@getrift/rift 0.1.0-beta.17 → 0.1.0-beta.19

package/dist/src/cli/commands/onboard.js

@@ -24,7 +24,7 @@ import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
 import readline from "node:readline";
-import { Command } from "commander";
+import { Command, Option } from "commander";
 import { CliError, createHttpClient, readToken, resolveBaseUrl, } from "../http-client.js";
 import { issueToken } from "../token.js";
 import { loadConfig } from "../../config/loader.js";
@@ -46,6 +46,11 @@ import { HooksParseFailedError } from "../hooks-writers/index.js";
 import { pollJob } from "../job-poller.js";
 import { isJobFailure } from "../output.js";
 import * as ui from "../ui.js";
+import { getBuildInfo } from "../../server/build-info.js";
+import { postFeedback } from "../feedback/feedback-relay.js";
+import { parseInvite } from "../feedback/invite.js";
+import { macRelaySecretStore, } from "../feedback/relay-secret-store.js";
+import { LockedKeychainError } from "../../auth/keychain.js";
 /**
  * Resolve a `--no-<flag>` to a single boolean ("yes, skip this thing").
  * Commander populates the affirmative key with `false`; programmatic
@@ -64,9 +69,21 @@ export function makeOnboardCommand() {
     return new Command("onboard")
         .description("First-run wizard: validate Voyage key, capture, import, recall test")
         .option("--voyage-key <key>", "Voyage API key (skips paste prompt)")
+        .option("--no-voyage-key", "Finish without a Voyage key — keyword-only (lexical) search; add a key later")
         .option("--voyage-label <label>", "Operator-supplied display label for the Voyage project")
+        .option("--invite <code>", "Accept a feedback invite from Clem (or omit it to paste when asked)")
         .option("--enable-feedback-relay <url>", "Opt into the Rift feedback relay non-interactively (URL required)")
+        .addOption(
+    // Hidden: back-compat operator flag. The secret never appears in
+    // user-facing help; friends use --invite (or the interactive paste).
+    new Option("--relay-secret <secret>", "Back-compat HMAC secret paired with --enable-feedback-relay (stored in the Keychain)").hideHelp())
+        .addOption(
+    // Hidden: dev/operator escape hatch for unsigned local receivers.
+    new Option("--allow-unsigned-feedback-relay", "Dev-only: allow --enable-feedback-relay without a secret (receiver rejects in prod)")
+        .hideHelp()
+        .default(false))
         .option("--no-feedback-relay", "Decline the feedback relay (local-only)")
+        .option("--email <address>", "Opt into beta updates + feedback non-interactively (skips the prompt)")
         .option("--import-export <path>", "Import an export inline (.json or .zip)")
         .option("--no-import-export", "Skip the import-now prompt")
         .option("--reconfigure-voyage", "Recovery flow: replace the Voyage key only", false)
@@ -75,6 +92,8 @@ export function makeOnboardCommand() {
         .option("--no-codex-capture", "Skip the Codex CLI preflight + disable the capture pass for this run")
         .option("--with-claude-hook", "Install the Rift policy hook into Claude Code without prompting", false)
         .option("--no-claude-hook", "Skip the Claude Code policy-hook prompt entirely")
+        .option("--enable-codex-enrichment", "Opt into Codex AI metadata enrichment (default: AI-free import + keyword search)", false)
+        .option("--enable-capture", "Opt into scheduled chat capture + its Codex preflight (default: capture off, zero Codex calls)", false)
         .action(async (opts, cmd) => {
         const globalOpts = cmd.optsWithGlobals();
         try {
@@ -91,7 +110,9 @@ export function makeOnboardCommand() {
         }
     });
 }
-async function runOnboard(opts, globalOpts) {
+// Exported for orchestrator-level tests (e.g. the capture-without-key gate);
+// `makeOnboardCommand().action` is the only production caller.
+export async function runOnboard(opts, globalOpts) {
     const rl = readline.createInterface({
         input: process.stdin,
         output: process.stdout,
@@ -118,23 +139,79 @@ async function runOnboard(opts, globalOpts) {
         // paste anything.
         ui.step("info", "Privacy", "");
         sayPrivacyContract();
-        // Step 2 — Voyage key + validate + persist + kickstart + smoke.
-        const last4 = await collectAndPersistVoyageKey(opts, globalOpts, rl);
+        // Step 2 — Voyage key + validate + persist env. The daemon kickstart +
+        // smoke is deferred to Step 2e (after the opt-in writes below) so the
+        // respawned daemon boots with the final config.json.
+        const last4 = await collectAndPersistVoyageKey(opts, rl);
         // Step 2b — sanitize + persist optional --voyage-label to config.json
         // (backup first). Invalid labels are dropped without echoing the raw
         // value, so a key-shaped, path-shaped, or legacy-name-shaped label
         // can never leak through stdout or config.json.
         const safeLabel = applyVoyageLabel(opts.voyageLabel, globalOpts.config, say);
-        // Step 3 — Codex CLI preflight.
+        // Step 2c — optional opt-in to Codex AI metadata enrichment. Default is
+        // AI-free import + keyword search (zero Codex calls). Only persisted when
+        // the user explicitly passed --enable-codex-enrichment.
+        applyCodexEnrichmentOptIn(opts.enableCodexEnrichment, globalOpts.config, say);
+        // Step 2d — optional opt-in to scheduled chat capture. Default off, so a
+        // fresh install makes zero Codex calls. Auto-capture embeds each saved
+        // conversation, so it requires a Voyage key; opting in without one would
+        // persist `capture.enabled = true` that the daemon can't honor (it would
+        // wake hourly, find no embedding provider, and save nothing). So we only
+        // persist the opt-in when a key was provided, and warn otherwise.
+        // `captureEnabled` is the single source of truth for the capture lane:
+        // requested AND a key is present. It gates BOTH the persistence here and
+        // the Codex preflight in Step 3 — refusing the opt-in must also skip the
+        // preflight's Codex triage call, or `--enable-capture` without a key would
+        // still leak a Codex call.
+        const captureRequested = opts.enableCapture === true;
+        const captureEnabled = captureRequested && last4 !== null;
+        if (captureRequested && last4 === null) {
+            ui.note("--enable-capture ignored: capture embeds saved conversations and needs a Voyage key. Re-run `rift onboard` with a key to enable it.");
+        }
+        else {
+            applyCaptureOptIn(opts.enableCapture, globalOpts.config, say);
+        }
+        // Step 2e — (re)start the daemon AFTER all config writes so it boots with
+        // the final config.json. The daemon builds its capture loop and metadata
+        // extractor once at boot (src/main.ts), so persisting the opt-ins above
+        // BEFORE this kickstart is what makes --enable-capture /
+        // --enable-codex-enrichment take effect immediately instead of only after
+        // a later restart. Key path only: the smoke asserts voyage_key_present,
+        // and the keyword-only path has no daemon smoke to run (the daemon was
+        // bootstrapped by install.sh and picks up config on its next start).
+        // `not_configured` / `agent_not_loaded` stay recoverable — the daemon
+        // simply isn't running yet on a fresh-Mac install before install.sh
+        // bootstraps the plist.
+        if (last4 !== null) {
+            const refresh = await daemonRefreshFlow(globalOpts);
+            if (!refresh.ok &&
+                refresh.kind !== "not_configured" &&
+                refresh.kind !== "agent_not_loaded") {
+                throw new CliError(`Voyage smoke failed after daemon kickstart: ${refresh.reason}`, "server_error");
+            }
+        }
+        // Step 3 — Codex CLI preflight (capture lane only).
+        //
+        // Capture is OFF by default (trust-first): a fresh install makes zero
+        // Codex calls. The preflight below performs a real Codex triage call,
+        // so it ONLY runs when capture is actually enabled — i.e. `--enable-capture`
+        // AND a Voyage key (see `captureEnabled` above). Without the flag, or with
+        // the flag but no key, the capture lane — and its Codex preflight — is
+        // skipped entirely, and import + keyword search below still work with no
+        // Codex dependency.
         //
-        // Codex CLI is only required by the auto-capture lane. Friends who
-        // use only Claude Desktop / Claude Code (and import via the inbox
-        // or `rift import`) should not be blocked by a missing/expired
-        // Codex auth. So a failed preflight is a warning, not fatal —
-        // onboarding continues and the capture pass is skipped for this
-        // run. `--no-codex-capture` skips the preflight entirely.
+        // When capture IS enabled, a failed preflight is a warning, not fatal —
+        // onboarding continues and the capture pass is skipped for this run.
+        // `--no-codex-capture` skips the preflight even when capture was enabled
+        // (e.g. enable the daemon schedule but skip the one-shot).
         let captureDisabled = false;
-        if (isOff(opts, "codexCapture", "noCodexCapture")) {
+        if (!captureEnabled) {
+            ui.step("skip", "Chat access", captureRequested
+                ? "capture needs a Voyage key — skipped"
+                : "capture off (default) · enable with --enable-capture");
+            captureDisabled = true;
+        }
+        else if (isOff(opts, "codexCapture", "noCodexCapture")) {
             ui.step("skip", "Chat access", "skipped (--no-codex-capture) · auto-import off");
             captureDisabled = true;
         }
@@ -154,13 +231,16 @@ async function runOnboard(opts, globalOpts) {
         const claudeSessions = safeDiscover(() => discoverClaudeCodeSessions(path.join(os.homedir(), ".claude")));
         const codexSessions = safeDiscover(() => discoverCodexSessions());
         ui.step("ok", "Chat history", `${claudeSessions} Claude Code · ${codexSessions} Codex CLI`);
-        // Step 5 — feedback preference (privacy contract already shown above).
-        const feedback = await collectFeedbackPreference(opts, dataDir);
-        if (feedback.enabled) {
-            ui.step("ok", "Feedback", `relay on (installation_id: ${feedback.installation_id})`);
+        // Step 5 — beta opt-in (stay connected: news, pricing, feedback).
+        const feedback = await collectFeedbackPreference(opts, dataDir, rl);
+        if (feedback.email) {
+            ui.step("ok", "Stay connected", `${feedback.email} — opted in (news + feedback)`);
+        }
+        else if (feedback.enabled) {
+            ui.step("ok", "Stay connected", `feedback relay on (installation_id: ${feedback.installation_id})`);
         }
         else {
-            ui.step("ok", "Feedback", "relay off — stays in local JSONL");
+            ui.step("ok", "Stay connected", "skipped — nothing shared, feedback stays local");
         }
         // Step 5b — optional Claude Code policy hook.
         await maybeInstallClaudeCodeHook(opts, rl);
@@ -169,8 +249,17 @@ async function runOnboard(opts, globalOpts) {
         if (opts.skipCapture) {
             ui.step("skip", "Chat import", "skipped (--skip-capture)");
         }
+        else if (last4 === null) {
+            // Auto-capture saves embed each conversation, so it needs a real
+            // embedding provider. In keyword-only mode it is skipped; import +
+            // search below still work.
+            ui.step("skip", "Chat import", "skipped (no embedding key — capture needs one)");
+        }
         else if (captureDisabled) {
-            ui.step("skip", "Chat import", "skipped (Codex CLI not ready)");
+            // Capture lane is off — either the default (no --enable-capture) or a
+            // failed/declined Codex preflight. The "Chat access" step above already
+            // printed the specific reason.
+            ui.step("skip", "Chat import", "skipped (capture not enabled)");
         }
         else {
             const captureResult = await runFirstCapturePass(globalOpts.config, dataDir);
@@ -223,7 +312,9 @@ async function runOnboard(opts, globalOpts) {
         }
         // Step 10 — next-action card.
         const card = decideOnboardOutcome({ ingestedAny, recall });
-        card.push(ui.pc.dim(`Voyage: key valid (last 4 …${last4})${safeLabel ? ` · label ${safeLabel}` : ""}`));
+        card.push(ui.pc.dim(last4 !== null
+            ? `Voyage: key valid (last 4 …${last4})${safeLabel ? ` · label ${safeLabel}` : ""}`
+            : "Search: keyword-only (no embedding key) — add one later for semantic search"));
         ui.box(card);
         ui.line("");
     }
@@ -261,7 +352,19 @@ async function ensureConfigAndDataDir(configPath, opts, rl) {
         embedding: { provider: "voyage", model: "voyage-3-lite" },
         data_paths: { data_dir: dataDir, jobs_dir: path.join(dataDir, "..", "jobs") },
         rate_limit: { window_ms: 60_000, max_requests: 100 },
-        capture: { enabled: true, interval_seconds: 3600 },
+        // Trust-first default: scheduled chat capture is OFF. The capture lane
+        // runs a Codex CLI triage call, so a fresh install sends no conversation
+        // content off-device, runs no Voyage embedding, and makes no Codex model
+        // call until the user opts in with `--enable-capture` (persisted below).
+        // (The daemon does make a metadata-only npm version check — no content, no
+        // key, no machine info.) The daemon gates auto-capture on `capture.enabled`.
+        capture: { enabled: false, interval_seconds: 3600 },
+        // Trust-first default: AI metadata enrichment is OFF. Import + keyword
+        // search run AI-free (BasicMetadataExtractor) and make no Codex calls,
+        // even on a machine with Codex installed. `--enable-codex-enrichment`
+        // (persisted below) flips this on. The `embedding` block above is a
+        // routing target only — without a Voyage key, search stays lexical.
+        enrichment: { ai_metadata: false },
     };
     fs.mkdirSync(path.dirname(absoluteConfig), { recursive: true });
     fs.writeFileSync(absoluteConfig, JSON.stringify(config, null, 2) + "\n", {
@@ -339,9 +442,82 @@ export function persistVoyageLabel(configPath, label) {
     });
     fs.renameSync(tmp, absolute);
 }
+/**
+ * Persist the Codex AI-metadata-enrichment opt-in into config.json. Default
+ * onboarding leaves `enrichment.ai_metadata = false` (AI-free import + keyword
+ * search, zero Codex calls). When the user passes `--enable-codex-enrichment`,
+ * this flips it to true so the daemon/worker select the Codex-backed extractor.
+ * Backs the file up first, mirroring `persistVoyageLabel`.
+ *
+ * Exported for orchestrator-level tests; `runOnboard` is the only production
+ * caller. Returns true when the flag was set and persisted, false otherwise.
+ */
+export function applyCodexEnrichmentOptIn(enable, configPath, emit) {
+    if (enable !== true)
+        return false;
+    const absolute = path.resolve(configPath);
+    if (!fs.existsSync(absolute)) {
+        throw new CliError(`Cannot persist enrichment opt-in: config not found at ${absolute}`, "validation");
+    }
+    const raw = fs.readFileSync(absolute, "utf8");
+    const stamp = new Date().toISOString().replace(/[:.]/g, "-");
+    fs.writeFileSync(`${absolute}.bak.${stamp}`, raw, { encoding: "utf8", mode: 0o600 });
+    const parsed = JSON.parse(raw);
+    const enrichment = parsed["enrichment"] ?? {};
+    enrichment["ai_metadata"] = true;
+    parsed["enrichment"] = enrichment;
+    const tmp = `${absolute}.tmp.${process.pid}`;
+    fs.writeFileSync(tmp, JSON.stringify(parsed, null, 2) + "\n", {
+        encoding: "utf8",
+        mode: 0o644,
+    });
+    fs.renameSync(tmp, absolute);
+    emit("Codex AI metadata enrichment enabled (enrichment.ai_metadata = true).");
+    return true;
+}
+/**
+ * Persist the scheduled-capture opt-in. Default install writes
+ * `capture.enabled = false` (trust-first: zero Codex calls on a fresh
+ * machine). When the user passes `--enable-capture`, this flips it to true
+ * so the daemon runs auto-capture on its interval. Backs the file up first,
+ * mirroring `applyCodexEnrichmentOptIn`.
+ *
+ * Exported for orchestrator-level tests; `runOnboard` is the only production
+ * caller. Returns true when the flag was set and persisted, false otherwise.
+ */
+export function applyCaptureOptIn(enable, configPath, emit) {
+    if (enable !== true)
+        return false;
+    const absolute = path.resolve(configPath);
+    if (!fs.existsSync(absolute)) {
+        throw new CliError(`Cannot persist capture opt-in: config not found at ${absolute}`, "validation");
+    }
+    const raw = fs.readFileSync(absolute, "utf8");
+    const stamp = new Date().toISOString().replace(/[:.]/g, "-");
+    fs.writeFileSync(`${absolute}.bak.${stamp}`, raw, { encoding: "utf8", mode: 0o600 });
+    const parsed = JSON.parse(raw);
+    const capture = parsed["capture"] ?? {};
+    capture["enabled"] = true;
+    parsed["capture"] = capture;
+    const tmp = `${absolute}.tmp.${process.pid}`;
+    fs.writeFileSync(tmp, JSON.stringify(parsed, null, 2) + "\n", {
+        encoding: "utf8",
+        mode: 0o644,
+    });
+    fs.renameSync(tmp, absolute);
+    emit("Scheduled chat capture enabled (capture.enabled = true).");
+    return true;
+}
 // ----- Step 2: Voyage key flow -----
-async function collectAndPersistVoyageKey(opts, globalOpts, rl) {
+async function collectAndPersistVoyageKey(opts, rl) {
     const key = await collectVoyageKey(opts, rl);
+    if (!key) {
+        // No key → keyword-only (lexical) mode. Not a failure; import + search
+        // still work. Skip validation, the env write, and the Voyage smoke.
+        ui.step("info", "Search index", "no key — keyword search (semantic off)");
+        ui.note("Add semantic search later: run `rift onboard` and paste a Voyage key.");
+        return null;
+    }
     const validateSpin = new ui.Spinner("Search index").start();
     const validation = await validateVoyageKey({ apiKey: key });
     if (!validation.ok) {
@@ -356,37 +532,45 @@ async function collectAndPersistVoyageKey(opts, globalOpts, rl) {
         : "wrote ~/.rift.env (mode 0600)");
     // Refresh process.env so any subsequent in-process Voyage call sees it.
     loadRiftEnv({ filePath: envPath });
-    const refresh = await daemonRefreshFlow(globalOpts);
-    // `not_configured` / `agent_not_loaded` are recoverable — the daemon
-    // simply isn't running yet (typical on fresh-Mac install before
-    // install.sh bootstraps the plist). Onboarding continues without the
-    // post-kickstart smoke; install.sh will pick it up.
-    if (!refresh.ok && refresh.kind !== "not_configured" && refresh.kind !== "agent_not_loaded") {
-        throw new CliError(`Voyage smoke failed after daemon kickstart: ${refresh.reason}`, "server_error");
-    }
+    // NOTE: the daemon kickstart + smoke deliberately does NOT happen here.
+    // It runs in `runOnboard` AFTER the opt-in writes (label/enrichment/
+    // capture) land in config.json, so the respawned daemon boots with the
+    // final config. The daemon builds its capture loop and metadata extractor
+    // once at boot (src/main.ts), so kickstarting before those writes would
+    // leave `--enable-capture` / `--enable-codex-enrichment` inert until a
+    // later restart.
     return validation.last4;
 }
-async function collectVoyageKey(opts, rl) {
-    if (opts.voyageKey)
+/**
+ * Resolve the Voyage key, or `""` to mean "finish without a key" (keyword-only
+ * lexical mode). The key is no longer mandatory: a friend can import and search
+ * first, then add a key later for semantic ranking. Returns `""` on explicit
+ * opt-out (`--no-voyage-key`), on `--yes` with no key available, or when the
+ * interactive prompt is left blank.
+ */
+export async function collectVoyageKey(opts, rl) {
+    if (opts.voyageKey === false || opts.noVoyageKey === true)
+        return "";
+    if (typeof opts.voyageKey === "string" && opts.voyageKey.trim()) {
         return opts.voyageKey.trim();
+    }
     if (process.env["VOYAGE_API_KEY"])
         return process.env["VOYAGE_API_KEY"].trim();
-    if (opts.yes) {
-        throw new CliError("--yes given but no Voyage key found (use --voyage-key or set VOYAGE_API_KEY).", "validation");
-    }
+    // Non-interactive with no key supplied: finish in lexical mode rather than
+    // fail. The friend can run `rift onboard` again with a key anytime.
+    if (opts.yes)
+        return "";
     // Explain the key BEFORE asking for it — a beta user should know what
     // they are pasting and why, not be confronted with a bare prompt.
     ui.detail([
-        "Search index key",
+        "Search index key (optional)",
         "• What: paste the Voyage key Clem sent you (it won't echo as you type).",
-        "• Why: Rift uses Voyage to make your archive searchable by meaning.",
+        "• Why: Voyage adds meaning-based (semantic) search on top of keyword search.",
+        "• Skip: press Enter to finish now with keyword search — add a key later anytime.",
         "• Privacy: the key is stored locally and only sent to Voyage when Rift calls Voyage; never sent to Clem.",
     ].join("\n"));
-    const answer = (await ask(rl, "Paste your Voyage API key: ")).trim();
-    if (answer.length === 0) {
-        throw new CliError("Voyage key is required.", "validation");
-    }
-    return answer;
+    const answer = (await ask(rl, "Paste your Voyage API key (or press Enter to skip): ")).trim();
+    return answer; // "" → finish in keyword-only mode
 }
 /**
  * Kickstart, wait for /health, confirm the respawned daemon process has
@@ -533,21 +717,115 @@ async function codexPreflight() {
         return false;
     }
 }
-async function collectFeedbackPreference(opts, dataDir) {
-    let enabled = false;
+/**
+ * Conservative email check — enough to catch obvious typos at the prompt;
+ * the relay endpoint can re-validate. Returns the normalized (trimmed,
+ * lowercased) address, or undefined if it doesn't look like an email.
+ */
+export function normalizeEmail(raw) {
+    const s = raw.trim().toLowerCase();
+    return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(s) ? s : undefined;
+}
+/**
+ * Bundled "stay connected" opt-in. One yes/no that, on yes, collects an
+ * email used for product news, pricing, a leaving-beta heads-up, and a
+ * feedback channel. Opt-in only: `--yes` alone never subscribes (consent
+ * must be active), `--no-feedback-relay` declines, and `--email` subscribes
+ * non-interactively. The relay URL stays operator-only infra; when none is
+ * configured the email is captured locally (sidecar + beta-signups.jsonl)
+ * and reaches the operator once an endpoint is wired.
+ */
+export async function collectFeedbackPreference(opts, dataDir, rl, store = macRelaySecretStore) {
+    const declined = isOff(opts, "feedbackRelay", "noFeedbackRelay");
+    // Relay URL + signing secret come from EITHER an invite code (preferred:
+    // nothing to paste by hand) OR the back-compat operator flags. The secret
+    // never lands in the sidecar — it goes to the Keychain below.
     let url;
-    // Default onboarding keeps feedback fully local (JSONL). There is no
-    // bundled hosted relay endpoint, so we never ask a beta user to paste a
-    // "Relay URL:" — that field is operator-only infrastructure. The relay
-    // is reachable solely via the advanced, non-interactive
-    // `--enable-feedback-relay <url>` flag.
-    if (opts.enableFeedbackRelay) {
-        enabled = true;
-        url = opts.enableFeedbackRelay;
-    }
-    const cfg = enabled && url
-        ? { enabled: true, url, installation_id: crypto.randomUUID() }
+    let secret;
+    if (!declined) {
+        if (opts.invite) {
+            const invite = parseInvite(opts.invite); // throws a friendly CliError if bad
+            url = invite.url;
+            secret = invite.secret;
+        }
+        else {
+            url = opts.enableFeedbackRelay;
+            secret = url ? opts.relaySecret : undefined;
+        }
+    }
+    // Friend-grade interactive path: when no relay flags were passed, offer to
+    // paste an invite so the bearer code never lands in shell history. Skipped
+    // off a TTY and under --yes (automation). A bad paste warns and skips — it
+    // never aborts onboarding.
+    if (!declined &&
+        !url &&
+        !opts.invite &&
+        !opts.enableFeedbackRelay &&
+        !opts.yes &&
+        process.stdin.isTTY) {
+        const pasted = (await ask(rl, "Paste a Rift invite code to enable feedback (Enter to skip): ")).trim();
+        if (pasted) {
+            try {
+                const invite = parseInvite(pasted);
+                url = invite.url;
+                secret = invite.secret;
+            }
+            catch {
+                say("  That invite code is not valid — skipping feedback setup.");
+            }
+        }
+    }
+    // Configuring a URL without a signing secret leaves the install "looks
+    // configured, silently dead" — the receiver requires a valid signature.
+    // An invite always carries one; the flag path must pair a secret or
+    // knowingly opt into unsigned mode (dev/local receivers only).
+    if (url && !secret && !opts.allowUnsignedFeedbackRelay) {
+        throw new CliError("Relay needs a signing secret. Use an invite (rift onboard --invite <code>), " +
+            "or pair --enable-feedback-relay with --relay-secret " +
+            "(or --allow-unsigned-feedback-relay for a dev receiver).", "validation");
+    }
+    // Secure the secret BEFORE enabling relay: a write failure must not leave an
+    // enabled config that can't sign. (3a's `rift feedback setup` does the same.)
+    if (secret) {
+        try {
+            await store.write(secret);
+        }
+        catch (err) {
+            if (err instanceof LockedKeychainError) {
+                throw new CliError("Your macOS Keychain is locked. Unlock it and retry: " +
+                    "security unlock-keychain ~/Library/Keychains/login.keychain-db", "validation");
+            }
+            throw err;
+        }
+    }
+    let email;
+    if (!declined) {
+        if (opts.email) {
+            email = normalizeEmail(opts.email);
+            if (!email) {
+                throw new CliError(`--email "${opts.email}" is not a valid email address.`, "validation");
+            }
+        }
+        else if (!opts.yes && process.stdin.isTTY) {
+            email = await promptStayConnected(rl);
+        }
+        // --yes / non-TTY with no --email: do not auto-subscribe.
+    }
+    const optedIn = email !== undefined || url !== undefined;
+    const cfg = optedIn
+        ? {
+            enabled: true,
+            installation_id: crypto.randomUUID(),
+            ...(email ? { email } : {}),
+            ...(url ? { url } : {}),
+            // url && !secret only happens under --allow-unsigned-feedback-relay
+            // (the guard above throws otherwise): mark it an intentional unsigned
+            // relay so maybeRelay may POST without a secret for THIS install only.
+            ...(url && !secret ? { unsigned: true } : {}),
+        }
         : { enabled: false };
+    // The sidecar holds only non-secret fields; the secret is already in the
+    // Keychain (above).
     fs.mkdirSync(dataDir, { recursive: true });
     const sidecar = path.join(dataDir, "feedback-config.json");
     fs.writeFileSync(sidecar, JSON.stringify(cfg, null, 2) + "\n", {
@@ -555,8 +833,91 @@ async function collectFeedbackPreference(opts, dataDir) {
         mode: 0o600,
     });
     fs.chmodSync(sidecar, 0o600);
+    if (cfg.email && cfg.installation_id) {
+        // Sign the signup POST with the in-hand secret (no Keychain round-trip).
+        await emitBetaSignup(cfg.email, cfg.installation_id, cfg.url, secret, dataDir);
+    }
     return cfg;
 }
+/**
+ * Interactive bundled opt-in. Returns the chosen email, or undefined if the
+ * user declines or skips. Re-prompts up to 3× on a malformed address; an
+ * empty line at any point means "skip".
+ */
+async function promptStayConnected(rl) {
+    ui.detail([
+        "Stay in the loop (optional)",
+        "• Get product news, pricing once we set it, and a heads-up when Rift leaves beta.",
+        "• Gives you a direct line to send feedback any time via `rift feedback`.",
+        "• Opt-in. Stored locally, shared only with Clem — never sold, never spammed.",
+    ].join("\n"));
+    const yn = (await ask(rl, "Share your email to stay connected? [y/N] ")).trim().toLowerCase();
+    if (yn !== "y" && yn !== "yes")
+        return undefined;
+    for (let attempt = 0; attempt < 3; attempt++) {
+        const raw = (await ask(rl, "Your email (Enter to skip): ")).trim();
+        if (raw.length === 0)
+            return undefined;
+        const norm = normalizeEmail(raw);
+        if (norm)
+            return norm;
+        say("  That doesn't look like an email address — try again, or press Enter to skip.");
+    }
+    return undefined;
+}
+/**
+ * Record a one-time beta signup. The local JSONL row is canonical (never
+ * lost); the relay POST is best-effort and only fires when an endpoint URL
+ * is configured. Failures are swallowed — onboarding must never break on a
+ * signup hiccup.
+ */
+async function emitBetaSignup(email, installationId, url, hmacSecret, dataDir) {
+    const build = getBuildInfo();
+    const payload = {
+        ts: new Date().toISOString(),
+        event: "beta_signup",
+        email,
+        installation_id: installationId,
+        version: build.version,
+        commit: build.commit,
+        node: build.node,
+    };
+    // Audit invariant: every byte that reaches Clem must exist locally first.
+    // If the canonical row can't be written, we must NOT relay — otherwise a
+    // signup could reach Clem with no local record to audit against.
+    let wroteLocal = false;
+    try {
+        const dir = path.join(dataDir, "observability");
+        fs.mkdirSync(dir, { recursive: true });
+        const file = path.join(dir, "beta-signups.jsonl");
+        fs.appendFileSync(file, `${JSON.stringify(payload)}\n`, {
+            encoding: "utf8",
+            mode: 0o600,
+        });
+        wroteLocal = true; // the canonical row is on disk; chmod below is cosmetic
+        try {
+            fs.chmodSync(file, 0o600);
+        }
+        catch {
+            // best-effort permission fix — does not affect the audit invariant
+        }
+    }
+    catch {
+        // Local write failed — don't break onboarding over a signup row, and
+        // (below) don't relay something we couldn't record locally.
+    }
+    if (url && wroteLocal) {
+        try {
+            await postFeedback(payload, {
+                url,
+                ...(hmacSecret ? { hmacSecret } : {}),
+            });
+        }
+        catch {
+            // Best-effort; the canonical row is already on disk.
+        }
+    }
+}
 // ----- Step 5b: Claude Code policy hook (opt-in) -----
 /**
  * Offer to install the Rift policy hook into Claude Code's settings.