npm - @openthink/stamp - Versions diffs - 1.2.0 → 1.3.1 - Mend

@openthink/stamp 1.2.0 → 1.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/README.md +27 -0
package/dist/hooks/post-receive.cjs +91 -9
package/dist/hooks/post-receive.cjs.map +1 -1
package/dist/index.js +1166 -442
package/dist/index.js.map +1 -1
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -56,10 +56,13 @@ import { dirname as dirname3, join as join3 } from "path";
 // src/lib/agentsMd.ts
 import { existsSync, readFileSync, writeFileSync } from "fs";
 import { join } from "path";
-var STAMP_BEGIN = "<!-- stamp:begin (managed by stamp-cli \u2014 do not edit between markers) -->";
+var STAMP_BEGIN = "<!-- stamp:begin (managed by `stamp init` \u2014 do not edit between markers) -->";
 var STAMP_END = "<!-- stamp:end -->";
-var STAMP_CLAUDE_BEGIN = "<!-- stamp:claude:begin (managed by stamp-cli \u2014 do not edit between markers) -->";
-var STAMP_CLAUDE_END = "<!-- stamp:claude:end -->";
+var STAMP_BEGIN_LEGACY = "<!-- stamp:begin (managed by stamp-cli \u2014 do not edit between markers) -->";
+var STAMP_CLAUDE_BEGIN_LEGACY = "<!-- stamp:claude:begin (managed by stamp-cli \u2014 do not edit between markers) -->";
+var STAMP_CLAUDE_END_LEGACY = "<!-- stamp:claude:end -->";
+var STAMP_BEGIN_PREFIX = "<!-- stamp:begin ";
+var STAMP_CLAUDE_BEGIN_PREFIX = "<!-- stamp:claude:begin ";
 var REVIEW_LOOP_HEURISTIC = `### Knowing when to stop the review loop (diminishing returns)
 Each \`stamp review\` run is non-trivial \u2014 reviewer LLM calls, your context, and amend
@@ -248,6 +251,20 @@ attestation, so the audit trail is preserved even without server-side rejection.
 ${REVIEW_LOOP_HEURISTIC}
 `;
+function findManagedBlock(text, openPrefix, closeMarker) {
+  let searchStart = 0;
+  while (searchStart < text.length) {
+    const candidateIdx = text.indexOf(openPrefix, searchStart);
+    if (candidateIdx === -1) return null;
+    if (candidateIdx === 0 || text[candidateIdx - 1] === "\n") {
+      const closeStart = text.indexOf(closeMarker, candidateIdx);
+      if (closeStart === -1) return null;
+      return { beginIdx: candidateIdx, afterEnd: closeStart + closeMarker.length };
+    }
+    searchStart = candidateIdx + 1;
+  }
+  return null;
+}
 function injectStampSection(existing, mode = "server-gated") {
   const body = mode === "server-gated" ? STAMP_AGENTS_SECTION_SERVER_GATED : STAMP_AGENTS_SECTION_LOCAL_ONLY;
   const stampBlock = `${STAMP_BEGIN}
@@ -263,12 +280,10 @@ Guidance for AI agents working in this repository.
 ${stampBlock}
 `;
   }
-  const beginIdx = existing.indexOf(STAMP_BEGIN);
-  const endIdx = existing.indexOf(STAMP_END);
-  if (beginIdx !== -1 && endIdx !== -1 && endIdx > beginIdx) {
-    const before = existing.slice(0, beginIdx);
-    const afterStart = endIdx + STAMP_END.length;
-    const after = existing.slice(afterStart);
+  const found = findManagedBlock(existing, STAMP_BEGIN_PREFIX, STAMP_END);
+  if (found) {
+    const before = existing.slice(0, found.beginIdx);
+    const after = existing.slice(found.afterEnd);
     return `${before}${stampBlock}${after}`;
   }
   return `${existing.trimEnd()}
@@ -285,7 +300,7 @@ function ensureAgentsMd(repoRoot, mode = "server-gated") {
   const existing = readFileSync(path2, "utf8");
   const updated = injectStampSection(existing, mode);
   if (updated === existing) return "unchanged";
-  const action = existing.includes(STAMP_BEGIN) ? "replaced" : "appended";
+  const action = existing.includes(STAMP_BEGIN) || existing.includes(STAMP_BEGIN_LEGACY) ? "replaced" : "appended";
   writeFileSync(path2, updated);
   return action;
 }
@@ -306,6 +321,8 @@ stamp merge feature --into main         # signs the merge
 git push origin main                    # OR \`stamp push main\` if origin is a stamp server
 \`\`\`
+Key commands: \`stamp provision\` \u2014 provision a new repo; \`stamp review\` \u2014 run reviewers; \`stamp merge\` \u2014 sign a merge; \`stamp push\` \u2014 push to a stamp server.
 **The full reference is at [\`AGENTS.md\`](./AGENTS.md) at the repo root** \u2014
 read it before any git command. It covers the mode (server-gated vs.
 local-only), what NOT to do, where things live, and how to recover when stamp
@@ -316,11 +333,11 @@ blocks you.
 (there's nothing to review against). Recent \`stamp init\` runs do this commit
 automatically. Every subsequent change goes through the stamp flow.`;
 function injectClaudeSection(existing) {
-  const stampBlock = `${STAMP_CLAUDE_BEGIN}
+  const stampBlock = `${STAMP_BEGIN}
 ${STAMP_CLAUDE_SECTION.trimEnd()}
-${STAMP_CLAUDE_END}`;
+${STAMP_END}`;
   if (existing === void 0 || existing.trim() === "") {
     return `# CLAUDE.md
@@ -329,12 +346,10 @@ Project-specific instructions for Claude Code (auto-loaded into the model's cont
 ${stampBlock}
 `;
   }
-  const beginIdx = existing.indexOf(STAMP_CLAUDE_BEGIN);
-  const endIdx = existing.indexOf(STAMP_CLAUDE_END);
-  if (beginIdx !== -1 && endIdx !== -1 && endIdx > beginIdx) {
-    const before = existing.slice(0, beginIdx);
-    const afterStart = endIdx + STAMP_CLAUDE_END.length;
-    const after = existing.slice(afterStart);
+  const found = findManagedBlock(existing, STAMP_BEGIN_PREFIX, STAMP_END) ?? findManagedBlock(existing, STAMP_CLAUDE_BEGIN_PREFIX, STAMP_CLAUDE_END_LEGACY);
+  if (found) {
+    const before = existing.slice(0, found.beginIdx);
+    const after = existing.slice(found.afterEnd);
     return `${before}${stampBlock}${after}`;
   }
   return `${existing.trimEnd()}
@@ -351,7 +366,7 @@ function ensureClaudeMd(repoRoot) {
   const existing = readFileSync(path2, "utf8");
   const updated = injectClaudeSection(existing);
   if (updated === existing) return "unchanged";
-  const action = existing.includes(STAMP_CLAUDE_BEGIN) ? "replaced" : "appended";
+  const action = existing.includes(STAMP_BEGIN) || existing.includes(STAMP_BEGIN_LEGACY) || existing.includes(STAMP_CLAUDE_BEGIN_LEGACY) ? "replaced" : "appended";
   writeFileSync(path2, updated);
   return action;
 }
@@ -2832,11 +2847,12 @@ function branchExists(name, cwd) {
 }
 // src/commands/init.ts
-import { existsSync as existsSync7, writeFileSync as writeFileSync6 } from "fs";
-import { join as join4 } from "path";
+import { existsSync as existsSync9, writeFileSync as writeFileSync7 } from "fs";
+import { join as join5 } from "path";
 // src/lib/ghRuleset.ts
 import { spawnSync as spawnSync3 } from "child_process";
+var STAMP_MIRROR_DEPLOY_KEY_TITLE = "stamp-mirror";
 function checkGhAvailable() {
   const v = spawnSync3("gh", ["--version"], {
     stdio: ["ignore", "pipe", "pipe"],
@@ -2980,6 +2996,330 @@ function applyStampRuleset(owner, repo, actor) {
     return { status: "created" };
   }
 }
+function findDeployKey(owner, repo, title) {
+  const r = spawnSync3(
+    "gh",
+    [
+      "api",
+      `/repos/${owner}/${repo}/keys`,
+      "--jq",
+      // JSON.stringify produces a valid jq string literal (double-quoted,
+      // with backslash/quote escapes), so a title containing quotes or
+      // backslashes can't break the jq filter or smuggle a different
+      // selector.
+      `[.[] | select(.title == ${JSON.stringify(title)})][0].id // empty`
+    ],
+    { stdio: ["ignore", "pipe", "pipe"], encoding: "utf8" }
+  );
+  if (r.status !== 0) return null;
+  const trimmed = r.stdout.trim();
+  if (!trimmed) return null;
+  const id = Number(trimmed);
+  return Number.isFinite(id) ? id : null;
+}
+function registerDeployKey(owner, repo, title, publicKey) {
+  const ctx = `${owner}/${repo} (deploy key "${title}")`;
+  const existing = findDeployKey(owner, repo, title);
+  if (existing !== null) {
+    return { status: "exists", keyId: existing };
+  }
+  const body = { title, key: publicKey, read_only: false };
+  const r = spawnSync3(
+    "gh",
+    [
+      "api",
+      "-X",
+      "POST",
+      `/repos/${owner}/${repo}/keys`,
+      "--input",
+      "-"
+    ],
+    {
+      input: JSON.stringify(body),
+      stdio: ["pipe", "pipe", "pipe"],
+      encoding: "utf8"
+    }
+  );
+  if (r.status !== 0) {
+    const stderr = (r.stderr ?? "").trim();
+    const stdout = (r.stdout ?? "").trim();
+    const detail = stderr || stdout || `gh api exited ${r.status}`;
+    return {
+      status: "failed",
+      error: `${ctx}: ${detail}`
+    };
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(r.stdout);
+  } catch (err) {
+    return {
+      status: "failed",
+      error: `${ctx}: registered, but couldn't parse keyId from gh response (${err instanceof Error ? err.message : String(err)}). A keyId is required to wire the key into a Ruleset bypass actor; inspect with \`gh api /repos/${owner}/${repo}/keys\`.`
+    };
+  }
+  const keyId = typeof parsed.id === "number" ? parsed.id : NaN;
+  if (!Number.isFinite(keyId)) {
+    return {
+      status: "failed",
+      error: `${ctx}: registered, but gh response did not include a numeric keyId. A keyId is required to wire the key into a Ruleset bypass actor; inspect with \`gh api /repos/${owner}/${repo}/keys\`.`
+    };
+  }
+  return { status: "created", keyId };
+}
+function fetchDeployKeyPublic(owner, repo, keyId) {
+  const r = spawnSync3(
+    "gh",
+    ["api", `/repos/${owner}/${repo}/keys/${keyId}`, "--jq", ".key"],
+    { stdio: ["ignore", "pipe", "pipe"], encoding: "utf8" }
+  );
+  if (r.status !== 0) return null;
+  const trimmed = r.stdout.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function deleteDeployKey(owner, repo, keyId) {
+  const r = spawnSync3(
+    "gh",
+    ["api", "-X", "DELETE", `/repos/${owner}/${repo}/keys/${keyId}`],
+    { stdio: ["ignore", "pipe", "pipe"], encoding: "utf8" }
+  );
+  if (r.status === 0) return { status: "deleted" };
+  const stderr = (r.stderr ?? "").trim();
+  if (stderr.includes("HTTP 404") || /Not Found/i.test(stderr)) {
+    return { status: "deleted" };
+  }
+  return {
+    status: "failed",
+    error: `${owner}/${repo} keyId=${keyId}: ${stderr || `gh api exited ${r.status}`}`
+  };
+}
+function getRulesetBypassActors(owner, repo, rulesetId) {
+  const r = spawnSync3(
+    "gh",
+    [
+      "api",
+      `/repos/${owner}/${repo}/rulesets/${rulesetId}`,
+      "--jq",
+      ".bypass_actors"
+    ],
+    { stdio: ["ignore", "pipe", "pipe"], encoding: "utf8" }
+  );
+  if (r.status !== 0) return null;
+  try {
+    const parsed = JSON.parse(r.stdout);
+    if (!Array.isArray(parsed)) return null;
+    return parsed.filter((e) => {
+      if (typeof e !== "object" || e === null) return false;
+      const o = e;
+      return (typeof o["actor_id"] === "number" || o["actor_id"] === null) && typeof o["actor_type"] === "string" && typeof o["bypass_mode"] === "string";
+    });
+  } catch {
+    return null;
+  }
+}
+function replaceBypassActors(owner, repo, rulesetId, desiredActors) {
+  const current = getRulesetBypassActors(owner, repo, rulesetId);
+  if (current === null) {
+    return {
+      status: "failed",
+      error: `${owner}/${repo} ruleset ${rulesetId}: could not read current bypass_actors`
+    };
+  }
+  if (bypassActorListsEqual(current, desiredActors)) {
+    return { status: "unchanged" };
+  }
+  const body = { bypass_actors: desiredActors };
+  const r = spawnSync3(
+    "gh",
+    [
+      "api",
+      "-X",
+      "PUT",
+      `/repos/${owner}/${repo}/rulesets/${rulesetId}`,
+      "--input",
+      "-"
+    ],
+    {
+      input: JSON.stringify(body),
+      stdio: ["pipe", "pipe", "pipe"],
+      encoding: "utf8"
+    }
+  );
+  if (r.status !== 0) {
+    const stderr = (r.stderr ?? "").trim();
+    const stdout = (r.stdout ?? "").trim();
+    return {
+      status: "failed",
+      error: `${owner}/${repo} ruleset ${rulesetId}: ${stderr || stdout || `gh api exited ${r.status}`}`
+    };
+  }
+  return { status: "updated" };
+}
+function bypassActorListsEqual(a, b) {
+  if (a.length !== b.length) return false;
+  const aSet = new Set(a.map(normalizeBypassActor));
+  return b.every((e) => aSet.has(normalizeBypassActor(e)));
+}
+function normalizeBypassActor(e) {
+  const id = e.actor_type === "OrganizationAdmin" && (e.actor_id === null || e.actor_id === 1) ? "ORGADMIN" : String(e.actor_id);
+  return `${e.actor_type}:${id}:${e.bypass_mode}`;
+}
+function computeDesiredBypassActors(current, deployKeyId, flags) {
+  const out = [];
+  for (const a of current) {
+    if (a.actor_type === "OrganizationAdmin" && flags.removeOrgadmin) {
+      continue;
+    }
+    if (a.actor_type === "DeployKey") {
+      continue;
+    }
+    out.push(a);
+  }
+  out.push({
+    actor_id: deployKeyId,
+    actor_type: "DeployKey",
+    bypass_mode: "always"
+  });
+  return out;
+}
+// src/lib/oteamConfig.ts
+import { existsSync as existsSync7, readFileSync as readFileSync6, renameSync as renameSync2, writeFileSync as writeFileSync6 } from "fs";
+import { homedir } from "os";
+import { join as join4 } from "path";
+var OTEAM_CONFIG_PATH = join4(homedir(), ".open-team", "config.json");
+function readOteamConfig(configPath = OTEAM_CONFIG_PATH) {
+  if (!existsSync7(configPath)) return null;
+  try {
+    const parsed = JSON.parse(readFileSync6(configPath, "utf8"));
+    if (Array.isArray(parsed)) {
+      throw new Error("config must be a JSON object, not an array");
+    }
+    return parsed;
+  } catch (err) {
+    throw new Error(
+      `${configPath}: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
+function patchStampHost(host, configPath = OTEAM_CONFIG_PATH) {
+  let config2 = {};
+  if (existsSync7(configPath)) {
+    try {
+      const parsed = JSON.parse(readFileSync6(configPath, "utf8"));
+      if (typeof parsed === "object" && parsed !== null && !Array.isArray(parsed)) {
+        config2 = parsed;
+      }
+    } catch (err) {
+      throw new Error(
+        `${configPath}: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  const existing = config2.stamp;
+  const stamp = typeof existing === "object" && existing !== null ? { ...existing } : {};
+  stamp["host"] = host;
+  config2["stamp"] = stamp;
+  const tmp = `${configPath}.tmp`;
+  try {
+    writeFileSync6(tmp, JSON.stringify(config2, null, 2) + "\n", "utf8");
+    renameSync2(tmp, configPath);
+  } catch (err) {
+    throw new Error(
+      `${configPath}: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+}
+// src/lib/serverConfig.ts
+import { existsSync as existsSync8, readFileSync as readFileSync7 } from "fs";
+import { parse as parseYaml4 } from "yaml";
+var DEFAULT_USER = "git";
+var DEFAULT_REPO_ROOT = "/srv/git";
+var USER_RE = /^[A-Za-z0-9_][A-Za-z0-9._-]*$/;
+var HOST_RE = /^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/;
+var REPO_ROOT_RE = /^(\/[A-Za-z0-9_-][A-Za-z0-9._-]*)+\/?$/;
+function describeShape2(field) {
+  switch (field) {
+    case "user":
+      return "alphanumerics + . _ -, must not start with -";
+    case "host":
+      return "hostname-shaped (alphanumerics + . -, must start and end with alphanumeric)";
+    case "repo_root_prefix":
+      return "absolute path with alphanumeric/. _ - segments, no .. components";
+  }
+}
+function validateField(field, value, contextPath) {
+  const re = field === "user" ? USER_RE : field === "host" ? HOST_RE : REPO_ROOT_RE;
+  if (!re.test(value)) {
+    throw new Error(
+      `${contextPath}: '${field}' has an invalid shape (got ${JSON.stringify(value)}). Allowed: ${describeShape2(field)}.`
+    );
+  }
+}
+function loadServerConfig() {
+  const path2 = userServerConfigPath();
+  if (!existsSync8(path2)) return null;
+  let raw;
+  try {
+    raw = readFileSync7(path2, "utf8");
+  } catch (err) {
+    throw new Error(
+      `failed to read ${path2}: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  return parseServerConfig(raw, path2);
+}
+function parseServerConfig(raw, contextPath = "<inline>") {
+  const parsed = parseYaml4(raw);
+  if (!parsed || typeof parsed !== "object") {
+    throw new Error(`${contextPath}: must be a YAML mapping with at least 'host' and 'port'`);
+  }
+  const obj = parsed;
+  if (typeof obj.host !== "string" || !obj.host.trim()) {
+    throw new Error(`${contextPath}: 'host' is required and must be a non-empty string`);
+  }
+  if (typeof obj.port !== "number" || !Number.isInteger(obj.port) || obj.port < 1 || obj.port > 65535) {
+    throw new Error(`${contextPath}: 'port' is required and must be an integer 1..65535`);
+  }
+  const host = obj.host.trim();
+  validateField("host", host, contextPath);
+  const user = typeof obj.user === "string" && obj.user.trim() ? obj.user.trim() : DEFAULT_USER;
+  validateField("user", user, contextPath);
+  const repoRootPrefix = typeof obj.repo_root_prefix === "string" && obj.repo_root_prefix.trim() ? obj.repo_root_prefix.trim() : DEFAULT_REPO_ROOT;
+  validateField("repo_root_prefix", repoRootPrefix, contextPath);
+  return {
+    host,
+    port: obj.port,
+    user,
+    repoRootPrefix
+  };
+}
+function parseServerFlag(value, context = "--server") {
+  const m = value.trim().match(/^([^:]+):(\d+)$/);
+  if (!m) {
+    throw new Error(
+      `${context} must be in the form <host>:<port> (got "${value}")`
+    );
+  }
+  const port = Number(m[2]);
+  if (!Number.isInteger(port) || port < 1 || port > 65535) {
+    throw new Error(
+      `${context}: port must be an integer 1..65535 (got "${m[2]}")`
+    );
+  }
+  const host = m[1];
+  validateField("host", host, context);
+  return {
+    host,
+    port,
+    user: DEFAULT_USER,
+    repoRootPrefix: DEFAULT_REPO_ROOT
+  };
+}
+function bareRepoSshUrl(cfg, repoName) {
+  return `ssh://${cfg.user}@${cfg.host}:${cfg.port}${cfg.repoRootPrefix}/${repoName}.git`;
+}
 // src/commands/init.ts
 function runInit(opts = {}) {
@@ -3004,41 +3344,41 @@ That command handles the bare-repo creation, clone, bootstrap merge, GitHub mirr
 For local-only / advisory use against this GitHub repo: re-run with \`stamp init --mode local-only\`. That mode is honest about the lack of server-side enforcement (signed merges still work, but \`git push origin main\` will not be rejected by the remote).`
     );
   }
-  const alreadyHasConfig = existsSync7(configFile);
+  const alreadyHasConfig = existsSync9(configFile);
   ensureDir(configDir);
   ensureDir(reviewersDir);
   ensureDir(trustedKeysDir);
   if (!alreadyHasConfig) {
     if (opts.minimal) {
-      writeFileSync6(configFile, stringifyConfig(MINIMAL_CONFIG));
-      writeFileSync6(join4(reviewersDir, "example.md"), EXAMPLE_REVIEWER_PROMPT);
+      writeFileSync7(configFile, stringifyConfig(MINIMAL_CONFIG));
+      writeFileSync7(join5(reviewersDir, "example.md"), EXAMPLE_REVIEWER_PROMPT);
     } else {
-      writeFileSync6(configFile, stringifyConfig(DEFAULT_CONFIG));
-      writeFileSync6(
-        join4(reviewersDir, "security.md"),
+      writeFileSync7(configFile, stringifyConfig(DEFAULT_CONFIG));
+      writeFileSync7(
+        join5(reviewersDir, "security.md"),
         DEFAULT_SECURITY_PROMPT
       );
-      writeFileSync6(
-        join4(reviewersDir, "standards.md"),
+      writeFileSync7(
+        join5(reviewersDir, "standards.md"),
         DEFAULT_STANDARDS_PROMPT
       );
-      writeFileSync6(
-        join4(reviewersDir, "product.md"),
+      writeFileSync7(
+        join5(reviewersDir, "product.md"),
         DEFAULT_PRODUCT_PROMPT
       );
     }
   }
   const { keypair, created: keyCreated } = ensureUserKeypair();
   const userCfg = loadOrCreateUserConfig();
-  const pubKeyPath = join4(
+  const pubKeyPath = join5(
     trustedKeysDir,
     publicKeyFingerprintFilename(keypair.fingerprint)
   );
-  const keyDeposited = !existsSync7(pubKeyPath);
+  const keyDeposited = !existsSync9(pubKeyPath);
   if (keyDeposited) {
-    writeFileSync6(pubKeyPath, keypair.publicKeyPem);
+    writeFileSync7(pubKeyPath, keypair.publicKeyPem);
   }
-  const dbExisted = existsSync7(stateDbPath);
+  const dbExisted = existsSync9(stateDbPath);
   const db = openDb(stateDbPath);
   db.close();
   const agentsMdAction = opts.agentsMd === false ? "skipped" : ensureAgentsMd(repoRoot, effectiveMode);
@@ -3078,6 +3418,9 @@ For local-only / advisory use against this GitHub repo: re-run with \`stamp init
   if (opts.bootstrapCommit !== false) {
     printBootstrapCommitResult(runBootstrapCommit(repoRoot, scaffoldOrSync));
   }
+  if (opts.oteam !== false) {
+    maybeOfferOteamHostFill();
+  }
   const ghProtectOpt = opts.ghProtect !== false;
   if (ghProtectOpt && remoteClass.shape === "forge-direct" && remoteClass.forge === "github.com" && remoteClass.url) {
     applyGitHubRulesetWithReporting(remoteClass.url);
@@ -3168,8 +3511,8 @@ function runBootstrapCommit(repoRoot, scaffoldOrSync) {
     return { kind: "skipped-already-tracked" };
   }
   const toAdd = [".stamp"];
-  if (existsSync7(join4(repoRoot, "AGENTS.md"))) toAdd.push("AGENTS.md");
-  if (existsSync7(join4(repoRoot, "CLAUDE.md"))) toAdd.push("CLAUDE.md");
+  if (existsSync9(join5(repoRoot, "AGENTS.md"))) toAdd.push("AGENTS.md");
+  if (existsSync9(join5(repoRoot, "CLAUDE.md"))) toAdd.push("CLAUDE.md");
   runGit(["add", ...toAdd], repoRoot);
   let hasStagedChanges = false;
   try {
@@ -3295,6 +3638,44 @@ function applyGitHubRulesetWithReporting(remoteUrl) {
       break;
   }
 }
+function maybeOfferOteamHostFill() {
+  if (!process.stdin.isTTY || !process.stdout.isTTY) return;
+  let oteamCfg;
+  try {
+    oteamCfg = readOteamConfig();
+  } catch {
+    return;
+  }
+  if (oteamCfg === null) return;
+  const cfg = oteamCfg;
+  const stamp = cfg.stamp;
+  if (stamp?.host) return;
+  let serverCfg;
+  try {
+    serverCfg = loadServerConfig();
+  } catch {
+    return;
+  }
+  if (!serverCfg) return;
+  const host = serverCfg.host;
+  process.stdout.write(
+    `Set oteam's \`stamp.host\` to "${host}"? [y/N] `
+  );
+  const answer = readLineSync().trim().toLowerCase();
+  if (answer !== "y" && answer !== "yes") return;
+  try {
+    patchStampHost(host);
+    console.log(
+      `oteam config: stamp.host set to "${host}" in ~/.open-team/config.json`
+    );
+    console.log();
+  } catch (err) {
+    console.log(
+      `warning: could not patch ~/.open-team/config.json: ${err instanceof Error ? err.message : String(err)}`
+    );
+    console.log();
+  }
+}
 function resolveMode(userMode, remoteClass) {
   const warnings = [];
   if (userMode === "local-only") {
@@ -3337,104 +3718,401 @@ function resolveMode(userMode, remoteClass) {
 }
 // src/commands/provision.ts
-import { spawnSync as spawnSync4 } from "child_process";
-import { existsSync as existsSync9, mkdtempSync, rmSync, writeFileSync as writeFileSync7 } from "fs";
+import { spawnSync as spawnSync6 } from "child_process";
+import { existsSync as existsSync11, mkdtempSync, readFileSync as readFileSync8, rmSync, writeFileSync as writeFileSync9 } from "fs";
 import { tmpdir } from "os";
-import { join as join5, resolve as resolvePath } from "path";
+import { join as join6, resolve as resolvePath } from "path";
+import { parse as parseYaml5 } from "yaml";
-// src/lib/serverConfig.ts
-import { existsSync as existsSync8, readFileSync as readFileSync6 } from "fs";
-import { parse as parseYaml4 } from "yaml";
-var DEFAULT_USER = "git";
-var DEFAULT_REPO_ROOT = "/srv/git";
-var USER_RE = /^[A-Za-z0-9_][A-Za-z0-9._-]*$/;
-var HOST_RE = /^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/;
-var REPO_ROOT_RE = /^(\/[A-Za-z0-9_-][A-Za-z0-9._-]*)+\/?$/;
-function describeShape2(field) {
-  switch (field) {
-    case "user":
-      return "alphanumerics + . _ -, must not start with -";
-    case "host":
-      return "hostname-shaped (alphanumerics + . -, must start and end with alphanumeric)";
-    case "repo_root_prefix":
-      return "absolute path with alphanumeric/. _ - segments, no .. components";
+// src/commands/server.ts
+import { spawnSync as spawnSync5 } from "child_process";
+import { existsSync as existsSync10, mkdirSync as mkdirSync4, renameSync as renameSync3, unlinkSync as unlinkSync2, writeFileSync as writeFileSync8 } from "fs";
+import { dirname as dirname4 } from "path";
+import { stringify as stringifyYaml2 } from "yaml";
+// src/lib/perRepoKey.ts
+var VALID_OWNER = /^[A-Za-z0-9-]+$/;
+var VALID_REPO = /^[A-Za-z0-9._-]+$/;
+var SSH_CLIENT_KEY_DIR = "/srv/git/.ssh-client-keys";
+function computePerRepoKeyPath(githubRepo) {
+  if (typeof githubRepo !== "string" || githubRepo.length === 0) {
+    throw new Error("computePerRepoKeyPath: githubRepo must be a non-empty string");
+  }
+  if (githubRepo.startsWith("-")) {
+    throw new Error(
+      `computePerRepoKeyPath: githubRepo must not start with '-': ${githubRepo}`
+    );
+  }
+  if (githubRepo.includes("..")) {
+    throw new Error(
+      `computePerRepoKeyPath: githubRepo must not contain '..': ${githubRepo}`
+    );
+  }
+  const slashCount = (githubRepo.match(/\//g) ?? []).length;
+  if (slashCount !== 1) {
+    throw new Error(
+      `computePerRepoKeyPath: githubRepo must be exactly <owner>/<repo>: ${githubRepo}`
+    );
+  }
+  const [owner, repo] = githubRepo.split("/");
+  if (!owner || !repo) {
+    throw new Error(
+      `computePerRepoKeyPath: owner and repo halves must both be non-empty: ${githubRepo}`
+    );
   }
+  if (!VALID_OWNER.test(owner)) {
+    throw new Error(
+      `computePerRepoKeyPath: owner must match [A-Za-z0-9-]+ (got "${owner}" in "${githubRepo}")`
+    );
+  }
+  if (!VALID_REPO.test(repo)) {
+    throw new Error(
+      `computePerRepoKeyPath: repo must match [A-Za-z0-9._-]+ (got "${repo}" in "${githubRepo}")`
+    );
+  }
+  return `${SSH_CLIENT_KEY_DIR}/${owner}_${repo}_ed25519`;
 }
-function validateField(field, value, contextPath) {
-  const re = field === "user" ? USER_RE : field === "host" ? HOST_RE : REPO_ROOT_RE;
-  if (!re.test(value)) {
+// src/commands/serverRepo.ts
+import { spawnSync as spawnSync4 } from "child_process";
+import { createInterface } from "readline";
+async function runServerRepoDelete(opts) {
+  const name = normalizeRepoName(opts.name);
+  if (opts.alsoGithub !== void 0) validateGithubRepoSpec(opts.alsoGithub);
+  const server2 = resolveServer(opts.server);
+  const action = opts.purge ? "PURGE (irreversible)" : "soft-delete (recoverable via restore)";
+  console.log(`About to ${action} bare repo: ${name}`);
+  console.log(`On server: ${server2.user}@${server2.host}:${server2.port}`);
+  if (opts.alsoGithub) {
+    console.log(
+      `Also: gh repo delete ${opts.alsoGithub} (PERMANENT, no GitHub-side undo)`
+    );
+  }
+  console.log();
+  if (!opts.yes) {
+    const expected = opts.purge ? `purge ${name}` : `delete ${name}`;
+    const got = await prompt(`Type "${expected}" to confirm: `);
+    if (got.trim() !== expected) {
+      console.log("note: aborted");
+      return;
+    }
+  }
+  const args = ["delete-stamp-repo", name];
+  if (opts.purge) args.push("--purge");
+  const result = spawnSync4(
+    "ssh",
+    ["-p", String(server2.port), "--", `${server2.user}@${server2.host}`, ...args],
+    { stdio: ["ignore", "inherit", "inherit"] }
+  );
+  if (result.status !== 0) {
     throw new Error(
-      `${contextPath}: '${field}' has an invalid shape (got ${JSON.stringify(value)}). Allowed: ${describeShape2(field)}.`
+      `server-side delete failed (exit ${result.status}). The bare repo on the stamp server was NOT touched. If you see "command not found", the server image is older than 0.7.3 \u2014 redeploy it first.`
+    );
+  }
+  if (!opts.purge) {
+    console.log();
+    console.log(`Recovery:`);
+    console.log(`  stamp server-repos restore ${name}                 # bring it back`);
+    console.log(`  stamp server-repos delete ${name} --purge          # nuke for real`);
+  }
+  if (opts.alsoGithub) {
+    if (!opts.yes) {
+      const expected = `delete github ${opts.alsoGithub}`;
+      const got = await prompt(
+        `Server-side done. To ALSO delete the GitHub mirror, type "${expected}" (or anything else to skip): `
+      );
+      if (got.trim() !== expected) {
+        console.log(
+          `note: skipped GitHub delete; mirror at https://github.com/${opts.alsoGithub} is intact`
+        );
+        return;
+      }
+    }
+    const ghResult = spawnSync4(
+      "gh",
+      ["repo", "delete", opts.alsoGithub, "--yes"],
+      { stdio: ["ignore", "inherit", "inherit"] }
     );
+    if (ghResult.status !== 0) {
+      throw new Error(
+        `GitHub repo delete failed (exit ${ghResult.status}). Server-side delete already succeeded; the GitHub mirror is still present at https://github.com/${opts.alsoGithub}.`
+      );
+    }
   }
 }
-function loadServerConfig() {
-  const path2 = userServerConfigPath();
-  if (!existsSync8(path2)) return null;
-  let raw;
-  try {
-    raw = readFileSync6(path2, "utf8");
-  } catch (err) {
+async function runServerRepoRestore(opts) {
+  const name = normalizeRepoName(opts.name);
+  const asName = opts.asName !== void 0 ? normalizeRepoName(opts.asName) : void 0;
+  if (opts.from !== void 0) validateTrashEntryName(opts.from);
+  const server2 = resolveServer(opts.server);
+  const args = ["restore-stamp-repo", name];
+  if (opts.from) {
+    args.push("--from", opts.from);
+  }
+  if (asName) {
+    args.push("--as", asName);
+  }
+  const result = spawnSync4(
+    "ssh",
+    ["-p", String(server2.port), "--", `${server2.user}@${server2.host}`, ...args],
+    { stdio: ["ignore", "inherit", "inherit"] }
+  );
+  if (result.status !== 0) {
     throw new Error(
-      `failed to read ${path2}: ${err instanceof Error ? err.message : String(err)}`
+      `server-side restore failed (exit ${result.status}). Run \`stamp server-repos list --trash\` to see what's available.`
     );
   }
-  return parseServerConfig(raw, path2);
 }
-function parseServerConfig(raw, contextPath = "<inline>") {
-  const parsed = parseYaml4(raw);
-  if (!parsed || typeof parsed !== "object") {
-    throw new Error(`${contextPath}: must be a YAML mapping with at least 'host' and 'port'`);
+function runServerRepoList(opts) {
+  const server2 = resolveServer(opts.server);
+  if (opts.trash) {
+    const result2 = spawnSync4(
+      "ssh",
+      ["-p", String(server2.port), "--", `${server2.user}@${server2.host}`, "list-trash"],
+      { stdio: ["ignore", "inherit", "inherit"] }
+    );
+    if (result2.status !== 0) {
+      throw new Error(
+        `list --trash failed (exit ${result2.status}). If you see "command not found", the server image is older than 0.7.3 \u2014 redeploy it first.`
+      );
+    }
+    return;
   }
-  const obj = parsed;
-  if (typeof obj.host !== "string" || !obj.host.trim()) {
-    throw new Error(`${contextPath}: 'host' is required and must be a non-empty string`);
+  const result = spawnSync4(
+    "ssh",
+    [
+      "-p",
+      String(server2.port),
+      "--",
+      `${server2.user}@${server2.host}`,
+      "ls",
+      "-1",
+      "/srv/git/"
+    ],
+    { stdio: ["ignore", "pipe", "inherit"], encoding: "utf8" }
+  );
+  if (result.status !== 0) {
+    throw new Error(`list failed (exit ${result.status}).`);
   }
-  if (typeof obj.port !== "number" || !Number.isInteger(obj.port) || obj.port < 1 || obj.port > 65535) {
-    throw new Error(`${contextPath}: 'port' is required and must be an integer 1..65535`);
+  const entries = filterLiveBareRepoNames(result.stdout);
+  if (entries.length === 0) {
+    console.log("(no live bare repos)");
+    return;
   }
-  const host = obj.host.trim();
-  validateField("host", host, contextPath);
-  const user = typeof obj.user === "string" && obj.user.trim() ? obj.user.trim() : DEFAULT_USER;
-  validateField("user", user, contextPath);
-  const repoRootPrefix = typeof obj.repo_root_prefix === "string" && obj.repo_root_prefix.trim() ? obj.repo_root_prefix.trim() : DEFAULT_REPO_ROOT;
-  validateField("repo_root_prefix", repoRootPrefix, contextPath);
-  return {
-    host,
-    port: obj.port,
-    user,
-    repoRootPrefix
-  };
+  for (const e of entries) console.log(e);
 }
-function parseServerFlag(value, context = "--server") {
-  const m = value.trim().match(/^([^:]+):(\d+)$/);
-  if (!m) {
+function resolveServer(serverFlag) {
+  const server2 = serverFlag ? parseServerFlag(serverFlag) : loadServerConfig();
+  if (!server2) {
     throw new Error(
-      `${context} must be in the form <host>:<port> (got "${value}")`
+      `no stamp server configured. Either:
+  - create ~/.stamp/server.yml with at least:
+      host: <ssh-host>
+      port: <ssh-port>
+  - or pass --server <host>:<port> on the command line.`
     );
   }
-  const port = Number(m[2]);
-  if (!Number.isInteger(port) || port < 1 || port > 65535) {
-    throw new Error(
-      `${context}: port must be an integer 1..65535 (got "${m[2]}")`
+  return server2;
+}
+var UsageError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "UsageError";
+  }
+};
+function normalizeRepoName(name) {
+  const canonical = name.endsWith(".git") ? name.slice(0, -4) : name;
+  validateRepoName(canonical);
+  return canonical;
+}
+function filterLiveBareRepoNames(rawOutput) {
+  return rawOutput.split("\n").map((s) => s.trim()).filter(Boolean).filter((s) => s.endsWith(".git")).map((s) => s.slice(0, -4)).filter((s) => s.length > 0);
+}
+function validateRepoName(name) {
+  if (!/^[A-Za-z0-9_][A-Za-z0-9._-]*$/.test(name) || name.includes("..")) {
+    throw new UsageError(
+      `repo name must start with [A-Za-z0-9_], match [A-Za-z0-9._-]+, and not contain '..' (got "${name}")`
     );
   }
-  const host = m[1];
-  validateField("host", host, context);
-  return {
-    host,
-    port,
-    user: DEFAULT_USER,
-    repoRootPrefix: DEFAULT_REPO_ROOT
+}
+function validateTrashEntryName(entry) {
+  if (!/^[0-9]{8}T[0-9]{6}Z-[A-Za-z0-9_][A-Za-z0-9._-]*\.git$/.test(entry)) {
+    throw new UsageError(
+      `--from must match <YYYYMMDDTHHMMSSZ>-<name>.git (got "${entry}"). Run \`stamp server-repos list --trash\` to see valid entry names.`
+    );
+  }
+}
+function validateGithubRepoSpec(spec) {
+  if (!/^[A-Za-z0-9_][A-Za-z0-9-]*\/[A-Za-z0-9_][A-Za-z0-9._-]*$/.test(spec)) {
+    throw new UsageError(
+      `--also-github must be <owner>/<repo> with no leading '-' on either segment (got "${spec}")`
+    );
+  }
+}
+function prompt(question) {
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve2) => {
+    rl.question(question, (answer) => {
+      rl.close();
+      resolve2(answer);
+    });
+  });
+}
+// src/commands/server.ts
+function formatServerConfigYaml(opts) {
+  const body = {
+    host: opts.host,
+    port: opts.port
   };
+  if (opts.user && opts.user.trim()) body.user = opts.user.trim();
+  if (opts.repoRootPrefix && opts.repoRootPrefix.trim()) {
+    body.repo_root_prefix = opts.repoRootPrefix.trim();
+  }
+  return stringifyYaml2(body);
 }
-function bareRepoSshUrl(cfg, repoName) {
-  return `ssh://${cfg.user}@${cfg.host}:${cfg.port}${cfg.repoRootPrefix}/${repoName}.git`;
+function runServerConfig(opts) {
+  const modes = [opts.hostPort, opts.show, opts.unset].filter(Boolean).length;
+  if (modes !== 1) {
+    throw new UsageError(
+      "stamp server config: provide exactly one of <host:port>, --show, or --unset"
+    );
+  }
+  if ((opts.show || opts.unset) && (opts.user || opts.repoRootPrefix)) {
+    throw new UsageError(
+      "stamp server config: --user and --repo-root-prefix only apply when writing (they conflict with --show / --unset)"
+    );
+  }
+  if (opts.show) return showConfig();
+  if (opts.unset) return unsetConfig();
+  return writeConfig(opts);
+}
+function showConfig() {
+  const path2 = userServerConfigPath();
+  if (!existsSync10(path2)) {
+    console.log(`note: no stamp server configured (${path2} does not exist)`);
+    console.log(`note: run \`stamp server config <host:port>\` to create one`);
+    return;
+  }
+  const cfg = loadServerConfig();
+  if (!cfg) {
+    console.log(`note: no stamp server configured`);
+    return;
+  }
+  console.log(`config:           ${path2}`);
+  console.log(`host:             ${cfg.host}`);
+  console.log(`port:             ${cfg.port}`);
+  console.log(`user:             ${cfg.user}`);
+  console.log(`repo_root_prefix: ${cfg.repoRootPrefix}`);
+}
+function unsetConfig() {
+  const path2 = userServerConfigPath();
+  if (!existsSync10(path2)) {
+    console.log(`note: ${path2} does not exist; nothing to remove`);
+    return;
+  }
+  unlinkSync2(path2);
+  console.log(`removed ${path2}`);
+}
+function fetchServerPubkey(server2, mirror) {
+  const sshArgs = [
+    "-p",
+    String(server2.port),
+    "--",
+    `${server2.user}@${server2.host}`,
+    "stamp-server-pubkey"
+  ];
+  if (mirror) {
+    sshArgs.push(`${mirror.owner}/${mirror.repo}`);
+  }
+  const result = spawnSync5("ssh", sshArgs, {
+    stdio: ["ignore", "pipe", "inherit"],
+    encoding: "utf8"
+  });
+  if (result.status !== 0) {
+    const target = mirror ? ` for ${mirror.owner}/${mirror.repo}` : "";
+    throw new Error(
+      `stamp server pubkey${target} failed (exit ${result.status}) against ${server2.user}@${server2.host}:${server2.port}. If you see "command not found", the server image predates the deploy-key feature \u2014 redeploy it first.`
+    );
+  }
+  return result.stdout.trim();
+}
+function runServerPubkey(opts) {
+  const server2 = resolveServer(opts.server);
+  let mirror;
+  if (opts.repo) {
+    try {
+      computePerRepoKeyPath(opts.repo);
+    } catch (err) {
+      throw new UsageError(
+        `--repo ${err instanceof Error ? err.message.replace(/^computePerRepoKeyPath:\s*/, "") : String(err)}`
+      );
+    }
+    const slashIdx = opts.repo.indexOf("/");
+    mirror = {
+      owner: opts.repo.slice(0, slashIdx),
+      repo: opts.repo.slice(slashIdx + 1)
+    };
+  }
+  const pubkey = fetchServerPubkey(server2, mirror);
+  process.stdout.write(`${pubkey}
+`);
+}
+function writeConfig(opts) {
+  let parsed;
+  try {
+    parsed = parseServerFlag(opts.hostPort, "stamp server config: <host:port>");
+  } catch (err) {
+    throw new UsageError(err instanceof Error ? err.message : String(err));
+  }
+  const yaml = formatServerConfigYaml({
+    host: parsed.host,
+    port: parsed.port,
+    user: opts.user,
+    repoRootPrefix: opts.repoRootPrefix
+  });
+  const path2 = userServerConfigPath();
+  const dir = dirname4(path2);
+  if (!existsSync10(dir)) mkdirSync4(dir, { recursive: true, mode: 448 });
+  const tmp = `${path2}.tmp.${process.pid}`;
+  writeFileSync8(tmp, yaml, { mode: 384 });
+  renameSync3(tmp, path2);
+  console.log(`wrote ${path2}`);
+  console.log(`host:             ${parsed.host}`);
+  console.log(`port:             ${parsed.port}`);
+  if (opts.user && opts.user.trim()) {
+    console.log(`user:             ${opts.user.trim()}`);
+  }
+  if (opts.repoRootPrefix && opts.repoRootPrefix.trim()) {
+    console.log(`repo_root_prefix: ${opts.repoRootPrefix.trim()}`);
+  }
 }
 // src/commands/provision.ts
 async function runProvision(opts) {
-  validateRepoName(opts.name);
+  if (opts.migrateExisting && opts.migrateBypass) {
+    throw new Error(
+      `--migrate-existing and --migrate-bypass are mutually exclusive: the first moves a forge-direct repo to server-gated topology, the second changes the bypass-actor shape on an already-server-gated repo.`
+    );
+  }
+  if (opts.removeOrgadmin && !opts.migrateBypass) {
+    throw new Error(
+      `--remove-orgadmin is only meaningful with --migrate-bypass`
+    );
+  }
+  if (!opts.migrateBypass) {
+    if (!opts.name) {
+      throw new Error(
+        `stamp provision requires a <name> argument (the bare repo name on the stamp server). If you meant to migrate an already-server-gated repo's Ruleset bypass instead, pass --migrate-bypass (identifies the target via cwd's .stamp/mirror.yml; no <name> needed).`
+      );
+    }
+    validateRepoName2(opts.name);
+  } else if (opts.name) {
+    console.log(
+      `note: <name> argument ignored under --migrate-bypass; the target is identified by .stamp/mirror.yml in the cwd.`
+    );
+    console.log();
+  }
   if (opts.org !== void 0) validateOrgName(opts.org);
   const server2 = opts.server ? parseServerFlag(opts.server) : loadServerConfig();
   if (!server2) {
@@ -3448,12 +4126,16 @@ async function runProvision(opts) {
 See docs/quickstart-server.md for how to deploy a stamp server first.`
     );
   }
+  if (opts.migrateBypass) {
+    await runMigrateBypass(opts, server2);
+    return;
+  }
   if (opts.migrateExisting) {
     await runMigrateExisting(opts, server2);
     return;
   }
   const cloneTarget = resolvePath(opts.into ?? opts.name);
-  if (existsSync9(cloneTarget)) {
+  if (existsSync11(cloneTarget)) {
     throw new Error(
       `clone destination already exists: ${cloneTarget}. Move or remove it, or pass --into <other-path>.`
     );
@@ -3481,11 +4163,11 @@ Provisioning bare repo on ${server2.host}:${server2.port}`);
   process.chdir(cloneTarget);
   await runBootstrap({});
   if (mirrorRepo && !opts.noRuleset) {
-    applyMirrorRuleset(mirrorRepo);
+    applyMirrorRuleset(mirrorRepo, server2);
   }
   printSuccess({ cloneTarget, server: server2, repoName: opts.name, mirrorRepo });
 }
-function validateRepoName(name) {
+function validateRepoName2(name) {
   if (!/^[A-Za-z0-9_][A-Za-z0-9._-]*$/.test(name)) {
     throw new Error(
       `repo name must start with [A-Za-z0-9_] and match [A-Za-z0-9._-]+ (got "${name}")`
@@ -3518,13 +4200,19 @@ function printPlan2(args) {
   }
   if (args.opts.org && !args.opts.noMirror && !args.opts.noRuleset) {
     console.log(fmt("GitHub Ruleset", "apply stamp-mirror-only on the mirror repo"));
+    console.log(
+      fmt(
+        "bypass actor",
+        `org repo \u2192 stamp-server deploy key "${STAMP_MIRROR_DEPLOY_KEY_TITLE}" (auto-registered or reused); personal repo \u2192 your gh-authed user`
+      )
+    );
   } else {
     console.log(fmt("GitHub Ruleset", "skipped"));
   }
   console.log(bar);
 }
 function provisionBareRepoOnServer(server2, name) {
-  const result = spawnSync4(
+  const result = spawnSync6(
     "ssh",
     [
       "-p",
@@ -3550,7 +4238,7 @@ function createGithubMirrorRepo(owner, repo, privateRepo) {
     );
   }
   const visibility = privateRepo ? "--private" : "--public";
-  const result = spawnSync4(
+  const result = spawnSync6(
     "gh",
     ["repo", "create", `${owner}/${repo}`, visibility],
     { stdio: ["ignore", "inherit", "inherit"] }
@@ -3573,28 +4261,67 @@ function writeMirrorYml(cloneTarget, mirror) {
   #   - "v*"
 `;
   const path2 = `${cloneTarget}/.stamp/mirror.yml`;
-  writeFileSync7(path2, yml);
+  writeFileSync9(path2, yml);
   console.log(`Wrote mirror.yml \u2192 .stamp/mirror.yml (${mirror.owner}/${mirror.repo})`);
 }
-function applyMirrorRuleset(mirror) {
-  const user = lookupAuthenticatedUserId();
-  if (!user) {
+function applyMirrorRuleset(mirror, server2) {
+  const existing = findExistingStampRuleset(mirror.owner, mirror.repo);
+  if (existing !== null) {
     console.log(
-      `note: GitHub Ruleset auto-apply skipped \u2014 couldn't look up the gh-authenticated user.`
+      `GitHub Ruleset: stamp-mirror-only already present on ${mirror.owner}/${mirror.repo}. Not modified.`
     );
-    console.log(`      Try \`gh auth status\` and re-apply manually via docs/github-ruleset-setup.md.`);
     return;
   }
   const ownerType = lookupRepoOwnerType(mirror.owner, mirror.repo);
   if (ownerType === null) {
     console.log(
-      `note: GitHub Ruleset auto-apply skipped \u2014 couldn't determine whether ${mirror.owner}/${mirror.repo} is a personal or org repo.`
+      `warning: GitHub Ruleset auto-apply skipped \u2014 couldn't determine whether ${mirror.owner}/${mirror.repo} is a personal or org repo.`
     );
-    console.log(`      For manual setup, see docs/github-ruleset-setup.md.`);
+    console.log(`         For manual setup, see docs/github-ruleset-setup.md.`);
     return;
   }
-  const actor = ownerType === "Organization" ? { type: "OrganizationAdmin", id: 1 } : { type: "User", id: user.id };
-  const actorDescription = actor.type === "OrganizationAdmin" ? "any org admin (your gh-authed user must be one to push as bypass)" : `${user.login}, id ${user.id}`;
+  let actor;
+  let actorDescription;
+  if (ownerType === "Organization") {
+    let pubkey;
+    try {
+      pubkey = fetchServerPubkey(server2, mirror);
+    } catch (err) {
+      console.log(
+        `warning: GitHub Ruleset auto-apply skipped \u2014 couldn't fetch stamp server pubkey: ${err instanceof Error ? err.message : String(err)}`
+      );
+      console.log(`         For manual setup, see docs/github-ruleset-setup.md.`);
+      return;
+    }
+    const reg = registerDeployKey(
+      mirror.owner,
+      mirror.repo,
+      STAMP_MIRROR_DEPLOY_KEY_TITLE,
+      pubkey
+    );
+    if (reg.status === "failed") {
+      console.log(`warning: GitHub Ruleset auto-apply skipped \u2014 deploy-key registration failed: ${reg.error}`);
+      console.log(`         For manual setup, see docs/github-ruleset-setup.md.`);
+      return;
+    }
+    const verb = reg.status === "created" ? "registered" : "reused";
+    console.log(
+      `Deploy key: ${verb} "${STAMP_MIRROR_DEPLOY_KEY_TITLE}" on ${mirror.owner}/${mirror.repo} (id ${reg.keyId}).`
+    );
+    actor = { type: "DeployKey", id: reg.keyId };
+    actorDescription = `stamp-server deploy key "${STAMP_MIRROR_DEPLOY_KEY_TITLE}", id ${reg.keyId}`;
+  } else {
+    const user = lookupAuthenticatedUserId();
+    if (!user) {
+      console.log(
+        `warning: GitHub Ruleset auto-apply skipped \u2014 couldn't look up the gh-authenticated user.`
+      );
+      console.log(`         Try \`gh auth status\` and re-apply manually via docs/github-ruleset-setup.md.`);
+      return;
+    }
+    actor = { type: "User", id: user.id };
+    actorDescription = `${user.login}, id ${user.id}`;
+  }
   const result = applyStampRuleset(mirror.owner, mirror.repo, actor);
   switch (result.status) {
     case "created":
@@ -3658,9 +4385,9 @@ async function runMigrateExisting(opts, server2) {
     console.log("\n(dry run \u2014 no changes made)");
     return;
   }
-  const stagingDir = mkdtempSync(join5(tmpdir(), "stamp-migrate-"));
-  const bareCloneDir = join5(stagingDir, `${opts.name}.git`);
-  const tarballPath = join5(stagingDir, `${opts.name}.tar.gz`);
+  const stagingDir = mkdtempSync(join6(tmpdir(), "stamp-migrate-"));
+  const bareCloneDir = join6(stagingDir, `${opts.name}.git`);
+  const tarballPath = join6(stagingDir, `${opts.name}.tar.gz`);
   try {
     console.log(`
 Building bare-clone tarball of existing repo`);
@@ -3682,7 +4409,7 @@ Building bare-clone tarball of existing repo`);
     writeMirrorYml(repoRoot, mirrorParse);
   }
   if (!opts.noMirror && !opts.noRuleset) {
-    applyMirrorRuleset(mirrorParse);
+    applyMirrorRuleset(mirrorParse, server2);
   }
   printMigrateSuccess({ repoRoot, server: server2, repoName: opts.name, mirror: mirrorParse, opts });
 }
@@ -3696,9 +4423,9 @@ function ensureCwdIsGitRepo(cwd) {
   }
 }
 function ensureStampInitDone(cwd) {
-  if (!existsSync9(join5(cwd, ".stamp", "config.yml"))) {
+  if (!existsSync11(join6(cwd, ".stamp", "config.yml"))) {
     throw new Error(
-      `--migrate-existing expects this repo to already be stamp-init'd (${join5(cwd, ".stamp/config.yml")} not found). Run \`stamp init --mode local-only\` first, calibrate your reviewers, then re-run with --migrate-existing.`
+      `--migrate-existing expects this repo to already be stamp-init'd (${join6(cwd, ".stamp/config.yml")} not found). Run \`stamp init --mode local-only\` first, calibrate your reviewers, then re-run with --migrate-existing.`
     );
   }
 }
@@ -3728,7 +4455,7 @@ function ensureWorkingTreeClean(cwd) {
   }
 }
 function runTarGz(parentDir, dirName, outputPath) {
-  const result = spawnSync4("tar", ["-czf", outputPath, "-C", parentDir, dirName], {
+  const result = spawnSync6("tar", ["-czf", outputPath, "-C", parentDir, dirName], {
     stdio: ["ignore", "inherit", "inherit"]
   });
   if (result.status !== 0) {
@@ -3738,7 +4465,7 @@ function runTarGz(parentDir, dirName, outputPath) {
   }
 }
 function scpToServer(server2, localPath, remotePath) {
-  const result = spawnSync4(
+  const result = spawnSync6(
     "scp",
     [
       "-P",
@@ -3756,7 +4483,7 @@ function scpToServer(server2, localPath, remotePath) {
   }
 }
 function sshRunNewStampRepoFromTarball(server2, name, remoteTarballPath) {
-  const result = spawnSync4(
+  const result = spawnSync6(
     "ssh",
     [
       "-p",
@@ -3822,196 +4549,249 @@ mirror.yml was added to .stamp/. Commit it through the normal stamp flow:`);
     console.log(`  stamp push main`);
   }
 }
-// src/commands/serverRepo.ts
-import { spawnSync as spawnSync5 } from "child_process";
-import { createInterface } from "readline";
-async function runServerRepoDelete(opts) {
-  const name = normalizeRepoName(opts.name);
-  if (opts.alsoGithub !== void 0) validateGithubRepoSpec(opts.alsoGithub);
-  const server2 = resolveServer(opts.server);
-  const action = opts.purge ? "PURGE (irreversible)" : "soft-delete (recoverable via restore)";
-  console.log(`About to ${action} bare repo: ${name}`);
-  console.log(`On server: ${server2.user}@${server2.host}:${server2.port}`);
-  if (opts.alsoGithub) {
-    console.log(
-      `Also: gh repo delete ${opts.alsoGithub} (PERMANENT, no GitHub-side undo)`
+function readMirrorYmlGithubRepo(repoRoot) {
+  const path2 = join6(repoRoot, ".stamp", "mirror.yml");
+  if (!existsSync11(path2)) {
+    throw new Error(
+      `${path2} not found \u2014 --migrate-bypass operates on an already-server-gated repo, but this cwd has no .stamp/mirror.yml. If the repo is not yet server-gated, provision it first with \`stamp provision --migrate-existing\`.`
     );
   }
-  console.log();
-  if (!opts.yes) {
-    const expected = opts.purge ? `purge ${name}` : `delete ${name}`;
-    const got = await prompt(`Type "${expected}" to confirm: `);
-    if (got.trim() !== expected) {
-      console.log("note: aborted");
-      return;
-    }
-  }
-  const args = ["delete-stamp-repo", name];
-  if (opts.purge) args.push("--purge");
-  const result = spawnSync5(
-    "ssh",
-    ["-p", String(server2.port), "--", `${server2.user}@${server2.host}`, ...args],
-    { stdio: ["ignore", "inherit", "inherit"] }
-  );
-  if (result.status !== 0) {
+  let raw;
+  try {
+    raw = readFileSync8(path2, "utf8");
+  } catch (err) {
     throw new Error(
-      `server-side delete failed (exit ${result.status}). The bare repo on the stamp server was NOT touched. If you see "command not found", the server image is older than 0.7.3 \u2014 redeploy it first.`
+      `could not read ${path2}: ${err instanceof Error ? err.message : String(err)}`
     );
   }
-  if (!opts.purge) {
-    console.log();
-    console.log(`Recovery:`);
-    console.log(`  stamp server-repos restore ${name}                 # bring it back`);
-    console.log(`  stamp server-repos delete ${name} --purge          # nuke for real`);
-  }
-  if (opts.alsoGithub) {
-    if (!opts.yes) {
-      const expected = `delete github ${opts.alsoGithub}`;
-      const got = await prompt(
-        `Server-side done. To ALSO delete the GitHub mirror, type "${expected}" (or anything else to skip): `
-      );
-      if (got.trim() !== expected) {
-        console.log(
-          `note: skipped GitHub delete; mirror at https://github.com/${opts.alsoGithub} is intact`
-        );
-        return;
-      }
-    }
-    const ghResult = spawnSync5(
-      "gh",
-      ["repo", "delete", opts.alsoGithub, "--yes"],
-      { stdio: ["ignore", "inherit", "inherit"] }
+  let parsed;
+  try {
+    parsed = parseYaml5(raw);
+  } catch (err) {
+    throw new Error(
+      `${path2} failed to parse as YAML: ${err instanceof Error ? err.message : String(err)}`
     );
-    if (ghResult.status !== 0) {
-      throw new Error(
-        `GitHub repo delete failed (exit ${ghResult.status}). Server-side delete already succeeded; the GitHub mirror is still present at https://github.com/${opts.alsoGithub}.`
-      );
-    }
-  }
-}
-async function runServerRepoRestore(opts) {
-  const name = normalizeRepoName(opts.name);
-  const asName = opts.asName !== void 0 ? normalizeRepoName(opts.asName) : void 0;
-  if (opts.from !== void 0) validateTrashEntryName(opts.from);
-  const server2 = resolveServer(opts.server);
-  const args = ["restore-stamp-repo", name];
-  if (opts.from) {
-    args.push("--from", opts.from);
   }
-  if (asName) {
-    args.push("--as", asName);
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error(`${path2} is empty or not a map`);
   }
-  const result = spawnSync5(
-    "ssh",
-    ["-p", String(server2.port), "--", `${server2.user}@${server2.host}`, ...args],
-    { stdio: ["ignore", "inherit", "inherit"] }
-  );
-  if (result.status !== 0) {
+  const obj = parsed;
+  const gh = obj["github"];
+  if (!gh || typeof gh !== "object" || Array.isArray(gh)) {
+    throw new Error(`${path2} has no usable 'github' map`);
+  }
+  const repoStr = gh["repo"];
+  if (typeof repoStr !== "string" || !/^[A-Za-z0-9._-]+\/[A-Za-z0-9._-]+$/.test(repoStr)) {
     throw new Error(
-      `server-side restore failed (exit ${result.status}). Run \`stamp server-repos list --trash\` to see what's available.`
+      `${path2} github.repo is missing or not of form 'owner/repo' (got ${JSON.stringify(repoStr)})`
     );
   }
+  const slashIdx = repoStr.indexOf("/");
+  return {
+    owner: repoStr.slice(0, slashIdx),
+    repo: repoStr.slice(slashIdx + 1)
+  };
 }
-function runServerRepoList(opts) {
-  const server2 = resolveServer(opts.server);
-  if (opts.trash) {
-    const result2 = spawnSync5(
-      "ssh",
-      ["-p", String(server2.port), "--", `${server2.user}@${server2.host}`, "list-trash"],
-      { stdio: ["ignore", "inherit", "inherit"] }
+async function runMigrateBypass(opts, server2) {
+  const repoRoot = process.cwd();
+  const mirror = readMirrorYmlGithubRepo(repoRoot);
+  const ghCheck = checkGhAvailable();
+  if (!ghCheck.available) {
+    throw new Error(
+      `--migrate-bypass requires gh: ${ghCheck.reason}. Install/authenticate gh, then re-run.`
     );
-    if (result2.status !== 0) {
-      throw new Error(
-        `list --trash failed (exit ${result2.status}). If you see "command not found", the server image is older than 0.7.3 \u2014 redeploy it first.`
-      );
-    }
+  }
+  printMigrateBypassPlan({ mirror, server: server2, opts });
+  if (opts.dryRun) {
+    console.log("\n(dry run \u2014 no changes made)");
     return;
   }
-  const result = spawnSync5(
-    "ssh",
-    [
-      "-p",
-      String(server2.port),
-      "--",
-      `${server2.user}@${server2.host}`,
-      "ls",
-      "-1",
-      "/srv/git/"
-    ],
-    { stdio: ["ignore", "pipe", "inherit"], encoding: "utf8" }
+  console.log(`
+Fetching per-repo deploy key from stamp server`);
+  let pubkey;
+  try {
+    pubkey = fetchServerPubkey(server2, mirror);
+  } catch (err) {
+    throw new Error(
+      `failed to fetch per-repo pubkey for ${mirror.owner}/${mirror.repo} from ${server2.user}@${server2.host}:${server2.port}: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  console.log(`Checking existing deploy keys on ${mirror.owner}/${mirror.repo}`);
+  const existingKeyId = findDeployKey(
+    mirror.owner,
+    mirror.repo,
+    STAMP_MIRROR_DEPLOY_KEY_TITLE
   );
-  if (result.status !== 0) {
-    throw new Error(`list failed (exit ${result.status}).`);
+  let deployKeyId;
+  if (existingKeyId !== null) {
+    const existingBody = fetchDeployKeyPublic(
+      mirror.owner,
+      mirror.repo,
+      existingKeyId
+    );
+    if (existingBody === pubkey) {
+      console.log(
+        `Deploy key: "${STAMP_MIRROR_DEPLOY_KEY_TITLE}" already matches per-repo pubkey (keyId ${existingKeyId}). No change.`
+      );
+      deployKeyId = existingKeyId;
+    } else {
+      console.log(
+        `Deploy key: "${STAMP_MIRROR_DEPLOY_KEY_TITLE}" is registered but doesn't match the per-repo pubkey (keyId ${existingKeyId}). Deleting before re-registering.`
+      );
+      const del = deleteDeployKey(mirror.owner, mirror.repo, existingKeyId);
+      if (del.status === "failed") {
+        throw new Error(`deploy-key cleanup failed: ${del.error}`);
+      }
+      deployKeyId = registerStampMirrorKey(mirror, pubkey);
+    }
+  } else {
+    deployKeyId = registerStampMirrorKey(mirror, pubkey);
   }
-  const entries = filterLiveBareRepoNames(result.stdout);
-  if (entries.length === 0) {
-    console.log("(no live bare repos)");
+  console.log(`Looking up stamp-mirror-only ruleset on ${mirror.owner}/${mirror.repo}`);
+  const rulesetId = findExistingStampRuleset(mirror.owner, mirror.repo);
+  if (rulesetId === null) {
+    console.log(
+      `note: no \`stamp-mirror-only\` Ruleset on ${mirror.owner}/${mirror.repo}. Deploy key is registered; no bypass list to update.`
+    );
+    console.log(
+      `      If this repo is server-gated only (no GitHub-side enforcement), that's expected and you're done.`
+    );
+    console.log(
+      `      If you EXPECTED a Ruleset, it may use a non-canonical name (e.g. think-cli's \`Protect Main\`) \u2014 rename to \`stamp-mirror-only\` in the GitHub UI and re-run, or migrate by hand.`
+    );
+    if (opts.removeOrgadmin) {
+      console.log(
+        `      --remove-orgadmin requested but there's no Ruleset bypass list to modify; ignoring.`
+      );
+    }
+    printMigrateBypassSuccess({
+      mirror,
+      server: server2,
+      opts,
+      rulesetUpdated: false
+    });
     return;
   }
-  for (const e of entries) console.log(e);
-}
-function resolveServer(serverFlag) {
-  const server2 = serverFlag ? parseServerFlag(serverFlag) : loadServerConfig();
-  if (!server2) {
+  console.log(`Reading current bypass_actors on ruleset ${rulesetId}`);
+  const current = getRulesetBypassActors(mirror.owner, mirror.repo, rulesetId);
+  if (current === null) {
     throw new Error(
-      `no stamp server configured. Either:
-  - create ~/.stamp/server.yml with at least:
-      host: <ssh-host>
-      port: <ssh-port>
-  - or pass --server <host>:<port> on the command line.`
+      `could not read bypass_actors on ${mirror.owner}/${mirror.repo} ruleset ${rulesetId}`
     );
   }
-  return server2;
-}
-var UsageError = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "UsageError";
+  const desired = computeDesiredBypassActors(current, deployKeyId, {
+    removeOrgadmin: opts.removeOrgadmin === true
+  });
+  const result = replaceBypassActors(
+    mirror.owner,
+    mirror.repo,
+    rulesetId,
+    desired
+  );
+  if (result.status === "failed") {
+    throw new Error(`ruleset bypass update failed: ${result.error}`);
   }
-};
-function normalizeRepoName(name) {
-  const canonical = name.endsWith(".git") ? name.slice(0, -4) : name;
-  validateRepoName2(canonical);
-  return canonical;
+  if (result.status === "updated") {
+    console.log(
+      `Ruleset bypass: updated to [${desired.map((a) => a.actor_type).join(", ")}].`
+    );
+  } else {
+    console.log(`Ruleset bypass: already up to date. No change.`);
+  }
+  printMigrateBypassSuccess({ mirror, server: server2, opts, rulesetUpdated: true });
 }
-function filterLiveBareRepoNames(rawOutput) {
-  return rawOutput.split("\n").map((s) => s.trim()).filter(Boolean).filter((s) => s.endsWith(".git")).map((s) => s.slice(0, -4)).filter((s) => s.length > 0);
+function registerStampMirrorKey(mirror, pubkey) {
+  const reg = registerDeployKey(
+    mirror.owner,
+    mirror.repo,
+    STAMP_MIRROR_DEPLOY_KEY_TITLE,
+    pubkey
+  );
+  if (reg.status === "failed") {
+    throw new Error(`deploy-key registration failed: ${reg.error}`);
+  }
+  console.log(
+    `Deploy key: registered "${STAMP_MIRROR_DEPLOY_KEY_TITLE}" on ${mirror.owner}/${mirror.repo} (id ${reg.keyId}).`
+  );
+  return reg.keyId;
 }
-function validateRepoName2(name) {
-  if (!/^[A-Za-z0-9_][A-Za-z0-9._-]*$/.test(name) || name.includes("..")) {
-    throw new UsageError(
-      `repo name must start with [A-Za-z0-9_], match [A-Za-z0-9._-]+, and not contain '..' (got "${name}")`
+function printMigrateBypassPlan(args) {
+  const bar = "\u2500".repeat(72);
+  console.log(bar);
+  console.log("stamp provision --migrate-bypass \u2014 plan");
+  console.log(bar);
+  console.log(fmt("mirror", `${args.mirror.owner}/${args.mirror.repo}`));
+  console.log(fmt("stamp server", `${args.server.user}@${args.server.host}:${args.server.port}`));
+  console.log(
+    fmt(
+      "deploy key",
+      `fetch per-repo pubkey from server; register as "${STAMP_MIRROR_DEPLOY_KEY_TITLE}" on the mirror (replacing any prior entry under that title)`
+    )
+  );
+  console.log(
+    fmt(
+      "ruleset",
+      `add DeployKey actor to stamp-mirror-only bypass list` + (args.opts.removeOrgadmin ? `; remove OrganizationAdmin (--remove-orgadmin)` : `; preserve OrganizationAdmin`)
+    )
+  );
+  console.log(bar);
+  if (args.opts.removeOrgadmin) {
+    console.log(
+      `warning: --remove-orgadmin strips the OrganizationAdmin bypass before any push-verification step runs. Verify the DeployKey transport works (one stamp push) before running this.`
     );
   }
 }
-function validateTrashEntryName(entry) {
-  if (!/^[0-9]{8}T[0-9]{6}Z-[A-Za-z0-9_][A-Za-z0-9._-]*\.git$/.test(entry)) {
-    throw new UsageError(
-      `--from must match <YYYYMMDDTHHMMSSZ>-<name>.git (got "${entry}"). Run \`stamp server-repos list --trash\` to see valid entry names.`
+function printMigrateBypassSuccess(args) {
+  const bar = "\u2500".repeat(72);
+  console.log(`
+${bar}`);
+  console.log(
+    args.rulesetUpdated ? `\u2713 bypass migrated` : `\u2713 deploy key registered (no ruleset to migrate)`
+  );
+  console.log(bar);
+  console.log(fmt("mirror", `${args.mirror.owner}/${args.mirror.repo}`));
+  if (args.rulesetUpdated) {
+    console.log(
+      fmt(
+        "bypass actors",
+        args.opts.removeOrgadmin ? `DeployKey (OrganizationAdmin removed)` : `OrganizationAdmin + DeployKey`
+      )
+    );
+  } else {
+    console.log(
+      fmt(
+        "bypass actors",
+        `n/a (no stamp-mirror-only Ruleset on this repo \u2014 server-gated only)`
+      )
     );
   }
-}
-function validateGithubRepoSpec(spec) {
-  if (!/^[A-Za-z0-9_][A-Za-z0-9-]*\/[A-Za-z0-9_][A-Za-z0-9._-]*$/.test(spec)) {
-    throw new UsageError(
-      `--also-github must be <owner>/<repo> with no leading '-' on either segment (got "${spec}")`
+  console.log(bar);
+  if (!args.rulesetUpdated) {
+    console.log(
+      `
+Deploy key is registered; the next stamp push's mirror leg will use it.
+No GitHub Ruleset was found on this repo, so there's no bypass enforcement
+to verify. If you want GitHub-side protection, apply the stamp-mirror-only
+Ruleset separately (see docs/github-ruleset-setup.md).`
+    );
+  } else if (!args.opts.removeOrgadmin) {
+    console.log(
+      `
+Next: do a stamp merge + push to verify the DeployKey transport works,
+then re-run with --remove-orgadmin to drop the OrganizationAdmin fallback.`
+    );
+  } else {
+    console.log(
+      `
+The stamp-mirror-only Ruleset now bypasses ONLY via the per-repo deploy key.
+Direct \`git push origin main\` from any non-stamp source will be rejected.`
     );
   }
 }
-function prompt(question) {
-  const rl = createInterface({ input: process.stdin, output: process.stdout });
-  return new Promise((resolve2) => {
-    rl.question(question, (answer) => {
-      rl.close();
-      resolve2(answer);
-    });
-  });
-}
 // src/commands/keys.ts
-import { existsSync as existsSync10, readdirSync as readdirSync2, readFileSync as readFileSync7, writeFileSync as writeFileSync8 } from "fs";
-import { basename, join as join6 } from "path";
+import { existsSync as existsSync12, readdirSync as readdirSync2, readFileSync as readFileSync9, writeFileSync as writeFileSync10 } from "fs";
+import { basename, join as join7 } from "path";
 function keysGenerate() {
   const existing = loadUserKeypair();
   if (existing) {
@@ -4044,7 +4824,7 @@ function keysList() {
     const repoRoot = findRepoRoot();
     const trustedDir = stampTrustedKeysDir(repoRoot);
     console.log(`repo trusted keys: ${trustedDir}/`);
-    if (!existsSync10(trustedDir)) {
+    if (!existsSync12(trustedDir)) {
       console.log("  (directory does not exist \u2014 run `stamp init`)");
       return;
     }
@@ -4055,7 +4835,7 @@ function keysList() {
     }
     for (const file of pubFiles.sort()) {
       try {
-        const pem = readFileSync7(join6(trustedDir, file), "utf8");
+        const pem = readFileSync9(join7(trustedDir, file), "utf8");
         const fp = fingerprintFromPem(pem);
         const marker = local && fp === local.fingerprint ? " (you)" : "";
         console.log(`  ${fp}${marker}  [${file}]`);
@@ -4074,15 +4854,15 @@ function keysExport() {
 function keysTrust(pubFile) {
   const repoRoot = findRepoRoot();
   const trustedDir = stampTrustedKeysDir(repoRoot);
-  if (!existsSync10(trustedDir)) {
+  if (!existsSync12(trustedDir)) {
     throw new Error(
       `no ${trustedDir} \u2014 run \`stamp init\` first to create the trust store`
     );
   }
-  if (!existsSync10(pubFile)) {
+  if (!existsSync12(pubFile)) {
     throw new Error(`public key file not found: ${pubFile}`);
   }
-  const pem = readFileSync7(pubFile, "utf8");
+  const pem = readFileSync9(pubFile, "utf8");
   let fingerprint;
   try {
     fingerprint = fingerprintFromPem(pem);
@@ -4092,12 +4872,12 @@ function keysTrust(pubFile) {
     );
   }
   const filename = publicKeyFingerprintFilename(fingerprint);
-  const dest = join6(trustedDir, filename);
-  if (existsSync10(dest)) {
+  const dest = join7(trustedDir, filename);
+  if (existsSync12(dest)) {
     console.log(`${fingerprint} is already trusted (${basename(dest)})`);
     return;
   }
-  writeFileSync8(dest, pem);
+  writeFileSync10(dest, pem);
   console.log(`trusted ${fingerprint}`);
   console.log(`  \u2192 ${dest}`);
   console.log();
@@ -4105,11 +4885,11 @@ function keysTrust(pubFile) {
 }
 // src/commands/log.ts
-import { existsSync as existsSync11 } from "fs";
+import { existsSync as existsSync13 } from "fs";
 function runLog(opts) {
   const repoRoot = findRepoRoot();
   const configPath = stampConfigFile(repoRoot);
-  if (!existsSync11(configPath)) {
+  if (!existsSync13(configPath)) {
     throw new Error(
       `no .stamp/config.yml at ${configPath}. Run \`stamp init\` first.`
     );
@@ -4226,7 +5006,7 @@ function printCommitDetail(sha, repoRoot) {
 }
 function collectReviewProse(repoRoot, payload) {
   const dbPath = stampStateDbPath(repoRoot);
-  if (!existsSync11(dbPath)) return [];
+  if (!existsSync13(dbPath)) return [];
   const db = openDb(dbPath);
   try {
     const rows = latestReviews(db, payload.base_sha, payload.head_sha);
@@ -4240,7 +5020,7 @@ function printReviewHistory(repoRoot, limit, diff) {
   const configPath = stampConfigFile(repoRoot);
   loadConfig(configPath);
   const dbPath = stampStateDbPath(repoRoot);
-  if (!existsSync11(dbPath)) {
+  if (!existsSync13(dbPath)) {
     console.log("No reviews recorded yet.");
     return;
   }
@@ -4281,8 +5061,8 @@ function printReviewHistory(repoRoot, limit, diff) {
 }
 // src/commands/prune.ts
-import { existsSync as existsSync12, readdirSync as readdirSync3, statSync as statSync2, unlinkSync as unlinkSync2 } from "fs";
-import { join as join7 } from "path";
+import { existsSync as existsSync14, readdirSync as readdirSync3, statSync as statSync2, unlinkSync as unlinkSync3 } from "fs";
+import { join as join8 } from "path";
 // src/lib/duration.ts
 function parseRetentionDuration(input) {
@@ -4311,15 +5091,15 @@ function runPrune(opts) {
   );
   const repoRoot = findRepoRoot();
   const dbPath = stampStateDbPath(repoRoot);
-  const spoolDir = join7(gitCommonDir(repoRoot), "stamp", "failed-parses");
+  const spoolDir = join8(gitCommonDir(repoRoot), "stamp", "failed-parses");
   const spoolCutoffMs = Date.now() - durationMs;
-  if (!existsSync12(dbPath) && !existsSync12(spoolDir)) {
+  if (!existsSync14(dbPath) && !existsSync14(spoolDir)) {
     console.log(
       `note: nothing to prune (neither ${dbPath} nor ${spoolDir} exists \u2014 both are created on first \`stamp review\`)`
     );
     return;
   }
-  const db = existsSync12(dbPath) ? openDb(dbPath) : null;
+  const db = existsSync14(dbPath) ? openDb(dbPath) : null;
   try {
     if (opts.dryRun) {
       let any2 = false;
@@ -4379,10 +5159,10 @@ function runPrune(opts) {
   }
 }
 function peekFailedParseSpools(spoolDir, cutoffMs) {
-  if (!existsSync12(spoolDir)) return [];
+  if (!existsSync14(spoolDir)) return [];
   const out = [];
   for (const entry of readdirSync3(spoolDir)) {
-    const filepath = join7(spoolDir, entry);
+    const filepath = join8(spoolDir, entry);
     let stat;
     try {
       stat = statSync2(filepath);
@@ -4399,7 +5179,7 @@ function pruneFailedParseSpools(spoolDir, cutoffMs) {
   let deleted = 0;
   for (const filepath of targets) {
     try {
-      unlinkSync2(filepath);
+      unlinkSync3(filepath);
       deleted++;
     } catch {
     }
@@ -4415,96 +5195,8 @@ function printPerReviewer(rows) {
   }
 }
-// src/commands/server.ts
-import { existsSync as existsSync13, mkdirSync as mkdirSync4, renameSync as renameSync2, unlinkSync as unlinkSync3, writeFileSync as writeFileSync9 } from "fs";
-import { dirname as dirname4 } from "path";
-import { stringify as stringifyYaml2 } from "yaml";
-function formatServerConfigYaml(opts) {
-  const body = {
-    host: opts.host,
-    port: opts.port
-  };
-  if (opts.user && opts.user.trim()) body.user = opts.user.trim();
-  if (opts.repoRootPrefix && opts.repoRootPrefix.trim()) {
-    body.repo_root_prefix = opts.repoRootPrefix.trim();
-  }
-  return stringifyYaml2(body);
-}
-function runServerConfig(opts) {
-  const modes = [opts.hostPort, opts.show, opts.unset].filter(Boolean).length;
-  if (modes !== 1) {
-    throw new UsageError(
-      "stamp server config: provide exactly one of <host:port>, --show, or --unset"
-    );
-  }
-  if ((opts.show || opts.unset) && (opts.user || opts.repoRootPrefix)) {
-    throw new UsageError(
-      "stamp server config: --user and --repo-root-prefix only apply when writing (they conflict with --show / --unset)"
-    );
-  }
-  if (opts.show) return showConfig();
-  if (opts.unset) return unsetConfig();
-  return writeConfig(opts);
-}
-function showConfig() {
-  const path2 = userServerConfigPath();
-  if (!existsSync13(path2)) {
-    console.log(`note: no stamp server configured (${path2} does not exist)`);
-    console.log(`note: run \`stamp server config <host:port>\` to create one`);
-    return;
-  }
-  const cfg = loadServerConfig();
-  if (!cfg) {
-    console.log(`note: no stamp server configured`);
-    return;
-  }
-  console.log(`config:           ${path2}`);
-  console.log(`host:             ${cfg.host}`);
-  console.log(`port:             ${cfg.port}`);
-  console.log(`user:             ${cfg.user}`);
-  console.log(`repo_root_prefix: ${cfg.repoRootPrefix}`);
-}
-function unsetConfig() {
-  const path2 = userServerConfigPath();
-  if (!existsSync13(path2)) {
-    console.log(`note: ${path2} does not exist; nothing to remove`);
-    return;
-  }
-  unlinkSync3(path2);
-  console.log(`removed ${path2}`);
-}
-function writeConfig(opts) {
-  let parsed;
-  try {
-    parsed = parseServerFlag(opts.hostPort, "stamp server config: <host:port>");
-  } catch (err) {
-    throw new UsageError(err instanceof Error ? err.message : String(err));
-  }
-  const yaml = formatServerConfigYaml({
-    host: parsed.host,
-    port: parsed.port,
-    user: opts.user,
-    repoRootPrefix: opts.repoRootPrefix
-  });
-  const path2 = userServerConfigPath();
-  const dir = dirname4(path2);
-  if (!existsSync13(dir)) mkdirSync4(dir, { recursive: true, mode: 448 });
-  const tmp = `${path2}.tmp.${process.pid}`;
-  writeFileSync9(tmp, yaml, { mode: 384 });
-  renameSync2(tmp, path2);
-  console.log(`wrote ${path2}`);
-  console.log(`host:             ${parsed.host}`);
-  console.log(`port:             ${parsed.port}`);
-  if (opts.user && opts.user.trim()) {
-    console.log(`user:             ${opts.user.trim()}`);
-  }
-  if (opts.repoRootPrefix && opts.repoRootPrefix.trim()) {
-    console.log(`repo_root_prefix: ${opts.repoRootPrefix.trim()}`);
-  }
-}
 // src/commands/config.ts
-import { existsSync as existsSync14 } from "fs";
+import { existsSync as existsSync15 } from "fs";
 function runConfigReviewersSet(opts) {
   if (!isValidReviewerName(opts.reviewer)) {
     throw new UsageError(
@@ -4577,7 +5269,7 @@ function runConfigReviewersClear(opts) {
 }
 function runConfigReviewersShow() {
   const path2 = userConfigPath();
-  if (!existsSync14(path2)) {
+  if (!existsSync15(path2)) {
     console.log(`note: no per-user stamp config (${path2} does not exist).`);
     console.log(
       `      Defaults will apply on next \`stamp init\` or \`stamp review\`:`
@@ -4622,30 +5314,30 @@ function loadOrEmpty() {
 }
 // src/commands/reviewers.ts
-import { spawnSync as spawnSync6 } from "child_process";
+import { spawnSync as spawnSync7 } from "child_process";
 import {
-  existsSync as existsSync16,
-  readFileSync as readFileSync9,
+  existsSync as existsSync17,
+  readFileSync as readFileSync11,
   statSync as statSync3,
   unlinkSync as unlinkSync4,
-  writeFileSync as writeFileSync11
+  writeFileSync as writeFileSync12
 } from "fs";
-import { join as join9, relative, resolve } from "path";
-import { parse as parseYaml5, stringify as stringifyYaml3 } from "yaml";
+import { join as join10, relative, resolve } from "path";
+import { parse as parseYaml6, stringify as stringifyYaml3 } from "yaml";
 // src/lib/reviewerLock.ts
-import { existsSync as existsSync15, readFileSync as readFileSync8, writeFileSync as writeFileSync10 } from "fs";
-import { join as join8 } from "path";
+import { existsSync as existsSync16, readFileSync as readFileSync10, writeFileSync as writeFileSync11 } from "fs";
+import { join as join9 } from "path";
 var LOCK_FILE_VERSION = 1;
 var LOCK_DRIFT_EXIT = 3;
 function lockFilePath(repoRoot, reviewerName) {
-  return join8(repoRoot, ".stamp", "reviewers", `${reviewerName}.lock.json`);
+  return join9(repoRoot, ".stamp", "reviewers", `${reviewerName}.lock.json`);
 }
 function readLockFile(repoRoot, reviewerName) {
   const path2 = lockFilePath(repoRoot, reviewerName);
-  if (!existsSync15(path2)) return null;
+  if (!existsSync16(path2)) return null;
   try {
-    const raw = readFileSync8(path2, "utf8");
+    const raw = readFileSync10(path2, "utf8");
     const parsed = JSON.parse(raw);
     if (typeof parsed.version !== "number" || typeof parsed.source !== "string" || typeof parsed.ref !== "string" || typeof parsed.reviewer !== "string" || typeof parsed.prompt_sha256 !== "string" || typeof parsed.tools_sha256 !== "string" || typeof parsed.mcp_sha256 !== "string") {
       throw new Error(`malformed lock file at ${path2}`);
@@ -4659,20 +5351,20 @@ function readLockFile(repoRoot, reviewerName) {
 }
 function writeLockFile(repoRoot, reviewerName, lock) {
   const path2 = lockFilePath(repoRoot, reviewerName);
-  writeFileSync10(path2, JSON.stringify(lock, null, 2) + "\n", "utf8");
+  writeFileSync11(path2, JSON.stringify(lock, null, 2) + "\n", "utf8");
 }
 function checkReviewerDrift(repoRoot, reviewerName, def) {
   const lock = readLockFile(repoRoot, reviewerName);
   if (!lock) {
     return unpinnedResult();
   }
-  const promptPath = join8(repoRoot, def.prompt);
-  if (!existsSync15(promptPath)) {
+  const promptPath = join9(repoRoot, def.prompt);
+  if (!existsSync16(promptPath)) {
     throw new Error(
       `reviewer "${reviewerName}" has a lock file but its prompt "${def.prompt}" does not exist on disk. Re-run 'stamp reviewers fetch ${reviewerName} --from ${lock.source}@${lock.ref}' to restore it, or delete the lock file to un-pin the reviewer.`
     );
   }
-  const promptBytes = readFileSync8(promptPath);
+  const promptBytes = readFileSync10(promptPath);
   const observedPrompt = hashPromptBytes(promptBytes);
   const observedTools = hashTools(def.tools);
   const observedMcp = hashMcpServers(def.mcp_servers);
@@ -4753,7 +5445,7 @@ function reviewersList() {
     const def = config2.reviewers[name];
     const abs = resolve(repoRoot, def.prompt);
     let annotation = "";
-    if (!existsSync16(abs)) {
+    if (!existsSync17(abs)) {
       annotation = "  MISSING";
     } else {
       const size = statSync3(abs).size;
@@ -4792,19 +5484,19 @@ function reviewersAdd(name, opts = {}) {
   }
   const promptRel = `.stamp/reviewers/${name}.md`;
   const promptAbs = resolve(repoRoot, promptRel);
-  if (existsSync16(promptAbs)) {
+  if (existsSync17(promptAbs)) {
     throw new Error(
       `${promptRel} already exists on disk but is not in config. Either delete the file or add it to config manually.`
     );
   }
-  writeFileSync11(
+  writeFileSync12(
     promptAbs,
     `# ${name}
 ${EXAMPLE_REVIEWER_PROMPT.split("\n").slice(2).join("\n")}`
   );
   config2.reviewers[name] = { prompt: promptRel };
-  writeFileSync11(configPath, stringifyConfig(config2));
+  writeFileSync12(configPath, stringifyConfig(config2));
   console.log(`reviewer "${name}" added.`);
   console.log(`  prompt file: ${promptRel}`);
   console.log(`  registered in .stamp/config.yml`);
@@ -4839,11 +5531,11 @@ function reviewersRemove(name, opts = {}) {
     );
   }
   delete config2.reviewers[name];
-  writeFileSync11(configPath, stringifyConfig(config2));
+  writeFileSync12(configPath, stringifyConfig(config2));
   console.log(`reviewer "${name}" removed from .stamp/config.yml`);
   if (opts.deleteFile) {
     const promptAbs = resolve(repoRoot, def.prompt);
-    if (existsSync16(promptAbs)) {
+    if (existsSync17(promptAbs)) {
       unlinkSync4(promptAbs);
       console.log(`deleted ${def.prompt}`);
     }
@@ -4874,8 +5566,8 @@ async function reviewersTest(name, diff) {
   console.log(`  prompt sourced from working tree (test/iteration use case)`);
   console.log();
   const def = config2.reviewers[name];
-  const promptPath = join9(repoRoot, def.prompt);
-  const systemPrompt = readFileSync9(promptPath, "utf8");
+  const promptPath = join10(repoRoot, def.prompt);
+  const systemPrompt = readFileSync11(promptPath, "utf8");
   const result = await invokeReviewer({
     reviewer: name,
     config: config2,
@@ -4902,7 +5594,7 @@ function reviewersShow(name, opts) {
     );
   }
   const dbPath = stampStateDbPath(repoRoot);
-  if (!existsSync16(dbPath)) {
+  if (!existsSync17(dbPath)) {
     console.log("No reviews recorded yet (no state.db).");
     return;
   }
@@ -4992,7 +5684,7 @@ async function reviewersFetch(reviewerName, opts) {
     opts.expectMcpSha
   );
   const reviewersDir = stampReviewersDir(repoRoot);
-  if (!existsSync16(reviewersDir)) {
+  if (!existsSync17(reviewersDir)) {
     throw new Error(
       `${reviewersDir} does not exist \u2014 run \`stamp init\` first.`
     );
@@ -5005,7 +5697,7 @@ async function reviewersFetch(reviewerName, opts) {
   let tools;
   let mcpServers;
   if (configYaml !== null) {
-    const parsed = parseYaml5(configYaml) ?? {};
+    const parsed = parseYaml6(configYaml) ?? {};
     if (Array.isArray(parsed.tools)) {
       tools = parseToolsLoose(parsed.tools);
     }
@@ -5013,7 +5705,7 @@ async function reviewersFetch(reviewerName, opts) {
       mcpServers = validateMcpServersFromSource(parsed.mcp_servers, source, ref);
     }
   }
-  const promptPath = join9(reviewersDir, `${reviewerName}.md`);
+  const promptPath = join10(reviewersDir, `${reviewerName}.md`);
   const promptBytes = Buffer.from(promptText, "utf8");
   const promptSha = hashPromptBytes(promptBytes);
   const toolsSha = hashTools(tools);
@@ -5037,7 +5729,7 @@ async function reviewersFetch(reviewerName, opts) {
       mcpSha
     );
   }
-  writeFileSync11(promptPath, promptBytes);
+  writeFileSync12(promptPath, promptBytes);
   const lock = {
     version: LOCK_FILE_VERSION,
     source,
@@ -5266,7 +5958,7 @@ function buildConfigYamlHint(reviewerName, tools, mcpServers) {
 }
 function launchEditor(path2) {
   const editor = process.env["EDITOR"] ?? process.env["VISUAL"] ?? (process.platform === "win32" ? "notepad" : "vi");
-  const result = spawnSync6(editor, [path2], { stdio: "inherit" });
+  const result = spawnSync7(editor, [path2], { stdio: "inherit" });
   if (result.error) {
     throw new Error(
       `failed to launch editor "${editor}": ${result.error.message}`
@@ -5278,11 +5970,11 @@ function launchEditor(path2) {
 }
 // src/commands/status.ts
-import { existsSync as existsSync17 } from "fs";
+import { existsSync as existsSync18 } from "fs";
 function runStatus(opts) {
   const repoRoot = findRepoRoot();
   const configPath = stampConfigFile(repoRoot);
-  if (!existsSync17(configPath)) {
+  if (!existsSync18(configPath)) {
     throw new Error(
       `no .stamp/config.yml at ${configPath}. Run \`stamp init\` first.`
     );
@@ -5350,17 +6042,17 @@ function printGate(result, base_sha, head_sha) {
 }
 // src/commands/update.ts
-import { spawnSync as spawnSync7 } from "child_process";
+import { spawnSync as spawnSync8 } from "child_process";
 // src/lib/version.ts
-import { readFileSync as readFileSync10 } from "fs";
-import { dirname as dirname5, join as join10 } from "path";
+import { readFileSync as readFileSync12 } from "fs";
+import { dirname as dirname5, join as join11 } from "path";
 import { fileURLToPath } from "url";
 function readPackageVersion() {
   const here = dirname5(fileURLToPath(import.meta.url));
   for (let dir = here, i = 0; i < 6; i++) {
     try {
-      const raw = readFileSync10(join10(dir, "package.json"), "utf8");
+      const raw = readFileSync12(join11(dir, "package.json"), "utf8");
       const pkg = JSON.parse(raw);
       if (pkg.name === "@openthink/stamp" && pkg.version) return pkg.version;
     } catch {
@@ -5391,7 +6083,7 @@ function runUpdate() {
 `);
   process.stdout.write(`checking npm registry for latest...
 `);
-  const viewResult = spawnSync7("npm", ["view", PKG_NAME, "version"], {
+  const viewResult = spawnSync8("npm", ["view", PKG_NAME, "version"], {
     encoding: "utf8"
   });
   if (viewResult.error || viewResult.status !== 0) {
@@ -5425,7 +6117,7 @@ function runUpdate() {
   }
   process.stdout.write(`installing ${PKG_NAME}@${latest}...
 `);
-  const installResult = spawnSync7(
+  const installResult = spawnSync8(
     "npm",
     ["install", "-g", `${PKG_NAME}@${latest}`],
     { stdio: "inherit" }
@@ -5446,9 +6138,9 @@ through that tool instead \u2014 this command only uses 'npm install -g'.`
 }
 // src/commands/verify.ts
-import { execFileSync as execFileSync2, spawnSync as spawnSync8 } from "child_process";
+import { execFileSync as execFileSync2, spawnSync as spawnSync9 } from "child_process";
 function loadConfigAtSha(sha, repoRoot) {
-  const result = spawnSync8(
+  const result = spawnSync9(
     "git",
     ["show", `${sha}:.stamp/config.yml`],
     { cwd: repoRoot, encoding: "utf8", maxBuffer: 16 * 1024 * 1024 }
@@ -5694,6 +6386,9 @@ program.command("init").description(
   "--remote <name>",
   "remote name to inspect for deployment-shape detection (default: origin)",
   "origin"
+).option(
+  "--no-oteam",
+  "bypass the oteam-detection prompt that offers to fill stamp.host in ~/.open-team/config.json"
 ).action(
   (opts) => {
     try {
@@ -5714,7 +6409,8 @@ program.command("init").description(
         bootstrapCommit: opts.bootstrapCommit,
         ghProtect: opts.ghProtect,
         mode,
-        remote: opts.remote
+        remote: opts.remote,
+        oteam: opts.oteam
       });
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
@@ -5757,8 +6453,8 @@ program.command("bootstrap").description(
     }
   }
 );
-program.command("provision <name>").description(
-  "single-command server-gated repo setup: provision a bare repo on the stamp server (~/.stamp/server.yml or --server), clone it, run bootstrap, optionally create a GitHub mirror + apply the Ruleset"
+program.command("provision [name]").description(
+  "single-command server-gated repo setup: provision a bare repo on the stamp server (~/.stamp/server.yml or --server), clone it, run bootstrap, optionally create a GitHub mirror + apply the Ruleset. With --migrate-bypass, migrate an existing server-gated repo's Ruleset bypass from OrganizationAdmin to a per-repo DeployKey actor (cwd's .stamp/mirror.yml identifies the target; <name> is ignored)."
 ).option(
   "--server <host:port>",
   "override ~/.stamp/server.yml with an inline endpoint"
@@ -5774,11 +6470,22 @@ program.command("provision <name>").description(
 ).option("--no-mirror", "skip GitHub mirror creation + .stamp/mirror.yml").option("--no-ruleset", "skip applying the GitHub Ruleset on the mirror").option("--dry-run", "print the plan without making changes").option(
   "--migrate-existing",
   "brownfield: migrate the existing repo at cwd (with .stamp/ committed and origin \u2192 github) to server-gated; preserves history, renames origin \u2192 github, points new origin at the stamp server"
+).option(
+  "--migrate-bypass",
+  "migrate an existing server-gated repo's stamp-mirror-only Ruleset bypass actor from OrganizationAdmin to a per-repo DeployKey. Identifies the target via cwd's .stamp/mirror.yml. Additive by default (DeployKey added alongside existing actors); pair with --remove-orgadmin to also strip OrganizationAdmin from the bypass list"
+).option(
+  "--remove-orgadmin",
+  "under --migrate-bypass, also remove OrganizationAdmin from the ruleset's bypass list. Verify the DeployKey transport works (one stamp push) before running this \u2014 there is no automated push-verification step"
 ).action(
   async (name, opts) => {
     try {
       await runProvision({
-        name,
+        // ProvisionOptions.name is typed `string` so the rest of the
+        // downstream readers don't have to narrow. Empty placeholder
+        // for --migrate-bypass (which doesn't read it); the validation
+        // block in runProvision requires a non-empty name in all other
+        // modes.
+        name: name ?? "",
         server: opts.server,
         org: opts.org,
         into: opts.into,
@@ -5786,7 +6493,9 @@ program.command("provision <name>").description(
         noMirror: !opts.mirror,
         noRuleset: !opts.ruleset,
         dryRun: opts.dryRun,
-        migrateExisting: opts.migrateExisting
+        migrateExisting: opts.migrateExisting,
+        migrateBypass: opts.migrateBypass,
+        removeOrgadmin: opts.removeOrgadmin
       });
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
@@ -5821,6 +6530,21 @@ server.command("config [host:port]").description(
     }
   }
 );
+server.command("pubkey").description(
+  "print a stamp-server-managed GitHub mirror-push deploy-key public half \u2014 single OpenSSH line, pipe-able into `gh api -X POST /repos/:o/:r/keys --field key=@-` to register as a deploy key. Without --repo, returns the legacy shared key (back-compat). With --repo <owner/repo>, returns a per-repo key that the server lazily generates on first request \u2014 preferred for new migrations because GitHub rejects re-registering the same key on a second repo."
+).option(
+  "--server <host:port>",
+  "override ~/.stamp/server.yml for this call"
+).option(
+  "--repo <owner>/<repo>",
+  "fetch the per-repo deploy key for this GitHub mirror (lazy-generated server-side on first request)"
+).action((opts) => {
+  try {
+    runServerPubkey({ server: opts.server, repo: opts.repo });
+  } catch (err) {
+    handleCliError(err);
+  }
+});
 var config = program.command("config").description(
   "manage per-user stamp config at ~/.stamp/config.yml \u2014 operator-level knobs that shouldn't be committed. Per-repo policy lives in `.stamp/config.yml`."
 );
@@ -5905,7 +6629,7 @@ serverRepo.command("restore <name>").description("restore the most recent soft-d
   }
 );
 program.command("review").description(
-  "run configured reviewer(s) against a diff. Reviewer config + prompts are sourced from the merge-base tree (security: prevents feature-branch self-review). For lock-file drift checks, use `stamp reviewers verify` (which exits 3 on drift)."
+  "run configured reviewer(s) against a diff. Reviewer config + prompts are sourced from the merge-base tree (security: prevents feature-branch self-review). For lock-file drift checks, use `stamp reviewers verify` (which exits 3 on drift). Reviewer execution budgets are env-tunable: STAMP_REVIEWER_MAX_TURNS (default 8) caps the model/tool round-trip count, STAMP_REVIEWER_TIMEOUT_MS (default 300000) bounds wall-clock time. Raise them when a reviewer with heavy lookup tools (Linear / GitHub MCP, multi-file Read) fails with subtype=error_max_turns or the abort message \u2014 see docs/troubleshooting.md."
 ).requiredOption("--diff <revspec>", "git revspec to review, e.g. main..HEAD").option("--only <reviewer>", "run a single reviewer by name").option(
   "--allow-large",
   "bypass the 200KB diff size cap (raise STAMP_REVIEW_DIFF_CAP_BYTES for a different threshold)"