@0dai-dev/cli 4.2.0 → 4.3.4

package/README.md

@@ -1,6 +1,6 @@
 # 0dai
 
-One config layer for 5 AI agent CLIs — Claude Code, Codex, OpenCode, Gemini, Aider.
+One config layer for <!-- canonical-count:agent_clis_total -->6<!-- /canonical-count --> AI agent CLIs — Claude Code, Codex, OpenCode, Gemini, Aider, Qoder.
 
 ## Install
 
@@ -12,18 +12,21 @@ npm install -g @0dai-dev/cli
 
 ```bash
 cd your-project
-0dai auth login
-0dai activate free
-0dai init       # detect stack, generate ai/ layer + native configs
+0dai init       # guides OAuth/device auth + activation, then generates ai/ layer
+0dai init --auth-code <browser-code> --code <TEAM-CODE>
+0dai auth login # sign in separately when needed
+0dai activate code <TEAM-CODE>
 0dai sync       # update after changes
 0dai detect     # show detected stack
 0dai doctor     # check health
 0dai status     # maturity, swarm tasks, session
+0dai feedback retry # retry queued feedback after an API failure
+0dai persona-simulate "topic"  # run synthetic focus-group simulation
 ```
 
 ## What it does
 
-`0dai init` and `0dai sync` are activation-first. They authenticate the user, require a free activation license, bind the project, then send only allowlisted project metadata (file names + package/build manifests) to the API and generate:
+`0dai init` and `0dai sync` are activation-first. `init` can complete auth and plan activation in one run: browser/OAuth exchange code via `--auth-code`, Team/Pro activation code via `--code` or `--activation-code`, or the interactive OAuth/device-code prompt. After that it binds the project and sends only allowlisted project metadata (file names + package/build manifests) to the API and generates:
 
 - `ai/` — manifests, personas, skills, playbooks, delegation policy
 - `.claude/` — settings, agents, hooks, rules
@@ -34,6 +37,28 @@ cd your-project
 
 Your source code is never sent. Only file names and package/build manifests.
 
+## Why 0dai, not just Cursor or Copilot?
+
+Cursor and Copilot are editors. They help inside one coding session. 0dai writes a project layer that Claude Code, Codex, OpenCode, Gemini, and Aider can all read. The point is not another autocomplete box; it is one manifest, one set of agent roles, one task queue, and one health check for the repo.
+
+A fresh `0dai init` turns a repo into an AI-ready workspace. It records stack detection, safe project commands, agent preferences, MCP config, and delegation policy under `ai/`, then writes native files such as `AGENTS.md` and `.mcp.json`. Your source stays local; only file names and package/build manifests go to the API.
+
+0dai is useful when work needs more than one model or more than one sitting. You can ask for a backlog item with `0dai run "add password reset tests"`, check the queue with `0dai swarm status`, and continue from the same project facts in another agent CLI. Cursor or Copilot can still be your editor; 0dai keeps the repo-level context and task state outside the editor.
+
+The first five minutes are direct: run `0dai init`, run `0dai doctor`, then try one backlog task with `0dai run "..."` or inspect state with `0dai status`. If you only want a local setup, use `0dai init --local`; cloud mode adds sync, graph history, and shared task records.
+
+## Free-tier examples
+
+On the free tier you get ≈5 backlog tasks/day. Example: in one day you might ask 0dai to split and queue these tasks:
+
+- Write missing tests for the login form.
+- Add empty-state copy to the dashboard.
+- Check a failing CI log and suggest the smallest code fix.
+- Draft a PR checklist from the files changed.
+- Summarize today's `ai/swarm/done` tasks for standup.
+
+Each task can become one or more agent prompts, so the exact count depends on task size. Treat the free tier as enough for a daily cleanup pass; Pro is for larger task queues, graph sync with edges, and session roaming across projects.
+
 ## Links
 
 - Website: https://0dai.dev

package/bin/0dai.js

@@ -8,12 +8,95 @@
  * Shared config and utilities live in lib/shared.js.
  */
 
+const nodePath = require("path");
+
+function parseTargetAndArgs(rawArgs, cwd) {
+  const args = rawArgs.slice();
+  let target = cwd;
+  const ti = args.indexOf("--target");
+  if (ti >= 0 && args[ti + 1]) { target = nodePath.resolve(args[ti + 1]); args.splice(ti, 2); }
+  return { args, target };
+}
+
+const earlyParsed = parseTargetAndArgs(process.argv.slice(2), process.cwd());
+if ((earlyParsed.args[0] || "help") === "swarm-run") {
+  const { cmdSwarmRun } = require("../lib/commands/swarm");
+  cmdSwarmRun(earlyParsed.target, earlyParsed.args.slice(1));
+  process.exit(0);
+}
+
 const shared = require("../lib/shared");
 const { T, R, D, log, VERSION, fs, path, spawnSync, findRepoScript, checkVersion } = shared;
 
+/**
+ * Hot-path Go binary fallback (issue #2424).
+ *
+ * For read-only hot-path commands (status/doctor/version) we attempt to delegate
+ * to a Go binary when:
+ *   1. ODAI_GO_BIN is set and points at an executable file, OR a binary called
+ *      `0dai-go` is found on PATH.
+ *   2. The binary reports `binary_version` matching the dispatcher VERSION
+ *      (we accept exact match only — drift means fall back to Python/Node).
+ *   3. ODAI_GO_DISABLE is NOT set to a truthy value.
+ *
+ * If any of these checks fail we silently fall through to the existing
+ * Python/Node implementations. The goal is zero behaviour change when the Go
+ * binary is missing, broken, or version-skewed.
+ */
+function locateGoBinary() {
+  if (process.env.ODAI_GO_DISABLE && process.env.ODAI_GO_DISABLE !== "0") return null;
+  const explicit = process.env.ODAI_GO_BIN;
+  if (explicit && fs.existsSync(explicit)) {
+    try { if ((fs.statSync(explicit).mode & 0o111) !== 0) return explicit; } catch {}
+  }
+  // Search PATH for `0dai-go`.
+  const pathEnv = process.env.PATH || "";
+  const sep = process.platform === "win32" ? ";" : ":";
+  for (const dir of pathEnv.split(sep)) {
+    if (!dir) continue;
+    const candidate = path.join(dir, "0dai-go");
+    try {
+      if (fs.existsSync(candidate) && (fs.statSync(candidate).mode & 0o111) !== 0) return candidate;
+    } catch {}
+  }
+  return null;
+}
+
+function goBinaryCompatible(binPath) {
+  try {
+    const res = spawnSync(binPath, ["version", "--json"], { timeout: 3000 });
+    if (res.status !== 0 || !res.stdout) return false;
+    const info = JSON.parse(res.stdout.toString());
+    if (!info || typeof info.binary_version !== "string") return false;
+    return info.binary_version === VERSION;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Attempt to dispatch a hot-path command to the Go binary.
+ * Returns true if Go handled the command (process should exit), false if the
+ * caller must fall back to the existing Python/Node path.
+ */
+function tryGoHotPath(cmdName, target, argv) {
+  const bin = locateGoBinary();
+  if (!bin) return false;
+  if (!goBinaryCompatible(bin)) return false;
+  const forwarded = [cmdName, "--target", target, ...argv];
+  const res = spawnSync(bin, forwarded, { stdio: "inherit" });
+  if (res.error) return false;
+  if (typeof res.status === "number") process.exit(res.status);
+  process.exit(0);
+}
+
+// Export for tests; harmless at runtime.
+module.exports = { locateGoBinary, goBinaryCompatible, tryGoHotPath };
+const { loadCanonicalCounts, mcpToolsLabel } = require("../lib/utils/canonical-counts");
+
 // --- Command imports ---
-const { cmdAuthLogin, cmdAuthLogout, cmdRedeem, cmdAuthStatus, cmdActivateFree, cmdActivateStatus } = require("../lib/commands/auth");
-const { cmdInit, cmdSync } = require("../lib/commands/init");
+const { cmdAuthLogin, cmdAuthLogout, cmdRedeem, cmdAuthStatus, cmdAuthMcp, cmdActivateFree, cmdActivateStatus } = require("../lib/commands/auth");
+const { cmdInit, cmdSync, cmdProjectBind } = require("../lib/commands/init");
 const { cmdDetect } = require("../lib/commands/detect");
 const { cmdAudit } = require("../lib/commands/audit");
 const { cmdDoctor } = require("../lib/commands/doctor");
@@ -21,32 +104,158 @@ const { cmdValidate } = require("../lib/commands/validate");
 const { cmdUpdate } = require("../lib/commands/update");
 const { cmdReflect } = require("../lib/commands/reflect");
 const { cmdMetrics } = require("../lib/commands/metrics");
+const { cmdHeatmap } = require("../lib/commands/heatmap");
 const { cmdStatus } = require("../lib/commands/status");
 const { cmdPortfolio } = require("../lib/commands/portfolio");
 const { cmdRun } = require("../lib/commands/run");
 const { cmdWatch } = require("../lib/commands/watch");
 const { cmdModels } = require("../lib/commands/models");
 const { cmdSession } = require("../lib/commands/session");
-const { cmdSwarm } = require("../lib/commands/swarm");
+const { cmdSwarm, cmdSwarmRun } = require("../lib/commands/swarm");
+const { cmdStandup } = require("../lib/commands/standup");
 const { cmdFeedback, cmdFeedbackPush } = require("../lib/commands/feedback");
+const { cmdPlay } = require("../lib/commands/play");
 const { cmdGraph } = require("../lib/commands/graph");
 const { cmdReport } = require("../lib/commands/report");
+const { cmdCompliance } = require("../lib/commands/compliance");
 const { cmdExperience } = require("../lib/commands/experience");
 const { cmdWorkspace } = require("../lib/commands/workspace");
 const { cmdSsh } = require("../lib/commands/ssh");
 const { cmdTui } = require("../lib/commands/tui");
 const { cmdPersonaSimulate } = require("../lib/commands/persona-simulate");
 const { cmdProvider } = require("../lib/commands/provider");
+const { cmdPaste } = require("../lib/commands/paste");
+const { cmdReceipt } = require("../lib/commands/receipt");
+const { cmdBoneyard } = require("../lib/commands/boneyard");
+const { cmdQuota } = require("../lib/commands/quota");
+const { cmdGh } = require("../lib/commands/gh");
+const { cmdLoop } = require("../lib/commands/loop");
+const { cmdImportClaudeCodeAgents } = require("../lib/commands/import_claude_code_agents");
+const { cmdRunner } = require("../lib/commands/runner");
+const { cmdCi } = require("../lib/commands/ci");
+
+function printHelp() {
+  const counts = loadCanonicalCounts();
+  console.log(`\n  ${T}0dai${R} v${VERSION} — One config for ${counts.agent_clis_total} AI agent CLIs · ${mcpToolsLabel(counts)}\n`);
+  console.log("Start (first 5 minutes):");
+  console.log("  init           Create ai/ layer + MCP [--local] [--dry-run] [--minimal]");
+  console.log("  doctor         Check health, credentials, and drift [--drift]");
+  console.log("  status         Show maturity, swarm, and session state [--json]");
+  console.log("  quickstart     Run auth, init, doctor, and status checks in order");
+  console.log("  detect         Show detected stack");
+  console.log("  auth login     Authenticate (OAuth/device code flow) [--device] [--no-browser] [--code CODE] [--mcp]");
+  console.log("  auth mcp       Store an MCP token from current auth or device code [--device] [--no-browser]");
+  console.log("  auth status    Show account and usage");
+  console.log("  activate free  Claim free activation license");
+  console.log("");
+  console.log("Daily (regular work):");
+  console.log("  sync           Update ai/ layer after repo or server changes [--dry-run] [--yes] [--quiet] [--force]");
+  console.log("  run <goal>     Split a backlog item into agent tasks [--dry-run] [--agent claude|codex|gemini] [--provider X]");
+  console.log("  swarm status   Show queued, active, and done tasks");
+  console.log("  swarm add      Queue one task for an agent [--task '...' --to agent]");
+  console.log("  swarm-run      Add, dispatch, and wait for one swarm task as JSON");
+  console.log("  harvest        Convert experience events into candidate lessons");
+  console.log("  watch          Live task monitor: queue, active, recently done [--interval N]");
+  console.log("  reflect        Session reflection: delivered, delegation rate, blockers");
+  console.log("  standup        Morning voice briefing about overnight agent work");
+  console.log("  feedback push  Send feedback to 0dai");
+  console.log("  feedback retry Retry queued feedback after a failed push");
+  console.log("");
+  console.log("Pro / advanced:");
+  console.log("  init-existing  Existing-repo setup alias for init [--minimal] [--dry-run]");
+  console.log("  project bind   Bind current repository to your 0dai account [--json]");
+  console.log("  project status Show local project binding and health state [--json]");
+  console.log("  graph push     Upload local graph to server (Pro: edges, Free: nodes)");
+  console.log("  graph pull     Download server graph and merge locally");
+  console.log("  graph status   Show local graph stats and sync state");
+  console.log("  ci             Plan portable 0dai CI pipelines and inspect AI-MQ [list|plan|mq-status] [--json]");
+  console.log("  heatmap        Repo treemap: LOC x agent-edit intensity");
+  console.log("  session save   Save session for roaming");
+  console.log("  provider       Local provider profiles, bindings, and direct invoke");
+  console.log("  models         Show model ratings (--fast/--balanced/--deep/--available)");
+  console.log("  quota          Agent subscription usage table [--refresh] [--json]");
+  console.log("  workspace      Manage tmux workspace sessions (init|up|status)");
+  console.log("  runner         Show runner/project-host architecture, queues, labels, and burst routing [status|plan|queue-status|label-audit|route-dry-run] [--json]");
+  console.log("  report         Privacy-safe project reports (preview|push|status)");
+  console.log("  compliance     SOC2/ISO evidence and ADR audit-trail export");
+  console.log("  experience     Structured experience events (list|stats|sync|warnings|dismiss)");
+  console.log("  persona-simulate  Produce a focus-group report and optional issue drafts");
+  console.log("  receipt        Render a 1200×630 session receipt PNG [--last|--active|--session ID]");
+  console.log("  boneyard       Weekly digest of worst agent moves [--week YYYY-WW|current]");
+  console.log("  gh branch-protection [print|apply|install]  Manage generated GitHub branch protection");
+  console.log("  import claude-code-agents  Import .claude/agents/*.md as 0dai personas [--source DIR] [--target DIR] [--dry-run]");
+  console.log("  auth logout    Remove credentials");
+  console.log("  activate code  Redeem a Pro/Team activation code");
+  console.log("  activate status Show activation and bound-project status");
+  console.log("  redeem <CODE>  Redeem a plan upgrade code");
+  console.log("  advanced flags:");
+  console.log("    --target PATH  Run any command against another project path");
+  console.log("    init --auth-code CODE --code TEAM-CODE  Sign in and activate during init");
+  console.log("    init --no-mcp-auth --mcp-host HOST --reset  Control MCP bootstrap");
+  console.log("    sync --no-diff --force  Control managed config updates");
+  console.log("  --version\n");
+  console.log("https://0dai.dev");
+}
+
+const SYNC_ALLOWED_FLAGS = new Set([
+  "--dry-run",
+  "--yes",
+  "-y",
+  "--quiet",
+  "-q",
+  "--force",
+  "--no-diff",
+  "--no-mcp-auth",
+]);
+
+function printSyncHelp() {
+  console.log(`\n  ${T}0dai sync${R} — Update the managed ai/ layer\n`);
+  console.log("Usage:");
+  console.log("  0dai sync [--dry-run] [--yes|-y] [--quiet|-q] [--force] [--no-diff] [--no-mcp-auth] [--target PATH]");
+  console.log("");
+  console.log("Options:");
+  console.log("  --dry-run      Preview managed file changes without writing them");
+  console.log("  --yes, -y      Apply changes without an interactive confirmation prompt");
+  console.log("  --quiet, -q    Reduce non-essential output");
+  console.log("  --force        Also overwrite native config files from managed ai/ sources");
+  console.log("  --no-diff      Hide unified diff output in previews/prompts");
+  console.log("  --no-mcp-auth  Skip MCP cloud-token bootstrap during sync");
+  console.log("  --target PATH  Run sync against another project path");
+  console.log("");
+}
+
+function handleSyncHelpOrInvalidArgs(args) {
+  const syncArgs = args.slice(1);
+  if (syncArgs.includes("--help") || syncArgs.includes("-h")) {
+    printSyncHelp();
+    return true;
+  }
+
+  for (const arg of syncArgs) {
+    if (SYNC_ALLOWED_FLAGS.has(arg)) continue;
+    const label = arg.startsWith("-") ? "unknown sync option" : "unexpected sync argument";
+    log(`${label}: ${arg}`);
+    printSyncHelp();
+    process.exit(1);
+  }
+  return false;
+}
 
 async function main() {
-  const args = process.argv.slice(2);
-  let target = process.cwd();
-  const ti = args.indexOf("--target");
-  if (ti >= 0 && args[ti + 1]) { target = path.resolve(args[ti + 1]); args.splice(ti, 2); }
+  const { args, target } = parseTargetAndArgs(process.argv.slice(2), process.cwd());
 
   const cmd = args[0] || "help";
   const sub = args[1] || "";
 
+  if (cmd === "swarm-run") {
+    cmdSwarmRun(target, args.slice(1));
+    return;
+  }
+
+  if (cmd === "sync" && handleSyncHelpOrInvalidArgs(args)) {
+    return;
+  }
+
   // Non-blocking version check (runs in background, once per day)
   checkVersion();
 
@@ -54,7 +263,7 @@ async function main() {
   try { require("../lib/onboarding").trackFirstRun(target); } catch {}
 
   // First-run wizard prompt for commands that need ai/
-  if (["status", "doctor", "sync", "swarm", "detect", "validate", "reflect", "metrics", "experience", "graph", "session", "report"].includes(cmd)) {
+  if (["status", "doctor", "sync", "swarm", "swarm-run", "detect", "validate", "reflect", "metrics", "experience", "graph", "session", "report", "live", "feed", "live-feed"].includes(cmd)) {
     try {
       const { maybeWizard } = require("../lib/wizard");
       const handled = await maybeWizard(target, cmd);
@@ -68,6 +277,7 @@ async function main() {
       await ob.cmdQuickstart(target, { cmdDoctor, cmdStatus, cmdInit: (t, a) => cmdInit(t, a || []), log, ensureAuthenticated: shared.makeEnsureAuthenticated(cmdAuthLogin) });
       break;
     }
+    case "init-existing": await cmdInit(target, args); break;
     case "run": await cmdRun(args[1] || "", target, args.slice(2)); break;
     case "watch": cmdWatch(target, args.slice(1)); break;
     case "audit": cmdAudit(target); break;
@@ -109,6 +319,11 @@ async function main() {
     case "detect": await cmdDetect(target); break;
     case "doctor": {
       const driftMode = args.includes("--drift");
+      // Go fast-path covers only the base read-only doctor (no --drift, no
+      // network). Anything else falls through to the full Node implementation.
+      if (!driftMode) {
+        tryGoHotPath("doctor", target, args.slice(1));
+      }
       cmdDoctor(target, { drift: driftMode });
       if (args.includes("--drift")) {
         const ds = findRepoScript(target, "drift_detector.py");
@@ -138,27 +353,83 @@ async function main() {
     case "reflect": cmdReflect(target, args); break;
     case "update": cmdUpdate(args); break;
     case "metrics": cmdMetrics(target); break;
+    case "heatmap": cmdHeatmap(target, args.slice(1)); break;
     case "portfolio": cmdPortfolio(); break;
-    case "status": cmdStatus(target, { json: args.includes("--json") }); break;
+    case "status":
+      tryGoHotPath("status", target, args.slice(1));
+      cmdStatus(target, { json: args.includes("--json") });
+      break;
+    case "project":
+      if (sub === "status") cmdStatus(target, { json: args.includes("--json") });
+      else if (sub === "bind") await cmdProjectBind(target, args.slice(2));
+      else console.log("Usage: 0dai project [bind [--json]|status [--json]] [--target PATH]");
+      break;
     case "auth":
-      if (sub === "login") await cmdAuthLogin();
+      if (sub === "login") await cmdAuthLogin(args.slice(2));
       else if (sub === "logout") cmdAuthLogout();
       else if (sub === "status") await cmdAuthStatus();
-      else console.log("Usage: 0dai auth [login|logout|status]");
+      else if (sub === "mcp") await cmdAuthMcp(args.slice(2));
+      else console.log("Usage: 0dai auth [login [--device] [--no-browser] [--code <success-code>] [--mcp]|mcp [--device] [--no-browser]|logout|status]");
       break;
     case "activate":
       if (sub === "free" || !sub) await cmdActivateFree();
       else if (sub === "status") await cmdActivateStatus();
-      else console.log("Usage: 0dai activate [free|status]");
+      else if (sub === "code" || sub === "redeem") await cmdRedeem(args[2]);
+      else console.log("Usage: 0dai activate [free|status|code <CODE>]");
       break;
     case "session": cmdSession(target, sub, args); break;
     case "swarm": cmdSwarm(target, sub, args); break;
     case "workspace": cmdWorkspace(target, sub, args.slice(2)); break;
+    case "runner": cmdRunner(target, sub, args); break;
+    case "ci": cmdCi(target, sub, args); break;
     case "ssh": await cmdSsh(target, sub, args); break;
     case "provider": cmdProvider(target, args.slice(1)); break;
+    case "standup": await cmdStandup(target, args.slice(1)); break;
     case "tui": case "dashboard": await cmdTui(target, args.slice(1)); break;
+    case "bundle":
+    case "replay": {
+      const glassBoxScript = findRepoScript(target, "glass_box.py");
+      if (!glassBoxScript) { log("glass box bundle helper unavailable"); break; }
+      const fwd = [glassBoxScript, cmd, "--target", target, ...args.slice(1)];
+      const result = spawnSync("python3", fwd, { stdio: "inherit", timeout: 30000 });
+      if (typeof result.status === "number" && result.status !== 0) process.exit(result.status);
+      break;
+    }
     case "feedback": await cmdFeedback(target, sub, args); break;
+    case "harvest": {
+      const harvestScript = findRepoScript(target, "harvest_experience.py");
+      if (!harvestScript) { log("harvest helper unavailable"); break; }
+      const result = spawnSync("python3", [harvestScript, "--target", target, ...args.slice(1)], { stdio: "inherit", timeout: 15000 });
+      if (typeof result.status === "number" && result.status !== 0) process.exit(result.status);
+      break;
+    }
+    case "play": await cmdPlay(target, sub, args); break;
+    case "paste": await cmdPaste(args.slice(1)); break;
+    case "receipt": cmdReceipt(target, args.slice(1)); break;
+    case "boneyard": cmdBoneyard(target, args.slice(1)); break;
+    case "quota": case "quotas": cmdQuota(target, args.slice(1)); break;
+    case "gh": await cmdGh(target, sub, args); break;
+    case "loop": cmdLoop(target, sub, args); break;
+    case "import": {
+      const what = sub || args[1];
+      if (what === "claude-code-agents" || what === "claude-agents") {
+        await cmdImportClaudeCodeAgents(target, args.slice(2));
+      } else {
+        log(`unknown import source: ${what || "(none)"}`);
+        console.log(`  ${D}supported: claude-code-agents${R}`);
+        process.exit(1);
+      }
+      break;
+    }
+    case "live": case "feed": case "live-feed": {
+      const liveScript = findRepoScript(target, "live_feed.py");
+      if (!liveScript) { log("live feed helper unavailable"); break; }
+      const result = spawnSync("python3", [liveScript, "--target", target, ...args.slice(1)], { stdio: "inherit", timeout: 15000 });
+      if (typeof result.status === "number" && result.status !== 0) process.exit(result.status);
+      break;
+    }
     case "report": cmdReport(target, sub, args); break;
+    case "compliance": cmdCompliance(target, args.slice(1)); break;
     case "experience": cmdExperience(target, sub, args); break;
     case "persona-simulate": cmdPersonaSimulate(target, args.slice(1)); break;
     case "graph": await cmdGraph(target, sub, args); break;
@@ -251,55 +522,13 @@ async function main() {
         else log(`error: ${e.message}`);
       }
       break;
-    case "--version": console.log(`${T}0dai${R} ${VERSION}`); break;
+    case "--version":
+    case "version":
+      tryGoHotPath("version", target, args.slice(1));
+      console.log(`${T}0dai${R} ${VERSION}`);
+      break;
     case "help": case "--help": case "-h":
-      console.log(`\n  ${T}0dai${R} v${VERSION} — One config for 5 AI agent CLIs\n`);
-      console.log("Commands:");
-      console.log("  run <goal>     AI-decompose goal → swarm tasks (auto-routed) [--dry-run]");
-      console.log("  watch          Live task monitor: queue, active, recently done [--interval N]");
-      console.log("  audit          Scan ai/ and agent configs for leaked secrets");
-      console.log("  init           Initialize ai/ layer (via API) [--dry-run] [--minimal]");
-      console.log("  sync           Update ai/ layer (via API) [--dry-run] [--quiet] [--force]");
-      console.log("  detect         Show detected stack");
-      console.log("  doctor         Check health + credentials checklist [--drift]");
-      console.log("  update         Update all installed agent CLIs to latest [--dry-run]");
-      console.log("  validate       Validate ai/ layer completeness");
-      console.log("  reflect        Session reflection: delivered, delegation rate, blockers");
-      console.log("  metrics        Effectiveness score: adoption funnel, sessions, delegation");
-      console.log("  portfolio      All tracked projects: score, sessions, agents, last activity");
-      console.log("  status         Show maturity, swarm, session [--json]");
-      console.log("  session save   Save session for roaming");
-      console.log("  swarm status       Task queue & delegation");
-      console.log("  swarm webhook add  Register webhook (fires on task done/failed)");
-      console.log("  swarm webhook list Show registered webhooks");
-      console.log("  ssh            Manage SSH keys, hosts, grants, and host-side sync");
-      console.log("  provider       Local provider profiles, bindings, and direct invoke");
-      console.log("  swarm webhook test Send test ping to a webhook URL");
-      console.log("  workspace init     Create tmux workspace config (auto-detect services)");
-      console.log("  workspace up       Start all workspace sessions");
-      console.log("  workspace status   Show session status table");
-      console.log("  feedback push  Send feedback to 0dai");
-      console.log("  report preview Preview privacy-safe project report");
-      console.log("  report push    Send report to 0dai (with offline queue)");
-      console.log("  report status  Show last report, queue, and auto-report status");
-      console.log("  persona-simulate  Produce a focus-group report and optional issue drafts");
-      console.log("  experience list  Show recent structured experience events");
-      console.log("  experience stats Show success and cost stats by agent/model/type");
-      console.log("  graph push     Upload local graph to server (Pro: edges, Free: nodes)");
-      console.log("  graph pull     Download server graph and merge locally");
-      console.log("  graph status   Show local graph stats and sync state");
-      console.log("  models         Show model ratings (--fast/--balanced/--deep/--available)");
-      console.log("  delegate       Auto-route task to best agent/model (0dai delegate 'goal')");
-      console.log("  delegation show  Show current delegation policy");
-      console.log("  terminal       Launch interactive agent session");
-      console.log("  auth login     Authenticate (device code flow)");
-      console.log("  auth logout    Remove credentials");
-      console.log("  auth status    Show account and usage");
-      console.log("  activate free  Claim free activation license");
-      console.log("  activate status Show activation and bound-project status");
-      console.log("  redeem <CODE>  Redeem a plan upgrade code");
-      console.log("  --version\n");
-      console.log("https://0dai.dev");
+      printHelp();
       break;
     default:
       log(`unknown command: ${cmd}. Run '0dai --help'`);

package/lib/commands/audit.js

@@ -29,6 +29,18 @@ function cmdAudit(target) {
     "opencode.json", ".mcp.json",
   ];
 
+  // Paths whose contents are synthetic test fixtures by design — they contain
+  // realistic-looking secret patterns to exercise detection logic. Skipping
+  // them avoids false-positive blocking of release pipelines.
+  const SKIP_PATH_SEGMENTS = [
+    "synthetic-tests",  // ai/meta/synthetic-tests/scenarios/*.json — PII/secret detection fixtures
+  ];
+
+  function shouldSkip(filePath) {
+    const rel = path.relative(target, filePath);
+    return SKIP_PATH_SEGMENTS.some(seg => rel.split(path.sep).includes(seg));
+  }
+
   // Walk a directory recursively, return all file paths
   function walk(dir, maxDepth = 6, _depth = 0) {
     if (_depth > maxDepth) return [];
@@ -36,6 +48,7 @@ function cmdAudit(target) {
     try {
       for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
         if (entry.name.startsWith(".git") || entry.name === "node_modules") continue;
+        if (SKIP_PATH_SEGMENTS.includes(entry.name)) continue;
         const full = path.join(dir, entry.name);
         if (entry.isDirectory()) results = results.concat(walk(full, maxDepth, _depth + 1));
         else results.push(full);