@mutmutco/cli 2.34.1 → 2.36.0

package/dist/main.cjs

@@ -3392,7 +3392,7 @@ var program = new Command();
 
 // src/index.ts
 var import_promises5 = require("node:fs/promises");
-var import_node_fs15 = require("node:fs");
+var import_node_fs18 = require("node:fs");
 
 // src/rules-sync.ts
 function normalizeEol(s) {
@@ -3427,7 +3427,7 @@ var import_node_child_process10 = require("node:child_process");
 
 // src/cli-shared.ts
 var import_promises = require("node:fs/promises");
-var import_node_fs6 = require("node:fs");
+var import_node_fs7 = require("node:fs");
 var import_node_crypto2 = require("node:crypto");
 var import_node_child_process4 = require("node:child_process");
 var import_node_util4 = require("node:util");
@@ -4109,10 +4109,19 @@ async function hubAuthToken(deps) {
 }
 
 // src/stdin-inject.ts
+var import_node_fs6 = require("node:fs");
 var injectedStdin;
+function stdinHasPipedInput(statFd = () => (0, import_node_fs6.fstatSync)(0)) {
+  try {
+    const stat = statFd();
+    return stat.isFIFO() || stat.isFile();
+  } catch {
+    return false;
+  }
+}
 async function readStdin() {
   if (injectedStdin !== void 0) return injectedStdin;
-  if (process.stdin.isTTY !== false) return "";
+  if (!stdinHasPipedInput()) return "";
   const chunks = [];
   for await (const chunk of process.stdin) chunks.push(chunk);
   return Buffer.concat(chunks).toString("utf8");
@@ -4161,7 +4170,7 @@ function sessionDeps() {
     env: process.env,
     readPersisted: () => {
       try {
-        return (0, import_node_fs6.readFileSync)(SESSION_FILE, "utf8");
+        return (0, import_node_fs7.readFileSync)(SESSION_FILE, "utf8");
       } catch {
         return null;
       }
@@ -4174,8 +4183,8 @@ function sessionDeps() {
 var resolveSessionId = () => resolveSession(sessionDeps());
 function persistSession(id) {
   try {
-    (0, import_node_fs6.mkdirSync)(".mmi", { recursive: true });
-    (0, import_node_fs6.writeFileSync)(SESSION_FILE, id, "utf8");
+    (0, import_node_fs7.mkdirSync)(".mmi", { recursive: true });
+    (0, import_node_fs7.writeFileSync)(SESSION_FILE, id, "utf8");
   } catch {
   }
 }
@@ -4267,7 +4276,9 @@ async function resolveTextArg(input, deps, labels) {
   const source = input.file ?? "";
   const text = source === "-" ? await deps.readStdin() : await deps.readFile(source, "utf8");
   if (text.trim().length === 0) {
-    throw new Error(`${labels.file} produced an empty ${labels.noun}`);
+    throw new Error(
+      source === "-" ? `${labels.file} - read empty stdin (nothing piped \u2014 pass a heredoc/pipe, or ${labels.file} <path>)` : `${labels.file} produced an empty ${labels.noun}`
+    );
   }
   return text;
 }
@@ -4287,7 +4298,7 @@ function resolveIssueTitle(input, deps) {
 }
 
 // src/saga-capture.ts
-var import_node_fs7 = require("node:fs");
+var import_node_fs8 = require("node:fs");
 var import_node_os2 = require("node:os");
 var import_node_path6 = require("node:path");
 function parseHookInput(stdin) {
@@ -4314,16 +4325,16 @@ function resolveCursorTranscriptPath(hook, env = process.env) {
   const slug = cursorProjectSlug(workspaceRoot);
   const transcriptsDir = (0, import_node_path6.join)(cursorProjectsRoot(env), slug, "agent-transcripts");
   const nested = (0, import_node_path6.join)(transcriptsDir, conversationId, `${conversationId}.jsonl`);
-  if ((0, import_node_fs7.existsSync)(nested)) return nested;
+  if ((0, import_node_fs8.existsSync)(nested)) return nested;
   const flat = (0, import_node_path6.join)(transcriptsDir, `${conversationId}.jsonl`);
-  if ((0, import_node_fs7.existsSync)(flat)) return flat;
+  if ((0, import_node_fs8.existsSync)(flat)) return flat;
   return void 0;
 }
 function resolveTranscriptPath(hook, env = process.env) {
   const fromHook = (hook.transcript_path ?? hook.transcriptPath)?.trim();
   if (fromHook) return fromHook;
   const fromEnv = env.CURSOR_TRANSCRIPT_PATH?.trim();
-  if (fromEnv && (0, import_node_fs7.existsSync)(fromEnv)) return fromEnv;
+  if (fromEnv && (0, import_node_fs8.existsSync)(fromEnv)) return fromEnv;
   const surface = env.MMI_AGENT_SURFACE?.trim();
   if (surface === "cursor" || env.CURSOR_TRACE_ID || env.CURSOR_SESSION_ID) {
     return resolveCursorTranscriptPath(hook, env);
@@ -4436,6 +4447,7 @@ function buildNoteCapture(summary, o, id, evidence) {
     next: o.next,
     decision: o.decision,
     queueOp,
+    handoffClose: o.handoffClose,
     state,
     source,
     evidence: Object.keys(ev).length ? ev : void 0,
@@ -5069,27 +5081,281 @@ function registerSagaCommands(program3) {
   });
 }
 
+// src/handoff-commands.ts
+var import_node_crypto4 = require("node:crypto");
+
+// src/handoff.ts
+var HANDOFF_PREFIX = "handoff:";
+function clean(value) {
+  return value?.trim() ?? "";
+}
+function normalizeHandoffKey(value) {
+  const key = clean(value);
+  if (!key) throw new Error("handoff key is required");
+  return key;
+}
+function serializeHandoff(record) {
+  return `${HANDOFF_PREFIX}${JSON.stringify(record)}`;
+}
+function parseHandoffText(text) {
+  if (!text.startsWith(HANDOFF_PREFIX)) return null;
+  try {
+    const raw = JSON.parse(text.slice(HANDOFF_PREFIX.length));
+    const state = raw.state;
+    const key = clean(raw.key);
+    const northStarSlug = clean(raw.northStarSlug);
+    const summary = clean(raw.summary);
+    const sourceSessionId = clean(raw.sourceSessionId);
+    const createdAt = clean(raw.createdAt);
+    if (state !== "open" && state !== "claimed" && state !== "cancelled") return null;
+    if (!key || !northStarSlug || !summary || !sourceSessionId || !createdAt) return null;
+    return {
+      state,
+      key,
+      northStarSlug,
+      summary,
+      sourceSessionId,
+      createdAt,
+      claimedBySessionId: clean(raw.claimedBySessionId) || void 0,
+      closedAt: clean(raw.closedAt) || void 0
+    };
+  } catch {
+    return null;
+  }
+}
+function listHandoffs(head, opts = {}) {
+  const parsed = (head.queued ?? []).map((item, index) => ({ done: item.done, index, record: parseHandoffText(item.text) })).filter((x) => x.record !== null);
+  return parsed.filter((x) => opts.includeClosed || x.record.state === "open" && !x.done).map((x) => ({ index: x.index, done: x.done, record: x.record }));
+}
+function findOpenHandoff(head, key) {
+  const normalized = normalizeHandoffKey(key).toLowerCase();
+  return listHandoffs(head).find((item) => item.record.key.toLowerCase() === normalized || item.record.northStarSlug.toLowerCase() === normalized);
+}
+function planOpenHandoff(input) {
+  const key = normalizeHandoffKey(input.key);
+  const northStarSlug = clean(input.northStarSlug);
+  const summary = clean(input.summary);
+  const sourceSessionId = clean(input.sourceSessionId);
+  if (!northStarSlug) throw new Error("north star slug is required");
+  if (!summary) throw new Error("handoff summary is required");
+  if (!sourceSessionId) throw new Error("source session id is required");
+  return {
+    state: "open",
+    key,
+    northStarSlug,
+    summary,
+    sourceSessionId,
+    createdAt: input.createdAt
+  };
+}
+function closeHandoff(record, state, at, claimedBySessionId) {
+  return {
+    ...record,
+    state,
+    closedAt: at,
+    claimedBySessionId: claimedBySessionId || record.claimedBySessionId
+  };
+}
+function formatHandoffLine(item) {
+  const r = item.record;
+  const suffix = r.state === "claimed" && r.claimedBySessionId ? ` -> ${r.claimedBySessionId}` : "";
+  return `${r.key} [${r.state}] northstar:${r.northStarSlug} source:${r.sourceSessionId}${suffix} - ${r.summary}`;
+}
+
+// src/handoff-commands.ts
+var FOREGROUND_FETCH = { attempts: 2, timeoutMs: 8e3 };
+var SESSION_START_FETCH = { attempts: 1, timeoutMs: 3e3 };
+async function fetchState(url, qs, retry = FOREGROUND_FETCH) {
+  const res = await fetchWithRetry(fetch, `${url}/saga/state?${qs}`, { headers: await hubHeaders() }, retry);
+  if (!res.ok) return null;
+  const body = await res.json();
+  if ("state" in body) return body;
+  return { key: null, state: { head: body.head } };
+}
+async function fetchScopedSessions(url, project2, branch, retry = FOREGROUND_FETCH) {
+  const qs = new URLSearchParams({ project: project2, branch });
+  const res = await fetchWithRetry(fetch, `${url}/saga/sessions?${qs}`, { headers: await hubHeaders() }, retry);
+  if (!res.ok) return [];
+  const body = await res.json();
+  return body.sessions ?? [];
+}
+async function fetchSessionHead(url, key, retry = FOREGROUND_FETCH) {
+  const qs = new URLSearchParams(key);
+  const got = await fetchState(url, qs, retry);
+  return got?.state?.head ?? null;
+}
+async function fetchCurrentState() {
+  const cfg = await loadConfig();
+  if (!cfg.sagaApiUrl) return null;
+  const key = await sagaKey(cfg);
+  const got = await fetchState(cfg.sagaApiUrl, new URLSearchParams(key));
+  return got ? { key, head: got.state?.head ?? {} } : null;
+}
+async function collectScopedHandoffs(opts = {}) {
+  const cfg = await loadConfig();
+  if (!cfg.sagaApiUrl) return { handoffs: [], sessions: [] };
+  const key = await sagaKey(cfg);
+  const retry = opts.retry ?? FOREGROUND_FETCH;
+  const sessions = await fetchScopedSessions(cfg.sagaApiUrl, key.project, key.branch, retry);
+  const seen = /* @__PURE__ */ new Set();
+  const handoffs = [];
+  for (const session of sessions) {
+    const head = await fetchSessionHead(cfg.sagaApiUrl, session, retry);
+    if (!head) continue;
+    for (const item of listHandoffs(head, { includeClosed: opts.includeClosed })) {
+      const dedupe = `${item.record.sourceSessionId}:${item.record.key}:${item.record.state}`;
+      if (seen.has(dedupe)) continue;
+      seen.add(dedupe);
+      handoffs.push(item);
+    }
+  }
+  return { handoffs, sessions };
+}
+async function locateOpenHandoff(key, retry = FOREGROUND_FETCH) {
+  const cfg = await loadConfig();
+  if (!cfg.sagaApiUrl) return null;
+  const scopeKey = await sagaKey(cfg);
+  const sessions = await fetchScopedSessions(cfg.sagaApiUrl, scopeKey.project, scopeKey.branch, retry);
+  for (const session of sessions) {
+    const head = await fetchSessionHead(cfg.sagaApiUrl, session, retry);
+    if (!head) continue;
+    const item = findOpenHandoff(head, key);
+    if (item) {
+      return {
+        key: { project: session.project, branch: session.branch, sessionId: session.sessionId },
+        item
+      };
+    }
+  }
+  return null;
+}
+async function locateClaimedHandoff(key, claimedBySessionId, retry = FOREGROUND_FETCH) {
+  const { handoffs } = await collectScopedHandoffs({ includeClosed: true, retry });
+  const normalized = key.toLowerCase();
+  return handoffs.find((item) => {
+    const r = item.record;
+    return r.state === "claimed" && r.claimedBySessionId === claimedBySessionId && (r.key.toLowerCase() === normalized || r.northStarSlug.toLowerCase() === normalized);
+  }) ?? null;
+}
+async function postKeyedNote(key, summary, options) {
+  const cfg = await loadConfig();
+  if (!cfg.sagaApiUrl) fail("handoff: Hub API URL not configured");
+  const sha = await gitOut(["rev-parse", "--short", "HEAD"]);
+  const capture = buildNoteCapture(summary, options, (0, import_node_crypto4.randomUUID)(), { sha: sha || void 0, branch: key.branch });
+  const result = await postCaptureOnce(cfg.sagaApiUrl, { ...capture, ...key });
+  if (!result.ok) fail(`handoff: write failed${result.status ? ` (HTTP ${result.status})` : ""}${result.message ? `: ${result.message}` : ""}`);
+}
+function deriveOpenFields(summary, opts, head, key) {
+  const northStarSlug = opts.northStarSlug ?? head.anchor?.slug;
+  const handoffKey = opts.key ?? northStarSlug;
+  const text = summary?.trim() || head.next?.trim() || head.anchor?.intent?.trim();
+  return planOpenHandoff({
+    key: handoffKey ?? "",
+    northStarSlug: northStarSlug ?? "",
+    summary: text ?? "",
+    sourceSessionId: key.sessionId,
+    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+  });
+}
+async function runHandoffOpen(summary, opts, io = consoleIo) {
+  const current = await fetchCurrentState();
+  if (!current) return fail("handoff open: saga state unavailable");
+  let record;
+  try {
+    record = deriveOpenFields(summary, opts, current.head, current.key);
+  } catch (e) {
+    return fail(`handoff open: ${e.message}`);
+  }
+  await postKeyedNote(current.key, `handoff opened ${record.key}`, { queueAdd: serializeHandoff(record), anchorSlug: record.northStarSlug });
+  if (opts.json) return io.log(JSON.stringify({ ok: true, handoff: record }));
+  io.log(`handoff open: ${formatHandoffLine({ index: -1, done: false, record })}`);
+}
+async function runHandoffList(opts, io = consoleIo) {
+  const { handoffs } = await collectScopedHandoffs({ includeClosed: opts.all });
+  if (opts.json) {
+    io.log(JSON.stringify({ handoffs }, null, 2));
+  } else if (!handoffs.length) {
+    io.log("handoff list: none");
+  } else {
+    for (const h of handoffs) io.log(formatHandoffLine(h));
+  }
+  return handoffs;
+}
+async function runHandoffOffer(io = consoleIo, opts = {}) {
+  const retry = opts.fast ? SESSION_START_FETCH : FOREGROUND_FETCH;
+  const { handoffs } = await collectScopedHandoffs({ retry });
+  if (!handoffs.length) return;
+  io.log("Open handoffs:");
+  for (const h of handoffs) io.log(`- ${formatHandoffLine(h)}`);
+  io.log("Use `mmi-cli handoff accept <key>` to claim, `mmi-cli handoff cancel <key>` to close, or decline in chat to leave it open.");
+}
+async function closeSourceHandoff(key, state, opts = {}, io = consoleIo) {
+  const current = await sagaKey(await loadConfig(), resolveSessionId());
+  const located = await locateOpenHandoff(key);
+  if (!located) {
+    if (state === "claimed") {
+      const prior = await locateClaimedHandoff(key, current.sessionId);
+      if (prior) {
+        if (opts.json) return io.log(JSON.stringify({ ok: true, handoff: prior.record, idempotent: true }));
+        return io.log(`handoff claimed: ${formatHandoffLine(prior)} (already accepted)`);
+      }
+    }
+    return fail(`handoff ${state}: no open handoff matching ${key}`);
+  }
+  const closed = closeHandoff(located.item.record, state, (/* @__PURE__ */ new Date()).toISOString(), state === "claimed" ? current.sessionId : void 0);
+  await postKeyedNote(located.key, `handoff ${state} ${located.item.record.key}`, {
+    handoffClose: { index: located.item.index, closedText: serializeHandoff(closed) }
+  });
+  if (state === "claimed") {
+    await postKeyedNote(current, `handoff accepted ${located.item.record.key}`, {
+      anchor: located.item.record.summary,
+      anchorSlug: located.item.record.northStarSlug,
+      anchorForce: true,
+      decision: `accepted handoff ${located.item.record.key} from session ${located.item.record.sourceSessionId}; northstar ${located.item.record.northStarSlug}`,
+      verified: true
+    });
+  }
+  if (opts.json) return io.log(JSON.stringify({ ok: true, handoff: closed }));
+  io.log(`handoff ${state}: ${formatHandoffLine({ index: located.item.index, done: true, record: closed })}`);
+}
+async function runHandoffDecline(key, opts = {}, io = consoleIo) {
+  const located = await locateOpenHandoff(key);
+  if (!located) return fail(`handoff decline: no open handoff matching ${key}`);
+  if (opts.json) return io.log(JSON.stringify({ ok: true, unchanged: true, handoff: located.item.record }));
+  io.log(`handoff decline: left open for re-offer \u2014 ${formatHandoffLine(located.item)}`);
+}
+function registerHandoffCommands(program3) {
+  const handoff = program3.command("handoff").description("explicit saga + North Star handoff lifecycle");
+  handoff.command("open [summary]").description("open a handoff bound to the current North Star slug").option("--key <slug|#issue>", "handoff key (defaults to the current North Star slug)").option("--north-star-slug <slug>", "North Star slug to bind (defaults to current saga anchor slug)").option("--json", "machine-readable output").action((summary, opts) => runHandoffOpen(summary, opts));
+  handoff.command("list").description("list open handoffs for the current repo/branch").option("--all", "include claimed/cancelled records").option("--json", "machine-readable output").action(async (opts) => {
+    await runHandoffList(opts);
+  });
+  handoff.command("accept <key>").description("claim an open handoff and bind this session to its North Star").option("--json", "machine-readable output").action((key, opts) => closeSourceHandoff(key, "claimed", opts));
+  handoff.command("cancel <key>").description("close an open handoff without claiming it").option("--json", "machine-readable output").action((key, opts) => closeSourceHandoff(key, "cancelled", opts));
+  handoff.command("decline <key>").description("leave an open handoff unchanged so it is re-offered later").option("--json", "machine-readable output").action((key, opts) => runHandoffDecline(key, opts));
+}
+
 // src/honcho-commands.ts
 var import_node_child_process5 = require("node:child_process");
 var import_promises3 = require("node:fs/promises");
-var import_node_fs9 = require("node:fs");
+var import_node_fs10 = require("node:fs");
 var import_node_path8 = require("node:path");
 
 // src/honcho-ingest-skip.ts
-var import_node_fs8 = require("node:fs");
+var import_node_fs9 = require("node:fs");
 var import_node_path7 = require("node:path");
 var INGEST_SKIP_FILE = ".mmi/honcho/last-skip.json";
 function recordIngestSkip(record) {
   try {
-    (0, import_node_fs8.mkdirSync)((0, import_node_path7.dirname)(INGEST_SKIP_FILE), { recursive: true });
-    (0, import_node_fs8.writeFileSync)(INGEST_SKIP_FILE, JSON.stringify(record), "utf8");
+    (0, import_node_fs9.mkdirSync)((0, import_node_path7.dirname)(INGEST_SKIP_FILE), { recursive: true });
+    (0, import_node_fs9.writeFileSync)(INGEST_SKIP_FILE, JSON.stringify(record), "utf8");
   } catch {
   }
 }
 function readIngestSkip() {
   try {
-    if (!(0, import_node_fs8.existsSync)(INGEST_SKIP_FILE)) return null;
-    const o = JSON.parse((0, import_node_fs8.readFileSync)(INGEST_SKIP_FILE, "utf8"));
+    if (!(0, import_node_fs9.existsSync)(INGEST_SKIP_FILE)) return null;
+    const o = JSON.parse((0, import_node_fs9.readFileSync)(INGEST_SKIP_FILE, "utf8"));
     return o?.reason && o?.surface && o?.ts ? o : null;
   } catch {
     return null;
@@ -5097,7 +5363,7 @@ function readIngestSkip() {
 }
 function clearIngestSkip() {
   try {
-    if ((0, import_node_fs8.existsSync)(INGEST_SKIP_FILE)) (0, import_node_fs8.unlinkSync)(INGEST_SKIP_FILE);
+    if ((0, import_node_fs9.existsSync)(INGEST_SKIP_FILE)) (0, import_node_fs9.unlinkSync)(INGEST_SKIP_FILE);
   } catch {
   }
 }
@@ -5159,7 +5425,8 @@ function formatVaultPointer(p) {
     ``,
     `enumerate actual keys:  mmi-cli secrets list`,
     `read one:               mmi-cli secrets get <stage>/<KEY>   (e.g. main/GOOGLE_CLIENT_ID)`,
-    `set a project-tier key: mmi-cli secrets set <KEY>           (value via stdin; org tier needs a master grant)`
+    `set a project-tier key: mmi-cli secrets set <KEY>           (value via stdin; org tier needs a master grant)`,
+    `copy provider keys:     mmi-cli secrets copy --from rc --to dev --keys RECALL_API_KEY,GEMINI_API_KEY`
   ];
   return lines.join("\n");
 }
@@ -5503,6 +5770,54 @@ async function secretsRevoke(deps, repo, login, key, _opts) {
   }
   deps.log(`revoked @${login}'s access to ${key} in ${repo}`);
 }
+var SECRET_COPY_BLOCKED_RE = /(?:ENC_KEY|ENCRYPTION_KEY|SECRET_KEY_BASE)/i;
+function isSecretCopyBlocked(key) {
+  const slash = key.indexOf("/");
+  const leaf = slash === -1 ? key : key.slice(slash + 1);
+  return SECRET_COPY_BLOCKED_RE.test(leaf);
+}
+function copyTierKey(stage2, leaf) {
+  return `${stage2}/${leaf}`;
+}
+async function secretsCopy(deps, opts) {
+  if (opts.from === opts.to) {
+    deps.err("secrets copy: --from and --to must differ");
+    return false;
+  }
+  const keys = [...new Set(opts.keys.map((k) => k.trim()).filter(Boolean))];
+  if (!keys.length) {
+    deps.err("secrets copy: --keys required (comma-separated allowlist)");
+    return false;
+  }
+  for (const key of keys) {
+    if (!isValidSecretKey(key)) {
+      deps.err(`invalid secret key ${JSON.stringify(key)}`);
+      return false;
+    }
+    if (isSecretCopyBlocked(key)) {
+      deps.err(`secrets copy: ${key} is not copyable \u2014 generate encryption/stage-distinct keys per stage`);
+      return false;
+    }
+  }
+  for (const key of keys) {
+    const leaf = secretLeafName(key);
+    const srcKey = copyTierKey(opts.from, leaf);
+    const dstKey = copyTierKey(opts.to, leaf);
+    const value = await fetchSecretValue(deps, srcKey, opts);
+    if (!value) {
+      deps.err(`secrets copy: could not read source ${srcKey}`);
+      return false;
+    }
+    if (opts.dryRun) {
+      deps.log(`would copy ${srcKey} \u2192 ${dstKey}`);
+      continue;
+    }
+    const ok = await putSecret(deps, dstKey, value, opts);
+    if (!ok) return false;
+    deps.log(`copied ${srcKey} \u2192 ${dstKey}`);
+  }
+  return true;
+}
 async function secretsUse(deps, key, opts) {
   const slug = await vaultSlug(deps, opts);
   const tier = classifyTier(slug, key);
@@ -5580,7 +5895,7 @@ async function resolveHonchoConfig(cfg = {}, opts = {}) {
 }
 
 // src/honcho-ingest.ts
-var import_node_crypto4 = require("node:crypto");
+var import_node_crypto5 = require("node:crypto");
 var DEFAULT_HONCHO_MAX_CHARS = 4e3;
 var DEFAULT_HONCHO_CARD_MAX_CHARS = 1200;
 var REDACTED = "[REDACTED]";
@@ -5666,7 +5981,7 @@ function buildIngestPayload(args) {
   const maxChars = args.maxChars ?? DEFAULT_HONCHO_MAX_CHARS;
   const messages = args.messages.map((m) => ({ role: m.role, content: capContent(redactSecrets(m.content), maxChars) })).filter((m) => m.content.trim().length > 0);
   return {
-    id: args.id ?? (0, import_node_crypto4.randomUUID)(),
+    id: args.id ?? (0, import_node_crypto5.randomUUID)(),
     workspace: args.workspace,
     peer: args.peer,
     session: args.session,
@@ -5873,7 +6188,7 @@ function honchoThrottlePath(key) {
 function honchoIngestDue(path2, intervalMs, now = Date.now()) {
   if (intervalMs <= 0) return true;
   try {
-    const last = Number((0, import_node_fs9.readFileSync)(path2, "utf8").trim()) || 0;
+    const last = Number((0, import_node_fs10.readFileSync)(path2, "utf8").trim()) || 0;
     return now - last >= intervalMs;
   } catch {
     return true;
@@ -5881,8 +6196,8 @@ function honchoIngestDue(path2, intervalMs, now = Date.now()) {
 }
 function markHonchoIngest(path2, now = Date.now()) {
   try {
-    (0, import_node_fs9.mkdirSync)((0, import_node_path8.dirname)(path2), { recursive: true });
-    (0, import_node_fs9.writeFileSync)(path2, String(now), "utf8");
+    (0, import_node_fs10.mkdirSync)((0, import_node_path8.dirname)(path2), { recursive: true });
+    (0, import_node_fs10.writeFileSync)(path2, String(now), "utf8");
   } catch {
   }
 }
@@ -6165,8 +6480,205 @@ async function syncDocs(deps, docs2 = SYNCED_DOCS) {
 }
 
 // src/session-start.ts
-var import_node_fs10 = require("node:fs");
+var import_node_fs12 = require("node:fs");
+var import_node_path10 = require("node:path");
+
+// src/scratch-gc.ts
+var import_node_fs11 = require("node:fs");
 var import_node_path9 = require("node:path");
+var TMP_STALE_MS = 6e4;
+var FLUSH_LOCK_GC_MS = 6e5;
+var HEAD_TS_STALE_MS = 48 * 36e5;
+var LAST_SKIP_STALE_MS = 24 * 36e5;
+var CONFLICT_COPY_STALE_MS = 24 * 36e5;
+var PLAN_ADVISORY_AGE_MS = 30 * 24 * 36e5;
+var SCRATCH_GC_THROTTLE_MS = 24 * 36e5;
+function scratchGcThrottlePath(mmiRoot) {
+  return (0, import_node_path9.join)(mmiRoot, "head-ts", ".scratch-gc-last");
+}
+function scratchGcDue(stampPath, now = Date.now(), read = import_node_fs11.readFileSync) {
+  try {
+    return now - (Number(read(stampPath, "utf8").trim()) || 0) >= SCRATCH_GC_THROTTLE_MS;
+  } catch {
+    return true;
+  }
+}
+function markScratchGcRun(stampPath, now = Date.now()) {
+  try {
+    (0, import_node_fs11.mkdirSync)((0, import_node_path9.dirname)(stampPath), { recursive: true });
+    (0, import_node_fs11.writeFileSync)(stampPath, String(now), "utf8");
+  } catch {
+  }
+}
+function executeScratchGc(repoRoot, opts, now = Date.now()) {
+  const snap = collectScratchSnapshot(repoRoot);
+  const plan2 = planScratchGc(snap, now);
+  if (!opts.apply) return { plan: plan2 };
+  return { plan: plan2, applied: applyScratchGc(plan2, snap.mmiRoot, now) };
+}
+var NEVER_BASENAMES = /* @__PURE__ */ new Set([".session", "config.json", "saga-pending.jsonl"]);
+var TMP_SIDECAR_BASES = ["saga-pending.jsonl", "last-skip.json"];
+var CONFLICT_COPY_ALLOWLIST = /* @__PURE__ */ new Set(["saga-pending.jsonl", "last-skip.json"]);
+function conflictCopyOriginal(name) {
+  const m = /^(.+) \d+(\.[^.]+)$/.exec(name);
+  return m ? `${m[1]}${m[2]}` : null;
+}
+function isTmpSidecar(name) {
+  return name.endsWith(".tmp") && TMP_SIDECAR_BASES.some((b) => name.startsWith(`${b}.`));
+}
+function planScratchGc(snap, now = Date.now()) {
+  const candidates = [];
+  const normalizePath = (p) => p.replace(/\\/g, "/");
+  const mmiPaths = new Set(snap.mmiFiles.map((f) => normalizePath(f.path)));
+  const headTsPrefix = `${snap.mmiRoot.replace(/[\\/]+$/, "")}/head-ts/`.replace(/\\/g, "/");
+  const days = (ms) => `${Math.floor(ms / 864e5)}d`;
+  for (const f of snap.mmiFiles) {
+    const age = now - f.mtimeMs;
+    const add = (family, reason) => candidates.push({ path: f.path, family, tier: "safe-auto", reason, bytes: f.bytes });
+    if (isTmpSidecar(f.name)) {
+      if (age > TMP_STALE_MS) add("tmp-sidecar", `crashed atomic-write sidecar (${days(age)} old)`);
+      continue;
+    }
+    if (f.name === "saga-flush.lock") {
+      if (age > FLUSH_LOCK_GC_MS) add("flush-lock", `abandoned flush lock (${days(age)} old)`);
+      continue;
+    }
+    if (NEVER_BASENAMES.has(f.name)) continue;
+    if (f.path.replace(/\\/g, "/").startsWith(headTsPrefix) && !f.name.startsWith(".")) {
+      if (age > HEAD_TS_STALE_MS) add("head-ts", `stale throttle stamp (${days(age)} old)`);
+      continue;
+    }
+    if (f.name === "last-skip.json") {
+      if (age > LAST_SKIP_STALE_MS) add("last-skip", `stale ingest-skip hint (${days(age)} old)`);
+      continue;
+    }
+    const orig = conflictCopyOriginal(f.name);
+    if (orig && CONFLICT_COPY_ALLOWLIST.has(orig) && mmiPaths.has(normalizePath((0, import_node_path9.join)(f.dir, orig))) && age > CONFLICT_COPY_STALE_MS) {
+      add("conflict-copy", `cloud-sync conflict copy of ${orig} (${days(age)} old)`);
+    }
+  }
+  if (snap.syncQueueSlugs) {
+    for (const f of snap.planMdFiles) {
+      const slug = f.name.replace(/\.md$/, "");
+      if (snap.syncQueueSlugs.has(slug)) continue;
+      if (now - f.mtimeMs > PLAN_ADVISORY_AGE_MS) {
+        candidates.push({
+          path: f.path,
+          family: "plan",
+          tier: "advisory",
+          reason: `synced plan older than ${Math.floor(PLAN_ADVISORY_AGE_MS / 864e5)}d`,
+          bytes: f.bytes
+        });
+      }
+    }
+  }
+  return {
+    candidates,
+    safeAuto: candidates.filter((c) => c.tier === "safe-auto"),
+    advisory: candidates.filter((c) => c.tier === "advisory")
+  };
+}
+function formatScratchGcPlan(plan2, applied) {
+  if (plan2.candidates.length === 0) return "scratch GC: nothing to prune \u2014 local saga/plan/honcho scratch is clean.";
+  const lines = [];
+  const bytes = plan2.safeAuto.reduce((n, c) => n + c.bytes, 0);
+  lines.push(
+    `scratch GC: ${applied ? "pruned" : "would prune"} ${plan2.safeAuto.length} stale file(s) (${bytes} bytes)` + (plan2.advisory.length ? `; ${plan2.advisory.length} advisory (kept):` : ":")
+  );
+  for (const c of plan2.safeAuto.slice(0, 40)) lines.push(`  - [${c.family}] ${c.path} \u2014 ${c.reason}`);
+  if (plan2.safeAuto.length > 40) lines.push(`  ... +${plan2.safeAuto.length - 40} more`);
+  for (const c of plan2.advisory.slice(0, 20)) lines.push(`  \xB7 [advisory] ${c.path} \u2014 ${c.reason} (kept; review manually)`);
+  return lines.join("\n");
+}
+function scratchGcBannerLine(safeAutoPruned, advisory) {
+  const parts = [];
+  if (safeAutoPruned > 0) parts.push(`pruned ${safeAutoPruned} stale local file(s)`);
+  if (advisory > 0) parts.push(`${advisory} old synced plan(s) prunable \u2014 \`mmi-cli gc --scratch --dry-run\` to review`);
+  return parts.length ? `[cleanup] ${parts.join("; ")}` : void 0;
+}
+function applyScratchGc(plan2, mmiRoot, now = Date.now()) {
+  const result = { pruned: [], skipped: 0, bytes: 0 };
+  let anchor;
+  try {
+    anchor = (0, import_node_fs11.realpathSync)(mmiRoot).replace(/\\/g, "/").replace(/\/+$/, "");
+  } catch {
+    return result;
+  }
+  for (const c of plan2.safeAuto) {
+    try {
+      const real = (0, import_node_fs11.realpathSync)(c.path).replace(/\\/g, "/");
+      if (real !== anchor && !real.startsWith(`${anchor}/`)) {
+        result.skipped += 1;
+        continue;
+      }
+      const st = (0, import_node_fs11.statSync)(c.path);
+      const floor = c.family === "flush-lock" ? FLUSH_LOCK_GC_MS : c.family === "tmp-sidecar" ? TMP_STALE_MS : c.family === "head-ts" ? HEAD_TS_STALE_MS : c.family === "last-skip" ? LAST_SKIP_STALE_MS : CONFLICT_COPY_STALE_MS;
+      if (now - st.mtimeMs <= floor) {
+        result.skipped += 1;
+        continue;
+      }
+      (0, import_node_fs11.unlinkSync)(c.path);
+      result.pruned.push(c.path);
+      result.bytes += c.bytes;
+    } catch {
+      result.skipped += 1;
+    }
+  }
+  return result;
+}
+function collectScratchSnapshot(repoRoot, deps = {}) {
+  const readdir = deps.readdir ?? import_node_fs11.readdirSync;
+  const stat = deps.stat ?? import_node_fs11.statSync;
+  const readFile5 = deps.readFile ?? import_node_fs11.readFileSync;
+  const mmiRoot = (0, import_node_path9.join)(repoRoot, ".mmi");
+  const plansRoot = (0, import_node_path9.join)(repoRoot, "plans");
+  const mmiFiles = [];
+  try {
+    for (const ent of readdir(mmiRoot, { recursive: true, withFileTypes: true })) {
+      if (!ent.isFile()) continue;
+      const dir = ent.parentPath ?? ent.path ?? mmiRoot;
+      const full = (0, import_node_path9.join)(dir, ent.name);
+      try {
+        const st = stat(full);
+        mmiFiles.push({ path: full, dir, name: ent.name, mtimeMs: st.mtimeMs, bytes: st.size });
+      } catch {
+      }
+    }
+  } catch {
+  }
+  const planMdFiles = [];
+  try {
+    for (const ent of readdir(plansRoot, { withFileTypes: true })) {
+      if (!ent.isFile() || !ent.name.endsWith(".md")) continue;
+      const full = (0, import_node_path9.join)(plansRoot, ent.name);
+      try {
+        const st = stat(full);
+        planMdFiles.push({ path: full, dir: plansRoot, name: ent.name, mtimeMs: st.mtimeMs, bytes: st.size });
+      } catch {
+      }
+    }
+  } catch {
+  }
+  let syncQueueSlugs = null;
+  let queueRaw;
+  try {
+    queueRaw = readFile5((0, import_node_path9.join)(plansRoot, ".sync-queue.json"), "utf8");
+  } catch {
+    syncQueueSlugs = /* @__PURE__ */ new Set();
+  }
+  if (queueRaw !== void 0) {
+    try {
+      const parsed = JSON.parse(queueRaw);
+      const entries = Array.isArray(parsed) ? parsed : parsed.entries ?? [];
+      syncQueueSlugs = new Set(entries.map((e) => e.slug).filter((s) => typeof s === "string"));
+    } catch {
+      syncQueueSlugs = null;
+    }
+  }
+  return { mmiRoot, mmiFiles, planMdFiles, syncQueueSlugs };
+}
+
+// src/session-start.ts
 async function runBufferedStep(step) {
   const lines = [];
   const io = {
@@ -6194,6 +6706,7 @@ function buildSessionStartPlan(verbs) {
     parallel: [
       { name: "rules sync", run: verbs.rulesSync },
       { name: "saga show", run: verbs.sagaShow },
+      { name: "handoff offer", run: verbs.handoffOffer },
       // honcho profile (#1162): the behavioral-memory prior, flushed right after the saga resume. A fast
       // peer-card GET, fail-soft + silent when off/empty — it never hangs or noises the banner.
       { name: "honcho profile", run: verbs.honchoContext },
@@ -6217,12 +6730,12 @@ function spawnDetachedSelf(args, deps) {
 }
 function planStoreLines(cwd) {
   const mdFiles = (dir, minSize = 0) => {
-    const p = (0, import_node_path9.join)(cwd, dir);
-    if (!(0, import_node_fs10.existsSync)(p)) return [];
+    const p = (0, import_node_path10.join)(cwd, dir);
+    if (!(0, import_node_fs12.existsSync)(p)) return [];
     try {
-      return (0, import_node_fs10.readdirSync)(p).filter((f) => f.toLowerCase().endsWith(".md")).filter((f) => {
+      return (0, import_node_fs12.readdirSync)(p).filter((f) => f.toLowerCase().endsWith(".md")).filter((f) => {
         try {
-          return (0, import_node_fs10.statSync)((0, import_node_path9.join)(p, f)).size >= minSize;
+          return (0, import_node_fs12.statSync)((0, import_node_path10.join)(p, f)).size >= minSize;
         } catch {
           return false;
         }
@@ -6240,6 +6753,19 @@ function planStoreLines(cwd) {
     out.push(`[plan-store] ${localPlans.length} local plan(s) in plans/ \u2014 ensure new/changed ones are \`mmi-cli plan push\`ed (S3-backed, not git).`);
   return out;
 }
+function scratchGcLines(cwd, env = process.env, now = Date.now()) {
+  if (env.MMI_NO_AUTO_GC) return [];
+  try {
+    const stamp = scratchGcThrottlePath((0, import_node_path10.join)(cwd, ".mmi"));
+    if (!scratchGcDue(stamp, now)) return [];
+    const run = executeScratchGc(cwd, { apply: true }, now);
+    markScratchGcRun(stamp, now);
+    const line = scratchGcBannerLine(run.applied?.pruned.length ?? 0, run.plan.advisory.length);
+    return line ? [line] : [];
+  } catch {
+    return [];
+  }
+}
 function northstarPointer(injected = false) {
   if (injected) {
     return "North Stars: `mmi-cli northstar relevant` for more matches; `northstar pull <slug>` for the full SSOT.";
@@ -6287,6 +6813,71 @@ function recoverPriorityFromEvents(events) {
   return found;
 }
 
+// src/board-dependency.ts
+var DEPENDS_ON_LINE = /^\s*[-*]?\s*\*\*Depends on:\*\*\s*(.+)$/im;
+var ISSUE_REF = /([a-zA-Z0-9_.-]+\/[a-zA-Z0-9_.-]+)#(\d+)/g;
+function parseDependsOnRefs(body) {
+  const match = body.match(DEPENDS_ON_LINE);
+  if (!match) return [];
+  const refs = [];
+  for (const m of match[1].matchAll(ISSUE_REF)) {
+    refs.push({ repo: m[1], number: Number(m[2]) });
+  }
+  return refs;
+}
+async function issueOpen(client, repo, number) {
+  try {
+    const data = await client.rest("GET", `repos/${repo}/issues/${number}`);
+    return data?.state === "OPEN";
+  } catch {
+    return void 0;
+  }
+}
+async function dependencyBlocksClaim(client, body) {
+  const refs = parseDependsOnRefs(body);
+  if (!refs.length) return { blocked: false, openDependencies: [] };
+  const openDependencies = [];
+  for (const ref of refs) {
+    const open = await issueOpen(client, ref.repo, ref.number);
+    if (open === true) openDependencies.push(`${ref.repo}#${ref.number}`);
+  }
+  return { blocked: openDependencies.length > 0, openDependencies };
+}
+async function filterDependencyBlockedClaimables(items, client, opts = {}) {
+  const claimable = [];
+  const blocked = [];
+  const warnings = [];
+  for (const item of items) {
+    if (item.contentType !== "Issue") {
+      claimable.push(item);
+      continue;
+    }
+    let body = item.details?.body;
+    if (body === void 0) {
+      if (opts.requireBundledBody) {
+        claimable.push(item);
+        continue;
+      }
+      try {
+        const data = await client.rest("GET", `repos/${item.repository}/issues/${item.number}`);
+        body = data?.body ?? "";
+      } catch (e) {
+        warnings.push(`dependency check skipped for ${item.ref}: ${e.message}`);
+        claimable.push(item);
+        continue;
+      }
+    }
+    const gate = await dependencyBlocksClaim(client, body);
+    if (gate.blocked) {
+      blocked.push(item);
+      warnings.push(`${item.ref} blocked on open ${gate.openDependencies.join(", ")}`);
+    } else {
+      claimable.push(item);
+    }
+  }
+  return { claimable, blocked, warnings };
+}
+
 // ../infra/board-vocab.mjs
 var BOARD_STATUSES = ["Todo", "In Progress", "In Review", "Done"];
 
@@ -6610,6 +7201,13 @@ async function readBoard(options, deps = {}) {
   if (options.includeBundleDetails) {
     await attachBundleDetails(report, client, options.allowPartial ?? false);
   }
+  for (const scope of ["primary", "secondary"]) {
+    const filtered = await filterDependencyBlockedClaimables(report[scope].claimable, client, {
+      requireBundledBody: Boolean(options.includeBundleDetails)
+    });
+    report[scope].claimable = filtered.claimable;
+    report.warnings.push(...filtered.warnings);
+  }
   return report;
 }
 function findBoardItem(items, selector) {
@@ -6691,6 +7289,11 @@ async function prepareClaimContext(options, selectors, deps, collected) {
     warnings: collected.warnings,
     partial: collected.partial
   };
+  for (const scope of ["primary", "secondary"]) {
+    const filtered = await filterDependencyBlockedClaimables(report[scope].claimable, client);
+    report[scope].claimable = filtered.claimable;
+    report.warnings.push(...filtered.warnings);
+  }
   return { cfg, client, items: collected.items, writable: writable.repos, report };
 }
 async function claimOneBoardItem(ctx, selector, options) {
@@ -6699,6 +7302,21 @@ async function claimOneBoardItem(ctx, selector, options) {
   if (flatItem.status === "Todo" && flatItem.assignees.length === 0 && !ctx.writable.has(flatItem.repository.toLowerCase())) {
     throw new Error(`${flatItem.ref} is not claimable: viewer does not have write access to ${flatItem.repository}`);
   }
+  if (flatItem.contentType === "Issue") {
+    let body = flatItem.details?.body;
+    if (body === void 0) {
+      try {
+        const data = await client.rest("GET", `repos/${flatItem.repository}/issues/${flatItem.number}`);
+        body = data?.body ?? "";
+      } catch {
+        body = "";
+      }
+    }
+    const gate = await dependencyBlocksClaim(client, body);
+    if (gate.blocked) {
+      throw new Error(`${flatItem.ref} is not claimable: blocked on open ${gate.openDependencies.join(", ")}`);
+    }
+  }
   let item = findClaimableItem(report, selector);
   if (item.contentType !== "Issue") throw new Error(`${item.ref} is not an issue`);
   const fresh = (await fetchIssueProjectItem(client, cfg, { repo: item.repository, number: item.number })).item;
@@ -6824,6 +7442,73 @@ async function backfillBoardPriorities(options, deps = {}) {
   }
   return result;
 }
+async function prunePriorityLabels(options, deps = {}) {
+  const cfg = resolveBoardConfig(options.config);
+  const client = deps.client ?? defaultGitHubClient();
+  const collected = await collectBoardItems(cfg, { repo: options.repo }, deps);
+  const issues = collected.items.filter(
+    (item) => item.contentType === "Issue" && item.labels.some((l) => labelToFieldPriority(l))
+  );
+  const concurrency = Math.max(1, options.concurrency ?? 8);
+  const result = {
+    scanned: issues.length,
+    pruned: 0,
+    removedLabels: 0,
+    skippedNoField: 0,
+    failed: 0,
+    details: []
+  };
+  async function work(item) {
+    const priorityLabels = item.labels.filter((l) => labelToFieldPriority(l));
+    if (!priorityLabels.length) return;
+    if (!item.priority) {
+      result.skippedNoField += 1;
+      result.details.push(
+        `${item.ref}: Priority field unset \u2014 kept ${priorityLabels.join(", ")} (run \`mmi-cli board backfill-priority\` first)`
+      );
+      return;
+    }
+    if (options.dryRun) {
+      result.pruned += 1;
+      result.removedLabels += priorityLabels.length;
+      result.details.push(`${item.ref} \u2192 remove ${priorityLabels.join(", ")} (field=${item.priority}) (dry-run)`);
+      return;
+    }
+    try {
+      const removed = [];
+      const alreadyAbsent = [];
+      for (const label of priorityLabels) {
+        try {
+          await client.rest(
+            "DELETE",
+            `repos/${item.repository}/issues/${item.number}/labels/${encodeURIComponent(label)}`
+          );
+          removed.push(label);
+          result.removedLabels += 1;
+        } catch (e) {
+          if (e instanceof GitHubApiError && e.status === 404) {
+            alreadyAbsent.push(label);
+            continue;
+          }
+          throw e;
+        }
+      }
+      result.pruned += 1;
+      const parts = [
+        ...removed.length ? [`removed ${removed.join(", ")}`] : [],
+        ...alreadyAbsent.length ? [`already absent ${alreadyAbsent.join(", ")}`] : []
+      ];
+      result.details.push(`${item.ref} \u2192 ${parts.join("; ")} (field=${item.priority})`);
+    } catch (e) {
+      result.failed += 1;
+      result.details.push(`${item.ref}: ${ghError(e)}`);
+    }
+  }
+  for (let i = 0; i < issues.length; i += concurrency) {
+    await Promise.all(issues.slice(i, i + concurrency).map(work));
+  }
+  return result;
+}
 async function recoverIssuePriority(client, item) {
   for (const label of item.labels) {
     const fromLabel = labelToFieldPriority(label);
@@ -7082,6 +7767,109 @@ async function runBoardSlice(io, deps, opts) {
   }
 }
 
+// src/worktree.ts
+var import_node_fs13 = require("node:fs");
+var import_node_path11 = require("node:path");
+var LOCAL_ONLY_FILES = [".claude/settings.local.json"];
+var PKG = "package.json";
+var LOCKFILE = "package-lock.json";
+var NODE_MODULES = "node_modules";
+var realFsProbe = {
+  isDir: (p) => {
+    try {
+      return (0, import_node_fs13.statSync)(p).isDirectory();
+    } catch {
+      return false;
+    }
+  },
+  isFile: (p) => {
+    try {
+      return (0, import_node_fs13.statSync)(p).isFile();
+    } catch {
+      return false;
+    }
+  },
+  listDirs: (p) => {
+    try {
+      return (0, import_node_fs13.readdirSync)(p, { withFileTypes: true }).filter((e) => e.isDirectory()).map((e) => e.name);
+    } catch {
+      return [];
+    }
+  }
+};
+function scanInstallDirs(root, fs2 = realFsProbe) {
+  const factsFor = (dir) => {
+    const abs = dir ? (0, import_node_path11.join)(root, dir) : root;
+    return {
+      dir,
+      hasPackageJson: fs2.isFile((0, import_node_path11.join)(abs, PKG)),
+      hasLockfile: fs2.isFile((0, import_node_path11.join)(abs, LOCKFILE)),
+      hasNodeModules: fs2.isDir((0, import_node_path11.join)(abs, NODE_MODULES))
+    };
+  };
+  const children = fs2.listDirs(root).filter((name) => name !== NODE_MODULES && name !== ".git");
+  return [factsFor(""), ...children.map(factsFor).filter((f) => f.hasPackageJson)];
+}
+function npmInstallTargets(dirs) {
+  return dirs.filter((d) => d.hasPackageJson && !d.hasNodeModules).map((d) => ({ dir: d.dir, command: d.hasLockfile ? "npm ci" : "npm install" }));
+}
+function isLinkedWorktree(root, fs2 = realFsProbe) {
+  return fs2.isFile((0, import_node_path11.join)(root, ".git"));
+}
+function worktreeAutoProvisionBanner(root, fs2 = realFsProbe) {
+  if (!isLinkedWorktree(root, fs2)) return null;
+  const pending = npmInstallTargets(scanInstallDirs(root, fs2));
+  if (!pending.length) return null;
+  const where = pending.map((t) => t.dir || ".").join(", ");
+  return `[worktree] provisioning tooling in the background (deps in ${where} + local config) \u2014 \`mmi-cli worktree setup\` to redo`;
+}
+function defaultCopyFile(from, to) {
+  (0, import_node_fs13.mkdirSync)((0, import_node_path11.dirname)(to), { recursive: true });
+  (0, import_node_fs13.copyFileSync)(from, to);
+}
+async function provisionWorktree(worktreeRoot, deps) {
+  const fs2 = deps.fs ?? realFsProbe;
+  const copyFile = deps.copyFile ?? defaultCopyFile;
+  const log = deps.log ?? (() => {
+  });
+  const allDirs = scanInstallDirs(worktreeRoot, fs2);
+  const targets = npmInstallTargets(allDirs);
+  const skippedInstall = allDirs.filter((d) => d.hasPackageJson && d.hasNodeModules).map((d) => d.dir);
+  const installed = [];
+  for (const target of targets) {
+    const cwd = target.dir ? (0, import_node_path11.join)(worktreeRoot, target.dir) : worktreeRoot;
+    log(`installing deps: ${target.command} in ${target.dir || "."}`);
+    await deps.runInstall(target.command, cwd);
+    installed.push(target);
+  }
+  const copied = [];
+  const copySkipped = [];
+  const primary = await deps.primaryCheckout();
+  for (const rel of LOCAL_ONLY_FILES) {
+    const dest = (0, import_node_path11.join)(worktreeRoot, rel);
+    if (fs2.isFile(dest)) {
+      copySkipped.push({ file: rel, reason: "already-present" });
+      continue;
+    }
+    if (!primary) {
+      copySkipped.push({ file: rel, reason: "no-primary" });
+      continue;
+    }
+    if (!fs2.isFile((0, import_node_path11.join)(primary, rel))) {
+      copySkipped.push({ file: rel, reason: "absent-in-primary" });
+      continue;
+    }
+    copyFile((0, import_node_path11.join)(primary, rel), dest);
+    copied.push(rel);
+    log(`copied local config: ${rel}`);
+  }
+  return { worktree: worktreeRoot, installed, skippedInstall, copied, copySkipped };
+}
+function defaultWorktreePath(repoRoot, branch) {
+  const safe = branch.replace(/[/\\]+/g, "-");
+  return (0, import_node_path11.join)((0, import_node_path11.dirname)(repoRoot), "mmi-worktrees", safe);
+}
+
 // src/frontmatter.ts
 function splitFrontmatter(content) {
   const match = /^---\n([\s\S]*?)\n---(?:\n|$)/.exec(content);
@@ -7237,54 +8025,460 @@ function buildNorthstarContextBlock(ranked, signals, readLocal, opts = {}) {
     cards.push(card);
     used += card.length;
   }
-  if (!cards.length) return null;
-  return [NORTHSTAR_CONTEXT_FRAMING, ...cards].join("\n");
+  if (!cards.length) return null;
+  return [NORTHSTAR_CONTEXT_FRAMING, ...cards].join("\n");
+}
+async function withTimeout2(promise, ms) {
+  let timer;
+  try {
+    return await Promise.race([
+      promise,
+      new Promise((_, reject) => {
+        timer = setTimeout(() => reject(new Error("northstar context timeout")), ms);
+      })
+    ]);
+  } finally {
+    if (timer) clearTimeout(timer);
+  }
+}
+async function runNorthstarContext(io, deps) {
+  try {
+    const injected = await withTimeout2(
+      (async () => {
+        const plans = await deps.loadPlans();
+        if (!plans.length) return false;
+        const signals = await deps.gatherSignals();
+        const ranked = rankPlansByRelevance(plans, signals);
+        const block = buildNorthstarContextBlock(ranked, signals, deps.readLocal, {
+          anchorSlug: signals.anchorSlug
+        });
+        if (!block) return false;
+        io.log(block);
+        return true;
+      })(),
+      deps.timeoutMs ?? SESSION_START_NORTHSTAR_TIMEOUT_MS
+    );
+    return injected;
+  } catch {
+    return false;
+  }
+}
+
+// src/index.ts
+var import_node_path16 = require("node:path");
+
+// src/merge-ci-policy.ts
+function resolveMergeCiPolicy(input) {
+  if (input.registryCi === "none") {
+    return { policy: "no-ci", reason: "registry META ci:none" };
+  }
+  if (input.registryRequiredChecks === null) {
+    return { policy: "no-ci", reason: "registry META requiredChecks:null" };
+  }
+  if (Array.isArray(input.registryRequiredChecks) && input.registryRequiredChecks.length === 0) {
+    return { policy: "no-ci", reason: "registry META requiredChecks:[]" };
+  }
+  const ciWorkflows = input.workflowPaths.filter(
+    (p) => /^\.github\/workflows\/[^/]+\.(ya?ml)$/i.test(p.replace(/\\/g, "/"))
+  );
+  if (!ciWorkflows.length) {
+    return { policy: "no-ci", reason: "no .github/workflows CI" };
+  }
+  return { policy: "wait-for-checks", reason: ciWorkflows.join(", ") };
+}
+function parseGhPrChecksOutput(stdout) {
+  const text = stdout.trim();
+  if (!text) return "no-checks-reported";
+  if (/^no checks reported/i.test(text)) return "no-checks-reported";
+  const lines = text.split(/\r?\n/).filter((l) => l.trim());
+  if (!lines.length) return "no-checks-reported";
+  let anyPending = false;
+  for (const line of lines) {
+    const parts = line.split(/\s+/);
+    const state = (parts[1] ?? "").toLowerCase();
+    if (state === "fail" || state === "failure" || state === "error") return "failure";
+    if (state === "pass" || state === "success" || state === "skipping" || state === "skipped") continue;
+    anyPending = true;
+  }
+  return anyPending ? "pending" : "success";
+}
+var PR_CHECKS_POLL_MS = 3e4;
+var PR_CHECKS_TIMEOUT_MS = 10 * 6e4;
+async function waitForPrChecks(deps) {
+  const { policy, reason } = await deps.resolvePolicy();
+  if (policy === "no-ci") {
+    return { policy, status: "skipped", reason };
+  }
+  const now = deps.now ?? (() => Date.now());
+  const deadline = now() + PR_CHECKS_TIMEOUT_MS;
+  let lastDetail = "pending";
+  while (now() < deadline) {
+    const state = await deps.pollChecks();
+    if (state === "success") return { policy, status: "success", detail: lastDetail };
+    if (state === "failure") return { policy, status: "failure", detail: lastDetail };
+    if (state === "no-checks-reported") {
+      lastDetail = "no-checks-reported (waiting for workflow to queue)";
+      await deps.sleep(PR_CHECKS_POLL_MS);
+      continue;
+    }
+    lastDetail = state;
+    await deps.sleep(PR_CHECKS_POLL_MS);
+  }
+  return { policy, status: "timeout", detail: lastDetail };
+}
+
+// src/bootstrap-ruleset.ts
+var PRODUCT_RULESET_NAME = "mmi-product-required-checks";
+var PRODUCT_GATE_CONTEXT = "gate";
+function stripRulesetComment(raw) {
+  const parsed = JSON.parse(raw);
+  delete parsed._comment;
+  return parsed;
+}
+function rulesetHasGateContext(ruleset, context = PRODUCT_GATE_CONTEXT) {
+  for (const rule of ruleset.rules ?? []) {
+    if (rule.type !== "required_status_checks") continue;
+    for (const check of rule.parameters?.required_status_checks ?? []) {
+      if (check.context === context) return true;
+    }
+  }
+  return false;
+}
+function findProductRuleset(rulesets) {
+  return rulesets.find((r) => r.name === PRODUCT_RULESET_NAME);
+}
+async function activateProductRuleset(repo, rulesetBody, client) {
+  const list = await client.rest("GET", `repos/${repo}/rulesets`, { timeoutMs: 2e4 });
+  const existing = findProductRuleset(list ?? []);
+  if (existing?.id != null) {
+    const detail = await client.rest("GET", `repos/${repo}/rulesets/${existing.id}`, { timeoutMs: 2e4 });
+    if (detail.enforcement === "active" && rulesetHasGateContext(detail)) {
+      return { action: "skipped", detail: "active ruleset already requires gate" };
+    }
+    await client.rest("PUT", `repos/${repo}/rulesets/${existing.id}`, { body: rulesetBody, timeoutMs: 2e4 });
+    return { action: "updated", detail: `ruleset ${existing.id}` };
+  }
+  await client.rest("POST", `repos/${repo}/rulesets`, { body: rulesetBody, timeoutMs: 2e4 });
+  return { action: "created" };
+}
+
+// src/ci-audit.ts
+var HUB_REPO = "mutmutco/MMI-Hub";
+var PRODUCT_GATE_CONTEXT2 = "gate";
+var HUB_GATE_CONTEXTS = ["cli", "infra", "docs"];
+var PRODUCT_GATE_PATH = ".github/workflows/gate.yml";
+var PRODUCT_RULESET_REF = ".github/rulesets/mmi-product-required-checks.json";
+function slugFromRepo(repo) {
+  return (repo.includes("/") ? repo.split("/")[1] : repo).toLowerCase();
+}
+function classifyRepo(repo, meta) {
+  if (repo.toLowerCase() === HUB_REPO.toLowerCase()) return "hub";
+  if (meta?.class === "content") return "content";
+  if (meta?.class === "deployable" || meta?.deployModel && meta.deployModel !== "content" && meta.deployModel !== "none") return "deployable";
+  if (meta) return "deployable";
+  return "unknown";
+}
+function rulesetStatusChecks(rulesets) {
+  return new Set(rulesets.flatMap((ruleset) => (ruleset.rules || []).filter((rule) => rule.type === "required_status_checks").flatMap((rule) => rule.parameters?.required_status_checks || []).map((check) => check.context).filter((context) => Boolean(context))));
+}
+async function restJson(deps, path2, fallback) {
+  try {
+    return await deps.client.rest("GET", path2) ?? fallback;
+  } catch {
+    return fallback;
+  }
+}
+async function rulesetDetails(deps, repo, list) {
+  const details = [];
+  for (const ruleset of list) {
+    if (ruleset.id == null || ruleset.rules != null) {
+      details.push(ruleset);
+      continue;
+    }
+    details.push(await restJson(deps, `repos/${repo}/rulesets/${ruleset.id}`, ruleset));
+  }
+  return details;
+}
+async function contentExists(deps, repo, branch, path2) {
+  try {
+    const encodedPath = path2.split("/").map(encodeURIComponent).join("/");
+    await deps.client.rest("GET", `repos/${repo}/contents/${encodedPath}?ref=${encodeURIComponent(branch)}`);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function collectRegistryRepos(projects) {
+  const seen = /* @__PURE__ */ new Set();
+  for (const project2 of projects) {
+    for (const raw of project2.repos ?? []) {
+      const repo = raw.includes("/") ? raw : `mutmutco/${raw}`;
+      seen.add(repo);
+    }
+  }
+  if (!seen.has(HUB_REPO)) seen.add(HUB_REPO);
+  return [...seen].sort((a, b) => a.localeCompare(b));
+}
+async function resolveRepoMergeCiPolicy(repo, deps) {
+  const meta = await deps.getProjectMeta(slugFromRepo(repo));
+  const repoClass = classifyRepo(repo, meta);
+  if (repoClass === "content") {
+    return resolveMergeCiPolicy({
+      workflowPaths: [],
+      registryCi: meta?.ci ?? "none",
+      registryRequiredChecks: meta?.requiredChecks ?? []
+    });
+  }
+  const baseBranch = "development";
+  const hasGate = repoClass === "hub" ? true : await contentExists(deps, repo, baseBranch, PRODUCT_GATE_PATH);
+  return resolveMergeCiPolicy({
+    workflowPaths: hasGate ? repoClass === "hub" ? [".github/workflows/gate.yml"] : [PRODUCT_GATE_PATH] : [],
+    registryCi: meta?.ci,
+    registryRequiredChecks: meta?.requiredChecks
+  });
+}
+async function auditRepoCi(repo, deps) {
+  const meta = await deps.getProjectMeta(slugFromRepo(repo));
+  const repoClass = classifyRepo(repo, meta);
+  const checks = [];
+  const info = await restJson(deps, `repos/${repo}`, {});
+  const baseBranch = repoClass === "content" ? "main" : "development";
+  checks.push({
+    ok: info.allow_auto_merge === true,
+    label: "allow_auto_merge enabled",
+    detail: info.allow_auto_merge === true ? void 0 : "false or unavailable",
+    remediation: `gh api -X PATCH repos/${repo} -f allow_auto_merge=true -f allow_squash_merge=true -f delete_branch_on_merge=true`
+  });
+  checks.push({
+    ok: info.allow_squash_merge === true,
+    label: "allow_squash_merge enabled",
+    detail: info.allow_squash_merge === true ? void 0 : "false or unavailable"
+  });
+  checks.push({
+    ok: info.delete_branch_on_merge === true,
+    label: "delete_branch_on_merge enabled",
+    detail: info.delete_branch_on_merge === true ? void 0 : "false or unavailable"
+  });
+  const hasGateWorkflow = repoClass === "hub" ? true : repoClass === "content" ? true : await contentExists(deps, repo, baseBranch, PRODUCT_GATE_PATH);
+  if (repoClass === "deployable") {
+    checks.push({
+      ok: hasGateWorkflow,
+      label: "gate workflow committed",
+      detail: hasGateWorkflow ? void 0 : `missing ${PRODUCT_GATE_PATH}`,
+      remediation: `mmi-cli bootstrap apply ${repo} --class deployable --execute (seeds gate.yml)`
+    });
+    checks.push({
+      ok: await contentExists(deps, repo, baseBranch, PRODUCT_RULESET_REF),
+      label: "product ruleset reference committed",
+      detail: `expected ${PRODUCT_RULESET_REF}`,
+      remediation: `mmi-cli bootstrap apply ${repo} --class deployable --execute`
+    });
+  }
+  const rulesetList = await restJson(deps, `repos/${repo}/rulesets?includes_parents=true`, []);
+  const rulesets = await rulesetDetails(deps, repo, rulesetList);
+  const activeBranchRulesets = rulesets.filter((r) => r.target === "branch" && r.enforcement === "active");
+  const statusChecks = rulesetStatusChecks(activeBranchRulesets);
+  if (repoClass === "hub") {
+    const missing = HUB_GATE_CONTEXTS.filter((c) => !statusChecks.has(c));
+    checks.push({
+      ok: missing.length === 0,
+      label: "Hub required status checks active",
+      detail: missing.length ? `missing: ${missing.join(", ")}` : void 0
+    });
+  } else if (repoClass === "deployable") {
+    const missing = [PRODUCT_GATE_CONTEXT2].filter((c) => !statusChecks.has(c));
+    checks.push({
+      ok: missing.length === 0,
+      label: "product gate status check active",
+      detail: missing.length ? `missing context: ${PRODUCT_GATE_CONTEXT2} \u2014 activate ${PRODUCT_RULESET_REF} as a repo ruleset` : void 0,
+      remediation: missing.length ? `Import ${PRODUCT_RULESET_REF} as an active repository ruleset (GitHub \u2192 Settings \u2192 Rules \u2192 Rulesets) \u2014 target: bootstrap --apply automation (#1440)` : void 0
+    });
+  }
+  const registryCi = meta?.ci;
+  const registryRequiredChecks = meta?.requiredChecks;
+  const workflowPaths = hasGateWorkflow && repoClass === "deployable" ? [PRODUCT_GATE_PATH] : [];
+  const { policy, reason } = resolveMergeCiPolicy({
+    workflowPaths,
+    registryCi,
+    registryRequiredChecks
+  });
+  if (repoClass === "content") {
+    const explicitNoCi = registryCi === "none" || registryRequiredChecks === null || Array.isArray(registryRequiredChecks) && registryRequiredChecks.length === 0;
+    checks.push({
+      ok: explicitNoCi,
+      label: "registry META declares intentional no-ci",
+      detail: explicitNoCi ? void 0 : "set ci:none and requiredChecks:[] in registry META",
+      remediation: `mmi-cli project set ${repo} --var ci=none --var requiredChecks=[]`
+    });
+  } else if (repoClass === "deployable") {
+    checks.push({
+      ok: policy === "wait-for-checks",
+      label: "merge CI policy is wait-for-checks",
+      detail: `${policy} (${reason})`
+    });
+  }
+  const ok = checks.every((c) => c.ok);
+  return { repo, class: repoClass, mergePolicy: policy, ok, checks };
+}
+async function auditOrgCi(deps, repoFilter) {
+  const projects = await deps.listProjects();
+  if (!projects) {
+    const single = repoFilter ?? HUB_REPO;
+    const report = await auditRepoCi(single, deps);
+    return { ok: report.ok, repos: [report] };
+  }
+  const targets = repoFilter ? [repoFilter] : collectRegistryRepos(projects);
+  const repos = [];
+  for (const repo of targets) {
+    repos.push(await auditRepoCi(repo, deps));
+  }
+  return { ok: repos.every((r) => r.ok), repos };
+}
+function renderCiAuditMarkdown(report) {
+  const lines = [
+    `# CI merge-readiness audit`,
+    "",
+    `Fleet: ${report.ok ? "OK" : "GAPS"} (${report.repos.filter((r) => r.ok).length}/${report.repos.length} repos ready)`,
+    "",
+    "| Repo | Class | Policy | OK | Top gap |",
+    "|------|-------|--------|----|---------|"
+  ];
+  for (const r of report.repos) {
+    const gap = r.checks.find((c) => !c.ok);
+    lines.push(`| ${r.repo} | ${r.class} | ${r.mergePolicy} | ${r.ok ? "yes" : "no"} | ${gap?.label ?? "\u2014"} |`);
+  }
+  return lines.join("\n");
+}
+function renderCiAuditText(report) {
+  const lines = [`mmi-cli ci audit: ${report.ok ? "OK" : "GAPS"} (${report.repos.length} repos)`];
+  for (const r of report.repos) {
+    lines.push(`
+${r.repo} (${r.class}, policy=${r.mergePolicy}) ${r.ok ? "OK" : "GAP"}`);
+    for (const c of r.checks) {
+      lines.push(`  ${c.ok ? "OK" : "FAIL"} ${c.label}${c.detail ? ` \u2014 ${c.detail}` : ""}`);
+    }
+  }
+  return lines.join("\n");
 }
-async function withTimeout2(promise, ms) {
-  let timer;
+async function applyCiReconcileMergeSettings(repo, deps) {
+  const report = await auditRepoCi(repo, deps);
+  const applied = [];
+  const skipped = [];
+  const errors = [];
+  const mergeChecks = report.checks.filter((c) => c.label.startsWith("allow_") || c.label.startsWith("delete_branch"));
+  const needsPatch = mergeChecks.some((c) => !c.ok);
+  if (!needsPatch) {
+    skipped.push("merge settings already canonical");
+    return { repo, applied, skipped, errors };
+  }
   try {
-    return await Promise.race([
-      promise,
-      new Promise((_, reject) => {
-        timer = setTimeout(() => reject(new Error("northstar context timeout")), ms);
-      })
-    ]);
-  } finally {
-    if (timer) clearTimeout(timer);
+    await deps.client.rest("PATCH", `repos/${repo}`, {
+      body: {
+        allow_auto_merge: true,
+        allow_squash_merge: true,
+        delete_branch_on_merge: true
+      }
+    });
+    applied.push("allow_auto_merge, allow_squash_merge, delete_branch_on_merge");
+  } catch (e) {
+    errors.push(e.message);
   }
+  return { repo, applied, skipped, errors };
 }
-async function runNorthstarContext(io, deps) {
+async function fetchRulesetSeedBody(deps, repo) {
   try {
-    const injected = await withTimeout2(
-      (async () => {
-        const plans = await deps.loadPlans();
-        if (!plans.length) return false;
-        const signals = await deps.gatherSignals();
-        const ranked = rankPlansByRelevance(plans, signals);
-        const block = buildNorthstarContextBlock(ranked, signals, deps.readLocal, {
-          anchorSlug: signals.anchorSlug
-        });
-        if (!block) return false;
-        io.log(block);
-        return true;
-      })(),
-      deps.timeoutMs ?? SESSION_START_NORTHSTAR_TIMEOUT_MS
+    const encodedPath = PRODUCT_RULESET_REF.split("/").map(encodeURIComponent).join("/");
+    const file = await deps.client.rest(
+      "GET",
+      `repos/${repo}/contents/${encodedPath}?ref=development`
     );
-    return injected;
+    if (file.encoding !== "base64" || typeof file.content !== "string") return null;
+    return Buffer.from(file.content, "base64").toString("utf8");
   } catch {
-    return false;
+    return null;
+  }
+}
+async function applyCiReconcileRepo(repo, deps) {
+  const merge = await applyCiReconcileMergeSettings(repo, deps);
+  const report = await auditRepoCi(repo, deps);
+  if (report.class !== "deployable") return merge;
+  const gateCheck = report.checks.find((c) => c.label === "product gate status check active");
+  if (gateCheck?.ok) {
+    merge.skipped.push("product ruleset already active");
+    return merge;
+  }
+  const raw = await fetchRulesetSeedBody(deps, repo);
+  if (!raw) {
+    merge.errors.push(`missing ${PRODUCT_RULESET_REF} on development \u2014 run bootstrap apply first`);
+    return merge;
+  }
+  try {
+    const body = stripRulesetComment(raw);
+    const activation = await activateProductRuleset(repo, body, deps.client);
+    if (activation.action === "skipped") merge.skipped.push(activation.detail ?? "product ruleset");
+    else merge.applied.push(`product ruleset ${activation.action}${activation.detail ? `: ${activation.detail}` : ""}`);
+  } catch (e) {
+    merge.errors.push(e.message);
+  }
+  return merge;
+}
+
+// src/pr-land.ts
+var PR_LAND_POLL_MS = 3e4;
+var PR_LAND_ENQUEUE_TIMEOUT_MS = 10 * 6e4;
+async function runPrLand(prNumber, options, deps) {
+  const repo = await deps.resolveRepo(prNumber, options.repo);
+  const base2 = { status: "failed", repo, pr: prNumber };
+  if (options.requireTrain !== false) {
+    const verdict = await deps.fetchTrainAuthority(repo);
+    if (!verdict.ok) {
+      return { ...base2, error: `train authority unavailable: ${verdict.error}` };
+    }
+    base2.train = { role: verdict.authority.role, train: verdict.authority.train };
+    if (!verdict.authority.train) {
+      return {
+        ...base2,
+        error: `@${verdict.authority.login ?? "caller"} is ${verdict.authority.role} \u2014 train not authorized on ${repo}; cannot land PR`
+      };
+    }
+  }
+  const ciPolicy = await deps.resolveCiPolicy(repo);
+  base2.ciPolicy = ciPolicy;
+  const checksWait = await deps.waitForChecks(prNumber, repo);
+  base2.checksWait = checksWait;
+  if (checksWait.status === "failure" || checksWait.status === "timeout") {
+    return {
+      ...base2,
+      error: `checks-wait ${checksWait.status}${checksWait.detail ? `: ${checksWait.detail}` : ""}`
+    };
+  }
+  const merge = await deps.mergeAuto(prNumber, repo);
+  base2.mergeStatus = merge.mergeStatus;
+  if (merge.mergeStatus === "failed") {
+    return { ...base2, error: merge.error ?? "merge failed" };
+  }
+  if (merge.mergeStatus === "merged") {
+    return { ...base2, status: "merged" };
+  }
+  const now = deps.now ?? (() => Date.now());
+  const merged = await deps.pollMerged(prNumber, repo, now() + PR_LAND_ENQUEUE_TIMEOUT_MS);
+  if (merged) {
+    return { ...base2, status: "auto-merge-enqueued-then-merged", mergeStatus: "merged" };
   }
+  return {
+    ...base2,
+    error: "auto-merge enqueued but PR did not reach MERGED within timeout \u2014 poll manually with gh pr view"
+  };
 }
 
 // src/index.ts
-var import_node_path14 = require("node:path");
 var import_node_os5 = require("node:os");
 
 // src/gh-create.ts
 var import_promises4 = require("node:fs/promises");
 var import_node_os3 = require("node:os");
-var import_node_path10 = require("node:path");
-var import_node_crypto5 = require("node:crypto");
+var import_node_path12 = require("node:path");
+var import_node_crypto6 = require("node:crypto");
 var ISSUE_TYPES = ["bug", "feature", "task"];
 var GH_MUTATION_TIMEOUT_MS = 12e4;
 function timeoutKillNote(err, timeoutMs) {
@@ -7324,7 +8518,7 @@ async function bodyArgsViaFile(args, deps = {}) {
   } };
   const write = deps.write ?? import_promises4.writeFile;
   const remove = deps.remove ?? import_promises4.unlink;
-  const file = (0, import_node_path10.join)(deps.dir ?? (0, import_node_os3.tmpdir)(), `mmi-gh-body-${process.pid}-${(0, import_node_crypto5.randomBytes)(4).toString("hex")}.md`);
+  const file = (0, import_node_path12.join)(deps.dir ?? (0, import_node_os3.tmpdir)(), `mmi-gh-body-${process.pid}-${(0, import_node_crypto6.randomBytes)(4).toString("hex")}.md`);
   await write(file, args[i + 1], "utf8");
   return {
     args: [...args.slice(0, i), "--body-file", file, ...args.slice(i + 2)],
@@ -7614,7 +8808,7 @@ function parentLinkFields(result, error) {
 }
 
 // src/report.ts
-var HUB_REPO = "mutmutco/MMI-Hub";
+var HUB_REPO2 = "mutmutco/MMI-Hub";
 var REPORT_LABEL = "report";
 function findDuplicateReport(source, openReports, threshold = 0.6) {
   const normalizedTitle = normalizeTitle(source.title);
@@ -7649,7 +8843,7 @@ ${buildReportBody(body, sourceRepo)}`;
 
 // src/skill-lesson.ts
 var SKILL_LESSON_LABEL = "skill-lesson";
-var SKILL_NAMES = ["bootstrap", "browser-automation", "build", "grind", "hotfix", "mmi", "rcand", "release", "secrets", "stage"];
+var SKILL_NAMES = ["bootstrap", "browser-automation", "build", "grind", "handoff", "hotfix", "mmi", "rcand", "release", "secrets", "stage"];
 function assertSkillName(name) {
   const match = SKILL_NAMES.find((skill) => skill === name);
   if (!match) throw new Error(`unknown skill "${name}" \u2014 expected one of: ${SKILL_NAMES.join(", ")}`);
@@ -8149,12 +9343,12 @@ function buildGcPlan(inputs) {
       skipped.push({ branch, reason: "current-branch" });
       continue;
     }
-    const worktree = worktrees.get(branch);
-    if (worktree?.dirty) {
-      skipped.push({ branch, reason: "dirty-worktree", detail: worktree.path });
+    const worktree2 = worktrees.get(branch);
+    if (worktree2?.dirty) {
+      skipped.push({ branch, reason: "dirty-worktree", detail: worktree2.path });
       continue;
     }
-    branches.push({ branch, prState: state.state, prNumbers: state.numbers, worktreePath: worktree?.path });
+    branches.push({ branch, prState: state.state, prNumbers: state.numbers, worktreePath: worktree2?.path });
   }
   const trackingRefs = [...new Set(inputs.staleTrackingRefs ?? [])].map((ref) => {
     const branch = branchForTrackingRef(ref, remote);
@@ -8298,6 +9492,28 @@ function selectSafeWorktreeCwd(worktrees, targetPath, options) {
   const exists = options?.pathExists ?? (() => true);
   return worktrees.find((w) => !samePath(w.path, targetPath) && exists(w.path))?.path;
 }
+function isPathUnderDirectory(childPath, parentPath) {
+  const child = normPath(childPath);
+  const parent = normPath(parentPath);
+  if (!child || !parent) return false;
+  if (child === parent) return true;
+  return child.startsWith(`${parent}/`);
+}
+function planReleaseCwdBeforeWorktreeRemoval(targetPath, safeCwd, currentCwd) {
+  if (!safeCwd || !isPathUnderDirectory(currentCwd, targetPath)) return void 0;
+  if (samePath(currentCwd, safeCwd)) return void 0;
+  return safeCwd;
+}
+function releaseCwdIfUnderWorktree(targetPath, safeCwd, options) {
+  const getCwd = options?.getCwd ?? (() => process.cwd());
+  const chdir = options?.chdir ?? ((path2) => {
+    process.chdir(path2);
+  });
+  const releaseTo = planReleaseCwdBeforeWorktreeRemoval(targetPath, safeCwd, getCwd());
+  if (!releaseTo) return false;
+  chdir(releaseTo);
+  return true;
+}
 function branchMissingFromList(branch, stdout) {
   const names = stdout.split(/\r?\n/).map((line) => line.replace(/^\*\s*/, "").trim()).filter(Boolean);
   return !names.includes(branch);
@@ -8350,6 +9566,10 @@ async function cleanupPrMergeLocalBranch(branch, options) {
         stageTeardown = { status: "failed", error: errorMessage(e) };
       }
     }
+    releaseCwdIfUnderWorktree(wtPath, safeCwd, {
+      getCwd: options.getCwd,
+      chdir: options.chdir
+    });
     const outcome = await removeWorktreeWithRecovery(wtPath, {
       git,
       sleep: options.sleep ?? defaultSleep,
@@ -8667,9 +9887,9 @@ function stalePosixFields(config, shell2) {
 }
 function sanitizeLocalStage(local, stale) {
   if (!stale.length) return local;
-  const clean3 = { ...local };
-  for (const field of stale) delete clean3[field];
-  return clean3;
+  const clean4 = { ...local };
+  for (const field of stale) delete clean4[field];
+  return clean4;
 }
 function staleNote(staleFields, outcome) {
   const list = staleFields.join(", ");
@@ -8715,9 +9935,9 @@ function decideStage(inputs) {
 
 // src/cursor-plugin-seed.ts
 var import_node_child_process7 = require("node:child_process");
-var import_node_fs11 = require("node:fs");
+var import_node_fs14 = require("node:fs");
 var import_node_os4 = require("node:os");
-var import_node_path11 = require("node:path");
+var import_node_path13 = require("node:path");
 var import_node_util6 = require("node:util");
 function isSemverVersion(v) {
   return typeof v === "string" && /^v?\d+\.\d+\.\d+/.test(v.trim());
@@ -8734,17 +9954,17 @@ function ghReleaseTarballApiArgs(tag) {
 }
 function cursorUserGlobalStatePath() {
   if (process.platform === "win32") {
-    const base2 = process.env.APPDATA || (0, import_node_path11.join)((0, import_node_os4.homedir)(), "AppData", "Roaming");
-    return (0, import_node_path11.join)(base2, "Cursor", "User", "globalStorage", "state.vscdb");
+    const base2 = process.env.APPDATA || (0, import_node_path13.join)((0, import_node_os4.homedir)(), "AppData", "Roaming");
+    return (0, import_node_path13.join)(base2, "Cursor", "User", "globalStorage", "state.vscdb");
   }
   if (process.platform === "darwin") {
-    return (0, import_node_path11.join)((0, import_node_os4.homedir)(), "Library", "Application Support", "Cursor", "User", "globalStorage", "state.vscdb");
+    return (0, import_node_path13.join)((0, import_node_os4.homedir)(), "Library", "Application Support", "Cursor", "User", "globalStorage", "state.vscdb");
   }
-  return (0, import_node_path11.join)((0, import_node_os4.homedir)(), ".config", "Cursor", "User", "globalStorage", "state.vscdb");
+  return (0, import_node_path13.join)((0, import_node_os4.homedir)(), ".config", "Cursor", "User", "globalStorage", "state.vscdb");
 }
 async function readCursorThirdPartyExtensibilityEnabled(execFileP5) {
   const dbPath = cursorUserGlobalStatePath();
-  if (!(0, import_node_fs11.existsSync)(dbPath)) return void 0;
+  if (!(0, import_node_fs14.existsSync)(dbPath)) return void 0;
   try {
     const { stdout } = await execFileP5("sqlite3", [dbPath, `SELECT value FROM ItemTable WHERE key = '${CURSOR_THIRD_PARTY_STATE_KEY}';`], {
       timeout: 5e3
@@ -8758,57 +9978,57 @@ async function readCursorThirdPartyExtensibilityEnabled(execFileP5) {
   }
 }
 function syncDirContents(src, dest) {
-  (0, import_node_fs11.mkdirSync)(dest, { recursive: true });
-  for (const name of (0, import_node_fs11.readdirSync)(dest)) {
-    (0, import_node_fs11.rmSync)((0, import_node_path11.join)(dest, name), { recursive: true, force: true });
+  (0, import_node_fs14.mkdirSync)(dest, { recursive: true });
+  for (const name of (0, import_node_fs14.readdirSync)(dest)) {
+    (0, import_node_fs14.rmSync)((0, import_node_path13.join)(dest, name), { recursive: true, force: true });
   }
-  (0, import_node_fs11.cpSync)(src, dest, { recursive: true });
+  (0, import_node_fs14.cpSync)(src, dest, { recursive: true });
 }
 function releaseTag(releasedVersion) {
   return releasedVersion.startsWith("v") ? releasedVersion : `v${releasedVersion}`;
 }
 async function extractPluginMmiFromHubCheckout(hubCheckout, tag, tmpRoot, execFileP5) {
-  const tarFile = (0, import_node_path11.join)(tmpRoot, "archive.tar");
+  const tarFile = (0, import_node_path13.join)(tmpRoot, "archive.tar");
   try {
     await execFileP5("git", gitFetchReleaseTagArgs(hubCheckout, tag), { timeout: 6e4 });
     await execFileP5("git", ["-C", hubCheckout, "archive", "--format=tar", `--output=${tarFile}`, tag, "plugins/mmi"], {
       timeout: 6e4
     });
     await execFileP5("tar", ["-xf", tarFile, "-C", tmpRoot], { timeout: 6e4 });
-    const pluginMmi = (0, import_node_path11.join)(tmpRoot, "plugins", "mmi");
-    return (0, import_node_fs11.existsSync)((0, import_node_path11.join)(pluginMmi, PLUGIN_JSON_REL)) ? pluginMmi : void 0;
+    const pluginMmi = (0, import_node_path13.join)(tmpRoot, "plugins", "mmi");
+    return (0, import_node_fs14.existsSync)((0, import_node_path13.join)(pluginMmi, PLUGIN_JSON_REL)) ? pluginMmi : void 0;
   } catch {
     return void 0;
   }
 }
 async function downloadPluginMmiViaGh(tag, tmpRoot) {
-  const tarPath = (0, import_node_path11.join)(tmpRoot, "repo.tgz");
+  const tarPath = (0, import_node_path13.join)(tmpRoot, "repo.tgz");
   try {
-    (0, import_node_fs11.mkdirSync)(tmpRoot, { recursive: true });
+    (0, import_node_fs14.mkdirSync)(tmpRoot, { recursive: true });
     const { stdout } = await execFileBuffer("gh", ghReleaseTarballApiArgs(tag), {
       timeout: 12e4,
       maxBuffer: 100 * 1024 * 1024,
       encoding: "buffer",
       windowsHide: true
     });
-    (0, import_node_fs11.writeFileSync)(tarPath, stdout);
+    (0, import_node_fs14.writeFileSync)(tarPath, stdout);
     await execFileBuffer("tar", ["-xzf", tarPath, "-C", tmpRoot], { timeout: 12e4, windowsHide: true });
-    const top = (0, import_node_fs11.readdirSync)(tmpRoot).find((entry) => entry !== "repo.tgz");
+    const top = (0, import_node_fs14.readdirSync)(tmpRoot).find((entry) => entry !== "repo.tgz");
     if (!top) return void 0;
-    const pluginMmi = (0, import_node_path11.join)(tmpRoot, top, "plugins", "mmi");
-    return (0, import_node_fs11.existsSync)((0, import_node_path11.join)(pluginMmi, PLUGIN_JSON_REL)) ? pluginMmi : void 0;
+    const pluginMmi = (0, import_node_path13.join)(tmpRoot, top, "plugins", "mmi");
+    return (0, import_node_fs14.existsSync)((0, import_node_path13.join)(pluginMmi, PLUGIN_JSON_REL)) ? pluginMmi : void 0;
   } catch {
     return void 0;
   }
 }
 async function resolvePluginMmiSource(releasedVersion, hubCheckout, tmpRoot, execFileP5) {
-  (0, import_node_fs11.mkdirSync)(tmpRoot, { recursive: true });
+  (0, import_node_fs14.mkdirSync)(tmpRoot, { recursive: true });
   const tag = releaseTag(releasedVersion);
   if (hubCheckout) {
     const fromHub = await extractPluginMmiFromHubCheckout(hubCheckout, tag, tmpRoot, execFileP5);
     if (fromHub) return fromHub;
   }
-  return downloadPluginMmiViaGh(tag, (0, import_node_path11.join)(tmpRoot, "gh"));
+  return downloadPluginMmiViaGh(tag, (0, import_node_path13.join)(tmpRoot, "gh"));
 }
 function cursorPluginPinsNeedingSeed(pins, releasedVersion) {
   if (!isSemverVersion(releasedVersion)) return pins.filter((pin) => !pin.hasPluginJson || !pin.hasHooksJson || pin.isEmpty);
@@ -8829,7 +10049,7 @@ async function applyCursorPluginCacheSeed(input) {
   for (const pin of pinsToSeed) {
     syncDirContents(source, pin.path);
   }
-  (0, import_node_fs11.rmSync)(tmpRoot, { recursive: true, force: true });
+  (0, import_node_fs14.rmSync)(tmpRoot, { recursive: true, force: true });
   return true;
 }
 
@@ -8877,8 +10097,12 @@ var MANAGED_GITIGNORE_LINES = [
   ".claude/worktrees/",
   ".mmi/.session",
   ".mmi/head-ts/",
-  // Recursive so any reuse of the parameterized queue engine in a new .mmi subdir (honcho today, others
-  // later) is ignored too — `**` matches zero dirs, so this still covers the root saga queue.
+  // Honcho's whole runtime dir — its ingest-throttle stamp (`last-skip.json`) is NOT a queue file, so the
+  // recursive patterns below miss it and it dirtied the working tree (blocked a release clean-tree check,
+  // #1472). The dir is pure scratch, so ignore it wholesale, like `.mmi/head-ts/`.
+  ".mmi/honcho/",
+  // Recursive so any reuse of the parameterized queue engine in a new .mmi subdir is ignored too —
+  // `**` matches zero dirs, so this still covers the root saga queue.
   ".mmi/**/saga-pending.jsonl*",
   ".mmi/**/saga-flush.lock",
   ".aws-sam/",
@@ -9092,6 +10316,12 @@ function cachePathJoin(root, ...parts) {
   const sep = root.includes("\\") ? "\\" : "/";
   return [root.replace(/[\\/]+$/, ""), ...parts].join(sep);
 }
+function cacheParentDir(root) {
+  const sep = root.includes("\\") ? "\\" : "/";
+  const trimmed = root.replace(/[\\/]+$/, "");
+  const idx = trimmed.lastIndexOf(sep);
+  return idx <= 0 ? root : trimmed.slice(0, idx);
+}
 function isProtectedCacheDir(name, protectedVersions) {
   const normalized = normalizeVersion(name);
   return name.startsWith(".") || normalized !== void 0 && protectedVersions.has(normalized);
@@ -9122,7 +10352,7 @@ function buildMmiPluginCacheCleanupCheck(input) {
     plannedCount: leftovers.length,
     quarantinePlan: leftovers.map((entry) => ({
       from: entry.path,
-      to: cachePathJoin(entry.root, ".mmi-quarantine", stamp, entry.name)
+      to: cachePathJoin(cacheParentDir(entry.root), ".mmi-quarantine", stamp, entry.name)
     }))
   };
 }
@@ -9183,6 +10413,12 @@ var CLAUDE_PLUGIN_HEAL_STEPS = [
   { args: ["plugin", "install", "mmi@mmi"], gated: true },
   { args: ["plugin", "enable", "mmi@mmi"], gated: false }
 ];
+var CODEX_PLUGIN_RECOVERY = "codex plugin marketplace remove mmi && codex plugin marketplace add mutmutco/MMI-Hub --ref main && codex plugin add mmi@mmi";
+var CODEX_PLUGIN_HEAL_STEPS = [
+  { args: ["plugin", "marketplace", "remove", "mmi"], gated: false },
+  { args: ["plugin", "marketplace", "add", "mutmutco/MMI-Hub", "--ref", "main"], gated: true },
+  { args: ["plugin", "add", "mmi@mmi"], gated: true }
+];
 function healStepAborts(step, ok) {
   return !ok && step.gated;
 }
@@ -9193,7 +10429,7 @@ function pluginRecoveryFix(surface) {
     case "claude-cli":
       return `${claude}   # then ${reloadAction(surface)} to reload MMI commands`;
     case "codex":
-      return "codex plugin marketplace upgrade mmi && codex plugin add mmi@mmi   # then restart Codex";
+      return `${CODEX_PLUGIN_RECOVERY}   # then ${reloadAction(surface)}`;
     case "cursor":
       return `in Cursor Dashboard \u2192 Settings \u2192 Plugins, click Update next to the MMI Team Marketplace; then ${reloadAction(surface)} to reload MMI skills + hooks`;
     case "shell":
@@ -9203,7 +10439,7 @@ function pluginRecoveryFix(surface) {
 }
 var PLUGIN_UPDATE_RECIPES = {
   claude: [CLAUDE_PLUGIN_RECOVERY],
-  codex: ["codex plugin marketplace upgrade mmi", "codex plugin list   # verify mmi@mmi shows the new version"],
+  codex: [CODEX_PLUGIN_RECOVERY, "codex plugin list   # verify mmi@mmi shows the released version"],
   cli: ["npm install -g @mutmutco/cli@latest"]
 };
 function highestSemver(versions) {
@@ -9257,7 +10493,7 @@ function isSemverVersion2(v) {
   return typeof v === "string" && /^v?\d+\.\d+\.\d+/.test(v.trim());
 }
 function staleRecordCommand(surface) {
-  return surface === "codex" ? "codex plugin marketplace upgrade mmi && codex plugin add mmi@mmi" : CLAUDE_PLUGIN_RECOVERY;
+  return surface === "codex" ? CODEX_PLUGIN_RECOVERY : CLAUDE_PLUGIN_RECOVERY;
 }
 function staleSurfacesFix(stale, releasedVersion) {
   const parts = stale.map((s) => {
@@ -9535,8 +10771,8 @@ async function runStageLiveDown(deps, t) {
 
 // src/stage-runner.ts
 var import_node_child_process8 = require("node:child_process");
-var import_node_fs12 = require("node:fs");
-var import_node_path12 = require("node:path");
+var import_node_fs15 = require("node:fs");
+var import_node_path14 = require("node:path");
 var import_node_net2 = require("node:net");
 var import_node_util7 = require("node:util");
 var execFileP4 = (0, import_node_util7.promisify)(import_node_child_process8.execFile);
@@ -9581,7 +10817,28 @@ function detectStaleEnvFile(exampleContent, targetContent, mtimes) {
   return void 0;
 }
 function stageStatePath(cwd = process.cwd()) {
-  return (0, import_node_path12.join)(cwd, "tmp", "stage", "state.json");
+  return (0, import_node_path14.join)(cwd, "tmp", "stage", "state.json");
+}
+function mergeEnvSecretsIntoFile(content, secrets2) {
+  const lines = content.split(/\r?\n/);
+  const indexByKey = /* @__PURE__ */ new Map();
+  for (let i = 0; i < lines.length; i++) {
+    const trimmed = lines[i].trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eq = trimmed.indexOf("=");
+    if (eq === -1) continue;
+    indexByKey.set(trimmed.slice(0, eq).trim(), i);
+  }
+  for (const [key, value] of Object.entries(secrets2)) {
+    const escaped = /[\s#"'\\]/.test(value) ? `"${value.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"` : value;
+    const line = `${key}=${escaped}`;
+    const idx = indexByKey.get(key);
+    if (idx != null) lines[idx] = line;
+    else lines.push(line);
+  }
+  const body = lines.join("\n");
+  return body.endsWith("\n") ? body : `${body}
+`;
 }
 var POSIX_ONLY_VERBS = ["cp", "mv", "rm", "ln", "cat", "touch", "chmod", "export"];
 function posixOnlyShellProblems(command, field, platform = process.platform) {
@@ -9643,9 +10900,9 @@ async function shell(command, cwd, timeoutMs) {
   });
 }
 function readState(path2) {
-  if (!(0, import_node_fs12.existsSync)(path2)) return null;
+  if (!(0, import_node_fs15.existsSync)(path2)) return null;
   try {
-    return JSON.parse((0, import_node_fs12.readFileSync)(path2, "utf8"));
+    return JSON.parse((0, import_node_fs15.readFileSync)(path2, "utf8"));
   } catch {
     return null;
   }
@@ -9697,7 +10954,7 @@ async function stopStage(opts = {}) {
     return { ok: true, action: "stop", statePath, message: "no previous stage state found" };
   }
   await killTree(state.pid);
-  (0, import_node_fs12.rmSync)(statePath, { force: true });
+  (0, import_node_fs15.rmSync)(statePath, { force: true });
   return { ok: true, action: "stop", statePath, pid: state.pid, message: `stopped previous stage pid ${state.pid}` };
 }
 async function startStage(config = {}, opts = {}) {
@@ -9706,7 +10963,7 @@ async function startStage(config = {}, opts = {}) {
   const cwd = opts.cwd ?? process.cwd();
   const statePath = opts.statePath ?? stageStatePath(cwd);
   const dir = statePath.slice(0, Math.max(statePath.lastIndexOf("/"), statePath.lastIndexOf("\\")));
-  (0, import_node_fs12.mkdirSync)(dir, { recursive: true });
+  (0, import_node_fs15.mkdirSync)(dir, { recursive: true });
   let stagePort;
   if (config.portRange) {
     const [s, e] = config.portRange;
@@ -9716,14 +10973,14 @@ async function startStage(config = {}, opts = {}) {
   }
   const sub = (s) => s != null && stagePort != null ? s.replace(/\$\{?STAGE_PORT\}?/g, String(stagePort)) : s;
   if (config.ensureEnv) {
-    const target = (0, import_node_path12.join)(cwd, config.ensureEnv.target);
-    const example = (0, import_node_path12.join)(cwd, config.ensureEnv.example);
-    if (!(0, import_node_fs12.existsSync)(target) && (0, import_node_fs12.existsSync)(example)) {
-      (0, import_node_fs12.copyFileSync)(example, target);
-    } else if ((0, import_node_fs12.existsSync)(target) && (0, import_node_fs12.existsSync)(example)) {
-      const stale = detectStaleEnvFile((0, import_node_fs12.readFileSync)(example, "utf8"), (0, import_node_fs12.readFileSync)(target, "utf8"), {
-        exampleMtimeMs: (0, import_node_fs12.statSync)(example).mtimeMs,
-        targetMtimeMs: (0, import_node_fs12.statSync)(target).mtimeMs
+    const target = (0, import_node_path14.join)(cwd, config.ensureEnv.target);
+    const example = (0, import_node_path14.join)(cwd, config.ensureEnv.example);
+    if (!(0, import_node_fs15.existsSync)(target) && (0, import_node_fs15.existsSync)(example)) {
+      (0, import_node_fs15.copyFileSync)(example, target);
+    } else if ((0, import_node_fs15.existsSync)(target) && (0, import_node_fs15.existsSync)(example)) {
+      const stale = detectStaleEnvFile((0, import_node_fs15.readFileSync)(example, "utf8"), (0, import_node_fs15.readFileSync)(target, "utf8"), {
+        exampleMtimeMs: (0, import_node_fs15.statSync)(example).mtimeMs,
+        targetMtimeMs: (0, import_node_fs15.statSync)(target).mtimeMs
       });
       if (stale) {
         const msg = `stale ${config.ensureEnv.target} (${stale}) \u2014 delete it or refresh from ${config.ensureEnv.example} before re-running /stage`;
@@ -9731,6 +10988,9 @@ async function startStage(config = {}, opts = {}) {
         console.error(`mmi-cli stage: ${msg} (allowed via --allow-stale-env)`);
       }
     }
+    if (opts.vaultEnvMerge && Object.keys(opts.vaultEnvMerge).length && (0, import_node_fs15.existsSync)(target)) {
+      (0, import_node_fs15.writeFileSync)(target, mergeEnvSecretsIntoFile((0, import_node_fs15.readFileSync)(target, "utf8"), opts.vaultEnvMerge), "utf8");
+    }
   }
   const extraEnv = {};
   for (const [k, v] of Object.entries(config.env ?? {})) extraEnv[k] = sub(v) ?? v;
@@ -9754,13 +11014,13 @@ async function startStage(config = {}, opts = {}) {
     healthUrl: sub(config.healthUrl?.trim()) || void 0,
     port: stagePort
   };
-  (0, import_node_fs12.writeFileSync)(statePath, JSON.stringify(state, null, 2), "utf8");
+  (0, import_node_fs15.writeFileSync)(statePath, JSON.stringify(state, null, 2), "utf8");
   try {
     if (state.healthUrl) await waitForHealth(state.healthUrl, opts.timeoutMs ?? 6e4, config.healthAnyStatus);
     else await waitForProcessStability(child);
   } catch (e) {
     await killTree(state.pid);
-    (0, import_node_fs12.rmSync)(statePath, { force: true });
+    (0, import_node_fs15.rmSync)(statePath, { force: true });
     throw e;
   }
   const result = { ok: true, action: "start", statePath, pid: state.pid, port: stagePort, message: `started stage pid ${state.pid}${stagePort != null ? ` on port ${stagePort}` : ""}` };
@@ -9876,7 +11136,7 @@ function resolveDeployModel2(meta, repo) {
   if (isDeployModel(m)) return m;
   return resolveDeployModel(meta, repo);
 }
-function clean(out) {
+function clean2(out) {
   return out.trim();
 }
 function requireValue(value, label) {
@@ -9927,11 +11187,11 @@ async function verifyPublishedRelease(deps, repo, tag, expectedTarget, expectedS
   if (release.targetCommitish !== expectedTarget) {
     throw new Error(`Release ${tag} targetCommitish is ${String(release.targetCommitish || "(missing)")}, expected ${expectedTarget}`);
   }
-  const tagSha = requireValue(clean(await deps.run("git", ["rev-parse", `${tag}^{commit}`])), "release tag sha");
+  const tagSha = requireValue(clean2(await deps.run("git", ["rev-parse", `${tag}^{commit}`])), "release tag sha");
   if (tagSha !== expectedSha) {
     throw new Error(`Release ${tag} tag points at ${tagSha}, expected ${expectedSha}`);
   }
-  const branchOut = clean(await deps.run("git", ["ls-remote", "origin", `refs/heads/${expectedTarget}`]));
+  const branchOut = clean2(await deps.run("git", ["ls-remote", "origin", `refs/heads/${expectedTarget}`]));
   const branchSha = requireValue(branchOut.split(/\s+/)[0] ?? "", `origin/${expectedTarget} sha`);
   if (branchSha !== expectedSha) {
     throw new Error(`origin/${expectedTarget} points at ${branchSha}, expected ${expectedSha}`);
@@ -9991,7 +11251,7 @@ function ensurePositiveCount(out, emptyMessage) {
   if (count <= 0) throw new Error(emptyMessage);
 }
 async function remoteBranchExists(deps, branch) {
-  const out = clean(await deps.run("git", ["ls-remote", "origin", `refs/heads/${branch}`]));
+  const out = clean2(await deps.run("git", ["ls-remote", "origin", `refs/heads/${branch}`]));
   return out.length > 0;
 }
 async function loadReleaseTrackBranchHints(deps) {
@@ -10003,10 +11263,10 @@ async function loadReleaseTrackBranchHints(deps) {
   return { hasDevelopmentBranch, hasMainBranch, hasRcBranch };
 }
 async function buildTrainApplyContext(deps) {
-  const repo = requireValue(clean(await deps.run("gh", ["repo", "view", "--json", "nameWithOwner", "--jq", ".nameWithOwner"])), "repo");
+  const repo = requireValue(clean2(await deps.run("gh", ["repo", "view", "--json", "nameWithOwner", "--jq", ".nameWithOwner"])), "repo");
   const [owner, name] = repo.split("/");
   if (!owner || !name) throw new Error(`repo must be owner/name, got ${repo}`);
-  const login = requireValue(clean(await deps.run("gh", ["api", "user", "--jq", ".login"])), "GitHub login");
+  const login = requireValue(clean2(await deps.run("gh", ["api", "user", "--jq", ".login"])), "GitHub login");
   const verdict = await deps.trainAuthority(repo);
   if (!verdict.ok) throw new Error(`${commandAuthorityLabel(owner)}: train authority could not be verified (${verdict.error})`);
   if (!verdict.train) {
@@ -10027,12 +11287,12 @@ async function requireCleanTree(deps) {
   if (status.trim()) throw new Error("working tree must be clean before train apply");
 }
 async function requireBranch(deps, branch) {
-  const current = clean(await deps.run("git", ["rev-parse", "--abbrev-ref", "HEAD"]));
+  const current = clean2(await deps.run("git", ["rev-parse", "--abbrev-ref", "HEAD"]));
   if (current !== branch) throw new Error(`must run from ${branch}, currently on ${current || "(unknown)"}`);
 }
-var HUB_REPO2 = "mutmutco/MMI-Hub";
+var HUB_REPO3 = "mutmutco/MMI-Hub";
 function isHubControlRepo(repo) {
-  return repo.toLowerCase() === HUB_REPO2.toLowerCase();
+  return repo.toLowerCase() === HUB_REPO3.toLowerCase();
 }
 function projectGetFailureText(e) {
   const err = e;
@@ -10092,7 +11352,7 @@ async function correlateDispatchedRun(deps, workflow, since) {
         "run",
         "list",
         "--repo",
-        HUB_REPO2,
+        HUB_REPO3,
         "--workflow",
         workflow,
         "--limit",
@@ -10126,7 +11386,7 @@ async function correlateWorkflowRun(deps, args) {
       "run",
       "list",
       "--repo",
-      HUB_REPO2,
+      HUB_REPO3,
       "--workflow",
       args.workflow,
       "--event",
@@ -10154,7 +11414,7 @@ async function correlateWorkflowRun(deps, args) {
 async function watchTenantRun(deps, runId) {
   if (runId == null) return "pending";
   try {
-    await deps.run("gh", ["run", "watch", String(runId), "--repo", HUB_REPO2, "--exit-status"]);
+    await deps.run("gh", ["run", "watch", String(runId), "--repo", HUB_REPO3, "--exit-status"]);
     return "success";
   } catch {
     return "failure";
@@ -10196,7 +11456,7 @@ async function discoverRequiredCheckContexts(deps, ctx, branch) {
   return [...contexts];
 }
 async function findOpenAlignmentPr(deps, ctx) {
-  const out = clean(await deps.run("gh", ["pr", "list", "--repo", ctx.repo, "--base", "development", "--head", "main", "--state", "open", "--json", "number,url"]));
+  const out = clean2(await deps.run("gh", ["pr", "list", "--repo", ctx.repo, "--base", "development", "--head", "main", "--state", "open", "--json", "number,url"]));
   if (!out) return void 0;
   const rows = JSON.parse(out);
   const row = rows.find((r) => typeof r.number === "number" && typeof r.url === "string");
@@ -10224,14 +11484,14 @@ async function rollDevelopmentForward(deps, ctx, tag) {
       note: `alignment PR already open: ${existing.url} \u2014 land it with \`gh pr merge ${existing.number} --merge\``
     };
   }
-  const ahead = clean(await deps.run("git", ["rev-list", "--count", "origin/development..main"]));
+  const ahead = clean2(await deps.run("git", ["rev-list", "--count", "origin/development..main"]));
   if (ahead === "0") {
     return { status: "aligned", note: "development already contains the released main; nothing to roll forward" };
   }
   const body = `Carries the ${tag} release (including the version fold) from \`main\` back to \`development\`.
 
 \`development\` requires status checks, so the release train opens this alignment PR instead of a direct push of the un-checked merge commit (#1143). Land it with a **true merge** (\`gh pr merge --merge\`, not squash) so the merge parentage survives and the misalignment guard stays satisfied.`;
-  const url = clean(await deps.run("gh", ["pr", "create", "--repo", ctx.repo, "--base", "development", "--head", "main", "--title", `chore(release): align development to ${tag}`, "--body", body]));
+  const url = clean2(await deps.run("gh", ["pr", "create", "--repo", ctx.repo, "--base", "development", "--head", "main", "--title", `chore(release): align development to ${tag}`, "--body", body]));
   const number = parsePrNumber(url);
   return {
     status: "pr-pending",
@@ -10297,10 +11557,10 @@ async function waitForRequiredTrainChecks(deps, ctx, sha, required) {
 }
 async function ensureTagPushed(deps, tag, sha) {
   const remoteOut = await deps.run("git", ["ls-remote", "origin", `refs/tags/${tag}`]);
-  const remoteSha = clean(remoteOut).split(/\s+/)[0] || "";
+  const remoteSha = clean2(remoteOut).split(/\s+/)[0] || "";
   let localSha = "";
   try {
-    localSha = clean(await deps.run("git", ["rev-parse", "--verify", `refs/tags/${tag}^{commit}`]));
+    localSha = clean2(await deps.run("git", ["rev-parse", "--verify", `refs/tags/${tag}^{commit}`]));
   } catch {
   }
   if (remoteSha) {
@@ -10323,7 +11583,7 @@ async function ensureTagPushed(deps, tag, sha) {
 }
 async function resolveRcResumeTag(deps, base2, sha) {
   const out = await deps.run("git", ["ls-remote", "--tags", "origin", `refs/tags/${base2}-rc.*`]);
-  const onSha = clean(out).split("\n").map((line) => line.trim()).filter(Boolean).map((line) => line.split(/\s+/)).filter(([refSha]) => refSha === sha).map(([, ref]) => ref.replace(/^refs\/tags\//, "").replace(/\^\{\}$/, "")).filter((ref) => new RegExp(`^${base2.replace(/\./g, "\\.")}-rc\\.\\d+$`).test(ref));
+  const onSha = clean2(out).split("\n").map((line) => line.trim()).filter(Boolean).map((line) => line.split(/\s+/)).filter(([refSha]) => refSha === sha).map(([, ref]) => ref.replace(/^refs\/tags\//, "").replace(/\^\{\}$/, "")).filter((ref) => new RegExp(`^${base2.replace(/\./g, "\\.")}-rc\\.\\d+$`).test(ref));
   const unique = [...new Set(onSha)];
   if (unique.length === 0) return { tag: null };
   const rcNum = (t) => Number.parseInt(t.replace(/^.*-rc\./, ""), 10);
@@ -10375,7 +11635,7 @@ async function dispatchDeploy(deps, ctx, stage2, ref, model, watch, autoRunSince
       "run",
       "tenant-publish.yml",
       "--repo",
-      HUB_REPO2,
+      HUB_REPO3,
       "-f",
       `slug=${ctx.slug}`,
       "-f",
@@ -10448,13 +11708,13 @@ async function runTrainApply(command, deps, options = {}) {
       "nothing to promote: origin/development is not ahead of origin/rc"
     );
     const deployModel2 = await preflight(deps, ctx, "rc", meta);
-    const releaseBase = requireValue(clean(await deps.run("node", ["scripts/next-version.mjs", "cycle"])), "release base");
+    const releaseBase = requireValue(clean2(await deps.run("node", ["scripts/next-version.mjs", "cycle"])), "release base");
     await deps.run("git", ["checkout", "rc"]);
     await ffOnlyPull(deps, "rc");
     await deps.run("git", ["merge", "development", "--no-edit"]);
-    const rcSha = requireValue(clean(await deps.run("git", ["rev-parse", "rc"])), "rc sha");
+    const rcSha = requireValue(clean2(await deps.run("git", ["rev-parse", "rc"])), "rc sha");
     const resume = await resolveRcResumeTag(deps, releaseBase, rcSha);
-    const tag2 = resume.tag ?? requireValue(clean(await deps.run("node", ["scripts/next-version.mjs", "rc"])), "rc tag");
+    const tag2 = resume.tag ?? requireValue(clean2(await deps.run("node", ["scripts/next-version.mjs", "rc"])), "rc tag");
     const resumeNote = resume.tag ? resume.note : void 0;
     await ensureTagPushed(deps, tag2, rcSha);
     const requiredChecks2 = await discoverRequiredCheckContexts(deps, ctx, "rc");
@@ -10472,7 +11732,7 @@ async function runTrainApply(command, deps, options = {}) {
       "nothing to release: origin/development is not ahead of origin/main"
     );
     const deployModel2 = await preflight(deps, ctx, "main", meta);
-    const tag2 = requireValue(clean(await deps.run("node", ["scripts/next-version.mjs", "cycle"])), "release tag");
+    const tag2 = requireValue(clean2(await deps.run("node", ["scripts/next-version.mjs", "cycle"])), "release tag");
     const foldPaths2 = await resolveFoldPaths(deps, deployModel2);
     const tolerated2 = [...foldPaths2, ...RELEASE_TOLERATED_PATHS];
     const predicted2 = await predictMergeConflicts(deps, "origin/main", "origin/development");
@@ -10490,12 +11750,12 @@ async function runTrainApply(command, deps, options = {}) {
       await mergeWithSpineResolution(deps, "development", "development -> main", "theirs", tolerated2);
     }
     const versionFold2 = await foldReleaseVersion(deps, deployModel2, tag2, foldPaths2);
-    const releaseSha2 = requireValue(clean(await deps.run("git", ["rev-parse", "main"])), "release sha");
+    const releaseSha2 = requireValue(clean2(await deps.run("git", ["rev-parse", "main"])), "release sha");
     await ensureTagPushed(deps, tag2, releaseSha2);
     const requiredChecks2 = await discoverRequiredCheckContexts(deps, ctx, "main");
     const checks2 = await waitForRequiredTrainChecks(deps, ctx, releaseSha2, requiredChecks2);
     await deps.run("git", ["push", "origin", "main"]);
-    const releaseUrl2 = clean(await deps.run("gh", ["release", "create", tag2, "--target", "main", "--generate-notes", "--latest", "--repo", ctx.repo])) || void 0;
+    const releaseUrl2 = clean2(await deps.run("gh", ["release", "create", tag2, "--target", "main", "--generate-notes", "--latest", "--repo", ctx.repo])) || void 0;
     await verifyPublishedRelease(deps, ctx.repo, tag2, "main", releaseSha2);
     const announceNote2 = deps.announce ? (await deps.announce({ repo: ctx.repo, tag: tag2, summaryFile: options.announceSummaryFile })).note : void 0;
     const autoRunSince2 = (deps.now ?? Date.now)();
@@ -10544,8 +11804,8 @@ async function runTrainApply(command, deps, options = {}) {
       "nothing to release: origin/development is not ahead of origin/main"
     );
     const deployModel2 = await preflight(deps, ctx, "main", meta);
-    const tag2 = requireValue(clean(await deps.run("node", ["scripts/next-version.mjs", "cycle"])), "release tag");
-    const rcShaAtRelease = hasRcBranch ? clean(await deps.run("git", ["rev-parse", "origin/rc"])) : "";
+    const tag2 = requireValue(clean2(await deps.run("node", ["scripts/next-version.mjs", "cycle"])), "release tag");
+    const rcShaAtRelease = hasRcBranch ? clean2(await deps.run("git", ["rev-parse", "origin/rc"])) : "";
     const foldPaths2 = await resolveFoldPaths(deps, deployModel2);
     const tolerated2 = [...foldPaths2, ...RELEASE_TOLERATED_PATHS];
     const predicted2 = await predictMergeConflicts(deps, "origin/main", "origin/development");
@@ -10563,12 +11823,12 @@ async function runTrainApply(command, deps, options = {}) {
       await mergeWithSpineResolution(deps, "development", "development -> main", "theirs", tolerated2);
     }
     const versionFold2 = await foldReleaseVersion(deps, deployModel2, tag2, foldPaths2);
-    const releaseSha2 = requireValue(clean(await deps.run("git", ["rev-parse", "main"])), "release sha");
+    const releaseSha2 = requireValue(clean2(await deps.run("git", ["rev-parse", "main"])), "release sha");
     await ensureTagPushed(deps, tag2, releaseSha2);
     const requiredChecks2 = await discoverRequiredCheckContexts(deps, ctx, "main");
     const checks2 = await waitForRequiredTrainChecks(deps, ctx, releaseSha2, requiredChecks2);
     await deps.run("git", ["push", "origin", "main"]);
-    const releaseUrl2 = clean(await deps.run("gh", ["release", "create", tag2, "--target", "main", "--generate-notes", "--latest", "--repo", ctx.repo])) || void 0;
+    const releaseUrl2 = clean2(await deps.run("gh", ["release", "create", tag2, "--target", "main", "--generate-notes", "--latest", "--repo", ctx.repo])) || void 0;
     await verifyPublishedRelease(deps, ctx.repo, tag2, "main", releaseSha2);
     const announceNote2 = deps.announce ? (await deps.announce({ repo: ctx.repo, tag: tag2, summaryFile: options.announceSummaryFile })).note : void 0;
     const autoRunSince2 = (deps.now ?? Date.now)();
@@ -10635,7 +11895,7 @@ async function runTrainApply(command, deps, options = {}) {
       `hotfix-coverage: ${coverage.uncovered.length} main-only commit(s) not proven in origin/rc \u2014 the candidate would revert a prod hotfix: ${list}. Re-cut /rcand from development, or have the authorized human verify the content is in the candidate and rerun release with --ack <sha>[,<sha>\u2026].`
     );
   }
-  const releasedRcSha = clean(await deps.run("git", ["rev-parse", "origin/rc"]));
+  const releasedRcSha = clean2(await deps.run("git", ["rev-parse", "origin/rc"]));
   await deps.run("git", ["checkout", "main"]);
   await ffOnlyPull(deps, "main");
   if (predicted.length === 0) {
@@ -10643,15 +11903,15 @@ async function runTrainApply(command, deps, options = {}) {
   } else {
     await mergeWithSpineResolution(deps, "rc", "rc -> main", "theirs", tolerated);
   }
-  const tag = requireValue(clean(await deps.run("node", ["scripts/next-version.mjs", "release"])), "release tag");
+  const tag = requireValue(clean2(await deps.run("node", ["scripts/next-version.mjs", "release"])), "release tag");
   const versionFold = await foldReleaseVersion(deps, deployModel, tag, foldPaths);
-  const releaseSha = requireValue(clean(await deps.run("git", ["rev-parse", "main"])), "release sha");
+  const releaseSha = requireValue(clean2(await deps.run("git", ["rev-parse", "main"])), "release sha");
   await ensureTagPushed(deps, tag, releaseSha);
   const requiredChecks = await discoverRequiredCheckContexts(deps, ctx, "main");
   const checks = await waitForRequiredTrainChecks(deps, ctx, releaseSha, requiredChecks);
   await deps.run("git", ["push", "origin", "main"]);
   const autoRunSince = (deps.now ?? Date.now)();
-  const releaseUrl = clean(await deps.run("gh", ["release", "create", tag, "--target", "main", "--generate-notes", "--latest", "--repo", ctx.repo])) || void 0;
+  const releaseUrl = clean2(await deps.run("gh", ["release", "create", tag, "--target", "main", "--generate-notes", "--latest", "--repo", ctx.repo])) || void 0;
   await verifyPublishedRelease(deps, ctx.repo, tag, "main", releaseSha);
   const announceNote = deps.announce ? (await deps.announce({ repo: ctx.repo, tag, summaryFile: options.announceSummaryFile })).note : void 0;
   const d = await dispatchDeploy(deps, ctx, "main", "main", deployModel, watch, autoRunSince, releaseSha, "report");
@@ -10779,7 +12039,7 @@ async function retireRcRuntime(deps, ctx, model, deployStatus, releasedRcSha) {
   }
   try {
     await deps.run("git", ["fetch", "origin", "rc"]);
-    const rcNow = clean(await deps.run("git", ["rev-parse", "origin/rc"]));
+    const rcNow = clean2(await deps.run("git", ["rev-parse", "origin/rc"]));
     if (rcNow !== releasedRcSha) {
       return {
         status: "skipped",
@@ -10811,7 +12071,7 @@ async function runTenantRedeploy(deps, options) {
   const repo = options.repo;
   const [owner, name] = repo.split("/");
   if (!owner || !name) throw new Error(`repo must be owner/name, got ${repo}`);
-  const login = requireValue(clean(await deps.run("gh", ["api", "user", "--jq", ".login"])), "GitHub login");
+  const login = requireValue(clean2(await deps.run("gh", ["api", "user", "--jq", ".login"])), "GitHub login");
   const verdict = await deps.trainAuthority(repo);
   if (!verdict.ok) throw new Error(`${commandAuthorityLabel(owner)}: train authority could not be verified (${verdict.error})`);
   if (!verdict.train) throw new Error(`${commandAuthorityLabel(owner)}: @${login} is ${verdict.role} \u2014 no train authority on ${repo}`);
@@ -10967,7 +12227,7 @@ var HOTFIX_RUN_FIND_ATTEMPTS = 10;
 var HOTFIX_RUN_FIND_DELAY_MS = 15e3;
 var HOTFIX_VERIFY_ATTEMPTS = 5;
 var HOTFIX_VERIFY_RETRY_MS = 6e3;
-function clean2(out) {
+function clean3(out) {
   return out.trim();
 }
 function sleeper(deps) {
@@ -11025,7 +12285,7 @@ async function resolveHotfixSource(deps, ctx, from) {
     if (!sha2) throw new Error(`PR #${num} has no merge commit recorded \u2014 name the commit SHA explicitly`);
     return { sha: sha2, label: `PR #${num} (${sha2.slice(0, 7)})` };
   }
-  const sha = clean2(await deps.run("git", ["rev-parse", "--verify", `${from}^{commit}`]));
+  const sha = clean3(await deps.run("git", ["rev-parse", "--verify", `${from}^{commit}`]));
   if (!sha) throw new Error(`could not resolve commit ${from}`);
   return { sha, label: sha.slice(0, 7) };
 }
@@ -11053,7 +12313,7 @@ async function runHotfixStart(deps, options) {
     };
   }
   const { sha, label } = await resolveHotfixSource(deps, ctx, options.from);
-  const remoteBranch = clean2(await deps.run("git", ["ls-remote", "origin", `refs/heads/${branch}`]));
+  const remoteBranch = clean3(await deps.run("git", ["ls-remote", "origin", `refs/heads/${branch}`]));
   if (remoteBranch) {
     await deps.run("git", ["checkout", branch]);
     const isRulesSource2 = deps.isRulesSource ? await deps.isRulesSource() : false;
@@ -11086,7 +12346,7 @@ async function runHotfixStart(deps, options) {
     await deps.run("git", ["push", "-u", "origin", branch]);
   }
   const bumpNote = deployModel === "hub-serverless" ? " with the locked distribution bump" : "";
-  const prUrl = clean2(await deps.run("gh", [
+  const prUrl = clean3(await deps.run("gh", [
     "pr",
     "create",
     "--repo",
@@ -11206,7 +12466,7 @@ async function runHotfixRelease(deps, versionInput, options = {}) {
   }
   let verifyNote;
   if (deployModel === "hub-serverless") {
-    const previousRef = clean2(await deps.run("git", ["rev-parse", "--abbrev-ref", "HEAD"]));
+    const previousRef = clean3(await deps.run("git", ["rev-parse", "--abbrev-ref", "HEAD"]));
     const publishSucceeded = runs.find((r) => r.workflow === "publish.yml")?.conclusion === "success";
     try {
       await deps.run("git", ["-c", "advice.detachedHead=false", "checkout", tag]);
@@ -11291,9 +12551,9 @@ async function runHotfixStatus(deps, versionInput) {
   return { ...ctx, command: "hotfix-status", ...facts, ...deriveHotfixState(facts) };
 }
 async function gatherHotfixFacts(deps, ctx, tag, version) {
-  const branchExists = Boolean(clean2(await deps.run("git", ["ls-remote", "origin", `refs/heads/${hotfixBranch(tag)}`])));
+  const branchExists = Boolean(clean3(await deps.run("git", ["ls-remote", "origin", `refs/heads/${hotfixBranch(tag)}`])));
   const pr2 = await findHotfixPr(deps, ctx, tag);
-  const remoteTag = clean2(await deps.run("git", ["ls-remote", "origin", `refs/tags/${tag}`]));
+  const remoteTag = clean3(await deps.run("git", ["ls-remote", "origin", `refs/tags/${tag}`]));
   const tagPushed = Boolean(remoteTag);
   const tagSha = remoteTag.split(/\s+/)[0] || "";
   let releaseExists = false;
@@ -11327,7 +12587,7 @@ async function gatherHotfixFacts(deps, ctx, tag, version) {
       }
     }
   }
-  const npmVersion = await deps.run("npm", ["view", "@mutmutco/cli", "version", "--silent"]).then(clean2, () => "unknown");
+  const npmVersion = await deps.run("npm", ["view", "@mutmutco/cli", "version", "--silent"]).then(clean3, () => "unknown");
   return { tag, version, branchExists, pr: pr2 ? { number: pr2.number, state: pr2.state, url: pr2.url } : null, tagPushed, releaseExists, runs, npmVersion };
 }
 async function findInFlightHotfixVersion(deps, ctx) {
@@ -11350,7 +12610,7 @@ async function findInFlightHotfixVersion(deps, ctx) {
     const m = typeof row.headRefName === "string" && /^hotfix\/(v\d+\.\d+\.\d+)/.exec(row.headRefName);
     if (m) tags.add(m[1]);
   }
-  const branchOut = clean2(await deps.run("git", ["ls-remote", "origin", "refs/heads/hotfix/v*"]));
+  const branchOut = clean3(await deps.run("git", ["ls-remote", "origin", "refs/heads/hotfix/v*"]));
   for (const line of branchOut.split("\n").filter(Boolean)) {
     const ref = line.split(/\s+/)[1] ?? "";
     const m = /^refs\/heads\/hotfix\/(v\d+\.\d+\.\d+)/.exec(ref);
@@ -11499,7 +12759,7 @@ async function announceRelease(deps, args) {
 }
 
 // src/port-registry.ts
-var import_node_fs13 = require("node:fs");
+var import_node_fs16 = require("node:fs");
 
 // ../infra/port-geometry.mjs
 var PORT_BLOCK = 100;
@@ -11513,8 +12773,8 @@ function nextPortBlock(registry2) {
   return [base2, base2 + PORT_SPAN];
 }
 function loadPortRegistry(path2) {
-  if (!(0, import_node_fs13.existsSync)(path2)) return {};
-  const raw = JSON.parse((0, import_node_fs13.readFileSync)(path2, "utf8"));
+  if (!(0, import_node_fs16.existsSync)(path2)) return {};
+  const raw = JSON.parse((0, import_node_fs16.readFileSync)(path2, "utf8"));
   const out = {};
   for (const [key, value] of Object.entries(raw)) {
     if (Array.isArray(value) && value.length === 2 && value.every((n) => typeof n === "number")) {
@@ -11528,9 +12788,9 @@ function ensurePortRange(repo, path2) {
   const existing = registry2[repo];
   if (existing) return existing;
   const range = nextPortBlock(registry2);
-  const raw = (0, import_node_fs13.existsSync)(path2) ? JSON.parse((0, import_node_fs13.readFileSync)(path2, "utf8")) : {};
+  const raw = (0, import_node_fs16.existsSync)(path2) ? JSON.parse((0, import_node_fs16.readFileSync)(path2, "utf8")) : {};
   raw[repo] = range;
-  (0, import_node_fs13.writeFileSync)(path2, JSON.stringify(raw, null, 2) + "\n", "utf8");
+  (0, import_node_fs16.writeFileSync)(path2, JSON.stringify(raw, null, 2) + "\n", "utf8");
   return range;
 }
 function portCursorSeed(registry2) {
@@ -11582,7 +12842,7 @@ function safeJson(text, fallback) {
     return fallback;
   }
 }
-async function restJson(deps, path2, fallback) {
+async function restJson2(deps, path2, fallback) {
   try {
     return await deps.client.rest("GET", path2) ?? fallback;
   } catch {
@@ -11709,7 +12969,7 @@ async function auditRepoAccess(repo, repoClass, owners, deps, projectAdmins = /*
   return { repo, class: repoClass, ok: !findings.some((f) => f.severity === "high"), findings };
 }
 async function auditOrgBasePermission(deps) {
-  const org = await restJson(deps, `orgs/${OWNER2}`, {});
+  const org = await restJson2(deps, `orgs/${OWNER2}`, {});
   const perm = org.default_repository_permission;
   if (perm && perm !== "read" && perm !== "none") {
     return [{
@@ -11818,8 +13078,8 @@ var requiredIssueTemplates = [
 var requiredWorkflows = [];
 var requiredProductWorkflows = [".github/workflows/gate.yml"];
 var requiredProductRulesetRef = ".github/rulesets/mmi-product-required-checks.json";
-var HUB_REPO3 = "mutmutco/MMI-Hub";
-var requiredLabels = ["bug", "feature", "task", "priority:urgent", "priority:high", "priority:medium", "priority:low"];
+var HUB_REPO4 = "mutmutco/MMI-Hub";
+var requiredLabels = ["bug", "feature", "task"];
 var requiredPriorityOptions = ["Urgent", "High", "Medium", "Low"];
 var strayDefaultLabels = ["documentation", "duplicate", "enhancement", "good first issue", "help wanted", "invalid", "question", "wontfix"];
 var requiredStatusOptions = ["Todo", "In Progress", "In Review", "Done"];
@@ -11858,7 +13118,7 @@ function safeJson2(text, fallback) {
     return fallback;
   }
 }
-async function restJson2(deps, path2, fallback) {
+async function restJson3(deps, path2, fallback) {
   try {
     return await deps.client.rest("GET", path2) ?? fallback;
   } catch {
@@ -11872,7 +13132,7 @@ async function restPagedJson2(deps, path2, fallback) {
     return fallback;
   }
 }
-async function contentExists(deps, repo, branch, path2) {
+async function contentExists2(deps, repo, branch, path2) {
   try {
     const encodedPath = path2.split("/").map(encodeURIComponent).join("/");
     await deps.client.rest("GET", `repos/${repo}/contents/${encodedPath}?ref=${encodeURIComponent(branch)}`);
@@ -11917,17 +13177,17 @@ function missingRuleTypes(ruleset, required) {
   const types = new Set((ruleset.rules || []).map((rule) => rule.type).filter(Boolean));
   return required.filter((type) => !types.has(type));
 }
-function rulesetStatusChecks(rulesets) {
+function rulesetStatusChecks2(rulesets) {
   return new Set(rulesets.flatMap((ruleset) => (ruleset.rules || []).filter((rule) => rule.type === "required_status_checks").flatMap((rule) => rule.parameters?.required_status_checks || []).map((check) => check.context).filter((context) => Boolean(context))));
 }
-async function rulesetDetails(deps, repo, list) {
+async function rulesetDetails2(deps, repo, list) {
   const details = [];
   for (const ruleset of list) {
     if (ruleset.id == null || ruleset.rules != null) {
       details.push(ruleset);
       continue;
     }
-    details.push(await restJson2(deps, `repos/${repo}/rulesets/${ruleset.id}`, ruleset));
+    details.push(await restJson3(deps, `repos/${repo}/rulesets/${ruleset.id}`, ruleset));
   }
   return details;
 }
@@ -11946,7 +13206,7 @@ async function verifyBootstrap(repo, repoClass, deps, releaseTrack) {
   const branchesWanted = expectedBranches(repoClass, releaseTrack);
   const baseBranch = releaseTrack === "trunk" || repoClass === "content" ? "main" : "development";
   const checks = [];
-  const repoInfo = await restJson2(deps, `repos/${repo}`, {});
+  const repoInfo = await restJson3(deps, `repos/${repo}`, {});
   checks.push({ ok: Boolean(repoInfo.default_branch), label: "repo exists" });
   checks.push({ ok: repoInfo.default_branch === baseBranch, label: `default branch is ${baseBranch}`, detail: repoInfo.default_branch || "missing" });
   checks.push({ ok: repoInfo.has_wiki === true, label: "wiki enabled", detail: repoInfo.has_wiki === true ? void 0 : "has_wiki is false or unavailable" });
@@ -11976,29 +13236,29 @@ async function verifyBootstrap(repo, repoClass, deps, releaseTrack) {
     detail: overgrants.length ? `over-granted: ${overgrants.map((f) => f.actor).join(", ")}` : void 0
   });
   for (const path2 of requiredDocs) {
-    checks.push({ ok: await contentExists(deps, repo, baseBranch, path2), label: `bootstrap artifact exists: ${path2}` });
+    checks.push({ ok: await contentExists2(deps, repo, baseBranch, path2), label: `bootstrap artifact exists: ${path2}` });
   }
   for (const path2 of requiredIssueTemplates) {
-    checks.push({ ok: await contentExists(deps, repo, baseBranch, path2), label: `issue template exists: ${path2}` });
+    checks.push({ ok: await contentExists2(deps, repo, baseBranch, path2), label: `issue template exists: ${path2}` });
   }
   for (const path2 of requiredWorkflows) {
-    checks.push({ ok: await contentExists(deps, repo, baseBranch, path2), label: `automation workflow exists: ${path2}` });
+    checks.push({ ok: await contentExists2(deps, repo, baseBranch, path2), label: `automation workflow exists: ${path2}` });
   }
-  if (repo !== HUB_REPO3) {
+  if (repo !== HUB_REPO4 && repoClass === "deployable") {
     for (const path2 of requiredProductWorkflows) {
-      checks.push({ ok: await contentExists(deps, repo, baseBranch, path2), label: `gate workflow exists: ${path2}` });
+      checks.push({ ok: await contentExists2(deps, repo, baseBranch, path2), label: `gate workflow exists: ${path2}` });
     }
     checks.push({
-      ok: await contentExists(deps, repo, baseBranch, requiredProductRulesetRef),
+      ok: await contentExists2(deps, repo, baseBranch, requiredProductRulesetRef),
       label: "product required-check ruleset reference exists",
       detail: `expected: ${requiredProductRulesetRef} (apply as an active repo ruleset after bootstrap)`
     });
   }
   if (repoClass === "deployable") {
     const trainScript = "scripts/next-version.mjs";
-    checks.push({ ok: await contentExists(deps, repo, baseBranch, trainScript), label: `train tooling script exists: ${trainScript}` });
+    checks.push({ ok: await contentExists2(deps, repo, baseBranch, trainScript), label: `train tooling script exists: ${trainScript}` });
   }
-  checks.push({ ok: await contentExists(deps, repo, baseBranch, ".cursor/environment.json"), label: "Cursor environment committed" });
+  checks.push({ ok: await contentExists2(deps, repo, baseBranch, ".cursor/environment.json"), label: "Cursor environment committed" });
   const readme = await contentText(deps, repo, baseBranch, "README.md");
   checks.push({
     ok: readme !== null && readme.includes("## Agent context"),
@@ -12006,7 +13266,7 @@ async function verifyBootstrap(repo, repoClass, deps, releaseTrack) {
     detail: readme === null ? "README.md not readable via API" : void 0
   });
   const agentRulesPath = `.cursor/rules/${repoSlugFromFullName(repo)}.mdc`;
-  const agentRulesOk = await contentExists(deps, repo, baseBranch, agentRulesPath);
+  const agentRulesOk = await contentExists2(deps, repo, baseBranch, agentRulesPath);
   checks.push({
     ok: agentRulesOk,
     label: "Cursor agent rules file exists",
@@ -12019,7 +13279,7 @@ async function verifyBootstrap(repo, repoClass, deps, releaseTrack) {
   }
   const strays = strayDefaultLabels.filter((l) => labelNames.has(l));
   checks.push({ ok: strays.length === 0, label: "no stray GitHub-default labels", detail: presentDetail(strays) });
-  const actions = await restJson2(deps, `repos/${repo}/actions/permissions`, {});
+  const actions = await restJson3(deps, `repos/${repo}/actions/permissions`, {});
   checks.push({ ok: actions.enabled === true, label: "GitHub Actions enabled" });
   const config = deps.projectMeta ?? null;
   checks.push({
@@ -12124,8 +13384,8 @@ async function verifyBootstrap(repo, repoClass, deps, releaseTrack) {
   if (fanout != null) checks.push({ ok: fanout, label: `fanout target registered on ${baseBranch}` });
   const projectRegistry = localRegistryCheck(deps, "projects.json", (json) => Array.isArray(json?.projects) && projectRegistryIncludesRepo(json.projects, repo));
   if (projectRegistry != null) checks.push({ ok: projectRegistry, label: "cloud-agent project registry includes repo" });
-  const rulesetList = await restJson2(deps, `repos/${repo}/rulesets?includes_parents=true`, []);
-  const rulesets = await rulesetDetails(deps, repo, rulesetList);
+  const rulesetList = await restJson3(deps, `repos/${repo}/rulesets?includes_parents=true`, []);
+  const rulesets = await rulesetDetails2(deps, repo, rulesetList);
   const activeOrgRulesets = rulesets.filter(
     (r) => r.source_type === "Organization" && r.target === "branch" && r.enforcement === "active"
   );
@@ -12136,16 +13396,16 @@ async function verifyBootstrap(repo, repoClass, deps, releaseTrack) {
     label: "covered by an active org ruleset",
     detail: orgRuleset ? void 0 : activeOrgRulesets.length === 0 ? "no active Organization-sourced branch ruleset targets this repo" : `missing rule types: ${missingOrgRuleTypes.join(", ")}`
   });
-  if (repo === HUB_REPO3) {
-    const statusChecks = rulesetStatusChecks(rulesets.filter((r) => r.target === "branch" && r.enforcement === "active"));
+  if (repo === HUB_REPO4) {
+    const statusChecks = rulesetStatusChecks2(rulesets.filter((r) => r.target === "branch" && r.enforcement === "active"));
     const missing = requiredHubStatusChecks.filter((check) => !statusChecks.has(check));
     checks.push({
       ok: missing.length === 0,
       label: "Hub required status checks configured",
       detail: optionDetail(missing)
     });
-  } else {
-    const statusChecks = rulesetStatusChecks(rulesets.filter((r) => r.target === "branch" && r.enforcement === "active"));
+  } else if (repoClass === "deployable") {
+    const statusChecks = rulesetStatusChecks2(rulesets.filter((r) => r.target === "branch" && r.enforcement === "active"));
     const missing = requiredProductStatusChecks.filter((check) => !statusChecks.has(check));
     checks.push({
       ok: missing.length === 0,
@@ -13324,8 +14584,8 @@ function resolveKbSource(rawBase) {
   return { owner: m[1], repo: m[2], ref: m[3] };
 }
 function buildKbGetArgs(src, path2) {
-  const clean3 = path2.replace(/^\/+/, "");
-  return ["api", `repos/${src.owner}/${src.repo}/contents/${clean3}?ref=${src.ref}`, "-H", "Accept: application/vnd.github.raw"];
+  const clean4 = path2.replace(/^\/+/, "");
+  return ["api", `repos/${src.owner}/${src.repo}/contents/${clean4}?ref=${src.ref}`, "-H", "Accept: application/vnd.github.raw"];
 }
 function buildKbTreeArgs(src) {
   return ["api", `repos/${src.owner}/${src.repo}/git/trees/${src.ref}?recursive=1`];
@@ -13342,10 +14602,10 @@ function parseKbTree(stdout, prefix) {
 }
 
 // src/plan.ts
-var import_node_path13 = require("node:path");
+var import_node_path15 = require("node:path");
 var PLANS_DIR = "plans";
-var META_FILE = (0, import_node_path13.join)(PLANS_DIR, ".plan-meta.json");
-var planPath = (slug) => (0, import_node_path13.join)(PLANS_DIR, `${slug}.md`);
+var META_FILE = (0, import_node_path15.join)(PLANS_DIR, ".plan-meta.json");
+var planPath = (slug) => (0, import_node_path15.join)(PLANS_DIR, `${slug}.md`);
 var metaKey = (project2, slug) => `${project2}/${slug}`;
 function parseMeta(raw) {
   if (!raw) return {};
@@ -13370,7 +14630,7 @@ function hashContent(s) {
 function staleHint(slug) {
   return `remote "${slug}" is newer \u2014 run \`mmi-cli northstar pull ${slug}\` first (your local is based on an older version), or re-push with \`--force\` to overwrite`;
 }
-var INDEX_FILE = (0, import_node_path13.join)(PLANS_DIR, ".index.json");
+var INDEX_FILE = (0, import_node_path15.join)(PLANS_DIR, ".index.json");
 var INDEX_TTL_MS = 6e4;
 function parseIndex(raw) {
   if (!raw) return null;
@@ -13399,7 +14659,7 @@ function mergeIndex(idx, scope, plans, now) {
   const mergedScope = idx.scope === null ? null : [.../* @__PURE__ */ new Set([...idx.scope, ...scope])];
   return { fetchedAt: now, scope: mergedScope, plans: [...kept, ...plans] };
 }
-var QUEUE_FILE = (0, import_node_path13.join)(PLANS_DIR, ".sync-queue.json");
+var QUEUE_FILE = (0, import_node_path15.join)(PLANS_DIR, ".sync-queue.json");
 var QUEUE_MAX_ATTEMPTS = 10;
 function isValidQueueEntry(e) {
   if (!e || typeof e !== "object") return false;
@@ -13848,11 +15108,11 @@ async function planGraduate(deps, slug, opts = {}) {
 }
 
 // src/atomic-write.ts
-var import_node_fs14 = require("node:fs");
+var import_node_fs17 = require("node:fs");
 function atomicWriteFileSync(path2, content) {
   const tmp = `${path2}.${process.pid}.tmp`;
-  (0, import_node_fs14.writeFileSync)(tmp, content, "utf8");
-  (0, import_node_fs14.renameSync)(tmp, path2);
+  (0, import_node_fs17.writeFileSync)(tmp, content, "utf8");
+  (0, import_node_fs17.renameSync)(tmp, path2);
 }
 
 // src/oauth.ts
@@ -14083,7 +15343,7 @@ async function fetchHubVersionInfo(baseUrl) {
 }
 function readRepoVersion() {
   try {
-    return JSON.parse((0, import_node_fs15.readFileSync)((0, import_node_path14.join)(process.cwd(), ".claude-plugin", "plugin.json"), "utf8")).version || void 0;
+    return JSON.parse((0, import_node_fs18.readFileSync)((0, import_node_path16.join)(process.cwd(), ".claude-plugin", "plugin.json"), "utf8")).version || void 0;
   } catch {
     return void 0;
   }
@@ -14158,6 +15418,22 @@ async function applyClaudePluginHeal(surface, log) {
   }
   return true;
 }
+async function runCodexPlugin(args) {
+  try {
+    await runHostBin("codex", args, { timeout: CLAUDE_PLUGIN_TIMEOUT_MS });
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function applyCodexPluginHeal(surface, log) {
+  if (surface !== "codex") return false;
+  log("  \u21BB reinstalling the MMI plugin via `codex plugin` (marketplace remove \u2192 add --ref main \u2192 add)\u2026");
+  for (const step of CODEX_PLUGIN_HEAL_STEPS) {
+    if (healStepAborts(step, await runCodexPlugin([...step.args]))) return false;
+  }
+  return true;
+}
 var program2 = new Command();
 program2.name("mmi-cli").description("MMI Future CLI \u2014 org rules delivery, saga, KB. The engine the plugin SessionStart hook drives.").version(resolveClientVersion());
 async function runRulesSync(opts, io = consoleIo) {
@@ -14193,10 +15469,10 @@ async function runRulesSync(opts, io = consoleIo) {
   for (const entry of fetched) {
     if ("error" in entry) continue;
     const { file, source } = entry;
-    const current = (0, import_node_fs15.existsSync)(file) ? await (0, import_promises5.readFile)(file, "utf8") : null;
+    const current = (0, import_node_fs18.existsSync)(file) ? await (0, import_promises5.readFile)(file, "utf8") : null;
     if (needsUpdate(source, current)) {
       const slash = file.lastIndexOf("/");
-      if (slash > 0) (0, import_node_fs15.mkdirSync)(file.slice(0, slash), { recursive: true });
+      if (slash > 0) (0, import_node_fs18.mkdirSync)(file.slice(0, slash), { recursive: true });
       await (0, import_promises5.writeFile)(file, normalizeEol(source), "utf8");
       changed++;
       if (!opts.quiet) io.log(`mmi-cli rules: updated ${file}`);
@@ -14222,7 +15498,7 @@ async function runDocsSync(opts, io = consoleIo) {
         return null;
       }
     },
-    localContent: async (f) => (0, import_node_fs15.existsSync)(f) ? await (0, import_promises5.readFile)(f, "utf8") : null,
+    localContent: async (f) => (0, import_node_fs18.existsSync)(f) ? await (0, import_promises5.readFile)(f, "utf8") : null,
     writeDoc: async (f, c) => {
       await (0, import_promises5.writeFile)(f, c, "utf8");
     }
@@ -14234,6 +15510,7 @@ async function runDocsSync(opts, io = consoleIo) {
 var docs = program2.command("docs").description("repo-owned authoritative docs");
 docs.command("sync").option("--quiet", "stay silent unless something changed or errored").description("refresh README.md / architecture.md from the repo default branch (keeper-authored); never clobbers uncommitted edits").action((opts) => runDocsSync(opts));
 registerSagaCommands(program2);
+registerHandoffCommands(program2);
 registerHonchoCommands(program2);
 async function runWhoami(io = consoleIo) {
   const cfg = await loadConfig();
@@ -14247,8 +15524,18 @@ async function runWhoami(io = consoleIo) {
 program2.command("whoami").description('resolve the logged-in human: {login, source, sessionExpiresAt} JSON; source "unknown" (exit 0) when neither the Hub session nor gh can name them').option("--json", "machine-readable output (default)").action(async () => {
   await runWhoami();
 });
-program2.command("gc").description("dry-run cleanup for merged/closed PR branches and stale tracking refs").option("--dry-run", "show what would be deleted (default)").option("--apply", "delete only the listed clean merged/closed PR branches and stale tracking refs").option("--json", "machine-readable output").option("--remote <name>", "remote name", "origin").option("--limit <n>", "PRs to inspect per state", "200").action(async (o) => {
+program2.command("gc").description("dry-run cleanup for merged/closed PR branches and stale tracking refs (--scratch: stale local saga/plan/honcho files)").option("--dry-run", "show what would be deleted (default)").option("--apply", "delete only the listed clean merged/closed PR branches and stale tracking refs").option("--json", "machine-readable output").option("--scratch", "prune stale local saga/plan/honcho scratch already recorded remotely (#1474) instead of git branches/refs").option("--remote <name>", "remote name", "origin").option("--limit <n>", "PRs to inspect per state", "200").action(async (o) => {
   if (o.apply && o.dryRun) return fail("gc: choose either --dry-run or --apply");
+  if (o.scratch) {
+    try {
+      const root = (await execFileP2("git", ["rev-parse", "--show-toplevel"], { timeout: GIT_TIMEOUT_MS }).catch(() => ({ stdout: "" }))).stdout.trim() || process.cwd();
+      const run = executeScratchGc(root, { apply: Boolean(o.apply) });
+      if (o.json) return console.log(JSON.stringify({ dryRun: !o.apply, ...run }, null, 2));
+      return console.log(formatScratchGcPlan(run.plan, Boolean(o.apply)));
+    } catch (e) {
+      return fail(`gc --scratch: ${e.message}`);
+    }
+  }
   const limit = Number.parseInt(o.limit, 10);
   if (!Number.isFinite(limit) || limit < 1) return fail("gc: --limit must be a positive integer");
   try {
@@ -14276,6 +15563,120 @@ ${renderGcApplyResult(applyResult)}`);
     fail(`gc: ${e.message}`);
   }
 });
+var NPM_PROVISION_TIMEOUT_MS = 3e5;
+var WORKTREE_SETUP_LOCK_TTL_MS = 10 * 6e4;
+function runWorktreeInstall(command, cwd, quiet) {
+  const [bin, ...args] = command.split(" ");
+  const file = isWin ? "cmd.exe" : bin;
+  const spawnArgs = isWin ? ["/c", bin, ...args] : args;
+  return new Promise((resolve, reject) => {
+    const child = (0, import_node_child_process10.spawn)(file, spawnArgs, { cwd, stdio: quiet ? "ignore" : "inherit", windowsHide: true });
+    const timer = setTimeout(() => {
+      try {
+        child.kill();
+      } catch {
+      }
+      reject(new Error(`${command} timed out after ${NPM_PROVISION_TIMEOUT_MS}ms in ${cwd}`));
+    }, NPM_PROVISION_TIMEOUT_MS);
+    child.on("error", (e) => {
+      clearTimeout(timer);
+      reject(e);
+    });
+    child.on("exit", (code) => {
+      clearTimeout(timer);
+      if (code === 0) resolve();
+      else reject(new Error(`${command} exited ${code} in ${cwd}`));
+    });
+  });
+}
+async function primaryCheckoutRoot(worktreeRoot) {
+  try {
+    const out = (await execFileP2("git", ["-C", worktreeRoot, "rev-parse", "--path-format=absolute", "--git-common-dir"], { timeout: GIT_TIMEOUT_MS })).stdout.trim();
+    return out ? (0, import_node_path16.dirname)(out) : void 0;
+  } catch {
+    return void 0;
+  }
+}
+function makeProvisionDeps(worktreeRoot, quiet, log) {
+  return {
+    runInstall: (command, cwd) => runWorktreeInstall(command, cwd, quiet),
+    primaryCheckout: () => primaryCheckoutRoot(worktreeRoot),
+    log
+  };
+}
+function acquireWorktreeSetupLock(worktreeRoot) {
+  const lockPath = (0, import_node_path16.join)(worktreeRoot, ".mmi", "worktree-setup.lock");
+  const take = () => {
+    const fd = (0, import_node_fs18.openSync)(lockPath, "wx");
+    try {
+      (0, import_node_fs18.writeSync)(fd, String(Date.now()));
+    } finally {
+      (0, import_node_fs18.closeSync)(fd);
+    }
+    return () => {
+      try {
+        (0, import_node_fs18.rmSync)(lockPath, { force: true });
+      } catch {
+      }
+    };
+  };
+  try {
+    (0, import_node_fs18.mkdirSync)((0, import_node_path16.dirname)(lockPath), { recursive: true });
+    return take();
+  } catch {
+    try {
+      if (Date.now() - (0, import_node_fs18.statSync)(lockPath).mtimeMs > WORKTREE_SETUP_LOCK_TTL_MS) {
+        (0, import_node_fs18.rmSync)(lockPath, { force: true });
+        return take();
+      }
+    } catch {
+    }
+    return null;
+  }
+}
+var worktree = program2.command("worktree").description("self-provisioning worktrees \u2014 install deps + copy local-only config");
+worktree.command("create <branch>").description("create a worktree from a base ref and provision it (install deps + copy local-only config)").option("--from <ref>", "base ref to branch from", "origin/development").option("--path <path>", "worktree path (default: ../mmi-worktrees/<branch>)").option("--remote <name>", "remote to fetch the base from", "origin").option("--json", "machine-readable output").action(async (branch, o) => {
+  try {
+    const repoRoot = (await execFileP2("git", ["rev-parse", "--show-toplevel"], { timeout: GIT_TIMEOUT_MS }).catch(() => ({ stdout: "" }))).stdout.trim() || process.cwd();
+    const wtPath = o.path ?? defaultWorktreePath(repoRoot, branch);
+    const baseBranch = o.from.startsWith(`${o.remote}/`) ? o.from.slice(o.remote.length + 1) : void 0;
+    if (baseBranch) await execFileP2("git", ["fetch", o.remote, baseBranch], { timeout: GH_MUTATION_TIMEOUT_MS }).catch(() => void 0);
+    await execFileP2("git", ["worktree", "add", wtPath, "-b", branch, o.from], { timeout: GH_MUTATION_TIMEOUT_MS });
+    const report = await provisionWorktree(wtPath, makeProvisionDeps(wtPath, Boolean(o.json), (m) => {
+      if (!o.json) console.error(`  ${m}`);
+    }));
+    if (o.json) return console.log(JSON.stringify({ branch, path: wtPath, base: o.from, ...report }, null, 2));
+    console.log(`worktree ready: ${wtPath} (branch ${branch} from ${o.from})`);
+    console.log(`  installed: ${report.installed.map((i) => i.dir || ".").join(", ") || "none"}`);
+    console.log(`  copied: ${report.copied.join(", ") || "none"}`);
+  } catch (e) {
+    fail(`worktree create: ${e.message}`);
+  }
+});
+worktree.command("setup [path]").description("provision an existing worktree (install missing deps + copy local-only config); fired automatically by SessionStart").option("--quiet", "no output on success (for the detached SessionStart auto-fire worker)").option("--json", "machine-readable output").action(async (path2, o) => {
+  const root = path2 ?? process.cwd();
+  const release = acquireWorktreeSetupLock(root);
+  if (!release) {
+    if (!o.quiet && !o.json) console.log("worktree setup: another provision is in progress \u2014 skipping");
+    return;
+  }
+  try {
+    const report = await provisionWorktree(root, makeProvisionDeps(root, Boolean(o.quiet), (m) => {
+      if (!o.quiet && !o.json) console.error(`  ${m}`);
+    }));
+    if (o.json) return console.log(JSON.stringify({ path: root, ...report }, null, 2));
+    if (!o.quiet) {
+      console.log(`worktree provisioned: ${root}`);
+      console.log(`  installed: ${report.installed.map((i) => i.dir || ".").join(", ") || "none"}`);
+      console.log(`  copied: ${report.copied.join(", ") || "none"}`);
+    }
+  } catch (e) {
+    if (o.quiet) return void console.error(`[worktree-setup] ${e.message}`);
+    fail(`worktree setup: ${e.message}`);
+  } finally {
+    release();
+  }
+});
 var kb = program2.command("kb").description("org knowledgebase (read-only)");
 kb.command("get <path>").description("print a KB document by path").action(async (path2) => {
   const src = resolveKbSource((await loadConfig()).kbSource);
@@ -14395,7 +15796,7 @@ function detachPlanSync() {
   }
 }
 function makePlanDeps(cfg, io = consoleIo) {
-  const ensureDir = () => (0, import_node_fs15.mkdirSync)(PLANS_DIR, { recursive: true });
+  const ensureDir = () => (0, import_node_fs18.mkdirSync)(PLANS_DIR, { recursive: true });
   return {
     apiUrl: cfg.sagaApiUrl,
     fetch: (url, init = {}) => fetch(url, { ...init, signal: init.signal ?? AbortSignal.timeout(1e4) }),
@@ -14403,24 +15804,24 @@ function makePlanDeps(cfg, io = consoleIo) {
     project: async () => (await sagaKey(cfg)).project,
     readLocal: (slug) => {
       try {
-        return (0, import_node_fs15.readFileSync)(planPath(slug), "utf8");
+        return (0, import_node_fs18.readFileSync)(planPath(slug), "utf8");
       } catch {
         return null;
       }
     },
     writeLocal: (slug, content) => {
       ensureDir();
-      (0, import_node_fs15.writeFileSync)(planPath(slug), content, "utf8");
+      (0, import_node_fs18.writeFileSync)(planPath(slug), content, "utf8");
     },
     removeLocal: (slug) => {
       try {
-        (0, import_node_fs15.rmSync)(planPath(slug));
+        (0, import_node_fs18.rmSync)(planPath(slug));
       } catch {
       }
     },
     readMetaRaw: () => {
       try {
-        return (0, import_node_fs15.readFileSync)(META_FILE, "utf8");
+        return (0, import_node_fs18.readFileSync)(META_FILE, "utf8");
       } catch {
         return null;
       }
@@ -14431,7 +15832,7 @@ function makePlanDeps(cfg, io = consoleIo) {
     },
     readIndexRaw: () => {
       try {
-        return (0, import_node_fs15.readFileSync)(INDEX_FILE, "utf8");
+        return (0, import_node_fs18.readFileSync)(INDEX_FILE, "utf8");
       } catch {
         return null;
       }
@@ -14442,7 +15843,7 @@ function makePlanDeps(cfg, io = consoleIo) {
     },
     readQueueRaw: () => {
       try {
-        return (0, import_node_fs15.readFileSync)(QUEUE_FILE, "utf8");
+        return (0, import_node_fs18.readFileSync)(QUEUE_FILE, "utf8");
       } catch {
         return null;
       }
@@ -14632,6 +16033,20 @@ secrets.command("edit <key>").description("alias for set \u2014 replace a secret
   const ok = await secretsEdit(d, key, o);
   if (!ok) process.exitCode = 1;
 }));
+secrets.command("copy").description("copy provider keys between vault tiers (audit-logged; org-tier source is master-gated)").requiredOption("--from <stage>", "source tier: dev, rc, or main").requiredOption("--to <stage>", "destination tier: dev, rc, or main").requiredOption("--keys <names>", "comma-separated secret names (encryption keys blocked)").option("--dry-run", "report copies without writing").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action((o) => withSecrets(async (d) => {
+  const stages = ["dev", "rc", "main"];
+  if (!stages.includes(o.from) || !stages.includes(o.to)) {
+    return fail("secrets copy: --from and --to must be dev, rc, or main");
+  }
+  const ok = await secretsCopy(d, {
+    repo: o.repo,
+    from: o.from,
+    to: o.to,
+    keys: o.keys.split(","),
+    dryRun: o.dryRun
+  });
+  if (!ok) process.exitCode = 1;
+}));
 secrets.command("rm <key>").description("remove a secret (project tier self-serve; org tier needs a grant)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action((key, o) => withSecrets((d) => secretsRemove(d, key, o)));
 secrets.command("use <key>").description("print guidance on consuming a secret without committing it (no value)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action((key, o) => withSecrets((d) => secretsUse(d, key, o)));
 secrets.command("grant <repo> <login> <key>").description("MASTER-ONLY: grant a project-admin standing access to a specific org-tier secret").action((repo, login, key) => withSecrets((d) => secretsGrant(d, repo, login, key, {})));
@@ -14997,7 +16412,7 @@ oauth.command("verify").description("probe Google authorize with an arbitrary po
   if (mismatch) process.exitCode = 1;
 });
 var issue = program2.command("issue").description("issues \u2014 reliable create with structured output");
-issue.command("create").description("create an issue (type \u2192 label) and print {number,url,label} JSON").requiredOption("--type <type>", "bug | feature | task (sets the matching label)").option("--title <title>", "issue title").option("--title-file <path|->", "read the issue title from a UTF-8 file, or from stdin with -").option("--body <body>", "issue body (markdown)").option("--body-file <path|->", "read issue body from a UTF-8 file, or from stdin with -").requiredOption("--priority <priority>", "urgent | high | medium | low (label + board Priority field when configured)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--label <label...>", "extra label(s) to attach (repeatable; auto-created if missing)").option("--parent <ref>", "file as a native sub-issue of this parent (#123, owner/repo#123, or URL)").option("--no-related", "skip the auto related-issues comment").action(async (o) => {
+issue.command("create").description("create an issue (type \u2192 label) and print {number,url,label} JSON").requiredOption("--type <type>", "bug | feature | task (sets the matching label)").option("--title <title>", "issue title").option("--title-file <path|->", "read the issue title from a UTF-8 file, or from stdin with -").option("--body <body>", "issue body (markdown)").option("--body-file <path|->", "read issue body from a UTF-8 file, or from stdin with -").option("--priority <priority>", "urgent | high | medium | low (sets the board Priority field only \u2014 never a priority:* label, #416)").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--label <label...>", "extra label(s) to attach (repeatable; auto-created if missing)").option("--parent <ref>", "file as a native sub-issue of this parent (#123, owner/repo#123, or URL)").option("--no-related", "skip the auto related-issues comment").action(async (o) => {
   let args;
   let priority;
   let body;
@@ -15005,6 +16420,7 @@ issue.command("create").description("create an issue (type \u2192 label) and pri
   try {
     title = await resolveIssueTitle({ title: o.title, titleFile: o.titleFile }, { readFile: import_promises5.readFile, readStdin });
     body = await resolveIssueBody({ body: o.body, bodyFile: o.bodyFile }, { readFile: import_promises5.readFile, readStdin });
+    if (o.priority === void 0) throw new Error("missing --priority <priority> \u2014 expected one of: urgent, high, medium, low");
     priority = normalizePriority(o.priority);
     args = buildIssueArgs({ type: o.type, title, body, priority, repo: o.repo, labels: o.label });
     if (o.parent !== void 0) parseIssueRef(o.parent);
@@ -15082,12 +16498,12 @@ issue.command("link-child <parent> <child>").description("link an existing issue
     return fail(`issue link-child: ${(err.stderr || err.message || String(e)).trim()}${note ? ` (${note})` : ""}`);
   }
 });
-program2.command("report").description("file a friction report on the Hub board (GitHub auth, dedups open reports) and print {number,url} JSON").option("--title <title>", "one-line friction summary").option("--title-file <path|->", "read the friction summary from a UTF-8 file, or from stdin with -").option("--body <body>", "report body (markdown)").option("--body-file <path|->", "read report body from a UTF-8 file, or from stdin with -").option("--type <type>", "bug | feature | task (sets the matching label)", "task").option("--priority <priority>", "urgent | high | medium | low (board Priority field when configured)", "medium").option("--repo <owner/repo>", `target repo (defaults to the org Hub: ${HUB_REPO})`).option("--force", "file a new issue even when an open report looks like a duplicate").option("--json", "machine-readable output (already the default \u2014 report always prints JSON; #682)").action(async (o) => {
+program2.command("report").description("file a friction report on the Hub board (GitHub auth, dedups open reports) and print {number,url} JSON").option("--title <title>", "one-line friction summary").option("--title-file <path|->", "read the friction summary from a UTF-8 file, or from stdin with -").option("--body <body>", "report body (markdown)").option("--body-file <path|->", "read report body from a UTF-8 file, or from stdin with -").option("--type <type>", "bug | feature | task (sets the matching label)", "task").option("--priority <priority>", "urgent | high | medium | low (sets the board Priority field only, #416)", "medium").option("--repo <owner/repo>", `target repo (defaults to the org Hub: ${HUB_REPO2})`).option("--force", "file a new issue even when an open report looks like a duplicate").option("--json", "machine-readable output (already the default \u2014 report always prints JSON; #682)").action(async (o) => {
   let body;
   let priority;
   let args;
   let title;
-  const targetRepo2 = o.repo ?? HUB_REPO;
+  const targetRepo2 = o.repo ?? HUB_REPO2;
   const sourceRepo = await resolveRepo(void 0);
   try {
     title = await resolveIssueTitle({ title: o.title, titleFile: o.titleFile }, { readFile: import_promises5.readFile, readStdin });
@@ -15282,8 +16698,8 @@ grindCmd.command("estimate").description("Worst-case cost proxy (agent-call unit
     console.log(`ceiling:    ${GRIND_COST_CEILING} units \u2014 ${estimate.exceedsCeiling ? "EXCEEDS \u2192 ask human (cap/stuck path)" : "within"}`);
   }
 });
-program2.command("skill-lesson").description("file a skill-lesson on the Hub board (GitHub auth, dedups open lessons) and print {number,url} JSON").requiredOption("--skill <name>", `which skill misfired (${SKILL_NAMES.join(" | ")})`).option("--title <title>", "one-line summary of what misfired").option("--title-file <path|->", "read the one-line summary from a UTF-8 file, or from stdin with -").option("--body <body>", "lesson body: what misfired, the evidence, and the proposed amendment (markdown)").option("--body-file <path|->", "read the lesson body from a UTF-8 file, or from stdin with -").option("--priority <priority>", "urgent | high | medium | low (board Priority field when configured)", "medium").option("--repo <owner/repo>", `target repo (defaults to the org Hub: ${HUB_REPO})`).option("--force", "file a new issue even when an open lesson looks like a duplicate").option("--json", "machine-readable output (already the default \u2014 skill-lesson always prints JSON)").action(async (o) => {
-  const targetRepo2 = o.repo ?? HUB_REPO;
+program2.command("skill-lesson").description("file a skill-lesson on the Hub board (GitHub auth, dedups open lessons) and print {number,url} JSON").requiredOption("--skill <name>", `which skill misfired (${SKILL_NAMES.join(" | ")})`).option("--title <title>", "one-line summary of what misfired").option("--title-file <path|->", "read the one-line summary from a UTF-8 file, or from stdin with -").option("--body <body>", "lesson body: what misfired, the evidence, and the proposed amendment (markdown)").option("--body-file <path|->", "read the lesson body from a UTF-8 file, or from stdin with -").option("--priority <priority>", "urgent | high | medium | low (sets the board Priority field only, #416)", "medium").option("--repo <owner/repo>", `target repo (defaults to the org Hub: ${HUB_REPO2})`).option("--force", "file a new issue even when an open lesson looks like a duplicate").option("--json", "machine-readable output (already the default \u2014 skill-lesson always prints JSON)").action(async (o) => {
+  const targetRepo2 = o.repo ?? HUB_REPO2;
   const sourceRepo = await resolveRepo(void 0);
   const pluginSha = await resolvePluginSha();
   let skill;
@@ -15354,6 +16770,111 @@ pr.command("create").description("create a PR and print {number,url} JSON").opti
   const created = await ghCreate(buildPrArgs({ title, body, base: o.base, head: o.head, repo: o.repo }));
   console.log(JSON.stringify(created));
 });
+async function listCiWorkflowPaths(cwd = process.cwd()) {
+  const wfDir = (0, import_node_path16.join)(cwd, ".github", "workflows");
+  if (!(0, import_node_fs18.existsSync)(wfDir)) return [];
+  return (0, import_node_fs18.readdirSync)(wfDir).filter((name) => /\.(ya?ml)$/i.test(name)).map((name) => `.github/workflows/${name}`);
+}
+async function resolveMergeCiPolicyForCheckout(repoOpt) {
+  const repo = repoOpt ?? await resolveRepo();
+  if (repo) {
+    return resolveRepoMergeCiPolicy(repo, ciAuditDeps());
+  }
+  const workflowPaths = await listCiWorkflowPaths();
+  return resolveMergeCiPolicy({ workflowPaths });
+}
+function ciAuditDeps() {
+  const cfgPromise = loadConfig();
+  return {
+    client: defaultGitHubClient(),
+    listProjects: async () => fetchProjectsList(registryClientDeps(await cfgPromise)),
+    getProjectMeta: async (slug) => fetchProjectBySlug(slug, registryClientDeps(await cfgPromise))
+  };
+}
+pr.command("ci-policy").description("report merge CI policy: wait-for-checks vs no-ci (for grind/build agents)").option("--json", "machine-readable output").option("--repo <owner/repo>", "target repo (defaults to the current checkout)").action(async (o) => {
+  const result = await resolveMergeCiPolicyForCheckout(o.repo);
+  if (o.json) return printLine(JSON.stringify(result));
+  printLine(`merge CI policy: ${result.policy} (${result.reason})`);
+});
+pr.command("checks-wait <number>").description("bounded wait for PR checks; skips immediately on no-ci repos (#1432)").option("--json", "machine-readable output").option("--repo <owner/repo>", "target repo (defaults to the current repo)").action(async (number, o) => {
+  const repoArgs = o.repo ? ["--repo", o.repo] : [];
+  const result = await waitForPrChecks({
+    resolvePolicy: () => resolveMergeCiPolicyForCheckout(o.repo),
+    pollChecks: async () => {
+      const { stdout } = await execFileP2("gh", ["pr", "checks", number, ...repoArgs], { timeout: GC_GH_TIMEOUT_MS });
+      return parseGhPrChecksOutput(stdout);
+    },
+    sleep: (ms) => new Promise((resolve) => setTimeout(resolve, ms))
+  });
+  if (o.json) printLine(JSON.stringify(result));
+  else printLine(`pr checks-wait: ${result.status}${result.reason ? ` \u2014 ${result.reason}` : ""}${result.detail ? ` (${result.detail})` : ""}`);
+  if (result.status === "failure" || result.status === "timeout") process.exitCode = 1;
+});
+pr.command("land <number>").description("agent merge path (#1440): train probe \u2192 checks-wait \u2192 merge --auto \u2192 poll enqueued \u2014 development PRs only").option("--json", "machine-readable output").option("--repo <owner/repo>", "target repo (defaults to the PR repo)").option("--no-require-train", "skip train-authority preflight (not recommended for autonomous agents)").action(async (number, o) => {
+  const repoArgs = o.repo ? ["--repo", o.repo] : [];
+  const result = await runPrLand(number, { repo: o.repo, requireTrain: o.requireTrain !== false }, {
+    resolveRepo: async (prNumber, repoOpt) => {
+      if (repoOpt) return repoOpt;
+      const viewed = (await execFileP2("gh", ["pr", "view", prNumber, ...repoArgs, "--json", "headRepository,baseRefName", "--jq", '.headRepository.nameWithOwner + " " + .baseRefName'], { timeout: GC_GH_TIMEOUT_MS })).stdout.trim();
+      const [repo, base2] = viewed.split(/\s+/);
+      if (base2 && base2 !== "development") {
+        throw new Error(`pr land: base branch must be development (got ${base2}) \u2014 promotion merges stay human-only`);
+      }
+      if (!repo) throw new Error("pr land: could not resolve PR repo");
+      return repo;
+    },
+    fetchTrainAuthority: async (repo) => fetchTrainAuthority(repo, registryClientDeps(await loadConfig())),
+    resolveCiPolicy: (repo) => resolveRepoMergeCiPolicy(repo, ciAuditDeps()),
+    waitForChecks: (prNumber, repo) => waitForPrChecks({
+      resolvePolicy: () => resolveRepoMergeCiPolicy(repo, ciAuditDeps()),
+      pollChecks: async () => {
+        const args = repo ? ["--repo", repo] : [];
+        const { stdout } = await execFileP2("gh", ["pr", "checks", prNumber, ...args], { timeout: GC_GH_TIMEOUT_MS });
+        return parseGhPrChecksOutput(stdout);
+      },
+      sleep: (ms) => new Promise((resolve) => setTimeout(resolve, ms))
+    }),
+    mergeAuto: async (prNumber, repo) => {
+      const args = repo ? ["--repo", repo] : [];
+      try {
+        await execFileP2("gh", buildPrMergeArgs({ number: prNumber, repoArgs: args, method: "--squash", auto: true }), { timeout: GH_MUTATION_TIMEOUT_MS });
+      } catch (e) {
+        const message = String(e.message || "");
+        if (/already been merged/i.test(message)) return { mergeStatus: "merged" };
+        const note = timeoutKillNote(e, GH_MUTATION_TIMEOUT_MS);
+        if (note) return { mergeStatus: "failed", error: note };
+        if (!basePolicyBlocksImmediateMerge(message)) {
+          return { mergeStatus: "failed", error: message.split("\n")[0] };
+        }
+        return { mergeStatus: "failed", error: `merge blocked: ${message.split("\n")[0]} \u2014 ensure checks are green` };
+      }
+      const state = (await execFileP2("gh", ["pr", "view", prNumber, ...args, "--json", "state", "--jq", ".state"], { timeout: GC_GH_TIMEOUT_MS }).catch(() => ({ stdout: "" }))).stdout.trim();
+      return { mergeStatus: state === "MERGED" ? "merged" : "auto-merge-enqueued" };
+    },
+    pollMerged: async (prNumber, repo, deadlineMs) => {
+      const args = repo ? ["--repo", repo] : [];
+      while (Date.now() < deadlineMs) {
+        const state = (await execFileP2("gh", ["pr", "view", prNumber, ...args, "--json", "state", "--jq", ".state"], { timeout: GC_GH_TIMEOUT_MS }).catch(() => ({ stdout: "" }))).stdout.trim();
+        if (state === "MERGED") return true;
+        await new Promise((resolve) => setTimeout(resolve, PR_LAND_POLL_MS));
+      }
+      return false;
+    }
+  });
+  if (o.json) printLine(JSON.stringify(result));
+  else printLine(`pr land: ${result.status}${result.error ? ` \u2014 ${result.error}` : ""}`);
+  if (result.status === "failed") process.exitCode = 1;
+  else {
+    await execFileP2(process.execPath, [
+      process.argv[1],
+      "pr",
+      "merge",
+      number,
+      ...o.repo ? ["--repo", o.repo] : [],
+      "--squash"
+    ], { timeout: GH_MUTATION_TIMEOUT_MS }).catch(() => void 0);
+  }
+});
 async function remoteBranchExists2(branch, options = {}) {
   return checkRemoteBranchExists(branch, {
     execGit: async (args) => (await execFileP2("git", args, { timeout: GIT_TIMEOUT_MS })).stdout
@@ -15362,7 +16883,7 @@ async function remoteBranchExists2(branch, options = {}) {
 var COMPOSE_TIMEOUT_MS = 12e4;
 async function createDeferredWorktreeStore() {
   try {
-    const { stdout } = await execFileP2("git", ["rev-parse", "--git-dir"], { timeout: GIT_TIMEOUT_MS });
+    const { stdout } = await execFileP2("git", ["rev-parse", "--git-common-dir"], { timeout: GIT_TIMEOUT_MS });
     const registryPath = deferredWorktreesRegistryPath(stdout.trim());
     return {
       read: async () => {
@@ -15374,7 +16895,7 @@ async function createDeferredWorktreeStore() {
       },
       write: async (entries) => {
         try {
-          await (0, import_promises5.mkdir)((0, import_node_path14.dirname)(registryPath), { recursive: true });
+          await (0, import_promises5.mkdir)((0, import_node_path16.dirname)(registryPath), { recursive: true });
           await (0, import_promises5.writeFile)(registryPath, serializeDeferredWorktrees(entries), "utf8");
         } catch {
         }
@@ -15393,7 +16914,7 @@ function worktreeRemoveDeps(execGit) {
 }
 function teardownWorktreeStage(worktreePath) {
   return runWorktreeStageTeardown(worktreePath, {
-    hasStageState: (wt) => (0, import_node_fs15.existsSync)(stageStatePath(wt)),
+    hasStageState: (wt) => (0, import_node_fs18.existsSync)(stageStatePath(wt)),
     stopRecordedStage: async (wt) => (await stopStage({ cwd: wt })).pid,
     listComposeProjects: async () => {
       const { stdout } = await execFileP2("docker", ["compose", "ls", "--all", "--format", "json"], { timeout: GC_GH_TIMEOUT_MS });
@@ -15404,7 +16925,7 @@ function teardownWorktreeStage(worktreePath) {
     }
   });
 }
-pr.command("merge <number>").description("merge a PR (squash by default) and clean up its branch + worktree \u2014 no leftover local branch").option("--squash", "squash merge (default)").option("--merge", "create a merge commit").option("--rebase", "rebase merge").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--auto", "enable auto-merge \u2014 merge once the base-branch policy is satisfied (use for policy-gated repos)").action(async (number, o) => {
+pr.command("merge <number>").description("merge a PR (squash by default) and clean up its branch + worktree \u2014 no leftover local branch; on no-ci repos run pr ci-policy / checks-wait first (#1432)").option("--squash", "squash merge (default)").option("--merge", "create a merge commit").option("--rebase", "rebase merge").option("--repo <owner/repo>", "target repo (defaults to the current repo)").option("--auto", "enable auto-merge \u2014 merge once the base-branch policy is satisfied (use for policy-gated repos)").action(async (number, o) => {
   const method = o.rebase ? "--rebase" : o.merge ? "--merge" : "--squash";
   const repoArgs = o.repo ? ["--repo", o.repo] : [];
   const headRef = (await execFileP2("gh", ["pr", "view", number, ...repoArgs, "--json", "headRefName", "--jq", ".headRefName"], { timeout: GC_GH_TIMEOUT_MS })).stdout.trim();
@@ -15456,7 +16977,7 @@ pr.command("merge <number>").description("merge a PR (squash by default) and cle
     } : await cleanupPrMergeLocalBranch(headRef, {
       beforeWorktrees,
       startingPath,
-      pathExists: (p) => (0, import_node_fs15.existsSync)(p),
+      pathExists: (p) => (0, import_node_fs18.existsSync)(p),
       execGit: async (args) => (await execFileP2("git", args, { timeout: GIT_TIMEOUT_MS })).stdout,
       teardownWorktreeStage,
       deferredStore,
@@ -15571,6 +17092,25 @@ board.command("backfill-priority").description("set board Priority from priority
     return failGraceful(`board backfill-priority failed: ${e.message}`);
   }
 });
+board.command("prune-priority-labels").description("remove retired priority:* labels (#416) from issues whose board Priority field is already set").option("--json", "machine-readable output").option("--repo <owner/repo>", "current repo (defaults to git origin)").option("--dry-run", "report what would be removed without writing").option("--concurrency <n>", "parallel issue edits (default 8)", "8").action(async (o) => {
+  try {
+    const result = await prunePriorityLabels({
+      config: await loadConfigForRepo(o.repo),
+      repo: o.repo,
+      dryRun: o.dryRun,
+      concurrency: Number(o.concurrency) || 8
+    });
+    if (o.json) return console.log(JSON.stringify(result));
+    console.log(
+      `prune-priority-labels: scanned ${result.scanned}, pruned ${result.pruned} (${result.removedLabels} labels), skipped ${result.skippedNoField} (field unset), failed ${result.failed}`
+    );
+    for (const line of result.details.slice(0, 30)) console.log(`  ${line}`);
+    if (result.details.length > 30) console.log(`  ... +${result.details.length - 30} more`);
+    if (result.failed) process.exitCode = 1;
+  } catch (e) {
+    return failGraceful(`board prune-priority-labels failed: ${e.message}`);
+  }
+});
 board.command("done <issue>").description("set a board item's Status to Done (does not close the GitHub issue; use `gh issue close`)").option("--json", "machine-readable output").option("--repo <owner/repo>", "current repo for local issue numbers (defaults to git origin)").option("--allow-partial", "return success JSON if the item resolves but the status move fails").action(async (issueRef, o) => {
   try {
     const result = await moveBoardItem({ config: await loadConfigOrDiscover(), selector: issueRef, status: "Done", repo: o.repo, allowPartial: o.allowPartial });
@@ -15609,7 +17149,7 @@ function rawValues(flag) {
   return out;
 }
 function printLine(value) {
-  (0, import_node_fs15.writeSync)(1, `${value}
+  (0, import_node_fs18.writeSync)(1, `${value}
 `);
 }
 function stageKeepAlive() {
@@ -15626,10 +17166,26 @@ async function resolveStage() {
     local,
     shell: shellFor(),
     registry: { deployModel: project2?.deployModel, portRange, error: read.ok ? void 0 : read.error },
-    hasCompose: (0, import_node_fs15.existsSync)((0, import_node_path14.join)(process.cwd(), "docker-compose.yml")),
-    hasEnvExample: (0, import_node_fs15.existsSync)((0, import_node_path14.join)(process.cwd(), ".env.example"))
+    hasCompose: (0, import_node_fs18.existsSync)((0, import_node_path16.join)(process.cwd(), "docker-compose.yml")),
+    hasEnvExample: (0, import_node_fs18.existsSync)((0, import_node_path16.join)(process.cwd(), ".env.example"))
   });
 }
+async function fetchStageVaultEnvMerge() {
+  const cfg = await loadConfig();
+  if (!cfg.sagaApiUrl) return void 0;
+  const read = await fetchProjectBySlugChecked(await repoSlug(), registryClientDeps(cfg)).catch(() => null);
+  if (!read?.ok || !read.project) return void 0;
+  const names = requiredRuntimeSecretNames("dev", read.project.requiredRuntimeSecrets, { includeGoogleOAuth: false });
+  if (!names.length) return void 0;
+  const d = makeSecretsDeps(cfg);
+  const merge = {};
+  for (const name of names) {
+    const key = name.includes("/") ? name : `dev/${name}`;
+    const value = await fetchSecretValue(d, key, {});
+    if (value != null) merge[name.includes("/") ? name.split("/").pop() : name] = value;
+  }
+  return Object.keys(merge).length ? merge : void 0;
+}
 function stageStepsFor(res, stops = true) {
   if (res.source === "derived" && res.derived) return derivedStagePlan(res.derived, shellFor(), stops);
   if (res.source === "local") return stagePlan(res.config ?? {}, stops);
@@ -15663,9 +17219,9 @@ program2.command("port-range <repo>").description("assign (idempotently) + print
     printLine(o.json ? JSON.stringify({ repo, portRange: [start2, end2], source: "meta" }) : `${repo}: stage.portRange [${start2}, ${end2}]`);
     return;
   }
-  const path2 = (0, import_node_path14.join)(process.cwd(), "infra", "port-ranges.json");
+  const path2 = (0, import_node_path16.join)(process.cwd(), "infra", "port-ranges.json");
   const allocate = async (seed) => {
-    const { stdout } = await execFileP2("node", [(0, import_node_path14.join)(process.cwd(), "infra", "port-ddb.mjs"), String(seed)], { timeout: 15e3 });
+    const { stdout } = await execFileP2("node", [(0, import_node_path16.join)(process.cwd(), "infra", "port-ddb.mjs"), String(seed)], { timeout: 15e3 });
     const parsed = JSON.parse(stdout);
     if (!Array.isArray(parsed.range) || parsed.range.length !== 2) throw new Error("port-ddb: no range in output");
     return parsed.range;
@@ -15761,6 +17317,7 @@ stage.command("start").description("start the configured local stage process and
   }
   if (res.source === "none") return failGraceful(`stage start: ${res.gap}`);
   const cfg = res.config ?? res.derived.config;
+  const vaultEnvMerge = res.source === "derived" ? await fetchStageVaultEnvMerge() : void 0;
   try {
     const hold = stageKeepAlive();
     let printed = false;
@@ -15768,6 +17325,7 @@ stage.command("start").description("start the configured local stage process and
       const result = await startStage(cfg, {
         timeoutMs: Number(o.timeoutMs || 6e4),
         allowStaleEnv: o.allowStaleEnv,
+        vaultEnvMerge,
         onReady: (ready) => {
           printed = true;
           const reportUrl = reportedStageUrl(res, ready);
@@ -15795,6 +17353,7 @@ stage.command("run").description("force-stop previous stage, build, start, and h
   }
   if (res.source === "none") return failGraceful(`stage run: ${res.gap}`);
   const cfg = res.config ?? res.derived.config;
+  const vaultEnvMerge = res.source === "derived" ? await fetchStageVaultEnvMerge() : void 0;
   try {
     const hold = stageKeepAlive();
     let printed = false;
@@ -15802,6 +17361,7 @@ stage.command("run").description("force-stop previous stage, build, start, and h
       const result = await runStage(cfg, {
         timeoutMs: Number(o.timeoutMs || 6e4),
         allowStaleEnv: o.allowStaleEnv,
+        vaultEnvMerge,
         onReady: (ready) => {
           const reportUrl = reportedStageUrl(res, ready);
           const url = reportUrl ? ` \u2014 ${reportUrl}` : "";
@@ -15981,6 +17541,39 @@ var hotfixCmd = program2.command("hotfix").description("stepwise hotfix orchestr
 hotfixCmd.command("start").description("cherry-pick a merged development PR (or SHA) onto hotfix/vX.Y.Z from origin/main, bump the distribution, open the main-base PR").requiredOption("--from <pr#|sha>", "merged development PR number or commit SHA to cherry-pick").option("--json", "machine-readable output").action(async (o) => runHotfixSub("start", () => runHotfixStart(trainApplyDeps(), { from: o.from }), o.json, renderHotfixStart));
 hotfixCmd.command("release <version>").description("after the hotfix PR is merged + checks green: tag, GitHub Release, watch deploy/publish, verify distribution (idempotent)").option("--json", "machine-readable output").option("--announce-summary-file <path>", "agent-curated summary lines for the Hub Slack announcement (#883)").action(async (version, o) => runHotfixSub("release", () => runHotfixRelease(trainApplyDeps(), version, { announceSummaryFile: o.announceSummaryFile }), o.json, renderHotfixRelease));
 hotfixCmd.command("status [version]").description("derive the full hotfix pipeline state from live git/gh reads and name the exact next subcommand").option("--json", "machine-readable output").action(async (version, o) => runHotfixSub("status", () => runHotfixStatus(trainApplyDeps(), version), o.json, renderHotfixStatus));
+var ci = program2.command("ci").description("org CI + merge-readiness audit and reconcile");
+ci.command("audit").description("read-only fleet scan: gate workflow, ruleset contexts, auto-merge, registry META (#1440)").option("--json", "machine-readable output").option("--markdown", "fleet summary table for issue comments").option("--repo <owner/repo>", "audit one repo instead of the full registry").action(async (o) => {
+  const report = await auditOrgCi(ciAuditDeps(), o.repo);
+  if (o.json) console.log(JSON.stringify(report, null, 2));
+  else if (o.markdown) console.log(renderCiAuditMarkdown(report));
+  else console.log(renderCiAuditText(report));
+  if (!report.ok) process.exitCode = 1;
+});
+ci.command("reconcile").description("audit + optionally apply merge settings and product ruleset activation (master-admin)").option("--json", "machine-readable output").option("--repo <owner/repo>", "reconcile one repo instead of the full registry").option("--apply", "PATCH merge settings + activate product ruleset when missing (master role required)").action(async (o) => {
+  if (o.apply) {
+    const verdict = await fetchTrainAuthority(HUB_REPO2, registryClientDeps(await loadConfig()));
+    if (!verdict.ok || verdict.authority.role !== "master") {
+      return fail("ci reconcile --apply: master-admin required");
+    }
+  }
+  const deps = ciAuditDeps();
+  const audit = await auditOrgCi(deps, o.repo);
+  const applyResults = o.apply ? await Promise.all(audit.repos.map((r) => applyCiReconcileRepo(r.repo, deps))) : [];
+  const payload = { audit, apply: applyResults };
+  if (o.json) console.log(JSON.stringify(payload, null, 2));
+  else {
+    console.log(renderCiAuditText(audit));
+    if (o.apply) {
+      for (const r of applyResults) {
+        console.log(`
+${r.repo}: applied=[${r.applied.join("; ")}] skipped=[${r.skipped.join("; ")}]${r.errors.length ? ` errors=[${r.errors.join("; ")}]` : ""}`);
+      }
+    } else {
+      console.log("\nDry-run \u2014 re-run with --apply to patch merge settings and activate product rulesets (master-admin).");
+    }
+  }
+  if (!audit.ok) process.exitCode = 1;
+});
 var bootstrap = program2.command("bootstrap").description("plan repo bootstrap operations; mutations require master-admin approval").option("--repo <owner/repo>", "target repo").option("--class <class>", "deployable | content", "deployable").option("--json", "machine-readable output").option("--apply", "reserved for future bootstrap execution after explicit master-admin approval").action((o) => {
   if (!o.repo) return fail("bootstrap: required option --repo <owner/repo> not specified");
   if (o.apply) return fail("bootstrap: execution is not implemented yet; use the dry-run plan and the existing /bootstrap skill");
@@ -15999,7 +17592,7 @@ bootstrap.command("verify <repo>").description("audit whether an existing repo i
   const report = await verifyBootstrap(repo, o.class, {
     client: defaultGitHubClient(),
     projectMeta: meta,
-    readLocalFile: (path2) => path2 === "projects.json" && apiProjects != null ? apiProjects : (0, import_node_fs15.existsSync)(path2) ? (0, import_node_fs15.readFileSync)(path2, "utf8") : null,
+    readLocalFile: (path2) => path2 === "projects.json" && apiProjects != null ? apiProjects : (0, import_node_fs18.existsSync)(path2) ? (0, import_node_fs18.readFileSync)(path2, "utf8") : null,
     // requiredGcpApis is stored as an array by a JSON write, but `project set --var KEY=VALUE` stores a raw
     // comma-string — accept either so the seeded value verifies regardless of how it was written.
     requiredGcpApis: (() => {
@@ -16042,12 +17635,12 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
     return fail(`bootstrap apply: ${e.message}`);
   }
   const manifestPath = "skills/bootstrap/seeds/manifest.json";
-  if (!(0, import_node_fs15.existsSync)(manifestPath)) return fail(`bootstrap apply: ${manifestPath} not found; run from the MMI-Hub repo root`);
-  const manifest = loadBootstrapSeeds((0, import_node_fs15.readFileSync)(manifestPath, "utf8"));
+  if (!(0, import_node_fs18.existsSync)(manifestPath)) return fail(`bootstrap apply: ${manifestPath} not found; run from the MMI-Hub repo root`);
+  const manifest = loadBootstrapSeeds((0, import_node_fs18.readFileSync)(manifestPath, "utf8"));
   const baseBranch = o.class === "content" ? "main" : "development";
   const slug = parsedRepo.slug;
   const gh = async (args) => execFileP2("gh", args, { timeout: 2e4 });
-  const readFile5 = (p) => (0, import_node_fs15.existsSync)(p) ? (0, import_node_fs15.readFileSync)(p, "utf8") : null;
+  const readFile5 = (p) => (0, import_node_fs18.existsSync)(p) ? (0, import_node_fs18.readFileSync)(p, "utf8") : null;
   const enc2 = (p) => p.split("/").map(encodeURIComponent).join("/");
   const rawVars = {};
   for (const value of rawValues("--var")) {
@@ -16097,6 +17690,26 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
       applied.push(`${action.action} ${resolved.target}`);
     }
   }
+  if (o.execute && o.class === "deployable") {
+    try {
+      await gh(["api", "-X", "PATCH", `repos/${repo}`, "-f", "allow_auto_merge=true", "-f", "allow_squash_merge=true", "-f", "delete_branch_on_merge=true"]);
+      applied.push("merge settings: allow_auto_merge, squash, delete-branch-on-merge");
+    } catch (e) {
+      applied.push(`merge settings (failed: ${e.message})`);
+    }
+    const rulesetSeed = manifest.seeds.find((s) => s.target === ".github/rulesets/mmi-product-required-checks.json");
+    if (rulesetSeed) {
+      const rulesetContent = resolveSeedContent({ ...rulesetSeed, target: rulesetSeed.target.replace("{{REPO_SLUG}}", slug) }, vars, readFile5);
+      if (rulesetContent) {
+        try {
+          const activation = await activateProductRuleset(repo, stripRulesetComment(rulesetContent), defaultGitHubClient());
+          applied.push(`product ruleset: ${activation.action}${activation.detail ? ` (${activation.detail})` : ""}`);
+        } catch (e) {
+          return failGraceful(`bootstrap apply: product ruleset activation failed: ${e.message}`);
+        }
+      }
+    }
+  }
   if (o.execute) {
     for (const l of manifest.labels) {
       try {
@@ -16150,10 +17763,10 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
       name: vars.NAME || parsedRepo.name
     };
     const readHubFile = async (path2) => {
-      const r = await gh(["api", `repos/${HUB_REPO}/contents/${enc2(path2)}?ref=development`]);
+      const r = await gh(["api", `repos/${HUB_REPO2}/contents/${enc2(path2)}?ref=development`]);
       const parsed = JSON.parse(r.stdout);
       if (parsed.encoding !== "base64" || typeof parsed.content !== "string" || !parsed.sha) {
-        throw new Error(`could not read ${HUB_REPO}/${path2}`);
+        throw new Error(`could not read ${HUB_REPO2}/${path2}`);
       }
       return { content: Buffer.from(parsed.content, "base64").toString("utf8"), sha: parsed.sha };
     };
@@ -16165,15 +17778,15 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
         applied.push(`fanout: already registered (${parsedRepo.name})`);
       } else {
         const branchName = `bootstrap-register-fanout-${slug}`;
-        const headSha = (await gh(["api", `repos/${HUB_REPO}/git/ref/heads/development`, "--jq", ".object.sha"])).stdout.trim();
+        const headSha = (await gh(["api", `repos/${HUB_REPO2}/git/ref/heads/development`, "--jq", ".object.sha"])).stdout.trim();
         try {
-          await gh(["api", "-X", "POST", `repos/${HUB_REPO}/git/refs`, "-f", `ref=refs/heads/${branchName}`, "-f", `sha=${headSha}`]);
+          await gh(["api", "-X", "POST", `repos/${HUB_REPO2}/git/refs`, "-f", `ref=refs/heads/${branchName}`, "-f", `sha=${headSha}`]);
         } catch (e) {
           if (!/Reference already exists|already exists/i.test(String(e.message ?? ""))) throw e;
         }
         const branchFileSha = async (path2) => {
           try {
-            const r = await gh(["api", `repos/${HUB_REPO}/contents/${enc2(path2)}?ref=${branchName}`, "--jq", ".sha"]);
+            const r = await gh(["api", `repos/${HUB_REPO2}/contents/${enc2(path2)}?ref=${branchName}`, "--jq", ".sha"]);
             return r.stdout.trim() || void 0;
           } catch (e) {
             if (/404|Not Found/i.test(String(e.message ?? ""))) return void 0;
@@ -16182,9 +17795,9 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
         };
         const fanoutBranchSha = await branchFileSha(".github/fanout-targets.json");
         const projectsBranchSha = await branchFileSha("projects.json");
-        await gh(contentPutArgs(HUB_REPO, ".github/fanout-targets.json", plan2.fanoutTargets, branchName, fanoutBranchSha));
-        await gh(contentPutArgs(HUB_REPO, "projects.json", plan2.projects, branchName, projectsBranchSha));
-        const openPrs = await gh(["pr", "list", "--repo", HUB_REPO, "--head", branchName, "--base", "development", "--state", "open", "--json", "number,url"]);
+        await gh(contentPutArgs(HUB_REPO2, ".github/fanout-targets.json", plan2.fanoutTargets, branchName, fanoutBranchSha));
+        await gh(contentPutArgs(HUB_REPO2, "projects.json", plan2.projects, branchName, projectsBranchSha));
+        const openPrs = await gh(["pr", "list", "--repo", HUB_REPO2, "--head", branchName, "--base", "development", "--state", "open", "--json", "number,url"]);
         const prDecision = decideFanoutPrAction(JSON.parse(openPrs.stdout || "[]"));
         if (prDecision.action === "reuse") {
           fanoutPrUrl = prDecision.url;
@@ -16193,7 +17806,7 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
             "pr",
             "create",
             "--repo",
-            HUB_REPO,
+            HUB_REPO2,
             "--base",
             "development",
             "--head",
@@ -16205,7 +17818,7 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
           ]);
           fanoutPrUrl = created.url;
         }
-        await gh(["pr", "merge", fanoutPrUrl, "--repo", HUB_REPO, "--auto", "--squash"]).catch((e) => {
+        await gh(["pr", "merge", fanoutPrUrl, "--repo", HUB_REPO2, "--auto", "--squash"]).catch((e) => {
           if (!/already/i.test(String(e.message ?? ""))) throw e;
         });
         applied.push(`fanout: PR ${fanoutPrUrl} (auto-merge enabled)`);
@@ -16256,16 +17869,16 @@ access.command("audit").description("audit collaborator roles + train-branch pus
     if (o.class !== "deployable" && o.class !== "content") return failGraceful("access audit: --class must be deployable or content");
     targets = [{ repo: o.repo, class: o.class }];
   } else {
-    const projectsJson = registryProjects ? JSON.stringify({ projects: registryProjects }) : (0, import_node_fs15.existsSync)("projects.json") ? (0, import_node_fs15.readFileSync)("projects.json", "utf8") : null;
+    const projectsJson = registryProjects ? JSON.stringify({ projects: registryProjects }) : (0, import_node_fs18.existsSync)("projects.json") ? (0, import_node_fs18.readFileSync)("projects.json", "utf8") : null;
     if (!projectsJson) return failGraceful("access audit: no project registry \u2014 Hub API unreachable and projects.json not found; run from the MMI-Hub repo root or pass --repo <owner/repo>");
-    const fanoutJson = (0, import_node_fs15.existsSync)(".github/fanout-targets.json") ? (0, import_node_fs15.readFileSync)(".github/fanout-targets.json", "utf8") : null;
+    const fanoutJson = (0, import_node_fs18.existsSync)(".github/fanout-targets.json") ? (0, import_node_fs18.readFileSync)(".github/fanout-targets.json", "utf8") : null;
     targets = loadAccessTargets(projectsJson, fanoutJson);
   }
   const derivedMatrix = registryProjects ? accessMatrixFromProjects(registryProjects) : {};
-  const fileMatrix = (0, import_node_fs15.existsSync)("access-matrix.json") ? loadAccessMatrix((0, import_node_fs15.readFileSync)("access-matrix.json", "utf8")) : {};
+  const fileMatrix = (0, import_node_fs18.existsSync)("access-matrix.json") ? loadAccessMatrix((0, import_node_fs18.readFileSync)("access-matrix.json", "utf8")) : {};
   const matrix = mergeAccessMatrix(fileMatrix, derivedMatrix);
   const derivedContracts = registryProjects ? dataAccessContractsFromProjects(registryProjects) : { consumers: {} };
-  const fileContracts = (0, import_node_fs15.existsSync)("data-access-contracts.json") ? loadDataAccessContracts((0, import_node_fs15.readFileSync)("data-access-contracts.json", "utf8")) : { consumers: {} };
+  const fileContracts = (0, import_node_fs18.existsSync)("data-access-contracts.json") ? loadDataAccessContracts((0, import_node_fs18.readFileSync)("data-access-contracts.json", "utf8")) : { consumers: {} };
   const dataAccess = mergeDataAccessContracts(fileContracts, derivedContracts);
   const report = await auditOrgAccess(targets, deps, matrix, dataAccess);
   console.log(o.json ? JSON.stringify(report, null, 2) : renderAccessReport(report));
@@ -16274,20 +17887,20 @@ access.command("audit").description("audit collaborator roles + train-branch pus
 var isWin = process.platform === "win32";
 var installedPluginsPath = (surface = detectSurface(process.env)) => {
   const homeDir = surface === "codex" ? ".codex" : ".claude";
-  return (0, import_node_path14.join)((0, import_node_os5.homedir)(), homeDir, "plugins", "installed_plugins.json");
+  return (0, import_node_path16.join)((0, import_node_os5.homedir)(), homeDir, "plugins", "installed_plugins.json");
 };
 function readInstalledPlugins() {
   try {
-    return JSON.parse((0, import_node_fs15.readFileSync)(installedPluginsPath(), "utf8"));
+    return JSON.parse((0, import_node_fs18.readFileSync)(installedPluginsPath(), "utf8"));
   } catch {
     return null;
   }
 }
 function installedPluginSources() {
   return ["claude", "codex"].map((surface) => {
-    const recordPath = (0, import_node_path14.join)((0, import_node_os5.homedir)(), `.${surface}`, "plugins", "installed_plugins.json");
+    const recordPath = (0, import_node_path16.join)((0, import_node_os5.homedir)(), `.${surface}`, "plugins", "installed_plugins.json");
     try {
-      return { surface, installed: JSON.parse((0, import_node_fs15.readFileSync)(recordPath, "utf8")), recordPath };
+      return { surface, installed: JSON.parse((0, import_node_fs18.readFileSync)(recordPath, "utf8")), recordPath };
     } catch {
       return { surface, installed: null, recordPath };
     }
@@ -16295,7 +17908,7 @@ function installedPluginSources() {
 }
 function readClaudeSettings() {
   try {
-    return JSON.parse((0, import_node_fs15.readFileSync)((0, import_node_path14.join)(process.cwd(), ".claude", "settings.json"), "utf8"));
+    return JSON.parse((0, import_node_fs18.readFileSync)((0, import_node_path16.join)(process.cwd(), ".claude", "settings.json"), "utf8"));
   } catch {
     return null;
   }
@@ -16317,7 +17930,7 @@ function writeProjectInstallRecord(record) {
     const list = file.plugins[MMI_PLUGIN_ID] ?? [];
     list.push(record);
     file.plugins[MMI_PLUGIN_ID] = list;
-    (0, import_node_fs15.writeFileSync)(installedPluginsPath(), `${JSON.stringify(file, null, 2)}
+    (0, import_node_fs18.writeFileSync)(installedPluginsPath(), `${JSON.stringify(file, null, 2)}
 `, "utf8");
     return true;
   } catch {
@@ -16330,9 +17943,9 @@ function backupAndWriteInstalledPlugins(records, pluginId) {
     if (!file) return false;
     if (!file.plugins) file.plugins = {};
     const path2 = installedPluginsPath();
-    (0, import_node_fs15.copyFileSync)(path2, `${path2}.bak`);
+    (0, import_node_fs18.copyFileSync)(path2, `${path2}.bak`);
     file.plugins[pluginId] = records;
-    (0, import_node_fs15.writeFileSync)(path2, `${JSON.stringify(file, null, 2)}
+    (0, import_node_fs18.writeFileSync)(path2, `${JSON.stringify(file, null, 2)}
 `, "utf8");
     return true;
   } catch {
@@ -16340,35 +17953,35 @@ function backupAndWriteInstalledPlugins(records, pluginId) {
   }
 }
 function cursorPluginCacheRoot() {
-  return (0, import_node_path14.join)((0, import_node_os5.homedir)(), ".cursor", "plugins", "cache", "mmi", "mmi");
+  return (0, import_node_path16.join)((0, import_node_os5.homedir)(), ".cursor", "plugins", "cache", "mmi", "mmi");
 }
 function cursorPluginCachePinSnapshots() {
   const root = cursorPluginCacheRoot();
   try {
-    return (0, import_node_fs15.readdirSync)(root, { withFileTypes: true }).filter((entry) => entry.isDirectory() && !entry.name.startsWith(".")).map((entry) => {
-      const path2 = (0, import_node_path14.join)(root, entry.name);
-      const pluginJson = (0, import_node_path14.join)(path2, ".cursor-plugin", "plugin.json");
-      const hooksJson = (0, import_node_path14.join)(path2, "hooks", "hooks.json");
-      const cliBundle = (0, import_node_path14.join)(path2, "cli", "dist", "index.cjs");
+    return (0, import_node_fs18.readdirSync)(root, { withFileTypes: true }).filter((entry) => entry.isDirectory() && !entry.name.startsWith(".")).map((entry) => {
+      const path2 = (0, import_node_path16.join)(root, entry.name);
+      const pluginJson = (0, import_node_path16.join)(path2, ".cursor-plugin", "plugin.json");
+      const hooksJson = (0, import_node_path16.join)(path2, "hooks", "hooks.json");
+      const cliBundle = (0, import_node_path16.join)(path2, "cli", "dist", "index.cjs");
       let version;
       try {
-        const raw = JSON.parse((0, import_node_fs15.readFileSync)(pluginJson, "utf8"));
+        const raw = JSON.parse((0, import_node_fs18.readFileSync)(pluginJson, "utf8"));
         version = typeof raw.version === "string" ? raw.version : void 0;
       } catch {
         version = void 0;
       }
       let isEmpty = true;
       try {
-        isEmpty = (0, import_node_fs15.readdirSync)(path2).length === 0;
+        isEmpty = (0, import_node_fs18.readdirSync)(path2).length === 0;
       } catch {
         isEmpty = true;
       }
       return {
         name: entry.name,
         path: path2,
-        hasPluginJson: (0, import_node_fs15.existsSync)(pluginJson),
-        hasHooksJson: (0, import_node_fs15.existsSync)(hooksJson),
-        hasCliBundle: (0, import_node_fs15.existsSync)(cliBundle),
+        hasPluginJson: (0, import_node_fs18.existsSync)(pluginJson),
+        hasHooksJson: (0, import_node_fs18.existsSync)(hooksJson),
+        hasCliBundle: (0, import_node_fs18.existsSync)(cliBundle),
         isEmpty,
         version
       };
@@ -16378,19 +17991,19 @@ function cursorPluginCachePinSnapshots() {
   }
 }
 function hubCheckoutForCursorSeed() {
-  const manifest = (0, import_node_path14.join)(process.cwd(), "plugins", "mmi", ".cursor-plugin", "plugin.json");
-  return (0, import_node_fs15.existsSync)(manifest) ? process.cwd() : void 0;
+  const manifest = (0, import_node_path16.join)(process.cwd(), "plugins", "mmi", ".cursor-plugin", "plugin.json");
+  return (0, import_node_fs18.existsSync)(manifest) ? process.cwd() : void 0;
 }
 function mmiPluginCacheRootSnapshots() {
   const roots = [
-    { surface: "claude", root: (0, import_node_path14.join)((0, import_node_os5.homedir)(), ".claude", "plugins", "cache", "mmi", "mmi") },
-    { surface: "codex", root: (0, import_node_path14.join)((0, import_node_os5.homedir)(), ".codex", "plugins", "cache", "mmi", "mmi") }
+    { surface: "claude", root: (0, import_node_path16.join)((0, import_node_os5.homedir)(), ".claude", "plugins", "cache", "mmi", "mmi") },
+    { surface: "codex", root: (0, import_node_path16.join)((0, import_node_os5.homedir)(), ".codex", "plugins", "cache", "mmi", "mmi") }
   ];
   return roots.flatMap(({ surface, root }) => {
     try {
-      const entries = (0, import_node_fs15.readdirSync)(root, { withFileTypes: true }).map((entry) => ({
+      const entries = (0, import_node_fs18.readdirSync)(root, { withFileTypes: true }).map((entry) => ({
         name: entry.name,
-        path: (0, import_node_path14.join)(root, entry.name),
+        path: (0, import_node_path16.join)(root, entry.name),
         isDirectory: entry.isDirectory()
       }));
       return [{ surface, root, entries }];
@@ -16401,7 +18014,7 @@ function mmiPluginCacheRootSnapshots() {
 }
 function hasNestedMmiChild(versionDir) {
   try {
-    return (0, import_node_fs15.statSync)((0, import_node_path14.join)(versionDir, "mmi")).isDirectory();
+    return (0, import_node_fs18.statSync)((0, import_node_path16.join)(versionDir, "mmi")).isDirectory();
   } catch {
     return false;
   }
@@ -16412,26 +18025,28 @@ function nestedPluginTreeSnapshot() {
   );
 }
 function uniqueQuarantineTarget(path2) {
-  if (!(0, import_node_fs15.existsSync)(path2)) return path2;
+  if (!(0, import_node_fs18.existsSync)(path2)) return path2;
   for (let i = 1; i < 100; i += 1) {
     const candidate = `${path2}-${i}`;
-    if (!(0, import_node_fs15.existsSync)(candidate)) return candidate;
+    if (!(0, import_node_fs18.existsSync)(candidate)) return candidate;
   }
   return `${path2}-${Date.now()}`;
 }
 function quarantinePluginCacheDirs(plan2) {
   let moved = 0;
+  const failed = [];
   for (const move of plan2) {
     try {
-      if (!(0, import_node_fs15.existsSync)(move.from)) continue;
+      if (!(0, import_node_fs18.existsSync)(move.from)) continue;
       const target = uniqueQuarantineTarget(move.to);
-      (0, import_node_fs15.mkdirSync)((0, import_node_path14.dirname)(target), { recursive: true });
-      (0, import_node_fs15.renameSync)(move.from, target);
+      (0, import_node_fs18.mkdirSync)((0, import_node_path16.dirname)(target), { recursive: true });
+      (0, import_node_fs18.renameSync)(move.from, target);
       moved += 1;
     } catch {
+      failed.push(move);
     }
   }
-  return moved;
+  return { moved, failed };
 }
 async function robocopyMirrorEmpty(emptyDir, target) {
   try {
@@ -16444,23 +18059,23 @@ async function robocopyMirrorEmpty(emptyDir, target) {
 }
 async function clearNestedPluginTreeDir(targetPath) {
   try {
-    if (!(0, import_node_fs15.existsSync)(targetPath)) return true;
+    if (!(0, import_node_fs18.existsSync)(targetPath)) return true;
     if (isWin) {
-      const emptyDir = (0, import_node_path14.join)((0, import_node_os5.tmpdir)(), `mmi-empty-${Date.now()}`);
-      (0, import_node_fs15.mkdirSync)(emptyDir, { recursive: true });
+      const emptyDir = (0, import_node_path16.join)((0, import_node_os5.tmpdir)(), `mmi-empty-${Date.now()}`);
+      (0, import_node_fs18.mkdirSync)(emptyDir, { recursive: true });
       try {
         await robocopyMirrorEmpty(emptyDir, targetPath);
-        (0, import_node_fs15.rmSync)(targetPath, { recursive: true, force: true });
+        (0, import_node_fs18.rmSync)(targetPath, { recursive: true, force: true });
       } finally {
         try {
-          (0, import_node_fs15.rmSync)(emptyDir, { recursive: true, force: true });
+          (0, import_node_fs18.rmSync)(emptyDir, { recursive: true, force: true });
         } catch {
         }
       }
-      return !(0, import_node_fs15.existsSync)(targetPath);
+      return !(0, import_node_fs18.existsSync)(targetPath);
     }
-    (0, import_node_fs15.rmSync)(targetPath, { recursive: true, force: true });
-    return !(0, import_node_fs15.existsSync)(targetPath);
+    (0, import_node_fs18.rmSync)(targetPath, { recursive: true, force: true });
+    return !(0, import_node_fs18.existsSync)(targetPath);
   } catch {
     return false;
   }
@@ -16473,11 +18088,11 @@ async function applyNestedPluginTreeCleanup(paths, log) {
   }
   return true;
 }
-var gitignorePath = () => (0, import_node_path14.join)(process.cwd(), ".gitignore");
+var gitignorePath = () => (0, import_node_path16.join)(process.cwd(), ".gitignore");
 function readTextFile(path2) {
   try {
-    if (!(0, import_node_fs15.existsSync)(path2)) return null;
-    return (0, import_node_fs15.readFileSync)(path2, "utf8");
+    if (!(0, import_node_fs18.existsSync)(path2)) return null;
+    return (0, import_node_fs18.readFileSync)(path2, "utf8");
   } catch {
     return null;
   }
@@ -16486,9 +18101,9 @@ function playwrightMcpConfigSnapshots() {
   const cwd = process.cwd();
   const home = (0, import_node_os5.homedir)();
   const candidates = [
-    (0, import_node_path14.join)(cwd, ".cursor", "mcp.json"),
-    (0, import_node_path14.join)(home, ".cursor", "mcp.json"),
-    (0, import_node_path14.join)(home, ".codex", "config.toml")
+    (0, import_node_path16.join)(cwd, ".cursor", "mcp.json"),
+    (0, import_node_path16.join)(home, ".cursor", "mcp.json"),
+    (0, import_node_path16.join)(home, ".codex", "config.toml")
   ];
   const out = [];
   for (const path2 of candidates) {
@@ -16501,7 +18116,7 @@ function strayBrowserArtifactPaths() {
   const cwd = process.cwd();
   return STRAY_BROWSER_ARTIFACT_DIRS.filter((rel) => {
     try {
-      return (0, import_node_fs15.existsSync)((0, import_node_path14.join)(cwd, rel));
+      return (0, import_node_fs18.existsSync)((0, import_node_path16.join)(cwd, rel));
     } catch {
       return false;
     }
@@ -16509,14 +18124,14 @@ function strayBrowserArtifactPaths() {
 }
 function readGitignore() {
   try {
-    return (0, import_node_fs15.readFileSync)(gitignorePath(), "utf8");
+    return (0, import_node_fs18.readFileSync)(gitignorePath(), "utf8");
   } catch {
     return null;
   }
 }
 function writeGitignore(content) {
   try {
-    (0, import_node_fs15.writeFileSync)(gitignorePath(), content, "utf8");
+    (0, import_node_fs18.writeFileSync)(gitignorePath(), content, "utf8");
     return true;
   } catch {
     return false;
@@ -16555,7 +18170,7 @@ async function runDoctor(opts, io = consoleIo) {
   let onPath = pathProbe;
   if (!onPath) {
     const root = process.env.CLAUDE_PLUGIN_ROOT;
-    if (root && (0, import_node_fs15.existsSync)(`${root}/bin/mmi-cli${isWin ? ".cmd" : ""}`)) onPath = true;
+    if (root && (0, import_node_fs18.existsSync)(`${root}/bin/mmi-cli${isWin ? ".cmd" : ""}`)) onPath = true;
   }
   checks.push({ ok: onPath, label: "mmi-cli on PATH", fix: "auto-provisioned at session start \u2014 reopen the session, or install the MMI plugin" });
   const surface = detectSurface(process.env);
@@ -16649,6 +18264,19 @@ async function runDoctor(opts, io = consoleIo) {
         io.err(`  \u21BB updated MMI plugin \u2192 ${releasedVersion ?? "latest"} via claude plugin \u2014 ${reloadAction(surface)} to load the new commands`);
       }
     }
+    const codexStale = installedVersionCheck.staleSurfaces?.some((s) => s.surface === "codex") ?? false;
+    if (!installedVersionCheck.ok && codexStale && await applyCodexPluginHeal(surface, (m) => io.err(m))) {
+      const healed = buildInstalledPluginVersionCheck({
+        isOrgRepo: Boolean(cfg.sagaApiUrl),
+        sources: installedPluginSources(),
+        releasedVersion,
+        surface
+      });
+      installedVersionCheck = healed;
+      if (healed.ok) {
+        io.err(`  \u21BB updated MMI plugin \u2192 ${releasedVersion ?? "latest"} via codex plugin \u2014 ${reloadAction(surface)} to load the new commands`);
+      }
+    }
   }
   checks.push(installedVersionCheck);
   let cacheCleanupCheck = buildMmiPluginCacheCleanupCheck({
@@ -16659,7 +18287,8 @@ async function runDoctor(opts, io = consoleIo) {
     installedVersions: installedPluginVersions(installed)
   });
   if (!cacheCleanupCheck.ok && cacheCleanupCheck.quarantinePlan && repairLocal) {
-    const moved = quarantinePluginCacheDirs(cacheCleanupCheck.quarantinePlan);
+    const { moved, failed } = quarantinePluginCacheDirs(cacheCleanupCheck.quarantinePlan);
+    const attempted = moved + failed.length;
     if (moved > 0) {
       const surfaces = [...new Set(cacheCleanupCheck.leftovers?.map((entry) => entry.surface) ?? [])].join("/");
       const names = cacheCleanupCheck.leftovers?.map((entry) => entry.name).join(", ");
@@ -16670,8 +18299,12 @@ async function runDoctor(opts, io = consoleIo) {
         isOrgRepo: Boolean(cfg.sagaApiUrl),
         roots: mmiPluginCacheRootSnapshots(),
         activeVersion: resolveClientVersion(),
-        releasedVersion
+        releasedVersion,
+        installedVersions: installedPluginVersions(installed)
       }),
+      attemptedCount: attempted,
+      failedCount: failed.length,
+      ...failed.length > 0 ? { failedMoves: failed } : {},
       ...moved > 0 ? { cleanedCount: moved } : {}
     };
   }
@@ -16709,7 +18342,7 @@ async function runDoctor(opts, io = consoleIo) {
     isOrgRepo: Boolean(cfg.sagaApiUrl),
     surface,
     cacheRoot: cursorCacheRoot,
-    cacheRootExists: (0, import_node_fs15.existsSync)(cursorCacheRoot),
+    cacheRootExists: (0, import_node_fs18.existsSync)(cursorCacheRoot),
     pins: cursorPins,
     hubCheckout: hubCheckoutForCursorSeed(),
     releasedVersion
@@ -16720,7 +18353,7 @@ async function runDoctor(opts, io = consoleIo) {
       releasedVersion,
       hubCheckout: hubCheckoutForCursorSeed(),
       execFileP: execFileP2,
-      mkdtemp: (prefix) => (0, import_promises5.mkdtemp)((0, import_node_path14.join)((0, import_node_os5.tmpdir)(), prefix)),
+      mkdtemp: (prefix) => (0, import_promises5.mkdtemp)((0, import_node_path16.join)((0, import_node_os5.tmpdir)(), prefix)),
       log: (m) => io.err(m)
     });
     if (seeded) {
@@ -16729,7 +18362,7 @@ async function runDoctor(opts, io = consoleIo) {
         isOrgRepo: Boolean(cfg.sagaApiUrl),
         surface,
         cacheRoot: cursorCacheRoot,
-        cacheRootExists: (0, import_node_fs15.existsSync)(cursorCacheRoot),
+        cacheRootExists: (0, import_node_fs18.existsSync)(cursorCacheRoot),
         pins: cursorPins,
         hubCheckout: hubCheckoutForCursorSeed(),
         releasedVersion
@@ -16812,6 +18445,7 @@ program2.command("session-start").description("run the SessionStart verbs (rules
   const { parallel, sequential } = buildSessionStartPlan({
     rulesSync: (io) => runRulesSync({ quiet: true }, io),
     sagaShow: (io) => runSagaShow({ quiet: true }, io),
+    handoffOffer: (io) => runHandoffOffer(io, { fast: true }),
     // honcho profile (#1162): inject the behavioral-memory prior (peer card). Bounded + fail-soft +
     // silent when off/empty, so it never delays or noises the session banner.
     honchoContext: (io) => runHonchoContext({ quiet: true, banner: true }, io),
@@ -16845,6 +18479,12 @@ program2.command("session-start").description("run the SessionStart verbs (rules
   await runSessionStart(parallel, sequential, consoleIo);
   consoleIo.log(northstarPointer(northstarInjected));
   for (const line of planStoreLines(process.cwd())) consoleIo.log(line);
+  for (const line of scratchGcLines(process.cwd())) consoleIo.log(line);
+  const worktreeBanner = worktreeAutoProvisionBanner(process.cwd());
+  if (worktreeBanner) {
+    spawnDetachedSelf(["worktree", "setup", "--quiet"], { spawn: import_node_child_process10.spawn, execPath: process.execPath, scriptPath: process.argv[1] });
+    consoleIo.log(worktreeBanner);
+  }
 });
 installProcessBackstop();
 program2.parseAsync().catch((e) => failGraceful(e.message));