@0dai-dev/cli 4.3.5 → 4.3.6

package/lib/commands/trust.js

@@ -0,0 +1,286 @@
+"use strict";
+// 0dai trust — pre-run blast-radius disclosure (F19 G3 / issue #3919).
+//
+// Renders, before any agent run, a human-readable summary of:
+//   (a) which paths agents may write vs which are protected
+//   (b) the authority matrix in force (AUTO / PICKER / FORBIDDEN per action x CLI)
+//   (c) what data leaves the repo
+//
+// WARM PATH (trust_scope.py found): delegates entirely to trust_scope.py, which
+// imports the SAME config the guards enforce.  No invented data.
+//
+// COLD PATH (trust_scope.py absent, i.e. pre-init repo): graceful degrade —
+// prints a clearly-labeled static DEFAULT scope summary and exits 0 (issue #4007).
+// This avoids the dead-end exit(1) that blocked maintainers evaluating blast-radius
+// before running `0dai init`.
+//
+// Usage:
+//   0dai trust [--json] [--target PATH]
+
+const shared = require("../shared");
+const { log, findRepoScript, spawnSync } = shared;
+
+// ── COLD-PATH: static default-scope payload ───────────────────────────────────
+//
+// Emitted when trust_scope.py is unavailable (pre-init / fresh npm install).
+//
+// Honesty contract — mirrors trust_scope.py's section labels:
+//   [ENFORCED] = gated right now, regardless of init state
+//   [DECLARED] = policy exists but gate materialises only after `0dai init`
+//   [DEFAULT]  = structural invariant described in docs, not a config file
+//
+// Why we are categorical rather than listing specific globs here:
+//   policy_enforcer.py (edit-time gate source) is NOT shipped in the npm bundle
+//   (package.json "files" includes only bin/, lib/, and scripts/ where scripts/
+//   carries only postinstall.js and build-tui.js — not policy_enforcer.py).
+//   Fabricating globs that might diverge from the enforced list would violate the
+//   honesty contract.  Run `0dai trust` after `0dai init` for the exact enforced list.
+//
+// Egress facts are derived from shared.js code (checkVersion fires unconditionally)
+// so they are the strongest honest cold signal we can disclose.
+
+function _buildColdPayload(target) {
+  return {
+    trust_scope_available: false,
+    scope: "default-pre-init",
+    note:
+      "trust_scope.py not found — this repo has not run `0dai init` yet. " +
+      "Showing DEFAULT scope: what 0dai does BEFORE repo-specific config exists. " +
+      "This is NOT the enforced scope. Run `0dai init` then `0dai trust` again.",
+    docs: "https://0dai.dev/docs",
+    target,
+    generated_at: new Date().toISOString().replace(/\.\d+Z$/, "Z"),
+
+    // ── A. Protected paths ────────────────────────────────────────────────
+    // Edit-time patterns come from policy_enforcer.py (not in npm bundle);
+    // merge-time patterns from ai/policy/path-protect.yaml (absent pre-init).
+    // Neither can be listed verbatim.  Describe the categories honestly.
+    //
+    // NOTE: ai/policy/** and ai/contracts/** are MERGE-TIME protected (by
+    // path-protect.yaml / 0dai-merge), NOT edit-time (not in policy_enforcer.py
+    // PROTECTED_WRITE_PATTERNS).  Do not conflate the two gates.
+    protected_paths: {
+      edit_time: {
+        status: "DEFAULT",
+        note:
+          "Edit-time gate is enforced by scripts/policy_enforcer.py via the 0dai MCP server. " +
+          "That file is not bundled in the npm package, so exact globs cannot be disclosed " +
+          "without a repo checkout.  The categories below are indicative examples from the " +
+          "published source; run `0dai trust` after `0dai init` for the authoritative list.",
+        categories_indicative: [
+          "credential / secret files (.env, .env.*, secrets/**, infra/secrets/**)",
+          "AI runtime state (ai/meta/**, ai/work/**, ai/sessions/**, ai/feedback/**)",
+          "AI memory file (ai/memory/memory.jsonl)",
+          "Applied lock (ai/manifest/applied-lock.json)",
+          "Terraform state (terraform.tfstate*)",
+          "Legacy memory bank (memory-bank/**)",
+        ],
+      },
+      merge_time: {
+        status: "DECLARED",
+        note:
+          "Merge-time gate reads ai/policy/path-protect.yaml (enforced by scripts/0dai-merge). " +
+          "Covers governance files including ai/policy/**, ai/contracts/**, and repo-specific " +
+          "protected paths declared by the maintainer. " +
+          "This file is generated by `0dai init`. Not present in a pre-init repo.",
+      },
+    },
+
+    // ── B. Agent authority matrix ─────────────────────────────────────────
+    // The per-action grant table (AUTO / PICKER / FORBIDDEN per action-id x CLI)
+    // materialises from ai/contracts/agent-authority.yaml after `0dai init`.
+    // That file is NOT in the npm bundle and cannot be verified at cold runtime,
+    // so we describe the structure categorically — not a fabricated action table.
+    authority: {
+      status: "DEFAULT",
+      note:
+        "Per-action grant table (AUTO / PICKER / FORBIDDEN) materialises from " +
+        "ai/contracts/agent-authority.yaml after `0dai init`. " +
+        "Dispatch-gate enforcement (ODAI_AUTONOMY_MATRIX_GATE=1) is opt-in, not default-on. " +
+        "Before init, no repo-specific grants are enforced.",
+      structural_description: {
+        "AUTO":    "agent may proceed unattended (e.g. issue create, read, CI runs)",
+        "PICKER":  "human must confirm before action executes (e.g. admin merges, deploys, protected writes)",
+        "FORBIDDEN": "action is never permitted without an explicit override (e.g. force-push to main, editing constitution)",
+      },
+      note_on_defaults:
+        "After `0dai init`, high-risk actions (admin merge, deploy, editing governance files) " +
+        "default to PICKER or FORBIDDEN.  Low-risk read and CI actions default to AUTO. " +
+        "Run `0dai trust` post-init to see the exact per-agent x per-action table.",
+    },
+
+    // ── C. Egress / telemetry ─────────────────────────────────────────────
+    // Derived from shared.js (checkVersion, apiCall).  These apply
+    // unconditionally on every CLI run, regardless of init state.
+    egress: {
+      status: "DEFAULT",
+      note:
+        "Derived from cli source (shared.js checkVersion + apiCall). " +
+        "Unconditional items fire on every CLI run, pre-init included.",
+      unconditional: [
+        {
+          endpoint: "GET /v1/version (api.0dai.dev)",
+          trigger:
+            "Every CLI run, throttled to at most once per " +
+            "ODAI_UPDATE_CHECK_INTERVAL (default 3600 s). Checks for CLI updates.",
+          headers_sent: [
+            "X-Device-ID — sha256 of stable local machine identifiers (no PII)",
+            "X-CLI-Version — installed CLI version string",
+          ],
+          request_body: null,
+        },
+      ],
+      on_explicit_command_only: [
+        {
+          endpoint: "POST /v1/graph/push",
+          trigger: "0dai graph push",
+          data: "graph-eligible artifact classes (no credentials, no file contents)",
+        },
+        {
+          endpoint: "POST /v1/report",
+          trigger: "0dai report push",
+          data: "cloud-sync-allowed artifact classes",
+        },
+        {
+          endpoint: "POST /v1/feedback",
+          trigger: "0dai feedback push",
+          data: "user_feedback_payload",
+        },
+        {
+          endpoint: "POST /v1/licenses/activate",
+          trigger: "0dai activate",
+          data: "device_fingerprint + license_code",
+        },
+      ],
+    },
+  };
+}
+
+/**
+ * Return the static default-scope output for a cold (pre-init) repo.
+ *
+ * Exported for direct unit-testing — avoids fighting findRepoScript's
+ * __dirname-anchored candidate resolution in subprocess tests.
+ *
+ * @param {string} target - Repo path shown in output (informational; not read from disk).
+ * @param {boolean} asJson - Emit JSON string instead of human-readable text.
+ * @returns {string}
+ */
+function renderColdScope(target, asJson) {
+  const payload = _buildColdPayload(target);
+
+  if (asJson) {
+    return JSON.stringify(payload, null, 2);
+  }
+
+  const HR  = "─".repeat(64);
+  const HR2 = "═".repeat(64);
+  const lines = [];
+
+  lines.push("");
+  lines.push(HR2);
+  lines.push("  0dai trust — pre-run blast-radius disclosure  [DEFAULT (pre-init) scope]");
+  lines.push(HR2);
+  lines.push(`  target:    ${payload.target}`);
+  lines.push(`  generated: ${payload.generated_at}`);
+  lines.push("");
+  lines.push("  NOTE  trust_scope.py not found — this repo has not run `0dai init` yet.");
+  lines.push("        This output shows DEFAULT scope: what 0dai does BEFORE any");
+  lines.push("        repo-specific config exists.  It is NOT the enforced scope.");
+  lines.push("        Run `0dai init`, then re-run `0dai trust` for the real scope.");
+  lines.push("");
+  lines.push("  Key: [ENFORCED] = gated now   [DECLARED] = post-init only");
+  lines.push("       [DEFAULT]  = structural invariant, not a config file");
+  lines.push("");
+
+  // ── A. Protected paths ────────────────────────────────────────────────────
+  lines.push("  A. Protected paths");
+  lines.push("  " + HR.slice(0, 60));
+
+  const et = payload.protected_paths.edit_time;
+  lines.push(`  [${et.status}] Edit-time gate`);
+  lines.push(`    ${et.note}`);
+  lines.push("    Indicative categories (run `0dai trust` post-init for the authoritative list):");
+  for (const cat of et.categories_indicative) {
+    lines.push(`      - ${cat}`);
+  }
+  lines.push("");
+
+  const mt = payload.protected_paths.merge_time;
+  lines.push(`  [${mt.status}] Merge-time gate`);
+  lines.push(`    ${mt.note}`);
+  lines.push("");
+
+  // ── B. Agent authority matrix ─────────────────────────────────────────────
+  lines.push("  B. Agent authority matrix");
+  lines.push("  " + HR.slice(0, 60));
+
+  const auth = payload.authority;
+  lines.push(`  [${auth.status}] ${auth.note}`);
+  lines.push("");
+  lines.push("    Decision levels:");
+  for (const [level, desc] of Object.entries(auth.structural_description)) {
+    lines.push(`      ${level.padEnd(12)} ${desc}`);
+  }
+  lines.push("");
+  lines.push(`    ${auth.note_on_defaults}`);
+  lines.push("");
+
+  // ── C. Data that leaves the repo ──────────────────────────────────────────
+  lines.push("  C. Data that leaves the repo");
+  lines.push("  " + HR.slice(0, 60));
+
+  const eg = payload.egress;
+  lines.push(`  [${eg.status}] ${eg.note}`);
+  lines.push("");
+  lines.push("    Unconditional (every CLI run, pre-init included):");
+  for (const ep of eg.unconditional) {
+    lines.push(`      * ${ep.endpoint}`);
+    lines.push(`          trigger: ${ep.trigger}`);
+    for (const h of ep.headers_sent) {
+      lines.push(`          header:  ${h}`);
+    }
+  }
+  lines.push("");
+  lines.push("    On explicit command only (not triggered by `0dai trust` itself):");
+  for (const ep of eg.on_explicit_command_only) {
+    lines.push(`      * ${ep.endpoint}`);
+    lines.push(`          trigger: ${ep.trigger}`);
+    lines.push(`          data:    ${ep.data}`);
+  }
+  lines.push("");
+
+  lines.push(HR);
+  lines.push("  Next steps to get the full enforced scope:");
+  lines.push("    1. Run `0dai init` to generate ai/ config.");
+  lines.push("    2. Run `0dai trust` again to see the repo-specific enforced scope.");
+  lines.push(`  Docs: ${payload.docs}`);
+  lines.push(HR);
+  lines.push("");
+
+  return lines.join("\n");
+}
+
+function cmdTrust(target, args) {
+  const scriptPath = findRepoScript(target, "trust_scope.py");
+
+  // COLD PATH — trust_scope.py not found (pre-init / cold npm install).
+  // Graceful degrade: print static DEFAULT scope summary and exit 0.
+  // Clearly labeled as "DEFAULT (pre-init) scope" — cannot be mistaken for
+  // the repo-specific enforced scope rendered by trust_scope.py (WARM path).
+  if (!scriptPath) {
+    const asJson = !!(args && args.includes("--json"));
+    console.log(renderColdScope(target, asJson));
+    process.exit(0);
+  }
+
+  // WARM PATH — delegate to trust_scope.py (behaviour unchanged).
+  const forwarded = [scriptPath, "--target", target];
+  if (args && args.includes("--json")) forwarded.push("--json");
+
+  const result = spawnSync("python3", forwarded, { stdio: "inherit" });
+  if (typeof result.status === "number") process.exit(result.status);
+  process.exit(1);
+}
+
+module.exports = { cmdTrust, renderColdScope };

package/lib/commands/vault.js

@@ -209,7 +209,9 @@ function cmdVaultDeferred(sub, args) {
 
 function cmdVault(_target, sub, args) {
   const command = sub && !sub.startsWith("-") ? sub : "";
-  const forwarded = command === sub ? args.slice(2) : args.slice(1);
+  // args is already args.slice(2) from bin/0dai.js (the tail after "vault <sub>"),
+  // so forwarded is the remaining flags/positionals unchanged.
+  const forwarded = command ? args : args.slice(1);
 
   if (!command || command === "help" || command === "-h" || command === "--help") {
     printUsage();

package/lib/shared.js

@@ -21,7 +21,7 @@ const { SUPPORTED_CLIS, MANIFEST_FILES, PROBE_DIRS, SETTINGS_PRESERVE_FIELDS } =
 const {
   deviceFingerprint, registerProject, projectIdFor,
   getGitRemoteOrigin, inferProjectName, detectStackHint,
-  collectMetadata, buildProjectIdentity,
+  collectMetadata, buildProjectIdentity, hashManifestFiles,
 } = require("./utils/identity");
 const { PLAN_LEVELS, _detectPlanLocal, requirePlan, getSwarmQuotaLocal } = require("./utils/plan");
 
@@ -403,7 +403,7 @@ module.exports = {
   // Identity
   deviceFingerprint, registerProject, projectIdFor,
   getGitRemoteOrigin, inferProjectName, detectStackHint,
-  collectMetadata, buildProjectIdentity,
+  collectMetadata, buildProjectIdentity, hashManifestFiles,
   // Plan / Tier
   _detectPlanLocal, requirePlan, getSwarmQuotaLocal,
   // Project

package/lib/utils/activation_telemetry.js

@@ -3,6 +3,94 @@
 const fs = require("fs");
 const path = require("path");
 
+// ---------------------------------------------------------------------------
+// Cohort detection
+// ---------------------------------------------------------------------------
+
+// Slug fragments that identify the 0dai self-build (dogfood) repo.
+// Any project whose scrubbed remote origin contains one of these strings is
+// classified as "dogfood". Everything else is "external".
+// Limitation (honest): until real external users exist, the "external" bucket
+// will be empty — local-only repos (no remote) also default to "dogfood"
+// because there is no reliable signal to distinguish them from the self-build.
+const DOGFOOD_ORIGIN_FRAGMENTS = ["iGeezmo/0dai", "0dai-dev/0dai", "0dai/0dai"];
+
+/**
+ * Classify the repo at `target` as "dogfood" or "external".
+ *
+ * Heuristic: if the git remote.origin.url (scrubbed of credentials) contains
+ * a known 0dai repo slug, the cohort is "dogfood". Otherwise "external".
+ * Falls back to "dogfood" when no remote is present (local-only repos).
+ *
+ * Honesty caveat: this is a name-match heuristic, not cryptographic identity.
+ * It will mis-classify a fork that still has the upstream remote as dogfood.
+ * It defaults to "dogfood" for local-only repos, so it NEVER over-counts
+ * external activations — it may under-count them.
+ *
+ * @param {string} target - absolute path to the repo root
+ * @returns {"dogfood"|"external"}
+ */
+function detectCohort(target) {
+  try {
+    const { execFileSync } = require("child_process");
+    const rawUrl = execFileSync(
+      "git", ["config", "--get", "remote.origin.url"],
+      { cwd: target, stdio: ["ignore", "pipe", "ignore"], encoding: "utf8", timeout: 3000 },
+    ).trim();
+    if (!rawUrl) return "dogfood";
+    // Scrub credentials (https://user:token@host → https://host)
+    const url = rawUrl.replace(/^(https?:\/\/)[^@/\s]+@/, "$1");
+    for (const frag of DOGFOOD_ORIGIN_FRAGMENTS) {
+      if (url.includes(frag)) return "dogfood";
+    }
+    return "external";
+  } catch {
+    // No git, no remote, or git error → safe fallback
+    return "dogfood";
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Merged-PR detection via git log
+// ---------------------------------------------------------------------------
+
+/**
+ * Detect the timestamp of the earliest merge commit in the repo's local history.
+ * Looks for commits that git identifies as merge commits (two+ parents), which
+ * covers both GitHub squash+merge and traditional merge strategies.
+ *
+ * Returns ISO timestamp of the earliest such commit, or null if none found.
+ *
+ * Limitation: reads only local history — will miss PRs merged on the remote
+ * before the repo was cloned if those commits were not fetched. That is
+ * acceptable: we record the first merge *experienced* in this checkout.
+ *
+ * @param {string} target - absolute path to the repo root
+ * @returns {string|null} ISO timestamp or null
+ */
+function detectFirstMergedPrTs(target) {
+  try {
+    const { execFileSync } = require("child_process");
+    // --merges selects only merge commits; --reverse gives oldest first; -1 takes the first
+    const out = execFileSync(
+      "git",
+      ["log", "--all", "--merges", "--format=%aI\t%s", "--reverse", "--max-count=1"],
+      { cwd: target, stdio: ["ignore", "pipe", "ignore"], encoding: "utf8", timeout: 5000 },
+    ).trim();
+    if (!out) return null;
+    const tab = out.indexOf("\t");
+    if (tab < 0) return null;
+    const ts = out.slice(0, tab).trim();
+    return ts || null;
+  } catch {
+    return null;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// Core helpers
+// ---------------------------------------------------------------------------
+
 function activationPath(target) {
   return path.join(target, "ai", "meta", "telemetry", "activation.jsonl");
 }
@@ -54,13 +142,26 @@ function parseTs(ts) {
   return Number.isFinite(ms) ? ms : null;
 }
 
-// Idempotently append `{event:"init", ts, project_id}` on successful init.
-function recordActivationInit(target, projectId) {
+// ---------------------------------------------------------------------------
+// Recorders
+// ---------------------------------------------------------------------------
+
+// Idempotently append init telemetry on successful init.
+function recordActivationInit(target, projectId, metadata = {}) {
   try {
     if (!projectId) return { fired: false };
     const events = readEvents(target);
     if (hasEvent(events, "init", projectId)) return { fired: false };
-    const entry = { event: "init", ts: nowIso(), project_id: projectId };
+    const cohort = detectCohort(target);
+    const stack = metadata.stack_detected || metadata.stack || "unknown";
+    const entry = {
+      event: "init",
+      ts: nowIso(),
+      project_id: projectId,
+      repo_fingerprint_hash: projectId,
+      stack_detected: stack,
+      cohort,
+    };
     return { fired: appendEvent(target, entry) };
   } catch {
     return { fired: false };
@@ -68,7 +169,7 @@ function recordActivationInit(target, projectId) {
 }
 
 // Idempotently append first_task with duration_ms = first_task.ts - init.ts.
-function recordActivationFirstTask(target, projectId) {
+function recordActivationFirstTask(target, projectId, metadata = {}) {
   try {
     if (!projectId) return { fired: false, durationMs: null };
     const events = readEvents(target);
@@ -87,11 +188,75 @@ function recordActivationFirstTask(target, projectId) {
       }
     }
 
+    const cohort = detectCohort(target);
     const entry = {
       event: "first_task",
       ts,
       project_id: projectId,
       duration_ms: durationMs,
+      cohort,
+      outcome: metadata.outcome || "task_queued",
+    };
+    if (Number.isFinite(metadata.task_count)) entry.task_count = metadata.task_count;
+    const fired = appendEvent(target, entry);
+    return { fired, durationMs };
+  } catch {
+    return { fired: false, durationMs: null };
+  }
+}
+
+/**
+ * Idempotently append a `first_merged_pr` activation event.
+ *
+ * This event marks the end-to-end activation funnel: init → first_task →
+ * first_merged_pr. It is what M6 "activation p50 <5min (measured)" needs to
+ * be verifiable end-to-end.
+ *
+ * Detection: inspects `git log --merges` for the earliest merge commit in
+ * the local history. If none exists yet, does nothing (caller should invoke
+ * again after a merge occurs, e.g. from `0dai status` or `0dai ci`).
+ *
+ * Fields emitted:
+ *   - event: "first_merged_pr"
+ *   - ts: ISO timestamp of the first merge commit (reflects when the PR was
+ *     actually merged, not wall-clock detection time)
+ *   - project_id: hashed repo identity (no raw origin stored — privacy-safe)
+ *   - cohort: "dogfood" | "external"
+ *   - duration_ms: ms between init event and the merge timestamp (null if no
+ *     init event found in the local activation.jsonl)
+ *
+ * @param {string} target - absolute path to the repo root
+ * @param {string} projectId - opaque project identifier
+ * @returns {{ fired: boolean, durationMs: number|null }}
+ */
+function recordActivationFirstMergedPR(target, projectId) {
+  try {
+    if (!projectId) return { fired: false, durationMs: null };
+    const events = readEvents(target);
+    if (hasEvent(events, "first_merged_pr", projectId)) {
+      return { fired: false, durationMs: null };
+    }
+
+    const mergeTs = detectFirstMergedPrTs(target);
+    if (!mergeTs) return { fired: false, durationMs: null };
+
+    const initTs = findInitTs(events, projectId);
+    let durationMs = null;
+    if (initTs) {
+      const initMs = parseTs(initTs);
+      const mergeMs = parseTs(mergeTs);
+      if (initMs != null && mergeMs != null) {
+        durationMs = Math.max(0, mergeMs - initMs);
+      }
+    }
+
+    const cohort = detectCohort(target);
+    const entry = {
+      event: "first_merged_pr",
+      ts: mergeTs,
+      project_id: projectId,
+      cohort,
+      duration_ms: durationMs,
     };
     const fired = appendEvent(target, entry);
     return { fired, durationMs };
@@ -100,6 +265,10 @@ function recordActivationFirstTask(target, projectId) {
   }
 }
 
+// ---------------------------------------------------------------------------
+// Stats
+// ---------------------------------------------------------------------------
+
 function percentile(sorted, p) {
   if (!sorted.length) return null;
   if (sorted.length === 1) return sorted[0];
@@ -127,6 +296,41 @@ function getActivationDurationStats(target) {
   };
 }
 
+/**
+ * Stats over `first_merged_pr` events — parallel to getActivationDurationStats.
+ * Used by `0dai status` to surface end-to-end activation timing.
+ *
+ * @param {string} target
+ * @returns {{ count: number, p50_ms: number|null, p90_ms: number|null,
+ *             cohorts: { dogfood: number, external: number } }}
+ */
+function getActivationMergedPrStats(target) {
+  const events = readEvents(target);
+  const mergedPrEvents = events.filter((e) => e.event === "first_merged_pr");
+
+  const durations = mergedPrEvents
+    .filter((e) => typeof e.duration_ms === "number" && Number.isFinite(e.duration_ms))
+    .map((e) => e.duration_ms)
+    .sort((a, b) => a - b);
+
+  const cohorts = { dogfood: 0, external: 0 };
+  for (const e of mergedPrEvents) {
+    if (e.cohort === "external") cohorts.external++;
+    else cohorts.dogfood++;
+  }
+
+  return {
+    count: durations.length,
+    p50_ms: percentile(durations, 0.5),
+    p90_ms: percentile(durations, 0.9),
+    cohorts,
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Display helpers
+// ---------------------------------------------------------------------------
+
 function formatDurationMs(ms) {
   if (ms == null) return "?";
   if (ms < 1000) return `${ms}ms`;
@@ -136,21 +340,39 @@ function formatDurationMs(ms) {
 
 function printActivationStats(target) {
   const stats = getActivationDurationStats(target);
-  if (stats.count === 0) return stats;
-  console.log(
-    `  activation TTFV: p50 ${formatDurationMs(stats.p50_ms)}`
-    + ` / p90 ${formatDurationMs(stats.p90_ms)}`
-    + ` (${stats.count} sample${stats.count === 1 ? "" : "s"})`,
-  );
-  return stats;
+  if (stats.count > 0) {
+    console.log(
+      `  activation TTFV: p50 ${formatDurationMs(stats.p50_ms)}`
+      + ` / p90 ${formatDurationMs(stats.p90_ms)}`
+      + ` (${stats.count} sample${stats.count === 1 ? "" : "s"})`,
+    );
+  }
+
+  const mrStats = getActivationMergedPrStats(target);
+  if (mrStats.count > 0) {
+    const cohortNote = mrStats.cohorts.external > 0
+      ? ` [dogfood: ${mrStats.cohorts.dogfood}, external: ${mrStats.cohorts.external}]`
+      : ` [dogfood only — no external activations yet]`;
+    console.log(
+      `  activation first-PR: p50 ${formatDurationMs(mrStats.p50_ms)}`
+      + ` / p90 ${formatDurationMs(mrStats.p90_ms)}`
+      + ` (${mrStats.count} sample${mrStats.count === 1 ? "" : "s"})${cohortNote}`,
+    );
+  }
+
+  return { ttfv: stats, firstPr: mrStats };
 }
 
 module.exports = {
   activationPath,
   readEvents,
+  detectCohort,
+  detectFirstMergedPrTs,
   recordActivationInit,
   recordActivationFirstTask,
+  recordActivationFirstMergedPR,
   getActivationDurationStats,
+  getActivationMergedPrStats,
   printActivationStats,
   formatDurationMs,
 };