@tamyla/clodo-framework 4.5.1 → 4.6.1

package/CHANGELOG.md

@@ -1,3 +1,23 @@
+## [4.6.1](https://github.com/tamylaa/clodo-framework/compare/v4.6.0...v4.6.1) (2026-02-18)
+
+
+### Bug Fixes
+
+* **security:** export SecretsManager from main index ([2884b9d](https://github.com/tamylaa/clodo-framework/commit/2884b9d880f75cc924803d6070e3603bf46929d9))
+
+# [4.6.0](https://github.com/tamylaa/clodo-framework/compare/v4.5.1...v4.6.0) (2026-02-18)
+
+
+### Bug Fixes
+
+* **config:** add Zod schema validation for CLI config files ([3c25c88](https://github.com/tamylaa/clodo-framework/commit/3c25c88626fa5e4bc48c874a25ff89b8f75fb236))
+* **secrets:** integrate secret scanning CLI with existing SecretGenerator infrastructure ([f72f70f](https://github.com/tamylaa/clodo-framework/commit/f72f70f8fd3a0dd8da552c15e8b34bc459584870))
+
+
+### Features
+
+* **doctor:** implement clodo doctor command with token scope validation, secrets baseline scanning, and comprehensive test stabilization ([9b1fe00](https://github.com/tamylaa/clodo-framework/commit/9b1fe00f77bd7167cb8c836637caae68b9e8cd1c))
+
 ## [4.5.1](https://github.com/tamylaa/clodo-framework/compare/v4.5.0...v4.5.1) (2026-02-11)
 
 
@@ -5,6 +25,14 @@
 
 * resolve e2e test failures for validate and deploy commands ([97fd564](https://github.com/tamylaa/clodo-framework/commit/97fd5648211d13f46004b9e69c9b6face546d86d))
 
+### Features (post-4.5.1)
+
+* **doctor**: add `clodo-service doctor` preflight command — automated environment, dependency, and connectivity checks before deployment. Integrates with deploy via `--skip-doctor` / `--doctor-strict` flags. ([f72f70f](https://github.com/tamylaa/clodo-framework/commit/f72f70f))
+
+* **secrets**: add `clodo-service secrets` command — source code secret scanning with 15+ built-in patterns (AWS, Stripe, GitHub, JWT, etc.), baseline management (`baseline show`/`baseline update`), and `SecretsManager` programmatic API. 42 unit + 19 E2E tests. ([f72f70f](https://github.com/tamylaa/clodo-framework/commit/f72f70f))
+
+* **config**: add `clodo-service config-schema` command — Zod-powered schema validation for all CLI config files (create, deploy, validate, update). Includes `show`, `validate`, `types` subcommands, semantic warnings (env var placeholders, duplicate features, production without security). `ConfigSchemaValidator` programmatic API. 77 unit + 21 E2E tests. ([3c25c88](https://github.com/tamylaa/clodo-framework/commit/3c25c88))
+
 # [4.5.0](https://github.com/tamylaa/clodo-framework/compare/v4.4.1...v4.5.0) (2026-02-11)
 
 

package/README.md

@@ -7,7 +7,7 @@
 **Framework Status: ✅ VALIDATED & PRODUCTION-READY**  
 **Validation: 10/10 Phases Passed**  
 **Service Generation: 28+ Files Per Service**  
-**Test Coverage:** (Latest CI run 2026-02-04) — **115 test suites passed; 4 tests skipped; 2113 passed, 2117 total**
+**Test Coverage:** (Latest CI run 2026-02-18) — **124 test suites passed; 1 skipped; 2328 passed, 2352 total**
 
 A comprehensive framework for building enterprise-grade software architecture on Cloudflare Workers + D1. This framework enables rapid development of autonomous, domain-specific services while maintaining consistency and reusability across your entire ecosystem.
 
@@ -234,11 +234,23 @@ const zones = await api.listZones();
 Run framework commands in your terminal:
 
 ```bash
+# Create a new service
+clodo-service create
+
 # Deploy your service
 clodo-service deploy
 
-# Create a new service
-clodo-create-service my-service
+# Validate service configuration
+clodo-service validate
+
+# Preflight health checks before deployment
+clodo-service doctor
+
+# Scan for leaked secrets
+clodo-service secrets scan
+
+# Validate config files against schemas
+clodo-service config-schema validate clodo-deploy.json
 
 # Security auditing
 clodo-security audit
@@ -293,7 +305,7 @@ clodo-framework/
 │   ├── analysis/           # Technical analysis
 │   └── licensing/          # License information
 ├── src/                     # 💻 Source code
-├── test/                    # ✅ Test suites (Latest CI: 115 suites; 2113 tests passed, 4 skipped)
+├── test/                    # ✅ Test suites (Latest CI: 124 suites; 2328 tests passed, 24 skipped)
 ├── cli/                     # 🔧 CLI tools & commands
 ├── examples/                # 📚 Usage examples & demos
 ├── config/                  # ⚙️ Configuration files & examples
@@ -311,7 +323,7 @@ clodo-framework/
 ```
 
 **Quality Metrics:**
-- ✅ **Latest CI (2026-02-04): 115 test suites passed; 4 tests skipped; 2113/2117 tests passed**
+- ✅ **Latest CI (2026-02-18): 124 test suites passed; 1 skipped; 2328/2352 tests passed**
 - ✅ **CLI tests:** passing (all CLI-specific tests passed in the latest run)
 - ✅ **Clean architecture** (organized file structure, no clutter in root)
 - ✅ **Configuration-based** (no hard-coded values in source)
@@ -369,6 +381,15 @@ npx @tamyla/clodo-framework security generate-key api content-skimmer
 # Validate configuration security
 npx @tamyla/clodo-framework security validate customer production
 
+# Scan source code for leaked secrets
+clodo-service secrets scan
+
+# Validate secrets against baseline
+clodo-service secrets validate
+
+# Run preflight security checks
+clodo-service doctor
+
 # Deploy with automatic security validation
 npx @tamyla/clodo-framework security deploy customer production
 ```
@@ -388,6 +409,9 @@ npx @tamyla/clodo-framework security deploy customer production
 - ✅ **🔒 Security Validation Framework**: Automated security validation and deployment blocking
 - ✅ **🛡️ Cryptographic Key Generation**: Secure API key and JWT secret generation
 - ✅ **🚫 Deployment Security**: Pre-deployment validation that blocks insecure configurations
+- ✅ **🩺 Doctor / Preflight Checks**: Automated environment, dependency, and connectivity validation before deploy
+- ✅ **🔍 Secret Scanning & Baseline**: Detect leaked secrets in source code with baseline management
+- ✅ **📋 Config Schema Validation**: Zod-powered schema validation for all CLI config files (create, deploy, validate, update)
 - ✅ **👥 Customer Configuration Management**: Multi-environment, multi-customer configuration system
 - ✅ **🏗️ Template-Based Customer Onboarding**: Automated customer setup from reusable templates
 - ✅ **🔗 Framework Integration**: Customer configs integrate with domain and feature flag systems
@@ -404,6 +428,9 @@ npx @tamyla/clodo-framework security deploy customer production
 - **🔒 Security-by-Default**: Automatic detection and prevention of insecure configurations
 - **🛡️ Production Security**: Environment-specific security requirements and validation
 - **🔐 Cryptographic Utilities**: Secure key generation and secret management
+- **🩺 Doctor / Preflight**: Automated pre-deployment environment checks with `--skip-doctor` / `--doctor-strict` flags
+- **🔍 Secret Scanning**: Source code secret detection, pattern matching, and baseline management
+- **📋 Config Schema Validation**: Zod schemas for all config file types with semantic warnings
 - **Production Testing**: Health checks, authentication flows, performance monitoring
 - **Audit & Compliance**: Detailed deployment logging and reporting
 - **👥 Customer Configuration Management**: Multi-environment customer isolation and management
@@ -413,10 +440,84 @@ npx @tamyla/clodo-framework security deploy customer production
 - **⚡ Performance Optimized**: Intelligent caching system for schemas, SQL queries, and validation results
 - **🔄 Advanced Data Operations**: Enhanced CRUD with relationships, advanced pagination, and query optimization
 
-## 🎉 What's New in v2.0.7
+## 🎉 What's New in v4.5.x
+
+### 🩺 Doctor / Preflight Command (v4.5.x)
+Run comprehensive pre-deployment health checks to catch issues before they reach production:
+
+```bash
+# Run all preflight checks
+clodo-service doctor
+
+# Skip doctor during deploy
+clodo-service deploy --skip-doctor
+
+# Fail deploy on doctor warnings
+clodo-service deploy --doctor-strict
+```
+
+**Checks performed:**
+- ✅ Node.js version compatibility
+- ✅ Required dependencies installed (wrangler, etc.)
+- ✅ Environment variables set
+- ✅ Cloudflare API connectivity
+- ✅ Config file schema validation
+- ✅ Secret baseline compliance
+
+### 🔍 Secret Scanning & Baseline Management (v4.5.x)
+Detect leaked secrets in your codebase before they reach version control:
+
+```bash
+# Scan for secrets in source code
+clodo-service secrets scan [directory]
+
+# Validate against a known baseline
+clodo-service secrets validate
+
+# Show current baseline
+clodo-service secrets baseline show
+
+# Update baseline after review
+clodo-service secrets baseline update
+
+# List known secret patterns
+clodo-service secrets patterns
+```
+
+**Features:**
+- 15+ built-in secret patterns (AWS, Stripe, GitHub, JWT, etc.)
+- Baseline management for known/accepted findings
+- Integration with doctor preflight checks
+- Programmatic API via `SecretsManager`
+
+### 📋 Config Schema Validation (v4.5.x)
+Validate your CLI config files against Zod schemas with semantic warnings:
+
+```bash
+# Validate a config file
+clodo-service config-schema validate clodo-deploy.json
+
+# Strict mode (exit code 1 on any error)
+clodo-service config-schema validate clodo-create.json --strict
+
+# Show schema for a config type
+clodo-service config-schema show deploy
+
+# List all supported config types
+clodo-service config-schema types
+```
+
+**Supported config types:** `create`, `deploy`, `validate`, `update`
+
+**Semantic warnings detect:**
+- Environment variable placeholders left in values
+- Duplicate features
+- Production configs without security features
+- Missing backup strategy with migrations enabled
+- Name mismatches between config fields
 
 ### 🔧 Enhanced Customer Configuration System
-The customer configuration CLI now **reads directly from your wrangler.toml** file, providing a single source of truth for deployment configuration:
+The customer configuration CLI **reads directly from your wrangler.toml** file, providing a single source of truth for deployment configuration:
 
 ```bash
 # List all customers with complete deployment metadata
@@ -1200,15 +1301,58 @@ npx clodo-db sync --portfolio
 npx clodo-db backup my-domain
 ```
 
-#### `clodo-secrets` - Secret Generation Utility
-Cryptographically secure secret generation for production deployments.
+#### `clodo-secrets` - Secret Scanning & Baseline Management
+Detect leaked secrets in source code and manage baselines for known findings.
 
 ```bash
-# Generate secrets for domain
-npx clodo-secrets --domain my-domain --environment production
+# Scan current directory for secrets
+clodo-service secrets scan
+
+# Scan a specific directory
+clodo-service secrets scan ./src
+
+# Validate against baseline
+clodo-service secrets validate
+
+# Show current baseline
+clodo-service secrets baseline show
+
+# Update baseline after review
+clodo-service secrets baseline update
+
+# List known secret patterns
+clodo-service secrets patterns
+```
+
+#### `clodo doctor` - Preflight Health Checks
+Run comprehensive environment and configuration checks before deployment.
+
+```bash
+# Run all checks
+clodo-service doctor
+
+# Skip during deploy
+clodo-service deploy --skip-doctor
+
+# Strict mode (fail on warnings)
+clodo-service deploy --doctor-strict
+```
+
+#### `clodo config-schema` - Config File Validation
+Validate CLI config files against Zod schemas with semantic analysis.
+
+```bash
+# Validate a config file
+clodo-service config-schema validate clodo-deploy.json
+
+# Show schema for a config type
+clodo-service config-schema show create
+
+# List all supported config types
+clodo-service config-schema types
 
-# Generate specific secret types
-npx clodo-secrets --types database,api-keys,jwt --persist
+# Strict mode
+clodo-service config-schema validate config.json --strict
 ```
 
 ## Quick Start

package/dist/cli/clodo-service.js

@@ -14,6 +14,7 @@
  * - diagnose    Diagnose and report issues with an existing service
  * - assess      Run intelligent capability assessment
  * - list-types  List available service types and their features
+ * - secrets     Secret scanning and baseline management for leak prevention
  */
 import { Command } from 'commander';
 import { join, dirname } from 'path';
@@ -51,6 +52,10 @@ async function registerAvailableCommands() {
     name: 'diagnose',
     path: pathToFileURL(join(commandsDir, 'diagnose.js')).href,
     register: 'registerDiagnoseCommand'
+  }, {
+    name: 'doctor',
+    path: pathToFileURL(join(commandsDir, 'doctor.js')).href,
+    register: 'registerDoctorCommand'
   }, {
     name: 'assess',
     path: pathToFileURL(join(commandsDir, 'assess.js')).href,
@@ -59,6 +64,14 @@ async function registerAvailableCommands() {
     name: 'init-config',
     path: pathToFileURL(join(commandsDir, 'init-config.js')).href,
     register: 'registerInitConfigCommand'
+  }, {
+    name: 'secrets',
+    path: pathToFileURL(join(commandsDir, 'secrets.js')).href,
+    register: 'registerSecretsCommand'
+  }, {
+    name: 'config-schema',
+    path: pathToFileURL(join(commandsDir, 'config-schema.js')).href,
+    register: 'registerConfigSchemaCommand'
   }];
   for (const cmd of commands) {
     try {

package/dist/cli/commands/config-schema.js

@@ -0,0 +1,144 @@
+/**
+ * Config Schema CLI Command
+ * Provides schema inspection, validation, and documentation for config files
+ * 
+ * Subcommands:
+ *   clodo config-schema show <type>      - Show schema for a command type
+ *   clodo config-schema validate <file>  - Validate a config file
+ *   clodo config-schema types            - List all config types
+ */
+
+import chalk from 'chalk';
+import { readFileSync } from 'fs';
+import { ConfigSchemaValidator } from '../../src/validation/ConfigSchemaValidator.js';
+export function registerConfigSchemaCommand(program) {
+  const cmd = program.command('config-schema').description('Inspect and validate configuration file schemas');
+
+  // ─── show ──────────────────────────────────────────────────────────────
+  cmd.command('show <type>').description('Show the schema definition for a config type (create, deploy, validate, update)').option('--json', 'Output as JSON').action((type, options) => {
+    const validator = new ConfigSchemaValidator();
+    const definition = validator.getSchemaDefinition(type);
+    if (!definition) {
+      console.error(chalk.red(`Unknown config type: '${type}'`));
+      console.log(`Valid types: ${validator.getRegisteredTypes().join(', ')}`);
+      process.exit(1);
+    }
+    if (options.json) {
+      console.log(JSON.stringify(definition, null, 2));
+      return;
+    }
+    console.log(chalk.cyan(`\n📋 Config Schema: ${type}`));
+    console.log(chalk.gray('═'.repeat(60)));
+    console.log(chalk.white(definition.description));
+    console.log('');
+    console.log(chalk.bold('Fields:'));
+    for (const [name, field] of Object.entries(definition.fields)) {
+      const required = field.required ? chalk.red('*') : ' ';
+      const type = chalk.gray(`(${field.type})`);
+      console.log(`  ${required} ${chalk.white(name)} ${type}`);
+      if (field.description) {
+        console.log(`    ${chalk.gray(field.description)}`);
+      }
+    }
+    console.log('');
+    console.log(chalk.bold('Valid Service Types:'));
+    console.log(`  ${definition.validServiceTypes.join(', ')}`);
+    console.log('');
+    console.log(chalk.bold('Valid Features:'));
+    console.log(`  ${definition.validFeatures.join(', ')}`);
+    console.log('');
+    console.log(chalk.gray(`Total fields: ${definition.fieldCount}`));
+    console.log(chalk.gray(`Usage: npx clodo-service ${type} --config-file your-config.json`));
+  });
+
+  // ─── validate ──────────────────────────────────────────────────────────
+  cmd.command('validate <file>').description('Validate a config file against its schema').option('--type <type>', 'Config type (auto-detected if not specified)').option('--strict', 'Exit with error code on validation failures').option('--json', 'Output as JSON').action((file, options) => {
+    const validator = new ConfigSchemaValidator();
+
+    // Determine command type
+    let commandType = options.type;
+    if (!commandType) {
+      // Try to auto-detect from filename or content
+      const filenameLower = file.toLowerCase();
+      if (filenameLower.includes('create')) commandType = 'create';else if (filenameLower.includes('deploy')) commandType = 'deploy';else if (filenameLower.includes('validate')) commandType = 'validate';else if (filenameLower.includes('update')) commandType = 'update';else {
+        // Try content-based detection
+        try {
+          const content = JSON.parse(readFileSync(file, 'utf8'));
+          const detection = validator.detectConfigType(content);
+          if (detection.detected) {
+            commandType = detection.commandType;
+            if (!options.json) {
+              console.log(chalk.gray(`Auto-detected config type: ${commandType} (confidence: ${Math.round(detection.confidence * 100)}%)`));
+            }
+          }
+        } catch {
+          // Fall through
+        }
+      }
+      if (!commandType) {
+        console.error(chalk.red('Could not detect config type. Use --type to specify.'));
+        console.log(`Valid types: ${validator.getRegisteredTypes().join(', ')}`);
+        process.exit(1);
+      }
+    }
+    const result = validator.validateConfigFile(file, commandType);
+    if (options.json) {
+      console.log(JSON.stringify(result, null, 2));
+    } else {
+      console.log(chalk.cyan(`\n🔍 Config Validation: ${file}`));
+      console.log(chalk.gray(`Type: ${commandType}`));
+      console.log(chalk.gray('═'.repeat(60)));
+      if (result.valid) {
+        console.log(chalk.green(`✅ Valid configuration (${result.fieldCount} fields)`));
+      } else {
+        console.log(chalk.red(`❌ Invalid configuration — ${result.errors.length} error(s)`));
+      }
+      if (result.errors.length > 0) {
+        console.log('');
+        console.log(chalk.bold('Errors:'));
+        for (const err of result.errors) {
+          console.log(chalk.red(`  ✗ ${err.field}: ${err.message}`));
+        }
+      }
+      if (result.warnings.length > 0) {
+        console.log('');
+        console.log(chalk.bold('Warnings:'));
+        for (const warn of result.warnings) {
+          console.log(chalk.yellow(`  ⚠ ${warn.field}: ${warn.message}`));
+        }
+      }
+    }
+
+    // Exit with error code for file-level errors (always) or validation errors (when --strict)
+    if (!result.valid) {
+      const hasFileError = result.errors.some(e => e.code === 'FILE_NOT_FOUND' || e.code === 'INVALID_JSON');
+      if (hasFileError || options.strict) {
+        process.exit(1);
+      }
+    }
+  });
+
+  // ─── types ─────────────────────────────────────────────────────────────
+  cmd.command('types').description('List all available config types').option('--json', 'Output as JSON').action(options => {
+    const validator = new ConfigSchemaValidator();
+    const types = validator.getRegisteredTypes();
+    if (options.json) {
+      const details = {};
+      for (const type of types) {
+        details[type] = validator.getSchemaDefinition(type);
+      }
+      console.log(JSON.stringify(details, null, 2));
+      return;
+    }
+    console.log(chalk.cyan('\n📋 Available Config Types'));
+    console.log(chalk.gray('═'.repeat(60)));
+    for (const type of types) {
+      const def = validator.getSchemaDefinition(type);
+      console.log(`  ${chalk.white(type)} — ${def.fieldCount} fields`);
+      console.log(chalk.gray(`    Example: config/clodo-${type}.example.json`));
+      console.log(chalk.gray(`    Usage:   npx clodo-service ${type} --config-file config.json`));
+    }
+    console.log('');
+    console.log(chalk.gray('Run `clodo config-schema show <type>` for detailed field info'));
+  });
+}

package/dist/cli/commands/create.js

@@ -8,6 +8,7 @@
 import chalk from 'chalk';
 import { Clodo, ConfigLoader } from '@tamyla/clodo-framework';
 import { StandardOptions } from '../../lib/shared/utils/cli-options.js';
+import { ConfigSchemaValidator } from '../../src/validation/ConfigSchemaValidator.js';
 export function registerCreateCommand(program) {
   const command = program.command('create').description('Create a new Clodo service with conversational setup').option('-n, --non-interactive', 'Run in non-interactive mode with all required parameters').option('--service-name <name>', 'Service name (required in non-interactive mode)').option('--service-type <type>', 'Service type: data-service, auth-service, content-service, api-gateway, generic', 'generic').option('--domain-name <domain>', 'Domain name (required in non-interactive mode)').option('--cloudflare-token <token>', 'Cloudflare API token (required in non-interactive mode)').option('--cloudflare-account-id <id>', 'Cloudflare account ID (required in non-interactive mode)').option('--cloudflare-zone-id <id>', 'Cloudflare zone ID (required in non-interactive mode)').option('--environment <env>', 'Target environment: development, staging, production', 'development').option('--output-path <path>', 'Output directory for generated service', '.').option('--template-path <path>', 'Path to service templates', './templates').option('--middleware-strategy <strategy>', 'Middleware generation strategy: contract|legacy', 'contract').option('--force', 'Skip confirmation prompts').option('--validate', 'Validate service after creation');
 
@@ -21,10 +22,26 @@ export function registerCreateCommand(program) {
         json: options.json
       });
 
-      // Load config from file if specified
+      // Load config from file if specified (with schema validation)
       let configFileData = {};
       if (options.configFile) {
         configFileData = configLoader.loadSafe(options.configFile, {});
+        // Validate against create schema
+        const schemaValidator = new ConfigSchemaValidator({
+          verbose: options.verbose
+        });
+        const validation = schemaValidator.validateConfig(configFileData, 'create');
+        if (!validation.valid && options.verbose) {
+          output.warning(`Config file has ${validation.errors.length} schema validation issue(s):`);
+          for (const err of validation.errors) {
+            output.warning(`  ${err.field}: ${err.message}`);
+          }
+        }
+        if (validation.warnings.length > 0 && options.verbose) {
+          for (const warn of validation.warnings) {
+            output.info(`  ⚠ ${warn.field}: ${warn.message}`);
+          }
+        }
         if (options.verbose && !options.quiet) {
           output.info(`Loaded configuration from: ${options.configFile}`);
         }

package/dist/cli/commands/deploy.js

@@ -1,10 +1,11 @@
 import chalk from 'chalk';
 import { Clodo, ConfigLoader, InteractiveDeploymentCoordinator, OutputFormatter } from '@tamyla/clodo-framework';
 import { StandardOptions } from '../../lib/shared/utils/cli-options.js';
+import { ConfigSchemaValidator } from '../../src/validation/ConfigSchemaValidator.js';
 export function registerDeployCommand(program) {
   const command = program.command('deploy').description('Deploy a Clodo service with interactive configuration and validation')
   // Cloudflare-specific options
-  .option('--token <token>', 'Cloudflare API token (or set CLOUDFLARE_API_TOKEN env var)').option('--account-id <id>', 'Cloudflare account ID (or set CLOUDFLARE_ACCOUNT_ID env var)').option('--zone-id <id>', 'Cloudflare zone ID (or set CLOUDFLARE_ZONE_ID env var)').option('--domain <domain>', 'Specific domain to deploy to').option('--service-name <name>', 'Service name for URL generation (e.g., data-service, auth-service)', 'data-service').option('--environment <env>', 'Target environment (development, staging, production)', 'production').option('--development', 'Deploy to development environment (shorthand for --environment development)').option('--staging', 'Deploy to staging environment (shorthand for --environment staging)').option('--production', 'Deploy to production environment (shorthand for --environment production)').option('--dry-run', 'Simulate deployment without making changes').option('-y, --yes', 'Skip confirmation prompts (for CI/CD)').option('--service-path <path>', 'Path to service directory', '.').option('--check-prereqs', 'Check deployment prerequisites before starting').option('--check-auth', 'Check Wrangler authentication status').option('--check-network', 'Check network connectivity to Cloudflare');
+  .option('--token <token>', 'Cloudflare API token (or set CLOUDFLARE_API_TOKEN env var)').option('--account-id <id>', 'Cloudflare account ID (or set CLOUDFLARE_ACCOUNT_ID env var)').option('--zone-id <id>', 'Cloudflare zone ID (or set CLOUDFLARE_ZONE_ID env var)').option('--domain <domain>', 'Specific domain to deploy to').option('--service-name <name>', 'Service name for URL generation (e.g., data-service, auth-service)', 'data-service').option('--environment <env>', 'Target environment (development, staging, production)', 'production').option('--development', 'Deploy to development environment (shorthand for --environment development)').option('--staging', 'Deploy to staging environment (shorthand for --environment staging)').option('--production', 'Deploy to production environment (shorthand for --environment production)').option('--dry-run', 'Simulate deployment without making changes').option('-y, --yes', 'Skip confirmation prompts (for CI/CD)').option('--service-path <path>', 'Path to service directory', '.').option('--check-prereqs', 'Check deployment prerequisites before starting').option('--check-auth', 'Check Wrangler authentication status').option('--check-network', 'Check network connectivity to Cloudflare').option('--skip-doctor', 'Skip preflight doctor checks').option('--doctor-strict', 'Fail deployment if doctor finds warnings (default: fail only on errors)');
 
   // Add standard options (--verbose, --quiet, --json, --no-color, --config-file)
   StandardOptions.define(command).action(async options => {
@@ -25,10 +26,26 @@ export function registerDeployCommand(program) {
         options.environment = 'production';
       }
 
-      // Load config from file if specified
+      // Load config from file if specified (with schema validation)
       let configFileData = {};
       if (options.configFile) {
         configFileData = configLoader.loadSafe(options.configFile, {});
+        // Validate against deploy schema
+        const schemaValidator = new ConfigSchemaValidator({
+          verbose: options.verbose
+        });
+        const validation = schemaValidator.validateConfig(configFileData, 'deploy');
+        if (!validation.valid && options.verbose) {
+          output.warning(`Config file has ${validation.errors.length} schema validation issue(s):`);
+          for (const err of validation.errors) {
+            output.warning(`  ${err.field}: ${err.message}`);
+          }
+        }
+        if (validation.warnings.length > 0 && options.verbose) {
+          for (const warn of validation.warnings) {
+            output.info(`  ⚠ ${warn.field}: ${warn.message}`);
+          }
+        }
         if (options.verbose && !options.quiet) {
           output.info(`Loaded configuration from: ${options.configFile}`);
         }
@@ -37,6 +54,48 @@ export function registerDeployCommand(program) {
       // Merge config file defaults with CLI options (CLI takes precedence)
       const mergedOptions = configLoader.merge(configFileData, options);
 
+      // Run doctor preflight checks (unless skipped)
+      if (!mergedOptions.skipDoctor) {
+        const {
+          ValidationHandler
+        } = await import('../../src/service-management/handlers/ValidationHandler.js');
+        const doctor = new ValidationHandler();
+        if (!mergedOptions.quiet) {
+          output.info('🔍 Running preflight doctor checks...');
+        }
+        const doctorResults = await doctor.runDoctor({
+          servicePath: mergedOptions.servicePath || '.',
+          strict: mergedOptions.doctorStrict || false,
+          json: false // Always use human-readable for deploy context
+        });
+        if (doctorResults.exitCode !== 0) {
+          output.error('❌ Preflight checks failed!');
+          output.error(`Found ${doctorResults.summary.errors} errors and ${doctorResults.summary.warnings} warnings`);
+
+          // Show details of failed checks
+          doctorResults.checks.forEach(check => {
+            if (check.status !== 'passed') {
+              const color = check.severity === 'error' ? 'red' : check.severity === 'warning' ? 'yellow' : 'gray';
+              console.log(chalk[color](`  ${check.name}: ${check.message}`));
+              check.details.forEach(detail => {
+                console.log(chalk.gray(`    ${detail}`));
+              });
+            }
+          });
+          if (doctorResults.fixSuggestions.length > 0) {
+            output.info('\n💡 Fix suggestions:');
+            doctorResults.fixSuggestions.forEach(suggestion => {
+              output.log(chalk.blue(`  • ${suggestion}`));
+            });
+          }
+          output.info('\nTo skip these checks, use --skip-doctor');
+          output.info('To run checks manually, use: clodo doctor');
+          process.exit(1);
+        } else if (!mergedOptions.quiet) {
+          output.success(`✅ Preflight checks passed (${doctorResults.summary.passed}/${doctorResults.summary.total})`);
+        }
+      }
+
       // Determine if interactive mode should be enabled
       const interactive = !mergedOptions.nonInteractive && !mergedOptions.yes;
       if (interactive) {