codex-plugin-doctor 0.11.0 → 0.13.0

package/README.md

@@ -98,9 +98,12 @@ codex-plugin-doctor list --installed
 codex-plugin-doctor check --installed
 codex-plugin-doctor check --installed --all-summary
 codex-plugin-doctor check --installed --compat --all-summary
+codex-plugin-doctor audit --installed --security --compat
+codex-plugin-doctor audit --installed --security --compat --policy security
+codex-plugin-doctor mcp path/to/mcp-package
 codex-plugin-doctor check --installed github
-codex-plugin-doctor explain plugin.manifest.missing
-```
+codex-plugin-doctor explain plugin.manifest.missing
+```
 
 Run from source:
 
@@ -173,11 +176,23 @@ Run these from a Codex plugin package root:
 codex-plugin-doctor --version
 codex-plugin-doctor self-test
 codex-plugin-doctor doctor
+codex-plugin-doctor doctor recommend .
+codex-plugin-doctor doctor recommend . --json --output recommendations.json
+codex-plugin-doctor doctor trust .
+codex-plugin-doctor doctor trust . --json --output trust-score.json
+codex-plugin-doctor doctor export --bundle .
+codex-plugin-doctor doctor export --bundle . --output doctor-bundle.json
 codex-plugin-doctor doctor snapshot
 codex-plugin-doctor doctor snapshot --json
 codex-plugin-doctor doctor snapshot --output doctor-snapshot.json
 codex-plugin-doctor doctor clients
 codex-plugin-doctor doctor --update-check
+codex-plugin-doctor audit --installed
+codex-plugin-doctor audit --installed --security --compat
+codex-plugin-doctor audit --installed --security --compat --json --output local-audit.json
+codex-plugin-doctor mcp .
+codex-plugin-doctor mcp . --json
+codex-plugin-doctor mcp . --json --output mcp-doctor.json
 codex-plugin-doctor init my-plugin
 codex-plugin-doctor init my-mcp --template mcp-stdio
 codex-plugin-doctor init remote-mcp --template mcp-http
@@ -185,6 +200,7 @@ codex-plugin-doctor init runtime-demo --template full-runtime
 codex-plugin-doctor security .
 codex-plugin-doctor security . --scorecard
 codex-plugin-doctor security . --json
+codex-plugin-doctor security . --policy security
 codex-plugin-doctor compat .
 codex-plugin-doctor compat . --all --scorecard
 codex-plugin-doctor compat . --client codex
@@ -204,6 +220,9 @@ codex-plugin-doctor check .
 codex-plugin-doctor check . --profile ci
 codex-plugin-doctor check . --profile strict
 codex-plugin-doctor check . --profile publish
+codex-plugin-doctor check . --policy codex-publish
+codex-plugin-doctor check . --policy mcp-strict
+codex-plugin-doctor check . --policy security
 codex-plugin-doctor check . --json
 codex-plugin-doctor check . --explain
 codex-plugin-doctor check . --json --output report.json
@@ -227,7 +246,13 @@ codex-plugin-doctor check . --json --runtime --verbose-runtime
 
 `self-test` runs the bundled runtime-complete sample through static validation, runtime MCP probes, and the compatibility scorecard. It is the fastest post-install check after `npm install -g codex-plugin-doctor`.
 
-`doctor` checks the local environment, including package version, platform, Node version, npm global prefix, Codex home, and Codex plugin cache visibility. The text output also includes recommended next commands for self-test, installed plugin discovery, runtime checks, compatibility scoring, and CI setup. `doctor snapshot` creates a redacted diagnostics bundle with environment health, client config readiness, installed plugin metadata, and next commands. Add `--json` for machine-readable output or `--output doctor-snapshot.json` to write the bundle to disk. `doctor clients` reports local Codex, Claude Desktop, Cursor, Cline, and Windsurf config readiness. `doctor --update-check` compares the installed CLI version with the latest npm version and prints the upgrade command when a newer release is available.
+`doctor` checks the local environment, including package version, platform, Node version, npm global prefix, Codex home, and Codex plugin cache visibility. The text output also includes recommended next commands for self-test, installed plugin discovery, runtime checks, compatibility scoring, and CI setup. `doctor recommend <path>` turns validation, security, and compatibility signals into a prioritized action plan with blocker, high, medium, and info actions. Add `--json` for automation or `--output recommendations.json` to write the report to disk. `doctor trust <path>` creates a local trust score from package lifecycle scripts, dependency specs, and MCP security findings. Use it before release when you want supply-chain risks summarized as one score. `doctor export --bundle <path>` creates a redacted operator handoff bundle that includes validation JSON, security scorecard data, compatibility matrix, recommendations, and trust score in one file. `doctor snapshot` creates a redacted diagnostics bundle with environment health, client config readiness, installed plugin metadata, and next commands. Add `--json` for machine-readable output or `--output doctor-snapshot.json` to write the bundle to disk. `doctor clients` reports local Codex, Claude Desktop, Cursor, Cline, and Windsurf config readiness. `doctor --update-check` compares the installed CLI version with the latest npm version and prints the upgrade command when a newer release is available.
+
+`audit --installed` runs a local ecosystem audit against every discovered Codex plugin in the installed plugin cache. Add `--security` to include security scorecards, `--compat` to include the all-client compatibility matrix, and `--json --output local-audit.json` when you want a shareable machine-readable report.
+
+`--policy codex-publish|mcp-strict|security` applies opinionated gates without requiring a local `.codex-doctor.json`. `codex-publish` fails warnings and enables runtime probes for release checks, `mcp-strict` does the same for MCP-heavy packages, and `security` fails warning-level security findings so advisory risks can block a local audit or CI gate.
+
+`mcp <path>` diagnoses generic MCP packages that may not have a Codex plugin manifest. It looks for `.mcp.json` or a manifest `mcpServers` reference, validates the top-level `mcpServers` object and server transports, adds MCP command-surface security findings, and includes the all-client compatibility matrix in the same report.
 
 `init [path] --template ...` creates targeted starter packages. `skill-only` is the default minimal skill package, `mcp-stdio` adds a local stdio MCP config and mock server, `mcp-http` scaffolds a streamable HTTP MCP config, and `full-runtime` generates a stdio sample that passes the runtime protocol probes.
 

package/dist/audit/ecosystem-audit.d.ts

@@ -0,0 +1,36 @@
+import type { CompatibilityMatrix } from "../compatibility/compatibility-matrix.js";
+import type { InstalledPlugin } from "../core/discover-installed-plugins.js";
+import type { CheckResult } from "../domain/types.js";
+import type { SecurityAudit } from "../security/security-audit.js";
+export interface EcosystemAuditOptions {
+    env?: Record<string, string | undefined>;
+    platform?: NodeJS.Platform;
+    filter?: string | null;
+    includeSecurity?: boolean;
+    includeCompatibility?: boolean;
+    failOnWarnings?: boolean;
+    validatePlugin: (targetPath: string) => Promise<CheckResult>;
+}
+export interface EcosystemAuditPluginResult {
+    plugin: InstalledPlugin;
+    status: "pass" | "warn" | "fail";
+    validation: CheckResult;
+    security?: SecurityAudit;
+    compatibility?: CompatibilityMatrix;
+}
+export interface EcosystemAuditReport {
+    schemaVersion: "1.0.0";
+    generatedAt: string;
+    status: "pass" | "warn" | "fail";
+    summary: {
+        totalPlugins: number;
+        pass: number;
+        warn: number;
+        fail: number;
+    };
+    plugins: EcosystemAuditPluginResult[];
+    priorityActions: string[];
+}
+export declare function buildEcosystemAudit(options: EcosystemAuditOptions): Promise<EcosystemAuditReport>;
+export declare function renderEcosystemAuditJson(report: EcosystemAuditReport): string;
+export declare function renderEcosystemAudit(report: EcosystemAuditReport): string;

package/dist/audit/ecosystem-audit.js

@@ -0,0 +1,135 @@
+import { buildCompatibilityMatrix, matrixExitCode } from "../compatibility/compatibility-matrix.js";
+import { discoverInstalledPlugins, filterInstalledPlugins } from "../core/discover-installed-plugins.js";
+import { buildSecurityAudit } from "../security/security-audit.js";
+function mergeStatus(statuses) {
+    if (statuses.includes("fail")) {
+        return "fail";
+    }
+    if (statuses.includes("warn")) {
+        return "warn";
+    }
+    return "pass";
+}
+function compatibilityStatus(matrix) {
+    if (!matrix) {
+        return "pass";
+    }
+    if (matrixExitCode(matrix) === 1) {
+        return "fail";
+    }
+    return matrix.results.some((result) => result.status === "warn") ? "warn" : "pass";
+}
+function summarizePlugins(plugins) {
+    return {
+        totalPlugins: plugins.length,
+        pass: plugins.filter((plugin) => plugin.status === "pass").length,
+        warn: plugins.filter((plugin) => plugin.status === "warn").length,
+        fail: plugins.filter((plugin) => plugin.status === "fail").length
+    };
+}
+function buildPriorityActions(plugins) {
+    const actions = [];
+    const cleanReason = (reason) => reason.replace(/[.。]+$/u, "");
+    for (const plugin of plugins.filter((item) => item.status === "fail")) {
+        const validationFinding = plugin.validation.findings[0];
+        const securityFinding = plugin.security?.findings[0];
+        const compatibilityFinding = plugin.compatibility?.results.find((result) => result.status === "fail");
+        const reason = validationFinding?.id ??
+            securityFinding?.id ??
+            compatibilityFinding?.summary ??
+            "unknown failure";
+        actions.push(`${plugin.plugin.name}: fix ${cleanReason(reason)}.`);
+    }
+    for (const plugin of plugins.filter((item) => item.status === "warn")) {
+        const securityFinding = plugin.security?.findings[0];
+        const compatibilityFinding = plugin.compatibility?.results.find((result) => result.status === "warn");
+        const reason = securityFinding?.id ??
+            compatibilityFinding?.summary ??
+            plugin.validation.findings[0]?.id ??
+            "warning";
+        actions.push(`${plugin.plugin.name}: review ${cleanReason(reason)}.`);
+    }
+    return actions;
+}
+export async function buildEcosystemAudit(options) {
+    const installedPlugins = filterInstalledPlugins(await discoverInstalledPlugins({ env: options.env }), options.filter ?? null);
+    const environment = {
+        env: options.env,
+        platform: options.platform
+    };
+    const plugins = [];
+    for (const plugin of installedPlugins) {
+        const validation = await options.validatePlugin(plugin.rootPath);
+        const security = options.includeSecurity
+            ? await buildSecurityAudit(plugin.rootPath)
+            : undefined;
+        const compatibility = options.includeCompatibility
+            ? await buildCompatibilityMatrix(plugin.rootPath, environment)
+            : undefined;
+        const rawStatus = mergeStatus([
+            validation.status,
+            security?.status ?? "pass",
+            compatibilityStatus(compatibility)
+        ]);
+        const status = options.failOnWarnings && rawStatus === "warn"
+            ? "fail"
+            : rawStatus;
+        plugins.push({
+            plugin,
+            status,
+            validation,
+            ...(security ? { security } : {}),
+            ...(compatibility ? { compatibility } : {})
+        });
+    }
+    const summary = summarizePlugins(plugins);
+    const status = summary.fail > 0
+        ? "fail"
+        : summary.warn > 0
+            ? "warn"
+            : "pass";
+    return {
+        schemaVersion: "1.0.0",
+        generatedAt: new Date().toISOString(),
+        status,
+        summary,
+        plugins,
+        priorityActions: buildPriorityActions(plugins)
+    };
+}
+export function renderEcosystemAuditJson(report) {
+    return JSON.stringify(report, null, 2);
+}
+export function renderEcosystemAudit(report) {
+    const lines = [
+        "Local Ecosystem Audit",
+        "=====================",
+        `Status: ${report.status.toUpperCase()}`,
+        `Installed plugins: ${report.summary.totalPlugins}`,
+        `Summary: ${report.summary.fail} fail, ${report.summary.warn} warn, ${report.summary.pass} pass`
+    ];
+    if (report.plugins.length === 0) {
+        lines.push("", "No installed Codex plugins found.");
+        return lines.join("\n");
+    }
+    lines.push("", "Plugins", "-------");
+    for (const item of report.plugins) {
+        const version = item.plugin.version ? `@${item.plugin.version}` : "";
+        lines.push(`- ${item.plugin.name}${version}: ${item.status.toUpperCase()}`);
+        lines.push(`  Validation: ${item.validation.status.toUpperCase()}`);
+        if (item.security) {
+            lines.push(`  Security: ${item.security.status.toUpperCase()} (${item.security.score}/100)`);
+        }
+        if (item.compatibility) {
+            const compatibilitySummary = item.compatibility.results
+                .map((result) => `${result.client}=${result.status}`)
+                .join(", ");
+            lines.push(`  Compatibility: ${compatibilitySummary}`);
+        }
+    }
+    if (report.priorityActions.length > 0) {
+        lines.push("", "Priority Actions", "----------------");
+        lines.push(...report.priorityActions.map((action) => `- ${action}`));
+    }
+    return lines.join("\n");
+}

package/dist/core/doctor-export-bundle.d.ts

@@ -0,0 +1,22 @@
+import { type CompatibilityEnvironment, type CompatibilityMatrix } from "../compatibility/compatibility-matrix.js";
+import type { JsonReport } from "../domain/types.js";
+import { type DoctorRecommendationsReport } from "./doctor-recommendations.js";
+import { type SecurityAudit } from "../security/security-audit.js";
+import { type TrustScoreReport } from "../security/trust-score.js";
+export interface DoctorExportBundle {
+    schemaVersion: "1.0.0";
+    generatedAt: string;
+    kind: "doctor.export.bundle";
+    version: string;
+    targetPath: string;
+    validation: JsonReport;
+    security: SecurityAudit;
+    compatibility: CompatibilityMatrix;
+    recommendations: DoctorRecommendationsReport;
+    trust: TrustScoreReport;
+}
+export declare function buildDoctorExportBundle(targetPath: string, environment?: CompatibilityEnvironment): Promise<DoctorExportBundle>;
+export declare function renderDoctorExportBundleJson(bundle: DoctorExportBundle): string;
+export declare function renderDoctorExportBundle(bundle: DoctorExportBundle, options?: {
+    outputPath?: string | null;
+}): string;

package/dist/core/doctor-export-bundle.js

@@ -0,0 +1,79 @@
+import path from "node:path";
+import { buildCompatibilityMatrix } from "../compatibility/compatibility-matrix.js";
+import { applyDoctorConfig, loadDoctorConfig } from "./doctor-config.js";
+import { buildJsonReport } from "../reporting/render-json-report.js";
+import { buildDoctorRecommendations } from "./doctor-recommendations.js";
+import { buildSecurityAudit } from "../security/security-audit.js";
+import { buildTrustScore } from "../security/trust-score.js";
+import { validatePlugin } from "./validate-plugin.js";
+import { packageVersion } from "../version.js";
+function redactString(value) {
+    return value
+        .replace(/sk-[A-Za-z0-9_-]{12,}/g, "[REDACTED_SECRET]")
+        .replace(/npm_[A-Za-z0-9_-]{12,}/g, "[REDACTED_SECRET]")
+        .replace(/gh[pousr]_[A-Za-z0-9_]{12,}/g, "[REDACTED_SECRET]")
+        .replace(/SHOULD_NOT_LEAK/g, "[REDACTED_SECRET]");
+}
+function redactValue(value) {
+    if (typeof value === "string") {
+        return redactString(value);
+    }
+    if (Array.isArray(value)) {
+        return value.map(redactValue);
+    }
+    if (typeof value === "object" && value !== null) {
+        return Object.fromEntries(Object.entries(value).map(([key, nestedValue]) => [
+            key,
+            redactValue(nestedValue)
+        ]));
+    }
+    return value;
+}
+export async function buildDoctorExportBundle(targetPath, environment = {}) {
+    const rootPath = path.resolve(targetPath);
+    const [rawValidation, security, compatibility, recommendations, trust] = await Promise.all([
+        validatePlugin(rootPath),
+        buildSecurityAudit(rootPath),
+        buildCompatibilityMatrix(rootPath, environment),
+        buildDoctorRecommendations(rootPath, { environment }),
+        buildTrustScore(rootPath)
+    ]);
+    const validation = applyDoctorConfig(rawValidation, await loadDoctorConfig(rootPath));
+    return {
+        schemaVersion: "1.0.0",
+        generatedAt: new Date().toISOString(),
+        kind: "doctor.export.bundle",
+        version: packageVersion,
+        targetPath: rootPath,
+        validation: buildJsonReport(validation, { runtimeProbeEnabled: false }),
+        security,
+        compatibility,
+        recommendations,
+        trust
+    };
+}
+export function renderDoctorExportBundleJson(bundle) {
+    return JSON.stringify(redactValue(bundle), null, 2);
+}
+export function renderDoctorExportBundle(bundle, options = {}) {
+    const lines = [
+        "Doctor Export Bundle",
+        "====================",
+        `Target: ${bundle.targetPath}`,
+        `Version: ${bundle.version}`,
+        `Validation: ${bundle.validation.summary.status.toUpperCase()}`,
+        `Security: ${bundle.security.status.toUpperCase()} (${bundle.security.score}/100)`,
+        `Trust: ${bundle.trust.status.toUpperCase()} (${bundle.trust.score}/100)`,
+        `Recommendations: ${bundle.recommendations.actions.length}`
+    ];
+    if (options.outputPath) {
+        lines.push(`Output: ${options.outputPath}`);
+    }
+    lines.push("", "Bundle sections", "---------------");
+    lines.push("validation");
+    lines.push("security");
+    lines.push("compatibility");
+    lines.push("recommendations");
+    lines.push("trust");
+    return lines.join("\n");
+}

package/dist/core/doctor-recommendations.d.ts

@@ -0,0 +1,42 @@
+import { type CompatibilityEnvironment } from "../compatibility/compatibility-matrix.js";
+import type { CheckResult } from "../domain/types.js";
+import { type SecurityAudit } from "../security/security-audit.js";
+export type RecommendationPriority = "blocker" | "high" | "medium" | "info";
+export type RecommendationCategory = "validation" | "security" | "compatibility" | "release";
+export interface DoctorRecommendationAction {
+    priority: RecommendationPriority;
+    category: RecommendationCategory;
+    title: string;
+    reason: string;
+    nextCommand: string;
+    findingId?: string;
+}
+export interface DoctorRecommendationsReport {
+    schemaVersion: "1.0.0";
+    generatedAt: string;
+    targetPath: string;
+    status: "pass" | "warn" | "fail";
+    exitCode: 0 | 1;
+    summary: {
+        actionCounts: Record<RecommendationPriority, number>;
+    };
+    validation: {
+        status: CheckResult["status"];
+        findingCount: number;
+    };
+    security: {
+        status: SecurityAudit["status"];
+        score: number;
+        findingCount: number;
+    };
+    compatibility: {
+        failedClients: string[];
+    };
+    actions: DoctorRecommendationAction[];
+}
+export declare function buildDoctorRecommendations(targetPath: string, options?: {
+    environment?: CompatibilityEnvironment;
+    runCheck?: (targetPath: string) => Promise<CheckResult>;
+}): Promise<DoctorRecommendationsReport>;
+export declare function renderDoctorRecommendationsJson(report: DoctorRecommendationsReport): string;
+export declare function renderDoctorRecommendations(report: DoctorRecommendationsReport): string;

package/dist/core/doctor-recommendations.js

@@ -0,0 +1,161 @@
+import path from "node:path";
+import { buildCompatibilityMatrix, matrixExitCode } from "../compatibility/compatibility-matrix.js";
+import { applyDoctorConfig, loadDoctorConfig } from "./doctor-config.js";
+import { buildSecurityAudit } from "../security/security-audit.js";
+import { validatePlugin } from "./validate-plugin.js";
+const priorityRank = {
+    blocker: 0,
+    high: 1,
+    medium: 2,
+    info: 3
+};
+function countActions(actions) {
+    return {
+        blocker: actions.filter((action) => action.priority === "blocker").length,
+        high: actions.filter((action) => action.priority === "high").length,
+        medium: actions.filter((action) => action.priority === "medium").length,
+        info: actions.filter((action) => action.priority === "info").length
+    };
+}
+function priorityForFinding(finding) {
+    if (finding.severity === "fail") {
+        return "blocker";
+    }
+    return finding.id.startsWith("plugin.security.") ? "high" : "medium";
+}
+function categoryForFinding(finding) {
+    return finding.id.startsWith("plugin.security.") ? "security" : "validation";
+}
+function commandForCategory(category, targetPath) {
+    if (category === "security") {
+        return `codex-plugin-doctor security ${targetPath} --scorecard`;
+    }
+    if (category === "compatibility") {
+        return `codex-plugin-doctor compat ${targetPath} --all --scorecard`;
+    }
+    return `codex-plugin-doctor check ${targetPath} --explain`;
+}
+function actionFromFinding(finding, targetPath) {
+    const category = categoryForFinding(finding);
+    return {
+        priority: priorityForFinding(finding),
+        category,
+        findingId: finding.id,
+        title: finding.message,
+        reason: finding.impact,
+        nextCommand: commandForCategory(category, targetPath)
+    };
+}
+function dedupeActions(actions) {
+    const seen = new Set();
+    return actions.filter((action) => {
+        const key = `${action.category}\n${action.findingId ?? action.title}\n${action.reason}`;
+        if (seen.has(key)) {
+            return false;
+        }
+        seen.add(key);
+        return true;
+    });
+}
+function actionsFromCompatibility(matrix, targetPath) {
+    return matrix.results
+        .filter((result) => result.status === "fail")
+        .map((result) => ({
+        priority: "high",
+        category: "compatibility",
+        title: `${result.client} compatibility failed.`,
+        reason: result.summary,
+        nextCommand: commandForCategory("compatibility", targetPath)
+    }));
+}
+function sortActions(actions) {
+    return [...actions].sort((left, right) => {
+        const priorityDelta = priorityRank[left.priority] - priorityRank[right.priority];
+        if (priorityDelta !== 0) {
+            return priorityDelta;
+        }
+        return left.category.localeCompare(right.category);
+    });
+}
+export async function buildDoctorRecommendations(targetPath, options = {}) {
+    const rootPath = path.resolve(targetPath);
+    const runCheck = options.runCheck ?? validatePlugin;
+    const [rawValidation, security, compatibility] = await Promise.all([
+        runCheck(rootPath),
+        buildSecurityAudit(rootPath),
+        buildCompatibilityMatrix(rootPath, options.environment ?? {})
+    ]);
+    const validation = applyDoctorConfig(rawValidation, await loadDoctorConfig(rootPath));
+    const actions = sortActions(dedupeActions([
+        ...validation.findings.map((finding) => actionFromFinding(finding, rootPath)),
+        ...security.findings.map((finding) => actionFromFinding(finding, rootPath)),
+        ...actionsFromCompatibility(compatibility, rootPath)
+    ]));
+    const finalActions = actions.length > 0
+        ? actions
+        : [
+            {
+                priority: "info",
+                category: "release",
+                title: "No blocker actions.",
+                reason: "The package has no validation, security, or compatibility blockers in this recommendation pass.",
+                nextCommand: `codex-plugin-doctor check ${rootPath} --profile publish`
+            }
+        ];
+    const status = finalActions.some((action) => action.priority === "blocker")
+        ? "fail"
+        : finalActions.some((action) => action.priority === "high" || action.priority === "medium")
+            ? "warn"
+            : "pass";
+    return {
+        schemaVersion: "1.0.0",
+        generatedAt: new Date().toISOString(),
+        targetPath: rootPath,
+        status,
+        exitCode: status === "fail" ? 1 : 0,
+        summary: {
+            actionCounts: countActions(finalActions)
+        },
+        validation: {
+            status: validation.status,
+            findingCount: validation.findings.length
+        },
+        security: {
+            status: security.status,
+            score: security.score,
+            findingCount: security.findings.length
+        },
+        compatibility: {
+            failedClients: matrixExitCode(compatibility) === 1
+                ? compatibility.results
+                    .filter((result) => result.status === "fail")
+                    .map((result) => result.client)
+                : []
+        },
+        actions: finalActions
+    };
+}
+export function renderDoctorRecommendationsJson(report) {
+    return JSON.stringify(report, null, 2);
+}
+export function renderDoctorRecommendations(report) {
+    const lines = [
+        "Doctor Recommendations",
+        "======================",
+        `Target: ${report.targetPath}`,
+        `Status: ${report.status.toUpperCase()}`,
+        `Actions: ${report.summary.actionCounts.blocker} blocker, ${report.summary.actionCounts.high} high, ${report.summary.actionCounts.medium} medium, ${report.summary.actionCounts.info} info`,
+        `Security: ${report.security.status.toUpperCase()} (${report.security.score}/100)`
+    ];
+    lines.push("", "Actions", "-------");
+    for (const action of report.actions) {
+        lines.push(`[${action.priority.toUpperCase()}] ${action.title}`);
+        if (action.findingId) {
+            lines.push(`  Finding: ${action.findingId}`);
+        }
+        lines.push(`  Category: ${action.category}`);
+        lines.push(`  Reason: ${action.reason}`);
+        lines.push(`  Next: ${action.nextCommand}`);
+    }
+    return lines.join("\n");
+}

package/dist/index.d.ts

@@ -1,4 +1,10 @@
 import type { CheckOptions, CheckResult } from "./domain/types.js";
 export { buildSecurityAudit, renderSecurityAuditJson, renderSecurityScorecard, type SecurityAudit } from "./security/security-audit.js";
+export { buildTrustScore, renderTrustScore, renderTrustScoreJson, type TrustScoreReport } from "./security/trust-score.js";
 export { buildDoctorSnapshot, renderDoctorSnapshot, renderDoctorSnapshotJson, type DoctorSnapshot } from "./core/doctor-snapshot.js";
+export { buildDoctorRecommendations, renderDoctorRecommendations, renderDoctorRecommendationsJson, type DoctorRecommendationAction, type DoctorRecommendationsReport } from "./core/doctor-recommendations.js";
+export { buildDoctorExportBundle, renderDoctorExportBundle, renderDoctorExportBundleJson, type DoctorExportBundle } from "./core/doctor-export-bundle.js";
+export { buildEcosystemAudit, renderEcosystemAudit, renderEcosystemAuditJson, type EcosystemAuditReport } from "./audit/ecosystem-audit.js";
+export { applyPolicyToDoctorConfig, applyPolicyToSecurityAudit, parsePolicyPack, policyEnablesRuntime, policyFailsOnWarnings, policyPackNames, type PolicyPackName } from "./policy/policy-packs.js";
+export { buildGenericMcpDoctor, renderGenericMcpDoctor, renderGenericMcpDoctorJson, type GenericMcpDoctorReport } from "./mcp/generic-mcp-doctor.js";
 export declare function runCheck(targetPath: string, options?: CheckOptions): Promise<CheckResult>;

package/dist/index.js

@@ -1,6 +1,12 @@
 import { validatePlugin } from "./core/validate-plugin.js";
 export { buildSecurityAudit, renderSecurityAuditJson, renderSecurityScorecard } from "./security/security-audit.js";
+export { buildTrustScore, renderTrustScore, renderTrustScoreJson } from "./security/trust-score.js";
 export { buildDoctorSnapshot, renderDoctorSnapshot, renderDoctorSnapshotJson } from "./core/doctor-snapshot.js";
+export { buildDoctorRecommendations, renderDoctorRecommendations, renderDoctorRecommendationsJson } from "./core/doctor-recommendations.js";
+export { buildDoctorExportBundle, renderDoctorExportBundle, renderDoctorExportBundleJson } from "./core/doctor-export-bundle.js";
+export { buildEcosystemAudit, renderEcosystemAudit, renderEcosystemAuditJson } from "./audit/ecosystem-audit.js";
+export { applyPolicyToDoctorConfig, applyPolicyToSecurityAudit, parsePolicyPack, policyEnablesRuntime, policyFailsOnWarnings, policyPackNames } from "./policy/policy-packs.js";
+export { buildGenericMcpDoctor, renderGenericMcpDoctor, renderGenericMcpDoctorJson } from "./mcp/generic-mcp-doctor.js";
 export async function runCheck(targetPath, options = {}) {
     return validatePlugin(targetPath, options);
 }

package/dist/mcp/generic-mcp-doctor.d.ts

@@ -0,0 +1,16 @@
+import { type CompatibilityEnvironment, type CompatibilityMatrix } from "../compatibility/compatibility-matrix.js";
+import type { Finding } from "../domain/types.js";
+import { type SecurityAudit } from "../security/security-audit.js";
+export interface GenericMcpDoctorReport {
+    targetPath: string;
+    status: "pass" | "warn" | "fail";
+    exitCode: 0 | 1;
+    mcpConfigPath: string | null;
+    serverCount: number;
+    findings: Finding[];
+    security: SecurityAudit;
+    compatibility: CompatibilityMatrix;
+}
+export declare function buildGenericMcpDoctor(targetPath: string, environment?: CompatibilityEnvironment): Promise<GenericMcpDoctorReport>;
+export declare function renderGenericMcpDoctorJson(report: GenericMcpDoctorReport): string;
+export declare function renderGenericMcpDoctor(report: GenericMcpDoctorReport): string;