Summary
The complyctl doctor output currently renders all check results as a flat
list of status lines. As the number of checks grows, the output becomes
harder to scan. This issue tracks grouping checks into labeled sections,
nesting related sub-checks under their parents, and fixing silent policy
skipping on registry failures.
Feedback
@marcusburghardt provided the following feedback that shaped the design:
- Section ordering: "I was thinking of a list of sequential
requirements for performing a successful scan." Suggested order:
Providers (with Variables) → Policies → Complypacks → Workspace.
- Variables with providers: "Since the variables are related to
providers, wouldn't make sense to keep them together?"
- Named complypacks: "I was also thinking about the value of
informing the number of complypacks without identifying the
complypack. It is similar to say: 'You have 3 providers, but not
saying which providers specifically.'"
Current behavior
✅ config: /path/to/.complytime/complytime.yaml valid
✅ provider/ampel: healthy (v0.1.0)
✅ provider/opa: healthy (v0.1.0)
✅ cache: 6 cached policy store(s)
✅ policy/ampel-bp: latest (pinned)
✅ policy/ampel-bp/active-period: no evaluation timeline defined
✅ variables/ampel: 0/0 global vars, 2/2 target vars
✅ variables/opa: 0/0 global vars, no target mapping for this evaluator
✅ complypacks: 1 complypack(s) cached
⏭️ registry/down.io: unreachable
Problems: flat list with no grouping, variables far from their provider,
active-period far from its policy, complypacks show only a count,
unreachable registry silently skips all affected policies.
Proposed behavior
Running workspace diagnostics...
Providers
✅ ampel: healthy (v0.1.0)
✅ variables: 0/0 global vars, 2/2 target vars
✅ opa: healthy (v0.1.0)
Policies
✅ ampel-bp: 0.2.0 (latest)
✅ active-period: no evaluation timeline defined
⏭️ cis: version check skipped (registry unreachable: down.io)
✅ active-period: evaluation active (2026-01-01 to 2027-01-01)
Cache
✅ cache: 6 cached policy store(s)
Complypacks
✅ ampel: cached
⏭️ opa: not cached — run complyctl get to download
Workspace
✅ config: .complytime/complytime.yaml valid
Verification
✅ verification: all 6 cached artifacts verified
9 checks: 7 passed, 0 failed, 2 warnings
Changes
- Grouped sections following scan prerequisite sequence (per Marcus):
Providers → Policies → Cache → Complypacks → Workspace → Verification
- Variables nested under their parent provider (per Marcus)
- Active-period nested under their parent policy
- Per-policy registry warnings — each affected policy gets its own
warning instead of one registry/ result that silently skips the rest
- Named complypacks individually by evaluator-id (per Marcus)
- Summary counts all rendered results — children are included so the
count matches what the user sees on screen (failures are never hidden)
- Unmapped providers skip variable output — providers with no required
variables and no policies referencing them show no variable child
Implementation
CheckResult gains Group and Children fields; Run() assembles
the tree via attachment helpers
- Renderer strips section prefixes from display names (
provider/ampel
renders as ampel) and uses short labels for children (variables,
active-period); full qualified names preserved in data model
- OpenSpec:
openspec/changes/doctor-grouped-output/
- Branch:
opsx/doctor-grouped-output
References
Summary
The
complyctl doctoroutput currently renders all check results as a flatlist of status lines. As the number of checks grows, the output becomes
harder to scan. This issue tracks grouping checks into labeled sections,
nesting related sub-checks under their parents, and fixing silent policy
skipping on registry failures.
Feedback
@marcusburghardt provided the following feedback that shaped the design:
requirements for performing a successful scan." Suggested order:
Providers (with Variables) → Policies → Complypacks → Workspace.
providers, wouldn't make sense to keep them together?"
informing the number of complypacks without identifying the
complypack. It is similar to say: 'You have 3 providers, but not
saying which providers specifically.'"
Current behavior
Problems: flat list with no grouping, variables far from their provider,
active-period far from its policy, complypacks show only a count,
unreachable registry silently skips all affected policies.
Proposed behavior
Changes
Providers → Policies → Cache → Complypacks → Workspace → Verification
warning instead of one
registry/result that silently skips the restcount matches what the user sees on screen (failures are never hidden)
variables and no policies referencing them show no variable child
Implementation
CheckResultgainsGroupandChildrenfields;Run()assemblesthe tree via attachment helpers
provider/ampelrenders as
ampel) and uses short labels for children (variables,active-period); full qualified names preserved in data modelopenspec/changes/doctor-grouped-output/opsx/doctor-grouped-outputReferences
doctorhas no machine-readable output mode for CI #611 (machine-readable output for CI)--debugproduces no visible output #614 (debug visible output — closed)