@westbayberry/dg 1.3.3 → 2.0.0

package/dist/commands/audit.js

@@ -0,0 +1,357 @@
+import { existsSync, readFileSync, statSync, writeFileSync } from "node:fs";
+import { basename, dirname, resolve } from "node:path";
+import { EXIT_TOOL_ERROR, EXIT_USAGE } from "./types.js";
+import { resolvePresentation } from "../presentation/mode.js";
+import { createTheme } from "../presentation/theme.js";
+import { actionForFindings, detectFindings, findingLocation } from "../audit/detectors.js";
+import { buildAuditFile } from "../publish-set/collect.js";
+import { npmPublishSet } from "../publish-set/npm.js";
+import { pypiPublishSet } from "../publish-set/pypi.js";
+import { deepDecision, runDeepUpload, consentGiven, deepSummary, teamPolicyBlocksUpload } from "../audit/deep.js";
+import { loadUserConfig, saveUserConfig, setConfigValue } from "../config/settings.js";
+import { promptYesNo } from "../util/tty-prompt.js";
+import { authStatus } from "../auth/store.js";
+import { shouldLaunchAuditTui, launchAuditTui } from "../audit-ui/launch.js";
+export const auditCommand = {
+    name: "audit",
+    summary: "Audit the package you're about to publish for leaked secrets and risky files.",
+    usage: "dg audit [path] [--json] [--output <path>] [--local] [--require-deep] [--fail-on <warn|block>]",
+    args: [
+        { name: "[path]", summary: "Package directory to audit (default: the nearest package from the current directory)." }
+    ],
+    flags: [
+        { flag: "--json", summary: "Machine-readable report." },
+        { flag: "--output", value: "<path>", summary: "Write the report to a file (alias -o)." },
+        { flag: "--local", summary: "Run only the local audit; skip the paid deep behavioral upload." },
+        { flag: "--require-deep", summary: "Fail if the deep behavioral audit could not run (for CI)." },
+        { flag: "--fail-on", value: "<warn|block>", summary: "Exit non-zero at or above this level (default: block)." }
+    ],
+    examples: ["dg audit", "dg audit ./packages/api", "dg audit --json", "dg audit --local"],
+    details: [
+        "Audits exactly what you're about to publish — the resolved publish set of one package, never the whole repo.",
+        "Basic checks run 100% locally and never upload anything. If you're on a paid plan (and your org allows it), it also runs a deep behavioral scan of your package on the scanner; raw bytes are never retained. Exit codes: 0 clean (warn counts as clean under the default --fail-on block), 1 warn with --fail-on warn, 2 block, 3 deep audit required but unavailable (--require-deep), 4 analysis incomplete."
+    ],
+    handler: (context) => runAuditCommand(context.args)
+};
+function gather(args) {
+    const parsed = parseAuditArgs(args);
+    if ("error" in parsed) {
+        return { error: parsed.error, usage: true };
+    }
+    const scope = resolveScope(parsed.target);
+    if ("error" in scope) {
+        return { error: scope.error, usage: false };
+    }
+    const set = scope.ecosystem === "pypi" ? pypiPublishSet(scope.root) : npmPublishSet(scope.root);
+    const files = set.relPaths
+        .map((relPath) => buildAuditFile(scope.root, relPath))
+        .filter((file) => file !== null);
+    const context = {
+        packageJson: scope.packageJson,
+        ecosystem: scope.ecosystem,
+        hasFilesAllowlist: set.hasAllowlist,
+        fileCount: files.length
+    };
+    const findings = detectFindings(files, context);
+    return { parsed, scope, localAction: actionForFindings(findings), findings, publishSetSource: set.source, fileCount: files.length };
+}
+function finalize(gathered, deep) {
+    const { parsed, scope } = gathered;
+    const report = {
+        target: displayTarget(scope.root),
+        artifact: scope.artifact,
+        ecosystem: scope.ecosystem,
+        action: combineAction(gathered.localAction, deep),
+        fileCount: gathered.fileCount,
+        publishSetSource: gathered.publishSetSource,
+        findings: gathered.findings,
+        deep
+    };
+    const theme = createTheme(resolvePresentation().color);
+    const rendered = parsed.format === "json" ? `${JSON.stringify(report, null, 2)}\n` : renderReport(report, theme);
+    if (parsed.outputPath) {
+        try {
+            writeFileSync(resolve(parsed.outputPath), rendered, "utf8");
+        }
+        catch (error) {
+            return { exitCode: EXIT_TOOL_ERROR, stdout: "", stderr: `dg audit could not write ${parsed.outputPath}: ${error instanceof Error ? error.message : "write error"}\n` };
+        }
+        return { exitCode: exitCodeFor(report, parsed), stdout: `Wrote ${parsed.format} audit report to ${parsed.outputPath}\n`, stderr: "" };
+    }
+    return { exitCode: exitCodeFor(report, parsed), stdout: rendered, stderr: "" };
+}
+function gatherError(gathered) {
+    return gathered.usage ? usageError(gathered.error) : { exitCode: EXIT_USAGE, stdout: "", stderr: `dg audit: ${gathered.error}.\n` };
+}
+function runAuditCommand(args) {
+    const gathered = gather(args);
+    if ("error" in gathered) {
+        return gatherError(gathered);
+    }
+    const decision = deepDecision(gathered.scope, gathered.parsed.local);
+    return finalize(gathered, { ran: false, reason: decision.reason });
+}
+export async function maybeAudit(args) {
+    if (args[0] !== "audit") {
+        return { handled: false, result: { exitCode: 0, stdout: "", stderr: "" } };
+    }
+    const gathered = gather(args.slice(1));
+    if ("error" in gathered) {
+        return { handled: true, result: gatherError(gathered) };
+    }
+    let decision = deepDecision(gathered.scope, gathered.parsed.local);
+    if (!decision.upload && canPromptConsent(gathered)) {
+        if (!(await teamPolicyBlocksUpload())) {
+            if (grantConsentInteractively()) {
+                decision = deepDecision(gathered.scope, gathered.parsed.local);
+            }
+        }
+    }
+    if (shouldLaunchAuditTui({ format: gathered.parsed.format, outputPath: gathered.parsed.outputPath })) {
+        const uploadAbort = new AbortController();
+        const deepPromise = decision.upload
+            ? runDeepUpload(gathered.scope, gathered.scope.packageJson, { signal: uploadAbort.signal })
+            : null;
+        const initialDeep = decision.upload ? null : { ran: false, reason: decision.reason };
+        const exitCode = await launchAuditTui({ gathered, initialDeep, deepPromise });
+        uploadAbort.abort();
+        return { handled: true, result: { exitCode, stdout: "", stderr: "" } };
+    }
+    if (!decision.upload) {
+        return { handled: true, result: finalize(gathered, { ran: false, reason: decision.reason }) };
+    }
+    try {
+        const deep = await runDeepUpload(gathered.scope, gathered.scope.packageJson);
+        return { handled: true, result: finalize(gathered, deep) };
+    }
+    catch (error) {
+        const reason = error instanceof Error ? error.message : "deep audit failed";
+        return { handled: true, result: finalize(gathered, { ran: false, reason }) };
+    }
+}
+function canPromptConsent(gathered) {
+    return (!gathered.parsed.local &&
+        gathered.parsed.format !== "json" &&
+        !gathered.parsed.outputPath &&
+        gathered.scope.ecosystem === "npm" &&
+        Boolean(process.stdin.isTTY && process.stderr.isTTY) &&
+        !consentGiven() &&
+        safeAuthed());
+}
+function safeAuthed() {
+    try {
+        return authStatus().authenticated;
+    }
+    catch {
+        return false;
+    }
+}
+function grantConsentInteractively() {
+    process.stderr.write("\n  dg audit can also run a deep behavioral scan of this package on Dependency Guardian's scanner.\n" +
+        "  That uploads a packed copy of your package (no lifecycle scripts run); raw bytes are never retained,\n" +
+        "  only the verdict + redacted findings are recorded to your dashboard.\n");
+    const yes = promptYesNo("  Enable the deep upload for this machine?", false);
+    if (yes === true) {
+        try {
+            saveUserConfig(setConfigValue(loadUserConfig(), "audit.upload", "true"));
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    return false;
+}
+export function combineAction(local, deep) {
+    if (deep.ran && deep.action === "block") {
+        return "block";
+    }
+    if (deep.ran && deep.action === "warn" && local === "pass") {
+        return "warn";
+    }
+    return local;
+}
+export function auditExitCode(localAction, deep, policy) {
+    const action = combineAction(localAction, deep);
+    if (policy.requireDeep && !deep.ran) {
+        return 3;
+    }
+    if (deep.ran && deep.action === "analysis_incomplete" && action !== "block") {
+        return 4;
+    }
+    if (action === "block") {
+        return 2;
+    }
+    if (action === "warn") {
+        return policy.failOn === "warn" ? 1 : 0;
+    }
+    return 0;
+}
+function exitCodeFor(report, parsed) {
+    return auditExitCode(report.action, report.deep, { requireDeep: parsed.requireDeep, failOn: parsed.failOn });
+}
+function resolveScope(target) {
+    const absolute = resolve(target);
+    if (!existsSync(absolute)) {
+        return { error: `path does not exist: ${target}` };
+    }
+    const start = statSync(absolute).isDirectory() ? absolute : dirname(absolute);
+    const root = findPackageRoot(start);
+    if (!root) {
+        return { error: "no package manifest found here — run inside the package you're publishing, or pass its path" };
+    }
+    if (existsSync(resolve(root, "package.json"))) {
+        const packageJson = safeReadJson(resolve(root, "package.json"));
+        const name = packageJson && typeof packageJson.name === "string" ? packageJson.name : basename(root);
+        const version = packageJson && typeof packageJson.version === "string" ? packageJson.version : "(unknown)";
+        return { root, ecosystem: "npm", packageJson, artifact: `${name}@${version}` };
+    }
+    if (existsSync(resolve(root, "pyproject.toml")) || existsSync(resolve(root, "setup.py")) || existsSync(resolve(root, "setup.cfg"))) {
+        return { root, ecosystem: "pypi", packageJson: null, artifact: basename(root) };
+    }
+    if (existsSync(resolve(root, "Cargo.toml"))) {
+        return { root, ecosystem: "cargo", packageJson: null, artifact: basename(root) };
+    }
+    return { root, ecosystem: "unknown", packageJson: null, artifact: basename(root) };
+}
+function findPackageRoot(start) {
+    let current = start;
+    for (let depth = 0; depth < 40; depth += 1) {
+        if (existsSync(resolve(current, "package.json")) ||
+            existsSync(resolve(current, "pyproject.toml")) ||
+            existsSync(resolve(current, "setup.py")) ||
+            existsSync(resolve(current, "setup.cfg")) ||
+            existsSync(resolve(current, "Cargo.toml"))) {
+            return current;
+        }
+        const parent = dirname(current);
+        if (parent === current) {
+            return null;
+        }
+        current = parent;
+    }
+    return null;
+}
+const WARN_GLYPH = "\u26A0\uFE0E";
+function renderReport(report, theme) {
+    const muted = (text) => theme.paint("muted", text);
+    const accent = (text) => theme.paint("accent", text);
+    const role = report.action === "block" ? "block" : report.action === "warn" ? "warn" : "pass";
+    const glyph = report.action === "block" ? "✘" : report.action === "warn" ? WARN_GLYPH : "✓";
+    const blocking = report.findings.filter((finding) => finding.severity >= 4).length;
+    const warnings = report.findings.filter((finding) => finding.severity === 3).length;
+    const notes = report.findings.filter((finding) => finding.severity < 3).length;
+    const counts = [
+        blocking ? `${blocking} blocking` : "",
+        warnings ? `${warnings} warning${warnings === 1 ? "" : "s"}` : "",
+        notes ? `${notes} note${notes === 1 ? "" : "s"}` : ""
+    ].filter(Boolean).join(" · ") || "no issues";
+    const fileLabel = `${report.fileCount} file${report.fileCount === 1 ? "" : "s"}`;
+    const fallback = report.publishSetSource === "fallback" ? " · publish set approximated" : "";
+    const lines = [
+        ...verdictBox([
+            `${theme.paint(role, `${glyph} ${report.action.toUpperCase()}`)}   ${accent(report.artifact)} ${muted(`· ${report.ecosystem}`)}`,
+            muted(`${counts} in ${fileLabel}${fallback}`)
+        ], theme, role),
+        ""
+    ];
+    for (const finding of report.findings) {
+        const tag = finding.severity >= 4
+            ? theme.paint("block", "✘")
+            : finding.severity >= 3
+                ? theme.paint("warn", WARN_GLYPH)
+                : theme.paint("muted", "·");
+        lines.push(`  ${tag} ${accent(findingLocation(finding))}`);
+        lines.push(`     ${finding.title}`);
+        if (finding.evidence && finding.evidence !== `path: ${finding.location}` && finding.evidence !== finding.location) {
+            lines.push(`     ${muted(finding.evidence)}`);
+        }
+        lines.push(`     ${accent("→")} ${finding.recommendation}`);
+        lines.push("");
+    }
+    lines.push(`  ${muted(`Deep behavioral scan · ${deepSummary(report.deep)}`)}`);
+    return `${lines.join("\n")}\n`;
+}
+function visibleWidth(text) {
+    return text.replace(/\u001b\[[0-9;]*m/g, "").replace(/[\uFE0E\uFE0F]/gu, "").length;
+}
+function verdictBox(content, theme, role) {
+    const inner = Math.max(...content.map(visibleWidth));
+    const edge = (text) => theme.paint(role, text);
+    return [
+        `  ${edge(`╭${"─".repeat(inner + 2)}╮`)}`,
+        ...content.map((line) => `  ${edge("│")} ${line}${" ".repeat(inner - visibleWidth(line))} ${edge("│")}`),
+        `  ${edge(`╰${"─".repeat(inner + 2)}╯`)}`
+    ];
+}
+function parseAuditArgs(args) {
+    let target = ".";
+    let sawTarget = false;
+    let format = "text";
+    let outputPath = null;
+    let local = false;
+    let requireDeep = false;
+    let failOn = "block";
+    for (let index = 0; index < args.length; index += 1) {
+        const arg = args[index];
+        if (!arg) {
+            return { error: "empty argument" };
+        }
+        if (arg === "--json") {
+            format = "json";
+        }
+        else if (arg === "--local") {
+            local = true;
+        }
+        else if (arg === "--require-deep") {
+            requireDeep = true;
+        }
+        else if (arg === "--output" || arg === "-o") {
+            const next = args[index + 1];
+            if (!next) {
+                return { error: `${arg} requires a path` };
+            }
+            outputPath = next;
+            index += 1;
+        }
+        else if (arg === "--fail-on") {
+            const next = args[index + 1];
+            if (next !== "warn" && next !== "block") {
+                return { error: "--fail-on requires 'warn' or 'block'" };
+            }
+            failOn = next;
+            index += 1;
+        }
+        else if (arg.startsWith("-")) {
+            return { error: `unknown option '${arg}'` };
+        }
+        else if (sawTarget) {
+            return { error: "audit accepts at most one path" };
+        }
+        else {
+            target = arg;
+            sawTarget = true;
+        }
+    }
+    return { target, format, outputPath, local, requireDeep, failOn };
+}
+export function displayTarget(root) {
+    const rel = root.startsWith(process.cwd()) ? root.slice(process.cwd().length).replace(/^[/\\]/u, "") : root;
+    return rel.length === 0 ? "." : rel;
+}
+function safeReadJson(path) {
+    try {
+        const parsed = JSON.parse(readFileSync(path, "utf8"));
+        return typeof parsed === "object" && parsed !== null && !Array.isArray(parsed) ? parsed : null;
+    }
+    catch {
+        return null;
+    }
+}
+function usageError(message) {
+    return {
+        exitCode: EXIT_USAGE,
+        stdout: "",
+        stderr: `dg audit: ${message}. Usage: ${auditCommand.usage}\n`
+    };
+}

package/dist/commands/completion.js

@@ -0,0 +1,116 @@
+import { commandCatalog } from "./router.js";
+import { packageManagerCommandNames } from "./wrap.js";
+import { EXIT_USAGE } from "./types.js";
+const SHELLS = ["bash", "zsh", "fish"];
+const COMMON_FLAGS = ["--help", "--version", "--json", "--sarif", "--output", "--yes", "--check", "--staged", "--dg-force-install"];
+const FISH_FLAG_DESCRIPTIONS = {
+    "--help": "Show help",
+    "--version": "Show version",
+    "--json": "Write JSON output",
+    "--sarif": "Write SARIF output",
+    "--output": "Write report to file",
+    "--yes": "Apply a confirmed mutation",
+    "--check": "Report without mutating",
+    "--staged": "Limit to staged files",
+    "--dg-force-install": "Install despite a block, where policy allows"
+};
+function completionCommands() {
+    const names = new Set(packageManagerCommandNames);
+    for (const command of commandCatalog) {
+        names.add(command.name);
+        for (const alias of command.aliases ?? []) {
+            names.add(alias);
+        }
+    }
+    return [...names];
+}
+export const completionCommand = {
+    name: "completion",
+    summary: "Print shell completion for bash, zsh, or fish.",
+    usage: "dg completion <bash|zsh|fish>",
+    args: [{ name: "<shell>", summary: "bash, zsh, or fish." }],
+    examples: [
+        "dg completion bash > ~/.local/share/bash-completion/completions/dg",
+        "dg completion zsh > ~/.zfunc/_dg",
+        "dg completion fish > ~/.config/fish/completions/dg.fish"
+    ],
+    details: ["Prints a completion script to stdout without changing shell files."],
+    handler: (context) => completionHandler(context.args)
+};
+function completionHandler(args) {
+    const [shell, ...rest] = args;
+    if (!shell || rest.length > 0 || !isSupportedShell(shell)) {
+        return {
+            exitCode: EXIT_USAGE,
+            stdout: "",
+            stderr: "dg completion: expected one shell: bash, zsh, or fish.\n"
+        };
+    }
+    return {
+        exitCode: 0,
+        stdout: renderCompletion(shell),
+        stderr: ""
+    };
+}
+function isSupportedShell(value) {
+    return SHELLS.includes(value);
+}
+function renderCompletion(shell) {
+    const commandList = completionCommands();
+    const commands = commandList.join(" ");
+    const flags = COMMON_FLAGS.join(" ");
+    if (shell === "bash") {
+        return `# dg bash completion
+_dg_completion() {
+  local cur prev
+  COMPREPLY=()
+  cur="\${COMP_WORDS[COMP_CWORD]}"
+  prev="\${COMP_WORDS[COMP_CWORD-1]}"
+  if [ "$prev" = "completion" ]; then
+    COMPREPLY=( $(compgen -W "bash zsh fish" -- "$cur") )
+    return 0
+  fi
+  if [ "$COMP_CWORD" -eq 1 ]; then
+    COMPREPLY=( $(compgen -W "${commands}" -- "$cur") )
+    return 0
+  fi
+  COMPREPLY=( $(compgen -W "${flags}" -- "$cur") )
+}
+complete -F _dg_completion dg
+`;
+    }
+    if (shell === "zsh") {
+        return `#compdef dg
+_dg() {
+  local -a commands flags shells
+  commands=(${commandList.map((command) => escapeZsh(command)).join(" ")})
+  flags=(${COMMON_FLAGS.map((flag) => escapeZsh(flag)).join(" ")})
+  shells=(bash zsh fish)
+  if [[ "$words[2]" == "completion" ]]; then
+    compadd "$@" -- "$shells[@]"
+    return
+  fi
+  if [[ "$CURRENT" -eq 2 ]]; then
+    compadd "$@" -- "$commands[@]"
+    return
+  fi
+  compadd "$@" -- "$flags[@]"
+}
+_dg "$@"
+`;
+    }
+    const fishFlagLines = COMMON_FLAGS.map((flag) => {
+        const option = flag.replace(/^--/u, "");
+        const requiresArg = flag === "--output" ? " -r" : "";
+        const description = FISH_FLAG_DESCRIPTIONS[flag] ?? option;
+        return `complete -c dg -f -l ${option}${requiresArg} -d '${description}'`;
+    }).join("\n");
+    return `# dg fish completion
+complete -c dg -f -n '__fish_is_first_arg' -a '${commands}' -d 'Dependency Guardian command'
+complete -c dg -f -n '__fish_seen_subcommand_from completion' -a 'bash zsh fish' -d 'Shell'
+${fishFlagLines}
+`;
+}
+function escapeZsh(value) {
+    return value.replace(/([\\[\]{}()$`"'\s])/gu, "\\$1");
+}

package/dist/commands/config.js

@@ -0,0 +1,99 @@
+import { EXIT_USAGE } from "./types.js";
+import { ConfigError, getConfigValue, isConfigKey, listConfig, loadUserConfig, saveUserConfig, setConfigValue, unsetConfigValue } from "../config/settings.js";
+export const configCommand = {
+    name: "config",
+    summary: "Inspect or edit trusted dg configuration.",
+    usage: "dg config <get|set|unset|list> [key] [value] [--json]",
+    args: [
+        { name: "<action>", summary: "list | get <key> | set <key> <value> | unset <key>." },
+        { name: "[key]", summary: "e.g. policy.mode, gitHook.onWarn, gitHook.onIncomplete, api.baseUrl." }
+    ],
+    flags: [{ flag: "--json", summary: "Machine-readable output for list/get." }],
+    examples: ["dg config list", "dg config get policy.mode", "dg config set gitHook.onWarn allow", "dg config unset api.baseUrl"],
+    details: [
+        "Reads and writes user-global dg configuration only.",
+        "Project-local config and allowlists remain untrusted for install-time firewall enforcement by default."
+    ],
+    handler: (context) => configHandler(context.args)
+};
+function configHandler(args) {
+    const json = args.includes("--json");
+    const filtered = args.filter((arg) => arg !== "--json");
+    const [action, key, value, extra] = filtered;
+    if (!action || extra) {
+        return usageError("expected get, set, unset, or list");
+    }
+    try {
+        const config = loadUserConfig();
+        if (action === "list") {
+            if (key || value) {
+                return usageError("list does not accept a key or value");
+            }
+            const entries = listConfig(config);
+            return {
+                exitCode: 0,
+                stdout: json ? `${JSON.stringify(Object.fromEntries(entries.map((entry) => [entry.key, entry.value])), null, 2)}\n` : renderConfigList(entries),
+                stderr: ""
+            };
+        }
+        if (!key || !isConfigKey(key)) {
+            return usageError(`unknown config key '${key ?? ""}'`);
+        }
+        if (action === "get") {
+            if (value) {
+                return usageError("get accepts only a key");
+            }
+            const result = getConfigValue(config, key);
+            return {
+                exitCode: 0,
+                stdout: json ? `${JSON.stringify({ key, value: result }, null, 2)}\n` : `${result}\n`,
+                stderr: ""
+            };
+        }
+        if (action === "set") {
+            if (value === undefined) {
+                return usageError("set requires a value");
+            }
+            const next = setConfigValue(config, key, value);
+            saveUserConfig(next);
+            return {
+                exitCode: 0,
+                stdout: `${key}=${getConfigValue(next, key)}\n`,
+                stderr: ""
+            };
+        }
+        if (action === "unset") {
+            if (value) {
+                return usageError("unset accepts only a key");
+            }
+            const next = unsetConfigValue(config, key);
+            saveUserConfig(next);
+            return {
+                exitCode: 0,
+                stdout: `${key}=${getConfigValue(next, key)}\n`,
+                stderr: ""
+            };
+        }
+        return usageError(`unknown action '${action}'`);
+    }
+    catch (error) {
+        if (error instanceof ConfigError) {
+            return {
+                exitCode: EXIT_USAGE,
+                stdout: "",
+                stderr: `dg config: ${error.message}\n`
+            };
+        }
+        throw error;
+    }
+}
+function renderConfigList(entries) {
+    return `${entries.map((entry) => `${entry.key}=${entry.value}`).join("\n")}\n`;
+}
+function usageError(message) {
+    return {
+        exitCode: EXIT_USAGE,
+        stdout: "",
+        stderr: `dg config: ${message}. Run 'dg config --help'.\n`
+    };
+}

package/dist/commands/doctor.js

@@ -0,0 +1,39 @@
+import { EXIT_USAGE } from "./types.js";
+import { doctorReport, renderDoctorReport } from "../setup/plan.js";
+import { resolvePresentation } from "../presentation/mode.js";
+import { createTheme } from "../presentation/theme.js";
+export const doctorCommand = {
+    name: "doctor",
+    summary: "Inspect local dg health and setup state.",
+    usage: "dg doctor [--verbose] [--json]",
+    flags: [
+        { flag: "--verbose", summary: "List every check, including passing and gated ones (alias -v)." },
+        { flag: "--json", summary: "Machine-readable check results." }
+    ],
+    examples: ["dg doctor", "dg doctor --verbose"],
+    details: [
+        "Checks runtime, package, config, auth, PATH, package-manager resolution, stale state, optional support gates, service state, and next fix commands.",
+        "Groups checks and collapses passing ones; --verbose lists every check including gated/remote surfaces."
+    ],
+    handler: (context) => doctorHandler(context.args)
+};
+function doctorHandler(args) {
+    const json = args.includes("--json");
+    const verbose = args.includes("--verbose") || args.includes("-v");
+    const unknown = args.find((arg) => arg !== "--json" && arg !== "--verbose" && arg !== "-v");
+    if (unknown) {
+        return {
+            exitCode: EXIT_USAGE,
+            stdout: "",
+            stderr: `dg doctor: unknown option '${unknown}'. Run 'dg doctor --help'.\n`
+        };
+    }
+    const report = doctorReport();
+    const hasFailure = report.checks.some((check) => check.status === "fail");
+    const theme = createTheme(resolvePresentation().color);
+    return {
+        exitCode: hasFailure ? 1 : 0,
+        stdout: json ? `${JSON.stringify(report, null, 2)}\n` : renderDoctorReport(report, theme, verbose),
+        stderr: ""
+    };
+}