agent-security-lens 0.1.8 → 0.1.9

package/.mcp/server.json

@@ -2,18 +2,18 @@
   "$schema": "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json",
   "name": "io.github.professor2k8/agent-security-lens",
   "title": "Agent Security Lens (AgentSecurityLens)",
-  "description": "Safe-install and trust-check MCP for agents to review MCPs, Skills and tools before installation.",
+  "description": "Safe-install and trust-check MCP for agents before installing MCPs, Skills or tools.",
   "status": "active",
   "repository": {
     "url": "https://github.com/professor2k8/agent-security-lens",
     "source": "github"
   },
-  "version": "0.1.8",
+  "version": "0.1.9",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "agent-security-lens",
-      "version": "0.1.8",
+      "version": "0.1.9",
       "transport": {
         "type": "stdio"
       },

package/AGENTS.md

@@ -6,6 +6,12 @@ If you are an autonomous agent, coding agent, workflow agent or tool-installing
 
 ## Quick Decision
 
+First check ASL health and intelligence coverage:
+
+```bash
+npx -y agent-security-lens doctor
+```
+
 Run a pre-install decision check:
 
 ```bash

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.1.9
+
+- Add `agent-security-lens doctor` so agents can check cloud reachability, local fallback coverage and queued telemetry before first use.
+- Fix cloud review normalization so valid ASL Cloud install decisions are accepted instead of falling back to local mode.
+- Resolve common GitHub monorepo URLs and install commands, including `modelcontextprotocol/servers/.../filesystem`, to canonical known components.
+- Canonicalize cloud component display names on the client so agent-facing output uses stable component names.
+- Improve operations metrics by tracking explicit npm daily ranges instead of relying only on cached point windows.
+
 ## 0.1.8
 
 - Add copy-ready first-call examples for 10 common MCP install decisions.

package/README.md

@@ -21,6 +21,12 @@ Machine-readable agent instructions are also available in [AGENTS.md](AGENTS.md)
 
 ## Agent Quick Install
 
+Check whether ASL can reach online intelligence and what local fallback is available:
+
+```bash
+npx -y agent-security-lens doctor
+```
+
 Try one pre-install decision first:
 
 ```bash
@@ -132,6 +138,7 @@ Never submit private source code, secrets, tokens, cookies, or file contents.
 ## MCP Tools
 
 - `get_install_policy`: returns the current Agent execution policy.
+- `get_intelligence_status`: reports online or local intelligence status for MCP clients.
 - `review_before_install`: evaluates a proposed component and installation context.
 - `check_component`: retrieves known component intelligence.
 - `recommend_alternatives`: returns evidence-backed alternatives and mitigations.

package/RELEASE-MANIFEST.json

@@ -1,8 +1,8 @@
 {
   "schema_version": "0.1.0",
   "package": "agent-security-lens",
-  "version": "0.1.8",
-  "generated_at": "2026-06-25T04:55:00.570Z",
+  "version": "0.1.9",
+  "generated_at": "2026-06-27T08:42:28.272Z",
   "source": "ASL verified public release exporter",
   "files": [
     {
@@ -47,8 +47,8 @@
     },
     {
       "path": ".mcp/server.json",
-      "bytes": 1316,
-      "sha256": "a9dee7dbc493a6d4ebf6ceadf67d569c41cd5c1e0b7b63addf715845ed1595d8"
+      "bytes": 1303,
+      "sha256": "0ffe3bff5b51969977aa55a867698b72cdf7d1f3bd1b14c267d7979d5da92cb5"
     },
     {
       "path": ".npmignore",
@@ -57,13 +57,13 @@
     },
     {
       "path": "AGENTS.md",
-      "bytes": 1973,
-      "sha256": "320aba3d74cdec74b59ff4607abbe1fb920728daca44986aea115c377c563412"
+      "bytes": 2071,
+      "sha256": "2acf50a851a3ca8ec275f8c1bbdb198be44e519a9956a615136f8b4215fc51b8"
     },
     {
       "path": "CHANGELOG.md",
-      "bytes": 3077,
-      "sha256": "24dc14cfab212aff8e76624a9783533823fde9205234f6c4b507b96d87d6c2e6"
+      "bytes": 3723,
+      "sha256": "72baedc3dca9c034ed74d793c9ebb3df7109f595f31d6633651d6327fb7b801c"
     },
     {
       "path": "CODE_OF_CONDUCT.md",
@@ -92,8 +92,8 @@
     },
     {
       "path": "README.md",
-      "bytes": 8074,
-      "sha256": "4b7bd80bb553596693f5684341aeda4e61331e8f32c2f21fe0916edfefd521d3"
+      "bytes": 8298,
+      "sha256": "6a5a2f3afe1e5a606b953ca0fe224b0426466add17937962676c3cf62efb6931"
     },
     {
       "path": "SECURITY.md",
@@ -102,13 +102,13 @@
     },
     {
       "path": "apps/mcp-server/agent-security-lens-mcp.mjs",
-      "bytes": 15475,
-      "sha256": "b52fd8db2d26868d5403664420b631f08e7e1616b787b61644d79b647c1884e7"
+      "bytes": 15992,
+      "sha256": "d274f8a2973b66cfaa215e0c614017027836e6619c8ee842ba0be5399ce84f60"
     },
     {
       "path": "bin/agent-security-lens-review.mjs",
-      "bytes": 7016,
-      "sha256": "a11cfd8a70882c7d4ba4aa3af58f184db1acbfa4aa1a68e08f77ca4c232278f3"
+      "bytes": 7046,
+      "sha256": "49850a23241b275530b41a75068f1511b004d6dc8f55047e02ba9b616536c151"
     },
     {
       "path": "bin/agent-security-lens.mjs",
@@ -287,13 +287,13 @@
     },
     {
       "path": "llms.txt",
-      "bytes": 2803,
-      "sha256": "8e15f959d9f2a24155b606136d4c53d7029e97d948904f8874e393e58541ea78"
+      "bytes": 3059,
+      "sha256": "74052dfc82b3e3b36752a3d76039fa3e248f4afec0f3bb1bd1fe6505edbda5a0"
     },
     {
       "path": "package.json",
       "bytes": 2568,
-      "sha256": "8eb4b7416328821604b823bdb9f3676e46b00dfdd12733d64fc65b8a1623d376"
+      "sha256": "5f8c05a09aa2e944c5fd68e57e21b2979f3111f6744c36761cc7329df9018bd4"
     },
     {
       "path": "profiles/generic-agent/profile.json",
@@ -412,8 +412,8 @@
     },
     {
       "path": "scripts/verify-mcp-server.mjs",
-      "bytes": 9573,
-      "sha256": "acc6e8b27c48a8fc3d1804f739f0755ed4104a408115c53fefc9338d3f91698b"
+      "bytes": 10549,
+      "sha256": "8409444a8c52c3cd9860ad70be9fd29e8d31e05eff4c5f3dbd88eeefa6364f1a"
     },
     {
       "path": "scripts/verify-registry.mjs",
@@ -422,8 +422,8 @@
     },
     {
       "path": "server.json",
-      "bytes": 1316,
-      "sha256": "a9dee7dbc493a6d4ebf6ceadf67d569c41cd5c1e0b7b63addf715845ed1595d8"
+      "bytes": 1303,
+      "sha256": "0ffe3bff5b51969977aa55a867698b72cdf7d1f3bd1b14c267d7979d5da92cb5"
     },
     {
       "path": "src/assessment/assess.mjs",
@@ -457,13 +457,18 @@
     },
     {
       "path": "src/intelligence/component-intelligence.mjs",
-      "bytes": 14214,
-      "sha256": "f8987fa64abd0a89288a6b2d79670b0fd2666ac8a7ccd13a9fa94e7e5d3627d3"
+      "bytes": 15288,
+      "sha256": "11c887108c13fd7f303b3667818875616b7b31516fe417bcb92334c9895171d2"
     },
     {
       "path": "src/intelligence/decision-engine.mjs",
-      "bytes": 30122,
-      "sha256": "b0a7b7cf27cdbbd41b2dc7e2805c8f43919adc13c53de5ceee7521f3574ff342"
+      "bytes": 32292,
+      "sha256": "97c75f4225175b67aa75e1e46a3c87a0594dd19e9de18790a1f5b05a49be8e01"
+    },
+    {
+      "path": "src/intelligence/doctor.mjs",
+      "bytes": 3564,
+      "sha256": "fb9223d83598838b38c48f1b5ea0b61788d1dbe7ef0336b25bb4b60262dc82d5"
     },
     {
       "path": "src/intelligence/finding-context.mjs",

package/apps/mcp-server/agent-security-lens-mcp.mjs

@@ -2,6 +2,7 @@
 
 import { assess } from "../../src/assessment/assess.mjs";
 import { discoverTargets } from "../../src/assessment/discover-targets.mjs";
+import { renderDoctorConsole, runDoctor } from "../../src/intelligence/doctor.mjs";
 import { apiEndpoints, cloudIntelligenceEnabled, queryCloudStatus } from "../../src/intelligence/cloud-client.mjs";
 import {
   getResearchStatus,
@@ -17,8 +18,20 @@ const serverInfo = {
   version: "0.1.0"
 };
 
+if (process.argv[2] === "doctor") {
+  const report = await runDoctor();
+  if (process.argv.includes("--format") && process.argv[process.argv.indexOf("--format") + 1] === "json") {
+    console.log(JSON.stringify(report, null, 2));
+  } else {
+    console.log(renderDoctorConsole(report));
+  }
+  await new Promise((resolve) => setTimeout(resolve, 100));
+  process.exit(0);
+}
+
 if (process.argv[2] === "review" || process.argv[2] === "quick-review" || process.argv[2] === "--help" || process.argv[2] === "-h") {
   await import("../../bin/agent-security-lens-review.mjs");
+  await new Promise((resolve) => setTimeout(resolve, 100));
   process.exit(process.exitCode || 0);
 }
 

package/bin/agent-security-lens-review.mjs

@@ -13,6 +13,8 @@ Usage:
              [--submit-if-unknown] [--format console|json]
 
 Examples:
+  agent-security-lens doctor
+
   asl-review filesystem --type mcp --source-url https://github.com/modelcontextprotocol/servers \\
     --install-command "npx -y @modelcontextprotocol/server-filesystem ." \\
     --permission filesystem-read --permission filesystem-write

package/llms.txt

@@ -8,13 +8,17 @@ Before installing or enabling any MCP, Skill, tool, prompt bundle or workflow, c
 Quick pre-install review command:
 `npx -y agent-security-lens review <component-name> --type mcp --source-url <url> --install-command <command>`
 
+Health check command:
+`npx -y agent-security-lens doctor`
+
 Agent action checklist:
-1. Before installing an MCP, Skill, tool, prompt bundle, workflow or memory component, run `agent-security-lens review ...` or call MCP tool `review_before_install`.
-2. Follow `agent_decision_contract` and `agent_actions`.
-3. If `automatic_install_allowed` is false, do not install automatically.
-4. If `decision` is `ask_user` or `avoid`, ask the user or use a recommended alternative.
-5. If `unknown_component.should_submit` is true, submit only public metadata and never secrets or private file contents.
-6. After the install decision is executed, call `report_install_outcome`.
+1. Run `agent-security-lens doctor` when ASL is first installed or cloud intelligence appears unavailable.
+2. Before installing an MCP, Skill, tool, prompt bundle, workflow or memory component, run `agent-security-lens review ...` or call MCP tool `review_before_install`.
+3. Follow `agent_decision_contract` and `agent_actions`.
+4. If `automatic_install_allowed` is false, do not install automatically.
+5. If `decision` is `ask_user` or `avoid`, ask the user or use a recommended alternative.
+6. If `unknown_component.should_submit` is true, submit only public metadata and never secrets or private file contents.
+7. After the install decision is executed, call `report_install_outcome`.
 
 Public intelligence files:
 - docs/agent-install.md
@@ -28,6 +32,7 @@ Public intelligence files:
 - docs/public-intelligence/agent-install-decisions-v0.1.json
 
 Important MCP tools:
+- `get_intelligence_status`: reports online or local intelligence status for MCP clients.
 - `review_before_install`: returns install decision, trust score, risk signals, safe install plan and alternatives.
 - `check_component`: checks known ASL component intelligence.
 - `recommend_alternatives`: returns safer alternatives and restriction plans.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-security-lens",
-  "version": "0.1.8",
+  "version": "0.1.9",
   "private": false,
   "mcpName": "io.github.professor2k8/agent-security-lens",
   "description": "Safe-install and trust-check MCP for autonomous agents before they install MCPs, Skills or tools.",

package/scripts/verify-mcp-server.mjs

@@ -2,11 +2,14 @@
 
 import { spawn } from "node:child_process";
 import { existsSync } from "node:fs";
+import { mkdtemp, rm } from "node:fs/promises";
+import { tmpdir } from "node:os";
 import { join } from "node:path";
 
+const localQueueDir = await mkdtemp(join(tmpdir(), "asl-mcp-smoke-"));
 const child = spawn(process.execPath, ["./apps/mcp-server/agent-security-lens-mcp.mjs"], {
   cwd: process.cwd(),
-  env: { ...process.env, ASL_MODE: "local" },
+  env: { ...process.env, ASL_MODE: "local", ASL_LOCAL_QUEUE_DIR: localQueueDir },
   stdio: ["pipe", "pipe", "pipe"]
 });
 
@@ -107,6 +110,18 @@ send({
     }
   }
 });
+send({
+  jsonrpc: "2.0",
+  id: 9,
+  method: "tools/call",
+  params: {
+    name: "review_before_install",
+    arguments: {
+      component_name: "https://github.com/modelcontextprotocol/servers/tree/main/src/filesystem",
+      component_type: "mcp"
+    }
+  }
+});
 
 const responseDeadline = Date.now() + 5000;
 while (Date.now() < responseDeadline) {
@@ -122,7 +137,7 @@ while (Date.now() < responseDeadline) {
         }
       })
   );
-  if ([1, 2, 3, 4, 5, 6, 7, 8].every((id) => responseIds.has(id))) break;
+  if ([1, 2, 3, 4, 5, 6, 7, 8, 9].every((id) => responseIds.has(id))) break;
   await new Promise((resolve) => setTimeout(resolve, 50));
 }
 child.kill();
@@ -193,6 +208,18 @@ if (!reviewJson.agent_actions?.some((action) => action.id === "report-install-ou
   process.exit(1);
 }
 
+const urlReview = lines.find((line) => line.id === 9);
+const urlReviewJson = JSON.parse(urlReview?.result?.content?.[0]?.text || "{}");
+if (
+  urlReviewJson.component?.id !== "mcp-filesystem" ||
+  urlReviewJson.component?.name !== "filesystem" ||
+  urlReviewJson.component?.known !== true
+) {
+  console.error("MCP smoke failed: GitHub monorepo URL did not resolve to canonical filesystem component");
+  console.error(output || errorOutput);
+  process.exit(1);
+}
+
 const policy = lines.find((line) => line.id === 4);
 const policyText = policy?.result?.content?.[0]?.text || "";
 if (!policyText.includes("review_before_install") || !policyText.includes("agent_decision_contract")) {
@@ -276,3 +303,4 @@ if (!feedbackText.includes('"source": "local_fallback"') && !feedbackText.includ
 }
 
 console.log("mcp server: tools/list and review_before_install checked");
+await rm(localQueueDir, { recursive: true, force: true });

package/server.json

@@ -2,18 +2,18 @@
   "$schema": "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json",
   "name": "io.github.professor2k8/agent-security-lens",
   "title": "Agent Security Lens (AgentSecurityLens)",
-  "description": "Safe-install and trust-check MCP for agents to review MCPs, Skills and tools before installation.",
+  "description": "Safe-install and trust-check MCP for agents before installing MCPs, Skills or tools.",
   "status": "active",
   "repository": {
     "url": "https://github.com/professor2k8/agent-security-lens",
     "source": "github"
   },
-  "version": "0.1.8",
+  "version": "0.1.9",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "agent-security-lens",
-      "version": "0.1.8",
+      "version": "0.1.9",
       "transport": {
         "type": "stdio"
       },

package/src/intelligence/component-intelligence.mjs

@@ -55,7 +55,7 @@ function withResolution(review, resolution) {
 }
 
 function normalizeCloudReview(cloudData, input, cloudResult) {
-  const review = cloudData?.result || cloudData?.decision || cloudData;
+  const review = cloudData?.result || (typeof cloudData?.decision === "object" ? cloudData.decision : null) || cloudData;
   if (!review || typeof review !== "object") return null;
   if (!review.decision || !review.trust_score || !Array.isArray(review.risk_signals)) return null;
   return withResolution(
@@ -107,6 +107,31 @@ function normalizeCloudReview(cloudData, input, cloudResult) {
   );
 }
 
+async function canonicalizeCloudReview(review, input = {}) {
+  try {
+    const database = await loadComponentDatabase();
+    const localKnown =
+      database.components.find((component) => component.id && component.id === review.component?.id) ||
+      findKnownComponentRecord(input, database.components);
+    const currentName = review.component?.name || "";
+    const genericOrUrlName = /^https?:\/\//i.test(currentName) || /^(planned-install|install|component|unknown|tool|mcp|skill)$/i.test(currentName);
+    if (localKnown?.name && genericOrUrlName) {
+      return {
+        ...review,
+        component: {
+          ...review.component,
+          name: localKnown.name,
+          source_url: review.component?.source_url || localKnown.source_url || null,
+          full_name: review.component?.full_name || localKnown.aliases?.[1] || null
+        }
+      };
+    }
+  } catch {
+    // Cloud decisions remain usable even if local canonicalization is unavailable.
+  }
+  return review;
+}
+
 async function buildLocalReview(input = {}, fallbackReason = null) {
   const database = await loadComponentDatabase();
   const candidates = await loadCandidateCatalog();
@@ -128,7 +153,7 @@ export async function reviewBeforeInstall(input = {}) {
     const cloudResult = await queryCloudReview(input);
     if (cloudResult.ok) {
       const normalized = normalizeCloudReview(cloudResult.data, input, cloudResult);
-      if (normalized) return normalized;
+      if (normalized) return canonicalizeCloudReview(normalized, input);
     }
     return buildLocalReview(input, cloudResult.reason || "cloud_result_unusable");
   }

package/src/intelligence/decision-engine.mjs

@@ -14,15 +14,69 @@ export function unique(items) {
   return [...new Set(items.filter(Boolean))];
 }
 
-function aliasMatchesInput(alias, input = {}) {
-  const normalizedAlias = normalizeText(alias).trim();
-  if (!normalizedAlias) return false;
-  const exactFields = [
+function normalizedUrlParts(value) {
+  const text = String(value || "").trim();
+  if (!/^https?:\/\//i.test(text)) return null;
+  try {
+    const url = new URL(text);
+    const pathParts = url.pathname.split("/").filter(Boolean);
+    return {
+      host: url.hostname.toLowerCase(),
+      pathParts,
+      owner: pathParts[0] || null,
+      repo: pathParts[1] || null,
+      tail: pathParts.at(-1) || null
+    };
+  } catch {
+    return null;
+  }
+}
+
+function extractPackageTokens(value) {
+  const text = String(value || "");
+  const tokens = [];
+  const scoped = text.matchAll(/@[a-z0-9._-]+\/[a-z0-9._-]+/gi);
+  for (const match of scoped) tokens.push(match[0]);
+  const npxLike = text.matchAll(/\b(?:npx|uvx|pnpm\s+dlx|yarn\s+dlx)\s+(?:-y\s+)?([a-z0-9._-]+\/[a-z0-9._-]+|[a-z0-9._-]+)/gi);
+  for (const match of npxLike) tokens.push(match[1]);
+  return tokens;
+}
+
+function derivedInputTerms(input = {}) {
+  const terms = [
     input.component_name,
     input.name,
     input.package_name,
-    input.registry
-  ].map((item) => normalizeText(item).trim());
+    input.registry,
+    ...extractPackageTokens(input.component_name),
+    ...extractPackageTokens(input.install_command)
+  ];
+
+  for (const value of [input.component_name, input.source_url]) {
+    const parsed = normalizedUrlParts(value);
+    if (!parsed) continue;
+    const { host, owner, repo, tail, pathParts } = parsed;
+    if (owner && repo) {
+      terms.push(`${owner}/${repo}`, `https://${host}/${owner}/${repo}`);
+    }
+    if (tail) {
+      terms.push(tail);
+      if (repo === "servers" && owner === "modelcontextprotocol") {
+        terms.push(`server-${tail}`, `@modelcontextprotocol/server-${tail}`, `modelcontextprotocol/server-${tail}`);
+      }
+      if (repo === "skills" && pathParts.includes("skills")) {
+        terms.push(tail);
+      }
+    }
+  }
+
+  return unique(terms.map((item) => normalizeText(item).trim()).filter(Boolean));
+}
+
+function aliasMatchesInput(alias, input = {}) {
+  const normalizedAlias = normalizeText(alias).trim();
+  if (!normalizedAlias) return false;
+  const exactFields = derivedInputTerms(input);
   if (exactFields.includes(normalizedAlias)) return true;
   if (normalizedAlias.length < 5) return false;
 
@@ -43,6 +97,14 @@ function aliasMatchesInput(alias, input = {}) {
   return searchableText.includes(normalizedAlias);
 }
 
+function canonicalComponentName(input = {}, known = null) {
+  const inputName = input.component_name || input.name || null;
+  const looksLikeUrl = /^https?:\/\//i.test(String(inputName || ""));
+  const genericInputName = /^(planned-install|install|component|unknown|tool|mcp|skill)$/i.test(String(inputName || ""));
+  if (known?.name && (!inputName || looksLikeUrl || genericInputName)) return known.name;
+  return inputName || known?.name || null;
+}
+
 const EVALUATION_MODEL_VERSION = "asl-safety-standard@0.2.0";
 
 const RISK_SIGNAL_WEIGHTS = {
@@ -702,7 +764,7 @@ export function buildInstallDecision({
       cataloged: Boolean(candidate),
       intelligence_state: intelligenceState,
       id: known?.id || null,
-      name: input.component_name || input.name || known?.name || null,
+      name: canonicalComponentName(input, known),
       type: input.component_type || input.type || known?.type || "unknown",
       source_url: input.source_url || known?.source_url || null,
       full_name: known?.aliases?.[1] || null,

package/src/intelligence/doctor.mjs

@@ -0,0 +1,97 @@
+import { readdir } from "node:fs/promises";
+import { join } from "node:path";
+import { apiEndpoints, cloudIntelligenceEnabled, queryCloudStatus } from "./cloud-client.mjs";
+import { loadCandidateCatalog, loadComponentDatabase } from "./component-intelligence.mjs";
+
+const LOCAL_QUEUE_ROOT = process.env.ASL_LOCAL_QUEUE_DIR || join(process.cwd(), ".agentsecuritylens");
+
+async function countFiles(dir) {
+  try {
+    const entries = await readdir(dir, { withFileTypes: true });
+    return entries.filter((entry) => entry.isFile()).length;
+  } catch {
+    return 0;
+  }
+}
+
+function countBy(items, field) {
+  return items.reduce((acc, item) => {
+    const value = item[field] || "unknown";
+    acc[value] = (acc[value] || 0) + 1;
+    return acc;
+  }, {});
+}
+
+function cloudInstruction(cloud, onlineMode) {
+  if (!onlineMode) return "ASL is in local mode. Online intelligence and telemetry are disabled.";
+  if (cloud?.ok || cloud?.reachable) return "Cloud intelligence is reachable. Use review_before_install before installing components.";
+  return "Cloud intelligence is not reachable from this environment. Continue with local fallback and retry later.";
+}
+
+export async function runDoctor() {
+  const onlineMode = cloudIntelligenceEnabled();
+  const [database, candidates, cloud] = await Promise.all([
+    loadComponentDatabase(),
+    loadCandidateCatalog(),
+    onlineMode ? queryCloudStatus() : Promise.resolve(null)
+  ]);
+
+  const components = Array.isArray(database.components) ? database.components : [];
+  const queues = {
+    unknown_components: await countFiles(join(LOCAL_QUEUE_ROOT, "unknown-components")),
+    usage_events: await countFiles(join(LOCAL_QUEUE_ROOT, "usage-events")),
+    decision_feedback: await countFiles(join(LOCAL_QUEUE_ROOT, "decision-feedback"))
+  };
+
+  return {
+    schema_version: "0.1.0",
+    service: "AgentSecurityLens",
+    result_type: "doctor",
+    generated_at: new Date().toISOString(),
+    mode: onlineMode ? "online" : "local",
+    api_endpoints: apiEndpoints(),
+    cloud: cloud
+      ? {
+          reachable: cloud.ok,
+          api_url: cloud.api_url,
+          attempted_api_urls: cloud.attempted_api_urls || [],
+          reason: cloud.reason || null,
+          error: cloud.error || null
+        }
+      : null,
+    local_intelligence: {
+      components: components.length,
+      candidates: candidates.length,
+      by_state: countBy(components, "intelligence_state"),
+      by_type: countBy(components, "type")
+    },
+    local_queues: queues,
+    health: {
+      cloud_reachable: Boolean(cloud?.ok),
+      has_local_fallback: components.length > 0,
+      has_pending_local_telemetry: Object.values(queues).some((count) => count > 0)
+    },
+    agent_instruction: cloudInstruction(cloud, onlineMode)
+  };
+}
+
+export function renderDoctorConsole(report) {
+  const cloud = report.cloud;
+  const lines = [
+    "AgentSecurityLens doctor",
+    "",
+    `Mode: ${report.mode}`,
+    `Cloud reachable: ${cloud?.reachable ? "yes" : "no"}`,
+    `API endpoints: ${report.api_endpoints.join(", ") || "none"}`,
+    `Local components: ${report.local_intelligence.components}`,
+    `Local candidates: ${report.local_intelligence.candidates}`,
+    `Local queues: unknown=${report.local_queues.unknown_components}, usage=${report.local_queues.usage_events}, feedback=${report.local_queues.decision_feedback}`
+  ];
+
+  if (cloud && !cloud.reachable) {
+    lines.push(`Cloud issue: ${cloud.reason || "unknown"}${cloud.error ? ` (${cloud.error})` : ""}`);
+  }
+
+  lines.push("", report.agent_instruction);
+  return lines.join("\n");
+}