@reddoorla/maintenance 0.33.0 → 0.35.0

package/dist/cli/bin.js

@@ -19,13 +19,17 @@ function defaultCredentialsPath() {
 }
 function parseEnvFile(contents) {
   const out = {};
-  for (const rawLine of contents.split(/\r?\n/)) {
-    const line = rawLine.trim();
-    if (!line || line.startsWith("#")) continue;
+  const lines = contents.split(/\r?\n/);
+  for (let i = 0; i < lines.length; i++) {
+    const trimmed = lines[i].trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const line = trimmed.replace(/^export\s+/, "");
     const eq = line.indexOf("=");
-    if (eq <= 0) continue;
-    const key = line.slice(0, eq).trim();
-    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) continue;
+    const key = eq > 0 ? line.slice(0, eq).trim() : "";
+    if (eq <= 0 || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(key)) {
+      console.warn(`credentials: skipping unparseable line ${i + 1}: ${trimmed}`);
+      continue;
+    }
     let value = line.slice(eq + 1).trim();
     if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
       value = value.slice(1, -1);
@@ -57,76 +61,19 @@ var init_credentials = __esm({
   }
 });
 
-// src/audits/util/spawn.ts
-import { spawn } from "child_process";
-function makeSpawn(internals = {}) {
-  const spawnImpl = internals.spawnImpl ?? spawn;
-  const killImpl = internals.killImpl ?? ((pid, sig) => process.kill(pid, sig));
-  const killGraceMs = internals.killGraceMs ?? 5e3;
-  const maxOutputBytes = internals.maxOutputBytes ?? 10 * 1024 * 1024;
-  return (cmd, args, opts = {}) => new Promise((resolve12, reject) => {
-    const streaming = opts.streaming === true;
-    const child = spawnImpl(cmd, [...args], {
-      cwd: opts.cwd,
-      env: opts.env ?? process.env,
-      stdio: streaming ? ["ignore", "inherit", "inherit"] : ["ignore", "pipe", "pipe"],
-      // Detach ONLY when a timeout can fire: the child then leads its own
-      // process group, so the timeout can kill the WHOLE tree (vite, and
-      // Chromium under lhci/playwright) via process.kill(-pid), not just the
-      // npx/pnpm wrapper. Without it, killing the wrapper orphaned the
-      // grandchildren — a zombie vite squatting its port, Chrome left running.
-      // We do NOT detach timeout-less streaming calls (pnpm install/up):
-      // detaching gains nothing there (no timeout → no group-kill) and would
-      // break terminal Ctrl-C, which only reaches the foreground group — i.e.
-      // it would re-orphan the very children this guards. We never unref() the
-      // child since we still await it.
-      detached: opts.timeoutMs !== void 0
-    });
-    const cap = (acc, chunk) => {
-      if (acc.length >= maxOutputBytes) return acc;
-      const next = acc + chunk;
-      return next.length > maxOutputBytes ? next.slice(0, maxOutputBytes) + TRUNCATION_MARKER : next;
-    };
-    let stdout = "";
-    let stderr = "";
-    if (!streaming) {
-      child.stdout?.on("data", (chunk) => stdout = cap(stdout, String(chunk)));
-      child.stderr?.on("data", (chunk) => stderr = cap(stderr, String(chunk)));
-    }
-    const killGroup = (sig) => {
-      if (child.pid === void 0) return;
-      try {
-        killImpl(-child.pid, sig);
-      } catch {
-      }
-    };
-    let killTimer;
-    const timer = opts.timeoutMs ? setTimeout(() => {
-      killGroup("SIGTERM");
-      killTimer = setTimeout(() => killGroup("SIGKILL"), killGraceMs);
-      killTimer.unref();
-      reject(new Error(`spawn timeout after ${opts.timeoutMs}ms: ${cmd}`));
-    }, opts.timeoutMs) : void 0;
-    const clearTimers = () => {
-      if (timer) clearTimeout(timer);
-      if (killTimer) clearTimeout(killTimer);
-    };
-    child.on("error", (err) => {
-      clearTimers();
-      reject(err);
-    });
-    child.on("close", (code) => {
-      clearTimers();
-      resolve12({ code: code ?? -1, stdout, stderr });
-    });
-  });
+// src/util/url.ts
+function isHttpUrl(s) {
+  let parsed;
+  try {
+    parsed = new URL(s);
+  } catch {
+    return false;
+  }
+  return parsed.protocol === "http:" || parsed.protocol === "https:";
 }
-var TRUNCATION_MARKER, defaultSpawn;
-var init_spawn = __esm({
-  "src/audits/util/spawn.ts"() {
+var init_url = __esm({
+  "src/util/url.ts"() {
     "use strict";
-    TRUNCATION_MARKER = "\n\u2026[output truncated]";
-    defaultSpawn = makeSpawn();
   }
 });
 
@@ -171,6 +118,7 @@ __export(websites_exports, {
   mapRow: () => mapRow,
   siteSlug: () => siteSlug,
   updateA11yCounts: () => updateA11yCounts,
+  updateAuditFields: () => updateAuditFields,
   updateDepsCounts: () => updateDepsCounts,
   updateGitHubSignals: () => updateGitHubSignals,
   updateLaunched: () => updateLaunched,
@@ -255,23 +203,19 @@ async function getWebsiteBySlug(base, slug) {
   });
   return rows.find((w) => siteSlug(w.name) === slug) ?? null;
 }
-async function updateScores(base, recordId, scores) {
-  const fields = {
+function scoreFields(scores) {
+  return {
     pScore: scores.performance,
     rScore: scores.accessibility,
     bpScore: scores.bestPractices,
     seoScore: scores.seo,
     "Last lighthouse audit at": (/* @__PURE__ */ new Date()).toISOString()
   };
-  await base(WEBSITES_TABLE).update([{ id: recordId, fields }]);
 }
-async function updateA11yCounts(base, recordId, counts) {
-  const fields = {
-    "A11y Violations": counts.violations
-  };
-  await base(WEBSITES_TABLE).update([{ id: recordId, fields }]);
+function a11yFields(counts) {
+  return { "A11y Violations": counts.violations };
 }
-async function updateDepsCounts(base, recordId, counts) {
+function depsFields(counts) {
   const fields = {
     "Deps Drifted": counts.drifted,
     "Deps Major Behind": counts.majorBehind
@@ -279,16 +223,36 @@ async function updateDepsCounts(base, recordId, counts) {
   if (counts.outdated !== null) {
     fields["Deps Outdated"] = counts.outdated;
   }
-  await base(WEBSITES_TABLE).update([{ id: recordId, fields }]);
+  return fields;
 }
-async function updateSecurityCounts(base, recordId, counts) {
-  const fields = {
+function securityFields(counts) {
+  return {
     "Security Vulns Critical": counts.critical,
     "Security Vulns High": counts.high,
     "Security Vulns Moderate": counts.moderate,
     "Security Vulns Low": counts.low
   };
+}
+async function updateScores(base, recordId, scores) {
+  await base(WEBSITES_TABLE).update([{ id: recordId, fields: scoreFields(scores) }]);
+}
+async function updateA11yCounts(base, recordId, counts) {
+  await base(WEBSITES_TABLE).update([{ id: recordId, fields: a11yFields(counts) }]);
+}
+async function updateDepsCounts(base, recordId, counts) {
+  await base(WEBSITES_TABLE).update([{ id: recordId, fields: depsFields(counts) }]);
+}
+async function updateSecurityCounts(base, recordId, counts) {
+  await base(WEBSITES_TABLE).update([{ id: recordId, fields: securityFields(counts) }]);
+}
+async function updateAuditFields(base, recordId, audits) {
+  const fields = {};
+  if (audits.scores) Object.assign(fields, scoreFields(audits.scores));
+  if (audits.a11y) Object.assign(fields, a11yFields(audits.a11y));
+  if (audits.deps) Object.assign(fields, depsFields(audits.deps));
+  if (audits.security) Object.assign(fields, securityFields(audits.security));
   await base(WEBSITES_TABLE).update([{ id: recordId, fields }]);
+  return fields;
 }
 async function updateGitHubSignals(base, recordId, signals) {
   const fields = {
@@ -327,16 +291,28 @@ function fromAirtableBase(base, opts = {}) {
       );
     }
     const websites = await listWebsites(base);
-    return websites.filter((w) => AUDITABLE_STATUSES.has(w.status ?? "") && w.url.length > 0).map((w) => {
+    return websites.filter((w) => AUDITABLE_STATUSES.has(w.status ?? "") && w.url.length > 0).flatMap((w) => {
       const slug = siteSlug(w.name);
+      if (slug.length === 0) {
+        console.warn(
+          `[inventory] skipping "${w.name}" (row ${w.id}): Name has no slug-able characters (empty slug)`
+        );
+        return [];
+      }
       const site = {
         path: `${workdir}/${slug}`,
         name: slug,
-        deployedUrl: w.url,
         meta: { airtableRowId: w.id, displayName: w.name }
       };
+      if (isHttpUrl(w.url)) {
+        site.deployedUrl = w.url;
+      } else {
+        console.warn(
+          `[inventory] skipping deployed audit for "${w.name}": url is not http(s): ${JSON.stringify(w.url)}`
+        );
+      }
       if (w.gitRepo) site.gitRepo = w.gitRepo;
-      return site;
+      return [site];
     });
   };
 }
@@ -345,6 +321,7 @@ var init_airtable = __esm({
   "src/inventory/airtable.ts"() {
     "use strict";
     init_websites();
+    init_url();
     AUDITABLE_STATUSES = /* @__PURE__ */ new Set(["maintenance", "launch period"]);
   }
 });
@@ -357,7 +334,7 @@ __export(lighthouse_airtable_exports, {
   resolveSlugFromCwd: () => resolveSlugFromCwd
 });
 import { readFile as readFile7 } from "fs/promises";
-import { join as join9 } from "path";
+import { join as join10 } from "path";
 function hasRealScores(result) {
   if (result.audit !== "lighthouse") return false;
   const details = result.details ?? {};
@@ -382,7 +359,7 @@ function lighthouseScoresFromResult(result) {
 }
 async function resolveSlugFromCwd(cwd) {
   try {
-    const pkgPath = join9(cwd, "package.json");
+    const pkgPath = join10(cwd, "package.json");
     const raw = await readFile7(pkgPath, "utf-8");
     const pkg = JSON.parse(raw);
     if (!pkg.name) throw new Error("package.json has no 'name' field");
@@ -488,30 +465,34 @@ async function writeAuditsToAirtable(args) {
     throw Object.assign(new Error(`No Websites row matched slug "${slug}"`), { exitCode: 2 });
   }
   const writes = [];
+  const audits = {};
   const lhHasScores = hasRealScores(lhResult);
   if (lhHasScores) {
     const scores = lighthouseScoresFromResult(lhResult);
-    await updateScores(base, target.id, scores);
+    audits.scores = scores;
     writes.push({ audit: "lighthouse", counts: scores });
   }
   const a11y = results.find((r) => r.audit === "a11y");
   if (a11y && hasA11yCounts(a11y)) {
     const counts = a11yCountsFromResult(a11y);
-    await updateA11yCounts(base, target.id, counts);
+    audits.a11y = counts;
     writes.push({ audit: "a11y", counts });
   }
   const deps = results.find((r) => r.audit === "deps");
   if (deps && hasDepsCounts(deps)) {
     const counts = depsCountsFromResult(deps);
-    await updateDepsCounts(base, target.id, counts);
+    audits.deps = counts;
     writes.push({ audit: "deps", counts });
   }
   const sec = results.find((r) => r.audit === "security");
   if (sec && hasSecurityCounts(sec)) {
     const counts = securityCountsFromResult(sec);
-    await updateSecurityCounts(base, target.id, counts);
+    audits.security = counts;
     writes.push({ audit: "security", counts });
   }
+  if (Object.keys(audits).length > 0) {
+    await updateAuditFields(base, target.id, audits);
+  }
   if (!lhHasScores) {
     const persisted = writes.map((w) => w.audit);
     throw Object.assign(
@@ -566,187 +547,16 @@ var init_write_audits_to_airtable = __esm({
   }
 });
 
-// src/github/gh.ts
-function mapRollupState(state) {
-  switch (state) {
-    case "SUCCESS":
-      return "passing";
-    case "FAILURE":
-    case "ERROR":
-      return "failing";
-    case "PENDING":
-    case "EXPECTED":
-      return "pending";
-    default:
-      return "none";
-  }
+// src/reports/airtable/reports.ts
+function toReportType(raw) {
+  if (raw && REPORT_TYPES.includes(raw)) return raw;
+  if (raw)
+    console.warn(`[reports] unknown Report type ${JSON.stringify(raw)} \u2014 treating as Maintenance`);
+  return "Maintenance";
 }
-function makeGitHub(deps) {
-  const spawn2 = deps.spawn ?? defaultSpawn;
-  const env = { ...process.env, GH_TOKEN: deps.token };
-  async function gh(args) {
-    const r = await spawn2("gh", args, { env, timeoutMs: 6e4 });
-    if (r.code !== 0) throw new Error(`gh ${args[0]} failed (code ${r.code}): ${r.stderr.trim()}`);
-    return r.stdout;
-  }
-  return {
-    async openPullRequest(repo, pr) {
-      const out = await gh([
-        "pr",
-        "create",
-        "--repo",
-        repo,
-        "--head",
-        pr.head,
-        "--base",
-        pr.base,
-        "--title",
-        pr.title,
-        "--body",
-        pr.body
-      ]);
-      return { url: out.trim() };
-    },
-    async enableRepoAutoMerge(repo) {
-      await gh(["api", "-X", "PATCH", `repos/${repo}`, "-F", "allow_auto_merge=true"]);
-    },
-    async protectBranch(repo, branch, requiredChecks) {
-      const args = [
-        "api",
-        "-X",
-        "PUT",
-        `repos/${repo}/branches/${branch}/protection`,
-        "-H",
-        "Accept: application/vnd.github+json",
-        "-F",
-        "required_status_checks[strict]=true",
-        ...requiredChecks.flatMap((c) => ["-f", `required_status_checks[contexts][]=${c}`]),
-        "-F",
-        "enforce_admins=true",
-        "-F",
-        "required_pull_request_reviews=null",
-        "-F",
-        "restrictions=null"
-      ];
-      await gh(args);
-    },
-    async setRepoSecret(repo, name, value) {
-      await gh(["secret", "set", name, "--repo", repo, "--body", value]);
-    },
-    async repoExists(repo) {
-      const r = await spawn2("gh", ["api", `repos/${repo}`], { env, timeoutMs: 6e4 });
-      return r.code === 0;
-    },
-    async defaultBranch(repo) {
-      const out = await gh(["api", `repos/${repo}`, "--jq", ".default_branch"]);
-      return out.trim();
-    },
-    // filesOnBranch and branchProtectionContexts call `spawn` directly (not the
-    // throwing `gh()` helper) because a 404 is an expected, meaningful answer —
-    // "file/protection absent" — not an error. The remaining readers use `gh()`
-    // since a non-200 there is a genuine failure (e.g. missing token scope).
-    async filesOnBranch(repo, branch, paths) {
-      const present = [];
-      for (const p of paths) {
-        const r = await spawn2("gh", [`api`, `repos/${repo}/contents/${p}?ref=${branch}`], {
-          env,
-          timeoutMs: 6e4
-        });
-        if (r.code === 0) present.push(p);
-      }
-      return present;
-    },
-    async branchProtectionContexts(repo, branch) {
-      const r = await spawn2(
-        "gh",
-        [
-          "api",
-          `repos/${repo}/branches/${branch}/protection`,
-          "--jq",
-          ".required_status_checks.contexts[]?"
-        ],
-        { env, timeoutMs: 6e4 }
-      );
-      if (r.code !== 0) return [];
-      return r.stdout.split("\n").map((l) => l.trim()).filter((l) => l.length > 0);
-    },
-    async secretExists(repo, name) {
-      const out = await gh(["api", `repos/${repo}/actions/secrets`, "--jq", ".secrets[].name"]);
-      return out.split("\n").map((l) => l.trim()).includes(name);
-    },
-    async autoMergeEnabled(repo) {
-      const out = await gh(["api", `repos/${repo}`, "--jq", ".allow_auto_merge"]);
-      return out.trim() === "true";
-    },
-    async findOpenSelfUpdatingPR(repo) {
-      const out = await gh([
-        "api",
-        `repos/${repo}/pulls?state=open`,
-        "--jq",
-        '.[] | select(.head.ref | startswith("maint/self-updating-")) | .html_url'
-      ]);
-      const first = out.split("\n").map((l) => l.trim()).find((l) => l.length > 0);
-      return first ?? null;
-    },
-    async openPullRequests(repo) {
-      const [owner, name, ...rest] = repo.split("/");
-      if (!owner || !name || rest.length > 0) {
-        throw new Error(`openPullRequests: expected "owner/repo", got "${repo}"`);
-      }
-      const query = "query($owner:String!,$name:String!){repository(owner:$owner,name:$name){pullRequests(states:OPEN,first:100,orderBy:{field:CREATED_AT,direction:DESC}){nodes{number title url headRefName commits(last:1){nodes{commit{statusCheckRollup{state}}}}}}}}";
-      const out = await gh([
-        "api",
-        "graphql",
-        "-f",
-        `query=${query}`,
-        "-F",
-        `owner=${owner}`,
-        "-F",
-        `name=${name}`
-      ]);
-      const parsed = JSON.parse(out);
-      const nodes = parsed.data?.repository?.pullRequests?.nodes ?? [];
-      return nodes.map((n) => ({
-        number: n.number,
-        title: n.title,
-        url: n.url,
-        headRef: n.headRefName,
-        ciState: mapRollupState(n.commits?.nodes?.[0]?.commit?.statusCheckRollup?.state)
-      }));
-    },
-    async defaultBranchStatus(repo) {
-      const [owner, name, ...rest] = repo.split("/");
-      if (!owner || !name || rest.length > 0) {
-        throw new Error(`defaultBranchStatus: expected "owner/repo", got "${repo}"`);
-      }
-      const query = "query($owner:String!,$name:String!){repository(owner:$owner,name:$name){defaultBranchRef{target{... on Commit{committedDate statusCheckRollup{state}}}}}}";
-      const out = await gh([
-        "api",
-        "graphql",
-        "-f",
-        `query=${query}`,
-        "-F",
-        `owner=${owner}`,
-        "-F",
-        `name=${name}`
-      ]);
-      const parsed = JSON.parse(out);
-      const target = parsed.data?.repository?.defaultBranchRef?.target;
-      return {
-        ciState: mapRollupState(target?.statusCheckRollup?.state),
-        lastCommitAt: target?.committedDate ?? null
-      };
-    }
-  };
+function isPendingApproval(r) {
+  return r.draftReady && !r.approvedToSend && r.sentAt === null;
 }
-var init_gh = __esm({
-  "src/github/gh.ts"() {
-    "use strict";
-    init_spawn();
-  }
-});
-
-// src/reports/airtable/reports.ts
 function mapRow2(rec) {
   const f = rec.fields;
   const linkSites = f["Site"] ?? [];
@@ -755,7 +565,7 @@ function mapRow2(rec) {
     id: rec.id,
     reportId: String(f["Report ID"] ?? ""),
     siteId: linkSites[0] ?? "",
-    reportType: f["Report type"] ?? "Maintenance",
+    reportType: toReportType(f["Report type"]),
     period: f["Period"] ?? null,
     periodStart: f["Period start"] ?? null,
     periodEnd: f["Period end"] ?? null,
@@ -821,6 +631,16 @@ async function createDraft(base, input) {
 async function setDraftReady(base, recordId, ready) {
   await base(REPORTS_TABLE).update([{ id: recordId, fields: { "Draft ready": ready } }]);
 }
+async function updateReportScores(base, recordId, scores, completedOn) {
+  const fields = {
+    "Lighthouse \u2014 Performance": scores.performance,
+    "Lighthouse \u2014 Accessibility": scores.accessibility,
+    "Lighthouse \u2014 Best Practices": scores.bestPractices,
+    "Lighthouse \u2014 SEO": scores.seo
+  };
+  if (completedOn) fields["Completed on"] = ymd(completedOn);
+  await base(REPORTS_TABLE).update([{ id: recordId, fields }]);
+}
 async function listSendableReports(base) {
   const out = [];
   await base(REPORTS_TABLE).select({
@@ -844,13 +664,12 @@ async function listReportsForSite(base, siteId) {
   return (await listAllReports(base)).filter((r) => r.siteId === siteId);
 }
 async function stampSent(base, recordId, sentAt, messageId) {
+  const fields = { "Sent at": sentAt.toISOString() };
+  if (messageId !== null) fields["Resend message ID"] = messageId;
   await base(REPORTS_TABLE).update([
     {
       id: recordId,
-      fields: {
-        "Sent at": sentAt.toISOString(),
-        "Resend message ID": messageId
-      }
+      fields
     }
   ]);
 }
@@ -865,11 +684,12 @@ async function findReportByPeriod(base, siteId, reportType, period) {
   });
   return rows.find((r) => r.siteId === siteId) ?? null;
 }
-var REPORTS_TABLE;
+var REPORTS_TABLE, REPORT_TYPES;
 var init_reports = __esm({
   "src/reports/airtable/reports.ts"() {
     "use strict";
     REPORTS_TABLE = "Reports";
+    REPORT_TYPES = ["Maintenance", "Testing", "Launch"];
   }
 });
 
@@ -937,18 +757,18 @@ var init_copy = __esm({
 // src/reports/maintenance-email/assets/index.ts
 import { readFile as readFile13 } from "fs/promises";
 import { existsSync as existsSync3 } from "fs";
-import { dirname as dirname4, join as join24 } from "path";
+import { dirname as dirname4, join as join25 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 function resolveAssetsDir() {
   if (cachedAssetsDir) return cachedAssetsDir;
   let dir = dirname4(fileURLToPath2(import.meta.url));
   while (true) {
-    const srcCandidate = join24(dir, "src", "reports", "maintenance-email", "assets", "check.png");
+    const srcCandidate = join25(dir, "src", "reports", "maintenance-email", "assets", "check.png");
     if (existsSync3(srcCandidate)) {
       cachedAssetsDir = dirname4(srcCandidate);
       return cachedAssetsDir;
     }
-    const distCandidate = join24(dir, "dist", "reports", "maintenance-email", "assets", "check.png");
+    const distCandidate = join25(dir, "dist", "reports", "maintenance-email", "assets", "check.png");
     if (existsSync3(distCandidate)) {
       cachedAssetsDir = dirname4(distCandidate);
       return cachedAssetsDir;
@@ -965,8 +785,8 @@ function resolveAssetsDir() {
 async function loadBundledImages() {
   const assetsDir = resolveAssetsDir();
   const [check, blurred] = await Promise.all([
-    readFile13(join24(assetsDir, "check.png")),
-    readFile13(join24(assetsDir, "blurredTests.jpg"))
+    readFile13(join25(assetsDir, "check.png")),
+    readFile13(join25(assetsDir, "blurredTests.jpg"))
   ]);
   return {
     check: {
@@ -993,9 +813,19 @@ var init_assets = __esm({
   }
 });
 
+// src/util/html.ts
+function escapeHtml(s) {
+  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+var init_html = __esm({
+  "src/util/html.ts"() {
+    "use strict";
+  }
+});
+
 // src/reports/maintenance-email/template.ts
 function fmtDate(d) {
-  if (!d) return "";
+  if (!d || Number.isNaN(d.getTime())) return "";
   const mm = String(d.getUTCMonth() + 1).padStart(2, "0");
   const dd = String(d.getUTCDate()).padStart(2, "0");
   const yyyy = d.getUTCFullYear();
@@ -1004,9 +834,6 @@ function fmtDate(d) {
 function fmtUsers(n) {
   return n.toLocaleString("en-US");
 }
-function escapeXml(s) {
-  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
-}
 function trendText(color, text) {
   return `<mj-text color="${color}" font-family="helvetica, sans-serif" font-size="16px" font-weight="300" line-height="24px">${text}</mj-text>`;
 }
@@ -1024,14 +851,14 @@ function analyticsTrendLine(cur, prev) {
   return trendText(TREND_NEUTRAL, `No change vs last period (${fmtUsers(prev)})`);
 }
 function maintenanceChecksSection(copy, searchPosition) {
-  const googleLabel = searchPosition !== void 0 ? `Page 1 Google Result (#${searchPosition})` : copy.maintenanceChecks[3];
+  const googleLabel = searchPosition !== void 0 ? `Page 1 Google Result (#${searchPosition})` : copy.maintenanceChecks[3] ?? "";
   const rows = copy.maintenanceChecks.map((label, i) => i === 3 ? googleLabel : label);
   return rows.map(
     (label, i) => `
     <mj-section background-color="white" padding="0px"${i === rows.length - 1 ? ' padding-bottom="36px"' : ""}>
       <mj-group>
         <mj-column padding-left="0px" width="90%"${i < rows.length - 1 ? ' border-bottom="solid #CCCCCC 1px"' : ""}>
-          <mj-text height="25px" padding-left="0px" color="#757575" padding-top="20px" padding-bottom="7.5px" font-size="16px">${label}</mj-text>
+          <mj-text height="25px" padding-left="0px" color="#757575" padding-top="20px" padding-bottom="7.5px" font-size="16px">${escapeXml(label)}</mj-text>
         </mj-column>
         <mj-column width="10%"${i < rows.length - 1 ? ' border-bottom="solid #CCCCCC 1px"' : ""} padding-top="15px">
           <mj-image align="right" padding-right="0px" width="20px" height="20px" padding-top="2.5px" padding-bottom="15px" src="${CHECK_PNG}" />
@@ -1047,7 +874,7 @@ function testingChecklistSection(copy) {
     <mj-section background-color="#F4F4F4" padding="0px"${i === rows.length - 1 ? ' padding-bottom="60px"' : ""}>
       <mj-group>
         <mj-column width="90%" padding-left="0px"${i < rows.length - 1 ? ' border-bottom="solid #CCCCCC 1px"' : ""}>
-          <mj-text height="25px" padding-left="0px" color="#757575" padding-top="20px" padding-bottom="7.5px" font-size="16px">${label}</mj-text>
+          <mj-text height="25px" padding-left="0px" color="#757575" padding-top="20px" padding-bottom="7.5px" font-size="16px">${escapeXml(label)}</mj-text>
         </mj-column>
         <mj-column width="10%"${i < rows.length - 1 ? ' border-bottom="solid #CCCCCC 1px"' : ""} padding-top="15px">
           <mj-image align="right" padding-right="0px" width="20px" height="20px" padding-top="2.5px" padding-bottom="15px" src="${CHECK_PNG}" />
@@ -1083,7 +910,7 @@ function commentarySection(text, copy) {
     <mj-section background-color="white">
       <mj-column>
         <mj-text color="#C00" font-size="20px" font-weight="700" padding-top="55px">${escapeXml(copy.notesHeader)}</mj-text>
-        <mj-text color="#757575" font-family="helvetica, sans-serif" font-size="16px" font-weight="300" line-height="24px">${escapeXml(text).replace(/\n/g, "<br/>")}</mj-text>
+        <mj-text color="#757575" font-family="helvetica, sans-serif" font-size="16px" font-weight="300" line-height="24px">${escapeXml(text).replace(/\r\n?|\n/g, "<br/>")}</mj-text>
       </mj-column>
     </mj-section>`;
 }
@@ -1093,7 +920,7 @@ function hasHeaderDims(data) {
 function headerImageTag(data) {
   const src = `cid:${data.headerImageCid}`;
   const alt = `${escapeXml(data.siteName)} maintenance report`;
-  const href = escapeXml(data.siteUrl);
+  const href = isHttpUrl(data.siteUrl) ? escapeXml(data.siteUrl) : "#";
   if (hasHeaderDims(data)) {
     return `<mj-image href="${href}" src="${src}" alt="${alt}" width="${data.headerWidth}px" css-class="rd-header" container-background-color="${data.headerBgColor}" />`;
   }
@@ -1170,7 +997,7 @@ function buildMjml(data) {
     (line, i) => i === copy.contact.length - 1 ? `<mj-text font-family="helvetica, sans-serif" font-size="24px" font-weight="300" padding-top="0px" line-height="30px" padding-bottom="36px">${escapeXml(line)}</mj-text>` : `<mj-text font-family="helvetica, sans-serif" font-size="24px" font-weight="300" line-height="30px">${escapeXml(line)}</mj-text>`
   ).join("\n        ")}
         <mj-divider border-width="1px" border-style="solid" border-color="#CCCCCC" padding="0" />
-        <mj-text color="#757575" font-family="helvetica, sans-serif" font-size="12px" font-weight="300" padding-top="24px" line-height="20px" font-style="italic">Copyright ${(/* @__PURE__ */ new Date()).getUTCFullYear()} Reddoor Creative, LLC. All rights reserved.</mj-text>
+        <mj-text color="#757575" font-family="helvetica, sans-serif" font-size="12px" font-weight="300" padding-top="24px" line-height="20px" font-style="italic">Copyright ${(/* @__PURE__ */ new Date()).getUTCFullYear()} ${escapeXml(copy.footerOrg)}. All rights reserved.</mj-text>
         <mj-text color="#757575" font-family="helvetica, sans-serif" font-size="12px" font-weight="700" line-height="16px" padding-top="0" padding-bottom="0px">Our mailing address is:</mj-text>
         ${[copy.footerOrg, ...copy.footerAddress].map(
     (line) => `<mj-text color="#757575" font-family="helvetica, sans-serif" font-size="12px" font-weight="300" line-height="16px" padding-top="0" padding-bottom="0px">${escapeXml(line)}</mj-text>`
@@ -1180,12 +1007,15 @@ function buildMjml(data) {
   </mj-body>
 </mjml>`;
 }
-var CHECK_PNG, BLURRED_TESTS, TREND_UP, TREND_NEUTRAL;
+var escapeXml, CHECK_PNG, BLURRED_TESTS, TREND_UP, TREND_NEUTRAL;
 var init_template = __esm({
   "src/reports/maintenance-email/template.ts"() {
     "use strict";
     init_copy();
     init_assets();
+    init_html();
+    init_url();
+    escapeXml = escapeHtml;
     CHECK_PNG = `cid:${CHECK_CID}`;
     BLURRED_TESTS = `cid:${BLURRED_CID}`;
     TREND_UP = "#2E7D32";
@@ -1272,6 +1102,11 @@ var init_render = __esm({
 });
 
 // src/reports/airtable/attachments.ts
+function looksLikeHtml(bytes) {
+  const start = bytes[0] === 239 && bytes[1] === 187 && bytes[2] === 191 ? 3 : 0;
+  const head = Buffer.from(bytes.slice(start, start + 64)).toString("ascii").replace(/^[\s]+/, "").toLowerCase();
+  return head.startsWith("<!doctype html") || head.startsWith("<html") || head.startsWith("<head");
+}
 async function fetchAttachmentBytes(url) {
   const res = await fetch(url);
   if (!res.ok) {
@@ -1281,7 +1116,14 @@ async function fetchAttachmentBytes(url) {
   }
   const contentType = res.headers.get("content-type") ?? "application/octet-stream";
   const ab = await res.arrayBuffer();
-  return { bytes: new Uint8Array(ab), contentType };
+  const bytes = new Uint8Array(ab);
+  const isImageType = contentType.toLowerCase().startsWith("image/");
+  if (!isImageType && looksLikeHtml(bytes)) {
+    throw new Error(
+      `Airtable attachment did not return image data (content-type="${contentType}", body looks like an HTML page \u2014 the signed URL may have expired) (url=${url})`
+    );
+  }
+  return { bytes, contentType };
 }
 async function uploadAttachment(recordId, fieldName, body, filename, contentType) {
   const apiKey = process.env.AIRTABLE_PAT;
@@ -1342,10 +1184,31 @@ var init_resend = __esm({
   }
 });
 
+// src/reports/send/idempotency.ts
+function isIdempotencyConflict(err) {
+  const message = err instanceof Error ? err.message : String(err);
+  if (/idempotency key has been used/i.test(message)) return true;
+  const e = err;
+  if (e.name === "invalid_idempotent_request") return true;
+  if (e.statusCode === 409) return true;
+  return false;
+}
+var init_idempotency = __esm({
+  "src/reports/send/idempotency.ts"() {
+    "use strict";
+  }
+});
+
 // src/alerts/digest-collectors.ts
 function dashboardUrl(baseUrl, siteName) {
   return `${baseUrl.replace(/\/$/, "")}/s/${siteSlug(siteName)}`;
 }
+function gitHubSignalsStale(swept, now) {
+  if (swept === null) return true;
+  const ageMs = now.getTime() - Date.parse(swept);
+  if (!Number.isFinite(ageMs)) return true;
+  return ageMs > GITHUB_SIGNALS_STALE_DAYS * MS_PER_DAY2;
+}
 function collectVulnAlerts(sites, baseUrl) {
   const items = [];
   for (const s of sites) {
@@ -1403,42 +1266,48 @@ function collectDeliveryFailures(reports, sitesById, baseUrl) {
   }
   return items;
 }
-function renovateFindingsToAttention(result) {
+function collectRenovateAlerts(sites, baseUrl, now = /* @__PURE__ */ new Date()) {
   const items = [];
-  for (const f of result.findings) {
+  for (const s of sites) {
+    if (gitHubSignalsStale(s.githubSignalsAt, now)) continue;
+    const n = s.renovateFailingCis ?? 0;
+    if (n <= 0) continue;
     items.push({
-      key: `renovate:${f.repo}#${f.pr.number}`,
+      key: `renovate:${s.id}`,
       kind: "renovate",
-      siteName: f.site,
-      title: `Renovate update failing CI: ${f.pr.title}`,
-      url: f.pr.url,
+      siteName: s.name,
+      title: `${n} Renovate ${n === 1 ? "PR" : "PRs"} failing CI`,
+      url: dashboardUrl(baseUrl, s.name),
       severity: "warning",
-      metric: 1
+      metric: n
     });
   }
-  if (result.skipped.length > 0) {
+  return items;
+}
+function collectCiAlerts(sites, baseUrl, now = /* @__PURE__ */ new Date()) {
+  const items = [];
+  for (const s of sites) {
+    if (gitHubSignalsStale(s.githubSignalsAt, now)) continue;
+    if (s.defaultBranchCi !== "failing") continue;
     items.push({
-      key: "renovate:skipped",
-      kind: "renovate",
-      siteName: "Fleet checks",
-      title: `Couldn't check ${result.skipped.length} repo(s) for failing Renovate PRs`,
+      key: `ci:${s.id}`,
+      kind: "ci",
+      siteName: s.name,
+      title: "Default-branch CI failing",
+      url: dashboardUrl(baseUrl, s.name),
       severity: "warning",
-      metric: result.skipped.length
+      metric: 1
     });
   }
   return items;
 }
-function buildRenovateProbe() {
-  const token = process.env.RENOVATE_TOKEN?.trim() || process.env.GH_TOKEN?.trim();
-  if (!token) return void 0;
-  return makeGitHub({ token }).openPullRequests;
-}
-var LIGHTHOUSE_FLOOR, LIGHTHOUSE_CATEGORIES2;
+var GITHUB_SIGNALS_STALE_DAYS, MS_PER_DAY2, LIGHTHOUSE_FLOOR, LIGHTHOUSE_CATEGORIES2;
 var init_digest_collectors = __esm({
   "src/alerts/digest-collectors.ts"() {
     "use strict";
     init_websites();
-    init_gh();
+    GITHUB_SIGNALS_STALE_DAYS = 3;
+    MS_PER_DAY2 = 24 * 60 * 60 * 1e3;
     LIGHTHOUSE_FLOOR = 75;
     LIGHTHOUSE_CATEGORIES2 = [
       { field: "pScore", slug: "performance", label: "Performance" },
@@ -1449,48 +1318,6 @@ var init_digest_collectors = __esm({
   }
 });
 
-// src/alerts/renovate.ts
-function isRenovatePR(pr) {
-  return RENOVATE_HEAD_PREFIXES.some((p) => pr.headRef.startsWith(p));
-}
-function isFailingRenovatePR(pr) {
-  return isRenovatePR(pr) && pr.ciState === "failing";
-}
-function siteLabel2(site) {
-  const display = site.meta?.["displayName"];
-  if (typeof display === "string" && display.length > 0) return display;
-  if (typeof site.name === "string" && site.name.length > 0) return site.name;
-  return "unknown";
-}
-async function collectRenovateFailures(sites, probe) {
-  const findings = [];
-  const skipped = [];
-  for (const site of sites) {
-    const repo = site.gitRepo;
-    if (!repo) continue;
-    let prs;
-    try {
-      prs = await probe(repo);
-    } catch {
-      skipped.push(repo);
-      continue;
-    }
-    for (const pr of prs) {
-      if (isFailingRenovatePR(pr)) {
-        findings.push({ site: siteLabel2(site), repo, pr });
-      }
-    }
-  }
-  return { findings, skipped };
-}
-var RENOVATE_HEAD_PREFIXES;
-var init_renovate = __esm({
-  "src/alerts/renovate.ts"() {
-    "use strict";
-    RENOVATE_HEAD_PREFIXES = ["renovate/", "renovate-"];
-  }
-});
-
 // src/alerts/digest-state.ts
 function diffAttention(items, prior, today) {
   const tagged = [];
@@ -1563,9 +1390,6 @@ __export(digest_exports, {
   renderDigestHtml: () => renderDigestHtml,
   runDigest: () => runDigest
 });
-function esc(s) {
-  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
-}
 function readySection(items) {
   const heading = `<h2 style="color:${RED2};font-family:helvetica,sans-serif;font-size:20px;font-weight:700;margin:32px 0 8px">Ready for your yes</h2>`;
   if (items.length === 0) {
@@ -1573,11 +1397,11 @@ function readySection(items) {
   }
   const rows = items.map((it) => {
     const safeUrl = it.dashboardUrl.startsWith("https://") ? it.dashboardUrl : void 0;
-    const link = safeUrl ? `<a href="${esc(safeUrl)}" style="${ANCHOR_STYLE}">review &amp; approve</a>` : `review &amp; approve`;
+    const link = safeUrl ? `<a href="${escapeHtml(safeUrl)}" style="${ANCHOR_STYLE}">review &amp; approve</a>` : `review &amp; approve`;
     return `
       <tr>
         <td style="color:${GREY2};font-family:helvetica,sans-serif;font-size:16px;line-height:24px;padding-bottom:8px">
-          <strong style="color:#222">${esc(it.siteName)}</strong> \u2014 ${esc(it.reportType)} (${esc(it.period)})
+          <strong style="color:#222">${escapeHtml(it.siteName)}</strong> \u2014 ${escapeHtml(it.reportType)} (${escapeHtml(it.period)})
           \u2014 ${link}
         </td>
       </tr>`;
@@ -1608,7 +1432,7 @@ function attentionSection(items) {
     );
     const rows = sorted.map((it) => {
       const safeUrl = it.url?.startsWith("https://") ? it.url : void 0;
-      const titleHtml = safeUrl ? `<a href="${esc(safeUrl)}" style="${ANCHOR_STYLE}">${esc(it.title)}</a>` : esc(it.title);
+      const titleHtml = safeUrl ? `<a href="${escapeHtml(safeUrl)}" style="${ANCHOR_STYLE}">${escapeHtml(it.title)}</a>` : escapeHtml(it.title);
       return `
           <tr>
             <td style="color:${GREY2};font-family:helvetica,sans-serif;font-size:16px;line-height:24px;padding-bottom:8px">${attentionBadge(it.status)}${titleHtml}</td>
@@ -1616,7 +1440,7 @@ function attentionSection(items) {
     }).join("");
     return `
       <tr>
-        <td style="color:#222;font-family:helvetica,sans-serif;font-size:16px;font-weight:700;padding:8px 0 4px">${esc(siteName)}</td>
+        <td style="color:#222;font-family:helvetica,sans-serif;font-size:16px;font-weight:700;padding:8px 0 4px">${escapeHtml(siteName)}</td>
       </tr>
       ${rows}`;
   }).join("");
@@ -1625,18 +1449,8 @@ function attentionSection(items) {
 function digestDateKey(d) {
   return d.toISOString().slice(0, 10);
 }
-function isIdempotencyConflict(err) {
-  const message = err instanceof Error ? err.message : String(err);
-  if (/idempotency key has been used/i.test(message)) return true;
-  const e = err;
-  if (e.name === "invalid_idempotent_request") return true;
-  if (e.statusCode === 409) return true;
-  return false;
-}
 async function listPendingApproval(base) {
-  return (await listAllReports(base)).filter(
-    (r) => r.draftReady && !r.approvedToSend && r.sentAt === null
-  );
+  return (await listAllReports(base)).filter(isPendingApproval);
 }
 function runCollector(label, fn) {
   try {
@@ -1646,33 +1460,17 @@ function runCollector(label, fn) {
     return [];
   }
 }
-async function runCollectorAsync(label, fn) {
-  try {
-    return await fn();
-  } catch (e) {
-    console.warn(`\u26A0 attention collector "${label}" failed: ${e.message}`);
-    return [];
-  }
-}
 async function collectAttention(deps) {
   const reports = deps.reports ?? await listAllReports(deps.base);
   const websites = deps.websites ?? await listWebsites(deps.base);
+  const now = deps.now ?? /* @__PURE__ */ new Date();
   const sitesById = new Map(websites.map((w) => [w.id, w]));
-  const renovate = deps.renovateProbe ? await runCollectorAsync("renovate", async () => {
-    const sites = websites.map((w) => ({
-      path: "",
-      name: w.name,
-      meta: {},
-      ...w.gitRepo ? { gitRepo: w.gitRepo } : {}
-    }));
-    const result = await collectRenovateFailures(sites, deps.renovateProbe);
-    return renovateFindingsToAttention(result);
-  }) : [];
   return [
     ...runCollector("vuln", () => collectVulnAlerts(websites, deps.baseUrl)),
     ...runCollector("delivery", () => collectDeliveryFailures(reports, sitesById, deps.baseUrl)),
     ...runCollector("lighthouse", () => collectLighthouseAlerts(websites, deps.baseUrl)),
-    ...renovate
+    ...runCollector("renovate", () => collectRenovateAlerts(websites, deps.baseUrl, now)),
+    ...runCollector("ci", () => collectCiAlerts(websites, deps.baseUrl, now))
   ];
 }
 async function runDigest(options) {
@@ -1682,25 +1480,26 @@ async function runDigest(options) {
     const reports = await listAllReports(base);
     const websites = await listWebsites(base);
     const sites = new Map(websites.map((w) => [w.id, w]));
-    const pending = reports.filter((r) => r.draftReady && !r.approvedToSend && r.sentAt === null);
+    const pending = reports.filter(isPendingApproval);
     const readyForYourYes = [];
+    const baseUrl = options.baseUrl.replace(/\/$/, "");
     for (const r of pending) {
       const site = sites.get(r.siteId);
       if (!site) continue;
+      const slug = siteSlug(site.name);
       readyForYourYes.push({
         siteName: site.name,
         reportType: r.reportType,
         period: r.period ?? "\u2014",
-        dashboardUrl: `${options.baseUrl.replace(/\/$/, "")}/s/${siteSlug(site.name)}`
+        dashboardUrl: slug ? `${baseUrl}/s/${slug}` : baseUrl
       });
     }
-    const renovateProbe = buildRenovateProbe();
     const collected = await collectAttention({
       base,
       baseUrl: options.baseUrl,
       websites,
       reports,
-      ...renovateProbe ? { renovateProbe } : {}
+      now: today
     });
     const prior = await readDigestState(base);
     const { tagged, next } = diffAttention(collected, prior, digestDateKey(today));
@@ -1781,9 +1580,10 @@ var init_digest = __esm({
     init_reports();
     init_websites();
     init_resend();
+    init_idempotency();
     init_digest_collectors();
-    init_renovate();
     init_digest_state();
+    init_html();
     GREY2 = "#757575";
     RED2 = "#C00";
     ANCHOR_STYLE = `color:${RED2};font-family:helvetica,sans-serif`;
@@ -1892,30 +1692,6 @@ async function sendOne(client, base, site, report) {
       `Report ${report.reportId} has no Lighthouse scores \u2014 all four cells (Lighthouse \u2014 Performance / Accessibility / Best Practices / SEO) must be numeric on the Reports row; one non-numeric or blank cell nulls all four`
     );
   }
-  const original = await fetchAttachmentBytes(site.headerImage.url);
-  const header = await prepareHeaderImage(original.bytes);
-  const bundled = await loadBundledImages();
-  const slug = siteSlug(site.name);
-  const cidName = `${slug}-header`;
-  const { html } = await renderReportHtml({
-    siteName: site.name,
-    siteUrl: site.url,
-    reportType: report.reportType,
-    completedOn: report.completedOn ? new Date(report.completedOn) : /* @__PURE__ */ new Date(),
-    lighthouse: report.lighthouse,
-    gaUsersCurrent: report.gaUsersCurrent ?? void 0,
-    gaUsersPrevious: report.gaUsersPrevious ?? void 0,
-    searchPosition: report.searchFoundPage1 && report.searchPosition !== null ? report.searchPosition : void 0,
-    lastTestedDate: report.lastTestedDate ? new Date(report.lastTestedDate) : null,
-    commentary: report.commentary,
-    copy: resolveCopy(site),
-    headerImageCid: cidName,
-    headerWidth: header.displayWidth,
-    headerHeight: header.displayHeight,
-    headerBgColor: header.placeholderColor
-  });
-  const reportDate = report.completedOn ? new Date(report.completedOn) : /* @__PURE__ */ new Date();
-  const subject = report.subjectOverride ?? `${site.name} \u2014 ${monthYear(reportDate)} ${report.reportType} Report`;
   const explicitTo = parseAddresses(site.reportRecipientsTo);
   const fallbackTo = parseAddresses(site.pointOfContact);
   const to = explicitTo ?? fallbackTo ?? [];
@@ -1941,6 +1717,30 @@ async function sendOne(client, base, site, report) {
       }
     }
   }
+  const original = await fetchAttachmentBytes(site.headerImage.url);
+  const header = await prepareHeaderImage(original.bytes);
+  const bundled = await loadBundledImages();
+  const slug = siteSlug(site.name);
+  const cidName = `${slug}-header`;
+  const { html } = await renderReportHtml({
+    siteName: site.name,
+    siteUrl: site.url,
+    reportType: report.reportType,
+    completedOn: report.completedOn ? new Date(report.completedOn) : /* @__PURE__ */ new Date(),
+    lighthouse: report.lighthouse,
+    gaUsersCurrent: report.gaUsersCurrent ?? void 0,
+    gaUsersPrevious: report.gaUsersPrevious ?? void 0,
+    searchPosition: report.searchFoundPage1 && report.searchPosition !== null ? report.searchPosition : void 0,
+    lastTestedDate: report.lastTestedDate ? new Date(report.lastTestedDate) : null,
+    commentary: report.commentary,
+    copy: resolveCopy(site),
+    headerImageCid: cidName,
+    headerWidth: header.displayWidth,
+    headerHeight: header.displayHeight,
+    headerBgColor: header.placeholderColor
+  });
+  const reportDate = report.completedOn ? new Date(report.completedOn) : /* @__PURE__ */ new Date();
+  const subject = report.subjectOverride ?? `${site.name} \u2014 ${monthYear(reportDate)} ${report.reportType} Report`;
   const payload = {
     from: FROM_ADDRESS2,
     to,
@@ -1976,7 +1776,17 @@ async function sendOne(client, base, site, report) {
     idempotencyKey: `report:${report.id}`
   };
   if (cc) payload.cc = cc;
-  const result = await client.send(payload);
+  let result;
+  try {
+    result = await client.send(payload);
+  } catch (err) {
+    if (isIdempotencyConflict(err)) {
+      await stampSent(base, report.id, /* @__PURE__ */ new Date(), null);
+      console.log(`\u21BB already sent (idempotency conflict), stamped: ${report.reportId}`);
+      return "idempotent-conflict";
+    }
+    throw err;
+  }
   await stampSent(base, report.id, /* @__PURE__ */ new Date(), result.messageId);
   return result.messageId;
 }
@@ -2016,6 +1826,7 @@ var init_orchestrate = __esm({
     init_assets();
     init_header_image();
     init_resend();
+    init_idempotency();
     FROM_ADDRESS2 = "Reddoor Reports <reports@reddoorla.com>";
     REPLY_TO = "info@reddoorla.com";
     MONTHS2 = [
@@ -2045,8 +1856,85 @@ import { cac } from "cac";
 import { resolve as resolve2 } from "path";
 import { Listr } from "listr2";
 
-// src/audits/index.ts
-init_spawn();
+// src/audits/util/spawn.ts
+import { spawn } from "child_process";
+import { StringDecoder } from "string_decoder";
+var TRUNCATION_MARKER = "\n\u2026[output truncated]";
+function makeSpawn(internals = {}) {
+  const spawnImpl = internals.spawnImpl ?? spawn;
+  const killImpl = internals.killImpl ?? ((pid, sig) => process.kill(pid, sig));
+  const killGraceMs = internals.killGraceMs ?? 5e3;
+  const maxOutputBytes = internals.maxOutputBytes ?? 10 * 1024 * 1024;
+  return (cmd, args, opts = {}) => new Promise((resolve12, reject) => {
+    const streaming = opts.streaming === true;
+    const child = spawnImpl(cmd, [...args], {
+      cwd: opts.cwd,
+      env: opts.env ?? process.env,
+      stdio: streaming ? ["ignore", "inherit", "inherit"] : ["ignore", "pipe", "pipe"],
+      // Detach ONLY when a timeout can fire: the child then leads its own
+      // process group, so the timeout can kill the WHOLE tree (vite, and
+      // Chromium under lhci/playwright) via process.kill(-pid), not just the
+      // npx/pnpm wrapper. Without it, killing the wrapper orphaned the
+      // grandchildren — a zombie vite squatting its port, Chrome left running.
+      // We do NOT detach timeout-less streaming calls (pnpm install/up):
+      // detaching gains nothing there (no timeout → no group-kill) and would
+      // break terminal Ctrl-C, which only reaches the foreground group — i.e.
+      // it would re-orphan the very children this guards. We never unref() the
+      // child since we still await it.
+      detached: opts.timeoutMs !== void 0
+    });
+    const cap = (acc, chunk) => {
+      if (acc.length >= maxOutputBytes) return acc;
+      const next = acc + chunk;
+      return next.length > maxOutputBytes ? next.slice(0, maxOutputBytes) + TRUNCATION_MARKER : next;
+    };
+    let stdout = "";
+    let stderr = "";
+    const outDecoder = new StringDecoder("utf-8");
+    const errDecoder = new StringDecoder("utf-8");
+    if (!streaming) {
+      child.stdout?.on(
+        "data",
+        (chunk) => stdout = cap(stdout, outDecoder.write(chunk))
+      );
+      child.stderr?.on(
+        "data",
+        (chunk) => stderr = cap(stderr, errDecoder.write(chunk))
+      );
+    }
+    const killGroup = (sig) => {
+      if (child.pid === void 0) return;
+      try {
+        killImpl(-child.pid, sig);
+      } catch {
+      }
+    };
+    let killTimer;
+    const timer = opts.timeoutMs ? setTimeout(() => {
+      killGroup("SIGTERM");
+      killTimer = setTimeout(() => killGroup("SIGKILL"), killGraceMs);
+      killTimer.unref();
+      reject(new Error(`spawn timeout after ${opts.timeoutMs}ms: ${cmd}`));
+    }, opts.timeoutMs) : void 0;
+    const clearTimers = () => {
+      if (timer) clearTimeout(timer);
+      if (killTimer) clearTimeout(killTimer);
+    };
+    child.on("error", (err) => {
+      clearTimers();
+      reject(err);
+    });
+    child.on("close", (code) => {
+      clearTimers();
+      if (!streaming) {
+        stdout = cap(stdout, outDecoder.end());
+        stderr = cap(stderr, errDecoder.end());
+      }
+      resolve12({ code: code ?? -1, stdout, stderr });
+    });
+  });
+}
+var defaultSpawn = makeSpawn();
 
 // src/audits/deps.ts
 import { readFile } from "fs/promises";
@@ -2054,7 +1942,7 @@ import { join as join3 } from "path";
 
 // src/util/site.ts
 function siteLabel(site) {
-  return site.name ?? site.path;
+  return site.name || site.path;
 }
 
 // src/configs/baseline-versions.ts
@@ -2096,9 +1984,6 @@ var baselineVersions = {
   "@zerodevx/svelte-img": "^2.1.2"
 };
 
-// src/audits/deps.ts
-init_spawn();
-
 // src/audits/deps-outdated.ts
 import { stat } from "fs/promises";
 import { join as join2 } from "path";
@@ -2278,7 +2163,6 @@ async function lintAudit(ctx) {
 }
 
 // src/audits/security.ts
-init_spawn();
 function classify(v) {
   if (v.critical > 0 || v.high > 0) return "fail";
   if (v.moderate > 0 || v.low > 0) return "warn";
@@ -2453,9 +2337,6 @@ var lighthouseConfig = {
   }
 };
 
-// src/audits/lighthouse.ts
-init_spawn();
-
 // src/audits/util/site-config.ts
 import { readFile as readFile3 } from "fs/promises";
 import { join as join5 } from "path";
@@ -2557,7 +2438,8 @@ function categoryFromAssertion(a) {
   return colonIdx >= 0 ? a.name.slice(colonIdx + 1) : a.name;
 }
 function messageForAssertion(a) {
-  return `${a.name} ${a.operator} ${a.expected} (actual: ${a.actual.toFixed(2)})`;
+  const actual = typeof a.actual === "number" ? a.actual.toFixed(2) : "n/a";
+  return `${a.name} ${a.operator} ${a.expected} (actual: ${actual})`;
 }
 async function parseLhciResults(resultsDir, label, raw) {
   const manifest = await readLhrEntries(resultsDir);
@@ -2724,7 +2606,6 @@ var playwrightA11yConfig = defineConfig({
 });
 
 // src/audits/a11y.ts
-init_spawn();
 var RESULTS_REL = ".reddoor-a11y/results.json";
 async function readJsonMaybe2(path) {
   try {
@@ -2932,7 +2813,7 @@ function timedSpawn(timeoutMs) {
 async function runOneAudit(site, name) {
   if (!(name in REGISTRY)) throw new Error(`unknown audit: ${name}`);
   const spawn2 = timedSpawn(DEFAULT_AUDIT_TIMEOUT_MS);
-  const label = site.name ?? site.path;
+  const label = site.name || site.path;
   try {
     return await REGISTRY[name]({ site, spawn: spawn2 });
   } catch (err) {
@@ -2959,11 +2840,12 @@ import { resolve, extname } from "path";
 // src/inventory/local.ts
 import { basename } from "path";
 function localPath(path, opts = {}) {
-  const site = { path, name: opts.name ?? basename(path) };
+  const site = { path, name: opts.name || basename(path) };
   return async () => [site];
 }
 
 // src/inventory/json.ts
+init_url();
 import { readFile as readFile6 } from "fs/promises";
 import { isAbsolute } from "path";
 function validate(raw) {
@@ -2987,7 +2869,15 @@ function validate(raw) {
     if (typeof e.name === "string") site.name = e.name;
     if (typeof e.repoUrl === "string") site.repoUrl = e.repoUrl;
     if (typeof e.gitRepo === "string") site.gitRepo = e.gitRepo;
-    if (typeof e.deployedUrl === "string") site.deployedUrl = e.deployedUrl;
+    if (typeof e.deployedUrl === "string") {
+      if (isHttpUrl(e.deployedUrl)) {
+        site.deployedUrl = e.deployedUrl;
+      } else {
+        console.warn(
+          `[inventory] entry ${i}: ignoring deployedUrl that is not http(s): ${JSON.stringify(e.deployedUrl)}`
+        );
+      }
+    }
     if (typeof e.meta === "object" && e.meta !== null) {
       site.meta = e.meta;
     }
@@ -2996,7 +2886,15 @@ function validate(raw) {
 }
 function fromJsonFile(path) {
   return async () => {
-    const raw = JSON.parse(await readFile6(path, "utf-8"));
+    const text = await readFile6(path, "utf-8");
+    let raw;
+    try {
+      raw = JSON.parse(text);
+    } catch (e) {
+      throw new Error(`could not parse inventory file ${path}: ${e.message}`, {
+        cause: e
+      });
+    }
     return validate(raw);
   };
 }
@@ -3041,14 +2939,95 @@ async function resolveSites(input) {
 }
 
 // src/cli/fleet/clone-if-needed.ts
-init_spawn();
 import { stat as stat2, readdir as readdir2, mkdir } from "fs/promises";
 import { isAbsolute as isAbsolute2, join as join8 } from "path";
+
+// src/util/git.ts
+import { execFile } from "child_process";
+import { promisify } from "util";
+var exec = promisify(execFile);
+async function git(cwd, args) {
+  return exec("git", args, { cwd, env: process.env });
+}
+function branchName(recipe, when = /* @__PURE__ */ new Date()) {
+  const compact = when.toISOString().replace(/[-:.]/g, "");
+  return `maint/${recipe}-${compact}`;
+}
+async function currentBranch(cwd) {
+  const { stdout } = await git(cwd, ["rev-parse", "--abbrev-ref", "HEAD"]);
+  return stdout.trim();
+}
+async function isWorkingTreeClean(cwd) {
+  const { stdout } = await git(cwd, ["status", "--porcelain"]);
+  return stdout.trim().length === 0;
+}
+async function createBranch(cwd, name) {
+  await git(cwd, ["checkout", "-b", name]);
+}
+async function checkoutBranch(cwd, name) {
+  await git(cwd, ["checkout", name]);
+}
+async function forceCheckoutBranch(cwd, name) {
+  await git(cwd, ["checkout", "-f", name]);
+}
+async function deleteBranch(cwd, name) {
+  await git(cwd, ["branch", "-D", name]);
+}
+async function stageAll(cwd) {
+  await git(cwd, ["add", "-A"]);
+}
+async function listTrackedFiles(cwd) {
+  const { stdout } = await git(cwd, ["ls-files"]);
+  return stdout.split("\n").map((l) => l.trim()).filter((l) => l.length > 0);
+}
+async function removeFromIndex(cwd, paths) {
+  if (paths.length === 0) return;
+  await git(cwd, ["rm", "-r", "--cached", "--", ...paths]);
+}
+async function commit(cwd, message) {
+  await stageAll(cwd);
+  const { stdout: status } = await git(cwd, ["status", "--porcelain"]);
+  if (status.trim().length === 0) return null;
+  await git(cwd, ["commit", "-m", message]);
+  const { stdout: sha } = await git(cwd, ["rev-parse", "HEAD"]);
+  return sha.trim();
+}
+var OWNER_REPO_RE = /^[A-Za-z0-9._-]+\/[A-Za-z0-9._-]+$/;
+function isOwnerRepo(repo) {
+  if (repo.includes("..")) return false;
+  return OWNER_REPO_RE.test(repo);
+}
+function sameOwnerRepo(a, b) {
+  const na = isOwnerRepo(a.trim()) ? a.trim() : parseOwnerRepo(a);
+  const nb = isOwnerRepo(b.trim()) ? b.trim() : parseOwnerRepo(b);
+  if (na === null || nb === null) return false;
+  return na.toLowerCase() === nb.toLowerCase();
+}
+function parseOwnerRepo(remoteUrl) {
+  const trimmed = remoteUrl.trim().replace(/\.git$/, "").replace(/\/$/, "");
+  const scp = trimmed.match(/^[A-Za-z0-9._-]+@[A-Za-z0-9._-]+:(.+)$/);
+  const path = scp ? scp[1] : trimmed.replace(/^https?:\/\/[^/]+\//, "");
+  const segments = path.split("/").filter(Boolean);
+  if (segments.length < 2) return null;
+  return `${segments[segments.length - 2]}/${segments[segments.length - 1]}`;
+}
+async function getRemoteUrl(cwd) {
+  const { stdout } = await git(cwd, ["remote", "get-url", "origin"]);
+  return stdout.trim();
+}
+async function push(cwd, branch) {
+  await git(cwd, ["push", "-u", "origin", branch]);
+}
+
+// src/cli/fleet/clone-if-needed.ts
 function deriveNameFromRepoUrl(repoUrl) {
   const slash = repoUrl.split("/").pop() ?? repoUrl;
   return slash.replace(/\.git$/, "");
 }
 function assertSafeName(name) {
+  if (name.length === 0) {
+    throw new Error("unsafe site name (empty)");
+  }
   if (isAbsolute2(name)) {
     throw new Error(`unsafe site name (absolute path not allowed): ${name}`);
   }
@@ -3076,6 +3055,24 @@ async function isNonEmptyDir(path) {
     return false;
   }
 }
+function expectedRepoRef(site) {
+  return site.gitRepo ?? site.repoUrl ?? void 0;
+}
+async function assertCheckoutMatches(site, path, spawn2) {
+  const expected = expectedRepoRef(site);
+  if (!expected) return;
+  const r = await spawn2("git", ["-C", path, "remote", "get-url", "origin"], {
+    timeoutMs: 3e4
+  });
+  if (r.code !== 0) return;
+  const origin = r.stdout.trim();
+  if (origin.length === 0) return;
+  if (!sameOwnerRepo(origin, expected)) {
+    throw new Error(
+      `checkout at ${path} is the wrong repo: origin is ${JSON.stringify(origin)} but site expects ${JSON.stringify(expected)} (slug collision?) \u2014 refusing to reuse it`
+    );
+  }
+}
 var GIT_REPO_RE = /^[\w.-]+\/[\w.-]+$/;
 function resolveCloneUrl(site) {
   if (site.repoUrl) return site.repoUrl;
@@ -3086,22 +3083,26 @@ function resolveCloneUrl(site) {
   return `https://github.com/${site.gitRepo}.git`;
 }
 async function cloneIfNeeded(site, opts) {
-  if (await isNonEmptyDir(site.path)) return site;
+  const spawn2 = opts.spawn ?? defaultSpawn;
+  if (await isNonEmptyDir(site.path)) {
+    await assertCheckoutMatches(site, site.path, spawn2);
+    return site;
+  }
   const repoUrl = resolveCloneUrl(site);
   if (!repoUrl) {
     throw new Error(
       `site path does not exist (${site.path}) and no repoUrl or gitRepo is set \u2014 cannot clone`
     );
   }
-  const name = site.name ?? deriveNameFromRepoUrl(repoUrl);
+  const name = site.name || deriveNameFromRepoUrl(repoUrl);
   assertSafeName(name);
   assertSafeRepoUrl(repoUrl);
   const target = join8(opts.workdir, name);
   await mkdir(opts.workdir, { recursive: true });
   if (await isNonEmptyDir(target)) {
+    await assertCheckoutMatches(site, target, spawn2);
     return { ...site, name, path: target };
   }
-  const spawn2 = opts.spawn ?? defaultSpawn;
   const result = await spawn2("git", ["clone", "--", repoUrl, target], {
     cwd: opts.workdir,
     timeoutMs: 5 * 6e4
@@ -3112,6 +3113,52 @@ async function cloneIfNeeded(site, opts) {
   return { ...site, name, path: target };
 }
 
+// src/cli/fleet/prepare-sites.ts
+async function prepareFleetSites(sites, opts) {
+  const clone = opts.clone ?? cloneIfNeeded;
+  const needsCheckout = opts.needsCheckout ?? (() => true);
+  const settled = await Promise.all(
+    sites.map(async (site) => {
+      if (!needsCheckout(site)) return { ok: true, site };
+      try {
+        return { ok: true, site: await clone(site, { workdir: opts.workdir }) };
+      } catch (e) {
+        return { ok: false, site: site.name || site.path, reason: e.message };
+      }
+    })
+  );
+  const prepared = [];
+  const skipped = [];
+  for (const r of settled) {
+    if (r.ok) prepared.push(r.site);
+    else skipped.push({ site: r.site, reason: r.reason });
+  }
+  return { prepared, skipped };
+}
+function formatSkippedNotice(skipped) {
+  if (skipped.length === 0) return null;
+  const detail = skipped.map((s) => `${s.site} (${s.reason})`).join("; ");
+  return `\u26A0 ${skipped.length} site(s) skipped (could not prepare): ${detail}`;
+}
+function appendSkipNotice(output, skipped) {
+  const notice = formatSkippedNotice(skipped);
+  return notice ? `${output}
+
+${notice}` : output;
+}
+
+// src/cli/commands/audit.ts
+init_url();
+
+// src/util/fleet-workdir.ts
+import { tmpdir as tmpdir2 } from "os";
+import { join as join9 } from "path";
+function fleetWorkdir() {
+  const home = process.env.HOME?.trim();
+  const base = home ? home : tmpdir2();
+  return join9(base, ".reddoor-maint", "sites");
+}
+
 // src/cli/commands/audit.ts
 function parseOnly(value) {
   if (!value) return void 0;
@@ -3177,7 +3224,7 @@ function buildAuditTasks(sites, which, results, renderer, concurrency) {
   }
   return new Listr(
     sites.map((site) => {
-      const label = site.name ?? site.path;
+      const label = site.name || site.path;
       return {
         title: label,
         task: async (_ctx, task) => {
@@ -3245,10 +3292,10 @@ function applyDeployedUrl(sites, url) {
       { exitCode: 2 }
     );
   }
-  try {
-    new URL(url);
-  } catch {
-    throw Object.assign(new Error(`--url is not a valid URL: ${url}`), { exitCode: 2 });
+  if (!isHttpUrl(url)) {
+    throw Object.assign(new Error(`--url must be an http(s) URL (got: ${JSON.stringify(url)})`), {
+      exitCode: 2
+    });
   }
   return [{ ...sites[0], deployedUrl: url }];
 }
@@ -3278,18 +3325,25 @@ async function runAuditCommand(site, opts) {
     cwd
   });
   sites = applyDeployedUrl(sites, opts.url);
+  let skippedPrep = [];
   if (opts.fleet) {
-    const workdir = opts.workdir ?? `${process.env.HOME ?? ""}/.reddoor-maint/sites`;
-    sites = await Promise.all(
-      sites.map(
-        (s) => auditNeedsCheckout(s, which) ? cloneIfNeeded(s, { workdir }) : Promise.resolve(s)
-      )
-    );
+    const workdir = opts.workdir ?? fleetWorkdir();
+    const prep = await prepareFleetSites(sites, {
+      workdir,
+      needsCheckout: (s) => auditNeedsCheckout(s, which)
+    });
+    sites = prep.prepared;
+    skippedPrep = prep.skipped;
   }
   const results = [];
   const renderer = rendererFor(opts.json);
   await buildAuditTasks(sites, which, results, renderer, parseConcurrency(opts.concurrency)).run();
   let output = opts.json ? JSON.stringify(results, null, 2) : formatTable(results);
+  const skipNotice = formatSkippedNotice(skippedPrep);
+  if (skipNotice && !opts.json) output += `
+
+${skipNotice}`;
+  let writeBackFailed = false;
   if (opts.writeAirtable !== void 0) {
     const { openBase: openBase2, readAirtableConfig: readAirtableConfig2 } = await Promise.resolve().then(() => (init_client(), client_exports));
     const { listWebsites: listWebsites2 } = await Promise.resolve().then(() => (init_websites(), websites_exports));
@@ -3298,7 +3352,8 @@ async function runAuditCommand(site, opts) {
       const base = openBase2(readAirtableConfig2());
       const websites = await listWebsites2(base);
       const fleetWrite = await writeFleetAuditsToAirtable2({ base, websites, results });
-      output += `
+      if (fleetWrite.failed.length > 0) writeBackFailed = true;
+      if (!opts.json) output += `
 
 ${formatFleetWriteSummary2(fleetWrite)}`;
     } else {
@@ -3322,7 +3377,7 @@ ${formatFleetWriteSummary2(fleetWrite)}`;
         ],
         { renderer }
       ).run();
-      if (writeSummary) output += `
+      if (writeSummary && !opts.json) output += `
 
 ${formatWriteSummary(writeSummary)}`;
     }
@@ -3331,16 +3386,20 @@ ${formatWriteSummary(writeSummary)}`;
   if (notice && !opts.json) output += `
 
 ${notice}`;
-  return { output, code: auditExitCode(results, opts.failOnViolations === true) };
+  const code = Math.max(
+    auditExitCode(results, opts.failOnViolations === true),
+    writeBackFailed ? 1 : 0
+  );
+  return { output, code };
 }
 
 // src/cli/commands/sync-configs.ts
 import { readFile as readFile9 } from "fs/promises";
-import { join as join11, resolve as resolve3 } from "path";
+import { join as join12, resolve as resolve3 } from "path";
 
 // src/recipes/sync-configs.ts
 import { readFile as readFile8, writeFile as writeFile3, mkdir as mkdir2 } from "fs/promises";
-import { join as join10, dirname } from "path";
+import { join as join11, dirname } from "path";
 
 // src/recipes/sync-configs/templates.ts
 var eslint = {
@@ -3590,59 +3649,6 @@ function findTrackedArtifacts(tracked, canonical) {
   return matched;
 }
 
-// src/util/git.ts
-import { execFile } from "child_process";
-import { promisify } from "util";
-var exec = promisify(execFile);
-async function git(cwd, args) {
-  return exec("git", args, { cwd, env: process.env });
-}
-function branchName(recipe, when = /* @__PURE__ */ new Date()) {
-  const compact = when.toISOString().replace(/[-:.]/g, "");
-  return `maint/${recipe}-${compact}`;
-}
-async function isWorkingTreeClean(cwd) {
-  const { stdout } = await git(cwd, ["status", "--porcelain"]);
-  return stdout.trim().length === 0;
-}
-async function createBranch(cwd, name) {
-  await git(cwd, ["checkout", "-b", name]);
-}
-async function stageAll(cwd) {
-  await git(cwd, ["add", "-A"]);
-}
-async function listTrackedFiles(cwd) {
-  const { stdout } = await git(cwd, ["ls-files"]);
-  return stdout.split("\n").map((l) => l.trim()).filter((l) => l.length > 0);
-}
-async function removeFromIndex(cwd, paths) {
-  if (paths.length === 0) return;
-  await git(cwd, ["rm", "-r", "--cached", "--", ...paths]);
-}
-async function commit(cwd, message) {
-  await stageAll(cwd);
-  const { stdout: status } = await git(cwd, ["status", "--porcelain"]);
-  if (status.trim().length === 0) return null;
-  await git(cwd, ["commit", "-m", message]);
-  const { stdout: sha } = await git(cwd, ["rev-parse", "HEAD"]);
-  return sha.trim();
-}
-function parseOwnerRepo(remoteUrl) {
-  const trimmed = remoteUrl.trim().replace(/\.git$/, "").replace(/\/$/, "");
-  const scp = trimmed.match(/^[A-Za-z0-9._-]+@[A-Za-z0-9._-]+:(.+)$/);
-  const path = scp ? scp[1] : trimmed.replace(/^https?:\/\/[^/]+\//, "");
-  const segments = path.split("/").filter(Boolean);
-  if (segments.length < 2) return null;
-  return `${segments[segments.length - 2]}/${segments[segments.length - 1]}`;
-}
-async function getRemoteUrl(cwd) {
-  const { stdout } = await git(cwd, ["remote", "get-url", "origin"]);
-  return stdout.trim();
-}
-async function push(cwd, branch) {
-  await git(cwd, ["push", "-u", "origin", branch]);
-}
-
 // src/recipes/_with-recipe.ts
 async function withRecipe(body) {
   const label = siteLabel(body.site);
@@ -3671,19 +3677,60 @@ async function withRecipe(body) {
   if (!body.checkTreeFirst && !await isWorkingTreeClean(body.site.path)) {
     throw new Error(`refusing to run: working tree is not clean at ${body.site.path}`);
   }
+  let original = null;
+  try {
+    original = await currentBranch(body.site.path);
+  } catch {
+    original = null;
+  }
   const branch = branchName(body.name);
   await createBranch(body.site.path, branch);
-  const shas = [];
-  const result = await body.apply(planned.plan, {
-    cwd: body.site.path,
-    branch,
-    commit: async (msg) => {
-      const sha = await commit(body.site.path, msg);
-      if (sha) shas.push(sha);
-      return sha;
+  const restoreOriginal = async () => {
+    if (original === null || original === branch) return;
+    try {
+      await checkoutBranch(body.site.path, original);
+    } catch (err) {
+      console.warn(
+        `warning: could not restore branch ${original} after ${body.name}: ${err instanceof Error ? err.message : String(err)}`
+      );
     }
-  });
+  };
+  const restoreAfterFailure = async () => {
+    if (original === null || original === branch) return;
+    try {
+      await forceCheckoutBranch(body.site.path, original);
+    } catch (err) {
+      console.warn(
+        `warning: could not force-restore branch ${original} after failed ${body.name}: ${err instanceof Error ? err.message : String(err)}`
+      );
+      return;
+    }
+    try {
+      await deleteBranch(body.site.path, branch);
+    } catch (err) {
+      console.warn(
+        `warning: could not delete recipe branch ${branch} after failed ${body.name}: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  };
+  const shas = [];
+  let result;
+  try {
+    result = await body.apply(planned.plan, {
+      cwd: body.site.path,
+      branch,
+      commit: async (msg) => {
+        const sha = await commit(body.site.path, msg);
+        if (sha) shas.push(sha);
+        return sha;
+      }
+    });
+  } catch (err) {
+    await restoreAfterFailure();
+    throw err;
+  }
   if (result.kind === "failed") {
+    await restoreAfterFailure();
     return {
       recipe: body.name,
       site: label,
@@ -3692,6 +3739,9 @@ async function withRecipe(body) {
       notes: result.notes
     };
   }
+  if (shas.length === 0) {
+    await restoreOriginal();
+  }
   const notes = result.notes ? `${result.notes}; branch: ${branch}` : `branch: ${branch}`;
   return {
     recipe: body.name,
@@ -3739,7 +3789,7 @@ async function readMaybe(path) {
 async function planTemplateDiffs(cwd, templates) {
   const diffs = [];
   for (const t of templates) {
-    const existing = await readMaybe(join10(cwd, t.path));
+    const existing = await readMaybe(join11(cwd, t.path));
     if (existing === t.contents) continue;
     if (t.config === SVELTE_CONFIG && existing !== null && isSvelteConfigCompliant(existing)) {
       continue;
@@ -3752,7 +3802,7 @@ async function planTemplateDiffs(cwd, templates) {
   return diffs;
 }
 async function planGitignore(cwd) {
-  const existing = await readMaybe(join10(cwd, ".gitignore"));
+  const existing = await readMaybe(join11(cwd, ".gitignore"));
   const merge = mergeGitignore(existing, CANONICAL_GITIGNORE_ENTRIES);
   const tracked = await listTrackedFiles(cwd);
   const toUntrack = findTrackedArtifacts(tracked, CANONICAL_GITIGNORE_ENTRIES);
@@ -3760,7 +3810,7 @@ async function planGitignore(cwd) {
   return { kind: "apply", content: merge.content, toUntrack, added: merge.added };
 }
 async function applyGitignore(cwd, plan) {
-  await writeFile3(join10(cwd, ".gitignore"), plan.content, "utf-8");
+  await writeFile3(join11(cwd, ".gitignore"), plan.content, "utf-8");
   if (plan.toUntrack.length > 0) {
     await removeFromIndex(cwd, plan.toUntrack);
   }
@@ -3783,7 +3833,7 @@ async function syncConfigs(site, opts = {}) {
     },
     apply: async ({ templateDiffs, gitignorePlan }, { commit: commit2 }) => {
       for (const t of templateDiffs) {
-        const dest = join10(site.path, t.path);
+        const dest = join11(site.path, t.path);
         await mkdir2(dirname(dest), { recursive: true });
         await writeFile3(dest, t.contents, "utf-8");
         await commit2(`chore: sync ${t.config} config from @reddoorla/maintenance`);
@@ -3814,7 +3864,7 @@ function parseOnly2(value) {
 async function dryPlanGitignore(cwd) {
   let existing;
   try {
-    existing = await readFile9(join11(cwd, ".gitignore"), "utf-8");
+    existing = await readFile9(join12(cwd, ".gitignore"), "utf-8");
   } catch {
     return "would create .gitignore";
   }
@@ -3829,7 +3879,7 @@ async function dryPlan(cwd, which) {
   for (const t of templateTargets) {
     let existing = "";
     try {
-      existing = await readFile9(join11(cwd, t.path), "utf-8");
+      existing = await readFile9(join12(cwd, t.path), "utf-8");
     } catch {
     }
     if (existing !== t.contents) lines.push(`would update ${t.path} (config: ${t.config})`);
@@ -3853,32 +3903,34 @@ async function runSyncConfigsCommand(site, opts) {
     ...opts.fleet !== void 0 ? { fleet: opts.fleet } : {},
     cwd
   });
+  let skipped = [];
   if (opts.fleet) {
-    const workdir = opts.workdir ?? `${process.env.HOME ?? ""}/.reddoor-maint/sites`;
-    sites = await Promise.all(sites.map((s) => cloneIfNeeded(s, { workdir })));
+    const workdir = opts.workdir ?? fleetWorkdir();
+    const prep = await prepareFleetSites(sites, { workdir });
+    sites = prep.prepared;
+    skipped = prep.skipped;
   }
   if (opts.dry) {
     const blocks = [];
     for (const s of sites) {
-      blocks.push(`[${s.name ?? s.path}]
+      blocks.push(`[${s.name || s.path}]
 ` + await dryPlan(s.path, which));
     }
-    return { output: blocks.join("\n\n"), code: 0 };
+    return { output: appendSkipNotice(blocks.join("\n\n"), skipped), code: 0 };
   }
   const results = [];
   for (const s of sites) results.push(await syncConfigs(s, which ? { which } : {}));
   const output = results.map(formatResult).join("\n");
   const code = results.some((r) => r.status === "failed") ? 1 : 0;
-  return { output, code };
+  return { output: appendSkipNotice(output, skipped), code };
 }
 
 // src/cli/commands/bump-deps.ts
 import { resolve as resolve4 } from "path";
 
 // src/recipes/bump-deps.ts
-init_spawn();
 import { stat as stat3 } from "fs/promises";
-import { join as join12 } from "path";
+import { join as join13 } from "path";
 async function exists2(path) {
   try {
     await stat3(path);
@@ -3907,10 +3959,10 @@ async function bumpDeps(site, opts = {}) {
     // land on top of whatever else was in the tree.
     checkTreeFirst: true,
     plan: async () => {
-      const hasPnpmLock = await exists2(join12(site.path, "pnpm-lock.yaml"));
+      const hasPnpmLock = await exists2(join13(site.path, "pnpm-lock.yaml"));
       if (!hasPnpmLock) {
-        const hasNpmLock = await exists2(join12(site.path, "package-lock.json"));
-        const hasYarnLock = await exists2(join12(site.path, "yarn.lock"));
+        const hasNpmLock = await exists2(join13(site.path, "package-lock.json"));
+        const hasYarnLock = await exists2(join13(site.path, "yarn.lock"));
         if (hasNpmLock || hasYarnLock) {
           const competing = hasNpmLock ? "package-lock.json" : "yarn.lock";
           return {
@@ -3965,15 +4017,18 @@ async function runBumpDepsCommand(site, opts) {
     ...opts.fleet !== void 0 ? { fleet: opts.fleet } : {},
     cwd
   });
+  let skipped = [];
   if (opts.fleet) {
-    const workdir = opts.workdir ?? `${process.env.HOME ?? ""}/.reddoor-maint/sites`;
-    sites = await Promise.all(sites.map((s) => cloneIfNeeded(s, { workdir })));
+    const workdir = opts.workdir ?? fleetWorkdir();
+    const prep = await prepareFleetSites(sites, { workdir });
+    sites = prep.prepared;
+    skipped = prep.skipped;
   }
   const results = [];
   for (const s of sites) results.push(await bumpDeps(s, { group }));
   const output = results.map(formatResult2).join("\n");
   const code = results.some((r) => r.status === "failed") ? 1 : 0;
-  return { output, code };
+  return { output: appendSkipNotice(output, skipped), code };
 }
 
 // src/cli/commands/self-updating.ts
@@ -3981,7 +4036,7 @@ import { resolve as resolve5 } from "path";
 
 // src/recipes/self-updating/index.ts
 import { mkdir as mkdir3, writeFile as writeFile4 } from "fs/promises";
-import { dirname as dirname2, join as join13 } from "path";
+import { dirname as dirname2, join as join14 } from "path";
 
 // src/github/config.ts
 function readGitHubConfig() {
@@ -3991,25 +4046,230 @@ function readGitHubConfig() {
   return { token, renovateToken };
 }
 
+// src/github/gh.ts
+function assertUrlSegment(kind, value) {
+  const structural = /[\s?#%\\]|\.\./;
+  if (value.length === 0 || value.startsWith("/") || structural.test(value)) {
+    throw new Error(
+      `unsafe ${kind} for gh api path (illegal characters or traversal): ${JSON.stringify(value)}`
+    );
+  }
+}
+function mapRollupState(state) {
+  switch (state) {
+    case "SUCCESS":
+      return "passing";
+    case "FAILURE":
+    case "ERROR":
+      return "failing";
+    case "PENDING":
+    case "EXPECTED":
+      return "pending";
+    default:
+      return "none";
+  }
+}
+function makeGitHub(deps) {
+  const spawn2 = deps.spawn ?? defaultSpawn;
+  const env = { ...process.env, GH_TOKEN: deps.token };
+  async function gh(args) {
+    const r = await spawn2("gh", args, { env, timeoutMs: 6e4 });
+    if (r.code !== 0) throw new Error(`gh ${args[0]} failed (code ${r.code}): ${r.stderr.trim()}`);
+    return r.stdout;
+  }
+  return {
+    async openPullRequest(repo, pr) {
+      const out = await gh([
+        "pr",
+        "create",
+        "--repo",
+        repo,
+        "--head",
+        pr.head,
+        "--base",
+        pr.base,
+        "--title",
+        pr.title,
+        "--body",
+        pr.body
+      ]);
+      return { url: out.trim() };
+    },
+    async enableRepoAutoMerge(repo) {
+      await gh(["api", "-X", "PATCH", `repos/${repo}`, "-F", "allow_auto_merge=true"]);
+    },
+    async protectBranch(repo, branch, requiredChecks) {
+      assertUrlSegment("branch", branch);
+      const args = [
+        "api",
+        "-X",
+        "PUT",
+        `repos/${repo}/branches/${branch}/protection`,
+        "-H",
+        "Accept: application/vnd.github+json",
+        "-F",
+        "required_status_checks[strict]=true",
+        ...requiredChecks.flatMap((c) => ["-f", `required_status_checks[contexts][]=${c}`]),
+        "-F",
+        "enforce_admins=true",
+        "-F",
+        "required_pull_request_reviews=null",
+        "-F",
+        "restrictions=null"
+      ];
+      await gh(args);
+    },
+    async setRepoSecret(repo, name, value) {
+      await gh(["secret", "set", name, "--repo", repo, "--body", value]);
+    },
+    async repoExists(repo) {
+      const r = await spawn2("gh", ["api", `repos/${repo}`], { env, timeoutMs: 6e4 });
+      return r.code === 0;
+    },
+    async defaultBranch(repo) {
+      const out = await gh(["api", `repos/${repo}`, "--jq", ".default_branch"]);
+      return out.trim();
+    },
+    // filesOnBranch and branchProtectionContexts call `spawn` directly (not the
+    // throwing `gh()` helper) because a 404 is an expected, meaningful answer —
+    // "file/protection absent" — not an error. The remaining readers use `gh()`
+    // since a non-200 there is a genuine failure (e.g. missing token scope).
+    async filesOnBranch(repo, branch, paths) {
+      assertUrlSegment("branch", branch);
+      const present = [];
+      for (const p of paths) {
+        assertUrlSegment("path", p);
+        const r = await spawn2("gh", [`api`, `repos/${repo}/contents/${p}?ref=${branch}`], {
+          env,
+          timeoutMs: 6e4
+        });
+        if (r.code === 0) present.push(p);
+      }
+      return present;
+    },
+    async branchProtectionContexts(repo, branch) {
+      assertUrlSegment("branch", branch);
+      const r = await spawn2(
+        "gh",
+        [
+          "api",
+          `repos/${repo}/branches/${branch}/protection`,
+          "--jq",
+          ".required_status_checks.contexts[]?"
+        ],
+        { env, timeoutMs: 6e4 }
+      );
+      if (r.code !== 0) return [];
+      return r.stdout.split("\n").map((l) => l.trim()).filter((l) => l.length > 0);
+    },
+    async secretExists(repo, name) {
+      const out = await gh(["api", `repos/${repo}/actions/secrets`, "--jq", ".secrets[].name"]);
+      return out.split("\n").map((l) => l.trim()).includes(name);
+    },
+    async autoMergeEnabled(repo) {
+      const out = await gh(["api", `repos/${repo}`, "--jq", ".allow_auto_merge"]);
+      return out.trim() === "true";
+    },
+    async findOpenSelfUpdatingPR(repo) {
+      const out = await gh([
+        "api",
+        `repos/${repo}/pulls?state=open`,
+        "--jq",
+        '.[] | select(.head.ref | startswith("maint/self-updating-")) | .html_url'
+      ]);
+      const first = out.split("\n").map((l) => l.trim()).find((l) => l.length > 0);
+      return first ?? null;
+    },
+    async openPullRequests(repo) {
+      const [owner, name, ...rest] = repo.split("/");
+      if (!owner || !name || rest.length > 0) {
+        throw new Error(`openPullRequests: expected "owner/repo", got "${repo}"`);
+      }
+      const query = "query($owner:String!,$name:String!){repository(owner:$owner,name:$name){pullRequests(states:OPEN,first:100,orderBy:{field:CREATED_AT,direction:DESC}){nodes{number title url headRefName commits(last:1){nodes{commit{statusCheckRollup{state}}}}}}}}";
+      const out = await gh([
+        "api",
+        "graphql",
+        "-f",
+        `query=${query}`,
+        "-F",
+        `owner=${owner}`,
+        "-F",
+        `name=${name}`
+      ]);
+      const parsed = JSON.parse(out);
+      const nodes = parsed.data?.repository?.pullRequests?.nodes ?? [];
+      return nodes.map((n) => ({
+        number: n.number,
+        title: n.title,
+        url: n.url,
+        headRef: n.headRefName,
+        ciState: mapRollupState(n.commits?.nodes?.[0]?.commit?.statusCheckRollup?.state)
+      }));
+    },
+    async defaultBranchStatus(repo) {
+      const [owner, name, ...rest] = repo.split("/");
+      if (!owner || !name || rest.length > 0) {
+        throw new Error(`defaultBranchStatus: expected "owner/repo", got "${repo}"`);
+      }
+      const query = "query($owner:String!,$name:String!){repository(owner:$owner,name:$name){defaultBranchRef{target{... on Commit{committedDate statusCheckRollup{state}}}}}}";
+      const out = await gh([
+        "api",
+        "graphql",
+        "-f",
+        `query=${query}`,
+        "-F",
+        `owner=${owner}`,
+        "-F",
+        `name=${name}`
+      ]);
+      const parsed = JSON.parse(out);
+      const target = parsed.data?.repository?.defaultBranchRef?.target;
+      return {
+        ciState: mapRollupState(target?.statusCheckRollup?.state),
+        lastCommitAt: target?.committedDate ?? null
+      };
+    }
+  };
+}
+
 // src/recipes/self-updating/index.ts
-init_gh();
 var SELF_UPDATING_CONFIGS = ["ci", "renovate-action", "renovate-config"];
 var REQUIRED_CHECK = "ci / ci";
 function resultOf(site, status, notes, commits = []) {
   return { recipe: "self-updating", site: siteLabel(site), status, commits, notes };
 }
 async function resolveRepo(site) {
-  if (site.gitRepo) return site.gitRepo;
+  if (site.gitRepo) {
+    if (!isOwnerRepo(site.gitRepo)) {
+      throw new Error(
+        `refusing to act on malformed repo identity: expected "owner/repo", got ${JSON.stringify(site.gitRepo)}`
+      );
+    }
+    return site.gitRepo;
+  }
+  let fromOrigin;
   try {
-    return parseOwnerRepo(await getRemoteUrl(site.path));
+    fromOrigin = parseOwnerRepo(await getRemoteUrl(site.path));
   } catch {
     return null;
   }
+  if (fromOrigin === null) return null;
+  if (!isOwnerRepo(fromOrigin)) {
+    throw new Error(
+      `refusing to act on malformed repo identity from origin: ${JSON.stringify(fromOrigin)}`
+    );
+  }
+  return fromOrigin;
 }
 async function selfUpdating(site, deps = {}) {
   const templates = templatesByName([...SELF_UPDATING_CONFIGS]);
   const paths = templates.map((t) => t.path);
-  const repo = await resolveRepo(site);
+  let repo;
+  try {
+    repo = await resolveRepo(site);
+  } catch (err) {
+    return resultOf(site, "failed", err instanceof Error ? err.message : String(err));
+  }
   if (!repo) {
     return resultOf(
       site,
@@ -4025,6 +4285,8 @@ async function selfUpdating(site, deps = {}) {
   const base = await github.defaultBranch(repo).catch(() => "main");
   const actions = [];
   const commits = [];
+  let original = null;
+  let maintBranch = null;
   try {
     const present = await github.filesOnBranch(repo, base, paths);
     if (present.length < paths.length) {
@@ -4035,10 +4297,15 @@ async function selfUpdating(site, deps = {}) {
         if (!await isWorkingTreeClean(site.path)) {
           return resultOf(site, "failed", "working tree not clean \u2014 commit or stash first");
         }
-        const branch = branchName("self-updating");
-        await createBranch(site.path, branch);
+        try {
+          original = await currentBranch(site.path);
+        } catch {
+          original = null;
+        }
+        maintBranch = branchName("self-updating");
+        await createBranch(site.path, maintBranch);
         for (const t of templates) {
-          const dest = join13(site.path, t.path);
+          const dest = join14(site.path, t.path);
           await mkdir3(dirname2(dest), { recursive: true });
           await writeFile4(dest, t.contents, "utf-8");
         }
@@ -4047,9 +4314,9 @@ async function selfUpdating(site, deps = {}) {
           "ci: enable self-updating (CI + Renovate auto-merge)"
         );
         if (sha) commits.push(sha);
-        await (deps.pushBranch ?? push)(site.path, branch);
+        await (deps.pushBranch ?? push)(site.path, maintBranch);
         const pr = await github.openPullRequest(repo, {
-          head: branch,
+          head: maintBranch,
           base,
           title: "Enable self-updating (CI + Renovate)",
           body: "Adds the unified CI gate, nightly Renovate, and auto-merge for patch/minor updates."
@@ -4061,8 +4328,10 @@ async function selfUpdating(site, deps = {}) {
       await github.enableRepoAutoMerge(repo);
       actions.push("enabled auto-merge");
     }
-    if (!(await github.branchProtectionContexts(repo, base)).includes(REQUIRED_CHECK)) {
-      await github.protectBranch(repo, base, [REQUIRED_CHECK]);
+    const existingContexts = await github.branchProtectionContexts(repo, base);
+    if (!existingContexts.includes(REQUIRED_CHECK)) {
+      const contexts = [.../* @__PURE__ */ new Set([...existingContexts, REQUIRED_CHECK])];
+      await github.protectBranch(repo, base, contexts);
       actions.push(`required "${REQUIRED_CHECK}" check on ${base}`);
     }
     if (!await github.secretExists(repo, "RENOVATE_TOKEN")) {
@@ -4073,6 +4342,16 @@ async function selfUpdating(site, deps = {}) {
     const done = actions.length ? ` (completed: ${actions.join("; ")})` : "";
     const message = err instanceof Error ? err.message : String(err);
     return resultOf(site, "failed", `${message}${done}`, commits);
+  } finally {
+    if (maintBranch !== null && original !== null && original !== maintBranch) {
+      try {
+        await checkoutBranch(site.path, original);
+      } catch (err) {
+        console.warn(
+          `warning: could not restore branch ${original} after self-updating: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+    }
   }
   return actions.length ? resultOf(site, "applied", actions.join("; "), commits) : resultOf(site, "noop", "already self-updating", commits);
 }
@@ -4091,20 +4370,26 @@ async function runSelfUpdatingCommand(site, opts) {
     ...opts.fleet !== void 0 ? { fleet: opts.fleet } : {},
     cwd
   });
+  let skipped = [];
   if (opts.fleet) {
-    const workdir = opts.workdir ?? `${process.env.HOME ?? ""}/.reddoor-maint/sites`;
-    sites = await Promise.all(sites.map((s) => cloneIfNeeded(s, { workdir })));
+    const workdir = opts.workdir ?? fleetWorkdir();
+    const prep = await prepareFleetSites(sites, { workdir });
+    sites = prep.prepared;
+    skipped = prep.skipped;
   }
   if (opts.dry) {
     return {
-      output: sites.map((s) => `[${s.name ?? s.path}] would enable self-updating`).join("\n"),
+      output: appendSkipNotice(
+        sites.map((s) => `[${s.name || s.path}] would enable self-updating`).join("\n"),
+        skipped
+      ),
       code: 0
     };
   }
   const results = [];
   for (const s of sites) results.push(await selfUpdating(s));
   return {
-    output: results.map(formatResult3).join("\n"),
+    output: appendSkipNotice(results.map(formatResult3).join("\n"), skipped),
     code: results.some((r) => r.status === "failed") ? 1 : 0
   };
 }
@@ -4113,7 +4398,7 @@ async function runSelfUpdatingCommand(site, opts) {
 import { resolve as resolve6 } from "path";
 
 // src/recipes/svelte-5/index.ts
-import { join as join19 } from "path";
+import { join as join20 } from "path";
 
 // src/util/pkg.ts
 import { readFile as readFile10, writeFile as writeFile5 } from "fs/promises";
@@ -4161,11 +4446,8 @@ function bumpDep(pkg, name, version2, opts = {}) {
   return next;
 }
 
-// src/recipes/svelte-5/index.ts
-init_spawn();
-
 // src/recipes/svelte-5/step-bump-versions.ts
-import { join as join14 } from "path";
+import { join as join15 } from "path";
 var SVELTE_5_VERSIONS = {
   svelte: "^5.55.5",
   "@sveltejs/kit": "^2.59.0",
@@ -4178,7 +4460,7 @@ var SVELTE_5_VERSIONS = {
   "typescript-svelte-plugin": "^0.3.52"
 };
 async function bumpToSvelte5Versions(cwd) {
-  const pkgPath = join14(cwd, "package.json");
+  const pkgPath = join15(cwd, "package.json");
   const pkg = await readPackageJson(pkgPath);
   let next = pkg;
   for (const [name, version2] of Object.entries(SVELTE_5_VERSIONS)) {
@@ -4191,7 +4473,7 @@ async function bumpToSvelte5Versions(cwd) {
 
 // src/recipes/svelte-5/step-svelte-config.ts
 import { readFile as readFile11, writeFile as writeFile6 } from "fs/promises";
-import { join as join15 } from "path";
+import { join as join16 } from "path";
 var VITE_PLUGIN_PKG = "@sveltejs/vite-plugin-svelte";
 var IMPORT_FROM_VITE_PLUGIN = new RegExp(
   String.raw`^import\s+\{\s*([^}]+?)\s*\}\s+from\s+["']` + VITE_PLUGIN_PKG.replace(/[/]/g, "\\/") + String.raw`["'];?[ \t]*\n`,
@@ -4232,7 +4514,7 @@ function dropPreprocessKey(source) {
   return source.slice(0, m.index) + source.slice(tailIdx).replace(new RegExp(`^${indent}\\n`), "");
 }
 async function migrateSvelteConfig(cwd) {
-  const path = join15(cwd, "svelte.config.js");
+  const path = join16(cwd, "svelte.config.js");
   let src;
   try {
     src = await readFile11(path, "utf-8");
@@ -4248,7 +4530,6 @@ async function migrateSvelteConfig(cwd) {
 }
 
 // src/recipes/svelte-5/step-svelte-migrate.ts
-init_spawn();
 async function runSvelteMigrate(cwd, spawn2 = defaultSpawn) {
   try {
     const { code, stderr } = await spawn2(
@@ -4270,10 +4551,9 @@ async function runSvelteMigrate(cwd, spawn2 = defaultSpawn) {
 }
 
 // src/recipes/svelte-5/step-tailwind-upgrade.ts
-init_spawn();
-import { join as join16 } from "path";
+import { join as join17 } from "path";
 async function upgradeTailwind(cwd, spawn2 = defaultSpawn) {
-  const pkg = await readPackageJson(join16(cwd, "package.json"));
+  const pkg = await readPackageJson(join17(cwd, "package.json"));
   const tailwindVersion = pkg.devDependencies?.tailwindcss ?? pkg.dependencies?.tailwindcss;
   if (!tailwindVersion) return { ran: false, reason: "tailwindcss not installed" };
   if (/^\^?4\./.test(tailwindVersion)) return { ran: false, reason: "already on tailwind 4.x" };
@@ -4295,7 +4575,7 @@ async function upgradeTailwind(cwd, spawn2 = defaultSpawn) {
 
 // src/recipes/svelte-5/step-gotchas.ts
 import { readFile as readFile12, writeFile as writeFile7 } from "fs/promises";
-import { join as join17 } from "path";
+import { join as join18 } from "path";
 import { glob as glob2 } from "tinyglobby";
 
 // src/recipes/svelte-5/codemods/on-event-to-handler.ts
@@ -4641,7 +4921,7 @@ async function planGotchaCodemods(cwd) {
   const changes = [];
   const relPaths = await glob2(SVELTE_GLOBS, { cwd, ignore: IGNORE2, absolute: false });
   for (const rel of relPaths) {
-    const path = join17(cwd, rel);
+    const path = join18(cwd, rel);
     const before = await readFile12(path, "utf-8");
     const after = CODEMODS.reduce((s, fn) => fn(s), before);
     if (after !== before) changes.push({ rel, after });
@@ -4651,13 +4931,12 @@ async function planGotchaCodemods(cwd) {
 async function applyGotchaCodemods(cwd) {
   const changes = await planGotchaCodemods(cwd);
   for (const c of changes) {
-    await writeFile7(join17(cwd, c.rel), c.after, "utf-8");
+    await writeFile7(join18(cwd, c.rel), c.after, "utf-8");
   }
   return { filesChanged: changes.length };
 }
 
 // src/recipes/svelte-5/step-verify.ts
-init_spawn();
 async function verifyMigration(cwd, spawn2 = defaultSpawn) {
   let install;
   try {
@@ -4676,7 +4955,7 @@ async function verifyMigration(cwd, spawn2 = defaultSpawn) {
 
 // src/recipes/svelte-5/step-summary.ts
 import { writeFile as writeFile8 } from "fs/promises";
-import { join as join18 } from "path";
+import { join as join19 } from "path";
 async function writeMigrationSummary(input) {
   const lines = [
     `# Svelte 4 \u2192 5 migration summary`,
@@ -4693,7 +4972,7 @@ async function writeMigrationSummary(input) {
     `- Verify Playwright a11y tests still pass.`
   ];
   const content = lines.join("\n") + "\n";
-  const path = join18(input.cwd, "MIGRATION_SVELTE_5.md");
+  const path = join19(input.cwd, "MIGRATION_SVELTE_5.md");
   await writeFile8(path, content, "utf-8");
   return path;
 }
@@ -4701,7 +4980,7 @@ async function writeMigrationSummary(input) {
 // src/recipes/svelte-5/index.ts
 async function alreadyOnSvelte5(cwd) {
   try {
-    const pkg = await readPackageJson(join19(cwd, "package.json"));
+    const pkg = await readPackageJson(join20(cwd, "package.json"));
     const v = pkg.devDependencies?.svelte ?? pkg.dependencies?.svelte;
     return !!v && /^\^?5\./.test(v);
   } catch {
@@ -4776,9 +5055,12 @@ async function runUpgradeCommand(upgradeName, site, opts = {}) {
     ...opts.fleet !== void 0 ? { fleet: opts.fleet } : {},
     cwd
   });
+  let skipped = [];
   if (opts.fleet) {
-    const workdir = opts.workdir ?? `${process.env.HOME ?? ""}/.reddoor-maint/sites`;
-    sites = await Promise.all(sites.map((s) => cloneIfNeeded(s, { workdir })));
+    const workdir = opts.workdir ?? fleetWorkdir();
+    const prep = await prepareFleetSites(sites, { workdir });
+    sites = prep.prepared;
+    skipped = prep.skipped;
   }
   const results = [];
   for (const s of sites) {
@@ -4788,7 +5070,7 @@ async function runUpgradeCommand(upgradeName, site, opts = {}) {
   }
   const output = results.map(formatResult4).join("\n");
   const code = results.some((r) => r.status === "failed") ? 1 : 0;
-  return { output, code };
+  return { output: appendSkipNotice(output, skipped), code };
 }
 
 // src/cli/commands/convert-to-pnpm.ts
@@ -4796,8 +5078,7 @@ import { resolve as resolve7 } from "path";
 
 // src/recipes/convert-to-pnpm.ts
 import { rm as rm3, stat as stat4 } from "fs/promises";
-import { join as join20 } from "path";
-init_spawn();
+import { join as join21 } from "path";
 
 // src/recipes/convert-to-pnpm/script-rewrites.ts
 function rewriteScriptForPnpm(script) {
@@ -4830,9 +5111,9 @@ async function exists3(path) {
 async function convertToPnpm(site, opts = {}) {
   const spawn2 = opts.spawn ?? defaultSpawn;
   const pnpmVersion = opts.pnpmVersion ?? DEFAULT_PNPM_VERSION;
-  const pnpmLockPath = join20(site.path, "pnpm-lock.yaml");
-  const npmLockPath = join20(site.path, "package-lock.json");
-  const yarnLockPath = join20(site.path, "yarn.lock");
+  const pnpmLockPath = join21(site.path, "pnpm-lock.yaml");
+  const npmLockPath = join21(site.path, "package-lock.json");
+  const yarnLockPath = join21(site.path, "yarn.lock");
   return withRecipe({
     name: "convert-to-pnpm",
     site,
@@ -4855,7 +5136,7 @@ async function convertToPnpm(site, opts = {}) {
       if (hasYarnLock) await rm3(yarnLockPath, { force: true });
       const sourceLock = hasNpmLock ? "package-lock.json" : "yarn.lock";
       await commit2(`chore(pnpm): remove ${sourceLock}`);
-      const pkgPath = join20(cwd, "package.json");
+      const pkgPath = join21(cwd, "package.json");
       const pkg = await readPackageJson(pkgPath);
       const next = { ...pkg, packageManager: `pnpm@${pnpmVersion}` };
       if (pkg.scripts && typeof pkg.scripts === "object") {
@@ -4868,7 +5149,7 @@ async function convertToPnpm(site, opts = {}) {
       }
       await writePackageJson(pkgPath, next);
       await commit2("chore(pnpm): pin packageManager + rewrite npm scripts");
-      await rm3(join20(cwd, "node_modules"), { recursive: true, force: true });
+      await rm3(join21(cwd, "node_modules"), { recursive: true, force: true });
       const installResult = await spawn2("pnpm", ["install"], { cwd, streaming: true });
       if (installResult.code !== 0) {
         return { kind: "failed", notes: `pnpm install failed (exit ${installResult.code})` };
@@ -4893,15 +5174,18 @@ async function runConvertToPnpmCommand(site, opts) {
     ...opts.fleet !== void 0 ? { fleet: opts.fleet } : {},
     cwd
   });
+  let skipped = [];
   if (opts.fleet) {
-    const workdir = opts.workdir ?? `${process.env.HOME ?? ""}/.reddoor-maint/sites`;
-    sites = await Promise.all(sites.map((s) => cloneIfNeeded(s, { workdir })));
+    const workdir = opts.workdir ?? fleetWorkdir();
+    const prep = await prepareFleetSites(sites, { workdir });
+    sites = prep.prepared;
+    skipped = prep.skipped;
   }
   const results = [];
   for (const s of sites) results.push(await convertToPnpm(s));
   const output = results.map(formatResult5).join("\n");
   const code = results.some((r) => r.status === "failed") ? 1 : 0;
-  return { output, code };
+  return { output: appendSkipNotice(output, skipped), code };
 }
 
 // src/cli/commands/onboard.ts
@@ -4909,18 +5193,17 @@ import { resolve as resolve8 } from "path";
 
 // src/recipes/onboard.ts
 import { stat as stat5 } from "fs/promises";
-import { join as join22 } from "path";
-init_spawn();
+import { join as join23 } from "path";
 
 // src/util/self-version.ts
 import { readFileSync as readFileSync2, existsSync as existsSync2 } from "fs";
 import { fileURLToPath } from "url";
-import { dirname as dirname3, join as join21 } from "path";
+import { dirname as dirname3, join as join22 } from "path";
 function selfPackageVersion(callerImportMetaUrl) {
   try {
     let dir = dirname3(fileURLToPath(callerImportMetaUrl));
     while (true) {
-      const candidate = join21(dir, "package.json");
+      const candidate = join22(dir, "package.json");
       if (existsSync2(candidate)) {
         const raw = readFileSync2(candidate, "utf-8");
         const pkg = JSON.parse(raw);
@@ -4991,13 +5274,13 @@ async function onboard(site, opts = {}) {
     name: "onboard",
     site,
     plan: async () => {
-      if (!await exists4(join22(site.path, "pnpm-lock.yaml"))) {
+      if (!await exists4(join23(site.path, "pnpm-lock.yaml"))) {
         return {
           kind: "failed",
           notes: "no pnpm-lock.yaml at site root \u2014 run convert-to-pnpm first"
         };
       }
-      const pkgPath = join22(site.path, "package.json");
+      const pkgPath = join23(site.path, "package.json");
       const pkg = await readPackageJson(pkgPath);
       const toAdd = [];
       if (!isDeclared(pkg, PACKAGE_NAME)) {
@@ -5020,7 +5303,7 @@ async function onboard(site, opts = {}) {
       return { kind: "apply", plan: { pkg, toAdd } };
     },
     apply: async ({ pkg, toAdd }, { commit: commit2, cwd }) => {
-      const pkgPath = join22(cwd, "package.json");
+      const pkgPath = join23(cwd, "package.json");
       let next = pkg;
       for (const dep of toAdd) {
         next = bumpDep(next, dep.name, dep.version);
@@ -5071,9 +5354,12 @@ async function runOnboardCommand(site, opts) {
     ...opts.fleet !== void 0 ? { fleet: opts.fleet } : {},
     cwd
   });
+  let skipped = [];
   if (opts.fleet) {
-    const workdir = opts.workdir ?? `${process.env.HOME ?? ""}/.reddoor-maint/sites`;
-    sites = await Promise.all(sites.map((s) => cloneIfNeeded(s, { workdir })));
+    const workdir = opts.workdir ?? fleetWorkdir();
+    const prep = await prepareFleetSites(sites, { workdir });
+    sites = prep.prepared;
+    skipped = prep.skipped;
   }
   const results = [];
   for (const s of sites) {
@@ -5081,7 +5367,7 @@ async function runOnboardCommand(site, opts) {
   }
   const output = results.map(formatResult6).join("\n");
   const code = results.some((r) => r.status === "failed") ? 1 : 0;
-  return { output, code };
+  return { output: appendSkipNotice(output, skipped), code };
 }
 
 // src/cli/commands/svelte-codemods.ts
@@ -5089,7 +5375,7 @@ import { resolve as resolve9 } from "path";
 
 // src/recipes/svelte-codemods.ts
 import { writeFile as writeFile9 } from "fs/promises";
-import { join as join23 } from "path";
+import { join as join24 } from "path";
 async function svelteCodemods(site) {
   return withRecipe({
     name: "svelte-codemods",
@@ -5103,7 +5389,7 @@ async function svelteCodemods(site) {
     },
     apply: async (changes, { commit: commit2, cwd }) => {
       for (const c of changes) {
-        await writeFile9(join23(cwd, c.rel), c.after, "utf-8");
+        await writeFile9(join24(cwd, c.rel), c.after, "utf-8");
       }
       await commit2(`refactor(svelte5): apply codemods (${changes.length} files)`);
       return { kind: "ok" };
@@ -5125,15 +5411,18 @@ async function runSvelteCodemodsCommand(site, opts) {
     ...opts.fleet !== void 0 ? { fleet: opts.fleet } : {},
     cwd
   });
+  let skipped = [];
   if (opts.fleet) {
-    const workdir = opts.workdir ?? `${process.env.HOME ?? ""}/.reddoor-maint/sites`;
-    sites = await Promise.all(sites.map((s) => cloneIfNeeded(s, { workdir })));
+    const workdir = opts.workdir ?? fleetWorkdir();
+    const prep = await prepareFleetSites(sites, { workdir });
+    sites = prep.prepared;
+    skipped = prep.skipped;
   }
   const results = [];
   for (const s of sites) results.push(await svelteCodemods(s));
   const output = results.map(formatResult7).join("\n");
   const code = results.some((r) => r.status === "failed") ? 1 : 0;
-  return { output, code };
+  return { output: appendSkipNotice(output, skipped), code };
 }
 
 // src/cli/commands/report.ts
@@ -5179,8 +5468,15 @@ function findDueReports(websites, reports, today) {
   for (const site of websites) {
     if (site.status !== null && !ELIGIBLE_STATUSES.has(site.status)) continue;
     for (const type of ["Maintenance", "Testing"]) {
-      const freq = type === "Maintenance" ? site.maintenanceFreq : site.testingFreq;
-      if (freq === "None") continue;
+      const rawFreq = type === "Maintenance" ? site.maintenanceFreq : site.testingFreq;
+      const freq = typeof rawFreq === "string" ? rawFreq.trim() : rawFreq;
+      if (freq === "None" || freq === "") continue;
+      if (!(freq in MONTHS)) {
+        console.warn(
+          `\u26A0 ${site.name}: unrecognized ${type === "Maintenance" ? "maintenance" : "testing"} frequency '${rawFreq}' \u2014 not scheduling; fix the Airtable value`
+        );
+        continue;
+      }
       const lastSent = lastSentForType(reports, site.id, type);
       const fallback = type === "Maintenance" ? site.maintenanceDay : site.testingDay;
       const baseIso = lastSent ?? fallback;
@@ -5214,11 +5510,11 @@ import { dirname as dirname6 } from "path";
 
 // src/reports/ga/config.ts
 init_credentials();
-import { dirname as dirname5, join as join25 } from "path";
+import { dirname as dirname5, join as join26 } from "path";
 function readGaConfig() {
   const subject = process.env.GA_SUBJECT?.trim();
   if (!subject) return null;
-  const keyPath = process.env.GA_SA_KEY_PATH?.trim() || join25(dirname5(defaultCredentialsPath()), "ga-service-account.json");
+  const keyPath = process.env.GA_SA_KEY_PATH?.trim() || join26(dirname5(defaultCredentialsPath()), "ga-service-account.json");
   return { subject, keyPath };
 }
 
@@ -5377,6 +5673,10 @@ async function draftReportForSite(base, siteRow, reportType, options = {}) {
     return { reportRow: null, htmlPath: path, html, softFailures };
   }
   if (base === null) throw new Error("base required when previewOnly=false");
+  if (options.completeRowId) {
+    await finishDraftRow(base, options.completeRowId, slug, periodEnd, html);
+    return { reportRow: options.existingRow ?? null, htmlPath: null, html, softFailures };
+  }
   const reportId = `${siteRow.name} \u2014 ${reportType} \u2014 ${periodEnd.toISOString().slice(0, 10)}`;
   const created = await createDraft(base, {
     reportId,
@@ -5392,11 +5692,14 @@ async function draftReportForSite(base, siteRow, reportType, options = {}) {
     ...search ? { searchFoundPage1: search.foundOnPage1 } : {},
     ...search?.foundOnPage1 && search.position !== null ? { searchPosition: search.position } : {}
   });
-  const htmlFilename = `${slug}-${periodEnd.toISOString().slice(0, 10)}.html`;
-  await uploadAttachment(created.id, "Rendered HTML", html, htmlFilename, "text/html");
-  await setDraftReady(base, created.id, true);
+  await finishDraftRow(base, created.id, slug, periodEnd, html);
   return { reportRow: created, htmlPath: null, html, softFailures };
 }
+async function finishDraftRow(base, rowId, slug, periodEnd, html) {
+  const htmlFilename = `${slug}-${periodEnd.toISOString().slice(0, 10)}.html`;
+  await uploadAttachment(rowId, "Rendered HTML", html, htmlFilename, "text/html");
+  await setDraftReady(base, rowId, true);
+}
 var NO_ENRICHMENT = { value: null, softFailed: false };
 async function fetchGaUsers(siteRow, periodStart, periodEnd) {
   const cfg = readGaConfig();
@@ -5484,12 +5787,39 @@ async function draftDueReports(base, today) {
   let skipped = 0;
   for (const item of due) {
     const period = reportPeriodKey(item.dueDate);
-    const already = reports.some(
+    const existing = reports.find(
       (r) => r.siteId === item.site.id && r.reportType === item.reportType && r.period === period
     );
-    if (already) {
+    if (existing) {
+      if (existing.draftReady) {
+        skipped++;
+        lines.push(`\u2022 skipped (already drafted ${period}): ${item.site.name} ${item.reportType}`);
+        continue;
+      }
+      try {
+        const result = await draftReportForSite(base, item.site, item.reportType, {
+          period,
+          completeRowId: existing.id,
+          existingRow: existing
+        });
+        existing.draftReady = true;
+        lines.push(
+          `\u2713 completed half-made draft: ${result.reportRow?.reportId ?? existing.reportId}`
+        );
+        if (result.softFailures.length > 0) softFailedSites++;
+      } catch (e) {
+        lines.push(`\u2717 failed: ${item.site.name} ${item.reportType} \u2014 ${e.message}`);
+      }
+      continue;
+    }
+    const pendingEarlier = reports.find(
+      (r) => r.siteId === item.site.id && r.reportType === item.reportType && r.sentAt === null && r.period !== null && r.period < period
+    );
+    if (pendingEarlier) {
       skipped++;
-      lines.push(`\u2022 skipped (already drafted ${period}): ${item.site.name} ${item.reportType}`);
+      lines.push(
+        `\u2022 skipped: ${item.site.name} ${item.reportType} already has an unsent ${pendingEarlier.period} draft pending approval`
+      );
       continue;
     }
     try {
@@ -5502,7 +5832,7 @@ async function draftDueReports(base, today) {
     }
   }
   if (skipped > 0) {
-    lines.push(`\u2022 ${skipped} already drafted this period`);
+    lines.push(`\u2022 ${skipped} already drafted or pending this period`);
   }
   if (softFailedSites > 0) {
     lines.push(
@@ -5532,7 +5862,7 @@ import { resolve as resolve10 } from "path";
 
 // src/recipes/a11y-fixtures-page/index.ts
 import { access, mkdir as mkdir5, writeFile as writeFile11 } from "fs/promises";
-import { dirname as dirname7, join as join26 } from "path";
+import { dirname as dirname7, join as join27 } from "path";
 
 // src/recipes/a11y-fixtures-page/template.ts
 var A11Y_FIXTURES_PAGE_RELATIVE = "src/routes/dev/a11y-fixtures/+page.svelte";
@@ -5583,7 +5913,7 @@ async function fileExists(path) {
   }
 }
 async function a11yFixturesPage(site) {
-  const target = join26(site.path, A11Y_FIXTURES_PAGE_RELATIVE);
+  const target = join27(site.path, A11Y_FIXTURES_PAGE_RELATIVE);
   return withRecipe({
     name: "a11y-fixtures-page",
     site,
@@ -5678,15 +6008,18 @@ async function runInitCommand(site, opts) {
     ...opts.fleet !== void 0 ? { fleet: opts.fleet } : {},
     cwd
   });
+  let skipped = [];
   if (opts.fleet) {
-    const workdir = opts.workdir ?? `${process.env.HOME ?? ""}/.reddoor-maint/sites`;
-    sites = await Promise.all(sites.map((s) => cloneIfNeeded(s, { workdir })));
+    const workdir = opts.workdir ?? fleetWorkdir();
+    const prep = await prepareFleetSites(sites, { workdir });
+    sites = prep.prepared;
+    skipped = prep.skipped;
   }
   const results = [];
   for (const s of sites) results.push(await init(s));
   const output = results.map(formatResult8).join("\n\n");
   const code = results.some((r) => exitCodeFor(r) !== 0) ? 1 : 0;
-  return { output, code };
+  return { output: appendSkipNotice(output, skipped), code };
 }
 
 // src/cli/commands/launch.ts
@@ -5755,7 +6088,12 @@ async function launch(site, deps = {}) {
   let report;
   try {
     const existing = await findReportByPeriod(base, target.id, "Launch", period);
-    report = existing ?? await createDraft(base, draftInputFor(target, scores, today, period));
+    if (existing) {
+      await updateReportScores(base, existing.id, scores, today);
+      report = existing;
+    } else {
+      report = await createDraft(base, draftInputFor(target, scores, today, period));
+    }
   } catch (err) {
     steps.push({ name: "draft", result: errorOf(err) });
     return stop();
@@ -5849,8 +6187,16 @@ async function runLaunchCommand(site, opts) {
 init_client();
 init_websites();
 
+// src/alerts/renovate.ts
+var RENOVATE_HEAD_PREFIXES = ["renovate/", "renovate-"];
+function isRenovatePR(pr) {
+  return RENOVATE_HEAD_PREFIXES.some((p) => pr.headRef.startsWith(p));
+}
+function isFailingRenovatePR(pr) {
+  return isRenovatePR(pr) && pr.ciState === "failing";
+}
+
 // src/audits/github-signals.ts
-init_renovate();
 async function collectGitHubSignals(sites, deps, onSkip = () => {
 }) {
   const rows = [];
@@ -5877,8 +6223,10 @@ async function collectGitHubSignals(sites, deps, onSkip = () => {
 }
 
 // src/cli/commands/github-signals.ts
-init_gh();
 init_write_audits_to_airtable();
+function githubSignalsExitCode(written, failed) {
+  return failed > written ? 1 : 0;
+}
 async function runGitHubSignalsCommand(opts) {
   if (!opts.fleet || !opts.writeAirtable) {
     return { output: "github-signals currently supports only --fleet --write-airtable", code: 2 };
@@ -5935,18 +6283,18 @@ async function runGitHubSignalsCommand(opts) {
   for (const repo of skipped) result.failed.push({ slug: repo, error: "probe failed (skipped)" });
   return {
     output: formatFleetWriteSummary(result),
-    code: result.failed.length > 0 && result.written.length === 0 ? 1 : 0
+    code: githubSignalsExitCode(result.written.length, result.failed.length)
   };
 }
 
 // src/cli/version.ts
 import { readFileSync as readFileSync5, existsSync as existsSync4 } from "fs";
-import { dirname as dirname8, join as join27 } from "path";
+import { dirname as dirname8, join as join28 } from "path";
 function resolvePackageVersion(fromDir) {
   try {
     let dir = fromDir;
     while (true) {
-      const candidate = join27(dir, "package.json");
+      const candidate = join28(dir, "package.json");
       if (existsSync4(candidate)) {
         const raw = readFileSync5(candidate, "utf-8");
         const pkg = JSON.parse(raw);
@@ -5989,7 +6337,8 @@ async function runOrExit(fn, opts) {
   try {
     const { output, code } = await fn();
     console.log(output);
-    process.exit(code);
+    process.exitCode = code;
+    return;
   } catch (err) {
     const e = err;
     console.error(opts.verbose ? e.stack ?? e.message : e.message ?? String(err));
@@ -6110,5 +6459,15 @@ cli.command(
 );
 cli.help();
 cli.version(version);
+cli.on("command:*", () => {
+  const unknown = cli.args[0] ?? process.argv[2] ?? "";
+  console.error(
+    `error: unknown command '${unknown}'. Run 'reddoor-maint --help' to see available commands.`
+  );
+  process.exit(1);
+});
 cli.parse();
+export {
+  runOrExit
+};
 //# sourceMappingURL=bin.js.map