@openthink/stamp 1.2.0 → 1.3.0

package/dist/index.js

@@ -56,10 +56,13 @@ import { dirname as dirname3, join as join3 } from "path";
 // src/lib/agentsMd.ts
 import { existsSync, readFileSync, writeFileSync } from "fs";
 import { join } from "path";
-var STAMP_BEGIN = "<!-- stamp:begin (managed by stamp-cli \u2014 do not edit between markers) -->";
+var STAMP_BEGIN = "<!-- stamp:begin (managed by `stamp init` \u2014 do not edit between markers) -->";
 var STAMP_END = "<!-- stamp:end -->";
-var STAMP_CLAUDE_BEGIN = "<!-- stamp:claude:begin (managed by stamp-cli \u2014 do not edit between markers) -->";
-var STAMP_CLAUDE_END = "<!-- stamp:claude:end -->";
+var STAMP_BEGIN_LEGACY = "<!-- stamp:begin (managed by stamp-cli \u2014 do not edit between markers) -->";
+var STAMP_CLAUDE_BEGIN_LEGACY = "<!-- stamp:claude:begin (managed by stamp-cli \u2014 do not edit between markers) -->";
+var STAMP_CLAUDE_END_LEGACY = "<!-- stamp:claude:end -->";
+var STAMP_BEGIN_PREFIX = "<!-- stamp:begin ";
+var STAMP_CLAUDE_BEGIN_PREFIX = "<!-- stamp:claude:begin ";
 var REVIEW_LOOP_HEURISTIC = `### Knowing when to stop the review loop (diminishing returns)
 
 Each \`stamp review\` run is non-trivial \u2014 reviewer LLM calls, your context, and amend
@@ -248,6 +251,20 @@ attestation, so the audit trail is preserved even without server-side rejection.
 
 ${REVIEW_LOOP_HEURISTIC}
 `;
+function findManagedBlock(text, openPrefix, closeMarker) {
+  let searchStart = 0;
+  while (searchStart < text.length) {
+    const candidateIdx = text.indexOf(openPrefix, searchStart);
+    if (candidateIdx === -1) return null;
+    if (candidateIdx === 0 || text[candidateIdx - 1] === "\n") {
+      const closeStart = text.indexOf(closeMarker, candidateIdx);
+      if (closeStart === -1) return null;
+      return { beginIdx: candidateIdx, afterEnd: closeStart + closeMarker.length };
+    }
+    searchStart = candidateIdx + 1;
+  }
+  return null;
+}
 function injectStampSection(existing, mode = "server-gated") {
   const body = mode === "server-gated" ? STAMP_AGENTS_SECTION_SERVER_GATED : STAMP_AGENTS_SECTION_LOCAL_ONLY;
   const stampBlock = `${STAMP_BEGIN}
@@ -263,12 +280,10 @@ Guidance for AI agents working in this repository.
 ${stampBlock}
 `;
   }
-  const beginIdx = existing.indexOf(STAMP_BEGIN);
-  const endIdx = existing.indexOf(STAMP_END);
-  if (beginIdx !== -1 && endIdx !== -1 && endIdx > beginIdx) {
-    const before = existing.slice(0, beginIdx);
-    const afterStart = endIdx + STAMP_END.length;
-    const after = existing.slice(afterStart);
+  const found = findManagedBlock(existing, STAMP_BEGIN_PREFIX, STAMP_END);
+  if (found) {
+    const before = existing.slice(0, found.beginIdx);
+    const after = existing.slice(found.afterEnd);
     return `${before}${stampBlock}${after}`;
   }
   return `${existing.trimEnd()}
@@ -285,7 +300,7 @@ function ensureAgentsMd(repoRoot, mode = "server-gated") {
   const existing = readFileSync(path2, "utf8");
   const updated = injectStampSection(existing, mode);
   if (updated === existing) return "unchanged";
-  const action = existing.includes(STAMP_BEGIN) ? "replaced" : "appended";
+  const action = existing.includes(STAMP_BEGIN) || existing.includes(STAMP_BEGIN_LEGACY) ? "replaced" : "appended";
   writeFileSync(path2, updated);
   return action;
 }
@@ -306,6 +321,8 @@ stamp merge feature --into main         # signs the merge
 git push origin main                    # OR \`stamp push main\` if origin is a stamp server
 \`\`\`
 
+Key commands: \`stamp provision\` \u2014 provision a new repo; \`stamp review\` \u2014 run reviewers; \`stamp merge\` \u2014 sign a merge; \`stamp push\` \u2014 push to a stamp server.
+
 **The full reference is at [\`AGENTS.md\`](./AGENTS.md) at the repo root** \u2014
 read it before any git command. It covers the mode (server-gated vs.
 local-only), what NOT to do, where things live, and how to recover when stamp
@@ -316,11 +333,11 @@ blocks you.
 (there's nothing to review against). Recent \`stamp init\` runs do this commit
 automatically. Every subsequent change goes through the stamp flow.`;
 function injectClaudeSection(existing) {
-  const stampBlock = `${STAMP_CLAUDE_BEGIN}
+  const stampBlock = `${STAMP_BEGIN}
 
 ${STAMP_CLAUDE_SECTION.trimEnd()}
 
-${STAMP_CLAUDE_END}`;
+${STAMP_END}`;
   if (existing === void 0 || existing.trim() === "") {
     return `# CLAUDE.md
 
@@ -329,12 +346,10 @@ Project-specific instructions for Claude Code (auto-loaded into the model's cont
 ${stampBlock}
 `;
   }
-  const beginIdx = existing.indexOf(STAMP_CLAUDE_BEGIN);
-  const endIdx = existing.indexOf(STAMP_CLAUDE_END);
-  if (beginIdx !== -1 && endIdx !== -1 && endIdx > beginIdx) {
-    const before = existing.slice(0, beginIdx);
-    const afterStart = endIdx + STAMP_CLAUDE_END.length;
-    const after = existing.slice(afterStart);
+  const found = findManagedBlock(existing, STAMP_BEGIN_PREFIX, STAMP_END) ?? findManagedBlock(existing, STAMP_CLAUDE_BEGIN_PREFIX, STAMP_CLAUDE_END_LEGACY);
+  if (found) {
+    const before = existing.slice(0, found.beginIdx);
+    const after = existing.slice(found.afterEnd);
     return `${before}${stampBlock}${after}`;
   }
   return `${existing.trimEnd()}
@@ -351,7 +366,7 @@ function ensureClaudeMd(repoRoot) {
   const existing = readFileSync(path2, "utf8");
   const updated = injectClaudeSection(existing);
   if (updated === existing) return "unchanged";
-  const action = existing.includes(STAMP_CLAUDE_BEGIN) ? "replaced" : "appended";
+  const action = existing.includes(STAMP_BEGIN) || existing.includes(STAMP_BEGIN_LEGACY) || existing.includes(STAMP_CLAUDE_BEGIN_LEGACY) ? "replaced" : "appended";
   writeFileSync(path2, updated);
   return action;
 }
@@ -2832,11 +2847,12 @@ function branchExists(name, cwd) {
 }
 
 // src/commands/init.ts
-import { existsSync as existsSync7, writeFileSync as writeFileSync6 } from "fs";
-import { join as join4 } from "path";
+import { existsSync as existsSync9, writeFileSync as writeFileSync7 } from "fs";
+import { join as join5 } from "path";
 
 // src/lib/ghRuleset.ts
 import { spawnSync as spawnSync3 } from "child_process";
+var STAMP_MIRROR_DEPLOY_KEY_TITLE = "stamp-mirror";
 function checkGhAvailable() {
   const v = spawnSync3("gh", ["--version"], {
     stdio: ["ignore", "pipe", "pipe"],
@@ -2980,6 +2996,330 @@ function applyStampRuleset(owner, repo, actor) {
     return { status: "created" };
   }
 }
+function findDeployKey(owner, repo, title) {
+  const r = spawnSync3(
+    "gh",
+    [
+      "api",
+      `/repos/${owner}/${repo}/keys`,
+      "--jq",
+      // JSON.stringify produces a valid jq string literal (double-quoted,
+      // with backslash/quote escapes), so a title containing quotes or
+      // backslashes can't break the jq filter or smuggle a different
+      // selector.
+      `[.[] | select(.title == ${JSON.stringify(title)})][0].id // empty`
+    ],
+    { stdio: ["ignore", "pipe", "pipe"], encoding: "utf8" }
+  );
+  if (r.status !== 0) return null;
+  const trimmed = r.stdout.trim();
+  if (!trimmed) return null;
+  const id = Number(trimmed);
+  return Number.isFinite(id) ? id : null;
+}
+function registerDeployKey(owner, repo, title, publicKey) {
+  const ctx = `${owner}/${repo} (deploy key "${title}")`;
+  const existing = findDeployKey(owner, repo, title);
+  if (existing !== null) {
+    return { status: "exists", keyId: existing };
+  }
+  const body = { title, key: publicKey, read_only: false };
+  const r = spawnSync3(
+    "gh",
+    [
+      "api",
+      "-X",
+      "POST",
+      `/repos/${owner}/${repo}/keys`,
+      "--input",
+      "-"
+    ],
+    {
+      input: JSON.stringify(body),
+      stdio: ["pipe", "pipe", "pipe"],
+      encoding: "utf8"
+    }
+  );
+  if (r.status !== 0) {
+    const stderr = (r.stderr ?? "").trim();
+    const stdout = (r.stdout ?? "").trim();
+    const detail = stderr || stdout || `gh api exited ${r.status}`;
+    return {
+      status: "failed",
+      error: `${ctx}: ${detail}`
+    };
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(r.stdout);
+  } catch (err) {
+    return {
+      status: "failed",
+      error: `${ctx}: registered, but couldn't parse keyId from gh response (${err instanceof Error ? err.message : String(err)}). A keyId is required to wire the key into a Ruleset bypass actor; inspect with \`gh api /repos/${owner}/${repo}/keys\`.`
+    };
+  }
+  const keyId = typeof parsed.id === "number" ? parsed.id : NaN;
+  if (!Number.isFinite(keyId)) {
+    return {
+      status: "failed",
+      error: `${ctx}: registered, but gh response did not include a numeric keyId. A keyId is required to wire the key into a Ruleset bypass actor; inspect with \`gh api /repos/${owner}/${repo}/keys\`.`
+    };
+  }
+  return { status: "created", keyId };
+}
+function fetchDeployKeyPublic(owner, repo, keyId) {
+  const r = spawnSync3(
+    "gh",
+    ["api", `/repos/${owner}/${repo}/keys/${keyId}`, "--jq", ".key"],
+    { stdio: ["ignore", "pipe", "pipe"], encoding: "utf8" }
+  );
+  if (r.status !== 0) return null;
+  const trimmed = r.stdout.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function deleteDeployKey(owner, repo, keyId) {
+  const r = spawnSync3(
+    "gh",
+    ["api", "-X", "DELETE", `/repos/${owner}/${repo}/keys/${keyId}`],
+    { stdio: ["ignore", "pipe", "pipe"], encoding: "utf8" }
+  );
+  if (r.status === 0) return { status: "deleted" };
+  const stderr = (r.stderr ?? "").trim();
+  if (stderr.includes("HTTP 404") || /Not Found/i.test(stderr)) {
+    return { status: "deleted" };
+  }
+  return {
+    status: "failed",
+    error: `${owner}/${repo} keyId=${keyId}: ${stderr || `gh api exited ${r.status}`}`
+  };
+}
+function getRulesetBypassActors(owner, repo, rulesetId) {
+  const r = spawnSync3(
+    "gh",
+    [
+      "api",
+      `/repos/${owner}/${repo}/rulesets/${rulesetId}`,
+      "--jq",
+      ".bypass_actors"
+    ],
+    { stdio: ["ignore", "pipe", "pipe"], encoding: "utf8" }
+  );
+  if (r.status !== 0) return null;
+  try {
+    const parsed = JSON.parse(r.stdout);
+    if (!Array.isArray(parsed)) return null;
+    return parsed.filter((e) => {
+      if (typeof e !== "object" || e === null) return false;
+      const o = e;
+      return (typeof o["actor_id"] === "number" || o["actor_id"] === null) && typeof o["actor_type"] === "string" && typeof o["bypass_mode"] === "string";
+    });
+  } catch {
+    return null;
+  }
+}
+function replaceBypassActors(owner, repo, rulesetId, desiredActors) {
+  const current = getRulesetBypassActors(owner, repo, rulesetId);
+  if (current === null) {
+    return {
+      status: "failed",
+      error: `${owner}/${repo} ruleset ${rulesetId}: could not read current bypass_actors`
+    };
+  }
+  if (bypassActorListsEqual(current, desiredActors)) {
+    return { status: "unchanged" };
+  }
+  const body = { bypass_actors: desiredActors };
+  const r = spawnSync3(
+    "gh",
+    [
+      "api",
+      "-X",
+      "PUT",
+      `/repos/${owner}/${repo}/rulesets/${rulesetId}`,
+      "--input",
+      "-"
+    ],
+    {
+      input: JSON.stringify(body),
+      stdio: ["pipe", "pipe", "pipe"],
+      encoding: "utf8"
+    }
+  );
+  if (r.status !== 0) {
+    const stderr = (r.stderr ?? "").trim();
+    const stdout = (r.stdout ?? "").trim();
+    return {
+      status: "failed",
+      error: `${owner}/${repo} ruleset ${rulesetId}: ${stderr || stdout || `gh api exited ${r.status}`}`
+    };
+  }
+  return { status: "updated" };
+}
+function bypassActorListsEqual(a, b) {
+  if (a.length !== b.length) return false;
+  const aSet = new Set(a.map(normalizeBypassActor));
+  return b.every((e) => aSet.has(normalizeBypassActor(e)));
+}
+function normalizeBypassActor(e) {
+  const id = e.actor_type === "OrganizationAdmin" && (e.actor_id === null || e.actor_id === 1) ? "ORGADMIN" : String(e.actor_id);
+  return `${e.actor_type}:${id}:${e.bypass_mode}`;
+}
+function computeDesiredBypassActors(current, deployKeyId, flags) {
+  const out = [];
+  for (const a of current) {
+    if (a.actor_type === "OrganizationAdmin" && flags.removeOrgadmin) {
+      continue;
+    }
+    if (a.actor_type === "DeployKey") {
+      continue;
+    }
+    out.push(a);
+  }
+  out.push({
+    actor_id: deployKeyId,
+    actor_type: "DeployKey",
+    bypass_mode: "always"
+  });
+  return out;
+}
+
+// src/lib/oteamConfig.ts
+import { existsSync as existsSync7, readFileSync as readFileSync6, renameSync as renameSync2, writeFileSync as writeFileSync6 } from "fs";
+import { homedir } from "os";
+import { join as join4 } from "path";
+var OTEAM_CONFIG_PATH = join4(homedir(), ".open-team", "config.json");
+function readOteamConfig(configPath = OTEAM_CONFIG_PATH) {
+  if (!existsSync7(configPath)) return null;
+  try {
+    const parsed = JSON.parse(readFileSync6(configPath, "utf8"));
+    if (Array.isArray(parsed)) {
+      throw new Error("config must be a JSON object, not an array");
+    }
+    return parsed;
+  } catch (err) {
+    throw new Error(
+      `${configPath}: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
+function patchStampHost(host, configPath = OTEAM_CONFIG_PATH) {
+  let config2 = {};
+  if (existsSync7(configPath)) {
+    try {
+      const parsed = JSON.parse(readFileSync6(configPath, "utf8"));
+      if (typeof parsed === "object" && parsed !== null && !Array.isArray(parsed)) {
+        config2 = parsed;
+      }
+    } catch (err) {
+      throw new Error(
+        `${configPath}: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  const existing = config2.stamp;
+  const stamp = typeof existing === "object" && existing !== null ? { ...existing } : {};
+  stamp["host"] = host;
+  config2["stamp"] = stamp;
+  const tmp = `${configPath}.tmp`;
+  try {
+    writeFileSync6(tmp, JSON.stringify(config2, null, 2) + "\n", "utf8");
+    renameSync2(tmp, configPath);
+  } catch (err) {
+    throw new Error(
+      `${configPath}: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
+
+// src/lib/serverConfig.ts
+import { existsSync as existsSync8, readFileSync as readFileSync7 } from "fs";
+import { parse as parseYaml4 } from "yaml";
+var DEFAULT_USER = "git";
+var DEFAULT_REPO_ROOT = "/srv/git";
+var USER_RE = /^[A-Za-z0-9_][A-Za-z0-9._-]*$/;
+var HOST_RE = /^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/;
+var REPO_ROOT_RE = /^(\/[A-Za-z0-9_-][A-Za-z0-9._-]*)+\/?$/;
+function describeShape2(field) {
+  switch (field) {
+    case "user":
+      return "alphanumerics + . _ -, must not start with -";
+    case "host":
+      return "hostname-shaped (alphanumerics + . -, must start and end with alphanumeric)";
+    case "repo_root_prefix":
+      return "absolute path with alphanumeric/. _ - segments, no .. components";
+  }
+}
+function validateField(field, value, contextPath) {
+  const re = field === "user" ? USER_RE : field === "host" ? HOST_RE : REPO_ROOT_RE;
+  if (!re.test(value)) {
+    throw new Error(
+      `${contextPath}: '${field}' has an invalid shape (got ${JSON.stringify(value)}). Allowed: ${describeShape2(field)}.`
+    );
+  }
+}
+function loadServerConfig() {
+  const path2 = userServerConfigPath();
+  if (!existsSync8(path2)) return null;
+  let raw;
+  try {
+    raw = readFileSync7(path2, "utf8");
+  } catch (err) {
+    throw new Error(
+      `failed to read ${path2}: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  return parseServerConfig(raw, path2);
+}
+function parseServerConfig(raw, contextPath = "<inline>") {
+  const parsed = parseYaml4(raw);
+  if (!parsed || typeof parsed !== "object") {
+    throw new Error(`${contextPath}: must be a YAML mapping with at least 'host' and 'port'`);
+  }
+  const obj = parsed;
+  if (typeof obj.host !== "string" || !obj.host.trim()) {
+    throw new Error(`${contextPath}: 'host' is required and must be a non-empty string`);
+  }
+  if (typeof obj.port !== "number" || !Number.isInteger(obj.port) || obj.port < 1 || obj.port > 65535) {
+    throw new Error(`${contextPath}: 'port' is required and must be an integer 1..65535`);
+  }
+  const host = obj.host.trim();
+  validateField("host", host, contextPath);
+  const user = typeof obj.user === "string" && obj.user.trim() ? obj.user.trim() : DEFAULT_USER;
+  validateField("user", user, contextPath);
+  const repoRootPrefix = typeof obj.repo_root_prefix === "string" && obj.repo_root_prefix.trim() ? obj.repo_root_prefix.trim() : DEFAULT_REPO_ROOT;
+  validateField("repo_root_prefix", repoRootPrefix, contextPath);
+  return {
+    host,
+    port: obj.port,
+    user,
+    repoRootPrefix
+  };
+}
+function parseServerFlag(value, context = "--server") {
+  const m = value.trim().match(/^([^:]+):(\d+)$/);
+  if (!m) {
+    throw new Error(
+      `${context} must be in the form <host>:<port> (got "${value}")`
+    );
+  }
+  const port = Number(m[2]);
+  if (!Number.isInteger(port) || port < 1 || port > 65535) {
+    throw new Error(
+      `${context}: port must be an integer 1..65535 (got "${m[2]}")`
+    );
+  }
+  const host = m[1];
+  validateField("host", host, context);
+  return {
+    host,
+    port,
+    user: DEFAULT_USER,
+    repoRootPrefix: DEFAULT_REPO_ROOT
+  };
+}
+function bareRepoSshUrl(cfg, repoName) {
+  return `ssh://${cfg.user}@${cfg.host}:${cfg.port}${cfg.repoRootPrefix}/${repoName}.git`;
+}
 
 // src/commands/init.ts
 function runInit(opts = {}) {
@@ -3004,41 +3344,41 @@ That command handles the bare-repo creation, clone, bootstrap merge, GitHub mirr
 For local-only / advisory use against this GitHub repo: re-run with \`stamp init --mode local-only\`. That mode is honest about the lack of server-side enforcement (signed merges still work, but \`git push origin main\` will not be rejected by the remote).`
     );
   }
-  const alreadyHasConfig = existsSync7(configFile);
+  const alreadyHasConfig = existsSync9(configFile);
   ensureDir(configDir);
   ensureDir(reviewersDir);
   ensureDir(trustedKeysDir);
   if (!alreadyHasConfig) {
     if (opts.minimal) {
-      writeFileSync6(configFile, stringifyConfig(MINIMAL_CONFIG));
-      writeFileSync6(join4(reviewersDir, "example.md"), EXAMPLE_REVIEWER_PROMPT);
+      writeFileSync7(configFile, stringifyConfig(MINIMAL_CONFIG));
+      writeFileSync7(join5(reviewersDir, "example.md"), EXAMPLE_REVIEWER_PROMPT);
     } else {
-      writeFileSync6(configFile, stringifyConfig(DEFAULT_CONFIG));
-      writeFileSync6(
-        join4(reviewersDir, "security.md"),
+      writeFileSync7(configFile, stringifyConfig(DEFAULT_CONFIG));
+      writeFileSync7(
+        join5(reviewersDir, "security.md"),
         DEFAULT_SECURITY_PROMPT
       );
-      writeFileSync6(
-        join4(reviewersDir, "standards.md"),
+      writeFileSync7(
+        join5(reviewersDir, "standards.md"),
         DEFAULT_STANDARDS_PROMPT
       );
-      writeFileSync6(
-        join4(reviewersDir, "product.md"),
+      writeFileSync7(
+        join5(reviewersDir, "product.md"),
         DEFAULT_PRODUCT_PROMPT
       );
     }
   }
   const { keypair, created: keyCreated } = ensureUserKeypair();
   const userCfg = loadOrCreateUserConfig();
-  const pubKeyPath = join4(
+  const pubKeyPath = join5(
     trustedKeysDir,
     publicKeyFingerprintFilename(keypair.fingerprint)
   );
-  const keyDeposited = !existsSync7(pubKeyPath);
+  const keyDeposited = !existsSync9(pubKeyPath);
   if (keyDeposited) {
-    writeFileSync6(pubKeyPath, keypair.publicKeyPem);
+    writeFileSync7(pubKeyPath, keypair.publicKeyPem);
   }
-  const dbExisted = existsSync7(stateDbPath);
+  const dbExisted = existsSync9(stateDbPath);
   const db = openDb(stateDbPath);
   db.close();
   const agentsMdAction = opts.agentsMd === false ? "skipped" : ensureAgentsMd(repoRoot, effectiveMode);
@@ -3078,6 +3418,9 @@ For local-only / advisory use against this GitHub repo: re-run with \`stamp init
   if (opts.bootstrapCommit !== false) {
     printBootstrapCommitResult(runBootstrapCommit(repoRoot, scaffoldOrSync));
   }
+  if (opts.oteam !== false) {
+    maybeOfferOteamHostFill();
+  }
   const ghProtectOpt = opts.ghProtect !== false;
   if (ghProtectOpt && remoteClass.shape === "forge-direct" && remoteClass.forge === "github.com" && remoteClass.url) {
     applyGitHubRulesetWithReporting(remoteClass.url);
@@ -3168,8 +3511,8 @@ function runBootstrapCommit(repoRoot, scaffoldOrSync) {
     return { kind: "skipped-already-tracked" };
   }
   const toAdd = [".stamp"];
-  if (existsSync7(join4(repoRoot, "AGENTS.md"))) toAdd.push("AGENTS.md");
-  if (existsSync7(join4(repoRoot, "CLAUDE.md"))) toAdd.push("CLAUDE.md");
+  if (existsSync9(join5(repoRoot, "AGENTS.md"))) toAdd.push("AGENTS.md");
+  if (existsSync9(join5(repoRoot, "CLAUDE.md"))) toAdd.push("CLAUDE.md");
   runGit(["add", ...toAdd], repoRoot);
   let hasStagedChanges = false;
   try {
@@ -3295,6 +3638,44 @@ function applyGitHubRulesetWithReporting(remoteUrl) {
       break;
   }
 }
+function maybeOfferOteamHostFill() {
+  if (!process.stdin.isTTY || !process.stdout.isTTY) return;
+  let oteamCfg;
+  try {
+    oteamCfg = readOteamConfig();
+  } catch {
+    return;
+  }
+  if (oteamCfg === null) return;
+  const cfg = oteamCfg;
+  const stamp = cfg.stamp;
+  if (stamp?.host) return;
+  let serverCfg;
+  try {
+    serverCfg = loadServerConfig();
+  } catch {
+    return;
+  }
+  if (!serverCfg) return;
+  const host = serverCfg.host;
+  process.stdout.write(
+    `Set oteam's \`stamp.host\` to "${host}"? [y/N] `
+  );
+  const answer = readLineSync().trim().toLowerCase();
+  if (answer !== "y" && answer !== "yes") return;
+  try {
+    patchStampHost(host);
+    console.log(
+      `oteam config: stamp.host set to "${host}" in ~/.open-team/config.json`
+    );
+    console.log();
+  } catch (err) {
+    console.log(
+      `warning: could not patch ~/.open-team/config.json: ${err instanceof Error ? err.message : String(err)}`
+    );
+    console.log();
+  }
+}
 function resolveMode(userMode, remoteClass) {
   const warnings = [];
   if (userMode === "local-only") {
@@ -3337,104 +3718,401 @@ function resolveMode(userMode, remoteClass) {
 }
 
 // src/commands/provision.ts
-import { spawnSync as spawnSync4 } from "child_process";
-import { existsSync as existsSync9, mkdtempSync, rmSync, writeFileSync as writeFileSync7 } from "fs";
+import { spawnSync as spawnSync6 } from "child_process";
+import { existsSync as existsSync11, mkdtempSync, readFileSync as readFileSync8, rmSync, writeFileSync as writeFileSync9 } from "fs";
 import { tmpdir } from "os";
-import { join as join5, resolve as resolvePath } from "path";
+import { join as join6, resolve as resolvePath } from "path";
+import { parse as parseYaml5 } from "yaml";
 
-// src/lib/serverConfig.ts
-import { existsSync as existsSync8, readFileSync as readFileSync6 } from "fs";
-import { parse as parseYaml4 } from "yaml";
-var DEFAULT_USER = "git";
-var DEFAULT_REPO_ROOT = "/srv/git";
-var USER_RE = /^[A-Za-z0-9_][A-Za-z0-9._-]*$/;
-var HOST_RE = /^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/;
-var REPO_ROOT_RE = /^(\/[A-Za-z0-9_-][A-Za-z0-9._-]*)+\/?$/;
-function describeShape2(field) {
-  switch (field) {
-    case "user":
-      return "alphanumerics + . _ -, must not start with -";
-    case "host":
-      return "hostname-shaped (alphanumerics + . -, must start and end with alphanumeric)";
-    case "repo_root_prefix":
-      return "absolute path with alphanumeric/. _ - segments, no .. components";
+// src/commands/server.ts
+import { spawnSync as spawnSync5 } from "child_process";
+import { existsSync as existsSync10, mkdirSync as mkdirSync4, renameSync as renameSync3, unlinkSync as unlinkSync2, writeFileSync as writeFileSync8 } from "fs";
+import { dirname as dirname4 } from "path";
+import { stringify as stringifyYaml2 } from "yaml";
+
+// src/lib/perRepoKey.ts
+var VALID_OWNER = /^[A-Za-z0-9-]+$/;
+var VALID_REPO = /^[A-Za-z0-9._-]+$/;
+var SSH_CLIENT_KEY_DIR = "/srv/git/.ssh-client-keys";
+function computePerRepoKeyPath(githubRepo) {
+  if (typeof githubRepo !== "string" || githubRepo.length === 0) {
+    throw new Error("computePerRepoKeyPath: githubRepo must be a non-empty string");
+  }
+  if (githubRepo.startsWith("-")) {
+    throw new Error(
+      `computePerRepoKeyPath: githubRepo must not start with '-': ${githubRepo}`
+    );
+  }
+  if (githubRepo.includes("..")) {
+    throw new Error(
+      `computePerRepoKeyPath: githubRepo must not contain '..': ${githubRepo}`
+    );
+  }
+  const slashCount = (githubRepo.match(/\//g) ?? []).length;
+  if (slashCount !== 1) {
+    throw new Error(
+      `computePerRepoKeyPath: githubRepo must be exactly <owner>/<repo>: ${githubRepo}`
+    );
+  }
+  const [owner, repo] = githubRepo.split("/");
+  if (!owner || !repo) {
+    throw new Error(
+      `computePerRepoKeyPath: owner and repo halves must both be non-empty: ${githubRepo}`
+    );
   }
+  if (!VALID_OWNER.test(owner)) {
+    throw new Error(
+      `computePerRepoKeyPath: owner must match [A-Za-z0-9-]+ (got "${owner}" in "${githubRepo}")`
+    );
+  }
+  if (!VALID_REPO.test(repo)) {
+    throw new Error(
+      `computePerRepoKeyPath: repo must match [A-Za-z0-9._-]+ (got "${repo}" in "${githubRepo}")`
+    );
+  }
+  return `${SSH_CLIENT_KEY_DIR}/${owner}_${repo}_ed25519`;
 }
-function validateField(field, value, contextPath) {
-  const re = field === "user" ? USER_RE : field === "host" ? HOST_RE : REPO_ROOT_RE;
-  if (!re.test(value)) {
+
+// src/commands/serverRepo.ts
+import { spawnSync as spawnSync4 } from "child_process";
+import { createInterface } from "readline";
+async function runServerRepoDelete(opts) {
+  const name = normalizeRepoName(opts.name);
+  if (opts.alsoGithub !== void 0) validateGithubRepoSpec(opts.alsoGithub);
+  const server2 = resolveServer(opts.server);
+  const action = opts.purge ? "PURGE (irreversible)" : "soft-delete (recoverable via restore)";
+  console.log(`About to ${action} bare repo: ${name}`);
+  console.log(`On server: ${server2.user}@${server2.host}:${server2.port}`);
+  if (opts.alsoGithub) {
+    console.log(
+      `Also: gh repo delete ${opts.alsoGithub} (PERMANENT, no GitHub-side undo)`
+    );
+  }
+  console.log();
+  if (!opts.yes) {
+    const expected = opts.purge ? `purge ${name}` : `delete ${name}`;
+    const got = await prompt(`Type "${expected}" to confirm: `);
+    if (got.trim() !== expected) {
+      console.log("note: aborted");
+      return;
+    }
+  }
+  const args = ["delete-stamp-repo", name];
+  if (opts.purge) args.push("--purge");
+  const result = spawnSync4(
+    "ssh",
+    ["-p", String(server2.port), "--", `${server2.user}@${server2.host}`, ...args],
+    { stdio: ["ignore", "inherit", "inherit"] }
+  );
+  if (result.status !== 0) {
     throw new Error(
-      `${contextPath}: '${field}' has an invalid shape (got ${JSON.stringify(value)}). Allowed: ${describeShape2(field)}.`
+      `server-side delete failed (exit ${result.status}). The bare repo on the stamp server was NOT touched. If you see "command not found", the server image is older than 0.7.3 \u2014 redeploy it first.`
+    );
+  }
+  if (!opts.purge) {
+    console.log();
+    console.log(`Recovery:`);
+    console.log(`  stamp server-repos restore ${name}                 # bring it back`);
+    console.log(`  stamp server-repos delete ${name} --purge          # nuke for real`);
+  }
+  if (opts.alsoGithub) {
+    if (!opts.yes) {
+      const expected = `delete github ${opts.alsoGithub}`;
+      const got = await prompt(
+        `Server-side done. To ALSO delete the GitHub mirror, type "${expected}" (or anything else to skip): `
+      );
+      if (got.trim() !== expected) {
+        console.log(
+          `note: skipped GitHub delete; mirror at https://github.com/${opts.alsoGithub} is intact`
+        );
+        return;
+      }
+    }
+    const ghResult = spawnSync4(
+      "gh",
+      ["repo", "delete", opts.alsoGithub, "--yes"],
+      { stdio: ["ignore", "inherit", "inherit"] }
     );
+    if (ghResult.status !== 0) {
+      throw new Error(
+        `GitHub repo delete failed (exit ${ghResult.status}). Server-side delete already succeeded; the GitHub mirror is still present at https://github.com/${opts.alsoGithub}.`
+      );
+    }
   }
 }
-function loadServerConfig() {
-  const path2 = userServerConfigPath();
-  if (!existsSync8(path2)) return null;
-  let raw;
-  try {
-    raw = readFileSync6(path2, "utf8");
-  } catch (err) {
+async function runServerRepoRestore(opts) {
+  const name = normalizeRepoName(opts.name);
+  const asName = opts.asName !== void 0 ? normalizeRepoName(opts.asName) : void 0;
+  if (opts.from !== void 0) validateTrashEntryName(opts.from);
+  const server2 = resolveServer(opts.server);
+  const args = ["restore-stamp-repo", name];
+  if (opts.from) {
+    args.push("--from", opts.from);
+  }
+  if (asName) {
+    args.push("--as", asName);
+  }
+  const result = spawnSync4(
+    "ssh",
+    ["-p", String(server2.port), "--", `${server2.user}@${server2.host}`, ...args],
+    { stdio: ["ignore", "inherit", "inherit"] }
+  );
+  if (result.status !== 0) {
     throw new Error(
-      `failed to read ${path2}: ${err instanceof Error ? err.message : String(err)}`
+      `server-side restore failed (exit ${result.status}). Run \`stamp server-repos list --trash\` to see what's available.`
     );
   }
-  return parseServerConfig(raw, path2);
 }
-function parseServerConfig(raw, contextPath = "<inline>") {
-  const parsed = parseYaml4(raw);
-  if (!parsed || typeof parsed !== "object") {
-    throw new Error(`${contextPath}: must be a YAML mapping with at least 'host' and 'port'`);
+function runServerRepoList(opts) {
+  const server2 = resolveServer(opts.server);
+  if (opts.trash) {
+    const result2 = spawnSync4(
+      "ssh",
+      ["-p", String(server2.port), "--", `${server2.user}@${server2.host}`, "list-trash"],
+      { stdio: ["ignore", "inherit", "inherit"] }
+    );
+    if (result2.status !== 0) {
+      throw new Error(
+        `list --trash failed (exit ${result2.status}). If you see "command not found", the server image is older than 0.7.3 \u2014 redeploy it first.`
+      );
+    }
+    return;
   }
-  const obj = parsed;
-  if (typeof obj.host !== "string" || !obj.host.trim()) {
-    throw new Error(`${contextPath}: 'host' is required and must be a non-empty string`);
+  const result = spawnSync4(
+    "ssh",
+    [
+      "-p",
+      String(server2.port),
+      "--",
+      `${server2.user}@${server2.host}`,
+      "ls",
+      "-1",
+      "/srv/git/"
+    ],
+    { stdio: ["ignore", "pipe", "inherit"], encoding: "utf8" }
+  );
+  if (result.status !== 0) {
+    throw new Error(`list failed (exit ${result.status}).`);
   }
-  if (typeof obj.port !== "number" || !Number.isInteger(obj.port) || obj.port < 1 || obj.port > 65535) {
-    throw new Error(`${contextPath}: 'port' is required and must be an integer 1..65535`);
+  const entries = filterLiveBareRepoNames(result.stdout);
+  if (entries.length === 0) {
+    console.log("(no live bare repos)");
+    return;
   }
-  const host = obj.host.trim();
-  validateField("host", host, contextPath);
-  const user = typeof obj.user === "string" && obj.user.trim() ? obj.user.trim() : DEFAULT_USER;
-  validateField("user", user, contextPath);
-  const repoRootPrefix = typeof obj.repo_root_prefix === "string" && obj.repo_root_prefix.trim() ? obj.repo_root_prefix.trim() : DEFAULT_REPO_ROOT;
-  validateField("repo_root_prefix", repoRootPrefix, contextPath);
-  return {
-    host,
-    port: obj.port,
-    user,
-    repoRootPrefix
-  };
+  for (const e of entries) console.log(e);
 }
-function parseServerFlag(value, context = "--server") {
-  const m = value.trim().match(/^([^:]+):(\d+)$/);
-  if (!m) {
+function resolveServer(serverFlag) {
+  const server2 = serverFlag ? parseServerFlag(serverFlag) : loadServerConfig();
+  if (!server2) {
     throw new Error(
-      `${context} must be in the form <host>:<port> (got "${value}")`
+      `no stamp server configured. Either:
+  - create ~/.stamp/server.yml with at least:
+      host: <ssh-host>
+      port: <ssh-port>
+  - or pass --server <host>:<port> on the command line.`
     );
   }
-  const port = Number(m[2]);
-  if (!Number.isInteger(port) || port < 1 || port > 65535) {
-    throw new Error(
-      `${context}: port must be an integer 1..65535 (got "${m[2]}")`
+  return server2;
+}
+var UsageError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "UsageError";
+  }
+};
+function normalizeRepoName(name) {
+  const canonical = name.endsWith(".git") ? name.slice(0, -4) : name;
+  validateRepoName(canonical);
+  return canonical;
+}
+function filterLiveBareRepoNames(rawOutput) {
+  return rawOutput.split("\n").map((s) => s.trim()).filter(Boolean).filter((s) => s.endsWith(".git")).map((s) => s.slice(0, -4)).filter((s) => s.length > 0);
+}
+function validateRepoName(name) {
+  if (!/^[A-Za-z0-9_][A-Za-z0-9._-]*$/.test(name) || name.includes("..")) {
+    throw new UsageError(
+      `repo name must start with [A-Za-z0-9_], match [A-Za-z0-9._-]+, and not contain '..' (got "${name}")`
     );
   }
-  const host = m[1];
-  validateField("host", host, context);
-  return {
-    host,
-    port,
-    user: DEFAULT_USER,
-    repoRootPrefix: DEFAULT_REPO_ROOT
+}
+function validateTrashEntryName(entry) {
+  if (!/^[0-9]{8}T[0-9]{6}Z-[A-Za-z0-9_][A-Za-z0-9._-]*\.git$/.test(entry)) {
+    throw new UsageError(
+      `--from must match <YYYYMMDDTHHMMSSZ>-<name>.git (got "${entry}"). Run \`stamp server-repos list --trash\` to see valid entry names.`
+    );
+  }
+}
+function validateGithubRepoSpec(spec) {
+  if (!/^[A-Za-z0-9_][A-Za-z0-9-]*\/[A-Za-z0-9_][A-Za-z0-9._-]*$/.test(spec)) {
+    throw new UsageError(
+      `--also-github must be <owner>/<repo> with no leading '-' on either segment (got "${spec}")`
+    );
+  }
+}
+function prompt(question) {
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve2) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve2(answer);
+    });
+  });
+}
+
+// src/commands/server.ts
+function formatServerConfigYaml(opts) {
+  const body = {
+    host: opts.host,
+    port: opts.port
   };
+  if (opts.user && opts.user.trim()) body.user = opts.user.trim();
+  if (opts.repoRootPrefix && opts.repoRootPrefix.trim()) {
+    body.repo_root_prefix = opts.repoRootPrefix.trim();
+  }
+  return stringifyYaml2(body);
 }
-function bareRepoSshUrl(cfg, repoName) {
-  return `ssh://${cfg.user}@${cfg.host}:${cfg.port}${cfg.repoRootPrefix}/${repoName}.git`;
+function runServerConfig(opts) {
+  const modes = [opts.hostPort, opts.show, opts.unset].filter(Boolean).length;
+  if (modes !== 1) {
+    throw new UsageError(
+      "stamp server config: provide exactly one of <host:port>, --show, or --unset"
+    );
+  }
+  if ((opts.show || opts.unset) && (opts.user || opts.repoRootPrefix)) {
+    throw new UsageError(
+      "stamp server config: --user and --repo-root-prefix only apply when writing (they conflict with --show / --unset)"
+    );
+  }
+  if (opts.show) return showConfig();
+  if (opts.unset) return unsetConfig();
+  return writeConfig(opts);
+}
+function showConfig() {
+  const path2 = userServerConfigPath();
+  if (!existsSync10(path2)) {
+    console.log(`note: no stamp server configured (${path2} does not exist)`);
+    console.log(`note: run \`stamp server config <host:port>\` to create one`);
+    return;
+  }
+  const cfg = loadServerConfig();
+  if (!cfg) {
+    console.log(`note: no stamp server configured`);
+    return;
+  }
+  console.log(`config:           ${path2}`);
+  console.log(`host:             ${cfg.host}`);
+  console.log(`port:             ${cfg.port}`);
+  console.log(`user:             ${cfg.user}`);
+  console.log(`repo_root_prefix: ${cfg.repoRootPrefix}`);
+}
+function unsetConfig() {
+  const path2 = userServerConfigPath();
+  if (!existsSync10(path2)) {
+    console.log(`note: ${path2} does not exist; nothing to remove`);
+    return;
+  }
+  unlinkSync2(path2);
+  console.log(`removed ${path2}`);
+}
+function fetchServerPubkey(server2, mirror) {
+  const sshArgs = [
+    "-p",
+    String(server2.port),
+    "--",
+    `${server2.user}@${server2.host}`,
+    "stamp-server-pubkey"
+  ];
+  if (mirror) {
+    sshArgs.push(`${mirror.owner}/${mirror.repo}`);
+  }
+  const result = spawnSync5("ssh", sshArgs, {
+    stdio: ["ignore", "pipe", "inherit"],
+    encoding: "utf8"
+  });
+  if (result.status !== 0) {
+    const target = mirror ? ` for ${mirror.owner}/${mirror.repo}` : "";
+    throw new Error(
+      `stamp server pubkey${target} failed (exit ${result.status}) against ${server2.user}@${server2.host}:${server2.port}. If you see "command not found", the server image predates the deploy-key feature \u2014 redeploy it first.`
+    );
+  }
+  return result.stdout.trim();
+}
+function runServerPubkey(opts) {
+  const server2 = resolveServer(opts.server);
+  let mirror;
+  if (opts.repo) {
+    try {
+      computePerRepoKeyPath(opts.repo);
+    } catch (err) {
+      throw new UsageError(
+        `--repo ${err instanceof Error ? err.message.replace(/^computePerRepoKeyPath:\s*/, "") : String(err)}`
+      );
+    }
+    const slashIdx = opts.repo.indexOf("/");
+    mirror = {
+      owner: opts.repo.slice(0, slashIdx),
+      repo: opts.repo.slice(slashIdx + 1)
+    };
+  }
+  const pubkey = fetchServerPubkey(server2, mirror);
+  process.stdout.write(`${pubkey}
+`);
+}
+function writeConfig(opts) {
+  let parsed;
+  try {
+    parsed = parseServerFlag(opts.hostPort, "stamp server config: <host:port>");
+  } catch (err) {
+    throw new UsageError(err instanceof Error ? err.message : String(err));
+  }
+  const yaml = formatServerConfigYaml({
+    host: parsed.host,
+    port: parsed.port,
+    user: opts.user,
+    repoRootPrefix: opts.repoRootPrefix
+  });
+  const path2 = userServerConfigPath();
+  const dir = dirname4(path2);
+  if (!existsSync10(dir)) mkdirSync4(dir, { recursive: true, mode: 448 });
+  const tmp = `${path2}.tmp.${process.pid}`;
+  writeFileSync8(tmp, yaml, { mode: 384 });
+  renameSync3(tmp, path2);
+  console.log(`wrote ${path2}`);
+  console.log(`host:             ${parsed.host}`);
+  console.log(`port:             ${parsed.port}`);
+  if (opts.user && opts.user.trim()) {
+    console.log(`user:             ${opts.user.trim()}`);
+  }
+  if (opts.repoRootPrefix && opts.repoRootPrefix.trim()) {
+    console.log(`repo_root_prefix: ${opts.repoRootPrefix.trim()}`);
+  }
 }
 
 // src/commands/provision.ts
 async function runProvision(opts) {
-  validateRepoName(opts.name);
+  if (opts.migrateExisting && opts.migrateBypass) {
+    throw new Error(
+      `--migrate-existing and --migrate-bypass are mutually exclusive: the first moves a forge-direct repo to server-gated topology, the second changes the bypass-actor shape on an already-server-gated repo.`
+    );
+  }
+  if (opts.removeOrgadmin && !opts.migrateBypass) {
+    throw new Error(
+      `--remove-orgadmin is only meaningful with --migrate-bypass`
+    );
+  }
+  if (!opts.migrateBypass) {
+    if (!opts.name) {
+      throw new Error(
+        `stamp provision requires a <name> argument (the bare repo name on the stamp server). If you meant to migrate an already-server-gated repo's Ruleset bypass instead, pass --migrate-bypass (identifies the target via cwd's .stamp/mirror.yml; no <name> needed).`
+      );
+    }
+    validateRepoName2(opts.name);
+  } else if (opts.name) {
+    console.log(
+      `note: <name> argument ignored under --migrate-bypass; the target is identified by .stamp/mirror.yml in the cwd.`
+    );
+    console.log();
+  }
   if (opts.org !== void 0) validateOrgName(opts.org);
   const server2 = opts.server ? parseServerFlag(opts.server) : loadServerConfig();
   if (!server2) {
@@ -3448,12 +4126,16 @@ async function runProvision(opts) {
 See docs/quickstart-server.md for how to deploy a stamp server first.`
     );
   }
+  if (opts.migrateBypass) {
+    await runMigrateBypass(opts, server2);
+    return;
+  }
   if (opts.migrateExisting) {
     await runMigrateExisting(opts, server2);
     return;
   }
   const cloneTarget = resolvePath(opts.into ?? opts.name);
-  if (existsSync9(cloneTarget)) {
+  if (existsSync11(cloneTarget)) {
     throw new Error(
       `clone destination already exists: ${cloneTarget}. Move or remove it, or pass --into <other-path>.`
     );
@@ -3481,11 +4163,11 @@ Provisioning bare repo on ${server2.host}:${server2.port}`);
   process.chdir(cloneTarget);
   await runBootstrap({});
   if (mirrorRepo && !opts.noRuleset) {
-    applyMirrorRuleset(mirrorRepo);
+    applyMirrorRuleset(mirrorRepo, server2);
   }
   printSuccess({ cloneTarget, server: server2, repoName: opts.name, mirrorRepo });
 }
-function validateRepoName(name) {
+function validateRepoName2(name) {
   if (!/^[A-Za-z0-9_][A-Za-z0-9._-]*$/.test(name)) {
     throw new Error(
       `repo name must start with [A-Za-z0-9_] and match [A-Za-z0-9._-]+ (got "${name}")`
@@ -3518,13 +4200,19 @@ function printPlan2(args) {
   }
   if (args.opts.org && !args.opts.noMirror && !args.opts.noRuleset) {
     console.log(fmt("GitHub Ruleset", "apply stamp-mirror-only on the mirror repo"));
+    console.log(
+      fmt(
+        "bypass actor",
+        `org repo \u2192 stamp-server deploy key "${STAMP_MIRROR_DEPLOY_KEY_TITLE}" (auto-registered or reused); personal repo \u2192 your gh-authed user`
+      )
+    );
   } else {
     console.log(fmt("GitHub Ruleset", "skipped"));
   }
   console.log(bar);
 }
 function provisionBareRepoOnServer(server2, name) {
-  const result = spawnSync4(
+  const result = spawnSync6(
     "ssh",
     [
       "-p",
@@ -3550,7 +4238,7 @@ function createGithubMirrorRepo(owner, repo, privateRepo) {
     );
   }
   const visibility = privateRepo ? "--private" : "--public";
-  const result = spawnSync4(
+  const result = spawnSync6(
     "gh",
     ["repo", "create", `${owner}/${repo}`, visibility],
     { stdio: ["ignore", "inherit", "inherit"] }
@@ -3573,28 +4261,67 @@ function writeMirrorYml(cloneTarget, mirror) {
   #   - "v*"
 `;
   const path2 = `${cloneTarget}/.stamp/mirror.yml`;
-  writeFileSync7(path2, yml);
+  writeFileSync9(path2, yml);
   console.log(`Wrote mirror.yml \u2192 .stamp/mirror.yml (${mirror.owner}/${mirror.repo})`);
 }
-function applyMirrorRuleset(mirror) {
-  const user = lookupAuthenticatedUserId();
-  if (!user) {
+function applyMirrorRuleset(mirror, server2) {
+  const existing = findExistingStampRuleset(mirror.owner, mirror.repo);
+  if (existing !== null) {
     console.log(
-      `note: GitHub Ruleset auto-apply skipped \u2014 couldn't look up the gh-authenticated user.`
+      `GitHub Ruleset: stamp-mirror-only already present on ${mirror.owner}/${mirror.repo}. Not modified.`
     );
-    console.log(`      Try \`gh auth status\` and re-apply manually via docs/github-ruleset-setup.md.`);
     return;
   }
   const ownerType = lookupRepoOwnerType(mirror.owner, mirror.repo);
   if (ownerType === null) {
     console.log(
-      `note: GitHub Ruleset auto-apply skipped \u2014 couldn't determine whether ${mirror.owner}/${mirror.repo} is a personal or org repo.`
+      `warning: GitHub Ruleset auto-apply skipped \u2014 couldn't determine whether ${mirror.owner}/${mirror.repo} is a personal or org repo.`
     );
-    console.log(`      For manual setup, see docs/github-ruleset-setup.md.`);
+    console.log(`         For manual setup, see docs/github-ruleset-setup.md.`);
     return;
   }
-  const actor = ownerType === "Organization" ? { type: "OrganizationAdmin", id: 1 } : { type: "User", id: user.id };
-  const actorDescription = actor.type === "OrganizationAdmin" ? "any org admin (your gh-authed user must be one to push as bypass)" : `${user.login}, id ${user.id}`;
+  let actor;
+  let actorDescription;
+  if (ownerType === "Organization") {
+    let pubkey;
+    try {
+      pubkey = fetchServerPubkey(server2, mirror);
+    } catch (err) {
+      console.log(
+        `warning: GitHub Ruleset auto-apply skipped \u2014 couldn't fetch stamp server pubkey: ${err instanceof Error ? err.message : String(err)}`
+      );
+      console.log(`         For manual setup, see docs/github-ruleset-setup.md.`);
+      return;
+    }
+    const reg = registerDeployKey(
+      mirror.owner,
+      mirror.repo,
+      STAMP_MIRROR_DEPLOY_KEY_TITLE,
+      pubkey
+    );
+    if (reg.status === "failed") {
+      console.log(`warning: GitHub Ruleset auto-apply skipped \u2014 deploy-key registration failed: ${reg.error}`);
+      console.log(`         For manual setup, see docs/github-ruleset-setup.md.`);
+      return;
+    }
+    const verb = reg.status === "created" ? "registered" : "reused";
+    console.log(
+      `Deploy key: ${verb} "${STAMP_MIRROR_DEPLOY_KEY_TITLE}" on ${mirror.owner}/${mirror.repo} (id ${reg.keyId}).`
+    );
+    actor = { type: "DeployKey", id: reg.keyId };
+    actorDescription = `stamp-server deploy key "${STAMP_MIRROR_DEPLOY_KEY_TITLE}", id ${reg.keyId}`;
+  } else {
+    const user = lookupAuthenticatedUserId();
+    if (!user) {
+      console.log(
+        `warning: GitHub Ruleset auto-apply skipped \u2014 couldn't look up the gh-authenticated user.`
+      );
+      console.log(`         Try \`gh auth status\` and re-apply manually via docs/github-ruleset-setup.md.`);
+      return;
+    }
+    actor = { type: "User", id: user.id };
+    actorDescription = `${user.login}, id ${user.id}`;
+  }
   const result = applyStampRuleset(mirror.owner, mirror.repo, actor);
   switch (result.status) {
     case "created":
@@ -3658,9 +4385,9 @@ async function runMigrateExisting(opts, server2) {
     console.log("\n(dry run \u2014 no changes made)");
     return;
   }
-  const stagingDir = mkdtempSync(join5(tmpdir(), "stamp-migrate-"));
-  const bareCloneDir = join5(stagingDir, `${opts.name}.git`);
-  const tarballPath = join5(stagingDir, `${opts.name}.tar.gz`);
+  const stagingDir = mkdtempSync(join6(tmpdir(), "stamp-migrate-"));
+  const bareCloneDir = join6(stagingDir, `${opts.name}.git`);
+  const tarballPath = join6(stagingDir, `${opts.name}.tar.gz`);
   try {
     console.log(`
 Building bare-clone tarball of existing repo`);
@@ -3682,7 +4409,7 @@ Building bare-clone tarball of existing repo`);
     writeMirrorYml(repoRoot, mirrorParse);
   }
   if (!opts.noMirror && !opts.noRuleset) {
-    applyMirrorRuleset(mirrorParse);
+    applyMirrorRuleset(mirrorParse, server2);
   }
   printMigrateSuccess({ repoRoot, server: server2, repoName: opts.name, mirror: mirrorParse, opts });
 }
@@ -3696,9 +4423,9 @@ function ensureCwdIsGitRepo(cwd) {
   }
 }
 function ensureStampInitDone(cwd) {
-  if (!existsSync9(join5(cwd, ".stamp", "config.yml"))) {
+  if (!existsSync11(join6(cwd, ".stamp", "config.yml"))) {
     throw new Error(
-      `--migrate-existing expects this repo to already be stamp-init'd (${join5(cwd, ".stamp/config.yml")} not found). Run \`stamp init --mode local-only\` first, calibrate your reviewers, then re-run with --migrate-existing.`
+      `--migrate-existing expects this repo to already be stamp-init'd (${join6(cwd, ".stamp/config.yml")} not found). Run \`stamp init --mode local-only\` first, calibrate your reviewers, then re-run with --migrate-existing.`
     );
   }
 }
@@ -3728,7 +4455,7 @@ function ensureWorkingTreeClean(cwd) {
   }
 }
 function runTarGz(parentDir, dirName, outputPath) {
-  const result = spawnSync4("tar", ["-czf", outputPath, "-C", parentDir, dirName], {
+  const result = spawnSync6("tar", ["-czf", outputPath, "-C", parentDir, dirName], {
     stdio: ["ignore", "inherit", "inherit"]
   });
   if (result.status !== 0) {
@@ -3738,7 +4465,7 @@ function runTarGz(parentDir, dirName, outputPath) {
   }
 }
 function scpToServer(server2, localPath, remotePath) {
-  const result = spawnSync4(
+  const result = spawnSync6(
     "scp",
     [
       "-P",
@@ -3756,7 +4483,7 @@ function scpToServer(server2, localPath, remotePath) {
   }
 }
 function sshRunNewStampRepoFromTarball(server2, name, remoteTarballPath) {
-  const result = spawnSync4(
+  const result = spawnSync6(
     "ssh",
     [
       "-p",
@@ -3822,196 +4549,249 @@ mirror.yml was added to .stamp/. Commit it through the normal stamp flow:`);
     console.log(`  stamp push main`);
   }
 }
-
-// src/commands/serverRepo.ts
-import { spawnSync as spawnSync5 } from "child_process";
-import { createInterface } from "readline";
-async function runServerRepoDelete(opts) {
-  const name = normalizeRepoName(opts.name);
-  if (opts.alsoGithub !== void 0) validateGithubRepoSpec(opts.alsoGithub);
-  const server2 = resolveServer(opts.server);
-  const action = opts.purge ? "PURGE (irreversible)" : "soft-delete (recoverable via restore)";
-  console.log(`About to ${action} bare repo: ${name}`);
-  console.log(`On server: ${server2.user}@${server2.host}:${server2.port}`);
-  if (opts.alsoGithub) {
-    console.log(
-      `Also: gh repo delete ${opts.alsoGithub} (PERMANENT, no GitHub-side undo)`
+function readMirrorYmlGithubRepo(repoRoot) {
+  const path2 = join6(repoRoot, ".stamp", "mirror.yml");
+  if (!existsSync11(path2)) {
+    throw new Error(
+      `${path2} not found \u2014 --migrate-bypass operates on an already-server-gated repo, but this cwd has no .stamp/mirror.yml. If the repo is not yet server-gated, provision it first with \`stamp provision --migrate-existing\`.`
     );
   }
-  console.log();
-  if (!opts.yes) {
-    const expected = opts.purge ? `purge ${name}` : `delete ${name}`;
-    const got = await prompt(`Type "${expected}" to confirm: `);
-    if (got.trim() !== expected) {
-      console.log("note: aborted");
-      return;
-    }
-  }
-  const args = ["delete-stamp-repo", name];
-  if (opts.purge) args.push("--purge");
-  const result = spawnSync5(
-    "ssh",
-    ["-p", String(server2.port), "--", `${server2.user}@${server2.host}`, ...args],
-    { stdio: ["ignore", "inherit", "inherit"] }
-  );
-  if (result.status !== 0) {
+  let raw;
+  try {
+    raw = readFileSync8(path2, "utf8");
+  } catch (err) {
     throw new Error(
-      `server-side delete failed (exit ${result.status}). The bare repo on the stamp server was NOT touched. If you see "command not found", the server image is older than 0.7.3 \u2014 redeploy it first.`
+      `could not read ${path2}: ${err instanceof Error ? err.message : String(err)}`
     );
   }
-  if (!opts.purge) {
-    console.log();
-    console.log(`Recovery:`);
-    console.log(`  stamp server-repos restore ${name}                 # bring it back`);
-    console.log(`  stamp server-repos delete ${name} --purge          # nuke for real`);
-  }
-  if (opts.alsoGithub) {
-    if (!opts.yes) {
-      const expected = `delete github ${opts.alsoGithub}`;
-      const got = await prompt(
-        `Server-side done. To ALSO delete the GitHub mirror, type "${expected}" (or anything else to skip): `
-      );
-      if (got.trim() !== expected) {
-        console.log(
-          `note: skipped GitHub delete; mirror at https://github.com/${opts.alsoGithub} is intact`
-        );
-        return;
-      }
-    }
-    const ghResult = spawnSync5(
-      "gh",
-      ["repo", "delete", opts.alsoGithub, "--yes"],
-      { stdio: ["ignore", "inherit", "inherit"] }
+  let parsed;
+  try {
+    parsed = parseYaml5(raw);
+  } catch (err) {
+    throw new Error(
+      `${path2} failed to parse as YAML: ${err instanceof Error ? err.message : String(err)}`
     );
-    if (ghResult.status !== 0) {
-      throw new Error(
-        `GitHub repo delete failed (exit ${ghResult.status}). Server-side delete already succeeded; the GitHub mirror is still present at https://github.com/${opts.alsoGithub}.`
-      );
-    }
-  }
-}
-async function runServerRepoRestore(opts) {
-  const name = normalizeRepoName(opts.name);
-  const asName = opts.asName !== void 0 ? normalizeRepoName(opts.asName) : void 0;
-  if (opts.from !== void 0) validateTrashEntryName(opts.from);
-  const server2 = resolveServer(opts.server);
-  const args = ["restore-stamp-repo", name];
-  if (opts.from) {
-    args.push("--from", opts.from);
   }
-  if (asName) {
-    args.push("--as", asName);
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error(`${path2} is empty or not a map`);
   }
-  const result = spawnSync5(
-    "ssh",
-    ["-p", String(server2.port), "--", `${server2.user}@${server2.host}`, ...args],
-    { stdio: ["ignore", "inherit", "inherit"] }
-  );
-  if (result.status !== 0) {
+  const obj = parsed;
+  const gh = obj["github"];
+  if (!gh || typeof gh !== "object" || Array.isArray(gh)) {
+    throw new Error(`${path2} has no usable 'github' map`);
+  }
+  const repoStr = gh["repo"];
+  if (typeof repoStr !== "string" || !/^[A-Za-z0-9._-]+\/[A-Za-z0-9._-]+$/.test(repoStr)) {
     throw new Error(
-      `server-side restore failed (exit ${result.status}). Run \`stamp server-repos list --trash\` to see what's available.`
+      `${path2} github.repo is missing or not of form 'owner/repo' (got ${JSON.stringify(repoStr)})`
     );
   }
+  const slashIdx = repoStr.indexOf("/");
+  return {
+    owner: repoStr.slice(0, slashIdx),
+    repo: repoStr.slice(slashIdx + 1)
+  };
 }
-function runServerRepoList(opts) {
-  const server2 = resolveServer(opts.server);
-  if (opts.trash) {
-    const result2 = spawnSync5(
-      "ssh",
-      ["-p", String(server2.port), "--", `${server2.user}@${server2.host}`, "list-trash"],
-      { stdio: ["ignore", "inherit", "inherit"] }
+async function runMigrateBypass(opts, server2) {
+  const repoRoot = process.cwd();
+  const mirror = readMirrorYmlGithubRepo(repoRoot);
+  const ghCheck = checkGhAvailable();
+  if (!ghCheck.available) {
+    throw new Error(
+      `--migrate-bypass requires gh: ${ghCheck.reason}. Install/authenticate gh, then re-run.`
     );
-    if (result2.status !== 0) {
-      throw new Error(
-        `list --trash failed (exit ${result2.status}). If you see "command not found", the server image is older than 0.7.3 \u2014 redeploy it first.`
-      );
-    }
+  }
+  printMigrateBypassPlan({ mirror, server: server2, opts });
+  if (opts.dryRun) {
+    console.log("\n(dry run \u2014 no changes made)");
     return;
   }
-  const result = spawnSync5(
-    "ssh",
-    [
-      "-p",
-      String(server2.port),
-      "--",
-      `${server2.user}@${server2.host}`,
-      "ls",
-      "-1",
-      "/srv/git/"
-    ],
-    { stdio: ["ignore", "pipe", "inherit"], encoding: "utf8" }
+  console.log(`
+Fetching per-repo deploy key from stamp server`);
+  let pubkey;
+  try {
+    pubkey = fetchServerPubkey(server2, mirror);
+  } catch (err) {
+    throw new Error(
+      `failed to fetch per-repo pubkey for ${mirror.owner}/${mirror.repo} from ${server2.user}@${server2.host}:${server2.port}: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  console.log(`Checking existing deploy keys on ${mirror.owner}/${mirror.repo}`);
+  const existingKeyId = findDeployKey(
+    mirror.owner,
+    mirror.repo,
+    STAMP_MIRROR_DEPLOY_KEY_TITLE
   );
-  if (result.status !== 0) {
-    throw new Error(`list failed (exit ${result.status}).`);
+  let deployKeyId;
+  if (existingKeyId !== null) {
+    const existingBody = fetchDeployKeyPublic(
+      mirror.owner,
+      mirror.repo,
+      existingKeyId
+    );
+    if (existingBody === pubkey) {
+      console.log(
+        `Deploy key: "${STAMP_MIRROR_DEPLOY_KEY_TITLE}" already matches per-repo pubkey (keyId ${existingKeyId}). No change.`
+      );
+      deployKeyId = existingKeyId;
+    } else {
+      console.log(
+        `Deploy key: "${STAMP_MIRROR_DEPLOY_KEY_TITLE}" is registered but doesn't match the per-repo pubkey (keyId ${existingKeyId}). Deleting before re-registering.`
+      );
+      const del = deleteDeployKey(mirror.owner, mirror.repo, existingKeyId);
+      if (del.status === "failed") {
+        throw new Error(`deploy-key cleanup failed: ${del.error}`);
+      }
+      deployKeyId = registerStampMirrorKey(mirror, pubkey);
+    }
+  } else {
+    deployKeyId = registerStampMirrorKey(mirror, pubkey);
   }
-  const entries = filterLiveBareRepoNames(result.stdout);
-  if (entries.length === 0) {
-    console.log("(no live bare repos)");
+  console.log(`Looking up stamp-mirror-only ruleset on ${mirror.owner}/${mirror.repo}`);
+  const rulesetId = findExistingStampRuleset(mirror.owner, mirror.repo);
+  if (rulesetId === null) {
+    console.log(
+      `note: no \`stamp-mirror-only\` Ruleset on ${mirror.owner}/${mirror.repo}. Deploy key is registered; no bypass list to update.`
+    );
+    console.log(
+      `      If this repo is server-gated only (no GitHub-side enforcement), that's expected and you're done.`
+    );
+    console.log(
+      `      If you EXPECTED a Ruleset, it may use a non-canonical name (e.g. think-cli's \`Protect Main\`) \u2014 rename to \`stamp-mirror-only\` in the GitHub UI and re-run, or migrate by hand.`
+    );
+    if (opts.removeOrgadmin) {
+      console.log(
+        `      --remove-orgadmin requested but there's no Ruleset bypass list to modify; ignoring.`
+      );
+    }
+    printMigrateBypassSuccess({
+      mirror,
+      server: server2,
+      opts,
+      rulesetUpdated: false
+    });
     return;
   }
-  for (const e of entries) console.log(e);
-}
-function resolveServer(serverFlag) {
-  const server2 = serverFlag ? parseServerFlag(serverFlag) : loadServerConfig();
-  if (!server2) {
+  console.log(`Reading current bypass_actors on ruleset ${rulesetId}`);
+  const current = getRulesetBypassActors(mirror.owner, mirror.repo, rulesetId);
+  if (current === null) {
     throw new Error(
-      `no stamp server configured. Either:
-  - create ~/.stamp/server.yml with at least:
-      host: <ssh-host>
-      port: <ssh-port>
-  - or pass --server <host>:<port> on the command line.`
+      `could not read bypass_actors on ${mirror.owner}/${mirror.repo} ruleset ${rulesetId}`
     );
   }
-  return server2;
-}
-var UsageError = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "UsageError";
+  const desired = computeDesiredBypassActors(current, deployKeyId, {
+    removeOrgadmin: opts.removeOrgadmin === true
+  });
+  const result = replaceBypassActors(
+    mirror.owner,
+    mirror.repo,
+    rulesetId,
+    desired
+  );
+  if (result.status === "failed") {
+    throw new Error(`ruleset bypass update failed: ${result.error}`);
   }
-};
-function normalizeRepoName(name) {
-  const canonical = name.endsWith(".git") ? name.slice(0, -4) : name;
-  validateRepoName2(canonical);
-  return canonical;
+  if (result.status === "updated") {
+    console.log(
+      `Ruleset bypass: updated to [${desired.map((a) => a.actor_type).join(", ")}].`
+    );
+  } else {
+    console.log(`Ruleset bypass: already up to date. No change.`);
+  }
+  printMigrateBypassSuccess({ mirror, server: server2, opts, rulesetUpdated: true });
 }
-function filterLiveBareRepoNames(rawOutput) {
-  return rawOutput.split("\n").map((s) => s.trim()).filter(Boolean).filter((s) => s.endsWith(".git")).map((s) => s.slice(0, -4)).filter((s) => s.length > 0);
+function registerStampMirrorKey(mirror, pubkey) {
+  const reg = registerDeployKey(
+    mirror.owner,
+    mirror.repo,
+    STAMP_MIRROR_DEPLOY_KEY_TITLE,
+    pubkey
+  );
+  if (reg.status === "failed") {
+    throw new Error(`deploy-key registration failed: ${reg.error}`);
+  }
+  console.log(
+    `Deploy key: registered "${STAMP_MIRROR_DEPLOY_KEY_TITLE}" on ${mirror.owner}/${mirror.repo} (id ${reg.keyId}).`
+  );
+  return reg.keyId;
 }
-function validateRepoName2(name) {
-  if (!/^[A-Za-z0-9_][A-Za-z0-9._-]*$/.test(name) || name.includes("..")) {
-    throw new UsageError(
-      `repo name must start with [A-Za-z0-9_], match [A-Za-z0-9._-]+, and not contain '..' (got "${name}")`
+function printMigrateBypassPlan(args) {
+  const bar = "\u2500".repeat(72);
+  console.log(bar);
+  console.log("stamp provision --migrate-bypass \u2014 plan");
+  console.log(bar);
+  console.log(fmt("mirror", `${args.mirror.owner}/${args.mirror.repo}`));
+  console.log(fmt("stamp server", `${args.server.user}@${args.server.host}:${args.server.port}`));
+  console.log(
+    fmt(
+      "deploy key",
+      `fetch per-repo pubkey from server; register as "${STAMP_MIRROR_DEPLOY_KEY_TITLE}" on the mirror (replacing any prior entry under that title)`
+    )
+  );
+  console.log(
+    fmt(
+      "ruleset",
+      `add DeployKey actor to stamp-mirror-only bypass list` + (args.opts.removeOrgadmin ? `; remove OrganizationAdmin (--remove-orgadmin)` : `; preserve OrganizationAdmin`)
+    )
+  );
+  console.log(bar);
+  if (args.opts.removeOrgadmin) {
+    console.log(
+      `warning: --remove-orgadmin strips the OrganizationAdmin bypass before any push-verification step runs. Verify the DeployKey transport works (one stamp push) before running this.`
     );
   }
 }
-function validateTrashEntryName(entry) {
-  if (!/^[0-9]{8}T[0-9]{6}Z-[A-Za-z0-9_][A-Za-z0-9._-]*\.git$/.test(entry)) {
-    throw new UsageError(
-      `--from must match <YYYYMMDDTHHMMSSZ>-<name>.git (got "${entry}"). Run \`stamp server-repos list --trash\` to see valid entry names.`
+function printMigrateBypassSuccess(args) {
+  const bar = "\u2500".repeat(72);
+  console.log(`
+${bar}`);
+  console.log(
+    args.rulesetUpdated ? `\u2713 bypass migrated` : `\u2713 deploy key registered (no ruleset to migrate)`
+  );
+  console.log(bar);
+  console.log(fmt("mirror", `${args.mirror.owner}/${args.mirror.repo}`));
+  if (args.rulesetUpdated) {
+    console.log(
+      fmt(
+        "bypass actors",
+        args.opts.removeOrgadmin ? `DeployKey (OrganizationAdmin removed)` : `OrganizationAdmin + DeployKey`
+      )
+    );
+  } else {
+    console.log(
+      fmt(
+        "bypass actors",
+        `n/a (no stamp-mirror-only Ruleset on this repo \u2014 server-gated only)`
+      )
     );
   }
-}
-function validateGithubRepoSpec(spec) {
-  if (!/^[A-Za-z0-9_][A-Za-z0-9-]*\/[A-Za-z0-9_][A-Za-z0-9._-]*$/.test(spec)) {
-    throw new UsageError(
-      `--also-github must be <owner>/<repo> with no leading '-' on either segment (got "${spec}")`
+  console.log(bar);
+  if (!args.rulesetUpdated) {
+    console.log(
+      `
+Deploy key is registered; the next stamp push's mirror leg will use it.
+No GitHub Ruleset was found on this repo, so there's no bypass enforcement
+to verify. If you want GitHub-side protection, apply the stamp-mirror-only
+Ruleset separately (see docs/github-ruleset-setup.md).`
+    );
+  } else if (!args.opts.removeOrgadmin) {
+    console.log(
+      `
+Next: do a stamp merge + push to verify the DeployKey transport works,
+then re-run with --remove-orgadmin to drop the OrganizationAdmin fallback.`
+    );
+  } else {
+    console.log(
+      `
+The stamp-mirror-only Ruleset now bypasses ONLY via the per-repo deploy key.
+Direct \`git push origin main\` from any non-stamp source will be rejected.`
     );
   }
 }
-function prompt(question) {
-  const rl = createInterface({ input: process.stdin, output: process.stdout });
-  return new Promise((resolve2) => {
-    rl.question(question, (answer) => {
-      rl.close();
-      resolve2(answer);
-    });
-  });
-}
 
 // src/commands/keys.ts
-import { existsSync as existsSync10, readdirSync as readdirSync2, readFileSync as readFileSync7, writeFileSync as writeFileSync8 } from "fs";
-import { basename, join as join6 } from "path";
+import { existsSync as existsSync12, readdirSync as readdirSync2, readFileSync as readFileSync9, writeFileSync as writeFileSync10 } from "fs";
+import { basename, join as join7 } from "path";
 function keysGenerate() {
   const existing = loadUserKeypair();
   if (existing) {
@@ -4044,7 +4824,7 @@ function keysList() {
     const repoRoot = findRepoRoot();
     const trustedDir = stampTrustedKeysDir(repoRoot);
     console.log(`repo trusted keys: ${trustedDir}/`);
-    if (!existsSync10(trustedDir)) {
+    if (!existsSync12(trustedDir)) {
       console.log("  (directory does not exist \u2014 run `stamp init`)");
       return;
     }
@@ -4055,7 +4835,7 @@ function keysList() {
     }
     for (const file of pubFiles.sort()) {
       try {
-        const pem = readFileSync7(join6(trustedDir, file), "utf8");
+        const pem = readFileSync9(join7(trustedDir, file), "utf8");
         const fp = fingerprintFromPem(pem);
         const marker = local && fp === local.fingerprint ? " (you)" : "";
         console.log(`  ${fp}${marker}  [${file}]`);
@@ -4074,15 +4854,15 @@ function keysExport() {
 function keysTrust(pubFile) {
   const repoRoot = findRepoRoot();
   const trustedDir = stampTrustedKeysDir(repoRoot);
-  if (!existsSync10(trustedDir)) {
+  if (!existsSync12(trustedDir)) {
     throw new Error(
       `no ${trustedDir} \u2014 run \`stamp init\` first to create the trust store`
     );
   }
-  if (!existsSync10(pubFile)) {
+  if (!existsSync12(pubFile)) {
     throw new Error(`public key file not found: ${pubFile}`);
   }
-  const pem = readFileSync7(pubFile, "utf8");
+  const pem = readFileSync9(pubFile, "utf8");
   let fingerprint;
   try {
     fingerprint = fingerprintFromPem(pem);
@@ -4092,12 +4872,12 @@ function keysTrust(pubFile) {
     );
   }
   const filename = publicKeyFingerprintFilename(fingerprint);
-  const dest = join6(trustedDir, filename);
-  if (existsSync10(dest)) {
+  const dest = join7(trustedDir, filename);
+  if (existsSync12(dest)) {
     console.log(`${fingerprint} is already trusted (${basename(dest)})`);
     return;
   }
-  writeFileSync8(dest, pem);
+  writeFileSync10(dest, pem);
   console.log(`trusted ${fingerprint}`);
   console.log(`  \u2192 ${dest}`);
   console.log();
@@ -4105,11 +4885,11 @@ function keysTrust(pubFile) {
 }
 
 // src/commands/log.ts
-import { existsSync as existsSync11 } from "fs";
+import { existsSync as existsSync13 } from "fs";
 function runLog(opts) {
   const repoRoot = findRepoRoot();
   const configPath = stampConfigFile(repoRoot);
-  if (!existsSync11(configPath)) {
+  if (!existsSync13(configPath)) {
     throw new Error(
       `no .stamp/config.yml at ${configPath}. Run \`stamp init\` first.`
     );
@@ -4226,7 +5006,7 @@ function printCommitDetail(sha, repoRoot) {
 }
 function collectReviewProse(repoRoot, payload) {
   const dbPath = stampStateDbPath(repoRoot);
-  if (!existsSync11(dbPath)) return [];
+  if (!existsSync13(dbPath)) return [];
   const db = openDb(dbPath);
   try {
     const rows = latestReviews(db, payload.base_sha, payload.head_sha);
@@ -4240,7 +5020,7 @@ function printReviewHistory(repoRoot, limit, diff) {
   const configPath = stampConfigFile(repoRoot);
   loadConfig(configPath);
   const dbPath = stampStateDbPath(repoRoot);
-  if (!existsSync11(dbPath)) {
+  if (!existsSync13(dbPath)) {
     console.log("No reviews recorded yet.");
     return;
   }
@@ -4281,8 +5061,8 @@ function printReviewHistory(repoRoot, limit, diff) {
 }
 
 // src/commands/prune.ts
-import { existsSync as existsSync12, readdirSync as readdirSync3, statSync as statSync2, unlinkSync as unlinkSync2 } from "fs";
-import { join as join7 } from "path";
+import { existsSync as existsSync14, readdirSync as readdirSync3, statSync as statSync2, unlinkSync as unlinkSync3 } from "fs";
+import { join as join8 } from "path";
 
 // src/lib/duration.ts
 function parseRetentionDuration(input) {
@@ -4311,15 +5091,15 @@ function runPrune(opts) {
   );
   const repoRoot = findRepoRoot();
   const dbPath = stampStateDbPath(repoRoot);
-  const spoolDir = join7(gitCommonDir(repoRoot), "stamp", "failed-parses");
+  const spoolDir = join8(gitCommonDir(repoRoot), "stamp", "failed-parses");
   const spoolCutoffMs = Date.now() - durationMs;
-  if (!existsSync12(dbPath) && !existsSync12(spoolDir)) {
+  if (!existsSync14(dbPath) && !existsSync14(spoolDir)) {
     console.log(
       `note: nothing to prune (neither ${dbPath} nor ${spoolDir} exists \u2014 both are created on first \`stamp review\`)`
     );
     return;
   }
-  const db = existsSync12(dbPath) ? openDb(dbPath) : null;
+  const db = existsSync14(dbPath) ? openDb(dbPath) : null;
   try {
     if (opts.dryRun) {
       let any2 = false;
@@ -4379,10 +5159,10 @@ function runPrune(opts) {
   }
 }
 function peekFailedParseSpools(spoolDir, cutoffMs) {
-  if (!existsSync12(spoolDir)) return [];
+  if (!existsSync14(spoolDir)) return [];
   const out = [];
   for (const entry of readdirSync3(spoolDir)) {
-    const filepath = join7(spoolDir, entry);
+    const filepath = join8(spoolDir, entry);
     let stat;
     try {
       stat = statSync2(filepath);
@@ -4399,7 +5179,7 @@ function pruneFailedParseSpools(spoolDir, cutoffMs) {
   let deleted = 0;
   for (const filepath of targets) {
     try {
-      unlinkSync2(filepath);
+      unlinkSync3(filepath);
       deleted++;
     } catch {
     }
@@ -4415,96 +5195,8 @@ function printPerReviewer(rows) {
   }
 }
 
-// src/commands/server.ts
-import { existsSync as existsSync13, mkdirSync as mkdirSync4, renameSync as renameSync2, unlinkSync as unlinkSync3, writeFileSync as writeFileSync9 } from "fs";
-import { dirname as dirname4 } from "path";
-import { stringify as stringifyYaml2 } from "yaml";
-function formatServerConfigYaml(opts) {
-  const body = {
-    host: opts.host,
-    port: opts.port
-  };
-  if (opts.user && opts.user.trim()) body.user = opts.user.trim();
-  if (opts.repoRootPrefix && opts.repoRootPrefix.trim()) {
-    body.repo_root_prefix = opts.repoRootPrefix.trim();
-  }
-  return stringifyYaml2(body);
-}
-function runServerConfig(opts) {
-  const modes = [opts.hostPort, opts.show, opts.unset].filter(Boolean).length;
-  if (modes !== 1) {
-    throw new UsageError(
-      "stamp server config: provide exactly one of <host:port>, --show, or --unset"
-    );
-  }
-  if ((opts.show || opts.unset) && (opts.user || opts.repoRootPrefix)) {
-    throw new UsageError(
-      "stamp server config: --user and --repo-root-prefix only apply when writing (they conflict with --show / --unset)"
-    );
-  }
-  if (opts.show) return showConfig();
-  if (opts.unset) return unsetConfig();
-  return writeConfig(opts);
-}
-function showConfig() {
-  const path2 = userServerConfigPath();
-  if (!existsSync13(path2)) {
-    console.log(`note: no stamp server configured (${path2} does not exist)`);
-    console.log(`note: run \`stamp server config <host:port>\` to create one`);
-    return;
-  }
-  const cfg = loadServerConfig();
-  if (!cfg) {
-    console.log(`note: no stamp server configured`);
-    return;
-  }
-  console.log(`config:           ${path2}`);
-  console.log(`host:             ${cfg.host}`);
-  console.log(`port:             ${cfg.port}`);
-  console.log(`user:             ${cfg.user}`);
-  console.log(`repo_root_prefix: ${cfg.repoRootPrefix}`);
-}
-function unsetConfig() {
-  const path2 = userServerConfigPath();
-  if (!existsSync13(path2)) {
-    console.log(`note: ${path2} does not exist; nothing to remove`);
-    return;
-  }
-  unlinkSync3(path2);
-  console.log(`removed ${path2}`);
-}
-function writeConfig(opts) {
-  let parsed;
-  try {
-    parsed = parseServerFlag(opts.hostPort, "stamp server config: <host:port>");
-  } catch (err) {
-    throw new UsageError(err instanceof Error ? err.message : String(err));
-  }
-  const yaml = formatServerConfigYaml({
-    host: parsed.host,
-    port: parsed.port,
-    user: opts.user,
-    repoRootPrefix: opts.repoRootPrefix
-  });
-  const path2 = userServerConfigPath();
-  const dir = dirname4(path2);
-  if (!existsSync13(dir)) mkdirSync4(dir, { recursive: true, mode: 448 });
-  const tmp = `${path2}.tmp.${process.pid}`;
-  writeFileSync9(tmp, yaml, { mode: 384 });
-  renameSync2(tmp, path2);
-  console.log(`wrote ${path2}`);
-  console.log(`host:             ${parsed.host}`);
-  console.log(`port:             ${parsed.port}`);
-  if (opts.user && opts.user.trim()) {
-    console.log(`user:             ${opts.user.trim()}`);
-  }
-  if (opts.repoRootPrefix && opts.repoRootPrefix.trim()) {
-    console.log(`repo_root_prefix: ${opts.repoRootPrefix.trim()}`);
-  }
-}
-
 // src/commands/config.ts
-import { existsSync as existsSync14 } from "fs";
+import { existsSync as existsSync15 } from "fs";
 function runConfigReviewersSet(opts) {
   if (!isValidReviewerName(opts.reviewer)) {
     throw new UsageError(
@@ -4577,7 +5269,7 @@ function runConfigReviewersClear(opts) {
 }
 function runConfigReviewersShow() {
   const path2 = userConfigPath();
-  if (!existsSync14(path2)) {
+  if (!existsSync15(path2)) {
     console.log(`note: no per-user stamp config (${path2} does not exist).`);
     console.log(
       `      Defaults will apply on next \`stamp init\` or \`stamp review\`:`
@@ -4622,30 +5314,30 @@ function loadOrEmpty() {
 }
 
 // src/commands/reviewers.ts
-import { spawnSync as spawnSync6 } from "child_process";
+import { spawnSync as spawnSync7 } from "child_process";
 import {
-  existsSync as existsSync16,
-  readFileSync as readFileSync9,
+  existsSync as existsSync17,
+  readFileSync as readFileSync11,
   statSync as statSync3,
   unlinkSync as unlinkSync4,
-  writeFileSync as writeFileSync11
+  writeFileSync as writeFileSync12
 } from "fs";
-import { join as join9, relative, resolve } from "path";
-import { parse as parseYaml5, stringify as stringifyYaml3 } from "yaml";
+import { join as join10, relative, resolve } from "path";
+import { parse as parseYaml6, stringify as stringifyYaml3 } from "yaml";
 
 // src/lib/reviewerLock.ts
-import { existsSync as existsSync15, readFileSync as readFileSync8, writeFileSync as writeFileSync10 } from "fs";
-import { join as join8 } from "path";
+import { existsSync as existsSync16, readFileSync as readFileSync10, writeFileSync as writeFileSync11 } from "fs";
+import { join as join9 } from "path";
 var LOCK_FILE_VERSION = 1;
 var LOCK_DRIFT_EXIT = 3;
 function lockFilePath(repoRoot, reviewerName) {
-  return join8(repoRoot, ".stamp", "reviewers", `${reviewerName}.lock.json`);
+  return join9(repoRoot, ".stamp", "reviewers", `${reviewerName}.lock.json`);
 }
 function readLockFile(repoRoot, reviewerName) {
   const path2 = lockFilePath(repoRoot, reviewerName);
-  if (!existsSync15(path2)) return null;
+  if (!existsSync16(path2)) return null;
   try {
-    const raw = readFileSync8(path2, "utf8");
+    const raw = readFileSync10(path2, "utf8");
     const parsed = JSON.parse(raw);
     if (typeof parsed.version !== "number" || typeof parsed.source !== "string" || typeof parsed.ref !== "string" || typeof parsed.reviewer !== "string" || typeof parsed.prompt_sha256 !== "string" || typeof parsed.tools_sha256 !== "string" || typeof parsed.mcp_sha256 !== "string") {
       throw new Error(`malformed lock file at ${path2}`);
@@ -4659,20 +5351,20 @@ function readLockFile(repoRoot, reviewerName) {
 }
 function writeLockFile(repoRoot, reviewerName, lock) {
   const path2 = lockFilePath(repoRoot, reviewerName);
-  writeFileSync10(path2, JSON.stringify(lock, null, 2) + "\n", "utf8");
+  writeFileSync11(path2, JSON.stringify(lock, null, 2) + "\n", "utf8");
 }
 function checkReviewerDrift(repoRoot, reviewerName, def) {
   const lock = readLockFile(repoRoot, reviewerName);
   if (!lock) {
     return unpinnedResult();
   }
-  const promptPath = join8(repoRoot, def.prompt);
-  if (!existsSync15(promptPath)) {
+  const promptPath = join9(repoRoot, def.prompt);
+  if (!existsSync16(promptPath)) {
     throw new Error(
       `reviewer "${reviewerName}" has a lock file but its prompt "${def.prompt}" does not exist on disk. Re-run 'stamp reviewers fetch ${reviewerName} --from ${lock.source}@${lock.ref}' to restore it, or delete the lock file to un-pin the reviewer.`
     );
   }
-  const promptBytes = readFileSync8(promptPath);
+  const promptBytes = readFileSync10(promptPath);
   const observedPrompt = hashPromptBytes(promptBytes);
   const observedTools = hashTools(def.tools);
   const observedMcp = hashMcpServers(def.mcp_servers);
@@ -4753,7 +5445,7 @@ function reviewersList() {
     const def = config2.reviewers[name];
     const abs = resolve(repoRoot, def.prompt);
     let annotation = "";
-    if (!existsSync16(abs)) {
+    if (!existsSync17(abs)) {
       annotation = "  MISSING";
     } else {
       const size = statSync3(abs).size;
@@ -4792,19 +5484,19 @@ function reviewersAdd(name, opts = {}) {
   }
   const promptRel = `.stamp/reviewers/${name}.md`;
   const promptAbs = resolve(repoRoot, promptRel);
-  if (existsSync16(promptAbs)) {
+  if (existsSync17(promptAbs)) {
     throw new Error(
       `${promptRel} already exists on disk but is not in config. Either delete the file or add it to config manually.`
     );
   }
-  writeFileSync11(
+  writeFileSync12(
     promptAbs,
     `# ${name}
 
 ${EXAMPLE_REVIEWER_PROMPT.split("\n").slice(2).join("\n")}`
   );
   config2.reviewers[name] = { prompt: promptRel };
-  writeFileSync11(configPath, stringifyConfig(config2));
+  writeFileSync12(configPath, stringifyConfig(config2));
   console.log(`reviewer "${name}" added.`);
   console.log(`  prompt file: ${promptRel}`);
   console.log(`  registered in .stamp/config.yml`);
@@ -4839,11 +5531,11 @@ function reviewersRemove(name, opts = {}) {
     );
   }
   delete config2.reviewers[name];
-  writeFileSync11(configPath, stringifyConfig(config2));
+  writeFileSync12(configPath, stringifyConfig(config2));
   console.log(`reviewer "${name}" removed from .stamp/config.yml`);
   if (opts.deleteFile) {
     const promptAbs = resolve(repoRoot, def.prompt);
-    if (existsSync16(promptAbs)) {
+    if (existsSync17(promptAbs)) {
       unlinkSync4(promptAbs);
       console.log(`deleted ${def.prompt}`);
     }
@@ -4874,8 +5566,8 @@ async function reviewersTest(name, diff) {
   console.log(`  prompt sourced from working tree (test/iteration use case)`);
   console.log();
   const def = config2.reviewers[name];
-  const promptPath = join9(repoRoot, def.prompt);
-  const systemPrompt = readFileSync9(promptPath, "utf8");
+  const promptPath = join10(repoRoot, def.prompt);
+  const systemPrompt = readFileSync11(promptPath, "utf8");
   const result = await invokeReviewer({
     reviewer: name,
     config: config2,
@@ -4902,7 +5594,7 @@ function reviewersShow(name, opts) {
     );
   }
   const dbPath = stampStateDbPath(repoRoot);
-  if (!existsSync16(dbPath)) {
+  if (!existsSync17(dbPath)) {
     console.log("No reviews recorded yet (no state.db).");
     return;
   }
@@ -4992,7 +5684,7 @@ async function reviewersFetch(reviewerName, opts) {
     opts.expectMcpSha
   );
   const reviewersDir = stampReviewersDir(repoRoot);
-  if (!existsSync16(reviewersDir)) {
+  if (!existsSync17(reviewersDir)) {
     throw new Error(
       `${reviewersDir} does not exist \u2014 run \`stamp init\` first.`
     );
@@ -5005,7 +5697,7 @@ async function reviewersFetch(reviewerName, opts) {
   let tools;
   let mcpServers;
   if (configYaml !== null) {
-    const parsed = parseYaml5(configYaml) ?? {};
+    const parsed = parseYaml6(configYaml) ?? {};
     if (Array.isArray(parsed.tools)) {
       tools = parseToolsLoose(parsed.tools);
     }
@@ -5013,7 +5705,7 @@ async function reviewersFetch(reviewerName, opts) {
       mcpServers = validateMcpServersFromSource(parsed.mcp_servers, source, ref);
     }
   }
-  const promptPath = join9(reviewersDir, `${reviewerName}.md`);
+  const promptPath = join10(reviewersDir, `${reviewerName}.md`);
   const promptBytes = Buffer.from(promptText, "utf8");
   const promptSha = hashPromptBytes(promptBytes);
   const toolsSha = hashTools(tools);
@@ -5037,7 +5729,7 @@ async function reviewersFetch(reviewerName, opts) {
       mcpSha
     );
   }
-  writeFileSync11(promptPath, promptBytes);
+  writeFileSync12(promptPath, promptBytes);
   const lock = {
     version: LOCK_FILE_VERSION,
     source,
@@ -5266,7 +5958,7 @@ function buildConfigYamlHint(reviewerName, tools, mcpServers) {
 }
 function launchEditor(path2) {
   const editor = process.env["EDITOR"] ?? process.env["VISUAL"] ?? (process.platform === "win32" ? "notepad" : "vi");
-  const result = spawnSync6(editor, [path2], { stdio: "inherit" });
+  const result = spawnSync7(editor, [path2], { stdio: "inherit" });
   if (result.error) {
     throw new Error(
       `failed to launch editor "${editor}": ${result.error.message}`
@@ -5278,11 +5970,11 @@ function launchEditor(path2) {
 }
 
 // src/commands/status.ts
-import { existsSync as existsSync17 } from "fs";
+import { existsSync as existsSync18 } from "fs";
 function runStatus(opts) {
   const repoRoot = findRepoRoot();
   const configPath = stampConfigFile(repoRoot);
-  if (!existsSync17(configPath)) {
+  if (!existsSync18(configPath)) {
     throw new Error(
       `no .stamp/config.yml at ${configPath}. Run \`stamp init\` first.`
     );
@@ -5350,17 +6042,17 @@ function printGate(result, base_sha, head_sha) {
 }
 
 // src/commands/update.ts
-import { spawnSync as spawnSync7 } from "child_process";
+import { spawnSync as spawnSync8 } from "child_process";
 
 // src/lib/version.ts
-import { readFileSync as readFileSync10 } from "fs";
-import { dirname as dirname5, join as join10 } from "path";
+import { readFileSync as readFileSync12 } from "fs";
+import { dirname as dirname5, join as join11 } from "path";
 import { fileURLToPath } from "url";
 function readPackageVersion() {
   const here = dirname5(fileURLToPath(import.meta.url));
   for (let dir = here, i = 0; i < 6; i++) {
     try {
-      const raw = readFileSync10(join10(dir, "package.json"), "utf8");
+      const raw = readFileSync12(join11(dir, "package.json"), "utf8");
       const pkg = JSON.parse(raw);
       if (pkg.name === "@openthink/stamp" && pkg.version) return pkg.version;
     } catch {
@@ -5391,7 +6083,7 @@ function runUpdate() {
 `);
   process.stdout.write(`checking npm registry for latest...
 `);
-  const viewResult = spawnSync7("npm", ["view", PKG_NAME, "version"], {
+  const viewResult = spawnSync8("npm", ["view", PKG_NAME, "version"], {
     encoding: "utf8"
   });
   if (viewResult.error || viewResult.status !== 0) {
@@ -5425,7 +6117,7 @@ function runUpdate() {
   }
   process.stdout.write(`installing ${PKG_NAME}@${latest}...
 `);
-  const installResult = spawnSync7(
+  const installResult = spawnSync8(
     "npm",
     ["install", "-g", `${PKG_NAME}@${latest}`],
     { stdio: "inherit" }
@@ -5446,9 +6138,9 @@ through that tool instead \u2014 this command only uses 'npm install -g'.`
 }
 
 // src/commands/verify.ts
-import { execFileSync as execFileSync2, spawnSync as spawnSync8 } from "child_process";
+import { execFileSync as execFileSync2, spawnSync as spawnSync9 } from "child_process";
 function loadConfigAtSha(sha, repoRoot) {
-  const result = spawnSync8(
+  const result = spawnSync9(
     "git",
     ["show", `${sha}:.stamp/config.yml`],
     { cwd: repoRoot, encoding: "utf8", maxBuffer: 16 * 1024 * 1024 }
@@ -5694,6 +6386,9 @@ program.command("init").description(
   "--remote <name>",
   "remote name to inspect for deployment-shape detection (default: origin)",
   "origin"
+).option(
+  "--no-oteam",
+  "bypass the oteam-detection prompt that offers to fill stamp.host in ~/.open-team/config.json"
 ).action(
   (opts) => {
     try {
@@ -5714,7 +6409,8 @@ program.command("init").description(
         bootstrapCommit: opts.bootstrapCommit,
         ghProtect: opts.ghProtect,
         mode,
-        remote: opts.remote
+        remote: opts.remote,
+        oteam: opts.oteam
       });
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
@@ -5757,8 +6453,8 @@ program.command("bootstrap").description(
     }
   }
 );
-program.command("provision <name>").description(
-  "single-command server-gated repo setup: provision a bare repo on the stamp server (~/.stamp/server.yml or --server), clone it, run bootstrap, optionally create a GitHub mirror + apply the Ruleset"
+program.command("provision [name]").description(
+  "single-command server-gated repo setup: provision a bare repo on the stamp server (~/.stamp/server.yml or --server), clone it, run bootstrap, optionally create a GitHub mirror + apply the Ruleset. With --migrate-bypass, migrate an existing server-gated repo's Ruleset bypass from OrganizationAdmin to a per-repo DeployKey actor (cwd's .stamp/mirror.yml identifies the target; <name> is ignored)."
 ).option(
   "--server <host:port>",
   "override ~/.stamp/server.yml with an inline endpoint"
@@ -5774,11 +6470,22 @@ program.command("provision <name>").description(
 ).option("--no-mirror", "skip GitHub mirror creation + .stamp/mirror.yml").option("--no-ruleset", "skip applying the GitHub Ruleset on the mirror").option("--dry-run", "print the plan without making changes").option(
   "--migrate-existing",
   "brownfield: migrate the existing repo at cwd (with .stamp/ committed and origin \u2192 github) to server-gated; preserves history, renames origin \u2192 github, points new origin at the stamp server"
+).option(
+  "--migrate-bypass",
+  "migrate an existing server-gated repo's stamp-mirror-only Ruleset bypass actor from OrganizationAdmin to a per-repo DeployKey. Identifies the target via cwd's .stamp/mirror.yml. Additive by default (DeployKey added alongside existing actors); pair with --remove-orgadmin to also strip OrganizationAdmin from the bypass list"
+).option(
+  "--remove-orgadmin",
+  "under --migrate-bypass, also remove OrganizationAdmin from the ruleset's bypass list. Verify the DeployKey transport works (one stamp push) before running this \u2014 there is no automated push-verification step"
 ).action(
   async (name, opts) => {
     try {
       await runProvision({
-        name,
+        // ProvisionOptions.name is typed `string` so the rest of the
+        // downstream readers don't have to narrow. Empty placeholder
+        // for --migrate-bypass (which doesn't read it); the validation
+        // block in runProvision requires a non-empty name in all other
+        // modes.
+        name: name ?? "",
         server: opts.server,
         org: opts.org,
         into: opts.into,
@@ -5786,7 +6493,9 @@ program.command("provision <name>").description(
         noMirror: !opts.mirror,
         noRuleset: !opts.ruleset,
         dryRun: opts.dryRun,
-        migrateExisting: opts.migrateExisting
+        migrateExisting: opts.migrateExisting,
+        migrateBypass: opts.migrateBypass,
+        removeOrgadmin: opts.removeOrgadmin
       });
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
@@ -5821,6 +6530,21 @@ server.command("config [host:port]").description(
     }
   }
 );
+server.command("pubkey").description(
+  "print a stamp-server-managed GitHub mirror-push deploy-key public half \u2014 single OpenSSH line, pipe-able into `gh api -X POST /repos/:o/:r/keys --field key=@-` to register as a deploy key. Without --repo, returns the legacy shared key (back-compat). With --repo <owner/repo>, returns a per-repo key that the server lazily generates on first request \u2014 preferred for new migrations because GitHub rejects re-registering the same key on a second repo."
+).option(
+  "--server <host:port>",
+  "override ~/.stamp/server.yml for this call"
+).option(
+  "--repo <owner>/<repo>",
+  "fetch the per-repo deploy key for this GitHub mirror (lazy-generated server-side on first request)"
+).action((opts) => {
+  try {
+    runServerPubkey({ server: opts.server, repo: opts.repo });
+  } catch (err) {
+    handleCliError(err);
+  }
+});
 var config = program.command("config").description(
   "manage per-user stamp config at ~/.stamp/config.yml \u2014 operator-level knobs that shouldn't be committed. Per-repo policy lives in `.stamp/config.yml`."
 );