doctor detects stale installs and runtime mismatches

[Ram9199]

Source: founder dogfood UX report. Guiding principle: a permission tool must clearly identify which copy of itself is guarding the user.

Problem

agent-sudo doctor (agent_sudo/doctor.py::run_doctor) ran six green OK checks while a stale v0.5.5 snapshot was guarding the user. It never noticed the running code was behind the source, nor that the running install differed from the configured workspace/source. doctor is the first thing a confused user runs; it stayed silent on the one thing that mattered.

Proposed

Add DoctorChecks that WARN on:

1. Stale snapshot — running version < newest install detected by inventory.
2. Editable source drift — running as editable, but the imported package path doesn't match the configured/expected source.
3. Runtime != expected source — the configured workspace / client config points at a different install than the one actually running.

Each WARN names the running copy and the expected one, and points to agent-sudo inventory for the full picture.

Reuses

• Self-identity primitive (running version + install type + source path).
• agent_sudo/inventory.py::build_inventory classification (STALE / VERSION DRIFT) — call it, don't reimplement.
• agent_sudo/context.py for configured workspace/source.

Acceptance

• New non-required WARN checks (never break doctor_exit_code for normal dev setups, but surface clearly).
• Tests for stale, drift, and mismatch scenarios.
• Docs updated.

Effort: M · Risk: Low–Medium.

[Ram9199]

Implementation notes.

Depends on #108; reuses #101/#107 inventory classification.

Plan: add non-required DoctorChecks in doctor.py:

1. stale snapshot — running version (from SelfIdentity) < build_inventory().newest_version.
2. editable source drift — running editable but imported package path != configured source.
3. runtime != expected — configured workspace/client config points at a different install than the running one.

Call build_inventory() for the STALE/VERSION DRIFT signal rather than re-deriving it. Keep doctor_exit_code green for normal editable-dev setups (these are WARN, not FAIL), but make the WARN unmissable and point to agent-sudo inventory.

Rationale: doctor is the confused user's first stop and it ran six green checks past a stale gate. It must catch the one thing that mattered.

Effort M, risk Low–Medium. Separate PR.

[Ram9199]

Implementation up for review in #115 (built on #108 + inventory #101, both in main).

Two WARN-only checks in run_doctor():

• install up to date — running version < newest install found; names where the newer copy lives.
• runtime matches install source — editable install whose running package path drifted from its registered source.

Scope kept narrow per the issue: WARN-only (exit code never affected, no auto-fix), reuses SelfIdentity + inventory newest_version/_version_key, identity/inventory_report injectable for tests.

Tests: stale pinned install, editable mismatch, clean current install (+ unknown-version no-warn). Full suite 489 passed; ruff clean. Docs updated. Not closing until #115 merges.