Observed: ${JSON.stringify(entry.result.observed)}`,
+          `- Threshold: ${JSON.stringify(entry.result.threshold)}`
+        ];
+        if (entry.result.findings.length > 0) {
+          lines.push("- Findings:");
+          for (const finding of entry.result.findings) {
+            lines.push(
+              `  - [${finding.severity}] ${finding.kind}${finding.ref ? ` (${finding.ref})` : ""}: ${finding.message}`
+            );
+          }
+        }
+        if (entry.result.suggestedAction) {
+          lines.push(`- Suggested action: ${entry.result.suggestedAction}`);
+        }
+        return lines.join("\n");
+      }),
+      ...errors.map((entry) => `## ${entry.entry.id} \u2014 ERROR
+- ${entry.error}`)
+    ].join("\n\n"),
+    csv: toCsvRows(
+      results.map((entry) => ({
+        id: entry.result.id,
+        severity: entry.result.severity,
+        ok: entry.result.ok,
+        observed: JSON.stringify(entry.result.observed),
+        threshold: JSON.stringify(entry.result.threshold),
+        findings: entry.result.findings.length
+      }))
+    ),
+    human: () => {
+      if (targets.length > 1) {
+        console.log("");
+        console.log("Summary:");
+        for (const entry of results) {
+          console.log(
+            `  ${statusSymbol(entry.result.severity)} ${entry.result.id}  ${statusLabel(entry.result.severity)}  ${summariseObserved(entry.result)}`
+          );
+        }
+        for (const entry of errors) {
+          console.log(`  \u2717 ${entry.entry.id}  FAIL  error=${entry.error}`);
+        }
+      }
+      for (const entry of results) {
+        if (entry.result.findings.length > 0) {
+          console.log("");
+          console.log(`Findings for ${entry.result.id}:`);
+          for (const finding of entry.result.findings) {
+            const ref = finding.ref ? ` (${finding.ref})` : "";
+            console.log(
+              `  [${finding.severity}] ${finding.kind}${ref}: ${finding.message}`
+            );
+          }
+        }
+        if (entry.result.suggestedAction) {
+          console.log("");
+          console.log(`Suggested action for ${entry.result.id}:`);
+          console.log(`  ${entry.result.suggestedAction}`);
+        }
+      }
+    }
+  });
+  if (!overallOk) {
+    throw new CliExitError(
+      "One or more healthchecks failed or errored.",
+      ExitCode.CHECK_FAILED
+    );
+  }
+}
+export {
+  runHealthchecksRun
+};

package/dist/{run-3TTLZ6HA.js → run-MH5RYPWA.js}

@@ -1,13 +1,13 @@
 import {
   getPresetDefinition,
   runPreset
-} from "./chunk-WBKCXGLV.js";
+} from "./chunk-PIYOWGBZ.js";
 import {
   CliExitError,
   ExitCode
 } from "./chunk-E2LAMILJ.js";
 import "./chunk-VFT3TD3E.js";
-import "./chunk-44FSS3CZ.js";
+import "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{setup-skill-PCUBJJYU.js → setup-skill-Z5RVCWCU.js}

@@ -6,7 +6,7 @@ import {
   readInstalledSkillVersion,
   setupSkill,
   uninstallSkill
-} from "./chunk-DOL35U2S.js";
+} from "./chunk-S65NM7FF.js";
 import "./chunk-IUZB3DQW.js";
 export {
   getBundledSkillContent,

package/dist/{snapshot-MQ6DWDFG.js → snapshot-E3TPZOKT.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{summary-QORQFCMW.js → summary-6NCA7PDP.js}

@@ -4,7 +4,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/dist/{validate-II6GH6H6.js → validate-BJFEKI2N.js}

@@ -8,7 +8,7 @@ import {
 } from "./chunk-VFT3TD3E.js";
 import {
   createApiClient
-} from "./chunk-44FSS3CZ.js";
+} from "./chunk-MXUZR2BV.js";
 import "./chunk-EEG7T6WT.js";
 import "./chunk-TFCNKBRC.js";
 import "./chunk-U73SABXK.js";

package/package.json

@@ -2,7 +2,7 @@
   "name": "@chainpatrol/cli",
   "description": "The official ChainPatrol CLI — terminal interface for threat detection",
   "author": "Umar Ahmed <umar@chainpatrol.io>",
-  "version": "0.3.4",
+  "version": "0.4.0",
   "license": "UNLICENSED",
   "homepage": "https://chainpatrol.com/docs/cli",
   "keywords": [