@autohq/cli 0.1.89 → 0.1.90

package/dist/index.js

@@ -257,10 +257,10 @@ function mergeDefs(...defs) {
 function cloneDef(schema) {
   return mergeDefs(schema._zod.def);
 }
-function getElementAtPath(obj, path) {
-  if (!path)
+function getElementAtPath(obj, path2) {
+  if (!path2)
     return obj;
-  return path.reduce((acc, key) => acc?.[key], obj);
+  return path2.reduce((acc, key) => acc?.[key], obj);
 }
 function promiseAllObject(promisesObj) {
   const keys = Object.keys(promisesObj);
@@ -588,11 +588,11 @@ function explicitlyAborted(x, startIndex = 0) {
   }
   return false;
 }
-function prefixIssues(path, issues) {
+function prefixIssues(path2, issues) {
   return issues.map((iss) => {
     var _a3;
     (_a3 = iss).path ?? (_a3.path = []);
-    iss.path.unshift(path);
+    iss.path.unshift(path2);
     return iss;
   });
 }
@@ -810,16 +810,16 @@ function flattenError(error51, mapper = (issue2) => issue2.message) {
 }
 function formatError(error51, mapper = (issue2) => issue2.message) {
   const fieldErrors = { _errors: [] };
-  const processError = (error52, path = []) => {
+  const processError = (error52, path2 = []) => {
     for (const issue2 of error52.issues) {
       if (issue2.code === "invalid_union" && issue2.errors.length) {
-        issue2.errors.map((issues) => processError({ issues }, [...path, ...issue2.path]));
+        issue2.errors.map((issues) => processError({ issues }, [...path2, ...issue2.path]));
       } else if (issue2.code === "invalid_key") {
-        processError({ issues: issue2.issues }, [...path, ...issue2.path]);
+        processError({ issues: issue2.issues }, [...path2, ...issue2.path]);
       } else if (issue2.code === "invalid_element") {
-        processError({ issues: issue2.issues }, [...path, ...issue2.path]);
+        processError({ issues: issue2.issues }, [...path2, ...issue2.path]);
       } else {
-        const fullpath = [...path, ...issue2.path];
+        const fullpath = [...path2, ...issue2.path];
         if (fullpath.length === 0) {
           fieldErrors._errors.push(mapper(issue2));
         } else {
@@ -846,17 +846,17 @@ function formatError(error51, mapper = (issue2) => issue2.message) {
 }
 function treeifyError(error51, mapper = (issue2) => issue2.message) {
   const result = { errors: [] };
-  const processError = (error52, path = []) => {
+  const processError = (error52, path2 = []) => {
     var _a3, _b;
     for (const issue2 of error52.issues) {
       if (issue2.code === "invalid_union" && issue2.errors.length) {
-        issue2.errors.map((issues) => processError({ issues }, [...path, ...issue2.path]));
+        issue2.errors.map((issues) => processError({ issues }, [...path2, ...issue2.path]));
       } else if (issue2.code === "invalid_key") {
-        processError({ issues: issue2.issues }, [...path, ...issue2.path]);
+        processError({ issues: issue2.issues }, [...path2, ...issue2.path]);
       } else if (issue2.code === "invalid_element") {
-        processError({ issues: issue2.issues }, [...path, ...issue2.path]);
+        processError({ issues: issue2.issues }, [...path2, ...issue2.path]);
       } else {
-        const fullpath = [...path, ...issue2.path];
+        const fullpath = [...path2, ...issue2.path];
         if (fullpath.length === 0) {
           result.errors.push(mapper(issue2));
           continue;
@@ -888,8 +888,8 @@ function treeifyError(error51, mapper = (issue2) => issue2.message) {
 }
 function toDotPath(_path) {
   const segs = [];
-  const path = _path.map((seg) => typeof seg === "object" ? seg.key : seg);
-  for (const seg of path) {
+  const path2 = _path.map((seg) => typeof seg === "object" ? seg.key : seg);
+  for (const seg of path2) {
     if (typeof seg === "number")
       segs.push(`[${seg}]`);
     else if (typeof seg === "symbol")
@@ -14392,13 +14392,13 @@ function resolveRef(ref, ctx) {
   if (!ref.startsWith("#")) {
     throw new Error("External $ref is not supported, only local refs (#/...) are allowed");
   }
-  const path = ref.slice(1).split("/").filter(Boolean);
-  if (path.length === 0) {
+  const path2 = ref.slice(1).split("/").filter(Boolean);
+  if (path2.length === 0) {
     return ctx.rootSchema;
   }
   const defsKey = ctx.version === "draft-2020-12" ? "$defs" : "definitions";
-  if (path[0] === defsKey) {
-    const key = path[1];
+  if (path2[0] === defsKey) {
+    const key = path2[1];
     if (!key || !ctx.defs[key]) {
       throw new Error(`Reference not found: ${ref}`);
     }
@@ -15223,6 +15223,8 @@ var init_auth = __esm({
       "secrets:read",
       "secrets:write",
       "secrets:use",
+      "github:mcp",
+      "github:credentials",
       "projects:admin",
       "org:admin"
     ]);
@@ -16413,6 +16415,100 @@ var init_connections = __esm({
   }
 });
 
+// ../../packages/schemas/src/github-credentials.ts
+var CreateRunGithubCredentialRequestSchema, RunGithubCredentialResponseSchema;
+var init_github_credentials = __esm({
+  "../../packages/schemas/src/github-credentials.ts"() {
+    "use strict";
+    init_zod();
+    CreateRunGithubCredentialRequestSchema = external_exports.object({
+      host: external_exports.literal("github.com"),
+      path: external_exports.string().trim().min(1).optional()
+    });
+    RunGithubCredentialResponseSchema = external_exports.object({
+      username: external_exports.literal("x-access-token"),
+      password: external_exports.string().min(1),
+      expiresAt: external_exports.string().datetime()
+    });
+  }
+});
+
+// ../../packages/schemas/src/github-mcp-catalog.ts
+var GITHUB_MCP_TOOL_NAMES, GITHUB_MCP_WRITE_TOOLS, githubMcpToolNameSet, githubMcpWriteToolSet;
+var init_github_mcp_catalog = __esm({
+  "../../packages/schemas/src/github-mcp-catalog.ts"() {
+    "use strict";
+    GITHUB_MCP_TOOL_NAMES = [
+      "actions_get",
+      "actions_list",
+      "actions_run_trigger",
+      "add_comment_to_pending_review",
+      "add_issue_comment",
+      "add_reply_to_pull_request_comment",
+      "create_branch",
+      "create_or_update_file",
+      "create_pull_request",
+      "create_repository",
+      "delete_file",
+      "fork_repository",
+      "get_commit",
+      "get_file_contents",
+      "get_job_logs",
+      "get_label",
+      "get_latest_release",
+      "get_release_by_tag",
+      "get_tag",
+      "issue_read",
+      "issue_write",
+      "list_branches",
+      "list_commits",
+      "list_issue_types",
+      "list_issues",
+      "list_pull_requests",
+      "list_releases",
+      "list_repository_collaborators",
+      "list_tags",
+      "merge_pull_request",
+      "pull_request_read",
+      "pull_request_review_write",
+      "push_files",
+      "search_code",
+      "search_commits",
+      "search_issues",
+      "search_pull_requests",
+      "search_repositories",
+      "sub_issue_write",
+      "update_pull_request",
+      "update_pull_request_branch"
+    ];
+    GITHUB_MCP_WRITE_TOOLS = [
+      "actions_run_trigger",
+      "add_comment_to_pending_review",
+      "add_issue_comment",
+      "add_reply_to_pull_request_comment",
+      "create_branch",
+      "create_or_update_file",
+      "create_pull_request",
+      "create_repository",
+      "delete_file",
+      "fork_repository",
+      "issue_write",
+      "merge_pull_request",
+      "pull_request_review_write",
+      "push_files",
+      "sub_issue_write",
+      "update_pull_request",
+      "update_pull_request_branch"
+    ];
+    githubMcpToolNameSet = new Set(
+      GITHUB_MCP_TOOL_NAMES
+    );
+    githubMcpWriteToolSet = new Set(
+      GITHUB_MCP_WRITE_TOOLS
+    );
+  }
+});
+
 // ../../packages/schemas/src/secrets.ts
 var SECRET_ENCRYPTION_ALGORITHM, SecretEnvNameSchema, SecretCiphertextFieldSchema, SecretAesGcmIvSchema, SecretAesGcmAuthTagSchema, SecretEnvValueSchema, SecretEnvSchema, EncryptedSecretValueSchema, SecretSetRequestSchema, SecretMetadataSchema, SecretSetResponseSchema, SecretListResponseSchema, SecretDeleteResponseSchema;
 var init_secrets = __esm({
@@ -16600,7 +16696,7 @@ var init_mcp = __esm({
 });
 
 // ../../packages/schemas/src/mounts.ts
-var AbsoluteMountPathSchema, GITHUB_MOUNT_CAPABILITY_LEVELS, GithubMountCapabilityLevelSchema, GitMountAuthSchema, GitMountSchema, SessionMountSchema;
+var AbsoluteMountPathSchema, GITHUB_MOUNT_CAPABILITY_LEVELS, GithubMountCapabilityLevelSchema, DEFAULT_GITHUB_MOUNT_CAPABILITIES, GitMountAuthSchema, GitMountSchema, SessionMountSchema;
 var init_mounts = __esm({
   "../../packages/schemas/src/mounts.ts"() {
     "use strict";
@@ -16616,6 +16712,14 @@ var init_mounts = __esm({
     GithubMountCapabilityLevelSchema = external_exports.enum(
       GITHUB_MOUNT_CAPABILITY_LEVELS
     );
+    DEFAULT_GITHUB_MOUNT_CAPABILITIES = {
+      contents: "write",
+      pullRequests: "write",
+      issues: "write",
+      checks: "read",
+      actions: "read",
+      workflows: "none"
+    };
     GitMountAuthSchema = external_exports.discriminatedUnion("kind", [
       external_exports.object({
         kind: external_exports.literal("none")
@@ -16636,14 +16740,7 @@ var init_mounts = __esm({
           checks: GithubMountCapabilityLevelSchema.default("read"),
           actions: GithubMountCapabilityLevelSchema.default("read"),
           workflows: GithubMountCapabilityLevelSchema.default("none")
-        }).default({
-          contents: "write",
-          pullRequests: "write",
-          issues: "write",
-          checks: "read",
-          actions: "read",
-          workflows: "none"
-        })
+        }).default({ ...DEFAULT_GITHUB_MOUNT_CAPABILITIES })
       })
     ]);
     GitMountSchema = external_exports.object({
@@ -16759,12 +16856,13 @@ function remoteMcpToolSchema(input) {
     ]).default({ kind: "none" })
   });
 }
-var RESOURCE_KIND_TOOL, REMOTE_MCP_TRANSPORTS, LOCAL_TOOL_IMPLEMENTATIONS, SecretReferenceSchema, NoToolAuthSchema, McpOAuthToolAuthSchema, ConnectionToolAuthSchema, ConnectionsToolAuthSchema, ToolAliasSchema, RemoteMcpToolSchema, LocalAutoToolSchema, LocalPingToolSchema, LocalChatToolSchema, LocalToolSchema, ToolSpecSchema, ToolResourceSchema, ToolApplyRequestSchema, ToolConnectRequestSchema, ToolConnectResponseSchema, ToolConnectCompleteResponseSchema, ReferencedSessionToolRefSchema, ReferencedSessionToolRefsSchema, InlineSessionToolSchema, SessionToolRefSchema, SessionToolsSchema;
+var RESOURCE_KIND_TOOL, REMOTE_MCP_TRANSPORTS, LOCAL_TOOL_IMPLEMENTATIONS, SecretReferenceSchema, NoToolAuthSchema, McpOAuthToolAuthSchema, ConnectionToolAuthSchema, ConnectionsToolAuthSchema, ToolAliasSchema, RemoteMcpToolSchema, LocalAutoToolSchema, LocalPingToolSchema, LocalChatToolSchema, LocalToolSchema, GithubToolSchema, ToolSpecSchema, ToolResourceSchema, ToolApplyRequestSchema, ToolConnectRequestSchema, ToolConnectResponseSchema, ToolConnectCompleteResponseSchema, ReferencedSessionToolRefSchema, ReferencedSessionToolRefsSchema, InlineSessionToolSchema, SessionToolRefSchema, SessionToolsSchema;
 var init_tools = __esm({
   "../../packages/schemas/src/tools.ts"() {
     "use strict";
     init_zod();
     init_connections();
+    init_github_mcp_catalog();
     init_ids();
     init_resources();
     RESOURCE_KIND_TOOL = "tool";
@@ -16822,6 +16920,11 @@ var init_tools = __esm({
         error: `Unsupported local tool implementation. Supported implementations: ${LOCAL_TOOL_IMPLEMENTATIONS.join(", ")}`
       }
     );
+    GithubToolSchema = external_exports.object({
+      kind: external_exports.literal("github"),
+      description: external_exports.string().trim().min(1).optional(),
+      tools: external_exports.array(external_exports.enum(GITHUB_MCP_TOOL_NAMES)).min(1).optional()
+    });
     ToolSpecSchema = external_exports.discriminatedUnion("kind", [
       RemoteMcpToolSchema,
       LocalToolSchema
@@ -16871,6 +16974,10 @@ var init_tools = __esm({
           disabled: external_exports.boolean().optional()
         })
       )
+    ).or(
+      GithubToolSchema.extend({
+        disabled: external_exports.boolean().optional()
+      })
     );
     SessionToolRefSchema = InlineSessionToolSchema.or(
       ReferencedSessionToolRefSchema
@@ -17133,8 +17240,8 @@ function hasAutoAttributionsExists(trigger, expected) {
 function isChatMessageEvent(trigger) {
   return trigger.event.startsWith("chat.message.");
 }
-function hasFilterValue(trigger, path, expected) {
-  return trigger.where?.[path] === expected;
+function hasFilterValue(trigger, path2, expected) {
+  return trigger.where?.[path2] === expected;
 }
 var RESOURCE_KIND_SESSION, TriggerFilterScalarSchema, TriggerFilterPathSchema, TriggerFilterClauseSchema, TriggerFilterSchema, SessionTriggerCheckTimeoutSchema, TriggerEventSchema, TriggerEventsSchema, SessionTriggerSharedFields, SessionTriggerEventSourceFields, SessionTriggerBaseSchema, SessionTriggerDefinitionBaseSchema, SessionTriggerSchema, SessionApplyTriggerSchema, SessionHeartbeatTriggerBaseSchema, SessionHeartbeatTriggerSchema, SessionApplyHeartbeatTriggerSchema, SessionTriggerDefinitionSchema, SessionApplyTriggerDefinitionSchema, SessionTriggersSchema, SessionApplyTriggersSchema, AVATAR_ASSET_EXTENSIONS, MAX_AVATAR_ASSET_BYTES, SESSION_IDENTITY_DESCRIPTION_MAX_LENGTH, SHA256_HEX_PATTERN, SessionIdentitySchema, SessionSpecSchema, SessionApplySpecSchema, SessionStatusSchema, SessionResourceSchema, SessionApplyRequestSchema, SessionApplyTriggerReceiptSchema, SessionApplyResponseSchema, SESSION_TELEGRAM_IDENTITY_STATUSES, SessionTelegramIdentityStatusSchema, SessionPresenceIdentitySchema, SessionPresenceResponseSchema, SessionPresenceConnectRequestSchema, SessionPresenceConnectPendingSchema, SessionPresenceConnectResponseSchema, SessionPresenceIconRequestSchema, SessionPresenceIconResponseSchema, SessionPresenceCompleteResponseSchema;
 var init_sessions = __esm({
@@ -17156,17 +17263,17 @@ var init_sessions = __esm({
       external_exports.boolean()
     ]);
     TriggerFilterPathSchema = external_exports.string().refine(
-      (path) => {
-        if (path.length === 0 || path.trim() !== path) {
+      (path2) => {
+        if (path2.length === 0 || path2.trim() !== path2) {
           return false;
         }
-        if (path.startsWith("$.")) {
-          const segments = path.slice(2).split(".");
+        if (path2.startsWith("$.")) {
+          const segments = path2.slice(2).split(".");
           return segments.length > 0 && segments.every(
             (segment) => segment.length > 0 && segment.trim() === segment
           );
         }
-        return !path.includes(".");
+        return !path2.includes(".");
       },
       {
         message: "Trigger filter paths must be a single bare key or use $.path.segments"
@@ -17722,7 +17829,7 @@ var init_session_runs = __esm({
           external_exports.object({
             source: external_exports.literal("inline"),
             alias: ToolAliasSchema,
-            spec: RemoteMcpToolSchema.or(LocalToolSchema)
+            spec: RemoteMcpToolSchema.or(LocalToolSchema).or(GithubToolSchema)
           }),
           external_exports.object({
             source: external_exports.literal("resource"),
@@ -18294,6 +18401,8 @@ var init_src = __esm({
     init_conversation();
     init_conversation_reducer();
     init_connections();
+    init_github_credentials();
+    init_github_mcp_catalog();
     init_ids();
     init_environments();
     init_mcp();
@@ -18369,10 +18478,10 @@ var init_active_project = __esm({
 
 // src/lib/config/path.ts
 import { createHash } from "crypto";
-import { homedir } from "os";
+import { homedir as homedir2 } from "os";
 import { join, normalize } from "path";
 function defaultConfigPath() {
-  return process.env.AUTO_CLI_CONFIG ?? join(homedir(), ".auto", "config.yaml");
+  return process.env.AUTO_CLI_CONFIG ?? join(homedir2(), ".auto", "config.yaml");
 }
 function profilesDir(configPath = defaultConfigPath()) {
   return normalize(join(configPath, "..", PROFILES_DIR_NAME));
@@ -18404,9 +18513,9 @@ var init_path = __esm({
 // src/lib/config/file.ts
 import { chmodSync, mkdirSync as mkdirSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2 } from "fs";
 import { basename, dirname as dirname2, join as join2 } from "path";
-function readConfig(path = defaultConfigPath()) {
+function readConfig(path2 = defaultConfigPath()) {
   try {
-    const text = readFileSync2(path, "utf8");
+    const text = readFileSync2(path2, "utf8");
     const config2 = {};
     for (const line of text.split(/\r?\n/)) {
       const match = /^([A-Za-z0-9_]+):\s*(.*)$/.exec(line.trim());
@@ -18420,13 +18529,13 @@ function readConfig(path = defaultConfigPath()) {
     throw err;
   }
 }
-function writeConfig(config2, path = defaultConfigPath()) {
-  writeConfigFile(config2, path);
-  if (config2.userEmail && config2.serverUrl && basename(dirname2(path)) !== PROFILES_DIR_NAME) {
+function writeConfig(config2, path2 = defaultConfigPath()) {
+  writeConfigFile(config2, path2);
+  if (config2.userEmail && config2.serverUrl && basename(dirname2(path2)) !== PROFILES_DIR_NAME) {
     writeConfigFile(
       config2,
       join2(
-        dirname2(path),
+        dirname2(path2),
         PROFILES_DIR_NAME,
         profileFileName({
           userEmail: config2.userEmail,
@@ -18436,17 +18545,17 @@ function writeConfig(config2, path = defaultConfigPath()) {
     );
   }
 }
-function writeConfigFile(config2, path) {
-  mkdirSync2(dirname2(path), { recursive: true });
+function writeConfigFile(config2, path2) {
+  mkdirSync2(dirname2(path2), { recursive: true });
   const lines = CONFIG_KEYS.filter((key) => config2[key]).map(
     (key) => `${key}: ${config2[key]}`
   );
-  writeFileSync2(path, `${lines.join("\n")}
+  writeFileSync2(path2, `${lines.join("\n")}
 `, {
     encoding: "utf8",
     mode: 384
   });
-  chmodSync(path, 384);
+  chmodSync(path2, 384);
 }
 var CONFIG_KEYS;
 var init_file = __esm({
@@ -18604,38 +18713,38 @@ var init_http = __esm({
 });
 
 // src/lib/api/paths.ts
-function apiPath(path = "") {
-  return `${API_PREFIX}${cleanSubpath(path)}`;
+function apiPath(path2 = "") {
+  return `${API_PREFIX}${cleanSubpath(path2)}`;
 }
-function orgApiPath(organizationId, path = "") {
-  return apiPath(orgSubpath(organizationId, path));
+function orgApiPath(organizationId, path2 = "") {
+  return apiPath(orgSubpath(organizationId, path2));
 }
-function projectApiPath(project, path = "") {
+function projectApiPath(project, path2 = "") {
   return apiPath(
     orgSubpath(
       project.organizationId,
-      `/projects/${encodeURIComponent(project.projectId)}${cleanSubpath(path)}`
+      `/projects/${encodeURIComponent(project.projectId)}${cleanSubpath(path2)}`
     )
   );
 }
-function sessionApiPath(project, sessionName, path = "") {
+function sessionApiPath(project, sessionName, path2 = "") {
   return projectApiPath(
     project,
-    `/sessions/${encodeURIComponent(sessionName)}${cleanSubpath(path)}`
+    `/sessions/${encodeURIComponent(sessionName)}${cleanSubpath(path2)}`
   );
 }
-function runApiPath(runId, path = "") {
-  return apiPath(`/runs/${encodeURIComponent(runId)}${cleanSubpath(path)}`);
+function runApiPath(runId, path2 = "") {
+  return apiPath(`/runs/${encodeURIComponent(runId)}${cleanSubpath(path2)}`);
 }
-function cleanSubpath(path) {
-  const trimmed = path.trim();
+function cleanSubpath(path2) {
+  const trimmed = path2.trim();
   if (!trimmed) {
     return "";
   }
   return trimmed.startsWith("/") ? trimmed : `/${trimmed}`;
 }
-function orgSubpath(organizationId, path = "") {
-  return `/orgs/${encodeURIComponent(organizationId)}${cleanSubpath(path)}`;
+function orgSubpath(organizationId, path2 = "") {
+  return `/orgs/${encodeURIComponent(organizationId)}${cleanSubpath(path2)}`;
 }
 var API_PREFIX;
 var init_paths = __esm({
@@ -18927,9 +19036,9 @@ async function deleteProjectResource(context, request, options) {
   };
 }
 async function applyProjectResources(context, request, options) {
-  const path = projectApplyPath(context);
+  const path2 = projectApplyPath(context);
   const response = await context.authenticatedFetch(
-    context.apiUrl(path, options.apiBaseUrl),
+    context.apiUrl(path2, options.apiBaseUrl),
     {
       method: "POST",
       headers: {
@@ -19026,8 +19135,8 @@ function createApiClient(input) {
       explicit
     });
   }
-  function apiUrl(path, explicit) {
-    return `${apiBaseUrl(explicit)}${path}`;
+  function apiUrl(path2, explicit) {
+    return `${apiBaseUrl(explicit)}${path2}`;
   }
   function activeProject() {
     const config2 = readConfig(input.configPath);
@@ -19196,8 +19305,8 @@ function createApiClient(input) {
       headers: bootstrapAuthHeaders(init.headers)
     });
   }
-  async function requestJson(path, options = {}) {
-    const url2 = new URL(apiUrl(path, options.apiBaseUrl));
+  async function requestJson(path2, options = {}) {
+    const url2 = new URL(apiUrl(path2, options.apiBaseUrl));
     const searchParamEntries = Array.isArray(options.searchParams) ? options.searchParams : Object.entries(options.searchParams ?? {});
     for (const [name, value] of searchParamEntries) {
       url2.searchParams.append(name, value);
@@ -19581,7 +19690,7 @@ function createApiClient(input) {
     }),
     async setSecret(name, request, options = {}) {
       const organization = activeOrganization();
-      const path = options.projectId ? projectApiPath(
+      const path2 = options.projectId ? projectApiPath(
         {
           organizationId: organization.organizationId,
           projectId: options.projectId
@@ -19592,7 +19701,7 @@ function createApiClient(input) {
         `/secrets/${encodeURIComponent(name)}`
       );
       const response = await authenticatedFetch(
-        apiUrl(path, options.apiBaseUrl),
+        apiUrl(path2, options.apiBaseUrl),
         {
           method: "PUT",
           headers: {
@@ -19609,7 +19718,7 @@ function createApiClient(input) {
     },
     async listSecrets(options = {}) {
       const organization = activeOrganization();
-      const path = options.projectId ? projectApiPath(
+      const path2 = options.projectId ? projectApiPath(
         {
           organizationId: organization.organizationId,
           projectId: options.projectId
@@ -19617,7 +19726,7 @@ function createApiClient(input) {
         "/secrets"
       ) : orgApiPath(organization.organizationId, "/secrets");
       const response = await authenticatedFetch(
-        apiUrl(path, options.apiBaseUrl),
+        apiUrl(path2, options.apiBaseUrl),
         {},
         options.apiBaseUrl
       );
@@ -19628,7 +19737,7 @@ function createApiClient(input) {
     },
     async removeSecret(name, options = {}) {
       const organization = activeOrganization();
-      const path = options.projectId ? projectApiPath(
+      const path2 = options.projectId ? projectApiPath(
         {
           organizationId: organization.organizationId,
           projectId: options.projectId
@@ -19639,7 +19748,7 @@ function createApiClient(input) {
         `/secrets/${encodeURIComponent(name)}`
       );
       const response = await authenticatedFetch(
-        apiUrl(path, options.apiBaseUrl),
+        apiUrl(path2, options.apiBaseUrl),
         {
           method: "DELETE"
         },
@@ -20138,9 +20247,9 @@ var init_browser = __esm({
 });
 
 // src/lib/oauth/loopback.ts
-import { createServer } from "http";
+import { createServer as createServer2 } from "http";
 async function createOAuthLoopbackCallback(input) {
-  const path = input?.path ?? "/callback";
+  const path2 = input?.path ?? "/callback";
   const successHtml = input?.successHtml ?? renderOAuthLoopbackPage({
     status: "success",
     eyebrow: "Auto",
@@ -20159,9 +20268,9 @@ async function createOAuthLoopbackCallback(input) {
     resolveResult = resolve2;
     rejectResult = reject;
   });
-  const server = createServer((request, response) => {
+  const server = createServer2((request, response) => {
     const url2 = new URL(request.url ?? "/", "http://127.0.0.1");
-    if (url2.pathname !== path) {
+    if (url2.pathname !== path2) {
       response.writeHead(404).end("Not found");
       return;
     }
@@ -20203,7 +20312,7 @@ async function createOAuthLoopbackCallback(input) {
   const address = server.address();
   return {
     close: () => server.close(),
-    redirectUri: `http://127.0.0.1:${address.port}${path}`,
+    redirectUri: `http://127.0.0.1:${address.port}${path2}`,
     result
   };
 }
@@ -20585,12 +20694,12 @@ function readProjectApplyRequest(options) {
     throw new Error(`No resource files found in ${directory}`);
   }
   const resources = [];
-  for (const { kind, path } of files) {
-    const request = readApplyDocumentFile(path);
+  for (const { kind, path: path2 } of files) {
+    const request = readApplyDocumentFile(path2);
     for (const resource of request.resources) {
       if (resource.kind !== kind) {
         throw new Error(
-          `Resource kind "${resource.kind}" in ${path} does not match .auto/${APPLY_DIRECTORIES[kind]}`
+          `Resource kind "${resource.kind}" in ${path2} does not match .auto/${APPLY_DIRECTORIES[kind]}`
         );
       }
       resources.push(resource);
@@ -20642,15 +20751,15 @@ function applyFiles(root) {
   const files = [];
   for (const kind of APPLY_RESOURCE_ORDER) {
     const directory = APPLY_DIRECTORIES[kind];
-    const path = join3(root, directory);
+    const path2 = join3(root, directory);
     let entries;
     try {
-      entries = readdirSync(path, { withFileTypes: true });
+      entries = readdirSync(path2, { withFileTypes: true });
     } catch {
       continue;
     }
     files.push(
-      ...resourceApplyFiles(path, entries).map((file2) => ({
+      ...resourceApplyFiles(path2, entries).map((file2) => ({
         kind,
         path: file2
       }))
@@ -20658,8 +20767,8 @@ function applyFiles(root) {
   }
   return files;
 }
-function readApplyDocumentFile(path) {
-  const source = readFileSync3(path, "utf8");
+function readApplyDocumentFile(path2) {
+  const source = readFileSync3(path2, "utf8");
   let documents;
   try {
     documents = parseYamlDocuments(source).filter((document) => document.contents !== null).map((document) => document.toJSON());
@@ -20669,7 +20778,7 @@ function readApplyDocumentFile(path) {
     );
   }
   if (documents.length === 0) {
-    throw new Error(`Invalid apply file: ${path} is empty`);
+    throw new Error(`Invalid apply file: ${path2} is empty`);
   }
   if (documents.length === 1) {
     const system = ProjectApplySystemConfigSchema.safeParse(documents[0]);
@@ -20795,8 +20904,8 @@ function applyFileProjectRoot(file2) {
     dir = parent;
   }
 }
-function isInside(path, parent) {
-  return path.startsWith(`${parent}/`);
+function isInside(path2, parent) {
+  return path2.startsWith(`${parent}/`);
 }
 function applyCandidate(document) {
   if (!isRecord(document) || !("kind" in document)) {
@@ -20822,15 +20931,15 @@ function isRecord(value) {
 function resourceApplyFiles(directory, entries) {
   const files = [];
   for (const entry of entries) {
-    const path = join3(directory, entry.name);
+    const path2 = join3(directory, entry.name);
     if (entry.isDirectory()) {
       files.push(
-        ...resourceApplyFiles(path, readdirSync(path, { withFileTypes: true }))
+        ...resourceApplyFiles(path2, readdirSync(path2, { withFileTypes: true }))
       );
       continue;
     }
     if (entry.isFile() && /\.(json|ya?ml)$/i.test(entry.name)) {
-      files.push(path);
+      files.push(path2);
     }
   }
   return files.sort((left, right) => left.localeCompare(right));
@@ -20984,8 +21093,8 @@ function listProfiles(configPath = defaultConfigPath()) {
     throw err;
   }
   return entries.filter((entry) => entry.endsWith(".yaml")).sort().map((entry) => {
-    const path = join4(dir, entry);
-    return { path, config: readConfig(path) };
+    const path2 = join4(dir, entry);
+    return { path: path2, config: readConfig(path2) };
   }).filter((profile) => profile.config.userEmail);
 }
 function findAccountProfile(input) {
@@ -21490,7 +21599,7 @@ var init_package = __esm({
   "package.json"() {
     package_default = {
       name: "@autohq/cli",
-      version: "0.1.89",
+      version: "0.1.90",
       license: "SEE LICENSE IN README.md",
       publishConfig: {
         access: "public"
@@ -26616,6 +26725,156 @@ var init_launcher = __esm({
 // src/cli/program.ts
 import { Command, Option as Option3 } from "commander";
 
+// src/commands/agent-bridge/git-credentials.ts
+import { once } from "events";
+import { chmod, mkdir, readFile, writeFile } from "fs/promises";
+import { createServer } from "http";
+import { homedir } from "os";
+import path from "path";
+var RELAY_PATH = "/git-credential";
+function defaultGitCredentialPortFilePath() {
+  return path.join(homedir(), ".auto", "agent-bridge", "git-credential.json");
+}
+async function startGitCredentialRelay(input) {
+  const fetchImpl = input.fetchImpl ?? fetch;
+  let target = { url: input.url, accessToken: input.accessToken };
+  const server = createServer((request, response) => {
+    if (request.method !== "POST" || request.url !== RELAY_PATH) {
+      response.writeHead(404).end();
+      return;
+    }
+    const chunks = [];
+    request.on("data", (chunk) => chunks.push(chunk));
+    request.on("end", () => {
+      void (async () => {
+        try {
+          const upstream = await fetchImpl(target.url, {
+            method: "POST",
+            headers: {
+              authorization: `Bearer ${target.accessToken}`,
+              "content-type": "application/json"
+            },
+            body: Buffer.concat(chunks).toString("utf8") || "{}"
+          });
+          const body = await upstream.text();
+          response.writeHead(upstream.status, {
+            "content-type": upstream.headers.get("content-type") ?? "application/json"
+          }).end(body);
+        } catch (error51) {
+          response.writeHead(502, { "content-type": "application/json" }).end(
+            JSON.stringify({
+              error: error51 instanceof Error ? error51.message : String(error51)
+            })
+          );
+        }
+      })();
+    });
+  });
+  server.listen(0, "127.0.0.1");
+  await once(server, "listening");
+  server.unref();
+  const address = server.address();
+  if (!address || typeof address !== "object") {
+    server.close();
+    throw new Error("git credential relay failed to bind a loopback port");
+  }
+  const portFilePath = input.portFilePath ?? defaultGitCredentialPortFilePath();
+  await mkdir(path.dirname(portFilePath), { recursive: true });
+  await writeFile(portFilePath, JSON.stringify({ port: address.port }), {
+    mode: 384
+  });
+  await chmod(portFilePath, 384);
+  return {
+    port: address.port,
+    update: (next) => {
+      target = { url: next.url, accessToken: next.accessToken };
+    },
+    close: () => new Promise((resolve2) => {
+      server.close(() => resolve2());
+    })
+  };
+}
+async function runGitCredentialHelper(input) {
+  if (input.args.includes("--check")) {
+    return 0;
+  }
+  const operation = input.args.find((arg) => !arg.startsWith("-"));
+  if (operation === "store" || operation === "erase") {
+    return 0;
+  }
+  if (operation !== "get") {
+    input.writeError(`unsupported git credential operation: ${operation}`);
+    return 1;
+  }
+  try {
+    const attributes = parseGitCredentialAttributes(
+      await readStream(input.stdin)
+    );
+    if (attributes.protocol !== "https" || attributes.host !== "github.com") {
+      return 1;
+    }
+    const portFilePath = input.portFilePath ?? defaultGitCredentialPortFilePath();
+    const portFile = JSON.parse(await readFile(portFilePath, "utf8"));
+    if (typeof portFile.port !== "number") {
+      input.writeError("git credential relay port file is malformed");
+      return 1;
+    }
+    const response = await (input.fetchImpl ?? fetch)(
+      `http://127.0.0.1:${portFile.port}${RELAY_PATH}`,
+      {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({
+          host: attributes.host,
+          ...attributes.path ? { path: attributes.path } : {}
+        })
+      }
+    );
+    if (!response.ok) {
+      input.writeError(
+        `git credential broker rejected the request: ${response.status}`
+      );
+      return 1;
+    }
+    const credential = await response.json();
+    if (!credential.username || !credential.password) {
+      input.writeError("git credential broker returned no credential");
+      return 1;
+    }
+    input.writeOutput(`username=${credential.username}`);
+    input.writeOutput(`password=${credential.password}`);
+    const expiryUtc = credential.expiresAt ? Math.floor(new Date(credential.expiresAt).getTime() / 1e3) : void 0;
+    if (expiryUtc && Number.isFinite(expiryUtc)) {
+      input.writeOutput(`password_expiry_utc=${expiryUtc}`);
+    }
+    return 0;
+  } catch (error51) {
+    input.writeError(error51 instanceof Error ? error51.message : String(error51));
+    return 1;
+  }
+}
+function parseGitCredentialAttributes(raw) {
+  const attributes = {};
+  for (const line of raw.split("\n")) {
+    if (!line.trim()) {
+      continue;
+    }
+    const separator = line.indexOf("=");
+    if (separator <= 0) {
+      continue;
+    }
+    attributes[line.slice(0, separator)] = line.slice(separator + 1);
+  }
+  return attributes;
+}
+async function readStream(stream) {
+  const chunks = [];
+  for await (const chunk of stream) {
+    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+  }
+  return Buffer.concat(chunks).toString("utf8");
+}
+
 // ../../packages/protocol/src/index.ts
 init_zod();
 var OpaqueIdSchema = external_exports.string().trim().min(1);
@@ -26724,7 +26983,14 @@ var AgentBridgeClaudeConfigSchema = external_exports.object({
 var RuntimeBridgeBootstrapPlaintextSchema = external_exports.object({
   version: external_exports.literal(1),
   outputSeqStart: external_exports.number().int().nonnegative(),
-  claude: AgentBridgeClaudeConfigSchema
+  claude: AgentBridgeClaudeConfigSchema,
+  // Endpoint + run token for the git credential broker. Present only when
+  // the run has GitHub App git mounts; rides the encrypted bootstrap so the
+  // token lives in agent-bridge memory, never on disk.
+  gitCredentials: external_exports.object({
+    url: external_exports.string().trim().min(1),
+    accessToken: external_exports.string().trim().min(1)
+  }).strict().optional()
 }).strict();
 var RuntimeBridgeEncryptedBootstrapSchema = external_exports.object({
   version: external_exports.literal(1),
@@ -26951,6 +27217,7 @@ async function runAgentBridgeSocket(options) {
       RUNTIME_BRIDGE_BOOTSTRAP_EVENT,
       createRuntimeBridgeBootstrapListener({
         token: options.token,
+        onBootstrap: options.onBootstrap,
         createHandler: (bootstrap) => options.createHandler({
           emitOutput: (output) => emitOutputWithAck(socket, output),
           claude: bootstrap.claude,
@@ -27049,6 +27316,7 @@ function createRuntimeBridgeBootstrapListener(input) {
       input.writeOutput?.(
         `agent_bridge_bootstrap_decrypted duration_ms=${Date.now() - decryptStartedAt}`
       );
+      await input.onBootstrap?.(bootstrap);
       let handler = input.getHandler();
       if (!handler) {
         handler = input.createHandler(bootstrap);
@@ -27885,21 +28153,21 @@ import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
 import { dirname } from "path";
 var AGENT_BRIDGE_RUNTIME_DIR = "/tmp/auto-bridge-runtime";
 var CLAUDE_SESSION_RESUME_PATH = `${AGENT_BRIDGE_RUNTIME_DIR}/claude-session-id`;
-function fileClaudeSessionResumeStore(path = CLAUDE_SESSION_RESUME_PATH) {
+function fileClaudeSessionResumeStore(path2 = CLAUDE_SESSION_RESUME_PATH) {
   return {
     read(runId) {
-      if (!existsSync(path)) {
+      if (!existsSync(path2)) {
         return null;
       }
-      const record2 = parseResumeRecord(readFileSync(path, "utf8"));
+      const record2 = parseResumeRecord(readFileSync(path2, "utf8"));
       if (!record2 || record2.runId !== runId) {
         return null;
       }
       return record2.sessionId;
     },
     write(record2) {
-      mkdirSync(dirname(path), { recursive: true });
-      writeFileSync(path, `${JSON.stringify(record2)}
+      mkdirSync(dirname(path2), { recursive: true });
+      writeFileSync(path2, `${JSON.stringify(record2)}
 `, "utf8");
     }
   };
@@ -28268,7 +28536,10 @@ function deliveryMessage(delivery) {
 // src/commands/agent-bridge/entrypoint.ts
 async function runAgentBridgeProcess(input) {
   const runAgentBridge = input.runAgentBridge ?? runAgentBridgeClaudeCode;
-  await runAgentBridge(agentBridgeOptionsFromEnv(input));
+  await runAgentBridge({
+    ...agentBridgeOptionsFromEnv(input),
+    onBootstrap: createGitCredentialRelayStarter(input.writeOutput)
+  });
 }
 function agentBridgeOptionsFromEnv(input) {
   return {
@@ -28277,6 +28548,37 @@ function agentBridgeOptionsFromEnv(input) {
     writeOutput: input.writeOutput
   };
 }
+function createGitCredentialRelayStarter(writeOutput) {
+  let relay;
+  let startup;
+  return async (bootstrap) => {
+    const gitCredentials = bootstrap.gitCredentials;
+    if (!gitCredentials) {
+      return;
+    }
+    if (relay) {
+      relay.update(gitCredentials);
+      return;
+    }
+    if (startup) {
+      const started = await startup;
+      started?.update(gitCredentials);
+      return;
+    }
+    startup = startGitCredentialRelay(gitCredentials).then((started) => {
+      relay = started;
+      writeOutput?.(`agent_bridge_git_credential_relay port=${started.port}`);
+      return started;
+    }).catch((error51) => {
+      startup = void 0;
+      writeOutput?.(
+        `agent_bridge_git_credential_relay_failed error=${error51 instanceof Error ? error51.message : String(error51)}`
+      );
+      return void 0;
+    });
+    await startup;
+  };
+}
 function requiredEnv(env, key) {
   const value = env[key]?.trim();
   if (!value) {
@@ -28287,12 +28589,25 @@ function requiredEnv(env, key) {
 
 // src/commands/agent-bridge/commands.ts
 function registerAgentBridgeCommands(program, context) {
-  program.command("agent-bridge", { hidden: true }).description("Run the internal runtime bridge wrapper.").action(async () => {
+  const agentBridge = program.command("agent-bridge", { hidden: true }).description("Run the internal runtime bridge wrapper.").action(async () => {
     await runAgentBridgeProcess({
       env: context.env,
       writeOutput: context.writeOutput
     });
   });
+  agentBridge.command("git-credential [operation]").description("git credential helper backed by the run's broker endpoint.").option("--check", "Exit 0 when the helper is available.").allowUnknownOption(true).action(async (operation, options) => {
+    const exitCode = await runGitCredentialHelper({
+      args: [
+        ...options.check ? ["--check"] : [],
+        ...operation ? [operation] : []
+      ],
+      stdin: process.stdin,
+      writeOutput: context.writeOutput,
+      writeError: (line) => process.stderr.write(`${line}
+`)
+    });
+    process.exitCode = exitCode;
+  });
 }
 
 // src/cli/options.ts
@@ -31214,7 +31529,7 @@ async function secretValue(input) {
     }
     value = envValue;
   } else if (input.options.stdin) {
-    value = await readStream(input.stdin, Boolean(input.options.raw));
+    value = await readStream2(input.stdin, Boolean(input.options.raw));
   } else {
     throw new Error(
       "Provide the secret value with --stdin, --value, or --from-env."
@@ -31227,7 +31542,7 @@ async function secretValue(input) {
   }
   return value;
 }
-async function readStream(stream, raw) {
+async function readStream2(stream, raw) {
   const chunks = [];
   for await (const chunk of stream) {
     chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(String(chunk)));
@@ -31457,7 +31772,7 @@ function withApiBaseUrl2(context, commandOptions) {
 init_resources2();
 init_browser();
 import { existsSync as existsSync2, mkdtempSync as mkdtempSync2, writeFileSync as writeFileSync4 } from "fs";
-import { homedir as homedir2, tmpdir as tmpdir2 } from "os";
+import { homedir as homedir3, tmpdir as tmpdir2 } from "os";
 import { join as join6 } from "path";
 var POLL_INTERVAL_MS = 2e3;
 var POLL_TIMEOUT_MS = 5 * 6e4;
@@ -31619,7 +31934,7 @@ async function promptForIconUploads(input, options) {
   }
 }
 function stagedLocationLabel(stagedPath) {
-  return stagedPath.startsWith(`${join6(homedir2(), "Downloads")}/`) ? "Downloads" : "the printed path";
+  return stagedPath.startsWith(`${join6(homedir3(), "Downloads")}/`) ? "Downloads" : "the printed path";
 }
 async function stageAvatarImage(input) {
   try {
@@ -31631,11 +31946,11 @@ async function stageAvatarImage(input) {
     }
     const contentType = response.headers.get("content-type") ?? "";
     const extension = contentType.includes("jpeg") ? ".jpg" : ".png";
-    const downloads = join6(homedir2(), "Downloads");
+    const downloads = join6(homedir3(), "Downloads");
     const directory = existsSync2(downloads) ? downloads : mkdtempSync2(join6(tmpdir2(), "auto-avatar-"));
-    const path = join6(directory, `${input.session}-avatar${extension}`);
-    writeFileSync4(path, Buffer.from(await response.arrayBuffer()));
-    return path;
+    const path2 = join6(directory, `${input.session}-avatar${extension}`);
+    writeFileSync4(path2, Buffer.from(await response.arrayBuffer()));
+    return path2;
   } catch {
     return void 0;
   }