@mutmutco/cli 2.40.3 → 2.42.0

package/dist/main.cjs

@@ -3392,7 +3392,7 @@ var program = new Command();
 
 // src/index.ts
 var import_promises7 = require("node:fs/promises");
-var import_node_fs22 = require("node:fs");
+var import_node_fs23 = require("node:fs");
 
 // src/rules-sync.ts
 function normalizeEol(s) {
@@ -5168,11 +5168,11 @@ function parseHandoffText(text) {
     const sourceSessionId = clean(raw.sourceSessionId);
     const createdAt = clean(raw.createdAt);
     if (state !== "open" && state !== "claimed" && state !== "cancelled") return null;
-    if (!key || !northStarSlug || !summary || !sourceSessionId || !createdAt) return null;
+    if (!key || !summary || !sourceSessionId || !createdAt) return null;
     return {
       state,
       key,
-      northStarSlug,
+      northStarSlug: northStarSlug || void 0,
       summary,
       sourceSessionId,
       sourceBranch: clean(raw.sourceBranch) || void 0,
@@ -5190,20 +5190,19 @@ function listHandoffs(head, opts = {}) {
 }
 function findOpenHandoff(head, key) {
   const normalized = normalizeHandoffKey(key).toLowerCase();
-  return listHandoffs(head).find((item) => item.record.key.toLowerCase() === normalized || item.record.northStarSlug.toLowerCase() === normalized);
+  return listHandoffs(head).find((item) => item.record.key.toLowerCase() === normalized || item.record.northStarSlug?.toLowerCase() === normalized);
 }
 function planOpenHandoff(input) {
   const key = normalizeHandoffKey(input.key);
   const northStarSlug = clean(input.northStarSlug);
   const summary = clean(input.summary);
   const sourceSessionId = clean(input.sourceSessionId);
-  if (!northStarSlug) throw new Error("north star slug is required");
   if (!summary) throw new Error("handoff summary is required");
   if (!sourceSessionId) throw new Error("source session id is required");
   return {
     state: "open",
     key,
-    northStarSlug,
+    northStarSlug: northStarSlug || void 0,
     summary,
     sourceSessionId,
     sourceBranch: clean(input.sourceBranch) || void 0,
@@ -5222,7 +5221,7 @@ function formatHandoffLine(item) {
   const r = item.record;
   const branch = r.sourceBranch ? ` branch:${r.sourceBranch}` : "";
   const suffix = r.state === "claimed" && r.claimedBySessionId ? ` -> ${r.claimedBySessionId}` : "";
-  return `${r.key} [${r.state}] northstar:${r.northStarSlug}${branch} source:${r.sourceSessionId}${suffix} - ${r.summary}`;
+  return `${r.key} [${r.state}] northstar:${r.northStarSlug ?? "-"}${branch} source:${r.sourceSessionId}${suffix} - ${r.summary}`;
 }
 
 // src/handoff-commands.ts
@@ -5298,7 +5297,7 @@ async function locateClaimedHandoff(key, claimedBySessionId, retry = FOREGROUND_
   const normalized = key.toLowerCase();
   return handoffs.find((item) => {
     const r = item.record;
-    return r.state === "claimed" && r.claimedBySessionId === claimedBySessionId && (r.key.toLowerCase() === normalized || r.northStarSlug.toLowerCase() === normalized);
+    return r.state === "claimed" && r.claimedBySessionId === claimedBySessionId && (r.key.toLowerCase() === normalized || r.northStarSlug?.toLowerCase() === normalized);
   }) ?? null;
 }
 async function postKeyedNote(key, summary, options) {
@@ -5312,9 +5311,12 @@ async function postKeyedNote(key, summary, options) {
 function deriveOpenFields(summary, opts, head, key) {
   const northStarSlug = opts.northStarSlug ?? head.anchor?.slug;
   const handoffKey = opts.key ?? northStarSlug;
+  if (!handoffKey?.trim()) {
+    throw new Error("a handoff needs a key: pass --key <slug|#issue> (or --next), or open it on a session with a North Star anchor");
+  }
   const text = summary?.trim() || head.next?.trim() || head.anchor?.intent?.trim();
   return planOpenHandoff({
-    key: handoffKey ?? "",
+    key: handoffKey,
     northStarSlug: northStarSlug ?? "",
     summary: text ?? "",
     sourceSessionId: key.sessionId,
@@ -5390,7 +5392,7 @@ async function closeSourceHandoff(key, state, opts = {}, io = consoleIo) {
       anchor: located.item.record.summary,
       anchorSlug: located.item.record.northStarSlug,
       anchorForce: true,
-      decision: `accepted handoff ${located.item.record.key} from session ${located.item.record.sourceSessionId}; northstar ${located.item.record.northStarSlug}`,
+      decision: `accepted handoff ${located.item.record.key} from session ${located.item.record.sourceSessionId}; northstar ${located.item.record.northStarSlug ?? "(none)"}`,
       verified: true
     });
   }
@@ -5412,7 +5414,7 @@ async function runHandoffDecline(key, opts = {}, io = consoleIo) {
 }
 function registerHandoffCommands(program3) {
   const handoff = program3.command("handoff").description("explicit saga + North Star handoff lifecycle");
-  handoff.command("open [summary]").description("open a handoff bound to the current North Star slug").option("--key <slug|#issue>", "handoff key (defaults to the current North Star slug)").option("--north-star-slug <slug>", "North Star slug to bind (defaults to current saga anchor slug)").option("--message-file <path|->", "read the handoff summary from a UTF-8 file, or from stdin with - (avoids cmd.exe quoting)").option("--json", "machine-readable output").action((summary, opts) => runHandoffOpen(summary, opts));
+  handoff.command("open [summary]").description("open a handoff bound to a North Star slug or a board issue (--key/--next)").option("--key <slug|#issue>", "handoff key: a North Star slug or a board issue (defaults to the current North Star slug)").option("--next <slug|#issue>", "alias for --key (mirrors `saga note --next`)").option("--north-star-slug <slug>", "North Star slug to bind (optional; omit for an issue-bound handoff)").option("--message-file <path|->", "read the handoff summary from a UTF-8 file, or from stdin with - (avoids cmd.exe quoting)").option("--json", "machine-readable output").action((summary, opts) => runHandoffOpen(summary, { ...opts, key: opts.key ?? opts.next }));
   handoff.command("list").description("list open handoffs for the current repo (any branch)").option("--all", "include claimed/cancelled records").option("--json", "machine-readable output").action(async (opts) => {
     await runHandoffList(opts);
   });
@@ -5678,7 +5680,16 @@ async function secretsCapabilities(deps, opts) {
     return;
   }
   if (!res.ok) {
-    deps.err(await upgradeMessage(res) ?? `access capabilities failed: HTTP ${res.status}${await readErr(res)}`);
+    const upgrade = await upgradeMessage(res);
+    if (upgrade) {
+      deps.err(upgrade);
+    } else if (res.status === 404) {
+      deps.err(
+        "access capabilities: the Hub API did not recognize /secrets/capabilities (HTTP 404). This endpoint ships in the Hub, so a 404 means the deployed Hub predates this command and should answer once a Hub release carrying this command is deployed \u2014 it is not an authorization or missing-credential error."
+      );
+    } else {
+      deps.err(`access capabilities failed: HTTP ${res.status}${await readErr(res)}`);
+    }
     return;
   }
   const report = await res.json();
@@ -6152,7 +6163,6 @@ function buildIngestPayload(args) {
 }
 
 // src/honcho-client.ts
-var HONCHO_ASSISTANT_PEER = "assistant";
 function parseHonchoQueueStatus(json) {
   const o = json && typeof json === "object" ? json : {};
   const pendingRaw = o.pending_work_units ?? o.depth ?? o.queue_depth ?? o.pending;
@@ -6205,9 +6215,9 @@ async function ingestPost(cfg, body, fetchImpl = fetch, timeoutMs = 1e4) {
     const session = String(body.session ?? "");
     const meta = body.meta && typeof body.meta === "object" ? body.meta : {};
     const rawMessages = Array.isArray(body.messages) ? body.messages : [];
-    const messages = rawMessages.filter((m) => m && typeof m.content === "string" && m.content.trim().length > 0).map((m) => ({
+    const messages = rawMessages.filter((m) => m && m.role === "user" && typeof m.content === "string" && m.content.trim().length > 0).map((m) => ({
       content: m.content,
-      peer_id: m.role === "user" ? peer : HONCHO_ASSISTANT_PEER,
+      peer_id: peer,
       metadata: { role: m.role, ...meta }
     }));
     if (!peer || !session || !messages.length) return { ok: true, threw: false, status: 204 };
@@ -6216,7 +6226,8 @@ async function ingestPost(cfg, body, fetchImpl = fetch, timeoutMs = 1e4) {
     if (res.status === 404) {
       const ensured = await request(cfg, fetchImpl, "POST", honchoRoutes.sessions(cfg.workspace), {
         id: session,
-        peers: { [peer]: {}, [HONCHO_ASSISTANT_PEER]: {} }
+        peers: { [peer]: {} }
+        // only the human peer — assistant turns are no longer ingested (#1775)
       }, timeoutMs);
       if (!ensured.ok && ensured.status !== 409) {
         if (ensured.status >= 500) return { ok: false, threw: true, message: `honcho session-ensure ${ensured.status}` };
@@ -6366,7 +6377,7 @@ function spawnHonchoFlush() {
   } catch {
   }
 }
-var DEFAULT_INGEST_MIN_INTERVAL_SEC = 60;
+var DEFAULT_INGEST_MIN_INTERVAL_SEC = 300;
 function honchoThrottlePath(key) {
   const safe = (s) => s.replace(/[^A-Za-z0-9._-]/g, "_");
   return `.mmi/head-ts/honcho/${safe(key.project)}/${safe(key.branch)}`;
@@ -6398,7 +6409,12 @@ async function resolveSummaryText(summary, messageFile) {
   }
   return "";
 }
+function isAutomatedSession(env = process.env) {
+  const v = env.GITHUB_ACTIONS;
+  return !!v && v !== "false" && v !== "0";
+}
 async function runHonchoIngest(opts) {
+  if (isAutomatedSession()) return;
   const cfg = await loadConfig();
   const peer = honchoPeerId(await honchoLogin(cfg), cfg);
   if (!peer) return;
@@ -7091,6 +7107,9 @@ function northstarPointer(injected = false) {
   }
   return "North Stars: run `mmi-cli northstar relevant` to load plans relevant to your task (`northstar list` for all).";
 }
+function kbPointer() {
+  return "MM-KB (org knowledge): start at `mmi-cli kb get kb/INDEX.md`, then `kb get <path>` \u2014 consult before inventing conventions or storing long-term docs.";
+}
 
 // src/board.ts
 var import_node_child_process7 = require("node:child_process");
@@ -8009,9 +8028,47 @@ function ghError(e) {
   return (err.stderr || err.message || String(e)).trim();
 }
 
+// src/board-slice-cache.ts
+var import_node_fs14 = require("node:fs");
+var import_node_path12 = require("node:path");
+var BOARD_SLICE_CACHE_FILE = (0, import_node_path12.join)(".mmi", "board-slice.json");
+var BOARD_SLICE_CACHE_TTL_MS = 10 * 60 * 1e3;
+function boardSliceCachePath(cwd) {
+  return (0, import_node_path12.join)(cwd, BOARD_SLICE_CACHE_FILE);
+}
+function readCachedBoardSlice(cwd) {
+  try {
+    const parsed = JSON.parse((0, import_node_fs14.readFileSync)(boardSliceCachePath(cwd), "utf8"));
+    if (typeof parsed.ts !== "number") return null;
+    return { block: typeof parsed.block === "string" ? parsed.block : null, ts: parsed.ts };
+  } catch {
+    return null;
+  }
+}
+function writeCachedBoardSlice(cwd, slice) {
+  const path2 = boardSliceCachePath(cwd);
+  const tmp = `${path2}.${process.pid}.tmp`;
+  try {
+    (0, import_node_fs14.mkdirSync)((0, import_node_path12.dirname)(path2), { recursive: true });
+    (0, import_node_fs14.writeFileSync)(tmp, JSON.stringify(slice));
+    (0, import_node_fs14.renameSync)(tmp, path2);
+  } catch {
+    try {
+      (0, import_node_fs14.rmSync)(tmp, { force: true });
+    } catch {
+    }
+  }
+}
+function boardSliceCacheStale(cached, now, ttlMs = BOARD_SLICE_CACHE_TTL_MS) {
+  return !cached || now - cached.ts >= ttlMs;
+}
+
 // src/board-slice.ts
 var SESSION_START_BOARD_TIMEOUT_MS = 3e3;
+var BOARD_SLICE_REFRESH_TIMEOUT_MS = 3e4;
 var BOARD_SLICE_FRAMING = "BOARD SLICE \u2014 reconcile with saga HEAD; board Status is authoritative for work lifecycle.";
+var BOARD_SLICE_EMPTY = "Board: nothing assigned or claimable right now \u2014 `mmi-cli board read` (or `/mmi`) for the full board.";
+var BOARD_SLICE_PENDING = "Board: loading your slice in the background \u2014 run `/mmi` now; it renders here next session.";
 var BOARD_SLICE_MAX_LINES = 5;
 var ACTIVE_STATUS_ORDER = {
   "In Progress": 0,
@@ -8072,12 +8129,25 @@ async function withTimeout(promise, ms) {
   }
 }
 async function runBoardSlice(io, deps, opts) {
+  const cwd = deps.cwd ?? process.cwd();
+  const now = deps.now ?? Date.now();
+  let cfg;
+  try {
+    cfg = await deps.loadConfig();
+  } catch {
+    return;
+  }
+  if (!boardMetaConfigured(cfg)) return;
+  const cached = readCachedBoardSlice(cwd);
+  if (boardSliceCacheStale(cached, now)) deps.scheduleRefresh?.();
+  if (cached) {
+    io.log(cached.block ?? BOARD_SLICE_EMPTY);
+    return;
+  }
   const budget = deps.timeoutMs ?? SESSION_START_BOARD_TIMEOUT_MS;
   const controller = new AbortController();
   const deadline = setTimeout(() => controller.abort(), budget);
   try {
-    const cfg = await deps.loadConfig();
-    if (!boardMetaConfigured(cfg)) return;
     const client = deps.client ?? createGitHubClient({ defaultTimeoutMs: budget, signal: controller.signal });
     const report = await withTimeout(
       deps.readBoard({ config: cfg, allowPartial: true }, { client }),
@@ -8085,7 +8155,26 @@ async function runBoardSlice(io, deps, opts) {
     );
     if (opts?.expectedLogin && report.viewer && opts.expectedLogin !== report.viewer) return;
     const block = renderBoardSlice(report);
-    if (block) io.log(block);
+    writeCachedBoardSlice(cwd, { block, ts: now });
+    io.log(block ?? BOARD_SLICE_EMPTY);
+  } catch {
+    io.log(BOARD_SLICE_PENDING);
+  } finally {
+    clearTimeout(deadline);
+  }
+}
+async function refreshBoardSliceCache(deps) {
+  const cwd = deps.cwd ?? process.cwd();
+  const now = deps.now ?? Date.now();
+  const budget = deps.timeoutMs ?? BOARD_SLICE_REFRESH_TIMEOUT_MS;
+  const controller = new AbortController();
+  const deadline = setTimeout(() => controller.abort(), budget);
+  try {
+    const cfg = await deps.loadConfig();
+    if (!boardMetaConfigured(cfg)) return;
+    const client = deps.client ?? createGitHubClient({ defaultTimeoutMs: budget, signal: controller.signal });
+    const report = await withTimeout(deps.readBoard({ config: cfg, allowPartial: true }, { client }), budget);
+    writeCachedBoardSlice(cwd, { block: renderBoardSlice(report), ts: now });
   } catch {
   } finally {
     clearTimeout(deadline);
@@ -8093,8 +8182,8 @@ async function runBoardSlice(io, deps, opts) {
 }
 
 // src/worktree.ts
-var import_node_fs14 = require("node:fs");
-var import_node_path12 = require("node:path");
+var import_node_fs15 = require("node:fs");
+var import_node_path13 = require("node:path");
 var LOCAL_ONLY_FILES = [".claude/settings.local.json"];
 var PKG = "package.json";
 var LOCKFILE = "package-lock.json";
@@ -8102,21 +8191,21 @@ var NODE_MODULES = "node_modules";
 var realFsProbe = {
   isDir: (p) => {
     try {
-      return (0, import_node_fs14.statSync)(p).isDirectory();
+      return (0, import_node_fs15.statSync)(p).isDirectory();
     } catch {
       return false;
     }
   },
   isFile: (p) => {
     try {
-      return (0, import_node_fs14.statSync)(p).isFile();
+      return (0, import_node_fs15.statSync)(p).isFile();
     } catch {
       return false;
     }
   },
   listDirs: (p) => {
     try {
-      return (0, import_node_fs14.readdirSync)(p, { withFileTypes: true }).filter((e) => e.isDirectory()).map((e) => e.name);
+      return (0, import_node_fs15.readdirSync)(p, { withFileTypes: true }).filter((e) => e.isDirectory()).map((e) => e.name);
     } catch {
       return [];
     }
@@ -8124,12 +8213,12 @@ var realFsProbe = {
 };
 function scanInstallDirs(root, fs2 = realFsProbe) {
   const factsFor = (dir) => {
-    const abs = dir ? (0, import_node_path12.join)(root, dir) : root;
+    const abs = dir ? (0, import_node_path13.join)(root, dir) : root;
     return {
       dir,
-      hasPackageJson: fs2.isFile((0, import_node_path12.join)(abs, PKG)),
-      hasLockfile: fs2.isFile((0, import_node_path12.join)(abs, LOCKFILE)),
-      hasNodeModules: fs2.isDir((0, import_node_path12.join)(abs, NODE_MODULES))
+      hasPackageJson: fs2.isFile((0, import_node_path13.join)(abs, PKG)),
+      hasLockfile: fs2.isFile((0, import_node_path13.join)(abs, LOCKFILE)),
+      hasNodeModules: fs2.isDir((0, import_node_path13.join)(abs, NODE_MODULES))
     };
   };
   const children = fs2.listDirs(root).filter((name) => name !== NODE_MODULES && name !== ".git");
@@ -8139,7 +8228,7 @@ function npmInstallTargets(dirs) {
   return dirs.filter((d) => d.hasPackageJson && !d.hasNodeModules).map((d) => ({ dir: d.dir, command: d.hasLockfile ? "npm ci" : "npm install" }));
 }
 function isLinkedWorktree(root, fs2 = realFsProbe) {
-  return fs2.isFile((0, import_node_path12.join)(root, ".git"));
+  return fs2.isFile((0, import_node_path13.join)(root, ".git"));
 }
 function worktreeAutoProvisionBanner(root, fs2 = realFsProbe) {
   if (!isLinkedWorktree(root, fs2)) return null;
@@ -8149,8 +8238,8 @@ function worktreeAutoProvisionBanner(root, fs2 = realFsProbe) {
   return `[worktree] provisioning tooling in the background (deps in ${where} + local config) \u2014 \`mmi-cli worktree setup\` to redo`;
 }
 function defaultCopyFile(from, to) {
-  (0, import_node_fs14.mkdirSync)((0, import_node_path12.dirname)(to), { recursive: true });
-  (0, import_node_fs14.copyFileSync)(from, to);
+  (0, import_node_fs15.mkdirSync)((0, import_node_path13.dirname)(to), { recursive: true });
+  (0, import_node_fs15.copyFileSync)(from, to);
 }
 async function provisionWorktree(worktreeRoot, deps) {
   const fs2 = deps.fs ?? realFsProbe;
@@ -8162,7 +8251,7 @@ async function provisionWorktree(worktreeRoot, deps) {
   const skippedInstall = allDirs.filter((d) => d.hasPackageJson && d.hasNodeModules).map((d) => d.dir);
   const installed = [];
   for (const target of targets) {
-    const cwd = target.dir ? (0, import_node_path12.join)(worktreeRoot, target.dir) : worktreeRoot;
+    const cwd = target.dir ? (0, import_node_path13.join)(worktreeRoot, target.dir) : worktreeRoot;
     log(`installing deps: ${target.command} in ${target.dir || "."}`);
     await deps.runInstall(target.command, cwd);
     installed.push(target);
@@ -8171,7 +8260,7 @@ async function provisionWorktree(worktreeRoot, deps) {
   const copySkipped = [];
   const primary = await deps.primaryCheckout();
   for (const rel of LOCAL_ONLY_FILES) {
-    const dest = (0, import_node_path12.join)(worktreeRoot, rel);
+    const dest = (0, import_node_path13.join)(worktreeRoot, rel);
     if (fs2.isFile(dest)) {
       copySkipped.push({ file: rel, reason: "already-present" });
       continue;
@@ -8180,11 +8269,11 @@ async function provisionWorktree(worktreeRoot, deps) {
       copySkipped.push({ file: rel, reason: "no-primary" });
       continue;
     }
-    if (!fs2.isFile((0, import_node_path12.join)(primary, rel))) {
+    if (!fs2.isFile((0, import_node_path13.join)(primary, rel))) {
       copySkipped.push({ file: rel, reason: "absent-in-primary" });
       continue;
     }
-    copyFile((0, import_node_path12.join)(primary, rel), dest);
+    copyFile((0, import_node_path13.join)(primary, rel), dest);
     copied.push(rel);
     log(`copied local config: ${rel}`);
   }
@@ -8192,7 +8281,7 @@ async function provisionWorktree(worktreeRoot, deps) {
 }
 function defaultWorktreePath(repoRoot, branch) {
   const safe = branch.replace(/[/\\]+/g, "-");
-  return (0, import_node_path12.join)((0, import_node_path12.dirname)(repoRoot), "mmi-worktrees", safe);
+  return (0, import_node_path13.join)((0, import_node_path13.dirname)(repoRoot), "mmi-worktrees", safe);
 }
 
 // src/frontmatter.ts
@@ -8390,7 +8479,7 @@ async function runNorthstarContext(io, deps) {
 }
 
 // src/index.ts
-var import_node_path19 = require("node:path");
+var import_node_path20 = require("node:path");
 
 // src/merge-ci-policy.ts
 function resolveMergeCiPolicy(input) {
@@ -8691,6 +8780,11 @@ function diffManagedGitignoreBlock(current) {
     seeded: false
   };
 }
+function planManagedGitignore(current) {
+  const { content, changed } = upsertManagedGitignoreBlock(current);
+  const { added, removed } = diffManagedGitignoreBlock(current);
+  return { changed, content, added, removed };
+}
 
 // src/project-model.ts
 var PROJECT_TYPES = ["web-app", "hub-service", "content", "desktop-game", "non-deployable", "cli-tool", "worker"];
@@ -9589,7 +9683,7 @@ var import_node_os6 = require("node:os");
 // src/gh-create.ts
 var import_promises5 = require("node:fs/promises");
 var import_node_os4 = require("node:os");
-var import_node_path13 = require("node:path");
+var import_node_path14 = require("node:path");
 var import_node_crypto6 = require("node:crypto");
 var ISSUE_TYPES = ["bug", "feature", "task"];
 var GH_MUTATION_TIMEOUT_MS = 12e4;
@@ -9630,7 +9724,7 @@ async function bodyArgsViaFile(args, deps = {}) {
   } };
   const write = deps.write ?? import_promises5.writeFile;
   const remove = deps.remove ?? import_promises5.unlink;
-  const file = (0, import_node_path13.join)(deps.dir ?? (0, import_node_os4.tmpdir)(), `mmi-gh-body-${process.pid}-${(0, import_node_crypto6.randomBytes)(4).toString("hex")}.md`);
+  const file = (0, import_node_path14.join)(deps.dir ?? (0, import_node_os4.tmpdir)(), `mmi-gh-body-${process.pid}-${(0, import_node_crypto6.randomBytes)(4).toString("hex")}.md`);
   await write(file, args[i + 1], "utf8");
   return {
     args: [...args.slice(0, i), "--body-file", file, ...args.slice(i + 2)],
@@ -9672,6 +9766,44 @@ function buildPrArgs({ title, body, base: base2, head, repo }) {
   return args;
 }
 
+// src/issue-check.ts
+var CHECKLIST_RE = /^([ \t]*[-*+] \[)([ xX])(\] )(.*)$/gm;
+function findChecklistItems(body) {
+  const items = [];
+  for (const m of body.matchAll(CHECKLIST_RE)) {
+    const prefix = m[1];
+    const marker = m[2];
+    const text = m[4].replace(/\r$/, "");
+    items.push({
+      markerIndex: (m.index ?? 0) + prefix.length,
+      checked: marker.toLowerCase() === "x",
+      text
+    });
+  }
+  return items;
+}
+function selectChecklistItem(items, query) {
+  const q = query.trim();
+  if (!q) return { ok: false, reason: "not-found" };
+  const exact = items.filter((it) => it.text.trim() === q);
+  if (exact.length === 1) return { ok: true, item: exact[0] };
+  if (exact.length > 1) return { ok: false, reason: "ambiguous", matches: exact };
+  const sub = items.filter((it) => it.text.includes(q));
+  if (sub.length === 1) return { ok: true, item: sub[0] };
+  if (sub.length === 0) return { ok: false, reason: "not-found" };
+  return { ok: false, reason: "ambiguous", matches: sub };
+}
+function setChecklistMarker(body, item, checked) {
+  if (item.checked === checked) return { body, changed: false };
+  const target = checked ? "x" : " ";
+  return { body: body.slice(0, item.markerIndex) + target + body.slice(item.markerIndex + 1), changed: true };
+}
+function applyChecklistCheck(body, query, checked) {
+  const sel = selectChecklistItem(findChecklistItems(body), query);
+  if (!sel.ok) return sel;
+  return { ok: true, edit: setChecklistMarker(body, sel.item, checked), item: sel.item };
+}
+
 // src/command-manifest.ts
 function buildArgument(arg) {
   const out = { name: arg.name(), required: arg.required, variadic: arg.variadic };
@@ -11193,9 +11325,9 @@ function decideStage(inputs) {
 
 // src/cursor-plugin-seed.ts
 var import_node_child_process8 = require("node:child_process");
-var import_node_fs15 = require("node:fs");
+var import_node_fs16 = require("node:fs");
 var import_node_os5 = require("node:os");
-var import_node_path14 = require("node:path");
+var import_node_path15 = require("node:path");
 var import_node_util6 = require("node:util");
 function isSemverVersion(v) {
   return typeof v === "string" && /^v?\d+\.\d+\.\d+/.test(v.trim());
@@ -11212,17 +11344,17 @@ function ghReleaseTarballApiArgs(tag) {
 }
 function cursorUserGlobalStatePath() {
   if (process.platform === "win32") {
-    const base2 = process.env.APPDATA || (0, import_node_path14.join)((0, import_node_os5.homedir)(), "AppData", "Roaming");
-    return (0, import_node_path14.join)(base2, "Cursor", "User", "globalStorage", "state.vscdb");
+    const base2 = process.env.APPDATA || (0, import_node_path15.join)((0, import_node_os5.homedir)(), "AppData", "Roaming");
+    return (0, import_node_path15.join)(base2, "Cursor", "User", "globalStorage", "state.vscdb");
   }
   if (process.platform === "darwin") {
-    return (0, import_node_path14.join)((0, import_node_os5.homedir)(), "Library", "Application Support", "Cursor", "User", "globalStorage", "state.vscdb");
+    return (0, import_node_path15.join)((0, import_node_os5.homedir)(), "Library", "Application Support", "Cursor", "User", "globalStorage", "state.vscdb");
   }
-  return (0, import_node_path14.join)((0, import_node_os5.homedir)(), ".config", "Cursor", "User", "globalStorage", "state.vscdb");
+  return (0, import_node_path15.join)((0, import_node_os5.homedir)(), ".config", "Cursor", "User", "globalStorage", "state.vscdb");
 }
 async function readCursorThirdPartyExtensibilityEnabled(execFileP5) {
   const dbPath = cursorUserGlobalStatePath();
-  if (!(0, import_node_fs15.existsSync)(dbPath)) return void 0;
+  if (!(0, import_node_fs16.existsSync)(dbPath)) return void 0;
   try {
     const { stdout } = await execFileP5("sqlite3", [dbPath, `SELECT value FROM ItemTable WHERE key = '${CURSOR_THIRD_PARTY_STATE_KEY}';`], {
       timeout: 5e3
@@ -11236,57 +11368,57 @@ async function readCursorThirdPartyExtensibilityEnabled(execFileP5) {
   }
 }
 function syncDirContents(src, dest) {
-  (0, import_node_fs15.mkdirSync)(dest, { recursive: true });
-  for (const name of (0, import_node_fs15.readdirSync)(dest)) {
-    (0, import_node_fs15.rmSync)((0, import_node_path14.join)(dest, name), { recursive: true, force: true });
+  (0, import_node_fs16.mkdirSync)(dest, { recursive: true });
+  for (const name of (0, import_node_fs16.readdirSync)(dest)) {
+    (0, import_node_fs16.rmSync)((0, import_node_path15.join)(dest, name), { recursive: true, force: true });
   }
-  (0, import_node_fs15.cpSync)(src, dest, { recursive: true });
+  (0, import_node_fs16.cpSync)(src, dest, { recursive: true });
 }
 function releaseTag(releasedVersion) {
   return releasedVersion.startsWith("v") ? releasedVersion : `v${releasedVersion}`;
 }
 async function extractPluginMmiFromHubCheckout(hubCheckout, tag, tmpRoot, execFileP5) {
-  const tarFile = (0, import_node_path14.join)(tmpRoot, "archive.tar");
+  const tarFile = (0, import_node_path15.join)(tmpRoot, "archive.tar");
   try {
     await execFileP5("git", gitFetchReleaseTagArgs(hubCheckout, tag), { timeout: 6e4 });
     await execFileP5("git", ["-C", hubCheckout, "archive", "--format=tar", `--output=${tarFile}`, tag, "plugins/mmi"], {
       timeout: 6e4
     });
     await execFileP5("tar", ["-xf", tarFile, "-C", tmpRoot], { timeout: 6e4 });
-    const pluginMmi = (0, import_node_path14.join)(tmpRoot, "plugins", "mmi");
-    return (0, import_node_fs15.existsSync)((0, import_node_path14.join)(pluginMmi, PLUGIN_JSON_REL)) ? pluginMmi : void 0;
+    const pluginMmi = (0, import_node_path15.join)(tmpRoot, "plugins", "mmi");
+    return (0, import_node_fs16.existsSync)((0, import_node_path15.join)(pluginMmi, PLUGIN_JSON_REL)) ? pluginMmi : void 0;
   } catch {
     return void 0;
   }
 }
 async function downloadPluginMmiViaGh(tag, tmpRoot) {
-  const tarPath = (0, import_node_path14.join)(tmpRoot, "repo.tgz");
+  const tarPath = (0, import_node_path15.join)(tmpRoot, "repo.tgz");
   try {
-    (0, import_node_fs15.mkdirSync)(tmpRoot, { recursive: true });
+    (0, import_node_fs16.mkdirSync)(tmpRoot, { recursive: true });
     const { stdout } = await execFileBuffer("gh", ghReleaseTarballApiArgs(tag), {
       timeout: 12e4,
       maxBuffer: 100 * 1024 * 1024,
       encoding: "buffer",
       windowsHide: true
     });
-    (0, import_node_fs15.writeFileSync)(tarPath, stdout);
+    (0, import_node_fs16.writeFileSync)(tarPath, stdout);
     await execFileBuffer("tar", ["-xzf", tarPath, "-C", tmpRoot], { timeout: 12e4, windowsHide: true });
-    const top = (0, import_node_fs15.readdirSync)(tmpRoot).find((entry) => entry !== "repo.tgz");
+    const top = (0, import_node_fs16.readdirSync)(tmpRoot).find((entry) => entry !== "repo.tgz");
     if (!top) return void 0;
-    const pluginMmi = (0, import_node_path14.join)(tmpRoot, top, "plugins", "mmi");
-    return (0, import_node_fs15.existsSync)((0, import_node_path14.join)(pluginMmi, PLUGIN_JSON_REL)) ? pluginMmi : void 0;
+    const pluginMmi = (0, import_node_path15.join)(tmpRoot, top, "plugins", "mmi");
+    return (0, import_node_fs16.existsSync)((0, import_node_path15.join)(pluginMmi, PLUGIN_JSON_REL)) ? pluginMmi : void 0;
   } catch {
     return void 0;
   }
 }
 async function resolvePluginMmiSource(releasedVersion, hubCheckout, tmpRoot, execFileP5) {
-  (0, import_node_fs15.mkdirSync)(tmpRoot, { recursive: true });
+  (0, import_node_fs16.mkdirSync)(tmpRoot, { recursive: true });
   const tag = releaseTag(releasedVersion);
   if (hubCheckout) {
     const fromHub = await extractPluginMmiFromHubCheckout(hubCheckout, tag, tmpRoot, execFileP5);
     if (fromHub) return fromHub;
   }
-  return downloadPluginMmiViaGh(tag, (0, import_node_path14.join)(tmpRoot, "gh"));
+  return downloadPluginMmiViaGh(tag, (0, import_node_path15.join)(tmpRoot, "gh"));
 }
 function cursorPluginPinsNeedingSeed(pins, releasedVersion) {
   if (!isSemverVersion(releasedVersion)) return pins.filter((pin) => !pin.hasPluginJson || !pin.hasHooksJson || pin.isEmpty);
@@ -11307,7 +11439,7 @@ async function applyCursorPluginCacheSeed(input) {
   for (const pin of pinsToSeed) {
     syncDirContents(source, pin.path);
   }
-  (0, import_node_fs15.rmSync)(tmpRoot, { recursive: true, force: true });
+  (0, import_node_fs16.rmSync)(tmpRoot, { recursive: true, force: true });
   return true;
 }
 
@@ -11348,6 +11480,17 @@ function pluginInstallManualFix(projectPath, surface = "claude-cli") {
 function isMmiPluginEnabled(settings) {
   return Boolean(settings?.enabledPlugins?.[MMI_PLUGIN_ID]);
 }
+function buildSettingsPluginDriftCheck(input) {
+  const base2 = {
+    ok: true,
+    label: "org plugin wiring in .claude/settings.json (mmi@mutmutco)",
+    fix: "the Claude Code app pruned mmi@mutmutco from the tracked .claude/settings.json (it does this at session start when the mutmutco marketplace source does not resolve, #1805); restore it with `git checkout -- .claude/settings.json` before committing, or the whole org skill set is disabled for the branch"
+  };
+  const enabled = input.settings?.enabledPlugins;
+  if (!input.isOrgRepo || !enabled || Object.keys(enabled).length === 0) return base2;
+  if (!enabled[MMI_PLUGIN_ID]) return { ...base2, ok: false };
+  return base2;
+}
 function hasProjectInstallRecord(file, pluginId, projectPath) {
   const records = file?.plugins?.[pluginId];
   if (!Array.isArray(records)) return false;
@@ -11913,8 +12056,8 @@ function stageLiveUpSteps(t) {
       command: `gh ${ghDispatchArgs("tenant-deploy.yml", { slug: t.slug, repo: t.repo, ref: t.ref ?? "<branch>", stage: "dev" }).join(" ")}`
     },
     {
-      label: "record your IP as the dev allowlist (box writes /opt/mmi/<slug>/dev/allowlist + reloads Caddy)",
-      command: `gh ${ghDispatchArgs("tenant-control.yml", { slug: t.slug, stage: "dev", action: "allow-ip", ip: "<your ip>" }).join(" ")}`
+      label: `gate ${t.host} to your IP at the Cloudflare edge (ephemeral firewall_custom skip rule)`,
+      command: `gh ${ghDispatchArgs("tenant-control.yml", { slug: t.slug, stage: "dev", action: "cf-gate-allow", host: t.host, ip: "<your ip>" }).join(" ")}`
     },
     { label: "tear down when done", command: "mmi-cli stage --live --down --apply" }
   ];
@@ -11926,8 +12069,8 @@ function stageLiveDownSteps(t) {
       command: `gh ${ghDispatchArgs("tenant-control.yml", { slug: t.slug, stage: "dev", action: "stop" }).join(" ")}`
     },
     {
-      label: "clear the dev allowlist (the stage goes dark even if restarted)",
-      command: `gh ${ghDispatchArgs("tenant-control.yml", { slug: t.slug, stage: "dev", action: "allow-ip", ip: "clear" }).join(" ")}`
+      label: "remove the Cloudflare edge gate (the stage goes dark even if restarted)",
+      command: `gh ${ghDispatchArgs("tenant-control.yml", { slug: t.slug, stage: "dev", action: "cf-gate-clear", host: t.host }).join(" ")}`
     }
   ];
 }
@@ -11935,8 +12078,9 @@ async function runStageLiveUp(deps, t) {
   if (!t.ref?.trim()) throw new Error("stage --live: cannot resolve the current branch to deploy");
   const ip = (await deps.detectIp()).trim();
   if (!validStageLiveIp(ip)) throw new Error(`stage --live: detected public IP is not a literal IPv4/IPv6 address: "${ip.slice(0, 80)}"`);
+  if (!t.host?.trim()) throw new Error("stage --live: cannot resolve the dev edge host (registry edgeDomains.dev)");
   await deps.run("gh", ghDispatchArgs("tenant-deploy.yml", { slug: t.slug, repo: t.repo, ref: t.ref, stage: "dev" }));
-  await deps.run("gh", ghDispatchArgs("tenant-control.yml", { slug: t.slug, stage: "dev", action: "allow-ip", ip }));
+  await deps.run("gh", ghDispatchArgs("tenant-control.yml", { slug: t.slug, stage: "dev", action: "cf-gate-allow", host: t.host, ip }));
   return {
     command: "stage --live",
     mode: "up",
@@ -11945,25 +12089,26 @@ async function runStageLiveUp(deps, t) {
     ref: t.ref,
     ip,
     dispatched: ["tenant-deploy.yml", "tenant-control.yml"],
-    message: `dispatched the dev deploy of ${t.ref} and the allowlist update for ${ip}; watch the runs in ${STAGE_LIVE_HUB_REPO} Actions \u2014 tear down with: mmi-cli stage --live --down --apply`
+    message: `dispatched the dev deploy of ${t.ref} and the Cloudflare edge gate for ${t.host} \u2192 ${ip}; watch the runs in ${STAGE_LIVE_HUB_REPO} Actions \u2014 tear down with: mmi-cli stage --live --down --apply`
   };
 }
 async function runStageLiveDown(deps, t) {
+  if (!t.host?.trim()) throw new Error("stage --live: cannot resolve the dev edge host (registry edgeDomains.dev)");
   await deps.run("gh", ghDispatchArgs("tenant-control.yml", { slug: t.slug, stage: "dev", action: "stop" }));
-  await deps.run("gh", ghDispatchArgs("tenant-control.yml", { slug: t.slug, stage: "dev", action: "allow-ip", ip: "clear" }));
+  await deps.run("gh", ghDispatchArgs("tenant-control.yml", { slug: t.slug, stage: "dev", action: "cf-gate-clear", host: t.host }));
   return {
     command: "stage --live",
     mode: "down",
     slug: t.slug,
     repo: t.repo,
     dispatched: ["tenant-control.yml", "tenant-control.yml"],
-    message: `dispatched the dev stop and allowlist clear for ${t.slug}; the dev stage is dark until the next mmi-cli stage --live --apply`
+    message: `dispatched the dev stop and the Cloudflare edge gate clear for ${t.host}; the dev stage is dark until the next mmi-cli stage --live --apply`
   };
 }
 
 // src/design-system.ts
-var import_node_fs16 = require("node:fs");
-var import_node_path15 = require("node:path");
+var import_node_fs17 = require("node:fs");
+var import_node_path16 = require("node:path");
 var UI_PACKAGE_CANDIDATES = ["@mutmutco/ui-dashboard", "@mutmutco/ui", "@mutmutco/theme"];
 var DESIGN_SYSTEM_VERSION_LABEL = "@mutmutco design-system npm package (vs @latest)";
 function dashboardConsumerRegistryFix(error) {
@@ -12012,17 +12157,17 @@ function buildDesignSystemVersionCheck(input) {
 }
 function readJsonFile(path2) {
   try {
-    return JSON.parse((0, import_node_fs16.readFileSync)(path2, "utf8"));
+    return JSON.parse((0, import_node_fs17.readFileSync)(path2, "utf8"));
   } catch {
     return void 0;
   }
 }
 function isUiFactoryCheckout(root) {
-  const pkg = readJsonFile((0, import_node_path15.join)(root, "package.json"));
+  const pkg = readJsonFile((0, import_node_path16.join)(root, "package.json"));
   return pkg?.name === "mmd-ui" && pkg?.private === true;
 }
 function resolveDeclaredUiPackage(root) {
-  const pkg = readJsonFile((0, import_node_path15.join)(root, "package.json"));
+  const pkg = readJsonFile((0, import_node_path16.join)(root, "package.json"));
   if (!pkg) return void 0;
   const deps = { ...pkg.dependencies, ...pkg.devDependencies };
   for (const name of UI_PACKAGE_CANDIDATES) {
@@ -12032,8 +12177,8 @@ function resolveDeclaredUiPackage(root) {
   return void 0;
 }
 function readLockfileInstalledVersion(root, packageName) {
-  const lockPath = (0, import_node_path15.join)(root, "package-lock.json");
-  if (!(0, import_node_fs16.existsSync)(lockPath)) return void 0;
+  const lockPath = (0, import_node_path16.join)(root, "package-lock.json");
+  if (!(0, import_node_fs17.existsSync)(lockPath)) return void 0;
   const lock = readJsonFile(lockPath);
   const node = lock?.packages?.[`node_modules/${packageName}`];
   const version = node?.version?.trim();
@@ -12062,15 +12207,15 @@ function designSystemSnapshot(root) {
 
 // src/design-system-registry.ts
 var import_node_crypto7 = require("node:crypto");
-var import_node_fs18 = require("node:fs");
-var import_node_path16 = require("node:path");
+var import_node_fs19 = require("node:fs");
+var import_node_path17 = require("node:path");
 
 // src/atomic-write.ts
-var import_node_fs17 = require("node:fs");
+var import_node_fs18 = require("node:fs");
 function atomicWriteFileSync(path2, content) {
   const tmp = `${path2}.${process.pid}.tmp`;
-  (0, import_node_fs17.writeFileSync)(tmp, content, "utf8");
-  (0, import_node_fs17.renameSync)(tmp, path2);
+  (0, import_node_fs18.writeFileSync)(tmp, content, "utf8");
+  (0, import_node_fs18.renameSync)(tmp, path2);
 }
 
 // src/design-system-registry.ts
@@ -12081,13 +12226,13 @@ var REGISTRY_FIX = "run `mmi-cli doctor --apply` to pull registry components int
 var REGISTRY_UNREACHABLE_FIX = "live @mutmutco registry unreachable \u2014 verify `components.json` `@mutmutco` registry URL and network, then retry `mmi-cli doctor`";
 function readJsonFile2(path2) {
   try {
-    return JSON.parse((0, import_node_fs18.readFileSync)(path2, "utf8"));
+    return JSON.parse((0, import_node_fs19.readFileSync)(path2, "utf8"));
   } catch {
     return void 0;
   }
 }
 function readComponentsJson(root) {
-  return readJsonFile2((0, import_node_path16.join)(root, "components.json"));
+  return readJsonFile2((0, import_node_path17.join)(root, "components.json"));
 }
 function hasMutmutcoRegistry(root) {
   const url = readComponentsJson(root)?.registries?.["@mutmutco"];
@@ -12095,7 +12240,7 @@ function hasMutmutcoRegistry(root) {
 }
 function resolveCacheDir(root) {
   const custom = readComponentsJson(root)?.mmi?.cacheDir;
-  return (0, import_node_path16.join)(root, custom ?? DESIGN_SYSTEM_CACHE_DIR);
+  return (0, import_node_path17.join)(root, custom ?? DESIGN_SYSTEM_CACHE_DIR);
 }
 function resolveRegistryUrlTemplate(root) {
   return readComponentsJson(root)?.registries?.["@mutmutco"];
@@ -12104,7 +12249,7 @@ function registryItemUrl(template, name) {
   return template.replace("{name}", name);
 }
 function readDesignSystemManifest(root) {
-  const raw = readJsonFile2((0, import_node_path16.join)(root, DESIGN_SYSTEM_MANIFEST_PATH));
+  const raw = readJsonFile2((0, import_node_path17.join)(root, DESIGN_SYSTEM_MANIFEST_PATH));
   if (!raw || !Array.isArray(raw.components)) return void 0;
   return raw;
 }
@@ -12116,11 +12261,11 @@ function listInstalledRegistryComponents(root) {
   return scanCachedComponentNames(resolveCacheDir(root));
 }
 function scanCachedComponentNames(cacheDir) {
-  if (!(0, import_node_fs18.existsSync)(cacheDir)) return [];
+  if (!(0, import_node_fs19.existsSync)(cacheDir)) return [];
   const names = /* @__PURE__ */ new Set();
   const walk = (dir) => {
-    for (const ent of (0, import_node_fs18.readdirSync)(dir, { withFileTypes: true })) {
-      const p = (0, import_node_path16.join)(dir, ent.name);
+    for (const ent of (0, import_node_fs19.readdirSync)(dir, { withFileTypes: true })) {
+      const p = (0, import_node_path17.join)(dir, ent.name);
       if (ent.isDirectory()) walk(p);
       else if (ent.isFile() && /\.(tsx?|jsx?)$/.test(ent.name)) {
         names.add(ent.name.replace(/\.(tsx|ts|jsx|js)$/, ""));
@@ -12209,13 +12354,13 @@ async function gatherRegistryComponentsState(root, targetVersion, deps) {
     let componentStale = false;
     for (const file of item.files) {
       if (!file.target || file.content == null) continue;
-      const cachePath = (0, import_node_path16.join)(cacheDir, cacheRelativePath(file.target));
-      if (!(0, import_node_fs18.existsSync)(cachePath)) {
+      const cachePath = (0, import_node_path17.join)(cacheDir, cacheRelativePath(file.target));
+      if (!(0, import_node_fs19.existsSync)(cachePath)) {
         componentStale = true;
         break;
       }
       try {
-        if (contentHash((0, import_node_fs18.readFileSync)(cachePath, "utf8")) !== contentHash(file.content)) {
+        if (contentHash((0, import_node_fs19.readFileSync)(cachePath, "utf8")) !== contentHash(file.content)) {
           componentStale = true;
           break;
         }
@@ -12225,7 +12370,7 @@ async function gatherRegistryComponentsState(root, targetVersion, deps) {
       }
     }
     if (componentStale) {
-      if ((0, import_node_fs18.existsSync)((0, import_node_path16.join)(cacheDir, "ui", `${name}.tsx`)) || (0, import_node_fs18.existsSync)((0, import_node_path16.join)(cacheDir, `${name}.tsx`))) {
+      if ((0, import_node_fs19.existsSync)((0, import_node_path17.join)(cacheDir, "ui", `${name}.tsx`)) || (0, import_node_fs19.existsSync)((0, import_node_path17.join)(cacheDir, `${name}.tsx`))) {
         stale.push(name);
       } else {
         missing.push(name);
@@ -12253,15 +12398,15 @@ async function applyRegistryComponentsSync(root, components, targetVersion, log,
     if (!item) return { ok: false };
     for (const file of item.files) {
       if (!file.target || file.content == null) continue;
-      const outPath = (0, import_node_path16.join)(cacheDir, cacheRelativePath(file.target));
-      deps.mkdir((0, import_node_path16.dirname)(outPath));
+      const outPath = (0, import_node_path17.join)(cacheDir, cacheRelativePath(file.target));
+      deps.mkdir((0, import_node_path17.dirname)(outPath));
       const body = file.content.endsWith("\n") ? file.content : `${file.content}
 `;
       deps.writeFile(outPath, body);
     }
   }
-  const manifestPath = (0, import_node_path16.join)(root, DESIGN_SYSTEM_MANIFEST_PATH);
-  deps.mkdir((0, import_node_path16.dirname)(manifestPath));
+  const manifestPath = (0, import_node_path17.join)(root, DESIGN_SYSTEM_MANIFEST_PATH);
+  deps.mkdir((0, import_node_path17.dirname)(manifestPath));
   const manifest = {
     version: targetVersion,
     syncedAt: (/* @__PURE__ */ new Date()).toISOString(),
@@ -12276,14 +12421,14 @@ function defaultRegistrySyncDeps() {
   return {
     fetch,
     writeFile: (path2, content) => atomicWriteFileSync(path2, content),
-    mkdir: (path2) => (0, import_node_fs18.mkdirSync)(path2, { recursive: true })
+    mkdir: (path2) => (0, import_node_fs19.mkdirSync)(path2, { recursive: true })
   };
 }
 
 // src/stage-runner.ts
 var import_node_child_process9 = require("node:child_process");
-var import_node_fs19 = require("node:fs");
-var import_node_path17 = require("node:path");
+var import_node_fs20 = require("node:fs");
+var import_node_path18 = require("node:path");
 var import_node_net2 = require("node:net");
 var import_node_util7 = require("node:util");
 var execFileP4 = (0, import_node_util7.promisify)(import_node_child_process9.execFile);
@@ -12328,7 +12473,7 @@ function detectStaleEnvFile(exampleContent, targetContent, mtimes) {
   return void 0;
 }
 function stageStatePath(cwd = process.cwd()) {
-  return (0, import_node_path17.join)(cwd, "tmp", "stage", "state.json");
+  return (0, import_node_path18.join)(cwd, "tmp", "stage", "state.json");
 }
 function mergeEnvSecretsIntoFile(content, secrets) {
   const lines = content.split(/\r?\n/);
@@ -12411,9 +12556,9 @@ async function shell(command, cwd, timeoutMs) {
   });
 }
 function readState(path2) {
-  if (!(0, import_node_fs19.existsSync)(path2)) return null;
+  if (!(0, import_node_fs20.existsSync)(path2)) return null;
   try {
-    return JSON.parse((0, import_node_fs19.readFileSync)(path2, "utf8"));
+    return JSON.parse((0, import_node_fs20.readFileSync)(path2, "utf8"));
   } catch {
     return null;
   }
@@ -12465,7 +12610,7 @@ async function stopStage(opts = {}) {
     return { ok: true, action: "stop", statePath, message: "no previous stage state found" };
   }
   await killTree(state.pid);
-  (0, import_node_fs19.rmSync)(statePath, { force: true });
+  (0, import_node_fs20.rmSync)(statePath, { force: true });
   return { ok: true, action: "stop", statePath, pid: state.pid, message: `stopped previous stage pid ${state.pid}` };
 }
 async function startStage(config = {}, opts = {}) {
@@ -12474,7 +12619,7 @@ async function startStage(config = {}, opts = {}) {
   const cwd = opts.cwd ?? process.cwd();
   const statePath = opts.statePath ?? stageStatePath(cwd);
   const dir = statePath.slice(0, Math.max(statePath.lastIndexOf("/"), statePath.lastIndexOf("\\")));
-  (0, import_node_fs19.mkdirSync)(dir, { recursive: true });
+  (0, import_node_fs20.mkdirSync)(dir, { recursive: true });
   let stagePort;
   if (config.portRange) {
     const [s, e] = config.portRange;
@@ -12484,14 +12629,14 @@ async function startStage(config = {}, opts = {}) {
   }
   const sub = (s) => s != null && stagePort != null ? s.replace(/\$\{?STAGE_PORT\}?/g, String(stagePort)) : s;
   if (config.ensureEnv) {
-    const target = (0, import_node_path17.join)(cwd, config.ensureEnv.target);
-    const example = (0, import_node_path17.join)(cwd, config.ensureEnv.example);
-    if (!(0, import_node_fs19.existsSync)(target) && (0, import_node_fs19.existsSync)(example)) {
-      (0, import_node_fs19.copyFileSync)(example, target);
-    } else if ((0, import_node_fs19.existsSync)(target) && (0, import_node_fs19.existsSync)(example)) {
-      const stale = detectStaleEnvFile((0, import_node_fs19.readFileSync)(example, "utf8"), (0, import_node_fs19.readFileSync)(target, "utf8"), {
-        exampleMtimeMs: (0, import_node_fs19.statSync)(example).mtimeMs,
-        targetMtimeMs: (0, import_node_fs19.statSync)(target).mtimeMs
+    const target = (0, import_node_path18.join)(cwd, config.ensureEnv.target);
+    const example = (0, import_node_path18.join)(cwd, config.ensureEnv.example);
+    if (!(0, import_node_fs20.existsSync)(target) && (0, import_node_fs20.existsSync)(example)) {
+      (0, import_node_fs20.copyFileSync)(example, target);
+    } else if ((0, import_node_fs20.existsSync)(target) && (0, import_node_fs20.existsSync)(example)) {
+      const stale = detectStaleEnvFile((0, import_node_fs20.readFileSync)(example, "utf8"), (0, import_node_fs20.readFileSync)(target, "utf8"), {
+        exampleMtimeMs: (0, import_node_fs20.statSync)(example).mtimeMs,
+        targetMtimeMs: (0, import_node_fs20.statSync)(target).mtimeMs
       });
       if (stale) {
         const msg = `stale ${config.ensureEnv.target} (${stale}) \u2014 delete it or refresh from ${config.ensureEnv.example} before re-running /stage`;
@@ -12499,8 +12644,8 @@ async function startStage(config = {}, opts = {}) {
         console.error(`mmi-cli stage: ${msg} (allowed via --allow-stale-env)`);
       }
     }
-    if (opts.vaultEnvMerge && Object.keys(opts.vaultEnvMerge).length && (0, import_node_fs19.existsSync)(target)) {
-      (0, import_node_fs19.writeFileSync)(target, mergeEnvSecretsIntoFile((0, import_node_fs19.readFileSync)(target, "utf8"), opts.vaultEnvMerge), "utf8");
+    if (opts.vaultEnvMerge && Object.keys(opts.vaultEnvMerge).length && (0, import_node_fs20.existsSync)(target)) {
+      (0, import_node_fs20.writeFileSync)(target, mergeEnvSecretsIntoFile((0, import_node_fs20.readFileSync)(target, "utf8"), opts.vaultEnvMerge), "utf8");
     }
   }
   const extraEnv = {};
@@ -12525,13 +12670,13 @@ async function startStage(config = {}, opts = {}) {
     healthUrl: sub(config.healthUrl?.trim()) || void 0,
     port: stagePort
   };
-  (0, import_node_fs19.writeFileSync)(statePath, JSON.stringify(state, null, 2), "utf8");
+  (0, import_node_fs20.writeFileSync)(statePath, JSON.stringify(state, null, 2), "utf8");
   try {
     if (state.healthUrl) await waitForHealth(state.healthUrl, opts.timeoutMs ?? 6e4, config.healthAnyStatus);
     else await waitForProcessStability(child);
   } catch (e) {
     await killTree(state.pid);
-    (0, import_node_fs19.rmSync)(statePath, { force: true });
+    (0, import_node_fs20.rmSync)(statePath, { force: true });
     throw e;
   }
   const result = { ok: true, action: "start", statePath, pid: state.pid, port: stagePort, message: `started stage pid ${state.pid}${stagePort != null ? ` on port ${stagePort}` : ""}` };
@@ -12989,18 +13134,25 @@ async function rollDevelopmentForward(deps, ctx, tag) {
 }
 function resolveContextState(context, checkRuns, statuses) {
   let sawFailure = false;
+  let sawSuccess = false;
+  let sawPending = false;
   for (const r of checkRuns) {
     if (r.name !== context) continue;
     if (r.status === "completed") {
-      if (r.conclusion === "success") return "success";
-      if (r.conclusion !== "skipped" && r.conclusion !== "neutral") sawFailure = true;
+      if (r.conclusion === "success") sawSuccess = true;
+      else if (r.conclusion !== "skipped" && r.conclusion !== "neutral") sawFailure = true;
+    } else {
+      sawPending = true;
     }
   }
   for (const s of statuses) {
     if (s.context !== context) continue;
-    if (s.state === "success") return "success";
-    if (s.state === "failure" || s.state === "error") sawFailure = true;
+    if (s.state === "success") sawSuccess = true;
+    else if (s.state === "failure" || s.state === "error") sawFailure = true;
+    else sawPending = true;
   }
+  if (sawPending) return "pending";
+  if (sawSuccess) return "success";
   return sawFailure ? "failed" : "pending";
 }
 async function waitForRequiredTrainChecks(deps, ctx, sha, required) {
@@ -14349,7 +14501,7 @@ async function announceRelease(deps, args) {
 }
 
 // src/port-registry.ts
-var import_node_fs20 = require("node:fs");
+var import_node_fs21 = require("node:fs");
 
 // ../infra/port-geometry.mjs
 var PORT_BLOCK = 100;
@@ -14363,8 +14515,8 @@ function nextPortBlock(registry2) {
   return [base2, base2 + PORT_SPAN];
 }
 function loadPortRegistry(path2) {
-  if (!(0, import_node_fs20.existsSync)(path2)) return {};
-  const raw = JSON.parse((0, import_node_fs20.readFileSync)(path2, "utf8"));
+  if (!(0, import_node_fs21.existsSync)(path2)) return {};
+  const raw = JSON.parse((0, import_node_fs21.readFileSync)(path2, "utf8"));
   const out = {};
   for (const [key, value] of Object.entries(raw)) {
     if (Array.isArray(value) && value.length === 2 && value.every((n) => typeof n === "number")) {
@@ -14378,9 +14530,9 @@ function ensurePortRange(repo, path2) {
   const existing = registry2[repo];
   if (existing) return existing;
   const range = nextPortBlock(registry2);
-  const raw = (0, import_node_fs20.existsSync)(path2) ? JSON.parse((0, import_node_fs20.readFileSync)(path2, "utf8")) : {};
+  const raw = (0, import_node_fs21.existsSync)(path2) ? JSON.parse((0, import_node_fs21.readFileSync)(path2, "utf8")) : {};
   raw[repo] = range;
-  (0, import_node_fs20.writeFileSync)(path2, JSON.stringify(raw, null, 2) + "\n", "utf8");
+  (0, import_node_fs21.writeFileSync)(path2, JSON.stringify(raw, null, 2) + "\n", "utf8");
   return range;
 }
 function portCursorSeed(registry2) {
@@ -15240,6 +15392,9 @@ async function upsertProject(slug, patch, deps) {
 async function attestAppGaps(slug, repo, deps) {
   return postJson(`/projects/${encodeURIComponent(slug)}/attest-app`, { repo }, deps);
 }
+async function setDeployCoords(slug, payload, deps) {
+  return postJson(`/projects/${encodeURIComponent(slug)}/deploy`, payload, deps);
+}
 async function tenantControl(payload, deps) {
   return postJson("/tenant-control", payload, deps, "POST", { noRetry: true });
 }
@@ -15634,7 +15789,7 @@ ${section}`.trim();
 }
 
 // src/project-set.ts
-var UNSET_KEYS = ["oauth", "requiredRuntimeSecrets", "edgeDomains", "requiredGcpApis", "publishRequired", "publishDir", "dashboard", "ci", "requiredChecks", "gate"];
+var UNSET_KEYS = ["oauth", "requiredRuntimeSecrets", "edgeDomains", "requiredGcpApis", "publishRequired", "publishDir", "dashboard", "fofuEnabled", "ci", "requiredChecks", "gate"];
 var UNSET_KEY_SET = new Set(UNSET_KEYS);
 var RUNTIME_SECRET_STAGES = ["dev", "rc", "main"];
 function parseRuntimeSecretsVar(raw) {
@@ -15757,7 +15912,7 @@ function parseOauthVar(raw) {
     throw new Error('project set: oauth must be JSON, e.g. {"subdomains":["app"],"domains":["example.co"],"callbackPath":"/auth/callback"}');
   }
   if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
-    throw new Error("project set: oauth must be a {subdomains,domains,callbackPath} object");
+    throw new Error("project set: oauth must be a {subdomains,domains,callbackPath,fofuSubdomain} object");
   }
   const map = parsed;
   const out = {};
@@ -15770,8 +15925,11 @@ function parseOauthVar(raw) {
     } else if (key === "callbackPath") {
       if (typeof value !== "string" || !value.trim()) throw new Error("project set: oauth.callbackPath must be a non-empty string");
       out.callbackPath = value.trim();
+    } else if (key === "fofuSubdomain") {
+      if (typeof value !== "string") throw new Error('project set: oauth.fofuSubdomain must be a string ("" selects the apex fofu.ai)');
+      out.fofuSubdomain = value.trim();
     } else {
-      throw new Error(`project set: oauth key "${key}" \u2014 expected only subdomains/domains/callbackPath`);
+      throw new Error(`project set: oauth key "${key}" \u2014 expected only subdomains/domains/callbackPath/fofuSubdomain`);
     }
   }
   return out;
@@ -15798,6 +15956,11 @@ function parseDashboardVar(raw) {
   if (raw === "false") return false;
   throw new Error("project set: dashboard must be true or false");
 }
+function parseFofuEnabledVar(raw) {
+  if (raw === "true") return true;
+  if (raw === "false") return false;
+  throw new Error("project set: fofuEnabled must be true or false");
+}
 function parsePublishDirVar(raw) {
   const v = raw.trim();
   if (v === "" || v === ".") {
@@ -15860,6 +16023,7 @@ var SETTABLE_VAR_KEYS = [
   "publishRequired",
   "publishDir",
   "dashboard",
+  "fofuEnabled",
   "requiredGcpApis",
   "requiredRuntimeSecrets",
   "edgeDomains",
@@ -15878,8 +16042,9 @@ var SETTABLE_VAR_HINTS = {
   publishRequired: "true|false",
   publishDir: "relative subpath, e.g. packages/ui",
   dashboard: "true|false",
+  fofuEnabled: "true|false",
   repos: 'JSON array, e.g. ["mutmutco/mm-foo"]',
-  oauth: "JSON {subdomains,domains,callbackPath}",
+  oauth: "JSON {subdomains,domains,callbackPath,fofuSubdomain}",
   requiredGcpApis: "comma-string",
   requiredRuntimeSecrets: 'JSON stage map, e.g. {"dev":["KEY"],"rc":["KEY"],"main":["KEY"]}',
   edgeDomains: "JSON {dev,rc,main} domain map",
@@ -15953,6 +16118,8 @@ function buildProjectSetPatch(input) {
       patch[key] = parsePublishRequiredVar(raw);
     } else if (key === "dashboard") {
       patch[key] = parseDashboardVar(raw);
+    } else if (key === "fofuEnabled") {
+      patch[key] = parseFofuEnabledVar(raw);
     } else if (key === "publishDir") {
       patch[key] = parsePublishDirVar(raw);
     } else if (key === "ci") {
@@ -15981,6 +16148,54 @@ function buildProjectSetPatch(input) {
   }
   return patch;
 }
+var DEPLOY_SUBSTRATES = ["hetzner-ssh"];
+var DEPLOY_STAGES = ["dev", "rc", "main"];
+var DEPLOY_DOMAIN_RE = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/;
+var DEPLOY_SHELL_SAFE_RE = /^[A-Za-z0-9./:_?&=%-]*$/;
+function buildSetDeployPatch(slug, input) {
+  const clean4 = (v) => typeof v === "string" && v.trim() !== "" ? v.trim() : void 0;
+  const stage2 = clean4(input.stage);
+  if (!stage2 || !DEPLOY_STAGES.includes(stage2)) {
+    throw new Error(`project set-deploy: --stage must be one of: ${DEPLOY_STAGES.join(", ")}`);
+  }
+  const substrate = clean4(input.substrate) ?? "hetzner-ssh";
+  if (!DEPLOY_SUBSTRATES.includes(substrate)) {
+    throw new Error(`project set-deploy: --substrate must be one of: ${DEPLOY_SUBSTRATES.join(", ")}`);
+  }
+  const sshHost = clean4(input.sshHost);
+  if (substrate === "hetzner-ssh" && !sshHost) {
+    throw new Error("project set-deploy: hetzner-ssh requires --ssh-host");
+  }
+  const sshUser = clean4(input.sshUser) ?? "root";
+  const deployPath = clean4(input.deployPath) ?? `/opt/mmi/${slug}/${stage2}`;
+  const serviceName = clean4(input.service) ?? slug;
+  for (const [label, v] of [["--ssh-host", sshHost], ["--ssh-user", sshUser], ["--deploy-path", deployPath], ["--service", serviceName]]) {
+    if (v !== void 0 && !DEPLOY_SHELL_SAFE_RE.test(v)) throw new Error(`project set-deploy: ${label} contains unsafe characters`);
+  }
+  let port;
+  if (input.port !== void 0 && input.port !== null && `${input.port}`.trim() !== "") {
+    port = Number(input.port);
+    if (!Number.isInteger(port) || port < 1 || port > 65535) throw new Error("project set-deploy: --port must be an integer 1..65535");
+  }
+  const domain = clean4(input.domain);
+  if (domain !== void 0 && !DEPLOY_DOMAIN_RE.test(domain)) throw new Error(`project set-deploy: --domain must be a DNS hostname, got ${JSON.stringify(input.domain)}`);
+  const aliases = (Array.isArray(input.aliases) ? input.aliases : []).map((a) => clean4(a)).filter((a) => a !== void 0);
+  for (const a of aliases) {
+    if (!DEPLOY_DOMAIN_RE.test(a)) throw new Error(`project set-deploy: --alias must be a DNS hostname, got ${JSON.stringify(a)}`);
+  }
+  const uniqueAliases = [...new Set(aliases)];
+  return {
+    stage: stage2,
+    substrate,
+    sshHost,
+    sshUser,
+    deployPath,
+    serviceName,
+    ...domain !== void 0 ? { domain } : {},
+    ...port !== void 0 ? { port } : {},
+    ...uniqueAliases.length ? { aliases: uniqueAliases } : {}
+  };
+}
 function repoFromRemoteUrl(remoteUrl) {
   const m = remoteUrl.trim().match(/^(?:[a-z][a-z0-9+.-]*:\/\/)?(?:[^@\s/]+@)?github\.com[:/]([^/\s:]+)\/([^/\s]+?)(?:\.git)?\/?$/i);
   return m ? `${m[1]}/${m[2]}` : void 0;
@@ -16020,15 +16235,15 @@ function parseKbTree(stdout, prefix) {
 }
 
 // src/northstar-commands.ts
-var import_node_fs21 = require("node:fs");
+var import_node_fs22 = require("node:fs");
 var import_node_child_process11 = require("node:child_process");
 var import_promises6 = require("node:fs/promises");
 
 // src/plan.ts
-var import_node_path18 = require("node:path");
+var import_node_path19 = require("node:path");
 var PLANS_DIR = "plans";
-var META_FILE = (0, import_node_path18.join)(PLANS_DIR, ".plan-meta.json");
-var planPath = (slug) => (0, import_node_path18.join)(PLANS_DIR, `${slug}.md`);
+var META_FILE = (0, import_node_path19.join)(PLANS_DIR, ".plan-meta.json");
+var planPath = (slug) => (0, import_node_path19.join)(PLANS_DIR, `${slug}.md`);
 var metaKey = (project2, slug) => `${project2}/${slug}`;
 function parseMeta(raw) {
   if (!raw) return {};
@@ -16053,7 +16268,7 @@ function hashContent(s) {
 function staleHint(slug) {
   return `remote "${slug}" is newer \u2014 run \`mmi-cli northstar pull ${slug}\` first (your local is based on an older version), or re-push with \`--force\` to overwrite`;
 }
-var INDEX_FILE = (0, import_node_path18.join)(PLANS_DIR, ".index.json");
+var INDEX_FILE = (0, import_node_path19.join)(PLANS_DIR, ".index.json");
 var INDEX_TTL_MS = 6e4;
 function parseIndex(raw) {
   if (!raw) return null;
@@ -16082,7 +16297,7 @@ function mergeIndex(idx, scope, plans, now) {
   const mergedScope = idx.scope === null ? null : [.../* @__PURE__ */ new Set([...idx.scope, ...scope])];
   return { fetchedAt: now, scope: mergedScope, plans: [...kept, ...plans] };
 }
-var QUEUE_FILE = (0, import_node_path18.join)(PLANS_DIR, ".sync-queue.json");
+var QUEUE_FILE = (0, import_node_path19.join)(PLANS_DIR, ".sync-queue.json");
 var QUEUE_MAX_ATTEMPTS = 10;
 function isValidQueueEntry(e) {
   if (!e || typeof e !== "object") return false;
@@ -16557,7 +16772,7 @@ function detachPlanSync() {
   }
 }
 function makePlanDeps(cfg, io = consoleIo) {
-  const ensureDir = () => (0, import_node_fs21.mkdirSync)(PLANS_DIR, { recursive: true });
+  const ensureDir = () => (0, import_node_fs22.mkdirSync)(PLANS_DIR, { recursive: true });
   return {
     apiUrl: cfg.sagaApiUrl,
     fetch: (url, init = {}) => fetch(url, { ...init, signal: init.signal ?? AbortSignal.timeout(1e4) }),
@@ -16565,24 +16780,24 @@ function makePlanDeps(cfg, io = consoleIo) {
     project: async () => (await sagaKey(cfg)).project,
     readLocal: (slug) => {
       try {
-        return (0, import_node_fs21.readFileSync)(planPath(slug), "utf8");
+        return (0, import_node_fs22.readFileSync)(planPath(slug), "utf8");
       } catch {
         return null;
       }
     },
     writeLocal: (slug, content) => {
       ensureDir();
-      (0, import_node_fs21.writeFileSync)(planPath(slug), content, "utf8");
+      (0, import_node_fs22.writeFileSync)(planPath(slug), content, "utf8");
     },
     removeLocal: (slug) => {
       try {
-        (0, import_node_fs21.rmSync)(planPath(slug));
+        (0, import_node_fs22.rmSync)(planPath(slug));
       } catch {
       }
     },
     readMetaRaw: () => {
       try {
-        return (0, import_node_fs21.readFileSync)(META_FILE, "utf8");
+        return (0, import_node_fs22.readFileSync)(META_FILE, "utf8");
       } catch {
         return null;
       }
@@ -16593,7 +16808,7 @@ function makePlanDeps(cfg, io = consoleIo) {
     },
     readIndexRaw: () => {
       try {
-        return (0, import_node_fs21.readFileSync)(INDEX_FILE, "utf8");
+        return (0, import_node_fs22.readFileSync)(INDEX_FILE, "utf8");
       } catch {
         return null;
       }
@@ -16604,7 +16819,7 @@ function makePlanDeps(cfg, io = consoleIo) {
     },
     readQueueRaw: () => {
       try {
-        return (0, import_node_fs21.readFileSync)(QUEUE_FILE, "utf8");
+        return (0, import_node_fs22.readFileSync)(QUEUE_FILE, "utf8");
       } catch {
         return null;
       }
@@ -16639,7 +16854,7 @@ async function withPlan(quiet, run, io = consoleIo) {
   }
   await run(makePlanDeps(cfg, io));
 }
-async function gatherRelevanceSignals() {
+async function gatherRelevanceSignals(opts = {}) {
   const branch = await gitOut(["rev-parse", "--abbrev-ref", "HEAD"]).catch(() => "") || void 0;
   const changed = (await gitOut(["diff", "--name-only", "HEAD"]).catch(() => "")).split("\n").map((s) => s.trim()).filter(Boolean);
   const signals = { branch, changedFiles: changed.length ? changed : void 0 };
@@ -16657,6 +16872,10 @@ async function gatherRelevanceSignals() {
     } catch {
     }
   }
+  if (opts.anchorSlug) {
+    const slug = (await opts.anchorSlug().catch(() => void 0))?.trim();
+    if (slug) signals.anchorSlug = slug;
+  }
   return signals;
 }
 function registerNorthStarCommands(cmd) {
@@ -16777,9 +16996,7 @@ function registerSecretsCommands(program3) {
     });
     const centralContainer = meta?.deployModel === "tenant-container" || meta?.deployModel === "solo-container";
     if (!o.required?.length && centralContainer && meta && !hasRuntimeSecretContract(meta.requiredRuntimeSecrets)) {
-      d.err("secrets preflight: requiredRuntimeSecrets is unset for this deployable tenant \u2014 declare the per-stage contract in registry META (or an explicit empty map) before promoting");
-      process.exitCode = 1;
-      return;
+      d.err('secrets preflight: requiredRuntimeSecrets is unset: treating as an empty contract (no required keys). Declare an explicit {"dev":[],"rc":[],"main":[]} in registry META to silence this warning.');
     }
     const ok = await secretsPreflight(d, { repo: o.repo, stage: o.stage, required });
     if (!ok) process.exitCode = 1;
@@ -16844,6 +17061,9 @@ function expectedHosts(cfg) {
       for (const env of ENV_PREFIXES) out.push(env ? `${env}.${base2}` : base2);
     }
   }
+  if (cfg.fofuSubdomain !== void 0) {
+    out.push(cfg.fofuSubdomain ? `${cfg.fofuSubdomain}.fofu.ai` : "fofu.ai");
+  }
   return uniq(out);
 }
 function expectedJsOrigins(cfg) {
@@ -16888,7 +17108,10 @@ function parseOauthConfig(mmiConfig, slug) {
   if (!callbackPath.startsWith("/")) {
     throw new Error(`oauth.callbackPath must start with "/" (got ${JSON.stringify(callbackPath)})`);
   }
-  return { subdomains, domains, callbackPath };
+  const meta = mmiConfig ?? {};
+  const rawFofuSub = raw.fofuSubdomain;
+  const fofuSubdomain = meta.fofuEnabled === true ? typeof rawFofuSub === "string" ? rawFofuSub : defaultSubdomain2(slug) : void 0;
+  return { subdomains, domains, callbackPath, fofuSubdomain };
 }
 function probeRedirectUri(callbackPath, port = 9123) {
   return `http://localhost:${port}${callbackPath}`;
@@ -17052,7 +17275,7 @@ async function fetchHubVersionInfo(baseUrl) {
 }
 function readRepoVersion() {
   try {
-    return JSON.parse((0, import_node_fs22.readFileSync)((0, import_node_path19.join)(process.cwd(), ".claude-plugin", "plugin.json"), "utf8")).version || void 0;
+    return JSON.parse((0, import_node_fs23.readFileSync)((0, import_node_path20.join)(process.cwd(), ".claude-plugin", "plugin.json"), "utf8")).version || void 0;
   } catch {
     return void 0;
   }
@@ -17227,10 +17450,10 @@ async function runRulesSync(opts, io = consoleIo) {
   for (const entry of fetched) {
     if ("error" in entry) continue;
     const { file, source } = entry;
-    const current = (0, import_node_fs22.existsSync)(file) ? await (0, import_promises7.readFile)(file, "utf8") : null;
+    const current = (0, import_node_fs23.existsSync)(file) ? await (0, import_promises7.readFile)(file, "utf8") : null;
     if (needsUpdate(source, current)) {
       const slash = file.lastIndexOf("/");
-      if (slash > 0) (0, import_node_fs22.mkdirSync)(file.slice(0, slash), { recursive: true });
+      if (slash > 0) (0, import_node_fs23.mkdirSync)(file.slice(0, slash), { recursive: true });
       await (0, import_promises7.writeFile)(file, normalizeEol(source), "utf8");
       changed++;
       if (!opts.quiet) io.log(`mmi-cli rules: updated ${file}`);
@@ -17243,6 +17466,27 @@ var rules = program2.command("rules").description("org rules delivery");
 rules.command("sync").option("--quiet", "stay silent unless something changed or errored").description("fetch the org-delivered files (AGENTS.md / CLAUDE.md / .claude/settings.json / output style / Cursor rule) from MMI-Hub and write them verbatim (org-owned, whole-file)").action(async (opts) => {
   if (!await runRulesSync(opts)) process.exitCode = 1;
 });
+rules.command("gitignore").option("--write", "upsert the managed block into .gitignore (default: check only, non-zero exit on drift)").description("verify (or --write) this repo's org-managed .gitignore block matches the SSOT").action((opts) => {
+  const path2 = (0, import_node_path20.join)(process.cwd(), ".gitignore");
+  const current = (0, import_node_fs23.existsSync)(path2) ? (0, import_node_fs23.readFileSync)(path2, "utf8") : null;
+  const plan2 = planManagedGitignore(current);
+  const drift = [...plan2.added.map((l) => `+${l}`), ...plan2.removed.map((l) => `-${l}`)].join(", ") || "block normalize";
+  if (opts.write) {
+    if (plan2.changed) {
+      (0, import_node_fs23.writeFileSync)(path2, plan2.content, "utf8");
+      console.log(`mmi-cli rules gitignore: updated .gitignore (${drift})`);
+    } else {
+      console.log("mmi-cli rules gitignore: up to date");
+    }
+    return;
+  }
+  if (plan2.changed) {
+    console.error(`mmi-cli rules gitignore: managed block drift (${drift}) \u2014 run \`mmi-cli rules gitignore --write\` and commit`);
+    process.exitCode = 1;
+  } else {
+    console.log("mmi-cli rules gitignore: up to date");
+  }
+});
 async function runDocsSync(opts, io = consoleIo) {
   const ref = await gitOut(["symbolic-ref", "--quiet", "--short", "refs/remotes/origin/HEAD"]);
   const def = (ref.startsWith("origin/") ? ref.slice("origin/".length) : ref) || "development";
@@ -17256,7 +17500,7 @@ async function runDocsSync(opts, io = consoleIo) {
         return null;
       }
     },
-    localContent: async (f) => (0, import_node_fs22.existsSync)(f) ? await (0, import_promises7.readFile)(f, "utf8") : null,
+    localContent: async (f) => (0, import_node_fs23.existsSync)(f) ? await (0, import_promises7.readFile)(f, "utf8") : null,
     writeDoc: async (f, c) => {
       await (0, import_promises7.writeFile)(f, c, "utf8");
     }
@@ -17355,7 +17599,7 @@ function runWorktreeInstall(command, cwd, quiet) {
 async function primaryCheckoutRoot(worktreeRoot) {
   try {
     const out = (await execFileP2("git", ["-C", worktreeRoot, "rev-parse", "--path-format=absolute", "--git-common-dir"], { timeout: GIT_TIMEOUT_MS })).stdout.trim();
-    return out ? (0, import_node_path19.dirname)(out) : void 0;
+    return out ? (0, import_node_path20.dirname)(out) : void 0;
   } catch {
     return void 0;
   }
@@ -17368,28 +17612,28 @@ function makeProvisionDeps(worktreeRoot, quiet, log) {
   };
 }
 function acquireWorktreeSetupLock(worktreeRoot) {
-  const lockPath = (0, import_node_path19.join)(worktreeRoot, ".mmi", "worktree-setup.lock");
+  const lockPath = (0, import_node_path20.join)(worktreeRoot, ".mmi", "worktree-setup.lock");
   const take = () => {
-    const fd = (0, import_node_fs22.openSync)(lockPath, "wx");
+    const fd = (0, import_node_fs23.openSync)(lockPath, "wx");
     try {
-      (0, import_node_fs22.writeSync)(fd, String(Date.now()));
+      (0, import_node_fs23.writeSync)(fd, String(Date.now()));
     } finally {
-      (0, import_node_fs22.closeSync)(fd);
+      (0, import_node_fs23.closeSync)(fd);
     }
     return () => {
       try {
-        (0, import_node_fs22.rmSync)(lockPath, { force: true });
+        (0, import_node_fs23.rmSync)(lockPath, { force: true });
       } catch {
       }
     };
   };
   try {
-    (0, import_node_fs22.mkdirSync)((0, import_node_path19.dirname)(lockPath), { recursive: true });
+    (0, import_node_fs23.mkdirSync)((0, import_node_path20.dirname)(lockPath), { recursive: true });
     return take();
   } catch {
     try {
-      if (Date.now() - (0, import_node_fs22.statSync)(lockPath).mtimeMs > WORKTREE_SETUP_LOCK_TTL_MS) {
-        (0, import_node_fs22.rmSync)(lockPath, { force: true });
+      if (Date.now() - (0, import_node_fs23.statSync)(lockPath).mtimeMs > WORKTREE_SETUP_LOCK_TTL_MS) {
+        (0, import_node_fs23.rmSync)(lockPath, { force: true });
         return take();
       }
     } catch {
@@ -17729,7 +17973,7 @@ deploys run centrally (tenant-deploy.yml); product repos carry no deploy files.
   }
 });
 project.command("resolve <owner/repo>").description("deploy coords for a stage \u2014 for diagnosis. NOTE: /deploy-coords is OIDC-gated (a deploy job\u2019s id-token), so a gh-token CLI cannot read it from a dev machine").option("--stage <main|rc>", "deploy stage", "main").option("--json", "machine-readable output").action((_repoOrRepo, o) => {
-  const msg = "project resolve: deploy coords are served only to a deploy workflow (GitHub OIDC id-token, repo-scoped). A gh-token CLI on a dev machine cannot read /deploy-coords; inspect the DEPLOY# item via the AWS console / a master DDB read instead.";
+  const msg = "project resolve: deploy coords are served only to a deploy workflow (GitHub OIDC id-token, repo-scoped). A gh-token CLI on a dev machine cannot read /deploy-coords; inspect the DEPLOY# item via a master registry (DDB) read instead.";
   if (o.json) {
     console.log(JSON.stringify({ ok: false, stage: o.stage, error: msg }));
     process.exitCode = 1;
@@ -17829,6 +18073,34 @@ project.command("set [owner/repo]").description("upsert project META (idempotent
   const res = await upsertProject(slug, { ...patch, repo }, registryClientDeps(cfg));
   return reportWrite("project set", res);
 });
+project.command("set-deploy [owner/repo]").description("write the DEPLOY#<stage> Hetzner deploy coords for a tenant (master-only) \u2014 the explicit-coords path that seeds a freshly-bootstrapped tenant; defaults to the current repo").requiredOption("--stage <stage>", "dev | rc | main").option("--ssh-host <host>", "the box address the deploy ssh-es into (required for hetzner-ssh)").option("--ssh-user <user>", "ssh user (default root)").option("--port <port>", "loopback port the container binds / Caddy upstream (1..65535)").option("--substrate <substrate>", "hetzner-ssh (default)").option("--deploy-path <path>", "on-box per-stage release root (default /opt/mmi/<slug>/<stage>)").option("--service <name>", "systemd/compose service name (default the slug)").option("--domain <domain>", "canonical serving host (default the project edgeDomains[stage])").option("--alias <domain...>", "extra serving hostname the box Caddy answers (repeatable)").option("--json", "machine-readable output").action(async (repoOrSlug, o) => {
+  const cfg = await loadConfig();
+  let target;
+  try {
+    target = await projectTarget("project set-deploy", repoOrSlug);
+  } catch (e) {
+    return fail(e.message);
+  }
+  const slug = slugOf(target);
+  let body;
+  try {
+    body = buildSetDeployPatch(slug, {
+      stage: o.stage,
+      sshHost: o.sshHost,
+      sshUser: o.sshUser,
+      port: o.port,
+      substrate: o.substrate,
+      deployPath: o.deployPath,
+      service: o.service,
+      domain: o.domain,
+      aliases: o.alias
+    });
+  } catch (e) {
+    return fail(e.message);
+  }
+  const res = await setDeployCoords(slug, body, registryClientDeps(cfg));
+  return reportWrite("project set-deploy", res);
+});
 var registry = program2.command("registry").description("the DDB org registry \u2014 org-level constants");
 registry.command("org").description("the org config (account id, region, orgProjectId, sagaApiUrl)").option("--json", "machine-readable output").action(async (_o) => {
   const cfg = await loadConfig();
@@ -18011,6 +18283,46 @@ issue.command("link-child <parent> <child>").description("link an existing issue
     return fail(`issue link-child: ${(err.stderr || err.message || String(e)).trim()}${note ? ` (${note})` : ""}`);
   }
 });
+issue.command("check <ref>").description("tick (or with --off untick) a task-list checkbox in an issue/epic body by its item text and print {number,repo,item,checked,changed} JSON").requiredOption("--item <text>", "the checklist item to match \u2014 exact item text, else a unique substring").option("--off", "untick the item ([x] \u2192 [ ]) instead of ticking it").option("--repo <owner/repo>", "repo for a bare ref (defaults to the current repo)").action(async (ref, o) => {
+  let parsed;
+  try {
+    parsed = parseIssueRef(ref);
+  } catch (e) {
+    return fail(`issue check: ${e.message}`);
+  }
+  const repo = await resolveRepo(parsed.repo ?? o.repo);
+  if (!repo) return fail("issue check: could not resolve repo \u2014 pass --repo owner/repo");
+  const checked = o.off !== true;
+  let body;
+  try {
+    const viewed = await ghJson(["issue", "view", String(parsed.number), "--repo", repo, "--json", "body"]);
+    body = viewed.body ?? "";
+  } catch (e) {
+    return fail(`issue check: could not read ${repo}#${parsed.number}: ${e.message}`);
+  }
+  const result = applyChecklistCheck(body, o.item, checked);
+  if (!result.ok) {
+    if (result.reason === "ambiguous") {
+      const list = result.matches.map((m) => `  - ${m.text}`).join("\n");
+      return fail(`issue check: "${o.item}" matches ${result.matches.length} checklist items in ${repo}#${parsed.number} \u2014 narrow the text:
+${list}`);
+    }
+    return fail(`issue check: no checklist item matching "${o.item}" in ${repo}#${parsed.number}`);
+  }
+  if (!result.edit.changed) {
+    return console.log(JSON.stringify({ number: parsed.number, repo, item: result.item.text, checked, changed: false }));
+  }
+  const edit = await bodyArgsViaFile(["issue", "edit", String(parsed.number), "--repo", repo, "--body", result.edit.body]);
+  try {
+    await execFileP2("gh", edit.args, { timeout: GH_MUTATION_TIMEOUT_MS });
+  } catch (e) {
+    const note = timeoutKillNote(e, GH_MUTATION_TIMEOUT_MS);
+    return fail(`issue check: edit failed for ${repo}#${parsed.number}: ${e.message}${note ? ` (${note})` : ""}`);
+  } finally {
+    await edit.cleanup();
+  }
+  console.log(JSON.stringify({ number: parsed.number, repo, item: result.item.text, checked, changed: true }));
+});
 program2.command("report").description("file a friction report on the Hub board (GitHub auth, dedups open reports) and print {number,url} JSON").option("--title <title>", "one-line friction summary").option("--title-file <path|->", "read the friction summary from a UTF-8 file, or from stdin with -").option("--body <body>", "report body (markdown)").option("--body-file <path|->", "read report body from a UTF-8 file, or from stdin with -").option("--type <type>", "bug | feature | task (sets the matching label)", "task").option("--priority <priority>", "urgent | high | medium | low (sets the board Priority field only, #416)", "medium").option("--repo <owner/repo>", `target repo (defaults to the org Hub: ${HUB_REPO2})`).option("--force", "file a new issue even when an open report looks like a duplicate").option("--json", "machine-readable output (already the default \u2014 report always prints JSON; #682)").action(async (o) => {
   let body;
   let priority;
@@ -18284,9 +18596,9 @@ pr.command("create").description("create a PR and print {number,url} JSON").opti
   console.log(JSON.stringify(created));
 });
 async function listCiWorkflowPaths(cwd = process.cwd()) {
-  const wfDir = (0, import_node_path19.join)(cwd, ".github", "workflows");
-  if (!(0, import_node_fs22.existsSync)(wfDir)) return [];
-  return (0, import_node_fs22.readdirSync)(wfDir).filter((name) => /\.(ya?ml)$/i.test(name)).map((name) => `.github/workflows/${name}`);
+  const wfDir = (0, import_node_path20.join)(cwd, ".github", "workflows");
+  if (!(0, import_node_fs23.existsSync)(wfDir)) return [];
+  return (0, import_node_fs23.readdirSync)(wfDir).filter((name) => /\.(ya?ml)$/i.test(name)).map((name) => `.github/workflows/${name}`);
 }
 async function resolveMergeCiPolicyForCheckout(repoOpt) {
   const repo = repoOpt ?? await resolveRepo();
@@ -18305,7 +18617,7 @@ function ciAuditDeps() {
     // Continuous CI delivery (#1550): the gate re-seed renders from the Hub's on-disk seed templates. The
     // reconcile runs IN the Hub checkout, so this is local-file I/O (no network fetch). Path is relative to
     // the repo root (e.g. skills/bootstrap/seeds/gate.template.yml).
-    readSeedFile: (path2) => (0, import_node_fs22.existsSync)(path2) ? (0, import_node_fs22.readFileSync)(path2, "utf8") : null
+    readSeedFile: (path2) => (0, import_node_fs23.existsSync)(path2) ? (0, import_node_fs23.readFileSync)(path2, "utf8") : null
   };
 }
 pr.command("ci-policy").description("report merge CI policy: wait-for-checks vs no-ci (for grind/build agents)").option("--json", "machine-readable output").option("--repo <owner/repo>", "target repo (defaults to the current checkout)").action(async (o) => {
@@ -18441,7 +18753,7 @@ async function createDeferredWorktreeStore() {
       },
       write: async (entries) => {
         try {
-          await (0, import_promises7.mkdir)((0, import_node_path19.dirname)(registryPath), { recursive: true });
+          await (0, import_promises7.mkdir)((0, import_node_path20.dirname)(registryPath), { recursive: true });
           await (0, import_promises7.writeFile)(registryPath, serializeDeferredWorktrees(entries), "utf8");
         } catch {
         }
@@ -18455,13 +18767,13 @@ var realWorktreeDirRemover = {
   probe: (p) => {
     let st;
     try {
-      st = (0, import_node_fs22.lstatSync)(p);
+      st = (0, import_node_fs23.lstatSync)(p);
     } catch {
       return null;
     }
     if (st.isSymbolicLink()) return "link";
     try {
-      (0, import_node_fs22.readlinkSync)(p);
+      (0, import_node_fs23.readlinkSync)(p);
       return "link";
     } catch {
     }
@@ -18469,7 +18781,7 @@ var realWorktreeDirRemover = {
   },
   readdir: (p) => {
     try {
-      return (0, import_node_fs22.readdirSync)(p);
+      return (0, import_node_fs23.readdirSync)(p);
     } catch {
       return [];
     }
@@ -18478,9 +18790,9 @@ var realWorktreeDirRemover = {
   // leaving the target); a file symlink with unlink. rmdir first, fall back to unlink.
   detachLink: (p) => {
     try {
-      (0, import_node_fs22.rmdirSync)(p);
+      (0, import_node_fs23.rmdirSync)(p);
     } catch {
-      (0, import_node_fs22.unlinkSync)(p);
+      (0, import_node_fs23.unlinkSync)(p);
     }
   },
   removeTree: (p) => (0, import_promises7.rm)(p, { recursive: true, force: true, maxRetries: 5, retryDelay: 200 })
@@ -18501,7 +18813,7 @@ function worktreeRemoveDeps(execGit) {
 }
 function teardownWorktreeStage(worktreePath) {
   return runWorktreeStageTeardown(worktreePath, {
-    hasStageState: (wt) => (0, import_node_fs22.existsSync)(stageStatePath(wt)),
+    hasStageState: (wt) => (0, import_node_fs23.existsSync)(stageStatePath(wt)),
     stopRecordedStage: async (wt) => (await stopStage({ cwd: wt })).pid,
     listComposeProjects: async () => {
       const { stdout } = await execFileP2("docker", ["compose", "ls", "--all", "--format", "json"], { timeout: GC_GH_TIMEOUT_MS });
@@ -18564,7 +18876,7 @@ pr.command("merge <number>").description("merge a PR (squash by default) and cle
     } : await cleanupPrMergeLocalBranch(headRef, {
       beforeWorktrees,
       startingPath,
-      pathExists: (p) => (0, import_node_fs22.existsSync)(p),
+      pathExists: (p) => (0, import_node_fs23.existsSync)(p),
       execGit: async (args) => (await execFileP2("git", args, { timeout: GIT_TIMEOUT_MS })).stdout,
       teardownWorktreeStage,
       deferredStore,
@@ -18607,6 +18919,9 @@ async function runBoardRead(o) {
 }
 var board = program2.command("board").description("read, claim, show, and move Project v2 work items for the current repo");
 board.command("read", { isDefault: true }).description("read the board and print user-owned, claimable, and taken items").option("--json", "machine-readable output").option("--repo <owner/repo>", "current repo (defaults to git origin)").option("--bundle-details", "fetch body/comments only for user-owned and claimable issues").option("--allow-partial", "return partial board results when later page/detail reads fail").action((o) => runBoardRead(o));
+board.command("slice-refresh", { hidden: true }).description("internal: refresh the cached SessionStart board slice (background worker)").option("--quiet", "silent (background worker)").action(async () => {
+  await refreshBoardSliceCache({ loadConfig: () => loadConfigForRepo(), readBoard });
+});
 board.command("claim <issues...>").description("assign Todo issues and move their Project v2 Status to In Progress (one or more refs)").option("--json", "machine-readable output").option("--repo <owner/repo>", "current repo for local issue numbers (defaults to git origin)").option("--for <login>", "assign to this login instead of @me \u2014 agent claims on behalf of the master").option("--allow-partial", "return success JSON if assignment succeeds but the status move fails").action(async (issueRefs, o) => {
   if (issueRefs.length === 1) {
     const issueRef = issueRefs[0];
@@ -18739,7 +19054,7 @@ function rawValues(flag) {
   return out;
 }
 function printLine(value) {
-  (0, import_node_fs22.writeSync)(1, `${value}
+  (0, import_node_fs23.writeSync)(1, `${value}
 `);
 }
 function stageKeepAlive() {
@@ -18756,8 +19071,8 @@ async function resolveStage() {
     local,
     shell: shellFor(),
     registry: { deployModel: project2?.deployModel, portRange, error: read.ok ? void 0 : read.error },
-    hasCompose: (0, import_node_fs22.existsSync)((0, import_node_path19.join)(process.cwd(), "docker-compose.yml")),
-    hasEnvExample: (0, import_node_fs22.existsSync)((0, import_node_path19.join)(process.cwd(), ".env.example"))
+    hasCompose: (0, import_node_fs23.existsSync)((0, import_node_path20.join)(process.cwd(), "docker-compose.yml")),
+    hasEnvExample: (0, import_node_fs23.existsSync)((0, import_node_path20.join)(process.cwd(), ".env.example"))
   });
 }
 async function fetchStageVaultEnvMerge() {
@@ -18809,9 +19124,9 @@ program2.command("port-range <repo>").description("assign (idempotently) + print
     printLine(o.json ? JSON.stringify({ repo, portRange: [start2, end2], source: "meta" }) : `${repo}: stage.portRange [${start2}, ${end2}]`);
     return;
   }
-  const path2 = (0, import_node_path19.join)(process.cwd(), "infra", "port-ranges.json");
+  const path2 = (0, import_node_path20.join)(process.cwd(), "infra", "port-ranges.json");
   const allocate = async (seed) => {
-    const { stdout } = await execFileP2("node", [(0, import_node_path19.join)(process.cwd(), "infra", "port-ddb.mjs"), String(seed)], { timeout: 15e3 });
+    const { stdout } = await execFileP2("node", [(0, import_node_path20.join)(process.cwd(), "infra", "port-ddb.mjs"), String(seed)], { timeout: 15e3 });
     const parsed = JSON.parse(stdout);
     if (!Array.isArray(parsed.range) || parsed.range.length !== 2) throw new Error("port-ddb: no range in output");
     return parsed.range;
@@ -18831,7 +19146,11 @@ async function stageLiveTarget() {
   const repo = await resolveRepo();
   if (!repo) throw new Error("stage --live: cannot resolve the current repo (run inside a GitHub-remoted checkout)");
   const ref = await gitOut(["rev-parse", "--abbrev-ref", "HEAD"]).catch(() => "") || void 0;
-  return { slug: slugOf(repo), repo, ref };
+  const slug = slugOf(repo);
+  const meta = await fetchProjectBySlug(slug, registryClientDeps(await loadConfig())).catch(() => null);
+  const host = edgeDomainsByStage(meta).dev ?? `dev.${defaultSubdomain(slug)}.mutatismutandis.co`;
+  if (!host.trim()) throw new Error(`stage --live: no dev edge host for ${slug} (registry edgeDomains.dev)`);
+  return { slug, repo, host, ref };
 }
 async function runStageLiveCommand(o) {
   let target;
@@ -19202,7 +19521,7 @@ bootstrap.command("verify <repo>").description("audit whether an existing repo i
     client: defaultGitHubClient(),
     projectMeta: meta,
     deployModel: typeof meta?.deployModel === "string" ? meta.deployModel : void 0,
-    readLocalFile: (path2) => path2 === "projects.json" && apiProjects != null ? apiProjects : (0, import_node_fs22.existsSync)(path2) ? (0, import_node_fs22.readFileSync)(path2, "utf8") : null,
+    readLocalFile: (path2) => path2 === "projects.json" && apiProjects != null ? apiProjects : (0, import_node_fs23.existsSync)(path2) ? (0, import_node_fs23.readFileSync)(path2, "utf8") : null,
     // requiredGcpApis is stored as an array by a JSON write, but `project set --var KEY=VALUE` stores a raw
     // comma-string — accept either so the seeded value verifies regardless of how it was written.
     requiredGcpApis: (() => {
@@ -19246,12 +19565,12 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
     return fail(`bootstrap apply: ${e.message}`);
   }
   const manifestPath = "skills/bootstrap/seeds/manifest.json";
-  if (!(0, import_node_fs22.existsSync)(manifestPath)) return fail(`bootstrap apply: ${manifestPath} not found; run from the MMI-Hub repo root`);
-  const manifest = loadBootstrapSeeds((0, import_node_fs22.readFileSync)(manifestPath, "utf8"));
+  if (!(0, import_node_fs23.existsSync)(manifestPath)) return fail(`bootstrap apply: ${manifestPath} not found; run from the MMI-Hub repo root`);
+  const manifest = loadBootstrapSeeds((0, import_node_fs23.readFileSync)(manifestPath, "utf8"));
   const baseBranch = o.class === "content" ? "main" : "development";
   const slug = parsedRepo.slug;
   const gh = async (args) => execFileP2("gh", args, { timeout: 2e4 });
-  const readFile7 = (p) => (0, import_node_fs22.existsSync)(p) ? (0, import_node_fs22.readFileSync)(p, "utf8") : null;
+  const readFile7 = (p) => (0, import_node_fs23.existsSync)(p) ? (0, import_node_fs23.readFileSync)(p, "utf8") : null;
   const enc2 = (p) => p.split("/").map(encodeURIComponent).join("/");
   const rawVars = {};
   for (const value of rawValues("--var")) {
@@ -19502,16 +19821,16 @@ access.command("audit").description("audit collaborator roles + train-branch pus
     if (o.class !== "deployable" && o.class !== "content") return failGraceful("access audit: --class must be deployable or content");
     targets = [{ repo: o.repo, class: o.class }];
   } else {
-    const projectsJson = registryProjects ? JSON.stringify({ projects: registryProjects }) : (0, import_node_fs22.existsSync)("projects.json") ? (0, import_node_fs22.readFileSync)("projects.json", "utf8") : null;
+    const projectsJson = registryProjects ? JSON.stringify({ projects: registryProjects }) : (0, import_node_fs23.existsSync)("projects.json") ? (0, import_node_fs23.readFileSync)("projects.json", "utf8") : null;
     if (!projectsJson) return failGraceful("access audit: no project registry \u2014 Hub API unreachable and projects.json not found; run from the MMI-Hub repo root or pass --repo <owner/repo>");
-    const fanoutJson = (0, import_node_fs22.existsSync)(".github/fanout-targets.json") ? (0, import_node_fs22.readFileSync)(".github/fanout-targets.json", "utf8") : null;
+    const fanoutJson = (0, import_node_fs23.existsSync)(".github/fanout-targets.json") ? (0, import_node_fs23.readFileSync)(".github/fanout-targets.json", "utf8") : null;
     targets = loadAccessTargets(projectsJson, fanoutJson);
   }
   const derivedMatrix = registryProjects ? accessMatrixFromProjects(registryProjects) : {};
-  const fileMatrix = (0, import_node_fs22.existsSync)("access-matrix.json") ? loadAccessMatrix((0, import_node_fs22.readFileSync)("access-matrix.json", "utf8")) : {};
+  const fileMatrix = (0, import_node_fs23.existsSync)("access-matrix.json") ? loadAccessMatrix((0, import_node_fs23.readFileSync)("access-matrix.json", "utf8")) : {};
   const matrix = mergeAccessMatrix(fileMatrix, derivedMatrix);
   const derivedContracts = registryProjects ? dataAccessContractsFromProjects(registryProjects) : { consumers: {} };
-  const fileContracts = (0, import_node_fs22.existsSync)("data-access-contracts.json") ? loadDataAccessContracts((0, import_node_fs22.readFileSync)("data-access-contracts.json", "utf8")) : { consumers: {} };
+  const fileContracts = (0, import_node_fs23.existsSync)("data-access-contracts.json") ? loadDataAccessContracts((0, import_node_fs23.readFileSync)("data-access-contracts.json", "utf8")) : { consumers: {} };
   const dataAccess = mergeDataAccessContracts(fileContracts, derivedContracts);
   const report = await auditOrgAccess(targets, deps, matrix, dataAccess);
   console.log(o.json ? JSON.stringify(report, null, 2) : renderAccessReport(report));
@@ -19521,20 +19840,20 @@ access.command("capabilities").description("enumerate your effective vault reach
 var isWin = process.platform === "win32";
 var installedPluginsPath = (surface = detectSurface(process.env)) => {
   const homeDir = surface === "codex" ? ".codex" : ".claude";
-  return (0, import_node_path19.join)((0, import_node_os6.homedir)(), homeDir, "plugins", "installed_plugins.json");
+  return (0, import_node_path20.join)((0, import_node_os6.homedir)(), homeDir, "plugins", "installed_plugins.json");
 };
 function readInstalledPlugins() {
   try {
-    return JSON.parse((0, import_node_fs22.readFileSync)(installedPluginsPath(), "utf8"));
+    return JSON.parse((0, import_node_fs23.readFileSync)(installedPluginsPath(), "utf8"));
   } catch {
     return null;
   }
 }
 function installedPluginSources() {
   return ["claude", "codex"].map((surface) => {
-    const recordPath = (0, import_node_path19.join)((0, import_node_os6.homedir)(), `.${surface}`, "plugins", "installed_plugins.json");
+    const recordPath = (0, import_node_path20.join)((0, import_node_os6.homedir)(), `.${surface}`, "plugins", "installed_plugins.json");
     try {
-      return { surface, installed: JSON.parse((0, import_node_fs22.readFileSync)(recordPath, "utf8")), recordPath };
+      return { surface, installed: JSON.parse((0, import_node_fs23.readFileSync)(recordPath, "utf8")), recordPath };
     } catch {
       return { surface, installed: null, recordPath };
     }
@@ -19542,7 +19861,7 @@ function installedPluginSources() {
 }
 function readClaudeSettings() {
   try {
-    return JSON.parse((0, import_node_fs22.readFileSync)((0, import_node_path19.join)(process.cwd(), ".claude", "settings.json"), "utf8"));
+    return JSON.parse((0, import_node_fs23.readFileSync)((0, import_node_path20.join)(process.cwd(), ".claude", "settings.json"), "utf8"));
   } catch {
     return null;
   }
@@ -19564,7 +19883,7 @@ function writeProjectInstallRecord(record) {
     const list = file.plugins[MMI_PLUGIN_ID] ?? [];
     list.push(record);
     file.plugins[MMI_PLUGIN_ID] = list;
-    (0, import_node_fs22.writeFileSync)(installedPluginsPath(), `${JSON.stringify(file, null, 2)}
+    (0, import_node_fs23.writeFileSync)(installedPluginsPath(), `${JSON.stringify(file, null, 2)}
 `, "utf8");
     return true;
   } catch {
@@ -19577,9 +19896,9 @@ function backupAndWriteInstalledPlugins(records, pluginId) {
     if (!file) return false;
     if (!file.plugins) file.plugins = {};
     const path2 = installedPluginsPath();
-    (0, import_node_fs22.copyFileSync)(path2, `${path2}.bak`);
+    (0, import_node_fs23.copyFileSync)(path2, `${path2}.bak`);
     file.plugins[pluginId] = records;
-    (0, import_node_fs22.writeFileSync)(path2, `${JSON.stringify(file, null, 2)}
+    (0, import_node_fs23.writeFileSync)(path2, `${JSON.stringify(file, null, 2)}
 `, "utf8");
     return true;
   } catch {
@@ -19587,35 +19906,35 @@ function backupAndWriteInstalledPlugins(records, pluginId) {
   }
 }
 function cursorPluginCacheRoot() {
-  return (0, import_node_path19.join)((0, import_node_os6.homedir)(), ".cursor", "plugins", "cache", "mutmutco", "mmi");
+  return (0, import_node_path20.join)((0, import_node_os6.homedir)(), ".cursor", "plugins", "cache", "mutmutco", "mmi");
 }
 function cursorPluginCachePinSnapshots() {
   const root = cursorPluginCacheRoot();
   try {
-    return (0, import_node_fs22.readdirSync)(root, { withFileTypes: true }).filter((entry) => entry.isDirectory() && !entry.name.startsWith(".")).map((entry) => {
-      const path2 = (0, import_node_path19.join)(root, entry.name);
-      const pluginJson = (0, import_node_path19.join)(path2, ".cursor-plugin", "plugin.json");
-      const hooksJson = (0, import_node_path19.join)(path2, "hooks", "hooks.json");
-      const cliBundle = (0, import_node_path19.join)(path2, "cli", "dist", "index.cjs");
+    return (0, import_node_fs23.readdirSync)(root, { withFileTypes: true }).filter((entry) => entry.isDirectory() && !entry.name.startsWith(".")).map((entry) => {
+      const path2 = (0, import_node_path20.join)(root, entry.name);
+      const pluginJson = (0, import_node_path20.join)(path2, ".cursor-plugin", "plugin.json");
+      const hooksJson = (0, import_node_path20.join)(path2, "hooks", "hooks.json");
+      const cliBundle = (0, import_node_path20.join)(path2, "cli", "dist", "index.cjs");
       let version;
       try {
-        const raw = JSON.parse((0, import_node_fs22.readFileSync)(pluginJson, "utf8"));
+        const raw = JSON.parse((0, import_node_fs23.readFileSync)(pluginJson, "utf8"));
         version = typeof raw.version === "string" ? raw.version : void 0;
       } catch {
         version = void 0;
       }
       let isEmpty = true;
       try {
-        isEmpty = (0, import_node_fs22.readdirSync)(path2).length === 0;
+        isEmpty = (0, import_node_fs23.readdirSync)(path2).length === 0;
       } catch {
         isEmpty = true;
       }
       return {
         name: entry.name,
         path: path2,
-        hasPluginJson: (0, import_node_fs22.existsSync)(pluginJson),
-        hasHooksJson: (0, import_node_fs22.existsSync)(hooksJson),
-        hasCliBundle: (0, import_node_fs22.existsSync)(cliBundle),
+        hasPluginJson: (0, import_node_fs23.existsSync)(pluginJson),
+        hasHooksJson: (0, import_node_fs23.existsSync)(hooksJson),
+        hasCliBundle: (0, import_node_fs23.existsSync)(cliBundle),
         isEmpty,
         version
       };
@@ -19625,19 +19944,19 @@ function cursorPluginCachePinSnapshots() {
   }
 }
 function hubCheckoutForCursorSeed() {
-  const manifest = (0, import_node_path19.join)(process.cwd(), "plugins", "mmi", ".cursor-plugin", "plugin.json");
-  return (0, import_node_fs22.existsSync)(manifest) ? process.cwd() : void 0;
+  const manifest = (0, import_node_path20.join)(process.cwd(), "plugins", "mmi", ".cursor-plugin", "plugin.json");
+  return (0, import_node_fs23.existsSync)(manifest) ? process.cwd() : void 0;
 }
 function mmiPluginCacheRootSnapshots() {
   const roots = [
-    { surface: "claude", root: (0, import_node_path19.join)((0, import_node_os6.homedir)(), ".claude", "plugins", "cache", "mutmutco", "mmi") },
-    { surface: "codex", root: (0, import_node_path19.join)((0, import_node_os6.homedir)(), ".codex", "plugins", "cache", "mutmutco", "mmi") }
+    { surface: "claude", root: (0, import_node_path20.join)((0, import_node_os6.homedir)(), ".claude", "plugins", "cache", "mutmutco", "mmi") },
+    { surface: "codex", root: (0, import_node_path20.join)((0, import_node_os6.homedir)(), ".codex", "plugins", "cache", "mutmutco", "mmi") }
   ];
   return roots.flatMap(({ surface, root }) => {
     try {
-      const entries = (0, import_node_fs22.readdirSync)(root, { withFileTypes: true }).map((entry) => ({
+      const entries = (0, import_node_fs23.readdirSync)(root, { withFileTypes: true }).map((entry) => ({
         name: entry.name,
-        path: (0, import_node_path19.join)(root, entry.name),
+        path: (0, import_node_path20.join)(root, entry.name),
         isDirectory: entry.isDirectory()
       }));
       return [{ surface, root, entries }];
@@ -19648,7 +19967,7 @@ function mmiPluginCacheRootSnapshots() {
 }
 function hasNestedMmiChild(versionDir) {
   try {
-    return (0, import_node_fs22.statSync)((0, import_node_path19.join)(versionDir, "mmi")).isDirectory();
+    return (0, import_node_fs23.statSync)((0, import_node_path20.join)(versionDir, "mmi")).isDirectory();
   } catch {
     return false;
   }
@@ -19659,10 +19978,10 @@ function nestedPluginTreeSnapshot() {
   );
 }
 function uniqueQuarantineTarget(path2) {
-  if (!(0, import_node_fs22.existsSync)(path2)) return path2;
+  if (!(0, import_node_fs23.existsSync)(path2)) return path2;
   for (let i = 1; i < 100; i += 1) {
     const candidate = `${path2}-${i}`;
-    if (!(0, import_node_fs22.existsSync)(candidate)) return candidate;
+    if (!(0, import_node_fs23.existsSync)(candidate)) return candidate;
   }
   return `${path2}-${Date.now()}`;
 }
@@ -19671,10 +19990,10 @@ function quarantinePluginCacheDirs(plan2) {
   const failed = [];
   for (const move of plan2) {
     try {
-      if (!(0, import_node_fs22.existsSync)(move.from)) continue;
+      if (!(0, import_node_fs23.existsSync)(move.from)) continue;
       const target = uniqueQuarantineTarget(move.to);
-      (0, import_node_fs22.mkdirSync)((0, import_node_path19.dirname)(target), { recursive: true });
-      (0, import_node_fs22.renameSync)(move.from, target);
+      (0, import_node_fs23.mkdirSync)((0, import_node_path20.dirname)(target), { recursive: true });
+      (0, import_node_fs23.renameSync)(move.from, target);
       moved += 1;
     } catch {
       failed.push(move);
@@ -19693,23 +20012,23 @@ async function robocopyMirrorEmpty(emptyDir, target) {
 }
 async function clearNestedPluginTreeDir(targetPath) {
   try {
-    if (!(0, import_node_fs22.existsSync)(targetPath)) return true;
+    if (!(0, import_node_fs23.existsSync)(targetPath)) return true;
     if (isWin) {
-      const emptyDir = (0, import_node_path19.join)((0, import_node_os6.tmpdir)(), `mmi-empty-${Date.now()}`);
-      (0, import_node_fs22.mkdirSync)(emptyDir, { recursive: true });
+      const emptyDir = (0, import_node_path20.join)((0, import_node_os6.tmpdir)(), `mmi-empty-${Date.now()}`);
+      (0, import_node_fs23.mkdirSync)(emptyDir, { recursive: true });
       try {
         await robocopyMirrorEmpty(emptyDir, targetPath);
-        (0, import_node_fs22.rmSync)(targetPath, { recursive: true, force: true });
+        (0, import_node_fs23.rmSync)(targetPath, { recursive: true, force: true });
       } finally {
         try {
-          (0, import_node_fs22.rmSync)(emptyDir, { recursive: true, force: true });
+          (0, import_node_fs23.rmSync)(emptyDir, { recursive: true, force: true });
         } catch {
         }
       }
-      return !(0, import_node_fs22.existsSync)(targetPath);
+      return !(0, import_node_fs23.existsSync)(targetPath);
     }
-    (0, import_node_fs22.rmSync)(targetPath, { recursive: true, force: true });
-    return !(0, import_node_fs22.existsSync)(targetPath);
+    (0, import_node_fs23.rmSync)(targetPath, { recursive: true, force: true });
+    return !(0, import_node_fs23.existsSync)(targetPath);
   } catch {
     return false;
   }
@@ -19722,11 +20041,11 @@ async function applyNestedPluginTreeCleanup(paths, log) {
   }
   return true;
 }
-var gitignorePath = () => (0, import_node_path19.join)(process.cwd(), ".gitignore");
+var gitignorePath = () => (0, import_node_path20.join)(process.cwd(), ".gitignore");
 function readTextFile(path2) {
   try {
-    if (!(0, import_node_fs22.existsSync)(path2)) return null;
-    return (0, import_node_fs22.readFileSync)(path2, "utf8");
+    if (!(0, import_node_fs23.existsSync)(path2)) return null;
+    return (0, import_node_fs23.readFileSync)(path2, "utf8");
   } catch {
     return null;
   }
@@ -19735,9 +20054,9 @@ function playwrightMcpConfigSnapshots() {
   const cwd = process.cwd();
   const home = (0, import_node_os6.homedir)();
   const candidates = [
-    (0, import_node_path19.join)(cwd, ".cursor", "mcp.json"),
-    (0, import_node_path19.join)(home, ".cursor", "mcp.json"),
-    (0, import_node_path19.join)(home, ".codex", "config.toml")
+    (0, import_node_path20.join)(cwd, ".cursor", "mcp.json"),
+    (0, import_node_path20.join)(home, ".cursor", "mcp.json"),
+    (0, import_node_path20.join)(home, ".codex", "config.toml")
   ];
   const out = [];
   for (const path2 of candidates) {
@@ -19750,7 +20069,7 @@ function strayBrowserArtifactPaths() {
   const cwd = process.cwd();
   return STRAY_BROWSER_ARTIFACT_DIRS.filter((rel) => {
     try {
-      return (0, import_node_fs22.existsSync)((0, import_node_path19.join)(cwd, rel));
+      return (0, import_node_fs23.existsSync)((0, import_node_path20.join)(cwd, rel));
     } catch {
       return false;
     }
@@ -19758,14 +20077,14 @@ function strayBrowserArtifactPaths() {
 }
 function readGitignore() {
   try {
-    return (0, import_node_fs22.readFileSync)(gitignorePath(), "utf8");
+    return (0, import_node_fs23.readFileSync)(gitignorePath(), "utf8");
   } catch {
     return null;
   }
 }
 function writeGitignore(content) {
   try {
-    (0, import_node_fs22.writeFileSync)(gitignorePath(), content, "utf8");
+    (0, import_node_fs23.writeFileSync)(gitignorePath(), content, "utf8");
     return true;
   } catch {
     return false;
@@ -19804,7 +20123,7 @@ async function runDoctor(opts, io = consoleIo) {
   let onPath = pathProbe;
   if (!onPath) {
     const root = process.env.CLAUDE_PLUGIN_ROOT;
-    if (root && (0, import_node_fs22.existsSync)(`${root}/bin/mmi-cli${isWin ? ".cmd" : ""}`)) onPath = true;
+    if (root && (0, import_node_fs23.existsSync)(`${root}/bin/mmi-cli${isWin ? ".cmd" : ""}`)) onPath = true;
   }
   checks.push({ ok: onPath, label: "mmi-cli on PATH", fix: "auto-provisioned at session start \u2014 reopen the session, or install the MMI plugin" });
   const surface = detectSurface(process.env);
@@ -19837,9 +20156,10 @@ async function runDoctor(opts, io = consoleIo) {
   }
   checks.push({ ok: cloneOk, label: "plugin git clone (SSH\u2192HTTPS rewrite)", fix: CLONE_FIX });
   const installed = readInstalledPlugins();
+  const claudeSettings = readClaudeSettings();
   let pluginCheck = buildPluginInstallRecordCheck({
     isOrgRepo: Boolean(cfg.sagaApiUrl),
-    settings: readClaudeSettings(),
+    settings: claudeSettings,
     installed,
     projectPath: process.cwd(),
     mirrorFrom: existingMirrorRecord(installed),
@@ -19852,6 +20172,7 @@ async function runDoctor(opts, io = consoleIo) {
     }
   }
   checks.push(pluginCheck);
+  checks.push(buildSettingsPluginDriftCheck({ isOrgRepo: Boolean(cfg.sagaApiUrl), settings: claudeSettings }));
   let legacyPluginCheck = buildLegacyPluginInstallCheck({
     isOrgRepo: Boolean(cfg.sagaApiUrl),
     sources: installedPluginSources(),
@@ -20006,7 +20327,7 @@ async function runDoctor(opts, io = consoleIo) {
     isOrgRepo: Boolean(cfg.sagaApiUrl),
     surface,
     cacheRoot: cursorCacheRoot,
-    cacheRootExists: (0, import_node_fs22.existsSync)(cursorCacheRoot),
+    cacheRootExists: (0, import_node_fs23.existsSync)(cursorCacheRoot),
     pins: cursorPins,
     hubCheckout: hubCheckoutForCursorSeed(),
     releasedVersion
@@ -20017,7 +20338,7 @@ async function runDoctor(opts, io = consoleIo) {
       releasedVersion,
       hubCheckout: hubCheckoutForCursorSeed(),
       execFileP: execFileP2,
-      mkdtemp: (prefix) => (0, import_promises7.mkdtemp)((0, import_node_path19.join)((0, import_node_os6.tmpdir)(), prefix)),
+      mkdtemp: (prefix) => (0, import_promises7.mkdtemp)((0, import_node_path20.join)((0, import_node_os6.tmpdir)(), prefix)),
       log: (m) => io.err(m)
     });
     if (seeded) {
@@ -20026,7 +20347,7 @@ async function runDoctor(opts, io = consoleIo) {
         isOrgRepo: Boolean(cfg.sagaApiUrl),
         surface,
         cacheRoot: cursorCacheRoot,
-        cacheRootExists: (0, import_node_fs22.existsSync)(cursorCacheRoot),
+        cacheRootExists: (0, import_node_fs23.existsSync)(cursorCacheRoot),
         pins: cursorPins,
         hubCheckout: hubCheckoutForCursorSeed(),
         releasedVersion
@@ -20231,7 +20552,15 @@ program2.command("session-start").description("run the SessionStart verbs (rules
       northstarInjected = await runNorthstarContext(io, {
         loadPlans: () => scopedPlanList(planDeps),
         readLocal: (slug) => planDeps.readLocal(slug),
-        gatherSignals: gatherRelevanceSignals
+        // #1812: thread the saga HEAD's North Star anchor (its NEXT slug) into the relevance gate so
+        // the plan the agent is actively on is force-injected even on a generic branch with no token
+        // overlap. fetchSagaHead errors are swallowed via a silent io — a missing/failed HEAD just
+        // falls back to token-overlap scoring, never noises or blocks the banner.
+        gatherSignals: () => gatherRelevanceSignals({
+          anchorSlug: () => fetchSagaHead({ log: () => {
+          }, err: () => {
+          } }).then((h) => h?.anchor?.slug ?? void 0)
+        })
       });
     },
     sagaHealth: (io) => runSagaHealth({ banner: true, quiet: true }, io),
@@ -20247,12 +20576,16 @@ program2.command("session-start").description("run the SessionStart verbs (rules
     },
     boardSlice: (io) => runBoardSlice(io, {
       loadConfig: () => loadConfigForRepo(),
-      readBoard
+      readBoard,
+      // #1813: warm the slice cache out-of-band (detached, like docs sync) so the ~20s live read
+      // never costs banner time and next session's glance renders instantly within budget.
+      scheduleRefresh: () => spawnDetachedSelf(["board", "slice-refresh", "--quiet"], { spawn: import_node_child_process12.spawn, execPath: process.execPath, scriptPath: process.argv[1] })
     }),
     doctor: (io) => runDoctor({ banner: true }, io)
   });
   await runSessionStart(parallel, sequential, consoleIo);
   consoleIo.log(northstarPointer(northstarInjected));
+  consoleIo.log(kbPointer());
   for (const line of planStoreLines(process.cwd())) consoleIo.log(line);
   for (const line of scratchGcLines(process.cwd())) consoleIo.log(line);
   const worktreeBanner = worktreeAutoProvisionBanner(process.cwd());