@rizzmyrobot/mochi-cli 0.0.3 → 0.0.5

package/README.md

@@ -174,12 +174,12 @@ explicit-config live Telegram delivery and Bot API polling primitives, tests,
 and planning docs. The local V0 owner proof lives in
 [`docs/runtime/v0-manual-proof.md`](docs/runtime/v0-manual-proof.md).
 
-Mochi still does not publish player packages, host certification, open live HTTP
-ingress by default, expose public dashboard ingress, provide dashboard game
-control panels, run production Prom13us/Rizz play outside compatible-game
-contracts and server-validated proofs, support unsupported games, execute
-arbitrary live MCP tools, provide hosted accounts, or mutate game canon outside
-trusted game-owned validation.
+Mochi still does not publish preferred `@mochi/*` player packages, host
+certification, open live HTTP ingress by default, expose public dashboard
+ingress, provide dashboard game control panels, run production Prom13us/Rizz
+play outside compatible-game contracts and server-validated proofs, support
+unsupported games, execute arbitrary live MCP tools, provide hosted accounts, or
+mutate game canon outside trusted game-owned validation.
 
 Mochi uses the Apache-2.0 license. See `CONTRIBUTING.md`, `SECURITY.md`, and
 `PRIVACY.md` before opening public contributions, reporting vulnerabilities, or
@@ -192,28 +192,34 @@ as a default.
 
 ## Player Install
 
-Mochi is pre-alpha, and package publication is not live yet. The public player
-install path is npm/npx, not cloning the repository and running Bun. Until a
-release publishes trusted packages with provenance, treat these commands as the
-install-ready path under test rather than a live registry claim.
+Mochi is pre-alpha, and the fallback CLI package is registry-proven at
+`@rizzmyrobot/mochi-cli@0.0.4` by trusted publishing plus
+`npm view @rizzmyrobot/mochi-cli@0.0.4` proof. The public player install path is npm/npx,
+not cloning the repository and running Bun.
 
 Because `@mochi/*` npm ownership is not proven, the fallback package scope is
-the current public install target. The intended one-line player install is:
+the current public install target. The one-line player install is:
 
 ```bash
 npm install -g @rizzmyrobot/mochi-cli
 mochi onboard
 ```
 
-`mochi onboard` is the player first-run command. It shows provider choices,
-including MiniMax OAuth and Codex OAuth, and channel choices, including
-Telegram and Discord. MiniMax OAuth, OpenAI API-key refs, Telegram config,
-workspace seed files, local provider credential refs, and local Telegram token
-refs reuse the existing provider auth, configure, proof workspace seed,
-Telegram, Gateway, and secret-store packages. Codex OAuth is exposed as the
-external `codex login` path until Mochi has a Codex OAuth provider runtime.
-Discord is exposed as a product choice, but it does not accept or store Discord
-bot tokens until a Discord runtime package exists.
+`mochi onboard` is the player first-run command. In an interactive terminal it
+runs a real guided setup: choose MiniMax OAuth, OpenAI API key, or Codex OAuth;
+choose Telegram, Discord, or no channel; seed the proof workspace; write local
+runtime config refs; store local secrets; validate Telegram bot tokens with the
+Bot API `getMe` check; and print the exact `mochi talk` / `mochi telegram
+listen` proof commands to run next. Non-interactive `mochi onboard --guide`
+remains a no-write preview for CI, docs, and scripts.
+
+MiniMax OAuth, OpenAI API-key refs, Telegram config, workspace seed files,
+local provider credential refs, and local Telegram token refs reuse the existing
+provider auth, configure, proof workspace seed, Telegram, Gateway, and
+secret-store packages. Codex OAuth runs the external `codex login` path, but it
+is not yet a Mochi provider runtime for `mochi talk`. Discord is exposed as a
+product choice, but it does not accept or store Discord bot tokens until a
+Discord runtime package exists.
 
 npx follows the same fallback scope:
 
@@ -234,16 +240,21 @@ npx @mochi/cli gateway status --dry-run
 mochi onboard
 ```
 
-Current public install `gateway start/status/doctor` commands remain dry-run
-planning proofs. `mochi onboard` may write local workspace seed files, runtime
-config refs, and local secrets only when `--confirm` plus stdin secret flags are
-provided. It does not call providers, run OAuth token exchange, poll Telegram,
-send Telegram messages, connect Discord, connect games, submit production
-intents, or change game canon. The separate credentialed `talk` command can
-call a selected model provider for a local Mochi reply; contributor/runtime docs
-describe the local owner proof for credentialed provider and Telegram
-conversation, and the mock-game proof exercises a fixture provider response
-plus a trusted local adapter receipt.
+Current public install `gateway start --profile local --foreground` can start
+the proven local loopback Gateway; `gateway status` and `gateway doctor` can
+probe that local service. Dry-run planning remains available for setup review,
+and `gateway install-service --confirm` can write/remove reviewed local launchd
+or gated VPS systemd files without loading or starting them. Interactive
+`mochi onboard` may write local workspace seed files, runtime config refs, and
+local secrets; MiniMax OAuth may open a browser, start a loopback callback
+server, and call the provider token endpoint; Telegram setup may call only the
+Bot API `getMe` validation endpoint. It does not call model providers, poll
+Telegram, send Telegram messages, connect Discord, connect production games,
+submit production intents, or change game canon. The separate credentialed
+`talk` command can call a selected model provider for a local Mochi reply;
+contributor/runtime docs describe the local owner proof for credentialed
+provider and Telegram conversation, and the mock-game proof exercises a fixture
+provider response plus a trusted local adapter receipt.
 
 The local laptop Gateway install flow lives in
 [`docs/gateway/local-install.md`](docs/gateway/local-install.md).