@mutmutco/cli 2.13.0 → 2.14.1

package/dist/index.cjs

@@ -5945,7 +5945,10 @@ async function startStage(config = {}, opts = {}) {
   const child = (0, import_node_child_process5.spawn)(up, {
     cwd,
     shell: true,
-    detached: true,
+    // POSIX-only: the process group exists for the group-kill in stopStage. On win32 teardown is
+    // `taskkill /T /F` (no group needed), and detached+shell defeats windowsHide — every spawn would
+    // flash a Windows Terminal window (0x800700e8) on dev machines.
+    detached: process.platform !== "win32",
     windowsHide: true,
     stdio: "ignore",
     env: { ...process.env, ...stagePort != null ? { STAGE_PORT: String(stagePort) } : {}, ...extraEnv }
@@ -6040,6 +6043,41 @@ async function verifyHubDistributionVersion(deps, model, releaseTag) {
   if (model !== "hub-serverless") return;
   await deps.run("node", ["scripts/release-distribution.mjs", "verify", releaseTag, "--skip-npm-view"]);
 }
+var ORG_SPINE_FILES = ["AGENTS.md", "CLAUDE.md", "GEMINI.md", ".claude/settings.json"];
+function isSpinePath(path2) {
+  return ORG_SPINE_FILES.includes(path2);
+}
+async function predictMergeConflicts(deps, ours, theirs) {
+  try {
+    await deps.run("git", ["merge-tree", "--write-tree", "--name-only", "--no-messages", ours, theirs]);
+    return [];
+  } catch (e) {
+    const out = String(e.stdout ?? "");
+    const files = out.split("\n").map((s) => s.trim()).filter(Boolean).slice(1);
+    if (files.length === 0) {
+      throw new Error(`could not preflight the ${theirs} -> ${ours} merge (git merge-tree failed: ${e.message ?? e})`);
+    }
+    return files;
+  }
+}
+async function mergeRcWithSpineResolution(deps) {
+  try {
+    await deps.run("git", ["merge", "rc", "--no-edit"]);
+    return;
+  } catch {
+  }
+  const unmerged = (await deps.run("git", ["diff", "--name-only", "--diff-filter=U"])).split("\n").map((s) => s.trim()).filter(Boolean);
+  const nonSpine = unmerged.filter((f) => !isSpinePath(f));
+  if (unmerged.length === 0 || nonSpine.length > 0) {
+    await deps.run("git", ["merge", "--abort"]);
+    throw new Error(
+      unmerged.length === 0 ? "rc -> main merge failed without conflicted paths \u2014 merge aborted; inspect the repo state and rerun" : `rc -> main merge conflicts on non-spine path(s): ${nonSpine.join(", ")} \u2014 merge aborted (the train is misaligned; reconcile main and rc via an approved alignment PR, then rerun release)`
+    );
+  }
+  await deps.run("git", ["checkout", "--theirs", "--", ...unmerged]);
+  await deps.run("git", ["add", "--", ...unmerged]);
+  await deps.run("git", ["commit", "--no-edit"]);
+}
 function ensurePositiveCount(out, emptyMessage) {
   const count = Number.parseInt(out.trim(), 10);
   if (!Number.isFinite(count)) throw new Error(`could not parse ahead count: ${out.trim() || "(empty)"}`);
@@ -6077,6 +6115,11 @@ var HUB_REPO2 = "mutmutco/MMI-Hub";
 var CORRELATE_ATTEMPTS = 5;
 var CORRELATE_DELAY_MS = 1500;
 var CORRELATE_SKEW_SLACK_MS = 1e4;
+var TRAIN_REQUIRED_CHECKS = ["cli", "infra", "docs"];
+var TRAIN_REQUIRED_CHECK_SET = new Set(TRAIN_REQUIRED_CHECKS);
+var TRAIN_CHECKS_JQ = '[.check_runs[]|select(.name|test("^(cli|infra|docs)$"))|{(.name):.conclusion}]';
+var TRAIN_CHECK_ATTEMPTS = 40;
+var TRAIN_CHECK_DELAY_MS = 15e3;
 async function correlateTenantRun(deps, since) {
   const sleep = deps.sleep ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
   const threshold = since - CORRELATE_SKEW_SLACK_MS;
@@ -6114,6 +6157,51 @@ async function watchTenantRun(deps, runId) {
     return "failure";
   }
 }
+function parseTrainCheckConclusions(out) {
+  const parsed = JSON.parse(out);
+  if (!Array.isArray(parsed)) throw new Error("check-runs response was not an array");
+  const conclusions = /* @__PURE__ */ new Map();
+  for (const row of parsed) {
+    if (row == null || typeof row !== "object") continue;
+    for (const [name, raw] of Object.entries(row)) {
+      if (!TRAIN_REQUIRED_CHECK_SET.has(name)) continue;
+      conclusions.set(name, raw == null ? null : String(raw));
+    }
+  }
+  return conclusions;
+}
+function describeTrainChecks(conclusions) {
+  return TRAIN_REQUIRED_CHECKS.map((name) => `${name}=${conclusions.get(name) ?? "missing"}`).join(", ");
+}
+async function waitForRequiredTrainChecks(deps, ctx, sha) {
+  const sleep = deps.sleep ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
+  let lastStatus = "not checked";
+  let lastError;
+  for (let attempt = 0; attempt < TRAIN_CHECK_ATTEMPTS; attempt++) {
+    if (attempt > 0) await sleep(TRAIN_CHECK_DELAY_MS);
+    let conclusions;
+    try {
+      const out = await deps.run("gh", ["api", `repos/${ctx.repo}/commits/${sha}/check-runs`, "--jq", TRAIN_CHECKS_JQ]);
+      conclusions = parseTrainCheckConclusions(out);
+      lastError = void 0;
+    } catch (e) {
+      lastError = e.message || String(e);
+      continue;
+    }
+    lastStatus = describeTrainChecks(conclusions);
+    const failed = TRAIN_REQUIRED_CHECKS.filter((name) => {
+      const conclusion = conclusions.get(name);
+      return conclusion != null && conclusion !== "success";
+    });
+    if (failed.length > 0) {
+      throw new Error(`required train check failed: ${failed.join(", ")} (${lastStatus})`);
+    }
+    if (TRAIN_REQUIRED_CHECKS.every((name) => conclusions.get(name) === "success")) return;
+  }
+  throw new Error(
+    `timed out waiting for required train checks on ${sha}: ${lastError ? `last error: ${lastError}` : lastStatus}`
+  );
+}
 async function dispatchDeploy(deps, ctx, stage2, ref, model, watch) {
   if (model === "tenant-container") {
     const since = (deps.now ?? Date.now)();
@@ -6180,8 +6268,10 @@ async function runTrainApply(command, deps, options = {}) {
     await deps.run("git", ["pull", "--ff-only", "origin", "rc"]);
     await deps.run("git", ["merge", "development", "--no-edit"]);
     await deps.run("git", ["tag", tag2]);
-    await deps.run("git", ["push", "origin", "rc"]);
     await deps.run("git", ["push", "origin", tag2]);
+    const rcSha = requireValue(clean(await deps.run("git", ["rev-parse", "rc"])), "rc sha");
+    await waitForRequiredTrainChecks(deps, ctx, rcSha);
+    await deps.run("git", ["push", "origin", "rc"]);
     const d2 = await dispatchDeploy(deps, ctx, "rc", "rc", deployModel2, watch);
     return { ...ctx, command, stage: "rc", ref: "rc", tag: tag2, deployModel: deployModel2, promoted: true, dispatch: d2.note, runId: d2.runId, runUrl: d2.runUrl, deployStatus: d2.deployStatus };
   }
@@ -6191,21 +6281,86 @@ async function runTrainApply(command, deps, options = {}) {
     "nothing to release: origin/rc is not ahead of origin/main"
   );
   const deployModel = await preflight(deps, ctx, "main");
+  const predicted = await predictMergeConflicts(deps, "origin/main", "origin/rc");
+  const predictedNonSpine = predicted.filter((f) => !isSpinePath(f));
+  if (predictedNonSpine.length > 0) {
+    throw new Error(
+      `rc -> main merge would conflict on non-spine path(s): ${predictedNonSpine.join(", ")} \u2014 no merge was started. The train is misaligned: reconcile main and rc via an approved alignment PR (do not hand-resolve on main), then rerun release.`
+    );
+  }
+  const releasedRcSha = clean(await deps.run("git", ["rev-parse", "origin/rc"]));
   await deps.run("git", ["checkout", "main"]);
   await deps.run("git", ["pull", "--ff-only", "origin", "main"]);
-  await deps.run("git", ["merge", "rc", "--no-edit"]);
+  if (predicted.length === 0) {
+    await deps.run("git", ["merge", "rc", "--no-edit"]);
+  } else {
+    await mergeRcWithSpineResolution(deps);
+  }
   const tag = requireValue(clean(await deps.run("node", ["scripts/next-version.mjs", "release"])), "release tag");
   await verifyHubDistributionVersion(deps, deployModel, tag);
   await deps.run("git", ["tag", tag]);
-  await deps.run("git", ["push", "origin", "main"]);
   await deps.run("git", ["push", "origin", tag]);
+  const releaseSha = requireValue(clean(await deps.run("git", ["rev-parse", "main"])), "release sha");
+  await waitForRequiredTrainChecks(deps, ctx, releaseSha);
+  await deps.run("git", ["push", "origin", "main"]);
   await deps.run("gh", ["release", "create", tag, "--generate-notes", "--latest", "--repo", ctx.repo]);
   const d = await dispatchDeploy(deps, ctx, "main", "main", deployModel, watch);
+  const retirement = await retireRcRuntime(deps, ctx, deployModel, d.deployStatus, releasedRcSha);
   await deps.run("git", ["checkout", "development"]);
   await deps.run("git", ["pull", "--ff-only", "origin", "development"]);
   await deps.run("git", ["merge", "main", "--no-edit"]);
   await deps.run("git", ["push", "origin", "development"]);
-  return { ...ctx, command, stage: "main", ref: "main", tag, deployModel, promoted: true, dispatch: d.note, runId: d.runId, runUrl: d.runUrl, deployStatus: d.deployStatus };
+  return {
+    ...ctx,
+    command,
+    stage: "main",
+    ref: "main",
+    tag,
+    deployModel,
+    promoted: true,
+    dispatch: d.note,
+    runId: d.runId,
+    runUrl: d.runUrl,
+    deployStatus: d.deployStatus,
+    rcRetirement: retirement.status,
+    rcRetirementNote: retirement.note
+  };
+}
+async function retireRcRuntime(deps, ctx, model, deployStatus, releasedRcSha) {
+  if (model !== "tenant-container") {
+    return { status: "not-applicable", note: `${model} has no co-resident rc runtime to retire` };
+  }
+  if (deployStatus === "failure") {
+    return { status: "skipped", note: "prod deploy failed \u2014 rc runtime left untouched" };
+  }
+  if (deployStatus !== "success") {
+    return {
+      status: "skipped",
+      note: `prod deploy outcome unconfirmed (run without --watch) \u2014 rc runtime left untouched; after verifying prod, retire with: mmi-cli tenant control ${ctx.repo} rc retire`
+    };
+  }
+  try {
+    await deps.run("git", ["fetch", "origin", "rc"]);
+    const rcNow = clean(await deps.run("git", ["rev-parse", "origin/rc"]));
+    if (rcNow !== releasedRcSha) {
+      return {
+        status: "skipped",
+        note: `origin/rc moved past the released candidate (${releasedRcSha.slice(0, 7)} -> ${rcNow.slice(0, 7)}) \u2014 a new candidate is in flight; rc runtime left untouched`
+      };
+    }
+    const out = await deps.runSelf(["tenant", "control", ctx.repo, "rc", "retire"]);
+    let commandId = "";
+    try {
+      commandId = String(JSON.parse(out).commandId ?? "");
+    } catch {
+    }
+    return {
+      status: "retired",
+      note: `rc runtime retired (tenant control retire${commandId ? `, command ${commandId}` : ""}) \u2014 registry coords kept; /rcand or tenant redeploy recreates rc next cycle`
+    };
+  } catch (e) {
+    return { status: "failed", note: `rc retirement failed (the release itself succeeded): ${e.message}` };
+  }
 }
 async function runTenantRedeploy(deps, options) {
   const { stage: stage2 } = options;
@@ -8117,14 +8272,16 @@ async function secretsRequest(deps, key, opts) {
   deps.log(body.notified === false ? "admin notification not sent" : "admin notification sent");
   return true;
 }
-async function secretsSet(deps, key, opts) {
-  if (!isValidSecretKey(key)) return deps.err(`invalid secret key ${JSON.stringify(key)}`);
-  const repo = await targetRepo(deps, opts);
-  const value = await deps.readSecretValue(`value for ${key} (input hidden; will not be echoed): `);
+async function putSecret(deps, key, value, opts) {
+  if (!isValidSecretKey(key)) {
+    deps.err(`invalid secret key ${JSON.stringify(key)}`);
+    return false;
+  }
   if (!value) {
-    deps.err("secrets set: empty value \u2014 aborted (nothing written)");
-    return;
+    deps.err(`secrets set: empty value for ${key} \u2014 aborted (nothing written)`);
+    return false;
   }
+  const repo = await targetRepo(deps, opts);
   const res = await deps.fetch(`${deps.apiUrl}/secrets/set`, {
     method: "POST",
     headers: await deps.headers({ "content-type": "application/json" }),
@@ -8135,9 +8292,19 @@ async function secretsSet(deps, key, opts) {
     deps.err(
       res.status === 403 ? `secrets set: not authorized to write ${key} (HTTP 403)${await readErr(res)}` : `secrets set failed: HTTP ${res.status}${await readErr(res)}`
     );
-    return;
+    return false;
   }
   deps.log(`set ${key} (${classifyTier(await vaultSlug(deps, opts), key)} tier)`);
+  return true;
+}
+async function secretsSet(deps, key, opts) {
+  if (!isValidSecretKey(key)) return deps.err(`invalid secret key ${JSON.stringify(key)}`);
+  const value = await deps.readSecretValue(`value for ${key} (input hidden; will not be echoed): `);
+  if (!value) {
+    deps.err("secrets set: empty value \u2014 aborted (nothing written)");
+    return;
+  }
+  await putSecret(deps, key, value, opts);
 }
 async function secretsEdit(deps, key, opts) {
   return secretsSet(deps, key, opts);
@@ -8241,6 +8408,22 @@ function expectedRedirectUris(cfg) {
 function oauthSsmKeys() {
   return SSM_ENVS.flatMap((env) => SSM_NAMES.map((name) => `${env}/${name}`));
 }
+function parseOauthClientJson(input) {
+  let parsed;
+  try {
+    parsed = JSON.parse(input);
+  } catch {
+    throw new Error('not valid JSON \u2014 pipe the Google client JSON (the Console "Download JSON" file)');
+  }
+  const root = parsed ?? {};
+  const obj = root.web ?? root.installed ?? parsed;
+  const clientId = typeof obj?.client_id === "string" ? obj.client_id.trim() : "";
+  const clientSecret = typeof obj?.client_secret === "string" ? obj.client_secret.trim() : "";
+  if (!clientId || !clientSecret) {
+    throw new Error("missing client_id or client_secret in the JSON");
+  }
+  return { clientId, clientSecret };
+}
 function parseOauthConfig(mmiConfig, slug) {
   const rawUnknown = mmiConfig?.oauth;
   if (rawUnknown === void 0) throw new Error(`oauth is not configured for ${slug}`);
@@ -9112,7 +9295,7 @@ function reportWrite(label, res) {
   fail(`${label}: HTTP ${res.status}${detail ? ` \u2014 ${detail}` : ""}`);
 }
 var tenant = program2.command("tenant").description("tenant runtime control through Hub authority");
-tenant.command("control <owner/repo> <stage> <action>").description("run bounded service control (status/start/stop/restart) for a tenant; project-admin dev/rc, master main").option("--json", "machine-readable output").action(async (repo, stage2, action) => {
+tenant.command("control <owner/repo> <stage> <action>").description("run bounded service control (status/start/stop/restart, plus rc-only retire) for a tenant; project-admin dev/rc, master main").option("--json", "machine-readable output").action(async (repo, stage2, action) => {
   const cfg = await loadConfig();
   const res = await tenantControl({ repo, stage: stage2, action }, registryClientDeps(cfg));
   reportWrite("tenant control", res);
@@ -9344,7 +9527,29 @@ oauth.command("plan", { isDefault: true }).description("print the canonical JS o
   console.log(`
 SSM cred params (under /mmi-future/${slug}/):`);
   ssm.forEach((k) => console.log(`  ${k}`));
-  console.log("\nProvision/repair the Console client per docs/Guides/oauth-provision.md; creds via `mmi-cli secrets set`.");
+  console.log("\nProvision/repair the Console client per docs/Guides/oauth-provision.md; store creds with `mmi-cli oauth set-creds`.");
+});
+oauth.command("set-creds").description('store the OAuth client into the canonical {dev,rc,main}/GOOGLE_CLIENT_* SSM keys (pipe the Console "Download JSON" on stdin)').option("--repo <owner/repo>", "target repo (defaults to the current repo)").action(async (o) => {
+  const raw = await readStdin();
+  if (!raw.trim()) {
+    return fail("oauth set-creds: pipe the Google client JSON on stdin \u2014 e.g.\n  mmi-cli oauth set-creds --repo <owner/repo> < client.json");
+  }
+  let creds;
+  try {
+    creds = parseOauthClientJson(raw);
+  } catch (e) {
+    return fail(`oauth set-creds: ${e.message}`);
+  }
+  await withSecrets(async (d) => {
+    for (const key of oauthSsmKeys()) {
+      const value = key.endsWith("GOOGLE_CLIENT_ID") ? creds.clientId : creds.clientSecret;
+      if (!await putSecret(d, key, value, { repo: o.repo })) {
+        process.exitCode = 1;
+        return;
+      }
+    }
+    console.log(`OAuth client stored in all ${oauthSsmKeys().length} canonical keys. Run \`mmi-cli oauth verify\` to confirm the client is port-agnostic.`);
+  });
 });
 oauth.command("verify").description("probe Google authorize with an arbitrary port (:9123) to confirm the client is port-agnostic").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--client-id <id>", "OAuth client_id (else read dev/GOOGLE_CLIENT_ID from SSM)").option("--json", "machine-readable output").action(async (o) => {
   const cfg = await loadConfig();
@@ -9895,7 +10100,8 @@ function renderDeployLine(d) {
   return parts.join("; ");
 }
 function renderTrainApply(commandName, r) {
-  return `mmi-cli ${commandName}: promoted ${r.repo} \u2192 ${r.stage} at ${r.tag} [${r.deployModel}]; ${renderDeployLine(r)}`;
+  const base = `mmi-cli ${commandName}: promoted ${r.repo} \u2192 ${r.stage} at ${r.tag} [${r.deployModel}]; ${renderDeployLine(r)}`;
+  return r.rcRetirement ? `${base}; rc retirement: ${r.rcRetirement.toUpperCase()} (${r.rcRetirementNote ?? ""})` : base;
 }
 function renderTenantRedeploy(r) {
   return `mmi-cli tenant redeploy: ${r.repo} ${r.stage} (ref=${r.ref}) [${r.deployModel}]; ${renderDeployLine(r)}`;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mutmutco/cli",
-  "version": "2.13.0",
+  "version": "2.14.1",
   "description": "MMI Future CLI — delivers the org rules (whole-file), plus saga and KB access. The cross-IDE engine the plugin's SessionStart hook drives.",
   "type": "module",
   "license": "UNLICENSED",