nself doctor

Diagnose your nSelf installation. Checks system requirements, configuration, Docker health, SSL certificates, and network. Automatically fixes common problems with --fix.

Security-Always-Free: nself doctor --deep runs the full security hardening suite without requiring a license. It also runs automatically on every nself install, nself update, nself deploy, and on the daily maintenance cron.

Quick start

# Full diagnostics
nself doctor

# Deep mode — full security hardening suite (free, no license)
nself doctor --deep

# Auto-fix detected issues
nself doctor --fix

# Check one category
nself doctor --category ssl

Synopsis

nself doctor [FLAGS]

Description

nself doctor runs a suite of checks across six categories: system requirements, configuration, Docker health, SSL certificates, network, and services. Each check reports pass, warning, or fail. Failed checks with --fix are auto-remediated where possible.

--deep extends the standard check suite with the full security hardening scan (RLS validation, rate limit verification, SSRF guard, JWT key rotation readiness, WAF baseline, encryption-at-rest config, audit log availability). This scan is free — it never checks a license.

In production, critical findings from --deep block deploys unless --force is passed with a written justification. Use --json to integrate doctor output into CI pipelines or alerting.

Flags

Flag	Type	Default	Description
`--fix`	bool	false	Auto-fix detected issues where possible
`--deep`	bool	false	Run full security hardening suite (free, no license)
`--verbose, -v`	bool	false	Show detailed diagnostic output
`--json`	bool	false	Output results as JSON
`--category`	string		Check one category: `system`, `config`, `docker`, `ssl`, `network`, `services`
`--skip`	string		Comma-separated check names or categories to skip
`--env`	string	current	Check a specific environment (local, staging, prod)

Diagnostic categories

Category	What it checks
`system`	Docker, Docker Compose, Node.js, mkcert, disk space, OS compatibility
`config`	`.env` presence, required variables, port conflicts, password strength, service dependencies
`docker`	Daemon running, container health, networks, volumes, resource usage
`ssl`	Certificate presence, validity, trust store, domain coverage, expiry warning
`network`	Port 80/443 availability, DNS resolution, `*.local.nself.org` → `127.0.0.1`
`services`	Per-service health endpoints, dependency graph, configuration drift

Examples

Standard diagnostic

nself doctor
# System Requirements    ✓ 5 passed
# Configuration         ✓ 6 passed, ⚠ 1 warning
# Docker Health         ✓ 5 passed
# SSL Certificates      ✓ 5 passed
# Network               ✓ 4 passed
# ───────────────────────────────────
# 25 passed, 1 warning, 0 failed
# Run 'nself doctor --fix' to resolve 1 warning

Deep security scan

nself doctor --deep
# (all standard checks, plus:)
# Security Hardening    ✓ RLS enabled on all np_* tables
#                       ✓ Rate limits configured
#                       ✓ SSRF guard active
#                       ⚠ JWT rotation overdue (last rotated 187 days ago)
#                       ✓ Audit log enabled

Auto-fix in CI

nself doctor --fix --json > doctor.json
exit_code=$?
if [ $exit_code -eq 2 ]; then
  echo "Critical issues remain after auto-fix"
  cat doctor.json | jq '.categories | to_entries[] | select(.value.status == "failed")'
  exit 1
fi

Skip SSL checks (CI without local DNS)

nself doctor --skip ssl,network

Check production environment

nself doctor --env prod
# Production-specific checks:
# - Let's Encrypt certificate (not mkcert)
# - DEBUG disabled
# - Strong password requirements enforced

JSON output schema

nself doctor --json
{
  "timestamp": "2026-05-07T14:22:00Z",
  "summary": { "passed": 25, "warnings": 1, "failed": 0, "total": 26 },
  "categories": {
    "ssl": {
      "status": "passed",
      "checks": [
        {
          "name": "cert_valid",
          "status": "passed",
          "message": "Certificate valid for local.nself.org",
          "fixable": false
        }
      ]
    }
  }
}

Auto-fixable checks

Issue	Auto-fix action
Docker daemon not running	Start Docker daemon
SSL certificate expired or missing	Regenerate via mkcert
Certificate not in trust store	Run `nself trust`
Weak password in config	Regenerate secrets
`.env` missing	Copy from `.env.example`
mkcert not installed	`brew install mkcert` (macOS)
Unhealthy container	Restart the container

Exit codes

0 — all checks passed (warnings are not failures)
1 — warnings detected
2 — critical failures detected
3 — doctor itself failed to run

nself dev bootstrap — one-shot setup that runs doctor at the end
nself deploy — runs doctor before every remote deploy
nself dns-setup — fix DNS resolution issues detected by doctor
Security Guide — full hardening documentation

nself doctor

Diagnose your nSelf installation. Checks system requirements, configuration, Docker health, SSL certificates, and network. Automatically fixes common problems with --fix.

Quick start

# Full diagnostics
nself doctor

# Deep mode — full security hardening suite (free, no license)
nself doctor --deep

# Auto-fix detected issues
nself doctor --fix

# Check one category
nself doctor --category ssl

Synopsis

nself doctor [FLAGS]

Description

In production, critical findings from --deep block deploys unless --force is passed with a written justification. Use --json to integrate doctor output into CI pipelines or alerting.

Flags

Flag	Type	Default	Description
`--fix`	bool	false	Auto-fix detected issues where possible
`--deep`	bool	false	Run full security hardening suite (free, no license)
`--verbose, -v`	bool	false	Show detailed diagnostic output
`--json`	bool	false	Output results as JSON
`--category`	string		Check one category: `system`, `config`, `docker`, `ssl`, `network`, `services`
`--skip`	string		Comma-separated check names or categories to skip
`--env`	string	current	Check a specific environment (local, staging, prod)

Diagnostic categories

Category	What it checks
`system`	Docker, Docker Compose, Node.js, mkcert, disk space, OS compatibility
`config`	`.env` presence, required variables, port conflicts, password strength, service dependencies
`docker`	Daemon running, container health, networks, volumes, resource usage
`ssl`	Certificate presence, validity, trust store, domain coverage, expiry warning
`network`	Port 80/443 availability, DNS resolution, `*.local.nself.org` → `127.0.0.1`
`services`	Per-service health endpoints, dependency graph, configuration drift

Examples

Standard diagnostic

nself doctor
# System Requirements    ✓ 5 passed
# Configuration         ✓ 6 passed, ⚠ 1 warning
# Docker Health         ✓ 5 passed
# SSL Certificates      ✓ 5 passed
# Network               ✓ 4 passed
# ───────────────────────────────────
# 25 passed, 1 warning, 0 failed
# Run 'nself doctor --fix' to resolve 1 warning

Deep security scan

nself doctor --deep
# (all standard checks, plus:)
# Security Hardening    ✓ RLS enabled on all np_* tables
#                       ✓ Rate limits configured
#                       ✓ SSRF guard active
#                       ⚠ JWT rotation overdue (last rotated 187 days ago)
#                       ✓ Audit log enabled

Auto-fix in CI

nself doctor --fix --json > doctor.json
exit_code=$?
if [ $exit_code -eq 2 ]; then
  echo "Critical issues remain after auto-fix"
  cat doctor.json | jq '.categories | to_entries[] | select(.value.status == "failed")'
  exit 1
fi

Skip SSL checks (CI without local DNS)

nself doctor --skip ssl,network

Check production environment

nself doctor --env prod
# Production-specific checks:
# - Let's Encrypt certificate (not mkcert)
# - DEBUG disabled
# - Strong password requirements enforced

JSON output schema

nself doctor --json
{
  "timestamp": "2026-05-07T14:22:00Z",
  "summary": { "passed": 25, "warnings": 1, "failed": 0, "total": 26 },
  "categories": {
    "ssl": {
      "status": "passed",
      "checks": [
        {
          "name": "cert_valid",
          "status": "passed",
          "message": "Certificate valid for local.nself.org",
          "fixable": false
        }
      ]
    }
  }
}

Auto-fixable checks

Issue	Auto-fix action
Docker daemon not running	Start Docker daemon
SSL certificate expired or missing	Regenerate via mkcert
Certificate not in trust store	Run `nself trust`
Weak password in config	Regenerate secrets
`.env` missing	Copy from `.env.example`
mkcert not installed	`brew install mkcert` (macOS)
Unhealthy container	Restart the container

Exit codes

0 — all checks passed (warnings are not failures)
1 — warnings detected
2 — critical failures detected
3 — doctor itself failed to run

nself dev bootstrap — one-shot setup that runs doctor at the end
nself deploy — runs doctor before every remote deploy
nself dns-setup — fix DNS resolution issues detected by doctor
Security Guide — full hardening documentation

nself doctor

Quick start

Synopsis

Description

Flags

Diagnostic categories

Examples

Standard diagnostic

Deep security scan

Auto-fix in CI

Skip SSL checks (CI without local DNS)

Check production environment

JSON output schema

Auto-fixable checks

Exit codes

Related

nself doctor

Quick start

Synopsis

Description

Flags

Diagnostic categories

Examples

Standard diagnostic

Deep security scan

Auto-fix in CI

Skip SSL checks (CI without local DNS)

Check production environment

JSON output schema

Auto-fixable checks

Exit codes

Related