@mutmutco/cli 2.54.2 → 2.56.0

package/dist/main.cjs

@@ -3408,7 +3408,7 @@ var program = new Command();
 
 // src/index.ts
 var import_promises8 = require("node:fs/promises");
-var import_node_fs28 = require("node:fs");
+var import_node_fs29 = require("node:fs");
 
 // src/rules-sync.ts
 function normalizeEol(s) {
@@ -5594,7 +5594,7 @@ async function restoreDirtyOrgSpineToHead(deps, options = {}) {
 }
 
 // src/index.ts
-var import_node_child_process13 = require("node:child_process");
+var import_node_child_process15 = require("node:child_process");
 
 // src/cli-shared.ts
 var import_promises = require("node:fs/promises");
@@ -9862,7 +9862,7 @@ async function runCoopDeliver(coopId, io, quiet = false) {
   if (!quiet) {
     io.log(`[coop deliver] ${coopId} \u2014 issue ${match.meta.issueUrl}`);
     for (const m of match.messages) io.log(m.envelope);
-    io.log("[coop deliver] Read the issue, reply via `mmi-cli coop say`, then mark delivered.");
+    io.log("[coop deliver] Coordinate in `#mmi-agents` via `mmi-cli coop say`; the issue keeps proof/context.");
   }
   await postJson("/coop/delivered", { coopId });
 }
@@ -9874,7 +9874,7 @@ function registerCoopCommands(program3) {
       { file: opts.messageFile },
       { readFile: import_promises4.readFile, readStdin },
       { value: "a message argument", file: "--message-file", noun: "message" }
-    ) : "Coop session started \u2014 handshake on the linked issue.";
+    ) : "Coop session started - coordinate in #mmi-agents; the issue keeps proof/context.";
     const payload = {
       repo: opts.repo ?? ctx.repo,
       branch: ctx.branch,
@@ -9955,14 +9955,856 @@ function registerCoopCommands(program3) {
   });
 }
 
-// src/throttle-commands.ts
+// src/overlord.ts
 var import_node_child_process8 = require("node:child_process");
-var import_node_fs14 = require("node:fs");
+var import_node_fs15 = require("node:fs");
+var import_node_os3 = require("node:os");
 var import_node_path13 = require("node:path");
-var THROTTLE_TRACE_REL = (0, import_node_path13.join)(".mmi", "throttle", "trace.jsonl");
+
+// src/atomic-write.ts
+var import_node_fs14 = require("node:fs");
+function atomicWriteFileSync(path2, content) {
+  const tmp = `${path2}.${process.pid}.tmp`;
+  (0, import_node_fs14.writeFileSync)(tmp, content, "utf8");
+  (0, import_node_fs14.renameSync)(tmp, path2);
+}
+
+// src/overlord.ts
+var OVERLORD_DEFAULT_COUNT = 3;
+var OVERLORD_MIN_COUNT = 3;
+var OVERLORD_MAX_COUNT = 6;
+var OVERLORD_HANDOFF_TIMEOUT_MS = 12e4;
+var GENERIC_STOP_NAMES = /* @__PURE__ */ new Set([
+  "windowsterminal",
+  "windows terminal",
+  "pwsh",
+  "powershell",
+  "opencode",
+  "codex",
+  "codex-fugu"
+]);
+function numericCountArg(arg) {
+  const match = /^--([0-9]+)$/.exec(arg);
+  return match ? Number(match[1]) : void 0;
+}
+function isoNow(now = () => /* @__PURE__ */ new Date()) {
+  return now().toISOString();
+}
+function defaultRunId() {
+  return `overlord-${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 10)}`;
+}
+function defaultRunToken() {
+  return Math.random().toString(36).slice(2) + Math.random().toString(36).slice(2);
+}
+function defaultMessageId() {
+  return `msg-${Date.now().toString(36)}-${Math.random().toString(36).slice(2, 10)}`;
+}
+function servantSlotId(slot) {
+  return slot.name.replace(/\s+/g, "-").toLowerCase();
+}
+function overlordServantPrompt(servant, run) {
+  const roleLine = servant.role === "ultra" ? "You are the single Ultra Fugu: take the hardest, highest-uncertainty questions and report calibrated judgment." : "You are a normal Fugu servant: take one bounded mission at a time and report concise evidence.";
+  return [
+    `You are ${servant.name} in Overlord run ${run.runId}.`,
+    roleLine,
+    "First respond with exactly: ACK " + servant.name + " ready",
+    "After the ACK, wait for the Overlord to assign bounded work.",
+    "Do not start dev servers, browsers, Playwright, PRs, merges, releases, or worktree changes unless the Overlord explicitly assigns that scope.",
+    "When assigned work, gather evidence before editing, verify before claiming done, and escalate blockers instead of looping."
+  ].join("\n");
+}
+function parseOverlordCount(args) {
+  const counts = args.map(numericCountArg).filter((n) => n !== void 0);
+  if (counts.length === 0) return OVERLORD_DEFAULT_COUNT;
+  if (counts.length > 1) throw new Error("provide only one overlord servant count");
+  const count = counts[0];
+  if (count < OVERLORD_MIN_COUNT || count > OVERLORD_MAX_COUNT) {
+    throw new Error(`overlord servant count must be between ${OVERLORD_MIN_COUNT} and ${OVERLORD_MAX_COUNT}`);
+  }
+  return count;
+}
+function buildServantLayout(count) {
+  if (count < OVERLORD_MIN_COUNT || count > OVERLORD_MAX_COUNT) {
+    throw new Error(`overlord servant count must be between ${OVERLORD_MIN_COUNT} and ${OVERLORD_MAX_COUNT}`);
+  }
+  const slots = [{
+    name: "fugu ultra 1",
+    role: "ultra",
+    model: "fugu-ultra",
+    index: 1
+  }];
+  for (let i = 1; i < count; i++) {
+    slots.push({
+      name: `fugu normal ${i}`,
+      role: "normal",
+      model: "fugu",
+      index: i
+    });
+  }
+  return slots;
+}
+function validateCodexFuguHelp(helpText) {
+  const problems = [];
+  if (!/(?:^|\s)-a(?:,|\s)|--ask-for-approval/.test(helpText)) problems.push("missing approval flag");
+  if (!/(?:^|\s)-s(?:,|\s)|--sandbox/.test(helpText)) problems.push("missing sandbox flag");
+  if (!/(?:^|\s)-c(?:,|\s)|--config/.test(helpText)) problems.push("missing config override flag");
+  if (!/--no-alt-screen/.test(helpText)) problems.push("missing no-alt-screen flag");
+  if (!/(?:^|\s)-C(?:,|\s)|--cwd|--cd|--workdir/.test(helpText)) problems.push("missing cwd flag");
+  return problems;
+}
+function evaluateCodexFuguPreflight(input) {
+  const problems = [];
+  if (!input.codexFound) problems.push("codex is not installed or not on PATH");
+  if (!input.fuguFound) problems.push("codex-fugu is not installed or not on PATH");
+  if (!input.authConfigured && !input.envNames.includes("OPENAI_API_KEY") && !input.envNames.includes("CODEX_API_KEY")) {
+    problems.push("missing API key environment: OPENAI_API_KEY or CODEX_API_KEY");
+  }
+  problems.push(...validateCodexFuguHelp(input.helpText ?? ""));
+  const status = input.statusText ?? "";
+  const modelCatalog = input.modelCatalogText ?? "";
+  if (!/\bfugu-ultra\b/i.test(`${status}
+${modelCatalog}`)) problems.push("fugu-ultra is not available");
+  if (/native windows codex[^\n]*\/c\/users|\/c\/users[^\n]*native windows codex/i.test(status)) {
+    problems.push("native Windows Codex is configured with a Git Bash /c/Users path");
+  }
+  return { ok: problems.length === 0, problems };
+}
+function evaluateOpenCodePreflight(input) {
+  const problems = [];
+  if (!input.found) problems.push("opencode is not installed or not on PATH");
+  if (!/sakana\/fugu\b/i.test(input.modelsText ?? "")) problems.push("sakana/fugu is not available");
+  if (!/sakana\/fugu-ultra\b/i.test(input.modelsText ?? "")) problems.push("sakana/fugu-ultra is not available");
+  const probe = input.jsonProbeText ?? "";
+  if (probe && !/(sessionID|sessionId|step_finish|finish)/i.test(probe)) problems.push("opencode run --format json did not emit session or finish events");
+  return { ok: problems.length === 0, problems };
+}
+function buildOpenCodeLaunch(slot, message, sessionId) {
+  const model = slot.role === "ultra" ? "sakana/fugu-ultra" : "sakana/fugu";
+  const args = ["run", "-m", model, "--format", "json"];
+  if (sessionId) args.push("--session", sessionId);
+  args.push(message);
+  return { command: "opencode", args };
+}
+function parseOpenCodeEvents(raw) {
+  const events = [];
+  const trimmed = (raw ?? "").trim();
+  if (!trimmed) return { text: "", finished: false, events };
+  const pushParsed = (chunk) => {
+    const t = chunk.trim();
+    if (!t) return;
+    try {
+      events.push(JSON.parse(t));
+    } catch {
+    }
+  };
+  try {
+    const whole = JSON.parse(trimmed);
+    if (Array.isArray(whole)) events.push(...whole);
+    else events.push(whole);
+  } catch {
+    for (const line of trimmed.split(/\r?\n/)) pushParsed(line);
+  }
+  let sessionId;
+  let text = "";
+  let finished = false;
+  for (const ev of events) {
+    if (!ev || typeof ev !== "object") continue;
+    const e = ev;
+    const sid = e.sessionID ?? e.sessionId ?? e.session?.id;
+    if (typeof sid === "string" && sid) sessionId = sid;
+    const type = typeof e.type === "string" ? e.type : void 0;
+    if (typeof e.text === "string") text += e.text;
+    else if (type === "text" && typeof e.content === "string") text += e.content;
+    if (type === "step_finish" || type === "finish" || e.finishReason || e.finish_reason) finished = true;
+  }
+  return { sessionId, text: text.trim(), finished, events };
+}
+function appendOverlordLedger(ledgerPath, entry) {
+  try {
+    (0, import_node_fs15.mkdirSync)((0, import_node_path13.dirname)(ledgerPath), { recursive: true });
+    (0, import_node_fs15.appendFileSync)(ledgerPath, `${JSON.stringify(entry)}
+`, "utf8");
+  } catch {
+  }
+}
+function defaultOverlordStatePath(cwd) {
+  return (0, import_node_path13.join)(cwd, "tmp", "overlord", "runs.json");
+}
+function readOverlordRegistry(statePath) {
+  if (!(0, import_node_fs15.existsSync)(statePath)) return { runs: {} };
+  try {
+    const parsed = JSON.parse((0, import_node_fs15.readFileSync)(statePath, "utf8"));
+    return { activeRunId: parsed.activeRunId, runs: parsed.runs ?? {} };
+  } catch {
+    return { runs: {} };
+  }
+}
+function writeOverlordRegistry(statePath, registry2) {
+  (0, import_node_fs15.mkdirSync)((0, import_node_path13.dirname)(statePath), { recursive: true });
+  atomicWriteFileSync(statePath, `${JSON.stringify(registry2, null, 2)}
+`);
+}
+function buildOverlordRun(options) {
+  const runId = options.runId?.() ?? defaultRunId();
+  const runToken = options.runToken?.() ?? defaultRunToken();
+  const statePath = defaultOverlordStatePath(options.cwd);
+  const journalDir = (0, import_node_path13.join)(options.cwd, "tmp", "overlord", runId);
+  const engine = options.engine ?? "codex-fugu";
+  const timestamp = isoNow(options.now);
+  return {
+    runId,
+    runToken,
+    task: options.task,
+    state: "starting",
+    createdAt: timestamp,
+    updatedAt: timestamp,
+    worktree: options.cwd,
+    statePath,
+    journalDir,
+    ledgerPath: (0, import_node_path13.join)(journalDir, "ledger.jsonl"),
+    engine,
+    provider: engine === "opencode" ? "opencode" : "codex",
+    opencodeVersion: options.opencodeVersion,
+    servants: buildServantLayout(options.count).map((slot) => ({
+      ...slot,
+      slotId: servantSlotId(slot),
+      profile: "consultation",
+      state: "planned",
+      journalPath: (0, import_node_path13.join)(journalDir, `${servantSlotId(slot)}.log`),
+      composerSubmitMode: engine === "opencode" ? "surface-api" : "unknown",
+      engine,
+      provider: engine === "opencode" ? "opencode" : "codex",
+      opencodeVersion: options.opencodeVersion,
+      eventJournalPath: engine === "opencode" ? (0, import_node_path13.join)(journalDir, `${servantSlotId(slot)}.events.jsonl`) : void 0
+    })),
+    ownedResources: []
+  };
+}
+function recordOverlordHeartbeat(run, options) {
+  const timestamp = isoNow(options.now);
+  const controllerResource = {
+    kind: "process",
+    pid: options.controllerPid,
+    commandName: "mmi-cli overlord controller",
+    runId: run.runId,
+    runToken: run.runToken,
+    fingerprint: options.fingerprint
+  };
+  const others = run.ownedResources.filter((resource) => resource.commandName !== "mmi-cli overlord controller");
+  return {
+    ...run,
+    state: run.state === "starting" ? "active" : run.state,
+    updatedAt: timestamp,
+    controllerPid: options.controllerPid,
+    controllerFingerprint: options.fingerprint,
+    lastControllerHeartbeatAt: timestamp,
+    ownedResources: [controllerResource, ...others]
+  };
+}
+function buildOverlordStartupPlan(args, cwd) {
+  const count = parseOverlordCount(args);
+  const task = args.filter((arg) => numericCountArg(arg) === void 0).join(" ").trim();
+  return {
+    count,
+    servants: buildServantLayout(count),
+    task,
+    statePath: defaultOverlordStatePath(cwd),
+    nextPhase: "preflight"
+  };
+}
+function normalizedCommandName(resource) {
+  return (resource.commandName ?? resource.title ?? "").trim().toLowerCase();
+}
+function planStopResource(resource, context) {
+  const exactOwner = resource.runId === context.runId && resource.runToken === context.runToken && Boolean(resource.fingerprint);
+  if (exactOwner) return { action: "stop", reason: "owned" };
+  const name = normalizedCommandName(resource);
+  if (!name || GENERIC_STOP_NAMES.has(name)) return { action: "refuse", reason: "ownership not proven" };
+  return { action: "refuse", reason: "ownership not proven" };
+}
+function summarizeOverlordRun(run, probe) {
+  const controller = run.controllerPid == null ? "not-started" : probe.isPidAlive(run.controllerPid) ? "alive" : "lost";
+  const now = probe.now?.() ?? /* @__PURE__ */ new Date();
+  return {
+    active: run.state !== "stopped" && run.state !== "failed",
+    runId: run.runId,
+    state: run.state,
+    controller,
+    servants: run.servants.map((servant) => {
+      if (run.engine === "opencode" || servant.engine === "opencode") return { name: servant.name, state: servantProgress(run, servant, now) };
+      if (servant.pid == null) return { name: servant.name, state: "not-started" };
+      if (!probe.isPidAlive(servant.pid)) return { name: servant.name, state: "lost" };
+      const progress = servantProgress(run, servant, now);
+      if (progress !== servant.state) return { name: servant.name, state: progress };
+      if (servant.state === "ready" && servant.lastAckAt && servant.composerSubmitMode !== "unknown") {
+        return { name: servant.name, state: "ready" };
+      }
+      return { name: servant.name, state: servant.state };
+    })
+  };
+}
+function planOverlordRunStop(run) {
+  const killPids = [];
+  const uncertain = [];
+  for (const resource of run.ownedResources) {
+    const plan2 = planStopResource(resource, { runId: run.runId, runToken: run.runToken });
+    if (plan2.action === "stop" && resource.pid != null) killPids.push(resource.pid);
+    else uncertain.push(resource);
+  }
+  return { killPids, uncertain };
+}
+function controllerFingerprint(run) {
+  return `mmi-overlord-controller:${run.runId}:${run.worktree}`;
+}
+function defaultStartController(run) {
+  const scriptPath = (0, import_node_path13.join)(__dirname, "overlord-controller.cjs");
+  const fingerprint = controllerFingerprint(run);
+  const child = (0, import_node_child_process8.spawn)(process.execPath, [scriptPath, run.runId, run.statePath, fingerprint], {
+    detached: true,
+    stdio: "ignore",
+    windowsHide: true,
+    cwd: run.worktree
+  });
+  child.unref();
+  return { pid: child.pid, fingerprint };
+}
+function defaultRunOpenCode(run, servant, message, sessionId) {
+  const launch = buildOpenCodeLaunch(servant, message, sessionId ?? servant.opencodeSessionId);
+  const shell2 = process.platform === "win32";
+  const file = shell2 ? [launch.command, ...launch.args].map(shellQuote2).join(" ") : launch.command;
+  const result = (0, import_node_child_process8.spawnSync)(file, shell2 ? [] : launch.args, {
+    encoding: "utf8",
+    shell: shell2,
+    cwd: run.worktree,
+    timeout: 6e5,
+    windowsHide: true,
+    env: { ...process.env }
+  });
+  if (result.error && result.error.code === "ENOENT") {
+    return { ok: false, error: "opencode is not installed or not on PATH" };
+  }
+  const raw = `${result.stdout ?? ""}
+${result.stderr ?? ""}`;
+  if (servant.eventJournalPath) {
+    try {
+      (0, import_node_fs15.mkdirSync)((0, import_node_path13.dirname)(servant.eventJournalPath), { recursive: true });
+      (0, import_node_fs15.appendFileSync)(servant.eventJournalPath, `${raw.trim()}
+`, "utf8");
+    } catch {
+    }
+  }
+  const parsed = parseOpenCodeEvents(raw);
+  if (result.status !== 0 && !parsed.finished) {
+    return { ok: false, sessionId: parsed.sessionId, text: parsed.text, error: `opencode run exited ${result.status ?? "with error"}`, events: parsed.events };
+  }
+  return { ok: true, sessionId: parsed.sessionId, text: parsed.text, events: parsed.events };
+}
+function defaultIsPidAlive(pid) {
+  if (!Number.isFinite(pid) || pid <= 0) return false;
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function defaultKillPid(pid) {
+  process.kill(pid);
+}
+function shellQuote2(arg) {
+  return /^[A-Za-z0-9_./:-]+$/.test(arg) ? arg : `"${arg.replace(/"/g, '\\"')}"`;
+}
+function boundedCommandText(command, args) {
+  const shell2 = process.platform === "win32";
+  const file = shell2 ? [command, ...args].map(shellQuote2).join(" ") : command;
+  const result = (0, import_node_child_process8.spawnSync)(file, shell2 ? [] : args, {
+    encoding: "utf8",
+    shell: shell2,
+    timeout: 5e3,
+    windowsHide: true,
+    env: {
+      ...process.env,
+      CODEX_FUGU_NO_NOTICE: "1",
+      CODEX_FUGU_NO_UPDATE: "1"
+    }
+  });
+  const text = `${result.stdout ?? ""}
+${result.stderr ?? ""}`.trim();
+  if (result.error && result.error.code === "ENOENT") return { found: false, text };
+  return { found: !result.error, text };
+}
+function readFuguModelCatalogText() {
+  const codexHome = process.env.CODEX_HOME ?? (0, import_node_path13.join)((0, import_node_os3.homedir)(), ".codex");
+  const catalogPath = (0, import_node_path13.join)(codexHome, "fugu.json");
+  try {
+    return (0, import_node_fs15.existsSync)(catalogPath) ? (0, import_node_fs15.readFileSync)(catalogPath, "utf8") : "";
+  } catch {
+    return "";
+  }
+}
+function hasCodexAuthEvidence() {
+  const codexHome = process.env.CODEX_HOME ?? (0, import_node_path13.join)((0, import_node_os3.homedir)(), ".codex");
+  return (0, import_node_fs15.existsSync)((0, import_node_path13.join)(codexHome, "auth.json"));
+}
+function collectOpenCodePreflight() {
+  const version = boundedCommandText("opencode", ["--version"]);
+  const models = boundedCommandText("opencode", ["models"]);
+  return evaluateOpenCodePreflight({
+    found: version.found,
+    versionText: version.text,
+    modelsText: models.text
+  });
+}
+function collectCodexFuguPreflight() {
+  const codexHelp = boundedCommandText("codex", ["--help"]);
+  const fuguHelp = boundedCommandText("codex-fugu", ["--help"]);
+  const fuguStatus = boundedCommandText("codex-fugu", ["--status"]);
+  return evaluateCodexFuguPreflight({
+    codexFound: codexHelp.found,
+    fuguFound: fuguHelp.found,
+    helpText: fuguHelp.text || codexHelp.text,
+    statusText: fuguStatus.text,
+    modelCatalogText: readFuguModelCatalogText(),
+    authConfigured: hasCodexAuthEvidence(),
+    envNames: Object.keys(process.env)
+  });
+}
+function renderCodexFuguPreflightFailure(report) {
+  const lines = [
+    "Overlord setup needed",
+    "The servant pool was not started because Codex/Fugu preflight failed.",
+    "",
+    "Problems:",
+    ...report.problems.map((problem) => `- ${problem}`),
+    "",
+    "Fixes:"
+  ];
+  if (report.problems.some((problem) => problem.includes("codex is not installed"))) {
+    lines.push("- Install or update Codex, then confirm with `codex --version`.");
+  }
+  if (report.problems.some((problem) => problem.includes("codex-fugu is not installed"))) {
+    lines.push("- Install or repair codex-fugu, then confirm with `codex-fugu --status`.");
+  }
+  if (report.problems.some((problem) => problem.includes("missing API key"))) {
+    lines.push("- Set OPENAI_API_KEY or CODEX_API_KEY in the launching shell; do not paste key values into chat.");
+  }
+  if (report.problems.some((problem) => problem.includes("fugu-ultra"))) {
+    lines.push("- Recheck or update Fugu configs so `fugu-ultra` appears in the Fugu model catalog.");
+  }
+  if (report.problems.some((problem) => problem.includes("missing ") && problem.includes("flag"))) {
+    lines.push("- Update Codex/Fugu until `codex-fugu --help` exposes approval, sandbox, config, cwd, and no-alt-screen flags.");
+  }
+  if (report.problems.some((problem) => problem.includes("/c/Users"))) {
+    lines.push("- Launch from a native shell adapter or repair Fugu path configuration so Windows paths stay native.");
+  }
+  return lines.join("\n");
+}
+function updateOpenCodeServant(run, servant, result, timestamp) {
+  return {
+    ...servant,
+    state: result.ok ? "ready" : "blocked",
+    opencodeSessionId: result.sessionId ?? servant.opencodeSessionId,
+    lastAckAt: result.ok ? timestamp : servant.lastAckAt,
+    lastUsefulSignalAt: result.ok ? timestamp : servant.lastUsefulSignalAt,
+    lastEventAt: timestamp,
+    lastMessageCompletedAt: result.ok ? timestamp : servant.lastMessageCompletedAt
+  };
+}
+function startOpenCodeServants(run, runOpenCode, now) {
+  const timestamp = isoNow(now);
+  const servants = run.servants.map((servant) => {
+    const result = runOpenCode(run, servant, overlordServantPrompt(servant, run));
+    if (run.ledgerPath) appendOverlordLedger(run.ledgerPath, { at: timestamp, kind: "servant-start", ownerSlotId: servant.slotId, ok: result.ok, sessionId: result.sessionId, responseText: result.text, error: result.error });
+    return updateOpenCodeServant(run, servant, result, timestamp);
+  });
+  return { ...run, state: "active", updatedAt: timestamp, servants };
+}
+function dispatchOpenCodeMessage(run, message, runOpenCode, now) {
+  const timestamp = isoNow(now);
+  const targets = run.servants.filter((servant) => message.target === "all" || servant.slotId === message.target || normalizeServantTarget(servant.name) === message.target);
+  const responses = [];
+  let ok = targets.length > 0;
+  const nextServants = run.servants.map((servant) => {
+    if (!targets.some((target) => target.slotId === servant.slotId)) return servant;
+    const result = runOpenCode(run, servant, message.text, servant.opencodeSessionId);
+    if (!result.ok) ok = false;
+    if (result.text) responses.push(`${servant.slotId}: ${result.text}`);
+    if (run.ledgerPath) appendOverlordLedger(run.ledgerPath, { at: timestamp, kind: "message-response", messageId: message.id, ownerSlotId: servant.slotId, ok: result.ok, sessionId: result.sessionId, responseText: result.text, error: result.error });
+    return updateOpenCodeServant(run, servant, result, timestamp);
+  });
+  const nextMessage = {
+    ...message,
+    state: ok ? "completed" : "failed",
+    startedAt: timestamp,
+    completedAt: ok ? timestamp : void 0,
+    failedAt: ok ? void 0 : timestamp,
+    ackText: ok ? "opencode response captured" : void 0,
+    responseText: responses.join("\n"),
+    failureReason: ok ? void 0 : "one or more OpenCode servant calls failed",
+    eventJournalPath: targets.map((target) => target.eventJournalPath).filter(Boolean).join(",")
+  };
+  return {
+    ...run,
+    updatedAt: timestamp,
+    servants: nextServants,
+    messages: [...(run.messages ?? []).filter((m) => m.id !== message.id), nextMessage]
+  };
+}
+function findActiveRun(registry2) {
+  const runId = registry2.activeRunId;
+  if (!runId) return void 0;
+  return registry2.runs[runId];
+}
+function normalizeServantTarget(target) {
+  return target.trim().toLowerCase().replace(/\s+/g, "-");
+}
+function hasServantTarget(run, target) {
+  const normalized = normalizeServantTarget(target);
+  return normalized === "all" || run.servants.some(
+    (servant) => servant.slotId === normalized || normalizeServantTarget(servant.name) === normalized
+  );
+}
+function messageProgress(message, now = /* @__PURE__ */ new Date(), timeoutMs = OVERLORD_HANDOFF_TIMEOUT_MS) {
+  if (message.completedAt || message.state === "completed") return "completed";
+  if (message.failedAt || message.state === "failed") return "failed";
+  const startedAt = message.startedAt ?? message.deliveredAt;
+  if (!startedAt) return "queued";
+  const elapsed = now.getTime() - new Date(startedAt).getTime();
+  return Number.isFinite(elapsed) && elapsed >= timeoutMs ? "stalled" : "started";
+}
+function servantProgress(run, servant, now = /* @__PURE__ */ new Date()) {
+  const relevant = (run.messages ?? []).filter((message) => message.target === "all" || servant.slotId === message.target || normalizeServantTarget(servant.name) === message.target);
+  return relevant.some((message) => messageProgress(message, now) === "stalled") ? "stalled-after-delivery" : servant.state;
+}
+function renderOverlordStatus(summary, run) {
+  const servants = summary.servants.map((servant) => `- ${servant.name}: ${servant.state}`).join("\n");
+  const messages = (run.messages ?? []).map((message) => `- ${message.id}: ${message.target} ${messageProgress(message)}`).join("\n");
+  return [
+    `Overlord run ${summary.runId}`,
+    `State: ${summary.state}`,
+    `Task: ${run.task || "not provided yet"}`,
+    `Controller: ${summary.controller}`,
+    "Servants:",
+    servants,
+    ...messages ? ["Messages:", messages] : []
+  ].join("\n");
+}
+function usefulJournalLines(text) {
+  return text.split(/\r?\n/).map((line) => line.trim()).filter((line) => line && !/^fugu\s/i.test(line) && !/^›/.test(line) && !/^\[overlord\] launched/.test(line)).slice(-20);
+}
+function servantJournalSummary(servant) {
+  try {
+    const lines = usefulJournalLines((0, import_node_fs15.readFileSync)(servant.journalPath, "utf8"));
+    return { lines, hasHandoff: lines.some((line) => /\b(handoff|evidence|recommended|recommendation)\b/i.test(line)) };
+  } catch {
+    return { lines: [], hasHandoff: false };
+  }
+}
+function runJson(run, extra = {}) {
+  return {
+    ok: true,
+    runId: run.runId,
+    state: run.state,
+    task: run.task,
+    count: run.servants.length,
+    engine: run.engine,
+    controllerPid: run.controllerPid,
+    statePath: run.statePath,
+    ledgerPath: run.ledgerPath,
+    servants: run.servants.map((servant) => ({
+      name: servant.name,
+      role: servant.role,
+      model: servant.model,
+      state: servant.state,
+      pid: servant.pid,
+      journalPath: servant.journalPath,
+      engine: servant.engine,
+      opencodeSessionId: servant.opencodeSessionId
+    })),
+    ...extra
+  };
+}
+function wantsJson(options, command) {
+  return Boolean(options.json || command?.parent?.opts?.().json);
+}
+function countArgsFromOptions(options) {
+  return ["3", "4", "5", "6"].filter((key) => options[key]).map((key) => `--${key}`);
+}
+function registerOverlordCommands(program3, deps = {}) {
+  const out = deps.out ?? ((text) => process.stdout.write(text));
+  const err = deps.err ?? ((text) => process.stderr.write(text));
+  const cwd = deps.cwd ?? (() => process.cwd());
+  const now = deps.now ?? (() => /* @__PURE__ */ new Date());
+  const preflight2 = deps.preflight ?? collectCodexFuguPreflight;
+  const opencodePreflight = deps.opencodePreflight ?? collectOpenCodePreflight;
+  const startController = deps.startController ?? defaultStartController;
+  const runOpenCode = deps.runOpenCode ?? defaultRunOpenCode;
+  const isPidAlive = deps.isPidAlive ?? defaultIsPidAlive;
+  const killPid = deps.killPid ?? defaultKillPid;
+  const overlord = program3.command("overlord").description("coordinate one Ultra and normal Fugu servants for hard org work").allowUnknownOption(true).argument("[task...]", "task for the Overlord system").option("--3", "run one Ultra and two normal Fugus").option("--4", "run one Ultra and three normal Fugus").option("--5", "run one Ultra and four normal Fugus").option("--6", "run one Ultra and five normal Fugus").option("--engine <engine>", "servant engine: opencode or codex-fugu", "codex-fugu").option("--json", "print machine-readable output").action((task = [], options) => {
+    try {
+      const args = [...countArgsFromOptions(options), ...task];
+      const root = cwd();
+      const plan2 = buildOverlordStartupPlan(args, root);
+      const engine = `${options.engine ?? "codex-fugu"}`;
+      if (engine !== "codex-fugu" && engine !== "opencode") throw new Error("--engine must be opencode or codex-fugu");
+      const preflightReport = engine === "opencode" ? opencodePreflight() : preflight2();
+      if (!preflightReport.ok) {
+        err(`${renderCodexFuguPreflightFailure(preflightReport)}
+`);
+        process.exitCode = 1;
+        return;
+      }
+      const registry2 = readOverlordRegistry(plan2.statePath);
+      const active = findActiveRun(registry2);
+      if (active && active.state !== "stopped" && active.state !== "failed") {
+        throw new Error(`active Overlord run already exists: ${active.runId}`);
+      }
+      let run = buildOverlordRun({
+        task: plan2.task,
+        cwd: root,
+        count: plan2.count,
+        engine,
+        now,
+        runId: deps.runId,
+        runToken: deps.runToken
+      });
+      writeOverlordRegistry(plan2.statePath, { activeRunId: run.runId, runs: { ...registry2.runs, [run.runId]: run } });
+      if (engine === "opencode") {
+        run = startOpenCodeServants(run, runOpenCode, now);
+        writeOverlordRegistry(plan2.statePath, { activeRunId: run.runId, runs: { ...registry2.runs, [run.runId]: run } });
+      } else {
+        const controller = startController(run);
+        if (controller.pid != null) {
+          run = recordOverlordHeartbeat(run, {
+            controllerPid: controller.pid,
+            fingerprint: controller.fingerprint,
+            now
+          });
+          writeOverlordRegistry(plan2.statePath, { activeRunId: run.runId, runs: { ...registry2.runs, [run.runId]: run } });
+        }
+      }
+      if (options.json) out(`${JSON.stringify(runJson(run, { nextPhase: "consult-servants" }), null, 2)}
+`);
+      else {
+        out(`${[
+          "Overlord startup",
+          `Task: ${run.task || "not provided yet"}`,
+          `Run: ${run.runId}`,
+          `Servants: ${run.servants.length} total`,
+          `Controller: ${run.controllerPid ? `started (pid ${run.controllerPid})` : "launch requested"}`,
+          "Next: consult servants, interview the human, then print an approved todo list."
+        ].join("\n")}
+`);
+      }
+    } catch (e) {
+      const message = e instanceof Error ? e.message : String(e);
+      if (options.json) out(`${JSON.stringify({ ok: false, error: message }, null, 2)}
+`);
+      else err(`overlord: ${message}
+`);
+      process.exitCode = 1;
+    }
+  });
+  overlord.command("send").description("queue an assignment or redirect for the active Overlord servant controller").argument("<target>", "servant slot id/name, or all").argument("[message...]", "message to deliver to the servant PTY").option("--json", "print machine-readable output").action((target, message = [], options, command) => {
+    const json = wantsJson(options, command);
+    try {
+      const statePath = defaultOverlordStatePath(cwd());
+      const registry2 = readOverlordRegistry(statePath);
+      const run = findActiveRun(registry2);
+      if (!run) throw new Error("no active Overlord run found");
+      const normalized = normalizeServantTarget(target);
+      if (!hasServantTarget(run, normalized)) throw new Error(`unknown Overlord servant target: ${target}`);
+      const text = message.join(" ").trim();
+      if (!text) throw new Error("message is required");
+      const timestamp = isoNow(now);
+      const queued = {
+        id: deps.runId?.() ?? defaultMessageId(),
+        target: normalized,
+        text,
+        createdAt: timestamp,
+        queuedAt: timestamp,
+        state: "queued"
+      };
+      if (run.engine === "opencode") {
+        const dispatched = dispatchOpenCodeMessage(run, queued, runOpenCode, now);
+        writeOverlordRegistry(statePath, { ...registry2, runs: { ...registry2.runs, [run.runId]: dispatched } });
+        const settled = (dispatched.messages ?? []).find((m) => m.id === queued.id);
+        const ok = settled?.state === "completed";
+        const payload2 = { ok, runId: run.runId, target: normalized, messageId: queued.id, state: settled?.state, responseText: settled?.responseText, statePath };
+        if (json) out(`${JSON.stringify(payload2, null, 2)}
+`);
+        else out(`Message ${queued.id} ${ok ? "completed" : "failed"} for ${normalized}.
+State: ${statePath}
+`);
+        if (!ok) process.exitCode = 1;
+        return;
+      }
+      const next = {
+        ...run,
+        updatedAt: timestamp,
+        messages: [...run.messages ?? [], queued]
+      };
+      writeOverlordRegistry(statePath, {
+        ...registry2,
+        runs: { ...registry2.runs, [run.runId]: next }
+      });
+      const payload = { queued: 1, runId: run.runId, target: normalized, messageId: queued.id, statePath };
+      if (json) out(`${JSON.stringify(payload, null, 2)}
+`);
+      else out(`Queued message ${queued.id} for ${normalized}.
+State: ${statePath}
+`);
+    } catch (e) {
+      const messageText = e instanceof Error ? e.message : String(e);
+      if (json) out(`${JSON.stringify({ ok: false, error: messageText }, null, 2)}
+`);
+      else err(`overlord send: ${messageText}
+`);
+      process.exitCode = 1;
+    }
+  });
+  overlord.command("status").description("show the active Overlord run and servant liveness").option("--json", "print machine-readable output").action((options, command) => {
+    const json = wantsJson(options, command);
+    const statePath = defaultOverlordStatePath(cwd());
+    const registry2 = readOverlordRegistry(statePath);
+    const run = findActiveRun(registry2);
+    if (!run) {
+      const payload2 = { active: false, statePath, message: "no active Overlord run found" };
+      if (json) out(`${JSON.stringify(payload2, null, 2)}
+`);
+      else out(`No active Overlord run found.
+State: ${payload2.statePath}
+`);
+      return;
+    }
+    const summary = summarizeOverlordRun(run, { isPidAlive, now });
+    const current = now();
+    const payload = {
+      ...summary,
+      statePath,
+      task: run.task,
+      engine: run.engine,
+      ledgerPath: run.ledgerPath,
+      sessions: run.servants.map((servant) => ({
+        name: servant.name,
+        slotId: servant.slotId,
+        engine: servant.engine,
+        opencodeSessionId: servant.opencodeSessionId,
+        eventJournalPath: servant.eventJournalPath,
+        lastEventAt: servant.lastEventAt,
+        lastMessageCompletedAt: servant.lastMessageCompletedAt
+      })),
+      messages: (run.messages ?? []).map((message) => ({
+        id: message.id,
+        target: message.target,
+        state: messageProgress(message, current),
+        queuedAt: message.queuedAt ?? message.createdAt,
+        startedAt: message.startedAt ?? message.deliveredAt,
+        completedAt: message.completedAt,
+        failedAt: message.failedAt,
+        ackText: message.ackText,
+        responseText: message.responseText,
+        eventJournalPath: message.eventJournalPath,
+        failureReason: message.failureReason
+      }))
+    };
+    if (json) out(`${JSON.stringify(payload, null, 2)}
+`);
+    else out(`${renderOverlordStatus(summary, run)}
+State: ${statePath}
+`);
+  });
+  overlord.command("collect").description("summarize servant handoff/liveness evidence from the active Overlord journals").option("--json", "print machine-readable output").action((options, command) => {
+    const json = wantsJson(options, command);
+    const statePath = defaultOverlordStatePath(cwd());
+    const registry2 = readOverlordRegistry(statePath);
+    const run = findActiveRun(registry2);
+    if (!run) {
+      const payload2 = { active: false, statePath, message: "no active Overlord run found" };
+      if (json) out(`${JSON.stringify(payload2, null, 2)}
+`);
+      else out(`No active Overlord run found.
+State: ${payload2.statePath}
+`);
+      return;
+    }
+    const current = now();
+    const servants = run.servants.map((servant) => {
+      const journal = servantJournalSummary(servant);
+      return {
+        slotId: servant.slotId,
+        name: servant.name,
+        state: servantProgress(run, servant, current),
+        hasHandoff: journal.hasHandoff,
+        journalPath: servant.journalPath,
+        lines: journal.lines
+      };
+    });
+    const payload = { active: true, runId: run.runId, statePath, servants };
+    if (json) out(`${JSON.stringify(payload, null, 2)}
+`);
+    else out(`${servants.map((servant) => `${servant.name}: ${servant.state}; handoff=${servant.hasHandoff ? "yes" : "no"}; ${servant.journalPath}`).join("\n")}
+State: ${statePath}
+`);
+  });
+  overlord.command("stop").description("stop only exact run-owned Overlord resources").option("--json", "print machine-readable output").action((options, command) => {
+    const json = wantsJson(options, command);
+    const statePath = defaultOverlordStatePath(cwd());
+    const registry2 = readOverlordRegistry(statePath);
+    const run = findActiveRun(registry2);
+    if (!run) {
+      const payload2 = { stopped: 0, uncertain: 0, statePath, message: "no active Overlord run found" };
+      if (json) out(`${JSON.stringify(payload2, null, 2)}
+`);
+      else out(`No active Overlord run found. Nothing stopped.
+State: ${payload2.statePath}
+`);
+      return;
+    }
+    const stopPlan = planOverlordRunStop(run);
+    for (const pid of stopPlan.killPids) {
+      try {
+        killPid(pid);
+      } catch {
+      }
+    }
+    const stoppedRun = {
+      ...run,
+      state: "stopped",
+      updatedAt: isoNow(now)
+    };
+    writeOverlordRegistry(statePath, {
+      runs: { ...registry2.runs, [run.runId]: stoppedRun }
+    });
+    const payload = {
+      runId: run.runId,
+      stopped: stopPlan.killPids.length,
+      uncertain: stopPlan.uncertain.length,
+      statePath
+    };
+    if (json) out(`${JSON.stringify(payload, null, 2)}
+`);
+    else {
+      out(`${[
+        `Stopped ${payload.stopped} Overlord-owned process(es).`,
+        payload.uncertain ? `Left ${payload.uncertain} uncertain resource(s) untouched.` : "No uncertain resources.",
+        `State: ${statePath}`
+      ].join("\n")}
+`);
+    }
+  });
+  return overlord;
+}
+
+// src/throttle-commands.ts
+var import_node_child_process9 = require("node:child_process");
+var import_node_fs16 = require("node:fs");
+var import_node_path14 = require("node:path");
+var THROTTLE_TRACE_REL = (0, import_node_path14.join)(".mmi", "throttle", "trace.jsonl");
 function resolveRepoGitRoot(cwd = process.cwd()) {
   try {
-    const root = (0, import_node_child_process8.execFileSync)("git", ["-C", cwd, "rev-parse", "--show-toplevel"], {
+    const root = (0, import_node_child_process9.execFileSync)("git", ["-C", cwd, "rev-parse", "--show-toplevel"], {
       encoding: "utf8",
       timeout: 5e3
     }).trim();
@@ -9972,7 +10814,7 @@ function resolveRepoGitRoot(cwd = process.cwd()) {
   }
 }
 function resolveThrottleTracePath(cwd = process.cwd()) {
-  return (0, import_node_path13.join)(resolveRepoGitRoot(cwd), THROTTLE_TRACE_REL);
+  return (0, import_node_path14.join)(resolveRepoGitRoot(cwd), THROTTLE_TRACE_REL);
 }
 function resolveModeFromEnv() {
   const v = String(process.env.MMI_THROTTLE_MODE ?? "block").trim().toLowerCase();
@@ -9992,6 +10834,12 @@ function parseTraceLines(raw) {
   }
   return out;
 }
+function commandSafetyClass(reasonId) {
+  if (reasonId === "shell_dialect_redirect") return "dialect/redirect mismatch";
+  if (reasonId === "shell_log_dump") return "unbounded log/text dump";
+  if (reasonId.startsWith("shell_")) return "shell command safety";
+  return void 0;
+}
 function summarizeTrace(entries) {
   let denials = 0;
   let readBytesWouldBlock = 0;
@@ -9999,6 +10847,7 @@ function summarizeTrace(entries) {
   const byReason = {};
   const bySurface = {};
   const byMode = {};
+  const commandSafetyBySurface = {};
   for (const e of entries) {
     denials += 1;
     const tool = e.tool ?? "unknown";
@@ -10009,22 +10858,27 @@ function summarizeTrace(entries) {
     bySurface[surface] = (bySurface[surface] ?? 0) + 1;
     const mode = e.mode ?? "unknown";
     byMode[mode] = (byMode[mode] ?? 0) + 1;
+    const safetyClass = commandSafetyClass(reason);
+    if (safetyClass) {
+      commandSafetyBySurface[surface] = commandSafetyBySurface[surface] ?? {};
+      commandSafetyBySurface[surface][safetyClass] = (commandSafetyBySurface[surface][safetyClass] ?? 0) + 1;
+    }
     if (reason === "read_unbounded_large") {
       readBytesWouldBlock += Number(e.fileBytes) || 0;
     }
   }
-  return { denials, readBytesWouldBlock, byTool, byReason, bySurface, byMode };
+  return { denials, readBytesWouldBlock, byTool, byReason, bySurface, byMode, commandSafetyBySurface };
 }
 function runThrottleReport(io, tracePath = resolveThrottleTracePath()) {
   const mode = resolveModeFromEnv();
-  if (!(0, import_node_fs14.existsSync)(tracePath)) {
+  if (!(0, import_node_fs16.existsSync)(tracePath)) {
     io.log(`Throttle: no trace at ${tracePath} (gates have not denied anything yet).`);
     io.log(`Active mode: ${mode} (MMI_THROTTLE_MODE env; default block).`);
     return 0;
   }
   let raw = "";
   try {
-    raw = (0, import_node_fs14.readFileSync)(tracePath, "utf8");
+    raw = (0, import_node_fs16.readFileSync)(tracePath, "utf8");
   } catch (e) {
     io.err(`Throttle: could not read trace: ${e.message}`);
     return 1;
@@ -10059,6 +10913,14 @@ function runThrottleReport(io, tracePath = resolveThrottleTracePath()) {
     io.log("  by surface:");
     for (const [name, count] of surfaces) io.log(`    ${name}: ${count}`);
   }
+  const safetySurfaces = Object.entries(s.commandSafetyBySurface).sort((a, b) => a[0].localeCompare(b[0]));
+  if (safetySurfaces.length) {
+    io.log("  command safety (quoting/dialect/shell) by surface:");
+    for (const [surface, classes] of safetySurfaces) {
+      const detail = Object.entries(classes).sort((a, b) => b[1] - a[1]).map(([cls, count]) => `${cls}: ${count}`).join(", ");
+      io.log(`    ${surface}: ${detail}`);
+    }
+  }
   return 0;
 }
 function registerThrottleCommands(program3) {
@@ -10091,7 +10953,7 @@ async function syncDocs(deps, docs2 = SYNCED_DOCS) {
 }
 
 // src/board.ts
-var import_node_child_process9 = require("node:child_process");
+var import_node_child_process10 = require("node:child_process");
 var import_node_util6 = require("node:util");
 
 // src/board-priority.ts
@@ -10199,7 +11061,7 @@ async function filterDependencyBlockedClaimables(items, client, opts = {}) {
 var BOARD_STATUSES = ["Todo", "In Progress", "In Review", "Done"];
 
 // src/board.ts
-var rawExecFileP3 = (0, import_node_util6.promisify)(import_node_child_process9.execFile);
+var rawExecFileP3 = (0, import_node_util6.promisify)(import_node_child_process10.execFile);
 var BOARD_GIT_TIMEOUT_MS = 1e4;
 var WRITE_PROBE_CONCURRENCY = 8;
 var CLAIM_CONCURRENCY = 5;
@@ -11028,16 +11890,16 @@ function ghError(e) {
 }
 
 // src/board-slice-cache.ts
-var import_node_fs15 = require("node:fs");
-var import_node_path14 = require("node:path");
-var BOARD_SLICE_CACHE_FILE = (0, import_node_path14.join)(".mmi", "board-slice.json");
+var import_node_fs17 = require("node:fs");
+var import_node_path15 = require("node:path");
+var BOARD_SLICE_CACHE_FILE = (0, import_node_path15.join)(".mmi", "board-slice.json");
 var BOARD_SLICE_CACHE_TTL_MS = 10 * 60 * 1e3;
 function boardSliceCachePath(cwd) {
-  return (0, import_node_path14.join)(cwd, BOARD_SLICE_CACHE_FILE);
+  return (0, import_node_path15.join)(cwd, BOARD_SLICE_CACHE_FILE);
 }
 function readCachedBoardSlice(cwd) {
   try {
-    const parsed = JSON.parse((0, import_node_fs15.readFileSync)(boardSliceCachePath(cwd), "utf8"));
+    const parsed = JSON.parse((0, import_node_fs17.readFileSync)(boardSliceCachePath(cwd), "utf8"));
     if (typeof parsed.ts !== "number") return null;
     return { block: typeof parsed.block === "string" ? parsed.block : null, ts: parsed.ts };
   } catch {
@@ -11048,12 +11910,12 @@ function writeCachedBoardSlice(cwd, slice) {
   const path2 = boardSliceCachePath(cwd);
   const tmp = `${path2}.${process.pid}.tmp`;
   try {
-    (0, import_node_fs15.mkdirSync)((0, import_node_path14.dirname)(path2), { recursive: true });
-    (0, import_node_fs15.writeFileSync)(tmp, JSON.stringify(slice));
-    (0, import_node_fs15.renameSync)(tmp, path2);
+    (0, import_node_fs17.mkdirSync)((0, import_node_path15.dirname)(path2), { recursive: true });
+    (0, import_node_fs17.writeFileSync)(tmp, JSON.stringify(slice));
+    (0, import_node_fs17.renameSync)(tmp, path2);
   } catch {
     try {
-      (0, import_node_fs15.rmSync)(tmp, { force: true });
+      (0, import_node_fs17.rmSync)(tmp, { force: true });
     } catch {
     }
   }
@@ -11181,8 +12043,8 @@ async function refreshBoardSliceCache(deps) {
 }
 
 // src/worktree.ts
-var import_node_fs16 = require("node:fs");
-var import_node_path15 = require("node:path");
+var import_node_fs18 = require("node:fs");
+var import_node_path16 = require("node:path");
 var LOCAL_ONLY_FILES = [".claude/settings.local.json"];
 var PKG = "package.json";
 var LOCKFILE = "package-lock.json";
@@ -11190,21 +12052,21 @@ var NODE_MODULES = "node_modules";
 var realFsProbe = {
   isDir: (p) => {
     try {
-      return (0, import_node_fs16.statSync)(p).isDirectory();
+      return (0, import_node_fs18.statSync)(p).isDirectory();
     } catch {
       return false;
     }
   },
   isFile: (p) => {
     try {
-      return (0, import_node_fs16.statSync)(p).isFile();
+      return (0, import_node_fs18.statSync)(p).isFile();
     } catch {
       return false;
     }
   },
   listDirs: (p) => {
     try {
-      return (0, import_node_fs16.readdirSync)(p, { withFileTypes: true }).filter((e) => e.isDirectory()).map((e) => e.name);
+      return (0, import_node_fs18.readdirSync)(p, { withFileTypes: true }).filter((e) => e.isDirectory()).map((e) => e.name);
     } catch {
       return [];
     }
@@ -11212,12 +12074,12 @@ var realFsProbe = {
 };
 function scanInstallDirs(root, fs2 = realFsProbe) {
   const factsFor = (dir) => {
-    const abs = dir ? (0, import_node_path15.join)(root, dir) : root;
+    const abs = dir ? (0, import_node_path16.join)(root, dir) : root;
     return {
       dir,
-      hasPackageJson: fs2.isFile((0, import_node_path15.join)(abs, PKG)),
-      hasLockfile: fs2.isFile((0, import_node_path15.join)(abs, LOCKFILE)),
-      hasNodeModules: fs2.isDir((0, import_node_path15.join)(abs, NODE_MODULES))
+      hasPackageJson: fs2.isFile((0, import_node_path16.join)(abs, PKG)),
+      hasLockfile: fs2.isFile((0, import_node_path16.join)(abs, LOCKFILE)),
+      hasNodeModules: fs2.isDir((0, import_node_path16.join)(abs, NODE_MODULES))
     };
   };
   const children = fs2.listDirs(root).filter((name) => name !== NODE_MODULES && name !== ".git");
@@ -11227,7 +12089,7 @@ function npmInstallTargets(dirs) {
   return dirs.filter((d) => d.hasPackageJson && !d.hasNodeModules).map((d) => ({ dir: d.dir, command: d.hasLockfile ? "npm ci" : "npm install" }));
 }
 function isLinkedWorktree(root, fs2 = realFsProbe) {
-  return fs2.isFile((0, import_node_path15.join)(root, ".git"));
+  return fs2.isFile((0, import_node_path16.join)(root, ".git"));
 }
 function worktreeAutoProvisionBanner(root, fs2 = realFsProbe) {
   if (!isLinkedWorktree(root, fs2)) return null;
@@ -11237,8 +12099,8 @@ function worktreeAutoProvisionBanner(root, fs2 = realFsProbe) {
   return `[worktree] provisioning tooling in the background (deps in ${where} + local config) \u2014 \`mmi-cli worktree setup\` to redo`;
 }
 function defaultCopyFile(from, to) {
-  (0, import_node_fs16.mkdirSync)((0, import_node_path15.dirname)(to), { recursive: true });
-  (0, import_node_fs16.copyFileSync)(from, to);
+  (0, import_node_fs18.mkdirSync)((0, import_node_path16.dirname)(to), { recursive: true });
+  (0, import_node_fs18.copyFileSync)(from, to);
 }
 async function provisionWorktree(worktreeRoot, deps) {
   const fs2 = deps.fs ?? realFsProbe;
@@ -11250,7 +12112,7 @@ async function provisionWorktree(worktreeRoot, deps) {
   const skippedInstall = allDirs.filter((d) => d.hasPackageJson && d.hasNodeModules).map((d) => d.dir);
   const installed = [];
   for (const target of targets) {
-    const cwd = target.dir ? (0, import_node_path15.join)(worktreeRoot, target.dir) : worktreeRoot;
+    const cwd = target.dir ? (0, import_node_path16.join)(worktreeRoot, target.dir) : worktreeRoot;
     log(`installing deps: ${target.command} in ${target.dir || "."}`);
     await deps.runInstall(target.command, cwd);
     installed.push(target);
@@ -11259,7 +12121,7 @@ async function provisionWorktree(worktreeRoot, deps) {
   const copySkipped = [];
   const primary = await deps.primaryCheckout();
   for (const rel of LOCAL_ONLY_FILES) {
-    const dest = (0, import_node_path15.join)(worktreeRoot, rel);
+    const dest = (0, import_node_path16.join)(worktreeRoot, rel);
     if (fs2.isFile(dest)) {
       copySkipped.push({ file: rel, reason: "already-present" });
       continue;
@@ -11268,11 +12130,11 @@ async function provisionWorktree(worktreeRoot, deps) {
       copySkipped.push({ file: rel, reason: "no-primary" });
       continue;
     }
-    if (!fs2.isFile((0, import_node_path15.join)(primary, rel))) {
+    if (!fs2.isFile((0, import_node_path16.join)(primary, rel))) {
       copySkipped.push({ file: rel, reason: "absent-in-primary" });
       continue;
     }
-    copyFile((0, import_node_path15.join)(primary, rel), dest);
+    copyFile((0, import_node_path16.join)(primary, rel), dest);
     copied.push(rel);
     log(`copied local config: ${rel}`);
   }
@@ -11280,7 +12142,7 @@ async function provisionWorktree(worktreeRoot, deps) {
 }
 function defaultWorktreePath(repoRoot, branch) {
   const safe = branch.replace(/[/\\]+/g, "-");
-  return (0, import_node_path15.join)((0, import_node_path15.dirname)(repoRoot), "mmi-worktrees", safe);
+  return (0, import_node_path16.join)((0, import_node_path16.dirname)(repoRoot), "mmi-worktrees", safe);
 }
 function resolveWorktreeBase(from, remote) {
   const remotePrefix = `${remote}/`;
@@ -11427,7 +12289,7 @@ function whoamiLine(report) {
 }
 
 // src/index.ts
-var import_node_path25 = require("node:path");
+var import_node_path26 = require("node:path");
 
 // src/merge-ci-policy.ts
 function resolveMergeCiPolicy(input) {
@@ -12206,14 +13068,14 @@ async function auditRepoCi(repo, deps) {
   if (deployableGated) {
     checks.push({
       ok: hasGateWorkflow,
-      label: "gate workflow committed",
-      detail: hasGateWorkflow ? void 0 : `missing ${PRODUCT_GATE_PATH}`,
+      label: `gate workflow committed on ${baseBranch}`,
+      detail: hasGateWorkflow ? `read ${PRODUCT_GATE_PATH} at refs/heads/${baseBranch}` : `missing ${PRODUCT_GATE_PATH} at refs/heads/${baseBranch}`,
       remediation: `mmi-cli bootstrap apply ${repo} --class deployable --execute (seeds gate.yml)`
     });
     checks.push({
       ok: await contentExists(deps, repo, baseBranch, PRODUCT_RULESET_REF),
-      label: "product ruleset reference committed",
-      detail: `expected ${PRODUCT_RULESET_REF}`,
+      label: `product ruleset reference committed on ${baseBranch}`,
+      detail: `read ${PRODUCT_RULESET_REF} at refs/heads/${baseBranch}`,
       remediation: `mmi-cli bootstrap apply ${repo} --class deployable --execute`
     });
   }
@@ -12609,8 +13471,8 @@ async function resolveAutoAddBoardAttach(client, cfg, selector, priority, warn =
 
 // src/gh-create.ts
 var import_promises5 = require("node:fs/promises");
-var import_node_os3 = require("node:os");
-var import_node_path16 = require("node:path");
+var import_node_os4 = require("node:os");
+var import_node_path17 = require("node:path");
 var import_node_crypto5 = require("node:crypto");
 var ISSUE_TYPES = ["bug", "feature", "task"];
 var GH_MUTATION_TIMEOUT_MS = 12e4;
@@ -12651,7 +13513,7 @@ async function bodyArgsViaFile(args, deps = {}) {
   } };
   const write = deps.write ?? import_promises5.writeFile;
   const remove = deps.remove ?? import_promises5.unlink;
-  const file = (0, import_node_path16.join)(deps.dir ?? (0, import_node_os3.tmpdir)(), `mmi-gh-body-${process.pid}-${(0, import_node_crypto5.randomBytes)(4).toString("hex")}.md`);
+  const file = (0, import_node_path17.join)(deps.dir ?? (0, import_node_os4.tmpdir)(), `mmi-gh-body-${process.pid}-${(0, import_node_crypto5.randomBytes)(4).toString("hex")}.md`);
   await write(file, args[i + 1], "utf8");
   return {
     args: [...args.slice(0, i), "--body-file", file, ...args.slice(i + 2)],
@@ -12696,23 +13558,109 @@ function buildPrArgs({ title, body, base, head, repo }) {
   return args;
 }
 
-// src/issue-check.ts
-var CHECKLIST_RE = /^([ \t]*[-*+] \[)([ xX])(\] )(.*)$/gm;
-function findChecklistItems(body) {
-  const items = [];
-  for (const m of body.matchAll(CHECKLIST_RE)) {
-    const prefix = m[1];
-    const marker = m[2];
-    const text = m[4].replace(/\r$/, "");
-    items.push({
-      markerIndex: (m.index ?? 0) + prefix.length,
-      checked: marker.toLowerCase() === "x",
-      text
-    });
-  }
-  return items;
-}
-function selectChecklistItem(items, query) {
+// src/sub-issue.ts
+function parseIssueRef(ref) {
+  const trimmed = ref.trim();
+  const url = trimmed.match(/^https:\/\/github\.com\/([^/]+\/[^/]+)\/issues\/(\d+)$/i);
+  if (url) return { repo: url[1], number: Number(url[2]) };
+  const qualified = trimmed.match(/^([^/\s#]+\/[^/\s#]+)#(\d+)$/);
+  if (qualified) return { repo: qualified[1], number: Number(qualified[2]) };
+  const bare = trimmed.match(/^#?(\d+)$/);
+  if (bare) return { number: Number(bare[1]) };
+  throw new Error(`invalid issue reference "${ref}" \u2014 expected #123, 123, owner/repo#123, or an issue URL`);
+}
+function buildResolveIdArgs(ref) {
+  const args = ["issue", "view", String(ref.number), "--json", "id", "--jq", ".id"];
+  if (ref.repo) args.push("--repo", ref.repo);
+  return args;
+}
+function buildAddSubIssueArgs(parentId, subIssueId) {
+  if (!parentId) throw new Error("addSubIssue: parentId is required");
+  if (!subIssueId) throw new Error("addSubIssue: subIssueId is required");
+  return [
+    "api",
+    "graphql",
+    "-f",
+    "query=mutation($p:ID!,$c:ID!){addSubIssue(input:{issueId:$p,subIssueId:$c}){issue{number subIssues{totalCount}} subIssue{number}}}",
+    "-f",
+    `p=${parentId}`,
+    "-f",
+    `c=${subIssueId}`
+  ];
+}
+function parseAddSubIssueResult(stdout) {
+  try {
+    const issue2 = JSON.parse(stdout)?.data?.addSubIssue;
+    const parentNumber = issue2?.issue?.number;
+    const subIssueNumber = issue2?.subIssue?.number;
+    const totalCount = issue2?.issue?.subIssues?.totalCount;
+    if (typeof parentNumber !== "number" || typeof subIssueNumber !== "number") return void 0;
+    return { parentNumber, subIssueNumber, totalCount: typeof totalCount === "number" ? totalCount : 0 };
+  } catch {
+    return void 0;
+  }
+}
+var RESOLVE_ID_TIMEOUT_MS = 1e4;
+async function resolveIssueNodeId(runGh, ref, fallbackRepo) {
+  const resolved = ref.repo ? ref : { ...ref, repo: fallbackRepo };
+  const id = (await runGh(buildResolveIdArgs(resolved), RESOLVE_ID_TIMEOUT_MS)).trim();
+  if (!id) throw new Error(`could not resolve node id for issue #${ref.number}${resolved.repo ? ` in ${resolved.repo}` : ""}`);
+  return id;
+}
+async function linkSubIssue(runGh, parentRef, childRef, defaultRepo) {
+  const parent = parseIssueRef(parentRef);
+  const child = parseIssueRef(childRef);
+  const parentId = await resolveIssueNodeId(runGh, parent, defaultRepo);
+  const subIssueId = await resolveIssueNodeId(runGh, child, defaultRepo);
+  const stdout = await runGh(buildAddSubIssueArgs(parentId, subIssueId), GH_MUTATION_TIMEOUT_MS);
+  const result = parseAddSubIssueResult(stdout);
+  if (!result) throw new Error(`addSubIssue returned an unexpected response:
+${stdout.trim() || "(empty)"}`);
+  return result;
+}
+function parentLinkFields(result, error) {
+  if (result) return { parent: result };
+  if (error) return { parentLinkError: error };
+  return {};
+}
+
+// src/issue-comment.ts
+async function postIssueComment(client, input) {
+  const parsed = parseIssueRef(input.ref);
+  const repo = parsed.repo ?? input.defaultRepo;
+  if (!repo) throw new Error("could not resolve repo \u2014 pass --repo owner/repo");
+  if (input.body.trim().length === 0) throw new Error("comment body is empty");
+  const comment = await client.rest(
+    "POST",
+    `repos/${repo}/issues/${parsed.number}/comments`,
+    { body: { body: input.body } }
+  );
+  if (!comment?.html_url) throw new Error("GitHub did not return a comment URL");
+  return {
+    number: parsed.number,
+    repo,
+    url: `https://github.com/${repo}/issues/${parsed.number}`,
+    commentUrl: comment.html_url
+  };
+}
+
+// src/issue-check.ts
+var CHECKLIST_RE = /^([ \t]*[-*+] \[)([ xX])(\] )(.*)$/gm;
+function findChecklistItems(body) {
+  const items = [];
+  for (const m of body.matchAll(CHECKLIST_RE)) {
+    const prefix = m[1];
+    const marker = m[2];
+    const text = m[4].replace(/\r$/, "");
+    items.push({
+      markerIndex: (m.index ?? 0) + prefix.length,
+      checked: marker.toLowerCase() === "x",
+      text
+    });
+  }
+  return items;
+}
+function selectChecklistItem(items, query) {
   const q = query.trim();
   if (!q) return { ok: false, reason: "not-found" };
   const exact = items.filter((it) => it.text.trim() === q);
@@ -12978,72 +13926,6 @@ Related work discovered by mmi-cli:
 ${lines.join("\n")}`;
 }
 
-// src/sub-issue.ts
-function parseIssueRef(ref) {
-  const trimmed = ref.trim();
-  const url = trimmed.match(/^https:\/\/github\.com\/([^/]+\/[^/]+)\/issues\/(\d+)$/i);
-  if (url) return { repo: url[1], number: Number(url[2]) };
-  const qualified = trimmed.match(/^([^/\s#]+\/[^/\s#]+)#(\d+)$/);
-  if (qualified) return { repo: qualified[1], number: Number(qualified[2]) };
-  const bare = trimmed.match(/^#?(\d+)$/);
-  if (bare) return { number: Number(bare[1]) };
-  throw new Error(`invalid issue reference "${ref}" \u2014 expected #123, 123, owner/repo#123, or an issue URL`);
-}
-function buildResolveIdArgs(ref) {
-  const args = ["issue", "view", String(ref.number), "--json", "id", "--jq", ".id"];
-  if (ref.repo) args.push("--repo", ref.repo);
-  return args;
-}
-function buildAddSubIssueArgs(parentId, subIssueId) {
-  if (!parentId) throw new Error("addSubIssue: parentId is required");
-  if (!subIssueId) throw new Error("addSubIssue: subIssueId is required");
-  return [
-    "api",
-    "graphql",
-    "-f",
-    "query=mutation($p:ID!,$c:ID!){addSubIssue(input:{issueId:$p,subIssueId:$c}){issue{number subIssues{totalCount}} subIssue{number}}}",
-    "-f",
-    `p=${parentId}`,
-    "-f",
-    `c=${subIssueId}`
-  ];
-}
-function parseAddSubIssueResult(stdout) {
-  try {
-    const issue2 = JSON.parse(stdout)?.data?.addSubIssue;
-    const parentNumber = issue2?.issue?.number;
-    const subIssueNumber = issue2?.subIssue?.number;
-    const totalCount = issue2?.issue?.subIssues?.totalCount;
-    if (typeof parentNumber !== "number" || typeof subIssueNumber !== "number") return void 0;
-    return { parentNumber, subIssueNumber, totalCount: typeof totalCount === "number" ? totalCount : 0 };
-  } catch {
-    return void 0;
-  }
-}
-var RESOLVE_ID_TIMEOUT_MS = 1e4;
-async function resolveIssueNodeId(runGh, ref, fallbackRepo) {
-  const resolved = ref.repo ? ref : { ...ref, repo: fallbackRepo };
-  const id = (await runGh(buildResolveIdArgs(resolved), RESOLVE_ID_TIMEOUT_MS)).trim();
-  if (!id) throw new Error(`could not resolve node id for issue #${ref.number}${resolved.repo ? ` in ${resolved.repo}` : ""}`);
-  return id;
-}
-async function linkSubIssue(runGh, parentRef, childRef, defaultRepo) {
-  const parent = parseIssueRef(parentRef);
-  const child = parseIssueRef(childRef);
-  const parentId = await resolveIssueNodeId(runGh, parent, defaultRepo);
-  const subIssueId = await resolveIssueNodeId(runGh, child, defaultRepo);
-  const stdout = await runGh(buildAddSubIssueArgs(parentId, subIssueId), GH_MUTATION_TIMEOUT_MS);
-  const result = parseAddSubIssueResult(stdout);
-  if (!result) throw new Error(`addSubIssue returned an unexpected response:
-${stdout.trim() || "(empty)"}`);
-  return result;
-}
-function parentLinkFields(result, error) {
-  if (result) return { parent: result };
-  if (error) return { parentLinkError: error };
-  return {};
-}
-
 // src/report.ts
 var HUB_REPO3 = "mutmutco/MMI-Hub";
 var REPORT_LABEL = "report";
@@ -13080,7 +13962,7 @@ ${buildReportBody(body, sourceRepo)}`;
 
 // src/skill-lesson.ts
 var SKILL_LESSON_LABEL = "skill-lesson";
-var SKILL_NAMES = ["bootstrap", "browser-automation", "build", "coop", "grind", "handoff", "hotfix", "mmi", "rcand", "release", "secrets", "stage"];
+var SKILL_NAMES = ["bootstrap", "browser-automation", "build", "coop", "grind", "handoff", "hotfix", "mmi", "overlord", "rcand", "release", "secrets", "stage"];
 function assertSkillName(name) {
   const match = SKILL_NAMES.find((skill) => skill === name);
   if (!match) throw new Error(`unknown skill "${name}" \u2014 expected one of: ${SKILL_NAMES.join(", ")}`);
@@ -13745,8 +14627,8 @@ async function runStageLiveDown(deps, t) {
 }
 
 // src/design-system.ts
-var import_node_fs17 = require("node:fs");
-var import_node_path17 = require("node:path");
+var import_node_fs19 = require("node:fs");
+var import_node_path18 = require("node:path");
 var UI_PACKAGE_CANDIDATES = ["@mutmutco/ui-dashboard", "@mutmutco/ui", "@mutmutco/theme"];
 var DESIGN_SYSTEM_VERSION_LABEL = "@mutmutco design-system npm package (vs @latest)";
 function dashboardConsumerRegistryFix(error) {
@@ -13795,17 +14677,17 @@ function buildDesignSystemVersionCheck(input) {
 }
 function readJsonFile(path2) {
   try {
-    return JSON.parse((0, import_node_fs17.readFileSync)(path2, "utf8"));
+    return JSON.parse((0, import_node_fs19.readFileSync)(path2, "utf8"));
   } catch {
     return void 0;
   }
 }
 function isUiFactoryCheckout(root) {
-  const pkg = readJsonFile((0, import_node_path17.join)(root, "package.json"));
+  const pkg = readJsonFile((0, import_node_path18.join)(root, "package.json"));
   return pkg?.name === "mmd-ui" && pkg?.private === true;
 }
 function resolveDeclaredUiPackage(root) {
-  const pkg = readJsonFile((0, import_node_path17.join)(root, "package.json"));
+  const pkg = readJsonFile((0, import_node_path18.join)(root, "package.json"));
   if (!pkg) return void 0;
   const deps = { ...pkg.dependencies, ...pkg.devDependencies };
   for (const name of UI_PACKAGE_CANDIDATES) {
@@ -13815,8 +14697,8 @@ function resolveDeclaredUiPackage(root) {
   return void 0;
 }
 function readLockfileInstalledVersion(root, packageName) {
-  const lockPath = (0, import_node_path17.join)(root, "package-lock.json");
-  if (!(0, import_node_fs17.existsSync)(lockPath)) return void 0;
+  const lockPath = (0, import_node_path18.join)(root, "package-lock.json");
+  if (!(0, import_node_fs19.existsSync)(lockPath)) return void 0;
   const lock = readJsonFile(lockPath);
   const node = lock?.packages?.[`node_modules/${packageName}`];
   const version = node?.version?.trim();
@@ -13845,18 +14727,8 @@ function designSystemSnapshot(root) {
 
 // src/design-system-registry.ts
 var import_node_crypto6 = require("node:crypto");
-var import_node_fs19 = require("node:fs");
-var import_node_path18 = require("node:path");
-
-// src/atomic-write.ts
-var import_node_fs18 = require("node:fs");
-function atomicWriteFileSync(path2, content) {
-  const tmp = `${path2}.${process.pid}.tmp`;
-  (0, import_node_fs18.writeFileSync)(tmp, content, "utf8");
-  (0, import_node_fs18.renameSync)(tmp, path2);
-}
-
-// src/design-system-registry.ts
+var import_node_fs20 = require("node:fs");
+var import_node_path19 = require("node:path");
 var DESIGN_SYSTEM_CACHE_DIR = ".mmi/design-system/components";
 var DESIGN_SYSTEM_MANIFEST_PATH = ".mmi/design-system/manifest.json";
 var REGISTRY_COMPONENTS_LABEL = "@mutmutco registry components (.mmi cache vs live registry)";
@@ -13864,13 +14736,13 @@ var REGISTRY_FIX = "run `mmi-cli doctor --apply` to pull registry components int
 var REGISTRY_UNREACHABLE_FIX = "live @mutmutco registry unreachable \u2014 verify `components.json` `@mutmutco` registry URL and network, then retry `mmi-cli doctor`";
 function readJsonFile2(path2) {
   try {
-    return JSON.parse((0, import_node_fs19.readFileSync)(path2, "utf8"));
+    return JSON.parse((0, import_node_fs20.readFileSync)(path2, "utf8"));
   } catch {
     return void 0;
   }
 }
 function readComponentsJson(root) {
-  return readJsonFile2((0, import_node_path18.join)(root, "components.json"));
+  return readJsonFile2((0, import_node_path19.join)(root, "components.json"));
 }
 function hasMutmutcoRegistry(root) {
   const url = readComponentsJson(root)?.registries?.["@mutmutco"];
@@ -13878,7 +14750,7 @@ function hasMutmutcoRegistry(root) {
 }
 function resolveCacheDir(root) {
   const custom = readComponentsJson(root)?.mmi?.cacheDir;
-  return (0, import_node_path18.join)(root, custom ?? DESIGN_SYSTEM_CACHE_DIR);
+  return (0, import_node_path19.join)(root, custom ?? DESIGN_SYSTEM_CACHE_DIR);
 }
 function resolveRegistryUrlTemplate(root) {
   return readComponentsJson(root)?.registries?.["@mutmutco"];
@@ -13887,7 +14759,7 @@ function registryItemUrl(template, name) {
   return template.replace("{name}", name);
 }
 function readDesignSystemManifest(root) {
-  const raw = readJsonFile2((0, import_node_path18.join)(root, DESIGN_SYSTEM_MANIFEST_PATH));
+  const raw = readJsonFile2((0, import_node_path19.join)(root, DESIGN_SYSTEM_MANIFEST_PATH));
   if (!raw || !Array.isArray(raw.components)) return void 0;
   return raw;
 }
@@ -13899,11 +14771,11 @@ function listInstalledRegistryComponents(root) {
   return scanCachedComponentNames(resolveCacheDir(root));
 }
 function scanCachedComponentNames(cacheDir) {
-  if (!(0, import_node_fs19.existsSync)(cacheDir)) return [];
+  if (!(0, import_node_fs20.existsSync)(cacheDir)) return [];
   const names = /* @__PURE__ */ new Set();
   const walk = (dir) => {
-    for (const ent of (0, import_node_fs19.readdirSync)(dir, { withFileTypes: true })) {
-      const p = (0, import_node_path18.join)(dir, ent.name);
+    for (const ent of (0, import_node_fs20.readdirSync)(dir, { withFileTypes: true })) {
+      const p = (0, import_node_path19.join)(dir, ent.name);
       if (ent.isDirectory()) walk(p);
       else if (ent.isFile() && /\.(tsx?|jsx?)$/.test(ent.name)) {
         names.add(ent.name.replace(/\.(tsx|ts|jsx|js)$/, ""));
@@ -13992,13 +14864,13 @@ async function gatherRegistryComponentsState(root, targetVersion, deps) {
     let componentStale = false;
     for (const file of item.files) {
       if (!file.target || file.content == null) continue;
-      const cachePath = (0, import_node_path18.join)(cacheDir, cacheRelativePath(file.target));
-      if (!(0, import_node_fs19.existsSync)(cachePath)) {
+      const cachePath = (0, import_node_path19.join)(cacheDir, cacheRelativePath(file.target));
+      if (!(0, import_node_fs20.existsSync)(cachePath)) {
         componentStale = true;
         break;
       }
       try {
-        if (contentHash((0, import_node_fs19.readFileSync)(cachePath, "utf8")) !== contentHash(file.content)) {
+        if (contentHash((0, import_node_fs20.readFileSync)(cachePath, "utf8")) !== contentHash(file.content)) {
           componentStale = true;
           break;
         }
@@ -14008,7 +14880,7 @@ async function gatherRegistryComponentsState(root, targetVersion, deps) {
       }
     }
     if (componentStale) {
-      if ((0, import_node_fs19.existsSync)((0, import_node_path18.join)(cacheDir, "ui", `${name}.tsx`)) || (0, import_node_fs19.existsSync)((0, import_node_path18.join)(cacheDir, `${name}.tsx`))) {
+      if ((0, import_node_fs20.existsSync)((0, import_node_path19.join)(cacheDir, "ui", `${name}.tsx`)) || (0, import_node_fs20.existsSync)((0, import_node_path19.join)(cacheDir, `${name}.tsx`))) {
         stale.push(name);
       } else {
         missing.push(name);
@@ -14036,15 +14908,15 @@ async function applyRegistryComponentsSync(root, components, targetVersion, log,
     if (!item) return { ok: false };
     for (const file of item.files) {
       if (!file.target || file.content == null) continue;
-      const outPath = (0, import_node_path18.join)(cacheDir, cacheRelativePath(file.target));
-      deps.mkdir((0, import_node_path18.dirname)(outPath));
+      const outPath = (0, import_node_path19.join)(cacheDir, cacheRelativePath(file.target));
+      deps.mkdir((0, import_node_path19.dirname)(outPath));
       const body = file.content.endsWith("\n") ? file.content : `${file.content}
 `;
       deps.writeFile(outPath, body);
     }
   }
-  const manifestPath = (0, import_node_path18.join)(root, DESIGN_SYSTEM_MANIFEST_PATH);
-  deps.mkdir((0, import_node_path18.dirname)(manifestPath));
+  const manifestPath = (0, import_node_path19.join)(root, DESIGN_SYSTEM_MANIFEST_PATH);
+  deps.mkdir((0, import_node_path19.dirname)(manifestPath));
   const manifest = {
     version: targetVersion,
     syncedAt: (/* @__PURE__ */ new Date()).toISOString(),
@@ -14059,7 +14931,7 @@ function defaultRegistrySyncDeps() {
   return {
     fetch,
     writeFile: (path2, content) => atomicWriteFileSync(path2, content),
-    mkdir: (path2) => (0, import_node_fs19.mkdirSync)(path2, { recursive: true })
+    mkdir: (path2) => (0, import_node_fs20.mkdirSync)(path2, { recursive: true })
   };
 }
 
@@ -14085,12 +14957,12 @@ function renderVerifySecrets(body) {
 }
 
 // src/hotfix-coverage.ts
-var import_node_child_process10 = require("node:child_process");
+var import_node_child_process11 = require("node:child_process");
 var CHERRY_TRAILER = /\(cherry picked from commit ([0-9a-f]{7,40})\)/g;
 function checkHotfixCoverage(options = {}) {
   const { cwd = process.cwd(), mainRef = "origin/main", rcRef = "origin/rc", manifestPaths = [] } = options;
   const ack = (options.ack ?? []).filter(Boolean);
-  const git = options.git ?? ((args, opts) => (0, import_node_child_process10.execFileSync)("git", args, { cwd, encoding: "utf8", input: opts?.input, stdio: ["pipe", "pipe", "pipe"] }));
+  const git = options.git ?? ((args, opts) => (0, import_node_child_process11.execFileSync)("git", args, { cwd, encoding: "utf8", input: opts?.input, stdio: ["pipe", "pipe", "pipe"] }));
   const revList = (range) => {
     const out = git(["rev-list", "--no-merges", range]).trim();
     return out ? out.split("\n") : [];
@@ -14813,8 +15685,8 @@ async function announceRelease(deps, args) {
 }
 
 // src/port-registry.ts
-var import_node_fs20 = require("node:fs");
-var import_node_path19 = require("node:path");
+var import_node_fs21 = require("node:fs");
+var import_node_path20 = require("node:path");
 
 // ../infra/port-geometry.mjs
 var PORT_BLOCK = 100;
@@ -14828,8 +15700,8 @@ function nextPortBlock(registry2) {
   return [base, base + PORT_SPAN];
 }
 function loadPortRegistry(path2) {
-  if (!(0, import_node_fs20.existsSync)(path2)) return {};
-  const raw = JSON.parse((0, import_node_fs20.readFileSync)(path2, "utf8"));
+  if (!(0, import_node_fs21.existsSync)(path2)) return {};
+  const raw = JSON.parse((0, import_node_fs21.readFileSync)(path2, "utf8"));
   const out = {};
   for (const [key, value] of Object.entries(raw)) {
     if (Array.isArray(value) && value.length === 2 && value.every((n) => typeof n === "number")) {
@@ -14843,9 +15715,9 @@ function ensurePortRange(repo, path2) {
   const existing = registry2[repo];
   if (existing) return existing;
   const range = nextPortBlock(registry2);
-  const raw = (0, import_node_fs20.existsSync)(path2) ? JSON.parse((0, import_node_fs20.readFileSync)(path2, "utf8")) : {};
+  const raw = (0, import_node_fs21.existsSync)(path2) ? JSON.parse((0, import_node_fs21.readFileSync)(path2, "utf8")) : {};
   raw[repo] = range;
-  (0, import_node_fs20.writeFileSync)(path2, JSON.stringify(raw, null, 2) + "\n", "utf8");
+  (0, import_node_fs21.writeFileSync)(path2, JSON.stringify(raw, null, 2) + "\n", "utf8");
   return range;
 }
 function portCursorSeed(registry2) {
@@ -14867,18 +15739,18 @@ function existingPortRange(repo, registry2) {
   return registry2[repo] ?? null;
 }
 function portRangeInfraAt(root, source) {
-  const registryPath = (0, import_node_path19.join)(root, "infra", "port-ranges.json");
-  const ddbScriptPath = (0, import_node_path19.join)(root, "infra", "port-ddb.mjs");
-  if (!(0, import_node_fs20.existsSync)(registryPath) || !(0, import_node_fs20.existsSync)(ddbScriptPath)) return null;
+  const registryPath = (0, import_node_path20.join)(root, "infra", "port-ranges.json");
+  const ddbScriptPath = (0, import_node_path20.join)(root, "infra", "port-ddb.mjs");
+  if (!(0, import_node_fs21.existsSync)(registryPath) || !(0, import_node_fs21.existsSync)(ddbScriptPath)) return null;
   return { root, source, registryPath, ddbScriptPath };
 }
 function resolvePortRangeInfra(cwd) {
   const direct = portRangeInfraAt(cwd, "cwd");
   if (direct) return direct;
-  for (let dir = cwd; ; dir = (0, import_node_path19.dirname)(dir)) {
-    const sibling = portRangeInfraAt((0, import_node_path19.join)(dir, "MMI-Hub"), "sibling-hub");
+  for (let dir = cwd; ; dir = (0, import_node_path20.dirname)(dir)) {
+    const sibling = portRangeInfraAt((0, import_node_path20.join)(dir, "MMI-Hub"), "sibling-hub");
     if (sibling) return sibling;
-    const parent = (0, import_node_path19.dirname)(dir);
+    const parent = (0, import_node_path20.dirname)(dir);
     if (parent === dir) return null;
   }
 }
@@ -14903,7 +15775,8 @@ var OVERGRANT_ROLES = /* @__PURE__ */ new Set(["admin", "maintain"]);
 var REQUIRED_DATA_ACCESS = {
   "mutmutco/MM-Chat": [{ name: "kb-projection-reader", dbRole: "kb_reader", vaultParamNeedle: "KB_READ_DB_URL" }]
 };
-function lockedBranches(repoClass) {
+function lockedBranches(repoClass, releaseTrack) {
+  if (releaseTrack) return branchesForTrack(releaseTrack);
   return repoClass === "content" ? ["main"] : ["development", "rc", "main"];
 }
 function safeJson(text, fallback) {
@@ -15030,14 +15903,15 @@ function auditDataAccessContracts(repo, contracts = { consumers: {} }) {
   }
   return findings;
 }
-async function auditRepoAccess(repo, repoClass, owners, deps, projectAdmins = /* @__PURE__ */ new Set(), dataAccess) {
+async function auditRepoAccess(repo, repoClass, owners, deps, projectAdmins = /* @__PURE__ */ new Set(), dataAccess, releaseTrack) {
   const findings = [];
   findings.push(...await auditRepoCollaborators(repo, owners, deps));
   if (dataAccess) findings.push(...auditDataAccessContracts(repo, dataAccess));
-  for (const branch of lockedBranches(repoClass)) {
+  const track = releaseTrack ?? (repoClass === "content" ? "trunk" : void 0);
+  for (const branch of lockedBranches(repoClass, track)) {
     findings.push(...await auditTrainBranch(repo, branch, owners, deps, projectAdmins));
   }
-  return { repo, class: repoClass, ok: !findings.some((f) => f.severity === "high"), findings };
+  return { repo, class: repoClass, releaseTrack: track, ok: !findings.some((f) => f.severity === "high"), findings };
 }
 async function auditOrgBasePermission(deps) {
   const org = await restJson2(deps, `orgs/${OWNER}`, {});
@@ -15058,7 +15932,7 @@ async function auditOrgAccess(targets, deps, matrix = {}, dataAccess) {
   const orgFindings = await auditOrgBasePermission(deps);
   const repos = [];
   for (const target of targets) {
-    repos.push(await auditRepoAccess(target.repo, target.class, owners, deps, new Set(entriesValueByCanonicalRepo(matrix, target.repo) ?? []), dataAccess));
+    repos.push(await auditRepoAccess(target.repo, target.class, owners, deps, new Set(entriesValueByCanonicalRepo(matrix, target.repo) ?? []), dataAccess, target.releaseTrack));
   }
   const ok = orgFindings.every((f) => f.severity !== "high") && repos.every((r) => r.ok);
   return { ok, owners: [...owners], orgFindings, repos };
@@ -15078,7 +15952,8 @@ function loadAccessTargets(projectsJson, fanoutJson) {
       seen.add(repo);
       const repoName = repo.split("/").pop()?.toLowerCase() ?? repo.toLowerCase();
       const cls = project2.class === "content" || project2.deployModel === "content" || embeddedContent.has(repo.toLowerCase()) || embeddedContent.has(repoName) || legacyContentNames.has(repo.toLowerCase()) || legacyContentNames.has(repoName) ? "content" : "deployable";
-      targets.push({ repo, class: cls });
+      const releaseTrack = cls === "content" ? "trunk" : resolveReleaseTrack(project2, void 0, repo);
+      targets.push({ repo, class: cls, releaseTrack });
     }
   }
   return targets;
@@ -15128,7 +16003,7 @@ function renderAccessReport(report) {
     if (finding.remediation) lines.push(`      ${finding.remediation}`);
   }
   for (const repo of report.repos) {
-    lines.push(`${repo.ok ? "OK" : "FLAG"} ${repo.repo} (${repo.class})`);
+    lines.push(`${repo.ok ? "OK" : "FLAG"} ${repo.repo} (${repo.class}${repo.releaseTrack ? `, ${repo.releaseTrack}` : ""})`);
     for (const finding of repo.findings) {
       lines.push(`  [${finding.severity}] ${finding.kind}${finding.branch ? ` @${finding.branch}` : ""}: ${finding.detail}`);
       if (finding.remediation) lines.push(`      ${finding.remediation}`);
@@ -15674,6 +16549,23 @@ async function fetchDeployStatusBySlug(slug, deps) {
     return null;
   }
 }
+async function fetchDeployFactsBySlug(slug, deps) {
+  if (!deps.baseUrl || !slug) return null;
+  const token = await deps.token();
+  if (!token) return null;
+  try {
+    const res = await retriedFetch(deps, `${deps.baseUrl.replace(/\/$/, "")}/projects/${encodeURIComponent(slug)}/deploy-facts`, {
+      method: "GET",
+      headers: { Authorization: `Bearer ${token}` }
+    });
+    if (!res.ok) return null;
+    const body = await res.json();
+    if (!body?.stages) return null;
+    return { slug: body.slug ?? slug, stages: body.stages };
+  } catch {
+    return null;
+  }
+}
 async function fetchOrgConfig(deps) {
   if (!deps.baseUrl) return null;
   const token = await deps.token();
@@ -15847,7 +16739,7 @@ function attestedLine(att) {
   return `App-owned readiness attested by @${att.by} on ${att.at.slice(0, 10)} \u2014 the static checklist is cleared (the doctor reads no product repo files); re-run \`mmi-cli project attest\` after app-owned structural changes.`;
 }
 var CONTRACT_UNDECLARED_LINE = "No runtime secrets declared \u2014 declare requiredRuntimeSecrets (a per-stage name map) in the registry META, or attest the app needs none with an explicit empty stage map ({ dev: [], rc: [], main: [] }).";
-function appGapsFor(meta, model, slug, projectType) {
+function appGapsFor(meta, model, slug, projectType, mainDeployFact) {
   const attested = appAttestationOf(meta);
   const isTenantWeb = !(projectType === "content" || model === "content") && projectType !== "desktop-game" && projectType !== "cli-tool" && !(projectType === "non-deployable" || model === "none") && model !== "hub-serverless" && model !== "serverless" && model !== "registry-publish";
   const contractUndeclared = isTenantWeb && Boolean(meta) && !hasRuntimeSecretContract(meta?.requiredRuntimeSecrets);
@@ -15899,8 +16791,12 @@ function appGapsFor(meta, model, slug, projectType) {
   if (slug === "mmi-katip") {
     gaps.push("Katip-specific app plan: declare Google Workspace service-account requirements, use the service account numeric OAuth2 client ID for DWD, remove prod-hidden impersonation defaults, and make non-critical Google Workspace failures degrade instead of crash-looping.");
   }
-  if ((model === "solo-container" || model === "tenant-container") && typeof meta?.portRange?.start === "number") {
-    gaps.push(`Seed DEPLOY#main healthUrl to http://127.0.0.1:${meta.portRange.start}/health during bootstrap (tenant reconcile/control health gate \u2014 #1202).`);
+  if (model === "solo-container" || model === "tenant-container") {
+    if (typeof mainDeployFact?.port === "number") {
+      gaps.push(`Seed DEPLOY#main healthUrl to http://127.0.0.1:${mainDeployFact.port}/health during bootstrap (tenant reconcile/control health gate \u2014 #1202; port read from DEPLOY#main).`);
+    } else if (!appAttestationOf(meta)) {
+      gaps.push("Seed DEPLOY#main healthUrl from the DEPLOY#main edgeVhost.port during bootstrap (tenant reconcile/control health gate \u2014 #1202); doctor has no committed DEPLOY port to cite yet.");
+    }
   }
   if (!meta) gaps.unshift("No app-owned repo changes can be planned precisely until Hub registry META exists.");
   return gaps;
@@ -15945,7 +16841,7 @@ function sameNames(a, b) {
 function sameStageContract(a, b) {
   return STAGES.every((stage2) => sameNames(a[stage2], b[stage2]));
 }
-function buildV2HealPatch(repoOrSlug, meta) {
+function buildV2HealPatch(repoOrSlug, meta, mainDeployFact) {
   const slug = slugOfRepo(repoOrSlug);
   const repo = repoFrom(repoOrSlug, slug);
   const sub = defaultSubdomain(slug);
@@ -15983,7 +16879,7 @@ function buildV2HealPatch(repoOrSlug, meta) {
       patch.requiredRuntimeSecrets = next;
     }
   }
-  const appOwnedGaps = confidentType ? appGapsFor(meta, model, slug, confidentType) : [`Project type is unset and not derivable \u2014 classify with \`mmi-cli project set ${repo} --project-type <web-app|hub-service|content|desktop-game|non-deployable|cli-tool|worker> --deploy-model <tenant-container|solo-container|hub-serverless|serverless|registry-publish|content|none>\` before heal completes the v2 fields (prevents defaulting a non-web repo to tenant-container).`];
+  const appOwnedGaps = confidentType ? appGapsFor(meta, model, slug, confidentType, mainDeployFact) : [`Project type is unset and not derivable \u2014 classify with \`mmi-cli project set ${repo} --project-type <web-app|hub-service|content|desktop-game|non-deployable|cli-tool|worker> --deploy-model <tenant-container|solo-container|hub-serverless|serverless|registry-publish|content|none>\` before heal completes the v2 fields (prevents defaulting a non-web repo to tenant-container).`];
   if (boardRegistryGaps(meta).length) appOwnedGaps.unshift(boardRegistryGapMessage(repo));
   return { slug, patch, appOwnedGaps };
 }
@@ -16028,7 +16924,8 @@ async function buildV2Doctor(repoOrSlug, deps) {
   const meta = read.project;
   const projectType = resolveProjectType(meta, repo);
   const model = resolveDeployModel(meta, repo);
-  const autoHeal = buildV2HealPatch(repo, meta);
+  const mainDeployFact = meta && deps.getDeployFact ? await deps.getDeployFact(slug, "main") : null;
+  const autoHeal = buildV2HealPatch(repo, meta, mainDeployFact);
   if (!meta) {
     const emptySecrets = {
       dev: { required: [], present: [], missing: [] },
@@ -16142,6 +17039,152 @@ function renderReadinessIssueBody(existingBody, report, opts = {}) {
 ${section}`.trim();
 }
 
+// src/readiness-audit.ts
+function publicUrlFromDeployFact(fact) {
+  return fact?.domain ? `https://${fact.domain}` : void 0;
+}
+function tenantRuntimeHints(stage2, fact, probe) {
+  const hints = [];
+  if (!fact) {
+    hints.push(`DEPLOY#${stage2} row missing or state-only; seed deploy coords before runtime audit can prove the endpoint.`);
+    return hints;
+  }
+  if (!fact.sshHostPresent && fact.substrate === "hetzner-ssh") hints.push(`DEPLOY#${stage2} has hetzner-ssh substrate but no sshHost presence; tenant-deploy cannot reach the box.`);
+  if (!fact.domain) hints.push(`DEPLOY#${stage2} has no edgeVhost.domain; Cloudflare/Caddy public URL cannot be derived.`);
+  if (typeof fact.port !== "number") hints.push(`DEPLOY#${stage2} has no edgeVhost.port; Caddy upstream/healthUrl hints cannot be checked.`);
+  if (probe?.ok === false || probe?.status != null && probe.status >= 500) hints.push("Public URL probe failed; for Cloudflare 525 check Caddy TLS/origin certificate and Cloudflare SSL mode before changing app code.");
+  if (stage2 === "rc") hints.push("rc runtime is expected to be ephemeral: present between /rcand and /release, then retired after release.");
+  return hints;
+}
+function buildTenantRuntimeStatus(input) {
+  const publicUrl = publicUrlFromDeployFact(input.deploy);
+  return {
+    repo: input.repo,
+    slug: input.slug,
+    stage: input.stage,
+    deployRowPresent: Boolean(input.deploy?.present),
+    deploy: input.deploy ?? null,
+    publicUrl,
+    publicProbe: input.publicProbe,
+    lastTenantDeployRun: input.lastTenantDeployRun,
+    expectedEphemeralRc: input.stage === "rc",
+    hints: tenantRuntimeHints(input.stage, input.deploy, input.publicProbe)
+  };
+}
+function buildFullTrackReadinessReport(input) {
+  const releaseTrack = resolveReleaseTrack(input.meta, void 0, input.repo);
+  const branches = branchesForTrack(releaseTrack);
+  const reasons = [];
+  if (releaseTrack !== "full") reasons.push(`releaseTrack resolves ${releaseTrack}; set full for development -> rc -> main`);
+  if (!input.trainAuthority?.train) reasons.push("caller does not have train authority");
+  if (!input.deployFacts?.stages.rc?.present) reasons.push("DEPLOY#rc coords missing");
+  const rcRuntime = input.runtime.rc;
+  if (rcRuntime.publicProbe?.ok === false) reasons.push("rc public endpoint probe failed");
+  return {
+    repo: input.repo,
+    slug: input.slug,
+    releaseTrack,
+    branches,
+    trainAuthority: input.trainAuthority,
+    deployFacts: input.deployFacts,
+    rcand: { canApply: reasons.length === 0, reasons },
+    runtime: input.runtime
+  };
+}
+
+// src/oauth.ts
+var DEFAULT_DOMAINS = ["mutatismutandis.co", "mutmut.co"];
+var DEFAULT_CALLBACK_PATH = "/api/auth/callback";
+var ENV_PREFIXES = ["", "dev", "rc"];
+var LOOPBACK = ["http://localhost", "http://127.0.0.1"];
+var SSM_ENVS = ["dev", "rc", "main"];
+var SSM_NAMES = ["GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET"];
+var uniq = (xs) => [...new Set(xs)];
+function defaultSubdomain2(slug) {
+  const i = slug.indexOf("-");
+  return i === -1 ? slug : slug.slice(i + 1);
+}
+function expectedHosts(cfg) {
+  const out = [];
+  for (const sub of cfg.subdomains) {
+    for (const domain of cfg.domains) {
+      const base = sub ? `${sub}.${domain}` : domain;
+      for (const env of ENV_PREFIXES) out.push(env ? `${env}.${base}` : base);
+    }
+  }
+  if (cfg.fofuSubdomain !== void 0) {
+    out.push(cfg.fofuSubdomain ? `${cfg.fofuSubdomain}.fofu.ai` : "fofu.ai");
+  }
+  return uniq(out);
+}
+function expectedJsOrigins(cfg) {
+  return uniq([...expectedHosts(cfg).map((h) => `https://${h}`), ...LOOPBACK]);
+}
+function expectedRedirectUris(cfg) {
+  const { callbackPath } = cfg;
+  return uniq([
+    ...expectedHosts(cfg).map((h) => `https://${h}${callbackPath}`),
+    ...LOOPBACK.map((l) => `${l}${callbackPath}`)
+  ]);
+}
+function oauthSsmKeys() {
+  return SSM_ENVS.flatMap((env) => SSM_NAMES.map((name) => `${env}/${name}`));
+}
+function parseOauthClientJson(input) {
+  let parsed;
+  try {
+    parsed = JSON.parse(input);
+  } catch {
+    throw new Error('not valid JSON \u2014 pipe the Google client JSON (the Console "Download JSON" file)');
+  }
+  const root = parsed ?? {};
+  const obj = root.web ?? root.installed ?? parsed;
+  const clientId = typeof obj?.client_id === "string" ? obj.client_id.trim() : "";
+  const clientSecret = typeof obj?.client_secret === "string" ? obj.client_secret.trim() : "";
+  if (!clientId || !clientSecret) {
+    throw new Error("missing client_id or client_secret in the JSON");
+  }
+  return { clientId, clientSecret };
+}
+function parseOauthConfig(mmiConfig, slug) {
+  const rawUnknown = mmiConfig?.oauth;
+  if (rawUnknown === void 0) throw new Error(`oauth is not configured for ${slug}`);
+  if (!rawUnknown || typeof rawUnknown !== "object" || Array.isArray(rawUnknown)) {
+    throw new Error("oauth must be an object when configured");
+  }
+  const raw = rawUnknown;
+  const subdomains = Array.isArray(raw.subdomains) && raw.subdomains.length > 0 ? raw.subdomains.map(String) : [defaultSubdomain2(slug)];
+  const domains = Array.isArray(raw.domains) && raw.domains.length > 0 ? raw.domains.map(String) : [...DEFAULT_DOMAINS];
+  const callbackPath = typeof raw.callbackPath === "string" && raw.callbackPath ? raw.callbackPath : DEFAULT_CALLBACK_PATH;
+  if (!callbackPath.startsWith("/")) {
+    throw new Error(`oauth.callbackPath must start with "/" (got ${JSON.stringify(callbackPath)})`);
+  }
+  if (callbackPath !== DEFAULT_CALLBACK_PATH) {
+    throw new Error(`oauth.callbackPath must be "${DEFAULT_CALLBACK_PATH}" (got ${JSON.stringify(callbackPath)})`);
+  }
+  const meta = mmiConfig ?? {};
+  const rawFofuSub = raw.fofuSubdomain;
+  const fofuSubdomain = meta.fofuEnabled === true ? typeof rawFofuSub === "string" ? rawFofuSub : defaultSubdomain2(slug) : void 0;
+  return { subdomains, domains, callbackPath, fofuSubdomain };
+}
+function probeRedirectUri(callbackPath, port = 9123) {
+  return `http://localhost:${port}${callbackPath}`;
+}
+function buildAuthorizeProbeUrl(clientId, redirectUri) {
+  const qs = new URLSearchParams({
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    response_type: "code",
+    scope: "openid email",
+    access_type: "offline",
+    prompt: "consent"
+  });
+  return `https://accounts.google.com/o/oauth2/v2/auth?${qs.toString()}`;
+}
+function authorizeBodyHasMismatch(body) {
+  return /redirect_uri_mismatch/i.test(body);
+}
+
 // src/project-set.ts
 var UNSET_KEYS = ["oauth", "requiredRuntimeSecrets", "edgeDomains", "requiredGcpApis", "publishRequired", "publishDir", "dsManifestPath", "dashboard", "fofuEnabled", "consumesDesignSystem", "ci", "requiredChecks", "gate"];
 var UNSET_KEY_SET = new Set(UNSET_KEYS);
@@ -16263,7 +17306,7 @@ function parseOauthVar(raw) {
   try {
     parsed = JSON.parse(raw);
   } catch {
-    throw new Error('project set: oauth must be JSON, e.g. {"subdomains":["app"],"domains":["example.co"],"callbackPath":"/auth/callback"}');
+    throw new Error(`project set: oauth must be JSON, e.g. {"subdomains":["app"],"domains":["example.co"],"callbackPath":"${DEFAULT_CALLBACK_PATH}"}`);
   }
   if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
     throw new Error("project set: oauth must be a {subdomains,domains,callbackPath,fofuSubdomain} object");
@@ -16278,7 +17321,11 @@ function parseOauthVar(raw) {
       out[key] = value.map((v) => v.trim());
     } else if (key === "callbackPath") {
       if (typeof value !== "string" || !value.trim()) throw new Error("project set: oauth.callbackPath must be a non-empty string");
-      out.callbackPath = value.trim();
+      const callbackPath = value.trim();
+      if (callbackPath !== DEFAULT_CALLBACK_PATH) {
+        throw new Error(`project set: oauth.callbackPath must be "${DEFAULT_CALLBACK_PATH}" (got ${JSON.stringify(callbackPath)})`);
+      }
+      out.callbackPath = callbackPath;
     } else if (key === "fofuSubdomain") {
       if (typeof value !== "string") throw new Error('project set: oauth.fofuSubdomain must be a string ("" selects the apex fofu.ai)');
       out.fofuSubdomain = value.trim();
@@ -16592,8 +17639,12 @@ function resolveKbSource(rawBase) {
   if (!m) return DEFAULT_KB;
   return { owner: m[1], repo: m[2], ref: m[3] };
 }
-function buildKbGetArgs(src, path2) {
+function normalizeKbPath(path2) {
   const clean4 = path2.replace(/^\/+/, "");
+  return clean4 === "kb" || clean4.startsWith("kb/") ? clean4 : `kb/${clean4}`;
+}
+function buildKbGetArgs(src, path2) {
+  const clean4 = normalizeKbPath(path2);
   return ["api", `repos/${src.owner}/${src.repo}/contents/${clean4}?ref=${src.ref}`, "-H", "Accept: application/vnd.github.raw"];
 }
 function buildKbTreeArgs(src) {
@@ -16606,20 +17657,20 @@ function parseKbTree(stdout, prefix) {
   } catch {
     return [];
   }
-  const pre = prefix ? prefix.replace(/^\/+/, "") : void 0;
-  return tree.filter((t) => t.type === "blob" && typeof t.path === "string" && t.path.startsWith("kb/")).map((t) => t.path).filter((p) => pre ? p.startsWith(pre) : true).sort();
+  const pre = prefix ? normalizeKbPath(prefix) : void 0;
+  return tree.filter((t) => t.type === "blob" && typeof t.path === "string" && t.path.startsWith("kb/") && !t.path.split("/").some((s) => s.startsWith("."))).map((t) => t.path).filter((p) => pre ? p.startsWith(pre) : true).sort();
 }
 
 // src/northstar-commands.ts
-var import_node_fs21 = require("node:fs");
-var import_node_child_process11 = require("node:child_process");
+var import_node_fs22 = require("node:fs");
+var import_node_child_process12 = require("node:child_process");
 var import_promises6 = require("node:fs/promises");
 var planSyncDetached = false;
 function detachPlanSync() {
   if (planSyncDetached) return;
   planSyncDetached = true;
   try {
-    (0, import_node_child_process11.spawn)(process.execPath, [process.argv[1], "northstar", "sync", "--quiet"], {
+    (0, import_node_child_process12.spawn)(process.execPath, [process.argv[1], "northstar", "sync", "--quiet"], {
       detached: true,
       stdio: "ignore",
       windowsHide: true,
@@ -16629,7 +17680,7 @@ function detachPlanSync() {
   }
 }
 function makePlanDeps(cfg, io = consoleIo) {
-  const ensureDir = () => (0, import_node_fs21.mkdirSync)(PLANS_DIR, { recursive: true });
+  const ensureDir = () => (0, import_node_fs22.mkdirSync)(PLANS_DIR, { recursive: true });
   return {
     apiUrl: cfg.sagaApiUrl,
     fetch: (url, init = {}) => fetch(url, { ...init, signal: init.signal ?? AbortSignal.timeout(1e4) }),
@@ -16637,31 +17688,31 @@ function makePlanDeps(cfg, io = consoleIo) {
     project: async () => (await sagaKey(cfg)).project,
     readLocal: (slug) => {
       try {
-        return (0, import_node_fs21.readFileSync)(planPath(slug), "utf8");
+        return (0, import_node_fs22.readFileSync)(planPath(slug), "utf8");
       } catch {
         return null;
       }
     },
     listLocalSlugs: () => {
       try {
-        return (0, import_node_fs21.readdirSync)(PLANS_DIR, { withFileTypes: true }).filter((entry) => entry.isFile() && /^[A-Za-z0-9][A-Za-z0-9_-]*\.md$/.test(entry.name)).map((entry) => entry.name.replace(/\.md$/, ""));
+        return (0, import_node_fs22.readdirSync)(PLANS_DIR, { withFileTypes: true }).filter((entry) => entry.isFile() && /^[A-Za-z0-9][A-Za-z0-9_-]*\.md$/.test(entry.name)).map((entry) => entry.name.replace(/\.md$/, ""));
       } catch {
         return [];
       }
     },
     writeLocal: (slug, content) => {
       ensureDir();
-      (0, import_node_fs21.writeFileSync)(planPath(slug), content, "utf8");
+      (0, import_node_fs22.writeFileSync)(planPath(slug), content, "utf8");
     },
     removeLocal: (slug) => {
       try {
-        (0, import_node_fs21.rmSync)(planPath(slug));
+        (0, import_node_fs22.rmSync)(planPath(slug));
       } catch {
       }
     },
     readMetaRaw: () => {
       try {
-        return (0, import_node_fs21.readFileSync)(META_FILE, "utf8");
+        return (0, import_node_fs22.readFileSync)(META_FILE, "utf8");
       } catch {
         return null;
       }
@@ -16672,7 +17723,7 @@ function makePlanDeps(cfg, io = consoleIo) {
     },
     readIndexRaw: () => {
       try {
-        return (0, import_node_fs21.readFileSync)(INDEX_FILE, "utf8");
+        return (0, import_node_fs22.readFileSync)(INDEX_FILE, "utf8");
       } catch {
         return null;
       }
@@ -16683,7 +17734,7 @@ function makePlanDeps(cfg, io = consoleIo) {
     },
     readQueueRaw: () => {
       try {
-        return (0, import_node_fs21.readFileSync)(QUEUE_FILE, "utf8");
+        return (0, import_node_fs22.readFileSync)(QUEUE_FILE, "utf8");
       } catch {
         return null;
       }
@@ -16705,7 +17756,7 @@ function openInEditor(path2) {
     return;
   }
   try {
-    (0, import_node_child_process11.spawn)(editor, [path2], { stdio: "inherit" });
+    (0, import_node_child_process12.spawn)(editor, [path2], { stdio: "inherit" });
   } catch {
     console.log(`open ${path2} manually`);
   }
@@ -16743,7 +17794,7 @@ function repoInfoFromRemote(remote) {
 }
 function readStageUrl() {
   try {
-    const state = JSON.parse((0, import_node_fs21.readFileSync)("tmp/stage/state.json", "utf8"));
+    const state = JSON.parse((0, import_node_fs22.readFileSync)("tmp/stage/state.json", "utf8"));
     if (typeof state.url === "string" && state.url.trim()) return state.url.trim();
     if (typeof state.port === "number" && Number.isFinite(state.port)) return `http://127.0.0.1:${state.port}/`;
     if (typeof state.healthUrl === "string" && state.healthUrl.trim()) {
@@ -17056,6 +18107,11 @@ async function secretsList(deps, opts) {
   const { secrets } = await res.json();
   deps.log(formatSecretList(secrets ?? []));
 }
+var CAPABILITIES_TIMEOUT_MS = 2e4;
+function isTimeoutError(e) {
+  const name = e?.name;
+  return name === "TimeoutError" || name === "AbortError";
+}
 function formatCapabilities(r) {
   const head = `@${r.login} on ${r.repo} \u2014 ${r.role}`;
   const items = [...r.capabilities ?? []].sort((a, b) => a.scope.localeCompare(b.scope));
@@ -17086,10 +18142,15 @@ async function secretsCapabilities(deps, opts) {
     res = await deps.fetch(`${deps.apiUrl}/secrets/capabilities?${qs}`, {
       method: "GET",
       headers: await deps.headers(),
-      signal: AbortSignal.timeout(TIMEOUT_MS2)
+      signal: AbortSignal.timeout(CAPABILITIES_TIMEOUT_MS)
     });
   } catch (e) {
-    deps.err(`access capabilities: ${e.message}`);
+    const message = e.message;
+    if (isTimeoutError(e)) {
+      deps.err(`access capabilities: timed out after ${CAPABILITIES_TIMEOUT_MS}ms while aggregating vault scopes for ${repo}. No access conclusion was made; retry with a warm Hub or run scoped reads such as \`mmi-cli secrets list --repo ${repo}\` while investigating the slow source.`);
+      return;
+    }
+    deps.err(`access capabilities: ${message}`);
     return;
   }
   if (!res.ok) {
@@ -17483,8 +18544,8 @@ async function secretsUse(deps, key, opts) {
 }
 
 // src/secrets-commands.ts
-var import_node_fs22 = require("node:fs");
-var import_node_path20 = require("node:path");
+var import_node_fs23 = require("node:fs");
+var import_node_path21 = require("node:path");
 var RAILS_CREDENTIALS_DECRYPT_TIMEOUT_MS = 3e4;
 var DEFAULT_RAILS_CREDENTIALS_FILE = "config/credentials.yml.enc";
 var DEFAULT_RAILS_MASTER_KEY_FILE = "config/master.key";
@@ -17492,18 +18553,18 @@ function collectMap(value, previous = []) {
   return [...previous, value];
 }
 async function decryptRailsCredentials(input) {
-  const appDir = (0, import_node_path20.resolve)(input.appDir ?? process.cwd());
+  const appDir = (0, import_node_path21.resolve)(input.appDir ?? process.cwd());
   const credentialsFile = input.credentialsFile ?? DEFAULT_RAILS_CREDENTIALS_FILE;
   const masterKeyFile = input.masterKeyFile ?? DEFAULT_RAILS_MASTER_KEY_FILE;
-  const credentialsPath = (0, import_node_path20.resolve)(appDir, credentialsFile);
-  const masterKeyPath = (0, import_node_path20.resolve)(appDir, masterKeyFile);
+  const credentialsPath = (0, import_node_path21.resolve)(appDir, credentialsFile);
+  const masterKeyPath = (0, import_node_path21.resolve)(appDir, masterKeyFile);
   const env = {
     ...process.env,
     MMI_RAILS_CREDENTIALS_FILE: credentialsPath,
     MMI_RAILS_MASTER_KEY_FILE: masterKeyPath
   };
-  if ((0, import_node_fs22.existsSync)(masterKeyPath)) {
-    env.RAILS_MASTER_KEY = (0, import_node_fs22.readFileSync)(masterKeyPath, "utf8").trim();
+  if ((0, import_node_fs23.existsSync)(masterKeyPath)) {
+    env.RAILS_MASTER_KEY = (0, import_node_fs23.readFileSync)(masterKeyPath, "utf8").trim();
   }
   const script = [
     'require "json"',
@@ -17628,7 +18689,7 @@ function registerSecretsCommands(program3) {
       {
         ...d,
         decryptRailsCredentials,
-        removeFile: (path2) => (0, import_node_fs22.unlinkSync)((0, import_node_path20.resolve)(o.appDir ?? process.cwd(), path2))
+        removeFile: (path2) => (0, import_node_fs23.unlinkSync)((0, import_node_path21.resolve)(o.appDir ?? process.cwd(), path2))
       },
       {
         repo: o.repo,
@@ -17713,101 +18774,12 @@ function registerEdgeCommands(program3) {
   });
 }
 
-// src/oauth.ts
-var DEFAULT_DOMAINS = ["mutatismutandis.co", "mutmut.co"];
-var DEFAULT_CALLBACK_PATH = "/api/auth/callback";
-var ENV_PREFIXES = ["", "dev", "rc"];
-var LOOPBACK = ["http://localhost", "http://127.0.0.1"];
-var SSM_ENVS = ["dev", "rc", "main"];
-var SSM_NAMES = ["GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET"];
-var uniq = (xs) => [...new Set(xs)];
-function defaultSubdomain2(slug) {
-  const i = slug.indexOf("-");
-  return i === -1 ? slug : slug.slice(i + 1);
-}
-function expectedHosts(cfg) {
-  const out = [];
-  for (const sub of cfg.subdomains) {
-    for (const domain of cfg.domains) {
-      const base = sub ? `${sub}.${domain}` : domain;
-      for (const env of ENV_PREFIXES) out.push(env ? `${env}.${base}` : base);
-    }
-  }
-  if (cfg.fofuSubdomain !== void 0) {
-    out.push(cfg.fofuSubdomain ? `${cfg.fofuSubdomain}.fofu.ai` : "fofu.ai");
-  }
-  return uniq(out);
-}
-function expectedJsOrigins(cfg) {
-  return uniq([...expectedHosts(cfg).map((h) => `https://${h}`), ...LOOPBACK]);
-}
-function expectedRedirectUris(cfg) {
-  const { callbackPath } = cfg;
-  return uniq([
-    ...expectedHosts(cfg).map((h) => `https://${h}${callbackPath}`),
-    ...LOOPBACK.map((l) => `${l}${callbackPath}`)
-  ]);
-}
-function oauthSsmKeys() {
-  return SSM_ENVS.flatMap((env) => SSM_NAMES.map((name) => `${env}/${name}`));
-}
-function parseOauthClientJson(input) {
-  let parsed;
-  try {
-    parsed = JSON.parse(input);
-  } catch {
-    throw new Error('not valid JSON \u2014 pipe the Google client JSON (the Console "Download JSON" file)');
-  }
-  const root = parsed ?? {};
-  const obj = root.web ?? root.installed ?? parsed;
-  const clientId = typeof obj?.client_id === "string" ? obj.client_id.trim() : "";
-  const clientSecret = typeof obj?.client_secret === "string" ? obj.client_secret.trim() : "";
-  if (!clientId || !clientSecret) {
-    throw new Error("missing client_id or client_secret in the JSON");
-  }
-  return { clientId, clientSecret };
-}
-function parseOauthConfig(mmiConfig, slug) {
-  const rawUnknown = mmiConfig?.oauth;
-  if (rawUnknown === void 0) throw new Error(`oauth is not configured for ${slug}`);
-  if (!rawUnknown || typeof rawUnknown !== "object" || Array.isArray(rawUnknown)) {
-    throw new Error("oauth must be an object when configured");
-  }
-  const raw = rawUnknown;
-  const subdomains = Array.isArray(raw.subdomains) && raw.subdomains.length > 0 ? raw.subdomains.map(String) : [defaultSubdomain2(slug)];
-  const domains = Array.isArray(raw.domains) && raw.domains.length > 0 ? raw.domains.map(String) : [...DEFAULT_DOMAINS];
-  const callbackPath = typeof raw.callbackPath === "string" && raw.callbackPath ? raw.callbackPath : DEFAULT_CALLBACK_PATH;
-  if (!callbackPath.startsWith("/")) {
-    throw new Error(`oauth.callbackPath must start with "/" (got ${JSON.stringify(callbackPath)})`);
-  }
-  const meta = mmiConfig ?? {};
-  const rawFofuSub = raw.fofuSubdomain;
-  const fofuSubdomain = meta.fofuEnabled === true ? typeof rawFofuSub === "string" ? rawFofuSub : defaultSubdomain2(slug) : void 0;
-  return { subdomains, domains, callbackPath, fofuSubdomain };
-}
-function probeRedirectUri(callbackPath, port = 9123) {
-  return `http://localhost:${port}${callbackPath}`;
-}
-function buildAuthorizeProbeUrl(clientId, redirectUri) {
-  const qs = new URLSearchParams({
-    client_id: clientId,
-    redirect_uri: redirectUri,
-    response_type: "code",
-    scope: "openid email",
-    access_type: "offline",
-    prompt: "consent"
-  });
-  return `https://accounts.google.com/o/oauth2/v2/auth?${qs.toString()}`;
-}
-function authorizeBodyHasMismatch(body) {
-  return /redirect_uri_mismatch/i.test(body);
-}
-
 // src/doctor-run.ts
-var import_node_fs27 = require("node:fs");
+var import_node_fs28 = require("node:fs");
+var import_node_child_process14 = require("node:child_process");
 var import_promises7 = require("node:fs/promises");
-var import_node_path24 = require("node:path");
-var import_node_os5 = require("node:os");
+var import_node_path25 = require("node:path");
+var import_node_os6 = require("node:os");
 
 // src/plugin-guard.ts
 function buildPluginGuardDecision(i) {
@@ -17827,10 +18799,10 @@ function buildGuardSessionStartLine(state, opts = {}) {
 }
 
 // src/cursor-plugin-seed.ts
-var import_node_child_process12 = require("node:child_process");
-var import_node_fs23 = require("node:fs");
-var import_node_os4 = require("node:os");
-var import_node_path21 = require("node:path");
+var import_node_child_process13 = require("node:child_process");
+var import_node_fs24 = require("node:fs");
+var import_node_os5 = require("node:os");
+var import_node_path22 = require("node:path");
 var import_node_util7 = require("node:util");
 function isSemverVersion(v) {
   return typeof v === "string" && /^v?\d+\.\d+\.\d+/.test(v.trim());
@@ -17838,7 +18810,7 @@ function isSemverVersion(v) {
 var MMI_HUB_REPO = "mutmutco/MMI-Hub";
 var CURSOR_THIRD_PARTY_STATE_KEY = "cursor/thirdPartyExtensibilityEnabled";
 var PLUGIN_JSON_REL = ".cursor-plugin/plugin.json";
-var execFileBuffer = (0, import_node_util7.promisify)(import_node_child_process12.execFile);
+var execFileBuffer = (0, import_node_util7.promisify)(import_node_child_process13.execFile);
 function gitFetchReleaseTagArgs(hubCheckout, tag) {
   return ["-C", hubCheckout, "fetch", "origin", "tag", tag, "--quiet"];
 }
@@ -17847,17 +18819,17 @@ function ghReleaseTarballApiArgs(tag) {
 }
 function cursorUserGlobalStatePath() {
   if (process.platform === "win32") {
-    const base = process.env.APPDATA || (0, import_node_path21.join)((0, import_node_os4.homedir)(), "AppData", "Roaming");
-    return (0, import_node_path21.join)(base, "Cursor", "User", "globalStorage", "state.vscdb");
+    const base = process.env.APPDATA || (0, import_node_path22.join)((0, import_node_os5.homedir)(), "AppData", "Roaming");
+    return (0, import_node_path22.join)(base, "Cursor", "User", "globalStorage", "state.vscdb");
   }
   if (process.platform === "darwin") {
-    return (0, import_node_path21.join)((0, import_node_os4.homedir)(), "Library", "Application Support", "Cursor", "User", "globalStorage", "state.vscdb");
+    return (0, import_node_path22.join)((0, import_node_os5.homedir)(), "Library", "Application Support", "Cursor", "User", "globalStorage", "state.vscdb");
   }
-  return (0, import_node_path21.join)((0, import_node_os4.homedir)(), ".config", "Cursor", "User", "globalStorage", "state.vscdb");
+  return (0, import_node_path22.join)((0, import_node_os5.homedir)(), ".config", "Cursor", "User", "globalStorage", "state.vscdb");
 }
 async function readCursorThirdPartyExtensibilityEnabled(execFileP5) {
   const dbPath = cursorUserGlobalStatePath();
-  if (!(0, import_node_fs23.existsSync)(dbPath)) return void 0;
+  if (!(0, import_node_fs24.existsSync)(dbPath)) return void 0;
   try {
     const { stdout } = await execFileP5("sqlite3", [dbPath, `SELECT value FROM ItemTable WHERE key = '${CURSOR_THIRD_PARTY_STATE_KEY}';`], {
       timeout: 5e3
@@ -17871,57 +18843,57 @@ async function readCursorThirdPartyExtensibilityEnabled(execFileP5) {
   }
 }
 function syncDirContents(src, dest) {
-  (0, import_node_fs23.mkdirSync)(dest, { recursive: true });
-  for (const name of (0, import_node_fs23.readdirSync)(dest)) {
-    (0, import_node_fs23.rmSync)((0, import_node_path21.join)(dest, name), { recursive: true, force: true });
+  (0, import_node_fs24.mkdirSync)(dest, { recursive: true });
+  for (const name of (0, import_node_fs24.readdirSync)(dest)) {
+    (0, import_node_fs24.rmSync)((0, import_node_path22.join)(dest, name), { recursive: true, force: true });
   }
-  (0, import_node_fs23.cpSync)(src, dest, { recursive: true });
+  (0, import_node_fs24.cpSync)(src, dest, { recursive: true });
 }
 function releaseTag(releasedVersion) {
   return releasedVersion.startsWith("v") ? releasedVersion : `v${releasedVersion}`;
 }
 async function extractPluginMmiFromHubCheckout(hubCheckout, tag, tmpRoot, execFileP5) {
-  const tarFile = (0, import_node_path21.join)(tmpRoot, "archive.tar");
+  const tarFile = (0, import_node_path22.join)(tmpRoot, "archive.tar");
   try {
     await execFileP5("git", gitFetchReleaseTagArgs(hubCheckout, tag), { timeout: 6e4 });
     await execFileP5("git", ["-C", hubCheckout, "archive", "--format=tar", `--output=${tarFile}`, tag, "plugins/mmi"], {
       timeout: 6e4
     });
     await execFileP5("tar", ["-xf", tarFile, "-C", tmpRoot], { timeout: 6e4 });
-    const pluginMmi = (0, import_node_path21.join)(tmpRoot, "plugins", "mmi");
-    return (0, import_node_fs23.existsSync)((0, import_node_path21.join)(pluginMmi, PLUGIN_JSON_REL)) ? pluginMmi : void 0;
+    const pluginMmi = (0, import_node_path22.join)(tmpRoot, "plugins", "mmi");
+    return (0, import_node_fs24.existsSync)((0, import_node_path22.join)(pluginMmi, PLUGIN_JSON_REL)) ? pluginMmi : void 0;
   } catch {
     return void 0;
   }
 }
 async function downloadPluginMmiViaGh(tag, tmpRoot) {
-  const tarPath = (0, import_node_path21.join)(tmpRoot, "repo.tgz");
+  const tarPath = (0, import_node_path22.join)(tmpRoot, "repo.tgz");
   try {
-    (0, import_node_fs23.mkdirSync)(tmpRoot, { recursive: true });
+    (0, import_node_fs24.mkdirSync)(tmpRoot, { recursive: true });
     const { stdout } = await execFileBuffer("gh", ghReleaseTarballApiArgs(tag), {
       timeout: 12e4,
       maxBuffer: 100 * 1024 * 1024,
       encoding: "buffer",
       windowsHide: true
     });
-    (0, import_node_fs23.writeFileSync)(tarPath, stdout);
+    (0, import_node_fs24.writeFileSync)(tarPath, stdout);
     await execFileBuffer("tar", ["-xzf", tarPath, "-C", tmpRoot], { timeout: 12e4, windowsHide: true });
-    const top = (0, import_node_fs23.readdirSync)(tmpRoot).find((entry) => entry !== "repo.tgz");
+    const top = (0, import_node_fs24.readdirSync)(tmpRoot).find((entry) => entry !== "repo.tgz");
     if (!top) return void 0;
-    const pluginMmi = (0, import_node_path21.join)(tmpRoot, top, "plugins", "mmi");
-    return (0, import_node_fs23.existsSync)((0, import_node_path21.join)(pluginMmi, PLUGIN_JSON_REL)) ? pluginMmi : void 0;
+    const pluginMmi = (0, import_node_path22.join)(tmpRoot, top, "plugins", "mmi");
+    return (0, import_node_fs24.existsSync)((0, import_node_path22.join)(pluginMmi, PLUGIN_JSON_REL)) ? pluginMmi : void 0;
   } catch {
     return void 0;
   }
 }
 async function resolvePluginMmiSource(releasedVersion, hubCheckout, tmpRoot, execFileP5) {
-  (0, import_node_fs23.mkdirSync)(tmpRoot, { recursive: true });
+  (0, import_node_fs24.mkdirSync)(tmpRoot, { recursive: true });
   const tag = releaseTag(releasedVersion);
   if (hubCheckout) {
     const fromHub = await extractPluginMmiFromHubCheckout(hubCheckout, tag, tmpRoot, execFileP5);
     if (fromHub) return fromHub;
   }
-  return downloadPluginMmiViaGh(tag, (0, import_node_path21.join)(tmpRoot, "gh"));
+  return downloadPluginMmiViaGh(tag, (0, import_node_path22.join)(tmpRoot, "gh"));
 }
 function cursorPluginPinsNeedingSeed(pins, releasedVersion) {
   if (!isSemverVersion(releasedVersion)) return pins.filter((pin) => !pin.hasPluginJson || !pin.hasHooksJson || pin.isEmpty);
@@ -17942,7 +18914,7 @@ async function applyCursorPluginCacheSeed(input) {
   for (const pin of pinsToSeed) {
     syncDirContents(source, pin.path);
   }
-  (0, import_node_fs23.rmSync)(tmpRoot, { recursive: true, force: true });
+  (0, import_node_fs24.rmSync)(tmpRoot, { recursive: true, force: true });
   return true;
 }
 
@@ -18269,6 +19241,30 @@ function buildNestedPluginTreeCheck(input) {
     fix: `${nested.length} self-nested MMI plugin cache tree(s) (#1126) exceed MAX_PATH and can't self-clean \u2014 run: ${nestedPluginTreeCleanupCommand(nested.map((n) => n.path), input.isWindows)}`
   };
 }
+var CODEX_ACTIVE_CACHE_LABEL = "Codex active plugin cache (vs latest release)";
+function buildCodexActiveCacheCheck(input) {
+  const base = {
+    ok: true,
+    label: CODEX_ACTIVE_CACHE_LABEL,
+    fix: CODEX_PLUGIN_RECOVERY
+  };
+  if (!input.isOrgRepo || !isSemverVersion2(input.releasedVersion)) return base;
+  if (isSemverVersion2(input.codexRecordVersion) && compareVersions(input.codexRecordVersion, input.releasedVersion) < 0) {
+    return base;
+  }
+  const activeCacheVersion = highestSemver(input.codexCacheVersions ?? []);
+  const cacheCurrent = isSemverVersion2(activeCacheVersion) && compareVersions(activeCacheVersion, input.releasedVersion) >= 0;
+  if (cacheCurrent) {
+    return { ...base, activeCacheVersion, releasedVersion: input.releasedVersion };
+  }
+  return {
+    ...base,
+    ok: false,
+    activeCacheVersion,
+    releasedVersion: input.releasedVersion,
+    fix: `Codex active plugin cache is ${activeCacheVersion ?? "missing the released version"} < ${input.releasedVersion} while the installed record is current \u2014 run \`mmi-cli doctor --apply\` (forces the Codex reinstall when \`codex\` is on PATH; restart Codex after), or manually: ${CODEX_PLUGIN_RECOVERY}`
+  };
+}
 function detectSurface(env) {
   const has = (k) => Boolean(env[k]?.trim());
   if (env.MMI_AGENT_SURFACE === "codex" || has("CODEX_HOME") || (env.CLAUDE_PLUGIN_ROOT ?? "").includes(".codex")) {
@@ -18397,6 +19393,25 @@ var CODEX_PLUGIN_HEAL_STEPS = PLUGIN_SURFACE_HEAL.codex.healSteps;
 function healStepAborts(step, ok) {
   return !ok && step.gated;
 }
+function marketplaceAddSupportsRef(helpText) {
+  if (!helpText) return false;
+  return /(^|\s)--ref(\b|=)/.test(helpText);
+}
+function adaptHealStepsForRefSupport(steps, refSupported) {
+  if (refSupported) return { steps: [...steps], strippedRef: false };
+  let strippedRef = false;
+  const adapted = steps.map((step) => {
+    const refIdx = step.args.indexOf("--ref");
+    const isAdd = step.args.includes("marketplace") && step.args.includes("add");
+    if (!isAdd || refIdx === -1) return step;
+    strippedRef = true;
+    return { ...step, args: [...step.args.slice(0, refIdx), ...step.args.slice(refIdx + 2)] };
+  });
+  return { steps: adapted, strippedRef };
+}
+function recoveryWithoutRef(recovery) {
+  return recovery.replace(/ --ref \S+/g, "");
+}
 function pluginRecoveryFix(surface) {
   const token = surfaceToken(surface);
   if (token) return PLUGIN_SURFACE_HEAL[token].fix(surface);
@@ -18737,7 +19752,7 @@ function cursorPluginInstallFix(input) {
   const cacheDir = joinCachePath(input.cacheRoot, pin);
   const autoSeed = "run `mmi-cli doctor --apply` to seed plugins/mmi from the latest release into the active pin";
   const localSeed = input.hubCheckout ? `temporary fallback: copy ${joinCachePath(input.hubCheckout, "plugins", "mmi")} to ${cacheDir}, then restart Cursor` : `temporary fallback: copy plugins/mmi from a local MMI-Hub checkout to ${cacheDir}, then restart Cursor`;
-  return `Cursor plugin cache at ${cacheDir} is empty or missing ${CURSOR_PLUGIN_JSON_REL} or ${CURSOR_HOOKS_JSON_REL} \u2014 ${autoSeed}; ${marketplaceRefresh}; ${authSteps}; ${localSeed}; ${logHint}; ${guide}`;
+  return `Cursor plugin cache at ${cacheDir} is empty or missing ${CURSOR_PLUGIN_JSON_REL}, ${CURSOR_HOOKS_JSON_REL}, or the shell-dialect guard scripts \u2014 ${autoSeed}; ${marketplaceRefresh}; ${authSteps}; ${localSeed}; ${logHint}; ${guide}`;
 }
 function buildCursorPluginInstallCheck(input) {
   const base = {
@@ -18759,7 +19774,7 @@ function buildCursorPluginInstallCheck(input) {
     };
   }
   for (const pin of input.pins) {
-    if (!pin.hasPluginJson || !pin.hasHooksJson || pin.isEmpty) {
+    if (!pin.hasPluginJson || !pin.hasHooksJson || pin.hasShellDialectGuard === false || pin.isEmpty) {
       return {
         ...base,
         ok: false,
@@ -18976,6 +19991,22 @@ function buildSelfUpdateHaltPayload(input) {
     checks: input.checks
   };
 }
+var DOCTOR_POST_SELF_UPDATE_ENV = "MMI_DOCTOR_POST_SELF_UPDATE";
+function buildSelfUpdateReexecArgs(opts) {
+  const args = ["doctor"];
+  if (opts.banner) args.push("--banner");
+  if (opts.preflight) args.push("--preflight");
+  if (opts.verbose) args.push("--verbose");
+  if (opts.guide) args.push("--guide");
+  if (opts.json) args.push("--json");
+  if (opts.apply) args.push("--apply");
+  if (opts.noRepoWrites) args.push("--no-repo-writes");
+  return args;
+}
+function selfUpdateReexecLine(report) {
+  const to = report.releasedVersion ?? "latest";
+  return `\u21BB mmi-cli updated \u2192 ${to}. Re-running \`mmi-cli doctor\` under the new CLI\u2026`;
+}
 function preflightOutcome(input) {
   if (input.gaps.length) {
     return { healed: false, line: `\u26A0 MMI preflight: ${input.gaps.length} item(s) still need attention \u2014 ${input.gaps.map((g) => g.fix).join(" \xB7 ")}` };
@@ -19051,16 +20082,16 @@ function buildPluginResolvabilityCheck(input) {
 }
 
 // src/kb-drift-report.ts
-var import_node_fs24 = require("node:fs");
-var import_node_path22 = require("node:path");
+var import_node_fs25 = require("node:fs");
+var import_node_path23 = require("node:path");
 function yesterdayIso() {
   const d = /* @__PURE__ */ new Date();
   d.setUTCDate(d.getUTCDate() - 1);
   return d.toISOString().slice(0, 10);
 }
 async function fetchLatestKbDriftReport(execFileP5, repoRoot) {
-  const sagaIo = (0, import_node_path22.join)(repoRoot, "infra", "saga-io.mjs");
-  if (!(0, import_node_fs24.existsSync)(sagaIo)) return null;
+  const sagaIo = (0, import_node_path23.join)(repoRoot, "infra", "saga-io.mjs");
+  if (!(0, import_node_fs25.existsSync)(sagaIo)) return null;
   const today = (/* @__PURE__ */ new Date()).toISOString().slice(0, 10);
   for (const date of [today, yesterdayIso()]) {
     try {
@@ -19076,9 +20107,9 @@ async function fetchLatestKbDriftReport(execFileP5, repoRoot) {
 }
 
 // src/cli-doctor-shared.ts
-var import_node_fs25 = require("node:fs");
-var import_node_path23 = require("node:path");
 var import_node_fs26 = require("node:fs");
+var import_node_path24 = require("node:path");
+var import_node_fs27 = require("node:fs");
 var GC_GH_TIMEOUT_MS = 2e4;
 async function awsCallerArn() {
   try {
@@ -19124,7 +20155,7 @@ async function localBranchHeads() {
 }
 async function currentRepoWorktreeGitRoot(repoRoot) {
   const gitCommonDir = (await execFileP2("git", ["rev-parse", "--git-common-dir"], { timeout: GIT_TIMEOUT_MS }).catch(() => ({ stdout: "" }))).stdout.trim();
-  return gitCommonDir ? (0, import_node_path23.resolve)(repoRoot, gitCommonDir, "worktrees") : "";
+  return gitCommonDir ? (0, import_node_path24.resolve)(repoRoot, gitCommonDir, "worktrees") : "";
 }
 async function worktreeBranches() {
   const { stdout } = await execFileP2("git", ["worktree", "list", "--porcelain"], { timeout: GIT_TIMEOUT_MS });
@@ -19144,18 +20175,18 @@ function resolveGitdirForWorktreeFile(worktreePath, content) {
   const match = /^gitdir:\s*(.+)\s*$/im.exec(content);
   if (!match?.[1]) return void 0;
   const raw = match[1].trim();
-  return (0, import_node_path23.isAbsolute)(raw) ? raw : (0, import_node_path23.resolve)(worktreePath, raw);
+  return (0, import_node_path24.isAbsolute)(raw) ? raw : (0, import_node_path24.resolve)(worktreePath, raw);
 }
 function metadataOwnsMissingWorktreeDir(worktreePath, worktreeGitRoot) {
   if (!worktreeGitRoot) return false;
   try {
-    const entries = (0, import_node_fs26.readdirSync)(worktreeGitRoot, { withFileTypes: true });
+    const entries = (0, import_node_fs27.readdirSync)(worktreeGitRoot, { withFileTypes: true });
     for (const ent of entries) {
       if (!ent.isDirectory()) continue;
       try {
-        const gitdirPath = (0, import_node_fs25.readFileSync)((0, import_node_path23.join)(worktreeGitRoot, ent.name, "gitdir"), "utf8").trim();
-        const resolvedGitdir = (0, import_node_path23.isAbsolute)(gitdirPath) ? gitdirPath : (0, import_node_path23.resolve)(worktreeGitRoot, ent.name, gitdirPath);
-        if (sameWorktreeMetadataPath((0, import_node_path23.dirname)(resolvedGitdir), worktreePath)) return true;
+        const gitdirPath = (0, import_node_fs26.readFileSync)((0, import_node_path24.join)(worktreeGitRoot, ent.name, "gitdir"), "utf8").trim();
+        const resolvedGitdir = (0, import_node_path24.isAbsolute)(gitdirPath) ? gitdirPath : (0, import_node_path24.resolve)(worktreeGitRoot, ent.name, gitdirPath);
+        if (sameWorktreeMetadataPath((0, import_node_path24.dirname)(resolvedGitdir), worktreePath)) return true;
       } catch {
       }
     }
@@ -19165,7 +20196,7 @@ function metadataOwnsMissingWorktreeDir(worktreePath, worktreeGitRoot) {
 }
 function pathExistsKnown(path2) {
   try {
-    (0, import_node_fs26.statSync)(path2);
+    (0, import_node_fs27.statSync)(path2);
     return true;
   } catch (e) {
     const code = typeof e === "object" && e && "code" in e ? String(e.code ?? "") : "";
@@ -19174,10 +20205,10 @@ function pathExistsKnown(path2) {
   }
 }
 function inspectSiblingWorktreeDir(path2, worktreeGitRoot) {
-  const gitPath = (0, import_node_path23.join)(path2, ".git");
+  const gitPath = (0, import_node_path24.join)(path2, ".git");
   let st;
   try {
-    st = (0, import_node_fs26.lstatSync)(gitPath);
+    st = (0, import_node_fs27.lstatSync)(gitPath);
   } catch (e) {
     const code = typeof e === "object" && e && "code" in e ? String(e.code ?? "") : "";
     if (code === "ENOENT" || code === "ENOTDIR") {
@@ -19194,7 +20225,7 @@ function inspectSiblingWorktreeDir(path2, worktreeGitRoot) {
   if (st.isDirectory()) return { path: path2, gitType: "dir" };
   if (!st.isFile()) return { path: path2, gitType: "other" };
   try {
-    const gitFileContent = (0, import_node_fs25.readFileSync)(gitPath, "utf8");
+    const gitFileContent = (0, import_node_fs26.readFileSync)(gitPath, "utf8");
     const gitdir = resolveGitdirForWorktreeFile(path2, gitFileContent);
     const gitDirExists = gitdir ? pathExistsKnown(gitdir) : false;
     return {
@@ -19211,7 +20242,7 @@ function inspectSiblingWorktreeDir(path2, worktreeGitRoot) {
 }
 function inspectDeadWorktreeDirContent(path2) {
   try {
-    return { entries: (0, import_node_fs26.readdirSync)(path2) };
+    return { entries: (0, import_node_fs27.readdirSync)(path2) };
   } catch (e) {
     const code = typeof e === "object" && e && "code" in e ? String(e.code ?? "") : "";
     return { error: code ? `unable to inspect directory contents (${code})` : "unable to inspect directory contents" };
@@ -19230,8 +20261,8 @@ async function siblingWorktreeDirs() {
   const worktreeGitRoot = await currentRepoWorktreeGitRoot(repoRoot);
   const siblingRoot = siblingMmiWorktreesRoot(repoRoot);
   try {
-    const entries = (0, import_node_fs26.readdirSync)(siblingRoot, { withFileTypes: true });
-    return entries.filter((ent) => ent.isDirectory()).map((ent) => inspectSiblingWorktreeDir((0, import_node_path23.join)(siblingRoot, ent.name), worktreeGitRoot)).filter((entry) => Boolean(entry));
+    const entries = (0, import_node_fs27.readdirSync)(siblingRoot, { withFileTypes: true });
+    return entries.filter((ent) => ent.isDirectory()).map((ent) => inspectSiblingWorktreeDir((0, import_node_path24.join)(siblingRoot, ent.name), worktreeGitRoot)).filter((entry) => Boolean(entry));
   } catch {
     return [];
   }
@@ -19281,7 +20312,7 @@ async function fetchHubVersionInfo(baseUrl) {
 }
 function readRepoVersion() {
   try {
-    return JSON.parse((0, import_node_fs27.readFileSync)((0, import_node_path24.join)(process.cwd(), ".claude-plugin", "plugin.json"), "utf8")).version || void 0;
+    return JSON.parse((0, import_node_fs28.readFileSync)((0, import_node_path25.join)(process.cwd(), ".claude-plugin", "plugin.json"), "utf8")).version || void 0;
   } catch {
     return void 0;
   }
@@ -19382,6 +20413,21 @@ var CLAUDE_PLUGIN_TIMEOUT_MS = 12e4;
 function runHostBin(bin, args, opts) {
   return isWin ? execFileP2("cmd.exe", ["/c", bin, ...args], opts) : execFileP2(bin, args, opts);
 }
+function reexecMmiCli(args) {
+  return new Promise((resolve6) => {
+    let settled = false;
+    const done = (code) => {
+      if (!settled) {
+        settled = true;
+        resolve6(code);
+      }
+    };
+    const env = { ...process.env, [DOCTOR_POST_SELF_UPDATE_ENV]: "1" };
+    const child = isWin ? (0, import_node_child_process14.spawn)("cmd.exe", ["/c", "mmi-cli", ...args], { stdio: "inherit", env }) : (0, import_node_child_process14.spawn)("mmi-cli", args, { stdio: "inherit", env });
+    child.on("error", () => done(-1));
+    child.on("exit", (code) => done(code ?? 0));
+  });
+}
 function hostBinAvailable(bin) {
   return execFileP2(isWin ? "where" : "which", [bin]).then(() => true).catch(() => false);
 }
@@ -19401,15 +20447,32 @@ async function runCodexPlugin(args) {
     return false;
   }
 }
+async function marketplaceAddRefSupported(bin) {
+  try {
+    const { stdout, stderr } = await runHostBin(bin, ["plugin", "marketplace", "add", "--help"], {
+      timeout: CLAUDE_PLUGIN_TIMEOUT_MS
+    });
+    return marketplaceAddSupportsRef(`${stdout}
+${stderr}`);
+  } catch {
+    return false;
+  }
+}
 async function applyPluginHeal(token, surface, log, opts) {
   if (!opts?.force && surfaceToken(surface) !== token) return false;
   const descriptor = PLUGIN_SURFACE_HEAL[token];
-  const steps = descriptor.healSteps;
-  if (!steps) return false;
+  const tableSteps = descriptor.healSteps;
+  if (!tableSteps) return false;
+  const bin = descriptor.pluginRunner === "codex" ? "codex" : "claude";
   const runner = descriptor.pluginRunner === "codex" ? runCodexPlugin : runClaudePlugin;
+  const refSupported = await marketplaceAddRefSupported(bin);
+  const { steps, strippedRef } = adaptHealStepsForRefSupport(tableSteps, refSupported);
   log(
-    token === "codex" ? "  \u21BB reinstalling the MMI plugin via `codex plugin` (marketplace remove \u2192 add --ref main \u2192 add)\u2026" : "  \u21BB reinstalling the MMI plugin via `claude plugin` (marketplace remove \u2192 add \u2192 install)\u2026"
+    refSupported ? `  \u21BB reinstalling the MMI plugin via \`${bin} plugin\` (marketplace remove \u2192 add --ref main \u2192 ${token === "codex" ? "add" : "install"})\u2026` : `  \u21BB reinstalling the MMI plugin via \`${bin} plugin\` (marketplace remove \u2192 add \u2192 ${token === "codex" ? "add" : "install"})\u2026`
   );
+  if (strippedRef) {
+    log(`  \u26A0 \`${bin}\` has no \`--ref\` option \u2014 cloning the default branch; update \`${bin}\` to pin the released \`main\` branch (#2080)`);
+  }
   for (const step of steps) {
     if (healStepAborts(step, await runner([...step.args]))) return false;
   }
@@ -19417,11 +20480,11 @@ async function applyPluginHeal(token, surface, log, opts) {
 }
 var installedPluginsPath = (surface = detectSurface(process.env)) => {
   const homeDir = surface === "codex" ? ".codex" : ".claude";
-  return (0, import_node_path24.join)((0, import_node_os5.homedir)(), homeDir, "plugins", "installed_plugins.json");
+  return (0, import_node_path25.join)((0, import_node_os6.homedir)(), homeDir, "plugins", "installed_plugins.json");
 };
 function readInstalledPlugins(surface = detectSurface(process.env)) {
   try {
-    return JSON.parse((0, import_node_fs27.readFileSync)(installedPluginsPath(surface), "utf8"));
+    return JSON.parse((0, import_node_fs28.readFileSync)(installedPluginsPath(surface), "utf8"));
   } catch {
     return null;
   }
@@ -19432,15 +20495,15 @@ function snapshotPluginGuardInput(surface = detectSurface(process.env), isOrgRep
   return {
     isOrgRepo,
     installRecordPresent: hasUserInstallRecord(installed, MMI_PLUGIN_ID) || hasProjectInstallRecord(installed, MMI_PLUGIN_ID, process.cwd()),
-    marketplaceClonePresent: (0, import_node_fs27.existsSync)((0, import_node_path24.join)((0, import_node_os5.homedir)(), homeDir, "plugins", "marketplaces", "mutmutco")),
-    pluginCachePresent: (0, import_node_fs27.existsSync)((0, import_node_path24.join)((0, import_node_os5.homedir)(), homeDir, "plugins", "cache", "mutmutco", "mmi"))
+    marketplaceClonePresent: (0, import_node_fs28.existsSync)((0, import_node_path25.join)((0, import_node_os6.homedir)(), homeDir, "plugins", "marketplaces", "mutmutco")),
+    pluginCachePresent: (0, import_node_fs28.existsSync)((0, import_node_path25.join)((0, import_node_os6.homedir)(), homeDir, "plugins", "cache", "mutmutco", "mmi"))
   };
 }
 function installedPluginSources() {
   return ["claude", "codex"].map((surface) => {
-    const recordPath = (0, import_node_path24.join)((0, import_node_os5.homedir)(), `.${surface}`, "plugins", "installed_plugins.json");
+    const recordPath = (0, import_node_path25.join)((0, import_node_os6.homedir)(), `.${surface}`, "plugins", "installed_plugins.json");
     try {
-      return { surface, installed: JSON.parse((0, import_node_fs27.readFileSync)(recordPath, "utf8")), recordPath };
+      return { surface, installed: JSON.parse((0, import_node_fs28.readFileSync)(recordPath, "utf8")), recordPath };
     } catch {
       return { surface, installed: null, recordPath };
     }
@@ -19448,7 +20511,7 @@ function installedPluginSources() {
 }
 function readClaudeSettings() {
   try {
-    return JSON.parse((0, import_node_fs27.readFileSync)((0, import_node_path24.join)(process.cwd(), ".claude", "settings.json"), "utf8"));
+    return JSON.parse((0, import_node_fs28.readFileSync)((0, import_node_path25.join)(process.cwd(), ".claude", "settings.json"), "utf8"));
   } catch {
     return null;
   }
@@ -19470,7 +20533,7 @@ function writeProjectInstallRecord(record) {
     const list = file.plugins[MMI_PLUGIN_ID] ?? [];
     list.push(record);
     file.plugins[MMI_PLUGIN_ID] = list;
-    (0, import_node_fs27.writeFileSync)(installedPluginsPath(), `${JSON.stringify(file, null, 2)}
+    (0, import_node_fs28.writeFileSync)(installedPluginsPath(), `${JSON.stringify(file, null, 2)}
 `, "utf8");
     return true;
   } catch {
@@ -19483,9 +20546,9 @@ function backupAndWriteInstalledPlugins(records, pluginId) {
     if (!file) return false;
     if (!file.plugins) file.plugins = {};
     const path2 = installedPluginsPath();
-    (0, import_node_fs27.copyFileSync)(path2, `${path2}.bak`);
+    (0, import_node_fs28.copyFileSync)(path2, `${path2}.bak`);
     file.plugins[pluginId] = records;
-    (0, import_node_fs27.writeFileSync)(path2, `${JSON.stringify(file, null, 2)}
+    (0, import_node_fs28.writeFileSync)(path2, `${JSON.stringify(file, null, 2)}
 `, "utf8");
     return true;
   } catch {
@@ -19493,22 +20556,22 @@ function backupAndWriteInstalledPlugins(records, pluginId) {
   }
 }
 function opencodeConfigDir() {
-  return (0, import_node_path24.join)((0, import_node_os5.homedir)(), ".config", "opencode");
+  return (0, import_node_path25.join)((0, import_node_os6.homedir)(), ".config", "opencode");
 }
 function opencodeConfigPath() {
-  return (0, import_node_path24.join)(opencodeConfigDir(), "opencode.jsonc");
+  return (0, import_node_path25.join)(opencodeConfigDir(), "opencode.jsonc");
 }
 function opencodeCommandsDir() {
-  return (0, import_node_path24.join)(opencodeConfigDir(), "commands");
+  return (0, import_node_path25.join)(opencodeConfigDir(), "commands");
 }
 function opencodeSkillsPath() {
-  return (0, import_node_path24.join)(opencodeConfigDir(), "node_modules", "@mutmutco", "opencode-mmi", "skills");
+  return (0, import_node_path25.join)(opencodeConfigDir(), "node_modules", "@mutmutco", "opencode-mmi", "skills");
 }
 function opencodeConfigSnapshot() {
   const path2 = opencodeConfigPath();
-  if (!(0, import_node_fs27.existsSync)(path2)) return { path: path2, hasConfig: false, hasPluginField: false, parseOk: true };
+  if (!(0, import_node_fs28.existsSync)(path2)) return { path: path2, hasConfig: false, hasPluginField: false, parseOk: true };
   try {
-    const raw = (0, import_node_fs27.readFileSync)(path2, "utf8");
+    const raw = (0, import_node_fs28.readFileSync)(path2, "utf8");
     const parsed = JSON.parse(stripJsonc(raw));
     const hasPluginField = Object.prototype.hasOwnProperty.call(parsed, "plugin");
     const skillsPaths = Array.isArray(parsed.skills?.paths) ? parsed.skills.paths.filter((p) => typeof p === "string") : void 0;
@@ -19531,9 +20594,9 @@ function writeOpencodeConfigPlugin(snapshot) {
     const plan2 = planOpencodeConfigWrite(snapshot.hasConfig ? snapshot.raw : void 0);
     if (plan2.action === "already") return true;
     if (!plan2.text || plan2.action === "unsafe") return false;
-    (0, import_node_fs27.mkdirSync)((0, import_node_path24.dirname)(path2), { recursive: true });
-    if (snapshot.hasConfig) (0, import_node_fs27.copyFileSync)(path2, `${path2}.bak`);
-    (0, import_node_fs27.writeFileSync)(path2, plan2.text, "utf8");
+    (0, import_node_fs28.mkdirSync)((0, import_node_path25.dirname)(path2), { recursive: true });
+    if (snapshot.hasConfig) (0, import_node_fs28.copyFileSync)(path2, `${path2}.bak`);
+    (0, import_node_fs28.writeFileSync)(path2, plan2.text, "utf8");
     return true;
   } catch {
     return false;
@@ -19548,9 +20611,9 @@ function writeOpencodeSkillsPath(snapshot, skillsPath) {
     const normalized = skillsPath.replace(/\\/g, "/");
     if (!paths.some((p) => p.replace(/\\/g, "/") === normalized)) paths.push(skillsPath.replace(/\\/g, "/"));
     parsed.skills = { ...skills, paths };
-    (0, import_node_fs27.mkdirSync)((0, import_node_path24.dirname)(snapshot.path), { recursive: true });
-    if (snapshot.hasConfig && (0, import_node_fs27.existsSync)(snapshot.path)) (0, import_node_fs27.copyFileSync)(snapshot.path, `${snapshot.path}.bak`);
-    (0, import_node_fs27.writeFileSync)(snapshot.path, `${JSON.stringify(parsed, null, 2)}
+    (0, import_node_fs28.mkdirSync)((0, import_node_path25.dirname)(snapshot.path), { recursive: true });
+    if (snapshot.hasConfig && (0, import_node_fs28.existsSync)(snapshot.path)) (0, import_node_fs28.copyFileSync)(snapshot.path, `${snapshot.path}.bak`);
+    (0, import_node_fs28.writeFileSync)(snapshot.path, `${JSON.stringify(parsed, null, 2)}
 `, "utf8");
     return true;
   } catch {
@@ -19559,7 +20622,7 @@ function writeOpencodeSkillsPath(snapshot, skillsPath) {
 }
 function opencodeExistingCommands() {
   try {
-    return (0, import_node_fs27.readdirSync)(opencodeCommandsDir(), { withFileTypes: true }).filter((entry) => entry.isFile() && entry.name.endsWith(".md")).map((entry) => entry.name.slice(0, -3).toLowerCase());
+    return (0, import_node_fs28.readdirSync)(opencodeCommandsDir(), { withFileTypes: true }).filter((entry) => entry.isFile() && entry.name.endsWith(".md")).map((entry) => entry.name.slice(0, -3).toLowerCase());
   } catch {
     return [];
   }
@@ -19567,9 +20630,9 @@ function opencodeExistingCommands() {
 function writeOpencodeCommandFiles() {
   try {
     const dir = opencodeCommandsDir();
-    (0, import_node_fs27.mkdirSync)(dir, { recursive: true });
+    (0, import_node_fs28.mkdirSync)(dir, { recursive: true });
     for (const command of OPENCODE_WORKFLOW_COMMANDS) {
-      (0, import_node_fs27.writeFileSync)((0, import_node_path24.join)(dir, `${command}.md`), opencodeCommandMarkdown(command), "utf8");
+      (0, import_node_fs28.writeFileSync)((0, import_node_path25.join)(dir, `${command}.md`), opencodeCommandMarkdown(command), "utf8");
     }
     return true;
   } catch {
@@ -19578,12 +20641,12 @@ function writeOpencodeCommandFiles() {
 }
 function readOpencodeAdapterDiskVersion() {
   const candidates = [
-    (0, import_node_path24.join)(opencodeConfigDir(), "node_modules", "@mutmutco", "opencode-mmi", "package.json"),
-    (0, import_node_path24.join)((0, import_node_os5.homedir)(), ".cache", "opencode", "node_modules", "@mutmutco", "opencode-mmi", "package.json")
+    (0, import_node_path25.join)(opencodeConfigDir(), "node_modules", "@mutmutco", "opencode-mmi", "package.json"),
+    (0, import_node_path25.join)((0, import_node_os6.homedir)(), ".cache", "opencode", "node_modules", "@mutmutco", "opencode-mmi", "package.json")
   ];
   for (const path2 of candidates) {
     try {
-      const parsed = JSON.parse((0, import_node_fs27.readFileSync)(path2, "utf8"));
+      const parsed = JSON.parse((0, import_node_fs28.readFileSync)(path2, "utf8"));
       if (typeof parsed.version === "string" && parsed.version.trim()) return parsed.version.trim();
     } catch {
       continue;
@@ -19599,7 +20662,7 @@ async function forceInstallOpencodeMmiPlugins(snapshot, log) {
   try {
     const specs = opencodeMmiPluginSpecs(snapshot);
     log(`  \u21BB force-refreshing OpenCode MMI npm plugin(s): ${specs.join(", ")}\u2026`);
-    (0, import_node_fs27.mkdirSync)(opencodeConfigDir(), { recursive: true });
+    (0, import_node_fs28.mkdirSync)(opencodeConfigDir(), { recursive: true });
     await runHostBin("npm", ["install", "--prefix", opencodeConfigDir(), "--force", ...specs], { timeout: NPM_UPDATE_TIMEOUT_MS });
     return true;
   } catch {
@@ -19614,30 +20677,30 @@ function opencodePluginVersionsForReport() {
 }
 function opencodeDesktopLogsRoot() {
   if (process.platform === "win32") {
-    const base = process.env.APPDATA || (0, import_node_path24.join)((0, import_node_os5.homedir)(), "AppData", "Roaming");
-    return (0, import_node_path24.join)(base, "ai.opencode.desktop", "logs");
+    const base = process.env.APPDATA || (0, import_node_path25.join)((0, import_node_os6.homedir)(), "AppData", "Roaming");
+    return (0, import_node_path25.join)(base, "ai.opencode.desktop", "logs");
   }
   if (process.platform === "darwin") {
-    return (0, import_node_path24.join)((0, import_node_os5.homedir)(), "Library", "Application Support", "ai.opencode.desktop", "logs");
+    return (0, import_node_path25.join)((0, import_node_os6.homedir)(), "Library", "Application Support", "ai.opencode.desktop", "logs");
   }
-  return (0, import_node_path24.join)((0, import_node_os5.homedir)(), ".config", "ai.opencode.desktop", "logs");
+  return (0, import_node_path25.join)((0, import_node_os6.homedir)(), ".config", "ai.opencode.desktop", "logs");
 }
 function opencodeDesktopBootstrapSnapshot() {
   const root = opencodeDesktopLogsRoot();
   try {
-    const sessionDirs = (0, import_node_fs27.readdirSync)(root, { withFileTypes: true }).filter((entry) => entry.isDirectory()).map((entry) => (0, import_node_path24.join)(root, entry.name)).sort((a, b) => (0, import_node_fs27.statSync)(b).mtimeMs - (0, import_node_fs27.statSync)(a).mtimeMs);
+    const sessionDirs = (0, import_node_fs28.readdirSync)(root, { withFileTypes: true }).filter((entry) => entry.isDirectory()).map((entry) => (0, import_node_path25.join)(root, entry.name)).sort((a, b) => (0, import_node_fs28.statSync)(b).mtimeMs - (0, import_node_fs28.statSync)(a).mtimeMs);
     const newest = sessionDirs[0];
     if (!newest) return [];
-    const logPath = (0, import_node_path24.join)(newest, "renderer.log");
-    const text = (0, import_node_fs27.readFileSync)(logPath, "utf8");
-    return opencodeAgentDirectoriesFromLog(text).filter((directory) => !(0, import_node_fs27.existsSync)(directory)).map((directory) => ({ directory, logPath }));
+    const logPath = (0, import_node_path25.join)(newest, "renderer.log");
+    const text = (0, import_node_fs28.readFileSync)(logPath, "utf8");
+    return opencodeAgentDirectoriesFromLog(text).filter((directory) => !(0, import_node_fs28.existsSync)(directory)).map((directory) => ({ directory, logPath }));
   } catch {
     return [];
   }
 }
 function opencodeLegacyConfigSnapshot() {
-  const legacyPath = (0, import_node_path24.join)((0, import_node_os5.homedir)(), ".opencode", "opencode.json");
-  if (!(0, import_node_fs27.existsSync)(legacyPath)) return {};
+  const legacyPath = (0, import_node_path25.join)((0, import_node_os6.homedir)(), ".opencode", "opencode.json");
+  if (!(0, import_node_fs28.existsSync)(legacyPath)) return {};
   const content = readTextFile(legacyPath);
   if (content == null) return {};
   const plugins = parseOpencodeLegacyConfigPlugins(content);
@@ -19649,43 +20712,46 @@ function opencodeLegacyConfigSnapshot() {
 function quarantineOpencodeLegacyConfig(legacyPath) {
   try {
     const backupPath = `${legacyPath}.bak`;
-    if ((0, import_node_fs27.existsSync)(backupPath)) return false;
-    (0, import_node_fs27.renameSync)(legacyPath, backupPath);
+    if ((0, import_node_fs28.existsSync)(backupPath)) return false;
+    (0, import_node_fs28.renameSync)(legacyPath, backupPath);
     return true;
   } catch {
     return false;
   }
 }
 function cursorPluginCacheRoot() {
-  return (0, import_node_path24.join)((0, import_node_os5.homedir)(), ".cursor", "plugins", "cache", "mutmutco", "mmi");
+  return (0, import_node_path25.join)((0, import_node_os6.homedir)(), ".cursor", "plugins", "cache", "mutmutco", "mmi");
 }
 function cursorPluginCachePinSnapshots() {
   const root = cursorPluginCacheRoot();
   try {
-    return (0, import_node_fs27.readdirSync)(root, { withFileTypes: true }).filter((entry) => entry.isDirectory() && !entry.name.startsWith(".")).map((entry) => {
-      const path2 = (0, import_node_path24.join)(root, entry.name);
-      const pluginJson = (0, import_node_path24.join)(path2, ".cursor-plugin", "plugin.json");
-      const hooksJson = (0, import_node_path24.join)(path2, "hooks", "hooks.json");
-      const cliBundle = (0, import_node_path24.join)(path2, "cli", "dist", "index.cjs");
+    return (0, import_node_fs28.readdirSync)(root, { withFileTypes: true }).filter((entry) => entry.isDirectory() && !entry.name.startsWith(".")).map((entry) => {
+      const path2 = (0, import_node_path25.join)(root, entry.name);
+      const pluginJson = (0, import_node_path25.join)(path2, ".cursor-plugin", "plugin.json");
+      const hooksJson = (0, import_node_path25.join)(path2, "hooks", "hooks.json");
+      const cliBundle = (0, import_node_path25.join)(path2, "cli", "dist", "index.cjs");
+      const throttleGateCursor = (0, import_node_path25.join)(path2, "scripts", "throttle-gate-cursor.mjs");
+      const throttleCore = (0, import_node_path25.join)(path2, "scripts", "throttle-core.mjs");
       let version;
       try {
-        const raw = JSON.parse((0, import_node_fs27.readFileSync)(pluginJson, "utf8"));
+        const raw = JSON.parse((0, import_node_fs28.readFileSync)(pluginJson, "utf8"));
         version = typeof raw.version === "string" ? raw.version : void 0;
       } catch {
         version = void 0;
       }
       let isEmpty = true;
       try {
-        isEmpty = (0, import_node_fs27.readdirSync)(path2).length === 0;
+        isEmpty = (0, import_node_fs28.readdirSync)(path2).length === 0;
       } catch {
         isEmpty = true;
       }
       return {
         name: entry.name,
         path: path2,
-        hasPluginJson: (0, import_node_fs27.existsSync)(pluginJson),
-        hasHooksJson: (0, import_node_fs27.existsSync)(hooksJson),
-        hasCliBundle: (0, import_node_fs27.existsSync)(cliBundle),
+        hasPluginJson: (0, import_node_fs28.existsSync)(pluginJson),
+        hasHooksJson: (0, import_node_fs28.existsSync)(hooksJson),
+        hasCliBundle: (0, import_node_fs28.existsSync)(cliBundle),
+        hasShellDialectGuard: (0, import_node_fs28.existsSync)(throttleGateCursor) && (0, import_node_fs28.existsSync)(throttleCore),
         isEmpty,
         version
       };
@@ -19695,19 +20761,19 @@ function cursorPluginCachePinSnapshots() {
   }
 }
 function hubCheckoutForCursorSeed() {
-  const manifest = (0, import_node_path24.join)(process.cwd(), "plugins", "mmi", ".cursor-plugin", "plugin.json");
-  return (0, import_node_fs27.existsSync)(manifest) ? process.cwd() : void 0;
+  const manifest = (0, import_node_path25.join)(process.cwd(), "plugins", "mmi", ".cursor-plugin", "plugin.json");
+  return (0, import_node_fs28.existsSync)(manifest) ? process.cwd() : void 0;
 }
 function mmiPluginCacheRootSnapshots() {
   const roots = [
-    { surface: "claude", root: (0, import_node_path24.join)((0, import_node_os5.homedir)(), ".claude", "plugins", "cache", "mutmutco", "mmi") },
-    { surface: "codex", root: (0, import_node_path24.join)((0, import_node_os5.homedir)(), ".codex", "plugins", "cache", "mutmutco", "mmi") }
+    { surface: "claude", root: (0, import_node_path25.join)((0, import_node_os6.homedir)(), ".claude", "plugins", "cache", "mutmutco", "mmi") },
+    { surface: "codex", root: (0, import_node_path25.join)((0, import_node_os6.homedir)(), ".codex", "plugins", "cache", "mutmutco", "mmi") }
   ];
   return roots.flatMap(({ surface, root }) => {
     try {
-      const entries = (0, import_node_fs27.readdirSync)(root, { withFileTypes: true }).map((entry) => ({
+      const entries = (0, import_node_fs28.readdirSync)(root, { withFileTypes: true }).map((entry) => ({
         name: entry.name,
-        path: (0, import_node_path24.join)(root, entry.name),
+        path: (0, import_node_path25.join)(root, entry.name),
         isDirectory: entry.isDirectory()
       }));
       return [{ surface, root, entries }];
@@ -19718,7 +20784,7 @@ function mmiPluginCacheRootSnapshots() {
 }
 function hasNestedMmiChild(versionDir) {
   try {
-    return (0, import_node_fs27.statSync)((0, import_node_path24.join)(versionDir, "mmi")).isDirectory();
+    return (0, import_node_fs28.statSync)((0, import_node_path25.join)(versionDir, "mmi")).isDirectory();
   } catch {
     return false;
   }
@@ -19729,10 +20795,10 @@ function nestedPluginTreeSnapshot() {
   );
 }
 function uniqueQuarantineTarget(path2) {
-  if (!(0, import_node_fs27.existsSync)(path2)) return path2;
+  if (!(0, import_node_fs28.existsSync)(path2)) return path2;
   for (let i = 1; i < 100; i += 1) {
     const candidate = `${path2}-${i}`;
-    if (!(0, import_node_fs27.existsSync)(candidate)) return candidate;
+    if (!(0, import_node_fs28.existsSync)(candidate)) return candidate;
   }
   return `${path2}-${Date.now()}`;
 }
@@ -19741,10 +20807,10 @@ function quarantinePluginCacheDirs(plan2) {
   const failed = [];
   for (const move of plan2) {
     try {
-      if (!(0, import_node_fs27.existsSync)(move.from)) continue;
+      if (!(0, import_node_fs28.existsSync)(move.from)) continue;
       const target = uniqueQuarantineTarget(move.to);
-      (0, import_node_fs27.mkdirSync)((0, import_node_path24.dirname)(target), { recursive: true });
-      (0, import_node_fs27.renameSync)(move.from, target);
+      (0, import_node_fs28.mkdirSync)((0, import_node_path25.dirname)(target), { recursive: true });
+      (0, import_node_fs28.renameSync)(move.from, target);
       moved += 1;
     } catch {
       failed.push(move);
@@ -19763,23 +20829,23 @@ async function robocopyMirrorEmpty(emptyDir, target) {
 }
 async function clearNestedPluginTreeDir(targetPath) {
   try {
-    if (!(0, import_node_fs27.existsSync)(targetPath)) return true;
+    if (!(0, import_node_fs28.existsSync)(targetPath)) return true;
     if (isWin) {
-      const emptyDir = (0, import_node_path24.join)((0, import_node_os5.tmpdir)(), `mmi-empty-${Date.now()}`);
-      (0, import_node_fs27.mkdirSync)(emptyDir, { recursive: true });
+      const emptyDir = (0, import_node_path25.join)((0, import_node_os6.tmpdir)(), `mmi-empty-${Date.now()}`);
+      (0, import_node_fs28.mkdirSync)(emptyDir, { recursive: true });
       try {
         await robocopyMirrorEmpty(emptyDir, targetPath);
-        (0, import_node_fs27.rmSync)(targetPath, { recursive: true, force: true });
+        (0, import_node_fs28.rmSync)(targetPath, { recursive: true, force: true });
       } finally {
         try {
-          (0, import_node_fs27.rmSync)(emptyDir, { recursive: true, force: true });
+          (0, import_node_fs28.rmSync)(emptyDir, { recursive: true, force: true });
         } catch {
         }
       }
-      return !(0, import_node_fs27.existsSync)(targetPath);
+      return !(0, import_node_fs28.existsSync)(targetPath);
     }
-    (0, import_node_fs27.rmSync)(targetPath, { recursive: true, force: true });
-    return !(0, import_node_fs27.existsSync)(targetPath);
+    (0, import_node_fs28.rmSync)(targetPath, { recursive: true, force: true });
+    return !(0, import_node_fs28.existsSync)(targetPath);
   } catch {
     return false;
   }
@@ -19792,23 +20858,23 @@ async function applyNestedPluginTreeCleanup(paths, log) {
   }
   return true;
 }
-var gitignorePath = () => (0, import_node_path24.join)(process.cwd(), ".gitignore");
+var gitignorePath = () => (0, import_node_path25.join)(process.cwd(), ".gitignore");
 function readTextFile(path2) {
   try {
-    if (!(0, import_node_fs27.existsSync)(path2)) return null;
-    return (0, import_node_fs27.readFileSync)(path2, "utf8");
+    if (!(0, import_node_fs28.existsSync)(path2)) return null;
+    return (0, import_node_fs28.readFileSync)(path2, "utf8");
   } catch {
     return null;
   }
 }
 function playwrightMcpConfigSnapshots() {
   const cwd = process.cwd();
-  const home = (0, import_node_os5.homedir)();
+  const home = (0, import_node_os6.homedir)();
   const candidates = [
-    (0, import_node_path24.join)(cwd, ".mcp.json"),
-    (0, import_node_path24.join)(cwd, ".cursor", "mcp.json"),
-    (0, import_node_path24.join)(home, ".cursor", "mcp.json"),
-    (0, import_node_path24.join)(home, ".codex", "config.toml")
+    (0, import_node_path25.join)(cwd, ".mcp.json"),
+    (0, import_node_path25.join)(cwd, ".cursor", "mcp.json"),
+    (0, import_node_path25.join)(home, ".cursor", "mcp.json"),
+    (0, import_node_path25.join)(home, ".codex", "config.toml")
   ];
   const out = [];
   for (const path2 of candidates) {
@@ -19821,7 +20887,7 @@ function strayBrowserArtifactPaths() {
   const cwd = process.cwd();
   return STRAY_BROWSER_ARTIFACT_DIRS.filter((rel) => {
     try {
-      return (0, import_node_fs27.existsSync)((0, import_node_path24.join)(cwd, rel));
+      return (0, import_node_fs28.existsSync)((0, import_node_path25.join)(cwd, rel));
     } catch {
       return false;
     }
@@ -19840,8 +20906,8 @@ function latestIso(values) {
   return best;
 }
 function latestNorthstarContinuityAt() {
-  const meta = parseMeta(readTextFile((0, import_node_path24.join)(process.cwd(), META_FILE)));
-  const queue = parseQueue(readTextFile((0, import_node_path24.join)(process.cwd(), QUEUE_FILE)));
+  const meta = parseMeta(readTextFile((0, import_node_path25.join)(process.cwd(), META_FILE)));
+  const queue = parseQueue(readTextFile((0, import_node_path25.join)(process.cwd(), QUEUE_FILE)));
   return latestIso([
     ...Object.values(meta).map((entry) => entry.syncedAt),
     ...queue.map((entry) => entry.queuedAt)
@@ -19855,14 +20921,14 @@ async function latestBranchWorkAt() {
 }
 function readGitignore() {
   try {
-    return (0, import_node_fs27.readFileSync)(gitignorePath(), "utf8");
+    return (0, import_node_fs28.readFileSync)(gitignorePath(), "utf8");
   } catch {
     return null;
   }
 }
 function writeGitignore(content) {
   try {
-    (0, import_node_fs27.writeFileSync)(gitignorePath(), content, "utf8");
+    (0, import_node_fs28.writeFileSync)(gitignorePath(), content, "utf8");
     return true;
   } catch {
     return false;
@@ -19901,7 +20967,7 @@ async function runDoctor(opts, io = consoleIo) {
   const semverPrefix = /^\d+\.\d+\.\d+/;
   const isBehind = (installed2, released) => Boolean(installed2 && released && semverPrefix.test(installed2) && semverPrefix.test(released) && compareVersions(installed2, released) < 0);
   const opencodeAdapterStale = isBehind(opencodeInstalledVersionForDoctor(), releasedVersion);
-  const cursorCacheStale = (0, import_node_fs27.existsSync)(cursorPluginCacheRoot()) && (cursorPluginCachePinSnapshots() ?? []).some((p) => isBehind(p.version, releasedVersion));
+  const cursorCacheStale = (0, import_node_fs28.existsSync)(cursorPluginCacheRoot()) && (cursorPluginCachePinSnapshots() ?? []).some((p) => isBehind(p.version, releasedVersion));
   const healPlan = doctorHealPlan({
     isOrgRepo: Boolean(cfg.sagaApiUrl),
     surface,
@@ -19936,7 +21002,7 @@ async function runDoctor(opts, io = consoleIo) {
   let onPath = pathProbe;
   if (!onPath) {
     const root = process.env.CLAUDE_PLUGIN_ROOT;
-    if (root && (0, import_node_fs27.existsSync)(`${root}/bin/mmi-cli${isWin ? ".cmd" : ""}`)) onPath = true;
+    if (root && (0, import_node_fs28.existsSync)(`${root}/bin/mmi-cli${isWin ? ".cmd" : ""}`)) onPath = true;
   }
   checks.push({ ok: onPath, label: "mmi-cli on PATH", fix: "auto-provisioned at session start \u2014 reopen the session, or install the MMI plugin" });
   const reloadHint = reloadAction(surface);
@@ -19950,7 +21016,7 @@ async function runDoctor(opts, io = consoleIo) {
     releasedVersion
   });
   let selfUpdatedCli = false;
-  if (repairFull) {
+  if (repairFull && !process.env[DOCTOR_POST_SELF_UPDATE_ENV]) {
     const updated = await applyVersionAutoUpdate(versionReport, (m) => io.err(m));
     versionReport = updated.report;
     selfUpdatedCli = updated.applied === "npm";
@@ -19958,6 +21024,12 @@ async function runDoctor(opts, io = consoleIo) {
   if (!versionReport.ok) versionReport = { ...versionReport, fix: pluginRecoveryFix(surface) };
   checks.push(versionReport);
   if (selfUpdatedCli) {
+    if (!opts.json) io.err(selfUpdateReexecLine(versionReport));
+    const code = await reexecMmiCli(buildSelfUpdateReexecArgs(opts));
+    if (code >= 0) {
+      if (code > 0) process.exitCode = code;
+      return;
+    }
     if (opts.json) io.log(JSON.stringify(buildSelfUpdateHaltPayload({ checks, updatedTo: versionReport.releasedVersion }), null, 2));
     else io.err(selfUpdateHaltLine(versionReport));
     return;
@@ -20209,6 +21281,11 @@ async function runDoctor(opts, io = consoleIo) {
     }
     checks.push(legacyOpenCodeCheck);
   }
+  const codexRecordVersion = () => {
+    const versions = installedPluginVersions(installedPluginSources().find((src) => src.surface === "codex")?.installed ?? null).filter((v) => /^v?\d+\.\d+\.\d+/.test(v));
+    return versions.sort((a, b) => compareVersions(b, a))[0];
+  };
+  const codexCacheVersions = () => mmiPluginCacheRootSnapshots().filter((r) => r.surface === "codex").flatMap((r) => r.entries.filter((e) => e.isDirectory).map((e) => e.name));
   let cacheCleanupCheck = buildMmiPluginCacheCleanupCheck({
     isOrgRepo: Boolean(cfg.sagaApiUrl),
     roots: mmiPluginCacheRootSnapshots(),
@@ -20240,6 +21317,26 @@ async function runDoctor(opts, io = consoleIo) {
     };
   }
   checks.push(cacheCleanupCheck);
+  let codexActiveCacheCheck = buildCodexActiveCacheCheck({
+    isOrgRepo: Boolean(cfg.sagaApiUrl),
+    releasedVersion,
+    codexCacheVersions: codexCacheVersions(),
+    codexRecordVersion: codexRecordVersion()
+  });
+  if (!codexActiveCacheCheck.ok && repairFull) {
+    const canDriveCodex = surfaceToken(surface) === "codex" || await hostBinAvailable("codex");
+    if (canDriveCodex && await applyPluginHeal("codex", surface, (m) => io.err(m), { force: true })) {
+      markPluginReloadRequired();
+      io.err(`  \u21BB restored Codex MMI plugin cache \u2192 ${releasedVersion ?? "latest"} via codex plugin \u2014 ${reloadAction("codex")} to load the new commands`);
+      codexActiveCacheCheck = buildCodexActiveCacheCheck({
+        isOrgRepo: Boolean(cfg.sagaApiUrl),
+        releasedVersion,
+        codexCacheVersions: codexCacheVersions(),
+        codexRecordVersion: codexRecordVersion()
+      });
+    }
+  }
+  checks.push(codexActiveCacheCheck);
   let nestedPluginTreeCheck = buildNestedPluginTreeCheck({
     isOrgRepo: Boolean(cfg.sagaApiUrl),
     isWindows: isWin,
@@ -20274,7 +21371,7 @@ async function runDoctor(opts, io = consoleIo) {
     isOrgRepo: Boolean(cfg.sagaApiUrl),
     surface,
     cacheRoot: cursorCacheRoot,
-    cacheRootExists: (0, import_node_fs27.existsSync)(cursorCacheRoot),
+    cacheRootExists: (0, import_node_fs28.existsSync)(cursorCacheRoot),
     pins: cursorPins,
     hubCheckout: hubCheckoutForCursorSeed(),
     releasedVersion
@@ -20285,7 +21382,7 @@ async function runDoctor(opts, io = consoleIo) {
       releasedVersion,
       hubCheckout: hubCheckoutForCursorSeed(),
       execFileP: execFileP2,
-      mkdtemp: (prefix) => (0, import_promises7.mkdtemp)((0, import_node_path24.join)((0, import_node_os5.tmpdir)(), prefix)),
+      mkdtemp: (prefix) => (0, import_promises7.mkdtemp)((0, import_node_path25.join)((0, import_node_os6.tmpdir)(), prefix)),
       log: (m) => io.err(m)
     });
     if (seeded) {
@@ -20294,7 +21391,7 @@ async function runDoctor(opts, io = consoleIo) {
         isOrgRepo: Boolean(cfg.sagaApiUrl),
         surface,
         cacheRoot: cursorCacheRoot,
-        cacheRootExists: (0, import_node_fs27.existsSync)(cursorCacheRoot),
+        cacheRootExists: (0, import_node_fs28.existsSync)(cursorCacheRoot),
         pins: cursorPins,
         hubCheckout: hubCheckoutForCursorSeed(),
         releasedVersion
@@ -20483,23 +21580,23 @@ function mergeGuardHook(settings) {
   next.hooks = hooks;
   return next;
 }
-var userScopeSettingsPath = (surface = detectSurface(process.env)) => (0, import_node_path24.join)((0, import_node_os5.homedir)(), surface === "codex" ? ".codex" : ".claude", "settings.json");
+var userScopeSettingsPath = (surface = detectSurface(process.env)) => (0, import_node_path25.join)((0, import_node_os6.homedir)(), surface === "codex" ? ".codex" : ".claude", "settings.json");
 function ensureUserScopeGuardHook(opts = {}) {
   const path2 = opts.settingsPath ?? userScopeSettingsPath();
   try {
     let current = null;
-    if ((0, import_node_fs27.existsSync)(path2)) {
+    if ((0, import_node_fs28.existsSync)(path2)) {
       try {
-        current = JSON.parse((0, import_node_fs27.readFileSync)(path2, "utf8"));
+        current = JSON.parse((0, import_node_fs28.readFileSync)(path2, "utf8"));
       } catch {
         return "failed";
       }
     }
     if (settingsHasGuardHook(current)) return "already";
     const merged = mergeGuardHook(current);
-    (0, import_node_fs27.mkdirSync)((0, import_node_path24.dirname)(path2), { recursive: true });
-    if ((0, import_node_fs27.existsSync)(path2)) (0, import_node_fs27.copyFileSync)(path2, `${path2}.bak`);
-    (0, import_node_fs27.writeFileSync)(path2, `${JSON.stringify(merged, null, 2)}
+    (0, import_node_fs28.mkdirSync)((0, import_node_path25.dirname)(path2), { recursive: true });
+    if ((0, import_node_fs28.existsSync)(path2)) (0, import_node_fs28.copyFileSync)(path2, `${path2}.bak`);
+    (0, import_node_fs28.writeFileSync)(path2, `${JSON.stringify(merged, null, 2)}
 `, "utf8");
     return "written";
   } catch {
@@ -20533,8 +21630,13 @@ async function runPluginHeal(surface = detectSurface(process.env)) {
   if (healed) {
     console.log(`  \u2713 MMI plugin reinstalled \u2014 ${reloadAction(surface)} to load MMI commands`);
   } else {
+    const bin = descriptor.pluginRunner === "codex" ? "codex" : "claude";
+    const refSupported = await marketplaceAddRefSupported(bin);
+    const recovery = refSupported ? descriptor.recovery : recoveryWithoutRef(descriptor.recovery);
+    const note = refSupported ? "" : `
+  Note: \`${bin}\` has no \`--ref\` option here; update \`${bin}\` to pin the released \`main\` branch.`;
     console.log(`  \u2717 Auto-heal failed or was skipped. Run manually:
-  ${descriptor.recovery}`);
+  ${recovery}${note}`);
   }
 }
 
@@ -20629,7 +21731,7 @@ async function applyGcPlan(plan2, remote) {
     cleanupBranch: (branch, expectedHeadOid) => cleanupPrMergeLocalBranch(branch.branch, {
       beforeWorktrees,
       startingPath: branch.worktreePath,
-      pathExists: (p) => (0, import_node_fs28.existsSync)(p),
+      pathExists: (p) => (0, import_node_fs29.existsSync)(p),
       execGit: async (args) => (await execFileP2("git", args, { timeout: GIT_TIMEOUT_MS })).stdout,
       teardownWorktreeStage,
       deferredStore,
@@ -20652,7 +21754,7 @@ async function applyGcPlan(plan2, remote) {
   for (const wt of plan2.worktreeDirs) {
     try {
       const cleanupTarget = resolveSafeSiblingWorktreeCleanupTarget(wt.path, siblingRoot, {
-        realpath: (path2) => (0, import_node_fs28.realpathSync)(path2)
+        realpath: (path2) => (0, import_node_fs29.realpathSync)(path2)
       });
       if (!cleanupTarget.ok) {
         result.failed.push(`${wt.path}: ${cleanupTarget.reason}`);
@@ -20732,10 +21834,10 @@ async function runRulesSync(opts, io = consoleIo) {
   for (const entry of fetched) {
     if ("error" in entry) continue;
     const { file, source } = entry;
-    const current = (0, import_node_fs28.existsSync)(file) ? await (0, import_promises8.readFile)(file, "utf8") : null;
+    const current = (0, import_node_fs29.existsSync)(file) ? await (0, import_promises8.readFile)(file, "utf8") : null;
     if (needsUpdate(source, current)) {
       const slash = file.lastIndexOf("/");
-      if (slash > 0) (0, import_node_fs28.mkdirSync)(file.slice(0, slash), { recursive: true });
+      if (slash > 0) (0, import_node_fs29.mkdirSync)(file.slice(0, slash), { recursive: true });
       await (0, import_promises8.writeFile)(file, normalizeEol(source), "utf8");
       changed++;
       if (!opts.quiet) io.log(`mmi-cli rules: updated ${file}`);
@@ -20749,13 +21851,13 @@ rules.command("sync").option("--quiet", "stay silent unless something changed or
   if (!await runRulesSync(opts)) process.exitCode = 1;
 });
 rules.command("gitignore").option("--write", "upsert the managed block into .gitignore (default: check only, non-zero exit on drift)").description("verify (or --write) this repo's org-managed .gitignore block matches the SSOT").action((opts) => {
-  const path2 = (0, import_node_path25.join)(process.cwd(), ".gitignore");
-  const current = (0, import_node_fs28.existsSync)(path2) ? (0, import_node_fs28.readFileSync)(path2, "utf8") : null;
+  const path2 = (0, import_node_path26.join)(process.cwd(), ".gitignore");
+  const current = (0, import_node_fs29.existsSync)(path2) ? (0, import_node_fs29.readFileSync)(path2, "utf8") : null;
   const plan2 = planManagedGitignore(current);
   const drift = [...plan2.added.map((l) => `+${l}`), ...plan2.removed.map((l) => `-${l}`)].join(", ") || "block normalize";
   if (opts.write) {
     if (plan2.changed) {
-      (0, import_node_fs28.writeFileSync)(path2, plan2.content, "utf8");
+      (0, import_node_fs29.writeFileSync)(path2, plan2.content, "utf8");
       console.log(`mmi-cli rules gitignore: updated .gitignore (${drift})`);
     } else {
       console.log("mmi-cli rules gitignore: up to date");
@@ -20782,7 +21884,7 @@ async function runDocsSync(opts, io = consoleIo) {
         return null;
       }
     },
-    localContent: async (f) => (0, import_node_fs28.existsSync)(f) ? await (0, import_promises8.readFile)(f, "utf8") : null,
+    localContent: async (f) => (0, import_node_fs29.existsSync)(f) ? await (0, import_promises8.readFile)(f, "utf8") : null,
     writeDoc: async (f, c) => {
       await (0, import_promises8.writeFile)(f, c, "utf8");
     }
@@ -20796,6 +21898,7 @@ docs.command("sync").option("--quiet", "stay silent unless something changed or
 registerSagaCommands(program2);
 registerHandoffCommands(program2);
 registerCoopCommands(program2);
+registerOverlordCommands(program2);
 registerThrottleCommands(program2);
 program2.command("commands").description("print the command manifest \u2014 every subcommand + its flags (ground against this instead of guessing)").option("--json", "machine-readable JSON: { name, version, tree, index } \u2014 index is a flat list of every leaf command path").action((o) => {
   const manifest = buildCommandManifest(program2);
@@ -20934,7 +22037,7 @@ function runWorktreeInstall(command, cwd, quiet) {
   const file = isWin2 ? "cmd.exe" : bin;
   const spawnArgs = isWin2 ? ["/c", bin, ...args] : args;
   return new Promise((resolve6, reject) => {
-    const child = (0, import_node_child_process13.spawn)(file, spawnArgs, { cwd, stdio: quiet ? "ignore" : "inherit", windowsHide: true });
+    const child = (0, import_node_child_process15.spawn)(file, spawnArgs, { cwd, stdio: quiet ? "ignore" : "inherit", windowsHide: true });
     const timer = setTimeout(() => {
       try {
         child.kill();
@@ -20956,7 +22059,7 @@ function runWorktreeInstall(command, cwd, quiet) {
 async function primaryCheckoutRoot(worktreeRoot) {
   try {
     const out = (await execFileP2("git", ["-C", worktreeRoot, "rev-parse", "--path-format=absolute", "--git-common-dir"], { timeout: GIT_TIMEOUT_MS })).stdout.trim();
-    return out ? (0, import_node_path25.dirname)(out) : void 0;
+    return out ? (0, import_node_path26.dirname)(out) : void 0;
   } catch {
     return void 0;
   }
@@ -20969,28 +22072,28 @@ function makeProvisionDeps(worktreeRoot, quiet, log) {
   };
 }
 function acquireWorktreeSetupLock(worktreeRoot) {
-  const lockPath = (0, import_node_path25.join)(worktreeRoot, ".mmi", "worktree-setup.lock");
+  const lockPath = (0, import_node_path26.join)(worktreeRoot, ".mmi", "worktree-setup.lock");
   const take = () => {
-    const fd = (0, import_node_fs28.openSync)(lockPath, "wx");
+    const fd = (0, import_node_fs29.openSync)(lockPath, "wx");
     try {
-      (0, import_node_fs28.writeSync)(fd, String(Date.now()));
+      (0, import_node_fs29.writeSync)(fd, String(Date.now()));
     } finally {
-      (0, import_node_fs28.closeSync)(fd);
+      (0, import_node_fs29.closeSync)(fd);
     }
     return () => {
       try {
-        (0, import_node_fs28.rmSync)(lockPath, { force: true });
+        (0, import_node_fs29.rmSync)(lockPath, { force: true });
       } catch {
       }
     };
   };
   try {
-    (0, import_node_fs28.mkdirSync)((0, import_node_path25.dirname)(lockPath), { recursive: true });
+    (0, import_node_fs29.mkdirSync)((0, import_node_path26.dirname)(lockPath), { recursive: true });
     return take();
   } catch {
     try {
-      if (Date.now() - (0, import_node_fs28.statSync)(lockPath).mtimeMs > WORKTREE_SETUP_LOCK_TTL_MS) {
-        (0, import_node_fs28.rmSync)(lockPath, { force: true });
+      if (Date.now() - (0, import_node_fs29.statSync)(lockPath).mtimeMs > WORKTREE_SETUP_LOCK_TTL_MS) {
+        (0, import_node_fs29.rmSync)(lockPath, { force: true });
         return take();
       }
     } catch {
@@ -21152,7 +22255,7 @@ function scheduleRelatedDiscovery(o) {
   try {
     const args = ["issue", "discover-related", "--number", String(o.number), "--title", o.title, "--body", o.body];
     if (o.repo) args.push("--repo", o.repo);
-    (0, import_node_child_process13.spawn)(process.execPath, [process.argv[1], ...args], {
+    (0, import_node_child_process15.spawn)(process.execPath, [process.argv[1], ...args], {
       detached: true,
       stdio: "ignore",
       windowsHide: true,
@@ -21201,6 +22304,20 @@ tenant.command("control <owner/repo> <stage> <action>").description("run bounded
     return failGraceful(`tenant control: ${e.message}`);
   }
 });
+tenant.command("status <owner/repo> <stage>").description("read tenant runtime readiness without dispatching tenant-control: DEPLOY row, last deploy run, public URL probe, and TLS/Caddy/Cloudflare hints").option("--json", "machine-readable output").action(async (repo, stage2, _o) => {
+  if (!["dev", "rc", "main"].includes(stage2)) return fail("tenant status: <stage> must be dev, rc, or main");
+  const cfg = await loadConfig();
+  const result = await buildTenantRuntimeStatusFor(repo, stage2, cfg);
+  console.log(JSON.stringify(result, null, 2));
+  if (result.publicProbe?.ok === false) process.exitCode = 1;
+});
+tenant.command("readiness <owner/repo> <stage>").description("alias for tenant status: read-only tenant runtime readiness").option("--json", "machine-readable output").action(async (repo, stage2, _o) => {
+  if (!["dev", "rc", "main"].includes(stage2)) return fail("tenant readiness: <stage> must be dev, rc, or main");
+  const cfg = await loadConfig();
+  const result = await buildTenantRuntimeStatusFor(repo, stage2, cfg);
+  console.log(JSON.stringify(result, null, 2));
+  if (result.publicProbe?.ok === false) process.exitCode = 1;
+});
 tenant.command("redeploy <owner/repo> <stage>").description("re-dispatch the central tenant-deploy.yml for an already-promoted ref (no re-tag/merge); train-authority gated").option("--ref <ref>", "ref to deploy (defaults to the stage branch rc/main \u2014 the promoted ref)").option("--watch", "block on the dispatched run and report its outcome (gh run watch --exit-status)").option("--json", "machine-readable output").action(async (repo, stage2, o) => {
   if (stage2 !== "rc" && stage2 !== "main") return fail("tenant redeploy: <stage> must be rc or main");
   try {
@@ -21243,6 +22360,44 @@ async function resolveDnsBounded(host, timeoutMs = 3e3) {
   });
   return Promise.race([probe, timeout]);
 }
+async function probeHttpBounded(url, timeoutMs = 5e3) {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), timeoutMs);
+  timeout.unref?.();
+  try {
+    const res = await fetch(url, { method: "GET", signal: controller.signal });
+    return { ok: res.ok, status: res.status };
+  } catch (e) {
+    return { ok: false, error: e.message };
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function lastWorkflowRun(workflow) {
+  try {
+    const out = await execFileP2("gh", ["run", "list", "--repo", HUB_REPO3, "--workflow", workflow, "--limit", "1", "--json", "databaseId,url,status,conclusion,headBranch,headSha,createdAt"], { timeout: 2e4 });
+    const rows = JSON.parse(out.stdout || "[]");
+    return rows[0];
+  } catch {
+    return void 0;
+  }
+}
+async function buildTenantRuntimeStatusFor(target, stage2, cfg) {
+  const slug = slugOf(target);
+  const reg = registryClientDeps(cfg);
+  const facts = await fetchDeployFactsBySlug(slug, reg);
+  const deploy = facts?.stages[stage2] ?? null;
+  const publicUrl = publicUrlFromDeployFact(deploy);
+  const publicProbe = publicUrl ? await probeHttpBounded(publicUrl) : void 0;
+  return buildTenantRuntimeStatus({
+    repo: target,
+    slug,
+    stage: stage2,
+    deploy,
+    publicProbe,
+    lastTenantDeployRun: await lastWorkflowRun("tenant-deploy.yml")
+  });
+}
 async function v2ReadinessDeps(cfg) {
   const reg = registryClientDeps(cfg);
   return {
@@ -21257,6 +22412,11 @@ async function v2ReadinessDeps(cfg) {
       const status = await fetchDeployStatusBySlug(slug, reg);
       return Boolean(status?.deployState[stage2]);
     },
+    getDeployFact: async (slug, stage2) => {
+      const facts = await fetchDeployFactsBySlug(slug, reg);
+      const fact = facts?.stages[stage2];
+      return fact ? { port: fact.port, domain: fact.domain } : null;
+    },
     listSecrets: async (targetRepo2) => {
       const apiUrl = cfg.sagaApiUrl;
       if (!apiUrl) throw new Error("Hub API URL not configured \u2014 cannot verify secret names (set sagaApiUrl)");
@@ -21344,7 +22504,7 @@ deploys run centrally (tenant-deploy.yml); product repos carry no deploy files.
   }
 });
 project.command("resolve <owner/repo>").description("deploy coords for a stage \u2014 for diagnosis. NOTE: /deploy-coords is OIDC-gated (a deploy job\u2019s id-token), so a gh-token CLI cannot read it from a dev machine").option("--stage <main|rc>", "deploy stage", "main").option("--json", "machine-readable output").action((_repoOrRepo, o) => {
-  const msg = "project resolve: deploy coords are served only to a deploy workflow (GitHub OIDC id-token, repo-scoped). A gh-token CLI on a dev machine cannot read /deploy-coords; inspect the DEPLOY# item via a master registry (DDB) read instead.";
+  const msg = "project resolve: deploy coords are served only to a deploy workflow (GitHub OIDC id-token, repo-scoped). A gh-token CLI on a dev machine cannot read /deploy-coords; inspect nonsecret DEPLOY facts with `mmi-cli project deploy get`. Full coords stay OIDC-gated.";
   if (o.json) {
     console.log(JSON.stringify({ ok: false, stage: o.stage, error: msg }));
     process.exitCode = 1;
@@ -21352,6 +22512,37 @@ project.command("resolve <owner/repo>").description("deploy coords for a stage \
   }
   fail(msg);
 });
+var projectDeploy = project.command("deploy").description("read nonsecret DEPLOY# facts (domain, port, deploy path, substrate, host presence)");
+projectDeploy.command("get [owner/repo]").description("read nonsecret DEPLOY# facts for one project; defaults to the current repo").option("--stage <stage>", "dev | rc | main").option("--json", "machine-readable output").action(async (repoOrSlug, o) => {
+  const cfg = await loadConfig();
+  let target;
+  try {
+    target = await projectTarget("project deploy get", repoOrSlug);
+  } catch (e) {
+    return fail(e.message);
+  }
+  const out = await fetchDeployFactsBySlug(slugOf(target), registryClientDeps(cfg));
+  if (!out) return failGraceful(`project deploy get: Hub deploy facts read failed for ${target}`);
+  const stage2 = o.stage?.trim();
+  if (stage2 && !["dev", "rc", "main"].includes(stage2)) return fail("project deploy get: --stage must be dev, rc, or main");
+  const payload = stage2 ? { slug: out.slug, stage: stage2, deploy: out.stages[stage2] ?? null } : out;
+  console.log(JSON.stringify(payload));
+});
+projectDeploy.command("list [owner/repo]").description("alias for project deploy get; lists all stages by default").option("--stage <stage>", "dev | rc | main").option("--json", "machine-readable output").action(async (repoOrSlug, o) => {
+  const cfg = await loadConfig();
+  let target;
+  try {
+    target = await projectTarget("project deploy list", repoOrSlug);
+  } catch (e) {
+    return fail(e.message);
+  }
+  const out = await fetchDeployFactsBySlug(slugOf(target), registryClientDeps(cfg));
+  if (!out) return failGraceful(`project deploy list: Hub deploy facts read failed for ${target}`);
+  const stage2 = o.stage?.trim();
+  if (stage2 && !["dev", "rc", "main"].includes(stage2)) return fail("project deploy list: --stage must be dev, rc, or main");
+  const payload = stage2 ? { slug: out.slug, stage: stage2, deploy: out.stages[stage2] ?? null } : out;
+  console.log(JSON.stringify(payload));
+});
 project.command("doctor [owner/repo]").description("diagnose Hub v2 readiness for a repo without reading product repo files \u2014 appOwnedGaps are advisory templates; clear them with `project attest`; defaults to the current repo").option("--v2", "compatibility flag; v2 readiness is the default").option("--json", "machine-readable output").action(async (repo, _o) => {
   const cfg = await loadConfig();
   let target;
@@ -21444,6 +22635,31 @@ project.command("set [owner/repo]").description("upsert project META (idempotent
   const res = await upsertProject(slug, { ...patch, repo }, registryClientDeps(cfg));
   return reportWrite("project set", res);
 });
+var fullTrack = program2.command("full-track").description("direct-to-full-track readiness audits");
+fullTrack.command("readiness <owner/repo>").description("aggregate branch topology, train authority, deploy facts, endpoint health, and rcand readiness for direct -> full switches").option("--json", "machine-readable output").action(async (repo, _o) => {
+  const cfg = await loadConfig();
+  const reg = registryClientDeps(cfg);
+  const slug = slugOf(repo);
+  const [metaRead, deployFacts, authority, dev, rc, main] = await Promise.all([
+    fetchProjectBySlugChecked(slug, reg),
+    fetchDeployFactsBySlug(slug, reg),
+    fetchTrainAuthority(repo, reg),
+    buildTenantRuntimeStatusFor(repo, "dev", cfg),
+    buildTenantRuntimeStatusFor(repo, "rc", cfg),
+    buildTenantRuntimeStatusFor(repo, "main", cfg)
+  ]);
+  if (!metaRead.ok) return failGraceful(`full-track readiness: Hub registry read failed (${metaRead.error})`);
+  const report = buildFullTrackReadinessReport({
+    repo,
+    slug,
+    meta: metaRead.project,
+    deployFacts,
+    trainAuthority: authority.ok ? authority.authority : void 0,
+    runtime: { dev, rc, main }
+  });
+  console.log(JSON.stringify(report, null, 2));
+  if (!report.rcand.canApply) process.exitCode = 1;
+});
 project.command("set-deploy [owner/repo]").description("write the DEPLOY#<stage> Hetzner deploy coords for a tenant (master-only) \u2014 the explicit-coords path that seeds a freshly-bootstrapped tenant; defaults to the current repo").requiredOption("--stage <stage>", "dev | rc | main").option("--ssh-host <host>", "the box address the deploy ssh-es into (required for hetzner-ssh)").option("--ssh-user <user>", "ssh user (default root)").option("--port <port>", "loopback port the container binds / Caddy upstream (1..65535)").option("--substrate <substrate>", "hetzner-ssh (default)").option("--deploy-path <path>", "on-box per-stage release root (default /opt/mmi/<slug>/<stage>)").option("--service <name>", "systemd/compose service name (default the slug)").option("--domain <domain>", "canonical serving host (default the project edgeDomains[stage])").option("--alias <domain...>", "extra serving hostname the box Caddy answers (repeatable)").option("--json", "machine-readable output").action(async (repoOrSlug, o) => {
   const cfg = await loadConfig();
   let target;
@@ -21680,6 +22896,29 @@ issue.command("link-child <parent> <child>").description("link an existing issue
     return fail(`issue link-child: ${(err.stderr || err.message || String(e)).trim()}${note ? ` (${note})` : ""}`);
   }
 });
+issue.command("comment <ref>").description("post a Markdown comment to an issue and print {number,repo,url,commentUrl} JSON").option("--body <body>", "comment body (markdown; prefer --body-file for multiline Markdown)").option("--body-file <path|->", "read comment body from a UTF-8 file, or from stdin with -").option("--repo <owner/repo>", "repo for a bare ref (defaults to the current repo)").action(async (ref, o) => {
+  let parsed;
+  try {
+    parsed = parseIssueRef(ref);
+  } catch (e) {
+    return fail(`issue comment: ${e.message}`);
+  }
+  let body;
+  try {
+    body = await resolveIssueBody({ body: o.body, bodyFile: o.bodyFile }, { readFile: import_promises8.readFile, readStdin });
+  } catch (e) {
+    return fail(`issue comment: ${e.message}`);
+  }
+  const repo = await resolveRepo(parsed.repo ?? o.repo);
+  if (!repo) return fail("issue comment: could not resolve repo \u2014 pass --repo owner/repo");
+  try {
+    const result = await postIssueComment(defaultGitHubClient(), { ref, defaultRepo: repo, body });
+    console.log(JSON.stringify(result));
+  } catch (e) {
+    const err = e;
+    return fail(`issue comment: ${(err.stderr || err.message || String(e)).trim()}`);
+  }
+});
 issue.command("check <ref>").description("tick (or with --off untick) a task-list checkbox in an issue/epic body by its item text and print {number,repo,item,checked,changed} JSON").requiredOption("--item <text>", "the checklist item to match \u2014 exact item text, else a unique substring").option("--off", "untick the item ([x] \u2192 [ ]) instead of ticking it").option("--repo <owner/repo>", "repo for a bare ref (defaults to the current repo)").action(async (ref, o) => {
   let parsed;
   try {
@@ -21994,9 +23233,9 @@ pr.command("create").description("create a PR and print {number,url} JSON").opti
   console.log(JSON.stringify(created));
 });
 async function listCiWorkflowPaths(cwd = process.cwd()) {
-  const wfDir = (0, import_node_path25.join)(cwd, ".github", "workflows");
-  if (!(0, import_node_fs28.existsSync)(wfDir)) return [];
-  return (0, import_node_fs28.readdirSync)(wfDir).filter((name) => /\.(ya?ml)$/i.test(name)).map((name) => `.github/workflows/${name}`);
+  const wfDir = (0, import_node_path26.join)(cwd, ".github", "workflows");
+  if (!(0, import_node_fs29.existsSync)(wfDir)) return [];
+  return (0, import_node_fs29.readdirSync)(wfDir).filter((name) => /\.(ya?ml)$/i.test(name)).map((name) => `.github/workflows/${name}`);
 }
 async function resolveMergeCiPolicyForCheckout(repoOpt) {
   const repo = repoOpt ?? await resolveRepo();
@@ -22015,7 +23254,7 @@ function ciAuditDeps() {
     // Continuous CI delivery (#1550): the gate re-seed renders from the Hub's on-disk seed templates. The
     // reconcile runs IN the Hub checkout, so this is local-file I/O (no network fetch). Path is relative to
     // the repo root (e.g. skills/bootstrap/seeds/gate.template.yml).
-    readSeedFile: (path2) => (0, import_node_fs28.existsSync)(path2) ? (0, import_node_fs28.readFileSync)(path2, "utf8") : null
+    readSeedFile: (path2) => (0, import_node_fs29.existsSync)(path2) ? (0, import_node_fs29.readFileSync)(path2, "utf8") : null
   };
 }
 pr.command("ci-policy").description("report merge CI policy: wait-for-checks vs no-ci (for grind/build agents)").option("--json", "machine-readable output").option("--repo <owner/repo>", "target repo (defaults to the current checkout)").action(async (o) => {
@@ -22152,7 +23391,7 @@ async function remoteBranchExists2(branch, options = {}) {
 }
 var COMPOSE_TIMEOUT_MS = 12e4;
 function spawnDeferredGcSweep() {
-  spawnDetachedSelf(["gc", "sweep-deferred", "--quiet"], { spawn: import_node_child_process13.spawn, execPath: process.execPath, scriptPath: process.argv[1] });
+  spawnDetachedSelf(["gc", "sweep-deferred", "--quiet"], { spawn: import_node_child_process15.spawn, execPath: process.execPath, scriptPath: process.argv[1] });
 }
 async function createDeferredWorktreeStore() {
   try {
@@ -22168,7 +23407,7 @@ async function createDeferredWorktreeStore() {
       },
       write: async (entries) => {
         try {
-          await (0, import_promises8.mkdir)((0, import_node_path25.dirname)(registryPath), { recursive: true });
+          await (0, import_promises8.mkdir)((0, import_node_path26.dirname)(registryPath), { recursive: true });
           await (0, import_promises8.writeFile)(registryPath, serializeDeferredWorktrees(entries), "utf8");
         } catch {
         }
@@ -22182,13 +23421,13 @@ var realWorktreeDirRemover = {
   probe: (p) => {
     let st;
     try {
-      st = (0, import_node_fs28.lstatSync)(p);
+      st = (0, import_node_fs29.lstatSync)(p);
     } catch {
       return null;
     }
     if (st.isSymbolicLink()) return "link";
     try {
-      (0, import_node_fs28.readlinkSync)(p);
+      (0, import_node_fs29.readlinkSync)(p);
       return "link";
     } catch {
     }
@@ -22196,7 +23435,7 @@ var realWorktreeDirRemover = {
   },
   readdir: (p) => {
     try {
-      return (0, import_node_fs28.readdirSync)(p);
+      return (0, import_node_fs29.readdirSync)(p);
     } catch {
       return [];
     }
@@ -22205,9 +23444,9 @@ var realWorktreeDirRemover = {
   // leaving the target); a file symlink with unlink. rmdir first, fall back to unlink.
   detachLink: (p) => {
     try {
-      (0, import_node_fs28.rmdirSync)(p);
+      (0, import_node_fs29.rmdirSync)(p);
     } catch {
-      (0, import_node_fs28.unlinkSync)(p);
+      (0, import_node_fs29.unlinkSync)(p);
     }
   },
   removeTree: (p) => (0, import_promises8.rm)(p, { recursive: true, force: true, maxRetries: 5, retryDelay: 200 })
@@ -22237,9 +23476,9 @@ async function worktreeHasStageState(worktreePath) {
   }
 }
 function stageStateFileBelongsToWorktree(statePath, worktreePath) {
-  if (!(0, import_node_fs28.existsSync)(statePath)) return false;
+  if (!(0, import_node_fs29.existsSync)(statePath)) return false;
   try {
-    const state = JSON.parse((0, import_node_fs28.readFileSync)(statePath, "utf8"));
+    const state = JSON.parse((0, import_node_fs29.readFileSync)(statePath, "utf8"));
     const recordedCwd = typeof state.identity?.cwd === "string" ? state.identity.cwd : typeof state.cwd === "string" ? state.cwd : "";
     return Boolean(recordedCwd && isPathUnderDirectory(recordedCwd, worktreePath));
   } catch {
@@ -22312,7 +23551,7 @@ pr.command("merge <number>").description("merge a PR (squash by default) and cle
     } : await cleanupPrMergeLocalBranch(headRef, {
       beforeWorktrees,
       startingPath,
-      pathExists: (p) => (0, import_node_fs28.existsSync)(p),
+      pathExists: (p) => (0, import_node_fs29.existsSync)(p),
       execGit: async (args) => (await execFileP2("git", args, { timeout: GIT_TIMEOUT_MS })).stdout,
       teardownWorktreeStage,
       deferredStore,
@@ -22509,7 +23748,7 @@ function stageScopedRunOpts(o) {
   };
 }
 function printLine(value) {
-  (0, import_node_fs28.writeSync)(1, `${value}
+  (0, import_node_fs29.writeSync)(1, `${value}
 `);
 }
 function stageKeepAlive() {
@@ -22526,8 +23765,8 @@ async function resolveStage() {
     local,
     shell: shellFor(),
     registry: { deployModel: project2?.deployModel, portRange, error: read.ok ? void 0 : read.error },
-    hasCompose: (0, import_node_fs28.existsSync)((0, import_node_path25.join)(process.cwd(), "docker-compose.yml")),
-    hasEnvExample: (0, import_node_fs28.existsSync)((0, import_node_path25.join)(process.cwd(), ".env.example"))
+    hasCompose: (0, import_node_fs29.existsSync)((0, import_node_path26.join)(process.cwd(), "docker-compose.yml")),
+    hasEnvExample: (0, import_node_fs29.existsSync)((0, import_node_path26.join)(process.cwd(), ".env.example"))
   });
 }
 async function fetchStageVaultEnvMerge() {
@@ -22851,7 +24090,7 @@ async function resolveRcandPlanTargets() {
   }
 }
 for (const commandName of ["rcand", "release"]) {
-  program2.command(commandName).description(`plan ${commandName} train operations; mutations require explicit master-admin approval`).option("--json", "machine-readable output").option("--watch", "block on the deploy/publish workflow runs and report their outcomes").option("--apply", "execute the guarded master-only train after explicit approval").option("--announce-summary-file <path>", "release only: agent-curated summary lines for the Hub Slack announcement (#883)").option("--ack <shas>", "release only: comma-separated dev shas a human verified are in the candidate, overriding the hotfix-coverage guard for a conflicted port whose -x trailer was lost (#958)").option("--dev", "release only: full-track repos release development -> main directly, skipping rc (refuses if rc carries content not in development; no-op on direct-track repos) (#1062)").action(async (o) => {
+  program2.command(commandName).description(`plan ${commandName} train operations; mutations require explicit master-admin approval`).option("--json", "machine-readable output").option("--watch", "block on the deploy/publish workflow runs and report their outcomes").option("--apply", "execute the guarded master-only train after explicit approval").option("--announce-summary-file <path>", "release only: agent-curated summary lines for the Hub Slack announcement (#883)").option("--ack <shas>", "release only: comma-separated dev shas a human verified are in the candidate, overriding the hotfix-coverage guard for a conflicted port whose -x trailer was lost (#958)").option("--dev", "release only: full-track repos release development -> main directly, skipping rc (refuses if rc carries content not in development; no-op on direct-track repos) (#1062)").option("--repo <owner/repo>", "dry-run plan for a target repo without relying on the current checkout; --apply still uses the current checkout").action(async (o) => {
     try {
       await requireFreshTrainCli(commandName);
     } catch (e) {
@@ -22863,6 +24102,9 @@ for (const commandName of ["rcand", "release"]) {
     if (o.dev && commandName !== "release") {
       return fail("--dev applies only to release: it ships development -> main skipping rc, which rcand cannot do");
     }
+    if (o.apply && o.repo) {
+      return fail(`${commandName}: --repo is read-only for dry-run planning; --apply must run from the target repo checkout`);
+    }
     if (o.apply) {
       try {
         const ack = (o.ack ?? "").split(",").map((s) => s.trim()).filter(Boolean);
@@ -22872,8 +24114,8 @@ for (const commandName of ["rcand", "release"]) {
         return failGraceful(`${commandName}: ${e.message}`);
       }
     }
-    const repo = await resolveRepo();
-    const targets = commandName === "rcand" ? await resolveRcandPlanTargets() : void 0;
+    const repo = o.repo ?? await resolveRepo();
+    const targets = commandName === "rcand" && !o.repo ? await resolveRcandPlanTargets() : void 0;
     let releaseTrack;
     if (repo) {
       try {
@@ -22989,7 +24231,7 @@ bootstrap.command("verify <repo>").description("audit whether an existing repo i
     client: defaultGitHubClient(),
     projectMeta: meta,
     deployModel: typeof meta?.deployModel === "string" ? meta.deployModel : void 0,
-    readLocalFile: (path2) => path2 === "projects.json" && apiProjects != null ? apiProjects : (0, import_node_fs28.existsSync)(path2) ? (0, import_node_fs28.readFileSync)(path2, "utf8") : null,
+    readLocalFile: (path2) => path2 === "projects.json" && apiProjects != null ? apiProjects : (0, import_node_fs29.existsSync)(path2) ? (0, import_node_fs29.readFileSync)(path2, "utf8") : null,
     // requiredGcpApis is stored as an array by a JSON write, but `project set --var KEY=VALUE` stores a raw
     // comma-string — accept either so the seeded value verifies regardless of how it was written.
     requiredGcpApis: (() => {
@@ -23033,12 +24275,12 @@ bootstrap.command("apply <repo>").description("idempotent seed apply from skills
     return fail(`bootstrap apply: ${e.message}`);
   }
   const manifestPath = "skills/bootstrap/seeds/manifest.json";
-  if (!(0, import_node_fs28.existsSync)(manifestPath)) return fail(`bootstrap apply: ${manifestPath} not found; run from the MMI-Hub repo root`);
-  const manifest = loadBootstrapSeeds((0, import_node_fs28.readFileSync)(manifestPath, "utf8"));
+  if (!(0, import_node_fs29.existsSync)(manifestPath)) return fail(`bootstrap apply: ${manifestPath} not found; run from the MMI-Hub repo root`);
+  const manifest = loadBootstrapSeeds((0, import_node_fs29.readFileSync)(manifestPath, "utf8"));
   const baseBranch = o.class === "content" ? "main" : "development";
   const slug = parsedRepo.slug;
   const gh = async (args) => execFileP2("gh", args, { timeout: 2e4 });
-  const readFile7 = (p) => (0, import_node_fs28.existsSync)(p) ? (0, import_node_fs28.readFileSync)(p, "utf8") : null;
+  const readFile7 = (p) => (0, import_node_fs29.existsSync)(p) ? (0, import_node_fs29.readFileSync)(p, "utf8") : null;
   const enc = (p) => p.split("/").map(encodeURIComponent).join("/");
   const rawVars = {};
   for (const value of rawValues("--var")) {
@@ -23287,18 +24529,20 @@ access.command("audit").description("audit collaborator roles + train-branch pus
   const registryProjects = await fetchProjectsList(registryClientDeps(cfg));
   if (o.repo) {
     if (o.class !== "deployable" && o.class !== "content") return failGraceful("access audit: --class must be deployable or content");
-    targets = [{ repo: o.repo, class: o.class }];
+    const meta = registryProjects?.find((project2) => (project2.repos ?? []).some((repo) => repo.toLowerCase() === o.repo.toLowerCase())) ?? null;
+    const repoClass = o.class;
+    targets = [{ repo: o.repo, class: repoClass, releaseTrack: repoClass === "content" ? "trunk" : resolveReleaseTrack(meta, void 0, o.repo) }];
   } else {
-    const projectsJson = registryProjects ? JSON.stringify({ projects: registryProjects }) : (0, import_node_fs28.existsSync)("projects.json") ? (0, import_node_fs28.readFileSync)("projects.json", "utf8") : null;
+    const projectsJson = registryProjects ? JSON.stringify({ projects: registryProjects }) : (0, import_node_fs29.existsSync)("projects.json") ? (0, import_node_fs29.readFileSync)("projects.json", "utf8") : null;
     if (!projectsJson) return failGraceful("access audit: no project registry \u2014 Hub API unreachable and projects.json not found; run from the MMI-Hub repo root or pass --repo <owner/repo>");
-    const fanoutJson = (0, import_node_fs28.existsSync)(".github/fanout-targets.json") ? (0, import_node_fs28.readFileSync)(".github/fanout-targets.json", "utf8") : null;
+    const fanoutJson = (0, import_node_fs29.existsSync)(".github/fanout-targets.json") ? (0, import_node_fs29.readFileSync)(".github/fanout-targets.json", "utf8") : null;
     targets = loadAccessTargets(projectsJson, fanoutJson);
   }
   const derivedMatrix = registryProjects ? accessMatrixFromProjects(registryProjects) : {};
-  const fileMatrix = (0, import_node_fs28.existsSync)("access-matrix.json") ? loadAccessMatrix((0, import_node_fs28.readFileSync)("access-matrix.json", "utf8")) : {};
+  const fileMatrix = (0, import_node_fs29.existsSync)("access-matrix.json") ? loadAccessMatrix((0, import_node_fs29.readFileSync)("access-matrix.json", "utf8")) : {};
   const matrix = mergeAccessMatrix(fileMatrix, derivedMatrix);
   const derivedContracts = registryProjects ? dataAccessContractsFromProjects(registryProjects) : { consumers: {} };
-  const fileContracts = (0, import_node_fs28.existsSync)("data-access-contracts.json") ? loadDataAccessContracts((0, import_node_fs28.readFileSync)("data-access-contracts.json", "utf8")) : { consumers: {} };
+  const fileContracts = (0, import_node_fs29.existsSync)("data-access-contracts.json") ? loadDataAccessContracts((0, import_node_fs29.readFileSync)("data-access-contracts.json", "utf8")) : { consumers: {} };
   const dataAccess = mergeDataAccessContracts(fileContracts, derivedContracts);
   const report = await auditOrgAccess(targets, deps, matrix, dataAccess);
   console.log(o.json ? JSON.stringify(report, null, 2) : renderAccessReport(report));
@@ -23399,7 +24643,7 @@ program2.command("session-start").description("run the SessionStart verbs (rules
   } catch (e) {
     console.error(`[mmi-hook] saga session failed: ${e.message}`);
   }
-  spawnDetachedSelf(["docs", "sync", "--quiet"], { spawn: import_node_child_process13.spawn, execPath: process.execPath, scriptPath: process.argv[1] });
+  spawnDetachedSelf(["docs", "sync", "--quiet"], { spawn: import_node_child_process15.spawn, execPath: process.execPath, scriptPath: process.argv[1] });
   spawnDeferredGcSweep();
   let northstarInjected = false;
   const { parallel, sequential } = buildSessionStartPlan({
@@ -23441,7 +24685,7 @@ program2.command("session-start").description("run the SessionStart verbs (rules
       readBoard,
       // #1813: warm the slice cache out-of-band (detached, like docs sync) so the ~20s live read
       // never costs banner time and next session's glance renders instantly within budget.
-      scheduleRefresh: () => spawnDetachedSelf(["board", "slice-refresh", "--quiet"], { spawn: import_node_child_process13.spawn, execPath: process.execPath, scriptPath: process.argv[1] })
+      scheduleRefresh: () => spawnDetachedSelf(["board", "slice-refresh", "--quiet"], { spawn: import_node_child_process15.spawn, execPath: process.execPath, scriptPath: process.argv[1] })
     }),
     spineReconcile: async (io) => {
       const cfg = await loadConfig();
@@ -23465,7 +24709,7 @@ program2.command("session-start").description("run the SessionStart verbs (rules
   for (const line of scratchGcLines(process.cwd())) consoleIo.log(line);
   const worktreeBanner = worktreeAutoProvisionBanner(process.cwd());
   if (worktreeBanner) {
-    spawnDetachedSelf(["worktree", "setup", "--quiet"], { spawn: import_node_child_process13.spawn, execPath: process.execPath, scriptPath: process.argv[1] });
+    spawnDetachedSelf(["worktree", "setup", "--quiet"], { spawn: import_node_child_process15.spawn, execPath: process.execPath, scriptPath: process.argv[1] });
     consoleIo.log(worktreeBanner);
   }
 });