@mutmutco/cli 2.55.0 → 2.57.0

package/dist/main.cjs

@@ -4769,7 +4769,7 @@ async function correlateRun(deps, args) {
       "--limit",
       "10",
       "--json",
-      args.mode === "dispatch" ? "databaseId,url,event,createdAt" : "databaseId,url,event,createdAt,status,conclusion,headSha"
+      args.mode === "dispatch" ? "databaseId,url,event,createdAt,displayTitle" : "databaseId,url,event,createdAt,status,conclusion,headSha"
     ];
     let rows;
     try {
@@ -4779,24 +4779,27 @@ async function correlateRun(deps, args) {
       if (args.mode === "workflow") lastError = new Error(`could not list ${args.workflow} runs`);
       continue;
     }
-    const match = rows.filter((r) => {
+    const candidates = rows.filter((r) => {
       if (typeof r.databaseId !== "number") return false;
       if (args.mode === "dispatch") return r.event === "workflow_dispatch";
       return r.event === args.event && r.headSha === args.headSha;
-    }).map((r) => ({ row: r, created: Date.parse(r.createdAt ?? "") })).filter((c) => Number.isFinite(c.created) && c.created >= threshold).sort((a, b) => b.created - a.created)[0];
+    }).map((r) => ({ row: r, created: Date.parse(r.createdAt ?? "") })).filter((c) => Number.isFinite(c.created) && c.created >= threshold).sort((a, b) => b.created - a.created);
+    const tokens2 = args.mode === "dispatch" ? args.titleIncludes : void 0;
+    const titleMatch = tokens2 && tokens2.length ? candidates.find((c) => tokens2.every((t) => (c.row.displayTitle ?? "").includes(t))) : void 0;
+    const match = titleMatch ?? candidates[0];
     if (match) return { runId: match.row.databaseId, runUrl: match.row.url };
   }
   if (args.mode === "workflow" && !parsedAnyResponse && lastError) throw lastError;
   return {};
 }
-function correlateTenantRun(deps, since) {
-  return correlateRun(deps, { workflow: "tenant-deploy.yml", since, mode: "dispatch" });
+function correlateTenantRun(deps, since, titleIncludes) {
+  return correlateRun(deps, { workflow: "tenant-deploy.yml", since, mode: "dispatch", titleIncludes });
 }
 function correlatePublishRun(deps, since) {
   return correlateRun(deps, { workflow: "tenant-publish.yml", since, mode: "dispatch" });
 }
-function correlateControlRun(deps, since) {
-  return correlateRun(deps, { workflow: "tenant-control.yml", since, mode: "dispatch" });
+function correlateControlRun(deps, since, titleIncludes) {
+  return correlateRun(deps, { workflow: "tenant-control.yml", since, mode: "dispatch", titleIncludes });
 }
 async function correlateWorkflowRun(deps, args) {
   return correlateRun(deps, { ...args, mode: "workflow" });
@@ -4927,6 +4930,7 @@ async function waitForRequiredTrainChecks(deps, ctx, sha, required) {
   const sleep = resolveSleep(deps);
   let lastStatus = "not checked";
   let lastError;
+  const everObserved = /* @__PURE__ */ new Set();
   for (let attempt = 0; attempt < TRAIN_CHECK_ATTEMPTS; attempt++) {
     if (attempt > 0) await sleep(TRAIN_CHECK_DELAY_MS);
     let checkRuns;
@@ -4945,6 +4949,9 @@ async function waitForRequiredTrainChecks(deps, ctx, sha, required) {
       lastError = e.message || String(e);
       continue;
     }
+    for (const c of required) {
+      if (checkRuns.some((r) => r.name === c) || statuses.some((s) => s.context === c)) everObserved.add(c);
+    }
     const states = required.map((c) => [c, resolveContextState(c, checkRuns, statuses)]);
     lastStatus = states.map(([c, s]) => `${c}=${s}`).join(", ");
     const failed = states.filter(([, s]) => s === "failed").map(([c]) => c);
@@ -4955,8 +4962,11 @@ async function waitForRequiredTrainChecks(deps, ctx, sha, required) {
       return `required checks passed: ${required.join(", ")}`;
     }
   }
+  const waitedMin = Math.round((TRAIN_CHECK_ATTEMPTS - 1) * TRAIN_CHECK_DELAY_MS / 6e4);
+  const neverMaterialized = required.filter((c) => !everObserved.has(c));
+  const neverNote = neverMaterialized.length ? ` Never materialized on ${sha} (no check-run or commit status ever appeared \u2014 the workflow that produces them was likely not triggered by the tag event): ${neverMaterialized.join(", ")}.` : "";
   throw new Error(
-    `timed out waiting for required train checks on ${sha}: ${lastError ? `last error: ${lastError}` : lastStatus}`
+    `timed out after ~${waitedMin}m (${TRAIN_CHECK_ATTEMPTS} attempts) waiting for required train checks on ${sha}.${neverNote} Last observed: ${lastError ? `error: ${lastError}` : lastStatus}`
   );
 }
 function partialTrainRecoveryError(cause, input) {
@@ -5104,7 +5114,7 @@ async function dispatchDeploy(deps, ctx, stage2, ref, model, watch, autoRunSince
         deployStatus: "failure"
       };
     }
-    const { runId, runUrl } = await correlateTenantRun(deps, since);
+    const { runId, runUrl } = await correlateTenantRun(deps, since, [ctx.slug, stage2]);
     const deployStatus = watch ? await watchTenantRun(deps, runId) : "pending";
     return { note: `dispatched tenant-deploy.yml (slug=${ctx.slug}, ref=${ref}, stage=${stage2})`, runId, runUrl, deployStatus };
   }
@@ -5528,7 +5538,7 @@ async function runTenantControl(deps, options) {
       note: transport ? `tenant control ${action} dispatch failed (transport) \u2014 safe to retry` : `tenant control ${action} rejected: ${d.error ?? "request rejected by the Hub"}`
     };
   }
-  const { runId, runUrl } = await correlateControlRun(deps, since);
+  const { runId, runUrl } = await correlateControlRun(deps, since, [stage2, action]);
   const conclusion = watch ? await watchTenantRun(deps, runId) : "pending";
   const result = { ...base, dispatched: true, runId, runUrl, conclusion, note: "" };
   if (action === "retire") {
@@ -5540,6 +5550,7 @@ async function runTenantControl(deps, options) {
       result.serviceState = parseStatusSnippet(output).serviceState;
     } else {
       result.secrets = parseVerifySecrets(output);
+      result.secretsRaw = output;
     }
   }
   result.note = conclusion === "success" ? `tenant-control ${action} run succeeded` : conclusion === "failure" ? `tenant-control ${action} run failed \u2014 inspect the run` : runId == null ? `dispatched tenant-control.yml (${action}) \u2014 run not correlated; check the Actions tab` : `dispatched tenant-control.yml (${action}) \u2014 not watched`;
@@ -5594,7 +5605,7 @@ async function restoreDirtyOrgSpineToHead(deps, options = {}) {
 }
 
 // src/index.ts
-var import_node_child_process15 = require("node:child_process");
+var import_node_child_process14 = require("node:child_process");
 
 // src/cli-shared.ts
 var import_promises = require("node:fs/promises");
@@ -6289,6 +6300,23 @@ async function hubAuthToken(deps) {
   return (await hubAuthSession(deps))?.token;
 }
 
+// src/continuity-access.ts
+var CONTINUITY_OWNER_LOGIN = "jervaise";
+function continuityAllowedForLogin(login) {
+  return login?.trim().toLowerCase() === CONTINUITY_OWNER_LOGIN;
+}
+async function firstLogin(source, read) {
+  const login = (await read?.().catch(() => void 0))?.trim();
+  if (!login) return null;
+  return { allowed: continuityAllowedForLogin(login), login, source };
+}
+async function resolveContinuityAccess(deps) {
+  return await firstLogin("hub-session", deps.hubLogin) ?? await firstLogin("github", deps.ghLogin) ?? { allowed: false, source: "unknown" };
+}
+function formatContinuityAccessDenied(kind) {
+  return `${kind}: continuity is restricted to ${CONTINUITY_OWNER_LOGIN}`;
+}
+
 // src/stdin-inject.ts
 var import_node_fs6 = require("node:fs");
 var injectedStdin;
@@ -6363,6 +6391,22 @@ async function hubHeaders(extra = {}) {
   const base = { ...clientVersionHeaders(), ...extra };
   return t ? { ...base, Authorization: `Bearer ${t}` } : base;
 }
+async function continuityAccess() {
+  const cfg = await loadConfig();
+  return resolveContinuityAccess({
+    hubLogin: async () => (await hubAuthSession({ baseUrl: cfg.sagaApiUrl ?? defaultHubUrl(), githubToken }))?.login,
+    ghLogin: githubLogin
+  });
+}
+async function requireContinuityAccess(kind, opts = {}, io) {
+  const access2 = await continuityAccess();
+  if (access2.allowed) return true;
+  if (!opts.quiet) {
+    (io ?? consoleIo).err(formatContinuityAccessDenied(kind));
+    process.exitCode = 1;
+  }
+  return false;
+}
 var CONFIG_FILE = ".mmi/config.json";
 async function loadConfig() {
   let file = {};
@@ -6434,6 +6478,7 @@ async function postCaptureOnce(sagaApiUrl, body) {
   }
 }
 async function postCapture(capture, quiet = false) {
+  if (!await requireContinuityAccess("saga", { quiet })) return;
   const cfg = await loadConfig();
   if (!cfg.sagaApiUrl) {
     if (!quiet) console.error("mmi-cli saga: Hub API URL not configured");
@@ -6456,6 +6501,7 @@ function spawnSagaFlush() {
 }
 async function maybeSpawnHeadUpdate() {
   try {
+    if (!await requireContinuityAccess("saga", { quiet: true })) return;
     const gateKey = await sagaKey(await loadConfig());
     const tsPath = headTsPath(gateKey);
     if (!headGateDue(tsPath)) return;
@@ -6558,7 +6604,6 @@ function parseHookInput(stdin) {
 }
 
 // src/saga-health.ts
-var MEMORY_STALE_DAYS = 14;
 var SESSION_START_LIVENESS = { attempts: 1, timeoutMs: 3e3 };
 function buildHealth(i) {
   const problems = [];
@@ -6571,9 +6616,6 @@ function buildHealth(i) {
   if (i.reachable && i.authorized === false) problems.push("saga backend rejected authenticated state access");
   if (!i.key.sessionId || i.key.sessionId === "-") problems.push("unsafe session id");
   const warnings = [];
-  if (i.memoryAgeDays !== void 0 && i.memoryAgeDays > MEMORY_STALE_DAYS) {
-    warnings.push(`PROJECT MEMORY is ${Math.round(i.memoryAgeDays)}d stale \u2014 the saga-keeper may have stalled`);
-  }
   const safeToWrite = problems.length === 0;
   return {
     ok: safeToWrite,
@@ -6588,8 +6630,7 @@ function buildHealth(i) {
     key: i.key,
     source: i.source,
     problems,
-    warnings,
-    memoryAgeDays: i.memoryAgeDays
+    warnings
   };
 }
 function healthBanner(report) {
@@ -7662,6 +7703,7 @@ async function collectWaveStatus(deps) {
 
 // src/saga-commands.ts
 async function runNote(summary, o) {
+  if (!await requireContinuityAccess("saga")) return;
   const [sha, key] = await Promise.all([gitOut(["rev-parse", "--short", "HEAD"]), sagaKey(await loadConfig())]);
   const capture = buildNoteCapture(summary, o, (0, import_node_crypto3.randomUUID)(), { sha: sha || void 0, branch: key.branch });
   await postCapture(capture);
@@ -7675,6 +7717,10 @@ function resolveSummary(summary, o) {
   });
 }
 async function runSagaFlush(o, io = consoleIo) {
+  if (!await requireContinuityAccess("saga", { quiet: o.run }, io)) {
+    if (o.json) io.log(JSON.stringify({ flushed: 0, dropped: 0, remaining: 0, restricted: true }));
+    return;
+  }
   if (o.run) {
     try {
       const cfg2 = await loadConfig();
@@ -7698,6 +7744,7 @@ async function runSagaFlush(o, io = consoleIo) {
   io.log(`saga flush: rolled forward ${result.flushed}, dropped ${result.dropped.length}, ${result.remaining} still pending`);
 }
 async function runSagaShow(opts, io = consoleIo) {
+  if (!await requireContinuityAccess("saga", { quiet: opts.quiet }, io)) return;
   const cfg = await loadConfig();
   if (!cfg.sagaApiUrl) {
     if (opts.quiet) return;
@@ -7746,20 +7793,11 @@ async function probeSagaAccess(url, key) {
     return false;
   }
 }
-async function fetchMemoryAge(url, project2) {
-  try {
-    const qs = new URLSearchParams({ project: project2 }).toString();
-    const res = await fetch(`${url}/saga/memory-age?${qs}`, { headers: await hubHeaders(), signal: AbortSignal.timeout(8e3) });
-    if (!res.ok) return void 0;
-    const body = await res.json();
-    if (!body.updatedAt) return void 0;
-    const ms = Date.now() - Date.parse(body.updatedAt);
-    return Number.isFinite(ms) && ms >= 0 ? ms / 864e5 : void 0;
-  } catch {
-    return void 0;
-  }
-}
 async function runSagaHealth(o, io = consoleIo) {
+  if (!await requireContinuityAccess("saga", { quiet: o.quiet || o.banner }, io)) {
+    if (o.json) io.log(JSON.stringify({ ok: false, restricted: true, problems: ["continuity is restricted to jervaise"], warnings: [] }));
+    return;
+  }
   const cfg = await loadConfig();
   const session = resolveSessionId();
   const key = await sagaKey(cfg, session);
@@ -7770,7 +7808,6 @@ async function runSagaHealth(o, io = consoleIo) {
     cfg.sagaApiUrl ? probeBackend(cfg.sagaApiUrl, livenessOpts) : Promise.resolve({ reachable: false })
   ]);
   const authorized = o.banner ? void 0 : cfg.sagaApiUrl && liveness.reachable ? await probeSagaAccess(cfg.sagaApiUrl, key) : void 0;
-  const memoryAgeDays = o.banner ? void 0 : cfg.sagaApiUrl && liveness.reachable ? await fetchMemoryAge(cfg.sagaApiUrl, key.project) : void 0;
   const report = buildHealth({
     key,
     source,
@@ -7780,8 +7817,7 @@ async function runSagaHealth(o, io = consoleIo) {
     livenessMessage: liveness.message,
     authorized,
     sagaApiUrl: cfg.sagaApiUrl,
-    pendingNotes: readPending().length,
-    memoryAgeDays
+    pendingNotes: readPending().length
   });
   if (o.json) return io.log(JSON.stringify(report));
   if (o.banner) {
@@ -7798,6 +7834,7 @@ async function runSagaHealth(o, io = consoleIo) {
   if (report.pendingNotes > 0) io.log(` - ${report.pendingNotes} note(s) queued locally \u2014 \`mmi-cli saga flush\` to roll forward`);
 }
 async function fetchSagaHead(io = consoleIo) {
+  if (!await requireContinuityAccess("saga", {}, io)) return null;
   const cfg = await loadConfig();
   if (!cfg.sagaApiUrl) {
     io.err("saga snapshot: Hub API URL not configured");
@@ -7819,6 +7856,7 @@ async function fetchSagaHead(io = consoleIo) {
   }
 }
 async function postSnapshotNotes(plan2, anchorForce) {
+  if (!await requireContinuityAccess("saga")) return;
   const [sha, key] = await Promise.all([gitOut(["rev-parse", "--short", "HEAD"]), sagaKey(await loadConfig())]);
   const evidence = { sha: sha || void 0, branch: key.branch };
   for (const idx of [...plan2.clearIndices].sort((a, b) => b - a)) {
@@ -7853,7 +7891,7 @@ async function runSagaSnapshotSet(snapshot, opts = {}, io = consoleIo) {
   io.log(`saga snapshot: wrote ${snapshot.kind} snapshot (retired ${plan2.clearIndices.length}, ${plan2.queueOps.length + 1} capture(s))`);
 }
 function registerSagaCommands(program3) {
-  const saga = program3.command("saga").description("per-session continuity");
+  const saga = program3.command("saga").description("Jervaise-only per-session continuity");
   saga.command("note [summary]").description("record a one-line structured note into your saga (the per-turn capture)").option("--next <text>", 'set "where I left off" (NEXT)').option("--decision <text>", "append a verbatim decision").option("--queue-add <text>", "add a worklist item").option("--queue-done <n>", "mark worklist item N done").option("--verified", "mark this claim as checked against source (state: verified, else asserted)").option("--diagnostic", "isolate a probe write (state: diagnostic, source: probe) \u2014 never resume/LAST 5").option("--supersedes <key>", "retire prior decisions matching an evidence key (pr:N | file:path)").option("--anchor <intent>", "set the sprint North-Star (write-protected; needs --anchor-force to change)").option("--anchor-slug <slug>", "bind the anchor to a North Star plan slug (SSOT at plans/.../<slug>.md)").option("--anchor-force", "overwrite an existing anchor").option("--message-file <path|->", "read the summary from a UTF-8 file, or from stdin with - (avoids cmd.exe quoting)").action(async (summary, o) => {
     let text;
     try {
@@ -7873,9 +7911,10 @@ function registerSagaCommands(program3) {
     await runNote(text, { ...o, diagnostic: true });
   });
   saga.command("flush").option("--json", "machine-readable {flushed, dropped, remaining}").option("--run", "detached worker: drain the queue silently (spawned by note/capture)").description("roll the local pending-note queue forward (re-POST queued saga writes); reports what landed").action((o) => runSagaFlush(o));
-  saga.command("show").option("--quiet", "no-op silently when unconfigured/unreachable (SessionStart hook)").option("--latest-anywhere", "resume the newest saga across all repos (default: current repo)").description("print your resume block \u2014 current repo HEAD + project memory (where you left off)").action((opts) => runSagaShow(opts));
+  saga.command("show").option("--quiet", "no-op silently when unconfigured/unreachable (SessionStart hook)").option("--latest-anywhere", "resume the newest saga across all repos (default: current repo)").description("print your resume block \u2014 current repo HEAD + live decisions").action((opts) => runSagaShow(opts));
   saga.command("capture").option("--quiet", "capture silently (for the Stop hook)").description("per-turn deterministic capture (Stop hook): turn boundary + current sha + gated HEAD-update").action(async (opts) => {
     if (!isOrgRepoRoot()) return;
+    if (!await requireContinuityAccess("saga", { quiet: opts.quiet })) return;
     const hook = parseHookInput(await readStdin());
     if (hook.session_id) persistSession(hook.session_id);
     await postCapture({ event: "stop", id: (0, import_node_crypto3.randomUUID)(), source: "hook", sha: await gitOut(["rev-parse", "--short", "HEAD"]), surface: agentSurface() }, opts.quiet ?? false);
@@ -7883,10 +7922,12 @@ function registerSagaCommands(program3) {
   });
   saga.command("session").option("--quiet", "silent (for the SessionStart hook)").description("persist the harness session id for this repo (SessionStart hook)").action(async () => {
     if (!isOrgRepoRoot()) return;
+    if (!await requireContinuityAccess("saga", { quiet: true })) return;
     const hook = parseHookInput(await readStdin());
     if (hook.session_id) persistSession(hook.session_id);
   });
   saga.command("head-update").option("--run", "detached worker: fetch state, run the engine, post the curated HEAD").option("--quiet", "silent (Stop hook)").description("curate the smart HEAD in the background (engine via SAGA_HEAD_ENGINE; default local claude)").action(async (o) => {
+    if (!await requireContinuityAccess("saga", { quiet: o.quiet || o.run })) return;
     if (!o.run) {
       return maybeSpawnHeadUpdate();
     }
@@ -7911,6 +7952,7 @@ function registerSagaCommands(program3) {
     }
   });
   saga.command("key").option("--json", "machine-readable output").description("print the resolved saga key + session-id source (no write)").action(async (o) => {
+    if (!await requireContinuityAccess("saga")) return;
     const cfg = await loadConfig();
     const session = resolveSessionId();
     const key = await sagaKey(cfg, session);
@@ -8100,7 +8142,15 @@ async function fetchScopedSessions(url, project2, branch, retry = FOREGROUND_FET
   const qs = new URLSearchParams({ project: project2 });
   if (branch) qs.set("branch", branch);
   const res = await fetchWithRetry(fetch, `${url}/saga/sessions?${qs}`, { headers: await hubHeaders() }, retry);
-  if (!res.ok) return [];
+  if (!res.ok) {
+    let detail = "";
+    try {
+      const errBody = await res.clone().json();
+      detail = typeof errBody.error === "string" && errBody.error || typeof errBody.message === "string" && errBody.message || "";
+    } catch {
+    }
+    throw new Error(`saga sessions read failed (HTTP ${res.status})${detail ? `: ${detail}` : ""}`);
+  }
   const body = await res.json();
   return body.sessions ?? [];
 }
@@ -8169,11 +8219,11 @@ async function locateClaimedHandoff(key, claimedBySessionId, retry = FOREGROUND_
 }
 async function postKeyedNote(key, summary, options) {
   const cfg = await loadConfig();
-  if (!cfg.sagaApiUrl) fail("handoff: Hub API URL not configured");
+  if (!cfg.sagaApiUrl) return failGraceful("handoff: Hub API URL not configured");
   const sha = await gitOut(["rev-parse", "--short", "HEAD"]);
   const capture = buildNoteCapture(summary, options, (0, import_node_crypto4.randomUUID)(), { sha: sha || void 0, branch: key.branch });
   const result = await postCaptureOnce(cfg.sagaApiUrl, { ...capture, ...key });
-  if (!result.ok) fail(`handoff: write failed${result.status ? ` (HTTP ${result.status})` : ""}${result.message ? `: ${result.message}` : ""}`);
+  if (!result.ok) await failGraceful(`handoff: write failed${result.status ? ` (HTTP ${result.status})` : ""}${result.message ? `: ${result.message}` : ""}`);
 }
 function deriveOpenFields(summary, opts, head, key) {
   const northStarSlug = opts.northStarSlug ?? head.anchor?.slug;
@@ -8192,6 +8242,7 @@ function deriveOpenFields(summary, opts, head, key) {
   });
 }
 async function runHandoffOpen(summary, opts, io = consoleIo) {
+  if (!await requireContinuityAccess("handoff", {}, io)) return;
   let resolvedSummary = summary;
   if (summary !== void 0 || opts.messageFile !== void 0) {
     try {
@@ -8201,23 +8252,29 @@ async function runHandoffOpen(summary, opts, io = consoleIo) {
         noun: "message"
       });
     } catch (e) {
-      return fail(`handoff open: ${e.message}`);
+      return failGraceful(`handoff open: ${e.message}`);
     }
   }
   const current = await fetchCurrentState();
-  if (!current) return fail("handoff open: saga state unavailable");
+  if (!current) return failGraceful("handoff open: saga state unavailable");
   let record;
   try {
     record = deriveOpenFields(resolvedSummary, opts, current.head, current.key);
   } catch (e) {
-    return fail(`handoff open: ${e.message}`);
+    return failGraceful(`handoff open: ${e.message}`);
   }
   await postKeyedNote(current.key, `handoff opened ${record.key}`, { queueAdd: serializeHandoff(record), anchorSlug: record.northStarSlug });
   if (opts.json) return io.log(JSON.stringify({ ok: true, handoff: record }));
   io.log(`handoff open: ${formatHandoffLine({ index: -1, done: false, record })}`);
 }
 async function runHandoffList(opts, io = consoleIo) {
-  const { handoffs } = await collectScopedHandoffs({ includeClosed: opts.all });
+  if (!await requireContinuityAccess("handoff", {}, io)) return [];
+  let handoffs;
+  try {
+    ({ handoffs } = await collectScopedHandoffs({ includeClosed: opts.all }));
+  } catch (e) {
+    return failGraceful(`handoff list: ${e.message}`);
+  }
   if (opts.json) {
     io.log(JSON.stringify({ handoffs }, null, 2));
   } else if (!handoffs.length) {
@@ -8228,25 +8285,42 @@ async function runHandoffList(opts, io = consoleIo) {
   return handoffs;
 }
 async function runHandoffOffer(io = consoleIo, opts = {}) {
+  if (!await requireContinuityAccess("handoff", { quiet: opts.fast }, io)) return;
   const retry = opts.fast ? SESSION_START_FETCH : FOREGROUND_FETCH;
-  const { handoffs } = await collectScopedHandoffs({ retry });
+  let handoffs;
+  try {
+    ({ handoffs } = await collectScopedHandoffs({ retry }));
+  } catch {
+    return;
+  }
   if (!handoffs.length) return;
   io.log("Open handoffs:");
   for (const h of handoffs) io.log(`- ${formatHandoffLine(h)}`);
   io.log("Use `mmi-cli handoff accept <key>` to claim, `mmi-cli handoff cancel <key>` to close, or decline in chat to leave it open.");
 }
 async function closeSourceHandoff(key, state, opts = {}, io = consoleIo) {
+  if (!await requireContinuityAccess("handoff", {}, io)) return;
   const current = await sagaKey(await loadConfig(), resolveSessionId());
-  const located = await locateOpenHandoff(key);
+  let located;
+  try {
+    located = await locateOpenHandoff(key);
+  } catch (e) {
+    return failGraceful(`handoff ${state}: ${e.message}`);
+  }
   if (!located) {
     if (state === "claimed") {
-      const prior = await locateClaimedHandoff(key, current.sessionId);
+      let prior;
+      try {
+        prior = await locateClaimedHandoff(key, current.sessionId);
+      } catch (e) {
+        return failGraceful(`handoff ${state}: ${e.message}`);
+      }
       if (prior) {
         if (opts.json) return io.log(JSON.stringify({ ok: true, handoff: prior.record, idempotent: true }));
         return io.log(`handoff claimed: ${formatHandoffLine(prior)} (already accepted)`);
       }
     }
-    return fail(`handoff ${state}: no open handoff matching ${key}`);
+    return failGraceful(`handoff ${state}: no open handoff matching ${key}`);
   }
   const closed = closeHandoff(located.item.record, state, (/* @__PURE__ */ new Date()).toISOString(), state === "claimed" ? current.sessionId : void 0);
   const sourceBranch = located.item.record.sourceBranch ?? located.key.branch;
@@ -8274,13 +8348,76 @@ async function closeSourceHandoff(key, state, opts = {}, io = consoleIo) {
 var runHandoffAccept = (key, opts = {}, io = consoleIo) => closeSourceHandoff(key, "claimed", opts, io);
 var runHandoffCancel = (key, opts = {}, io = consoleIo) => closeSourceHandoff(key, "cancelled", opts, io);
 async function runHandoffDecline(key, opts = {}, io = consoleIo) {
-  const located = await locateOpenHandoff(key);
-  if (!located) return fail(`handoff decline: no open handoff matching ${key}`);
+  if (!await requireContinuityAccess("handoff", {}, io)) return;
+  let located;
+  try {
+    located = await locateOpenHandoff(key);
+  } catch (e) {
+    return failGraceful(`handoff decline: ${e.message}`);
+  }
+  if (!located) return failGraceful(`handoff decline: no open handoff matching ${key}`);
   if (opts.json) return io.log(JSON.stringify({ ok: true, unchanged: true, handoff: located.item.record }));
   io.log(`handoff decline: left open for re-offer \u2014 ${formatHandoffLine(located.item)}`);
 }
+async function resolveHandoffSummary(summary, messageFile, verb) {
+  if (summary === void 0 && messageFile === void 0) return summary;
+  try {
+    return await resolveTextArg({ value: summary, file: messageFile }, { readFile: import_promises3.readFile, readStdin }, {
+      value: "a summary argument",
+      file: "--message-file",
+      noun: "message"
+    });
+  } catch (e) {
+    return failGraceful(`handoff ${verb}: ${e.message}`);
+  }
+}
+async function runHandoffReplace(oldKey, summary, opts = {}, io = consoleIo) {
+  if (!await requireContinuityAccess("handoff", {}, io)) return;
+  const newKey = opts.key?.trim() || oldKey;
+  const resolvedSummary = await resolveHandoffSummary(summary, opts.messageFile, "replace");
+  let located;
+  try {
+    located = await locateOpenHandoff(oldKey);
+  } catch (e) {
+    return failGraceful(`handoff replace: ${e.message}`);
+  }
+  const current = await fetchCurrentState();
+  if (!current) return failGraceful("handoff replace: saga state unavailable");
+  let record;
+  try {
+    record = deriveOpenFields(resolvedSummary, { key: newKey, northStarSlug: opts.northStarSlug }, current.head, current.key);
+  } catch (e) {
+    return failGraceful(`handoff replace: ${e.message}`);
+  }
+  await postKeyedNote(current.key, `handoff opened ${record.key}`, { queueAdd: serializeHandoff(record), anchorSlug: record.northStarSlug });
+  if (located) {
+    const closed = closeHandoff(located.item.record, "cancelled", (/* @__PURE__ */ new Date()).toISOString());
+    await postKeyedNote(located.key, `handoff cancelled ${located.item.record.key}`, {
+      handoffClose: { index: located.item.index, closedText: serializeHandoff(closed) }
+    });
+  }
+  if (opts.json) {
+    return io.log(JSON.stringify({
+      ok: true,
+      replaced: located ? located.item.record.key : null,
+      supersededIndex: located ? located.item.index : null,
+      handoff: record
+    }));
+  }
+  if (located) {
+    io.log(`handoff replace: superseded ${located.item.record.key} (index ${located.item.index}) -> ${formatHandoffLine({ index: -1, done: false, record })}`);
+  } else {
+    io.log(`handoff replace: no open handoff matching ${oldKey} \u2014 opened ${formatHandoffLine({ index: -1, done: false, record })}`);
+  }
+}
+async function runHandoffEdit(key, summary, opts = {}, io = consoleIo) {
+  if (summary === void 0 && opts.messageFile === void 0) {
+    return failGraceful("handoff edit: a new summary is required (pass it as an argument or via --message-file)");
+  }
+  return runHandoffReplace(key, summary, { ...opts, key }, io);
+}
 function registerHandoffCommands(program3) {
-  const handoff = program3.command("handoff").description("explicit saga + North Star handoff lifecycle");
+  const handoff = program3.command("handoff").description("Jervaise-only saga + North Star handoff lifecycle");
   handoff.command("open [summary]").description("open a handoff bound to a North Star slug or a board issue (--key/--next)").option("--key <slug|#issue>", "handoff key: a North Star slug or a board issue (defaults to the current North Star slug)").option("--next <slug|#issue>", "alias for --key (mirrors `saga note --next`)").option("--north-star-slug <slug>", "North Star slug to bind (optional; omit for an issue-bound handoff)").option("--message-file <path|->", "read the handoff summary from a UTF-8 file, or from stdin with - (avoids cmd.exe quoting)").option("--json", "machine-readable output").action((summary, opts) => runHandoffOpen(summary, { ...opts, key: opts.key ?? opts.next }));
   handoff.command("list").description("list open handoffs for the current repo (any branch)").option("--all", "include claimed/cancelled records").option("--json", "machine-readable output").action(async (opts) => {
     await runHandoffList(opts);
@@ -8288,6 +8425,8 @@ function registerHandoffCommands(program3) {
   handoff.command("accept <key>").description("claim an open handoff and bind this session to its North Star").option("--json", "machine-readable output").action((key, opts) => runHandoffAccept(key, opts));
   handoff.command("cancel <key>").description("close an open handoff without claiming it").option("--json", "machine-readable output").action((key, opts) => runHandoffCancel(key, opts));
   handoff.command("decline <key>").description("leave an open handoff unchanged so it is re-offered later").option("--json", "machine-readable output").action((key, opts) => runHandoffDecline(key, opts));
+  handoff.command("replace <old-key> [summary]").description("supersede an open handoff: open a corrected one (--key) and cancel the stale one atomically").option("--key <slug|#issue>", "the corrected handoff key to open (defaults to <old-key> for an in-place edit)").option("--north-star-slug <slug>", "North Star slug to bind on the corrected handoff (optional)").option("--message-file <path|->", "read the corrected summary from a UTF-8 file, or stdin with - (avoids cmd.exe quoting)").option("--json", "machine-readable output").action((oldKey, summary, opts) => runHandoffReplace(oldKey, summary, opts));
+  handoff.command("edit <key> [summary]").description("update an open handoff's summary in place (supersedes the same key)").option("--north-star-slug <slug>", "North Star slug to bind (optional)").option("--message-file <path|->", "read the new summary from a UTF-8 file, or stdin with - (avoids cmd.exe quoting)").option("--json", "machine-readable output").action((key, summary, opts) => runHandoffEdit(key, summary, opts));
 }
 
 // src/coop-commands.ts
@@ -9694,16 +9833,21 @@ async function runSessionStart(parallel, sequential, io) {
   for (const lines of buffered) flush(lines, io);
   for (const step of sequential) flush(await runBufferedStep(step), io);
 }
-function buildSessionStartPlan(verbs) {
+function buildSessionStartPlan(verbs, opts = {}) {
+  const continuityEnabled = opts.continuityEnabled ?? true;
+  const continuitySteps = continuityEnabled ? [
+    { name: "saga show", run: verbs.sagaShow },
+    { name: "handoff offer", run: verbs.handoffOffer },
+    // northstar context (#1228): curated plan cards when relevance is high-confidence; silent otherwise.
+    { name: "northstar context", run: verbs.northstarContext },
+    { name: "saga health", run: verbs.sagaHealth }
+  ] : [];
   return {
     parallel: [
       { name: "rules sync", run: verbs.rulesSync },
-      { name: "saga show", run: verbs.sagaShow },
-      { name: "handoff offer", run: verbs.handoffOffer },
+      ...continuitySteps.slice(0, 2),
       { name: "coop pending", run: verbs.coopPending },
-      // northstar context (#1228): curated plan cards when relevance is high-confidence; silent otherwise.
-      { name: "northstar context", run: verbs.northstarContext },
-      { name: "saga health", run: verbs.sagaHealth },
+      ...continuitySteps.slice(2),
       // whoami (#879): the resolved human lands in the banner so agents act --for them without asking.
       // Identity reads are memoized process-wide, so this adds no extra gh/Hub round-trip.
       { name: "whoami", run: verbs.whoami },
@@ -9781,6 +9925,10 @@ function northstarPointer(injected = false) {
   }
   return "North Stars: run `mmi-cli northstar relevant` to load plans relevant to your task (`northstar list` for all).";
 }
+function sessionStartContinuityLines(opts) {
+  if (!opts.continuityEnabled) return [];
+  return [northstarPointer(opts.northstarInjected), ...planStoreLines(opts.cwd)];
+}
 function kbPointer() {
   return "MM-KB (org knowledge): start at `mmi-cli kb get kb/INDEX.md`, then `kb get <path>` \u2014 consult before inventing conventions or storing long-term docs.";
 }
@@ -9788,6 +9936,7 @@ function kbPointer() {
 // src/coop-commands.ts
 var FOREGROUND_FETCH2 = { attempts: 2, timeoutMs: 15e3 };
 var SESSION_START_FETCH2 = { attempts: 1, timeoutMs: 3e3 };
+var COOP_WAIT_DELAYS_MS = [6e4, 12e4, 18e4, 3e5, 6e5, 18e5];
 async function hubBase() {
   const cfg = await loadConfig();
   if (!cfg.sagaApiUrl) fail("Hub API URL not configured (sagaApiUrl)");
@@ -9822,11 +9971,124 @@ async function sessionContext() {
   const session = resolveSessionId();
   const branch = key.branch !== "-" ? key.branch : await gitOut(["rev-parse", "--abbrev-ref", "HEAD"]).catch(() => "development") ?? "development";
   const sessionId = session.id;
-  const surface = process.env.MMI_SURFACE ?? "cursor";
+  const surface = coopSurfaceFromEnv(process.env);
   const remote = await gitOut(["remote", "get-url", "origin"]).catch(() => "");
   const repo = remote.includes("github.com") ? remote.replace(/\.git$/, "").replace(/^.*github\.com[:/]/, "") : key.project !== "-" ? key.project : "mutmutco/MMI-Hub";
   return { branch, sessionId, surface, repo };
 }
+function coopSurfaceFromEnv(env) {
+  const explicit = env.MMI_AGENT_SURFACE?.trim();
+  if (explicit && ["claude", "codex", "cursor", "gemini", "opencode"].includes(explicit)) return explicit;
+  const has = (k) => Boolean(env[k]?.trim());
+  if (has("CODEX_THREAD_ID") || has("CODEX_HOME") || (env.CLAUDE_PLUGIN_ROOT ?? "").includes(".codex")) return "codex";
+  if (has("CURSOR_TRACE_ID") || has("CURSOR_USER") || has("CURSOR_SESSION_ID") || env.CURSOR_AGENT === "1" || has("CURSOR_EXTENSION_HOST_ROLE")) {
+    return "cursor";
+  }
+  if (has("OPENCODE_CLIENT") || has("OPENCODE_SERVER_USERNAME")) return "opencode";
+  if (has("CLAUDECODE") || has("CLAUDE_CODE_ENTRYPOINT") || has("CLAUDE_PLUGIN_ROOT")) return "claude";
+  return "shell";
+}
+function coopOpenPath(repo) {
+  return repo ? `/coop/status?repo=${encodeURIComponent(repo)}` : "/coop/status";
+}
+function parseTargetLogins(value) {
+  return (value ?? "").split(",").map((x) => x.trim().replace(/^@/, "")).filter(Boolean);
+}
+function categorizeOpenCoops(open, viewer) {
+  const login = viewer.login?.toLowerCase();
+  const repo = viewer.repo?.toLowerCase();
+  const categories = {
+    invitedToMe: [],
+    myAgents: [],
+    sameRepo: [],
+    internal: []
+  };
+  for (const coop of open) {
+    const targetLogins = (coop.targetLogins ?? []).map((x) => x.toLowerCase());
+    if (login && targetLogins.includes(login)) {
+      categories.invitedToMe.push(coop);
+    } else if (login && coop.coordinatorLogin.toLowerCase() === login) {
+      categories.myAgents.push(coop);
+    } else if (repo && coop.repo.toLowerCase() === repo) {
+      categories.sameRepo.push(coop);
+    } else {
+      categories.internal.push(coop);
+    }
+  }
+  return categories;
+}
+function formatOpenCoop(coop) {
+  const code = coop.sessionCode ?? coop.coopId;
+  const topic = coop.topic ?? "Untitled coop";
+  const target = coop.targetKind ? ` \xB7 target=${coop.targetKind}` : "";
+  return `  - ${code} \xB7 ${topic} \xB7 ${coop.repo}#${coop.issueNumber} \xB7 @${coop.coordinatorLogin}${target}`;
+}
+function formatOpenCoopCategories(categories) {
+  const sections = [
+    ["Invited to me", categories.invitedToMe],
+    ["My agents", categories.myAgents],
+    ["This repo", categories.sameRepo],
+    ["Internal / other repos", categories.internal]
+  ];
+  const lines = [];
+  let any = false;
+  for (const [title, rows] of sections) {
+    if (!rows.length) continue;
+    any = true;
+    lines.push(`${title}:`);
+    for (const row of rows) lines.push(formatOpenCoop(row));
+  }
+  return any ? lines.join("\n") : '[coop] no open sessions. Create one with `mmi-cli coop start --topic "<topic>" --target <own-agents|user|internal>`.';
+}
+async function printOpenCoops(res, repo) {
+  const open = res.open ?? [];
+  const [ctx, login] = await Promise.all([
+    sessionContext().catch(() => void 0),
+    githubLogin().catch(() => void 0)
+  ]);
+  consoleIo.log(formatOpenCoopCategories(categorizeOpenCoops(open, { repo: repo ?? ctx?.repo, login })));
+}
+function newCoopMessages(messages, seenCount) {
+  return messages.slice(seenCount);
+}
+function shouldStopCoopWait(status) {
+  if (status.coop?.state === "ended") return true;
+  return (status.messages ?? []).some((m) => m.phase === "SHOOK" || m.phase === "COOP_END");
+}
+async function runCoopWait(coopId, io, opts = {}) {
+  const statusPath = `/coop/status?coopId=${encodeURIComponent(coopId)}`;
+  let status = await getJson(statusPath);
+  let seenCount = status.messages?.length ?? 0;
+  if (shouldStopCoopWait(status)) {
+    if (!opts.json) io.log(`[coop wait] ${coopId} is already complete`);
+    else console.log(JSON.stringify({ coopId, status: "complete" }));
+    return;
+  }
+  for (const delayMs of COOP_WAIT_DELAYS_MS) {
+    if (!opts.json) io.log(`[coop wait] waiting ${Math.round(delayMs / 6e4)}m for ${coopId}`);
+    await new Promise((r) => setTimeout(r, delayMs));
+    status = await getJson(statusPath);
+    const messages = status.messages ?? [];
+    const fresh = newCoopMessages(messages, seenCount);
+    seenCount = messages.length;
+    if (opts.json) {
+      console.log(JSON.stringify({ coopId, messages: fresh, complete: shouldStopCoopWait(status) }));
+    } else {
+      for (const message of fresh) {
+        if (message.envelope) io.log(message.envelope);
+      }
+    }
+    if (shouldStopCoopWait(status)) {
+      if (!opts.json) io.log(`[coop wait] ${coopId} complete`);
+      return;
+    }
+  }
+  if (!opts.json) {
+    io.log(`[coop wait] no answer after bounded wait; ${coopId} remains open and can be joined later`);
+  } else {
+    console.log(JSON.stringify({ coopId, status: "timeout-open" }));
+  }
+}
 async function fetchCoopPending(retry = SESSION_START_FETCH2) {
   const body = await getJson("/coop/pending", retry);
   return body.pending ?? [];
@@ -9862,19 +10124,19 @@ async function runCoopDeliver(coopId, io, quiet = false) {
   if (!quiet) {
     io.log(`[coop deliver] ${coopId} \u2014 issue ${match.meta.issueUrl}`);
     for (const m of match.messages) io.log(m.envelope);
-    io.log("[coop deliver] Read the issue, reply via `mmi-cli coop say`, then mark delivered.");
+    io.log("[coop deliver] Coordinate in `#mmi-agents` via `mmi-cli coop say`; the issue keeps proof/context.");
   }
   await postJson("/coop/delivered", { coopId });
 }
 function registerCoopCommands(program3) {
   const coop = program3.command("coop").description("Cross-repo agent coordination (/coop skill)");
-  coop.command("start").description("Start a coop session (coordinator)").option("--repo <owner/name>", "coordinator repo (default: cwd origin)").option("--issue <n>", "existing issue number instead of creating one").option("--message-file <path>", "opening message file (or - for stdin)").option("--json", "machine output").action(async (opts) => {
+  coop.command("start").description("Start a coop session (coordinator)").option("--repo <owner/name>", "coordinator repo (default: cwd origin)").option("--issue <n>", "existing issue number instead of creating one").option("--topic <topic>", "human topic shown in open-session lists").option("--target <kind>", "human target: own-agents, user, or internal").option("--target-users <logins>", "comma-separated GitHub logins for inter-user coop").option("--message-file <path>", "opening message file (or - for stdin)").option("--json", "machine output").action(async (opts) => {
     const ctx = await sessionContext();
     const body = opts.messageFile ? await resolveTextArg(
       { file: opts.messageFile },
       { readFile: import_promises4.readFile, readStdin },
       { value: "a message argument", file: "--message-file", noun: "message" }
-    ) : "Coop session started \u2014 handshake on the linked issue.";
+    ) : "Coop session started - coordinate in #mmi-agents; the issue keeps proof/context.";
     const payload = {
       repo: opts.repo ?? ctx.repo,
       branch: ctx.branch,
@@ -9883,9 +10145,13 @@ function registerCoopCommands(program3) {
       body
     };
     if (opts.issue) payload.issueNumber = Number(opts.issue);
+    if (opts.topic) payload.topic = opts.topic;
+    if (opts.target) payload.targetKind = opts.target;
+    const targetLogins = parseTargetLogins(opts.targetUsers);
+    if (targetLogins.length) payload.targetLogins = targetLogins;
     const res = await postJson("/coop/start", payload);
     if (opts.json) console.log(JSON.stringify(res));
-    else consoleIo.log(`[coop] started ${res.coopId} \u2014 issue ${res.issue?.url ?? ""}`);
+    else consoleIo.log(`[coop] started ${res.coopId} (code ${res.sessionCode ?? res.coopId}) \u2014 issue ${res.issue?.url ?? ""}`);
   });
   coop.command("join <coopId>").description("Join a coop session").option("--cloud", "enable Cursor cloud wake for this joiner").option("--repo <owner/name>", "joiner repo (default: cwd)").option("--json", "machine output").action(async (coopId, opts) => {
     const ctx = await sessionContext();
@@ -9919,11 +10185,42 @@ function registerCoopCommands(program3) {
     });
     consoleIo.log(`[coop] said ${opts.phase} on ${coopId}`);
   });
+  coop.command("invite <coopId>").description("Post a human invite and optionally DM a target through the MMI Future Slack app").requiredOption("--target-user <login>", "target human GitHub login").option("--message-file <path>", "custom invite message file (or - for stdin)").option("--dm", "send a Slack DM in addition to the visible #mmi-agents invite").option("--slack-user <id>", "Slack user id for DM, used with conversations.open").option("--dm-channel <id>", "Slack DM channel id").option("--json", "machine output").action(async (coopId, opts) => {
+    const ctx = await sessionContext();
+    const body = opts.messageFile ? await resolveTextArg(
+      { file: opts.messageFile },
+      { readFile: import_promises4.readFile, readStdin },
+      { value: "a message argument", file: "--message-file", noun: "message" }
+    ) : void 0;
+    const res = await postJson("/coop/invite", {
+      coopId,
+      targetLogin: opts.targetUser,
+      body,
+      branch: ctx.branch,
+      sessionId: ctx.sessionId,
+      surface: ctx.surface,
+      dm: opts.dm === true,
+      slackUserId: opts.slackUser,
+      dmChannel: opts.dmChannel
+    });
+    if (opts.json) console.log(JSON.stringify(res));
+    else {
+      const out = res;
+      const suffix = out.dm && out.dm !== "not-requested" ? `; dm ${out.dm}${out.dmReason ? ` (${out.dmReason})` : ""}` : "";
+      consoleIo.log(`[coop] invited @${opts.targetUser} to ${coopId}${suffix}`);
+    }
+  });
   coop.command("status [coopId]").description("Show coop session status").option("--json", "machine output").action(async (coopId, opts) => {
-    const path2 = coopId ? `/coop/status?coopId=${encodeURIComponent(coopId)}` : "/coop/status";
+    const path2 = coopId ? `/coop/status?coopId=${encodeURIComponent(coopId)}` : coopOpenPath();
     const res = await getJson(path2);
     if (opts.json) console.log(JSON.stringify(res));
-    else console.log(JSON.stringify(res, null, 2));
+    else if (coopId) console.log(JSON.stringify(res, null, 2));
+    else await printOpenCoops(res);
+  });
+  coop.command("open").description("List open coop sessions for join-or-start").option("--repo <owner/name>", "filter open sessions to one repo").option("--json", "machine output").action(async (opts) => {
+    const res = await getJson(coopOpenPath(opts.repo));
+    if (opts.json) console.log(JSON.stringify(res));
+    else await printOpenCoops(res, opts.repo);
   });
   coop.command("pending").description("List pending coop messages for this login").option("--json", "machine output").action(async (opts) => {
     const pending = await fetchCoopPending();
@@ -9943,7 +10240,10 @@ function registerCoopCommands(program3) {
     await postJson("/coop/end", { coopId, body });
     consoleIo.log(`[coop] ended ${coopId}`);
   });
-  coop.command("watch <coopId>").description("Degraded poll \u2014 opt-in fallback when wake is unavailable").option("--interval <sec>", "poll interval seconds", "30").action(async (coopId, opts) => {
+  coop.command("wait <coopId>").description("Bounded poll for coop replies: 1m, 2m, 3m, 5m, 10m, 30m").option("--json", "machine output").action(async (coopId, opts) => {
+    await runCoopWait(coopId, consoleIo, { json: opts.json === true });
+  });
+  coop.command("watch <coopId>").description("Unbounded diagnostic poll for a coop session").option("--interval <sec>", "poll interval seconds", "30").action(async (coopId, opts) => {
     const ms = Math.max(5, Number(opts.interval) || 30) * 1e3;
     consoleIo.log(`[coop watch] polling ${coopId} every ${ms / 1e3}s (Ctrl+C to stop)`);
     for (; ; ) {
@@ -9956,9 +10256,8 @@ function registerCoopCommands(program3) {
 }
 
 // src/overlord.ts
-var import_node_child_process8 = require("node:child_process");
 var import_node_fs15 = require("node:fs");
-var import_node_os3 = require("node:os");
+var import_node_crypto5 = require("node:crypto");
 var import_node_path13 = require("node:path");
 
 // src/atomic-write.ts
@@ -9973,14 +10272,118 @@ function atomicWriteFileSync(path2, content) {
 var OVERLORD_DEFAULT_COUNT = 3;
 var OVERLORD_MIN_COUNT = 3;
 var OVERLORD_MAX_COUNT = 6;
+var OVERLORD_SERVANT_PARALLELISM = 6;
+function overlordServantParallelism() {
+  const parsed = Number(process.env.MMI_OVERLORD_SERVANT_PARALLELISM);
+  if (Number.isFinite(parsed) && parsed >= 1) return Math.min(Math.trunc(parsed), 16);
+  return OVERLORD_SERVANT_PARALLELISM;
+}
+var OVERLORD_DEFAULT_ENGINE = "fugu-api";
+var FUGU_API_DEFAULT_BASE_URL = "https://api.sakana.ai/v1";
+var FUGU_API_DEFAULT_MODEL = "fugu";
+var FUGU_API_DEFAULT_ULTRA_MODEL = "fugu-ultra";
+var FUGU_API_DEFAULT_TIMEOUT_MS = 9e4;
+var FUGU_API_DEFAULT_STARTUP_TIMEOUT_MS = 45e3;
+var FUGU_API_DEFAULT_MAX_ATTEMPTS = 3;
+var FUGU_API_RETRY_BASE_MS = 250;
+var FUGU_API_RETRY_CAP_MS = 8e3;
+var OVERLORD_HANDOFF_TIMEOUT_MS = 12e4;
+var SERVANT_REPORT_FIELDS = [
+  "name",
+  "role",
+  "state",
+  "assignment",
+  "evidence",
+  "changes",
+  "verification",
+  "blockers",
+  "recommended next action"
+];
+var SERVANT_REPORT_FIELD_SET = new Set(SERVANT_REPORT_FIELDS);
+function normalizeServantReportField(label) {
+  const normalized = label.trim().toLowerCase().replace(/[`*_]+/g, "").replace(/\s+/g, " ").replace(/:$/, "");
+  if (SERVANT_REPORT_FIELD_SET.has(normalized)) return normalized;
+  if (normalized === "next action") return "recommended next action";
+  return void 0;
+}
+function isVagueVerification(text) {
+  const normalized = (text ?? "").trim().toLowerCase();
+  if (!normalized) return true;
+  return ["done", "complete", "completed", "fixed", "looks good", "verified", "tested", "not tested", "n/a", "na", "none"].includes(normalized);
+}
+function isCompletionState(text) {
+  return /\b(done|complete|completed|fixed)\b/i.test(text ?? "");
+}
+function extractServantReportFields(text) {
+  const fields = {};
+  let currentField;
+  const append = (field, value) => {
+    const trimmed = value.trim();
+    fields[field] = fields[field] ? [fields[field], trimmed].filter(Boolean).join("\n") : trimmed;
+  };
+  for (const rawLine of text.split(/\r?\n/)) {
+    const line = rawLine.trim();
+    const colon = line.match(/^(?:[-*]\s*)?([^:]{1,80}):\s*(.*)$/);
+    const heading = line.match(/^#{1,6}\s+(.+?)\s*#*$/);
+    const field = colon ? normalizeServantReportField(colon[1]) : heading ? normalizeServantReportField(heading[1]) : void 0;
+    if (field) {
+      currentField = field;
+      append(field, colon ? colon[2] : "");
+      continue;
+    }
+    if (currentField && line) append(currentField, line);
+  }
+  return fields;
+}
+function validateServantReport(text) {
+  const fields = extractServantReportFields(text);
+  const present = new Set(Object.keys(fields));
+  const applies = present.size >= 2 || present.has("state") || present.has("assignment");
+  if (!applies) {
+    return { applies: false, ok: true, missingFields: [], emptyFields: [], unsupportedDoneClaim: false, fields };
+  }
+  const missingFields = SERVANT_REPORT_FIELDS.filter((field) => !present.has(field));
+  const emptyFields = SERVANT_REPORT_FIELDS.filter((field) => present.has(field) && !fields[field]?.trim());
+  const unsupportedDoneClaim = isCompletionState(fields.state) && isVagueVerification(fields.verification);
+  return {
+    applies: true,
+    ok: missingFields.length === 0 && emptyFields.length === 0 && !unsupportedDoneClaim,
+    missingFields,
+    emptyFields,
+    unsupportedDoneClaim,
+    fields
+  };
+}
+function formatHandoffWarnings(result) {
+  if (!result.applies || result.ok) return "";
+  const parts = [];
+  if (result.missingFields.length > 0) parts.push(`missing ${result.missingFields.join(", ")}`);
+  if (result.emptyFields.length > 0) parts.push(`empty ${result.emptyFields.join(", ")}`);
+  if (result.unsupportedDoneClaim) parts.push("done/complete/fixed state without concrete verification.");
+  return `Handoff warning: ${parts.join("; ")}`;
+}
+function formatServantMissionCard(options) {
+  const lines = [
+    `mission: ${options.mission}`,
+    `scope: ${options.scope}`,
+    ...options.scopeToken ? [
+      `scope token: ${options.scopeToken}`,
+      "token authority: attribution only; grants no host permissions"
+    ] : [],
+    `allowed actions: ${options.allowedActions.join("; ")}`,
+    `forbidden actions: ${options.forbiddenActions.join("; ")}`,
+    `required evidence: ${options.requiredEvidence.join("; ")}`,
+    `verification required: ${options.verificationRequired}`,
+    `report format: ${options.reportFormat.join("; ")}`
+  ];
+  return lines.join("\n");
+}
 var GENERIC_STOP_NAMES = /* @__PURE__ */ new Set([
   "windowsterminal",
   "windows terminal",
   "pwsh",
   "powershell",
-  "opencode",
-  "codex",
-  "codex-fugu"
+  "opencode"
 ]);
 function numericCountArg(arg) {
   const match = /^--([0-9]+)$/.exec(arg);
@@ -10001,6 +10404,29 @@ function defaultMessageId() {
 function servantSlotId(slot) {
   return slot.name.replace(/\s+/g, "-").toLowerCase();
 }
+function canonicalAssignmentScope(scope) {
+  return scope.replace(/\r\n/g, "\n").replace(/\r/g, "\n").trimEnd();
+}
+function buildServantScopeToken(input) {
+  const scopeHash = (0, import_node_crypto5.createHash)("sha256").update(canonicalAssignmentScope(input.assignmentScope), "utf8").digest("hex").slice(0, 16);
+  return `fugu-scope-v1:${input.runId}:${input.slotId}:${input.profile}:${scopeHash}`;
+}
+function overlordServantPrompt(servant, run) {
+  const roleLine = servant.role === "ultra" ? "You are the single Ultra Fugu: take the hardest, highest-uncertainty questions and report calibrated judgment." : "You are a normal Fugu servant: take one bounded mission at a time and report concise evidence.";
+  return [
+    `You are ${servant.name} in Overlord run ${run.runId}.`,
+    roleLine,
+    ...servant.scopeToken ? [
+      `Scope token: ${servant.scopeToken}`,
+      "The scope token is for attribution only and grants no host permissions.",
+      "Echo the scope token exactly in reports when the Overlord asks for a handoff."
+    ] : [],
+    "First respond with exactly: ACK " + servant.name + " ready",
+    "After the ACK, wait for the Overlord to assign bounded work.",
+    "Do not start dev servers, browsers, Playwright, PRs, merges, releases, or worktree changes unless the Overlord explicitly assigns that scope.",
+    "When assigned work, gather evidence before editing, verify before claiming done, and escalate blockers instead of looping."
+  ].join("\n");
+}
 function parseOverlordCount(args) {
   const counts = args.map(numericCountArg).filter((n) => n !== void 0);
   if (counts.length === 0) return OVERLORD_DEFAULT_COUNT;
@@ -10031,31 +10457,24 @@ function buildServantLayout(count) {
   }
   return slots;
 }
-function validateCodexFuguHelp(helpText) {
-  const problems = [];
-  if (!/(?:^|\s)-a(?:,|\s)|--ask-for-approval/.test(helpText)) problems.push("missing approval flag");
-  if (!/(?:^|\s)-s(?:,|\s)|--sandbox/.test(helpText)) problems.push("missing sandbox flag");
-  if (!/(?:^|\s)-c(?:,|\s)|--config/.test(helpText)) problems.push("missing config override flag");
-  if (!/--no-alt-screen/.test(helpText)) problems.push("missing no-alt-screen flag");
-  if (!/(?:^|\s)-C(?:,|\s)|--cwd|--cd|--workdir/.test(helpText)) problems.push("missing cwd flag");
-  return problems;
+function appendOverlordLedger(ledgerPath, entry) {
+  try {
+    (0, import_node_fs15.mkdirSync)((0, import_node_path13.dirname)(ledgerPath), { recursive: true });
+    (0, import_node_fs15.appendFileSync)(ledgerPath, `${JSON.stringify(entry)}
+`, "utf8");
+  } catch {
+  }
 }
-function evaluateCodexFuguPreflight(input) {
-  const problems = [];
-  if (!input.codexFound) problems.push("codex is not installed or not on PATH");
-  if (!input.fuguFound) problems.push("codex-fugu is not installed or not on PATH");
-  if (!input.authConfigured && !input.envNames.includes("OPENAI_API_KEY") && !input.envNames.includes("CODEX_API_KEY")) {
-    problems.push("missing API key environment: OPENAI_API_KEY or CODEX_API_KEY");
-  }
-  problems.push(...validateCodexFuguHelp(input.helpText ?? ""));
-  const status = input.statusText ?? "";
-  const modelCatalog = input.modelCatalogText ?? "";
-  if (!/\bfugu-ultra\b/i.test(`${status}
-${modelCatalog}`)) problems.push("fugu-ultra is not available");
-  if (/native windows codex[^\n]*\/c\/users|\/c\/users[^\n]*native windows codex/i.test(status)) {
-    problems.push("native Windows Codex is configured with a Git Bash /c/Users path");
+function appendServantJournal(journalPath, label, text, timestamp) {
+  if (!text || !text.trim()) return;
+  try {
+    (0, import_node_fs15.mkdirSync)((0, import_node_path13.dirname)(journalPath), { recursive: true });
+    (0, import_node_fs15.appendFileSync)(journalPath, `[${timestamp}] ${label}
+${text.trim()}
+
+`, "utf8");
+  } catch {
   }
-  return { ok: problems.length === 0, problems };
 }
 function defaultOverlordStatePath(cwd) {
   return (0, import_node_path13.join)(cwd, "tmp", "overlord", "runs.json");
@@ -10079,6 +10498,8 @@ function buildOverlordRun(options) {
   const runToken = options.runToken?.() ?? defaultRunToken();
   const statePath = defaultOverlordStatePath(options.cwd);
   const journalDir = (0, import_node_path13.join)(options.cwd, "tmp", "overlord", runId);
+  const engine = options.engine ?? OVERLORD_DEFAULT_ENGINE;
+  const provider = "sakana";
   const timestamp = isoNow(options.now);
   return {
     runId,
@@ -10090,38 +10511,33 @@ function buildOverlordRun(options) {
     worktree: options.cwd,
     statePath,
     journalDir,
-    servants: buildServantLayout(options.count).map((slot) => ({
-      ...slot,
-      slotId: servantSlotId(slot),
-      profile: "consultation",
-      state: "planned",
-      journalPath: (0, import_node_path13.join)(journalDir, `${servantSlotId(slot)}.log`),
-      composerSubmitMode: "unknown"
-    })),
+    ledgerPath: (0, import_node_path13.join)(journalDir, "ledger.jsonl"),
+    engine,
+    provider,
+    servants: buildServantLayout(options.count).map((slot) => {
+      const slotId = servantSlotId(slot);
+      const profile = "consultation";
+      return {
+        ...slot,
+        slotId,
+        profile,
+        state: "planned",
+        journalPath: (0, import_node_path13.join)(journalDir, `${slotId}.log`),
+        composerSubmitMode: "surface-api",
+        engine,
+        provider,
+        eventJournalPath: (0, import_node_path13.join)(journalDir, `${slotId}.events.jsonl`),
+        scopeToken: buildServantScopeToken({
+          runId,
+          slotId,
+          profile,
+          assignmentScope: options.task
+        })
+      };
+    }),
     ownedResources: []
   };
 }
-function recordOverlordHeartbeat(run, options) {
-  const timestamp = isoNow(options.now);
-  const controllerResource = {
-    kind: "process",
-    pid: options.controllerPid,
-    commandName: "mmi-cli overlord controller",
-    runId: run.runId,
-    runToken: run.runToken,
-    fingerprint: options.fingerprint
-  };
-  const others = run.ownedResources.filter((resource) => resource.commandName !== "mmi-cli overlord controller");
-  return {
-    ...run,
-    state: run.state === "starting" ? "active" : run.state,
-    updatedAt: timestamp,
-    controllerPid: options.controllerPid,
-    controllerFingerprint: options.fingerprint,
-    lastControllerHeartbeatAt: timestamp,
-    ownedResources: [controllerResource, ...others]
-  };
-}
 function buildOverlordStartupPlan(args, cwd) {
   const count = parseOverlordCount(args);
   const task = args.filter((arg) => numericCountArg(arg) === void 0).join(" ").trim();
@@ -10145,14 +10561,16 @@ function planStopResource(resource, context) {
 }
 function summarizeOverlordRun(run, probe) {
   const controller = run.controllerPid == null ? "not-started" : probe.isPidAlive(run.controllerPid) ? "alive" : "lost";
+  const now = probe.now?.() ?? /* @__PURE__ */ new Date();
   return {
     active: run.state !== "stopped" && run.state !== "failed",
     runId: run.runId,
     state: run.state,
     controller,
     servants: run.servants.map((servant) => {
-      if (servant.pid == null) return { name: servant.name, state: "not-started" };
-      if (!probe.isPidAlive(servant.pid)) return { name: servant.name, state: "lost" };
+      const progress = servantProgress(run, servant, now);
+      if (progress !== servant.state) return { name: servant.name, state: progress };
+      if (servant.pid != null && !probe.isPidAlive(servant.pid)) return { name: servant.name, state: "lost" };
       if (servant.state === "ready" && servant.lastAckAt && servant.composerSubmitMode !== "unknown") {
         return { name: servant.name, state: "ready" };
       }
@@ -10170,21 +10588,6 @@ function planOverlordRunStop(run) {
   }
   return { killPids, uncertain };
 }
-function controllerFingerprint(run) {
-  return `mmi-overlord-controller:${run.runId}:${run.worktree}`;
-}
-function defaultStartController(run) {
-  const scriptPath = (0, import_node_path13.join)(__dirname, "overlord-controller.cjs");
-  const fingerprint = controllerFingerprint(run);
-  const child = (0, import_node_child_process8.spawn)(process.execPath, [scriptPath, run.runId, run.statePath, fingerprint], {
-    detached: true,
-    stdio: "ignore",
-    windowsHide: true,
-    cwd: run.worktree
-  });
-  child.unref();
-  return { pid: child.pid, fingerprint };
-}
 function defaultIsPidAlive(pid) {
   if (!Number.isFinite(pid) || pid <= 0) return false;
   try {
@@ -10197,85 +10600,327 @@ function defaultIsPidAlive(pid) {
 function defaultKillPid(pid) {
   process.kill(pid);
 }
-function shellQuote2(arg) {
-  return /^[A-Za-z0-9_./:-]+$/.test(arg) ? arg : `"${arg.replace(/"/g, '\\"')}"`;
+function fuguApiTimeoutMs() {
+  const parsed = Number(process.env.MMI_OVERLORD_LLM_TIMEOUT_MS);
+  if (!Number.isFinite(parsed) || parsed <= 0) return FUGU_API_DEFAULT_TIMEOUT_MS;
+  return Math.min(Math.max(Math.trunc(parsed), 5e3), 6e5);
 }
-function boundedCommandText(command, args) {
-  const shell2 = process.platform === "win32";
-  const file = shell2 ? [command, ...args].map(shellQuote2).join(" ") : command;
-  const result = (0, import_node_child_process8.spawnSync)(file, shell2 ? [] : args, {
-    encoding: "utf8",
-    shell: shell2,
-    timeout: 5e3,
-    windowsHide: true,
-    env: {
-      ...process.env,
-      CODEX_FUGU_NO_NOTICE: "1",
-      CODEX_FUGU_NO_UPDATE: "1"
-    }
+function fuguApiStartupTimeoutMs() {
+  const workTimeout = fuguApiTimeoutMs();
+  const parsed = Number(process.env.MMI_OVERLORD_LLM_STARTUP_TIMEOUT_MS);
+  const chosen = Number.isFinite(parsed) && parsed > 0 ? Math.trunc(parsed) : FUGU_API_DEFAULT_STARTUP_TIMEOUT_MS;
+  return Math.min(Math.max(chosen, 5e3), workTimeout);
+}
+function fuguApiConfig() {
+  return {
+    baseUrl: (process.env.MMI_OVERLORD_LLM_BASE_URL ?? FUGU_API_DEFAULT_BASE_URL).replace(/\/+$/, ""),
+    apiKey: process.env.MMI_OVERLORD_LLM_API_KEY ?? process.env.SAKANA_API_KEY,
+    model: process.env.MMI_OVERLORD_LLM_MODEL ?? FUGU_API_DEFAULT_MODEL,
+    ultraModel: process.env.MMI_OVERLORD_LLM_ULTRA_MODEL ?? FUGU_API_DEFAULT_ULTRA_MODEL,
+    timeoutMs: fuguApiTimeoutMs()
+  };
+}
+function fuguApiModelForServant(config, servant) {
+  return servant.role === "ultra" ? config.ultraModel : config.model;
+}
+function fuguApiSystemMessage(servant, run) {
+  const roleLine = servant.role === "ultra" ? "You are the single Ultra Fugu servant. Take the hardest useful slice, surface risks, and give calibrated judgment." : "You are a normal Fugu servant. Take one bounded assignment at a time and report concise evidence.";
+  const contract = formatServantMissionCard({
+    mission: run.task,
+    scope: servant.role === "ultra" ? "consult on the highest-uncertainty slice assigned by the Overlord" : "consult on one bounded slice assigned by the Overlord",
+    scopeToken: servant.scopeToken,
+    allowedActions: ["inspect assigned evidence", "reason from provided context", "report findings"],
+    forbiddenActions: ["mutate files without explicit scope", "start stage/dev servers", "start browsers or Playwright", "open PRs or merges"],
+    requiredEvidence: ["cite source paths, command results, or observations when available", "separate evidence from inference"],
+    verificationRequired: "name the verification performed before any done/complete/fixed claim, or explain why verification is not applicable",
+    reportFormat: [...SERVANT_REPORT_FIELDS, "scope token"]
   });
-  const text = `${result.stdout ?? ""}
-${result.stderr ?? ""}`.trim();
-  if (result.error && result.error.code === "ENOENT") return { found: false, text };
-  return { found: !result.error, text };
+  return [
+    `You are ${servant.name} in Overlord run ${run.runId}.`,
+    roleLine,
+    "The Overlord is the only coordinator.",
+    "Do not claim ownership of the full mission.",
+    "Do not mutate files, branches, worktrees, stage/dev servers, browsers, PRs, or releases unless the Overlord explicitly grants that scope.",
+    "Gather evidence before acting.",
+    "Verify before claiming done.",
+    "Escalate blockers instead of looping.",
+    contract
+  ].join("\n");
 }
-function readFuguModelCatalogText() {
-  const codexHome = process.env.CODEX_HOME ?? (0, import_node_path13.join)((0, import_node_os3.homedir)(), ".codex");
-  const catalogPath = (0, import_node_path13.join)(codexHome, "fugu.json");
+async function collectFuguApiPreflight() {
+  const config = fuguApiConfig();
+  const problems = [];
+  if (!config.apiKey) problems.push("SAKANA_API_KEY or MMI_OVERLORD_LLM_API_KEY is not available");
+  if (!config.baseUrl) problems.push("Fugu API base URL is not configured");
+  if (!config.apiKey || !config.baseUrl) return { ok: false, problems };
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), Math.min(config.timeoutMs, 15e3));
   try {
-    return (0, import_node_fs15.existsSync)(catalogPath) ? (0, import_node_fs15.readFileSync)(catalogPath, "utf8") : "";
-  } catch {
-    return "";
+    const response = await fetch(`${config.baseUrl}/models`, {
+      method: "GET",
+      headers: { Authorization: `Bearer ${config.apiKey}` },
+      signal: controller.signal
+    });
+    if (!response.ok) {
+      problems.push(`Fugu API model probe returned HTTP ${response.status}`);
+    } else {
+      const body = await response.json();
+      const models = new Set((body.data ?? []).map((model) => model.id).filter((id) => Boolean(id)));
+      if (!models.has(config.model)) problems.push(`Fugu API model ${config.model} is not available`);
+      if (!models.has(config.ultraModel)) problems.push(`Fugu API ultra model ${config.ultraModel} is not available`);
+    }
+  } catch (e) {
+    problems.push(`Fugu API model probe failed: ${e instanceof Error ? e.message : String(e)}`);
+  } finally {
+    clearTimeout(timeout);
   }
+  return { ok: problems.length === 0, problems };
 }
-function hasCodexAuthEvidence() {
-  const codexHome = process.env.CODEX_HOME ?? (0, import_node_path13.join)((0, import_node_os3.homedir)(), ".codex");
-  return (0, import_node_fs15.existsSync)((0, import_node_path13.join)(codexHome, "auth.json"));
-}
-function collectCodexFuguPreflight() {
-  const codexHelp = boundedCommandText("codex", ["--help"]);
-  const fuguHelp = boundedCommandText("codex-fugu", ["--help"]);
-  const fuguStatus = boundedCommandText("codex-fugu", ["--status"]);
-  return evaluateCodexFuguPreflight({
-    codexFound: codexHelp.found,
-    fuguFound: fuguHelp.found,
-    helpText: fuguHelp.text || codexHelp.text,
-    statusText: fuguStatus.text,
-    modelCatalogText: readFuguModelCatalogText(),
-    authConfigured: hasCodexAuthEvidence(),
-    envNames: Object.keys(process.env)
-  });
+function mapFuguApiUsage(usage) {
+  if (!usage) return void 0;
+  const mapped = {
+    promptTokens: usage.prompt_tokens,
+    completionTokens: usage.completion_tokens,
+    totalTokens: usage.total_tokens
+  };
+  return Object.values(mapped).some((value) => typeof value === "number") ? mapped : void 0;
+}
+async function defaultRunFuguApi(run, servant, message, options) {
+  const config = fuguApiConfig();
+  if (!config.apiKey) return { ok: false, error: "SAKANA_API_KEY or MMI_OVERLORD_LLM_API_KEY is not available" };
+  const model = fuguApiModelForServant(config, servant);
+  const messages = [
+    ...servant.llmMessages ?? [{ role: "system", content: fuguApiSystemMessage(servant, run) }],
+    { role: "user", content: message }
+  ];
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), options?.timeoutMs ?? config.timeoutMs);
+  try {
+    const response = await fetch(`${config.baseUrl}/chat/completions`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${config.apiKey}`,
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({
+        model,
+        messages,
+        temperature: 0.2
+      }),
+      signal: controller.signal
+    });
+    const requestId = response.headers.get("x-request-id") ?? response.headers.get("request-id") ?? void 0;
+    const json = await response.json().catch(() => void 0);
+    if (!response.ok) {
+      return {
+        ok: false,
+        model,
+        requestId,
+        error: json?.error?.message ?? `Fugu API returned HTTP ${response.status}`,
+        retryable: response.status === 429 || response.status >= 500
+      };
+    }
+    const text = json?.choices?.[0]?.message?.content?.trim() ?? "";
+    if (!text) return { ok: false, model, requestId, error: "Fugu API returned no assistant text" };
+    return {
+      ok: true,
+      text,
+      model,
+      requestId,
+      usage: mapFuguApiUsage(json?.usage),
+      messages: [...messages, { role: "assistant", content: text }]
+    };
+  } catch (e) {
+    const aborted = e instanceof Error && e.name === "AbortError";
+    return {
+      ok: false,
+      model,
+      error: aborted ? "Fugu API request timed out" : e instanceof Error ? e.message : String(e),
+      retryable: true
+    };
+  } finally {
+    clearTimeout(timeout);
+  }
 }
-function renderCodexFuguPreflightFailure(report) {
+function renderOverlordPreflightFailure(report) {
   const lines = [
     "Overlord setup needed",
-    "The servant pool was not started because Codex/Fugu preflight failed.",
+    "The servant pool was not started because Fugu preflight failed.",
     "",
     "Problems:",
     ...report.problems.map((problem) => `- ${problem}`),
     "",
     "Fixes:"
   ];
-  if (report.problems.some((problem) => problem.includes("codex is not installed"))) {
-    lines.push("- Install or update Codex, then confirm with `codex --version`.");
-  }
-  if (report.problems.some((problem) => problem.includes("codex-fugu is not installed"))) {
-    lines.push("- Install or repair codex-fugu, then confirm with `codex-fugu --status`.");
-  }
-  if (report.problems.some((problem) => problem.includes("missing API key"))) {
-    lines.push("- Set OPENAI_API_KEY or CODEX_API_KEY in the launching shell; do not paste key values into chat.");
-  }
-  if (report.problems.some((problem) => problem.includes("fugu-ultra"))) {
-    lines.push("- Recheck or update Fugu configs so `fugu-ultra` appears in the Fugu model catalog.");
+  if (report.problems.some((problem) => problem.includes("SAKANA_API_KEY") || problem.includes("Fugu API"))) {
+    lines.push("- Confirm `SAKANA_API_KEY` is available and `https://api.sakana.ai/v1/models` is reachable.");
   }
-  if (report.problems.some((problem) => problem.includes("missing ") && problem.includes("flag"))) {
-    lines.push("- Update Codex/Fugu until `codex-fugu --help` exposes approval, sandbox, config, cwd, and no-alt-screen flags.");
-  }
-  if (report.problems.some((problem) => problem.includes("/c/Users"))) {
-    lines.push("- Launch from a native shell adapter or repair Fugu path configuration so Windows paths stay native.");
+  if (report.problems.some((problem) => problem.includes("model") || problem.includes("fugu"))) {
+    lines.push("- Confirm the configured Fugu API models are exposed by `/models`.");
   }
   return lines.join("\n");
 }
+function markServantsStarting(run, timestamp) {
+  return {
+    ...run,
+    updatedAt: timestamp,
+    servants: run.servants.map((servant) => ({
+      ...servant,
+      state: "starting"
+    }))
+  };
+}
+async function mapWithConcurrency(items, limit, worker) {
+  const results = new Array(items.length);
+  let nextIndex = 0;
+  const workerCount = Math.min(Math.max(1, limit), items.length);
+  await Promise.all(Array.from({ length: workerCount }, async () => {
+    while (true) {
+      const index = nextIndex;
+      nextIndex += 1;
+      if (index >= items.length) return;
+      results[index] = await worker(items[index]);
+    }
+  }));
+  return results;
+}
+function hasCapturedFuguApiText(result) {
+  return result.ok && Boolean(result.text?.trim());
+}
+function updateFuguApiServant(servant, result, timestamp) {
+  const captured = hasCapturedFuguApiText(result);
+  return {
+    ...servant,
+    state: captured ? "ready" : "blocked",
+    llmModel: result.model ?? servant.llmModel,
+    llmMessages: result.messages ?? servant.llmMessages,
+    llmRequestId: result.requestId ?? servant.llmRequestId,
+    lastAckAt: captured ? timestamp : servant.lastAckAt,
+    lastUsefulSignalAt: captured ? timestamp : servant.lastUsefulSignalAt,
+    lastEventAt: timestamp,
+    lastMessageCompletedAt: captured ? timestamp : servant.lastMessageCompletedAt
+  };
+}
+function defaultSleep3(ms) {
+  return new Promise((resolve6) => setTimeout(resolve6, ms));
+}
+function fuguApiRetryConfig(sleep) {
+  const parsed = Number(process.env.MMI_OVERLORD_LLM_MAX_ATTEMPTS);
+  const maxAttempts = Number.isFinite(parsed) && parsed >= 1 ? Math.min(Math.trunc(parsed), 6) : FUGU_API_DEFAULT_MAX_ATTEMPTS;
+  return { maxAttempts, baseDelayMs: FUGU_API_RETRY_BASE_MS, sleep };
+}
+function fuguApiBackoffMs(attempt, baseDelayMs) {
+  const exponential = baseDelayMs * 2 ** (attempt - 1);
+  const capped = Math.min(exponential, FUGU_API_RETRY_CAP_MS);
+  const jitter = Math.random() * capped * 0.25;
+  return Math.round(capped + jitter);
+}
+async function callFuguApiRunner(runFuguApi, run, servant, message, retry, callOptions) {
+  const maxAttempts = Math.max(1, retry?.maxAttempts ?? 1);
+  const baseDelayMs = retry?.baseDelayMs ?? FUGU_API_RETRY_BASE_MS;
+  const sleep = retry?.sleep ?? defaultSleep3;
+  let attempt = 0;
+  for (; ; ) {
+    attempt += 1;
+    let result;
+    try {
+      result = await runFuguApi(run, servant, message, callOptions);
+    } catch (e) {
+      result = { ok: false, error: e instanceof Error ? e.message : String(e), retryable: true };
+    }
+    if (result.ok || !result.retryable || attempt >= maxAttempts) {
+      return { ...result, attempts: attempt };
+    }
+    await sleep(fuguApiBackoffMs(attempt, baseDelayMs));
+  }
+}
+function seedLazyServant(servant, run, timestamp) {
+  const config = fuguApiConfig();
+  const llmMessages = servant.llmMessages ?? [{ role: "system", content: fuguApiSystemMessage(servant, run) }];
+  return {
+    ...servant,
+    state: "ready",
+    llmModel: fuguApiModelForServant(config, servant),
+    llmMessages,
+    lastAckAt: timestamp,
+    lastUsefulSignalAt: timestamp,
+    lastEventAt: timestamp
+  };
+}
+async function startFuguApiServants(run, runFuguApi, now, retry) {
+  const startupCallOptions = { timeoutMs: fuguApiStartupTimeoutMs() };
+  const verifiedTargets = run.servants.filter((servant) => servant.role !== "ultra");
+  const results = await mapWithConcurrency(verifiedTargets, overlordServantParallelism(), async (servant) => ({
+    servant,
+    result: await callFuguApiRunner(runFuguApi, run, servant, overlordServantPrompt(servant, run), retry, startupCallOptions)
+  }));
+  const timestamp = isoNow(now);
+  const bySlot = /* @__PURE__ */ new Map();
+  for (const { servant, result } of results) {
+    bySlot.set(servant.slotId, result);
+    if (run.ledgerPath) appendOverlordLedger(run.ledgerPath, { at: timestamp, kind: "servant-start", ownerSlotId: servant.slotId, ok: hasCapturedFuguApiText(result), model: result.model, requestId: result.requestId, responseText: result.text, error: result.error, usage: result.usage });
+    appendServantJournal(servant.journalPath, "consultation", result.text, timestamp);
+  }
+  const servants = run.servants.map((servant) => servant.role === "ultra" ? seedLazyServant(servant, run, timestamp) : updateFuguApiServant(servant, bySlot.get(servant.slotId) ?? { ok: false, error: "missing Fugu API result" }, timestamp));
+  return { ...run, state: "active", updatedAt: timestamp, servants };
+}
+async function dispatchFuguApiMessage(run, message, runFuguApi, now, retry) {
+  const startedAt = isoNow(now);
+  const targets = run.servants.filter((servant) => message.target === "all" || servant.slotId === message.target || normalizeServantTarget(servant.name) === message.target);
+  const results = await mapWithConcurrency(targets, overlordServantParallelism(), async (servant) => ({
+    servant,
+    result: await callFuguApiRunner(runFuguApi, run, servant, message.text, retry)
+  }));
+  const completedAt = isoNow(now);
+  const successCount = results.filter(({ result }) => hasCapturedFuguApiText(result)).length;
+  const failureCount = Math.max(0, targets.length - successCount);
+  const state = targets.length > 0 && failureCount === 0 ? "completed" : successCount > 0 && message.target === "all" ? "partial" : "failed";
+  const responses = results.filter(({ result }) => result.text).map(({ servant, result }) => `${servant.slotId}: ${result.text}`);
+  const servantResults = results.map(({ servant, result }) => {
+    if (hasCapturedFuguApiText(result)) {
+      const warning = formatHandoffWarnings(validateServantReport(result.text ?? ""));
+      return {
+        slotId: servant.slotId,
+        state: "completed",
+        responseText: result.text?.trim(),
+        handoffWarnings: warning ? [warning] : void 0,
+        usage: result.usage
+      };
+    }
+    return {
+      slotId: servant.slotId,
+      state: "failed",
+      failureReason: result.error ?? "Fugu API servant returned no text"
+    };
+  });
+  const bySlot = /* @__PURE__ */ new Map();
+  for (const { servant, result } of results) {
+    bySlot.set(servant.slotId, result);
+    if (run.ledgerPath) appendOverlordLedger(run.ledgerPath, { at: completedAt, kind: "message-response", messageId: message.id, ownerSlotId: servant.slotId, ok: hasCapturedFuguApiText(result), model: result.model, requestId: result.requestId, responseText: result.text, error: result.error, usage: result.usage });
+    appendServantJournal(servant.journalPath, `message ${message.id}`, result.text, completedAt);
+  }
+  const nextServants = run.servants.map((servant) => {
+    const result = bySlot.get(servant.slotId);
+    return result ? updateFuguApiServant(servant, result, completedAt) : servant;
+  });
+  const nextMessage = {
+    ...message,
+    state,
+    startedAt,
+    completedAt: state === "completed" || state === "partial" ? completedAt : void 0,
+    failedAt: state === "failed" ? completedAt : void 0,
+    ackText: state === "completed" ? "Fugu API response captured" : state === "partial" ? "Fugu API partial response captured" : void 0,
+    responseText: responses.join("\n"),
+    failureReason: state === "completed" ? void 0 : state === "partial" ? `${failureCount} of ${targets.length} Fugu API servant calls failed or returned no text` : "one or more Fugu API servant calls failed or returned no text",
+    servantResults
+  };
+  return {
+    ...run,
+    updatedAt: completedAt,
+    servants: nextServants,
+    messages: [...(run.messages ?? []).filter((m) => m.id !== message.id), nextMessage]
+  };
+}
 function findActiveRun(registry2) {
   const runId = registry2.activeRunId;
   if (!runId) return void 0;
@@ -10290,17 +10935,120 @@ function hasServantTarget(run, target) {
     (servant) => servant.slotId === normalized || normalizeServantTarget(servant.name) === normalized
   );
 }
-function renderOverlordStatus(summary, run) {
-  const servants = summary.servants.map((servant) => `- ${servant.name}: ${servant.state}`).join("\n");
+function messageProgress(message, now = /* @__PURE__ */ new Date(), timeoutMs = OVERLORD_HANDOFF_TIMEOUT_MS) {
+  if (message.state === "partial") return "partial";
+  if (message.completedAt || message.state === "completed") return "completed";
+  if (message.failedAt || message.state === "failed") return "failed";
+  const startedAt = message.startedAt ?? message.deliveredAt;
+  if (!startedAt) return "queued";
+  const elapsed = now.getTime() - new Date(startedAt).getTime();
+  return Number.isFinite(elapsed) && elapsed >= timeoutMs ? "stalled" : "started";
+}
+function servantProgress(run, servant, now = /* @__PURE__ */ new Date()) {
+  const relevant = (run.messages ?? []).filter((message) => message.target === "all" || servant.slotId === message.target || normalizeServantTarget(servant.name) === message.target);
+  return relevant.some((message) => messageProgress(message, now) === "stalled") ? "stalled-after-delivery" : servant.state;
+}
+function humanSafeText(text, maxLength = 160) {
+  const redacted = (text ?? "").replace(/\bBearer\s+\S+/gi, "[redacted]").replace(/\b(api[_-]?key|token|secret)=\S+/gi, "$1=[redacted]").replace(/\b(sk|sakana|mmi)[-_][A-Za-z0-9_-]{10,}\b/g, "[redacted]").replace(/\s+/g, " ").trim();
+  if (redacted.length <= maxLength) return redacted;
+  return `${redacted.slice(0, Math.max(0, maxLength - 3)).trimEnd()}...`;
+}
+function renderOverlordSendSummary(message, statePath) {
+  const results = message?.servantResults ?? [];
+  const completed = results.filter((result) => result.state === "completed").length;
+  const blocked = results.filter((result) => result.state === "failed").length;
+  const state = message?.state ?? "failed";
+  const lines = [
+    `Message: ${message?.id ?? "unknown"}`,
+    `Target: ${message?.target ?? "unknown"}`,
+    `Result: ${state} - ${completed} completed, ${blocked} blocked.`
+  ];
+  for (const result of results.filter((item) => item.state === "failed").slice(0, 3)) {
+    lines.push(`Blocked: ${result.slotId} - ${humanSafeText(result.failureReason ?? "no reason reported")}`);
+  }
+  const hidden = Math.max(0, blocked - 3);
+  if (hidden > 0) lines.push(`Blocked: +${hidden} more`);
+  lines.push(`State: ${statePath}`);
+  return lines.join("\n");
+}
+function countValues(values, value) {
+  return values.filter((item) => item === value).length;
+}
+function latestServantFailureReason(run, slotId) {
+  for (const message of [...run.messages ?? []].reverse()) {
+    const result = message.servantResults?.find((item) => item.slotId === slotId && item.state === "failed");
+    if (result?.failureReason?.trim()) return result.failureReason;
+  }
+  return void 0;
+}
+function affectedServantStatusLabel(state, reason) {
+  if (state === "stalled-after-delivery") return "Stalled";
+  if (/\btimed?\s*out\b/i.test(reason ?? "")) return "Timed out";
+  return "Blocked";
+}
+function renderOverlordStatus(summary, run, now = /* @__PURE__ */ new Date()) {
+  const servantStates = summary.servants.map((servant) => servant.state);
+  const messageStates = (run.messages ?? []).map((message) => messageProgress(message, now));
+  const activeMessages = messageStates.filter((state) => state === "queued" || state === "started" || state === "stalled").length;
+  const blockedServants = summary.servants.filter((servant) => servant.state === "blocked" || servant.state === "stalled-after-delivery");
+  const latest = (run.messages ?? []).at(-1);
+  const latestState = latest ? messageProgress(latest, now) : void 0;
   return [
     `Overlord run ${summary.runId}`,
     `State: ${summary.state}`,
-    `Task: ${run.task || "not provided yet"}`,
-    `Controller: ${summary.controller}`,
-    "Servants:",
-    servants
+    `Mission: ${humanSafeText(run.task || "not provided yet")}`,
+    `Servants: ${countValues(servantStates, "ready")} ready, ${countValues(servantStates, "blocked") + countValues(servantStates, "stalled-after-delivery")} blocked, ${countValues(servantStates, "planned")} planned.`,
+    `Messages: ${countValues(messageStates, "completed")} completed, ${countValues(messageStates, "partial")} partial, ${countValues(messageStates, "failed")} failed, ${activeMessages} active.`,
+    ...blockedServants.slice(0, 3).map((servant) => {
+      const slotId = run.servants.find((item) => item.name === servant.name)?.slotId;
+      const reason = slotId ? latestServantFailureReason(run, slotId) : void 0;
+      const label = affectedServantStatusLabel(servant.state, reason);
+      const detail = reason ?? (servant.state === "stalled-after-delivery" ? "no recent update" : void 0);
+      return `${label}: ${servant.name}${detail ? ` - ${humanSafeText(detail)}` : ""}`;
+    }),
+    ...blockedServants.length > 3 ? [`Blocked: +${blockedServants.length - 3} more`] : [],
+    ...latest && latestState ? [`Latest: ${latest.id} ${latest.target} ${latestState}${latest.failureReason ? ` - ${humanSafeText(latest.failureReason)}` : ""}`] : [],
+    `Coordinator: ${summary.controller}`
   ].join("\n");
 }
+function usefulJournalLines(text) {
+  return text.split(/\r?\n/).map((line) => line.trim()).filter((line) => line && !/^fugu\s/i.test(line) && !/^›/.test(line) && !/^\[overlord\] launched/.test(line)).slice(-20);
+}
+var HANDOFF_SIGNAL = /\b(handoff|evidence|recommend(?:ed|ation|s)?|improvement|suggest(?:ion|s)?|next action|proposal|file)\b|`[^`]+`/i;
+var HANDOFF_MIN_RESPONSE_CHARS = 12;
+function parseJournalBlocks(raw) {
+  const blocks = [];
+  let current = null;
+  for (const line of raw.split(/\r?\n/)) {
+    const header = line.match(/^\[[^\]]+\]\s+(.+)$/);
+    if (header) {
+      if (current) blocks.push(current);
+      current = { label: header[1].trim(), body: "" };
+    } else if (current) {
+      current.body += (current.body ? "\n" : "") + line;
+    }
+  }
+  if (current) blocks.push(current);
+  return blocks;
+}
+function journalHasHandoff(raw, lines) {
+  for (const block of parseJournalBlocks(raw)) {
+    if (!block.label.startsWith("message ")) continue;
+    const body = block.body.trim();
+    if (body.length >= HANDOFF_MIN_RESPONSE_CHARS) return true;
+    if (validateServantReport(body).applies) return true;
+  }
+  return lines.some((line) => HANDOFF_SIGNAL.test(line));
+}
+function servantJournalSummary(servant) {
+  try {
+    const raw = (0, import_node_fs15.readFileSync)(servant.journalPath, "utf8");
+    const lines = usefulJournalLines(raw);
+    return { lines, hasHandoff: journalHasHandoff(raw, lines) };
+  } catch {
+    return { lines: [], hasHandoff: false };
+  }
+}
 function runJson(run, extra = {}) {
   return {
     ok: true,
@@ -10308,15 +11056,23 @@ function runJson(run, extra = {}) {
     state: run.state,
     task: run.task,
     count: run.servants.length,
+    engine: run.engine,
     controllerPid: run.controllerPid,
     statePath: run.statePath,
+    ledgerPath: run.ledgerPath,
     servants: run.servants.map((servant) => ({
       name: servant.name,
       role: servant.role,
       model: servant.model,
       state: servant.state,
       pid: servant.pid,
-      journalPath: servant.journalPath
+      journalPath: servant.journalPath,
+      engine: servant.engine,
+      opencodeSessionId: servant.opencodeSessionId,
+      scopeToken: servant.scopeToken,
+      llmModel: servant.llmModel,
+      llmRequestId: servant.llmRequestId,
+      llmConversationLength: servant.llmMessages?.length
     })),
     ...extra
   };
@@ -10327,23 +11083,33 @@ function wantsJson(options, command) {
 function countArgsFromOptions(options) {
   return ["3", "4", "5", "6"].filter((key) => options[key]).map((key) => `--${key}`);
 }
+function percentile(values, p) {
+  if (values.length === 0) return 0;
+  const sorted = [...values].sort((a, b) => a - b);
+  const rank = Math.ceil(p / 100 * sorted.length);
+  return sorted[Math.min(sorted.length - 1, Math.max(0, rank - 1))];
+}
 function registerOverlordCommands(program3, deps = {}) {
   const out = deps.out ?? ((text) => process.stdout.write(text));
   const err = deps.err ?? ((text) => process.stderr.write(text));
   const cwd = deps.cwd ?? (() => process.cwd());
   const now = deps.now ?? (() => /* @__PURE__ */ new Date());
-  const preflight2 = deps.preflight ?? collectCodexFuguPreflight;
-  const startController = deps.startController ?? defaultStartController;
+  const fuguApiPreflight = deps.fuguApiPreflight ?? collectFuguApiPreflight;
+  const runFuguApi = deps.runFuguApi ?? defaultRunFuguApi;
+  const fuguApiRetry = fuguApiRetryConfig(deps.sleep ?? defaultSleep3);
   const isPidAlive = deps.isPidAlive ?? defaultIsPidAlive;
   const killPid = deps.killPid ?? defaultKillPid;
-  const overlord = program3.command("overlord").description("coordinate one Ultra and normal Fugu servants for hard org work").allowUnknownOption(true).argument("[task...]", "task for the Overlord system").option("--3", "run one Ultra and two normal Fugus").option("--4", "run one Ultra and three normal Fugus").option("--5", "run one Ultra and four normal Fugus").option("--6", "run one Ultra and five normal Fugus").option("--json", "print machine-readable output").action((task = [], options) => {
+  const overlord = program3.command("overlord").description("coordinate one Ultra and normal Fugu servants for hard org work").allowUnknownOption(true).argument("[task...]", "task for the Overlord system").option("--3", "run one Ultra and two normal Fugus").option("--4", "run one Ultra and three normal Fugus").option("--5", "run one Ultra and four normal Fugus").option("--6", "run one Ultra and five normal Fugus").option("--engine <engine>", "servant engine: fugu-api", OVERLORD_DEFAULT_ENGINE).option("--json", "print machine-readable output").action(async (task = [], options) => {
     try {
       const args = [...countArgsFromOptions(options), ...task];
       const root = cwd();
       const plan2 = buildOverlordStartupPlan(args, root);
-      const preflightReport = preflight2();
+      const engine = `${options.engine ?? OVERLORD_DEFAULT_ENGINE}`;
+      if (engine !== "fugu-api") throw new Error("--engine must be fugu-api");
+      if (!options.json) out("Starting Overlord.\nLoading run registry...\nChecking Fugu API...\n");
+      const preflightReport = await fuguApiPreflight();
       if (!preflightReport.ok) {
-        err(`${renderCodexFuguPreflightFailure(preflightReport)}
+        err(`${renderOverlordPreflightFailure(preflightReport)}
 `);
         process.exitCode = 1;
         return;
@@ -10357,30 +11123,31 @@ function registerOverlordCommands(program3, deps = {}) {
         task: plan2.task,
         cwd: root,
         count: plan2.count,
+        engine,
         now,
         runId: deps.runId,
         runToken: deps.runToken
       });
       writeOverlordRegistry(plan2.statePath, { activeRunId: run.runId, runs: { ...registry2.runs, [run.runId]: run } });
-      const controller = startController(run);
-      if (controller.pid != null) {
-        run = recordOverlordHeartbeat(run, {
-          controllerPid: controller.pid,
-          fingerprint: controller.fingerprint,
-          now
-        });
-        writeOverlordRegistry(plan2.statePath, { activeRunId: run.runId, runs: { ...registry2.runs, [run.runId]: run } });
-      }
+      if (!options.json) out(`Summoning ${run.servants.length} Fugu servants...
+Preparing conversations...
+`);
+      run = markServantsStarting(run, isoNow(now));
+      writeOverlordRegistry(plan2.statePath, { activeRunId: run.runId, runs: { ...registry2.runs, [run.runId]: run } });
+      run = await startFuguApiServants(run, runFuguApi, now, fuguApiRetry);
+      writeOverlordRegistry(plan2.statePath, { activeRunId: run.runId, runs: { ...registry2.runs, [run.runId]: run } });
       if (options.json) out(`${JSON.stringify(runJson(run, { nextPhase: "consult-servants" }), null, 2)}
 `);
       else {
+        const ready = run.servants.filter((servant) => servant.state === "ready").length;
         out(`${[
-          "Overlord startup",
-          `Task: ${run.task || "not provided yet"}`,
+          `Ready: ${ready}/${run.servants.length} servants ready.`,
+          `Mission: ${humanSafeText(run.task || "not provided yet")}`,
           `Run: ${run.runId}`,
-          `Servants: ${run.servants.length} total`,
-          `Controller: ${run.controllerPid ? `started (pid ${run.controllerPid})` : "launch requested"}`,
-          "Next: consult servants, interview the human, then print an approved todo list."
+          "Engine: Fugu API",
+          "",
+          "Overlord is idle and ready for your instruction.",
+          "Next: I will consult the servants and interview you, then propose a todo list for your approval."
         ].join("\n")}
 `);
       }
@@ -10393,7 +11160,7 @@ function registerOverlordCommands(program3, deps = {}) {
       process.exitCode = 1;
     }
   });
-  overlord.command("send").description("queue an assignment or redirect for the active Overlord servant controller").argument("<target>", "servant slot id/name, or all").argument("[message...]", "message to deliver to the servant PTY").option("--json", "print machine-readable output").action((target, message = [], options, command) => {
+  overlord.command("send").description("queue an assignment or redirect for active Overlord servant conversations").argument("<target>", "servant slot id/name, or all").argument("[message...]", "message to deliver to the servant session").option("--json", "print machine-readable output").action(async (target, message = [], options, command) => {
     const json = wantsJson(options, command);
     try {
       const statePath = defaultOverlordStatePath(cwd());
@@ -10404,27 +11171,39 @@ function registerOverlordCommands(program3, deps = {}) {
       if (!hasServantTarget(run, normalized)) throw new Error(`unknown Overlord servant target: ${target}`);
       const text = message.join(" ").trim();
       if (!text) throw new Error("message is required");
+      const timestamp = isoNow(now);
       const queued = {
         id: deps.runId?.() ?? defaultMessageId(),
         target: normalized,
         text,
-        createdAt: isoNow(now)
+        createdAt: timestamp,
+        queuedAt: timestamp,
+        state: "queued"
       };
-      const next = {
+      if (run.engine !== "fugu-api") throw new Error("active Overlord run does not use the fugu-api engine");
+      if (!json) out(`Sending assignment to ${normalized}...
+Awaiting Fugu responses...
+`);
+      const started = {
         ...run,
-        updatedAt: isoNow(now),
-        messages: [...run.messages ?? [], queued]
+        updatedAt: timestamp,
+        messages: [...(run.messages ?? []).filter((m) => m.id !== queued.id), {
+          ...queued,
+          state: "started",
+          startedAt: timestamp
+        }]
       };
-      writeOverlordRegistry(statePath, {
-        ...registry2,
-        runs: { ...registry2.runs, [run.runId]: next }
-      });
-      const payload = { queued: 1, runId: run.runId, target: normalized, messageId: queued.id, statePath };
+      writeOverlordRegistry(statePath, { ...registry2, runs: { ...registry2.runs, [run.runId]: started } });
+      const dispatched = await dispatchFuguApiMessage(started, queued, runFuguApi, now, fuguApiRetry);
+      writeOverlordRegistry(statePath, { ...registry2, runs: { ...registry2.runs, [run.runId]: dispatched } });
+      const settled = (dispatched.messages ?? []).find((m) => m.id === queued.id);
+      const ok = settled?.state === "completed" || settled?.state === "partial";
+      const payload = { ok, runId: run.runId, target: normalized, messageId: queued.id, state: settled?.state, responseText: settled?.responseText, failureReason: settled?.failureReason, servantResults: settled?.servantResults, statePath };
       if (json) out(`${JSON.stringify(payload, null, 2)}
 `);
-      else out(`Queued message ${queued.id} for ${normalized}.
-State: ${statePath}
+      else out(`${renderOverlordSendSummary(settled, statePath)}
 `);
+      if (!ok) process.exitCode = 1;
     } catch (e) {
       const messageText = e instanceof Error ? e.message : String(e);
       if (json) out(`${JSON.stringify({ ok: false, error: messageText }, null, 2)}
@@ -10448,11 +11227,77 @@ State: ${payload2.statePath}
 `);
       return;
     }
-    const summary = summarizeOverlordRun(run, { isPidAlive });
-    const payload = { ...summary, statePath, task: run.task };
+    const summary = summarizeOverlordRun(run, { isPidAlive, now });
+    const current = now();
+    const payload = {
+      ...summary,
+      statePath,
+      task: run.task,
+      engine: run.engine,
+      ledgerPath: run.ledgerPath,
+      sessions: run.servants.map((servant) => ({
+        name: servant.name,
+        slotId: servant.slotId,
+        engine: servant.engine,
+        opencodeSessionId: servant.opencodeSessionId,
+        scopeToken: servant.scopeToken,
+        llmModel: servant.llmModel,
+        llmRequestId: servant.llmRequestId,
+        llmConversationLength: servant.llmMessages?.length,
+        eventJournalPath: servant.eventJournalPath,
+        lastEventAt: servant.lastEventAt,
+        lastMessageCompletedAt: servant.lastMessageCompletedAt
+      })),
+      messages: (run.messages ?? []).map((message) => ({
+        id: message.id,
+        target: message.target,
+        state: messageProgress(message, current),
+        queuedAt: message.queuedAt ?? message.createdAt,
+        startedAt: message.startedAt ?? message.deliveredAt,
+        completedAt: message.completedAt,
+        failedAt: message.failedAt,
+        ackText: message.ackText,
+        responseText: message.responseText,
+        eventJournalPath: message.eventJournalPath,
+        failureReason: message.failureReason
+      }))
+    };
+    if (json) out(`${JSON.stringify(payload, null, 2)}
+`);
+    else out(`${renderOverlordStatus(summary, run, current)}
+State: ${statePath}
+`);
+  });
+  overlord.command("collect").description("summarize servant handoff/liveness evidence from the active Overlord journals").option("--json", "print machine-readable output").action((options, command) => {
+    const json = wantsJson(options, command);
+    const statePath = defaultOverlordStatePath(cwd());
+    const registry2 = readOverlordRegistry(statePath);
+    const run = findActiveRun(registry2);
+    if (!run) {
+      const payload2 = { active: false, statePath, message: "no active Overlord run found" };
+      if (json) out(`${JSON.stringify(payload2, null, 2)}
+`);
+      else out(`No active Overlord run found.
+State: ${payload2.statePath}
+`);
+      return;
+    }
+    const current = now();
+    const servants = run.servants.map((servant) => {
+      const journal = servantJournalSummary(servant);
+      return {
+        slotId: servant.slotId,
+        name: servant.name,
+        state: servantProgress(run, servant, current),
+        hasHandoff: journal.hasHandoff,
+        journalPath: servant.journalPath,
+        lines: journal.lines
+      };
+    });
+    const payload = { active: true, runId: run.runId, statePath, servants };
     if (json) out(`${JSON.stringify(payload, null, 2)}
 `);
-    else out(`${renderOverlordStatus(summary, run)}
+    else out(`${servants.map((servant) => `${servant.name}: ${servant.state}; handoff=${servant.hasHandoff ? "yes" : "no"}; ${servant.journalPath}`).join("\n")}
 State: ${statePath}
 `);
   });
@@ -10502,17 +11347,128 @@ State: ${payload2.statePath}
 `);
     }
   });
+  overlord.command("canary").description("native Fugu API smoke: summon a small pool, verify a bounded response, stop cleanly").option("--3", "one Ultra and two normal Fugus").option("--4", "one Ultra and three normal Fugus").option("--5", "one Ultra and four normal Fugus").option("--6", "one Ultra and five normal Fugus").option("--json", "print machine-readable output").option("--repeat <n>", "run the smoke N times and report p50/p90 elapsed latency", "1").action(async (options, command) => {
+    const json = wantsJson(options, command);
+    const repeat = Math.min(Math.max(1, Math.trunc(Number(options.repeat) || 1)), 20);
+    const countArgs = countArgsFromOptions(options);
+    try {
+      if (!json) out("Overlord canary starting.\nChecking Fugu API...\n");
+      const preflight2 = await fuguApiPreflight();
+      if (!preflight2.ok) {
+        if (json) out(`${JSON.stringify({ ok: false, phase: "preflight", problems: preflight2.problems }, null, 2)}
+`);
+        else err(`${renderOverlordPreflightFailure(preflight2)}
+`);
+        process.exitCode = 1;
+        return;
+      }
+      const runOnce = async (verbose) => {
+        const startedAtMs = now().getTime();
+        const plan2 = buildOverlordStartupPlan(countArgs, cwd());
+        let run = buildOverlordRun({ task: "overlord canary smoke", cwd: cwd(), count: plan2.count, engine: "fugu-api", now, runId: deps.runId, runToken: deps.runToken });
+        if (verbose) out(`Summoning ${run.servants.length} Fugu servants...
+`);
+        run = markServantsStarting(run, isoNow(now));
+        run = await startFuguApiServants(run, runFuguApi, now, fuguApiRetry);
+        const ready = run.servants.filter((servant) => servant.state === "ready").length;
+        const problems = [];
+        let responded = 0;
+        let evidence;
+        if (ready === run.servants.length) {
+          if (verbose) out("Sending canary probe...\n");
+          const timestamp = isoNow(now);
+          const probe = {
+            id: `${deps.runId?.() ?? defaultMessageId()}-canary`,
+            target: "all",
+            text: "Reply with the single word READY and nothing else.",
+            createdAt: timestamp,
+            queuedAt: timestamp,
+            state: "queued"
+          };
+          run = await dispatchFuguApiMessage(run, probe, runFuguApi, now, fuguApiRetry);
+          const settled = (run.messages ?? []).find((message) => message.id === probe.id);
+          const results = settled?.servantResults ?? [];
+          responded = results.filter((result) => result.state === "completed" && result.responseText?.trim()).length;
+          evidence = results.find((result) => result.responseText?.trim())?.responseText?.trim();
+          if (responded !== run.servants.length) problems.push(`only ${responded}/${run.servants.length} servants returned text`);
+        } else {
+          problems.push(`only ${ready}/${run.servants.length} servants became ready`);
+        }
+        const stopPlan = planOverlordRunStop(run);
+        for (const pid of stopPlan.killPids) {
+          try {
+            killPid(pid);
+          } catch {
+          }
+        }
+        const cleanup = { stopped: stopPlan.killPids.length, uncertain: stopPlan.uncertain.length };
+        if (cleanup.uncertain > 0) problems.push(`${cleanup.uncertain} uncertain resource(s) left untouched`);
+        return { ok: problems.length === 0, runId: run.runId, requested: run.servants.length, ready, responded, elapsedMs: Math.max(0, now().getTime() - startedAtMs), evidence, cleanup, problems };
+      };
+      const runs = [];
+      for (let i = 0; i < repeat; i += 1) {
+        if (!json && repeat > 1) out(`Canary run ${i + 1}/${repeat}...
+`);
+        runs.push(await runOnce(!json && repeat === 1));
+      }
+      if (repeat === 1) {
+        const r = runs[0];
+        if (json) out(`${JSON.stringify({ ok: r.ok, runId: r.runId, requested: r.requested, ready: r.ready, responded: r.responded, elapsedMs: r.elapsedMs, evidence: r.evidence, cleanup: r.cleanup, problems: r.problems }, null, 2)}
+`);
+        else out(`${[
+          r.ok ? "Canary OK." : "Canary FAILED.",
+          `Ready: ${r.ready}/${r.requested}; Responded: ${r.responded}/${r.requested}`,
+          `Cleanup: stopped ${r.cleanup.stopped}, uncertain ${r.cleanup.uncertain}`,
+          ...r.problems.length ? [`Problems: ${r.problems.join("; ")}`] : []
+        ].join("\n")}
+`);
+        if (!r.ok) process.exitCode = 1;
+        return;
+      }
+      const elapsed = runs.map((r) => r.elapsedMs);
+      const passes = runs.filter((r) => r.ok).length;
+      const requested = runs[0].requested;
+      const ok = passes === runs.length;
+      const summary = {
+        ok,
+        repeat,
+        passes,
+        requested,
+        elapsedMs: { p50: percentile(elapsed, 50), p90: percentile(elapsed, 90), min: Math.min(...elapsed), max: Math.max(...elapsed) },
+        readyRate: runs.reduce((sum, r) => sum + r.ready, 0) / (runs.length * requested),
+        respondedRate: runs.reduce((sum, r) => sum + r.responded, 0) / (runs.length * requested),
+        problems: runs.flatMap((r, i) => r.problems.map((problem) => `run ${i + 1}: ${problem}`))
+      };
+      if (json) out(`${JSON.stringify(summary, null, 2)}
+`);
+      else out(`${[
+        ok ? `Canary bench OK (${passes}/${repeat} passed).` : `Canary bench: ${passes}/${repeat} passed.`,
+        `Elapsed p50 ${summary.elapsedMs.p50}ms, p90 ${summary.elapsedMs.p90}ms (min ${summary.elapsedMs.min}, max ${summary.elapsedMs.max})`,
+        `Ready rate ${(summary.readyRate * 100).toFixed(0)}%, responded rate ${(summary.respondedRate * 100).toFixed(0)}%`,
+        ...summary.problems.length ? [`Problems: ${summary.problems.join("; ")}`] : []
+      ].join("\n")}
+`);
+      if (!ok) process.exitCode = 1;
+    } catch (e) {
+      const message = e instanceof Error ? e.message : String(e);
+      if (json) out(`${JSON.stringify({ ok: false, error: message }, null, 2)}
+`);
+      else err(`overlord canary: ${message}
+`);
+      process.exitCode = 1;
+    }
+  });
   return overlord;
 }
 
 // src/throttle-commands.ts
-var import_node_child_process9 = require("node:child_process");
+var import_node_child_process8 = require("node:child_process");
 var import_node_fs16 = require("node:fs");
 var import_node_path14 = require("node:path");
 var THROTTLE_TRACE_REL = (0, import_node_path14.join)(".mmi", "throttle", "trace.jsonl");
 function resolveRepoGitRoot(cwd = process.cwd()) {
   try {
-    const root = (0, import_node_child_process9.execFileSync)("git", ["-C", cwd, "rev-parse", "--show-toplevel"], {
+    const root = (0, import_node_child_process8.execFileSync)("git", ["-C", cwd, "rev-parse", "--show-toplevel"], {
       encoding: "utf8",
       timeout: 5e3
     }).trim();
@@ -10661,7 +11617,7 @@ async function syncDocs(deps, docs2 = SYNCED_DOCS) {
 }
 
 // src/board.ts
-var import_node_child_process10 = require("node:child_process");
+var import_node_child_process9 = require("node:child_process");
 var import_node_util6 = require("node:util");
 
 // src/board-priority.ts
@@ -10769,7 +11725,7 @@ async function filterDependencyBlockedClaimables(items, client, opts = {}) {
 var BOARD_STATUSES = ["Todo", "In Progress", "In Review", "Done"];
 
 // src/board.ts
-var rawExecFileP3 = (0, import_node_util6.promisify)(import_node_child_process10.execFile);
+var rawExecFileP3 = (0, import_node_util6.promisify)(import_node_child_process9.execFile);
 var BOARD_GIT_TIMEOUT_MS = 1e4;
 var WRITE_PROBE_CONCURRENCY = 8;
 var CLAIM_CONCURRENCY = 5;
@@ -12232,6 +13188,8 @@ var MANAGED_GITIGNORE_LINES = [
   // Plan scratch at ANY depth (root plans/, cli/plans/, .cursor/plans/) — AI planning docs are S3-synced
   // via `mmi-cli northstar push` / auto-save on write; never git-tracked (AGENTS.md "Repo cleanliness", #1550, #1842).
   "**/plans/",
+  // Superpowers plan/spec output is scratch too; authoritative docs live directly under docs/.
+  "docs/superpowers/",
   ".playwright-mcp/",
   ".claude/worktrees/",
   // .mmi is agent/CI scratch — ignore the WHOLE tree at any depth (root + cli/.mmi, .github/workflows/.mmi,
@@ -12776,14 +13734,14 @@ async function auditRepoCi(repo, deps) {
   if (deployableGated) {
     checks.push({
       ok: hasGateWorkflow,
-      label: "gate workflow committed",
-      detail: hasGateWorkflow ? void 0 : `missing ${PRODUCT_GATE_PATH}`,
+      label: `gate workflow committed on ${baseBranch}`,
+      detail: hasGateWorkflow ? `read ${PRODUCT_GATE_PATH} at refs/heads/${baseBranch}` : `missing ${PRODUCT_GATE_PATH} at refs/heads/${baseBranch}`,
       remediation: `mmi-cli bootstrap apply ${repo} --class deployable --execute (seeds gate.yml)`
     });
     checks.push({
       ok: await contentExists(deps, repo, baseBranch, PRODUCT_RULESET_REF),
-      label: "product ruleset reference committed",
-      detail: `expected ${PRODUCT_RULESET_REF}`,
+      label: `product ruleset reference committed on ${baseBranch}`,
+      detail: `read ${PRODUCT_RULESET_REF} at refs/heads/${baseBranch}`,
       remediation: `mmi-cli bootstrap apply ${repo} --class deployable --execute`
     });
   }
@@ -13179,9 +14137,9 @@ async function resolveAutoAddBoardAttach(client, cfg, selector, priority, warn =
 
 // src/gh-create.ts
 var import_promises5 = require("node:fs/promises");
-var import_node_os4 = require("node:os");
+var import_node_os3 = require("node:os");
 var import_node_path17 = require("node:path");
-var import_node_crypto5 = require("node:crypto");
+var import_node_crypto6 = require("node:crypto");
 var ISSUE_TYPES = ["bug", "feature", "task"];
 var GH_MUTATION_TIMEOUT_MS = 12e4;
 function timeoutKillNote(err, timeoutMs) {
@@ -13221,7 +14179,7 @@ async function bodyArgsViaFile(args, deps = {}) {
   } };
   const write = deps.write ?? import_promises5.writeFile;
   const remove = deps.remove ?? import_promises5.unlink;
-  const file = (0, import_node_path17.join)(deps.dir ?? (0, import_node_os4.tmpdir)(), `mmi-gh-body-${process.pid}-${(0, import_node_crypto5.randomBytes)(4).toString("hex")}.md`);
+  const file = (0, import_node_path17.join)(deps.dir ?? (0, import_node_os3.tmpdir)(), `mmi-gh-body-${process.pid}-${(0, import_node_crypto6.randomBytes)(4).toString("hex")}.md`);
   await write(file, args[i + 1], "utf8");
   return {
     args: [...args.slice(0, i), "--body-file", file, ...args.slice(i + 2)],
@@ -14434,7 +15392,7 @@ function designSystemSnapshot(root) {
 }
 
 // src/design-system-registry.ts
-var import_node_crypto6 = require("node:crypto");
+var import_node_crypto7 = require("node:crypto");
 var import_node_fs20 = require("node:fs");
 var import_node_path19 = require("node:path");
 var DESIGN_SYSTEM_CACHE_DIR = ".mmi/design-system/components";
@@ -14497,7 +15455,7 @@ function scanCachedComponentNames(cacheDir) {
   return [...names].sort();
 }
 function contentHash(content) {
-  return (0, import_node_crypto6.createHash)("sha256").update(content, "utf8").digest("hex");
+  return (0, import_node_crypto7.createHash)("sha256").update(content, "utf8").digest("hex");
 }
 function buildRegistryComponentsCheck(input) {
   const base = {
@@ -14657,6 +15615,17 @@ function renderVerifySecrets(body) {
   if (ssmStatus !== "Success") {
     return { lines, failure: `verify-secrets did not complete (ssm status ${ssmStatus})${body?.commandId ? ` \u2014 command ${body.commandId}` : ""}` };
   }
+  if (secrets.length === 0) {
+    const raw = (body?.raw ?? "").trim();
+    if (/no required runtime secrets declared/i.test(raw)) {
+      return { lines: [raw], failure: null };
+    }
+    const detail = raw ? ` \u2014 on-box output: ${raw.replace(/\s+/g, " ").trim()}` : "";
+    return {
+      lines: raw ? raw.split("\n") : ["verify-secrets: no per-key verdicts returned"],
+      failure: `verify-secrets returned no per-key verdicts, so nothing was verified${detail}`
+    };
+  }
   const bad = counts.mismatch + counts.missing;
   if (bad > 0) {
     return { lines, failure: `${bad} of ${secrets.length} required secret(s) not matching the vault (${counts.mismatch} mismatch, ${counts.missing} missing)` };
@@ -14665,12 +15634,12 @@ function renderVerifySecrets(body) {
 }
 
 // src/hotfix-coverage.ts
-var import_node_child_process11 = require("node:child_process");
+var import_node_child_process10 = require("node:child_process");
 var CHERRY_TRAILER = /\(cherry picked from commit ([0-9a-f]{7,40})\)/g;
 function checkHotfixCoverage(options = {}) {
   const { cwd = process.cwd(), mainRef = "origin/main", rcRef = "origin/rc", manifestPaths = [] } = options;
   const ack = (options.ack ?? []).filter(Boolean);
-  const git = options.git ?? ((args, opts) => (0, import_node_child_process11.execFileSync)("git", args, { cwd, encoding: "utf8", input: opts?.input, stdio: ["pipe", "pipe", "pipe"] }));
+  const git = options.git ?? ((args, opts) => (0, import_node_child_process10.execFileSync)("git", args, { cwd, encoding: "utf8", input: opts?.input, stdio: ["pipe", "pipe", "pipe"] }));
   const revList = (range) => {
     const out = git(["rev-list", "--no-merges", range]).trim();
     return out ? out.split("\n") : [];
@@ -15483,7 +16452,8 @@ var OVERGRANT_ROLES = /* @__PURE__ */ new Set(["admin", "maintain"]);
 var REQUIRED_DATA_ACCESS = {
   "mutmutco/MM-Chat": [{ name: "kb-projection-reader", dbRole: "kb_reader", vaultParamNeedle: "KB_READ_DB_URL" }]
 };
-function lockedBranches(repoClass) {
+function lockedBranches(repoClass, releaseTrack) {
+  if (releaseTrack) return branchesForTrack(releaseTrack);
   return repoClass === "content" ? ["main"] : ["development", "rc", "main"];
 }
 function safeJson(text, fallback) {
@@ -15610,14 +16580,15 @@ function auditDataAccessContracts(repo, contracts = { consumers: {} }) {
   }
   return findings;
 }
-async function auditRepoAccess(repo, repoClass, owners, deps, projectAdmins = /* @__PURE__ */ new Set(), dataAccess) {
+async function auditRepoAccess(repo, repoClass, owners, deps, projectAdmins = /* @__PURE__ */ new Set(), dataAccess, releaseTrack) {
   const findings = [];
   findings.push(...await auditRepoCollaborators(repo, owners, deps));
   if (dataAccess) findings.push(...auditDataAccessContracts(repo, dataAccess));
-  for (const branch of lockedBranches(repoClass)) {
+  const track = releaseTrack ?? (repoClass === "content" ? "trunk" : void 0);
+  for (const branch of lockedBranches(repoClass, track)) {
     findings.push(...await auditTrainBranch(repo, branch, owners, deps, projectAdmins));
   }
-  return { repo, class: repoClass, ok: !findings.some((f) => f.severity === "high"), findings };
+  return { repo, class: repoClass, releaseTrack: track, ok: !findings.some((f) => f.severity === "high"), findings };
 }
 async function auditOrgBasePermission(deps) {
   const org = await restJson2(deps, `orgs/${OWNER}`, {});
@@ -15638,7 +16609,7 @@ async function auditOrgAccess(targets, deps, matrix = {}, dataAccess) {
   const orgFindings = await auditOrgBasePermission(deps);
   const repos = [];
   for (const target of targets) {
-    repos.push(await auditRepoAccess(target.repo, target.class, owners, deps, new Set(entriesValueByCanonicalRepo(matrix, target.repo) ?? []), dataAccess));
+    repos.push(await auditRepoAccess(target.repo, target.class, owners, deps, new Set(entriesValueByCanonicalRepo(matrix, target.repo) ?? []), dataAccess, target.releaseTrack));
   }
   const ok = orgFindings.every((f) => f.severity !== "high") && repos.every((r) => r.ok);
   return { ok, owners: [...owners], orgFindings, repos };
@@ -15658,7 +16629,8 @@ function loadAccessTargets(projectsJson, fanoutJson) {
       seen.add(repo);
       const repoName = repo.split("/").pop()?.toLowerCase() ?? repo.toLowerCase();
       const cls = project2.class === "content" || project2.deployModel === "content" || embeddedContent.has(repo.toLowerCase()) || embeddedContent.has(repoName) || legacyContentNames.has(repo.toLowerCase()) || legacyContentNames.has(repoName) ? "content" : "deployable";
-      targets.push({ repo, class: cls });
+      const releaseTrack = cls === "content" ? "trunk" : resolveReleaseTrack(project2, void 0, repo);
+      targets.push({ repo, class: cls, releaseTrack });
     }
   }
   return targets;
@@ -15708,7 +16680,7 @@ function renderAccessReport(report) {
     if (finding.remediation) lines.push(`      ${finding.remediation}`);
   }
   for (const repo of report.repos) {
-    lines.push(`${repo.ok ? "OK" : "FLAG"} ${repo.repo} (${repo.class})`);
+    lines.push(`${repo.ok ? "OK" : "FLAG"} ${repo.repo} (${repo.class}${repo.releaseTrack ? `, ${repo.releaseTrack}` : ""})`);
     for (const finding of repo.findings) {
       lines.push(`  [${finding.severity}] ${finding.kind}${finding.branch ? ` @${finding.branch}` : ""}: ${finding.detail}`);
       if (finding.remediation) lines.push(`      ${finding.remediation}`);
@@ -16254,6 +17226,23 @@ async function fetchDeployStatusBySlug(slug, deps) {
     return null;
   }
 }
+async function fetchDeployFactsBySlug(slug, deps) {
+  if (!deps.baseUrl || !slug) return null;
+  const token = await deps.token();
+  if (!token) return null;
+  try {
+    const res = await retriedFetch(deps, `${deps.baseUrl.replace(/\/$/, "")}/projects/${encodeURIComponent(slug)}/deploy-facts`, {
+      method: "GET",
+      headers: { Authorization: `Bearer ${token}` }
+    });
+    if (!res.ok) return null;
+    const body = await res.json();
+    if (!body?.stages) return null;
+    return { slug: body.slug ?? slug, stages: body.stages };
+  } catch {
+    return null;
+  }
+}
 async function fetchOrgConfig(deps) {
   if (!deps.baseUrl) return null;
   const token = await deps.token();
@@ -16427,7 +17416,7 @@ function attestedLine(att) {
   return `App-owned readiness attested by @${att.by} on ${att.at.slice(0, 10)} \u2014 the static checklist is cleared (the doctor reads no product repo files); re-run \`mmi-cli project attest\` after app-owned structural changes.`;
 }
 var CONTRACT_UNDECLARED_LINE = "No runtime secrets declared \u2014 declare requiredRuntimeSecrets (a per-stage name map) in the registry META, or attest the app needs none with an explicit empty stage map ({ dev: [], rc: [], main: [] }).";
-function appGapsFor(meta, model, slug, projectType) {
+function appGapsFor(meta, model, slug, projectType, mainDeployFact) {
   const attested = appAttestationOf(meta);
   const isTenantWeb = !(projectType === "content" || model === "content") && projectType !== "desktop-game" && projectType !== "cli-tool" && !(projectType === "non-deployable" || model === "none") && model !== "hub-serverless" && model !== "serverless" && model !== "registry-publish";
   const contractUndeclared = isTenantWeb && Boolean(meta) && !hasRuntimeSecretContract(meta?.requiredRuntimeSecrets);
@@ -16479,8 +17468,12 @@ function appGapsFor(meta, model, slug, projectType) {
   if (slug === "mmi-katip") {
     gaps.push("Katip-specific app plan: declare Google Workspace service-account requirements, use the service account numeric OAuth2 client ID for DWD, remove prod-hidden impersonation defaults, and make non-critical Google Workspace failures degrade instead of crash-looping.");
   }
-  if ((model === "solo-container" || model === "tenant-container") && typeof meta?.portRange?.start === "number") {
-    gaps.push(`Seed DEPLOY#main healthUrl to http://127.0.0.1:${meta.portRange.start}/health during bootstrap (tenant reconcile/control health gate \u2014 #1202).`);
+  if (model === "solo-container" || model === "tenant-container") {
+    if (typeof mainDeployFact?.port === "number") {
+      gaps.push(`Seed DEPLOY#main healthUrl to http://127.0.0.1:${mainDeployFact.port}/health during bootstrap (tenant reconcile/control health gate \u2014 #1202; port read from DEPLOY#main).`);
+    } else if (!appAttestationOf(meta)) {
+      gaps.push("Seed DEPLOY#main healthUrl from the DEPLOY#main edgeVhost.port during bootstrap (tenant reconcile/control health gate \u2014 #1202); doctor has no committed DEPLOY port to cite yet.");
+    }
   }
   if (!meta) gaps.unshift("No app-owned repo changes can be planned precisely until Hub registry META exists.");
   return gaps;
@@ -16525,7 +17518,7 @@ function sameNames(a, b) {
 function sameStageContract(a, b) {
   return STAGES.every((stage2) => sameNames(a[stage2], b[stage2]));
 }
-function buildV2HealPatch(repoOrSlug, meta) {
+function buildV2HealPatch(repoOrSlug, meta, mainDeployFact) {
   const slug = slugOfRepo(repoOrSlug);
   const repo = repoFrom(repoOrSlug, slug);
   const sub = defaultSubdomain(slug);
@@ -16563,7 +17556,7 @@ function buildV2HealPatch(repoOrSlug, meta) {
       patch.requiredRuntimeSecrets = next;
     }
   }
-  const appOwnedGaps = confidentType ? appGapsFor(meta, model, slug, confidentType) : [`Project type is unset and not derivable \u2014 classify with \`mmi-cli project set ${repo} --project-type <web-app|hub-service|content|desktop-game|non-deployable|cli-tool|worker> --deploy-model <tenant-container|solo-container|hub-serverless|serverless|registry-publish|content|none>\` before heal completes the v2 fields (prevents defaulting a non-web repo to tenant-container).`];
+  const appOwnedGaps = confidentType ? appGapsFor(meta, model, slug, confidentType, mainDeployFact) : [`Project type is unset and not derivable \u2014 classify with \`mmi-cli project set ${repo} --project-type <web-app|hub-service|content|desktop-game|non-deployable|cli-tool|worker> --deploy-model <tenant-container|solo-container|hub-serverless|serverless|registry-publish|content|none>\` before heal completes the v2 fields (prevents defaulting a non-web repo to tenant-container).`];
   if (boardRegistryGaps(meta).length) appOwnedGaps.unshift(boardRegistryGapMessage(repo));
   return { slug, patch, appOwnedGaps };
 }
@@ -16608,7 +17601,8 @@ async function buildV2Doctor(repoOrSlug, deps) {
   const meta = read.project;
   const projectType = resolveProjectType(meta, repo);
   const model = resolveDeployModel(meta, repo);
-  const autoHeal = buildV2HealPatch(repo, meta);
+  const mainDeployFact = meta && deps.getDeployFact ? await deps.getDeployFact(slug, "main") : null;
+  const autoHeal = buildV2HealPatch(repo, meta, mainDeployFact);
   if (!meta) {
     const emptySecrets = {
       dev: { required: [], present: [], missing: [] },
@@ -16678,48 +17672,194 @@ async function buildV2Doctor(repoOrSlug, deps) {
     appAttested: appAttestationOf(meta) ?? void 0
   };
 }
-function renderReadinessIssueBody(existingBody, report, opts = {}) {
-  const start = "<!-- mmi-v2-readiness:start -->";
-  const end = "<!-- mmi-v2-readiness:end -->";
-  const stageLines = STAGES.map((stage2) => {
-    const coordState = report.hubOwned.deployCoords[stage2];
-    const coords = !coordState.required ? "coords n/a" : coordState.ok ? "coords ok" : "coords missing/unverified";
-    const state = report.hubOwned.deployState[stage2];
-    const statePart = !state.required ? [] : [state.ok ? "deploy state stamped" : "deploy state not stamped"];
-    const missing = report.hubOwned.secrets[stage2].missing;
-    return `- ${stage2}: ${[coords, ...statePart].join("; ")}; ${missing.length ? `missing ${missing.join(", ")}` : "required secret names present"}`;
+function renderReadinessIssueBody(existingBody, report, opts = {}) {
+  const start = "<!-- mmi-v2-readiness:start -->";
+  const end = "<!-- mmi-v2-readiness:end -->";
+  const stageLines = STAGES.map((stage2) => {
+    const coordState = report.hubOwned.deployCoords[stage2];
+    const coords = !coordState.required ? "coords n/a" : coordState.ok ? "coords ok" : "coords missing/unverified";
+    const state = report.hubOwned.deployState[stage2];
+    const statePart = !state.required ? [] : [state.ok ? "deploy state stamped" : "deploy state not stamped"];
+    const missing = report.hubOwned.secrets[stage2].missing;
+    return `- ${stage2}: ${[coords, ...statePart].join("; ")}; ${missing.length ? `missing ${missing.join(", ")}` : "required secret names present"}`;
+  });
+  const section = [
+    start,
+    "## Hub v2 readiness",
+    "",
+    `Repo: ${report.repo}`,
+    `Project type: ${report.projectType ?? "(unresolved)"}`,
+    `Deploy model: ${report.deployModel ?? "(unresolved)"}`,
+    `Overall: ${report.ok ? "ready" : "not ready"}`,
+    "",
+    "### Hub-owned diagnosis",
+    `- META: ${report.hubOwned.meta.ok ? "ok" : `missing ${report.hubOwned.meta.missing.join(", ")}`}`,
+    ...stageLines,
+    ...report.secretsError ? [`- secrets UNVERIFIED (treated as not ready): ${report.secretsError}`] : [],
+    ...(report.edgeDomainWarnings ?? []).map(
+      (w) => `- \u26A0 edge domain does not resolve in DNS (advisory): ${w.stage} \u2192 ${w.host}; verify the registry edgeDomains value against the live public host`
+    ),
+    ...(report.runtimeSecretStreamWarnings ?? []).map(
+      (w) => `- \u26A0 required secrets provisioned but not in requiredRuntimeSecrets (advisory): ${w.stage} \u2192 ${w.names.join(", ")}; add them to the registry stream list or they will not be materialized into tenant.env`
+    ),
+    "",
+    "### Auto-heal applied / available",
+    ...opts.healed?.length ? opts.healed.map((x) => `- ${x}`) : report.autoHealAvailable.map((x) => `- ${x}`),
+    "",
+    "### App-owned implementation plan",
+    ...report.appOwnedGaps.map((x) => `- ${x}`),
+    end
+  ].join("\n");
+  const re = new RegExp(`${start}[\\s\\S]*?${end}`);
+  return re.test(existingBody) ? existingBody.replace(re, section) : `${existingBody.trim()}
+
+${section}`.trim();
+}
+
+// src/readiness-audit.ts
+function publicUrlFromDeployFact(fact) {
+  return fact?.domain ? `https://${fact.domain}` : void 0;
+}
+function tenantRuntimeHints(stage2, fact, probe) {
+  const hints = [];
+  if (!fact) {
+    hints.push(`DEPLOY#${stage2} row missing or state-only; seed deploy coords before runtime audit can prove the endpoint.`);
+    return hints;
+  }
+  if (!fact.sshHostPresent && fact.substrate === "hetzner-ssh") hints.push(`DEPLOY#${stage2} has hetzner-ssh substrate but no sshHost presence; tenant-deploy cannot reach the box.`);
+  if (!fact.domain) hints.push(`DEPLOY#${stage2} has no edgeVhost.domain; Cloudflare/Caddy public URL cannot be derived.`);
+  if (typeof fact.port !== "number") hints.push(`DEPLOY#${stage2} has no edgeVhost.port; Caddy upstream/healthUrl hints cannot be checked.`);
+  if (probe?.ok === false || probe?.status != null && probe.status >= 500) hints.push("Public URL probe failed; for Cloudflare 525 check Caddy TLS/origin certificate and Cloudflare SSL mode before changing app code.");
+  if (stage2 === "rc") hints.push("rc runtime is expected to be ephemeral: present between /rcand and /release, then retired after release.");
+  return hints;
+}
+function buildTenantRuntimeStatus(input) {
+  const publicUrl = publicUrlFromDeployFact(input.deploy);
+  return {
+    repo: input.repo,
+    slug: input.slug,
+    stage: input.stage,
+    deployRowPresent: Boolean(input.deploy?.present),
+    deploy: input.deploy ?? null,
+    publicUrl,
+    publicProbe: input.publicProbe,
+    lastTenantDeployRun: input.lastTenantDeployRun,
+    expectedEphemeralRc: input.stage === "rc",
+    hints: tenantRuntimeHints(input.stage, input.deploy, input.publicProbe)
+  };
+}
+function buildFullTrackReadinessReport(input) {
+  const releaseTrack = resolveReleaseTrack(input.meta, void 0, input.repo);
+  const branches = branchesForTrack(releaseTrack);
+  const reasons = [];
+  if (releaseTrack !== "full") reasons.push(`releaseTrack resolves ${releaseTrack}; set full for development -> rc -> main`);
+  if (!input.trainAuthority?.train) reasons.push("caller does not have train authority");
+  if (!input.deployFacts?.stages.rc?.present) reasons.push("DEPLOY#rc coords missing");
+  const rcRuntime = input.runtime.rc;
+  if (rcRuntime.publicProbe?.ok === false) reasons.push("rc public endpoint probe failed");
+  return {
+    repo: input.repo,
+    slug: input.slug,
+    releaseTrack,
+    branches,
+    trainAuthority: input.trainAuthority,
+    deployFacts: input.deployFacts,
+    rcand: { canApply: reasons.length === 0, reasons },
+    runtime: input.runtime
+  };
+}
+
+// src/oauth.ts
+var DEFAULT_DOMAINS = ["mutatismutandis.co", "mutmut.co"];
+var DEFAULT_CALLBACK_PATH = "/api/auth/callback";
+var ENV_PREFIXES = ["", "dev", "rc"];
+var LOOPBACK = ["http://localhost", "http://127.0.0.1"];
+var SSM_ENVS = ["dev", "rc", "main"];
+var SSM_NAMES = ["GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET"];
+var uniq = (xs) => [...new Set(xs)];
+function defaultSubdomain2(slug) {
+  const i = slug.indexOf("-");
+  return i === -1 ? slug : slug.slice(i + 1);
+}
+function expectedHosts(cfg) {
+  const out = [];
+  for (const sub of cfg.subdomains) {
+    for (const domain of cfg.domains) {
+      const base = sub ? `${sub}.${domain}` : domain;
+      for (const env of ENV_PREFIXES) out.push(env ? `${env}.${base}` : base);
+    }
+  }
+  if (cfg.fofuSubdomain !== void 0) {
+    out.push(cfg.fofuSubdomain ? `${cfg.fofuSubdomain}.fofu.ai` : "fofu.ai");
+  }
+  return uniq(out);
+}
+function expectedJsOrigins(cfg) {
+  return uniq([...expectedHosts(cfg).map((h) => `https://${h}`), ...LOOPBACK]);
+}
+function expectedRedirectUris(cfg) {
+  const { callbackPath } = cfg;
+  return uniq([
+    ...expectedHosts(cfg).map((h) => `https://${h}${callbackPath}`),
+    ...LOOPBACK.map((l) => `${l}${callbackPath}`)
+  ]);
+}
+function oauthSsmKeys() {
+  return SSM_ENVS.flatMap((env) => SSM_NAMES.map((name) => `${env}/${name}`));
+}
+function parseOauthClientJson(input) {
+  let parsed;
+  try {
+    parsed = JSON.parse(input);
+  } catch {
+    throw new Error('not valid JSON \u2014 pipe the Google client JSON (the Console "Download JSON" file)');
+  }
+  const root = parsed ?? {};
+  const obj = root.web ?? root.installed ?? parsed;
+  const clientId = typeof obj?.client_id === "string" ? obj.client_id.trim() : "";
+  const clientSecret = typeof obj?.client_secret === "string" ? obj.client_secret.trim() : "";
+  if (!clientId || !clientSecret) {
+    throw new Error("missing client_id or client_secret in the JSON");
+  }
+  return { clientId, clientSecret };
+}
+function parseOauthConfig(mmiConfig, slug) {
+  const rawUnknown = mmiConfig?.oauth;
+  if (rawUnknown === void 0) throw new Error(`oauth is not configured for ${slug}`);
+  if (!rawUnknown || typeof rawUnknown !== "object" || Array.isArray(rawUnknown)) {
+    throw new Error("oauth must be an object when configured");
+  }
+  const raw = rawUnknown;
+  const subdomains = Array.isArray(raw.subdomains) && raw.subdomains.length > 0 ? raw.subdomains.map(String) : [defaultSubdomain2(slug)];
+  const domains = Array.isArray(raw.domains) && raw.domains.length > 0 ? raw.domains.map(String) : [...DEFAULT_DOMAINS];
+  const callbackPath = typeof raw.callbackPath === "string" && raw.callbackPath ? raw.callbackPath : DEFAULT_CALLBACK_PATH;
+  if (!callbackPath.startsWith("/")) {
+    throw new Error(`oauth.callbackPath must start with "/" (got ${JSON.stringify(callbackPath)})`);
+  }
+  if (callbackPath !== DEFAULT_CALLBACK_PATH) {
+    throw new Error(`oauth.callbackPath must be "${DEFAULT_CALLBACK_PATH}" (got ${JSON.stringify(callbackPath)})`);
+  }
+  const meta = mmiConfig ?? {};
+  const rawFofuSub = raw.fofuSubdomain;
+  const fofuSubdomain = meta.fofuEnabled === true ? typeof rawFofuSub === "string" ? rawFofuSub : defaultSubdomain2(slug) : void 0;
+  return { subdomains, domains, callbackPath, fofuSubdomain };
+}
+function probeRedirectUri(callbackPath, port = 9123) {
+  return `http://localhost:${port}${callbackPath}`;
+}
+function buildAuthorizeProbeUrl(clientId, redirectUri) {
+  const qs = new URLSearchParams({
+    client_id: clientId,
+    redirect_uri: redirectUri,
+    response_type: "code",
+    scope: "openid email",
+    access_type: "offline",
+    prompt: "consent"
   });
-  const section = [
-    start,
-    "## Hub v2 readiness",
-    "",
-    `Repo: ${report.repo}`,
-    `Project type: ${report.projectType ?? "(unresolved)"}`,
-    `Deploy model: ${report.deployModel ?? "(unresolved)"}`,
-    `Overall: ${report.ok ? "ready" : "not ready"}`,
-    "",
-    "### Hub-owned diagnosis",
-    `- META: ${report.hubOwned.meta.ok ? "ok" : `missing ${report.hubOwned.meta.missing.join(", ")}`}`,
-    ...stageLines,
-    ...report.secretsError ? [`- secrets UNVERIFIED (treated as not ready): ${report.secretsError}`] : [],
-    ...(report.edgeDomainWarnings ?? []).map(
-      (w) => `- \u26A0 edge domain does not resolve in DNS (advisory): ${w.stage} \u2192 ${w.host}; verify the registry edgeDomains value against the live public host`
-    ),
-    ...(report.runtimeSecretStreamWarnings ?? []).map(
-      (w) => `- \u26A0 required secrets provisioned but not in requiredRuntimeSecrets (advisory): ${w.stage} \u2192 ${w.names.join(", ")}; add them to the registry stream list or they will not be materialized into tenant.env`
-    ),
-    "",
-    "### Auto-heal applied / available",
-    ...opts.healed?.length ? opts.healed.map((x) => `- ${x}`) : report.autoHealAvailable.map((x) => `- ${x}`),
-    "",
-    "### App-owned implementation plan",
-    ...report.appOwnedGaps.map((x) => `- ${x}`),
-    end
-  ].join("\n");
-  const re = new RegExp(`${start}[\\s\\S]*?${end}`);
-  return re.test(existingBody) ? existingBody.replace(re, section) : `${existingBody.trim()}
-
-${section}`.trim();
+  return `https://accounts.google.com/o/oauth2/v2/auth?${qs.toString()}`;
+}
+function authorizeBodyHasMismatch(body) {
+  return /redirect_uri_mismatch/i.test(body);
 }
 
 // src/project-set.ts
@@ -16843,7 +17983,7 @@ function parseOauthVar(raw) {
   try {
     parsed = JSON.parse(raw);
   } catch {
-    throw new Error('project set: oauth must be JSON, e.g. {"subdomains":["app"],"domains":["example.co"],"callbackPath":"/auth/callback"}');
+    throw new Error(`project set: oauth must be JSON, e.g. {"subdomains":["app"],"domains":["example.co"],"callbackPath":"${DEFAULT_CALLBACK_PATH}"}`);
   }
   if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
     throw new Error("project set: oauth must be a {subdomains,domains,callbackPath,fofuSubdomain} object");
@@ -16858,7 +17998,11 @@ function parseOauthVar(raw) {
       out[key] = value.map((v) => v.trim());
     } else if (key === "callbackPath") {
       if (typeof value !== "string" || !value.trim()) throw new Error("project set: oauth.callbackPath must be a non-empty string");
-      out.callbackPath = value.trim();
+      const callbackPath = value.trim();
+      if (callbackPath !== DEFAULT_CALLBACK_PATH) {
+        throw new Error(`project set: oauth.callbackPath must be "${DEFAULT_CALLBACK_PATH}" (got ${JSON.stringify(callbackPath)})`);
+      }
+      out.callbackPath = callbackPath;
     } else if (key === "fofuSubdomain") {
       if (typeof value !== "string") throw new Error('project set: oauth.fofuSubdomain must be a string ("" selects the apex fofu.ai)');
       out.fofuSubdomain = value.trim();
@@ -17196,14 +18340,14 @@ function parseKbTree(stdout, prefix) {
 
 // src/northstar-commands.ts
 var import_node_fs22 = require("node:fs");
-var import_node_child_process12 = require("node:child_process");
+var import_node_child_process11 = require("node:child_process");
 var import_promises6 = require("node:fs/promises");
 var planSyncDetached = false;
 function detachPlanSync() {
   if (planSyncDetached) return;
   planSyncDetached = true;
   try {
-    (0, import_node_child_process12.spawn)(process.execPath, [process.argv[1], "northstar", "sync", "--quiet"], {
+    (0, import_node_child_process11.spawn)(process.execPath, [process.argv[1], "northstar", "sync", "--quiet"], {
       detached: true,
       stdio: "ignore",
       windowsHide: true,
@@ -17289,12 +18433,13 @@ function openInEditor(path2) {
     return;
   }
   try {
-    (0, import_node_child_process12.spawn)(editor, [path2], { stdio: "inherit" });
+    (0, import_node_child_process11.spawn)(editor, [path2], { stdio: "inherit" });
   } catch {
     console.log(`open ${path2} manually`);
   }
 }
 async function withPlan(quiet, run, io = consoleIo) {
+  if (!await requireContinuityAccess("northstar", { quiet }, io)) return;
   const cfg = await loadConfig();
   if (!cfg.sagaApiUrl) {
     if (!quiet) fail("plan: Hub API URL not configured");
@@ -17303,6 +18448,7 @@ async function withPlan(quiet, run, io = consoleIo) {
   await run(makePlanDeps(cfg, io));
 }
 async function runPlanAutosave(io = consoleIo, opts = {}) {
+  if (!await requireContinuityAccess("northstar", { quiet: opts.quiet }, io)) return [];
   const cfg = await loadConfig();
   if (!cfg.sagaApiUrl) {
     if (!opts.quiet) fail("plan: Hub API URL not configured");
@@ -17640,6 +18786,11 @@ async function secretsList(deps, opts) {
   const { secrets } = await res.json();
   deps.log(formatSecretList(secrets ?? []));
 }
+var CAPABILITIES_TIMEOUT_MS = 2e4;
+function isTimeoutError(e) {
+  const name = e?.name;
+  return name === "TimeoutError" || name === "AbortError";
+}
 function formatCapabilities(r) {
   const head = `@${r.login} on ${r.repo} \u2014 ${r.role}`;
   const items = [...r.capabilities ?? []].sort((a, b) => a.scope.localeCompare(b.scope));
@@ -17670,10 +18821,15 @@ async function secretsCapabilities(deps, opts) {
     res = await deps.fetch(`${deps.apiUrl}/secrets/capabilities?${qs}`, {
       method: "GET",
       headers: await deps.headers(),
-      signal: AbortSignal.timeout(TIMEOUT_MS2)
+      signal: AbortSignal.timeout(CAPABILITIES_TIMEOUT_MS)
     });
   } catch (e) {
-    deps.err(`access capabilities: ${e.message}`);
+    const message = e.message;
+    if (isTimeoutError(e)) {
+      deps.err(`access capabilities: timed out after ${CAPABILITIES_TIMEOUT_MS}ms while aggregating vault scopes for ${repo}. No access conclusion was made; retry with a warm Hub or run scoped reads such as \`mmi-cli secrets list --repo ${repo}\` while investigating the slow source.`);
+      return;
+    }
+    deps.err(`access capabilities: ${message}`);
     return;
   }
   if (!res.ok) {
@@ -18297,102 +19453,12 @@ function registerEdgeCommands(program3) {
   });
 }
 
-// src/oauth.ts
-var DEFAULT_DOMAINS = ["mutatismutandis.co", "mutmut.co"];
-var DEFAULT_CALLBACK_PATH = "/api/auth/callback";
-var ENV_PREFIXES = ["", "dev", "rc"];
-var LOOPBACK = ["http://localhost", "http://127.0.0.1"];
-var SSM_ENVS = ["dev", "rc", "main"];
-var SSM_NAMES = ["GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET"];
-var uniq = (xs) => [...new Set(xs)];
-function defaultSubdomain2(slug) {
-  const i = slug.indexOf("-");
-  return i === -1 ? slug : slug.slice(i + 1);
-}
-function expectedHosts(cfg) {
-  const out = [];
-  for (const sub of cfg.subdomains) {
-    for (const domain of cfg.domains) {
-      const base = sub ? `${sub}.${domain}` : domain;
-      for (const env of ENV_PREFIXES) out.push(env ? `${env}.${base}` : base);
-    }
-  }
-  if (cfg.fofuSubdomain !== void 0) {
-    out.push(cfg.fofuSubdomain ? `${cfg.fofuSubdomain}.fofu.ai` : "fofu.ai");
-  }
-  return uniq(out);
-}
-function expectedJsOrigins(cfg) {
-  return uniq([...expectedHosts(cfg).map((h) => `https://${h}`), ...LOOPBACK]);
-}
-function expectedRedirectUris(cfg) {
-  const { callbackPath } = cfg;
-  return uniq([
-    ...expectedHosts(cfg).map((h) => `https://${h}${callbackPath}`),
-    ...LOOPBACK.map((l) => `${l}${callbackPath}`)
-  ]);
-}
-function oauthSsmKeys() {
-  return SSM_ENVS.flatMap((env) => SSM_NAMES.map((name) => `${env}/${name}`));
-}
-function parseOauthClientJson(input) {
-  let parsed;
-  try {
-    parsed = JSON.parse(input);
-  } catch {
-    throw new Error('not valid JSON \u2014 pipe the Google client JSON (the Console "Download JSON" file)');
-  }
-  const root = parsed ?? {};
-  const obj = root.web ?? root.installed ?? parsed;
-  const clientId = typeof obj?.client_id === "string" ? obj.client_id.trim() : "";
-  const clientSecret = typeof obj?.client_secret === "string" ? obj.client_secret.trim() : "";
-  if (!clientId || !clientSecret) {
-    throw new Error("missing client_id or client_secret in the JSON");
-  }
-  return { clientId, clientSecret };
-}
-function parseOauthConfig(mmiConfig, slug) {
-  const rawUnknown = mmiConfig?.oauth;
-  if (rawUnknown === void 0) throw new Error(`oauth is not configured for ${slug}`);
-  if (!rawUnknown || typeof rawUnknown !== "object" || Array.isArray(rawUnknown)) {
-    throw new Error("oauth must be an object when configured");
-  }
-  const raw = rawUnknown;
-  const subdomains = Array.isArray(raw.subdomains) && raw.subdomains.length > 0 ? raw.subdomains.map(String) : [defaultSubdomain2(slug)];
-  const domains = Array.isArray(raw.domains) && raw.domains.length > 0 ? raw.domains.map(String) : [...DEFAULT_DOMAINS];
-  const callbackPath = typeof raw.callbackPath === "string" && raw.callbackPath ? raw.callbackPath : DEFAULT_CALLBACK_PATH;
-  if (!callbackPath.startsWith("/")) {
-    throw new Error(`oauth.callbackPath must start with "/" (got ${JSON.stringify(callbackPath)})`);
-  }
-  const meta = mmiConfig ?? {};
-  const rawFofuSub = raw.fofuSubdomain;
-  const fofuSubdomain = meta.fofuEnabled === true ? typeof rawFofuSub === "string" ? rawFofuSub : defaultSubdomain2(slug) : void 0;
-  return { subdomains, domains, callbackPath, fofuSubdomain };
-}
-function probeRedirectUri(callbackPath, port = 9123) {
-  return `http://localhost:${port}${callbackPath}`;
-}
-function buildAuthorizeProbeUrl(clientId, redirectUri) {
-  const qs = new URLSearchParams({
-    client_id: clientId,
-    redirect_uri: redirectUri,
-    response_type: "code",
-    scope: "openid email",
-    access_type: "offline",
-    prompt: "consent"
-  });
-  return `https://accounts.google.com/o/oauth2/v2/auth?${qs.toString()}`;
-}
-function authorizeBodyHasMismatch(body) {
-  return /redirect_uri_mismatch/i.test(body);
-}
-
 // src/doctor-run.ts
 var import_node_fs28 = require("node:fs");
-var import_node_child_process14 = require("node:child_process");
+var import_node_child_process13 = require("node:child_process");
 var import_promises7 = require("node:fs/promises");
 var import_node_path25 = require("node:path");
-var import_node_os6 = require("node:os");
+var import_node_os5 = require("node:os");
 
 // src/plugin-guard.ts
 function buildPluginGuardDecision(i) {
@@ -18412,9 +19478,9 @@ function buildGuardSessionStartLine(state, opts = {}) {
 }
 
 // src/cursor-plugin-seed.ts
-var import_node_child_process13 = require("node:child_process");
+var import_node_child_process12 = require("node:child_process");
 var import_node_fs24 = require("node:fs");
-var import_node_os5 = require("node:os");
+var import_node_os4 = require("node:os");
 var import_node_path22 = require("node:path");
 var import_node_util7 = require("node:util");
 function isSemverVersion(v) {
@@ -18423,7 +19489,7 @@ function isSemverVersion(v) {
 var MMI_HUB_REPO = "mutmutco/MMI-Hub";
 var CURSOR_THIRD_PARTY_STATE_KEY = "cursor/thirdPartyExtensibilityEnabled";
 var PLUGIN_JSON_REL = ".cursor-plugin/plugin.json";
-var execFileBuffer = (0, import_node_util7.promisify)(import_node_child_process13.execFile);
+var execFileBuffer = (0, import_node_util7.promisify)(import_node_child_process12.execFile);
 function gitFetchReleaseTagArgs(hubCheckout, tag) {
   return ["-C", hubCheckout, "fetch", "origin", "tag", tag, "--quiet"];
 }
@@ -18432,13 +19498,13 @@ function ghReleaseTarballApiArgs(tag) {
 }
 function cursorUserGlobalStatePath() {
   if (process.platform === "win32") {
-    const base = process.env.APPDATA || (0, import_node_path22.join)((0, import_node_os5.homedir)(), "AppData", "Roaming");
+    const base = process.env.APPDATA || (0, import_node_path22.join)((0, import_node_os4.homedir)(), "AppData", "Roaming");
     return (0, import_node_path22.join)(base, "Cursor", "User", "globalStorage", "state.vscdb");
   }
   if (process.platform === "darwin") {
-    return (0, import_node_path22.join)((0, import_node_os5.homedir)(), "Library", "Application Support", "Cursor", "User", "globalStorage", "state.vscdb");
+    return (0, import_node_path22.join)((0, import_node_os4.homedir)(), "Library", "Application Support", "Cursor", "User", "globalStorage", "state.vscdb");
   }
-  return (0, import_node_path22.join)((0, import_node_os5.homedir)(), ".config", "Cursor", "User", "globalStorage", "state.vscdb");
+  return (0, import_node_path22.join)((0, import_node_os4.homedir)(), ".config", "Cursor", "User", "globalStorage", "state.vscdb");
 }
 async function readCursorThirdPartyExtensibilityEnabled(execFileP5) {
   const dbPath = cursorUserGlobalStatePath();
@@ -18594,6 +19660,17 @@ function buildContinuityFreshnessCheck(input) {
     fix: `local branch work is newer than ${stale.join(" + ")} continuity; run ${commands.join(" and ")}`
   };
 }
+function buildContinuityRestrictionNotice(input) {
+  const login = input.login?.trim() || "unknown";
+  return {
+    ok: true,
+    label: "saga / North Star continuity (Jervaise-only)",
+    fix: `continuity tools (saga, North Star, /handoff) are restricted to ${CONTINUITY_OWNER_LOGIN}; not available to ${login}. Your durable record is the board issue, PR, git history, and MM-KB. Hooks no-op these verbs for you and SessionStart omits the continuity steps. If stray local continuity state exists (.mmi/.session, .mmi/saga-pending.jsonl), remove it with: mmi-cli gc --scratch --apply (safe: it never touches config.json or a live queue).`
+  };
+}
+function continuityDoctorCheckForLogin(login) {
+  return login?.trim().toLowerCase() === CONTINUITY_OWNER_LOGIN ? "freshness" : "restriction";
+}
 var MMI_PLUGIN_ID = "mmi@mutmutco";
 var LEGACY_MMI_PLUGIN_ID = "mmi@mmi";
 var LEGACY_MMI_MARKETPLACE = "mmi";
@@ -19553,7 +20630,7 @@ function buildBrowserArtifactsCheck(input) {
   };
 }
 var KB_DRIFT_ADVISORY_LABEL = "KB registry-fact drift (advisory)";
-var KB_DRIFT_ADVISORY_FIX = "review kb-drift report on Hub (`node infra/saga-io.mjs get kb-drift/<date>.json`) and kb-keeper weekly digest; registry-owned facts belong in `mmi-cli project get`, not copied literals in MM-KB";
+var KB_DRIFT_ADVISORY_FIX = "review kb-drift report on Hub (`node infra/saga-io.mjs get kb-drift/<date>.json`); registry-owned facts belong in `mmi-cli project get`, not copied literals in MM-KB";
 function buildKbDriftAdvisoryCheck(input) {
   const base = {
     ok: true,
@@ -20036,7 +21113,7 @@ function reexecMmiCli(args) {
       }
     };
     const env = { ...process.env, [DOCTOR_POST_SELF_UPDATE_ENV]: "1" };
-    const child = isWin ? (0, import_node_child_process14.spawn)("cmd.exe", ["/c", "mmi-cli", ...args], { stdio: "inherit", env }) : (0, import_node_child_process14.spawn)("mmi-cli", args, { stdio: "inherit", env });
+    const child = isWin ? (0, import_node_child_process13.spawn)("cmd.exe", ["/c", "mmi-cli", ...args], { stdio: "inherit", env }) : (0, import_node_child_process13.spawn)("mmi-cli", args, { stdio: "inherit", env });
     child.on("error", () => done(-1));
     child.on("exit", (code) => done(code ?? 0));
   });
@@ -20093,7 +21170,7 @@ async function applyPluginHeal(token, surface, log, opts) {
 }
 var installedPluginsPath = (surface = detectSurface(process.env)) => {
   const homeDir = surface === "codex" ? ".codex" : ".claude";
-  return (0, import_node_path25.join)((0, import_node_os6.homedir)(), homeDir, "plugins", "installed_plugins.json");
+  return (0, import_node_path25.join)((0, import_node_os5.homedir)(), homeDir, "plugins", "installed_plugins.json");
 };
 function readInstalledPlugins(surface = detectSurface(process.env)) {
   try {
@@ -20108,13 +21185,13 @@ function snapshotPluginGuardInput(surface = detectSurface(process.env), isOrgRep
   return {
     isOrgRepo,
     installRecordPresent: hasUserInstallRecord(installed, MMI_PLUGIN_ID) || hasProjectInstallRecord(installed, MMI_PLUGIN_ID, process.cwd()),
-    marketplaceClonePresent: (0, import_node_fs28.existsSync)((0, import_node_path25.join)((0, import_node_os6.homedir)(), homeDir, "plugins", "marketplaces", "mutmutco")),
-    pluginCachePresent: (0, import_node_fs28.existsSync)((0, import_node_path25.join)((0, import_node_os6.homedir)(), homeDir, "plugins", "cache", "mutmutco", "mmi"))
+    marketplaceClonePresent: (0, import_node_fs28.existsSync)((0, import_node_path25.join)((0, import_node_os5.homedir)(), homeDir, "plugins", "marketplaces", "mutmutco")),
+    pluginCachePresent: (0, import_node_fs28.existsSync)((0, import_node_path25.join)((0, import_node_os5.homedir)(), homeDir, "plugins", "cache", "mutmutco", "mmi"))
   };
 }
 function installedPluginSources() {
   return ["claude", "codex"].map((surface) => {
-    const recordPath = (0, import_node_path25.join)((0, import_node_os6.homedir)(), `.${surface}`, "plugins", "installed_plugins.json");
+    const recordPath = (0, import_node_path25.join)((0, import_node_os5.homedir)(), `.${surface}`, "plugins", "installed_plugins.json");
     try {
       return { surface, installed: JSON.parse((0, import_node_fs28.readFileSync)(recordPath, "utf8")), recordPath };
     } catch {
@@ -20169,7 +21246,7 @@ function backupAndWriteInstalledPlugins(records, pluginId) {
   }
 }
 function opencodeConfigDir() {
-  return (0, import_node_path25.join)((0, import_node_os6.homedir)(), ".config", "opencode");
+  return (0, import_node_path25.join)((0, import_node_os5.homedir)(), ".config", "opencode");
 }
 function opencodeConfigPath() {
   return (0, import_node_path25.join)(opencodeConfigDir(), "opencode.jsonc");
@@ -20255,7 +21332,7 @@ function writeOpencodeCommandFiles() {
 function readOpencodeAdapterDiskVersion() {
   const candidates = [
     (0, import_node_path25.join)(opencodeConfigDir(), "node_modules", "@mutmutco", "opencode-mmi", "package.json"),
-    (0, import_node_path25.join)((0, import_node_os6.homedir)(), ".cache", "opencode", "node_modules", "@mutmutco", "opencode-mmi", "package.json")
+    (0, import_node_path25.join)((0, import_node_os5.homedir)(), ".cache", "opencode", "node_modules", "@mutmutco", "opencode-mmi", "package.json")
   ];
   for (const path2 of candidates) {
     try {
@@ -20290,13 +21367,13 @@ function opencodePluginVersionsForReport() {
 }
 function opencodeDesktopLogsRoot() {
   if (process.platform === "win32") {
-    const base = process.env.APPDATA || (0, import_node_path25.join)((0, import_node_os6.homedir)(), "AppData", "Roaming");
+    const base = process.env.APPDATA || (0, import_node_path25.join)((0, import_node_os5.homedir)(), "AppData", "Roaming");
     return (0, import_node_path25.join)(base, "ai.opencode.desktop", "logs");
   }
   if (process.platform === "darwin") {
-    return (0, import_node_path25.join)((0, import_node_os6.homedir)(), "Library", "Application Support", "ai.opencode.desktop", "logs");
+    return (0, import_node_path25.join)((0, import_node_os5.homedir)(), "Library", "Application Support", "ai.opencode.desktop", "logs");
   }
-  return (0, import_node_path25.join)((0, import_node_os6.homedir)(), ".config", "ai.opencode.desktop", "logs");
+  return (0, import_node_path25.join)((0, import_node_os5.homedir)(), ".config", "ai.opencode.desktop", "logs");
 }
 function opencodeDesktopBootstrapSnapshot() {
   const root = opencodeDesktopLogsRoot();
@@ -20312,7 +21389,7 @@ function opencodeDesktopBootstrapSnapshot() {
   }
 }
 function opencodeLegacyConfigSnapshot() {
-  const legacyPath = (0, import_node_path25.join)((0, import_node_os6.homedir)(), ".opencode", "opencode.json");
+  const legacyPath = (0, import_node_path25.join)((0, import_node_os5.homedir)(), ".opencode", "opencode.json");
   if (!(0, import_node_fs28.existsSync)(legacyPath)) return {};
   const content = readTextFile(legacyPath);
   if (content == null) return {};
@@ -20333,7 +21410,7 @@ function quarantineOpencodeLegacyConfig(legacyPath) {
   }
 }
 function cursorPluginCacheRoot() {
-  return (0, import_node_path25.join)((0, import_node_os6.homedir)(), ".cursor", "plugins", "cache", "mutmutco", "mmi");
+  return (0, import_node_path25.join)((0, import_node_os5.homedir)(), ".cursor", "plugins", "cache", "mutmutco", "mmi");
 }
 function cursorPluginCachePinSnapshots() {
   const root = cursorPluginCacheRoot();
@@ -20379,8 +21456,8 @@ function hubCheckoutForCursorSeed() {
 }
 function mmiPluginCacheRootSnapshots() {
   const roots = [
-    { surface: "claude", root: (0, import_node_path25.join)((0, import_node_os6.homedir)(), ".claude", "plugins", "cache", "mutmutco", "mmi") },
-    { surface: "codex", root: (0, import_node_path25.join)((0, import_node_os6.homedir)(), ".codex", "plugins", "cache", "mutmutco", "mmi") }
+    { surface: "claude", root: (0, import_node_path25.join)((0, import_node_os5.homedir)(), ".claude", "plugins", "cache", "mutmutco", "mmi") },
+    { surface: "codex", root: (0, import_node_path25.join)((0, import_node_os5.homedir)(), ".codex", "plugins", "cache", "mutmutco", "mmi") }
   ];
   return roots.flatMap(({ surface, root }) => {
     try {
@@ -20444,7 +21521,7 @@ async function clearNestedPluginTreeDir(targetPath) {
   try {
     if (!(0, import_node_fs28.existsSync)(targetPath)) return true;
     if (isWin) {
-      const emptyDir = (0, import_node_path25.join)((0, import_node_os6.tmpdir)(), `mmi-empty-${Date.now()}`);
+      const emptyDir = (0, import_node_path25.join)((0, import_node_os5.tmpdir)(), `mmi-empty-${Date.now()}`);
       (0, import_node_fs28.mkdirSync)(emptyDir, { recursive: true });
       try {
         await robocopyMirrorEmpty(emptyDir, targetPath);
@@ -20482,7 +21559,7 @@ function readTextFile(path2) {
 }
 function playwrightMcpConfigSnapshots() {
   const cwd = process.cwd();
-  const home = (0, import_node_os6.homedir)();
+  const home = (0, import_node_os5.homedir)();
   const candidates = [
     (0, import_node_path25.join)(cwd, ".mcp.json"),
     (0, import_node_path25.join)(cwd, ".cursor", "mcp.json"),
@@ -20995,7 +22072,7 @@ async function runDoctor(opts, io = consoleIo) {
       releasedVersion,
       hubCheckout: hubCheckoutForCursorSeed(),
       execFileP: execFileP2,
-      mkdtemp: (prefix) => (0, import_promises7.mkdtemp)((0, import_node_path25.join)((0, import_node_os6.tmpdir)(), prefix)),
+      mkdtemp: (prefix) => (0, import_promises7.mkdtemp)((0, import_node_path25.join)((0, import_node_os5.tmpdir)(), prefix)),
       log: (m) => io.err(m)
     });
     if (seeded) {
@@ -21087,15 +22164,19 @@ async function runDoctor(opts, io = consoleIo) {
     }
   }
   if (runExtended && !opts.banner) {
-    const continuity = readContinuityStamp();
-    checks.push(
-      buildContinuityFreshnessCheck({
-        isOrgRepo: Boolean(cfg.sagaApiUrl),
-        latestWorkAt: await latestBranchWorkAt(),
-        lastSagaNoteAt: continuity.lastSagaNoteAt,
-        lastNorthstarAt: latestNorthstarContinuityAt()
-      })
-    );
+    if (continuityDoctorCheckForLogin(login) === "freshness") {
+      const continuity = readContinuityStamp();
+      checks.push(
+        buildContinuityFreshnessCheck({
+          isOrgRepo: Boolean(cfg.sagaApiUrl),
+          latestWorkAt: await latestBranchWorkAt(),
+          lastSagaNoteAt: continuity.lastSagaNoteAt,
+          lastNorthstarAt: latestNorthstarContinuityAt()
+        })
+      );
+    } else {
+      checks.push(buildContinuityRestrictionNotice({ login: login?.trim() }));
+    }
   }
   if (runExtended) {
     const dashboardConsumer = await resolveDashboardConsumer(cfg);
@@ -21193,7 +22274,7 @@ function mergeGuardHook(settings) {
   next.hooks = hooks;
   return next;
 }
-var userScopeSettingsPath = (surface = detectSurface(process.env)) => (0, import_node_path25.join)((0, import_node_os6.homedir)(), surface === "codex" ? ".codex" : ".claude", "settings.json");
+var userScopeSettingsPath = (surface = detectSurface(process.env)) => (0, import_node_path25.join)((0, import_node_os5.homedir)(), surface === "codex" ? ".codex" : ".claude", "settings.json");
 function ensureUserScopeGuardHook(opts = {}) {
   const path2 = opts.settingsPath ?? userScopeSettingsPath();
   try {
@@ -21407,7 +22488,7 @@ async function requireFreshTrainCli(commandName) {
   throw new Error(`running mmi-cli ${report.currentVersion} is stale against released ${report.releasedVersion}; run doctor/update first so ${commandName} uses the current train path`);
 }
 var program2 = new Command();
-program2.name("mmi-cli").description("MMI Future CLI \u2014 org rules delivery, saga, KB. The engine the plugin SessionStart hook drives.").version(resolveClientVersion()).showHelpAfterError("(run `mmi-cli commands` to list every subcommand + its flags, or `mmi-cli commands --json` to ground against it)");
+program2.name("mmi-cli").description("MMI Future CLI \u2014 org rules delivery, Jervaise-only continuity, KB. The engine the plugin SessionStart hook drives.").version(resolveClientVersion()).showHelpAfterError("(run `mmi-cli commands` to list every subcommand + its flags, or `mmi-cli commands --json` to ground against it)");
 async function runRulesSync(opts, io = consoleIo) {
   const cfg = await loadConfig();
   if (isRulesSource(cfg.orgRulesSource)) {
@@ -21650,7 +22731,7 @@ function runWorktreeInstall(command, cwd, quiet) {
   const file = isWin2 ? "cmd.exe" : bin;
   const spawnArgs = isWin2 ? ["/c", bin, ...args] : args;
   return new Promise((resolve6, reject) => {
-    const child = (0, import_node_child_process15.spawn)(file, spawnArgs, { cwd, stdio: quiet ? "ignore" : "inherit", windowsHide: true });
+    const child = (0, import_node_child_process14.spawn)(file, spawnArgs, { cwd, stdio: quiet ? "ignore" : "inherit", windowsHide: true });
     const timer = setTimeout(() => {
       try {
         child.kill();
@@ -21868,7 +22949,7 @@ function scheduleRelatedDiscovery(o) {
   try {
     const args = ["issue", "discover-related", "--number", String(o.number), "--title", o.title, "--body", o.body];
     if (o.repo) args.push("--repo", o.repo);
-    (0, import_node_child_process15.spawn)(process.execPath, [process.argv[1], ...args], {
+    (0, import_node_child_process14.spawn)(process.execPath, [process.argv[1], ...args], {
       detached: true,
       stdio: "ignore",
       windowsHide: true,
@@ -21877,7 +22958,7 @@ function scheduleRelatedDiscovery(o) {
   } catch {
   }
 }
-var northstar = program2.command("northstar").description("North Star \u2014 your cross-device plans/SSOTs (S3-backed, git-clean)");
+var northstar = program2.command("northstar").description("North Star \u2014 Jervaise-only cross-device plans/SSOTs (S3-backed, git-clean)");
 registerNorthStarCommands(northstar);
 var plan = program2.command("plan").description("Alias for `northstar` (deprecated \u2014 use `northstar`)");
 plan.hook("preAction", () => {
@@ -21903,7 +22984,7 @@ tenant.command("control <owner/repo> <stage> <action>").description("run bounded
   try {
     const result = await runTenantControl(trainApplyDeps(), { repo, stage: stage2, action, watch: o.watch });
     if (!o.json && action === "verify-secrets" && result.secrets) {
-      const body = { ok: result.conclusion === "success", secrets: result.secrets, ssmStatus: result.conclusion === "success" ? "Success" : "Failed" };
+      const body = { ok: result.conclusion === "success", secrets: result.secrets, ssmStatus: result.conclusion === "success" ? "Success" : "Failed", raw: result.secretsRaw };
       const { lines, failure } = renderVerifySecrets(body);
       for (const line of lines) printLine(line);
       if (failure) return failGraceful(`tenant control ${stage2} verify-secrets: ${failure}`);
@@ -21917,6 +22998,20 @@ tenant.command("control <owner/repo> <stage> <action>").description("run bounded
     return failGraceful(`tenant control: ${e.message}`);
   }
 });
+tenant.command("status <owner/repo> <stage>").description("read tenant runtime readiness without dispatching tenant-control: DEPLOY row, last deploy run, public URL probe, and TLS/Caddy/Cloudflare hints").option("--json", "machine-readable output").action(async (repo, stage2, _o) => {
+  if (!["dev", "rc", "main"].includes(stage2)) return fail("tenant status: <stage> must be dev, rc, or main");
+  const cfg = await loadConfig();
+  const result = await buildTenantRuntimeStatusFor(repo, stage2, cfg);
+  console.log(JSON.stringify(result, null, 2));
+  if (result.publicProbe?.ok === false) process.exitCode = 1;
+});
+tenant.command("readiness <owner/repo> <stage>").description("alias for tenant status: read-only tenant runtime readiness").option("--json", "machine-readable output").action(async (repo, stage2, _o) => {
+  if (!["dev", "rc", "main"].includes(stage2)) return fail("tenant readiness: <stage> must be dev, rc, or main");
+  const cfg = await loadConfig();
+  const result = await buildTenantRuntimeStatusFor(repo, stage2, cfg);
+  console.log(JSON.stringify(result, null, 2));
+  if (result.publicProbe?.ok === false) process.exitCode = 1;
+});
 tenant.command("redeploy <owner/repo> <stage>").description("re-dispatch the central tenant-deploy.yml for an already-promoted ref (no re-tag/merge); train-authority gated").option("--ref <ref>", "ref to deploy (defaults to the stage branch rc/main \u2014 the promoted ref)").option("--watch", "block on the dispatched run and report its outcome (gh run watch --exit-status)").option("--json", "machine-readable output").action(async (repo, stage2, o) => {
   if (stage2 !== "rc" && stage2 !== "main") return fail("tenant redeploy: <stage> must be rc or main");
   try {
@@ -21959,6 +23054,44 @@ async function resolveDnsBounded(host, timeoutMs = 3e3) {
   });
   return Promise.race([probe, timeout]);
 }
+async function probeHttpBounded(url, timeoutMs = 5e3) {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), timeoutMs);
+  timeout.unref?.();
+  try {
+    const res = await fetch(url, { method: "GET", signal: controller.signal });
+    return { ok: res.ok, status: res.status };
+  } catch (e) {
+    return { ok: false, error: e.message };
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function lastWorkflowRun(workflow) {
+  try {
+    const out = await execFileP2("gh", ["run", "list", "--repo", HUB_REPO3, "--workflow", workflow, "--limit", "1", "--json", "databaseId,url,status,conclusion,headBranch,headSha,createdAt"], { timeout: 2e4 });
+    const rows = JSON.parse(out.stdout || "[]");
+    return rows[0];
+  } catch {
+    return void 0;
+  }
+}
+async function buildTenantRuntimeStatusFor(target, stage2, cfg) {
+  const slug = slugOf(target);
+  const reg = registryClientDeps(cfg);
+  const facts = await fetchDeployFactsBySlug(slug, reg);
+  const deploy = facts?.stages[stage2] ?? null;
+  const publicUrl = publicUrlFromDeployFact(deploy);
+  const publicProbe = publicUrl ? await probeHttpBounded(publicUrl) : void 0;
+  return buildTenantRuntimeStatus({
+    repo: target,
+    slug,
+    stage: stage2,
+    deploy,
+    publicProbe,
+    lastTenantDeployRun: await lastWorkflowRun("tenant-deploy.yml")
+  });
+}
 async function v2ReadinessDeps(cfg) {
   const reg = registryClientDeps(cfg);
   return {
@@ -21973,6 +23106,11 @@ async function v2ReadinessDeps(cfg) {
       const status = await fetchDeployStatusBySlug(slug, reg);
       return Boolean(status?.deployState[stage2]);
     },
+    getDeployFact: async (slug, stage2) => {
+      const facts = await fetchDeployFactsBySlug(slug, reg);
+      const fact = facts?.stages[stage2];
+      return fact ? { port: fact.port, domain: fact.domain } : null;
+    },
     listSecrets: async (targetRepo2) => {
       const apiUrl = cfg.sagaApiUrl;
       if (!apiUrl) throw new Error("Hub API URL not configured \u2014 cannot verify secret names (set sagaApiUrl)");
@@ -22060,7 +23198,7 @@ deploys run centrally (tenant-deploy.yml); product repos carry no deploy files.
   }
 });
 project.command("resolve <owner/repo>").description("deploy coords for a stage \u2014 for diagnosis. NOTE: /deploy-coords is OIDC-gated (a deploy job\u2019s id-token), so a gh-token CLI cannot read it from a dev machine").option("--stage <main|rc>", "deploy stage", "main").option("--json", "machine-readable output").action((_repoOrRepo, o) => {
-  const msg = "project resolve: deploy coords are served only to a deploy workflow (GitHub OIDC id-token, repo-scoped). A gh-token CLI on a dev machine cannot read /deploy-coords; inspect the DEPLOY# item via a master registry (DDB) read instead.";
+  const msg = "project resolve: deploy coords are served only to a deploy workflow (GitHub OIDC id-token, repo-scoped). A gh-token CLI on a dev machine cannot read /deploy-coords; inspect nonsecret DEPLOY facts with `mmi-cli project deploy get`. Full coords stay OIDC-gated.";
   if (o.json) {
     console.log(JSON.stringify({ ok: false, stage: o.stage, error: msg }));
     process.exitCode = 1;
@@ -22068,6 +23206,37 @@ project.command("resolve <owner/repo>").description("deploy coords for a stage \
   }
   fail(msg);
 });
+var projectDeploy = project.command("deploy").description("read nonsecret DEPLOY# facts (domain, port, deploy path, substrate, host presence)");
+projectDeploy.command("get [owner/repo]").description("read nonsecret DEPLOY# facts for one project; defaults to the current repo").option("--stage <stage>", "dev | rc | main").option("--json", "machine-readable output").action(async (repoOrSlug, o) => {
+  const cfg = await loadConfig();
+  let target;
+  try {
+    target = await projectTarget("project deploy get", repoOrSlug);
+  } catch (e) {
+    return fail(e.message);
+  }
+  const out = await fetchDeployFactsBySlug(slugOf(target), registryClientDeps(cfg));
+  if (!out) return failGraceful(`project deploy get: Hub deploy facts read failed for ${target}`);
+  const stage2 = o.stage?.trim();
+  if (stage2 && !["dev", "rc", "main"].includes(stage2)) return fail("project deploy get: --stage must be dev, rc, or main");
+  const payload = stage2 ? { slug: out.slug, stage: stage2, deploy: out.stages[stage2] ?? null } : out;
+  console.log(JSON.stringify(payload));
+});
+projectDeploy.command("list [owner/repo]").description("alias for project deploy get; lists all stages by default").option("--stage <stage>", "dev | rc | main").option("--json", "machine-readable output").action(async (repoOrSlug, o) => {
+  const cfg = await loadConfig();
+  let target;
+  try {
+    target = await projectTarget("project deploy list", repoOrSlug);
+  } catch (e) {
+    return fail(e.message);
+  }
+  const out = await fetchDeployFactsBySlug(slugOf(target), registryClientDeps(cfg));
+  if (!out) return failGraceful(`project deploy list: Hub deploy facts read failed for ${target}`);
+  const stage2 = o.stage?.trim();
+  if (stage2 && !["dev", "rc", "main"].includes(stage2)) return fail("project deploy list: --stage must be dev, rc, or main");
+  const payload = stage2 ? { slug: out.slug, stage: stage2, deploy: out.stages[stage2] ?? null } : out;
+  console.log(JSON.stringify(payload));
+});
 project.command("doctor [owner/repo]").description("diagnose Hub v2 readiness for a repo without reading product repo files \u2014 appOwnedGaps are advisory templates; clear them with `project attest`; defaults to the current repo").option("--v2", "compatibility flag; v2 readiness is the default").option("--json", "machine-readable output").action(async (repo, _o) => {
   const cfg = await loadConfig();
   let target;
@@ -22160,6 +23329,31 @@ project.command("set [owner/repo]").description("upsert project META (idempotent
   const res = await upsertProject(slug, { ...patch, repo }, registryClientDeps(cfg));
   return reportWrite("project set", res);
 });
+var fullTrack = program2.command("full-track").description("direct-to-full-track readiness audits");
+fullTrack.command("readiness <owner/repo>").description("aggregate branch topology, train authority, deploy facts, endpoint health, and rcand readiness for direct -> full switches").option("--json", "machine-readable output").action(async (repo, _o) => {
+  const cfg = await loadConfig();
+  const reg = registryClientDeps(cfg);
+  const slug = slugOf(repo);
+  const [metaRead, deployFacts, authority, dev, rc, main] = await Promise.all([
+    fetchProjectBySlugChecked(slug, reg),
+    fetchDeployFactsBySlug(slug, reg),
+    fetchTrainAuthority(repo, reg),
+    buildTenantRuntimeStatusFor(repo, "dev", cfg),
+    buildTenantRuntimeStatusFor(repo, "rc", cfg),
+    buildTenantRuntimeStatusFor(repo, "main", cfg)
+  ]);
+  if (!metaRead.ok) return failGraceful(`full-track readiness: Hub registry read failed (${metaRead.error})`);
+  const report = buildFullTrackReadinessReport({
+    repo,
+    slug,
+    meta: metaRead.project,
+    deployFacts,
+    trainAuthority: authority.ok ? authority.authority : void 0,
+    runtime: { dev, rc, main }
+  });
+  console.log(JSON.stringify(report, null, 2));
+  if (!report.rcand.canApply) process.exitCode = 1;
+});
 project.command("set-deploy [owner/repo]").description("write the DEPLOY#<stage> Hetzner deploy coords for a tenant (master-only) \u2014 the explicit-coords path that seeds a freshly-bootstrapped tenant; defaults to the current repo").requiredOption("--stage <stage>", "dev | rc | main").option("--ssh-host <host>", "the box address the deploy ssh-es into (required for hetzner-ssh)").option("--ssh-user <user>", "ssh user (default root)").option("--port <port>", "loopback port the container binds / Caddy upstream (1..65535)").option("--substrate <substrate>", "hetzner-ssh (default)").option("--deploy-path <path>", "on-box per-stage release root (default /opt/mmi/<slug>/<stage>)").option("--service <name>", "systemd/compose service name (default the slug)").option("--domain <domain>", "canonical serving host (default the project edgeDomains[stage])").option("--alias <domain...>", "extra serving hostname the box Caddy answers (repeatable)").option("--json", "machine-readable output").action(async (repoOrSlug, o) => {
   const cfg = await loadConfig();
   let target;
@@ -22891,7 +24085,7 @@ async function remoteBranchExists2(branch, options = {}) {
 }
 var COMPOSE_TIMEOUT_MS = 12e4;
 function spawnDeferredGcSweep() {
-  spawnDetachedSelf(["gc", "sweep-deferred", "--quiet"], { spawn: import_node_child_process15.spawn, execPath: process.execPath, scriptPath: process.argv[1] });
+  spawnDetachedSelf(["gc", "sweep-deferred", "--quiet"], { spawn: import_node_child_process14.spawn, execPath: process.execPath, scriptPath: process.argv[1] });
 }
 async function createDeferredWorktreeStore() {
   try {
@@ -23590,7 +24784,7 @@ async function resolveRcandPlanTargets() {
   }
 }
 for (const commandName of ["rcand", "release"]) {
-  program2.command(commandName).description(`plan ${commandName} train operations; mutations require explicit master-admin approval`).option("--json", "machine-readable output").option("--watch", "block on the deploy/publish workflow runs and report their outcomes").option("--apply", "execute the guarded master-only train after explicit approval").option("--announce-summary-file <path>", "release only: agent-curated summary lines for the Hub Slack announcement (#883)").option("--ack <shas>", "release only: comma-separated dev shas a human verified are in the candidate, overriding the hotfix-coverage guard for a conflicted port whose -x trailer was lost (#958)").option("--dev", "release only: full-track repos release development -> main directly, skipping rc (refuses if rc carries content not in development; no-op on direct-track repos) (#1062)").action(async (o) => {
+  program2.command(commandName).description(`plan ${commandName} train operations; mutations require explicit master-admin approval`).option("--json", "machine-readable output").option("--watch", "block on the deploy/publish workflow runs and report their outcomes").option("--apply", "execute the guarded master-only train after explicit approval").option("--announce-summary-file <path>", "release only: agent-curated summary lines for the Hub Slack announcement (#883)").option("--ack <shas>", "release only: comma-separated dev shas a human verified are in the candidate, overriding the hotfix-coverage guard for a conflicted port whose -x trailer was lost (#958)").option("--dev", "release only: full-track repos release development -> main directly, skipping rc (refuses if rc carries content not in development; no-op on direct-track repos) (#1062)").option("--repo <owner/repo>", "dry-run plan for a target repo without relying on the current checkout; --apply still uses the current checkout").action(async (o) => {
     try {
       await requireFreshTrainCli(commandName);
     } catch (e) {
@@ -23602,6 +24796,9 @@ for (const commandName of ["rcand", "release"]) {
     if (o.dev && commandName !== "release") {
       return fail("--dev applies only to release: it ships development -> main skipping rc, which rcand cannot do");
     }
+    if (o.apply && o.repo) {
+      return fail(`${commandName}: --repo is read-only for dry-run planning; --apply must run from the target repo checkout`);
+    }
     if (o.apply) {
       try {
         const ack = (o.ack ?? "").split(",").map((s) => s.trim()).filter(Boolean);
@@ -23611,8 +24808,8 @@ for (const commandName of ["rcand", "release"]) {
         return failGraceful(`${commandName}: ${e.message}`);
       }
     }
-    const repo = await resolveRepo();
-    const targets = commandName === "rcand" ? await resolveRcandPlanTargets() : void 0;
+    const repo = o.repo ?? await resolveRepo();
+    const targets = commandName === "rcand" && !o.repo ? await resolveRcandPlanTargets() : void 0;
     let releaseTrack;
     if (repo) {
       try {
@@ -24026,7 +25223,9 @@ access.command("audit").description("audit collaborator roles + train-branch pus
   const registryProjects = await fetchProjectsList(registryClientDeps(cfg));
   if (o.repo) {
     if (o.class !== "deployable" && o.class !== "content") return failGraceful("access audit: --class must be deployable or content");
-    targets = [{ repo: o.repo, class: o.class }];
+    const meta = registryProjects?.find((project2) => (project2.repos ?? []).some((repo) => repo.toLowerCase() === o.repo.toLowerCase())) ?? null;
+    const repoClass = o.class;
+    targets = [{ repo: o.repo, class: repoClass, releaseTrack: repoClass === "content" ? "trunk" : resolveReleaseTrack(meta, void 0, o.repo) }];
   } else {
     const projectsJson = registryProjects ? JSON.stringify({ projects: registryProjects }) : (0, import_node_fs29.existsSync)("projects.json") ? (0, import_node_fs29.readFileSync)("projects.json", "utf8") : null;
     if (!projectsJson) return failGraceful("access audit: no project registry \u2014 Hub API unreachable and projects.json not found; run from the MMI-Hub repo root or pass --repo <owner/repo>");
@@ -24126,85 +25325,90 @@ program2.command("doctor").description("check onboarding gates and auto-heal CLI
 ));
 program2.command("guard").description("detect a pruned/unresolved MMI plugin on disk; loud one-line stderr at session start").option("--session-start", "run in user-scope SessionStart mode").action((opts) => runGuard({ sessionStart: opts.sessionStart }));
 program2.command("plugin-heal").description("reinstall + re-enable the MMI plugin (recover from a marketplace prune)").action(() => runPluginHeal());
-program2.command("session-start").description("run the SessionStart verbs (rules sync, saga session+show, saga health, whoami, doctor, plan-store check) in one process; docs sync runs detached").action(async () => {
+program2.command("session-start").description("run the SessionStart verbs (rules sync, Jervaise-only continuity, whoami, doctor, plan-store check) in one process; docs sync runs detached").action(async () => {
   if (isInsideRepoSubdir(process.cwd())) {
     console.error("[mmi-hook] session-start: cwd is a repository SUBDIRECTORY \u2014 skipping the SessionStart hook (spine/docs/plan/saga delivery); run it from the repo root.");
     return;
   }
   if (!isOrgRepoRoot(process.cwd())) return;
-  try {
-    const hook = parseHookInput(await readStdin());
-    if (hook.session_id) persistSession(hook.session_id);
-  } catch (e) {
-    console.error(`[mmi-hook] saga session failed: ${e.message}`);
+  const continuityEnabled = (await continuityAccess().catch(() => ({ allowed: false }))).allowed;
+  if (continuityEnabled) {
+    try {
+      const hook = parseHookInput(await readStdin());
+      if (hook.session_id) persistSession(hook.session_id);
+    } catch (e) {
+      console.error(`[mmi-hook] saga session failed: ${e.message}`);
+    }
   }
-  spawnDetachedSelf(["docs", "sync", "--quiet"], { spawn: import_node_child_process15.spawn, execPath: process.execPath, scriptPath: process.argv[1] });
+  spawnDetachedSelf(["docs", "sync", "--quiet"], { spawn: import_node_child_process14.spawn, execPath: process.execPath, scriptPath: process.argv[1] });
   spawnDeferredGcSweep();
   let northstarInjected = false;
-  const { parallel, sequential } = buildSessionStartPlan({
-    rulesSync: (io) => runRulesSync({ quiet: true }, io),
-    sagaShow: (io) => runSagaShow({ quiet: true }, io),
-    handoffOffer: (io) => runHandoffOffer(io, { fast: true }),
-    coopPending: (io) => runCoopPendingBanner(io),
-    northstarContext: async (io) => {
-      const cfg = await loadConfig();
-      if (!cfg.sagaApiUrl) return;
-      const planDeps = makePlanDeps(cfg, io);
-      northstarInjected = await runNorthstarContext(io, {
-        loadPlans: () => scopedPlanList(planDeps),
-        readLocal: (slug) => planDeps.readLocal(slug),
-        // #1812: thread the saga HEAD's North Star anchor (its NEXT slug) into the relevance gate so
-        // the plan the agent is actively on is force-injected even on a generic branch with no token
-        // overlap. fetchSagaHead errors are swallowed via a silent io — a missing/failed HEAD just
-        // falls back to token-overlap scoring, never noises or blocks the banner.
-        gatherSignals: () => gatherRelevanceSignals({
-          anchorSlug: () => fetchSagaHead({ log: () => {
-          }, err: () => {
-          } }).then((h) => h?.anchor?.slug ?? void 0)
-        })
-      });
-    },
-    sagaHealth: (io) => runSagaHealth({ banner: true, quiet: true }, io),
-    // whoami (#879): surface the resolved human so agents act --for them without asking. Silent
-    // when unknown — a missing gh login must not noise or fail the banner.
-    whoami: async (io) => {
-      const report = await resolveWhoami({
-        hubSession: async () => hubAuthSession({ baseUrl: (await loadConfig()).sagaApiUrl ?? defaultHubUrl(), githubToken }),
-        ghLogin: githubLogin
-      });
-      const line = whoamiLine(report);
-      if (line) io.log(line);
-    },
-    boardSlice: (io) => runBoardSlice(io, {
-      loadConfig: () => loadConfigForRepo(),
-      readBoard,
-      // #1813: warm the slice cache out-of-band (detached, like docs sync) so the ~20s live read
-      // never costs banner time and next session's glance renders instantly within budget.
-      scheduleRefresh: () => spawnDetachedSelf(["board", "slice-refresh", "--quiet"], { spawn: import_node_child_process15.spawn, execPath: process.execPath, scriptPath: process.argv[1] })
-    }),
-    spineReconcile: async (io) => {
-      const cfg = await loadConfig();
-      const isSource = isRulesSource(cfg.orgRulesSource);
-      if (!isSource && !await isOrgRegisteredRepo(cfg)) return;
-      const restored = await restoreDirtyOrgSpineToHead(
-        { run: async (cmd, args) => (await execFileP2(cmd, args, { timeout: GIT_TIMEOUT_MS })).stdout },
-        { isRulesSource: isSource }
-      );
-      if (restored.length) {
-        io.log(`[mmi] reset ${restored.length} org-delivered file(s) to your branch \u2014 pull latest base to refresh (${restored.join(", ")})`);
-      }
+  const { parallel, sequential } = buildSessionStartPlan(
+    {
+      rulesSync: (io) => runRulesSync({ quiet: true }, io),
+      sagaShow: (io) => runSagaShow({ quiet: true }, io),
+      handoffOffer: (io) => runHandoffOffer(io, { fast: true }),
+      coopPending: (io) => runCoopPendingBanner(io),
+      northstarContext: async (io) => {
+        const cfg = await loadConfig();
+        if (!cfg.sagaApiUrl) return;
+        const planDeps = makePlanDeps(cfg, io);
+        northstarInjected = await runNorthstarContext(io, {
+          loadPlans: () => scopedPlanList(planDeps),
+          readLocal: (slug) => planDeps.readLocal(slug),
+          // #1812: thread the saga HEAD's North Star anchor (its NEXT slug) into the relevance gate so
+          // the plan the agent is actively on is force-injected even on a generic branch with no token
+          // overlap. fetchSagaHead errors are swallowed via a silent io — a missing/failed HEAD just
+          // falls back to token-overlap scoring, never noises or blocks the banner.
+          gatherSignals: () => gatherRelevanceSignals({
+            anchorSlug: () => fetchSagaHead({ log: () => {
+            }, err: () => {
+            } }).then((h) => h?.anchor?.slug ?? void 0)
+          })
+        });
+      },
+      sagaHealth: (io) => runSagaHealth({ banner: true, quiet: true }, io),
+      // whoami (#879): surface the resolved human so agents act --for them without asking. Silent
+      // when unknown — a missing gh login must not noise or fail the banner.
+      whoami: async (io) => {
+        const report = await resolveWhoami({
+          hubSession: async () => hubAuthSession({ baseUrl: (await loadConfig()).sagaApiUrl ?? defaultHubUrl(), githubToken }),
+          ghLogin: githubLogin
+        });
+        const line = whoamiLine(report);
+        if (line) io.log(line);
+      },
+      boardSlice: (io) => runBoardSlice(io, {
+        loadConfig: () => loadConfigForRepo(),
+        readBoard,
+        // #1813: warm the slice cache out-of-band (detached, like docs sync) so the ~20s live read
+        // never costs banner time and next session's glance renders instantly within budget.
+        scheduleRefresh: () => spawnDetachedSelf(["board", "slice-refresh", "--quiet"], { spawn: import_node_child_process14.spawn, execPath: process.execPath, scriptPath: process.argv[1] })
+      }),
+      spineReconcile: async (io) => {
+        const cfg = await loadConfig();
+        const isSource = isRulesSource(cfg.orgRulesSource);
+        if (!isSource && !await isOrgRegisteredRepo(cfg)) return;
+        const restored = await restoreDirtyOrgSpineToHead(
+          { run: async (cmd, args) => (await execFileP2(cmd, args, { timeout: GIT_TIMEOUT_MS })).stdout },
+          { isRulesSource: isSource }
+        );
+        if (restored.length) {
+          io.log(`[mmi] reset ${restored.length} org-delivered file(s) to your branch \u2014 pull latest base to refresh (${restored.join(", ")})`);
+        }
+      },
+      doctor: (io) => runDoctor({ banner: true }, io)
     },
-    doctor: (io) => runDoctor({ banner: true }, io)
-  });
+    { continuityEnabled }
+  );
   await runSessionStart(parallel, sequential, consoleIo);
-  consoleIo.log(northstarPointer(northstarInjected));
+  for (const line of sessionStartContinuityLines({ continuityEnabled, northstarInjected, cwd: process.cwd() })) consoleIo.log(line);
   consoleIo.log(kbPointer());
-  for (const line of planStoreLines(process.cwd())) consoleIo.log(line);
-  await runPlanAutosave(consoleIo, { quiet: true }).catch(() => void 0);
+  if (continuityEnabled) await runPlanAutosave(consoleIo, { quiet: true }).catch(() => void 0);
   for (const line of scratchGcLines(process.cwd())) consoleIo.log(line);
   const worktreeBanner = worktreeAutoProvisionBanner(process.cwd());
   if (worktreeBanner) {
-    spawnDetachedSelf(["worktree", "setup", "--quiet"], { spawn: import_node_child_process15.spawn, execPath: process.execPath, scriptPath: process.argv[1] });
+    spawnDetachedSelf(["worktree", "setup", "--quiet"], { spawn: import_node_child_process14.spawn, execPath: process.execPath, scriptPath: process.argv[1] });
     consoleIo.log(worktreeBanner);
   }
 });