@h-rig/github-provider-plugin 0.0.6-alpha.156

package/dist/src/index.js

@@ -0,0 +1,1247 @@
+// @bun
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
+
+// packages/github-provider-plugin/src/credentials.ts
+import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
+import { resolve as resolve2 } from "path";
+function selectedRepoTokenKey(input) {
+  return `user:${input.userId}|repo:${input.owner}/${input.repo}|workspace:${input.workspaceId}`;
+}
+function cleanToken(value) {
+  const trimmed = value?.trim() ?? "";
+  return trimmed.length > 0 ? trimmed : null;
+}
+function createGitHubCredentialProvider(options = {}) {
+  const sessionTokens = options.sessionTokens ?? {};
+  const hostToken = cleanToken(options.hostToken ?? process.env.GH_TOKEN ?? null);
+  return {
+    async resolveGitHubToken(input) {
+      const owner = input.owner.trim();
+      const repo = input.repo.trim();
+      const workspaceId = input.workspaceId.trim();
+      const userId = input.userId?.trim() ?? "";
+      if (input.purpose === "selected-repo") {
+        if (!owner || !repo || !workspaceId || !userId) {
+          throw new Error("No signed-in GitHub token is available for the selected repo; sign in to GitHub for this workspace.");
+        }
+        const token = cleanToken(sessionTokens[selectedRepoTokenKey({ owner, repo, workspaceId, userId })]);
+        if (!token) {
+          throw new Error("No signed-in GitHub token is available for the selected repo; sign in to GitHub for this workspace.");
+        }
+        return { token, source: "signed-in-user" };
+      }
+      if (hostToken) {
+        return { token: hostToken, source: "host-admin-fallback" };
+      }
+      throw new Error("No host GitHub token is configured for the explicit admin fallback operation.");
+    }
+  };
+}
+function createEnvGitHubCredentialProvider() {
+  return {
+    async resolveGitHubToken(input) {
+      if (input.purpose === "selected-repo") {
+        return { token: cleanToken(process.env.RIG_GITHUB_SELECTED_TOKEN ?? null) ?? "", source: "signed-in-user" };
+      }
+      const token = cleanToken(process.env.RIG_GITHUB_TOKEN ?? process.env.GH_TOKEN ?? process.env.GITHUB_TOKEN ?? null);
+      if (!token) {
+        throw new Error("No host GitHub token is configured for admin fallback.");
+      }
+      return { token, source: "host-admin-fallback" };
+    }
+  };
+}
+function createStateGitHubCredentialProvider(options = {}) {
+  const addCandidate = (candidates, path) => {
+    const trimmed = path?.trim();
+    if (!trimmed)
+      return;
+    const resolved = resolve2(trimmed);
+    if (!candidates.includes(resolved))
+      candidates.push(resolved);
+  };
+  const addStateDir = (candidates, dir) => {
+    const trimmed = dir?.trim();
+    if (!trimmed)
+      return;
+    addCandidate(candidates, resolve2(trimmed, "github-auth.json"));
+  };
+  const addProjectStateDir = (candidates, root) => {
+    const trimmed = root?.trim();
+    if (!trimmed)
+      return;
+    addStateDir(candidates, resolve2(trimmed, ".rig", "state"));
+  };
+  const stateFileCandidates = () => {
+    const candidates = [];
+    addCandidate(candidates, options.stateFile ?? process.env.RIG_GITHUB_AUTH_STATE_FILE);
+    addStateDir(candidates, options.stateDir);
+    addStateDir(candidates, process.env.RIG_STATE_DIR);
+    addProjectStateDir(candidates, process.env.PROJECT_RIG_ROOT);
+    addProjectStateDir(candidates, process.env.RIG_PROJECT_ROOT);
+    addProjectStateDir(candidates, process.env.RIG_HOST_PROJECT_ROOT);
+    addProjectStateDir(candidates, process.cwd());
+    return candidates;
+  };
+  const readToken = () => {
+    for (const stateFile of stateFileCandidates()) {
+      if (!existsSync2(stateFile))
+        continue;
+      try {
+        const parsed = JSON.parse(readFileSync2(stateFile, "utf8"));
+        const token = typeof parsed.token === "string" ? cleanToken(parsed.token) : null;
+        if (token)
+          return token;
+      } catch {}
+    }
+    return null;
+  };
+  return {
+    async resolveGitHubToken(input) {
+      const token = readToken();
+      if (input.purpose === "selected-repo") {
+        return { token: token ?? cleanToken(process.env.RIG_GITHUB_SELECTED_TOKEN ?? null) ?? "", source: "signed-in-user" };
+      }
+      if (token) {
+        return { token, source: "signed-in-user" };
+      }
+      const fallback = cleanToken(process.env.RIG_GITHUB_TOKEN ?? process.env.GH_TOKEN ?? process.env.GITHUB_TOKEN ?? null);
+      if (!fallback) {
+        throw new Error("No signed-in GitHub token is stored for Rig and no host admin fallback token is configured.");
+      }
+      return { token: fallback, source: "host-admin-fallback" };
+    }
+  };
+}
+var init_credentials = () => {};
+
+// packages/github-provider-plugin/src/service.ts
+var exports_service = {};
+__export(exports_service, {
+  githubProviderService: () => githubProviderService
+});
+var githubProviderService;
+var init_service = __esm(() => {
+  init_credentials();
+  githubProviderService = {
+    createCredentialProvider: (options) => createGitHubCredentialProvider(options)
+  };
+});
+
+// packages/github-provider-plugin/src/auth-store.ts
+import { randomBytes } from "crypto";
+import { chmodSync, copyFileSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
+import { dirname, resolve } from "path";
+import { resolveRigStatePaths } from "@rig/runtime/control-plane/server-paths";
+function cleanString(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function cleanScopes(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    const clean = cleanString(entry);
+    return clean ? [clean] : [];
+  });
+}
+function parseApiSessions(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    if (!entry || typeof entry !== "object" || Array.isArray(entry))
+      return [];
+    const record = entry;
+    const token = cleanString(record.token);
+    if (!token)
+      return [];
+    return [{
+      token,
+      login: cleanString(record.login),
+      userId: cleanString(record.userId),
+      createdAt: cleanString(record.createdAt) ?? undefined
+    }];
+  });
+}
+function parsePendingDevice(value) {
+  if (!value || typeof value !== "object")
+    return null;
+  const record = value;
+  const pollId = cleanString(record.pollId);
+  const deviceCode = cleanString(record.deviceCode);
+  const expiresAt = cleanString(record.expiresAt);
+  const intervalSeconds = typeof record.intervalSeconds === "number" && Number.isFinite(record.intervalSeconds) ? Math.max(1, Math.floor(record.intervalSeconds)) : null;
+  if (!pollId || !deviceCode || !expiresAt || !intervalSeconds)
+    return null;
+  return { pollId, deviceCode, expiresAt, intervalSeconds };
+}
+function parsePendingDevices(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    const pending = parsePendingDevice(entry);
+    return pending ? [pending] : [];
+  });
+}
+function readStoredAuth(stateFile) {
+  if (!existsSync(stateFile))
+    return {};
+  try {
+    const parsed = JSON.parse(readFileSync(stateFile, "utf8"));
+    return {
+      ...cleanString(parsed.token) ? { token: cleanString(parsed.token) } : {},
+      login: cleanString(parsed.login),
+      userId: cleanString(parsed.userId),
+      scopes: cleanScopes(parsed.scopes),
+      selectedRepo: cleanString(parsed.selectedRepo),
+      tokenSource: parsed.tokenSource === "oauth-device" || parsed.tokenSource === "manual-token" || parsed.tokenSource === "env" ? parsed.tokenSource : undefined,
+      pendingDevice: parsePendingDevice(parsed.pendingDevice),
+      pendingDevices: parsePendingDevices(parsed.pendingDevices),
+      apiSessions: parseApiSessions(parsed.apiSessions),
+      updatedAt: cleanString(parsed.updatedAt) ?? undefined
+    };
+  } catch {
+    return {};
+  }
+}
+function newApiSessionToken() {
+  return `rig_${randomBytes(32).toString("base64url")}`;
+}
+function writeStoredAuth(stateFile, payload) {
+  mkdirSync(dirname(stateFile), { recursive: true });
+  writeFileSync(stateFile, `${JSON.stringify(payload, null, 2)}
+`, { encoding: "utf8", mode: 384 });
+  try {
+    chmodSync(stateFile, 384);
+  } catch {}
+}
+function localProjectAuthStateFile(projectRoot) {
+  return resolve(projectRoot, ".rig", "state", "github-auth.json");
+}
+function resolveGitHubAuthStateFile(projectRoot) {
+  return resolve(resolveRigStatePaths(projectRoot).stateDir, "github-auth.json");
+}
+function copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot) {
+  const targetFile = localProjectAuthStateFile(projectRoot);
+  mkdirSync(dirname(targetFile), { recursive: true });
+  if (existsSync(stateFile)) {
+    copyFileSync(stateFile, targetFile);
+    try {
+      chmodSync(targetFile, 384);
+    } catch {}
+    return;
+  }
+  writeStoredAuth(targetFile, {});
+}
+function createGitHubAuthStoreFromStateFile(stateFile) {
+  return {
+    stateFile,
+    status(options) {
+      const stored = readStoredAuth(stateFile);
+      const token = cleanString(stored.token);
+      return {
+        signedIn: Boolean(token),
+        login: cleanString(stored.login),
+        userId: cleanString(stored.userId),
+        scopes: cleanScopes(stored.scopes),
+        selectedRepo: cleanString(stored.selectedRepo),
+        oauthConfigured: options?.oauthConfigured === true,
+        tokenSource: token ? stored.tokenSource ?? "manual-token" : null
+      };
+    },
+    readToken() {
+      return cleanString(readStoredAuth(stateFile).token);
+    },
+    saveToken(input) {
+      const previous = readStoredAuth(stateFile);
+      writeStoredAuth(stateFile, {
+        ...previous,
+        token: input.token,
+        tokenSource: input.tokenSource,
+        login: input.login ?? null,
+        userId: input.userId ?? null,
+        scopes: input.scopes ?? [],
+        selectedRepo: input.selectedRepo ?? previous.selectedRepo ?? null,
+        pendingDevice: null,
+        pendingDevices: [],
+        apiSessions: previous.apiSessions ?? [],
+        updatedAt: new Date().toISOString()
+      });
+    },
+    createApiSession() {
+      const previous = readStoredAuth(stateFile);
+      const token = newApiSessionToken();
+      const session = {
+        token,
+        login: cleanString(previous.login),
+        userId: cleanString(previous.userId),
+        createdAt: new Date().toISOString()
+      };
+      writeStoredAuth(stateFile, {
+        ...previous,
+        apiSessions: [...(previous.apiSessions ?? []).slice(-9), session],
+        updatedAt: new Date().toISOString()
+      });
+      return { token, login: session.login ?? null, userId: session.userId ?? null };
+    },
+    readApiSession(token) {
+      const clean = cleanString(token);
+      if (!clean)
+        return null;
+      const previous = readStoredAuth(stateFile);
+      const session = (previous.apiSessions ?? []).find((candidate) => candidate.token === clean);
+      return session ? { login: cleanString(session.login), userId: cleanString(session.userId) } : null;
+    },
+    copyToProjectRoot(projectRoot) {
+      const targetFile = resolveGitHubAuthStateFile(projectRoot);
+      writeStoredAuth(targetFile, readStoredAuth(stateFile));
+    },
+    copyToLocalProjectRoot(projectRoot) {
+      copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot);
+    },
+    savePendingDevice(input) {
+      const previous = readStoredAuth(stateFile);
+      const pendingDevices = [
+        ...previous.pendingDevice ? [previous.pendingDevice] : [],
+        ...previous.pendingDevices ?? [],
+        input
+      ].filter((entry, index, entries) => entries.findIndex((candidate) => candidate.pollId === entry.pollId) === index);
+      writeStoredAuth(stateFile, {
+        ...previous,
+        pendingDevice: null,
+        pendingDevices,
+        updatedAt: new Date().toISOString()
+      });
+    },
+    saveSelectedRepo(selectedRepo) {
+      const previous = readStoredAuth(stateFile);
+      writeStoredAuth(stateFile, {
+        ...previous,
+        selectedRepo: selectedRepo ?? null,
+        updatedAt: new Date().toISOString()
+      });
+    },
+    readPendingDevice(pollId) {
+      const previous = readStoredAuth(stateFile);
+      const pending = [
+        ...previous.pendingDevice ? [previous.pendingDevice] : [],
+        ...previous.pendingDevices ?? []
+      ].find((entry) => entry.pollId === pollId) ?? null;
+      if (!pending)
+        return null;
+      if (Date.parse(pending.expiresAt) <= Date.now())
+        return null;
+      return pending;
+    },
+    clearPendingDevice(pollId) {
+      const previous = readStoredAuth(stateFile);
+      const remaining = pollId ? (previous.pendingDevices ?? []).filter((entry) => entry.pollId !== pollId) : [];
+      writeStoredAuth(stateFile, {
+        ...previous,
+        pendingDevice: null,
+        pendingDevices: remaining,
+        updatedAt: new Date().toISOString()
+      });
+    }
+  };
+}
+function createGitHubAuthStore(projectRoot) {
+  return createGitHubAuthStoreFromStateFile(resolveGitHubAuthStateFile(projectRoot));
+}
+
+// packages/github-provider-plugin/src/index.ts
+init_credentials();
+
+// packages/github-provider-plugin/src/projects.ts
+function asRecord(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : null;
+}
+function asString(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value : undefined;
+}
+function asNumber(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : undefined;
+}
+async function defaultGraphQLFetch(query, variables, token) {
+  const response = await fetch("https://api.github.com/graphql", {
+    method: "POST",
+    headers: {
+      "content-type": "application/json",
+      authorization: `Bearer ${token}`,
+      accept: "application/vnd.github+json"
+    },
+    body: JSON.stringify({ query, variables })
+  });
+  const json = await response.json().catch(() => ({}));
+  if (!response.ok || json.errors) {
+    throw new Error(`GitHub Projects GraphQL request failed: ${JSON.stringify(json.errors ?? { status: response.status })}`);
+  }
+  return json.data;
+}
+function projectNodesFrom(data) {
+  const root = asRecord(data);
+  const owner = asRecord(root?.organization) ?? asRecord(root?.user);
+  const projects = asRecord(owner?.projectsV2);
+  const nodes = projects?.nodes;
+  return Array.isArray(nodes) ? nodes : [];
+}
+async function listGitHubProjects(input) {
+  const query = `
+    query RigListProjects($owner: String!, $first: Int!) {
+      organization(login: $owner) { projectsV2(first: $first, orderBy: { field: UPDATED_AT, direction: DESC }) { nodes { id number title url } } }
+      user(login: $owner) { projectsV2(first: $first, orderBy: { field: UPDATED_AT, direction: DESC }) { nodes { id number title url } } }
+    }
+  `;
+  const fetchGraphQL = input.fetchGraphQL ?? defaultGraphQLFetch;
+  const data = await fetchGraphQL(query, { owner: input.owner, first: input.first ?? 20 }, input.token);
+  return projectNodesFrom(data).flatMap((node) => {
+    const record = asRecord(node);
+    const id = asString(record?.id);
+    const number = asNumber(record?.number);
+    const title = asString(record?.title);
+    if (!id || number === undefined || !title)
+      return [];
+    return [{ id, number, title, ...asString(record?.url) ? { url: asString(record?.url) } : {} }];
+  });
+}
+async function resolveProjectStatusField(input) {
+  const query = `
+    query RigProjectStatusField($projectId: ID!) {
+      node(id: $projectId) {
+        ... on ProjectV2 {
+          fields(first: 50) {
+            nodes {
+              ... on ProjectV2FieldCommon { id name }
+              ... on ProjectV2SingleSelectField { id name options { id name } }
+            }
+          }
+        }
+      }
+    }
+  `;
+  const fetchGraphQL = input.fetchGraphQL ?? defaultGraphQLFetch;
+  const data = await fetchGraphQL(query, { projectId: input.projectId }, input.token);
+  const fields = asRecord(asRecord(asRecord(data)?.node)?.fields)?.nodes;
+  for (const node of Array.isArray(fields) ? fields : []) {
+    const record = asRecord(node);
+    if (asString(record?.name)?.toLowerCase() !== "status")
+      continue;
+    const id = asString(record?.id);
+    if (!id)
+      continue;
+    const options = Array.isArray(record?.options) ? record.options.flatMap((option) => {
+      const optionRecord = asRecord(option);
+      const optionId = asString(optionRecord?.id);
+      const name = asString(optionRecord?.name);
+      return optionId && name ? [{ id: optionId, name }] : [];
+    }) : [];
+    return { id, name: "Status", options };
+  }
+  throw new Error(`GitHub Project ${input.projectId} does not expose a Status single-select field.`);
+}
+async function ensureIssueProjectItem(input) {
+  const query = `
+    query RigFindProjectIssueItem($projectId: ID!, $issueNodeId: ID!) {
+      node(id: $projectId) {
+        ... on ProjectV2 {
+          items(first: 100) { nodes { id content { ... on Issue { id } } } }
+        }
+      }
+    }
+  `;
+  const fetchGraphQL = input.fetchGraphQL ?? defaultGraphQLFetch;
+  const data = await fetchGraphQL(query, { projectId: input.projectId, issueNodeId: input.issueNodeId }, input.token);
+  const nodes = asRecord(asRecord(asRecord(data)?.node)?.items)?.nodes;
+  for (const node of Array.isArray(nodes) ? nodes : []) {
+    const record = asRecord(node);
+    const content = asRecord(record?.content);
+    if (asString(content?.id) === input.issueNodeId) {
+      const id2 = asString(record?.id);
+      if (id2)
+        return { id: id2, created: false };
+    }
+  }
+  const mutation = `
+    mutation RigAddIssueToProject($projectId: ID!, $contentId: ID!) {
+      addProjectV2ItemById(input: { projectId: $projectId, contentId: $contentId }) { item { id } }
+    }
+  `;
+  const created = await fetchGraphQL(mutation, { projectId: input.projectId, contentId: input.issueNodeId }, input.token);
+  const addResult = asRecord(asRecord(created)?.addProjectV2ItemById);
+  const id = asString(asRecord(addResult?.item)?.id);
+  if (!id)
+    throw new Error("GitHub Project item creation did not return an item id.");
+  return { id, created: true };
+}
+async function updateIssueProjectStatus(input) {
+  const mutation = `
+    mutation RigUpdateProjectStatus($projectId: ID!, $itemId: ID!, $fieldId: ID!, $optionId: String!) {
+      updateProjectV2ItemFieldValue(input: {
+        projectId: $projectId,
+        itemId: $itemId,
+        fieldId: $fieldId,
+        value: { singleSelectOptionId: $optionId }
+      }) { projectV2Item { id } }
+    }
+  `;
+  const fetchGraphQL = input.fetchGraphQL ?? defaultGraphQLFetch;
+  await fetchGraphQL(mutation, {
+    projectId: input.projectId,
+    itemId: input.itemId,
+    fieldId: input.fieldId,
+    optionId: input.optionId
+  }, input.token);
+}
+// packages/github-provider-plugin/src/github-api.ts
+import { randomUUID } from "crypto";
+function normalizeString(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function normalizeScopes(value) {
+  if (Array.isArray(value)) {
+    return value.flatMap((entry) => {
+      const normalized = normalizeString(entry);
+      return normalized ? [normalized] : [];
+    });
+  }
+  if (typeof value === "string") {
+    return value.split(/[ ,]+/).map((entry) => entry.trim()).filter(Boolean);
+  }
+  return [];
+}
+async function defaultPostGitHubForm(endpoint, body) {
+  const response = await fetch(endpoint, {
+    method: "POST",
+    headers: {
+      accept: "application/json",
+      "content-type": "application/x-www-form-urlencoded",
+      "user-agent": "rig"
+    },
+    body: new URLSearchParams(body)
+  });
+  const payload = await response.json().catch(() => ({}));
+  return { status: response.status, payload };
+}
+async function fetchGitHubUserInfo(token) {
+  const response = await fetch("https://api.github.com/user", {
+    headers: {
+      accept: "application/vnd.github+json",
+      authorization: `Bearer ${token}`,
+      "user-agent": "rig"
+    }
+  });
+  const payload = await response.json().catch(() => ({}));
+  if (!response.ok) {
+    throw new Error(typeof payload.message === "string" ? payload.message : `GitHub user lookup failed (${response.status}).`);
+  }
+  const login = normalizeString(payload.login);
+  const id = typeof payload.id === "number" ? String(payload.id) : normalizeString(payload.id);
+  if (!login || !id) {
+    throw new Error("GitHub user lookup did not return login/id.");
+  }
+  return { login, id, scopes: normalizeScopes(response.headers.get("x-oauth-scopes")) };
+}
+function resolveGitHubAuthStatus(input) {
+  return createGitHubAuthStore(input.projectRoot).status({ oauthConfigured: input.oauthConfigured });
+}
+async function saveGitHubTokenForProject(input) {
+  const token = normalizeString(input.token);
+  if (!token) {
+    throw new Error("token is required");
+  }
+  const user = await (input.fetchUser ?? fetchGitHubUserInfo)(token);
+  const store = createGitHubAuthStore(input.projectRoot);
+  store.saveToken({
+    token,
+    tokenSource: input.tokenSource ?? "manual-token",
+    login: user.login,
+    userId: user.id,
+    scopes: user.scopes ?? [],
+    selectedRepo: input.selectedRepo ?? undefined
+  });
+  return { ok: true, ...store.status({ oauthConfigured: true }) };
+}
+async function beginGitHubDeviceFlow(input) {
+  const clientId = normalizeString(input.clientId);
+  if (!clientId) {
+    throw new Error("clientId is required");
+  }
+  const postForm = input.postForm ?? defaultPostGitHubForm;
+  const result = await postForm("https://github.com/login/device/code", {
+    client_id: clientId,
+    scope: normalizeString(input.scope) ?? "repo read:project user:email"
+  });
+  const deviceCode = normalizeString(result.payload.device_code);
+  if (result.status < 200 || result.status >= 300 || !deviceCode) {
+    throw new Error(normalizeString(result.payload.error_description) ?? "GitHub device flow start failed.");
+  }
+  const expiresIn = typeof result.payload.expires_in === "number" ? result.payload.expires_in : 900;
+  const intervalSeconds = typeof result.payload.interval === "number" ? result.payload.interval : 5;
+  const pollId = randomUUID();
+  createGitHubAuthStore(input.projectRoot).savePendingDevice({
+    pollId,
+    deviceCode,
+    expiresAt: new Date(Date.now() + expiresIn * 1000).toISOString(),
+    intervalSeconds
+  });
+  if (input.selectedRepo) {
+    createGitHubAuthStore(input.projectRoot).saveSelectedRepo(input.selectedRepo);
+  }
+  return {
+    ok: true,
+    pollId,
+    userCode: normalizeString(result.payload.user_code),
+    verificationUri: normalizeString(result.payload.verification_uri),
+    expiresIn,
+    intervalSeconds
+  };
+}
+async function pollGitHubDeviceFlow(input) {
+  const clientId = normalizeString(input.clientId);
+  if (!clientId) {
+    throw new Error("clientId is required");
+  }
+  const store = createGitHubAuthStore(input.projectRoot);
+  const pending = store.readPendingDevice(input.pollId);
+  if (!pending) {
+    return { ok: false, status: "expired", error: "GitHub device flow expired or unknown." };
+  }
+  const result = await (input.postForm ?? defaultPostGitHubForm)("https://github.com/login/oauth/access_token", {
+    client_id: clientId,
+    device_code: pending.deviceCode,
+    grant_type: "urn:ietf:params:oauth:grant-type:device_code"
+  });
+  const error = normalizeString(result.payload.error);
+  if (error === "authorization_pending" || error === "slow_down") {
+    return {
+      ok: false,
+      status: error === "slow_down" ? "slow-down" : "pending",
+      intervalSeconds: error === "slow_down" ? pending.intervalSeconds + 5 : pending.intervalSeconds
+    };
+  }
+  if (error || typeof result.payload.access_token !== "string") {
+    return {
+      ok: false,
+      status: "error",
+      error: normalizeString(result.payload.error_description) ?? "GitHub device authorization failed."
+    };
+  }
+  const token = result.payload.access_token;
+  const user = await (input.fetchUser ?? fetchGitHubUserInfo)(token);
+  store.saveToken({
+    token,
+    tokenSource: "oauth-device",
+    login: user.login,
+    userId: user.id,
+    scopes: user.scopes ?? normalizeScopes(result.payload.scope),
+    selectedRepo: input.selectedRepo ?? undefined
+  });
+  store.clearPendingDevice(input.pollId);
+  return { ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }) };
+}
+function checkGitHubRepoPermissions(input) {
+  const store = createGitHubAuthStore(input.projectRoot);
+  const auth = store.status({ oauthConfigured: input.oauthConfigured });
+  if (!auth.signedIn) {
+    return { ok: false, signedIn: false, canOpenPullRequest: false, reason: "not-authenticated" };
+  }
+  const normalizedScopes = auth.scopes.map((scope) => scope.toLowerCase());
+  const broadEnough = normalizedScopes.includes("repo") || normalizedScopes.includes("public_repo");
+  return {
+    ok: true,
+    signedIn: true,
+    login: auth.login,
+    scopes: auth.scopes,
+    canOpenPullRequest: broadEnough,
+    pullRequests: broadEnough,
+    push: broadEnough,
+    reason: broadEnough ? "stored-token" : "token-scope-unverified"
+  };
+}
+async function probeGitHubRepository(input) {
+  const headers = {
+    accept: "application/vnd.github+json",
+    "user-agent": "rig"
+  };
+  if (input.token) {
+    headers.authorization = `Bearer ${input.token}`;
+  }
+  try {
+    const response = await (input.fetchRepository ?? fetch)(`https://api.github.com/repos/${encodeURIComponent(input.owner)}/${encodeURIComponent(input.repo)}`, { headers });
+    const payload = await response.json().catch(() => ({}));
+    if (response.ok) {
+      return {
+        ok: true,
+        owner: input.owner,
+        repo: input.repo,
+        status: response.status,
+        authenticated: Boolean(input.token),
+        authenticationRequired: payload.private === true && !input.token,
+        fullName: typeof payload.full_name === "string" ? payload.full_name : `${input.owner}/${input.repo}`,
+        private: typeof payload.private === "boolean" ? payload.private : null,
+        message: input.token ? "Repository access verified with signed-in GitHub credentials." : "Public repository access verified without credentials.",
+        scopes: input.scopes
+      };
+    }
+    const authenticationRequired = !input.token && (response.status === 401 || response.status === 403 || response.status === 404);
+    return {
+      ok: false,
+      owner: input.owner,
+      repo: input.repo,
+      status: response.status,
+      authenticated: Boolean(input.token),
+      authenticationRequired,
+      fullName: null,
+      private: null,
+      message: authenticationRequired ? "Repository is private, missing, or inaccessible without GitHub sign-in. Sign in before saving this config." : typeof payload.message === "string" ? payload.message : `GitHub repository probe failed (${response.status}).`,
+      scopes: input.scopes
+    };
+  } catch (error) {
+    return {
+      ok: false,
+      owner: input.owner,
+      repo: input.repo,
+      status: 0,
+      authenticated: Boolean(input.token),
+      authenticationRequired: !input.token,
+      fullName: null,
+      private: null,
+      message: error instanceof Error ? error.message : "GitHub repository probe failed.",
+      scopes: input.scopes
+    };
+  }
+}
+// packages/github-provider-plugin/src/issue-analysis.ts
+import { createHash } from "crypto";
+function stableIssueHash(issue) {
+  const labels = Array.isArray(issue.labels) ? [...issue.labels].map(String).sort() : [];
+  const body = typeof issue.body === "string" ? issue.body : "";
+  const title = typeof issue.title === "string" ? issue.title : "";
+  return createHash("sha256").update(JSON.stringify({ id: issue.id, title, body, labels, deps: issue.deps, status: issue.status })).digest("hex");
+}
+function renderIssueAnalysisPrompt(input) {
+  const issue = input.issue;
+  const neighbors = input.neighbors ?? [];
+  return [
+    "You are Rig issue analysis running inside Pi.",
+    "Return JSON only with optional metadataPatch, labelsToAdd, labelsToRemove, and generatedIssues; analyze backlog dependencies, children, readiness, size, risk, and planning.",
+    "Preserve all human-authored issue body content. Only propose edits for Rig-owned metadata/status sections, labels, and generated issues.",
+    "Generated issues must be concrete, minimal follow-up tasks and will be labeled rig:generated by Rig.",
+    "",
+    "Issue:",
+    JSON.stringify({
+      id: issue.id,
+      title: issue.title,
+      body: issue.body,
+      labels: issue.labels,
+      deps: issue.deps,
+      status: issue.status
+    }, null, 2),
+    "",
+    "Neighbor tasks:",
+    JSON.stringify(neighbors.map((task) => ({ id: task.id, title: task.title, status: task.status, deps: task.deps })), null, 2)
+  ].join(`
+`);
+}
+function isRecord(value) {
+  return Boolean(value && typeof value === "object" && !Array.isArray(value));
+}
+function stringArray(value) {
+  if (!Array.isArray(value))
+    return;
+  return value.map(String).filter((entry) => entry.trim().length > 0);
+}
+function generatedIssues(value) {
+  if (!Array.isArray(value))
+    return;
+  return value.flatMap((entry) => {
+    if (!isRecord(entry) || typeof entry.title !== "string")
+      return [];
+    return [{
+      title: entry.title,
+      body: typeof entry.body === "string" ? entry.body : "",
+      labels: stringArray(entry.labels) ?? [],
+      ...Array.isArray(entry.dependsOn) ? { dependsOn: entry.dependsOn.map(String) } : {}
+    }];
+  });
+}
+function findJsonLikeText(value) {
+  if (typeof value === "string") {
+    const trimmed = value.trim();
+    if (trimmed.startsWith("{") || trimmed.startsWith("```"))
+      return trimmed;
+    return null;
+  }
+  if (Array.isArray(value)) {
+    for (const entry of value) {
+      const found = findJsonLikeText(entry);
+      if (found)
+        return found;
+    }
+    return null;
+  }
+  if (!isRecord(value))
+    return null;
+  for (const key of ["text", "content", "message", "output_text", "response", "stdout"]) {
+    const found = findJsonLikeText(value[key]);
+    if (found)
+      return found;
+  }
+  for (const entry of Object.values(value)) {
+    const found = findJsonLikeText(entry);
+    if (found)
+      return found;
+  }
+  return null;
+}
+function candidateAnalysisObject(value) {
+  if (!isRecord(value))
+    return null;
+  if (isRecord(value.result))
+    return candidateAnalysisObject(value.result) ?? value.result;
+  if (isRecord(value.analysis))
+    return candidateAnalysisObject(value.analysis) ?? value.analysis;
+  if (isRecord(value.metadataPatch) || Array.isArray(value.labelsToAdd) || Array.isArray(value.labelsToRemove) || Array.isArray(value.generatedIssues)) {
+    return value;
+  }
+  const nested = findJsonLikeText(value);
+  if (nested && nested !== JSON.stringify(value)) {
+    try {
+      const parsedNested = JSON.parse(nested.match(/```(?:json)?\s*([\s\S]*?)\s*```/i)?.[1]?.trim() ?? nested);
+      return candidateAnalysisObject(parsedNested);
+    } catch {
+      return null;
+    }
+  }
+  return null;
+}
+function parseIssueAnalysisResult(raw) {
+  let parsed = raw;
+  if (typeof raw === "string") {
+    const trimmed = raw.trim();
+    const fenced = trimmed.match(/```(?:json)?\s*([\s\S]*?)\s*```/i)?.[1]?.trim();
+    try {
+      parsed = JSON.parse(fenced ?? trimmed);
+    } catch {
+      const lastJsonLine = trimmed.split(/\r?\n/).reverse().find((line) => line.trim().startsWith("{"));
+      parsed = lastJsonLine ? JSON.parse(lastJsonLine) : {};
+    }
+  }
+  const candidate = candidateAnalysisObject(parsed);
+  if (!candidate)
+    return {};
+  const result = {};
+  if (isRecord(candidate.metadataPatch))
+    result.metadataPatch = candidate.metadataPatch;
+  const add = stringArray(candidate.labelsToAdd);
+  if (add?.length)
+    result.labelsToAdd = add;
+  const remove = stringArray(candidate.labelsToRemove);
+  if (remove?.length)
+    result.labelsToRemove = remove;
+  const generated = generatedIssues(candidate.generatedIssues);
+  if (generated?.length)
+    result.generatedIssues = generated;
+  return result;
+}
+function createDefaultPiIssueAnalysisCommandRunner() {
+  return async (command, args, options) => {
+    const env = options.env ? { ...process.env, ...options.env } : process.env;
+    const proc = Bun.spawn([command, ...args], {
+      stdout: "pipe",
+      stderr: "pipe",
+      env
+    });
+    let timedOut = false;
+    const timer = setTimeout(() => {
+      timedOut = true;
+      proc.kill();
+    }, options.timeoutMs);
+    try {
+      const [stdout, stderr, exitCode] = await Promise.all([
+        new Response(proc.stdout).text(),
+        new Response(proc.stderr).text(),
+        proc.exited
+      ]);
+      return {
+        exitCode: timedOut && exitCode === 0 ? 1 : exitCode,
+        stdout,
+        stderr: timedOut && stderr.trim().length === 0 ? `Pi issue analysis timed out after ${options.timeoutMs}ms` : stderr
+      };
+    } finally {
+      clearTimeout(timer);
+    }
+  };
+}
+function createPiIssueAnalyzer(input = {}) {
+  const piBinary = input.piBinary ?? process.env.RIG_ISSUE_ANALYSIS_PI_BINARY ?? "pi";
+  const timeoutMs = Math.max(1000, Math.trunc(input.timeoutMs ?? Number(process.env.RIG_ISSUE_ANALYSIS_TIMEOUT_MS ?? 120000)));
+  const runCommand = input.runCommand ?? createDefaultPiIssueAnalysisCommandRunner();
+  return async ({ prompt }) => {
+    const args = ["--print", "--mode", "json", "--no-session"];
+    const provider = input.provider?.trim() || process.env.RIG_ISSUE_ANALYSIS_PROVIDER?.trim() || process.env.RIG_PI_PROVIDER?.trim();
+    const model = input.model?.trim() || process.env.RIG_ISSUE_ANALYSIS_MODEL?.trim() || process.env.RIG_PI_MODEL?.trim() || "openai-codex/gpt-5.5";
+    if (provider)
+      args.push("--provider", provider);
+    if (model)
+      args.push("--model", model);
+    args.push(prompt);
+    const result = await runCommand(piBinary, args, { timeoutMs, ...input.env ? { env: input.env } : {} });
+    if (result.exitCode !== 0) {
+      throw new Error(`Pi issue analysis failed (exit ${result.exitCode}): ${result.stderr ?? result.stdout}`);
+    }
+    return parseIssueAnalysisResult(result.stdout);
+  };
+}
+function defaultStatusComment(input) {
+  const changes = [
+    input.result.metadataPatch ? "metadata" : null,
+    input.result.labelsToAdd?.length ? `labels added: ${input.result.labelsToAdd.join(", ")}` : null,
+    input.result.labelsToRemove?.length ? `labels removed: ${input.result.labelsToRemove.join(", ")}` : null,
+    input.result.generatedIssues?.length ? `generated issues: ${input.result.generatedIssues.length}` : null
+  ].filter((entry) => Boolean(entry));
+  if (changes.length === 0)
+    return null;
+  return [
+    "<!-- rig:status-comment -->",
+    "### Rig issue analysis",
+    "",
+    `Analyzed issue ${input.issue.id}${input.reason ? ` (${input.reason})` : ""}.`,
+    "",
+    ...changes.map((change) => `- ${change}`)
+  ].join(`
+`);
+}
+function uniqueLabels(labels, required = []) {
+  return [...new Set([...labels ?? [], ...required].map((label) => label.trim()).filter(Boolean))];
+}
+function createIssueAnalysisWriteBack(input) {
+  return async ({ issue, result, reason }) => {
+    if (result.metadataPatch && Object.keys(result.metadataPatch).length > 0) {
+      if (!input.target.updateTask)
+        throw new Error("Issue analysis writeback requires updateTask for metadata patches.");
+      await input.target.updateTask(issue.id, { metadata: result.metadataPatch });
+    }
+    if (result.labelsToAdd?.length) {
+      if (!input.target.addLabels)
+        throw new Error("Issue analysis writeback requires addLabels for labelsToAdd.");
+      await input.target.addLabels(issue.id, uniqueLabels(result.labelsToAdd));
+    }
+    if (result.labelsToRemove?.length) {
+      if (!input.target.removeLabels)
+        throw new Error("Issue analysis writeback requires removeLabels for labelsToRemove.");
+      await input.target.removeLabels(issue.id, uniqueLabels(result.labelsToRemove));
+    }
+    const comment = (input.buildStatusComment ?? defaultStatusComment)({ issue, result, reason });
+    if (comment?.trim()) {
+      if (!input.target.updateTask)
+        throw new Error("Issue analysis writeback requires updateTask for sticky status comments.");
+      await input.target.updateTask(issue.id, { comment });
+    }
+    for (const generated of result.generatedIssues ?? []) {
+      if (!input.target.createIssue)
+        throw new Error("Issue analysis writeback requires createIssue for generated issues.");
+      await input.target.createIssue({
+        title: generated.title,
+        body: generated.dependsOn?.length ? `${generated.body.trimEnd()}
+
+depends-on: ${generated.dependsOn.map((dep) => dep.startsWith("#") ? dep : `#${dep}`).join(", ")}
+` : generated.body,
+        labels: uniqueLabels(generated.labels, ["rig:generated"])
+      });
+    }
+  };
+}
+function sourceWithWriteBackCapabilities(source) {
+  const candidate = source;
+  if (typeof candidate.updateTask !== "function")
+    return null;
+  return {
+    get: candidate.get?.bind(candidate),
+    updateTask: candidate.updateTask.bind(candidate),
+    ...typeof candidate.addLabels === "function" ? { addLabels: candidate.addLabels.bind(candidate) } : {},
+    ...typeof candidate.removeLabels === "function" ? { removeLabels: candidate.removeLabels.bind(candidate) } : {},
+    ...typeof candidate.createIssue === "function" ? { createIssue: candidate.createIssue.bind(candidate) } : {}
+  };
+}
+function issueAnalysisEnabled(config) {
+  const issueAnalysis = config.issueAnalysis;
+  if (!issueAnalysis)
+    return false;
+  if (issueAnalysis.enabled !== true)
+    return false;
+  if (issueAnalysis.mode === "off")
+    return false;
+  if (issueAnalysis.harness && issueAnalysis.harness !== "pi")
+    return false;
+  return true;
+}
+function createConfiguredIssueAnalysisRunner(input) {
+  if (!issueAnalysisEnabled(input.context.config))
+    return null;
+  const source = input.context.taskSourceRegistry.list()[0];
+  if (!source)
+    return null;
+  const target = sourceWithWriteBackCapabilities(source);
+  if (!target)
+    return null;
+  const analyzer = input.analyzer ?? createPiIssueAnalyzer({
+    runCommand: input.runCommand,
+    model: input.context.config.issueAnalysis?.model
+  });
+  const baseWriteBack = createIssueAnalysisWriteBack({ target });
+  const service = createIssueAnalysisService({
+    analyzer,
+    writeBack: async (writeBackInput) => {
+      await baseWriteBack(writeBackInput);
+      await input.onWriteBack?.();
+    }
+  });
+  return createContinuousIssueAnalysisRunner({
+    loadIssues: async () => [...await source.list()],
+    service,
+    intervalMs: input.intervalMs,
+    reason: "continuous-issue-analysis",
+    ...input.setIntervalFn ? { setIntervalFn: input.setIntervalFn } : {},
+    ...input.clearIntervalFn ? { clearIntervalFn: input.clearIntervalFn } : {},
+    ...input.onError ? { onError: input.onError } : {}
+  });
+}
+function createIssueAnalysisService(input) {
+  const analyzedHashes = new Map;
+  return {
+    async analyze(issues, options = {}) {
+      const results = [];
+      const neighbors = options.neighbors ?? issues;
+      for (const issue of issues) {
+        const hash = stableIssueHash(issue);
+        if (analyzedHashes.get(issue.id) === hash)
+          continue;
+        const prompt = renderIssueAnalysisPrompt({ issue, neighbors: neighbors.filter((candidate) => candidate.id !== issue.id) });
+        const result = await input.analyzer({ issue, neighbors, prompt });
+        analyzedHashes.set(issue.id, hash);
+        if (result.metadataPatch || result.labelsToAdd?.length || result.labelsToRemove?.length || result.generatedIssues?.length) {
+          await input.writeBack?.({ issue, result, reason: options.reason });
+        }
+        results.push({ issue, result });
+      }
+      return results;
+    },
+    clearCache() {
+      analyzedHashes.clear();
+    }
+  };
+}
+function createContinuousIssueAnalysisRunner(input) {
+  const intervalMs = Math.max(1000, Math.trunc(input.intervalMs ?? 60000));
+  const setIntervalFn = input.setIntervalFn ?? ((callback, ms) => setInterval(() => {
+    callback();
+  }, ms));
+  const clearIntervalFn = input.clearIntervalFn ?? ((timer2) => clearInterval(timer2));
+  let timer;
+  let running = false;
+  let inFlight = null;
+  const tick = async (reason = input.reason ?? "continuous") => {
+    if (inFlight)
+      return inFlight;
+    inFlight = (async () => {
+      const issues = await input.loadIssues();
+      return input.service.analyze(issues, { reason });
+    })();
+    try {
+      return await inFlight;
+    } finally {
+      inFlight = null;
+    }
+  };
+  return {
+    start() {
+      if (running)
+        return;
+      running = true;
+      timer = setIntervalFn(async () => {
+        try {
+          await tick();
+        } catch (error) {
+          input.onError?.(error);
+        }
+      }, intervalMs);
+    },
+    stop() {
+      if (!running)
+        return;
+      running = false;
+      if (timer !== undefined)
+        clearIntervalFn(timer);
+      timer = undefined;
+    },
+    tick,
+    isRunning() {
+      return running;
+    }
+  };
+}
+// packages/github-provider-plugin/src/triage-run.ts
+import { buildPluginHostContext } from "@rig/runtime/control-plane/plugin-host-context";
+function summarizeResults(results) {
+  return results.reduce((summary, entry) => {
+    if (entry.result.metadataPatch && Object.keys(entry.result.metadataPatch).length > 0) {
+      summary.metadataPatches += 1;
+    }
+    summary.labelsAdded += entry.result.labelsToAdd?.length ?? 0;
+    summary.labelsRemoved += entry.result.labelsToRemove?.length ?? 0;
+    summary.generatedIssues += entry.result.generatedIssues?.length ?? 0;
+    return summary;
+  }, { metadataPatches: 0, labelsAdded: 0, labelsRemoved: 0, generatedIssues: 0 });
+}
+async function loadContext(projectRoot) {
+  const context = await buildPluginHostContext(projectRoot);
+  if (!context)
+    return null;
+  return {
+    config: context.config,
+    taskSourceRegistry: context.taskSourceRegistry
+  };
+}
+async function runIssueAnalysisTriage(options) {
+  const reason = options.reason?.trim() || "triage";
+  const context = options.context ?? await loadContext(options.projectRoot);
+  if (!context) {
+    return {
+      ok: true,
+      enabled: false,
+      reason,
+      sourceId: null,
+      sourceKind: null,
+      analyzedIssues: 0,
+      metadataPatches: 0,
+      labelsAdded: 0,
+      labelsRemoved: 0,
+      generatedIssues: 0,
+      writeBackRefreshes: 0,
+      refreshedIssueCount: null,
+      skippedReason: "no-config"
+    };
+  }
+  const source = context.taskSourceRegistry.list()[0] ?? null;
+  const sourceId = source?.id ?? null;
+  const sourceKind = source?.kind ?? null;
+  if (!issueAnalysisEnabled(context.config)) {
+    return {
+      ok: true,
+      enabled: false,
+      reason,
+      sourceId,
+      sourceKind,
+      analyzedIssues: 0,
+      metadataPatches: 0,
+      labelsAdded: 0,
+      labelsRemoved: 0,
+      generatedIssues: 0,
+      writeBackRefreshes: 0,
+      refreshedIssueCount: null,
+      skippedReason: "disabled"
+    };
+  }
+  if (!source) {
+    throw new Error("Issue analysis is enabled, but no configured task source is registered.");
+  }
+  let writeBackRefreshes = 0;
+  let refreshedIssueCount = null;
+  const refreshSnapshotAfterWriteBack = async () => {
+    writeBackRefreshes += 1;
+    const refreshed = await source.list();
+    refreshedIssueCount = refreshed.length;
+    await options.onWriteBack?.();
+  };
+  const runner = createConfiguredIssueAnalysisRunner({
+    projectRoot: options.projectRoot,
+    context,
+    analyzer: options.analyzer,
+    runCommand: options.runCommand,
+    onWriteBack: refreshSnapshotAfterWriteBack
+  });
+  if (!runner) {
+    throw new Error(`Issue analysis is enabled for ${sourceKind ?? "the configured source"}, but that task source does not expose Rig write-back capabilities.`);
+  }
+  const results = await runner.tick(reason);
+  const summary = summarizeResults(results);
+  return {
+    ok: true,
+    enabled: true,
+    reason,
+    sourceId,
+    sourceKind,
+    analyzedIssues: results.length,
+    ...summary,
+    writeBackRefreshes,
+    refreshedIssueCount
+  };
+}
+// packages/github-provider-plugin/src/plugin.ts
+import { definePlugin } from "@rig/core/config";
+import { GITHUB_PROVIDER_CAPABILITY_ID } from "@rig/contracts";
+var GITHUB_PROVIDER_PLUGIN_NAME = "@rig/github-provider-plugin";
+var githubProviderPlugin = definePlugin({
+  name: GITHUB_PROVIDER_PLUGIN_NAME,
+  version: "0.0.0-alpha.1",
+  contributes: {
+    capabilities: [
+      {
+        id: GITHUB_PROVIDER_CAPABILITY_ID,
+        title: "GitHub SCM provider",
+        description: "Resolve GitHub credentials for the configured SCM provider.",
+        run: async () => (await Promise.resolve().then(() => (init_service(), exports_service))).githubProviderService
+      }
+    ]
+  }
+});
+function createGitHubProviderPlugin() {
+  return githubProviderPlugin;
+}
+export {
+  updateIssueProjectStatus,
+  saveGitHubTokenForProject,
+  runIssueAnalysisTriage,
+  resolveProjectStatusField,
+  resolveGitHubAuthStatus,
+  resolveGitHubAuthStateFile,
+  renderIssueAnalysisPrompt,
+  probeGitHubRepository,
+  pollGitHubDeviceFlow,
+  parseIssueAnalysisResult,
+  listGitHubProjects,
+  issueAnalysisEnabled,
+  githubProviderPlugin,
+  fetchGitHubUserInfo,
+  ensureIssueProjectItem,
+  createStateGitHubCredentialProvider,
+  createPiIssueAnalyzer,
+  createIssueAnalysisWriteBack,
+  createIssueAnalysisService,
+  createGitHubProviderPlugin,
+  createGitHubCredentialProvider,
+  createGitHubAuthStoreFromStateFile,
+  createGitHubAuthStore,
+  createEnvGitHubCredentialProvider,
+  createDefaultPiIssueAnalysisCommandRunner,
+  createContinuousIssueAnalysisRunner,
+  createConfiguredIssueAnalysisRunner,
+  copyGitHubAuthStateToLocalProjectRoot,
+  checkGitHubRepoPermissions,
+  beginGitHubDeviceFlow,
+  GITHUB_PROVIDER_PLUGIN_NAME
+};