@h-rig/github-provider-plugin 0.0.6-alpha.157 → 0.0.6-alpha.159

package/dist/src/index.js

@@ -15,715 +15,6 @@ var __export = (target, all) => {
 };
 var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
 
-// packages/github-provider-plugin/src/credentials.ts
-import { existsSync as existsSync2, readFileSync as readFileSync2 } from "fs";
-import { resolve as resolve2 } from "path";
-function selectedRepoTokenKey(input) {
-  return `user:${input.userId}|repo:${input.owner}/${input.repo}|workspace:${input.workspaceId}`;
-}
-function cleanToken(value) {
-  const trimmed = value?.trim() ?? "";
-  return trimmed.length > 0 ? trimmed : null;
-}
-function createGitHubCredentialProvider(options = {}) {
-  const sessionTokens = options.sessionTokens ?? {};
-  const hostToken = cleanToken(options.hostToken ?? process.env.GH_TOKEN ?? null);
-  return {
-    async resolveGitHubToken(input) {
-      const owner = input.owner.trim();
-      const repo = input.repo.trim();
-      const workspaceId = input.workspaceId.trim();
-      const userId = input.userId?.trim() ?? "";
-      if (input.purpose === "selected-repo") {
-        if (!owner || !repo || !workspaceId || !userId) {
-          throw new Error("No signed-in GitHub token is available for the selected repo; sign in to GitHub for this workspace.");
-        }
-        const token = cleanToken(sessionTokens[selectedRepoTokenKey({ owner, repo, workspaceId, userId })]);
-        if (!token) {
-          throw new Error("No signed-in GitHub token is available for the selected repo; sign in to GitHub for this workspace.");
-        }
-        return { token, source: "signed-in-user" };
-      }
-      if (hostToken) {
-        return { token: hostToken, source: "host-admin-fallback" };
-      }
-      throw new Error("No host GitHub token is configured for the explicit admin fallback operation.");
-    }
-  };
-}
-function createEnvGitHubCredentialProvider() {
-  return {
-    async resolveGitHubToken(input) {
-      if (input.purpose === "selected-repo") {
-        return { token: cleanToken(process.env.RIG_GITHUB_SELECTED_TOKEN ?? null) ?? "", source: "signed-in-user" };
-      }
-      const token = cleanToken(process.env.RIG_GITHUB_TOKEN ?? process.env.GH_TOKEN ?? process.env.GITHUB_TOKEN ?? null);
-      if (!token) {
-        throw new Error("No host GitHub token is configured for admin fallback.");
-      }
-      return { token, source: "host-admin-fallback" };
-    }
-  };
-}
-function createStateGitHubCredentialProvider(options = {}) {
-  const addCandidate = (candidates, path) => {
-    const trimmed = path?.trim();
-    if (!trimmed)
-      return;
-    const resolved = resolve2(trimmed);
-    if (!candidates.includes(resolved))
-      candidates.push(resolved);
-  };
-  const addStateDir = (candidates, dir) => {
-    const trimmed = dir?.trim();
-    if (!trimmed)
-      return;
-    addCandidate(candidates, resolve2(trimmed, "github-auth.json"));
-  };
-  const addProjectStateDir = (candidates, root) => {
-    const trimmed = root?.trim();
-    if (!trimmed)
-      return;
-    addStateDir(candidates, resolve2(trimmed, ".rig", "state"));
-  };
-  const stateFileCandidates = () => {
-    const candidates = [];
-    addCandidate(candidates, options.stateFile ?? process.env.RIG_GITHUB_AUTH_STATE_FILE);
-    addStateDir(candidates, options.stateDir);
-    addStateDir(candidates, process.env.RIG_STATE_DIR);
-    addProjectStateDir(candidates, process.env.PROJECT_RIG_ROOT);
-    addProjectStateDir(candidates, process.env.RIG_PROJECT_ROOT);
-    addProjectStateDir(candidates, process.env.RIG_HOST_PROJECT_ROOT);
-    addProjectStateDir(candidates, process.cwd());
-    return candidates;
-  };
-  const readToken = () => {
-    for (const stateFile of stateFileCandidates()) {
-      if (!existsSync2(stateFile))
-        continue;
-      try {
-        const parsed = JSON.parse(readFileSync2(stateFile, "utf8"));
-        const token = typeof parsed.token === "string" ? cleanToken(parsed.token) : null;
-        if (token)
-          return token;
-      } catch {}
-    }
-    return null;
-  };
-  return {
-    async resolveGitHubToken(input) {
-      const token = readToken();
-      if (input.purpose === "selected-repo") {
-        return { token: token ?? cleanToken(process.env.RIG_GITHUB_SELECTED_TOKEN ?? null) ?? "", source: "signed-in-user" };
-      }
-      if (token) {
-        return { token, source: "signed-in-user" };
-      }
-      const fallback = cleanToken(process.env.RIG_GITHUB_TOKEN ?? process.env.GH_TOKEN ?? process.env.GITHUB_TOKEN ?? null);
-      if (!fallback) {
-        throw new Error("No signed-in GitHub token is stored for Rig and no host admin fallback token is configured.");
-      }
-      return { token: fallback, source: "host-admin-fallback" };
-    }
-  };
-}
-var init_credentials = () => {};
-
-// packages/github-provider-plugin/src/service.ts
-var exports_service = {};
-__export(exports_service, {
-  githubProviderService: () => githubProviderService
-});
-var githubProviderService;
-var init_service = __esm(() => {
-  init_credentials();
-  githubProviderService = {
-    createCredentialProvider: (options) => createGitHubCredentialProvider(options)
-  };
-});
-
-// packages/github-provider-plugin/src/auth-store.ts
-import { randomBytes } from "crypto";
-import { chmodSync, copyFileSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
-import { dirname, resolve } from "path";
-import { resolveRigStatePaths } from "@rig/runtime/control-plane/server-paths";
-function cleanString(value) {
-  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
-}
-function cleanScopes(value) {
-  if (!Array.isArray(value))
-    return [];
-  return value.flatMap((entry) => {
-    const clean = cleanString(entry);
-    return clean ? [clean] : [];
-  });
-}
-function parseApiSessions(value) {
-  if (!Array.isArray(value))
-    return [];
-  return value.flatMap((entry) => {
-    if (!entry || typeof entry !== "object" || Array.isArray(entry))
-      return [];
-    const record = entry;
-    const token = cleanString(record.token);
-    if (!token)
-      return [];
-    return [{
-      token,
-      login: cleanString(record.login),
-      userId: cleanString(record.userId),
-      createdAt: cleanString(record.createdAt) ?? undefined
-    }];
-  });
-}
-function parsePendingDevice(value) {
-  if (!value || typeof value !== "object")
-    return null;
-  const record = value;
-  const pollId = cleanString(record.pollId);
-  const deviceCode = cleanString(record.deviceCode);
-  const expiresAt = cleanString(record.expiresAt);
-  const intervalSeconds = typeof record.intervalSeconds === "number" && Number.isFinite(record.intervalSeconds) ? Math.max(1, Math.floor(record.intervalSeconds)) : null;
-  if (!pollId || !deviceCode || !expiresAt || !intervalSeconds)
-    return null;
-  return { pollId, deviceCode, expiresAt, intervalSeconds };
-}
-function parsePendingDevices(value) {
-  if (!Array.isArray(value))
-    return [];
-  return value.flatMap((entry) => {
-    const pending = parsePendingDevice(entry);
-    return pending ? [pending] : [];
-  });
-}
-function readStoredAuth(stateFile) {
-  if (!existsSync(stateFile))
-    return {};
-  try {
-    const parsed = JSON.parse(readFileSync(stateFile, "utf8"));
-    return {
-      ...cleanString(parsed.token) ? { token: cleanString(parsed.token) } : {},
-      login: cleanString(parsed.login),
-      userId: cleanString(parsed.userId),
-      scopes: cleanScopes(parsed.scopes),
-      selectedRepo: cleanString(parsed.selectedRepo),
-      tokenSource: parsed.tokenSource === "oauth-device" || parsed.tokenSource === "manual-token" || parsed.tokenSource === "env" ? parsed.tokenSource : undefined,
-      pendingDevice: parsePendingDevice(parsed.pendingDevice),
-      pendingDevices: parsePendingDevices(parsed.pendingDevices),
-      apiSessions: parseApiSessions(parsed.apiSessions),
-      updatedAt: cleanString(parsed.updatedAt) ?? undefined
-    };
-  } catch {
-    return {};
-  }
-}
-function newApiSessionToken() {
-  return `rig_${randomBytes(32).toString("base64url")}`;
-}
-function writeStoredAuth(stateFile, payload) {
-  mkdirSync(dirname(stateFile), { recursive: true });
-  writeFileSync(stateFile, `${JSON.stringify(payload, null, 2)}
-`, { encoding: "utf8", mode: 384 });
-  try {
-    chmodSync(stateFile, 384);
-  } catch {}
-}
-function localProjectAuthStateFile(projectRoot) {
-  return resolve(projectRoot, ".rig", "state", "github-auth.json");
-}
-function resolveGitHubAuthStateFile(projectRoot) {
-  return resolve(resolveRigStatePaths(projectRoot).stateDir, "github-auth.json");
-}
-function copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot) {
-  const targetFile = localProjectAuthStateFile(projectRoot);
-  mkdirSync(dirname(targetFile), { recursive: true });
-  if (existsSync(stateFile)) {
-    copyFileSync(stateFile, targetFile);
-    try {
-      chmodSync(targetFile, 384);
-    } catch {}
-    return;
-  }
-  writeStoredAuth(targetFile, {});
-}
-function createGitHubAuthStoreFromStateFile(stateFile) {
-  return {
-    stateFile,
-    status(options) {
-      const stored = readStoredAuth(stateFile);
-      const token = cleanString(stored.token);
-      return {
-        signedIn: Boolean(token),
-        login: cleanString(stored.login),
-        userId: cleanString(stored.userId),
-        scopes: cleanScopes(stored.scopes),
-        selectedRepo: cleanString(stored.selectedRepo),
-        oauthConfigured: options?.oauthConfigured === true,
-        tokenSource: token ? stored.tokenSource ?? "manual-token" : null
-      };
-    },
-    readToken() {
-      return cleanString(readStoredAuth(stateFile).token);
-    },
-    saveToken(input) {
-      const previous = readStoredAuth(stateFile);
-      writeStoredAuth(stateFile, {
-        ...previous,
-        token: input.token,
-        tokenSource: input.tokenSource,
-        login: input.login ?? null,
-        userId: input.userId ?? null,
-        scopes: input.scopes ?? [],
-        selectedRepo: input.selectedRepo ?? previous.selectedRepo ?? null,
-        pendingDevice: null,
-        pendingDevices: [],
-        apiSessions: previous.apiSessions ?? [],
-        updatedAt: new Date().toISOString()
-      });
-    },
-    createApiSession() {
-      const previous = readStoredAuth(stateFile);
-      const token = newApiSessionToken();
-      const session = {
-        token,
-        login: cleanString(previous.login),
-        userId: cleanString(previous.userId),
-        createdAt: new Date().toISOString()
-      };
-      writeStoredAuth(stateFile, {
-        ...previous,
-        apiSessions: [...(previous.apiSessions ?? []).slice(-9), session],
-        updatedAt: new Date().toISOString()
-      });
-      return { token, login: session.login ?? null, userId: session.userId ?? null };
-    },
-    readApiSession(token) {
-      const clean = cleanString(token);
-      if (!clean)
-        return null;
-      const previous = readStoredAuth(stateFile);
-      const session = (previous.apiSessions ?? []).find((candidate) => candidate.token === clean);
-      return session ? { login: cleanString(session.login), userId: cleanString(session.userId) } : null;
-    },
-    copyToProjectRoot(projectRoot) {
-      const targetFile = resolveGitHubAuthStateFile(projectRoot);
-      writeStoredAuth(targetFile, readStoredAuth(stateFile));
-    },
-    copyToLocalProjectRoot(projectRoot) {
-      copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot);
-    },
-    savePendingDevice(input) {
-      const previous = readStoredAuth(stateFile);
-      const pendingDevices = [
-        ...previous.pendingDevice ? [previous.pendingDevice] : [],
-        ...previous.pendingDevices ?? [],
-        input
-      ].filter((entry, index, entries) => entries.findIndex((candidate) => candidate.pollId === entry.pollId) === index);
-      writeStoredAuth(stateFile, {
-        ...previous,
-        pendingDevice: null,
-        pendingDevices,
-        updatedAt: new Date().toISOString()
-      });
-    },
-    saveSelectedRepo(selectedRepo) {
-      const previous = readStoredAuth(stateFile);
-      writeStoredAuth(stateFile, {
-        ...previous,
-        selectedRepo: selectedRepo ?? null,
-        updatedAt: new Date().toISOString()
-      });
-    },
-    readPendingDevice(pollId) {
-      const previous = readStoredAuth(stateFile);
-      const pending = [
-        ...previous.pendingDevice ? [previous.pendingDevice] : [],
-        ...previous.pendingDevices ?? []
-      ].find((entry) => entry.pollId === pollId) ?? null;
-      if (!pending)
-        return null;
-      if (Date.parse(pending.expiresAt) <= Date.now())
-        return null;
-      return pending;
-    },
-    clearPendingDevice(pollId) {
-      const previous = readStoredAuth(stateFile);
-      const remaining = pollId ? (previous.pendingDevices ?? []).filter((entry) => entry.pollId !== pollId) : [];
-      writeStoredAuth(stateFile, {
-        ...previous,
-        pendingDevice: null,
-        pendingDevices: remaining,
-        updatedAt: new Date().toISOString()
-      });
-    }
-  };
-}
-function createGitHubAuthStore(projectRoot) {
-  return createGitHubAuthStoreFromStateFile(resolveGitHubAuthStateFile(projectRoot));
-}
-
-// packages/github-provider-plugin/src/index.ts
-init_credentials();
-
-// packages/github-provider-plugin/src/projects.ts
-function asRecord(value) {
-  return value && typeof value === "object" && !Array.isArray(value) ? value : null;
-}
-function asString(value) {
-  return typeof value === "string" && value.trim().length > 0 ? value : undefined;
-}
-function asNumber(value) {
-  return typeof value === "number" && Number.isFinite(value) ? value : undefined;
-}
-async function defaultGraphQLFetch(query, variables, token) {
-  const response = await fetch("https://api.github.com/graphql", {
-    method: "POST",
-    headers: {
-      "content-type": "application/json",
-      authorization: `Bearer ${token}`,
-      accept: "application/vnd.github+json"
-    },
-    body: JSON.stringify({ query, variables })
-  });
-  const json = await response.json().catch(() => ({}));
-  if (!response.ok || json.errors) {
-    throw new Error(`GitHub Projects GraphQL request failed: ${JSON.stringify(json.errors ?? { status: response.status })}`);
-  }
-  return json.data;
-}
-function projectNodesFrom(data) {
-  const root = asRecord(data);
-  const owner = asRecord(root?.organization) ?? asRecord(root?.user);
-  const projects = asRecord(owner?.projectsV2);
-  const nodes = projects?.nodes;
-  return Array.isArray(nodes) ? nodes : [];
-}
-async function listGitHubProjects(input) {
-  const query = `
-    query RigListProjects($owner: String!, $first: Int!) {
-      organization(login: $owner) { projectsV2(first: $first, orderBy: { field: UPDATED_AT, direction: DESC }) { nodes { id number title url } } }
-      user(login: $owner) { projectsV2(first: $first, orderBy: { field: UPDATED_AT, direction: DESC }) { nodes { id number title url } } }
-    }
-  `;
-  const fetchGraphQL = input.fetchGraphQL ?? defaultGraphQLFetch;
-  const data = await fetchGraphQL(query, { owner: input.owner, first: input.first ?? 20 }, input.token);
-  return projectNodesFrom(data).flatMap((node) => {
-    const record = asRecord(node);
-    const id = asString(record?.id);
-    const number = asNumber(record?.number);
-    const title = asString(record?.title);
-    if (!id || number === undefined || !title)
-      return [];
-    return [{ id, number, title, ...asString(record?.url) ? { url: asString(record?.url) } : {} }];
-  });
-}
-async function resolveProjectStatusField(input) {
-  const query = `
-    query RigProjectStatusField($projectId: ID!) {
-      node(id: $projectId) {
-        ... on ProjectV2 {
-          fields(first: 50) {
-            nodes {
-              ... on ProjectV2FieldCommon { id name }
-              ... on ProjectV2SingleSelectField { id name options { id name } }
-            }
-          }
-        }
-      }
-    }
-  `;
-  const fetchGraphQL = input.fetchGraphQL ?? defaultGraphQLFetch;
-  const data = await fetchGraphQL(query, { projectId: input.projectId }, input.token);
-  const fields = asRecord(asRecord(asRecord(data)?.node)?.fields)?.nodes;
-  for (const node of Array.isArray(fields) ? fields : []) {
-    const record = asRecord(node);
-    if (asString(record?.name)?.toLowerCase() !== "status")
-      continue;
-    const id = asString(record?.id);
-    if (!id)
-      continue;
-    const options = Array.isArray(record?.options) ? record.options.flatMap((option) => {
-      const optionRecord = asRecord(option);
-      const optionId = asString(optionRecord?.id);
-      const name = asString(optionRecord?.name);
-      return optionId && name ? [{ id: optionId, name }] : [];
-    }) : [];
-    return { id, name: "Status", options };
-  }
-  throw new Error(`GitHub Project ${input.projectId} does not expose a Status single-select field.`);
-}
-async function ensureIssueProjectItem(input) {
-  const query = `
-    query RigFindProjectIssueItem($projectId: ID!, $issueNodeId: ID!) {
-      node(id: $projectId) {
-        ... on ProjectV2 {
-          items(first: 100) { nodes { id content { ... on Issue { id } } } }
-        }
-      }
-    }
-  `;
-  const fetchGraphQL = input.fetchGraphQL ?? defaultGraphQLFetch;
-  const data = await fetchGraphQL(query, { projectId: input.projectId, issueNodeId: input.issueNodeId }, input.token);
-  const nodes = asRecord(asRecord(asRecord(data)?.node)?.items)?.nodes;
-  for (const node of Array.isArray(nodes) ? nodes : []) {
-    const record = asRecord(node);
-    const content = asRecord(record?.content);
-    if (asString(content?.id) === input.issueNodeId) {
-      const id2 = asString(record?.id);
-      if (id2)
-        return { id: id2, created: false };
-    }
-  }
-  const mutation = `
-    mutation RigAddIssueToProject($projectId: ID!, $contentId: ID!) {
-      addProjectV2ItemById(input: { projectId: $projectId, contentId: $contentId }) { item { id } }
-    }
-  `;
-  const created = await fetchGraphQL(mutation, { projectId: input.projectId, contentId: input.issueNodeId }, input.token);
-  const addResult = asRecord(asRecord(created)?.addProjectV2ItemById);
-  const id = asString(asRecord(addResult?.item)?.id);
-  if (!id)
-    throw new Error("GitHub Project item creation did not return an item id.");
-  return { id, created: true };
-}
-async function updateIssueProjectStatus(input) {
-  const mutation = `
-    mutation RigUpdateProjectStatus($projectId: ID!, $itemId: ID!, $fieldId: ID!, $optionId: String!) {
-      updateProjectV2ItemFieldValue(input: {
-        projectId: $projectId,
-        itemId: $itemId,
-        fieldId: $fieldId,
-        value: { singleSelectOptionId: $optionId }
-      }) { projectV2Item { id } }
-    }
-  `;
-  const fetchGraphQL = input.fetchGraphQL ?? defaultGraphQLFetch;
-  await fetchGraphQL(mutation, {
-    projectId: input.projectId,
-    itemId: input.itemId,
-    fieldId: input.fieldId,
-    optionId: input.optionId
-  }, input.token);
-}
-// packages/github-provider-plugin/src/github-api.ts
-import { randomUUID } from "crypto";
-function normalizeString(value) {
-  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
-}
-function normalizeScopes(value) {
-  if (Array.isArray(value)) {
-    return value.flatMap((entry) => {
-      const normalized = normalizeString(entry);
-      return normalized ? [normalized] : [];
-    });
-  }
-  if (typeof value === "string") {
-    return value.split(/[ ,]+/).map((entry) => entry.trim()).filter(Boolean);
-  }
-  return [];
-}
-async function defaultPostGitHubForm(endpoint, body) {
-  const response = await fetch(endpoint, {
-    method: "POST",
-    headers: {
-      accept: "application/json",
-      "content-type": "application/x-www-form-urlencoded",
-      "user-agent": "rig"
-    },
-    body: new URLSearchParams(body)
-  });
-  const payload = await response.json().catch(() => ({}));
-  return { status: response.status, payload };
-}
-async function fetchGitHubUserInfo(token) {
-  const response = await fetch("https://api.github.com/user", {
-    headers: {
-      accept: "application/vnd.github+json",
-      authorization: `Bearer ${token}`,
-      "user-agent": "rig"
-    }
-  });
-  const payload = await response.json().catch(() => ({}));
-  if (!response.ok) {
-    throw new Error(typeof payload.message === "string" ? payload.message : `GitHub user lookup failed (${response.status}).`);
-  }
-  const login = normalizeString(payload.login);
-  const id = typeof payload.id === "number" ? String(payload.id) : normalizeString(payload.id);
-  if (!login || !id) {
-    throw new Error("GitHub user lookup did not return login/id.");
-  }
-  return { login, id, scopes: normalizeScopes(response.headers.get("x-oauth-scopes")) };
-}
-function resolveGitHubAuthStatus(input) {
-  return createGitHubAuthStore(input.projectRoot).status({ oauthConfigured: input.oauthConfigured });
-}
-async function saveGitHubTokenForProject(input) {
-  const token = normalizeString(input.token);
-  if (!token) {
-    throw new Error("token is required");
-  }
-  const user = await (input.fetchUser ?? fetchGitHubUserInfo)(token);
-  const store = createGitHubAuthStore(input.projectRoot);
-  store.saveToken({
-    token,
-    tokenSource: input.tokenSource ?? "manual-token",
-    login: user.login,
-    userId: user.id,
-    scopes: user.scopes ?? [],
-    selectedRepo: input.selectedRepo ?? undefined
-  });
-  return { ok: true, ...store.status({ oauthConfigured: true }) };
-}
-async function beginGitHubDeviceFlow(input) {
-  const clientId = normalizeString(input.clientId);
-  if (!clientId) {
-    throw new Error("clientId is required");
-  }
-  const postForm = input.postForm ?? defaultPostGitHubForm;
-  const result = await postForm("https://github.com/login/device/code", {
-    client_id: clientId,
-    scope: normalizeString(input.scope) ?? "repo read:project user:email"
-  });
-  const deviceCode = normalizeString(result.payload.device_code);
-  if (result.status < 200 || result.status >= 300 || !deviceCode) {
-    throw new Error(normalizeString(result.payload.error_description) ?? "GitHub device flow start failed.");
-  }
-  const expiresIn = typeof result.payload.expires_in === "number" ? result.payload.expires_in : 900;
-  const intervalSeconds = typeof result.payload.interval === "number" ? result.payload.interval : 5;
-  const pollId = randomUUID();
-  createGitHubAuthStore(input.projectRoot).savePendingDevice({
-    pollId,
-    deviceCode,
-    expiresAt: new Date(Date.now() + expiresIn * 1000).toISOString(),
-    intervalSeconds
-  });
-  if (input.selectedRepo) {
-    createGitHubAuthStore(input.projectRoot).saveSelectedRepo(input.selectedRepo);
-  }
-  return {
-    ok: true,
-    pollId,
-    userCode: normalizeString(result.payload.user_code),
-    verificationUri: normalizeString(result.payload.verification_uri),
-    expiresIn,
-    intervalSeconds
-  };
-}
-async function pollGitHubDeviceFlow(input) {
-  const clientId = normalizeString(input.clientId);
-  if (!clientId) {
-    throw new Error("clientId is required");
-  }
-  const store = createGitHubAuthStore(input.projectRoot);
-  const pending = store.readPendingDevice(input.pollId);
-  if (!pending) {
-    return { ok: false, status: "expired", error: "GitHub device flow expired or unknown." };
-  }
-  const result = await (input.postForm ?? defaultPostGitHubForm)("https://github.com/login/oauth/access_token", {
-    client_id: clientId,
-    device_code: pending.deviceCode,
-    grant_type: "urn:ietf:params:oauth:grant-type:device_code"
-  });
-  const error = normalizeString(result.payload.error);
-  if (error === "authorization_pending" || error === "slow_down") {
-    return {
-      ok: false,
-      status: error === "slow_down" ? "slow-down" : "pending",
-      intervalSeconds: error === "slow_down" ? pending.intervalSeconds + 5 : pending.intervalSeconds
-    };
-  }
-  if (error || typeof result.payload.access_token !== "string") {
-    return {
-      ok: false,
-      status: "error",
-      error: normalizeString(result.payload.error_description) ?? "GitHub device authorization failed."
-    };
-  }
-  const token = result.payload.access_token;
-  const user = await (input.fetchUser ?? fetchGitHubUserInfo)(token);
-  store.saveToken({
-    token,
-    tokenSource: "oauth-device",
-    login: user.login,
-    userId: user.id,
-    scopes: user.scopes ?? normalizeScopes(result.payload.scope),
-    selectedRepo: input.selectedRepo ?? undefined
-  });
-  store.clearPendingDevice(input.pollId);
-  return { ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }) };
-}
-function checkGitHubRepoPermissions(input) {
-  const store = createGitHubAuthStore(input.projectRoot);
-  const auth = store.status({ oauthConfigured: input.oauthConfigured });
-  if (!auth.signedIn) {
-    return { ok: false, signedIn: false, canOpenPullRequest: false, reason: "not-authenticated" };
-  }
-  const normalizedScopes = auth.scopes.map((scope) => scope.toLowerCase());
-  const broadEnough = normalizedScopes.includes("repo") || normalizedScopes.includes("public_repo");
-  return {
-    ok: true,
-    signedIn: true,
-    login: auth.login,
-    scopes: auth.scopes,
-    canOpenPullRequest: broadEnough,
-    pullRequests: broadEnough,
-    push: broadEnough,
-    reason: broadEnough ? "stored-token" : "token-scope-unverified"
-  };
-}
-async function probeGitHubRepository(input) {
-  const headers = {
-    accept: "application/vnd.github+json",
-    "user-agent": "rig"
-  };
-  if (input.token) {
-    headers.authorization = `Bearer ${input.token}`;
-  }
-  try {
-    const response = await (input.fetchRepository ?? fetch)(`https://api.github.com/repos/${encodeURIComponent(input.owner)}/${encodeURIComponent(input.repo)}`, { headers });
-    const payload = await response.json().catch(() => ({}));
-    if (response.ok) {
-      return {
-        ok: true,
-        owner: input.owner,
-        repo: input.repo,
-        status: response.status,
-        authenticated: Boolean(input.token),
-        authenticationRequired: payload.private === true && !input.token,
-        fullName: typeof payload.full_name === "string" ? payload.full_name : `${input.owner}/${input.repo}`,
-        private: typeof payload.private === "boolean" ? payload.private : null,
-        message: input.token ? "Repository access verified with signed-in GitHub credentials." : "Public repository access verified without credentials.",
-        scopes: input.scopes
-      };
-    }
-    const authenticationRequired = !input.token && (response.status === 401 || response.status === 403 || response.status === 404);
-    return {
-      ok: false,
-      owner: input.owner,
-      repo: input.repo,
-      status: response.status,
-      authenticated: Boolean(input.token),
-      authenticationRequired,
-      fullName: null,
-      private: null,
-      message: authenticationRequired ? "Repository is private, missing, or inaccessible without GitHub sign-in. Sign in before saving this config." : typeof payload.message === "string" ? payload.message : `GitHub repository probe failed (${response.status}).`,
-      scopes: input.scopes
-    };
-  } catch (error) {
-    return {
-      ok: false,
-      owner: input.owner,
-      repo: input.repo,
-      status: 0,
-      authenticated: Boolean(input.token),
-      authenticationRequired: !input.token,
-      fullName: null,
-      private: null,
-      message: error instanceof Error ? error.message : "GitHub repository probe failed.",
-      scopes: input.scopes
-    };
-  }
-}
 // packages/github-provider-plugin/src/issue-analysis.ts
 import { createHash } from "crypto";
 function stableIssueHash(issue) {
@@ -945,7 +236,7 @@ function createIssueAnalysisWriteBack(input) {
         throw new Error("Issue analysis writeback requires removeLabels for labelsToRemove.");
       await input.target.removeLabels(issue.id, uniqueLabels(result.labelsToRemove));
     }
-    const comment = (input.buildStatusComment ?? defaultStatusComment)({ issue, result, reason });
+    const comment = (input.buildStatusComment ?? defaultStatusComment)({ issue, result, ...reason !== undefined ? { reason } : {} });
     if (comment?.trim()) {
       if (!input.target.updateTask)
         throw new Error("Issue analysis writeback requires updateTask for sticky status comments.");
@@ -970,7 +261,7 @@ function sourceWithWriteBackCapabilities(source) {
   if (typeof candidate.updateTask !== "function")
     return null;
   return {
-    get: candidate.get?.bind(candidate),
+    ...typeof candidate.get === "function" ? { get: candidate.get.bind(candidate) } : {},
     updateTask: candidate.updateTask.bind(candidate),
     ...typeof candidate.addLabels === "function" ? { addLabels: candidate.addLabels.bind(candidate) } : {},
     ...typeof candidate.removeLabels === "function" ? { removeLabels: candidate.removeLabels.bind(candidate) } : {},
@@ -999,8 +290,8 @@ function createConfiguredIssueAnalysisRunner(input) {
   if (!target)
     return null;
   const analyzer = input.analyzer ?? createPiIssueAnalyzer({
-    runCommand: input.runCommand,
-    model: input.context.config.issueAnalysis?.model
+    ...input.runCommand ? { runCommand: input.runCommand } : {},
+    ...input.context.config.issueAnalysis?.model ? { model: input.context.config.issueAnalysis.model } : {}
   });
   const baseWriteBack = createIssueAnalysisWriteBack({ target });
   const service = createIssueAnalysisService({
@@ -1013,7 +304,7 @@ function createConfiguredIssueAnalysisRunner(input) {
   return createContinuousIssueAnalysisRunner({
     loadIssues: async () => [...await source.list()],
     service,
-    intervalMs: input.intervalMs,
+    ...input.intervalMs !== undefined ? { intervalMs: input.intervalMs } : {},
     reason: "continuous-issue-analysis",
     ...input.setIntervalFn ? { setIntervalFn: input.setIntervalFn } : {},
     ...input.clearIntervalFn ? { clearIntervalFn: input.clearIntervalFn } : {},
@@ -1034,7 +325,7 @@ function createIssueAnalysisService(input) {
         const result = await input.analyzer({ issue, neighbors, prompt });
         analyzedHashes.set(issue.id, hash);
         if (result.metadataPatch || result.labelsToAdd?.length || result.labelsToRemove?.length || result.generatedIssues?.length) {
-          await input.writeBack?.({ issue, result, reason: options.reason });
+          await input.writeBack?.({ issue, result, ...options.reason !== undefined ? { reason: options.reason } : {} });
         }
         results.push({ issue, result });
       }
@@ -1094,8 +385,14 @@ function createContinuousIssueAnalysisRunner(input) {
     }
   };
 }
+var init_issue_analysis = () => {};
+
 // packages/github-provider-plugin/src/triage-run.ts
-import { buildPluginHostContext } from "@rig/runtime/control-plane/plugin-host-context";
+var exports_triage_run = {};
+__export(exports_triage_run, {
+  runIssueAnalysisTriage: () => runIssueAnalysisTriage
+});
+import { buildPluginHostContext } from "@rig/core/plugin-host-context";
 function summarizeResults(results) {
   return results.reduce((summary, entry) => {
     if (entry.result.metadataPatch && Object.keys(entry.result.metadataPatch).length > 0) {
@@ -1112,7 +409,9 @@ async function loadContext(projectRoot) {
   if (!context)
     return null;
   return {
-    config: context.config,
+    config: {
+      ...context.config.issueAnalysis ? { issueAnalysis: context.config.issueAnalysis } : {}
+    },
     taskSourceRegistry: context.taskSourceRegistry
   };
 }
@@ -1170,8 +469,8 @@ async function runIssueAnalysisTriage(options) {
   const runner = createConfiguredIssueAnalysisRunner({
     projectRoot: options.projectRoot,
     context,
-    analyzer: options.analyzer,
-    runCommand: options.runCommand,
+    ...options.analyzer ? { analyzer: options.analyzer } : {},
+    ...options.runCommand ? { runCommand: options.runCommand } : {},
     onWriteBack: refreshSnapshotAfterWriteBack
   });
   if (!runner) {
@@ -1191,10 +490,343 @@ async function runIssueAnalysisTriage(options) {
     refreshedIssueCount
   };
 }
+var init_triage_run = __esm(() => {
+  init_issue_analysis();
+});
+
+// packages/github-provider-plugin/src/identity.ts
+import {
+  RIG_WORKFLOW_STARTED
+} from "@rig/contracts";
+function stringField(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : undefined;
+}
+function numericStringField(value) {
+  return typeof value === "number" && Number.isInteger(value) ? String(value) : stringField(value);
+}
+function asRecord(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : null;
+}
+function customEntries(entries) {
+  const customs = [];
+  for (const entry of entries) {
+    if (entry.type === "custom")
+      customs.push(entry);
+  }
+  return customs;
+}
+function candidateFromStartedData(data) {
+  const record = asRecord(data);
+  if (!record)
+    return null;
+  const owner = asRecord(record.owner);
+  const selectedRepo = stringField(record.selectedRepo);
+  const githubUserId = stringField(owner?.githubUserId) ?? numericStringField(record.githubUserId) ?? numericStringField(record.userId);
+  const login = stringField(owner?.login) ?? stringField(record.login);
+  const namespaceKey = stringField(owner?.namespaceKey) ?? stringField(record.namespaceKey) ?? stringField(record.userNamespaceKey);
+  if (!selectedRepo && !githubUserId && !login && !namespaceKey)
+    return null;
+  return { selectedRepo, githubUserId, login, namespaceKey, source: "workflow-metadata" };
+}
+function workflowIdentityCandidate(entries) {
+  const customs = customEntries(entries);
+  for (let index = customs.length - 1;index >= 0; index -= 1) {
+    const entry = customs[index];
+    if (entry?.customType !== RIG_WORKFLOW_STARTED)
+      continue;
+    const candidate = candidateFromStartedData(entry.data);
+    if (candidate)
+      return candidate;
+  }
+  return null;
+}
+function ompGitHubIdentityCandidate(ctx) {
+  const account = asRecord(ctx.modelRegistry?.authStorage?.getOAuthAccountIdentity?.("github-copilot", ctx.sessionManager.getSessionId()));
+  if (!account)
+    return null;
+  const githubUserId = stringField(account.accountId);
+  const login = stringField(account.login) ?? stringField(account.email);
+  if (!githubUserId && !login)
+    return null;
+  return {
+    githubUserId,
+    login,
+    namespaceKey: githubUserId ? `gh:${githubUserId}` : undefined,
+    source: "omp-github-copilot-auth"
+  };
+}
+function envField(name) {
+  return stringField(process.env[name]);
+}
+function envIdentityCandidate() {
+  const selectedRepo = envField("RIG_SELECTED_REPO");
+  const githubUserId = envField("RIG_GITHUB_USER_ID");
+  const login = envField("RIG_GITHUB_LOGIN");
+  const namespaceKey = envField("RIG_GITHUB_NAMESPACE_KEY") ?? (githubUserId ? `gh:${githubUserId}` : undefined);
+  if (!selectedRepo && !githubUserId && !login && !namespaceKey)
+    return null;
+  return {
+    selectedRepo,
+    githubUserId,
+    login,
+    namespaceKey,
+    source: "rig-public-identity-env"
+  };
+}
+function mergeSource(sources, source) {
+  if (source && !sources.includes(source))
+    sources.push(source);
+}
+function completeIdentity(candidate, sources) {
+  const selectedRepo = stringField(candidate.selectedRepo);
+  const githubUserId = stringField(candidate.githubUserId);
+  const login = stringField(candidate.login);
+  const namespaceKey = stringField(candidate.namespaceKey) ?? (githubUserId ? `gh:${githubUserId}` : undefined);
+  if (!selectedRepo || !githubUserId || !login || !namespaceKey)
+    return null;
+  const uniqueSources = [];
+  for (const value of sources) {
+    if (!uniqueSources.includes(value))
+      uniqueSources.push(value);
+  }
+  return {
+    selectedRepo,
+    owner: { githubUserId, login, namespaceKey },
+    source: uniqueSources.join("+")
+  };
+}
+function resolveRigIdentity(ctx) {
+  const workflow = workflowIdentityCandidate(ctx.sessionManager.getBranch());
+  const omp = ompGitHubIdentityCandidate(ctx);
+  const env = envIdentityCandidate();
+  const sources = [];
+  const selectedRepo = workflow?.selectedRepo ?? env?.selectedRepo;
+  const githubUserId = workflow?.githubUserId ?? omp?.githubUserId ?? env?.githubUserId;
+  const login = workflow?.login ?? omp?.login ?? env?.login;
+  const namespaceKey = workflow?.namespaceKey ?? omp?.namespaceKey ?? env?.namespaceKey;
+  if (workflow && (workflow.selectedRepo || workflow.githubUserId || workflow.login || workflow.namespaceKey))
+    mergeSource(sources, workflow.source);
+  if (omp && (!workflow?.githubUserId || !workflow?.login || !workflow?.namespaceKey))
+    mergeSource(sources, omp.source);
+  if (env && (!workflow?.selectedRepo && env.selectedRepo || !workflow?.githubUserId && !omp?.githubUserId && env.githubUserId || !workflow?.login && !omp?.login && env.login || !workflow?.namespaceKey && !omp?.namespaceKey && env.namespaceKey))
+    mergeSource(sources, env.source);
+  return completeIdentity({ selectedRepo, githubUserId, login, namespaceKey, source: sources.join("+") }, sources);
+}
+function resolveRigIdentityFilter(ctx) {
+  const identity = resolveRigIdentity(ctx);
+  if (!identity)
+    return null;
+  return {
+    cwd: ctx.sessionManager.getCwd(),
+    selectedRepo: identity.selectedRepo,
+    githubUserId: identity.owner.githubUserId,
+    namespaceKey: identity.owner.namespaceKey
+  };
+}
+var init_identity = () => {};
+
+// packages/github-provider-plugin/src/identity-env.ts
+var exports_identity_env = {};
+__export(exports_identity_env, {
+  stripRunChildCredentialEnv: () => stripRunChildCredentialEnv,
+  resolveRigIdentityFilter: () => resolveRigIdentityFilter,
+  resolveRigIdentity: () => resolveRigIdentity,
+  resolveIdentityEnv: () => resolveIdentityEnv,
+  identityFilterFromEnv: () => identityFilterFromEnv,
+  applyIdentityEnv: () => applyIdentityEnv,
+  RUN_CHILD_STRIPPED_CREDENTIAL_ENV_KEYS: () => RUN_CHILD_STRIPPED_CREDENTIAL_ENV_KEYS
+});
+import { existsSync, readFileSync } from "fs";
+import { resolve } from "path";
+function stringField2(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : undefined;
+}
+function githubUserId(value) {
+  if (typeof value === "number" && Number.isInteger(value))
+    return String(value);
+  return stringField2(value);
+}
+function readJsonRecord(path) {
+  if (!existsSync(path))
+    return null;
+  try {
+    const parsed = JSON.parse(readFileSync(path, "utf8"));
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+  } catch {
+    return null;
+  }
+}
+function resolveIdentityEnv(workspaceRoot) {
+  const stateDir = resolve(workspaceRoot, ".rig", "state");
+  const auth = readJsonRecord(resolve(stateDir, "github-auth.json"));
+  const connection = readJsonRecord(resolve(stateDir, "connection.json"));
+  const projectLink = readJsonRecord(resolve(stateDir, "project-link.json"));
+  const values = {};
+  const selectedRepo = stringField2(auth?.selectedRepo) ?? stringField2(connection?.project) ?? stringField2(projectLink?.repoSlug);
+  const userId = githubUserId(auth?.userId);
+  const login = stringField2(auth?.login);
+  const namespaceKey = stringField2(auth?.userNamespaceKey);
+  if (selectedRepo)
+    values.RIG_SELECTED_REPO = selectedRepo;
+  if (userId)
+    values.RIG_GITHUB_USER_ID = userId;
+  if (login)
+    values.RIG_GITHUB_LOGIN = login;
+  if (namespaceKey)
+    values.RIG_GITHUB_NAMESPACE_KEY = namespaceKey;
+  return values;
+}
+function applyIdentityEnv(workspaceRoot) {
+  const previous = new Map;
+  for (const key of [...PUBLIC_IDENTITY_ENV_KEYS, ...RIG_STATE_ENV_KEYS])
+    previous.set(key, process.env[key]);
+  const stateDir = resolve(workspaceRoot, ".rig", "state");
+  const auth = readJsonRecord(resolve(stateDir, "github-auth.json"));
+  const connection = readJsonRecord(resolve(stateDir, "connection.json"));
+  const projectLink = readJsonRecord(resolve(stateDir, "project-link.json"));
+  const values = { ...resolveIdentityEnv(workspaceRoot) };
+  values.RIG_GITHUB_AUTH_STATE_FILE = resolve(stateDir, "github-auth.json");
+  const hasLocalIdentityState = Boolean(auth || connection || projectLink);
+  for (const key of [...PUBLIC_IDENTITY_ENV_KEYS, ...RIG_STATE_ENV_KEYS]) {
+    const value = values[key];
+    if (value)
+      process.env[key] = value;
+    else if (hasLocalIdentityState)
+      delete process.env[key];
+  }
+  return () => {
+    for (const key of [...PUBLIC_IDENTITY_ENV_KEYS, ...RIG_STATE_ENV_KEYS]) {
+      const value = previous.get(key);
+      if (value === undefined)
+        delete process.env[key];
+      else
+        process.env[key] = value;
+    }
+  };
+}
+function identityFilterFromEnv() {
+  return {
+    ...process.env.RIG_SELECTED_REPO ? { selectedRepo: process.env.RIG_SELECTED_REPO } : {},
+    ...process.env.RIG_GITHUB_USER_ID ? { githubUserId: process.env.RIG_GITHUB_USER_ID } : {},
+    ...process.env.RIG_GITHUB_NAMESPACE_KEY ? { namespaceKey: process.env.RIG_GITHUB_NAMESPACE_KEY } : {}
+  };
+}
+function stripRunChildCredentialEnv(env = process.env) {
+  const next = { ...env };
+  for (const key of RUN_CHILD_STRIPPED_CREDENTIAL_ENV_KEYS)
+    delete next[key];
+  return next;
+}
+var PUBLIC_IDENTITY_ENV_KEYS, RIG_STATE_ENV_KEYS, RUN_CHILD_STRIPPED_CREDENTIAL_ENV_KEYS;
+var init_identity_env = __esm(() => {
+  init_identity();
+  PUBLIC_IDENTITY_ENV_KEYS = [
+    "RIG_SELECTED_REPO",
+    "RIG_GITHUB_USER_ID",
+    "RIG_GITHUB_LOGIN",
+    "RIG_GITHUB_NAMESPACE_KEY"
+  ];
+  RIG_STATE_ENV_KEYS = [
+    "RIG_GITHUB_AUTH_STATE_FILE"
+  ];
+  RUN_CHILD_STRIPPED_CREDENTIAL_ENV_KEYS = [
+    "RIG_GITHUB_TOKEN",
+    "RIG_GITHUB_SELECTED_TOKEN",
+    "GH_TOKEN",
+    "GITHUB_TOKEN"
+  ];
+});
+
+// packages/github-provider-plugin/src/service.ts
+var exports_service = {};
+__export(exports_service, {
+  githubProviderService: () => githubProviderService
+});
+import { createGitHubCredentialProvider } from "@rig/github-lib";
+var githubProviderService;
+var init_service = __esm(() => {
+  githubProviderService = {
+    createCredentialProvider: (options) => createGitHubCredentialProvider(options)
+  };
+});
+
+// packages/github-provider-plugin/src/index.ts
+init_issue_analysis();
+init_triage_run();
+
+export * from "@rig/github-lib";
+
 // packages/github-provider-plugin/src/plugin.ts
+import { spawnSync } from "child_process";
 import { definePlugin } from "@rig/core/config";
-import { GITHUB_PROVIDER_CAPABILITY_ID } from "@rig/contracts";
+import { defineCapability } from "@rig/core/capability";
+import {
+  GITHUB_PROVIDER_CAPABILITY_ID,
+  ISSUE_TRIAGE,
+  RUN_IDENTITY_ENV
+} from "@rig/contracts";
+var IssueTriageCap = defineCapability(ISSUE_TRIAGE);
+var issueTriageService = async () => {
+  const { runIssueAnalysisTriage: runIssueAnalysisTriage2 } = await Promise.resolve().then(() => (init_triage_run(), exports_triage_run));
+  return {
+    runTriage: (input) => runIssueAnalysisTriage2({ projectRoot: input.projectRoot, ...input.reason !== undefined ? { reason: input.reason } : {} })
+  };
+};
+var RunIdentityEnvCap = defineCapability(RUN_IDENTITY_ENV);
+var runIdentityEnvService = async () => {
+  const {
+    resolveIdentityEnv: resolveIdentityEnv2,
+    applyIdentityEnv: applyIdentityEnv2,
+    identityFilterFromEnv: identityFilterFromEnv2,
+    stripRunChildCredentialEnv: stripRunChildCredentialEnv2,
+    resolveRigIdentity: resolveRigIdentity2,
+    resolveRigIdentityFilter: resolveRigIdentityFilter2
+  } = await Promise.resolve().then(() => (init_identity_env(), exports_identity_env));
+  return {
+    resolveIdentityEnv: resolveIdentityEnv2,
+    applyIdentityEnv: applyIdentityEnv2,
+    identityFilterFromEnv: identityFilterFromEnv2,
+    stripRunChildCredentialEnv: stripRunChildCredentialEnv2,
+    resolveRigIdentity: resolveRigIdentity2,
+    resolveRigIdentityFilter: resolveRigIdentityFilter2
+  };
+};
 var GITHUB_PROVIDER_PLUGIN_NAME = "@rig/github-provider-plugin";
+function parseGitHubSlugFromRemote(remoteUrl) {
+  const match = remoteUrl.trim().match(/github\.com[:/]([^/\s]+)\/([^/\s]+?)(?:\.git)?\/?$/i);
+  return match ? `${match[1]}/${match[2]}` : null;
+}
+function detectGitHubRepoSlug(projectRoot) {
+  try {
+    const result = spawnSync("git", ["-C", projectRoot, "remote", "get-url", "origin"], {
+      encoding: "utf8",
+      timeout: 5000
+    });
+    if (result.status !== 0 || result.error)
+      return null;
+    return parseGitHubSlugFromRemote(result.stdout.trim());
+  } catch {
+    return null;
+  }
+}
+function githubConfigDefaults(context) {
+  const slug = context.repoSlug ?? detectGitHubRepoSlug(context.projectRoot);
+  if (!slug)
+    return null;
+  const [owner, repo] = slug.split("/", 2);
+  if (!owner || !repo)
+    return null;
+  return {
+    project: { name: slug, repo: slug },
+    taskSource: { kind: "github-issues", owner, repo, state: "open" },
+    github: { issueUpdates: "lifecycle", projects: { enabled: false } },
+    standard: {
+      githubWorkspaceId: slug,
+      githubUserId: process.env.RIG_GITHUB_USER_ID ?? "server-selected-user"
+    },
+    issueAnalysis: { enabled: true, harness: "pi", mode: "continuous" }
+  };
+}
 var githubProviderPlugin = definePlugin({
   name: GITHUB_PROVIDER_PLUGIN_NAME,
   version: "0.0.0-alpha.1",
@@ -1205,43 +837,31 @@ var githubProviderPlugin = definePlugin({
         title: "GitHub SCM provider",
         description: "Resolve GitHub credentials for the configured SCM provider.",
         run: async () => (await Promise.resolve().then(() => (init_service(), exports_service))).githubProviderService
-      }
-    ]
+      },
+      IssueTriageCap.provide(issueTriageService, { title: "GitHub issue-analysis triage" }),
+      RunIdentityEnvCap.provide(runIdentityEnvService, {
+        title: "GitHub/Rig run identity env",
+        description: "Resolve GitHub/Rig identity, hydrate public identity env, and strip run-scoped credential tokens."
+      })
+    ],
+    config: { defaults: githubConfigDefaults }
   }
 });
 function createGitHubProviderPlugin() {
   return githubProviderPlugin;
 }
 export {
-  updateIssueProjectStatus,
-  saveGitHubTokenForProject,
   runIssueAnalysisTriage,
-  resolveProjectStatusField,
-  resolveGitHubAuthStatus,
-  resolveGitHubAuthStateFile,
   renderIssueAnalysisPrompt,
-  probeGitHubRepository,
-  pollGitHubDeviceFlow,
   parseIssueAnalysisResult,
-  listGitHubProjects,
   issueAnalysisEnabled,
   githubProviderPlugin,
-  fetchGitHubUserInfo,
-  ensureIssueProjectItem,
-  createStateGitHubCredentialProvider,
   createPiIssueAnalyzer,
   createIssueAnalysisWriteBack,
   createIssueAnalysisService,
   createGitHubProviderPlugin,
-  createGitHubCredentialProvider,
-  createGitHubAuthStoreFromStateFile,
-  createGitHubAuthStore,
-  createEnvGitHubCredentialProvider,
   createDefaultPiIssueAnalysisCommandRunner,
   createContinuousIssueAnalysisRunner,
   createConfiguredIssueAnalysisRunner,
-  copyGitHubAuthStateToLocalProjectRoot,
-  checkGitHubRepoPermissions,
-  beginGitHubDeviceFlow,
   GITHUB_PROVIDER_PLUGIN_NAME
 };