@h-rig/github-provider-plugin 0.0.6-alpha.157 → 0.0.6-alpha.159

package/dist/src/profile-ops.d.ts

@@ -0,0 +1,8 @@
+/**
+ * profile-ops.ts — re-export shim. The execution/review profile read/write IO
+ * was relocated to the floor (`@rig/core/profile-ops`) so the CLI seed,
+ * cli-surface, and bundle lifecycle use it as DATA without a cross-plugin impl
+ * import. This shim preserves the `@rig/github-provider-plugin/profile-ops`
+ * subpath; implementation now lives in @rig/core.
+ */
+export { setProfile, setReviewProfile, showProfile, showReviewProfile } from "@rig/core/profile-ops";

package/dist/src/profile-ops.js

@@ -0,0 +1,9 @@
+// @bun
+// packages/github-provider-plugin/src/profile-ops.ts
+import { setProfile, setReviewProfile, showProfile, showReviewProfile } from "@rig/core/profile-ops";
+export {
+  showReviewProfile,
+  showProfile,
+  setReviewProfile,
+  setProfile
+};

package/dist/src/service.js

@@ -1,40 +1,6 @@
 // @bun
-// packages/github-provider-plugin/src/credentials.ts
-function selectedRepoTokenKey(input) {
-  return `user:${input.userId}|repo:${input.owner}/${input.repo}|workspace:${input.workspaceId}`;
-}
-function cleanToken(value) {
-  const trimmed = value?.trim() ?? "";
-  return trimmed.length > 0 ? trimmed : null;
-}
-function createGitHubCredentialProvider(options = {}) {
-  const sessionTokens = options.sessionTokens ?? {};
-  const hostToken = cleanToken(options.hostToken ?? process.env.GH_TOKEN ?? null);
-  return {
-    async resolveGitHubToken(input) {
-      const owner = input.owner.trim();
-      const repo = input.repo.trim();
-      const workspaceId = input.workspaceId.trim();
-      const userId = input.userId?.trim() ?? "";
-      if (input.purpose === "selected-repo") {
-        if (!owner || !repo || !workspaceId || !userId) {
-          throw new Error("No signed-in GitHub token is available for the selected repo; sign in to GitHub for this workspace.");
-        }
-        const token = cleanToken(sessionTokens[selectedRepoTokenKey({ owner, repo, workspaceId, userId })]);
-        if (!token) {
-          throw new Error("No signed-in GitHub token is available for the selected repo; sign in to GitHub for this workspace.");
-        }
-        return { token, source: "signed-in-user" };
-      }
-      if (hostToken) {
-        return { token: hostToken, source: "host-admin-fallback" };
-      }
-      throw new Error("No host GitHub token is configured for the explicit admin fallback operation.");
-    }
-  };
-}
-
 // packages/github-provider-plugin/src/service.ts
+import { createGitHubCredentialProvider } from "@rig/github-lib";
 var githubProviderService = {
   createCredentialProvider: (options) => createGitHubCredentialProvider(options)
 };

package/dist/src/token-env.d.ts

@@ -0,0 +1,3 @@
+export declare function cleanToken(value: string | null | undefined): string | null;
+export declare function authStateToken(env?: Record<string, string | undefined>): string | null;
+export declare function resolveGitHubAuthToken(env?: Record<string, string | undefined>): string | null;

package/dist/src/token-env.js

@@ -0,0 +1,26 @@
+// @bun
+// packages/github-provider-plugin/src/token-env.ts
+import { existsSync, readFileSync } from "fs";
+function cleanToken(value) {
+  const trimmed = value?.trim() ?? "";
+  return trimmed.length > 0 ? trimmed : null;
+}
+function authStateToken(env = process.env) {
+  const file = env.RIG_GITHUB_AUTH_STATE_FILE?.trim();
+  if (!file || !existsSync(file))
+    return null;
+  try {
+    const parsed = JSON.parse(readFileSync(file, "utf8"));
+    return cleanToken(typeof parsed.token === "string" ? parsed.token : undefined);
+  } catch {
+    return null;
+  }
+}
+function resolveGitHubAuthToken(env = process.env) {
+  return cleanToken(env.RIG_GITHUB_TOKEN) ?? cleanToken(env.GH_TOKEN) ?? cleanToken(env.GITHUB_TOKEN) ?? authStateToken(env);
+}
+export {
+  resolveGitHubAuthToken,
+  cleanToken,
+  authStateToken
+};

package/dist/src/triage-run.js

@@ -1,6 +1,6 @@
 // @bun
 // packages/github-provider-plugin/src/triage-run.ts
-import { buildPluginHostContext } from "@rig/runtime/control-plane/plugin-host-context";
+import { buildPluginHostContext } from "@rig/core/plugin-host-context";
 
 // packages/github-provider-plugin/src/issue-analysis.ts
 import { createHash } from "crypto";
@@ -223,7 +223,7 @@ function createIssueAnalysisWriteBack(input) {
         throw new Error("Issue analysis writeback requires removeLabels for labelsToRemove.");
       await input.target.removeLabels(issue.id, uniqueLabels(result.labelsToRemove));
     }
-    const comment = (input.buildStatusComment ?? defaultStatusComment)({ issue, result, reason });
+    const comment = (input.buildStatusComment ?? defaultStatusComment)({ issue, result, ...reason !== undefined ? { reason } : {} });
     if (comment?.trim()) {
       if (!input.target.updateTask)
         throw new Error("Issue analysis writeback requires updateTask for sticky status comments.");
@@ -248,7 +248,7 @@ function sourceWithWriteBackCapabilities(source) {
   if (typeof candidate.updateTask !== "function")
     return null;
   return {
-    get: candidate.get?.bind(candidate),
+    ...typeof candidate.get === "function" ? { get: candidate.get.bind(candidate) } : {},
     updateTask: candidate.updateTask.bind(candidate),
     ...typeof candidate.addLabels === "function" ? { addLabels: candidate.addLabels.bind(candidate) } : {},
     ...typeof candidate.removeLabels === "function" ? { removeLabels: candidate.removeLabels.bind(candidate) } : {},
@@ -277,8 +277,8 @@ function createConfiguredIssueAnalysisRunner(input) {
   if (!target)
     return null;
   const analyzer = input.analyzer ?? createPiIssueAnalyzer({
-    runCommand: input.runCommand,
-    model: input.context.config.issueAnalysis?.model
+    ...input.runCommand ? { runCommand: input.runCommand } : {},
+    ...input.context.config.issueAnalysis?.model ? { model: input.context.config.issueAnalysis.model } : {}
   });
   const baseWriteBack = createIssueAnalysisWriteBack({ target });
   const service = createIssueAnalysisService({
@@ -291,7 +291,7 @@ function createConfiguredIssueAnalysisRunner(input) {
   return createContinuousIssueAnalysisRunner({
     loadIssues: async () => [...await source.list()],
     service,
-    intervalMs: input.intervalMs,
+    ...input.intervalMs !== undefined ? { intervalMs: input.intervalMs } : {},
     reason: "continuous-issue-analysis",
     ...input.setIntervalFn ? { setIntervalFn: input.setIntervalFn } : {},
     ...input.clearIntervalFn ? { clearIntervalFn: input.clearIntervalFn } : {},
@@ -312,7 +312,7 @@ function createIssueAnalysisService(input) {
         const result = await input.analyzer({ issue, neighbors, prompt });
         analyzedHashes.set(issue.id, hash);
         if (result.metadataPatch || result.labelsToAdd?.length || result.labelsToRemove?.length || result.generatedIssues?.length) {
-          await input.writeBack?.({ issue, result, reason: options.reason });
+          await input.writeBack?.({ issue, result, ...options.reason !== undefined ? { reason: options.reason } : {} });
         }
         results.push({ issue, result });
       }
@@ -390,7 +390,9 @@ async function loadContext(projectRoot) {
   if (!context)
     return null;
   return {
-    config: context.config,
+    config: {
+      ...context.config.issueAnalysis ? { issueAnalysis: context.config.issueAnalysis } : {}
+    },
     taskSourceRegistry: context.taskSourceRegistry
   };
 }
@@ -448,8 +450,8 @@ async function runIssueAnalysisTriage(options) {
   const runner = createConfiguredIssueAnalysisRunner({
     projectRoot: options.projectRoot,
     context,
-    analyzer: options.analyzer,
-    runCommand: options.runCommand,
+    ...options.analyzer ? { analyzer: options.analyzer } : {},
+    ...options.runCommand ? { runCommand: options.runCommand } : {},
     onWriteBack: refreshSnapshotAfterWriteBack
   });
   if (!runner) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@h-rig/github-provider-plugin",
-  "version": "0.0.6-alpha.157",
+  "version": "0.0.6-alpha.159",
   "type": "module",
   "description": "Swappable GitHub SCM-provider capability plugin for Rig (auth, credentials, Projects, issue analysis).",
   "license": "UNLICENSED",
@@ -17,9 +17,29 @@
       "types": "./dist/src/plugin.d.ts",
       "import": "./dist/src/plugin.js"
     },
+    "./lib": {
+      "types": "./dist/src/lib.d.ts",
+      "import": "./dist/src/lib.js"
+    },
     "./index": {
       "types": "./dist/src/index.d.ts",
       "import": "./dist/src/index.js"
+    },
+    "./identity": {
+      "types": "./dist/src/identity.d.ts",
+      "import": "./dist/src/identity.js"
+    },
+    "./identity-env": {
+      "types": "./dist/src/identity-env.d.ts",
+      "import": "./dist/src/identity-env.js"
+    },
+    "./token-env": {
+      "types": "./dist/src/token-env.d.ts",
+      "import": "./dist/src/token-env.js"
+    },
+    "./profile-ops": {
+      "types": "./dist/src/profile-ops.d.ts",
+      "import": "./dist/src/profile-ops.js"
     }
   },
   "engines": {
@@ -29,8 +49,8 @@
   "module": "./dist/src/index.js",
   "types": "./dist/src/index.d.ts",
   "dependencies": {
-    "@rig/contracts": "npm:@h-rig/contracts@0.0.6-alpha.157",
-    "@rig/core": "npm:@h-rig/core@0.0.6-alpha.157",
-    "@rig/runtime": "npm:@h-rig/runtime@0.0.6-alpha.157"
+    "@rig/contracts": "npm:@h-rig/contracts@0.0.6-alpha.159",
+    "@rig/core": "npm:@h-rig/core@0.0.6-alpha.159",
+    "@rig/github-lib": "npm:@h-rig/github-lib@0.0.6-alpha.159"
   }
 }

package/dist/src/auth-store.d.ts

@@ -1,42 +0,0 @@
-import type { GitHubAuthStatus } from "@rig/contracts";
-export type { GitHubAuthStatus };
-type PendingDeviceFlow = {
-    readonly pollId: string;
-    readonly deviceCode: string;
-    readonly expiresAt: string;
-    readonly intervalSeconds: number;
-};
-export type GitHubAuthStore = {
-    readonly stateFile: string;
-    readonly status: (options?: {
-        oauthConfigured?: boolean;
-    }) => GitHubAuthStatus;
-    readonly readToken: () => string | null;
-    readonly saveToken: (input: {
-        readonly token: string;
-        readonly tokenSource: "oauth-device" | "manual-token";
-        readonly login?: string | null;
-        readonly userId?: string | null;
-        readonly scopes?: readonly string[];
-        readonly selectedRepo?: string | null;
-    }) => void;
-    readonly createApiSession: () => {
-        token: string;
-        login: string | null;
-        userId: string | null;
-    };
-    readonly readApiSession: (token: string) => {
-        login: string | null;
-        userId: string | null;
-    } | null;
-    readonly copyToProjectRoot: (projectRoot: string) => void;
-    readonly copyToLocalProjectRoot: (projectRoot: string) => void;
-    readonly savePendingDevice: (input: PendingDeviceFlow) => void;
-    readonly saveSelectedRepo: (selectedRepo: string | null) => void;
-    readonly readPendingDevice: (pollId: string) => PendingDeviceFlow | null;
-    readonly clearPendingDevice: (pollId?: string) => void;
-};
-export declare function resolveGitHubAuthStateFile(projectRoot: string): string;
-export declare function copyGitHubAuthStateToLocalProjectRoot(stateFile: string, projectRoot: string): void;
-export declare function createGitHubAuthStoreFromStateFile(stateFile: string): GitHubAuthStore;
-export declare function createGitHubAuthStore(projectRoot: string): GitHubAuthStore;

package/dist/src/auth-store.js

@@ -1,226 +0,0 @@
-// @bun
-// packages/github-provider-plugin/src/auth-store.ts
-import { randomBytes } from "crypto";
-import { chmodSync, copyFileSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
-import { dirname, resolve } from "path";
-import { resolveRigStatePaths } from "@rig/runtime/control-plane/server-paths";
-function cleanString(value) {
-  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
-}
-function cleanScopes(value) {
-  if (!Array.isArray(value))
-    return [];
-  return value.flatMap((entry) => {
-    const clean = cleanString(entry);
-    return clean ? [clean] : [];
-  });
-}
-function parseApiSessions(value) {
-  if (!Array.isArray(value))
-    return [];
-  return value.flatMap((entry) => {
-    if (!entry || typeof entry !== "object" || Array.isArray(entry))
-      return [];
-    const record = entry;
-    const token = cleanString(record.token);
-    if (!token)
-      return [];
-    return [{
-      token,
-      login: cleanString(record.login),
-      userId: cleanString(record.userId),
-      createdAt: cleanString(record.createdAt) ?? undefined
-    }];
-  });
-}
-function parsePendingDevice(value) {
-  if (!value || typeof value !== "object")
-    return null;
-  const record = value;
-  const pollId = cleanString(record.pollId);
-  const deviceCode = cleanString(record.deviceCode);
-  const expiresAt = cleanString(record.expiresAt);
-  const intervalSeconds = typeof record.intervalSeconds === "number" && Number.isFinite(record.intervalSeconds) ? Math.max(1, Math.floor(record.intervalSeconds)) : null;
-  if (!pollId || !deviceCode || !expiresAt || !intervalSeconds)
-    return null;
-  return { pollId, deviceCode, expiresAt, intervalSeconds };
-}
-function parsePendingDevices(value) {
-  if (!Array.isArray(value))
-    return [];
-  return value.flatMap((entry) => {
-    const pending = parsePendingDevice(entry);
-    return pending ? [pending] : [];
-  });
-}
-function readStoredAuth(stateFile) {
-  if (!existsSync(stateFile))
-    return {};
-  try {
-    const parsed = JSON.parse(readFileSync(stateFile, "utf8"));
-    return {
-      ...cleanString(parsed.token) ? { token: cleanString(parsed.token) } : {},
-      login: cleanString(parsed.login),
-      userId: cleanString(parsed.userId),
-      scopes: cleanScopes(parsed.scopes),
-      selectedRepo: cleanString(parsed.selectedRepo),
-      tokenSource: parsed.tokenSource === "oauth-device" || parsed.tokenSource === "manual-token" || parsed.tokenSource === "env" ? parsed.tokenSource : undefined,
-      pendingDevice: parsePendingDevice(parsed.pendingDevice),
-      pendingDevices: parsePendingDevices(parsed.pendingDevices),
-      apiSessions: parseApiSessions(parsed.apiSessions),
-      updatedAt: cleanString(parsed.updatedAt) ?? undefined
-    };
-  } catch {
-    return {};
-  }
-}
-function newApiSessionToken() {
-  return `rig_${randomBytes(32).toString("base64url")}`;
-}
-function writeStoredAuth(stateFile, payload) {
-  mkdirSync(dirname(stateFile), { recursive: true });
-  writeFileSync(stateFile, `${JSON.stringify(payload, null, 2)}
-`, { encoding: "utf8", mode: 384 });
-  try {
-    chmodSync(stateFile, 384);
-  } catch {}
-}
-function localProjectAuthStateFile(projectRoot) {
-  return resolve(projectRoot, ".rig", "state", "github-auth.json");
-}
-function resolveGitHubAuthStateFile(projectRoot) {
-  return resolve(resolveRigStatePaths(projectRoot).stateDir, "github-auth.json");
-}
-function copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot) {
-  const targetFile = localProjectAuthStateFile(projectRoot);
-  mkdirSync(dirname(targetFile), { recursive: true });
-  if (existsSync(stateFile)) {
-    copyFileSync(stateFile, targetFile);
-    try {
-      chmodSync(targetFile, 384);
-    } catch {}
-    return;
-  }
-  writeStoredAuth(targetFile, {});
-}
-function createGitHubAuthStoreFromStateFile(stateFile) {
-  return {
-    stateFile,
-    status(options) {
-      const stored = readStoredAuth(stateFile);
-      const token = cleanString(stored.token);
-      return {
-        signedIn: Boolean(token),
-        login: cleanString(stored.login),
-        userId: cleanString(stored.userId),
-        scopes: cleanScopes(stored.scopes),
-        selectedRepo: cleanString(stored.selectedRepo),
-        oauthConfigured: options?.oauthConfigured === true,
-        tokenSource: token ? stored.tokenSource ?? "manual-token" : null
-      };
-    },
-    readToken() {
-      return cleanString(readStoredAuth(stateFile).token);
-    },
-    saveToken(input) {
-      const previous = readStoredAuth(stateFile);
-      writeStoredAuth(stateFile, {
-        ...previous,
-        token: input.token,
-        tokenSource: input.tokenSource,
-        login: input.login ?? null,
-        userId: input.userId ?? null,
-        scopes: input.scopes ?? [],
-        selectedRepo: input.selectedRepo ?? previous.selectedRepo ?? null,
-        pendingDevice: null,
-        pendingDevices: [],
-        apiSessions: previous.apiSessions ?? [],
-        updatedAt: new Date().toISOString()
-      });
-    },
-    createApiSession() {
-      const previous = readStoredAuth(stateFile);
-      const token = newApiSessionToken();
-      const session = {
-        token,
-        login: cleanString(previous.login),
-        userId: cleanString(previous.userId),
-        createdAt: new Date().toISOString()
-      };
-      writeStoredAuth(stateFile, {
-        ...previous,
-        apiSessions: [...(previous.apiSessions ?? []).slice(-9), session],
-        updatedAt: new Date().toISOString()
-      });
-      return { token, login: session.login ?? null, userId: session.userId ?? null };
-    },
-    readApiSession(token) {
-      const clean = cleanString(token);
-      if (!clean)
-        return null;
-      const previous = readStoredAuth(stateFile);
-      const session = (previous.apiSessions ?? []).find((candidate) => candidate.token === clean);
-      return session ? { login: cleanString(session.login), userId: cleanString(session.userId) } : null;
-    },
-    copyToProjectRoot(projectRoot) {
-      const targetFile = resolveGitHubAuthStateFile(projectRoot);
-      writeStoredAuth(targetFile, readStoredAuth(stateFile));
-    },
-    copyToLocalProjectRoot(projectRoot) {
-      copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot);
-    },
-    savePendingDevice(input) {
-      const previous = readStoredAuth(stateFile);
-      const pendingDevices = [
-        ...previous.pendingDevice ? [previous.pendingDevice] : [],
-        ...previous.pendingDevices ?? [],
-        input
-      ].filter((entry, index, entries) => entries.findIndex((candidate) => candidate.pollId === entry.pollId) === index);
-      writeStoredAuth(stateFile, {
-        ...previous,
-        pendingDevice: null,
-        pendingDevices,
-        updatedAt: new Date().toISOString()
-      });
-    },
-    saveSelectedRepo(selectedRepo) {
-      const previous = readStoredAuth(stateFile);
-      writeStoredAuth(stateFile, {
-        ...previous,
-        selectedRepo: selectedRepo ?? null,
-        updatedAt: new Date().toISOString()
-      });
-    },
-    readPendingDevice(pollId) {
-      const previous = readStoredAuth(stateFile);
-      const pending = [
-        ...previous.pendingDevice ? [previous.pendingDevice] : [],
-        ...previous.pendingDevices ?? []
-      ].find((entry) => entry.pollId === pollId) ?? null;
-      if (!pending)
-        return null;
-      if (Date.parse(pending.expiresAt) <= Date.now())
-        return null;
-      return pending;
-    },
-    clearPendingDevice(pollId) {
-      const previous = readStoredAuth(stateFile);
-      const remaining = pollId ? (previous.pendingDevices ?? []).filter((entry) => entry.pollId !== pollId) : [];
-      writeStoredAuth(stateFile, {
-        ...previous,
-        pendingDevice: null,
-        pendingDevices: remaining,
-        updatedAt: new Date().toISOString()
-      });
-    }
-  };
-}
-function createGitHubAuthStore(projectRoot) {
-  return createGitHubAuthStoreFromStateFile(resolveGitHubAuthStateFile(projectRoot));
-}
-export {
-  resolveGitHubAuthStateFile,
-  createGitHubAuthStoreFromStateFile,
-  createGitHubAuthStore,
-  copyGitHubAuthStateToLocalProjectRoot
-};

package/dist/src/credentials.d.ts

@@ -1,20 +0,0 @@
-import type { GitHubCredentialProvider, GitHubCredentialProviderOptions, GitHubStateCredentialProviderOptions } from "@rig/contracts";
-export type { GitHubCredentialProvider, GitHubCredentialProviderOptions, GitHubCredentialPurpose, GitHubCredentialSource, GitHubStateCredentialProviderOptions, ResolveGitHubTokenInput, ResolvedGitHubToken, } from "@rig/contracts";
-/**
- * Session-token-map credential provider. Selected-repo operations resolve from
- * the per-session token map; admin-fallback resolves from the host token.
- */
-export declare function createGitHubCredentialProvider(options?: GitHubCredentialProviderOptions): GitHubCredentialProvider;
-/**
- * Env-only credential provider. Selected-repo reads `RIG_GITHUB_SELECTED_TOKEN`
- * (browser-selected public repos read without a token); admin-fallback reads the
- * host token env vars. Consolidated here from task-sources so the credential
- * abstraction has a single home.
- */
-export declare function createEnvGitHubCredentialProvider(): GitHubCredentialProvider;
-/**
- * State-file-backed credential provider. Resolves the signed-in token from a
- * `github-auth.json` discovered across explicit/state/project-root candidates,
- * falling back to host token env vars. Consolidated here from task-sources.
- */
-export declare function createStateGitHubCredentialProvider(options?: GitHubStateCredentialProviderOptions): GitHubCredentialProvider;

package/dist/src/credentials.js

@@ -1,118 +0,0 @@
-// @bun
-// packages/github-provider-plugin/src/credentials.ts
-import { existsSync, readFileSync } from "fs";
-import { resolve } from "path";
-function selectedRepoTokenKey(input) {
-  return `user:${input.userId}|repo:${input.owner}/${input.repo}|workspace:${input.workspaceId}`;
-}
-function cleanToken(value) {
-  const trimmed = value?.trim() ?? "";
-  return trimmed.length > 0 ? trimmed : null;
-}
-function createGitHubCredentialProvider(options = {}) {
-  const sessionTokens = options.sessionTokens ?? {};
-  const hostToken = cleanToken(options.hostToken ?? process.env.GH_TOKEN ?? null);
-  return {
-    async resolveGitHubToken(input) {
-      const owner = input.owner.trim();
-      const repo = input.repo.trim();
-      const workspaceId = input.workspaceId.trim();
-      const userId = input.userId?.trim() ?? "";
-      if (input.purpose === "selected-repo") {
-        if (!owner || !repo || !workspaceId || !userId) {
-          throw new Error("No signed-in GitHub token is available for the selected repo; sign in to GitHub for this workspace.");
-        }
-        const token = cleanToken(sessionTokens[selectedRepoTokenKey({ owner, repo, workspaceId, userId })]);
-        if (!token) {
-          throw new Error("No signed-in GitHub token is available for the selected repo; sign in to GitHub for this workspace.");
-        }
-        return { token, source: "signed-in-user" };
-      }
-      if (hostToken) {
-        return { token: hostToken, source: "host-admin-fallback" };
-      }
-      throw new Error("No host GitHub token is configured for the explicit admin fallback operation.");
-    }
-  };
-}
-function createEnvGitHubCredentialProvider() {
-  return {
-    async resolveGitHubToken(input) {
-      if (input.purpose === "selected-repo") {
-        return { token: cleanToken(process.env.RIG_GITHUB_SELECTED_TOKEN ?? null) ?? "", source: "signed-in-user" };
-      }
-      const token = cleanToken(process.env.RIG_GITHUB_TOKEN ?? process.env.GH_TOKEN ?? process.env.GITHUB_TOKEN ?? null);
-      if (!token) {
-        throw new Error("No host GitHub token is configured for admin fallback.");
-      }
-      return { token, source: "host-admin-fallback" };
-    }
-  };
-}
-function createStateGitHubCredentialProvider(options = {}) {
-  const addCandidate = (candidates, path) => {
-    const trimmed = path?.trim();
-    if (!trimmed)
-      return;
-    const resolved = resolve(trimmed);
-    if (!candidates.includes(resolved))
-      candidates.push(resolved);
-  };
-  const addStateDir = (candidates, dir) => {
-    const trimmed = dir?.trim();
-    if (!trimmed)
-      return;
-    addCandidate(candidates, resolve(trimmed, "github-auth.json"));
-  };
-  const addProjectStateDir = (candidates, root) => {
-    const trimmed = root?.trim();
-    if (!trimmed)
-      return;
-    addStateDir(candidates, resolve(trimmed, ".rig", "state"));
-  };
-  const stateFileCandidates = () => {
-    const candidates = [];
-    addCandidate(candidates, options.stateFile ?? process.env.RIG_GITHUB_AUTH_STATE_FILE);
-    addStateDir(candidates, options.stateDir);
-    addStateDir(candidates, process.env.RIG_STATE_DIR);
-    addProjectStateDir(candidates, process.env.PROJECT_RIG_ROOT);
-    addProjectStateDir(candidates, process.env.RIG_PROJECT_ROOT);
-    addProjectStateDir(candidates, process.env.RIG_HOST_PROJECT_ROOT);
-    addProjectStateDir(candidates, process.cwd());
-    return candidates;
-  };
-  const readToken = () => {
-    for (const stateFile of stateFileCandidates()) {
-      if (!existsSync(stateFile))
-        continue;
-      try {
-        const parsed = JSON.parse(readFileSync(stateFile, "utf8"));
-        const token = typeof parsed.token === "string" ? cleanToken(parsed.token) : null;
-        if (token)
-          return token;
-      } catch {}
-    }
-    return null;
-  };
-  return {
-    async resolveGitHubToken(input) {
-      const token = readToken();
-      if (input.purpose === "selected-repo") {
-        return { token: token ?? cleanToken(process.env.RIG_GITHUB_SELECTED_TOKEN ?? null) ?? "", source: "signed-in-user" };
-      }
-      if (token) {
-        return { token, source: "signed-in-user" };
-      }
-      const fallback = cleanToken(process.env.RIG_GITHUB_TOKEN ?? process.env.GH_TOKEN ?? process.env.GITHUB_TOKEN ?? null);
-      if (!fallback) {
-        throw new Error("No signed-in GitHub token is stored for Rig and no host admin fallback token is configured.");
-      }
-      return { token: fallback, source: "host-admin-fallback" };
-    }
-  };
-}
-export {
-  createStateGitHubCredentialProvider,
-  createGitHubCredentialProvider,
-  createEnvGitHubCredentialProvider
-};