@illumiarq/lumis 1.2.8 → 1.2.10

package/dist/commands/doctor.command.js

@@ -0,0 +1,922 @@
+/**
+ * Project diagnostics command.
+ *
+ * This command verifies core runtime readiness for Lumis by checking config,
+ * pack/adapter detection, command inventory availability, and persisted IR state.
+ */
+import fs from 'node:fs';
+import path from 'node:path';
+import { diffIR, loadIR } from '@lumiarq/context';
+import { createPlanWithAdapter } from '@lumiarq/planner';
+import { collectNormalizedCommands } from './commands.command.js';
+import { parseRawIntent } from './intent.command.js';
+import { resolveRuntimePolicy } from '../runtime/policy.js';
+import { validateRuntimeProfileStore } from '../runtime/profiles.js';
+import { loadRuntimeTranscriptIndex, summarizeRuntimeTranscripts } from '../runtime/transcripts.js';
+/**
+ * Parse doctor command options.
+ *
+ * Supported flags:
+ * - --intent <raw intent text>
+ * - --intent-file <path to file with one intent per line>
+ * - --strict-intent-conflicts (fail command when conflicts are found)
+ *
+ * @param commandArgs - Raw doctor command arguments.
+ * @param projectRoot - Project root used to resolve relative intent-file paths.
+ * @returns Parsed doctor options.
+ */
+function parseDoctorOptions(commandArgs, projectRoot) {
+    const intentTexts = [];
+    let strictIntentConflicts = false;
+    let index = 0;
+    while (index < commandArgs.length) {
+        const token = commandArgs[index];
+        if (token === '--strict-intent-conflicts') {
+            strictIntentConflicts = true;
+            index += 1;
+            continue;
+        }
+        if (token === '--intent') {
+            index += 1;
+            const parts = [];
+            while (index < commandArgs.length && !commandArgs[index]?.startsWith('--')) {
+                const part = commandArgs[index];
+                if (part) {
+                    parts.push(part);
+                }
+                index += 1;
+            }
+            const intent = parts.join(' ').trim();
+            if (intent) {
+                intentTexts.push(intent);
+            }
+            continue;
+        }
+        if (token === '--intent-file') {
+            const rawPath = commandArgs[index + 1];
+            if (!rawPath) {
+                index += 1;
+                continue;
+            }
+            const resolvedPath = path.isAbsolute(rawPath) ? rawPath : path.join(projectRoot, rawPath);
+            if (fs.existsSync(resolvedPath)) {
+                const fileIntents = fs
+                    .readFileSync(resolvedPath, 'utf8')
+                    .split(/\r?\n/g)
+                    .map((line) => line.trim())
+                    .filter((line) => line.length > 0 && !line.startsWith('#'));
+                intentTexts.push(...fileIntents);
+            }
+            index += 2;
+            continue;
+        }
+        index += 1;
+    }
+    return { intentTexts, strictIntentConflicts };
+}
+function normalizeTargetFile(targetFile) {
+    return path.resolve(targetFile).replaceAll('\\', '/');
+}
+function hasSensitiveInlineEnv(env) {
+    if (!env || typeof env !== 'object') {
+        return false;
+    }
+    for (const [key, value] of Object.entries(env)) {
+        if (!/token|secret|password|key/i.test(key)) {
+            continue;
+        }
+        if (typeof value === 'string' && value.trim().length > 0) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Identify deterministic conflicts across multiple planned intents.
+ *
+ * @param plannedIntents - Planned intent summaries including write targets.
+ * @returns List of target-level conflicts.
+ */
+function detectIntentConflicts(plannedIntents) {
+    const byTarget = new Map();
+    for (const planned of plannedIntents) {
+        for (const step of planned.stepSummaries) {
+            const normalizedTarget = normalizeTargetFile(step.targetFile);
+            const bucket = byTarget.get(normalizedTarget) ?? [];
+            bucket.push({ operation: step.operation, raw: planned.raw });
+            byTarget.set(normalizedTarget, bucket);
+        }
+    }
+    const conflicts = [];
+    for (const [targetFile, writes] of byTarget.entries()) {
+        if (writes.length <= 1) {
+            continue;
+        }
+        const operations = Array.from(new Set(writes.map((write) => write.operation))).sort();
+        const intents = Array.from(new Set(writes.map((write) => write.raw)));
+        const hasDelete = operations.includes('delete');
+        const hasCreate = operations.includes('create');
+        const mixedOperations = operations.length > 1;
+        if (hasDelete && operations.some((operation) => operation !== 'delete')) {
+            conflicts.push({
+                targetFile,
+                operations,
+                intents,
+                reason: 'delete overlaps with non-delete operations on the same target',
+            });
+            continue;
+        }
+        if (hasCreate && writes.length > 1) {
+            conflicts.push({
+                targetFile,
+                operations,
+                intents,
+                reason: 'multiple steps attempt to create the same target',
+            });
+            continue;
+        }
+        if (mixedOperations) {
+            conflicts.push({
+                targetFile,
+                operations,
+                intents,
+                reason: 'mixed operations target the same file',
+            });
+            continue;
+        }
+        if (operations[0] === 'append' || operations[0] === 'update') {
+            conflicts.push({
+                targetFile,
+                operations,
+                intents,
+                reason: 'multiple write operations target the same file',
+            });
+        }
+    }
+    return conflicts;
+}
+/**
+ * Render one diagnostic line in a stable format.
+ *
+ * @param result - Single diagnostic result row.
+ * @returns Formatted diagnostic line.
+ */
+function formatCheck(result) {
+    return `[${result.status.toUpperCase()}][${result.severity.toUpperCase()}] ${result.name}: ${result.detail}`;
+}
+/**
+ * Security baseline checks: secret hygiene, env documentation, command boundary.
+ *
+ * All checks are non-blocking (warn/pass) unless a plaintext secret pattern is
+ * found directly in a committed env file, which is a critical failure.
+ */
+function appendSecurityBaselineChecks(projectRoot, config, checks) {
+    // --- .env.example presence ---
+    const envExamplePath = path.join(projectRoot, '.env.example');
+    checks.push(fs.existsSync(envExamplePath)
+        ? {
+            name: 'security/env-example',
+            status: 'pass',
+            severity: 'info',
+            detail: '.env.example present — secret surface is documented',
+        }
+        : {
+            name: 'security/env-example',
+            status: 'warn',
+            severity: 'warning',
+            detail: '.env.example not found — secret surface is undocumented',
+            suggestion: 'Create .env.example with all required env var names (values redacted) so collaborators know what secrets to provision.',
+        });
+    // --- .env plaintext secret scan ---
+    const envPath = path.join(projectRoot, '.env');
+    if (fs.existsSync(envPath)) {
+        const envContent = fs.readFileSync(envPath, 'utf8');
+        // Heuristic: lines where the value looks like a real secret (long, non-placeholder, non-empty).
+        const PLACEHOLDER_RE = /^(your[-_]|<|YOUR_|REPLACE|todo|placeholder|xxx|changeme)/i;
+        const SECRET_KEY_RE = /(?:secret|token|password|key|private|api[-_]?key|auth)/i;
+        const suspiciousLines = [];
+        envContent.split(/\r?\n/).forEach((line, idx) => {
+            const match = /^([A-Z_][A-Z0-9_]*)=(.+)$/i.exec(line.trim());
+            if (!match)
+                return;
+            const keyName = match[1];
+            const value = match[2];
+            if (keyName && value && SECRET_KEY_RE.test(keyName) && value.length >= 16 && !PLACEHOLDER_RE.test(value)) {
+                suspiciousLines.push(idx + 1);
+            }
+        });
+        checks.push(suspiciousLines.length === 0
+            ? {
+                name: 'security/env-secret-scan',
+                status: 'pass',
+                severity: 'info',
+                detail: '.env present — no obvious plaintext secrets detected',
+            }
+            : {
+                name: 'security/env-secret-scan',
+                status: 'fail',
+                severity: 'critical',
+                detail: `.env may contain plaintext secrets on line(s): ${suspiciousLines.join(', ')}. Ensure .env is gitignored.`,
+                suggestion: 'Add .env to .gitignore immediately. Rotate any exposed credentials. Use .env.example for documentation.',
+            });
+    }
+    else {
+        checks.push({
+            name: 'security/env-secret-scan',
+            status: 'pass',
+            severity: 'info',
+            detail: 'no .env file at project root — nothing to scan',
+        });
+    }
+    // --- .env in .gitignore ---
+    const gitignorePath = path.join(projectRoot, '.gitignore');
+    if (fs.existsSync(gitignorePath)) {
+        const gitignoreContent = fs.readFileSync(gitignorePath, 'utf8');
+        const envIgnored = gitignoreContent.split(/\r?\n/).some((line) => {
+            const trimmed = line.trim();
+            return trimmed === '.env' || trimmed === '*.env' || trimmed === '.env*';
+        });
+        checks.push(envIgnored
+            ? {
+                name: 'security/env-gitignored',
+                status: 'pass',
+                severity: 'info',
+                detail: '.env is gitignored',
+            }
+            : {
+                name: 'security/env-gitignored',
+                status: 'warn',
+                severity: 'critical',
+                detail: '.env is NOT listed in .gitignore — secrets may be committed',
+                suggestion: 'Add ".env" to .gitignore immediately.',
+            });
+    }
+    // --- commandAllowlist configured when runtime is enabled ---
+    const runtimeEnabled = config.runtime?.enabled !== false;
+    const hasAllowlist = (config.runtime?.policy?.commandAllowlist ?? []).length > 0;
+    if (runtimeEnabled && !hasAllowlist) {
+        checks.push({
+            name: 'security/command-allowlist',
+            status: 'warn',
+            severity: 'warning',
+            detail: 'No commandAllowlist configured — all commands are permitted in runtime profiles',
+            suggestion: 'Set runtime.policy.commandAllowlist in pkg/lumis.config.ts to restrict which commands the lumis runtime may execute. ' +
+                'Example: ["pnpm *", "node *"]. Use mode: "strict" to block unlisted commands.',
+        });
+    }
+    else if (runtimeEnabled) {
+        checks.push({
+            name: 'security/command-allowlist',
+            status: 'pass',
+            severity: 'info',
+            detail: `commandAllowlist configured with ${config.runtime?.policy?.commandAllowlist?.length} entry(s)`,
+        });
+    }
+}
+/**
+ * Supply-chain policy checks: license allowlist compliance and cached audit result.
+ *
+ * License check: scans direct dependencies from package.json against
+ * node_modules/<pkg>/package.json license fields and the configured allowedLicenses list.
+ *
+ * Audit check: reads a cached .lumis/audit.json produced by `pnpm audit --json`
+ * or `npm audit --json`. When absent, emits an advisory suggesting the file be generated.
+ */
+function appendSupplyChainChecks(projectRoot, config, checks) {
+    const pkgPath = path.join(projectRoot, 'package.json');
+    if (!fs.existsSync(pkgPath)) {
+        return;
+    }
+    let pkg;
+    try {
+        pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+    }
+    catch {
+        checks.push({
+            name: 'supply-chain/package-json',
+            status: 'warn',
+            severity: 'warning',
+            detail: 'package.json could not be parsed — supply-chain checks skipped',
+        });
+        return;
+    }
+    // --- License allowlist check ---
+    const allowedLicenses = config.supply?.allowedLicenses;
+    if (allowedLicenses && allowedLicenses.length > 0) {
+        const directDeps = Object.keys({
+            ...pkg.dependencies,
+            ...pkg.devDependencies,
+        });
+        const violations = [];
+        for (const depName of directDeps) {
+            const depPkgPath = path.join(projectRoot, 'node_modules', depName, 'package.json');
+            if (!fs.existsSync(depPkgPath))
+                continue;
+            try {
+                const depPkg = JSON.parse(fs.readFileSync(depPkgPath, 'utf8'));
+                const license = typeof depPkg.license === 'string' ? depPkg.license : undefined;
+                if (license && !allowedLicenses.includes(license)) {
+                    violations.push(`${depName} (${license})`);
+                }
+            }
+            catch {
+                // skip unreadable dep packages
+            }
+        }
+        checks.push(violations.length === 0
+            ? {
+                name: 'supply-chain/license-allowlist',
+                status: 'pass',
+                severity: 'info',
+                detail: `all direct dependencies use permitted licenses (${allowedLicenses.join(', ')})`,
+            }
+            : {
+                name: 'supply-chain/license-allowlist',
+                status: 'fail',
+                severity: 'critical',
+                detail: `${violations.length} dependency(s) use disallowed licenses: ${violations.slice(0, 5).join('; ')}${violations.length > 5 ? ` …and ${violations.length - 5} more` : ''}`,
+                suggestion: `Add missing licenses to supply.allowedLicenses in pkg/lumis.config.ts, ` +
+                    `or replace the offending dependencies with licensed-compatible alternatives.`,
+            });
+    }
+    else {
+        checks.push({
+            name: 'supply-chain/license-allowlist',
+            status: 'warn',
+            severity: 'warning',
+            detail: 'No supply.allowedLicenses configured — license compliance is unchecked',
+            suggestion: 'Set supply.allowedLicenses in pkg/lumis.config.ts (e.g. ["MIT","ISC","Apache-2.0"]) to enforce license policy for direct dependencies.',
+        });
+    }
+    // --- Cached audit result check ---
+    const auditCachePath = path.join(projectRoot, '.lumis', 'audit.json');
+    if (!fs.existsSync(auditCachePath)) {
+        checks.push({
+            name: 'supply-chain/audit-cache',
+            status: 'warn',
+            severity: 'warning',
+            detail: 'No cached audit result found at .lumis/audit.json',
+            suggestion: 'Run `pnpm audit --json > .lumis/audit.json` (or `npm audit --json > .lumis/audit.json`) ' +
+                'and commit .lumis/audit.json to surface vulnerability counts in `lumis doctor`.',
+        });
+        return;
+    }
+    let auditResult;
+    try {
+        auditResult = JSON.parse(fs.readFileSync(auditCachePath, 'utf8'));
+    }
+    catch {
+        checks.push({
+            name: 'supply-chain/audit-cache',
+            status: 'warn',
+            severity: 'warning',
+            detail: '.lumis/audit.json could not be parsed — regenerate with `pnpm audit --json`',
+        });
+        return;
+    }
+    const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];
+    const failOnSeverity = config.supply?.failOnSeverity ?? 'critical';
+    const maxVulnerabilities = config.supply?.maxVulnerabilities ?? 0;
+    const failSeverityIndex = SEVERITY_ORDER.indexOf(failOnSeverity);
+    const vulnMap = auditResult.metadata?.vulnerabilities ??
+        auditResult.vulnerabilities ??
+        {};
+    const totalAtOrAbove = SEVERITY_ORDER.slice(failSeverityIndex).reduce((sum, sev) => sum + (vulnMap[sev] ?? 0), 0);
+    checks.push(totalAtOrAbove <= maxVulnerabilities
+        ? {
+            name: 'supply-chain/audit-cache',
+            status: 'pass',
+            severity: 'info',
+            detail: `audit cache: ${totalAtOrAbove} vulnerability(s) at or above "${failOnSeverity}" (threshold: ${maxVulnerabilities})`,
+        }
+        : {
+            name: 'supply-chain/audit-cache',
+            status: 'fail',
+            severity: 'critical',
+            detail: `audit cache: ${totalAtOrAbove} vulnerability(s) at or above "${failOnSeverity}" ` +
+                `exceed threshold of ${maxVulnerabilities}`,
+            suggestion: 'Run `pnpm audit --fix` or update offending packages. ' +
+                'Adjust supply.maxVulnerabilities or supply.failOnSeverity in pkg/lumis.config.ts if needed.',
+        });
+}
+const ROOT_TOOL_CONFIG_PATTERNS = [
+    { pattern: /^drizzle\.config\.(ts|js|mjs|cjs)$/, canonical: 'pkg/drizzle.config.ts', checkName: 'drizzle-config-root' },
+    { pattern: /^vitest\.config\.(ts|js|mjs|cjs)$/, canonical: 'pkg/vitest.config.ts', checkName: 'vitest-config-root' },
+    { pattern: /^prettier\.config\.(ts|js|cjs|mjs)$/, canonical: 'pkg/prettier.config.ts', checkName: 'prettier-config-root' },
+    { pattern: /^eslint\.config\.(ts|js|mjs|cjs)$/, canonical: 'pkg/eslint.config.ts', checkName: 'eslint-config-root' },
+    { pattern: /^\.eslintrc(\.(json|js|cjs|yaml|yml))?$/, canonical: 'pkg/eslint.config.ts', checkName: 'eslintrc-root' },
+    { pattern: /^tailwind\.config\.(ts|js|mjs|cjs)$/, canonical: 'pkg/tailwind.config.ts', checkName: 'tailwind-config-root' },
+    { pattern: /^lumis\.config\.(ts|json)$/, canonical: 'pkg/lumis.config.ts', checkName: 'lumis-config-root' },
+];
+/**
+ * Warn when legacy root-level tool configs exist without a pkg/ canonical counterpart.
+ */
+function appendConfigHygieneChecks(projectRoot, checks) {
+    let entries = [];
+    try {
+        entries = fs.readdirSync(projectRoot);
+    }
+    catch {
+        return;
+    }
+    for (const { pattern, canonical, checkName } of ROOT_TOOL_CONFIG_PATTERNS) {
+        const matches = entries.filter((name) => pattern.test(name));
+        if (matches.length === 0)
+            continue;
+        const canonicalPath = path.join(projectRoot, canonical);
+        if (fs.existsSync(canonicalPath)) {
+            checks.push({
+                name: checkName,
+                status: 'warn',
+                severity: 'warning',
+                detail: `legacy root config ${matches.join(', ')} — canonical ${canonical} also exists`,
+                suggestion: `Remove root ${matches[0]} once you confirm ${canonical} is wired via lumis.`,
+            });
+            continue;
+        }
+        checks.push({
+            name: checkName,
+            status: 'warn',
+            severity: 'warning',
+            detail: `root-level ${matches.join(', ')} detected`,
+            suggestion: `Move tool config to ${canonical} (flat pkg/ layout). Lumis proxies tools from pkg/.`,
+        });
+    }
+}
+/**
+ * Non-blocking Vercel deploy hygiene checks when vercel.json is present at project root.
+ */
+function appendVercelDeploymentChecks(projectRoot, checks) {
+    const vercelPath = path.join(projectRoot, 'vercel.json');
+    if (!fs.existsSync(vercelPath)) {
+        checks.push({
+            name: 'vercel-config',
+            status: 'pass',
+            severity: 'info',
+            detail: 'no vercel.json in project root',
+        });
+        return;
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(fs.readFileSync(vercelPath, 'utf8'));
+    }
+    catch {
+        checks.push({
+            name: 'vercel-config',
+            status: 'warn',
+            severity: 'warning',
+            detail: 'vercel.json exists but is not valid JSON',
+            suggestion: 'Fix JSON syntax in vercel.json.',
+        });
+        return;
+    }
+    if (!parsed || typeof parsed !== 'object') {
+        checks.push({
+            name: 'vercel-config',
+            status: 'warn',
+            severity: 'warning',
+            detail: 'vercel.json is not a JSON object',
+        });
+        return;
+    }
+    const cfg = parsed;
+    const routes = cfg.routes;
+    const usesFilesystemHandle = Array.isArray(routes) &&
+        routes.some((entry) => {
+            if (!entry || typeof entry !== 'object') {
+                return false;
+            }
+            return entry.handle === 'filesystem';
+        });
+    const rewrites = cfg.rewrites;
+    const hasRewrites = Array.isArray(rewrites) && rewrites.length > 0;
+    if (usesFilesystemHandle) {
+        checks.push({
+            name: 'vercel-routing',
+            status: 'warn',
+            severity: 'warning',
+            detail: 'vercel.json uses deprecated routes with handle: filesystem; prefer rewrites for current Vercel routing',
+            suggestion: 'Replace routes with rewrites so static files resolve first and dynamic traffic hits api/index.',
+        });
+    }
+    else if (hasRewrites) {
+        checks.push({
+            name: 'vercel-routing',
+            status: 'pass',
+            severity: 'info',
+            detail: 'vercel.json uses rewrites for catch-all routing',
+        });
+    }
+    else {
+        checks.push({
+            name: 'vercel-routing',
+            status: 'pass',
+            severity: 'info',
+            detail: 'vercel.json has no rewrites array (fine when not using a serverless catch-all)',
+        });
+    }
+    const installCommand = typeof cfg.installCommand === 'string' && cfg.installCommand.trim().length > 0
+        ? cfg.installCommand.trim()
+        : '';
+    checks.push(installCommand
+        ? {
+            name: 'vercel-install-command',
+            status: 'pass',
+            severity: 'info',
+            detail: `installCommand is set (${installCommand})`,
+        }
+        : {
+            name: 'vercel-install-command',
+            status: 'warn',
+            severity: 'warning',
+            detail: 'vercel.json has no installCommand; Vercel may default to npm install',
+            suggestion: 'Set installCommand to pnpm install --frozen-lockfile when using pnpm.',
+        });
+    const pkgPath = path.join(projectRoot, 'package.json');
+    let packageManager = '';
+    if (fs.existsSync(pkgPath)) {
+        try {
+            const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+            packageManager = typeof pkg.packageManager === 'string' ? pkg.packageManager : '';
+        }
+        catch {
+            // ignore malformed package.json here; other tooling will surface it
+        }
+    }
+    checks.push(packageManager
+        ? {
+            name: 'package-manager-field',
+            status: 'pass',
+            severity: 'info',
+            detail: `package.json declares packageManager=${packageManager}`,
+        }
+        : {
+            name: 'package-manager-field',
+            status: 'warn',
+            severity: 'warning',
+            detail: 'package.json has no packageManager field; Vercel may pick a different pnpm than local',
+            suggestion: 'Add "packageManager": "pnpm@x.y.z" to package.json to pin pnpm via Corepack.',
+        });
+    const apiBundle = path.join(projectRoot, 'api', 'index.js');
+    checks.push(fs.existsSync(apiBundle)
+        ? {
+            name: 'vercel-api-bundle',
+            status: 'pass',
+            severity: 'info',
+            detail: 'api/index.js exists (Vercel serverless entry present)',
+        }
+        : {
+            name: 'vercel-api-bundle',
+            status: 'pass',
+            severity: 'info',
+            detail: 'api/index.js not found yet; run pnpm run build:vercel before deploy to confirm output',
+        });
+}
+/**
+ * Run diagnostic checks for host readiness and print a summary.
+ *
+ * @param context - Shared command runtime context.
+ * @returns Exit code 0 when no failing checks exist, otherwise 1.
+ */
+export async function executeDoctorCommand(context) {
+    const options = parseDoctorOptions(context.commandArgs, context.projectRoot);
+    const isCI = process.env.CI === 'true';
+    const checks = [];
+    checks.push({
+        name: 'config',
+        status: 'pass',
+        severity: 'info',
+        detail: context.config.adapter
+            ? `configured adapter preference = ${context.config.adapter}`
+            : 'no configured adapter preference',
+    });
+    const pack = await context.resolvePack();
+    const packFramework = pack?.manifest.frameworks?.[0] ?? 'unknown';
+    checks.push(pack
+        ? {
+            name: 'pack-detection',
+            status: 'pass',
+            severity: 'info',
+            detail: `${pack.manifest.name} (${packFramework})`,
+        }
+        : {
+            name: 'pack-detection',
+            status: 'warn',
+            severity: 'critical',
+            detail: 'no compatible pack detected for this project root (critical in CI)',
+            suggestion: 'Install a supported pack dependency (for example @lumiarq/framework or @lumiarq/pack-nextjs), then run "lumis init" to refresh local config.',
+        });
+    const adapter = await context.resolveAdapter();
+    checks.push(adapter
+        ? {
+            name: 'adapter-resolution',
+            status: 'pass',
+            severity: 'info',
+            detail: adapter.name,
+        }
+        : {
+            name: 'adapter-resolution',
+            status: 'warn',
+            severity: 'critical',
+            detail: 'no adapter resolved (critical in CI)',
+            suggestion: 'Set "adapter" in .lumis/config.json or add a pack fingerprint dependency, then rerun "lumis doctor".',
+        });
+    const commands = await collectNormalizedCommands(context);
+    checks.push({
+        name: 'command-inventory',
+        status: commands.length > 0 ? 'pass' : 'warn',
+        severity: commands.length > 0 ? 'info' : 'warning',
+        detail: `${commands.length} command(s) available from pack/project sources`,
+        ...(commands.length === 0 && {
+            suggestion: 'Define commands in your pack manifest or project command map so Lumis can route intents.',
+        }),
+    });
+    appendConfigHygieneChecks(context.projectRoot, checks);
+    appendVercelDeploymentChecks(context.projectRoot, checks);
+    const ir = loadIR(context.projectRoot);
+    checks.push(ir
+        ? {
+            name: 'ir-state',
+            status: 'pass',
+            severity: 'info',
+            detail: `framework=${ir.framework}, modules=${ir.modules.length}`,
+        }
+        : {
+            name: 'ir-state',
+            status: 'warn',
+            severity: 'warning',
+            detail: 'no persisted IR found (.lumis/ir.json)',
+            suggestion: 'Run "lumis ir rebuild" to create a baseline IR snapshot before generation.',
+        });
+    const runtimeProfilesPath = path.join(context.projectRoot, '.lumis', 'runtime-profiles.json');
+    const runtimePolicy = resolveRuntimePolicy(context.config);
+    checks.push({
+        name: 'runtime-policy',
+        status: 'pass',
+        severity: 'info',
+        detail: `mode=${runtimePolicy.mode}, requireApprovalForRemote=${runtimePolicy.requireApprovalForRemote}, ` +
+            `approvalEnvVar=${runtimePolicy.approvalEnvVar}`,
+    });
+    if (!fs.existsSync(runtimeProfilesPath)) {
+        checks.push({
+            name: 'runtime-profiles',
+            status: 'pass',
+            severity: 'info',
+            detail: 'runtime profile store not found; default local profile will be used',
+        });
+    }
+    else {
+        try {
+            const rawProfiles = fs.readFileSync(runtimeProfilesPath, 'utf8');
+            const parsedProfiles = JSON.parse(rawProfiles);
+            const validation = validateRuntimeProfileStore(parsedProfiles);
+            if (!validation.ok) {
+                checks.push({
+                    name: 'runtime-profiles',
+                    status: 'fail',
+                    severity: 'critical',
+                    detail: `invalid runtime profile store: ${validation.errors.join('; ')}`,
+                    suggestion: 'Fix .lumis/runtime-profiles.json to match schema version 1.0 before running runtime orchestration.',
+                });
+            }
+            else {
+                checks.push({
+                    name: 'runtime-profiles',
+                    status: 'pass',
+                    severity: 'info',
+                    detail: `${validation.value.profiles.length} profile(s) configured`,
+                });
+                const missingDefault = validation.value.defaultProfileId &&
+                    !validation.value.profiles.some((profile) => profile.id === validation.value.defaultProfileId);
+                if (missingDefault) {
+                    checks.push({
+                        name: 'runtime-default-profile',
+                        status: 'fail',
+                        severity: 'critical',
+                        detail: `defaultProfileId=${validation.value.defaultProfileId} does not reference an existing profile`,
+                        suggestion: 'Set defaultProfileId to an existing profile id or remove it to use explicit selection.',
+                    });
+                }
+                else {
+                    checks.push({
+                        name: 'runtime-default-profile',
+                        status: 'pass',
+                        severity: 'info',
+                        detail: validation.value.defaultProfileId
+                            ? `default profile = ${validation.value.defaultProfileId}`
+                            : 'no default profile set',
+                    });
+                }
+                const hasInlineSecrets = validation.value.profiles.some((profile) => hasSensitiveInlineEnv(profile.env));
+                const hasRemoteProfiles = validation.value.profiles.some((profile) => profile.kind !== 'local');
+                if (hasRemoteProfiles && !runtimePolicy.requireApprovalForRemote) {
+                    checks.push({
+                        name: 'runtime-policy-approval',
+                        status: 'warn',
+                        severity: 'critical',
+                        detail: 'remote runtime profiles exist but approval gate is disabled',
+                        suggestion: 'Enable runtime.policy.requireApprovalForRemote or restrict execution to local profile only.',
+                    });
+                }
+                else {
+                    checks.push({
+                        name: 'runtime-policy-approval',
+                        status: 'pass',
+                        severity: 'info',
+                        detail: hasRemoteProfiles
+                            ? 'remote profile approval gate is enabled'
+                            : 'no remote profiles configured',
+                    });
+                }
+                checks.push(hasInlineSecrets
+                    ? {
+                        name: 'runtime-secret-safety',
+                        status: 'warn',
+                        severity: 'critical',
+                        detail: 'runtime profiles contain inline sensitive env values',
+                        suggestion: 'Move sensitive values to environment variables and reference those variables from secure runtime context only.',
+                    }
+                    : {
+                        name: 'runtime-secret-safety',
+                        status: 'pass',
+                        severity: 'info',
+                        detail: 'no inline sensitive env values detected in runtime profiles',
+                    });
+            }
+        }
+        catch (error) {
+            checks.push({
+                name: 'runtime-profiles',
+                status: 'fail',
+                severity: 'critical',
+                detail: `unable to parse runtime profile store: ${error instanceof Error ? error.message : 'unknown error'}`,
+                suggestion: 'Ensure .lumis/runtime-profiles.json is valid JSON.',
+            });
+        }
+    }
+    const runtimeTranscriptsDir = path.join(context.projectRoot, '.lumis', 'transcripts');
+    if (!fs.existsSync(runtimeTranscriptsDir)) {
+        checks.push({
+            name: 'runtime-transcripts-index',
+            status: 'pass',
+            severity: 'info',
+            detail: 'no runtime transcripts recorded yet',
+        });
+        checks.push({
+            name: 'runtime-transcripts-summary',
+            status: 'pass',
+            severity: 'info',
+            detail: 'latest=none, success=0, failed=0, total=0',
+        });
+    }
+    else {
+        const index = loadRuntimeTranscriptIndex(context.projectRoot);
+        const summary = summarizeRuntimeTranscripts(index);
+        const missingFiles = index.entries.filter((entry) => !fs.existsSync(path.join(context.projectRoot, entry.transcriptFile)));
+        checks.push({
+            name: 'runtime-transcripts-index',
+            status: 'pass',
+            severity: 'info',
+            detail: `${index.entries.length} runtime transcript entr${index.entries.length === 1 ? 'y' : 'ies'} indexed`,
+        });
+        checks.push({
+            name: 'runtime-transcripts-summary',
+            status: 'pass',
+            severity: 'info',
+            detail: `latest=${summary.latestEntry ? `${summary.latestEntry.label}:${summary.latestEntry.success ? 'ok' : 'fail'}` : 'none'}, ` +
+                `success=${summary.successful}, failed=${summary.failed}, total=${summary.total}`,
+        });
+        if (missingFiles.length > 0) {
+            checks.push({
+                name: 'runtime-transcripts-integrity',
+                status: 'warn',
+                severity: 'warning',
+                detail: `${missingFiles.length} transcript file(s) referenced by index are missing`,
+                suggestion: 'Prune stale transcript index entries or regenerate index by rerunning runtime tasks.',
+            });
+        }
+        else {
+            checks.push({
+                name: 'runtime-transcripts-integrity',
+                status: 'pass',
+                severity: 'info',
+                detail: 'runtime transcript index matches on-disk transcript files',
+            });
+        }
+    }
+    if (ir && adapter) {
+        try {
+            const rebuilt = await adapter.buildIR(context.projectRoot);
+            const moduleDiff = diffIR(ir, rebuilt);
+            const frameworkChanged = ir.framework !== rebuilt.framework;
+            const versionChanged = ir.irVersion !== rebuilt.irVersion;
+            const hasDrift = frameworkChanged ||
+                versionChanged ||
+                moduleDiff.addedModules.length > 0 ||
+                moduleDiff.removedModules.length > 0 ||
+                moduleDiff.changedModules.length > 0;
+            checks.push(hasDrift
+                ? {
+                    name: 'ir-drift',
+                    status: 'warn',
+                    severity: 'warning',
+                    detail: `persisted IR differs from current project ` +
+                        `(added=${moduleDiff.addedModules.length}, removed=${moduleDiff.removedModules.length}, ` +
+                        `changed=${moduleDiff.changedModules.length}, frameworkChanged=${frameworkChanged}, ` +
+                        `versionChanged=${versionChanged}). Run "lumis ir rebuild".`,
+                    suggestion: 'Review the drift summary, then run "lumis ir rebuild" and commit the updated .lumis/ir.json file.',
+                }
+                : {
+                    name: 'ir-drift',
+                    status: 'pass',
+                    severity: 'info',
+                    detail: 'persisted IR is in sync with current project state',
+                });
+        }
+        catch (error) {
+            checks.push({
+                name: 'ir-drift',
+                status: 'warn',
+                severity: 'warning',
+                detail: `unable to compare persisted IR with project state: ` +
+                    (error instanceof Error ? error.message : 'unknown error'),
+                suggestion: 'Run "lumis ir rebuild" to refresh IR manually, then rerun "lumis doctor".',
+            });
+        }
+    }
+    if (adapter && options.intentTexts.length > 0) {
+        const parsedIntents = options.intentTexts
+            .map((raw) => ({ raw, parsed: parseRawIntent(raw) }));
+        const invalidIntents = parsedIntents.filter((entry) => !entry.parsed).map((entry) => entry.raw);
+        if (invalidIntents.length > 0) {
+            checks.push({
+                name: 'intent-conflicts',
+                status: 'fail',
+                severity: 'critical',
+                detail: `invalid intent input(s): ${invalidIntents.join(' | ')}`,
+                suggestion: 'Use fully formed intents (for example "create action LoginAction in Auth") or move batch intents to --intent-file.',
+            });
+        }
+        else {
+            const baseIR = ir ?? await adapter.buildIR(context.projectRoot);
+            const plannedIntents = [];
+            for (const parsed of parsedIntents) {
+                if (!parsed.parsed) {
+                    continue;
+                }
+                const plan = await createPlanWithAdapter(parsed.parsed, baseIR, adapter);
+                plannedIntents.push({
+                    raw: parsed.raw,
+                    stepSummaries: plan.steps.map((step) => ({ targetFile: step.targetFile, operation: step.operation })),
+                });
+            }
+            const conflicts = detectIntentConflicts(plannedIntents);
+            if (conflicts.length === 0) {
+                checks.push({
+                    name: 'intent-conflicts',
+                    status: 'pass',
+                    severity: 'info',
+                    detail: `no intent conflicts detected across ${plannedIntents.length} intent(s)`,
+                });
+            }
+            else {
+                const strictMode = options.strictIntentConflicts || isCI;
+                const severity = strictMode ? 'fail' : 'warn';
+                const preview = conflicts
+                    .slice(0, 3)
+                    .map((conflict) => `${conflict.targetFile} [${conflict.operations.join(',')}]`)
+                    .join('; ');
+                checks.push({
+                    name: 'intent-conflicts',
+                    status: severity,
+                    severity: strictMode ? 'critical' : 'warning',
+                    detail: `${conflicts.length} conflict(s) detected. ` +
+                        `${strictMode ? `failing (${isCI ? 'CI mode' : 'strict mode'}).` : 'run with --strict-intent-conflicts to fail locally; CI fails critical conflicts by default.'} ` +
+                        `Examples: ${preview}`,
+                    suggestion: 'Split or reorder overlapping intents so each target file has one deterministic write path. ' +
+                        'Run "lumis make --dry-run <intent>" on each intent individually to preview its plan, then rerun "lumis doctor --intent <intent1> --intent <intent2>" to confirm conflicts are resolved.',
+                });
+            }
+        }
+    }
+    appendSecurityBaselineChecks(context.projectRoot, context.config, checks);
+    appendSupplyChainChecks(context.projectRoot, context.config, checks);
+    context.write('Lumis doctor report:\n');
+    for (const check of checks) {
+        context.write(`${formatCheck(check)}\n`);
+        if (check.status !== 'pass' && check.suggestion) {
+            context.write(`  -> Suggestion: ${check.suggestion}\n`);
+        }
+    }
+    const failedChecks = checks.filter((check) => check.status === 'fail').length;
+    const issueChecks = checks.filter((check) => check.status !== 'pass');
+    const criticalChecks = issueChecks.filter((check) => check.severity === 'critical').length;
+    const warningChecks = issueChecks.filter((check) => check.severity === 'warning').length;
+    const infoChecks = issueChecks.filter((check) => check.severity === 'info').length;
+    const ciFailures = isCI ? criticalChecks : 0;
+    context.write(`Summary: ${checks.length} checks, ${criticalChecks} critical, ${warningChecks} warning, ` +
+        `${infoChecks} info issue(s), ${failedChecks} hard failure(s)\n`);
+    return failedChecks > 0 || ciFailures > 0 ? 1 : 0;
+}
+//# sourceMappingURL=doctor.command.js.map