@mutmutco/cli 2.17.0 → 2.19.0

package/dist/index.cjs

@@ -3525,7 +3525,7 @@ function parseHookInput(stdin) {
 }
 
 // src/index.ts
-var import_node_child_process6 = require("node:child_process");
+var import_node_child_process7 = require("node:child_process");
 var import_node_util6 = require("node:util");
 var import_node_path8 = require("node:path");
 var import_node_os3 = require("node:os");
@@ -5106,6 +5106,42 @@ function ghError(e) {
 }
 
 // src/gc.ts
+var WORKTREE_LOCK_RE = /EPERM|EBUSY|EACCES|ENOTEMPTY|permission denied|access is denied|used by another process|resource busy|directory not empty/i;
+function isWorktreeLockError(error) {
+  return WORKTREE_LOCK_RE.test(error instanceof Error ? error.message : String(error));
+}
+var defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+async function removeWorktreeWithRecovery(wtPath, deps) {
+  const maxAttempts = deps.maxAttempts ?? 3;
+  const backoff = deps.backoffMs ?? [250, 1e3];
+  let attempts = 0;
+  let lastError;
+  for (let i = 0; i < maxAttempts; i++) {
+    attempts++;
+    try {
+      await deps.git(["worktree", "remove", "--force", wtPath]);
+      return { status: "removed", attempts, recovery: i > 0 ? "retry" : void 0 };
+    } catch (e) {
+      lastError = e;
+      const retriesLeft = i < maxAttempts - 1;
+      if (retriesLeft && isWorktreeLockError(e)) {
+        await deps.sleep(backoff[Math.min(i, backoff.length - 1)]);
+        continue;
+      }
+      break;
+    }
+  }
+  if (deps.removeWorktreeDir) {
+    try {
+      await deps.removeWorktreeDir(wtPath);
+      await deps.git(["worktree", "prune"]).catch(() => "");
+      return { status: "removed", attempts, recovery: "fallback" };
+    } catch (fallbackError) {
+      lastError = fallbackError;
+    }
+  }
+  return { status: "failed", attempts, error: errorMessage(lastError) };
+}
 function buildRemoteBranchCleanupReport(branch, input) {
   if (!input.attempted) return { name: branch, status: "not-attempted", reason: input.reason };
   if (input.existsAfter === true) return { name: branch, status: "failed", reason: "still-present-after-delete" };
@@ -5145,6 +5181,14 @@ function buildPrMergeResultPayload(input) {
     worktree: input.localCleanup.worktree
   };
 }
+function buildPrMergeArgs(input) {
+  const args = ["pr", "merge", input.number, ...input.repoArgs, input.method, "--delete-branch"];
+  if (input.auto) args.push("--auto");
+  return args;
+}
+function basePolicyBlocksImmediateMerge(message) {
+  return /base branch policy prohibits|protected branch|required status check|merge queue/i.test(message);
+}
 async function checkRemoteBranchExists(branch, deps, options = {}) {
   if (!branch) return void 0;
   try {
@@ -5394,14 +5438,18 @@ async function cleanupPrMergeLocalBranch(branch, options) {
         stageTeardown = { status: "failed", error: errorMessage(e) };
       }
     }
-    try {
-      await git(["worktree", "remove", "--force", wtPath]);
-      report.worktree = { path: wtPath, status: "removed", stageTeardown };
-    } catch (e) {
+    const outcome = await removeWorktreeWithRecovery(wtPath, {
+      git,
+      sleep: options.sleep ?? defaultSleep,
+      removeWorktreeDir: options.removeWorktreeDir
+    });
+    if (outcome.status === "removed") {
+      report.worktree = { path: wtPath, status: "removed", stageTeardown, recovery: outcome.recovery };
+    } else {
       report.worktree = {
         path: wtPath,
         status: "failed",
-        error: errorMessage(e),
+        error: outcome.error,
         safeCleanupCommand: safeWorktreeRemoveCommand(safeCwd, wtPath),
         stageTeardown
       };
@@ -5529,10 +5577,11 @@ function rcandVersionStep(targets) {
 }
 function trainPlan(command, options = {}) {
   const isHub = options.repo?.toLowerCase() === "mutmutco/mmi-hub";
+  const isDirect = options.releaseTrack === "direct" || options.releaseTrack === void 0 && isHub;
   if (command === "rcand") {
-    if (isHub) {
+    if (isDirect) {
       return [
-        { label: "MMI-Hub releases skip rc; use /release from development instead", command: "mmi-cli release --apply", gated: true }
+        { label: "direct-track repos skip rc; use /release from development instead", command: "mmi-cli release --apply", gated: true }
       ];
     }
     return [
@@ -5541,23 +5590,22 @@ function trainPlan(command, options = {}) {
       rcandVersionStep(options),
       { label: "verify registry META for this project", command: "mmi-cli project get <owner/repo>", gated: true },
       { label: "preflight required rc secret names", command: "mmi-cli secrets preflight --stage rc --repo <owner/repo>", gated: true },
-      { label: "for Hub distribution changes, verify the release bump is already landed before touching rc", command: "node scripts/release-distribution.mjs verify <release-tag> --skip-npm-view; if missing: mmi-cli train prep --apply", gated: true },
       { label: "merge development to rc", gated: true },
       { label: "trigger the deploy path for this repo model, returning Hub Actions run id/url data (and, with --watch, its outcome)", command: "tenant-container: gh workflow run tenant-deploy.yml ... then gh run list/watch; hub-serverless: no manual dispatch, deploy.yml auto-fires on rc push, correlate/watch that run", gated: true },
       { label: "after a failed deploy, retry the existing rc ref (no re-tag/merge)", command: "mmi-cli tenant redeploy <owner/repo> rc --watch", gated: true }
     ];
   }
   if (command === "release") {
-    if (isHub) {
+    if (isDirect) {
       return [
         { label: "verify operator is a master-admin org owner", command: "gh api orgs/<owner>/memberships/<login> --jq .role", gated: true },
         { label: "verify current branch is development", gated: true },
         { label: "verify registry META for this project", command: "mmi-cli project get <owner/repo>", gated: true },
         { label: "preflight required main secret names", command: "mmi-cli secrets preflight --stage main --repo <owner/repo>", gated: true },
-        { label: "Hub releases skip rc; verify the distribution bump is already landed on development", command: "node scripts/release-distribution.mjs verify <release-tag> --skip-npm-view", gated: true },
         { label: "merge development to main", gated: true },
+        { label: "fold the version bump into the release commit (Hub: full distribution set; app repos: root package manifest) \u2014 runs inside the apply step, no separate bump PR", gated: true },
         { label: "tag release and publish GitHub Release", gated: true },
-        { label: "trigger the Hub deploy path from the release event", command: "hub-serverless: deploy.yml + publish.yml auto-fire on the release", gated: true },
+        { label: "trigger the repo deploy path from the release event", command: "hub-serverless: deploy.yml + publish.yml auto-fire on the release; other models deploy via their own workflow", gated: true },
         { label: "roll development forward", gated: true }
       ];
     }
@@ -5566,9 +5614,9 @@ function trainPlan(command, options = {}) {
       { label: "verify current branch is rc", gated: true },
       { label: "verify registry META for this project", command: "mmi-cli project get <owner/repo>", gated: true },
       { label: "preflight required main secret names", command: "mmi-cli secrets preflight --stage main --repo <owner/repo>", gated: true },
-      { label: "verify every main-only hotfix commit is covered by the rc candidate", command: "node scripts/hotfix-coverage.mjs", gated: true },
+      { label: "verify every main-only hotfix commit is covered by the rc candidate (the guard runs automatically inside the apply step below; --ack <sha> overrides a verified, trailer-less port)", command: "mmi-cli release --apply [--ack <sha>]", gated: true },
       { label: "merge rc to main", gated: true },
-      { label: "for Hub distribution changes, verify the promoted SHA carries the release bump", command: "node scripts/release-distribution.mjs verify <release-tag> --skip-npm-view; if missing: mmi-cli train prep --apply", gated: true },
+      { label: "fold the version bump into the release commit (app repos: root package manifest) \u2014 runs inside the apply step, no separate bump PR", gated: true },
       { label: "tag release and publish GitHub Release", gated: true },
       { label: "trigger the deploy path for this repo model, returning Hub Actions run id/url data (and, with --watch, its outcome)", command: "tenant-container: gh workflow run tenant-deploy.yml ... then gh run list/watch; hub-serverless: no manual dispatch, deploy.yml + publish.yml auto-fire on the release, correlate/watch those runs", gated: true },
       { label: "roll development forward", gated: true }
@@ -5578,7 +5626,7 @@ function trainPlan(command, options = {}) {
     { label: "verify the fix is merged on development (the only hotfix origin)", gated: true },
     { label: "branch hotfix from main and cherry-pick the dev commits", command: "git cherry-pick -x <dev-sha>", gated: true },
     { label: "land on main via PR, tag, deploy prod", gated: true },
-    { label: "forward-bump development distribution manifests (Hub only; no back-merge)", gated: true }
+    { label: "no residue: development already has the fix; the next /release fold + back-merge re-aligns version manifests" }
   ];
 }
 function bootstrapPlan(repo, repoClass) {
@@ -5599,10 +5647,13 @@ function bootstrapPlan(repo, repoClass) {
 function shellFor(platform = process.platform) {
   return platform === "win32" ? "powershell" : "bash";
 }
+function isCentralContainerModel(model) {
+  return model === "tenant-container" || model === "solo-container";
+}
 function deriveStageGap(inputs) {
   const missing = [];
-  if (inputs.deployModel !== "tenant-container") {
-    return `local stage default applies to tenant-container repos only (registry deployModel = ${inputs.deployModel ?? "unset"})`;
+  if (!isCentralContainerModel(inputs.deployModel)) {
+    return `local stage default applies to central-container repos only (tenant-container/solo-container; registry deployModel = ${inputs.deployModel ?? "unset"})`;
   }
   if (!inputs.hasCompose) missing.push("docker-compose.yml");
   if (!inputs.hasEnvExample) missing.push(".env.example");
@@ -5657,9 +5708,9 @@ function stalePosixFields(config, shell2) {
 }
 function sanitizeLocalStage(local, stale) {
   if (!stale.length) return local;
-  const clean4 = { ...local };
-  for (const field of stale) delete clean4[field];
-  return clean4;
+  const clean3 = { ...local };
+  for (const field of stale) delete clean3[field];
+  return clean3;
 }
 function staleNote(staleFields, outcome) {
   const list = staleFields.join(", ");
@@ -6395,16 +6446,21 @@ async function runStage(config = {}, opts = {}) {
 }
 
 // src/project-model.ts
-var PROJECT_TYPES = ["web-app", "hub-service", "content", "desktop-game", "non-deployable"];
-var DEPLOY_MODELS = ["hub-serverless", "serverless", "tenant-container", "content", "none"];
+var PROJECT_TYPES = ["web-app", "hub-service", "content", "desktop-game", "non-deployable", "cli-tool", "worker"];
+var DEPLOY_MODELS = ["hub-serverless", "serverless", "tenant-container", "solo-container", "registry-publish", "content", "none"];
+var RELEASE_TRACKS = ["full", "direct", "trunk"];
 var PROJECT_TYPE_SET = new Set(PROJECT_TYPES);
 var DEPLOY_MODEL_SET = new Set(DEPLOY_MODELS);
+var RELEASE_TRACK_SET = new Set(RELEASE_TRACKS);
 function isProjectType(value) {
   return Boolean(value && PROJECT_TYPE_SET.has(value));
 }
 function isDeployModel(value) {
   return Boolean(value && DEPLOY_MODEL_SET.has(value));
 }
+function isReleaseTrack(value) {
+  return Boolean(value && RELEASE_TRACK_SET.has(value));
+}
 function repoIsHub(repo) {
   return repo.toLowerCase().endsWith("/mmi-hub") || repo.toLowerCase() === "mmi-hub";
 }
@@ -6413,6 +6469,8 @@ function resolveProjectTypeConfident(meta, repo) {
   if (isProjectType(rawType)) return rawType;
   if (meta?.class === "content" || meta?.deployModel === "content") return "content";
   if (meta?.deployModel === "hub-serverless" || repoIsHub(repo)) return "hub-service";
+  if (meta?.deployModel === "registry-publish") return "cli-tool";
+  if (meta?.deployModel === "solo-container") return "worker";
   if (meta?.deployModel === "none") return "non-deployable";
   return void 0;
 }
@@ -6426,10 +6484,22 @@ function resolveDeployModel(meta, repo) {
   if (projectType === "content" || meta?.class === "content") return "content";
   if (projectType === "hub-service" || repoIsHub(repo)) return "hub-serverless";
   if (projectType === "desktop-game" || projectType === "non-deployable") return "none";
+  if (projectType === "cli-tool") return "registry-publish";
   return "tenant-container";
 }
 function projectTypeClearsWebProfile(projectType, deployModel) {
-  return projectType === "content" || projectType === "desktop-game" || projectType === "non-deployable" || deployModel === "content" || deployModel === "none";
+  return projectType === "content" || projectType === "desktop-game" || projectType === "non-deployable" || projectType === "cli-tool" || deployModel === "content" || deployModel === "none" || deployModel === "registry-publish";
+}
+function resolveReleaseTrack(meta) {
+  const raw = typeof meta?.releaseTrack === "string" ? meta.releaseTrack : void 0;
+  if (isReleaseTrack(raw)) return raw;
+  if (meta?.class === "content" || meta?.deployModel === "content") return "trunk";
+  return "full";
+}
+function branchesForTrack(track) {
+  if (track === "trunk") return ["main"];
+  if (track === "direct") return ["development", "main"];
+  return ["development", "rc", "main"];
 }
 
 // src/train-apply.ts
@@ -6445,9 +6515,35 @@ function requireValue(value, label) {
   if (!value) throw new Error(`${label} could not be resolved`);
   return value;
 }
-async function verifyHubDistributionVersion(deps, model, releaseTag) {
-  if (model !== "hub-serverless") return;
-  await deps.run("node", ["scripts/release-distribution.mjs", "verify", releaseTag, "--skip-npm-view"]);
+async function resolveFoldPaths(deps, model) {
+  if (model === "hub-serverless") {
+    return (await deps.run("node", ["scripts/release-distribution.mjs", "changed-files"])).split("\n").map((s) => s.trim()).filter(Boolean);
+  }
+  try {
+    await deps.run("git", ["cat-file", "-e", "origin/main:package.json"]);
+  } catch {
+    return [];
+  }
+  return ["package.json", "package-lock.json"];
+}
+async function foldReleaseVersion(deps, model, tag, foldPaths) {
+  if (foldPaths.length === 0) return "no version manifest to fold \u2014 the tag is the version";
+  const version = tag.replace(/^v/, "");
+  if (model === "hub-serverless") {
+    await deps.run("node", ["scripts/release-distribution.mjs", "prepare", version]);
+  } else {
+    await deps.run("npm", ["version", version, "--no-git-tag-version", "--allow-same-version"]);
+  }
+  for (const path2 of foldPaths) {
+    await deps.run("git", ["add", "--", path2]).catch(() => void 0);
+  }
+  const staged = (await deps.run("git", ["diff", "--cached", "--name-only"])).trim();
+  if (!staged) return `version fold: manifests already at ${version} \u2014 nothing committed`;
+  await deps.run("git", ["commit", "-m", `chore(release): bump distribution to ${tag}`]);
+  if (model === "hub-serverless") {
+    await deps.run("node", ["scripts/release-distribution.mjs", "verify", version, "--skip-npm-view"]);
+  }
+  return `version fold: distribution bumped to ${version} in the release commit`;
 }
 async function verifyPublishedRelease(deps, repo, tag, expectedTarget, expectedSha) {
   const out = await deps.run("gh", ["release", "view", tag, "--repo", repo, "--json", "tagName,targetCommitish"]);
@@ -6497,18 +6593,18 @@ async function predictMergeConflicts(deps, ours, theirs) {
     return files;
   }
 }
-async function mergeWithSpineResolution(deps, sourceRef, label, resolve) {
+async function mergeWithSpineResolution(deps, sourceRef, label, resolve, extraTolerated = []) {
   try {
     await deps.run("git", ["merge", sourceRef, "--no-edit"]);
     return;
   } catch {
   }
   const unmerged = (await deps.run("git", ["diff", "--name-only", "--diff-filter=U"])).split("\n").map((s) => s.trim()).filter(Boolean);
-  const nonSpine = unmerged.filter((f) => !isSpinePath(f));
-  if (unmerged.length === 0 || nonSpine.length > 0) {
+  const blocking = unmerged.filter((f) => !isSpinePath(f) && !extraTolerated.includes(f));
+  if (unmerged.length === 0 || blocking.length > 0) {
     await deps.run("git", ["merge", "--abort"]);
     throw new Error(
-      unmerged.length === 0 ? `${label} merge failed without conflicted paths \u2014 merge aborted; inspect the repo state and rerun` : `${label} merge conflicts on non-spine path(s): ${nonSpine.join(", ")} \u2014 merge aborted (the train is misaligned; reconcile the branches via an approved alignment PR, then rerun)`
+      unmerged.length === 0 ? `${label} merge failed without conflicted paths \u2014 merge aborted; inspect the repo state and rerun` : `${label} merge conflicts on non-spine path(s): ${blocking.join(", ")} \u2014 merge aborted (the train is misaligned; reconcile the branches via an approved alignment PR, then rerun)`
     );
   }
   await deps.run("git", ["checkout", `--${resolve}`, "--", ...unmerged]);
@@ -6552,6 +6648,13 @@ var HUB_REPO2 = "mutmutco/MMI-Hub";
 function isHubControlRepo(repo) {
   return repo.toLowerCase() === HUB_REPO2.toLowerCase();
 }
+async function loadProjectMeta(deps, ctx) {
+  try {
+    return JSON.parse(await deps.runSelf(["project", "get", ctx.repo]));
+  } catch {
+    return null;
+  }
+}
 var CORRELATE_ATTEMPTS = 5;
 var CORRELATE_DELAY_MS = 1500;
 var CORRELATE_SKEW_SLACK_MS = 1e4;
@@ -6561,7 +6664,7 @@ var TRAIN_PROTECTION_CONTEXTS_JQ = "[.contexts[]]";
 var TRAIN_RULES_CONTEXTS_JQ = '[.[]|select(.type=="required_status_checks")|.parameters.required_status_checks[].context]';
 var TRAIN_CHECK_ATTEMPTS = 40;
 var TRAIN_CHECK_DELAY_MS = 15e3;
-async function correlateTenantRun(deps, since) {
+async function correlateDispatchedRun(deps, workflow, since) {
   const sleep = deps.sleep ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
   const threshold = since - CORRELATE_SKEW_SLACK_MS;
   for (let attempt = 0; attempt < CORRELATE_ATTEMPTS; attempt++) {
@@ -6574,7 +6677,7 @@ async function correlateTenantRun(deps, since) {
         "--repo",
         HUB_REPO2,
         "--workflow",
-        "tenant-deploy.yml",
+        workflow,
         "--limit",
         "10",
         "--json",
@@ -6589,6 +6692,12 @@ async function correlateTenantRun(deps, since) {
   }
   return {};
 }
+function correlateTenantRun(deps, since) {
+  return correlateDispatchedRun(deps, "tenant-deploy.yml", since);
+}
+function correlatePublishRun(deps, since) {
+  return correlateDispatchedRun(deps, "tenant-publish.yml", since);
+}
 async function correlateWorkflowRun(deps, args) {
   const sleep = deps.sleep ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
   const threshold = args.since - CORRELATE_SKEW_SLACK_MS;
@@ -6763,12 +6872,19 @@ async function resolveRcResumeTag(deps, base, sha) {
   return { tag: newest, note };
 }
 async function dispatchDeploy(deps, ctx, stage2, ref, model, watch, autoRunSince, autoRunHeadSha) {
-  if (model === "tenant-container") {
+  if (model === "tenant-container" || model === "solo-container") {
+    const since = (deps.now ?? Date.now)();
+    await deps.dispatchTenantDeploy({ repo: ctx.repo, slug: ctx.slug, ref, stage: stage2 });
+    const { runId, runUrl } = await correlateTenantRun(deps, since);
+    const deployStatus = watch ? await watchTenantRun(deps, runId) : "pending";
+    return { note: `dispatched tenant-deploy.yml (slug=${ctx.slug}, ref=${ref}, stage=${stage2})`, runId, runUrl, deployStatus };
+  }
+  if (model === "registry-publish") {
     const since = (deps.now ?? Date.now)();
     await deps.run("gh", [
       "workflow",
       "run",
-      "tenant-deploy.yml",
+      "tenant-publish.yml",
       "--repo",
       HUB_REPO2,
       "-f",
@@ -6780,9 +6896,9 @@ async function dispatchDeploy(deps, ctx, stage2, ref, model, watch, autoRunSince
       "-f",
       `stage=${stage2}`
     ]);
-    const { runId, runUrl } = await correlateTenantRun(deps, since);
+    const { runId, runUrl } = await correlatePublishRun(deps, since);
     const deployStatus = watch ? await watchTenantRun(deps, runId) : "pending";
-    return { note: `dispatched tenant-deploy.yml (slug=${ctx.slug}, ref=${ref}, stage=${stage2})`, runId, runUrl, deployStatus };
+    return { note: `dispatched tenant-publish.yml (slug=${ctx.slug}, ref=${ref}, stage=${stage2})`, runId, runUrl, deployStatus };
   }
   if (model === "hub-serverless") {
     const note = ref === "rc" ? "no manual dispatch: deploy.yml auto-fires on the rc push (rc stage)" : "no manual dispatch: deploy.yml + publish.yml auto-fire on the published Release (prod)";
@@ -6813,13 +6929,7 @@ async function dispatchDeploy(deps, ctx, stage2, ref, model, watch, autoRunSince
   }
   return { note: `no manual dispatch: ${model} repo deploys via its own push-triggered workflow`, deployStatus: "pending" };
 }
-async function preflight(deps, ctx, stage2) {
-  let meta = null;
-  try {
-    meta = JSON.parse(await deps.runSelf(["project", "get", ctx.repo]));
-  } catch {
-    meta = null;
-  }
+async function preflight(deps, ctx, stage2, meta) {
   const model = resolveDeployModel2(meta, ctx.repo);
   if (model === "content") {
     throw new Error(`${ctx.repo} is a content repo (deployModel=content) \u2014 the release train does not apply (trunk-based; PR to main)`);
@@ -6835,19 +6945,20 @@ async function runTrainApply(command, deps, options = {}) {
   const ctx = await buildTrainApplyContext(deps);
   await requireCleanTree(deps);
   await deps.run("git", ["fetch", "origin"]);
+  const meta = await loadProjectMeta(deps, ctx);
+  const directTrack = isHubControlRepo(ctx.repo) || resolveReleaseTrack(meta) === "direct";
   if (command === "rcand") {
     await requireBranch(deps, "development");
+    if (directTrack) {
+      throw new Error("direct-track repos release straight to main (no rc); run `mmi-cli release --apply` from development instead of rcand");
+    }
     await deps.run("git", ["pull", "--ff-only", "origin", "development"]);
     ensurePositiveCount(
       await deps.run("git", ["rev-list", "--count", "origin/rc..origin/development"]),
       "nothing to promote: origin/development is not ahead of origin/rc"
     );
-    const deployModel2 = await preflight(deps, ctx, "rc");
-    if (isHubControlRepo(ctx.repo) && deployModel2 === "hub-serverless") {
-      throw new Error("MMI-Hub releases directly from development to main; run mmi-cli release --apply from development instead of rcand");
-    }
+    const deployModel2 = await preflight(deps, ctx, "rc", meta);
     const releaseBase = requireValue(clean(await deps.run("node", ["scripts/next-version.mjs", "cycle"])), "release base");
-    await verifyHubDistributionVersion(deps, deployModel2, releaseBase);
     await deps.run("git", ["checkout", "rc"]);
     await deps.run("git", ["pull", "--ff-only", "origin", "rc"]);
     await deps.run("git", ["merge", "development", "--no-edit"]);
@@ -6863,24 +6974,21 @@ async function runTrainApply(command, deps, options = {}) {
     const d2 = await dispatchDeploy(deps, ctx, "rc", "rc", deployModel2, watch, autoRunSince2, rcSha);
     return { ...ctx, command, stage: "rc", ref: "rc", tag: tag2, deployModel: deployModel2, promoted: true, checks: checks2, resumeNote, dispatch: d2.note, runId: d2.runId, runUrl: d2.runUrl, workflowRuns: d2.workflowRuns, deployStatus: d2.deployStatus };
   }
-  if (isHubControlRepo(ctx.repo)) {
+  if (directTrack) {
     await requireBranch(deps, "development");
     await deps.run("git", ["pull", "--ff-only", "origin", "development"]);
     ensurePositiveCount(
       await deps.run("git", ["rev-list", "--count", "origin/main..origin/development"]),
       "nothing to release: origin/development is not ahead of origin/main"
     );
-    const deployModel2 = await preflight(deps, ctx, "main");
-    if (deployModel2 !== "hub-serverless") {
-      throw new Error(`MMI-Hub direct release requires deployModel=hub-serverless, got ${deployModel2}`);
-    }
+    const deployModel2 = await preflight(deps, ctx, "main", meta);
     const tag2 = requireValue(clean(await deps.run("node", ["scripts/next-version.mjs", "cycle"])), "release tag");
-    await verifyHubDistributionVersion(deps, deployModel2, tag2);
+    const foldPaths2 = await resolveFoldPaths(deps, deployModel2);
     const predicted2 = await predictMergeConflicts(deps, "origin/main", "origin/development");
-    const predictedNonSpine2 = predicted2.filter((f) => !isSpinePath(f));
-    if (predictedNonSpine2.length > 0) {
+    const predictedBlocking2 = predicted2.filter((f) => !isSpinePath(f) && !foldPaths2.includes(f));
+    if (predictedBlocking2.length > 0) {
       throw new Error(
-        `development -> main merge would conflict on non-spine path(s): ${predictedNonSpine2.join(", ")} \u2014 no merge was started. The train is misaligned: reconcile main and development via an approved alignment PR, then rerun release.`
+        `development -> main merge would conflict on non-spine path(s): ${predictedBlocking2.join(", ")} \u2014 no merge was started. The train is misaligned: reconcile main and development via an approved alignment PR, then rerun release.`
       );
     }
     await deps.run("git", ["checkout", "main"]);
@@ -6888,8 +6996,9 @@ async function runTrainApply(command, deps, options = {}) {
     if (predicted2.length === 0) {
       await deps.run("git", ["merge", "development", "--no-edit"]);
     } else {
-      await mergeWithSpineResolution(deps, "development", "development -> main", "theirs");
+      await mergeWithSpineResolution(deps, "development", "development -> main", "theirs", foldPaths2);
     }
+    const versionFold2 = await foldReleaseVersion(deps, deployModel2, tag2, foldPaths2);
     const releaseSha2 = requireValue(clean(await deps.run("git", ["rev-parse", "main"])), "release sha");
     await ensureTagPushed(deps, tag2, releaseSha2);
     const requiredChecks2 = await discoverRequiredCheckContexts(deps, ctx, "main");
@@ -6912,13 +7021,14 @@ async function runTrainApply(command, deps, options = {}) {
       deployModel: deployModel2,
       promoted: true,
       checks: checks2,
+      versionFold: versionFold2,
       dispatch: d2.note,
       runId: d2.runId,
       runUrl: d2.runUrl,
       workflowRuns: d2.workflowRuns,
       deployStatus: d2.deployStatus,
       rcRetirement: "not-applicable",
-      rcRetirementNote: "Hub releases skip rc; no rc runtime to retire",
+      rcRetirementNote: "direct-track release skips rc; no rc runtime to retire",
       announceNote: announceNote2,
       release: { tag: tag2, url: releaseUrl2, targetSha: releaseSha2 }
     };
@@ -6928,12 +7038,20 @@ async function runTrainApply(command, deps, options = {}) {
     await deps.run("git", ["rev-list", "--count", "origin/main..origin/rc"]),
     "nothing to release: origin/rc is not ahead of origin/main"
   );
-  const deployModel = await preflight(deps, ctx, "main");
+  const deployModel = await preflight(deps, ctx, "main", meta);
+  const foldPaths = await resolveFoldPaths(deps, deployModel);
   const predicted = await predictMergeConflicts(deps, "origin/main", "origin/rc");
-  const predictedNonSpine = predicted.filter((f) => !isSpinePath(f));
-  if (predictedNonSpine.length > 0) {
+  const predictedBlocking = predicted.filter((f) => !isSpinePath(f) && !foldPaths.includes(f));
+  if (predictedBlocking.length > 0) {
+    throw new Error(
+      `rc -> main merge would conflict on non-spine path(s): ${predictedBlocking.join(", ")} \u2014 no merge was started. The train is misaligned: reconcile main and rc via an approved alignment PR (do not hand-resolve on main), then rerun release.`
+    );
+  }
+  const coverage = deps.hotfixCoverage({ mainRef: "origin/main", rcRef: "origin/rc", ack: options.ack ?? [] });
+  if (!coverage.ok) {
+    const list = coverage.uncovered.map((c) => `${c.sha.slice(0, 8)} ${c.subject}`).join("; ");
     throw new Error(
-      `rc -> main merge would conflict on non-spine path(s): ${predictedNonSpine.join(", ")} \u2014 no merge was started. The train is misaligned: reconcile main and rc via an approved alignment PR (do not hand-resolve on main), then rerun release.`
+      `hotfix-coverage: ${coverage.uncovered.length} main-only commit(s) not proven in origin/rc \u2014 the candidate would revert a prod hotfix: ${list}. Re-cut /rcand from development, or have the authorized human verify the content is in the candidate and rerun release with --ack <sha>[,<sha>\u2026].`
     );
   }
   const releasedRcSha = clean(await deps.run("git", ["rev-parse", "origin/rc"]));
@@ -6942,10 +7060,10 @@ async function runTrainApply(command, deps, options = {}) {
   if (predicted.length === 0) {
     await deps.run("git", ["merge", "rc", "--no-edit"]);
   } else {
-    await mergeWithSpineResolution(deps, "rc", "rc -> main", "theirs");
+    await mergeWithSpineResolution(deps, "rc", "rc -> main", "theirs", foldPaths);
   }
   const tag = requireValue(clean(await deps.run("node", ["scripts/next-version.mjs", "release"])), "release tag");
-  await verifyHubDistributionVersion(deps, deployModel, tag);
+  const versionFold = await foldReleaseVersion(deps, deployModel, tag, foldPaths);
   const releaseSha = requireValue(clean(await deps.run("git", ["rev-parse", "main"])), "release sha");
   await ensureTagPushed(deps, tag, releaseSha);
   const requiredChecks = await discoverRequiredCheckContexts(deps, ctx, "main");
@@ -6971,6 +7089,7 @@ async function runTrainApply(command, deps, options = {}) {
     deployModel,
     promoted: true,
     checks,
+    versionFold,
     dispatch: d.note,
     runId: d.runId,
     runUrl: d.runUrl,
@@ -7015,6 +7134,49 @@ function retireCategoryFrom(text) {
     return void 0;
   }
 }
+var TRANSPORT_REASONS = /* @__PURE__ */ new Set(["invalid-instance", "invalid-document", "throttled", "timeout", "other"]);
+function retireReasonFrom(text) {
+  try {
+    const r = JSON.parse(text).reason;
+    return typeof r === "string" && TRANSPORT_REASONS.has(r) ? r : void 0;
+  } catch {
+    return void 0;
+  }
+}
+function isRetryableTransport(reason) {
+  return reason === void 0 || reason === "throttled" || reason === "timeout" || reason === "other";
+}
+var RETIRE_MAX_ATTEMPTS = 3;
+var RETIRE_BACKOFF_MS = 1500;
+async function attemptRetire(deps, ctx) {
+  try {
+    const out = await deps.runSelf(["tenant", "control", ctx.repo, "rc", "retire"]);
+    let commandId = "";
+    let category = retireCategoryFrom(out);
+    try {
+      commandId = String(JSON.parse(out).commandId ?? "");
+    } catch {
+    }
+    if (category === "retired-edge-pending") {
+      return { result: {
+        status: "retired",
+        category,
+        note: `rc runtime retired; edge vhost reconcile pending (tenant control retire${commandId ? `, command ${commandId}` : ""}) \u2014 registry coords kept`
+      } };
+    }
+    category = category ?? "retired";
+    return { result: {
+      status: "retired",
+      category,
+      note: `rc runtime retired (tenant control retire${commandId ? `, command ${commandId}` : ""}) \u2014 registry coords kept; /rcand or tenant redeploy recreates rc next cycle`
+    } };
+  } catch (e) {
+    const err = e;
+    const category = retireCategoryFrom(err.stdout ?? "") ?? "transport-failed";
+    const reason = retireReasonFrom(err.stdout ?? "");
+    return { result: { status: "failed", category, note: `rc retirement failed (the release itself succeeded): ${err.message}` }, reason, message: err.message };
+  }
+}
 async function retireRcRuntime(deps, ctx, model, deployStatus, releasedRcSha) {
   if (model !== "tenant-container") {
     return { status: "not-applicable", note: `${model} has no co-resident rc runtime to retire` };
@@ -7037,30 +7199,22 @@ async function retireRcRuntime(deps, ctx, model, deployStatus, releasedRcSha) {
         note: `origin/rc moved past the released candidate (${releasedRcSha.slice(0, 7)} -> ${rcNow.slice(0, 7)}) \u2014 a new candidate is in flight; rc runtime left untouched`
       };
     }
-    const out = await deps.runSelf(["tenant", "control", ctx.repo, "rc", "retire"]);
-    let commandId = "";
-    let category = retireCategoryFrom(out);
-    try {
-      commandId = String(JSON.parse(out).commandId ?? "");
-    } catch {
-    }
-    if (category === "retired-edge-pending") {
-      return {
-        status: "retired",
-        category,
-        note: `rc runtime retired; edge vhost reconcile pending (tenant control retire${commandId ? `, command ${commandId}` : ""}) \u2014 registry coords kept`
-      };
-    }
-    category = category ?? "retired";
-    return {
-      status: "retired",
-      category,
-      note: `rc runtime retired (tenant control retire${commandId ? `, command ${commandId}` : ""}) \u2014 registry coords kept; /rcand or tenant redeploy recreates rc next cycle`
-    };
+    const sleep = deps.sleep ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
+    let last;
+    for (let attempt = 1; attempt <= RETIRE_MAX_ATTEMPTS; attempt++) {
+      last = await attemptRetire(deps, ctx);
+      if (last.result.status === "retired") return last.result;
+      const retryable = last.result.category === "transport-failed" && isRetryableTransport(last.reason);
+      if (!retryable || attempt === RETIRE_MAX_ATTEMPTS) break;
+      await sleep(RETIRE_BACKOFF_MS * attempt);
+    }
+    const f = last;
+    const reasonSuffix = f.reason ? ` [reason: ${f.reason}]` : "";
+    const note = `rc retirement failed (the release itself succeeded)${reasonSuffix}: ${f.message ?? f.result.note}. The rc runtime may be orphaned on the box \u2014 retire it with: mmi-cli tenant control ${ctx.repo} rc retire (or sweep all: mmi-cli tenant sweep-rc --retire --yes)`;
+    return { status: "failed", category: f.result.category, note };
   } catch (e) {
     const err = e;
-    const category = retireCategoryFrom(err.stdout ?? "") ?? "transport-failed";
-    return { status: "failed", category, note: `rc retirement failed (the release itself succeeded): ${err.message}` };
+    return { status: "failed", category: "transport-failed", note: `rc retirement failed (the release itself succeeded): ${err.message}` };
   }
 }
 async function runTenantRedeploy(deps, options) {
@@ -7082,46 +7236,154 @@ async function runTenantRedeploy(deps, options) {
     meta = null;
   }
   const deployModel = resolveDeployModel2(meta, repo);
-  if (deployModel !== "tenant-container") {
-    throw new Error(`${repo} is ${deployModel}, not tenant-container \u2014 there is no central tenant-deploy run to retry (its deploy fires from its own workflow)`);
+  if (deployModel !== "tenant-container" && deployModel !== "solo-container") {
+    throw new Error(`${repo} is ${deployModel}, not a central-container model (tenant-container/solo-container) \u2014 there is no central tenant-deploy run to retry (its deploy fires from its own workflow)`);
   }
   const d = await dispatchDeploy(deps, ctx, stage2, ref, deployModel, watch);
   return { ...ctx, command: "tenant-redeploy", stage: stage2, ref, deployModel, dispatch: d.note, runId: d.runId, runUrl: d.runUrl, workflowRuns: d.workflowRuns, deployStatus: d.deployStatus };
 }
 
-// src/train-prep.ts
-function clean2(text) {
-  return text.trim();
+// src/hotfix-coverage.ts
+var import_node_child_process6 = require("node:child_process");
+var CHERRY_TRAILER = /\(cherry picked from commit ([0-9a-f]{7,40})\)/g;
+function checkHotfixCoverage(options = {}) {
+  const { cwd = process.cwd(), mainRef = "origin/main", rcRef = "origin/rc", manifestPaths = [] } = options;
+  const ack = (options.ack ?? []).filter(Boolean);
+  const git = options.git ?? ((args, opts) => (0, import_node_child_process6.execFileSync)("git", args, { cwd, encoding: "utf8", input: opts?.input, stdio: ["pipe", "pipe", "pipe"] }));
+  const revList = (range) => {
+    const out = git(["rev-list", "--no-merges", range]).trim();
+    return out ? out.split("\n") : [];
+  };
+  const isAncestor = (sha, ref) => {
+    try {
+      git(["merge-base", "--is-ancestor", sha, ref]);
+      return true;
+    } catch {
+      return false;
+    }
+  };
+  const patchId = (sha) => {
+    const diff = git(["show", "--no-color", "--pretty=format:", sha]);
+    if (!diff.trim()) return null;
+    const out = git(["patch-id", "--stable"], { input: diff }).trim();
+    return out ? out.split(" ")[0] : null;
+  };
+  const changedPaths = (sha) => {
+    const out = git(["show", "--no-color", "--name-only", "--pretty=format:", sha]).trim();
+    return out ? out.split("\n") : [];
+  };
+  const cherrySources = (sha) => {
+    const message = git(["log", "-1", "--format=%B", sha]);
+    return [...message.matchAll(CHERRY_TRAILER)].map((m) => m[1]);
+  };
+  const mainOnly = revList(`${rcRef}..${mainRef}`);
+  const rcSidePatchIds = /* @__PURE__ */ new Map();
+  let rcSideBuilt = false;
+  const buildRcSide = () => {
+    if (rcSideBuilt) return;
+    rcSideBuilt = true;
+    for (const sha of revList(`${mainRef}..${rcRef}`)) {
+      const id = patchId(sha);
+      if (id) rcSidePatchIds.set(id, sha);
+    }
+  };
+  const commits = mainOnly.map((sha) => {
+    const subject = git(["log", "-1", "--format=%s", sha]).trim();
+    const paths = changedPaths(sha);
+    if (paths.length > 0 && paths.every((p) => manifestPaths.includes(p))) {
+      return { sha, subject, coverage: "exempt-distribution" };
+    }
+    const sources = cherrySources(sha);
+    if (sources.length > 0) {
+      if (sources.every((s) => isAncestor(s, rcRef))) {
+        return { sha, subject, coverage: "trailer", sources };
+      }
+      if (ack.some((a) => sha.startsWith(a))) return { sha, subject, coverage: "acked", sources };
+      return { sha, subject, coverage: "uncovered", sources };
+    }
+    const id = patchId(sha);
+    if (id) {
+      buildRcSide();
+      const matchedRcSha = rcSidePatchIds.get(id);
+      if (matchedRcSha) {
+        return { sha, subject, coverage: "patch-id", matchedRcSha };
+      }
+    }
+    if (ack.some((a) => sha.startsWith(a))) return { sha, subject, coverage: "acked" };
+    return { sha, subject, coverage: "uncovered" };
+  });
+  const uncovered = commits.filter((c) => c.coverage === "uncovered");
+  return { ok: uncovered.length === 0, mainRef, rcRef, commits, uncovered };
 }
-function normalizeVersion2(target) {
-  const version = target.replace(/^v/, "");
-  if (!/^\d+\.\d+\.\d+$/.test(version)) {
-    throw new Error(`invalid train prep target ${target || "(empty)"}`);
+
+// src/tenant-sweep.ts
+function isRcBearingTenant(p) {
+  if ((p.deployModel ?? "") !== "tenant-container") return false;
+  return (p.releaseTrack ?? "full") === "full";
+}
+function pickRepo(p) {
+  const repos = p.repos ?? [];
+  if (repos.length === 0) return null;
+  const bySlug = repos.find((r) => r.split("/")[1]?.toLowerCase() === (p.slug ?? "").toLowerCase());
+  return bySlug ?? repos[0];
+}
+async function sweepRcOrphans(deps, opts) {
+  const projects = await deps.listProjects();
+  if (!projects) throw new Error("project list unavailable \u2014 Hub unreachable or this repo is not bootstrapped");
+  const targets = projects.filter(isRcBearingTenant);
+  const stages = [];
+  for (const p of targets) {
+    const repo = pickRepo(p);
+    if (!repo) continue;
+    const slug = p.slug ?? "";
+    let serviceState;
+    try {
+      serviceState = (await deps.status(repo)).serviceState || "unknown";
+    } catch (e) {
+      stages.push({ repo, slug, serviceState: "error", orphanCandidate: false, detail: e.message });
+      continue;
+    }
+    const orphanCandidate = serviceState === "running";
+    const stage2 = { repo, slug, serviceState, orphanCandidate };
+    if (orphanCandidate && opts.retire) {
+      try {
+        const r = await deps.retire(repo);
+        stage2.retired = r.ok ? "retired" : "failed";
+        stage2.category = r.category;
+        stage2.reason = r.reason;
+      } catch (e) {
+        stage2.retired = "failed";
+        stage2.detail = e.message;
+      }
+    }
+    stages.push(stage2);
   }
-  return version;
-}
-function parseChangedFiles(out) {
-  return out.split(/\r?\n/).map((line) => line.trim()).filter(Boolean);
+  return {
+    scanned: stages.length,
+    running: stages.filter((s) => s.orphanCandidate && s.retired !== "retired").length,
+    stages,
+    retireAttempted: !!opts.retire
+  };
 }
-async function runTrainPrep(deps, options = {}) {
-  const target = clean2(await deps.run("node", ["scripts/next-version.mjs", "cycle"]));
-  const version = normalizeVersion2(target);
-  if (!options.apply) {
-    return { target, version, applied: false, command: "mmi-cli train prep --apply", stagedFiles: [] };
+function renderSweep(r) {
+  const lines = [`tenant sweep-rc: scanned ${r.scanned} tenant-container(s); ${r.running} rc runtime(s) running`];
+  for (const s of r.stages) {
+    let line = `  ${s.repo} rc: ${s.orphanCandidate ? "RUNNING" : s.serviceState}`;
+    if (s.retired) line += ` -> ${s.retired}${s.category ? ` (${s.category}${s.reason ? `/${s.reason}` : ""})` : ""}`;
+    if (s.detail) line += ` \u2014 ${s.detail}`;
+    lines.push(line);
+  }
+  if (r.running > 0 && !r.retireAttempted) {
+    lines.push("Retire an orphan with: mmi-cli tenant control <owner/repo> rc retire (or sweep all running: mmi-cli tenant sweep-rc --retire --yes)");
   }
-  await deps.run("node", ["scripts/release-distribution.mjs", "prepare", target]);
-  const stagedFiles = parseChangedFiles(await deps.run("node", ["scripts/release-distribution.mjs", "changed-files"]));
-  if (stagedFiles.length === 0) throw new Error("no locked distribution files returned by release-distribution changed-files");
-  await deps.run("git", ["add", "--", ...stagedFiles]);
-  await deps.run("node", ["scripts/release-distribution.mjs", "verify", target, "--skip-npm-view"]);
-  return { target, version, applied: true, command: "mmi-cli pr create --base development --head <current-branch>", stagedFiles };
+  return lines.join("\n");
 }
 
 // src/hotfix-apply.ts
 var HOTFIX_RELEASE_WORKFLOWS = ["deploy.yml", "publish.yml"];
 var HOTFIX_RUN_FIND_ATTEMPTS = 10;
 var HOTFIX_RUN_FIND_DELAY_MS = 15e3;
-function clean3(out) {
+function clean2(out) {
   return out.trim();
 }
 function sleeper(deps) {
@@ -7175,7 +7437,7 @@ async function resolveHotfixSource(deps, ctx, from) {
     if (!sha2) throw new Error(`PR #${num} has no merge commit recorded \u2014 name the commit SHA explicitly`);
     return { sha: sha2, label: `PR #${num} (${sha2.slice(0, 7)})` };
   }
-  const sha = clean3(await deps.run("git", ["rev-parse", "--verify", `${from}^{commit}`]));
+  const sha = clean2(await deps.run("git", ["rev-parse", "--verify", `${from}^{commit}`]));
   if (!sha) throw new Error(`could not resolve commit ${from}`);
   return { sha, label: sha.slice(0, 7) };
 }
@@ -7202,7 +7464,7 @@ async function runHotfixStart(deps, options) {
     };
   }
   const { sha, label } = await resolveHotfixSource(deps, ctx, options.from);
-  const remoteBranch = clean3(await deps.run("git", ["ls-remote", "origin", `refs/heads/${branch}`]));
+  const remoteBranch = clean2(await deps.run("git", ["ls-remote", "origin", `refs/heads/${branch}`]));
   if (remoteBranch) {
     await deps.run("git", ["checkout", branch]);
     await deps.run("git", ["pull", "--ff-only", "origin", branch]);
@@ -7228,7 +7490,7 @@ async function runHotfixStart(deps, options) {
     }
     await deps.run("git", ["push", "-u", "origin", branch]);
   }
-  const prUrl = clean3(await deps.run("gh", [
+  const prUrl = clean2(await deps.run("gh", [
     "pr",
     "create",
     "--repo",
@@ -7311,7 +7573,7 @@ async function runHotfixRelease(deps, versionInput, options = {}) {
   if (releaseExists) {
     releaseNote = `Release ${tag} already exists \u2014 resumed without recreating`;
   } else {
-    const tagCommit = clean3(await deps.run("git", ["rev-parse", `${tag}^{commit}`]));
+    const tagCommit = clean2(await deps.run("git", ["rev-parse", `${tag}^{commit}`]));
     await deps.run("gh", ["release", "create", tag, "--repo", ctx.repo, "--target", tagCommit, "--generate-notes", "--latest"]);
     releaseNote = `Release ${tag} created (target ${tagCommit.slice(0, 7)})`;
     if (deps.announce) {
@@ -7322,7 +7584,7 @@ async function runHotfixRelease(deps, versionInput, options = {}) {
   for (const workflow of HOTFIX_RELEASE_WORKFLOWS) {
     runs.push(await watchReleaseRun(deps, ctx, workflow, mergedSha));
   }
-  const previousRef = clean3(await deps.run("git", ["rev-parse", "--abbrev-ref", "HEAD"]));
+  const previousRef = clean2(await deps.run("git", ["rev-parse", "--abbrev-ref", "HEAD"]));
   let verifyNote;
   const publishSucceeded = runs.find((r) => r.workflow === "publish.yml")?.conclusion === "success";
   try {
@@ -7335,15 +7597,6 @@ async function runHotfixRelease(deps, versionInput, options = {}) {
   }
   return { ...ctx, command: "hotfix-release", tag, mergedSha, checks, tagNote, releaseNote, runs, verifyNote, announceNote };
 }
-function versionAtLeast2(actual, wanted) {
-  const pa = actual.split(".").map(Number);
-  const pw = wanted.split(".").map(Number);
-  if (pa.length < 3 || pa.some(Number.isNaN) || pw.length < 3 || pw.some(Number.isNaN)) return false;
-  for (let i = 0; i < 3; i += 1) {
-    if (pa[i] !== pw[i]) return pa[i] > pw[i];
-  }
-  return true;
-}
 function deriveHotfixState(f) {
   if (!f.branchExists && !f.pr && !f.tagPushed && !f.releaseExists) {
     return { state: "not-started", next: `mmi-cli hotfix start --from <pr#|sha> (would mint ${f.tag})` };
@@ -7360,13 +7613,7 @@ function deriveHotfixState(f) {
   if (!f.tagPushed || !f.releaseExists) {
     return { state: "pr-merged (not released)", next: `mmi-cli hotfix release ${f.tag}` };
   }
-  if (!f.devDistribution.aligned) {
-    return {
-      state: `UNFINISHED \u2014 released but development distribution manifests behind (dev ${f.devDistribution.version} < ${f.version})`,
-      next: `forward-bump development (never a back-merge): branch from origin/development, node scripts/release-distribution.mjs prepare ${f.version}, land by PR (/hotfix Step 5)`
-    };
-  }
-  return { state: "complete", next: "nothing \u2014 pipeline complete (rc absorbs the fix at the next /rcand; /release guards coverage)" };
+  return { state: "complete", next: "nothing \u2014 pipeline complete (rc absorbs the fix at the next /rcand; /release guards coverage and re-aligns the version manifests via its fold + back-merge)" };
 }
 async function runHotfixStatus(deps, versionInput) {
   const ctx = await buildTrainApplyContext(deps);
@@ -7390,9 +7637,9 @@ async function runHotfixStatus(deps, versionInput) {
   return { ...ctx, command: "hotfix-status", ...facts, ...deriveHotfixState(facts) };
 }
 async function gatherHotfixFacts(deps, ctx, tag, version) {
-  const branchExists = Boolean(clean3(await deps.run("git", ["ls-remote", "origin", `refs/heads/${hotfixBranch(tag)}`])));
+  const branchExists = Boolean(clean2(await deps.run("git", ["ls-remote", "origin", `refs/heads/${hotfixBranch(tag)}`])));
   const pr2 = await findHotfixPr(deps, ctx, tag);
-  const remoteTag = clean3(await deps.run("git", ["ls-remote", "origin", `refs/tags/${tag}`]));
+  const remoteTag = clean2(await deps.run("git", ["ls-remote", "origin", `refs/tags/${tag}`]));
   const tagPushed = Boolean(remoteTag);
   const tagSha = remoteTag.split(/\s+/)[0] || "";
   let releaseExists = false;
@@ -7426,19 +7673,8 @@ async function gatherHotfixFacts(deps, ctx, tag, version) {
       }
     }
   }
-  const npmVersion = await deps.run("npm", ["view", "@mutmutco/cli", "version", "--silent"]).then(clean3, () => "unknown");
-  const devVersion = await deps.run("git", ["show", "origin/development:cli/package.json"]).then(
-    (out) => {
-      try {
-        return JSON.parse(out).version ?? "unknown";
-      } catch {
-        return "unknown";
-      }
-    },
-    () => "unknown"
-  );
-  const devDistribution = { version: devVersion, aligned: versionAtLeast2(devVersion, version) };
-  return { tag, version, branchExists, pr: pr2 ? { number: pr2.number, state: pr2.state, url: pr2.url } : null, tagPushed, releaseExists, runs, npmVersion, devDistribution };
+  const npmVersion = await deps.run("npm", ["view", "@mutmutco/cli", "version", "--silent"]).then(clean2, () => "unknown");
+  return { tag, version, branchExists, pr: pr2 ? { number: pr2.number, state: pr2.state, url: pr2.url } : null, tagPushed, releaseExists, runs, npmVersion };
 }
 
 // src/release-announce.ts
@@ -7605,6 +7841,18 @@ function ensurePortRange(repo, path2) {
 function portCursorSeed(registry2) {
   return nextPortBlock(registry2)[0];
 }
+function metaPortRange(meta) {
+  const r = meta?.portRange;
+  if (r && typeof r.start === "number" && typeof r.end === "number") return [r.start, r.end];
+  return null;
+}
+function decidePortRange(input) {
+  if (!input.metaReadOk) {
+    return { action: "fail", reason: "could not verify the existing port block (Hub registry read failed) \u2014 retry; NOT allocating (a re-allocation on an unverified read would advance the cursor and hand out a duplicate block)" };
+  }
+  if (input.metaPortRange) return { action: "return", range: input.metaPortRange };
+  return { action: "allocate" };
+}
 function existingPortRange(repo, registry2) {
   return registry2[repo] ?? null;
 }
@@ -7884,7 +8132,8 @@ var requiredProjectWorkflows = [
 ];
 var requiredOrgRulesetTypes = ["pull_request", "non_fast_forward", "deletion"];
 var requiredHubStatusChecks = ["cli", "infra", "docs"];
-function expectedBranches(repoClass) {
+function expectedBranches(repoClass, releaseTrack) {
+  if (isReleaseTrack(releaseTrack)) return branchesForTrack(releaseTrack);
   return repoClass === "content" ? ["main"] : ["development", "rc", "main"];
 }
 function gcpProjectForSlug(slug) {
@@ -7977,9 +8226,9 @@ function localRegistryCheck(deps, path2, predicate) {
   if (text == null) return null;
   return predicate(safeJson2(text, null));
 }
-async function verifyBootstrap(repo, repoClass, deps) {
-  const branchesWanted = expectedBranches(repoClass);
-  const baseBranch = repoClass === "content" ? "main" : "development";
+async function verifyBootstrap(repo, repoClass, deps, releaseTrack) {
+  const branchesWanted = expectedBranches(repoClass, releaseTrack);
+  const baseBranch = releaseTrack === "trunk" || repoClass === "content" ? "main" : "development";
   const checks = [];
   const repoInfo = await restJson2(deps, `repos/${repo}`, {});
   checks.push({ ok: Boolean(repoInfo.default_branch), label: "repo exists" });
@@ -8281,6 +8530,15 @@ function parseOwnerRepo(repo) {
   if (owner.includes("\\") || name.includes("\\")) throw new Error("repo must be owner/repo");
   return { owner, name, slug: name.toLowerCase(), fullName: `${owner}/${name}` };
 }
+var DEFAULT_INSTALL_CMD = "npm ci";
+function withDerivedRepoVars(vars, parsed, cls) {
+  const out = { ...vars };
+  out.REPO_NAME ??= parsed.name;
+  out.REPO_SLUG ??= parsed.slug;
+  out.CLASS ??= cls;
+  out.INSTALL_CMD ??= DEFAULT_INSTALL_CMD;
+  return out;
+}
 function planSeedAction(seed, exists) {
   if (seed.source === "fanout") {
     return { target: seed.target, action: "skip", ownership: "fanout", reason: "delivered by the fanout pipeline" };
@@ -8293,6 +8551,18 @@ function planSeedAction(seed, exists) {
   }
   return exists ? { target: seed.target, action: "update", ownership: "org", reason: "org-owned, refresh to current" } : { target: seed.target, action: "create", ownership: "org", reason: "org-owned, missing" };
 }
+function reconcileSeedAction(action, content, isManagedBlock) {
+  if (action.action === "skip") return action;
+  if (content == null) {
+    return { ...action, action: "skip", reason: "no resolvable content" };
+  }
+  if (isManagedBlock) return action;
+  const unfilled = missingPlaceholders(content);
+  if (unfilled.length) {
+    return { ...action, action: "skip", reason: `unfilled: ${unfilled.join(", ")} \u2014 pass --var` };
+  }
+  return action;
+}
 function renderSeedPlan(actions) {
   const lines = ["bootstrap apply \u2014 seed plan (dry-run; no mutations):"];
   for (const a of actions) {
@@ -8302,6 +8572,20 @@ function renderSeedPlan(actions) {
   lines.push(`  \u2014 ${order.map((k) => `${actions.filter((a) => a.action === k).length} ${k}`).join(", ")}`);
   return lines.join("\n");
 }
+var GITHUB_DEFAULT_LABELS = [
+  "documentation",
+  "duplicate",
+  "enhancement",
+  "good first issue",
+  "help wanted",
+  "invalid",
+  "question",
+  "wontfix"
+];
+function labelsToPrune(orgLabelNames) {
+  const org = new Set(orgLabelNames);
+  return GITHUB_DEFAULT_LABELS.filter((name) => !org.has(name));
+}
 function resolveSeedContent(seed, vars, readFile2) {
   if (seed.source === "self") return readFile2(seed.target);
   if (seed.source.startsWith("seed:")) {
@@ -8314,10 +8598,13 @@ function buildRegisterPayload(repo, cls, vars, options = {}) {
   const parsedRepo = parseOwnerRepo(repo);
   const slug = parsedRepo.slug;
   if (options.projectType && !isProjectType(options.projectType)) {
-    throw new Error("projectType must be web-app, hub-service, content, desktop-game, or non-deployable");
+    throw new Error(`projectType must be one of: ${PROJECT_TYPES.join(", ")}`);
   }
   if (options.deployModel && !isDeployModel(options.deployModel)) {
-    throw new Error("deployModel must be hub-serverless, serverless, tenant-container, content, or none");
+    throw new Error(`deployModel must be one of: ${DEPLOY_MODELS.join(", ")}`);
+  }
+  if (options.releaseTrack && !isReleaseTrack(options.releaseTrack)) {
+    throw new Error("releaseTrack must be full, direct, or trunk");
   }
   const shape = {
     class: cls,
@@ -8327,7 +8614,7 @@ function buildRegisterPayload(repo, cls, vars, options = {}) {
   const projectType = resolveProjectTypeConfident(shape, parsedRepo.fullName);
   if (!projectType) {
     throw new Error(
-      `Project type for ${parsedRepo.fullName} is unset and not derivable \u2014 pass --project-type <web-app|hub-service|content|desktop-game|non-deployable> and --deploy-model <tenant-container|hub-serverless|serverless|content|none> (prevents defaulting a non-web repo to tenant-container).`
+      `Project type for ${parsedRepo.fullName} is unset and not derivable \u2014 pass --project-type <${PROJECT_TYPES.join("|")}> and --deploy-model <${DEPLOY_MODELS.join("|")}> (prevents defaulting a non-web repo to tenant-container).`
     );
   }
   const deployModel = resolveDeployModel({ ...shape, projectType }, parsedRepo.fullName);
@@ -8359,6 +8646,8 @@ function buildRegisterPayload(repo, cls, vars, options = {}) {
     class: cls,
     projectType,
     deployModel,
+    // #917: only emit when explicitly direct/trunk; absent → registry resolves to `full` (no clobber).
+    releaseTrack: isReleaseTrack(options.releaseTrack) ? options.releaseTrack : void 0,
     // Board coords (from GraphQL at bootstrap, passed as --var by the skill).
     projectOwner: vars.PROJECT_OWNER || void 0,
     projectNumber: num(vars.PROJECT_NUMBER),
@@ -8374,6 +8663,83 @@ function buildRegisterPayload(repo, cls, vars, options = {}) {
   for (const k of Object.keys(payload)) if (payload[k] === void 0) delete payload[k];
   return payload;
 }
+var BOARD_FIELD_VAR_MAP = {
+  Status: {
+    fieldIdVar: "STATUS_FIELD_ID",
+    options: { Todo: "STATUS_TODO", "In Progress": "STATUS_IN_PROGRESS", "In Review": "STATUS_IN_REVIEW", Done: "STATUS_DONE" }
+  },
+  Priority: {
+    fieldIdVar: "PRIORITY_FIELD_ID",
+    options: { Urgent: "PRIORITY_URGENT", High: "PRIORITY_HIGH", Medium: "PRIORITY_MEDIUM", Low: "PRIORITY_LOW" }
+  }
+};
+function extractBoardFieldVars(fieldsJson) {
+  const out = {};
+  const nodes = Array.isArray(fieldsJson) ? fieldsJson : fieldsJson?.data?.node?.fields?.nodes ?? fieldsJson?.node?.fields?.nodes;
+  if (!Array.isArray(nodes)) return out;
+  for (const node of nodes) {
+    const field = node;
+    const name = typeof field.name === "string" ? field.name : void 0;
+    const map = name ? BOARD_FIELD_VAR_MAP[name] : void 0;
+    if (!map || typeof field.id !== "string" || !field.id) continue;
+    out[map.fieldIdVar] = field.id;
+    const options = Array.isArray(field.options) ? field.options : [];
+    for (const opt of options) {
+      const o = opt;
+      const varName = typeof o.name === "string" ? map.options[o.name] : void 0;
+      if (varName && typeof o.id === "string" && o.id) out[varName] = o.id;
+    }
+  }
+  return out;
+}
+function boardFieldsQueryArgs(projectId) {
+  const query = "query($id: ID!) { node(id: $id) { ... on ProjectV2 { fields(first: 50) { nodes { ... on ProjectV2SingleSelectField { id name options { id name } } } } } } }";
+  return ["api", "graphql", "-f", `query=${query}`, "-f", `id=${projectId}`];
+}
+function serializeRegistry(obj) {
+  return `${JSON.stringify(obj, null, 2)}
+`;
+}
+function planFanoutRegistration(fanoutTargetsRaw, projectsRaw, entry) {
+  const fanout = JSON.parse(fanoutTargetsRaw);
+  const projects = JSON.parse(projectsRaw);
+  const fanoutRepos = Array.isArray(fanout.repos) ? fanout.repos : [];
+  const projectEntries = Array.isArray(projects.projects) ? projects.projects : [];
+  const name = entry.name ?? entry.repo;
+  const canonName = entry.repo.toLowerCase();
+  const inFanout = fanoutRepos.some((r) => typeof r.repo === "string" && r.repo.toLowerCase() === canonName);
+  const inProjects = projectEntries.some(
+    (p) => p.slug === entry.slug || Array.isArray(p.repos) && p.repos.some((full) => String(full).split("/").pop()?.toLowerCase() === canonName)
+  );
+  if (inFanout || inProjects) {
+    return { changed: false, fanoutTargets: fanoutTargetsRaw, projects: projectsRaw };
+  }
+  const projectEntry = {
+    name,
+    slug: entry.slug,
+    projectId: entry.projectId,
+    wikiRepo: entry.wikiRepo,
+    repos: [`mutmutco/${entry.repo}`]
+  };
+  if (entry.cls === "content") projectEntry.branch = "main";
+  for (const k of Object.keys(projectEntry)) if (projectEntry[k] === void 0) delete projectEntry[k];
+  const nextProjects = { ...projects, projects: [...projectEntries, projectEntry] };
+  const fanoutEntry = { repo: entry.repo, branch: entry.branch, class: entry.cls };
+  const nextFanout = { ...fanout, repos: [...fanoutRepos, fanoutEntry] };
+  return {
+    changed: true,
+    fanoutTargets: serializeRegistry(nextFanout),
+    projects: serializeRegistry(nextProjects)
+  };
+}
+function decideFanoutPrAction(openPrs) {
+  const list = Array.isArray(openPrs) ? openPrs : [];
+  for (const pr2 of list) {
+    const url = pr2?.url;
+    if (typeof url === "string" && url.trim()) return { action: "reuse", url: url.trim() };
+  }
+  return { action: "create" };
+}
 function contentPutArgs(repo, path2, content, branch, sha) {
   const args = [
     "api",
@@ -8537,6 +8903,33 @@ async function tenantControl(payload, deps) {
   const timeoutMs = payload.wait ? WAITED_TENANT_CONTROL_TIMEOUT_MS : void 0;
   return postJson("/tenant-control", payload, deps, "POST", { noRetry, timeoutMs });
 }
+async function tenantDeploy(payload, deps) {
+  return postJson("/tenant-deploy", payload, deps, "POST", { noRetry: true });
+}
+
+// src/tenant-verify-secrets.ts
+function tenantControlWait(action) {
+  return action === "status" || action === "retire" || action === "verify-secrets";
+}
+function renderVerifySecrets(body) {
+  const secrets2 = body?.secrets ?? [];
+  const counts = {
+    match: secrets2.filter((s) => s.status === "match").length,
+    mismatch: secrets2.filter((s) => s.status === "mismatch").length,
+    missing: secrets2.filter((s) => s.status === "missing").length
+  };
+  const lines = secrets2.map((s) => `${s.key}: ${s.status}`);
+  lines.push(`verify-secrets: ${counts.match} match, ${counts.mismatch} mismatch, ${counts.missing} missing`);
+  const ssmStatus = body?.ssmStatus ?? "pending";
+  if (ssmStatus !== "Success") {
+    return { lines, failure: `verify-secrets did not complete (ssm status ${ssmStatus})${body?.commandId ? ` \u2014 command ${body.commandId}` : ""}` };
+  }
+  const bad = counts.mismatch + counts.missing;
+  if (bad > 0) {
+    return { lines, failure: `${bad} of ${secrets2.length} required secret(s) not matching the vault (${counts.mismatch} mismatch, ${counts.missing} missing)` };
+  }
+  return { lines, failure: null };
+}
 
 // src/project-readiness.ts
 function dnsErrorToResolution(code) {
@@ -8563,11 +8956,17 @@ function declaresNoPublicEdge(meta) {
   const ed = meta?.edgeDomains;
   return Boolean(ed && typeof ed === "object" && !Array.isArray(ed) && Object.keys(ed).length === 0);
 }
+function declaresWorker(meta) {
+  return meta?.projectType === "worker";
+}
+function isCentralContainerModel2(model) {
+  return model === "tenant-container" || model === "solo-container";
+}
 function isNoEdgeTenantWorker(meta, model) {
-  return model === "tenant-container" && declaresNoPublicEdge(meta);
+  return isCentralContainerModel2(model) && (declaresNoPublicEdge(meta) || declaresWorker(meta));
 }
 function projectRequiresDeployCoords(model, stage2, meta) {
-  if (model !== "tenant-container") return false;
+  if (!isCentralContainerModel2(model)) return false;
   if (stage2 && isNoEdgeTenantWorker(meta, model)) return stage2 === "main";
   return true;
 }
@@ -8600,7 +8999,7 @@ function attestedLine(att) {
 var CONTRACT_UNDECLARED_LINE = "No runtime secrets declared \u2014 declare requiredRuntimeSecrets (a per-stage name map) in the registry META, or attest the app needs none with an explicit empty stage map ({ dev: [], rc: [], main: [] }).";
 function appGapsFor(meta, model, slug, projectType) {
   const attested = appAttestationOf(meta);
-  const isTenantWeb = !(projectType === "content" || model === "content") && projectType !== "desktop-game" && !(projectType === "non-deployable" || model === "none") && model !== "hub-serverless" && model !== "serverless";
+  const isTenantWeb = !(projectType === "content" || model === "content") && projectType !== "desktop-game" && projectType !== "cli-tool" && !(projectType === "non-deployable" || model === "none") && model !== "hub-serverless" && model !== "serverless" && model !== "registry-publish";
   const contractUndeclared = isTenantWeb && Boolean(meta) && !hasRuntimeSecretContract(meta?.requiredRuntimeSecrets);
   if (attested) return contractUndeclared ? [attestedLine(attested), CONTRACT_UNDECLARED_LINE] : [attestedLine(attested)];
   if (projectType === "content" || model === "content") return ["Content/KB repo: keep app-owned work to docs/content changes; release train does not apply."];
@@ -8629,13 +9028,20 @@ function appGapsFor(meta, model, slug, projectType) {
       "Keep app-owned README.md and architecture.md aligned with v2 central deploy/secrets reality."
     ];
   }
+  if (projectType === "cli-tool" || model === "registry-publish") {
+    return [
+      "Distributable CLI/plugin: ship a publishable package.json (name, version, bin/exports) \u2014 release publishes to npm (plugin-marketplace publish is future work when a plugin tenant lands), not a box deploy; no Hub deploy coords, edge, or OAuth.",
+      "Keep the published version in lockstep with the release tag; make the publish idempotent (skip when the version is already on the registry).",
+      "Keep app-owned README.md and architecture.md aligned with the registry-publish release path."
+    ];
+  }
   const gaps = [
     "Ensure the compose file carries env_file: .env and the app reads plain environment variables \u2014 the box injects coords + declared runtime secrets into the release .env; the app never self-loads SSM.",
     "Make app config fail clearly for missing required env in prod/rc instead of relying on hidden defaults.",
     "Keep app-owned README.md and architecture.md aligned with v2 central deploy/secrets reality."
   ];
   if (isNoEdgeTenantWorker(meta, model)) {
-    gaps.unshift("No public edge declared (`edgeDomains: {}`): worker/outbound-only tenant; skip Cloudflare edge auto-heal, OAuth defaults, and dev/rc remote deploy coords unless META explicitly adds them.");
+    gaps.unshift("No public edge (worker/outbound-only tenant \u2014 `projectType: worker` or `edgeDomains: {}`): skip Cloudflare edge auto-heal, OAuth defaults, and dev/rc remote deploy coords unless META explicitly adds them.");
   }
   if (contractUndeclared) {
     gaps.unshift(CONTRACT_UNDECLARED_LINE);
@@ -8701,7 +9107,7 @@ function buildV2HealPatch(repoOrSlug, meta) {
   }
   if (!meta?.vaultPath) patch.vaultPath = `/mmi-future/${slug}`;
   if (!meta?.kbPointer) patch.kbPointer = `kb/projects/${slug}.md`;
-  if (confidentType && !meta?.edgeDomains && model === "tenant-container") {
+  if (confidentType && !meta?.edgeDomains && model === "tenant-container" && projectType !== "worker") {
     patch.edgeDomains = {
       dev: `dev.${sub}.mutatismutandis.co`,
       rc: `rc.${sub}.mutatismutandis.co`,
@@ -8724,7 +9130,7 @@ function buildV2HealPatch(repoOrSlug, meta) {
       patch.requiredRuntimeSecrets = next;
     }
   }
-  const appOwnedGaps = confidentType ? appGapsFor(meta, model, slug, confidentType) : [`Project type is unset and not derivable \u2014 classify with \`mmi-cli project set ${repo} --project-type <web-app|hub-service|content|desktop-game|non-deployable> --deploy-model <tenant-container|hub-serverless|serverless|content|none>\` before heal completes the v2 fields (prevents defaulting a non-web repo to tenant-container).`];
+  const appOwnedGaps = confidentType ? appGapsFor(meta, model, slug, confidentType) : [`Project type is unset and not derivable \u2014 classify with \`mmi-cli project set ${repo} --project-type <web-app|hub-service|content|desktop-game|non-deployable|cli-tool|worker> --deploy-model <tenant-container|solo-container|hub-serverless|serverless|registry-publish|content|none>\` before heal completes the v2 fields (prevents defaulting a non-web repo to tenant-container).`];
   return { slug, patch, appOwnedGaps };
 }
 async function runV2Heal(repoOrSlug, opts, deps) {
@@ -8923,6 +9329,158 @@ function parseEdgeDomainsVar(raw) {
   }
   return out;
 }
+var PRIORITY_OPTION_NAMES = ["Urgent", "High", "Medium", "Low"];
+function parsePriorityOptionsVar(raw) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new Error('project set: priorityOptions must be JSON, e.g. {"Urgent":"<id>","High":"<id>","Medium":"<id>","Low":"<id>"}');
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error("project set: priorityOptions must be a {Urgent,High,Medium,Low} map of option-id strings");
+  }
+  const map = parsed;
+  const out = {};
+  for (const [name, id] of Object.entries(map)) {
+    if (!PRIORITY_OPTION_NAMES.includes(name)) {
+      throw new Error(`project set: priorityOptions "${name}" \u2014 expected only ${PRIORITY_OPTION_NAMES.join("/")}`);
+    }
+    if (typeof id !== "string" || !id.trim()) {
+      throw new Error(`project set: priorityOptions.${name} must be a non-empty option-id string`);
+    }
+    out[name] = id.trim();
+  }
+  return out;
+}
+function parsePortRangeVar(raw) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new Error('project set: portRange must be JSON, e.g. {"start":3700,"end":3710} or [3700,3710]');
+  }
+  let start;
+  let end;
+  if (Array.isArray(parsed) && parsed.length === 2) {
+    [start, end] = parsed;
+  } else if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+    ({ start, end } = parsed);
+  } else {
+    throw new Error("project set: portRange must be {start,end} or a [start,end] tuple");
+  }
+  if (typeof start !== "number" || typeof end !== "number" || !Number.isFinite(start) || !Number.isFinite(end)) {
+    throw new Error("project set: portRange start/end must be finite numbers");
+  }
+  if (start > end) throw new Error("project set: portRange start must be <= end");
+  return { start, end };
+}
+function parseStatusOptionsVar(raw) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new Error('project set: statusOptions must be JSON, e.g. {"Todo":"<id>","In Progress":"<id>","In Review":"<id>","Done":"<id>"}');
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error("project set: statusOptions must be a map of status name to option-id string");
+  }
+  const map = parsed;
+  const out = {};
+  for (const [name, id] of Object.entries(map)) {
+    if (typeof id !== "string" || !id.trim()) {
+      throw new Error(`project set: statusOptions.${name} must be a non-empty option-id string`);
+    }
+    out[name] = id.trim();
+  }
+  return out;
+}
+function parseOauthVar(raw) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new Error('project set: oauth must be JSON, e.g. {"subdomains":["app"],"domains":["example.co"],"callbackPath":"/auth/callback"}');
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error("project set: oauth must be a {subdomains,domains,callbackPath} object");
+  }
+  const map = parsed;
+  const out = {};
+  for (const [key, value] of Object.entries(map)) {
+    if (key === "subdomains" || key === "domains") {
+      if (!Array.isArray(value) || value.some((v) => typeof v !== "string" || !v.trim())) {
+        throw new Error(`project set: oauth.${key} must be an array of non-empty strings`);
+      }
+      out[key] = value.map((v) => v.trim());
+    } else if (key === "callbackPath") {
+      if (typeof value !== "string" || !value.trim()) throw new Error("project set: oauth.callbackPath must be a non-empty string");
+      out.callbackPath = value.trim();
+    } else {
+      throw new Error(`project set: oauth key "${key}" \u2014 expected only subdomains/domains/callbackPath`);
+    }
+  }
+  return out;
+}
+function parseReposVar(raw) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    throw new Error('project set: repos must be a JSON array, e.g. ["mutmutco/mm-foo"]');
+  }
+  if (!Array.isArray(parsed) || parsed.length === 0 || parsed.some((r) => typeof r !== "string" || !r.trim())) {
+    throw new Error("project set: repos must be a non-empty array of owner/name strings");
+  }
+  return parsed.map((r) => r.trim());
+}
+function parsePublishRequiredVar(raw) {
+  if (raw === "true") return true;
+  if (raw === "false") return false;
+  throw new Error("project set: publishRequired must be true or false");
+}
+var SETTABLE_VAR_KEYS = [
+  "name",
+  "division",
+  "projectId",
+  "projectOwner",
+  "projectNumber",
+  "branch",
+  "wikiRepo",
+  "vaultPath",
+  "kbPointer",
+  "repos",
+  "oauth",
+  "publishRequired",
+  "requiredGcpApis",
+  "requiredRuntimeSecrets",
+  "edgeDomains",
+  "statusFieldId",
+  "statusOptions",
+  "priorityFieldId",
+  "priorityOptions",
+  "portRange"
+];
+var SETTABLE_VAR_KEY_SET = new Set(SETTABLE_VAR_KEYS);
+var SETTABLE_VAR_HINTS = {
+  projectNumber: "numeric",
+  publishRequired: "true|false",
+  repos: 'JSON array, e.g. ["mutmutco/mm-foo"]',
+  oauth: "JSON {subdomains,domains,callbackPath}",
+  requiredGcpApis: "comma-string",
+  requiredRuntimeSecrets: 'JSON stage map, e.g. {"dev":["KEY"],"rc":["KEY"],"main":["KEY"]}',
+  edgeDomains: "JSON {dev,rc,main} domain map",
+  statusOptions: "JSON name\u2192id map",
+  priorityOptions: "JSON {Urgent,High,Medium,Low}\u2192id map",
+  portRange: "JSON {start,end} or [start,end]"
+};
+function settableVarHelp() {
+  const keys = SETTABLE_VAR_KEYS.map((k) => {
+    const hint = SETTABLE_VAR_HINTS[k];
+    return hint ? `${k} (${hint})` : k;
+  });
+  return `META field to set (repeatable): ${keys.join(", ")}`;
+}
 function buildProjectSetPatch(input) {
   const patch = {};
   if (input.class) {
@@ -8943,22 +9501,42 @@ function buildProjectSetPatch(input) {
     }
     patch.deployModel = input.deployModel;
   }
+  if (input.releaseTrack) {
+    if (!isReleaseTrack(input.releaseTrack)) {
+      throw new Error(`project set: --release-track must be one of: ${RELEASE_TRACKS.join(", ")}`);
+    }
+    patch.releaseTrack = input.releaseTrack;
+  }
   for (const value of input.vars) {
     const eq = value.indexOf("=");
-    if (eq > 0) {
-      const key = value.slice(0, eq);
-      const raw = value.slice(eq + 1);
-      if (key === "projectNumber") {
-        const n = Number(raw);
-        if (!Number.isFinite(n)) throw new Error("project set: projectNumber must be numeric");
-        patch[key] = n;
-      } else if (key === "requiredRuntimeSecrets") {
-        patch[key] = parseRuntimeSecretsVar(raw);
-      } else if (key === "edgeDomains") {
-        patch[key] = parseEdgeDomainsVar(raw);
-      } else {
-        patch[key] = raw;
-      }
+    if (eq <= 0) continue;
+    const key = value.slice(0, eq);
+    const raw = value.slice(eq + 1);
+    if (!SETTABLE_VAR_KEY_SET.has(key)) {
+      throw new Error(`project set: --var KEY "${key}" is not settable \u2014 allowed keys: ${SETTABLE_VAR_KEYS.join(", ")}`);
+    }
+    if (key === "projectNumber") {
+      const n = Number(raw);
+      if (!Number.isFinite(n)) throw new Error("project set: projectNumber must be numeric");
+      patch[key] = n;
+    } else if (key === "requiredRuntimeSecrets") {
+      patch[key] = parseRuntimeSecretsVar(raw);
+    } else if (key === "edgeDomains") {
+      patch[key] = parseEdgeDomainsVar(raw);
+    } else if (key === "priorityOptions") {
+      patch[key] = parsePriorityOptionsVar(raw);
+    } else if (key === "statusOptions") {
+      patch[key] = parseStatusOptionsVar(raw);
+    } else if (key === "portRange") {
+      patch[key] = parsePortRangeVar(raw);
+    } else if (key === "oauth") {
+      patch[key] = parseOauthVar(raw);
+    } else if (key === "repos") {
+      patch[key] = parseReposVar(raw);
+    } else if (key === "publishRequired") {
+      patch[key] = parsePublishRequiredVar(raw);
+    } else {
+      patch[key] = raw;
     }
   }
   for (const key of input.unsets) {
@@ -8972,7 +9550,7 @@ function buildProjectSetPatch(input) {
     patch.edgeDomains = null;
   }
   if (Object.keys(patch).length === 0) {
-    throw new Error("project set: nothing to set - pass --class, --project-type, --deploy-model, --var KEY=VALUE, --unset KEY, and/or --clear-web-profile");
+    throw new Error("project set: nothing to set - pass --class, --project-type, --deploy-model, --release-track, --var KEY=VALUE, --unset KEY, and/or --clear-web-profile");
   }
   return patch;
 }
@@ -8997,8 +9575,8 @@ function resolveKbSource(rawBase) {
   return { owner: m[1], repo: m[2], ref: m[3] };
 }
 function buildKbGetArgs(src, path2) {
-  const clean4 = path2.replace(/^\/+/, "");
-  return ["api", `repos/${src.owner}/${src.repo}/contents/${clean4}?ref=${src.ref}`, "-H", "Accept: application/vnd.github.raw"];
+  const clean3 = path2.replace(/^\/+/, "");
+  return ["api", `repos/${src.owner}/${src.repo}/contents/${clean3}?ref=${src.ref}`, "-H", "Accept: application/vnd.github.raw"];
 }
 function buildKbTreeArgs(src) {
   return ["api", `repos/${src.owner}/${src.repo}/git/trees/${src.ref}?recursive=1`];
@@ -9807,7 +10385,7 @@ function authorizeBodyHasMismatch(body) {
 }
 
 // src/index.ts
-var rawExecFileP3 = (0, import_node_util6.promisify)(import_node_child_process6.execFile);
+var rawExecFileP3 = (0, import_node_util6.promisify)(import_node_child_process7.execFile);
 var DEFAULT_EXEC_TIMEOUT_MS = 1e4;
 var execFileP4 = (file, args, options = {}) => (
   // encoding 'utf8' guarantees string stdout/stderr at runtime; the cast pins the type because
@@ -10086,12 +10664,10 @@ async function applyVersionAutoUpdate(report, log) {
 async function requireFreshTrainCli(commandName) {
   const report = buildVersionLagReport({
     currentVersion: resolveClientVersion(),
-    repoVersion: readRepoVersion(),
     releasedVersion: await fetchReleasedVersion()
   });
   if (report.ok) return;
-  const target = report.staleAgainst === "released" ? `released ${report.releasedVersion}` : `repo ${report.repoVersion}`;
-  throw new Error(`running mmi-cli ${report.currentVersion} is stale against ${target}; run doctor/update first so ${commandName} uses the current train path`);
+  throw new Error(`running mmi-cli ${report.currentVersion} is stale against released ${report.releasedVersion}; run doctor/update first so ${commandName} uses the current train path`);
 }
 var consoleIo = { log: (m) => console.log(m), err: (m) => console.error(m) };
 var CLAUDE_PLUGIN_TIMEOUT_MS = 12e4;
@@ -10236,7 +10812,7 @@ saga.command("head-update").option("--run", "detached worker: fetch state, run t
     if (!headGateDue(tsPath)) return;
     markHeadRun(tsPath);
     try {
-      (0, import_node_child_process6.spawn)(process.execPath, [process.argv[1], "saga", "head-update", "--run"], {
+      (0, import_node_child_process7.spawn)(process.execPath, [process.argv[1], "saga", "head-update", "--run"], {
         detached: true,
         stdio: "ignore",
         windowsHide: true
@@ -10456,7 +11032,7 @@ function scheduleRelatedDiscovery(o) {
   try {
     const args = ["issue", "discover-related", "--number", String(o.number), "--title", o.title, "--body", o.body];
     if (o.repo) args.push("--repo", o.repo);
-    (0, import_node_child_process6.spawn)(process.execPath, [process.argv[1], ...args], {
+    (0, import_node_child_process7.spawn)(process.execPath, [process.argv[1], ...args], {
       detached: true,
       stdio: "ignore",
       windowsHide: true,
@@ -10512,7 +11088,7 @@ function openInEditor(path2) {
     return;
   }
   try {
-    (0, import_node_child_process6.spawn)(editor, [path2], { stdio: "inherit" });
+    (0, import_node_child_process7.spawn)(editor, [path2], { stdio: "inherit" });
   } catch {
     console.log(`open ${path2} manually`);
   }
@@ -10671,15 +11247,22 @@ function reportWrite(label, res) {
   fail(`${label}: HTTP ${res.status}${detail ? ` \u2014 ${detail}` : ""}`);
 }
 var tenant = program2.command("tenant").description("tenant runtime control through Hub authority");
-tenant.command("control <owner/repo> <stage> <action>").description("run bounded service control (status/start/stop/restart, plus rc-only retire) for a tenant; project-admin dev/rc, master main").option("--json", "machine-readable output").action(async (repo, stage2, action) => {
+tenant.command("control <owner/repo> <stage> <action>").description("run bounded service control (status/start/stop/restart, plus rc-only retire and read-only verify-secrets) for a tenant; project-admin dev/rc, master main").option("--json", "machine-readable output").action(async (repo, stage2, action, o) => {
   const cfg = await loadConfig();
-  const wait = action === "status" || action === "retire";
+  const wait = tenantControlWait(action);
   const res = await tenantControl({ repo, stage: stage2, action, wait }, registryClientDeps(cfg));
   const body = res.body;
   if (!res.ok && body?.category) {
     console.log(JSON.stringify(body));
     return fail(`tenant control ${stage2} ${action}: ${body.category}`);
   }
+  if (res.ok && action === "verify-secrets") {
+    const { lines, failure } = renderVerifySecrets(res.body);
+    if (o.json) console.log(JSON.stringify(res.body));
+    else lines.forEach((l) => console.log(l));
+    if (failure) return fail(`tenant control ${stage2} verify-secrets: ${failure}`);
+    return;
+  }
   reportWrite("tenant control", res);
 });
 tenant.command("redeploy <owner/repo> <stage>").description("re-dispatch the central tenant-deploy.yml for an already-promoted ref (no re-tag/merge); train-authority gated").option("--ref <ref>", "ref to deploy (defaults to the stage branch rc/main \u2014 the promoted ref)").option("--watch", "block on the dispatched run and report its outcome (gh run watch --exit-status)").option("--json", "machine-readable output").action(async (repo, stage2, o) => {
@@ -10691,6 +11274,31 @@ tenant.command("redeploy <owner/repo> <stage>").description("re-dispatch the cen
     return fail(`tenant redeploy: ${e.message}`);
   }
 });
+tenant.command("sweep-rc").description("discover (and optionally retire) running rc tenant runtimes across tenant-containers \u2014 orphan cleanup after a failed post-release retire (#942)").option("--retire", "retire every running rc runtime found (requires --yes) \u2014 WARNING: tears down a legitimately-staged rc too").option("--yes", "confirm the destructive --retire").option("--json", "machine-readable output").action(async (o) => {
+  if (o.retire && !o.yes) {
+    return fail("tenant sweep-rc --retire is destructive (it tears down EVERY running rc, including one legitimately staged between /rcand and /release) \u2014 re-run with --yes to confirm");
+  }
+  const cfg = await loadConfig();
+  const cdeps = registryClientDeps(cfg);
+  try {
+    const result = await sweepRcOrphans({
+      listProjects: () => fetchProjectsList(cdeps),
+      status: async (repo) => {
+        const res = await tenantControl({ repo, stage: "rc", action: "status", wait: true }, cdeps);
+        const b = res.body;
+        return { serviceState: b?.serviceState ?? "unknown" };
+      },
+      retire: async (repo) => {
+        const res = await tenantControl({ repo, stage: "rc", action: "retire", wait: true }, cdeps);
+        const b = res.body;
+        return { ok: res.ok, category: b?.category, reason: b?.reason };
+      }
+    }, { retire: !!o.retire });
+    return printLine(o.json ? JSON.stringify(result) : renderSweep(result));
+  } catch (e) {
+    return fail(`tenant sweep-rc: ${e.message}`);
+  }
+});
 async function resolveDnsBounded(host, timeoutMs = 3e3) {
   const { lookup } = await import("node:dns/promises");
   const probe = lookup(host).then(() => true).catch((e) => dnsErrorToResolution(e?.code));
@@ -10859,7 +11467,7 @@ project.command("attest [owner/repo]").description("attest this repo's app-owned
   const res = await attestAppGaps(slugOf(target), repo, registryClientDeps(cfg));
   reportWrite("project attest", res);
 });
-project.command("set [owner/repo]").description("MASTER-ONLY: upsert a project META (idempotent merge; defaults to the current repo; no clobber of unspecified fields)").option("--class <class>", "deployable | content").option("--project-type <type>", `${PROJECT_TYPES.join(" | ")} (v2 capability shape)`).option("--deploy-model <model>", `${DEPLOY_MODELS.join(" | ")} (release/deploy path; none means no Hub deploy registration)`).option("--var <KEY=VALUE...>", 'META field to set (repeatable): name, division, projectId, branch, wikiRepo, vaultPath, kbPointer, requiredRuntimeSecrets (JSON stage map, e.g. {"dev":["KEY"],"rc":["KEY"],"main":["KEY"]})').option("--unset <KEY...>", "META field to remove (repeatable): oauth, requiredRuntimeSecrets, edgeDomains, requiredGcpApis, publishRequired").option("--clear-web-profile", "remove web-only registry fields (oauth, edgeDomains) for non-web/content projects").option("--json", "machine-readable output").action(async (repoOrSlug, o) => {
+project.command("set [owner/repo]").description("MASTER-ONLY: upsert a project META (idempotent merge; defaults to the current repo; no clobber of unspecified fields)").option("--class <class>", "deployable | content").option("--project-type <type>", `${PROJECT_TYPES.join(" | ")} (v2 capability shape)`).option("--deploy-model <model>", `${DEPLOY_MODELS.join(" | ")} (release/deploy path; none means no Hub deploy registration)`).option("--release-track <track>", `${RELEASE_TRACKS.join(" | ")} (branch topology; direct skips rc)`).option("--var <KEY=VALUE...>", settableVarHelp()).option("--unset <KEY...>", "META field to remove (repeatable): oauth, requiredRuntimeSecrets, edgeDomains, requiredGcpApis, publishRequired").option("--clear-web-profile", "remove web-only registry fields (oauth, edgeDomains) for non-web/content projects").option("--json", "machine-readable output").action(async (repoOrSlug, o) => {
   const cfg = await loadConfig();
   let target;
   try {
@@ -10874,6 +11482,7 @@ project.command("set [owner/repo]").description("MASTER-ONLY: upsert a project M
       class: o.class,
       projectType: o.projectType,
       deployModel: o.deployModel,
+      releaseTrack: o.releaseTrack,
       vars: rawValues("--var"),
       unsets: rawValues("--unset"),
       clearWebProfile: Boolean(o.clearWebProfile)
@@ -11151,7 +11760,7 @@ function teardownWorktreeStage(worktreePath) {
     }
   });
 }
-pr.command("merge <number>").description("merge a PR (squash by default) and clean up its branch + worktree \u2014 no leftover local branch").option("--squash", "squash merge (default)").option("--merge", "create a merge commit").option("--rebase", "rebase merge").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action(async (number, o) => {
+pr.command("merge <number>").description("merge a PR (squash by default) and clean up its branch + worktree \u2014 no leftover local branch").option("--squash", "squash merge (default)").option("--merge", "create a merge commit").option("--rebase", "rebase merge").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--auto", "enable auto-merge \u2014 merge once the base-branch policy is satisfied (use for policy-gated repos)").action(async (number, o) => {
   const method = o.rebase ? "--rebase" : o.merge ? "--merge" : "--squash";
   const repoArgs = o.repo ? ["--repo", o.repo] : [];
   const headRef = (await execFileP4("gh", ["pr", "view", number, ...repoArgs, "--json", "headRefName", "--jq", ".headRefName"], { timeout: GC_GH_TIMEOUT_MS })).stdout.trim();
@@ -11162,7 +11771,7 @@ pr.command("merge <number>").description("merge a PR (squash by default) and cle
   const remoteBefore = repoArgs.length ? void 0 : await remoteBranchExists(headRef);
   let remoteDeleteAttempted = false;
   let remoteNotAttemptedReason = repoArgs.length ? "repo-option" : void 0;
-  await execFileP4("gh", ["pr", "merge", number, ...repoArgs, method, "--delete-branch"], { timeout: GH_MUTATION_TIMEOUT_MS }).catch((e) => {
+  await execFileP4("gh", buildPrMergeArgs({ number, repoArgs, method, auto: o.auto }), { timeout: GH_MUTATION_TIMEOUT_MS }).catch((e) => {
     const message = String(e.message || "");
     if (/already been merged/i.test(message)) {
       remoteNotAttemptedReason = "pr-already-merged";
@@ -11170,8 +11779,18 @@ pr.command("merge <number>").description("merge a PR (squash by default) and cle
     }
     const note = timeoutKillNote(e, GH_MUTATION_TIMEOUT_MS);
     if (note) throw new Error(`gh pr merge ${number}: ${note}`);
+    if (!o.auto && basePolicyBlocksImmediateMerge(message)) {
+      throw new Error(`gh pr merge ${number}: the base-branch policy blocks an immediate merge \u2014 re-run with --auto to merge once required checks pass.`);
+    }
     if (!/used by worktree|cannot delete branch/i.test(message)) throw e;
   });
+  if (o.auto) {
+    const state = (await execFileP4("gh", ["pr", "view", number, ...repoArgs, "--json", "state", "--jq", ".state"], { timeout: GC_GH_TIMEOUT_MS }).catch(() => ({ stdout: "" }))).stdout.trim();
+    if (state !== "MERGED") {
+      console.log(JSON.stringify({ mergeStatus: "auto-merge-enqueued", pr: number, branch: headRef, state: state || "unknown" }));
+      return;
+    }
+  }
   if (!remoteNotAttemptedReason) remoteDeleteAttempted = true;
   const remoteBranch = repoArgs.length ? buildRemoteBranchCleanupReport(headRef, {
     attempted: false,
@@ -11191,7 +11810,11 @@ pr.command("merge <number>").description("merge a PR (squash by default) and cle
     beforeWorktrees,
     startingPath,
     execGit: async (args) => (await execFileP4("git", args, { timeout: GIT_TIMEOUT_MS })).stdout,
-    teardownWorktreeStage
+    teardownWorktreeStage,
+    // Hardened fallback when retried `git worktree remove` still hits a Windows file lock (#967).
+    // `fs.rm` recursive removes a junction as a link (it does not traverse into the target) and its
+    // own maxRetries/retryDelay rides out a handle that an indexer/antivirus releases a moment later.
+    removeWorktreeDir: async (worktreePath) => (0, import_promises2.rm)(worktreePath, { recursive: true, force: true, maxRetries: 5, retryDelay: 200 })
   });
   console.log(JSON.stringify(buildPrMergeResultPayload({
     number,
@@ -11370,6 +11993,19 @@ function reportedStageUrl(res, result) {
   return result.port != null ? stageUrlForPort(result.port) : res.derived.url;
 }
 program2.command("port-range <repo>").description("assign (idempotently) + print the repo's local stage port block via the atomic ORG#config.portCursor allocator (committed-file fallback)").option("--json", "machine-readable output").action(async (repo, o) => {
+  const cfg = await loadConfig();
+  const reg = registryClientDeps(cfg);
+  const slug = slugOf(repo);
+  const read = await fetchProjectBySlugChecked(slug, reg);
+  const decision = decidePortRange({ metaReadOk: read.ok, metaPortRange: read.ok ? metaPortRange(read.project) : null });
+  if (decision.action === "fail") {
+    return fail(`port-range: ${decision.reason}${read.ok ? "" : ` (${read.error})`}`);
+  }
+  if (decision.action === "return") {
+    const [start2, end2] = decision.range;
+    printLine(o.json ? JSON.stringify({ repo, portRange: [start2, end2], source: "meta" }) : `${repo}: stage.portRange [${start2}, ${end2}]`);
+    return;
+  }
   const path2 = (0, import_node_path8.join)(process.cwd(), "infra", "port-ranges.json");
   const allocate = async (seed) => {
     const { stdout } = await execFileP4("node", [(0, import_node_path8.join)(process.cwd(), "infra", "port-ddb.mjs"), String(seed)], { timeout: 15e3 });
@@ -11377,8 +12013,16 @@ program2.command("port-range <repo>").description("assign (idempotently) + print
     if (!Array.isArray(parsed.range) || parsed.range.length !== 2) throw new Error("port-ddb: no range in output");
     return parsed.range;
   };
-  const { range: [start, end] } = await ensurePortRangeAtomic(repo, path2, allocate);
-  printLine(o.json ? JSON.stringify({ repo, portRange: [start, end] }) : `${repo}: stage.portRange [${start}, ${end}]`);
+  const { range: [start, end], source } = await ensurePortRangeAtomic(repo, path2, allocate);
+  const write = await upsertProject(slug, { portRange: { start, end } }, reg);
+  if (!write.ok && source === "ddb") {
+    return fail(`port-range: block [${start}, ${end}] was allocated (cursor advanced) but NOT recorded in the registry META (${write.error ?? `HTTP ${write.status}`}) \u2014 fix auth/connectivity and retry so the block is persisted; do not re-run blind`);
+  }
+  if (o.json) {
+    printLine(JSON.stringify({ repo, portRange: [start, end], source: "allocated", persisted: write.ok, ...write.ok ? {} : { persistError: write.error ?? `HTTP ${write.status}` } }));
+  } else {
+    printLine(`${repo}: stage.portRange [${start}, ${end}]${write.ok ? "" : ` (META not persisted: ${write.error ?? `HTTP ${write.status}`})`}`);
+  }
 });
 var stage = program2.command("stage").description("plan or run the repo local stage environment").option("--json", "machine-readable output").option("--apply", "run the full local stage: stop previous, build, start, health-check").option("--timeout-ms <ms>", "bounded build/health timeout", "60000").action(async (o) => {
   const res = await resolveStage();
@@ -11491,17 +12135,32 @@ program2.command("stage-live").description("explain that remote rc/live environm
 var GH_TRAIN_TIMEOUT_MS = 3e4;
 var GH_RUN_WATCH_TIMEOUT_MS = 20 * 6e4;
 var NODE_PREPARE_TIMEOUT_MS = 10 * 6e4;
+var NPM_TRAIN_TIMEOUT_MS = 6e4;
 function trainApplyDeps() {
   return {
     run: async (file, args) => {
-      const timeout = file === "node" && args[1] === "prepare" ? NODE_PREPARE_TIMEOUT_MS : file !== "gh" ? GIT_TIMEOUT_MS : args[0] === "run" && args[1] === "watch" ? GH_RUN_WATCH_TIMEOUT_MS : GH_TRAIN_TIMEOUT_MS;
-      return (await execFileP4(file, args, { timeout })).stdout;
+      const timeout = file === "node" && args[1] === "prepare" ? NODE_PREPARE_TIMEOUT_MS : file === "npm" ? NPM_TRAIN_TIMEOUT_MS : file !== "gh" ? GIT_TIMEOUT_MS : args[0] === "run" && args[1] === "watch" ? GH_RUN_WATCH_TIMEOUT_MS : GH_TRAIN_TIMEOUT_MS;
+      return isWin && file === "npm" ? (await execFileP4("cmd.exe", ["/c", "npm", ...args], { timeout })).stdout : (await execFileP4(file, args, { timeout })).stdout;
     },
     runSelf: async (args) => (await execFileP4(process.execPath, [process.argv[1], ...args], { timeout: 3e4 })).stdout,
     trainAuthority: async (repo) => {
       const verdict = await fetchTrainAuthority(repo, registryClientDeps(await loadConfig()));
       return verdict.ok ? { ok: true, role: verdict.authority.role, train: verdict.authority.train } : verdict;
     },
+    // Hub-App-authority dispatch of the central tenant deploy (#953) — the Hub fires the
+    // workflow_dispatch with its App token, so the caller needs no MMI-Hub Actions write.
+    dispatchTenantDeploy: async ({ repo, stage: stage2, ref }) => {
+      const res = await tenantDeploy({ repo, stage: stage2, ref }, registryClientDeps(await loadConfig()));
+      if (!res.ok) {
+        const detail = res.body?.error ?? res.error ?? `HTTP ${res.status}`;
+        throw new Error(`tenant deploy dispatch failed: ${detail}`);
+      }
+    },
+    // Hotfix-coverage guard (#958): runs against the local clone via real git. manifestPaths exempts the
+    // release version fold (#976) — a main-only commit touching ONLY the root package manifest is the
+    // fold's version metadata, which the candidate replaces with its own. (The Hub's wider distribution
+    // set never reaches this guard: the Hub is direct-track.)
+    hotfixCoverage: (input) => checkHotfixCoverage({ ...input, manifestPaths: ["package.json", "package-lock.json"] }),
     // Slack release announcement (#883): Hub-only + best-effort inside announceRelease itself.
     announce: (args) => announceRelease({
       run: async (file, cmdArgs) => (await execFileP4(file, cmdArgs, { timeout: GH_TRAIN_TIMEOUT_MS })).stdout,
@@ -11516,14 +12175,6 @@ function trainApplyDeps() {
     }
   };
 }
-function trainPrepDeps() {
-  return {
-    run: async (file, args) => {
-      const timeout = file === "node" && args[1] === "prepare" ? NODE_PREPARE_TIMEOUT_MS : GIT_TIMEOUT_MS;
-      return (await execFileP4(file, args, { timeout })).stdout;
-    }
-  };
-}
 function formatWorkflowRun(r) {
   const ref = r.runUrl ?? (r.runId != null ? String(r.runId) : "unresolved");
   return `${r.workflow} ${ref} ${r.conclusion.toUpperCase()}`;
@@ -11539,6 +12190,7 @@ function renderDeployLine(d) {
 }
 function renderTrainApply(commandName, r) {
   let base = `mmi-cli ${commandName}: promoted ${r.repo} \u2192 ${r.stage} at ${r.tag} [${r.deployModel}]; ${renderDeployLine(r)}`;
+  if (r.versionFold) base = `${base}; ${r.versionFold}`;
   if (r.resumeNote) base = `${base}; ${r.resumeNote}`;
   if (r.rcRetirement) base = `${base}; rc retirement: ${r.rcRetirement.toUpperCase()} (${r.rcRetirementNote ?? ""})`;
   return r.announceNote ? `${base}; announce: ${r.announceNote}` : base;
@@ -11554,37 +12206,20 @@ async function resolveRcandPlanTargets() {
     return { plannedReleaseError: e.message, existingRcReleaseError: e.message };
   }
 }
-function renderTrainPrep(r) {
-  if (!r.applied) {
-    return `mmi-cli train prep: target ${r.target}; run ${r.command} to prepare and stage locked distribution files`;
-  }
-  return [
-    `mmi-cli train prep: prepared ${r.target}`,
-    `  - staged locked files: ${r.stagedFiles.join(", ")}`,
-    "  - stopped before promotion; no push, merge, tag, release, or deploy was run",
-    `  - next: ${r.command}`
-  ].join("\n");
-}
-var trainCmd = program2.command("train").description("release train helpers that stop before promotion");
-trainCmd.command("prep").description("prepare and stage the Hub distribution bump for the next release train").option("--json", "machine-readable output").option("--apply", "run release-distribution prepare, exact-file stage, verify, then stop").action(async (o) => {
-  try {
-    await requireFreshTrainCli("train prep");
-    const result = await runTrainPrep(trainPrepDeps(), { apply: o.apply });
-    printLine(o.json ? JSON.stringify(result, null, 2) : renderTrainPrep(result));
-  } catch (e) {
-    fail(`train prep: ${e.message}`);
-  }
-});
 for (const commandName of ["rcand", "release"]) {
-  program2.command(commandName).description(`plan ${commandName} train operations; mutations require explicit master-admin approval`).option("--json", "machine-readable output").option("--watch", "block on the deploy/publish workflow runs and report their outcomes").option("--apply", "execute the guarded master-only train after explicit approval").option("--announce-summary-file <path>", "release only: agent-curated summary lines for the Hub Slack announcement (#883)").action(async (o) => {
+  program2.command(commandName).description(`plan ${commandName} train operations; mutations require explicit master-admin approval`).option("--json", "machine-readable output").option("--watch", "block on the deploy/publish workflow runs and report their outcomes").option("--apply", "execute the guarded master-only train after explicit approval").option("--announce-summary-file <path>", "release only: agent-curated summary lines for the Hub Slack announcement (#883)").option("--ack <shas>", "release only: comma-separated dev shas a human verified are in the candidate, overriding the hotfix-coverage guard for a conflicted port whose -x trailer was lost (#958)").action(async (o) => {
     try {
       await requireFreshTrainCli(commandName);
     } catch (e) {
       return fail(`${commandName}: ${e.message}`);
     }
+    if (o.ack && commandName !== "release") {
+      return fail("--ack applies only to release: it overrides the rc -> main hotfix-coverage guard, which rcand does not run");
+    }
     if (o.apply) {
       try {
-        const result = await runTrainApply(commandName, trainApplyDeps(), { watch: o.watch, announceSummaryFile: o.announceSummaryFile });
+        const ack = (o.ack ?? "").split(",").map((s) => s.trim()).filter(Boolean);
+        const result = await runTrainApply(commandName, trainApplyDeps(), { watch: o.watch, announceSummaryFile: o.announceSummaryFile, ack });
         return printLine(o.json ? JSON.stringify(result, null, 2) : renderTrainApply(commandName, result));
       } catch (e) {
         return fail(`${commandName}: ${e.message}`);
@@ -11610,7 +12245,7 @@ function renderHotfixRelease(r) {
     ...r.runs.map((run) => `  - ${run.workflow}: ${run.conclusion}${run.url ? ` (${run.url})` : ""}`),
     `  - ${r.verifyNote}`,
     ...r.announceNote ? [`  - announce: ${r.announceNote}`] : [],
-    `  - next: mmi-cli hotfix status ${r.tag} (no back-merge \u2014 development already has the fix; align its distribution manifests by PR if status says behind)`
+    `  - next: mmi-cli hotfix status ${r.tag} (no back-merge \u2014 development already has the fix; the next /release back-merge aligns the version manifests)`
   ].join("\n");
 }
 function renderHotfixStatus(r) {
@@ -11618,7 +12253,7 @@ function renderHotfixStatus(r) {
     `mmi-cli hotfix status: ${r.tag} on ${r.repo} \u2014 ${r.state}`,
     `  - branch: ${r.branchExists ? "pushed" : "absent"} \xB7 PR: ${r.pr ? `#${r.pr.number} ${r.pr.state}` : "none"} \xB7 tag: ${r.tagPushed ? "pushed" : "absent"} \xB7 Release: ${r.releaseExists ? "exists" : "absent"}`,
     ...r.runs.map((run) => `  - ${run.workflow}: ${run.conclusion}${run.url ? ` (${run.url})` : ""}`),
-    `  - npm @mutmutco/cli: ${r.npmVersion} \xB7 development manifests: ${r.devDistribution.version}${r.devDistribution.aligned ? " (aligned)" : " (behind)"}`,
+    `  - npm @mutmutco/cli: ${r.npmVersion}`,
     `  - next: ${r.next}`
   ].join("\n");
 }
@@ -11683,15 +12318,16 @@ bootstrap.command("verify <repo>").description("audit whether an existing repo i
         return null;
       }
     }
-  });
+  }, resolveReleaseTrack(meta));
   console.log(o.json ? JSON.stringify(report, null, 2) : renderBootstrapVerifyReport(report));
   if (!report.ok) process.exitCode = 1;
 });
-bootstrap.command("apply <repo>").description("idempotent seed apply from skills/bootstrap/seeds/manifest.json; dry-run unless --execute (live, master-gated)").option("--class <class>", "deployable | content", "deployable").option("--project-type <type>", `${PROJECT_TYPES.join(" | ")} (v2 capability shape)`).option("--deploy-model <model>", `${DEPLOY_MODELS.join(" | ")} (release/deploy path)`).option("--execute", "LIVE apply via gh (master-gated) \u2014 stamps seed files + labels into the repo").option("--var <KEY=VALUE...>", "placeholder values for repo-owned templates (repeatable)").option("--json", "machine-readable output").action(async (repo) => {
+bootstrap.command("apply <repo>").description("idempotent seed apply from skills/bootstrap/seeds/manifest.json; dry-run unless --execute (live, master-gated)").option("--class <class>", "deployable | content", "deployable").option("--project-type <type>", `${PROJECT_TYPES.join(" | ")} (v2 capability shape)`).option("--deploy-model <model>", `${DEPLOY_MODELS.join(" | ")} (release/deploy path)`).option("--release-track <track>", `${RELEASE_TRACKS.join(" | ")} (branch topology; direct skips rc)`).option("--execute", "LIVE apply via gh (master-gated) \u2014 stamps seed files + labels into the repo").option("--var <KEY=VALUE...>", "placeholder values for repo-owned templates (repeatable)").option("--json", "machine-readable output").action(async (repo) => {
   const o = {
     class: rawValue("--class", "deployable"),
     projectType: rawValue("--project-type", ""),
     deployModel: rawValue("--deploy-model", ""),
+    releaseTrack: rawValue("--release-track", ""),
     execute: rawFlag("--execute"),
     json: rawFlag("--json")
   };
@@ -11710,10 +12346,19 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
   const gh = async (args) => execFileP4("gh", args, { timeout: 2e4 });
   const readFile2 = (p) => (0, import_node_fs7.existsSync)(p) ? (0, import_node_fs7.readFileSync)(p, "utf8") : null;
   const enc = (p) => p.split("/").map(encodeURIComponent).join("/");
-  const vars = {};
+  const rawVars = {};
   for (const value of rawValues("--var")) {
     const eq = value.indexOf("=");
-    if (eq > 0) vars[value.slice(0, eq)] = value.slice(eq + 1);
+    if (eq > 0) rawVars[value.slice(0, eq)] = value.slice(eq + 1);
+  }
+  const vars = withDerivedRepoVars(rawVars, parsedRepo, o.class);
+  if (vars.PROJECT_ID) {
+    try {
+      const r = await gh(boardFieldsQueryArgs(vars.PROJECT_ID));
+      const boardVars = extractBoardFieldVars(JSON.parse(r.stdout));
+      for (const [k, v] of Object.entries(boardVars)) if (vars[k] == null) vars[k] = v;
+    } catch {
+    }
   }
   const actions = [];
   const applied = [];
@@ -11739,22 +12384,12 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
         exists = false;
       }
     }
-    const action = planSeedAction(resolved, exists);
+    const planned = planSeedAction(resolved, exists);
+    const isBlock = resolved.source === "managed-block";
+    const content = planned.action === "create" || planned.action === "update" ? isBlock ? upsertManagedGitignoreBlock(remoteContent).content : resolveSeedContent(resolved, vars, readFile2) : null;
+    const action = reconcileSeedAction(planned, content, isBlock);
     actions.push(action);
     if (o.execute && (action.action === "create" || action.action === "update")) {
-      const isBlock = resolved.source === "managed-block";
-      const content = isBlock ? upsertManagedGitignoreBlock(remoteContent).content : resolveSeedContent(resolved, vars, readFile2);
-      if (content == null) {
-        applied.push(`skip ${resolved.target} (no resolvable content)`);
-        continue;
-      }
-      if (!isBlock) {
-        const missing = missingPlaceholders(content);
-        if (missing.length) {
-          applied.push(`skip ${resolved.target} (unfilled: ${missing.join(", ")} \u2014 pass --var)`);
-          continue;
-        }
-      }
       await gh(contentPutArgs(repo, resolved.target, content, baseBranch, action.action === "update" ? sha : void 0));
       applied.push(`${action.action} ${resolved.target}`);
     }
@@ -11768,13 +12403,23 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
         applied.push(`label ${l.name} (failed)`);
       }
     }
+    for (const name of labelsToPrune(manifest.labels.map((l) => l.name))) {
+      try {
+        await gh(["label", "delete", name, "-R", repo, "--yes"]);
+        applied.push(`label ${name} (pruned)`);
+      } catch (e) {
+        if (/not found/i.test(e.message ?? "")) continue;
+        applied.push(`label ${name} (prune failed)`);
+      }
+    }
   }
   const ddbWrites = [];
   let registerPayload;
   try {
     registerPayload = buildRegisterPayload(repo, o.class, vars, {
       projectType: o.projectType || void 0,
-      deployModel: o.deployModel || void 0
+      deployModel: o.deployModel || void 0,
+      releaseTrack: o.releaseTrack || void 0
     });
   } catch (e) {
     return fail(`bootstrap apply: ${e.message}`);
@@ -11790,7 +12435,83 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
       applied.push(`ddb register ${registerPayload.slug} (failed: ${why})`);
     }
   }
-  if (o.json) console.log(JSON.stringify({ repo, class: o.class, execute: o.execute, actions, applied, ddbWrites }, null, 2));
+  let fanoutPrUrl;
+  if (o.execute) {
+    const fanoutEntry = {
+      repo: parsedRepo.name,
+      slug,
+      projectId: vars.PROJECT_ID || void 0,
+      wikiRepo: vars.WIKI_REPO || parsedRepo.fullName,
+      branch: baseBranch,
+      cls: o.class,
+      name: vars.NAME || parsedRepo.name
+    };
+    const readHubFile = async (path2) => {
+      const r = await gh(["api", `repos/${HUB_REPO}/contents/${enc(path2)}?ref=development`]);
+      const parsed = JSON.parse(r.stdout);
+      if (parsed.encoding !== "base64" || typeof parsed.content !== "string" || !parsed.sha) {
+        throw new Error(`could not read ${HUB_REPO}/${path2}`);
+      }
+      return { content: Buffer.from(parsed.content, "base64").toString("utf8"), sha: parsed.sha };
+    };
+    try {
+      const fanoutFile = await readHubFile(".github/fanout-targets.json");
+      const projectsFile = await readHubFile("projects.json");
+      const plan2 = planFanoutRegistration(fanoutFile.content, projectsFile.content, fanoutEntry);
+      if (!plan2.changed) {
+        applied.push(`fanout: already registered (${parsedRepo.name})`);
+      } else {
+        const branchName = `bootstrap-register-fanout-${slug}`;
+        const headSha = (await gh(["api", `repos/${HUB_REPO}/git/ref/heads/development`, "--jq", ".object.sha"])).stdout.trim();
+        try {
+          await gh(["api", "-X", "POST", `repos/${HUB_REPO}/git/refs`, "-f", `ref=refs/heads/${branchName}`, "-f", `sha=${headSha}`]);
+        } catch (e) {
+          if (!/Reference already exists|already exists/i.test(String(e.message ?? ""))) throw e;
+        }
+        const branchFileSha = async (path2) => {
+          try {
+            const r = await gh(["api", `repos/${HUB_REPO}/contents/${enc(path2)}?ref=${branchName}`, "--jq", ".sha"]);
+            return r.stdout.trim() || void 0;
+          } catch (e) {
+            if (/404|Not Found/i.test(String(e.message ?? ""))) return void 0;
+            throw e;
+          }
+        };
+        const fanoutBranchSha = await branchFileSha(".github/fanout-targets.json");
+        const projectsBranchSha = await branchFileSha("projects.json");
+        await gh(contentPutArgs(HUB_REPO, ".github/fanout-targets.json", plan2.fanoutTargets, branchName, fanoutBranchSha));
+        await gh(contentPutArgs(HUB_REPO, "projects.json", plan2.projects, branchName, projectsBranchSha));
+        const openPrs = await gh(["pr", "list", "--repo", HUB_REPO, "--head", branchName, "--base", "development", "--state", "open", "--json", "number,url"]);
+        const prDecision = decideFanoutPrAction(JSON.parse(openPrs.stdout || "[]"));
+        if (prDecision.action === "reuse") {
+          fanoutPrUrl = prDecision.url;
+        } else {
+          const created = await ghCreate([
+            "pr",
+            "create",
+            "--repo",
+            HUB_REPO,
+            "--base",
+            "development",
+            "--head",
+            branchName,
+            "--title",
+            `bootstrap: register ${parsedRepo.name} for org-spine fanout`,
+            "--body",
+            `Auto-opened by \`mmi-cli bootstrap apply --execute ${repo}\` (#933): adds ${parsedRepo.name} to projects.json + .github/fanout-targets.json so the spine fans out to it.`
+          ]);
+          fanoutPrUrl = created.url;
+        }
+        await gh(["pr", "merge", fanoutPrUrl, "--repo", HUB_REPO, "--auto", "--squash"]).catch((e) => {
+          if (!/already/i.test(String(e.message ?? ""))) throw e;
+        });
+        applied.push(`fanout: PR ${fanoutPrUrl} (auto-merge enabled)`);
+      }
+    } catch (e) {
+      return fail(`bootstrap apply: fanout registration failed: ${e.message}`);
+    }
+  }
+  if (o.json) console.log(JSON.stringify({ repo, class: o.class, execute: o.execute, actions, applied, ddbWrites, fanoutPrUrl }, null, 2));
   else {
     console.log(renderSeedPlan(actions));
     if (o.execute) console.log(`
@@ -12196,7 +12917,7 @@ async function runDoctor(opts, io = consoleIo) {
   io.log(gaps.length ? `
 ${gaps.length} item(s) need attention.` : "\nAll set \u2014 you are ready.");
 }
-program2.command("doctor").description("check onboarding gates (GitHub auth, mmi-cli on PATH, Hub API default, plugin git clone, plugin install record, .gitignore managed block, plugin config drift, installed plugin version, Cursor Team Marketplace plugin install), print fixes, and report per-surface versions + update recipes").option("--banner", "one-line resume summary; silent when all gates pass").option("--guide", "print the MMI Agentic Onboarding guide URL").option("--json", "machine-readable output (read-only inspection \u2014 performs no repairs)").option("--apply", "perform the same auto-repairs as the interactive run (combine with --json for a machine-readable repair run)").option("--no-repo-writes", "env/plugin repairs only \u2014 never mutate the repo working tree; report pending managed .gitignore repairs with the follow-up command (for release-train prep)").action((opts) => (
+program2.command("doctor").description("check onboarding gates (GitHub auth, mmi-cli on PATH, Hub API default, plugin git clone, plugin install record, .gitignore managed block, plugin config drift, installed plugin version, Cursor Team Marketplace plugin install), print fixes, and report per-surface versions + update recipes").option("--banner", "one-line resume summary; silent when all gates pass").option("--guide", "print the MMI Agentic Onboarding guide URL").option("--json", "machine-readable output (read-only inspection \u2014 performs no repairs)").option("--apply", "perform the same auto-repairs as the interactive run (combine with --json for a machine-readable repair run)").option("--no-repo-writes", "env/plugin repairs only \u2014 never mutate the repo working tree; report pending managed .gitignore repairs with the follow-up command (for train preflights)").action((opts) => (
   // Commander maps `--no-repo-writes` to `repoWrites: false`; translate to the explicit `noRepoWrites` flag.
   runDoctor({ ...opts, noRepoWrites: opts.repoWrites === false })
 ));
@@ -12207,7 +12928,7 @@ program2.command("session-start").description("run the SessionStart verbs (rules
   } catch (e) {
     console.error(`[mmi-hook] saga session failed: ${e.message}`);
   }
-  spawnDetachedSelf(["docs", "sync", "--quiet"], { spawn: import_node_child_process6.spawn, execPath: process.execPath, scriptPath: process.argv[1] });
+  spawnDetachedSelf(["docs", "sync", "--quiet"], { spawn: import_node_child_process7.spawn, execPath: process.execPath, scriptPath: process.argv[1] });
   const { parallel, sequential } = buildSessionStartPlan({
     rulesSync: (io) => runRulesSync({ quiet: true }, io),
     sagaShow: (io) => runSagaShow({ quiet: true }, io),