diff --git a/acceptance/cmd/experimental/doctor/out.test.toml b/acceptance/cmd/experimental/doctor/out.test.toml
new file mode 100644
index 00000000000..d560f1de043
--- /dev/null
+++ b/acceptance/cmd/experimental/doctor/out.test.toml
@@ -0,0 +1,5 @@
+Local = true
+Cloud = false
+
+[EnvMatrix]
+  DATABRICKS_BUNDLE_ENGINE = ["terraform", "direct"]
diff --git a/acceptance/cmd/experimental/doctor/output.txt b/acceptance/cmd/experimental/doctor/output.txt
new file mode 100644
index 00000000000..5c755fb9c35
--- /dev/null
+++ b/acceptance/cmd/experimental/doctor/output.txt
@@ -0,0 +1,14 @@
+
+=== Doctor with --profile flag
+
+>>> [CLI] experimental doctor --profile my-workspace --output json
+CLI Version: info - [DEV_VERSION]
+Updates: info - development build ([DEV_VERSION])
+Toolchain: info - [TOOLCHAIN]
+Proxy/TLS: info - no proxy or TLS overrides configured
+Log File: info - not configured (set DATABRICKS_LOG_FILE or pass --log-file to enable)
+Config File: pass - ~/.databrickscfg (1 profiles)
+Current Profile: info - my-workspace
+Authentication: pass - OK (pat)
+Identity: pass - test@example.com
+Network: pass - [DATABRICKS_URL] is reachable
diff --git a/acceptance/cmd/experimental/doctor/script b/acceptance/cmd/experimental/doctor/script
new file mode 100644
index 00000000000..9a74e060b2f
--- /dev/null
+++ b/acceptance/cmd/experimental/doctor/script
@@ -0,0 +1,10 @@
+sethome "./home"
+
+cat > "./home/.databrickscfg" <<EOF
+[my-workspace]
+host  = $DATABRICKS_HOST
+token = $DATABRICKS_TOKEN
+EOF
+
+title "Doctor with --profile flag\n"
+trace $CLI experimental doctor --profile my-workspace --output json | jq -r '.results[] | "\(.name): \(.status) - \(.message)"'
diff --git a/acceptance/cmd/experimental/doctor/test.toml b/acceptance/cmd/experimental/doctor/test.toml
new file mode 100644
index 00000000000..546b81c541e
--- /dev/null
+++ b/acceptance/cmd/experimental/doctor/test.toml
@@ -0,0 +1,23 @@
+Local = true
+Cloud = false
+
+Ignore = [
+    "home"
+]
+
+[[Server]]
+Pattern = "GET /api/2.0/preview/scim/v2/Me"
+Response.Body = '''
+{
+  "userName": "test@example.com"
+}
+'''
+
+[[Server]]
+Pattern = "HEAD /"
+Response.Body = ''
+
+# The toolchain check reports local tool versions which vary by machine and CI image.
+[[Repls]]
+Old = 'Toolchain: info - .*'
+New = 'Toolchain: info - [TOOLCHAIN]'
diff --git a/cmd/experimental/experimental.go b/cmd/experimental/experimental.go
index 52c6bac79b0..14583081000 100644
--- a/cmd/experimental/experimental.go
+++ b/cmd/experimental/experimental.go
@@ -2,6 +2,7 @@ package experimental
 
 import (
 	aitoolscmd "github.com/databricks/cli/experimental/aitools/cmd"
+	doctorcmd "github.com/databricks/cli/experimental/doctor/cmd"
 	postgrescmd "github.com/databricks/cli/experimental/postgres/cmd"
 	"github.com/spf13/cobra"
 )
@@ -22,6 +23,7 @@ development. They may change or be removed in future versions without notice.`,
 	}
 
 	cmd.AddCommand(aitoolscmd.NewAitoolsCmd())
+	cmd.AddCommand(doctorcmd.NewDoctorCmd())
 	cmd.AddCommand(postgrescmd.New())
 	cmd.AddCommand(newWorkspaceOpenCommand())
 
diff --git a/experimental/doctor/cmd/checks.go b/experimental/doctor/cmd/checks.go
new file mode 100644
index 00000000000..d312ec76f8c
--- /dev/null
+++ b/experimental/doctor/cmd/checks.go
@@ -0,0 +1,285 @@
+package doctor
+
+import (
+	"context"
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"path/filepath"
+	"time"
+
+	"github.com/databricks/cli/internal/build"
+	"github.com/databricks/cli/libs/auth"
+	"github.com/databricks/cli/libs/databrickscfg/profile"
+	"github.com/databricks/cli/libs/env"
+	"github.com/databricks/cli/libs/log"
+	"github.com/databricks/databricks-sdk-go"
+	"github.com/databricks/databricks-sdk-go/config"
+)
+
+const (
+	networkTimeout = 10 * time.Second
+	checkTimeout   = 15 * time.Second
+)
+
+func pass(name, msg string) CheckResult {
+	return CheckResult{Name: name, Status: statusPass, Message: msg}
+}
+
+func info(name, msg string) CheckResult {
+	return CheckResult{Name: name, Status: statusInfo, Message: msg}
+}
+
+func warn(name, msg string) CheckResult {
+	return CheckResult{Name: name, Status: statusWarn, Message: msg}
+}
+
+func skip(name, msg string) CheckResult {
+	return CheckResult{Name: name, Status: statusSkip, Message: msg}
+}
+
+func fail(name, msg string, err error) CheckResult {
+	r := CheckResult{Name: name, Status: statusFail, Message: msg}
+	if err != nil {
+		r.Detail = err.Error()
+	}
+	return r
+}
+
+// runChecks runs all diagnostic checks and returns the results.
+func runChecks(ctx context.Context, profileName string, profileFromFlag bool) []CheckResult {
+	cfg, resolveErr := resolveConfig(ctx, profileName, profileFromFlag)
+
+	var (
+		authResult CheckResult
+		authCfg    *config.Config
+	)
+	if resolveErr != nil {
+		authResult = fail("Authentication", "Cannot resolve config", resolveErr)
+	} else {
+		authResult, authCfg = checkAuth(ctx, cfg)
+	}
+
+	identityResult := skip("Identity", "Skipped (authentication failed)")
+	if authCfg != nil {
+		identityResult = checkIdentity(ctx, authCfg)
+	}
+
+	return []CheckResult{
+		checkCLIVersion(),
+		checkUpdates(ctx, http.DefaultClient, updateCheckURL),
+		checkToolchain(ctx, realExec),
+		checkProxy(ctx),
+		checkLogFile(ctx),
+		checkConfigFile(ctx, profile.DefaultProfiler),
+		checkCurrentProfile(ctx, profileName, profileFromFlag, cfg),
+		authResult,
+		identityResult,
+		checkNetwork(ctx, cfg, resolveErr, authCfg),
+	}
+}
+
+func checkCLIVersion() CheckResult {
+	return info("CLI Version", build.GetInfo().Version)
+}
+
+func checkConfigFile(ctx context.Context, profiler profile.Profiler) CheckResult {
+	path, err := profiler.GetPath(ctx)
+	if err != nil {
+		return fail("Config File", "Cannot determine config file path", err)
+	}
+
+	profiles, err := profiler.LoadProfiles(ctx, profile.MatchAllProfiles)
+	if err != nil {
+		// Config file absence is not a hard failure since auth can work via env vars.
+		if errors.Is(err, profile.ErrNoConfiguration) {
+			return warn("Config File", "No config file found (auth can still work via environment variables)")
+		}
+		return fail("Config File", "Cannot read "+filepath.ToSlash(path), err)
+	}
+
+	return pass("Config File", fmt.Sprintf("%s (%d profiles)", filepath.ToSlash(path), len(profiles)))
+}
+
+func checkCurrentProfile(ctx context.Context, profileName string, fromFlag bool, resolvedCfg *config.Config) CheckResult {
+	switch envProfile := env.Get(ctx, "DATABRICKS_CONFIG_PROFILE"); {
+	case fromFlag:
+		return info("Current Profile", profileName)
+	case envProfile != "":
+		return info("Current Profile", envProfile+" (from DATABRICKS_CONFIG_PROFILE)")
+	// The SDK resolves a profile when DEFAULT is in .databrickscfg.
+	case resolvedCfg != nil && resolvedCfg.Profile != "":
+		return info("Current Profile", resolvedCfg.Profile+" (resolved from config file)")
+	default:
+		return info("Current Profile", "none (using environment or defaults)")
+	}
+}
+
+func resolveConfig(ctx context.Context, profileName string, fromFlag bool) (*config.Config, error) {
+	cfg := &config.Config{
+		Loaders: []config.Loader{
+			env.NewConfigLoader(ctx),
+			config.ConfigAttributes,
+			config.ConfigFile,
+		},
+	}
+	if fromFlag {
+		cfg.Profile = profileName
+	}
+	return cfg, cfg.EnsureResolved()
+}
+
+// isAccountLevelConfig returns true if the resolved config can target account-level APIs.
+// It uses auth.ResolveConfigType so SPOG / unified-host profiles, which the SDK's own
+// ConfigType() classifies as InvalidConfig, are still recognised as account-level.
+func isAccountLevelConfig(cfg *config.Config) bool {
+	return auth.ResolveConfigType(cfg) == config.AccountConfig
+}
+
+// checkAuth uses the resolved config to authenticate.
+// On success it returns the authenticated config for use in subsequent checks.
+func checkAuth(ctx context.Context, cfg *config.Config) (CheckResult, *config.Config) {
+	ctx, cancel := context.WithTimeout(ctx, checkTimeout)
+	defer cancel()
+
+	// Detect account-level configs and use the appropriate client constructor
+	// so that account profiles are not incorrectly reported as broken.
+	var authCfg *config.Config
+	if isAccountLevelConfig(cfg) {
+		a, err := databricks.NewAccountClient((*databricks.Config)(cfg))
+		if err != nil {
+			return fail("Authentication", "Cannot create account client", err), nil
+		}
+		authCfg = a.Config
+	} else {
+		w, err := databricks.NewWorkspaceClient((*databricks.Config)(cfg))
+		if err != nil {
+			return fail("Authentication", "Cannot create workspace client", err), nil
+		}
+		authCfg = w.Config
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, authCfg.Host, nil)
+	if err != nil {
+		return fail("Authentication", "Internal error", err), nil
+	}
+
+	if err := authCfg.Authenticate(req); err != nil {
+		return fail("Authentication", "Authentication failed", err), nil
+	}
+
+	msg := fmt.Sprintf("OK (%s)", authCfg.AuthType)
+	if isAccountLevelConfig(cfg) {
+		msg += " [account-level]"
+	}
+	return pass("Authentication", msg), authCfg
+}
+
+func checkIdentity(ctx context.Context, authCfg *config.Config) CheckResult {
+	ctx, cancel := context.WithTimeout(ctx, checkTimeout)
+	defer cancel()
+
+	if isAccountLevelConfig(authCfg) {
+		return checkAccountIdentity(ctx, authCfg)
+	}
+
+	w, err := databricks.NewWorkspaceClient((*databricks.Config)(authCfg))
+	if err != nil {
+		return fail("Identity", "Cannot create workspace client", err)
+	}
+
+	me, err := w.CurrentUser.Me(ctx)
+	if err != nil {
+		return fail("Identity", "Cannot fetch current user", err)
+	}
+
+	return pass("Identity", me.UserName)
+}
+
+// checkAccountIdentity issues a lightweight authenticated account API call so
+// account-level profiles get server-side credential validation instead of being
+// skipped (which would let invalid account PAT/OAuth report Authentication: OK).
+func checkAccountIdentity(ctx context.Context, authCfg *config.Config) CheckResult {
+	a, err := databricks.NewAccountClient((*databricks.Config)(authCfg))
+	if err != nil {
+		return fail("Identity", "Cannot create account client", err)
+	}
+
+	workspaces, err := a.Workspaces.List(ctx)
+	if err != nil {
+		return fail("Identity", "Cannot list account workspaces", err)
+	}
+
+	return pass("Identity", fmt.Sprintf("account %s (%d workspaces)", authCfg.AccountID, len(workspaces)))
+}
+
+func checkNetwork(ctx context.Context, cfg *config.Config, resolveErr error, authCfg *config.Config) CheckResult {
+	// Prefer the authenticated config (it has the fully resolved host).
+	if authCfg != nil {
+		return checkNetworkWithHost(ctx, authCfg.Host, configuredNetworkHTTPClient(authCfg))
+	}
+
+	// Auth failed or was skipped. If we still have a host from config resolution
+	// (even if resolution had other errors), attempt the network check.
+	if cfg != nil && cfg.Host != "" {
+		log.Warnf(ctx, "authenticated client unavailable for network check, using config-based HTTP client")
+		return checkNetworkWithHost(ctx, cfg.Host, configuredNetworkHTTPClient(cfg))
+	}
+
+	return fail("Network", "No host configured", resolveErr)
+}
+
+func checkNetworkWithHost(ctx context.Context, host string, client *http.Client) CheckResult {
+	ctx, cancel := context.WithTimeout(ctx, networkTimeout)
+	defer cancel()
+
+	if host == "" {
+		return fail("Network", "No host configured", nil)
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodHead, host, nil)
+	if err != nil {
+		return fail("Network", "Cannot create request for "+host, err)
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return fail("Network", "Cannot reach "+host, err)
+	}
+	defer resp.Body.Close()
+	_, _ = io.Copy(io.Discard, resp.Body)
+
+	return pass("Network", host+" is reachable")
+}
+
+func configuredNetworkHTTPClient(cfg *config.Config) *http.Client {
+	return &http.Client{
+		Transport: configuredNetworkHTTPTransport(cfg),
+	}
+}
+
+func configuredNetworkHTTPTransport(cfg *config.Config) http.RoundTripper {
+	if cfg.HTTPTransport != nil {
+		return cfg.HTTPTransport
+	}
+
+	if !cfg.InsecureSkipVerify {
+		return http.DefaultTransport
+	}
+
+	transport, ok := http.DefaultTransport.(*http.Transport)
+	if !ok {
+		return http.DefaultTransport
+	}
+
+	clone := transport.Clone()
+	if clone.TLSClientConfig != nil {
+		clone.TLSClientConfig = clone.TLSClientConfig.Clone()
+	} else {
+		clone.TLSClientConfig = &tls.Config{}
+	}
+	clone.TLSClientConfig.InsecureSkipVerify = true
+	return clone
+}
diff --git a/experimental/doctor/cmd/doctor.go b/experimental/doctor/cmd/doctor.go
new file mode 100644
index 00000000000..7f99990f492
--- /dev/null
+++ b/experimental/doctor/cmd/doctor.go
@@ -0,0 +1,127 @@
+package doctor
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+
+	"github.com/databricks/cli/cmd/root"
+	"github.com/databricks/cli/libs/cmdio"
+	"github.com/databricks/cli/libs/flags"
+	"github.com/spf13/cobra"
+)
+
+// status identifies a CheckResult's outcome. The string values are part of the
+// JSON wire contract emitted by --output json.
+type status string
+
+const (
+	statusPass status = "pass"
+	statusFail status = "fail"
+	statusWarn status = "warn"
+	statusInfo status = "info"
+	statusSkip status = "skip"
+)
+
+// CheckResult holds the outcome of a single diagnostic check.
+type CheckResult struct {
+	Name    string `json:"name,omitempty"`
+	Status  status `json:"status,omitempty"`
+	Message string `json:"message,omitempty"`
+	Detail  any    `json:"detail,omitempty"`
+}
+
+// DoctorReport is the top-level JSON output shape. Wrapping the results in an
+// object leaves room to add fields (summary, version, durationMs, ...) without
+// breaking callers that already parse the response.
+type DoctorReport struct {
+	Results []CheckResult `json:"results"`
+}
+
+// NewDoctorCmd returns the doctor command.
+func NewDoctorCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:           "doctor",
+		Args:          root.NoArgs,
+		Short:         "Validate your Databricks CLI setup",
+		Hidden:        true,
+		SilenceUsage:  true,
+		SilenceErrors: true,
+	}
+
+	cmd.RunE = func(cmd *cobra.Command, args []string) error {
+		profileName, fromFlag := profileFromCommand(cmd)
+		results := runChecks(cmd.Context(), profileName, fromFlag)
+
+		if err := render(cmd.Context(), cmd.OutOrStdout(), results, root.OutputType(cmd)); err != nil {
+			return err
+		}
+
+		if hasFailedChecks(results) {
+			return errors.New("one or more checks failed")
+		}
+		return nil
+	}
+
+	return cmd
+}
+
+func profileFromCommand(cmd *cobra.Command) (string, bool) {
+	f := cmd.Flag("profile")
+	if f == nil || !f.Changed {
+		return "", false
+	}
+	return f.Value.String(), true
+}
+
+func render(ctx context.Context, w io.Writer, results []CheckResult, outputType flags.Output) error {
+	switch outputType {
+	case flags.OutputJSON:
+		buf, err := json.MarshalIndent(DoctorReport{Results: results}, "", "  ")
+		if err != nil {
+			return err
+		}
+		buf = append(buf, '\n')
+		_, err = w.Write(buf)
+		return err
+	case flags.OutputText:
+		renderText(ctx, w, results)
+		return nil
+	default:
+		return fmt.Errorf("unknown output type %s", outputType)
+	}
+}
+
+func renderText(ctx context.Context, w io.Writer, results []CheckResult) {
+	for _, r := range results {
+		var icon string
+		switch r.Status {
+		case statusPass:
+			icon = cmdio.Green(ctx, "[ok]")
+		case statusFail:
+			icon = cmdio.Red(ctx, "[FAIL]")
+		case statusWarn:
+			icon = cmdio.Yellow(ctx, "[warn]")
+		case statusInfo:
+			icon = cmdio.Cyan(ctx, "[info]")
+		case statusSkip:
+			icon = cmdio.Yellow(ctx, "[skip]")
+		}
+		msg := fmt.Sprintf("%s %s: %s", icon, cmdio.Bold(ctx, r.Name), r.Message)
+		if r.Detail != nil {
+			msg += fmt.Sprintf(" (%v)", r.Detail)
+		}
+		fmt.Fprintln(w, msg)
+	}
+}
+
+func hasFailedChecks(results []CheckResult) bool {
+	for _, r := range results {
+		if r.Status == statusFail {
+			return true
+		}
+	}
+	return false
+}
diff --git a/experimental/doctor/cmd/doctor_test.go b/experimental/doctor/cmd/doctor_test.go
new file mode 100644
index 00000000000..3c3089d4bc4
--- /dev/null
+++ b/experimental/doctor/cmd/doctor_test.go
@@ -0,0 +1,599 @@
+package doctor
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"errors"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	"github.com/databricks/cli/libs/cmdio"
+	"github.com/databricks/cli/libs/databrickscfg/profile"
+	"github.com/databricks/cli/libs/env"
+	"github.com/databricks/cli/libs/flags"
+	"github.com/databricks/databricks-sdk-go/config"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+type mockProfiler struct {
+	profiles profile.Profiles
+	path     string
+	err      error
+}
+
+func (m *mockProfiler) LoadProfiles(_ context.Context, match profile.ProfileMatchFunction) (profile.Profiles, error) {
+	if m.err != nil {
+		return nil, m.err
+	}
+	var result profile.Profiles
+	for _, p := range m.profiles {
+		if match(p) {
+			result = append(result, p)
+		}
+	}
+	return result, nil
+}
+
+func (m *mockProfiler) GetPath(_ context.Context) (string, error) {
+	if m.err != nil {
+		return "", m.err
+	}
+	return m.path, nil
+}
+
+// noConfigProfiler returns a path but ErrNoConfiguration from LoadProfiles.
+type noConfigProfiler struct {
+	path string
+}
+
+func (m *noConfigProfiler) LoadProfiles(_ context.Context, _ profile.ProfileMatchFunction) (profile.Profiles, error) {
+	return nil, profile.ErrNoConfiguration
+}
+
+func (m *noConfigProfiler) GetPath(_ context.Context) (string, error) {
+	return m.path, nil
+}
+
+type roundTripFunc func(*http.Request) (*http.Response, error)
+
+func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) {
+	return f(r)
+}
+
+func clearConfigEnv(t *testing.T) {
+	t.Helper()
+	for _, attr := range config.ConfigAttributes {
+		for _, key := range attr.EnvVars {
+			t.Setenv(key, "")
+		}
+	}
+	t.Setenv(env.HomeEnvVar(), t.TempDir())
+}
+
+func TestCheckCLIVersion(t *testing.T) {
+	result := checkCLIVersion()
+	assert.Equal(t, "CLI Version", result.Name)
+	assert.Equal(t, statusInfo, result.Status)
+	assert.NotEmpty(t, result.Message)
+}
+
+func TestCheckConfigFile(t *testing.T) {
+	tests := []struct {
+		name       string
+		profiler   profile.Profiler
+		wantStatus status
+		wantMsg    string
+	}{
+		{
+			name: "pass with profiles",
+			profiler: &mockProfiler{
+				path: "/home/user/.databrickscfg",
+				profiles: profile.Profiles{
+					{Name: "default", Host: "https://example.com"},
+					{Name: "staging", Host: "https://staging.example.com"},
+				},
+			},
+			wantStatus: statusPass,
+			wantMsg:    "2 profiles",
+		},
+		{
+			name:       "warn when config file absent",
+			profiler:   &noConfigProfiler{path: "/home/user/.databrickscfg"},
+			wantStatus: statusWarn,
+			wantMsg:    "environment variables",
+		},
+		{
+			name:       "fail when profiler errors",
+			profiler:   &mockProfiler{path: "/home/user/.databrickscfg", err: errors.New("boom")},
+			wantStatus: statusFail,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx := cmdio.MockDiscard(t.Context())
+			result := checkConfigFile(ctx, tt.profiler)
+			assert.Equal(t, "Config File", result.Name)
+			assert.Equal(t, tt.wantStatus, result.Status)
+			if tt.wantMsg != "" {
+				assert.Contains(t, result.Message, tt.wantMsg)
+			}
+		})
+	}
+}
+
+func TestCheckCurrentProfile(t *testing.T) {
+	tests := []struct {
+		name     string
+		profile  string
+		fromFlag bool
+		envValue string
+		cfg      *config.Config
+		wantMsg  string
+	}{
+		{
+			name:    "default",
+			wantMsg: "none (using environment or defaults)",
+		},
+		{
+			name:     "from flag",
+			profile:  "staging",
+			fromFlag: true,
+			wantMsg:  "staging",
+		},
+		{
+			name:     "from env",
+			envValue: "from-env",
+			wantMsg:  "from-env (from DATABRICKS_CONFIG_PROFILE)",
+		},
+		{
+			name:     "flag overrides env",
+			profile:  "from-flag",
+			fromFlag: true,
+			envValue: "from-env",
+			wantMsg:  "from-flag",
+		},
+		{
+			name:    "resolved from config",
+			cfg:     &config.Config{Profile: "default"},
+			wantMsg: "default (resolved from config file)",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			clearConfigEnv(t)
+			ctx := cmdio.MockDiscard(t.Context())
+			if tt.envValue != "" {
+				ctx = env.Set(ctx, "DATABRICKS_CONFIG_PROFILE", tt.envValue)
+			}
+			result := checkCurrentProfile(ctx, tt.profile, tt.fromFlag, tt.cfg)
+			assert.Equal(t, "Current Profile", result.Name)
+			assert.Equal(t, statusInfo, result.Status)
+			assert.Equal(t, tt.wantMsg, result.Message)
+		})
+	}
+}
+
+func TestCheckAuth(t *testing.T) {
+	okServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer okServer.Close()
+
+	tests := []struct {
+		name        string
+		env         map[string]string
+		wantStatus  status
+		wantMsgPart string
+		wantAuthCfg bool
+	}{
+		{
+			name: "pass with PAT",
+			env: map[string]string{
+				"DATABRICKS_HOST":  okServer.URL,
+				"DATABRICKS_TOKEN": "test-token",
+			},
+			wantStatus:  statusPass,
+			wantMsgPart: "OK",
+			wantAuthCfg: true,
+		},
+		{
+			name: "account level",
+			env: map[string]string{
+				"DATABRICKS_HOST":       "https://accounts.cloud.databricks.com",
+				"DATABRICKS_ACCOUNT_ID": "test-account-123",
+				"DATABRICKS_TOKEN":      "test-token",
+			},
+			wantStatus:  statusPass,
+			wantMsgPart: "account-level",
+			wantAuthCfg: true,
+		},
+		{
+			name:       "fail without credentials",
+			wantStatus: statusFail,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			clearConfigEnv(t)
+			for k, v := range tt.env {
+				t.Setenv(k, v)
+			}
+
+			ctx := cmdio.MockDiscard(t.Context())
+			cfg, err := resolveConfig(ctx, "", false)
+			require.NoError(t, err)
+			result, authCfg := checkAuth(ctx, cfg)
+
+			assert.Equal(t, "Authentication", result.Name)
+			assert.Equal(t, tt.wantStatus, result.Status)
+			if tt.wantMsgPart != "" {
+				assert.Contains(t, result.Message, tt.wantMsgPart)
+			}
+			if tt.wantAuthCfg {
+				assert.NotNil(t, authCfg)
+			} else {
+				assert.Nil(t, authCfg)
+			}
+		})
+	}
+}
+
+func TestResolveConfig(t *testing.T) {
+	tests := []struct {
+		name     string
+		env      map[string]string
+		ctxEnv   map[string]string
+		wantHost string
+		wantTok  string
+	}{
+		{
+			name: "process env vars",
+			env: map[string]string{
+				"DATABRICKS_HOST":  "https://env.example.com",
+				"DATABRICKS_TOKEN": "env-token",
+			},
+			wantHost: "https://env.example.com",
+			wantTok:  "env-token",
+		},
+		{
+			name: "context-backed env vars",
+			ctxEnv: map[string]string{
+				"DATABRICKS_HOST":  "https://ctx-env.example.com",
+				"DATABRICKS_TOKEN": "ctx-token",
+			},
+			wantHost: "https://ctx-env.example.com",
+			wantTok:  "ctx-token",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			clearConfigEnv(t)
+			for k, v := range tt.env {
+				t.Setenv(k, v)
+			}
+			ctx := cmdio.MockDiscard(t.Context())
+			for k, v := range tt.ctxEnv {
+				ctx = env.Set(ctx, k, v) //nolint:fatcontext // accumulating test env vars onto context
+			}
+
+			cfg, err := resolveConfig(ctx, "", false)
+			require.NoError(t, err)
+			assert.Equal(t, tt.wantHost, cfg.Host)
+			assert.Equal(t, tt.wantTok, cfg.Token)
+		})
+	}
+}
+
+func TestCheckIdentity(t *testing.T) {
+	workspaceOK := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if strings.HasSuffix(r.URL.Path, "/scim/v2/Me") {
+			w.Header().Set("Content-Type", "application/json")
+			_, _ = w.Write([]byte(`{"userName": "test@example.com"}`))
+			return
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer workspaceOK.Close()
+
+	accountOK := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if strings.Contains(r.URL.Path, "/accounts/") && strings.HasSuffix(r.URL.Path, "/workspaces") {
+			w.Header().Set("Content-Type", "application/json")
+			_, _ = w.Write([]byte(`[{"workspace_id": 1}, {"workspace_id": 2}]`))
+			return
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer accountOK.Close()
+
+	unauthorized := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusUnauthorized)
+	}))
+	defer unauthorized.Close()
+
+	tests := []struct {
+		name       string
+		cfg        *config.Config
+		wantStatus status
+		wantMsg    string
+	}{
+		{
+			name:       "workspace success",
+			cfg:        &config.Config{Host: workspaceOK.URL, Token: "test-token"},
+			wantStatus: statusPass,
+			wantMsg:    "test@example.com",
+		},
+		{
+			name:       "workspace failure",
+			cfg:        &config.Config{Host: unauthorized.URL, Token: "bad-token"},
+			wantStatus: statusFail,
+		},
+		{
+			name: "account success (unified host)",
+			cfg: &config.Config{
+				Host:         accountOK.URL,
+				AccountID:    "test-account-123",
+				Token:        "test-token",
+				DiscoveryURL: "https://spog.databricks.test/oidc/accounts/test-account-123/.well-known/oauth-authorization-server",
+			},
+			wantStatus: statusPass,
+			wantMsg:    "account test-account-123 (2 workspaces)",
+		},
+		{
+			name: "account failure (unified host)",
+			cfg: &config.Config{
+				Host:         unauthorized.URL,
+				AccountID:    "test-account-123",
+				Token:        "bad-token",
+				DiscoveryURL: "https://spog.databricks.test/oidc/accounts/test-account-123/.well-known/oauth-authorization-server",
+			},
+			wantStatus: statusFail,
+			wantMsg:    "Cannot list account workspaces",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			ctx := cmdio.MockDiscard(t.Context())
+			result := checkIdentity(ctx, tt.cfg)
+			assert.Equal(t, "Identity", result.Name)
+			assert.Equal(t, tt.wantStatus, result.Status)
+			if tt.wantMsg != "" {
+				assert.Contains(t, result.Message, tt.wantMsg)
+			}
+		})
+	}
+}
+
+func TestIsAccountLevelConfig(t *testing.T) {
+	tests := []struct {
+		name string
+		cfg  *config.Config
+		want bool
+	}{
+		{
+			name: "classic account host",
+			cfg: &config.Config{
+				Host:      "https://accounts.cloud.databricks.com",
+				AccountID: "test-account-123",
+			},
+			want: true,
+		},
+		{
+			name: "unified host with account ID",
+			cfg: &config.Config{
+				Host:         "https://myhost.databricks.test",
+				AccountID:    "test-account-123",
+				DiscoveryURL: "https://myhost.databricks.test/oidc/accounts/test-account-123/.well-known/oauth-authorization-server",
+			},
+			want: true,
+		},
+		{
+			name: "unified host with account and workspace ID is workspace-level",
+			cfg: &config.Config{
+				Host:         "https://myhost.databricks.test",
+				AccountID:    "test-account-123",
+				WorkspaceID:  "12345",
+				DiscoveryURL: "https://myhost.databricks.test/oidc/accounts/test-account-123/.well-known/oauth-authorization-server",
+			},
+			want: false,
+		},
+		{
+			name: "unified host without account ID is workspace",
+			cfg: &config.Config{
+				Host:         "https://myhost.databricks.test",
+				DiscoveryURL: "https://myhost.databricks.test/oidc/accounts/test-account-123/.well-known/oauth-authorization-server",
+			},
+			want: false,
+		},
+		{
+			name: "workspace host",
+			cfg:  &config.Config{Host: "https://myhost.databricks.com"},
+			want: false,
+		},
+		{
+			name: "no host",
+			cfg:  &config.Config{AccountID: "test-account-123"},
+			want: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.want, isAccountLevelConfig(tt.cfg))
+		})
+	}
+}
+
+func TestCheckNetwork(t *testing.T) {
+	okServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer okServer.Close()
+
+	t.Run("reachable via explicit host", func(t *testing.T) {
+		ctx := cmdio.MockDiscard(t.Context())
+		result := checkNetworkWithHost(ctx, okServer.URL, http.DefaultClient)
+		assert.Equal(t, statusPass, result.Status)
+		assert.Contains(t, result.Message, "reachable")
+	})
+
+	t.Run("no host fails", func(t *testing.T) {
+		ctx := cmdio.MockDiscard(t.Context())
+		result := checkNetworkWithHost(ctx, "", http.DefaultClient)
+		assert.Equal(t, statusFail, result.Status)
+		assert.Contains(t, result.Message, "No host configured")
+	})
+
+	t.Run("uses auth config transport", func(t *testing.T) {
+		cfg := &config.Config{
+			Host: "https://example.com",
+			HTTPTransport: roundTripFunc(func(r *http.Request) (*http.Response, error) {
+				assert.Equal(t, http.MethodHead, r.Method)
+				assert.Equal(t, "https://example.com", r.URL.String())
+				return &http.Response{StatusCode: http.StatusOK, Body: http.NoBody, Header: http.Header{}, Request: r}, nil
+			}),
+		}
+		ctx := cmdio.MockDiscard(t.Context())
+		result := checkNetwork(ctx, cfg, nil, cfg)
+		assert.Equal(t, statusPass, result.Status)
+	})
+
+	t.Run("fallback uses config transport", func(t *testing.T) {
+		called := false
+		cfg := &config.Config{
+			Host: "https://example.com",
+			HTTPTransport: roundTripFunc(func(r *http.Request) (*http.Response, error) {
+				called = true
+				return &http.Response{StatusCode: http.StatusOK, Body: http.NoBody, Header: http.Header{}, Request: r}, nil
+			}),
+		}
+		ctx := cmdio.MockDiscard(t.Context())
+		result := checkNetwork(ctx, cfg, nil, nil)
+		assert.True(t, called)
+		assert.Equal(t, statusPass, result.Status)
+	})
+
+	t.Run("resolution failure without host", func(t *testing.T) {
+		clearConfigEnv(t)
+		configFile := filepath.Join(t.TempDir(), ".databrickscfg")
+		require.NoError(t, os.WriteFile(configFile, []byte("[DEFAULT]\nhost = https://example.com\n"), 0o600))
+		t.Setenv("DATABRICKS_CONFIG_FILE", configFile)
+		t.Setenv("DATABRICKS_CONFIG_PROFILE", "missing")
+
+		ctx := cmdio.MockDiscard(t.Context())
+		cfg, resolveErr := resolveConfig(ctx, "", false)
+		require.Error(t, resolveErr)
+
+		result := checkNetwork(ctx, cfg, resolveErr, nil)
+		assert.Equal(t, statusFail, result.Status)
+		assert.Equal(t, "No host configured", result.Message)
+	})
+
+	t.Run("resolution failure with host still checks", func(t *testing.T) {
+		cfg := &config.Config{Host: okServer.URL}
+		ctx := cmdio.MockDiscard(t.Context())
+		result := checkNetwork(ctx, cfg, errors.New("validate: missing credentials"), nil)
+		assert.Equal(t, statusPass, result.Status)
+		assert.Contains(t, result.Message, "reachable")
+	})
+}
+
+func TestRender(t *testing.T) {
+	results := []CheckResult{
+		{Name: "Test", Status: statusPass, Message: "all good"},
+		{Name: "Broken", Status: statusFail, Message: "oops", Detail: "details here"},
+		{Name: "Version", Status: statusInfo, Message: "1.0.0"},
+		{Name: "Config", Status: statusWarn, Message: "not found"},
+	}
+
+	t.Run("text", func(t *testing.T) {
+		var buf bytes.Buffer
+		require.NoError(t, render(t.Context(), &buf, results, flags.OutputText))
+		out := buf.String()
+		assert.Contains(t, out, "Test")
+		assert.Contains(t, out, "all good")
+		assert.Contains(t, out, "oops")
+		assert.Contains(t, out, "details here")
+	})
+
+	t.Run("json round-trips and ends with newline", func(t *testing.T) {
+		var buf bytes.Buffer
+		require.NoError(t, render(t.Context(), &buf, results, flags.OutputJSON))
+		assert.Equal(t, byte('\n'), buf.Bytes()[buf.Len()-1])
+
+		var parsed DoctorReport
+		require.NoError(t, json.Unmarshal(buf.Bytes(), &parsed))
+		assert.Len(t, parsed.Results, 4)
+		assert.Equal(t, "Test", parsed.Results[0].Name)
+		assert.Equal(t, "details here", parsed.Results[1].Detail)
+	})
+
+	t.Run("json omits empty detail", func(t *testing.T) {
+		var buf bytes.Buffer
+		require.NoError(t, render(t.Context(), &buf, []CheckResult{{Name: "Test", Status: statusPass, Message: "ok"}}, flags.OutputJSON))
+		assert.NotContains(t, buf.String(), "detail")
+	})
+}
+
+func TestHasFailedChecks(t *testing.T) {
+	tests := []struct {
+		name    string
+		results []CheckResult
+		want    bool
+	}{
+		{
+			name: "no failures",
+			results: []CheckResult{
+				{Status: statusPass}, {Status: statusInfo}, {Status: statusWarn}, {Status: statusSkip},
+			},
+			want: false,
+		},
+		{
+			name:    "has failure",
+			results: []CheckResult{{Status: statusPass}, {Status: statusFail}},
+			want:    true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.want, hasFailedChecks(tt.results))
+		})
+	}
+}
+
+func TestNewCommandJSON(t *testing.T) {
+	clearConfigEnv(t)
+
+	ctx := cmdio.MockDiscard(t.Context())
+
+	cmd := NewDoctorCmd()
+	cmd.SetContext(ctx)
+
+	outputFlag := flags.OutputText
+	cmd.PersistentFlags().VarP(&outputFlag, "output", "o", "output type: text or json")
+
+	var buf bytes.Buffer
+	cmd.SetOut(&buf)
+	cmd.SetArgs([]string{"--output", "json"})
+
+	err := cmd.Execute()
+	require.ErrorContains(t, err, "one or more checks failed")
+	assert.Equal(t, byte('\n'), buf.Bytes()[buf.Len()-1])
+
+	var report DoctorReport
+	require.NoError(t, json.Unmarshal(buf.Bytes(), &report))
+	assert.GreaterOrEqual(t, len(report.Results), 4)
+	assert.Equal(t, "CLI Version", report.Results[0].Name)
+	assert.Equal(t, statusInfo, report.Results[0].Status)
+}
diff --git a/experimental/doctor/cmd/extended.go b/experimental/doctor/cmd/extended.go
new file mode 100644
index 00000000000..0774165bc07
--- /dev/null
+++ b/experimental/doctor/cmd/extended.go
@@ -0,0 +1,215 @@
+package doctor
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"os/exec"
+	"strings"
+	"time"
+
+	"github.com/databricks/cli/internal/build"
+	"github.com/databricks/cli/libs/env"
+)
+
+const (
+	updateCheckURL     = "https://api.github.com/repos/databricks/cli/releases/latest"
+	updateCheckTimeout = 3 * time.Second
+)
+
+type execFunc func(ctx context.Context, name string, args ...string) (string, error)
+
+func realExec(ctx context.Context, name string, args ...string) (string, error) {
+	out, err := exec.CommandContext(ctx, name, args...).CombinedOutput()
+	return string(out), err
+}
+
+// checkToolchain reports the versions of external tools the CLI commonly shells out to.
+// Missing tools are reported inline but do not fail the check, since none are strictly required.
+func checkToolchain(ctx context.Context, run execFunc) CheckResult {
+	tools := []struct {
+		name string
+		cmd  string
+		arg  string
+	}{
+		{"git", "git", "--version"},
+		{"python", "python3", "--version"},
+		{"uv", "uv", "--version"},
+		{"terraform", "terraform", "-version"},
+	}
+
+	parts := make([]string, 0, len(tools))
+	for _, t := range tools {
+		out, err := run(ctx, t.cmd, t.arg)
+		if err != nil {
+			parts = append(parts, t.name+" "+toolchainErrorLabel(err))
+			continue
+		}
+		parts = append(parts, t.name+" "+firstLineVersion(out))
+	}
+	return info("Toolchain", strings.Join(parts, ", "))
+}
+
+// toolchainErrorLabel distinguishes a missing binary from one that ran but failed,
+// so users can tell "install this tool" apart from "this tool is broken".
+func toolchainErrorLabel(err error) string {
+	if errors.Is(err, exec.ErrNotFound) {
+		return "not found"
+	}
+	var exitErr *exec.ExitError
+	if errors.As(err, &exitErr) {
+		return fmt.Sprintf("exited %d", exitErr.ExitCode())
+	}
+	return "error: " + err.Error()
+}
+
+// firstLineVersion returns a short version string from a tool's --version output.
+// It takes the first non-empty line and strips common program-name prefixes
+// (e.g. "git version 2.42.0" -> "2.42.0", "Terraform v1.5.0" -> "v1.5.0").
+func firstLineVersion(out string) string {
+	line := strings.TrimSpace(strings.SplitN(out, "\n", 2)[0])
+	fields := strings.Fields(line)
+	for i, f := range fields {
+		if looksLikeVersion(f) {
+			return strings.Join(fields[i:], " ")
+		}
+	}
+	return line
+}
+
+func looksLikeVersion(tok string) bool {
+	if len(tok) == 0 {
+		return false
+	}
+	c := tok[0]
+	if c >= '0' && c <= '9' {
+		return true
+	}
+	// Accept a leading "v" only when followed by a digit (e.g. v1.5.0).
+	if c == 'v' && len(tok) >= 2 && tok[1] >= '0' && tok[1] <= '9' {
+		return true
+	}
+	return false
+}
+
+// proxyEnvVars lists the environment variables that influence HTTP/TLS behavior.
+// Both upper- and lower-case forms are checked since Go's http.ProxyFromEnvironment
+// honors both.
+var proxyEnvVars = []string{
+	"HTTPS_PROXY", "https_proxy",
+	"HTTP_PROXY", "http_proxy",
+	"NO_PROXY", "no_proxy",
+	"SSL_CERT_FILE",
+	"REQUESTS_CA_BUNDLE",
+	"CURL_CA_BUNDLE",
+}
+
+// checkProxy reports proxy/TLS-related environment variables that affect the CLI's
+// network stack. These are a common source of enterprise connectivity issues.
+func checkProxy(ctx context.Context) CheckResult {
+	var seen []string
+	reported := map[string]bool{}
+	for _, key := range proxyEnvVars {
+		v := env.Get(ctx, key)
+		if v == "" {
+			continue
+		}
+		canonical := strings.ToUpper(key)
+		if reported[canonical] {
+			continue
+		}
+		reported[canonical] = true
+		seen = append(seen, canonical+"="+maskProxyValue(v))
+	}
+	if len(seen) == 0 {
+		return info("Proxy/TLS", "no proxy or TLS overrides configured")
+	}
+	return info("Proxy/TLS", strings.Join(seen, ", "))
+}
+
+// maskProxyValue hides credentials in proxy URLs. Any userinfo (user:pass@host,
+// token@host, or just user@host) is replaced with "***" since even a bare
+// username can be a secret (e.g. http://TOKEN@proxy).
+// net/url would percent-encode "***", so the replacement is done via string rewrite
+// on the exact userinfo segment.
+func maskProxyValue(v string) string {
+	u, err := url.Parse(v)
+	if err != nil || u.User == nil {
+		return v
+	}
+	userinfo := u.User.String()
+	if userinfo == "" {
+		return v
+	}
+	return strings.Replace(v, userinfo, "***", 1)
+}
+
+// checkUpdates fetches the latest CLI release and compares it to the current build.
+// Development builds are reported as info; older builds produce a warn status.
+func checkUpdates(ctx context.Context, client *http.Client, releaseURL string) CheckResult {
+	return checkUpdatesWithVersion(ctx, client, releaseURL, build.GetInfo().Version)
+}
+
+// checkUpdatesWithVersion is the testable core of checkUpdates, parameterized on the current version.
+func checkUpdatesWithVersion(ctx context.Context, client *http.Client, releaseURL, current string) CheckResult {
+	if isDevBuild(current) {
+		return info("Updates", "development build ("+current+")")
+	}
+
+	ctx, cancel := context.WithTimeout(ctx, updateCheckTimeout)
+	defer cancel()
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, releaseURL, nil)
+	if err != nil {
+		return warn("Updates", "cannot check for updates: "+err.Error())
+	}
+	req.Header.Set("Accept", "application/vnd.github+json")
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return warn("Updates", "cannot reach "+releaseURL)
+	}
+	defer resp.Body.Close()
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return warn("Updates", "cannot read release response: "+err.Error())
+	}
+	if resp.StatusCode != http.StatusOK {
+		return warn("Updates", fmt.Sprintf("release lookup returned HTTP %d", resp.StatusCode))
+	}
+
+	var release struct {
+		TagName string `json:"tag_name"`
+	}
+	if err := json.Unmarshal(body, &release); err != nil {
+		return warn("Updates", "cannot parse release response: "+err.Error())
+	}
+
+	latest := strings.TrimPrefix(release.TagName, "v")
+	if latest == "" {
+		return warn("Updates", "empty release tag")
+	}
+	if latest == current {
+		return pass("Updates", "up to date ("+current+")")
+	}
+	return warn("Updates", fmt.Sprintf("newer version available: %s (current %s)", latest, current))
+}
+
+// isDevBuild reports whether the running binary is a local/dev build.
+// The build.GetInfo version for dev builds is "0.0.0-dev+<sha>".
+func isDevBuild(version string) bool {
+	return version == "" || strings.HasPrefix(version, "0.0.0-dev")
+}
+
+// checkLogFile surfaces where CLI logs are being written, so users can find them for support.
+func checkLogFile(ctx context.Context) CheckResult {
+	path := env.Get(ctx, "DATABRICKS_LOG_FILE")
+	if path == "" {
+		return info("Log File", "not configured (set DATABRICKS_LOG_FILE or pass --log-file to enable)")
+	}
+	return info("Log File", path)
+}
diff --git a/experimental/doctor/cmd/extended_test.go b/experimental/doctor/cmd/extended_test.go
new file mode 100644
index 00000000000..fd7bd150994
--- /dev/null
+++ b/experimental/doctor/cmd/extended_test.go
@@ -0,0 +1,279 @@
+package doctor
+
+import (
+	"context"
+	"errors"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"os/exec"
+	"strings"
+	"testing"
+
+	"github.com/databricks/cli/libs/cmdio"
+	"github.com/databricks/cli/libs/env"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestFirstLineVersion(t *testing.T) {
+	tests := []struct {
+		in, want string
+	}{
+		{"git version 2.42.0\n", "2.42.0"},
+		{"Python 3.11.5", "3.11.5"},
+		{"uv 0.1.0 (unknown)", "0.1.0 (unknown)"},
+		{"Terraform v1.5.0\non darwin", "v1.5.0"},
+		{"", ""},
+		{"weirdtool", "weirdtool"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.in, func(t *testing.T) {
+			assert.Equal(t, tt.want, firstLineVersion(tt.in))
+		})
+	}
+}
+
+func TestCheckToolchain(t *testing.T) {
+	mockExec := func(versions map[string]string) execFunc {
+		return func(_ context.Context, name string, _ ...string) (string, error) {
+			v, ok := versions[name]
+			if !ok {
+				// Wrap in the same error that os/exec returns for a missing binary.
+				return "", &exec.Error{Name: name, Err: exec.ErrNotFound}
+			}
+			return v, nil
+		}
+	}
+
+	t.Run("all tools present", func(t *testing.T) {
+		run := mockExec(map[string]string{
+			"git":       "git version 2.42.0",
+			"python3":   "Python 3.11.5",
+			"uv":        "uv 0.1.0",
+			"terraform": "Terraform v1.5.0",
+		})
+		result := checkToolchain(t.Context(), run)
+		assert.Equal(t, statusInfo, result.Status)
+		assert.Contains(t, result.Message, "git 2.42.0")
+		assert.Contains(t, result.Message, "python 3.11.5")
+		assert.Contains(t, result.Message, "terraform v1.5.0")
+	})
+
+	t.Run("missing tools reported as not found", func(t *testing.T) {
+		run := mockExec(map[string]string{"git": "git version 2.42.0"})
+		result := checkToolchain(t.Context(), run)
+		assert.Equal(t, statusInfo, result.Status)
+		assert.Contains(t, result.Message, "git 2.42.0")
+		assert.Contains(t, result.Message, "terraform not found")
+		assert.Contains(t, result.Message, "python not found")
+	})
+
+	t.Run("non-not-found errors are surfaced verbatim", func(t *testing.T) {
+		run := func(_ context.Context, name string, _ ...string) (string, error) {
+			if name == "git" {
+				return "", errors.New("permission denied")
+			}
+			return "", &exec.Error{Name: name, Err: exec.ErrNotFound}
+		}
+		result := checkToolchain(t.Context(), run)
+		assert.Contains(t, result.Message, "git error: permission denied")
+		assert.Contains(t, result.Message, "python not found")
+	})
+}
+
+func TestToolchainErrorLabel(t *testing.T) {
+	tests := []struct {
+		name string
+		err  error
+		want string
+	}{
+		{"not found", &exec.Error{Name: "foo", Err: exec.ErrNotFound}, "not found"},
+		{"other error", errors.New("permission denied"), "error: permission denied"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			assert.Equal(t, tt.want, toolchainErrorLabel(tt.err))
+		})
+	}
+}
+
+func TestCheckProxy(t *testing.T) {
+	t.Run("none configured", func(t *testing.T) {
+		clearConfigEnv(t)
+		for _, v := range proxyEnvVars {
+			t.Setenv(v, "")
+		}
+		ctx := cmdio.MockDiscard(t.Context())
+		result := checkProxy(ctx)
+		assert.Equal(t, statusInfo, result.Status)
+		assert.Contains(t, result.Message, "no proxy")
+	})
+
+	t.Run("reports set env vars", func(t *testing.T) {
+		for _, v := range proxyEnvVars {
+			t.Setenv(v, "")
+		}
+		ctx := cmdio.MockDiscard(t.Context())
+		ctx = env.Set(ctx, "HTTPS_PROXY", "http://proxy.example.com:8080")
+		ctx = env.Set(ctx, "NO_PROXY", "localhost,127.0.0.1")
+
+		result := checkProxy(ctx)
+		assert.Equal(t, statusInfo, result.Status)
+		assert.Contains(t, result.Message, "HTTPS_PROXY=http://proxy.example.com:8080")
+		assert.Contains(t, result.Message, "NO_PROXY=localhost,127.0.0.1")
+	})
+
+	t.Run("masks credentials in proxy URL", func(t *testing.T) {
+		for _, v := range proxyEnvVars {
+			t.Setenv(v, "")
+		}
+		ctx := cmdio.MockDiscard(t.Context())
+		ctx = env.Set(ctx, "HTTPS_PROXY", "http://user:secret@proxy.example.com:8080")
+		result := checkProxy(ctx)
+		assert.Contains(t, result.Message, "***@proxy.example.com")
+		assert.NotContains(t, result.Message, "secret")
+		assert.NotContains(t, result.Message, "user")
+	})
+
+	t.Run("masks token-only userinfo", func(t *testing.T) {
+		for _, v := range proxyEnvVars {
+			t.Setenv(v, "")
+		}
+		ctx := cmdio.MockDiscard(t.Context())
+		ctx = env.Set(ctx, "HTTPS_PROXY", "http://glpat-SECRETTOKEN@proxy.example.com:8080")
+		result := checkProxy(ctx)
+		assert.Contains(t, result.Message, "***@proxy.example.com")
+		assert.NotContains(t, result.Message, "glpat-SECRETTOKEN")
+	})
+
+	t.Run("deduplicates upper and lower case variants", func(t *testing.T) {
+		for _, v := range proxyEnvVars {
+			t.Setenv(v, "")
+		}
+		ctx := cmdio.MockDiscard(t.Context())
+		ctx = env.Set(ctx, "HTTPS_PROXY", "http://a.example.com")
+		ctx = env.Set(ctx, "https_proxy", "http://b.example.com")
+
+		result := checkProxy(ctx)
+		assert.Equal(t, 1, strings.Count(result.Message, "HTTPS_PROXY="))
+	})
+}
+
+func TestMaskProxyValue(t *testing.T) {
+	tests := []struct {
+		in, want string
+	}{
+		{"http://proxy.example.com:8080", "http://proxy.example.com:8080"},
+		{"http://user:secret@proxy.example.com:8080", "http://***@proxy.example.com:8080"},
+		{"http://tokenonly@proxy.example.com:8080", "http://***@proxy.example.com:8080"},
+		{"not a url", "not a url"},
+		{"localhost,127.0.0.1", "localhost,127.0.0.1"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.in, func(t *testing.T) {
+			assert.Equal(t, tt.want, maskProxyValue(tt.in))
+		})
+	}
+}
+
+func TestCheckUpdates(t *testing.T) {
+	t.Run("dev build", func(t *testing.T) {
+		// current version is "0.0.0-dev+<sha>" in tests
+		result := checkUpdates(t.Context(), http.DefaultClient, "http://unused")
+		assert.Equal(t, statusInfo, result.Status)
+		assert.Contains(t, result.Message, "development build")
+	})
+
+	t.Run("up to date", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			_, _ = io.WriteString(w, `{"tag_name": "v1.0.0"}`)
+		}))
+		defer srv.Close()
+
+		result := checkUpdatesWithVersion(t.Context(), http.DefaultClient, srv.URL, "1.0.0")
+		assert.Equal(t, statusPass, result.Status)
+		assert.Contains(t, result.Message, "up to date")
+	})
+
+	t.Run("newer available", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			_, _ = io.WriteString(w, `{"tag_name": "v1.2.3"}`)
+		}))
+		defer srv.Close()
+
+		result := checkUpdatesWithVersion(t.Context(), http.DefaultClient, srv.URL, "1.0.0")
+		assert.Equal(t, statusWarn, result.Status)
+		assert.Contains(t, result.Message, "1.2.3")
+		assert.Contains(t, result.Message, "1.0.0")
+	})
+
+	t.Run("network failure warns", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusInternalServerError)
+		}))
+		defer srv.Close()
+
+		result := checkUpdatesWithVersion(t.Context(), http.DefaultClient, srv.URL, "1.0.0")
+		assert.Equal(t, statusWarn, result.Status)
+		assert.Contains(t, result.Message, "HTTP 500")
+	})
+
+	t.Run("malformed response warns", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			_, _ = io.WriteString(w, `not-json`)
+		}))
+		defer srv.Close()
+
+		result := checkUpdatesWithVersion(t.Context(), http.DefaultClient, srv.URL, "1.0.0")
+		assert.Equal(t, statusWarn, result.Status)
+	})
+}
+
+func TestCheckLogFile(t *testing.T) {
+	t.Run("not configured", func(t *testing.T) {
+		t.Setenv("DATABRICKS_LOG_FILE", "")
+		ctx := cmdio.MockDiscard(t.Context())
+		result := checkLogFile(ctx)
+		assert.Equal(t, statusInfo, result.Status)
+		assert.Contains(t, result.Message, "not configured")
+	})
+
+	t.Run("configured path", func(t *testing.T) {
+		t.Setenv("DATABRICKS_LOG_FILE", "")
+		ctx := cmdio.MockDiscard(t.Context())
+		ctx = env.Set(ctx, "DATABRICKS_LOG_FILE", "/var/log/databricks.log")
+		result := checkLogFile(ctx)
+		assert.Equal(t, statusInfo, result.Status)
+		assert.Equal(t, "/var/log/databricks.log", result.Message)
+	})
+}
+
+// Extra sanity: the full command includes all new checks.
+func TestRunChecksIncludesExtended(t *testing.T) {
+	clearConfigEnv(t)
+	ctx := cmdio.MockDiscard(t.Context())
+	results := runChecks(ctx, "", false)
+
+	names := map[string]bool{}
+	for _, r := range results {
+		names[r.Name] = true
+	}
+	for _, want := range []string{"CLI Version", "Updates", "Toolchain", "Proxy/TLS", "Log File", "Config File", "Current Profile", "Authentication", "Identity", "Network"} {
+		assert.True(t, names[want], "expected check %q in results", want)
+	}
+}
+
+// require the test server to return JSON (sanity).
+func TestUpdatesServerShape(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		_, _ = io.WriteString(w, `{"tag_name": "v0.1.0"}`)
+	}))
+	defer srv.Close()
+
+	resp, err := http.Get(srv.URL)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+	body, _ := io.ReadAll(resp.Body)
+	assert.Contains(t, string(body), "tag_name")
+}
diff --git a/libs/cmdio/color.go b/libs/cmdio/color.go
index ffece82e47e..850a3bc4b68 100644
--- a/libs/cmdio/color.go
+++ b/libs/cmdio/color.go
@@ -44,6 +44,9 @@ func render(ctx context.Context, code, msg string) string {
 	return code + msg + ansiReset
 }
 
+// Bold renders msg in bold.
+func Bold(ctx context.Context, msg string) string { return render(ctx, ansiBold, msg) }
+
 // Red renders msg in red.
 func Red(ctx context.Context, msg string) string { return render(ctx, ansiRed, msg) }
 
diff --git a/libs/env/loader.go b/libs/env/loader.go
index 74c54cee8fa..89b6bdddc9c 100644
--- a/libs/env/loader.go
+++ b/libs/env/loader.go
@@ -43,7 +43,7 @@ func (le *configLoader) Configure(cfg *config.Config) error {
 			if v == "" {
 				continue
 			}
-			if err := a.Set(cfg, v); err != nil {
+			if err := a.SetS(cfg, v); err != nil {
 				return err
 			}
 		}