@mutmutco/cli 2.17.0 → 2.18.0

package/dist/index.cjs

@@ -3525,7 +3525,7 @@ function parseHookInput(stdin) {
 }
 
 // src/index.ts
-var import_node_child_process6 = require("node:child_process");
+var import_node_child_process7 = require("node:child_process");
 var import_node_util6 = require("node:util");
 var import_node_path8 = require("node:path");
 var import_node_os3 = require("node:os");
@@ -5106,6 +5106,42 @@ function ghError(e) {
 }
 
 // src/gc.ts
+var WORKTREE_LOCK_RE = /EPERM|EBUSY|EACCES|ENOTEMPTY|permission denied|access is denied|used by another process|resource busy|directory not empty/i;
+function isWorktreeLockError(error) {
+  return WORKTREE_LOCK_RE.test(error instanceof Error ? error.message : String(error));
+}
+var defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+async function removeWorktreeWithRecovery(wtPath, deps) {
+  const maxAttempts = deps.maxAttempts ?? 3;
+  const backoff = deps.backoffMs ?? [250, 1e3];
+  let attempts = 0;
+  let lastError;
+  for (let i = 0; i < maxAttempts; i++) {
+    attempts++;
+    try {
+      await deps.git(["worktree", "remove", "--force", wtPath]);
+      return { status: "removed", attempts, recovery: i > 0 ? "retry" : void 0 };
+    } catch (e) {
+      lastError = e;
+      const retriesLeft = i < maxAttempts - 1;
+      if (retriesLeft && isWorktreeLockError(e)) {
+        await deps.sleep(backoff[Math.min(i, backoff.length - 1)]);
+        continue;
+      }
+      break;
+    }
+  }
+  if (deps.removeWorktreeDir) {
+    try {
+      await deps.removeWorktreeDir(wtPath);
+      await deps.git(["worktree", "prune"]).catch(() => "");
+      return { status: "removed", attempts, recovery: "fallback" };
+    } catch (fallbackError) {
+      lastError = fallbackError;
+    }
+  }
+  return { status: "failed", attempts, error: errorMessage(lastError) };
+}
 function buildRemoteBranchCleanupReport(branch, input) {
   if (!input.attempted) return { name: branch, status: "not-attempted", reason: input.reason };
   if (input.existsAfter === true) return { name: branch, status: "failed", reason: "still-present-after-delete" };
@@ -5145,6 +5181,14 @@ function buildPrMergeResultPayload(input) {
     worktree: input.localCleanup.worktree
   };
 }
+function buildPrMergeArgs(input) {
+  const args = ["pr", "merge", input.number, ...input.repoArgs, input.method, "--delete-branch"];
+  if (input.auto) args.push("--auto");
+  return args;
+}
+function basePolicyBlocksImmediateMerge(message) {
+  return /base branch policy prohibits|protected branch|required status check|merge queue/i.test(message);
+}
 async function checkRemoteBranchExists(branch, deps, options = {}) {
   if (!branch) return void 0;
   try {
@@ -5394,14 +5438,18 @@ async function cleanupPrMergeLocalBranch(branch, options) {
         stageTeardown = { status: "failed", error: errorMessage(e) };
       }
     }
-    try {
-      await git(["worktree", "remove", "--force", wtPath]);
-      report.worktree = { path: wtPath, status: "removed", stageTeardown };
-    } catch (e) {
+    const outcome = await removeWorktreeWithRecovery(wtPath, {
+      git,
+      sleep: options.sleep ?? defaultSleep,
+      removeWorktreeDir: options.removeWorktreeDir
+    });
+    if (outcome.status === "removed") {
+      report.worktree = { path: wtPath, status: "removed", stageTeardown, recovery: outcome.recovery };
+    } else {
       report.worktree = {
         path: wtPath,
         status: "failed",
-        error: errorMessage(e),
+        error: outcome.error,
         safeCleanupCommand: safeWorktreeRemoveCommand(safeCwd, wtPath),
         stageTeardown
       };
@@ -5529,10 +5577,11 @@ function rcandVersionStep(targets) {
 }
 function trainPlan(command, options = {}) {
   const isHub = options.repo?.toLowerCase() === "mutmutco/mmi-hub";
+  const isDirect = options.releaseTrack === "direct" || options.releaseTrack === void 0 && isHub;
   if (command === "rcand") {
-    if (isHub) {
+    if (isDirect) {
       return [
-        { label: "MMI-Hub releases skip rc; use /release from development instead", command: "mmi-cli release --apply", gated: true }
+        { label: "direct-track repos skip rc; use /release from development instead", command: "mmi-cli release --apply", gated: true }
       ];
     }
     return [
@@ -5548,16 +5597,16 @@ function trainPlan(command, options = {}) {
     ];
   }
   if (command === "release") {
-    if (isHub) {
+    if (isDirect) {
       return [
         { label: "verify operator is a master-admin org owner", command: "gh api orgs/<owner>/memberships/<login> --jq .role", gated: true },
         { label: "verify current branch is development", gated: true },
         { label: "verify registry META for this project", command: "mmi-cli project get <owner/repo>", gated: true },
         { label: "preflight required main secret names", command: "mmi-cli secrets preflight --stage main --repo <owner/repo>", gated: true },
-        { label: "Hub releases skip rc; verify the distribution bump is already landed on development", command: "node scripts/release-distribution.mjs verify <release-tag> --skip-npm-view", gated: true },
+        { label: "direct-track release skips rc; verify any distribution bump is already landed on development", command: "node scripts/release-distribution.mjs verify <release-tag> --skip-npm-view", gated: true },
         { label: "merge development to main", gated: true },
         { label: "tag release and publish GitHub Release", gated: true },
-        { label: "trigger the Hub deploy path from the release event", command: "hub-serverless: deploy.yml + publish.yml auto-fire on the release", gated: true },
+        { label: "trigger the repo deploy path from the release event", command: "hub-serverless: deploy.yml + publish.yml auto-fire on the release; other models deploy via their own workflow", gated: true },
         { label: "roll development forward", gated: true }
       ];
     }
@@ -5566,7 +5615,7 @@ function trainPlan(command, options = {}) {
       { label: "verify current branch is rc", gated: true },
       { label: "verify registry META for this project", command: "mmi-cli project get <owner/repo>", gated: true },
       { label: "preflight required main secret names", command: "mmi-cli secrets preflight --stage main --repo <owner/repo>", gated: true },
-      { label: "verify every main-only hotfix commit is covered by the rc candidate", command: "node scripts/hotfix-coverage.mjs", gated: true },
+      { label: "verify every main-only hotfix commit is covered by the rc candidate (the guard runs automatically inside the apply step below; --ack <sha> overrides a verified, trailer-less port)", command: "mmi-cli release --apply [--ack <sha>]", gated: true },
       { label: "merge rc to main", gated: true },
       { label: "for Hub distribution changes, verify the promoted SHA carries the release bump", command: "node scripts/release-distribution.mjs verify <release-tag> --skip-npm-view; if missing: mmi-cli train prep --apply", gated: true },
       { label: "tag release and publish GitHub Release", gated: true },
@@ -5599,10 +5648,13 @@ function bootstrapPlan(repo, repoClass) {
 function shellFor(platform = process.platform) {
   return platform === "win32" ? "powershell" : "bash";
 }
+function isCentralContainerModel(model) {
+  return model === "tenant-container" || model === "solo-container";
+}
 function deriveStageGap(inputs) {
   const missing = [];
-  if (inputs.deployModel !== "tenant-container") {
-    return `local stage default applies to tenant-container repos only (registry deployModel = ${inputs.deployModel ?? "unset"})`;
+  if (!isCentralContainerModel(inputs.deployModel)) {
+    return `local stage default applies to central-container repos only (tenant-container/solo-container; registry deployModel = ${inputs.deployModel ?? "unset"})`;
   }
   if (!inputs.hasCompose) missing.push("docker-compose.yml");
   if (!inputs.hasEnvExample) missing.push(".env.example");
@@ -6395,16 +6447,21 @@ async function runStage(config = {}, opts = {}) {
 }
 
 // src/project-model.ts
-var PROJECT_TYPES = ["web-app", "hub-service", "content", "desktop-game", "non-deployable"];
-var DEPLOY_MODELS = ["hub-serverless", "serverless", "tenant-container", "content", "none"];
+var PROJECT_TYPES = ["web-app", "hub-service", "content", "desktop-game", "non-deployable", "cli-tool", "worker"];
+var DEPLOY_MODELS = ["hub-serverless", "serverless", "tenant-container", "solo-container", "registry-publish", "content", "none"];
+var RELEASE_TRACKS = ["full", "direct", "trunk"];
 var PROJECT_TYPE_SET = new Set(PROJECT_TYPES);
 var DEPLOY_MODEL_SET = new Set(DEPLOY_MODELS);
+var RELEASE_TRACK_SET = new Set(RELEASE_TRACKS);
 function isProjectType(value) {
   return Boolean(value && PROJECT_TYPE_SET.has(value));
 }
 function isDeployModel(value) {
   return Boolean(value && DEPLOY_MODEL_SET.has(value));
 }
+function isReleaseTrack(value) {
+  return Boolean(value && RELEASE_TRACK_SET.has(value));
+}
 function repoIsHub(repo) {
   return repo.toLowerCase().endsWith("/mmi-hub") || repo.toLowerCase() === "mmi-hub";
 }
@@ -6413,6 +6470,8 @@ function resolveProjectTypeConfident(meta, repo) {
   if (isProjectType(rawType)) return rawType;
   if (meta?.class === "content" || meta?.deployModel === "content") return "content";
   if (meta?.deployModel === "hub-serverless" || repoIsHub(repo)) return "hub-service";
+  if (meta?.deployModel === "registry-publish") return "cli-tool";
+  if (meta?.deployModel === "solo-container") return "worker";
   if (meta?.deployModel === "none") return "non-deployable";
   return void 0;
 }
@@ -6426,10 +6485,22 @@ function resolveDeployModel(meta, repo) {
   if (projectType === "content" || meta?.class === "content") return "content";
   if (projectType === "hub-service" || repoIsHub(repo)) return "hub-serverless";
   if (projectType === "desktop-game" || projectType === "non-deployable") return "none";
+  if (projectType === "cli-tool") return "registry-publish";
   return "tenant-container";
 }
 function projectTypeClearsWebProfile(projectType, deployModel) {
-  return projectType === "content" || projectType === "desktop-game" || projectType === "non-deployable" || deployModel === "content" || deployModel === "none";
+  return projectType === "content" || projectType === "desktop-game" || projectType === "non-deployable" || projectType === "cli-tool" || deployModel === "content" || deployModel === "none" || deployModel === "registry-publish";
+}
+function resolveReleaseTrack(meta) {
+  const raw = typeof meta?.releaseTrack === "string" ? meta.releaseTrack : void 0;
+  if (isReleaseTrack(raw)) return raw;
+  if (meta?.class === "content" || meta?.deployModel === "content") return "trunk";
+  return "full";
+}
+function branchesForTrack(track) {
+  if (track === "trunk") return ["main"];
+  if (track === "direct") return ["development", "main"];
+  return ["development", "rc", "main"];
 }
 
 // src/train-apply.ts
@@ -6552,6 +6623,13 @@ var HUB_REPO2 = "mutmutco/MMI-Hub";
 function isHubControlRepo(repo) {
   return repo.toLowerCase() === HUB_REPO2.toLowerCase();
 }
+async function loadProjectMeta(deps, ctx) {
+  try {
+    return JSON.parse(await deps.runSelf(["project", "get", ctx.repo]));
+  } catch {
+    return null;
+  }
+}
 var CORRELATE_ATTEMPTS = 5;
 var CORRELATE_DELAY_MS = 1500;
 var CORRELATE_SKEW_SLACK_MS = 1e4;
@@ -6561,7 +6639,7 @@ var TRAIN_PROTECTION_CONTEXTS_JQ = "[.contexts[]]";
 var TRAIN_RULES_CONTEXTS_JQ = '[.[]|select(.type=="required_status_checks")|.parameters.required_status_checks[].context]';
 var TRAIN_CHECK_ATTEMPTS = 40;
 var TRAIN_CHECK_DELAY_MS = 15e3;
-async function correlateTenantRun(deps, since) {
+async function correlateDispatchedRun(deps, workflow, since) {
   const sleep = deps.sleep ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
   const threshold = since - CORRELATE_SKEW_SLACK_MS;
   for (let attempt = 0; attempt < CORRELATE_ATTEMPTS; attempt++) {
@@ -6574,7 +6652,7 @@ async function correlateTenantRun(deps, since) {
         "--repo",
         HUB_REPO2,
         "--workflow",
-        "tenant-deploy.yml",
+        workflow,
         "--limit",
         "10",
         "--json",
@@ -6589,6 +6667,12 @@ async function correlateTenantRun(deps, since) {
   }
   return {};
 }
+function correlateTenantRun(deps, since) {
+  return correlateDispatchedRun(deps, "tenant-deploy.yml", since);
+}
+function correlatePublishRun(deps, since) {
+  return correlateDispatchedRun(deps, "tenant-publish.yml", since);
+}
 async function correlateWorkflowRun(deps, args) {
   const sleep = deps.sleep ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
   const threshold = args.since - CORRELATE_SKEW_SLACK_MS;
@@ -6763,12 +6847,19 @@ async function resolveRcResumeTag(deps, base, sha) {
   return { tag: newest, note };
 }
 async function dispatchDeploy(deps, ctx, stage2, ref, model, watch, autoRunSince, autoRunHeadSha) {
-  if (model === "tenant-container") {
+  if (model === "tenant-container" || model === "solo-container") {
+    const since = (deps.now ?? Date.now)();
+    await deps.dispatchTenantDeploy({ repo: ctx.repo, slug: ctx.slug, ref, stage: stage2 });
+    const { runId, runUrl } = await correlateTenantRun(deps, since);
+    const deployStatus = watch ? await watchTenantRun(deps, runId) : "pending";
+    return { note: `dispatched tenant-deploy.yml (slug=${ctx.slug}, ref=${ref}, stage=${stage2})`, runId, runUrl, deployStatus };
+  }
+  if (model === "registry-publish") {
     const since = (deps.now ?? Date.now)();
     await deps.run("gh", [
       "workflow",
       "run",
-      "tenant-deploy.yml",
+      "tenant-publish.yml",
       "--repo",
       HUB_REPO2,
       "-f",
@@ -6780,9 +6871,9 @@ async function dispatchDeploy(deps, ctx, stage2, ref, model, watch, autoRunSince
       "-f",
       `stage=${stage2}`
     ]);
-    const { runId, runUrl } = await correlateTenantRun(deps, since);
+    const { runId, runUrl } = await correlatePublishRun(deps, since);
     const deployStatus = watch ? await watchTenantRun(deps, runId) : "pending";
-    return { note: `dispatched tenant-deploy.yml (slug=${ctx.slug}, ref=${ref}, stage=${stage2})`, runId, runUrl, deployStatus };
+    return { note: `dispatched tenant-publish.yml (slug=${ctx.slug}, ref=${ref}, stage=${stage2})`, runId, runUrl, deployStatus };
   }
   if (model === "hub-serverless") {
     const note = ref === "rc" ? "no manual dispatch: deploy.yml auto-fires on the rc push (rc stage)" : "no manual dispatch: deploy.yml + publish.yml auto-fire on the published Release (prod)";
@@ -6813,13 +6904,7 @@ async function dispatchDeploy(deps, ctx, stage2, ref, model, watch, autoRunSince
   }
   return { note: `no manual dispatch: ${model} repo deploys via its own push-triggered workflow`, deployStatus: "pending" };
 }
-async function preflight(deps, ctx, stage2) {
-  let meta = null;
-  try {
-    meta = JSON.parse(await deps.runSelf(["project", "get", ctx.repo]));
-  } catch {
-    meta = null;
-  }
+async function preflight(deps, ctx, stage2, meta) {
   const model = resolveDeployModel2(meta, ctx.repo);
   if (model === "content") {
     throw new Error(`${ctx.repo} is a content repo (deployModel=content) \u2014 the release train does not apply (trunk-based; PR to main)`);
@@ -6835,17 +6920,19 @@ async function runTrainApply(command, deps, options = {}) {
   const ctx = await buildTrainApplyContext(deps);
   await requireCleanTree(deps);
   await deps.run("git", ["fetch", "origin"]);
+  const meta = await loadProjectMeta(deps, ctx);
+  const directTrack = isHubControlRepo(ctx.repo) || resolveReleaseTrack(meta) === "direct";
   if (command === "rcand") {
     await requireBranch(deps, "development");
+    if (directTrack) {
+      throw new Error("direct-track repos release straight to main (no rc); run `mmi-cli release --apply` from development instead of rcand");
+    }
     await deps.run("git", ["pull", "--ff-only", "origin", "development"]);
     ensurePositiveCount(
       await deps.run("git", ["rev-list", "--count", "origin/rc..origin/development"]),
       "nothing to promote: origin/development is not ahead of origin/rc"
     );
-    const deployModel2 = await preflight(deps, ctx, "rc");
-    if (isHubControlRepo(ctx.repo) && deployModel2 === "hub-serverless") {
-      throw new Error("MMI-Hub releases directly from development to main; run mmi-cli release --apply from development instead of rcand");
-    }
+    const deployModel2 = await preflight(deps, ctx, "rc", meta);
     const releaseBase = requireValue(clean(await deps.run("node", ["scripts/next-version.mjs", "cycle"])), "release base");
     await verifyHubDistributionVersion(deps, deployModel2, releaseBase);
     await deps.run("git", ["checkout", "rc"]);
@@ -6863,17 +6950,14 @@ async function runTrainApply(command, deps, options = {}) {
     const d2 = await dispatchDeploy(deps, ctx, "rc", "rc", deployModel2, watch, autoRunSince2, rcSha);
     return { ...ctx, command, stage: "rc", ref: "rc", tag: tag2, deployModel: deployModel2, promoted: true, checks: checks2, resumeNote, dispatch: d2.note, runId: d2.runId, runUrl: d2.runUrl, workflowRuns: d2.workflowRuns, deployStatus: d2.deployStatus };
   }
-  if (isHubControlRepo(ctx.repo)) {
+  if (directTrack) {
     await requireBranch(deps, "development");
     await deps.run("git", ["pull", "--ff-only", "origin", "development"]);
     ensurePositiveCount(
       await deps.run("git", ["rev-list", "--count", "origin/main..origin/development"]),
       "nothing to release: origin/development is not ahead of origin/main"
     );
-    const deployModel2 = await preflight(deps, ctx, "main");
-    if (deployModel2 !== "hub-serverless") {
-      throw new Error(`MMI-Hub direct release requires deployModel=hub-serverless, got ${deployModel2}`);
-    }
+    const deployModel2 = await preflight(deps, ctx, "main", meta);
     const tag2 = requireValue(clean(await deps.run("node", ["scripts/next-version.mjs", "cycle"])), "release tag");
     await verifyHubDistributionVersion(deps, deployModel2, tag2);
     const predicted2 = await predictMergeConflicts(deps, "origin/main", "origin/development");
@@ -6918,7 +7002,7 @@ async function runTrainApply(command, deps, options = {}) {
       workflowRuns: d2.workflowRuns,
       deployStatus: d2.deployStatus,
       rcRetirement: "not-applicable",
-      rcRetirementNote: "Hub releases skip rc; no rc runtime to retire",
+      rcRetirementNote: "direct-track release skips rc; no rc runtime to retire",
       announceNote: announceNote2,
       release: { tag: tag2, url: releaseUrl2, targetSha: releaseSha2 }
     };
@@ -6928,7 +7012,7 @@ async function runTrainApply(command, deps, options = {}) {
     await deps.run("git", ["rev-list", "--count", "origin/main..origin/rc"]),
     "nothing to release: origin/rc is not ahead of origin/main"
   );
-  const deployModel = await preflight(deps, ctx, "main");
+  const deployModel = await preflight(deps, ctx, "main", meta);
   const predicted = await predictMergeConflicts(deps, "origin/main", "origin/rc");
   const predictedNonSpine = predicted.filter((f) => !isSpinePath(f));
   if (predictedNonSpine.length > 0) {
@@ -6936,6 +7020,13 @@ async function runTrainApply(command, deps, options = {}) {
       `rc -> main merge would conflict on non-spine path(s): ${predictedNonSpine.join(", ")} \u2014 no merge was started. The train is misaligned: reconcile main and rc via an approved alignment PR (do not hand-resolve on main), then rerun release.`
     );
   }
+  const coverage = deps.hotfixCoverage({ mainRef: "origin/main", rcRef: "origin/rc", ack: options.ack ?? [] });
+  if (!coverage.ok) {
+    const list = coverage.uncovered.map((c) => `${c.sha.slice(0, 8)} ${c.subject}`).join("; ");
+    throw new Error(
+      `hotfix-coverage: ${coverage.uncovered.length} main-only commit(s) not proven in origin/rc \u2014 the candidate would revert a prod hotfix: ${list}. Re-cut /rcand from development, or have the authorized human verify the content is in the candidate and rerun release with --ack <sha>[,<sha>\u2026].`
+    );
+  }
   const releasedRcSha = clean(await deps.run("git", ["rev-parse", "origin/rc"]));
   await deps.run("git", ["checkout", "main"]);
   await deps.run("git", ["pull", "--ff-only", "origin", "main"]);
@@ -7015,6 +7106,49 @@ function retireCategoryFrom(text) {
     return void 0;
   }
 }
+var TRANSPORT_REASONS = /* @__PURE__ */ new Set(["invalid-instance", "invalid-document", "throttled", "timeout", "other"]);
+function retireReasonFrom(text) {
+  try {
+    const r = JSON.parse(text).reason;
+    return typeof r === "string" && TRANSPORT_REASONS.has(r) ? r : void 0;
+  } catch {
+    return void 0;
+  }
+}
+function isRetryableTransport(reason) {
+  return reason === void 0 || reason === "throttled" || reason === "timeout" || reason === "other";
+}
+var RETIRE_MAX_ATTEMPTS = 3;
+var RETIRE_BACKOFF_MS = 1500;
+async function attemptRetire(deps, ctx) {
+  try {
+    const out = await deps.runSelf(["tenant", "control", ctx.repo, "rc", "retire"]);
+    let commandId = "";
+    let category = retireCategoryFrom(out);
+    try {
+      commandId = String(JSON.parse(out).commandId ?? "");
+    } catch {
+    }
+    if (category === "retired-edge-pending") {
+      return { result: {
+        status: "retired",
+        category,
+        note: `rc runtime retired; edge vhost reconcile pending (tenant control retire${commandId ? `, command ${commandId}` : ""}) \u2014 registry coords kept`
+      } };
+    }
+    category = category ?? "retired";
+    return { result: {
+      status: "retired",
+      category,
+      note: `rc runtime retired (tenant control retire${commandId ? `, command ${commandId}` : ""}) \u2014 registry coords kept; /rcand or tenant redeploy recreates rc next cycle`
+    } };
+  } catch (e) {
+    const err = e;
+    const category = retireCategoryFrom(err.stdout ?? "") ?? "transport-failed";
+    const reason = retireReasonFrom(err.stdout ?? "");
+    return { result: { status: "failed", category, note: `rc retirement failed (the release itself succeeded): ${err.message}` }, reason, message: err.message };
+  }
+}
 async function retireRcRuntime(deps, ctx, model, deployStatus, releasedRcSha) {
   if (model !== "tenant-container") {
     return { status: "not-applicable", note: `${model} has no co-resident rc runtime to retire` };
@@ -7037,30 +7171,22 @@ async function retireRcRuntime(deps, ctx, model, deployStatus, releasedRcSha) {
         note: `origin/rc moved past the released candidate (${releasedRcSha.slice(0, 7)} -> ${rcNow.slice(0, 7)}) \u2014 a new candidate is in flight; rc runtime left untouched`
       };
     }
-    const out = await deps.runSelf(["tenant", "control", ctx.repo, "rc", "retire"]);
-    let commandId = "";
-    let category = retireCategoryFrom(out);
-    try {
-      commandId = String(JSON.parse(out).commandId ?? "");
-    } catch {
-    }
-    if (category === "retired-edge-pending") {
-      return {
-        status: "retired",
-        category,
-        note: `rc runtime retired; edge vhost reconcile pending (tenant control retire${commandId ? `, command ${commandId}` : ""}) \u2014 registry coords kept`
-      };
-    }
-    category = category ?? "retired";
-    return {
-      status: "retired",
-      category,
-      note: `rc runtime retired (tenant control retire${commandId ? `, command ${commandId}` : ""}) \u2014 registry coords kept; /rcand or tenant redeploy recreates rc next cycle`
-    };
+    const sleep = deps.sleep ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
+    let last;
+    for (let attempt = 1; attempt <= RETIRE_MAX_ATTEMPTS; attempt++) {
+      last = await attemptRetire(deps, ctx);
+      if (last.result.status === "retired") return last.result;
+      const retryable = last.result.category === "transport-failed" && isRetryableTransport(last.reason);
+      if (!retryable || attempt === RETIRE_MAX_ATTEMPTS) break;
+      await sleep(RETIRE_BACKOFF_MS * attempt);
+    }
+    const f = last;
+    const reasonSuffix = f.reason ? ` [reason: ${f.reason}]` : "";
+    const note = `rc retirement failed (the release itself succeeded)${reasonSuffix}: ${f.message ?? f.result.note}. The rc runtime may be orphaned on the box \u2014 retire it with: mmi-cli tenant control ${ctx.repo} rc retire (or sweep all: mmi-cli tenant sweep-rc --retire --yes)`;
+    return { status: "failed", category: f.result.category, note };
   } catch (e) {
     const err = e;
-    const category = retireCategoryFrom(err.stdout ?? "") ?? "transport-failed";
-    return { status: "failed", category, note: `rc retirement failed (the release itself succeeded): ${err.message}` };
+    return { status: "failed", category: "transport-failed", note: `rc retirement failed (the release itself succeeded): ${err.message}` };
   }
 }
 async function runTenantRedeploy(deps, options) {
@@ -7082,13 +7208,86 @@ async function runTenantRedeploy(deps, options) {
     meta = null;
   }
   const deployModel = resolveDeployModel2(meta, repo);
-  if (deployModel !== "tenant-container") {
-    throw new Error(`${repo} is ${deployModel}, not tenant-container \u2014 there is no central tenant-deploy run to retry (its deploy fires from its own workflow)`);
+  if (deployModel !== "tenant-container" && deployModel !== "solo-container") {
+    throw new Error(`${repo} is ${deployModel}, not a central-container model (tenant-container/solo-container) \u2014 there is no central tenant-deploy run to retry (its deploy fires from its own workflow)`);
   }
   const d = await dispatchDeploy(deps, ctx, stage2, ref, deployModel, watch);
   return { ...ctx, command: "tenant-redeploy", stage: stage2, ref, deployModel, dispatch: d.note, runId: d.runId, runUrl: d.runUrl, workflowRuns: d.workflowRuns, deployStatus: d.deployStatus };
 }
 
+// src/hotfix-coverage.ts
+var import_node_child_process6 = require("node:child_process");
+var CHERRY_TRAILER = /\(cherry picked from commit ([0-9a-f]{7,40})\)/g;
+function checkHotfixCoverage(options = {}) {
+  const { cwd = process.cwd(), mainRef = "origin/main", rcRef = "origin/rc", manifestPaths = [] } = options;
+  const ack = (options.ack ?? []).filter(Boolean);
+  const git = options.git ?? ((args, opts) => (0, import_node_child_process6.execFileSync)("git", args, { cwd, encoding: "utf8", input: opts?.input, stdio: ["pipe", "pipe", "pipe"] }));
+  const revList = (range) => {
+    const out = git(["rev-list", "--no-merges", range]).trim();
+    return out ? out.split("\n") : [];
+  };
+  const isAncestor = (sha, ref) => {
+    try {
+      git(["merge-base", "--is-ancestor", sha, ref]);
+      return true;
+    } catch {
+      return false;
+    }
+  };
+  const patchId = (sha) => {
+    const diff = git(["show", "--no-color", "--pretty=format:", sha]);
+    if (!diff.trim()) return null;
+    const out = git(["patch-id", "--stable"], { input: diff }).trim();
+    return out ? out.split(" ")[0] : null;
+  };
+  const changedPaths = (sha) => {
+    const out = git(["show", "--no-color", "--name-only", "--pretty=format:", sha]).trim();
+    return out ? out.split("\n") : [];
+  };
+  const cherrySources = (sha) => {
+    const message = git(["log", "-1", "--format=%B", sha]);
+    return [...message.matchAll(CHERRY_TRAILER)].map((m) => m[1]);
+  };
+  const mainOnly = revList(`${rcRef}..${mainRef}`);
+  const rcSidePatchIds = /* @__PURE__ */ new Map();
+  let rcSideBuilt = false;
+  const buildRcSide = () => {
+    if (rcSideBuilt) return;
+    rcSideBuilt = true;
+    for (const sha of revList(`${mainRef}..${rcRef}`)) {
+      const id = patchId(sha);
+      if (id) rcSidePatchIds.set(id, sha);
+    }
+  };
+  const commits = mainOnly.map((sha) => {
+    const subject = git(["log", "-1", "--format=%s", sha]).trim();
+    const paths = changedPaths(sha);
+    if (paths.length > 0 && paths.every((p) => manifestPaths.includes(p))) {
+      return { sha, subject, coverage: "exempt-distribution" };
+    }
+    const sources = cherrySources(sha);
+    if (sources.length > 0) {
+      if (sources.every((s) => isAncestor(s, rcRef))) {
+        return { sha, subject, coverage: "trailer", sources };
+      }
+      if (ack.some((a) => sha.startsWith(a))) return { sha, subject, coverage: "acked", sources };
+      return { sha, subject, coverage: "uncovered", sources };
+    }
+    const id = patchId(sha);
+    if (id) {
+      buildRcSide();
+      const matchedRcSha = rcSidePatchIds.get(id);
+      if (matchedRcSha) {
+        return { sha, subject, coverage: "patch-id", matchedRcSha };
+      }
+    }
+    if (ack.some((a) => sha.startsWith(a))) return { sha, subject, coverage: "acked" };
+    return { sha, subject, coverage: "uncovered" };
+  });
+  const uncovered = commits.filter((c) => c.coverage === "uncovered");
+  return { ok: uncovered.length === 0, mainRef, rcRef, commits, uncovered };
+}
+
 // src/train-prep.ts
 function clean2(text) {
   return text.trim();
@@ -7117,6 +7316,69 @@ async function runTrainPrep(deps, options = {}) {
   return { target, version, applied: true, command: "mmi-cli pr create --base development --head <current-branch>", stagedFiles };
 }
 
+// src/tenant-sweep.ts
+function isRcBearingTenant(p) {
+  if ((p.deployModel ?? "") !== "tenant-container") return false;
+  return (p.releaseTrack ?? "full") === "full";
+}
+function pickRepo(p) {
+  const repos = p.repos ?? [];
+  if (repos.length === 0) return null;
+  const bySlug = repos.find((r) => r.split("/")[1]?.toLowerCase() === (p.slug ?? "").toLowerCase());
+  return bySlug ?? repos[0];
+}
+async function sweepRcOrphans(deps, opts) {
+  const projects = await deps.listProjects();
+  if (!projects) throw new Error("project list unavailable \u2014 Hub unreachable or this repo is not bootstrapped");
+  const targets = projects.filter(isRcBearingTenant);
+  const stages = [];
+  for (const p of targets) {
+    const repo = pickRepo(p);
+    if (!repo) continue;
+    const slug = p.slug ?? "";
+    let serviceState;
+    try {
+      serviceState = (await deps.status(repo)).serviceState || "unknown";
+    } catch (e) {
+      stages.push({ repo, slug, serviceState: "error", orphanCandidate: false, detail: e.message });
+      continue;
+    }
+    const orphanCandidate = serviceState === "running";
+    const stage2 = { repo, slug, serviceState, orphanCandidate };
+    if (orphanCandidate && opts.retire) {
+      try {
+        const r = await deps.retire(repo);
+        stage2.retired = r.ok ? "retired" : "failed";
+        stage2.category = r.category;
+        stage2.reason = r.reason;
+      } catch (e) {
+        stage2.retired = "failed";
+        stage2.detail = e.message;
+      }
+    }
+    stages.push(stage2);
+  }
+  return {
+    scanned: stages.length,
+    running: stages.filter((s) => s.orphanCandidate && s.retired !== "retired").length,
+    stages,
+    retireAttempted: !!opts.retire
+  };
+}
+function renderSweep(r) {
+  const lines = [`tenant sweep-rc: scanned ${r.scanned} tenant-container(s); ${r.running} rc runtime(s) running`];
+  for (const s of r.stages) {
+    let line = `  ${s.repo} rc: ${s.orphanCandidate ? "RUNNING" : s.serviceState}`;
+    if (s.retired) line += ` -> ${s.retired}${s.category ? ` (${s.category}${s.reason ? `/${s.reason}` : ""})` : ""}`;
+    if (s.detail) line += ` \u2014 ${s.detail}`;
+    lines.push(line);
+  }
+  if (r.running > 0 && !r.retireAttempted) {
+    lines.push("Retire an orphan with: mmi-cli tenant control <owner/repo> rc retire (or sweep all running: mmi-cli tenant sweep-rc --retire --yes)");
+  }
+  return lines.join("\n");
+}
+
 // src/hotfix-apply.ts
 var HOTFIX_RELEASE_WORKFLOWS = ["deploy.yml", "publish.yml"];
 var HOTFIX_RUN_FIND_ATTEMPTS = 10;
@@ -7605,6 +7867,18 @@ function ensurePortRange(repo, path2) {
 function portCursorSeed(registry2) {
   return nextPortBlock(registry2)[0];
 }
+function metaPortRange(meta) {
+  const r = meta?.portRange;
+  if (r && typeof r.start === "number" && typeof r.end === "number") return [r.start, r.end];
+  return null;
+}
+function decidePortRange(input) {
+  if (!input.metaReadOk) {
+    return { action: "fail", reason: "could not verify the existing port block (Hub registry read failed) \u2014 retry; NOT allocating (a re-allocation on an unverified read would advance the cursor and hand out a duplicate block)" };
+  }
+  if (input.metaPortRange) return { action: "return", range: input.metaPortRange };
+  return { action: "allocate" };
+}
 function existingPortRange(repo, registry2) {
   return registry2[repo] ?? null;
 }
@@ -7884,7 +8158,8 @@ var requiredProjectWorkflows = [
 ];
 var requiredOrgRulesetTypes = ["pull_request", "non_fast_forward", "deletion"];
 var requiredHubStatusChecks = ["cli", "infra", "docs"];
-function expectedBranches(repoClass) {
+function expectedBranches(repoClass, releaseTrack) {
+  if (isReleaseTrack(releaseTrack)) return branchesForTrack(releaseTrack);
   return repoClass === "content" ? ["main"] : ["development", "rc", "main"];
 }
 function gcpProjectForSlug(slug) {
@@ -7977,9 +8252,9 @@ function localRegistryCheck(deps, path2, predicate) {
   if (text == null) return null;
   return predicate(safeJson2(text, null));
 }
-async function verifyBootstrap(repo, repoClass, deps) {
-  const branchesWanted = expectedBranches(repoClass);
-  const baseBranch = repoClass === "content" ? "main" : "development";
+async function verifyBootstrap(repo, repoClass, deps, releaseTrack) {
+  const branchesWanted = expectedBranches(repoClass, releaseTrack);
+  const baseBranch = releaseTrack === "trunk" || repoClass === "content" ? "main" : "development";
   const checks = [];
   const repoInfo = await restJson2(deps, `repos/${repo}`, {});
   checks.push({ ok: Boolean(repoInfo.default_branch), label: "repo exists" });
@@ -8281,6 +8556,15 @@ function parseOwnerRepo(repo) {
   if (owner.includes("\\") || name.includes("\\")) throw new Error("repo must be owner/repo");
   return { owner, name, slug: name.toLowerCase(), fullName: `${owner}/${name}` };
 }
+var DEFAULT_INSTALL_CMD = "npm ci";
+function withDerivedRepoVars(vars, parsed, cls) {
+  const out = { ...vars };
+  out.REPO_NAME ??= parsed.name;
+  out.REPO_SLUG ??= parsed.slug;
+  out.CLASS ??= cls;
+  out.INSTALL_CMD ??= DEFAULT_INSTALL_CMD;
+  return out;
+}
 function planSeedAction(seed, exists) {
   if (seed.source === "fanout") {
     return { target: seed.target, action: "skip", ownership: "fanout", reason: "delivered by the fanout pipeline" };
@@ -8293,6 +8577,18 @@ function planSeedAction(seed, exists) {
   }
   return exists ? { target: seed.target, action: "update", ownership: "org", reason: "org-owned, refresh to current" } : { target: seed.target, action: "create", ownership: "org", reason: "org-owned, missing" };
 }
+function reconcileSeedAction(action, content, isManagedBlock) {
+  if (action.action === "skip") return action;
+  if (content == null) {
+    return { ...action, action: "skip", reason: "no resolvable content" };
+  }
+  if (isManagedBlock) return action;
+  const unfilled = missingPlaceholders(content);
+  if (unfilled.length) {
+    return { ...action, action: "skip", reason: `unfilled: ${unfilled.join(", ")} \u2014 pass --var` };
+  }
+  return action;
+}
 function renderSeedPlan(actions) {
   const lines = ["bootstrap apply \u2014 seed plan (dry-run; no mutations):"];
   for (const a of actions) {
@@ -8302,6 +8598,20 @@ function renderSeedPlan(actions) {
   lines.push(`  \u2014 ${order.map((k) => `${actions.filter((a) => a.action === k).length} ${k}`).join(", ")}`);
   return lines.join("\n");
 }
+var GITHUB_DEFAULT_LABELS = [
+  "documentation",
+  "duplicate",
+  "enhancement",
+  "good first issue",
+  "help wanted",
+  "invalid",
+  "question",
+  "wontfix"
+];
+function labelsToPrune(orgLabelNames) {
+  const org = new Set(orgLabelNames);
+  return GITHUB_DEFAULT_LABELS.filter((name) => !org.has(name));
+}
 function resolveSeedContent(seed, vars, readFile2) {
   if (seed.source === "self") return readFile2(seed.target);
   if (seed.source.startsWith("seed:")) {
@@ -8314,10 +8624,13 @@ function buildRegisterPayload(repo, cls, vars, options = {}) {
   const parsedRepo = parseOwnerRepo(repo);
   const slug = parsedRepo.slug;
   if (options.projectType && !isProjectType(options.projectType)) {
-    throw new Error("projectType must be web-app, hub-service, content, desktop-game, or non-deployable");
+    throw new Error(`projectType must be one of: ${PROJECT_TYPES.join(", ")}`);
   }
   if (options.deployModel && !isDeployModel(options.deployModel)) {
-    throw new Error("deployModel must be hub-serverless, serverless, tenant-container, content, or none");
+    throw new Error(`deployModel must be one of: ${DEPLOY_MODELS.join(", ")}`);
+  }
+  if (options.releaseTrack && !isReleaseTrack(options.releaseTrack)) {
+    throw new Error("releaseTrack must be full, direct, or trunk");
   }
   const shape = {
     class: cls,
@@ -8327,7 +8640,7 @@ function buildRegisterPayload(repo, cls, vars, options = {}) {
   const projectType = resolveProjectTypeConfident(shape, parsedRepo.fullName);
   if (!projectType) {
     throw new Error(
-      `Project type for ${parsedRepo.fullName} is unset and not derivable \u2014 pass --project-type <web-app|hub-service|content|desktop-game|non-deployable> and --deploy-model <tenant-container|hub-serverless|serverless|content|none> (prevents defaulting a non-web repo to tenant-container).`
+      `Project type for ${parsedRepo.fullName} is unset and not derivable \u2014 pass --project-type <${PROJECT_TYPES.join("|")}> and --deploy-model <${DEPLOY_MODELS.join("|")}> (prevents defaulting a non-web repo to tenant-container).`
     );
   }
   const deployModel = resolveDeployModel({ ...shape, projectType }, parsedRepo.fullName);
@@ -8359,6 +8672,8 @@ function buildRegisterPayload(repo, cls, vars, options = {}) {
     class: cls,
     projectType,
     deployModel,
+    // #917: only emit when explicitly direct/trunk; absent → registry resolves to `full` (no clobber).
+    releaseTrack: isReleaseTrack(options.releaseTrack) ? options.releaseTrack : void 0,
     // Board coords (from GraphQL at bootstrap, passed as --var by the skill).
     projectOwner: vars.PROJECT_OWNER || void 0,
     projectNumber: num(vars.PROJECT_NUMBER),
@@ -8374,6 +8689,83 @@ function buildRegisterPayload(repo, cls, vars, options = {}) {
   for (const k of Object.keys(payload)) if (payload[k] === void 0) delete payload[k];
   return payload;
 }
+var BOARD_FIELD_VAR_MAP = {
+  Status: {
+    fieldIdVar: "STATUS_FIELD_ID",
+    options: { Todo: "STATUS_TODO", "In Progress": "STATUS_IN_PROGRESS", "In Review": "STATUS_IN_REVIEW", Done: "STATUS_DONE" }
+  },
+  Priority: {
+    fieldIdVar: "PRIORITY_FIELD_ID",
+    options: { Urgent: "PRIORITY_URGENT", High: "PRIORITY_HIGH", Medium: "PRIORITY_MEDIUM", Low: "PRIORITY_LOW" }
+  }
+};
+function extractBoardFieldVars(fieldsJson) {
+  const out = {};
+  const nodes = Array.isArray(fieldsJson) ? fieldsJson : fieldsJson?.data?.node?.fields?.nodes ?? fieldsJson?.node?.fields?.nodes;
+  if (!Array.isArray(nodes)) return out;
+  for (const node of nodes) {
+    const field = node;
+    const name = typeof field.name === "string" ? field.name : void 0;
+    const map = name ? BOARD_FIELD_VAR_MAP[name] : void 0;
+    if (!map || typeof field.id !== "string" || !field.id) continue;
+    out[map.fieldIdVar] = field.id;
+    const options = Array.isArray(field.options) ? field.options : [];
+    for (const opt of options) {
+      const o = opt;
+      const varName = typeof o.name === "string" ? map.options[o.name] : void 0;
+      if (varName && typeof o.id === "string" && o.id) out[varName] = o.id;
+    }
+  }
+  return out;
+}
+function boardFieldsQueryArgs(projectId) {
+  const query = "query($id: ID!) { node(id: $id) { ... on ProjectV2 { fields(first: 50) { nodes { ... on ProjectV2SingleSelectField { id name options { id name } } } } } } }";
+  return ["api", "graphql", "-f", `query=${query}`, "-f", `id=${projectId}`];
+}
+function serializeRegistry(obj) {
+  return `${JSON.stringify(obj, null, 2)}
+`;
+}
+function planFanoutRegistration(fanoutTargetsRaw, projectsRaw, entry) {
+  const fanout = JSON.parse(fanoutTargetsRaw);
+  const projects = JSON.parse(projectsRaw);
+  const fanoutRepos = Array.isArray(fanout.repos) ? fanout.repos : [];
+  const projectEntries = Array.isArray(projects.projects) ? projects.projects : [];
+  const name = entry.name ?? entry.repo;
+  const canonName = entry.repo.toLowerCase();
+  const inFanout = fanoutRepos.some((r) => typeof r.repo === "string" && r.repo.toLowerCase() === canonName);
+  const inProjects = projectEntries.some(
+    (p) => p.slug === entry.slug || Array.isArray(p.repos) && p.repos.some((full) => String(full).split("/").pop()?.toLowerCase() === canonName)
+  );
+  if (inFanout || inProjects) {
+    return { changed: false, fanoutTargets: fanoutTargetsRaw, projects: projectsRaw };
+  }
+  const projectEntry = {
+    name,
+    slug: entry.slug,
+    projectId: entry.projectId,
+    wikiRepo: entry.wikiRepo,
+    repos: [`mutmutco/${entry.repo}`]
+  };
+  if (entry.cls === "content") projectEntry.branch = "main";
+  for (const k of Object.keys(projectEntry)) if (projectEntry[k] === void 0) delete projectEntry[k];
+  const nextProjects = { ...projects, projects: [...projectEntries, projectEntry] };
+  const fanoutEntry = { repo: entry.repo, branch: entry.branch, class: entry.cls };
+  const nextFanout = { ...fanout, repos: [...fanoutRepos, fanoutEntry] };
+  return {
+    changed: true,
+    fanoutTargets: serializeRegistry(nextFanout),
+    projects: serializeRegistry(nextProjects)
+  };
+}
+function decideFanoutPrAction(openPrs) {
+  const list = Array.isArray(openPrs) ? openPrs : [];
+  for (const pr2 of list) {
+    const url = pr2?.url;
+    if (typeof url === "string" && url.trim()) return { action: "reuse", url: url.trim() };
+  }
+  return { action: "create" };
+}
 function contentPutArgs(repo, path2, content, branch, sha) {
   const args = [
     "api",
@@ -8537,6 +8929,33 @@ async function tenantControl(payload, deps) {
   const timeoutMs = payload.wait ? WAITED_TENANT_CONTROL_TIMEOUT_MS : void 0;
   return postJson("/tenant-control", payload, deps, "POST", { noRetry, timeoutMs });
 }
+async function tenantDeploy(payload, deps) {
+  return postJson("/tenant-deploy", payload, deps, "POST", { noRetry: true });
+}
+
+// src/tenant-verify-secrets.ts
+function tenantControlWait(action) {
+  return action === "status" || action === "retire" || action === "verify-secrets";
+}
+function renderVerifySecrets(body) {
+  const secrets2 = body?.secrets ?? [];
+  const counts = {
+    match: secrets2.filter((s) => s.status === "match").length,
+    mismatch: secrets2.filter((s) => s.status === "mismatch").length,
+    missing: secrets2.filter((s) => s.status === "missing").length
+  };
+  const lines = secrets2.map((s) => `${s.key}: ${s.status}`);
+  lines.push(`verify-secrets: ${counts.match} match, ${counts.mismatch} mismatch, ${counts.missing} missing`);
+  const ssmStatus = body?.ssmStatus ?? "pending";
+  if (ssmStatus !== "Success") {
+    return { lines, failure: `verify-secrets did not complete (ssm status ${ssmStatus})${body?.commandId ? ` \u2014 command ${body.commandId}` : ""}` };
+  }
+  const bad = counts.mismatch + counts.missing;
+  if (bad > 0) {
+    return { lines, failure: `${bad} of ${secrets2.length} required secret(s) not matching the vault (${counts.mismatch} mismatch, ${counts.missing} missing)` };
+  }
+  return { lines, failure: null };
+}
 
 // src/project-readiness.ts
 function dnsErrorToResolution(code) {
@@ -8563,11 +8982,17 @@ function declaresNoPublicEdge(meta) {
   const ed = meta?.edgeDomains;
   return Boolean(ed && typeof ed === "object" && !Array.isArray(ed) && Object.keys(ed).length === 0);
 }
+function declaresWorker(meta) {
+  return meta?.projectType === "worker";
+}
+function isCentralContainerModel2(model) {
+  return model === "tenant-container" || model === "solo-container";
+}
 function isNoEdgeTenantWorker(meta, model) {
-  return model === "tenant-container" && declaresNoPublicEdge(meta);
+  return isCentralContainerModel2(model) && (declaresNoPublicEdge(meta) || declaresWorker(meta));
 }
 function projectRequiresDeployCoords(model, stage2, meta) {
-  if (model !== "tenant-container") return false;
+  if (!isCentralContainerModel2(model)) return false;
   if (stage2 && isNoEdgeTenantWorker(meta, model)) return stage2 === "main";
   return true;
 }
@@ -8600,7 +9025,7 @@ function attestedLine(att) {
 var CONTRACT_UNDECLARED_LINE = "No runtime secrets declared \u2014 declare requiredRuntimeSecrets (a per-stage name map) in the registry META, or attest the app needs none with an explicit empty stage map ({ dev: [], rc: [], main: [] }).";
 function appGapsFor(meta, model, slug, projectType) {
   const attested = appAttestationOf(meta);
-  const isTenantWeb = !(projectType === "content" || model === "content") && projectType !== "desktop-game" && !(projectType === "non-deployable" || model === "none") && model !== "hub-serverless" && model !== "serverless";
+  const isTenantWeb = !(projectType === "content" || model === "content") && projectType !== "desktop-game" && projectType !== "cli-tool" && !(projectType === "non-deployable" || model === "none") && model !== "hub-serverless" && model !== "serverless" && model !== "registry-publish";
   const contractUndeclared = isTenantWeb && Boolean(meta) && !hasRuntimeSecretContract(meta?.requiredRuntimeSecrets);
   if (attested) return contractUndeclared ? [attestedLine(attested), CONTRACT_UNDECLARED_LINE] : [attestedLine(attested)];
   if (projectType === "content" || model === "content") return ["Content/KB repo: keep app-owned work to docs/content changes; release train does not apply."];
@@ -8629,13 +9054,20 @@ function appGapsFor(meta, model, slug, projectType) {
       "Keep app-owned README.md and architecture.md aligned with v2 central deploy/secrets reality."
     ];
   }
+  if (projectType === "cli-tool" || model === "registry-publish") {
+    return [
+      "Distributable CLI/plugin: ship a publishable package.json (name, version, bin/exports) \u2014 release publishes to npm (plugin-marketplace publish is future work when a plugin tenant lands), not a box deploy; no Hub deploy coords, edge, or OAuth.",
+      "Keep the published version in lockstep with the release tag; make the publish idempotent (skip when the version is already on the registry).",
+      "Keep app-owned README.md and architecture.md aligned with the registry-publish release path."
+    ];
+  }
   const gaps = [
     "Ensure the compose file carries env_file: .env and the app reads plain environment variables \u2014 the box injects coords + declared runtime secrets into the release .env; the app never self-loads SSM.",
     "Make app config fail clearly for missing required env in prod/rc instead of relying on hidden defaults.",
     "Keep app-owned README.md and architecture.md aligned with v2 central deploy/secrets reality."
   ];
   if (isNoEdgeTenantWorker(meta, model)) {
-    gaps.unshift("No public edge declared (`edgeDomains: {}`): worker/outbound-only tenant; skip Cloudflare edge auto-heal, OAuth defaults, and dev/rc remote deploy coords unless META explicitly adds them.");
+    gaps.unshift("No public edge (worker/outbound-only tenant \u2014 `projectType: worker` or `edgeDomains: {}`): skip Cloudflare edge auto-heal, OAuth defaults, and dev/rc remote deploy coords unless META explicitly adds them.");
   }
   if (contractUndeclared) {
     gaps.unshift(CONTRACT_UNDECLARED_LINE);
@@ -8701,7 +9133,7 @@ function buildV2HealPatch(repoOrSlug, meta) {
   }
   if (!meta?.vaultPath) patch.vaultPath = `/mmi-future/${slug}`;
   if (!meta?.kbPointer) patch.kbPointer = `kb/projects/${slug}.md`;
-  if (confidentType && !meta?.edgeDomains && model === "tenant-container") {
+  if (confidentType && !meta?.edgeDomains && model === "tenant-container" && projectType !== "worker") {
     patch.edgeDomains = {
       dev: `dev.${sub}.mutatismutandis.co`,
       rc: `rc.${sub}.mutatismutandis.co`,
@@ -8724,7 +9156,7 @@ function buildV2HealPatch(repoOrSlug, meta) {
       patch.requiredRuntimeSecrets = next;
     }
   }
-  const appOwnedGaps = confidentType ? appGapsFor(meta, model, slug, confidentType) : [`Project type is unset and not derivable \u2014 classify with \`mmi-cli project set ${repo} --project-type <web-app|hub-service|content|desktop-game|non-deployable> --deploy-model <tenant-container|hub-serverless|serverless|content|none>\` before heal completes the v2 fields (prevents defaulting a non-web repo to tenant-container).`];
+  const appOwnedGaps = confidentType ? appGapsFor(meta, model, slug, confidentType) : [`Project type is unset and not derivable \u2014 classify with \`mmi-cli project set ${repo} --project-type <web-app|hub-service|content|desktop-game|non-deployable|cli-tool|worker> --deploy-model <tenant-container|solo-container|hub-serverless|serverless|registry-publish|content|none>\` before heal completes the v2 fields (prevents defaulting a non-web repo to tenant-container).`];
   return { slug, patch, appOwnedGaps };
 }
 async function runV2Heal(repoOrSlug, opts, deps) {
@@ -8923,6 +9355,158 @@ function parseEdgeDomainsVar(raw) {
   }
   return out;
 }
+var PRIORITY_OPTION_NAMES = ["Urgent", "High", "Medium", "Low"];
+function parsePriorityOptionsVar(raw) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new Error('project set: priorityOptions must be JSON, e.g. {"Urgent":"<id>","High":"<id>","Medium":"<id>","Low":"<id>"}');
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error("project set: priorityOptions must be a {Urgent,High,Medium,Low} map of option-id strings");
+  }
+  const map = parsed;
+  const out = {};
+  for (const [name, id] of Object.entries(map)) {
+    if (!PRIORITY_OPTION_NAMES.includes(name)) {
+      throw new Error(`project set: priorityOptions "${name}" \u2014 expected only ${PRIORITY_OPTION_NAMES.join("/")}`);
+    }
+    if (typeof id !== "string" || !id.trim()) {
+      throw new Error(`project set: priorityOptions.${name} must be a non-empty option-id string`);
+    }
+    out[name] = id.trim();
+  }
+  return out;
+}
+function parsePortRangeVar(raw) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new Error('project set: portRange must be JSON, e.g. {"start":3700,"end":3710} or [3700,3710]');
+  }
+  let start;
+  let end;
+  if (Array.isArray(parsed) && parsed.length === 2) {
+    [start, end] = parsed;
+  } else if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+    ({ start, end } = parsed);
+  } else {
+    throw new Error("project set: portRange must be {start,end} or a [start,end] tuple");
+  }
+  if (typeof start !== "number" || typeof end !== "number" || !Number.isFinite(start) || !Number.isFinite(end)) {
+    throw new Error("project set: portRange start/end must be finite numbers");
+  }
+  if (start > end) throw new Error("project set: portRange start must be <= end");
+  return { start, end };
+}
+function parseStatusOptionsVar(raw) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new Error('project set: statusOptions must be JSON, e.g. {"Todo":"<id>","In Progress":"<id>","In Review":"<id>","Done":"<id>"}');
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error("project set: statusOptions must be a map of status name to option-id string");
+  }
+  const map = parsed;
+  const out = {};
+  for (const [name, id] of Object.entries(map)) {
+    if (typeof id !== "string" || !id.trim()) {
+      throw new Error(`project set: statusOptions.${name} must be a non-empty option-id string`);
+    }
+    out[name] = id.trim();
+  }
+  return out;
+}
+function parseOauthVar(raw) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new Error('project set: oauth must be JSON, e.g. {"subdomains":["app"],"domains":["example.co"],"callbackPath":"/auth/callback"}');
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error("project set: oauth must be a {subdomains,domains,callbackPath} object");
+  }
+  const map = parsed;
+  const out = {};
+  for (const [key, value] of Object.entries(map)) {
+    if (key === "subdomains" || key === "domains") {
+      if (!Array.isArray(value) || value.some((v) => typeof v !== "string" || !v.trim())) {
+        throw new Error(`project set: oauth.${key} must be an array of non-empty strings`);
+      }
+      out[key] = value.map((v) => v.trim());
+    } else if (key === "callbackPath") {
+      if (typeof value !== "string" || !value.trim()) throw new Error("project set: oauth.callbackPath must be a non-empty string");
+      out.callbackPath = value.trim();
+    } else {
+      throw new Error(`project set: oauth key "${key}" \u2014 expected only subdomains/domains/callbackPath`);
+    }
+  }
+  return out;
+}
+function parseReposVar(raw) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new Error('project set: repos must be a JSON array, e.g. ["mutmutco/mm-foo"]');
+  }
+  if (!Array.isArray(parsed) || parsed.length === 0 || parsed.some((r) => typeof r !== "string" || !r.trim())) {
+    throw new Error("project set: repos must be a non-empty array of owner/name strings");
+  }
+  return parsed.map((r) => r.trim());
+}
+function parsePublishRequiredVar(raw) {
+  if (raw === "true") return true;
+  if (raw === "false") return false;
+  throw new Error("project set: publishRequired must be true or false");
+}
+var SETTABLE_VAR_KEYS = [
+  "name",
+  "division",
+  "projectId",
+  "projectOwner",
+  "projectNumber",
+  "branch",
+  "wikiRepo",
+  "vaultPath",
+  "kbPointer",
+  "repos",
+  "oauth",
+  "publishRequired",
+  "requiredGcpApis",
+  "requiredRuntimeSecrets",
+  "edgeDomains",
+  "statusFieldId",
+  "statusOptions",
+  "priorityFieldId",
+  "priorityOptions",
+  "portRange"
+];
+var SETTABLE_VAR_KEY_SET = new Set(SETTABLE_VAR_KEYS);
+var SETTABLE_VAR_HINTS = {
+  projectNumber: "numeric",
+  publishRequired: "true|false",
+  repos: 'JSON array, e.g. ["mutmutco/mm-foo"]',
+  oauth: "JSON {subdomains,domains,callbackPath}",
+  requiredGcpApis: "comma-string",
+  requiredRuntimeSecrets: 'JSON stage map, e.g. {"dev":["KEY"],"rc":["KEY"],"main":["KEY"]}',
+  edgeDomains: "JSON {dev,rc,main} domain map",
+  statusOptions: "JSON name\u2192id map",
+  priorityOptions: "JSON {Urgent,High,Medium,Low}\u2192id map",
+  portRange: "JSON {start,end} or [start,end]"
+};
+function settableVarHelp() {
+  const keys = SETTABLE_VAR_KEYS.map((k) => {
+    const hint = SETTABLE_VAR_HINTS[k];
+    return hint ? `${k} (${hint})` : k;
+  });
+  return `META field to set (repeatable): ${keys.join(", ")}`;
+}
 function buildProjectSetPatch(input) {
   const patch = {};
   if (input.class) {
@@ -8943,22 +9527,42 @@ function buildProjectSetPatch(input) {
     }
     patch.deployModel = input.deployModel;
   }
+  if (input.releaseTrack) {
+    if (!isReleaseTrack(input.releaseTrack)) {
+      throw new Error(`project set: --release-track must be one of: ${RELEASE_TRACKS.join(", ")}`);
+    }
+    patch.releaseTrack = input.releaseTrack;
+  }
   for (const value of input.vars) {
     const eq = value.indexOf("=");
-    if (eq > 0) {
-      const key = value.slice(0, eq);
-      const raw = value.slice(eq + 1);
-      if (key === "projectNumber") {
-        const n = Number(raw);
-        if (!Number.isFinite(n)) throw new Error("project set: projectNumber must be numeric");
-        patch[key] = n;
-      } else if (key === "requiredRuntimeSecrets") {
-        patch[key] = parseRuntimeSecretsVar(raw);
-      } else if (key === "edgeDomains") {
-        patch[key] = parseEdgeDomainsVar(raw);
-      } else {
-        patch[key] = raw;
-      }
+    if (eq <= 0) continue;
+    const key = value.slice(0, eq);
+    const raw = value.slice(eq + 1);
+    if (!SETTABLE_VAR_KEY_SET.has(key)) {
+      throw new Error(`project set: --var KEY "${key}" is not settable \u2014 allowed keys: ${SETTABLE_VAR_KEYS.join(", ")}`);
+    }
+    if (key === "projectNumber") {
+      const n = Number(raw);
+      if (!Number.isFinite(n)) throw new Error("project set: projectNumber must be numeric");
+      patch[key] = n;
+    } else if (key === "requiredRuntimeSecrets") {
+      patch[key] = parseRuntimeSecretsVar(raw);
+    } else if (key === "edgeDomains") {
+      patch[key] = parseEdgeDomainsVar(raw);
+    } else if (key === "priorityOptions") {
+      patch[key] = parsePriorityOptionsVar(raw);
+    } else if (key === "statusOptions") {
+      patch[key] = parseStatusOptionsVar(raw);
+    } else if (key === "portRange") {
+      patch[key] = parsePortRangeVar(raw);
+    } else if (key === "oauth") {
+      patch[key] = parseOauthVar(raw);
+    } else if (key === "repos") {
+      patch[key] = parseReposVar(raw);
+    } else if (key === "publishRequired") {
+      patch[key] = parsePublishRequiredVar(raw);
+    } else {
+      patch[key] = raw;
     }
   }
   for (const key of input.unsets) {
@@ -8972,7 +9576,7 @@ function buildProjectSetPatch(input) {
     patch.edgeDomains = null;
   }
   if (Object.keys(patch).length === 0) {
-    throw new Error("project set: nothing to set - pass --class, --project-type, --deploy-model, --var KEY=VALUE, --unset KEY, and/or --clear-web-profile");
+    throw new Error("project set: nothing to set - pass --class, --project-type, --deploy-model, --release-track, --var KEY=VALUE, --unset KEY, and/or --clear-web-profile");
   }
   return patch;
 }
@@ -9807,7 +10411,7 @@ function authorizeBodyHasMismatch(body) {
 }
 
 // src/index.ts
-var rawExecFileP3 = (0, import_node_util6.promisify)(import_node_child_process6.execFile);
+var rawExecFileP3 = (0, import_node_util6.promisify)(import_node_child_process7.execFile);
 var DEFAULT_EXEC_TIMEOUT_MS = 1e4;
 var execFileP4 = (file, args, options = {}) => (
   // encoding 'utf8' guarantees string stdout/stderr at runtime; the cast pins the type because
@@ -10236,7 +10840,7 @@ saga.command("head-update").option("--run", "detached worker: fetch state, run t
     if (!headGateDue(tsPath)) return;
     markHeadRun(tsPath);
     try {
-      (0, import_node_child_process6.spawn)(process.execPath, [process.argv[1], "saga", "head-update", "--run"], {
+      (0, import_node_child_process7.spawn)(process.execPath, [process.argv[1], "saga", "head-update", "--run"], {
         detached: true,
         stdio: "ignore",
         windowsHide: true
@@ -10456,7 +11060,7 @@ function scheduleRelatedDiscovery(o) {
   try {
     const args = ["issue", "discover-related", "--number", String(o.number), "--title", o.title, "--body", o.body];
     if (o.repo) args.push("--repo", o.repo);
-    (0, import_node_child_process6.spawn)(process.execPath, [process.argv[1], ...args], {
+    (0, import_node_child_process7.spawn)(process.execPath, [process.argv[1], ...args], {
       detached: true,
       stdio: "ignore",
       windowsHide: true,
@@ -10512,7 +11116,7 @@ function openInEditor(path2) {
     return;
   }
   try {
-    (0, import_node_child_process6.spawn)(editor, [path2], { stdio: "inherit" });
+    (0, import_node_child_process7.spawn)(editor, [path2], { stdio: "inherit" });
   } catch {
     console.log(`open ${path2} manually`);
   }
@@ -10671,15 +11275,22 @@ function reportWrite(label, res) {
   fail(`${label}: HTTP ${res.status}${detail ? ` \u2014 ${detail}` : ""}`);
 }
 var tenant = program2.command("tenant").description("tenant runtime control through Hub authority");
-tenant.command("control <owner/repo> <stage> <action>").description("run bounded service control (status/start/stop/restart, plus rc-only retire) for a tenant; project-admin dev/rc, master main").option("--json", "machine-readable output").action(async (repo, stage2, action) => {
+tenant.command("control <owner/repo> <stage> <action>").description("run bounded service control (status/start/stop/restart, plus rc-only retire and read-only verify-secrets) for a tenant; project-admin dev/rc, master main").option("--json", "machine-readable output").action(async (repo, stage2, action, o) => {
   const cfg = await loadConfig();
-  const wait = action === "status" || action === "retire";
+  const wait = tenantControlWait(action);
   const res = await tenantControl({ repo, stage: stage2, action, wait }, registryClientDeps(cfg));
   const body = res.body;
   if (!res.ok && body?.category) {
     console.log(JSON.stringify(body));
     return fail(`tenant control ${stage2} ${action}: ${body.category}`);
   }
+  if (res.ok && action === "verify-secrets") {
+    const { lines, failure } = renderVerifySecrets(res.body);
+    if (o.json) console.log(JSON.stringify(res.body));
+    else lines.forEach((l) => console.log(l));
+    if (failure) return fail(`tenant control ${stage2} verify-secrets: ${failure}`);
+    return;
+  }
   reportWrite("tenant control", res);
 });
 tenant.command("redeploy <owner/repo> <stage>").description("re-dispatch the central tenant-deploy.yml for an already-promoted ref (no re-tag/merge); train-authority gated").option("--ref <ref>", "ref to deploy (defaults to the stage branch rc/main \u2014 the promoted ref)").option("--watch", "block on the dispatched run and report its outcome (gh run watch --exit-status)").option("--json", "machine-readable output").action(async (repo, stage2, o) => {
@@ -10691,6 +11302,31 @@ tenant.command("redeploy <owner/repo> <stage>").description("re-dispatch the cen
     return fail(`tenant redeploy: ${e.message}`);
   }
 });
+tenant.command("sweep-rc").description("discover (and optionally retire) running rc tenant runtimes across tenant-containers \u2014 orphan cleanup after a failed post-release retire (#942)").option("--retire", "retire every running rc runtime found (requires --yes) \u2014 WARNING: tears down a legitimately-staged rc too").option("--yes", "confirm the destructive --retire").option("--json", "machine-readable output").action(async (o) => {
+  if (o.retire && !o.yes) {
+    return fail("tenant sweep-rc --retire is destructive (it tears down EVERY running rc, including one legitimately staged between /rcand and /release) \u2014 re-run with --yes to confirm");
+  }
+  const cfg = await loadConfig();
+  const cdeps = registryClientDeps(cfg);
+  try {
+    const result = await sweepRcOrphans({
+      listProjects: () => fetchProjectsList(cdeps),
+      status: async (repo) => {
+        const res = await tenantControl({ repo, stage: "rc", action: "status", wait: true }, cdeps);
+        const b = res.body;
+        return { serviceState: b?.serviceState ?? "unknown" };
+      },
+      retire: async (repo) => {
+        const res = await tenantControl({ repo, stage: "rc", action: "retire", wait: true }, cdeps);
+        const b = res.body;
+        return { ok: res.ok, category: b?.category, reason: b?.reason };
+      }
+    }, { retire: !!o.retire });
+    return printLine(o.json ? JSON.stringify(result) : renderSweep(result));
+  } catch (e) {
+    return fail(`tenant sweep-rc: ${e.message}`);
+  }
+});
 async function resolveDnsBounded(host, timeoutMs = 3e3) {
   const { lookup } = await import("node:dns/promises");
   const probe = lookup(host).then(() => true).catch((e) => dnsErrorToResolution(e?.code));
@@ -10859,7 +11495,7 @@ project.command("attest [owner/repo]").description("attest this repo's app-owned
   const res = await attestAppGaps(slugOf(target), repo, registryClientDeps(cfg));
   reportWrite("project attest", res);
 });
-project.command("set [owner/repo]").description("MASTER-ONLY: upsert a project META (idempotent merge; defaults to the current repo; no clobber of unspecified fields)").option("--class <class>", "deployable | content").option("--project-type <type>", `${PROJECT_TYPES.join(" | ")} (v2 capability shape)`).option("--deploy-model <model>", `${DEPLOY_MODELS.join(" | ")} (release/deploy path; none means no Hub deploy registration)`).option("--var <KEY=VALUE...>", 'META field to set (repeatable): name, division, projectId, branch, wikiRepo, vaultPath, kbPointer, requiredRuntimeSecrets (JSON stage map, e.g. {"dev":["KEY"],"rc":["KEY"],"main":["KEY"]})').option("--unset <KEY...>", "META field to remove (repeatable): oauth, requiredRuntimeSecrets, edgeDomains, requiredGcpApis, publishRequired").option("--clear-web-profile", "remove web-only registry fields (oauth, edgeDomains) for non-web/content projects").option("--json", "machine-readable output").action(async (repoOrSlug, o) => {
+project.command("set [owner/repo]").description("MASTER-ONLY: upsert a project META (idempotent merge; defaults to the current repo; no clobber of unspecified fields)").option("--class <class>", "deployable | content").option("--project-type <type>", `${PROJECT_TYPES.join(" | ")} (v2 capability shape)`).option("--deploy-model <model>", `${DEPLOY_MODELS.join(" | ")} (release/deploy path; none means no Hub deploy registration)`).option("--release-track <track>", `${RELEASE_TRACKS.join(" | ")} (branch topology; direct skips rc)`).option("--var <KEY=VALUE...>", settableVarHelp()).option("--unset <KEY...>", "META field to remove (repeatable): oauth, requiredRuntimeSecrets, edgeDomains, requiredGcpApis, publishRequired").option("--clear-web-profile", "remove web-only registry fields (oauth, edgeDomains) for non-web/content projects").option("--json", "machine-readable output").action(async (repoOrSlug, o) => {
   const cfg = await loadConfig();
   let target;
   try {
@@ -10874,6 +11510,7 @@ project.command("set [owner/repo]").description("MASTER-ONLY: upsert a project M
       class: o.class,
       projectType: o.projectType,
       deployModel: o.deployModel,
+      releaseTrack: o.releaseTrack,
       vars: rawValues("--var"),
       unsets: rawValues("--unset"),
       clearWebProfile: Boolean(o.clearWebProfile)
@@ -11151,7 +11788,7 @@ function teardownWorktreeStage(worktreePath) {
     }
   });
 }
-pr.command("merge <number>").description("merge a PR (squash by default) and clean up its branch + worktree \u2014 no leftover local branch").option("--squash", "squash merge (default)").option("--merge", "create a merge commit").option("--rebase", "rebase merge").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action(async (number, o) => {
+pr.command("merge <number>").description("merge a PR (squash by default) and clean up its branch + worktree \u2014 no leftover local branch").option("--squash", "squash merge (default)").option("--merge", "create a merge commit").option("--rebase", "rebase merge").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--auto", "enable auto-merge \u2014 merge once the base-branch policy is satisfied (use for policy-gated repos)").action(async (number, o) => {
   const method = o.rebase ? "--rebase" : o.merge ? "--merge" : "--squash";
   const repoArgs = o.repo ? ["--repo", o.repo] : [];
   const headRef = (await execFileP4("gh", ["pr", "view", number, ...repoArgs, "--json", "headRefName", "--jq", ".headRefName"], { timeout: GC_GH_TIMEOUT_MS })).stdout.trim();
@@ -11162,7 +11799,7 @@ pr.command("merge <number>").description("merge a PR (squash by default) and cle
   const remoteBefore = repoArgs.length ? void 0 : await remoteBranchExists(headRef);
   let remoteDeleteAttempted = false;
   let remoteNotAttemptedReason = repoArgs.length ? "repo-option" : void 0;
-  await execFileP4("gh", ["pr", "merge", number, ...repoArgs, method, "--delete-branch"], { timeout: GH_MUTATION_TIMEOUT_MS }).catch((e) => {
+  await execFileP4("gh", buildPrMergeArgs({ number, repoArgs, method, auto: o.auto }), { timeout: GH_MUTATION_TIMEOUT_MS }).catch((e) => {
     const message = String(e.message || "");
     if (/already been merged/i.test(message)) {
       remoteNotAttemptedReason = "pr-already-merged";
@@ -11170,8 +11807,18 @@ pr.command("merge <number>").description("merge a PR (squash by default) and cle
     }
     const note = timeoutKillNote(e, GH_MUTATION_TIMEOUT_MS);
     if (note) throw new Error(`gh pr merge ${number}: ${note}`);
+    if (!o.auto && basePolicyBlocksImmediateMerge(message)) {
+      throw new Error(`gh pr merge ${number}: the base-branch policy blocks an immediate merge \u2014 re-run with --auto to merge once required checks pass.`);
+    }
     if (!/used by worktree|cannot delete branch/i.test(message)) throw e;
   });
+  if (o.auto) {
+    const state = (await execFileP4("gh", ["pr", "view", number, ...repoArgs, "--json", "state", "--jq", ".state"], { timeout: GC_GH_TIMEOUT_MS }).catch(() => ({ stdout: "" }))).stdout.trim();
+    if (state !== "MERGED") {
+      console.log(JSON.stringify({ mergeStatus: "auto-merge-enqueued", pr: number, branch: headRef, state: state || "unknown" }));
+      return;
+    }
+  }
   if (!remoteNotAttemptedReason) remoteDeleteAttempted = true;
   const remoteBranch = repoArgs.length ? buildRemoteBranchCleanupReport(headRef, {
     attempted: false,
@@ -11191,7 +11838,11 @@ pr.command("merge <number>").description("merge a PR (squash by default) and cle
     beforeWorktrees,
     startingPath,
     execGit: async (args) => (await execFileP4("git", args, { timeout: GIT_TIMEOUT_MS })).stdout,
-    teardownWorktreeStage
+    teardownWorktreeStage,
+    // Hardened fallback when retried `git worktree remove` still hits a Windows file lock (#967).
+    // `fs.rm` recursive removes a junction as a link (it does not traverse into the target) and its
+    // own maxRetries/retryDelay rides out a handle that an indexer/antivirus releases a moment later.
+    removeWorktreeDir: async (worktreePath) => (0, import_promises2.rm)(worktreePath, { recursive: true, force: true, maxRetries: 5, retryDelay: 200 })
   });
   console.log(JSON.stringify(buildPrMergeResultPayload({
     number,
@@ -11370,6 +12021,19 @@ function reportedStageUrl(res, result) {
   return result.port != null ? stageUrlForPort(result.port) : res.derived.url;
 }
 program2.command("port-range <repo>").description("assign (idempotently) + print the repo's local stage port block via the atomic ORG#config.portCursor allocator (committed-file fallback)").option("--json", "machine-readable output").action(async (repo, o) => {
+  const cfg = await loadConfig();
+  const reg = registryClientDeps(cfg);
+  const slug = slugOf(repo);
+  const read = await fetchProjectBySlugChecked(slug, reg);
+  const decision = decidePortRange({ metaReadOk: read.ok, metaPortRange: read.ok ? metaPortRange(read.project) : null });
+  if (decision.action === "fail") {
+    return fail(`port-range: ${decision.reason}${read.ok ? "" : ` (${read.error})`}`);
+  }
+  if (decision.action === "return") {
+    const [start2, end2] = decision.range;
+    printLine(o.json ? JSON.stringify({ repo, portRange: [start2, end2], source: "meta" }) : `${repo}: stage.portRange [${start2}, ${end2}]`);
+    return;
+  }
   const path2 = (0, import_node_path8.join)(process.cwd(), "infra", "port-ranges.json");
   const allocate = async (seed) => {
     const { stdout } = await execFileP4("node", [(0, import_node_path8.join)(process.cwd(), "infra", "port-ddb.mjs"), String(seed)], { timeout: 15e3 });
@@ -11377,8 +12041,16 @@ program2.command("port-range <repo>").description("assign (idempotently) + print
     if (!Array.isArray(parsed.range) || parsed.range.length !== 2) throw new Error("port-ddb: no range in output");
     return parsed.range;
   };
-  const { range: [start, end] } = await ensurePortRangeAtomic(repo, path2, allocate);
-  printLine(o.json ? JSON.stringify({ repo, portRange: [start, end] }) : `${repo}: stage.portRange [${start}, ${end}]`);
+  const { range: [start, end], source } = await ensurePortRangeAtomic(repo, path2, allocate);
+  const write = await upsertProject(slug, { portRange: { start, end } }, reg);
+  if (!write.ok && source === "ddb") {
+    return fail(`port-range: block [${start}, ${end}] was allocated (cursor advanced) but NOT recorded in the registry META (${write.error ?? `HTTP ${write.status}`}) \u2014 fix auth/connectivity and retry so the block is persisted; do not re-run blind`);
+  }
+  if (o.json) {
+    printLine(JSON.stringify({ repo, portRange: [start, end], source: "allocated", persisted: write.ok, ...write.ok ? {} : { persistError: write.error ?? `HTTP ${write.status}` } }));
+  } else {
+    printLine(`${repo}: stage.portRange [${start}, ${end}]${write.ok ? "" : ` (META not persisted: ${write.error ?? `HTTP ${write.status}`})`}`);
+  }
 });
 var stage = program2.command("stage").description("plan or run the repo local stage environment").option("--json", "machine-readable output").option("--apply", "run the full local stage: stop previous, build, start, health-check").option("--timeout-ms <ms>", "bounded build/health timeout", "60000").action(async (o) => {
   const res = await resolveStage();
@@ -11502,6 +12174,19 @@ function trainApplyDeps() {
       const verdict = await fetchTrainAuthority(repo, registryClientDeps(await loadConfig()));
       return verdict.ok ? { ok: true, role: verdict.authority.role, train: verdict.authority.train } : verdict;
     },
+    // Hub-App-authority dispatch of the central tenant deploy (#953) — the Hub fires the
+    // workflow_dispatch with its App token, so the caller needs no MMI-Hub Actions write.
+    dispatchTenantDeploy: async ({ repo, stage: stage2, ref }) => {
+      const res = await tenantDeploy({ repo, stage: stage2, ref }, registryClientDeps(await loadConfig()));
+      if (!res.ok) {
+        const detail = res.body?.error ?? res.error ?? `HTTP ${res.status}`;
+        throw new Error(`tenant deploy dispatch failed: ${detail}`);
+      }
+    },
+    // Hotfix-coverage guard (#958): runs against the local clone via real git. manifestPaths is empty —
+    // product repos carry no main-only distribution bump (that exemption is Hub-distribution-specific, and
+    // the Hub is direct-track, so it never reaches this guard).
+    hotfixCoverage: (input) => checkHotfixCoverage({ ...input, manifestPaths: [] }),
     // Slack release announcement (#883): Hub-only + best-effort inside announceRelease itself.
     announce: (args) => announceRelease({
       run: async (file, cmdArgs) => (await execFileP4(file, cmdArgs, { timeout: GH_TRAIN_TIMEOUT_MS })).stdout,
@@ -11576,15 +12261,19 @@ trainCmd.command("prep").description("prepare and stage the Hub distribution bum
   }
 });
 for (const commandName of ["rcand", "release"]) {
-  program2.command(commandName).description(`plan ${commandName} train operations; mutations require explicit master-admin approval`).option("--json", "machine-readable output").option("--watch", "block on the deploy/publish workflow runs and report their outcomes").option("--apply", "execute the guarded master-only train after explicit approval").option("--announce-summary-file <path>", "release only: agent-curated summary lines for the Hub Slack announcement (#883)").action(async (o) => {
+  program2.command(commandName).description(`plan ${commandName} train operations; mutations require explicit master-admin approval`).option("--json", "machine-readable output").option("--watch", "block on the deploy/publish workflow runs and report their outcomes").option("--apply", "execute the guarded master-only train after explicit approval").option("--announce-summary-file <path>", "release only: agent-curated summary lines for the Hub Slack announcement (#883)").option("--ack <shas>", "release only: comma-separated dev shas a human verified are in the candidate, overriding the hotfix-coverage guard for a conflicted port whose -x trailer was lost (#958)").action(async (o) => {
     try {
       await requireFreshTrainCli(commandName);
     } catch (e) {
       return fail(`${commandName}: ${e.message}`);
     }
+    if (o.ack && commandName !== "release") {
+      return fail("--ack applies only to release: it overrides the rc -> main hotfix-coverage guard, which rcand does not run");
+    }
     if (o.apply) {
       try {
-        const result = await runTrainApply(commandName, trainApplyDeps(), { watch: o.watch, announceSummaryFile: o.announceSummaryFile });
+        const ack = (o.ack ?? "").split(",").map((s) => s.trim()).filter(Boolean);
+        const result = await runTrainApply(commandName, trainApplyDeps(), { watch: o.watch, announceSummaryFile: o.announceSummaryFile, ack });
         return printLine(o.json ? JSON.stringify(result, null, 2) : renderTrainApply(commandName, result));
       } catch (e) {
         return fail(`${commandName}: ${e.message}`);
@@ -11683,15 +12372,16 @@ bootstrap.command("verify <repo>").description("audit whether an existing repo i
         return null;
       }
     }
-  });
+  }, resolveReleaseTrack(meta));
   console.log(o.json ? JSON.stringify(report, null, 2) : renderBootstrapVerifyReport(report));
   if (!report.ok) process.exitCode = 1;
 });
-bootstrap.command("apply <repo>").description("idempotent seed apply from skills/bootstrap/seeds/manifest.json; dry-run unless --execute (live, master-gated)").option("--class <class>", "deployable | content", "deployable").option("--project-type <type>", `${PROJECT_TYPES.join(" | ")} (v2 capability shape)`).option("--deploy-model <model>", `${DEPLOY_MODELS.join(" | ")} (release/deploy path)`).option("--execute", "LIVE apply via gh (master-gated) \u2014 stamps seed files + labels into the repo").option("--var <KEY=VALUE...>", "placeholder values for repo-owned templates (repeatable)").option("--json", "machine-readable output").action(async (repo) => {
+bootstrap.command("apply <repo>").description("idempotent seed apply from skills/bootstrap/seeds/manifest.json; dry-run unless --execute (live, master-gated)").option("--class <class>", "deployable | content", "deployable").option("--project-type <type>", `${PROJECT_TYPES.join(" | ")} (v2 capability shape)`).option("--deploy-model <model>", `${DEPLOY_MODELS.join(" | ")} (release/deploy path)`).option("--release-track <track>", `${RELEASE_TRACKS.join(" | ")} (branch topology; direct skips rc)`).option("--execute", "LIVE apply via gh (master-gated) \u2014 stamps seed files + labels into the repo").option("--var <KEY=VALUE...>", "placeholder values for repo-owned templates (repeatable)").option("--json", "machine-readable output").action(async (repo) => {
   const o = {
     class: rawValue("--class", "deployable"),
     projectType: rawValue("--project-type", ""),
     deployModel: rawValue("--deploy-model", ""),
+    releaseTrack: rawValue("--release-track", ""),
     execute: rawFlag("--execute"),
     json: rawFlag("--json")
   };
@@ -11710,10 +12400,19 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
   const gh = async (args) => execFileP4("gh", args, { timeout: 2e4 });
   const readFile2 = (p) => (0, import_node_fs7.existsSync)(p) ? (0, import_node_fs7.readFileSync)(p, "utf8") : null;
   const enc = (p) => p.split("/").map(encodeURIComponent).join("/");
-  const vars = {};
+  const rawVars = {};
   for (const value of rawValues("--var")) {
     const eq = value.indexOf("=");
-    if (eq > 0) vars[value.slice(0, eq)] = value.slice(eq + 1);
+    if (eq > 0) rawVars[value.slice(0, eq)] = value.slice(eq + 1);
+  }
+  const vars = withDerivedRepoVars(rawVars, parsedRepo, o.class);
+  if (vars.PROJECT_ID) {
+    try {
+      const r = await gh(boardFieldsQueryArgs(vars.PROJECT_ID));
+      const boardVars = extractBoardFieldVars(JSON.parse(r.stdout));
+      for (const [k, v] of Object.entries(boardVars)) if (vars[k] == null) vars[k] = v;
+    } catch {
+    }
   }
   const actions = [];
   const applied = [];
@@ -11739,22 +12438,12 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
         exists = false;
       }
     }
-    const action = planSeedAction(resolved, exists);
+    const planned = planSeedAction(resolved, exists);
+    const isBlock = resolved.source === "managed-block";
+    const content = planned.action === "create" || planned.action === "update" ? isBlock ? upsertManagedGitignoreBlock(remoteContent).content : resolveSeedContent(resolved, vars, readFile2) : null;
+    const action = reconcileSeedAction(planned, content, isBlock);
     actions.push(action);
     if (o.execute && (action.action === "create" || action.action === "update")) {
-      const isBlock = resolved.source === "managed-block";
-      const content = isBlock ? upsertManagedGitignoreBlock(remoteContent).content : resolveSeedContent(resolved, vars, readFile2);
-      if (content == null) {
-        applied.push(`skip ${resolved.target} (no resolvable content)`);
-        continue;
-      }
-      if (!isBlock) {
-        const missing = missingPlaceholders(content);
-        if (missing.length) {
-          applied.push(`skip ${resolved.target} (unfilled: ${missing.join(", ")} \u2014 pass --var)`);
-          continue;
-        }
-      }
       await gh(contentPutArgs(repo, resolved.target, content, baseBranch, action.action === "update" ? sha : void 0));
       applied.push(`${action.action} ${resolved.target}`);
     }
@@ -11768,13 +12457,23 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
         applied.push(`label ${l.name} (failed)`);
       }
     }
+    for (const name of labelsToPrune(manifest.labels.map((l) => l.name))) {
+      try {
+        await gh(["label", "delete", name, "-R", repo, "--yes"]);
+        applied.push(`label ${name} (pruned)`);
+      } catch (e) {
+        if (/not found/i.test(e.message ?? "")) continue;
+        applied.push(`label ${name} (prune failed)`);
+      }
+    }
   }
   const ddbWrites = [];
   let registerPayload;
   try {
     registerPayload = buildRegisterPayload(repo, o.class, vars, {
       projectType: o.projectType || void 0,
-      deployModel: o.deployModel || void 0
+      deployModel: o.deployModel || void 0,
+      releaseTrack: o.releaseTrack || void 0
     });
   } catch (e) {
     return fail(`bootstrap apply: ${e.message}`);
@@ -11790,7 +12489,83 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
       applied.push(`ddb register ${registerPayload.slug} (failed: ${why})`);
     }
   }
-  if (o.json) console.log(JSON.stringify({ repo, class: o.class, execute: o.execute, actions, applied, ddbWrites }, null, 2));
+  let fanoutPrUrl;
+  if (o.execute) {
+    const fanoutEntry = {
+      repo: parsedRepo.name,
+      slug,
+      projectId: vars.PROJECT_ID || void 0,
+      wikiRepo: vars.WIKI_REPO || parsedRepo.fullName,
+      branch: baseBranch,
+      cls: o.class,
+      name: vars.NAME || parsedRepo.name
+    };
+    const readHubFile = async (path2) => {
+      const r = await gh(["api", `repos/${HUB_REPO}/contents/${enc(path2)}?ref=development`]);
+      const parsed = JSON.parse(r.stdout);
+      if (parsed.encoding !== "base64" || typeof parsed.content !== "string" || !parsed.sha) {
+        throw new Error(`could not read ${HUB_REPO}/${path2}`);
+      }
+      return { content: Buffer.from(parsed.content, "base64").toString("utf8"), sha: parsed.sha };
+    };
+    try {
+      const fanoutFile = await readHubFile(".github/fanout-targets.json");
+      const projectsFile = await readHubFile("projects.json");
+      const plan2 = planFanoutRegistration(fanoutFile.content, projectsFile.content, fanoutEntry);
+      if (!plan2.changed) {
+        applied.push(`fanout: already registered (${parsedRepo.name})`);
+      } else {
+        const branchName = `bootstrap-register-fanout-${slug}`;
+        const headSha = (await gh(["api", `repos/${HUB_REPO}/git/ref/heads/development`, "--jq", ".object.sha"])).stdout.trim();
+        try {
+          await gh(["api", "-X", "POST", `repos/${HUB_REPO}/git/refs`, "-f", `ref=refs/heads/${branchName}`, "-f", `sha=${headSha}`]);
+        } catch (e) {
+          if (!/Reference already exists|already exists/i.test(String(e.message ?? ""))) throw e;
+        }
+        const branchFileSha = async (path2) => {
+          try {
+            const r = await gh(["api", `repos/${HUB_REPO}/contents/${enc(path2)}?ref=${branchName}`, "--jq", ".sha"]);
+            return r.stdout.trim() || void 0;
+          } catch (e) {
+            if (/404|Not Found/i.test(String(e.message ?? ""))) return void 0;
+            throw e;
+          }
+        };
+        const fanoutBranchSha = await branchFileSha(".github/fanout-targets.json");
+        const projectsBranchSha = await branchFileSha("projects.json");
+        await gh(contentPutArgs(HUB_REPO, ".github/fanout-targets.json", plan2.fanoutTargets, branchName, fanoutBranchSha));
+        await gh(contentPutArgs(HUB_REPO, "projects.json", plan2.projects, branchName, projectsBranchSha));
+        const openPrs = await gh(["pr", "list", "--repo", HUB_REPO, "--head", branchName, "--base", "development", "--state", "open", "--json", "number,url"]);
+        const prDecision = decideFanoutPrAction(JSON.parse(openPrs.stdout || "[]"));
+        if (prDecision.action === "reuse") {
+          fanoutPrUrl = prDecision.url;
+        } else {
+          const created = await ghCreate([
+            "pr",
+            "create",
+            "--repo",
+            HUB_REPO,
+            "--base",
+            "development",
+            "--head",
+            branchName,
+            "--title",
+            `bootstrap: register ${parsedRepo.name} for org-spine fanout`,
+            "--body",
+            `Auto-opened by \`mmi-cli bootstrap apply --execute ${repo}\` (#933): adds ${parsedRepo.name} to projects.json + .github/fanout-targets.json so the spine fans out to it.`
+          ]);
+          fanoutPrUrl = created.url;
+        }
+        await gh(["pr", "merge", fanoutPrUrl, "--repo", HUB_REPO, "--auto", "--squash"]).catch((e) => {
+          if (!/already/i.test(String(e.message ?? ""))) throw e;
+        });
+        applied.push(`fanout: PR ${fanoutPrUrl} (auto-merge enabled)`);
+      }
+    } catch (e) {
+      return fail(`bootstrap apply: fanout registration failed: ${e.message}`);
+    }
+  }
+  if (o.json) console.log(JSON.stringify({ repo, class: o.class, execute: o.execute, actions, applied, ddbWrites, fanoutPrUrl }, null, 2));
   else {
     console.log(renderSeedPlan(actions));
     if (o.execute) console.log(`
@@ -12207,7 +12982,7 @@ program2.command("session-start").description("run the SessionStart verbs (rules
   } catch (e) {
     console.error(`[mmi-hook] saga session failed: ${e.message}`);
   }
-  spawnDetachedSelf(["docs", "sync", "--quiet"], { spawn: import_node_child_process6.spawn, execPath: process.execPath, scriptPath: process.argv[1] });
+  spawnDetachedSelf(["docs", "sync", "--quiet"], { spawn: import_node_child_process7.spawn, execPath: process.execPath, scriptPath: process.argv[1] });
   const { parallel, sequential } = buildSessionStartPlan({
     rulesSync: (io) => runRulesSync({ quiet: true }, io),
     sagaShow: (io) => runSagaShow({ quiet: true }, io),