@h-rig/github-provider-plugin 0.0.6-alpha.156 → 0.0.6-alpha.158

package/dist/src/plugin.js

@@ -15,59 +15,812 @@ var __export = (target, all) => {
 };
 var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
 
-// packages/github-provider-plugin/src/credentials.ts
-function selectedRepoTokenKey(input) {
-  return `user:${input.userId}|repo:${input.owner}/${input.repo}|workspace:${input.workspaceId}`;
+// packages/github-provider-plugin/src/issue-analysis.ts
+import { createHash } from "crypto";
+function stableIssueHash(issue) {
+  const labels = Array.isArray(issue.labels) ? [...issue.labels].map(String).sort() : [];
+  const body = typeof issue.body === "string" ? issue.body : "";
+  const title = typeof issue.title === "string" ? issue.title : "";
+  return createHash("sha256").update(JSON.stringify({ id: issue.id, title, body, labels, deps: issue.deps, status: issue.status })).digest("hex");
 }
-function cleanToken(value) {
-  const trimmed = value?.trim() ?? "";
-  return trimmed.length > 0 ? trimmed : null;
+function renderIssueAnalysisPrompt(input) {
+  const issue = input.issue;
+  const neighbors = input.neighbors ?? [];
+  return [
+    "You are Rig issue analysis running inside Pi.",
+    "Return JSON only with optional metadataPatch, labelsToAdd, labelsToRemove, and generatedIssues; analyze backlog dependencies, children, readiness, size, risk, and planning.",
+    "Preserve all human-authored issue body content. Only propose edits for Rig-owned metadata/status sections, labels, and generated issues.",
+    "Generated issues must be concrete, minimal follow-up tasks and will be labeled rig:generated by Rig.",
+    "",
+    "Issue:",
+    JSON.stringify({
+      id: issue.id,
+      title: issue.title,
+      body: issue.body,
+      labels: issue.labels,
+      deps: issue.deps,
+      status: issue.status
+    }, null, 2),
+    "",
+    "Neighbor tasks:",
+    JSON.stringify(neighbors.map((task) => ({ id: task.id, title: task.title, status: task.status, deps: task.deps })), null, 2)
+  ].join(`
+`);
 }
-function createGitHubCredentialProvider(options = {}) {
-  const sessionTokens = options.sessionTokens ?? {};
-  const hostToken = cleanToken(options.hostToken ?? process.env.GH_TOKEN ?? null);
+function isRecord(value) {
+  return Boolean(value && typeof value === "object" && !Array.isArray(value));
+}
+function stringArray(value) {
+  if (!Array.isArray(value))
+    return;
+  return value.map(String).filter((entry) => entry.trim().length > 0);
+}
+function generatedIssues(value) {
+  if (!Array.isArray(value))
+    return;
+  return value.flatMap((entry) => {
+    if (!isRecord(entry) || typeof entry.title !== "string")
+      return [];
+    return [{
+      title: entry.title,
+      body: typeof entry.body === "string" ? entry.body : "",
+      labels: stringArray(entry.labels) ?? [],
+      ...Array.isArray(entry.dependsOn) ? { dependsOn: entry.dependsOn.map(String) } : {}
+    }];
+  });
+}
+function findJsonLikeText(value) {
+  if (typeof value === "string") {
+    const trimmed = value.trim();
+    if (trimmed.startsWith("{") || trimmed.startsWith("```"))
+      return trimmed;
+    return null;
+  }
+  if (Array.isArray(value)) {
+    for (const entry of value) {
+      const found = findJsonLikeText(entry);
+      if (found)
+        return found;
+    }
+    return null;
+  }
+  if (!isRecord(value))
+    return null;
+  for (const key of ["text", "content", "message", "output_text", "response", "stdout"]) {
+    const found = findJsonLikeText(value[key]);
+    if (found)
+      return found;
+  }
+  for (const entry of Object.values(value)) {
+    const found = findJsonLikeText(entry);
+    if (found)
+      return found;
+  }
+  return null;
+}
+function candidateAnalysisObject(value) {
+  if (!isRecord(value))
+    return null;
+  if (isRecord(value.result))
+    return candidateAnalysisObject(value.result) ?? value.result;
+  if (isRecord(value.analysis))
+    return candidateAnalysisObject(value.analysis) ?? value.analysis;
+  if (isRecord(value.metadataPatch) || Array.isArray(value.labelsToAdd) || Array.isArray(value.labelsToRemove) || Array.isArray(value.generatedIssues)) {
+    return value;
+  }
+  const nested = findJsonLikeText(value);
+  if (nested && nested !== JSON.stringify(value)) {
+    try {
+      const parsedNested = JSON.parse(nested.match(/```(?:json)?\s*([\s\S]*?)\s*```/i)?.[1]?.trim() ?? nested);
+      return candidateAnalysisObject(parsedNested);
+    } catch {
+      return null;
+    }
+  }
+  return null;
+}
+function parseIssueAnalysisResult(raw) {
+  let parsed = raw;
+  if (typeof raw === "string") {
+    const trimmed = raw.trim();
+    const fenced = trimmed.match(/```(?:json)?\s*([\s\S]*?)\s*```/i)?.[1]?.trim();
+    try {
+      parsed = JSON.parse(fenced ?? trimmed);
+    } catch {
+      const lastJsonLine = trimmed.split(/\r?\n/).reverse().find((line) => line.trim().startsWith("{"));
+      parsed = lastJsonLine ? JSON.parse(lastJsonLine) : {};
+    }
+  }
+  const candidate = candidateAnalysisObject(parsed);
+  if (!candidate)
+    return {};
+  const result = {};
+  if (isRecord(candidate.metadataPatch))
+    result.metadataPatch = candidate.metadataPatch;
+  const add = stringArray(candidate.labelsToAdd);
+  if (add?.length)
+    result.labelsToAdd = add;
+  const remove = stringArray(candidate.labelsToRemove);
+  if (remove?.length)
+    result.labelsToRemove = remove;
+  const generated = generatedIssues(candidate.generatedIssues);
+  if (generated?.length)
+    result.generatedIssues = generated;
+  return result;
+}
+function createDefaultPiIssueAnalysisCommandRunner() {
+  return async (command, args, options) => {
+    const env = options.env ? { ...process.env, ...options.env } : process.env;
+    const proc = Bun.spawn([command, ...args], {
+      stdout: "pipe",
+      stderr: "pipe",
+      env
+    });
+    let timedOut = false;
+    const timer = setTimeout(() => {
+      timedOut = true;
+      proc.kill();
+    }, options.timeoutMs);
+    try {
+      const [stdout, stderr, exitCode] = await Promise.all([
+        new Response(proc.stdout).text(),
+        new Response(proc.stderr).text(),
+        proc.exited
+      ]);
+      return {
+        exitCode: timedOut && exitCode === 0 ? 1 : exitCode,
+        stdout,
+        stderr: timedOut && stderr.trim().length === 0 ? `Pi issue analysis timed out after ${options.timeoutMs}ms` : stderr
+      };
+    } finally {
+      clearTimeout(timer);
+    }
+  };
+}
+function createPiIssueAnalyzer(input = {}) {
+  const piBinary = input.piBinary ?? process.env.RIG_ISSUE_ANALYSIS_PI_BINARY ?? "pi";
+  const timeoutMs = Math.max(1000, Math.trunc(input.timeoutMs ?? Number(process.env.RIG_ISSUE_ANALYSIS_TIMEOUT_MS ?? 120000)));
+  const runCommand = input.runCommand ?? createDefaultPiIssueAnalysisCommandRunner();
+  return async ({ prompt }) => {
+    const args = ["--print", "--mode", "json", "--no-session"];
+    const provider = input.provider?.trim() || process.env.RIG_ISSUE_ANALYSIS_PROVIDER?.trim() || process.env.RIG_PI_PROVIDER?.trim();
+    const model = input.model?.trim() || process.env.RIG_ISSUE_ANALYSIS_MODEL?.trim() || process.env.RIG_PI_MODEL?.trim() || "openai-codex/gpt-5.5";
+    if (provider)
+      args.push("--provider", provider);
+    if (model)
+      args.push("--model", model);
+    args.push(prompt);
+    const result = await runCommand(piBinary, args, { timeoutMs, ...input.env ? { env: input.env } : {} });
+    if (result.exitCode !== 0) {
+      throw new Error(`Pi issue analysis failed (exit ${result.exitCode}): ${result.stderr ?? result.stdout}`);
+    }
+    return parseIssueAnalysisResult(result.stdout);
+  };
+}
+function defaultStatusComment(input) {
+  const changes = [
+    input.result.metadataPatch ? "metadata" : null,
+    input.result.labelsToAdd?.length ? `labels added: ${input.result.labelsToAdd.join(", ")}` : null,
+    input.result.labelsToRemove?.length ? `labels removed: ${input.result.labelsToRemove.join(", ")}` : null,
+    input.result.generatedIssues?.length ? `generated issues: ${input.result.generatedIssues.length}` : null
+  ].filter((entry) => Boolean(entry));
+  if (changes.length === 0)
+    return null;
+  return [
+    "<!-- rig:status-comment -->",
+    "### Rig issue analysis",
+    "",
+    `Analyzed issue ${input.issue.id}${input.reason ? ` (${input.reason})` : ""}.`,
+    "",
+    ...changes.map((change) => `- ${change}`)
+  ].join(`
+`);
+}
+function uniqueLabels(labels, required = []) {
+  return [...new Set([...labels ?? [], ...required].map((label) => label.trim()).filter(Boolean))];
+}
+function createIssueAnalysisWriteBack(input) {
+  return async ({ issue, result, reason }) => {
+    if (result.metadataPatch && Object.keys(result.metadataPatch).length > 0) {
+      if (!input.target.updateTask)
+        throw new Error("Issue analysis writeback requires updateTask for metadata patches.");
+      await input.target.updateTask(issue.id, { metadata: result.metadataPatch });
+    }
+    if (result.labelsToAdd?.length) {
+      if (!input.target.addLabels)
+        throw new Error("Issue analysis writeback requires addLabels for labelsToAdd.");
+      await input.target.addLabels(issue.id, uniqueLabels(result.labelsToAdd));
+    }
+    if (result.labelsToRemove?.length) {
+      if (!input.target.removeLabels)
+        throw new Error("Issue analysis writeback requires removeLabels for labelsToRemove.");
+      await input.target.removeLabels(issue.id, uniqueLabels(result.labelsToRemove));
+    }
+    const comment = (input.buildStatusComment ?? defaultStatusComment)({ issue, result, ...reason !== undefined ? { reason } : {} });
+    if (comment?.trim()) {
+      if (!input.target.updateTask)
+        throw new Error("Issue analysis writeback requires updateTask for sticky status comments.");
+      await input.target.updateTask(issue.id, { comment });
+    }
+    for (const generated of result.generatedIssues ?? []) {
+      if (!input.target.createIssue)
+        throw new Error("Issue analysis writeback requires createIssue for generated issues.");
+      await input.target.createIssue({
+        title: generated.title,
+        body: generated.dependsOn?.length ? `${generated.body.trimEnd()}
+
+depends-on: ${generated.dependsOn.map((dep) => dep.startsWith("#") ? dep : `#${dep}`).join(", ")}
+` : generated.body,
+        labels: uniqueLabels(generated.labels, ["rig:generated"])
+      });
+    }
+  };
+}
+function sourceWithWriteBackCapabilities(source) {
+  const candidate = source;
+  if (typeof candidate.updateTask !== "function")
+    return null;
   return {
-    async resolveGitHubToken(input) {
-      const owner = input.owner.trim();
-      const repo = input.repo.trim();
-      const workspaceId = input.workspaceId.trim();
-      const userId = input.userId?.trim() ?? "";
-      if (input.purpose === "selected-repo") {
-        if (!owner || !repo || !workspaceId || !userId) {
-          throw new Error("No signed-in GitHub token is available for the selected repo; sign in to GitHub for this workspace.");
-        }
-        const token = cleanToken(sessionTokens[selectedRepoTokenKey({ owner, repo, workspaceId, userId })]);
-        if (!token) {
-          throw new Error("No signed-in GitHub token is available for the selected repo; sign in to GitHub for this workspace.");
+    ...typeof candidate.get === "function" ? { get: candidate.get.bind(candidate) } : {},
+    updateTask: candidate.updateTask.bind(candidate),
+    ...typeof candidate.addLabels === "function" ? { addLabels: candidate.addLabels.bind(candidate) } : {},
+    ...typeof candidate.removeLabels === "function" ? { removeLabels: candidate.removeLabels.bind(candidate) } : {},
+    ...typeof candidate.createIssue === "function" ? { createIssue: candidate.createIssue.bind(candidate) } : {}
+  };
+}
+function issueAnalysisEnabled(config) {
+  const issueAnalysis = config.issueAnalysis;
+  if (!issueAnalysis)
+    return false;
+  if (issueAnalysis.enabled !== true)
+    return false;
+  if (issueAnalysis.mode === "off")
+    return false;
+  if (issueAnalysis.harness && issueAnalysis.harness !== "pi")
+    return false;
+  return true;
+}
+function createConfiguredIssueAnalysisRunner(input) {
+  if (!issueAnalysisEnabled(input.context.config))
+    return null;
+  const source = input.context.taskSourceRegistry.list()[0];
+  if (!source)
+    return null;
+  const target = sourceWithWriteBackCapabilities(source);
+  if (!target)
+    return null;
+  const analyzer = input.analyzer ?? createPiIssueAnalyzer({
+    ...input.runCommand ? { runCommand: input.runCommand } : {},
+    ...input.context.config.issueAnalysis?.model ? { model: input.context.config.issueAnalysis.model } : {}
+  });
+  const baseWriteBack = createIssueAnalysisWriteBack({ target });
+  const service = createIssueAnalysisService({
+    analyzer,
+    writeBack: async (writeBackInput) => {
+      await baseWriteBack(writeBackInput);
+      await input.onWriteBack?.();
+    }
+  });
+  return createContinuousIssueAnalysisRunner({
+    loadIssues: async () => [...await source.list()],
+    service,
+    ...input.intervalMs !== undefined ? { intervalMs: input.intervalMs } : {},
+    reason: "continuous-issue-analysis",
+    ...input.setIntervalFn ? { setIntervalFn: input.setIntervalFn } : {},
+    ...input.clearIntervalFn ? { clearIntervalFn: input.clearIntervalFn } : {},
+    ...input.onError ? { onError: input.onError } : {}
+  });
+}
+function createIssueAnalysisService(input) {
+  const analyzedHashes = new Map;
+  return {
+    async analyze(issues, options = {}) {
+      const results = [];
+      const neighbors = options.neighbors ?? issues;
+      for (const issue of issues) {
+        const hash = stableIssueHash(issue);
+        if (analyzedHashes.get(issue.id) === hash)
+          continue;
+        const prompt = renderIssueAnalysisPrompt({ issue, neighbors: neighbors.filter((candidate) => candidate.id !== issue.id) });
+        const result = await input.analyzer({ issue, neighbors, prompt });
+        analyzedHashes.set(issue.id, hash);
+        if (result.metadataPatch || result.labelsToAdd?.length || result.labelsToRemove?.length || result.generatedIssues?.length) {
+          await input.writeBack?.({ issue, result, ...options.reason !== undefined ? { reason: options.reason } : {} });
         }
-        return { token, source: "signed-in-user" };
+        results.push({ issue, result });
       }
-      if (hostToken) {
-        return { token: hostToken, source: "host-admin-fallback" };
-      }
-      throw new Error("No host GitHub token is configured for the explicit admin fallback operation.");
+      return results;
+    },
+    clearCache() {
+      analyzedHashes.clear();
+    }
+  };
+}
+function createContinuousIssueAnalysisRunner(input) {
+  const intervalMs = Math.max(1000, Math.trunc(input.intervalMs ?? 60000));
+  const setIntervalFn = input.setIntervalFn ?? ((callback, ms) => setInterval(() => {
+    callback();
+  }, ms));
+  const clearIntervalFn = input.clearIntervalFn ?? ((timer2) => clearInterval(timer2));
+  let timer;
+  let running = false;
+  let inFlight = null;
+  const tick = async (reason = input.reason ?? "continuous") => {
+    if (inFlight)
+      return inFlight;
+    inFlight = (async () => {
+      const issues = await input.loadIssues();
+      return input.service.analyze(issues, { reason });
+    })();
+    try {
+      return await inFlight;
+    } finally {
+      inFlight = null;
+    }
+  };
+  return {
+    start() {
+      if (running)
+        return;
+      running = true;
+      timer = setIntervalFn(async () => {
+        try {
+          await tick();
+        } catch (error) {
+          input.onError?.(error);
+        }
+      }, intervalMs);
+    },
+    stop() {
+      if (!running)
+        return;
+      running = false;
+      if (timer !== undefined)
+        clearIntervalFn(timer);
+      timer = undefined;
+    },
+    tick,
+    isRunning() {
+      return running;
     }
   };
 }
-var init_credentials = () => {};
+var init_issue_analysis = () => {};
+
+// packages/github-provider-plugin/src/triage-run.ts
+var exports_triage_run = {};
+__export(exports_triage_run, {
+  runIssueAnalysisTriage: () => runIssueAnalysisTriage
+});
+import { buildPluginHostContext } from "@rig/core/plugin-host-context";
+function summarizeResults(results) {
+  return results.reduce((summary, entry) => {
+    if (entry.result.metadataPatch && Object.keys(entry.result.metadataPatch).length > 0) {
+      summary.metadataPatches += 1;
+    }
+    summary.labelsAdded += entry.result.labelsToAdd?.length ?? 0;
+    summary.labelsRemoved += entry.result.labelsToRemove?.length ?? 0;
+    summary.generatedIssues += entry.result.generatedIssues?.length ?? 0;
+    return summary;
+  }, { metadataPatches: 0, labelsAdded: 0, labelsRemoved: 0, generatedIssues: 0 });
+}
+async function loadContext(projectRoot) {
+  const context = await buildPluginHostContext(projectRoot);
+  if (!context)
+    return null;
+  return {
+    config: {
+      ...context.config.issueAnalysis ? { issueAnalysis: context.config.issueAnalysis } : {}
+    },
+    taskSourceRegistry: context.taskSourceRegistry
+  };
+}
+async function runIssueAnalysisTriage(options) {
+  const reason = options.reason?.trim() || "triage";
+  const context = options.context ?? await loadContext(options.projectRoot);
+  if (!context) {
+    return {
+      ok: true,
+      enabled: false,
+      reason,
+      sourceId: null,
+      sourceKind: null,
+      analyzedIssues: 0,
+      metadataPatches: 0,
+      labelsAdded: 0,
+      labelsRemoved: 0,
+      generatedIssues: 0,
+      writeBackRefreshes: 0,
+      refreshedIssueCount: null,
+      skippedReason: "no-config"
+    };
+  }
+  const source = context.taskSourceRegistry.list()[0] ?? null;
+  const sourceId = source?.id ?? null;
+  const sourceKind = source?.kind ?? null;
+  if (!issueAnalysisEnabled(context.config)) {
+    return {
+      ok: true,
+      enabled: false,
+      reason,
+      sourceId,
+      sourceKind,
+      analyzedIssues: 0,
+      metadataPatches: 0,
+      labelsAdded: 0,
+      labelsRemoved: 0,
+      generatedIssues: 0,
+      writeBackRefreshes: 0,
+      refreshedIssueCount: null,
+      skippedReason: "disabled"
+    };
+  }
+  if (!source) {
+    throw new Error("Issue analysis is enabled, but no configured task source is registered.");
+  }
+  let writeBackRefreshes = 0;
+  let refreshedIssueCount = null;
+  const refreshSnapshotAfterWriteBack = async () => {
+    writeBackRefreshes += 1;
+    const refreshed = await source.list();
+    refreshedIssueCount = refreshed.length;
+    await options.onWriteBack?.();
+  };
+  const runner = createConfiguredIssueAnalysisRunner({
+    projectRoot: options.projectRoot,
+    context,
+    ...options.analyzer ? { analyzer: options.analyzer } : {},
+    ...options.runCommand ? { runCommand: options.runCommand } : {},
+    onWriteBack: refreshSnapshotAfterWriteBack
+  });
+  if (!runner) {
+    throw new Error(`Issue analysis is enabled for ${sourceKind ?? "the configured source"}, but that task source does not expose Rig write-back capabilities.`);
+  }
+  const results = await runner.tick(reason);
+  const summary = summarizeResults(results);
+  return {
+    ok: true,
+    enabled: true,
+    reason,
+    sourceId,
+    sourceKind,
+    analyzedIssues: results.length,
+    ...summary,
+    writeBackRefreshes,
+    refreshedIssueCount
+  };
+}
+var init_triage_run = __esm(() => {
+  init_issue_analysis();
+});
+
+// packages/github-provider-plugin/src/identity.ts
+import {
+  RIG_WORKFLOW_STARTED
+} from "@rig/contracts";
+function stringField(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : undefined;
+}
+function numericStringField(value) {
+  return typeof value === "number" && Number.isInteger(value) ? String(value) : stringField(value);
+}
+function asRecord(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : null;
+}
+function customEntries(entries) {
+  const customs = [];
+  for (const entry of entries) {
+    if (entry.type === "custom")
+      customs.push(entry);
+  }
+  return customs;
+}
+function candidateFromStartedData(data) {
+  const record = asRecord(data);
+  if (!record)
+    return null;
+  const owner = asRecord(record.owner);
+  const selectedRepo = stringField(record.selectedRepo);
+  const githubUserId = stringField(owner?.githubUserId) ?? numericStringField(record.githubUserId) ?? numericStringField(record.userId);
+  const login = stringField(owner?.login) ?? stringField(record.login);
+  const namespaceKey = stringField(owner?.namespaceKey) ?? stringField(record.namespaceKey) ?? stringField(record.userNamespaceKey);
+  if (!selectedRepo && !githubUserId && !login && !namespaceKey)
+    return null;
+  return { selectedRepo, githubUserId, login, namespaceKey, source: "workflow-metadata" };
+}
+function workflowIdentityCandidate(entries) {
+  const customs = customEntries(entries);
+  for (let index = customs.length - 1;index >= 0; index -= 1) {
+    const entry = customs[index];
+    if (entry?.customType !== RIG_WORKFLOW_STARTED)
+      continue;
+    const candidate = candidateFromStartedData(entry.data);
+    if (candidate)
+      return candidate;
+  }
+  return null;
+}
+function ompGitHubIdentityCandidate(ctx) {
+  const account = asRecord(ctx.modelRegistry?.authStorage?.getOAuthAccountIdentity?.("github-copilot", ctx.sessionManager.getSessionId()));
+  if (!account)
+    return null;
+  const githubUserId = stringField(account.accountId);
+  const login = stringField(account.login) ?? stringField(account.email);
+  if (!githubUserId && !login)
+    return null;
+  return {
+    githubUserId,
+    login,
+    namespaceKey: githubUserId ? `gh:${githubUserId}` : undefined,
+    source: "omp-github-copilot-auth"
+  };
+}
+function envField(name) {
+  return stringField(process.env[name]);
+}
+function envIdentityCandidate() {
+  const selectedRepo = envField("RIG_SELECTED_REPO");
+  const githubUserId = envField("RIG_GITHUB_USER_ID");
+  const login = envField("RIG_GITHUB_LOGIN");
+  const namespaceKey = envField("RIG_GITHUB_NAMESPACE_KEY") ?? (githubUserId ? `gh:${githubUserId}` : undefined);
+  if (!selectedRepo && !githubUserId && !login && !namespaceKey)
+    return null;
+  return {
+    selectedRepo,
+    githubUserId,
+    login,
+    namespaceKey,
+    source: "rig-public-identity-env"
+  };
+}
+function mergeSource(sources, source) {
+  if (source && !sources.includes(source))
+    sources.push(source);
+}
+function completeIdentity(candidate, sources) {
+  const selectedRepo = stringField(candidate.selectedRepo);
+  const githubUserId = stringField(candidate.githubUserId);
+  const login = stringField(candidate.login);
+  const namespaceKey = stringField(candidate.namespaceKey) ?? (githubUserId ? `gh:${githubUserId}` : undefined);
+  if (!selectedRepo || !githubUserId || !login || !namespaceKey)
+    return null;
+  const uniqueSources = [];
+  for (const value of sources) {
+    if (!uniqueSources.includes(value))
+      uniqueSources.push(value);
+  }
+  return {
+    selectedRepo,
+    owner: { githubUserId, login, namespaceKey },
+    source: uniqueSources.join("+")
+  };
+}
+function resolveRigIdentity(ctx) {
+  const workflow = workflowIdentityCandidate(ctx.sessionManager.getBranch());
+  const omp = ompGitHubIdentityCandidate(ctx);
+  const env = envIdentityCandidate();
+  const sources = [];
+  const selectedRepo = workflow?.selectedRepo ?? env?.selectedRepo;
+  const githubUserId = workflow?.githubUserId ?? omp?.githubUserId ?? env?.githubUserId;
+  const login = workflow?.login ?? omp?.login ?? env?.login;
+  const namespaceKey = workflow?.namespaceKey ?? omp?.namespaceKey ?? env?.namespaceKey;
+  if (workflow && (workflow.selectedRepo || workflow.githubUserId || workflow.login || workflow.namespaceKey))
+    mergeSource(sources, workflow.source);
+  if (omp && (!workflow?.githubUserId || !workflow?.login || !workflow?.namespaceKey))
+    mergeSource(sources, omp.source);
+  if (env && (!workflow?.selectedRepo && env.selectedRepo || !workflow?.githubUserId && !omp?.githubUserId && env.githubUserId || !workflow?.login && !omp?.login && env.login || !workflow?.namespaceKey && !omp?.namespaceKey && env.namespaceKey))
+    mergeSource(sources, env.source);
+  return completeIdentity({ selectedRepo, githubUserId, login, namespaceKey, source: sources.join("+") }, sources);
+}
+function resolveRigIdentityFilter(ctx) {
+  const identity = resolveRigIdentity(ctx);
+  if (!identity)
+    return null;
+  return {
+    cwd: ctx.sessionManager.getCwd(),
+    selectedRepo: identity.selectedRepo,
+    githubUserId: identity.owner.githubUserId,
+    namespaceKey: identity.owner.namespaceKey
+  };
+}
+var init_identity = () => {};
+
+// packages/github-provider-plugin/src/identity-env.ts
+var exports_identity_env = {};
+__export(exports_identity_env, {
+  stripRunChildCredentialEnv: () => stripRunChildCredentialEnv,
+  resolveRigIdentityFilter: () => resolveRigIdentityFilter,
+  resolveRigIdentity: () => resolveRigIdentity,
+  resolveIdentityEnv: () => resolveIdentityEnv,
+  identityFilterFromEnv: () => identityFilterFromEnv,
+  applyIdentityEnv: () => applyIdentityEnv,
+  RUN_CHILD_STRIPPED_CREDENTIAL_ENV_KEYS: () => RUN_CHILD_STRIPPED_CREDENTIAL_ENV_KEYS
+});
+import { existsSync, readFileSync } from "fs";
+import { resolve } from "path";
+function stringField2(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : undefined;
+}
+function githubUserId(value) {
+  if (typeof value === "number" && Number.isInteger(value))
+    return String(value);
+  return stringField2(value);
+}
+function readJsonRecord(path) {
+  if (!existsSync(path))
+    return null;
+  try {
+    const parsed = JSON.parse(readFileSync(path, "utf8"));
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+  } catch {
+    return null;
+  }
+}
+function resolveIdentityEnv(workspaceRoot) {
+  const stateDir = resolve(workspaceRoot, ".rig", "state");
+  const auth = readJsonRecord(resolve(stateDir, "github-auth.json"));
+  const connection = readJsonRecord(resolve(stateDir, "connection.json"));
+  const projectLink = readJsonRecord(resolve(stateDir, "project-link.json"));
+  const values = {};
+  const selectedRepo = stringField2(auth?.selectedRepo) ?? stringField2(connection?.project) ?? stringField2(projectLink?.repoSlug);
+  const userId = githubUserId(auth?.userId);
+  const login = stringField2(auth?.login);
+  const namespaceKey = stringField2(auth?.userNamespaceKey);
+  if (selectedRepo)
+    values.RIG_SELECTED_REPO = selectedRepo;
+  if (userId)
+    values.RIG_GITHUB_USER_ID = userId;
+  if (login)
+    values.RIG_GITHUB_LOGIN = login;
+  if (namespaceKey)
+    values.RIG_GITHUB_NAMESPACE_KEY = namespaceKey;
+  return values;
+}
+function applyIdentityEnv(workspaceRoot) {
+  const previous = new Map;
+  for (const key of [...PUBLIC_IDENTITY_ENV_KEYS, ...RIG_STATE_ENV_KEYS])
+    previous.set(key, process.env[key]);
+  const stateDir = resolve(workspaceRoot, ".rig", "state");
+  const auth = readJsonRecord(resolve(stateDir, "github-auth.json"));
+  const connection = readJsonRecord(resolve(stateDir, "connection.json"));
+  const projectLink = readJsonRecord(resolve(stateDir, "project-link.json"));
+  const values = { ...resolveIdentityEnv(workspaceRoot) };
+  values.RIG_GITHUB_AUTH_STATE_FILE = resolve(stateDir, "github-auth.json");
+  const hasLocalIdentityState = Boolean(auth || connection || projectLink);
+  for (const key of [...PUBLIC_IDENTITY_ENV_KEYS, ...RIG_STATE_ENV_KEYS]) {
+    const value = values[key];
+    if (value)
+      process.env[key] = value;
+    else if (hasLocalIdentityState)
+      delete process.env[key];
+  }
+  return () => {
+    for (const key of [...PUBLIC_IDENTITY_ENV_KEYS, ...RIG_STATE_ENV_KEYS]) {
+      const value = previous.get(key);
+      if (value === undefined)
+        delete process.env[key];
+      else
+        process.env[key] = value;
+    }
+  };
+}
+function identityFilterFromEnv() {
+  return {
+    ...process.env.RIG_SELECTED_REPO ? { selectedRepo: process.env.RIG_SELECTED_REPO } : {},
+    ...process.env.RIG_GITHUB_USER_ID ? { githubUserId: process.env.RIG_GITHUB_USER_ID } : {},
+    ...process.env.RIG_GITHUB_NAMESPACE_KEY ? { namespaceKey: process.env.RIG_GITHUB_NAMESPACE_KEY } : {}
+  };
+}
+function stripRunChildCredentialEnv(env = process.env) {
+  const next = { ...env };
+  for (const key of RUN_CHILD_STRIPPED_CREDENTIAL_ENV_KEYS)
+    delete next[key];
+  return next;
+}
+var PUBLIC_IDENTITY_ENV_KEYS, RIG_STATE_ENV_KEYS, RUN_CHILD_STRIPPED_CREDENTIAL_ENV_KEYS;
+var init_identity_env = __esm(() => {
+  init_identity();
+  PUBLIC_IDENTITY_ENV_KEYS = [
+    "RIG_SELECTED_REPO",
+    "RIG_GITHUB_USER_ID",
+    "RIG_GITHUB_LOGIN",
+    "RIG_GITHUB_NAMESPACE_KEY"
+  ];
+  RIG_STATE_ENV_KEYS = [
+    "RIG_GITHUB_AUTH_STATE_FILE"
+  ];
+  RUN_CHILD_STRIPPED_CREDENTIAL_ENV_KEYS = [
+    "RIG_GITHUB_TOKEN",
+    "RIG_GITHUB_SELECTED_TOKEN",
+    "GH_TOKEN",
+    "GITHUB_TOKEN"
+  ];
+});
 
 // packages/github-provider-plugin/src/service.ts
 var exports_service = {};
 __export(exports_service, {
   githubProviderService: () => githubProviderService
 });
+import { createGitHubCredentialProvider } from "@rig/github-lib";
 var githubProviderService;
 var init_service = __esm(() => {
-  init_credentials();
   githubProviderService = {
     createCredentialProvider: (options) => createGitHubCredentialProvider(options)
   };
 });
 
 // packages/github-provider-plugin/src/plugin.ts
+import { spawnSync } from "child_process";
 import { definePlugin } from "@rig/core/config";
-import { GITHUB_PROVIDER_CAPABILITY_ID } from "@rig/contracts";
+import { defineCapability } from "@rig/core/capability";
+import {
+  GITHUB_PROVIDER_CAPABILITY_ID,
+  ISSUE_TRIAGE,
+  RUN_IDENTITY_ENV
+} from "@rig/contracts";
+var IssueTriageCap = defineCapability(ISSUE_TRIAGE);
+var issueTriageService = async () => {
+  const { runIssueAnalysisTriage: runIssueAnalysisTriage2 } = await Promise.resolve().then(() => (init_triage_run(), exports_triage_run));
+  return {
+    runTriage: (input) => runIssueAnalysisTriage2({ projectRoot: input.projectRoot, ...input.reason !== undefined ? { reason: input.reason } : {} })
+  };
+};
+var RunIdentityEnvCap = defineCapability(RUN_IDENTITY_ENV);
+var runIdentityEnvService = async () => {
+  const {
+    resolveIdentityEnv: resolveIdentityEnv2,
+    applyIdentityEnv: applyIdentityEnv2,
+    identityFilterFromEnv: identityFilterFromEnv2,
+    stripRunChildCredentialEnv: stripRunChildCredentialEnv2,
+    resolveRigIdentity: resolveRigIdentity2,
+    resolveRigIdentityFilter: resolveRigIdentityFilter2
+  } = await Promise.resolve().then(() => (init_identity_env(), exports_identity_env));
+  return {
+    resolveIdentityEnv: resolveIdentityEnv2,
+    applyIdentityEnv: applyIdentityEnv2,
+    identityFilterFromEnv: identityFilterFromEnv2,
+    stripRunChildCredentialEnv: stripRunChildCredentialEnv2,
+    resolveRigIdentity: resolveRigIdentity2,
+    resolveRigIdentityFilter: resolveRigIdentityFilter2
+  };
+};
 var GITHUB_PROVIDER_PLUGIN_NAME = "@rig/github-provider-plugin";
+function parseGitHubSlugFromRemote(remoteUrl) {
+  const match = remoteUrl.trim().match(/github\.com[:/]([^/\s]+)\/([^/\s]+?)(?:\.git)?\/?$/i);
+  return match ? `${match[1]}/${match[2]}` : null;
+}
+function detectGitHubRepoSlug(projectRoot) {
+  try {
+    const result = spawnSync("git", ["-C", projectRoot, "remote", "get-url", "origin"], {
+      encoding: "utf8",
+      timeout: 5000
+    });
+    if (result.status !== 0 || result.error)
+      return null;
+    return parseGitHubSlugFromRemote(result.stdout.trim());
+  } catch {
+    return null;
+  }
+}
+function githubConfigDefaults(context) {
+  const slug = context.repoSlug ?? detectGitHubRepoSlug(context.projectRoot);
+  if (!slug)
+    return null;
+  const [owner, repo] = slug.split("/", 2);
+  if (!owner || !repo)
+    return null;
+  return {
+    project: { name: slug, repo: slug },
+    taskSource: { kind: "github-issues", owner, repo, state: "open" },
+    github: { issueUpdates: "lifecycle", projects: { enabled: false } },
+    standard: {
+      githubWorkspaceId: slug,
+      githubUserId: process.env.RIG_GITHUB_USER_ID ?? "server-selected-user"
+    },
+    issueAnalysis: { enabled: true, harness: "pi", mode: "continuous" }
+  };
+}
 var githubProviderPlugin = definePlugin({
   name: GITHUB_PROVIDER_PLUGIN_NAME,
   version: "0.0.0-alpha.1",
@@ -78,8 +831,14 @@ var githubProviderPlugin = definePlugin({
         title: "GitHub SCM provider",
         description: "Resolve GitHub credentials for the configured SCM provider.",
         run: async () => (await Promise.resolve().then(() => (init_service(), exports_service))).githubProviderService
-      }
-    ]
+      },
+      IssueTriageCap.provide(issueTriageService, { title: "GitHub issue-analysis triage" }),
+      RunIdentityEnvCap.provide(runIdentityEnvService, {
+        title: "GitHub/Rig run identity env",
+        description: "Resolve GitHub/Rig identity, hydrate public identity env, and strip run-scoped credential tokens."
+      })
+    ],
+    config: { defaults: githubConfigDefaults }
   }
 });
 function createGitHubProviderPlugin() {
@@ -87,7 +846,9 @@ function createGitHubProviderPlugin() {
 }
 var plugin_default = githubProviderPlugin;
 export {
+  parseGitHubSlugFromRemote,
   githubProviderPlugin,
+  detectGitHubRepoSlug,
   plugin_default as default,
   createGitHubProviderPlugin,
   GITHUB_PROVIDER_PLUGIN_NAME