@mutmutco/opencode-mmi 2.48.0

package/skills/grind/references/auto.md

@@ -0,0 +1,107 @@
+# grind `--auto` — fully autonomous mode (load when `--auto` is passed)
+
+Hand off the prompt and walk away. `--auto` has **zero interactive gates** — it never waits on
+the human. It overrides specific phases of the loop in `SKILL.md`; everything not listed here is
+unchanged.
+
+- **No gates.** Both Gate 1 (direction) and Gate 2 (merge) are removed. No decision point pauses
+  for input.
+- **Authority.** Passing `--auto` is the human's explicit, durable, up-front authorization to
+  merge *this run's* PR into `development` — never `rc`/`main`, never a promotion (the train
+  skills stay human-only). Probe `mmi-cli access role <owner/repo>` at run start; proceed only when
+  `train: true` (master or project-admin). The real guard remains GitHub branch protection (fail-closed)
+  under the human's own `gh` token.
+- **Bounded, not interactive.** The safety cap stays. On cap OR stuck you cannot ask (afk), so
+  you **terminate and report**: open a `[WIP]` PR, do not merge.
+
+## Phase 00 — Plan the set (when given more than one issue)
+Read every issue (title, body, labels, linked code). First drop any **not-grindable** issue (per
+the Hard rule) — unclaimed, no branch/PR, just a line in the final report. Partition the rest into
+execution groups — **mode per group, not one global mode.** No override flags; you always decide.
+- **Batch** → one shared worktree/branch → one PR that `Closes` every issue in the group. Stay
+  there until PR/integration; don't bounce to main for routine re-sync. For issues
+  that are facets of one change (same files/module, no independent value).
+- **Parallel** → each issue its own worktree + PR, run concurrently. For independent issues
+  (disjoint files, no dependency). Fastest.
+- **Serialize** → one PR after another in dependency order (ties by issue number); each branches from
+  the prior's merged result. For sequential same-repo/session work, reuse the active worktree
+  until the group/session ends; create a new worktree only at a real branch/PR boundary, for true
+  parallel work, on user ask, real base drift, or a broken/unsafe worktree.
+
+Procedure: map shared files + stated dependencies → group → run. **A committed generated
+artifact counts as a shared file:** when 2+ items rebuild the same checked-in bundle (e.g.
+`cli/dist/*`), classify them as overlapping even when their source files are disjoint — prefer
+**serialize** or **batch**. When parallel is still chosen, plan an explicit rebase + rebuild +
+retest step for every follow-on PR, never treating the conflict as a surprise. A real set may mix
+modes (e.g.
+`{950,951}` batched, `{952}` parallel, `{953}` serialized after `952`). **Concurrency bound:**
+at most **3 grind loops run at once**; the rest queue. Claim every **partitioned** (grindable)
+issue `--for <login>` before its work, in every mode — never the not-grindable ones already dropped.
+If `/stage` is running, keep it attached to the active worktree; don't restart it for git
+bookkeeping. If a new worktree is truly needed, stop/destroy/recreate stage there, or warn
+first when intent is unclear.
+
+## Phase 0a — Models (auto)
+Run **Phase 0a′** silently first (class, routing, ultra, escalation).
+
+**Default (2-model, not ultra):** builder = current host model; verifier = a *different* model
+(Opus, or Sonnet if builder is Opus); synthesizer = verifier. Routing from class table — usually
+**Budget** for bug/task, **Balanced** for feature/research. Bug/task: prefer cheaper builder when
+tiers exist; feature/research: prefer stronger builder.
+
+**Ultra (explicit `--ultra` or auto-ultra):** pick three models **actively mixing vendors** when the
+host allows; hard lenses on verifier; soft lenses on third model; synthesizer = third or verifier;
+routing = **Ultra**.
+Explicit `--ultra` applies YOLO dimensions (planning, tools, fusion, caps) per `references/routing.md`
+§ Explicit `--ultra`; auto-ultra alone does **not**.
+
+On a host that cannot enumerate models, use one model for all roles and note degradation in the
+report. Never pretend cross-vendor ultra ran when it did not.
+
+## Phase 0b — Frame (auto, no gate)
+(Not-grindable issues were already dropped — in Phase 00 for a set, or Phase 0a′ for a lone issue.)
+Auto-decide explore-vs-convergent from the ask (open-ended → explore; `--explore` forces it on).
+Run **multi-agent planning + judge** when auto-gated (always under explicit `--ultra`). In explore,
+brainstorm + judge or **generative fusion** when auto-gated — **auto-pick the winning approach** —
+no wait. File/claim the item(s), write the criteria, push to North Star, then go straight to Phase 1.
+`saga note` multi-plan winner, tool policy, and fusion path when active.
+
+## Phase 4 — PR → CI-merge loop (replaces Gate 2)
+
+**Start (`--auto` only):** `mmi-cli access role <owner/repo> --json` — abort the run if `train: false`
+before building (fail fast; do not waste a full grind on a PR you cannot land).
+
+0. **Base freshness (#1906):** doctrine § worktree hygiene per worktree.
+1. Open the PR (squash; normal title — `[WIP]` only on a cap/stuck hand-off). **Pass `--head` to
+   `pr create` explicitly** — `mmi-cli pr create --base development --head <grind-branch> …`; the
+   default `--head` is the current branch, which is `development` when Phase 4 runs from the main
+   checkout (per step 2's Windows rule), and that errors with `head == base`.
+2. **Land** — `(Recommended)` one call: `mmi-cli pr land <n> --json` (train probe → `ci-policy` →
+   `checks-wait` → `merge --auto` → poll enqueued auto-merge → branch/worktree cleanup → return the
+   checkout to an up-to-date `development`). Base must be `development`. Never land promotion PRs.
+   Cleanup is **automatic at the branch/PR boundary** — a successful land/merge removes that grind
+   worktree + local branch and fast-forwards the checkout onto `development` (when its tree is clean);
+   never hand-run `git checkout development` / `git worktree remove` afterward (#1606). For shared
+   sequential same-repo work, make the execution group one branch/PR where possible; do not land each
+   issue separately and then pretend the same active worktree continues. Active-batch PR:
+   `pr land <n> --preserve-worktree --json` skips local cleanup; clean at end (#1888).
+   **Windows:** run land/merge from
+   the **main repo checkout** (not the grind worktree cwd) so post-merge cleanup can rmdir the worktree
+   (#1444).
+   - **Background-land wake signal (#1617):** if you run `pr land` in the background, the
+     task-completion notification IS your wake signal — the harness re-invokes you when the land
+     finishes. Do **not** schedule a self-firing wakeup with `/grind` as its prompt as a "fallback"
+     for a backgrounded land; it fires redundantly *after* the land already merged and re-enters a
+     finished grind (the **already-resolved guard** in Phase 0a then no-ops it). A genuine watchdog
+     must be a long-interval **status check**, never a `/grind` re-invocation.
+3. **Manual path** (when debugging land): probe `mmi-cli pr ci-policy --json`; when `policy` is `no-ci`
+   skip check polling after local verify; else `mmi-cli pr checks-wait <n>`. On green (or no-ci skip),
+   `mmi-cli pr merge <n> --auto` (add `--preserve-worktree` for active batches; not bare, #973). If merge
+   returns `auto-merge-enqueued`, poll `gh pr view` until `MERGED` before declaring success or cleaning
+   up worktrees (#1440).
+4. CI **red** → treat failing checks as blockers, triage + fix per Phase 3, push, re-land. CI-fix rounds
+   cap **3** (**5** under explicit `--ultra`); exceeding = stuck → terminate + report (PR open, not merged).
+5. Merge **rejected for permission** → leave the green PR open; report merge needs an authorized human
+   (`train: false` or not on push allowlist).
+6. Run **## Retro**, then **## End-of-grind summary** per issue — merged / PR-open / WIP-stopped, CI state,
+   rounds run, issues filed/fixed.

package/skills/grind/references/build-notes.md

@@ -0,0 +1,56 @@
+# grind Phase 1 — build gotchas (load when implementing / before verifying locally)
+
+Detail pulled from `SKILL.md` § Phase 1. The operational spine (cut worktree, implement to criteria, write tests, run repo checks, checkpoint-verify, re-tackle) stays in `SKILL.md`; these are the failure-mode notes.
+
+- **Edit the worktree, not the primary checkout.** All edits must target the worktree path you just
+  cut — it is a *separate* working tree from the primary checkout. Before trusting a green local
+  verification, confirm `git -C <worktree> status` lists exactly the files you changed. Two false-green
+  signatures to treat as "edits landed in the wrong tree, re-check": (a) the test count is unchanged
+  despite added test cases, or (b) `cli/dist` shows no diff after a `cli/src` edit. Re-point edits at
+  the worktree and re-verify before opening the PR.
+- **Verify every edited file is clean UTF-8 before running checks** — no NUL (`U+0000`), no zero-width /
+  soft-hyphen chars (`U+200B`-`U+200D`, `U+2060`, `U+FEFF`, `U+00AD`), no mojibake. A `git diff --stat`
+  showing `Bin` for a text file, or `file` reporting `data`, is the signal. When a literal MUST hold an
+  invisible or non-ASCII character (a regex class, a test fixture, a dedup key), build it from an escape
+  sequence or char-code — never by typing the raw character (the host's editor can inject one silently).
+- **A "mojibake" report seen only in terminal/console output is a false positive — verify the stored
+  bytes before treating it as a defect (#1609).** A Windows console on a non-UTF-8 code page (the common
+  default) renders clean UTF-8 bytes through CP1252, so a correctly stored em-dash / arrow / ellipsis
+  looks corrupted (e.g. an em-dash as `â€"`).
+  Before any lens files an encoding/mojibake blocker, or any builder rewrites a file to "fix" it, `grep`
+  the source for mojibake markers (`â€`, `Ã`, `Â`) — only stored-byte corruption counts. Never edit
+  source to fix mojibake observed only in console rendering: that injects real corruption while chasing
+  a phantom (AGENTS: "fix mojibake, don't propagate it" — but only REAL mojibake).
+- **Windows worktree — warm the build first (#1630).** On a fresh Windows worktree, a full `cli`
+  suite run can **false-fail** on tests that `execFile` `build.mjs`: esbuild's first cold build (and
+  concurrent builds across test files) can exceed a short per-test timeout. Warm it once
+  (`node build.mjs`) before the suite and/or raise `--testTimeout`. A test that fails *inside* a
+  `build.mjs`/esbuild exec (a timeout, or "Command failed: node build.mjs") on a cold/concurrent
+  worktree is a **probable environment flake** — re-run that file in isolation to confirm before
+  triaging it as a code blocker. CI runs Linux with warm caches and does not hit this (generalizes
+  the #1588 "validate the harness/inputs first" guidance).
+- **Mirror the repo's CI gate once before PR — not at every checkpoint.** Read the gate workflow (e.g.
+  `.github/workflows/gate.yml`) and run its read-only build/test steps locally — especially
+  artifact-parity checks (e.g. a committed `dist/` that must match a rebuild). Commit regenerated
+  artifacts before opening the PR; a locally-green branch that fails the gate on artifact drift
+  wastes a CI round. **When the diff touches a spine/surface path** — `AGENTS.md`, `CLAUDE.md`,
+  `GEMINI.md`, root `*.md`, `skills/**`, `plugins/**`, `hooks/**`, `.github/workflows/**`, or org
+  docs — the local gate-mirror MUST run the **infra** job's static-guard tests too (`cd infra &&
+  npm ci && npx vitest run plugin-set` at minimum; ideally the full `infra` `npm test`), not only the
+  `cli` suite + `scripts/check-*.mjs`. Those scripts validate structure/mirror sync but do **not**
+  assert the byte-identical plain-language-copy contract that `infra/plugin-set.test.mjs` pins.
+- **`plugin-set` is not enough when you change a tested module (#1700).** `npx vitest run plugin-set`
+  pins only the plugin-set contract — it does **not** run the rest of the `infra` suite. So when the diff
+  rewrites or alters the **export surface** of an existing `scripts/**` or `infra/**` module, a green
+  `plugin-set` can hide a co-located test that imports that module and now breaks (a dropped re-export
+  resolves to `undefined`, and the test misreads it as missing). Before opening the PR: grep for files
+  importing the changed module (`from '.*<module>'`) and run the **full** `cd infra && npm test` — or at
+  minimum each importing `*.test.mjs` — not just `plugin-set`.
+- **IO/syscall-boundary changes need a real run, not just mocks (#1588).** For a fix at an IO boundary
+  (stdin, fs, sockets, process spawn), mocked unit tests and the diff-review panel can both pass while
+  real behavior regresses — they exercise in-memory mocks, not the syscall. A green panel is necessary but
+  not sufficient: such a change also needs a **real end-to-end run on the target platform** before you trust
+  it. When a real run regresses after a change, **validate the test harness and inputs first** — shell
+  escaping, payload validity, env contamination — before re-debugging the code; a malformed fixture commonly
+  masquerades as a code regression. And don't rewrite a proven IO primitive to satisfy a hardening nit — wrap
+  or bound it instead.

package/skills/grind/references/routing.md

@@ -0,0 +1,76 @@
+# grind routing detail — auto-ultra, explicit `--ultra`, model diversity, reasoning
+
+Loaded on demand from `SKILL.md` § Phase 0a′. The class table + the effort-tier flags live in `SKILL.md`; this file holds the ultra / cross-vendor / reasoning detail.
+
+## Auto-ultra detection
+
+**auto-ultra = true** (verify-panel uplift **only** — not whole-loop YOLO) when **any** of
+(log first match in saga):
+
+1. ~~User passed **`--ultra`**.~~ **Explicit `--ultra` is separate** — see **Flags** and
+   **§ Explicit `--ultra` vs auto-ultra**; it is **not** auto-ultra.
+2. **Priority `urgent`** + (`security` label OR auth/crypto/payments/PII/agent-facing trusted corpus).
+3. **`--explore`** + stated numeric SLA/metric with high blast radius.
+4. **Architectural / cross-cutting** scope (multi-module, public API break, migration).
+5. **Escalation:** after **2 failed verify rounds** on default routing, escalate to auto-ultra for round 3+
+   (once per grind; saga note). Interactive: announce; `--auto`: silent.
+
+**auto-ultra = false** (stay 2-model): docs/prose-only diffs; priority `low`; narrow bug with clear repro;
+user says "quick" / "small" in the prompt (explicit user instruction wins).
+
+**Explicit `--ultra` vs auto-ultra:**
+
+| Mode | Scope |
+|------|-------|
+| **Explicit `--ultra`** | Whole-loop YOLO — models, planning, tools, generative fusion when applicable, raised caps |
+| **auto-ultra** | Stronger verify panel only (≥3 models, Ultra routing, hard-lens double-pass) — **no** automatic multi-plan, tool lenses, fusion deliverable, or cap raises unless user also passed `--ultra` |
+
+When auto-ultra fires interactively, **confirm at Gate 1** (default yes) with cost note — list
+**auto-ultra dimensions only** (do not imply YOLO unless `--ultra` is also set).
+
+## Explicit `--ultra` — YOLO dimensions
+
+When the user passes **`--ultra`** (explicit, not auto-ultra alone):
+
+- **Models:** ≥3 distinct models; cross-vendor required when the host exposes them; report gaps —
+  never claim full ultra when diversity is unavailable.
+- **Routing:** Ultra/Paranoid on **every** verify round; hard lenses always double-pass on two models when possible.
+- **Phase 0b:** Always **multi-agent planning + judge** (N=3 planners, verifier-tier judge ≠ builders).
+- **Phase 2 tools:** Always enable bounded web search / sandbox repro on applicable lenses (see **§ Tool-enabled lenses** in `references/verify.md`).
+- **Generative fusion:** When class = Research or `--explore`, use the fusion deliverable path.
+- **Caps:** verify rounds **8**, CI-fix rounds **5** under `--auto` (still bounded — not infinite).
+- **Gate 1 (interactive):** List **all** YOLO dimensions enabled — not just model count.
+- **`--ultra --auto` final report:** State YOLO dimensions used per issue.
+
+## Cross-vendor model diversity (priority)
+
+**Actively prefer mixing vendors the host exposes** — cross-vendor diversity is the strongest
+independence signal. On Cursor: GPT, Claude, Composer, Kimi among others. On Claude Code:
+Anthropic tiers are one vendor — still assign **verifier ≠ builder** and pull a third from another
+host when ultra requires it.
+
+When ultra (explicit or auto), assign **≥3 distinct models** across **≥2 vendors when the host
+allows**:
+
+| Role | Assignment |
+|------|------------|
+| **Builder** | Strongest implementation model (class table may refine) |
+| **Verifier** | Top-tier; **different vendor** from builder when possible; hard lenses |
+| **Third model** | Soft lenses / split panel; **different vendor** from builder and verifier when possible |
+| **Synthesizer** | Third model if distinct; else verifier — **never builder** |
+
+**Routing under ultra:** treat as **Ultra** = Paranoid rules (verifier-tier soft lenses; hard-lens
+double-pass on **two different models** when host allows). If the host cannot supply 3 models or 2
+vendors, use maximum diversity available; document the gap at Gate 1 / final report — never claim
+ultra ran fully when it did not.
+
+## Reasoning effort under explicit `--ultra`
+
+When the user passes **explicit `--ultra`**, select **higher reasoning effort** wherever the host IDE
+exposes it (e.g. elevated thinking/reasoning tier on supported models). Apply to builder, verifier,
+third, synthesizer, and judge roles when the host offers per-model reasoning knobs.
+
+- **Announce** when elevated reasoning is selected — model + level — in the routing announcement block
+  and `mmi-cli saga note "reasoning=<model>:<level> …"`.
+- **Fallback:** when the host has no reasoning-effort knob, use the strongest available model tier and
+  note the gap in the announcement — do not block the grind.

package/skills/grind/references/verify.md

@@ -0,0 +1,83 @@
+# grind verify detail — lens prompts, tool-enabled lenses, Phase 2b notes
+
+Loaded on demand from `SKILL.md` § Phase 2 / 2b. The mechanism, the five lenses, the verbatim-diff
+pin, the `PanelReport` table, and the round-fail rule stay in `SKILL.md`; this file holds the
+lens-prompt clauses and the deeper synthesis notes.
+
+## Lens-prompt clauses (put these in EVERY lens prompt)
+
+**Verbatim includes test files.** Never abbreviate or summarize for **tests-actually-test**. A
+"commented-out / absent" verdict may be a paste artifact — re-check input before a fix round.
+
+**Lens abstention.** If a lens cannot see the full change, it returns
+`{"verdict":"cannot-verify"}` — it must NEVER emit an "absent / missing / commented-out" blocker
+from a file it could not read. **The orchestrator MUST put this abstention rule in every lens
+prompt** — a lens never told to abstain files false "missing test / missing code" blockers instead,
+and a hand-trimmed diff is the usual trigger (#1561). Every lens prompt must also carry an explicit
+diff-shape clause:
+
+> You are reading a unified DIFF, not whole files. Any function, type, or symbol that is *referenced
+> but not defined within the patch* is PRE-EXISTING code — assume it exists and works; NEVER report
+> it as "undefined", "missing", or "never defined". If you cannot see a definition you need to judge
+> a point, return `cannot-verify` for that point.
+
+This prevents diff-absent symbols from becoming ship-stoppers at the lens; Phase 2b's absence-claims
+drop rule remains the backstop.
+
+**Worktree isolation (#1621, #1895).** Phase 2: `isolation=worktree` — other checkouts may be stale.
+**Orchestrator MUST:** patch-only input; deny repo FS tools on lenses; stale-checkout clause in every lens prompt; re-run Phase 2 if a transcript shows disk reads — never triage disk-sourced blockers.
+Abstention + diff-shape rules above still apply; `cannot-verify` beats false absence.
+
+## Tool-enabled lenses (default expectation on applicable lenses)
+
+When an objective signal exists, hard lenses must anchor to it — failing test, typecheck error,
+sandbox repro, cited source — not bare judgment. Tool-enabled path (`webSearch`, `sandboxRepro`)
+is the **default expectation** on applicable lenses, not only an auto-gated extra. Populate
+`PanelReport.blockers[].sources` with objective anchors; opinion-only blockers require explicit
+justification when no signal was available.
+
+Eligible lenses may use **bounded tools** during Phase 2 — Fusion-style fact-check and repro —
+while Phase 2b synthesizer stays **tool-free** (lens JSON + diff stat only).
+
+| Tool | Use |
+|------|-----|
+| **Web search** | External fact-check (API version, CVE, deprecation, third-party behavior in criteria) |
+| **Sandboxed repro** | Read-only bash in worktree when issue body includes repro shell commands |
+
+**Auto-enable tools** when triggers match (no manual `--tools` required):
+
+| Trigger | Enable tools |
+|---------|--------------|
+| Criteria/body need external fact-check | Web search for that lens |
+| Issue body has repro shell commands | Sandboxed repro for `correctness` |
+| Prose/docs-only reduced panel | No |
+| Priority `low` + narrow bug, inline repro in diff | No (cost guard) |
+| **`isolation=worktree`** (grind default) | No sandbox repro / repo FS; web search only for external facts |
+| **auto-ultra** + external validation implied | Prefer tools on hard lenses (not repo FS under isolation) |
+| **Explicit `--ultra`** | Always on applicable lenses (not repo FS under isolation) |
+
+**Hygiene:** configurable allow/deny domain lists (org/repo-level) — exclude benchmark-leak
+domains (e.g. Stack Overflow, issue mirrors) from verify search. Default deny list in
+`cli/src/grind-policy.ts`. **Per-lens budget:** hard cap (3 queries/lens/round); `saga note` on exceed.
+
+**Diff-pinning preserved:** tools supplement — never replace — the pinned patch. Under
+`isolation=worktree`, repo FS tools stay forbidden even under ultra; cite builder test output from
+criteria, not lens shell into a stale checkout.
+
+## Phase 2b — deeper synthesis notes
+
+**Fusion doctrine:** IDE-native multi-model only; the agent orchestrates panels. No hosted grind provider.
+
+**`blind_spots`:** optionally spawn **one** targeted micro-lens on the highest-priority spot (not a
+full re-panel) before Phase 3 triage — at most once per round.
+
+**`contradictions`:** if the disagreement is **criteria/spec ambiguity** (lenses read the spec
+differently), stop and escalate to the human per **## Gates** — do not guess. If one lens is
+clearly wrong against consensus + diff, note it in the saga and triage real blockers only.
+
+**Absence-claims (#1621, #1895).** Drop "missing/absent/unimplemented/not fixed" blockers
+contradicted by the pinned patch or green builder tests. Drop blockers when lens logs show repo
+Read/Grep despite isolation — re-run Phase 2 patch-only instead of fixing phantom gaps.
+
+(`--auto`) No human escalation — pick the interpretation that satisfies the written criteria; if
+still ambiguous, fail the round and fix the criteria in the issue body before continuing.

package/skills/grind/templates/saga-snapshot.md

@@ -0,0 +1,28 @@
+# Grind saga keep — resume snapshot
+
+Enforced via **`mmi-cli saga snapshot`** (maps to saga HEAD — no parallel store). Checklist uses namespaced prefixes: `gs-open:`, `gs-resolved:`, `gs-ceiling:`.
+
+## Read-first on resume
+
+```bash
+mmi-cli saga snapshot show --kind grind
+```
+
+## Write-last each phase
+
+```bash
+mmi-cli saga note "grind phase=2b: …"
+mmi-cli saga snapshot set --kind grind \
+  --class bug --routing Balanced --ultra auto \
+  --criteria "…" --phase 2b --verify-round 2 --verify-cap 5 \
+  --open-blocker cfg-null-parse-42 \
+  --resolved-blocker typo-import-7 \
+  --verification-ceiling "CI green" \
+  --next-action "triage PanelReport blockers, round 3"
+```
+
+`set` retires prior active `gs-*` checklist rows before writing. Resolved/done rows are marked `done` on write.
+
+**NEXT format:** `grind class=… verify=N/cap | next action` — split on ` | ` only (pipes in next action are allowed).
+
+Stable blocker `id`s come from `synthesize-panel.md` / `PanelReport`.

package/skills/grind/templates/synthesize-panel.md

@@ -0,0 +1,104 @@
+# Grind panel synthesizer prompt
+
+Use this template for **Phase 2b — Synthesize**. Spawn one sub-agent on the **synthesizer model**
+(Phase 0a). The synthesizer reconciles parallel lens outputs — it does not re-review the diff from
+scratch and does not merge panel text into a narrative answer.
+
+## Inputs (provide all)
+
+1. **Success criteria / goal** — verbatim from the grind frame.
+2. **Lens outputs** — strict JSON from every lens that ran this round (full five, reduced prose
+   panel, or `--explore` goal judges). Label each with its lens name.
+3. **Diff excerpt or stat** — enough to anchor file/line references (`git diff --stat` minimum).
+   Do **not** include builder reasoning, session history, or implementation notes.
+
+## Hard rules for the synthesizer
+
+- Treat agreement across lenses as higher-confidence `consensus`.
+- Surface disagreements as `contradictions` — do not pick a winner silently.
+- Preserve `unique_insights` a single lens raised.
+- Flag `blind_spots` no lens addressed but the criteria/goal imply should be checked.
+- **Dedupe blockers** — same root cause across lenses → one blocker with stable `id`.
+- Assign each blocker a stable `id` (short kebab, e.g. `cfg-null-parse-42`) reused across rounds
+  when the root cause persists. **Convergence** requires the same `id` set on two consecutive
+  clean rounds (see Phase 3).
+- Each blocker must cite **objective anchors** in `sources` when available (test name, CI log,
+  repro command, file:line from a failing check) — not lens opinion alone.
+- Output **only** the JSON object below — no prose wrapper, no markdown fences.
+
+## Wrong-checkout false positives (#1621, #1895)
+
+Grind verify lenses run under **worktree isolation** — the orchestrator pins a patch file and denies
+repo FS tools. Guard against stale-checkout contamination anyway:
+
+- **Drop** any blocker whose evidence is "missing / absent / unimplemented / not fixed" when the
+  pinned patch or another lens contradicts it — treat as paste artifact or stale-checkout read.
+- **Drop** blockers when the orchestrator flagged the lens transcript for **disk reads** (Read/Grep
+  on repo paths despite isolation) — never ship-stop on that evidence alone.
+- **Prefer `cannot-verify`** over `fail` when a lens abstained because the patch was insufficient.
+- Record demoted items in `nits` or `unique_insights` with `"wrong-checkout-fp"` when useful for saga
+  audit — do not promote them to `blockers`.
+
+## Output schema (`PanelReport`)
+
+```json
+{
+  "consensus": ["Points most or all lenses agreed on — factual, specific"],
+  "contradictions": [
+    {
+      "topic": "What the lenses disagree about",
+      "stances": [
+        { "source": "lens-name or model", "stance": "..." }
+      ]
+    }
+  ],
+  "partial_coverage": [
+    {
+      "sources": ["lens-a", "lens-b"],
+      "point": "Only some lenses covered this"
+    }
+  ],
+  "unique_insights": [
+    { "source": "lens-name", "insight": "Something only one lens raised" }
+  ],
+  "blind_spots": ["Topics no lens addressed that criteria imply matter"],
+  "blockers": [
+    {
+      "id": "stable-kebab-id",
+      "title": "Short blocker title",
+      "file": "path/to/file",
+      "line": "42 or range",
+      "why": "Concrete reason this blocks shipping",
+      "sources": ["correctness", "security"]
+    }
+  ],
+  "nits": [
+    {
+      "title": "Advisory, non-blocking",
+      "file": "path/to/file",
+      "line": "10",
+      "why": "..."
+    }
+  ]
+}
+```
+
+## Phase 3 hints (for the builder — synthesizer does not act on these)
+
+The grind loop uses this report as follows:
+
+| Field | Action |
+|-------|--------|
+| `blockers` | Phase 3 — any blocker fails the round |
+| `nits` | Advisory — fold cheap fixes, file costly ones |
+| `blind_spots` | Optional **one** targeted micro-lens this round (not a full re-panel) |
+| `contradictions` | If criteria/spec ambiguity → human escalation; if one lens is wrong → note in synthesis, do not block on noise |
+| `consensus` | Elevated confidence; do not re-litigate unless a later round contradicts |
+
+## Degradation
+
+If the synthesizer returns invalid JSON or errors:
+
+1. Fall back to **raw lens blockers** — union all lens `blockers`, manual dedupe by file+line+title.
+2. `mmi-cli saga note "phase 2b: synthesize degraded, raw lens triage"`.
+3. Continue Phase 3 — synthesis is an uplift, not a hard dependency.

package/skills/handoff/SKILL.md

@@ -0,0 +1,67 @@
+---
+name: handoff
+description: Record or claim an explicit session handoff in the saga + North Star system that SessionStart resumes — open a handoff to leave work for a future session, accept a pending one, or cancel your own. Use when the user says "handoff" or "/handoff", asks to hand off work, leave a checkpoint for the next session, or claim a prior handoff, or invokes /handoff.
+---
+
+# /handoff — explicit saga handoff lifecycle
+
+Use when the user says `handoff` or `/handoff`, or asks to leave work for a future session or claim a prior handoff. This skill records an explicit handoff in the same saga + North Star system that SessionStart resumes.
+
+## Start
+
+1. Read the current repo context:
+   - `mmi-cli saga show`
+   - `mmi-cli saga key --json`
+   - `mmi-cli northstar relevant`
+2. If you are opening a handoff, identify the North Star slug or issue key. If the saga HEAD already has `northstar:<slug>`, use that slug unless the user names a different one.
+3. If you are accepting or cancelling, list open handoffs first:
+   - `mmi-cli handoff list`
+
+## Open
+
+When the user asks to hand off current work:
+
+```powershell
+mmi-cli handoff open --key "<slug-or-#issue>" --north-star-slug "<slug>" "<state snapshot + next action>"
+```
+
+The summary should be short and evidence-oriented: current branch, latest verified state, next action, and any blocker. Do not paste secrets or large logs. Keep the durable plan in North Star; the handoff is the session bridge.
+
+## Accept
+
+When the user chooses an open handoff:
+
+```powershell
+mmi-cli handoff accept "<slug-or-#issue>"
+mmi-cli northstar pull "<slug>"
+```
+
+Then corroborate the inherited state against git, GitHub, and the board before acting. The command closes the source mark and binds the accepting session saga anchor to the handoff's North Star slug. Handoffs are discovered repo-wide, so a handoff may have been opened on a different branch — `accept` shows that branch and a `git switch` hint when it differs from yours.
+
+## Cancel Or Decline
+
+Cancel closes an open handoff without claiming it:
+
+```powershell
+mmi-cli handoff cancel "<slug-or-#issue>"
+```
+
+Decline is deliberately non-destructive. It leaves the handoff open so it is offered again later:
+
+```powershell
+mmi-cli handoff decline "<slug-or-#issue>"
+```
+
+## Boundaries
+
+- Handoffs are same-login and same-repo (any branch): discovery is repo-scoped, enforced by the Hub session identity and the project-scoped saga read. `handoff list` shows each handoff's source branch.
+- Multiple open handoffs are allowed. Use the North Star slug or issue key as the handle.
+- Never treat a handoff as present truth. It is prior-session belief until verified.
+
+## Retro
+
+If this skill misfires, file one lesson on the Hub board:
+
+```powershell
+mmi-cli skill-lesson --skill handoff --title "<what misfired>" --body "<what; evidence; proposed amendment>"
+```