@0dai-dev/cli 4.3.5 → 4.3.6

package/bin/0dai.js

@@ -31,18 +31,58 @@ const { T, R, D, log, VERSION, fs, path, spawnSync, findRepoScript, checkVersion
 /**
  * Hot-path Go binary fallback (issue #2424).
  *
- * For read-only hot-path commands (status/doctor/version) we attempt to delegate
- * to a Go binary when:
+ * For read-only hot-path commands we attempt to delegate to a Go binary when:
  *   1. ODAI_GO_BIN is set and points at an executable file, OR a binary called
  *      `0dai-go` is found on PATH.
- *   2. The binary reports `binary_version` matching the dispatcher VERSION
- *      (we accept exact match only — drift means fall back to Python/Node).
+ *   2. The binary reports `dispatcher_compat_version` matching the dispatcher
+ *      VERSION (legacy binaries may still use `binary_version` for this).
  *   3. ODAI_GO_DISABLE is NOT set to a truthy value.
+ *   4. The command's batch flag is not disabled. SPEC-035 rollback Level 1
+ *      is `ODAI_GO_BATCH_<N>=0`, which transparently routes the whole batch
+ *      back to the Node/Python implementation without reinstalling.
+ *
+ * Only commands listed in GO_HOT_PATH_COMMANDS are eligible for automatic
+ * delegation. `status` moved into batch 2 only after the #4098 Go↔Node
+ * payload parity proof landed. Base `doctor` moved into the same batch only
+ * after #4111 made the local `doctor_checks` shadow contract explicit;
+ * `doctor --drift` stays on the full Node implementation.
  *
  * If any of these checks fail we silently fall through to the existing
  * Python/Node implementations. The goal is zero behaviour change when the Go
  * binary is missing, broken, or version-skewed.
  */
+const GO_HOT_PATH_COMMANDS = new Set(["version", "status", "doctor"]);
+const GO_HOT_PATH_BATCHES = Object.freeze({
+  version: 1,
+  status: 2,
+  doctor: 2,
+});
+
+function goFlagDisabled(raw) {
+  if (raw === undefined || raw === null || raw === "") return false;
+  const value = String(raw).trim().toLowerCase();
+  return ["0", "false", "no", "off"].includes(value);
+}
+
+function goCommandEnvName(cmdName) {
+  return `ODAI_GO_COMMAND_${String(cmdName).toUpperCase().replace(/[^A-Z0-9]+/g, "_")}`;
+}
+
+function goBatchEnvName(batch) {
+  return `ODAI_GO_BATCH_${batch}`;
+}
+
+function goBatchEnabled(cmdName) {
+  const batch = GO_HOT_PATH_BATCHES[cmdName];
+  if (!batch) return false;
+  if (goFlagDisabled(process.env[goBatchEnvName(batch)])) return false;
+
+  // Drill-only per-command rollback override. Batch flags remain the release
+  // contract; this override is intentionally narrower for staging drills.
+  if (goFlagDisabled(process.env[goCommandEnvName(cmdName)])) return false;
+  return true;
+}
+
 function locateGoBinary() {
   if (process.env.ODAI_GO_DISABLE && process.env.ODAI_GO_DISABLE !== "0") return null;
   const explicit = process.env.ODAI_GO_BIN;
@@ -68,7 +108,11 @@ function goBinaryCompatible(binPath) {
     if (res.status !== 0 || !res.stdout) return false;
     const info = JSON.parse(res.stdout.toString());
     if (!info || typeof info.binary_version !== "string") return false;
-    return info.binary_version === VERSION;
+    const compatVersion =
+      typeof info.dispatcher_compat_version === "string"
+        ? info.dispatcher_compat_version
+        : info.binary_version;
+    return compatVersion === VERSION;
   } catch {
     return false;
   }
@@ -80,6 +124,8 @@ function goBinaryCompatible(binPath) {
  * caller must fall back to the existing Python/Node path.
  */
 function tryGoHotPath(cmdName, target, argv) {
+  if (!GO_HOT_PATH_COMMANDS.has(cmdName)) return false;
+  if (!goBatchEnabled(cmdName)) return false;
   const bin = locateGoBinary();
   if (!bin) return false;
   if (!goBinaryCompatible(bin)) return false;
@@ -91,7 +137,16 @@ function tryGoHotPath(cmdName, target, argv) {
 }
 
 // Export for tests; harmless at runtime.
-module.exports = { locateGoBinary, goBinaryCompatible, tryGoHotPath };
+module.exports = {
+  locateGoBinary,
+  goBinaryCompatible,
+  goBatchEnabled,
+  goBatchEnvName,
+  goCommandEnvName,
+  tryGoHotPath,
+  GO_HOT_PATH_BATCHES,
+  GO_HOT_PATH_COMMANDS,
+};
 const { loadCanonicalCounts, mcpToolsLabel } = require("../lib/utils/canonical-counts");
 
 // --- Command imports ---
@@ -99,6 +154,9 @@ const { cmdAuthLogin, cmdAuthLogout, cmdRedeem, cmdAuthStatus, cmdAuthMcp, cmdAc
 const { cmdInit, cmdSync, cmdProjectBind } = require("../lib/commands/init");
 const { cmdDetect } = require("../lib/commands/detect");
 const { cmdAudit } = require("../lib/commands/audit");
+const { cmdExport } = require("../lib/commands/export");
+const { cmdMcp } = require("../lib/commands/mcp");
+const { cmdVault } = require("../lib/commands/vault");
 const { cmdDoctor } = require("../lib/commands/doctor");
 const { cmdValidate } = require("../lib/commands/validate");
 const { cmdUpdate } = require("../lib/commands/update");
@@ -110,7 +168,7 @@ const { cmdStatus } = require("../lib/commands/status");
 const { cmdPortfolio } = require("../lib/commands/portfolio");
 const { cmdRun } = require("../lib/commands/run");
 const { cmdWatch } = require("../lib/commands/watch");
-const { cmdModels } = require("../lib/commands/models");
+const { cmdModels, cmdModelsRecommend } = require("../lib/commands/models");
 const { cmdSession } = require("../lib/commands/session");
 const { cmdSwarm, cmdSwarmRun } = require("../lib/commands/swarm");
 const { cmdStandup } = require("../lib/commands/standup");
@@ -135,10 +193,18 @@ const { cmdLoop } = require("../lib/commands/loop");
 const { cmdImportClaudeCodeAgents } = require("../lib/commands/import_claude_code_agents");
 const { cmdRunner } = require("../lib/commands/runner");
 const { cmdCi } = require("../lib/commands/ci");
+const { cmdTrust } = require("../lib/commands/trust");
 
 function printHelp() {
   const counts = loadCanonicalCounts();
   console.log(`\n  ${T}0dai${R} v${VERSION} — One config for ${counts.agent_clis_total} AI agent CLIs · ${mcpToolsLabel(counts)}\n`);
+  console.log("First-run sequence (canonical):");
+  console.log("  npm install -g @0dai-dev/cli   # install once, globally");
+  console.log("  0dai auth login                # sign in (OAuth / device code)");
+  console.log("  0dai activate free             # claim free-tier license");
+  console.log("  0dai init                      # generate ai/ layer in cwd");
+  console.log("  0dai doctor                    # verify health and drift");
+  console.log("");
   console.log("Start (first 5 minutes):");
   console.log("  init           Create ai/ layer + MCP [--local] [--dry-run] [--minimal]");
   console.log("  doctor         Check health, credentials, and drift [--drift]");
@@ -164,22 +230,26 @@ function printHelp() {
   console.log("  feedback retry Retry queued feedback after a failed push");
   console.log("");
   console.log("Pro / advanced:");
-  console.log("  init-existing  Existing-repo setup alias for init [--minimal] [--dry-run]");
+  console.log("  init-existing  Legacy alias for init (older docs / scripted bootstraps); use 'init' [--minimal] [--dry-run]");
   console.log("  project bind   Bind current repository to your 0dai account [--json]");
   console.log("  project status Show local project binding and health state [--json]");
   console.log("  graph push     Upload local graph to server (Pro: edges, Free: nodes)");
   console.log("  graph pull     Download server graph and merge locally");
   console.log("  graph status   Show local graph stats and sync state");
   console.log("  ci             Plan portable 0dai CI pipelines and inspect AI-MQ [list|plan|mq-status] [--json]");
+  console.log("  mcp            MCP server, tools, and health [list|catalog|doctor|call] [--json]");
+  console.log("  vault          Local age-encrypted secrets vault [init|add|get] [--json]");
   console.log("  heatmap        Repo treemap: LOC x agent-edit intensity");
   console.log("  session save   Save session for roaming");
   console.log("  provider       Local provider profiles, bindings, and direct invoke");
   console.log("  models         Show model ratings (--fast/--balanced/--deep/--available)");
+  console.log("  models recommend  Ledger-ranked model pick for a task type [--task TYPE] [--goal '...'] [--json]");
   console.log("  quota          Agent subscription usage table [--refresh] [--json]");
   console.log("  usage          Local token, task, and USD usage ledger [status|daily|monthly]");
   console.log("  workspace      Manage tmux workspace sessions (init|up|status)");
   console.log("  runner         Show runner/project-host architecture, queues, labels, and burst routing [status|plan|queue-status|label-audit|route-dry-run] [--json]");
   console.log("  report         Privacy-safe project reports (preview|push|status)");
+  console.log("  trust          Pre-run blast-radius: protected paths, authority matrix, egress [--json]");
   console.log("  compliance     SOC2/ISO evidence and ADR audit-trail export");
   console.log("  experience     Structured experience events (list|stats|sync|warnings|dismiss)");
   console.log("  persona-simulate  Produce a focus-group report and optional issue drafts");
@@ -288,6 +358,7 @@ async function main() {
     case "run": await cmdRun(args[1] || "", target, args.slice(2)); break;
     case "watch": cmdWatch(target, args.slice(1)); break;
     case "audit": cmdAudit(target); break;
+    case "export": await cmdExport(target, args); break;
     case "security": {
       const subSec = args[1] || "";
       if (subSec === "install-hook") {
@@ -331,7 +402,7 @@ async function main() {
       if (!driftMode) {
         tryGoHotPath("doctor", target, args.slice(1));
       }
-      cmdDoctor(target, { drift: driftMode });
+      cmdDoctor(target, { drift: driftMode, json: args.includes("--json") });
       if (args.includes("--drift")) {
         const ds = findRepoScript(target, "drift_detector.py");
         console.log("\n  drift report:");
@@ -385,6 +456,8 @@ async function main() {
       else if (sub === "code" || sub === "redeem") await cmdRedeem(args[2]);
       else console.log("Usage: 0dai activate [free|status|code <CODE>]");
       break;
+    case "mcp": cmdMcp(target, sub, args); break;
+    case "vault": cmdVault(target, args[1], args.slice(2)); break;
     case "session": cmdSession(target, sub, args); break;
     case "swarm": cmdSwarm(target, sub, args); break;
     case "workspace": cmdWorkspace(target, sub, args.slice(2)); break;
@@ -438,11 +511,15 @@ async function main() {
       break;
     }
     case "report": cmdReport(target, sub, args); break;
+    case "trust": cmdTrust(target, args.slice(1)); break;
     case "compliance": cmdCompliance(target, args.slice(1)); break;
     case "experience": cmdExperience(target, sub, args); break;
     case "persona-simulate": cmdPersonaSimulate(target, args.slice(1)); break;
     case "graph": await cmdGraph(target, sub, args); break;
-    case "models": cmdModels(sub || args[1]); break;
+    case "models":
+      if (sub === "recommend") await cmdModelsRecommend(target, args.slice(2));
+      else cmdModels(sub || args[1]);
+      break;
     case "delegate": case "delegation": {
       const deScript = findRepoScript(target, "delegation_engine.py");
       if (!deScript) { log("delegation engine unavailable"); break; }

package/lib/commands/auth.js

@@ -481,6 +481,54 @@ async function cmdAuthStatus() {
   }
 }
 
+// Disclosure text for the remote activation event.
+// Exported so tests can assert the notice references the real payload fields.
+const ACTIVATION_TELEMETRY_NOTICE =
+  "Telemetry: on activation, 0dai sends an event (free_tier_activated, timestamp, "
+  + "path=cli://activate-free, source=cli) to api.0dai.dev/v1/events via your "
+  + "authenticated session with a device identifier (X-Device-ID header). "
+  + "To opt out: set DO_NOT_TRACK=1 or ODAI_NO_TELEMETRY=1.";
+
+/**
+ * Post a best-effort activation event to the remote analytics endpoint.
+ *
+ * Opt-out: set DO_NOT_TRACK=1 or ODAI_NO_TELEMETRY=1 in the environment.
+ * When opted out, the local activation log (ai/meta/telemetry/activation.jsonl)
+ * is NOT affected — only the remote HTTP POST is skipped.
+ *
+ * @param {object} [deps]
+ * @param {Function} [deps.apiCallFn] - injectable stand-in for apiCall (tests)
+ * @param {object}  [deps.env]        - injectable env (defaults to process.env)
+ * @param {Function} [deps.print]     - injectable print fn (defaults to console.log)
+ */
+async function trackFreeTierActivated(deps = {}) {
+  const env = deps.env || process.env;
+  const print = deps.print || console.log;
+  const callFn = deps.apiCallFn || apiCall;
+
+  // Honour standard cross-ecosystem opt-out AND 0dai-specific form.
+  if (env.DO_NOT_TRACK === "1" || env.ODAI_NO_TELEMETRY === "1") {
+    return; // remote POST skipped; local log is unaffected
+  }
+
+  // One-time honest disclosure: what is sent, where, and how to opt out.
+  print(ACTIVATION_TELEMETRY_NOTICE);
+
+  try {
+    await callFn("/v1/events", {
+      events: [{
+        event: "free_tier_activated",
+        timestamp: new Date().toISOString(),
+        path: "cli://activate-free",
+        page: "0dai activate free",
+        props: { source: "cli" },
+      }],
+    });
+  } catch {
+    // best-effort telemetry — network failure is non-fatal
+  }
+}
+
 async function cmdActivateFree() {
   const ensureAuthenticated = makeEnsureAuthenticated(cmdAuthLogin);
   await ensureAuthenticated("activation");
@@ -488,6 +536,9 @@ async function cmdActivateFree() {
   log(`license ${license.status}`);
   console.log(`  activation id: ${license.activation_id}`);
   console.log(`  plan: ${license.plan || "free"}`);
+  if (license.status === "active") {
+    await trackFreeTierActivated();
+  }
 }
 
 async function cmdActivateStatus() {
@@ -523,4 +574,6 @@ module.exports = {
   parseActivationArgs,
   parseAuthLoginFlags,
   printDeviceLoginInstructions,
+  trackFreeTierActivated,
+  ACTIVATION_TELEMETRY_NOTICE,
 };

package/lib/commands/detect.js

@@ -1,15 +1,21 @@
 "use strict";
 const shared = require("../shared");
-const { D, R, log, apiCall, collectMetadata } = shared;
+const { D, R, log, apiCall, collectMetadata, buildProjectIdentity, hashManifestFiles } = shared;
 
 async function cmdDetect(target) {
   const OPTIONAL_CLIS = ["gemini", "aider", "opencode"];
-  const { projectFiles, manifestContents, clis: localClis } = collectMetadata(target);
-  // Send file contents AND local CLI inventory so server can do content-based detection
+  const metadata = collectMetadata(target);
+  const { projectFiles, manifestContents, clis: localClis } = metadata;
+  const identity = buildProjectIdentity(target, metadata);
+  // Privacy: send only filenames + SHA-256 hashes, never raw content (closes #4016).
+  // Local stack detection is pre-computed and passed as `stack`; server works from
+  // project_files + client-derived stack, not file content.
   const result = await apiCall("/v1/detect", {
     project_files: projectFiles,
-    manifest_contents: manifestContents,
+    manifest_files: hashManifestFiles(manifestContents),
     available_clis: localClis,
+    project_name: identity.project_name,
+    stack: identity.stack,
   });
   if (result.error) { log(`error: ${result.error}`); return; }
   console.log(`stack: ${result.stack || "?"}`);

package/lib/commands/doctor.js

@@ -2,6 +2,15 @@
 const shared = require("../shared");
 const { log, T, R, D, fs, path, spawnSync, findRepoScript, SUPPORTED_CLIS, recordExperienceEvent } = shared;
 
+const LOCAL_LAYER_CHECKS = Object.freeze([
+  ["ai/VERSION", "ai/VERSION", "error"],
+  ["ai/manifest/project.yaml", "ai/manifest/project.yaml", "error"],
+  ["ai/manifest/discovery.json", "ai/manifest/discovery.json", "warn"],
+  ["ai/manifest/commands.yaml", "ai/manifest/commands.yaml", "warn"],
+  [".claude/settings.json", ".claude/settings.json", "warn"],
+  ["AGENTS.md", "AGENTS.md", "warn"],
+]);
+
 function nodePtyProbe() {
   try {
     require.resolve("node-pty");
@@ -39,9 +48,35 @@ function ghostAuthStatus(home = process.env.HOME || process.env.USERPROFILE || "
   };
 }
 
+function collectLayerChecks(target) {
+  return LOCAL_LAYER_CHECKS.map(([name, relPath, missingSev]) => {
+    const fullPath = path.join(target, relPath);
+    const present = fs.existsSync(fullPath);
+    return {
+      name,
+      ok: present,
+      sev: present ? "ok" : missingSev,
+      hint: present ? "present" : `missing: ${fullPath}`,
+    };
+  });
+}
+
+function collectDoctorPayload(target) {
+  return {
+    binary: "node",
+    binary_version: shared.VERSION,
+    checks: collectLayerChecks(target),
+  };
+}
+
 function cmdDoctor(target, options = {}) {
   const ai = path.join(target, "ai");
   if (!fs.existsSync(ai)) { log("No 0dai config found. Run: 0dai init"); return; }
+  if (options.json) {
+    const payload = collectDoctorPayload(target);
+    console.log(JSON.stringify(payload, null, 2));
+    return payload;
+  }
   let v = "?", stack = "generic";
   try { v = fs.readFileSync(path.join(ai, "VERSION"), "utf8").trim(); } catch {}
   try { stack = JSON.parse(fs.readFileSync(path.join(ai, "manifest", "discovery.json"), "utf8")).stack || "generic"; } catch {}
@@ -52,15 +87,6 @@ function cmdDoctor(target, options = {}) {
   const R2 = process.stdout.isTTY ? "\x1b[0m" : "";
 
   // --- ai/ layer checks ---
-  const layerChecks = {
-    "ai/VERSION":                  { path: path.join(ai, "VERSION"),                   sev: "error" },
-    "ai/manifest/project.yaml":    { path: path.join(ai, "manifest", "project.yaml"),  sev: "error" },
-    "ai/manifest/commands.yaml":   { path: path.join(ai, "manifest", "commands.yaml"), sev: "warn"  },
-    "ai/manifest/discovery.json":  { path: path.join(ai, "manifest", "discovery.json"),sev: "warn"  },
-    ".claude/settings.json":       { path: path.join(target, ".claude", "settings.json"), sev: "warn" },
-    "AGENTS.md":                   { path: path.join(target, "AGENTS.md"),             sev: "warn"  },
-  };
-
   // --- credentials checklist ---
   // Detect subscription-based auth (not just env API keys)
   const { execFileSync: _execFile } = require("child_process");
@@ -118,14 +144,13 @@ function cmdDoctor(target, options = {}) {
 
   const missingConfigs = [];
   console.log("  ai/ layer:");
-  for (const [name, { path: p, sev }] of Object.entries(layerChecks)) {
-    const exists = fs.existsSync(p);
-    if (!exists) {
-      sev === "error" ? errors++ : warnings++;
-      if (sev === "warn") missingConfigs.push(name);
+  for (const check of collectLayerChecks(target)) {
+    if (!check.ok) {
+      check.sev === "error" ? errors++ : warnings++;
+      if (check.sev === "warn") missingConfigs.push(check.name);
     }
-    const mark = exists ? `${G}ok${R2}` : sev === "error" ? `${E}MISSING${R2}` : `${W}missing${R2}`;
-    console.log(`    ${mark.padEnd(22)} ${name}`);
+    const mark = check.ok ? `${G}ok${R2}` : check.sev === "error" ? `${E}MISSING${R2}` : `${W}missing${R2}`;
+    console.log(`    ${mark.padEnd(22)} ${check.name}`);
   }
   // Explain WHY native configs are missing and what to do
   if (missingConfigs.length > 0) {
@@ -275,4 +300,4 @@ function cmdDoctor(target, options = {}) {
   }
 }
 
-module.exports = { cmdDoctor, ghostAuthStatus, nodePtyProbe };
+module.exports = { cmdDoctor, ghostAuthStatus, nodePtyProbe, collectDoctorPayload, collectLayerChecks };

package/lib/commands/export.js

@@ -0,0 +1,73 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) 2026 0dai.dev
+//
+// F14 G4 Phase 2 — `0dai export --all` CLI command.
+//
+// Bundles user-owned tenant data into a tarball per the contract
+// at docs/governance/data-export-contract.md (F14 G4 Phase 1 /
+// PR #3569). Phase 2 ships personas + path-protect.yaml as real
+// data, plus usage-ledger.jsonl when present; the other 6 surfaces emit placeholder JSON
+// ({"_status": "not-implemented", "since": "F14 G4 Phase 2"}).
+//
+// Cosign signing is deferred to Phase 3 (stubs .sig + .crt as
+// empty files alongside the tarball so the layout contract holds).
+//
+// Usage:
+//   0dai export --all [--output PATH] [--target DIR]
+
+"use strict";
+
+const shared = require("../shared");
+const { T, R, D, log } = shared;
+const { buildExportTarball } = require("../utils/export-bundler");
+
+function parseExportArgs(args) {
+  const out = { all: false, output: null, target: process.cwd() };
+  for (let i = 0; i < args.length; i++) {
+    const a = args[i];
+    if (a === "--all") out.all = true;
+    else if (a === "--output" && args[i + 1]) { out.output = args[i + 1]; i++; }
+    else if (a === "--target" && args[i + 1]) { out.target = args[i + 1]; i++; }
+  }
+  return out;
+}
+
+function defaultOutputName() {
+  const now = new Date().toISOString().replace(/[:.]/g, "-").replace(/Z$/, "Z");
+  return `0dai-export-${now}.tar.gz`;
+}
+
+async function cmdExport(target, args) {
+  const opts = parseExportArgs(args);
+  if (!opts.all) {
+    console.error(`${T}[0dai-export]${R} --all is required (partial export is a Phase 2 follow-up)`);
+    process.exit(2);
+  }
+  const sourceRoot = opts.target || target || process.cwd();
+  const outputPath = opts.output || defaultOutputName();
+
+  log(`tenant data source: ${sourceRoot}`);
+  log(`output:             ${outputPath}`);
+
+  let result;
+  try {
+    result = await buildExportTarball({ sourceRoot, outputPath });
+  } catch (err) {
+    console.error(`${T}[0dai-export]${R} bundle failed: ${err.message}`);
+    process.exit(3);
+  }
+
+  log(`personas:       ${result.counts.personas} bundled`);
+  log(`path-protect:   ${result.counts.pathProtect} file(s)`);
+  log(`usage-ledger:   ${result.counts.usageLedger} file(s)`);
+  log(`placeholders:   ${result.counts.placeholders} surfaces (Phase 2 not-implemented)`);
+  log(`tarball:        ${result.tarballPath}`);
+  log(`sha256:         ${result.sha256}`);
+  if (result.signed) {
+    log(`signature:      cosign keyless signed (${result.sigPath})`);
+  } else {
+    log(`${D}signature:      ${result.signSkipReason} — stub .sig + .crt written${R}`);
+  }
+}
+
+module.exports = { cmdExport };

package/lib/commands/init.js

@@ -7,7 +7,7 @@ const {
   VERSION, SUPPORTED_CLIS,
   CONFIG_DIR, PROJECTS_FILE,
   apiCall, makeEnsureAuthenticated, ensureLicenseActivation, loadAuthState,
-  collectMetadata, buildProjectIdentity, registerProject,
+  collectMetadata, buildProjectIdentity, registerProject, hashManifestFiles,
   writeFiles, sendProjectHeartbeat, recordExperienceEvent,
   logFirstRunSuccess,
 } = shared;
@@ -364,11 +364,15 @@ async function cmdInit(target, args = []) {
   else if (!dryRun) log(`sending to API (${projectFiles.length} files, ${clis.length} CLIs)...`);
   const result = await apiCall("/v1/init", {
     project_files: projectFiles,
-    manifest_contents: manifestContents,
+    // Privacy: send only filenames + SHA-256 hashes, never raw content (closes #4016).
+    // Local detection (inferProjectName, detectStackHint) still reads content locally —
+    // the results are passed as project_name and stack so the server needs no raw content.
+    manifest_files: hashManifestFiles(manifestContents),
     available_clis: clis,
     dry_run: dryRun,
     minimal: minimal,
     project_name: identity.project_name,
+    stack: identity.stack,
     project_id: boundProject.project_id || identity.project_id,
     remote_origin: identity.remote_origin,
     origin: identity.origin,
@@ -464,7 +468,9 @@ async function cmdInit(target, args = []) {
   // First-run proof gate (issue #342). All 4 gates pass once we reach here:
   // license active (line above), project bound, ai/ layer written, heartbeat sent.
   // Idempotent — only fires once per project. See docs/first-run.md.
-  recordActivationInit(target, boundProject.project_id || identity.project_id);
+  recordActivationInit(target, boundProject.project_id || identity.project_id, {
+    stack: result.stack || identity.stack || "unknown",
+  });
 
   const firstRun = logFirstRunSuccess(target, {
     license: true,
@@ -665,7 +671,11 @@ async function cmdSync(target, args = []) {
 
   const result = await apiCall("/v1/sync", {
     ai_version: version, stack, agents: agents.length ? agents : clis,
-    current_files: currentFiles, manifest_contents: manifestContents,
+    current_files: currentFiles,
+    // Privacy: send only filenames + SHA-256 hashes, never raw content (closes #4031).
+    // Local detection (stack, agents) is derived locally and sent separately so the
+    // server needs no raw manifest content — mirrors the /v1/init fix from #4030.
+    manifest_files: hashManifestFiles(manifestContents),
     dry_run: dryRun, quiet, force,
     project_name: identity.project_name,
     project_id: boundProject.project_id || identity.project_id,

package/lib/commands/mcp.js

@@ -72,7 +72,7 @@ function _toolsFromTierManifest(target, plan) {
     const section = exposure[plan] || exposure.free;
     if (!section) continue;
     const tools = Array.isArray(section.tools) ? section.tools.slice() : [];
-    return { source: candidate, plan, tools, count: tools.length };
+    return { source: candidate, plan, tools, count: tools.length, exposure };
   }
   return null;
 }
@@ -203,12 +203,33 @@ function _cmdCatalog(target, args) {
   console.log(`\n  ${T}available stacks${R}: ${available.join(", ")}\n`);
 }
 
+// Flag MCP server entries left behind by a pre-4.3 `0dai sync` that no longer
+// connect. Two dead patterns: the deprecated `/sse` operator endpoint (HTTP 404,
+// 0dai-dev/docs#56) and the `transport: "sse"` form. `mergeMcpConfig` only manages
+// its own servers and never prunes unknown user entries -- even with --reset -- so
+// these persist after upgrade until removed by hand. The current generator connects
+// operator-MCP via the headerless "claude.ai 0dai" (OAuth /mcp) entry, so the stale
+// block is dead weight. Detection stays on the unambiguous /sse signal to avoid
+// false positives on a legitimately-wired bearer host-pool config (#57).
+function _detectStaleMcpServers(mcpServers) {
+  const stale = [];
+  for (const [name, cfg] of Object.entries(mcpServers || {})) {
+    if (!cfg || typeof cfg !== "object") continue;
+    const url = typeof cfg.url === "string" ? cfg.url : "";
+    const transport = typeof cfg.transport === "string" ? cfg.transport : "";
+    if (/\/sse\/?(\?|$)/.test(url) || transport === "sse") {
+      stale.push({ name, reason: "deprecated SSE endpoint/transport (HTTP 404)" });
+    }
+  }
+  return stale;
+}
+
 function _cmdDoctor(target, args) {
   const wantJson = args.includes("--json");
   const report = {
     target,
     server_script: { path: "", ok: false },
-    mcp_config: { path: "", ok: false, servers: [] },
+    mcp_config: { path: "", ok: false, servers: [], stale: [] },
     tier_manifest: { path: "", ok: false, free_count: 0, pro_count: 0 },
     catalog: { path: "", ok: false, stacks: 0 },
   };
@@ -226,6 +247,7 @@ function _cmdDoctor(target, args) {
     if (data && data.mcpServers && typeof data.mcpServers === "object") {
       report.mcp_config.ok = true;
       report.mcp_config.servers = Object.keys(data.mcpServers);
+      report.mcp_config.stale = _detectStaleMcpServers(data.mcpServers);
     }
   }
 
@@ -268,6 +290,12 @@ function _cmdDoctor(target, args) {
   if (report.mcp_config.ok) {
     console.log(`    servers: ${report.mcp_config.servers.join(", ")}`);
   }
+  if (report.mcp_config.stale.length) {
+    console.log(`    ${W}stale${R} (remove from .mcp.json — superseded by the "claude.ai 0dai" OAuth /mcp entry):`);
+    for (const s of report.mcp_config.stale) {
+      console.log(`      ${W}!${R} ${s.name} ${D}— ${s.reason}${R}`);
+    }
+  }
   console.log(`  tier manifest   ${ok(report.tier_manifest.ok)}  ${D}${report.tier_manifest.path || "(not found)"}${R}`);
   if (report.tier_manifest.ok) {
     console.log(`    free=${report.tier_manifest.free_count} pro=${report.tier_manifest.pro_count}`);
@@ -278,7 +306,9 @@ function _cmdDoctor(target, args) {
   }
   console.log("");
 
-  const allOk = report.server_script.ok && report.mcp_config.ok && (report.tier_manifest.ok || report.catalog.ok);
+  const allOk = report.server_script.ok && report.mcp_config.ok
+    && report.mcp_config.stale.length === 0
+    && (report.tier_manifest.ok || report.catalog.ok);
   if (!allOk) process.exitCode = 1;
 }
 

package/lib/commands/run.js

@@ -125,7 +125,10 @@ async function cmdRun(goal, target, args = []) {
 
   if (created.length > 0) {
     const identity = shared.buildProjectIdentity(target, shared.collectMetadata(target));
-    recordActivationFirstTask(target, identity.project_id);
+    recordActivationFirstTask(target, identity.project_id, {
+      outcome: "task_queued",
+      task_count: created.length,
+    });
   }
 }
 

package/lib/commands/status.js

@@ -4,7 +4,11 @@ const {
   log, T, R, D, fs, path, spawnSync, findRepoScript,
   getSwarmQuotaLocal, _detectPlanLocal, PLAN_LEVELS, loadAuthState,
 } = shared;
-const { getActivationDurationStats, printActivationStats } = require("../utils/activation_telemetry");
+const {
+  getActivationDurationStats,
+  getActivationMergedPrStats,
+  printActivationStats,
+} = require("../utils/activation_telemetry");
 
 function countJson(dir) {
   try { return fs.readdirSync(dir).filter(f => f.endsWith(".json")).length; } catch { return 0; }
@@ -118,6 +122,7 @@ function collectStatusPayload(target) {
     },
     warnings: warningCount,
     activation_ttfv: getActivationDurationStats(target),
+    activation_first_merged_pr: getActivationMergedPrStats(target),
   };
 }