@0dai-dev/cli 4.3.7 → 4.3.8

package/bin/0dai.js

@@ -210,7 +210,7 @@ function printHelp() {
   console.log("");
   console.log("Start (first 5 minutes):");
   console.log("  init           Create ai/ layer + MCP [--local] [--dry-run] [--minimal]");
-  console.log("  doctor         Check health, credentials, and drift [--drift]");
+  console.log("  doctor         Check health, credentials, and drift [--drift] [--security]");
   console.log("  status         Show maturity, swarm, and session state [--json]");
   console.log("  quickstart     Run auth, init, doctor, and status checks in order");
   console.log("  detect         Show detected stack");
@@ -341,6 +341,7 @@ function printInitHelp(commandName = "init") {
   console.log("  --local        Generate the ai/ layer offline without signing in");
   console.log("  --minimal      Generate the smallest starter layer");
   console.log("  --dry-run      Preview init changes without writing them");
+  console.log("                 (pair with --local to preview configs with no account or network)");
   console.log("  --no-wizard    Skip the interactive first-run wizard");
   console.log("  --auth-code    Exchange a browser/device auth code before init");
   console.log("  --code         Redeem an activation/license code before init");
@@ -503,13 +504,15 @@ async function main() {
     case "detect": await cmdDetect(target); break;
     case "doctor": {
       const driftMode = args.includes("--drift");
+      const securityMode = args.includes("--security");
       // Go fast-path covers only the base read-only doctor (no --drift, no
-      // network). Anything else falls through to the full Node implementation.
+      // --security, no network). Anything else falls through to the full Node
+      // implementation so the flag is not silently swallowed.
       const layerFreshness = collectLayerVersionFreshness(target);
-      if (!driftMode && layerFreshness.status !== "stale") {
+      if (!driftMode && !securityMode && layerFreshness.status !== "stale") {
         tryGoHotPath("doctor", target, args.slice(1));
       }
-      cmdDoctor(target, { drift: driftMode, json: args.includes("--json") });
+      cmdDoctor(target, { drift: driftMode, security: securityMode, json: args.includes("--json") });
       break;
     }
     case "drift": {

package/lib/commands/doctor.js

@@ -481,6 +481,197 @@ function printDriftReport(target, options = {}) {
   return payload;
 }
 
+// --- security mode (0dai doctor --security) -------------------------------
+//
+// Static, code-derived disclosure of the data boundary so a reviewer can see,
+// without reading source, what leaves the box and which routes need operator
+// authZ. Three sections:
+//   1. egress   — network endpoints the CLI may call (reused verbatim from
+//                 trust.js _buildColdPayload so there is ONE egress list).
+//   2. local sinks — files the CLI writes locally (NOT egress) + the host-side
+//                 secret vault dir, live-detected and labeled.
+//   3. authZ    — deny-by-default operator-gate summary, enforced server-side
+//                 (web/src/lib/auth.ts requireOperator); described, not probed.
+//
+// This mode performs NO network calls and reads NO secret values — it only
+// reports paths and presence. Run `0dai trust` for the live enforced scope.
+
+// authZ summary mirrors web/src/lib/auth.ts. Tiers are described, not probed —
+// the CLI cannot reach into the deployment's route guards at runtime.
+const AUTHZ_SUMMARY = Object.freeze({
+  enforced_by: "web/src/lib/auth.ts (Next.js API routes)",
+  default: "deny",
+  note:
+    "Operator-state routes require authN + authZ. With ODAI_OPERATOR_EMAILS unset, "
+    + "every authenticated user is denied (403) — default-deny, not default-allow.",
+  tiers: Object.freeze([
+    {
+      level: "operator",
+      guard: "requireOperator",
+      rule: "authN + email in ODAI_OPERATOR_EMAILS allowlist; unset allowlist = deny all",
+      routes: "swarm/*, cli/[action], team",
+    },
+    {
+      level: "authenticated",
+      guard: "requireAuth",
+      rule: "any valid token (401 if absent/invalid)",
+      routes: "plugins",
+    },
+    {
+      level: "auth-forward",
+      guard: "forward",
+      rule: "web layer forwards any Authorization header to the Python API; downstream authZ enforced there (verify)",
+      routes: "admin/* (adminForwardAuth), events",
+    },
+    {
+      level: "open",
+      guard: "none",
+      rule: "intentionally unauthenticated public endpoints",
+      routes: "contact, public/*",
+    },
+  ]),
+});
+
+function _secretVaultProbe(home = process.env.HOME || process.env.USERPROFILE || "") {
+  // Host-side secret vault written by scripts/telegram_secrets.py and
+  // scripts/secrets_decrypt.sh — NOT by this CLI. We only report presence.
+  const dir = home ? path.join(home, ".config", "secrets") : "";
+  const present = Boolean(dir && fs.existsSync(dir));
+  return {
+    name: "~/.config/secrets",
+    path: dir,
+    present,
+    written_by_cli: false,
+    note: present
+      ? "present on this host; populated by server-side secret sync, not the CLI"
+      : "absent on this host; populated by server-side secret sync when configured (verify)",
+  };
+}
+
+function _mcpEgressEntry(target, env = process.env) {
+  // MCP cloud transport host — DEFAULT_MCP_HOST from lib/utils/mcp-auth.js,
+  // overridable via MCP_HOST / ODAI_MCP_HOST. The local 0dai + filesystem MCP
+  // servers run as on-box subprocesses (no egress); only the cloud server
+  // ("claude_ai_0dai") talks to the network. We also surface the configured
+  // server names from .mcp.json if present (no values, just names).
+  const host = env.MCP_HOST || env.ODAI_MCP_HOST || "https://mcp.0dai.dev";
+  let configured = [];
+  try {
+    configured = _readMcpConfigSummary(target).servers || [];
+  } catch { configured = []; }
+  return {
+    endpoint: `${host}/mcp`,
+    trigger: "MCP cloud server (claude_ai_0dai) when an agent CLI connects to it",
+    data: "MCP tool calls over an authenticated session; local 0dai + filesystem servers are on-box subprocesses (no egress)",
+    configured_servers: configured,
+  };
+}
+
+function collectSecurityPayload(target, options = {}) {
+  const home = options.home || process.env.HOME || process.env.USERPROFILE || "";
+  const env = options.env || process.env;
+  let egress;
+  try {
+    egress = require("./trust")._buildColdPayload(target).egress;
+  } catch {
+    egress = { status: "unavailable", note: "trust.js egress facts not loadable" };
+  }
+  // Augment the trust.js subset with the two surfaces the issue names that are
+  // not in that subset: the MCP cloud transport and the activation telemetry
+  // POST. Both are derived from real CLI code (mcp-auth.js, auth.js).
+  egress = JSON.parse(JSON.stringify(egress));
+  egress.note =
+    "Egress surfaces relevant to this disclosure (MCP, telemetry, on-command "
+    + "pushes). Not an exhaustive list of every /v1/* endpoint the CLI can reach.";
+  egress.mcp = _mcpEgressEntry(target, env);
+  if (Array.isArray(egress.on_explicit_command_only)) {
+    egress.on_explicit_command_only.push({
+      endpoint: "POST /v1/events (api.0dai.dev)",
+      trigger: "0dai activate free (best-effort, on successful activation)",
+      data: "activation event {event, timestamp, path, source}; no file contents, no secrets",
+    });
+  }
+  return {
+    target,
+    generated_at: new Date().toISOString().replace(/\.\d+Z$/, "Z"),
+    note:
+      "Static, code-derived data boundary. This mode makes NO network calls and "
+      + "reads NO secret values. Run `0dai trust` for the live enforced scope.",
+    egress,
+    local_sinks: [
+      {
+        name: "ai/meta/telemetry/activation.jsonl",
+        kind: "local file write",
+        note: "activation funnel timing written to disk; a summary event is POSTed to /v1/events only on `0dai activate free` (see egress)",
+      },
+      {
+        name: "ai/meta/telemetry/*.jsonl",
+        kind: "local file write",
+        note: "MCP tool usage, operator-ack, and other local telemetry; written to disk, not auto-POSTed",
+      },
+    ],
+    secret_vault: _secretVaultProbe(home),
+    authz: AUTHZ_SUMMARY,
+    docs: "docs/data-boundary.md",
+  };
+}
+
+function printSecurityReport(target, options = {}) {
+  const payload = collectSecurityPayload(target, options);
+  const W = process.stdout.isTTY ? "\x1b[33m" : "";
+  const G = process.stdout.isTTY ? "\x1b[32m" : "";
+  const R2 = process.stdout.isTTY ? "\x1b[0m" : "";
+
+  console.log("\n  0dai doctor --security — data boundary");
+  console.log(`  ${D}${payload.note}${R2}`);
+
+  console.log("\n  egress (network):");
+  const eg = payload.egress || {};
+  if (Array.isArray(eg.unconditional)) {
+    console.log("    unconditional (every CLI run):");
+    for (const ep of eg.unconditional) {
+      console.log(`      * ${ep.endpoint}`);
+      console.log(`          ${D}trigger: ${ep.trigger}${R2}`);
+    }
+  }
+  if (eg.mcp) {
+    console.log("    MCP:");
+    console.log(`      * ${eg.mcp.endpoint}`);
+    console.log(`          ${D}trigger: ${eg.mcp.trigger}${R2}`);
+    if (Array.isArray(eg.mcp.configured_servers) && eg.mcp.configured_servers.length) {
+      console.log(`          ${D}configured servers: ${eg.mcp.configured_servers.join(", ")}${R2}`);
+    }
+  }
+  if (Array.isArray(eg.on_explicit_command_only)) {
+    console.log("    on explicit command only:");
+    for (const ep of eg.on_explicit_command_only) {
+      console.log(`      * ${ep.endpoint} ${D}(${ep.trigger})${R2}`);
+      console.log(`          ${D}data: ${ep.data}${R2}`);
+    }
+  }
+  if (!eg.unconditional && !eg.on_explicit_command_only) {
+    console.log(`    ${D}${eg.note || "egress facts unavailable"}${R2}`);
+  }
+
+  console.log("\n  local sinks (no egress):");
+  for (const sink of payload.local_sinks) {
+    console.log(`    * ${sink.name} ${D}(${sink.note})${R2}`);
+  }
+  const vault = payload.secret_vault;
+  const vaultMark = vault.present ? `${G}present${R2}` : `${D}absent${R2}`;
+  console.log(`    ${vaultMark} ${vault.name} ${D}(${vault.note})${R2}`);
+
+  console.log("\n  authZ (enforced server-side, deny-by-default):");
+  console.log(`    ${W}default: ${payload.authz.default}${R2} ${D}— ${payload.authz.note}${R2}`);
+  for (const tier of payload.authz.tiers) {
+    console.log(`    * ${tier.level.padEnd(13)} ${tier.guard} ${D}→ ${tier.routes}${R2}`);
+    console.log(`          ${D}${tier.rule}${R2}`);
+  }
+
+  console.log(`\n  ${D}Full doc: ${payload.docs}    Live enforced scope: 0dai trust${R2}`);
+  return payload;
+}
+
 function collectDoctorPayload(target, options = {}) {
   const payload = {
     binary: "node",
@@ -499,6 +690,14 @@ function collectDoctorPayload(target, options = {}) {
 function cmdDoctor(target, options = {}) {
   const ai = path.join(target, "ai");
   if (!fs.existsSync(ai)) { log("No 0dai config found. Run: 0dai init"); return; }
+  if (options.security) {
+    if (options.json) {
+      const payload = collectSecurityPayload(target, options.securityOptions || {});
+      console.log(JSON.stringify(payload, null, 2));
+      return payload;
+    }
+    return printSecurityReport(target, options.securityOptions || {});
+  }
   if (options.json) {
     const payload = collectDoctorPayload(target, {
       drift: options.drift,
@@ -794,4 +993,6 @@ module.exports = {
   collectGitHubIdentityPayload,
   collectMcpExposurePayload,
   formatMcpExposureLine,
+  collectSecurityPayload,
+  printSecurityReport,
 };

package/lib/commands/init.js

@@ -7,10 +7,11 @@ const {
   VERSION, SUPPORTED_CLIS,
   CONFIG_DIR, PROJECTS_FILE,
   apiCall, makeEnsureAuthenticated, ensureLicenseActivation, loadAuthState,
-  collectMetadata, buildProjectIdentity, registerProject, projectIdFor, hashManifestFiles,
+  collectMetadata, inferProjectName, detectStackHint,
+  buildProjectIdentity, registerProject, projectIdFor, hashManifestFiles,
   loadProjectBinding, boundProjectIdentityFromBinding, validateProjectDisplayName,
   writeProjectBinding,
-  writeFiles, missingLiveManifestDefaults, ensureLiveManifestDefaults,
+  writeFiles, missingLiveManifestDefaults, ensureLiveManifestDefaults, LIVE_MANIFEST_DEFAULTS,
   sendProjectHeartbeat, recordExperienceEvent,
   logFirstRunSuccess, checkVersion,
 } = shared;
@@ -403,12 +404,98 @@ async function cmdProjectBind(target, args = []) {
   return payload;
 }
 
+// buildLocalDryRunPreview — pure, offline preview for `0dai init --local --dry-run`.
+// Detects the stack and renders the configs the local (offline) init path
+// produces, entirely IN MEMORY. Makes ZERO auth/license/server/network calls:
+// it only reads the target dir via collectMetadata + the local detection helpers
+// (inferProjectName / detectStackHint), all of which run on-disk with no egress.
+// Returns { projectName, stack, clis, files, agentTargets } where:
+//   files        — { relPath: content } the offline path would write
+//   agentTargets — [{ cli, files: [...] }] the per-CLI config paths a full
+//                  (authenticated) `0dai init` would manage for each detected CLI
+function buildLocalDryRunPreview(target) {
+  const metadata = collectMetadata(target);
+  const { projectFiles, manifestContents, clis } = metadata;
+  const projectName = inferProjectName(target, manifestContents);
+  const stack = detectStackHint(projectFiles, manifestContents);
+
+  // Mirror the offline generator (lib/wizard.js stepGenerate) so the preview
+  // matches what `0dai init --local` writes without auth — no fabricated bodies.
+  const claudeMd = `# ${projectName}\n\nStack: ${stack}\nGenerated by 0dai (local mode).\n\n## Commands\n\nSee ai/manifest/ for full configuration.\n`;
+  const agentsMd = `# Agent Configuration\n\nProject: ${projectName}\nStack: ${stack}\n\nSee ai/manifest/ for configuration details.\n`;
+  const discovery = {
+    project_name: projectName,
+    stack,
+    detected_stack: [stack],
+    selected_agents: clis.length ? clis : SUPPORTED_CLIS.map((c) => c.name),
+    local: true,
+  };
+  const files = {
+    "CLAUDE.md": claudeMd,
+    "AGENTS.md": agentsMd,
+    "ai/manifest/discovery.json": JSON.stringify(discovery, null, 2) + "\n",
+    "ai/manifest/project.yaml": `plan: free\nname: ${projectName}\nstack: ${stack}\n`,
+    // Live manifest scaffolds the offline path writes via ensureLiveManifestDefaults
+    // (lib/wizard.js stepGenerate). Use the canonical bodies, not fabricated ones.
+    ...LIVE_MANIFEST_DEFAULTS,
+    "ai/VERSION": `${VERSION}\n`,
+  };
+
+  // Per-CLI native config paths the full managed init would generate. We list
+  // paths (factual, from SUPPORTED_CLIS) rather than inventing offline bodies.
+  const agentTargets = SUPPORTED_CLIS
+    .filter((c) => Array.isArray(c.agentFiles) && c.agentFiles.length)
+    .map((c) => ({ cli: c.name, files: c.agentFiles }));
+
+  return { projectName, stack, clis, files, agentTargets };
+}
+
+// cmdInitLocalDryRun — offline `0dai init --local --dry-run`. Prints the
+// preview to stdout and returns. Writes nothing to disk and makes no network
+// calls. This is the only path that bypasses the auth/license preflight, and
+// only when BOTH --local AND --dry-run are set (see cmdInit).
+function cmdInitLocalDryRun(target) {
+  const { projectName, stack, clis, files, agentTargets } = buildLocalDryRunPreview(target);
+  log(`local dry-run: no account or network needed`);
+  console.log(`  project: ${projectName}`);
+  console.log(`  stack: ${stack}`);
+  console.log(`  agent CLIs detected: ${clis.length ? clis.join(", ") : "none"}`);
+  console.log("");
+  const names = Object.keys(files);
+  log(`local dry-run: would write ${names.length} file(s) (nothing written):`);
+  for (const name of names) {
+    console.log(`  ${D}+ ${name}${R}`);
+  }
+  console.log("");
+  log(`local dry-run: per-CLI native configs a full 0dai init would manage:`);
+  for (const target_ of agentTargets) {
+    console.log(`  ${D}${target_.cli}: ${target_.files.join(", ")}${R}`);
+  }
+  console.log("");
+  for (const name of names) {
+    console.log(`${T}--- ${name} ---${R}`);
+    console.log(files[name].replace(/\n$/, ""));
+    console.log("");
+  }
+  console.log(`  ${D}Sign in to write these for real: 0dai init --local${R}`);
+  return { projectName, stack, clis, files, agentTargets };
+}
+
 async function cmdInit(target, args = []) {
   const dryRun = args.includes("--dry-run");
   const minimal = args.includes("--minimal");
   const noWizard = args.includes("--no-wizard");
   const localMode = args.includes("--local");
 
+  // Offline preview: `0dai init --local --dry-run` renders configs in memory,
+  // prints them, and returns. Bypasses the auth/license/server preflight ONLY
+  // when BOTH flags are present (issue #4475). Plain --dry-run (server plan)
+  // and plain --local (wizard, writes) are unchanged.
+  if (localMode && dryRun) {
+    cmdInitLocalDryRun(target);
+    return;
+  }
+
   if (fs.existsSync(path.join(target, "ai", "VERSION"))) {
     const v = fs.readFileSync(path.join(target, "ai", "VERSION"), "utf8").trim();
     log(`ai/ layer already exists (v${v}). Run '0dai sync' to update.`);
@@ -1066,6 +1153,8 @@ module.exports = {
   cmdInit,
   cmdSync,
   cmdProjectBind,
+  buildLocalDryRunPreview,
+  cmdInitLocalDryRun,
   buildLocalSyncPreview,
   runMcpBootstrap,
   bindProjectForCloud,

package/lib/commands/play.js

@@ -30,7 +30,7 @@ function findRepoScript(target, name) {
 
 function runLocal(target, args) {
   const script = findRepoScript(target, "play_book.py");
-  if (!script) return { ok: false, error: "play_book.py not found locally" };
+  if (!script) return { ok: false, repoRequired: true, error: "play_book.py not found locally" };
   const res = spawnSync("python3", [script, "--root", target, ...args], {
     encoding: "utf8",
     stdio: ["ignore", "pipe", "pipe"],
@@ -116,7 +116,7 @@ function cmdFork(target, slug, args) {
   const author = argAfter(args, "--author");
   if (!newSlug || !author) { log("fork requires --as <new-slug> --author <handle>"); return; }
   const res = runLocal(target, ["fork", slug, "--as", newSlug, "--author", author]);
-  if (!res.ok) { log(`fork failed: ${res.error}`); process.exit(1); }
+  if (!handleLocal(res, "fork")) return;
   console.log(typeof res.data === "string" ? res.data : JSON.stringify(res.data, null, 2));
 }
 
@@ -127,7 +127,7 @@ function cmdRun(target, slug, args) {
     if (args[i] === "--var" && args[i + 1]) { fwdArgs.push("--var", args[i + 1]); i++; }
   }
   const res = runLocal(target, fwdArgs);
-  if (!res.ok) { log(`run failed: ${res.error}`); process.exit(1); }
+  if (!handleLocal(res, "run")) return;
   console.log(typeof res.data === "string" ? res.data : JSON.stringify(res.data, null, 2));
 }
 
@@ -136,7 +136,7 @@ function cmdRank(target, args) {
   const outcomes = argAfter(args, "--outcomes");
   if (outcomes) fwdArgs.push("--outcomes", outcomes);
   const res = runLocal(target, fwdArgs);
-  if (!res.ok) { log(`rank failed: ${res.error}`); process.exit(1); }
+  if (!handleLocal(res, "rank")) return;
   console.log(typeof res.data === "string" ? res.data : JSON.stringify(res.data, null, 2));
 }
 
@@ -145,6 +145,22 @@ function argAfter(args, flag) {
   return i >= 0 && i + 1 < args.length ? args[i + 1] : null;
 }
 
+// fork/run/rank drive the bundled play_book.py, which only ships inside a 0dai
+// project checkout (it needs ai/plays/ on disk + PyYAML). A bare `npm install -g`
+// has neither, so findRepoScript returns null. That is an expected environment
+// limitation, not a crash — say so honestly and exit 0 instead of a misleading
+// "X failed: play_book.py not found locally" + exit 1.
+function handleLocal(res, verb) {
+  if (res.repoRequired) {
+    log(`'play ${verb}' runs locally against ai/plays/ and needs a 0dai project checkout (it is not bundled in the npm package).`);
+    log(`Run it from a cloned project — e.g. 'git clone https://github.com/iGeezmo/0dai && cd 0dai && 0dai play ${verb} …'.`);
+    log(`The server-backed 'play list / get / search' work anywhere.`);
+    return false;
+  }
+  if (!res.ok) { log(`${verb} failed: ${res.error}`); process.exit(1); }
+  return true;
+}
+
 async function cmdPlay(target, sub, args) {
   const remaining = args.slice(2);
   if (!sub || sub === "help") {

package/lib/commands/status.js

@@ -26,6 +26,107 @@ function loadProjectBinding(target) {
   return shared.loadProjectBinding(target);
 }
 
+// Open sprint:current issues are the authoritative work queue (SPRINT.md
+// retired as SoT). Probe gh; degrade quietly when gh is absent or the token
+// is not authenticated — never throw out of status.
+function collectSprintPayload(target, options = {}) {
+  const out = { available: false, authenticated: false, issues: [], reason: "" };
+  try {
+    const r = spawnSync(
+      "gh",
+      [
+        "issue", "list",
+        "--label", "sprint:current",
+        "--state", "open",
+        "--json", "number,title",
+        "--limit", "20",
+      ],
+      {
+        cwd: target,
+        stdio: ["ignore", "pipe", "pipe"],
+        encoding: "utf8",
+        timeout: options.ghTimeout || 8000,
+      },
+    );
+    if (r.error && r.error.code === "ENOENT") {
+      out.reason = "gh CLI not installed";
+      return out;
+    }
+    out.available = true;
+    if (r.status !== 0) {
+      const err = String(r.stderr || "").trim();
+      out.reason = /auth|logged in|token/i.test(err)
+        ? "gh not authenticated — run: gh auth login"
+        : (err.split("\n").slice(-1)[0] || "gh issue list failed");
+      return out;
+    }
+    out.authenticated = true;
+    const parsed = JSON.parse(String(r.stdout || "[]").trim() || "[]");
+    out.issues = Array.isArray(parsed)
+      ? parsed.map((i) => ({ number: i.number, title: i.title || "" }))
+      : [];
+  } catch (e) {
+    out.reason = String((e && e.message) || e).split("\n").slice(-1)[0] || "sprint probe failed";
+  }
+  return out;
+}
+
+// Active flight = newest flight plan under ai/meta/reports/flight-F*.md, ranked
+// by flight number (F17 > F6) then by the trailing date in the filename.
+function findActiveFlight(target) {
+  const dir = path.join(target, "ai", "meta", "reports");
+  let names;
+  try {
+    names = fs.readdirSync(dir).filter((f) => /^flight-F\d+.*\.md$/.test(f));
+  } catch {
+    return null;
+  }
+  if (!names.length) return null;
+  const parse = (name) => {
+    const m = name.match(/^flight-F(\d+)/);
+    const dateM = name.match(/(\d{4}-\d{2}-\d{2})/);
+    return { name, num: m ? Number(m[1]) : -1, date: dateM ? dateM[1] : "" };
+  };
+  const newest = names
+    .map(parse)
+    .sort((a, b) => (b.num - a.num) || b.date.localeCompare(a.date))[0];
+  const file = path.join(dir, newest.name);
+  let id = `F${newest.num}`, title = "", flightStatus = "";
+  try {
+    const text = fs.readFileSync(file, "utf8");
+    const fm = text.match(/^---\n([\s\S]*?)\n---/);
+    const block = fm ? fm[1] : text;
+    const idM = block.match(/^id:\s*(.+)$/m);
+    const titleM = block.match(/^title:\s*(.+)$/m);
+    const statusM = block.match(/^status:\s*(.+)$/m);
+    if (idM) id = idM[1].trim().replace(/^["']|["']$/g, "");
+    if (titleM) title = titleM[1].trim().replace(/^["']|["']$/g, "");
+    if (statusM) flightStatus = statusM[1].trim().replace(/^["']|["']$/g, "");
+  } catch {}
+  return { id, title, status: flightStatus, file: path.relative(target, file) };
+}
+
+// Drift signal: roadmap.json is generated from ROADMAP.md. If the source is
+// newer than the generated artifact, the JSON is stale and should be regenerated.
+function collectRoadmapDrift(target) {
+  const out = { detected: false, reason: "" };
+  const jsonPath = path.join(target, "ai", "meta", "manifest", "roadmap.json");
+  const mdPath = path.join(target, "ROADMAP.md");
+  let jsonMtime, mdMtime;
+  try { jsonMtime = fs.statSync(jsonPath).mtimeMs; } catch { return out; }
+  try { mdMtime = fs.statSync(mdPath).mtimeMs; } catch { return out; }
+  // Prefer an explicit updated_at/generated_at in the JSON over file mtime when present.
+  const j = loadJson(jsonPath);
+  const stamp = j && (j.updated_at || j.generated_at);
+  const jsonTime = stamp ? Date.parse(stamp) : NaN;
+  const jsonEffective = Number.isFinite(jsonTime) ? jsonTime : jsonMtime;
+  if (mdMtime > jsonEffective) {
+    out.detected = true;
+    out.reason = "ROADMAP.md is newer than roadmap.json — run: python3 scripts/roadmap_to_json.py";
+  }
+  return out;
+}
+
 function collectStatusPayload(target, options = {}) {
   const ai = path.join(target, "ai");
   const baseIdentity = shared.buildProjectIdentity(target, shared.collectMetadata(target));
@@ -139,6 +240,9 @@ function collectStatusPayload(target, options = {}) {
     drift: {
       detected: driftDetected,
     },
+    sprint: collectSprintPayload(target, options),
+    flight: findActiveFlight(target),
+    roadmap_drift: collectRoadmapDrift(target),
     mcp_exposure: collectMcpExposurePayload(target, options.mcpExposureOptions || {}),
     warnings: warningCount,
     activation_ttfv: getActivationDurationStats(target),
@@ -159,6 +263,33 @@ function cmdStatus(target, options = {}) {
     console.log(`  swarm: ${payload.swarm.queued} queued, ${payload.swarm.active} active, ${payload.swarm.done} done`);
   }
 
+  const sprint = payload.sprint || {};
+  if (sprint.authenticated) {
+    if (sprint.issues.length) {
+      console.log(`  sprint:current — ${sprint.issues.length} open:`);
+      for (const i of sprint.issues.slice(0, 8)) {
+        console.log(`    #${i.number} ${i.title}`);
+      }
+      if (sprint.issues.length > 8) {
+        console.log(`    …and ${sprint.issues.length - 8} more`);
+      }
+    } else {
+      console.log(`  sprint:current — none open`);
+    }
+  } else if (sprint.reason) {
+    console.log(`  sprint:current — ${D}unavailable (${sprint.reason})${R}`);
+  }
+
+  if (payload.flight) {
+    const ftitle = payload.flight.title ? ` ${payload.flight.title}` : "";
+    const fstatus = payload.flight.status ? ` [${payload.flight.status}]` : "";
+    console.log(`  flight: ${payload.flight.id}${ftitle}${fstatus}`);
+  }
+
+  if (payload.roadmap_drift && payload.roadmap_drift.detected) {
+    console.log(`  roadmap: ${D}${payload.roadmap_drift.reason}${R}`);
+  }
+
   if (payload.swarm.quota_state === "locked") {
     console.log(`  swarm quota: ${D}locked (Free) — upgrade for ${payload.swarm.daily_limit} tasks/day${R}`);
   } else {
@@ -198,4 +329,10 @@ function cmdStatus(target, options = {}) {
   return payload;
 }
 
-module.exports = { cmdStatus, collectStatusPayload };
+module.exports = {
+  cmdStatus,
+  collectStatusPayload,
+  collectSprintPayload,
+  findActiveFlight,
+  collectRoadmapDrift,
+};

package/lib/commands/trust.js

@@ -283,4 +283,4 @@ function cmdTrust(target, args) {
   process.exit(1);
 }
 
-module.exports = { cmdTrust, renderColdScope };
+module.exports = { cmdTrust, renderColdScope, _buildColdPayload };

package/lib/python/heatmap.py

@@ -26,7 +26,10 @@ from collections import defaultdict
 from dataclasses import dataclass, field
 from typing import Any, Iterable
 
-from PIL import Image, ImageColor, ImageDraw, ImageFont
+try:  # Pillow is needed ONLY for `--png`; the text + `--json` paths never touch it.
+    from PIL import Image, ImageColor, ImageDraw, ImageFont
+except ModuleNotFoundError:  # npm-installed users may lack Pillow — degrade, don't crash at import.
+    Image = ImageColor = ImageDraw = ImageFont = None  # type: ignore[assignment]
 
 
 SUPPORTED_MODES = ("edits", "failures", "authorship")
@@ -781,6 +784,12 @@ def _draw_wrapped_text(draw: ImageDraw.ImageDraw, text: str, box: tuple[float, f
 
 
 def render_png(payload: dict[str, Any], output_path: pathlib.Path | str) -> pathlib.Path:
+    if Image is None:  # Pillow absent (e.g. a fresh `npm install -g` without `pip install pillow`).
+        raise SystemExit(
+            "0dai heatmap --png needs Pillow, which is not installed.\n"
+            "Install it (pip install pillow) for PNG export; the default text and --json "
+            "summaries work without it."
+        )
     width = int(payload.get("width") or DEFAULT_WIDTH)
     height = int(payload.get("height") or DEFAULT_HEIGHT)
     out = pathlib.Path(output_path).expanduser().resolve()

package/lib/shared.js

@@ -492,6 +492,7 @@ module.exports = {
   sendProjectHeartbeat, recordExperienceEvent, logFirstRunSuccess,
   // Files
   mergeSettingsJson, writeFiles, missingLiveManifestDefaults, ensureLiveManifestDefaults,
+  LIVE_MANIFEST_DEFAULTS,
   findRepoScript, repoScriptCandidates, resolveBundledScript, resolvePythonScript,
   // Version
   checkVersion,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@0dai-dev/cli",
-  "version": "4.3.7",
+  "version": "4.3.8",
   "description": "One config layer for seven AI coding agents \u2014 Claude Code, Codex, OpenCode, Gemini, Aider, Qoder, Cursor",
   "bin": {
     "0dai": "./bin/0dai.js"