@aligndottech/cli 0.1.3 → 0.2.0

package/dist/commands/setup.js

@@ -2,14 +2,22 @@ import { resolveEnv } from '../lib/resolve-env.js';
 import * as p from '@clack/prompts';
 import chalk from 'chalk';
 import open from 'open';
+import { execa } from 'execa';
 import { createConfigStore } from '../lib/config.js';
 import { createGatewayClient } from '../lib/gateway-client.js';
-import { runPersonalImport } from '../lib/personal-import.js';
+import { runPersonalImport, runWithConcurrency } from '../lib/personal-import.js';
 import { detectEditors, writeMcpConfig } from '../lib/mcp-setup.js';
+import { setupAgentAlignment } from '../lib/agent-rules.js';
 import { isGitRepo } from '../lib/git.js';
+import { initLocalMode } from '../lib/local-mode.js';
+import { loginInteractive } from '../lib/login-flow.js';
 import { resolveAppUrl } from '../lib/env-resolver.js';
 import { CLI_CALLBACK_PORTS, waitForCallback } from '../lib/cli-oauth.js';
 import { AuthExpiredError } from '../lib/errors.js';
+const TIER_ORDER = { personal: 0, site: 1, workspace: 2 };
+// How many connectors import concurrently after auth. Each import is itself
+// batch-parallel (runPersonalImport), so this bounds total gateway load.
+const IMPORT_CONCURRENCY = 4;
 function buildSources(gitAvailable) {
     const sources = [];
     if (gitAvailable) {
@@ -19,7 +27,7 @@ function buildSources(gitAvailable) {
             description: 'Commit history from this repo - no token needed',
             fetch: async () => {
                 const { fetchGitItems } = await import('../lib/fetchers/git.js');
-                return fetchGitItems({ limit: 100 });
+                return fetchGitItems({ limit: 500 });
             },
         });
     }
@@ -27,7 +35,12 @@ function buildSources(gitAvailable) {
         id: 'github',
         label: 'GitHub',
         description: 'Your PRs and issues',
-        oauthKey: 'github',
+        tier: 'personal',
+        oauthKey: 'github-personal',
+        // Token-paste metadata is used only by local mode (cloud uses oauthKey/OAuth).
+        tokenLabel: 'Personal access token',
+        tokenHint: 'Use a fine-grained token, read-only: Contents, Issues, Pull requests = Read',
+        tokenUrl: 'https://github.com/settings/personal-access-tokens/new',
         fetch: async (t) => {
             const { fetchGitHubItems } = await import('../lib/fetchers/github.js');
             return fetchGitHubItems({ token: t['token'], limit: 100 });
@@ -36,7 +49,17 @@ function buildSources(gitAvailable) {
         id: 'jira',
         label: 'Jira',
         description: 'Your issues',
-        oauthKey: 'jira',
+        tier: 'site',
+        // Personal/CLI tier is read-only (no write:jira-work). The team/org
+        // comment bot keeps write via the `jira` key. See ALI-94.
+        oauthKey: 'jira-personal',
+        // Local-mode token paste (read-only Atlassian API token + email + site).
+        tokenLabel: 'API token',
+        tokenUrl: 'https://id.atlassian.com/manage-profile/security/api-tokens',
+        extraFields: [
+            { key: 'email', label: 'Atlassian account email' },
+            { key: 'domain', label: 'Atlassian domain (yourorg.atlassian.net)' },
+        ],
         fetch: async (t) => {
             const { fetchJiraItems } = await import('../lib/fetchers/jira.js');
             return fetchJiraItems({ token: t['token'], cloudId: t['cloudId'], email: t['email'], domain: t['domain'], limit: 100 });
@@ -45,7 +68,16 @@ function buildSources(gitAvailable) {
         id: 'confluence',
         label: 'Confluence',
         description: 'Your pages and documentation',
-        oauthKey: 'confluence',
+        tier: 'site',
+        // Read-only personal/CLI tier. See ALI-94.
+        oauthKey: 'confluence-personal',
+        // Local-mode token paste (read-only Atlassian API token + email + site).
+        tokenLabel: 'API token',
+        tokenUrl: 'https://id.atlassian.com/manage-profile/security/api-tokens',
+        extraFields: [
+            { key: 'email', label: 'Atlassian account email' },
+            { key: 'domain', label: 'Atlassian domain (yourorg.atlassian.net)' },
+        ],
         fetch: async (t) => {
             const { fetchConfluenceItems } = await import('../lib/fetchers/confluence.js');
             return fetchConfluenceItems({ token: t['token'], cloudId: t['cloudId'], email: t['email'], domain: t['domain'], limit: 50 });
@@ -53,8 +85,15 @@ function buildSources(gitAvailable) {
     }, {
         id: 'slack',
         label: 'Slack',
-        description: 'Decision threads from your channels [experimental]',
-        oauthKey: 'slack',
+        description: 'Decision threads from your channels - may need workspace admin [experimental]',
+        tier: 'workspace',
+        // Read-only personal/CLI tier (no chat:write). The team/org bot keeps
+        // chat:write via the `slack` key. See ALI-94.
+        oauthKey: 'slack-personal',
+        // Local-mode token paste: a Slack user token (xoxp-) with read scopes only.
+        tokenLabel: 'User token (xoxp-...)',
+        tokenHint: 'User token with read scopes only: channels:read, channels:history, groups:read, groups:history',
+        tokenUrl: 'https://api.slack.com/apps',
         fetch: async (t) => {
             const { fetchSlackItems } = await import('../lib/fetchers/slack.js');
             return fetchSlackItems({ token: t['token'], limit: 50, daysBack: 90 });
@@ -62,7 +101,8 @@ function buildSources(gitAvailable) {
     }, {
         id: 'teams',
         label: 'Microsoft Teams',
-        description: 'Channel messages and decisions from your teams',
+        description: 'Channel messages and decisions - may need org/workspace admin consent',
+        tier: 'workspace',
         oauthKey: 'teams',
         fetch: async (t) => {
             const { fetchTeamsItems } = await import('../lib/fetchers/teams.js');
@@ -72,6 +112,7 @@ function buildSources(gitAvailable) {
         id: 'zoom',
         label: 'Zoom',
         description: 'Cloud recording transcripts from your meetings',
+        tier: 'personal',
         oauthKey: 'zoom',
         fetch: async (t) => {
             const { fetchZoomItems } = await import('../lib/fetchers/zoom.js');
@@ -81,8 +122,20 @@ function buildSources(gitAvailable) {
         id: 'gitlab',
         label: 'GitLab',
         description: 'Your merge requests',
+        tier: 'personal',
+        // gitlab.com → read-only browser OAuth (scope read_api, ALI-102). A
+        // self-managed host (custom domain) can't use the fixed gitlab.com OAuth
+        // app, so it falls back to the read-only PAT path below.
+        oauthKey: 'gitlab-personal',
+        hostGatedOAuth: { field: 'domain' },
         tokenLabel: 'Personal access token',
-        tokenHint: 'gitlab.com/-/user_settings/personal_access_tokens - tick "read_api"',
+        // Read-only tier: steer users to the read-only scope. `api` would grant
+        // write; `read_api` is read-only and all Align's import needs. See ALI-98.
+        tokenHint: 'Select ONLY "read_api" (not "api") so the token stays read-only',
+        tokenUrl: (t) => {
+            const base = t['domain'] ? `https://${t['domain']}` : 'https://gitlab.com';
+            return `${base}/-/user_settings/personal_access_tokens`;
+        },
         extraFields: [
             { key: 'domain', label: 'GitLab domain (leave blank for gitlab.com)' },
         ],
@@ -94,8 +147,13 @@ function buildSources(gitAvailable) {
         id: 'linear',
         label: 'Linear',
         description: 'Your issues and project discussions',
+        tier: 'personal',
+        // Read-only personal/CLI tier via browser OAuth (scope `read`), replacing the
+        // full-access API-key paste. Requires the Linear OAuth app + sealed creds. See ALI-101.
+        oauthKey: 'linear-personal',
+        // Local-mode token paste: a Linear personal API key (read-only graph).
         tokenLabel: 'Personal API key (lin_api_...)',
-        tokenHint: 'linear.app/settings/api - Personal API keys',
+        tokenUrl: 'https://linear.app/settings/api',
         fetch: async (t) => {
             const { fetchLinearItems } = await import('../lib/fetchers/linear.js');
             return fetchLinearItems({ token: t['token'], limit: 100 });
@@ -104,8 +162,18 @@ function buildSources(gitAvailable) {
         id: 'notion',
         label: 'Notion',
         description: 'Your pages and databases',
+        tier: 'personal',
+        // Read-only personal/CLI tier via browser OAuth (public integration),
+        // replacing the internal-integration-secret paste in cloud. Read-only is
+        // governed by the integration's capabilities (Read content), not scopes.
+        // Requires the Notion OAuth app + sealed creds. See ALI-104.
+        oauthKey: 'notion-personal',
+        // Local-mode token paste: a read-only internal integration secret.
         tokenLabel: 'Integration secret (secret_...)',
-        tokenHint: 'notion.so/my-integrations - New integration - show Internal Integration Secret',
+        // Read-only tier: Align only reads. Notion integration capabilities are set
+        // at creation - keep it to "Read content" (no insert/update). See ALI-98.
+        tokenHint: 'Create an integration with ONLY "Read content" capability (no insert/update), then copy its Internal Integration Secret',
+        tokenUrl: 'https://www.notion.so/my-integrations',
         fetch: async (t) => {
             const { fetchNotionItems } = await import('../lib/fetchers/notion.js');
             return fetchNotionItems({ token: t['token'], limit: 50 });
@@ -116,19 +184,27 @@ function buildSources(gitAvailable) {
 // ---------------------------------------------------------------------------
 // Token collection helper
 // ---------------------------------------------------------------------------
-async function collectTokens(source) {
-    const tokens = {};
+async function collectTokens(source, seed = {}) {
+    // `seed` pre-populates already-known fields (e.g. a self-managed host gathered
+    // up front) so tokenUrl() resolves against the right host.
+    const tokens = { ...seed };
     // Extra fields first (email, domain for Jira/Confluence)
     for (const field of source.extraFields ?? []) {
-        const val = await p.text({ message: `  ${field.label}:` });
+        // defaultValue '' so a blank submit renders empty, not the literal "undefined".
+        const val = await p.text({ message: `  ${field.label}:`, defaultValue: '' });
         if (p.isCancel(val))
             return null;
-        tokens[field.key] = val;
+        tokens[field.key] = (val ?? '');
     }
     // Main token
     if (source.tokenLabel) {
+        if (source.tokenUrl) {
+            const url = typeof source.tokenUrl === 'function' ? source.tokenUrl(tokens) : source.tokenUrl;
+            p.log.info(chalk.dim(`  Opening ${source.label} in browser...`));
+            await open(url).catch(() => { });
+        }
         if (source.tokenHint) {
-            p.log.info(chalk.dim(`  Get your token: ${source.tokenHint}`));
+            p.log.info(chalk.dim(`  ${source.tokenHint}`));
         }
         const token = await p.password({ message: `  ${source.tokenLabel}:` });
         if (p.isCancel(token))
@@ -140,23 +216,57 @@ async function collectTokens(source) {
 // ---------------------------------------------------------------------------
 // OAuth browser flow helper for connectors
 // ---------------------------------------------------------------------------
-async function collectTokensViaOAuth(source, client, config, envName, reset = false) {
+// Jira and Confluence share a single Atlassian OAuth consent, so one browser
+// sign-in connects both. Present the flow as "Atlassian (Jira & Confluence)" so a
+// user connecting "Jira" isn't surprised that Confluence is connected too.
+const ATLASSIAN_OAUTH_KEYS = new Set(['jira-personal', 'confluence-personal']);
+function isAtlassianOAuth(source) {
+    return !!source.oauthKey && ATLASSIAN_OAUTH_KEYS.has(source.oauthKey);
+}
+function oauthFlowLabel(source) {
+    return isAtlassianOAuth(source) ? 'Atlassian (Jira & Confluence)' : source.label;
+}
+function connectorDisplayName(connectorKey) {
+    if (connectorKey.startsWith('confluence'))
+        return 'Confluence';
+    if (connectorKey.startsWith('jira'))
+        return 'Jira';
+    return connectorKey;
+}
+async function collectTokensViaOAuth(source, client, config, envName, reset = false, connectedThisRun) {
     const key = source.oauthKey;
-    if (!reset) {
+    const readCachedTokens = () => {
         const cached = config.getConnectorToken(envName, key);
+        if (!cached)
+            return null;
+        const cachedCloudId = config.getConnectorCloudId(envName, key);
+        const cachedSiteBase = config.getConnectorSiteBase(envName, key);
+        return {
+            token: cached,
+            ...(cachedCloudId ? { cloudId: cachedCloudId } : {}),
+            ...(cachedSiteBase ? { siteBase: cachedSiteBase } : {}),
+        };
+    };
+    // Connected earlier in THIS run (the Atlassian sibling: Jira and Confluence
+    // share one OAuth app + token, so one consent connects both). Reuse it even
+    // under --reset, which is meant to ignore STALE tokens from prior runs, not
+    // ones just obtained moments ago this run.
+    if (connectedThisRun?.has(key)) {
+        const reused = readCachedTokens();
+        if (reused) {
+            p.log.info(chalk.dim(`  ${source.label}: already connected via a shared sign-in this run`));
+            return reused;
+        }
+    }
+    if (!reset) {
+        const cached = readCachedTokens();
         if (cached) {
             p.log.info(chalk.dim(`  ${source.label}: using cached OAuth token (run align setup --reset to re-auth)`));
-            const cachedCloudId = config.getConnectorCloudId(envName, key);
-            const cachedSiteBase = config.getConnectorSiteBase(envName, key);
-            return {
-                token: cached,
-                ...(cachedCloudId ? { cloudId: cachedCloudId } : {}),
-                ...(cachedSiteBase ? { siteBase: cachedSiteBase } : {}),
-            };
+            return cached;
         }
     }
     const spinner = p.spinner();
-    spinner.start(`Opening browser for ${source.label} OAuth...`);
+    spinner.start(`Opening browser for ${oauthFlowLabel(source)} OAuth...`);
     let authUrl = '';
     const callbackPromise = waitForCallback({
         ports: CLI_CALLBACK_PORTS,
@@ -166,7 +276,7 @@ async function collectTokensViaOAuth(source, client, config, envName, reset = fa
                 const result = await client.startCliOAuth(key, port, nonce);
                 authUrl = result.authUrl;
                 await open(authUrl).catch(() => { });
-                spinner.stop(`Browser opened for ${source.label}. If nothing happened, visit:\n  ${chalk.bold(authUrl)}`);
+                spinner.stop(`Browser opened for ${oauthFlowLabel(source)}. If nothing happened, visit:\n  ${chalk.bold(authUrl)}`);
                 p.log.info('Waiting for you to approve in the browser (2 min timeout)...');
             }
             catch (e) {
@@ -188,25 +298,150 @@ async function collectTokensViaOAuth(source, client, config, envName, reset = fa
         p.log.warn(`${source.label} OAuth did not return an access token.`);
         return null;
     }
-    config.setConnectorToken(envName, key, accessToken);
-    // Persist Atlassian cloudId and human site base so future runs (and align import) can use OAuth
+    // accessToken being truthy guarantees credentials is defined
+    persistConnectorCreds(config, envName, key, credentials);
+    connectedThisRun?.add(key);
+    // Atlassian: Jira and Confluence share one OAuth app, so a single consent
+    // returns the sibling's credentials too. Persist them AND mark the sibling
+    // connected this run so its own iteration reuses the token and skips a second
+    // browser flow (even under --reset).
+    const siblingConnector = result.data['siblingConnector'];
+    const siblingCreds = result.data['siblingCredentials'];
+    if (siblingConnector && siblingCreds?.['access_token']) {
+        persistConnectorCreds(config, envName, siblingConnector, siblingCreds);
+        connectedThisRun?.add(siblingConnector);
+        p.log.info(chalk.dim(`  Also connected ${connectorDisplayName(siblingConnector)} (shared Atlassian app - no second sign-in needed)`));
+    }
     const cloudId = credentials?.['site_id'];
+    const siteBase = credentials?.['base'];
+    return { token: accessToken, ...(cloudId ? { cloudId } : {}), ...(siteBase ? { siteBase } : {}) };
+}
+// Persist a connector's OAuth token plus Atlassian cloudId/site base so future
+// runs (and `align import`) can reuse the credentials without re-auth.
+function persistConnectorCreds(config, envName, key, credentials) {
+    const accessToken = credentials['access_token'];
+    if (!accessToken)
+        return;
+    config.setConnectorToken(envName, key, accessToken);
+    const cloudId = credentials['site_id'];
     if (cloudId)
         config.setConnectorCloudId(envName, key, cloudId);
-    const siteBase = credentials?.['base'];
+    const siteBase = credentials['base'];
     if (siteBase)
         config.setConnectorSiteBase(envName, key, siteBase);
-    return { token: accessToken, ...(cloudId ? { cloudId } : {}), ...(siteBase ? { siteBase } : {}) };
+}
+// ---------------------------------------------------------------------------
+// Deterministic auto-alignment (ALI-121)
+// ---------------------------------------------------------------------------
+// Write the project-local, committed agent-rules files (Claude Code PostToolUse hook +
+// CLAUDE.md nudge + Cursor rule) so alignment context fires regardless of model
+// discretion. Best-effort: a write failure (read-only dir, weird CWD) must never abort
+// onboarding, so we warn and continue.
+function writeAgentAlignment(envName) {
+    try {
+        const written = setupAgentAlignment({ cwd: process.cwd(), env: envName });
+        p.log.success(`Auto-alignment configured: ${written.join(', ')}`);
+        p.log.info(chalk.dim('  A PostToolUse hook will check edits against your decision graph. Claude Code asks ' +
+            'once to approve project hooks - accept it to enable automatic alignment.'));
+    }
+    catch (err) {
+        p.log.warn(`Could not write auto-alignment files: ${err.message}`);
+    }
 }
 // ---------------------------------------------------------------------------
 // Command registration
 // ---------------------------------------------------------------------------
+// Local-embedded onboarding (opt-in via --local): no account, no cloud, no OAuth.
+// Initializes the local graph, wires editor MCP configs to --env local, and
+// seeds the graph from git history - all on the user's machine. This is the
+// privacy/offline escape hatch; the default solo experience is a personal
+// cloud tenant (see the cloud path below).
+async function runLocalSetup() {
+    const { dbPath } = await initLocalMode({ quiet: false });
+    p.log.success('Local graph ready - no account needed, your data stays on this machine.');
+    // Deterministic auto-alignment files target the local graph (advisory check runs --env local).
+    writeAgentAlignment('local');
+    const config = createConfigStore();
+    const localEnv = config.getEnvironment('local');
+    const localClient = createGatewayClient(localEnv);
+    if (await isGitRepo()) {
+        console.log('');
+        p.log.info(chalk.dim('First import downloads a small local embedding model (~90MB), one time.'));
+        const gitSpinner = p.spinner();
+        gitSpinner.start('Scanning git history...');
+        try {
+            const gitSource = buildSources(true).find(s => s.id === 'git');
+            const items = await gitSource.fetch({});
+            if (items.length) {
+                gitSpinner.stop(`Found ${items.length} commits worth importing`);
+                await runPersonalImport(items, localClient, {
+                    label: 'Git',
+                    approve: true,
+                    appUrl: resolveAppUrl(localEnv),
+                    local: true,
+                });
+            }
+            else {
+                gitSpinner.stop('No decisions found in git history');
+            }
+        }
+        catch {
+            gitSpinner.stop('Git import skipped');
+        }
+    }
+    // Connectors: OAuth can't run offline (needs the hosted callback), so local mode
+    // connects via manual read-only token paste. Only sources with a tokenLabel are
+    // pasteable (Teams/Zoom have no personal token → excluded). See ALI-103.
+    const localConnectors = buildSources(false)
+        .filter((s) => s.id !== 'git' && s.tokenLabel)
+        .sort((a, b) => TIER_ORDER[a.tier ?? 'personal'] - TIER_ORDER[b.tier ?? 'personal']);
+    console.log('');
+    const selected = await p.multiselect({
+        message: 'Connect more sources with a read-only token? (skip to finish)',
+        options: localConnectors.map((s) => ({ value: s.id, label: s.label, hint: s.description })),
+        required: false,
+    });
+    if (!p.isCancel(selected)) {
+        for (const id of selected) {
+            const source = localConnectors.find((s) => s.id === id);
+            if (!source)
+                continue;
+            console.log('');
+            p.log.step(chalk.bold(source.label));
+            const tokens = await collectTokens(source);
+            if (!tokens)
+                continue;
+            const spinner = p.spinner();
+            spinner.start(`Fetching from ${source.label}...`);
+            try {
+                const items = await source.fetch(tokens);
+                spinner.stop(`Found ${items.length} items`);
+                if (items.length) {
+                    await runPersonalImport(items, localClient, {
+                        label: source.label,
+                        approve: true,
+                        appUrl: resolveAppUrl(localEnv),
+                        local: true,
+                    });
+                }
+            }
+            catch (e) {
+                spinner.stop(`Skipped ${source.label} - ${e.message}`);
+            }
+        }
+    }
+    p.outro(`${chalk.green('You are set up in local mode.')}\n` +
+        `  Graph: ${chalk.dim(dbPath)}\n` +
+        `  Ask your agent: ${chalk.bold('"What decisions exist in this codebase?"')}\n` +
+        `  ${chalk.dim('align local status')} shows stats; ${chalk.dim('align local reset')} wipes it.`);
+}
 export function registerSetupCommand(program) {
     program
         .command('setup')
         .description('Guided onboarding: connect your tools and configure MCP in one command')
         .option('--env <env>', 'Environment')
         .option('--approve', 'Skip confirmation prompts (for scripted use)')
+        .option('--local', 'Set up local-only mode (no account, no cloud)')
         .option('--reset', 'Clear cached OAuth tokens and re-authenticate all connectors')
         .action(async (opts) => {
         const config = createConfigStore();
@@ -214,205 +449,354 @@ export function registerSetupCommand(program) {
         const env = config.getEnvironment(envName);
         const client = createGatewayClient(env);
         p.intro(chalk.bgMagenta.white(' align setup '));
-        p.log.info('Building your decision graph from the tools your team already uses.');
-        p.log.info('Takes about 10 minutes. Ctrl+C to cancel at any step.');
-        console.log('');
-        // ---- Step 1: Auth check ----
-        const authSpinner = p.spinner();
-        authSpinner.start('Checking authentication...');
-        try {
-            const me = await client.whoami();
-            authSpinner.stop(`Logged in as ${me.user.email} (${me.tenant?.name ?? envName})`);
+        // ---- Step 0: Cloud (default) vs local (--local) ----
+        // Solo defaults to a personal CLOUD tenant: telemetry, the real cloud
+        // relationship classifier, backup, and a clean upgrade path to a team
+        // (reuses the personal->org join flow). --local is the opt-in offline
+        // escape hatch; --approve runs the cloud path non-interactively.
+        let mode;
+        if (opts.local) {
+            mode = 'local';
         }
-        catch {
-            authSpinner.stop('Not authenticated');
+        else if (opts.approve) {
+            mode = 'cloud';
+        }
+        else {
+            const choice = await p.select({
+                message: 'How are you using Align?',
+                options: [
+                    { value: 'cloud', label: 'Cloud (recommended) - your personal decision graph', hint: 'syncs, backed up, upgradeable to a team' },
+                    { value: 'local', label: 'Local only - private, offline, no account', hint: 'stays on this machine (--local)' },
+                ],
+                initialValue: 'cloud',
+            });
+            if (p.isCancel(choice)) {
+                p.cancel('Cancelled.');
+                process.exit(0);
+            }
+            mode = choice;
+        }
+        if (mode === 'local') {
+            await runLocalSetup();
+            return;
+        }
+        await runCloudSetup({ opts, config, env, client, envName });
+    });
+}
+// Cloud (personal-tenant) onboarding: verify login, wire MCP, seed from git,
+// then offer personal-scoped connectors. A personal-email login lands on an
+// isolated personal tenant server-side; connectors auto-bind to it.
+async function runCloudSetup(ctx) {
+    const { opts, config, env, envName } = ctx;
+    let client = ctx.client;
+    // ---- Step 1: Auth check (inline login when interactive + unauthenticated) ----
+    const authSpinner = p.spinner();
+    authSpinner.start('Checking authentication...');
+    try {
+        const me = await client.whoami();
+        authSpinner.stop(`Logged in as ${me.user.email} (${me.tenant?.name ?? envName})`);
+    }
+    catch {
+        authSpinner.stop('Not authenticated');
+        // Scripted runs (--approve) must not block on a browser; fail fast.
+        if (opts.approve) {
             p.log.warn(`Run ${chalk.bold('align login')} first, then re-run ${chalk.bold('align setup')}.`);
             process.exit(1);
         }
-        // Snapshot pre-import link count so we can report the delta after imports
-        let preImportLinkCount = 0;
+        const wantLogin = await p.confirm({ message: 'Log in to Align now? (your personal cloud graph)' });
+        if (!p.isCancel(wantLogin) && wantLogin) {
+            const ok = await loginInteractive(env, envName, config);
+            if (!ok) {
+                p.log.warn(`Login did not complete. Run ${chalk.bold('align login')} and re-run ${chalk.bold('align setup')}.`);
+                process.exit(1);
+            }
+            // Re-create the client so it carries the freshly stored token.
+            client = createGatewayClient(config.getEnvironment(envName));
+        }
+        else {
+            // Declined cloud login: offer the local escape hatch instead of failing.
+            const wantLocal = await p.confirm({ message: 'Set up local-only mode instead? (no account, stays on this machine)' });
+            if (!p.isCancel(wantLocal) && wantLocal) {
+                await runLocalSetup();
+                return;
+            }
+            p.log.warn(`Run ${chalk.bold('align login')} when ready, then ${chalk.bold('align setup')}.`);
+            process.exit(1);
+        }
+    }
+    // ---- Step 2: PATH check ----
+    try {
+        await execa('which', ['align']);
+    }
+    catch {
+        p.log.warn(`The ${chalk.bold('align')} command is not on your PATH. ` +
+            `Editor MCP configs won't work until you run: ${chalk.bold('npm install -g @aligndottech/cli')}`);
+    }
+    // ---- Step 3: MCP editor config (before import - this is the payoff) ----
+    console.log('');
+    const editors = detectEditors();
+    if (editors.length > 0) {
+        p.log.info(`Detected ${editors.length} editor${editors.length === 1 ? '' : 's'}: ${editors.map(e => e.name).join(', ')}`);
+        let selectedEditors = editors.map(e => e.name);
+        if (editors.length > 1) {
+            const sel = await p.multiselect({
+                message: 'Which editors to configure?',
+                options: editors.map(e => ({ value: e.name, label: e.name })),
+            });
+            if (!p.isCancel(sel))
+                selectedEditors = sel;
+        }
+        for (const name of selectedEditors) {
+            const target = editors.find(e => e.name === name);
+            try {
+                writeMcpConfig(target, envName === 'prod' ? undefined : envName);
+                p.log.success(`${name}: align MCP connected`);
+            }
+            catch (err) {
+                p.log.warn(`${name}: ${err.message}`);
+            }
+        }
+    }
+    else {
+        p.log.info(`No editors detected. Run ${chalk.bold('align mcp --setup')} after installing Claude Code or Cursor.`);
+    }
+    // ---- Step 3b: Deterministic auto-alignment files (hook + nudges) ----
+    writeAgentAlignment(envName);
+    // ---- Step 4: Git auto-import (zero-auth baseline graph seed) ----
+    let totalDecisions = 0;
+    const sourcesImported = [];
+    const gitAvailable = await isGitRepo();
+    if (gitAvailable) {
+        console.log('');
+        const gitSpinner = p.spinner();
+        gitSpinner.start('Scanning git history...');
         try {
-            const existing = await client.listDecisionLinks();
-            preImportLinkCount = existing.length;
+            const gitSource = buildSources(true).find(s => s.id === 'git');
+            const items = await gitSource.fetch({});
+            // Stop the scan spinner before runPersonalImport - it starts its own
+            // progress spinner, and two animated spinners on one line flicker.
+            if (items.length) {
+                gitSpinner.stop(`Found ${items.length} commits worth importing`);
+                const ingested = await runPersonalImport(items, client, {
+                    label: 'Git',
+                    approve: true,
+                    appUrl: resolveAppUrl(env),
+                });
+                totalDecisions += ingested;
+                if (ingested > 0)
+                    sourcesImported.push('Git');
+            }
+            else {
+                gitSpinner.stop('No decisions found in git history');
+            }
         }
         catch {
-            // Non-fatal - delta will just be the post-import total
+            gitSpinner.stop('Git import skipped');
         }
-        // ---- Step 2: Source selection ----
+    }
+    // ---- Step 5: First-query prompt ----
+    if (editors.length > 0) {
         console.log('');
-        const gitAvailable = await isGitRepo();
-        const allSources = buildSources(gitAvailable);
-        const sourceOptions = allSources.map(s => ({
-            value: s.id,
-            label: s.label,
-            hint: s.description,
-        }));
-        const selectedIds = await p.multiselect({
-            message: 'Which sources do you want to import? (space to select, enter to confirm)',
-            options: sourceOptions,
-            required: true,
-            initialValues: gitAvailable ? ['git'] : [],
-        });
-        if (p.isCancel(selectedIds)) {
-            p.cancel('Cancelled.');
-            process.exit(0);
-        }
-        const selectedSources = allSources.filter(s => selectedIds.includes(s.id));
-        // ---- Step 3: Token collection + import per source ----
-        let totalDecisions = 0;
-        const sourcesImported = [];
-        for (const source of selectedSources) {
-            console.log('');
-            p.log.step(chalk.bold(source.label));
-            // Collect tokens - OAuth browser flow for supported connectors, manual paste otherwise
-            let tokens = {};
-            if (source.oauthKey) {
-                const collected = await collectTokensViaOAuth(source, client, config, envName, opts.reset ?? false);
-                if (!collected) {
-                    p.log.warn(`Skipping ${source.label} - no token obtained.`);
-                    continue;
-                }
-                tokens = collected;
+        p.log.info(chalk.dim('Your agent is connected. Try asking:'));
+        p.log.info(chalk.bold('  "What decisions exist in this codebase?"'));
+    }
+    // ---- Step 6: Optional connectors ----
+    // Order by OAuth scope tier so frictionless personal-account connectors come
+    // first, then Atlassian (site-scoped), then workspace-admin (Slack/Teams).
+    console.log('');
+    const connectorSources = buildSources(false)
+        .filter(s => s.id !== 'git')
+        .sort((a, b) => TIER_ORDER[a.tier ?? 'personal'] - TIER_ORDER[b.tier ?? 'personal']);
+    const selectedIds = await p.multiselect({
+        message: 'Connect more sources for richer context? (skip to finish)',
+        options: connectorSources.map(s => ({ value: s.id, label: s.label, hint: s.description })),
+        required: false,
+    });
+    if (p.isCancel(selectedIds)) {
+        p.cancel('Cancelled.');
+        process.exit(0);
+    }
+    const selectedSources = connectorSources.filter(s => selectedIds.includes(s.id));
+    // ---- Step 7a: Collect all credentials up front (consents back-to-back) ----
+    // Interactive auth (browser OAuth, token paste) can only happen one at a
+    // time, so we gather every connector's creds first instead of interleaving
+    // a slow fetch+import between each sign-in.
+    const readyConnectors = [];
+    // OAuth keys connected during this run, so an Atlassian sibling (Jira <->
+    // Confluence, one shared app + token) reuses the token instead of opening a
+    // second browser - even under --reset.
+    const connectedThisRun = new Set();
+    for (const source of selectedSources) {
+        console.log('');
+        p.log.step(chalk.bold(source.label));
+        let tokens = {};
+        if (source.oauthKey && source.hostGatedOAuth) {
+            // Host-gated: blank host field → OAuth (SaaS default); a self-managed host
+            // → token-paste fallback (the fixed OAuth app can't serve arbitrary hosts).
+            const gate = source.hostGatedOAuth.field;
+            const gateLabel = source.extraFields?.find((f) => f.key === gate)?.label ?? gate;
+            const host = await p.text({ message: `  ${gateLabel}:`, placeholder: 'gitlab.com', defaultValue: '' });
+            if (p.isCancel(host)) {
+                p.cancel('Cancelled.');
+                process.exit(0);
             }
-            else if (source.tokenLabel || (source.extraFields?.length ?? 0) > 0) {
-                const collected = await collectTokens(source);
+            // p.text returns undefined on a blank submit (not ''), so coerce before trim.
+            const hostValue = (typeof host === 'string' ? host : '').trim();
+            if (hostValue) {
+                // self-managed → PAT. Seed the host so tokenUrl() targets it, and drop the
+                // gate field from extraFields so we don't re-ask it.
+                const patSource = { ...source, extraFields: source.extraFields?.filter((f) => f.key !== gate) };
+                const collected = await collectTokens(patSource, { [gate]: hostValue });
                 if (!collected) {
                     p.cancel('Cancelled.');
                     process.exit(0);
                 }
                 tokens = collected;
             }
-            // Fetch items (with one inline re-auth retry on auth expiry)
-            const fetchSpinner = p.spinner();
-            fetchSpinner.start(`Fetching from ${source.label}...`);
-            let items = [];
-            try {
-                items = await source.fetch(tokens);
-                fetchSpinner.stop(`Found ${items.length} items`);
-            }
-            catch (err) {
-                if (err instanceof AuthExpiredError && source.oauthKey) {
-                    fetchSpinner.stop(`${source.label} token expired.`);
-                    const reauth = await p.confirm({ message: `Reconnect ${source.label} now?` });
-                    if (!p.isCancel(reauth) && reauth) {
-                        const fresh = await collectTokensViaOAuth(source, client, config, envName, true);
-                        if (fresh) {
-                            try {
-                                fetchSpinner.start(`Retrying ${source.label}...`);
-                                items = await source.fetch(fresh);
-                                fetchSpinner.stop(`Found ${items.length} items`);
-                                tokens = fresh;
-                            }
-                            catch (retryErr) {
-                                fetchSpinner.stop(`Still failed: ${retryErr.message}`);
-                                continue;
-                            }
-                        }
-                        else {
-                            p.log.warn(`Skipping ${source.label} - re-auth cancelled or failed.`);
-                            continue;
-                        }
-                    }
-                    else {
-                        p.log.warn(`Skipping ${source.label}. Run ${chalk.bold('align setup')} to reconnect.`);
-                        continue;
-                    }
-                }
-                else {
-                    fetchSpinner.stop(`Skipped ${source.label} - ${err.message}`);
-                    p.log.warn(`You can run ${chalk.bold(`align import ${source.id}`)} later to retry.`);
+            else {
+                const collected = await collectTokensViaOAuth(source, client, config, envName, opts.reset ?? false, connectedThisRun);
+                if (!collected) {
+                    p.log.warn(`Skipping ${source.label} - no token obtained.`);
                     continue;
                 }
+                tokens = collected;
             }
-            if (!items.length) {
-                p.log.warn(`No items found in ${source.label}.`);
+        }
+        else if (source.oauthKey) {
+            const collected = await collectTokensViaOAuth(source, client, config, envName, opts.reset ?? false, connectedThisRun);
+            if (!collected) {
+                p.log.warn(`Skipping ${source.label} - no token obtained.`);
                 continue;
             }
-            // Import (always --approve inside setup to avoid double-confirmation)
-            const ingested = await runPersonalImport(items, client, {
-                label: source.label,
-                approve: true,
-                appUrl: resolveAppUrl(env),
-            });
-            totalDecisions += ingested;
-            if (ingested > 0)
-                sourcesImported.push(source.label);
+            tokens = collected;
         }
-        if (!totalDecisions) {
-            p.log.warn('No decisions imported. Run individual align import commands to try specific sources.');
-            p.outro('Setup complete (no data imported).');
-            return;
+        else if (source.tokenLabel || (source.extraFields?.length ?? 0) > 0) {
+            const collected = await collectTokens(source);
+            if (!collected) {
+                p.cancel('Cancelled.');
+                process.exit(0);
+            }
+            tokens = collected;
         }
-        // ---- Step 4: Relationship count (delta from pre-import baseline) ----
-        console.log('');
-        const linkSpinner = p.spinner();
-        linkSpinner.start('Mapping cross-tool relationships...');
-        await new Promise(r => setTimeout(r, 4000));
-        let linkCount = 0;
+        readyConnectors.push({ source, tokens });
+    }
+    const n = readyConnectors.length;
+    const fetchSpinner = p.spinner();
+    fetchSpinner.start(`Fetching from ${n} source${n === 1 ? '' : 's'}...`);
+    // Each task catches its own errors so one slow or failing connector never
+    // blocks the others. AuthExpiredError is flagged for interactive re-auth below.
+    const fetched = await Promise.all(readyConnectors.map(async ({ source, tokens }) => {
         try {
-            const links = await client.listDecisionLinks();
-            linkCount = Math.max(0, links.length - preImportLinkCount);
-            if (linkCount > 0) {
-                linkSpinner.stop(`${linkCount} new cross-tool link${linkCount === 1 ? '' : 's'} found`);
-            }
-            else {
-                linkSpinner.stop('Relationship mapping running in background - check align links list shortly');
+            return { source, items: await source.fetch(tokens) };
+        }
+        catch (err) {
+            if (err instanceof AuthExpiredError && source.oauthKey) {
+                return { source, authExpired: true };
             }
+            return { source, error: err };
         }
-        catch {
-            linkSpinner.stop('Check align links list for cross-tool relationships');
+    }));
+    fetchSpinner.stop(`Fetched ${n} source${n === 1 ? '' : 's'}`);
+    // Resolve any expired-token connectors interactively first (sequential, and
+    // rare - 7a just minted fresh tokens), collecting everything ready to import.
+    const ready = [];
+    for (const result of fetched) {
+        const source = result.source;
+        if ('items' in result) {
+            if (result.items.length)
+                ready.push({ source, items: result.items });
+            else
+                p.log.warn(`No items found in ${source.label}.`);
         }
-        // ---- Step 5: MCP setup ----
-        console.log('');
-        const editors = detectEditors();
-        if (editors.length > 0) {
-            p.log.info(`Detected ${editors.length} editor${editors.length === 1 ? '' : 's'}: ${editors.map(e => e.name).join(', ')}`);
-            const setupMcp = await p.confirm({ message: 'Configure MCP so Claude/Cursor can query your graph inline?' });
-            if (!p.isCancel(setupMcp) && setupMcp) {
-                let selected = editors.map(e => e.name);
-                if (editors.length > 1) {
-                    const sel = await p.multiselect({
-                        message: 'Which editors to configure?',
-                        options: editors.map(e => ({ value: e.name, label: e.name })),
-                    });
-                    if (!p.isCancel(sel))
-                        selected = sel;
-                }
-                for (const name of selected) {
-                    const target = editors.find(e => e.name === name);
-                    try {
-                        writeMcpConfig(target, envName === 'prod' ? undefined : envName);
-                        p.log.success(`${name}: align added to MCP servers`);
-                    }
-                    catch (err) {
-                        p.log.warn(`${name}: ${err.message}`);
-                    }
+        else if ('authExpired' in result) {
+            // Jira + Confluence share one Atlassian OAuth app, so a single consent
+            // reconnects both. If a sibling already reconnected this connector earlier
+            // in this loop, its token is fresh - reuse it silently rather than prompting
+            // and opening a second browser flow.
+            const alreadyReconnected = source.oauthKey ? connectedThisRun.has(source.oauthKey) : false;
+            if (!alreadyReconnected) {
+                const reauth = await p.confirm({ message: `${oauthFlowLabel(source)} token expired. Reconnect now?` });
+                if (p.isCancel(reauth) || !reauth) {
+                    p.log.warn(`Skipping ${source.label}. Run ${chalk.bold('align setup')} to reconnect.`);
+                    continue;
                 }
-                console.log('');
-                p.log.info(chalk.dim('Restart your editor, then ask:'));
-                p.log.info(chalk.dim(`  "What has my team decided about ${sourcesImported[0] ? `our ${sourcesImported[0].toLowerCase()} workflow` : 'authentication'}?"`));
+            }
+            // reset = !alreadyReconnected: force a fresh consent for the first connector,
+            // but reuse the shared token (no browser) for the sibling.
+            const fresh = await collectTokensViaOAuth(source, client, config, envName, !alreadyReconnected, connectedThisRun);
+            if (!fresh) {
+                p.log.warn(`Skipping ${source.label} - re-auth cancelled or failed.`);
+                continue;
+            }
+            const retrySpinner = p.spinner();
+            retrySpinner.start(`Retrying ${source.label}...`);
+            try {
+                const items = await source.fetch(fresh);
+                retrySpinner.stop(`Found ${items.length} items`);
+                if (items.length)
+                    ready.push({ source, items });
+                else
+                    p.log.warn(`No items found in ${source.label}.`);
+            }
+            catch (retryErr) {
+                retrySpinner.stop(`Still failed: ${retryErr.message}`);
             }
         }
         else {
-            p.log.info(`To use Align inside Claude or Cursor, run: ${chalk.bold('align mcp --setup')}`);
+            p.log.warn(`Skipped ${source.label} - ${result.error.message}`);
+            p.log.warn(`You can run ${chalk.bold(`align import ${source.id}`)} later to retry.`);
         }
-        // ---- Outro ----
-        const linkLine = linkCount > 0
-            ? `  ${linkCount} cross-tool link${linkCount === 1 ? '' : 's'} found\n`
-            : '';
-        const sourceLine = sourcesImported.length > 0
-            ? `  ${sourcesImported.length} source${sourcesImported.length === 1 ? '' : 's'}: ${sourcesImported.join(', ')}\n`
-            : '';
-        const outroText = [
-            chalk.bold('Setup complete.\n'),
-            `  ${totalDecisions} decisions captured`,
-            sourceLine ? `\n${sourceLine}` : '',
-            linkLine ? `\n${linkLine}` : '',
-            `\n  Run: ${chalk.bold('align ask "any question about your codebase"')}\n`,
-            chalk.dim('\n  Want your whole team to have a shared decision graph?'),
-            chalk.dim('\n  https://align.tech/pricing'),
-        ].join('');
-        p.outro(outroText);
-    });
+    }
+    // Import every ready connector CONCURRENTLY - the imports (gateway ingest +
+    // analysis) are the long pole, so they run in parallel (bounded) in quiet mode.
+    // Each prints one compact completion line; the shared footer prints once after.
+    if (ready.length) {
+        console.log('');
+        p.log.step(`Importing from ${ready.length} source${ready.length === 1 ? '' : 's'} in parallel...`);
+        const importResults = await runWithConcurrency(ready.map(({ source, items }) => async () => {
+            const total = await runPersonalImport(items, client, {
+                label: source.label,
+                approve: true,
+                appUrl: resolveAppUrl(env),
+                quiet: true,
+                // Async ingest (ALI-114): return at DB-write speed; titles + links
+                // enrich in the background. Connection counts show as 0 here and fill in later.
+                deferEnrichment: true,
+            });
+            return { label: source.label, total };
+        }), IMPORT_CONCURRENCY);
+        for (const r of importResults) {
+            if (r.status === 'fulfilled') {
+                totalDecisions += r.value.total;
+                if (r.value.total > 0)
+                    sourcesImported.push(r.value.label);
+            }
+            else {
+                p.log.warn(`Import failed: ${r.reason.message}`);
+            }
+        }
+        console.log('');
+        console.log(chalk.dim('Relationships across all your imported tools are detected automatically in the background.'));
+        console.log(chalk.dim('Query your graph: align ask "..."  or  align decisions list'));
+        console.log('');
+    }
+    // ---- Outro ----
+    const decisionsLine = totalDecisions > 0
+        ? `  ${totalDecisions} decisions in your graph`
+        : `  No decisions yet - run ${chalk.bold('align import')} to load your history`;
+    const sourceLine = sourcesImported.length > 0
+        ? `\n  Sources: ${sourcesImported.join(', ')}`
+        : '';
+    const outroText = [
+        chalk.bold('Setup complete.\n'),
+        decisionsLine,
+        sourceLine,
+        `\n\n  Run: ${chalk.bold('align ask "any question about your codebase"')}`,
+        chalk.dim('\n\n  Want your whole team on a shared decision graph?'),
+        chalk.dim('\n  Upgrade by accepting a team invite - your decisions come with you'),
+        chalk.dim('\n  (you reconnect your connectors once in the team workspace).'),
+        chalk.dim('\n  https://app.align.tech/pricing'),
+    ].join('');
+    p.outro(outroText);
 }
 //# sourceMappingURL=setup.js.map