@inteeka/task-cli 0.2.16 → 0.2.18

package/dist/cli.js

@@ -247,7 +247,7 @@ import open from "open";
 import ora from "ora";
 
 // src/config/credentials.ts
-import { mkdir, readFile, writeFile, unlink, chmod, stat } from "fs/promises";
+import { mkdir, readFile, writeFile, unlink, chmod, stat, rename } from "fs/promises";
 import { homedir } from "os";
 import { dirname, join } from "path";
 var CONFIG_DIR = join(homedir(), ".config", "task");
@@ -289,8 +289,10 @@ async function readCredentials() {
 }
 async function writeCredentials(creds) {
   await ensureDir(dirname(CREDENTIALS_PATH));
-  await writeFile(CREDENTIALS_PATH, JSON.stringify(creds, null, 2), { mode: 384 });
-  await chmod(CREDENTIALS_PATH, 384);
+  const tmpPath = `${CREDENTIALS_PATH}.${process.pid}.tmp`;
+  await writeFile(tmpPath, JSON.stringify(creds, null, 2), { mode: 384 });
+  await chmod(tmpPath, 384);
+  await rename(tmpPath, CREDENTIALS_PATH);
 }
 async function clearCredentials() {
   try {
@@ -299,6 +301,7 @@ async function clearCredentials() {
     if (err.code !== "ENOENT") throw err;
   }
 }
+var CREDENTIALS_DIR = CONFIG_DIR;
 
 // src/util/host.ts
 import { createHash } from "crypto";
@@ -449,13 +452,34 @@ function sleep(ms) {
 
 // src/api/client.ts
 import { request as request3 } from "undici";
-import { mkdir as mkdir2, writeFile as writeFile2 } from "fs/promises";
+import { mkdir as mkdir3, writeFile as writeFile3 } from "fs/promises";
 import { homedir as homedir2 } from "os";
-import { join as join2 } from "path";
+import { join as join3 } from "path";
 
 // src/auth/refresh.ts
 import { request as request2 } from "undici";
+import { mkdir as mkdir2, writeFile as writeFile2 } from "fs/promises";
+import { join as join2 } from "path";
+import { lock } from "proper-lockfile";
 var REFRESH_LEEWAY_MS = 6e4;
+var REFRESH_LOCK_PATH = join2(CREDENTIALS_DIR, ".refresh.lock");
+async function ensureLockFileExists() {
+  await mkdir2(CREDENTIALS_DIR, { recursive: true, mode: 448 });
+  await writeFile2(REFRESH_LOCK_PATH, "", { mode: 384, flag: "a" });
+}
+async function withRefreshLock(fn) {
+  await ensureLockFileExists();
+  const release = await lock(REFRESH_LOCK_PATH, {
+    retries: { retries: 50, minTimeout: 100, maxTimeout: 1e3, factor: 1.5 },
+    stale: 3e4,
+    update: 1e4
+  });
+  try {
+    return await fn();
+  } finally {
+    await release();
+  }
+}
 async function ensureFreshAccessToken(creds) {
   const expiresMs = new Date(creds.access_expires_at).getTime();
   if (Number.isFinite(expiresMs) && expiresMs - Date.now() > REFRESH_LEEWAY_MS) {
@@ -464,6 +488,18 @@ async function ensureFreshAccessToken(creds) {
   return performRefresh(creds);
 }
 async function performRefresh(creds) {
+  return withRefreshLock(async () => {
+    const onDisk = await readCredentials();
+    if (onDisk) {
+      const expiresMs = new Date(onDisk.access_expires_at).getTime();
+      if (Number.isFinite(expiresMs) && expiresMs - Date.now() > REFRESH_LEEWAY_MS) {
+        return onDisk;
+      }
+    }
+    return refreshHttp(onDisk ?? creds);
+  });
+}
+async function refreshHttp(creds, retriesLeft = 1) {
   const { hostId } = getHostInfo();
   const apiUrl = creds.api_url.replace(/\/$/, "");
   const res = await request2(`${apiUrl}/api/v1/cli/auth/refresh`, {
@@ -481,6 +517,16 @@ async function performRefresh(creds) {
     headersTimeout: 15e3
   });
   if (res.statusCode === 401 || res.statusCode === 403) {
+    const onDisk = await readCredentials();
+    if (onDisk && onDisk.refresh_token !== creds.refresh_token) {
+      const expiresMs = new Date(onDisk.access_expires_at).getTime();
+      if (Number.isFinite(expiresMs) && expiresMs - Date.now() > REFRESH_LEEWAY_MS) {
+        return onDisk;
+      }
+      if (retriesLeft > 0) {
+        return refreshHttp(onDisk, retriesLeft - 1);
+      }
+    }
     await clearCredentials();
     throw new CliError(
       CLI_EXIT_CODES.UNAUTHORISED,
@@ -518,13 +564,13 @@ async function manualRefresh() {
 // src/api/client.ts
 async function dumpServerError(method, path, status, rawBody, headers) {
   try {
-    const dir = join2(homedir2(), ".cache", "task", "api-debug");
-    await mkdir2(dir, { recursive: true });
-    const file = join2(dir, `${Date.now()}-${status}.log`);
+    const dir = join3(homedir2(), ".cache", "task", "api-debug");
+    await mkdir3(dir, { recursive: true });
+    const file = join3(dir, `${Date.now()}-${status}.log`);
     const safeHeaders = { ...headers };
     delete safeHeaders["Authorization"];
     delete safeHeaders["authorization"];
-    await writeFile2(
+    await writeFile3(
       file,
       [
         `## ${method} ${path}`,
@@ -666,10 +712,10 @@ async function apiCallOrThrow(method, path, options = {}) {
 }
 
 // src/config/local-config.ts
-import { mkdir as mkdir3, readFile as readFile2, writeFile as writeFile3 } from "fs/promises";
+import { mkdir as mkdir4, readFile as readFile2, writeFile as writeFile4 } from "fs/promises";
 import { homedir as homedir3 } from "os";
-import { dirname as dirname2, join as join3 } from "path";
-var CONFIG_PATH = join3(homedir3(), ".config", "task", "config.json");
+import { dirname as dirname2, join as join4 } from "path";
+var CONFIG_PATH = join4(homedir3(), ".config", "task", "config.json");
 var DEFAULT_CONFIG = {
   api_url: process.env["TASK_API_URL"] ?? "http://localhost:3400",
   default_project: null,
@@ -689,8 +735,8 @@ async function readLocalConfig() {
   }
 }
 async function writeLocalConfig(config) {
-  await mkdir3(dirname2(CONFIG_PATH), { recursive: true });
-  await writeFile3(CONFIG_PATH, JSON.stringify(config, null, 2));
+  await mkdir4(dirname2(CONFIG_PATH), { recursive: true });
+  await writeFile4(CONFIG_PATH, JSON.stringify(config, null, 2));
 }
 async function setConfigValue(key, value) {
   const cfg = await readLocalConfig();
@@ -809,14 +855,14 @@ function registerAuthRefresh(program2) {
 }
 
 // src/commands/link.ts
-import { readFile as readFile4, writeFile as writeFile5, appendFile, access } from "fs/promises";
+import { readFile as readFile4, writeFile as writeFile6, appendFile, access } from "fs/promises";
 import { constants as fsConstants } from "fs";
-import { join as join5 } from "path";
+import { join as join6 } from "path";
 import inquirer from "inquirer";
 
 // src/config/project.ts
-import { mkdir as mkdir4, readFile as readFile3, writeFile as writeFile4, unlink as unlink2 } from "fs/promises";
-import { dirname as dirname3, join as join4, resolve } from "path";
+import { mkdir as mkdir5, readFile as readFile3, writeFile as writeFile5, unlink as unlink2 } from "fs/promises";
+import { dirname as dirname3, join as join5, resolve } from "path";
 import { execSync } from "child_process";
 function findRepoRoot(start = process.cwd()) {
   try {
@@ -827,7 +873,7 @@ function findRepoRoot(start = process.cwd()) {
   }
 }
 function configPath(repoRoot) {
-  return join4(repoRoot ?? findRepoRoot(), ".task", "config.json");
+  return join5(repoRoot ?? findRepoRoot(), ".task", "config.json");
 }
 async function readProjectConfig(repoRoot) {
   const path = configPath(repoRoot);
@@ -841,8 +887,8 @@ async function readProjectConfig(repoRoot) {
 }
 async function writeProjectConfig(config, repoRoot) {
   const path = configPath(repoRoot);
-  await mkdir4(dirname3(path), { recursive: true });
-  await writeFile4(path, JSON.stringify(config, null, 2));
+  await mkdir5(dirname3(path), { recursive: true });
+  await writeFile5(path, JSON.stringify(config, null, 2));
 }
 async function clearProjectConfig(repoRoot) {
   const path = configPath(repoRoot);
@@ -941,7 +987,7 @@ async function resolveProject(projects, opts) {
   return picked;
 }
 async function ensureGitignored(repoRoot) {
-  const gitignorePath = join5(repoRoot, ".gitignore");
+  const gitignorePath = join6(repoRoot, ".gitignore");
   let existing = null;
   try {
     await access(gitignorePath, fsConstants.F_OK);
@@ -956,7 +1002,7 @@ async function ensureGitignored(repoRoot) {
     await appendFile(gitignorePath, block);
     return "added";
   }
-  await writeFile5(gitignorePath, "# task CLI link config\n.task/\n");
+  await writeFile6(gitignorePath, "# task CLI link config\n.task/\n");
   return "created";
 }
 
@@ -1468,9 +1514,9 @@ import inquirer2 from "inquirer";
 
 // src/agent/agent-service.ts
 import { spawn } from "child_process";
-import { mkdir as mkdir5, writeFile as writeFile6 } from "fs/promises";
+import { mkdir as mkdir6, writeFile as writeFile7 } from "fs/promises";
 import { homedir as homedir4 } from "os";
-import { join as join6 } from "path";
+import { join as join7 } from "path";
 
 // src/agent/allowed-tools.ts
 var ALLOWED_TOOLS = CLI_ALLOWED_TOOLS;
@@ -1527,10 +1573,10 @@ async function runAgent(args) {
   let outputLogPath = null;
   let logHandle = null;
   if (args.silent) {
-    const dir = join6(homedir4(), ".cache", "task", "runs");
-    await mkdir5(dir, { recursive: true });
-    outputLogPath = join6(dir, `${args.runId}.log`);
-    await writeFile6(outputLogPath, "");
+    const dir = join7(homedir4(), ".cache", "task", "runs");
+    await mkdir6(dir, { recursive: true });
+    outputLogPath = join7(dir, `${args.runId}.log`);
+    await writeFile7(outputLogPath, "");
     const { createWriteStream } = await import("fs");
     logHandle = createWriteStream(outputLogPath, { flags: "a" });
   }
@@ -1731,11 +1777,111 @@ async function runProjectTest(args) {
   });
 }
 
+// src/test-runner/auto-install.ts
+import { spawn as spawn3 } from "child_process";
+import { stat as stat2 } from "fs/promises";
+import { dirname as dirname4, join as join8 } from "path";
+var INSTALL_TIMEOUT_MS = 10 * 60 * 1e3;
+var TAIL_BYTES2 = 4e3;
+async function findPnpmWorkspaceRoot(start) {
+  let cur = start;
+  for (; ; ) {
+    try {
+      await stat2(join8(cur, "pnpm-lock.yaml"));
+      return cur;
+    } catch {
+    }
+    const parent = dirname4(cur);
+    if (parent === cur) return null;
+    cur = parent;
+  }
+}
+async function mtimeMs(path) {
+  try {
+    return (await stat2(path)).mtimeMs;
+  } catch {
+    return null;
+  }
+}
+async function ensureWorkspaceInstalled(args) {
+  const start = Date.now();
+  const workspaceRoot = await findPnpmWorkspaceRoot(args.cwd);
+  if (!workspaceRoot) {
+    return {
+      ok: true,
+      skipped: true,
+      reason: "no pnpm-lock.yaml on the path \u2014 not a pnpm workspace",
+      workspaceRoot: null,
+      durationMs: Date.now() - start,
+      exitCode: null,
+      tail: ""
+    };
+  }
+  const lockMtime = await mtimeMs(join8(workspaceRoot, "pnpm-lock.yaml"));
+  const markerMtime = await mtimeMs(join8(workspaceRoot, "node_modules", ".modules.yaml"));
+  if (lockMtime !== null && markerMtime !== null && markerMtime >= lockMtime) {
+    return {
+      ok: true,
+      skipped: true,
+      reason: "node_modules in sync with pnpm-lock.yaml",
+      workspaceRoot,
+      durationMs: Date.now() - start,
+      exitCode: null,
+      tail: ""
+    };
+  }
+  const reason = markerMtime === null ? "node_modules missing \u2014 cold install" : "pnpm-lock.yaml newer than install marker";
+  return new Promise((resolve2) => {
+    const child = spawn3("pnpm", ["install", "--frozen-lockfile"], {
+      cwd: workspaceRoot,
+      stdio: ["ignore", "pipe", "pipe"],
+      shell: false,
+      env: { ...process.env, CI: "1" },
+      ...args.signal ? { signal: args.signal } : {}
+    });
+    let buf = "";
+    const append = (chunk) => {
+      buf += chunk.toString("utf8");
+      if (buf.length > TAIL_BYTES2 * 2) buf = buf.slice(-TAIL_BYTES2);
+    };
+    child.stdout?.on("data", append);
+    child.stderr?.on("data", append);
+    const timeoutHandle = setTimeout(() => {
+      child.kill("SIGKILL");
+    }, INSTALL_TIMEOUT_MS);
+    child.on("close", (code) => {
+      clearTimeout(timeoutHandle);
+      resolve2({
+        ok: code === 0,
+        skipped: false,
+        reason,
+        workspaceRoot,
+        durationMs: Date.now() - start,
+        exitCode: code,
+        tail: buf.slice(-TAIL_BYTES2)
+      });
+    });
+    child.on("error", (err) => {
+      clearTimeout(timeoutHandle);
+      const msg = err.code === "ENOENT" ? "`pnpm` not on PATH" : err.message;
+      resolve2({
+        ok: false,
+        skipped: false,
+        reason: `${reason} \u2014 spawn error: ${msg}`,
+        workspaceRoot,
+        durationMs: Date.now() - start,
+        exitCode: null,
+        tail: buf.slice(-TAIL_BYTES2)
+      });
+    });
+  });
+}
+
 // src/util/progress.ts
-import { mkdir as mkdir6, writeFile as writeFile7, rename, unlink as unlink3, readdir, stat as stat2 } from "fs/promises";
+import { mkdir as mkdir7, writeFile as writeFile8, rename as rename2, unlink as unlink3, readdir, stat as stat3 } from "fs/promises";
 import { tmpdir } from "os";
-import { join as join7 } from "path";
-var PROGRESS_DIR = join7(tmpdir(), "task-progress");
+import { join as join9 } from "path";
+var PROGRESS_DIR = join9(tmpdir(), "task-progress");
 var STALE_MAX_AGE_MS = 24 * 60 * 60 * 1e3;
 var ProgressWriter = class {
   path;
@@ -1748,7 +1894,7 @@ var ProgressWriter = class {
     this.ticketId = ticketId;
     const deliveryId = process.env["TASK_DELIVERY_ID"]?.trim();
     const fileBase = deliveryId && deliveryId.length > 0 ? deliveryId : `manual-${process.pid}`;
-    this.path = join7(PROGRESS_DIR, `${fileBase}.json`);
+    this.path = join9(PROGRESS_DIR, `${fileBase}.json`);
   }
   /** Switch the in-flight ticket between phases (used by `task scan` which iterates). */
   setTicketId(ticketId) {
@@ -1782,13 +1928,13 @@ var ProgressWriter = class {
     });
   }
   async writeAtomic(payload) {
-    await mkdir6(PROGRESS_DIR, { recursive: true }).catch(() => {
+    await mkdir7(PROGRESS_DIR, { recursive: true }).catch(() => {
     });
     const body = JSON.stringify(payload);
     const tmp = `${this.path}.tmp`;
     try {
-      await writeFile7(tmp, body, { encoding: "utf8", mode: 384 });
-      await rename(tmp, this.path);
+      await writeFile8(tmp, body, { encoding: "utf8", mode: 384 });
+      await rename2(tmp, this.path);
     } catch {
       await unlink3(tmp).catch(() => {
       });
@@ -1804,9 +1950,9 @@ var ProgressWriter = class {
       const cutoff = Date.now() - STALE_MAX_AGE_MS;
       await Promise.all(
         entries.filter((name) => name.endsWith(".json") || name.endsWith(".json.tmp")).map(async (name) => {
-          const p = join7(PROGRESS_DIR, name);
+          const p = join9(PROGRESS_DIR, name);
           try {
-            const s = await stat2(p);
+            const s = await stat3(p);
             if (s.mtimeMs < cutoff) {
               await unlink3(p).catch(() => {
               });
@@ -2170,6 +2316,50 @@ ${detail.ai_fix_approval_notes}` : ""
   await progress.setPhase("testing", {
     detail: testCommand ?? "pnpm typecheck"
   });
+  const installResult = await ensureWorkspaceInstalled({ cwd });
+  if (!installResult.ok) {
+    discardWorkingTreeChanges(cwd);
+    try {
+      checkoutBranch(cwd, baseBranch);
+    } catch {
+    }
+    deleteLocalBranch(cwd, branchName);
+    await apiCall("POST", "/api/v1/cli/me/runs", {
+      body: {
+        ticket_id: detail.id,
+        schedule_id: opts.scheduleId,
+        event: "tests_failed",
+        claude_session_id: runId,
+        duration_ms: installResult.durationMs,
+        output_excerpt: `pnpm install --frozen-lockfile failed (${installResult.reason})
+${installResult.tail}`.slice(
+          0,
+          4e3
+        )
+      }
+    });
+    if (!silent) {
+      process.stdout.write(
+        `${c.err("\u2717 pnpm install --frozen-lockfile failed")} (exit ${installResult.exitCode}) \u2014 branch deleted, no push.
+`
+      );
+      if (installResult.tail.trim().length > 0) {
+        process.stdout.write(c.dim(installResult.tail.slice(-1e3) + "\n"));
+      }
+    }
+    throw new CliError(
+      CLI_EXIT_CODES.GENERIC_ERROR,
+      `pnpm install --frozen-lockfile failed (exit ${installResult.exitCode}) \u2014 ${installResult.reason}`
+    );
+  }
+  if (!installResult.skipped && !silent) {
+    process.stdout.write(
+      c.dim(
+        `  pnpm install --frozen-lockfile (${installResult.reason}) \u2014 ${installResult.durationMs}ms
+`
+      )
+    );
+  }
   if (!silent)
     process.stdout.write(c.dim(`  running pre-push test: ${testCommand ?? "pnpm typecheck"}
 `));
@@ -3050,14 +3240,17 @@ async function jsonRequest(url, init) {
   };
 }
 var AutopilotApi = class {
+  creds;
   constructor(opts) {
-    this.opts = opts;
+    this.creds = opts.creds;
+    this.apiUrl = opts.apiUrl;
   }
-  adminHeaders() {
+  apiUrl;
+  async userHeaders() {
+    this.creds = await ensureFreshAccessToken(this.creds);
     return {
       "Content-Type": "application/json",
-      Authorization: `Bearer ${this.opts.apiKey}`,
-      "X-Actor-Email": this.opts.actorEmail,
+      Authorization: `Bearer ${this.creds.access_token}`,
       "User-Agent": "task-cli/scan"
     };
   }
@@ -3070,12 +3263,13 @@ var AutopilotApi = class {
     };
   }
   async listEligibleProjects() {
-    const url = `${this.opts.apiUrl}/api/v1/cli/projects`;
+    const url = `${this.apiUrl}/api/v1/cli/projects`;
     const result = await jsonRequest(url, {
       method: "GET",
-      headers: this.adminHeaders()
+      headers: await this.userHeaders()
     });
     if (!result.ok) {
+      await handleUserAuthFailure(result.code, result.status);
       throw new CliError(
         autopilotExitCode(result.code, result.status),
         `${result.code}: ${result.message}`
@@ -3084,10 +3278,10 @@ var AutopilotApi = class {
     return result.data ?? [];
   }
   async issueSkillToken(args) {
-    const url = `${this.opts.apiUrl}/api/v1/cli/issue-skill-token`;
+    const url = `${this.apiUrl}/api/v1/cli/issue-skill-token`;
     const result = await jsonRequest(url, {
       method: "POST",
-      headers: this.adminHeaders(),
+      headers: await this.userHeaders(),
       body: {
         project_id: args.project_id,
         scope: "fix_prompt_sync",
@@ -3096,6 +3290,7 @@ var AutopilotApi = class {
       }
     });
     if (!result.ok) {
+      await handleUserAuthFailure(result.code, result.status);
       throw new CliError(
         autopilotExitCode(result.code, result.status),
         `${result.code}: ${result.message}`
@@ -3104,7 +3299,7 @@ var AutopilotApi = class {
     return result.data;
   }
   async prepare(skillToken, batchSize, idempotencyKey) {
-    const url = `${this.opts.apiUrl}/api/v1/cli/fix-prompt-sync/prepare`;
+    const url = `${this.apiUrl}/api/v1/cli/fix-prompt-sync/prepare`;
     const result = await jsonRequest(url, {
       method: "POST",
       headers: this.skillHeaders(skillToken, { "Idempotency-Key": idempotencyKey }),
@@ -3122,7 +3317,7 @@ var AutopilotApi = class {
     return result.data;
   }
   async submit(args) {
-    const url = `${this.opts.apiUrl}/api/v1/cli/fix-prompt-sync/submit`;
+    const url = `${this.apiUrl}/api/v1/cli/fix-prompt-sync/submit`;
     const result = await jsonRequest(url, {
       method: "POST",
       headers: this.skillHeaders(args.skillToken, { "X-Prepare-Nonce": args.nonce }),
@@ -3148,7 +3343,7 @@ var AutopilotApi = class {
   }
   async abort(skillToken, ticketIds) {
     if (ticketIds.length === 0) return;
-    const url = `${this.opts.apiUrl}/api/v1/cli/fix-prompt-sync/abort`;
+    const url = `${this.apiUrl}/api/v1/cli/fix-prompt-sync/abort`;
     await jsonRequest(url, {
       method: "POST",
       headers: this.skillHeaders(skillToken),
@@ -3156,7 +3351,7 @@ var AutopilotApi = class {
     }).catch(() => void 0);
   }
   async runSummary(skillToken, summary) {
-    const url = `${this.opts.apiUrl}/api/v1/cli/fix-prompt-sync/run-summary`;
+    const url = `${this.apiUrl}/api/v1/cli/fix-prompt-sync/run-summary`;
     await jsonRequest(url, {
       method: "POST",
       headers: this.skillHeaders(skillToken),
@@ -3164,6 +3359,24 @@ var AutopilotApi = class {
     }).catch(() => void 0);
   }
 };
+async function handleUserAuthFailure(code, status) {
+  if (status === 401 && (code === "UNAUTHORIZED" || code === "TOKEN_EXPIRED")) {
+    await clearCredentials();
+    throw new CliError(
+      CLI_EXIT_CODES.UNAUTHORISED,
+      "Your CLI session is no longer valid",
+      "Run 'task login' to authenticate again."
+    );
+  }
+  if (status === 403 && code === "CLI_ACCESS_REVOKED") {
+    await clearCredentials();
+    throw new CliError(
+      CLI_EXIT_CODES.UNAUTHORISED,
+      "CLI access has been revoked",
+      "Ask a project admin to re-grant access from the Agentic CLI page."
+    );
+  }
+}
 function autopilotExitCode(code, status) {
   if (status === 401 || status === 403) return CLI_EXIT_CODES.UNAUTHORISED;
   if (code === "TIER_LIMIT_EXCEEDED" || code === "NO_GIT_INTEGRATION") {
@@ -3174,10 +3387,10 @@ function autopilotExitCode(code, status) {
 }
 
 // src/scan/llm.ts
-import { spawn as spawn3 } from "child_process";
-import { mkdir as mkdir7, writeFile as writeFile8 } from "fs/promises";
+import { spawn as spawn4 } from "child_process";
+import { mkdir as mkdir8, writeFile as writeFile9 } from "fs/promises";
 import { homedir as homedir5 } from "os";
-import { join as join8 } from "path";
+import { join as join10 } from "path";
 var FIX_PROMPT_JSON_SCHEMA = {
   type: "object",
   // Phase 3 — confidence_reason is REQUIRED unconditionally so the
@@ -3266,7 +3479,7 @@ async function generateFixPromptJson(args) {
   return new Promise((resolve2, reject) => {
     let child;
     try {
-      child = spawn3(claude, cliArgs, {
+      child = spawn4(claude, cliArgs, {
         stdio: ["pipe", "pipe", "pipe"],
         signal: args.signal
       });
@@ -3392,10 +3605,10 @@ function readEnvelopeTokens(raw, userPrompt, innerText) {
 async function maybeDumpDebug(ticketId, stdout, stderr) {
   if (!DEBUG && stdout.length === 0 && stderr.length === 0) return null;
   try {
-    const dir = join8(homedir5(), ".cache", "task", "scan-debug");
-    await mkdir7(dir, { recursive: true });
-    const path = join8(dir, `${ticketId}-${Date.now()}.log`);
-    await writeFile8(
+    const dir = join10(homedir5(), ".cache", "task", "scan-debug");
+    await mkdir8(dir, { recursive: true });
+    const path = join10(dir, `${ticketId}-${Date.now()}.log`);
+    await writeFile9(
       path,
       ["## ticket_id", ticketId, "", "## stdout", stdout, "", "## stderr", stderr].join("\n")
     );
@@ -3467,7 +3680,7 @@ function registerScan(program2) {
     "Restrict to one project (default: the linked project from .task/config.json, falling back to every visible project if the repo is not linked)"
   ).option(
     "--all-projects",
-    "Override the linked-project default and scan every CLI-eligible project the admin token can see"
+    "Override the linked-project default and scan every CLI-eligible project the signed-in user has cli_access on"
   ).option("--max <n>", "Max submissions per project token", "50").option("--batch <n>", "Tickets per /prepare batch (1-10)", "5").option("--api-url <url>", "Override TASK_API_URL").option("--silent", "Suppress per-ticket progress chrome").action(async (opts) => {
     await runScan(opts);
   });
@@ -3489,25 +3702,18 @@ async function runScan(opts) {
   }
 }
 async function runScanImpl(opts, progress) {
-  const apiKey = process.env["TASK_API_KEY"];
-  if (!apiKey || apiKey.length < 32) {
-    throw new CliError(
-      CLI_EXIT_CODES.MISCONFIGURATION,
-      "TASK_API_KEY is missing or shorter than 32 chars",
-      "Set TASK_API_KEY in your environment. The autopilot loop authenticates with the shared admin secret, not the per-user CLI bearer."
-    );
-  }
-  const actorEmail = process.env["TASK_API_KEY_OWNER_EMAIL"];
-  if (!actorEmail || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(actorEmail)) {
+  let creds = await readCredentials();
+  if (!creds) {
     throw new CliError(
       CLI_EXIT_CODES.MISCONFIGURATION,
-      "TASK_API_KEY_OWNER_EMAIL is not set or not a valid email",
-      "Set TASK_API_KEY_OWNER_EMAIL=<you@example.com>. The server records this on every audit row."
+      "Not signed in",
+      "Run 'task login' to authenticate. The scan autopilot uses the same per-user OAuth bearer as every other CLI command."
     );
   }
+  creds = await ensureFreshAccessToken(creds);
   const localCfg = await readLocalConfig();
   const linkedProject = await readProjectConfig(findRepoRoot());
-  const apiUrl = (opts.apiUrl ?? process.env["TASK_API_URL"] ?? localCfg.api_url ?? linkedProject?.api_url ?? "http://localhost:3400").replace(/\/$/, "");
+  const apiUrl = (opts.apiUrl ?? process.env["TASK_API_URL"] ?? creds.api_url ?? localCfg.api_url ?? linkedProject?.api_url ?? "http://localhost:3400").replace(/\/$/, "");
   const max = clampInt(opts.max, 1, 500, 50);
   const batchSize = clampInt(opts.batch, 1, 10, 5);
   const silent = !!opts.silent || localCfg.silent;
@@ -3526,7 +3732,7 @@ async function runScanImpl(opts, progress) {
     projectFilter = linkedProject.project_id;
     filterSource = "link";
   }
-  const api = new AutopilotApi({ apiUrl, apiKey, actorEmail });
+  const api = new AutopilotApi({ apiUrl, creds });
   if (!silent) process.stdout.write(`${c.dim("Discovering eligible projects\u2026")}
 `);
   const all = await api.listEligibleProjects();
@@ -3542,7 +3748,7 @@ async function runScanImpl(opts, progress) {
       throw new CliError(
         CLI_EXIT_CODES.GENERIC_ERROR,
         `Linked project ${linkedProject.organisation_slug}/${linkedProject.project_slug} has no CLI-eligible tickets right now`,
-        "Mark a ticket as CLI-eligible from the dashboard, or pass --all-projects to scan everything the admin token can see."
+        "Mark a ticket as CLI-eligible from the dashboard, or pass --all-projects to scan every project you have cli_access on."
       );
     }
     throw new CliError(
@@ -3742,6 +3948,252 @@ function clampInt(raw, min, max, fallback) {
   return Math.min(v, max);
 }
 
+// src/commands/fast-track.ts
+import { randomUUID as randomUUID3 } from "crypto";
+import ora3 from "ora";
+function registerFastTrack(program2) {
+  program2.command("fast-track").description(
+    "End-to-end: scan + auto-approve + work on the next CLI-eligible ticket(s) in the linked project \u2014 no admin review step"
+  ).option("--max <n>", "Process up to N tickets in this invocation", "1").option("--api-url <url>", "Override TASK_API_URL").option("--silent", "Suppress per-ticket progress chrome").option("--dry-run", "Run scan + approve + agent + tests but do not commit, push, or open a PR").option(
+    "--reset",
+    "DESTRUCTIVE: discard local working-tree changes before the first ticket. Requires --confirm in non-TTY contexts."
+  ).option("--confirm", "Confirm --reset in non-TTY (silent / scheduled-task) contexts").option("--schedule-id <id>", "Internal: schedule id when invoked from a scheduled task").action(async (opts) => {
+    await runFastTrack(opts);
+  });
+}
+async function runFastTrack(opts) {
+  let creds = await readCredentials();
+  if (!creds) {
+    throw new CliError(
+      CLI_EXIT_CODES.MISCONFIGURATION,
+      "Not signed in",
+      "Run 'task login' to authenticate."
+    );
+  }
+  creds = await ensureFreshAccessToken(creds);
+  const localCfg = await readLocalConfig();
+  const linkedProject = await readProjectConfig(findRepoRoot());
+  if (!linkedProject) {
+    throw new CliError(
+      CLI_EXIT_CODES.MISCONFIGURATION,
+      "No project link in this repo",
+      "Run 'task link' first \u2014 fast-track operates on the linked project only."
+    );
+  }
+  const apiUrl = (opts.apiUrl ?? process.env["TASK_API_URL"] ?? creds.api_url ?? localCfg.api_url ?? linkedProject.api_url ?? "http://localhost:3400").replace(/\/$/, "");
+  const max = Math.max(1, parseInt(opts.max, 10) || 1);
+  const silent = !!opts.silent || localCfg.silent;
+  const ctx = await buildWorkContext({ max: "1", silent: opts.silent });
+  const api = new AutopilotApi({ apiUrl, creds });
+  const claudePath = localCfg.claude_path ?? void 0;
+  let firstIteration = true;
+  const results = [];
+  for (let i = 0; i < max; i++) {
+    const innerWorkOpts = {
+      auto: false,
+      // We pin a specific ticketId per iteration.
+      next: false,
+      max: "1",
+      silent: opts.silent,
+      ...opts.dryRun ? { dryRun: true } : {},
+      ...opts.scheduleId ? { scheduleId: opts.scheduleId } : {},
+      ...firstIteration && opts.reset ? { reset: true } : {},
+      ...firstIteration && opts.confirm ? { confirm: true } : {}
+    };
+    const outcome = await fastTrackOneTicket({
+      api,
+      apiUrl,
+      project: linkedProject,
+      ctx,
+      claudePath,
+      silent,
+      innerWorkOpts,
+      scheduleId: opts.scheduleId
+    });
+    if (outcome.kind === "no_eligible") {
+      if (results.length === 0 && !silent) {
+        process.stdout.write(c.dim("No CLI-eligible tickets available to fast-track.\n"));
+      }
+      break;
+    }
+    results.push(outcome.result);
+    firstIteration = false;
+    if (i < max - 1 && outcome.result.status === "completed") {
+      enforceBaseBranchClean(ctx.cwd, ctx.baseBranch);
+    }
+  }
+  if (!silent) {
+    summarise(results);
+  }
+}
+async function fastTrackOneTicket(args) {
+  const { api, project, ctx, claudePath, silent, innerWorkOpts, scheduleId } = args;
+  const issued = await api.issueSkillToken({
+    project_id: project.project_id,
+    max_submits: 1
+  });
+  const skillToken = issued.token;
+  const prepared = await api.prepare(skillToken, 1, randomUUID3());
+  if (prepared.tickets.length === 0) {
+    return { kind: "no_eligible" };
+  }
+  const ticket = prepared.tickets[0];
+  const nonce = prepared.prepare_nonce;
+  const spinner = silent ? null : ora3(`#${ticket.sequence_number} ${ticket.title.slice(0, 60)} \u2014 scanning`).start();
+  let generated;
+  try {
+    generated = await generateFixPromptJson({
+      systemPrompt: ticket.system_prompt,
+      repoOverviewBlock: ticket.repo_overview_block,
+      ticketBlock: ticket.ticket_block,
+      outputSchemaHint: ticket.output_schema_hint,
+      modelId: ticket.model_id,
+      ticketId: ticket.ticket_id,
+      ...claudePath ? { claudePath } : {}
+    });
+  } catch (err) {
+    await api.abort(skillToken, [ticket.ticket_id]).catch(() => void 0);
+    const reason = err instanceof LlmGenerationError ? `${err.reason}: ${err.message.slice(0, 200)}` : "";
+    spinner?.fail(`#${ticket.sequence_number} scan failed${reason ? ` (${reason})` : ""}`);
+    throw err instanceof CliError ? err : new CliError(
+      CLI_EXIT_CODES.GENERIC_ERROR,
+      `Fix-prompt generation failed for #${ticket.sequence_number}: ${err.message.slice(0, 200)}`
+    );
+  }
+  const submitted = await api.submit({
+    skillToken,
+    nonce,
+    ticketId: ticket.ticket_id,
+    structured: generated.structured,
+    inputTokens: generated.inputTokens,
+    outputTokens: generated.outputTokens,
+    model: ticket.model_id
+  });
+  if (submitted.status === "skip") {
+    spinner?.warn(`#${ticket.sequence_number} server rejected submission (${submitted.reason})`);
+    return {
+      kind: "processed",
+      result: {
+        sequenceNumber: ticket.sequence_number,
+        ticketId: ticket.ticket_id,
+        previousFixStatus: submitted.reason,
+        status: "scan_skipped",
+        error: submitted.reason
+      }
+    };
+  }
+  const denylistHit = submitted.status === "needs_review";
+  if (spinner) {
+    spinner.text = `#${ticket.sequence_number} approving${denylistHit ? " (denylist override)" : ""}`;
+  }
+  let approved;
+  try {
+    approved = await apiCallOrThrow(
+      "POST",
+      `/api/v1/cli/me/tickets/${ticket.ticket_id}/ai-fix-prompt/fast-approve`,
+      {
+        body: {
+          ...denylistHit ? { denylist_acknowledged: true } : {},
+          reason: `fast-track: ${denylistHit ? "denylist override" : "auto-approve"} by CLI session`
+        }
+      }
+    );
+  } catch (err) {
+    spinner?.fail(
+      `#${ticket.sequence_number} fast-approve failed: ${err.message.slice(0, 120)}`
+    );
+    throw err;
+  }
+  if (spinner) {
+    spinner.text = `#${ticket.sequence_number} building`;
+  }
+  const innerOpts = { ...innerWorkOpts };
+  if (scheduleId !== void 0) innerOpts.scheduleId = scheduleId;
+  try {
+    const outcome = await processOneTicket(ctx, innerOpts, ticket.ticket_id);
+    if (outcome.kind === "no_eligible") {
+      spinner?.warn(`#${ticket.sequence_number} unexpectedly invisible to work after approve`);
+      return {
+        kind: "processed",
+        result: {
+          sequenceNumber: ticket.sequence_number,
+          ticketId: ticket.ticket_id,
+          previousFixStatus: approved.from_status ?? "unknown",
+          status: "failed",
+          error: "ticket vanished between approve and claim"
+        }
+      };
+    }
+    if (outcome.kind === "completed") {
+      spinner?.succeed(
+        `#${ticket.sequence_number} PR opened${outcome.prUrl ? ` ${outcome.prUrl}` : ""}`
+      );
+      const result = {
+        sequenceNumber: outcome.sequenceNumber,
+        ticketId: ticket.ticket_id,
+        previousFixStatus: approved.from_status ?? "unknown",
+        status: "completed"
+      };
+      if (outcome.prNumber !== void 0) result.prNumber = outcome.prNumber;
+      if (outcome.prUrl !== void 0) result.prUrl = outcome.prUrl;
+      return { kind: "processed", result };
+    }
+    if (outcome.kind === "dry_run") {
+      spinner?.succeed(`#${ticket.sequence_number} dry-run (no PR)`);
+      return {
+        kind: "processed",
+        result: {
+          sequenceNumber: outcome.sequenceNumber,
+          ticketId: ticket.ticket_id,
+          previousFixStatus: approved.from_status ?? "unknown",
+          status: "dry_run"
+        }
+      };
+    }
+    spinner?.warn(`#${ticket.sequence_number} agent produced no changes`);
+    return {
+      kind: "processed",
+      result: {
+        sequenceNumber: outcome.sequenceNumber,
+        ticketId: ticket.ticket_id,
+        previousFixStatus: approved.from_status ?? "unknown",
+        status: "no_changes"
+      }
+    };
+  } catch (err) {
+    spinner?.fail(
+      `#${ticket.sequence_number} work failed: ${err.message.slice(0, 120)}`
+    );
+    throw err;
+  }
+}
+function summarise(results) {
+  if (results.length === 0) return;
+  const counts = results.reduce(
+    (acc, r) => {
+      acc[r.status] = (acc[r.status] ?? 0) + 1;
+      return acc;
+    },
+    {}
+  );
+  const parts = [];
+  if (counts.completed) parts.push(`${c.ok(String(counts.completed))} PR(s) opened`);
+  if (counts.dry_run) parts.push(`${c.dim(String(counts.dry_run))} dry-run`);
+  if (counts.no_changes) parts.push(`${c.dim(String(counts.no_changes))} no-changes`);
+  if (counts.scan_skipped) parts.push(`${c.warn(String(counts.scan_skipped))} scan skipped`);
+  if (counts.failed) parts.push(`${c.err(String(counts.failed))} failed`);
+  process.stdout.write(`
+${c.bold("Fast-track summary")}: ${parts.join(", ")}
+`);
+  const denylistOverrides = results.filter((r) => r.previousFixStatus === "needs_review").length;
+  if (denylistOverrides > 0) {
+    process.stdout.write(
+      `${c.warn("\u26A0")} ${denylistOverrides} ticket(s) bypassed the denylist gate \u2014 review the PR diff(s) carefully.
+`
+    );
+  }
+}
+
 // src/commands/pr-test.ts
 import { execFileSync as execFileSync8 } from "child_process";
 function registerPrTest(program2) {
@@ -3880,16 +4332,16 @@ ${c.err("\u2717 pr-test failed")}: ${err.message}
 }
 
 // src/commands/scheduled-task.ts
-import { randomUUID as randomUUID3 } from "crypto";
+import { randomUUID as randomUUID4 } from "crypto";
 
 // src/scheduler/index.ts
 import { platform as platform2 } from "os";
 
 // src/scheduler/launchd.ts
-import { mkdir as mkdir8, readFile as readFile5, writeFile as writeFile9, unlink as unlink4, readdir as readdir2 } from "fs/promises";
+import { mkdir as mkdir9, readFile as readFile5, writeFile as writeFile10, unlink as unlink4, readdir as readdir2 } from "fs/promises";
 import { homedir as homedir6 } from "os";
-import { join as join9 } from "path";
-import { execFileSync as execFileSync9, spawn as spawn4 } from "child_process";
+import { join as join11 } from "path";
+import { execFileSync as execFileSync9, spawn as spawn5 } from "child_process";
 
 // src/scheduler/cron-translate.ts
 function translateToLaunchd(cron) {
@@ -3990,14 +4442,14 @@ function expandField(field, min, max) {
 }
 
 // src/scheduler/launchd.ts
-var PLIST_DIR = join9(homedir6(), "Library", "LaunchAgents");
+var PLIST_DIR = join11(homedir6(), "Library", "LaunchAgents");
 var LABEL_PREFIX = "com.inteeka.task.cli.";
 var SAFE_ID_RE = /^[0-9a-zA-Z._-]+$/;
 function plistPath(id) {
   if (!SAFE_ID_RE.test(id) || id.includes("..")) {
     throw new Error(`Refusing to compute plist path for unsafe id: ${id}`);
   }
-  return join9(PLIST_DIR, `${LABEL_PREFIX}${id}.plist`);
+  return join11(PLIST_DIR, `${LABEL_PREFIX}${id}.plist`);
 }
 function buildPlist(entry) {
   const calendars = translateToLaunchd(entry.cron);
@@ -4033,9 +4485,9 @@ ${fields}
     `    <string>/usr/local/bin:/usr/bin:/bin:/opt/homebrew/bin</string>`,
     `  </dict>`,
     `  <key>StandardOutPath</key>`,
-    `  <string>${escapeXml(join9(homedir6(), ".cache", "task", "launchd-stdout.log"))}</string>`,
+    `  <string>${escapeXml(join11(homedir6(), ".cache", "task", "launchd-stdout.log"))}</string>`,
     `  <key>StandardErrorPath</key>`,
-    `  <string>${escapeXml(join9(homedir6(), ".cache", "task", "launchd-stderr.log"))}</string>`,
+    `  <string>${escapeXml(join11(homedir6(), ".cache", "task", "launchd-stderr.log"))}</string>`,
     !entry.enabled ? `  <key>Disabled</key>
   <true/>` : "",
     "</dict>",
@@ -4053,9 +4505,9 @@ function bootstrapDomain() {
 }
 var launchdAdapter = {
   async upsert(entry) {
-    await mkdir8(PLIST_DIR, { recursive: true });
+    await mkdir9(PLIST_DIR, { recursive: true });
     const path = plistPath(entry.id);
-    await writeFile9(path, buildPlist(entry));
+    await writeFile10(path, buildPlist(entry));
     try {
       execFileSync9("launchctl", ["bootout", bootstrapDomain(), path], { stdio: "ignore" });
     } catch {
@@ -4084,7 +4536,7 @@ var launchdAdapter = {
       for (const file of ours) {
         const id = file.slice(LABEL_PREFIX.length, -".plist".length);
         try {
-          const xml = await readFile5(join9(PLIST_DIR, file), "utf8");
+          const xml = await readFile5(join11(PLIST_DIR, file), "utf8");
           const cron = xml.match(/<key>StartCalendarInterval<\/key>[\s\S]*?<\/array>/)?.[0] ?? "";
           const command = xml.match(/<key>ProgramArguments<\/key>\s*<array>([\s\S]*?)<\/array>/)?.[1] ?? "";
           const disabled = /<key>Disabled<\/key>\s*<true\/>/.test(xml);
@@ -4107,7 +4559,7 @@ var launchdAdapter = {
     return new Promise((resolve2) => {
       const args = entry.command.match(/(?:[^\s"]+|"[^"]*")+/g) ?? [entry.command];
       const cmd = args.shift() ?? entry.command;
-      const child = spawn4(cmd, args, { stdio: ["ignore", "pipe", "pipe"] });
+      const child = spawn5(cmd, args, { stdio: ["ignore", "pipe", "pipe"] });
       let stdoutTail = "";
       let stderrTail = "";
       child.stdout?.on("data", (chunk) => {
@@ -4130,7 +4582,7 @@ var launchdAdapter = {
     }
     if (enabled) {
       xml = xml.replace(/\s*<key>Disabled<\/key>\s*<true\/>/, "");
-      await writeFile9(path, xml);
+      await writeFile10(path, xml);
       try {
         execFileSync9("launchctl", ["bootout", bootstrapDomain(), path], { stdio: "ignore" });
       } catch {
@@ -4142,7 +4594,7 @@ var launchdAdapter = {
           "</dict>\n</plist>",
           "  <key>Disabled</key>\n  <true/>\n</dict>\n</plist>"
         );
-        await writeFile9(path, xml);
+        await writeFile10(path, xml);
       }
       try {
         execFileSync9("launchctl", ["bootout", bootstrapDomain(), path], { stdio: "ignore" });
@@ -4153,7 +4605,7 @@ var launchdAdapter = {
 };
 
 // src/scheduler/cron.ts
-import { execFileSync as execFileSync10, spawn as spawn5 } from "child_process";
+import { execFileSync as execFileSync10, spawn as spawn6 } from "child_process";
 
 // src/scheduler/safe-command.ts
 var FORBIDDEN = /[;&|`$()<>\\]/;
@@ -4214,7 +4666,7 @@ function readCrontab() {
   }
 }
 function writeCrontab(text) {
-  const child = spawn5("crontab", ["-"], { stdio: ["pipe", "inherit", "inherit"] });
+  const child = spawn6("crontab", ["-"], { stdio: ["pipe", "inherit", "inherit"] });
   child.stdin.write(text);
   child.stdin.end();
 }
@@ -4295,7 +4747,7 @@ var cronAdapter = {
       return Promise.resolve({ exitCode: 1, stdoutTail: "", stderrTail: `rejected: ${reason}` });
     }
     return new Promise((resolve2) => {
-      const child = spawn5(parsed.bin, parsed.args, { stdio: ["ignore", "pipe", "pipe"] });
+      const child = spawn6(parsed.bin, parsed.args, { stdio: ["ignore", "pipe", "pipe"] });
       let stdoutTail = "";
       let stderrTail = "";
       child.stdout?.on(
@@ -4323,7 +4775,7 @@ var cronAdapter = {
 };
 
 // src/scheduler/windows.ts
-import { execFileSync as execFileSync11, spawn as spawn6 } from "child_process";
+import { execFileSync as execFileSync11, spawn as spawn7 } from "child_process";
 var TASK_PREFIX = "TaskCLI_";
 function taskName(id) {
   return `${TASK_PREFIX}${id.replace(/[^A-Za-z0-9_-]/g, "_")}`;
@@ -4436,7 +4888,7 @@ var windowsAdapter = {
       return Promise.resolve({ exitCode: 1, stdoutTail: "", stderrTail: `rejected: ${reason}` });
     }
     return new Promise((resolve2) => {
-      const child = spawn6(parsed.bin, parsed.args, { stdio: ["ignore", "pipe", "pipe"] });
+      const child = spawn7(parsed.bin, parsed.args, { stdio: ["ignore", "pipe", "pipe"] });
       let stdoutTail = "";
       let stderrTail = "";
       child.stdout?.on(
@@ -4495,10 +4947,10 @@ var unsupportedAdapter = {
 };
 
 // src/scheduler/registry.ts
-import { mkdir as mkdir9, readFile as readFile6, writeFile as writeFile10 } from "fs/promises";
+import { mkdir as mkdir10, readFile as readFile6, writeFile as writeFile11 } from "fs/promises";
 import { homedir as homedir7 } from "os";
-import { dirname as dirname4, join as join10 } from "path";
-var REGISTRY_PATH = join10(homedir7(), ".config", "task", "schedules.json");
+import { dirname as dirname5, join as join12 } from "path";
+var REGISTRY_PATH = join12(homedir7(), ".config", "task", "schedules.json");
 var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 function looksLikeRegistryRow(value) {
   if (!value || typeof value !== "object") return false;
@@ -4518,8 +4970,8 @@ async function readRegistry() {
   }
 }
 async function writeRegistry(rows) {
-  await mkdir9(dirname4(REGISTRY_PATH), { recursive: true });
-  await writeFile10(REGISTRY_PATH, JSON.stringify(rows, null, 2));
+  await mkdir10(dirname5(REGISTRY_PATH), { recursive: true });
+  await writeFile11(REGISTRY_PATH, JSON.stringify(rows, null, 2));
 }
 async function upsertRegistry(row) {
   if (!UUID_RE.test(row.id)) {
@@ -4607,7 +5059,7 @@ function registerScheduledTask(program2) {
       const max = Math.min(100, Math.max(1, parseInt(opts.max, 10) || 5));
       const command = opts.command ?? `task work --auto --silent --max ${max}`;
       const { hostId, hostLabel } = getHostInfo();
-      const id = randomUUID3();
+      const id = randomUUID4();
       const created = await apiCall("POST", "/api/v1/cli/schedules", {
         body: {
           name,
@@ -4760,7 +5212,7 @@ function stripAnsi(s) {
 // src/commands/runs.ts
 import { readFile as readFile7 } from "fs/promises";
 import { homedir as homedir8 } from "os";
-import { join as join11 } from "path";
+import { join as join13 } from "path";
 function registerRuns(program2) {
   const cmd = program2.command("runs").description("Inspect agentic CLI run history");
   cmd.command("list").description("List recent runs").option("--limit <n>", "Max rows", "50").option("--ticket <id>", "Filter by ticket").option("--schedule <id>", "Filter by schedule").action(async (opts) => {
@@ -4789,7 +5241,7 @@ function registerRuns(program2) {
     process.stdout.write(JSON.stringify(row, null, 2) + "\n");
   });
   cmd.command("logs <id>").description("Show captured agent output for a run, if available").action(async (id) => {
-    const localPath = join11(homedir8(), ".cache", "task", "runs", `${id}.log`);
+    const localPath = join13(homedir8(), ".cache", "task", "runs", `${id}.log`);
     try {
       const text = await readFile7(localPath, "utf8");
       process.stdout.write(text);
@@ -4862,32 +5314,43 @@ function registerConfig(program2) {
 
 // src/commands/doctor.ts
 import { execFileSync as execFileSync12 } from "child_process";
-import { readFile as readFile8, writeFile as writeFile11 } from "fs/promises";
-import { join as join12 } from "path";
+import { readFile as readFile8, writeFile as writeFile12 } from "fs/promises";
+import { join as join14 } from "path";
 import { request as request5 } from "undici";
 var ALLOWED_TEST_EXECUTABLES = /* @__PURE__ */ new Set(["pnpm", "npm", "yarn", "bun", "node", "npx"]);
 var DEFAULT_TEST_COMMAND = "pnpm typecheck";
 function registerDoctor(program2) {
-  program2.command("doctor").description("Diagnose your CLI setup").option("--fix", "attempt to auto-remediate fixable problems (e.g. add a typecheck script)").action(async (opts) => {
+  program2.command("doctor").description(
+    "Diagnose your CLI setup \u2014 Identity (who you are signed in as) first, then Setup checks"
+  ).option("--fix", "attempt to auto-remediate fixable problems (e.g. add a typecheck script)").action(async (opts) => {
     const checks = [];
     const creds = await readCredentials();
+    let accessLite = null;
+    if (creds) {
+      accessLite = await fetchAccessLite();
+    }
+    const authDetail = creds ? renderAuthDetail(creds.email, creds.access_expires_at, accessLite) : "not signed in \u2014 run 'task login'";
     checks.push({
+      group: "identity",
       name: "auth",
-      ok: !!creds,
-      detail: creds ? `signed in as ${creds.email ?? "(unknown)"}, expires ${creds.access_expires_at}` : "not signed in \u2014 run 'task login'"
+      ok: !!creds && (accessLite?.has_access ?? true),
+      detail: authDetail,
+      remediation: !creds ? "run 'task login' to authenticate" : accessLite && !accessLite.has_access ? "Your account has no project with cli_access \u2014 ask an admin to grant access on the Agentic CLI page." : void 0
     });
     const root = findRepoRoot();
     const project = await readProjectConfig(root);
     checks.push({
+      group: "identity",
       name: "project link",
       ok: !!project,
       detail: project ? `${project.organisation_slug}/${project.project_slug}` : "no link \u2014 run 'task link'"
     });
     const cfg = await readLocalConfig();
-    checks.push(checkBinary("claude", cfg.claude_path ?? "claude"));
-    checks.push(checkBinary("git", "git"));
+    checks.push({ group: "setup", ...checkBinary("claude", cfg.claude_path ?? "claude") });
+    checks.push({ group: "setup", ...checkBinary("git", "git") });
     const { kind } = getSchedulerAdapter();
     checks.push({
+      group: "setup",
       name: "scheduler",
       ok: kind !== "unsupported",
       detail: kind === "unsupported" ? "unsupported platform" : kind
@@ -4901,12 +5364,14 @@ function registerDoctor(program2) {
       });
       await res.body.dump();
       checks.push({
+        group: "setup",
         name: "api reachable",
         ok: true,
         detail: `${apiUrl} (HTTP ${res.statusCode})`
       });
     } catch (err) {
       checks.push({
+        group: "setup",
         name: "api reachable",
         ok: false,
         detail: `${apiUrl}: ${err.message}`
@@ -4917,6 +5382,7 @@ function registerDoctor(program2) {
       try {
         const exists = remoteBranchExists(root, baseBranch);
         checks.push({
+          group: "setup",
           name: "base branch on origin",
           ok: exists,
           detail: exists ? `origin/${baseBranch} reachable` : `origin has no branch "${baseBranch}"`,
@@ -4924,6 +5390,7 @@ function registerDoctor(program2) {
         });
       } catch (err) {
         checks.push({
+          group: "setup",
           name: "base branch on origin",
           ok: false,
           detail: err instanceof CliError ? err.message : `could not check origin: ${err.message}`,
@@ -4937,41 +5404,57 @@ function registerDoctor(program2) {
         encoding: "utf8"
       }).trim();
       checks.push({
+        group: "setup",
         name: "working tree",
         ok: dirty.length === 0,
         detail: dirty.length === 0 ? "clean" : "has uncommitted changes"
       });
     } catch {
-      checks.push({ name: "working tree", ok: false, detail: "not in a git repo" });
+      checks.push({
+        group: "setup",
+        name: "working tree",
+        ok: false,
+        detail: "not in a git repo"
+      });
     }
     const testCheck = await checkPrePushTest(
       root,
       project?.cli_test_command ?? null,
       opts.fix === true
     );
-    checks.push(testCheck);
+    checks.push({ group: "setup", ...testCheck });
     let inFlight = [];
     if (creds && project) {
       inFlight = await listInFlightTickets(project.project_id, root);
       checks.push({
+        group: "setup",
         name: "in-flight tickets",
         ok: true,
         detail: inFlight.length === 0 ? "none" : `${inFlight.length} ticket(s) waiting to be resumed`
       });
     }
     let allOk = true;
-    for (const check of checks) {
-      const sym = check.ok ? c.ok("\u2713") : c.err("\u2717");
-      process.stdout.write(`${sym} ${check.name.padEnd(20)} ${c.dim(check.detail)}
+    const renderGroup = (label, group) => {
+      const groupChecks = checks.filter((ch) => ch.group === group);
+      if (groupChecks.length === 0) return;
+      process.stdout.write(`${c.bold(label)}
+`);
+      for (const check of groupChecks) {
+        const sym = check.ok ? c.ok("\u2713") : c.err("\u2717");
+        process.stdout.write(`${sym} ${check.name.padEnd(20)} ${c.dim(check.detail)}
 `);
-      if (!check.ok) {
-        allOk = false;
-        if (check.remediation) {
-          process.stdout.write(`  ${c.dim("\u2192 " + check.remediation)}
+        if (!check.ok) {
+          allOk = false;
+          if (check.remediation) {
+            process.stdout.write(`  ${c.dim("\u2192 " + check.remediation)}
 `);
+          }
         }
       }
-    }
+    };
+    renderGroup("Identity", "identity");
+    process.stdout.write("\n");
+    renderGroup("Setup", "setup");
     for (const t of inFlight) {
       const status = t.branchPresent ? c.ok("local branch present") : c.err("local branch missing");
       process.stdout.write(
@@ -4982,6 +5465,24 @@ function registerDoctor(program2) {
     if (!allOk) process.exit(1);
   });
 }
+async function fetchAccessLite() {
+  try {
+    return await apiCallOrThrow("GET", "/api/v1/cli/access");
+  } catch {
+    return null;
+  }
+}
+function renderAuthDetail(email, expiresAt, access2) {
+  const who = `signed in as ${email ?? "(unknown)"}`;
+  const expiry = `expires ${expiresAt}`;
+  if (!access2) return `${who}, ${expiry}`;
+  if (access2.projects.length === 0) {
+    return `${who}, ${expiry}, no cli_access projects`;
+  }
+  const sample = access2.projects.slice(0, 3).map((p) => `${p.organisation_slug}/${p.slug}`).join(", ");
+  const more = access2.projects.length > 3 ? `, +${access2.projects.length - 3} more` : "";
+  return `${who}, ${expiry}, ${access2.projects.length} project${access2.projects.length === 1 ? "" : "s"} (${sample}${more})`;
+}
 async function listInFlightTickets(projectId, cwd) {
   const result = await apiCall(
     "GET",
@@ -5028,7 +5529,7 @@ async function checkPrePushTest(root, configuredCommand, fix) {
       detail: `${command} (non-script executable, not statically verifiable)`
     };
   }
-  const pkgPath = join12(root, "package.json");
+  const pkgPath = join14(root, "package.json");
   let pkgRaw;
   try {
     pkgRaw = await readFile8(pkgPath, "utf8");
@@ -5064,7 +5565,7 @@ async function checkPrePushTest(root, configuredCommand, fix) {
     pkg.scripts = { ...scripts, typecheck: "tsc --noEmit" };
     const indent = detectIndent(pkgRaw);
     const trailingNewline = pkgRaw.endsWith("\n") ? "\n" : "";
-    await writeFile11(pkgPath, JSON.stringify(pkg, null, indent) + trailingNewline);
+    await writeFile12(pkgPath, JSON.stringify(pkg, null, indent) + trailingNewline);
     return {
       name: "pre-push test",
       ok: true,
@@ -5113,7 +5614,7 @@ function checkBinary(name, command) {
 }
 
 // src/commands/version.ts
-var CLI_VERSION = true ? "0.2.16" : "0.0.0-dev";
+var CLI_VERSION = true ? "0.2.18" : "0.0.0-dev";
 function registerVersion(program2) {
   program2.command("version").description("Print the CLI version").action(() => {
     process.stdout.write(CLI_VERSION + "\n");
@@ -5140,6 +5641,7 @@ registerMultiWork(program);
 registerResume(program);
 registerReset(program);
 registerScan(program);
+registerFastTrack(program);
 registerPrTest(program);
 registerScheduledTask(program);
 registerRuns(program);