@mutmutco/opencode-mmi 2.52.0 → 2.53.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mutmutco/opencode-mmi",
-  "version": "2.52.0",
+  "version": "2.53.0",
   "description": "MMI Future OpenCode adapter — registers mmi, secrets, stage, rcand, release, hotfix, bootstrap, grind, build, handoff, coop, and browser-automation skills, workflow commands, and deterministic guardrail hooks.",
   "type": "module",
   "main": "./dist/index.js",

package/skills/grind/SKILL.md

@@ -49,7 +49,9 @@ Flags:
   in parallel), never loop one-by-one. Resolve `<login>` yourself — the session banner's
   `current human:` line, else `mmi-cli whoami` — and echo who you're claiming for; ask only
   when whoami returns `unknown`. Branch from the latest `origin/development` in a worktree
-  (`../mmi-worktrees/<branch>`). Never push `rc`/`main`.
+  (`../mmi-worktrees/<branch>`), unless the issue body explicitly mandates a dependency/WIP branch;
+  that path is a stacked PR that `--auto` may open + CI-verify but cannot auto-land (#2059). Never
+  push `rc`/`main`.
 - **Verifier ≠ builder.** Verifier (and hard lenses) must use a **different model** from builder
   whenever the host exposes two models. Under `--ultra`, the third model must also differ from
   builder; synthesizer is never builder.
@@ -310,6 +312,10 @@ Auto-detection rules are also encoded in `cli/src/grind-policy.ts` (test fixture
 PRs merge). Before each Phase 2 round, `git fetch origin development` and rebase the grind branch
 onto `origin/development` (or merge when rebase is unsafe) so the pinned diff reflects **only this
 grind's commits** — never reverse-deltas from merged siblings that would produce false blockers.
+Once a grind branch is already pushed to a PR, do **not** refresh it with `--force` or
+`--force-with-lease`: prefer `mmi-cli pr land`'s own base-freshness handling, or merge
+`origin/development` into the branch and push. If a true rebase is unavoidable, stop with a `[WIP]`
+PR/report instead of force-pushing unless the user's current message explicitly authorizes it (#2058).
 
 **Mechanism:** spawn parallel lenses → each returns strict JSON → Phase 2b synthesizer produces
 `PanelReport` → triage uses **`PanelReport.blockers` only**. Not vote, not debate.
@@ -324,7 +330,10 @@ round.** The orchestrator MUST hand each lens the *verbatim* diff — never a su
 rendering. Form (a) inline verbatim `git diff` only when verifying from the **same checkout** that
 holds the change. **Grind default `isolation=worktree`:** form (b) only — write
 `git -C <worktree> diff …` to `tmp/grind-verify-<round>.patch` and pass that path; never rely on
-lens CWD.
+lens CWD. The pinned diff **MUST include untracked new files** — bare `git diff` omits them, so a
+build that adds new modules/tests is invisible to lenses and can draw a false `cannot-verify`.
+Stage first (`git -C <worktree> add -A && git -C <worktree> diff --cached -- ':!cli/dist' > tmp/grind-verify-<round>.patch`)
+or `git -C <worktree> add -N <new files>` before the diff (#2057).
 
 **Lens-prompt clauses → `references/verify.md`.** Every lens prompt MUST carry: the **verbatim-includes-test-files** rule, the **abstention** rule (`cannot-verify`, never a false "absent/missing" blocker), the **diff-shape** clause (a referenced-but-undefined symbol is pre-existing — never flag it), and the **worktree-isolation** clause (patch-only, deny repo FS, stale-checkout warning). The exact wording lives in `references/verify.md` — load it before spawning lenses.
 

package/skills/grind/references/auto.md

@@ -71,7 +71,9 @@ no wait. File/claim the item(s), write the criteria, push to North Star, then go
 **Start (`--auto` only):** `mmi-cli access role <owner/repo> --json` — abort the run if `train: false`
 before building (fail fast; do not waste a full grind on a PR you cannot land).
 
-0. **Base freshness (#1906):** doctrine § worktree hygiene per worktree.
+0. **Base freshness (#1906):** doctrine § worktree hygiene per worktree. If the PR branch is already
+   pushed, refresh by merge (non-rewriting) or let `pr land` handle base freshness — never force-push a
+   pushed PR branch. A rebase that would require force-push = stop and report `[WIP]`, do not force (#2058).
 1. Open the PR (squash; normal title — `[WIP]` only on a cap/stuck hand-off). **Pass `--head` to
    `pr create` explicitly** — `mmi-cli pr create --base development --head <grind-branch> …`; the
    default `--head` is the current branch, which is `development` when Phase 4 runs from the main
@@ -79,6 +81,10 @@ before building (fail fast; do not waste a full grind on a PR you cannot land).
 2. **Land** — `(Recommended)` one call: `mmi-cli pr land <n> --json` (train probe → `ci-policy` →
    `checks-wait` → `merge --auto` → poll enqueued auto-merge → branch/worktree cleanup → return the
    checkout to an up-to-date `development`). Base must be `development`. Never land promotion PRs.
+   **Issue-mandated non-`development` base (#2059):** when the issue body requires a specific
+   dependency/WIP branch, `--auto` may open and CI-verify a stacked PR against that base, but must not
+   auto-land — `pr land` correctly refuses non-`development` bases. Stop and report that auto-merge is
+   blocked until the stack base reaches `development`.
    Cleanup is **automatic at the branch/PR boundary** — a successful land/merge removes that grind
    worktree + local branch and fast-forwards the checkout onto `development` (when its tree is clean);
    never hand-run `git checkout development` / `git worktree remove` / `git push origin --delete` afterward

package/skills/grind/references/verify.md

@@ -75,9 +75,12 @@ full re-panel) before Phase 3 triage — at most once per round.
 differently), stop and escalate to the human per **## Gates** — do not guess. If one lens is
 clearly wrong against consensus + diff, note it in the saga and triage real blockers only.
 
-**Absence-claims (#1621, #1895).** Drop "missing/absent/unimplemented/not fixed" blockers
+**Absence-claims (#1621, #1895, #2057).** Drop "missing/absent/unimplemented/not fixed" blockers
 contradicted by the pinned patch or green builder tests. Drop blockers when lens logs show repo
-Read/Grep despite isolation — re-run Phase 2 patch-only instead of fixing phantom gaps.
+Read/Grep despite isolation — re-run Phase 2 patch-only instead of fixing phantom gaps. A
+`cannot-verify` / "absent" verdict on a whole new module or test file is usually a patch-pin gap, not
+a defect: bare `git diff` excludes untracked files. Confirm the pin staged new files or used `add -N`,
+then re-pin and re-run before triaging.
 
 (`--auto`) No human escalation — pick the interpretation that satisfies the written criteria; if
 still ambiguous, fail the round and fix the criteria in the issue body before continuing.

package/skills/secrets/SKILL.md

@@ -12,13 +12,13 @@ description: Manage this repo's secrets — list/get/set/edit/rm/use the PROJECT
 Secrets in the org split by **blast radius + who manages them** (not by storage — both tiers are SSM
 SecureString + KMS, and **a value is never echoed to chat or logs**):
 
-- **PROJECT tier** — `/mmi-future/<slug>/dev/*`. Lower-blast dev/throwaway working secrets (a scraper key,
-  a third-party API key, a throwaway SaaS account). The repo's **project-admin self-serves** these via
-  `/secrets`, on their **GitHub role alone** — no AWS, no waiting on the master.
-- **ORG tier** — everything else under the slug (`rc/*`, `main/*` prod secrets) plus shared/infra
-  (`/mmi-future/{shared,cloudflare,docs,mmi-hub}/*`). **Crown jewels, master-gated.** A project-admin
-  reaches an org-tier secret only via a master **grant**; the master is unrestricted (and **is** a
-  project-admin of every repo — master ⊇ project-admin).
+- **YOUR REPO** — `/mmi-future/<slug>/{dev,rc,main}/*` for a repo you are project-admin of. You
+  **self-serve your own repo's full tree** — dev, rc, AND main prod secrets — via `/secrets`, on your
+  **GitHub role alone**, no AWS, no waiting on the master (#2032).
+- **ORG-INFRA** — the shared/infra namespaces (`/mmi-future/{shared,cloudflare,docs,mmi-hub}/*`), at
+  **every** tier (their `dev/` holds Hetzner/AWS/CF tokens + Hub tooling). **Crown jewels, master-only.**
+  A project-admin reaches one of these only via a master **grant**; the master is unrestricted (master ⊇
+  project-admin).
 
 A bare `<KEY>` defaults into the **project tier** (`dev/`). To touch the org tier you name the env
 explicitly: `main/GOOGLE_CLIENT_SECRET`, `rc/DB_URL`.
@@ -80,17 +80,18 @@ first, then write every canonical vault tier that still needs that key. For keys
 <KEY>` repeats the same probe later without printing the value. If the verifier fails, treat the rotation as
 incomplete even if the vault write itself succeeded.
 
-## Step 2 — org-tier elevation (master-only)
+## Step 2 — org-infra elevation (master-only)
 
-A project-admin who needs a specific **org-tier** secret asks the master. The master grants a **scoped,
-auditable** standing access to that one key (or revokes it). These verbs are **master-only** — the backend
-403s anyone else.
+Your own repo's full tree (dev/rc/main) is already self-serve (#2032). The **org-infra** namespaces
+(`shared`/`cloudflare`/`docs`/`mmi-hub`, every tier) stay master-only. A project-admin who needs one of
+those keys asks the master, who grants a **scoped, auditable** standing access to that one key (or revokes
+it). These verbs are **master-only** — the backend 403s anyone else.
 
 ```bash
-# MASTER: let @oguz-mut manage one org-tier secret in Pulse
-mmi-cli secrets grant mutmutco/Pulse oguz-mut main/GOOGLE_CLIENT_SECRET
+# MASTER: let @oguz-mut manage one org-infra (Hub-tier) secret
+mmi-cli secrets grant mutmutco/MMI-Hub oguz-mut main/SOME_SHARED_KEY
 # MASTER: withdraw it
-mmi-cli secrets revoke mutmutco/Pulse oguz-mut main/GOOGLE_CLIENT_SECRET
+mmi-cli secrets revoke mutmutco/MMI-Hub oguz-mut main/SOME_SHARED_KEY
 ```
 
 The master can also just operate the org-tier op directly while guiding (master ⊇ project-admin). Org-tier