@friedbotstudio/create-baseline 0.7.0 → 0.8.1

package/README.md

@@ -95,7 +95,7 @@ npx @friedbotstudio/create-baseline ./your-project
 npx @friedbotstudio/create-baseline ./your-project --force
 
 # Upgrade an existing install against a newer baseline version.
-# In a TTY, each tier-1 customised file becomes a keep-mine / take-theirs / abort
+# In a TTY, each tier-1 customised file prompts: keep-mine / take-theirs / merge / abort
 # prompt; tier-2 files auto-merge via `git merge-file --diff3`; tier-3 files
 # stage for the /upgrade-project Claude Code skill to reconcile. In CI / piped
 # stdout, every per-file action is reported with a user-facing label:

package/bin/cli.js

@@ -33,7 +33,9 @@ Upgrade:
   Replaces the prior --merge flag. Reads <target>/.claude/.baseline-manifest.json
   and runs a three-tier merge against the shipped template:
     - tier 1 (binary prompt): customized files prompt "Keep your version / Use
-      new baseline / Show diff" in TTY mode (exit 3 on any skipped).
+      new baseline / Merge / Abort" in TTY mode. "Merge" stages incoming bytes
+      under .claude/state/upgrade/<ts>/ for /upgrade-project to reconcile in
+      Claude Code (exit 5); "Keep your version" exits 3 on any skipped.
     - tier 2 (mechanical): files routed through git merge-file --diff3 with
       BASE recovered from .claude/.baseline-prior/ cache or npm fallback;
       clean merges land silently, conflicts surface with markers (exit 4).

package/obj/template/.claude/hooks/git_commit_guard.mjs

@@ -10,7 +10,7 @@
 //          --abbrev-ref HEAD`. Detached HEAD ("HEAD") → DENY explicitly.
 //        - On a branch matched by project.json → git.protected_branches
 //          (or when that key is null/absent → every branch protected),
-//          commits require fresh commit_consent (300s) and pushes require
+//          commits require fresh commit_consent (900s) and pushes require
 //          fresh push_consent (300s).
 //        - When git.branch_pattern is set and the current branch does NOT
 //          match the regex, commits are denied with the pattern surfaced.
@@ -179,7 +179,7 @@ function handleBash(cmd) {
 
   // Protected — require the matching consent token.
   if (isCommit) {
-    validateConsentToken(`${STATE_DIR}/commit_consent`, '.consent.commit_ttl_seconds', 300, 'Git Commit Guard', '/grant-commit');
+    validateConsentToken(`${STATE_DIR}/commit_consent`, '.consent.commit_ttl_seconds', 900, 'Git Commit Guard', '/grant-commit');
   } else {
     validateConsentToken(`${STATE_DIR}/push_consent`, '.consent.push_ttl_seconds', 300, 'Git Commit Guard', '/grant-push');
   }

package/obj/template/.claude/hooks/memory_session_start.sh

@@ -189,6 +189,30 @@ if pending_count > 0 and not active_workflow:
         'run `/memory-flush` to clear before starting new work.'
     )
 
+# Pending upgrade stages (tier1-merge-option AC-004 + AC-008). Scans
+# .claude/state/upgrade/*/manifest.json for entries with status: PENDING.
+# Fires regardless of active_workflow (design pick 2C): stages are stable
+# infrastructure debt, distinct from memory-candidate debt above.
+upgrade_pending = 0
+upgrade_root = root / '.claude/state/upgrade'
+if upgrade_root.is_dir():
+    for stage_manifest in upgrade_root.glob('*/manifest.json'):
+        try:
+            with open(stage_manifest) as f:
+                stage = json.load(f)
+        except Exception:
+            continue
+        for entry in stage.get('files', []):
+            if entry.get('status') == 'PENDING':
+                upgrade_pending += 1
+
+if upgrade_pending > 0:
+    noun = 'file' if upgrade_pending == 1 else 'files'
+    lines.append(
+        f'**{upgrade_pending} {noun} staged for /upgrade-project to reconcile** — '
+        'run `/upgrade-project` when ready.'
+    )
+
 lines.append('')
 lines.append(
     'Files are read on demand by the relevant skill (scout reads landmarks, research reads libraries, etc.). '

package/obj/template/.claude/manifest.json

@@ -1,6 +1,6 @@
 {
   "manifest_version": 3,
-  "generated_at": "2026-05-21T16:49:56.519Z",
+  "generated_at": "2026-05-22T15:13:25.707Z",
   "files": {
     ".claude/agents/swarm-worker.md": {
       "sha256": "1735a220f268c9765cb22e0567b728803f2edd7776cbde51dd017a9f062ae41f",
@@ -55,7 +55,7 @@
       "tier": "MECHANICAL"
     },
     ".claude/hooks/git_commit_guard.mjs": {
-      "sha256": "95449912110be43635c8130f06ff87d851fc0ebec89fda17b3290671710dfbf6",
+      "sha256": "dbea846f2e11a68054a902ee37ac2f11383fdfc9abff33fa2bdec0f4c373f610",
       "tier": "MECHANICAL"
     },
     ".claude/hooks/harness_continuation.sh": {
@@ -83,7 +83,7 @@
       "tier": "MECHANICAL"
     },
     ".claude/hooks/memory_session_start.sh": {
-      "sha256": "76625781d6cec1dc0d069926adad65c30010b07b1c0e24a2ac441c2981d2ecb5",
+      "sha256": "ec03026919c3cfeb0bdb8e46d8ace19b23d93b5b21f1ebdb4f579e9c52293ac9",
       "tier": "MECHANICAL"
     },
     ".claude/hooks/memory_stop.sh": {
@@ -203,7 +203,7 @@
       "tier": "MECHANICAL"
     },
     ".claude/project.json": {
-      "sha256": "a81f9c1341a15831fe8dd558e376dfe38d5fd938aac6291a4c59529637a8d2c7",
+      "sha256": "752fe71917e2d0c38e756427af8ca0a01efe096cc633dced2f870edfc878c495",
       "tier": "NEVER_TOUCH"
     },
     ".claude/schemas/workflow-track.v1.json": {
@@ -227,7 +227,7 @@
       "tier": "MECHANICAL"
     },
     ".claude/skills/audit-baseline/audit.sh": {
-      "sha256": "6d799ea8b567ecf91757fa142f72795b1da0b4d8443e54b4d233dad5b98b5dab",
+      "sha256": "68011b46a05473237b9d1ce3d6c9c6d760b460e3416a749b2738504fbde6ab4f",
       "tier": "MECHANICAL"
     },
     ".claude/skills/audit-baseline/tests/fixtures/_pending_opener_only.md": {
@@ -267,7 +267,7 @@
       "tier": "MECHANICAL"
     },
     ".claude/skills/changelog/changelog.mjs": {
-      "sha256": "662ae8142ea55c70375e45d874f97b40bcb85b0d6e5378393be56aba1b254eee",
+      "sha256": "a00e9aae5d660424588a37774d13d44625012506e128cf51bb9198b9c9c518dd",
       "tier": "MECHANICAL"
     },
     ".claude/skills/changelog/classifier.mjs": {
@@ -279,7 +279,7 @@
       "tier": "MECHANICAL"
     },
     ".claude/skills/changelog/tests/consent-expired_test.sh": {
-      "sha256": "60351d32cb544af33a6929f898411e43d20ec258f620ebc08179754a74811cf1",
+      "sha256": "da950772c5f6938c81b7c2667d1807b0da838e1f8ea00d64970d2251692b7b87",
       "tier": "MECHANICAL"
     },
     ".claude/skills/changelog/tests/golden-path_test.sh": {
@@ -823,7 +823,7 @@
       "tier": "MECHANICAL"
     },
     ".claude/skills/upgrade-project/SKILL.md": {
-      "sha256": "15e7cc2bd2ad8a271854352a7aa6ce8afc864747657af0be1ec90d392a8ee648",
+      "sha256": "a8d31370b626bb2c5fb733cf3b1e210f66ade1de84007ad0b3a46e31d115687a",
       "tier": "MECHANICAL"
     },
     ".claude/skills/verify/SKILL.md": {
@@ -843,7 +843,7 @@
       "tier": "SEMANTIC"
     },
     "docs/init/seed.md": {
-      "sha256": "7c64057392b39289edf123e3395b67b8605c28b9ab35c102c9469f6974047c78",
+      "sha256": "d1c33da767f4311d1f1c5efc98157b5c09a0b80331d7992f0ca66ec48a6ee08d",
       "tier": "SEMANTIC"
     }
   },
@@ -889,5 +889,5 @@
       "verify": "baseline"
     }
   },
-  "build_id": "gha-26240106828"
+  "build_id": "gha-26295896640"
 }

package/obj/template/.claude/project.json

@@ -184,7 +184,7 @@
     }
   },
   "consent": {
-    "commit_ttl_seconds": 300,
+    "commit_ttl_seconds": 900,
     "gate_marker_ttl_seconds": 120,
     "push_ttl_seconds": 300
   },

package/obj/template/.claude/skills/audit-baseline/audit.sh

@@ -224,13 +224,17 @@ check_names("agents names match seed §4.2",   EXPECTED_AGENTS,   add_agents,
 # Skills canonical set comes from manifest.owners.skills (built by
 # scripts/build-manifest.mjs at release time). Falls back to disk_baseline_skills
 # when the manifest is missing (e.g., first audit before initial build).
+# Unlike hooks/agents/commands, the skills `disk_*` is `disk_baseline_skills`
+# (filtered to `owner: baseline`), so `add_skills` (project additions, which are
+# user/third-party by design) cannot be passed in here — they'd false-FAIL.
+# Per CLAUDE.md Article XI #5.
 _manifest_for_skills = load_manifest()
 if _manifest_for_skills is None:
     _canonical_skills = disk_baseline_skills
 else:
     _canonical_skills = set((_manifest_for_skills.get("owners") or {}).get("skills", {}).keys()) \
                         or disk_baseline_skills
-check_names("skills names match seed §4.3",   _canonical_skills, add_skills,   disk_baseline_skills)
+check_names("skills names match seed §4.3",   _canonical_skills, set(),        disk_baseline_skills)
 check_names("commands names match seed §4.4", EXPECTED_COMMANDS, set(),        disk_commands)
 
 # ---------- skill ownership (per-file hash drift + frontmatter validation) ----------
@@ -349,11 +353,23 @@ else:
 # The src/ tree mirrors the canonical paths with a `.template` suffix so
 # `npx @friedbotstudio/create-baseline` can discover and overlay deterministically.
 src_dir = root / "src"
+# Consumer-mode detection: the CLI overlay ships .claude/manifest.json into
+# every consumer project; src/ exists only in the baseline-dev repo as the
+# overlay source. Manifest present + src/ absent ⇒ legitimate consumer install
+# ⇒ skip the src/ checks instead of false-FAIL'ing. Per CLAUDE.md Appendix A.
+consumer_manifest = (root / ".claude" / "manifest.json").is_file()
 if not src_dir.is_dir():
-    add("src templates: directory", "FAIL", "missing src/")
+    if consumer_manifest:
+        add("src templates: directory", "PASS",
+            "consumer install (manifest present, src/ absent) — src/ checks skipped")
+    else:
+        add("src templates: directory", "FAIL", "missing src/")
+    _SKIP_SRC = True
 else:
     add("src templates: directory", "PASS", "")
+    _SKIP_SRC = False
 
+if not _SKIP_SRC:
     # CLAUDE.template.md — must exist and read as constitution-voice (or, in
     # the pre-Stage-2 transitional shape, at least the user-voice lede). The
     # test below tolerates either: dogfood-leak fails hard; constitutional
@@ -630,12 +646,13 @@ else:
     add("CLAUDE.md: Article X.2 present", "FAIL",
         "missing `### X.2 Design-task routing` heading — Article X.2 is the structural seam between design-ui and impeccable")
 
-template_claude = read_text("src/CLAUDE.template.md")
-if "### X.2 Design-task routing" in template_claude:
-    add("src/CLAUDE.template.md: Article X.2 mirrors", "PASS", "")
-else:
-    add("src/CLAUDE.template.md: Article X.2 mirrors", "FAIL",
-        "src template does not contain Article X.2 — template-drift will fail")
+if not _SKIP_SRC:
+    template_claude = read_text("src/CLAUDE.template.md")
+    if "### X.2 Design-task routing" in template_claude:
+        add("src/CLAUDE.template.md: Article X.2 mirrors", "PASS", "")
+    else:
+        add("src/CLAUDE.template.md: Article X.2 mirrors", "FAIL",
+            "src template does not contain Article X.2 — template-drift will fail")
 
 design_ui_skill = read_text(".claude/skills/design-ui/SKILL.md")
 if re.search(r'^description:.*orchestrat', design_ui_skill, re.MULTILINE | re.IGNORECASE):

package/obj/template/.claude/skills/changelog/changelog.mjs

@@ -20,7 +20,7 @@ import { previewProjectedVersion } from './version-preview.mjs';
 import { writeState } from './state-writer.mjs';
 import { appendUnderUnreleased } from './unreleased-writer.mjs';
 
-const TTL_SECONDS = 300;
+const TTL_SECONDS = 900;
 
 function parseCli() {
   const { values } = parseArgs({

package/obj/template/.claude/skills/changelog/tests/consent-expired_test.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 # Fixture-based integration test for AC-010: when commit_consent token is
-# stale (older than consent.commit_ttl_seconds, default 300s), the changelog
+# stale (older than consent.commit_ttl_seconds, default 900s), the changelog
 # skill exits non-zero with "consent expired" stderr, does NOT modify
 # CHANGELOG.md, and does NOT write the state file.
 #
@@ -16,7 +16,7 @@ PASS=0; FAIL=0; FAILED=()
 
 fail() { echo "  FAIL: $*"; return 1; }
 
-# Seed a tempdir with a stale commit_consent (epoch = now - 310s).
+# Seed a tempdir with a stale commit_consent (epoch = now - 910s).
 seed_stale_consent_project() {
   local proj="$1" slug="$2"
   mkdir -p "$proj/.claude/state"
@@ -29,8 +29,8 @@ seed_stale_consent_project() {
   echo "stale test" > thing.txt
   git add thing.txt
   git commit -q -m "feat: stale consent path"
-  # Stale token: epoch in the past, beyond 300s default TTL.
-  local stale_epoch; stale_epoch=$(( $(date +%s) - 310 ))
+  # Stale token: epoch in the past, beyond 900s default TTL.
+  local stale_epoch; stale_epoch=$(( $(date +%s) - 910 ))
   echo "$stale_epoch" > "$proj/.claude/state/commit_consent"
   echo "stale" >> "$proj/.claude/state/commit_consent"
   cat > "$proj/.claude/state/workflow.json" <<EOF

package/obj/template/.claude/skills/upgrade-project/SKILL.md

@@ -31,7 +31,7 @@ For each stage directory under `.claude/state/upgrade/`:
     "files": [
       {
         "rel": "docs/init/seed.md",
-        "base_sha256": "<hex>",
+        "base_sha256": "<hex>" | null,
         "incoming_sha256": "<hex>",
         "local_sha256": "<hex>",
         "status": "PENDING"
@@ -39,24 +39,35 @@ For each stage directory under `.claude/state/upgrade/`:
     ]
   }
   ```
-- For each entry in `files`, three artifacts are present:
-  - `<rel>.baseline-base` — the **BASE** content (the file as it was when the user last installed the baseline).
-  - `<rel>.baseline-incoming` — the **INCOMING** content (the file as it ships in the new baseline; INCOMING and REMOTE are the same thing).
+  `base_sha256` is the **per-entry classification discriminator**: a 64-hex string means the CLI staged a recoverable BASE (three-way reconciliation); the JSON value `null` means BASE was unrecoverable when the user picked Merge on the tier-1 prompt (two-way reconciliation). See [tier1-merge-option spec](../../../docs/specs/tier1-merge-option.md) §Design pick 1A.
+- For each entry, the staged artifacts are:
+  - `<rel>.baseline-incoming` — the **INCOMING** content. Always present.
+  - `<rel>.baseline-base` — the **BASE** content. Present iff `base_sha256` is a string; **absent** for BASE-less entries.
   - The LOCAL file remains at its real path inside the target tree (untouched by the CLI).
 
 ## Procedure
 
 1. **Discover the stage.** Read `.claude/state/upgrade/` and pick the most-recent stage directory whose manifest has at least one file with `status: PENDING` or `status: NEEDS_USER_INPUT`. If no such stage exists, tell the user "No pending stage to reconcile" and exit.
-2. **Per file**, in the order they appear in the stage manifest:
+2. **Per-entry classification** (binding). For each entry in the stage manifest, in declared order:
+   - If `entry.base_sha256` is a 64-hex string → **three-way reconciliation** (existing path; BASE was recoverable).
+   - If `entry.base_sha256` is `null` → **two-way reconciliation** (new path; BASE was unrecoverable when the user picked Merge on tier-1; the zero-drift renumbering rule does not apply because there is no BASE anchor to shift against).
+   - Any other value → apply the `NEEDS_USER_INPUT` fallback with reason `malformed-base-sha256`.
+3. **Three-way reconciliation** (BASE recoverable):
    - Read BASE, INCOMING, and LOCAL.
    - Reason about the three-way delta. Identify what changed between BASE → INCOMING (the upstream edit), what changed between BASE → LOCAL (the user edit), and where they conflict.
    - If both edits are textually non-overlapping, the CLI would have routed the file to tier 2 (mechanical merge). The fact that the file is in tier 3 means structural reconciliation is needed — most commonly: both sides inserted content at the same structural anchor (a new section, a new numbered article, a new TOC entry).
    - Apply the **zero-drift renumbering rule** below.
    - Write the reconciled bytes to the LOCAL path.
    - Update the stage manifest entry's `status` to `RECONCILED`.
-3. **Finalize the stage.** When every entry's status is `RECONCILED`, delete the stage directory (`rm -rf .claude/state/upgrade/<ts>/`). Report per-file status to the user.
+4. **Two-way reconciliation** (BASE-less; tier-1 Merge):
+   - Read INCOMING and LOCAL. Do NOT attempt to read `<rel>.baseline-base` — it is absent by construction.
+   - Reason about the two-way diff: which lines/sections in INCOMING are new bytes that should land in LOCAL, and which lines/sections in LOCAL are user-authored content that should be preserved.
+   - The **zero-drift renumbering rule does NOT apply** to two-way reconciliation — there is no BASE anchor to shift against, so "shift, never fold" cannot be evaluated. When LOCAL and INCOMING both add structural entries at the same anchor and you cannot determine which is user content vs baseline content without the BASE, apply the `NEEDS_USER_INPUT` fallback.
+   - Write the reconciled bytes to the LOCAL path.
+   - Update the stage manifest entry's `status` to `RECONCILED`.
+5. **Finalize the stage.** When every entry's status is `RECONCILED`, delete the stage directory (`rm -rf .claude/state/upgrade/<ts>/`). Report per-file status to the user.
 
-## The zero-drift renumbering rule (binding)
+## The zero-drift renumbering rule (binding for three-way only)
 
 When BASE → INCOMING adds a new structural entry (a new Article, a new section, a new numbered item) at position N, and BASE → LOCAL added the user's own entry at the same position N, you SHALL renumber the user's entry to the **next available** slot (N+1) — you SHALL **never fold** the user's entry into an existing baseline section.
 

package/obj/template/docs/init/seed.md

@@ -531,7 +531,7 @@ Seed-level requirement: no stale workflow artifacts in the working tree after co
 - `artifacts.required_sections.{intake,brd,spec,rca}` — the canonical section lists.
 - `artifacts.required_diagrams.spec` — the six kinds (§4.7).
 - `swarm.max_parallel`, `swarm.isolation: "auto"`, `swarm.min_tasks_worth_swarming: 3`, `swarm.refuse_dirty_tree: true`, `swarm.exempt_path_prefixes`, `swarm.enforced_path_prefixes`.
-- `consent.commit_ttl_seconds: 300`.
+- `consent.commit_ttl_seconds: 900`.
 - `additions.{agents,skills,hooks,mcp_servers,swarm_worker_skills}` — names of every project-adopted addition the recommender emitted (just identifiers, no `command`/`why`/`tokens` payload). `additions.agents` stays empty in this baseline — the recommender does not propose new subagent types. `additions.swarm_worker_skills` lists stack-specific skills the `swarm-worker` template should preload via the `{{SKILLS}}` token at re-render time. `audit.sh` reads this manifest and unions each set with the baseline `EXPECTED_*` sets when checking names; counts are reframed as `"<total> = <baseline> + <project>"` so legitimate additions don't fail drift detection. Default state is five empty arrays.
 - Flip `configured: true`.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@friedbotstudio/create-baseline",
-  "version": "0.7.0",
+  "version": "0.8.1",
   "description": "Node CLI scaffolder that materializes the Claude Code baseline (hooks, skills, commands, MCP servers, governance docs) into a target project, with branded interactive install / upgrade / doctor flows. Run via `npx @friedbotstudio/create-baseline <target>`.",
   "type": "module",
   "bin": {

package/src/cli/merge.js

@@ -1,10 +1,10 @@
-import { cp, mkdir, unlink } from 'node:fs/promises';
+import { cp, mkdir, readFile, unlink } from 'node:fs/promises';
 import { join, dirname } from 'node:path';
 import { hashFile, saveManifest } from './manifest.js';
 import { deepMergeMcpServers } from './mcp.js';
 import { NEVER_TOUCH, SPECIAL_MERGE } from './install.js';
 import { pathExists } from './util.js';
-import { dispatchByTier, NoBaseError, canRecoverBase } from './upgrade-tiers.js';
+import { dispatchByTier, NoBaseError, canRecoverBase, writeStageBaseless } from './upgrade-tiers.js';
 
 export const ACTION_KINDS = Object.freeze({
   ADD: 'ADD',
@@ -176,23 +176,33 @@ async function dispatchCustomized({ rel, newEntry, tierCtx, dryRun, onSkipCustom
       return await dispatchByTier(rel, tier, tierCtx);
     } catch (err) {
       if (err instanceof NoBaseError) {
-        return fallbackToBinaryPrompt({ rel, onSkipCustomized, dryRun, tplPath, tgtPath, err });
+        return fallbackToBinaryPrompt({ rel, onSkipCustomized, dryRun, tplPath, tgtPath, tierCtx, err });
       }
       throw err;
     }
   }
-  return fallbackToBinaryPrompt({ rel, onSkipCustomized, dryRun, tplPath, tgtPath });
+  return fallbackToBinaryPrompt({ rel, onSkipCustomized, dryRun, tplPath, tgtPath, tierCtx });
 }
 
-async function fallbackToBinaryPrompt({ rel, onSkipCustomized, dryRun, tplPath, tgtPath, err = null }) {
+async function fallbackToBinaryPrompt({ rel, onSkipCustomized, dryRun, tplPath, tgtPath, tierCtx, err = null }) {
   const choice = onSkipCustomized ? await onSkipCustomized(rel) : 'keep-mine';
   if (choice === 'take-theirs') {
     if (!dryRun) await copyFile(tplPath, tgtPath);
     return { kind: ACTION_KINDS.OVERWRITE, path: rel, reason: err ? `BASE recovery failed (${err.kind}); user chose take-theirs` : 'customized file; user chose take-theirs' };
   }
+  if (choice === 'merge') {
+    if (!dryRun) await stageBaselessMerge({ rel, tplPath, tgtPath, tierCtx });
+    return { kind: ACTION_KINDS.SEMANTIC_MERGE_STAGED, path: rel, reason: err ? `BASE recovery failed (${err.kind}); staged for two-way merge` : 'tier-1 customized; staged for two-way merge' };
+  }
   return { kind: ACTION_KINDS.SKIP_CUSTOMIZED, path: rel, reason: err ? `BASE recovery failed (${err.kind}); preserved` : 'target customized since last install' };
 }
 
+async function stageBaselessMerge({ rel, tplPath, tgtPath, tierCtx }) {
+  const incomingBuf = await readFile(tplPath);
+  const localBuf = await readFile(tgtPath);
+  await writeStageBaseless(tierCtx, rel, incomingBuf, localBuf);
+}
+
 function computeExitCode(actions) {
   let code = 0;
   for (const a of actions) {

package/src/cli/tui/upgrade.js

@@ -2,7 +2,9 @@
 // Plan/apply split:
 //   1. detect pending semantic-merge stage (idempotency short-circuit, AC-007)
 //   2. dry-run threeWayMerge → enumerate SKIP_CUSTOMIZED conflicts (tier-1 only)
-//   3. prompt the user once per tier-1 conflict (with Show-diff loop, cap-at-2)
+//   3. prompt the user once per tier-1 conflict: Keep your version / Use new
+//      baseline / Merge / Abort. The Merge pick stages incoming bytes for
+//      /upgrade-project to reconcile (tier1-merge-option spec).
 //   4. on cancel/abort: bail before any write
 //   5. on resolve: real threeWayMerge with onSkipCustomized backed by the Map.
 // Tier-2 MECHANICAL and tier-3 SEMANTIC files are NOT prompted — they're
@@ -16,7 +18,6 @@ import { threeWayMerge, ACTION_KINDS, ACTION_LABELS, ACTION_LABEL_WIDTH } from '
 import { loadManifest, buildManifestFromDir } from '../manifest.js';
 import { COPY_EXCLUDE } from '../install.js';
 import { findPendingStage, formatStageTimestamp } from '../upgrade-tiers.js';
-import { renderUnifiedDiff } from '../diff-render.js';
 import { renderBrandStrip } from './splash.js';
 
 const SUCCESS = 0;
@@ -29,12 +30,10 @@ const ERR_SEMANTIC_STAGED = 5;
 const CHOICE_OPTIONS = [
   { value: 'keep-mine', label: 'Keep your version', hint: 'preserve target file as-is' },
   { value: 'take-theirs', label: 'Use new baseline', hint: 'overwrite with new template' },
-  { value: 'show-diff', label: 'Show diff', hint: 'render local vs incoming and re-prompt' },
+  { value: 'merge', label: 'Merge', hint: 'stage incoming bytes for /upgrade-project to reconcile' },
   { value: 'abort', label: 'Abort', hint: 'exit without changes' },
 ];
 
-const SHOW_DIFF_CONSECUTIVE_CAP = 2;
-
 export async function run({ target, opts = {}, prompts = clackModule } = {}) {
   if (!target || typeof target !== 'string') {
     throw new Error('tui.upgrade.run requires a non-empty string target');
@@ -65,7 +64,7 @@ export async function run({ target, opts = {}, prompts = clackModule } = {}) {
   const conflicts = dryReport.actions.filter((a) => a.kind === ACTION_KINDS.SKIP_CUSTOMIZED);
 
   const choices = new Map();
-  const aborted = await collectUserChoices(prompts, conflicts, opts.templateDir, target, choices);
+  const aborted = await collectUserChoices(prompts, conflicts, choices);
   if (aborted) {
     prompts.cancel('Upgrade aborted; tree unchanged.');
     return ERR_ABORT;
@@ -95,7 +94,7 @@ export async function run({ target, opts = {}, prompts = clackModule } = {}) {
 
   const stagedCount = finalReport.actions.filter((a) => a.kind === ACTION_KINDS.SEMANTIC_MERGE_STAGED).length;
   if (stagedCount > 0) {
-    prompts.log.info(`${stagedCount} file(s) need semantic merge. Open Claude Code and run /upgrade-project to reconcile.`);
+    prompts.log.info(`${stagedCount} file(s) staged. Open Claude Code and run /upgrade-project to reconcile.`);
   }
 
   const applied = finalReport.actions.filter((a) => isApplied(a.kind)).length;
@@ -121,38 +120,22 @@ function isLegacyManifest(m) {
   return typeof m.baseline_version !== 'string';
 }
 
-async function collectUserChoices(prompts, conflicts, templateDir, target, choices) {
+async function collectUserChoices(prompts, conflicts, choices) {
   for (const conflict of conflicts) {
-    const choice = await pickForFile(prompts, conflict.path, templateDir, target);
+    const choice = await pickForFile(prompts, conflict.path);
     if (choice === 'abort') return true;
-    if (choice !== null) choices.set(conflict.path, choice);
+    choices.set(conflict.path, choice);
   }
   return false;
 }
 
-async function pickForFile(prompts, rel, templateDir, target) {
-  let consecutiveShowDiff = 0;
-  while (true) {
-    const choice = await prompts.select({
-      message: `${rel} has been customized — choose:`,
-      options: CHOICE_OPTIONS,
-    });
-    if (prompts.isCancel(choice)) return 'abort';
-    if (choice !== 'show-diff') return choice;
-    await renderConflictDiff(prompts, rel, templateDir, target);
-    consecutiveShowDiff++;
-    if (consecutiveShowDiff >= SHOW_DIFF_CONSECUTIVE_CAP) {
-      prompts.log.info(`Show-diff picked ${SHOW_DIFF_CONSECUTIVE_CAP} times for ${rel}; falling through (keeping your version). Re-run if you want to choose differently.`);
-      return null;
-    }
-  }
-}
-
-async function renderConflictDiff(prompts, rel, templateDir, target) {
-  const localBytes = await readFile(join(target, rel), 'utf8');
-  const incomingBytes = await readFile(join(templateDir, rel), 'utf8');
-  const diff = renderUnifiedDiff(localBytes, incomingBytes, { colorize: process.stdout.isTTY === true });
-  prompts.log.info(`Diff for ${rel} (local → incoming):\n${diff}`);
+async function pickForFile(prompts, rel) {
+  const choice = await prompts.select({
+    message: `${rel} has been customized — choose:`,
+    options: CHOICE_OPTIONS,
+  });
+  if (prompts.isCancel(choice)) return 'abort';
+  return choice;
 }
 
 function isReportableAction(kind) {

package/src/cli/upgrade-tiers.js

@@ -86,14 +86,30 @@ export async function dispatchByTier(rel, tier, ctx) {
 }
 
 export async function writeStage(ctx, rel, baseBuf, incomingBuf, localBuf) {
-  if (!ctx.stageRunTs) ctx.stageRunTs = stageTimestamp();
-  const stageDir = join(ctx.target, '.claude/state/upgrade', ctx.stageRunTs);
-  await mkdir(stageDir, { recursive: true });
+  const stageDir = await ensureStageDir(ctx);
   await writeStageArtifact(stageDir, `${rel}.baseline-base`, baseBuf);
   await writeStageArtifact(stageDir, `${rel}.baseline-incoming`, incomingBuf);
   await appendToStageManifest(stageDir, ctx, rel, baseBuf, incomingBuf, localBuf);
 }
 
+// BASE-less stage writer used by the tier-1 Merge pick (see
+// docs/specs/tier1-merge-option.md §Behavior #2 + design pick 1A). Unlike
+// writeStage, no BASE artifact is written and the manifest entry carries
+// base_sha256: null — the discriminator /upgrade-project reads to route to
+// two-way reconciliation.
+export async function writeStageBaseless(ctx, rel, incomingBuf, localBuf) {
+  const stageDir = await ensureStageDir(ctx);
+  await writeStageArtifact(stageDir, `${rel}.baseline-incoming`, incomingBuf);
+  await appendToStageManifest(stageDir, ctx, rel, null, incomingBuf, localBuf);
+}
+
+async function ensureStageDir(ctx) {
+  if (!ctx.stageRunTs) ctx.stageRunTs = stageTimestamp();
+  const stageDir = join(ctx.target, '.claude/state/upgrade', ctx.stageRunTs);
+  await mkdir(stageDir, { recursive: true });
+  return stageDir;
+}
+
 // --- foundation helpers ---
 
 function sha256(buf) {
@@ -232,7 +248,7 @@ async function appendToStageManifest(stageDir, ctx, rel, baseBuf, incomingBuf, l
     : newStageManifest(ctx);
   manifest.files.push({
     rel,
-    base_sha256: sha256(baseBuf),
+    base_sha256: baseBuf === null ? null : sha256(baseBuf),
     incoming_sha256: sha256(incomingBuf),
     local_sha256: sha256(localBuf),
     status: 'PENDING',

package/src/project.template.json

@@ -184,7 +184,7 @@
     }
   },
   "consent": {
-    "commit_ttl_seconds": 300,
+    "commit_ttl_seconds": 900,
     "gate_marker_ttl_seconds": 120,
     "push_ttl_seconds": 300
   },

package/src/seed.template.md

@@ -531,7 +531,7 @@ Seed-level requirement: no stale workflow artifacts in the working tree after co
 - `artifacts.required_sections.{intake,brd,spec,rca}` — the canonical section lists.
 - `artifacts.required_diagrams.spec` — the six kinds (§4.7).
 - `swarm.max_parallel`, `swarm.isolation: "auto"`, `swarm.min_tasks_worth_swarming: 3`, `swarm.refuse_dirty_tree: true`, `swarm.exempt_path_prefixes`, `swarm.enforced_path_prefixes`.
-- `consent.commit_ttl_seconds: 300`.
+- `consent.commit_ttl_seconds: 900`.
 - `additions.{agents,skills,hooks,mcp_servers,swarm_worker_skills}` — names of every project-adopted addition the recommender emitted (just identifiers, no `command`/`why`/`tokens` payload). `additions.agents` stays empty in this baseline — the recommender does not propose new subagent types. `additions.swarm_worker_skills` lists stack-specific skills the `swarm-worker` template should preload via the `{{SKILLS}}` token at re-render time. `audit.sh` reads this manifest and unions each set with the baseline `EXPECTED_*` sets when checking names; counts are reframed as `"<total> = <baseline> + <project>"` so legitimate additions don't fail drift detection. Default state is five empty arrays.
 - Flip `configured: true`.
 

package/src/cli/diff-render.js

@@ -1,54 +0,0 @@
-// Foundation — line-level unified-diff renderer used by the upgrade TUI's
-// "Show diff" prompt. Pure function; no IO, no side effects.
-
-const ANSI_RED = '\x1b[31m';
-const ANSI_GREEN = '\x1b[32m';
-const ANSI_RESET = '\x1b[0m';
-
-export function renderUnifiedDiff(localText, incomingText, opts = {}) {
-  const colorize = opts.colorize === true;
-  const ops = diffLines(splitLines(localText), splitLines(incomingText));
-  return ops.map((op) => renderOp(op, colorize)).join('\n');
-}
-
-function splitLines(text) {
-  return String(text).split('\n');
-}
-
-function renderOp(op, colorize) {
-  if (op.kind === 'context') return ' ' + op.line;
-  const marker = op.kind === 'remove' ? '-' : '+';
-  if (!colorize) return marker + op.line;
-  const color = op.kind === 'remove' ? ANSI_RED : ANSI_GREEN;
-  return color + marker + op.line + ANSI_RESET;
-}
-
-function diffLines(a, b) {
-  const m = a.length;
-  const n = b.length;
-  const dp = Array.from({ length: m + 1 }, () => new Array(n + 1).fill(0));
-  for (let i = 1; i <= m; i++) {
-    for (let j = 1; j <= n; j++) {
-      if (a[i - 1] === b[j - 1]) dp[i][j] = dp[i - 1][j - 1] + 1;
-      else dp[i][j] = Math.max(dp[i - 1][j], dp[i][j - 1]);
-    }
-  }
-  const ops = [];
-  let i = m;
-  let j = n;
-  while (i > 0 && j > 0) {
-    if (a[i - 1] === b[j - 1]) {
-      ops.push({ kind: 'context', line: a[i - 1] });
-      i--; j--;
-    } else if (dp[i - 1][j] >= dp[i][j - 1]) {
-      ops.push({ kind: 'remove', line: a[i - 1] });
-      i--;
-    } else {
-      ops.push({ kind: 'add', line: b[j - 1] });
-      j--;
-    }
-  }
-  while (i > 0) { ops.push({ kind: 'remove', line: a[i - 1] }); i--; }
-  while (j > 0) { ops.push({ kind: 'add', line: b[j - 1] }); j--; }
-  return ops.reverse();
-}