@mutmutco/cli 0.11.0 → 2.0.0

package/dist/index.cjs

@@ -3064,6 +3064,10 @@ function rulesSourceAuthHeaders(sourceUrl, token) {
   }
   return void 0;
 }
+function resolveRulesBase(orgRulesSource, defaultBase) {
+  const isUrl = typeof orgRulesSource === "string" && /^https?:\/\//i.test(orgRulesSource);
+  return (isUrl ? orgRulesSource : defaultBase).replace(/\/$/, "");
+}
 
 // src/docs-sync.ts
 var SYNCED_DOCS = ["README.md", "architecture.md"];
@@ -3100,6 +3104,7 @@ function parseHookInput(stdin) {
 var import_node_child_process4 = require("node:child_process");
 var import_node_util3 = require("node:util");
 var import_node_path4 = require("node:path");
+var import_node_os = require("node:os");
 
 // src/saga-head-maintainer.ts
 var import_node_child_process = require("node:child_process");
@@ -3235,7 +3240,6 @@ function buildIssueArgs({ type, title, body, priority, repo, labels }) {
   const args = ["issue", "create"];
   if (repo) args.push("--repo", repo);
   args.push("--title", title, "--body", body, "--label", type);
-  args.push("--label", `priority:${priority}`);
   for (const label of labels ?? []) args.push("--label", label);
   return args;
 }
@@ -3288,6 +3292,12 @@ function resolveSession(d) {
   return { id, source: "generated" };
 }
 
+// src/hub-url.ts
+var DEFAULT_HUB_URL = "https://tqxxwzftic.execute-api.eu-central-1.amazonaws.com";
+function defaultHubUrl() {
+  return process.env.MMI_HUB_URL || DEFAULT_HUB_URL;
+}
+
 // src/saga-health.ts
 function buildHealth(i) {
   const problems = [];
@@ -3313,8 +3323,17 @@ function healthBanner(report) {
   const suffix = report.problems.length > 2 ? ` (+${report.problems.length - 2} more)` : "";
   return `saga health: CHECK - ${summary}${suffix}`;
 }
+function resumeCue() {
+  return '> STATUS/RESUME CUE \u2014 For any status, resume, or "where do I stand" report: read THIS saga HEAD first (`mmi-cli saga show`), then reconcile its NEXT / LAST 5 / DECISIONS against the live board + git/gh before reporting. Do not rebuild the picture from board/issues/memory while skipping the HEAD.';
+}
 
 // src/saga-note.ts
+var AGENT_SURFACE_TOKENS = ["claude", "codex", "cursor", "gemini"];
+function agentSurface() {
+  const surface = process.env.MMI_AGENT_SURFACE || "claude";
+  if (AGENT_SURFACE_TOKENS.includes(surface)) return surface;
+  throw new Error(`MMI_AGENT_SURFACE must be one of: ${AGENT_SURFACE_TOKENS.join(", ")}`);
+}
 function buildNoteCapture(summary, o, id, evidence) {
   const queueOp = o.queueAdd ? { op: "add", text: o.queueAdd } : o.queueDone != null ? { op: "done", index: Number(o.queueDone) } : void 0;
   const state = o.diagnostic ? "diagnostic" : o.verified ? "verified" : "asserted";
@@ -3335,7 +3354,7 @@ function buildNoteCapture(summary, o, id, evidence) {
     state,
     source,
     evidence: Object.keys(ev).length ? ev : void 0,
-    surface: process.env.MMI_AGENT_SURFACE || "claude",
+    surface: agentSurface(),
     supersedes: o.supersedes,
     anchor,
     anchorForce: o.anchorForce || void 0
@@ -3392,6 +3411,16 @@ function buildVersionLagReport(input) {
     releasedVersion: input.releasedVersion
   };
 }
+function pluginManifestVersionArgs() {
+  return ["api", "repos/mutmutco/MMI-Hub/contents/.claude-plugin/plugin.json?ref=main", "-H", "Accept: application/vnd.github.raw"];
+}
+function parseManifestVersion(stdout) {
+  try {
+    return JSON.parse(stdout).version || void 0;
+  } catch {
+    return void 0;
+  }
+}
 function versionAutoUpdateAction(report, hasPluginRoot) {
   if (report.ok || report.staleAgainst !== "released") return "none";
   return hasPluginRoot ? "plugin-pull" : "npm";
@@ -3603,7 +3632,7 @@ function parseIssueSelector(selector, defaultRepo) {
   if (local) return { repo: defaultRepo, number: Number(local[1]) };
   throw new Error(`expected an issue selector like 123, #123, owner/repo#123, or a GitHub issue URL`);
 }
-function partitionBoardItems(items, viewer, currentRepo) {
+function partitionBoardItems(items, viewer, currentRepo, writableRepos) {
   const empty = () => ({ userOwned: [], claimable: [], taken: [] });
   const groups = { primary: empty(), secondary: empty() };
   const viewerKey = viewer.toLowerCase();
@@ -3615,7 +3644,7 @@ function partitionBoardItems(items, viewer, currentRepo) {
     const assignedToViewer = assignees.includes(viewerKey);
     if (assignedToViewer) {
       groups[scope].userOwned.push(item);
-    } else if (item.status === "Todo" && item.assignees.length === 0) {
+    } else if (item.status === "Todo" && item.assignees.length === 0 && (!writableRepos || writableRepos.has(item.repository.toLowerCase()))) {
       groups[scope].claimable.push(item);
     } else if (item.assignees.length > 0) {
       groups[scope].taken.push(item);
@@ -3695,12 +3724,12 @@ async function collectBoardItems(cfg, options, deps) {
     try {
       const page = await fetchProjectPage(gh, cfg, after);
       viewer ||= page.viewer.login;
-      const project = page.organization?.projectV2;
-      if (!project) throw new Error(`project ${cfg.projectOwner}#${cfg.projectNumber} not found`);
-      projectId = project.id;
-      projectTitle ||= project.title;
-      nodes.push(...project.items.nodes ?? []);
-      after = project.items.pageInfo.hasNextPage ? project.items.pageInfo.endCursor ?? void 0 : void 0;
+      const project2 = page.organization?.projectV2;
+      if (!project2) throw new Error(`project ${cfg.projectOwner}#${cfg.projectNumber} not found`);
+      projectId = project2.id;
+      projectTitle ||= project2.title;
+      nodes.push(...project2.items.nodes ?? []);
+      after = project2.items.pageInfo.hasNextPage ? project2.items.pageInfo.endCursor ?? void 0 : void 0;
     } catch (e) {
       const message = `partial board read: ${e.message}`;
       if (!nodes.length || !options.allowPartial) throw new Error(message);
@@ -3711,11 +3740,46 @@ async function collectBoardItems(cfg, options, deps) {
   } while (after);
   return { items: nodesToItems(nodes, warnings), viewer, repo: currentRepo, projectId, projectTitle, warnings, partial };
 }
+async function repoCanPush(repo, gh) {
+  try {
+    const { stdout } = await gh(["api", `repos/${repo}`, "--jq", ".permissions.push"]);
+    const value = stdout.trim();
+    if (value === "true") return true;
+    if (value === "false") return false;
+    const parsed = JSON.parse(value);
+    return typeof parsed.permissions?.push === "boolean" ? parsed.permissions.push : void 0;
+  } catch {
+    return void 0;
+  }
+}
+async function resolveWritableReposForClaimables(items, gh, allowPartial) {
+  const candidateRepos = [...new Set(items.filter((item) => item.status === "Todo" && item.assignees.length === 0).map((item) => item.repository))];
+  const repos = /* @__PURE__ */ new Set();
+  const warnings = [];
+  let partial = false;
+  for (const repo of candidateRepos) {
+    const canPush = await repoCanPush(repo, gh);
+    if (canPush === true) {
+      repos.add(repo.toLowerCase());
+      continue;
+    }
+    if (canPush === void 0) {
+      const warning = `partial claimable access read: ${repo}: could not verify viewer write access`;
+      if (!allowPartial) throw new Error(warning);
+      warnings.push(warning);
+      partial = true;
+    }
+  }
+  return { repos, warnings, partial };
+}
 async function readBoard(options, deps = {}) {
   const cfg = resolveBoardConfig(options.config);
   const gh = deps.gh ?? defaultGh;
   const collected = await collectBoardItems(cfg, options, deps);
-  const groups = partitionBoardItems(collected.items, collected.viewer, collected.repo);
+  const writable = await resolveWritableReposForClaimables(collected.items, gh, options.allowPartial ?? false);
+  collected.warnings.push(...writable.warnings);
+  collected.partial = collected.partial || writable.partial;
+  const groups = partitionBoardItems(collected.items, collected.viewer, collected.repo, writable.repos);
   const report = {
     project: { owner: cfg.projectOwner, number: cfg.projectNumber, id: collected.projectId, title: collected.projectTitle || String(cfg.projectNumber) },
     viewer: collected.viewer,
@@ -3799,8 +3863,23 @@ async function showBoardItem(options, deps = {}) {
 async function claimBoardIssue(options, deps = {}) {
   const cfg = resolveBoardConfig(options.config);
   const gh = deps.gh ?? defaultGh;
-  const report = await readBoard({ config: cfg, repo: options.repo, allowPartial: options.allowPartial }, deps);
-  const selector = parseIssueSelector(options.selector, report.repo);
+  const collected = await collectBoardItems(cfg, { repo: options.repo, allowPartial: options.allowPartial }, deps);
+  const writable = await resolveWritableReposForClaimables(collected.items, gh, options.allowPartial ?? false);
+  collected.warnings.push(...writable.warnings);
+  collected.partial = collected.partial || writable.partial;
+  const report = {
+    project: { owner: cfg.projectOwner, number: cfg.projectNumber, id: collected.projectId, title: collected.projectTitle || String(cfg.projectNumber) },
+    viewer: collected.viewer,
+    repo: collected.repo,
+    ...partitionBoardItems(collected.items, collected.viewer, collected.repo, writable.repos),
+    warnings: collected.warnings,
+    partial: collected.partial
+  };
+  const selector = parseIssueSelector(options.selector, collected.repo);
+  const flatItem = findBoardItem(collected.items, selector);
+  if (flatItem.status === "Todo" && flatItem.assignees.length === 0 && !writable.repos.has(flatItem.repository.toLowerCase())) {
+    throw new Error(`${flatItem.ref} is not claimable: viewer does not have write access to ${flatItem.repository}`);
+  }
   const item = findClaimableItem(report, selector);
   if (item.contentType !== "Issue") throw new Error(`${item.ref} is not an issue`);
   const assignee = options.assignee ?? "@me";
@@ -4206,6 +4285,12 @@ function stagePlan(stage2 = {}) {
     { label: "check health", command: stage2.healthUrl ? `curl --fail ${stage2.healthUrl}` : "(no stage.healthUrl configured)" }
   ];
 }
+function stageLivePlan() {
+  return [
+    { label: "stage-live is not an org command; /stage is local only", command: "mmi-cli stage run --apply" },
+    { label: "remote rc/live environments move through the gated promotion train", command: "mmi-cli rc && mmi-cli release && mmi-cli hotfix", gated: true }
+  ];
+}
 function trainPlan(command) {
   if (command === "rc") {
     return [
@@ -4244,8 +4329,83 @@ function bootstrapPlan(repo, repoClass) {
   ];
 }
 
+// src/bootstrap-seeds.ts
+var PLACEHOLDER_RE = /\{\{([A-Z0-9_]+)\}\}/g;
+function loadBootstrapSeeds(manifestJson) {
+  let parsed;
+  try {
+    parsed = JSON.parse(manifestJson);
+  } catch {
+    throw new Error("bootstrap seed manifest is not valid JSON");
+  }
+  const obj = parsed ?? {};
+  const seeds = obj.seeds ?? [];
+  for (const s of seeds) {
+    if (!s || !s.target || !s.source || !Array.isArray(s.classes)) {
+      throw new Error(`invalid seed entry (needs target, source, classes): ${JSON.stringify(s)}`);
+    }
+    if (s.ownership !== "org" && s.ownership !== "repo") {
+      throw new Error(`invalid seed ownership '${s.ownership}' for ${s.target} (must be 'org' or 'repo')`);
+    }
+  }
+  return {
+    seeds,
+    labels: obj.labels ?? [],
+    placeholders: obj.placeholders ?? []
+  };
+}
+function renderSeed(template, vars) {
+  return template.replace(PLACEHOLDER_RE, (match, key) => key in vars ? vars[key] : match);
+}
+function missingPlaceholders(rendered) {
+  const out = /* @__PURE__ */ new Set();
+  for (const m of rendered.matchAll(PLACEHOLDER_RE)) out.add(m[1]);
+  return [...out];
+}
+var GITIGNORE_MANAGED_BEGIN = "# >>> mmi-managed >>>";
+var GITIGNORE_MANAGED_END = "# <<< mmi-managed <<<";
+var MANAGED_GITIGNORE_LINES = [
+  '# Org-wide cleanliness (AGENTS.md "Repo cleanliness") \u2014 enforced by `mmi-cli doctor`.',
+  "# Do not edit inside these markers; this block is regenerated on the next doctor run.",
+  ".playwright-mcp/",
+  ".claude/worktrees/",
+  "/*.png"
+];
+function renderManagedGitignoreBlock() {
+  return [GITIGNORE_MANAGED_BEGIN, ...MANAGED_GITIGNORE_LINES, GITIGNORE_MANAGED_END].join("\n");
+}
+function upsertManagedGitignoreBlock(current) {
+  const block = renderManagedGitignoreBlock();
+  const src = (current ?? "").replace(/\r\n/g, "\n");
+  if (src.trim() === "") {
+    const next2 = `${block}
+`;
+    return { content: next2, changed: src !== next2 };
+  }
+  const managed = /* @__PURE__ */ new Set([GITIGNORE_MANAGED_BEGIN, GITIGNORE_MANAGED_END, ...MANAGED_GITIGNORE_LINES]);
+  const lines = src.split("\n");
+  const beginAt = lines.findIndex((l) => l === GITIGNORE_MANAGED_BEGIN);
+  const endAt = beginAt === -1 ? -1 : lines.findIndex((l, i) => i > beginAt && l === GITIGNORE_MANAGED_END);
+  let next;
+  if (beginAt !== -1 && endAt !== -1) {
+    const before = lines.slice(0, beginAt).filter((l) => !managed.has(l.trim()));
+    const after = lines.slice(endAt + 1).filter((l) => !managed.has(l.trim()));
+    next = `${[...before, ...block.split("\n"), ...after].join("\n").replace(/\n+$/, "")}
+`;
+  } else {
+    const kept = lines.filter((l) => !managed.has(l.trim())).join("\n").replace(/\n+$/, "");
+    next = kept === "" ? `${block}
+` : `${kept}
+
+${block}
+`;
+  }
+  return { content: next, changed: src !== next };
+}
+
 // src/doctor.ts
 var GH_PROJECT_LOGIN_FIX = 'run: gh auth login --hostname github.com --git-protocol https --web --scopes "project"';
+var AWS_CROSS_ACCOUNT_FIX = "use a non-root IAM user/session profile for master-agent AWS checks; set AWS_PROFILE or AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY (plus AWS_SESSION_TOKEN for temporary credentials), then verify `aws sts get-caller-identity` does not end in :root";
 function buildGithubAuthCheck(input) {
   const ok = Boolean(input.login?.trim());
   return {
@@ -4254,6 +4414,62 @@ function buildGithubAuthCheck(input) {
     fix: input.ghInstalled ? GH_PROJECT_LOGIN_FIX : `install GitHub CLI (https://cli.github.com), then: ${GH_PROJECT_LOGIN_FIX.replace(/^run: /, "")}`
   };
 }
+function buildAwsCrossAccountCheck(input) {
+  const callerArn = input.callerArn?.trim();
+  return {
+    ok: !callerArn || !callerArn.endsWith(":root"),
+    label: "AWS cross-account identity (master-agent audits)",
+    fix: AWS_CROSS_ACCOUNT_FIX
+  };
+}
+var MMI_PLUGIN_ID = "mmi@mmi";
+var PLUGIN_LABEL = "plugin install record (mmi@mmi for this project)";
+function pluginInstallManualFix(projectPath) {
+  return `run \`/plugin install ${MMI_PLUGIN_ID}\` then \`/reload-plugins\` (VS Code extension: reopen the workspace) to register the project install record for ${projectPath}`;
+}
+function isMmiPluginEnabled(settings) {
+  return Boolean(settings?.enabledPlugins?.[MMI_PLUGIN_ID]);
+}
+function hasProjectInstallRecord(file, pluginId, projectPath) {
+  const records = file?.plugins?.[pluginId];
+  if (!Array.isArray(records)) return false;
+  return records.some((r) => r.scope === "project" && r.projectPath === projectPath);
+}
+function buildPluginInstallRecordCheck(input) {
+  const pluginId = input.pluginId ?? MMI_PLUGIN_ID;
+  const base = {
+    ok: true,
+    label: PLUGIN_LABEL,
+    fix: pluginInstallManualFix(input.projectPath),
+    pluginId
+  };
+  if (!input.isOrgRepo || !isMmiPluginEnabled(input.settings)) return base;
+  if (hasProjectInstallRecord(input.installed, pluginId, input.projectPath)) return base;
+  const now = input.now ?? (/* @__PURE__ */ new Date()).toISOString();
+  const recordToInsert = input.mirrorFrom ? {
+    ...input.mirrorFrom,
+    scope: "project",
+    projectPath: input.projectPath,
+    ...input.mirrorFrom.installedAt !== void 0 ? { installedAt: now } : {},
+    ...input.mirrorFrom.lastUpdated !== void 0 ? { lastUpdated: now } : {}
+  } : { scope: "project", projectPath: input.projectPath, installedAt: now, lastUpdated: now };
+  return {
+    ok: false,
+    label: PLUGIN_LABEL,
+    fix: pluginInstallManualFix(input.projectPath),
+    pluginId,
+    recordToInsert
+  };
+}
+var GITIGNORE_BLOCK_LABEL = "org .gitignore managed block (.playwright-mcp/, .claude/worktrees/, scratch *.png)";
+var GITIGNORE_BLOCK_FIX = "run `mmi-cli doctor` to auto-insert the `# >>> mmi-managed >>>` block (or copy it from MMI-Hub's .gitignore)";
+function buildGitignoreManagedBlockCheck(input) {
+  const base = { ok: true, label: GITIGNORE_BLOCK_LABEL, fix: GITIGNORE_BLOCK_FIX };
+  if (!input.isOrgRepo) return base;
+  const { content, changed } = upsertManagedGitignoreBlock(input.content);
+  if (!changed) return base;
+  return { ...base, ok: false, contentToWrite: content };
+}
 
 // src/stage-runner.ts
 var import_node_child_process3 = require("node:child_process");
@@ -4417,8 +4633,8 @@ var import_node_fs3 = require("node:fs");
 var BLOCK = 100;
 var SPAN = 10;
 var FIRST = 3e3;
-function nextPortBlock(registry) {
-  const bases = Object.values(registry).map(([start]) => start);
+function nextPortBlock(registry2) {
+  const bases = Object.values(registry2).map(([start]) => start);
   const base = bases.length ? Math.max(...bases) + BLOCK : FIRST;
   return [base, base + SPAN];
 }
@@ -4434,20 +4650,42 @@ function loadPortRegistry(path) {
   return out;
 }
 function ensurePortRange(repo, path) {
-  const registry = loadPortRegistry(path);
-  const existing = registry[repo];
+  const registry2 = loadPortRegistry(path);
+  const existing = registry2[repo];
   if (existing) return existing;
-  const range = nextPortBlock(registry);
+  const range = nextPortBlock(registry2);
   const raw = (0, import_node_fs3.existsSync)(path) ? JSON.parse((0, import_node_fs3.readFileSync)(path, "utf8")) : {};
   raw[repo] = range;
   (0, import_node_fs3.writeFileSync)(path, JSON.stringify(raw, null, 2) + "\n", "utf8");
   return range;
 }
+function portCursorSeed(registry2) {
+  return nextPortBlock(registry2)[0];
+}
+function existingPortRange(repo, registry2) {
+  return registry2[repo] ?? null;
+}
+async function ensurePortRangeAtomic(repo, path, allocate, opts = {}) {
+  const registry2 = loadPortRegistry(path);
+  const existing = existingPortRange(repo, registry2);
+  if (existing) return { range: existing, source: "existing" };
+  const seed = portCursorSeed(registry2);
+  try {
+    const range = await allocate(seed);
+    return { range, source: "ddb" };
+  } catch (e) {
+    if (!opts.quiet) console.warn(`port-registry: DDB allocator unreachable, falling back to committed file (${e.message})`);
+    return { range: ensurePortRange(repo, path), source: "file" };
+  }
+}
 
 // src/access.ts
 var OWNER = "mutmutco";
 var LOCKED_APP = "mmi-github-app";
 var OVERGRANT_ROLES = /* @__PURE__ */ new Set(["admin", "maintain"]);
+var REQUIRED_DATA_ACCESS = {
+  "mutmutco/MM-Chat": [{ name: "kb-projection-reader", dbRole: "kb_reader", vaultParamNeedle: "KB_READ_DB_URL" }]
+};
 function lockedBranches(repoClass) {
   return repoClass === "content" ? ["main"] : ["development", "rc", "main"];
 }
@@ -4549,21 +4787,56 @@ async function auditTrainBranch(repo, branch, owners, deps, projectAdmins = /* @
   }
   return findings;
 }
-async function auditRepoAccess(repo, repoClass, owners, deps, projectAdmins = /* @__PURE__ */ new Set()) {
+function auditDataAccessContracts(repo, contracts = { consumers: {} }) {
+  const required = REQUIRED_DATA_ACCESS[repo] ?? [];
+  const configured = (contracts.consumers ?? {})[repo] ?? [];
+  const findings = [];
+  for (const req of required) {
+    const matched = configured.some((grant) => grant.name === req.name && grant.dbRole === req.dbRole && (grant.vaultParams ?? []).some((param) => param.includes(req.vaultParamNeedle)));
+    if (!matched) {
+      findings.push({
+        repo,
+        kind: "data-access-missing",
+        severity: "high",
+        detail: `${repo} must have auditable data-access contract '${req.name}' with DB role '${req.dbRole}' and vault parameter name containing '${req.vaultParamNeedle}'`,
+        remediation: `add or fix data-access-contracts.json for ${repo}; record parameter names only, never DSNs or secret values`
+      });
+    }
+  }
+  return findings;
+}
+async function auditRepoAccess(repo, repoClass, owners, deps, projectAdmins = /* @__PURE__ */ new Set(), dataAccess) {
   const findings = [];
   findings.push(...await auditRepoCollaborators(repo, owners, deps));
+  if (dataAccess) findings.push(...auditDataAccessContracts(repo, dataAccess));
   for (const branch of lockedBranches(repoClass)) {
     findings.push(...await auditTrainBranch(repo, branch, owners, deps, projectAdmins));
   }
   return { repo, class: repoClass, ok: !findings.some((f) => f.severity === "high"), findings };
 }
-async function auditOrgAccess(targets, deps, matrix = {}) {
+async function auditOrgBasePermission(deps) {
+  const org = await ghJson(deps, ["api", `orgs/${OWNER}`], {});
+  const perm = org.default_repository_permission;
+  if (perm && perm !== "read" && perm !== "none") {
+    return [{
+      repo: OWNER,
+      kind: "org-base-permission",
+      severity: "high",
+      detail: `org default_repository_permission is '${perm}' \u2014 every member gets '${perm}' on every repo; D25 requires 'read'`,
+      remediation: `gh api -X PATCH orgs/${OWNER} -f default_repository_permission=read`
+    }];
+  }
+  return [];
+}
+async function auditOrgAccess(targets, deps, matrix = {}, dataAccess) {
   const owners = new Set(await resolveOwners(deps));
+  const orgFindings = await auditOrgBasePermission(deps);
   const repos = [];
   for (const target of targets) {
-    repos.push(await auditRepoAccess(target.repo, target.class, owners, deps, new Set(matrix[target.repo] ?? [])));
+    repos.push(await auditRepoAccess(target.repo, target.class, owners, deps, new Set(matrix[target.repo] ?? []), dataAccess));
   }
-  return { ok: repos.every((r) => r.ok), owners: [...owners], repos };
+  const ok = orgFindings.every((f) => f.severity !== "high") && repos.every((r) => r.ok);
+  return { ok, owners: [...owners], orgFindings, repos };
 }
 function loadAccessTargets(projectsJson, fanoutJson) {
   const projects = safeJson(projectsJson, {}).projects ?? [];
@@ -4571,8 +4844,8 @@ function loadAccessTargets(projectsJson, fanoutJson) {
   const contentNames = new Set(fanout.filter((r) => r.class === "content").map((r) => r.repo));
   const seen = /* @__PURE__ */ new Set();
   const targets = [];
-  for (const project of projects) {
-    for (const repo of project.repos ?? []) {
+  for (const project2 of projects) {
+    for (const repo of project2.repos ?? []) {
       if (seen.has(repo)) continue;
       seen.add(repo);
       targets.push({ repo, class: contentNames.has(repo.split("/")[1]) ? "content" : "deployable" });
@@ -4584,8 +4857,37 @@ function loadAccessMatrix(matrixJson) {
   if (!matrixJson) return {};
   return safeJson(matrixJson, {}).projectAdmins ?? {};
 }
+function loadDataAccessContracts(dataAccessJson) {
+  if (!dataAccessJson) return { consumers: {} };
+  const parsed = safeJson(dataAccessJson, { consumers: {} });
+  return { consumers: parsed.consumers ?? {} };
+}
+function canonAccessRepo(repo) {
+  const name = repo.includes("/") ? repo.split("/").pop() : repo;
+  return `mutmutco/${name.toLowerCase()}`;
+}
+function accessMatrixFromProjects(projects) {
+  const matrix = {};
+  for (const p of projects) {
+    if (!Array.isArray(p.projectAdmins) || p.projectAdmins.length === 0) continue;
+    for (const repo of p.repos ?? []) matrix[canonAccessRepo(repo)] = p.projectAdmins;
+  }
+  return matrix;
+}
+function dataAccessContractsFromProjects(projects) {
+  const consumers = {};
+  for (const p of projects) {
+    if (!Array.isArray(p.consumers) || p.consumers.length === 0) continue;
+    for (const repo of p.repos ?? []) consumers[canonAccessRepo(repo)] = p.consumers;
+  }
+  return { consumers };
+}
 function renderAccessReport(report) {
   const lines = [`mmi-cli access audit: ${report.ok ? "OK" : "CHECK"} (owners: ${report.owners.map((o) => "@" + o).join(", ") || "none"})`];
+  for (const finding of report.orgFindings ?? []) {
+    lines.push(`  [${finding.severity}] ${finding.kind}: ${finding.detail}`);
+    if (finding.remediation) lines.push(`      ${finding.remediation}`);
+  }
   for (const repo of report.repos) {
     lines.push(`${repo.ok ? "OK" : "FLAG"} ${repo.repo} (${repo.class})`);
     for (const finding of repo.findings) {
@@ -4604,19 +4906,19 @@ var requiredIssueTemplates = [
   ".github/ISSUE_TEMPLATE/task.yml",
   ".github/ISSUE_TEMPLATE/config.yml"
 ];
-var requiredWorkflows = [".github/workflows/pr-to-board.yml"];
+var requiredWorkflows = [];
 var requiredLabels = ["bug", "feature", "task", "priority:urgent", "priority:high", "priority:medium", "priority:low"];
 var requiredPriorityOptions = ["Urgent", "High", "Medium", "Low"];
 var strayDefaultLabels = ["documentation", "duplicate", "enhancement", "good first issue", "help wanted", "invalid", "question", "wontfix"];
 var requiredStatusOptions = ["Todo", "In Progress", "In Review", "Done"];
 var requiredProjectWorkflows = [
   "Auto-add sub-issues to project",
-  "Auto-close issue",
+  "Auto-archive items",
   "Item added to project",
-  "Item closed",
-  "Pull request linked to issue",
-  "Pull request merged"
+  "Item closed"
 ];
+var requiredOrgRulesetTypes = ["pull_request", "non_fast_forward", "deletion"];
+var requiredHubStatusChecks = ["cli", "infra", "docs"];
 var requiredActionsVariables = ["MMI_APP_ID"];
 var requiredActionsSecrets = ["MMI_APP_PRIVATE_KEY"];
 function expectedBranches(repoClass) {
@@ -4672,6 +4974,27 @@ function hasPushAllowlist(p) {
 function optionDetail(missing) {
   return missing.length === 0 ? void 0 : `missing: ${missing.join(", ")}`;
 }
+function presentDetail(present) {
+  return present.length === 0 ? void 0 : `present: ${present.join(", ")}`;
+}
+function missingRuleTypes(ruleset, required) {
+  const types = new Set((ruleset.rules || []).map((rule) => rule.type).filter(Boolean));
+  return required.filter((type) => !types.has(type));
+}
+function rulesetStatusChecks(rulesets) {
+  return new Set(rulesets.flatMap((ruleset) => (ruleset.rules || []).filter((rule) => rule.type === "required_status_checks").flatMap((rule) => rule.parameters?.required_status_checks || []).map((check) => check.context).filter((context) => Boolean(context))));
+}
+async function rulesetDetails(deps, repo, list) {
+  const details = [];
+  for (const ruleset of list) {
+    if (ruleset.id == null || ruleset.rules != null) {
+      details.push(ruleset);
+      continue;
+    }
+    details.push(await ghJson2(deps, ["api", `repos/${repo}/rulesets/${ruleset.id}`], ruleset));
+  }
+  return details;
+}
 function localRegistryCheck(deps, path, predicate) {
   const text = deps.readLocalFile?.(path);
   if (text == null) return null;
@@ -4724,7 +5047,7 @@ async function verifyBootstrap(repo, repoClass, deps) {
     checks.push({ ok: labelNames.has(label), label: `label exists: ${label}` });
   }
   const strays = strayDefaultLabels.filter((l) => labelNames.has(l));
-  checks.push({ ok: strays.length === 0, label: "no stray GitHub-default labels", detail: optionDetail(strays) });
+  checks.push({ ok: strays.length === 0, label: "no stray GitHub-default labels", detail: presentDetail(strays) });
   const actions = await ghJson2(deps, ["api", `repos/${repo}/actions/permissions`], {});
   checks.push({ ok: actions.enabled === true, label: "GitHub Actions enabled" });
   const variables = await ghJson2(deps, ["variable", "list", "--repo", repo, "--json", "name"], []);
@@ -4743,12 +5066,12 @@ async function verifyBootstrap(repo, repoClass, deps) {
     label: ".mmi project board config exists"
   });
   if (config?.projectOwner && config.projectNumber != null) {
-    const project = await ghJson2(
+    const project2 = await ghJson2(
       deps,
       ["project", "field-list", String(config.projectNumber), "--owner", config.projectOwner, "--format", "json"],
       {}
     );
-    const fields = project.fields || [];
+    const fields = project2.fields || [];
     const statusField = fields.find((field) => field.name === "Status");
     const labelField = fields.find((field) => field.name === "Labels");
     checks.push({
@@ -4822,19 +5145,31 @@ async function verifyBootstrap(repo, repoClass, deps) {
   if (fanout != null) checks.push({ ok: fanout, label: `fanout target registered on ${baseBranch}` });
   const projectRegistry = localRegistryCheck(deps, "projects.json", (json) => Array.isArray(json?.projects) && json.projects.some((p) => (p.repos || []).includes(repo)));
   if (projectRegistry != null) checks.push({ ok: projectRegistry, label: "cloud-agent project registry includes repo" });
-  const rulesets = await ghJson2(
+  const rulesetList = await ghJson2(
     deps,
     ["api", `repos/${repo}/rulesets?includes_parents=true`],
     []
   );
-  const orgRuleset = rulesets.some(
+  const rulesets = await rulesetDetails(deps, repo, rulesetList);
+  const activeOrgRulesets = rulesets.filter(
     (r) => r.source_type === "Organization" && r.target === "branch" && r.enforcement === "active"
   );
+  const orgRuleset = activeOrgRulesets.find((ruleset) => missingRuleTypes(ruleset, requiredOrgRulesetTypes).length === 0);
+  const missingOrgRuleTypes = activeOrgRulesets.length === 0 ? requiredOrgRulesetTypes : missingRuleTypes(activeOrgRulesets[0], requiredOrgRulesetTypes);
   checks.push({
-    ok: orgRuleset,
+    ok: Boolean(orgRuleset),
     label: "covered by an active org ruleset",
-    detail: orgRuleset ? void 0 : "no active Organization-sourced branch ruleset targets this repo"
+    detail: orgRuleset ? void 0 : activeOrgRulesets.length === 0 ? "no active Organization-sourced branch ruleset targets this repo" : `missing rule types: ${missingOrgRuleTypes.join(", ")}`
   });
+  if (repo === "mutmutco/MMI-Hub") {
+    const statusChecks = rulesetStatusChecks(rulesets.filter((r) => r.target === "branch" && r.enforcement === "active"));
+    const missing = requiredHubStatusChecks.filter((check) => !statusChecks.has(check));
+    checks.push({
+      ok: missing.length === 0,
+      label: "Hub required status checks configured",
+      detail: optionDetail(missing)
+    });
+  }
   const waived = applyWaivers(checks, config?.verifyWaivers ?? []);
   return { ok: waived.every((c) => c.ok || c.waived), repo, class: repoClass, baseBranch, checks: waived };
 }
@@ -4852,45 +5187,14 @@ function renderBootstrapVerifyReport(report) {
   return lines.join("\n");
 }
 
-// src/bootstrap-seeds.ts
-var PLACEHOLDER_RE = /\{\{([A-Z0-9_]+)\}\}/g;
-function loadBootstrapSeeds(manifestJson) {
-  let parsed;
-  try {
-    parsed = JSON.parse(manifestJson);
-  } catch {
-    throw new Error("bootstrap seed manifest is not valid JSON");
-  }
-  const obj = parsed ?? {};
-  const seeds = obj.seeds ?? [];
-  for (const s of seeds) {
-    if (!s || !s.target || !s.source || !Array.isArray(s.classes)) {
-      throw new Error(`invalid seed entry (needs target, source, classes): ${JSON.stringify(s)}`);
-    }
-    if (s.ownership !== "org" && s.ownership !== "repo") {
-      throw new Error(`invalid seed ownership '${s.ownership}' for ${s.target} (must be 'org' or 'repo')`);
-    }
-  }
-  return {
-    seeds,
-    labels: obj.labels ?? [],
-    placeholders: obj.placeholders ?? []
-  };
-}
-function renderSeed(template, vars) {
-  return template.replace(PLACEHOLDER_RE, (match, key) => key in vars ? vars[key] : match);
-}
-function missingPlaceholders(rendered) {
-  const out = /* @__PURE__ */ new Set();
-  for (const m of rendered.matchAll(PLACEHOLDER_RE)) out.add(m[1]);
-  return [...out];
-}
-
 // src/bootstrap-apply.ts
 function planSeedAction(seed, exists) {
   if (seed.source === "fanout") {
     return { target: seed.target, action: "skip", ownership: "fanout", reason: "delivered by the fanout pipeline" };
   }
+  if (seed.source === "managed-block") {
+    return exists ? { target: seed.target, action: "update", ownership: "org", reason: "org-managed block merged in-place (repo-owned lines preserved)" } : { target: seed.target, action: "create", ownership: "org", reason: "org-managed block; .gitignore absent, created" };
+  }
   if (seed.ownership === "repo") {
     return exists ? { target: seed.target, action: "skip", ownership: "repo", reason: "repo-owned, already present (never clobbered)" } : { target: seed.target, action: "create", ownership: "repo", reason: "repo-owned, missing" };
   }
@@ -4913,6 +5217,49 @@ function resolveSeedContent(seed, vars, readFile2) {
   }
   return null;
 }
+function buildRegisterPayload(repo, cls, vars) {
+  const slug = (repo.split("/")[1] ?? repo).toLowerCase();
+  const num = (v) => {
+    if (v == null || v === "") return void 0;
+    const n = Number(v);
+    return Number.isFinite(n) ? n : void 0;
+  };
+  const statusOptions = vars.STATUS_TODO || vars.STATUS_IN_PROGRESS || vars.STATUS_IN_REVIEW || vars.STATUS_DONE ? {
+    Todo: vars.STATUS_TODO,
+    "In Progress": vars.STATUS_IN_PROGRESS,
+    "In Review": vars.STATUS_IN_REVIEW,
+    Done: vars.STATUS_DONE
+  } : void 0;
+  const priorityOptions = vars.PRIORITY_URGENT || vars.PRIORITY_HIGH || vars.PRIORITY_MEDIUM || vars.PRIORITY_LOW ? {
+    Urgent: vars.PRIORITY_URGENT,
+    High: vars.PRIORITY_HIGH,
+    Medium: vars.PRIORITY_MEDIUM,
+    Low: vars.PRIORITY_LOW
+  } : void 0;
+  const payload = {
+    slug,
+    // Identity. name/division default off the repo name when the skill didn't pass them.
+    name: vars.NAME || repo.split("/")[1] || slug,
+    division: vars.DIVISION || (repo.split("/")[1] ?? "").split("-")[0] || void 0,
+    repos: [`mutmutco/${slug}`],
+    wikiRepo: vars.WIKI_REPO || `mutmutco/${repo.split("/")[1] ?? slug}`,
+    branch: vars.BRANCH || (cls === "content" ? "main" : "development"),
+    class: cls,
+    // Board coords (from GraphQL at bootstrap, passed as --var by the skill).
+    projectOwner: vars.PROJECT_OWNER || void 0,
+    projectNumber: num(vars.PROJECT_NUMBER),
+    projectId: vars.PROJECT_ID || void 0,
+    statusFieldId: vars.STATUS_FIELD_ID || void 0,
+    statusOptions,
+    priorityFieldId: vars.PRIORITY_FIELD_ID || void 0,
+    priorityOptions,
+    // Pointers. vaultPath is explicit + canonical; kbPointer is the per-project KB doc path.
+    vaultPath: `/mmi-future/${slug}`,
+    kbPointer: `kb/projects/${slug}.md`
+  };
+  for (const k of Object.keys(payload)) if (payload[k] === void 0) delete payload[k];
+  return payload;
+}
 function contentPutArgs(repo, path, content, branch, sha) {
   const args = [
     "api",
@@ -4930,6 +5277,93 @@ function contentPutArgs(repo, path, content, branch, sha) {
   return args;
 }
 
+// src/registry-client.ts
+var DEFAULT_TIMEOUT_MS = 8e3;
+async function fetchProjectsList(deps) {
+  if (!deps.baseUrl) return null;
+  const token = await deps.token();
+  if (!token) return null;
+  const doFetch = deps.fetch ?? fetch;
+  try {
+    const res = await doFetch(`${deps.baseUrl.replace(/\/$/, "")}/projects/list`, {
+      method: "GET",
+      headers: { Authorization: `Bearer ${token}` },
+      signal: AbortSignal.timeout(deps.timeoutMs ?? DEFAULT_TIMEOUT_MS)
+    });
+    if (!res.ok) return null;
+    const body = await res.json();
+    return Array.isArray(body?.projects) ? body.projects : null;
+  } catch {
+    return null;
+  }
+}
+async function fetchProjectsJson(deps) {
+  const projects = await fetchProjectsList(deps);
+  return projects ? JSON.stringify({ projects }) : null;
+}
+async function fetchProjectBySlug(slug, deps) {
+  if (!deps.baseUrl || !slug) return null;
+  const token = await deps.token();
+  if (!token) return null;
+  const doFetch = deps.fetch ?? fetch;
+  try {
+    const res = await doFetch(`${deps.baseUrl.replace(/\/$/, "")}/projects/${encodeURIComponent(slug)}`, {
+      method: "GET",
+      headers: { Authorization: `Bearer ${token}` },
+      signal: AbortSignal.timeout(deps.timeoutMs ?? DEFAULT_TIMEOUT_MS)
+    });
+    if (!res.ok) return null;
+    return await res.json();
+  } catch {
+    return null;
+  }
+}
+async function fetchOrgConfig(deps) {
+  if (!deps.baseUrl) return null;
+  const token = await deps.token();
+  if (!token) return null;
+  const doFetch = deps.fetch ?? fetch;
+  try {
+    const res = await doFetch(`${deps.baseUrl.replace(/\/$/, "")}/org/config`, {
+      method: "GET",
+      headers: { Authorization: `Bearer ${token}` },
+      signal: AbortSignal.timeout(deps.timeoutMs ?? DEFAULT_TIMEOUT_MS)
+    });
+    if (!res.ok) return null;
+    return await res.json();
+  } catch {
+    return null;
+  }
+}
+async function postJson(pathSuffix, payload, deps, method = "POST") {
+  if (!deps.baseUrl) return { ok: false, status: 0, body: null, error: "no Hub API URL (this repo is not bootstrapped)" };
+  const token = await deps.token();
+  if (!token) return { ok: false, status: 0, body: null, error: "no GitHub token (run `gh auth login`)" };
+  const doFetch = deps.fetch ?? fetch;
+  try {
+    const res = await doFetch(`${deps.baseUrl.replace(/\/$/, "")}${pathSuffix}`, {
+      method,
+      headers: { Authorization: `Bearer ${token}`, "content-type": "application/json" },
+      body: JSON.stringify(payload),
+      signal: AbortSignal.timeout(deps.timeoutMs ?? DEFAULT_TIMEOUT_MS)
+    });
+    let body = null;
+    try {
+      body = await res.json();
+    } catch {
+    }
+    return { ok: res.ok, status: res.status, body };
+  } catch (e) {
+    return { ok: false, status: 0, body: null, error: e.message };
+  }
+}
+async function registerProject(payload, deps) {
+  return postJson("/projects/register", payload, deps);
+}
+async function upsertProject(slug, patch, deps) {
+  return postJson(`/projects/${encodeURIComponent(slug)}`, patch, deps);
+}
+
 // src/kb.ts
 var DEFAULT_KB = { owner: "mutmutco", repo: "MM-KB", ref: "main" };
 function resolveKbSource(rawBase) {
@@ -4961,7 +5395,7 @@ var import_node_path3 = require("node:path");
 var PLANS_DIR = "plans";
 var META_FILE = (0, import_node_path3.join)(PLANS_DIR, ".plan-meta.json");
 var planPath = (slug) => (0, import_node_path3.join)(PLANS_DIR, `${slug}.md`);
-var metaKey = (project, slug) => `${project}/${slug}`;
+var metaKey = (project2, slug) => `${project2}/${slug}`;
 function parseMeta(raw) {
   if (!raw) return {};
   try {
@@ -4983,23 +5417,46 @@ function hashContent(s) {
   return (h >>> 0).toString(16);
 }
 function staleHint(slug) {
-  return `remote "${slug}" is newer \u2014 run \`mmi-cli plan pull ${slug}\` first (your local is based on an older version), or re-push with \`--force\` to overwrite`;
+  return `remote "${slug}" is newer \u2014 run \`mmi-cli northstar pull ${slug}\` first (your local is based on an older version), or re-push with \`--force\` to overwrite`;
 }
 function formatPlanList(plans) {
   return plans.map((p) => `${p.slug}  \xB7  ${p.updatedAt ?? "-"}  \xB7  ${p.project}`).join("\n");
 }
 var TIMEOUT_MS = 8e3;
+var GRADUATION_KEYS = /* @__PURE__ */ new Set(["northstar-graduation", "privacy", "merged-pr"]);
+function splitFrontmatter(content) {
+  const match = /^---\n([\s\S]*?)\n---(?:\n|$)/.exec(content);
+  if (!match) return { entries: [], body: content };
+  return { entries: match[1].split(/\r?\n/).filter((line) => line.trim()), body: content.slice(match[0].length) };
+}
+function markPlanGraduated(content, opts) {
+  const { entries, body } = splitFrontmatter(normalizeEol(content));
+  const preserved = entries.filter((line) => {
+    const key = /^([A-Za-z0-9_-]+):/.exec(line)?.[1]?.toLowerCase();
+    return !key || !GRADUATION_KEYS.has(key);
+  });
+  const next = [
+    ...preserved,
+    "northstar-graduation: built-and-merged",
+    "privacy: org",
+    `merged-pr: ${opts.mergedPr}`
+  ];
+  return `---
+${next.join("\n")}
+---
+${body.replace(/^\n+/, "")}`;
+}
 async function planPush(deps, slug, opts = {}) {
   const raw = deps.readLocal(slug);
   if (raw == null) {
     deps.err(`no local ${planPath(slug)} to push`);
-    return;
+    return false;
   }
   const content = normalizeEol(raw);
-  const project = opts.project ?? await deps.project();
+  const project2 = opts.project ?? await deps.project();
   const meta = parseMeta(deps.readMetaRaw());
-  const entry = meta[metaKey(project, slug)];
-  const body = { project, slug, content };
+  const entry = meta[metaKey(project2, slug)];
+  const body = { project: project2, slug, content };
   if (opts.force) body.force = true;
   else if (entry?.etag) body.baseEtag = entry.etag;
   const res = await deps.fetch(`${deps.apiUrl}/plan/put`, {
@@ -5010,25 +5467,28 @@ async function planPush(deps, slug, opts = {}) {
   });
   if (res.ok) {
     const out = await res.json();
-    meta[metaKey(project, slug)] = { etag: out.etag, hash: hashContent(content), syncedAt: deps.now() };
+    meta[metaKey(project2, slug)] = { etag: out.etag, hash: hashContent(content), syncedAt: deps.now() };
     deps.writeMetaRaw(serializeMeta(meta));
     deps.log(`pushed ${slug}`);
+    return true;
   } else if (res.status === 409) {
     deps.err(staleHint(slug));
+    return false;
   } else {
     deps.err(`plan push failed: HTTP ${res.status}`);
+    return false;
   }
 }
 async function planPull(deps, slug, opts = {}) {
-  const project = opts.project ?? await deps.project();
+  const project2 = opts.project ?? await deps.project();
   const meta = parseMeta(deps.readMetaRaw());
-  const entry = meta[metaKey(project, slug)];
+  const entry = meta[metaKey(project2, slug)];
   const local = deps.readLocal(slug);
   if (local != null && entry && !opts.force && hashContent(normalizeEol(local)) !== entry.hash) {
     deps.err(`local ${planPath(slug)} has unpushed edits \u2014 push it, or pull with --force to overwrite`);
     return;
   }
-  const qs = new URLSearchParams({ project, slug }).toString();
+  const qs = new URLSearchParams({ project: project2, slug }).toString();
   const res = await deps.fetch(`${deps.apiUrl}/plan/get?${qs}`, {
     method: "GET",
     headers: await deps.headers(),
@@ -5045,7 +5505,7 @@ async function planPull(deps, slug, opts = {}) {
   const doc = await res.json();
   const content = normalizeEol(doc.content ?? "");
   deps.writeLocal(slug, content);
-  meta[metaKey(project, slug)] = { etag: doc.etag, hash: hashContent(content), syncedAt: deps.now() };
+  meta[metaKey(project2, slug)] = { etag: doc.etag, hash: hashContent(content), syncedAt: deps.now() };
   deps.writeMetaRaw(serializeMeta(meta));
   deps.log(`pulled ${slug} \u2192 ${planPath(slug)}`);
 }
@@ -5078,11 +5538,11 @@ async function planList(deps, opts = {}) {
   deps.log(formatPlanList(plans));
 }
 async function planDelete(deps, slug, opts = {}) {
-  const project = opts.project ?? await deps.project();
+  const project2 = opts.project ?? await deps.project();
   const res = await deps.fetch(`${deps.apiUrl}/plan/delete`, {
     method: "POST",
     headers: await deps.headers({ "content-type": "application/json" }),
-    body: JSON.stringify({ project, slug }),
+    body: JSON.stringify({ project: project2, slug }),
     signal: AbortSignal.timeout(TIMEOUT_MS)
   });
   if (!res.ok) {
@@ -5091,10 +5551,29 @@ async function planDelete(deps, slug, opts = {}) {
   }
   deps.removeLocal(slug);
   const meta = parseMeta(deps.readMetaRaw());
-  delete meta[metaKey(project, slug)];
+  delete meta[metaKey(project2, slug)];
   deps.writeMetaRaw(serializeMeta(meta));
   deps.log(`deleted ${slug}`);
 }
+async function planGraduate(deps, slug, opts = {}) {
+  if (!opts.orgVisible) {
+    deps.err("refusing to mark an org-visible graduation without --org-visible");
+    return;
+  }
+  if (!opts.mergedPr) {
+    deps.err("missing --merged-pr <url|number>");
+    return;
+  }
+  const raw = deps.readLocal(slug);
+  if (raw == null) {
+    deps.err(`no local ${planPath(slug)} to graduate`);
+    return;
+  }
+  const content = markPlanGraduated(raw, { mergedPr: opts.mergedPr });
+  deps.writeLocal(slug, content);
+  const pushed = await planPush(deps, slug, { project: opts.project, force: opts.force });
+  if (pushed) deps.log(`graduated ${slug}`);
+}
 
 // src/secrets.ts
 var OWNER2 = "mutmutco";
@@ -5120,11 +5599,47 @@ function formatSecretList(items) {
   const width = Math.max(...items.map((i) => i.key.length));
   return items.map((i) => `${i.canManage ? "*" : " "} ${i.key.padEnd(width)}  ${i.tier}`).join("\n").concat("\n\n* = you can manage (write/rotate) this secret. Values are never shown \u2014 `secrets get <KEY>` prints one.");
 }
+function vaultPointer(slug) {
+  const root = `${SSM_ROOT}/${slug}`;
+  return {
+    slug,
+    root,
+    tiers: {
+      project: `${root}/${PROJECT_TIER_SEGMENT}/*  (project-admin self-serve)`,
+      org: [`${root}/rc/*`, `${root}/main/*`].map((p) => `${p}  (master-gated)`)
+    },
+    stages: ["dev", "rc", "main"],
+    // Google OAuth is one client per repo; creds live at every stage under the standard key names
+    // (local is port-agnostic and reuses the dev tier). See the oauth-everywhere convention.
+    wellKnown: {
+      googleOAuth: ["dev/GOOGLE_CLIENT_ID", "dev/GOOGLE_CLIENT_SECRET", "rc/GOOGLE_CLIENT_ID", "rc/GOOGLE_CLIENT_SECRET", "main/GOOGLE_CLIENT_ID", "main/GOOGLE_CLIENT_SECRET"]
+    }
+  };
+}
+function formatVaultPointer(p) {
+  const lines = [
+    `vault root: ${p.root}`,
+    `  project tier (self-serve): ${p.tiers.project}`,
+    `  org tier (master-gated):   ${p.tiers.org.join("  \xB7  ")}`,
+    `stages: ${p.stages.join(", ")}  (local is port-agnostic, reuses dev)`,
+    `well-known keys:`,
+    ...Object.entries(p.wellKnown).map(([k, keys]) => `  ${k}: ${keys.join(", ")}`),
+    ``,
+    `enumerate actual keys:  mmi-cli secrets list`,
+    `read one:               mmi-cli secrets get <stage>/<KEY>   (e.g. main/GOOGLE_CLIENT_ID)`,
+    `set a project-tier key: mmi-cli secrets set <KEY>           (value via stdin; org tier needs a master grant)`
+  ];
+  return lines.join("\n");
+}
 var TIMEOUT_MS2 = 8e3;
 var repoOf = (slug) => `${OWNER2}/${slug}`;
 async function targetRepo(deps, opts) {
   return opts.repo ?? repoOf(await deps.slug());
 }
+async function secretsWhere(deps, opts) {
+  const slug = opts.repo ? opts.repo.split("/").pop().toLowerCase() : await deps.slug();
+  deps.log(formatVaultPointer(vaultPointer(slug)));
+}
 async function readErr(res) {
   try {
     const j = await res.json();
@@ -5133,6 +5648,23 @@ async function readErr(res) {
     return "";
   }
 }
+async function fetchSecretValue(deps, key, opts) {
+  if (!isValidSecretKey(key)) return null;
+  const repo = await targetRepo(deps, opts);
+  try {
+    const res = await deps.fetch(`${deps.apiUrl}/secrets/get`, {
+      method: "POST",
+      headers: await deps.headers({ "content-type": "application/json" }),
+      body: JSON.stringify({ repo, key }),
+      signal: AbortSignal.timeout(TIMEOUT_MS2)
+    });
+    if (!res.ok) return null;
+    const { value } = await res.json();
+    return value ?? null;
+  } catch {
+    return null;
+  }
+}
 async function secretsList(deps, opts) {
   const repo = await targetRepo(deps, opts);
   const qs = new URLSearchParams({ repo }).toString();
@@ -5261,6 +5793,69 @@ async function secretsUse(deps, key, _opts) {
   );
 }
 
+// src/oauth.ts
+var DEFAULT_DOMAINS = ["mutatismutandis.co", "mutmut.co"];
+var DEFAULT_CALLBACK_PATH = "/api/auth/callback";
+var ENV_PREFIXES = ["", "dev", "rc"];
+var LOOPBACK = ["http://localhost", "http://127.0.0.1"];
+var SSM_ENVS = ["dev", "rc", "main"];
+var SSM_NAMES = ["GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET"];
+var uniq = (xs) => [...new Set(xs)];
+function defaultSubdomain(slug) {
+  const i = slug.indexOf("-");
+  return i === -1 ? slug : slug.slice(i + 1);
+}
+function expectedHosts(cfg) {
+  const out = [];
+  for (const sub of cfg.subdomains) {
+    for (const domain of cfg.domains) {
+      const base = sub ? `${sub}.${domain}` : domain;
+      for (const env of ENV_PREFIXES) out.push(env ? `${env}.${base}` : base);
+    }
+  }
+  return uniq(out);
+}
+function expectedJsOrigins(cfg) {
+  return uniq([...expectedHosts(cfg).map((h) => `https://${h}`), ...LOOPBACK]);
+}
+function expectedRedirectUris(cfg) {
+  const { callbackPath } = cfg;
+  return uniq([
+    ...expectedHosts(cfg).map((h) => `https://${h}${callbackPath}`),
+    ...LOOPBACK.map((l) => `${l}${callbackPath}`)
+  ]);
+}
+function oauthSsmKeys() {
+  return SSM_ENVS.flatMap((env) => SSM_NAMES.map((name) => `${env}/${name}`));
+}
+function parseOauthConfig(mmiConfig, slug) {
+  const raw = mmiConfig?.oauth ?? {};
+  const subdomains = Array.isArray(raw.subdomains) && raw.subdomains.length > 0 ? raw.subdomains.map(String) : [defaultSubdomain(slug)];
+  const domains = Array.isArray(raw.domains) && raw.domains.length > 0 ? raw.domains.map(String) : [...DEFAULT_DOMAINS];
+  const callbackPath = typeof raw.callbackPath === "string" && raw.callbackPath ? raw.callbackPath : DEFAULT_CALLBACK_PATH;
+  if (!callbackPath.startsWith("/")) {
+    throw new Error(`oauth.callbackPath must start with "/" (got ${JSON.stringify(callbackPath)})`);
+  }
+  return { subdomains, domains, callbackPath };
+}
+function probeRedirectUri(callbackPath, port = 9123) {
+  return `http://localhost:${port}${callbackPath}`;
+}
+function buildAuthorizeProbeUrl(clientId, redirectUri) {
+  const qs = new URLSearchParams({
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    response_type: "code",
+    scope: "openid email",
+    access_type: "offline",
+    prompt: "consent"
+  });
+  return `https://accounts.google.com/o/oauth2/v2/auth?${qs.toString()}`;
+}
+function authorizeBodyHasMismatch(body) {
+  return /redirect_uri_mismatch/i.test(body);
+}
+
 // src/index.ts
 var rawExecFileP2 = (0, import_node_util3.promisify)(import_node_child_process4.execFile);
 var execFileP3 = (file, args, options = {}) => (
@@ -5288,16 +5883,58 @@ async function githubLogin() {
     return void 0;
   }
 }
+async function awsCallerArn() {
+  try {
+    const { stdout } = await execFileP3(
+      "aws",
+      ["sts", "get-caller-identity", "--query", "Arn", "--output", "text"],
+      { timeout: GIT_TIMEOUT_MS }
+    );
+    return stdout.trim() || void 0;
+  } catch {
+    return void 0;
+  }
+}
 async function sagaHeaders(extra = {}) {
   const t = await githubToken();
   return t ? { ...extra, Authorization: `Bearer ${t}` } : extra;
 }
 async function loadConfig() {
+  let file = {};
   try {
-    return JSON.parse(await (0, import_promises.readFile)(".mmi/config.json", "utf8"));
+    file = JSON.parse(await (0, import_promises.readFile)(".mmi/config.json", "utf8"));
   } catch {
-    return {};
-  }
+    file = {};
+  }
+  if (!file.sagaApiUrl) file.sagaApiUrl = defaultHubUrl();
+  return file;
+}
+var discoveredConfig = null;
+async function loadConfigOrDiscover() {
+  if (discoveredConfig) return discoveredConfig;
+  const floor = await loadConfig();
+  if (floor.projectId && floor.statusFieldId && floor.statusOptions) {
+    discoveredConfig = floor;
+    return floor;
+  }
+  if (!floor.sagaApiUrl) return floor;
+  const meta = await fetchProjectBySlug(await repoSlug(), { baseUrl: floor.sagaApiUrl, token: githubToken });
+  if (!meta) return floor;
+  discoveredConfig = {
+    projectOwner: meta.projectOwner,
+    projectNumber: meta.projectNumber,
+    projectId: meta.projectId,
+    statusFieldId: meta.statusFieldId,
+    statusOptions: meta.statusOptions,
+    priorityFieldId: meta.priorityFieldId,
+    priorityOptions: meta.priorityOptions,
+    ...floor
+  };
+  return discoveredConfig;
+}
+async function repoSlug() {
+  const remote = await gitOut(["remote", "get-url", "origin"]);
+  return (remote.replace(/\.git$/, "").split("/").pop() || "-").toLowerCase();
 }
 var DEFAULT_RULES_SOURCE = "https://raw.githubusercontent.com/mutmutco/MMI-Hub/development";
 var SESSION_FILE = ".mmi/.session";
@@ -5458,11 +6095,8 @@ function readRepoVersion() {
 }
 async function fetchReleasedVersion() {
   try {
-    const res = await fetch("https://raw.githubusercontent.com/mutmutco/MMI-Hub/main/.claude-plugin/plugin.json", {
-      signal: AbortSignal.timeout(5e3)
-    });
-    if (!res.ok) return void 0;
-    return (await res.json()).version;
+    const { stdout } = await execFileP3("gh", pluginManifestVersionArgs(), { timeout: 5e3 });
+    return parseManifestVersion(stdout);
   } catch {
     return void 0;
   }
@@ -5501,7 +6135,7 @@ rules.command("sync").option("--quiet", "stay silent unless something changed or
     if (!opts.quiet) console.log('mmi-cli rules: source repo (orgRulesSource: "self") \u2014 skipping self-sync');
     return;
   }
-  const base = (cfg.orgRulesSource ?? DEFAULT_RULES_SOURCE).replace(/\/$/, "");
+  const base = resolveRulesBase(cfg.orgRulesSource, DEFAULT_RULES_SOURCE);
   const token = await githubToken();
   let changed = 0;
   for (const file of ["AGENTS.md", "CLAUDE.md", ".claude/settings.json"]) {
@@ -5567,7 +6201,10 @@ saga.command("show").option("--quiet", "no-op silently when unconfigured/unreach
     const key = await sagaKey(cfg);
     const qs = opts.latestAnywhere ? "scope=anywhere" : new URLSearchParams({ project: key.project, branch: key.branch }).toString();
     const res = await fetch(`${cfg.sagaApiUrl}/saga/head?${qs}`, { headers: await sagaHeaders(), signal: AbortSignal.timeout(8e3) });
-    if (res.ok) return console.log(await res.text());
+    if (res.ok) {
+      console.log(resumeCue());
+      return console.log(await res.text());
+    }
     if (!opts.quiet) console.log(`saga show failed: HTTP ${res.status}`);
   } catch (e) {
     if (!opts.quiet) console.error(`saga show: ${e.message}`);
@@ -5712,7 +6349,7 @@ async function resolveRepo(repo) {
   }
 }
 async function attachToProject(issueNumber, repo, priority) {
-  const cfg = await loadConfig();
+  const cfg = await loadConfigOrDiscover();
   if (!cfg.projectId) return void 0;
   if (repo) {
     const skip = boardAttachSkipReason(await resolveRepo(), repo);
@@ -5825,17 +6462,27 @@ async function withPlan(quiet, run) {
   }
   await run(makePlanDeps(cfg));
 }
-var plan = program2.command("plan").description("your cross-device plans/SSOTs (S3-backed, git-clean)");
-plan.command("push <slug>").description("push a local plan (plans/<slug>.md) to the server").option("--project <name>", "override the project key").option("--force", "overwrite the remote even if it changed since your last sync").action((slug, o) => withPlan(false, (d) => planPush(d, slug, o)));
-plan.command("pull <slug>").description("pull a plan from the server into plans/<slug>.md").option("--project <name>", "override the project key").option("--force", "overwrite local even if it has unpushed edits").action((slug, o) => withPlan(false, (d) => planPull(d, slug, o)));
-plan.command("list").description("list your plans (cross-device)").option("--project <name>", "filter by project").option("--json", "machine-readable output").option("--quiet", "silent when unconfigured/empty/unreachable (SessionStart hook)").action((o) => withPlan(o.quiet ?? false, (d) => planList(d, o)));
-plan.command("open <slug>").description("pull if needed, then open plans/<slug>.md in $EDITOR").option("--project <name>", "override the project key").action(
-  (slug, o) => withPlan(false, async (d) => {
-    await planPull(d, slug, { project: o.project });
-    openInEditor(planPath(slug));
-  })
-);
-plan.command("delete <slug>").description("delete a plan from the server and the local copy").option("--project <name>", "override the project key").action((slug, o) => withPlan(false, (d) => planDelete(d, slug, o)));
+function registerNorthStarCommands(cmd) {
+  cmd.command("push <slug>").description("push a local North Star plan (plans/<slug>.md) to the server").option("--project <name>", "override the project key").option("--force", "overwrite the remote even if it changed since your last sync").action((slug, o) => withPlan(false, async (d) => {
+    await planPush(d, slug, o);
+  }));
+  cmd.command("pull <slug>").description("pull a North Star plan from the server into plans/<slug>.md").option("--project <name>", "override the project key").option("--force", "overwrite local even if it has unpushed edits").action((slug, o) => withPlan(false, (d) => planPull(d, slug, o)));
+  cmd.command("list").description("list your North Star plans (cross-device)").option("--project <name>", "filter by project").option("--json", "machine-readable output").option("--quiet", "silent when unconfigured/empty/unreachable (SessionStart hook)").action((o) => withPlan(o.quiet ?? false, (d) => planList(d, o)));
+  cmd.command("open <slug>").description("pull if needed, then open plans/<slug>.md in $EDITOR").option("--project <name>", "override the project key").action(
+    (slug, o) => withPlan(false, async (d) => {
+      await planPull(d, slug, { project: o.project });
+      openInEditor(planPath(slug));
+    })
+  );
+  cmd.command("delete <slug>").description("delete a North Star plan from the server and the local copy").option("--project <name>", "override the project key").action((slug, o) => withPlan(false, (d) => planDelete(d, slug, o)));
+  cmd.command("graduate <slug>").description("mark a built-and-merged North Star plan as org-visible and push it").requiredOption("--merged-pr <url|number>", "merged PR URL or number proving the plan shipped").option("--org-visible", "confirm this plan is safe to queue for org KB curation").option("--project <name>", "override the project key").option("--force", "overwrite the remote even if it changed since your last sync").action(
+    (slug, o) => withPlan(false, (d) => planGraduate(d, slug, o))
+  );
+}
+var northstar = program2.command("northstar").description("North Star \u2014 your cross-device plans/SSOTs (S3-backed, git-clean)");
+registerNorthStarCommands(northstar);
+var plan = program2.command("plan").description("Alias for `northstar` (kept for compatibility)");
+registerNorthStarCommands(plan);
 async function readSecretStdin() {
   if (process.stdin.isTTY) {
     process.stderr.write(
@@ -5867,6 +6514,7 @@ async function withSecrets(run) {
   await run(makeSecretsDeps(cfg));
 }
 var secrets = program2.command("secrets").description("two-tier project secrets \u2014 self-serve your repo dev/* tier; org tier is master-gated");
+secrets.command("where").description("print where this repo\u2019s secrets live \u2014 the two-tier vault layout + well-known keys (no values)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action((o) => withSecrets((d) => secretsWhere(d, o)));
 secrets.command("list").description("list secret NAMES + tier for this repo (never values)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action((o) => withSecrets((d) => secretsList(d, o)));
 secrets.command("get <key>").description("print one secret value over TLS (prints once, raw \u2014 do not log/paste it)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action((key, o) => withSecrets((d) => secretsGet(d, key, o)));
 secrets.command("set <key>").description("write/rotate a secret; value is read from stdin (never an argument)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action((key, o) => withSecrets((d) => secretsSet(d, key, o)));
@@ -5875,6 +6523,140 @@ secrets.command("rm <key>").description("remove a secret (project tier self-serv
 secrets.command("use <key>").description("print guidance on consuming a secret without committing it (no value)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action((key, o) => withSecrets((d) => secretsUse(d, key, o)));
 secrets.command("grant <repo> <login> <key>").description("MASTER-ONLY: grant a project-admin standing access to a specific org-tier secret").action((repo, login, key) => withSecrets((d) => secretsGrant(d, repo, login, key, {})));
 secrets.command("revoke <repo> <login> <key>").description("MASTER-ONLY: withdraw a previously granted org-tier secret access").action((repo, login, key) => withSecrets((d) => secretsRevoke(d, repo, login, key, {})));
+function registryClientDeps(cfg) {
+  return { baseUrl: cfg.sagaApiUrl, token: githubToken };
+}
+function slugOf(repoOrSlug) {
+  return (repoOrSlug.includes("/") ? repoOrSlug.split("/").pop() : repoOrSlug).toLowerCase();
+}
+function reportWrite(label, res) {
+  if (res.ok) {
+    console.log(JSON.stringify(res.body));
+    return;
+  }
+  if (res.error) return fail(`${label}: ${res.error}`);
+  const detail = res.body?.error ?? "";
+  fail(`${label}: HTTP ${res.status}${detail ? ` \u2014 ${detail}` : ""}`);
+}
+var project = program2.command("project").description("the DDB org registry \u2014 list/get projects (any member); set is master-only");
+project.command("list").description("list all projects (identity + board, never deploy coords)").option("--json", "machine-readable output").action(async (o) => {
+  const cfg = await loadConfig();
+  const projects = await fetchProjectsList(registryClientDeps(cfg));
+  if (!projects) return fail("project list: Hub API unreachable or this repo is not bootstrapped");
+  if (o.json) {
+    console.log(JSON.stringify(projects));
+    return;
+  }
+  for (const p of projects) {
+    console.log(`${p.slug ?? "?"} - ${p.name ?? ""}${p.division ? ` [${p.division}]` : ""}${p.class ? ` (${p.class})` : ""}`);
+  }
+});
+project.command("get <owner/repo>").description("a project's META (board ids + pointers) by repo or slug \u2014 identity, NOT deploy coords").option("--json", "machine-readable output").action(async (repoOrSlug, o) => {
+  const cfg = await loadConfig();
+  const meta = await fetchProjectBySlug(slugOf(repoOrSlug), registryClientDeps(cfg));
+  if (!meta) return fail(`project get: no registry META for ${repoOrSlug} (unknown, unbootstrapped, or Hub unreachable)`);
+  console.log(JSON.stringify(meta));
+});
+project.command("resolve <owner/repo>").description("deploy coords for a stage \u2014 for diagnosis. NOTE: /deploy-coords is OIDC-gated (a deploy job\u2019s id-token), so a gh-token CLI cannot read it from a dev machine").option("--stage <main|rc>", "deploy stage", "main").option("--json", "machine-readable output").action((_repoOrRepo, o) => {
+  const msg = "project resolve: deploy coords are served only to a deploy workflow (GitHub OIDC id-token, repo-scoped). A gh-token CLI on a dev machine cannot read /deploy-coords; inspect the DEPLOY# item via the AWS console / a master DDB read instead.";
+  if (o.json) {
+    console.log(JSON.stringify({ ok: false, stage: o.stage, error: msg }));
+    process.exitCode = 1;
+    return;
+  }
+  fail(msg);
+});
+project.command("set <owner/repo>").description("MASTER-ONLY: upsert a project META (idempotent merge; no clobber of unspecified fields)").option("--class <class>", "deployable | content").option("--var <KEY=VALUE...>", "META field to set (repeatable): name, division, projectId, branch, wikiRepo, vaultPath, kbPointer").option("--json", "machine-readable output").action(async (repoOrSlug, o) => {
+  const cfg = await loadConfig();
+  const slug = slugOf(repoOrSlug);
+  const patch = {};
+  if (o.class) {
+    if (o.class !== "deployable" && o.class !== "content") return fail("project set: --class must be deployable or content");
+    patch.class = o.class;
+  }
+  for (let i = 0; i < process.argv.length - 1; i++) {
+    if (process.argv[i] === "--var") {
+      const eq = process.argv[i + 1].indexOf("=");
+      if (eq > 0) patch[process.argv[i + 1].slice(0, eq)] = process.argv[i + 1].slice(eq + 1);
+    }
+  }
+  if (Object.keys(patch).length === 0) return fail("project set: nothing to set \u2014 pass --class and/or --var KEY=VALUE");
+  const res = await upsertProject(slug, patch, registryClientDeps(cfg));
+  reportWrite("project set", res);
+});
+var registry = program2.command("registry").description("the DDB org registry \u2014 org-level constants");
+registry.command("org").description("the org config (account id, region, orgProjectId, sagaApiUrl)").option("--json", "machine-readable output").action(async (_o) => {
+  const cfg = await loadConfig();
+  const org = await fetchOrgConfig(registryClientDeps(cfg));
+  if (!org) return fail("registry org: Hub API unreachable, unseeded, or this repo is not bootstrapped");
+  console.log(JSON.stringify(org));
+});
+var oauth = program2.command("oauth").description("per-repo Google OAuth \u2014 plan the canonical URI set, verify the client is port-agnostic");
+oauth.command("plan", { isDefault: true }).description("print the canonical JS origins + redirect URIs + SSM cred param names for this repo").option("--repo <owner/repo>", "slug source (defaults to the current repo)").option("--json", "machine-readable output").action(async (o) => {
+  const cfg = await loadConfig();
+  const slug = (o.repo ? o.repo.split("/").pop() : cfg.project ?? await repoSlug()).toLowerCase();
+  const meta = await fetchProjectBySlug(slug, registryClientDeps(cfg));
+  let oc;
+  try {
+    oc = parseOauthConfig(meta ?? {}, slug);
+  } catch (e) {
+    return fail(`oauth plan: ${e.message}`);
+  }
+  const origins = expectedJsOrigins(oc);
+  const redirects = expectedRedirectUris(oc);
+  const ssm = oauthSsmKeys();
+  if (o.json) {
+    console.log(JSON.stringify({ slug, oauth: oc, jsOrigins: origins, redirectUris: redirects, ssmKeys: ssm }, null, 2));
+    return;
+  }
+  console.log(`OAuth plan for ${slug} (callback ${oc.callbackPath}):
+`);
+  console.log("Authorized JavaScript origins:");
+  origins.forEach((u) => console.log(`  ${u}`));
+  console.log("\nAuthorized redirect URIs:");
+  redirects.forEach((u) => console.log(`  ${u}`));
+  console.log(`
+SSM cred params (under /mmi-future/${slug}/):`);
+  ssm.forEach((k) => console.log(`  ${k}`));
+  console.log("\nProvision/repair the Console client per docs/Guides/oauth-provision.md; creds via `mmi-cli secrets set`.");
+});
+oauth.command("verify").description("probe Google authorize with an arbitrary port (:9123) to confirm the client is port-agnostic").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--client-id <id>", "OAuth client_id (else read dev/GOOGLE_CLIENT_ID from SSM)").option("--json", "machine-readable output").action(async (o) => {
+  const cfg = await loadConfig();
+  const slug = (o.repo ? o.repo.split("/").pop() : cfg.project ?? await repoSlug()).toLowerCase();
+  const meta = await fetchProjectBySlug(slug, registryClientDeps(cfg));
+  let oc;
+  try {
+    oc = parseOauthConfig(meta ?? {}, slug);
+  } catch (e) {
+    return fail(`oauth verify: ${e.message}`);
+  }
+  let clientId = o.clientId;
+  if (!clientId) {
+    await withSecrets(async (d) => {
+      clientId = await fetchSecretValue(d, "dev/GOOGLE_CLIENT_ID", { repo: o.repo }) ?? void 0;
+    });
+  }
+  if (!clientId) {
+    return fail("oauth verify: no client_id (pass --client-id, or provision the repo so dev/GOOGLE_CLIENT_ID exists)");
+  }
+  const redirectUri = probeRedirectUri(oc.callbackPath);
+  let body = "";
+  try {
+    const res = await fetch(buildAuthorizeProbeUrl(clientId, redirectUri), { redirect: "follow" });
+    body = await res.text();
+  } catch (e) {
+    return fail(`oauth verify: probe request failed: ${e.message}`);
+  }
+  const mismatch = authorizeBodyHasMismatch(body);
+  if (o.json) {
+    console.log(JSON.stringify({ slug, redirectUri, portAgnostic: !mismatch }));
+  } else if (mismatch) {
+    console.error(`FAIL ${slug}: redirect_uri_mismatch for ${redirectUri} \u2014 client is not port-agnostic (run /oauth-provision)`);
+  } else {
+    console.log(`PASS ${slug}: ${redirectUri} accepted \u2014 port-agnostic OAuth is live`);
+  }
+  if (mismatch) process.exitCode = 1;
+});
 var issue = program2.command("issue").description("issues \u2014 reliable create with structured output");
 issue.command("create").description("create an issue (type \u2192 label) and print {number,url,label} JSON").requiredOption("--type <type>", "bug | feature | task (sets the matching label)").requiredOption("--title <title>", "issue title").requiredOption("--body <body>", "issue body (markdown)").requiredOption("--priority <priority>", "urgent | high | medium | low (label + board Priority field when configured)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--label <label...>", "extra label(s) to attach (repeatable; auto-created if missing)").option("--no-related", "skip the auto related-issues comment").action(async (o) => {
   let args;
@@ -5949,7 +6731,7 @@ pr.command("merge <number>").description("merge a PR (squash by default) and cle
 async function runBoardRead(o) {
   try {
     const report = await readBoard({
-      config: await loadConfig(),
+      config: await loadConfigOrDiscover(),
       repo: o.repo,
       includeBundleDetails: o.bundleDetails,
       allowPartial: o.allowPartial
@@ -5964,7 +6746,7 @@ board.command("read", { isDefault: true }).description("read the board and print
 board.command("claim <issue>").description("assign a Todo issue and move its Project v2 Status to In Progress").option("--json", "machine-readable output").option("--repo <owner/repo>", "current repo for local issue numbers (defaults to git origin)").option("--for <login>", "assign to this login instead of @me \u2014 agent claims on behalf of the master").option("--allow-partial", "return success JSON if assignment succeeds but the status move fails").action(async (issueRef, o) => {
   try {
     const result = await claimBoardIssue({
-      config: await loadConfig(),
+      config: await loadConfigOrDiscover(),
       selector: issueRef,
       repo: o.repo,
       assignee: o.for,
@@ -5978,7 +6760,7 @@ board.command("claim <issue>").description("assign a Todo issue and move its Pro
 });
 board.command("show <issue>").alias("open").description("print one board item (status, assignees, type, url) with its body and comments").option("--json", "machine-readable output").option("--repo <owner/repo>", "current repo for local issue numbers (defaults to git origin)").option("--allow-partial", "return the item even if its body/comments fetch fails").action(async (issueRef, o) => {
   try {
-    const item = await showBoardItem({ config: await loadConfig(), selector: issueRef, repo: o.repo, allowPartial: o.allowPartial });
+    const item = await showBoardItem({ config: await loadConfigOrDiscover(), selector: issueRef, repo: o.repo, allowPartial: o.allowPartial });
     console.log(o.json ? JSON.stringify(item) : renderBoardItem(item));
   } catch (e) {
     fail(`board show failed: ${e.message}`);
@@ -5989,7 +6771,7 @@ board.command("move <issue> <status>").description(`move a board item's Status t
     return fail(`board move failed: unknown status '${status}'; expected one of ${BOARD_STATUSES.join(", ")}`);
   }
   try {
-    const result = await moveBoardItem({ config: await loadConfig(), selector: issueRef, status, repo: o.repo, allowPartial: o.allowPartial });
+    const result = await moveBoardItem({ config: await loadConfigOrDiscover(), selector: issueRef, status, repo: o.repo, allowPartial: o.allowPartial });
     if (o.json) return console.log(JSON.stringify(result));
     console.log(result.partial ? `Partially moved ${result.item.ref}: ${result.warning}` : `Moved ${result.item.ref} -> ${result.status}`);
   } catch (e) {
@@ -5999,7 +6781,7 @@ board.command("move <issue> <status>").description(`move a board item's Status t
 board.command("backfill-priority").description("set board Priority from priority:* labels or issue timeline for items missing the field").option("--json", "machine-readable output").option("--repo <owner/repo>", "current repo (defaults to git origin)").option("--dry-run", "report what would be set without writing").option("--concurrency <n>", "parallel timeline reads (default 8)", "8").action(async (o) => {
   try {
     const result = await backfillBoardPriorities({
-      config: await loadConfig(),
+      config: await loadConfigOrDiscover(),
       repo: o.repo,
       dryRun: o.dryRun,
       concurrency: Number(o.concurrency) || 8
@@ -6015,7 +6797,7 @@ board.command("backfill-priority").description("set board Priority from priority
 });
 board.command("done <issue>").description("set a board item's Status to Done (does not close the GitHub issue; use `gh issue close`)").option("--json", "machine-readable output").option("--repo <owner/repo>", "current repo for local issue numbers (defaults to git origin)").option("--allow-partial", "return success JSON if the item resolves but the status move fails").action(async (issueRef, o) => {
   try {
-    const result = await moveBoardItem({ config: await loadConfig(), selector: issueRef, status: "Done", repo: o.repo, allowPartial: o.allowPartial });
+    const result = await moveBoardItem({ config: await loadConfigOrDiscover(), selector: issueRef, status: "Done", repo: o.repo, allowPartial: o.allowPartial });
     if (o.json) return console.log(JSON.stringify(result));
     console.log(result.partial ? `Partially moved ${result.item.ref}: ${result.warning}` : `Moved ${result.item.ref} -> Done`);
   } catch (e) {
@@ -6042,9 +6824,15 @@ function printLine(value) {
 function stageKeepAlive() {
   return setTimeout(() => void 0, 5 * 60 * 1e3);
 }
-program2.command("port-range <repo>").description("assign (idempotently) + print the repo's local stage port block from infra/port-ranges.json").option("--json", "machine-readable output").action((repo, o) => {
+program2.command("port-range <repo>").description("assign (idempotently) + print the repo's local stage port block via the atomic ORG#config.portCursor allocator (committed-file fallback)").option("--json", "machine-readable output").action(async (repo, o) => {
   const path = (0, import_node_path4.join)(process.cwd(), "infra", "port-ranges.json");
-  const [start, end] = ensurePortRange(repo, path);
+  const allocate = async (seed) => {
+    const { stdout } = await execFileP3("node", [(0, import_node_path4.join)(process.cwd(), "infra", "port-ddb.mjs"), String(seed)], { timeout: 15e3 });
+    const parsed = JSON.parse(stdout);
+    if (!Array.isArray(parsed.range) || parsed.range.length !== 2) throw new Error("port-ddb: no range in output");
+    return parsed.range;
+  };
+  const { range: [start, end] } = await ensurePortRangeAtomic(repo, path, allocate);
   printLine(o.json ? JSON.stringify({ repo, portRange: [start, end] }) : `${repo}: stage.portRange [${start}, ${end}]`);
 });
 var stage = program2.command("stage").description("plan or run the repo local stage environment").option("--json", "machine-readable output").option("--apply", "run the full local stage: stop previous, build, start, health-check").option("--timeout-ms <ms>", "bounded build/health timeout", "60000").action(async (o) => {
@@ -6129,9 +6917,14 @@ stage.command("run").description("force-stop previous stage, build, start, and h
     fail(`stage run: ${e.message}`);
   }
 });
+program2.command("stage-live").description("explain that remote rc/live environments use /rcand, /release, and /hotfix; /stage is local only").option("--json", "machine-readable output").option("--apply", "always refused; there is no stage-live mutation path").action((o) => {
+  if (o.apply) return fail("stage-live: not an org command; use mmi-cli stage for local tests, or the gated rc/release/hotfix train for remote environments");
+  const steps = stageLivePlan();
+  console.log(o.json ? JSON.stringify({ command: "stage-live", steps }, null, 2) : renderSteps("mmi-cli stage-live: not an org command", steps));
+});
 for (const commandName of ["rc", "release", "hotfix"]) {
   program2.command(commandName).description(`plan ${commandName} train operations; mutations require explicit approval`).option("--json", "machine-readable output").option("--apply", "reserved for future train execution after explicit admin approval").action((o) => {
-    if (o.apply) return fail(`${commandName}: execution is not implemented yet; use the dry-run plan and the existing /${commandName} skill`);
+    if (o.apply) return fail(`${commandName}: execution is not implemented yet; use the dry-run plan and the existing /${commandName === "rc" ? "rcand" : commandName} skill`);
     const steps = trainPlan(commandName);
     console.log(o.json ? JSON.stringify({ command: commandName, steps }, null, 2) : renderSteps(`mmi-cli ${commandName}: dry-run plan`, steps));
   });
@@ -6146,9 +6939,11 @@ var bootstrap = program2.command("bootstrap").description("plan repo bootstrap o
 bootstrap.command("verify <repo>").description("audit whether an existing repo is bootstrapped correctly; no mutations").option("--class <class>", "deployable | content", "deployable").option("--json", "machine-readable output").action(async (repo) => {
   const o = { class: rawValue("--class", "deployable"), json: rawFlag("--json") };
   if (o.class !== "deployable" && o.class !== "content") return fail("bootstrap verify: --class must be deployable or content");
+  const cfg = await loadConfig();
+  const apiProjects = await fetchProjectsJson({ baseUrl: cfg.sagaApiUrl, token: githubToken });
   const report = await verifyBootstrap(repo, o.class, {
     gh: async (args) => execFileP3("gh", args, { timeout: 2e4 }),
-    readLocalFile: (path) => (0, import_node_fs4.existsSync)(path) ? (0, import_node_fs4.readFileSync)(path, "utf8") : null
+    readLocalFile: (path) => path === "projects.json" && apiProjects != null ? apiProjects : (0, import_node_fs4.existsSync)(path) ? (0, import_node_fs4.readFileSync)(path, "utf8") : null
   });
   console.log(o.json ? JSON.stringify(report, null, 2) : renderBootstrapVerifyReport(report));
   if (!report.ok) process.exitCode = 1;
@@ -6178,12 +6973,17 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
     const resolved = { ...seed, target: seed.target.replace("{{REPO_SLUG}}", slug) };
     let exists = false;
     let sha;
+    let remoteContent = null;
     if (resolved.source !== "fanout") {
       try {
         const r = await gh(["api", `repos/${repo}/contents/${enc(resolved.target)}?ref=${baseBranch}`]);
         exists = true;
         try {
-          sha = JSON.parse(r.stdout).sha;
+          const parsed = JSON.parse(r.stdout);
+          sha = parsed.sha;
+          if (parsed.encoding === "base64" && typeof parsed.content === "string") {
+            remoteContent = Buffer.from(parsed.content, "base64").toString("utf8");
+          }
         } catch {
         }
       } catch {
@@ -6193,15 +6993,18 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
     const action = planSeedAction(resolved, exists);
     actions.push(action);
     if (o.execute && (action.action === "create" || action.action === "update")) {
-      const content = resolveSeedContent(resolved, vars, readFile2);
+      const isBlock = resolved.source === "managed-block";
+      const content = isBlock ? upsertManagedGitignoreBlock(remoteContent).content : resolveSeedContent(resolved, vars, readFile2);
       if (content == null) {
         applied.push(`skip ${resolved.target} (no resolvable content)`);
         continue;
       }
-      const missing = missingPlaceholders(content);
-      if (missing.length) {
-        applied.push(`skip ${resolved.target} (unfilled: ${missing.join(", ")} \u2014 pass --var)`);
-        continue;
+      if (!isBlock) {
+        const missing = missingPlaceholders(content);
+        if (missing.length) {
+          applied.push(`skip ${resolved.target} (unfilled: ${missing.join(", ")} \u2014 pass --var)`);
+          continue;
+        }
       }
       await gh(contentPutArgs(repo, resolved.target, content, baseBranch, action.action === "update" ? sha : void 0));
       applied.push(`${action.action} ${resolved.target}`);
@@ -6217,7 +7020,20 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
       }
     }
   }
-  if (o.json) console.log(JSON.stringify({ repo, class: o.class, execute: o.execute, actions, applied }, null, 2));
+  const ddbWrites = [];
+  const registerPayload = buildRegisterPayload(repo, o.class, vars);
+  if (o.execute) {
+    const cfg = await loadConfig();
+    const res = await registerProject(registerPayload, { baseUrl: cfg.sagaApiUrl, token: githubToken });
+    if (res.ok) {
+      ddbWrites.push({ slug: registerPayload.slug, action: "register", record: registerPayload });
+      applied.push(`ddb register ${registerPayload.slug}`);
+    } else {
+      const why = res.error ?? `HTTP ${res.status}${res.body?.error ? ` \u2014 ${res.body.error}` : ""}`;
+      applied.push(`ddb register ${registerPayload.slug} (failed: ${why})`);
+    }
+  }
+  if (o.json) console.log(JSON.stringify({ repo, class: o.class, execute: o.execute, actions, applied, ddbWrites }, null, 2));
   else {
     console.log(renderSeedPlan(actions));
     if (o.execute) console.log(`
@@ -6230,21 +7046,77 @@ access.command("audit").description("audit collaborator roles + train-branch pus
   const o = { json: rawFlag("--json"), repo: rawValue("--repo", ""), class: rawValue("--class", "deployable") };
   const deps = { gh: async (args) => execFileP3("gh", args, { timeout: 2e4 }) };
   let targets;
+  const cfg = await loadConfig();
+  const registryProjects = await fetchProjectsList(registryClientDeps(cfg));
   if (o.repo) {
     if (o.class !== "deployable" && o.class !== "content") return fail("access audit: --class must be deployable or content");
     targets = [{ repo: o.repo, class: o.class }];
   } else {
-    if (!(0, import_node_fs4.existsSync)("projects.json")) return fail("access audit: projects.json not found; run from the MMI-Hub repo root or pass --repo <owner/repo>");
+    const projectsJson = registryProjects ? JSON.stringify({ projects: registryProjects }) : (0, import_node_fs4.existsSync)("projects.json") ? (0, import_node_fs4.readFileSync)("projects.json", "utf8") : null;
+    if (!projectsJson) return fail("access audit: no project registry \u2014 Hub API unreachable and projects.json not found; run from the MMI-Hub repo root or pass --repo <owner/repo>");
     const fanoutJson = (0, import_node_fs4.existsSync)(".github/fanout-targets.json") ? (0, import_node_fs4.readFileSync)(".github/fanout-targets.json", "utf8") : null;
-    targets = loadAccessTargets((0, import_node_fs4.readFileSync)("projects.json", "utf8"), fanoutJson);
+    targets = loadAccessTargets(projectsJson, fanoutJson);
   }
-  const matrix = (0, import_node_fs4.existsSync)("access-matrix.json") ? loadAccessMatrix((0, import_node_fs4.readFileSync)("access-matrix.json", "utf8")) : {};
-  const report = await auditOrgAccess(targets, deps, matrix);
+  const derivedMatrix = registryProjects ? accessMatrixFromProjects(registryProjects) : {};
+  const matrix = Object.keys(derivedMatrix).length ? derivedMatrix : (0, import_node_fs4.existsSync)("access-matrix.json") ? loadAccessMatrix((0, import_node_fs4.readFileSync)("access-matrix.json", "utf8")) : {};
+  const derivedContracts = registryProjects ? dataAccessContractsFromProjects(registryProjects) : { consumers: {} };
+  const dataAccess = Object.keys(derivedContracts.consumers).length ? derivedContracts : (0, import_node_fs4.existsSync)("data-access-contracts.json") ? loadDataAccessContracts((0, import_node_fs4.readFileSync)("data-access-contracts.json", "utf8")) : void 0;
+  const report = await auditOrgAccess(targets, deps, matrix, dataAccess);
   console.log(o.json ? JSON.stringify(report, null, 2) : renderAccessReport(report));
   if (!report.ok) process.exitCode = 1;
 });
 var isWin = process.platform === "win32";
-program2.command("doctor").description("check onboarding gates (GitHub auth, mmi-cli on PATH, repo config, plugin git clone) and print fixes").option("--banner", "one-line resume summary; silent when all gates pass").option("--json", "machine-readable output").action(async (opts) => {
+var installedPluginsPath = () => (0, import_node_path4.join)((0, import_node_os.homedir)(), ".claude", "plugins", "installed_plugins.json");
+function readInstalledPlugins() {
+  try {
+    return JSON.parse((0, import_node_fs4.readFileSync)(installedPluginsPath(), "utf8"));
+  } catch {
+    return null;
+  }
+}
+function readClaudeSettings() {
+  try {
+    return JSON.parse((0, import_node_fs4.readFileSync)((0, import_node_path4.join)(process.cwd(), ".claude", "settings.json"), "utf8"));
+  } catch {
+    return null;
+  }
+}
+function existingMirrorRecord(file) {
+  const records = file?.plugins?.[MMI_PLUGIN_ID];
+  if (!Array.isArray(records) || records.length === 0) return void 0;
+  return records.find((r) => r.scope === "user") ?? records[0];
+}
+function writeProjectInstallRecord(record) {
+  try {
+    const file = readInstalledPlugins() ?? { version: 2, plugins: {} };
+    if (!file.plugins) file.plugins = {};
+    const list = file.plugins[MMI_PLUGIN_ID] ?? [];
+    list.push(record);
+    file.plugins[MMI_PLUGIN_ID] = list;
+    (0, import_node_fs4.writeFileSync)(installedPluginsPath(), `${JSON.stringify(file, null, 2)}
+`, "utf8");
+    return true;
+  } catch {
+    return false;
+  }
+}
+var gitignorePath = () => (0, import_node_path4.join)(process.cwd(), ".gitignore");
+function readGitignore() {
+  try {
+    return (0, import_node_fs4.readFileSync)(gitignorePath(), "utf8");
+  } catch {
+    return null;
+  }
+}
+function writeGitignore(content) {
+  try {
+    (0, import_node_fs4.writeFileSync)(gitignorePath(), content, "utf8");
+    return true;
+  } catch {
+    return false;
+  }
+}
+program2.command("doctor").description("check onboarding gates (GitHub auth, mmi-cli on PATH, repo config, plugin git clone, plugin install record, .gitignore managed block) and print fixes").option("--banner", "one-line resume summary; silent when all gates pass").option("--json", "machine-readable output").action(async (opts) => {
   const checks = [];
   const login = await githubLogin();
   let ghInstalled = true;
@@ -6276,6 +7148,7 @@ program2.command("doctor").description("check onboarding gates (GitHub auth, mmi
   checks.push(versionReport);
   const cfg = await loadConfig();
   checks.push({ ok: Boolean(cfg.sagaApiUrl), label: "repo config (.mmi/config.json)", fix: "ask a master-admin to run /bootstrap on this repo" });
+  checks.push(buildAwsCrossAccountCheck({ callerArn: await awsCallerArn() }));
   const REWRITE_KEY = "url.https://github.com/.insteadOf";
   const CLONE_FIX = 'run: git config --global url."https://github.com/".insteadOf "git@github.com:"';
   let cloneOk = false;
@@ -6293,6 +7166,29 @@ program2.command("doctor").description("check onboarding gates (GitHub auth, mmi
     }
   }
   checks.push({ ok: cloneOk, label: "plugin git clone (SSH\u2192HTTPS rewrite)", fix: CLONE_FIX });
+  const installed = readInstalledPlugins();
+  let pluginCheck = buildPluginInstallRecordCheck({
+    isOrgRepo: Boolean(cfg.sagaApiUrl),
+    settings: readClaudeSettings(),
+    installed,
+    projectPath: process.cwd(),
+    mirrorFrom: existingMirrorRecord(installed)
+  });
+  if (!pluginCheck.ok && pluginCheck.recordToInsert && !opts.json) {
+    if (writeProjectInstallRecord(pluginCheck.recordToInsert)) {
+      pluginCheck = { ...pluginCheck, ok: true };
+      if (!opts.banner) console.error("  \u21BB repaired: registered mmi@mmi project install record \u2014 run /reload-plugins to load it this session");
+    }
+  }
+  checks.push(pluginCheck);
+  let gitignoreCheck = buildGitignoreManagedBlockCheck({ isOrgRepo: Boolean(cfg.sagaApiUrl), content: readGitignore() });
+  if (!gitignoreCheck.ok && gitignoreCheck.contentToWrite && !opts.json) {
+    if (writeGitignore(gitignoreCheck.contentToWrite)) {
+      gitignoreCheck = { ...gitignoreCheck, ok: true };
+      if (!opts.banner) console.error("  \u21BB repaired: enforced .gitignore managed block (.playwright-mcp/, .claude/worktrees/, /*.png)");
+    }
+  }
+  checks.push(gitignoreCheck);
   const gaps = checks.filter((c) => !c.ok);
   if (opts.json) {
     console.log(JSON.stringify({ ok: gaps.length === 0, checks }, null, 2));