@mutmutco/cli 0.10.0 → 0.12.0

package/dist/index.cjs

@@ -3038,7 +3038,7 @@ var {
 
 // src/index.ts
 var import_promises = require("node:fs/promises");
-var import_node_fs3 = require("node:fs");
+var import_node_fs4 = require("node:fs");
 var import_node_crypto = require("node:crypto");
 
 // src/rules-sync.ts
@@ -3064,6 +3064,31 @@ function rulesSourceAuthHeaders(sourceUrl, token) {
   }
   return void 0;
 }
+function resolveRulesBase(orgRulesSource, defaultBase) {
+  const isUrl = typeof orgRulesSource === "string" && /^https?:\/\//i.test(orgRulesSource);
+  return (isUrl ? orgRulesSource : defaultBase).replace(/\/$/, "");
+}
+
+// src/docs-sync.ts
+var SYNCED_DOCS = ["README.md", "architecture.md"];
+async function syncDocs(deps, docs2 = SYNCED_DOCS) {
+  const updated = [];
+  const skippedDirty = [];
+  for (const file of docs2) {
+    if (await deps.isDirty(file)) {
+      skippedDirty.push(file);
+      continue;
+    }
+    const origin = await deps.originContent(file);
+    if (origin === null) continue;
+    const local = await deps.localContent(file);
+    if (needsUpdate(origin, local)) {
+      await deps.writeDoc(file, normalizeEol(origin));
+      updated.push(file);
+    }
+  }
+  return { updated, skippedDirty };
+}
 
 // src/saga-capture.ts
 function parseHookInput(stdin) {
@@ -3079,6 +3104,7 @@ function parseHookInput(stdin) {
 var import_node_child_process4 = require("node:child_process");
 var import_node_util3 = require("node:util");
 var import_node_path4 = require("node:path");
+var import_node_os = require("node:os");
 
 // src/saga-head-maintainer.ts
 var import_node_child_process = require("node:child_process");
@@ -3194,7 +3220,7 @@ async function runHeadEngine(prompt, timeoutMs = HEAD_ENGINE_TIMEOUT_MS) {
 
 // src/gh-create.ts
 var ISSUE_TYPES = ["bug", "feature", "task"];
-var PRIORITIES = ["high", "medium", "low"];
+var PRIORITIES = ["urgent", "high", "medium", "low"];
 function parseCreatedUrl(stdout) {
   const re = /https:\/\/github\.com\/[^\s]+\/(?:issues|pull)\/(\d+)/g;
   let match;
@@ -3206,7 +3232,7 @@ function parseCreatedUrl(stdout) {
 ${stdout.trim() || "(empty)"}`);
   return last;
 }
-function buildIssueArgs({ type, title, body, priority, repo }) {
+function buildIssueArgs({ type, title, body, priority, repo, labels }) {
   if (!ISSUE_TYPES.includes(type)) throw new Error(`unknown issue type "${type}" \u2014 expected one of: ${ISSUE_TYPES.join(", ")}`);
   if (!PRIORITIES.includes(priority)) {
     throw new Error(`unknown priority "${priority}" \u2014 expected one of: ${PRIORITIES.join(", ")}`);
@@ -3214,9 +3240,36 @@ function buildIssueArgs({ type, title, body, priority, repo }) {
   const args = ["issue", "create"];
   if (repo) args.push("--repo", repo);
   args.push("--title", title, "--body", body, "--label", type);
-  args.push("--label", `priority:${priority}`);
+  for (const label of labels ?? []) args.push("--label", label);
   return args;
 }
+function boardAttachSkipReason(cwdRepo, targetRepo2) {
+  if (targetRepo2 && cwdRepo && targetRepo2 !== cwdRepo) {
+    return `issue was created in ${targetRepo2}, not the board's repo ${cwdRepo}`;
+  }
+  return null;
+}
+function buildAddToProjectArgs(projectId, contentId) {
+  if (!projectId) throw new Error("addToProject: projectId is required");
+  if (!contentId) throw new Error("addToProject: contentId is required");
+  return [
+    "api",
+    "graphql",
+    "-f",
+    "query=mutation($p:ID!,$c:ID!){addProjectV2ItemById(input:{projectId:$p,contentId:$c}){item{id}}}",
+    "-f",
+    `p=${projectId}`,
+    "-f",
+    `c=${contentId}`
+  ];
+}
+function parseAddedItemId(stdout) {
+  try {
+    return JSON.parse(stdout)?.data?.addProjectV2ItemById?.item?.id || void 0;
+  } catch {
+    return void 0;
+  }
+}
 function buildPrArgs({ title, body, base, head, repo }) {
   const args = ["pr", "create"];
   if (repo) args.push("--repo", repo);
@@ -3239,6 +3292,12 @@ function resolveSession(d) {
   return { id, source: "generated" };
 }
 
+// src/hub-url.ts
+var DEFAULT_HUB_URL = "https://tqxxwzftic.execute-api.eu-central-1.amazonaws.com";
+function defaultHubUrl() {
+  return process.env.MMI_HUB_URL || DEFAULT_HUB_URL;
+}
+
 // src/saga-health.ts
 function buildHealth(i) {
   const problems = [];
@@ -3264,8 +3323,17 @@ function healthBanner(report) {
   const suffix = report.problems.length > 2 ? ` (+${report.problems.length - 2} more)` : "";
   return `saga health: CHECK - ${summary}${suffix}`;
 }
+function resumeCue() {
+  return '> STATUS/RESUME CUE \u2014 For any status, resume, or "where do I stand" report: read THIS saga HEAD first (`mmi-cli saga show`), then reconcile its NEXT / LAST 5 / DECISIONS against the live board + git/gh before reporting. Do not rebuild the picture from board/issues/memory while skipping the HEAD.';
+}
 
 // src/saga-note.ts
+var AGENT_SURFACE_TOKENS = ["claude", "codex", "cursor", "gemini"];
+function agentSurface() {
+  const surface = process.env.MMI_AGENT_SURFACE || "claude";
+  if (AGENT_SURFACE_TOKENS.includes(surface)) return surface;
+  throw new Error(`MMI_AGENT_SURFACE must be one of: ${AGENT_SURFACE_TOKENS.join(", ")}`);
+}
 function buildNoteCapture(summary, o, id, evidence) {
   const queueOp = o.queueAdd ? { op: "add", text: o.queueAdd } : o.queueDone != null ? { op: "done", index: Number(o.queueDone) } : void 0;
   const state = o.diagnostic ? "diagnostic" : o.verified ? "verified" : "asserted";
@@ -3286,7 +3354,7 @@ function buildNoteCapture(summary, o, id, evidence) {
     state,
     source,
     evidence: Object.keys(ev).length ? ev : void 0,
-    surface: process.env.MMI_AGENT_SURFACE || "claude",
+    surface: agentSurface(),
     supersedes: o.supersedes,
     anchor,
     anchorForce: o.anchorForce || void 0
@@ -3343,6 +3411,20 @@ function buildVersionLagReport(input) {
     releasedVersion: input.releasedVersion
   };
 }
+function pluginManifestVersionArgs() {
+  return ["api", "repos/mutmutco/MMI-Hub/contents/.claude-plugin/plugin.json?ref=main", "-H", "Accept: application/vnd.github.raw"];
+}
+function parseManifestVersion(stdout) {
+  try {
+    return JSON.parse(stdout).version || void 0;
+  } catch {
+    return void 0;
+  }
+}
+function versionAutoUpdateAction(report, hasPluginRoot) {
+  if (report.ok || report.staleAgainst !== "released") return "none";
+  return hasPluginRoot ? "plugin-pull" : "npm";
+}
 
 // src/issue-related.ts
 var STOPWORDS = /* @__PURE__ */ new Set([
@@ -3401,7 +3483,50 @@ ${lines.join("\n")}`;
 // src/board.ts
 var import_node_child_process2 = require("node:child_process");
 var import_node_util = require("node:util");
-var execFileP = (0, import_node_util.promisify)(import_node_child_process2.execFile);
+
+// src/board-priority.ts
+var BOARD_PRIORITY_NAMES = ["Urgent", "High", "Medium", "Low"];
+var CLI_PRIORITIES = ["urgent", "high", "medium", "low"];
+var LABEL_PREFIX = "priority:";
+function cliPriorityToFieldName(priority) {
+  if (!CLI_PRIORITIES.includes(priority)) {
+    throw new Error(`unknown priority "${priority}" \u2014 expected one of: ${CLI_PRIORITIES.join(", ")}`);
+  }
+  return priority.charAt(0).toUpperCase() + priority.slice(1);
+}
+function labelToFieldPriority(label) {
+  if (!label.startsWith(LABEL_PREFIX)) return void 0;
+  const slug = label.slice(LABEL_PREFIX.length).toLowerCase();
+  if (!CLI_PRIORITIES.includes(slug)) return void 0;
+  return cliPriorityToFieldName(slug);
+}
+function resolvePriorityOptionId(cfg, priority) {
+  if (!cfg.priorityFieldId || !cfg.priorityOptions) return void 0;
+  const name = cliPriorityToFieldName(priority);
+  return cfg.priorityOptions[name];
+}
+function isPriorityFieldConfigured(cfg) {
+  return Boolean(
+    cfg.priorityFieldId && BOARD_PRIORITY_NAMES.every((name) => cfg.priorityOptions?.[name])
+  );
+}
+function recoverPriorityFromEvents(events) {
+  let found;
+  for (const event of events) {
+    if (event.event !== "labeled" || !event.label?.name) continue;
+    const mapped = labelToFieldPriority(event.label.name);
+    if (mapped) found = mapped;
+  }
+  return found;
+}
+
+// src/board.ts
+var rawExecFileP = (0, import_node_util.promisify)(import_node_child_process2.execFile);
+var execFileP = (file, args, options = {}) => (
+  // encoding 'utf8' guarantees string output at runtime; the cast pins the type (promisify's
+  // overloads widen to string|Buffer when options is spread in).
+  rawExecFileP(file, args, { encoding: "utf8", windowsHide: true, ...options })
+);
 var BOARD_STATUSES = ["Todo", "In Progress", "In Review", "Done"];
 var ACTIVE_STATUSES = /* @__PURE__ */ new Set(["Todo", "In Progress", "In Review"]);
 var STATUS_ORDER = new Map(BOARD_STATUSES.map((s, i) => [s, i]));
@@ -3419,7 +3544,7 @@ var defaultGit = async (args) => {
   }
 };
 var PROJECT_ITEMS_QUERY = `
-query($owner: String!, $number: Int!, $statusField: String!, $after: String) {
+query($owner: String!, $number: Int!, $after: String) {
   viewer { login }
   organization(login: $owner) {
     projectV2(number: $number) {
@@ -3429,8 +3554,14 @@ query($owner: String!, $number: Int!, $statusField: String!, $after: String) {
         pageInfo { hasNextPage endCursor }
         nodes {
           id
-          fieldValueByName(name: $statusField) {
-            ... on ProjectV2ItemFieldSingleSelectValue { name optionId }
+          fieldValues(first: 8) {
+            nodes {
+              ... on ProjectV2ItemFieldSingleSelectValue {
+                name
+                optionId
+                field { ... on ProjectV2SingleSelectField { name } }
+              }
+            }
           }
           content {
             __typename
@@ -3476,7 +3607,9 @@ function resolveBoardConfig(cfg) {
     projectNumber: cfg.projectNumber,
     projectId: cfg.projectId,
     statusFieldId: cfg.statusFieldId,
-    statusOptions: cfg.statusOptions
+    statusOptions: cfg.statusOptions,
+    priorityFieldId: cfg.priorityFieldId,
+    priorityOptions: cfg.priorityOptions
   };
 }
 function repoFromGitRemote(remote) {
@@ -3499,7 +3632,7 @@ function parseIssueSelector(selector, defaultRepo) {
   if (local) return { repo: defaultRepo, number: Number(local[1]) };
   throw new Error(`expected an issue selector like 123, #123, owner/repo#123, or a GitHub issue URL`);
 }
-function partitionBoardItems(items, viewer, currentRepo) {
+function partitionBoardItems(items, viewer, currentRepo, writableRepos) {
   const empty = () => ({ userOwned: [], claimable: [], taken: [] });
   const groups = { primary: empty(), secondary: empty() };
   const viewerKey = viewer.toLowerCase();
@@ -3511,7 +3644,7 @@ function partitionBoardItems(items, viewer, currentRepo) {
     const assignedToViewer = assignees.includes(viewerKey);
     if (assignedToViewer) {
       groups[scope].userOwned.push(item);
-    } else if (item.status === "Todo" && item.assignees.length === 0) {
+    } else if (item.status === "Todo" && item.assignees.length === 0 && (!writableRepos || writableRepos.has(item.repository.toLowerCase()))) {
       groups[scope].claimable.push(item);
     } else if (item.assignees.length > 0) {
       groups[scope].taken.push(item);
@@ -3549,6 +3682,22 @@ function findClaimableItem(report, selector) {
   }
   throw new Error(`${selector.repo}#${selector.number} is not on this project board`);
 }
+function renderBoardItem(item) {
+  const assignees = item.assignees.length ? `@${item.assignees.join(", @")}` : "unassigned";
+  const lines = [
+    `${item.ref} - ${item.title}`,
+    `Status: ${item.status} \xB7 ${assignees}${item.priority ? ` \xB7 Priority: ${item.priority}` : ""}`,
+    `Type: ${item.type ?? "item"}${item.labels.length ? ` \xB7 ${item.labels.join(", ")}` : ""}`,
+    item.url
+  ];
+  if (item.details) {
+    lines.push("", item.details.body.trim() || "_(no body)_");
+    for (const comment of item.details.comments) {
+      lines.push("", `\u2014 @${comment.author}:`, comment.body.trim());
+    }
+  }
+  return lines.join("\n");
+}
 function renderBoardReport(report) {
   const lines = [`Board \xB7 ${report.project.title} \xB7 @${report.viewer}`];
   renderScope(lines, "PRIMARY", report.repo, report.primary);
@@ -3559,8 +3708,7 @@ function renderBoardReport(report) {
   }
   return lines.join("\n");
 }
-async function readBoard(options, deps = {}) {
-  const cfg = resolveBoardConfig(options.config);
+async function collectBoardItems(cfg, options, deps) {
   const gh = deps.gh ?? defaultGh;
   const git = deps.git ?? defaultGit;
   const currentRepo = options.repo ?? repoFromGitRemote(await git(["remote", "get-url", "origin"])) ?? "";
@@ -3576,12 +3724,12 @@ async function readBoard(options, deps = {}) {
     try {
       const page = await fetchProjectPage(gh, cfg, after);
       viewer ||= page.viewer.login;
-      const project = page.organization?.projectV2;
-      if (!project) throw new Error(`project ${cfg.projectOwner}#${cfg.projectNumber} not found`);
-      projectId = project.id;
-      projectTitle ||= project.title;
-      nodes.push(...project.items.nodes ?? []);
-      after = project.items.pageInfo.hasNextPage ? project.items.pageInfo.endCursor ?? void 0 : void 0;
+      const project2 = page.organization?.projectV2;
+      if (!project2) throw new Error(`project ${cfg.projectOwner}#${cfg.projectNumber} not found`);
+      projectId = project2.id;
+      projectTitle ||= project2.title;
+      nodes.push(...project2.items.nodes ?? []);
+      after = project2.items.pageInfo.hasNextPage ? project2.items.pageInfo.endCursor ?? void 0 : void 0;
     } catch (e) {
       const message = `partial board read: ${e.message}`;
       if (!nodes.length || !options.allowPartial) throw new Error(message);
@@ -3590,30 +3738,154 @@ async function readBoard(options, deps = {}) {
       after = void 0;
     }
   } while (after);
-  const items = nodesToItems(nodes, warnings);
-  const groups = partitionBoardItems(items, viewer, currentRepo);
+  return { items: nodesToItems(nodes, warnings), viewer, repo: currentRepo, projectId, projectTitle, warnings, partial };
+}
+async function repoCanPush(repo, gh) {
+  try {
+    const { stdout } = await gh(["api", `repos/${repo}`, "--jq", ".permissions.push"]);
+    const value = stdout.trim();
+    if (value === "true") return true;
+    if (value === "false") return false;
+    const parsed = JSON.parse(value);
+    return typeof parsed.permissions?.push === "boolean" ? parsed.permissions.push : void 0;
+  } catch {
+    return void 0;
+  }
+}
+async function resolveWritableReposForClaimables(items, gh, allowPartial) {
+  const candidateRepos = [...new Set(items.filter((item) => item.status === "Todo" && item.assignees.length === 0).map((item) => item.repository))];
+  const repos = /* @__PURE__ */ new Set();
+  const warnings = [];
+  let partial = false;
+  for (const repo of candidateRepos) {
+    const canPush = await repoCanPush(repo, gh);
+    if (canPush === true) {
+      repos.add(repo.toLowerCase());
+      continue;
+    }
+    if (canPush === void 0) {
+      const warning = `partial claimable access read: ${repo}: could not verify viewer write access`;
+      if (!allowPartial) throw new Error(warning);
+      warnings.push(warning);
+      partial = true;
+    }
+  }
+  return { repos, warnings, partial };
+}
+async function readBoard(options, deps = {}) {
+  const cfg = resolveBoardConfig(options.config);
+  const gh = deps.gh ?? defaultGh;
+  const collected = await collectBoardItems(cfg, options, deps);
+  const writable = await resolveWritableReposForClaimables(collected.items, gh, options.allowPartial ?? false);
+  collected.warnings.push(...writable.warnings);
+  collected.partial = collected.partial || writable.partial;
+  const groups = partitionBoardItems(collected.items, collected.viewer, collected.repo, writable.repos);
   const report = {
-    project: { owner: cfg.projectOwner, number: cfg.projectNumber, id: projectId, title: projectTitle || String(cfg.projectNumber) },
-    viewer,
-    repo: currentRepo,
+    project: { owner: cfg.projectOwner, number: cfg.projectNumber, id: collected.projectId, title: collected.projectTitle || String(cfg.projectNumber) },
+    viewer: collected.viewer,
+    repo: collected.repo,
     ...groups,
-    warnings,
-    partial
+    warnings: collected.warnings,
+    partial: collected.partial
   };
   if (options.includeBundleDetails) {
     await attachBundleDetails(report, gh, options.allowPartial ?? false);
   }
   return report;
 }
+function findBoardItem(items, selector) {
+  const found = items.find(
+    (candidate) => candidate.repository.toLowerCase() === selector.repo.toLowerCase() && candidate.number === selector.number
+  );
+  if (!found) throw new Error(`${selector.repo}#${selector.number} is not on this project board`);
+  return found;
+}
+async function moveBoardItem(options, deps = {}) {
+  if (!BOARD_STATUSES.includes(options.status)) {
+    throw new Error(`unknown status '${options.status}'; expected one of ${BOARD_STATUSES.join(", ")}`);
+  }
+  const cfg = resolveBoardConfig(options.config);
+  const gh = deps.gh ?? defaultGh;
+  const collected = await collectBoardItems(cfg, options, deps);
+  const selector = parseIssueSelector(options.selector, collected.repo);
+  const item = findBoardItem(collected.items, selector);
+  if (item.contentType !== "Issue") throw new Error(`${item.ref} is not an issue`);
+  const optionId = cfg.statusOptions[options.status];
+  try {
+    await gh([
+      "project",
+      "item-edit",
+      "--id",
+      item.itemId,
+      "--project-id",
+      cfg.projectId,
+      "--field-id",
+      cfg.statusFieldId,
+      "--single-select-option-id",
+      optionId
+    ]);
+  } catch (e) {
+    const warning = `partial move: ${item.ref} status was not changed to ${options.status} (${ghError(e)})`;
+    if (!options.allowPartial) throw new Error(warning);
+    return { item, viewer: collected.viewer, repo: collected.repo, status: item.status, partial: true, warning };
+  }
+  return {
+    item: { ...item, status: options.status, statusOptionId: optionId },
+    viewer: collected.viewer,
+    repo: collected.repo,
+    status: options.status,
+    partial: false
+  };
+}
+async function showBoardItem(options, deps = {}) {
+  const cfg = resolveBoardConfig(options.config);
+  const gh = deps.gh ?? defaultGh;
+  const collected = await collectBoardItems(cfg, options, deps);
+  const selector = parseIssueSelector(options.selector, collected.repo);
+  const item = findBoardItem(collected.items, selector);
+  if (item.contentType === "Issue") {
+    try {
+      const { stdout } = await gh(["issue", "view", String(item.number), "--repo", item.repository, "--json", "body,comments"]);
+      const detail = JSON.parse(stdout);
+      item.details = {
+        body: detail.body ?? "",
+        comments: (detail.comments ?? []).map((comment) => ({
+          author: comment.author?.login ?? "",
+          body: comment.body ?? ""
+        }))
+      };
+    } catch (e) {
+      if (!options.allowPartial) throw new Error(`detail read failed: ${item.ref}: ${ghError(e)}`);
+    }
+  }
+  return item;
+}
 async function claimBoardIssue(options, deps = {}) {
   const cfg = resolveBoardConfig(options.config);
   const gh = deps.gh ?? defaultGh;
-  const report = await readBoard({ config: cfg, repo: options.repo, allowPartial: options.allowPartial }, deps);
-  const selector = parseIssueSelector(options.selector, report.repo);
+  const collected = await collectBoardItems(cfg, { repo: options.repo, allowPartial: options.allowPartial }, deps);
+  const writable = await resolveWritableReposForClaimables(collected.items, gh, options.allowPartial ?? false);
+  collected.warnings.push(...writable.warnings);
+  collected.partial = collected.partial || writable.partial;
+  const report = {
+    project: { owner: cfg.projectOwner, number: cfg.projectNumber, id: collected.projectId, title: collected.projectTitle || String(cfg.projectNumber) },
+    viewer: collected.viewer,
+    repo: collected.repo,
+    ...partitionBoardItems(collected.items, collected.viewer, collected.repo, writable.repos),
+    warnings: collected.warnings,
+    partial: collected.partial
+  };
+  const selector = parseIssueSelector(options.selector, collected.repo);
+  const flatItem = findBoardItem(collected.items, selector);
+  if (flatItem.status === "Todo" && flatItem.assignees.length === 0 && !writable.repos.has(flatItem.repository.toLowerCase())) {
+    throw new Error(`${flatItem.ref} is not claimable: viewer does not have write access to ${flatItem.repository}`);
+  }
   const item = findClaimableItem(report, selector);
   if (item.contentType !== "Issue") throw new Error(`${item.ref} is not an issue`);
+  const assignee = options.assignee ?? "@me";
+  const assignedLogin = assignee === "@me" ? report.viewer : assignee.replace(/^@/, "");
   try {
-    await gh(["issue", "edit", String(item.number), "--repo", item.repository, "--add-assignee", "@me"]);
+    await gh(["issue", "edit", String(item.number), "--repo", item.repository, "--add-assignee", assignee]);
   } catch (e) {
     throw new Error(`claim failed before board status changed: ${ghError(e)}`);
   }
@@ -3631,11 +3903,117 @@ async function claimBoardIssue(options, deps = {}) {
       cfg.statusOptions["In Progress"]
     ]);
   } catch (e) {
-    const warning = `partial claim: ${item.ref} was assigned to @${report.viewer}, but Status was not moved to In Progress (${ghError(e)})`;
+    const warning = `partial claim: ${item.ref} was assigned to @${assignedLogin}, but Status was not moved to In Progress (${ghError(e)})`;
     if (!options.allowPartial) throw new Error(warning);
     return { item, viewer: report.viewer, repo: report.repo, status: "Todo", partial: true, warning };
   }
-  return { item: { ...item, assignees: [...item.assignees, report.viewer], status: "In Progress" }, viewer: report.viewer, repo: report.repo, status: "In Progress", partial: false };
+  return {
+    item: {
+      ...item,
+      assignees: item.assignees.includes(assignedLogin) ? item.assignees : [...item.assignees, assignedLogin],
+      status: "In Progress",
+      statusOptionId: cfg.statusOptions["In Progress"]
+    },
+    viewer: report.viewer,
+    repo: report.repo,
+    status: "In Progress",
+    partial: false
+  };
+}
+async function setBoardItemPriority(gh, cfg, itemId, priority) {
+  if (!isPriorityFieldConfigured(cfg)) return void 0;
+  const optionId = resolvePriorityOptionId(cfg, priority);
+  if (!optionId || !cfg.priorityFieldId || !cfg.projectId) return void 0;
+  await gh([
+    "project",
+    "item-edit",
+    "--id",
+    itemId,
+    "--project-id",
+    cfg.projectId,
+    "--field-id",
+    cfg.priorityFieldId,
+    "--single-select-option-id",
+    optionId
+  ]);
+  return cliPriorityToFieldName(priority);
+}
+async function backfillBoardPriorities(options, deps = {}) {
+  const cfg = resolveBoardConfig(options.config);
+  if (!isPriorityFieldConfigured(cfg)) {
+    throw new Error("priority field is not configured in .mmi/config.json (priorityFieldId + priorityOptions)");
+  }
+  const gh = deps.gh ?? defaultGh;
+  const collected = await collectBoardItems(cfg, { repo: options.repo }, deps);
+  const issues = collected.items.filter((item) => item.contentType === "Issue");
+  const concurrency = Math.max(1, options.concurrency ?? 8);
+  const result = { scanned: issues.length, set: 0, skipped: 0, failed: 0, details: [] };
+  async function work(item) {
+    if (item.priority) {
+      result.skipped += 1;
+      return;
+    }
+    try {
+      const priority = await recoverIssuePriority(gh, item);
+      if (!priority) {
+        result.skipped += 1;
+        return;
+      }
+      if (options.dryRun) {
+        result.set += 1;
+        result.details.push(`${item.ref} \u2192 ${priority} (dry-run)`);
+        return;
+      }
+      const optionId = cfg.priorityOptions?.[priority];
+      if (!optionId) throw new Error(`no option id for ${priority}`);
+      await gh([
+        "project",
+        "item-edit",
+        "--id",
+        item.itemId,
+        "--project-id",
+        cfg.projectId,
+        "--field-id",
+        cfg.priorityFieldId,
+        "--single-select-option-id",
+        optionId
+      ]);
+      result.set += 1;
+      result.details.push(`${item.ref} \u2192 ${priority}`);
+    } catch (e) {
+      result.failed += 1;
+      result.details.push(`${item.ref}: ${ghError(e)}`);
+    }
+  }
+  for (let i = 0; i < issues.length; i += concurrency) {
+    await Promise.all(issues.slice(i, i + concurrency).map(work));
+  }
+  return result;
+}
+async function recoverIssuePriority(gh, item) {
+  for (const label of item.labels) {
+    const fromLabel = labelToFieldPriority(label);
+    if (fromLabel) return fromLabel;
+  }
+  const { stdout } = await gh(["api", `repos/${item.repository}/issues/${item.number}/events`, "--paginate"]);
+  return recoverPriorityFromEvents(parsePaginatedEvents(stdout));
+}
+function parsePaginatedEvents(stdout) {
+  const trimmed = stdout.trim();
+  if (!trimmed) return [];
+  try {
+    const parsed = JSON.parse(trimmed);
+    if (Array.isArray(parsed)) return parsed;
+  } catch {
+  }
+  return trimmed.split(/\r?\n/).filter(Boolean).flatMap((line) => {
+    try {
+      const parsed = JSON.parse(line);
+      return Array.isArray(parsed) ? parsed : [];
+    } catch {
+      return [];
+    }
+  });
 }
 async function fetchProjectPage(gh, cfg, after) {
   const args = [
@@ -3646,9 +4024,7 @@ async function fetchProjectPage(gh, cfg, after) {
     "-f",
     `owner=${cfg.projectOwner}`,
     "-F",
-    `number=${cfg.projectNumber}`,
-    "-f",
-    "statusField=Status"
+    `number=${cfg.projectNumber}`
   ];
   if (after) args.push("-f", `after=${after}`);
   const { stdout } = await gh(args);
@@ -3665,10 +4041,27 @@ function nodesToItems(nodes, warnings) {
   }
   return items;
 }
+function parseSingleSelectFields(nodes) {
+  const out = {};
+  for (const node of nodes ?? []) {
+    const fieldName = node.field?.name;
+    if (fieldName === "Status") {
+      const status = asBoardStatus(node.name);
+      if (status) out.status = { name: status, optionId: node.optionId };
+    } else if (fieldName === "Priority" && node.name) {
+      const priority = node.name;
+      if (["Urgent", "High", "Medium", "Low"].includes(priority)) {
+        out.priority = { name: priority, optionId: node.optionId };
+      }
+    }
+  }
+  return out;
+}
 function nodeToItem(node) {
   const content = node.content;
   if (!node.id || !isSupportedContent(content)) return void 0;
-  const status = asBoardStatus(node.fieldValueByName?.name);
+  const fields = parseSingleSelectFields(node.fieldValues?.nodes);
+  const status = fields.status?.name;
   const repository = content.repository?.nameWithOwner;
   if (!status || !content.id || !content.number || !content.title || !content.url || !repository) return void 0;
   const labels = (content.labels?.nodes ?? []).map((l) => l.name).filter((name) => Boolean(name));
@@ -3684,7 +4077,9 @@ function nodeToItem(node) {
     title: content.title,
     state: content.state ?? "",
     status,
-    statusOptionId: node.fieldValueByName?.optionId,
+    statusOptionId: fields.status?.optionId,
+    priority: fields.priority?.name,
+    priorityOptionId: fields.priority?.optionId,
     assignees,
     labels,
     type: labels.find((label) => TYPE_LABELS.includes(label)) ?? labels[0]
@@ -3743,7 +4138,8 @@ function renderTaken(lines, items) {
   for (const item of items) lines.push(`  ${item.ref} \xB7 ${item.status} \xB7 @${item.assignees.join(", @")}`);
 }
 function renderTitledItem(item) {
-  return `${item.ref} - [${item.type ?? "item"}] ${item.title}`;
+  const pri = item.priority ? ` \xB7 ${item.priority}` : "";
+  return `${item.ref} - [${item.type ?? "item"}]${pri} ${item.title}`;
 }
 function hasItems(buckets) {
   return buckets.userOwned.length > 0 || buckets.claimable.length > 0 || buckets.taken.length > 0;
@@ -3889,6 +4285,12 @@ function stagePlan(stage2 = {}) {
     { label: "check health", command: stage2.healthUrl ? `curl --fail ${stage2.healthUrl}` : "(no stage.healthUrl configured)" }
   ];
 }
+function stageLivePlan() {
+  return [
+    { label: "stage-live is not an org command; /stage is local only", command: "mmi-cli stage run --apply" },
+    { label: "remote rc/live environments move through the gated promotion train", command: "mmi-cli rc && mmi-cli release && mmi-cli hotfix", gated: true }
+  ];
+}
 function trainPlan(command) {
   if (command === "rc") {
     return [
@@ -3927,8 +4329,83 @@ function bootstrapPlan(repo, repoClass) {
   ];
 }
 
+// src/bootstrap-seeds.ts
+var PLACEHOLDER_RE = /\{\{([A-Z0-9_]+)\}\}/g;
+function loadBootstrapSeeds(manifestJson) {
+  let parsed;
+  try {
+    parsed = JSON.parse(manifestJson);
+  } catch {
+    throw new Error("bootstrap seed manifest is not valid JSON");
+  }
+  const obj = parsed ?? {};
+  const seeds = obj.seeds ?? [];
+  for (const s of seeds) {
+    if (!s || !s.target || !s.source || !Array.isArray(s.classes)) {
+      throw new Error(`invalid seed entry (needs target, source, classes): ${JSON.stringify(s)}`);
+    }
+    if (s.ownership !== "org" && s.ownership !== "repo") {
+      throw new Error(`invalid seed ownership '${s.ownership}' for ${s.target} (must be 'org' or 'repo')`);
+    }
+  }
+  return {
+    seeds,
+    labels: obj.labels ?? [],
+    placeholders: obj.placeholders ?? []
+  };
+}
+function renderSeed(template, vars) {
+  return template.replace(PLACEHOLDER_RE, (match, key) => key in vars ? vars[key] : match);
+}
+function missingPlaceholders(rendered) {
+  const out = /* @__PURE__ */ new Set();
+  for (const m of rendered.matchAll(PLACEHOLDER_RE)) out.add(m[1]);
+  return [...out];
+}
+var GITIGNORE_MANAGED_BEGIN = "# >>> mmi-managed >>>";
+var GITIGNORE_MANAGED_END = "# <<< mmi-managed <<<";
+var MANAGED_GITIGNORE_LINES = [
+  '# Org-wide cleanliness (AGENTS.md "Repo cleanliness") \u2014 enforced by `mmi-cli doctor`.',
+  "# Do not edit inside these markers; this block is regenerated on the next doctor run.",
+  ".playwright-mcp/",
+  ".claude/worktrees/",
+  "/*.png"
+];
+function renderManagedGitignoreBlock() {
+  return [GITIGNORE_MANAGED_BEGIN, ...MANAGED_GITIGNORE_LINES, GITIGNORE_MANAGED_END].join("\n");
+}
+function upsertManagedGitignoreBlock(current) {
+  const block = renderManagedGitignoreBlock();
+  const src = (current ?? "").replace(/\r\n/g, "\n");
+  if (src.trim() === "") {
+    const next2 = `${block}
+`;
+    return { content: next2, changed: src !== next2 };
+  }
+  const managed = /* @__PURE__ */ new Set([GITIGNORE_MANAGED_BEGIN, GITIGNORE_MANAGED_END, ...MANAGED_GITIGNORE_LINES]);
+  const lines = src.split("\n");
+  const beginAt = lines.findIndex((l) => l === GITIGNORE_MANAGED_BEGIN);
+  const endAt = beginAt === -1 ? -1 : lines.findIndex((l, i) => i > beginAt && l === GITIGNORE_MANAGED_END);
+  let next;
+  if (beginAt !== -1 && endAt !== -1) {
+    const before = lines.slice(0, beginAt).filter((l) => !managed.has(l.trim()));
+    const after = lines.slice(endAt + 1).filter((l) => !managed.has(l.trim()));
+    next = `${[...before, ...block.split("\n"), ...after].join("\n").replace(/\n+$/, "")}
+`;
+  } else {
+    const kept = lines.filter((l) => !managed.has(l.trim())).join("\n").replace(/\n+$/, "");
+    next = kept === "" ? `${block}
+` : `${kept}
+
+${block}
+`;
+  }
+  return { content: next, changed: src !== next };
+}
+
 // src/doctor.ts
 var GH_PROJECT_LOGIN_FIX = 'run: gh auth login --hostname github.com --git-protocol https --web --scopes "project"';
+var AWS_CROSS_ACCOUNT_FIX = "use a non-root IAM user/session profile for master-agent AWS checks; set AWS_PROFILE or AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY (plus AWS_SESSION_TOKEN for temporary credentials), then verify `aws sts get-caller-identity` does not end in :root";
 function buildGithubAuthCheck(input) {
   const ok = Boolean(input.login?.trim());
   return {
@@ -3937,11 +4414,68 @@ function buildGithubAuthCheck(input) {
     fix: input.ghInstalled ? GH_PROJECT_LOGIN_FIX : `install GitHub CLI (https://cli.github.com), then: ${GH_PROJECT_LOGIN_FIX.replace(/^run: /, "")}`
   };
 }
+function buildAwsCrossAccountCheck(input) {
+  const callerArn = input.callerArn?.trim();
+  return {
+    ok: !callerArn || !callerArn.endsWith(":root"),
+    label: "AWS cross-account identity (master-agent audits)",
+    fix: AWS_CROSS_ACCOUNT_FIX
+  };
+}
+var MMI_PLUGIN_ID = "mmi@mmi";
+var PLUGIN_LABEL = "plugin install record (mmi@mmi for this project)";
+function pluginInstallManualFix(projectPath) {
+  return `run \`/plugin install ${MMI_PLUGIN_ID}\` then \`/reload-plugins\` (VS Code extension: reopen the workspace) to register the project install record for ${projectPath}`;
+}
+function isMmiPluginEnabled(settings) {
+  return Boolean(settings?.enabledPlugins?.[MMI_PLUGIN_ID]);
+}
+function hasProjectInstallRecord(file, pluginId, projectPath) {
+  const records = file?.plugins?.[pluginId];
+  if (!Array.isArray(records)) return false;
+  return records.some((r) => r.scope === "project" && r.projectPath === projectPath);
+}
+function buildPluginInstallRecordCheck(input) {
+  const pluginId = input.pluginId ?? MMI_PLUGIN_ID;
+  const base = {
+    ok: true,
+    label: PLUGIN_LABEL,
+    fix: pluginInstallManualFix(input.projectPath),
+    pluginId
+  };
+  if (!input.isOrgRepo || !isMmiPluginEnabled(input.settings)) return base;
+  if (hasProjectInstallRecord(input.installed, pluginId, input.projectPath)) return base;
+  const now = input.now ?? (/* @__PURE__ */ new Date()).toISOString();
+  const recordToInsert = input.mirrorFrom ? {
+    ...input.mirrorFrom,
+    scope: "project",
+    projectPath: input.projectPath,
+    ...input.mirrorFrom.installedAt !== void 0 ? { installedAt: now } : {},
+    ...input.mirrorFrom.lastUpdated !== void 0 ? { lastUpdated: now } : {}
+  } : { scope: "project", projectPath: input.projectPath, installedAt: now, lastUpdated: now };
+  return {
+    ok: false,
+    label: PLUGIN_LABEL,
+    fix: pluginInstallManualFix(input.projectPath),
+    pluginId,
+    recordToInsert
+  };
+}
+var GITIGNORE_BLOCK_LABEL = "org .gitignore managed block (.playwright-mcp/, .claude/worktrees/, scratch *.png)";
+var GITIGNORE_BLOCK_FIX = "run `mmi-cli doctor` to auto-insert the `# >>> mmi-managed >>>` block (or copy it from MMI-Hub's .gitignore)";
+function buildGitignoreManagedBlockCheck(input) {
+  const base = { ok: true, label: GITIGNORE_BLOCK_LABEL, fix: GITIGNORE_BLOCK_FIX };
+  if (!input.isOrgRepo) return base;
+  const { content, changed } = upsertManagedGitignoreBlock(input.content);
+  if (!changed) return base;
+  return { ...base, ok: false, contentToWrite: content };
+}
 
 // src/stage-runner.ts
 var import_node_child_process3 = require("node:child_process");
 var import_node_fs2 = require("node:fs");
 var import_node_path2 = require("node:path");
+var import_node_net = require("node:net");
 var import_node_util2 = require("node:util");
 var execFileP2 = (0, import_node_util2.promisify)(import_node_child_process3.execFile);
 function stageStatePath(cwd = process.cwd()) {
@@ -3954,8 +4488,29 @@ function validateStageConfig(config = {}, action) {
   if (config.healthUrl != null && config.healthUrl.trim() && !/^https?:\/\//.test(config.healthUrl.trim())) {
     problems.push("stage.healthUrl must be an http(s) URL");
   }
+  if (config.portRange != null) {
+    const r = config.portRange;
+    const ok = Array.isArray(r) && r.length === 2 && r.every((n) => Number.isInteger(n) && n >= 1024 && n <= 65535) && r[0] <= r[1];
+    if (!ok) problems.push("stage.portRange must be [start, end] within 1024-65535 with start <= end");
+  }
   return problems;
 }
+function pickStagePort(range, isFree) {
+  if (!range) return void 0;
+  const [start, end] = range;
+  for (let port = start; port <= end; port++) {
+    if (isFree(port)) return port;
+  }
+  throw new Error(`no free stage port in range ${start}-${end} \u2014 every port is in use`);
+}
+function isPortFree(port) {
+  return new Promise((resolve) => {
+    const srv = (0, import_node_net.createServer)();
+    srv.once("error", () => resolve(false));
+    srv.once("listening", () => srv.close(() => resolve(true)));
+    srv.listen(port, "127.0.0.1");
+  });
+}
 async function shell(command, cwd, timeoutMs) {
   await execFileP2(command, [], {
     cwd,
@@ -4030,24 +4585,34 @@ async function startStage(config = {}, opts = {}) {
   const statePath = opts.statePath ?? stageStatePath(cwd);
   const dir = statePath.slice(0, Math.max(statePath.lastIndexOf("/"), statePath.lastIndexOf("\\")));
   (0, import_node_fs2.mkdirSync)(dir, { recursive: true });
-  const up = config.up.trim();
+  let stagePort;
+  if (config.portRange) {
+    const [s, e] = config.portRange;
+    const free = /* @__PURE__ */ new Set();
+    for (let p = s; p <= e; p++) if (await isPortFree(p)) free.add(p);
+    stagePort = pickStagePort(config.portRange, (p) => free.has(p));
+  }
+  const sub = (s) => s != null && stagePort != null ? s.replace(/\$\{?STAGE_PORT\}?/g, String(stagePort)) : s;
+  const up = sub(config.up.trim());
   const child = (0, import_node_child_process3.spawn)(up, {
     cwd,
     shell: true,
     detached: true,
     windowsHide: true,
-    stdio: "ignore"
+    stdio: "ignore",
+    env: stagePort != null ? { ...process.env, STAGE_PORT: String(stagePort) } : process.env
   });
   const state = {
     pid: child.pid ?? 0,
     command: up,
     cwd,
     startedAt: (opts.now ?? (() => /* @__PURE__ */ new Date()))().toISOString(),
-    healthUrl: config.healthUrl?.trim() || void 0
+    healthUrl: sub(config.healthUrl?.trim()) || void 0,
+    port: stagePort
   };
   (0, import_node_fs2.writeFileSync)(statePath, JSON.stringify(state, null, 2), "utf8");
   if (state.healthUrl) await waitForHealth(state.healthUrl, opts.timeoutMs ?? 6e4);
-  const result = { ok: true, action: "start", statePath, pid: state.pid, message: `started stage pid ${state.pid}` };
+  const result = { ok: true, action: "start", statePath, pid: state.pid, message: `started stage pid ${state.pid}${stagePort != null ? ` on port ${stagePort}` : ""}` };
   opts.onReady?.(result);
   child.unref();
   return result;
@@ -4063,28 +4628,65 @@ async function runStage(config = {}, opts = {}) {
   return { ...started, action: "run", message: `built and ${started.message}` };
 }
 
-// src/bootstrap-verify.ts
-var requiredDocs = ["README.md", "architecture.md", "AGENTS.md", "CLAUDE.md", ".claude/settings.json", ".mmi/config.json"];
-var requiredIssueTemplates = [
-  ".github/ISSUE_TEMPLATE/bug.yml",
-  ".github/ISSUE_TEMPLATE/feature.yml",
-  ".github/ISSUE_TEMPLATE/task.yml",
-  ".github/ISSUE_TEMPLATE/config.yml"
-];
-var requiredWorkflows = [".github/workflows/pr-to-board.yml"];
-var requiredLabels = ["bug", "feature", "task", "priority:high", "priority:medium", "priority:low"];
-var requiredStatusOptions = ["Todo", "In Progress", "In Review", "Done"];
-var requiredProjectWorkflows = [
-  "Auto-add sub-issues to project",
-  "Auto-close issue",
-  "Item added to project",
-  "Item closed",
-  "Pull request linked to issue",
-  "Pull request merged"
-];
-var requiredActionsVariables = ["MMI_APP_ID"];
-var requiredActionsSecrets = ["MMI_APP_PRIVATE_KEY"];
-function expectedBranches(repoClass) {
+// src/port-registry.ts
+var import_node_fs3 = require("node:fs");
+var BLOCK = 100;
+var SPAN = 10;
+var FIRST = 3e3;
+function nextPortBlock(registry2) {
+  const bases = Object.values(registry2).map(([start]) => start);
+  const base = bases.length ? Math.max(...bases) + BLOCK : FIRST;
+  return [base, base + SPAN];
+}
+function loadPortRegistry(path) {
+  if (!(0, import_node_fs3.existsSync)(path)) return {};
+  const raw = JSON.parse((0, import_node_fs3.readFileSync)(path, "utf8"));
+  const out = {};
+  for (const [key, value] of Object.entries(raw)) {
+    if (Array.isArray(value) && value.length === 2 && value.every((n) => typeof n === "number")) {
+      out[key] = [value[0], value[1]];
+    }
+  }
+  return out;
+}
+function ensurePortRange(repo, path) {
+  const registry2 = loadPortRegistry(path);
+  const existing = registry2[repo];
+  if (existing) return existing;
+  const range = nextPortBlock(registry2);
+  const raw = (0, import_node_fs3.existsSync)(path) ? JSON.parse((0, import_node_fs3.readFileSync)(path, "utf8")) : {};
+  raw[repo] = range;
+  (0, import_node_fs3.writeFileSync)(path, JSON.stringify(raw, null, 2) + "\n", "utf8");
+  return range;
+}
+function portCursorSeed(registry2) {
+  return nextPortBlock(registry2)[0];
+}
+function existingPortRange(repo, registry2) {
+  return registry2[repo] ?? null;
+}
+async function ensurePortRangeAtomic(repo, path, allocate, opts = {}) {
+  const registry2 = loadPortRegistry(path);
+  const existing = existingPortRange(repo, registry2);
+  if (existing) return { range: existing, source: "existing" };
+  const seed = portCursorSeed(registry2);
+  try {
+    const range = await allocate(seed);
+    return { range, source: "ddb" };
+  } catch (e) {
+    if (!opts.quiet) console.warn(`port-registry: DDB allocator unreachable, falling back to committed file (${e.message})`);
+    return { range: ensurePortRange(repo, path), source: "file" };
+  }
+}
+
+// src/access.ts
+var OWNER = "mutmutco";
+var LOCKED_APP = "mmi-github-app";
+var OVERGRANT_ROLES = /* @__PURE__ */ new Set(["admin", "maintain"]);
+var REQUIRED_DATA_ACCESS = {
+  "mutmutco/MM-Chat": [{ name: "kb-projection-reader", dbRole: "kb_reader", vaultParamNeedle: "KB_READ_DB_URL" }]
+};
+function lockedBranches(repoClass) {
   return repoClass === "content" ? ["main"] : ["development", "rc", "main"];
 }
 function safeJson(text, fallback) {
@@ -4101,59 +4703,330 @@ async function ghJson(deps, args, fallback) {
     return fallback;
   }
 }
-async function contentExists(deps, repo, branch, path) {
-  try {
-    const encodedPath = path.split("/").map(encodeURIComponent).join("/");
-    await deps.gh(["api", `repos/${repo}/contents/${encodedPath}?ref=${encodeURIComponent(branch)}`]);
-    return true;
-  } catch {
-    return false;
-  }
+async function resolveOwners(deps) {
+  const members = await ghJson(deps, ["api", `orgs/${OWNER}/members?role=admin`, "--paginate"], []);
+  return members.map((m) => m.login);
 }
-async function contentText(deps, repo, branch, path) {
-  try {
-    const encodedPath = path.split("/").map(encodeURIComponent).join("/");
-    const response = safeJson(
-      (await deps.gh(["api", `repos/${repo}/contents/${encodedPath}?ref=${encodeURIComponent(branch)}`])).stdout,
-      {}
-    );
-    if (response.content == null) return null;
-    if (response.encoding != null && response.encoding !== "base64") return null;
-    return Buffer.from(response.content.replace(/\s/g, ""), "base64").toString("utf8");
-  } catch {
-    return null;
+function collaboratorRole(c) {
+  return c.role_name ?? (c.permissions?.admin ? "admin" : c.permissions?.maintain ? "maintain" : "write");
+}
+async function auditRepoCollaborators(repo, owners, deps) {
+  const collabs = await ghJson(deps, ["api", `repos/${repo}/collaborators?affiliation=direct`, "--paginate"], []);
+  const findings = [];
+  for (const c of collabs) {
+    if (owners.has(c.login)) continue;
+    const role = collaboratorRole(c);
+    if (OVERGRANT_ROLES.has(role)) {
+      findings.push({
+        repo,
+        kind: "collaborator-overgrant",
+        severity: "high",
+        actor: c.login,
+        detail: `direct collaborator @${c.login} holds role '${role}'; a developer must be 'write' (admin/maintain is master-only)`,
+        remediation: `gh api -X PUT repos/${repo}/collaborators/${c.login} -f permission=push`
+      });
+    }
   }
+  return findings;
 }
-async function protectedBranch(deps, repo, branch) {
+async function auditTrainBranch(repo, branch, owners, deps, projectAdmins = /* @__PURE__ */ new Set()) {
+  let restrictions = null;
   try {
-    await deps.gh(["api", `repos/${repo}/branches/${branch}/protection`]);
-    return true;
+    restrictions = safeJson((await deps.gh(["api", `repos/${repo}/branches/${branch}/protection/restrictions`])).stdout, null);
   } catch {
-    return false;
+    restrictions = null;
+  }
+  if (!restrictions) {
+    return [{
+      repo,
+      branch,
+      kind: "unprotected-branch",
+      severity: "medium",
+      detail: `${branch} has no push restrictions (branch unprotected, or protection without a user/app allowlist)`,
+      remediation: `initialize the lock \u2014 see docs/Guides/repo-access.md "Initialize the lock"; PUT repos/${repo}/branches/${branch}/protection with restrictions {users:[<owners>], apps:["${LOCKED_APP}"]}`
+    }];
+  }
+  const findings = [];
+  const users = (restrictions.users ?? []).map((u) => u.login);
+  for (const login of users) {
+    if (!owners.has(login) && !projectAdmins.has(login)) {
+      findings.push({
+        repo,
+        branch,
+        kind: "train-allowlist-extra",
+        severity: "medium",
+        actor: login,
+        detail: `@${login} is on the ${branch} push allowlist \u2014 legitimate only if an intended full-write project-admin; confirm`,
+        remediation: `# if NOT an intended full-write member: gh api -X DELETE repos/${repo}/branches/${branch}/protection/restrictions/users --input - <<< '["${login}"]'`
+      });
+    }
+  }
+  for (const owner of owners) {
+    if (!users.includes(owner)) {
+      findings.push({
+        repo,
+        branch,
+        kind: "train-allowlist-missing",
+        severity: "medium",
+        actor: owner,
+        detail: `org owner @${owner} is missing from the ${branch} push allowlist`,
+        remediation: `gh api -X POST repos/${repo}/branches/${branch}/protection/restrictions/users --input - <<< '["${owner}"]'`
+      });
+    }
+  }
+  const apps = (restrictions.apps ?? []).map((a) => a.slug);
+  if (!apps.includes(LOCKED_APP)) {
+    findings.push({
+      repo,
+      branch,
+      kind: "app-bypass-missing",
+      severity: "high",
+      detail: `the ${LOCKED_APP} App is missing from the ${branch} allowlist \u2014 fanout/promotions will break`,
+      remediation: `gh api -X POST repos/${repo}/branches/${branch}/protection/restrictions/apps --input - <<< '["${LOCKED_APP}"]'`
+    });
   }
+  return findings;
+}
+function auditDataAccessContracts(repo, contracts = { consumers: {} }) {
+  const required = REQUIRED_DATA_ACCESS[repo] ?? [];
+  const configured = (contracts.consumers ?? {})[repo] ?? [];
+  const findings = [];
+  for (const req of required) {
+    const matched = configured.some((grant) => grant.name === req.name && grant.dbRole === req.dbRole && (grant.vaultParams ?? []).some((param) => param.includes(req.vaultParamNeedle)));
+    if (!matched) {
+      findings.push({
+        repo,
+        kind: "data-access-missing",
+        severity: "high",
+        detail: `${repo} must have auditable data-access contract '${req.name}' with DB role '${req.dbRole}' and vault parameter name containing '${req.vaultParamNeedle}'`,
+        remediation: `add or fix data-access-contracts.json for ${repo}; record parameter names only, never DSNs or secret values`
+      });
+    }
+  }
+  return findings;
+}
+async function auditRepoAccess(repo, repoClass, owners, deps, projectAdmins = /* @__PURE__ */ new Set(), dataAccess) {
+  const findings = [];
+  findings.push(...await auditRepoCollaborators(repo, owners, deps));
+  if (dataAccess) findings.push(...auditDataAccessContracts(repo, dataAccess));
+  for (const branch of lockedBranches(repoClass)) {
+    findings.push(...await auditTrainBranch(repo, branch, owners, deps, projectAdmins));
+  }
+  return { repo, class: repoClass, ok: !findings.some((f) => f.severity === "high"), findings };
+}
+async function auditOrgBasePermission(deps) {
+  const org = await ghJson(deps, ["api", `orgs/${OWNER}`], {});
+  const perm = org.default_repository_permission;
+  if (perm && perm !== "read" && perm !== "none") {
+    return [{
+      repo: OWNER,
+      kind: "org-base-permission",
+      severity: "high",
+      detail: `org default_repository_permission is '${perm}' \u2014 every member gets '${perm}' on every repo; D25 requires 'read'`,
+      remediation: `gh api -X PATCH orgs/${OWNER} -f default_repository_permission=read`
+    }];
+  }
+  return [];
+}
+async function auditOrgAccess(targets, deps, matrix = {}, dataAccess) {
+  const owners = new Set(await resolveOwners(deps));
+  const orgFindings = await auditOrgBasePermission(deps);
+  const repos = [];
+  for (const target of targets) {
+    repos.push(await auditRepoAccess(target.repo, target.class, owners, deps, new Set(matrix[target.repo] ?? []), dataAccess));
+  }
+  const ok = orgFindings.every((f) => f.severity !== "high") && repos.every((r) => r.ok);
+  return { ok, owners: [...owners], orgFindings, repos };
+}
+function loadAccessTargets(projectsJson, fanoutJson) {
+  const projects = safeJson(projectsJson, {}).projects ?? [];
+  const fanout = fanoutJson ? safeJson(fanoutJson, {}).repos ?? [] : [];
+  const contentNames = new Set(fanout.filter((r) => r.class === "content").map((r) => r.repo));
+  const seen = /* @__PURE__ */ new Set();
+  const targets = [];
+  for (const project2 of projects) {
+    for (const repo of project2.repos ?? []) {
+      if (seen.has(repo)) continue;
+      seen.add(repo);
+      targets.push({ repo, class: contentNames.has(repo.split("/")[1]) ? "content" : "deployable" });
+    }
+  }
+  return targets;
+}
+function loadAccessMatrix(matrixJson) {
+  if (!matrixJson) return {};
+  return safeJson(matrixJson, {}).projectAdmins ?? {};
+}
+function loadDataAccessContracts(dataAccessJson) {
+  if (!dataAccessJson) return { consumers: {} };
+  const parsed = safeJson(dataAccessJson, { consumers: {} });
+  return { consumers: parsed.consumers ?? {} };
+}
+function canonAccessRepo(repo) {
+  const name = repo.includes("/") ? repo.split("/").pop() : repo;
+  return `mutmutco/${name.toLowerCase()}`;
+}
+function accessMatrixFromProjects(projects) {
+  const matrix = {};
+  for (const p of projects) {
+    if (!Array.isArray(p.projectAdmins) || p.projectAdmins.length === 0) continue;
+    for (const repo of p.repos ?? []) matrix[canonAccessRepo(repo)] = p.projectAdmins;
+  }
+  return matrix;
+}
+function dataAccessContractsFromProjects(projects) {
+  const consumers = {};
+  for (const p of projects) {
+    if (!Array.isArray(p.consumers) || p.consumers.length === 0) continue;
+    for (const repo of p.repos ?? []) consumers[canonAccessRepo(repo)] = p.consumers;
+  }
+  return { consumers };
+}
+function renderAccessReport(report) {
+  const lines = [`mmi-cli access audit: ${report.ok ? "OK" : "CHECK"} (owners: ${report.owners.map((o) => "@" + o).join(", ") || "none"})`];
+  for (const finding of report.orgFindings ?? []) {
+    lines.push(`  [${finding.severity}] ${finding.kind}: ${finding.detail}`);
+    if (finding.remediation) lines.push(`      ${finding.remediation}`);
+  }
+  for (const repo of report.repos) {
+    lines.push(`${repo.ok ? "OK" : "FLAG"} ${repo.repo} (${repo.class})`);
+    for (const finding of repo.findings) {
+      lines.push(`  [${finding.severity}] ${finding.kind}${finding.branch ? ` @${finding.branch}` : ""}: ${finding.detail}`);
+      if (finding.remediation) lines.push(`      ${finding.remediation}`);
+    }
+  }
+  return lines.join("\n");
+}
+
+// src/bootstrap-verify.ts
+var requiredDocs = ["README.md", "architecture.md", "AGENTS.md", "CLAUDE.md", ".claude/settings.json", ".mmi/config.json"];
+var requiredIssueTemplates = [
+  ".github/ISSUE_TEMPLATE/bug.yml",
+  ".github/ISSUE_TEMPLATE/feature.yml",
+  ".github/ISSUE_TEMPLATE/task.yml",
+  ".github/ISSUE_TEMPLATE/config.yml"
+];
+var requiredWorkflows = [".github/workflows/pr-to-board.yml"];
+var requiredLabels = ["bug", "feature", "task", "priority:urgent", "priority:high", "priority:medium", "priority:low"];
+var requiredPriorityOptions = ["Urgent", "High", "Medium", "Low"];
+var strayDefaultLabels = ["documentation", "duplicate", "enhancement", "good first issue", "help wanted", "invalid", "question", "wontfix"];
+var requiredStatusOptions = ["Todo", "In Progress", "In Review", "Done"];
+var requiredProjectWorkflows = [
+  "Auto-add sub-issues to project",
+  "Auto-archive items",
+  "Item added to project",
+  "Item closed"
+];
+var requiredOrgRulesetTypes = ["pull_request", "non_fast_forward", "deletion"];
+var requiredHubStatusChecks = ["cli", "infra", "docs"];
+var requiredActionsVariables = ["MMI_APP_ID"];
+var requiredActionsSecrets = ["MMI_APP_PRIVATE_KEY"];
+function expectedBranches(repoClass) {
+  return repoClass === "content" ? ["main"] : ["development", "rc", "main"];
+}
+function safeJson2(text, fallback) {
+  try {
+    return JSON.parse(text);
+  } catch {
+    return fallback;
+  }
+}
+async function ghJson2(deps, args, fallback) {
+  try {
+    return safeJson2((await deps.gh(args)).stdout, fallback);
+  } catch {
+    return fallback;
+  }
+}
+async function contentExists(deps, repo, branch, path) {
+  try {
+    const encodedPath = path.split("/").map(encodeURIComponent).join("/");
+    await deps.gh(["api", `repos/${repo}/contents/${encodedPath}?ref=${encodeURIComponent(branch)}`]);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function contentText(deps, repo, branch, path) {
+  try {
+    const encodedPath = path.split("/").map(encodeURIComponent).join("/");
+    const response = safeJson2(
+      (await deps.gh(["api", `repos/${repo}/contents/${encodedPath}?ref=${encodeURIComponent(branch)}`])).stdout,
+      {}
+    );
+    if (response.content == null) return null;
+    if (response.encoding != null && response.encoding !== "base64") return null;
+    return Buffer.from(response.content.replace(/\s/g, ""), "base64").toString("utf8");
+  } catch {
+    return null;
+  }
+}
+async function getProtection(deps, repo, branch) {
+  try {
+    return safeJson2((await deps.gh(["api", `repos/${repo}/branches/${branch}/protection`])).stdout, {});
+  } catch {
+    return null;
+  }
+}
+function hasPushAllowlist(p) {
+  return Array.isArray(p?.restrictions?.users) && p.restrictions.users.length > 0;
 }
 function optionDetail(missing) {
   return missing.length === 0 ? void 0 : `missing: ${missing.join(", ")}`;
 }
+function presentDetail(present) {
+  return present.length === 0 ? void 0 : `present: ${present.join(", ")}`;
+}
+function missingRuleTypes(ruleset, required) {
+  const types = new Set((ruleset.rules || []).map((rule) => rule.type).filter(Boolean));
+  return required.filter((type) => !types.has(type));
+}
+function rulesetStatusChecks(rulesets) {
+  return new Set(rulesets.flatMap((ruleset) => (ruleset.rules || []).filter((rule) => rule.type === "required_status_checks").flatMap((rule) => rule.parameters?.required_status_checks || []).map((check) => check.context).filter((context) => Boolean(context))));
+}
+async function rulesetDetails(deps, repo, list) {
+  const details = [];
+  for (const ruleset of list) {
+    if (ruleset.id == null || ruleset.rules != null) {
+      details.push(ruleset);
+      continue;
+    }
+    details.push(await ghJson2(deps, ["api", `repos/${repo}/rulesets/${ruleset.id}`], ruleset));
+  }
+  return details;
+}
 function localRegistryCheck(deps, path, predicate) {
   const text = deps.readLocalFile?.(path);
   if (text == null) return null;
-  return predicate(safeJson(text, null));
+  return predicate(safeJson2(text, null));
 }
 async function verifyBootstrap(repo, repoClass, deps) {
   const branchesWanted = expectedBranches(repoClass);
   const baseBranch = repoClass === "content" ? "main" : "development";
   const checks = [];
-  const repoInfo = await ghJson(deps, ["api", `repos/${repo}`], {});
+  const repoInfo = await ghJson2(deps, ["api", `repos/${repo}`], {});
   checks.push({ ok: Boolean(repoInfo.default_branch), label: "repo exists" });
   checks.push({ ok: repoInfo.default_branch === baseBranch, label: `default branch is ${baseBranch}`, detail: repoInfo.default_branch || "missing" });
   checks.push({ ok: repoInfo.has_wiki === true, label: "wiki enabled", detail: repoInfo.has_wiki === true ? void 0 : "has_wiki is false or unavailable" });
-  const branchList = await ghJson(deps, ["api", `repos/${repo}/branches`, "--paginate"], []);
+  const branchList = await ghJson2(deps, ["api", `repos/${repo}/branches`, "--paginate"], []);
   const branchNames = new Set(branchList.map((b) => b.name));
   for (const branch of branchesWanted) {
     checks.push({ ok: branchNames.has(branch), label: `branch exists: ${branch}` });
-    checks.push({ ok: await protectedBranch(deps, repo, branch), label: `branch protection exists: ${branch}` });
+    const protection = await getProtection(deps, repo, branch);
+    checks.push({ ok: protection != null, label: `branch protection exists: ${branch}` });
+    checks.push({
+      ok: hasPushAllowlist(protection),
+      label: `push allowlist configured: ${branch}`,
+      detail: hasPushAllowlist(protection) ? void 0 : "restrictions.users is empty or unset"
+    });
   }
+  const owners = new Set(await resolveOwners(deps));
+  const overgrants = await auditRepoCollaborators(repo, owners, deps);
+  checks.push({
+    ok: overgrants.length === 0,
+    label: "collaborator roles are master-only (no admin/maintain over-grant)",
+    detail: overgrants.length ? `over-granted: ${overgrants.map((f) => f.actor).join(", ")}` : void 0
+  });
   for (const path of requiredDocs) {
     checks.push({ ok: await contentExists(deps, repo, baseBranch, path), label: `bootstrap artifact exists: ${path}` });
   }
@@ -4163,36 +5036,42 @@ async function verifyBootstrap(repo, repoClass, deps) {
   for (const path of requiredWorkflows) {
     checks.push({ ok: await contentExists(deps, repo, baseBranch, path), label: `automation workflow exists: ${path}` });
   }
+  if (repoClass === "deployable") {
+    const trainScript = "scripts/next-version.mjs";
+    checks.push({ ok: await contentExists(deps, repo, baseBranch, trainScript), label: `train tooling script exists: ${trainScript}` });
+  }
   checks.push({ ok: await contentExists(deps, repo, baseBranch, ".cursor/environment.json"), label: "Cursor environment committed" });
-  const labels = await ghJson(deps, ["label", "list", "--repo", repo, "--limit", "200", "--json", "name"], []);
+  const labels = await ghJson2(deps, ["label", "list", "--repo", repo, "--limit", "200", "--json", "name"], []);
   const labelNames = new Set(labels.map((l) => l.name));
   for (const label of requiredLabels) {
     checks.push({ ok: labelNames.has(label), label: `label exists: ${label}` });
   }
-  const actions = await ghJson(deps, ["api", `repos/${repo}/actions/permissions`], {});
+  const strays = strayDefaultLabels.filter((l) => labelNames.has(l));
+  checks.push({ ok: strays.length === 0, label: "no stray GitHub-default labels", detail: presentDetail(strays) });
+  const actions = await ghJson2(deps, ["api", `repos/${repo}/actions/permissions`], {});
   checks.push({ ok: actions.enabled === true, label: "GitHub Actions enabled" });
-  const variables = await ghJson(deps, ["variable", "list", "--repo", repo, "--json", "name"], []);
+  const variables = await ghJson2(deps, ["variable", "list", "--repo", repo, "--json", "name"], []);
   const variableNames = new Set(variables.map((v) => v.name));
   for (const variable of requiredActionsVariables) {
     checks.push({ ok: variableNames.has(variable), label: `Actions variable exists: ${variable}` });
   }
-  const secrets = await ghJson(deps, ["secret", "list", "--repo", repo, "--json", "name"], []);
-  const secretNames = new Set(secrets.map((s) => s.name));
+  const secrets2 = await ghJson2(deps, ["secret", "list", "--repo", repo, "--json", "name"], []);
+  const secretNames = new Set(secrets2.map((s) => s.name));
   for (const secret of requiredActionsSecrets) {
     checks.push({ ok: secretNames.has(secret), label: `Actions secret exists: ${secret}` });
   }
-  const config = safeJson(await contentText(deps, repo, baseBranch, ".mmi/config.json") || "", null);
+  const config = safeJson2(await contentText(deps, repo, baseBranch, ".mmi/config.json") || "", null);
   checks.push({
     ok: Boolean(config?.projectOwner && config?.projectNumber),
     label: ".mmi project board config exists"
   });
   if (config?.projectOwner && config.projectNumber != null) {
-    const project = await ghJson(
+    const project2 = await ghJson2(
       deps,
       ["project", "field-list", String(config.projectNumber), "--owner", config.projectOwner, "--format", "json"],
       {}
     );
-    const fields = project.fields || [];
+    const fields = project2.fields || [];
     const statusField = fields.find((field) => field.name === "Status");
     const labelField = fields.find((field) => field.name === "Labels");
     checks.push({
@@ -4223,8 +5102,33 @@ async function verifyBootstrap(repo, repoClass, deps) {
         });
       }
     }
+    const priorityField = fields.find((field) => field.name === "Priority" && (field.options?.length ?? 0) > 0);
+    checks.push({
+      ok: Boolean(priorityField),
+      label: `Project Priority field exists (API-writable): ${config.projectOwner}#${config.projectNumber}`
+    });
+    if (priorityField != null) {
+      const priorityNames = new Set((priorityField.options || []).map((option) => option.name));
+      const missingPriority = requiredPriorityOptions.filter((option) => !priorityNames.has(option));
+      checks.push({
+        ok: missingPriority.length === 0,
+        label: "Project Priority options configured",
+        detail: optionDetail(missingPriority)
+      });
+      checks.push({
+        ok: config.priorityFieldId === priorityField.id,
+        label: ".mmi priorityFieldId matches project"
+      });
+      for (const optionName of requiredPriorityOptions) {
+        const projectOption = priorityField.options?.find((option) => option.name === optionName);
+        checks.push({
+          ok: Boolean(projectOption?.id && config.priorityOptions?.[optionName] === projectOption.id),
+          label: `.mmi priority option matches project: ${optionName}`
+        });
+      }
+    }
     const workflowQuery = "query($login: String!, $number: Int!) { organization(login: $login) { projectV2(number: $number) { workflows(first: 30) { nodes { name enabled } } } } }";
-    const workflowResponse = await ghJson(
+    const workflowResponse = await ghJson2(
       deps,
       ["api", "graphql", "-f", `query=${workflowQuery}`, "-f", `login=${config.projectOwner}`, "-F", `number=${config.projectNumber}`],
       {}
@@ -4241,22 +5145,257 @@ async function verifyBootstrap(repo, repoClass, deps) {
   if (fanout != null) checks.push({ ok: fanout, label: `fanout target registered on ${baseBranch}` });
   const projectRegistry = localRegistryCheck(deps, "projects.json", (json) => Array.isArray(json?.projects) && json.projects.some((p) => (p.repos || []).includes(repo)));
   if (projectRegistry != null) checks.push({ ok: projectRegistry, label: "cloud-agent project registry includes repo" });
-  return { ok: checks.every((c) => c.ok), repo, class: repoClass, baseBranch, checks };
+  const rulesetList = await ghJson2(
+    deps,
+    ["api", `repos/${repo}/rulesets?includes_parents=true`],
+    []
+  );
+  const rulesets = await rulesetDetails(deps, repo, rulesetList);
+  const activeOrgRulesets = rulesets.filter(
+    (r) => r.source_type === "Organization" && r.target === "branch" && r.enforcement === "active"
+  );
+  const orgRuleset = activeOrgRulesets.find((ruleset) => missingRuleTypes(ruleset, requiredOrgRulesetTypes).length === 0);
+  const missingOrgRuleTypes = activeOrgRulesets.length === 0 ? requiredOrgRulesetTypes : missingRuleTypes(activeOrgRulesets[0], requiredOrgRulesetTypes);
+  checks.push({
+    ok: Boolean(orgRuleset),
+    label: "covered by an active org ruleset",
+    detail: orgRuleset ? void 0 : activeOrgRulesets.length === 0 ? "no active Organization-sourced branch ruleset targets this repo" : `missing rule types: ${missingOrgRuleTypes.join(", ")}`
+  });
+  if (repo === "mutmutco/MMI-Hub") {
+    const statusChecks = rulesetStatusChecks(rulesets.filter((r) => r.target === "branch" && r.enforcement === "active"));
+    const missing = requiredHubStatusChecks.filter((check) => !statusChecks.has(check));
+    checks.push({
+      ok: missing.length === 0,
+      label: "Hub required status checks configured",
+      detail: optionDetail(missing)
+    });
+  }
+  const waived = applyWaivers(checks, config?.verifyWaivers ?? []);
+  return { ok: waived.every((c) => c.ok || c.waived), repo, class: repoClass, baseBranch, checks: waived };
+}
+function applyWaivers(checks, waivers) {
+  if (!waivers?.length) return checks;
+  const set = new Set(waivers);
+  return checks.map((c) => !c.ok && set.has(c.label) ? { ...c, waived: true } : c);
 }
 function renderBootstrapVerifyReport(report) {
   const lines = [`mmi-cli bootstrap verify: ${report.ok ? "OK" : "CHECK"} ${report.repo} (${report.class}, ${report.baseBranch})`];
   for (const check of report.checks) {
-    lines.push(`${check.ok ? "OK" : "FAIL"} ${check.label}${check.detail ? ` - ${check.detail}` : ""}`);
+    const status = check.ok ? "OK" : check.waived ? "WAIVE" : "FAIL";
+    lines.push(`${status} ${check.label}${check.detail ? ` - ${check.detail}` : ""}`);
+  }
+  return lines.join("\n");
+}
+
+// src/bootstrap-apply.ts
+function planSeedAction(seed, exists) {
+  if (seed.source === "fanout") {
+    return { target: seed.target, action: "skip", ownership: "fanout", reason: "delivered by the fanout pipeline" };
+  }
+  if (seed.source === "managed-block") {
+    return exists ? { target: seed.target, action: "update", ownership: "org", reason: "org-managed block merged in-place (repo-owned lines preserved)" } : { target: seed.target, action: "create", ownership: "org", reason: "org-managed block; .gitignore absent, created" };
+  }
+  if (seed.ownership === "repo") {
+    return exists ? { target: seed.target, action: "skip", ownership: "repo", reason: "repo-owned, already present (never clobbered)" } : { target: seed.target, action: "create", ownership: "repo", reason: "repo-owned, missing" };
   }
+  return exists ? { target: seed.target, action: "update", ownership: "org", reason: "org-owned, refresh to current" } : { target: seed.target, action: "create", ownership: "org", reason: "org-owned, missing" };
+}
+function renderSeedPlan(actions) {
+  const lines = ["bootstrap apply \u2014 seed plan (dry-run; no mutations):"];
+  for (const a of actions) {
+    lines.push(`  ${a.action.toUpperCase().padEnd(6)} ${a.target}  (${a.ownership}: ${a.reason})`);
+  }
+  const order = ["create", "update", "skip"];
+  lines.push(`  \u2014 ${order.map((k) => `${actions.filter((a) => a.action === k).length} ${k}`).join(", ")}`);
   return lines.join("\n");
 }
+function resolveSeedContent(seed, vars, readFile2) {
+  if (seed.source === "self") return readFile2(seed.target);
+  if (seed.source.startsWith("seed:")) {
+    const tmpl = readFile2(`skills/bootstrap/seeds/${seed.source.slice("seed:".length)}`);
+    return tmpl == null ? null : renderSeed(tmpl, vars);
+  }
+  return null;
+}
+function buildRegisterPayload(repo, cls, vars) {
+  const slug = (repo.split("/")[1] ?? repo).toLowerCase();
+  const num = (v) => {
+    if (v == null || v === "") return void 0;
+    const n = Number(v);
+    return Number.isFinite(n) ? n : void 0;
+  };
+  const statusOptions = vars.STATUS_TODO || vars.STATUS_IN_PROGRESS || vars.STATUS_IN_REVIEW || vars.STATUS_DONE ? {
+    Todo: vars.STATUS_TODO,
+    "In Progress": vars.STATUS_IN_PROGRESS,
+    "In Review": vars.STATUS_IN_REVIEW,
+    Done: vars.STATUS_DONE
+  } : void 0;
+  const priorityOptions = vars.PRIORITY_URGENT || vars.PRIORITY_HIGH || vars.PRIORITY_MEDIUM || vars.PRIORITY_LOW ? {
+    Urgent: vars.PRIORITY_URGENT,
+    High: vars.PRIORITY_HIGH,
+    Medium: vars.PRIORITY_MEDIUM,
+    Low: vars.PRIORITY_LOW
+  } : void 0;
+  const payload = {
+    slug,
+    // Identity. name/division default off the repo name when the skill didn't pass them.
+    name: vars.NAME || repo.split("/")[1] || slug,
+    division: vars.DIVISION || (repo.split("/")[1] ?? "").split("-")[0] || void 0,
+    repos: [`mutmutco/${slug}`],
+    wikiRepo: vars.WIKI_REPO || `mutmutco/${repo.split("/")[1] ?? slug}`,
+    branch: vars.BRANCH || (cls === "content" ? "main" : "development"),
+    class: cls,
+    // Board coords (from GraphQL at bootstrap, passed as --var by the skill).
+    projectOwner: vars.PROJECT_OWNER || void 0,
+    projectNumber: num(vars.PROJECT_NUMBER),
+    projectId: vars.PROJECT_ID || void 0,
+    statusFieldId: vars.STATUS_FIELD_ID || void 0,
+    statusOptions,
+    priorityFieldId: vars.PRIORITY_FIELD_ID || void 0,
+    priorityOptions,
+    // Pointers. vaultPath is explicit + canonical; kbPointer is the per-project KB doc path.
+    vaultPath: `/mmi-future/${slug}`,
+    kbPointer: `kb/projects/${slug}.md`
+  };
+  for (const k of Object.keys(payload)) if (payload[k] === void 0) delete payload[k];
+  return payload;
+}
+function contentPutArgs(repo, path, content, branch, sha) {
+  const args = [
+    "api",
+    "-X",
+    "PUT",
+    `repos/${repo}/contents/${path.split("/").map(encodeURIComponent).join("/")}`,
+    "-f",
+    `message=bootstrap: seed ${path}`,
+    "-f",
+    `content=${Buffer.from(content, "utf8").toString("base64")}`,
+    "-f",
+    `branch=${branch}`
+  ];
+  if (sha) args.push("-f", `sha=${sha}`);
+  return args;
+}
+
+// src/registry-client.ts
+var DEFAULT_TIMEOUT_MS = 8e3;
+async function fetchProjectsList(deps) {
+  if (!deps.baseUrl) return null;
+  const token = await deps.token();
+  if (!token) return null;
+  const doFetch = deps.fetch ?? fetch;
+  try {
+    const res = await doFetch(`${deps.baseUrl.replace(/\/$/, "")}/projects/list`, {
+      method: "GET",
+      headers: { Authorization: `Bearer ${token}` },
+      signal: AbortSignal.timeout(deps.timeoutMs ?? DEFAULT_TIMEOUT_MS)
+    });
+    if (!res.ok) return null;
+    const body = await res.json();
+    return Array.isArray(body?.projects) ? body.projects : null;
+  } catch {
+    return null;
+  }
+}
+async function fetchProjectsJson(deps) {
+  const projects = await fetchProjectsList(deps);
+  return projects ? JSON.stringify({ projects }) : null;
+}
+async function fetchProjectBySlug(slug, deps) {
+  if (!deps.baseUrl || !slug) return null;
+  const token = await deps.token();
+  if (!token) return null;
+  const doFetch = deps.fetch ?? fetch;
+  try {
+    const res = await doFetch(`${deps.baseUrl.replace(/\/$/, "")}/projects/${encodeURIComponent(slug)}`, {
+      method: "GET",
+      headers: { Authorization: `Bearer ${token}` },
+      signal: AbortSignal.timeout(deps.timeoutMs ?? DEFAULT_TIMEOUT_MS)
+    });
+    if (!res.ok) return null;
+    return await res.json();
+  } catch {
+    return null;
+  }
+}
+async function fetchOrgConfig(deps) {
+  if (!deps.baseUrl) return null;
+  const token = await deps.token();
+  if (!token) return null;
+  const doFetch = deps.fetch ?? fetch;
+  try {
+    const res = await doFetch(`${deps.baseUrl.replace(/\/$/, "")}/org/config`, {
+      method: "GET",
+      headers: { Authorization: `Bearer ${token}` },
+      signal: AbortSignal.timeout(deps.timeoutMs ?? DEFAULT_TIMEOUT_MS)
+    });
+    if (!res.ok) return null;
+    return await res.json();
+  } catch {
+    return null;
+  }
+}
+async function postJson(pathSuffix, payload, deps, method = "POST") {
+  if (!deps.baseUrl) return { ok: false, status: 0, body: null, error: "no Hub API URL (this repo is not bootstrapped)" };
+  const token = await deps.token();
+  if (!token) return { ok: false, status: 0, body: null, error: "no GitHub token (run `gh auth login`)" };
+  const doFetch = deps.fetch ?? fetch;
+  try {
+    const res = await doFetch(`${deps.baseUrl.replace(/\/$/, "")}${pathSuffix}`, {
+      method,
+      headers: { Authorization: `Bearer ${token}`, "content-type": "application/json" },
+      body: JSON.stringify(payload),
+      signal: AbortSignal.timeout(deps.timeoutMs ?? DEFAULT_TIMEOUT_MS)
+    });
+    let body = null;
+    try {
+      body = await res.json();
+    } catch {
+    }
+    return { ok: res.ok, status: res.status, body };
+  } catch (e) {
+    return { ok: false, status: 0, body: null, error: e.message };
+  }
+}
+async function registerProject(payload, deps) {
+  return postJson("/projects/register", payload, deps);
+}
+async function upsertProject(slug, patch, deps) {
+  return postJson(`/projects/${encodeURIComponent(slug)}`, patch, deps);
+}
+
+// src/kb.ts
+var DEFAULT_KB = { owner: "mutmutco", repo: "MM-KB", ref: "main" };
+function resolveKbSource(rawBase) {
+  if (!rawBase) return DEFAULT_KB;
+  const m = rawBase.match(/raw\.githubusercontent\.com\/([^/]+)\/([^/]+)\/([^/?#]+)/);
+  if (!m) return DEFAULT_KB;
+  return { owner: m[1], repo: m[2], ref: m[3] };
+}
+function buildKbGetArgs(src, path) {
+  const clean = path.replace(/^\/+/, "");
+  return ["api", `repos/${src.owner}/${src.repo}/contents/${clean}?ref=${src.ref}`, "-H", "Accept: application/vnd.github.raw"];
+}
+function buildKbTreeArgs(src) {
+  return ["api", `repos/${src.owner}/${src.repo}/git/trees/${src.ref}?recursive=1`];
+}
+function parseKbTree(stdout, prefix) {
+  let tree;
+  try {
+    tree = JSON.parse(stdout)?.tree ?? [];
+  } catch {
+    return [];
+  }
+  const pre = prefix ? prefix.replace(/^\/+/, "") : void 0;
+  return tree.filter((t) => t.type === "blob" && typeof t.path === "string" && t.path.startsWith("kb/")).map((t) => t.path).filter((p) => pre ? p.startsWith(pre) : true).sort();
+}
 
 // src/plan.ts
 var import_node_path3 = require("node:path");
 var PLANS_DIR = "plans";
 var META_FILE = (0, import_node_path3.join)(PLANS_DIR, ".plan-meta.json");
 var planPath = (slug) => (0, import_node_path3.join)(PLANS_DIR, `${slug}.md`);
-var metaKey = (project, slug) => `${project}/${slug}`;
+var metaKey = (project2, slug) => `${project2}/${slug}`;
 function parseMeta(raw) {
   if (!raw) return {};
   try {
@@ -4278,23 +5417,46 @@ function hashContent(s) {
   return (h >>> 0).toString(16);
 }
 function staleHint(slug) {
-  return `remote "${slug}" is newer \u2014 run \`mmi-cli plan pull ${slug}\` first (your local is based on an older version), or re-push with \`--force\` to overwrite`;
+  return `remote "${slug}" is newer \u2014 run \`mmi-cli northstar pull ${slug}\` first (your local is based on an older version), or re-push with \`--force\` to overwrite`;
 }
 function formatPlanList(plans) {
   return plans.map((p) => `${p.slug}  \xB7  ${p.updatedAt ?? "-"}  \xB7  ${p.project}`).join("\n");
 }
 var TIMEOUT_MS = 8e3;
+var GRADUATION_KEYS = /* @__PURE__ */ new Set(["northstar-graduation", "privacy", "merged-pr"]);
+function splitFrontmatter(content) {
+  const match = /^---\n([\s\S]*?)\n---(?:\n|$)/.exec(content);
+  if (!match) return { entries: [], body: content };
+  return { entries: match[1].split(/\r?\n/).filter((line) => line.trim()), body: content.slice(match[0].length) };
+}
+function markPlanGraduated(content, opts) {
+  const { entries, body } = splitFrontmatter(normalizeEol(content));
+  const preserved = entries.filter((line) => {
+    const key = /^([A-Za-z0-9_-]+):/.exec(line)?.[1]?.toLowerCase();
+    return !key || !GRADUATION_KEYS.has(key);
+  });
+  const next = [
+    ...preserved,
+    "northstar-graduation: built-and-merged",
+    "privacy: org",
+    `merged-pr: ${opts.mergedPr}`
+  ];
+  return `---
+${next.join("\n")}
+---
+${body.replace(/^\n+/, "")}`;
+}
 async function planPush(deps, slug, opts = {}) {
   const raw = deps.readLocal(slug);
   if (raw == null) {
     deps.err(`no local ${planPath(slug)} to push`);
-    return;
+    return false;
   }
   const content = normalizeEol(raw);
-  const project = opts.project ?? await deps.project();
+  const project2 = opts.project ?? await deps.project();
   const meta = parseMeta(deps.readMetaRaw());
-  const entry = meta[metaKey(project, slug)];
-  const body = { project, slug, content };
+  const entry = meta[metaKey(project2, slug)];
+  const body = { project: project2, slug, content };
   if (opts.force) body.force = true;
   else if (entry?.etag) body.baseEtag = entry.etag;
   const res = await deps.fetch(`${deps.apiUrl}/plan/put`, {
@@ -4305,25 +5467,28 @@ async function planPush(deps, slug, opts = {}) {
   });
   if (res.ok) {
     const out = await res.json();
-    meta[metaKey(project, slug)] = { etag: out.etag, hash: hashContent(content), syncedAt: deps.now() };
+    meta[metaKey(project2, slug)] = { etag: out.etag, hash: hashContent(content), syncedAt: deps.now() };
     deps.writeMetaRaw(serializeMeta(meta));
     deps.log(`pushed ${slug}`);
+    return true;
   } else if (res.status === 409) {
     deps.err(staleHint(slug));
+    return false;
   } else {
     deps.err(`plan push failed: HTTP ${res.status}`);
+    return false;
   }
 }
 async function planPull(deps, slug, opts = {}) {
-  const project = opts.project ?? await deps.project();
+  const project2 = opts.project ?? await deps.project();
   const meta = parseMeta(deps.readMetaRaw());
-  const entry = meta[metaKey(project, slug)];
+  const entry = meta[metaKey(project2, slug)];
   const local = deps.readLocal(slug);
   if (local != null && entry && !opts.force && hashContent(normalizeEol(local)) !== entry.hash) {
     deps.err(`local ${planPath(slug)} has unpushed edits \u2014 push it, or pull with --force to overwrite`);
     return;
   }
-  const qs = new URLSearchParams({ project, slug }).toString();
+  const qs = new URLSearchParams({ project: project2, slug }).toString();
   const res = await deps.fetch(`${deps.apiUrl}/plan/get?${qs}`, {
     method: "GET",
     headers: await deps.headers(),
@@ -4340,7 +5505,7 @@ async function planPull(deps, slug, opts = {}) {
   const doc = await res.json();
   const content = normalizeEol(doc.content ?? "");
   deps.writeLocal(slug, content);
-  meta[metaKey(project, slug)] = { etag: doc.etag, hash: hashContent(content), syncedAt: deps.now() };
+  meta[metaKey(project2, slug)] = { etag: doc.etag, hash: hashContent(content), syncedAt: deps.now() };
   deps.writeMetaRaw(serializeMeta(meta));
   deps.log(`pulled ${slug} \u2192 ${planPath(slug)}`);
 }
@@ -4373,26 +5538,331 @@ async function planList(deps, opts = {}) {
   deps.log(formatPlanList(plans));
 }
 async function planDelete(deps, slug, opts = {}) {
-  const project = opts.project ?? await deps.project();
+  const project2 = opts.project ?? await deps.project();
   const res = await deps.fetch(`${deps.apiUrl}/plan/delete`, {
     method: "POST",
     headers: await deps.headers({ "content-type": "application/json" }),
-    body: JSON.stringify({ project, slug }),
-    signal: AbortSignal.timeout(TIMEOUT_MS)
+    body: JSON.stringify({ project: project2, slug }),
+    signal: AbortSignal.timeout(TIMEOUT_MS)
+  });
+  if (!res.ok) {
+    deps.err(`plan delete failed: HTTP ${res.status}`);
+    return;
+  }
+  deps.removeLocal(slug);
+  const meta = parseMeta(deps.readMetaRaw());
+  delete meta[metaKey(project2, slug)];
+  deps.writeMetaRaw(serializeMeta(meta));
+  deps.log(`deleted ${slug}`);
+}
+async function planGraduate(deps, slug, opts = {}) {
+  if (!opts.orgVisible) {
+    deps.err("refusing to mark an org-visible graduation without --org-visible");
+    return;
+  }
+  if (!opts.mergedPr) {
+    deps.err("missing --merged-pr <url|number>");
+    return;
+  }
+  const raw = deps.readLocal(slug);
+  if (raw == null) {
+    deps.err(`no local ${planPath(slug)} to graduate`);
+    return;
+  }
+  const content = markPlanGraduated(raw, { mergedPr: opts.mergedPr });
+  deps.writeLocal(slug, content);
+  const pushed = await planPush(deps, slug, { project: opts.project, force: opts.force });
+  if (pushed) deps.log(`graduated ${slug}`);
+}
+
+// src/secrets.ts
+var OWNER2 = "mutmutco";
+var SSM_ROOT = "/mmi-future";
+var PROJECT_TIER_SEGMENT = "dev";
+var KEY_RE = /^(?:[a-z][a-z0-9-]*\/)?[A-Za-z][A-Za-z0-9_]*$/;
+function isValidSecretKey(key) {
+  if (!key || key.length > 256) return false;
+  if (key.includes("..") || key.startsWith("/") || key.includes("*")) return false;
+  return KEY_RE.test(key);
+}
+function classifyTier(_slug, key) {
+  const slash = key.indexOf("/");
+  if (slash === -1) return "project";
+  return key.slice(0, slash) === PROJECT_TIER_SEGMENT ? "project" : "org";
+}
+function secretParamName(slug, key) {
+  const rel = key.includes("/") ? key : `${PROJECT_TIER_SEGMENT}/${key}`;
+  return `${SSM_ROOT}/${slug}/${rel}`;
+}
+function formatSecretList(items) {
+  if (!items.length) return "no secrets";
+  const width = Math.max(...items.map((i) => i.key.length));
+  return items.map((i) => `${i.canManage ? "*" : " "} ${i.key.padEnd(width)}  ${i.tier}`).join("\n").concat("\n\n* = you can manage (write/rotate) this secret. Values are never shown \u2014 `secrets get <KEY>` prints one.");
+}
+function vaultPointer(slug) {
+  const root = `${SSM_ROOT}/${slug}`;
+  return {
+    slug,
+    root,
+    tiers: {
+      project: `${root}/${PROJECT_TIER_SEGMENT}/*  (project-admin self-serve)`,
+      org: [`${root}/rc/*`, `${root}/main/*`].map((p) => `${p}  (master-gated)`)
+    },
+    stages: ["dev", "rc", "main"],
+    // Google OAuth is one client per repo; creds live at every stage under the standard key names
+    // (local is port-agnostic and reuses the dev tier). See the oauth-everywhere convention.
+    wellKnown: {
+      googleOAuth: ["dev/GOOGLE_CLIENT_ID", "dev/GOOGLE_CLIENT_SECRET", "rc/GOOGLE_CLIENT_ID", "rc/GOOGLE_CLIENT_SECRET", "main/GOOGLE_CLIENT_ID", "main/GOOGLE_CLIENT_SECRET"]
+    }
+  };
+}
+function formatVaultPointer(p) {
+  const lines = [
+    `vault root: ${p.root}`,
+    `  project tier (self-serve): ${p.tiers.project}`,
+    `  org tier (master-gated):   ${p.tiers.org.join("  \xB7  ")}`,
+    `stages: ${p.stages.join(", ")}  (local is port-agnostic, reuses dev)`,
+    `well-known keys:`,
+    ...Object.entries(p.wellKnown).map(([k, keys]) => `  ${k}: ${keys.join(", ")}`),
+    ``,
+    `enumerate actual keys:  mmi-cli secrets list`,
+    `read one:               mmi-cli secrets get <stage>/<KEY>   (e.g. main/GOOGLE_CLIENT_ID)`,
+    `set a project-tier key: mmi-cli secrets set <KEY>           (value via stdin; org tier needs a master grant)`
+  ];
+  return lines.join("\n");
+}
+var TIMEOUT_MS2 = 8e3;
+var repoOf = (slug) => `${OWNER2}/${slug}`;
+async function targetRepo(deps, opts) {
+  return opts.repo ?? repoOf(await deps.slug());
+}
+async function secretsWhere(deps, opts) {
+  const slug = opts.repo ? opts.repo.split("/").pop().toLowerCase() : await deps.slug();
+  deps.log(formatVaultPointer(vaultPointer(slug)));
+}
+async function readErr(res) {
+  try {
+    const j = await res.json();
+    return j?.error ? `: ${j.error}` : "";
+  } catch {
+    return "";
+  }
+}
+async function fetchSecretValue(deps, key, opts) {
+  if (!isValidSecretKey(key)) return null;
+  const repo = await targetRepo(deps, opts);
+  try {
+    const res = await deps.fetch(`${deps.apiUrl}/secrets/get`, {
+      method: "POST",
+      headers: await deps.headers({ "content-type": "application/json" }),
+      body: JSON.stringify({ repo, key }),
+      signal: AbortSignal.timeout(TIMEOUT_MS2)
+    });
+    if (!res.ok) return null;
+    const { value } = await res.json();
+    return value ?? null;
+  } catch {
+    return null;
+  }
+}
+async function secretsList(deps, opts) {
+  const repo = await targetRepo(deps, opts);
+  const qs = new URLSearchParams({ repo }).toString();
+  let res;
+  try {
+    res = await deps.fetch(`${deps.apiUrl}/secrets/list?${qs}`, {
+      method: "GET",
+      headers: await deps.headers(),
+      signal: AbortSignal.timeout(TIMEOUT_MS2)
+    });
+  } catch (e) {
+    deps.err(`secrets list: ${e.message}`);
+    return;
+  }
+  if (!res.ok) {
+    deps.err(`secrets list failed: HTTP ${res.status}${await readErr(res)}`);
+    return;
+  }
+  const { secrets: secrets2 } = await res.json();
+  deps.log(formatSecretList(secrets2 ?? []));
+}
+async function secretsGet(deps, key, opts) {
+  if (!isValidSecretKey(key)) return deps.err(`invalid secret key ${JSON.stringify(key)}`);
+  const repo = await targetRepo(deps, opts);
+  const res = await deps.fetch(`${deps.apiUrl}/secrets/get`, {
+    method: "POST",
+    headers: await deps.headers({ "content-type": "application/json" }),
+    body: JSON.stringify({ repo, key }),
+    signal: AbortSignal.timeout(TIMEOUT_MS2)
+  });
+  if (!res.ok) {
+    deps.err(
+      res.status === 403 ? `secrets get: not authorized for ${key} (HTTP 403)${await readErr(res)}` : `secrets get failed: HTTP ${res.status}${await readErr(res)}`
+    );
+    return;
+  }
+  const { value } = await res.json();
+  deps.log(value ?? "");
+}
+async function secretsSet(deps, key, opts) {
+  if (!isValidSecretKey(key)) return deps.err(`invalid secret key ${JSON.stringify(key)}`);
+  const repo = await targetRepo(deps, opts);
+  const value = await deps.readSecretValue(`value for ${key} (input hidden; will not be echoed): `);
+  if (!value) {
+    deps.err("secrets set: empty value \u2014 aborted (nothing written)");
+    return;
+  }
+  const res = await deps.fetch(`${deps.apiUrl}/secrets/set`, {
+    method: "POST",
+    headers: await deps.headers({ "content-type": "application/json" }),
+    body: JSON.stringify({ repo, key, value }),
+    signal: AbortSignal.timeout(TIMEOUT_MS2)
+  });
+  if (!res.ok) {
+    deps.err(
+      res.status === 403 ? `secrets set: not authorized to write ${key} (HTTP 403)${await readErr(res)}` : `secrets set failed: HTTP ${res.status}${await readErr(res)}`
+    );
+    return;
+  }
+  deps.log(`set ${key} (${classifyTier(await deps.slug(), key)} tier)`);
+}
+async function secretsEdit(deps, key, opts) {
+  return secretsSet(deps, key, opts);
+}
+async function secretsRemove(deps, key, opts) {
+  if (!isValidSecretKey(key)) return deps.err(`invalid secret key ${JSON.stringify(key)}`);
+  const repo = await targetRepo(deps, opts);
+  const res = await deps.fetch(`${deps.apiUrl}/secrets/rm`, {
+    method: "POST",
+    headers: await deps.headers({ "content-type": "application/json" }),
+    body: JSON.stringify({ repo, key }),
+    signal: AbortSignal.timeout(TIMEOUT_MS2)
+  });
+  if (!res.ok) {
+    deps.err(
+      res.status === 403 ? `secrets rm: not authorized to remove ${key} (HTTP 403)${await readErr(res)}` : `secrets rm failed: HTTP ${res.status}${await readErr(res)}`
+    );
+    return;
+  }
+  deps.log(`removed ${key}`);
+}
+async function secretsGrant(deps, repo, login, key, _opts) {
+  const res = await deps.fetch(`${deps.apiUrl}/secrets/grant`, {
+    method: "POST",
+    headers: await deps.headers({ "content-type": "application/json" }),
+    body: JSON.stringify({ repo, login, key }),
+    signal: AbortSignal.timeout(TIMEOUT_MS2)
+  });
+  if (!res.ok) {
+    deps.err(
+      res.status === 403 ? `secrets grant: master-admin only (HTTP 403)${await readErr(res)}` : `secrets grant failed: HTTP ${res.status}${await readErr(res)}`
+    );
+    return;
+  }
+  deps.log(`granted @${login} access to ${key} in ${repo}`);
+}
+async function secretsRevoke(deps, repo, login, key, _opts) {
+  const res = await deps.fetch(`${deps.apiUrl}/secrets/revoke`, {
+    method: "POST",
+    headers: await deps.headers({ "content-type": "application/json" }),
+    body: JSON.stringify({ repo, login, key }),
+    signal: AbortSignal.timeout(TIMEOUT_MS2)
   });
   if (!res.ok) {
-    deps.err(`plan delete failed: HTTP ${res.status}`);
+    deps.err(
+      res.status === 403 ? `secrets revoke: master-admin only (HTTP 403)${await readErr(res)}` : `secrets revoke failed: HTTP ${res.status}${await readErr(res)}`
+    );
     return;
   }
-  deps.removeLocal(slug);
-  const meta = parseMeta(deps.readMetaRaw());
-  delete meta[metaKey(project, slug)];
-  deps.writeMetaRaw(serializeMeta(meta));
-  deps.log(`deleted ${slug}`);
+  deps.log(`revoked @${login}'s access to ${key} in ${repo}`);
+}
+async function secretsUse(deps, key, _opts) {
+  const slug = await deps.slug();
+  const tier = classifyTier(slug, key);
+  const path = secretParamName(slug, key);
+  deps.log(
+    [
+      `${key} \u2192 ${path} (${tier} tier)`,
+      "",
+      "Consume it WITHOUT committing it:",
+      `  \u2022 Runtime / agents: read it keylessly at runtime via the box's OIDC role (it can read its own ${tier} tier). Never bake it into an image or commit it.`,
+      `  \u2022 CI (GitHub Actions): the workflow assumes its OIDC role and runs \`aws ssm get-parameter --with-decryption --name ${path}\` \u2014 no GitHub secret.`,
+      "  \u2022 Local dev: pull it into a gitignored .env from the vault \u2014 `mmi-cli secrets get " + key + " > /dev/null` to confirm access, then export it in your shell. Never paste it into tracked files or chat.",
+      tier === "project" ? "  \u2022 If this dev secret graduates to a real prod credential, ask the master to promote it to the org tier (rc/ or main/)." : "  \u2022 This is an ORG-tier secret \u2014 master-gated. If you need standing access, ask the master for a `secrets grant`."
+    ].join("\n")
+  );
+}
+
+// src/oauth.ts
+var DEFAULT_DOMAINS = ["mutatismutandis.co", "mutmut.co"];
+var DEFAULT_CALLBACK_PATH = "/api/auth/callback";
+var ENV_PREFIXES = ["", "dev", "rc"];
+var LOOPBACK = ["http://localhost", "http://127.0.0.1"];
+var SSM_ENVS = ["dev", "rc", "main"];
+var SSM_NAMES = ["GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET"];
+var uniq = (xs) => [...new Set(xs)];
+function defaultSubdomain(slug) {
+  const i = slug.indexOf("-");
+  return i === -1 ? slug : slug.slice(i + 1);
+}
+function expectedHosts(cfg) {
+  const out = [];
+  for (const sub of cfg.subdomains) {
+    for (const domain of cfg.domains) {
+      const base = sub ? `${sub}.${domain}` : domain;
+      for (const env of ENV_PREFIXES) out.push(env ? `${env}.${base}` : base);
+    }
+  }
+  return uniq(out);
+}
+function expectedJsOrigins(cfg) {
+  return uniq([...expectedHosts(cfg).map((h) => `https://${h}`), ...LOOPBACK]);
+}
+function expectedRedirectUris(cfg) {
+  const { callbackPath } = cfg;
+  return uniq([
+    ...expectedHosts(cfg).map((h) => `https://${h}${callbackPath}`),
+    ...LOOPBACK.map((l) => `${l}${callbackPath}`)
+  ]);
+}
+function oauthSsmKeys() {
+  return SSM_ENVS.flatMap((env) => SSM_NAMES.map((name) => `${env}/${name}`));
+}
+function parseOauthConfig(mmiConfig, slug) {
+  const raw = mmiConfig?.oauth ?? {};
+  const subdomains = Array.isArray(raw.subdomains) && raw.subdomains.length > 0 ? raw.subdomains.map(String) : [defaultSubdomain(slug)];
+  const domains = Array.isArray(raw.domains) && raw.domains.length > 0 ? raw.domains.map(String) : [...DEFAULT_DOMAINS];
+  const callbackPath = typeof raw.callbackPath === "string" && raw.callbackPath ? raw.callbackPath : DEFAULT_CALLBACK_PATH;
+  if (!callbackPath.startsWith("/")) {
+    throw new Error(`oauth.callbackPath must start with "/" (got ${JSON.stringify(callbackPath)})`);
+  }
+  return { subdomains, domains, callbackPath };
+}
+function probeRedirectUri(callbackPath, port = 9123) {
+  return `http://localhost:${port}${callbackPath}`;
+}
+function buildAuthorizeProbeUrl(clientId, redirectUri) {
+  const qs = new URLSearchParams({
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    response_type: "code",
+    scope: "openid email",
+    access_type: "offline",
+    prompt: "consent"
+  });
+  return `https://accounts.google.com/o/oauth2/v2/auth?${qs.toString()}`;
+}
+function authorizeBodyHasMismatch(body) {
+  return /redirect_uri_mismatch/i.test(body);
 }
 
 // src/index.ts
-var execFileP3 = (0, import_node_util3.promisify)(import_node_child_process4.execFile);
+var rawExecFileP2 = (0, import_node_util3.promisify)(import_node_child_process4.execFile);
+var execFileP3 = (file, args, options = {}) => (
+  // encoding 'utf8' guarantees string stdout/stderr at runtime; the cast pins the type because
+  // promisify(execFile)'s overloads widen to string|Buffer when options is spread in.
+  rawExecFileP2(file, args, { encoding: "utf8", windowsHide: true, ...options })
+);
 var GIT_TIMEOUT_MS = 1e4;
 var GC_GH_TIMEOUT_MS = 2e4;
 async function githubToken() {
@@ -4413,19 +5883,60 @@ async function githubLogin() {
     return void 0;
   }
 }
+async function awsCallerArn() {
+  try {
+    const { stdout } = await execFileP3(
+      "aws",
+      ["sts", "get-caller-identity", "--query", "Arn", "--output", "text"],
+      { timeout: GIT_TIMEOUT_MS }
+    );
+    return stdout.trim() || void 0;
+  } catch {
+    return void 0;
+  }
+}
 async function sagaHeaders(extra = {}) {
   const t = await githubToken();
   return t ? { ...extra, Authorization: `Bearer ${t}` } : extra;
 }
 async function loadConfig() {
+  let file = {};
   try {
-    return JSON.parse(await (0, import_promises.readFile)(".mmi/config.json", "utf8"));
+    file = JSON.parse(await (0, import_promises.readFile)(".mmi/config.json", "utf8"));
   } catch {
-    return {};
+    file = {};
+  }
+  if (!file.sagaApiUrl) file.sagaApiUrl = defaultHubUrl();
+  return file;
+}
+var discoveredConfig = null;
+async function loadConfigOrDiscover() {
+  if (discoveredConfig) return discoveredConfig;
+  const floor = await loadConfig();
+  if (floor.projectId && floor.statusFieldId && floor.statusOptions) {
+    discoveredConfig = floor;
+    return floor;
   }
+  if (!floor.sagaApiUrl) return floor;
+  const meta = await fetchProjectBySlug(await repoSlug(), { baseUrl: floor.sagaApiUrl, token: githubToken });
+  if (!meta) return floor;
+  discoveredConfig = {
+    projectOwner: meta.projectOwner,
+    projectNumber: meta.projectNumber,
+    projectId: meta.projectId,
+    statusFieldId: meta.statusFieldId,
+    statusOptions: meta.statusOptions,
+    priorityFieldId: meta.priorityFieldId,
+    priorityOptions: meta.priorityOptions,
+    ...floor
+  };
+  return discoveredConfig;
+}
+async function repoSlug() {
+  const remote = await gitOut(["remote", "get-url", "origin"]);
+  return (remote.replace(/\.git$/, "").split("/").pop() || "-").toLowerCase();
 }
 var DEFAULT_RULES_SOURCE = "https://raw.githubusercontent.com/mutmutco/MMI-Hub/development";
-var DEFAULT_KB_SOURCE = "https://raw.githubusercontent.com/mutmutco/MM-KB/main";
 var SESSION_FILE = ".mmi/.session";
 var gitOut = async (args) => {
   try {
@@ -4439,7 +5950,7 @@ function sessionDeps() {
     env: process.env,
     readPersisted: () => {
       try {
-        return (0, import_node_fs3.readFileSync)(SESSION_FILE, "utf8");
+        return (0, import_node_fs4.readFileSync)(SESSION_FILE, "utf8");
       } catch {
         return null;
       }
@@ -4452,8 +5963,8 @@ function sessionDeps() {
 var resolveSessionId = () => resolveSession(sessionDeps());
 function persistSession(id) {
   try {
-    (0, import_node_fs3.mkdirSync)(".mmi", { recursive: true });
-    (0, import_node_fs3.writeFileSync)(SESSION_FILE, id, "utf8");
+    (0, import_node_fs4.mkdirSync)(".mmi", { recursive: true });
+    (0, import_node_fs4.writeFileSync)(SESSION_FILE, id, "utf8");
   } catch {
   }
 }
@@ -4473,7 +5984,11 @@ async function postCapture(capture, quiet = false) {
       method: "POST",
       headers: await sagaHeaders({ "content-type": "application/json" }),
       body: JSON.stringify({ ...capture, ...await sagaKey(cfg) }),
-      signal: AbortSignal.timeout(8e3)
+      // Capture latency is high + variable (server-side HEAD render); 8s dropped larger notes. Match the
+      // head-write timeout (20s) so a continuity note isn't lost to a slow/cold backend. No client retry:
+      // the capture isn't guaranteed idempotent, so a retry after a server-side-completed write could
+      // duplicate the note. Backend capture-latency root cause tracked in #255.
+      signal: AbortSignal.timeout(2e4)
     });
     if (!quiet) console.log(res.ok ? "noted" : `saga: HTTP ${res.status}`);
   } catch (e) {
@@ -4537,14 +6052,35 @@ async function applyGcPlan(plan2, remote) {
     await execFileP3("git", ["worktree", "prune"], { timeout: GIT_TIMEOUT_MS });
   }
 }
+async function cleanupLocalBranch(branch) {
+  const result = { branchDeleted: false };
+  if (!branch) return result;
+  const { stdout } = await execFileP3("git", ["worktree", "list", "--porcelain"], { timeout: GIT_TIMEOUT_MS });
+  const wt = parseWorktreePorcelain(stdout).find((w) => w.branch === branch);
+  if (wt) {
+    await execFileP3("git", ["worktree", "remove", "--force", wt.path], { timeout: GIT_TIMEOUT_MS }).catch(() => {
+    });
+    result.worktreeRemoved = wt.path;
+  }
+  const current = await gitOut(["rev-parse", "--abbrev-ref", "HEAD"]) || "";
+  if (branch !== current) {
+    await execFileP3("git", ["branch", "-D", branch], { timeout: GIT_TIMEOUT_MS }).then(() => {
+      result.branchDeleted = true;
+    }).catch(() => {
+    });
+  }
+  if (wt) await execFileP3("git", ["worktree", "prune"], { timeout: GIT_TIMEOUT_MS }).catch(() => {
+  });
+  return result;
+}
 function resolveVersion() {
   try {
     const manifest = (0, import_node_path4.join)(__dirname, "..", "..", ".claude-plugin", "plugin.json");
-    return JSON.parse((0, import_node_fs3.readFileSync)(manifest, "utf8")).version || "0.0.0";
+    return JSON.parse((0, import_node_fs4.readFileSync)(manifest, "utf8")).version || "0.0.0";
   } catch {
     try {
       const pkg = (0, import_node_path4.join)(__dirname, "..", "package.json");
-      return JSON.parse((0, import_node_fs3.readFileSync)(pkg, "utf8")).version || "0.0.0";
+      return JSON.parse((0, import_node_fs4.readFileSync)(pkg, "utf8")).version || "0.0.0";
     } catch {
       return "0.0.0";
     }
@@ -4552,22 +6088,44 @@ function resolveVersion() {
 }
 function readRepoVersion() {
   try {
-    return JSON.parse((0, import_node_fs3.readFileSync)((0, import_node_path4.join)(process.cwd(), ".claude-plugin", "plugin.json"), "utf8")).version || void 0;
+    return JSON.parse((0, import_node_fs4.readFileSync)((0, import_node_path4.join)(process.cwd(), ".claude-plugin", "plugin.json"), "utf8")).version || void 0;
   } catch {
     return void 0;
   }
 }
 async function fetchReleasedVersion() {
   try {
-    const res = await fetch("https://raw.githubusercontent.com/mutmutco/MMI-Hub/main/.claude-plugin/plugin.json", {
-      signal: AbortSignal.timeout(5e3)
-    });
-    if (!res.ok) return void 0;
-    return (await res.json()).version;
+    const { stdout } = await execFileP3("gh", pluginManifestVersionArgs(), { timeout: 5e3 });
+    return parseManifestVersion(stdout);
   } catch {
     return void 0;
   }
 }
+var NPM_UPDATE_TIMEOUT_MS = 12e4;
+var PLUGIN_PULL_TIMEOUT_MS = 3e4;
+async function applyVersionAutoUpdate(report, log) {
+  const action = versionAutoUpdateAction(report, Boolean(process.env.CLAUDE_PLUGIN_ROOT));
+  if (action === "none") return report;
+  const target = report.releasedVersion ?? "latest";
+  if (action === "plugin-pull") {
+    try {
+      const root = (await execFileP3("git", ["-C", process.env.CLAUDE_PLUGIN_ROOT, "rev-parse", "--show-toplevel"], { timeout: PLUGIN_PULL_TIMEOUT_MS })).stdout.trim();
+      log(`  \u21BB refreshing MMI plugin ${report.currentVersion} \u2192 ${target} (effective next session)\u2026`);
+      await execFileP3("git", ["-C", root, "pull", "--ff-only"], { timeout: PLUGIN_PULL_TIMEOUT_MS });
+      return { ...report, ok: true };
+    } catch {
+      return report;
+    }
+  }
+  try {
+    const npm = process.platform === "win32" ? "npm.cmd" : "npm";
+    log(`  \u21BB updating mmi-cli ${report.currentVersion} \u2192 ${target}\u2026`);
+    await execFileP3(npm, ["install", "-g", "@mutmutco/cli@latest"], { timeout: NPM_UPDATE_TIMEOUT_MS });
+    return { ...report, ok: true };
+  } catch {
+    return report;
+  }
+}
 var program2 = new Command();
 program2.name("mmi-cli").description("MMI Future CLI \u2014 org rules delivery, saga, KB. The engine the plugin SessionStart hook drives.").version(resolveVersion());
 var rules = program2.command("rules").description("org rules delivery");
@@ -4577,7 +6135,7 @@ rules.command("sync").option("--quiet", "stay silent unless something changed or
     if (!opts.quiet) console.log('mmi-cli rules: source repo (orgRulesSource: "self") \u2014 skipping self-sync');
     return;
   }
-  const base = (cfg.orgRulesSource ?? DEFAULT_RULES_SOURCE).replace(/\/$/, "");
+  const base = resolveRulesBase(cfg.orgRulesSource, DEFAULT_RULES_SOURCE);
   const token = await githubToken();
   let changed = 0;
   for (const file of ["AGENTS.md", "CLAUDE.md", ".claude/settings.json"]) {
@@ -4591,10 +6149,10 @@ rules.command("sync").option("--quiet", "stay silent unless something changed or
       if (!opts.quiet) console.error(`mmi-cli rules: could not fetch ${file} (${e.message}); left it untouched`);
       continue;
     }
-    const current = (0, import_node_fs3.existsSync)(file) ? await (0, import_promises.readFile)(file, "utf8") : null;
+    const current = (0, import_node_fs4.existsSync)(file) ? await (0, import_promises.readFile)(file, "utf8") : null;
     if (needsUpdate(source, current)) {
       const slash = file.lastIndexOf("/");
-      if (slash > 0) (0, import_node_fs3.mkdirSync)(file.slice(0, slash), { recursive: true });
+      if (slash > 0) (0, import_node_fs4.mkdirSync)(file.slice(0, slash), { recursive: true });
       await (0, import_promises.writeFile)(file, normalizeEol(source), "utf8");
       changed++;
       if (!opts.quiet) console.log(`mmi-cli rules: updated ${file}`);
@@ -4602,6 +6160,29 @@ rules.command("sync").option("--quiet", "stay silent unless something changed or
   }
   if (!opts.quiet && changed === 0) console.log("mmi-cli rules: up to date");
 });
+var docs = program2.command("docs").description("repo-owned authoritative docs");
+docs.command("sync").option("--quiet", "stay silent unless something changed or errored").description("refresh README.md / architecture.md from the repo default branch (keeper-authored); never clobbers uncommitted edits").action(async (opts) => {
+  const ref = await gitOut(["symbolic-ref", "--quiet", "--short", "refs/remotes/origin/HEAD"]);
+  const def = (ref.startsWith("origin/") ? ref.slice("origin/".length) : ref) || "development";
+  await gitOut(["fetch", "origin", def, "--quiet"]);
+  const result = await syncDocs({
+    isDirty: async (f) => await gitOut(["status", "--porcelain", "--", f]) !== "",
+    originContent: async (f) => {
+      try {
+        return (await execFileP3("git", ["show", `origin/${def}:${f}`], { maxBuffer: 10 * 1024 * 1024 })).stdout;
+      } catch {
+        return null;
+      }
+    },
+    localContent: async (f) => (0, import_node_fs4.existsSync)(f) ? await (0, import_promises.readFile)(f, "utf8") : null,
+    writeDoc: async (f, c) => {
+      await (0, import_promises.writeFile)(f, c, "utf8");
+    }
+  });
+  for (const f of result.updated) console.log(`mmi-cli docs: updated ${f} (from origin/${def})`);
+  if (!opts.quiet && result.skippedDirty.length) console.log(`mmi-cli docs: kept local edits in ${result.skippedDirty.join(", ")}`);
+  if (!opts.quiet && result.updated.length === 0 && result.skippedDirty.length === 0) console.log("mmi-cli docs: up to date");
+});
 var saga = program2.command("saga").description("per-session continuity");
 async function runNote(summary, o) {
   const [sha, key] = await Promise.all([gitOut(["rev-parse", "--short", "HEAD"]), sagaKey(await loadConfig())]);
@@ -4620,7 +6201,10 @@ saga.command("show").option("--quiet", "no-op silently when unconfigured/unreach
     const key = await sagaKey(cfg);
     const qs = opts.latestAnywhere ? "scope=anywhere" : new URLSearchParams({ project: key.project, branch: key.branch }).toString();
     const res = await fetch(`${cfg.sagaApiUrl}/saga/head?${qs}`, { headers: await sagaHeaders(), signal: AbortSignal.timeout(8e3) });
-    if (res.ok) return console.log(await res.text());
+    if (res.ok) {
+      console.log(resumeCue());
+      return console.log(await res.text());
+    }
     if (!opts.quiet) console.log(`saga show failed: HTTP ${res.status}`);
   } catch (e) {
     if (!opts.quiet) console.error(`saga show: ${e.message}`);
@@ -4719,11 +6303,28 @@ program2.command("gc").description("dry-run cleanup for merged/closed PR branche
     fail(`gc: ${e.message}`);
   }
 });
-program2.command("kb").description("org knowledgebase (read-only)").command("get <path>").description("print a KB document by path").action(async (path) => {
-  const cfg = await loadConfig();
-  const base = (cfg.kbSource ?? DEFAULT_KB_SOURCE).replace(/\/$/, "");
-  const res = await fetch(`${base}/${path.replace(/^\//, "")}`);
-  console.log(res.ok ? await res.text() : `kb get failed: HTTP ${res.status}`);
+var kb = program2.command("kb").description("org knowledgebase (read-only)");
+kb.command("get <path>").description("print a KB document by path").action(async (path) => {
+  const src = resolveKbSource((await loadConfig()).kbSource);
+  try {
+    const { stdout } = await execFileP3("gh", buildKbGetArgs(src, path), { timeout: 1e4 });
+    process.stdout.write(stdout);
+  } catch (e) {
+    const err = e;
+    fail(`kb get failed: ${(err.stderr || err.message || String(e)).trim()}`);
+  }
+});
+kb.command("list [prefix]").description("list KB document paths (optionally under a prefix)").action(async (prefix) => {
+  const src = resolveKbSource((await loadConfig()).kbSource);
+  try {
+    const { stdout } = await execFileP3("gh", buildKbTreeArgs(src), { timeout: 1e4 });
+    const paths = parseKbTree(stdout, prefix);
+    if (!paths.length) return fail(`kb list: no documents${prefix ? ` under ${prefix}` : ""}`);
+    console.log(paths.join("\n"));
+  } catch (e) {
+    const err = e;
+    fail(`kb list failed: ${(err.stderr || err.message || String(e)).trim()}`);
+  }
 });
 async function ghCreate(args) {
   try {
@@ -4734,7 +6335,7 @@ async function ghCreate(args) {
     fail(`gh ${args[0]} create failed: ${(err.stderr || err.message || String(e)).trim()}`);
   }
 }
-async function ghJson2(args, timeout = 1e4) {
+async function ghJson3(args, timeout = 1e4) {
   const { stdout } = await execFileP3("gh", args, { timeout });
   return JSON.parse(stdout);
 }
@@ -4747,6 +6348,47 @@ async function resolveRepo(repo) {
     return void 0;
   }
 }
+async function attachToProject(issueNumber, repo, priority) {
+  const cfg = await loadConfigOrDiscover();
+  if (!cfg.projectId) return void 0;
+  if (repo) {
+    const skip = boardAttachSkipReason(await resolveRepo(), repo);
+    if (skip) {
+      process.stderr.write(`warning: issue #${issueNumber} NOT added to this board \u2014 ${skip}
+`);
+      return void 0;
+    }
+  }
+  try {
+    const viewArgs = ["issue", "view", String(issueNumber), "--json", "id", "--jq", ".id"];
+    if (repo) viewArgs.push("--repo", repo);
+    const { stdout: idOut } = await execFileP3("gh", viewArgs, { timeout: 1e4 });
+    const contentId = idOut.trim();
+    if (!contentId) throw new Error("could not resolve issue node id");
+    const { stdout } = await execFileP3("gh", buildAddToProjectArgs(cfg.projectId, contentId), { timeout: 1e4 });
+    const projectItemId = parseAddedItemId(stdout);
+    if (projectItemId && priority) {
+      try {
+        await setBoardItemPriority(
+          async (args) => execFileP3("gh", args, { timeout: 1e4 }),
+          cfg,
+          projectItemId,
+          priority
+        );
+      } catch (e) {
+        const err = e;
+        process.stderr.write(`warning: issue #${issueNumber} board Priority not set: ${(err.stderr || err.message || String(e)).trim()}
+`);
+      }
+    }
+    return projectItemId;
+  } catch (e) {
+    const err = e;
+    process.stderr.write(`warning: issue #${issueNumber} created but NOT added to the project board: ${(err.stderr || err.message || String(e)).trim()}
+`);
+    return void 0;
+  }
+}
 function scheduleRelatedDiscovery(o) {
   try {
     const args = ["issue", "discover-related", "--number", String(o.number), "--title", o.title, "--body", o.body];
@@ -4761,7 +6403,7 @@ function scheduleRelatedDiscovery(o) {
   }
 }
 function makePlanDeps(cfg) {
-  const ensureDir = () => (0, import_node_fs3.mkdirSync)(PLANS_DIR, { recursive: true });
+  const ensureDir = () => (0, import_node_fs4.mkdirSync)(PLANS_DIR, { recursive: true });
   return {
     apiUrl: cfg.sagaApiUrl,
     fetch: (url, init) => fetch(url, init),
@@ -4769,31 +6411,31 @@ function makePlanDeps(cfg) {
     project: async () => (await sagaKey(cfg)).project,
     readLocal: (slug) => {
       try {
-        return (0, import_node_fs3.readFileSync)(planPath(slug), "utf8");
+        return (0, import_node_fs4.readFileSync)(planPath(slug), "utf8");
       } catch {
         return null;
       }
     },
     writeLocal: (slug, content) => {
       ensureDir();
-      (0, import_node_fs3.writeFileSync)(planPath(slug), content, "utf8");
+      (0, import_node_fs4.writeFileSync)(planPath(slug), content, "utf8");
     },
     removeLocal: (slug) => {
       try {
-        (0, import_node_fs3.rmSync)(planPath(slug));
+        (0, import_node_fs4.rmSync)(planPath(slug));
       } catch {
       }
     },
     readMetaRaw: () => {
       try {
-        return (0, import_node_fs3.readFileSync)(META_FILE, "utf8");
+        return (0, import_node_fs4.readFileSync)(META_FILE, "utf8");
       } catch {
         return null;
       }
     },
     writeMetaRaw: (raw) => {
       ensureDir();
-      (0, import_node_fs3.writeFileSync)(META_FILE, raw, "utf8");
+      (0, import_node_fs4.writeFileSync)(META_FILE, raw, "utf8");
     },
     log: (m) => console.log(m),
     err: (m) => console.error(m),
@@ -4820,28 +6462,221 @@ async function withPlan(quiet, run) {
   }
   await run(makePlanDeps(cfg));
 }
-var plan = program2.command("plan").description("your cross-device plans/SSOTs (S3-backed, git-clean)");
-plan.command("push <slug>").description("push a local plan (plans/<slug>.md) to the server").option("--project <name>", "override the project key").option("--force", "overwrite the remote even if it changed since your last sync").action((slug, o) => withPlan(false, (d) => planPush(d, slug, o)));
-plan.command("pull <slug>").description("pull a plan from the server into plans/<slug>.md").option("--project <name>", "override the project key").option("--force", "overwrite local even if it has unpushed edits").action((slug, o) => withPlan(false, (d) => planPull(d, slug, o)));
-plan.command("list").description("list your plans (cross-device)").option("--project <name>", "filter by project").option("--json", "machine-readable output").option("--quiet", "silent when unconfigured/empty/unreachable (SessionStart hook)").action((o) => withPlan(o.quiet ?? false, (d) => planList(d, o)));
-plan.command("open <slug>").description("pull if needed, then open plans/<slug>.md in $EDITOR").option("--project <name>", "override the project key").action(
-  (slug, o) => withPlan(false, async (d) => {
-    await planPull(d, slug, { project: o.project });
-    openInEditor(planPath(slug));
-  })
-);
-plan.command("delete <slug>").description("delete a plan from the server and the local copy").option("--project <name>", "override the project key").action((slug, o) => withPlan(false, (d) => planDelete(d, slug, o)));
+function registerNorthStarCommands(cmd) {
+  cmd.command("push <slug>").description("push a local North Star plan (plans/<slug>.md) to the server").option("--project <name>", "override the project key").option("--force", "overwrite the remote even if it changed since your last sync").action((slug, o) => withPlan(false, async (d) => {
+    await planPush(d, slug, o);
+  }));
+  cmd.command("pull <slug>").description("pull a North Star plan from the server into plans/<slug>.md").option("--project <name>", "override the project key").option("--force", "overwrite local even if it has unpushed edits").action((slug, o) => withPlan(false, (d) => planPull(d, slug, o)));
+  cmd.command("list").description("list your North Star plans (cross-device)").option("--project <name>", "filter by project").option("--json", "machine-readable output").option("--quiet", "silent when unconfigured/empty/unreachable (SessionStart hook)").action((o) => withPlan(o.quiet ?? false, (d) => planList(d, o)));
+  cmd.command("open <slug>").description("pull if needed, then open plans/<slug>.md in $EDITOR").option("--project <name>", "override the project key").action(
+    (slug, o) => withPlan(false, async (d) => {
+      await planPull(d, slug, { project: o.project });
+      openInEditor(planPath(slug));
+    })
+  );
+  cmd.command("delete <slug>").description("delete a North Star plan from the server and the local copy").option("--project <name>", "override the project key").action((slug, o) => withPlan(false, (d) => planDelete(d, slug, o)));
+  cmd.command("graduate <slug>").description("mark a built-and-merged North Star plan as org-visible and push it").requiredOption("--merged-pr <url|number>", "merged PR URL or number proving the plan shipped").option("--org-visible", "confirm this plan is safe to queue for org KB curation").option("--project <name>", "override the project key").option("--force", "overwrite the remote even if it changed since your last sync").action(
+    (slug, o) => withPlan(false, (d) => planGraduate(d, slug, o))
+  );
+}
+var northstar = program2.command("northstar").description("North Star \u2014 your cross-device plans/SSOTs (S3-backed, git-clean)");
+registerNorthStarCommands(northstar);
+var plan = program2.command("plan").description("Alias for `northstar` (kept for compatibility)");
+registerNorthStarCommands(plan);
+async function readSecretStdin() {
+  if (process.stdin.isTTY) {
+    process.stderr.write(
+      'secrets set: pipe the value on stdin (it is never an argument) \u2014 e.g.\n  printf %s "$VALUE" | mmi-cli secrets set <KEY>\n'
+    );
+    return "";
+  }
+  const chunks = [];
+  for await (const chunk of process.stdin) chunks.push(chunk);
+  return Buffer.concat(chunks).toString("utf8").replace(/\r?\n$/, "");
+}
+function makeSecretsDeps(cfg) {
+  return {
+    apiUrl: cfg.sagaApiUrl,
+    fetch: (url, init) => fetch(url, init),
+    headers: (extra) => sagaHeaders(extra),
+    slug: async () => (await sagaKey(cfg)).project,
+    readSecretValue: () => readSecretStdin(),
+    log: (m) => console.log(m),
+    err: (m) => console.error(m)
+  };
+}
+async function withSecrets(run) {
+  const cfg = await loadConfig();
+  if (!cfg.sagaApiUrl) {
+    fail("secrets: sagaApiUrl not configured in .mmi/config.json (this repo is not bootstrapped)");
+    return;
+  }
+  await run(makeSecretsDeps(cfg));
+}
+var secrets = program2.command("secrets").description("two-tier project secrets \u2014 self-serve your repo dev/* tier; org tier is master-gated");
+secrets.command("where").description("print where this repo\u2019s secrets live \u2014 the two-tier vault layout + well-known keys (no values)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action((o) => withSecrets((d) => secretsWhere(d, o)));
+secrets.command("list").description("list secret NAMES + tier for this repo (never values)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action((o) => withSecrets((d) => secretsList(d, o)));
+secrets.command("get <key>").description("print one secret value over TLS (prints once, raw \u2014 do not log/paste it)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action((key, o) => withSecrets((d) => secretsGet(d, key, o)));
+secrets.command("set <key>").description("write/rotate a secret; value is read from stdin (never an argument)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action((key, o) => withSecrets((d) => secretsSet(d, key, o)));
+secrets.command("edit <key>").description("alias for set \u2014 replace a secret value (read from stdin)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action((key, o) => withSecrets((d) => secretsEdit(d, key, o)));
+secrets.command("rm <key>").description("remove a secret (project tier self-serve; org tier needs a grant)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action((key, o) => withSecrets((d) => secretsRemove(d, key, o)));
+secrets.command("use <key>").description("print guidance on consuming a secret without committing it (no value)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action((key, o) => withSecrets((d) => secretsUse(d, key, o)));
+secrets.command("grant <repo> <login> <key>").description("MASTER-ONLY: grant a project-admin standing access to a specific org-tier secret").action((repo, login, key) => withSecrets((d) => secretsGrant(d, repo, login, key, {})));
+secrets.command("revoke <repo> <login> <key>").description("MASTER-ONLY: withdraw a previously granted org-tier secret access").action((repo, login, key) => withSecrets((d) => secretsRevoke(d, repo, login, key, {})));
+function registryClientDeps(cfg) {
+  return { baseUrl: cfg.sagaApiUrl, token: githubToken };
+}
+function slugOf(repoOrSlug) {
+  return (repoOrSlug.includes("/") ? repoOrSlug.split("/").pop() : repoOrSlug).toLowerCase();
+}
+function reportWrite(label, res) {
+  if (res.ok) {
+    console.log(JSON.stringify(res.body));
+    return;
+  }
+  if (res.error) return fail(`${label}: ${res.error}`);
+  const detail = res.body?.error ?? "";
+  fail(`${label}: HTTP ${res.status}${detail ? ` \u2014 ${detail}` : ""}`);
+}
+var project = program2.command("project").description("the DDB org registry \u2014 list/get projects (any member); set is master-only");
+project.command("list").description("list all projects (identity + board, never deploy coords)").option("--json", "machine-readable output").action(async (o) => {
+  const cfg = await loadConfig();
+  const projects = await fetchProjectsList(registryClientDeps(cfg));
+  if (!projects) return fail("project list: Hub API unreachable or this repo is not bootstrapped");
+  if (o.json) {
+    console.log(JSON.stringify(projects));
+    return;
+  }
+  for (const p of projects) {
+    console.log(`${p.slug ?? "?"} - ${p.name ?? ""}${p.division ? ` [${p.division}]` : ""}${p.class ? ` (${p.class})` : ""}`);
+  }
+});
+project.command("get <owner/repo>").description("a project's META (board ids + pointers) by repo or slug \u2014 identity, NOT deploy coords").option("--json", "machine-readable output").action(async (repoOrSlug, o) => {
+  const cfg = await loadConfig();
+  const meta = await fetchProjectBySlug(slugOf(repoOrSlug), registryClientDeps(cfg));
+  if (!meta) return fail(`project get: no registry META for ${repoOrSlug} (unknown, unbootstrapped, or Hub unreachable)`);
+  console.log(JSON.stringify(meta));
+});
+project.command("resolve <owner/repo>").description("deploy coords for a stage \u2014 for diagnosis. NOTE: /deploy-coords is OIDC-gated (a deploy job\u2019s id-token), so a gh-token CLI cannot read it from a dev machine").option("--stage <main|rc>", "deploy stage", "main").option("--json", "machine-readable output").action((_repoOrRepo, o) => {
+  const msg = "project resolve: deploy coords are served only to a deploy workflow (GitHub OIDC id-token, repo-scoped). A gh-token CLI on a dev machine cannot read /deploy-coords; inspect the DEPLOY# item via the AWS console / a master DDB read instead.";
+  if (o.json) {
+    console.log(JSON.stringify({ ok: false, stage: o.stage, error: msg }));
+    process.exitCode = 1;
+    return;
+  }
+  fail(msg);
+});
+project.command("set <owner/repo>").description("MASTER-ONLY: upsert a project META (idempotent merge; no clobber of unspecified fields)").option("--class <class>", "deployable | content").option("--var <KEY=VALUE...>", "META field to set (repeatable): name, division, projectId, branch, wikiRepo, vaultPath, kbPointer").option("--json", "machine-readable output").action(async (repoOrSlug, o) => {
+  const cfg = await loadConfig();
+  const slug = slugOf(repoOrSlug);
+  const patch = {};
+  if (o.class) {
+    if (o.class !== "deployable" && o.class !== "content") return fail("project set: --class must be deployable or content");
+    patch.class = o.class;
+  }
+  for (let i = 0; i < process.argv.length - 1; i++) {
+    if (process.argv[i] === "--var") {
+      const eq = process.argv[i + 1].indexOf("=");
+      if (eq > 0) patch[process.argv[i + 1].slice(0, eq)] = process.argv[i + 1].slice(eq + 1);
+    }
+  }
+  if (Object.keys(patch).length === 0) return fail("project set: nothing to set \u2014 pass --class and/or --var KEY=VALUE");
+  const res = await upsertProject(slug, patch, registryClientDeps(cfg));
+  reportWrite("project set", res);
+});
+var registry = program2.command("registry").description("the DDB org registry \u2014 org-level constants");
+registry.command("org").description("the org config (account id, region, orgProjectId, sagaApiUrl)").option("--json", "machine-readable output").action(async (_o) => {
+  const cfg = await loadConfig();
+  const org = await fetchOrgConfig(registryClientDeps(cfg));
+  if (!org) return fail("registry org: Hub API unreachable, unseeded, or this repo is not bootstrapped");
+  console.log(JSON.stringify(org));
+});
+var oauth = program2.command("oauth").description("per-repo Google OAuth \u2014 plan the canonical URI set, verify the client is port-agnostic");
+oauth.command("plan", { isDefault: true }).description("print the canonical JS origins + redirect URIs + SSM cred param names for this repo").option("--repo <owner/repo>", "slug source (defaults to the current repo)").option("--json", "machine-readable output").action(async (o) => {
+  const cfg = await loadConfig();
+  const slug = (o.repo ? o.repo.split("/").pop() : cfg.project ?? await repoSlug()).toLowerCase();
+  const meta = await fetchProjectBySlug(slug, registryClientDeps(cfg));
+  let oc;
+  try {
+    oc = parseOauthConfig(meta ?? {}, slug);
+  } catch (e) {
+    return fail(`oauth plan: ${e.message}`);
+  }
+  const origins = expectedJsOrigins(oc);
+  const redirects = expectedRedirectUris(oc);
+  const ssm = oauthSsmKeys();
+  if (o.json) {
+    console.log(JSON.stringify({ slug, oauth: oc, jsOrigins: origins, redirectUris: redirects, ssmKeys: ssm }, null, 2));
+    return;
+  }
+  console.log(`OAuth plan for ${slug} (callback ${oc.callbackPath}):
+`);
+  console.log("Authorized JavaScript origins:");
+  origins.forEach((u) => console.log(`  ${u}`));
+  console.log("\nAuthorized redirect URIs:");
+  redirects.forEach((u) => console.log(`  ${u}`));
+  console.log(`
+SSM cred params (under /mmi-future/${slug}/):`);
+  ssm.forEach((k) => console.log(`  ${k}`));
+  console.log("\nProvision/repair the Console client per docs/Guides/oauth-provision.md; creds via `mmi-cli secrets set`.");
+});
+oauth.command("verify").description("probe Google authorize with an arbitrary port (:9123) to confirm the client is port-agnostic").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--client-id <id>", "OAuth client_id (else read dev/GOOGLE_CLIENT_ID from SSM)").option("--json", "machine-readable output").action(async (o) => {
+  const cfg = await loadConfig();
+  const slug = (o.repo ? o.repo.split("/").pop() : cfg.project ?? await repoSlug()).toLowerCase();
+  const meta = await fetchProjectBySlug(slug, registryClientDeps(cfg));
+  let oc;
+  try {
+    oc = parseOauthConfig(meta ?? {}, slug);
+  } catch (e) {
+    return fail(`oauth verify: ${e.message}`);
+  }
+  let clientId = o.clientId;
+  if (!clientId) {
+    await withSecrets(async (d) => {
+      clientId = await fetchSecretValue(d, "dev/GOOGLE_CLIENT_ID", { repo: o.repo }) ?? void 0;
+    });
+  }
+  if (!clientId) {
+    return fail("oauth verify: no client_id (pass --client-id, or provision the repo so dev/GOOGLE_CLIENT_ID exists)");
+  }
+  const redirectUri = probeRedirectUri(oc.callbackPath);
+  let body = "";
+  try {
+    const res = await fetch(buildAuthorizeProbeUrl(clientId, redirectUri), { redirect: "follow" });
+    body = await res.text();
+  } catch (e) {
+    return fail(`oauth verify: probe request failed: ${e.message}`);
+  }
+  const mismatch = authorizeBodyHasMismatch(body);
+  if (o.json) {
+    console.log(JSON.stringify({ slug, redirectUri, portAgnostic: !mismatch }));
+  } else if (mismatch) {
+    console.error(`FAIL ${slug}: redirect_uri_mismatch for ${redirectUri} \u2014 client is not port-agnostic (run /oauth-provision)`);
+  } else {
+    console.log(`PASS ${slug}: ${redirectUri} accepted \u2014 port-agnostic OAuth is live`);
+  }
+  if (mismatch) process.exitCode = 1;
+});
 var issue = program2.command("issue").description("issues \u2014 reliable create with structured output");
-issue.command("create").description("create an issue (type \u2192 label) and print {number,url,label} JSON").requiredOption("--type <type>", "bug | feature | task (sets the matching label)").requiredOption("--title <title>", "issue title").requiredOption("--body <body>", "issue body (markdown)").requiredOption("--priority <priority>", "high | medium | low (adds a priority:<p> label)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action(async (o) => {
+issue.command("create").description("create an issue (type \u2192 label) and print {number,url,label} JSON").requiredOption("--type <type>", "bug | feature | task (sets the matching label)").requiredOption("--title <title>", "issue title").requiredOption("--body <body>", "issue body (markdown)").requiredOption("--priority <priority>", "urgent | high | medium | low (label + board Priority field when configured)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--label <label...>", "extra label(s) to attach (repeatable; auto-created if missing)").option("--no-related", "skip the auto related-issues comment").action(async (o) => {
   let args;
   try {
-    args = buildIssueArgs({ type: o.type, title: o.title, body: o.body, priority: o.priority, repo: o.repo });
+    args = buildIssueArgs({ type: o.type, title: o.title, body: o.body, priority: o.priority, repo: o.repo, labels: o.label });
   } catch (e) {
     return fail(`issue create: ${e.message}`);
   }
+  for (const label of o.label ?? []) {
+    const la = ["label", "create", label, "--color", "ededed"];
+    if (o.repo) la.push("--repo", o.repo);
+    try {
+      await execFileP3("gh", la, { timeout: 1e4 });
+    } catch {
+    }
+  }
   const created = await ghCreate(args);
-  scheduleRelatedDiscovery({ repo: o.repo, number: created.number, title: o.title, body: o.body });
-  console.log(JSON.stringify({ ...created, label: o.type, priority: o.priority }));
+  const projectItemId = await attachToProject(created.number, o.repo, o.priority);
+  if (o.related !== false) scheduleRelatedDiscovery({ repo: o.repo, number: created.number, title: o.title, body: o.body });
+  console.log(JSON.stringify({ ...created, label: o.type, priority: o.priority, projectItemId }));
 });
 issue.command("discover-related").description("find related issues for an existing issue and post only high-confidence links").requiredOption("--number <number>", "created issue number").requiredOption("--title <title>", "created issue title").requiredOption("--body <body>", "created issue body").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--json", "print candidates instead of posting").action(async (o) => {
   const number = Number(o.number);
@@ -4849,7 +6684,7 @@ issue.command("discover-related").description("find related issues for an existi
   const repo = await resolveRepo(o.repo);
   if (!repo) return fail("issue discover-related: could not resolve repo");
   try {
-    const issues = await ghJson2([
+    const issues = await ghJson3([
       "issue",
       "list",
       "--repo",
@@ -4864,7 +6699,7 @@ issue.command("discover-related").description("find related issues for an existi
     const candidates = findRelatedIssues({ number, title: o.title, body: o.body }, issues);
     if (o.json) return console.log(JSON.stringify({ number, repo, candidates }, null, 2));
     if (!candidates.length) return;
-    const viewed = await ghJson2([
+    const viewed = await ghJson3([
       "issue",
       "view",
       String(number),
@@ -4883,10 +6718,20 @@ pr.command("create").description("create a PR and print {number,url} JSON").requ
   const created = await ghCreate(buildPrArgs({ title: o.title, body: o.body, base: o.base, head: o.head, repo: o.repo }));
   console.log(JSON.stringify(created));
 });
+pr.command("merge <number>").description("merge a PR (squash by default) and clean up its branch + worktree \u2014 no leftover local branch").option("--squash", "squash merge (default)").option("--merge", "create a merge commit").option("--rebase", "rebase merge").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action(async (number, o) => {
+  const method = o.rebase ? "--rebase" : o.merge ? "--merge" : "--squash";
+  const repoArgs = o.repo ? ["--repo", o.repo] : [];
+  const headRef = (await execFileP3("gh", ["pr", "view", number, ...repoArgs, "--json", "headRefName", "--jq", ".headRefName"], { timeout: GC_GH_TIMEOUT_MS })).stdout.trim();
+  await execFileP3("gh", ["pr", "merge", number, ...repoArgs, method, "--delete-branch"], { timeout: GC_GH_TIMEOUT_MS }).catch((e) => {
+    if (!/used by worktree|cannot delete branch|already been merged/i.test(String(e.message || ""))) throw e;
+  });
+  const cleaned = repoArgs.length ? { branchDeleted: false } : await cleanupLocalBranch(headRef);
+  console.log(JSON.stringify({ merged: number, branch: headRef, method: method.slice(2), ...cleaned }));
+});
 async function runBoardRead(o) {
   try {
     const report = await readBoard({
-      config: await loadConfig(),
+      config: await loadConfigOrDiscover(),
       repo: o.repo,
       includeBundleDetails: o.bundleDetails,
       allowPartial: o.allowPartial
@@ -4896,17 +6741,69 @@ async function runBoardRead(o) {
     fail(`board read failed: ${e.message}`);
   }
 }
-var board = program2.command("board").description("read and claim Project v2 work items for the current repo");
+var board = program2.command("board").description("read, claim, show, and move Project v2 work items for the current repo");
 board.command("read", { isDefault: true }).description("read the board and print user-owned, claimable, and taken items").option("--json", "machine-readable output").option("--repo <owner/repo>", "current repo (defaults to git origin)").option("--bundle-details", "fetch body/comments only for user-owned and claimable issues").option("--allow-partial", "return partial board results when later page/detail reads fail").action((o) => runBoardRead(o));
-board.command("claim <issue>").description("assign a Todo issue to you and move its Project v2 Status to In Progress").option("--json", "machine-readable output").option("--repo <owner/repo>", "current repo for local issue numbers (defaults to git origin)").option("--allow-partial", "return success JSON if assignment succeeds but the status move fails").action(async (issueRef, o) => {
+board.command("claim <issue>").description("assign a Todo issue and move its Project v2 Status to In Progress").option("--json", "machine-readable output").option("--repo <owner/repo>", "current repo for local issue numbers (defaults to git origin)").option("--for <login>", "assign to this login instead of @me \u2014 agent claims on behalf of the master").option("--allow-partial", "return success JSON if assignment succeeds but the status move fails").action(async (issueRef, o) => {
   try {
-    const result = await claimBoardIssue({ config: await loadConfig(), selector: issueRef, repo: o.repo, allowPartial: o.allowPartial });
+    const result = await claimBoardIssue({
+      config: await loadConfigOrDiscover(),
+      selector: issueRef,
+      repo: o.repo,
+      assignee: o.for,
+      allowPartial: o.allowPartial
+    });
     if (o.json) return console.log(JSON.stringify(result));
     console.log(result.partial ? `Partially claimed ${result.item.ref}: ${result.warning}` : `Claimed ${result.item.ref} - In Progress`);
   } catch (e) {
     fail(`board claim failed: ${e.message}`);
   }
 });
+board.command("show <issue>").alias("open").description("print one board item (status, assignees, type, url) with its body and comments").option("--json", "machine-readable output").option("--repo <owner/repo>", "current repo for local issue numbers (defaults to git origin)").option("--allow-partial", "return the item even if its body/comments fetch fails").action(async (issueRef, o) => {
+  try {
+    const item = await showBoardItem({ config: await loadConfigOrDiscover(), selector: issueRef, repo: o.repo, allowPartial: o.allowPartial });
+    console.log(o.json ? JSON.stringify(item) : renderBoardItem(item));
+  } catch (e) {
+    fail(`board show failed: ${e.message}`);
+  }
+});
+board.command("move <issue> <status>").description(`move a board item's Status to one of: ${BOARD_STATUSES.join(", ")} (quote multi-word statuses)`).option("--json", "machine-readable output").option("--repo <owner/repo>", "current repo for local issue numbers (defaults to git origin)").option("--allow-partial", "return success JSON if the item resolves but the status move fails").action(async (issueRef, status, o) => {
+  if (!BOARD_STATUSES.includes(status)) {
+    return fail(`board move failed: unknown status '${status}'; expected one of ${BOARD_STATUSES.join(", ")}`);
+  }
+  try {
+    const result = await moveBoardItem({ config: await loadConfigOrDiscover(), selector: issueRef, status, repo: o.repo, allowPartial: o.allowPartial });
+    if (o.json) return console.log(JSON.stringify(result));
+    console.log(result.partial ? `Partially moved ${result.item.ref}: ${result.warning}` : `Moved ${result.item.ref} -> ${result.status}`);
+  } catch (e) {
+    fail(`board move failed: ${e.message}`);
+  }
+});
+board.command("backfill-priority").description("set board Priority from priority:* labels or issue timeline for items missing the field").option("--json", "machine-readable output").option("--repo <owner/repo>", "current repo (defaults to git origin)").option("--dry-run", "report what would be set without writing").option("--concurrency <n>", "parallel timeline reads (default 8)", "8").action(async (o) => {
+  try {
+    const result = await backfillBoardPriorities({
+      config: await loadConfigOrDiscover(),
+      repo: o.repo,
+      dryRun: o.dryRun,
+      concurrency: Number(o.concurrency) || 8
+    });
+    if (o.json) return console.log(JSON.stringify(result));
+    console.log(`backfill-priority: scanned ${result.scanned}, set ${result.set}, skipped ${result.skipped}, failed ${result.failed}`);
+    for (const line of result.details.slice(0, 30)) console.log(`  ${line}`);
+    if (result.details.length > 30) console.log(`  ... +${result.details.length - 30} more`);
+    if (result.failed) process.exitCode = 1;
+  } catch (e) {
+    fail(`board backfill-priority failed: ${e.message}`);
+  }
+});
+board.command("done <issue>").description("set a board item's Status to Done (does not close the GitHub issue; use `gh issue close`)").option("--json", "machine-readable output").option("--repo <owner/repo>", "current repo for local issue numbers (defaults to git origin)").option("--allow-partial", "return success JSON if the item resolves but the status move fails").action(async (issueRef, o) => {
+  try {
+    const result = await moveBoardItem({ config: await loadConfigOrDiscover(), selector: issueRef, status: "Done", repo: o.repo, allowPartial: o.allowPartial });
+    if (o.json) return console.log(JSON.stringify(result));
+    console.log(result.partial ? `Partially moved ${result.item.ref}: ${result.warning}` : `Moved ${result.item.ref} -> Done`);
+  } catch (e) {
+    fail(`board done failed: ${e.message}`);
+  }
+});
 function renderSteps(title, steps) {
   return [
     title,
@@ -4921,12 +6818,23 @@ function rawValue(flag, fallback) {
   return index >= 0 && process.argv[index + 1] ? process.argv[index + 1] : fallback;
 }
 function printLine(value) {
-  (0, import_node_fs3.writeSync)(1, `${value}
+  (0, import_node_fs4.writeSync)(1, `${value}
 `);
 }
 function stageKeepAlive() {
   return setTimeout(() => void 0, 5 * 60 * 1e3);
 }
+program2.command("port-range <repo>").description("assign (idempotently) + print the repo's local stage port block via the atomic ORG#config.portCursor allocator (committed-file fallback)").option("--json", "machine-readable output").action(async (repo, o) => {
+  const path = (0, import_node_path4.join)(process.cwd(), "infra", "port-ranges.json");
+  const allocate = async (seed) => {
+    const { stdout } = await execFileP3("node", [(0, import_node_path4.join)(process.cwd(), "infra", "port-ddb.mjs"), String(seed)], { timeout: 15e3 });
+    const parsed = JSON.parse(stdout);
+    if (!Array.isArray(parsed.range) || parsed.range.length !== 2) throw new Error("port-ddb: no range in output");
+    return parsed.range;
+  };
+  const { range: [start, end] } = await ensurePortRangeAtomic(repo, path, allocate);
+  printLine(o.json ? JSON.stringify({ repo, portRange: [start, end] }) : `${repo}: stage.portRange [${start}, ${end}]`);
+});
 var stage = program2.command("stage").description("plan or run the repo local stage environment").option("--json", "machine-readable output").option("--apply", "run the full local stage: stop previous, build, start, health-check").option("--timeout-ms <ms>", "bounded build/health timeout", "60000").action(async (o) => {
   const cfg = (await loadConfig()).stage;
   if (o.apply) {
@@ -5009,9 +6917,14 @@ stage.command("run").description("force-stop previous stage, build, start, and h
     fail(`stage run: ${e.message}`);
   }
 });
+program2.command("stage-live").description("explain that remote rc/live environments use /rcand, /release, and /hotfix; /stage is local only").option("--json", "machine-readable output").option("--apply", "always refused; there is no stage-live mutation path").action((o) => {
+  if (o.apply) return fail("stage-live: not an org command; use mmi-cli stage for local tests, or the gated rc/release/hotfix train for remote environments");
+  const steps = stageLivePlan();
+  console.log(o.json ? JSON.stringify({ command: "stage-live", steps }, null, 2) : renderSteps("mmi-cli stage-live: not an org command", steps));
+});
 for (const commandName of ["rc", "release", "hotfix"]) {
   program2.command(commandName).description(`plan ${commandName} train operations; mutations require explicit approval`).option("--json", "machine-readable output").option("--apply", "reserved for future train execution after explicit admin approval").action((o) => {
-    if (o.apply) return fail(`${commandName}: execution is not implemented yet; use the dry-run plan and the existing /${commandName} skill`);
+    if (o.apply) return fail(`${commandName}: execution is not implemented yet; use the dry-run plan and the existing /${commandName === "rc" ? "rcand" : commandName} skill`);
     const steps = trainPlan(commandName);
     console.log(o.json ? JSON.stringify({ command: commandName, steps }, null, 2) : renderSteps(`mmi-cli ${commandName}: dry-run plan`, steps));
   });
@@ -5026,15 +6939,184 @@ var bootstrap = program2.command("bootstrap").description("plan repo bootstrap o
 bootstrap.command("verify <repo>").description("audit whether an existing repo is bootstrapped correctly; no mutations").option("--class <class>", "deployable | content", "deployable").option("--json", "machine-readable output").action(async (repo) => {
   const o = { class: rawValue("--class", "deployable"), json: rawFlag("--json") };
   if (o.class !== "deployable" && o.class !== "content") return fail("bootstrap verify: --class must be deployable or content");
+  const cfg = await loadConfig();
+  const apiProjects = await fetchProjectsJson({ baseUrl: cfg.sagaApiUrl, token: githubToken });
   const report = await verifyBootstrap(repo, o.class, {
     gh: async (args) => execFileP3("gh", args, { timeout: 2e4 }),
-    readLocalFile: (path) => (0, import_node_fs3.existsSync)(path) ? (0, import_node_fs3.readFileSync)(path, "utf8") : null
+    readLocalFile: (path) => path === "projects.json" && apiProjects != null ? apiProjects : (0, import_node_fs4.existsSync)(path) ? (0, import_node_fs4.readFileSync)(path, "utf8") : null
   });
   console.log(o.json ? JSON.stringify(report, null, 2) : renderBootstrapVerifyReport(report));
   if (!report.ok) process.exitCode = 1;
 });
+bootstrap.command("apply <repo>").description("idempotent seed apply from skills/bootstrap/seeds/manifest.json; dry-run unless --execute (live, master-gated)").option("--class <class>", "deployable | content", "deployable").option("--execute", "LIVE apply via gh (master-gated) \u2014 stamps seed files + labels into the repo").option("--var <KEY=VALUE...>", "placeholder values for repo-owned templates (repeatable)").option("--json", "machine-readable output").action(async (repo) => {
+  const o = { class: rawValue("--class", "deployable"), execute: rawFlag("--execute"), json: rawFlag("--json") };
+  if (o.class !== "deployable" && o.class !== "content") return fail("bootstrap apply: --class must be deployable or content");
+  const manifestPath = "skills/bootstrap/seeds/manifest.json";
+  if (!(0, import_node_fs4.existsSync)(manifestPath)) return fail(`bootstrap apply: ${manifestPath} not found; run from the MMI-Hub repo root`);
+  const manifest = loadBootstrapSeeds((0, import_node_fs4.readFileSync)(manifestPath, "utf8"));
+  const baseBranch = o.class === "content" ? "main" : "development";
+  const slug = repo.split("/")[1].toLowerCase();
+  const gh = async (args) => execFileP3("gh", args, { timeout: 2e4 });
+  const readFile2 = (p) => (0, import_node_fs4.existsSync)(p) ? (0, import_node_fs4.readFileSync)(p, "utf8") : null;
+  const enc = (p) => p.split("/").map(encodeURIComponent).join("/");
+  const vars = {};
+  for (let i = 0; i < process.argv.length - 1; i++) {
+    if (process.argv[i] === "--var") {
+      const eq = process.argv[i + 1].indexOf("=");
+      if (eq > 0) vars[process.argv[i + 1].slice(0, eq)] = process.argv[i + 1].slice(eq + 1);
+    }
+  }
+  const actions = [];
+  const applied = [];
+  for (const seed of manifest.seeds) {
+    if (!seed.classes.includes(o.class)) continue;
+    const resolved = { ...seed, target: seed.target.replace("{{REPO_SLUG}}", slug) };
+    let exists = false;
+    let sha;
+    let remoteContent = null;
+    if (resolved.source !== "fanout") {
+      try {
+        const r = await gh(["api", `repos/${repo}/contents/${enc(resolved.target)}?ref=${baseBranch}`]);
+        exists = true;
+        try {
+          const parsed = JSON.parse(r.stdout);
+          sha = parsed.sha;
+          if (parsed.encoding === "base64" && typeof parsed.content === "string") {
+            remoteContent = Buffer.from(parsed.content, "base64").toString("utf8");
+          }
+        } catch {
+        }
+      } catch {
+        exists = false;
+      }
+    }
+    const action = planSeedAction(resolved, exists);
+    actions.push(action);
+    if (o.execute && (action.action === "create" || action.action === "update")) {
+      const isBlock = resolved.source === "managed-block";
+      const content = isBlock ? upsertManagedGitignoreBlock(remoteContent).content : resolveSeedContent(resolved, vars, readFile2);
+      if (content == null) {
+        applied.push(`skip ${resolved.target} (no resolvable content)`);
+        continue;
+      }
+      if (!isBlock) {
+        const missing = missingPlaceholders(content);
+        if (missing.length) {
+          applied.push(`skip ${resolved.target} (unfilled: ${missing.join(", ")} \u2014 pass --var)`);
+          continue;
+        }
+      }
+      await gh(contentPutArgs(repo, resolved.target, content, baseBranch, action.action === "update" ? sha : void 0));
+      applied.push(`${action.action} ${resolved.target}`);
+    }
+  }
+  if (o.execute) {
+    for (const l of manifest.labels) {
+      try {
+        await gh(["label", "create", l.name, "--color", l.color, "--description", l.description, "--force", "-R", repo]);
+        applied.push(`label ${l.name}`);
+      } catch {
+        applied.push(`label ${l.name} (failed)`);
+      }
+    }
+  }
+  const ddbWrites = [];
+  const registerPayload = buildRegisterPayload(repo, o.class, vars);
+  if (o.execute) {
+    const cfg = await loadConfig();
+    const res = await registerProject(registerPayload, { baseUrl: cfg.sagaApiUrl, token: githubToken });
+    if (res.ok) {
+      ddbWrites.push({ slug: registerPayload.slug, action: "register", record: registerPayload });
+      applied.push(`ddb register ${registerPayload.slug}`);
+    } else {
+      const why = res.error ?? `HTTP ${res.status}${res.body?.error ? ` \u2014 ${res.body.error}` : ""}`;
+      applied.push(`ddb register ${registerPayload.slug} (failed: ${why})`);
+    }
+  }
+  if (o.json) console.log(JSON.stringify({ repo, class: o.class, execute: o.execute, actions, applied, ddbWrites }, null, 2));
+  else {
+    console.log(renderSeedPlan(actions));
+    if (o.execute) console.log(`
+LIVE apply to ${repo}:
+  ${applied.join("\n  ")}`);
+  }
+});
+var access = program2.command("access").description("org access audit (read-only)");
+access.command("audit").description("audit collaborator roles + train-branch push allowlists vs the locked state; read-only, emits gh remediation, never applies").option("--json", "machine-readable output").option("--repo <owner/repo>", "audit a single repo instead of the whole org").option("--class <class>", "repo class for --repo (deployable | content)", "deployable").action(async () => {
+  const o = { json: rawFlag("--json"), repo: rawValue("--repo", ""), class: rawValue("--class", "deployable") };
+  const deps = { gh: async (args) => execFileP3("gh", args, { timeout: 2e4 }) };
+  let targets;
+  const cfg = await loadConfig();
+  const registryProjects = await fetchProjectsList(registryClientDeps(cfg));
+  if (o.repo) {
+    if (o.class !== "deployable" && o.class !== "content") return fail("access audit: --class must be deployable or content");
+    targets = [{ repo: o.repo, class: o.class }];
+  } else {
+    const projectsJson = registryProjects ? JSON.stringify({ projects: registryProjects }) : (0, import_node_fs4.existsSync)("projects.json") ? (0, import_node_fs4.readFileSync)("projects.json", "utf8") : null;
+    if (!projectsJson) return fail("access audit: no project registry \u2014 Hub API unreachable and projects.json not found; run from the MMI-Hub repo root or pass --repo <owner/repo>");
+    const fanoutJson = (0, import_node_fs4.existsSync)(".github/fanout-targets.json") ? (0, import_node_fs4.readFileSync)(".github/fanout-targets.json", "utf8") : null;
+    targets = loadAccessTargets(projectsJson, fanoutJson);
+  }
+  const derivedMatrix = registryProjects ? accessMatrixFromProjects(registryProjects) : {};
+  const matrix = Object.keys(derivedMatrix).length ? derivedMatrix : (0, import_node_fs4.existsSync)("access-matrix.json") ? loadAccessMatrix((0, import_node_fs4.readFileSync)("access-matrix.json", "utf8")) : {};
+  const derivedContracts = registryProjects ? dataAccessContractsFromProjects(registryProjects) : { consumers: {} };
+  const dataAccess = Object.keys(derivedContracts.consumers).length ? derivedContracts : (0, import_node_fs4.existsSync)("data-access-contracts.json") ? loadDataAccessContracts((0, import_node_fs4.readFileSync)("data-access-contracts.json", "utf8")) : void 0;
+  const report = await auditOrgAccess(targets, deps, matrix, dataAccess);
+  console.log(o.json ? JSON.stringify(report, null, 2) : renderAccessReport(report));
+  if (!report.ok) process.exitCode = 1;
+});
 var isWin = process.platform === "win32";
-program2.command("doctor").description("check onboarding gates (GitHub auth, mmi-cli on PATH, repo config, plugin git clone) and print fixes").option("--banner", "one-line resume summary; silent when all gates pass").option("--json", "machine-readable output").action(async (opts) => {
+var installedPluginsPath = () => (0, import_node_path4.join)((0, import_node_os.homedir)(), ".claude", "plugins", "installed_plugins.json");
+function readInstalledPlugins() {
+  try {
+    return JSON.parse((0, import_node_fs4.readFileSync)(installedPluginsPath(), "utf8"));
+  } catch {
+    return null;
+  }
+}
+function readClaudeSettings() {
+  try {
+    return JSON.parse((0, import_node_fs4.readFileSync)((0, import_node_path4.join)(process.cwd(), ".claude", "settings.json"), "utf8"));
+  } catch {
+    return null;
+  }
+}
+function existingMirrorRecord(file) {
+  const records = file?.plugins?.[MMI_PLUGIN_ID];
+  if (!Array.isArray(records) || records.length === 0) return void 0;
+  return records.find((r) => r.scope === "user") ?? records[0];
+}
+function writeProjectInstallRecord(record) {
+  try {
+    const file = readInstalledPlugins() ?? { version: 2, plugins: {} };
+    if (!file.plugins) file.plugins = {};
+    const list = file.plugins[MMI_PLUGIN_ID] ?? [];
+    list.push(record);
+    file.plugins[MMI_PLUGIN_ID] = list;
+    (0, import_node_fs4.writeFileSync)(installedPluginsPath(), `${JSON.stringify(file, null, 2)}
+`, "utf8");
+    return true;
+  } catch {
+    return false;
+  }
+}
+var gitignorePath = () => (0, import_node_path4.join)(process.cwd(), ".gitignore");
+function readGitignore() {
+  try {
+    return (0, import_node_fs4.readFileSync)(gitignorePath(), "utf8");
+  } catch {
+    return null;
+  }
+}
+function writeGitignore(content) {
+  try {
+    (0, import_node_fs4.writeFileSync)(gitignorePath(), content, "utf8");
+    return true;
+  } catch {
+    return false;
+  }
+}
+program2.command("doctor").description("check onboarding gates (GitHub auth, mmi-cli on PATH, repo config, plugin git clone, plugin install record, .gitignore managed block) and print fixes").option("--banner", "one-line resume summary; silent when all gates pass").option("--json", "machine-readable output").action(async (opts) => {
   const checks = [];
   const login = await githubLogin();
   let ghInstalled = true;
@@ -5054,16 +7136,19 @@ program2.command("doctor").description("check onboarding gates (GitHub auth, mmi
   }
   if (!onPath) {
     const root = process.env.CLAUDE_PLUGIN_ROOT;
-    if (root && (0, import_node_fs3.existsSync)(`${root}/bin/mmi-cli${isWin ? ".cmd" : ""}`)) onPath = true;
+    if (root && (0, import_node_fs4.existsSync)(`${root}/bin/mmi-cli${isWin ? ".cmd" : ""}`)) onPath = true;
   }
   checks.push({ ok: onPath, label: "mmi-cli on PATH", fix: "auto-provisioned at session start \u2014 reopen the session, or install the MMI plugin" });
-  checks.push(buildVersionLagReport({
+  let versionReport = buildVersionLagReport({
     currentVersion: resolveVersion(),
     repoVersion: readRepoVersion(),
     releasedVersion: await fetchReleasedVersion()
-  }));
+  });
+  if (!opts.json) versionReport = await applyVersionAutoUpdate(versionReport, (m) => console.error(m));
+  checks.push(versionReport);
   const cfg = await loadConfig();
   checks.push({ ok: Boolean(cfg.sagaApiUrl), label: "repo config (.mmi/config.json)", fix: "ask a master-admin to run /bootstrap on this repo" });
+  checks.push(buildAwsCrossAccountCheck({ callerArn: await awsCallerArn() }));
   const REWRITE_KEY = "url.https://github.com/.insteadOf";
   const CLONE_FIX = 'run: git config --global url."https://github.com/".insteadOf "git@github.com:"';
   let cloneOk = false;
@@ -5081,6 +7166,29 @@ program2.command("doctor").description("check onboarding gates (GitHub auth, mmi
     }
   }
   checks.push({ ok: cloneOk, label: "plugin git clone (SSH\u2192HTTPS rewrite)", fix: CLONE_FIX });
+  const installed = readInstalledPlugins();
+  let pluginCheck = buildPluginInstallRecordCheck({
+    isOrgRepo: Boolean(cfg.sagaApiUrl),
+    settings: readClaudeSettings(),
+    installed,
+    projectPath: process.cwd(),
+    mirrorFrom: existingMirrorRecord(installed)
+  });
+  if (!pluginCheck.ok && pluginCheck.recordToInsert && !opts.json) {
+    if (writeProjectInstallRecord(pluginCheck.recordToInsert)) {
+      pluginCheck = { ...pluginCheck, ok: true };
+      if (!opts.banner) console.error("  \u21BB repaired: registered mmi@mmi project install record \u2014 run /reload-plugins to load it this session");
+    }
+  }
+  checks.push(pluginCheck);
+  let gitignoreCheck = buildGitignoreManagedBlockCheck({ isOrgRepo: Boolean(cfg.sagaApiUrl), content: readGitignore() });
+  if (!gitignoreCheck.ok && gitignoreCheck.contentToWrite && !opts.json) {
+    if (writeGitignore(gitignoreCheck.contentToWrite)) {
+      gitignoreCheck = { ...gitignoreCheck, ok: true };
+      if (!opts.banner) console.error("  \u21BB repaired: enforced .gitignore managed block (.playwright-mcp/, .claude/worktrees/, /*.png)");
+    }
+  }
+  checks.push(gitignoreCheck);
   const gaps = checks.filter((c) => !c.ok);
   if (opts.json) {
     console.log(JSON.stringify({ ok: gaps.length === 0, checks }, null, 2));