@mutmutco/cli 2.11.0 → 2.13.0

package/dist/index.cjs

@@ -3392,9 +3392,9 @@ function useColor() {
 var program = new Command();
 
 // src/index.ts
-var import_promises = require("node:fs/promises");
-var import_node_fs5 = require("node:fs");
-var import_node_crypto = require("node:crypto");
+var import_promises2 = require("node:fs/promises");
+var import_node_fs6 = require("node:fs");
+var import_node_crypto3 = require("node:crypto");
 
 // src/rules-sync.ts
 function normalizeEol(s) {
@@ -3468,6 +3468,25 @@ async function runSessionStart(parallel, sequential, io) {
   for (const lines of buffered) flush(lines, io);
   for (const step of sequential) flush(await runBufferedStep(step), io);
 }
+function buildSessionStartPlan(verbs) {
+  return {
+    parallel: [
+      { name: "rules sync", run: verbs.rulesSync },
+      { name: "saga show", run: verbs.sagaShow },
+      { name: "saga health", run: verbs.sagaHealth }
+    ],
+    sequential: [{ name: "doctor", run: verbs.doctor }]
+  };
+}
+function spawnDetachedSelf(args, deps) {
+  try {
+    deps.spawn(deps.execPath, [deps.scriptPath, ...args], { detached: true, stdio: "ignore", windowsHide: true }).unref();
+  } catch {
+  }
+}
+function northstarPointer() {
+  return "North Stars: run `mmi-cli northstar relevant` to load plans relevant to your task (`northstar list` for all).";
+}
 
 // src/saga-capture.ts
 function parseHookInput(stdin) {
@@ -3482,8 +3501,8 @@ function parseHookInput(stdin) {
 // src/index.ts
 var import_node_child_process6 = require("node:child_process");
 var import_node_util6 = require("node:util");
-var import_node_path5 = require("node:path");
-var import_node_os = require("node:os");
+var import_node_path7 = require("node:path");
+var import_node_os3 = require("node:os");
 
 // src/saga-head-maintainer.ts
 var import_node_child_process2 = require("node:child_process");
@@ -3608,6 +3627,12 @@ async function runHeadEngine(prompt, timeoutMs = HEAD_ENGINE_TIMEOUT_MS) {
   });
 }
 
+// src/gh-create.ts
+var import_promises = require("node:fs/promises");
+var import_node_os = require("node:os");
+var import_node_path3 = require("node:path");
+var import_node_crypto = require("node:crypto");
+
 // src/board-priority.ts
 var BOARD_PRIORITY_NAMES = ["Urgent", "High", "Medium", "Low"];
 var CLI_PRIORITIES = ["urgent", "high", "medium", "low"];
@@ -3646,6 +3671,11 @@ function recoverPriorityFromEvents(events) {
 
 // src/gh-create.ts
 var ISSUE_TYPES = ["bug", "feature", "task"];
+var GH_MUTATION_TIMEOUT_MS = 12e4;
+function timeoutKillNote(err, timeoutMs) {
+  if (typeof err !== "object" || err === null || !err.killed) return void 0;
+  return `killed at the ${timeoutMs}ms timeout \u2014 the write may have completed server-side; verify before retrying`;
+}
 function normalizePriority(priority) {
   const p = priority.trim().toLowerCase();
   if (!CLI_PRIORITIES.includes(p)) {
@@ -3673,6 +3703,24 @@ function buildIssueArgs({ type, title, body, priority, repo, labels }) {
   for (const label of labels ?? []) args.push("--label", label);
   return args;
 }
+async function bodyArgsViaFile(args, deps = {}) {
+  const i = args.indexOf("--body");
+  if (i === -1 || i + 1 >= args.length) return { args, cleanup: async () => {
+  } };
+  const write = deps.write ?? import_promises.writeFile;
+  const remove = deps.remove ?? import_promises.unlink;
+  const file = (0, import_node_path3.join)(deps.dir ?? (0, import_node_os.tmpdir)(), `mmi-gh-body-${process.pid}-${(0, import_node_crypto.randomBytes)(4).toString("hex")}.md`);
+  await write(file, args[i + 1], "utf8");
+  return {
+    args: [...args.slice(0, i), "--body-file", file, ...args.slice(i + 2)],
+    cleanup: async () => {
+      try {
+        await remove(file);
+      } catch {
+      }
+    }
+  };
+}
 function buildAddToProjectArgs(projectId, contentId) {
   if (!projectId) throw new Error("addToProject: projectId is required");
   if (!contentId) throw new Error("addToProject: contentId is required");
@@ -3779,10 +3827,10 @@ function defaultHubUrl() {
 function buildHealth(i) {
   const problems = [];
   if (!i.sagaApiUrl) problems.push("Hub API URL not configured");
-  if (!i.identity) problems.push("no GitHub identity (gh auth token / GH_TOKEN)");
+  if (!i.identity) problems.push("no Hub session identity (run `gh auth login`, then retry)");
   if (!i.reachable) problems.push("saga backend unreachable");
   if (i.reachable && i.livenessStatus === 403 && i.livenessMessage === "Forbidden") {
-    problems.push("saga API route-level 403 from GitHubAuthorizer cache/policy");
+    problems.push("saga API route-level 403 from HubSessionAuthorizer/session policy");
   }
   if (i.reachable && i.authorized === false) problems.push("saga backend rejected authenticated state access");
   if (!i.key.sessionId || i.key.sessionId === "-") problems.push("unsafe session id");
@@ -3811,9 +3859,35 @@ function resumeCue() {
   return '> STATUS/RESUME CUE \u2014 For any status, resume, or "where do I stand" report: read THIS saga HEAD first (`mmi-cli saga show`), then reconcile its NEXT / LAST 5 / DECISIONS against the live board + git/gh before reporting. Do not rebuild the picture from board/issues/memory while skipping the HEAD. PRECEDENCE: the HEAD is prior-session belief and MAY BE SUPERSEDED \u2014 the current live user/master instruction WINS over any conflicting HEAD anchor, NEXT, or checklist; follow the live instruction and treat the stale HEAD item as superseded.';
 }
 
+// src/fetch-retry.ts
+async function fetchWithRetry(fetchImpl, url, init, opts = {}) {
+  const attempts = opts.attempts ?? 3;
+  const baseDelayMs = opts.baseDelayMs ?? 250;
+  const retryOn = opts.retryOn ?? ((res) => res.status >= 500);
+  const sleep = opts.sleep ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
+  let lastErr;
+  for (let i = 0; i < attempts; i++) {
+    const isLast = i === attempts - 1;
+    const attemptInit = opts.timeoutMs ? { ...init, signal: AbortSignal.timeout(opts.timeoutMs) } : init;
+    try {
+      const res = await fetchImpl(url, attemptInit);
+      if (!isLast && retryOn(res)) {
+        await sleep(baseDelayMs * 2 ** i);
+        continue;
+      }
+      return res;
+    } catch (e) {
+      lastErr = e;
+      if (isLast) throw e;
+      await sleep(baseDelayMs * 2 ** i);
+    }
+  }
+  throw lastErr;
+}
+
 // src/saga-note.ts
 var AGENT_SURFACE_TOKENS = ["claude", "codex", "cursor", "gemini"];
-var ROUTE_LEVEL_403 = "saga API route-level 403 from GitHubAuthorizer cache/policy";
+var ROUTE_LEVEL_403 = "saga API route-level 403 from HubSessionAuthorizer/session policy";
 function agentSurface(env = process.env) {
   const surface = env.MMI_AGENT_SURFACE?.trim() || (env.CODEX_THREAD_ID?.trim() && !env.CLAUDE_SESSION_ID?.trim() ? "codex" : "claude");
   if (AGENT_SURFACE_TOKENS.includes(surface)) return surface;
@@ -3990,6 +4064,72 @@ Related work discovered by mmi-cli:
 ${lines.join("\n")}`;
 }
 
+// src/sub-issue.ts
+function parseIssueRef(ref) {
+  const trimmed = ref.trim();
+  const url = trimmed.match(/^https:\/\/github\.com\/([^/]+\/[^/]+)\/issues\/(\d+)$/i);
+  if (url) return { repo: url[1], number: Number(url[2]) };
+  const qualified = trimmed.match(/^([^/\s#]+\/[^/\s#]+)#(\d+)$/);
+  if (qualified) return { repo: qualified[1], number: Number(qualified[2]) };
+  const bare = trimmed.match(/^#?(\d+)$/);
+  if (bare) return { number: Number(bare[1]) };
+  throw new Error(`invalid issue reference "${ref}" \u2014 expected #123, 123, owner/repo#123, or an issue URL`);
+}
+function buildResolveIdArgs(ref) {
+  const args = ["issue", "view", String(ref.number), "--json", "id", "--jq", ".id"];
+  if (ref.repo) args.push("--repo", ref.repo);
+  return args;
+}
+function buildAddSubIssueArgs(parentId, subIssueId) {
+  if (!parentId) throw new Error("addSubIssue: parentId is required");
+  if (!subIssueId) throw new Error("addSubIssue: subIssueId is required");
+  return [
+    "api",
+    "graphql",
+    "-f",
+    "query=mutation($p:ID!,$c:ID!){addSubIssue(input:{issueId:$p,subIssueId:$c}){issue{number subIssues{totalCount}} subIssue{number}}}",
+    "-f",
+    `p=${parentId}`,
+    "-f",
+    `c=${subIssueId}`
+  ];
+}
+function parseAddSubIssueResult(stdout) {
+  try {
+    const issue2 = JSON.parse(stdout)?.data?.addSubIssue;
+    const parentNumber = issue2?.issue?.number;
+    const subIssueNumber = issue2?.subIssue?.number;
+    const totalCount = issue2?.issue?.subIssues?.totalCount;
+    if (typeof parentNumber !== "number" || typeof subIssueNumber !== "number") return void 0;
+    return { parentNumber, subIssueNumber, totalCount: typeof totalCount === "number" ? totalCount : 0 };
+  } catch {
+    return void 0;
+  }
+}
+var RESOLVE_ID_TIMEOUT_MS = 1e4;
+async function resolveIssueNodeId(runGh, ref, fallbackRepo) {
+  const resolved = ref.repo ? ref : { ...ref, repo: fallbackRepo };
+  const id = (await runGh(buildResolveIdArgs(resolved), RESOLVE_ID_TIMEOUT_MS)).trim();
+  if (!id) throw new Error(`could not resolve node id for issue #${ref.number}${resolved.repo ? ` in ${resolved.repo}` : ""}`);
+  return id;
+}
+async function linkSubIssue(runGh, parentRef, childRef, defaultRepo) {
+  const parent = parseIssueRef(parentRef);
+  const child = parseIssueRef(childRef);
+  const parentId = await resolveIssueNodeId(runGh, parent, defaultRepo);
+  const subIssueId = await resolveIssueNodeId(runGh, child, defaultRepo);
+  const stdout = await runGh(buildAddSubIssueArgs(parentId, subIssueId), GH_MUTATION_TIMEOUT_MS);
+  const result = parseAddSubIssueResult(stdout);
+  if (!result) throw new Error(`addSubIssue returned an unexpected response:
+${stdout.trim() || "(empty)"}`);
+  return result;
+}
+function parentLinkFields(result, error) {
+  if (result) return { parent: result };
+  if (error) return { parentLinkError: error };
+  return {};
+}
+
 // src/report.ts
 var HUB_REPO = "mutmutco/MMI-Hub";
 var REPORT_LABEL = "report";
@@ -4923,6 +5063,99 @@ function parseWorktreePorcelain(stdout) {
 function samePath(a, b) {
   return a.replace(/\\/g, "/").replace(/\/+$/, "").toLowerCase() === b.replace(/\\/g, "/").replace(/\/+$/, "").toLowerCase();
 }
+function normPath(p) {
+  return p.replace(/\\/g, "/").replace(/\/+$/, "").toLowerCase();
+}
+function parseComposeLs(stdout) {
+  const text = stdout.trim();
+  if (!text) return [];
+  const rows = [];
+  const pushIfObject = (v) => {
+    if (v && typeof v === "object" && !Array.isArray(v)) rows.push(v);
+  };
+  try {
+    const parsed = JSON.parse(text);
+    if (Array.isArray(parsed)) parsed.forEach(pushIfObject);
+    else pushIfObject(parsed);
+  } catch {
+    for (const line of text.split(/\r?\n/)) {
+      const trimmed = line.trim();
+      if (!trimmed) continue;
+      try {
+        pushIfObject(JSON.parse(trimmed));
+      } catch {
+      }
+    }
+  }
+  return rows.map((row) => {
+    const name = typeof row.Name === "string" ? row.Name.trim() : "";
+    if (!name) return null;
+    const raw = typeof row.ConfigFiles === "string" ? row.ConfigFiles : "";
+    const configFiles = raw.split(",").map((f) => f.trim()).filter(Boolean);
+    return { name, configFiles };
+  }).filter((p) => Boolean(p));
+}
+function selectWorktreeComposeProjects(worktreePath, projects) {
+  const root = normPath(worktreePath);
+  if (!root) return [];
+  const names = [];
+  for (const project2 of projects) {
+    const inside = project2.configFiles.some((file) => {
+      const f = normPath(file);
+      return f === root || f.startsWith(`${root}/`);
+    });
+    if (inside && !names.includes(project2.name)) names.push(project2.name);
+  }
+  return names;
+}
+function deriveComposeProjectName(worktreePath) {
+  const norm = normPath(worktreePath);
+  if (!norm) return void 0;
+  const base = norm.slice(norm.lastIndexOf("/") + 1);
+  const name = base.replace(/[^a-z0-9_-]+/g, "_").replace(/^[^a-z0-9]+/, "");
+  return name || void 0;
+}
+function planWorktreeComposeTeardown(worktreePath, discovered, hasStageState) {
+  const names = [...discovered];
+  if (!hasStageState && discovered.length === 0) return names;
+  const recovery = deriveComposeProjectName(worktreePath);
+  if (recovery && !names.includes(recovery)) names.push(recovery);
+  return names;
+}
+async function runWorktreeStageTeardown(worktreePath, deps) {
+  const hasStageState = deps.hasStageState(worktreePath);
+  const stoppedPid = hasStageState ? await deps.stopRecordedStage(worktreePath).catch(() => void 0) : void 0;
+  let discovered;
+  try {
+    discovered = selectWorktreeComposeProjects(worktreePath, await deps.listComposeProjects());
+  } catch {
+    return { status: stoppedPid != null ? "torn-down" : "none", stoppedPid };
+  }
+  const projects = planWorktreeComposeTeardown(worktreePath, discovered, hasStageState);
+  const brought = [];
+  const failed = [];
+  const errors = [];
+  for (const project2 of projects) {
+    try {
+      await deps.composeDown(project2);
+      brought.push(project2);
+    } catch (e) {
+      failed.push(project2);
+      errors.push(`docker compose -p ${project2} down -v: ${errorMessage(e)}`);
+    }
+  }
+  if (failed.length) {
+    return {
+      status: "failed",
+      stoppedPid,
+      composeProjects: brought.length ? brought : void 0,
+      failedProjects: failed,
+      error: errors.join("; ")
+    };
+  }
+  if (stoppedPid == null && brought.length === 0) return { status: "none" };
+  return { status: "torn-down", stoppedPid, composeProjects: brought.length ? brought : void 0 };
+}
 function selectPrMergeCleanupWorktree(branch, before, after, startingPath) {
   if (!branch) return void 0;
   const current = after.find((w) => w.branch === branch)?.path;
@@ -4968,15 +5201,24 @@ async function cleanupPrMergeLocalBranch(branch, options) {
   const safeCwd = selectSafeWorktreeCwd([...afterWorktrees, ...beforeWorktrees], wtPath);
   const git = (args) => safeCwd ? options.execGit(["-C", safeCwd, ...args]) : options.execGit(args);
   if (wtPath) {
+    let stageTeardown;
+    if (options.teardownWorktreeStage) {
+      try {
+        stageTeardown = await options.teardownWorktreeStage(wtPath);
+      } catch (e) {
+        stageTeardown = { status: "failed", error: errorMessage(e) };
+      }
+    }
     try {
       await git(["worktree", "remove", "--force", wtPath]);
-      report.worktree = { path: wtPath, status: "removed" };
+      report.worktree = { path: wtPath, status: "removed", stageTeardown };
     } catch (e) {
       report.worktree = {
         path: wtPath,
         status: "failed",
         error: errorMessage(e),
-        safeCleanupCommand: safeWorktreeRemoveCommand(safeCwd, wtPath)
+        safeCleanupCommand: safeWorktreeRemoveCommand(safeCwd, wtPath),
+        stageTeardown
       };
       report.localBranch = { name: branch, status: "not-attempted", reason: "worktree-removal-failed" };
       return report;
@@ -5026,14 +5268,28 @@ function formatGcPlan(plan2, apply) {
 }
 
 // src/command-plans.ts
-function stagePlan(stage2 = {}) {
+function stagePlan(stage2 = {}, stops = true) {
   return [
-    { label: "force-kill previous local stage", command: "mmi-cli stage stop --apply" },
+    ...stops ? [{ label: "force-kill previous local stage", command: "mmi-cli stage stop --apply" }] : [],
     { label: "run local build", command: stage2.build || "(no stage.build configured)" },
     { label: "start local stage", command: stage2.up || "(no stage.up configured)" },
     { label: "check health", command: stage2.healthUrl ? `curl --fail ${stage2.healthUrl}` : "(no stage.healthUrl configured)" }
   ];
 }
+function derivedStagePlan(derived, shell2, stops = true) {
+  const { port } = derived;
+  const envOrder = ["MMI_STAGE", "MMI_PORT", "PORT", "COMPOSE_PROFILES"];
+  const resolved = { MMI_STAGE: "development", MMI_PORT: String(port), PORT: String(port), COMPOSE_PROFILES: "local" };
+  const ensureEnv = shell2 === "powershell" ? `if (-not (Test-Path -LiteralPath '.env')) { Copy-Item -LiteralPath '.env.example' -Destination '.env' }` : `[ -f .env ] || cp .env.example .env`;
+  const up = shell2 === "powershell" ? `${envOrder.map((k) => `$env:${k}='${resolved[k]}'`).join("; ")}; docker compose up -d --build` : `${envOrder.map((k) => `${k}=${resolved[k]}`).join(" ")} docker compose up -d --build`;
+  const health = shell2 === "powershell" ? `curl.exe --fail ${derived.url}` : `curl --fail ${derived.url}`;
+  return [
+    ...stops ? [{ label: "force-kill previous local stage", command: "mmi-cli stage stop --apply" }] : [],
+    { label: "bootstrap .env from .env.example", command: ensureEnv },
+    { label: `start local stage on port ${port} (registry portRange)`, command: up },
+    { label: `check health at ${derived.url}`, command: health }
+  ];
+}
 function stageLivePlan() {
   return [
     { label: "stage-live is not an org command; /stage is local only", command: "mmi-cli stage run --apply" },
@@ -5049,7 +5305,8 @@ function trainPlan(command) {
       { label: "preflight required rc secret names", command: "mmi-cli secrets preflight --stage rc --repo <owner/repo>", gated: true },
       { label: "for Hub distribution changes, verify the release bump is already landed before touching rc", command: "node scripts/release-distribution.mjs verify <release-tag> --skip-npm-view", gated: true },
       { label: "merge development to rc", gated: true },
-      { label: "trigger the deploy path for this repo model", command: "tenant-container: gh workflow run tenant-deploy.yml ...; hub-serverless: no manual dispatch, deploy.yml auto-fires on rc push", gated: true }
+      { label: "trigger the deploy path for this repo model, returning the Hub Actions run id/url (and, with --watch, its outcome)", command: "tenant-container: gh workflow run tenant-deploy.yml ... then gh run list/watch; hub-serverless: no manual dispatch, deploy.yml auto-fires on rc push", gated: true },
+      { label: "after a failed deploy, retry the existing rc ref (no re-tag/merge)", command: "mmi-cli tenant redeploy <owner/repo> rc --watch", gated: true }
     ];
   }
   if (command === "release") {
@@ -5061,7 +5318,7 @@ function trainPlan(command) {
       { label: "merge rc to main", gated: true },
       { label: "for Hub distribution changes, verify the promoted SHA carries the release bump", command: "node scripts/release-distribution.mjs verify <release-tag> --skip-npm-view", gated: true },
       { label: "tag release and publish GitHub Release", gated: true },
-      { label: "trigger the deploy path for this repo model", command: "tenant-container: gh workflow run tenant-deploy.yml ...; hub-serverless: no manual dispatch, deploy.yml + publish.yml auto-fire on the release", gated: true },
+      { label: "trigger the deploy path for this repo model, returning the Hub Actions run id/url (and, with --watch, its outcome)", command: "tenant-container: gh workflow run tenant-deploy.yml ... then gh run list/watch; hub-serverless: no manual dispatch, deploy.yml + publish.yml auto-fire on the release", gated: true },
       { label: "roll development forward", gated: true }
     ];
   }
@@ -5086,6 +5343,114 @@ function bootstrapPlan(repo, repoClass) {
   ];
 }
 
+// src/stage-default.ts
+function shellFor(platform = process.platform) {
+  return platform === "win32" ? "powershell" : "bash";
+}
+function deriveStageGap(inputs) {
+  const missing = [];
+  if (inputs.deployModel !== "tenant-container") {
+    return `local stage default applies to tenant-container repos only (registry deployModel = ${inputs.deployModel ?? "unset"})`;
+  }
+  if (!inputs.hasCompose) missing.push("docker-compose.yml");
+  if (!inputs.hasEnvExample) missing.push(".env.example");
+  if (!inputs.portRange) missing.push("Hub registry portRange");
+  return missing.length ? `cannot derive a default local stage \u2014 missing: ${missing.join(", ")}` : null;
+}
+function deriveStage(inputs) {
+  if (deriveStageGap(inputs) || !inputs.portRange) return null;
+  const port = inputs.portRange[0];
+  const config = {
+    up: "docker compose up -d --build",
+    healthUrl: "http://127.0.0.1:$STAGE_PORT/",
+    // A generic compose app's landing route is unknown (e.g. MM-Website serves /tr/), so "the server
+    // answered" — any HTTP status — is the health signal, not a 2xx on the bare root.
+    healthAnyStatus: true,
+    portRange: inputs.portRange,
+    ensureEnv: { example: ".env.example", target: ".env" },
+    env: {
+      MMI_STAGE: "development",
+      MMI_PORT: "$STAGE_PORT",
+      PORT: "$STAGE_PORT",
+      COMPOSE_PROFILES: "local"
+    }
+  };
+  return { config, port, url: stageUrlForPort(port) };
+}
+function stageUrlForPort(port) {
+  return `http://127.0.0.1:${port}/`;
+}
+var POSIX_ONLY = [
+  /(^|[^&|])&&([^&]|$)/,
+  // && chaining (cmd.exe uses it too, but PowerShell <7 / the typical agent shell does not)
+  /\|\|/,
+  // || chaining
+  // `VAR=value cmd` LEADING env prefix only — anchored to a command boundary (start-of-string or after a
+  // ; & | separator) so it never fires on a flag value mid-command (`-e DEBUG=true app`, `--env X=y svc`),
+  // which are valid cross-shell. The value excludes separators so it can't span past the command boundary.
+  /(?:^|[;&|])\s*[A-Za-z_][A-Za-z0-9_]*=[^\s;&|]+\s+\S/,
+  /(^|[\s;&|])(cp|rm|mv|ln|cat|touch|export)\s/
+  // bare POSIX file/env builtins
+];
+function looksPosixOnly(command) {
+  if (!command?.trim()) return false;
+  return POSIX_ONLY.some((re) => re.test(command));
+}
+function stalePosixFields(config, shell2) {
+  if (shell2 !== "powershell") return [];
+  const fields = [];
+  if (looksPosixOnly(config?.build)) fields.push("build");
+  if (looksPosixOnly(config?.up)) fields.push("up");
+  return fields;
+}
+function sanitizeLocalStage(local, stale) {
+  if (!stale.length) return local;
+  const clean2 = { ...local };
+  for (const field of stale) delete clean2[field];
+  return clean2;
+}
+function staleNote(staleFields, outcome) {
+  const list = staleFields.join(", ");
+  const plural = staleFields.length > 1 ? "fields" : "field";
+  return `local .mmi stage ${plural} ${list} ${staleFields.length > 1 ? "are" : "is"} POSIX-only and unusable on PowerShell \u2014 ${outcome}`;
+}
+function decideStage(inputs) {
+  const { local, shell: shell2, registry: registry2, hasCompose, hasEnvExample } = inputs;
+  const staleFields = stalePosixFields(local, shell2);
+  const stale = staleFields.length > 0;
+  const upStale = staleFields.includes("up");
+  if (local?.up?.trim() && !upStale) {
+    if (!stale) return { source: "local", config: local };
+    return {
+      source: "local",
+      config: sanitizeLocalStage(local, staleFields),
+      staleIgnored: true,
+      staleFields,
+      gap: staleNote(staleFields, `kept the cross-shell parts of the local recipe and ignored ${staleFields.join(", ")}`)
+    };
+  }
+  const deriveInputs = {
+    portRange: registry2.portRange,
+    deployModel: registry2.deployModel,
+    hasCompose,
+    hasEnvExample
+  };
+  const derived = deriveStage(deriveInputs);
+  if (derived) {
+    return {
+      source: "derived",
+      derived,
+      registryError: registry2.error,
+      staleIgnored: stale || void 0,
+      staleFields: stale ? staleFields : void 0
+    };
+  }
+  const registryGap = registry2.error ? `Hub registry read failed (${registry2.error}) \u2014 cannot derive a default local stage` : null;
+  const baseGap = registryGap ?? deriveStageGap(deriveInputs);
+  const gap = stale ? `local .mmi stage recipe is POSIX-only (${staleFields.join(", ")}) and unusable on PowerShell; ${baseGap ?? "no registry-derived default available"}` : baseGap ?? "no stage.up configured and no registry-derived default available";
+  return { source: "none", gap, staleIgnored: stale || void 0, staleFields: stale ? staleFields : void 0, registryError: registry2.error };
+}
+
 // src/bootstrap-seeds.ts
 var PLACEHOLDER_RE = /\{\{([A-Z0-9_]+)\}\}/g;
 function loadBootstrapSeeds(manifestJson) {
@@ -5130,6 +5495,7 @@ var MANAGED_GITIGNORE_LINES = [
   ".claude/worktrees/",
   ".mmi/.session",
   ".mmi/head-ts/",
+  ".aws-sam/",
   "/*.png"
 ];
 function renderManagedGitignoreBlock() {
@@ -5163,6 +5529,23 @@ ${block}
   }
   return { content: next, changed: src !== next };
 }
+function diffManagedGitignoreBlock(current) {
+  const lines = (current ?? "").replace(/\r\n/g, "\n").split("\n");
+  const beginAt = lines.findIndex((l) => l === GITIGNORE_MANAGED_BEGIN);
+  const endAt = beginAt === -1 ? -1 : lines.findIndex((l, i) => i > beginAt && l === GITIGNORE_MANAGED_END);
+  const hasMarker = beginAt !== -1 || lines.some((l) => l === GITIGNORE_MANAGED_END);
+  if (!hasMarker) return { added: [], removed: [], seeded: true };
+  const wellOrdered = beginAt !== -1 && endAt !== -1;
+  if (!wellOrdered) return { added: [], removed: [], seeded: false };
+  const isRule = (l) => l.trim() !== "" && !l.trim().startsWith("#");
+  const oldBody = lines.slice(beginAt + 1, endAt).filter(isRule);
+  const newBody = MANAGED_GITIGNORE_LINES.filter(isRule);
+  return {
+    added: newBody.filter((l) => !oldBody.includes(l)),
+    removed: oldBody.filter((l) => !newBody.includes(l)),
+    seeded: false
+  };
+}
 
 // src/doctor.ts
 var GH_PROJECT_LOGIN_FIX = 'run: gh auth login --hostname github.com --git-protocol https --web --scopes "project"';
@@ -5193,7 +5576,7 @@ function buildAwsCrossAccountCheck(input) {
 var MMI_PLUGIN_ID = "mmi@mmi";
 var PLUGIN_LABEL = "plugin install record (mmi@mmi for this project)";
 function pluginInstallManualFix(projectPath, surface = "claude-cli") {
-  const register = surface === "codex" ? `\`codex plugin add ${MMI_PLUGIN_ID}\`` : surface === "shell" ? `enable the MMI plugin in your client` : surface === "claude-vscode" ? `\`claude plugin enable ${MMI_PLUGIN_ID}\`` : `\`/plugin install ${MMI_PLUGIN_ID}\``;
+  const register = surface === "codex" ? `\`codex plugin add ${MMI_PLUGIN_ID}\`` : surface === "cursor" ? `import the MMI Team Marketplace in Cursor Dashboard \u2192 Settings \u2192 Plugins (or enable the MMI plugin from the marketplace panel)` : surface === "shell" ? `enable the MMI plugin in your client` : surface === "claude-vscode" ? `\`claude plugin enable ${MMI_PLUGIN_ID}\`` : `\`/plugin install ${MMI_PLUGIN_ID}\``;
   return `run ${register} then ${reloadAction(surface)} to register the install record for ${projectPath}`;
 }
 function isMmiPluginEnabled(settings) {
@@ -5248,6 +5631,9 @@ function bestRecord(records) {
   });
 }
 function pluginConfigDriftFix(pluginId, surface = "claude-cli") {
+  if (surface === "cursor") {
+    return `\`${pluginId}\` is registered through Cursor's Team Marketplace \u2014 refresh it in Dashboard \u2192 Settings \u2192 Plugins (Cursor manages its own plugin records; mmi-cli cannot rewrite them), then ${reloadAction(surface)}`;
+  }
   const file = surface === "codex" ? "~/.codex/plugins/installed_plugins.json" : "~/.claude/plugins/installed_plugins.json";
   return `\`${pluginId}\` has duplicate install rows or stale gitCommitSha in ${file} \u2014 run \`mmi-cli doctor\` interactively to collapse them to one user-scope row (a .bak backup is written first), then ${reloadAction(surface)}`;
 }
@@ -5289,7 +5675,8 @@ function buildGitignoreManagedBlockCheck(input) {
   if (!input.isOrgRepo) return base;
   const { content, changed } = upsertManagedGitignoreBlock(input.content);
   if (!changed) return base;
-  return { ...base, ok: false, contentToWrite: content };
+  const { added, removed, seeded } = diffManagedGitignoreBlock(input.content);
+  return { ...base, ok: false, contentToWrite: content, added, removed, seeded };
 }
 var MMI_PLUGIN_CACHE_CLEANUP_LABEL = "stale MMI plugin cache dirs (Claude/Codex)";
 var MMI_PLUGIN_CACHE_CLEANUP_FIX = "run `mmi-cli doctor` to quarantine stale MMI-only plugin cache dirs, then reload the affected agent surface";
@@ -5339,6 +5726,9 @@ function detectSurface(env) {
   if (env.MMI_AGENT_SURFACE === "codex" || has("CODEX_HOME") || (env.CLAUDE_PLUGIN_ROOT ?? "").includes(".codex")) {
     return "codex";
   }
+  if (env.MMI_AGENT_SURFACE === "cursor" || has("CURSOR_TRACE_ID") || has("CURSOR_USER") || has("CURSOR_SESSION_ID")) {
+    return "cursor";
+  }
   const isClaude = has("CLAUDECODE") || has("CLAUDE_CODE_ENTRYPOINT") || has("CLAUDE_PLUGIN_ROOT") || env.MMI_AGENT_SURFACE === "claude";
   const isVscode = env.TERM_PROGRAM === "vscode" || has("VSCODE_PID") || has("VSCODE_GIT_ASKPASS_NODE");
   if (isClaude && isVscode) return "claude-vscode";
@@ -5351,6 +5741,8 @@ function reloadAction(surface) {
       return "restart VS Code";
     case "codex":
       return "restart Codex";
+    case "cursor":
+      return "restart Cursor (or refresh the Team Marketplace from Dashboard \u2192 Settings \u2192 Plugins)";
     case "claude-cli":
     case "shell":
     default:
@@ -5365,6 +5757,8 @@ function pluginRecoveryFix(surface) {
       return `${claude}   # then ${reloadAction(surface)} to reload MMI commands`;
     case "codex":
       return "codex plugin marketplace upgrade mmi && codex plugin add mmi@mmi   # then restart Codex";
+    case "cursor":
+      return `in Cursor Dashboard \u2192 Settings \u2192 Plugins, click Update next to the MMI Team Marketplace; then ${reloadAction(surface)} to reload MMI skills + hooks`;
     case "shell":
     default:
       return "npm install -g @mutmutco/cli@latest";
@@ -5401,20 +5795,40 @@ function buildInstalledPluginVersionCheck(input) {
 // src/stage-runner.ts
 var import_node_child_process5 = require("node:child_process");
 var import_node_fs3 = require("node:fs");
-var import_node_path3 = require("node:path");
+var import_node_path4 = require("node:path");
 var import_node_net = require("node:net");
 var import_node_util5 = require("node:util");
 var execFileP3 = (0, import_node_util5.promisify)(import_node_child_process5.execFile);
 function stageStatePath(cwd = process.cwd()) {
-  return (0, import_node_path3.join)(cwd, "tmp", "stage", "state.json");
+  return (0, import_node_path4.join)(cwd, "tmp", "stage", "state.json");
+}
+var POSIX_ONLY_VERBS = ["cp", "mv", "rm", "ln", "cat", "touch", "chmod", "export"];
+function posixOnlyShellProblems(command, field, platform = process.platform) {
+  if (platform !== "win32" || !command?.trim()) return [];
+  const problems = [];
+  if (/(^|&&|\||;)\s*[A-Za-z_][A-Za-z0-9_]*=\S/.test(command)) {
+    problems.push(
+      `stage.${field} uses POSIX inline env assignment (VAR=value command) which fails in cmd.exe on Windows; use 'set VAR=value && command' or a cross-platform launcher`
+    );
+  }
+  for (const verb of POSIX_ONLY_VERBS) {
+    if (new RegExp(`(^|&&|\\||;|\\()\\s*${verb}\\b`).test(command)) {
+      problems.push(
+        `stage.${field} calls POSIX '${verb}' which does not exist in cmd.exe on Windows; use the cmd/PowerShell equivalent or a cross-platform script`
+      );
+    }
+  }
+  return problems;
 }
 function validateStageConfig(config = {}, action) {
   const problems = [];
-  if (action === "run" && !config.build?.trim()) problems.push("stage.build is required for stage run");
+  if (action === "run" && !config.build?.trim() && !config.ensureEnv) problems.push("stage.build is required for stage run");
   if (!config.up?.trim()) problems.push("stage.up is required to start the local stage");
   if (config.healthUrl != null && config.healthUrl.trim() && !/^https?:\/\//.test(config.healthUrl.trim())) {
     problems.push("stage.healthUrl must be an http(s) URL");
   }
+  if (action === "run") problems.push(...posixOnlyShellProblems(config.build, "build"));
+  problems.push(...posixOnlyShellProblems(config.up, "up"));
   if (config.portRange != null) {
     const r = config.portRange;
     const ok = Array.isArray(r) && r.length === 2 && r.every((n) => Number.isInteger(n) && n >= 1024 && n <= 65535) && r[0] <= r[1];
@@ -5479,13 +5893,13 @@ async function killTree(pid) {
     }
   }
 }
-async function waitForHealth(url, timeoutMs) {
+async function waitForHealth(url, timeoutMs, anyStatus = false) {
   const deadline = Date.now() + timeoutMs;
   let last = "";
   while (Date.now() < deadline) {
     try {
       const res = await fetch(url, { signal: AbortSignal.timeout(Math.min(5e3, timeoutMs)) });
-      if (res.ok) return;
+      if (anyStatus || res.ok) return;
       last = `HTTP ${res.status}`;
     } catch (e) {
       last = e.message;
@@ -5520,6 +5934,13 @@ async function startStage(config = {}, opts = {}) {
     stagePort = pickStagePort(config.portRange, (p) => free.has(p));
   }
   const sub = (s) => s != null && stagePort != null ? s.replace(/\$\{?STAGE_PORT\}?/g, String(stagePort)) : s;
+  if (config.ensureEnv) {
+    const target = (0, import_node_path4.join)(cwd, config.ensureEnv.target);
+    const example = (0, import_node_path4.join)(cwd, config.ensureEnv.example);
+    if (!(0, import_node_fs3.existsSync)(target) && (0, import_node_fs3.existsSync)(example)) (0, import_node_fs3.copyFileSync)(example, target);
+  }
+  const extraEnv = {};
+  for (const [k, v] of Object.entries(config.env ?? {})) extraEnv[k] = sub(v) ?? v;
   const up = sub(config.up.trim());
   const child = (0, import_node_child_process5.spawn)(up, {
     cwd,
@@ -5527,7 +5948,7 @@ async function startStage(config = {}, opts = {}) {
     detached: true,
     windowsHide: true,
     stdio: "ignore",
-    env: stagePort != null ? { ...process.env, STAGE_PORT: String(stagePort) } : process.env
+    env: { ...process.env, ...stagePort != null ? { STAGE_PORT: String(stagePort) } : {}, ...extraEnv }
   });
   const state = {
     pid: child.pid ?? 0,
@@ -5539,13 +5960,13 @@ async function startStage(config = {}, opts = {}) {
   };
   (0, import_node_fs3.writeFileSync)(statePath, JSON.stringify(state, null, 2), "utf8");
   try {
-    if (state.healthUrl) await waitForHealth(state.healthUrl, opts.timeoutMs ?? 6e4);
+    if (state.healthUrl) await waitForHealth(state.healthUrl, opts.timeoutMs ?? 6e4, config.healthAnyStatus);
   } catch (e) {
     await killTree(state.pid);
     (0, import_node_fs3.rmSync)(statePath, { force: true });
     throw e;
   }
-  const result = { ok: true, action: "start", statePath, pid: state.pid, message: `started stage pid ${state.pid}${stagePort != null ? ` on port ${stagePort}` : ""}` };
+  const result = { ok: true, action: "start", statePath, pid: state.pid, port: stagePort, message: `started stage pid ${state.pid}${stagePort != null ? ` on port ${stagePort}` : ""}` };
   opts.onReady?.(result);
   child.unref();
   return result;
@@ -5556,7 +5977,7 @@ async function runStage(config = {}, opts = {}) {
   const cwd = opts.cwd ?? process.cwd();
   const timeoutMs = opts.timeoutMs ?? 6e4;
   await stopStage({ ...opts, cwd });
-  await shell(config.build.trim(), cwd, timeoutMs);
+  if (config.build?.trim()) await shell(config.build.trim(), cwd, timeoutMs);
   const started = await startStage(config, { ...opts, cwd, timeoutMs });
   return { ...started, action: "run", message: `built and ${started.message}` };
 }
@@ -5652,14 +6073,56 @@ async function requireBranch(deps, branch) {
   const current = clean(await deps.run("git", ["rev-parse", "--abbrev-ref", "HEAD"]));
   if (current !== branch) throw new Error(`must run from ${branch}, currently on ${current || "(unknown)"}`);
 }
-async function dispatchDeploy(deps, ctx, stage2, ref, model) {
+var HUB_REPO2 = "mutmutco/MMI-Hub";
+var CORRELATE_ATTEMPTS = 5;
+var CORRELATE_DELAY_MS = 1500;
+var CORRELATE_SKEW_SLACK_MS = 1e4;
+async function correlateTenantRun(deps, since) {
+  const sleep = deps.sleep ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
+  const threshold = since - CORRELATE_SKEW_SLACK_MS;
+  for (let attempt = 0; attempt < CORRELATE_ATTEMPTS; attempt++) {
+    if (attempt > 0) await sleep(CORRELATE_DELAY_MS);
+    let rows;
+    try {
+      const out = await deps.run("gh", [
+        "run",
+        "list",
+        "--repo",
+        HUB_REPO2,
+        "--workflow",
+        "tenant-deploy.yml",
+        "--limit",
+        "10",
+        "--json",
+        "databaseId,url,event,createdAt"
+      ]);
+      rows = JSON.parse(out);
+    } catch {
+      continue;
+    }
+    const match = rows.filter((r) => r.event === "workflow_dispatch" && typeof r.databaseId === "number").map((r) => ({ row: r, created: Date.parse(r.createdAt ?? "") })).filter((c) => Number.isFinite(c.created) && c.created >= threshold).sort((a, b) => b.created - a.created)[0];
+    if (match) return { runId: match.row.databaseId, runUrl: match.row.url };
+  }
+  return {};
+}
+async function watchTenantRun(deps, runId) {
+  if (runId == null) return "pending";
+  try {
+    await deps.run("gh", ["run", "watch", String(runId), "--repo", HUB_REPO2, "--exit-status"]);
+    return "success";
+  } catch {
+    return "failure";
+  }
+}
+async function dispatchDeploy(deps, ctx, stage2, ref, model, watch) {
   if (model === "tenant-container") {
+    const since = (deps.now ?? Date.now)();
     await deps.run("gh", [
       "workflow",
       "run",
       "tenant-deploy.yml",
       "--repo",
-      "mutmutco/MMI-Hub",
+      HUB_REPO2,
       "-f",
       `slug=${ctx.slug}`,
       "-f",
@@ -5669,12 +6132,17 @@ async function dispatchDeploy(deps, ctx, stage2, ref, model) {
       "-f",
       `stage=${stage2}`
     ]);
-    return `dispatched tenant-deploy.yml (slug=${ctx.slug}, ref=${ref}, stage=${stage2})`;
+    const { runId, runUrl } = await correlateTenantRun(deps, since);
+    const deployStatus = watch ? await watchTenantRun(deps, runId) : "pending";
+    return { note: `dispatched tenant-deploy.yml (slug=${ctx.slug}, ref=${ref}, stage=${stage2})`, runId, runUrl, deployStatus };
   }
   if (model === "hub-serverless") {
-    return ref === "rc" ? "no manual dispatch: deploy.yml auto-fires on the rc push (rc stage)" : "no manual dispatch: deploy.yml + publish.yml auto-fire on the published Release (prod)";
+    return {
+      note: ref === "rc" ? "no manual dispatch: deploy.yml auto-fires on the rc push (rc stage)" : "no manual dispatch: deploy.yml + publish.yml auto-fire on the published Release (prod)",
+      deployStatus: "pending"
+    };
   }
-  return `no manual dispatch: ${model} repo deploys via its own push-triggered workflow`;
+  return { note: `no manual dispatch: ${model} repo deploys via its own push-triggered workflow`, deployStatus: "pending" };
 }
 async function preflight(deps, ctx, stage2) {
   let meta = null;
@@ -5693,7 +6161,8 @@ async function preflight(deps, ctx, stage2) {
   await deps.runSelf(["secrets", "preflight", "--stage", stage2, "--repo", ctx.repo]);
   return model;
 }
-async function runTrainApply(command, deps) {
+async function runTrainApply(command, deps, options = {}) {
+  const watch = options.watch ?? false;
   const ctx = await buildTrainApplyContext(deps);
   await requireCleanTree(deps);
   await deps.run("git", ["fetch", "origin"]);
@@ -5713,8 +6182,8 @@ async function runTrainApply(command, deps) {
     await deps.run("git", ["tag", tag2]);
     await deps.run("git", ["push", "origin", "rc"]);
     await deps.run("git", ["push", "origin", tag2]);
-    const dispatch2 = await dispatchDeploy(deps, ctx, "rc", "rc", deployModel2);
-    return { ...ctx, command, stage: "rc", ref: "rc", tag: tag2, deployModel: deployModel2, dispatch: dispatch2 };
+    const d2 = await dispatchDeploy(deps, ctx, "rc", "rc", deployModel2, watch);
+    return { ...ctx, command, stage: "rc", ref: "rc", tag: tag2, deployModel: deployModel2, promoted: true, dispatch: d2.note, runId: d2.runId, runUrl: d2.runUrl, deployStatus: d2.deployStatus };
   }
   await requireBranch(deps, "rc");
   ensurePositiveCount(
@@ -5731,12 +6200,37 @@ async function runTrainApply(command, deps) {
   await deps.run("git", ["push", "origin", "main"]);
   await deps.run("git", ["push", "origin", tag]);
   await deps.run("gh", ["release", "create", tag, "--generate-notes", "--latest", "--repo", ctx.repo]);
-  const dispatch = await dispatchDeploy(deps, ctx, "main", "main", deployModel);
+  const d = await dispatchDeploy(deps, ctx, "main", "main", deployModel, watch);
   await deps.run("git", ["checkout", "development"]);
   await deps.run("git", ["pull", "--ff-only", "origin", "development"]);
   await deps.run("git", ["merge", "main", "--no-edit"]);
   await deps.run("git", ["push", "origin", "development"]);
-  return { ...ctx, command, stage: "main", ref: "main", tag, deployModel, dispatch };
+  return { ...ctx, command, stage: "main", ref: "main", tag, deployModel, promoted: true, dispatch: d.note, runId: d.runId, runUrl: d.runUrl, deployStatus: d.deployStatus };
+}
+async function runTenantRedeploy(deps, options) {
+  const { stage: stage2 } = options;
+  const ref = options.ref ?? stage2;
+  const watch = options.watch ?? false;
+  const repo = options.repo;
+  const [owner, name] = repo.split("/");
+  if (!owner || !name) throw new Error(`repo must be owner/name, got ${repo}`);
+  const login = requireValue(clean(await deps.run("gh", ["api", "user", "--jq", ".login"])), "GitHub login");
+  const verdict = await deps.trainAuthority(repo);
+  if (!verdict.ok) throw new Error(`${commandAuthorityLabel(owner)}: train authority could not be verified (${verdict.error})`);
+  if (!verdict.train) throw new Error(`${commandAuthorityLabel(owner)}: @${login} is ${verdict.role} \u2014 no train authority on ${repo}`);
+  const ctx = { repo, owner, slug: name.toLowerCase(), login };
+  let meta = null;
+  try {
+    meta = JSON.parse(await deps.runSelf(["project", "get", repo]));
+  } catch {
+    meta = null;
+  }
+  const deployModel = resolveDeployModel2(meta, repo);
+  if (deployModel !== "tenant-container") {
+    throw new Error(`${repo} is ${deployModel}, not tenant-container \u2014 there is no central tenant-deploy run to retry (its deploy fires from its own workflow)`);
+  }
+  const d = await dispatchDeploy(deps, ctx, stage2, ref, deployModel, watch);
+  return { ...ctx, command: "tenant-redeploy", stage: stage2, ref, deployModel, dispatch: d.note, runId: d.runId, runUrl: d.runUrl, deployStatus: d.deployStatus };
 }
 
 // src/port-registry.ts
@@ -6138,6 +6632,12 @@ async function rulesetDetails(deps, repo, list) {
   }
   return details;
 }
+function repoRefsMatch(a, b) {
+  return a.toLowerCase() === b.toLowerCase();
+}
+function projectRegistryIncludesRepo(projects, repo) {
+  return projects.some((p) => (p.repos ?? []).some((r) => repoRefsMatch(r, repo)));
+}
 function localRegistryCheck(deps, path2, predicate) {
   const text = deps.readLocalFile?.(path2);
   if (text == null) return null;
@@ -6287,7 +6787,7 @@ async function verifyBootstrap(repo, repoClass, deps) {
   }
   const fanout = repo === "mutmutco/MMI-Hub" ? true : localRegistryCheck(deps, ".github/fanout-targets.json", (json) => Array.isArray(json?.repos) && json.repos.some((r) => r.repo === repo.split("/")[1] && r.branch === baseBranch));
   if (fanout != null) checks.push({ ok: fanout, label: `fanout target registered on ${baseBranch}` });
-  const projectRegistry = localRegistryCheck(deps, "projects.json", (json) => Array.isArray(json?.projects) && json.projects.some((p) => (p.repos || []).includes(repo)));
+  const projectRegistry = localRegistryCheck(deps, "projects.json", (json) => Array.isArray(json?.projects) && projectRegistryIncludesRepo(json.projects, repo));
   if (projectRegistry != null) checks.push({ ok: projectRegistry, label: "cloud-agent project registry includes repo" });
   const rulesetList = await restJson2(deps, `repos/${repo}/rulesets?includes_parents=true`, []);
   const rulesets = await rulesetDetails(deps, repo, rulesetList);
@@ -6347,6 +6847,94 @@ function renderBootstrapVerifyReport(report) {
   return lines.join("\n");
 }
 
+// src/hub-auth.ts
+var import_node_crypto2 = require("node:crypto");
+var import_node_fs5 = require("node:fs");
+var import_node_path5 = require("node:path");
+var import_node_os2 = require("node:os");
+var REFRESH_WINDOW_MS = 10 * 60 * 1e3;
+var EXCHANGE_TIMEOUT_MS = 8e3;
+var EXCHANGE_ATTEMPTS = 2;
+function normalizeBaseUrl(baseUrl) {
+  return baseUrl.replace(/\/$/, "");
+}
+function tokenFingerprint(token) {
+  return (0, import_node_crypto2.createHash)("sha256").update(token).digest("hex");
+}
+function defaultHubSessionCachePath(env = process.env) {
+  if (env.MMI_HUB_SESSION_CACHE) return env.MMI_HUB_SESSION_CACHE;
+  if (process.platform === "win32") {
+    const base2 = env.LOCALAPPDATA || (0, import_node_path5.join)((0, import_node_os2.homedir)(), "AppData", "Local");
+    return (0, import_node_path5.join)(base2, "MMI Future", "mmi-cli", "hub-session.json");
+  }
+  const base = env.XDG_STATE_HOME || (0, import_node_path5.join)((0, import_node_os2.homedir)(), ".mmi");
+  return (0, import_node_path5.join)(base, "mmi-cli", "hub-session.json");
+}
+function readCache(path2, apiUrl, now, githubTokenFingerprint) {
+  try {
+    const session = JSON.parse((0, import_node_fs5.readFileSync)(path2, "utf8"));
+    if (!session.token || !session.expiresAt || session.apiUrl !== apiUrl) return null;
+    if (session.githubTokenFingerprint !== githubTokenFingerprint) return null;
+    if (new Date(session.expiresAt).getTime() <= now.getTime() + REFRESH_WINDOW_MS) return null;
+    return session;
+  } catch {
+    return null;
+  }
+}
+function writeCache(path2, session) {
+  (0, import_node_fs5.mkdirSync)((0, import_node_path5.dirname)(path2), { recursive: true });
+  const tmp = `${path2}.${process.pid}.${Date.now()}.tmp`;
+  (0, import_node_fs5.writeFileSync)(tmp, JSON.stringify(session, null, 2) + "\n", { encoding: "utf8", mode: 384 });
+  try {
+    (0, import_node_fs5.chmodSync)(tmp, 384);
+  } catch {
+  }
+  (0, import_node_fs5.renameSync)(tmp, path2);
+  try {
+    (0, import_node_fs5.chmodSync)(path2, 384);
+  } catch {
+  }
+}
+async function hubAuthSession(deps) {
+  if (!deps.baseUrl) return void 0;
+  const apiUrl = normalizeBaseUrl(deps.baseUrl);
+  const now = deps.now?.() ?? /* @__PURE__ */ new Date();
+  const cachePath = deps.cachePath ?? defaultHubSessionCachePath();
+  const ghToken = await deps.githubToken();
+  if (!ghToken) return void 0;
+  const githubTokenFingerprint = tokenFingerprint(ghToken);
+  const cached = readCache(cachePath, apiUrl, now, githubTokenFingerprint);
+  if (cached) return cached;
+  try {
+    const res = await fetchWithRetry(
+      deps.fetch ?? fetch,
+      `${apiUrl}/auth/session`,
+      { method: "POST", headers: { Authorization: `Bearer ${ghToken}` } },
+      { attempts: EXCHANGE_ATTEMPTS, timeoutMs: EXCHANGE_TIMEOUT_MS }
+    );
+    if (!res.ok) return void 0;
+    const body = await res.json();
+    if (!body.token || !body.expiresAt) return void 0;
+    const session = {
+      token: body.token,
+      expiresAt: body.expiresAt,
+      login: typeof body.login === "string" ? body.login : void 0,
+      apiUrl,
+      githubTokenFingerprint
+    };
+    try {
+      writeCache(cachePath, session);
+    } catch {
+    }
+    return session;
+  } catch {
+    return void 0;
+  }
+}
+async function hubAuthToken(deps) {
+  return (await hubAuthSession(deps))?.token;
+}
+
 // src/bootstrap-apply.ts
 function parseOwnerRepo(repo) {
   const trimmed = repo.trim();
@@ -6476,16 +7064,21 @@ var PROJECTS_ENVELOPE_KEY = "projects";
 
 // src/registry-client.ts
 var DEFAULT_TIMEOUT_MS2 = 8e3;
+var RETRY_ATTEMPTS = 3;
+function retriedFetch(deps, url, init) {
+  return fetchWithRetry(deps.fetch ?? fetch, url, init, {
+    attempts: RETRY_ATTEMPTS,
+    timeoutMs: deps.timeoutMs ?? DEFAULT_TIMEOUT_MS2
+  });
+}
 async function fetchTrainAuthority(repo, deps) {
   if (!deps.baseUrl) return { ok: false, error: "Hub API URL not configured" };
   const token = await deps.token();
-  if (!token) return { ok: false, error: "no GitHub token (gh auth login)" };
-  const doFetch = deps.fetch ?? fetch;
+  if (!token) return { ok: false, error: "no Hub session token (run `gh auth login`)" };
   try {
-    const res = await doFetch(`${deps.baseUrl.replace(/\/$/, "")}/train-authority?repo=${encodeURIComponent(repo)}`, {
+    const res = await retriedFetch(deps, `${deps.baseUrl.replace(/\/$/, "")}/train-authority?repo=${encodeURIComponent(repo)}`, {
       method: "GET",
-      headers: { Authorization: `Bearer ${token}` },
-      signal: AbortSignal.timeout(deps.timeoutMs ?? DEFAULT_TIMEOUT_MS2)
+      headers: { Authorization: `Bearer ${token}` }
     });
     if (!res.ok) return { ok: false, error: `train-authority HTTP ${res.status}` };
     const body = await res.json();
@@ -6499,12 +7092,10 @@ async function fetchProjectsList(deps) {
   if (!deps.baseUrl) return null;
   const token = await deps.token();
   if (!token) return null;
-  const doFetch = deps.fetch ?? fetch;
   try {
-    const res = await doFetch(`${deps.baseUrl.replace(/\/$/, "")}${PROJECTS_LIST_PATH}`, {
+    const res = await retriedFetch(deps, `${deps.baseUrl.replace(/\/$/, "")}${PROJECTS_LIST_PATH}`, {
       method: "GET",
-      headers: { Authorization: `Bearer ${token}` },
-      signal: AbortSignal.timeout(deps.timeoutMs ?? DEFAULT_TIMEOUT_MS2)
+      headers: { Authorization: `Bearer ${token}` }
     });
     if (!res.ok) return null;
     const body = await res.json();
@@ -6522,13 +7113,11 @@ async function fetchProjectBySlugChecked(slug, deps) {
   if (!deps.baseUrl) return { ok: false, error: "no Hub API URL (set MMI_HUB_URL or use a current MMI CLI/plugin build)" };
   if (!slug) return { ok: false, error: "no slug" };
   const token = await deps.token();
-  if (!token) return { ok: false, error: "no GitHub token (run `gh auth login`)" };
-  const doFetch = deps.fetch ?? fetch;
+  if (!token) return { ok: false, error: "no Hub session token (run `gh auth login`)" };
   try {
-    const res = await doFetch(`${deps.baseUrl.replace(/\/$/, "")}/projects/${encodeURIComponent(slug)}`, {
+    const res = await retriedFetch(deps, `${deps.baseUrl.replace(/\/$/, "")}/projects/${encodeURIComponent(slug)}`, {
       method: "GET",
-      headers: { Authorization: `Bearer ${token}` },
-      signal: AbortSignal.timeout(deps.timeoutMs ?? DEFAULT_TIMEOUT_MS2)
+      headers: { Authorization: `Bearer ${token}` }
     });
     if (res.status === 404) return { ok: true, project: null };
     if (!res.ok) return { ok: false, error: `HTTP ${res.status}` };
@@ -6545,12 +7134,10 @@ async function fetchDeployStatusBySlug(slug, deps) {
   if (!deps.baseUrl || !slug) return null;
   const token = await deps.token();
   if (!token) return null;
-  const doFetch = deps.fetch ?? fetch;
   try {
-    const res = await doFetch(`${deps.baseUrl.replace(/\/$/, "")}/projects/${encodeURIComponent(slug)}/deploy-status`, {
+    const res = await retriedFetch(deps, `${deps.baseUrl.replace(/\/$/, "")}/projects/${encodeURIComponent(slug)}/deploy-status`, {
       method: "GET",
-      headers: { Authorization: `Bearer ${token}` },
-      signal: AbortSignal.timeout(deps.timeoutMs ?? DEFAULT_TIMEOUT_MS2)
+      headers: { Authorization: `Bearer ${token}` }
     });
     if (!res.ok) return null;
     const body = await res.json();
@@ -6564,12 +7151,10 @@ async function fetchOrgConfig(deps) {
   if (!deps.baseUrl) return null;
   const token = await deps.token();
   if (!token) return null;
-  const doFetch = deps.fetch ?? fetch;
   try {
-    const res = await doFetch(`${deps.baseUrl.replace(/\/$/, "")}${ORG_CONFIG_PATH}`, {
+    const res = await retriedFetch(deps, `${deps.baseUrl.replace(/\/$/, "")}${ORG_CONFIG_PATH}`, {
       method: "GET",
-      headers: { Authorization: `Bearer ${token}` },
-      signal: AbortSignal.timeout(deps.timeoutMs ?? DEFAULT_TIMEOUT_MS2)
+      headers: { Authorization: `Bearer ${token}` }
     });
     if (!res.ok) return null;
     return await res.json();
@@ -6580,14 +7165,12 @@ async function fetchOrgConfig(deps) {
 async function postJson(pathSuffix, payload, deps, method = "POST") {
   if (!deps.baseUrl) return { ok: false, status: 0, body: null, error: "no Hub API URL (set MMI_HUB_URL or use a current MMI CLI/plugin build)" };
   const token = await deps.token();
-  if (!token) return { ok: false, status: 0, body: null, error: "no GitHub token (run `gh auth login`)" };
-  const doFetch = deps.fetch ?? fetch;
+  if (!token) return { ok: false, status: 0, body: null, error: "no Hub session token (run `gh auth login`)" };
   try {
-    const res = await doFetch(`${deps.baseUrl.replace(/\/$/, "")}${pathSuffix}`, {
+    const res = await retriedFetch(deps, `${deps.baseUrl.replace(/\/$/, "")}${pathSuffix}`, {
       method,
       headers: { Authorization: `Bearer ${token}`, "content-type": "application/json" },
-      body: JSON.stringify(payload),
-      signal: AbortSignal.timeout(deps.timeoutMs ?? DEFAULT_TIMEOUT_MS2)
+      body: JSON.stringify(payload)
     });
     let body = null;
     try {
@@ -6658,9 +7241,12 @@ function appAttestationOf(meta) {
 function attestedLine(att) {
   return `App-owned readiness attested by @${att.by} on ${att.at.slice(0, 10)} \u2014 the static checklist is cleared (the doctor reads no product repo files); re-run \`mmi-cli project attest\` after app-owned structural changes.`;
 }
+var CONTRACT_UNDECLARED_LINE = "No runtime secrets declared \u2014 declare requiredRuntimeSecrets (a per-stage name map) in the registry META, or attest the app needs none with an explicit empty stage map ({ dev: [], rc: [], main: [] }).";
 function appGapsFor(meta, model, slug, projectType) {
   const attested = appAttestationOf(meta);
-  if (attested) return [attestedLine(attested)];
+  const isTenantWeb = !(projectType === "content" || model === "content") && projectType !== "desktop-game" && !(projectType === "non-deployable" || model === "none") && model !== "hub-serverless" && model !== "serverless";
+  const contractUndeclared = isTenantWeb && Boolean(meta) && !hasRuntimeSecretContract(meta?.requiredRuntimeSecrets);
+  if (attested) return contractUndeclared ? [attestedLine(attested), CONTRACT_UNDECLARED_LINE] : [attestedLine(attested)];
   if (projectType === "content" || model === "content") return ["Content/KB repo: keep app-owned work to docs/content changes; release train does not apply."];
   if (projectType === "desktop-game") {
     return [
@@ -6692,8 +7278,8 @@ function appGapsFor(meta, model, slug, projectType) {
     "Make app config fail clearly for missing required env in prod/rc instead of relying on hidden defaults.",
     "Keep app-owned README.md and architecture.md aligned with v2 central deploy/secrets reality."
   ];
-  if (meta && !hasRuntimeSecretContract(meta.requiredRuntimeSecrets)) {
-    gaps.unshift("No runtime secrets declared \u2014 declare requiredRuntimeSecrets (a per-stage name map) in the registry META, or attest the app needs none with an explicit empty stage map ({ dev: [], rc: [], main: [] }).");
+  if (contractUndeclared) {
+    gaps.unshift(CONTRACT_UNDECLARED_LINE);
   }
   if (slug === "mmi-katip") {
     gaps.push("Katip-specific app plan: declare Google Workspace service-account requirements, use the service account numeric OAuth2 client ID for DWD, remove prod-hidden impersonation defaults, and make non-critical Google Workspace failures degrade instead of crash-looping.");
@@ -6773,7 +7359,29 @@ async function runV2Heal(repoOrSlug, opts, deps) {
 async function buildV2Doctor(repoOrSlug, deps) {
   const slug = slugOfRepo(repoOrSlug);
   const repo = repoFrom(repoOrSlug, slug);
-  const meta = await deps.getProject(slug);
+  const read = await deps.getProject(slug);
+  if (!read.ok) {
+    const degradedSecrets = {
+      dev: { required: [], present: [], missing: [] },
+      rc: { required: [], present: [], missing: [] },
+      main: { required: [], present: [], missing: [] }
+    };
+    const degradedStage = {
+      dev: { ok: false, required: false },
+      rc: { ok: false, required: false },
+      main: { ok: false, required: false }
+    };
+    return {
+      ok: false,
+      repo,
+      slug,
+      registryError: read.error,
+      hubOwned: { meta: { ok: false, missing: [] }, deployCoords: degradedStage, deployState: degradedStage, secrets: degradedSecrets },
+      autoHealAvailable: [],
+      appOwnedGaps: [`Hub registry read failed (${read.error}) \u2014 diagnosis degraded; nothing is known about META, coords, or gaps. Likely transient (cold start, network, or auth blip): retry \`mmi-cli project doctor\` shortly.`]
+    };
+  }
+  const meta = read.project;
   const projectType = resolveProjectType(meta, repo);
   const model = resolveDeployModel(meta, repo);
   const autoHeal = buildV2HealPatch(repo, meta);
@@ -6879,6 +7487,30 @@ ${section}`.trim();
 // src/project-set.ts
 var UNSET_KEYS = ["oauth", "requiredRuntimeSecrets", "edgeDomains", "requiredGcpApis", "publishRequired"];
 var UNSET_KEY_SET = new Set(UNSET_KEYS);
+var RUNTIME_SECRET_STAGES = ["dev", "rc", "main"];
+function parseRuntimeSecretsVar(raw) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new Error('project set: requiredRuntimeSecrets must be JSON, e.g. {"dev":["KEY"],"rc":["KEY"],"main":["KEY"]}');
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error("project set: requiredRuntimeSecrets must be a stage map (a flat array is not box-loadable)");
+  }
+  const map = parsed;
+  const out = {};
+  for (const [stage2, names] of Object.entries(map)) {
+    if (!RUNTIME_SECRET_STAGES.includes(stage2)) {
+      throw new Error(`project set: requiredRuntimeSecrets stage "${stage2}" \u2014 expected only ${RUNTIME_SECRET_STAGES.join("/")}`);
+    }
+    if (!Array.isArray(names) || names.some((n) => typeof n !== "string" || !n.trim())) {
+      throw new Error(`project set: requiredRuntimeSecrets.${stage2} must be an array of non-empty secret names`);
+    }
+    out[stage2] = names;
+  }
+  return out;
+}
 function buildProjectSetPatch(input) {
   const patch = {};
   if (input.class) {
@@ -6908,6 +7540,8 @@ function buildProjectSetPatch(input) {
         const n = Number(raw);
         if (!Number.isFinite(n)) throw new Error("project set: projectNumber must be numeric");
         patch[key] = n;
+      } else if (key === "requiredRuntimeSecrets") {
+        patch[key] = parseRuntimeSecretsVar(raw);
       } else {
         patch[key] = raw;
       }
@@ -6967,10 +7601,91 @@ function parseKbTree(stdout, prefix) {
 }
 
 // src/plan.ts
-var import_node_path4 = require("node:path");
+var import_node_path6 = require("node:path");
+
+// src/frontmatter.ts
+function splitFrontmatter(content) {
+  const match = /^---\n([\s\S]*?)\n---(?:\n|$)/.exec(content);
+  if (!match) return { entries: [], body: content };
+  return { entries: match[1].split(/\r?\n/).filter((line) => line.trim()), body: content.slice(match[0].length) };
+}
+function entryKeyValue(line) {
+  const i = line.indexOf(":");
+  if (i < 0) return null;
+  return { key: line.slice(0, i).trim().toLowerCase(), value: line.slice(i + 1).trim() };
+}
+function frontmatterValue(content, key) {
+  const want = key.trim().toLowerCase();
+  for (const line of splitFrontmatter(content).entries) {
+    const kv = entryKeyValue(line);
+    if (kv && kv.key === want) return kv.value || void 0;
+  }
+  return void 0;
+}
+function frontmatterList(content, key) {
+  const raw = frontmatterValue(content, key);
+  if (!raw) return [];
+  return raw.replace(/^\[/, "").replace(/\]$/, "").split(",").map((s) => s.trim()).filter(Boolean);
+}
+function extractPlanMeta(content) {
+  const meta = {};
+  const status = frontmatterValue(content, "status");
+  if (status) meta.status = status;
+  const tags = frontmatterList(content, "topic-tags");
+  if (tags.length) meta.topicTags = tags;
+  const title = frontmatterValue(content, "title");
+  if (title) meta.title = title;
+  const supersedes = frontmatterValue(content, "supersedes");
+  if (supersedes) meta.supersedes = supersedes;
+  return meta;
+}
+
+// src/plan-relevance.ts
+var STOP = /* @__PURE__ */ new Set(["the", "and", "for", "with", "plan", "issue", "fix", "feat", "add", "wip", "src", "tsx", "mjs"]);
+function tokenize(s) {
+  return (s ?? "").replace(/([a-z0-9])([A-Z])/g, "$1 $2").toLowerCase().split(/[^a-z0-9]+/).filter((t) => t.length >= 3 && !STOP.has(t));
+}
+var SUPPRESSED = /* @__PURE__ */ new Set(["superseded", "graduated"]);
+function signalTokens(s) {
+  const all = [
+    ...tokenize(s.branch),
+    ...tokenize(s.issueTitle),
+    ...(s.issueLabels ?? []).flatMap(tokenize),
+    ...(s.changedFiles ?? []).flatMap(tokenize)
+  ];
+  return new Set(all);
+}
+function rankPlansByRelevance(plans, signals, opts = {}) {
+  const wanted = signalTokens(signals);
+  const eligible = opts.includeAll ? plans : plans.filter((p) => !p.status || !SUPPRESSED.has(p.status.toLowerCase()));
+  const ranked = eligible.map((plan2) => {
+    const tagTokens = new Set((plan2.topicTags ?? []).flatMap(tokenize));
+    const titleTokens = new Set(tokenize(plan2.title));
+    const slugTokens = new Set(tokenize(plan2.slug));
+    const matched = /* @__PURE__ */ new Set();
+    let score = 0;
+    for (const t of wanted) {
+      if (tagTokens.has(t)) {
+        score += 3;
+        matched.add(t);
+      } else if (titleTokens.has(t)) {
+        score += 2;
+        matched.add(t);
+      } else if (slugTokens.has(t)) {
+        score += 1;
+        matched.add(t);
+      }
+    }
+    return { plan: plan2, score, matched: [...matched] };
+  });
+  ranked.sort((a, b) => b.score - a.score || (b.plan.updatedAt ?? "").localeCompare(a.plan.updatedAt ?? ""));
+  return ranked;
+}
+
+// src/plan.ts
 var PLANS_DIR = "plans";
-var META_FILE = (0, import_node_path4.join)(PLANS_DIR, ".plan-meta.json");
-var planPath = (slug) => (0, import_node_path4.join)(PLANS_DIR, `${slug}.md`);
+var META_FILE = (0, import_node_path6.join)(PLANS_DIR, ".plan-meta.json");
+var planPath = (slug) => (0, import_node_path6.join)(PLANS_DIR, `${slug}.md`);
 var metaKey = (project2, slug) => `${project2}/${slug}`;
 function parseMeta(raw) {
   if (!raw) return {};
@@ -6999,12 +7714,7 @@ function formatPlanList(plans) {
   return plans.map((p) => `${p.slug}  \xB7  ${p.updatedAt ?? "-"}  \xB7  ${p.project}`).join("\n");
 }
 var TIMEOUT_MS = 8e3;
-var GRADUATION_KEYS = /* @__PURE__ */ new Set(["northstar-graduation", "privacy", "merged-pr"]);
-function splitFrontmatter(content) {
-  const match = /^---\n([\s\S]*?)\n---(?:\n|$)/.exec(content);
-  if (!match) return { entries: [], body: content };
-  return { entries: match[1].split(/\r?\n/).filter((line) => line.trim()), body: content.slice(match[0].length) };
-}
+var GRADUATION_KEYS = /* @__PURE__ */ new Set(["northstar-graduation", "privacy", "merged-pr", "status"]);
 function markPlanGraduated(content, opts) {
   const { entries, body } = splitFrontmatter(normalizeEol(content));
   const preserved = entries.filter((line) => {
@@ -7014,6 +7724,7 @@ function markPlanGraduated(content, opts) {
   const next = [
     ...preserved,
     "northstar-graduation: built-and-merged",
+    "status: graduated",
     "privacy: org",
     `merged-pr: ${opts.mergedPr}`
   ];
@@ -7033,6 +7744,8 @@ async function planPush(deps, slug, opts = {}) {
   const meta = parseMeta(deps.readMetaRaw());
   const entry = meta[metaKey(project2, slug)];
   const body = { project: project2, slug, content };
+  const frontmatterMeta = extractPlanMeta(content);
+  if (Object.keys(frontmatterMeta).length) body.meta = frontmatterMeta;
   if (opts.force) body.force = true;
   else if (entry?.etag) body.baseEtag = entry.etag;
   const res = await deps.fetch(`${deps.apiUrl}/plan/put`, {
@@ -7086,35 +7799,59 @@ async function planPull(deps, slug, opts = {}) {
   deps.log(`pulled ${slug} \u2192 ${planPath(slug)}`);
   return true;
 }
+async function fetchPlanList(deps, project2) {
+  const qs = project2 ? `?${new URLSearchParams({ project: project2 }).toString()}` : "";
+  const res = await deps.fetch(`${deps.apiUrl}/plan/list${qs}`, {
+    method: "GET",
+    headers: await deps.headers(),
+    signal: AbortSignal.timeout(TIMEOUT_MS)
+  });
+  if (!res.ok) throw new Error(`HTTP ${res.status}`);
+  const { plans } = await res.json();
+  return plans ?? [];
+}
 async function planList(deps, opts = {}) {
   const project2 = opts.project ?? (opts.quiet ? await deps.project() : void 0);
-  const qs = project2 ? `?${new URLSearchParams({ project: project2 }).toString()}` : "";
-  let res;
+  let plans;
   try {
-    res = await deps.fetch(`${deps.apiUrl}/plan/list${qs}`, {
-      method: "GET",
-      headers: await deps.headers(),
-      signal: AbortSignal.timeout(TIMEOUT_MS)
-    });
+    plans = await fetchPlanList(deps, project2);
   } catch (e) {
     if (!opts.quiet) deps.err(`plan list: ${e.message}`);
     return;
   }
-  if (!res.ok) {
-    if (!opts.quiet) deps.err(`plan list failed: HTTP ${res.status}`);
-    return;
-  }
-  const { plans } = await res.json();
-  if (opts.json) {
-    deps.log(JSON.stringify(plans));
-    return;
-  }
+  if (opts.json) return deps.log(JSON.stringify(plans));
   if (!plans.length) {
     if (!opts.quiet) deps.log("no plans");
     return;
   }
   deps.log(formatPlanList(plans));
 }
+function formatRelevant(ranked) {
+  return ranked.map((r) => {
+    const why = r.matched.length ? `matches ${r.matched.join(", ")}` : "recent";
+    return `${r.plan.slug}  \xB7  ${why}  \xB7  mmi-cli northstar pull ${r.plan.slug}`;
+  }).join("\n");
+}
+async function relevantPlans(deps, signals, opts = {}) {
+  const project2 = opts.project ?? await deps.project();
+  let plans;
+  try {
+    const scoped = await fetchPlanList(deps, project2);
+    const unprojected = project2 === "-" ? [] : await fetchPlanList(deps, "-").catch(() => []);
+    const seen = new Set(scoped.map((p) => `${p.project}/${p.slug}`));
+    plans = [...scoped, ...unprojected.filter((p) => !seen.has(`${p.project}/${p.slug}`))];
+  } catch (e) {
+    deps.err(`northstar relevant: ${e.message}`);
+    return;
+  }
+  if (!plans.length) return deps.log("no North Stars for this repo yet");
+  const ranked = rankPlansByRelevance(plans, signals, { includeAll: opts.includeAll });
+  const top = (opts.includeAll ? ranked : ranked.filter((r) => r.score > 0)).slice(0, opts.limit ?? 5);
+  if (!top.length) {
+    return deps.log(`no task-relevant North Stars among ${plans.length} for this repo \u2014 \`mmi-cli northstar relevant --all\` lists recent ones`);
+  }
+  deps.log(formatRelevant(top));
+}
 async function planDelete(deps, slug, opts = {}) {
   const project2 = opts.project ?? await deps.project();
   const res = await deps.fetch(`${deps.apiUrl}/plan/delete`, {
@@ -7564,14 +8301,15 @@ async function awsCallerArn() {
     return void 0;
   }
 }
-async function sagaHeaders(extra = {}) {
-  const t = await githubToken();
+async function hubHeaders(extra = {}) {
+  const cfg = await loadConfig();
+  const t = await hubAuthToken({ baseUrl: cfg.sagaApiUrl ?? defaultHubUrl(), githubToken });
   return t ? { ...extra, Authorization: `Bearer ${t}` } : extra;
 }
 async function loadConfig() {
   let file = {};
   try {
-    file = JSON.parse(await (0, import_promises.readFile)(".mmi/config.json", "utf8"));
+    file = JSON.parse(await (0, import_promises2.readFile)(".mmi/config.json", "utf8"));
   } catch {
     file = {};
   }
@@ -7579,12 +8317,16 @@ async function loadConfig() {
   return file;
 }
 var discoveredConfig = null;
+function registryDegradeError(error) {
+  return new Error(`Hub registry read failed (${error}) \u2014 board coords could not be discovered; likely transient (cold start, network, or auth blip) \u2014 retry shortly`);
+}
 async function loadConfigOrDiscover() {
   if (discoveredConfig) return discoveredConfig;
   const floor = await loadConfig();
   if (!floor.sagaApiUrl) return stripMutableBoardConfig(floor);
-  const meta = await fetchProjectBySlug(await repoSlug(), registryClientDeps(floor));
-  discoveredConfig = meta ? boardConfigFromProject(meta, floor) : stripMutableBoardConfig(floor);
+  const read = await fetchProjectBySlugChecked(await repoSlug(), registryClientDeps(floor));
+  if (!read.ok) throw registryDegradeError(read.error);
+  discoveredConfig = read.project ? boardConfigFromProject(read.project, floor) : stripMutableBoardConfig(floor);
   return discoveredConfig;
 }
 async function loadConfigForRepo(targetRepo2) {
@@ -7592,9 +8334,10 @@ async function loadConfigForRepo(targetRepo2) {
   const cwdRepo = await resolveRepo();
   if (cwdRepo && targetRepo2.toLowerCase() === cwdRepo.toLowerCase()) return loadConfigOrDiscover();
   const floor = await loadConfig();
-  const meta = await fetchProjectBySlug(slugOf(targetRepo2), registryClientDeps(floor));
-  if (!meta) return stripMutableBoardConfig(floor);
-  return boardConfigFromProject(meta, floor);
+  const read = await fetchProjectBySlugChecked(slugOf(targetRepo2), registryClientDeps(floor));
+  if (!read.ok) throw registryDegradeError(read.error);
+  if (!read.project) return stripMutableBoardConfig(floor);
+  return boardConfigFromProject(read.project, floor);
 }
 function repoFromSelector(selector) {
   const trimmed = selector.trim();
@@ -7624,21 +8367,21 @@ function sessionDeps() {
     env: process.env,
     readPersisted: () => {
       try {
-        return (0, import_node_fs5.readFileSync)(SESSION_FILE, "utf8");
+        return (0, import_node_fs6.readFileSync)(SESSION_FILE, "utf8");
       } catch {
         return null;
       }
     },
     writePersisted: (id) => persistSession(id),
     now: () => /* @__PURE__ */ new Date(),
-    rand: () => (0, import_node_crypto.randomBytes)(4).toString("hex")
+    rand: () => (0, import_node_crypto3.randomBytes)(4).toString("hex")
   };
 }
 var resolveSessionId = () => resolveSession(sessionDeps());
 function persistSession(id) {
   try {
-    (0, import_node_fs5.mkdirSync)(".mmi", { recursive: true });
-    (0, import_node_fs5.writeFileSync)(SESSION_FILE, id, "utf8");
+    (0, import_node_fs6.mkdirSync)(".mmi", { recursive: true });
+    (0, import_node_fs6.writeFileSync)(SESSION_FILE, id, "utf8");
   } catch {
   }
 }
@@ -7654,16 +8397,11 @@ async function postCapture(capture, quiet = false) {
       if (!quiet) console.error("mmi-cli saga: Hub API URL not configured");
       return;
     }
-    const res = await fetch(`${cfg.sagaApiUrl}/saga/capture`, {
+    const res = await fetchWithRetry(fetch, `${cfg.sagaApiUrl}/saga/capture`, {
       method: "POST",
-      headers: await sagaHeaders({ "content-type": "application/json" }),
-      body: JSON.stringify({ ...capture, ...await sagaKey(cfg) }),
-      // Capture latency is high + variable (server-side HEAD render); 8s dropped larger notes. Match the
-      // head-write timeout (20s) so a continuity note isn't lost to a slow/cold backend. No client retry:
-      // the capture isn't guaranteed idempotent, so a retry after a server-side-completed write could
-      // duplicate the note. Backend capture-latency root cause tracked in #255.
-      signal: AbortSignal.timeout(2e4)
-    });
+      headers: await hubHeaders({ "content-type": "application/json" }),
+      body: JSON.stringify({ ...capture, ...await sagaKey(cfg) })
+    }, { attempts: 2, timeoutMs: 2e4, retryOn: () => false });
     let message = "";
     if (!res.ok) {
       try {
@@ -7764,12 +8502,12 @@ async function applyGcPlan(plan2, remote) {
 }
 function resolveVersion() {
   try {
-    const manifest = (0, import_node_path5.join)(__dirname, "..", "..", ".claude-plugin", "plugin.json");
-    return JSON.parse((0, import_node_fs5.readFileSync)(manifest, "utf8")).version || "0.0.0";
+    const manifest = (0, import_node_path7.join)(__dirname, "..", "..", ".claude-plugin", "plugin.json");
+    return JSON.parse((0, import_node_fs6.readFileSync)(manifest, "utf8")).version || "0.0.0";
   } catch {
     try {
-      const pkg = (0, import_node_path5.join)(__dirname, "..", "package.json");
-      return JSON.parse((0, import_node_fs5.readFileSync)(pkg, "utf8")).version || "0.0.0";
+      const pkg = (0, import_node_path7.join)(__dirname, "..", "package.json");
+      return JSON.parse((0, import_node_fs6.readFileSync)(pkg, "utf8")).version || "0.0.0";
     } catch {
       return "0.0.0";
     }
@@ -7777,7 +8515,7 @@ function resolveVersion() {
 }
 function readRepoVersion() {
   try {
-    return JSON.parse((0, import_node_fs5.readFileSync)((0, import_node_path5.join)(process.cwd(), ".claude-plugin", "plugin.json"), "utf8")).version || void 0;
+    return JSON.parse((0, import_node_fs6.readFileSync)((0, import_node_path7.join)(process.cwd(), ".claude-plugin", "plugin.json"), "utf8")).version || void 0;
   } catch {
     return void 0;
   }
@@ -7874,11 +8612,11 @@ async function runRulesSync(opts, io = consoleIo) {
   for (const entry of fetched) {
     if ("error" in entry) continue;
     const { file, source } = entry;
-    const current = (0, import_node_fs5.existsSync)(file) ? await (0, import_promises.readFile)(file, "utf8") : null;
+    const current = (0, import_node_fs6.existsSync)(file) ? await (0, import_promises2.readFile)(file, "utf8") : null;
     if (needsUpdate(source, current)) {
       const slash = file.lastIndexOf("/");
-      if (slash > 0) (0, import_node_fs5.mkdirSync)(file.slice(0, slash), { recursive: true });
-      await (0, import_promises.writeFile)(file, normalizeEol(source), "utf8");
+      if (slash > 0) (0, import_node_fs6.mkdirSync)(file.slice(0, slash), { recursive: true });
+      await (0, import_promises2.writeFile)(file, normalizeEol(source), "utf8");
       changed++;
       if (!opts.quiet) io.log(`mmi-cli rules: updated ${file}`);
     }
@@ -7903,9 +8641,9 @@ async function runDocsSync(opts, io = consoleIo) {
         return null;
       }
     },
-    localContent: async (f) => (0, import_node_fs5.existsSync)(f) ? await (0, import_promises.readFile)(f, "utf8") : null,
+    localContent: async (f) => (0, import_node_fs6.existsSync)(f) ? await (0, import_promises2.readFile)(f, "utf8") : null,
     writeDoc: async (f, c) => {
-      await (0, import_promises.writeFile)(f, c, "utf8");
+      await (0, import_promises2.writeFile)(f, c, "utf8");
     }
   });
   for (const f of result.updated) io.log(`mmi-cli docs: updated ${f} (from origin/${def})`);
@@ -7917,7 +8655,7 @@ docs.command("sync").option("--quiet", "stay silent unless something changed or
 var saga = program2.command("saga").description("per-session continuity");
 async function runNote(summary, o) {
   const [sha, key] = await Promise.all([gitOut(["rev-parse", "--short", "HEAD"]), sagaKey(await loadConfig())]);
-  const capture = buildNoteCapture(summary, o, (0, import_node_crypto.randomUUID)(), { sha: sha || void 0, branch: key.branch });
+  const capture = buildNoteCapture(summary, o, (0, import_node_crypto3.randomUUID)(), { sha: sha || void 0, branch: key.branch });
   await postCapture(capture);
 }
 saga.command("note <summary>").description("record a one-line structured note into your saga (the per-turn capture)").option("--next <text>", 'set "where I left off" (NEXT)').option("--decision <text>", "append a verbatim decision").option("--queue-add <text>", "add a worklist item").option("--queue-done <n>", "mark worklist item N done").option("--verified", "mark this claim as checked against source (state: verified, else asserted)").option("--diagnostic", "isolate a probe write (state: diagnostic, source: probe) \u2014 never resume/LAST 5").option("--supersedes <key>", "retire prior decisions matching an evidence key (pr:N | file:path)").option("--anchor <intent>", "set the sprint North-Star (write-protected; needs --anchor-force to change)").option("--anchor-force", "overwrite an existing anchor").action((summary, o) => runNote(summary, o));
@@ -7931,7 +8669,7 @@ async function runSagaShow(opts, io = consoleIo) {
   try {
     const key = await sagaKey(cfg);
     const qs = opts.latestAnywhere ? "scope=anywhere" : new URLSearchParams({ project: key.project, branch: key.branch }).toString();
-    const res = await fetch(`${cfg.sagaApiUrl}/saga/head?${qs}`, { headers: await sagaHeaders(), signal: AbortSignal.timeout(3e3) });
+    const res = await fetchWithRetry(fetch, `${cfg.sagaApiUrl}/saga/head?${qs}`, { headers: await hubHeaders() }, { attempts: 2, timeoutMs: 3e3 });
     if (res.ok) {
       io.log(resumeCue());
       return io.log(await res.text());
@@ -7939,7 +8677,7 @@ async function runSagaShow(opts, io = consoleIo) {
     if (!opts.quiet) io.log(`saga show failed: HTTP ${res.status}`);
   } catch (e) {
     if (!opts.quiet) {
-      const reason = e.name === "TimeoutError" ? "backend unreachable (timed out after 3s)" : e.message;
+      const reason = e.name === "TimeoutError" ? "backend unreachable (timed out after 2 attempts)" : e.message;
       io.err(`saga show: ${reason} \u2014 continuing without saga; diagnose with \`mmi-cli saga health --json\``);
     }
   }
@@ -7948,7 +8686,7 @@ saga.command("show").option("--quiet", "no-op silently when unconfigured/unreach
 saga.command("capture").option("--quiet", "capture silently (for the Stop hook)").description("per-turn deterministic capture (Stop hook): turn boundary + current sha").action(async (opts) => {
   const hook = parseHookInput(await readStdin());
   if (hook.session_id) persistSession(hook.session_id);
-  await postCapture({ event: "stop", id: (0, import_node_crypto.randomUUID)(), source: "hook", sha: await gitOut(["rev-parse", "--short", "HEAD"]), surface: agentSurface() }, opts.quiet ?? false);
+  await postCapture({ event: "stop", id: (0, import_node_crypto3.randomUUID)(), source: "hook", sha: await gitOut(["rev-parse", "--short", "HEAD"]), surface: agentSurface() }, opts.quiet ?? false);
 });
 saga.command("session").option("--quiet", "silent (for the SessionStart hook)").description("persist the harness session id for this repo (SessionStart hook)").action(async () => {
   const hook = parseHookInput(await readStdin());
@@ -7975,7 +8713,7 @@ saga.command("head-update").option("--run", "detached worker: fetch state, run t
     if (!cfg.sagaApiUrl) return;
     const key = await sagaKey(cfg);
     const qs = new URLSearchParams(key).toString();
-    const res = await fetch(`${cfg.sagaApiUrl}/saga/state?${qs}`, { headers: await sagaHeaders(), signal: AbortSignal.timeout(8e3) });
+    const res = await fetch(`${cfg.sagaApiUrl}/saga/state?${qs}`, { headers: await hubHeaders(), signal: AbortSignal.timeout(8e3) });
     if (!res.ok) return;
     const state = await res.json();
     if (!state.actionLog?.length) return;
@@ -7983,7 +8721,7 @@ saga.command("head-update").option("--run", "detached worker: fetch state, run t
     if (!update) return;
     await fetch(`${cfg.sagaApiUrl}/saga/head`, {
       method: "POST",
-      headers: await sagaHeaders({ "content-type": "application/json" }),
+      headers: await hubHeaders({ "content-type": "application/json" }),
       body: JSON.stringify({ ...update, ...key }),
       signal: AbortSignal.timeout(2e4)
     });
@@ -8000,7 +8738,7 @@ saga.command("key").option("--json", "machine-readable output").description("pri
 });
 async function probeBackend(url) {
   try {
-    const res = await fetch(`${url}/saga/head`, { headers: await sagaHeaders(), signal: AbortSignal.timeout(8e3) });
+    const res = await fetchWithRetry(fetch, `${url}/saga/head`, { headers: await hubHeaders() }, { attempts: 3, timeoutMs: 4e3 });
     let message = "";
     try {
       const body = await res.clone().json();
@@ -8015,7 +8753,7 @@ async function probeBackend(url) {
 async function probeSagaAccess(url, key) {
   try {
     const qs = new URLSearchParams(key).toString();
-    const res = await fetch(`${url}/saga/state?${qs}`, { headers: await sagaHeaders(), signal: AbortSignal.timeout(8e3) });
+    const res = await fetch(`${url}/saga/state?${qs}`, { headers: await hubHeaders(), signal: AbortSignal.timeout(8e3) });
     return res.ok;
   } catch {
     return false;
@@ -8027,7 +8765,7 @@ async function runSagaHealth(o, io = consoleIo) {
   const key = await sagaKey(cfg, session);
   const source = session.source;
   const [identity, liveness] = await Promise.all([
-    githubLogin(),
+    hubAuthSession({ baseUrl: cfg.sagaApiUrl ?? defaultHubUrl(), githubToken }).then((s) => s?.login),
     cfg.sagaApiUrl ? probeBackend(cfg.sagaApiUrl) : Promise.resolve({ reachable: false })
   ]);
   const authorized = cfg.sagaApiUrl && liveness.reachable ? await probeSagaAccess(cfg.sagaApiUrl, key) : void 0;
@@ -8098,12 +8836,17 @@ kb.command("list [prefix]").description("list KB document paths (optionally unde
   }
 });
 async function ghCreate(args) {
+  const swapped = await bodyArgsViaFile(args);
   try {
-    const { stdout } = await execFileP4("gh", args);
+    const { stdout } = await execFileP4("gh", swapped.args, { timeout: GH_MUTATION_TIMEOUT_MS });
     return parseCreatedUrl(stdout);
   } catch (e) {
+    await swapped.cleanup();
     const err = e;
-    fail(`gh ${args[0]} create failed: ${(err.stderr || err.message || String(e)).trim()}`);
+    const note = timeoutKillNote(e, GH_MUTATION_TIMEOUT_MS);
+    fail(`gh ${args[0]} create failed: ${(err.stderr || err.message || String(e)).trim()}${note ? ` (${note})` : ""}`);
+  } finally {
+    await swapped.cleanup();
   }
 }
 async function ghJson(args, timeout = 1e4) {
@@ -8123,7 +8866,13 @@ async function resolveRepo(repo) {
 }
 async function attachToProject(issueNumber, repo, priority) {
   const targetRepo2 = await resolveRepo(repo);
-  const cfg = await loadConfigForRepo(targetRepo2);
+  let cfg;
+  try {
+    cfg = await loadConfigForRepo(targetRepo2);
+  } catch (e) {
+    console.error(`issue create: board attach skipped \u2014 ${e.message}`);
+    return void 0;
+  }
   if (!cfg.projectId) {
     console.error(`issue create: board attach skipped \u2014 no Hub registry board META for ${targetRepo2 ?? "current repo"}; run \`mmi-cli project get ${targetRepo2 ?? "<owner/repo>"}\` and backfill board coords`);
     return void 0;
@@ -8134,7 +8883,7 @@ async function attachToProject(issueNumber, repo, priority) {
     const { stdout: idOut } = await execFileP4("gh", viewArgs, { timeout: 1e4 });
     const contentId = idOut.trim();
     if (!contentId) throw new Error("could not resolve issue node id");
-    const { stdout } = await execFileP4("gh", buildAddToProjectArgs(cfg.projectId, contentId), { timeout: 1e4 });
+    const { stdout } = await execFileP4("gh", buildAddToProjectArgs(cfg.projectId, contentId), { timeout: GH_MUTATION_TIMEOUT_MS });
     const projectItemId = parseAddedItemId(stdout);
     if (projectItemId && priority) {
       try {
@@ -8153,6 +8902,7 @@ async function attachToProject(issueNumber, repo, priority) {
     return void 0;
   }
 }
+var ghRunner = async (args, timeoutMs) => (await execFileP4("gh", args, { timeout: timeoutMs })).stdout;
 function scheduleRelatedDiscovery(o) {
   try {
     const args = ["issue", "discover-related", "--number", String(o.number), "--title", o.title, "--body", o.body];
@@ -8167,39 +8917,39 @@ function scheduleRelatedDiscovery(o) {
   }
 }
 function makePlanDeps(cfg, io = consoleIo) {
-  const ensureDir = () => (0, import_node_fs5.mkdirSync)(PLANS_DIR, { recursive: true });
+  const ensureDir = () => (0, import_node_fs6.mkdirSync)(PLANS_DIR, { recursive: true });
   return {
     apiUrl: cfg.sagaApiUrl,
     fetch: (url, init = {}) => fetch(url, { ...init, signal: init.signal ?? AbortSignal.timeout(1e4) }),
-    headers: (extra) => sagaHeaders(extra),
+    headers: (extra) => hubHeaders(extra),
     project: async () => (await sagaKey(cfg)).project,
     readLocal: (slug) => {
       try {
-        return (0, import_node_fs5.readFileSync)(planPath(slug), "utf8");
+        return (0, import_node_fs6.readFileSync)(planPath(slug), "utf8");
       } catch {
         return null;
       }
     },
     writeLocal: (slug, content) => {
       ensureDir();
-      (0, import_node_fs5.writeFileSync)(planPath(slug), content, "utf8");
+      (0, import_node_fs6.writeFileSync)(planPath(slug), content, "utf8");
     },
     removeLocal: (slug) => {
       try {
-        (0, import_node_fs5.rmSync)(planPath(slug));
+        (0, import_node_fs6.rmSync)(planPath(slug));
       } catch {
       }
     },
     readMetaRaw: () => {
       try {
-        return (0, import_node_fs5.readFileSync)(META_FILE, "utf8");
+        return (0, import_node_fs6.readFileSync)(META_FILE, "utf8");
       } catch {
         return null;
       }
     },
     writeMetaRaw: (raw) => {
       ensureDir();
-      (0, import_node_fs5.writeFileSync)(META_FILE, raw, "utf8");
+      (0, import_node_fs6.writeFileSync)(META_FILE, raw, "utf8");
     },
     log: (m) => io.log(m),
     err: (m) => io.err(m),
@@ -8226,6 +8976,26 @@ async function withPlan(quiet, run, io = consoleIo) {
   }
   await run(makePlanDeps(cfg, io));
 }
+async function gatherRelevanceSignals() {
+  const branch = await gitOut(["rev-parse", "--abbrev-ref", "HEAD"]).catch(() => "") || void 0;
+  const changed = (await gitOut(["diff", "--name-only", "HEAD"]).catch(() => "")).split("\n").map((s) => s.trim()).filter(Boolean);
+  const signals = { branch, changedFiles: changed.length ? changed : void 0 };
+  const issueNum = branch?.match(/\b(\d{2,})\b/)?.[1];
+  if (issueNum) {
+    try {
+      const { stdout } = await execFileP4(
+        "gh",
+        ["issue", "view", issueNum, "--json", "title,labels", "--jq", "{title:.title,labels:[.labels[].name]}"],
+        { timeout: 1e4 }
+      );
+      const j = JSON.parse(stdout);
+      if (j.title) signals.issueTitle = j.title;
+      if (j.labels?.length) signals.issueLabels = j.labels;
+    } catch {
+    }
+  }
+  return signals;
+}
 function registerNorthStarCommands(cmd) {
   cmd.command("push <slug>").description("push a local North Star plan (plans/<slug>.md) to the server").option("--project <name>", "override the project key").option("--force", "overwrite the remote even if it changed since your last sync").action((slug, o) => withPlan(false, async (d) => {
     const ok = await planPush(d, slug, o);
@@ -8236,6 +9006,10 @@ function registerNorthStarCommands(cmd) {
     if (!ok) process.exitCode = 1;
   }));
   cmd.command("list").description("list your North Star plans (cross-device)").option("--project <name>", "filter by project").option("--json", "machine-readable output").option("--quiet", "silent when unconfigured/empty/unreachable (SessionStart hook)").action((o) => withPlan(o.quiet ?? false, (d) => planList(d, o)));
+  cmd.command("relevant").description("list North Stars relevant to your current task (branch + claimed issue + changed files)").option("--project <name>", "override the project key").option("--all", "include superseded/graduated and recent non-matching plans").option("--limit <n>", "max results (default 5)").action((o) => withPlan(false, async (d) => {
+    const signals = await gatherRelevanceSignals();
+    await relevantPlans(d, signals, { project: o.project, includeAll: o.all, limit: o.limit ? Number(o.limit) : void 0 });
+  }));
   cmd.command("open <slug>").description("pull if needed, then open plans/<slug>.md in $EDITOR").option("--project <name>", "override the project key").action(
     (slug, o) => withPlan(false, async (d) => {
       const ok = await planPull(d, slug, { project: o.project });
@@ -8270,7 +9044,7 @@ function makeSecretsDeps(cfg) {
   return {
     apiUrl: cfg.sagaApiUrl,
     fetch: (url, init = {}) => fetch(url, { ...init, signal: init.signal ?? AbortSignal.timeout(1e4) }),
-    headers: (extra) => sagaHeaders(extra),
+    headers: (extra) => hubHeaders(extra),
     // Vault paths are lowercase kebab (AGENTS.md naming); sagaKey carries the repo name's original
     // casing, which leaked mixed-case into `secrets where` output (#681).
     slug: async () => (await sagaKey(cfg)).project.toLowerCase(),
@@ -8323,7 +9097,7 @@ secrets.command("use <key>").description("print guidance on consuming a secret w
 secrets.command("grant <repo> <login> <key>").description("MASTER-ONLY: grant a project-admin standing access to a specific org-tier secret").action((repo, login, key) => withSecrets((d) => secretsGrant(d, repo, login, key, {})));
 secrets.command("revoke <repo> <login> <key>").description("MASTER-ONLY: withdraw a previously granted org-tier secret access").action((repo, login, key) => withSecrets((d) => secretsRevoke(d, repo, login, key, {})));
 function registryClientDeps(cfg) {
-  return { baseUrl: cfg.sagaApiUrl, token: githubToken };
+  return { baseUrl: cfg.sagaApiUrl, token: () => hubAuthToken({ baseUrl: cfg.sagaApiUrl, githubToken }) };
 }
 function slugOf(repoOrSlug) {
   return (repoOrSlug.includes("/") ? repoOrSlug.split("/").pop() : repoOrSlug).toLowerCase();
@@ -8343,10 +9117,20 @@ tenant.command("control <owner/repo> <stage> <action>").description("run bounded
   const res = await tenantControl({ repo, stage: stage2, action }, registryClientDeps(cfg));
   reportWrite("tenant control", res);
 });
+tenant.command("redeploy <owner/repo> <stage>").description("re-dispatch the central tenant-deploy.yml for an already-promoted ref (no re-tag/merge); train-authority gated").option("--ref <ref>", "ref to deploy (defaults to the stage branch rc/main \u2014 the promoted ref)").option("--watch", "block on the dispatched run and report its outcome (gh run watch --exit-status)").option("--json", "machine-readable output").action(async (repo, stage2, o) => {
+  if (stage2 !== "rc" && stage2 !== "main") return fail("tenant redeploy: <stage> must be rc or main");
+  try {
+    const result = await runTenantRedeploy(trainApplyDeps(), { repo, stage: stage2, ref: o.ref, watch: o.watch });
+    return printLine(o.json ? JSON.stringify(result, null, 2) : renderTenantRedeploy(result));
+  } catch (e) {
+    return fail(`tenant redeploy: ${e.message}`);
+  }
+});
 async function v2ReadinessDeps(cfg) {
   const reg = registryClientDeps(cfg);
   return {
-    getProject: (slug) => fetchProjectBySlug(slug, reg),
+    // Checked read (#727/#733): the doctor distinguishes a FAILED read (degraded report) from a 404.
+    getProject: (slug) => fetchProjectBySlugChecked(slug, reg),
     hasDeployCoords: async (slug, stage2) => {
       const status = await fetchDeployStatusBySlug(slug, reg);
       return Boolean(status?.stages[stage2]);
@@ -8359,11 +9143,10 @@ async function v2ReadinessDeps(cfg) {
       const apiUrl = cfg.sagaApiUrl;
       if (!apiUrl) throw new Error("Hub API URL not configured \u2014 cannot verify secret names (set sagaApiUrl)");
       const qs = new URLSearchParams({ repo: targetRepo2 }).toString();
-      const res = await fetch(`${apiUrl.replace(/\/$/, "")}/secrets/list?${qs}`, {
+      const res = await fetchWithRetry(fetch, `${apiUrl.replace(/\/$/, "")}/secrets/list?${qs}`, {
         method: "GET",
-        headers: await sagaHeaders(),
-        signal: AbortSignal.timeout(8e3)
-      });
+        headers: await hubHeaders()
+      }, { attempts: 2, timeoutMs: 5e3 });
       if (!res.ok) throw new Error(`secrets list failed for ${targetRepo2}: HTTP ${res.status}`);
       const body = await res.json();
       return (body.secrets ?? []).map((s) => s.key).filter(Boolean);
@@ -8377,15 +9160,25 @@ async function updateV2ReadinessIssue(repo, report, healed) {
   const issues = JSON.parse(list.stdout || "[]");
   const existing = issues.find((i) => i.title.toLowerCase().includes("v2 readiness"));
   if (!existing) {
-    const created = await execFileP4("gh", ["issue", "create", "--repo", repo, "--title", title, "--body", freshBody, "--label", "feature"], { timeout: 2e4 });
-    const url = created.stdout.trim();
-    const number = Number(url.match(/\/issues\/(\d+)$/)?.[1] ?? 0);
-    return { number, url, action: "created" };
+    const create = await bodyArgsViaFile(["issue", "create", "--repo", repo, "--title", title, "--body", freshBody, "--label", "feature"]);
+    try {
+      const created = await execFileP4("gh", create.args, { timeout: GH_MUTATION_TIMEOUT_MS });
+      const url = created.stdout.trim();
+      const number = Number(url.match(/\/issues\/(\d+)$/)?.[1] ?? 0);
+      return { number, url, action: "created" };
+    } finally {
+      await create.cleanup();
+    }
   }
   const view = await execFileP4("gh", ["issue", "view", String(existing.number), "--repo", repo, "--json", "body,url", "--jq", "{body:.body,url:.url}"], { timeout: 2e4 });
   const current = JSON.parse(view.stdout || "{}");
   const nextBody = renderReadinessIssueBody(current.body ?? "", report, { healed });
-  await execFileP4("gh", ["issue", "edit", String(existing.number), "--repo", repo, "--body", nextBody], { timeout: 2e4 });
+  const edit = await bodyArgsViaFile(["issue", "edit", String(existing.number), "--repo", repo, "--body", nextBody]);
+  try {
+    await execFileP4("gh", edit.args, { timeout: GH_MUTATION_TIMEOUT_MS });
+  } finally {
+    await edit.cleanup();
+  }
   return { number: existing.number, url: current.url ?? `https://github.com/${repo}/issues/${existing.number}`, action: "updated" };
 }
 var project = program2.command("project").description("the DDB org registry \u2014 list/get projects (any member); attest is project-admin; set is master-only");
@@ -8412,9 +9205,14 @@ project.command("get [owner/repo]").description("a project's META (board ids + p
   } catch (e) {
     return fail(e.message);
   }
-  const meta = await fetchProjectBySlug(slugOf(target), registryClientDeps(cfg));
-  if (!meta) return fail(`project get: no registry META for ${target} (unknown, unbootstrapped, or Hub unreachable)`);
-  console.log(JSON.stringify(meta));
+  const read = await fetchProjectBySlugChecked(slugOf(target), registryClientDeps(cfg));
+  if (!read.ok) {
+    return fail(`project get: Hub registry read failed (${read.error}) \u2014 likely transient (cold start, network, or auth blip); retry shortly`);
+  }
+  if (!read.project) {
+    return fail(`project get: no registry META for ${target} (unknown or unbootstrapped)`);
+  }
+  console.log(JSON.stringify(read.project));
 });
 project.command("resolve <owner/repo>").description("deploy coords for a stage \u2014 for diagnosis. NOTE: /deploy-coords is OIDC-gated (a deploy job\u2019s id-token), so a gh-token CLI cannot read it from a dev machine").option("--stage <main|rc>", "deploy stage", "main").option("--json", "machine-readable output").action((_repoOrRepo, o) => {
   const msg = "project resolve: deploy coords are served only to a deploy workflow (GitHub OIDC id-token, repo-scoped). A gh-token CLI on a dev machine cannot read /deploy-coords; inspect the DEPLOY# item via the AWS console / a master DDB read instead.";
@@ -8487,7 +9285,7 @@ project.command("attest [owner/repo]").description("attest this repo's app-owned
   const res = await attestAppGaps(slugOf(target), repo, registryClientDeps(cfg));
   reportWrite("project attest", res);
 });
-project.command("set [owner/repo]").description("MASTER-ONLY: upsert a project META (idempotent merge; defaults to the current repo; no clobber of unspecified fields)").option("--class <class>", "deployable | content").option("--project-type <type>", `${PROJECT_TYPES.join(" | ")} (v2 capability shape)`).option("--deploy-model <model>", `${DEPLOY_MODELS.join(" | ")} (release/deploy path; none means no Hub deploy registration)`).option("--var <KEY=VALUE...>", "META field to set (repeatable): name, division, projectId, branch, wikiRepo, vaultPath, kbPointer").option("--unset <KEY...>", "META field to remove (repeatable): oauth, requiredRuntimeSecrets, edgeDomains, requiredGcpApis, publishRequired").option("--clear-web-profile", "remove web-only registry fields (oauth, edgeDomains) for non-web/content projects").option("--json", "machine-readable output").action(async (repoOrSlug, o) => {
+project.command("set [owner/repo]").description("MASTER-ONLY: upsert a project META (idempotent merge; defaults to the current repo; no clobber of unspecified fields)").option("--class <class>", "deployable | content").option("--project-type <type>", `${PROJECT_TYPES.join(" | ")} (v2 capability shape)`).option("--deploy-model <model>", `${DEPLOY_MODELS.join(" | ")} (release/deploy path; none means no Hub deploy registration)`).option("--var <KEY=VALUE...>", 'META field to set (repeatable): name, division, projectId, branch, wikiRepo, vaultPath, kbPointer, requiredRuntimeSecrets (JSON stage map, e.g. {"dev":["KEY"],"rc":["KEY"],"main":["KEY"]})').option("--unset <KEY...>", "META field to remove (repeatable): oauth, requiredRuntimeSecrets, edgeDomains, requiredGcpApis, publishRequired").option("--clear-web-profile", "remove web-only registry fields (oauth, edgeDomains) for non-web/content projects").option("--json", "machine-readable output").action(async (repoOrSlug, o) => {
   const cfg = await loadConfig();
   let target;
   try {
@@ -8586,14 +9384,15 @@ oauth.command("verify").description("probe Google authorize with an arbitrary po
   if (mismatch) process.exitCode = 1;
 });
 var issue = program2.command("issue").description("issues \u2014 reliable create with structured output");
-issue.command("create").description("create an issue (type \u2192 label) and print {number,url,label} JSON").requiredOption("--type <type>", "bug | feature | task (sets the matching label)").requiredOption("--title <title>", "issue title").option("--body <body>", "issue body (markdown)").option("--body-file <path|->", "read issue body from a UTF-8 file, or from stdin with -").requiredOption("--priority <priority>", "urgent | high | medium | low (label + board Priority field when configured)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--label <label...>", "extra label(s) to attach (repeatable; auto-created if missing)").option("--no-related", "skip the auto related-issues comment").action(async (o) => {
+issue.command("create").description("create an issue (type \u2192 label) and print {number,url,label} JSON").requiredOption("--type <type>", "bug | feature | task (sets the matching label)").requiredOption("--title <title>", "issue title").option("--body <body>", "issue body (markdown)").option("--body-file <path|->", "read issue body from a UTF-8 file, or from stdin with -").requiredOption("--priority <priority>", "urgent | high | medium | low (label + board Priority field when configured)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--label <label...>", "extra label(s) to attach (repeatable; auto-created if missing)").option("--parent <ref>", "file as a native sub-issue of this parent (#123, owner/repo#123, or URL)").option("--no-related", "skip the auto related-issues comment").action(async (o) => {
   let args;
   let priority;
   let body;
   try {
-    body = await resolveIssueBody({ body: o.body, bodyFile: o.bodyFile }, { readFile: import_promises.readFile, readStdin });
+    body = await resolveIssueBody({ body: o.body, bodyFile: o.bodyFile }, { readFile: import_promises2.readFile, readStdin });
     priority = normalizePriority(o.priority);
     args = buildIssueArgs({ type: o.type, title: o.title, body, priority, repo: o.repo, labels: o.label });
+    if (o.parent !== void 0) parseIssueRef(o.parent);
   } catch (e) {
     return fail(`issue create: ${e.message}`);
   }
@@ -8601,14 +9400,26 @@ issue.command("create").description("create an issue (type \u2192 label) and pri
     const la = ["label", "create", label, "--color", "ededed"];
     if (o.repo) la.push("--repo", o.repo);
     try {
-      await execFileP4("gh", la, { timeout: 1e4 });
+      await execFileP4("gh", la, { timeout: GH_MUTATION_TIMEOUT_MS });
     } catch {
     }
   }
   const created = await ghCreate(args);
   const projectItemId = await attachToProject(created.number, o.repo, priority);
+  let parent;
+  let parentLinkError;
+  if (o.parent !== void 0) {
+    try {
+      parent = await linkSubIssue(ghRunner, o.parent, created.url, o.repo);
+    } catch (e) {
+      const err = e;
+      parentLinkError = (err.stderr || err.message || String(e)).trim();
+      process.stderr.write(`warning: issue #${created.number} created but NOT linked under ${o.parent}: ${parentLinkError}
+`);
+    }
+  }
   if (o.related !== false) scheduleRelatedDiscovery({ repo: o.repo, number: created.number, title: o.title, body });
-  console.log(JSON.stringify({ ...created, label: o.type, priority, projectItemId }));
+  console.log(JSON.stringify({ ...created, label: o.type, priority, projectItemId, ...parentLinkFields(parent, parentLinkError) }));
 });
 issue.command("discover-related").description("find related issues for an existing issue and post only high-confidence links").requiredOption("--number <number>", "created issue number").requiredOption("--title <title>", "created issue title").requiredOption("--body <body>", "created issue body").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--json", "print candidates instead of posting").action(async (o) => {
   const number = Number(o.number);
@@ -8641,10 +9452,21 @@ issue.command("discover-related").description("find related issues for an existi
       "comments"
     ]);
     if (viewed.comments.some((comment) => comment.body.includes(relatedMarker(number)))) return;
-    await execFileP4("gh", ["issue", "comment", String(number), "--repo", repo, "--body", buildRelatedComment(number, candidates)], { timeout: 1e4 });
+    await execFileP4("gh", ["issue", "comment", String(number), "--repo", repo, "--body", buildRelatedComment(number, candidates)], { timeout: GH_MUTATION_TIMEOUT_MS });
   } catch {
   }
 });
+issue.command("link-child <parent> <child>").description("link an existing issue as a native sub-issue of a parent and print {parentNumber,subIssueNumber,totalCount} JSON").option("--repo <owner/repo>", "repo for bare refs on either side (defaults to the current repo)").action(async (parentRef, childRef, o) => {
+  const defaultRepo = await resolveRepo(o.repo);
+  try {
+    const result = await linkSubIssue(ghRunner, parentRef, childRef, defaultRepo);
+    console.log(JSON.stringify(result));
+  } catch (e) {
+    const err = e;
+    const note = timeoutKillNote(e, GH_MUTATION_TIMEOUT_MS);
+    return fail(`issue link-child: ${(err.stderr || err.message || String(e)).trim()}${note ? ` (${note})` : ""}`);
+  }
+});
 program2.command("report").description("file a friction report on the Hub board (GitHub auth, dedups open reports) and print {number,url} JSON").requiredOption("--title <title>", "one-line friction summary").option("--body <body>", "report body (markdown)").option("--body-file <path|->", "read report body from a UTF-8 file, or from stdin with -").option("--type <type>", "bug | feature | task (sets the matching label)", "task").option("--priority <priority>", "urgent | high | medium | low (board Priority field when configured)", "medium").option("--repo <owner/repo>", `target repo (defaults to the org Hub: ${HUB_REPO})`).option("--force", "file a new issue even when an open report looks like a duplicate").option("--json", "machine-readable output (already the default \u2014 report always prints JSON; #682)").action(async (o) => {
   let body;
   let priority;
@@ -8652,7 +9474,7 @@ program2.command("report").description("file a friction report on the Hub board
   const targetRepo2 = o.repo ?? HUB_REPO;
   const sourceRepo = await resolveRepo(void 0);
   try {
-    body = await resolveIssueBody({ body: o.body, bodyFile: o.bodyFile }, { readFile: import_promises.readFile, readStdin });
+    body = await resolveIssueBody({ body: o.body, bodyFile: o.bodyFile }, { readFile: import_promises2.readFile, readStdin });
     priority = normalizePriority(o.priority);
     args = buildIssueArgs({
       type: o.type,
@@ -8687,7 +9509,7 @@ program2.command("report").description("file a friction report on the Hub board
     const dup = findDuplicateReport({ title: o.title, body }, openReports);
     if (dup) {
       try {
-        await execFileP4("gh", ["issue", "comment", String(dup.number), "--repo", targetRepo2, "--body", buildDupComment(dup.number, body, sourceRepo)], { timeout: 1e4 });
+        await execFileP4("gh", ["issue", "comment", String(dup.number), "--repo", targetRepo2, "--body", buildDupComment(dup.number, body, sourceRepo)], { timeout: GH_MUTATION_TIMEOUT_MS });
       } catch (e) {
         const err = e;
         return fail(`report: duplicate of #${dup.number} (${dup.url}) but the +1 comment failed: ${(err.stderr || err.message || String(e)).trim()}`);
@@ -8696,7 +9518,7 @@ program2.command("report").description("file a friction report on the Hub board
     }
   }
   try {
-    await execFileP4("gh", ["label", "create", REPORT_LABEL, "--color", "ededed", "--repo", targetRepo2], { timeout: 1e4 });
+    await execFileP4("gh", ["label", "create", REPORT_LABEL, "--color", "ededed", "--repo", targetRepo2], { timeout: GH_MUTATION_TIMEOUT_MS });
   } catch {
   }
   const created = await ghCreate(args);
@@ -8704,8 +9526,14 @@ program2.command("report").description("file a friction report on the Hub board
   console.log(JSON.stringify({ ...created, deduped: false, label: REPORT_LABEL, priority, projectItemId }));
 });
 var pr = program2.command("pr").description("pull requests \u2014 reliable create with structured output");
-pr.command("create").description("create a PR and print {number,url} JSON").requiredOption("--title <title>", "PR title").requiredOption("--body <body>", "PR body (markdown)").option("--base <branch>", "base branch (defaults to the repo default)").option("--head <branch>", "head branch (defaults to the current branch)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action(async (o) => {
-  const created = await ghCreate(buildPrArgs({ title: o.title, body: o.body, base: o.base, head: o.head, repo: o.repo }));
+pr.command("create").description("create a PR and print {number,url} JSON").requiredOption("--title <title>", "PR title").option("--body <body>", "PR body (markdown)").option("--body-file <path|->", "read PR body from a UTF-8 file, or from stdin with -").option("--base <branch>", "base branch (defaults to the repo default)").option("--head <branch>", "head branch (defaults to the current branch)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action(async (o) => {
+  let body;
+  try {
+    body = await resolveIssueBody({ body: o.body, bodyFile: o.bodyFile }, { readFile: import_promises2.readFile, readStdin });
+  } catch (e) {
+    return fail(`pr create: ${e.message}`);
+  }
+  const created = await ghCreate(buildPrArgs({ title: o.title, body, base: o.base, head: o.head, repo: o.repo }));
   console.log(JSON.stringify(created));
 });
 async function remoteBranchExists(branch) {
@@ -8717,6 +9545,20 @@ async function remoteBranchExists(branch) {
     return void 0;
   }
 }
+var COMPOSE_TIMEOUT_MS = 12e4;
+function teardownWorktreeStage(worktreePath) {
+  return runWorktreeStageTeardown(worktreePath, {
+    hasStageState: (wt) => (0, import_node_fs6.existsSync)(stageStatePath(wt)),
+    stopRecordedStage: async (wt) => (await stopStage({ cwd: wt })).pid,
+    listComposeProjects: async () => {
+      const { stdout } = await execFileP4("docker", ["compose", "ls", "--all", "--format", "json"], { timeout: GC_GH_TIMEOUT_MS });
+      return parseComposeLs(stdout);
+    },
+    composeDown: async (project2) => {
+      await execFileP4("docker", ["compose", "-p", project2, "down", "-v"], { timeout: COMPOSE_TIMEOUT_MS });
+    }
+  });
+}
 pr.command("merge <number>").description("merge a PR (squash by default) and clean up its branch + worktree \u2014 no leftover local branch").option("--squash", "squash merge (default)").option("--merge", "create a merge commit").option("--rebase", "rebase merge").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action(async (number, o) => {
   const method = o.rebase ? "--rebase" : o.merge ? "--merge" : "--squash";
   const repoArgs = o.repo ? ["--repo", o.repo] : [];
@@ -8728,12 +9570,14 @@ pr.command("merge <number>").description("merge a PR (squash by default) and cle
   const remoteBefore = repoArgs.length ? void 0 : await remoteBranchExists(headRef);
   let remoteDeleteAttempted = false;
   let remoteNotAttemptedReason = repoArgs.length ? "repo-option" : void 0;
-  await execFileP4("gh", ["pr", "merge", number, ...repoArgs, method, "--delete-branch"], { timeout: GC_GH_TIMEOUT_MS }).catch((e) => {
+  await execFileP4("gh", ["pr", "merge", number, ...repoArgs, method, "--delete-branch"], { timeout: GH_MUTATION_TIMEOUT_MS }).catch((e) => {
     const message = String(e.message || "");
     if (/already been merged/i.test(message)) {
       remoteNotAttemptedReason = "pr-already-merged";
       return;
     }
+    const note = timeoutKillNote(e, GH_MUTATION_TIMEOUT_MS);
+    if (note) throw new Error(`gh pr merge ${number}: ${note}`);
     if (!/used by worktree|cannot delete branch/i.test(message)) throw e;
   });
   if (!remoteNotAttemptedReason) remoteDeleteAttempted = true;
@@ -8751,7 +9595,8 @@ pr.command("merge <number>").description("merge a PR (squash by default) and cle
   } : await cleanupPrMergeLocalBranch(headRef, {
     beforeWorktrees,
     startingPath,
-    execGit: async (args) => (await execFileP4("git", args, { timeout: GIT_TIMEOUT_MS })).stdout
+    execGit: async (args) => (await execFileP4("git", args, { timeout: GIT_TIMEOUT_MS })).stdout,
+    teardownWorktreeStage
   });
   console.log(JSON.stringify({
     merged: number,
@@ -8867,16 +9712,50 @@ function rawValues(flag) {
   return out;
 }
 function printLine(value) {
-  (0, import_node_fs5.writeSync)(1, `${value}
+  (0, import_node_fs6.writeSync)(1, `${value}
 `);
 }
 function stageKeepAlive() {
   return setTimeout(() => void 0, 5 * 60 * 1e3);
 }
+async function resolveStage() {
+  const cfg = await loadConfig();
+  const local = cfg.stage;
+  const read = await fetchProjectBySlugChecked(await repoSlug(), registryClientDeps(cfg)).catch((e) => ({ ok: false, error: e.message }));
+  const project2 = read.ok ? read.project : null;
+  const portRangeMeta = project2?.portRange ?? void 0;
+  const portRange = portRangeMeta && typeof portRangeMeta.start === "number" && typeof portRangeMeta.end === "number" ? [portRangeMeta.start, portRangeMeta.end] : void 0;
+  return decideStage({
+    local,
+    shell: shellFor(),
+    registry: { deployModel: project2?.deployModel, portRange, error: read.ok ? void 0 : read.error },
+    hasCompose: (0, import_node_fs6.existsSync)((0, import_node_path7.join)(process.cwd(), "docker-compose.yml")),
+    hasEnvExample: (0, import_node_fs6.existsSync)((0, import_node_path7.join)(process.cwd(), ".env.example"))
+  });
+}
+function stageStepsFor(res, stops = true) {
+  if (res.source === "derived" && res.derived) return derivedStagePlan(res.derived, shellFor(), stops);
+  if (res.source === "local") return stagePlan(res.config ?? {}, stops);
+  return [{ label: `no local stage to run \u2014 ${res.gap ?? "stage config gap"}` }];
+}
+function staleStageNote(res) {
+  if (!res.staleIgnored) return null;
+  const fields = res.staleFields ?? [];
+  const list = fields.join(", ");
+  const label = fields.length > 1 ? `fields ${list}` : `field ${list || "build/up"}`;
+  if (res.source === "local") {
+    return `note: POSIX-only .mmi stage ${label} ignored on PowerShell \u2014 kept the rest of the local recipe`;
+  }
+  return `note: stale POSIX-only .mmi stage ${label} ignored on PowerShell \u2014 using the registry-derived default`;
+}
+function reportedStageUrl(res, result) {
+  if (!res.derived) return void 0;
+  return result.port != null ? stageUrlForPort(result.port) : res.derived.url;
+}
 program2.command("port-range <repo>").description("assign (idempotently) + print the repo's local stage port block via the atomic ORG#config.portCursor allocator (committed-file fallback)").option("--json", "machine-readable output").action(async (repo, o) => {
-  const path2 = (0, import_node_path5.join)(process.cwd(), "infra", "port-ranges.json");
+  const path2 = (0, import_node_path7.join)(process.cwd(), "infra", "port-ranges.json");
   const allocate = async (seed) => {
-    const { stdout } = await execFileP4("node", [(0, import_node_path5.join)(process.cwd(), "infra", "port-ddb.mjs"), String(seed)], { timeout: 15e3 });
+    const { stdout } = await execFileP4("node", [(0, import_node_path7.join)(process.cwd(), "infra", "port-ddb.mjs"), String(seed)], { timeout: 15e3 });
     const parsed = JSON.parse(stdout);
     if (!Array.isArray(parsed.range) || parsed.range.length !== 2) throw new Error("port-ddb: no range in output");
     return parsed.range;
@@ -8885,20 +9764,27 @@ program2.command("port-range <repo>").description("assign (idempotently) + print
   printLine(o.json ? JSON.stringify({ repo, portRange: [start, end] }) : `${repo}: stage.portRange [${start}, ${end}]`);
 });
 var stage = program2.command("stage").description("plan or run the repo local stage environment").option("--json", "machine-readable output").option("--apply", "run the full local stage: stop previous, build, start, health-check").option("--timeout-ms <ms>", "bounded build/health timeout", "60000").action(async (o) => {
-  const cfg = (await loadConfig()).stage;
+  const res = await resolveStage();
   if (o.apply) {
+    if (res.source === "none") return fail(`stage: ${res.gap}`);
+    const cfg = res.config ?? res.derived.config;
     const hold = stageKeepAlive();
     try {
       const result = await runStage(cfg, { timeoutMs: Number(o.timeoutMs || 6e4) });
-      return printLine(o.json ? JSON.stringify(result) : `mmi-cli stage: ${result.message}`);
+      const reportUrl = reportedStageUrl(res, result);
+      const url = reportUrl ? ` \u2014 ${reportUrl}` : "";
+      return printLine(o.json ? JSON.stringify({ ...result, source: res.source, url: reportUrl }) : `mmi-cli stage: ${result.message}${url}`);
     } catch (e) {
       return fail(`stage: ${e.message}`);
     } finally {
       clearTimeout(hold);
     }
   }
-  const steps = stagePlan(cfg);
-  console.log(o.json ? JSON.stringify({ command: "stage", steps }, null, 2) : renderSteps("mmi-cli stage: dry-run plan", steps));
+  const steps = stageStepsFor(res);
+  if (o.json) return console.log(JSON.stringify({ command: "stage", source: res.source, url: res.derived?.url, staleIgnored: res.staleIgnored, staleFields: res.staleFields, registryError: res.registryError, steps }, null, 2));
+  const note = staleStageNote(res);
+  if (note) printLine(note);
+  console.log(renderSteps("mmi-cli stage: dry-run plan", steps));
 });
 stage.command("stop").description("stop the previous local stage process recorded in tmp/stage/state.json").option("--json", "machine-readable output").option("--apply", "kill the recorded process tree and remove the state file").action(async () => {
   const o = { json: rawFlag("--json"), apply: rawFlag("--apply") };
@@ -8915,11 +9801,16 @@ stage.command("stop").description("stop the previous local stage process recorde
 });
 stage.command("start").description("start the configured local stage process and optionally wait for health").option("--json", "machine-readable output").option("--apply", "start the configured stage.up process").option("--timeout-ms <ms>", "bounded health timeout", "60000").action(async () => {
   const o = { json: rawFlag("--json"), apply: rawFlag("--apply"), timeoutMs: rawValue("--timeout-ms", "60000") };
-  const cfg = (await loadConfig()).stage;
+  const res = await resolveStage();
   if (!o.apply) {
-    const steps = [{ label: "start local stage", command: cfg?.up || "(no stage.up configured)" }];
-    return printLine(o.json ? JSON.stringify({ command: "stage start", steps }, null, 2) : renderSteps("mmi-cli stage start: dry-run plan", steps));
-  }
+    const steps = stageStepsFor(res, false);
+    if (o.json) return printLine(JSON.stringify({ command: "stage start", source: res.source, url: res.derived?.url, staleIgnored: res.staleIgnored, staleFields: res.staleFields, registryError: res.registryError, steps }, null, 2));
+    const note = staleStageNote(res);
+    if (note) printLine(note);
+    return printLine(renderSteps("mmi-cli stage start: dry-run plan", steps));
+  }
+  if (res.source === "none") return fail(`stage start: ${res.gap}`);
+  const cfg = res.config ?? res.derived.config;
   try {
     const hold = stageKeepAlive();
     let printed = false;
@@ -8928,10 +9819,12 @@ stage.command("start").description("start the configured local stage process and
         timeoutMs: Number(o.timeoutMs || 6e4),
         onReady: (ready) => {
           printed = true;
-          printLine(o.json ? JSON.stringify(ready) : `mmi-cli stage start: ${ready.message}`);
+          const reportUrl = reportedStageUrl(res, ready);
+          const url = reportUrl ? ` \u2014 ${reportUrl}` : "";
+          printLine(o.json ? JSON.stringify({ ...ready, source: res.source, url: reportUrl }) : `mmi-cli stage start: ${ready.message}${url}`);
         }
       });
-      if (!printed) printLine(o.json ? JSON.stringify(result) : `mmi-cli stage start: ${result.message}`);
+      if (!printed) printLine(o.json ? JSON.stringify({ ...result, source: res.source, url: reportedStageUrl(res, result) }) : `mmi-cli stage start: ${result.message}`);
     } finally {
       clearTimeout(hold);
     }
@@ -8941,11 +9834,16 @@ stage.command("start").description("start the configured local stage process and
 });
 stage.command("run").description("force-stop previous stage, build, start, and health-check").option("--json", "machine-readable output").option("--apply", "run the configured stage sequence").option("--timeout-ms <ms>", "bounded build/health timeout", "60000").action(async () => {
   const o = { json: rawFlag("--json"), apply: rawFlag("--apply"), timeoutMs: rawValue("--timeout-ms", "60000") };
-  const cfg = (await loadConfig()).stage;
+  const res = await resolveStage();
   if (!o.apply) {
-    const steps = stagePlan(cfg);
-    return printLine(o.json ? JSON.stringify({ command: "stage run", steps }, null, 2) : renderSteps("mmi-cli stage run: dry-run plan", steps));
-  }
+    const steps = stageStepsFor(res);
+    if (o.json) return printLine(JSON.stringify({ command: "stage run", source: res.source, url: res.derived?.url, staleIgnored: res.staleIgnored, staleFields: res.staleFields, registryError: res.registryError, steps }, null, 2));
+    const note = staleStageNote(res);
+    if (note) printLine(note);
+    return printLine(renderSteps("mmi-cli stage run: dry-run plan", steps));
+  }
+  if (res.source === "none") return fail(`stage run: ${res.gap}`);
+  const cfg = res.config ?? res.derived.config;
   try {
     const hold = stageKeepAlive();
     let printed = false;
@@ -8953,12 +9851,14 @@ stage.command("run").description("force-stop previous stage, build, start, and h
       const result = await runStage(cfg, {
         timeoutMs: Number(o.timeoutMs || 6e4),
         onReady: (ready) => {
-          const runReady = { ...ready, action: "run", message: `built and ${ready.message}` };
+          const reportUrl = reportedStageUrl(res, ready);
+          const url = reportUrl ? ` \u2014 ${reportUrl}` : "";
+          const runReady = { ...ready, action: "run", source: res.source, url: reportUrl, message: `built and ${ready.message}${url}` };
           printed = true;
           printLine(o.json ? JSON.stringify(runReady) : `mmi-cli stage run: ${runReady.message}`);
         }
       });
-      if (!printed) printLine(o.json ? JSON.stringify(result) : `mmi-cli stage run: ${result.message}`);
+      if (!printed) printLine(o.json ? JSON.stringify({ ...result, source: res.source, url: reportedStageUrl(res, result) }) : `mmi-cli stage run: ${result.message}`);
     } finally {
       clearTimeout(hold);
     }
@@ -8971,8 +9871,37 @@ program2.command("stage-live").description("explain that remote rc/live environm
   const steps = stageLivePlan();
   console.log(o.json ? JSON.stringify({ command: "stage-live", steps }, null, 2) : renderSteps("mmi-cli stage-live: not an org command", steps));
 });
+var GH_TRAIN_TIMEOUT_MS = 3e4;
+var GH_RUN_WATCH_TIMEOUT_MS = 20 * 6e4;
+function trainApplyDeps() {
+  return {
+    run: async (file, args) => {
+      const timeout = file !== "gh" ? GIT_TIMEOUT_MS : args[0] === "run" && args[1] === "watch" ? GH_RUN_WATCH_TIMEOUT_MS : GH_TRAIN_TIMEOUT_MS;
+      return (await execFileP4(file, args, { timeout })).stdout;
+    },
+    runSelf: async (args) => (await execFileP4(process.execPath, [process.argv[1], ...args], { timeout: 3e4 })).stdout,
+    trainAuthority: async (repo) => {
+      const verdict = await fetchTrainAuthority(repo, registryClientDeps(await loadConfig()));
+      return verdict.ok ? { ok: true, role: verdict.authority.role, train: verdict.authority.train } : verdict;
+    }
+  };
+}
+function renderDeployLine(d) {
+  const parts = [d.dispatch];
+  if (d.runUrl) parts.push(`run ${d.runUrl}`);
+  if (d.deployStatus === "success") parts.push("deploy: SUCCEEDED");
+  else if (d.deployStatus === "failure") parts.push("deploy: FAILED (promotion stands; retry the deploy, do not re-tag)");
+  else if (d.runId != null) parts.push(`deploy: dispatched (watch: gh run watch ${d.runId} --repo mutmutco/MMI-Hub --exit-status)`);
+  return parts.join("; ");
+}
+function renderTrainApply(commandName, r) {
+  return `mmi-cli ${commandName}: promoted ${r.repo} \u2192 ${r.stage} at ${r.tag} [${r.deployModel}]; ${renderDeployLine(r)}`;
+}
+function renderTenantRedeploy(r) {
+  return `mmi-cli tenant redeploy: ${r.repo} ${r.stage} (ref=${r.ref}) [${r.deployModel}]; ${renderDeployLine(r)}`;
+}
 for (const commandName of ["rcand", "release", "hotfix"]) {
-  program2.command(commandName).description(`plan ${commandName} train operations; mutations require explicit master-admin approval`).option("--json", "machine-readable output").option("--apply", commandName === "hotfix" ? "reserved; hotfix uses the /hotfix skill PR path" : "execute the guarded master-only train after explicit approval").action(async (o) => {
+  program2.command(commandName).description(`plan ${commandName} train operations; mutations require explicit master-admin approval`).option("--json", "machine-readable output").option("--watch", "block on the dispatched tenant-deploy.yml run and report its outcome (tenant-container)").option("--apply", commandName === "hotfix" ? "reserved; hotfix uses the /hotfix skill PR path" : "execute the guarded master-only train after explicit approval").action(async (o) => {
     try {
       await requireFreshTrainCli(commandName);
     } catch (e) {
@@ -8981,16 +9910,8 @@ for (const commandName of ["rcand", "release", "hotfix"]) {
     if (o.apply) {
       if (commandName === "hotfix") return fail("hotfix: CLI apply is reserved; use the /hotfix skill PR path after explicit master-admin approval");
       try {
-        const result = await runTrainApply(commandName, {
-          run: async (file, args) => (await execFileP4(file, args, { timeout: file === "gh" ? 3e4 : GIT_TIMEOUT_MS })).stdout,
-          runSelf: async (args) => (await execFileP4(process.execPath, [process.argv[1], ...args], { timeout: 3e4 })).stdout,
-          trainAuthority: async (repo) => {
-            const verdict = await fetchTrainAuthority(repo, registryClientDeps(await loadConfig()));
-            return verdict.ok ? { ok: true, role: verdict.authority.role, train: verdict.authority.train } : verdict;
-          }
-        });
-        const message = `mmi-cli ${commandName}: applied ${result.repo} ${result.stage} train at ${result.tag} [${result.deployModel}]; ${result.dispatch}`;
-        return printLine(o.json ? JSON.stringify(result, null, 2) : message);
+        const result = await runTrainApply(commandName, trainApplyDeps(), { watch: o.watch });
+        return printLine(o.json ? JSON.stringify(result, null, 2) : renderTrainApply(commandName, result));
       } catch (e) {
         return fail(`${commandName}: ${e.message}`);
       }
@@ -9010,13 +9931,14 @@ bootstrap.command("verify <repo>").description("audit whether an existing repo i
   const o = { class: rawValue("--class", "deployable"), json: rawFlag("--json") };
   if (o.class !== "deployable" && o.class !== "content") return fail("bootstrap verify: --class must be deployable or content");
   const cfg = await loadConfig();
-  const apiProjects = await fetchProjectsJson({ baseUrl: cfg.sagaApiUrl, token: githubToken });
+  const reg = registryClientDeps(cfg);
+  const apiProjects = await fetchProjectsJson(reg);
   const slug = (repo.includes("/") ? repo.split("/")[1] : repo).toLowerCase();
-  const meta = await fetchProjectBySlug(slug, { baseUrl: cfg.sagaApiUrl, token: githubToken });
+  const meta = await fetchProjectBySlug(slug, reg);
   const report = await verifyBootstrap(repo, o.class, {
     client: defaultGitHubClient(),
     projectMeta: meta,
-    readLocalFile: (path2) => path2 === "projects.json" && apiProjects != null ? apiProjects : (0, import_node_fs5.existsSync)(path2) ? (0, import_node_fs5.readFileSync)(path2, "utf8") : null,
+    readLocalFile: (path2) => path2 === "projects.json" && apiProjects != null ? apiProjects : (0, import_node_fs6.existsSync)(path2) ? (0, import_node_fs6.readFileSync)(path2, "utf8") : null,
     // requiredGcpApis is stored as an array by a JSON write, but `project set --var KEY=VALUE` stores a raw
     // comma-string — accept either so the seeded value verifies regardless of how it was written.
     requiredGcpApis: (() => {
@@ -9057,12 +9979,12 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
     return fail(`bootstrap apply: ${e.message}`);
   }
   const manifestPath = "skills/bootstrap/seeds/manifest.json";
-  if (!(0, import_node_fs5.existsSync)(manifestPath)) return fail(`bootstrap apply: ${manifestPath} not found; run from the MMI-Hub repo root`);
-  const manifest = loadBootstrapSeeds((0, import_node_fs5.readFileSync)(manifestPath, "utf8"));
+  if (!(0, import_node_fs6.existsSync)(manifestPath)) return fail(`bootstrap apply: ${manifestPath} not found; run from the MMI-Hub repo root`);
+  const manifest = loadBootstrapSeeds((0, import_node_fs6.readFileSync)(manifestPath, "utf8"));
   const baseBranch = o.class === "content" ? "main" : "development";
   const slug = parsedRepo.slug;
   const gh = async (args) => execFileP4("gh", args, { timeout: 2e4 });
-  const readFile2 = (p) => (0, import_node_fs5.existsSync)(p) ? (0, import_node_fs5.readFileSync)(p, "utf8") : null;
+  const readFile2 = (p) => (0, import_node_fs6.existsSync)(p) ? (0, import_node_fs6.readFileSync)(p, "utf8") : null;
   const enc = (p) => p.split("/").map(encodeURIComponent).join("/");
   const vars = {};
   for (const value of rawValues("--var")) {
@@ -9135,7 +10057,7 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
   }
   if (o.execute) {
     const cfg = await loadConfig();
-    const res = await registerProject(registerPayload, { baseUrl: cfg.sagaApiUrl, token: githubToken });
+    const res = await registerProject(registerPayload, registryClientDeps(cfg));
     if (res.ok) {
       ddbWrites.push({ slug: registerPayload.slug, action: "register", record: registerPayload });
       applied.push(`ddb register ${registerPayload.slug}`);
@@ -9186,16 +10108,16 @@ access.command("audit").description("audit collaborator roles + train-branch pus
     if (o.class !== "deployable" && o.class !== "content") return fail("access audit: --class must be deployable or content");
     targets = [{ repo: o.repo, class: o.class }];
   } else {
-    const projectsJson = registryProjects ? JSON.stringify({ projects: registryProjects }) : (0, import_node_fs5.existsSync)("projects.json") ? (0, import_node_fs5.readFileSync)("projects.json", "utf8") : null;
+    const projectsJson = registryProjects ? JSON.stringify({ projects: registryProjects }) : (0, import_node_fs6.existsSync)("projects.json") ? (0, import_node_fs6.readFileSync)("projects.json", "utf8") : null;
     if (!projectsJson) return fail("access audit: no project registry \u2014 Hub API unreachable and projects.json not found; run from the MMI-Hub repo root or pass --repo <owner/repo>");
-    const fanoutJson = (0, import_node_fs5.existsSync)(".github/fanout-targets.json") ? (0, import_node_fs5.readFileSync)(".github/fanout-targets.json", "utf8") : null;
+    const fanoutJson = (0, import_node_fs6.existsSync)(".github/fanout-targets.json") ? (0, import_node_fs6.readFileSync)(".github/fanout-targets.json", "utf8") : null;
     targets = loadAccessTargets(projectsJson, fanoutJson);
   }
   const derivedMatrix = registryProjects ? accessMatrixFromProjects(registryProjects) : {};
-  const fileMatrix = (0, import_node_fs5.existsSync)("access-matrix.json") ? loadAccessMatrix((0, import_node_fs5.readFileSync)("access-matrix.json", "utf8")) : {};
+  const fileMatrix = (0, import_node_fs6.existsSync)("access-matrix.json") ? loadAccessMatrix((0, import_node_fs6.readFileSync)("access-matrix.json", "utf8")) : {};
   const matrix = mergeAccessMatrix(fileMatrix, derivedMatrix);
   const derivedContracts = registryProjects ? dataAccessContractsFromProjects(registryProjects) : { consumers: {} };
-  const fileContracts = (0, import_node_fs5.existsSync)("data-access-contracts.json") ? loadDataAccessContracts((0, import_node_fs5.readFileSync)("data-access-contracts.json", "utf8")) : { consumers: {} };
+  const fileContracts = (0, import_node_fs6.existsSync)("data-access-contracts.json") ? loadDataAccessContracts((0, import_node_fs6.readFileSync)("data-access-contracts.json", "utf8")) : { consumers: {} };
   const dataAccess = mergeDataAccessContracts(fileContracts, derivedContracts);
   const report = await auditOrgAccess(targets, deps, matrix, dataAccess);
   console.log(o.json ? JSON.stringify(report, null, 2) : renderAccessReport(report));
@@ -9204,18 +10126,18 @@ access.command("audit").description("audit collaborator roles + train-branch pus
 var isWin = process.platform === "win32";
 var installedPluginsPath = (surface = detectSurface(process.env)) => {
   const homeDir = surface === "codex" ? ".codex" : ".claude";
-  return (0, import_node_path5.join)((0, import_node_os.homedir)(), homeDir, "plugins", "installed_plugins.json");
+  return (0, import_node_path7.join)((0, import_node_os3.homedir)(), homeDir, "plugins", "installed_plugins.json");
 };
 function readInstalledPlugins() {
   try {
-    return JSON.parse((0, import_node_fs5.readFileSync)(installedPluginsPath(), "utf8"));
+    return JSON.parse((0, import_node_fs6.readFileSync)(installedPluginsPath(), "utf8"));
   } catch {
     return null;
   }
 }
 function readClaudeSettings() {
   try {
-    return JSON.parse((0, import_node_fs5.readFileSync)((0, import_node_path5.join)(process.cwd(), ".claude", "settings.json"), "utf8"));
+    return JSON.parse((0, import_node_fs6.readFileSync)((0, import_node_path7.join)(process.cwd(), ".claude", "settings.json"), "utf8"));
   } catch {
     return null;
   }
@@ -9237,7 +10159,7 @@ function writeProjectInstallRecord(record) {
     const list = file.plugins[MMI_PLUGIN_ID] ?? [];
     list.push(record);
     file.plugins[MMI_PLUGIN_ID] = list;
-    (0, import_node_fs5.writeFileSync)(installedPluginsPath(), `${JSON.stringify(file, null, 2)}
+    (0, import_node_fs6.writeFileSync)(installedPluginsPath(), `${JSON.stringify(file, null, 2)}
 `, "utf8");
     return true;
   } catch {
@@ -9250,9 +10172,9 @@ function backupAndWriteInstalledPlugins(records, pluginId) {
     if (!file) return false;
     if (!file.plugins) file.plugins = {};
     const path2 = installedPluginsPath();
-    (0, import_node_fs5.copyFileSync)(path2, `${path2}.bak`);
+    (0, import_node_fs6.copyFileSync)(path2, `${path2}.bak`);
     file.plugins[pluginId] = records;
-    (0, import_node_fs5.writeFileSync)(path2, `${JSON.stringify(file, null, 2)}
+    (0, import_node_fs6.writeFileSync)(path2, `${JSON.stringify(file, null, 2)}
 `, "utf8");
     return true;
   } catch {
@@ -9261,14 +10183,14 @@ function backupAndWriteInstalledPlugins(records, pluginId) {
 }
 function mmiPluginCacheRootSnapshots() {
   const roots = [
-    { surface: "claude", root: (0, import_node_path5.join)((0, import_node_os.homedir)(), ".claude", "plugins", "cache", "mmi", "mmi") },
-    { surface: "codex", root: (0, import_node_path5.join)((0, import_node_os.homedir)(), ".codex", "plugins", "cache", "mmi", "mmi") }
+    { surface: "claude", root: (0, import_node_path7.join)((0, import_node_os3.homedir)(), ".claude", "plugins", "cache", "mmi", "mmi") },
+    { surface: "codex", root: (0, import_node_path7.join)((0, import_node_os3.homedir)(), ".codex", "plugins", "cache", "mmi", "mmi") }
   ];
   return roots.flatMap(({ surface, root }) => {
     try {
-      const entries = (0, import_node_fs5.readdirSync)(root, { withFileTypes: true }).map((entry) => ({
+      const entries = (0, import_node_fs6.readdirSync)(root, { withFileTypes: true }).map((entry) => ({
         name: entry.name,
-        path: (0, import_node_path5.join)(root, entry.name),
+        path: (0, import_node_path7.join)(root, entry.name),
         isDirectory: entry.isDirectory()
       }));
       return [{ surface, root, entries }];
@@ -9278,10 +10200,10 @@ function mmiPluginCacheRootSnapshots() {
   });
 }
 function uniqueQuarantineTarget(path2) {
-  if (!(0, import_node_fs5.existsSync)(path2)) return path2;
+  if (!(0, import_node_fs6.existsSync)(path2)) return path2;
   for (let i = 1; i < 100; i += 1) {
     const candidate = `${path2}-${i}`;
-    if (!(0, import_node_fs5.existsSync)(candidate)) return candidate;
+    if (!(0, import_node_fs6.existsSync)(candidate)) return candidate;
   }
   return `${path2}-${Date.now()}`;
 }
@@ -9289,27 +10211,27 @@ function quarantinePluginCacheDirs(plan2) {
   let moved = 0;
   for (const move of plan2) {
     try {
-      if (!(0, import_node_fs5.existsSync)(move.from)) continue;
+      if (!(0, import_node_fs6.existsSync)(move.from)) continue;
       const target = uniqueQuarantineTarget(move.to);
-      (0, import_node_fs5.mkdirSync)((0, import_node_path5.dirname)(target), { recursive: true });
-      (0, import_node_fs5.renameSync)(move.from, target);
+      (0, import_node_fs6.mkdirSync)((0, import_node_path7.dirname)(target), { recursive: true });
+      (0, import_node_fs6.renameSync)(move.from, target);
       moved += 1;
     } catch {
     }
   }
   return moved;
 }
-var gitignorePath = () => (0, import_node_path5.join)(process.cwd(), ".gitignore");
+var gitignorePath = () => (0, import_node_path7.join)(process.cwd(), ".gitignore");
 function readGitignore() {
   try {
-    return (0, import_node_fs5.readFileSync)(gitignorePath(), "utf8");
+    return (0, import_node_fs6.readFileSync)(gitignorePath(), "utf8");
   } catch {
     return null;
   }
 }
 function writeGitignore(content) {
   try {
-    (0, import_node_fs5.writeFileSync)(gitignorePath(), content, "utf8");
+    (0, import_node_fs6.writeFileSync)(gitignorePath(), content, "utf8");
     return true;
   } catch {
     return false;
@@ -9345,7 +10267,7 @@ async function runDoctor(opts, io = consoleIo) {
   let onPath = pathProbe;
   if (!onPath) {
     const root = process.env.CLAUDE_PLUGIN_ROOT;
-    if (root && (0, import_node_fs5.existsSync)(`${root}/bin/mmi-cli${isWin ? ".cmd" : ""}`)) onPath = true;
+    if (root && (0, import_node_fs6.existsSync)(`${root}/bin/mmi-cli${isWin ? ".cmd" : ""}`)) onPath = true;
   }
   checks.push({ ok: onPath, label: "mmi-cli on PATH", fix: "auto-provisioned at session start \u2014 reopen the session, or install the MMI plugin" });
   const surface = detectSurface(process.env);
@@ -9390,7 +10312,12 @@ async function runDoctor(opts, io = consoleIo) {
   if (!gitignoreCheck.ok && gitignoreCheck.contentToWrite && !opts.json && !opts.banner) {
     if (writeGitignore(gitignoreCheck.contentToWrite)) {
       gitignoreCheck = { ...gitignoreCheck, ok: true };
-      io.err("  \u21BB repaired: enforced .gitignore managed block (.playwright-mcp/, .claude/worktrees/, /*.png)");
+      const drift = gitignoreCheck.seeded ? "inserted the org-managed block" : [
+        gitignoreCheck.added?.length ? `added ${gitignoreCheck.added.join(", ")}` : "",
+        gitignoreCheck.removed?.length ? `removed ${gitignoreCheck.removed.join(", ")}` : ""
+      ].filter(Boolean).join("; ") || "normalized the block";
+      io.err(`  \u21BB repaired: org-managed .gitignore block \u2014 ${drift}`);
+      io.err("     this is an org-managed update (not unrelated churn) \u2014 stage & commit .gitignore so it stops recurring");
     }
   }
   checks.push(gitignoreCheck);
@@ -9462,24 +10389,22 @@ async function runDoctor(opts, io = consoleIo) {
 ${gaps.length} item(s) need attention.` : "\nAll set \u2014 you are ready.");
 }
 program2.command("doctor").description("check onboarding gates (GitHub auth, mmi-cli on PATH, Hub API default, plugin git clone, plugin install record, .gitignore managed block, plugin config drift, installed plugin version) and print fixes").option("--banner", "one-line resume summary; silent when all gates pass").option("--guide", "print the MMI Agentic Onboarding guide URL").option("--json", "machine-readable output").action((opts) => runDoctor(opts));
-program2.command("session-start").description("run the SessionStart verbs (rules/docs sync, saga session+show, plan list, saga health, doctor) in one process").action(async () => {
+program2.command("session-start").description("run the SessionStart verbs (rules sync, saga session+show, saga health, doctor) in one process; docs sync runs detached").action(async () => {
   try {
     const hook = parseHookInput(await readStdin());
     if (hook.session_id) persistSession(hook.session_id);
   } catch (e) {
     console.error(`[mmi-hook] saga session failed: ${e.message}`);
   }
-  const parallel = [
-    { name: "rules sync", run: (io) => runRulesSync({ quiet: true }, io) },
-    { name: "docs sync", run: (io) => runDocsSync({ quiet: true }, io) },
-    { name: "saga show", run: (io) => runSagaShow({ quiet: true }, io) },
-    { name: "plan list", run: (io) => withPlan(true, (d) => planList(d, { quiet: true }), io) },
-    { name: "saga health", run: (io) => runSagaHealth({ banner: true, quiet: true }, io) }
-  ];
-  const sequential = [
-    { name: "doctor", run: (io) => runDoctor({ banner: true }, io) }
-  ];
+  spawnDetachedSelf(["docs", "sync", "--quiet"], { spawn: import_node_child_process6.spawn, execPath: process.execPath, scriptPath: process.argv[1] });
+  const { parallel, sequential } = buildSessionStartPlan({
+    rulesSync: (io) => runRulesSync({ quiet: true }, io),
+    sagaShow: (io) => runSagaShow({ quiet: true }, io),
+    sagaHealth: (io) => runSagaHealth({ banner: true, quiet: true }, io),
+    doctor: (io) => runDoctor({ banner: true }, io)
+  });
   await runSessionStart(parallel, sequential, consoleIo);
+  consoleIo.log(northstarPointer());
 });
 function fail(msg) {
   console.error(`mmi-cli ${msg}`);