@spacebar_ai/moldclaw-core 2026.3.43 → 2026.3.44

package/dist/prompt-select-styled-DH0pVoc0.js

@@ -0,0 +1,2673 @@
+import { o as getResolvedLoggerSettings } from "./logger-BFfIIIKH.js";
+import { _ as resolveStateDir, d as resolveIsNixMode, h as resolveOAuthDir, t as CONFIG_PATH, u as resolveGatewayPort, x as resolveRequiredHomeDir } from "./paths-D6AgsMTU.js";
+import { n as defaultRuntime } from "./runtime-_tQz41uA.js";
+import { t as isTruthyEnvValue$1 } from "./env-D42cffog.js";
+import { C as sleep, S as shortenHomePath, y as resolveUserPath } from "./utils-C7ykRPCQ.js";
+import { h as isWSLEnv, p as isWSL } from "./setup-binary-CcAv8NXz.js";
+import { $a as DEFAULT_OAUTH_WARN_MS, AE as updateAuthProfileStoreWithLock, Ad as resolveDmAllowState, Fn as loadmoldClawPlugins, LC as loadCronStore, Pn as resolvePluginProviders, RC as resolveCronStorePath, T as listChannelPlugins, Vb as loadModelCatalog, Xc as analyzeBootstrapBudget, Zc as buildBootstrapInjectionStats, ch as hasConfiguredMemorySecretInput, d as resolveProfileUnusableUntilForDisplay, eo as buildAuthHealthSummary, fE as resolveBootstrapMaxChars, hE as repairOAuthProfileIdMismatch, km as noteOpenAIOAuthTlsPrerequisites, mE as resolveApiKeyForProfile, mf as resolveBootstrapContextForRun, pE as resolveBootstrapTotalMaxChars, rC as loadSessionStore, sx as resolveApiKeyForProvider, to as formatRemainingShort, wE as ensureAuthProfileStore, y as resolveAgentSessionDirs, zC as saveCronStore } from "./auth-profiles-smABVXzp.js";
+import { O as DEFAULT_MODEL, g as resolveHooksGmailModel, i as getModelRefStatus, k as DEFAULT_PROVIDER, m as resolveConfiguredModelRef } from "./model-selection-bBBxfXdb.js";
+import { a as resolveAgentDir, m as resolveDefaultAgentId, p as resolveAgentWorkspaceDir } from "./agent-scope-lZlwP1At.js";
+import { S as parseAgentSessionKey } from "./session-key-UoG7Kfw5.js";
+import { n as runCommandWithTimeout, r as runExec } from "./exec-CvEtXqTZ.js";
+import { t as resolvemoldClawPackageRoot } from "./moldclaw-root-Cb6HRlUO.js";
+import { t as DEFAULT_AGENTS_FILENAME } from "./workspace-DJ_S272u.js";
+import { f as readConfigFileSnapshot, y as writeConfigFile } from "./io-BaBxjB1v.js";
+import { a as hasConfiguredSecretInput, d as resolveSecretInputRef } from "./types.secrets-Ca-9L8vU.js";
+import { P as cleanStaleLockFiles, at as DEFAULT_SANDBOX_IMAGE, rt as DEFAULT_SANDBOX_BROWSER_IMAGE, z as resolveSandboxScope } from "./workspace-dirs-CGeIPpGN.js";
+import { m as resolveGatewayAuth } from "./config-BwkGZjD5.js";
+import { t as formatCliCommand } from "./command-format-C_z0Ru-7.js";
+import { r as isLoopbackHost, u as resolveGatewayBindHost } from "./net-K181nxTH.js";
+import { d as readGatewayTokenEnv } from "./credentials-D-5Pb-aZ.js";
+import { C as parseBrowserMajorVersion, T as resolveGoogleChromeExecutableForPlatform, at as resolveConfiguredSecretInputWithFallback, ct as hasAmbiguousGatewayAuthModeConfig, w as readBrowserVersion } from "./routes-CcJNnwTF.js";
+import { a as inspectPortUsage, c as formatPortDiagnostics } from "./ports-Ca74cFb2.js";
+import { n as isPrimarySessionTranscriptFileName, t as formatSessionArchiveTimestamp } from "./artifacts-CeyjTq21.js";
+import { f as resolveMainSessionKey } from "./lazy-runtime-BoGB4usD.js";
+import { c as resolveSessionTranscriptsDirForAgent, i as resolveSessionFilePathOptions, l as resolveStorePath, r as resolveSessionFilePath } from "./paths-ApLcu1Uu.js";
+import { n as callGateway, t as buildGatewayConnectionDetails } from "./call-gdDAt07d.js";
+import { t as resolveMemorySearchConfig } from "./memory-search-tTD5o_rU.js";
+import { r as resolveMemoryBackendConfig } from "./search-manager-BS5Db0A6.js";
+import { n as logConfigUpdated } from "./logging-CdisccbY.js";
+import { i as stylePromptTitle, n as stylePromptHint, r as stylePromptMessage, t as note$1 } from "./note-dOl5kPAy.js";
+import { f as resolveGatewaySystemdServiceName, h as resolveNodeLaunchAgentLabel, l as resolveGatewayLaunchAgentLabel, p as resolveGatewayWindowsTaskName } from "./constants-BHwb0DmS.js";
+import { a as resolveSystemNodeInfo, r as renderSystemNodeWarning } from "./runtime-paths-BfFqPvDh.js";
+import { n as buildGatewayInstallPlan, r as gatewayInstallErrorHint, t as resolveGatewayInstallToken } from "./gateway-install-token-1PwJvrBY.js";
+import { n as GATEWAY_DAEMON_RUNTIME_OPTIONS, t as DEFAULT_GATEWAY_DAEMON_RUNTIME } from "./daemon-runtime-BR9EstPe.js";
+import { f as printWizardHeader, m as randomToken, n as applyWizardMetadata, s as guardCancel } from "./onboard-helpers-DiSRTpZC.js";
+import { i as launchAgentPlistExists, n as isLaunchAgentListed, r as isLaunchAgentLoaded, s as repairLaunchAgentBootstrap } from "./launchd-DTK8FAln.js";
+import { n as resolveGatewayService, t as describeGatewayServiceRestart } from "./service-D-iBQb7Y.js";
+import { i as isSystemdUserServiceAvailable, u as uninstallLegacySystemdUnits } from "./systemd-C3JL-Eyf.js";
+import { c as buildPlatformRuntimeLogHints, i as auditGatewayServiceConfig, n as renderSystemdUnavailableHints, o as needsNodeRuntimeMigration, r as SERVICE_AUDIT_CODES, s as readEmbeddedGatewayToken, t as isSystemdUnavailableDetail, u as formatRuntimeStatus } from "./systemd-hints-DabP9g6b.js";
+import { t as readLastGatewayErrorLine } from "./diagnostics-BKzgYuW7.js";
+import { n as renderGatewayServiceCleanupHints, t as findExtraGatewayServices } from "./inspect-kDEu5Qgf.js";
+import { t as buildWorkspaceSkillStatus } from "./skills-status-CzM008aB.js";
+import { r as healthCommand } from "./health-C9DYGyRe.js";
+import { i as resolveControlUiDistIndexPathForRoot, r as resolveControlUiDistIndexHealth } from "./control-ui-assets-C1YDYi82.js";
+import { p as normalizeStoredCronJobs, t as runGatewayUpdate } from "./update-runner-GbKfoCHs.js";
+import { t as collectChannelStatusIssues } from "./channels-status-issues-CzIHODg2.js";
+import { n as resolveProviderAuthLoginCommand, t as buildProviderAuthRecoveryHint } from "./provider-auth-guidance-BaAUiNr_.js";
+import { t as ensureSystemdUserLingerInteractive } from "./systemd-linger-C6Aja8xE.js";
+import { t as formatHealthCheckFailure } from "./health-format-BN81wqbV.js";
+import { n as doctorShellCompletion } from "./doctor-completion-D3GeVcFP.js";
+import { a as runLegacyStateMigrations, i as detectLegacyStateMigrations, r as loadAndMaybeMigrateDoctorConfig } from "./doctor-config-flow-BUe7JpV3.js";
+import { t as resolveDefaultChannelAccountContext } from "./channel-account-context-Bjur9nlh.js";
+import fs from "node:fs";
+import path from "node:path";
+import { execFile } from "node:child_process";
+import os from "node:os";
+import { promisify } from "node:util";
+import fs$1 from "node:fs/promises";
+import { confirm, intro, outro, select } from "@clack/prompts";
+//#region src/commands/doctor-auth.ts
+async function maybeRepairAnthropicOAuthProfileId(cfg, prompter) {
+	const repair = repairOAuthProfileIdMismatch({
+		cfg,
+		store: ensureAuthProfileStore(),
+		provider: "anthropic",
+		legacyProfileId: "anthropic:default"
+	});
+	if (!repair.migrated || repair.changes.length === 0) return cfg;
+	note$1(repair.changes.map((c) => `- ${c}`).join("\n"), "Auth profiles");
+	if (!await prompter.confirm({
+		message: "Update Anthropic OAuth profile id in config now?",
+		initialValue: true
+	})) return cfg;
+	return repair.config;
+}
+function pruneAuthOrder(order, profileIds) {
+	if (!order) return {
+		next: order,
+		changed: false
+	};
+	let changed = false;
+	const next = {};
+	for (const [provider, list] of Object.entries(order)) {
+		const filtered = list.filter((id) => !profileIds.has(id));
+		if (filtered.length !== list.length) changed = true;
+		if (filtered.length > 0) next[provider] = filtered;
+	}
+	return {
+		next: Object.keys(next).length > 0 ? next : void 0,
+		changed
+	};
+}
+function pruneAuthProfiles(cfg, profileIds) {
+	const profiles = cfg.auth?.profiles;
+	const order = cfg.auth?.order;
+	const nextProfiles = profiles ? { ...profiles } : void 0;
+	let changed = false;
+	if (nextProfiles) {
+		for (const id of profileIds) if (id in nextProfiles) {
+			delete nextProfiles[id];
+			changed = true;
+		}
+	}
+	const prunedOrder = pruneAuthOrder(order, profileIds);
+	if (prunedOrder.changed) changed = true;
+	if (!changed) return {
+		next: cfg,
+		changed: false
+	};
+	const nextAuth = nextProfiles || prunedOrder.next ? {
+		...cfg.auth,
+		profiles: nextProfiles && Object.keys(nextProfiles).length > 0 ? nextProfiles : void 0,
+		order: prunedOrder.next
+	} : void 0;
+	return {
+		next: {
+			...cfg,
+			auth: nextAuth
+		},
+		changed: true
+	};
+}
+async function maybeRemoveDeprecatedCliAuthProfiles(cfg, prompter) {
+	const store = ensureAuthProfileStore(void 0, { allowKeychainPrompt: false });
+	const deprecatedEntries = resolvePluginProviders({
+		config: cfg,
+		env: process.env,
+		bundledProviderAllowlistCompat: true,
+		bundledProviderVitestCompat: true
+	}).flatMap((provider) => (provider.deprecatedProfileIds ?? []).filter((profileId) => store.profiles[profileId] || cfg.auth?.profiles?.[profileId]).map((profileId) => ({
+		profileId,
+		providerId: provider.id,
+		providerLabel: provider.label
+	})));
+	const deprecated = new Set(deprecatedEntries.map((entry) => entry.profileId));
+	if (deprecated.size === 0) return cfg;
+	const lines = ["Deprecated external CLI auth profiles detected (no longer supported):"];
+	for (const entry of deprecatedEntries) {
+		const authCommand = resolveProviderAuthLoginCommand({
+			provider: entry.providerId,
+			config: cfg,
+			env: process.env
+		}) ?? formatCliCommand("moldclaw configure");
+		lines.push(`- ${entry.profileId} (${entry.providerLabel}): use ${authCommand}`);
+	}
+	note$1(lines.join("\n"), "Auth profiles");
+	if (!await prompter.confirmRepair({
+		message: "Remove deprecated CLI auth profiles now?",
+		initialValue: true
+	})) return cfg;
+	await updateAuthProfileStoreWithLock({ updater: (nextStore) => {
+		let mutated = false;
+		for (const id of deprecated) {
+			if (nextStore.profiles[id]) {
+				delete nextStore.profiles[id];
+				mutated = true;
+			}
+			if (nextStore.usageStats?.[id]) {
+				delete nextStore.usageStats[id];
+				mutated = true;
+			}
+		}
+		if (nextStore.order) for (const [provider, list] of Object.entries(nextStore.order)) {
+			const filtered = list.filter((id) => !deprecated.has(id));
+			if (filtered.length !== list.length) {
+				mutated = true;
+				if (filtered.length > 0) nextStore.order[provider] = filtered;
+				else delete nextStore.order[provider];
+			}
+		}
+		if (nextStore.lastGood) {
+			for (const [provider, profileId] of Object.entries(nextStore.lastGood)) if (deprecated.has(profileId)) {
+				delete nextStore.lastGood[provider];
+				mutated = true;
+			}
+		}
+		return mutated;
+	} });
+	const pruned = pruneAuthProfiles(cfg, deprecated);
+	if (pruned.changed) note$1(Array.from(deprecated.values()).map((id) => `- removed ${id} from config`).join("\n"), "Doctor changes");
+	return pruned.next;
+}
+function resolveUnusableProfileHint(params) {
+	if (params.kind === "disabled") {
+		if (params.reason === "billing") return "Top up credits (provider billing) or switch provider.";
+		if (params.reason === "auth_permanent" || params.reason === "auth") return "Refresh or replace credentials, then retry.";
+	}
+	return "Wait for cooldown or switch provider.";
+}
+function formatAuthIssueHint(issue) {
+	if (issue.reasonCode === "invalid_expires") return "Invalid token expires metadata. Set a future Unix ms timestamp or remove expires.";
+	if (issue.provider === "anthropic" && issue.profileId === "anthropic:claude-cli") return `Deprecated profile. ${buildProviderAuthRecoveryHint({ provider: "anthropic" })}`;
+	if (issue.provider === "openai-codex" && issue.profileId === "openai-codex:codex-cli") return `Deprecated profile. ${buildProviderAuthRecoveryHint({ provider: "openai-codex" })}`;
+	return buildProviderAuthRecoveryHint({ provider: issue.provider }).replace(/^Run /, "Re-auth via ");
+}
+function formatAuthIssueLine(issue) {
+	const remaining = issue.remainingMs !== void 0 ? ` (${formatRemainingShort(issue.remainingMs)})` : "";
+	const hint = formatAuthIssueHint(issue);
+	const reason = issue.reasonCode ? ` [${issue.reasonCode}]` : "";
+	return `- ${issue.profileId}: ${issue.status}${reason}${remaining}${hint ? ` — ${hint}` : ""}`;
+}
+async function noteAuthProfileHealth(params) {
+	const store = ensureAuthProfileStore(void 0, { allowKeychainPrompt: params.allowKeychainPrompt });
+	const unusable = (() => {
+		const now = Date.now();
+		const out = [];
+		for (const profileId of Object.keys(store.usageStats ?? {})) {
+			const until = resolveProfileUnusableUntilForDisplay(store, profileId);
+			if (!until || now >= until) continue;
+			const stats = store.usageStats?.[profileId];
+			const remaining = formatRemainingShort(until - now);
+			const disabledActive = typeof stats?.disabledUntil === "number" && now < stats.disabledUntil;
+			const kind = disabledActive ? `disabled${stats.disabledReason ? `:${stats.disabledReason}` : ""}` : "cooldown";
+			const hint = resolveUnusableProfileHint({
+				kind: disabledActive ? "disabled" : "cooldown",
+				reason: stats?.disabledReason
+			});
+			out.push(`- ${profileId}: ${kind} (${remaining})${hint ? ` — ${hint}` : ""}`);
+		}
+		return out;
+	})();
+	if (unusable.length > 0) note$1(unusable.join("\n"), "Auth profile cooldowns");
+	let summary = buildAuthHealthSummary({
+		store,
+		cfg: params.cfg,
+		warnAfterMs: DEFAULT_OAUTH_WARN_MS
+	});
+	const findIssues = () => summary.profiles.filter((profile) => (profile.type === "oauth" || profile.type === "token") && (profile.status === "expired" || profile.status === "expiring" || profile.status === "missing"));
+	let issues = findIssues();
+	if (issues.length === 0) return;
+	if (await params.prompter.confirmRepair({
+		message: "Refresh expiring OAuth tokens now? (static tokens need re-auth)",
+		initialValue: true
+	})) {
+		const refreshTargets = issues.filter((issue) => issue.type === "oauth" && [
+			"expired",
+			"expiring",
+			"missing"
+		].includes(issue.status));
+		const errors = [];
+		for (const profile of refreshTargets) try {
+			await resolveApiKeyForProfile({
+				cfg: params.cfg,
+				store,
+				profileId: profile.profileId
+			});
+		} catch (err) {
+			errors.push(`- ${profile.profileId}: ${err instanceof Error ? err.message : String(err)}`);
+		}
+		if (errors.length > 0) note$1(errors.join("\n"), "OAuth refresh errors");
+		summary = buildAuthHealthSummary({
+			store: ensureAuthProfileStore(void 0, { allowKeychainPrompt: false }),
+			cfg: params.cfg,
+			warnAfterMs: DEFAULT_OAUTH_WARN_MS
+		});
+		issues = findIssues();
+	}
+	if (issues.length > 0) note$1(issues.map((issue) => formatAuthIssueLine({
+		profileId: issue.profileId,
+		provider: issue.provider,
+		status: issue.status,
+		reasonCode: issue.reasonCode,
+		remainingMs: issue.remainingMs
+	})).join("\n"), "Model auth");
+}
+//#endregion
+//#region src/commands/doctor-bootstrap-size.ts
+function formatInt(value) {
+	return new Intl.NumberFormat("en-US").format(Math.max(0, Math.floor(value)));
+}
+function formatPercent(numerator, denominator) {
+	if (!Number.isFinite(denominator) || denominator <= 0) return "0%";
+	return `${Math.min(100, Math.max(0, Math.round(numerator / denominator * 100)))}%`;
+}
+function formatCauses(causes) {
+	if (causes.length === 0) return "unknown";
+	return causes.map((cause) => cause === "per-file-limit" ? "max/file" : "max/total").join(", ");
+}
+async function noteBootstrapFileSize(cfg) {
+	const workspaceDir = resolveAgentWorkspaceDir(cfg, resolveDefaultAgentId(cfg));
+	const bootstrapMaxChars = resolveBootstrapMaxChars(cfg);
+	const bootstrapTotalMaxChars = resolveBootstrapTotalMaxChars(cfg);
+	const { bootstrapFiles, contextFiles } = await resolveBootstrapContextForRun({
+		workspaceDir,
+		config: cfg
+	});
+	const analysis = analyzeBootstrapBudget({
+		files: buildBootstrapInjectionStats({
+			bootstrapFiles,
+			injectedFiles: contextFiles
+		}),
+		bootstrapMaxChars,
+		bootstrapTotalMaxChars
+	});
+	if (!analysis.hasTruncation && analysis.nearLimitFiles.length === 0 && !analysis.totalNearLimit) return analysis;
+	const lines = [];
+	if (analysis.hasTruncation) {
+		lines.push("Workspace bootstrap files exceed limits and will be truncated:");
+		for (const file of analysis.truncatedFiles) {
+			const truncatedChars = Math.max(0, file.rawChars - file.injectedChars);
+			lines.push(`- ${file.name}: ${formatInt(file.rawChars)} raw / ${formatInt(file.injectedChars)} injected (${formatPercent(truncatedChars, file.rawChars)} truncated; ${formatCauses(file.causes)})`);
+		}
+	} else lines.push("Workspace bootstrap files are near configured limits:");
+	const nonTruncatedNearLimit = analysis.nearLimitFiles.filter((file) => !file.truncated);
+	if (nonTruncatedNearLimit.length > 0) for (const file of nonTruncatedNearLimit) lines.push(`- ${file.name}: ${formatInt(file.rawChars)} chars (${formatPercent(file.rawChars, bootstrapMaxChars)} of max/file ${formatInt(bootstrapMaxChars)})`);
+	lines.push(`Total bootstrap injected chars: ${formatInt(analysis.totals.injectedChars)} (${formatPercent(analysis.totals.injectedChars, bootstrapTotalMaxChars)} of max/total ${formatInt(bootstrapTotalMaxChars)}).`);
+	lines.push(`Total bootstrap raw chars (before truncation): ${formatInt(analysis.totals.rawChars)}.`);
+	const needsPerFileTip = analysis.truncatedFiles.some((file) => file.causes.includes("per-file-limit")) || analysis.nearLimitFiles.length > 0;
+	const needsTotalTip = analysis.truncatedFiles.some((file) => file.causes.includes("total-limit")) || analysis.totalNearLimit;
+	if (needsPerFileTip || needsTotalTip) lines.push("");
+	if (needsPerFileTip) lines.push("- Tip: tune `agents.defaults.bootstrapMaxChars` for per-file limits.");
+	if (needsTotalTip) lines.push("- Tip: tune `agents.defaults.bootstrapTotalMaxChars` for total-budget limits.");
+	note$1(lines.join("\n"), "Bootstrap file size");
+	return analysis;
+}
+//#endregion
+//#region src/commands/doctor-browser.ts
+const CHROME_MCP_MIN_MAJOR = 144;
+const REMOTE_DEBUGGING_PAGES = [
+	"chrome://inspect/#remote-debugging",
+	"brave://inspect/#remote-debugging",
+	"edge://inspect/#remote-debugging"
+].join(", ");
+function asRecord(value) {
+	return value && typeof value === "object" && !Array.isArray(value) ? value : null;
+}
+function collectChromeMcpProfiles(cfg) {
+	const browser = asRecord(cfg.browser);
+	if (!browser) return [];
+	const profiles = /* @__PURE__ */ new Map();
+	if ((typeof browser.defaultProfile === "string" ? browser.defaultProfile.trim() : "") === "user") profiles.set("user", { name: "user" });
+	const configuredProfiles = asRecord(browser.profiles);
+	if (!configuredProfiles) return [...profiles.values()].toSorted((a, b) => a.name.localeCompare(b.name));
+	for (const [profileName, rawProfile] of Object.entries(configuredProfiles)) {
+		const profile = asRecord(rawProfile);
+		if ((typeof profile?.driver === "string" ? profile.driver.trim() : "") === "existing-session") {
+			const userDataDir = typeof profile?.userDataDir === "string" ? profile.userDataDir.trim() : void 0;
+			profiles.set(profileName, {
+				name: profileName,
+				userDataDir: userDataDir || void 0
+			});
+		}
+	}
+	return [...profiles.values()].toSorted((a, b) => a.name.localeCompare(b.name));
+}
+async function noteChromeMcpBrowserReadiness(cfg, deps) {
+	const profiles = collectChromeMcpProfiles(cfg);
+	if (profiles.length === 0) return;
+	const noteFn = deps?.noteFn ?? note$1;
+	const platform = deps?.platform ?? process.platform;
+	const resolveChromeExecutable = deps?.resolveChromeExecutable ?? resolveGoogleChromeExecutableForPlatform;
+	const readVersion = deps?.readVersion ?? readBrowserVersion;
+	const explicitProfiles = profiles.filter((profile) => profile.userDataDir);
+	const autoConnectProfiles = profiles.filter((profile) => !profile.userDataDir);
+	const profileLabel = profiles.map((profile) => profile.name).join(", ");
+	if (autoConnectProfiles.length === 0) {
+		noteFn([
+			`- Chrome MCP existing-session is configured for profile(s): ${profileLabel}.`,
+			"- These profiles use an explicit Chromium user data directory instead of Chrome's default auto-connect path.",
+			`- Verify the matching Chromium-based browser is version ${CHROME_MCP_MIN_MAJOR}+ on the same host as the Gateway or node.`,
+			`- Enable remote debugging in that browser's inspect page (${REMOTE_DEBUGGING_PAGES}).`,
+			"- Keep the browser running and accept the attach consent prompt the first time moldClaw connects."
+		].join("\n"), "Browser");
+		return;
+	}
+	const chrome = resolveChromeExecutable(platform);
+	const autoProfileLabel = autoConnectProfiles.map((profile) => profile.name).join(", ");
+	if (!chrome) {
+		const lines = [
+			`- Chrome MCP existing-session is configured for profile(s): ${profileLabel}.`,
+			`- Google Chrome was not found on this host for auto-connect profile(s): ${autoProfileLabel}. moldClaw does not bundle Chrome.`,
+			`- Install Google Chrome ${CHROME_MCP_MIN_MAJOR}+ on the same host as the Gateway or node, or set browser.profiles.<name>.userDataDir for a different Chromium-based browser.`,
+			`- Enable remote debugging in the browser inspect page (${REMOTE_DEBUGGING_PAGES}).`,
+			"- Keep the browser running and accept the attach consent prompt the first time moldClaw connects.",
+			"- Docker, headless, and sandbox browser flows stay on raw CDP; this check only applies to host-local Chrome MCP attach."
+		];
+		if (explicitProfiles.length > 0) lines.push(`- Profiles with explicit userDataDir skip Chrome auto-detection: ${explicitProfiles.map((profile) => profile.name).join(", ")}.`);
+		noteFn(lines.join("\n"), "Browser");
+		return;
+	}
+	const versionRaw = readVersion(chrome.path);
+	const major = parseBrowserMajorVersion(versionRaw);
+	const lines = [`- Chrome MCP existing-session is configured for profile(s): ${profileLabel}.`, `- Chrome path: ${chrome.path}`];
+	if (!versionRaw || major === null) lines.push(`- Could not determine the installed Chrome version. Chrome MCP requires Google Chrome ${CHROME_MCP_MIN_MAJOR}+ on this host.`);
+	else if (major < CHROME_MCP_MIN_MAJOR) lines.push(`- Detected Chrome ${versionRaw}, which is too old for Chrome MCP existing-session attach. Upgrade to Chrome ${CHROME_MCP_MIN_MAJOR}+.`);
+	else lines.push(`- Detected Chrome ${versionRaw}.`);
+	lines.push(`- Enable remote debugging in the browser inspect page (${REMOTE_DEBUGGING_PAGES}).`);
+	lines.push("- Keep the browser running and accept the attach consent prompt the first time moldClaw connects.");
+	if (explicitProfiles.length > 0) lines.push(`- Profiles with explicit userDataDir still need manual validation of the matching Chromium-based browser: ${explicitProfiles.map((profile) => profile.name).join(", ")}.`);
+	noteFn(lines.join("\n"), "Browser");
+}
+//#endregion
+//#region src/commands/doctor-cron.ts
+function pluralize(count, noun) {
+	return `${count} ${noun}${count === 1 ? "" : "s"}`;
+}
+function formatLegacyIssuePreview(issues) {
+	const lines = [];
+	if (issues.jobId) lines.push(`- ${pluralize(issues.jobId, "job")} still uses legacy \`jobId\``);
+	if (issues.legacyScheduleString) lines.push(`- ${pluralize(issues.legacyScheduleString, "job")} stores schedule as a bare string`);
+	if (issues.legacyScheduleCron) lines.push(`- ${pluralize(issues.legacyScheduleCron, "job")} still uses \`schedule.cron\``);
+	if (issues.legacyPayloadKind) lines.push(`- ${pluralize(issues.legacyPayloadKind, "job")} needs payload kind normalization`);
+	if (issues.legacyPayloadProvider) lines.push(`- ${pluralize(issues.legacyPayloadProvider, "job")} still uses payload \`provider\` as a delivery alias`);
+	if (issues.legacyTopLevelPayloadFields) lines.push(`- ${pluralize(issues.legacyTopLevelPayloadFields, "job")} still uses top-level payload fields`);
+	if (issues.legacyTopLevelDeliveryFields) lines.push(`- ${pluralize(issues.legacyTopLevelDeliveryFields, "job")} still uses top-level delivery fields`);
+	if (issues.legacyDeliveryMode) lines.push(`- ${pluralize(issues.legacyDeliveryMode, "job")} still uses delivery mode \`deliver\``);
+	return lines;
+}
+function trimString(value) {
+	return typeof value === "string" && value.trim() ? value.trim() : void 0;
+}
+function migrateLegacyNotifyFallback(params) {
+	let changed = false;
+	const warnings = [];
+	for (const raw of params.jobs) {
+		if (!("notify" in raw)) continue;
+		const jobName = trimString(raw.name) ?? trimString(raw.id) ?? "<unnamed>";
+		if (!(raw.notify === true)) {
+			delete raw.notify;
+			changed = true;
+			continue;
+		}
+		const delivery = raw.delivery && typeof raw.delivery === "object" && !Array.isArray(raw.delivery) ? raw.delivery : null;
+		const mode = trimString(delivery?.mode)?.toLowerCase();
+		const to = trimString(delivery?.to);
+		if (mode === "webhook" && to) {
+			delete raw.notify;
+			changed = true;
+			continue;
+		}
+		if ((mode === void 0 || mode === "none" || mode === "webhook") && params.legacyWebhook) {
+			raw.delivery = {
+				...delivery,
+				mode: "webhook",
+				to: mode === "none" ? params.legacyWebhook : to ?? params.legacyWebhook
+			};
+			delete raw.notify;
+			changed = true;
+			continue;
+		}
+		if (!params.legacyWebhook) {
+			warnings.push(`Cron job "${jobName}" still uses legacy notify fallback, but cron.webhook is unset so doctor cannot migrate it automatically.`);
+			continue;
+		}
+		warnings.push(`Cron job "${jobName}" uses legacy notify fallback alongside delivery mode "${mode}". Migrate it manually so webhook delivery does not replace existing announce behavior.`);
+	}
+	return {
+		changed,
+		warnings
+	};
+}
+async function maybeRepairLegacyCronStore(params) {
+	const storePath = resolveCronStorePath(params.cfg.cron?.store);
+	const rawJobs = (await loadCronStore(storePath)).jobs ?? [];
+	if (rawJobs.length === 0) return;
+	const normalized = normalizeStoredCronJobs(rawJobs);
+	const legacyWebhook = trimString(params.cfg.cron?.webhook);
+	const notifyCount = rawJobs.filter((job) => job.notify === true).length;
+	const previewLines = formatLegacyIssuePreview(normalized.issues);
+	if (notifyCount > 0) previewLines.push(`- ${pluralize(notifyCount, "job")} still uses legacy \`notify: true\` webhook fallback`);
+	if (previewLines.length === 0) return;
+	note$1([
+		`Legacy cron job storage detected at ${shortenHomePath(storePath)}.`,
+		...previewLines,
+		`Repair with ${formatCliCommand("moldclaw doctor --fix")} to normalize the store before the next scheduler run.`
+	].join("\n"), "Cron");
+	if (!await params.prompter.confirm({
+		message: "Repair legacy cron jobs now?",
+		initialValue: true
+	})) return;
+	const notifyMigration = migrateLegacyNotifyFallback({
+		jobs: rawJobs,
+		legacyWebhook
+	});
+	const changed = normalized.mutated || notifyMigration.changed;
+	if (!changed && notifyMigration.warnings.length === 0) return;
+	if (changed) {
+		await saveCronStore(storePath, {
+			version: 1,
+			jobs: rawJobs
+		});
+		note$1(`Cron store normalized at ${shortenHomePath(storePath)}.`, "Doctor changes");
+	}
+	if (notifyMigration.warnings.length > 0) note$1(notifyMigration.warnings.join("\n"), "Doctor warnings");
+}
+//#endregion
+//#region src/commands/doctor-format.ts
+function formatGatewayRuntimeSummary(runtime) {
+	return formatRuntimeStatus(runtime);
+}
+function buildGatewayRuntimeHints(runtime, options = {}) {
+	const hints = [];
+	if (!runtime) return hints;
+	const platform = options.platform ?? process.platform;
+	const env = options.env ?? process.env;
+	const fileLog = (() => {
+		try {
+			return getResolvedLoggerSettings().file;
+		} catch {
+			return null;
+		}
+	})();
+	if (platform === "linux" && isSystemdUnavailableDetail(runtime.detail)) {
+		hints.push(...renderSystemdUnavailableHints({ wsl: isWSLEnv() }));
+		if (fileLog) hints.push(`File logs: ${fileLog}`);
+		return hints;
+	}
+	if (runtime.cachedLabel && platform === "darwin") {
+		const label = resolveGatewayLaunchAgentLabel(env.MOLDCLAW_PROFILE);
+		hints.push(`LaunchAgent label cached but plist missing. Clear with: launchctl bootout gui/$UID/${label}`);
+		hints.push(`Then reinstall: ${formatCliCommand("moldclaw gateway install", env)}`);
+	}
+	if (runtime.missingUnit) {
+		hints.push(`Service not installed. Run: ${formatCliCommand("moldclaw gateway install", env)}`);
+		if (fileLog) hints.push(`File logs: ${fileLog}`);
+		return hints;
+	}
+	if (runtime.status === "stopped") {
+		hints.push("Service is loaded but not running (likely exited immediately).");
+		if (fileLog) hints.push(`File logs: ${fileLog}`);
+		hints.push(...buildPlatformRuntimeLogHints({
+			platform,
+			env,
+			systemdServiceName: resolveGatewaySystemdServiceName(env.MOLDCLAW_PROFILE),
+			windowsTaskName: resolveGatewayWindowsTaskName(env.MOLDCLAW_PROFILE)
+		}));
+	}
+	return hints;
+}
+//#endregion
+//#region src/commands/doctor-gateway-daemon-flow.ts
+async function maybeRepairLaunchAgentBootstrap(params) {
+	if (process.platform !== "darwin") return false;
+	if (!await isLaunchAgentListed({ env: params.env })) return false;
+	if (await isLaunchAgentLoaded({ env: params.env })) return false;
+	if (!await launchAgentPlistExists(params.env)) return false;
+	note$1("LaunchAgent is listed but not loaded in launchd.", `${params.title} LaunchAgent`);
+	if (!await params.prompter.confirmSkipInNonInteractive({
+		message: `Repair ${params.title} LaunchAgent bootstrap now?`,
+		initialValue: true
+	})) return false;
+	params.runtime.log(`Bootstrapping ${params.title} LaunchAgent...`);
+	const repair = await repairLaunchAgentBootstrap({ env: params.env });
+	if (!repair.ok) {
+		params.runtime.error(`${params.title} LaunchAgent bootstrap failed: ${repair.detail ?? "unknown error"}`);
+		return false;
+	}
+	if (!await isLaunchAgentLoaded({ env: params.env })) {
+		params.runtime.error(`${params.title} LaunchAgent still not loaded after repair.`);
+		return false;
+	}
+	note$1(`${params.title} LaunchAgent repaired.`, `${params.title} LaunchAgent`);
+	return true;
+}
+async function maybeRepairGatewayDaemon(params) {
+	if (params.healthOk) return;
+	const service = resolveGatewayService();
+	let loaded = false;
+	try {
+		loaded = await service.isLoaded({ env: process.env });
+	} catch {
+		loaded = false;
+	}
+	let serviceRuntime;
+	if (loaded) serviceRuntime = await service.readRuntime(process.env).catch(() => void 0);
+	if (process.platform === "darwin" && params.cfg.gateway?.mode !== "remote") {
+		const gatewayRepaired = await maybeRepairLaunchAgentBootstrap({
+			env: process.env,
+			title: "Gateway",
+			runtime: params.runtime,
+			prompter: params.prompter
+		});
+		await maybeRepairLaunchAgentBootstrap({
+			env: {
+				...process.env,
+				MOLDCLAW_LAUNCHD_LABEL: resolveNodeLaunchAgentLabel()
+			},
+			title: "Node",
+			runtime: params.runtime,
+			prompter: params.prompter
+		});
+		if (gatewayRepaired) {
+			loaded = await service.isLoaded({ env: process.env });
+			if (loaded) serviceRuntime = await service.readRuntime(process.env).catch(() => void 0);
+		}
+	}
+	if (params.cfg.gateway?.mode !== "remote") {
+		const diagnostics = await inspectPortUsage(resolveGatewayPort(params.cfg, process.env));
+		if (diagnostics.status === "busy") note$1(formatPortDiagnostics(diagnostics).join("\n"), "Gateway port");
+		else if (loaded && serviceRuntime?.status === "running") {
+			const lastError = await readLastGatewayErrorLine(process.env);
+			if (lastError) note$1(`Last gateway error: ${lastError}`, "Gateway");
+		}
+	}
+	if (!loaded) {
+		if (process.platform === "linux") {
+			if (!await isSystemdUserServiceAvailable().catch(() => false)) {
+				note$1(renderSystemdUnavailableHints({ wsl: await isWSL() }).join("\n"), "Gateway");
+				return;
+			}
+		}
+		note$1("Gateway service not installed.", "Gateway");
+		if (params.cfg.gateway?.mode !== "remote") {
+			if (await params.prompter.confirmSkipInNonInteractive({
+				message: "Install gateway service now?",
+				initialValue: true
+			})) {
+				const daemonRuntime = await params.prompter.select({
+					message: "Gateway service runtime",
+					options: GATEWAY_DAEMON_RUNTIME_OPTIONS,
+					initialValue: DEFAULT_GATEWAY_DAEMON_RUNTIME
+				}, DEFAULT_GATEWAY_DAEMON_RUNTIME);
+				const tokenResolution = await resolveGatewayInstallToken({
+					config: params.cfg,
+					env: process.env
+				});
+				for (const warning of tokenResolution.warnings) note$1(warning, "Gateway");
+				if (tokenResolution.unavailableReason) {
+					note$1([
+						"Gateway service install aborted.",
+						tokenResolution.unavailableReason,
+						"Fix gateway auth config/token input and rerun doctor."
+					].join("\n"), "Gateway");
+					return;
+				}
+				const port = resolveGatewayPort(params.cfg, process.env);
+				const { programArguments, workingDirectory, environment } = await buildGatewayInstallPlan({
+					env: process.env,
+					port,
+					runtime: daemonRuntime,
+					warn: (message, title) => note$1(message, title),
+					config: params.cfg
+				});
+				try {
+					await service.install({
+						env: process.env,
+						stdout: process.stdout,
+						programArguments,
+						workingDirectory,
+						environment
+					});
+				} catch (err) {
+					note$1(`Gateway service install failed: ${String(err)}`, "Gateway");
+					note$1(gatewayInstallErrorHint(), "Gateway");
+				}
+			}
+		}
+		return;
+	}
+	const summary = formatGatewayRuntimeSummary(serviceRuntime);
+	const hints = buildGatewayRuntimeHints(serviceRuntime, {
+		platform: process.platform,
+		env: process.env
+	});
+	if (summary || hints.length > 0) {
+		const lines = [];
+		if (summary) lines.push(`Runtime: ${summary}`);
+		lines.push(...hints);
+		note$1(lines.join("\n"), "Gateway");
+	}
+	if (serviceRuntime?.status !== "running") {
+		if (await params.prompter.confirmSkipInNonInteractive({
+			message: "Start gateway service now?",
+			initialValue: true
+		})) {
+			const restartStatus = describeGatewayServiceRestart("Gateway", await service.restart({
+				env: process.env,
+				stdout: process.stdout
+			}));
+			if (!restartStatus.scheduled) await sleep(1500);
+			else note$1(restartStatus.message, "Gateway");
+		}
+	}
+	if (process.platform === "darwin") {
+		const label = resolveGatewayLaunchAgentLabel(process.env.MOLDCLAW_PROFILE);
+		note$1(`LaunchAgent loaded; stopping requires "${formatCliCommand("moldclaw gateway stop")}" or launchctl bootout gui/$UID/${label}.`, "Gateway");
+	}
+	if (serviceRuntime?.status === "running") {
+		if (await params.prompter.confirmSkipInNonInteractive({
+			message: "Restart gateway service now?",
+			initialValue: true
+		})) {
+			const restartStatus = describeGatewayServiceRestart("Gateway", await service.restart({
+				env: process.env,
+				stdout: process.stdout
+			}));
+			if (restartStatus.scheduled) {
+				note$1(restartStatus.message, "Gateway");
+				return;
+			}
+			await sleep(1500);
+			try {
+				await healthCommand({
+					json: false,
+					timeoutMs: 1e4
+				}, params.runtime);
+			} catch (err) {
+				if (String(err).includes("gateway closed")) {
+					note$1("Gateway not running.", "Gateway");
+					note$1(params.gatewayDetailsMessage, "Gateway connection");
+				} else params.runtime.error(formatHealthCheckFailure(err));
+			}
+		}
+	}
+}
+//#endregion
+//#region src/commands/doctor-gateway-health.ts
+async function checkGatewayHealth(params) {
+	const gatewayDetails = buildGatewayConnectionDetails({ config: params.cfg });
+	const timeoutMs = typeof params.timeoutMs === "number" && params.timeoutMs > 0 ? params.timeoutMs : 1e4;
+	let healthOk = false;
+	try {
+		await healthCommand({
+			json: false,
+			timeoutMs,
+			config: params.cfg
+		}, params.runtime);
+		healthOk = true;
+	} catch (err) {
+		if (String(err).includes("gateway closed")) {
+			note$1("Gateway not running.", "Gateway");
+			note$1(gatewayDetails.message, "Gateway connection");
+		} else params.runtime.error(formatHealthCheckFailure(err));
+	}
+	if (healthOk) try {
+		const issues = collectChannelStatusIssues(await callGateway({
+			method: "channels.status",
+			params: {
+				probe: true,
+				timeoutMs: 5e3
+			},
+			timeoutMs: 6e3
+		}));
+		if (issues.length > 0) note$1(issues.map((issue) => `- ${issue.channel} ${issue.accountId}: ${issue.message}${issue.fix ? ` (${issue.fix})` : ""}`).join("\n"), "Channel warnings");
+	} catch {}
+	return { healthOk };
+}
+async function probeGatewayMemoryStatus(params) {
+	const timeoutMs = typeof params.timeoutMs === "number" && params.timeoutMs > 0 ? params.timeoutMs : 8e3;
+	try {
+		const payload = await callGateway({
+			method: "doctor.memory.status",
+			timeoutMs,
+			config: params.cfg
+		});
+		return {
+			checked: true,
+			ready: payload.embedding.ok,
+			error: payload.embedding.error
+		};
+	} catch (err) {
+		return {
+			checked: true,
+			ready: false,
+			error: `gateway memory probe unavailable: ${err instanceof Error ? err.message : String(err)}`
+		};
+	}
+}
+//#endregion
+//#region src/commands/doctor-gateway-auth-token.ts
+async function resolveGatewayAuthTokenForService(cfg, env) {
+	const resolved = await resolveConfiguredSecretInputWithFallback({
+		config: cfg,
+		env,
+		value: cfg.gateway?.auth?.token,
+		path: "gateway.auth.token",
+		unresolvedReasonStyle: "detailed",
+		readFallback: () => readGatewayTokenEnv(env)
+	});
+	if (resolved.value) return { token: resolved.value };
+	if (!resolved.secretRefConfigured) return {};
+	if (resolved.unresolvedRefReason?.includes("resolved to an empty value")) return { unavailableReason: resolved.unresolvedRefReason };
+	return { unavailableReason: `gateway.auth.token SecretRef is configured but unresolved (${resolved.unresolvedRefReason ?? "unknown reason"}).` };
+}
+//#endregion
+//#region src/commands/doctor-gateway-services.ts
+const execFileAsync$1 = promisify(execFile);
+function detectGatewayRuntime(programArguments) {
+	const first = programArguments?.[0];
+	if (first) {
+		const base = path.basename(first).toLowerCase();
+		if (base === "bun" || base === "bun.exe") return "bun";
+		if (base === "node" || base === "node.exe") return "node";
+	}
+	return DEFAULT_GATEWAY_DAEMON_RUNTIME;
+}
+function findGatewayEntrypoint(programArguments) {
+	if (!programArguments || programArguments.length === 0) return null;
+	const gatewayIndex = programArguments.indexOf("gateway");
+	if (gatewayIndex <= 0) return null;
+	return programArguments[gatewayIndex - 1] ?? null;
+}
+async function normalizeExecutablePath(value) {
+	const resolvedPath = path.resolve(value);
+	try {
+		return await fs$1.realpath(resolvedPath);
+	} catch {
+		return resolvedPath;
+	}
+}
+function extractDetailPath(detail, prefix) {
+	if (!detail.startsWith(prefix)) return null;
+	const value = detail.slice(prefix.length).trim();
+	return value.length > 0 ? value : null;
+}
+async function cleanupLegacyLaunchdService(params) {
+	if (typeof process.getuid !== "function") return null;
+	await execFileAsync$1("launchctl", [
+		"bootout",
+		`gui/${process.getuid()}`,
+		params.plistPath
+	]).catch(() => void 0);
+	await execFileAsync$1("launchctl", ["unload", params.plistPath]).catch(() => void 0);
+	const trashDir = path.join(os.homedir(), ".Trash");
+	try {
+		await fs$1.mkdir(trashDir, { recursive: true });
+	} catch {}
+	try {
+		await fs$1.access(params.plistPath);
+	} catch {
+		return null;
+	}
+	const dest = path.join(trashDir, `${params.label}-${Date.now()}.plist`);
+	try {
+		await fs$1.rename(params.plistPath, dest);
+		return dest;
+	} catch {
+		return null;
+	}
+}
+function classifyLegacyServices(legacyServices) {
+	const darwinUserServices = [];
+	const linuxUserServices = [];
+	const failed = [];
+	for (const svc of legacyServices) {
+		if (svc.platform === "darwin") {
+			if (svc.scope === "user") darwinUserServices.push(svc);
+			else failed.push(`${svc.label} (${svc.scope})`);
+			continue;
+		}
+		if (svc.platform === "linux") {
+			if (svc.scope === "user") linuxUserServices.push(svc);
+			else failed.push(`${svc.label} (${svc.scope})`);
+			continue;
+		}
+		failed.push(`${svc.label} (${svc.platform})`);
+	}
+	return {
+		darwinUserServices,
+		linuxUserServices,
+		failed
+	};
+}
+async function cleanupLegacyDarwinServices(services) {
+	const removed = [];
+	const failed = [];
+	for (const svc of services) {
+		const plistPath = extractDetailPath(svc.detail, "plist:");
+		if (!plistPath) {
+			failed.push(`${svc.label} (missing plist path)`);
+			continue;
+		}
+		const dest = await cleanupLegacyLaunchdService({
+			label: svc.label,
+			plistPath
+		});
+		removed.push(dest ? `${svc.label} -> ${dest}` : svc.label);
+	}
+	return {
+		removed,
+		failed
+	};
+}
+async function cleanupLegacyLinuxUserServices(services, runtime) {
+	const removed = [];
+	const failed = [];
+	try {
+		const removedUnits = await uninstallLegacySystemdUnits({
+			env: process.env,
+			stdout: process.stdout
+		});
+		const removedByLabel = new Map(removedUnits.map((unit) => [`${unit.name}.service`, unit]));
+		for (const svc of services) {
+			const removedUnit = removedByLabel.get(svc.label);
+			if (!removedUnit) {
+				failed.push(`${svc.label} (legacy unit name not recognized)`);
+				continue;
+			}
+			removed.push(`${svc.label} -> ${removedUnit.unitPath}`);
+		}
+	} catch (err) {
+		runtime.error(`Legacy Linux gateway cleanup failed: ${String(err)}`);
+		for (const svc of services) failed.push(`${svc.label} (linux cleanup failed)`);
+	}
+	return {
+		removed,
+		failed
+	};
+}
+async function maybeRepairGatewayServiceConfig(cfg, mode, runtime, prompter) {
+	if (resolveIsNixMode(process.env)) {
+		note$1("Nix mode detected; skip service updates.", "Gateway");
+		return;
+	}
+	if (mode === "remote") {
+		note$1("Gateway mode is remote; skipped local service audit.", "Gateway");
+		return;
+	}
+	const service = resolveGatewayService();
+	let command = null;
+	try {
+		command = await service.readCommand(process.env);
+	} catch {
+		command = null;
+	}
+	if (!command) return;
+	const tokenRefConfigured = Boolean(resolveSecretInputRef({
+		value: cfg.gateway?.auth?.token,
+		defaults: cfg.secrets?.defaults
+	}).ref);
+	const gatewayTokenResolution = await resolveGatewayAuthTokenForService(cfg, process.env);
+	if (gatewayTokenResolution.unavailableReason) note$1(`Unable to verify gateway service token drift: ${gatewayTokenResolution.unavailableReason}`, "Gateway service config");
+	const expectedGatewayToken = tokenRefConfigured ? void 0 : gatewayTokenResolution.token;
+	const audit = await auditGatewayServiceConfig({
+		env: process.env,
+		command,
+		expectedGatewayToken
+	});
+	const serviceToken = readEmbeddedGatewayToken(command);
+	if (tokenRefConfigured && serviceToken) audit.issues.push({
+		code: SERVICE_AUDIT_CODES.gatewayTokenMismatch,
+		message: "Gateway service MOLDCLAW_GATEWAY_TOKEN should be unset when gateway.auth.token is SecretRef-managed",
+		detail: "service token is stale",
+		level: "recommended"
+	});
+	const needsNodeRuntime = needsNodeRuntimeMigration(audit.issues);
+	const systemNodeInfo = needsNodeRuntime ? await resolveSystemNodeInfo({ env: process.env }) : null;
+	const systemNodePath = systemNodeInfo?.supported ? systemNodeInfo.path : null;
+	if (needsNodeRuntime && !systemNodePath) {
+		const warning = renderSystemNodeWarning(systemNodeInfo);
+		if (warning) note$1(warning, "Gateway runtime");
+		note$1("System Node 22 LTS (22.16+) or Node 24 not found. Install via Homebrew/apt/choco and rerun doctor to migrate off Bun/version managers.", "Gateway runtime");
+	}
+	const port = resolveGatewayPort(cfg, process.env);
+	const runtimeChoice = detectGatewayRuntime(command.programArguments);
+	const { programArguments } = await buildGatewayInstallPlan({
+		env: process.env,
+		port,
+		runtime: needsNodeRuntime && systemNodePath ? "node" : runtimeChoice,
+		nodePath: systemNodePath ?? void 0,
+		warn: (message, title) => note$1(message, title),
+		config: cfg
+	});
+	const expectedEntrypoint = findGatewayEntrypoint(programArguments);
+	const currentEntrypoint = findGatewayEntrypoint(command.programArguments);
+	const normalizedExpectedEntrypoint = expectedEntrypoint ? await normalizeExecutablePath(expectedEntrypoint) : null;
+	const normalizedCurrentEntrypoint = currentEntrypoint ? await normalizeExecutablePath(currentEntrypoint) : null;
+	if (normalizedExpectedEntrypoint && normalizedCurrentEntrypoint && normalizedExpectedEntrypoint !== normalizedCurrentEntrypoint) audit.issues.push({
+		code: SERVICE_AUDIT_CODES.gatewayEntrypointMismatch,
+		message: "Gateway service entrypoint does not match the current install.",
+		detail: `${currentEntrypoint} -> ${expectedEntrypoint}`,
+		level: "recommended"
+	});
+	if (audit.issues.length === 0) return;
+	note$1(audit.issues.map((issue) => issue.detail ? `- ${issue.message} (${issue.detail})` : `- ${issue.message}`).join("\n"), "Gateway service config");
+	const needsAggressive = audit.issues.filter((issue) => issue.level === "aggressive").length > 0;
+	if (needsAggressive && !prompter.shouldForce) note$1("Custom or unexpected service edits detected. Rerun with --force to overwrite.", "Gateway service config");
+	if (!(needsAggressive ? await prompter.confirmAggressive({
+		message: "Overwrite gateway service config with current defaults now?",
+		initialValue: Boolean(prompter.shouldForce)
+	}) : await prompter.confirmRepair({
+		message: "Update gateway service config to the recommended defaults now?",
+		initialValue: true
+	}))) return;
+	const serviceEmbeddedToken = readEmbeddedGatewayToken(command);
+	const gatewayTokenForRepair = expectedGatewayToken ?? serviceEmbeddedToken;
+	const configuredGatewayToken = typeof cfg.gateway?.auth?.token === "string" ? cfg.gateway.auth.token.trim() || void 0 : void 0;
+	let cfgForServiceInstall = cfg;
+	if (!tokenRefConfigured && !configuredGatewayToken && gatewayTokenForRepair) {
+		const nextCfg = {
+			...cfg,
+			gateway: {
+				...cfg.gateway,
+				auth: {
+					...cfg.gateway?.auth,
+					mode: cfg.gateway?.auth?.mode ?? "token",
+					token: gatewayTokenForRepair
+				}
+			}
+		};
+		try {
+			await writeConfigFile(nextCfg);
+			cfgForServiceInstall = nextCfg;
+			note$1(expectedGatewayToken ? "Persisted gateway.auth.token from environment before reinstalling service." : "Persisted gateway.auth.token from existing service definition before reinstalling service.", "Gateway");
+		} catch (err) {
+			runtime.error(`Failed to persist gateway.auth.token before service repair: ${String(err)}`);
+			return;
+		}
+	}
+	const updatedPort = resolveGatewayPort(cfgForServiceInstall, process.env);
+	const updatedPlan = await buildGatewayInstallPlan({
+		env: process.env,
+		port: updatedPort,
+		runtime: needsNodeRuntime && systemNodePath ? "node" : runtimeChoice,
+		nodePath: systemNodePath ?? void 0,
+		warn: (message, title) => note$1(message, title),
+		config: cfgForServiceInstall
+	});
+	try {
+		await service.install({
+			env: process.env,
+			stdout: process.stdout,
+			programArguments: updatedPlan.programArguments,
+			workingDirectory: updatedPlan.workingDirectory,
+			environment: updatedPlan.environment
+		});
+	} catch (err) {
+		runtime.error(`Gateway service update failed: ${String(err)}`);
+	}
+}
+async function maybeScanExtraGatewayServices(options, runtime, prompter) {
+	const extraServices = await findExtraGatewayServices(process.env, { deep: options.deep });
+	if (extraServices.length === 0) return;
+	note$1(extraServices.map((svc) => `- ${svc.label} (${svc.scope}, ${svc.detail})`).join("\n"), "Other gateway-like services detected");
+	const legacyServices = extraServices.filter((svc) => svc.legacy === true);
+	if (legacyServices.length > 0) {
+		if (await prompter.confirmSkipInNonInteractive({
+			message: "Remove legacy gateway services (clawdbot/moltbot) now?",
+			initialValue: true
+		})) {
+			const removed = [];
+			const { darwinUserServices, linuxUserServices, failed } = classifyLegacyServices(legacyServices);
+			if (darwinUserServices.length > 0) {
+				const result = await cleanupLegacyDarwinServices(darwinUserServices);
+				removed.push(...result.removed);
+				failed.push(...result.failed);
+			}
+			if (linuxUserServices.length > 0) {
+				const result = await cleanupLegacyLinuxUserServices(linuxUserServices, runtime);
+				removed.push(...result.removed);
+				failed.push(...result.failed);
+			}
+			if (removed.length > 0) note$1(removed.map((line) => `- ${line}`).join("\n"), "Legacy gateway removed");
+			if (failed.length > 0) note$1(failed.map((line) => `- ${line}`).join("\n"), "Legacy gateway cleanup skipped");
+			if (removed.length > 0) runtime.log("Legacy gateway services removed. Installing moldClaw gateway next.");
+		}
+	}
+	const cleanupHints = renderGatewayServiceCleanupHints();
+	if (cleanupHints.length > 0) note$1(cleanupHints.map((hint) => `- ${hint}`).join("\n"), "Cleanup hints");
+	note$1([
+		"Recommendation: run a single gateway per machine for most setups.",
+		"One gateway supports multiple agents.",
+		"If you need multiple gateways (e.g., a rescue bot on the same host), isolate ports + config/state (see docs: /gateway#multiple-gateways-same-host)."
+	].join("\n"), "Gateway recommendation");
+}
+//#endregion
+//#region src/commands/doctor-install.ts
+function noteSourceInstallIssues(root) {
+	if (!root) return;
+	const workspaceMarker = path.join(root, "pnpm-workspace.yaml");
+	if (!fs.existsSync(workspaceMarker)) return;
+	const warnings = [];
+	const nodeModules = path.join(root, "node_modules");
+	const pnpmStore = path.join(nodeModules, ".pnpm");
+	const tsxBin = path.join(nodeModules, ".bin", "tsx");
+	const srcEntry = path.join(root, "src", "entry.ts");
+	if (fs.existsSync(nodeModules) && !fs.existsSync(pnpmStore)) warnings.push("- node_modules was not installed by pnpm (missing node_modules/.pnpm). Run: pnpm install");
+	if (fs.existsSync(path.join(root, "package-lock.json"))) warnings.push("- package-lock.json present in a pnpm workspace. If you ran npm install, remove it and reinstall with pnpm.");
+	if (fs.existsSync(srcEntry) && !fs.existsSync(tsxBin)) warnings.push("- tsx binary is missing for source runs. Run: pnpm install");
+	if (warnings.length > 0) note$1(warnings.join("\n"), "Install");
+}
+//#endregion
+//#region src/commands/doctor-memory-search.ts
+/**
+* Check whether memory search has a usable embedding provider.
+* Runs as part of `moldclaw doctor` — config-only, no network calls.
+*/
+async function noteMemorySearchHealth(cfg, opts) {
+	const agentId = resolveDefaultAgentId(cfg);
+	const agentDir = resolveAgentDir(cfg, agentId);
+	const resolved = resolveMemorySearchConfig(cfg, agentId);
+	const hasRemoteApiKey = hasConfiguredMemorySecretInput(resolved?.remote?.apiKey);
+	if (!resolved) {
+		note$1("Memory search is explicitly disabled (enabled: false).", "Memory search");
+		return;
+	}
+	if (resolveMemoryBackendConfig({
+		cfg,
+		agentId
+	}).backend === "qmd") return;
+	if (resolved.provider !== "auto") {
+		if (resolved.provider === "local") {
+			if (hasLocalEmbeddings(resolved.local, true)) {
+				if (opts?.gatewayMemoryProbe?.checked && !opts.gatewayMemoryProbe.ready) {
+					const detail = opts.gatewayMemoryProbe.error?.trim();
+					note$1([
+						"Memory search provider is set to \"local\" and a model path is configured,",
+						"but the gateway reports local embeddings are not ready.",
+						detail ? `Gateway probe: ${detail}` : null,
+						"",
+						`Verify: ${formatCliCommand("moldclaw memory status --deep")}`
+					].filter(Boolean).join("\n"), "Memory search");
+				}
+				return;
+			}
+			note$1([
+				"Memory search provider is set to \"local\" but no local model file was found.",
+				"",
+				"Fix (pick one):",
+				`- Install node-llama-cpp and set a local model path in config`,
+				`- Switch to a remote provider: ${formatCliCommand("moldclaw config set agents.defaults.memorySearch.provider openai")}`,
+				"",
+				`Verify: ${formatCliCommand("moldclaw memory status --deep")}`
+			].join("\n"), "Memory search");
+			return;
+		}
+		if (hasRemoteApiKey || await hasApiKeyForProvider(resolved.provider, cfg, agentDir)) return;
+		if (opts?.gatewayMemoryProbe?.checked && opts.gatewayMemoryProbe.ready) {
+			note$1([
+				`Memory search provider is set to "${resolved.provider}" but the API key was not found in the CLI environment.`,
+				"The running gateway reports memory embeddings are ready for the default agent.",
+				`Verify: ${formatCliCommand("moldclaw memory status --deep")}`
+			].join("\n"), "Memory search");
+			return;
+		}
+		const gatewayProbeWarning = buildGatewayProbeWarning(opts?.gatewayMemoryProbe);
+		const envVar = providerEnvVar(resolved.provider);
+		note$1([
+			`Memory search provider is set to "${resolved.provider}" but no API key was found.`,
+			`Semantic recall will not work without a valid API key.`,
+			gatewayProbeWarning ? gatewayProbeWarning : null,
+			"",
+			"Fix (pick one):",
+			`- Set ${envVar} in your environment`,
+			`- Configure credentials: ${formatCliCommand("moldclaw configure --section model")}`,
+			`- To disable: ${formatCliCommand("moldclaw config set agents.defaults.memorySearch.enabled false")}`,
+			"",
+			`Verify: ${formatCliCommand("moldclaw memory status --deep")}`
+		].join("\n"), "Memory search");
+		return;
+	}
+	if (hasLocalEmbeddings(resolved.local)) return;
+	for (const provider of [
+		"openai",
+		"gemini",
+		"voyage",
+		"mistral"
+	]) if (hasRemoteApiKey || await hasApiKeyForProvider(provider, cfg, agentDir)) return;
+	if (opts?.gatewayMemoryProbe?.checked && opts.gatewayMemoryProbe.ready) {
+		note$1([
+			"Memory search provider is set to \"auto\" but the API key was not found in the CLI environment.",
+			"The running gateway reports memory embeddings are ready for the default agent.",
+			`Verify: ${formatCliCommand("moldclaw memory status --deep")}`
+		].join("\n"), "Memory search");
+		return;
+	}
+	const gatewayProbeWarning = buildGatewayProbeWarning(opts?.gatewayMemoryProbe);
+	note$1([
+		"Memory search is enabled but no embedding provider is configured.",
+		"Semantic recall will not work without an embedding provider.",
+		gatewayProbeWarning ? gatewayProbeWarning : null,
+		"",
+		"Fix (pick one):",
+		"- Set OPENAI_API_KEY, GEMINI_API_KEY, VOYAGE_API_KEY, or MISTRAL_API_KEY in your environment",
+		`- Configure credentials: ${formatCliCommand("moldclaw configure --section model")}`,
+		`- For local embeddings: configure agents.defaults.memorySearch.provider and local model path`,
+		`- To disable: ${formatCliCommand("moldclaw config set agents.defaults.memorySearch.enabled false")}`,
+		"",
+		`Verify: ${formatCliCommand("moldclaw memory status --deep")}`
+	].join("\n"), "Memory search");
+}
+/**
+* Check whether local embeddings are available.
+*
+* When `useDefaultFallback` is true (explicit `provider: "local"`), an empty
+* modelPath is treated as available because the runtime falls back to
+* DEFAULT_LOCAL_MODEL (an auto-downloaded HuggingFace model).
+*
+* When false (provider: "auto"), we only consider local available if the user
+* explicitly configured a local file path — matching `canAutoSelectLocal()`
+* in the runtime, which skips local for empty/hf: model paths.
+*/
+function hasLocalEmbeddings(local, useDefaultFallback = false) {
+	const modelPath = local.modelPath?.trim() || (useDefaultFallback ? "hf:ggml-org/embeddinggemma-300m-qat-q8_0-GGUF/embeddinggemma-300m-qat-Q8_0.gguf" : void 0);
+	if (!modelPath) return false;
+	if (/^(hf:|https?:)/i.test(modelPath)) return true;
+	const resolved = resolveUserPath(modelPath);
+	try {
+		return fs.statSync(resolved).isFile();
+	} catch {
+		return false;
+	}
+}
+async function hasApiKeyForProvider(provider, cfg, agentDir) {
+	const authProvider = provider === "gemini" ? "google" : provider;
+	try {
+		await resolveApiKeyForProvider({
+			provider: authProvider,
+			cfg,
+			agentDir
+		});
+		return true;
+	} catch {
+		return false;
+	}
+}
+function providerEnvVar(provider) {
+	switch (provider) {
+		case "openai": return "OPENAI_API_KEY";
+		case "gemini": return "GEMINI_API_KEY";
+		case "voyage": return "VOYAGE_API_KEY";
+		default: return `${provider.toUpperCase()}_API_KEY`;
+	}
+}
+function buildGatewayProbeWarning(probe) {
+	if (!probe?.checked || probe.ready) return null;
+	const detail = probe.error?.trim();
+	return detail ? `Gateway memory probe for default agent is not ready: ${detail}` : "Gateway memory probe for default agent is not ready.";
+}
+//#endregion
+//#region src/commands/doctor-platform-notes.ts
+const execFileAsync = promisify(execFile);
+function resolveHomeDir() {
+	return process.env.HOME ?? os.homedir();
+}
+async function noteMacLaunchAgentOverrides() {
+	if (process.platform !== "darwin") return;
+	const home = resolveHomeDir();
+	const markerPath = [path.join(home, ".moldclaw", "disable-launchagent")].find((candidate) => fs.existsSync(candidate));
+	if (!markerPath) return;
+	const displayMarkerPath = shortenHomePath(markerPath);
+	note$1([
+		`- LaunchAgent writes are disabled via ${displayMarkerPath}.`,
+		"- To restore default behavior:",
+		`  rm ${displayMarkerPath}`
+	].filter((line) => Boolean(line)).join("\n"), "Gateway (macOS)");
+}
+async function launchctlGetenv(name) {
+	try {
+		const result = await execFileAsync("/bin/launchctl", ["getenv", name], { encoding: "utf8" });
+		const value = String(result.stdout ?? "").trim();
+		return value.length > 0 ? value : void 0;
+	} catch {
+		return;
+	}
+}
+function hasConfigGatewayCreds(cfg) {
+	const localPassword = cfg.gateway?.auth?.password;
+	const remoteToken = cfg.gateway?.remote?.token;
+	const remotePassword = cfg.gateway?.remote?.password;
+	return Boolean(hasConfiguredSecretInput(cfg.gateway?.auth?.token, cfg.secrets?.defaults) || hasConfiguredSecretInput(localPassword, cfg.secrets?.defaults) || hasConfiguredSecretInput(remoteToken, cfg.secrets?.defaults) || hasConfiguredSecretInput(remotePassword, cfg.secrets?.defaults));
+}
+async function noteMacLaunchctlGatewayEnvOverrides(cfg, deps) {
+	if ((deps?.platform ?? process.platform) !== "darwin") return;
+	if (!hasConfigGatewayCreds(cfg)) return;
+	const getenv = deps?.getenv ?? launchctlGetenv;
+	const deprecatedLaunchctlEntries = [["MOLDCLAW_GATEWAY_TOKEN", await getenv("MOLDCLAW_GATEWAY_TOKEN")], ["MOLDCLAW_GATEWAY_PASSWORD", await getenv("MOLDCLAW_GATEWAY_PASSWORD")]].filter((entry) => Boolean(entry[1]?.trim()));
+	if (deprecatedLaunchctlEntries.length > 0) {
+		const lines = ["- Deprecated launchctl environment variables detected (ignored).", ...deprecatedLaunchctlEntries.map(([key]) => `- \`${key}\` is set; use \`MOLDCLAW_${key.slice(key.indexOf("_") + 1)}\` instead.`)];
+		(deps?.noteFn ?? note$1)(lines.join("\n"), "Gateway (macOS)");
+	}
+	const tokenEntries = [["MOLDCLAW_GATEWAY_TOKEN", await getenv("MOLDCLAW_GATEWAY_TOKEN")]];
+	const passwordEntries = [["MOLDCLAW_GATEWAY_PASSWORD", await getenv("MOLDCLAW_GATEWAY_PASSWORD")]];
+	const tokenEntry = tokenEntries.find(([, value]) => value?.trim());
+	const passwordEntry = passwordEntries.find(([, value]) => value?.trim());
+	const envToken = tokenEntry?.[1]?.trim() ?? "";
+	const envPassword = passwordEntry?.[1]?.trim() ?? "";
+	const envTokenKey = tokenEntry?.[0];
+	const envPasswordKey = passwordEntry?.[0];
+	if (!envToken && !envPassword) return;
+	const lines = [
+		"- launchctl environment overrides detected (can cause confusing unauthorized errors).",
+		envToken && envTokenKey ? `- \`${envTokenKey}\` is set; it overrides config tokens.` : void 0,
+		envPassword ? `- \`${envPasswordKey ?? "MOLDCLAW_GATEWAY_PASSWORD"}\` is set; it overrides config passwords.` : void 0,
+		"- Clear overrides and restart the app/gateway:",
+		envTokenKey ? `  launchctl unsetenv ${envTokenKey}` : void 0,
+		envPasswordKey ? `  launchctl unsetenv ${envPasswordKey}` : void 0
+	].filter((line) => Boolean(line));
+	(deps?.noteFn ?? note$1)(lines.join("\n"), "Gateway (macOS)");
+}
+function noteDeprecatedLegacyEnvVars(env = process.env, deps) {
+	const entries = Object.entries(env).filter(([key, value]) => key.startsWith("MOLDCLAW_") && value?.trim()).map(([key]) => key);
+	if (entries.length === 0) return;
+	const lines = [
+		"- Deprecated legacy environment variables detected (ignored).",
+		"- Use MOLDCLAW_* equivalents instead:",
+		...entries.map((key) => {
+			return `  ${key} -> MOLDCLAW_${key.slice(key.indexOf("_") + 1)}`;
+		})
+	];
+	(deps?.noteFn ?? note$1)(lines.join("\n"), "Environment");
+}
+function isTruthyEnvValue(value) {
+	return typeof value === "string" && value.trim().length > 0;
+}
+function isTmpCompileCachePath(cachePath) {
+	const normalized = cachePath.trim().replace(/\/+$/, "");
+	return normalized === "/tmp" || normalized.startsWith("/tmp/") || normalized === "/private/tmp" || normalized.startsWith("/private/tmp/");
+}
+function noteStartupOptimizationHints(env = process.env, deps) {
+	const platform = deps?.platform ?? process.platform;
+	if (platform === "win32") return;
+	const arch = deps?.arch ?? os.arch();
+	const totalMemBytes = deps?.totalMemBytes ?? os.totalmem();
+	if (!(platform === "linux" && (arch === "arm" || arch === "arm64" || platform === "linux" && totalMemBytes > 0 && totalMemBytes <= 8 * 1024 ** 3))) return;
+	const noteFn = deps?.noteFn ?? note$1;
+	const compileCache = env.NODE_COMPILE_CACHE?.trim() ?? "";
+	const disableCompileCache = env.NODE_DISABLE_COMPILE_CACHE?.trim() ?? "";
+	const noRespawn = env.MOLDCLAW_NO_RESPAWN?.trim() ?? "";
+	const lines = [];
+	if (!compileCache) lines.push("- NODE_COMPILE_CACHE is not set; repeated CLI runs can be slower on small hosts (Pi/VM).");
+	else if (isTmpCompileCachePath(compileCache)) lines.push("- NODE_COMPILE_CACHE points to /tmp; use /var/tmp so cache survives reboots and warms startup reliably.");
+	if (isTruthyEnvValue(disableCompileCache)) lines.push("- NODE_DISABLE_COMPILE_CACHE is set; startup compile cache is disabled.");
+	if (noRespawn !== "1") lines.push("- MOLDCLAW_NO_RESPAWN is not set to 1; set it to avoid extra startup overhead from self-respawn.");
+	if (lines.length === 0) return;
+	const suggestions = [
+		"- Suggested env for low-power hosts:",
+		"  export NODE_COMPILE_CACHE=/var/tmp/moldclaw-compile-cache",
+		"  mkdir -p /var/tmp/moldclaw-compile-cache",
+		"  export MOLDCLAW_NO_RESPAWN=1",
+		isTruthyEnvValue(disableCompileCache) ? "  unset NODE_DISABLE_COMPILE_CACHE" : void 0
+	].filter((line) => Boolean(line));
+	noteFn([...lines, ...suggestions].join("\n"), "Startup optimization");
+}
+//#endregion
+//#region src/commands/doctor-prompter.ts
+function createDoctorPrompter(params) {
+	const yes = params.options.yes === true;
+	const requestedNonInteractive = params.options.nonInteractive === true;
+	const shouldRepair = params.options.repair === true || yes;
+	const shouldForce = params.options.force === true;
+	const isTty = Boolean(process.stdin.isTTY);
+	const nonInteractive = requestedNonInteractive || !isTty && !yes;
+	const canPrompt = isTty && !yes && !nonInteractive;
+	const confirmDefault = async (p) => {
+		if (nonInteractive) return false;
+		if (shouldRepair) return true;
+		if (!canPrompt) return Boolean(p.initialValue ?? false);
+		return guardCancel(await confirm({
+			...p,
+			message: stylePromptMessage(p.message)
+		}), params.runtime);
+	};
+	return {
+		confirm: confirmDefault,
+		confirmRepair: async (p) => {
+			if (nonInteractive) return false;
+			return confirmDefault(p);
+		},
+		confirmAggressive: async (p) => {
+			if (nonInteractive) return false;
+			if (shouldRepair && shouldForce) return true;
+			if (shouldRepair && !shouldForce) return false;
+			if (!canPrompt) return Boolean(p.initialValue ?? false);
+			return guardCancel(await confirm({
+				...p,
+				message: stylePromptMessage(p.message)
+			}), params.runtime);
+		},
+		confirmSkipInNonInteractive: async (p) => {
+			if (nonInteractive) return false;
+			if (shouldRepair) return true;
+			return confirmDefault(p);
+		},
+		select: async (p, fallback) => {
+			if (!canPrompt || shouldRepair) return fallback;
+			return guardCancel(await select({
+				...p,
+				message: stylePromptMessage(p.message),
+				options: p.options.map((opt) => opt.hint === void 0 ? opt : {
+					...opt,
+					hint: stylePromptHint(opt.hint)
+				})
+			}), params.runtime);
+		},
+		shouldRepair,
+		shouldForce
+	};
+}
+//#endregion
+//#region src/commands/doctor-sandbox.ts
+function resolveSandboxScript(scriptRel) {
+	const candidates = /* @__PURE__ */ new Set();
+	candidates.add(process.cwd());
+	const argv1 = process.argv[1];
+	if (argv1) {
+		const normalized = path.resolve(argv1);
+		candidates.add(path.resolve(path.dirname(normalized), ".."));
+		candidates.add(path.resolve(path.dirname(normalized)));
+	}
+	for (const root of candidates) {
+		const scriptPath = path.join(root, scriptRel);
+		if (fs.existsSync(scriptPath)) return {
+			scriptPath,
+			cwd: root
+		};
+	}
+	return null;
+}
+async function runSandboxScript(scriptRel, runtime) {
+	const script = resolveSandboxScript(scriptRel);
+	if (!script) {
+		note$1(`Unable to locate ${scriptRel}. Run it from the repo root.`, "Sandbox");
+		return false;
+	}
+	runtime.log(`Running ${scriptRel}...`);
+	const result = await runCommandWithTimeout(["bash", script.scriptPath], {
+		timeoutMs: 1200 * 1e3,
+		cwd: script.cwd
+	});
+	if (result.code !== 0) {
+		runtime.error(`Failed running ${scriptRel}: ${result.stderr.trim() || result.stdout.trim() || "unknown error"}`);
+		return false;
+	}
+	runtime.log(`Completed ${scriptRel}.`);
+	return true;
+}
+async function isDockerAvailable() {
+	try {
+		await runExec("docker", [
+			"version",
+			"--format",
+			"{{.Server.Version}}"
+		], { timeoutMs: 5e3 });
+		return true;
+	} catch {
+		return false;
+	}
+}
+async function dockerImageExists(image) {
+	try {
+		await runExec("docker", [
+			"image",
+			"inspect",
+			image
+		], { timeoutMs: 5e3 });
+		return true;
+	} catch (error) {
+		const stderr = error?.stderr || error?.message || "";
+		if (String(stderr).includes("No such image")) return false;
+		throw error;
+	}
+}
+function resolveSandboxDockerImage(cfg) {
+	const image = cfg.agents?.defaults?.sandbox?.docker?.image?.trim();
+	return image ? image : DEFAULT_SANDBOX_IMAGE;
+}
+function resolveSandboxBackend(cfg) {
+	return cfg.agents?.defaults?.sandbox?.backend?.trim() || "docker";
+}
+function resolveSandboxBrowserImage(cfg) {
+	const image = cfg.agents?.defaults?.sandbox?.browser?.image?.trim();
+	return image ? image : DEFAULT_SANDBOX_BROWSER_IMAGE;
+}
+function updateSandboxDockerImage(cfg, image) {
+	return {
+		...cfg,
+		agents: {
+			...cfg.agents,
+			defaults: {
+				...cfg.agents?.defaults,
+				sandbox: {
+					...cfg.agents?.defaults?.sandbox,
+					docker: {
+						...cfg.agents?.defaults?.sandbox?.docker,
+						image
+					}
+				}
+			}
+		}
+	};
+}
+function updateSandboxBrowserImage(cfg, image) {
+	return {
+		...cfg,
+		agents: {
+			...cfg.agents,
+			defaults: {
+				...cfg.agents?.defaults,
+				sandbox: {
+					...cfg.agents?.defaults?.sandbox,
+					browser: {
+						...cfg.agents?.defaults?.sandbox?.browser,
+						image
+					}
+				}
+			}
+		}
+	};
+}
+async function handleMissingSandboxImage(params, runtime, prompter) {
+	if (await dockerImageExists(params.image)) return;
+	const buildHint = params.buildScript ? `Build it with ${params.buildScript}.` : "Build or pull it first.";
+	note$1(`Sandbox ${params.kind} image missing: ${params.image}. ${buildHint}`, "Sandbox");
+	let built = false;
+	if (params.buildScript) {
+		if (await prompter.confirmSkipInNonInteractive({
+			message: `Build ${params.kind} sandbox image now?`,
+			initialValue: true
+		})) built = await runSandboxScript(params.buildScript, runtime);
+	}
+	if (built) return;
+}
+async function maybeRepairSandboxImages(cfg, runtime, prompter) {
+	const sandbox = cfg.agents?.defaults?.sandbox;
+	const mode = sandbox?.mode ?? "off";
+	if (!sandbox || mode === "off") return cfg;
+	const backend = resolveSandboxBackend(cfg);
+	if (backend !== "docker") {
+		if (sandbox.browser?.enabled) note$1(`Sandbox backend "${backend}" selected. Docker browser health checks are skipped; browser sandbox currently requires the docker backend.`, "Sandbox");
+		return cfg;
+	}
+	if (!await isDockerAvailable()) {
+		note$1([
+			`Sandbox mode is enabled (mode: "${mode}") but Docker is not available.`,
+			"Docker is required for sandbox mode to function.",
+			"Isolated sessions (cron jobs, sub-agents) will fail without Docker.",
+			"",
+			"Options:",
+			"- Install Docker and restart the gateway",
+			"- Disable sandbox mode: moldclaw config set agents.defaults.sandbox.mode off"
+		].join("\n"), "Sandbox");
+		return cfg;
+	}
+	let next = cfg;
+	const changes = [];
+	const dockerImage = resolveSandboxDockerImage(cfg);
+	await handleMissingSandboxImage({
+		kind: "base",
+		image: dockerImage,
+		buildScript: dockerImage === "moldclaw-sandbox-common:bookworm-slim" ? "scripts/sandbox-common-setup.sh" : dockerImage === "moldclaw-sandbox:bookworm-slim" ? "scripts/sandbox-setup.sh" : void 0,
+		updateConfig: (image) => {
+			next = updateSandboxDockerImage(next, image);
+			changes.push(`Updated agents.defaults.sandbox.docker.image → ${image}`);
+		}
+	}, runtime, prompter);
+	if (sandbox.browser?.enabled) await handleMissingSandboxImage({
+		kind: "browser",
+		image: resolveSandboxBrowserImage(cfg),
+		buildScript: "scripts/sandbox-browser-setup.sh",
+		updateConfig: (image) => {
+			next = updateSandboxBrowserImage(next, image);
+			changes.push(`Updated agents.defaults.sandbox.browser.image → ${image}`);
+		}
+	}, runtime, prompter);
+	if (changes.length > 0) note$1(changes.join("\n"), "Doctor changes");
+	return next;
+}
+function noteSandboxScopeWarnings(cfg) {
+	const globalSandbox = cfg.agents?.defaults?.sandbox;
+	const agents = Array.isArray(cfg.agents?.list) ? cfg.agents.list : [];
+	const warnings = [];
+	for (const agent of agents) {
+		const agentId = agent.id;
+		const agentSandbox = agent.sandbox;
+		if (!agentSandbox) continue;
+		if (resolveSandboxScope({
+			scope: agentSandbox.scope ?? globalSandbox?.scope,
+			perSession: agentSandbox.perSession ?? globalSandbox?.perSession
+		}) !== "shared") continue;
+		const overrides = [];
+		if (agentSandbox.docker && Object.keys(agentSandbox.docker).length > 0) overrides.push("docker");
+		if (agentSandbox.browser && Object.keys(agentSandbox.browser).length > 0) overrides.push("browser");
+		if (agentSandbox.prune && Object.keys(agentSandbox.prune).length > 0) overrides.push("prune");
+		if (overrides.length === 0) continue;
+		warnings.push([`- agents.list (id "${agentId}") sandbox ${overrides.join("/")} overrides ignored.`, `  scope resolves to "shared".`].join("\n"));
+	}
+	if (warnings.length > 0) note$1(warnings.join("\n"), "Sandbox");
+}
+//#endregion
+//#region src/commands/doctor-security.ts
+function collectImplicitHeartbeatDirectPolicyWarnings(cfg) {
+	const warnings = [];
+	const maybeWarn = (params) => {
+		const heartbeat = params.heartbeat;
+		if (!heartbeat || heartbeat.target === void 0 || heartbeat.target === "none") return;
+		if (heartbeat.directPolicy !== void 0) return;
+		warnings.push(`- ${params.label}: heartbeat delivery is configured while ${params.pathHint} is unset.`, "  Heartbeat now allows direct/DM targets by default. Set it explicitly to \"allow\" or \"block\" to pin upgrade behavior.");
+	};
+	maybeWarn({
+		label: "Heartbeat defaults",
+		heartbeat: cfg.agents?.defaults?.heartbeat,
+		pathHint: "agents.defaults.heartbeat.directPolicy"
+	});
+	for (const agent of cfg.agents?.list ?? []) maybeWarn({
+		label: `Heartbeat agent "${agent.id}"`,
+		heartbeat: agent.heartbeat,
+		pathHint: `heartbeat.directPolicy for agent "${agent.id}"`
+	});
+	return warnings;
+}
+async function noteSecurityWarnings(cfg) {
+	const warnings = [];
+	const auditHint = `- Run: ${formatCliCommand("moldclaw security audit --deep")}`;
+	if (cfg.approvals?.exec?.enabled === false) warnings.push("- Note: approvals.exec.enabled=false disables approval forwarding only.", "  Host exec gating still comes from ~/.moldclaw/exec-approvals.json.", `  Check local policy with: ${formatCliCommand("moldclaw approvals get --gateway")}`);
+	warnings.push(...collectImplicitHeartbeatDirectPolicyWarnings(cfg));
+	const gatewayBind = cfg.gateway?.bind ?? "loopback";
+	const customBindHost = cfg.gateway?.customBindHost?.trim();
+	const bindMode = [
+		"auto",
+		"lan",
+		"loopback",
+		"custom",
+		"tailnet"
+	].includes(gatewayBind) ? gatewayBind : void 0;
+	const resolvedBindHost = bindMode ? await resolveGatewayBindHost(bindMode, customBindHost) : "0.0.0.0";
+	const isExposed = !isLoopbackHost(resolvedBindHost);
+	const resolvedAuth = resolveGatewayAuth({
+		authConfig: cfg.gateway?.auth,
+		env: process.env,
+		tailscaleMode: cfg.gateway?.tailscale?.mode ?? "off"
+	});
+	const authToken = resolvedAuth.token?.trim() ?? "";
+	const authPassword = resolvedAuth.password?.trim() ?? "";
+	const hasToken = authToken.length > 0 || hasConfiguredSecretInput(cfg.gateway?.auth?.token, cfg.secrets?.defaults);
+	const hasPassword = authPassword.length > 0 || hasConfiguredSecretInput(cfg.gateway?.auth?.password, cfg.secrets?.defaults);
+	const hasSharedSecret = resolvedAuth.mode === "token" && hasToken || resolvedAuth.mode === "password" && hasPassword;
+	const bindDescriptor = `"${gatewayBind}" (${resolvedBindHost})`;
+	const saferRemoteAccessLines = [
+		"  Safer remote access: keep bind loopback and use Tailscale Serve/Funnel or an SSH tunnel.",
+		"  Example tunnel: ssh -N -L 28789:127.0.0.1:28789 user@gateway-host",
+		"  Docs: https://docs.moldclaw.ai/gateway/remote"
+	];
+	if (isExposed) if (!hasSharedSecret) {
+		const authFixLines = resolvedAuth.mode === "password" ? [`  Fix: ${formatCliCommand("moldclaw configure")} to set a password`, `  Or switch to token: ${formatCliCommand("moldclaw config set gateway.auth.mode token")}`] : [`  Fix: ${formatCliCommand("moldclaw doctor --fix")} to generate a token`, `  Or set token directly: ${formatCliCommand("moldclaw config set gateway.auth.mode token")}`];
+		warnings.push(`- CRITICAL: Gateway bound to ${bindDescriptor} without authentication.`, `  Anyone on your network (or internet if port-forwarded) can fully control your agent.`, `  Fix: ${formatCliCommand("moldclaw config set gateway.bind loopback")}`, ...saferRemoteAccessLines, ...authFixLines);
+	} else warnings.push(`- WARNING: Gateway bound to ${bindDescriptor} (network-accessible).`, `  Ensure your auth credentials are strong and not exposed.`, ...saferRemoteAccessLines);
+	const warnDmPolicy = async (params) => {
+		const dmPolicy = params.dmPolicy;
+		const policyPath = params.policyPath ?? `${params.allowFromPath}policy`;
+		const { hasWildcard, allowCount, isMultiUserDm } = await resolveDmAllowState({
+			provider: params.provider,
+			accountId: params.accountId,
+			allowFrom: params.allowFrom,
+			normalizeEntry: params.normalizeEntry
+		});
+		const dmScope = cfg.session?.dmScope ?? "main";
+		if (dmPolicy === "open") {
+			const allowFromPath = `${params.allowFromPath}allowFrom`;
+			warnings.push(`- ${params.label} DMs: OPEN (${policyPath}="open"). Anyone can DM it.`);
+			if (!hasWildcard) warnings.push(`- ${params.label} DMs: config invalid — "open" requires ${allowFromPath} to include "*".`);
+		}
+		if (dmPolicy === "disabled") {
+			warnings.push(`- ${params.label} DMs: disabled (${policyPath}="disabled").`);
+			return;
+		}
+		if (dmPolicy !== "open" && allowCount === 0) {
+			warnings.push(`- ${params.label} DMs: locked (${policyPath}="${dmPolicy}") with no allowlist; unknown senders will be blocked / get a pairing code.`);
+			warnings.push(`  ${params.approveHint}`);
+		}
+		if (dmScope === "main" && isMultiUserDm) warnings.push(`- ${params.label} DMs: multiple senders share the main session; run: ` + formatCliCommand("moldclaw config set session.dmScope \"per-channel-peer\"") + " (or \"per-account-channel-peer\" for multi-account channels) to isolate sessions.");
+	};
+	for (const plugin of listChannelPlugins()) {
+		if (!plugin.security) continue;
+		const { defaultAccountId, account, enabled, configured, diagnostics } = await resolveDefaultChannelAccountContext(plugin, cfg, {
+			mode: "read_only",
+			commandName: "doctor"
+		});
+		for (const diagnostic of diagnostics) warnings.push(`- [secrets] ${diagnostic}`);
+		if (!enabled) continue;
+		if (!configured) continue;
+		const dmPolicy = plugin.security.resolveDmPolicy?.({
+			cfg,
+			accountId: defaultAccountId,
+			account
+		});
+		if (dmPolicy) await warnDmPolicy({
+			label: plugin.meta.label ?? plugin.id,
+			provider: plugin.id,
+			accountId: defaultAccountId,
+			dmPolicy: dmPolicy.policy,
+			allowFrom: dmPolicy.allowFrom,
+			policyPath: dmPolicy.policyPath,
+			allowFromPath: dmPolicy.allowFromPath,
+			approveHint: dmPolicy.approveHint,
+			normalizeEntry: dmPolicy.normalizeEntry
+		});
+		if (plugin.security.collectWarnings) {
+			const extra = await plugin.security.collectWarnings({
+				cfg,
+				accountId: defaultAccountId,
+				account
+			});
+			if (extra?.length) warnings.push(...extra);
+		}
+	}
+	const lines = warnings.length > 0 ? warnings : ["- No channel security warnings detected."];
+	lines.push(auditHint);
+	note$1(lines.join("\n"), "Security");
+}
+//#endregion
+//#region src/commands/doctor-session-locks.ts
+const DEFAULT_STALE_MS = 1800 * 1e3;
+function formatAge(ageMs) {
+	if (ageMs === null) return "unknown";
+	const seconds = Math.floor(ageMs / 1e3);
+	if (seconds < 60) return `${seconds}s`;
+	const minutes = Math.floor(seconds / 60);
+	const remainingSeconds = seconds % 60;
+	if (minutes < 60) return `${minutes}m${remainingSeconds}s`;
+	return `${Math.floor(minutes / 60)}h${minutes % 60}m`;
+}
+function formatLockLine(lock) {
+	const pidStatus = lock.pid === null ? "pid=missing" : `pid=${lock.pid} (${lock.pidAlive ? "alive" : "dead"})`;
+	const ageStatus = `age=${formatAge(lock.ageMs)}`;
+	const staleStatus = lock.stale ? `stale=yes (${lock.staleReasons.join(", ") || "unknown"})` : "stale=no";
+	const removedStatus = lock.removed ? " [removed]" : "";
+	return `- ${shortenHomePath(lock.lockPath)} ${pidStatus} ${ageStatus} ${staleStatus}${removedStatus}`;
+}
+async function noteSessionLockHealth(params) {
+	const shouldRepair = params?.shouldRepair === true;
+	const staleMs = params?.staleMs ?? DEFAULT_STALE_MS;
+	let sessionDirs = [];
+	try {
+		sessionDirs = await resolveAgentSessionDirs(resolveStateDir(process.env));
+	} catch (err) {
+		note$1(`- Failed to inspect session lock files: ${String(err)}`, "Session locks");
+		return;
+	}
+	if (sessionDirs.length === 0) return;
+	const allLocks = [];
+	for (const sessionsDir of sessionDirs) {
+		const result = await cleanStaleLockFiles({
+			sessionsDir,
+			staleMs,
+			removeStale: shouldRepair
+		});
+		allLocks.push(...result.locks);
+	}
+	if (allLocks.length === 0) return;
+	const staleCount = allLocks.filter((lock) => lock.stale).length;
+	const removedCount = allLocks.filter((lock) => lock.removed).length;
+	const lines = [`- Found ${allLocks.length} session lock file${allLocks.length === 1 ? "" : "s"}.`, ...allLocks.toSorted((a, b) => a.lockPath.localeCompare(b.lockPath)).map(formatLockLine)];
+	if (staleCount > 0 && !shouldRepair) {
+		lines.push(`- ${staleCount} lock file${staleCount === 1 ? " is" : "s are"} stale.`);
+		lines.push("- Run \"moldclaw doctor --fix\" to remove stale lock files automatically.");
+	}
+	if (shouldRepair && removedCount > 0) lines.push(`- Removed ${removedCount} stale session lock file${removedCount === 1 ? "" : "s"}.`);
+	note$1(lines.join("\n"), "Session locks");
+}
+//#endregion
+//#region src/commands/doctor-state-integrity.ts
+function existsDir(dir) {
+	try {
+		return fs.existsSync(dir) && fs.statSync(dir).isDirectory();
+	} catch {
+		return false;
+	}
+}
+function existsFile(filePath) {
+	try {
+		return fs.existsSync(filePath) && fs.statSync(filePath).isFile();
+	} catch {
+		return false;
+	}
+}
+function canWriteDir(dir) {
+	try {
+		fs.accessSync(dir, fs.constants.W_OK);
+		return true;
+	} catch {
+		return false;
+	}
+}
+function ensureDir(dir) {
+	try {
+		fs.mkdirSync(dir, { recursive: true });
+		return { ok: true };
+	} catch (err) {
+		return {
+			ok: false,
+			error: String(err)
+		};
+	}
+}
+function dirPermissionHint(dir) {
+	const uid = typeof process.getuid === "function" ? process.getuid() : null;
+	const gid = typeof process.getgid === "function" ? process.getgid() : null;
+	try {
+		const stat = fs.statSync(dir);
+		if (uid !== null && stat.uid !== uid) return `Owner mismatch (uid ${stat.uid}). Run: sudo chown -R $USER "${dir}"`;
+		if (gid !== null && stat.gid !== gid) return `Group mismatch (gid ${stat.gid}). If access fails, run: sudo chown -R $USER "${dir}"`;
+	} catch {
+		return null;
+	}
+	return null;
+}
+function addUserRwx(mode) {
+	return mode & 511 | 448;
+}
+function countJsonlLines(filePath) {
+	try {
+		const raw = fs.readFileSync(filePath, "utf-8");
+		if (!raw) return 0;
+		let count = 0;
+		for (let i = 0; i < raw.length; i += 1) if (raw[i] === "\n") count += 1;
+		if (!raw.endsWith("\n")) count += 1;
+		return count;
+	} catch {
+		return 0;
+	}
+}
+function findOtherStateDirs(stateDir) {
+	const resolvedState = path.resolve(stateDir);
+	const roots = process.platform === "darwin" ? ["/Users"] : process.platform === "linux" ? ["/home"] : [];
+	const found = [];
+	for (const root of roots) {
+		let entries = [];
+		try {
+			entries = fs.readdirSync(root, { withFileTypes: true });
+		} catch {
+			continue;
+		}
+		for (const entry of entries) {
+			if (!entry.isDirectory()) continue;
+			if (entry.name.startsWith(".")) continue;
+			const candidates = [".moldclaw"].map((dir) => path.resolve(root, entry.name, dir));
+			for (const candidate of candidates) {
+				if (candidate === resolvedState) continue;
+				if (existsDir(candidate)) found.push(candidate);
+			}
+		}
+	}
+	return found;
+}
+function isPathUnderRoot(targetPath, rootPath) {
+	const normalizedTarget = path.resolve(targetPath);
+	const normalizedRoot = path.resolve(rootPath);
+	const rootToken = path.parse(normalizedRoot).root;
+	if (normalizedRoot === rootToken) return normalizedTarget.startsWith(rootToken);
+	return normalizedTarget === normalizedRoot || normalizedTarget.startsWith(`${normalizedRoot}${path.sep}`);
+}
+function tryResolveRealPath(targetPath) {
+	try {
+		return fs.realpathSync(targetPath);
+	} catch {
+		return null;
+	}
+}
+function decodeMountInfoPath(value) {
+	return value.replace(/\\([0-7]{3})/g, (_, octal) => String.fromCharCode(Number.parseInt(octal, 8)));
+}
+function escapeControlCharsForTerminal(value) {
+	let escaped = "";
+	for (const char of value) {
+		if (char === "\x1B") {
+			escaped += "\\x1b";
+			continue;
+		}
+		if (char === "\r") {
+			escaped += "\\r";
+			continue;
+		}
+		if (char === "\n") {
+			escaped += "\\n";
+			continue;
+		}
+		if (char === "	") {
+			escaped += "\\t";
+			continue;
+		}
+		const code = char.charCodeAt(0);
+		if (code >= 0 && code <= 8 || code === 11 || code === 12 || code >= 14 && code <= 31) {
+			escaped += `\\x${code.toString(16).padStart(2, "0")}`;
+			continue;
+		}
+		if (code === 127) {
+			escaped += "\\x7f";
+			continue;
+		}
+		escaped += char;
+	}
+	return escaped;
+}
+function parseLinuxMountInfo(rawMountInfo) {
+	const entries = [];
+	for (const line of rawMountInfo.split("\n")) {
+		const trimmed = line.trim();
+		if (!trimmed) continue;
+		const separatorIndex = trimmed.indexOf(" - ");
+		if (separatorIndex === -1) continue;
+		const left = trimmed.slice(0, separatorIndex);
+		const right = trimmed.slice(separatorIndex + 3);
+		const leftFields = left.split(" ");
+		const rightFields = right.split(" ");
+		if (leftFields.length < 5 || rightFields.length < 2) continue;
+		entries.push({
+			mountPoint: decodeMountInfoPath(leftFields[4]),
+			fsType: rightFields[0],
+			source: decodeMountInfoPath(rightFields[1])
+		});
+	}
+	return entries;
+}
+function isPathUnderRootWithPathOps(targetPath, rootPath, pathOps) {
+	const normalizedTarget = pathOps.resolve(targetPath);
+	const normalizedRoot = pathOps.resolve(rootPath);
+	const rootToken = pathOps.parse(normalizedRoot).root;
+	if (normalizedRoot === rootToken) return normalizedTarget.startsWith(rootToken);
+	return normalizedTarget === normalizedRoot || normalizedTarget.startsWith(`${normalizedRoot}${pathOps.sep}`);
+}
+function findLinuxMountInfoEntryForPath(targetPath, entries, pathOps) {
+	const normalizedTarget = pathOps.resolve(targetPath);
+	let bestMatch = null;
+	for (const entry of entries) {
+		if (!isPathUnderRootWithPathOps(normalizedTarget, entry.mountPoint, pathOps)) continue;
+		if (!bestMatch || pathOps.resolve(entry.mountPoint).length > pathOps.resolve(bestMatch.mountPoint).length) bestMatch = entry;
+	}
+	return bestMatch;
+}
+function isMmcDevicePath(devicePath, pathOps) {
+	const name = pathOps.basename(devicePath);
+	return /^mmcblk\d+(?:p\d+)?$/.test(name);
+}
+function tryReadLinuxMountInfo() {
+	try {
+		return fs.readFileSync("/proc/self/mountinfo", "utf8");
+	} catch {
+		return null;
+	}
+}
+function detectLinuxSdBackedStateDir(stateDir, deps) {
+	if ((deps?.platform ?? process.platform) !== "linux") return null;
+	const linuxPath = path.posix;
+	const resolvedStatePath = (deps?.resolveRealPath ?? tryResolveRealPath)(stateDir) ?? linuxPath.resolve(stateDir);
+	const mountInfo = deps?.mountInfo ?? tryReadLinuxMountInfo();
+	if (!mountInfo) return null;
+	const mountEntry = findLinuxMountInfoEntryForPath(resolvedStatePath, parseLinuxMountInfo(mountInfo), linuxPath);
+	if (!mountEntry) return null;
+	const sourceCandidates = [mountEntry.source];
+	if (mountEntry.source.startsWith("/dev/")) {
+		const resolvedDevicePath = (deps?.resolveDeviceRealPath ?? tryResolveRealPath)(mountEntry.source);
+		if (resolvedDevicePath) sourceCandidates.push(linuxPath.resolve(resolvedDevicePath));
+	}
+	if (!sourceCandidates.some((candidate) => isMmcDevicePath(candidate, linuxPath))) return null;
+	return {
+		path: linuxPath.resolve(resolvedStatePath),
+		mountPoint: linuxPath.resolve(mountEntry.mountPoint),
+		fsType: mountEntry.fsType,
+		source: mountEntry.source
+	};
+}
+function formatLinuxSdBackedStateDirWarning(displayStateDir, linuxSdBackedStateDir) {
+	const displayMountPoint = linuxSdBackedStateDir.mountPoint === "/" ? "/" : shortenHomePath(linuxSdBackedStateDir.mountPoint);
+	return [
+		`- State directory appears to be on SD/eMMC storage (${displayStateDir}; device ${escapeControlCharsForTerminal(linuxSdBackedStateDir.source)}, fs ${escapeControlCharsForTerminal(linuxSdBackedStateDir.fsType)}, mount ${escapeControlCharsForTerminal(displayMountPoint)}).`,
+		"- SD/eMMC media can be slower for random I/O and wear faster under session/log churn.",
+		"- For better startup and state durability, prefer SSD/NVMe (or USB SSD on Raspberry Pi) for MOLDCLAW_STATE_DIR."
+	].join("\n");
+}
+function detectMacCloudSyncedStateDir(stateDir, deps) {
+	if ((deps?.platform ?? process.platform) !== "darwin") return null;
+	const homedir = deps?.homedir ?? os.homedir();
+	const roots = [{
+		storage: "iCloud Drive",
+		root: path.join(homedir, "Library", "Mobile Documents", "com~apple~CloudDocs")
+	}, {
+		storage: "CloudStorage provider",
+		root: path.join(homedir, "Library", "CloudStorage")
+	}];
+	const realPath = (deps?.resolveRealPath ?? tryResolveRealPath)(stateDir);
+	const candidates = realPath ? [path.resolve(realPath)] : [path.resolve(stateDir)];
+	for (const candidate of candidates) for (const { storage, root } of roots) if (isPathUnderRoot(candidate, root)) return {
+		path: candidate,
+		storage
+	};
+	return null;
+}
+function isRecord(value) {
+	return typeof value === "object" && value !== null;
+}
+function isPairingPolicy(value) {
+	return typeof value === "string" && value.trim().toLowerCase() === "pairing";
+}
+function hasPairingPolicy(value) {
+	if (!isRecord(value)) return false;
+	if (isPairingPolicy(value.dmPolicy)) return true;
+	if (isRecord(value.dm) && isPairingPolicy(value.dm.policy)) return true;
+	if (!isRecord(value.accounts)) return false;
+	for (const accountCfg of Object.values(value.accounts)) if (hasPairingPolicy(accountCfg)) return true;
+	return false;
+}
+function isSlashRoutingSessionKey(sessionKey) {
+	const raw = sessionKey.trim().toLowerCase();
+	if (!raw) return false;
+	const scoped = parseAgentSessionKey(raw)?.rest ?? raw;
+	return /^[^:]+:slash:[^:]+(?:$|:)/.test(scoped);
+}
+function shouldRequireOAuthDir(cfg, env) {
+	if (env.MOLDCLAW_OAUTH_DIR?.trim()) return true;
+	const channels = cfg.channels;
+	if (!isRecord(channels)) return false;
+	if (isRecord(channels.whatsapp)) return true;
+	for (const [channelId, channelCfg] of Object.entries(channels)) {
+		if (channelId === "defaults" || channelId === "modelByChannel") continue;
+		if (hasPairingPolicy(channelCfg)) return true;
+	}
+	return false;
+}
+async function noteStateIntegrity(cfg, prompter, configPath) {
+	const warnings = [];
+	const changes = [];
+	const env = process.env;
+	const homedir = () => resolveRequiredHomeDir(env, os.homedir);
+	const stateDir = resolveStateDir(env, homedir);
+	const defaultStateDir = path.join(homedir(), ".moldclaw");
+	const oauthDir = resolveOAuthDir(env, stateDir);
+	const agentId = resolveDefaultAgentId(cfg);
+	const sessionsDir = resolveSessionTranscriptsDirForAgent(agentId, env, homedir);
+	const storePath = resolveStorePath(cfg.session?.store, { agentId });
+	const storeDir = path.dirname(storePath);
+	const absoluteStorePath = path.resolve(storePath);
+	const displayStateDir = shortenHomePath(stateDir);
+	const displayOauthDir = shortenHomePath(oauthDir);
+	const displaySessionsDir = shortenHomePath(sessionsDir);
+	const displayStoreDir = shortenHomePath(storeDir);
+	const displayConfigPath = configPath ? shortenHomePath(configPath) : void 0;
+	const requireOAuthDir = shouldRequireOAuthDir(cfg, env);
+	const cloudSyncedStateDir = detectMacCloudSyncedStateDir(stateDir);
+	const linuxSdBackedStateDir = detectLinuxSdBackedStateDir(stateDir);
+	if (cloudSyncedStateDir) warnings.push([
+		`- State directory is under macOS cloud-synced storage (${displayStateDir}; ${cloudSyncedStateDir.storage}).`,
+		"- This can cause slow I/O and sync/lock races for sessions and credentials.",
+		"- Prefer a local non-synced state dir (for example: ~/.moldclaw).",
+		`  Set locally: MOLDCLAW_STATE_DIR=~/.moldclaw ${formatCliCommand("moldclaw doctor")}`
+	].join("\n"));
+	if (linuxSdBackedStateDir) warnings.push(formatLinuxSdBackedStateDirWarning(displayStateDir, linuxSdBackedStateDir));
+	let stateDirExists = existsDir(stateDir);
+	if (!stateDirExists) {
+		warnings.push(`- CRITICAL: state directory missing (${displayStateDir}). Sessions, credentials, logs, and config are stored there.`);
+		if (cfg.gateway?.mode === "remote") warnings.push("- Gateway is in remote mode; run doctor on the remote host where the gateway runs.");
+		if (await prompter.confirmSkipInNonInteractive({
+			message: `Create ${displayStateDir} now?`,
+			initialValue: false
+		})) {
+			const created = ensureDir(stateDir);
+			if (created.ok) {
+				changes.push(`- Created ${displayStateDir}`);
+				stateDirExists = true;
+			} else warnings.push(`- Failed to create ${displayStateDir}: ${created.error}`);
+		}
+	}
+	if (stateDirExists && !canWriteDir(stateDir)) {
+		warnings.push(`- State directory not writable (${displayStateDir}).`);
+		const hint = dirPermissionHint(stateDir);
+		if (hint) warnings.push(`  ${hint}`);
+		if (await prompter.confirmSkipInNonInteractive({
+			message: `Repair permissions on ${displayStateDir}?`,
+			initialValue: true
+		})) try {
+			const target = addUserRwx(fs.statSync(stateDir).mode);
+			fs.chmodSync(stateDir, target);
+			changes.push(`- Repaired permissions on ${displayStateDir}`);
+		} catch (err) {
+			warnings.push(`- Failed to repair ${displayStateDir}: ${String(err)}`);
+		}
+	}
+	if (stateDirExists && process.platform !== "win32") try {
+		const dirLstat = fs.lstatSync(stateDir);
+		const isDirSymlink = dirLstat.isSymbolicLink();
+		const stat = isDirSymlink ? fs.statSync(stateDir) : dirLstat;
+		if (!(isDirSymlink ? fs.realpathSync(stateDir) : stateDir).startsWith("/nix/store/") && (stat.mode & 63) !== 0) {
+			warnings.push(`- State directory permissions are too open (${displayStateDir}). Recommend chmod 700.`);
+			if (await prompter.confirmSkipInNonInteractive({
+				message: `Tighten permissions on ${displayStateDir} to 700?`,
+				initialValue: true
+			})) {
+				fs.chmodSync(stateDir, 448);
+				changes.push(`- Tightened permissions on ${displayStateDir} to 700`);
+			}
+		}
+	} catch (err) {
+		warnings.push(`- Failed to read ${displayStateDir} permissions: ${String(err)}`);
+	}
+	if (configPath && existsFile(configPath) && process.platform !== "win32") try {
+		const configLstat = fs.lstatSync(configPath);
+		const isSymlink = configLstat.isSymbolicLink();
+		const stat = isSymlink ? fs.statSync(configPath) : configLstat;
+		if (!(isSymlink ? fs.realpathSync(configPath) : configPath).startsWith("/nix/store/") && (stat.mode & 63) !== 0) {
+			warnings.push(`- Config file is group/world readable (${displayConfigPath ?? configPath}). Recommend chmod 600.`);
+			if (await prompter.confirmSkipInNonInteractive({
+				message: `Tighten permissions on ${displayConfigPath ?? configPath} to 600?`,
+				initialValue: true
+			})) {
+				fs.chmodSync(configPath, 384);
+				changes.push(`- Tightened permissions on ${displayConfigPath ?? configPath} to 600`);
+			}
+		}
+	} catch (err) {
+		warnings.push(`- Failed to read config permissions (${displayConfigPath ?? configPath}): ${String(err)}`);
+	}
+	if (stateDirExists) {
+		const dirCandidates = /* @__PURE__ */ new Map();
+		dirCandidates.set(sessionsDir, "Sessions dir");
+		dirCandidates.set(storeDir, "Session store dir");
+		if (requireOAuthDir) dirCandidates.set(oauthDir, "OAuth dir");
+		else if (!existsDir(oauthDir)) warnings.push(`- OAuth dir not present (${displayOauthDir}). Skipping create because no WhatsApp/pairing channel config is active.`);
+		const displayDirFor = (dir) => {
+			if (dir === sessionsDir) return displaySessionsDir;
+			if (dir === storeDir) return displayStoreDir;
+			if (dir === oauthDir) return displayOauthDir;
+			return shortenHomePath(dir);
+		};
+		for (const [dir, label] of dirCandidates) {
+			const displayDir = displayDirFor(dir);
+			if (!existsDir(dir)) {
+				warnings.push(`- CRITICAL: ${label} missing (${displayDir}).`);
+				if (await prompter.confirmSkipInNonInteractive({
+					message: `Create ${label} at ${displayDir}?`,
+					initialValue: true
+				})) {
+					const created = ensureDir(dir);
+					if (created.ok) changes.push(`- Created ${label}: ${displayDir}`);
+					else warnings.push(`- Failed to create ${displayDir}: ${created.error}`);
+				}
+				continue;
+			}
+			if (!canWriteDir(dir)) {
+				warnings.push(`- ${label} not writable (${displayDir}).`);
+				const hint = dirPermissionHint(dir);
+				if (hint) warnings.push(`  ${hint}`);
+				if (await prompter.confirmSkipInNonInteractive({
+					message: `Repair permissions on ${label}?`,
+					initialValue: true
+				})) try {
+					const target = addUserRwx(fs.statSync(dir).mode);
+					fs.chmodSync(dir, target);
+					changes.push(`- Repaired permissions on ${label}: ${displayDir}`);
+				} catch (err) {
+					warnings.push(`- Failed to repair ${displayDir}: ${String(err)}`);
+				}
+			}
+		}
+	}
+	const extraStateDirs = /* @__PURE__ */ new Set();
+	if (path.resolve(stateDir) !== path.resolve(defaultStateDir)) {
+		if (existsDir(defaultStateDir)) extraStateDirs.add(defaultStateDir);
+	}
+	for (const other of findOtherStateDirs(stateDir)) extraStateDirs.add(other);
+	if (extraStateDirs.size > 0) warnings.push([
+		"- Multiple state directories detected. This can split session history.",
+		...Array.from(extraStateDirs).map((dir) => `  - ${shortenHomePath(dir)}`),
+		`  Active state dir: ${displayStateDir}`
+	].join("\n"));
+	const store = loadSessionStore(storePath);
+	const sessionPathOpts = resolveSessionFilePathOptions({
+		agentId,
+		storePath
+	});
+	const entries = Object.entries(store).filter(([, entry]) => entry && typeof entry === "object");
+	if (entries.length > 0) {
+		const recentTranscriptCandidates = entries.slice().toSorted((a, b) => {
+			const aUpdated = typeof a[1].updatedAt === "number" ? a[1].updatedAt : 0;
+			return (typeof b[1].updatedAt === "number" ? b[1].updatedAt : 0) - aUpdated;
+		}).slice(0, 5).filter(([key]) => !isSlashRoutingSessionKey(key));
+		const missing = recentTranscriptCandidates.filter(([, entry]) => {
+			const sessionId = entry.sessionId;
+			if (!sessionId) return false;
+			return !existsFile(resolveSessionFilePath(sessionId, entry, sessionPathOpts));
+		});
+		if (missing.length > 0) warnings.push([
+			`- ${missing.length}/${recentTranscriptCandidates.length} recent sessions are missing transcripts.`,
+			`  Verify sessions in store: ${formatCliCommand(`moldclaw sessions --store "${absoluteStorePath}"`)}`,
+			`  Preview cleanup impact: ${formatCliCommand(`moldclaw sessions cleanup --store "${absoluteStorePath}" --dry-run`)}`,
+			`  Prune missing entries: ${formatCliCommand(`moldclaw sessions cleanup --store "${absoluteStorePath}" --enforce --fix-missing`)}`
+		].join("\n"));
+		const mainEntry = store[resolveMainSessionKey(cfg)];
+		if (mainEntry?.sessionId) {
+			const transcriptPath = resolveSessionFilePath(mainEntry.sessionId, mainEntry, sessionPathOpts);
+			if (!existsFile(transcriptPath)) warnings.push(`- Main session transcript missing (${shortenHomePath(transcriptPath)}). History will appear to reset.`);
+			else {
+				const lineCount = countJsonlLines(transcriptPath);
+				if (lineCount <= 1) warnings.push(`- Main session transcript has only ${lineCount} line. Session history may not be appending.`);
+			}
+		}
+	}
+	if (existsDir(sessionsDir)) {
+		const referencedTranscriptPaths = /* @__PURE__ */ new Set();
+		for (const [, entry] of entries) {
+			if (!entry?.sessionId) continue;
+			try {
+				referencedTranscriptPaths.add(path.resolve(resolveSessionFilePath(entry.sessionId, entry, sessionPathOpts)));
+			} catch {}
+		}
+		const orphanTranscriptPaths = fs.readdirSync(sessionsDir, { withFileTypes: true }).filter((entry) => entry.isFile() && isPrimarySessionTranscriptFileName(entry.name)).map((entry) => path.resolve(path.join(sessionsDir, entry.name))).filter((filePath) => !referencedTranscriptPaths.has(filePath));
+		if (orphanTranscriptPaths.length > 0) {
+			warnings.push(`- Found ${orphanTranscriptPaths.length} orphan transcript file(s) in ${displaySessionsDir}. They are not referenced by sessions.json and can consume disk over time.`);
+			if (await prompter.confirmSkipInNonInteractive({
+				message: `Archive ${orphanTranscriptPaths.length} orphan transcript file(s) in ${displaySessionsDir}?`,
+				initialValue: false
+			})) {
+				let archived = 0;
+				const archivedAt = formatSessionArchiveTimestamp();
+				for (const orphanPath of orphanTranscriptPaths) {
+					const archivedPath = `${orphanPath}.deleted.${archivedAt}`;
+					try {
+						fs.renameSync(orphanPath, archivedPath);
+						archived += 1;
+					} catch (err) {
+						warnings.push(`- Failed to archive orphan transcript ${shortenHomePath(orphanPath)}: ${String(err)}`);
+					}
+				}
+				if (archived > 0) changes.push(`- Archived ${archived} orphan transcript file(s) in ${displaySessionsDir}`);
+			}
+		}
+	}
+	if (warnings.length > 0) note$1(warnings.join("\n"), "State integrity");
+	if (changes.length > 0) note$1(changes.join("\n"), "Doctor changes");
+}
+function noteWorkspaceBackupTip(workspaceDir) {
+	if (!existsDir(workspaceDir)) return;
+	const gitMarker = path.join(workspaceDir, ".git");
+	if (fs.existsSync(gitMarker)) return;
+	note$1([
+		"- Tip: back up the workspace in a private git repo (GitHub or GitLab).",
+		"- Keep ~/.moldclaw out of git; it contains credentials and session history.",
+		"- Details: /concepts/agent-workspace#git-backup-recommended"
+	].join("\n"), "Workspace");
+}
+//#endregion
+//#region src/commands/doctor-ui.ts
+async function maybeRepairUiProtocolFreshness(_runtime, prompter) {
+	const root = await resolvemoldClawPackageRoot({
+		moduleUrl: import.meta.url,
+		argv1: process.argv[1],
+		cwd: process.cwd()
+	});
+	if (!root) return;
+	const schemaPath = path.join(root, "src/gateway/protocol/schema.ts");
+	const uiIndexPath = (await resolveControlUiDistIndexHealth({
+		root,
+		argv1: process.argv[1]
+	})).indexPath ?? resolveControlUiDistIndexPathForRoot(root);
+	try {
+		const [schemaStats, uiStats] = await Promise.all([fs$1.stat(schemaPath).catch(() => null), fs$1.stat(uiIndexPath).catch(() => null)]);
+		if (schemaStats && !uiStats) {
+			note$1(["- Control UI assets are missing.", "- Run: pnpm ui:build"].join("\n"), "UI");
+			const uiSourcesPath = path.join(root, "ui/package.json");
+			if (!await fs$1.stat(uiSourcesPath).catch(() => null)) {
+				note$1("Skipping UI build: ui/ sources not present.", "UI");
+				return;
+			}
+			if (await prompter.confirmRepair({
+				message: "Build Control UI assets now?",
+				initialValue: true
+			})) {
+				note$1("Building Control UI assets... (this may take a moment)", "UI");
+				const uiScriptPath = path.join(root, "scripts/ui.js");
+				const buildResult = await runCommandWithTimeout([
+					process.execPath,
+					uiScriptPath,
+					"build"
+				], {
+					cwd: root,
+					timeoutMs: 12e4,
+					env: {
+						...process.env,
+						FORCE_COLOR: "1"
+					}
+				});
+				if (buildResult.code === 0) note$1("UI build complete.", "UI");
+				else note$1([`UI build failed (exit ${buildResult.code ?? "unknown"}).`, buildResult.stderr.trim() ? buildResult.stderr.trim() : null].filter(Boolean).join("\n"), "UI");
+			}
+			return;
+		}
+		if (!schemaStats || !uiStats) return;
+		if (schemaStats.mtime > uiStats.mtime) {
+			const gitLog = await runCommandWithTimeout([
+				"git",
+				"-C",
+				root,
+				"log",
+				`--since=${uiStats.mtime.toISOString()}`,
+				"--format=%h %s",
+				"src/gateway/protocol/schema.ts"
+			], { timeoutMs: 5e3 }).catch(() => null);
+			if (gitLog && gitLog.code === 0 && gitLog.stdout.trim()) {
+				note$1(`UI assets are older than the protocol schema.\nFunctional changes since last build:\n${gitLog.stdout.trim().split("\n").map((l) => `- ${l}`).join("\n")}`, "UI Freshness");
+				if (await prompter.confirmAggressive({
+					message: "Rebuild UI now? (Detected protocol mismatch requiring update)",
+					initialValue: true
+				})) {
+					const uiSourcesPath = path.join(root, "ui/package.json");
+					if (!await fs$1.stat(uiSourcesPath).catch(() => null)) {
+						note$1("Skipping UI rebuild: ui/ sources not present.", "UI");
+						return;
+					}
+					note$1("Rebuilding stale UI assets... (this may take a moment)", "UI");
+					const uiScriptPath = path.join(root, "scripts/ui.js");
+					const buildResult = await runCommandWithTimeout([
+						process.execPath,
+						uiScriptPath,
+						"build"
+					], {
+						cwd: root,
+						timeoutMs: 12e4,
+						env: {
+							...process.env,
+							FORCE_COLOR: "1"
+						}
+					});
+					if (buildResult.code === 0) note$1("UI rebuild complete.", "UI");
+					else note$1([`UI rebuild failed (exit ${buildResult.code ?? "unknown"}).`, buildResult.stderr.trim() ? buildResult.stderr.trim() : null].filter(Boolean).join("\n"), "UI");
+				}
+			}
+		}
+	} catch {}
+}
+//#endregion
+//#region src/commands/doctor-update.ts
+async function detectmoldClawGitCheckout(root) {
+	const res = await runCommandWithTimeout([
+		"git",
+		"-C",
+		root,
+		"rev-parse",
+		"--show-toplevel"
+	], { timeoutMs: 5e3 }).catch(() => null);
+	if (!res) return "unknown";
+	if (res.code !== 0) {
+		if (res.stderr.toLowerCase().includes("not a git repository")) return "not-git";
+		return "unknown";
+	}
+	return res.stdout.trim() === root ? "git" : "not-git";
+}
+async function maybeOfferUpdateBeforeDoctor(params) {
+	if (!(!isTruthyEnvValue$1(process.env.MOLDCLAW_UPDATE_IN_PROGRESS) && params.options.nonInteractive !== true && params.options.yes !== true && params.options.repair !== true && Boolean(process.stdin.isTTY)) || !params.root) return { updated: false };
+	const git = await detectmoldClawGitCheckout(params.root);
+	if (git === "git") {
+		if (!await params.confirm({
+			message: "Update moldClaw from git before running doctor?",
+			initialValue: true
+		})) return { updated: false };
+		note$1("Running update (fetch/rebase/build/ui:build/doctor)…", "Update");
+		const result = await runGatewayUpdate({
+			cwd: params.root,
+			argv1: process.argv[1]
+		});
+		note$1([
+			`Status: ${result.status}`,
+			`Mode: ${result.mode}`,
+			result.root ? `Root: ${result.root}` : null,
+			result.reason ? `Reason: ${result.reason}` : null
+		].filter(Boolean).join("\n"), "Update result");
+		if (result.status === "ok") {
+			params.outro("Update completed (doctor already ran as part of the update).");
+			return {
+				updated: true,
+				handled: true
+			};
+		}
+		return {
+			updated: true,
+			handled: false
+		};
+	}
+	if (git === "not-git") note$1(["This install is not a git checkout.", `Run \`${formatCliCommand("moldclaw update")}\` to update via your package manager (npm/pnpm), then rerun doctor.`].join("\n"), "Update");
+	return { updated: false };
+}
+//#endregion
+//#region src/commands/doctor-workspace.ts
+const MEMORY_SYSTEM_PROMPT = [
+	"Memory system not found in workspace.",
+	"Paste this into your agent:",
+	"",
+	"Install the memory system by applying:",
+	"https://github.com/moldclaw/moldclaw/commit/9ffea23f31ca1df5183b25668f8f814bee0fb34e",
+	"https://github.com/moldclaw/moldclaw/commit/7d1fee70e76f2f634f1b41fca927ee663914183a"
+].join("\n");
+async function shouldSuggestMemorySystem(workspaceDir) {
+	const memoryPaths = [path.join(workspaceDir, "MEMORY.md"), path.join(workspaceDir, "memory.md")];
+	for (const memoryPath of memoryPaths) try {
+		await fs.promises.access(memoryPath);
+		return false;
+	} catch {}
+	const agentsPath = path.join(workspaceDir, DEFAULT_AGENTS_FILENAME);
+	try {
+		const content = await fs.promises.readFile(agentsPath, "utf-8");
+		if (/memory\.md/i.test(content)) return false;
+	} catch {}
+	return true;
+}
+function detectLegacyWorkspaceDirs(params) {
+	return {
+		activeWorkspace: path.resolve(params.workspaceDir),
+		legacyDirs: []
+	};
+}
+function formatLegacyWorkspaceWarning(detection) {
+	return [
+		"Extra workspace directories detected (may contain old agent files):",
+		...detection.legacyDirs.map((dir) => `- ${shortenHomePath(dir)}`),
+		`Active workspace: ${shortenHomePath(detection.activeWorkspace)}`,
+		"If unused, archive or move to Trash."
+	].join("\n");
+}
+//#endregion
+//#region src/commands/doctor-workspace-status.ts
+function noteWorkspaceStatus(cfg) {
+	const workspaceDir = resolveAgentWorkspaceDir(cfg, resolveDefaultAgentId(cfg));
+	const legacyWorkspace = detectLegacyWorkspaceDirs({ workspaceDir });
+	if (legacyWorkspace.legacyDirs.length > 0) note$1(formatLegacyWorkspaceWarning(legacyWorkspace), "Extra workspace");
+	const skillsReport = buildWorkspaceSkillStatus(workspaceDir, { config: cfg });
+	note$1([
+		`Eligible: ${skillsReport.skills.filter((s) => s.eligible).length}`,
+		`Missing requirements: ${skillsReport.skills.filter((s) => !s.eligible && !s.disabled && !s.blockedByAllowlist).length}`,
+		`Blocked by allowlist: ${skillsReport.skills.filter((s) => s.blockedByAllowlist).length}`
+	].join("\n"), "Skills status");
+	const pluginRegistry = loadmoldClawPlugins({
+		config: cfg,
+		workspaceDir,
+		logger: {
+			info: () => {},
+			warn: () => {},
+			error: () => {},
+			debug: () => {}
+		}
+	});
+	if (pluginRegistry.plugins.length > 0) {
+		const loaded = pluginRegistry.plugins.filter((p) => p.status === "loaded");
+		const disabled = pluginRegistry.plugins.filter((p) => p.status === "disabled");
+		const errored = pluginRegistry.plugins.filter((p) => p.status === "error");
+		note$1([
+			`Loaded: ${loaded.length}`,
+			`Disabled: ${disabled.length}`,
+			`Errors: ${errored.length}`,
+			errored.length > 0 ? `- ${errored.slice(0, 10).map((p) => p.id).join("\n- ")}${errored.length > 10 ? "\n- ..." : ""}` : null
+		].filter((line) => Boolean(line)).join("\n"), "Plugins");
+	}
+	if (pluginRegistry.diagnostics.length > 0) note$1(pluginRegistry.diagnostics.map((diag) => {
+		const prefix = diag.level.toUpperCase();
+		const plugin = diag.pluginId ? ` ${diag.pluginId}` : "";
+		const source = diag.source ? ` (${diag.source})` : "";
+		return `- ${prefix}${plugin}: ${diag.message}${source}`;
+	}).join("\n"), "Plugin diagnostics");
+	return { workspaceDir };
+}
+//#endregion
+//#region src/commands/doctor.ts
+const intro$1 = (message) => intro(stylePromptTitle(message) ?? message);
+const outro$1 = (message) => outro(stylePromptTitle(message) ?? message);
+function resolveMode(cfg) {
+	return cfg.gateway?.mode === "remote" ? "remote" : "local";
+}
+async function doctorCommand(runtime = defaultRuntime, options = {}) {
+	const prompter = createDoctorPrompter({
+		runtime,
+		options
+	});
+	printWizardHeader(runtime);
+	intro$1("moldClaw doctor");
+	const root = await resolvemoldClawPackageRoot({
+		moduleUrl: import.meta.url,
+		argv1: process.argv[1],
+		cwd: process.cwd()
+	});
+	if ((await maybeOfferUpdateBeforeDoctor({
+		runtime,
+		options,
+		root,
+		confirm: (p) => prompter.confirm(p),
+		outro: outro$1
+	})).handled) return;
+	await maybeRepairUiProtocolFreshness(runtime, prompter);
+	noteSourceInstallIssues(root);
+	noteDeprecatedLegacyEnvVars();
+	noteStartupOptimizationHints();
+	const configResult = await loadAndMaybeMigrateDoctorConfig({
+		options,
+		confirm: (p) => prompter.confirm(p)
+	});
+	let cfg = configResult.cfg;
+	const cfgForPersistence = structuredClone(cfg);
+	const sourceConfigValid = configResult.sourceConfigValid ?? true;
+	const configPath = configResult.path ?? CONFIG_PATH;
+	if (!cfg.gateway?.mode) {
+		const lines = [
+			"gateway.mode is unset; gateway start will be blocked.",
+			`Fix: run ${formatCliCommand("moldclaw configure")} and set Gateway mode (local/remote).`,
+			`Or set directly: ${formatCliCommand("moldclaw config set gateway.mode local")}`
+		];
+		if (!fs.existsSync(configPath)) lines.push(`Missing config: run ${formatCliCommand("moldclaw setup")} first.`);
+		note$1(lines.join("\n"), "Gateway");
+	}
+	if (resolveMode(cfg) === "local" && hasAmbiguousGatewayAuthModeConfig(cfg)) note$1([
+		"gateway.auth.token and gateway.auth.password are both configured while gateway.auth.mode is unset.",
+		"Set an explicit mode to avoid ambiguous auth selection and startup/runtime failures.",
+		`Set token mode: ${formatCliCommand("moldclaw config set gateway.auth.mode token")}`,
+		`Set password mode: ${formatCliCommand("moldclaw config set gateway.auth.mode password")}`
+	].join("\n"), "Gateway auth");
+	cfg = await maybeRepairAnthropicOAuthProfileId(cfg, prompter);
+	cfg = await maybeRemoveDeprecatedCliAuthProfiles(cfg, prompter);
+	await noteAuthProfileHealth({
+		cfg,
+		prompter,
+		allowKeychainPrompt: options.nonInteractive !== true && Boolean(process.stdin.isTTY)
+	});
+	const gatewayDetails = buildGatewayConnectionDetails({ config: cfg });
+	if (gatewayDetails.remoteFallbackNote) note$1(gatewayDetails.remoteFallbackNote, "Gateway");
+	if (resolveMode(cfg) === "local" && sourceConfigValid) {
+		const gatewayTokenRef = resolveSecretInputRef({
+			value: cfg.gateway?.auth?.token,
+			defaults: cfg.secrets?.defaults
+		}).ref;
+		const auth = resolveGatewayAuth({
+			authConfig: cfg.gateway?.auth,
+			tailscaleMode: cfg.gateway?.tailscale?.mode ?? "off"
+		});
+		if (auth.mode !== "password" && (auth.mode !== "token" || !auth.token)) if (gatewayTokenRef) note$1([
+			"Gateway token is managed via SecretRef and is currently unavailable.",
+			"Doctor will not overwrite gateway.auth.token with a plaintext value.",
+			"Resolve/rotate the external secret source, then rerun doctor."
+		].join("\n"), "Gateway auth");
+		else {
+			note$1("Gateway auth is off or missing a token. Token auth is now the recommended default (including loopback).", "Gateway auth");
+			if (options.generateGatewayToken === true ? true : options.nonInteractive === true ? false : await prompter.confirmRepair({
+				message: "Generate and configure a gateway token now?",
+				initialValue: true
+			})) {
+				const nextToken = randomToken();
+				cfg = {
+					...cfg,
+					gateway: {
+						...cfg.gateway,
+						auth: {
+							...cfg.gateway?.auth,
+							mode: "token",
+							token: nextToken
+						}
+					}
+				};
+				note$1("Gateway token configured.", "Gateway auth");
+			}
+		}
+	}
+	const legacyState = await detectLegacyStateMigrations({ cfg });
+	if (legacyState.preview.length > 0) {
+		note$1(legacyState.preview.join("\n"), "Legacy state detected");
+		if (options.nonInteractive === true ? true : await prompter.confirm({
+			message: "Migrate legacy state (sessions/agent/WhatsApp auth) now?",
+			initialValue: true
+		})) {
+			const migrated = await runLegacyStateMigrations({ detected: legacyState });
+			if (migrated.changes.length > 0) note$1(migrated.changes.join("\n"), "Doctor changes");
+			if (migrated.warnings.length > 0) note$1(migrated.warnings.join("\n"), "Doctor warnings");
+		}
+	}
+	await noteStateIntegrity(cfg, prompter, configResult.path ?? CONFIG_PATH);
+	await noteSessionLockHealth({ shouldRepair: prompter.shouldRepair });
+	await maybeRepairLegacyCronStore({
+		cfg,
+		options,
+		prompter
+	});
+	cfg = await maybeRepairSandboxImages(cfg, runtime, prompter);
+	noteSandboxScopeWarnings(cfg);
+	await maybeScanExtraGatewayServices(options, runtime, prompter);
+	await maybeRepairGatewayServiceConfig(cfg, resolveMode(cfg), runtime, prompter);
+	await noteMacLaunchAgentOverrides();
+	await noteMacLaunchctlGatewayEnvOverrides(cfg);
+	await noteSecurityWarnings(cfg);
+	await noteChromeMcpBrowserReadiness(cfg);
+	await noteOpenAIOAuthTlsPrerequisites({
+		cfg,
+		deep: options.deep === true
+	});
+	if (cfg.hooks?.gmail?.model?.trim()) {
+		const hooksModelRef = resolveHooksGmailModel({
+			cfg,
+			defaultProvider: DEFAULT_PROVIDER
+		});
+		if (!hooksModelRef) note$1(`- hooks.gmail.model "${cfg.hooks.gmail.model}" could not be resolved`, "Hooks");
+		else {
+			const { provider: defaultProvider, model: defaultModel } = resolveConfiguredModelRef({
+				cfg,
+				defaultProvider: DEFAULT_PROVIDER,
+				defaultModel: DEFAULT_MODEL
+			});
+			const catalog = await loadModelCatalog({ config: cfg });
+			const status = getModelRefStatus({
+				cfg,
+				catalog,
+				ref: hooksModelRef,
+				defaultProvider,
+				defaultModel
+			});
+			const warnings = [];
+			if (!status.allowed) warnings.push(`- hooks.gmail.model "${status.key}" not in agents.defaults.models allowlist (will use primary instead)`);
+			if (!status.inCatalog) warnings.push(`- hooks.gmail.model "${status.key}" not in the model catalog (may fail at runtime)`);
+			if (warnings.length > 0) note$1(warnings.join("\n"), "Hooks");
+		}
+	}
+	if (options.nonInteractive !== true && process.platform === "linux" && resolveMode(cfg) === "local") {
+		const service = resolveGatewayService();
+		let loaded = false;
+		try {
+			loaded = await service.isLoaded({ env: process.env });
+		} catch {
+			loaded = false;
+		}
+		if (loaded) await ensureSystemdUserLingerInteractive({
+			runtime,
+			prompter: {
+				confirm: async (p) => prompter.confirm(p),
+				note: note$1
+			},
+			reason: "Gateway runs as a systemd user service. Without lingering, systemd stops the user session on logout/idle and kills the Gateway.",
+			requireConfirm: true
+		});
+	}
+	noteWorkspaceStatus(cfg);
+	await noteBootstrapFileSize(cfg);
+	await doctorShellCompletion(runtime, prompter, { nonInteractive: options.nonInteractive });
+	const { healthOk } = await checkGatewayHealth({
+		runtime,
+		cfg,
+		timeoutMs: options.nonInteractive === true ? 3e3 : 1e4
+	});
+	const gatewayMemoryProbe = healthOk ? await probeGatewayMemoryStatus({
+		cfg,
+		timeoutMs: options.nonInteractive === true ? 3e3 : 1e4
+	}) : {
+		checked: false,
+		ready: false
+	};
+	await noteMemorySearchHealth(cfg, { gatewayMemoryProbe });
+	await maybeRepairGatewayDaemon({
+		cfg,
+		runtime,
+		prompter,
+		options,
+		gatewayDetailsMessage: gatewayDetails.message,
+		healthOk
+	});
+	if (configResult.shouldWriteConfig || JSON.stringify(cfg) !== JSON.stringify(cfgForPersistence)) {
+		cfg = applyWizardMetadata(cfg, {
+			command: "doctor",
+			mode: resolveMode(cfg)
+		});
+		await writeConfigFile(cfg);
+		logConfigUpdated(runtime);
+		const backupPath = `${CONFIG_PATH}.bak`;
+		if (fs.existsSync(backupPath)) runtime.log(`Backup: ${shortenHomePath(backupPath)}`);
+	} else if (!prompter.shouldRepair) runtime.log(`Run "${formatCliCommand("moldclaw doctor --fix")}" to apply changes.`);
+	if (options.workspaceSuggestions !== false) {
+		const workspaceDir = resolveAgentWorkspaceDir(cfg, resolveDefaultAgentId(cfg));
+		noteWorkspaceBackupTip(workspaceDir);
+		if (await shouldSuggestMemorySystem(workspaceDir)) note$1(MEMORY_SYSTEM_PROMPT, "Workspace");
+	}
+	const finalSnapshot = await readConfigFileSnapshot();
+	if (finalSnapshot.exists && !finalSnapshot.valid) {
+		runtime.error("Invalid config:");
+		for (const issue of finalSnapshot.issues) {
+			const path = issue.path || "<root>";
+			runtime.error(`- ${path}: ${issue.message}`);
+		}
+	}
+	outro$1("Doctor complete.");
+}
+//#endregion
+//#region src/terminal/prompt-select-styled.ts
+function selectStyled(params) {
+	return select({
+		...params,
+		message: stylePromptMessage(params.message),
+		options: params.options.map((opt) => opt.hint === void 0 ? opt : {
+			...opt,
+			hint: stylePromptHint(opt.hint)
+		})
+	});
+}
+//#endregion
+export { doctorCommand as n, selectStyled as t };