@h-rig/cli 0.0.6-alpha.3 → 0.0.6-alpha.30

package/dist/src/commands/_policy.js

@@ -7,8 +7,6 @@ import { resolve } from "path";
 import { EventBus } from "@rig/runtime/control-plane/runtime/events";
 import { CliError } from "@rig/runtime/control-plane/errors";
 import { evaluate, loadPolicy, resolveAction } from "@rig/runtime/control-plane/runtime/guard";
-import { PluginManager } from "@rig/runtime/control-plane/runtime/plugins";
-import { loadRuntimeContextFromEnv } from "@rig/runtime/control-plane/runtime/context";
 import { buildBinary } from "@rig/runtime/control-plane/runtime/isolation";
 import { CliError as CliError2 } from "@rig/runtime/control-plane/errors";
 function formatCommand(parts) {

package/dist/src/commands/_preflight.js

@@ -3,8 +3,6 @@
 import { EventBus } from "@rig/runtime/control-plane/runtime/events";
 import { CliError } from "@rig/runtime/control-plane/errors";
 import { evaluate, loadPolicy, resolveAction } from "@rig/runtime/control-plane/runtime/guard";
-import { PluginManager } from "@rig/runtime/control-plane/runtime/plugins";
-import { loadRuntimeContextFromEnv } from "@rig/runtime/control-plane/runtime/context";
 import { buildBinary } from "@rig/runtime/control-plane/runtime/isolation";
 import { CliError as CliError2 } from "@rig/runtime/control-plane/errors";
 
@@ -88,17 +86,16 @@ function resolveSelectedConnection(projectRoot, options = {}) {
   const global = readGlobalConnections(options);
   const connection = global.connections[repo.selected];
   if (!connection) {
-    throw new CliError2(`Selected Rig connection "${repo.selected}" was not found. Run \`rig connect list\` or \`rig connect use local\`.`, 1);
+    throw new CliError2(`Selected Rig server "${repo.selected}" was not found. Run \`rig server list\` or \`rig server use local\`.`, 1);
   }
   return { alias: repo.selected, connection };
 }
 
 // packages/cli/src/commands/_server-client.ts
-import { spawnSync } from "child_process";
 import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
 import { resolve as resolve2 } from "path";
 import { ensureLocalRigServerConnection } from "@rig/runtime/local-server";
-var cachedGitHubBearerToken;
+var scopedGitHubBearerTokens = new Map;
 function cleanToken(value) {
   const trimmed = value?.trim();
   return trimmed ? trimmed : null;
@@ -115,25 +112,13 @@ function readPrivateRemoteSessionToken(projectRoot) {
   }
 }
 function readGitHubBearerTokenForRemote(projectRoot) {
-  if (cachedGitHubBearerToken !== undefined)
-    return cachedGitHubBearerToken;
+  const scopedKey = resolve2(projectRoot);
+  if (scopedGitHubBearerTokens.has(scopedKey))
+    return scopedGitHubBearerTokens.get(scopedKey) ?? null;
   const privateSession = readPrivateRemoteSessionToken(projectRoot);
-  if (privateSession) {
-    cachedGitHubBearerToken = privateSession;
-    return cachedGitHubBearerToken;
-  }
-  const envToken = cleanToken(process.env.RIG_GITHUB_TOKEN) ?? cleanToken(process.env.GITHUB_TOKEN) ?? cleanToken(process.env.GH_TOKEN);
-  if (envToken) {
-    cachedGitHubBearerToken = envToken;
-    return cachedGitHubBearerToken;
-  }
-  const result = spawnSync("gh", ["auth", "token"], {
-    encoding: "utf8",
-    timeout: 5000,
-    stdio: ["ignore", "pipe", "ignore"]
-  });
-  cachedGitHubBearerToken = result.status === 0 ? cleanToken(result.stdout) : null;
-  return cachedGitHubBearerToken;
+  if (privateSession)
+    return privateSession;
+  return cleanToken(process.env.RIG_SERVER_AUTH_TOKEN) ?? cleanToken(process.env.RIG_REMOTE_AUTH_TOKEN);
 }
 async function ensureServerForCli(projectRoot) {
   try {
@@ -202,78 +187,6 @@ async function requestServerJson(context, pathname, init = {}) {
   return payload;
 }
 
-// packages/cli/src/commands/_pi-install.ts
-import { existsSync as existsSync3, readFileSync as readFileSync3, rmSync } from "fs";
-import { homedir as homedir2 } from "os";
-import { resolve as resolve3 } from "path";
-var PI_RIG_PACKAGE_NAME = "@rig/pi-rig";
-async function defaultCommandRunner(command, options = {}) {
-  const proc = Bun.spawn(command, { cwd: options.cwd, stdout: "pipe", stderr: "pipe" });
-  const [stdout, stderr, exitCode] = await Promise.all([
-    new Response(proc.stdout).text(),
-    new Response(proc.stderr).text(),
-    proc.exited
-  ]);
-  return { exitCode, stdout, stderr };
-}
-function resolvePiRigExtensionPath(homeDir) {
-  return resolve3(homeDir, ".pi", "agent", "extensions", "pi-rig");
-}
-function resolvePiHomeDir(inputHomeDir) {
-  return inputHomeDir ?? process.env.RIG_PI_HOME_DIR?.trim() ?? homedir2();
-}
-function piListContainsPiRig(output) {
-  return output.split(/\r?\n/).some((line) => {
-    const normalized = line.trim();
-    return normalized.includes(PI_RIG_PACKAGE_NAME) || /(?:^|[\\/])packages[\\/]pi-rig(?:$|\s)/.test(normalized);
-  });
-}
-async function safeRun(runner, command, options) {
-  try {
-    return await runner(command, options);
-  } catch (error) {
-    return { exitCode: 1, stdout: "", stderr: error instanceof Error ? error.message : String(error) };
-  }
-}
-async function checkPiRigInstall(input = {}) {
-  const home = resolvePiHomeDir(input.homeDir);
-  const extensionPath = resolvePiRigExtensionPath(home);
-  if (process.env.RIG_TEST_FAKE_PI_INSTALL === "1") {
-    return {
-      extensionPath,
-      pi: { ok: true, label: "pi", detail: "fake-pi" },
-      piRig: { ok: true, label: "pi-rig global extension", detail: extensionPath }
-    };
-  }
-  const exists = input.exists ?? existsSync3;
-  const runner = input.commandRunner ?? defaultCommandRunner;
-  const piResult = await safeRun(runner, ["pi", "--version"]);
-  const piListResult = piResult.exitCode === 0 ? await safeRun(runner, ["pi", "list"]) : { exitCode: 1, stdout: "", stderr: "" };
-  const listedPiRig = piListResult.exitCode === 0 && piListContainsPiRig(`${piListResult.stdout}
-${piListResult.stderr}`);
-  const legacyBridge = exists(resolve3(extensionPath, "index.ts"));
-  const hasPiRig = listedPiRig;
-  return {
-    extensionPath,
-    pi: {
-      ok: piResult.exitCode === 0,
-      label: "pi",
-      detail: (piResult.stdout || piResult.stderr).trim() || undefined,
-      hint: piResult.exitCode === 0 ? undefined : "Install Pi or run `rig init --yes` to install/update the Pi runtime."
-    },
-    piRig: {
-      ok: hasPiRig,
-      label: "pi-rig global extension",
-      detail: hasPiRig ? piListResult.stdout.trim() || PI_RIG_PACKAGE_NAME : legacyBridge ? `${extensionPath} (legacy bridge; reinstall required)` : undefined,
-      hint: hasPiRig ? undefined : "Run `rig init --yes` to install/enable the global pi-rig package with `pi install`."
-    }
-  };
-}
-async function buildPiSetupChecks(input = {}) {
-  const status = await checkPiRigInstall(input);
-  return [status.pi, status.piRig];
-}
-
 // packages/cli/src/commands/_preflight.ts
 function preflightCheck(id, label, status, detail, remediation) {
   return {
@@ -329,6 +242,9 @@ function permissionAllowsPr(payload) {
   }
   return null;
 }
+function isNotFoundError(error) {
+  return /\b(404|not found)\b/i.test(message(error));
+}
 function projectCheckoutReady(payload) {
   if (!payload || typeof payload !== "object" || Array.isArray(payload))
     return null;
@@ -361,19 +277,33 @@ async function runFastTaskRunPreflight(context, options = {}) {
   const checks = [];
   const request = options.requestJson ?? ((pathname, init) => requestServerJson(context, pathname, init));
   const taskId = options.taskId?.trim() || null;
+  const requiresCurrentRunApi = Boolean(taskId);
+  const selectedServer = options.requestJson ? null : await ensureServerForCli(context.projectRoot).catch(() => null);
+  const allowLocalLegacyTaskRunCompatibility = selectedServer?.connectionKind === "local";
+  let legacyServerCompatibility = false;
   try {
     await request("/api/server/status");
     checks.push(preflightCheck("server", "Rig server reachable", "pass"));
   } catch (error) {
-    checks.push(preflightCheck("server", "Rig server reachable", "fail", message(error), "Start or select a reachable Rig server."));
+    if (isNotFoundError(error)) {
+      try {
+        await request("/health");
+        legacyServerCompatibility = !requiresCurrentRunApi || allowLocalLegacyTaskRunCompatibility;
+        checks.push(requiresCurrentRunApi && !allowLocalLegacyTaskRunCompatibility ? preflightCheck("server", "Rig server reachable", "fail", "legacy /health endpoint only; current task-run APIs are required", "Upgrade/select the Rig server before launching a task run.") : preflightCheck("server", "Rig server reachable", "pass", allowLocalLegacyTaskRunCompatibility ? "local legacy /health endpoint; submit endpoint will be authoritative" : "legacy /health endpoint"));
+      } catch (healthError) {
+        checks.push(preflightCheck("server", "Rig server reachable", "fail", message(healthError), "Start or select a reachable Rig server."));
+      }
+    } else {
+      checks.push(preflightCheck("server", "Rig server reachable", "fail", message(error), "Start or select a reachable Rig server."));
+    }
   }
   const repo = readRepoConnection(context.projectRoot);
-  checks.push(repo ? preflightCheck("project-link", "project linked to Rig connection", repo.project ? "pass" : "warn", `${repo.selected}${repo.project ? ` -> ${repo.project}` : ""}`, "Run `rig init --yes --repo owner/repo` to record the GitHub repo slug.") : preflightCheck("project-link", "project linked to Rig connection", "fail", "missing .rig/state/connection.json", "Run `rig init` or `rig connect use <alias|local>`."));
+  checks.push(repo ? preflightCheck("project-link", "project linked to Rig server", repo.project ? "pass" : "warn", `${repo.selected}${repo.project ? ` -> ${repo.project}` : ""}`, "Run `rig init --yes --repo owner/repo` to record the GitHub repo slug.") : preflightCheck("project-link", "project linked to Rig server", legacyServerCompatibility ? "warn" : "fail", "missing .rig/state/connection.json", "Run `rig init` or `rig server use <alias|local>`."));
   try {
     const auth = await request("/api/github/auth/status");
-    checks.push(isAuthenticated(auth) ? preflightCheck("github-auth", "GitHub auth valid", "pass") : preflightCheck("github-auth", "GitHub auth valid", "fail", "not authenticated", "Run `rig github auth import-gh` or `rig github auth token --token <token>`."));
+    checks.push(isAuthenticated(auth) ? preflightCheck("github-auth", "GitHub auth valid", "pass") : preflightCheck("github-auth", "GitHub auth valid", legacyServerCompatibility ? "warn" : "fail", "not authenticated", "Run `rig github auth import-gh` or `rig github auth token --token <token>`."));
   } catch (error) {
-    checks.push(preflightCheck("github-auth", "GitHub auth valid", "fail", message(error), "Fix GitHub auth on the selected Rig server."));
+    checks.push(preflightCheck("github-auth", "GitHub auth valid", legacyServerCompatibility ? "warn" : "fail", message(error), "Fix GitHub auth on the selected Rig server."));
   }
   try {
     const projection = await request("/api/workspace/task-projection");
@@ -401,9 +331,9 @@ async function runFastTaskRunPreflight(context, options = {}) {
     try {
       const tasks = await request(`/api/workspace/tasks?limit=200&refresh=1`);
       const found = Array.isArray(tasks) && tasks.some((task) => taskMatchesId(task, taskId));
-      checks.push(found ? preflightCheck("issue", "task/issue accessible", "pass", taskId) : preflightCheck("issue", "task/issue accessible", "fail", taskId, "Confirm the issue exists and matches the configured task filters."));
+      checks.push(found ? preflightCheck("issue", "task/issue accessible", "pass", taskId) : preflightCheck("issue", "task/issue accessible", legacyServerCompatibility ? "warn" : "fail", taskId, "Confirm the issue exists and matches the configured task filters."));
     } catch (error) {
-      checks.push(preflightCheck("issue", "task/issue accessible", "fail", message(error), "Fix the task source before launching a run."));
+      checks.push(preflightCheck("issue", "task/issue accessible", legacyServerCompatibility ? "warn" : "fail", message(error), "Fix the task source before launching a run."));
     }
     try {
       const runs = await request("/api/runs?limit=200");
@@ -414,14 +344,7 @@ async function runFastTaskRunPreflight(context, options = {}) {
     }
   }
   if ((options.runtimeAdapter ?? "pi") === "pi") {
-    const piChecks = await (options.piChecks ?? (() => buildPiSetupChecks()))().catch((error) => [{
-      ok: false,
-      label: "pi/pi-rig checks",
-      hint: message(error)
-    }]);
-    for (const pi of piChecks) {
-      checks.push(preflightCheck(pi.label === "pi" ? "pi" : "pi-rig", pi.label, pi.ok ? "pass" : "fail", pi.detail, pi.hint ?? (pi.ok ? undefined : "Run `rig init --yes` to install/update Pi and enable pi-rig.")));
-    }
+    checks.push(preflightCheck("runtime", "worker Pi SDK session daemon", "pass", selectedServer?.connectionKind === "remote" ? "remote worker-owned runtime" : "bundled server-owned runtime"));
   } else {
     checks.push(preflightCheck("runtime", "runtime adapter", "pass", options.runtimeAdapter));
   }

package/dist/src/commands/_run-driver-helpers.js

@@ -7,8 +7,6 @@ import { resolve as resolve3 } from "path";
 import { EventBus } from "@rig/runtime/control-plane/runtime/events";
 import { CliError } from "@rig/runtime/control-plane/errors";
 import { evaluate, loadPolicy, resolveAction } from "@rig/runtime/control-plane/runtime/guard";
-import { PluginManager } from "@rig/runtime/control-plane/runtime/plugins";
-import { loadRuntimeContextFromEnv } from "@rig/runtime/control-plane/runtime/context";
 import { buildBinary } from "@rig/runtime/control-plane/runtime/isolation";
 import { CliError as CliError2 } from "@rig/runtime/control-plane/errors";
 

package/dist/src/commands/_server-client.js

@@ -1,6 +1,5 @@
 // @bun
 // packages/cli/src/commands/_server-client.ts
-import { spawnSync } from "child_process";
 import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
 import { resolve as resolve2 } from "path";
 
@@ -8,8 +7,6 @@ import { resolve as resolve2 } from "path";
 import { EventBus } from "@rig/runtime/control-plane/runtime/events";
 import { CliError } from "@rig/runtime/control-plane/errors";
 import { evaluate, loadPolicy, resolveAction } from "@rig/runtime/control-plane/runtime/guard";
-import { PluginManager } from "@rig/runtime/control-plane/runtime/plugins";
-import { loadRuntimeContextFromEnv } from "@rig/runtime/control-plane/runtime/context";
 import { buildBinary } from "@rig/runtime/control-plane/runtime/isolation";
 import { CliError as CliError2 } from "@rig/runtime/control-plane/errors";
 
@@ -93,19 +90,20 @@ function resolveSelectedConnection(projectRoot, options = {}) {
   const global = readGlobalConnections(options);
   const connection = global.connections[repo.selected];
   if (!connection) {
-    throw new CliError2(`Selected Rig connection "${repo.selected}" was not found. Run \`rig connect list\` or \`rig connect use local\`.`, 1);
+    throw new CliError2(`Selected Rig server "${repo.selected}" was not found. Run \`rig server list\` or \`rig server use local\`.`, 1);
   }
   return { alias: repo.selected, connection };
 }
 
 // packages/cli/src/commands/_server-client.ts
-var cachedGitHubBearerToken;
+var scopedGitHubBearerTokens = new Map;
 function cleanToken(value) {
   const trimmed = value?.trim();
   return trimmed ? trimmed : null;
 }
-function setGitHubBearerTokenForCurrentProcess(token) {
-  cachedGitHubBearerToken = cleanToken(token ?? undefined);
+function setGitHubBearerTokenForCurrentProcess(token, projectRoot) {
+  const scopedKey = resolve2(projectRoot ?? process.cwd());
+  scopedGitHubBearerTokens.set(scopedKey, cleanToken(token ?? undefined));
 }
 function readPrivateRemoteSessionToken(projectRoot) {
   const path = resolve2(projectRoot, ".rig", "state", "github-auth.json");
@@ -119,25 +117,13 @@ function readPrivateRemoteSessionToken(projectRoot) {
   }
 }
 function readGitHubBearerTokenForRemote(projectRoot) {
-  if (cachedGitHubBearerToken !== undefined)
-    return cachedGitHubBearerToken;
+  const scopedKey = resolve2(projectRoot);
+  if (scopedGitHubBearerTokens.has(scopedKey))
+    return scopedGitHubBearerTokens.get(scopedKey) ?? null;
   const privateSession = readPrivateRemoteSessionToken(projectRoot);
-  if (privateSession) {
-    cachedGitHubBearerToken = privateSession;
-    return cachedGitHubBearerToken;
-  }
-  const envToken = cleanToken(process.env.RIG_GITHUB_TOKEN) ?? cleanToken(process.env.GITHUB_TOKEN) ?? cleanToken(process.env.GH_TOKEN);
-  if (envToken) {
-    cachedGitHubBearerToken = envToken;
-    return cachedGitHubBearerToken;
-  }
-  const result = spawnSync("gh", ["auth", "token"], {
-    encoding: "utf8",
-    timeout: 5000,
-    stdio: ["ignore", "pipe", "ignore"]
-  });
-  cachedGitHubBearerToken = result.status === 0 ? cleanToken(result.stdout) : null;
-  return cachedGitHubBearerToken;
+  if (privateSession)
+    return privateSession;
+  return cleanToken(process.env.RIG_SERVER_AUTH_TOKEN) ?? cleanToken(process.env.RIG_REMOTE_AUTH_TOKEN);
 }
 async function ensureServerForCli(projectRoot) {
   try {
@@ -275,16 +261,36 @@ async function registerProjectViaServer(context, input) {
 function sleep(ms) {
   return new Promise((resolve3) => setTimeout(resolve3, ms));
 }
+function isRetryableProjectRootSwitchError(error) {
+  if (!(error instanceof Error))
+    return false;
+  const message = error.message.toLowerCase();
+  return message.includes("rig server request failed (401): auth-required") || message.includes("rig server request failed (401): github-token-required") || message.includes("rig server request failed (502)") || message.includes("rig server request failed (503)") || message.includes("bad gateway") || message.includes("fetch failed") || message.includes("econnrefused") || message.includes("connection refused");
+}
 async function switchServerProjectRootViaServer(context, projectRoot, options = {}) {
-  const switched = await requestServerJson(context, "/api/server/project-root", {
-    method: "POST",
-    headers: { "content-type": "application/json" },
-    body: JSON.stringify({ projectRoot })
-  });
   const timeoutMs = options.timeoutMs ?? 30000;
   const pollMs = options.pollMs ?? 1000;
   const deadline = Date.now() + timeoutMs;
   let lastError;
+  let switched = null;
+  while (Date.now() < deadline) {
+    try {
+      switched = await requestServerJson(context, "/api/server/project-root", {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ projectRoot })
+      });
+      break;
+    } catch (error) {
+      lastError = error;
+      if (!isRetryableProjectRootSwitchError(error))
+        throw error;
+      await sleep(pollMs);
+    }
+  }
+  if (!switched) {
+    throw new CliError2(`Rig server did not accept project-root switch to ${projectRoot} before timeout (${lastError instanceof Error ? lastError.message : String(lastError ?? "no response")}).`, 1);
+  }
   while (Date.now() < deadline) {
     try {
       const status = await requestServerJson(context, "/api/server/status");
@@ -302,6 +308,14 @@ async function switchServerProjectRootViaServer(context, projectRoot, options =
   }
   throw new CliError2(`Rig server did not switch to ${projectRoot} before timeout (${lastError instanceof Error ? lastError.message : String(lastError ?? "no status")}).`, 1);
 }
+async function listRunsViaServer(context, options = {}) {
+  const url = new URL("http://rig.local/api/runs");
+  if (options.limit !== undefined)
+    url.searchParams.set("limit", String(options.limit));
+  const payload = await requestServerJson(context, `${url.pathname}${url.search}`);
+  const runs = Array.isArray(payload) ? payload : payload && typeof payload === "object" && !Array.isArray(payload) && Array.isArray(payload.runs) ? payload.runs : [];
+  return runs.filter((entry) => Boolean(entry && typeof entry === "object" && !Array.isArray(entry)));
+}
 async function getRunDetailsViaServer(context, runId) {
   const payload = await requestServerJson(context, `/api/runs/${encodeURIComponent(runId)}`);
   return payload && typeof payload === "object" && !Array.isArray(payload) ? payload : {};
@@ -315,6 +329,37 @@ async function getRunLogsViaServer(context, runId, options = {}) {
   const payload = await requestServerJson(context, `${url.pathname}${url.search}`);
   return payload && typeof payload === "object" && !Array.isArray(payload) ? payload : { entries: [] };
 }
+async function getRunTimelineViaServer(context, runId, options = {}) {
+  const url = new URL(`http://rig.local/api/runs/${encodeURIComponent(runId)}/timeline`);
+  if (options.limit !== undefined)
+    url.searchParams.set("limit", String(options.limit));
+  if (options.cursor)
+    url.searchParams.set("cursor", options.cursor);
+  const payload = await requestServerJson(context, `${url.pathname}${url.search}`);
+  return payload && typeof payload === "object" && !Array.isArray(payload) ? payload : { entries: [] };
+}
+async function ensureTaskLabelsViaServer(context) {
+  const payload = await requestServerJson(context, "/api/workspace/task-labels", { method: "POST" });
+  return payload && typeof payload === "object" && !Array.isArray(payload) ? payload : {};
+}
+async function listGitHubProjectsViaServer(context, owner) {
+  const url = new URL("http://rig.local/api/github/projects");
+  url.searchParams.set("owner", owner);
+  const payload = await requestServerJson(context, `${url.pathname}${url.search}`);
+  return payload && typeof payload === "object" && !Array.isArray(payload) ? payload : { projects: [] };
+}
+async function getGitHubProjectStatusFieldViaServer(context, projectId) {
+  const payload = await requestServerJson(context, `/api/github/projects/${encodeURIComponent(projectId)}/status-field`);
+  return payload && typeof payload === "object" && !Array.isArray(payload) ? payload : {};
+}
+async function updateWorkspaceTaskViaServer(context, input) {
+  const payload = await requestServerJson(context, "/api/tasks/update", {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify(input)
+  });
+  return payload && typeof payload === "object" && !Array.isArray(payload) ? payload : { ok: true };
+}
 async function stopRunViaServer(context, runId) {
   const payload = await requestServerJson(context, "/api/runs/stop", {
     method: "POST",
@@ -331,6 +376,74 @@ async function steerRunViaServer(context, runId, message) {
   });
   return payload && typeof payload === "object" && !Array.isArray(payload) ? payload : { ok: true };
 }
+async function getRunPiSessionViaServer(context, runId) {
+  const payload = await requestServerJson(context, `/api/runs/${encodeURIComponent(runId)}/pi`);
+  return payload && typeof payload === "object" && !Array.isArray(payload) ? payload : {};
+}
+async function getRunPiMessagesViaServer(context, runId) {
+  const payload = await requestServerJson(context, `/api/runs/${encodeURIComponent(runId)}/pi/messages`);
+  return payload && typeof payload === "object" && !Array.isArray(payload) ? payload : { messages: [] };
+}
+async function getRunPiStatusViaServer(context, runId) {
+  const payload = await requestServerJson(context, `/api/runs/${encodeURIComponent(runId)}/pi/status`);
+  return payload && typeof payload === "object" && !Array.isArray(payload) ? payload : {};
+}
+async function getRunPiCommandsViaServer(context, runId) {
+  const payload = await requestServerJson(context, `/api/runs/${encodeURIComponent(runId)}/pi/commands`);
+  return payload && typeof payload === "object" && !Array.isArray(payload) ? payload : { commands: [] };
+}
+async function sendRunPiPromptViaServer(context, runId, text, streamingBehavior) {
+  const payload = await requestServerJson(context, `/api/runs/${encodeURIComponent(runId)}/pi/prompt`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({ text, streamingBehavior })
+  });
+  return payload && typeof payload === "object" && !Array.isArray(payload) ? payload : { accepted: true };
+}
+async function sendRunPiShellViaServer(context, runId, text) {
+  const payload = await requestServerJson(context, `/api/runs/${encodeURIComponent(runId)}/pi/shell`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({ text })
+  });
+  return payload && typeof payload === "object" && !Array.isArray(payload) ? payload : { accepted: true };
+}
+async function runRunPiCommandViaServer(context, runId, text) {
+  const payload = await requestServerJson(context, `/api/runs/${encodeURIComponent(runId)}/pi/commands/run`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({ text })
+  });
+  return payload && typeof payload === "object" && !Array.isArray(payload) ? payload : { type: "done" };
+}
+async function respondRunPiCommandViaServer(context, runId, requestId, value) {
+  const payload = await requestServerJson(context, `/api/runs/${encodeURIComponent(runId)}/pi/commands/respond`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({ requestId, value })
+  });
+  return payload && typeof payload === "object" && !Array.isArray(payload) ? payload : { type: "done" };
+}
+async function respondRunPiExtensionUiViaServer(context, runId, requestId, valueOrCancel) {
+  const payload = await requestServerJson(context, `/api/runs/${encodeURIComponent(runId)}/pi/extension-ui/respond`, {
+    method: "POST",
+    headers: { "content-type": "application/json" },
+    body: JSON.stringify({ requestId, ...valueOrCancel })
+  });
+  return payload && typeof payload === "object" && !Array.isArray(payload) ? payload : { accepted: true };
+}
+async function abortRunPiViaServer(context, runId) {
+  const payload = await requestServerJson(context, `/api/runs/${encodeURIComponent(runId)}/pi/abort`, { method: "POST" });
+  return payload && typeof payload === "object" && !Array.isArray(payload) ? payload : { aborted: true };
+}
+async function buildRunPiEventsWebSocketUrl(context, runId) {
+  const server = await ensureServerForCli(context.projectRoot);
+  const url = new URL(`${server.baseUrl.replace(/\/+$/, "")}/api/runs/${encodeURIComponent(runId)}/pi/events`);
+  url.protocol = url.protocol === "https:" ? "wss:" : "ws:";
+  if (server.authToken)
+    url.searchParams.set("token", server.authToken);
+  return url.toString();
+}
 async function submitTaskRunViaServer(context, input) {
   const isTaskRun = Boolean(input.taskId);
   const endpoint = isTaskRun ? "/api/runs/task" : "/api/runs/adhoc";
@@ -363,20 +476,37 @@ async function submitTaskRunViaServer(context, input) {
   return { runId };
 }
 export {
+  updateWorkspaceTaskViaServer,
   switchServerProjectRootViaServer,
   submitTaskRunViaServer,
   stopRunViaServer,
   steerRunViaServer,
   setGitHubBearerTokenForCurrentProcess,
+  sendRunPiShellViaServer,
+  sendRunPiPromptViaServer,
   selectNextWorkspaceTaskViaServer,
+  runRunPiCommandViaServer,
+  respondRunPiExtensionUiViaServer,
+  respondRunPiCommandViaServer,
   requestServerJson,
   registerProjectViaServer,
   prepareRemoteCheckoutViaServer,
   postGitHubTokenViaServer,
   listWorkspaceTasksViaServer,
+  listRunsViaServer,
+  listGitHubProjectsViaServer,
   getWorkspaceTaskViaServer,
+  getRunTimelineViaServer,
+  getRunPiStatusViaServer,
+  getRunPiSessionViaServer,
+  getRunPiMessagesViaServer,
+  getRunPiCommandsViaServer,
   getRunLogsViaServer,
   getRunDetailsViaServer,
+  getGitHubProjectStatusFieldViaServer,
   getGitHubAuthStatusViaServer,
-  ensureServerForCli
+  ensureTaskLabelsViaServer,
+  ensureServerForCli,
+  buildRunPiEventsWebSocketUrl,
+  abortRunPiViaServer
 };

package/dist/src/commands/_snapshot-upload.js

@@ -4,7 +4,6 @@ import { mkdir, readdir, readFile, writeFile } from "fs/promises";
 import { dirname as dirname2, resolve as resolve3, relative, sep } from "path";
 
 // packages/cli/src/commands/_server-client.ts
-import { spawnSync } from "child_process";
 import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
 import { resolve as resolve2 } from "path";
 
@@ -12,8 +11,6 @@ import { resolve as resolve2 } from "path";
 import { EventBus } from "@rig/runtime/control-plane/runtime/events";
 import { CliError } from "@rig/runtime/control-plane/errors";
 import { evaluate, loadPolicy, resolveAction } from "@rig/runtime/control-plane/runtime/guard";
-import { PluginManager } from "@rig/runtime/control-plane/runtime/plugins";
-import { loadRuntimeContextFromEnv } from "@rig/runtime/control-plane/runtime/context";
 import { buildBinary } from "@rig/runtime/control-plane/runtime/isolation";
 import { CliError as CliError2 } from "@rig/runtime/control-plane/errors";
 
@@ -97,13 +94,13 @@ function resolveSelectedConnection(projectRoot, options = {}) {
   const global = readGlobalConnections(options);
   const connection = global.connections[repo.selected];
   if (!connection) {
-    throw new CliError2(`Selected Rig connection "${repo.selected}" was not found. Run \`rig connect list\` or \`rig connect use local\`.`, 1);
+    throw new CliError2(`Selected Rig server "${repo.selected}" was not found. Run \`rig server list\` or \`rig server use local\`.`, 1);
   }
   return { alias: repo.selected, connection };
 }
 
 // packages/cli/src/commands/_server-client.ts
-var cachedGitHubBearerToken;
+var scopedGitHubBearerTokens = new Map;
 function cleanToken(value) {
   const trimmed = value?.trim();
   return trimmed ? trimmed : null;
@@ -120,25 +117,13 @@ function readPrivateRemoteSessionToken(projectRoot) {
   }
 }
 function readGitHubBearerTokenForRemote(projectRoot) {
-  if (cachedGitHubBearerToken !== undefined)
-    return cachedGitHubBearerToken;
+  const scopedKey = resolve2(projectRoot);
+  if (scopedGitHubBearerTokens.has(scopedKey))
+    return scopedGitHubBearerTokens.get(scopedKey) ?? null;
   const privateSession = readPrivateRemoteSessionToken(projectRoot);
-  if (privateSession) {
-    cachedGitHubBearerToken = privateSession;
-    return cachedGitHubBearerToken;
-  }
-  const envToken = cleanToken(process.env.RIG_GITHUB_TOKEN) ?? cleanToken(process.env.GITHUB_TOKEN) ?? cleanToken(process.env.GH_TOKEN);
-  if (envToken) {
-    cachedGitHubBearerToken = envToken;
-    return cachedGitHubBearerToken;
-  }
-  const result = spawnSync("gh", ["auth", "token"], {
-    encoding: "utf8",
-    timeout: 5000,
-    stdio: ["ignore", "pipe", "ignore"]
-  });
-  cachedGitHubBearerToken = result.status === 0 ? cleanToken(result.stdout) : null;
-  return cachedGitHubBearerToken;
+  if (privateSession)
+    return privateSession;
+  return cleanToken(process.env.RIG_SERVER_AUTH_TOKEN) ?? cleanToken(process.env.RIG_REMOTE_AUTH_TOKEN);
 }
 async function ensureServerForCli(projectRoot) {
   try {