@mutmutco/cli 2.12.0 → 2.14.0

package/dist/index.cjs

@@ -3393,8 +3393,8 @@ var program = new Command();
 
 // src/index.ts
 var import_promises2 = require("node:fs/promises");
-var import_node_fs5 = require("node:fs");
-var import_node_crypto2 = require("node:crypto");
+var import_node_fs6 = require("node:fs");
+var import_node_crypto3 = require("node:crypto");
 
 // src/rules-sync.ts
 function normalizeEol(s) {
@@ -3501,8 +3501,8 @@ function parseHookInput(stdin) {
 // src/index.ts
 var import_node_child_process6 = require("node:child_process");
 var import_node_util6 = require("node:util");
-var import_node_path6 = require("node:path");
-var import_node_os2 = require("node:os");
+var import_node_path7 = require("node:path");
+var import_node_os3 = require("node:os");
 
 // src/saga-head-maintainer.ts
 var import_node_child_process2 = require("node:child_process");
@@ -3827,10 +3827,10 @@ function defaultHubUrl() {
 function buildHealth(i) {
   const problems = [];
   if (!i.sagaApiUrl) problems.push("Hub API URL not configured");
-  if (!i.identity) problems.push("no GitHub identity (gh auth token / GH_TOKEN)");
+  if (!i.identity) problems.push("no Hub session identity (run `gh auth login`, then retry)");
   if (!i.reachable) problems.push("saga backend unreachable");
   if (i.reachable && i.livenessStatus === 403 && i.livenessMessage === "Forbidden") {
-    problems.push("saga API route-level 403 from GitHubAuthorizer cache/policy");
+    problems.push("saga API route-level 403 from HubSessionAuthorizer/session policy");
   }
   if (i.reachable && i.authorized === false) problems.push("saga backend rejected authenticated state access");
   if (!i.key.sessionId || i.key.sessionId === "-") problems.push("unsafe session id");
@@ -3887,7 +3887,7 @@ async function fetchWithRetry(fetchImpl, url, init, opts = {}) {
 
 // src/saga-note.ts
 var AGENT_SURFACE_TOKENS = ["claude", "codex", "cursor", "gemini"];
-var ROUTE_LEVEL_403 = "saga API route-level 403 from GitHubAuthorizer cache/policy";
+var ROUTE_LEVEL_403 = "saga API route-level 403 from HubSessionAuthorizer/session policy";
 function agentSurface(env = process.env) {
   const surface = env.MMI_AGENT_SURFACE?.trim() || (env.CODEX_THREAD_ID?.trim() && !env.CLAUDE_SESSION_ID?.trim() ? "codex" : "claude");
   if (AGENT_SURFACE_TOKENS.includes(surface)) return surface;
@@ -4064,6 +4064,72 @@ Related work discovered by mmi-cli:
 ${lines.join("\n")}`;
 }
 
+// src/sub-issue.ts
+function parseIssueRef(ref) {
+  const trimmed = ref.trim();
+  const url = trimmed.match(/^https:\/\/github\.com\/([^/]+\/[^/]+)\/issues\/(\d+)$/i);
+  if (url) return { repo: url[1], number: Number(url[2]) };
+  const qualified = trimmed.match(/^([^/\s#]+\/[^/\s#]+)#(\d+)$/);
+  if (qualified) return { repo: qualified[1], number: Number(qualified[2]) };
+  const bare = trimmed.match(/^#?(\d+)$/);
+  if (bare) return { number: Number(bare[1]) };
+  throw new Error(`invalid issue reference "${ref}" \u2014 expected #123, 123, owner/repo#123, or an issue URL`);
+}
+function buildResolveIdArgs(ref) {
+  const args = ["issue", "view", String(ref.number), "--json", "id", "--jq", ".id"];
+  if (ref.repo) args.push("--repo", ref.repo);
+  return args;
+}
+function buildAddSubIssueArgs(parentId, subIssueId) {
+  if (!parentId) throw new Error("addSubIssue: parentId is required");
+  if (!subIssueId) throw new Error("addSubIssue: subIssueId is required");
+  return [
+    "api",
+    "graphql",
+    "-f",
+    "query=mutation($p:ID!,$c:ID!){addSubIssue(input:{issueId:$p,subIssueId:$c}){issue{number subIssues{totalCount}} subIssue{number}}}",
+    "-f",
+    `p=${parentId}`,
+    "-f",
+    `c=${subIssueId}`
+  ];
+}
+function parseAddSubIssueResult(stdout) {
+  try {
+    const issue2 = JSON.parse(stdout)?.data?.addSubIssue;
+    const parentNumber = issue2?.issue?.number;
+    const subIssueNumber = issue2?.subIssue?.number;
+    const totalCount = issue2?.issue?.subIssues?.totalCount;
+    if (typeof parentNumber !== "number" || typeof subIssueNumber !== "number") return void 0;
+    return { parentNumber, subIssueNumber, totalCount: typeof totalCount === "number" ? totalCount : 0 };
+  } catch {
+    return void 0;
+  }
+}
+var RESOLVE_ID_TIMEOUT_MS = 1e4;
+async function resolveIssueNodeId(runGh, ref, fallbackRepo) {
+  const resolved = ref.repo ? ref : { ...ref, repo: fallbackRepo };
+  const id = (await runGh(buildResolveIdArgs(resolved), RESOLVE_ID_TIMEOUT_MS)).trim();
+  if (!id) throw new Error(`could not resolve node id for issue #${ref.number}${resolved.repo ? ` in ${resolved.repo}` : ""}`);
+  return id;
+}
+async function linkSubIssue(runGh, parentRef, childRef, defaultRepo) {
+  const parent = parseIssueRef(parentRef);
+  const child = parseIssueRef(childRef);
+  const parentId = await resolveIssueNodeId(runGh, parent, defaultRepo);
+  const subIssueId = await resolveIssueNodeId(runGh, child, defaultRepo);
+  const stdout = await runGh(buildAddSubIssueArgs(parentId, subIssueId), GH_MUTATION_TIMEOUT_MS);
+  const result = parseAddSubIssueResult(stdout);
+  if (!result) throw new Error(`addSubIssue returned an unexpected response:
+${stdout.trim() || "(empty)"}`);
+  return result;
+}
+function parentLinkFields(result, error) {
+  if (result) return { parent: result };
+  if (error) return { parentLinkError: error };
+  return {};
+}
+
 // src/report.ts
 var HUB_REPO = "mutmutco/MMI-Hub";
 var REPORT_LABEL = "report";
@@ -4997,6 +5063,99 @@ function parseWorktreePorcelain(stdout) {
 function samePath(a, b) {
   return a.replace(/\\/g, "/").replace(/\/+$/, "").toLowerCase() === b.replace(/\\/g, "/").replace(/\/+$/, "").toLowerCase();
 }
+function normPath(p) {
+  return p.replace(/\\/g, "/").replace(/\/+$/, "").toLowerCase();
+}
+function parseComposeLs(stdout) {
+  const text = stdout.trim();
+  if (!text) return [];
+  const rows = [];
+  const pushIfObject = (v) => {
+    if (v && typeof v === "object" && !Array.isArray(v)) rows.push(v);
+  };
+  try {
+    const parsed = JSON.parse(text);
+    if (Array.isArray(parsed)) parsed.forEach(pushIfObject);
+    else pushIfObject(parsed);
+  } catch {
+    for (const line of text.split(/\r?\n/)) {
+      const trimmed = line.trim();
+      if (!trimmed) continue;
+      try {
+        pushIfObject(JSON.parse(trimmed));
+      } catch {
+      }
+    }
+  }
+  return rows.map((row) => {
+    const name = typeof row.Name === "string" ? row.Name.trim() : "";
+    if (!name) return null;
+    const raw = typeof row.ConfigFiles === "string" ? row.ConfigFiles : "";
+    const configFiles = raw.split(",").map((f) => f.trim()).filter(Boolean);
+    return { name, configFiles };
+  }).filter((p) => Boolean(p));
+}
+function selectWorktreeComposeProjects(worktreePath, projects) {
+  const root = normPath(worktreePath);
+  if (!root) return [];
+  const names = [];
+  for (const project2 of projects) {
+    const inside = project2.configFiles.some((file) => {
+      const f = normPath(file);
+      return f === root || f.startsWith(`${root}/`);
+    });
+    if (inside && !names.includes(project2.name)) names.push(project2.name);
+  }
+  return names;
+}
+function deriveComposeProjectName(worktreePath) {
+  const norm = normPath(worktreePath);
+  if (!norm) return void 0;
+  const base = norm.slice(norm.lastIndexOf("/") + 1);
+  const name = base.replace(/[^a-z0-9_-]+/g, "_").replace(/^[^a-z0-9]+/, "");
+  return name || void 0;
+}
+function planWorktreeComposeTeardown(worktreePath, discovered, hasStageState) {
+  const names = [...discovered];
+  if (!hasStageState && discovered.length === 0) return names;
+  const recovery = deriveComposeProjectName(worktreePath);
+  if (recovery && !names.includes(recovery)) names.push(recovery);
+  return names;
+}
+async function runWorktreeStageTeardown(worktreePath, deps) {
+  const hasStageState = deps.hasStageState(worktreePath);
+  const stoppedPid = hasStageState ? await deps.stopRecordedStage(worktreePath).catch(() => void 0) : void 0;
+  let discovered;
+  try {
+    discovered = selectWorktreeComposeProjects(worktreePath, await deps.listComposeProjects());
+  } catch {
+    return { status: stoppedPid != null ? "torn-down" : "none", stoppedPid };
+  }
+  const projects = planWorktreeComposeTeardown(worktreePath, discovered, hasStageState);
+  const brought = [];
+  const failed = [];
+  const errors = [];
+  for (const project2 of projects) {
+    try {
+      await deps.composeDown(project2);
+      brought.push(project2);
+    } catch (e) {
+      failed.push(project2);
+      errors.push(`docker compose -p ${project2} down -v: ${errorMessage(e)}`);
+    }
+  }
+  if (failed.length) {
+    return {
+      status: "failed",
+      stoppedPid,
+      composeProjects: brought.length ? brought : void 0,
+      failedProjects: failed,
+      error: errors.join("; ")
+    };
+  }
+  if (stoppedPid == null && brought.length === 0) return { status: "none" };
+  return { status: "torn-down", stoppedPid, composeProjects: brought.length ? brought : void 0 };
+}
 function selectPrMergeCleanupWorktree(branch, before, after, startingPath) {
   if (!branch) return void 0;
   const current = after.find((w) => w.branch === branch)?.path;
@@ -5042,15 +5201,24 @@ async function cleanupPrMergeLocalBranch(branch, options) {
   const safeCwd = selectSafeWorktreeCwd([...afterWorktrees, ...beforeWorktrees], wtPath);
   const git = (args) => safeCwd ? options.execGit(["-C", safeCwd, ...args]) : options.execGit(args);
   if (wtPath) {
+    let stageTeardown;
+    if (options.teardownWorktreeStage) {
+      try {
+        stageTeardown = await options.teardownWorktreeStage(wtPath);
+      } catch (e) {
+        stageTeardown = { status: "failed", error: errorMessage(e) };
+      }
+    }
     try {
       await git(["worktree", "remove", "--force", wtPath]);
-      report.worktree = { path: wtPath, status: "removed" };
+      report.worktree = { path: wtPath, status: "removed", stageTeardown };
     } catch (e) {
       report.worktree = {
         path: wtPath,
         status: "failed",
         error: errorMessage(e),
-        safeCleanupCommand: safeWorktreeRemoveCommand(safeCwd, wtPath)
+        safeCleanupCommand: safeWorktreeRemoveCommand(safeCwd, wtPath),
+        stageTeardown
       };
       report.localBranch = { name: branch, status: "not-attempted", reason: "worktree-removal-failed" };
       return report;
@@ -5100,14 +5268,28 @@ function formatGcPlan(plan2, apply) {
 }
 
 // src/command-plans.ts
-function stagePlan(stage2 = {}) {
+function stagePlan(stage2 = {}, stops = true) {
   return [
-    { label: "force-kill previous local stage", command: "mmi-cli stage stop --apply" },
+    ...stops ? [{ label: "force-kill previous local stage", command: "mmi-cli stage stop --apply" }] : [],
     { label: "run local build", command: stage2.build || "(no stage.build configured)" },
     { label: "start local stage", command: stage2.up || "(no stage.up configured)" },
     { label: "check health", command: stage2.healthUrl ? `curl --fail ${stage2.healthUrl}` : "(no stage.healthUrl configured)" }
   ];
 }
+function derivedStagePlan(derived, shell2, stops = true) {
+  const { port } = derived;
+  const envOrder = ["MMI_STAGE", "MMI_PORT", "PORT", "COMPOSE_PROFILES"];
+  const resolved = { MMI_STAGE: "development", MMI_PORT: String(port), PORT: String(port), COMPOSE_PROFILES: "local" };
+  const ensureEnv = shell2 === "powershell" ? `if (-not (Test-Path -LiteralPath '.env')) { Copy-Item -LiteralPath '.env.example' -Destination '.env' }` : `[ -f .env ] || cp .env.example .env`;
+  const up = shell2 === "powershell" ? `${envOrder.map((k) => `$env:${k}='${resolved[k]}'`).join("; ")}; docker compose up -d --build` : `${envOrder.map((k) => `${k}=${resolved[k]}`).join(" ")} docker compose up -d --build`;
+  const health = shell2 === "powershell" ? `curl.exe --fail ${derived.url}` : `curl --fail ${derived.url}`;
+  return [
+    ...stops ? [{ label: "force-kill previous local stage", command: "mmi-cli stage stop --apply" }] : [],
+    { label: "bootstrap .env from .env.example", command: ensureEnv },
+    { label: `start local stage on port ${port} (registry portRange)`, command: up },
+    { label: `check health at ${derived.url}`, command: health }
+  ];
+}
 function stageLivePlan() {
   return [
     { label: "stage-live is not an org command; /stage is local only", command: "mmi-cli stage run --apply" },
@@ -5123,7 +5305,8 @@ function trainPlan(command) {
       { label: "preflight required rc secret names", command: "mmi-cli secrets preflight --stage rc --repo <owner/repo>", gated: true },
       { label: "for Hub distribution changes, verify the release bump is already landed before touching rc", command: "node scripts/release-distribution.mjs verify <release-tag> --skip-npm-view", gated: true },
       { label: "merge development to rc", gated: true },
-      { label: "trigger the deploy path for this repo model", command: "tenant-container: gh workflow run tenant-deploy.yml ...; hub-serverless: no manual dispatch, deploy.yml auto-fires on rc push", gated: true }
+      { label: "trigger the deploy path for this repo model, returning the Hub Actions run id/url (and, with --watch, its outcome)", command: "tenant-container: gh workflow run tenant-deploy.yml ... then gh run list/watch; hub-serverless: no manual dispatch, deploy.yml auto-fires on rc push", gated: true },
+      { label: "after a failed deploy, retry the existing rc ref (no re-tag/merge)", command: "mmi-cli tenant redeploy <owner/repo> rc --watch", gated: true }
     ];
   }
   if (command === "release") {
@@ -5135,7 +5318,7 @@ function trainPlan(command) {
       { label: "merge rc to main", gated: true },
       { label: "for Hub distribution changes, verify the promoted SHA carries the release bump", command: "node scripts/release-distribution.mjs verify <release-tag> --skip-npm-view", gated: true },
       { label: "tag release and publish GitHub Release", gated: true },
-      { label: "trigger the deploy path for this repo model", command: "tenant-container: gh workflow run tenant-deploy.yml ...; hub-serverless: no manual dispatch, deploy.yml + publish.yml auto-fire on the release", gated: true },
+      { label: "trigger the deploy path for this repo model, returning the Hub Actions run id/url (and, with --watch, its outcome)", command: "tenant-container: gh workflow run tenant-deploy.yml ... then gh run list/watch; hub-serverless: no manual dispatch, deploy.yml + publish.yml auto-fire on the release", gated: true },
       { label: "roll development forward", gated: true }
     ];
   }
@@ -5160,6 +5343,114 @@ function bootstrapPlan(repo, repoClass) {
   ];
 }
 
+// src/stage-default.ts
+function shellFor(platform = process.platform) {
+  return platform === "win32" ? "powershell" : "bash";
+}
+function deriveStageGap(inputs) {
+  const missing = [];
+  if (inputs.deployModel !== "tenant-container") {
+    return `local stage default applies to tenant-container repos only (registry deployModel = ${inputs.deployModel ?? "unset"})`;
+  }
+  if (!inputs.hasCompose) missing.push("docker-compose.yml");
+  if (!inputs.hasEnvExample) missing.push(".env.example");
+  if (!inputs.portRange) missing.push("Hub registry portRange");
+  return missing.length ? `cannot derive a default local stage \u2014 missing: ${missing.join(", ")}` : null;
+}
+function deriveStage(inputs) {
+  if (deriveStageGap(inputs) || !inputs.portRange) return null;
+  const port = inputs.portRange[0];
+  const config = {
+    up: "docker compose up -d --build",
+    healthUrl: "http://127.0.0.1:$STAGE_PORT/",
+    // A generic compose app's landing route is unknown (e.g. MM-Website serves /tr/), so "the server
+    // answered" — any HTTP status — is the health signal, not a 2xx on the bare root.
+    healthAnyStatus: true,
+    portRange: inputs.portRange,
+    ensureEnv: { example: ".env.example", target: ".env" },
+    env: {
+      MMI_STAGE: "development",
+      MMI_PORT: "$STAGE_PORT",
+      PORT: "$STAGE_PORT",
+      COMPOSE_PROFILES: "local"
+    }
+  };
+  return { config, port, url: stageUrlForPort(port) };
+}
+function stageUrlForPort(port) {
+  return `http://127.0.0.1:${port}/`;
+}
+var POSIX_ONLY = [
+  /(^|[^&|])&&([^&]|$)/,
+  // && chaining (cmd.exe uses it too, but PowerShell <7 / the typical agent shell does not)
+  /\|\|/,
+  // || chaining
+  // `VAR=value cmd` LEADING env prefix only — anchored to a command boundary (start-of-string or after a
+  // ; & | separator) so it never fires on a flag value mid-command (`-e DEBUG=true app`, `--env X=y svc`),
+  // which are valid cross-shell. The value excludes separators so it can't span past the command boundary.
+  /(?:^|[;&|])\s*[A-Za-z_][A-Za-z0-9_]*=[^\s;&|]+\s+\S/,
+  /(^|[\s;&|])(cp|rm|mv|ln|cat|touch|export)\s/
+  // bare POSIX file/env builtins
+];
+function looksPosixOnly(command) {
+  if (!command?.trim()) return false;
+  return POSIX_ONLY.some((re) => re.test(command));
+}
+function stalePosixFields(config, shell2) {
+  if (shell2 !== "powershell") return [];
+  const fields = [];
+  if (looksPosixOnly(config?.build)) fields.push("build");
+  if (looksPosixOnly(config?.up)) fields.push("up");
+  return fields;
+}
+function sanitizeLocalStage(local, stale) {
+  if (!stale.length) return local;
+  const clean2 = { ...local };
+  for (const field of stale) delete clean2[field];
+  return clean2;
+}
+function staleNote(staleFields, outcome) {
+  const list = staleFields.join(", ");
+  const plural = staleFields.length > 1 ? "fields" : "field";
+  return `local .mmi stage ${plural} ${list} ${staleFields.length > 1 ? "are" : "is"} POSIX-only and unusable on PowerShell \u2014 ${outcome}`;
+}
+function decideStage(inputs) {
+  const { local, shell: shell2, registry: registry2, hasCompose, hasEnvExample } = inputs;
+  const staleFields = stalePosixFields(local, shell2);
+  const stale = staleFields.length > 0;
+  const upStale = staleFields.includes("up");
+  if (local?.up?.trim() && !upStale) {
+    if (!stale) return { source: "local", config: local };
+    return {
+      source: "local",
+      config: sanitizeLocalStage(local, staleFields),
+      staleIgnored: true,
+      staleFields,
+      gap: staleNote(staleFields, `kept the cross-shell parts of the local recipe and ignored ${staleFields.join(", ")}`)
+    };
+  }
+  const deriveInputs = {
+    portRange: registry2.portRange,
+    deployModel: registry2.deployModel,
+    hasCompose,
+    hasEnvExample
+  };
+  const derived = deriveStage(deriveInputs);
+  if (derived) {
+    return {
+      source: "derived",
+      derived,
+      registryError: registry2.error,
+      staleIgnored: stale || void 0,
+      staleFields: stale ? staleFields : void 0
+    };
+  }
+  const registryGap = registry2.error ? `Hub registry read failed (${registry2.error}) \u2014 cannot derive a default local stage` : null;
+  const baseGap = registryGap ?? deriveStageGap(deriveInputs);
+  const gap = stale ? `local .mmi stage recipe is POSIX-only (${staleFields.join(", ")}) and unusable on PowerShell; ${baseGap ?? "no registry-derived default available"}` : baseGap ?? "no stage.up configured and no registry-derived default available";
+  return { source: "none", gap, staleIgnored: stale || void 0, staleFields: stale ? staleFields : void 0, registryError: registry2.error };
+}
+
 // src/bootstrap-seeds.ts
 var PLACEHOLDER_RE = /\{\{([A-Z0-9_]+)\}\}/g;
 function loadBootstrapSeeds(manifestJson) {
@@ -5204,6 +5495,7 @@ var MANAGED_GITIGNORE_LINES = [
   ".claude/worktrees/",
   ".mmi/.session",
   ".mmi/head-ts/",
+  ".aws-sam/",
   "/*.png"
 ];
 function renderManagedGitignoreBlock() {
@@ -5237,6 +5529,23 @@ ${block}
   }
   return { content: next, changed: src !== next };
 }
+function diffManagedGitignoreBlock(current) {
+  const lines = (current ?? "").replace(/\r\n/g, "\n").split("\n");
+  const beginAt = lines.findIndex((l) => l === GITIGNORE_MANAGED_BEGIN);
+  const endAt = beginAt === -1 ? -1 : lines.findIndex((l, i) => i > beginAt && l === GITIGNORE_MANAGED_END);
+  const hasMarker = beginAt !== -1 || lines.some((l) => l === GITIGNORE_MANAGED_END);
+  if (!hasMarker) return { added: [], removed: [], seeded: true };
+  const wellOrdered = beginAt !== -1 && endAt !== -1;
+  if (!wellOrdered) return { added: [], removed: [], seeded: false };
+  const isRule = (l) => l.trim() !== "" && !l.trim().startsWith("#");
+  const oldBody = lines.slice(beginAt + 1, endAt).filter(isRule);
+  const newBody = MANAGED_GITIGNORE_LINES.filter(isRule);
+  return {
+    added: newBody.filter((l) => !oldBody.includes(l)),
+    removed: oldBody.filter((l) => !newBody.includes(l)),
+    seeded: false
+  };
+}
 
 // src/doctor.ts
 var GH_PROJECT_LOGIN_FIX = 'run: gh auth login --hostname github.com --git-protocol https --web --scopes "project"';
@@ -5267,7 +5576,7 @@ function buildAwsCrossAccountCheck(input) {
 var MMI_PLUGIN_ID = "mmi@mmi";
 var PLUGIN_LABEL = "plugin install record (mmi@mmi for this project)";
 function pluginInstallManualFix(projectPath, surface = "claude-cli") {
-  const register = surface === "codex" ? `\`codex plugin add ${MMI_PLUGIN_ID}\`` : surface === "shell" ? `enable the MMI plugin in your client` : surface === "claude-vscode" ? `\`claude plugin enable ${MMI_PLUGIN_ID}\`` : `\`/plugin install ${MMI_PLUGIN_ID}\``;
+  const register = surface === "codex" ? `\`codex plugin add ${MMI_PLUGIN_ID}\`` : surface === "cursor" ? `import the MMI Team Marketplace in Cursor Dashboard \u2192 Settings \u2192 Plugins (or enable the MMI plugin from the marketplace panel)` : surface === "shell" ? `enable the MMI plugin in your client` : surface === "claude-vscode" ? `\`claude plugin enable ${MMI_PLUGIN_ID}\`` : `\`/plugin install ${MMI_PLUGIN_ID}\``;
   return `run ${register} then ${reloadAction(surface)} to register the install record for ${projectPath}`;
 }
 function isMmiPluginEnabled(settings) {
@@ -5322,6 +5631,9 @@ function bestRecord(records) {
   });
 }
 function pluginConfigDriftFix(pluginId, surface = "claude-cli") {
+  if (surface === "cursor") {
+    return `\`${pluginId}\` is registered through Cursor's Team Marketplace \u2014 refresh it in Dashboard \u2192 Settings \u2192 Plugins (Cursor manages its own plugin records; mmi-cli cannot rewrite them), then ${reloadAction(surface)}`;
+  }
   const file = surface === "codex" ? "~/.codex/plugins/installed_plugins.json" : "~/.claude/plugins/installed_plugins.json";
   return `\`${pluginId}\` has duplicate install rows or stale gitCommitSha in ${file} \u2014 run \`mmi-cli doctor\` interactively to collapse them to one user-scope row (a .bak backup is written first), then ${reloadAction(surface)}`;
 }
@@ -5363,7 +5675,8 @@ function buildGitignoreManagedBlockCheck(input) {
   if (!input.isOrgRepo) return base;
   const { content, changed } = upsertManagedGitignoreBlock(input.content);
   if (!changed) return base;
-  return { ...base, ok: false, contentToWrite: content };
+  const { added, removed, seeded } = diffManagedGitignoreBlock(input.content);
+  return { ...base, ok: false, contentToWrite: content, added, removed, seeded };
 }
 var MMI_PLUGIN_CACHE_CLEANUP_LABEL = "stale MMI plugin cache dirs (Claude/Codex)";
 var MMI_PLUGIN_CACHE_CLEANUP_FIX = "run `mmi-cli doctor` to quarantine stale MMI-only plugin cache dirs, then reload the affected agent surface";
@@ -5413,6 +5726,9 @@ function detectSurface(env) {
   if (env.MMI_AGENT_SURFACE === "codex" || has("CODEX_HOME") || (env.CLAUDE_PLUGIN_ROOT ?? "").includes(".codex")) {
     return "codex";
   }
+  if (env.MMI_AGENT_SURFACE === "cursor" || has("CURSOR_TRACE_ID") || has("CURSOR_USER") || has("CURSOR_SESSION_ID")) {
+    return "cursor";
+  }
   const isClaude = has("CLAUDECODE") || has("CLAUDE_CODE_ENTRYPOINT") || has("CLAUDE_PLUGIN_ROOT") || env.MMI_AGENT_SURFACE === "claude";
   const isVscode = env.TERM_PROGRAM === "vscode" || has("VSCODE_PID") || has("VSCODE_GIT_ASKPASS_NODE");
   if (isClaude && isVscode) return "claude-vscode";
@@ -5425,6 +5741,8 @@ function reloadAction(surface) {
       return "restart VS Code";
     case "codex":
       return "restart Codex";
+    case "cursor":
+      return "restart Cursor (or refresh the Team Marketplace from Dashboard \u2192 Settings \u2192 Plugins)";
     case "claude-cli":
     case "shell":
     default:
@@ -5439,6 +5757,8 @@ function pluginRecoveryFix(surface) {
       return `${claude}   # then ${reloadAction(surface)} to reload MMI commands`;
     case "codex":
       return "codex plugin marketplace upgrade mmi && codex plugin add mmi@mmi   # then restart Codex";
+    case "cursor":
+      return `in Cursor Dashboard \u2192 Settings \u2192 Plugins, click Update next to the MMI Team Marketplace; then ${reloadAction(surface)} to reload MMI skills + hooks`;
     case "shell":
     default:
       return "npm install -g @mutmutco/cli@latest";
@@ -5482,13 +5802,33 @@ var execFileP3 = (0, import_node_util5.promisify)(import_node_child_process5.exe
 function stageStatePath(cwd = process.cwd()) {
   return (0, import_node_path4.join)(cwd, "tmp", "stage", "state.json");
 }
+var POSIX_ONLY_VERBS = ["cp", "mv", "rm", "ln", "cat", "touch", "chmod", "export"];
+function posixOnlyShellProblems(command, field, platform = process.platform) {
+  if (platform !== "win32" || !command?.trim()) return [];
+  const problems = [];
+  if (/(^|&&|\||;)\s*[A-Za-z_][A-Za-z0-9_]*=\S/.test(command)) {
+    problems.push(
+      `stage.${field} uses POSIX inline env assignment (VAR=value command) which fails in cmd.exe on Windows; use 'set VAR=value && command' or a cross-platform launcher`
+    );
+  }
+  for (const verb of POSIX_ONLY_VERBS) {
+    if (new RegExp(`(^|&&|\\||;|\\()\\s*${verb}\\b`).test(command)) {
+      problems.push(
+        `stage.${field} calls POSIX '${verb}' which does not exist in cmd.exe on Windows; use the cmd/PowerShell equivalent or a cross-platform script`
+      );
+    }
+  }
+  return problems;
+}
 function validateStageConfig(config = {}, action) {
   const problems = [];
-  if (action === "run" && !config.build?.trim()) problems.push("stage.build is required for stage run");
+  if (action === "run" && !config.build?.trim() && !config.ensureEnv) problems.push("stage.build is required for stage run");
   if (!config.up?.trim()) problems.push("stage.up is required to start the local stage");
   if (config.healthUrl != null && config.healthUrl.trim() && !/^https?:\/\//.test(config.healthUrl.trim())) {
     problems.push("stage.healthUrl must be an http(s) URL");
   }
+  if (action === "run") problems.push(...posixOnlyShellProblems(config.build, "build"));
+  problems.push(...posixOnlyShellProblems(config.up, "up"));
   if (config.portRange != null) {
     const r = config.portRange;
     const ok = Array.isArray(r) && r.length === 2 && r.every((n) => Number.isInteger(n) && n >= 1024 && n <= 65535) && r[0] <= r[1];
@@ -5553,13 +5893,13 @@ async function killTree(pid) {
     }
   }
 }
-async function waitForHealth(url, timeoutMs) {
+async function waitForHealth(url, timeoutMs, anyStatus = false) {
   const deadline = Date.now() + timeoutMs;
   let last = "";
   while (Date.now() < deadline) {
     try {
       const res = await fetch(url, { signal: AbortSignal.timeout(Math.min(5e3, timeoutMs)) });
-      if (res.ok) return;
+      if (anyStatus || res.ok) return;
       last = `HTTP ${res.status}`;
     } catch (e) {
       last = e.message;
@@ -5594,14 +5934,24 @@ async function startStage(config = {}, opts = {}) {
     stagePort = pickStagePort(config.portRange, (p) => free.has(p));
   }
   const sub = (s) => s != null && stagePort != null ? s.replace(/\$\{?STAGE_PORT\}?/g, String(stagePort)) : s;
+  if (config.ensureEnv) {
+    const target = (0, import_node_path4.join)(cwd, config.ensureEnv.target);
+    const example = (0, import_node_path4.join)(cwd, config.ensureEnv.example);
+    if (!(0, import_node_fs3.existsSync)(target) && (0, import_node_fs3.existsSync)(example)) (0, import_node_fs3.copyFileSync)(example, target);
+  }
+  const extraEnv = {};
+  for (const [k, v] of Object.entries(config.env ?? {})) extraEnv[k] = sub(v) ?? v;
   const up = sub(config.up.trim());
   const child = (0, import_node_child_process5.spawn)(up, {
     cwd,
     shell: true,
-    detached: true,
+    // POSIX-only: the process group exists for the group-kill in stopStage. On win32 teardown is
+    // `taskkill /T /F` (no group needed), and detached+shell defeats windowsHide — every spawn would
+    // flash a Windows Terminal window (0x800700e8) on dev machines.
+    detached: process.platform !== "win32",
     windowsHide: true,
     stdio: "ignore",
-    env: stagePort != null ? { ...process.env, STAGE_PORT: String(stagePort) } : process.env
+    env: { ...process.env, ...stagePort != null ? { STAGE_PORT: String(stagePort) } : {}, ...extraEnv }
   });
   const state = {
     pid: child.pid ?? 0,
@@ -5613,13 +5963,13 @@ async function startStage(config = {}, opts = {}) {
   };
   (0, import_node_fs3.writeFileSync)(statePath, JSON.stringify(state, null, 2), "utf8");
   try {
-    if (state.healthUrl) await waitForHealth(state.healthUrl, opts.timeoutMs ?? 6e4);
+    if (state.healthUrl) await waitForHealth(state.healthUrl, opts.timeoutMs ?? 6e4, config.healthAnyStatus);
   } catch (e) {
     await killTree(state.pid);
     (0, import_node_fs3.rmSync)(statePath, { force: true });
     throw e;
   }
-  const result = { ok: true, action: "start", statePath, pid: state.pid, message: `started stage pid ${state.pid}${stagePort != null ? ` on port ${stagePort}` : ""}` };
+  const result = { ok: true, action: "start", statePath, pid: state.pid, port: stagePort, message: `started stage pid ${state.pid}${stagePort != null ? ` on port ${stagePort}` : ""}` };
   opts.onReady?.(result);
   child.unref();
   return result;
@@ -5630,7 +5980,7 @@ async function runStage(config = {}, opts = {}) {
   const cwd = opts.cwd ?? process.cwd();
   const timeoutMs = opts.timeoutMs ?? 6e4;
   await stopStage({ ...opts, cwd });
-  await shell(config.build.trim(), cwd, timeoutMs);
+  if (config.build?.trim()) await shell(config.build.trim(), cwd, timeoutMs);
   const started = await startStage(config, { ...opts, cwd, timeoutMs });
   return { ...started, action: "run", message: `built and ${started.message}` };
 }
@@ -5693,6 +6043,41 @@ async function verifyHubDistributionVersion(deps, model, releaseTag) {
   if (model !== "hub-serverless") return;
   await deps.run("node", ["scripts/release-distribution.mjs", "verify", releaseTag, "--skip-npm-view"]);
 }
+var ORG_SPINE_FILES = ["AGENTS.md", "CLAUDE.md", "GEMINI.md", ".claude/settings.json"];
+function isSpinePath(path2) {
+  return ORG_SPINE_FILES.includes(path2);
+}
+async function predictMergeConflicts(deps, ours, theirs) {
+  try {
+    await deps.run("git", ["merge-tree", "--write-tree", "--name-only", "--no-messages", ours, theirs]);
+    return [];
+  } catch (e) {
+    const out = String(e.stdout ?? "");
+    const files = out.split("\n").map((s) => s.trim()).filter(Boolean).slice(1);
+    if (files.length === 0) {
+      throw new Error(`could not preflight the ${theirs} -> ${ours} merge (git merge-tree failed: ${e.message ?? e})`);
+    }
+    return files;
+  }
+}
+async function mergeRcWithSpineResolution(deps) {
+  try {
+    await deps.run("git", ["merge", "rc", "--no-edit"]);
+    return;
+  } catch {
+  }
+  const unmerged = (await deps.run("git", ["diff", "--name-only", "--diff-filter=U"])).split("\n").map((s) => s.trim()).filter(Boolean);
+  const nonSpine = unmerged.filter((f) => !isSpinePath(f));
+  if (unmerged.length === 0 || nonSpine.length > 0) {
+    await deps.run("git", ["merge", "--abort"]);
+    throw new Error(
+      unmerged.length === 0 ? "rc -> main merge failed without conflicted paths \u2014 merge aborted; inspect the repo state and rerun" : `rc -> main merge conflicts on non-spine path(s): ${nonSpine.join(", ")} \u2014 merge aborted (the train is misaligned; reconcile main and rc via an approved alignment PR, then rerun release)`
+    );
+  }
+  await deps.run("git", ["checkout", "--theirs", "--", ...unmerged]);
+  await deps.run("git", ["add", "--", ...unmerged]);
+  await deps.run("git", ["commit", "--no-edit"]);
+}
 function ensurePositiveCount(out, emptyMessage) {
   const count = Number.parseInt(out.trim(), 10);
   if (!Number.isFinite(count)) throw new Error(`could not parse ahead count: ${out.trim() || "(empty)"}`);
@@ -5726,14 +6111,56 @@ async function requireBranch(deps, branch) {
   const current = clean(await deps.run("git", ["rev-parse", "--abbrev-ref", "HEAD"]));
   if (current !== branch) throw new Error(`must run from ${branch}, currently on ${current || "(unknown)"}`);
 }
-async function dispatchDeploy(deps, ctx, stage2, ref, model) {
+var HUB_REPO2 = "mutmutco/MMI-Hub";
+var CORRELATE_ATTEMPTS = 5;
+var CORRELATE_DELAY_MS = 1500;
+var CORRELATE_SKEW_SLACK_MS = 1e4;
+async function correlateTenantRun(deps, since) {
+  const sleep = deps.sleep ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
+  const threshold = since - CORRELATE_SKEW_SLACK_MS;
+  for (let attempt = 0; attempt < CORRELATE_ATTEMPTS; attempt++) {
+    if (attempt > 0) await sleep(CORRELATE_DELAY_MS);
+    let rows;
+    try {
+      const out = await deps.run("gh", [
+        "run",
+        "list",
+        "--repo",
+        HUB_REPO2,
+        "--workflow",
+        "tenant-deploy.yml",
+        "--limit",
+        "10",
+        "--json",
+        "databaseId,url,event,createdAt"
+      ]);
+      rows = JSON.parse(out);
+    } catch {
+      continue;
+    }
+    const match = rows.filter((r) => r.event === "workflow_dispatch" && typeof r.databaseId === "number").map((r) => ({ row: r, created: Date.parse(r.createdAt ?? "") })).filter((c) => Number.isFinite(c.created) && c.created >= threshold).sort((a, b) => b.created - a.created)[0];
+    if (match) return { runId: match.row.databaseId, runUrl: match.row.url };
+  }
+  return {};
+}
+async function watchTenantRun(deps, runId) {
+  if (runId == null) return "pending";
+  try {
+    await deps.run("gh", ["run", "watch", String(runId), "--repo", HUB_REPO2, "--exit-status"]);
+    return "success";
+  } catch {
+    return "failure";
+  }
+}
+async function dispatchDeploy(deps, ctx, stage2, ref, model, watch) {
   if (model === "tenant-container") {
+    const since = (deps.now ?? Date.now)();
     await deps.run("gh", [
       "workflow",
       "run",
       "tenant-deploy.yml",
       "--repo",
-      "mutmutco/MMI-Hub",
+      HUB_REPO2,
       "-f",
       `slug=${ctx.slug}`,
       "-f",
@@ -5743,12 +6170,17 @@ async function dispatchDeploy(deps, ctx, stage2, ref, model) {
       "-f",
       `stage=${stage2}`
     ]);
-    return `dispatched tenant-deploy.yml (slug=${ctx.slug}, ref=${ref}, stage=${stage2})`;
+    const { runId, runUrl } = await correlateTenantRun(deps, since);
+    const deployStatus = watch ? await watchTenantRun(deps, runId) : "pending";
+    return { note: `dispatched tenant-deploy.yml (slug=${ctx.slug}, ref=${ref}, stage=${stage2})`, runId, runUrl, deployStatus };
   }
   if (model === "hub-serverless") {
-    return ref === "rc" ? "no manual dispatch: deploy.yml auto-fires on the rc push (rc stage)" : "no manual dispatch: deploy.yml + publish.yml auto-fire on the published Release (prod)";
+    return {
+      note: ref === "rc" ? "no manual dispatch: deploy.yml auto-fires on the rc push (rc stage)" : "no manual dispatch: deploy.yml + publish.yml auto-fire on the published Release (prod)",
+      deployStatus: "pending"
+    };
   }
-  return `no manual dispatch: ${model} repo deploys via its own push-triggered workflow`;
+  return { note: `no manual dispatch: ${model} repo deploys via its own push-triggered workflow`, deployStatus: "pending" };
 }
 async function preflight(deps, ctx, stage2) {
   let meta = null;
@@ -5767,7 +6199,8 @@ async function preflight(deps, ctx, stage2) {
   await deps.runSelf(["secrets", "preflight", "--stage", stage2, "--repo", ctx.repo]);
   return model;
 }
-async function runTrainApply(command, deps) {
+async function runTrainApply(command, deps, options = {}) {
+  const watch = options.watch ?? false;
   const ctx = await buildTrainApplyContext(deps);
   await requireCleanTree(deps);
   await deps.run("git", ["fetch", "origin"]);
@@ -5787,8 +6220,8 @@ async function runTrainApply(command, deps) {
     await deps.run("git", ["tag", tag2]);
     await deps.run("git", ["push", "origin", "rc"]);
     await deps.run("git", ["push", "origin", tag2]);
-    const dispatch2 = await dispatchDeploy(deps, ctx, "rc", "rc", deployModel2);
-    return { ...ctx, command, stage: "rc", ref: "rc", tag: tag2, deployModel: deployModel2, dispatch: dispatch2 };
+    const d2 = await dispatchDeploy(deps, ctx, "rc", "rc", deployModel2, watch);
+    return { ...ctx, command, stage: "rc", ref: "rc", tag: tag2, deployModel: deployModel2, promoted: true, dispatch: d2.note, runId: d2.runId, runUrl: d2.runUrl, deployStatus: d2.deployStatus };
   }
   await requireBranch(deps, "rc");
   ensurePositiveCount(
@@ -5796,21 +6229,109 @@ async function runTrainApply(command, deps) {
     "nothing to release: origin/rc is not ahead of origin/main"
   );
   const deployModel = await preflight(deps, ctx, "main");
+  const predicted = await predictMergeConflicts(deps, "origin/main", "origin/rc");
+  const predictedNonSpine = predicted.filter((f) => !isSpinePath(f));
+  if (predictedNonSpine.length > 0) {
+    throw new Error(
+      `rc -> main merge would conflict on non-spine path(s): ${predictedNonSpine.join(", ")} \u2014 no merge was started. The train is misaligned: reconcile main and rc via an approved alignment PR (do not hand-resolve on main), then rerun release.`
+    );
+  }
+  const releasedRcSha = clean(await deps.run("git", ["rev-parse", "origin/rc"]));
   await deps.run("git", ["checkout", "main"]);
   await deps.run("git", ["pull", "--ff-only", "origin", "main"]);
-  await deps.run("git", ["merge", "rc", "--no-edit"]);
+  if (predicted.length === 0) {
+    await deps.run("git", ["merge", "rc", "--no-edit"]);
+  } else {
+    await mergeRcWithSpineResolution(deps);
+  }
   const tag = requireValue(clean(await deps.run("node", ["scripts/next-version.mjs", "release"])), "release tag");
   await verifyHubDistributionVersion(deps, deployModel, tag);
   await deps.run("git", ["tag", tag]);
   await deps.run("git", ["push", "origin", "main"]);
   await deps.run("git", ["push", "origin", tag]);
   await deps.run("gh", ["release", "create", tag, "--generate-notes", "--latest", "--repo", ctx.repo]);
-  const dispatch = await dispatchDeploy(deps, ctx, "main", "main", deployModel);
+  const d = await dispatchDeploy(deps, ctx, "main", "main", deployModel, watch);
+  const retirement = await retireRcRuntime(deps, ctx, deployModel, d.deployStatus, releasedRcSha);
   await deps.run("git", ["checkout", "development"]);
   await deps.run("git", ["pull", "--ff-only", "origin", "development"]);
   await deps.run("git", ["merge", "main", "--no-edit"]);
   await deps.run("git", ["push", "origin", "development"]);
-  return { ...ctx, command, stage: "main", ref: "main", tag, deployModel, dispatch };
+  return {
+    ...ctx,
+    command,
+    stage: "main",
+    ref: "main",
+    tag,
+    deployModel,
+    promoted: true,
+    dispatch: d.note,
+    runId: d.runId,
+    runUrl: d.runUrl,
+    deployStatus: d.deployStatus,
+    rcRetirement: retirement.status,
+    rcRetirementNote: retirement.note
+  };
+}
+async function retireRcRuntime(deps, ctx, model, deployStatus, releasedRcSha) {
+  if (model !== "tenant-container") {
+    return { status: "not-applicable", note: `${model} has no co-resident rc runtime to retire` };
+  }
+  if (deployStatus === "failure") {
+    return { status: "skipped", note: "prod deploy failed \u2014 rc runtime left untouched" };
+  }
+  if (deployStatus !== "success") {
+    return {
+      status: "skipped",
+      note: `prod deploy outcome unconfirmed (run without --watch) \u2014 rc runtime left untouched; after verifying prod, retire with: mmi-cli tenant control ${ctx.repo} rc retire`
+    };
+  }
+  try {
+    await deps.run("git", ["fetch", "origin", "rc"]);
+    const rcNow = clean(await deps.run("git", ["rev-parse", "origin/rc"]));
+    if (rcNow !== releasedRcSha) {
+      return {
+        status: "skipped",
+        note: `origin/rc moved past the released candidate (${releasedRcSha.slice(0, 7)} -> ${rcNow.slice(0, 7)}) \u2014 a new candidate is in flight; rc runtime left untouched`
+      };
+    }
+    const out = await deps.runSelf(["tenant", "control", ctx.repo, "rc", "retire"]);
+    let commandId = "";
+    try {
+      commandId = String(JSON.parse(out).commandId ?? "");
+    } catch {
+    }
+    return {
+      status: "retired",
+      note: `rc runtime retired (tenant control retire${commandId ? `, command ${commandId}` : ""}) \u2014 registry coords kept; /rcand or tenant redeploy recreates rc next cycle`
+    };
+  } catch (e) {
+    return { status: "failed", note: `rc retirement failed (the release itself succeeded): ${e.message}` };
+  }
+}
+async function runTenantRedeploy(deps, options) {
+  const { stage: stage2 } = options;
+  const ref = options.ref ?? stage2;
+  const watch = options.watch ?? false;
+  const repo = options.repo;
+  const [owner, name] = repo.split("/");
+  if (!owner || !name) throw new Error(`repo must be owner/name, got ${repo}`);
+  const login = requireValue(clean(await deps.run("gh", ["api", "user", "--jq", ".login"])), "GitHub login");
+  const verdict = await deps.trainAuthority(repo);
+  if (!verdict.ok) throw new Error(`${commandAuthorityLabel(owner)}: train authority could not be verified (${verdict.error})`);
+  if (!verdict.train) throw new Error(`${commandAuthorityLabel(owner)}: @${login} is ${verdict.role} \u2014 no train authority on ${repo}`);
+  const ctx = { repo, owner, slug: name.toLowerCase(), login };
+  let meta = null;
+  try {
+    meta = JSON.parse(await deps.runSelf(["project", "get", repo]));
+  } catch {
+    meta = null;
+  }
+  const deployModel = resolveDeployModel2(meta, repo);
+  if (deployModel !== "tenant-container") {
+    throw new Error(`${repo} is ${deployModel}, not tenant-container \u2014 there is no central tenant-deploy run to retry (its deploy fires from its own workflow)`);
+  }
+  const d = await dispatchDeploy(deps, ctx, stage2, ref, deployModel, watch);
+  return { ...ctx, command: "tenant-redeploy", stage: stage2, ref, deployModel, dispatch: d.note, runId: d.runId, runUrl: d.runUrl, deployStatus: d.deployStatus };
 }
 
 // src/port-registry.ts
@@ -6212,6 +6733,12 @@ async function rulesetDetails(deps, repo, list) {
   }
   return details;
 }
+function repoRefsMatch(a, b) {
+  return a.toLowerCase() === b.toLowerCase();
+}
+function projectRegistryIncludesRepo(projects, repo) {
+  return projects.some((p) => (p.repos ?? []).some((r) => repoRefsMatch(r, repo)));
+}
 function localRegistryCheck(deps, path2, predicate) {
   const text = deps.readLocalFile?.(path2);
   if (text == null) return null;
@@ -6361,7 +6888,7 @@ async function verifyBootstrap(repo, repoClass, deps) {
   }
   const fanout = repo === "mutmutco/MMI-Hub" ? true : localRegistryCheck(deps, ".github/fanout-targets.json", (json) => Array.isArray(json?.repos) && json.repos.some((r) => r.repo === repo.split("/")[1] && r.branch === baseBranch));
   if (fanout != null) checks.push({ ok: fanout, label: `fanout target registered on ${baseBranch}` });
-  const projectRegistry = localRegistryCheck(deps, "projects.json", (json) => Array.isArray(json?.projects) && json.projects.some((p) => (p.repos || []).includes(repo)));
+  const projectRegistry = localRegistryCheck(deps, "projects.json", (json) => Array.isArray(json?.projects) && projectRegistryIncludesRepo(json.projects, repo));
   if (projectRegistry != null) checks.push({ ok: projectRegistry, label: "cloud-agent project registry includes repo" });
   const rulesetList = await restJson2(deps, `repos/${repo}/rulesets?includes_parents=true`, []);
   const rulesets = await rulesetDetails(deps, repo, rulesetList);
@@ -6421,6 +6948,94 @@ function renderBootstrapVerifyReport(report) {
   return lines.join("\n");
 }
 
+// src/hub-auth.ts
+var import_node_crypto2 = require("node:crypto");
+var import_node_fs5 = require("node:fs");
+var import_node_path5 = require("node:path");
+var import_node_os2 = require("node:os");
+var REFRESH_WINDOW_MS = 10 * 60 * 1e3;
+var EXCHANGE_TIMEOUT_MS = 8e3;
+var EXCHANGE_ATTEMPTS = 2;
+function normalizeBaseUrl(baseUrl) {
+  return baseUrl.replace(/\/$/, "");
+}
+function tokenFingerprint(token) {
+  return (0, import_node_crypto2.createHash)("sha256").update(token).digest("hex");
+}
+function defaultHubSessionCachePath(env = process.env) {
+  if (env.MMI_HUB_SESSION_CACHE) return env.MMI_HUB_SESSION_CACHE;
+  if (process.platform === "win32") {
+    const base2 = env.LOCALAPPDATA || (0, import_node_path5.join)((0, import_node_os2.homedir)(), "AppData", "Local");
+    return (0, import_node_path5.join)(base2, "MMI Future", "mmi-cli", "hub-session.json");
+  }
+  const base = env.XDG_STATE_HOME || (0, import_node_path5.join)((0, import_node_os2.homedir)(), ".mmi");
+  return (0, import_node_path5.join)(base, "mmi-cli", "hub-session.json");
+}
+function readCache(path2, apiUrl, now, githubTokenFingerprint) {
+  try {
+    const session = JSON.parse((0, import_node_fs5.readFileSync)(path2, "utf8"));
+    if (!session.token || !session.expiresAt || session.apiUrl !== apiUrl) return null;
+    if (session.githubTokenFingerprint !== githubTokenFingerprint) return null;
+    if (new Date(session.expiresAt).getTime() <= now.getTime() + REFRESH_WINDOW_MS) return null;
+    return session;
+  } catch {
+    return null;
+  }
+}
+function writeCache(path2, session) {
+  (0, import_node_fs5.mkdirSync)((0, import_node_path5.dirname)(path2), { recursive: true });
+  const tmp = `${path2}.${process.pid}.${Date.now()}.tmp`;
+  (0, import_node_fs5.writeFileSync)(tmp, JSON.stringify(session, null, 2) + "\n", { encoding: "utf8", mode: 384 });
+  try {
+    (0, import_node_fs5.chmodSync)(tmp, 384);
+  } catch {
+  }
+  (0, import_node_fs5.renameSync)(tmp, path2);
+  try {
+    (0, import_node_fs5.chmodSync)(path2, 384);
+  } catch {
+  }
+}
+async function hubAuthSession(deps) {
+  if (!deps.baseUrl) return void 0;
+  const apiUrl = normalizeBaseUrl(deps.baseUrl);
+  const now = deps.now?.() ?? /* @__PURE__ */ new Date();
+  const cachePath = deps.cachePath ?? defaultHubSessionCachePath();
+  const ghToken = await deps.githubToken();
+  if (!ghToken) return void 0;
+  const githubTokenFingerprint = tokenFingerprint(ghToken);
+  const cached = readCache(cachePath, apiUrl, now, githubTokenFingerprint);
+  if (cached) return cached;
+  try {
+    const res = await fetchWithRetry(
+      deps.fetch ?? fetch,
+      `${apiUrl}/auth/session`,
+      { method: "POST", headers: { Authorization: `Bearer ${ghToken}` } },
+      { attempts: EXCHANGE_ATTEMPTS, timeoutMs: EXCHANGE_TIMEOUT_MS }
+    );
+    if (!res.ok) return void 0;
+    const body = await res.json();
+    if (!body.token || !body.expiresAt) return void 0;
+    const session = {
+      token: body.token,
+      expiresAt: body.expiresAt,
+      login: typeof body.login === "string" ? body.login : void 0,
+      apiUrl,
+      githubTokenFingerprint
+    };
+    try {
+      writeCache(cachePath, session);
+    } catch {
+    }
+    return session;
+  } catch {
+    return void 0;
+  }
+}
+async function hubAuthToken(deps) {
+  return (await hubAuthSession(deps))?.token;
+}
+
 // src/bootstrap-apply.ts
 function parseOwnerRepo(repo) {
   const trimmed = repo.trim();
@@ -6560,7 +7175,7 @@ function retriedFetch(deps, url, init) {
 async function fetchTrainAuthority(repo, deps) {
   if (!deps.baseUrl) return { ok: false, error: "Hub API URL not configured" };
   const token = await deps.token();
-  if (!token) return { ok: false, error: "no GitHub token (gh auth login)" };
+  if (!token) return { ok: false, error: "no Hub session token (run `gh auth login`)" };
   try {
     const res = await retriedFetch(deps, `${deps.baseUrl.replace(/\/$/, "")}/train-authority?repo=${encodeURIComponent(repo)}`, {
       method: "GET",
@@ -6599,7 +7214,7 @@ async function fetchProjectBySlugChecked(slug, deps) {
   if (!deps.baseUrl) return { ok: false, error: "no Hub API URL (set MMI_HUB_URL or use a current MMI CLI/plugin build)" };
   if (!slug) return { ok: false, error: "no slug" };
   const token = await deps.token();
-  if (!token) return { ok: false, error: "no GitHub token (run `gh auth login`)" };
+  if (!token) return { ok: false, error: "no Hub session token (run `gh auth login`)" };
   try {
     const res = await retriedFetch(deps, `${deps.baseUrl.replace(/\/$/, "")}/projects/${encodeURIComponent(slug)}`, {
       method: "GET",
@@ -6651,7 +7266,7 @@ async function fetchOrgConfig(deps) {
 async function postJson(pathSuffix, payload, deps, method = "POST") {
   if (!deps.baseUrl) return { ok: false, status: 0, body: null, error: "no Hub API URL (set MMI_HUB_URL or use a current MMI CLI/plugin build)" };
   const token = await deps.token();
-  if (!token) return { ok: false, status: 0, body: null, error: "no GitHub token (run `gh auth login`)" };
+  if (!token) return { ok: false, status: 0, body: null, error: "no Hub session token (run `gh auth login`)" };
   try {
     const res = await retriedFetch(deps, `${deps.baseUrl.replace(/\/$/, "")}${pathSuffix}`, {
       method,
@@ -7087,7 +7702,7 @@ function parseKbTree(stdout, prefix) {
 }
 
 // src/plan.ts
-var import_node_path5 = require("node:path");
+var import_node_path6 = require("node:path");
 
 // src/frontmatter.ts
 function splitFrontmatter(content) {
@@ -7170,8 +7785,8 @@ function rankPlansByRelevance(plans, signals, opts = {}) {
 
 // src/plan.ts
 var PLANS_DIR = "plans";
-var META_FILE = (0, import_node_path5.join)(PLANS_DIR, ".plan-meta.json");
-var planPath = (slug) => (0, import_node_path5.join)(PLANS_DIR, `${slug}.md`);
+var META_FILE = (0, import_node_path6.join)(PLANS_DIR, ".plan-meta.json");
+var planPath = (slug) => (0, import_node_path6.join)(PLANS_DIR, `${slug}.md`);
 var metaKey = (project2, slug) => `${project2}/${slug}`;
 function parseMeta(raw) {
   if (!raw) return {};
@@ -7603,14 +8218,16 @@ async function secretsRequest(deps, key, opts) {
   deps.log(body.notified === false ? "admin notification not sent" : "admin notification sent");
   return true;
 }
-async function secretsSet(deps, key, opts) {
-  if (!isValidSecretKey(key)) return deps.err(`invalid secret key ${JSON.stringify(key)}`);
-  const repo = await targetRepo(deps, opts);
-  const value = await deps.readSecretValue(`value for ${key} (input hidden; will not be echoed): `);
+async function putSecret(deps, key, value, opts) {
+  if (!isValidSecretKey(key)) {
+    deps.err(`invalid secret key ${JSON.stringify(key)}`);
+    return false;
+  }
   if (!value) {
-    deps.err("secrets set: empty value \u2014 aborted (nothing written)");
-    return;
+    deps.err(`secrets set: empty value for ${key} \u2014 aborted (nothing written)`);
+    return false;
   }
+  const repo = await targetRepo(deps, opts);
   const res = await deps.fetch(`${deps.apiUrl}/secrets/set`, {
     method: "POST",
     headers: await deps.headers({ "content-type": "application/json" }),
@@ -7621,9 +8238,19 @@ async function secretsSet(deps, key, opts) {
     deps.err(
       res.status === 403 ? `secrets set: not authorized to write ${key} (HTTP 403)${await readErr(res)}` : `secrets set failed: HTTP ${res.status}${await readErr(res)}`
     );
-    return;
+    return false;
   }
   deps.log(`set ${key} (${classifyTier(await vaultSlug(deps, opts), key)} tier)`);
+  return true;
+}
+async function secretsSet(deps, key, opts) {
+  if (!isValidSecretKey(key)) return deps.err(`invalid secret key ${JSON.stringify(key)}`);
+  const value = await deps.readSecretValue(`value for ${key} (input hidden; will not be echoed): `);
+  if (!value) {
+    deps.err("secrets set: empty value \u2014 aborted (nothing written)");
+    return;
+  }
+  await putSecret(deps, key, value, opts);
 }
 async function secretsEdit(deps, key, opts) {
   return secretsSet(deps, key, opts);
@@ -7727,6 +8354,22 @@ function expectedRedirectUris(cfg) {
 function oauthSsmKeys() {
   return SSM_ENVS.flatMap((env) => SSM_NAMES.map((name) => `${env}/${name}`));
 }
+function parseOauthClientJson(input) {
+  let parsed;
+  try {
+    parsed = JSON.parse(input);
+  } catch {
+    throw new Error('not valid JSON \u2014 pipe the Google client JSON (the Console "Download JSON" file)');
+  }
+  const root = parsed ?? {};
+  const obj = root.web ?? root.installed ?? parsed;
+  const clientId = typeof obj?.client_id === "string" ? obj.client_id.trim() : "";
+  const clientSecret = typeof obj?.client_secret === "string" ? obj.client_secret.trim() : "";
+  if (!clientId || !clientSecret) {
+    throw new Error("missing client_id or client_secret in the JSON");
+  }
+  return { clientId, clientSecret };
+}
 function parseOauthConfig(mmiConfig, slug) {
   const rawUnknown = mmiConfig?.oauth;
   if (rawUnknown === void 0) throw new Error(`oauth is not configured for ${slug}`);
@@ -7787,8 +8430,9 @@ async function awsCallerArn() {
     return void 0;
   }
 }
-async function sagaHeaders(extra = {}) {
-  const t = await githubToken();
+async function hubHeaders(extra = {}) {
+  const cfg = await loadConfig();
+  const t = await hubAuthToken({ baseUrl: cfg.sagaApiUrl ?? defaultHubUrl(), githubToken });
   return t ? { ...extra, Authorization: `Bearer ${t}` } : extra;
 }
 async function loadConfig() {
@@ -7852,21 +8496,21 @@ function sessionDeps() {
     env: process.env,
     readPersisted: () => {
       try {
-        return (0, import_node_fs5.readFileSync)(SESSION_FILE, "utf8");
+        return (0, import_node_fs6.readFileSync)(SESSION_FILE, "utf8");
       } catch {
         return null;
       }
     },
     writePersisted: (id) => persistSession(id),
     now: () => /* @__PURE__ */ new Date(),
-    rand: () => (0, import_node_crypto2.randomBytes)(4).toString("hex")
+    rand: () => (0, import_node_crypto3.randomBytes)(4).toString("hex")
   };
 }
 var resolveSessionId = () => resolveSession(sessionDeps());
 function persistSession(id) {
   try {
-    (0, import_node_fs5.mkdirSync)(".mmi", { recursive: true });
-    (0, import_node_fs5.writeFileSync)(SESSION_FILE, id, "utf8");
+    (0, import_node_fs6.mkdirSync)(".mmi", { recursive: true });
+    (0, import_node_fs6.writeFileSync)(SESSION_FILE, id, "utf8");
   } catch {
   }
 }
@@ -7884,7 +8528,7 @@ async function postCapture(capture, quiet = false) {
     }
     const res = await fetchWithRetry(fetch, `${cfg.sagaApiUrl}/saga/capture`, {
       method: "POST",
-      headers: await sagaHeaders({ "content-type": "application/json" }),
+      headers: await hubHeaders({ "content-type": "application/json" }),
       body: JSON.stringify({ ...capture, ...await sagaKey(cfg) })
     }, { attempts: 2, timeoutMs: 2e4, retryOn: () => false });
     let message = "";
@@ -7987,12 +8631,12 @@ async function applyGcPlan(plan2, remote) {
 }
 function resolveVersion() {
   try {
-    const manifest = (0, import_node_path6.join)(__dirname, "..", "..", ".claude-plugin", "plugin.json");
-    return JSON.parse((0, import_node_fs5.readFileSync)(manifest, "utf8")).version || "0.0.0";
+    const manifest = (0, import_node_path7.join)(__dirname, "..", "..", ".claude-plugin", "plugin.json");
+    return JSON.parse((0, import_node_fs6.readFileSync)(manifest, "utf8")).version || "0.0.0";
   } catch {
     try {
-      const pkg = (0, import_node_path6.join)(__dirname, "..", "package.json");
-      return JSON.parse((0, import_node_fs5.readFileSync)(pkg, "utf8")).version || "0.0.0";
+      const pkg = (0, import_node_path7.join)(__dirname, "..", "package.json");
+      return JSON.parse((0, import_node_fs6.readFileSync)(pkg, "utf8")).version || "0.0.0";
     } catch {
       return "0.0.0";
     }
@@ -8000,7 +8644,7 @@ function resolveVersion() {
 }
 function readRepoVersion() {
   try {
-    return JSON.parse((0, import_node_fs5.readFileSync)((0, import_node_path6.join)(process.cwd(), ".claude-plugin", "plugin.json"), "utf8")).version || void 0;
+    return JSON.parse((0, import_node_fs6.readFileSync)((0, import_node_path7.join)(process.cwd(), ".claude-plugin", "plugin.json"), "utf8")).version || void 0;
   } catch {
     return void 0;
   }
@@ -8097,10 +8741,10 @@ async function runRulesSync(opts, io = consoleIo) {
   for (const entry of fetched) {
     if ("error" in entry) continue;
     const { file, source } = entry;
-    const current = (0, import_node_fs5.existsSync)(file) ? await (0, import_promises2.readFile)(file, "utf8") : null;
+    const current = (0, import_node_fs6.existsSync)(file) ? await (0, import_promises2.readFile)(file, "utf8") : null;
     if (needsUpdate(source, current)) {
       const slash = file.lastIndexOf("/");
-      if (slash > 0) (0, import_node_fs5.mkdirSync)(file.slice(0, slash), { recursive: true });
+      if (slash > 0) (0, import_node_fs6.mkdirSync)(file.slice(0, slash), { recursive: true });
       await (0, import_promises2.writeFile)(file, normalizeEol(source), "utf8");
       changed++;
       if (!opts.quiet) io.log(`mmi-cli rules: updated ${file}`);
@@ -8126,7 +8770,7 @@ async function runDocsSync(opts, io = consoleIo) {
         return null;
       }
     },
-    localContent: async (f) => (0, import_node_fs5.existsSync)(f) ? await (0, import_promises2.readFile)(f, "utf8") : null,
+    localContent: async (f) => (0, import_node_fs6.existsSync)(f) ? await (0, import_promises2.readFile)(f, "utf8") : null,
     writeDoc: async (f, c) => {
       await (0, import_promises2.writeFile)(f, c, "utf8");
     }
@@ -8140,7 +8784,7 @@ docs.command("sync").option("--quiet", "stay silent unless something changed or
 var saga = program2.command("saga").description("per-session continuity");
 async function runNote(summary, o) {
   const [sha, key] = await Promise.all([gitOut(["rev-parse", "--short", "HEAD"]), sagaKey(await loadConfig())]);
-  const capture = buildNoteCapture(summary, o, (0, import_node_crypto2.randomUUID)(), { sha: sha || void 0, branch: key.branch });
+  const capture = buildNoteCapture(summary, o, (0, import_node_crypto3.randomUUID)(), { sha: sha || void 0, branch: key.branch });
   await postCapture(capture);
 }
 saga.command("note <summary>").description("record a one-line structured note into your saga (the per-turn capture)").option("--next <text>", 'set "where I left off" (NEXT)').option("--decision <text>", "append a verbatim decision").option("--queue-add <text>", "add a worklist item").option("--queue-done <n>", "mark worklist item N done").option("--verified", "mark this claim as checked against source (state: verified, else asserted)").option("--diagnostic", "isolate a probe write (state: diagnostic, source: probe) \u2014 never resume/LAST 5").option("--supersedes <key>", "retire prior decisions matching an evidence key (pr:N | file:path)").option("--anchor <intent>", "set the sprint North-Star (write-protected; needs --anchor-force to change)").option("--anchor-force", "overwrite an existing anchor").action((summary, o) => runNote(summary, o));
@@ -8154,7 +8798,7 @@ async function runSagaShow(opts, io = consoleIo) {
   try {
     const key = await sagaKey(cfg);
     const qs = opts.latestAnywhere ? "scope=anywhere" : new URLSearchParams({ project: key.project, branch: key.branch }).toString();
-    const res = await fetchWithRetry(fetch, `${cfg.sagaApiUrl}/saga/head?${qs}`, { headers: await sagaHeaders() }, { attempts: 2, timeoutMs: 3e3 });
+    const res = await fetchWithRetry(fetch, `${cfg.sagaApiUrl}/saga/head?${qs}`, { headers: await hubHeaders() }, { attempts: 2, timeoutMs: 3e3 });
     if (res.ok) {
       io.log(resumeCue());
       return io.log(await res.text());
@@ -8171,7 +8815,7 @@ saga.command("show").option("--quiet", "no-op silently when unconfigured/unreach
 saga.command("capture").option("--quiet", "capture silently (for the Stop hook)").description("per-turn deterministic capture (Stop hook): turn boundary + current sha").action(async (opts) => {
   const hook = parseHookInput(await readStdin());
   if (hook.session_id) persistSession(hook.session_id);
-  await postCapture({ event: "stop", id: (0, import_node_crypto2.randomUUID)(), source: "hook", sha: await gitOut(["rev-parse", "--short", "HEAD"]), surface: agentSurface() }, opts.quiet ?? false);
+  await postCapture({ event: "stop", id: (0, import_node_crypto3.randomUUID)(), source: "hook", sha: await gitOut(["rev-parse", "--short", "HEAD"]), surface: agentSurface() }, opts.quiet ?? false);
 });
 saga.command("session").option("--quiet", "silent (for the SessionStart hook)").description("persist the harness session id for this repo (SessionStart hook)").action(async () => {
   const hook = parseHookInput(await readStdin());
@@ -8198,7 +8842,7 @@ saga.command("head-update").option("--run", "detached worker: fetch state, run t
     if (!cfg.sagaApiUrl) return;
     const key = await sagaKey(cfg);
     const qs = new URLSearchParams(key).toString();
-    const res = await fetch(`${cfg.sagaApiUrl}/saga/state?${qs}`, { headers: await sagaHeaders(), signal: AbortSignal.timeout(8e3) });
+    const res = await fetch(`${cfg.sagaApiUrl}/saga/state?${qs}`, { headers: await hubHeaders(), signal: AbortSignal.timeout(8e3) });
     if (!res.ok) return;
     const state = await res.json();
     if (!state.actionLog?.length) return;
@@ -8206,7 +8850,7 @@ saga.command("head-update").option("--run", "detached worker: fetch state, run t
     if (!update) return;
     await fetch(`${cfg.sagaApiUrl}/saga/head`, {
       method: "POST",
-      headers: await sagaHeaders({ "content-type": "application/json" }),
+      headers: await hubHeaders({ "content-type": "application/json" }),
       body: JSON.stringify({ ...update, ...key }),
       signal: AbortSignal.timeout(2e4)
     });
@@ -8223,7 +8867,7 @@ saga.command("key").option("--json", "machine-readable output").description("pri
 });
 async function probeBackend(url) {
   try {
-    const res = await fetchWithRetry(fetch, `${url}/saga/head`, { headers: await sagaHeaders() }, { attempts: 3, timeoutMs: 4e3 });
+    const res = await fetchWithRetry(fetch, `${url}/saga/head`, { headers: await hubHeaders() }, { attempts: 3, timeoutMs: 4e3 });
     let message = "";
     try {
       const body = await res.clone().json();
@@ -8238,7 +8882,7 @@ async function probeBackend(url) {
 async function probeSagaAccess(url, key) {
   try {
     const qs = new URLSearchParams(key).toString();
-    const res = await fetch(`${url}/saga/state?${qs}`, { headers: await sagaHeaders(), signal: AbortSignal.timeout(8e3) });
+    const res = await fetch(`${url}/saga/state?${qs}`, { headers: await hubHeaders(), signal: AbortSignal.timeout(8e3) });
     return res.ok;
   } catch {
     return false;
@@ -8250,7 +8894,7 @@ async function runSagaHealth(o, io = consoleIo) {
   const key = await sagaKey(cfg, session);
   const source = session.source;
   const [identity, liveness] = await Promise.all([
-    githubLogin(),
+    hubAuthSession({ baseUrl: cfg.sagaApiUrl ?? defaultHubUrl(), githubToken }).then((s) => s?.login),
     cfg.sagaApiUrl ? probeBackend(cfg.sagaApiUrl) : Promise.resolve({ reachable: false })
   ]);
   const authorized = cfg.sagaApiUrl && liveness.reachable ? await probeSagaAccess(cfg.sagaApiUrl, key) : void 0;
@@ -8387,6 +9031,7 @@ async function attachToProject(issueNumber, repo, priority) {
     return void 0;
   }
 }
+var ghRunner = async (args, timeoutMs) => (await execFileP4("gh", args, { timeout: timeoutMs })).stdout;
 function scheduleRelatedDiscovery(o) {
   try {
     const args = ["issue", "discover-related", "--number", String(o.number), "--title", o.title, "--body", o.body];
@@ -8401,39 +9046,39 @@ function scheduleRelatedDiscovery(o) {
   }
 }
 function makePlanDeps(cfg, io = consoleIo) {
-  const ensureDir = () => (0, import_node_fs5.mkdirSync)(PLANS_DIR, { recursive: true });
+  const ensureDir = () => (0, import_node_fs6.mkdirSync)(PLANS_DIR, { recursive: true });
   return {
     apiUrl: cfg.sagaApiUrl,
     fetch: (url, init = {}) => fetch(url, { ...init, signal: init.signal ?? AbortSignal.timeout(1e4) }),
-    headers: (extra) => sagaHeaders(extra),
+    headers: (extra) => hubHeaders(extra),
     project: async () => (await sagaKey(cfg)).project,
     readLocal: (slug) => {
       try {
-        return (0, import_node_fs5.readFileSync)(planPath(slug), "utf8");
+        return (0, import_node_fs6.readFileSync)(planPath(slug), "utf8");
       } catch {
         return null;
       }
     },
     writeLocal: (slug, content) => {
       ensureDir();
-      (0, import_node_fs5.writeFileSync)(planPath(slug), content, "utf8");
+      (0, import_node_fs6.writeFileSync)(planPath(slug), content, "utf8");
     },
     removeLocal: (slug) => {
       try {
-        (0, import_node_fs5.rmSync)(planPath(slug));
+        (0, import_node_fs6.rmSync)(planPath(slug));
       } catch {
       }
     },
     readMetaRaw: () => {
       try {
-        return (0, import_node_fs5.readFileSync)(META_FILE, "utf8");
+        return (0, import_node_fs6.readFileSync)(META_FILE, "utf8");
       } catch {
         return null;
       }
     },
     writeMetaRaw: (raw) => {
       ensureDir();
-      (0, import_node_fs5.writeFileSync)(META_FILE, raw, "utf8");
+      (0, import_node_fs6.writeFileSync)(META_FILE, raw, "utf8");
     },
     log: (m) => io.log(m),
     err: (m) => io.err(m),
@@ -8528,7 +9173,7 @@ function makeSecretsDeps(cfg) {
   return {
     apiUrl: cfg.sagaApiUrl,
     fetch: (url, init = {}) => fetch(url, { ...init, signal: init.signal ?? AbortSignal.timeout(1e4) }),
-    headers: (extra) => sagaHeaders(extra),
+    headers: (extra) => hubHeaders(extra),
     // Vault paths are lowercase kebab (AGENTS.md naming); sagaKey carries the repo name's original
     // casing, which leaked mixed-case into `secrets where` output (#681).
     slug: async () => (await sagaKey(cfg)).project.toLowerCase(),
@@ -8581,7 +9226,7 @@ secrets.command("use <key>").description("print guidance on consuming a secret w
 secrets.command("grant <repo> <login> <key>").description("MASTER-ONLY: grant a project-admin standing access to a specific org-tier secret").action((repo, login, key) => withSecrets((d) => secretsGrant(d, repo, login, key, {})));
 secrets.command("revoke <repo> <login> <key>").description("MASTER-ONLY: withdraw a previously granted org-tier secret access").action((repo, login, key) => withSecrets((d) => secretsRevoke(d, repo, login, key, {})));
 function registryClientDeps(cfg) {
-  return { baseUrl: cfg.sagaApiUrl, token: githubToken };
+  return { baseUrl: cfg.sagaApiUrl, token: () => hubAuthToken({ baseUrl: cfg.sagaApiUrl, githubToken }) };
 }
 function slugOf(repoOrSlug) {
   return (repoOrSlug.includes("/") ? repoOrSlug.split("/").pop() : repoOrSlug).toLowerCase();
@@ -8596,11 +9241,20 @@ function reportWrite(label, res) {
   fail(`${label}: HTTP ${res.status}${detail ? ` \u2014 ${detail}` : ""}`);
 }
 var tenant = program2.command("tenant").description("tenant runtime control through Hub authority");
-tenant.command("control <owner/repo> <stage> <action>").description("run bounded service control (status/start/stop/restart) for a tenant; project-admin dev/rc, master main").option("--json", "machine-readable output").action(async (repo, stage2, action) => {
+tenant.command("control <owner/repo> <stage> <action>").description("run bounded service control (status/start/stop/restart, plus rc-only retire) for a tenant; project-admin dev/rc, master main").option("--json", "machine-readable output").action(async (repo, stage2, action) => {
   const cfg = await loadConfig();
   const res = await tenantControl({ repo, stage: stage2, action }, registryClientDeps(cfg));
   reportWrite("tenant control", res);
 });
+tenant.command("redeploy <owner/repo> <stage>").description("re-dispatch the central tenant-deploy.yml for an already-promoted ref (no re-tag/merge); train-authority gated").option("--ref <ref>", "ref to deploy (defaults to the stage branch rc/main \u2014 the promoted ref)").option("--watch", "block on the dispatched run and report its outcome (gh run watch --exit-status)").option("--json", "machine-readable output").action(async (repo, stage2, o) => {
+  if (stage2 !== "rc" && stage2 !== "main") return fail("tenant redeploy: <stage> must be rc or main");
+  try {
+    const result = await runTenantRedeploy(trainApplyDeps(), { repo, stage: stage2, ref: o.ref, watch: o.watch });
+    return printLine(o.json ? JSON.stringify(result, null, 2) : renderTenantRedeploy(result));
+  } catch (e) {
+    return fail(`tenant redeploy: ${e.message}`);
+  }
+});
 async function v2ReadinessDeps(cfg) {
   const reg = registryClientDeps(cfg);
   return {
@@ -8620,7 +9274,7 @@ async function v2ReadinessDeps(cfg) {
       const qs = new URLSearchParams({ repo: targetRepo2 }).toString();
       const res = await fetchWithRetry(fetch, `${apiUrl.replace(/\/$/, "")}/secrets/list?${qs}`, {
         method: "GET",
-        headers: await sagaHeaders()
+        headers: await hubHeaders()
       }, { attempts: 2, timeoutMs: 5e3 });
       if (!res.ok) throw new Error(`secrets list failed for ${targetRepo2}: HTTP ${res.status}`);
       const body = await res.json();
@@ -8680,9 +9334,14 @@ project.command("get [owner/repo]").description("a project's META (board ids + p
   } catch (e) {
     return fail(e.message);
   }
-  const meta = await fetchProjectBySlug(slugOf(target), registryClientDeps(cfg));
-  if (!meta) return fail(`project get: no registry META for ${target} (unknown, unbootstrapped, or Hub unreachable)`);
-  console.log(JSON.stringify(meta));
+  const read = await fetchProjectBySlugChecked(slugOf(target), registryClientDeps(cfg));
+  if (!read.ok) {
+    return fail(`project get: Hub registry read failed (${read.error}) \u2014 likely transient (cold start, network, or auth blip); retry shortly`);
+  }
+  if (!read.project) {
+    return fail(`project get: no registry META for ${target} (unknown or unbootstrapped)`);
+  }
+  console.log(JSON.stringify(read.project));
 });
 project.command("resolve <owner/repo>").description("deploy coords for a stage \u2014 for diagnosis. NOTE: /deploy-coords is OIDC-gated (a deploy job\u2019s id-token), so a gh-token CLI cannot read it from a dev machine").option("--stage <main|rc>", "deploy stage", "main").option("--json", "machine-readable output").action((_repoOrRepo, o) => {
   const msg = "project resolve: deploy coords are served only to a deploy workflow (GitHub OIDC id-token, repo-scoped). A gh-token CLI on a dev machine cannot read /deploy-coords; inspect the DEPLOY# item via the AWS console / a master DDB read instead.";
@@ -8814,7 +9473,29 @@ oauth.command("plan", { isDefault: true }).description("print the canonical JS o
   console.log(`
 SSM cred params (under /mmi-future/${slug}/):`);
   ssm.forEach((k) => console.log(`  ${k}`));
-  console.log("\nProvision/repair the Console client per docs/Guides/oauth-provision.md; creds via `mmi-cli secrets set`.");
+  console.log("\nProvision/repair the Console client per docs/Guides/oauth-provision.md; store creds with `mmi-cli oauth set-creds`.");
+});
+oauth.command("set-creds").description('store the OAuth client into the canonical {dev,rc,main}/GOOGLE_CLIENT_* SSM keys (pipe the Console "Download JSON" on stdin)').option("--repo <owner/repo>", "target repo (defaults to the current repo)").action(async (o) => {
+  const raw = await readStdin();
+  if (!raw.trim()) {
+    return fail("oauth set-creds: pipe the Google client JSON on stdin \u2014 e.g.\n  mmi-cli oauth set-creds --repo <owner/repo> < client.json");
+  }
+  let creds;
+  try {
+    creds = parseOauthClientJson(raw);
+  } catch (e) {
+    return fail(`oauth set-creds: ${e.message}`);
+  }
+  await withSecrets(async (d) => {
+    for (const key of oauthSsmKeys()) {
+      const value = key.endsWith("GOOGLE_CLIENT_ID") ? creds.clientId : creds.clientSecret;
+      if (!await putSecret(d, key, value, { repo: o.repo })) {
+        process.exitCode = 1;
+        return;
+      }
+    }
+    console.log(`OAuth client stored in all ${oauthSsmKeys().length} canonical keys. Run \`mmi-cli oauth verify\` to confirm the client is port-agnostic.`);
+  });
 });
 oauth.command("verify").description("probe Google authorize with an arbitrary port (:9123) to confirm the client is port-agnostic").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--client-id <id>", "OAuth client_id (else read dev/GOOGLE_CLIENT_ID from SSM)").option("--json", "machine-readable output").action(async (o) => {
   const cfg = await loadConfig();
@@ -8854,7 +9535,7 @@ oauth.command("verify").description("probe Google authorize with an arbitrary po
   if (mismatch) process.exitCode = 1;
 });
 var issue = program2.command("issue").description("issues \u2014 reliable create with structured output");
-issue.command("create").description("create an issue (type \u2192 label) and print {number,url,label} JSON").requiredOption("--type <type>", "bug | feature | task (sets the matching label)").requiredOption("--title <title>", "issue title").option("--body <body>", "issue body (markdown)").option("--body-file <path|->", "read issue body from a UTF-8 file, or from stdin with -").requiredOption("--priority <priority>", "urgent | high | medium | low (label + board Priority field when configured)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--label <label...>", "extra label(s) to attach (repeatable; auto-created if missing)").option("--no-related", "skip the auto related-issues comment").action(async (o) => {
+issue.command("create").description("create an issue (type \u2192 label) and print {number,url,label} JSON").requiredOption("--type <type>", "bug | feature | task (sets the matching label)").requiredOption("--title <title>", "issue title").option("--body <body>", "issue body (markdown)").option("--body-file <path|->", "read issue body from a UTF-8 file, or from stdin with -").requiredOption("--priority <priority>", "urgent | high | medium | low (label + board Priority field when configured)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--label <label...>", "extra label(s) to attach (repeatable; auto-created if missing)").option("--parent <ref>", "file as a native sub-issue of this parent (#123, owner/repo#123, or URL)").option("--no-related", "skip the auto related-issues comment").action(async (o) => {
   let args;
   let priority;
   let body;
@@ -8862,6 +9543,7 @@ issue.command("create").description("create an issue (type \u2192 label) and pri
     body = await resolveIssueBody({ body: o.body, bodyFile: o.bodyFile }, { readFile: import_promises2.readFile, readStdin });
     priority = normalizePriority(o.priority);
     args = buildIssueArgs({ type: o.type, title: o.title, body, priority, repo: o.repo, labels: o.label });
+    if (o.parent !== void 0) parseIssueRef(o.parent);
   } catch (e) {
     return fail(`issue create: ${e.message}`);
   }
@@ -8875,8 +9557,20 @@ issue.command("create").description("create an issue (type \u2192 label) and pri
   }
   const created = await ghCreate(args);
   const projectItemId = await attachToProject(created.number, o.repo, priority);
+  let parent;
+  let parentLinkError;
+  if (o.parent !== void 0) {
+    try {
+      parent = await linkSubIssue(ghRunner, o.parent, created.url, o.repo);
+    } catch (e) {
+      const err = e;
+      parentLinkError = (err.stderr || err.message || String(e)).trim();
+      process.stderr.write(`warning: issue #${created.number} created but NOT linked under ${o.parent}: ${parentLinkError}
+`);
+    }
+  }
   if (o.related !== false) scheduleRelatedDiscovery({ repo: o.repo, number: created.number, title: o.title, body });
-  console.log(JSON.stringify({ ...created, label: o.type, priority, projectItemId }));
+  console.log(JSON.stringify({ ...created, label: o.type, priority, projectItemId, ...parentLinkFields(parent, parentLinkError) }));
 });
 issue.command("discover-related").description("find related issues for an existing issue and post only high-confidence links").requiredOption("--number <number>", "created issue number").requiredOption("--title <title>", "created issue title").requiredOption("--body <body>", "created issue body").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--json", "print candidates instead of posting").action(async (o) => {
   const number = Number(o.number);
@@ -8913,6 +9607,17 @@ issue.command("discover-related").description("find related issues for an existi
   } catch {
   }
 });
+issue.command("link-child <parent> <child>").description("link an existing issue as a native sub-issue of a parent and print {parentNumber,subIssueNumber,totalCount} JSON").option("--repo <owner/repo>", "repo for bare refs on either side (defaults to the current repo)").action(async (parentRef, childRef, o) => {
+  const defaultRepo = await resolveRepo(o.repo);
+  try {
+    const result = await linkSubIssue(ghRunner, parentRef, childRef, defaultRepo);
+    console.log(JSON.stringify(result));
+  } catch (e) {
+    const err = e;
+    const note = timeoutKillNote(e, GH_MUTATION_TIMEOUT_MS);
+    return fail(`issue link-child: ${(err.stderr || err.message || String(e)).trim()}${note ? ` (${note})` : ""}`);
+  }
+});
 program2.command("report").description("file a friction report on the Hub board (GitHub auth, dedups open reports) and print {number,url} JSON").requiredOption("--title <title>", "one-line friction summary").option("--body <body>", "report body (markdown)").option("--body-file <path|->", "read report body from a UTF-8 file, or from stdin with -").option("--type <type>", "bug | feature | task (sets the matching label)", "task").option("--priority <priority>", "urgent | high | medium | low (board Priority field when configured)", "medium").option("--repo <owner/repo>", `target repo (defaults to the org Hub: ${HUB_REPO})`).option("--force", "file a new issue even when an open report looks like a duplicate").option("--json", "machine-readable output (already the default \u2014 report always prints JSON; #682)").action(async (o) => {
   let body;
   let priority;
@@ -8991,6 +9696,20 @@ async function remoteBranchExists(branch) {
     return void 0;
   }
 }
+var COMPOSE_TIMEOUT_MS = 12e4;
+function teardownWorktreeStage(worktreePath) {
+  return runWorktreeStageTeardown(worktreePath, {
+    hasStageState: (wt) => (0, import_node_fs6.existsSync)(stageStatePath(wt)),
+    stopRecordedStage: async (wt) => (await stopStage({ cwd: wt })).pid,
+    listComposeProjects: async () => {
+      const { stdout } = await execFileP4("docker", ["compose", "ls", "--all", "--format", "json"], { timeout: GC_GH_TIMEOUT_MS });
+      return parseComposeLs(stdout);
+    },
+    composeDown: async (project2) => {
+      await execFileP4("docker", ["compose", "-p", project2, "down", "-v"], { timeout: COMPOSE_TIMEOUT_MS });
+    }
+  });
+}
 pr.command("merge <number>").description("merge a PR (squash by default) and clean up its branch + worktree \u2014 no leftover local branch").option("--squash", "squash merge (default)").option("--merge", "create a merge commit").option("--rebase", "rebase merge").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action(async (number, o) => {
   const method = o.rebase ? "--rebase" : o.merge ? "--merge" : "--squash";
   const repoArgs = o.repo ? ["--repo", o.repo] : [];
@@ -9027,7 +9746,8 @@ pr.command("merge <number>").description("merge a PR (squash by default) and cle
   } : await cleanupPrMergeLocalBranch(headRef, {
     beforeWorktrees,
     startingPath,
-    execGit: async (args) => (await execFileP4("git", args, { timeout: GIT_TIMEOUT_MS })).stdout
+    execGit: async (args) => (await execFileP4("git", args, { timeout: GIT_TIMEOUT_MS })).stdout,
+    teardownWorktreeStage
   });
   console.log(JSON.stringify({
     merged: number,
@@ -9143,16 +9863,50 @@ function rawValues(flag) {
   return out;
 }
 function printLine(value) {
-  (0, import_node_fs5.writeSync)(1, `${value}
+  (0, import_node_fs6.writeSync)(1, `${value}
 `);
 }
 function stageKeepAlive() {
   return setTimeout(() => void 0, 5 * 60 * 1e3);
 }
+async function resolveStage() {
+  const cfg = await loadConfig();
+  const local = cfg.stage;
+  const read = await fetchProjectBySlugChecked(await repoSlug(), registryClientDeps(cfg)).catch((e) => ({ ok: false, error: e.message }));
+  const project2 = read.ok ? read.project : null;
+  const portRangeMeta = project2?.portRange ?? void 0;
+  const portRange = portRangeMeta && typeof portRangeMeta.start === "number" && typeof portRangeMeta.end === "number" ? [portRangeMeta.start, portRangeMeta.end] : void 0;
+  return decideStage({
+    local,
+    shell: shellFor(),
+    registry: { deployModel: project2?.deployModel, portRange, error: read.ok ? void 0 : read.error },
+    hasCompose: (0, import_node_fs6.existsSync)((0, import_node_path7.join)(process.cwd(), "docker-compose.yml")),
+    hasEnvExample: (0, import_node_fs6.existsSync)((0, import_node_path7.join)(process.cwd(), ".env.example"))
+  });
+}
+function stageStepsFor(res, stops = true) {
+  if (res.source === "derived" && res.derived) return derivedStagePlan(res.derived, shellFor(), stops);
+  if (res.source === "local") return stagePlan(res.config ?? {}, stops);
+  return [{ label: `no local stage to run \u2014 ${res.gap ?? "stage config gap"}` }];
+}
+function staleStageNote(res) {
+  if (!res.staleIgnored) return null;
+  const fields = res.staleFields ?? [];
+  const list = fields.join(", ");
+  const label = fields.length > 1 ? `fields ${list}` : `field ${list || "build/up"}`;
+  if (res.source === "local") {
+    return `note: POSIX-only .mmi stage ${label} ignored on PowerShell \u2014 kept the rest of the local recipe`;
+  }
+  return `note: stale POSIX-only .mmi stage ${label} ignored on PowerShell \u2014 using the registry-derived default`;
+}
+function reportedStageUrl(res, result) {
+  if (!res.derived) return void 0;
+  return result.port != null ? stageUrlForPort(result.port) : res.derived.url;
+}
 program2.command("port-range <repo>").description("assign (idempotently) + print the repo's local stage port block via the atomic ORG#config.portCursor allocator (committed-file fallback)").option("--json", "machine-readable output").action(async (repo, o) => {
-  const path2 = (0, import_node_path6.join)(process.cwd(), "infra", "port-ranges.json");
+  const path2 = (0, import_node_path7.join)(process.cwd(), "infra", "port-ranges.json");
   const allocate = async (seed) => {
-    const { stdout } = await execFileP4("node", [(0, import_node_path6.join)(process.cwd(), "infra", "port-ddb.mjs"), String(seed)], { timeout: 15e3 });
+    const { stdout } = await execFileP4("node", [(0, import_node_path7.join)(process.cwd(), "infra", "port-ddb.mjs"), String(seed)], { timeout: 15e3 });
     const parsed = JSON.parse(stdout);
     if (!Array.isArray(parsed.range) || parsed.range.length !== 2) throw new Error("port-ddb: no range in output");
     return parsed.range;
@@ -9161,20 +9915,27 @@ program2.command("port-range <repo>").description("assign (idempotently) + print
   printLine(o.json ? JSON.stringify({ repo, portRange: [start, end] }) : `${repo}: stage.portRange [${start}, ${end}]`);
 });
 var stage = program2.command("stage").description("plan or run the repo local stage environment").option("--json", "machine-readable output").option("--apply", "run the full local stage: stop previous, build, start, health-check").option("--timeout-ms <ms>", "bounded build/health timeout", "60000").action(async (o) => {
-  const cfg = (await loadConfig()).stage;
+  const res = await resolveStage();
   if (o.apply) {
+    if (res.source === "none") return fail(`stage: ${res.gap}`);
+    const cfg = res.config ?? res.derived.config;
     const hold = stageKeepAlive();
     try {
       const result = await runStage(cfg, { timeoutMs: Number(o.timeoutMs || 6e4) });
-      return printLine(o.json ? JSON.stringify(result) : `mmi-cli stage: ${result.message}`);
+      const reportUrl = reportedStageUrl(res, result);
+      const url = reportUrl ? ` \u2014 ${reportUrl}` : "";
+      return printLine(o.json ? JSON.stringify({ ...result, source: res.source, url: reportUrl }) : `mmi-cli stage: ${result.message}${url}`);
     } catch (e) {
       return fail(`stage: ${e.message}`);
     } finally {
       clearTimeout(hold);
     }
   }
-  const steps = stagePlan(cfg);
-  console.log(o.json ? JSON.stringify({ command: "stage", steps }, null, 2) : renderSteps("mmi-cli stage: dry-run plan", steps));
+  const steps = stageStepsFor(res);
+  if (o.json) return console.log(JSON.stringify({ command: "stage", source: res.source, url: res.derived?.url, staleIgnored: res.staleIgnored, staleFields: res.staleFields, registryError: res.registryError, steps }, null, 2));
+  const note = staleStageNote(res);
+  if (note) printLine(note);
+  console.log(renderSteps("mmi-cli stage: dry-run plan", steps));
 });
 stage.command("stop").description("stop the previous local stage process recorded in tmp/stage/state.json").option("--json", "machine-readable output").option("--apply", "kill the recorded process tree and remove the state file").action(async () => {
   const o = { json: rawFlag("--json"), apply: rawFlag("--apply") };
@@ -9191,11 +9952,16 @@ stage.command("stop").description("stop the previous local stage process recorde
 });
 stage.command("start").description("start the configured local stage process and optionally wait for health").option("--json", "machine-readable output").option("--apply", "start the configured stage.up process").option("--timeout-ms <ms>", "bounded health timeout", "60000").action(async () => {
   const o = { json: rawFlag("--json"), apply: rawFlag("--apply"), timeoutMs: rawValue("--timeout-ms", "60000") };
-  const cfg = (await loadConfig()).stage;
+  const res = await resolveStage();
   if (!o.apply) {
-    const steps = [{ label: "start local stage", command: cfg?.up || "(no stage.up configured)" }];
-    return printLine(o.json ? JSON.stringify({ command: "stage start", steps }, null, 2) : renderSteps("mmi-cli stage start: dry-run plan", steps));
-  }
+    const steps = stageStepsFor(res, false);
+    if (o.json) return printLine(JSON.stringify({ command: "stage start", source: res.source, url: res.derived?.url, staleIgnored: res.staleIgnored, staleFields: res.staleFields, registryError: res.registryError, steps }, null, 2));
+    const note = staleStageNote(res);
+    if (note) printLine(note);
+    return printLine(renderSteps("mmi-cli stage start: dry-run plan", steps));
+  }
+  if (res.source === "none") return fail(`stage start: ${res.gap}`);
+  const cfg = res.config ?? res.derived.config;
   try {
     const hold = stageKeepAlive();
     let printed = false;
@@ -9204,10 +9970,12 @@ stage.command("start").description("start the configured local stage process and
         timeoutMs: Number(o.timeoutMs || 6e4),
         onReady: (ready) => {
           printed = true;
-          printLine(o.json ? JSON.stringify(ready) : `mmi-cli stage start: ${ready.message}`);
+          const reportUrl = reportedStageUrl(res, ready);
+          const url = reportUrl ? ` \u2014 ${reportUrl}` : "";
+          printLine(o.json ? JSON.stringify({ ...ready, source: res.source, url: reportUrl }) : `mmi-cli stage start: ${ready.message}${url}`);
         }
       });
-      if (!printed) printLine(o.json ? JSON.stringify(result) : `mmi-cli stage start: ${result.message}`);
+      if (!printed) printLine(o.json ? JSON.stringify({ ...result, source: res.source, url: reportedStageUrl(res, result) }) : `mmi-cli stage start: ${result.message}`);
     } finally {
       clearTimeout(hold);
     }
@@ -9217,11 +9985,16 @@ stage.command("start").description("start the configured local stage process and
 });
 stage.command("run").description("force-stop previous stage, build, start, and health-check").option("--json", "machine-readable output").option("--apply", "run the configured stage sequence").option("--timeout-ms <ms>", "bounded build/health timeout", "60000").action(async () => {
   const o = { json: rawFlag("--json"), apply: rawFlag("--apply"), timeoutMs: rawValue("--timeout-ms", "60000") };
-  const cfg = (await loadConfig()).stage;
+  const res = await resolveStage();
   if (!o.apply) {
-    const steps = stagePlan(cfg);
-    return printLine(o.json ? JSON.stringify({ command: "stage run", steps }, null, 2) : renderSteps("mmi-cli stage run: dry-run plan", steps));
-  }
+    const steps = stageStepsFor(res);
+    if (o.json) return printLine(JSON.stringify({ command: "stage run", source: res.source, url: res.derived?.url, staleIgnored: res.staleIgnored, staleFields: res.staleFields, registryError: res.registryError, steps }, null, 2));
+    const note = staleStageNote(res);
+    if (note) printLine(note);
+    return printLine(renderSteps("mmi-cli stage run: dry-run plan", steps));
+  }
+  if (res.source === "none") return fail(`stage run: ${res.gap}`);
+  const cfg = res.config ?? res.derived.config;
   try {
     const hold = stageKeepAlive();
     let printed = false;
@@ -9229,12 +10002,14 @@ stage.command("run").description("force-stop previous stage, build, start, and h
       const result = await runStage(cfg, {
         timeoutMs: Number(o.timeoutMs || 6e4),
         onReady: (ready) => {
-          const runReady = { ...ready, action: "run", message: `built and ${ready.message}` };
+          const reportUrl = reportedStageUrl(res, ready);
+          const url = reportUrl ? ` \u2014 ${reportUrl}` : "";
+          const runReady = { ...ready, action: "run", source: res.source, url: reportUrl, message: `built and ${ready.message}${url}` };
           printed = true;
           printLine(o.json ? JSON.stringify(runReady) : `mmi-cli stage run: ${runReady.message}`);
         }
       });
-      if (!printed) printLine(o.json ? JSON.stringify(result) : `mmi-cli stage run: ${result.message}`);
+      if (!printed) printLine(o.json ? JSON.stringify({ ...result, source: res.source, url: reportedStageUrl(res, result) }) : `mmi-cli stage run: ${result.message}`);
     } finally {
       clearTimeout(hold);
     }
@@ -9247,8 +10022,38 @@ program2.command("stage-live").description("explain that remote rc/live environm
   const steps = stageLivePlan();
   console.log(o.json ? JSON.stringify({ command: "stage-live", steps }, null, 2) : renderSteps("mmi-cli stage-live: not an org command", steps));
 });
+var GH_TRAIN_TIMEOUT_MS = 3e4;
+var GH_RUN_WATCH_TIMEOUT_MS = 20 * 6e4;
+function trainApplyDeps() {
+  return {
+    run: async (file, args) => {
+      const timeout = file !== "gh" ? GIT_TIMEOUT_MS : args[0] === "run" && args[1] === "watch" ? GH_RUN_WATCH_TIMEOUT_MS : GH_TRAIN_TIMEOUT_MS;
+      return (await execFileP4(file, args, { timeout })).stdout;
+    },
+    runSelf: async (args) => (await execFileP4(process.execPath, [process.argv[1], ...args], { timeout: 3e4 })).stdout,
+    trainAuthority: async (repo) => {
+      const verdict = await fetchTrainAuthority(repo, registryClientDeps(await loadConfig()));
+      return verdict.ok ? { ok: true, role: verdict.authority.role, train: verdict.authority.train } : verdict;
+    }
+  };
+}
+function renderDeployLine(d) {
+  const parts = [d.dispatch];
+  if (d.runUrl) parts.push(`run ${d.runUrl}`);
+  if (d.deployStatus === "success") parts.push("deploy: SUCCEEDED");
+  else if (d.deployStatus === "failure") parts.push("deploy: FAILED (promotion stands; retry the deploy, do not re-tag)");
+  else if (d.runId != null) parts.push(`deploy: dispatched (watch: gh run watch ${d.runId} --repo mutmutco/MMI-Hub --exit-status)`);
+  return parts.join("; ");
+}
+function renderTrainApply(commandName, r) {
+  const base = `mmi-cli ${commandName}: promoted ${r.repo} \u2192 ${r.stage} at ${r.tag} [${r.deployModel}]; ${renderDeployLine(r)}`;
+  return r.rcRetirement ? `${base}; rc retirement: ${r.rcRetirement.toUpperCase()} (${r.rcRetirementNote ?? ""})` : base;
+}
+function renderTenantRedeploy(r) {
+  return `mmi-cli tenant redeploy: ${r.repo} ${r.stage} (ref=${r.ref}) [${r.deployModel}]; ${renderDeployLine(r)}`;
+}
 for (const commandName of ["rcand", "release", "hotfix"]) {
-  program2.command(commandName).description(`plan ${commandName} train operations; mutations require explicit master-admin approval`).option("--json", "machine-readable output").option("--apply", commandName === "hotfix" ? "reserved; hotfix uses the /hotfix skill PR path" : "execute the guarded master-only train after explicit approval").action(async (o) => {
+  program2.command(commandName).description(`plan ${commandName} train operations; mutations require explicit master-admin approval`).option("--json", "machine-readable output").option("--watch", "block on the dispatched tenant-deploy.yml run and report its outcome (tenant-container)").option("--apply", commandName === "hotfix" ? "reserved; hotfix uses the /hotfix skill PR path" : "execute the guarded master-only train after explicit approval").action(async (o) => {
     try {
       await requireFreshTrainCli(commandName);
     } catch (e) {
@@ -9257,16 +10062,8 @@ for (const commandName of ["rcand", "release", "hotfix"]) {
     if (o.apply) {
       if (commandName === "hotfix") return fail("hotfix: CLI apply is reserved; use the /hotfix skill PR path after explicit master-admin approval");
       try {
-        const result = await runTrainApply(commandName, {
-          run: async (file, args) => (await execFileP4(file, args, { timeout: file === "gh" ? 3e4 : GIT_TIMEOUT_MS })).stdout,
-          runSelf: async (args) => (await execFileP4(process.execPath, [process.argv[1], ...args], { timeout: 3e4 })).stdout,
-          trainAuthority: async (repo) => {
-            const verdict = await fetchTrainAuthority(repo, registryClientDeps(await loadConfig()));
-            return verdict.ok ? { ok: true, role: verdict.authority.role, train: verdict.authority.train } : verdict;
-          }
-        });
-        const message = `mmi-cli ${commandName}: applied ${result.repo} ${result.stage} train at ${result.tag} [${result.deployModel}]; ${result.dispatch}`;
-        return printLine(o.json ? JSON.stringify(result, null, 2) : message);
+        const result = await runTrainApply(commandName, trainApplyDeps(), { watch: o.watch });
+        return printLine(o.json ? JSON.stringify(result, null, 2) : renderTrainApply(commandName, result));
       } catch (e) {
         return fail(`${commandName}: ${e.message}`);
       }
@@ -9286,13 +10083,14 @@ bootstrap.command("verify <repo>").description("audit whether an existing repo i
   const o = { class: rawValue("--class", "deployable"), json: rawFlag("--json") };
   if (o.class !== "deployable" && o.class !== "content") return fail("bootstrap verify: --class must be deployable or content");
   const cfg = await loadConfig();
-  const apiProjects = await fetchProjectsJson({ baseUrl: cfg.sagaApiUrl, token: githubToken });
+  const reg = registryClientDeps(cfg);
+  const apiProjects = await fetchProjectsJson(reg);
   const slug = (repo.includes("/") ? repo.split("/")[1] : repo).toLowerCase();
-  const meta = await fetchProjectBySlug(slug, { baseUrl: cfg.sagaApiUrl, token: githubToken });
+  const meta = await fetchProjectBySlug(slug, reg);
   const report = await verifyBootstrap(repo, o.class, {
     client: defaultGitHubClient(),
     projectMeta: meta,
-    readLocalFile: (path2) => path2 === "projects.json" && apiProjects != null ? apiProjects : (0, import_node_fs5.existsSync)(path2) ? (0, import_node_fs5.readFileSync)(path2, "utf8") : null,
+    readLocalFile: (path2) => path2 === "projects.json" && apiProjects != null ? apiProjects : (0, import_node_fs6.existsSync)(path2) ? (0, import_node_fs6.readFileSync)(path2, "utf8") : null,
     // requiredGcpApis is stored as an array by a JSON write, but `project set --var KEY=VALUE` stores a raw
     // comma-string — accept either so the seeded value verifies regardless of how it was written.
     requiredGcpApis: (() => {
@@ -9333,12 +10131,12 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
     return fail(`bootstrap apply: ${e.message}`);
   }
   const manifestPath = "skills/bootstrap/seeds/manifest.json";
-  if (!(0, import_node_fs5.existsSync)(manifestPath)) return fail(`bootstrap apply: ${manifestPath} not found; run from the MMI-Hub repo root`);
-  const manifest = loadBootstrapSeeds((0, import_node_fs5.readFileSync)(manifestPath, "utf8"));
+  if (!(0, import_node_fs6.existsSync)(manifestPath)) return fail(`bootstrap apply: ${manifestPath} not found; run from the MMI-Hub repo root`);
+  const manifest = loadBootstrapSeeds((0, import_node_fs6.readFileSync)(manifestPath, "utf8"));
   const baseBranch = o.class === "content" ? "main" : "development";
   const slug = parsedRepo.slug;
   const gh = async (args) => execFileP4("gh", args, { timeout: 2e4 });
-  const readFile2 = (p) => (0, import_node_fs5.existsSync)(p) ? (0, import_node_fs5.readFileSync)(p, "utf8") : null;
+  const readFile2 = (p) => (0, import_node_fs6.existsSync)(p) ? (0, import_node_fs6.readFileSync)(p, "utf8") : null;
   const enc = (p) => p.split("/").map(encodeURIComponent).join("/");
   const vars = {};
   for (const value of rawValues("--var")) {
@@ -9411,7 +10209,7 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
   }
   if (o.execute) {
     const cfg = await loadConfig();
-    const res = await registerProject(registerPayload, { baseUrl: cfg.sagaApiUrl, token: githubToken });
+    const res = await registerProject(registerPayload, registryClientDeps(cfg));
     if (res.ok) {
       ddbWrites.push({ slug: registerPayload.slug, action: "register", record: registerPayload });
       applied.push(`ddb register ${registerPayload.slug}`);
@@ -9462,16 +10260,16 @@ access.command("audit").description("audit collaborator roles + train-branch pus
     if (o.class !== "deployable" && o.class !== "content") return fail("access audit: --class must be deployable or content");
     targets = [{ repo: o.repo, class: o.class }];
   } else {
-    const projectsJson = registryProjects ? JSON.stringify({ projects: registryProjects }) : (0, import_node_fs5.existsSync)("projects.json") ? (0, import_node_fs5.readFileSync)("projects.json", "utf8") : null;
+    const projectsJson = registryProjects ? JSON.stringify({ projects: registryProjects }) : (0, import_node_fs6.existsSync)("projects.json") ? (0, import_node_fs6.readFileSync)("projects.json", "utf8") : null;
     if (!projectsJson) return fail("access audit: no project registry \u2014 Hub API unreachable and projects.json not found; run from the MMI-Hub repo root or pass --repo <owner/repo>");
-    const fanoutJson = (0, import_node_fs5.existsSync)(".github/fanout-targets.json") ? (0, import_node_fs5.readFileSync)(".github/fanout-targets.json", "utf8") : null;
+    const fanoutJson = (0, import_node_fs6.existsSync)(".github/fanout-targets.json") ? (0, import_node_fs6.readFileSync)(".github/fanout-targets.json", "utf8") : null;
     targets = loadAccessTargets(projectsJson, fanoutJson);
   }
   const derivedMatrix = registryProjects ? accessMatrixFromProjects(registryProjects) : {};
-  const fileMatrix = (0, import_node_fs5.existsSync)("access-matrix.json") ? loadAccessMatrix((0, import_node_fs5.readFileSync)("access-matrix.json", "utf8")) : {};
+  const fileMatrix = (0, import_node_fs6.existsSync)("access-matrix.json") ? loadAccessMatrix((0, import_node_fs6.readFileSync)("access-matrix.json", "utf8")) : {};
   const matrix = mergeAccessMatrix(fileMatrix, derivedMatrix);
   const derivedContracts = registryProjects ? dataAccessContractsFromProjects(registryProjects) : { consumers: {} };
-  const fileContracts = (0, import_node_fs5.existsSync)("data-access-contracts.json") ? loadDataAccessContracts((0, import_node_fs5.readFileSync)("data-access-contracts.json", "utf8")) : { consumers: {} };
+  const fileContracts = (0, import_node_fs6.existsSync)("data-access-contracts.json") ? loadDataAccessContracts((0, import_node_fs6.readFileSync)("data-access-contracts.json", "utf8")) : { consumers: {} };
   const dataAccess = mergeDataAccessContracts(fileContracts, derivedContracts);
   const report = await auditOrgAccess(targets, deps, matrix, dataAccess);
   console.log(o.json ? JSON.stringify(report, null, 2) : renderAccessReport(report));
@@ -9480,18 +10278,18 @@ access.command("audit").description("audit collaborator roles + train-branch pus
 var isWin = process.platform === "win32";
 var installedPluginsPath = (surface = detectSurface(process.env)) => {
   const homeDir = surface === "codex" ? ".codex" : ".claude";
-  return (0, import_node_path6.join)((0, import_node_os2.homedir)(), homeDir, "plugins", "installed_plugins.json");
+  return (0, import_node_path7.join)((0, import_node_os3.homedir)(), homeDir, "plugins", "installed_plugins.json");
 };
 function readInstalledPlugins() {
   try {
-    return JSON.parse((0, import_node_fs5.readFileSync)(installedPluginsPath(), "utf8"));
+    return JSON.parse((0, import_node_fs6.readFileSync)(installedPluginsPath(), "utf8"));
   } catch {
     return null;
   }
 }
 function readClaudeSettings() {
   try {
-    return JSON.parse((0, import_node_fs5.readFileSync)((0, import_node_path6.join)(process.cwd(), ".claude", "settings.json"), "utf8"));
+    return JSON.parse((0, import_node_fs6.readFileSync)((0, import_node_path7.join)(process.cwd(), ".claude", "settings.json"), "utf8"));
   } catch {
     return null;
   }
@@ -9513,7 +10311,7 @@ function writeProjectInstallRecord(record) {
     const list = file.plugins[MMI_PLUGIN_ID] ?? [];
     list.push(record);
     file.plugins[MMI_PLUGIN_ID] = list;
-    (0, import_node_fs5.writeFileSync)(installedPluginsPath(), `${JSON.stringify(file, null, 2)}
+    (0, import_node_fs6.writeFileSync)(installedPluginsPath(), `${JSON.stringify(file, null, 2)}
 `, "utf8");
     return true;
   } catch {
@@ -9526,9 +10324,9 @@ function backupAndWriteInstalledPlugins(records, pluginId) {
     if (!file) return false;
     if (!file.plugins) file.plugins = {};
     const path2 = installedPluginsPath();
-    (0, import_node_fs5.copyFileSync)(path2, `${path2}.bak`);
+    (0, import_node_fs6.copyFileSync)(path2, `${path2}.bak`);
     file.plugins[pluginId] = records;
-    (0, import_node_fs5.writeFileSync)(path2, `${JSON.stringify(file, null, 2)}
+    (0, import_node_fs6.writeFileSync)(path2, `${JSON.stringify(file, null, 2)}
 `, "utf8");
     return true;
   } catch {
@@ -9537,14 +10335,14 @@ function backupAndWriteInstalledPlugins(records, pluginId) {
 }
 function mmiPluginCacheRootSnapshots() {
   const roots = [
-    { surface: "claude", root: (0, import_node_path6.join)((0, import_node_os2.homedir)(), ".claude", "plugins", "cache", "mmi", "mmi") },
-    { surface: "codex", root: (0, import_node_path6.join)((0, import_node_os2.homedir)(), ".codex", "plugins", "cache", "mmi", "mmi") }
+    { surface: "claude", root: (0, import_node_path7.join)((0, import_node_os3.homedir)(), ".claude", "plugins", "cache", "mmi", "mmi") },
+    { surface: "codex", root: (0, import_node_path7.join)((0, import_node_os3.homedir)(), ".codex", "plugins", "cache", "mmi", "mmi") }
   ];
   return roots.flatMap(({ surface, root }) => {
     try {
-      const entries = (0, import_node_fs5.readdirSync)(root, { withFileTypes: true }).map((entry) => ({
+      const entries = (0, import_node_fs6.readdirSync)(root, { withFileTypes: true }).map((entry) => ({
         name: entry.name,
-        path: (0, import_node_path6.join)(root, entry.name),
+        path: (0, import_node_path7.join)(root, entry.name),
         isDirectory: entry.isDirectory()
       }));
       return [{ surface, root, entries }];
@@ -9554,10 +10352,10 @@ function mmiPluginCacheRootSnapshots() {
   });
 }
 function uniqueQuarantineTarget(path2) {
-  if (!(0, import_node_fs5.existsSync)(path2)) return path2;
+  if (!(0, import_node_fs6.existsSync)(path2)) return path2;
   for (let i = 1; i < 100; i += 1) {
     const candidate = `${path2}-${i}`;
-    if (!(0, import_node_fs5.existsSync)(candidate)) return candidate;
+    if (!(0, import_node_fs6.existsSync)(candidate)) return candidate;
   }
   return `${path2}-${Date.now()}`;
 }
@@ -9565,27 +10363,27 @@ function quarantinePluginCacheDirs(plan2) {
   let moved = 0;
   for (const move of plan2) {
     try {
-      if (!(0, import_node_fs5.existsSync)(move.from)) continue;
+      if (!(0, import_node_fs6.existsSync)(move.from)) continue;
       const target = uniqueQuarantineTarget(move.to);
-      (0, import_node_fs5.mkdirSync)((0, import_node_path6.dirname)(target), { recursive: true });
-      (0, import_node_fs5.renameSync)(move.from, target);
+      (0, import_node_fs6.mkdirSync)((0, import_node_path7.dirname)(target), { recursive: true });
+      (0, import_node_fs6.renameSync)(move.from, target);
       moved += 1;
     } catch {
     }
   }
   return moved;
 }
-var gitignorePath = () => (0, import_node_path6.join)(process.cwd(), ".gitignore");
+var gitignorePath = () => (0, import_node_path7.join)(process.cwd(), ".gitignore");
 function readGitignore() {
   try {
-    return (0, import_node_fs5.readFileSync)(gitignorePath(), "utf8");
+    return (0, import_node_fs6.readFileSync)(gitignorePath(), "utf8");
   } catch {
     return null;
   }
 }
 function writeGitignore(content) {
   try {
-    (0, import_node_fs5.writeFileSync)(gitignorePath(), content, "utf8");
+    (0, import_node_fs6.writeFileSync)(gitignorePath(), content, "utf8");
     return true;
   } catch {
     return false;
@@ -9621,7 +10419,7 @@ async function runDoctor(opts, io = consoleIo) {
   let onPath = pathProbe;
   if (!onPath) {
     const root = process.env.CLAUDE_PLUGIN_ROOT;
-    if (root && (0, import_node_fs5.existsSync)(`${root}/bin/mmi-cli${isWin ? ".cmd" : ""}`)) onPath = true;
+    if (root && (0, import_node_fs6.existsSync)(`${root}/bin/mmi-cli${isWin ? ".cmd" : ""}`)) onPath = true;
   }
   checks.push({ ok: onPath, label: "mmi-cli on PATH", fix: "auto-provisioned at session start \u2014 reopen the session, or install the MMI plugin" });
   const surface = detectSurface(process.env);
@@ -9666,7 +10464,12 @@ async function runDoctor(opts, io = consoleIo) {
   if (!gitignoreCheck.ok && gitignoreCheck.contentToWrite && !opts.json && !opts.banner) {
     if (writeGitignore(gitignoreCheck.contentToWrite)) {
       gitignoreCheck = { ...gitignoreCheck, ok: true };
-      io.err("  \u21BB repaired: enforced .gitignore managed block (.playwright-mcp/, .claude/worktrees/, /*.png)");
+      const drift = gitignoreCheck.seeded ? "inserted the org-managed block" : [
+        gitignoreCheck.added?.length ? `added ${gitignoreCheck.added.join(", ")}` : "",
+        gitignoreCheck.removed?.length ? `removed ${gitignoreCheck.removed.join(", ")}` : ""
+      ].filter(Boolean).join("; ") || "normalized the block";
+      io.err(`  \u21BB repaired: org-managed .gitignore block \u2014 ${drift}`);
+      io.err("     this is an org-managed update (not unrelated churn) \u2014 stage & commit .gitignore so it stops recurring");
     }
   }
   checks.push(gitignoreCheck);