@h-rig/cli 0.0.6-alpha.1 → 0.0.6-alpha.11

package/dist/src/commands/init.js

@@ -2,9 +2,9 @@
 var __require = import.meta.require;
 
 // packages/cli/src/commands/init.ts
-import { appendFileSync, existsSync as existsSync4, mkdirSync as mkdirSync2, readFileSync as readFileSync4, writeFileSync as writeFileSync2 } from "fs";
+import { appendFileSync, existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync5, writeFileSync as writeFileSync2 } from "fs";
 import { spawnSync as spawnSync2 } from "child_process";
-import { resolve as resolve5 } from "path";
+import { resolve as resolve6 } from "path";
 
 // packages/cli/src/runner.ts
 import { EventBus } from "@rig/runtime/control-plane/runtime/events";
@@ -154,6 +154,8 @@ function resolveSelectedConnection(projectRoot, options = {}) {
 
 // packages/cli/src/commands/_server-client.ts
 import { spawnSync } from "child_process";
+import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
+import { resolve as resolve2 } from "path";
 import { ensureLocalRigServerConnection } from "@rig/runtime/local-server";
 var cachedGitHubBearerToken;
 function cleanToken(value) {
@@ -163,9 +165,25 @@ function cleanToken(value) {
 function setGitHubBearerTokenForCurrentProcess(token) {
   cachedGitHubBearerToken = cleanToken(token ?? undefined);
 }
-function readGitHubBearerTokenForRemote() {
+function readPrivateRemoteSessionToken(projectRoot) {
+  const path = resolve2(projectRoot, ".rig", "state", "github-auth.json");
+  if (!existsSync2(path))
+    return null;
+  try {
+    const parsed = JSON.parse(readFileSync2(path, "utf8"));
+    return cleanToken(typeof parsed.apiSessionToken === "string" ? parsed.apiSessionToken : typeof parsed.sessionToken === "string" ? parsed.sessionToken : undefined);
+  } catch {
+    return null;
+  }
+}
+function readGitHubBearerTokenForRemote(projectRoot) {
   if (cachedGitHubBearerToken !== undefined)
     return cachedGitHubBearerToken;
+  const privateSession = readPrivateRemoteSessionToken(projectRoot);
+  if (privateSession) {
+    cachedGitHubBearerToken = privateSession;
+    return cachedGitHubBearerToken;
+  }
   const envToken = cleanToken(process.env.RIG_GITHUB_TOKEN) ?? cleanToken(process.env.GITHUB_TOKEN) ?? cleanToken(process.env.GH_TOKEN);
   if (envToken) {
     cachedGitHubBearerToken = envToken;
@@ -185,7 +203,7 @@ async function ensureServerForCli(projectRoot) {
     if (selected?.connection.kind === "remote") {
       return {
         baseUrl: selected.connection.baseUrl,
-        authToken: readGitHubBearerTokenForRemote(),
+        authToken: readGitHubBearerTokenForRemote(projectRoot),
         connectionKind: "remote"
       };
     }
@@ -249,7 +267,7 @@ async function postGitHubTokenViaServer(context, token, options = {}) {
   const payload = await requestServerJson(context, "/api/github/auth/token", {
     method: "POST",
     headers: { "content-type": "application/json" },
-    body: JSON.stringify({ token, selectedRepo: options.selectedRepo })
+    body: JSON.stringify({ token, selectedRepo: options.selectedRepo, projectRoot: options.projectRoot })
   });
   return payload && typeof payload === "object" && !Array.isArray(payload) ? payload : {};
 }
@@ -270,18 +288,38 @@ async function registerProjectViaServer(context, input) {
   return payload && typeof payload === "object" && !Array.isArray(payload) ? payload : {};
 }
 function sleep(ms) {
-  return new Promise((resolve2) => setTimeout(resolve2, ms));
+  return new Promise((resolve3) => setTimeout(resolve3, ms));
+}
+function isRetryableProjectRootSwitchError(error) {
+  if (!(error instanceof Error))
+    return false;
+  const message = error.message.toLowerCase();
+  return message.includes("rig server request failed (401): auth-required") || message.includes("rig server request failed (401): github-token-required") || message.includes("rig server request failed (502)") || message.includes("rig server request failed (503)") || message.includes("bad gateway") || message.includes("fetch failed") || message.includes("econnrefused") || message.includes("connection refused");
 }
 async function switchServerProjectRootViaServer(context, projectRoot, options = {}) {
-  const switched = await requestServerJson(context, "/api/server/project-root", {
-    method: "POST",
-    headers: { "content-type": "application/json" },
-    body: JSON.stringify({ projectRoot })
-  });
   const timeoutMs = options.timeoutMs ?? 30000;
   const pollMs = options.pollMs ?? 1000;
   const deadline = Date.now() + timeoutMs;
   let lastError;
+  let switched = null;
+  while (Date.now() < deadline) {
+    try {
+      switched = await requestServerJson(context, "/api/server/project-root", {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ projectRoot })
+      });
+      break;
+    } catch (error) {
+      lastError = error;
+      if (!isRetryableProjectRootSwitchError(error))
+        throw error;
+      await sleep(pollMs);
+    }
+  }
+  if (!switched) {
+    throw new CliError2(`Rig server did not accept project-root switch to ${projectRoot} before timeout (${lastError instanceof Error ? lastError.message : String(lastError ?? "no response")}).`, 1);
+  }
   while (Date.now() < deadline) {
     try {
       const status = await requestServerJson(context, "/api/server/status");
@@ -301,9 +339,9 @@ async function switchServerProjectRootViaServer(context, projectRoot, options =
 }
 
 // packages/cli/src/commands/_pi-install.ts
-import { existsSync as existsSync2, readFileSync as readFileSync2, rmSync } from "fs";
+import { existsSync as existsSync3, readFileSync as readFileSync3, rmSync } from "fs";
 import { homedir as homedir2 } from "os";
-import { resolve as resolve2 } from "path";
+import { resolve as resolve3 } from "path";
 var PI_RIG_PACKAGE_NAME = "@rig/pi-rig";
 var LEGACY_PI_RIG_MARKER = `// Managed by Rig. Source package: @rig/pi-rig.
 export { default } from '@rig/pi-rig';
@@ -318,11 +356,11 @@ async function defaultCommandRunner(command, options = {}) {
   return { exitCode, stdout, stderr };
 }
 function resolvePiRigExtensionPath(homeDir) {
-  return resolve2(homeDir, ".pi", "agent", "extensions", "pi-rig");
+  return resolve3(homeDir, ".pi", "agent", "extensions", "pi-rig");
 }
-function resolvePiRigPackageSource(projectRoot, exists = existsSync2) {
-  const localPackage = resolve2(projectRoot, "packages", "pi-rig");
-  if (exists(resolve2(localPackage, "package.json")))
+function resolvePiRigPackageSource(projectRoot, exists = existsSync3) {
+  const localPackage = resolve3(projectRoot, "packages", "pi-rig");
+  if (exists(resolve3(localPackage, "package.json")))
     return localPackage;
   return `npm:${PI_RIG_PACKAGE_NAME}`;
 }
@@ -373,13 +411,13 @@ async function ensurePiBinaryAvailable(input) {
     ...next.exitCode === 0 ? {} : { error: (next.stderr || next.stdout).trim() || "pi --version failed after install" }
   };
 }
-function removeManagedLegacyPiRigBridge(homeDir, exists = existsSync2) {
+function removeManagedLegacyPiRigBridge(homeDir, exists = existsSync3) {
   const extensionPath = resolvePiRigExtensionPath(homeDir);
-  const indexPath = resolve2(extensionPath, "index.ts");
+  const indexPath = resolve3(extensionPath, "index.ts");
   if (!exists(indexPath))
     return;
   try {
-    const content = readFileSync2(indexPath, "utf8");
+    const content = readFileSync3(indexPath, "utf8");
     if (content === LEGACY_PI_RIG_MARKER || content.includes("Managed by Rig. Source package: @rig/pi-rig")) {
       rmSync(extensionPath, { recursive: true, force: true });
     }
@@ -395,13 +433,13 @@ async function checkPiRigInstall(input = {}) {
       piRig: { ok: true, label: "pi-rig global extension", detail: extensionPath }
     };
   }
-  const exists = input.exists ?? existsSync2;
+  const exists = input.exists ?? existsSync3;
   const runner = input.commandRunner ?? defaultCommandRunner;
   const piResult = await safeRun(runner, ["pi", "--version"]);
   const piListResult = piResult.exitCode === 0 ? await safeRun(runner, ["pi", "list"]) : { exitCode: 1, stdout: "", stderr: "" };
   const listedPiRig = piListResult.exitCode === 0 && piListContainsPiRig(`${piListResult.stdout}
 ${piListResult.stderr}`);
-  const legacyBridge = exists(resolve2(extensionPath, "index.ts"));
+  const legacyBridge = exists(resolve3(extensionPath, "index.ts"));
   const hasPiRig = listedPiRig;
   return {
     extensionPath,
@@ -478,7 +516,7 @@ async function buildPiSetupChecks(input = {}) {
 
 // packages/cli/src/commands/_snapshot-upload.ts
 import { mkdir, readdir, readFile, writeFile } from "fs/promises";
-import { dirname as dirname2, resolve as resolve3, relative, sep } from "path";
+import { dirname as dirname2, resolve as resolve4, relative, sep } from "path";
 var SNAPSHOT_ARCHIVE_VERSION = 1;
 var SNAPSHOT_ARCHIVE_CONTENT_TYPE = "application/vnd.rig.snapshot+json";
 var DEFAULT_EXCLUDED_DIRECTORIES = new Set([
@@ -500,15 +538,15 @@ function assertManifestPath(root, relativePath) {
   if (!relativePath || relativePath.startsWith("/") || relativePath.includes("\x00")) {
     throw new Error(`Invalid snapshot path: ${relativePath}`);
   }
-  const resolved = resolve3(root, relativePath);
+  const resolved = resolve4(root, relativePath);
   const relativeToRoot = relative(root, resolved);
-  if (relativeToRoot.startsWith("..") || relativeToRoot === ".." || resolve3(relativeToRoot) === resolved) {
+  if (relativeToRoot.startsWith("..") || relativeToRoot === ".." || resolve4(relativeToRoot) === resolved) {
     throw new Error(`Snapshot path escapes project root: ${relativePath}`);
   }
   return resolved;
 }
 async function buildSnapshotUploadManifest(projectRoot, options = {}) {
-  const root = resolve3(projectRoot);
+  const root = resolve4(projectRoot);
   const excludedDirectories = [...new Set([
     ...DEFAULT_EXCLUDED_DIRECTORIES,
     ...options.excludedDirectories ?? []
@@ -520,7 +558,7 @@ async function buildSnapshotUploadManifest(projectRoot, options = {}) {
     for (const entry of entries) {
       if (entry.isDirectory() && excludedSet.has(entry.name))
         continue;
-      const fullPath = resolve3(dir, entry.name);
+      const fullPath = resolve4(dir, entry.name);
       if (entry.isDirectory()) {
         await visit(fullPath);
         continue;
@@ -568,8 +606,8 @@ async function uploadSnapshotArchiveViaServer(context, input) {
 }
 
 // packages/cli/src/commands/_doctor-checks.ts
-import { existsSync as existsSync3, readFileSync as readFileSync3 } from "fs";
-import { resolve as resolve4 } from "path";
+import { existsSync as existsSync4, readFileSync as readFileSync4 } from "fs";
+import { resolve as resolve5 } from "path";
 import { isSupportedBunVersion, MIN_SUPPORTED_BUN_VERSION } from "@rig/runtime/control-plane/setup-version";
 
 // packages/cli/src/commands/_parsers.ts
@@ -621,11 +659,11 @@ function repoSlugFromConfig(config) {
 function loadFallbackConfig(projectRoot) {
   const candidates = ["rig.config.ts", "rig.config.mts", "rig.config.json"];
   for (const name of candidates) {
-    const path = resolve4(projectRoot, name);
-    if (!existsSync3(path))
+    const path = resolve5(projectRoot, name);
+    if (!existsSync4(path))
       continue;
     try {
-      const source = readFileSync3(path, "utf8");
+      const source = readFileSync4(path, "utf8");
       if (name.endsWith(".json"))
         return JSON.parse(source);
       const owner = source.match(/owner\s*:\s*["']([^"']+)["']/)?.[1];
@@ -704,7 +742,7 @@ async function runRigDoctorChecks(options) {
   checks.push(check("bun", `bun >= ${MIN_SUPPORTED_BUN_VERSION}`, isSupportedBunVersion(bunVersion) ? "pass" : "fail", `found ${bunVersion}`, `Install Bun ${MIN_SUPPORTED_BUN_VERSION} or newer.`), check("git", "git", which("git") ? "pass" : "fail", which("git") ?? undefined, "Install git and ensure it is on PATH."), check("jq", "jq", which("jq") ? "pass" : "warn", which("jq") ?? undefined, "Install jq (for example `brew install jq`)."));
   const loadedConfig = await loadConfig(projectRoot).catch(() => null);
   const config = loadedConfig ?? loadFallbackConfig(projectRoot);
-  const hasConfigFile = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync3(resolve4(projectRoot, name)));
+  const hasConfigFile = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync4(resolve5(projectRoot, name)));
   checks.push(config ? check("config", "rig.config loadable", "pass") : check("config", "rig.config loadable", hasConfigFile ? "fail" : "fail", hasConfigFile ? "config file exists but failed to load" : "missing rig.config.ts/json", "Run `rig init` or fix the config error."));
   const taskSourceKind = config?.taskSource?.kind;
   checks.push(taskSourceKind ? check("task-source", "task source configured", "pass", taskSourceKind) : check("task-source", "task source configured", "fail", "missing taskSource", "Configure taskSource in rig.config.ts."));
@@ -790,10 +828,10 @@ function countDoctorFailures(checks) {
 }
 
 // packages/cli/src/commands/init.ts
-var RIG_CONFIG_PACKAGE_VERSION = "0.0.6-alpha.1";
+var RIG_CONFIG_PACKAGE_DIST_TAG = "latest";
 var RIG_CONFIG_DEV_DEPENDENCIES = {
-  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_VERSION}`,
-  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_VERSION}`
+  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_DIST_TAG}`,
+  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_DIST_TAG}`
 };
 function parseRepoSlugFromRemote(remoteUrl) {
   const trimmed = remoteUrl.trim();
@@ -813,20 +851,20 @@ function parseRepoSlug(value) {
   return { owner: match[1], repo: match[2], slug: `${match[1]}/${match[2]}` };
 }
 function ensureRigPrivateDirs(projectRoot) {
-  const rigDir = resolve5(projectRoot, ".rig");
-  mkdirSync2(resolve5(rigDir, "state"), { recursive: true });
-  mkdirSync2(resolve5(rigDir, "logs"), { recursive: true });
-  mkdirSync2(resolve5(rigDir, "runs"), { recursive: true });
-  mkdirSync2(resolve5(rigDir, "tmp"), { recursive: true });
-  mkdirSync2(resolve5(projectRoot, "artifacts"), { recursive: true });
-  const taskConfigPath = resolve5(rigDir, "task-config.json");
-  if (!existsSync4(taskConfigPath))
+  const rigDir = resolve6(projectRoot, ".rig");
+  mkdirSync2(resolve6(rigDir, "state"), { recursive: true });
+  mkdirSync2(resolve6(rigDir, "logs"), { recursive: true });
+  mkdirSync2(resolve6(rigDir, "runs"), { recursive: true });
+  mkdirSync2(resolve6(rigDir, "tmp"), { recursive: true });
+  mkdirSync2(resolve6(projectRoot, "artifacts"), { recursive: true });
+  const taskConfigPath = resolve6(rigDir, "task-config.json");
+  if (!existsSync5(taskConfigPath))
     writeFileSync2(taskConfigPath, `{}
 `, "utf-8");
 }
 function ensureGitignoreEntries(projectRoot) {
-  const path = resolve5(projectRoot, ".gitignore");
-  const existing = existsSync4(path) ? readFileSync4(path, "utf8") : "";
+  const path = resolve6(projectRoot, ".gitignore");
+  const existing = existsSync5(path) ? readFileSync5(path, "utf8") : "";
   const entries = [".rig/state/", ".rig/logs/", ".rig/runs/", ".rig/tmp/"];
   const missing = entries.filter((entry) => !existing.split(/\r?\n/).includes(entry));
   if (missing.length === 0)
@@ -839,14 +877,14 @@ function ensureGitignoreEntries(projectRoot) {
 `, "utf8");
 }
 function ensureRigConfigPackageDependencies(projectRoot) {
-  const path = resolve5(projectRoot, "package.json");
-  const existing = existsSync4(path) ? JSON.parse(readFileSync4(path, "utf8")) : {};
+  const path = resolve6(projectRoot, "package.json");
+  const existing = existsSync5(path) ? JSON.parse(readFileSync5(path, "utf8")) : {};
   const devDependencies = existing.devDependencies && typeof existing.devDependencies === "object" && !Array.isArray(existing.devDependencies) ? { ...existing.devDependencies } : {};
   for (const [name, spec] of Object.entries(RIG_CONFIG_DEV_DEPENDENCIES)) {
     devDependencies[name] = spec;
   }
   const next = {
-    ...existsSync4(path) ? existing : { name: "rig-project", private: true },
+    ...existsSync5(path) ? existing : { name: "rig-project", private: true },
     devDependencies
   };
   writeFileSync2(path, `${JSON.stringify(next, null, 2)}
@@ -916,15 +954,71 @@ async function promptSelect(prompts, options) {
     throw new CliError2("Init cancelled.", 1);
   return String(value);
 }
-async function pollDeviceAuthOnce(context, pollId) {
+function sleep2(ms) {
+  return new Promise((resolve7) => setTimeout(resolve7, ms));
+}
+function positiveIntFromEnv(name, fallback) {
+  const value = Number.parseInt(process.env[name] ?? "", 10);
+  return Number.isFinite(value) && value >= 0 ? value : fallback;
+}
+function apiSessionTokenFrom(payload) {
+  if (!payload || typeof payload !== "object" || Array.isArray(payload))
+    return null;
+  const token = payload.apiSessionToken;
+  return typeof token === "string" && token.trim() ? token.trim() : null;
+}
+function cleanPayloadString(value) {
+  return typeof value === "string" && value.trim() ? value.trim() : null;
+}
+function remoteGitHubAuthMetadata(payload) {
+  if (!payload)
+    return {};
+  const userNamespace = payload.userNamespace && typeof payload.userNamespace === "object" && !Array.isArray(payload.userNamespace) ? payload.userNamespace : null;
+  return {
+    ...cleanPayloadString(payload.login) ? { login: cleanPayloadString(payload.login) } : {},
+    ...cleanPayloadString(payload.userId) ? { userId: cleanPayloadString(payload.userId) } : {},
+    ...cleanPayloadString(userNamespace?.key) ? { userNamespaceKey: cleanPayloadString(userNamespace?.key) } : {},
+    ...cleanPayloadString(userNamespace?.root) ? { userNamespaceRoot: cleanPayloadString(userNamespace?.root) } : {},
+    ...cleanPayloadString(userNamespace?.checkoutBaseDir) ? { checkoutBaseDir: cleanPayloadString(userNamespace?.checkoutBaseDir) } : {},
+    ...cleanPayloadString(userNamespace?.snapshotBaseDir) ? { snapshotBaseDir: cleanPayloadString(userNamespace?.snapshotBaseDir) } : {}
+  };
+}
+function writeRemoteGitHubAuthState(projectRoot, input) {
+  writeFileSync2(resolve6(projectRoot, ".rig", "state", "github-auth.json"), `${JSON.stringify({
+    authenticated: true,
+    source: input.source,
+    storedOnServer: true,
+    selectedRepo: input.selectedRepo,
+    ...remoteGitHubAuthMetadata(input.authPayload ?? null),
+    ...input.apiSessionToken ? { apiSessionToken: input.apiSessionToken } : {},
+    updatedAt: new Date().toISOString()
+  }, null, 2)}
+`, "utf8");
+}
+async function pollDeviceAuthUntilComplete(context, pollId, firstPayload) {
   if (typeof pollId !== "string" || !pollId.trim())
     return null;
-  const payload = await requestServerJson(context, "/api/github/auth/device/poll", {
-    method: "POST",
-    headers: { "content-type": "application/json" },
-    body: JSON.stringify({ pollId })
-  }).catch(() => null);
-  return payload && typeof payload === "object" && !Array.isArray(payload) ? payload : null;
+  const intervalSeconds = typeof firstPayload.interval === "number" && Number.isFinite(firstPayload.interval) && firstPayload.interval > 0 ? firstPayload.interval : 5;
+  const timeoutMs = positiveIntFromEnv("RIG_DEVICE_AUTH_POLL_TIMEOUT_MS", 300000);
+  const intervalMs = positiveIntFromEnv("RIG_DEVICE_AUTH_POLL_INTERVAL_MS", Math.max(1000, intervalSeconds * 1000));
+  const deadline = Date.now() + timeoutMs;
+  let last = null;
+  do {
+    const payload = await requestServerJson(context, "/api/github/auth/device/poll", {
+      method: "POST",
+      headers: { "content-type": "application/json" },
+      body: JSON.stringify({ pollId })
+    }).catch(() => null);
+    last = payload && typeof payload === "object" && !Array.isArray(payload) ? payload : null;
+    const status = typeof last?.status === "string" ? last.status : null;
+    if (status === "signed-in" || status === "expired" || status === "cancelled" || status === "failed") {
+      return last;
+    }
+    if (timeoutMs <= 0)
+      return last;
+    await sleep2(intervalMs);
+  } while (Date.now() < deadline);
+  return last;
 }
 async function runControlPlaneInit(context, options) {
   const projectRoot = context.projectRoot;
@@ -947,9 +1041,9 @@ async function runControlPlaneInit(context, options) {
   });
   ensureRigPrivateDirs(projectRoot);
   ensureGitignoreEntries(projectRoot);
-  const configTsPath = resolve5(projectRoot, "rig.config.ts");
-  const configJsonPath = resolve5(projectRoot, "rig.config.json");
-  const configExists = existsSync4(configTsPath) || existsSync4(configJsonPath);
+  const configTsPath = resolve6(projectRoot, "rig.config.ts");
+  const configJsonPath = resolve6(projectRoot, "rig.config.json");
+  const configExists = existsSync5(configTsPath) || existsSync5(configJsonPath);
   if (!options.privateStateOnly) {
     if (configExists && !options.repair) {
       if (context.outputMode !== "json")
@@ -965,7 +1059,7 @@ async function runControlPlaneInit(context, options) {
     }
     ensureRigConfigPackageDependencies(projectRoot);
   }
-  writeFileSync2(resolve5(projectRoot, ".rig", "state", "project-link.json"), `${JSON.stringify({ repoSlug: repo.slug, connection: connectionAlias, linkedAt: new Date().toISOString() }, null, 2)}
+  writeFileSync2(resolve6(projectRoot, ".rig", "state", "project-link.json"), `${JSON.stringify({ repoSlug: repo.slug, connection: connectionAlias, linkedAt: new Date().toISOString() }, null, 2)}
 `, "utf8");
   const checkout = checkoutForInit(projectRoot, serverKind, options.remoteCheckout);
   let uploadedSnapshot = null;
@@ -987,10 +1081,15 @@ async function runControlPlaneInit(context, options) {
   const token = authMethod === "gh" && !options.githubToken ? readGhAuthToken() : options.githubToken?.trim();
   if (token) {
     githubAuth = await postGitHubTokenViaServer(context, token, { selectedRepo: repo.slug });
-    setGitHubBearerTokenForCurrentProcess(token);
+    const apiSessionToken = apiSessionTokenFrom(githubAuth);
+    setGitHubBearerTokenForCurrentProcess(apiSessionToken ?? token);
     if (serverKind === "remote") {
-      writeFileSync2(resolve5(projectRoot, ".rig", "state", "github-auth.json"), `${JSON.stringify({ authenticated: true, source: authMethod === "gh" ? "gh" : "init-token", storedOnServer: true, selectedRepo: repo.slug, updatedAt: new Date().toISOString() }, null, 2)}
-`, "utf8");
+      writeRemoteGitHubAuthState(projectRoot, {
+        source: authMethod === "gh" ? "gh" : "init-token",
+        selectedRepo: repo.slug,
+        apiSessionToken,
+        authPayload: githubAuth
+      });
     }
   } else if (authMethod === "device") {
     const payload = await requestServerJson(context, "/api/github/auth/device/start", {
@@ -999,9 +1098,22 @@ async function runControlPlaneInit(context, options) {
       body: JSON.stringify({ repoSlug: repo.slug })
     });
     deviceAuth = payload && typeof payload === "object" && !Array.isArray(payload) ? payload : {};
-    const completed = await pollDeviceAuthOnce(context, deviceAuth.pollId);
-    if (completed)
+    if (context.outputMode !== "json") {
+      const verificationUri = String(deviceAuth.verificationUri ?? deviceAuth.verification_uri ?? deviceAuth.verification_uri_complete ?? "the verification URL returned by the server");
+      const userCode = String(deviceAuth.userCode ?? deviceAuth.user_code ?? "the returned user code");
+      console.log(`GitHub device flow: open ${verificationUri} and enter ${userCode}. Waiting for authorization...`);
+    }
+    const completed = await pollDeviceAuthUntilComplete(context, deviceAuth.pollId, deviceAuth);
+    if (completed) {
+      const apiSessionToken = apiSessionTokenFrom(completed);
+      if (apiSessionToken) {
+        setGitHubBearerTokenForCurrentProcess(apiSessionToken);
+        if (serverKind === "remote") {
+          writeRemoteGitHubAuthState(projectRoot, { source: "device", selectedRepo: repo.slug, apiSessionToken, authPayload: completed });
+        }
+      }
       deviceAuth = { ...deviceAuth, poll: completed, completed: completed.status === "signed-in" };
+    }
   }
   let remoteCheckoutPreparation = null;
   if (serverKind === "remote" && options.remoteCheckout?.kind !== "uploaded-snapshot") {
@@ -1021,6 +1133,12 @@ async function runControlPlaneInit(context, options) {
   });
   const checkoutPath = typeof checkout.path === "string" ? checkout.path : null;
   const serverRootSwitch = serverKind === "remote" && checkoutPath ? await switchServerProjectRootViaServer(context, checkoutPath) : null;
+  if (serverRootSwitch && token) {
+    githubAuth = await postGitHubTokenViaServer(context, token, { selectedRepo: repo.slug, projectRoot: checkoutPath ?? undefined });
+    const apiSessionToken = apiSessionTokenFrom(githubAuth);
+    setGitHubBearerTokenForCurrentProcess(apiSessionToken ?? token);
+    writeRemoteGitHubAuthState(projectRoot, { source: authMethod === "gh" ? "gh" : "init-token", selectedRepo: repo.slug, apiSessionToken, authPayload: githubAuth });
+  }
   const activeProjectRegistration = serverRootSwitch ? await registerProjectViaServer(context, { repoSlug: repo.slug, checkout }) : null;
   const pi = serverKind === "remote" ? await ensureRemotePiRigInstalled({ requestJson: (pathname, init) => requestServerJson(context, pathname, init) }).catch((error) => ({
     remote: true,
@@ -1130,7 +1248,7 @@ function parseInitOptions(args) {
 async function runInteractiveControlPlaneInit(context, prompts) {
   prompts.intro?.("Initialize a Rig control-plane project");
   const projectRoot = context.projectRoot;
-  const existingConfig = existsSync4(resolve5(projectRoot, "rig.config.ts")) || existsSync4(resolve5(projectRoot, "rig.config.json"));
+  const existingConfig = existsSync5(resolve6(projectRoot, "rig.config.ts")) || existsSync5(resolve6(projectRoot, "rig.config.json"));
   let repair = false;
   let privateStateOnly = false;
   if (existingConfig) {
@@ -1230,7 +1348,7 @@ async function runInteractiveControlPlaneInit(context, prompts) {
   });
   const details = result.details && typeof result.details === "object" && !Array.isArray(result.details) ? result.details : {};
   const deviceAuth = details.deviceAuth && typeof details.deviceAuth === "object" && !Array.isArray(details.deviceAuth) ? details.deviceAuth : null;
-  const deviceMessage = deviceAuth ? ` GitHub device flow: open ${String(deviceAuth.verification_uri ?? deviceAuth.verification_uri_complete ?? "the verification URL returned by the server")} and enter ${String(deviceAuth.user_code ?? "the returned user code")}.` : "";
+  const deviceMessage = deviceAuth ? ` GitHub device flow: open ${String(deviceAuth.verificationUri ?? deviceAuth.verification_uri ?? deviceAuth.verification_uri_complete ?? "the verification URL returned by the server")} and enter ${String(deviceAuth.userCode ?? deviceAuth.user_code ?? "the returned user code")}.` : "";
   prompts.outro?.(`Rig project initialized.${deviceMessage} Next: rig doctor && rig task list`);
   return result;
 }

package/dist/src/commands/run.js

@@ -1,7 +1,7 @@
 // @bun
 // packages/cli/src/commands/run.ts
-import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
-import { resolve as resolve2 } from "path";
+import { existsSync as existsSync3, readFileSync as readFileSync3 } from "fs";
+import { resolve as resolve3 } from "path";
 import { createInterface as createInterface2 } from "readline/promises";
 
 // packages/cli/src/runner.ts
@@ -64,6 +64,7 @@ import {
   listOpenEpics,
   resolveDefaultEpic,
   runResume,
+  runRestart,
   runStatus,
   runStop,
   startRun,
@@ -85,6 +86,8 @@ function parsePositiveInt(value, option, fallback) {
 
 // packages/cli/src/commands/_server-client.ts
 import { spawnSync } from "child_process";
+import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
+import { resolve as resolve2 } from "path";
 import { ensureLocalRigServerConnection } from "@rig/runtime/local-server";
 
 // packages/cli/src/commands/_connection-state.ts
@@ -175,9 +178,25 @@ function cleanToken(value) {
   const trimmed = value?.trim();
   return trimmed ? trimmed : null;
 }
-function readGitHubBearerTokenForRemote() {
+function readPrivateRemoteSessionToken(projectRoot) {
+  const path = resolve2(projectRoot, ".rig", "state", "github-auth.json");
+  if (!existsSync2(path))
+    return null;
+  try {
+    const parsed = JSON.parse(readFileSync2(path, "utf8"));
+    return cleanToken(typeof parsed.apiSessionToken === "string" ? parsed.apiSessionToken : typeof parsed.sessionToken === "string" ? parsed.sessionToken : undefined);
+  } catch {
+    return null;
+  }
+}
+function readGitHubBearerTokenForRemote(projectRoot) {
   if (cachedGitHubBearerToken !== undefined)
     return cachedGitHubBearerToken;
+  const privateSession = readPrivateRemoteSessionToken(projectRoot);
+  if (privateSession) {
+    cachedGitHubBearerToken = privateSession;
+    return cachedGitHubBearerToken;
+  }
   const envToken = cleanToken(process.env.RIG_GITHUB_TOKEN) ?? cleanToken(process.env.GITHUB_TOKEN) ?? cleanToken(process.env.GH_TOKEN);
   if (envToken) {
     cachedGitHubBearerToken = envToken;
@@ -197,7 +216,7 @@ async function ensureServerForCli(projectRoot) {
     if (selected?.connection.kind === "remote") {
       return {
         baseUrl: selected.connection.baseUrl,
-        authToken: readGitHubBearerTokenForRemote(),
+        authToken: readGitHubBearerTokenForRemote(projectRoot),
         connectionKind: "remote"
       };
     }
@@ -388,6 +407,17 @@ async function attachRunOperatorView(context, input) {
 }
 
 // packages/cli/src/commands/run.ts
+function normalizeRemoteRunDetails(payload) {
+  const run = payload.run;
+  if (!run || typeof run !== "object" || Array.isArray(run))
+    return null;
+  return {
+    ...run,
+    ...Array.isArray(payload.timeline) ? { timeline: payload.timeline } : {},
+    ...Array.isArray(payload.approvals) ? { approvals: payload.approvals } : {},
+    ...Array.isArray(payload.userInputs) ? { userInputs: payload.userInputs } : {}
+  };
+}
 function shouldPromptForEpicSelection(context, command, promptEpic, noEpicPrompt) {
   if (noEpicPrompt) {
     return false;
@@ -526,7 +556,7 @@ async function executeRun(context, args) {
       if (!run.value) {
         throw new CliError2("run show requires --run <id>.");
       }
-      const record = readAuthorityRun(context.projectRoot, run.value);
+      const record = readAuthorityRun(context.projectRoot, run.value) ?? normalizeRemoteRunDetails(await getRunDetailsViaServer(context, run.value).catch(() => ({})));
       if (!record) {
         throw new CliError2(`Run not found: ${run.value}`, 2);
       }
@@ -545,7 +575,7 @@ async function executeRun(context, args) {
       if (!run.value) {
         throw new CliError2("run timeline requires --run <id>.");
       }
-      const timelinePath = resolve2(resolveAuthorityRunDir(context.projectRoot, run.value), "timeline.jsonl");
+      const timelinePath = resolve3(resolveAuthorityRunDir(context.projectRoot, run.value), "timeline.jsonl");
       const printEvents = () => {
         const events2 = readJsonlFile(timelinePath);
         if (context.outputMode === "text") {
@@ -557,12 +587,12 @@ async function executeRun(context, args) {
       };
       const events = printEvents();
       if (follow.value && context.outputMode === "text") {
-        let lastLength = existsSync2(timelinePath) ? readFileSync2(timelinePath, "utf8").length : 0;
+        let lastLength = existsSync3(timelinePath) ? readFileSync3(timelinePath, "utf8").length : 0;
         while (true) {
           await Bun.sleep(1000);
-          if (!existsSync2(timelinePath))
+          if (!existsSync3(timelinePath))
             continue;
-          const next = readFileSync2(timelinePath, "utf8");
+          const next = readFileSync3(timelinePath, "utf8");
           if (next.length <= lastLength)
             continue;
           const delta = next.slice(lastLength);
@@ -707,6 +737,20 @@ async function executeRun(context, args) {
       }
       return { ok: true, group: "run", command, details: resumed };
     }
+    case "restart": {
+      requireNoExtraArgs(rest, "bun run rig run restart");
+      if (context.dryRun) {
+        if (context.outputMode === "text") {
+          console.log("[dry-run] rig run restart");
+        }
+        return { ok: true, group: "run", command };
+      }
+      const restarted = await runRestart(context.projectRoot, runtimeContext);
+      if (context.outputMode === "text") {
+        console.log(`Restarted run: ${restarted.runId}`);
+      }
+      return { ok: true, group: "run", command, details: restarted };
+    }
     case "stop": {
       const runOption = takeOption(rest, "--run");
       const positionalRunId = runOption.rest.length > 0 ? runOption.rest[0] : undefined;