memorylink 1.0.0

package/src/commands/doctor.ts

@@ -0,0 +1,1468 @@
+/**
+ * MemoryLink - Doctor Command
+ * System health check and troubleshooting
+ */
+
+import * as fs from 'fs';
+import * as path from 'path';
+import { execSync } from 'child_process';
+import {
+  isInitialized,
+  success,
+  error,
+  warn,
+  info,
+  log,
+  findRoot,
+  readConfig,
+  getFilePath,
+  readJsonlEntries,
+  isJsonlFormat,
+  safeLog,
+  safeError,
+  isStdoutWritable,
+} from '../utils.js';
+import { loadGraph } from '../utils/code-structure.js';
+import { MEMORYLINK_DIR, FILES } from '../types.js';
+import { logBuddyCheckRun } from '../utils/observability.js';
+import { checkLock } from './lock.js';
+import type { 
+  GlobalOptions, 
+  DoctorCheck, 
+  MemoryEntry, 
+  LearningEntry,
+  BuddyStatus,
+  BuddyIssue,
+  BuddyReport,
+  BuddyOverride,
+  MemoryStatus,
+  Sensitivity,
+  TrustLevel,
+  SourceType,
+} from '../types.js';
+
+// Secret patterns to detect (HIGH PRIORITY - All 7 AIs require this)
+const SECRET_PATTERNS = [
+  // API Keys
+  { name: 'OpenAI API Key', pattern: /sk-[a-zA-Z0-9]{20,}/g },
+  { name: 'Anthropic API Key', pattern: /sk-ant-[a-zA-Z0-9-]{20,}/g },
+  { name: 'Stripe Secret Key', pattern: /sk_live_[a-zA-Z0-9]{20,}/g },
+  { name: 'Stripe Test Key', pattern: /sk_test_[a-zA-Z0-9]{20,}/g },
+  { name: 'AWS Access Key', pattern: /AKIA[0-9A-Z]{16}/g },
+  { name: 'AWS Secret Key', pattern: /[a-zA-Z0-9/+=]{40}/g },
+  { name: 'GitHub Token', pattern: /ghp_[a-zA-Z0-9]{36}/g },
+  { name: 'GitHub Token (old)', pattern: /github_pat_[a-zA-Z0-9_]{22,}/g },
+  { name: 'Google API Key', pattern: /AIza[0-9A-Za-z-_]{35}/g },
+  { name: 'Slack Token', pattern: /xox[baprs]-[0-9]{10,13}-[a-zA-Z0-9-]+/g },
+  { name: 'Discord Token', pattern: /[MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27}/g },
+  
+  // Generic patterns
+  { name: 'Generic API Key', pattern: /api[_-]?key["\s]*[:=]["\s]*[a-zA-Z0-9_-]{16,}/gi },
+  { name: 'Generic Secret', pattern: /secret["\s]*[:=]["\s]*[a-zA-Z0-9_-]{16,}/gi },
+  { name: 'Generic Token', pattern: /token["\s]*[:=]["\s]*[a-zA-Z0-9_-]{16,}/gi },
+  { name: 'Password', pattern: /password["\s]*[:=]["\s]*[^\s"]{8,}/gi },
+  { name: 'Private Key', pattern: /-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g },
+  { name: 'Bearer Token', pattern: /bearer\s+[a-zA-Z0-9_-]{20,}/gi },
+];
+
+interface SecretMatch {
+  file: string;
+  line: number;
+  pattern: string;
+  preview: string;
+}
+
+interface Conflict {
+  type: 'duplicate' | 'conflict';
+  entries: string[];
+  message: string;
+  suggestion?: string;
+}
+
+/**
+ * Detect Git merge conflict markers in log files
+ */
+function detectGitConflicts(root: string): { file: string; line: number }[] {
+  const conflicts: { file: string; line: number }[] = [];
+  const filesToScan = ['MEMORY', 'LEARNINGS', 'CHANGES'] as const;
+  
+  for (const fileKey of filesToScan) {
+    const filePath = getFilePath(fileKey, root);
+    if (!fs.existsSync(filePath)) continue;
+    
+    const content = fs.readFileSync(filePath, 'utf-8');
+    const lines = content.split('\n');
+    
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      // Check for Git merge conflict markers
+      if (line.trim().startsWith('<<<<<<<') || 
+          line.trim().startsWith('=======') || 
+          line.trim().startsWith('>>>>>>>')) {
+        conflicts.push({
+          file: FILES[fileKey],
+          line: i + 1,
+        });
+      }
+    }
+  }
+  
+  return conflicts;
+}
+
+function scanForSecrets(root: string): SecretMatch[] {
+  const matches: SecretMatch[] = [];
+  const filesToScan = ['MEMORY', 'LEARNINGS', 'CHANGES'] as const;
+  
+  for (const fileKey of filesToScan) {
+    const filePath = getFilePath(fileKey, root);
+    if (!fs.existsSync(filePath)) continue;
+    
+    const content = fs.readFileSync(filePath, 'utf-8');
+    const lines = content.split('\n');
+    
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      
+      for (const secretPattern of SECRET_PATTERNS) {
+        const regex = new RegExp(secretPattern.pattern);
+        if (regex.test(line)) {
+          // Create a safe preview (mask most of the secret)
+          const preview = line.length > 60 
+            ? line.substring(0, 30) + '...' + line.substring(line.length - 10)
+            : line;
+          
+          matches.push({
+            file: FILES[fileKey],
+            line: i + 1,
+            pattern: secretPattern.name,
+            preview: preview.replace(/([a-zA-Z0-9_-]{8})[a-zA-Z0-9_-]{8,}([a-zA-Z0-9_-]{4})/g, '$1****$2'),
+          });
+          break; // Only report once per line
+        }
+      }
+    }
+  }
+  
+  return matches;
+}
+
+/**
+ * Normalize text for comparison (lowercase, trim, remove extra spaces)
+ */
+function normalizeText(text: string): string {
+  return text.toLowerCase().trim().replace(/\s+/g, ' ');
+}
+
+/**
+ * Detect duplicate and conflicting memories
+ */
+function detectMemoryConflicts(root: string): Conflict[] {
+  const conflicts: Conflict[] = [];
+  const memoryPath = getFilePath('MEMORY', root);
+  
+  if (!fs.existsSync(memoryPath) || !isJsonlFormat(memoryPath)) {
+    return conflicts;
+  }
+
+  const memories = readJsonlEntries<MemoryEntry>(memoryPath)
+    .filter(e => e.status === 'ACTIVE');
+
+  // Group by normalized details (exact duplicates)
+  const detailsMap = new Map<string, MemoryEntry[]>();
+  for (const mem of memories) {
+    const normalized = normalizeText(mem.details);
+    if (!detailsMap.has(normalized)) {
+      detailsMap.set(normalized, []);
+    }
+    detailsMap.get(normalized)!.push(mem);
+  }
+
+  // Find duplicates
+  for (const [normalized, entries] of detailsMap) {
+    if (entries.length > 1) {
+      const preview = entries[0].details.length > 60 
+        ? entries[0].details.substring(0, 60) + '...'
+        : entries[0].details;
+      
+      conflicts.push({
+        type: 'duplicate',
+        entries: entries.map(e => e.id),
+        message: `Duplicate memory: "${preview}"`,
+        suggestion: `Consider deprecating older entries or merging them`,
+      });
+    }
+  }
+
+  // Find conflicting rules/decisions (same topic, contradictory)
+  const rules = memories.filter(m => m.type === 'rule' || m.type === 'decision');
+  const rulesByTopic = new Map<string, MemoryEntry[]>();
+  
+  for (const rule of rules) {
+    // Extract topic from details (first few words)
+    const topic = normalizeText(rule.details).split(' ').slice(0, 3).join(' ');
+    if (!rulesByTopic.has(topic)) {
+      rulesByTopic.set(topic, []);
+    }
+    rulesByTopic.get(topic)!.push(rule);
+  }
+
+  // Check for potential conflicts (same topic, different details)
+  for (const [topic, entries] of rulesByTopic) {
+    if (entries.length > 1) {
+      const uniqueDetails = new Set(entries.map(e => normalizeText(e.details)));
+      if (uniqueDetails.size > 1) {
+        conflicts.push({
+          type: 'conflict',
+          entries: entries.map(e => e.id),
+          message: `Conflicting ${entries[0].type}s about: "${topic}..."`,
+          suggestion: `Review and resolve contradictions`,
+        });
+      }
+    }
+  }
+
+  return conflicts;
+}
+
+/**
+ * Detect duplicate learnings
+ */
+function detectLearningConflicts(root: string): Conflict[] {
+  const conflicts: Conflict[] = [];
+  const learningsPath = getFilePath('LEARNINGS', root);
+  
+  if (!fs.existsSync(learningsPath) || !isJsonlFormat(learningsPath)) {
+    return conflicts;
+  }
+
+  const learnings = readJsonlEntries<LearningEntry>(learningsPath)
+    .filter(e => e.status === 'ACTIVE');
+
+  // Group by normalized problem + solution (exact duplicates)
+  const problemSolutionMap = new Map<string, LearningEntry[]>();
+  for (const learning of learnings) {
+    const key = `${normalizeText(learning.problem)}|${normalizeText(learning.solution)}`;
+    if (!problemSolutionMap.has(key)) {
+      problemSolutionMap.set(key, []);
+    }
+    problemSolutionMap.get(key)!.push(learning);
+  }
+
+  // Find duplicates
+  for (const [key, entries] of problemSolutionMap) {
+    if (entries.length > 1) {
+      const preview = entries[0].problem.length > 50 
+        ? entries[0].problem.substring(0, 50) + '...'
+        : entries[0].problem;
+      
+      conflicts.push({
+        type: 'duplicate',
+        entries: entries.map(e => e.id),
+        message: `Duplicate learning: "${preview}"`,
+        suggestion: `Keep the most recent entry, deprecate others`,
+      });
+    }
+  }
+
+  return conflicts;
+}
+
+export interface DoctorOptions extends GlobalOptions {
+  scanSecrets?: boolean;
+  autoFix?: boolean;  // Auto-fix issues where possible
+  preflight?: boolean;  // v1.4: Run preflight check
+  postflight?: boolean;  // v1.4: Run postflight check
+  changed?: boolean;  // v1.4: Only check changed files (for postflight)
+  fix?: boolean;  // v1.4: Auto-fix memory records (for postflight)
+  json?: boolean;  // v1.4: Output as JSON
+  for?: string;  // v1.4: Agent/user ID for preflight
+  pr?: string;  // v1.4: PR number for preflight
+  branch?: string;  // v1.4: Branch name for preflight
+}
+
+export async function doctorCommand(options: DoctorOptions = {}): Promise<void> {
+  const { 
+    verbose, 
+    scanSecrets, 
+    autoFix = false,
+    preflight = false,
+    postflight = false,
+    changed = false,
+    fix = false,
+    json = false,
+    for: agentId,
+    pr: prNumber,
+    branch: branchName,
+  } = options;
+
+  // TODO v1.6: Record telemetry event (command start)
+  // await recordEvent({
+  //   command: 'doctor',
+  //   result: 'success', // Will be updated to 'error' if command fails
+  //   flags: { preflight, postflight, json, scanSecrets },
+  //   isGitRepo: checkIsGitRepo(),
+  //   hasConfig: checkHasConfig(),
+  // });
+
+  // v1.4: Handle preflight/postflight
+  if (preflight) {
+    const root = findRoot();
+    let report = await runPreflightCheck(options);
+    
+    // Handle override if RED status
+    if (report.status === 'RED' && !json) {
+      report = await handleOverride(report, root, options);
+    }
+    
+    // Log to observability
+    if (root) {
+      logBuddyCheckRun(report, root);
+    }
+    
+    if (json) {
+      // For JSON output, use safeLog to handle EPIPE
+      safeLog(JSON.stringify(report, null, 2));
+    } else {
+      printBuddyReport(report);
+    }
+    
+    // Write to file
+    if (root) {
+      const reportPath = path.join(root, MEMORYLINK_DIR, 'preflight.json');
+      fs.writeFileSync(reportPath, JSON.stringify(report, null, 2));
+      if (!json) {
+        info(`Report saved to: ${reportPath}`);
+      }
+      
+      // Log override to overrides.log if present
+      if (report.override) {
+        logOverride(report.override, 'preflight', root);
+      }
+    }
+    
+    // Exit with error code only if RED and not overridden
+    if (report.status === 'RED' && !report.override) {
+      process.exit(1);
+    }
+    return;
+  }
+
+  if (postflight) {
+    const root = findRoot();
+    let report = await runPostflightCheck(options);
+    
+    // Handle override if RED status
+    if (report.status === 'RED' && !json) {
+      report = await handleOverride(report, root, options);
+    }
+    
+    // Log to observability
+    if (root) {
+      logBuddyCheckRun(report, root);
+    }
+    
+    if (json) {
+      // For JSON output, use safeLog to handle EPIPE
+      safeLog(JSON.stringify(report, null, 2));
+    } else {
+      printBuddyReport(report);
+    }
+    
+    // Write to file
+    if (root) {
+      const reportPath = path.join(root, MEMORYLINK_DIR, 'postflight.json');
+      fs.writeFileSync(reportPath, JSON.stringify(report, null, 2));
+      if (!json) {
+        info(`Report saved to: ${reportPath}`);
+      }
+      
+      // Log override to overrides.log if present
+      if (report.override) {
+        logOverride(report.override, 'postflight', root);
+      }
+    }
+    
+    // Exit with error code only if RED and not overridden
+    if (report.status === 'RED' && !report.override) {
+      process.exit(1);
+    }
+    return;
+  }
+
+  // Original doctor command (v1.3)
+  log('Running health checks', verbose);
+
+  console.log('');
+  console.log('\x1b[1m🩺 MemoryLink Doctor\x1b[0m');
+  console.log('');
+
+  const checks: DoctorCheck[] = [];
+
+  // Check 1: MemoryLink initialized
+  const root = findRoot();
+  const initialized = root && isInitialized(root);
+  
+  checks.push({
+    name: 'MemoryLink initialized',
+    status: initialized ? 'pass' : 'fail',
+    message: initialized
+      ? `Found .memorylink/ in ${root}`
+      : 'Run: memorylink init',
+    suggestion: initialized ? undefined : 'Run: memorylink init',
+  });
+
+  if (!initialized) {
+    printChecks(checks);
+    return;
+  }
+
+  // Check 2: All required files exist
+  const requiredFiles = ['PROTECTED', 'MEMORY', 'CHANGES', 'LEARNINGS', 'CONFIG'] as const;
+  let allFilesExist = true;
+  const missingFiles: string[] = [];
+
+  for (const fileKey of requiredFiles) {
+    const filePath = getFilePath(fileKey, root);
+    if (!fs.existsSync(filePath)) {
+      allFilesExist = false;
+      missingFiles.push(FILES[fileKey]);
+    }
+  }
+
+  checks.push({
+    name: 'Required files exist',
+    status: allFilesExist ? 'pass' : 'fail',
+    message: allFilesExist
+      ? 'All 5 files present'
+      : `Missing: ${missingFiles.join(', ')}`,
+  });
+
+  // Check 3: Config file valid
+  const config = readConfig(root);
+  checks.push({
+    name: 'Config file valid',
+    status: config ? 'pass' : 'fail',
+    message: config
+      ? `Version ${config.version}, initialized ${new Date(config.initialized).toLocaleDateString()}`
+      : 'Config file is corrupted or invalid',
+    suggestion: config ? undefined : 'Run: memorylink init (will recreate config)',
+  });
+
+  // Check 4: Files are readable/writable
+  let filesWritable = true;
+  try {
+    const testFile = path.join(root!, MEMORYLINK_DIR, '.doctor-test');
+    fs.writeFileSync(testFile, 'test');
+    fs.unlinkSync(testFile);
+  } catch {
+    filesWritable = false;
+  }
+
+  checks.push({
+    name: 'Files are writable',
+    status: filesWritable ? 'pass' : 'fail',
+    message: filesWritable
+      ? 'Read/write access confirmed'
+      : 'Permission denied - check file permissions',
+  });
+
+  // Check 5: Git repository
+  let isGitRepo = false;
+  let gitTracked = false;
+  
+  try {
+    execSync('git rev-parse --git-dir', { cwd: root!, stdio: 'pipe' });
+    isGitRepo = true;
+    
+    // Check if .memorylink is tracked
+    try {
+      const gitStatus = execSync(`git ls-files ${MEMORYLINK_DIR}`, { cwd: root!, stdio: 'pipe' }).toString();
+      gitTracked = gitStatus.trim().length > 0;
+    } catch {
+      gitTracked = false;
+    }
+  } catch {
+    isGitRepo = false;
+  }
+
+  checks.push({
+    name: 'Git repository',
+    status: isGitRepo ? 'pass' : 'warn',
+    message: isGitRepo
+      ? gitTracked
+        ? '.memorylink/ is tracked in Git (team sharing enabled)'
+        : '.memorylink/ exists but not tracked in Git'
+      : 'Not a Git repository - team sharing disabled',
+  });
+
+  // Check 6: Git hooks
+  let hooksInstalled = false;
+  if (isGitRepo && root) {
+    const preCommitPath = path.join(root, '.git', 'hooks', 'pre-commit');
+    if (fs.existsSync(preCommitPath)) {
+      const hookContent = fs.readFileSync(preCommitPath, 'utf-8');
+      hooksInstalled = hookContent.includes('memorylink');
+    }
+  }
+
+  checks.push({
+    name: 'Git hooks installed',
+    status: hooksInstalled ? 'pass' : 'warn',
+    message: hooksInstalled
+      ? 'Pre-commit hook protects files'
+      : 'Run: memorylink hooks install',
+  });
+
+  // Check 7: Node.js version
+  const nodeVersion = process.version;
+  const majorVersion = parseInt(nodeVersion.slice(1).split('.')[0], 10);
+  
+  checks.push({
+    name: 'Node.js version',
+    status: majorVersion >= 18 ? 'pass' : 'warn',
+    message: `${nodeVersion} ${majorVersion >= 18 ? '(supported)' : '(recommend v18+)'}`,
+  });
+
+  // Check 8: Protected files exist
+  const protectedPath = getFilePath('PROTECTED', root);
+  const protectedFiles = fs.readFileSync(protectedPath, 'utf-8')
+    .split('\n')
+    .filter(l => l.trim() && !l.startsWith('#'))
+    .map(l => l.split('#')[0].trim());
+
+  let allProtectedExist = true;
+  const missingProtected: string[] = [];
+
+  for (const file of protectedFiles) {
+    const fullPath = path.join(root!, file);
+    if (!fs.existsSync(fullPath)) {
+      allProtectedExist = false;
+      missingProtected.push(file);
+    }
+  }
+
+  if (protectedFiles.length > 0) {
+    checks.push({
+      name: 'Protected files exist',
+      status: allProtectedExist ? 'pass' : 'warn',
+      message: allProtectedExist
+        ? `All ${protectedFiles.length} protected files found`
+        : `Missing: ${missingProtected.slice(0, 3).join(', ')}${missingProtected.length > 3 ? '...' : ''}`,
+    });
+  }
+
+  // Check 9: SECRET SCANNING (Critical - All 7 AIs require this)
+  const secretMatches = scanForSecrets(root!);
+  
+  checks.push({
+    name: 'Secret scanning',
+    status: secretMatches.length === 0 ? 'pass' : 'fail',
+    message: secretMatches.length === 0
+      ? 'No potential secrets detected in logs'
+      : `⚠️  ${secretMatches.length} potential secret(s) detected!`,
+    suggestion: secretMatches.length === 0 ? undefined : 'Review detected secrets and remove them from logs',
+  });
+
+  // Check 10: Common sensitive files protection
+  const sensitiveFiles = ['.env', '.env.local', '.env.production', 'secrets.json', '*.pem', 'id_rsa'];
+  const unprotectedSensitive: string[] = [];
+  
+  for (const sensitive of sensitiveFiles) {
+    // Check if file exists and is not protected
+    if (sensitive.includes('*')) continue; // Skip glob patterns for now
+    const sensitivePath = path.join(root!, sensitive);
+    if (fs.existsSync(sensitivePath) && !protectedFiles.includes(sensitive)) {
+      unprotectedSensitive.push(sensitive);
+    }
+  }
+
+  if (unprotectedSensitive.length > 0) {
+    checks.push({
+      name: 'Sensitive files protected',
+      status: 'warn',
+      message: `Unprotected: ${unprotectedSensitive.join(', ')} - Run: memorylink protect <file>`,
+      suggestion: `Run: memorylink protect ${unprotectedSensitive[0]}`,
+    });
+  }
+
+  // Check 11: Git merge conflict detection
+  const gitConflicts = detectGitConflicts(root!);
+  checks.push({
+    name: 'Git merge conflicts',
+    status: gitConflicts.length === 0 ? 'pass' : 'fail',
+    message: gitConflicts.length === 0
+      ? 'No Git merge conflicts found'
+      : `${gitConflicts.length} Git merge conflict(s) detected in log files`,
+  });
+
+  // Check 12: Conflict/duplicate detection
+  const memoryConflicts = detectMemoryConflicts(root!);
+  const learningConflicts = detectLearningConflicts(root!);
+  const allConflicts = [...memoryConflicts, ...learningConflicts];
+  
+  checks.push({
+    name: 'Conflict/duplicate detection',
+    status: allConflicts.length === 0 ? 'pass' : 'warn',
+    message: allConflicts.length === 0
+      ? 'No duplicates or conflicts found'
+      : `${allConflicts.length} conflict(s) detected (see details below)`,
+  });
+
+  // Check 13: Code structure graph freshness (v1.2)
+  const graphFile = path.join(root!, '.memorylink', 'code-graph.json');
+  if (fs.existsSync(graphFile)) {
+    const stats = fs.statSync(graphFile);
+    const age = Date.now() - stats.mtimeMs;
+    const oneWeek = 7 * 24 * 60 * 60 * 1000;
+    
+    checks.push({
+      name: 'Code structure graph',
+      status: age < oneWeek ? 'pass' : 'warn',
+      message: age < oneWeek
+        ? `Graph is ${Math.floor(age / (24 * 60 * 60 * 1000))} day(s) old`
+        : 'Graph is older than 7 days - Run: memorylink graph build --rebuild',
+      suggestion: age >= oneWeek ? 'Run: memorylink graph build --rebuild' : undefined,
+    });
+  } else {
+    checks.push({
+      name: 'Code structure graph',
+      status: 'warn',
+      message: 'No code structure graph found',
+      suggestion: 'Run: memorylink graph build to enable code structure memory',
+    });
+  }
+
+  printChecks(checks);
+
+  // If secrets were found, print detailed report
+  if (secretMatches.length > 0) {
+    console.log('');
+    console.log('\x1b[31m\x1b[1m🚨 SECURITY WARNING: Potential Secrets Detected!\x1b[0m');
+    console.log('');
+    console.log('\x1b[33mThe following entries may contain sensitive data:\x1b[0m');
+    console.log('');
+    
+    for (const match of secretMatches) {
+      console.log(`   \x1b[31m•\x1b[0m ${match.file}:${match.line}`);
+      console.log(`     \x1b[90mType: ${match.pattern}\x1b[0m`);
+      console.log(`     \x1b[90mPreview: ${match.preview}\x1b[0m`);
+      console.log('');
+    }
+    
+    console.log('\x1b[33m⚠️  ACTION REQUIRED:\x1b[0m');
+    console.log('   1. Remove secrets from MemoryLink logs immediately');
+    console.log('   2. Rotate any exposed credentials');
+    console.log('   3. Use environment variables instead of storing secrets');
+    console.log('   4. Add sensitive files to protected.txt');
+    console.log('');
+    console.log('\x1b[90mTip: Never store API keys, passwords, or tokens in MemoryLink logs.\x1b[0m');
+    console.log('\x1b[90mUse: memorylink protect .env\x1b[0m');
+    console.log('');
+  }
+
+  // Auto-fix suggestions
+  const failCount = checks.filter(c => c.status === 'fail').length;
+  if (autoFix && failCount > 0) {
+    const fixableChecks = checks.filter(c => c.status === 'fail' && c.suggestion);
+    if (fixableChecks.length > 0) {
+      console.log('');
+      info('🔧 Auto-fix suggestions:');
+      console.log('');
+      for (const check of fixableChecks) {
+        if (check.suggestion) {
+          console.log(`   ${check.name}:`);
+          console.log(`   → ${check.suggestion}`);
+          console.log('');
+        }
+      }
+    }
+  }
+
+  // If conflicts were found, print detailed report
+  if (allConflicts.length > 0) {
+    console.log('');
+    console.log('\x1b[33m\x1b[1m⚠️  CONFLICTS & DUPLICATES DETECTED\x1b[0m');
+    console.log('');
+    console.log('\x1b[33mThe following entries may need attention:\x1b[0m');
+    console.log('');
+    
+    for (const conflict of allConflicts) {
+      const icon = conflict.type === 'duplicate' ? '📋' : '⚠️';
+      const color = conflict.type === 'duplicate' ? '\x1b[33m' : '\x1b[31m';
+      console.log(`   ${icon} ${color}${conflict.message}\x1b[0m`);
+      console.log(`     \x1b[90mEntry IDs: ${conflict.entries.slice(0, 3).join(', ')}${conflict.entries.length > 3 ? ` (+${conflict.entries.length - 3} more)` : ''}\x1b[0m`);
+      if (conflict.suggestion) {
+        console.log(`     \x1b[90mSuggestion: ${conflict.suggestion}\x1b[0m`);
+      }
+      console.log('');
+    }
+    
+    console.log('\x1b[33m💡 TIPS:\x1b[0m');
+    console.log('   • Review duplicate entries and keep the most relevant');
+    console.log('   • Resolve conflicting rules/decisions');
+    console.log('   • Use memorylink search to find entries by ID');
+    console.log('   • Consider deprecating outdated entries');
+    console.log('');
+  }
+
+  // Print all checks
+  printChecks(checks);
+
+  // Summary
+  console.log('');
+  const passCount = checks.filter(c => c.status === 'pass').length;
+  const warnCount = checks.filter(c => c.status === 'warn').length;
+
+  if (failCount > 0) {
+    error(`${failCount} issue(s) need attention`);
+    if (!autoFix) {
+      info('   Run with --auto-fix to see fix suggestions');
+    }
+  } else if (warnCount > 0) {
+    warn(`${warnCount} warning(s), ${passCount} passed`);
+  } else {
+    success(`All ${passCount} checks passed! MemoryLink is healthy.`);
+  }
+  console.log('');
+}
+
+function printChecks(checks: DoctorCheck[]): void {
+  for (const check of checks) {
+    let icon: string;
+    let color: string;
+    
+    switch (check.status) {
+      case 'pass':
+        icon = '✓';
+        color = '\x1b[32m';
+        break;
+      case 'warn':
+        icon = '⚠';
+        color = '\x1b[33m';
+        break;
+      case 'fail':
+        icon = '✗';
+        color = '\x1b[31m';
+        break;
+    }
+
+    console.log(`   ${color}${icon}\x1b[0m ${check.name}`);
+    console.log(`     \x1b[90m${check.message}\x1b[0m`);
+  }
+}
+
+// ============================================
+// V1.4 BUDDY-CHECK: PREFLIGHT & POSTFLIGHT
+// ============================================
+
+/**
+ * Run preflight check before AI agent operations
+ */
+async function runPreflightCheck(options: DoctorOptions): Promise<BuddyReport> {
+  const startTime = Date.now();
+  const root = findRoot();
+  
+  if (!root || !isInitialized(root)) {
+    return {
+      status: 'RED',
+      summary: 'MemoryLink not initialized',
+      issues: [{
+        type: 'INIT',
+        severity: 'error',
+        message: 'MemoryLink is not initialized. Run: memorylink init',
+      }],
+      timestamp: new Date().toISOString(),
+      runType: 'preflight',
+      durationMs: Date.now() - startTime,
+    };
+  }
+
+  const issues: BuddyIssue[] = [];
+  
+  // Check 0: Agent locking (v1.5)
+  const lockStatus = checkLock(root);
+  if (lockStatus.locked) {
+    issues.push({
+      type: 'LOCK',
+      severity: 'warning',
+      message: `Agent lock active: ${lockStatus.agentId} (expires ${lockStatus.expiresAt?.toLocaleString()})`,
+      projectPath: root,
+      suggestion: 'Wait for lock to expire or release with: memorylink lock release',
+    });
+  }
+  
+  const memoryEntries = readJsonlEntries<MemoryEntry>(getFilePath('MEMORY', root));
+  
+  // Check 1: Schema validation
+  const schemaIssues = validateSchema(memoryEntries, root);
+  issues.push(...schemaIssues);
+
+  // Check 2: Referential integrity
+  const refIssues = validateReferentialIntegrity(memoryEntries, root);
+  issues.push(...refIssues);
+
+  // Check 3: Security checks (secrets, PII)
+  const securityIssues = validateSecurity(memoryEntries, root);
+  issues.push(...securityIssues);
+
+  // Check 4: Staleness detection
+  const stalenessIssues = detectStaleness(memoryEntries, root);
+  issues.push(...stalenessIssues);
+
+  // Check 5: Policy validation
+  const policyIssues = validatePolicies(memoryEntries, root);
+  issues.push(...policyIssues);
+
+  // Calculate status
+  const status = calculateBuddyStatus(issues);
+  
+  // Count trust levels
+  const trustCounts = countTrustLevels(memoryEntries);
+
+  const duration = Date.now() - startTime;
+
+  return {
+    status,
+    summary: generateSummary(status, issues.length, memoryEntries.length),
+    issues,
+    timestamp: new Date().toISOString(),
+    runType: 'preflight',
+    agentId: options.for,
+    branch: options.branch,
+    recordsUsed: memoryEntries.length,
+    highTrust: trustCounts.high,
+    mediumTrust: trustCounts.medium,
+    lowTrust: trustCounts.low,
+    staleCount: stalenessIssues.length,
+    durationMs: duration,
+  };
+}
+
+/**
+ * Run postflight check after AI agent operations
+ */
+async function runPostflightCheck(options: DoctorOptions): Promise<BuddyReport> {
+  const startTime = Date.now();
+  const root = findRoot();
+  
+  if (!root || !isInitialized(root)) {
+    return {
+      status: 'RED',
+      summary: 'MemoryLink not initialized',
+      issues: [{
+        type: 'INIT',
+        severity: 'error',
+        message: 'MemoryLink is not initialized. Run: memorylink init',
+      }],
+      timestamp: new Date().toISOString(),
+      runType: 'postflight',
+      durationMs: Date.now() - startTime,
+    };
+  }
+
+  const issues: BuddyIssue[] = [];
+  
+  // Get changed files if --changed flag is set
+  // TODO v1.6: Use `git diff` to detect changed files instead of file watching
+  // This will enable detection of:
+  // - Protected file modifications (via git diff --name-only + protected.txt check)
+  // - File deletions (via git diff --diff-filter=D)
+  // - Large-scale changes (via git diff --stat line count)
+  const changedFiles = options.changed ? getChangedFiles(root) : [];
+  
+  // Read memory entries (filter to changed if needed)
+  let memoryEntries = readJsonlEntries<MemoryEntry>(getFilePath('MEMORY', root));
+  if (options.changed && changedFiles.length > 0) {
+    // Filter entries related to changed files
+    memoryEntries = memoryEntries.filter(entry => {
+      if (entry.file && changedFiles.includes(entry.file)) return true;
+      if (entry.path && changedFiles.includes(entry.path)) return true;
+      // Check if entry was created/updated recently (last 5 minutes)
+      const entryTime = new Date(entry.ts).getTime();
+      const fiveMinutesAgo = Date.now() - 5 * 60 * 1000;
+      return entryTime > fiveMinutesAgo;
+    });
+  }
+
+  // Run same checks as preflight
+  const schemaIssues = validateSchema(memoryEntries, root);
+  issues.push(...schemaIssues);
+
+  const refIssues = validateReferentialIntegrity(memoryEntries, root);
+  issues.push(...refIssues);
+
+  const securityIssues = validateSecurity(memoryEntries, root);
+  issues.push(...securityIssues);
+
+  const stalenessIssues = detectStaleness(memoryEntries, root);
+  issues.push(...stalenessIssues);
+
+  const policyIssues = validatePolicies(memoryEntries, root);
+  issues.push(...policyIssues);
+
+  // Additional postflight checks
+  const consistencyIssues = validateConsistency(memoryEntries, root, changedFiles);
+  issues.push(...consistencyIssues);
+
+  // Mark new agent records as DRAFT
+  if (options.fix) {
+    await markAgentRecordsAsDraft(memoryEntries, root);
+  }
+
+  // Calculate status
+  const status = calculateBuddyStatus(issues);
+  
+  const trustCounts = countTrustLevels(memoryEntries);
+  const duration = Date.now() - startTime;
+
+  return {
+    status,
+    summary: generateSummary(status, issues.length, memoryEntries.length),
+    issues,
+    timestamp: new Date().toISOString(),
+    runType: 'postflight',
+    recordsUsed: memoryEntries.length,
+    highTrust: trustCounts.high,
+    mediumTrust: trustCounts.medium,
+    lowTrust: trustCounts.low,
+    staleCount: stalenessIssues.length,
+    durationMs: duration,
+  };
+}
+
+/**
+ * Validate schema and required fields
+ */
+function validateSchema(entries: MemoryEntry[], root: string): BuddyIssue[] {
+  const issues: BuddyIssue[] = [];
+  
+  for (const entry of entries) {
+    // Check required fields
+    if (!entry.id) {
+      issues.push({
+        id: entry.id,
+        type: 'SCHEMA',
+        severity: 'error',
+        message: 'Missing required field: id',
+        projectPath: root,
+      });
+    }
+    
+    if (!entry.ts) {
+      issues.push({
+        id: entry.id,
+        type: 'SCHEMA',
+        severity: 'error',
+        message: 'Missing required field: ts (timestamp)',
+        projectPath: root,
+      });
+    }
+    
+    if (!entry.type) {
+      issues.push({
+        id: entry.id,
+        type: 'SCHEMA',
+        severity: 'error',
+        message: 'Missing required field: type',
+        projectPath: root,
+      });
+    }
+    
+    // v1.4: Check schema version if present
+    if (entry.schemaVersion && entry.schemaVersion !== '1.4.0' && entry.schemaVersion !== '1.3.0') {
+      issues.push({
+        id: entry.id,
+        type: 'SCHEMA',
+        severity: 'warning',
+        message: `Unknown schema version: ${entry.schemaVersion}`,
+        projectPath: root,
+      });
+    }
+  }
+  
+  return issues;
+}
+
+/**
+ * Validate referential integrity (files exist, lines in range, commits exist)
+ */
+function validateReferentialIntegrity(entries: MemoryEntry[], root: string): BuddyIssue[] {
+  const issues: BuddyIssue[] = [];
+  
+  for (const entry of entries) {
+    // Check file references
+    if (entry.file) {
+      const filePath = path.join(root, entry.file);
+      if (!fs.existsSync(filePath)) {
+        issues.push({
+          id: entry.id,
+          type: 'BROKEN_REF',
+          severity: 'warning',
+          message: `Referenced file does not exist: ${entry.file}`,
+          projectPath: root,
+        });
+      } else if (entry.lines) {
+        // Check line numbers are in range
+        const lineRange = parseLineRange(entry.lines);
+        if (lineRange) {
+          const fileContent = fs.readFileSync(filePath, 'utf-8');
+          const totalLines = fileContent.split('\n').length;
+          if (lineRange.end > totalLines) {
+            issues.push({
+              id: entry.id,
+              type: 'BROKEN_REF',
+              severity: 'warning',
+              message: `Line range ${entry.lines} exceeds file length (${totalLines} lines)`,
+              projectPath: root,
+            });
+          }
+        }
+      }
+    }
+    
+    // Check commit OID if location.commit is present (v1.4)
+    if (entry.location?.commit) {
+      try {
+        execSync(`git cat-file -e ${entry.location.commit}`, { 
+          cwd: root, 
+          stdio: 'ignore' 
+        });
+      } catch {
+        issues.push({
+          id: entry.id,
+          type: 'BROKEN_REF',
+          severity: 'warning',
+          message: `Referenced commit does not exist: ${entry.location.commit}`,
+          projectPath: root,
+        });
+      }
+    }
+  }
+  
+  return issues;
+}
+
+/**
+ * Validate security (secrets, PII)
+ * 
+ * TODO v1.6: Enhanced pattern matching
+ * - Add credit card patterns (Luhn algorithm validation)
+ * - Add CVV patterns (3-4 digits)
+ * - Add SSN patterns (XXX-XX-XXXX)
+ * - Add API key patterns (common formats)
+ * - Add file-based logging detection (console.log with sensitive data)
+ * - See: src/utils/v1.6-patterns.ts (commented out for v1.6)
+ */
+function validateSecurity(entries: MemoryEntry[], root: string): BuddyIssue[] {
+  const issues: BuddyIssue[] = [];
+  
+  for (const entry of entries) {
+    const content = entry.details || entry.code || '';
+    
+    // Check for secrets
+    for (const pattern of SECRET_PATTERNS) {
+      const matches = content.match(pattern.pattern);
+      if (matches) {
+        // RED if agent-origin, YELLOW if human
+        const severity = entry.sourceType === 'agent' ? 'error' : 'warning';
+        issues.push({
+          id: entry.id,
+          type: 'SECRET',
+          severity,
+          message: `Potential secret detected (${pattern.name}): ${matches[0].substring(0, 20)}...`,
+          projectPath: root,
+          suggestion: 'Remove secret from memory entry',
+        });
+      }
+    }
+    
+    // Check for PII (emails, IDs)
+    const emailPattern = /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b/g;
+    const emailMatches = content.match(emailPattern);
+    if (emailMatches && entry.sourceType === 'agent') {
+      issues.push({
+        id: entry.id,
+        type: 'PII',
+        severity: 'error',
+        message: `PII detected (email): ${emailMatches[0]}`,
+        projectPath: root,
+        suggestion: 'Remove PII from memory entry',
+      });
+    }
+    
+    // TODO v1.6: Enhanced patterns (see src/utils/v1.6-patterns.ts)
+    // - Credit card: /(?:\d{4}[-\s]?){3}\d{4}/g + Luhn validation
+    // - CVV: /\b\d{3,4}\b/g (context-dependent)
+    // - SSN: /\b\d{3}-\d{2}-\d{4}\b/g
+    // - API keys: Common formats (AWS, Google, etc.)
+    // - File logging: console.log/logger.* with sensitive patterns
+  }
+  
+  return issues;
+}
+
+/**
+ * Detect stale records (file changed since commit)
+ */
+function detectStaleness(entries: MemoryEntry[], root: string): BuddyIssue[] {
+  const issues: BuddyIssue[] = [];
+  
+  for (const entry of entries) {
+    if (entry.location?.commit && entry.file) {
+      try {
+        // Check if file has changed since commit
+        const filePath = path.join(root, entry.file);
+        if (fs.existsSync(filePath)) {
+          const currentCommit = execSync('git rev-parse HEAD', { 
+            cwd: root, 
+            encoding: 'utf-8' 
+          }).trim();
+          
+          if (currentCommit !== entry.location.commit) {
+            // File has changed - mark as stale
+            issues.push({
+              id: entry.id,
+              type: 'STALE',
+              severity: 'warning',
+              message: `File changed since commit ${entry.location.commit.substring(0, 8)}`,
+              projectPath: root,
+              suggestion: 'Update memory entry or rebuild graph',
+            });
+          }
+        }
+      } catch {
+        // Git not available or file doesn't exist - skip
+      }
+    }
+  }
+  
+  return issues;
+}
+
+/**
+ * Validate policy rules
+ * 
+ * TODO v1.6: Add Git-based protected file detection
+ * - Use `git diff --name-only HEAD` to get changed files
+ * - Cross-reference with protected.txt
+ * - Detect protected file modifications (RED status)
+ * - Detect file deletions (via `git diff --diff-filter=D`)
+ * - Detect large-scale changes (via `git diff --stat` line count > threshold)
+ */
+function validatePolicies(entries: MemoryEntry[], root: string): BuddyIssue[] {
+  const issues: BuddyIssue[] = [];
+  
+  // Policy: "Prefer fresh code over memory"
+  // Policy: "No secrets in memory"
+  // (Already checked in validateSecurity)
+  
+  // TODO v1.6: Protected file detection via Git diff
+  // const protectedFiles = readLines(getFilePath('PROTECTED', root));
+  // const changedFiles = getChangedFiles(root);
+  // for (const file of changedFiles) {
+  //   if (protectedFiles.includes(file)) {
+  //     issues.push({
+  //       type: 'PROTECTED_FILE',
+  //       severity: 'error',
+  //       message: `Protected file modified: ${file}`,
+  //       projectPath: root,
+  //       suggestion: 'Review changes or remove from protected.txt',
+  //     });
+  //   }
+  // }
+  
+  // Policy: "Agent records should be DRAFT until verified"
+  for (const entry of entries) {
+    if (entry.sourceType === 'agent' && entry.memoryStatus !== 'DRAFT') {
+      issues.push({
+        id: entry.id,
+        type: 'POLICY',
+        severity: 'info',
+        message: 'Agent-origin record should be DRAFT until verified',
+        projectPath: root,
+        suggestion: 'Mark as DRAFT or promote to VERIFIED after review',
+      });
+    }
+  }
+  
+  return issues;
+}
+
+/**
+ * Validate consistency (code + memory changes)
+ */
+function validateConsistency(entries: MemoryEntry[], root: string, changedFiles: string[]): BuddyIssue[] {
+  const issues: BuddyIssue[] = [];
+  
+  // Check if memory entries match changed files
+  for (const entry of entries) {
+    if (entry.file && changedFiles.length > 0 && !changedFiles.includes(entry.file)) {
+      // Entry references file that wasn't changed - might be inconsistent
+      issues.push({
+        id: entry.id,
+        type: 'CONFLICT',
+        severity: 'info',
+        message: `Memory entry references unchanged file: ${entry.file}`,
+        projectPath: root,
+      });
+    }
+  }
+  
+  return issues;
+}
+
+/**
+ * Calculate Buddy-Check status from issues
+ */
+function calculateBuddyStatus(issues: BuddyIssue[]): BuddyStatus {
+  // RED: Any error-level issues
+  if (issues.some(i => i.severity === 'error')) {
+    return 'RED';
+  }
+  
+  // YELLOW: Any warnings
+  if (issues.some(i => i.severity === 'warning')) {
+    return 'YELLOW';
+  }
+  
+  // GREEN: No errors or warnings
+  return 'GREEN';
+}
+
+/**
+ * Generate summary text
+ */
+function generateSummary(status: BuddyStatus, issueCount: number, recordCount: number): string {
+  if (status === 'RED') {
+    return `RED: ${issueCount} critical issue(s) found in ${recordCount} records`;
+  } else if (status === 'YELLOW') {
+    return `YELLOW: ${issueCount} warning(s) found in ${recordCount} records`;
+  } else {
+    return `GREEN: All checks passed for ${recordCount} records`;
+  }
+}
+
+/**
+ * Count trust levels in entries
+ */
+function countTrustLevels(entries: MemoryEntry[]): { high: number; medium: number; low: number } {
+  let high = 0;
+  let medium = 0;
+  let low = 0;
+  
+  for (const entry of entries) {
+    const trust = entry.trustLevel || 'medium';
+    if (trust === 'high') high++;
+    else if (trust === 'low') low++;
+    else medium++;
+  }
+  
+  return { high, medium, low };
+}
+
+/**
+ * Get changed files from Git
+ */
+function getChangedFiles(root: string): string[] {
+  try {
+    const output = execSync('git diff --name-only HEAD', { 
+      cwd: root, 
+      encoding: 'utf-8' 
+    });
+    return output.split('\n').filter(f => f.trim()).map(f => f.trim());
+  } catch {
+    return [];
+  }
+}
+
+/**
+ * Parse line range (e.g., "42-50" or "42")
+ */
+function parseLineRange(lines: string): { start: number; end: number } | null {
+  if (lines.includes('-')) {
+    const [start, end] = lines.split('-').map(n => parseInt(n, 10));
+    if (!isNaN(start) && !isNaN(end)) {
+      return { start, end };
+    }
+  } else {
+    const line = parseInt(lines, 10);
+    if (!isNaN(line)) {
+      return { start: line, end: line };
+    }
+  }
+  return null;
+}
+
+/**
+ * Mark agent records as DRAFT (for postflight --fix)
+ */
+async function markAgentRecordsAsDraft(entries: MemoryEntry[], root: string): Promise<void> {
+  const memoryPath = getFilePath('MEMORY', root);
+  const updatedEntries: MemoryEntry[] = [];
+  let updated = false;
+  
+  for (const entry of entries) {
+    if (entry.sourceType === 'agent' && entry.memoryStatus !== 'DRAFT') {
+      updatedEntries.push({
+        ...entry,
+        memoryStatus: 'DRAFT',
+        recordVersion: (entry.recordVersion || 1) + 1,
+      });
+      updated = true;
+    } else {
+      updatedEntries.push(entry);
+    }
+  }
+  
+  if (updated) {
+    // Write updated entries back
+    const jsonl = updatedEntries.map(e => JSON.stringify(e)).join('\n') + '\n';
+    fs.writeFileSync(memoryPath, jsonl);
+    info('Marked agent records as DRAFT');
+  }
+}
+
+/**
+ * Handle human override for RED status
+ */
+async function handleOverride(
+  report: BuddyReport,
+  root: string | null,
+  options: DoctorOptions
+): Promise<BuddyReport> {
+  if (!root) {
+    return report;
+  }
+  
+  // Check if in strict mode (would require override)
+  const config = readConfig(root);
+  const isStrict = config?.strict === true || config?.mode === 'enterprise';
+  
+  if (!isStrict) {
+    // Developer mode: allow override but don't require it
+    return report;
+  }
+  
+  // In strict mode, prompt for override
+  console.log('');
+  warn('⚠️  RED status detected - override required in strict mode');
+  console.log('');
+  
+  // For now, we'll just return the report without override
+  // In a full implementation, this would prompt for:
+  // - approvedBy (user name/ID)
+  // - reason (why override is needed)
+  
+  // For CLI, we can use environment variables or flags
+  const overrideBy = process.env.MEMORYLINK_OVERRIDE_BY || options.for || 'unknown';
+  const overrideReason = process.env.MEMORYLINK_OVERRIDE_REASON || 'Manual override via CLI';
+  
+  if (overrideBy !== 'unknown' || overrideReason !== 'Manual override via CLI') {
+    const override: BuddyOverride = {
+      approvedBy: overrideBy,
+      reason: overrideReason,
+      timestamp: new Date().toISOString(),
+    };
+    
+    return {
+      ...report,
+      override,
+    };
+  }
+  
+  return report;
+}
+
+/**
+ * Log override to overrides.log (JSONL)
+ * 
+ * TODO v1.6: Enhanced override logging
+ * - Add report ID reference
+ * - Add issue IDs that were overridden
+ * - Add context (branch, PR, agent)
+ * - Add audit trail fields (who, when, why, what)
+ * - Format: { approvedBy, reason, timestamp, runType, reportId, issueIds[], context: { branch, pr, agent } }
+ */
+function logOverride(override: BuddyOverride, runType: 'preflight' | 'postflight', root: string): void {
+  try {
+    const overridesPath = path.join(root, MEMORYLINK_DIR, 'overrides.log');
+    const entry = {
+      ...override,
+      runType,
+      // TODO v1.6: Add reportId, issueIds[], context
+    };
+    const jsonlLine = JSON.stringify(entry) + '\n';
+    fs.appendFileSync(overridesPath, jsonlLine, 'utf-8');
+  } catch (err) {
+    // Silently fail - override logging should not break the main flow
+  }
+}
+
+/**
+ * Print Buddy-Check report
+ */
+function printBuddyReport(report: BuddyReport): void {
+  // Check if stdout is writable before printing
+  if (!isStdoutWritable()) {
+    return; // Silently return if stdout is closed
+  }
+  
+  safeLog('');
+  safeLog('\x1b[1m🔍 Buddy-Check Report\x1b[0m');
+  safeLog('');
+  
+  // Status indicator
+  let statusColor = '\x1b[32m'; // GREEN
+  let statusIcon = '●';
+  if (report.status === 'YELLOW') {
+    statusColor = '\x1b[33m'; // YELLOW
+  } else if (report.status === 'RED') {
+    statusColor = '\x1b[31m'; // RED
+  }
+  
+  safeLog(`   Status: ${statusColor}${statusIcon} ${report.status}\x1b[0m`);
+  safeLog(`   ${report.summary}`);
+  safeLog('');
+  
+  if (report.issues.length > 0) {
+    safeLog(`   Issues (${report.issues.length}):`);
+    for (const issue of report.issues.slice(0, 10)) {
+      const severityColor = issue.severity === 'error' ? '\x1b[31m' : 
+                           issue.severity === 'warning' ? '\x1b[33m' : '\x1b[36m';
+      safeLog(`   ${severityColor}${issue.severity.toUpperCase()}\x1b[0m [${issue.type}] ${issue.message}`);
+      if (issue.suggestion) {
+        safeLog(`     💡 ${issue.suggestion}`);
+      }
+    }
+    if (report.issues.length > 10) {
+      safeLog(`   ... and ${report.issues.length - 10} more`);
+    }
+  } else {
+    safeLog('   ✓ No issues found');
+  }
+  
+  if (report.recordsUsed !== undefined) {
+    safeLog('');
+    safeLog(`   Records: ${report.recordsUsed} checked`);
+    if (report.highTrust !== undefined) {
+      safeLog(`   Trust: ${report.highTrust} high, ${report.mediumTrust} medium, ${report.lowTrust} low`);
+    }
+    if (report.staleCount !== undefined && report.staleCount > 0) {
+      safeLog(`   Stale: ${report.staleCount}`);
+    }
+  }
+  
+  if (report.durationMs !== undefined) {
+    safeLog(`   Duration: ${report.durationMs}ms`);
+  }
+  
+  if (report.override) {
+    safeLog('');
+    warn(`⚠️  Override: Approved by ${report.override.approvedBy}`);
+    safeLog(`   Reason: ${report.override.reason}`);
+  }
+  
+  safeLog('');
+}
+