@mutmutco/cli 2.55.0 → 2.56.0

package/dist/main.cjs

@@ -9862,7 +9862,7 @@ async function runCoopDeliver(coopId, io, quiet = false) {
   if (!quiet) {
     io.log(`[coop deliver] ${coopId} \u2014 issue ${match.meta.issueUrl}`);
     for (const m of match.messages) io.log(m.envelope);
-    io.log("[coop deliver] Read the issue, reply via `mmi-cli coop say`, then mark delivered.");
+    io.log("[coop deliver] Coordinate in `#mmi-agents` via `mmi-cli coop say`; the issue keeps proof/context.");
   }
   await postJson("/coop/delivered", { coopId });
 }
@@ -9874,7 +9874,7 @@ function registerCoopCommands(program3) {
       { file: opts.messageFile },
       { readFile: import_promises4.readFile, readStdin },
       { value: "a message argument", file: "--message-file", noun: "message" }
-    ) : "Coop session started \u2014 handshake on the linked issue.";
+    ) : "Coop session started - coordinate in #mmi-agents; the issue keeps proof/context.";
     const payload = {
       repo: opts.repo ?? ctx.repo,
       branch: ctx.branch,
@@ -9973,6 +9973,7 @@ function atomicWriteFileSync(path2, content) {
 var OVERLORD_DEFAULT_COUNT = 3;
 var OVERLORD_MIN_COUNT = 3;
 var OVERLORD_MAX_COUNT = 6;
+var OVERLORD_HANDOFF_TIMEOUT_MS = 12e4;
 var GENERIC_STOP_NAMES = /* @__PURE__ */ new Set([
   "windowsterminal",
   "windows terminal",
@@ -10001,6 +10002,17 @@ function defaultMessageId() {
 function servantSlotId(slot) {
   return slot.name.replace(/\s+/g, "-").toLowerCase();
 }
+function overlordServantPrompt(servant, run) {
+  const roleLine = servant.role === "ultra" ? "You are the single Ultra Fugu: take the hardest, highest-uncertainty questions and report calibrated judgment." : "You are a normal Fugu servant: take one bounded mission at a time and report concise evidence.";
+  return [
+    `You are ${servant.name} in Overlord run ${run.runId}.`,
+    roleLine,
+    "First respond with exactly: ACK " + servant.name + " ready",
+    "After the ACK, wait for the Overlord to assign bounded work.",
+    "Do not start dev servers, browsers, Playwright, PRs, merges, releases, or worktree changes unless the Overlord explicitly assigns that scope.",
+    "When assigned work, gather evidence before editing, verify before claiming done, and escalate blockers instead of looping."
+  ].join("\n");
+}
 function parseOverlordCount(args) {
   const counts = args.map(numericCountArg).filter((n) => n !== void 0);
   if (counts.length === 0) return OVERLORD_DEFAULT_COUNT;
@@ -10057,6 +10069,64 @@ ${modelCatalog}`)) problems.push("fugu-ultra is not available");
   }
   return { ok: problems.length === 0, problems };
 }
+function evaluateOpenCodePreflight(input) {
+  const problems = [];
+  if (!input.found) problems.push("opencode is not installed or not on PATH");
+  if (!/sakana\/fugu\b/i.test(input.modelsText ?? "")) problems.push("sakana/fugu is not available");
+  if (!/sakana\/fugu-ultra\b/i.test(input.modelsText ?? "")) problems.push("sakana/fugu-ultra is not available");
+  const probe = input.jsonProbeText ?? "";
+  if (probe && !/(sessionID|sessionId|step_finish|finish)/i.test(probe)) problems.push("opencode run --format json did not emit session or finish events");
+  return { ok: problems.length === 0, problems };
+}
+function buildOpenCodeLaunch(slot, message, sessionId) {
+  const model = slot.role === "ultra" ? "sakana/fugu-ultra" : "sakana/fugu";
+  const args = ["run", "-m", model, "--format", "json"];
+  if (sessionId) args.push("--session", sessionId);
+  args.push(message);
+  return { command: "opencode", args };
+}
+function parseOpenCodeEvents(raw) {
+  const events = [];
+  const trimmed = (raw ?? "").trim();
+  if (!trimmed) return { text: "", finished: false, events };
+  const pushParsed = (chunk) => {
+    const t = chunk.trim();
+    if (!t) return;
+    try {
+      events.push(JSON.parse(t));
+    } catch {
+    }
+  };
+  try {
+    const whole = JSON.parse(trimmed);
+    if (Array.isArray(whole)) events.push(...whole);
+    else events.push(whole);
+  } catch {
+    for (const line of trimmed.split(/\r?\n/)) pushParsed(line);
+  }
+  let sessionId;
+  let text = "";
+  let finished = false;
+  for (const ev of events) {
+    if (!ev || typeof ev !== "object") continue;
+    const e = ev;
+    const sid = e.sessionID ?? e.sessionId ?? e.session?.id;
+    if (typeof sid === "string" && sid) sessionId = sid;
+    const type = typeof e.type === "string" ? e.type : void 0;
+    if (typeof e.text === "string") text += e.text;
+    else if (type === "text" && typeof e.content === "string") text += e.content;
+    if (type === "step_finish" || type === "finish" || e.finishReason || e.finish_reason) finished = true;
+  }
+  return { sessionId, text: text.trim(), finished, events };
+}
+function appendOverlordLedger(ledgerPath, entry) {
+  try {
+    (0, import_node_fs15.mkdirSync)((0, import_node_path13.dirname)(ledgerPath), { recursive: true });
+    (0, import_node_fs15.appendFileSync)(ledgerPath, `${JSON.stringify(entry)}
+`, "utf8");
+  } catch {
+  }
+}
 function defaultOverlordStatePath(cwd) {
   return (0, import_node_path13.join)(cwd, "tmp", "overlord", "runs.json");
 }
@@ -10079,6 +10149,7 @@ function buildOverlordRun(options) {
   const runToken = options.runToken?.() ?? defaultRunToken();
   const statePath = defaultOverlordStatePath(options.cwd);
   const journalDir = (0, import_node_path13.join)(options.cwd, "tmp", "overlord", runId);
+  const engine = options.engine ?? "codex-fugu";
   const timestamp = isoNow(options.now);
   return {
     runId,
@@ -10090,13 +10161,21 @@ function buildOverlordRun(options) {
     worktree: options.cwd,
     statePath,
     journalDir,
+    ledgerPath: (0, import_node_path13.join)(journalDir, "ledger.jsonl"),
+    engine,
+    provider: engine === "opencode" ? "opencode" : "codex",
+    opencodeVersion: options.opencodeVersion,
     servants: buildServantLayout(options.count).map((slot) => ({
       ...slot,
       slotId: servantSlotId(slot),
       profile: "consultation",
       state: "planned",
       journalPath: (0, import_node_path13.join)(journalDir, `${servantSlotId(slot)}.log`),
-      composerSubmitMode: "unknown"
+      composerSubmitMode: engine === "opencode" ? "surface-api" : "unknown",
+      engine,
+      provider: engine === "opencode" ? "opencode" : "codex",
+      opencodeVersion: options.opencodeVersion,
+      eventJournalPath: engine === "opencode" ? (0, import_node_path13.join)(journalDir, `${servantSlotId(slot)}.events.jsonl`) : void 0
     })),
     ownedResources: []
   };
@@ -10145,14 +10224,18 @@ function planStopResource(resource, context) {
 }
 function summarizeOverlordRun(run, probe) {
   const controller = run.controllerPid == null ? "not-started" : probe.isPidAlive(run.controllerPid) ? "alive" : "lost";
+  const now = probe.now?.() ?? /* @__PURE__ */ new Date();
   return {
     active: run.state !== "stopped" && run.state !== "failed",
     runId: run.runId,
     state: run.state,
     controller,
     servants: run.servants.map((servant) => {
+      if (run.engine === "opencode" || servant.engine === "opencode") return { name: servant.name, state: servantProgress(run, servant, now) };
       if (servant.pid == null) return { name: servant.name, state: "not-started" };
       if (!probe.isPidAlive(servant.pid)) return { name: servant.name, state: "lost" };
+      const progress = servantProgress(run, servant, now);
+      if (progress !== servant.state) return { name: servant.name, state: progress };
       if (servant.state === "ready" && servant.lastAckAt && servant.composerSubmitMode !== "unknown") {
         return { name: servant.name, state: "ready" };
       }
@@ -10185,6 +10268,37 @@ function defaultStartController(run) {
   child.unref();
   return { pid: child.pid, fingerprint };
 }
+function defaultRunOpenCode(run, servant, message, sessionId) {
+  const launch = buildOpenCodeLaunch(servant, message, sessionId ?? servant.opencodeSessionId);
+  const shell2 = process.platform === "win32";
+  const file = shell2 ? [launch.command, ...launch.args].map(shellQuote2).join(" ") : launch.command;
+  const result = (0, import_node_child_process8.spawnSync)(file, shell2 ? [] : launch.args, {
+    encoding: "utf8",
+    shell: shell2,
+    cwd: run.worktree,
+    timeout: 6e5,
+    windowsHide: true,
+    env: { ...process.env }
+  });
+  if (result.error && result.error.code === "ENOENT") {
+    return { ok: false, error: "opencode is not installed or not on PATH" };
+  }
+  const raw = `${result.stdout ?? ""}
+${result.stderr ?? ""}`;
+  if (servant.eventJournalPath) {
+    try {
+      (0, import_node_fs15.mkdirSync)((0, import_node_path13.dirname)(servant.eventJournalPath), { recursive: true });
+      (0, import_node_fs15.appendFileSync)(servant.eventJournalPath, `${raw.trim()}
+`, "utf8");
+    } catch {
+    }
+  }
+  const parsed = parseOpenCodeEvents(raw);
+  if (result.status !== 0 && !parsed.finished) {
+    return { ok: false, sessionId: parsed.sessionId, text: parsed.text, error: `opencode run exited ${result.status ?? "with error"}`, events: parsed.events };
+  }
+  return { ok: true, sessionId: parsed.sessionId, text: parsed.text, events: parsed.events };
+}
 function defaultIsPidAlive(pid) {
   if (!Number.isFinite(pid) || pid <= 0) return false;
   try {
@@ -10232,6 +10346,15 @@ function hasCodexAuthEvidence() {
   const codexHome = process.env.CODEX_HOME ?? (0, import_node_path13.join)((0, import_node_os3.homedir)(), ".codex");
   return (0, import_node_fs15.existsSync)((0, import_node_path13.join)(codexHome, "auth.json"));
 }
+function collectOpenCodePreflight() {
+  const version = boundedCommandText("opencode", ["--version"]);
+  const models = boundedCommandText("opencode", ["models"]);
+  return evaluateOpenCodePreflight({
+    found: version.found,
+    versionText: version.text,
+    modelsText: models.text
+  });
+}
 function collectCodexFuguPreflight() {
   const codexHelp = boundedCommandText("codex", ["--help"]);
   const fuguHelp = boundedCommandText("codex-fugu", ["--help"]);
@@ -10276,6 +10399,57 @@ function renderCodexFuguPreflightFailure(report) {
   }
   return lines.join("\n");
 }
+function updateOpenCodeServant(run, servant, result, timestamp) {
+  return {
+    ...servant,
+    state: result.ok ? "ready" : "blocked",
+    opencodeSessionId: result.sessionId ?? servant.opencodeSessionId,
+    lastAckAt: result.ok ? timestamp : servant.lastAckAt,
+    lastUsefulSignalAt: result.ok ? timestamp : servant.lastUsefulSignalAt,
+    lastEventAt: timestamp,
+    lastMessageCompletedAt: result.ok ? timestamp : servant.lastMessageCompletedAt
+  };
+}
+function startOpenCodeServants(run, runOpenCode, now) {
+  const timestamp = isoNow(now);
+  const servants = run.servants.map((servant) => {
+    const result = runOpenCode(run, servant, overlordServantPrompt(servant, run));
+    if (run.ledgerPath) appendOverlordLedger(run.ledgerPath, { at: timestamp, kind: "servant-start", ownerSlotId: servant.slotId, ok: result.ok, sessionId: result.sessionId, responseText: result.text, error: result.error });
+    return updateOpenCodeServant(run, servant, result, timestamp);
+  });
+  return { ...run, state: "active", updatedAt: timestamp, servants };
+}
+function dispatchOpenCodeMessage(run, message, runOpenCode, now) {
+  const timestamp = isoNow(now);
+  const targets = run.servants.filter((servant) => message.target === "all" || servant.slotId === message.target || normalizeServantTarget(servant.name) === message.target);
+  const responses = [];
+  let ok = targets.length > 0;
+  const nextServants = run.servants.map((servant) => {
+    if (!targets.some((target) => target.slotId === servant.slotId)) return servant;
+    const result = runOpenCode(run, servant, message.text, servant.opencodeSessionId);
+    if (!result.ok) ok = false;
+    if (result.text) responses.push(`${servant.slotId}: ${result.text}`);
+    if (run.ledgerPath) appendOverlordLedger(run.ledgerPath, { at: timestamp, kind: "message-response", messageId: message.id, ownerSlotId: servant.slotId, ok: result.ok, sessionId: result.sessionId, responseText: result.text, error: result.error });
+    return updateOpenCodeServant(run, servant, result, timestamp);
+  });
+  const nextMessage = {
+    ...message,
+    state: ok ? "completed" : "failed",
+    startedAt: timestamp,
+    completedAt: ok ? timestamp : void 0,
+    failedAt: ok ? void 0 : timestamp,
+    ackText: ok ? "opencode response captured" : void 0,
+    responseText: responses.join("\n"),
+    failureReason: ok ? void 0 : "one or more OpenCode servant calls failed",
+    eventJournalPath: targets.map((target) => target.eventJournalPath).filter(Boolean).join(",")
+  };
+  return {
+    ...run,
+    updatedAt: timestamp,
+    servants: nextServants,
+    messages: [...(run.messages ?? []).filter((m) => m.id !== message.id), nextMessage]
+  };
+}
 function findActiveRun(registry2) {
   const runId = registry2.activeRunId;
   if (!runId) return void 0;
@@ -10290,17 +10464,42 @@ function hasServantTarget(run, target) {
     (servant) => servant.slotId === normalized || normalizeServantTarget(servant.name) === normalized
   );
 }
+function messageProgress(message, now = /* @__PURE__ */ new Date(), timeoutMs = OVERLORD_HANDOFF_TIMEOUT_MS) {
+  if (message.completedAt || message.state === "completed") return "completed";
+  if (message.failedAt || message.state === "failed") return "failed";
+  const startedAt = message.startedAt ?? message.deliveredAt;
+  if (!startedAt) return "queued";
+  const elapsed = now.getTime() - new Date(startedAt).getTime();
+  return Number.isFinite(elapsed) && elapsed >= timeoutMs ? "stalled" : "started";
+}
+function servantProgress(run, servant, now = /* @__PURE__ */ new Date()) {
+  const relevant = (run.messages ?? []).filter((message) => message.target === "all" || servant.slotId === message.target || normalizeServantTarget(servant.name) === message.target);
+  return relevant.some((message) => messageProgress(message, now) === "stalled") ? "stalled-after-delivery" : servant.state;
+}
 function renderOverlordStatus(summary, run) {
   const servants = summary.servants.map((servant) => `- ${servant.name}: ${servant.state}`).join("\n");
+  const messages = (run.messages ?? []).map((message) => `- ${message.id}: ${message.target} ${messageProgress(message)}`).join("\n");
   return [
     `Overlord run ${summary.runId}`,
     `State: ${summary.state}`,
     `Task: ${run.task || "not provided yet"}`,
     `Controller: ${summary.controller}`,
     "Servants:",
-    servants
+    servants,
+    ...messages ? ["Messages:", messages] : []
   ].join("\n");
 }
+function usefulJournalLines(text) {
+  return text.split(/\r?\n/).map((line) => line.trim()).filter((line) => line && !/^fugu\s/i.test(line) && !/^›/.test(line) && !/^\[overlord\] launched/.test(line)).slice(-20);
+}
+function servantJournalSummary(servant) {
+  try {
+    const lines = usefulJournalLines((0, import_node_fs15.readFileSync)(servant.journalPath, "utf8"));
+    return { lines, hasHandoff: lines.some((line) => /\b(handoff|evidence|recommended|recommendation)\b/i.test(line)) };
+  } catch {
+    return { lines: [], hasHandoff: false };
+  }
+}
 function runJson(run, extra = {}) {
   return {
     ok: true,
@@ -10308,15 +10507,19 @@ function runJson(run, extra = {}) {
     state: run.state,
     task: run.task,
     count: run.servants.length,
+    engine: run.engine,
     controllerPid: run.controllerPid,
     statePath: run.statePath,
+    ledgerPath: run.ledgerPath,
     servants: run.servants.map((servant) => ({
       name: servant.name,
       role: servant.role,
       model: servant.model,
       state: servant.state,
       pid: servant.pid,
-      journalPath: servant.journalPath
+      journalPath: servant.journalPath,
+      engine: servant.engine,
+      opencodeSessionId: servant.opencodeSessionId
     })),
     ...extra
   };
@@ -10333,15 +10536,19 @@ function registerOverlordCommands(program3, deps = {}) {
   const cwd = deps.cwd ?? (() => process.cwd());
   const now = deps.now ?? (() => /* @__PURE__ */ new Date());
   const preflight2 = deps.preflight ?? collectCodexFuguPreflight;
+  const opencodePreflight = deps.opencodePreflight ?? collectOpenCodePreflight;
   const startController = deps.startController ?? defaultStartController;
+  const runOpenCode = deps.runOpenCode ?? defaultRunOpenCode;
   const isPidAlive = deps.isPidAlive ?? defaultIsPidAlive;
   const killPid = deps.killPid ?? defaultKillPid;
-  const overlord = program3.command("overlord").description("coordinate one Ultra and normal Fugu servants for hard org work").allowUnknownOption(true).argument("[task...]", "task for the Overlord system").option("--3", "run one Ultra and two normal Fugus").option("--4", "run one Ultra and three normal Fugus").option("--5", "run one Ultra and four normal Fugus").option("--6", "run one Ultra and five normal Fugus").option("--json", "print machine-readable output").action((task = [], options) => {
+  const overlord = program3.command("overlord").description("coordinate one Ultra and normal Fugu servants for hard org work").allowUnknownOption(true).argument("[task...]", "task for the Overlord system").option("--3", "run one Ultra and two normal Fugus").option("--4", "run one Ultra and three normal Fugus").option("--5", "run one Ultra and four normal Fugus").option("--6", "run one Ultra and five normal Fugus").option("--engine <engine>", "servant engine: opencode or codex-fugu", "codex-fugu").option("--json", "print machine-readable output").action((task = [], options) => {
     try {
       const args = [...countArgsFromOptions(options), ...task];
       const root = cwd();
       const plan2 = buildOverlordStartupPlan(args, root);
-      const preflightReport = preflight2();
+      const engine = `${options.engine ?? "codex-fugu"}`;
+      if (engine !== "codex-fugu" && engine !== "opencode") throw new Error("--engine must be opencode or codex-fugu");
+      const preflightReport = engine === "opencode" ? opencodePreflight() : preflight2();
       if (!preflightReport.ok) {
         err(`${renderCodexFuguPreflightFailure(preflightReport)}
 `);
@@ -10357,19 +10564,25 @@ function registerOverlordCommands(program3, deps = {}) {
         task: plan2.task,
         cwd: root,
         count: plan2.count,
+        engine,
         now,
         runId: deps.runId,
         runToken: deps.runToken
       });
       writeOverlordRegistry(plan2.statePath, { activeRunId: run.runId, runs: { ...registry2.runs, [run.runId]: run } });
-      const controller = startController(run);
-      if (controller.pid != null) {
-        run = recordOverlordHeartbeat(run, {
-          controllerPid: controller.pid,
-          fingerprint: controller.fingerprint,
-          now
-        });
+      if (engine === "opencode") {
+        run = startOpenCodeServants(run, runOpenCode, now);
         writeOverlordRegistry(plan2.statePath, { activeRunId: run.runId, runs: { ...registry2.runs, [run.runId]: run } });
+      } else {
+        const controller = startController(run);
+        if (controller.pid != null) {
+          run = recordOverlordHeartbeat(run, {
+            controllerPid: controller.pid,
+            fingerprint: controller.fingerprint,
+            now
+          });
+          writeOverlordRegistry(plan2.statePath, { activeRunId: run.runId, runs: { ...registry2.runs, [run.runId]: run } });
+        }
       }
       if (options.json) out(`${JSON.stringify(runJson(run, { nextPhase: "consult-servants" }), null, 2)}
 `);
@@ -10404,15 +10617,32 @@ function registerOverlordCommands(program3, deps = {}) {
       if (!hasServantTarget(run, normalized)) throw new Error(`unknown Overlord servant target: ${target}`);
       const text = message.join(" ").trim();
       if (!text) throw new Error("message is required");
+      const timestamp = isoNow(now);
       const queued = {
         id: deps.runId?.() ?? defaultMessageId(),
         target: normalized,
         text,
-        createdAt: isoNow(now)
+        createdAt: timestamp,
+        queuedAt: timestamp,
+        state: "queued"
       };
+      if (run.engine === "opencode") {
+        const dispatched = dispatchOpenCodeMessage(run, queued, runOpenCode, now);
+        writeOverlordRegistry(statePath, { ...registry2, runs: { ...registry2.runs, [run.runId]: dispatched } });
+        const settled = (dispatched.messages ?? []).find((m) => m.id === queued.id);
+        const ok = settled?.state === "completed";
+        const payload2 = { ok, runId: run.runId, target: normalized, messageId: queued.id, state: settled?.state, responseText: settled?.responseText, statePath };
+        if (json) out(`${JSON.stringify(payload2, null, 2)}
+`);
+        else out(`Message ${queued.id} ${ok ? "completed" : "failed"} for ${normalized}.
+State: ${statePath}
+`);
+        if (!ok) process.exitCode = 1;
+        return;
+      }
       const next = {
         ...run,
-        updatedAt: isoNow(now),
+        updatedAt: timestamp,
         messages: [...run.messages ?? [], queued]
       };
       writeOverlordRegistry(statePath, {
@@ -10448,12 +10678,74 @@ State: ${payload2.statePath}
 `);
       return;
     }
-    const summary = summarizeOverlordRun(run, { isPidAlive });
-    const payload = { ...summary, statePath, task: run.task };
+    const summary = summarizeOverlordRun(run, { isPidAlive, now });
+    const current = now();
+    const payload = {
+      ...summary,
+      statePath,
+      task: run.task,
+      engine: run.engine,
+      ledgerPath: run.ledgerPath,
+      sessions: run.servants.map((servant) => ({
+        name: servant.name,
+        slotId: servant.slotId,
+        engine: servant.engine,
+        opencodeSessionId: servant.opencodeSessionId,
+        eventJournalPath: servant.eventJournalPath,
+        lastEventAt: servant.lastEventAt,
+        lastMessageCompletedAt: servant.lastMessageCompletedAt
+      })),
+      messages: (run.messages ?? []).map((message) => ({
+        id: message.id,
+        target: message.target,
+        state: messageProgress(message, current),
+        queuedAt: message.queuedAt ?? message.createdAt,
+        startedAt: message.startedAt ?? message.deliveredAt,
+        completedAt: message.completedAt,
+        failedAt: message.failedAt,
+        ackText: message.ackText,
+        responseText: message.responseText,
+        eventJournalPath: message.eventJournalPath,
+        failureReason: message.failureReason
+      }))
+    };
     if (json) out(`${JSON.stringify(payload, null, 2)}
 `);
     else out(`${renderOverlordStatus(summary, run)}
 State: ${statePath}
+`);
+  });
+  overlord.command("collect").description("summarize servant handoff/liveness evidence from the active Overlord journals").option("--json", "print machine-readable output").action((options, command) => {
+    const json = wantsJson(options, command);
+    const statePath = defaultOverlordStatePath(cwd());
+    const registry2 = readOverlordRegistry(statePath);
+    const run = findActiveRun(registry2);
+    if (!run) {
+      const payload2 = { active: false, statePath, message: "no active Overlord run found" };
+      if (json) out(`${JSON.stringify(payload2, null, 2)}
+`);
+      else out(`No active Overlord run found.
+State: ${payload2.statePath}
+`);
+      return;
+    }
+    const current = now();
+    const servants = run.servants.map((servant) => {
+      const journal = servantJournalSummary(servant);
+      return {
+        slotId: servant.slotId,
+        name: servant.name,
+        state: servantProgress(run, servant, current),
+        hasHandoff: journal.hasHandoff,
+        journalPath: servant.journalPath,
+        lines: journal.lines
+      };
+    });
+    const payload = { active: true, runId: run.runId, statePath, servants };
+    if (json) out(`${JSON.stringify(payload, null, 2)}
+`);
+    else out(`${servants.map((servant) => `${servant.name}: ${servant.state}; handoff=${servant.hasHandoff ? "yes" : "no"}; ${servant.journalPath}`).join("\n")}
+State: ${statePath}
 `);
   });
   overlord.command("stop").description("stop only exact run-owned Overlord resources").option("--json", "print machine-readable output").action((options, command) => {
@@ -12776,14 +13068,14 @@ async function auditRepoCi(repo, deps) {
   if (deployableGated) {
     checks.push({
       ok: hasGateWorkflow,
-      label: "gate workflow committed",
-      detail: hasGateWorkflow ? void 0 : `missing ${PRODUCT_GATE_PATH}`,
+      label: `gate workflow committed on ${baseBranch}`,
+      detail: hasGateWorkflow ? `read ${PRODUCT_GATE_PATH} at refs/heads/${baseBranch}` : `missing ${PRODUCT_GATE_PATH} at refs/heads/${baseBranch}`,
       remediation: `mmi-cli bootstrap apply ${repo} --class deployable --execute (seeds gate.yml)`
     });
     checks.push({
       ok: await contentExists(deps, repo, baseBranch, PRODUCT_RULESET_REF),
-      label: "product ruleset reference committed",
-      detail: `expected ${PRODUCT_RULESET_REF}`,
+      label: `product ruleset reference committed on ${baseBranch}`,
+      detail: `read ${PRODUCT_RULESET_REF} at refs/heads/${baseBranch}`,
       remediation: `mmi-cli bootstrap apply ${repo} --class deployable --execute`
     });
   }
@@ -15483,7 +15775,8 @@ var OVERGRANT_ROLES = /* @__PURE__ */ new Set(["admin", "maintain"]);
 var REQUIRED_DATA_ACCESS = {
   "mutmutco/MM-Chat": [{ name: "kb-projection-reader", dbRole: "kb_reader", vaultParamNeedle: "KB_READ_DB_URL" }]
 };
-function lockedBranches(repoClass) {
+function lockedBranches(repoClass, releaseTrack) {
+  if (releaseTrack) return branchesForTrack(releaseTrack);
   return repoClass === "content" ? ["main"] : ["development", "rc", "main"];
 }
 function safeJson(text, fallback) {
@@ -15610,14 +15903,15 @@ function auditDataAccessContracts(repo, contracts = { consumers: {} }) {
   }
   return findings;
 }
-async function auditRepoAccess(repo, repoClass, owners, deps, projectAdmins = /* @__PURE__ */ new Set(), dataAccess) {
+async function auditRepoAccess(repo, repoClass, owners, deps, projectAdmins = /* @__PURE__ */ new Set(), dataAccess, releaseTrack) {
   const findings = [];
   findings.push(...await auditRepoCollaborators(repo, owners, deps));
   if (dataAccess) findings.push(...auditDataAccessContracts(repo, dataAccess));
-  for (const branch of lockedBranches(repoClass)) {
+  const track = releaseTrack ?? (repoClass === "content" ? "trunk" : void 0);
+  for (const branch of lockedBranches(repoClass, track)) {
     findings.push(...await auditTrainBranch(repo, branch, owners, deps, projectAdmins));
   }
-  return { repo, class: repoClass, ok: !findings.some((f) => f.severity === "high"), findings };
+  return { repo, class: repoClass, releaseTrack: track, ok: !findings.some((f) => f.severity === "high"), findings };
 }
 async function auditOrgBasePermission(deps) {
   const org = await restJson2(deps, `orgs/${OWNER}`, {});
@@ -15638,7 +15932,7 @@ async function auditOrgAccess(targets, deps, matrix = {}, dataAccess) {
   const orgFindings = await auditOrgBasePermission(deps);
   const repos = [];
   for (const target of targets) {
-    repos.push(await auditRepoAccess(target.repo, target.class, owners, deps, new Set(entriesValueByCanonicalRepo(matrix, target.repo) ?? []), dataAccess));
+    repos.push(await auditRepoAccess(target.repo, target.class, owners, deps, new Set(entriesValueByCanonicalRepo(matrix, target.repo) ?? []), dataAccess, target.releaseTrack));
   }
   const ok = orgFindings.every((f) => f.severity !== "high") && repos.every((r) => r.ok);
   return { ok, owners: [...owners], orgFindings, repos };
@@ -15658,7 +15952,8 @@ function loadAccessTargets(projectsJson, fanoutJson) {
       seen.add(repo);
       const repoName = repo.split("/").pop()?.toLowerCase() ?? repo.toLowerCase();
       const cls = project2.class === "content" || project2.deployModel === "content" || embeddedContent.has(repo.toLowerCase()) || embeddedContent.has(repoName) || legacyContentNames.has(repo.toLowerCase()) || legacyContentNames.has(repoName) ? "content" : "deployable";
-      targets.push({ repo, class: cls });
+      const releaseTrack = cls === "content" ? "trunk" : resolveReleaseTrack(project2, void 0, repo);
+      targets.push({ repo, class: cls, releaseTrack });
     }
   }
   return targets;
@@ -15708,7 +16003,7 @@ function renderAccessReport(report) {
     if (finding.remediation) lines.push(`      ${finding.remediation}`);
   }
   for (const repo of report.repos) {
-    lines.push(`${repo.ok ? "OK" : "FLAG"} ${repo.repo} (${repo.class})`);
+    lines.push(`${repo.ok ? "OK" : "FLAG"} ${repo.repo} (${repo.class}${repo.releaseTrack ? `, ${repo.releaseTrack}` : ""})`);
     for (const finding of repo.findings) {
       lines.push(`  [${finding.severity}] ${finding.kind}${finding.branch ? ` @${finding.branch}` : ""}: ${finding.detail}`);
       if (finding.remediation) lines.push(`      ${finding.remediation}`);
@@ -16254,6 +16549,23 @@ async function fetchDeployStatusBySlug(slug, deps) {
     return null;
   }
 }
+async function fetchDeployFactsBySlug(slug, deps) {
+  if (!deps.baseUrl || !slug) return null;
+  const token = await deps.token();
+  if (!token) return null;
+  try {
+    const res = await retriedFetch(deps, `${deps.baseUrl.replace(/\/$/, "")}/projects/${encodeURIComponent(slug)}/deploy-facts`, {
+      method: "GET",
+      headers: { Authorization: `Bearer ${token}` }
+    });
+    if (!res.ok) return null;
+    const body = await res.json();
+    if (!body?.stages) return null;
+    return { slug: body.slug ?? slug, stages: body.stages };
+  } catch {
+    return null;
+  }
+}
 async function fetchOrgConfig(deps) {
   if (!deps.baseUrl) return null;
   const token = await deps.token();
@@ -16427,7 +16739,7 @@ function attestedLine(att) {
   return `App-owned readiness attested by @${att.by} on ${att.at.slice(0, 10)} \u2014 the static checklist is cleared (the doctor reads no product repo files); re-run \`mmi-cli project attest\` after app-owned structural changes.`;
 }
 var CONTRACT_UNDECLARED_LINE = "No runtime secrets declared \u2014 declare requiredRuntimeSecrets (a per-stage name map) in the registry META, or attest the app needs none with an explicit empty stage map ({ dev: [], rc: [], main: [] }).";
-function appGapsFor(meta, model, slug, projectType) {
+function appGapsFor(meta, model, slug, projectType, mainDeployFact) {
   const attested = appAttestationOf(meta);
   const isTenantWeb = !(projectType === "content" || model === "content") && projectType !== "desktop-game" && projectType !== "cli-tool" && !(projectType === "non-deployable" || model === "none") && model !== "hub-serverless" && model !== "serverless" && model !== "registry-publish";
   const contractUndeclared = isTenantWeb && Boolean(meta) && !hasRuntimeSecretContract(meta?.requiredRuntimeSecrets);
@@ -16479,8 +16791,12 @@ function appGapsFor(meta, model, slug, projectType) {
   if (slug === "mmi-katip") {
     gaps.push("Katip-specific app plan: declare Google Workspace service-account requirements, use the service account numeric OAuth2 client ID for DWD, remove prod-hidden impersonation defaults, and make non-critical Google Workspace failures degrade instead of crash-looping.");
   }
-  if ((model === "solo-container" || model === "tenant-container") && typeof meta?.portRange?.start === "number") {
-    gaps.push(`Seed DEPLOY#main healthUrl to http://127.0.0.1:${meta.portRange.start}/health during bootstrap (tenant reconcile/control health gate \u2014 #1202).`);
+  if (model === "solo-container" || model === "tenant-container") {
+    if (typeof mainDeployFact?.port === "number") {
+      gaps.push(`Seed DEPLOY#main healthUrl to http://127.0.0.1:${mainDeployFact.port}/health during bootstrap (tenant reconcile/control health gate \u2014 #1202; port read from DEPLOY#main).`);
+    } else if (!appAttestationOf(meta)) {
+      gaps.push("Seed DEPLOY#main healthUrl from the DEPLOY#main edgeVhost.port during bootstrap (tenant reconcile/control health gate \u2014 #1202); doctor has no committed DEPLOY port to cite yet.");
+    }
   }
   if (!meta) gaps.unshift("No app-owned repo changes can be planned precisely until Hub registry META exists.");
   return gaps;
@@ -16525,7 +16841,7 @@ function sameNames(a, b) {
 function sameStageContract(a, b) {
   return STAGES.every((stage2) => sameNames(a[stage2], b[stage2]));
 }
-function buildV2HealPatch(repoOrSlug, meta) {
+function buildV2HealPatch(repoOrSlug, meta, mainDeployFact) {
   const slug = slugOfRepo(repoOrSlug);
   const repo = repoFrom(repoOrSlug, slug);
   const sub = defaultSubdomain(slug);
@@ -16563,7 +16879,7 @@ function buildV2HealPatch(repoOrSlug, meta) {
       patch.requiredRuntimeSecrets = next;
     }
   }
-  const appOwnedGaps = confidentType ? appGapsFor(meta, model, slug, confidentType) : [`Project type is unset and not derivable \u2014 classify with \`mmi-cli project set ${repo} --project-type <web-app|hub-service|content|desktop-game|non-deployable|cli-tool|worker> --deploy-model <tenant-container|solo-container|hub-serverless|serverless|registry-publish|content|none>\` before heal completes the v2 fields (prevents defaulting a non-web repo to tenant-container).`];
+  const appOwnedGaps = confidentType ? appGapsFor(meta, model, slug, confidentType, mainDeployFact) : [`Project type is unset and not derivable \u2014 classify with \`mmi-cli project set ${repo} --project-type <web-app|hub-service|content|desktop-game|non-deployable|cli-tool|worker> --deploy-model <tenant-container|solo-container|hub-serverless|serverless|registry-publish|content|none>\` before heal completes the v2 fields (prevents defaulting a non-web repo to tenant-container).`];
   if (boardRegistryGaps(meta).length) appOwnedGaps.unshift(boardRegistryGapMessage(repo));
   return { slug, patch, appOwnedGaps };
 }
@@ -16608,7 +16924,8 @@ async function buildV2Doctor(repoOrSlug, deps) {
   const meta = read.project;
   const projectType = resolveProjectType(meta, repo);
   const model = resolveDeployModel(meta, repo);
-  const autoHeal = buildV2HealPatch(repo, meta);
+  const mainDeployFact = meta && deps.getDeployFact ? await deps.getDeployFact(slug, "main") : null;
+  const autoHeal = buildV2HealPatch(repo, meta, mainDeployFact);
   if (!meta) {
     const emptySecrets = {
       dev: { required: [], present: [], missing: [] },
@@ -16722,6 +17039,152 @@ function renderReadinessIssueBody(existingBody, report, opts = {}) {
 ${section}`.trim();
 }
 
+// src/readiness-audit.ts
+function publicUrlFromDeployFact(fact) {
+  return fact?.domain ? `https://${fact.domain}` : void 0;
+}
+function tenantRuntimeHints(stage2, fact, probe) {
+  const hints = [];
+  if (!fact) {
+    hints.push(`DEPLOY#${stage2} row missing or state-only; seed deploy coords before runtime audit can prove the endpoint.`);
+    return hints;
+  }
+  if (!fact.sshHostPresent && fact.substrate === "hetzner-ssh") hints.push(`DEPLOY#${stage2} has hetzner-ssh substrate but no sshHost presence; tenant-deploy cannot reach the box.`);
+  if (!fact.domain) hints.push(`DEPLOY#${stage2} has no edgeVhost.domain; Cloudflare/Caddy public URL cannot be derived.`);
+  if (typeof fact.port !== "number") hints.push(`DEPLOY#${stage2} has no edgeVhost.port; Caddy upstream/healthUrl hints cannot be checked.`);
+  if (probe?.ok === false || probe?.status != null && probe.status >= 500) hints.push("Public URL probe failed; for Cloudflare 525 check Caddy TLS/origin certificate and Cloudflare SSL mode before changing app code.");
+  if (stage2 === "rc") hints.push("rc runtime is expected to be ephemeral: present between /rcand and /release, then retired after release.");
+  return hints;
+}
+function buildTenantRuntimeStatus(input) {
+  const publicUrl = publicUrlFromDeployFact(input.deploy);
+  return {
+    repo: input.repo,
+    slug: input.slug,
+    stage: input.stage,
+    deployRowPresent: Boolean(input.deploy?.present),
+    deploy: input.deploy ?? null,
+    publicUrl,
+    publicProbe: input.publicProbe,
+    lastTenantDeployRun: input.lastTenantDeployRun,
+    expectedEphemeralRc: input.stage === "rc",
+    hints: tenantRuntimeHints(input.stage, input.deploy, input.publicProbe)
+  };
+}
+function buildFullTrackReadinessReport(input) {
+  const releaseTrack = resolveReleaseTrack(input.meta, void 0, input.repo);
+  const branches = branchesForTrack(releaseTrack);
+  const reasons = [];
+  if (releaseTrack !== "full") reasons.push(`releaseTrack resolves ${releaseTrack}; set full for development -> rc -> main`);
+  if (!input.trainAuthority?.train) reasons.push("caller does not have train authority");
+  if (!input.deployFacts?.stages.rc?.present) reasons.push("DEPLOY#rc coords missing");
+  const rcRuntime = input.runtime.rc;
+  if (rcRuntime.publicProbe?.ok === false) reasons.push("rc public endpoint probe failed");
+  return {
+    repo: input.repo,
+    slug: input.slug,
+    releaseTrack,
+    branches,
+    trainAuthority: input.trainAuthority,
+    deployFacts: input.deployFacts,
+    rcand: { canApply: reasons.length === 0, reasons },
+    runtime: input.runtime
+  };
+}
+
+// src/oauth.ts
+var DEFAULT_DOMAINS = ["mutatismutandis.co", "mutmut.co"];
+var DEFAULT_CALLBACK_PATH = "/api/auth/callback";
+var ENV_PREFIXES = ["", "dev", "rc"];
+var LOOPBACK = ["http://localhost", "http://127.0.0.1"];
+var SSM_ENVS = ["dev", "rc", "main"];
+var SSM_NAMES = ["GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET"];
+var uniq = (xs) => [...new Set(xs)];
+function defaultSubdomain2(slug) {
+  const i = slug.indexOf("-");
+  return i === -1 ? slug : slug.slice(i + 1);
+}
+function expectedHosts(cfg) {
+  const out = [];
+  for (const sub of cfg.subdomains) {
+    for (const domain of cfg.domains) {
+      const base = sub ? `${sub}.${domain}` : domain;
+      for (const env of ENV_PREFIXES) out.push(env ? `${env}.${base}` : base);
+    }
+  }
+  if (cfg.fofuSubdomain !== void 0) {
+    out.push(cfg.fofuSubdomain ? `${cfg.fofuSubdomain}.fofu.ai` : "fofu.ai");
+  }
+  return uniq(out);
+}
+function expectedJsOrigins(cfg) {
+  return uniq([...expectedHosts(cfg).map((h) => `https://${h}`), ...LOOPBACK]);
+}
+function expectedRedirectUris(cfg) {
+  const { callbackPath } = cfg;
+  return uniq([
+    ...expectedHosts(cfg).map((h) => `https://${h}${callbackPath}`),
+    ...LOOPBACK.map((l) => `${l}${callbackPath}`)
+  ]);
+}
+function oauthSsmKeys() {
+  return SSM_ENVS.flatMap((env) => SSM_NAMES.map((name) => `${env}/${name}`));
+}
+function parseOauthClientJson(input) {
+  let parsed;
+  try {
+    parsed = JSON.parse(input);
+  } catch {
+    throw new Error('not valid JSON \u2014 pipe the Google client JSON (the Console "Download JSON" file)');
+  }
+  const root = parsed ?? {};
+  const obj = root.web ?? root.installed ?? parsed;
+  const clientId = typeof obj?.client_id === "string" ? obj.client_id.trim() : "";
+  const clientSecret = typeof obj?.client_secret === "string" ? obj.client_secret.trim() : "";
+  if (!clientId || !clientSecret) {
+    throw new Error("missing client_id or client_secret in the JSON");
+  }
+  return { clientId, clientSecret };
+}
+function parseOauthConfig(mmiConfig, slug) {
+  const rawUnknown = mmiConfig?.oauth;
+  if (rawUnknown === void 0) throw new Error(`oauth is not configured for ${slug}`);
+  if (!rawUnknown || typeof rawUnknown !== "object" || Array.isArray(rawUnknown)) {
+    throw new Error("oauth must be an object when configured");
+  }
+  const raw = rawUnknown;
+  const subdomains = Array.isArray(raw.subdomains) && raw.subdomains.length > 0 ? raw.subdomains.map(String) : [defaultSubdomain2(slug)];
+  const domains = Array.isArray(raw.domains) && raw.domains.length > 0 ? raw.domains.map(String) : [...DEFAULT_DOMAINS];
+  const callbackPath = typeof raw.callbackPath === "string" && raw.callbackPath ? raw.callbackPath : DEFAULT_CALLBACK_PATH;
+  if (!callbackPath.startsWith("/")) {
+    throw new Error(`oauth.callbackPath must start with "/" (got ${JSON.stringify(callbackPath)})`);
+  }
+  if (callbackPath !== DEFAULT_CALLBACK_PATH) {
+    throw new Error(`oauth.callbackPath must be "${DEFAULT_CALLBACK_PATH}" (got ${JSON.stringify(callbackPath)})`);
+  }
+  const meta = mmiConfig ?? {};
+  const rawFofuSub = raw.fofuSubdomain;
+  const fofuSubdomain = meta.fofuEnabled === true ? typeof rawFofuSub === "string" ? rawFofuSub : defaultSubdomain2(slug) : void 0;
+  return { subdomains, domains, callbackPath, fofuSubdomain };
+}
+function probeRedirectUri(callbackPath, port = 9123) {
+  return `http://localhost:${port}${callbackPath}`;
+}
+function buildAuthorizeProbeUrl(clientId, redirectUri) {
+  const qs = new URLSearchParams({
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    response_type: "code",
+    scope: "openid email",
+    access_type: "offline",
+    prompt: "consent"
+  });
+  return `https://accounts.google.com/o/oauth2/v2/auth?${qs.toString()}`;
+}
+function authorizeBodyHasMismatch(body) {
+  return /redirect_uri_mismatch/i.test(body);
+}
+
 // src/project-set.ts
 var UNSET_KEYS = ["oauth", "requiredRuntimeSecrets", "edgeDomains", "requiredGcpApis", "publishRequired", "publishDir", "dsManifestPath", "dashboard", "fofuEnabled", "consumesDesignSystem", "ci", "requiredChecks", "gate"];
 var UNSET_KEY_SET = new Set(UNSET_KEYS);
@@ -16843,7 +17306,7 @@ function parseOauthVar(raw) {
   try {
     parsed = JSON.parse(raw);
   } catch {
-    throw new Error('project set: oauth must be JSON, e.g. {"subdomains":["app"],"domains":["example.co"],"callbackPath":"/auth/callback"}');
+    throw new Error(`project set: oauth must be JSON, e.g. {"subdomains":["app"],"domains":["example.co"],"callbackPath":"${DEFAULT_CALLBACK_PATH}"}`);
   }
   if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
     throw new Error("project set: oauth must be a {subdomains,domains,callbackPath,fofuSubdomain} object");
@@ -16858,7 +17321,11 @@ function parseOauthVar(raw) {
       out[key] = value.map((v) => v.trim());
     } else if (key === "callbackPath") {
       if (typeof value !== "string" || !value.trim()) throw new Error("project set: oauth.callbackPath must be a non-empty string");
-      out.callbackPath = value.trim();
+      const callbackPath = value.trim();
+      if (callbackPath !== DEFAULT_CALLBACK_PATH) {
+        throw new Error(`project set: oauth.callbackPath must be "${DEFAULT_CALLBACK_PATH}" (got ${JSON.stringify(callbackPath)})`);
+      }
+      out.callbackPath = callbackPath;
     } else if (key === "fofuSubdomain") {
       if (typeof value !== "string") throw new Error('project set: oauth.fofuSubdomain must be a string ("" selects the apex fofu.ai)');
       out.fofuSubdomain = value.trim();
@@ -17640,6 +18107,11 @@ async function secretsList(deps, opts) {
   const { secrets } = await res.json();
   deps.log(formatSecretList(secrets ?? []));
 }
+var CAPABILITIES_TIMEOUT_MS = 2e4;
+function isTimeoutError(e) {
+  const name = e?.name;
+  return name === "TimeoutError" || name === "AbortError";
+}
 function formatCapabilities(r) {
   const head = `@${r.login} on ${r.repo} \u2014 ${r.role}`;
   const items = [...r.capabilities ?? []].sort((a, b) => a.scope.localeCompare(b.scope));
@@ -17670,10 +18142,15 @@ async function secretsCapabilities(deps, opts) {
     res = await deps.fetch(`${deps.apiUrl}/secrets/capabilities?${qs}`, {
       method: "GET",
       headers: await deps.headers(),
-      signal: AbortSignal.timeout(TIMEOUT_MS2)
+      signal: AbortSignal.timeout(CAPABILITIES_TIMEOUT_MS)
     });
   } catch (e) {
-    deps.err(`access capabilities: ${e.message}`);
+    const message = e.message;
+    if (isTimeoutError(e)) {
+      deps.err(`access capabilities: timed out after ${CAPABILITIES_TIMEOUT_MS}ms while aggregating vault scopes for ${repo}. No access conclusion was made; retry with a warm Hub or run scoped reads such as \`mmi-cli secrets list --repo ${repo}\` while investigating the slow source.`);
+      return;
+    }
+    deps.err(`access capabilities: ${message}`);
     return;
   }
   if (!res.ok) {
@@ -18297,96 +18774,6 @@ function registerEdgeCommands(program3) {
   });
 }
 
-// src/oauth.ts
-var DEFAULT_DOMAINS = ["mutatismutandis.co", "mutmut.co"];
-var DEFAULT_CALLBACK_PATH = "/api/auth/callback";
-var ENV_PREFIXES = ["", "dev", "rc"];
-var LOOPBACK = ["http://localhost", "http://127.0.0.1"];
-var SSM_ENVS = ["dev", "rc", "main"];
-var SSM_NAMES = ["GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET"];
-var uniq = (xs) => [...new Set(xs)];
-function defaultSubdomain2(slug) {
-  const i = slug.indexOf("-");
-  return i === -1 ? slug : slug.slice(i + 1);
-}
-function expectedHosts(cfg) {
-  const out = [];
-  for (const sub of cfg.subdomains) {
-    for (const domain of cfg.domains) {
-      const base = sub ? `${sub}.${domain}` : domain;
-      for (const env of ENV_PREFIXES) out.push(env ? `${env}.${base}` : base);
-    }
-  }
-  if (cfg.fofuSubdomain !== void 0) {
-    out.push(cfg.fofuSubdomain ? `${cfg.fofuSubdomain}.fofu.ai` : "fofu.ai");
-  }
-  return uniq(out);
-}
-function expectedJsOrigins(cfg) {
-  return uniq([...expectedHosts(cfg).map((h) => `https://${h}`), ...LOOPBACK]);
-}
-function expectedRedirectUris(cfg) {
-  const { callbackPath } = cfg;
-  return uniq([
-    ...expectedHosts(cfg).map((h) => `https://${h}${callbackPath}`),
-    ...LOOPBACK.map((l) => `${l}${callbackPath}`)
-  ]);
-}
-function oauthSsmKeys() {
-  return SSM_ENVS.flatMap((env) => SSM_NAMES.map((name) => `${env}/${name}`));
-}
-function parseOauthClientJson(input) {
-  let parsed;
-  try {
-    parsed = JSON.parse(input);
-  } catch {
-    throw new Error('not valid JSON \u2014 pipe the Google client JSON (the Console "Download JSON" file)');
-  }
-  const root = parsed ?? {};
-  const obj = root.web ?? root.installed ?? parsed;
-  const clientId = typeof obj?.client_id === "string" ? obj.client_id.trim() : "";
-  const clientSecret = typeof obj?.client_secret === "string" ? obj.client_secret.trim() : "";
-  if (!clientId || !clientSecret) {
-    throw new Error("missing client_id or client_secret in the JSON");
-  }
-  return { clientId, clientSecret };
-}
-function parseOauthConfig(mmiConfig, slug) {
-  const rawUnknown = mmiConfig?.oauth;
-  if (rawUnknown === void 0) throw new Error(`oauth is not configured for ${slug}`);
-  if (!rawUnknown || typeof rawUnknown !== "object" || Array.isArray(rawUnknown)) {
-    throw new Error("oauth must be an object when configured");
-  }
-  const raw = rawUnknown;
-  const subdomains = Array.isArray(raw.subdomains) && raw.subdomains.length > 0 ? raw.subdomains.map(String) : [defaultSubdomain2(slug)];
-  const domains = Array.isArray(raw.domains) && raw.domains.length > 0 ? raw.domains.map(String) : [...DEFAULT_DOMAINS];
-  const callbackPath = typeof raw.callbackPath === "string" && raw.callbackPath ? raw.callbackPath : DEFAULT_CALLBACK_PATH;
-  if (!callbackPath.startsWith("/")) {
-    throw new Error(`oauth.callbackPath must start with "/" (got ${JSON.stringify(callbackPath)})`);
-  }
-  const meta = mmiConfig ?? {};
-  const rawFofuSub = raw.fofuSubdomain;
-  const fofuSubdomain = meta.fofuEnabled === true ? typeof rawFofuSub === "string" ? rawFofuSub : defaultSubdomain2(slug) : void 0;
-  return { subdomains, domains, callbackPath, fofuSubdomain };
-}
-function probeRedirectUri(callbackPath, port = 9123) {
-  return `http://localhost:${port}${callbackPath}`;
-}
-function buildAuthorizeProbeUrl(clientId, redirectUri) {
-  const qs = new URLSearchParams({
-    client_id: clientId,
-    redirect_uri: redirectUri,
-    response_type: "code",
-    scope: "openid email",
-    access_type: "offline",
-    prompt: "consent"
-  });
-  return `https://accounts.google.com/o/oauth2/v2/auth?${qs.toString()}`;
-}
-function authorizeBodyHasMismatch(body) {
-  return /redirect_uri_mismatch/i.test(body);
-}
-
 // src/doctor-run.ts
 var import_node_fs28 = require("node:fs");
 var import_node_child_process14 = require("node:child_process");
@@ -21917,6 +22304,20 @@ tenant.command("control <owner/repo> <stage> <action>").description("run bounded
     return failGraceful(`tenant control: ${e.message}`);
   }
 });
+tenant.command("status <owner/repo> <stage>").description("read tenant runtime readiness without dispatching tenant-control: DEPLOY row, last deploy run, public URL probe, and TLS/Caddy/Cloudflare hints").option("--json", "machine-readable output").action(async (repo, stage2, _o) => {
+  if (!["dev", "rc", "main"].includes(stage2)) return fail("tenant status: <stage> must be dev, rc, or main");
+  const cfg = await loadConfig();
+  const result = await buildTenantRuntimeStatusFor(repo, stage2, cfg);
+  console.log(JSON.stringify(result, null, 2));
+  if (result.publicProbe?.ok === false) process.exitCode = 1;
+});
+tenant.command("readiness <owner/repo> <stage>").description("alias for tenant status: read-only tenant runtime readiness").option("--json", "machine-readable output").action(async (repo, stage2, _o) => {
+  if (!["dev", "rc", "main"].includes(stage2)) return fail("tenant readiness: <stage> must be dev, rc, or main");
+  const cfg = await loadConfig();
+  const result = await buildTenantRuntimeStatusFor(repo, stage2, cfg);
+  console.log(JSON.stringify(result, null, 2));
+  if (result.publicProbe?.ok === false) process.exitCode = 1;
+});
 tenant.command("redeploy <owner/repo> <stage>").description("re-dispatch the central tenant-deploy.yml for an already-promoted ref (no re-tag/merge); train-authority gated").option("--ref <ref>", "ref to deploy (defaults to the stage branch rc/main \u2014 the promoted ref)").option("--watch", "block on the dispatched run and report its outcome (gh run watch --exit-status)").option("--json", "machine-readable output").action(async (repo, stage2, o) => {
   if (stage2 !== "rc" && stage2 !== "main") return fail("tenant redeploy: <stage> must be rc or main");
   try {
@@ -21959,6 +22360,44 @@ async function resolveDnsBounded(host, timeoutMs = 3e3) {
   });
   return Promise.race([probe, timeout]);
 }
+async function probeHttpBounded(url, timeoutMs = 5e3) {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), timeoutMs);
+  timeout.unref?.();
+  try {
+    const res = await fetch(url, { method: "GET", signal: controller.signal });
+    return { ok: res.ok, status: res.status };
+  } catch (e) {
+    return { ok: false, error: e.message };
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function lastWorkflowRun(workflow) {
+  try {
+    const out = await execFileP2("gh", ["run", "list", "--repo", HUB_REPO3, "--workflow", workflow, "--limit", "1", "--json", "databaseId,url,status,conclusion,headBranch,headSha,createdAt"], { timeout: 2e4 });
+    const rows = JSON.parse(out.stdout || "[]");
+    return rows[0];
+  } catch {
+    return void 0;
+  }
+}
+async function buildTenantRuntimeStatusFor(target, stage2, cfg) {
+  const slug = slugOf(target);
+  const reg = registryClientDeps(cfg);
+  const facts = await fetchDeployFactsBySlug(slug, reg);
+  const deploy = facts?.stages[stage2] ?? null;
+  const publicUrl = publicUrlFromDeployFact(deploy);
+  const publicProbe = publicUrl ? await probeHttpBounded(publicUrl) : void 0;
+  return buildTenantRuntimeStatus({
+    repo: target,
+    slug,
+    stage: stage2,
+    deploy,
+    publicProbe,
+    lastTenantDeployRun: await lastWorkflowRun("tenant-deploy.yml")
+  });
+}
 async function v2ReadinessDeps(cfg) {
   const reg = registryClientDeps(cfg);
   return {
@@ -21973,6 +22412,11 @@ async function v2ReadinessDeps(cfg) {
       const status = await fetchDeployStatusBySlug(slug, reg);
       return Boolean(status?.deployState[stage2]);
     },
+    getDeployFact: async (slug, stage2) => {
+      const facts = await fetchDeployFactsBySlug(slug, reg);
+      const fact = facts?.stages[stage2];
+      return fact ? { port: fact.port, domain: fact.domain } : null;
+    },
     listSecrets: async (targetRepo2) => {
       const apiUrl = cfg.sagaApiUrl;
       if (!apiUrl) throw new Error("Hub API URL not configured \u2014 cannot verify secret names (set sagaApiUrl)");
@@ -22060,7 +22504,7 @@ deploys run centrally (tenant-deploy.yml); product repos carry no deploy files.
   }
 });
 project.command("resolve <owner/repo>").description("deploy coords for a stage \u2014 for diagnosis. NOTE: /deploy-coords is OIDC-gated (a deploy job\u2019s id-token), so a gh-token CLI cannot read it from a dev machine").option("--stage <main|rc>", "deploy stage", "main").option("--json", "machine-readable output").action((_repoOrRepo, o) => {
-  const msg = "project resolve: deploy coords are served only to a deploy workflow (GitHub OIDC id-token, repo-scoped). A gh-token CLI on a dev machine cannot read /deploy-coords; inspect the DEPLOY# item via a master registry (DDB) read instead.";
+  const msg = "project resolve: deploy coords are served only to a deploy workflow (GitHub OIDC id-token, repo-scoped). A gh-token CLI on a dev machine cannot read /deploy-coords; inspect nonsecret DEPLOY facts with `mmi-cli project deploy get`. Full coords stay OIDC-gated.";
   if (o.json) {
     console.log(JSON.stringify({ ok: false, stage: o.stage, error: msg }));
     process.exitCode = 1;
@@ -22068,6 +22512,37 @@ project.command("resolve <owner/repo>").description("deploy coords for a stage \
   }
   fail(msg);
 });
+var projectDeploy = project.command("deploy").description("read nonsecret DEPLOY# facts (domain, port, deploy path, substrate, host presence)");
+projectDeploy.command("get [owner/repo]").description("read nonsecret DEPLOY# facts for one project; defaults to the current repo").option("--stage <stage>", "dev | rc | main").option("--json", "machine-readable output").action(async (repoOrSlug, o) => {
+  const cfg = await loadConfig();
+  let target;
+  try {
+    target = await projectTarget("project deploy get", repoOrSlug);
+  } catch (e) {
+    return fail(e.message);
+  }
+  const out = await fetchDeployFactsBySlug(slugOf(target), registryClientDeps(cfg));
+  if (!out) return failGraceful(`project deploy get: Hub deploy facts read failed for ${target}`);
+  const stage2 = o.stage?.trim();
+  if (stage2 && !["dev", "rc", "main"].includes(stage2)) return fail("project deploy get: --stage must be dev, rc, or main");
+  const payload = stage2 ? { slug: out.slug, stage: stage2, deploy: out.stages[stage2] ?? null } : out;
+  console.log(JSON.stringify(payload));
+});
+projectDeploy.command("list [owner/repo]").description("alias for project deploy get; lists all stages by default").option("--stage <stage>", "dev | rc | main").option("--json", "machine-readable output").action(async (repoOrSlug, o) => {
+  const cfg = await loadConfig();
+  let target;
+  try {
+    target = await projectTarget("project deploy list", repoOrSlug);
+  } catch (e) {
+    return fail(e.message);
+  }
+  const out = await fetchDeployFactsBySlug(slugOf(target), registryClientDeps(cfg));
+  if (!out) return failGraceful(`project deploy list: Hub deploy facts read failed for ${target}`);
+  const stage2 = o.stage?.trim();
+  if (stage2 && !["dev", "rc", "main"].includes(stage2)) return fail("project deploy list: --stage must be dev, rc, or main");
+  const payload = stage2 ? { slug: out.slug, stage: stage2, deploy: out.stages[stage2] ?? null } : out;
+  console.log(JSON.stringify(payload));
+});
 project.command("doctor [owner/repo]").description("diagnose Hub v2 readiness for a repo without reading product repo files \u2014 appOwnedGaps are advisory templates; clear them with `project attest`; defaults to the current repo").option("--v2", "compatibility flag; v2 readiness is the default").option("--json", "machine-readable output").action(async (repo, _o) => {
   const cfg = await loadConfig();
   let target;
@@ -22160,6 +22635,31 @@ project.command("set [owner/repo]").description("upsert project META (idempotent
   const res = await upsertProject(slug, { ...patch, repo }, registryClientDeps(cfg));
   return reportWrite("project set", res);
 });
+var fullTrack = program2.command("full-track").description("direct-to-full-track readiness audits");
+fullTrack.command("readiness <owner/repo>").description("aggregate branch topology, train authority, deploy facts, endpoint health, and rcand readiness for direct -> full switches").option("--json", "machine-readable output").action(async (repo, _o) => {
+  const cfg = await loadConfig();
+  const reg = registryClientDeps(cfg);
+  const slug = slugOf(repo);
+  const [metaRead, deployFacts, authority, dev, rc, main] = await Promise.all([
+    fetchProjectBySlugChecked(slug, reg),
+    fetchDeployFactsBySlug(slug, reg),
+    fetchTrainAuthority(repo, reg),
+    buildTenantRuntimeStatusFor(repo, "dev", cfg),
+    buildTenantRuntimeStatusFor(repo, "rc", cfg),
+    buildTenantRuntimeStatusFor(repo, "main", cfg)
+  ]);
+  if (!metaRead.ok) return failGraceful(`full-track readiness: Hub registry read failed (${metaRead.error})`);
+  const report = buildFullTrackReadinessReport({
+    repo,
+    slug,
+    meta: metaRead.project,
+    deployFacts,
+    trainAuthority: authority.ok ? authority.authority : void 0,
+    runtime: { dev, rc, main }
+  });
+  console.log(JSON.stringify(report, null, 2));
+  if (!report.rcand.canApply) process.exitCode = 1;
+});
 project.command("set-deploy [owner/repo]").description("write the DEPLOY#<stage> Hetzner deploy coords for a tenant (master-only) \u2014 the explicit-coords path that seeds a freshly-bootstrapped tenant; defaults to the current repo").requiredOption("--stage <stage>", "dev | rc | main").option("--ssh-host <host>", "the box address the deploy ssh-es into (required for hetzner-ssh)").option("--ssh-user <user>", "ssh user (default root)").option("--port <port>", "loopback port the container binds / Caddy upstream (1..65535)").option("--substrate <substrate>", "hetzner-ssh (default)").option("--deploy-path <path>", "on-box per-stage release root (default /opt/mmi/<slug>/<stage>)").option("--service <name>", "systemd/compose service name (default the slug)").option("--domain <domain>", "canonical serving host (default the project edgeDomains[stage])").option("--alias <domain...>", "extra serving hostname the box Caddy answers (repeatable)").option("--json", "machine-readable output").action(async (repoOrSlug, o) => {
   const cfg = await loadConfig();
   let target;
@@ -23590,7 +24090,7 @@ async function resolveRcandPlanTargets() {
   }
 }
 for (const commandName of ["rcand", "release"]) {
-  program2.command(commandName).description(`plan ${commandName} train operations; mutations require explicit master-admin approval`).option("--json", "machine-readable output").option("--watch", "block on the deploy/publish workflow runs and report their outcomes").option("--apply", "execute the guarded master-only train after explicit approval").option("--announce-summary-file <path>", "release only: agent-curated summary lines for the Hub Slack announcement (#883)").option("--ack <shas>", "release only: comma-separated dev shas a human verified are in the candidate, overriding the hotfix-coverage guard for a conflicted port whose -x trailer was lost (#958)").option("--dev", "release only: full-track repos release development -> main directly, skipping rc (refuses if rc carries content not in development; no-op on direct-track repos) (#1062)").action(async (o) => {
+  program2.command(commandName).description(`plan ${commandName} train operations; mutations require explicit master-admin approval`).option("--json", "machine-readable output").option("--watch", "block on the deploy/publish workflow runs and report their outcomes").option("--apply", "execute the guarded master-only train after explicit approval").option("--announce-summary-file <path>", "release only: agent-curated summary lines for the Hub Slack announcement (#883)").option("--ack <shas>", "release only: comma-separated dev shas a human verified are in the candidate, overriding the hotfix-coverage guard for a conflicted port whose -x trailer was lost (#958)").option("--dev", "release only: full-track repos release development -> main directly, skipping rc (refuses if rc carries content not in development; no-op on direct-track repos) (#1062)").option("--repo <owner/repo>", "dry-run plan for a target repo without relying on the current checkout; --apply still uses the current checkout").action(async (o) => {
     try {
       await requireFreshTrainCli(commandName);
     } catch (e) {
@@ -23602,6 +24102,9 @@ for (const commandName of ["rcand", "release"]) {
     if (o.dev && commandName !== "release") {
       return fail("--dev applies only to release: it ships development -> main skipping rc, which rcand cannot do");
     }
+    if (o.apply && o.repo) {
+      return fail(`${commandName}: --repo is read-only for dry-run planning; --apply must run from the target repo checkout`);
+    }
     if (o.apply) {
       try {
         const ack = (o.ack ?? "").split(",").map((s) => s.trim()).filter(Boolean);
@@ -23611,8 +24114,8 @@ for (const commandName of ["rcand", "release"]) {
         return failGraceful(`${commandName}: ${e.message}`);
       }
     }
-    const repo = await resolveRepo();
-    const targets = commandName === "rcand" ? await resolveRcandPlanTargets() : void 0;
+    const repo = o.repo ?? await resolveRepo();
+    const targets = commandName === "rcand" && !o.repo ? await resolveRcandPlanTargets() : void 0;
     let releaseTrack;
     if (repo) {
       try {
@@ -24026,7 +24529,9 @@ access.command("audit").description("audit collaborator roles + train-branch pus
   const registryProjects = await fetchProjectsList(registryClientDeps(cfg));
   if (o.repo) {
     if (o.class !== "deployable" && o.class !== "content") return failGraceful("access audit: --class must be deployable or content");
-    targets = [{ repo: o.repo, class: o.class }];
+    const meta = registryProjects?.find((project2) => (project2.repos ?? []).some((repo) => repo.toLowerCase() === o.repo.toLowerCase())) ?? null;
+    const repoClass = o.class;
+    targets = [{ repo: o.repo, class: repoClass, releaseTrack: repoClass === "content" ? "trunk" : resolveReleaseTrack(meta, void 0, o.repo) }];
   } else {
     const projectsJson = registryProjects ? JSON.stringify({ projects: registryProjects }) : (0, import_node_fs29.existsSync)("projects.json") ? (0, import_node_fs29.readFileSync)("projects.json", "utf8") : null;
     if (!projectsJson) return failGraceful("access audit: no project registry \u2014 Hub API unreachable and projects.json not found; run from the MMI-Hub repo root or pass --repo <owner/repo>");

package/dist/overlord-controller.cjs

@@ -240,7 +240,7 @@ function deliverPendingMessages() {
   if (!run?.messages?.length) return;
   let changed = false;
   const nextMessages = run.messages.map((message) => {
-    if (message.deliveredAt) return message;
+    if (message.startedAt || message.completedAt || message.failedAt || message.deliveredAt) return message;
     const targets = messageTargets(run, message.target);
     if (!targets.length) return message;
     const liveTargets = targets.map((servant) => servants.get(servant.slotId));
@@ -248,7 +248,7 @@ function deliverPendingMessages() {
     for (const child of liveTargets) child?.write(`${message.text}\r
 `);
     changed = true;
-    return { ...message, deliveredAt: (/* @__PURE__ */ new Date()).toISOString() };
+    return { ...message, state: "started", startedAt: (/* @__PURE__ */ new Date()).toISOString() };
   });
   if (!changed) return;
   writeOverlordRegistry(statePath, {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mutmutco/cli",
-  "version": "2.55.0",
+  "version": "2.56.0",
   "description": "MMI Future CLI — delivers the org rules (whole-file), plus saga and KB access. The cross-IDE engine the plugin's SessionStart hook drives.",
   "type": "module",
   "license": "UNLICENSED",