@mutmutco/cli 2.34.1 → 2.35.0

package/dist/main.cjs

@@ -3392,7 +3392,7 @@ var program = new Command();
 
 // src/index.ts
 var import_promises5 = require("node:fs/promises");
-var import_node_fs15 = require("node:fs");
+var import_node_fs16 = require("node:fs");
 
 // src/rules-sync.ts
 function normalizeEol(s) {
@@ -3427,7 +3427,7 @@ var import_node_child_process10 = require("node:child_process");
 
 // src/cli-shared.ts
 var import_promises = require("node:fs/promises");
-var import_node_fs6 = require("node:fs");
+var import_node_fs7 = require("node:fs");
 var import_node_crypto2 = require("node:crypto");
 var import_node_child_process4 = require("node:child_process");
 var import_node_util4 = require("node:util");
@@ -4109,10 +4109,19 @@ async function hubAuthToken(deps) {
 }
 
 // src/stdin-inject.ts
+var import_node_fs6 = require("node:fs");
 var injectedStdin;
+function stdinHasPipedInput(statFd = () => (0, import_node_fs6.fstatSync)(0)) {
+  try {
+    const stat = statFd();
+    return stat.isFIFO() || stat.isFile();
+  } catch {
+    return false;
+  }
+}
 async function readStdin() {
   if (injectedStdin !== void 0) return injectedStdin;
-  if (process.stdin.isTTY !== false) return "";
+  if (!stdinHasPipedInput()) return "";
   const chunks = [];
   for await (const chunk of process.stdin) chunks.push(chunk);
   return Buffer.concat(chunks).toString("utf8");
@@ -4161,7 +4170,7 @@ function sessionDeps() {
     env: process.env,
     readPersisted: () => {
       try {
-        return (0, import_node_fs6.readFileSync)(SESSION_FILE, "utf8");
+        return (0, import_node_fs7.readFileSync)(SESSION_FILE, "utf8");
       } catch {
         return null;
       }
@@ -4174,8 +4183,8 @@ function sessionDeps() {
 var resolveSessionId = () => resolveSession(sessionDeps());
 function persistSession(id) {
   try {
-    (0, import_node_fs6.mkdirSync)(".mmi", { recursive: true });
-    (0, import_node_fs6.writeFileSync)(SESSION_FILE, id, "utf8");
+    (0, import_node_fs7.mkdirSync)(".mmi", { recursive: true });
+    (0, import_node_fs7.writeFileSync)(SESSION_FILE, id, "utf8");
   } catch {
   }
 }
@@ -4267,7 +4276,9 @@ async function resolveTextArg(input, deps, labels) {
   const source = input.file ?? "";
   const text = source === "-" ? await deps.readStdin() : await deps.readFile(source, "utf8");
   if (text.trim().length === 0) {
-    throw new Error(`${labels.file} produced an empty ${labels.noun}`);
+    throw new Error(
+      source === "-" ? `${labels.file} - read empty stdin (nothing piped \u2014 pass a heredoc/pipe, or ${labels.file} <path>)` : `${labels.file} produced an empty ${labels.noun}`
+    );
   }
   return text;
 }
@@ -4287,7 +4298,7 @@ function resolveIssueTitle(input, deps) {
 }
 
 // src/saga-capture.ts
-var import_node_fs7 = require("node:fs");
+var import_node_fs8 = require("node:fs");
 var import_node_os2 = require("node:os");
 var import_node_path6 = require("node:path");
 function parseHookInput(stdin) {
@@ -4314,16 +4325,16 @@ function resolveCursorTranscriptPath(hook, env = process.env) {
   const slug = cursorProjectSlug(workspaceRoot);
   const transcriptsDir = (0, import_node_path6.join)(cursorProjectsRoot(env), slug, "agent-transcripts");
   const nested = (0, import_node_path6.join)(transcriptsDir, conversationId, `${conversationId}.jsonl`);
-  if ((0, import_node_fs7.existsSync)(nested)) return nested;
+  if ((0, import_node_fs8.existsSync)(nested)) return nested;
   const flat = (0, import_node_path6.join)(transcriptsDir, `${conversationId}.jsonl`);
-  if ((0, import_node_fs7.existsSync)(flat)) return flat;
+  if ((0, import_node_fs8.existsSync)(flat)) return flat;
   return void 0;
 }
 function resolveTranscriptPath(hook, env = process.env) {
   const fromHook = (hook.transcript_path ?? hook.transcriptPath)?.trim();
   if (fromHook) return fromHook;
   const fromEnv = env.CURSOR_TRANSCRIPT_PATH?.trim();
-  if (fromEnv && (0, import_node_fs7.existsSync)(fromEnv)) return fromEnv;
+  if (fromEnv && (0, import_node_fs8.existsSync)(fromEnv)) return fromEnv;
   const surface = env.MMI_AGENT_SURFACE?.trim();
   if (surface === "cursor" || env.CURSOR_TRACE_ID || env.CURSOR_SESSION_ID) {
     return resolveCursorTranscriptPath(hook, env);
@@ -5072,24 +5083,24 @@ function registerSagaCommands(program3) {
 // src/honcho-commands.ts
 var import_node_child_process5 = require("node:child_process");
 var import_promises3 = require("node:fs/promises");
-var import_node_fs9 = require("node:fs");
+var import_node_fs10 = require("node:fs");
 var import_node_path8 = require("node:path");
 
 // src/honcho-ingest-skip.ts
-var import_node_fs8 = require("node:fs");
+var import_node_fs9 = require("node:fs");
 var import_node_path7 = require("node:path");
 var INGEST_SKIP_FILE = ".mmi/honcho/last-skip.json";
 function recordIngestSkip(record) {
   try {
-    (0, import_node_fs8.mkdirSync)((0, import_node_path7.dirname)(INGEST_SKIP_FILE), { recursive: true });
-    (0, import_node_fs8.writeFileSync)(INGEST_SKIP_FILE, JSON.stringify(record), "utf8");
+    (0, import_node_fs9.mkdirSync)((0, import_node_path7.dirname)(INGEST_SKIP_FILE), { recursive: true });
+    (0, import_node_fs9.writeFileSync)(INGEST_SKIP_FILE, JSON.stringify(record), "utf8");
   } catch {
   }
 }
 function readIngestSkip() {
   try {
-    if (!(0, import_node_fs8.existsSync)(INGEST_SKIP_FILE)) return null;
-    const o = JSON.parse((0, import_node_fs8.readFileSync)(INGEST_SKIP_FILE, "utf8"));
+    if (!(0, import_node_fs9.existsSync)(INGEST_SKIP_FILE)) return null;
+    const o = JSON.parse((0, import_node_fs9.readFileSync)(INGEST_SKIP_FILE, "utf8"));
     return o?.reason && o?.surface && o?.ts ? o : null;
   } catch {
     return null;
@@ -5097,7 +5108,7 @@ function readIngestSkip() {
 }
 function clearIngestSkip() {
   try {
-    if ((0, import_node_fs8.existsSync)(INGEST_SKIP_FILE)) (0, import_node_fs8.unlinkSync)(INGEST_SKIP_FILE);
+    if ((0, import_node_fs9.existsSync)(INGEST_SKIP_FILE)) (0, import_node_fs9.unlinkSync)(INGEST_SKIP_FILE);
   } catch {
   }
 }
@@ -5159,7 +5170,8 @@ function formatVaultPointer(p) {
     ``,
     `enumerate actual keys:  mmi-cli secrets list`,
     `read one:               mmi-cli secrets get <stage>/<KEY>   (e.g. main/GOOGLE_CLIENT_ID)`,
-    `set a project-tier key: mmi-cli secrets set <KEY>           (value via stdin; org tier needs a master grant)`
+    `set a project-tier key: mmi-cli secrets set <KEY>           (value via stdin; org tier needs a master grant)`,
+    `copy provider keys:     mmi-cli secrets copy --from rc --to dev --keys RECALL_API_KEY,GEMINI_API_KEY`
   ];
   return lines.join("\n");
 }
@@ -5503,6 +5515,54 @@ async function secretsRevoke(deps, repo, login, key, _opts) {
   }
   deps.log(`revoked @${login}'s access to ${key} in ${repo}`);
 }
+var SECRET_COPY_BLOCKED_RE = /(?:ENC_KEY|ENCRYPTION_KEY|SECRET_KEY_BASE)/i;
+function isSecretCopyBlocked(key) {
+  const slash = key.indexOf("/");
+  const leaf = slash === -1 ? key : key.slice(slash + 1);
+  return SECRET_COPY_BLOCKED_RE.test(leaf);
+}
+function copyTierKey(stage2, leaf) {
+  return `${stage2}/${leaf}`;
+}
+async function secretsCopy(deps, opts) {
+  if (opts.from === opts.to) {
+    deps.err("secrets copy: --from and --to must differ");
+    return false;
+  }
+  const keys = [...new Set(opts.keys.map((k) => k.trim()).filter(Boolean))];
+  if (!keys.length) {
+    deps.err("secrets copy: --keys required (comma-separated allowlist)");
+    return false;
+  }
+  for (const key of keys) {
+    if (!isValidSecretKey(key)) {
+      deps.err(`invalid secret key ${JSON.stringify(key)}`);
+      return false;
+    }
+    if (isSecretCopyBlocked(key)) {
+      deps.err(`secrets copy: ${key} is not copyable \u2014 generate encryption/stage-distinct keys per stage`);
+      return false;
+    }
+  }
+  for (const key of keys) {
+    const leaf = secretLeafName(key);
+    const srcKey = copyTierKey(opts.from, leaf);
+    const dstKey = copyTierKey(opts.to, leaf);
+    const value = await fetchSecretValue(deps, srcKey, opts);
+    if (!value) {
+      deps.err(`secrets copy: could not read source ${srcKey}`);
+      return false;
+    }
+    if (opts.dryRun) {
+      deps.log(`would copy ${srcKey} \u2192 ${dstKey}`);
+      continue;
+    }
+    const ok = await putSecret(deps, dstKey, value, opts);
+    if (!ok) return false;
+    deps.log(`copied ${srcKey} \u2192 ${dstKey}`);
+  }
+  return true;
+}
 async function secretsUse(deps, key, opts) {
   const slug = await vaultSlug(deps, opts);
   const tier = classifyTier(slug, key);
@@ -5873,7 +5933,7 @@ function honchoThrottlePath(key) {
 function honchoIngestDue(path2, intervalMs, now = Date.now()) {
   if (intervalMs <= 0) return true;
   try {
-    const last = Number((0, import_node_fs9.readFileSync)(path2, "utf8").trim()) || 0;
+    const last = Number((0, import_node_fs10.readFileSync)(path2, "utf8").trim()) || 0;
     return now - last >= intervalMs;
   } catch {
     return true;
@@ -5881,8 +5941,8 @@ function honchoIngestDue(path2, intervalMs, now = Date.now()) {
 }
 function markHonchoIngest(path2, now = Date.now()) {
   try {
-    (0, import_node_fs9.mkdirSync)((0, import_node_path8.dirname)(path2), { recursive: true });
-    (0, import_node_fs9.writeFileSync)(path2, String(now), "utf8");
+    (0, import_node_fs10.mkdirSync)((0, import_node_path8.dirname)(path2), { recursive: true });
+    (0, import_node_fs10.writeFileSync)(path2, String(now), "utf8");
   } catch {
   }
 }
@@ -6165,7 +6225,7 @@ async function syncDocs(deps, docs2 = SYNCED_DOCS) {
 }
 
 // src/session-start.ts
-var import_node_fs10 = require("node:fs");
+var import_node_fs11 = require("node:fs");
 var import_node_path9 = require("node:path");
 async function runBufferedStep(step) {
   const lines = [];
@@ -6218,11 +6278,11 @@ function spawnDetachedSelf(args, deps) {
 function planStoreLines(cwd) {
   const mdFiles = (dir, minSize = 0) => {
     const p = (0, import_node_path9.join)(cwd, dir);
-    if (!(0, import_node_fs10.existsSync)(p)) return [];
+    if (!(0, import_node_fs11.existsSync)(p)) return [];
     try {
-      return (0, import_node_fs10.readdirSync)(p).filter((f) => f.toLowerCase().endsWith(".md")).filter((f) => {
+      return (0, import_node_fs11.readdirSync)(p).filter((f) => f.toLowerCase().endsWith(".md")).filter((f) => {
         try {
-          return (0, import_node_fs10.statSync)((0, import_node_path9.join)(p, f)).size >= minSize;
+          return (0, import_node_fs11.statSync)((0, import_node_path9.join)(p, f)).size >= minSize;
         } catch {
           return false;
         }
@@ -6824,6 +6884,73 @@ async function backfillBoardPriorities(options, deps = {}) {
   }
   return result;
 }
+async function prunePriorityLabels(options, deps = {}) {
+  const cfg = resolveBoardConfig(options.config);
+  const client = deps.client ?? defaultGitHubClient();
+  const collected = await collectBoardItems(cfg, { repo: options.repo }, deps);
+  const issues = collected.items.filter(
+    (item) => item.contentType === "Issue" && item.labels.some((l) => labelToFieldPriority(l))
+  );
+  const concurrency = Math.max(1, options.concurrency ?? 8);
+  const result = {
+    scanned: issues.length,
+    pruned: 0,
+    removedLabels: 0,
+    skippedNoField: 0,
+    failed: 0,
+    details: []
+  };
+  async function work(item) {
+    const priorityLabels = item.labels.filter((l) => labelToFieldPriority(l));
+    if (!priorityLabels.length) return;
+    if (!item.priority) {
+      result.skippedNoField += 1;
+      result.details.push(
+        `${item.ref}: Priority field unset \u2014 kept ${priorityLabels.join(", ")} (run \`mmi-cli board backfill-priority\` first)`
+      );
+      return;
+    }
+    if (options.dryRun) {
+      result.pruned += 1;
+      result.removedLabels += priorityLabels.length;
+      result.details.push(`${item.ref} \u2192 remove ${priorityLabels.join(", ")} (field=${item.priority}) (dry-run)`);
+      return;
+    }
+    try {
+      const removed = [];
+      const alreadyAbsent = [];
+      for (const label of priorityLabels) {
+        try {
+          await client.rest(
+            "DELETE",
+            `repos/${item.repository}/issues/${item.number}/labels/${encodeURIComponent(label)}`
+          );
+          removed.push(label);
+          result.removedLabels += 1;
+        } catch (e) {
+          if (e instanceof GitHubApiError && e.status === 404) {
+            alreadyAbsent.push(label);
+            continue;
+          }
+          throw e;
+        }
+      }
+      result.pruned += 1;
+      const parts = [
+        ...removed.length ? [`removed ${removed.join(", ")}`] : [],
+        ...alreadyAbsent.length ? [`already absent ${alreadyAbsent.join(", ")}`] : []
+      ];
+      result.details.push(`${item.ref} \u2192 ${parts.join("; ")} (field=${item.priority})`);
+    } catch (e) {
+      result.failed += 1;
+      result.details.push(`${item.ref}: ${ghError(e)}`);
+    }
+  }
+  for (let i = 0; i < issues.length; i += concurrency) {
+    await Promise.all(issues.slice(i, i + concurrency).map(work));
+  }
+  return result;
+}
 async function recoverIssuePriority(client, item) {
   for (const label of item.labels) {
     const fromLabel = labelToFieldPriority(label);
@@ -7278,6 +7405,412 @@ async function runNorthstarContext(io, deps) {
 
 // src/index.ts
 var import_node_path14 = require("node:path");
+
+// src/merge-ci-policy.ts
+function resolveMergeCiPolicy(input) {
+  if (input.registryCi === "none") {
+    return { policy: "no-ci", reason: "registry META ci:none" };
+  }
+  if (input.registryRequiredChecks === null) {
+    return { policy: "no-ci", reason: "registry META requiredChecks:null" };
+  }
+  if (Array.isArray(input.registryRequiredChecks) && input.registryRequiredChecks.length === 0) {
+    return { policy: "no-ci", reason: "registry META requiredChecks:[]" };
+  }
+  const ciWorkflows = input.workflowPaths.filter(
+    (p) => /^\.github\/workflows\/[^/]+\.(ya?ml)$/i.test(p.replace(/\\/g, "/"))
+  );
+  if (!ciWorkflows.length) {
+    return { policy: "no-ci", reason: "no .github/workflows CI" };
+  }
+  return { policy: "wait-for-checks", reason: ciWorkflows.join(", ") };
+}
+function parseGhPrChecksOutput(stdout) {
+  const text = stdout.trim();
+  if (!text) return "no-checks-reported";
+  if (/^no checks reported/i.test(text)) return "no-checks-reported";
+  const lines = text.split(/\r?\n/).filter((l) => l.trim());
+  if (!lines.length) return "no-checks-reported";
+  let anyPending = false;
+  for (const line of lines) {
+    const parts = line.split(/\s+/);
+    const state = (parts[1] ?? "").toLowerCase();
+    if (state === "fail" || state === "failure" || state === "error") return "failure";
+    if (state === "pass" || state === "success" || state === "skipping" || state === "skipped") continue;
+    anyPending = true;
+  }
+  return anyPending ? "pending" : "success";
+}
+var PR_CHECKS_POLL_MS = 3e4;
+var PR_CHECKS_TIMEOUT_MS = 10 * 6e4;
+async function waitForPrChecks(deps) {
+  const { policy, reason } = await deps.resolvePolicy();
+  if (policy === "no-ci") {
+    return { policy, status: "skipped", reason };
+  }
+  const now = deps.now ?? (() => Date.now());
+  const deadline = now() + PR_CHECKS_TIMEOUT_MS;
+  let lastDetail = "pending";
+  while (now() < deadline) {
+    const state = await deps.pollChecks();
+    if (state === "success") return { policy, status: "success", detail: lastDetail };
+    if (state === "failure") return { policy, status: "failure", detail: lastDetail };
+    if (state === "no-checks-reported") {
+      lastDetail = "no-checks-reported (waiting for workflow to queue)";
+      await deps.sleep(PR_CHECKS_POLL_MS);
+      continue;
+    }
+    lastDetail = state;
+    await deps.sleep(PR_CHECKS_POLL_MS);
+  }
+  return { policy, status: "timeout", detail: lastDetail };
+}
+
+// src/bootstrap-ruleset.ts
+var PRODUCT_RULESET_NAME = "mmi-product-required-checks";
+var PRODUCT_GATE_CONTEXT = "gate";
+function stripRulesetComment(raw) {
+  const parsed = JSON.parse(raw);
+  delete parsed._comment;
+  return parsed;
+}
+function rulesetHasGateContext(ruleset, context = PRODUCT_GATE_CONTEXT) {
+  for (const rule of ruleset.rules ?? []) {
+    if (rule.type !== "required_status_checks") continue;
+    for (const check of rule.parameters?.required_status_checks ?? []) {
+      if (check.context === context) return true;
+    }
+  }
+  return false;
+}
+function findProductRuleset(rulesets) {
+  return rulesets.find((r) => r.name === PRODUCT_RULESET_NAME);
+}
+async function activateProductRuleset(repo, rulesetBody, client) {
+  const list = await client.rest("GET", `repos/${repo}/rulesets`, { timeoutMs: 2e4 });
+  const existing = findProductRuleset(list ?? []);
+  if (existing?.id != null) {
+    const detail = await client.rest("GET", `repos/${repo}/rulesets/${existing.id}`, { timeoutMs: 2e4 });
+    if (detail.enforcement === "active" && rulesetHasGateContext(detail)) {
+      return { action: "skipped", detail: "active ruleset already requires gate" };
+    }
+    await client.rest("PUT", `repos/${repo}/rulesets/${existing.id}`, { body: rulesetBody, timeoutMs: 2e4 });
+    return { action: "updated", detail: `ruleset ${existing.id}` };
+  }
+  await client.rest("POST", `repos/${repo}/rulesets`, { body: rulesetBody, timeoutMs: 2e4 });
+  return { action: "created" };
+}
+
+// src/ci-audit.ts
+var HUB_REPO = "mutmutco/MMI-Hub";
+var PRODUCT_GATE_CONTEXT2 = "gate";
+var HUB_GATE_CONTEXTS = ["cli", "infra", "docs"];
+var PRODUCT_GATE_PATH = ".github/workflows/gate.yml";
+var PRODUCT_RULESET_REF = ".github/rulesets/mmi-product-required-checks.json";
+function slugFromRepo(repo) {
+  return (repo.includes("/") ? repo.split("/")[1] : repo).toLowerCase();
+}
+function classifyRepo(repo, meta) {
+  if (repo.toLowerCase() === HUB_REPO.toLowerCase()) return "hub";
+  if (meta?.class === "content") return "content";
+  if (meta?.class === "deployable" || meta?.deployModel && meta.deployModel !== "content" && meta.deployModel !== "none") return "deployable";
+  if (meta) return "deployable";
+  return "unknown";
+}
+function rulesetStatusChecks(rulesets) {
+  return new Set(rulesets.flatMap((ruleset) => (ruleset.rules || []).filter((rule) => rule.type === "required_status_checks").flatMap((rule) => rule.parameters?.required_status_checks || []).map((check) => check.context).filter((context) => Boolean(context))));
+}
+async function restJson(deps, path2, fallback) {
+  try {
+    return await deps.client.rest("GET", path2) ?? fallback;
+  } catch {
+    return fallback;
+  }
+}
+async function rulesetDetails(deps, repo, list) {
+  const details = [];
+  for (const ruleset of list) {
+    if (ruleset.id == null || ruleset.rules != null) {
+      details.push(ruleset);
+      continue;
+    }
+    details.push(await restJson(deps, `repos/${repo}/rulesets/${ruleset.id}`, ruleset));
+  }
+  return details;
+}
+async function contentExists(deps, repo, branch, path2) {
+  try {
+    const encodedPath = path2.split("/").map(encodeURIComponent).join("/");
+    await deps.client.rest("GET", `repos/${repo}/contents/${encodedPath}?ref=${encodeURIComponent(branch)}`);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function collectRegistryRepos(projects) {
+  const seen = /* @__PURE__ */ new Set();
+  for (const project2 of projects) {
+    for (const raw of project2.repos ?? []) {
+      const repo = raw.includes("/") ? raw : `mutmutco/${raw}`;
+      seen.add(repo);
+    }
+  }
+  if (!seen.has(HUB_REPO)) seen.add(HUB_REPO);
+  return [...seen].sort((a, b) => a.localeCompare(b));
+}
+async function resolveRepoMergeCiPolicy(repo, deps) {
+  const meta = await deps.getProjectMeta(slugFromRepo(repo));
+  const repoClass = classifyRepo(repo, meta);
+  if (repoClass === "content") {
+    return resolveMergeCiPolicy({
+      workflowPaths: [],
+      registryCi: meta?.ci ?? "none",
+      registryRequiredChecks: meta?.requiredChecks ?? []
+    });
+  }
+  const baseBranch = "development";
+  const hasGate = repoClass === "hub" ? true : await contentExists(deps, repo, baseBranch, PRODUCT_GATE_PATH);
+  return resolveMergeCiPolicy({
+    workflowPaths: hasGate ? repoClass === "hub" ? [".github/workflows/gate.yml"] : [PRODUCT_GATE_PATH] : [],
+    registryCi: meta?.ci,
+    registryRequiredChecks: meta?.requiredChecks
+  });
+}
+async function auditRepoCi(repo, deps) {
+  const meta = await deps.getProjectMeta(slugFromRepo(repo));
+  const repoClass = classifyRepo(repo, meta);
+  const checks = [];
+  const info = await restJson(deps, `repos/${repo}`, {});
+  const baseBranch = repoClass === "content" ? "main" : "development";
+  checks.push({
+    ok: info.allow_auto_merge === true,
+    label: "allow_auto_merge enabled",
+    detail: info.allow_auto_merge === true ? void 0 : "false or unavailable",
+    remediation: `gh api -X PATCH repos/${repo} -f allow_auto_merge=true -f allow_squash_merge=true -f delete_branch_on_merge=true`
+  });
+  checks.push({
+    ok: info.allow_squash_merge === true,
+    label: "allow_squash_merge enabled",
+    detail: info.allow_squash_merge === true ? void 0 : "false or unavailable"
+  });
+  checks.push({
+    ok: info.delete_branch_on_merge === true,
+    label: "delete_branch_on_merge enabled",
+    detail: info.delete_branch_on_merge === true ? void 0 : "false or unavailable"
+  });
+  const hasGateWorkflow = repoClass === "hub" ? true : repoClass === "content" ? true : await contentExists(deps, repo, baseBranch, PRODUCT_GATE_PATH);
+  if (repoClass === "deployable") {
+    checks.push({
+      ok: hasGateWorkflow,
+      label: "gate workflow committed",
+      detail: hasGateWorkflow ? void 0 : `missing ${PRODUCT_GATE_PATH}`,
+      remediation: `mmi-cli bootstrap apply ${repo} --class deployable --execute (seeds gate.yml)`
+    });
+    checks.push({
+      ok: await contentExists(deps, repo, baseBranch, PRODUCT_RULESET_REF),
+      label: "product ruleset reference committed",
+      detail: `expected ${PRODUCT_RULESET_REF}`,
+      remediation: `mmi-cli bootstrap apply ${repo} --class deployable --execute`
+    });
+  }
+  const rulesetList = await restJson(deps, `repos/${repo}/rulesets?includes_parents=true`, []);
+  const rulesets = await rulesetDetails(deps, repo, rulesetList);
+  const activeBranchRulesets = rulesets.filter((r) => r.target === "branch" && r.enforcement === "active");
+  const statusChecks = rulesetStatusChecks(activeBranchRulesets);
+  if (repoClass === "hub") {
+    const missing = HUB_GATE_CONTEXTS.filter((c) => !statusChecks.has(c));
+    checks.push({
+      ok: missing.length === 0,
+      label: "Hub required status checks active",
+      detail: missing.length ? `missing: ${missing.join(", ")}` : void 0
+    });
+  } else if (repoClass === "deployable") {
+    const missing = [PRODUCT_GATE_CONTEXT2].filter((c) => !statusChecks.has(c));
+    checks.push({
+      ok: missing.length === 0,
+      label: "product gate status check active",
+      detail: missing.length ? `missing context: ${PRODUCT_GATE_CONTEXT2} \u2014 activate ${PRODUCT_RULESET_REF} as a repo ruleset` : void 0,
+      remediation: missing.length ? `Import ${PRODUCT_RULESET_REF} as an active repository ruleset (GitHub \u2192 Settings \u2192 Rules \u2192 Rulesets) \u2014 target: bootstrap --apply automation (#1440)` : void 0
+    });
+  }
+  const registryCi = meta?.ci;
+  const registryRequiredChecks = meta?.requiredChecks;
+  const workflowPaths = hasGateWorkflow && repoClass === "deployable" ? [PRODUCT_GATE_PATH] : [];
+  const { policy, reason } = resolveMergeCiPolicy({
+    workflowPaths,
+    registryCi,
+    registryRequiredChecks
+  });
+  if (repoClass === "content") {
+    const explicitNoCi = registryCi === "none" || registryRequiredChecks === null || Array.isArray(registryRequiredChecks) && registryRequiredChecks.length === 0;
+    checks.push({
+      ok: explicitNoCi,
+      label: "registry META declares intentional no-ci",
+      detail: explicitNoCi ? void 0 : "set ci:none and requiredChecks:[] in registry META",
+      remediation: `mmi-cli project set ${repo} --var ci=none --var requiredChecks=[]`
+    });
+  } else if (repoClass === "deployable") {
+    checks.push({
+      ok: policy === "wait-for-checks",
+      label: "merge CI policy is wait-for-checks",
+      detail: `${policy} (${reason})`
+    });
+  }
+  const ok = checks.every((c) => c.ok);
+  return { repo, class: repoClass, mergePolicy: policy, ok, checks };
+}
+async function auditOrgCi(deps, repoFilter) {
+  const projects = await deps.listProjects();
+  if (!projects) {
+    const single = repoFilter ?? HUB_REPO;
+    const report = await auditRepoCi(single, deps);
+    return { ok: report.ok, repos: [report] };
+  }
+  const targets = repoFilter ? [repoFilter] : collectRegistryRepos(projects);
+  const repos = [];
+  for (const repo of targets) {
+    repos.push(await auditRepoCi(repo, deps));
+  }
+  return { ok: repos.every((r) => r.ok), repos };
+}
+function renderCiAuditMarkdown(report) {
+  const lines = [
+    `# CI merge-readiness audit`,
+    "",
+    `Fleet: ${report.ok ? "OK" : "GAPS"} (${report.repos.filter((r) => r.ok).length}/${report.repos.length} repos ready)`,
+    "",
+    "| Repo | Class | Policy | OK | Top gap |",
+    "|------|-------|--------|----|---------|"
+  ];
+  for (const r of report.repos) {
+    const gap = r.checks.find((c) => !c.ok);
+    lines.push(`| ${r.repo} | ${r.class} | ${r.mergePolicy} | ${r.ok ? "yes" : "no"} | ${gap?.label ?? "\u2014"} |`);
+  }
+  return lines.join("\n");
+}
+function renderCiAuditText(report) {
+  const lines = [`mmi-cli ci audit: ${report.ok ? "OK" : "GAPS"} (${report.repos.length} repos)`];
+  for (const r of report.repos) {
+    lines.push(`
+${r.repo} (${r.class}, policy=${r.mergePolicy}) ${r.ok ? "OK" : "GAP"}`);
+    for (const c of r.checks) {
+      lines.push(`  ${c.ok ? "OK" : "FAIL"} ${c.label}${c.detail ? ` \u2014 ${c.detail}` : ""}`);
+    }
+  }
+  return lines.join("\n");
+}
+async function applyCiReconcileMergeSettings(repo, deps) {
+  const report = await auditRepoCi(repo, deps);
+  const applied = [];
+  const skipped = [];
+  const errors = [];
+  const mergeChecks = report.checks.filter((c) => c.label.startsWith("allow_") || c.label.startsWith("delete_branch"));
+  const needsPatch = mergeChecks.some((c) => !c.ok);
+  if (!needsPatch) {
+    skipped.push("merge settings already canonical");
+    return { repo, applied, skipped, errors };
+  }
+  try {
+    await deps.client.rest("PATCH", `repos/${repo}`, {
+      body: {
+        allow_auto_merge: true,
+        allow_squash_merge: true,
+        delete_branch_on_merge: true
+      }
+    });
+    applied.push("allow_auto_merge, allow_squash_merge, delete_branch_on_merge");
+  } catch (e) {
+    errors.push(e.message);
+  }
+  return { repo, applied, skipped, errors };
+}
+async function fetchRulesetSeedBody(deps, repo) {
+  try {
+    const encodedPath = PRODUCT_RULESET_REF.split("/").map(encodeURIComponent).join("/");
+    const file = await deps.client.rest(
+      "GET",
+      `repos/${repo}/contents/${encodedPath}?ref=development`
+    );
+    if (file.encoding !== "base64" || typeof file.content !== "string") return null;
+    return Buffer.from(file.content, "base64").toString("utf8");
+  } catch {
+    return null;
+  }
+}
+async function applyCiReconcileRepo(repo, deps) {
+  const merge = await applyCiReconcileMergeSettings(repo, deps);
+  const report = await auditRepoCi(repo, deps);
+  if (report.class !== "deployable") return merge;
+  const gateCheck = report.checks.find((c) => c.label === "product gate status check active");
+  if (gateCheck?.ok) {
+    merge.skipped.push("product ruleset already active");
+    return merge;
+  }
+  const raw = await fetchRulesetSeedBody(deps, repo);
+  if (!raw) {
+    merge.errors.push(`missing ${PRODUCT_RULESET_REF} on development \u2014 run bootstrap apply first`);
+    return merge;
+  }
+  try {
+    const body = stripRulesetComment(raw);
+    const activation = await activateProductRuleset(repo, body, deps.client);
+    if (activation.action === "skipped") merge.skipped.push(activation.detail ?? "product ruleset");
+    else merge.applied.push(`product ruleset ${activation.action}${activation.detail ? `: ${activation.detail}` : ""}`);
+  } catch (e) {
+    merge.errors.push(e.message);
+  }
+  return merge;
+}
+
+// src/pr-land.ts
+var PR_LAND_POLL_MS = 3e4;
+var PR_LAND_ENQUEUE_TIMEOUT_MS = 10 * 6e4;
+async function runPrLand(prNumber, options, deps) {
+  const repo = await deps.resolveRepo(prNumber, options.repo);
+  const base2 = { status: "failed", repo, pr: prNumber };
+  if (options.requireTrain !== false) {
+    const verdict = await deps.fetchTrainAuthority(repo);
+    if (!verdict.ok) {
+      return { ...base2, error: `train authority unavailable: ${verdict.error}` };
+    }
+    base2.train = { role: verdict.authority.role, train: verdict.authority.train };
+    if (!verdict.authority.train) {
+      return {
+        ...base2,
+        error: `@${verdict.authority.login ?? "caller"} is ${verdict.authority.role} \u2014 train not authorized on ${repo}; cannot land PR`
+      };
+    }
+  }
+  const ciPolicy = await deps.resolveCiPolicy(repo);
+  base2.ciPolicy = ciPolicy;
+  const checksWait = await deps.waitForChecks(prNumber, repo);
+  base2.checksWait = checksWait;
+  if (checksWait.status === "failure" || checksWait.status === "timeout") {
+    return {
+      ...base2,
+      error: `checks-wait ${checksWait.status}${checksWait.detail ? `: ${checksWait.detail}` : ""}`
+    };
+  }
+  const merge = await deps.mergeAuto(prNumber, repo);
+  base2.mergeStatus = merge.mergeStatus;
+  if (merge.mergeStatus === "failed") {
+    return { ...base2, error: merge.error ?? "merge failed" };
+  }
+  if (merge.mergeStatus === "merged") {
+    return { ...base2, status: "merged" };
+  }
+  const now = deps.now ?? (() => Date.now());
+  const merged = await deps.pollMerged(prNumber, repo, now() + PR_LAND_ENQUEUE_TIMEOUT_MS);
+  if (merged) {
+    return { ...base2, status: "auto-merge-enqueued-then-merged", mergeStatus: "merged" };
+  }
+  return {
+    ...base2,
+    error: "auto-merge enqueued but PR did not reach MERGED within timeout \u2014 poll manually with gh pr view"
+  };
+}
+
+// src/index.ts
 var import_node_os5 = require("node:os");
 
 // src/gh-create.ts
@@ -7614,7 +8147,7 @@ function parentLinkFields(result, error) {
 }
 
 // src/report.ts
-var HUB_REPO = "mutmutco/MMI-Hub";
+var HUB_REPO2 = "mutmutco/MMI-Hub";
 var REPORT_LABEL = "report";
 function findDuplicateReport(source, openReports, threshold = 0.6) {
   const normalizedTitle = normalizeTitle(source.title);
@@ -8298,6 +8831,28 @@ function selectSafeWorktreeCwd(worktrees, targetPath, options) {
   const exists = options?.pathExists ?? (() => true);
   return worktrees.find((w) => !samePath(w.path, targetPath) && exists(w.path))?.path;
 }
+function isPathUnderDirectory(childPath, parentPath) {
+  const child = normPath(childPath);
+  const parent = normPath(parentPath);
+  if (!child || !parent) return false;
+  if (child === parent) return true;
+  return child.startsWith(`${parent}/`);
+}
+function planReleaseCwdBeforeWorktreeRemoval(targetPath, safeCwd, currentCwd) {
+  if (!safeCwd || !isPathUnderDirectory(currentCwd, targetPath)) return void 0;
+  if (samePath(currentCwd, safeCwd)) return void 0;
+  return safeCwd;
+}
+function releaseCwdIfUnderWorktree(targetPath, safeCwd, options) {
+  const getCwd = options?.getCwd ?? (() => process.cwd());
+  const chdir = options?.chdir ?? ((path2) => {
+    process.chdir(path2);
+  });
+  const releaseTo = planReleaseCwdBeforeWorktreeRemoval(targetPath, safeCwd, getCwd());
+  if (!releaseTo) return false;
+  chdir(releaseTo);
+  return true;
+}
 function branchMissingFromList(branch, stdout) {
   const names = stdout.split(/\r?\n/).map((line) => line.replace(/^\*\s*/, "").trim()).filter(Boolean);
   return !names.includes(branch);
@@ -8350,6 +8905,10 @@ async function cleanupPrMergeLocalBranch(branch, options) {
         stageTeardown = { status: "failed", error: errorMessage(e) };
       }
     }
+    releaseCwdIfUnderWorktree(wtPath, safeCwd, {
+      getCwd: options.getCwd,
+      chdir: options.chdir
+    });
     const outcome = await removeWorktreeWithRecovery(wtPath, {
       git,
       sleep: options.sleep ?? defaultSleep,
@@ -8715,7 +9274,7 @@ function decideStage(inputs) {
 
 // src/cursor-plugin-seed.ts
 var import_node_child_process7 = require("node:child_process");
-var import_node_fs11 = require("node:fs");
+var import_node_fs12 = require("node:fs");
 var import_node_os4 = require("node:os");
 var import_node_path11 = require("node:path");
 var import_node_util6 = require("node:util");
@@ -8744,7 +9303,7 @@ function cursorUserGlobalStatePath() {
 }
 async function readCursorThirdPartyExtensibilityEnabled(execFileP5) {
   const dbPath = cursorUserGlobalStatePath();
-  if (!(0, import_node_fs11.existsSync)(dbPath)) return void 0;
+  if (!(0, import_node_fs12.existsSync)(dbPath)) return void 0;
   try {
     const { stdout } = await execFileP5("sqlite3", [dbPath, `SELECT value FROM ItemTable WHERE key = '${CURSOR_THIRD_PARTY_STATE_KEY}';`], {
       timeout: 5e3
@@ -8758,11 +9317,11 @@ async function readCursorThirdPartyExtensibilityEnabled(execFileP5) {
   }
 }
 function syncDirContents(src, dest) {
-  (0, import_node_fs11.mkdirSync)(dest, { recursive: true });
-  for (const name of (0, import_node_fs11.readdirSync)(dest)) {
-    (0, import_node_fs11.rmSync)((0, import_node_path11.join)(dest, name), { recursive: true, force: true });
+  (0, import_node_fs12.mkdirSync)(dest, { recursive: true });
+  for (const name of (0, import_node_fs12.readdirSync)(dest)) {
+    (0, import_node_fs12.rmSync)((0, import_node_path11.join)(dest, name), { recursive: true, force: true });
   }
-  (0, import_node_fs11.cpSync)(src, dest, { recursive: true });
+  (0, import_node_fs12.cpSync)(src, dest, { recursive: true });
 }
 function releaseTag(releasedVersion) {
   return releasedVersion.startsWith("v") ? releasedVersion : `v${releasedVersion}`;
@@ -8776,7 +9335,7 @@ async function extractPluginMmiFromHubCheckout(hubCheckout, tag, tmpRoot, execFi
     });
     await execFileP5("tar", ["-xf", tarFile, "-C", tmpRoot], { timeout: 6e4 });
     const pluginMmi = (0, import_node_path11.join)(tmpRoot, "plugins", "mmi");
-    return (0, import_node_fs11.existsSync)((0, import_node_path11.join)(pluginMmi, PLUGIN_JSON_REL)) ? pluginMmi : void 0;
+    return (0, import_node_fs12.existsSync)((0, import_node_path11.join)(pluginMmi, PLUGIN_JSON_REL)) ? pluginMmi : void 0;
   } catch {
     return void 0;
   }
@@ -8784,25 +9343,25 @@ async function extractPluginMmiFromHubCheckout(hubCheckout, tag, tmpRoot, execFi
 async function downloadPluginMmiViaGh(tag, tmpRoot) {
   const tarPath = (0, import_node_path11.join)(tmpRoot, "repo.tgz");
   try {
-    (0, import_node_fs11.mkdirSync)(tmpRoot, { recursive: true });
+    (0, import_node_fs12.mkdirSync)(tmpRoot, { recursive: true });
     const { stdout } = await execFileBuffer("gh", ghReleaseTarballApiArgs(tag), {
       timeout: 12e4,
       maxBuffer: 100 * 1024 * 1024,
       encoding: "buffer",
       windowsHide: true
     });
-    (0, import_node_fs11.writeFileSync)(tarPath, stdout);
+    (0, import_node_fs12.writeFileSync)(tarPath, stdout);
     await execFileBuffer("tar", ["-xzf", tarPath, "-C", tmpRoot], { timeout: 12e4, windowsHide: true });
-    const top = (0, import_node_fs11.readdirSync)(tmpRoot).find((entry) => entry !== "repo.tgz");
+    const top = (0, import_node_fs12.readdirSync)(tmpRoot).find((entry) => entry !== "repo.tgz");
     if (!top) return void 0;
     const pluginMmi = (0, import_node_path11.join)(tmpRoot, top, "plugins", "mmi");
-    return (0, import_node_fs11.existsSync)((0, import_node_path11.join)(pluginMmi, PLUGIN_JSON_REL)) ? pluginMmi : void 0;
+    return (0, import_node_fs12.existsSync)((0, import_node_path11.join)(pluginMmi, PLUGIN_JSON_REL)) ? pluginMmi : void 0;
   } catch {
     return void 0;
   }
 }
 async function resolvePluginMmiSource(releasedVersion, hubCheckout, tmpRoot, execFileP5) {
-  (0, import_node_fs11.mkdirSync)(tmpRoot, { recursive: true });
+  (0, import_node_fs12.mkdirSync)(tmpRoot, { recursive: true });
   const tag = releaseTag(releasedVersion);
   if (hubCheckout) {
     const fromHub = await extractPluginMmiFromHubCheckout(hubCheckout, tag, tmpRoot, execFileP5);
@@ -8829,7 +9388,7 @@ async function applyCursorPluginCacheSeed(input) {
   for (const pin of pinsToSeed) {
     syncDirContents(source, pin.path);
   }
-  (0, import_node_fs11.rmSync)(tmpRoot, { recursive: true, force: true });
+  (0, import_node_fs12.rmSync)(tmpRoot, { recursive: true, force: true });
   return true;
 }
 
@@ -9092,6 +9651,12 @@ function cachePathJoin(root, ...parts) {
   const sep = root.includes("\\") ? "\\" : "/";
   return [root.replace(/[\\/]+$/, ""), ...parts].join(sep);
 }
+function cacheParentDir(root) {
+  const sep = root.includes("\\") ? "\\" : "/";
+  const trimmed = root.replace(/[\\/]+$/, "");
+  const idx = trimmed.lastIndexOf(sep);
+  return idx <= 0 ? root : trimmed.slice(0, idx);
+}
 function isProtectedCacheDir(name, protectedVersions) {
   const normalized = normalizeVersion(name);
   return name.startsWith(".") || normalized !== void 0 && protectedVersions.has(normalized);
@@ -9122,7 +9687,7 @@ function buildMmiPluginCacheCleanupCheck(input) {
     plannedCount: leftovers.length,
     quarantinePlan: leftovers.map((entry) => ({
       from: entry.path,
-      to: cachePathJoin(entry.root, ".mmi-quarantine", stamp, entry.name)
+      to: cachePathJoin(cacheParentDir(entry.root), ".mmi-quarantine", stamp, entry.name)
     }))
   };
 }
@@ -9183,6 +9748,12 @@ var CLAUDE_PLUGIN_HEAL_STEPS = [
   { args: ["plugin", "install", "mmi@mmi"], gated: true },
   { args: ["plugin", "enable", "mmi@mmi"], gated: false }
 ];
+var CODEX_PLUGIN_RECOVERY = "codex plugin marketplace remove mmi && codex plugin marketplace add mutmutco/MMI-Hub --ref main && codex plugin add mmi@mmi";
+var CODEX_PLUGIN_HEAL_STEPS = [
+  { args: ["plugin", "marketplace", "remove", "mmi"], gated: false },
+  { args: ["plugin", "marketplace", "add", "mutmutco/MMI-Hub", "--ref", "main"], gated: true },
+  { args: ["plugin", "add", "mmi@mmi"], gated: true }
+];
 function healStepAborts(step, ok) {
   return !ok && step.gated;
 }
@@ -9193,7 +9764,7 @@ function pluginRecoveryFix(surface) {
     case "claude-cli":
       return `${claude}   # then ${reloadAction(surface)} to reload MMI commands`;
     case "codex":
-      return "codex plugin marketplace upgrade mmi && codex plugin add mmi@mmi   # then restart Codex";
+      return `${CODEX_PLUGIN_RECOVERY}   # then ${reloadAction(surface)}`;
     case "cursor":
       return `in Cursor Dashboard \u2192 Settings \u2192 Plugins, click Update next to the MMI Team Marketplace; then ${reloadAction(surface)} to reload MMI skills + hooks`;
     case "shell":
@@ -9203,7 +9774,7 @@ function pluginRecoveryFix(surface) {
 }
 var PLUGIN_UPDATE_RECIPES = {
   claude: [CLAUDE_PLUGIN_RECOVERY],
-  codex: ["codex plugin marketplace upgrade mmi", "codex plugin list   # verify mmi@mmi shows the new version"],
+  codex: [CODEX_PLUGIN_RECOVERY, "codex plugin list   # verify mmi@mmi shows the released version"],
   cli: ["npm install -g @mutmutco/cli@latest"]
 };
 function highestSemver(versions) {
@@ -9257,7 +9828,7 @@ function isSemverVersion2(v) {
   return typeof v === "string" && /^v?\d+\.\d+\.\d+/.test(v.trim());
 }
 function staleRecordCommand(surface) {
-  return surface === "codex" ? "codex plugin marketplace upgrade mmi && codex plugin add mmi@mmi" : CLAUDE_PLUGIN_RECOVERY;
+  return surface === "codex" ? CODEX_PLUGIN_RECOVERY : CLAUDE_PLUGIN_RECOVERY;
 }
 function staleSurfacesFix(stale, releasedVersion) {
   const parts = stale.map((s) => {
@@ -9535,7 +10106,7 @@ async function runStageLiveDown(deps, t) {
 
 // src/stage-runner.ts
 var import_node_child_process8 = require("node:child_process");
-var import_node_fs12 = require("node:fs");
+var import_node_fs13 = require("node:fs");
 var import_node_path12 = require("node:path");
 var import_node_net2 = require("node:net");
 var import_node_util7 = require("node:util");
@@ -9583,6 +10154,27 @@ function detectStaleEnvFile(exampleContent, targetContent, mtimes) {
 function stageStatePath(cwd = process.cwd()) {
   return (0, import_node_path12.join)(cwd, "tmp", "stage", "state.json");
 }
+function mergeEnvSecretsIntoFile(content, secrets2) {
+  const lines = content.split(/\r?\n/);
+  const indexByKey = /* @__PURE__ */ new Map();
+  for (let i = 0; i < lines.length; i++) {
+    const trimmed = lines[i].trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eq = trimmed.indexOf("=");
+    if (eq === -1) continue;
+    indexByKey.set(trimmed.slice(0, eq).trim(), i);
+  }
+  for (const [key, value] of Object.entries(secrets2)) {
+    const escaped = /[\s#"'\\]/.test(value) ? `"${value.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"` : value;
+    const line = `${key}=${escaped}`;
+    const idx = indexByKey.get(key);
+    if (idx != null) lines[idx] = line;
+    else lines.push(line);
+  }
+  const body = lines.join("\n");
+  return body.endsWith("\n") ? body : `${body}
+`;
+}
 var POSIX_ONLY_VERBS = ["cp", "mv", "rm", "ln", "cat", "touch", "chmod", "export"];
 function posixOnlyShellProblems(command, field, platform = process.platform) {
   if (platform !== "win32" || !command?.trim()) return [];
@@ -9643,9 +10235,9 @@ async function shell(command, cwd, timeoutMs) {
   });
 }
 function readState(path2) {
-  if (!(0, import_node_fs12.existsSync)(path2)) return null;
+  if (!(0, import_node_fs13.existsSync)(path2)) return null;
   try {
-    return JSON.parse((0, import_node_fs12.readFileSync)(path2, "utf8"));
+    return JSON.parse((0, import_node_fs13.readFileSync)(path2, "utf8"));
   } catch {
     return null;
   }
@@ -9697,7 +10289,7 @@ async function stopStage(opts = {}) {
     return { ok: true, action: "stop", statePath, message: "no previous stage state found" };
   }
   await killTree(state.pid);
-  (0, import_node_fs12.rmSync)(statePath, { force: true });
+  (0, import_node_fs13.rmSync)(statePath, { force: true });
   return { ok: true, action: "stop", statePath, pid: state.pid, message: `stopped previous stage pid ${state.pid}` };
 }
 async function startStage(config = {}, opts = {}) {
@@ -9706,7 +10298,7 @@ async function startStage(config = {}, opts = {}) {
   const cwd = opts.cwd ?? process.cwd();
   const statePath = opts.statePath ?? stageStatePath(cwd);
   const dir = statePath.slice(0, Math.max(statePath.lastIndexOf("/"), statePath.lastIndexOf("\\")));
-  (0, import_node_fs12.mkdirSync)(dir, { recursive: true });
+  (0, import_node_fs13.mkdirSync)(dir, { recursive: true });
   let stagePort;
   if (config.portRange) {
     const [s, e] = config.portRange;
@@ -9718,12 +10310,12 @@ async function startStage(config = {}, opts = {}) {
   if (config.ensureEnv) {
     const target = (0, import_node_path12.join)(cwd, config.ensureEnv.target);
     const example = (0, import_node_path12.join)(cwd, config.ensureEnv.example);
-    if (!(0, import_node_fs12.existsSync)(target) && (0, import_node_fs12.existsSync)(example)) {
-      (0, import_node_fs12.copyFileSync)(example, target);
-    } else if ((0, import_node_fs12.existsSync)(target) && (0, import_node_fs12.existsSync)(example)) {
-      const stale = detectStaleEnvFile((0, import_node_fs12.readFileSync)(example, "utf8"), (0, import_node_fs12.readFileSync)(target, "utf8"), {
-        exampleMtimeMs: (0, import_node_fs12.statSync)(example).mtimeMs,
-        targetMtimeMs: (0, import_node_fs12.statSync)(target).mtimeMs
+    if (!(0, import_node_fs13.existsSync)(target) && (0, import_node_fs13.existsSync)(example)) {
+      (0, import_node_fs13.copyFileSync)(example, target);
+    } else if ((0, import_node_fs13.existsSync)(target) && (0, import_node_fs13.existsSync)(example)) {
+      const stale = detectStaleEnvFile((0, import_node_fs13.readFileSync)(example, "utf8"), (0, import_node_fs13.readFileSync)(target, "utf8"), {
+        exampleMtimeMs: (0, import_node_fs13.statSync)(example).mtimeMs,
+        targetMtimeMs: (0, import_node_fs13.statSync)(target).mtimeMs
       });
       if (stale) {
         const msg = `stale ${config.ensureEnv.target} (${stale}) \u2014 delete it or refresh from ${config.ensureEnv.example} before re-running /stage`;
@@ -9731,6 +10323,9 @@ async function startStage(config = {}, opts = {}) {
         console.error(`mmi-cli stage: ${msg} (allowed via --allow-stale-env)`);
       }
     }
+    if (opts.vaultEnvMerge && Object.keys(opts.vaultEnvMerge).length && (0, import_node_fs13.existsSync)(target)) {
+      (0, import_node_fs13.writeFileSync)(target, mergeEnvSecretsIntoFile((0, import_node_fs13.readFileSync)(target, "utf8"), opts.vaultEnvMerge), "utf8");
+    }
   }
   const extraEnv = {};
   for (const [k, v] of Object.entries(config.env ?? {})) extraEnv[k] = sub(v) ?? v;
@@ -9754,13 +10349,13 @@ async function startStage(config = {}, opts = {}) {
     healthUrl: sub(config.healthUrl?.trim()) || void 0,
     port: stagePort
   };
-  (0, import_node_fs12.writeFileSync)(statePath, JSON.stringify(state, null, 2), "utf8");
+  (0, import_node_fs13.writeFileSync)(statePath, JSON.stringify(state, null, 2), "utf8");
   try {
     if (state.healthUrl) await waitForHealth(state.healthUrl, opts.timeoutMs ?? 6e4, config.healthAnyStatus);
     else await waitForProcessStability(child);
   } catch (e) {
     await killTree(state.pid);
-    (0, import_node_fs12.rmSync)(statePath, { force: true });
+    (0, import_node_fs13.rmSync)(statePath, { force: true });
     throw e;
   }
   const result = { ok: true, action: "start", statePath, pid: state.pid, port: stagePort, message: `started stage pid ${state.pid}${stagePort != null ? ` on port ${stagePort}` : ""}` };
@@ -10030,9 +10625,9 @@ async function requireBranch(deps, branch) {
   const current = clean(await deps.run("git", ["rev-parse", "--abbrev-ref", "HEAD"]));
   if (current !== branch) throw new Error(`must run from ${branch}, currently on ${current || "(unknown)"}`);
 }
-var HUB_REPO2 = "mutmutco/MMI-Hub";
+var HUB_REPO3 = "mutmutco/MMI-Hub";
 function isHubControlRepo(repo) {
-  return repo.toLowerCase() === HUB_REPO2.toLowerCase();
+  return repo.toLowerCase() === HUB_REPO3.toLowerCase();
 }
 function projectGetFailureText(e) {
   const err = e;
@@ -10092,7 +10687,7 @@ async function correlateDispatchedRun(deps, workflow, since) {
         "run",
         "list",
         "--repo",
-        HUB_REPO2,
+        HUB_REPO3,
         "--workflow",
         workflow,
         "--limit",
@@ -10126,7 +10721,7 @@ async function correlateWorkflowRun(deps, args) {
       "run",
       "list",
       "--repo",
-      HUB_REPO2,
+      HUB_REPO3,
       "--workflow",
       args.workflow,
       "--event",
@@ -10154,7 +10749,7 @@ async function correlateWorkflowRun(deps, args) {
 async function watchTenantRun(deps, runId) {
   if (runId == null) return "pending";
   try {
-    await deps.run("gh", ["run", "watch", String(runId), "--repo", HUB_REPO2, "--exit-status"]);
+    await deps.run("gh", ["run", "watch", String(runId), "--repo", HUB_REPO3, "--exit-status"]);
     return "success";
   } catch {
     return "failure";
@@ -10375,7 +10970,7 @@ async function dispatchDeploy(deps, ctx, stage2, ref, model, watch, autoRunSince
       "run",
       "tenant-publish.yml",
       "--repo",
-      HUB_REPO2,
+      HUB_REPO3,
       "-f",
       `slug=${ctx.slug}`,
       "-f",
@@ -11499,7 +12094,7 @@ async function announceRelease(deps, args) {
 }
 
 // src/port-registry.ts
-var import_node_fs13 = require("node:fs");
+var import_node_fs14 = require("node:fs");
 
 // ../infra/port-geometry.mjs
 var PORT_BLOCK = 100;
@@ -11513,8 +12108,8 @@ function nextPortBlock(registry2) {
   return [base2, base2 + PORT_SPAN];
 }
 function loadPortRegistry(path2) {
-  if (!(0, import_node_fs13.existsSync)(path2)) return {};
-  const raw = JSON.parse((0, import_node_fs13.readFileSync)(path2, "utf8"));
+  if (!(0, import_node_fs14.existsSync)(path2)) return {};
+  const raw = JSON.parse((0, import_node_fs14.readFileSync)(path2, "utf8"));
   const out = {};
   for (const [key, value] of Object.entries(raw)) {
     if (Array.isArray(value) && value.length === 2 && value.every((n) => typeof n === "number")) {
@@ -11528,9 +12123,9 @@ function ensurePortRange(repo, path2) {
   const existing = registry2[repo];
   if (existing) return existing;
   const range = nextPortBlock(registry2);
-  const raw = (0, import_node_fs13.existsSync)(path2) ? JSON.parse((0, import_node_fs13.readFileSync)(path2, "utf8")) : {};
+  const raw = (0, import_node_fs14.existsSync)(path2) ? JSON.parse((0, import_node_fs14.readFileSync)(path2, "utf8")) : {};
   raw[repo] = range;
-  (0, import_node_fs13.writeFileSync)(path2, JSON.stringify(raw, null, 2) + "\n", "utf8");
+  (0, import_node_fs14.writeFileSync)(path2, JSON.stringify(raw, null, 2) + "\n", "utf8");
   return range;
 }
 function portCursorSeed(registry2) {
@@ -11582,7 +12177,7 @@ function safeJson(text, fallback) {
     return fallback;
   }
 }
-async function restJson(deps, path2, fallback) {
+async function restJson2(deps, path2, fallback) {
   try {
     return await deps.client.rest("GET", path2) ?? fallback;
   } catch {
@@ -11709,7 +12304,7 @@ async function auditRepoAccess(repo, repoClass, owners, deps, projectAdmins = /*
   return { repo, class: repoClass, ok: !findings.some((f) => f.severity === "high"), findings };
 }
 async function auditOrgBasePermission(deps) {
-  const org = await restJson(deps, `orgs/${OWNER2}`, {});
+  const org = await restJson2(deps, `orgs/${OWNER2}`, {});
   const perm = org.default_repository_permission;
   if (perm && perm !== "read" && perm !== "none") {
     return [{
@@ -11818,8 +12413,8 @@ var requiredIssueTemplates = [
 var requiredWorkflows = [];
 var requiredProductWorkflows = [".github/workflows/gate.yml"];
 var requiredProductRulesetRef = ".github/rulesets/mmi-product-required-checks.json";
-var HUB_REPO3 = "mutmutco/MMI-Hub";
-var requiredLabels = ["bug", "feature", "task", "priority:urgent", "priority:high", "priority:medium", "priority:low"];
+var HUB_REPO4 = "mutmutco/MMI-Hub";
+var requiredLabels = ["bug", "feature", "task"];
 var requiredPriorityOptions = ["Urgent", "High", "Medium", "Low"];
 var strayDefaultLabels = ["documentation", "duplicate", "enhancement", "good first issue", "help wanted", "invalid", "question", "wontfix"];
 var requiredStatusOptions = ["Todo", "In Progress", "In Review", "Done"];
@@ -11858,7 +12453,7 @@ function safeJson2(text, fallback) {
     return fallback;
   }
 }
-async function restJson2(deps, path2, fallback) {
+async function restJson3(deps, path2, fallback) {
   try {
     return await deps.client.rest("GET", path2) ?? fallback;
   } catch {
@@ -11872,7 +12467,7 @@ async function restPagedJson2(deps, path2, fallback) {
     return fallback;
   }
 }
-async function contentExists(deps, repo, branch, path2) {
+async function contentExists2(deps, repo, branch, path2) {
   try {
     const encodedPath = path2.split("/").map(encodeURIComponent).join("/");
     await deps.client.rest("GET", `repos/${repo}/contents/${encodedPath}?ref=${encodeURIComponent(branch)}`);
@@ -11917,17 +12512,17 @@ function missingRuleTypes(ruleset, required) {
   const types = new Set((ruleset.rules || []).map((rule) => rule.type).filter(Boolean));
   return required.filter((type) => !types.has(type));
 }
-function rulesetStatusChecks(rulesets) {
+function rulesetStatusChecks2(rulesets) {
   return new Set(rulesets.flatMap((ruleset) => (ruleset.rules || []).filter((rule) => rule.type === "required_status_checks").flatMap((rule) => rule.parameters?.required_status_checks || []).map((check) => check.context).filter((context) => Boolean(context))));
 }
-async function rulesetDetails(deps, repo, list) {
+async function rulesetDetails2(deps, repo, list) {
   const details = [];
   for (const ruleset of list) {
     if (ruleset.id == null || ruleset.rules != null) {
       details.push(ruleset);
       continue;
     }
-    details.push(await restJson2(deps, `repos/${repo}/rulesets/${ruleset.id}`, ruleset));
+    details.push(await restJson3(deps, `repos/${repo}/rulesets/${ruleset.id}`, ruleset));
   }
   return details;
 }
@@ -11946,7 +12541,7 @@ async function verifyBootstrap(repo, repoClass, deps, releaseTrack) {
   const branchesWanted = expectedBranches(repoClass, releaseTrack);
   const baseBranch = releaseTrack === "trunk" || repoClass === "content" ? "main" : "development";
   const checks = [];
-  const repoInfo = await restJson2(deps, `repos/${repo}`, {});
+  const repoInfo = await restJson3(deps, `repos/${repo}`, {});
   checks.push({ ok: Boolean(repoInfo.default_branch), label: "repo exists" });
   checks.push({ ok: repoInfo.default_branch === baseBranch, label: `default branch is ${baseBranch}`, detail: repoInfo.default_branch || "missing" });
   checks.push({ ok: repoInfo.has_wiki === true, label: "wiki enabled", detail: repoInfo.has_wiki === true ? void 0 : "has_wiki is false or unavailable" });
@@ -11976,29 +12571,29 @@ async function verifyBootstrap(repo, repoClass, deps, releaseTrack) {
     detail: overgrants.length ? `over-granted: ${overgrants.map((f) => f.actor).join(", ")}` : void 0
   });
   for (const path2 of requiredDocs) {
-    checks.push({ ok: await contentExists(deps, repo, baseBranch, path2), label: `bootstrap artifact exists: ${path2}` });
+    checks.push({ ok: await contentExists2(deps, repo, baseBranch, path2), label: `bootstrap artifact exists: ${path2}` });
   }
   for (const path2 of requiredIssueTemplates) {
-    checks.push({ ok: await contentExists(deps, repo, baseBranch, path2), label: `issue template exists: ${path2}` });
+    checks.push({ ok: await contentExists2(deps, repo, baseBranch, path2), label: `issue template exists: ${path2}` });
   }
   for (const path2 of requiredWorkflows) {
-    checks.push({ ok: await contentExists(deps, repo, baseBranch, path2), label: `automation workflow exists: ${path2}` });
+    checks.push({ ok: await contentExists2(deps, repo, baseBranch, path2), label: `automation workflow exists: ${path2}` });
   }
-  if (repo !== HUB_REPO3) {
+  if (repo !== HUB_REPO4 && repoClass === "deployable") {
     for (const path2 of requiredProductWorkflows) {
-      checks.push({ ok: await contentExists(deps, repo, baseBranch, path2), label: `gate workflow exists: ${path2}` });
+      checks.push({ ok: await contentExists2(deps, repo, baseBranch, path2), label: `gate workflow exists: ${path2}` });
     }
     checks.push({
-      ok: await contentExists(deps, repo, baseBranch, requiredProductRulesetRef),
+      ok: await contentExists2(deps, repo, baseBranch, requiredProductRulesetRef),
       label: "product required-check ruleset reference exists",
       detail: `expected: ${requiredProductRulesetRef} (apply as an active repo ruleset after bootstrap)`
     });
   }
   if (repoClass === "deployable") {
     const trainScript = "scripts/next-version.mjs";
-    checks.push({ ok: await contentExists(deps, repo, baseBranch, trainScript), label: `train tooling script exists: ${trainScript}` });
+    checks.push({ ok: await contentExists2(deps, repo, baseBranch, trainScript), label: `train tooling script exists: ${trainScript}` });
   }
-  checks.push({ ok: await contentExists(deps, repo, baseBranch, ".cursor/environment.json"), label: "Cursor environment committed" });
+  checks.push({ ok: await contentExists2(deps, repo, baseBranch, ".cursor/environment.json"), label: "Cursor environment committed" });
   const readme = await contentText(deps, repo, baseBranch, "README.md");
   checks.push({
     ok: readme !== null && readme.includes("## Agent context"),
@@ -12006,7 +12601,7 @@ async function verifyBootstrap(repo, repoClass, deps, releaseTrack) {
     detail: readme === null ? "README.md not readable via API" : void 0
   });
   const agentRulesPath = `.cursor/rules/${repoSlugFromFullName(repo)}.mdc`;
-  const agentRulesOk = await contentExists(deps, repo, baseBranch, agentRulesPath);
+  const agentRulesOk = await contentExists2(deps, repo, baseBranch, agentRulesPath);
   checks.push({
     ok: agentRulesOk,
     label: "Cursor agent rules file exists",
@@ -12019,7 +12614,7 @@ async function verifyBootstrap(repo, repoClass, deps, releaseTrack) {
   }
   const strays = strayDefaultLabels.filter((l) => labelNames.has(l));
   checks.push({ ok: strays.length === 0, label: "no stray GitHub-default labels", detail: presentDetail(strays) });
-  const actions = await restJson2(deps, `repos/${repo}/actions/permissions`, {});
+  const actions = await restJson3(deps, `repos/${repo}/actions/permissions`, {});
   checks.push({ ok: actions.enabled === true, label: "GitHub Actions enabled" });
   const config = deps.projectMeta ?? null;
   checks.push({
@@ -12124,8 +12719,8 @@ async function verifyBootstrap(repo, repoClass, deps, releaseTrack) {
   if (fanout != null) checks.push({ ok: fanout, label: `fanout target registered on ${baseBranch}` });
   const projectRegistry = localRegistryCheck(deps, "projects.json", (json) => Array.isArray(json?.projects) && projectRegistryIncludesRepo(json.projects, repo));
   if (projectRegistry != null) checks.push({ ok: projectRegistry, label: "cloud-agent project registry includes repo" });
-  const rulesetList = await restJson2(deps, `repos/${repo}/rulesets?includes_parents=true`, []);
-  const rulesets = await rulesetDetails(deps, repo, rulesetList);
+  const rulesetList = await restJson3(deps, `repos/${repo}/rulesets?includes_parents=true`, []);
+  const rulesets = await rulesetDetails2(deps, repo, rulesetList);
   const activeOrgRulesets = rulesets.filter(
     (r) => r.source_type === "Organization" && r.target === "branch" && r.enforcement === "active"
   );
@@ -12136,16 +12731,16 @@ async function verifyBootstrap(repo, repoClass, deps, releaseTrack) {
     label: "covered by an active org ruleset",
     detail: orgRuleset ? void 0 : activeOrgRulesets.length === 0 ? "no active Organization-sourced branch ruleset targets this repo" : `missing rule types: ${missingOrgRuleTypes.join(", ")}`
   });
-  if (repo === HUB_REPO3) {
-    const statusChecks = rulesetStatusChecks(rulesets.filter((r) => r.target === "branch" && r.enforcement === "active"));
+  if (repo === HUB_REPO4) {
+    const statusChecks = rulesetStatusChecks2(rulesets.filter((r) => r.target === "branch" && r.enforcement === "active"));
     const missing = requiredHubStatusChecks.filter((check) => !statusChecks.has(check));
     checks.push({
       ok: missing.length === 0,
       label: "Hub required status checks configured",
       detail: optionDetail(missing)
     });
-  } else {
-    const statusChecks = rulesetStatusChecks(rulesets.filter((r) => r.target === "branch" && r.enforcement === "active"));
+  } else if (repoClass === "deployable") {
+    const statusChecks = rulesetStatusChecks2(rulesets.filter((r) => r.target === "branch" && r.enforcement === "active"));
     const missing = requiredProductStatusChecks.filter((check) => !statusChecks.has(check));
     checks.push({
       ok: missing.length === 0,
@@ -13848,11 +14443,11 @@ async function planGraduate(deps, slug, opts = {}) {
 }
 
 // src/atomic-write.ts
-var import_node_fs14 = require("node:fs");
+var import_node_fs15 = require("node:fs");
 function atomicWriteFileSync(path2, content) {
   const tmp = `${path2}.${process.pid}.tmp`;
-  (0, import_node_fs14.writeFileSync)(tmp, content, "utf8");
-  (0, import_node_fs14.renameSync)(tmp, path2);
+  (0, import_node_fs15.writeFileSync)(tmp, content, "utf8");
+  (0, import_node_fs15.renameSync)(tmp, path2);
 }
 
 // src/oauth.ts
@@ -14083,7 +14678,7 @@ async function fetchHubVersionInfo(baseUrl) {
 }
 function readRepoVersion() {
   try {
-    return JSON.parse((0, import_node_fs15.readFileSync)((0, import_node_path14.join)(process.cwd(), ".claude-plugin", "plugin.json"), "utf8")).version || void 0;
+    return JSON.parse((0, import_node_fs16.readFileSync)((0, import_node_path14.join)(process.cwd(), ".claude-plugin", "plugin.json"), "utf8")).version || void 0;
   } catch {
     return void 0;
   }
@@ -14158,6 +14753,22 @@ async function applyClaudePluginHeal(surface, log) {
   }
   return true;
 }
+async function runCodexPlugin(args) {
+  try {
+    await runHostBin("codex", args, { timeout: CLAUDE_PLUGIN_TIMEOUT_MS });
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function applyCodexPluginHeal(surface, log) {
+  if (surface !== "codex") return false;
+  log("  \u21BB reinstalling the MMI plugin via `codex plugin` (marketplace remove \u2192 add --ref main \u2192 add)\u2026");
+  for (const step of CODEX_PLUGIN_HEAL_STEPS) {
+    if (healStepAborts(step, await runCodexPlugin([...step.args]))) return false;
+  }
+  return true;
+}
 var program2 = new Command();
 program2.name("mmi-cli").description("MMI Future CLI \u2014 org rules delivery, saga, KB. The engine the plugin SessionStart hook drives.").version(resolveClientVersion());
 async function runRulesSync(opts, io = consoleIo) {
@@ -14193,10 +14804,10 @@ async function runRulesSync(opts, io = consoleIo) {
   for (const entry of fetched) {
     if ("error" in entry) continue;
     const { file, source } = entry;
-    const current = (0, import_node_fs15.existsSync)(file) ? await (0, import_promises5.readFile)(file, "utf8") : null;
+    const current = (0, import_node_fs16.existsSync)(file) ? await (0, import_promises5.readFile)(file, "utf8") : null;
     if (needsUpdate(source, current)) {
       const slash = file.lastIndexOf("/");
-      if (slash > 0) (0, import_node_fs15.mkdirSync)(file.slice(0, slash), { recursive: true });
+      if (slash > 0) (0, import_node_fs16.mkdirSync)(file.slice(0, slash), { recursive: true });
       await (0, import_promises5.writeFile)(file, normalizeEol(source), "utf8");
       changed++;
       if (!opts.quiet) io.log(`mmi-cli rules: updated ${file}`);
@@ -14222,7 +14833,7 @@ async function runDocsSync(opts, io = consoleIo) {
         return null;
       }
     },
-    localContent: async (f) => (0, import_node_fs15.existsSync)(f) ? await (0, import_promises5.readFile)(f, "utf8") : null,
+    localContent: async (f) => (0, import_node_fs16.existsSync)(f) ? await (0, import_promises5.readFile)(f, "utf8") : null,
     writeDoc: async (f, c) => {
       await (0, import_promises5.writeFile)(f, c, "utf8");
     }
@@ -14395,7 +15006,7 @@ function detachPlanSync() {
   }
 }
 function makePlanDeps(cfg, io = consoleIo) {
-  const ensureDir = () => (0, import_node_fs15.mkdirSync)(PLANS_DIR, { recursive: true });
+  const ensureDir = () => (0, import_node_fs16.mkdirSync)(PLANS_DIR, { recursive: true });
   return {
     apiUrl: cfg.sagaApiUrl,
     fetch: (url, init = {}) => fetch(url, { ...init, signal: init.signal ?? AbortSignal.timeout(1e4) }),
@@ -14403,24 +15014,24 @@ function makePlanDeps(cfg, io = consoleIo) {
     project: async () => (await sagaKey(cfg)).project,
     readLocal: (slug) => {
       try {
-        return (0, import_node_fs15.readFileSync)(planPath(slug), "utf8");
+        return (0, import_node_fs16.readFileSync)(planPath(slug), "utf8");
       } catch {
         return null;
       }
     },
     writeLocal: (slug, content) => {
       ensureDir();
-      (0, import_node_fs15.writeFileSync)(planPath(slug), content, "utf8");
+      (0, import_node_fs16.writeFileSync)(planPath(slug), content, "utf8");
     },
     removeLocal: (slug) => {
       try {
-        (0, import_node_fs15.rmSync)(planPath(slug));
+        (0, import_node_fs16.rmSync)(planPath(slug));
       } catch {
       }
     },
     readMetaRaw: () => {
       try {
-        return (0, import_node_fs15.readFileSync)(META_FILE, "utf8");
+        return (0, import_node_fs16.readFileSync)(META_FILE, "utf8");
       } catch {
         return null;
       }
@@ -14431,7 +15042,7 @@ function makePlanDeps(cfg, io = consoleIo) {
     },
     readIndexRaw: () => {
       try {
-        return (0, import_node_fs15.readFileSync)(INDEX_FILE, "utf8");
+        return (0, import_node_fs16.readFileSync)(INDEX_FILE, "utf8");
       } catch {
         return null;
       }
@@ -14442,7 +15053,7 @@ function makePlanDeps(cfg, io = consoleIo) {
     },
     readQueueRaw: () => {
       try {
-        return (0, import_node_fs15.readFileSync)(QUEUE_FILE, "utf8");
+        return (0, import_node_fs16.readFileSync)(QUEUE_FILE, "utf8");
       } catch {
         return null;
       }
@@ -14632,6 +15243,20 @@ secrets.command("edit <key>").description("alias for set \u2014 replace a secret
   const ok = await secretsEdit(d, key, o);
   if (!ok) process.exitCode = 1;
 }));
+secrets.command("copy").description("copy provider keys between vault tiers (audit-logged; org-tier source is master-gated)").requiredOption("--from <stage>", "source tier: dev, rc, or main").requiredOption("--to <stage>", "destination tier: dev, rc, or main").requiredOption("--keys <names>", "comma-separated secret names (encryption keys blocked)").option("--dry-run", "report copies without writing").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action((o) => withSecrets(async (d) => {
+  const stages = ["dev", "rc", "main"];
+  if (!stages.includes(o.from) || !stages.includes(o.to)) {
+    return fail("secrets copy: --from and --to must be dev, rc, or main");
+  }
+  const ok = await secretsCopy(d, {
+    repo: o.repo,
+    from: o.from,
+    to: o.to,
+    keys: o.keys.split(","),
+    dryRun: o.dryRun
+  });
+  if (!ok) process.exitCode = 1;
+}));
 secrets.command("rm <key>").description("remove a secret (project tier self-serve; org tier needs a grant)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action((key, o) => withSecrets((d) => secretsRemove(d, key, o)));
 secrets.command("use <key>").description("print guidance on consuming a secret without committing it (no value)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action((key, o) => withSecrets((d) => secretsUse(d, key, o)));
 secrets.command("grant <repo> <login> <key>").description("MASTER-ONLY: grant a project-admin standing access to a specific org-tier secret").action((repo, login, key) => withSecrets((d) => secretsGrant(d, repo, login, key, {})));
@@ -14997,7 +15622,7 @@ oauth.command("verify").description("probe Google authorize with an arbitrary po
   if (mismatch) process.exitCode = 1;
 });
 var issue = program2.command("issue").description("issues \u2014 reliable create with structured output");
-issue.command("create").description("create an issue (type \u2192 label) and print {number,url,label} JSON").requiredOption("--type <type>", "bug | feature | task (sets the matching label)").option("--title <title>", "issue title").option("--title-file <path|->", "read the issue title from a UTF-8 file, or from stdin with -").option("--body <body>", "issue body (markdown)").option("--body-file <path|->", "read issue body from a UTF-8 file, or from stdin with -").requiredOption("--priority <priority>", "urgent | high | medium | low (label + board Priority field when configured)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--label <label...>", "extra label(s) to attach (repeatable; auto-created if missing)").option("--parent <ref>", "file as a native sub-issue of this parent (#123, owner/repo#123, or URL)").option("--no-related", "skip the auto related-issues comment").action(async (o) => {
+issue.command("create").description("create an issue (type \u2192 label) and print {number,url,label} JSON").requiredOption("--type <type>", "bug | feature | task (sets the matching label)").option("--title <title>", "issue title").option("--title-file <path|->", "read the issue title from a UTF-8 file, or from stdin with -").option("--body <body>", "issue body (markdown)").option("--body-file <path|->", "read issue body from a UTF-8 file, or from stdin with -").requiredOption("--priority <priority>", "urgent | high | medium | low (sets the board Priority field only \u2014 never a priority:* label, #416)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--label <label...>", "extra label(s) to attach (repeatable; auto-created if missing)").option("--parent <ref>", "file as a native sub-issue of this parent (#123, owner/repo#123, or URL)").option("--no-related", "skip the auto related-issues comment").action(async (o) => {
   let args;
   let priority;
   let body;
@@ -15082,12 +15707,12 @@ issue.command("link-child <parent> <child>").description("link an existing issue
     return fail(`issue link-child: ${(err.stderr || err.message || String(e)).trim()}${note ? ` (${note})` : ""}`);
   }
 });
-program2.command("report").description("file a friction report on the Hub board (GitHub auth, dedups open reports) and print {number,url} JSON").option("--title <title>", "one-line friction summary").option("--title-file <path|->", "read the friction summary from a UTF-8 file, or from stdin with -").option("--body <body>", "report body (markdown)").option("--body-file <path|->", "read report body from a UTF-8 file, or from stdin with -").option("--type <type>", "bug | feature | task (sets the matching label)", "task").option("--priority <priority>", "urgent | high | medium | low (board Priority field when configured)", "medium").option("--repo <owner/repo>", `target repo (defaults to the org Hub: ${HUB_REPO})`).option("--force", "file a new issue even when an open report looks like a duplicate").option("--json", "machine-readable output (already the default \u2014 report always prints JSON; #682)").action(async (o) => {
+program2.command("report").description("file a friction report on the Hub board (GitHub auth, dedups open reports) and print {number,url} JSON").option("--title <title>", "one-line friction summary").option("--title-file <path|->", "read the friction summary from a UTF-8 file, or from stdin with -").option("--body <body>", "report body (markdown)").option("--body-file <path|->", "read report body from a UTF-8 file, or from stdin with -").option("--type <type>", "bug | feature | task (sets the matching label)", "task").option("--priority <priority>", "urgent | high | medium | low (sets the board Priority field only, #416)", "medium").option("--repo <owner/repo>", `target repo (defaults to the org Hub: ${HUB_REPO2})`).option("--force", "file a new issue even when an open report looks like a duplicate").option("--json", "machine-readable output (already the default \u2014 report always prints JSON; #682)").action(async (o) => {
   let body;
   let priority;
   let args;
   let title;
-  const targetRepo2 = o.repo ?? HUB_REPO;
+  const targetRepo2 = o.repo ?? HUB_REPO2;
   const sourceRepo = await resolveRepo(void 0);
   try {
     title = await resolveIssueTitle({ title: o.title, titleFile: o.titleFile }, { readFile: import_promises5.readFile, readStdin });
@@ -15282,8 +15907,8 @@ grindCmd.command("estimate").description("Worst-case cost proxy (agent-call unit
     console.log(`ceiling:    ${GRIND_COST_CEILING} units \u2014 ${estimate.exceedsCeiling ? "EXCEEDS \u2192 ask human (cap/stuck path)" : "within"}`);
   }
 });
-program2.command("skill-lesson").description("file a skill-lesson on the Hub board (GitHub auth, dedups open lessons) and print {number,url} JSON").requiredOption("--skill <name>", `which skill misfired (${SKILL_NAMES.join(" | ")})`).option("--title <title>", "one-line summary of what misfired").option("--title-file <path|->", "read the one-line summary from a UTF-8 file, or from stdin with -").option("--body <body>", "lesson body: what misfired, the evidence, and the proposed amendment (markdown)").option("--body-file <path|->", "read the lesson body from a UTF-8 file, or from stdin with -").option("--priority <priority>", "urgent | high | medium | low (board Priority field when configured)", "medium").option("--repo <owner/repo>", `target repo (defaults to the org Hub: ${HUB_REPO})`).option("--force", "file a new issue even when an open lesson looks like a duplicate").option("--json", "machine-readable output (already the default \u2014 skill-lesson always prints JSON)").action(async (o) => {
-  const targetRepo2 = o.repo ?? HUB_REPO;
+program2.command("skill-lesson").description("file a skill-lesson on the Hub board (GitHub auth, dedups open lessons) and print {number,url} JSON").requiredOption("--skill <name>", `which skill misfired (${SKILL_NAMES.join(" | ")})`).option("--title <title>", "one-line summary of what misfired").option("--title-file <path|->", "read the one-line summary from a UTF-8 file, or from stdin with -").option("--body <body>", "lesson body: what misfired, the evidence, and the proposed amendment (markdown)").option("--body-file <path|->", "read the lesson body from a UTF-8 file, or from stdin with -").option("--priority <priority>", "urgent | high | medium | low (sets the board Priority field only, #416)", "medium").option("--repo <owner/repo>", `target repo (defaults to the org Hub: ${HUB_REPO2})`).option("--force", "file a new issue even when an open lesson looks like a duplicate").option("--json", "machine-readable output (already the default \u2014 skill-lesson always prints JSON)").action(async (o) => {
+  const targetRepo2 = o.repo ?? HUB_REPO2;
   const sourceRepo = await resolveRepo(void 0);
   const pluginSha = await resolvePluginSha();
   let skill;
@@ -15354,6 +15979,111 @@ pr.command("create").description("create a PR and print {number,url} JSON").opti
   const created = await ghCreate(buildPrArgs({ title, body, base: o.base, head: o.head, repo: o.repo }));
   console.log(JSON.stringify(created));
 });
+async function listCiWorkflowPaths(cwd = process.cwd()) {
+  const wfDir = (0, import_node_path14.join)(cwd, ".github", "workflows");
+  if (!(0, import_node_fs16.existsSync)(wfDir)) return [];
+  return (0, import_node_fs16.readdirSync)(wfDir).filter((name) => /\.(ya?ml)$/i.test(name)).map((name) => `.github/workflows/${name}`);
+}
+async function resolveMergeCiPolicyForCheckout(repoOpt) {
+  const repo = repoOpt ?? await resolveRepo();
+  if (repo) {
+    return resolveRepoMergeCiPolicy(repo, ciAuditDeps());
+  }
+  const workflowPaths = await listCiWorkflowPaths();
+  return resolveMergeCiPolicy({ workflowPaths });
+}
+function ciAuditDeps() {
+  const cfgPromise = loadConfig();
+  return {
+    client: defaultGitHubClient(),
+    listProjects: async () => fetchProjectsList(registryClientDeps(await cfgPromise)),
+    getProjectMeta: async (slug) => fetchProjectBySlug(slug, registryClientDeps(await cfgPromise))
+  };
+}
+pr.command("ci-policy").description("report merge CI policy: wait-for-checks vs no-ci (for grind/build agents)").option("--json", "machine-readable output").option("--repo <owner/repo>", "target repo (defaults to the current checkout)").action(async (o) => {
+  const result = await resolveMergeCiPolicyForCheckout(o.repo);
+  if (o.json) return printLine(JSON.stringify(result));
+  printLine(`merge CI policy: ${result.policy} (${result.reason})`);
+});
+pr.command("checks-wait <number>").description("bounded wait for PR checks; skips immediately on no-ci repos (#1432)").option("--json", "machine-readable output").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action(async (number, o) => {
+  const repoArgs = o.repo ? ["--repo", o.repo] : [];
+  const result = await waitForPrChecks({
+    resolvePolicy: () => resolveMergeCiPolicyForCheckout(o.repo),
+    pollChecks: async () => {
+      const { stdout } = await execFileP2("gh", ["pr", "checks", number, ...repoArgs], { timeout: GC_GH_TIMEOUT_MS });
+      return parseGhPrChecksOutput(stdout);
+    },
+    sleep: (ms) => new Promise((resolve) => setTimeout(resolve, ms))
+  });
+  if (o.json) printLine(JSON.stringify(result));
+  else printLine(`pr checks-wait: ${result.status}${result.reason ? ` \u2014 ${result.reason}` : ""}${result.detail ? ` (${result.detail})` : ""}`);
+  if (result.status === "failure" || result.status === "timeout") process.exitCode = 1;
+});
+pr.command("land <number>").description("agent merge path (#1440): train probe \u2192 checks-wait \u2192 merge --auto \u2192 poll enqueued \u2014 development PRs only").option("--json", "machine-readable output").option("--repo <owner/repo>", "target repo (defaults to the PR repo)").option("--no-require-train", "skip train-authority preflight (not recommended for autonomous agents)").action(async (number, o) => {
+  const repoArgs = o.repo ? ["--repo", o.repo] : [];
+  const result = await runPrLand(number, { repo: o.repo, requireTrain: o.requireTrain !== false }, {
+    resolveRepo: async (prNumber, repoOpt) => {
+      if (repoOpt) return repoOpt;
+      const viewed = (await execFileP2("gh", ["pr", "view", prNumber, ...repoArgs, "--json", "headRepository,baseRefName", "--jq", '.headRepository.nameWithOwner + " " + .baseRefName'], { timeout: GC_GH_TIMEOUT_MS })).stdout.trim();
+      const [repo, base2] = viewed.split(/\s+/);
+      if (base2 && base2 !== "development") {
+        throw new Error(`pr land: base branch must be development (got ${base2}) \u2014 promotion merges stay human-only`);
+      }
+      if (!repo) throw new Error("pr land: could not resolve PR repo");
+      return repo;
+    },
+    fetchTrainAuthority: async (repo) => fetchTrainAuthority(repo, registryClientDeps(await loadConfig())),
+    resolveCiPolicy: (repo) => resolveRepoMergeCiPolicy(repo, ciAuditDeps()),
+    waitForChecks: (prNumber, repo) => waitForPrChecks({
+      resolvePolicy: () => resolveRepoMergeCiPolicy(repo, ciAuditDeps()),
+      pollChecks: async () => {
+        const args = repo ? ["--repo", repo] : [];
+        const { stdout } = await execFileP2("gh", ["pr", "checks", prNumber, ...args], { timeout: GC_GH_TIMEOUT_MS });
+        return parseGhPrChecksOutput(stdout);
+      },
+      sleep: (ms) => new Promise((resolve) => setTimeout(resolve, ms))
+    }),
+    mergeAuto: async (prNumber, repo) => {
+      const args = repo ? ["--repo", repo] : [];
+      try {
+        await execFileP2("gh", buildPrMergeArgs({ number: prNumber, repoArgs: args, method: "--squash", auto: true }), { timeout: GH_MUTATION_TIMEOUT_MS });
+      } catch (e) {
+        const message = String(e.message || "");
+        if (/already been merged/i.test(message)) return { mergeStatus: "merged" };
+        const note = timeoutKillNote(e, GH_MUTATION_TIMEOUT_MS);
+        if (note) return { mergeStatus: "failed", error: note };
+        if (!basePolicyBlocksImmediateMerge(message)) {
+          return { mergeStatus: "failed", error: message.split("\n")[0] };
+        }
+        return { mergeStatus: "failed", error: `merge blocked: ${message.split("\n")[0]} \u2014 ensure checks are green` };
+      }
+      const state = (await execFileP2("gh", ["pr", "view", prNumber, ...args, "--json", "state", "--jq", ".state"], { timeout: GC_GH_TIMEOUT_MS }).catch(() => ({ stdout: "" }))).stdout.trim();
+      return { mergeStatus: state === "MERGED" ? "merged" : "auto-merge-enqueued" };
+    },
+    pollMerged: async (prNumber, repo, deadlineMs) => {
+      const args = repo ? ["--repo", repo] : [];
+      while (Date.now() < deadlineMs) {
+        const state = (await execFileP2("gh", ["pr", "view", prNumber, ...args, "--json", "state", "--jq", ".state"], { timeout: GC_GH_TIMEOUT_MS }).catch(() => ({ stdout: "" }))).stdout.trim();
+        if (state === "MERGED") return true;
+        await new Promise((resolve) => setTimeout(resolve, PR_LAND_POLL_MS));
+      }
+      return false;
+    }
+  });
+  if (o.json) printLine(JSON.stringify(result));
+  else printLine(`pr land: ${result.status}${result.error ? ` \u2014 ${result.error}` : ""}`);
+  if (result.status === "failed") process.exitCode = 1;
+  else {
+    await execFileP2(process.execPath, [
+      process.argv[1],
+      "pr",
+      "merge",
+      number,
+      ...o.repo ? ["--repo", o.repo] : [],
+      "--squash"
+    ], { timeout: GH_MUTATION_TIMEOUT_MS }).catch(() => void 0);
+  }
+});
 async function remoteBranchExists2(branch, options = {}) {
   return checkRemoteBranchExists(branch, {
     execGit: async (args) => (await execFileP2("git", args, { timeout: GIT_TIMEOUT_MS })).stdout
@@ -15362,7 +16092,7 @@ async function remoteBranchExists2(branch, options = {}) {
 var COMPOSE_TIMEOUT_MS = 12e4;
 async function createDeferredWorktreeStore() {
   try {
-    const { stdout } = await execFileP2("git", ["rev-parse", "--git-dir"], { timeout: GIT_TIMEOUT_MS });
+    const { stdout } = await execFileP2("git", ["rev-parse", "--git-common-dir"], { timeout: GIT_TIMEOUT_MS });
     const registryPath = deferredWorktreesRegistryPath(stdout.trim());
     return {
       read: async () => {
@@ -15393,7 +16123,7 @@ function worktreeRemoveDeps(execGit) {
 }
 function teardownWorktreeStage(worktreePath) {
   return runWorktreeStageTeardown(worktreePath, {
-    hasStageState: (wt) => (0, import_node_fs15.existsSync)(stageStatePath(wt)),
+    hasStageState: (wt) => (0, import_node_fs16.existsSync)(stageStatePath(wt)),
     stopRecordedStage: async (wt) => (await stopStage({ cwd: wt })).pid,
     listComposeProjects: async () => {
       const { stdout } = await execFileP2("docker", ["compose", "ls", "--all", "--format", "json"], { timeout: GC_GH_TIMEOUT_MS });
@@ -15404,7 +16134,7 @@ function teardownWorktreeStage(worktreePath) {
     }
   });
 }
-pr.command("merge <number>").description("merge a PR (squash by default) and clean up its branch + worktree \u2014 no leftover local branch").option("--squash", "squash merge (default)").option("--merge", "create a merge commit").option("--rebase", "rebase merge").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--auto", "enable auto-merge \u2014 merge once the base-branch policy is satisfied (use for policy-gated repos)").action(async (number, o) => {
+pr.command("merge <number>").description("merge a PR (squash by default) and clean up its branch + worktree \u2014 no leftover local branch; on no-ci repos run pr ci-policy / checks-wait first (#1432)").option("--squash", "squash merge (default)").option("--merge", "create a merge commit").option("--rebase", "rebase merge").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--auto", "enable auto-merge \u2014 merge once the base-branch policy is satisfied (use for policy-gated repos)").action(async (number, o) => {
   const method = o.rebase ? "--rebase" : o.merge ? "--merge" : "--squash";
   const repoArgs = o.repo ? ["--repo", o.repo] : [];
   const headRef = (await execFileP2("gh", ["pr", "view", number, ...repoArgs, "--json", "headRefName", "--jq", ".headRefName"], { timeout: GC_GH_TIMEOUT_MS })).stdout.trim();
@@ -15456,7 +16186,7 @@ pr.command("merge <number>").description("merge a PR (squash by default) and cle
     } : await cleanupPrMergeLocalBranch(headRef, {
       beforeWorktrees,
       startingPath,
-      pathExists: (p) => (0, import_node_fs15.existsSync)(p),
+      pathExists: (p) => (0, import_node_fs16.existsSync)(p),
       execGit: async (args) => (await execFileP2("git", args, { timeout: GIT_TIMEOUT_MS })).stdout,
       teardownWorktreeStage,
       deferredStore,
@@ -15571,6 +16301,25 @@ board.command("backfill-priority").description("set board Priority from priority
     return failGraceful(`board backfill-priority failed: ${e.message}`);
   }
 });
+board.command("prune-priority-labels").description("remove retired priority:* labels (#416) from issues whose board Priority field is already set").option("--json", "machine-readable output").option("--repo <owner/repo>", "current repo (defaults to git origin)").option("--dry-run", "report what would be removed without writing").option("--concurrency <n>", "parallel issue edits (default 8)", "8").action(async (o) => {
+  try {
+    const result = await prunePriorityLabels({
+      config: await loadConfigForRepo(o.repo),
+      repo: o.repo,
+      dryRun: o.dryRun,
+      concurrency: Number(o.concurrency) || 8
+    });
+    if (o.json) return console.log(JSON.stringify(result));
+    console.log(
+      `prune-priority-labels: scanned ${result.scanned}, pruned ${result.pruned} (${result.removedLabels} labels), skipped ${result.skippedNoField} (field unset), failed ${result.failed}`
+    );
+    for (const line of result.details.slice(0, 30)) console.log(`  ${line}`);
+    if (result.details.length > 30) console.log(`  ... +${result.details.length - 30} more`);
+    if (result.failed) process.exitCode = 1;
+  } catch (e) {
+    return failGraceful(`board prune-priority-labels failed: ${e.message}`);
+  }
+});
 board.command("done <issue>").description("set a board item's Status to Done (does not close the GitHub issue; use `gh issue close`)").option("--json", "machine-readable output").option("--repo <owner/repo>", "current repo for local issue numbers (defaults to git origin)").option("--allow-partial", "return success JSON if the item resolves but the status move fails").action(async (issueRef, o) => {
   try {
     const result = await moveBoardItem({ config: await loadConfigOrDiscover(), selector: issueRef, status: "Done", repo: o.repo, allowPartial: o.allowPartial });
@@ -15609,7 +16358,7 @@ function rawValues(flag) {
   return out;
 }
 function printLine(value) {
-  (0, import_node_fs15.writeSync)(1, `${value}
+  (0, import_node_fs16.writeSync)(1, `${value}
 `);
 }
 function stageKeepAlive() {
@@ -15626,10 +16375,26 @@ async function resolveStage() {
     local,
     shell: shellFor(),
     registry: { deployModel: project2?.deployModel, portRange, error: read.ok ? void 0 : read.error },
-    hasCompose: (0, import_node_fs15.existsSync)((0, import_node_path14.join)(process.cwd(), "docker-compose.yml")),
-    hasEnvExample: (0, import_node_fs15.existsSync)((0, import_node_path14.join)(process.cwd(), ".env.example"))
+    hasCompose: (0, import_node_fs16.existsSync)((0, import_node_path14.join)(process.cwd(), "docker-compose.yml")),
+    hasEnvExample: (0, import_node_fs16.existsSync)((0, import_node_path14.join)(process.cwd(), ".env.example"))
   });
 }
+async function fetchStageVaultEnvMerge() {
+  const cfg = await loadConfig();
+  if (!cfg.sagaApiUrl) return void 0;
+  const read = await fetchProjectBySlugChecked(await repoSlug(), registryClientDeps(cfg)).catch(() => null);
+  if (!read?.ok || !read.project) return void 0;
+  const names = requiredRuntimeSecretNames("dev", read.project.requiredRuntimeSecrets, { includeGoogleOAuth: false });
+  if (!names.length) return void 0;
+  const d = makeSecretsDeps(cfg);
+  const merge = {};
+  for (const name of names) {
+    const key = name.includes("/") ? name : `dev/${name}`;
+    const value = await fetchSecretValue(d, key, {});
+    if (value != null) merge[name.includes("/") ? name.split("/").pop() : name] = value;
+  }
+  return Object.keys(merge).length ? merge : void 0;
+}
 function stageStepsFor(res, stops = true) {
   if (res.source === "derived" && res.derived) return derivedStagePlan(res.derived, shellFor(), stops);
   if (res.source === "local") return stagePlan(res.config ?? {}, stops);
@@ -15761,6 +16526,7 @@ stage.command("start").description("start the configured local stage process and
   }
   if (res.source === "none") return failGraceful(`stage start: ${res.gap}`);
   const cfg = res.config ?? res.derived.config;
+  const vaultEnvMerge = res.source === "derived" ? await fetchStageVaultEnvMerge() : void 0;
   try {
     const hold = stageKeepAlive();
     let printed = false;
@@ -15768,6 +16534,7 @@ stage.command("start").description("start the configured local stage process and
       const result = await startStage(cfg, {
         timeoutMs: Number(o.timeoutMs || 6e4),
         allowStaleEnv: o.allowStaleEnv,
+        vaultEnvMerge,
         onReady: (ready) => {
           printed = true;
           const reportUrl = reportedStageUrl(res, ready);
@@ -15795,6 +16562,7 @@ stage.command("run").description("force-stop previous stage, build, start, and h
   }
   if (res.source === "none") return failGraceful(`stage run: ${res.gap}`);
   const cfg = res.config ?? res.derived.config;
+  const vaultEnvMerge = res.source === "derived" ? await fetchStageVaultEnvMerge() : void 0;
   try {
     const hold = stageKeepAlive();
     let printed = false;
@@ -15802,6 +16570,7 @@ stage.command("run").description("force-stop previous stage, build, start, and h
       const result = await runStage(cfg, {
         timeoutMs: Number(o.timeoutMs || 6e4),
         allowStaleEnv: o.allowStaleEnv,
+        vaultEnvMerge,
         onReady: (ready) => {
           const reportUrl = reportedStageUrl(res, ready);
           const url = reportUrl ? ` \u2014 ${reportUrl}` : "";
@@ -15981,6 +16750,39 @@ var hotfixCmd = program2.command("hotfix").description("stepwise hotfix orchestr
 hotfixCmd.command("start").description("cherry-pick a merged development PR (or SHA) onto hotfix/vX.Y.Z from origin/main, bump the distribution, open the main-base PR").requiredOption("--from <pr#|sha>", "merged development PR number or commit SHA to cherry-pick").option("--json", "machine-readable output").action(async (o) => runHotfixSub("start", () => runHotfixStart(trainApplyDeps(), { from: o.from }), o.json, renderHotfixStart));
 hotfixCmd.command("release <version>").description("after the hotfix PR is merged + checks green: tag, GitHub Release, watch deploy/publish, verify distribution (idempotent)").option("--json", "machine-readable output").option("--announce-summary-file <path>", "agent-curated summary lines for the Hub Slack announcement (#883)").action(async (version, o) => runHotfixSub("release", () => runHotfixRelease(trainApplyDeps(), version, { announceSummaryFile: o.announceSummaryFile }), o.json, renderHotfixRelease));
 hotfixCmd.command("status [version]").description("derive the full hotfix pipeline state from live git/gh reads and name the exact next subcommand").option("--json", "machine-readable output").action(async (version, o) => runHotfixSub("status", () => runHotfixStatus(trainApplyDeps(), version), o.json, renderHotfixStatus));
+var ci = program2.command("ci").description("org CI + merge-readiness audit and reconcile");
+ci.command("audit").description("read-only fleet scan: gate workflow, ruleset contexts, auto-merge, registry META (#1440)").option("--json", "machine-readable output").option("--markdown", "fleet summary table for issue comments").option("--repo <owner/repo>", "audit one repo instead of the full registry").action(async (o) => {
+  const report = await auditOrgCi(ciAuditDeps(), o.repo);
+  if (o.json) console.log(JSON.stringify(report, null, 2));
+  else if (o.markdown) console.log(renderCiAuditMarkdown(report));
+  else console.log(renderCiAuditText(report));
+  if (!report.ok) process.exitCode = 1;
+});
+ci.command("reconcile").description("audit + optionally apply merge settings and product ruleset activation (master-admin)").option("--json", "machine-readable output").option("--repo <owner/repo>", "reconcile one repo instead of the full registry").option("--apply", "PATCH merge settings + activate product ruleset when missing (master role required)").action(async (o) => {
+  if (o.apply) {
+    const verdict = await fetchTrainAuthority(HUB_REPO2, registryClientDeps(await loadConfig()));
+    if (!verdict.ok || verdict.authority.role !== "master") {
+      return fail("ci reconcile --apply: master-admin required");
+    }
+  }
+  const deps = ciAuditDeps();
+  const audit = await auditOrgCi(deps, o.repo);
+  const applyResults = o.apply ? await Promise.all(audit.repos.map((r) => applyCiReconcileRepo(r.repo, deps))) : [];
+  const payload = { audit, apply: applyResults };
+  if (o.json) console.log(JSON.stringify(payload, null, 2));
+  else {
+    console.log(renderCiAuditText(audit));
+    if (o.apply) {
+      for (const r of applyResults) {
+        console.log(`
+${r.repo}: applied=[${r.applied.join("; ")}] skipped=[${r.skipped.join("; ")}]${r.errors.length ? ` errors=[${r.errors.join("; ")}]` : ""}`);
+      }
+    } else {
+      console.log("\nDry-run \u2014 re-run with --apply to patch merge settings and activate product rulesets (master-admin).");
+    }
+  }
+  if (!audit.ok) process.exitCode = 1;
+});
 var bootstrap = program2.command("bootstrap").description("plan repo bootstrap operations; mutations require master-admin approval").option("--repo <owner/repo>", "target repo").option("--class <class>", "deployable | content", "deployable").option("--json", "machine-readable output").option("--apply", "reserved for future bootstrap execution after explicit master-admin approval").action((o) => {
   if (!o.repo) return fail("bootstrap: required option --repo <owner/repo> not specified");
   if (o.apply) return fail("bootstrap: execution is not implemented yet; use the dry-run plan and the existing /bootstrap skill");
@@ -15999,7 +16801,7 @@ bootstrap.command("verify <repo>").description("audit whether an existing repo i
   const report = await verifyBootstrap(repo, o.class, {
     client: defaultGitHubClient(),
     projectMeta: meta,
-    readLocalFile: (path2) => path2 === "projects.json" && apiProjects != null ? apiProjects : (0, import_node_fs15.existsSync)(path2) ? (0, import_node_fs15.readFileSync)(path2, "utf8") : null,
+    readLocalFile: (path2) => path2 === "projects.json" && apiProjects != null ? apiProjects : (0, import_node_fs16.existsSync)(path2) ? (0, import_node_fs16.readFileSync)(path2, "utf8") : null,
     // requiredGcpApis is stored as an array by a JSON write, but `project set --var KEY=VALUE` stores a raw
     // comma-string — accept either so the seeded value verifies regardless of how it was written.
     requiredGcpApis: (() => {
@@ -16042,12 +16844,12 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
     return fail(`bootstrap apply: ${e.message}`);
   }
   const manifestPath = "skills/bootstrap/seeds/manifest.json";
-  if (!(0, import_node_fs15.existsSync)(manifestPath)) return fail(`bootstrap apply: ${manifestPath} not found; run from the MMI-Hub repo root`);
-  const manifest = loadBootstrapSeeds((0, import_node_fs15.readFileSync)(manifestPath, "utf8"));
+  if (!(0, import_node_fs16.existsSync)(manifestPath)) return fail(`bootstrap apply: ${manifestPath} not found; run from the MMI-Hub repo root`);
+  const manifest = loadBootstrapSeeds((0, import_node_fs16.readFileSync)(manifestPath, "utf8"));
   const baseBranch = o.class === "content" ? "main" : "development";
   const slug = parsedRepo.slug;
   const gh = async (args) => execFileP2("gh", args, { timeout: 2e4 });
-  const readFile5 = (p) => (0, import_node_fs15.existsSync)(p) ? (0, import_node_fs15.readFileSync)(p, "utf8") : null;
+  const readFile5 = (p) => (0, import_node_fs16.existsSync)(p) ? (0, import_node_fs16.readFileSync)(p, "utf8") : null;
   const enc2 = (p) => p.split("/").map(encodeURIComponent).join("/");
   const rawVars = {};
   for (const value of rawValues("--var")) {
@@ -16097,6 +16899,26 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
       applied.push(`${action.action} ${resolved.target}`);
     }
   }
+  if (o.execute && o.class === "deployable") {
+    try {
+      await gh(["api", "-X", "PATCH", `repos/${repo}`, "-f", "allow_auto_merge=true", "-f", "allow_squash_merge=true", "-f", "delete_branch_on_merge=true"]);
+      applied.push("merge settings: allow_auto_merge, squash, delete-branch-on-merge");
+    } catch (e) {
+      applied.push(`merge settings (failed: ${e.message})`);
+    }
+    const rulesetSeed = manifest.seeds.find((s) => s.target === ".github/rulesets/mmi-product-required-checks.json");
+    if (rulesetSeed) {
+      const rulesetContent = resolveSeedContent({ ...rulesetSeed, target: rulesetSeed.target.replace("{{REPO_SLUG}}", slug) }, vars, readFile5);
+      if (rulesetContent) {
+        try {
+          const activation = await activateProductRuleset(repo, stripRulesetComment(rulesetContent), defaultGitHubClient());
+          applied.push(`product ruleset: ${activation.action}${activation.detail ? ` (${activation.detail})` : ""}`);
+        } catch (e) {
+          return failGraceful(`bootstrap apply: product ruleset activation failed: ${e.message}`);
+        }
+      }
+    }
+  }
   if (o.execute) {
     for (const l of manifest.labels) {
       try {
@@ -16150,10 +16972,10 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
       name: vars.NAME || parsedRepo.name
     };
     const readHubFile = async (path2) => {
-      const r = await gh(["api", `repos/${HUB_REPO}/contents/${enc2(path2)}?ref=development`]);
+      const r = await gh(["api", `repos/${HUB_REPO2}/contents/${enc2(path2)}?ref=development`]);
       const parsed = JSON.parse(r.stdout);
       if (parsed.encoding !== "base64" || typeof parsed.content !== "string" || !parsed.sha) {
-        throw new Error(`could not read ${HUB_REPO}/${path2}`);
+        throw new Error(`could not read ${HUB_REPO2}/${path2}`);
       }
       return { content: Buffer.from(parsed.content, "base64").toString("utf8"), sha: parsed.sha };
     };
@@ -16165,15 +16987,15 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
         applied.push(`fanout: already registered (${parsedRepo.name})`);
       } else {
         const branchName = `bootstrap-register-fanout-${slug}`;
-        const headSha = (await gh(["api", `repos/${HUB_REPO}/git/ref/heads/development`, "--jq", ".object.sha"])).stdout.trim();
+        const headSha = (await gh(["api", `repos/${HUB_REPO2}/git/ref/heads/development`, "--jq", ".object.sha"])).stdout.trim();
         try {
-          await gh(["api", "-X", "POST", `repos/${HUB_REPO}/git/refs`, "-f", `ref=refs/heads/${branchName}`, "-f", `sha=${headSha}`]);
+          await gh(["api", "-X", "POST", `repos/${HUB_REPO2}/git/refs`, "-f", `ref=refs/heads/${branchName}`, "-f", `sha=${headSha}`]);
         } catch (e) {
           if (!/Reference already exists|already exists/i.test(String(e.message ?? ""))) throw e;
         }
         const branchFileSha = async (path2) => {
           try {
-            const r = await gh(["api", `repos/${HUB_REPO}/contents/${enc2(path2)}?ref=${branchName}`, "--jq", ".sha"]);
+            const r = await gh(["api", `repos/${HUB_REPO2}/contents/${enc2(path2)}?ref=${branchName}`, "--jq", ".sha"]);
             return r.stdout.trim() || void 0;
           } catch (e) {
             if (/404|Not Found/i.test(String(e.message ?? ""))) return void 0;
@@ -16182,9 +17004,9 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
         };
         const fanoutBranchSha = await branchFileSha(".github/fanout-targets.json");
         const projectsBranchSha = await branchFileSha("projects.json");
-        await gh(contentPutArgs(HUB_REPO, ".github/fanout-targets.json", plan2.fanoutTargets, branchName, fanoutBranchSha));
-        await gh(contentPutArgs(HUB_REPO, "projects.json", plan2.projects, branchName, projectsBranchSha));
-        const openPrs = await gh(["pr", "list", "--repo", HUB_REPO, "--head", branchName, "--base", "development", "--state", "open", "--json", "number,url"]);
+        await gh(contentPutArgs(HUB_REPO2, ".github/fanout-targets.json", plan2.fanoutTargets, branchName, fanoutBranchSha));
+        await gh(contentPutArgs(HUB_REPO2, "projects.json", plan2.projects, branchName, projectsBranchSha));
+        const openPrs = await gh(["pr", "list", "--repo", HUB_REPO2, "--head", branchName, "--base", "development", "--state", "open", "--json", "number,url"]);
         const prDecision = decideFanoutPrAction(JSON.parse(openPrs.stdout || "[]"));
         if (prDecision.action === "reuse") {
           fanoutPrUrl = prDecision.url;
@@ -16193,7 +17015,7 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
             "pr",
             "create",
             "--repo",
-            HUB_REPO,
+            HUB_REPO2,
             "--base",
             "development",
             "--head",
@@ -16205,7 +17027,7 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
           ]);
           fanoutPrUrl = created.url;
         }
-        await gh(["pr", "merge", fanoutPrUrl, "--repo", HUB_REPO, "--auto", "--squash"]).catch((e) => {
+        await gh(["pr", "merge", fanoutPrUrl, "--repo", HUB_REPO2, "--auto", "--squash"]).catch((e) => {
           if (!/already/i.test(String(e.message ?? ""))) throw e;
         });
         applied.push(`fanout: PR ${fanoutPrUrl} (auto-merge enabled)`);
@@ -16256,16 +17078,16 @@ access.command("audit").description("audit collaborator roles + train-branch pus
     if (o.class !== "deployable" && o.class !== "content") return failGraceful("access audit: --class must be deployable or content");
     targets = [{ repo: o.repo, class: o.class }];
   } else {
-    const projectsJson = registryProjects ? JSON.stringify({ projects: registryProjects }) : (0, import_node_fs15.existsSync)("projects.json") ? (0, import_node_fs15.readFileSync)("projects.json", "utf8") : null;
+    const projectsJson = registryProjects ? JSON.stringify({ projects: registryProjects }) : (0, import_node_fs16.existsSync)("projects.json") ? (0, import_node_fs16.readFileSync)("projects.json", "utf8") : null;
     if (!projectsJson) return failGraceful("access audit: no project registry \u2014 Hub API unreachable and projects.json not found; run from the MMI-Hub repo root or pass --repo <owner/repo>");
-    const fanoutJson = (0, import_node_fs15.existsSync)(".github/fanout-targets.json") ? (0, import_node_fs15.readFileSync)(".github/fanout-targets.json", "utf8") : null;
+    const fanoutJson = (0, import_node_fs16.existsSync)(".github/fanout-targets.json") ? (0, import_node_fs16.readFileSync)(".github/fanout-targets.json", "utf8") : null;
     targets = loadAccessTargets(projectsJson, fanoutJson);
   }
   const derivedMatrix = registryProjects ? accessMatrixFromProjects(registryProjects) : {};
-  const fileMatrix = (0, import_node_fs15.existsSync)("access-matrix.json") ? loadAccessMatrix((0, import_node_fs15.readFileSync)("access-matrix.json", "utf8")) : {};
+  const fileMatrix = (0, import_node_fs16.existsSync)("access-matrix.json") ? loadAccessMatrix((0, import_node_fs16.readFileSync)("access-matrix.json", "utf8")) : {};
   const matrix = mergeAccessMatrix(fileMatrix, derivedMatrix);
   const derivedContracts = registryProjects ? dataAccessContractsFromProjects(registryProjects) : { consumers: {} };
-  const fileContracts = (0, import_node_fs15.existsSync)("data-access-contracts.json") ? loadDataAccessContracts((0, import_node_fs15.readFileSync)("data-access-contracts.json", "utf8")) : { consumers: {} };
+  const fileContracts = (0, import_node_fs16.existsSync)("data-access-contracts.json") ? loadDataAccessContracts((0, import_node_fs16.readFileSync)("data-access-contracts.json", "utf8")) : { consumers: {} };
   const dataAccess = mergeDataAccessContracts(fileContracts, derivedContracts);
   const report = await auditOrgAccess(targets, deps, matrix, dataAccess);
   console.log(o.json ? JSON.stringify(report, null, 2) : renderAccessReport(report));
@@ -16278,7 +17100,7 @@ var installedPluginsPath = (surface = detectSurface(process.env)) => {
 };
 function readInstalledPlugins() {
   try {
-    return JSON.parse((0, import_node_fs15.readFileSync)(installedPluginsPath(), "utf8"));
+    return JSON.parse((0, import_node_fs16.readFileSync)(installedPluginsPath(), "utf8"));
   } catch {
     return null;
   }
@@ -16287,7 +17109,7 @@ function installedPluginSources() {
   return ["claude", "codex"].map((surface) => {
     const recordPath = (0, import_node_path14.join)((0, import_node_os5.homedir)(), `.${surface}`, "plugins", "installed_plugins.json");
     try {
-      return { surface, installed: JSON.parse((0, import_node_fs15.readFileSync)(recordPath, "utf8")), recordPath };
+      return { surface, installed: JSON.parse((0, import_node_fs16.readFileSync)(recordPath, "utf8")), recordPath };
     } catch {
       return { surface, installed: null, recordPath };
     }
@@ -16295,7 +17117,7 @@ function installedPluginSources() {
 }
 function readClaudeSettings() {
   try {
-    return JSON.parse((0, import_node_fs15.readFileSync)((0, import_node_path14.join)(process.cwd(), ".claude", "settings.json"), "utf8"));
+    return JSON.parse((0, import_node_fs16.readFileSync)((0, import_node_path14.join)(process.cwd(), ".claude", "settings.json"), "utf8"));
   } catch {
     return null;
   }
@@ -16317,7 +17139,7 @@ function writeProjectInstallRecord(record) {
     const list = file.plugins[MMI_PLUGIN_ID] ?? [];
     list.push(record);
     file.plugins[MMI_PLUGIN_ID] = list;
-    (0, import_node_fs15.writeFileSync)(installedPluginsPath(), `${JSON.stringify(file, null, 2)}
+    (0, import_node_fs16.writeFileSync)(installedPluginsPath(), `${JSON.stringify(file, null, 2)}
 `, "utf8");
     return true;
   } catch {
@@ -16330,9 +17152,9 @@ function backupAndWriteInstalledPlugins(records, pluginId) {
     if (!file) return false;
     if (!file.plugins) file.plugins = {};
     const path2 = installedPluginsPath();
-    (0, import_node_fs15.copyFileSync)(path2, `${path2}.bak`);
+    (0, import_node_fs16.copyFileSync)(path2, `${path2}.bak`);
     file.plugins[pluginId] = records;
-    (0, import_node_fs15.writeFileSync)(path2, `${JSON.stringify(file, null, 2)}
+    (0, import_node_fs16.writeFileSync)(path2, `${JSON.stringify(file, null, 2)}
 `, "utf8");
     return true;
   } catch {
@@ -16345,30 +17167,30 @@ function cursorPluginCacheRoot() {
 function cursorPluginCachePinSnapshots() {
   const root = cursorPluginCacheRoot();
   try {
-    return (0, import_node_fs15.readdirSync)(root, { withFileTypes: true }).filter((entry) => entry.isDirectory() && !entry.name.startsWith(".")).map((entry) => {
+    return (0, import_node_fs16.readdirSync)(root, { withFileTypes: true }).filter((entry) => entry.isDirectory() && !entry.name.startsWith(".")).map((entry) => {
       const path2 = (0, import_node_path14.join)(root, entry.name);
       const pluginJson = (0, import_node_path14.join)(path2, ".cursor-plugin", "plugin.json");
       const hooksJson = (0, import_node_path14.join)(path2, "hooks", "hooks.json");
       const cliBundle = (0, import_node_path14.join)(path2, "cli", "dist", "index.cjs");
       let version;
       try {
-        const raw = JSON.parse((0, import_node_fs15.readFileSync)(pluginJson, "utf8"));
+        const raw = JSON.parse((0, import_node_fs16.readFileSync)(pluginJson, "utf8"));
         version = typeof raw.version === "string" ? raw.version : void 0;
       } catch {
         version = void 0;
       }
       let isEmpty = true;
       try {
-        isEmpty = (0, import_node_fs15.readdirSync)(path2).length === 0;
+        isEmpty = (0, import_node_fs16.readdirSync)(path2).length === 0;
       } catch {
         isEmpty = true;
       }
       return {
         name: entry.name,
         path: path2,
-        hasPluginJson: (0, import_node_fs15.existsSync)(pluginJson),
-        hasHooksJson: (0, import_node_fs15.existsSync)(hooksJson),
-        hasCliBundle: (0, import_node_fs15.existsSync)(cliBundle),
+        hasPluginJson: (0, import_node_fs16.existsSync)(pluginJson),
+        hasHooksJson: (0, import_node_fs16.existsSync)(hooksJson),
+        hasCliBundle: (0, import_node_fs16.existsSync)(cliBundle),
         isEmpty,
         version
       };
@@ -16379,7 +17201,7 @@ function cursorPluginCachePinSnapshots() {
 }
 function hubCheckoutForCursorSeed() {
   const manifest = (0, import_node_path14.join)(process.cwd(), "plugins", "mmi", ".cursor-plugin", "plugin.json");
-  return (0, import_node_fs15.existsSync)(manifest) ? process.cwd() : void 0;
+  return (0, import_node_fs16.existsSync)(manifest) ? process.cwd() : void 0;
 }
 function mmiPluginCacheRootSnapshots() {
   const roots = [
@@ -16388,7 +17210,7 @@ function mmiPluginCacheRootSnapshots() {
   ];
   return roots.flatMap(({ surface, root }) => {
     try {
-      const entries = (0, import_node_fs15.readdirSync)(root, { withFileTypes: true }).map((entry) => ({
+      const entries = (0, import_node_fs16.readdirSync)(root, { withFileTypes: true }).map((entry) => ({
         name: entry.name,
         path: (0, import_node_path14.join)(root, entry.name),
         isDirectory: entry.isDirectory()
@@ -16401,7 +17223,7 @@ function mmiPluginCacheRootSnapshots() {
 }
 function hasNestedMmiChild(versionDir) {
   try {
-    return (0, import_node_fs15.statSync)((0, import_node_path14.join)(versionDir, "mmi")).isDirectory();
+    return (0, import_node_fs16.statSync)((0, import_node_path14.join)(versionDir, "mmi")).isDirectory();
   } catch {
     return false;
   }
@@ -16412,10 +17234,10 @@ function nestedPluginTreeSnapshot() {
   );
 }
 function uniqueQuarantineTarget(path2) {
-  if (!(0, import_node_fs15.existsSync)(path2)) return path2;
+  if (!(0, import_node_fs16.existsSync)(path2)) return path2;
   for (let i = 1; i < 100; i += 1) {
     const candidate = `${path2}-${i}`;
-    if (!(0, import_node_fs15.existsSync)(candidate)) return candidate;
+    if (!(0, import_node_fs16.existsSync)(candidate)) return candidate;
   }
   return `${path2}-${Date.now()}`;
 }
@@ -16423,10 +17245,10 @@ function quarantinePluginCacheDirs(plan2) {
   let moved = 0;
   for (const move of plan2) {
     try {
-      if (!(0, import_node_fs15.existsSync)(move.from)) continue;
+      if (!(0, import_node_fs16.existsSync)(move.from)) continue;
       const target = uniqueQuarantineTarget(move.to);
-      (0, import_node_fs15.mkdirSync)((0, import_node_path14.dirname)(target), { recursive: true });
-      (0, import_node_fs15.renameSync)(move.from, target);
+      (0, import_node_fs16.mkdirSync)((0, import_node_path14.dirname)(target), { recursive: true });
+      (0, import_node_fs16.renameSync)(move.from, target);
       moved += 1;
     } catch {
     }
@@ -16444,23 +17266,23 @@ async function robocopyMirrorEmpty(emptyDir, target) {
 }
 async function clearNestedPluginTreeDir(targetPath) {
   try {
-    if (!(0, import_node_fs15.existsSync)(targetPath)) return true;
+    if (!(0, import_node_fs16.existsSync)(targetPath)) return true;
     if (isWin) {
       const emptyDir = (0, import_node_path14.join)((0, import_node_os5.tmpdir)(), `mmi-empty-${Date.now()}`);
-      (0, import_node_fs15.mkdirSync)(emptyDir, { recursive: true });
+      (0, import_node_fs16.mkdirSync)(emptyDir, { recursive: true });
       try {
         await robocopyMirrorEmpty(emptyDir, targetPath);
-        (0, import_node_fs15.rmSync)(targetPath, { recursive: true, force: true });
+        (0, import_node_fs16.rmSync)(targetPath, { recursive: true, force: true });
       } finally {
         try {
-          (0, import_node_fs15.rmSync)(emptyDir, { recursive: true, force: true });
+          (0, import_node_fs16.rmSync)(emptyDir, { recursive: true, force: true });
         } catch {
         }
       }
-      return !(0, import_node_fs15.existsSync)(targetPath);
+      return !(0, import_node_fs16.existsSync)(targetPath);
     }
-    (0, import_node_fs15.rmSync)(targetPath, { recursive: true, force: true });
-    return !(0, import_node_fs15.existsSync)(targetPath);
+    (0, import_node_fs16.rmSync)(targetPath, { recursive: true, force: true });
+    return !(0, import_node_fs16.existsSync)(targetPath);
   } catch {
     return false;
   }
@@ -16476,8 +17298,8 @@ async function applyNestedPluginTreeCleanup(paths, log) {
 var gitignorePath = () => (0, import_node_path14.join)(process.cwd(), ".gitignore");
 function readTextFile(path2) {
   try {
-    if (!(0, import_node_fs15.existsSync)(path2)) return null;
-    return (0, import_node_fs15.readFileSync)(path2, "utf8");
+    if (!(0, import_node_fs16.existsSync)(path2)) return null;
+    return (0, import_node_fs16.readFileSync)(path2, "utf8");
   } catch {
     return null;
   }
@@ -16501,7 +17323,7 @@ function strayBrowserArtifactPaths() {
   const cwd = process.cwd();
   return STRAY_BROWSER_ARTIFACT_DIRS.filter((rel) => {
     try {
-      return (0, import_node_fs15.existsSync)((0, import_node_path14.join)(cwd, rel));
+      return (0, import_node_fs16.existsSync)((0, import_node_path14.join)(cwd, rel));
     } catch {
       return false;
     }
@@ -16509,14 +17331,14 @@ function strayBrowserArtifactPaths() {
 }
 function readGitignore() {
   try {
-    return (0, import_node_fs15.readFileSync)(gitignorePath(), "utf8");
+    return (0, import_node_fs16.readFileSync)(gitignorePath(), "utf8");
   } catch {
     return null;
   }
 }
 function writeGitignore(content) {
   try {
-    (0, import_node_fs15.writeFileSync)(gitignorePath(), content, "utf8");
+    (0, import_node_fs16.writeFileSync)(gitignorePath(), content, "utf8");
     return true;
   } catch {
     return false;
@@ -16555,7 +17377,7 @@ async function runDoctor(opts, io = consoleIo) {
   let onPath = pathProbe;
   if (!onPath) {
     const root = process.env.CLAUDE_PLUGIN_ROOT;
-    if (root && (0, import_node_fs15.existsSync)(`${root}/bin/mmi-cli${isWin ? ".cmd" : ""}`)) onPath = true;
+    if (root && (0, import_node_fs16.existsSync)(`${root}/bin/mmi-cli${isWin ? ".cmd" : ""}`)) onPath = true;
   }
   checks.push({ ok: onPath, label: "mmi-cli on PATH", fix: "auto-provisioned at session start \u2014 reopen the session, or install the MMI plugin" });
   const surface = detectSurface(process.env);
@@ -16649,6 +17471,19 @@ async function runDoctor(opts, io = consoleIo) {
         io.err(`  \u21BB updated MMI plugin \u2192 ${releasedVersion ?? "latest"} via claude plugin \u2014 ${reloadAction(surface)} to load the new commands`);
       }
     }
+    const codexStale = installedVersionCheck.staleSurfaces?.some((s) => s.surface === "codex") ?? false;
+    if (!installedVersionCheck.ok && codexStale && await applyCodexPluginHeal(surface, (m) => io.err(m))) {
+      const healed = buildInstalledPluginVersionCheck({
+        isOrgRepo: Boolean(cfg.sagaApiUrl),
+        sources: installedPluginSources(),
+        releasedVersion,
+        surface
+      });
+      installedVersionCheck = healed;
+      if (healed.ok) {
+        io.err(`  \u21BB updated MMI plugin \u2192 ${releasedVersion ?? "latest"} via codex plugin \u2014 ${reloadAction(surface)} to load the new commands`);
+      }
+    }
   }
   checks.push(installedVersionCheck);
   let cacheCleanupCheck = buildMmiPluginCacheCleanupCheck({
@@ -16709,7 +17544,7 @@ async function runDoctor(opts, io = consoleIo) {
     isOrgRepo: Boolean(cfg.sagaApiUrl),
     surface,
     cacheRoot: cursorCacheRoot,
-    cacheRootExists: (0, import_node_fs15.existsSync)(cursorCacheRoot),
+    cacheRootExists: (0, import_node_fs16.existsSync)(cursorCacheRoot),
     pins: cursorPins,
     hubCheckout: hubCheckoutForCursorSeed(),
     releasedVersion
@@ -16729,7 +17564,7 @@ async function runDoctor(opts, io = consoleIo) {
         isOrgRepo: Boolean(cfg.sagaApiUrl),
         surface,
         cacheRoot: cursorCacheRoot,
-        cacheRootExists: (0, import_node_fs15.existsSync)(cursorCacheRoot),
+        cacheRootExists: (0, import_node_fs16.existsSync)(cursorCacheRoot),
         pins: cursorPins,
         hubCheckout: hubCheckoutForCursorSeed(),
         releasedVersion