@westbayberry/dg 1.3.2 → 2.0.0

package/dist/setup/plan.js

@@ -0,0 +1,899 @@
+import { accessSync, constants, existsSync, mkdirSync, readFileSync, renameSync, rmSync, writeFileSync } from "node:fs";
+import { basename, delimiter, dirname, join, resolve } from "node:path";
+import { chmodSync } from "node:fs";
+import { createTheme } from "../presentation/theme.js";
+import { acquireLockSync, findStaleSessionsSync, resolveDgPaths, sweepStaleSessionsSync, CLEANUP_REGISTRY_LOCK } from "../state/index.js";
+import { currentNodeVersion, isSupportedNode } from "../runtime/node-version.js";
+import { dgVersion } from "../commands/version.js";
+import { AuthError, authStatus, displayTier } from "../auth/store.js";
+import { ConfigError, loadUserConfig } from "../config/settings.js";
+import { resolveRealBinary } from "../launcher/resolve-real-binary.js";
+import { packageManagerNames } from "../launcher/classify.js";
+import { readServiceState } from "../service/state.js";
+import { OPTIONAL_SUPPORT_GATES } from "./optional-support.js";
+export const SHIM_COMMANDS = Object.freeze(["npm", "npx", "pnpm", "pnpx", "yarn", "pip", "pipx", "uv", "uvx", "cargo"]);
+export const SHIM_SENTINEL = "dg-shim-v1";
+export const RC_SENTINEL = "dg-shell-rc-v1";
+export const GUARD_HOOK_SENTINEL = "dg-git-hook-v1";
+export const RC_BEGIN = "# >>> dg setup >>>";
+export const RC_END = "# <<< dg setup <<<";
+export const SETUP_UNINSTALL_LOCK = "setup-uninstall";
+export const SETUP_UNINSTALL_LOCK_STALE_MS = 30 * 60 * 1000;
+export const STALE_SESSION_OLDER_THAN_MS = 24 * 60 * 60 * 1000;
+const DOCTOR_GROUP_BY_NAME = {
+    node: "environment",
+    package: "environment",
+    "dg-binary-path": "environment",
+    "real-binary-resolution": "environment",
+    "recursive-shim-guard": "environment",
+    "package-manager-discovery": "environment",
+    "cleanup-registry": "setup",
+    "cleanup-registry-stale-entries": "setup",
+    config: "setup",
+    policy: "setup",
+    telemetry: "setup",
+    shims: "setup",
+    "shell-rc": "setup",
+    path: "setup",
+    "stale-sessions": "setup",
+    service: "setup",
+    auth: "account"
+};
+const DOCTOR_FIX_BY_NAME = {
+    node: "upgrade Node to >=22.14.0",
+    "dg-binary-path": "put the dg bin directory first on PATH",
+    "cleanup-registry": "re-run dg setup",
+    "cleanup-registry-stale-entries": "re-run dg setup to refresh",
+    config: "fix or remove ~/.dg, then re-run dg setup",
+    policy: "fix ~/.dg config",
+    telemetry: "fix ~/.dg config",
+    shims: "dg setup",
+    "shell-rc": "dg setup",
+    path: "reload your shell after setup",
+    "stale-sessions": "clears on the next protected run",
+    auth: "dg login"
+};
+function enrichDoctorCheck(check) {
+    const group = check.status === "unavailable" ? "gated" : DOCTOR_GROUP_BY_NAME[check.name] ?? "setup";
+    const fix = check.status === "pass" || check.status === "unavailable" ? undefined : check.fix ?? DOCTOR_FIX_BY_NAME[check.name];
+    return fix ? { ...check, group, fix } : { ...check, group };
+}
+export class SetupUnsupportedPlatformError extends Error {
+    platform;
+    constructor(platform) {
+        super(`dg setup does not support ${platform} — Linux and macOS only`);
+        this.platform = platform;
+        this.name = "SetupUnsupportedPlatformError";
+    }
+}
+export function buildSetupPlan(options) {
+    if (process.platform === "win32") {
+        throw new SetupUnsupportedPlatformError(process.platform);
+    }
+    const env = options.env ?? process.env;
+    const paths = resolveDgPaths(env);
+    const shell = resolveShell(options.shell, env);
+    const shimDir = join(paths.homeDir, ".dg", "shims");
+    const rcPath = shellRcPath(paths.homeDir, shell);
+    return {
+        paths,
+        shell,
+        shimDir,
+        rcPath,
+        writes: [
+            {
+                kind: "directory",
+                path: shimDir,
+                action: "create dg-owned shim directory"
+            },
+            ...SHIM_COMMANDS.map((command) => ({
+                kind: "shim",
+                path: join(shimDir, command),
+                action: `write ${command} shim that dispatches to dg ${command}`
+            })),
+            {
+                kind: "shell-rc",
+                path: rcPath,
+                action: `insert or replace ${RC_SENTINEL} PATH block`
+            },
+            {
+                kind: "state",
+                path: paths.cleanupRegistryPath,
+                action: "record dg-owned writes for uninstall"
+            }
+        ],
+        reloadInstructions: reloadInstructions(shell)
+    };
+}
+export function renderSetupPlan(plan) {
+    const lines = [
+        "Dependency Guardian setup write plan",
+        "",
+        "No files are changed until this plan is confirmed.",
+        ...plan.writes.map((write) => `- ${write.action}: ${write.path}`),
+        "",
+        "After setup, reload your shell:",
+        ...plan.reloadInstructions.map((line) => `- ${line}`)
+    ];
+    return `${lines.join("\n")}\n`;
+}
+export function applySetupPlan(plan, now = new Date()) {
+    const entries = [];
+    mkdirSync(plan.shimDir, {
+        recursive: true,
+        mode: 0o700
+    });
+    for (const command of SHIM_COMMANDS) {
+        const path = join(plan.shimDir, command);
+        writeFileSync(path, shimSource(command), {
+            encoding: "utf8",
+            mode: 0o755
+        });
+        chmodSync(path, 0o755);
+        entries.push(cleanupEntry("shim", path, "mode1", now, SHIM_SENTINEL));
+    }
+    mkdirSync(dirname(plan.rcPath), {
+        recursive: true,
+        mode: 0o700
+    });
+    writeFileSync(plan.rcPath, withRcBlock(readText(plan.rcPath), plan), "utf8");
+    entries.push(cleanupEntry("rc", plan.rcPath, "mode1", now, RC_SENTINEL));
+    const registry = withRegistryLock(plan.paths, () => {
+        const merged = mergeRegistry(readRegistry(plan.paths).registry, entries);
+        writeRegistry(plan.paths, merged);
+        return merged;
+    });
+    return {
+        plan,
+        registry
+    };
+}
+export function applySetupPlanWithLock(plan, now = new Date()) {
+    const lock = acquireLockSync(plan.paths, SETUP_UNINSTALL_LOCK, {
+        staleMs: SETUP_UNINSTALL_LOCK_STALE_MS
+    });
+    try {
+        return applySetupPlan(plan, now);
+    }
+    finally {
+        lock.release();
+    }
+}
+export function uninstallSetup(options) {
+    const paths = resolveDgPaths(options.env ?? process.env);
+    const hadCacheDirBeforeLock = existsSync(paths.cacheDir);
+    const hadStateDirBeforeLock = existsSync(paths.stateDir);
+    const lock = acquireLockSync(paths, SETUP_UNINSTALL_LOCK, {
+        staleMs: SETUP_UNINSTALL_LOCK_STALE_MS
+    });
+    try {
+        const registryRead = readRegistry(paths);
+        const removed = [];
+        const missing = [];
+        const warnings = [];
+        const staleSessions = sweepStaleSessionsSync(paths, {
+            olderThanMs: STALE_SESSION_OLDER_THAN_MS
+        }).removed;
+        if (registryRead.malformed) {
+            warnings.push(`cleanup registry is malformed: ${paths.cleanupRegistryPath}`);
+        }
+        for (const entry of registryRead.registry.entries) {
+            if (entry.owner !== "dg") {
+                continue;
+            }
+            if (entry.kind === "shim") {
+                removeShim(entry, removed, missing, warnings);
+            }
+            else if (entry.kind === "rc") {
+                removeRcBlock(entry, removed, missing, warnings);
+            }
+            else if (entry.kind === "git-hook") {
+                reverseGitHookEntry(entry, removed, missing, warnings);
+            }
+        }
+        if (!options.all && !registryRead.malformed && options.keepConfig) {
+            writeRegistryWithLock(paths, {
+                version: 1,
+                entries: registryRead.registry.entries.filter((entry) => entry.owner !== "dg")
+            });
+        }
+        if (!options.keepConfig && hadCacheDirBeforeLock) {
+            removeDirectory(paths.cacheDir, removed, missing);
+        }
+        if (!options.keepConfig && hadStateDirBeforeLock) {
+            removeDirectory(paths.stateDir, removed, missing);
+        }
+        if (options.all) {
+            removeDirectory(paths.configDir, removed, missing);
+        }
+        return {
+            removed,
+            missing,
+            warnings,
+            staleSessions
+        };
+    }
+    finally {
+        lock.release();
+    }
+}
+export function doctorReport(options = {}) {
+    const env = options.env ?? process.env;
+    const paths = resolveDgPaths(env);
+    const shimDir = join(paths.homeDir, ".dg", "shims");
+    const registryRead = readRegistry(paths);
+    const staleSessions = findStaleSessionsSync(paths, {
+        olderThanMs: STALE_SESSION_OLDER_THAN_MS
+    }).stale;
+    const checks = [];
+    checks.push({
+        name: "node",
+        status: isSupportedNode(currentNodeVersion()) ? "pass" : "fail",
+        message: `Node ${currentNodeVersion()} with required >=22.14.0`
+    });
+    checks.push({
+        name: "package",
+        status: "pass",
+        message: `dg ${dgVersion()}`
+    });
+    checks.push(dgPathCheck(env));
+    checks.push({
+        name: "cleanup-registry",
+        status: registryRead.malformed ? "fail" : "pass",
+        message: registryRead.malformed ? `Malformed cleanup registry at ${paths.cleanupRegistryPath}` : paths.cleanupRegistryPath
+    });
+    checks.push({
+        name: "cleanup-registry-stale-entries",
+        status: staleRegistryEntries(registryRead.registry).length === 0 ? "pass" : "warn",
+        message: staleRegistryEntries(registryRead.registry).length === 0
+            ? "No stale cleanup registry entries detected"
+            : `Missing registered paths: ${staleRegistryEntries(registryRead.registry).join(", ")}`
+    });
+    checks.push(configCheck(paths, env));
+    checks.push(authCheck(env));
+    checks.push(policyCheck(env));
+    checks.push(telemetryCheck(env));
+    const missingShims = SHIM_COMMANDS.filter((command) => !validShim(join(shimDir, command), command));
+    checks.push({
+        name: "shims",
+        status: missingShims.length === 0 ? "pass" : "warn",
+        message: missingShims.length === 0 ? `All setup shims exist in ${shimDir}` : `Missing or drifted shims: ${missingShims.join(", ")}`
+    });
+    const rcEntries = registryRead.registry.entries.filter((entry) => entry.owner === "dg" && entry.kind === "rc");
+    const missingRc = rcEntries.filter((entry) => !readText(entry.path).includes(RC_SENTINEL));
+    checks.push({
+        name: "shell-rc",
+        status: rcEntries.length > 0 && missingRc.length === 0 ? "pass" : "warn",
+        message: rcEntries.length === 0 ? "No dg shell rc block is registered" : `Registered shell rc blocks: ${rcEntries.length}`
+    });
+    checks.push(pathPrecedenceCheck(env, shimDir));
+    checks.push({
+        name: "stale-sessions",
+        status: staleSessions.length === 0 ? "pass" : "warn",
+        message: staleSessions.length === 0 ? "No stale sessions detected" : `Stale sessions detected: ${staleSessions.join(", ")}`
+    });
+    checks.push(realBinaryResolutionCheck(env));
+    checks.push({
+        name: "recursive-shim-guard",
+        status: "pass",
+        message: `Real binary resolver skips ${shimDir} and dg shim sentinel files`
+    });
+    checks.push({
+        name: "package-manager-discovery",
+        status: "pass",
+        message: `Classifiers are registered for ${SHIM_COMMANDS.join(", ")}; gated managers remain ${packageManagerNames()
+            .filter((name) => !SHIM_COMMANDS.includes(name))
+            .join(", ")}`
+    });
+    checks.push(...unavailableDoctorChecks());
+    checks.push(serviceCheck(env));
+    return {
+        version: dgVersion(),
+        checks: checks.map(enrichDoctorCheck)
+    };
+}
+const DOCTOR_STATUS_ROLE = {
+    pass: "pass",
+    warn: "warn",
+    fail: "block",
+    unavailable: "muted"
+};
+const DOCTOR_STATUS_GLYPH = {
+    pass: "✓",
+    warn: "⚠",
+    fail: "✘",
+    unavailable: "·"
+};
+const DOCTOR_GROUP_ORDER = [
+    { key: "environment", title: "Environment" },
+    { key: "setup", title: "Setup" },
+    { key: "account", title: "Account" }
+];
+export function renderDoctorReport(report, theme = createTheme(false), verbose = false) {
+    const failures = report.checks.filter((check) => check.status === "fail").length;
+    const warnings = report.checks.filter((check) => check.status === "warn").length;
+    const role = failures > 0 ? "block" : warnings > 0 ? "warn" : "pass";
+    const glyph = failures > 0 ? "✘" : warnings > 0 ? "⚠" : "✓";
+    const summary = failures > 0
+        ? `${failures} ${failures === 1 ? "issue needs" : "issues need"} attention`
+        : warnings > 0
+            ? `${warnings} ${warnings === 1 ? "warning" : "warnings"}`
+            : "all good";
+    const lines = [`${theme.paint(role, `${glyph} DG doctor`)} — ${summary}`];
+    for (const { key, title } of DOCTOR_GROUP_ORDER) {
+        const groupChecks = report.checks.filter((check) => check.group === key);
+        if (groupChecks.length === 0) {
+            continue;
+        }
+        if (verbose) {
+            lines.push("", title);
+            const width = nameWidth(groupChecks);
+            for (const check of groupChecks) {
+                lines.push(doctorLine(check, width, theme));
+            }
+            continue;
+        }
+        let nonPass = groupChecks.filter((check) => check.status !== "pass");
+        if (key === "setup") {
+            const trio = ["shims", "shell-rc", "path"];
+            const allWarn = trio.every((name) => nonPass.some((check) => check.name === name && check.status === "warn"));
+            if (allWarn) {
+                nonPass = nonPass.filter((check) => !trio.includes(check.name) && !(check.name === "config" && check.status === "warn"));
+                const notSetUp = "not set up — bare npm/pip installs aren't protected";
+                if (nonPass.length === 0) {
+                    lines.push(rollupInlineLine(title, "warn", "⚠", notSetUp, "dg setup", theme));
+                    continue;
+                }
+                const worst = worstCheck(nonPass);
+                lines.push(`  ${theme.paint(DOCTOR_STATUS_ROLE[worst.status], `${DOCTOR_STATUS_GLYPH[worst.status]} ${title}`)}`);
+                lines.push(`  ${theme.paint("warn", "⚠")} ${notSetUp}  ${theme.paint("muted", "→ dg setup")}`);
+                const width = nameWidth(nonPass);
+                for (const check of nonPass) {
+                    lines.push(doctorLine(check, width, theme));
+                }
+                continue;
+            }
+        }
+        if (nonPass.length === 0) {
+            lines.push(`  ${theme.paint("pass", `✓ ${title}`)}`);
+            continue;
+        }
+        const worst = worstCheck(nonPass);
+        if (nonPass.length === 1) {
+            lines.push(rollupInlineLine(title, worst.status, DOCTOR_STATUS_GLYPH[worst.status], worst.message, worst.fix, theme));
+            continue;
+        }
+        lines.push(`  ${theme.paint(DOCTOR_STATUS_ROLE[worst.status], `${DOCTOR_STATUS_GLYPH[worst.status]} ${title}`)}`);
+        const width = nameWidth(nonPass);
+        for (const check of nonPass) {
+            lines.push(doctorLine(check, width, theme));
+        }
+    }
+    const gated = report.checks.filter((check) => check.group === "gated");
+    if (gated.length > 0) {
+        if (verbose) {
+            lines.push("", "Gated / remote");
+            const width = nameWidth(gated);
+            for (const check of gated) {
+                lines.push(doctorLine(check, width, theme));
+            }
+        }
+        else {
+            lines.push("", theme.paint("muted", `${gated.length} gated/remote checks hidden · dg doctor --verbose`));
+        }
+    }
+    return `${lines.join("\n")}\n`;
+}
+function nameWidth(checks) {
+    return checks.reduce((max, check) => Math.max(max, check.name.length), 0);
+}
+const DOCTOR_STATUS_SEVERITY = {
+    pass: 0,
+    unavailable: 1,
+    warn: 2,
+    fail: 3
+};
+function worstCheck(checks) {
+    return checks.reduce((worst, check) => DOCTOR_STATUS_SEVERITY[check.status] > DOCTOR_STATUS_SEVERITY[worst.status] ? check : worst);
+}
+function rollupInlineLine(title, status, glyph, message, fix, theme) {
+    const head = theme.paint(DOCTOR_STATUS_ROLE[status], `${glyph} ${title}`);
+    const fixSuffix = fix ? `  ${theme.paint("muted", `→ ${fix}`)}` : "";
+    return `  ${head}  ${message}${fixSuffix}`;
+}
+function doctorLine(check, width, theme) {
+    const glyph = theme.paint(DOCTOR_STATUS_ROLE[check.status], DOCTOR_STATUS_GLYPH[check.status]);
+    const name = check.name.padEnd(width);
+    const message = check.status === "unavailable" ? theme.paint("muted", check.message) : check.message;
+    const fix = check.fix ? `  ${theme.paint("muted", `→ ${check.fix}`)}` : "";
+    return `  ${glyph} ${name}  ${message}${fix}`;
+}
+function resolveShell(shell, env) {
+    if (shell !== "auto") {
+        return shell;
+    }
+    const detected = basename(env.SHELL ?? "");
+    if (detected === "fish") {
+        return "fish";
+    }
+    if (detected === "bash") {
+        return "bash";
+    }
+    return "zsh";
+}
+function shellRcPath(homeDir, shell) {
+    if (shell === "fish") {
+        return join(homeDir, ".config", "fish", "config.fish");
+    }
+    if (shell === "bash") {
+        return join(homeDir, ".bashrc");
+    }
+    return join(homeDir, ".zshrc");
+}
+export function activationCommand(shell, rcDisplay) {
+    if (shell === "fish") {
+        return `source ${rcDisplay}`;
+    }
+    if (shell === "bash") {
+        return `source ${rcDisplay} && hash -r`;
+    }
+    return `source ${rcDisplay} && rehash`;
+}
+function reloadInstructions(shell) {
+    if (shell === "fish") {
+        return ["start a new shell or run: source ~/.config/fish/config.fish"];
+    }
+    if (shell === "bash") {
+        return ["start a new shell or run: source ~/.bashrc", "clear cached command paths with: hash -r"];
+    }
+    return ["start a new shell or run: source ~/.zshrc", "clear cached command paths with: rehash"];
+}
+// Absolute path: a bare `exec dg` resolves through PATH, so anything that
+// shadows dg (npm run prepending node_modules/.bin with a vendored copy)
+// hijacks every shimmed package manager.
+export function shimSource(command) {
+    return `#!/bin/sh\n# ${SHIM_SENTINEL}\nDG_SHIM_ACTIVE="\${DG_SHIM_ACTIVE:+$DG_SHIM_ACTIVE,}${command}:$$" exec "${escapeDoubleQuotedSh(dgEntrypoint())}" ${command} "$@"\n`;
+}
+function escapeDoubleQuotedSh(value) {
+    return value.replace(/[\\"$`]/g, "\\$&");
+}
+function escapeDoubleQuotedFish(value) {
+    return value.replace(/[\\"$]/g, "\\$&");
+}
+function dgEntrypoint() {
+    const argv1 = process.argv[1];
+    return argv1 ? resolve(argv1) : "dg";
+}
+function withRcBlock(existing, plan) {
+    const withoutExisting = stripRcBlock(existing);
+    const block = plan.shell === "fish" ? fishRcBlock(plan.shimDir) : posixRcBlock(plan.shimDir);
+    const prefix = withoutExisting.length > 0 && !withoutExisting.endsWith("\n") ? `${withoutExisting}\n` : withoutExisting;
+    return `${prefix}${block}`;
+}
+function posixRcBlock(shimDir) {
+    return `${RC_BEGIN}\n# ${RC_SENTINEL}\nexport PATH="${escapeDoubleQuotedSh(shimDir)}:$PATH"\n${RC_END}\n`;
+}
+function fishRcBlock(shimDir) {
+    return `${RC_BEGIN}\n# ${RC_SENTINEL}\nfish_add_path -p "${escapeDoubleQuotedFish(shimDir)}"\n${RC_END}\n`;
+}
+function stripRcBlock(existing) {
+    const pattern = new RegExp(`${escapeRegex(RC_BEGIN)}\\n[\\s\\S]*?${escapeRegex(RC_END)}\\n?`, "g");
+    const unterminatedPattern = new RegExp(`${escapeRegex(RC_BEGIN)}\\n[\\s\\S]*$`, "g");
+    return existing.replace(pattern, "").replace(unterminatedPattern, "");
+}
+export function cleanupEntry(kind, path, mode, now, sentinel) {
+    return {
+        kind,
+        path,
+        mode,
+        sentinel,
+        installedAt: now.toISOString(),
+        owner: "dg"
+    };
+}
+export function mergeRegistry(registry, entries) {
+    const retained = registry.entries.filter((entry) => !entries.some((next) => entry.kind === next.kind && entry.path === next.path && entry.sentinel === next.sentinel));
+    return {
+        version: 1,
+        entries: [...retained, ...entries]
+    };
+}
+export function readRegistry(paths) {
+    try {
+        if (!existsSync(paths.cleanupRegistryPath)) {
+            return {
+                registry: {
+                    version: 1,
+                    entries: []
+                },
+                malformed: false
+            };
+        }
+        const registry = JSON.parse(readFileSync(paths.cleanupRegistryPath, "utf8"));
+        if (registry.version !== 1 || !Array.isArray(registry.entries)) {
+            throw new Error("unsupported cleanup registry");
+        }
+        return {
+            registry,
+            malformed: false
+        };
+    }
+    catch {
+        return {
+            registry: {
+                version: 1,
+                entries: []
+            },
+            malformed: true
+        };
+    }
+}
+function staleRegistryEntries(registry) {
+    return registry.entries.filter((entry) => entry.owner === "dg" && !existsSync(entry.path)).map((entry) => entry.path);
+}
+function configCheck(paths, env) {
+    if (!existsSync(paths.configDir)) {
+        return {
+            name: "config",
+            status: "warn",
+            message: `No dg config directory exists at ${paths.configDir}`
+        };
+    }
+    try {
+        accessSync(paths.configDir, constants.R_OK);
+        loadUserConfig(env);
+        return {
+            name: "config",
+            status: "pass",
+            message: `${paths.configDir} is readable and config is valid`
+        };
+    }
+    catch (error) {
+        return {
+            name: "config",
+            status: "fail",
+            message: error instanceof ConfigError ? error.message : `${paths.configDir} is not readable`
+        };
+    }
+}
+function unavailableDoctorChecks() {
+    const unavailable = [
+        ["api", "API connectivity is not checked until this machine is authenticated. Run 'dg login', then run 'dg doctor' again."],
+        ["path-cache", "Shell command path cache checks are guidance only. After setup, run 'hash -r' for bash or 'rehash' for zsh."],
+        ["proxy", "Per-command proxy health is checked when a protected prefix command runs, for example 'dg npm install <package>'."],
+        ["ca", "CA health is checked during protected HTTPS artifact fetches or explicit service startup."],
+        ["upstream-proxy", "Corporate proxy chain health is checked during protected fetches when proxy environment variables are configured."],
+        ...OPTIONAL_SUPPORT_GATES.map((gate) => [gate.id, gate.message]),
+        ["dashboard", "Dashboard setup status is checked after authentication. Run 'dg login' and open the Dependency Guardian dashboard."],
+        ["docs-api", "Docs/OpenAPI health is a remote service check. Run 'dg login', then use 'dg verify <target>' or a protected prefix command."]
+    ];
+    return unavailable.map(([name, message]) => ({
+        name,
+        status: "unavailable",
+        message
+    }));
+}
+function dgPathCheck(env) {
+    const current = currentDgBinaryPath(env);
+    const candidates = findDgExecutables(env);
+    const first = candidates[0] ?? null;
+    if (!first) {
+        return {
+            name: "dg-binary-path",
+            status: "warn",
+            message: current
+                ? `The running dg binary is ${current}, but no dg executable is on PATH. Add ${dirname(current)} to PATH or invoke this path directly.`
+                : "No dg executable was found on PATH. Add the installed dg bin directory to PATH, then run 'dg doctor' again."
+        };
+    }
+    if (current && resolve(first) !== resolve(current)) {
+        return {
+            name: "dg-binary-path",
+            status: "warn",
+            message: `Another dg executable is earlier on PATH: ${first}. This command is running ${current}. Run 'which -a dg' and put ${dirname(current)} before older dg entries.`
+        };
+    }
+    return {
+        name: "dg-binary-path",
+        status: "pass",
+        message: `dg on PATH resolves to ${first}`
+    };
+}
+function currentDgBinaryPath(env) {
+    const explicit = env.DG_TEST_CURRENT_DG_PATH;
+    if (explicit) {
+        return explicit;
+    }
+    const invoked = process.argv[1];
+    if (!invoked) {
+        return null;
+    }
+    const invokedName = basename(invoked);
+    return invokedName === "dg" || invokedName === "dg.js" ? invoked : null;
+}
+function findDgExecutables(env) {
+    const extensions = process.platform === "win32" ? ["", ".cmd", ".exe", ".bat"] : [""];
+    const matches = [];
+    for (const rawDir of (env.PATH ?? "").split(delimiter).filter(Boolean)) {
+        for (const extension of extensions) {
+            const candidate = join(rawDir, `dg${extension}`);
+            try {
+                accessSync(candidate, constants.X_OK);
+                matches.push(candidate);
+                break;
+            }
+            catch {
+                // Keep scanning PATH entries.
+            }
+        }
+    }
+    return matches;
+}
+function serviceCheck(env) {
+    const state = readServiceState(env).state;
+    if (!state.configured) {
+        return {
+            name: "service",
+            status: "pass",
+            message: "Off (optional Team feature for CI / private registries)"
+        };
+    }
+    if (!state.running) {
+        return {
+            name: "service",
+            status: "warn",
+            message: `Service mode is configured but stopped; trust installed: ${state.trustInstalled ? "yes" : "no"}`
+        };
+    }
+    if (!state.proxy) {
+        return {
+            name: "service",
+            status: "warn",
+            message: state.lastError ?? "Service mode is running without a persistent proxy"
+        };
+    }
+    return {
+        name: "service",
+        status: "pass",
+        message: `Service mode is running at ${state.proxy.proxyUrl}; trust installed: ${state.trustInstalled ? "yes" : "no"}`
+    };
+}
+function pathPrecedenceCheck(env, shimDir) {
+    const pathEntries = (env.PATH ?? "").split(delimiter).filter(Boolean);
+    const shimIndex = pathEntries.indexOf(shimDir);
+    const activateFix = `activate this shell: ${currentShellActivation(env)} — or open a new terminal`;
+    if (shimIndex === -1) {
+        return {
+            name: "path",
+            status: "warn",
+            message: `${shimDir} is not on PATH`,
+            fix: activateFix
+        };
+    }
+    let offender = null;
+    let resolvedAny = false;
+    for (const command of SHIM_COMMANDS) {
+        const real = resolveRealBinary({ name: command, env }).path;
+        if (!real) {
+            continue;
+        }
+        resolvedAny = true;
+        const dir = dirname(real);
+        const dirIndex = pathEntries.indexOf(dir);
+        if (dirIndex !== -1 && dirIndex < shimIndex && !offender) {
+            offender = { dir, command };
+        }
+    }
+    if (!resolvedAny) {
+        return {
+            name: "path",
+            status: "pass",
+            message: `${shimDir} is on PATH; no shimmed package managers found to shadow`
+        };
+    }
+    if (offender) {
+        return {
+            name: "path",
+            status: "warn",
+            message: `${shimDir} is on PATH but ${offender.dir} resolves ${offender.command} first`,
+            fix: activateFix
+        };
+    }
+    return {
+        name: "path",
+        status: "pass",
+        message: `${shimDir} precedes the real package-manager directories on PATH`
+    };
+}
+function currentShellActivation(env) {
+    const shell = resolveShell("auto", env);
+    const homeDir = resolveDgPaths(env).homeDir;
+    const rcPath = shellRcPath(homeDir, shell);
+    const rcDisplay = rcPath.startsWith(homeDir) ? `~${rcPath.slice(homeDir.length)}` : rcPath;
+    return activationCommand(shell, rcDisplay);
+}
+function realBinaryResolutionCheck(env) {
+    const installed = SHIM_COMMANDS.filter((command) => resolveRealBinary({ name: command, env }).path);
+    const absent = SHIM_COMMANDS.filter((command) => !resolveRealBinary({ name: command, env }).path);
+    return {
+        name: "real-binary-resolution",
+        status: "pass",
+        message: absent.length === 0
+            ? `Protecting ${installed.join(", ")}`
+            : `Protecting ${installed.join(", ")} (${absent.join(", ")} not installed — nothing to protect there)`
+    };
+}
+function authCheck(env) {
+    try {
+        const status = authStatus(env);
+        const connected = status.email && status.tier
+            ? `${status.email} · ${displayTier(status.tier)} plan`
+            : `Authenticated from ${status.source} token ${status.tokenPreview}`;
+        return {
+            name: "auth",
+            status: status.authenticated ? "pass" : "warn",
+            message: status.authenticated ? connected : "not signed in"
+        };
+    }
+    catch (error) {
+        return {
+            name: "auth",
+            status: "fail",
+            message: error instanceof AuthError ? error.message : "Unable to read auth state"
+        };
+    }
+}
+function policyCheck(env) {
+    try {
+        const config = loadUserConfig(env);
+        return {
+            name: "policy",
+            status: "pass",
+            message: `Local policy mode ${config.policy.mode}; project allowlists trusted: ${config.policy.trustProjectAllowlists}`
+        };
+    }
+    catch (error) {
+        return {
+            name: "policy",
+            status: "fail",
+            message: error instanceof ConfigError ? error.message : "Unable to read policy config"
+        };
+    }
+}
+function telemetryCheck(env) {
+    try {
+        const config = loadUserConfig(env);
+        return {
+            name: "telemetry",
+            status: "pass",
+            message: config.telemetry.enabled ? "Telemetry is enabled with minimized event fields" : "Telemetry is disabled"
+        };
+    }
+    catch (error) {
+        return {
+            name: "telemetry",
+            status: "fail",
+            message: error instanceof ConfigError ? error.message : "Unable to read telemetry config"
+        };
+    }
+}
+export function writeRegistry(paths, registry) {
+    mkdirSync(dirname(paths.cleanupRegistryPath), {
+        recursive: true,
+        mode: 0o700
+    });
+    const tempPath = `${paths.cleanupRegistryPath}.${process.pid}.tmp`;
+    writeFileSync(tempPath, `${JSON.stringify(registry, null, 2)}\n`, {
+        encoding: "utf8",
+        mode: 0o600
+    });
+    renameSync(tempPath, paths.cleanupRegistryPath);
+}
+function withRegistryLock(paths, action) {
+    const lock = acquireLockSync(paths, CLEANUP_REGISTRY_LOCK, {
+        staleMs: SETUP_UNINSTALL_LOCK_STALE_MS
+    });
+    try {
+        return action();
+    }
+    finally {
+        lock.release();
+    }
+}
+function writeRegistryWithLock(paths, registry) {
+    withRegistryLock(paths, () => writeRegistry(paths, registry));
+}
+function removeShim(entry, removed, missing, warnings) {
+    if (!existsSync(entry.path)) {
+        missing.push(entry.path);
+        return;
+    }
+    if (!validShim(entry.path, basename(entry.path))) {
+        warnings.push(`refused to remove drifted shim: ${entry.path}`);
+        return;
+    }
+    rmSync(entry.path, {
+        force: true
+    });
+    removed.push(entry.path);
+}
+function removeRcBlock(entry, removed, missing, warnings) {
+    const existing = readText(entry.path);
+    if (!existing) {
+        missing.push(entry.path);
+        return;
+    }
+    if (!existing.includes(RC_SENTINEL)) {
+        warnings.push(`refused to edit shell rc without dg sentinel: ${entry.path}`);
+        return;
+    }
+    writeFileSync(entry.path, stripRcBlock(existing), "utf8");
+    removed.push(entry.path);
+}
+export function reverseGitHookEntry(entry, removed, missing, warnings) {
+    const sentinel = entry.sentinel ?? GUARD_HOOK_SENTINEL;
+    let ownsTarget = false;
+    if (!existsSync(entry.path)) {
+        missing.push(entry.path);
+        ownsTarget = true;
+    }
+    else if (readText(entry.path).split("\n", 2)[1]?.includes(sentinel)) {
+        rmSync(entry.path, { force: true });
+        removed.push(entry.path);
+        ownsTarget = true;
+    }
+    else {
+        warnings.push(`refused to remove git hook without dg sentinel: ${entry.path}`);
+    }
+    if (!ownsTarget) {
+        return;
+    }
+    if (entry.original) {
+        if (existsSync(entry.original)) {
+            try {
+                renameSync(entry.original, entry.path);
+                removed.push(entry.original);
+            }
+            catch (error) {
+                warnings.push(`could not restore chained hook ${entry.original}: ${error instanceof Error ? error.message : "unknown error"}`);
+            }
+        }
+        else {
+            missing.push(entry.original);
+        }
+    }
+}
+function removeDirectory(path, removed, missing) {
+    if (!existsSync(path)) {
+        missing.push(path);
+        return;
+    }
+    rmSync(path, {
+        force: true,
+        recursive: true
+    });
+    removed.push(path);
+}
+function validShim(path, command) {
+    if (!existsSync(path)) {
+        return false;
+    }
+    return isValidShimSource(readText(path), command);
+}
+export function isValidShimSource(content, command) {
+    if (!content.includes(SHIM_SENTINEL)) {
+        return false;
+    }
+    return content.includes("DG_SHIM_ACTIVE=") && content.includes('exec "') && content.includes(`" ${command} "$@"`);
+}
+function readText(path) {
+    try {
+        return readFileSync(path, "utf8");
+    }
+    catch {
+        return "";
+    }
+}
+function escapeRegex(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}