cleargate 0.11.5 → 0.13.0

package/dist/cli.js

@@ -3,8 +3,9 @@ import {
   checkVerbMismatch,
   parseFrontmatter,
   reconcileDecomposition,
-  reconcileLifecycle
-} from "./chunk-HZPJ5QX4.js";
+  reconcileLifecycle,
+  walkActiveParents
+} from "./chunk-EG6YGT2O.js";
 import {
   AcquireError,
   acquireAccessToken,
@@ -22,7 +23,7 @@ import { Command } from "commander";
 // package.json
 var package_default = {
   name: "cleargate",
-  version: "0.11.5",
+  version: "0.13.0",
   private: false,
   type: "module",
   description: "Planning framework for Claude Code agents \u2014 sprint/epic/story protocol, five-role agent team (architect/developer/qa/devops/reporter), Karpathy-style awareness wiki.",
@@ -69,12 +70,11 @@ var package_default = {
     build: "tsup",
     dev: "tsup --watch",
     typecheck: "tsc --noEmit",
-    test: "tsx --test --test-reporter=spec 'test/**/*.node.test.ts'",
-    "test:file": "tsx --test --test-reporter=spec",
-    "test:vitest": "npm run build && vitest run",
-    "test:vitest:watch": "vitest",
-    "test:node": "tsx --test --test-reporter=spec 'test/**/*.node.test.ts'",
-    "test:node:file": "tsx --test --test-reporter=spec"
+    test: "tsx --test --test-concurrency=1 --experimental-test-module-mocks --test-reporter=spec 'test/**/*.node.test.ts' '!test/fixtures/**'",
+    "test:file": "tsx --test --test-concurrency=1 --experimental-test-module-mocks --test-reporter=spec",
+    "test:node": "tsx --test --test-concurrency=1 --experimental-test-module-mocks --test-reporter=spec 'test/**/*.node.test.ts' '!test/fixtures/**'",
+    "test:node:file": "tsx --test --test-concurrency=1 --experimental-test-module-mocks --test-reporter=spec",
+    "check:no-vitest": `node -e "const r=require('child_process').execSync('grep -rE \\"\\\\b(vitest|vi\\\\.fn|vi\\\\.mock|vi\\\\.spyOn|vi\\\\.stubGlobal|vi\\\\.useFakeTimers|vi\\\\.useRealTimers|vi\\\\.advanceTimersByTime|vi\\\\.hoisted)\\\\b\\" --include=\\"*.ts\\" --include=\\"*.js\\" --include=\\"*.mjs\\" --exclude-dir=test/fixtures . 2>/dev/null || true', {encoding:'utf8'}); if(r.trim()){console.error('vitest residue detected:\\\\n'+r); process.exit(1)} console.log('no vitest residue')"`
   },
   dependencies: {
     "@napi-rs/keyring": "^1.2.0",
@@ -89,10 +89,10 @@ var package_default = {
     "@types/js-yaml": "^4.0.9",
     "@types/node": "^24.0.0",
     "@types/pg": "^8.11.10",
+    "ts-morph": "28.0.0",
     tsup: "^8",
     tsx: "^4.21.0",
-    typescript: "^5.8.0",
-    vitest: "^2.1.0"
+    typescript: "^5.8.0"
   }
 };
 
@@ -1485,6 +1485,24 @@ var PREFIX_MAP = [
   { prefix: "BUG-", type: "bug", bucket: "bugs" },
   { prefix: "INITIATIVE-", type: "initiative", bucket: "initiatives" }
 ];
+var SPRINT_REPORT_FILENAMES = ["REPORT.md"];
+var SPRINT_REPORT_CANONICAL_RE = /^SPRINT-\d{2,}_REPORT\.md$/;
+function isSprintReportPath(relPath) {
+  const normalised = relPath.replace(/\\/g, "/");
+  const match = /\.cleargate\/sprint-runs\/(SPRINT-\d{2,})\/([^/]+)$/.exec(normalised);
+  if (!match) return false;
+  const filename = match[2];
+  return SPRINT_REPORT_FILENAMES.includes(filename) || SPRINT_REPORT_CANONICAL_RE.test(filename);
+}
+function deriveBucketFromReportPath(relPath) {
+  const normalised = relPath.replace(/\\/g, "/");
+  const match = /\.cleargate\/sprint-runs\/(SPRINT-\d{2,})\//.exec(normalised);
+  if (!match) {
+    throw new Error(`deriveBucketFromReportPath: cannot extract SPRINT-NN from: ${relPath}`);
+  }
+  const id = match[1];
+  return { type: "sprint", id, bucket: "sprints" };
+}
 function deriveBucket(filename) {
   const base = filename.includes("/") ? filename.split("/").pop() : filename;
   const stem = base.endsWith(".md") ? base.slice(0, -3) : base;
@@ -1605,6 +1623,12 @@ function serializePage(page, body) {
   if (page.sprint_cleargate_id !== void 0) {
     lines.push(`sprint_cleargate_id: "${page.sprint_cleargate_id}"`);
   }
+  if (page.report_raw_path !== void 0) {
+    lines.push(`report_raw_path: "${page.report_raw_path}"`);
+  }
+  if (page.last_report_ingest_commit !== void 0) {
+    lines.push(`last_report_ingest_commit: "${page.last_report_ingest_commit}"`);
+  }
   lines.push("---");
   const fm = lines.join("\n");
   return `${fm}
@@ -1627,7 +1651,9 @@ function parsePage(raw) {
   const last_contradict_sha = fm["last_contradict_sha"] !== void 0 ? String(fm["last_contradict_sha"]) : void 0;
   const parent_cleargate_id = fm["parent_cleargate_id"] !== void 0 ? String(fm["parent_cleargate_id"]) : void 0;
   const sprint_cleargate_id = fm["sprint_cleargate_id"] !== void 0 ? String(fm["sprint_cleargate_id"]) : void 0;
-  return { type, id, parent, children, status, remote_id, raw_path, last_ingest, last_ingest_commit, repo, last_contradict_sha, parent_cleargate_id, sprint_cleargate_id };
+  const report_raw_path = fm["report_raw_path"] !== void 0 ? String(fm["report_raw_path"]) : void 0;
+  const last_report_ingest_commit = fm["last_report_ingest_commit"] !== void 0 ? String(fm["last_report_ingest_commit"]) : void 0;
+  return { type, id, parent, children, status, remote_id, raw_path, last_ingest, last_ingest_commit, repo, last_contradict_sha, parent_cleargate_id, sprint_cleargate_id, report_raw_path, last_report_ingest_commit };
 }
 function parseFmRaw(raw) {
   const lines = raw.split("\n");
@@ -3146,28 +3172,33 @@ async function wikiIngestHandler(opts) {
   const rawPath = opts.rawPath;
   const absRawPath = path17.isAbsolute(rawPath) ? rawPath : path17.resolve(cwd, rawPath);
   const relRawPath = path17.relative(cwd, absRawPath).replace(/\\/g, "/");
-  const deliveryRoot = path17.join(cwd, ".cleargate", "delivery");
-  const deliveryRootNorm = deliveryRoot.replace(/\\/g, "/");
-  const absDeliveryRoot = deliveryRoot;
-  const relToDelivery = path17.relative(absDeliveryRoot, absRawPath);
-  if (relToDelivery.startsWith("..") || path17.isAbsolute(relToDelivery)) {
-    stderr(`wiki ingest: ${rawPath} not under .cleargate/delivery/
+  const isSprintReport = isSprintReportPath(relRawPath);
+  if (!isSprintReport) {
+    const deliveryRoot = path17.join(cwd, ".cleargate", "delivery");
+    const absDeliveryRoot = deliveryRoot;
+    const relToDelivery = path17.relative(absDeliveryRoot, absRawPath);
+    if (relToDelivery.startsWith("..") || path17.isAbsolute(relToDelivery)) {
+      stderr(`wiki ingest: ${rawPath} not under .cleargate/delivery/
 `);
-    exit(2);
-    return;
-  }
-  void deliveryRootNorm;
-  const isExcluded = EXCLUDED_SUFFIXES2.some((excl) => relRawPath.startsWith(excl));
-  if (isExcluded) {
-    stdout(`wiki ingest: ${rawPath} excluded (skip)
+      exit(2);
+      return;
+    }
+    const isExcluded = EXCLUDED_SUFFIXES2.some((excl) => relRawPath.startsWith(excl));
+    if (isExcluded) {
+      stdout(`wiki ingest: ${rawPath} excluded (skip)
 `);
-    exit(0);
-    return;
+      exit(0);
+      return;
+    }
   }
   const filename = path17.basename(absRawPath);
   let bucketInfo;
   try {
-    bucketInfo = deriveBucket(filename);
+    if (isSprintReport) {
+      bucketInfo = deriveBucketFromReportPath(relRawPath);
+    } else {
+      bucketInfo = deriveBucket(filename);
+    }
   } catch (e) {
     stderr(`wiki ingest: cannot determine bucket for ${rawPath}: ${e.message}
 `);
@@ -3210,16 +3241,26 @@ async function wikiIngestHandler(opts) {
   }
   const currentSha = getGitSha(absRawPath, gitRunner) ?? "";
   const pageExists = fs17.existsSync(pagePath);
-  if (pageExists && currentSha !== "") {
-    let isNoOp = false;
+  let existingPage;
+  if (pageExists) {
     try {
       const existingPageContent = fs17.readFileSync(pagePath, "utf8");
-      const existingPage = parsePage(existingPageContent);
-      if (existingPage.last_ingest_commit === currentSha) {
-        const contentUnchanged = checkContentUnchanged(absRawPath, currentSha, relRawPath, gitRunner);
-        if (contentUnchanged) {
+      existingPage = parsePage(existingPageContent);
+    } catch {
+    }
+  }
+  if (existingPage !== void 0 && currentSha !== "") {
+    let isNoOp = false;
+    try {
+      if (isSprintReport) {
+        if (existingPage.last_report_ingest_commit === currentSha) {
           isNoOp = true;
         }
+      } else {
+        if (existingPage.last_ingest_commit === currentSha) {
+          const contentUnchanged = checkContentUnchanged(absRawPath, currentSha, relRawPath, gitRunner);
+          if (contentUnchanged) isNoOp = true;
+        }
       }
     } catch {
     }
@@ -3231,36 +3272,53 @@ async function wikiIngestHandler(opts) {
     }
   }
   const action = pageExists ? "update" : "create";
-  let existingLastContradictSha;
-  if (pageExists) {
-    try {
-      const existingPageContent = fs17.readFileSync(pagePath, "utf8");
-      const existingPage = parsePage(existingPageContent);
-      existingLastContradictSha = existingPage.last_contradict_sha;
-    } catch {
-    }
-  }
+  const timestamp = now();
+  const existingLastContradictSha = existingPage?.last_contradict_sha;
+  const existingReportRawPath = existingPage?.report_raw_path;
+  const existingLastReportIngestCommit = existingPage?.last_report_ingest_commit;
   const parent = buildParentRef2(fm);
   const children = buildChildrenRefs2(fm);
-  const timestamp = now();
   const wikiPage = {
     type,
     id,
-    parent,
-    children,
-    status: String(fm["status"] ?? ""),
-    remote_id: String(fm["remote_id"] ?? ""),
-    raw_path: relRawPath,
+    parent: isSprintReport ? existingPage?.parent ?? "" : parent,
+    children: isSprintReport ? existingPage?.children ?? [] : children,
+    status: isSprintReport ? existingPage?.status ?? String(fm["status"] ?? "") : String(fm["status"] ?? ""),
+    remote_id: isSprintReport ? existingPage?.remote_id ?? String(fm["remote_id"] ?? "") : String(fm["remote_id"] ?? ""),
+    // raw_path tracks the plan file path; for report-only ingest preserve existing or use relRawPath as fallback
+    raw_path: isSprintReport ? existingPage?.raw_path ?? relRawPath : relRawPath,
     last_ingest: timestamp,
-    last_ingest_commit: currentSha,
+    // last_ingest_commit tracks the plan source; preserve when re-ingesting report
+    last_ingest_commit: isSprintReport ? existingPage?.last_ingest_commit ?? "" : currentSha,
     repo,
     // Carry forward last_contradict_sha so Phase 4 idempotency survives re-ingest
     ...existingLastContradictSha !== void 0 ? { last_contradict_sha: existingLastContradictSha } : {},
-    // Hierarchy keys (§11.7): read from raw fm — stamped at raw-side, not wiki-side
-    ...typeof fm["parent_cleargate_id"] === "string" ? { parent_cleargate_id: fm["parent_cleargate_id"] } : {},
-    ...typeof fm["sprint_cleargate_id"] === "string" ? { sprint_cleargate_id: fm["sprint_cleargate_id"] } : {}
+    // Hierarchy keys (§11.7): read from raw fm for plan ingest; preserve for report ingest
+    ...isSprintReport ? existingPage?.parent_cleargate_id !== void 0 ? { parent_cleargate_id: existingPage.parent_cleargate_id } : {} : typeof fm["parent_cleargate_id"] === "string" ? { parent_cleargate_id: fm["parent_cleargate_id"] } : {},
+    ...isSprintReport ? existingPage?.sprint_cleargate_id !== void 0 ? { sprint_cleargate_id: existingPage.sprint_cleargate_id } : {} : typeof fm["sprint_cleargate_id"] === "string" ? { sprint_cleargate_id: fm["sprint_cleargate_id"] } : {},
+    // CR-063 sprint-report fields
+    report_raw_path: isSprintReport ? relRawPath : existingReportRawPath ?? void 0,
+    last_report_ingest_commit: isSprintReport ? currentSha : existingLastReportIngestCommit ?? void 0
   };
-  const pageBody = buildPageBody2({ id, fm, body });
+  let existingPageBody = "";
+  if (existingPage !== void 0 && pageExists) {
+    try {
+      const existingPageContent = fs17.readFileSync(pagePath, "utf8");
+      const lines = existingPageContent.split("\n");
+      let closingDash = -1;
+      for (let i = 1; i < lines.length; i++) {
+        if (lines[i] === "---") {
+          closingDash = i;
+          break;
+        }
+      }
+      if (closingDash !== -1) {
+        existingPageBody = lines.slice(closingDash + 1).join("\n").replace(/^\n/, "");
+      }
+    } catch {
+    }
+  }
+  const pageBody = buildPageBody2({ id, fm, body, isSprintReport, existingPageBody });
   const pageContent = serializePage(wikiPage, pageBody);
   fs17.mkdirSync(pageDir, { recursive: true });
   fs17.writeFileSync(pagePath, pageContent, "utf8");
@@ -3338,7 +3396,37 @@ function buildChildrenRefs2(fm) {
     return `[[${s}]]`;
   });
 }
+function extractReportBlock(pageBody) {
+  const beginMarker = "<!-- BEGIN sprint-report -->";
+  const endMarker = "<!-- END sprint-report -->";
+  const beginIdx = pageBody.indexOf(beginMarker);
+  const endIdx = pageBody.indexOf(endMarker);
+  if (beginIdx === -1 || endIdx === -1 || endIdx <= beginIdx) return void 0;
+  return pageBody.slice(beginIdx, endIdx + endMarker.length);
+}
+function extractPlanStub(pageBody) {
+  const beginMarker = "<!-- BEGIN sprint-report -->";
+  const beginIdx = pageBody.indexOf(beginMarker);
+  if (beginIdx === -1) return pageBody;
+  return pageBody.slice(0, beginIdx);
+}
 function buildPageBody2(item) {
+  const { isSprintReport, existingPageBody } = item;
+  if (isSprintReport) {
+    const planStub = existingPageBody ? extractPlanStub(existingPageBody) : buildPlanStub(item);
+    const reportBlock = buildReportBlock(item.body);
+    return planStub + reportBlock;
+  } else {
+    const planStub = buildPlanStub(item);
+    const existingReportBlock = existingPageBody ? extractReportBlock(existingPageBody) : void 0;
+    if (existingReportBlock !== void 0) {
+      const stub = planStub.trimEnd() + "\n\n";
+      return stub + existingReportBlock + "\n";
+    }
+    return planStub;
+  }
+}
+function buildPlanStub(item) {
   const title = String(item.fm["title"] ?? item.id);
   const summary = String(
     item.fm["description"] ?? item.body.split("\n")[0] ?? "No summary available."
@@ -3362,6 +3450,16 @@ function buildPageBody2(item) {
     ""
   ].join("\n");
 }
+function buildReportBlock(reportBody) {
+  return [
+    "<!-- BEGIN sprint-report -->",
+    "## Sprint Report",
+    "",
+    reportBody.trim(),
+    "<!-- END sprint-report -->",
+    ""
+  ].join("\n");
+}
 function appendLogEntry(wikiRoot, entry) {
   const logPath = path17.join(wikiRoot, "log.md");
   const logEntry = [
@@ -5823,7 +5921,7 @@ async function writeCachedGate(absPath, result, opts) {
     throw new Error(`writeCachedGate: failed to parse frontmatter in ${absPath}`);
   }
   const existing = coerceCachedGate(fm["cached_gate_result"]);
-  if (existing && JSON.stringify(existing) === JSON.stringify(newResult)) {
+  if (existing && existing.pass === newResult.pass && JSON.stringify(existing.failing_criteria) === JSON.stringify(newResult.failing_criteria)) {
     return;
   }
   const newFm = {};
@@ -6365,22 +6463,50 @@ function reconcileLifecycleCliHandler(opts, cli) {
     });
     if (result.drift.length === 0) {
       stdoutFn(`lifecycle: clean (${result.clean} artifacts reconciled)`);
-      return exitFn(0);
-    }
-    stderrFn(`lifecycle: DRIFT detected (${result.drift.length} unreconciled artifacts):`);
-    for (const item of result.drift) {
-      stderrFn(
-        `  DRIFT: ${item.id} status=${item.actual_status ?? "missing"} in ${item.in_archive ? "archive" : "pending-sync"}, expected ${item.expected_status} (commit ${item.commit_shas[0] ?? "unknown"})`
-      );
-      stderrFn(
-        `    Remediation: git mv .cleargate/delivery/pending-sync/${item.file_path?.replace("pending-sync/", "") ?? item.id + "_*.md"} .cleargate/delivery/archive/ && update status: ${item.expected_status}`
-      );
+    } else {
+      stderrFn(`lifecycle: DRIFT detected (${result.drift.length} unreconciled artifacts):`);
+      for (const item of result.drift) {
+        stderrFn(
+          `  DRIFT: ${item.id} status=${item.actual_status ?? "missing"} in ${item.in_archive ? "archive" : "pending-sync"}, expected ${item.expected_status} (commit ${item.commit_shas[0] ?? "unknown"})`
+        );
+        stderrFn(
+          `    Remediation: git mv .cleargate/delivery/pending-sync/${item.file_path?.replace("pending-sync/", "") ?? item.id + "_*.md"} .cleargate/delivery/archive/ && update status: ${item.expected_status}`
+        );
+      }
+      if (!opts.parents) {
+        return exitFn(1);
+      }
     }
-    return exitFn(1);
   } catch (err) {
     stderrFn(`lifecycle reconciliation error: ${err instanceof Error ? err.message : String(err)}`);
-    return exitFn(1);
+    if (!opts.parents) {
+      return exitFn(1);
+    }
+  }
+  if (opts.parents) {
+    const archiveRoot = path31.join(deliveryRoot, "archive");
+    walkActiveParents({ deliveryRoot, archiveRoot }).then((results) => {
+      stdoutFn("Parent rollup audit (--parents):");
+      for (const r of results) {
+        if (r.verdict === "auto-flip") {
+          stdoutFn(
+            `  ${r.parent_id}  \u2713 proposed: Completed (${r.terminal_children.length}/${r.terminal_children.length} children Completed)`
+          );
+        } else if (r.verdict === "halt-partial" || r.verdict === "halt-zero-children") {
+          stdoutFn(`  ${r.parent_id}  \u2717 ${r.verdict}: ${r.halt_reason ?? "no details"}`);
+        } else if (r.verdict === "no-op") {
+        } else {
+          stdoutFn(`  ${r.parent_id}  ~ ${r.verdict}`);
+        }
+      }
+      exitFn(0);
+    }).catch((err) => {
+      stderrFn(`--parents audit error: ${err instanceof Error ? err.message : String(err)}`);
+      exitFn(0);
+    });
+    return;
   }
+  return exitFn(0);
 }
 function parseFileFrontmatter(raw) {
   const lines = raw.split("\n");
@@ -7037,6 +7163,10 @@ function refreshScopedGateCaches(sprintId, cwd, execFn) {
     if (!absPath) {
       continue;
     }
+    if (absPath.includes(`${path31.sep}archive${path31.sep}`)) {
+      result.skipped.push(id);
+      continue;
+    }
     let status = "";
     try {
       const raw = fs30.readFileSync(absPath, "utf8");
@@ -10244,6 +10374,7 @@ function getItemId3(fm) {
 }
 
 // src/commands/push.ts
+import * as fs40 from "fs";
 import * as fsPromises11 from "fs/promises";
 import * as path49 from "path";
 async function pushHandler(fileOrId, opts = {}) {
@@ -10253,6 +10384,13 @@ async function pushHandler(fileOrId, opts = {}) {
   const stderr = opts.stderr ?? ((s) => process.stderr.write(s));
   const exit = opts.exit ?? ((c) => process.exit(c));
   const nowFn = opts.now ?? (() => (/* @__PURE__ */ new Date()).toISOString());
+  const migrationLockPath = path49.join(projectRoot, ".cleargate", ".migration-lock");
+  if (fs40.existsSync(migrationLockPath)) {
+    stderr(`Error: CR-067 migration in progress (.migration-lock held); retry in 30s
+`);
+    exit(75);
+    return;
+  }
   const identity = resolveIdentity(projectRoot);
   const sprintRoot = resolveActiveSprintDir(projectRoot);
   async function resolveMcp() {
@@ -10320,6 +10458,19 @@ async function pushHandler(fileOrId, opts = {}) {
 async function handlePush(filePath, ctx) {
   const { projectRoot, identity, sprintRoot, nowFn, resolveMcp, stdout, stderr, exit } = ctx;
   const resolvedPath = path49.isAbsolute(filePath) ? filePath : path49.resolve(projectRoot, filePath);
+  if (SPRINT_RUNS_PATH_REGEX.test(resolvedPath)) {
+    if (!SPRINT_REPORT_PATH_REGEX.test(resolvedPath)) {
+      stderr(
+        `Error: path not in allowlist. Only sprint report files are accepted from sprint-runs/.
+  Allowed: .cleargate/sprint-runs/SPRINT-NN/REPORT.md
+           .cleargate/sprint-runs/SPRINT-NN/SPRINT-NN_REPORT.md
+  Got:     "${resolvedPath}"
+`
+      );
+      exit(2);
+      return;
+    }
+  }
   let rawContent;
   try {
     rawContent = await fsPromises11.readFile(resolvedPath, "utf8");
@@ -10349,7 +10500,7 @@ async function handlePush(filePath, ctx) {
     return;
   }
   const itemId = getItemId4(fm);
-  const type = getItemType2(fm);
+  const type = getItemTypeWithPathOverride(resolvedPath, fm);
   if (!type) {
     stderr(`Error: cannot determine item type from frontmatter in "${resolvedPath}".
 `);
@@ -10362,6 +10513,9 @@ async function handlePush(filePath, ctx) {
     if (h1) payloadForPush["title"] = h1;
   }
   payloadForPush["body"] = body;
+  if (payloadForPush["origin"] === void 0) {
+    payloadForPush["origin"] = "cleargate-cli";
+  }
   const mcp2 = await resolveMcp();
   let result;
   try {
@@ -10481,17 +10635,20 @@ async function writeAtomic8(filePath, content) {
   await fsPromises11.rename(tmpPath, filePath);
 }
 function getItemId4(fm) {
-  for (const key of ["story_id", "epic_id", "proposal_id", "cr_id", "bug_id"]) {
+  for (const key of ["story_id", "epic_id", "proposal_id", "sprint_id", "cr_id", "bug_id"]) {
     const val = fm[key];
     if (typeof val === "string" && val) return val;
   }
   return "unknown";
 }
+var SPRINT_RUNS_PATH_REGEX = /\.cleargate[\\/]sprint-runs[\\/]/;
+var SPRINT_REPORT_PATH_REGEX = /\.cleargate[\\/]sprint-runs[\\/]SPRINT-\d{2,}[\\/](REPORT|SPRINT-\d{2,}_REPORT)\.md$/;
 function getItemType2(fm) {
   const typeMap = {
     story_id: "story",
     epic_id: "epic",
     proposal_id: "proposal",
+    sprint_id: "sprint",
     cr_id: "cr",
     bug_id: "bug"
   };
@@ -10500,6 +10657,10 @@ function getItemType2(fm) {
   }
   return null;
 }
+function getItemTypeWithPathOverride(localPath, fm) {
+  if (SPRINT_REPORT_PATH_REGEX.test(localPath)) return "sprint_report";
+  return getItemType2(fm);
+}
 
 // src/commands/conflicts.ts
 import * as fsPromises12 from "fs/promises";
@@ -10625,7 +10786,7 @@ function formatEntry(entry) {
 }
 
 // src/commands/admin-login.ts
-import * as fs40 from "fs";
+import * as fs41 from "fs";
 import * as path51 from "path";
 import * as os7 from "os";
 var DEFAULT_MCP_URL = "http://localhost:3000";
@@ -10639,10 +10800,10 @@ function resolveAuthFilePath(opts) {
 }
 function writeAdminAuth(filePath, token) {
   const dir = path51.dirname(filePath);
-  fs40.mkdirSync(dir, { recursive: true });
+  fs41.mkdirSync(dir, { recursive: true });
   const payload = JSON.stringify({ version: 1, token }, null, 2);
-  fs40.writeFileSync(filePath, payload, { encoding: "utf8", mode: 384 });
-  fs40.chmodSync(filePath, 384);
+  fs41.writeFileSync(filePath, payload, { encoding: "utf8", mode: 384 });
+  fs41.chmodSync(filePath, 384);
 }
 async function adminLoginHandler(opts = {}) {
   const fetchFn = opts.fetch ?? globalThis.fetch;
@@ -10751,7 +10912,7 @@ async function adminLoginHandler(opts = {}) {
 }
 
 // src/commands/hotfix.ts
-import * as fs41 from "fs";
+import * as fs42 from "fs";
 import * as path52 from "path";
 function defaultExit4(code) {
   return process.exit(code);
@@ -10762,7 +10923,7 @@ function maxHotfixId(pendingDir) {
   let max = 0;
   let entries;
   try {
-    entries = fs41.readdirSync(pendingDir);
+    entries = fs42.readdirSync(pendingDir);
   } catch {
     return 0;
   }
@@ -10782,7 +10943,7 @@ function countActiveHotfixes(repoRoot) {
   let count = 0;
   let pendingEntries = [];
   try {
-    pendingEntries = fs41.readdirSync(pendingDir);
+    pendingEntries = fs42.readdirSync(pendingDir);
   } catch {
   }
   for (const entry of pendingEntries) {
@@ -10790,13 +10951,13 @@ function countActiveHotfixes(repoRoot) {
   }
   let archiveEntries = [];
   try {
-    archiveEntries = fs41.readdirSync(archiveDir);
+    archiveEntries = fs42.readdirSync(archiveDir);
   } catch {
   }
   for (const entry of archiveEntries) {
     if (entry.startsWith("HOTFIX-") && entry.endsWith(".md")) {
       try {
-        const stat = fs41.statSync(path52.join(archiveDir, entry));
+        const stat = fs42.statSync(path52.join(archiveDir, entry));
         if (stat.mtimeMs >= sevenDaysAgo) count++;
       } catch {
       }
@@ -10831,7 +10992,7 @@ function hotfixNewHandler(opts, cli) {
   const templatePath = resolveTemplatePath(repoRoot);
   let templateContent;
   try {
-    templateContent = fs41.readFileSync(templatePath, "utf8");
+    templateContent = fs42.readFileSync(templatePath, "utf8");
   } catch {
     stderrFn(`[cleargate hotfix new] template not found: ${templatePath}`);
     return exitFn(2);
@@ -10841,8 +11002,8 @@ function hotfixNewHandler(opts, cli) {
   const fileName = `${idStr}_${fileSlug}.md`;
   const outPath = path52.join(pendingDir, fileName);
   try {
-    fs41.mkdirSync(pendingDir, { recursive: true });
-    fs41.writeFileSync(outPath, content, "utf8");
+    fs42.mkdirSync(pendingDir, { recursive: true });
+    fs42.writeFileSync(outPath, content, "utf8");
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
     stderrFn(`[cleargate hotfix new] write failed: ${msg}`);
@@ -10926,8 +11087,25 @@ var AuthFetcher = class {
   }
 };
 
+// src/auth/service-token-fetcher.ts
+var ServiceTokenFetcher = class {
+  constructor(token) {
+    this.token = token;
+  }
+  token;
+  async getAccessToken() {
+    return this.token;
+  }
+};
+
 // src/commands/mcp-serve.ts
 var DEFAULT_BASE_URL = "https://cleargate-mcp.soula.ge";
+var ServiceToken401Error = class extends Error {
+  constructor() {
+    super("service-token-401");
+    this.name = "ServiceToken401Error";
+  }
+};
 async function mcpServeHandler(opts) {
   const fetchFn = opts.fetch ?? globalThis.fetch;
   const stdout = opts.stdout ?? ((s) => process.stdout.write(s));
@@ -10937,32 +11115,44 @@ async function mcpServeHandler(opts) {
     flags: { profile: opts.profile, mcpUrl: opts.mcpUrlFlag }
   });
   const baseUrl = cfg.mcpUrl ?? DEFAULT_BASE_URL;
-  const store = await (opts.createStore ?? createTokenStore)({
-    ...opts.keychainService !== void 0 ? { keychainService: opts.keychainService } : {},
-    ...opts.forceBackend !== void 0 ? { forceBackend: opts.forceBackend } : {}
-  });
-  const fetcher = new AuthFetcher({
-    baseUrl,
-    loadRefresh: () => store.load(opts.profile),
-    saveRefresh: (t) => store.save(opts.profile, t),
-    ...opts.fetch !== void 0 ? { fetch: opts.fetch } : {},
-    ...opts.now !== void 0 ? { now: opts.now } : {}
-  });
-  try {
-    await fetcher.getAccessToken();
-  } catch (err) {
-    if (err instanceof RefreshError) {
-      stderr(
-        `cleargate mcp serve: refresh failed (${err.status} ${err.code}). Run \`cleargate join <invite-url>\` to re-authenticate.
+  const serviceToken = process.env["CLEARGATE_SERVICE_TOKEN"] ?? "";
+  let fetcher;
+  let isServiceTokenMode;
+  if (serviceToken.length > 0) {
+    isServiceTokenMode = true;
+    fetcher = new ServiceTokenFetcher(serviceToken);
+    stderr("cleargate mcp serve: auth mode = service-token\n");
+  } else {
+    isServiceTokenMode = false;
+    const store = await (opts.createStore ?? createTokenStore)({
+      ...opts.keychainService !== void 0 ? { keychainService: opts.keychainService } : {},
+      ...opts.forceBackend !== void 0 ? { forceBackend: opts.forceBackend } : {}
+    });
+    const authFetcher = new AuthFetcher({
+      baseUrl,
+      loadRefresh: () => store.load(opts.profile),
+      saveRefresh: (t) => store.save(opts.profile, t),
+      ...opts.fetch !== void 0 ? { fetch: opts.fetch } : {},
+      ...opts.now !== void 0 ? { now: opts.now } : {}
+    });
+    fetcher = authFetcher;
+    stderr("cleargate mcp serve: auth mode = keychain-refresh\n");
+    try {
+      await authFetcher.getAccessToken();
+    } catch (err) {
+      if (err instanceof RefreshError) {
+        stderr(
+          `cleargate mcp serve: refresh failed (${err.status} ${err.code}). Run \`cleargate join <invite-url>\` to re-authenticate.
 `
-      );
-    } else {
-      stderr(
-        `cleargate mcp serve: ${err instanceof Error ? err.message : String(err)}
+        );
+      } else {
+        stderr(
+          `cleargate mcp serve: ${err instanceof Error ? err.message : String(err)}
 `
-      );
+        );
+      }
+      return exit(1);
     }
-    return exit(1);
   }
   const inputStream = opts.stdin ?? process.stdin;
   const rl = readline5.createInterface({
@@ -10973,8 +11163,23 @@ async function mcpServeHandler(opts) {
   for await (const line of rl) {
     if (!line.trim()) continue;
     try {
-      await proxyOne(line, baseUrl, fetcher, fetchFn, stdout, stderr);
+      await proxyOne(
+        line,
+        baseUrl,
+        fetcher,
+        isServiceTokenMode,
+        fetchFn,
+        stdout,
+        stderr
+      );
     } catch (err) {
+      if (err instanceof ServiceToken401Error) {
+        stderr(
+          `cleargate mcp serve: CLEARGATE_SERVICE_TOKEN rejected by /mcp (401). Issue a new token in the admin console: Tokens \u2192 Issue \u2192 copy snippet.
+`
+        );
+        return exit(1);
+      }
       const errMsg = err instanceof Error ? err.message : String(err);
       stderr(`cleargate mcp serve: proxy error: ${errMsg}
 `);
@@ -10991,7 +11196,7 @@ async function mcpServeHandler(opts) {
     }
   }
 }
-async function proxyOne(line, baseUrl, fetcher, fetchFn, stdout, stderr) {
+async function proxyOne(line, baseUrl, fetcher, isServiceTokenMode, fetchFn, stdout, stderr) {
   let parsed;
   try {
     parsed = JSON.parse(line);
@@ -11004,6 +11209,9 @@ async function proxyOne(line, baseUrl, fetcher, fetchFn, stdout, stderr) {
   let access = await fetcher.getAccessToken();
   let res = await postFrame(baseUrl, line, access, fetchFn);
   if (res.status === 401) {
+    if (isServiceTokenMode) {
+      throw new ServiceToken401Error();
+    }
     fetcher.invalidate();
     access = await fetcher.getAccessToken();
     res = await postFrame(baseUrl, line, access, fetchFn);
@@ -11222,8 +11430,8 @@ sprint.command("close <sprint-id>").description("close a sprint \u2014 validates
   }
   sprintCloseHandler(handlerOpts);
 });
-sprint.command("reconcile-lifecycle <sprint-id>").description("CR-017: check lifecycle status of artifacts referenced in this sprint's commits (exits 1 on drift)").option("--since <iso-date>", "start of git log range (default: sprint start_date or 90 days ago)").option("--until <iso-date>", "end of git log range (default: now)").action((sprintId, opts) => {
-  reconcileLifecycleCliHandler({ sprintId, since: opts.since, until: opts.until });
+sprint.command("reconcile-lifecycle <sprint-id>").description("CR-017: check lifecycle status of artifacts referenced in this sprint's commits (exits 1 on drift)").option("--since <iso-date>", "start of git log range (default: sprint start_date or 90 days ago)").option("--until <iso-date>", "end of git log range (default: now)").option("--parents", "audit parent (Epic/Sprint) rollup statuses; read-only (CR-066)").action((sprintId, opts) => {
+  reconcileLifecycleCliHandler({ sprintId, since: opts.since, until: opts.until, parents: opts.parents });
 });
 sprint.command("archive <sprint-id>").description("archive a completed sprint \u2014 move pending-sync files, clear .active, merge + delete sprint branch").option("--dry-run", "print the archive plan without making any changes").option("--allow-wiki-lint-debt", "CR-022 M5: waive wiki-lint findings during archive (mirrors --allow-drift pattern)").action(async (sprintId, opts) => {
   const handlerOpts = { sprintId };