@h-rig/runtime 0.0.6-alpha.1 → 0.0.6-alpha.3

package/dist/bin/rig-agent-dispatch.js

@@ -5887,6 +5887,10 @@ async function runtimeEnv(projectRoot, runtime) {
       env[key] = value;
     }
   }
+  const rigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  if (rigGithubToken && !env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    env.GITHUB_TOKEN = rigGithubToken;
+  }
   const fallbackGithubToken = !env.GITHUB_TOKEN && !env.GH_TOKEN ? await resolveGithubCliAuthToken(hostGhBinary) : "";
   if (fallbackGithubToken) {
     env.GITHUB_TOKEN = fallbackGithubToken;
@@ -5897,6 +5901,13 @@ async function runtimeEnv(projectRoot, runtime) {
   if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
     env.GH_TOKEN = env.GITHUB_TOKEN;
   }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
   if (!env.GREPTILE_GITHUB_TOKEN && env.GITHUB_TOKEN) {
     env.GREPTILE_GITHUB_TOKEN = env.GITHUB_TOKEN;
   }
@@ -5977,12 +5988,21 @@ async function materializeRuntimeCertBundle(runtime) {
   }
   return targetPath;
 }
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
 function persistRuntimeSecrets(runtimeRoot, env) {
   const secretsPath = resolve25(runtimeRoot, "runtime-secrets.json");
   const persisted = {};
   for (const key of [
     "GITHUB_TOKEN",
     "GH_TOKEN",
+    "RIG_GITHUB_TOKEN",
     "GREPTILE_GITHUB_TOKEN",
     "GREPTILE_API_KEY",
     "AI_REVIEW_MODE",
@@ -9193,6 +9213,18 @@ async function runAgentWrapper(options = {}) {
     console.error(`[rig-agent] Failed to provision runtime: ${error}`);
     return 1;
   }
+  try {
+    await waitForDirtyBaselineReady(runtime, taskId);
+  } catch (error) {
+    emitWrapperEvent("runtime.baseline.failed", {
+      runtimeId: runtime.id,
+      taskId,
+      workspaceDir: runtime.workspaceDir,
+      error: error instanceof Error ? error.message : String(error)
+    });
+    console.error(`[rig-agent] Failed to apply selected baseline before provider launch: ${error}`);
+    return 1;
+  }
   const providerArgs = buildProviderArgs(provider, runtime, argv);
   const providerCommand = [providerBinary(provider), ...providerArgs];
   emitWrapperEvent("provider.launch", {
@@ -9413,6 +9445,34 @@ function providerBinary(provider) {
 function emitWrapperEvent(type, payload) {
   console.log(`__RIG_WRAPPER_EVENT__${JSON.stringify({ type, payload, at: new Date().toISOString() })}`);
 }
+function sleep(ms) {
+  return new Promise((resolveSleep) => setTimeout(resolveSleep, ms));
+}
+async function waitForDirtyBaselineReady(runtime, taskId) {
+  const readyFile = process.env.RIG_DIRTY_BASELINE_READY_FILE?.trim();
+  if (process.env.RIG_BASELINE_MODE !== "dirty-snapshot" || !readyFile)
+    return;
+  const timeoutMs = Number.parseInt(process.env.RIG_DIRTY_BASELINE_TIMEOUT_MS ?? "30000", 10);
+  const deadline = Date.now() + (Number.isFinite(timeoutMs) && timeoutMs > 0 ? timeoutMs : 30000);
+  emitWrapperEvent("runtime.baseline.waiting", {
+    runtimeId: runtime.id,
+    taskId,
+    workspaceDir: runtime.workspaceDir,
+    readyFile
+  });
+  while (!existsSync33(readyFile)) {
+    if (Date.now() >= deadline) {
+      throw new Error(`Timed out waiting for dirty baseline ready file: ${readyFile}`);
+    }
+    await sleep(50);
+  }
+  emitWrapperEvent("runtime.baseline.completed", {
+    runtimeId: runtime.id,
+    taskId,
+    workspaceDir: runtime.workspaceDir,
+    readyFile
+  });
+}
 async function resolveTaskId(projectRoot, monorepoRoot) {
   if (process.env.RIG_TASK_ID) {
     return process.env.RIG_TASK_ID;

package/dist/bin/rig-agent.js

@@ -6389,7 +6389,7 @@ This file records approaches that did not work.
 `, "utf-8");
   }
   const content = readFileSync12(failedPath, "utf-8");
-  const attempts = (content.match(new RegExp(`^## ${escapeRegExp(activeTask)}\\b`, "gm")) || []).length + 1;
+  const attempts = (content.match(new RegExp(`^## ${escapeRegExp2(activeTask)}\\b`, "gm")) || []).length + 1;
   appendFileSync(failedPath, `
 ## ${activeTask} - Attempt ${attempts} (${nowIso()})
 
@@ -6885,7 +6885,7 @@ function printArtifactSection(path, header) {
   process.stdout.write(readFileSync12(path, "utf-8"));
   console.log("");
 }
-function escapeRegExp(value) {
+function escapeRegExp2(value) {
   return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 function changedFilesForTask(projectRoot, taskId, scoped) {
@@ -7112,17 +7112,15 @@ function gitOpenPr(options) {
   const target = options.target || (taskId ? "monorepo" : "project");
   let repoRoot = options.projectRoot;
   let repoLabel = "project-rig";
-  let defaultBase = process.env.RIG_PR_BASE_PROJECT || "main";
+  const envBase = target === "monorepo" ? process.env.RIG_PR_BASE_MONOREPO?.trim() || "" : process.env.RIG_PR_BASE_PROJECT?.trim() || "";
   if (target === "monorepo") {
     repoRoot = resolveOptionalMonorepoRoot(options.projectRoot) || resolveMonorepoRoot2(options.projectRoot);
     repoLabel = "monorepo";
-    defaultBase = process.env.RIG_PR_BASE_MONOREPO || "main";
     if (taskId) {
       gitSyncBranch(options.projectRoot, taskId, "monorepo");
     }
   } else if (taskId) {
     gitSyncBranch(options.projectRoot, taskId, "project");
-    defaultBase = inferProjectBase(options.projectRoot, defaultBase);
   }
   if (!existsSync22(resolve26(repoRoot, ".git"))) {
     throw new Error(`Repository not available for open-pr target ${target}: ${repoRoot}`);
@@ -7131,9 +7129,9 @@ function gitOpenPr(options) {
   if (!branch || branch === "HEAD") {
     throw new Error(`Cannot open PR from detached HEAD in ${repoLabel}. Checkout a branch first.`);
   }
-  const base = options.base || defaultBase;
   const repoNameWithOwner = resolveRepoNameWithOwner(options.projectRoot, repoRoot);
   const networkRemote = resolveNetworkRemoteName(options.projectRoot, repoRoot, repoNameWithOwner);
+  const base = options.base || envBase || inferRepositoryDefaultBase(options.projectRoot, repoRoot, repoNameWithOwner, networkRemote, target === "project" ? inferProjectBase(options.projectRoot, "main") : "main");
   refreshRemoteBaseRef(options.projectRoot, repoRoot, base);
   let reviewer = (options.reviewer || "").trim();
   let reviewerSource = reviewer ? "flag" : undefined;
@@ -7559,6 +7557,32 @@ function withGhRepo(command, repoNameWithOwner) {
   }
   return [command[0], command[1], command[2], ...ghRepoArgs(repoNameWithOwner), ...command.slice(3)];
 }
+function inferRepositoryDefaultBase(projectRoot, repoRoot, repoNameWithOwner, remoteName, fallback) {
+  const remote = remoteName || "origin";
+  const symbolic = runCapture2(gitCmd(projectRoot, repoRoot, "symbolic-ref", "--short", `refs/remotes/${remote}/HEAD`), projectRoot);
+  if (symbolic.exitCode === 0) {
+    const ref = symbolic.stdout.trim().replace(new RegExp(`^${escapeRegExp(remote)}/`), "");
+    if (ref && ref !== "HEAD") {
+      return ref;
+    }
+  }
+  const lsRemote = runCapture2(gitCmd(projectRoot, repoRoot, "ls-remote", "--symref", remote, "HEAD"), projectRoot);
+  if (lsRemote.exitCode === 0) {
+    const match = lsRemote.stdout.match(/^ref:\s+refs\/heads\/([^\t\r\n]+)\s+HEAD/m);
+    if (match?.[1]) {
+      return match[1];
+    }
+  }
+  const gh = resolveGithubCliBinary(projectRoot);
+  if (gh && repoNameWithOwner) {
+    const api = runCapture2(withGhRepo([gh, "repo", "view", "--json", "defaultBranchRef", "--jq", ".defaultBranchRef.name"], repoNameWithOwner), repoRoot);
+    const branch = api.exitCode === 0 ? api.stdout.trim() : "";
+    if (branch) {
+      return branch;
+    }
+  }
+  return fallback;
+}
 function inferProjectBase(projectRoot, fallback) {
   const containing = runCapture2(gitCmd(projectRoot, projectRoot, "branch", "-r", "--contains", "HEAD"), projectRoot);
   if (containing.exitCode !== 0) {
@@ -7940,6 +7964,10 @@ function runtimeGitEnv(projectRoot) {
     }
     env[key] = value;
   }
+  const rigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  if (rigGithubToken && !env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    env.GITHUB_TOKEN = rigGithubToken;
+  }
   if (!env.GITHUB_TOKEN && env.GH_TOKEN) {
     env.GITHUB_TOKEN = env.GH_TOKEN;
   }
@@ -7963,6 +7991,13 @@ function runtimeGitEnv(projectRoot) {
   if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
     env.GH_TOKEN = env.GITHUB_TOKEN;
   }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || env.RIG_GITHUB_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
   if (runtimeKnownHosts && existsSync22(runtimeKnownHosts)) {
     const sshParts = [
       "ssh",
@@ -7979,6 +8014,14 @@ function runtimeGitEnv(projectRoot) {
   }
   return Object.keys(env).length > 0 ? env : undefined;
 }
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
 function loadPersistedRuntimeSecrets(runtimeRoot) {
   if (!runtimeRoot) {
     return {};

package/dist/src/control-plane/agent-wrapper.js

@@ -5887,6 +5887,10 @@ async function runtimeEnv(projectRoot, runtime) {
       env[key] = value;
     }
   }
+  const rigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  if (rigGithubToken && !env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    env.GITHUB_TOKEN = rigGithubToken;
+  }
   const fallbackGithubToken = !env.GITHUB_TOKEN && !env.GH_TOKEN ? await resolveGithubCliAuthToken(hostGhBinary) : "";
   if (fallbackGithubToken) {
     env.GITHUB_TOKEN = fallbackGithubToken;
@@ -5897,6 +5901,13 @@ async function runtimeEnv(projectRoot, runtime) {
   if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
     env.GH_TOKEN = env.GITHUB_TOKEN;
   }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
   if (!env.GREPTILE_GITHUB_TOKEN && env.GITHUB_TOKEN) {
     env.GREPTILE_GITHUB_TOKEN = env.GITHUB_TOKEN;
   }
@@ -5977,12 +5988,21 @@ async function materializeRuntimeCertBundle(runtime) {
   }
   return targetPath;
 }
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
 function persistRuntimeSecrets(runtimeRoot, env) {
   const secretsPath = resolve25(runtimeRoot, "runtime-secrets.json");
   const persisted = {};
   for (const key of [
     "GITHUB_TOKEN",
     "GH_TOKEN",
+    "RIG_GITHUB_TOKEN",
     "GREPTILE_GITHUB_TOKEN",
     "GREPTILE_API_KEY",
     "AI_REVIEW_MODE",
@@ -9193,6 +9213,18 @@ async function runAgentWrapper(options = {}) {
     console.error(`[rig-agent] Failed to provision runtime: ${error}`);
     return 1;
   }
+  try {
+    await waitForDirtyBaselineReady(runtime, taskId);
+  } catch (error) {
+    emitWrapperEvent("runtime.baseline.failed", {
+      runtimeId: runtime.id,
+      taskId,
+      workspaceDir: runtime.workspaceDir,
+      error: error instanceof Error ? error.message : String(error)
+    });
+    console.error(`[rig-agent] Failed to apply selected baseline before provider launch: ${error}`);
+    return 1;
+  }
   const providerArgs = buildProviderArgs(provider, runtime, argv);
   const providerCommand = [providerBinary(provider), ...providerArgs];
   emitWrapperEvent("provider.launch", {
@@ -9413,6 +9445,34 @@ function providerBinary(provider) {
 function emitWrapperEvent(type, payload) {
   console.log(`__RIG_WRAPPER_EVENT__${JSON.stringify({ type, payload, at: new Date().toISOString() })}`);
 }
+function sleep(ms) {
+  return new Promise((resolveSleep) => setTimeout(resolveSleep, ms));
+}
+async function waitForDirtyBaselineReady(runtime, taskId) {
+  const readyFile = process.env.RIG_DIRTY_BASELINE_READY_FILE?.trim();
+  if (process.env.RIG_BASELINE_MODE !== "dirty-snapshot" || !readyFile)
+    return;
+  const timeoutMs = Number.parseInt(process.env.RIG_DIRTY_BASELINE_TIMEOUT_MS ?? "30000", 10);
+  const deadline = Date.now() + (Number.isFinite(timeoutMs) && timeoutMs > 0 ? timeoutMs : 30000);
+  emitWrapperEvent("runtime.baseline.waiting", {
+    runtimeId: runtime.id,
+    taskId,
+    workspaceDir: runtime.workspaceDir,
+    readyFile
+  });
+  while (!existsSync33(readyFile)) {
+    if (Date.now() >= deadline) {
+      throw new Error(`Timed out waiting for dirty baseline ready file: ${readyFile}`);
+    }
+    await sleep(50);
+  }
+  emitWrapperEvent("runtime.baseline.completed", {
+    runtimeId: runtime.id,
+    taskId,
+    workspaceDir: runtime.workspaceDir,
+    readyFile
+  });
+}
 async function resolveTaskId(projectRoot, monorepoRoot) {
   if (process.env.RIG_TASK_ID) {
     return process.env.RIG_TASK_ID;

package/dist/src/control-plane/harness-main.js

@@ -5461,7 +5461,7 @@ This file records approaches that did not work.
 `, "utf-8");
   }
   const content = readFileSync10(failedPath, "utf-8");
-  const attempts = (content.match(new RegExp(`^## ${escapeRegExp(activeTask)}\\b`, "gm")) || []).length + 1;
+  const attempts = (content.match(new RegExp(`^## ${escapeRegExp2(activeTask)}\\b`, "gm")) || []).length + 1;
   appendFileSync(failedPath, `
 ## ${activeTask} - Attempt ${attempts} (${nowIso()})
 
@@ -5960,7 +5960,7 @@ function printArtifactSection(path, header) {
   process.stdout.write(readFileSync10(path, "utf-8"));
   console.log("");
 }
-function escapeRegExp(value) {
+function escapeRegExp2(value) {
   return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 function changedFilesForTask(projectRoot, taskId, scoped) {
@@ -6187,17 +6187,15 @@ function gitOpenPr(options) {
   const target = options.target || (taskId ? "monorepo" : "project");
   let repoRoot = options.projectRoot;
   let repoLabel = "project-rig";
-  let defaultBase = process.env.RIG_PR_BASE_PROJECT || "main";
+  const envBase = target === "monorepo" ? process.env.RIG_PR_BASE_MONOREPO?.trim() || "" : process.env.RIG_PR_BASE_PROJECT?.trim() || "";
   if (target === "monorepo") {
     repoRoot = resolveOptionalMonorepoRoot(options.projectRoot) || resolveMonorepoRoot2(options.projectRoot);
     repoLabel = "monorepo";
-    defaultBase = process.env.RIG_PR_BASE_MONOREPO || "main";
     if (taskId) {
       gitSyncBranch(options.projectRoot, taskId, "monorepo");
     }
   } else if (taskId) {
     gitSyncBranch(options.projectRoot, taskId, "project");
-    defaultBase = inferProjectBase(options.projectRoot, defaultBase);
   }
   if (!existsSync21(resolve24(repoRoot, ".git"))) {
     throw new Error(`Repository not available for open-pr target ${target}: ${repoRoot}`);
@@ -6206,9 +6204,9 @@ function gitOpenPr(options) {
   if (!branch || branch === "HEAD") {
     throw new Error(`Cannot open PR from detached HEAD in ${repoLabel}. Checkout a branch first.`);
   }
-  const base = options.base || defaultBase;
   const repoNameWithOwner = resolveRepoNameWithOwner(options.projectRoot, repoRoot);
   const networkRemote = resolveNetworkRemoteName(options.projectRoot, repoRoot, repoNameWithOwner);
+  const base = options.base || envBase || inferRepositoryDefaultBase(options.projectRoot, repoRoot, repoNameWithOwner, networkRemote, target === "project" ? inferProjectBase(options.projectRoot, "main") : "main");
   refreshRemoteBaseRef(options.projectRoot, repoRoot, base);
   let reviewer = (options.reviewer || "").trim();
   let reviewerSource = reviewer ? "flag" : undefined;
@@ -6659,6 +6657,32 @@ function withGhRepo(command, repoNameWithOwner) {
   }
   return [command[0], command[1], command[2], ...ghRepoArgs(repoNameWithOwner), ...command.slice(3)];
 }
+function inferRepositoryDefaultBase(projectRoot, repoRoot, repoNameWithOwner, remoteName, fallback) {
+  const remote = remoteName || "origin";
+  const symbolic = runCapture2(gitCmd(projectRoot, repoRoot, "symbolic-ref", "--short", `refs/remotes/${remote}/HEAD`), projectRoot);
+  if (symbolic.exitCode === 0) {
+    const ref = symbolic.stdout.trim().replace(new RegExp(`^${escapeRegExp(remote)}/`), "");
+    if (ref && ref !== "HEAD") {
+      return ref;
+    }
+  }
+  const lsRemote = runCapture2(gitCmd(projectRoot, repoRoot, "ls-remote", "--symref", remote, "HEAD"), projectRoot);
+  if (lsRemote.exitCode === 0) {
+    const match = lsRemote.stdout.match(/^ref:\s+refs\/heads\/([^\t\r\n]+)\s+HEAD/m);
+    if (match?.[1]) {
+      return match[1];
+    }
+  }
+  const gh = resolveGithubCliBinary(projectRoot);
+  if (gh && repoNameWithOwner) {
+    const api = runCapture2(withGhRepo([gh, "repo", "view", "--json", "defaultBranchRef", "--jq", ".defaultBranchRef.name"], repoNameWithOwner), repoRoot);
+    const branch = api.exitCode === 0 ? api.stdout.trim() : "";
+    if (branch) {
+      return branch;
+    }
+  }
+  return fallback;
+}
 function inferProjectBase(projectRoot, fallback) {
   const containing = runCapture2(gitCmd(projectRoot, projectRoot, "branch", "-r", "--contains", "HEAD"), projectRoot);
   if (containing.exitCode !== 0) {
@@ -7040,6 +7064,10 @@ function runtimeGitEnv(projectRoot) {
     }
     env[key] = value;
   }
+  const rigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  if (rigGithubToken && !env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    env.GITHUB_TOKEN = rigGithubToken;
+  }
   if (!env.GITHUB_TOKEN && env.GH_TOKEN) {
     env.GITHUB_TOKEN = env.GH_TOKEN;
   }
@@ -7063,6 +7091,13 @@ function runtimeGitEnv(projectRoot) {
   if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
     env.GH_TOKEN = env.GITHUB_TOKEN;
   }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || env.RIG_GITHUB_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
   if (runtimeKnownHosts && existsSync21(runtimeKnownHosts)) {
     const sshParts = [
       "ssh",
@@ -7079,6 +7114,14 @@ function runtimeGitEnv(projectRoot) {
   }
   return Object.keys(env).length > 0 ? env : undefined;
 }
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
 function loadPersistedRuntimeSecrets(runtimeRoot) {
   if (!runtimeRoot) {
     return {};

package/dist/src/control-plane/hooks/completion-verification.js

@@ -5,7 +5,7 @@
 import { appendFileSync as appendFileSync2, existsSync as existsSync21, mkdirSync as mkdirSync11, readFileSync as readFileSync12, writeFileSync as writeFileSync11 } from "fs";
 import { resolve as resolve24 } from "path";
 import {
-  escapeRegExp,
+  escapeRegExp as escapeRegExp2,
   resolveBunCli,
   resolveBunCliInvocation,
   resolveProjectRoot,
@@ -6101,17 +6101,15 @@ function gitOpenPr(options) {
   const target = options.target || (taskId ? "monorepo" : "project");
   let repoRoot = options.projectRoot;
   let repoLabel = "project-rig";
-  let defaultBase = process.env.RIG_PR_BASE_PROJECT || "main";
+  const envBase = target === "monorepo" ? process.env.RIG_PR_BASE_MONOREPO?.trim() || "" : process.env.RIG_PR_BASE_PROJECT?.trim() || "";
   if (target === "monorepo") {
     repoRoot = resolveOptionalMonorepoRoot(options.projectRoot) || resolveMonorepoRoot2(options.projectRoot);
     repoLabel = "monorepo";
-    defaultBase = process.env.RIG_PR_BASE_MONOREPO || "main";
     if (taskId) {
       gitSyncBranch(options.projectRoot, taskId, "monorepo");
     }
   } else if (taskId) {
     gitSyncBranch(options.projectRoot, taskId, "project");
-    defaultBase = inferProjectBase(options.projectRoot, defaultBase);
   }
   if (!existsSync20(resolve23(repoRoot, ".git"))) {
     throw new Error(`Repository not available for open-pr target ${target}: ${repoRoot}`);
@@ -6120,9 +6118,9 @@ function gitOpenPr(options) {
   if (!branch || branch === "HEAD") {
     throw new Error(`Cannot open PR from detached HEAD in ${repoLabel}. Checkout a branch first.`);
   }
-  const base = options.base || defaultBase;
   const repoNameWithOwner = resolveRepoNameWithOwner(options.projectRoot, repoRoot);
   const networkRemote = resolveNetworkRemoteName(options.projectRoot, repoRoot, repoNameWithOwner);
+  const base = options.base || envBase || inferRepositoryDefaultBase(options.projectRoot, repoRoot, repoNameWithOwner, networkRemote, target === "project" ? inferProjectBase(options.projectRoot, "main") : "main");
   refreshRemoteBaseRef(options.projectRoot, repoRoot, base);
   let reviewer = (options.reviewer || "").trim();
   let reviewerSource = reviewer ? "flag" : undefined;
@@ -6669,6 +6667,32 @@ function withGhRepo(command, repoNameWithOwner) {
   }
   return [command[0], command[1], command[2], ...ghRepoArgs(repoNameWithOwner), ...command.slice(3)];
 }
+function inferRepositoryDefaultBase(projectRoot, repoRoot, repoNameWithOwner, remoteName, fallback) {
+  const remote = remoteName || "origin";
+  const symbolic = runCapture2(gitCmd(projectRoot, repoRoot, "symbolic-ref", "--short", `refs/remotes/${remote}/HEAD`), projectRoot);
+  if (symbolic.exitCode === 0) {
+    const ref = symbolic.stdout.trim().replace(new RegExp(`^${escapeRegExp(remote)}/`), "");
+    if (ref && ref !== "HEAD") {
+      return ref;
+    }
+  }
+  const lsRemote = runCapture2(gitCmd(projectRoot, repoRoot, "ls-remote", "--symref", remote, "HEAD"), projectRoot);
+  if (lsRemote.exitCode === 0) {
+    const match = lsRemote.stdout.match(/^ref:\s+refs\/heads\/([^\t\r\n]+)\s+HEAD/m);
+    if (match?.[1]) {
+      return match[1];
+    }
+  }
+  const gh = resolveGithubCliBinary(projectRoot);
+  if (gh && repoNameWithOwner) {
+    const api = runCapture2(withGhRepo([gh, "repo", "view", "--json", "defaultBranchRef", "--jq", ".defaultBranchRef.name"], repoNameWithOwner), repoRoot);
+    const branch = api.exitCode === 0 ? api.stdout.trim() : "";
+    if (branch) {
+      return branch;
+    }
+  }
+  return fallback;
+}
 function inferProjectBase(projectRoot, fallback) {
   const containing = runCapture2(gitCmd(projectRoot, projectRoot, "branch", "-r", "--contains", "HEAD"), projectRoot);
   if (containing.exitCode !== 0) {
@@ -7013,6 +7037,10 @@ function runtimeGitEnv(projectRoot) {
     }
     env[key] = value;
   }
+  const rigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  if (rigGithubToken && !env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    env.GITHUB_TOKEN = rigGithubToken;
+  }
   if (!env.GITHUB_TOKEN && env.GH_TOKEN) {
     env.GITHUB_TOKEN = env.GH_TOKEN;
   }
@@ -7036,6 +7064,13 @@ function runtimeGitEnv(projectRoot) {
   if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
     env.GH_TOKEN = env.GITHUB_TOKEN;
   }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || env.RIG_GITHUB_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
   if (runtimeKnownHosts && existsSync20(runtimeKnownHosts)) {
     const sshParts = [
       "ssh",
@@ -7052,6 +7087,14 @@ function runtimeGitEnv(projectRoot) {
   }
   return Object.keys(env).length > 0 ? env : undefined;
 }
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
 function loadPersistedRuntimeSecrets(runtimeRoot) {
   if (!runtimeRoot) {
     return {};
@@ -7493,7 +7536,7 @@ async function recordVerifierFailure(projectRoot, taskId, paths) {
   let attempts = 1;
   if (existsSync21(failedApproachesPath)) {
     const content = readFileSync12(failedApproachesPath, "utf-8");
-    attempts = (content.match(new RegExp(`^## ${escapeRegExp(taskId)}\\b`, "gm")) || []).length + 1;
+    attempts = (content.match(new RegExp(`^## ${escapeRegExp2(taskId)}\\b`, "gm")) || []).length + 1;
   } else {
     mkdirSync11(resolve24(failedApproachesPath, ".."), { recursive: true });
     writeFileSync11(failedApproachesPath, `# Failed Approaches

package/dist/src/control-plane/hooks/submodule-branch.js

@@ -4509,6 +4509,10 @@ function runtimeGitEnv(projectRoot) {
     }
     env[key] = value;
   }
+  const rigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  if (rigGithubToken && !env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    env.GITHUB_TOKEN = rigGithubToken;
+  }
   if (!env.GITHUB_TOKEN && env.GH_TOKEN) {
     env.GITHUB_TOKEN = env.GH_TOKEN;
   }
@@ -4532,6 +4536,13 @@ function runtimeGitEnv(projectRoot) {
   if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
     env.GH_TOKEN = env.GITHUB_TOKEN;
   }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || env.RIG_GITHUB_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
   if (runtimeKnownHosts && existsSync22(runtimeKnownHosts)) {
     const sshParts = [
       "ssh",
@@ -4548,6 +4559,14 @@ function runtimeGitEnv(projectRoot) {
   }
   return Object.keys(env).length > 0 ? env : undefined;
 }
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
 function loadPersistedRuntimeSecrets(runtimeRoot) {
   if (!runtimeRoot) {
     return {};

package/dist/src/control-plane/hooks/task-runtime-start.js

@@ -4509,6 +4509,10 @@ function runtimeGitEnv(projectRoot) {
     }
     env[key] = value;
   }
+  const rigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  if (rigGithubToken && !env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    env.GITHUB_TOKEN = rigGithubToken;
+  }
   if (!env.GITHUB_TOKEN && env.GH_TOKEN) {
     env.GITHUB_TOKEN = env.GH_TOKEN;
   }
@@ -4532,6 +4536,13 @@ function runtimeGitEnv(projectRoot) {
   if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
     env.GH_TOKEN = env.GITHUB_TOKEN;
   }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || env.RIG_GITHUB_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
   if (runtimeKnownHosts && existsSync22(runtimeKnownHosts)) {
     const sshParts = [
       "ssh",
@@ -4548,6 +4559,14 @@ function runtimeGitEnv(projectRoot) {
   }
   return Object.keys(env).length > 0 ? env : undefined;
 }
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
 function loadPersistedRuntimeSecrets(runtimeRoot) {
   if (!runtimeRoot) {
     return {};

package/dist/src/control-plane/native/git-ops.js

@@ -1773,17 +1773,15 @@ function gitOpenPr(options) {
   const target = options.target || (taskId ? "monorepo" : "project");
   let repoRoot = options.projectRoot;
   let repoLabel = "project-rig";
-  let defaultBase = process.env.RIG_PR_BASE_PROJECT || "main";
+  const envBase = target === "monorepo" ? process.env.RIG_PR_BASE_MONOREPO?.trim() || "" : process.env.RIG_PR_BASE_PROJECT?.trim() || "";
   if (target === "monorepo") {
     repoRoot = resolveOptionalMonorepoRoot(options.projectRoot) || resolveMonorepoRoot2(options.projectRoot);
     repoLabel = "monorepo";
-    defaultBase = process.env.RIG_PR_BASE_MONOREPO || "main";
     if (taskId) {
       gitSyncBranch(options.projectRoot, taskId, "monorepo");
     }
   } else if (taskId) {
     gitSyncBranch(options.projectRoot, taskId, "project");
-    defaultBase = inferProjectBase(options.projectRoot, defaultBase);
   }
   if (!existsSync9(resolve11(repoRoot, ".git"))) {
     throw new Error(`Repository not available for open-pr target ${target}: ${repoRoot}`);
@@ -1792,9 +1790,9 @@ function gitOpenPr(options) {
   if (!branch || branch === "HEAD") {
     throw new Error(`Cannot open PR from detached HEAD in ${repoLabel}. Checkout a branch first.`);
   }
-  const base = options.base || defaultBase;
   const repoNameWithOwner = resolveRepoNameWithOwner(options.projectRoot, repoRoot);
   const networkRemote = resolveNetworkRemoteName(options.projectRoot, repoRoot, repoNameWithOwner);
+  const base = options.base || envBase || inferRepositoryDefaultBase(options.projectRoot, repoRoot, repoNameWithOwner, networkRemote, target === "project" ? inferProjectBase(options.projectRoot, "main") : "main");
   refreshRemoteBaseRef(options.projectRoot, repoRoot, base);
   let reviewer = (options.reviewer || "").trim();
   let reviewerSource = reviewer ? "flag" : undefined;
@@ -2345,6 +2343,32 @@ function withGhRepo(command, repoNameWithOwner) {
   }
   return [command[0], command[1], command[2], ...ghRepoArgs(repoNameWithOwner), ...command.slice(3)];
 }
+function inferRepositoryDefaultBase(projectRoot, repoRoot, repoNameWithOwner, remoteName, fallback) {
+  const remote = remoteName || "origin";
+  const symbolic = runCapture2(gitCmd(projectRoot, repoRoot, "symbolic-ref", "--short", `refs/remotes/${remote}/HEAD`), projectRoot);
+  if (symbolic.exitCode === 0) {
+    const ref = symbolic.stdout.trim().replace(new RegExp(`^${escapeRegExp(remote)}/`), "");
+    if (ref && ref !== "HEAD") {
+      return ref;
+    }
+  }
+  const lsRemote = runCapture2(gitCmd(projectRoot, repoRoot, "ls-remote", "--symref", remote, "HEAD"), projectRoot);
+  if (lsRemote.exitCode === 0) {
+    const match = lsRemote.stdout.match(/^ref:\s+refs\/heads\/([^\t\r\n]+)\s+HEAD/m);
+    if (match?.[1]) {
+      return match[1];
+    }
+  }
+  const gh = resolveGithubCliBinary(projectRoot);
+  if (gh && repoNameWithOwner) {
+    const api = runCapture2(withGhRepo([gh, "repo", "view", "--json", "defaultBranchRef", "--jq", ".defaultBranchRef.name"], repoNameWithOwner), repoRoot);
+    const branch = api.exitCode === 0 ? api.stdout.trim() : "";
+    if (branch) {
+      return branch;
+    }
+  }
+  return fallback;
+}
 function inferProjectBase(projectRoot, fallback) {
   const containing = runCapture2(gitCmd(projectRoot, projectRoot, "branch", "-r", "--contains", "HEAD"), projectRoot);
   if (containing.exitCode !== 0) {
@@ -2726,6 +2750,10 @@ function runtimeGitEnv(projectRoot) {
     }
     env[key] = value;
   }
+  const rigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  if (rigGithubToken && !env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    env.GITHUB_TOKEN = rigGithubToken;
+  }
   if (!env.GITHUB_TOKEN && env.GH_TOKEN) {
     env.GITHUB_TOKEN = env.GH_TOKEN;
   }
@@ -2749,6 +2777,13 @@ function runtimeGitEnv(projectRoot) {
   if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
     env.GH_TOKEN = env.GITHUB_TOKEN;
   }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || env.RIG_GITHUB_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
   if (runtimeKnownHosts && existsSync9(runtimeKnownHosts)) {
     const sshParts = [
       "ssh",
@@ -2765,6 +2800,14 @@ function runtimeGitEnv(projectRoot) {
   }
   return Object.keys(env).length > 0 ? env : undefined;
 }
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
 function loadPersistedRuntimeSecrets(runtimeRoot) {
   if (!runtimeRoot) {
     return {};

package/dist/src/control-plane/native/harness-cli.js

@@ -5455,7 +5455,7 @@ This file records approaches that did not work.
 `, "utf-8");
   }
   const content = readFileSync10(failedPath, "utf-8");
-  const attempts = (content.match(new RegExp(`^## ${escapeRegExp(activeTask)}\\b`, "gm")) || []).length + 1;
+  const attempts = (content.match(new RegExp(`^## ${escapeRegExp2(activeTask)}\\b`, "gm")) || []).length + 1;
   appendFileSync(failedPath, `
 ## ${activeTask} - Attempt ${attempts} (${nowIso()})
 
@@ -5954,7 +5954,7 @@ function printArtifactSection(path, header) {
   process.stdout.write(readFileSync10(path, "utf-8"));
   console.log("");
 }
-function escapeRegExp(value) {
+function escapeRegExp2(value) {
   return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 function changedFilesForTask(projectRoot, taskId, scoped) {
@@ -6181,17 +6181,15 @@ function gitOpenPr(options) {
   const target = options.target || (taskId ? "monorepo" : "project");
   let repoRoot = options.projectRoot;
   let repoLabel = "project-rig";
-  let defaultBase = process.env.RIG_PR_BASE_PROJECT || "main";
+  const envBase = target === "monorepo" ? process.env.RIG_PR_BASE_MONOREPO?.trim() || "" : process.env.RIG_PR_BASE_PROJECT?.trim() || "";
   if (target === "monorepo") {
     repoRoot = resolveOptionalMonorepoRoot(options.projectRoot) || resolveMonorepoRoot2(options.projectRoot);
     repoLabel = "monorepo";
-    defaultBase = process.env.RIG_PR_BASE_MONOREPO || "main";
     if (taskId) {
       gitSyncBranch(options.projectRoot, taskId, "monorepo");
     }
   } else if (taskId) {
     gitSyncBranch(options.projectRoot, taskId, "project");
-    defaultBase = inferProjectBase(options.projectRoot, defaultBase);
   }
   if (!existsSync21(resolve24(repoRoot, ".git"))) {
     throw new Error(`Repository not available for open-pr target ${target}: ${repoRoot}`);
@@ -6200,9 +6198,9 @@ function gitOpenPr(options) {
   if (!branch || branch === "HEAD") {
     throw new Error(`Cannot open PR from detached HEAD in ${repoLabel}. Checkout a branch first.`);
   }
-  const base = options.base || defaultBase;
   const repoNameWithOwner = resolveRepoNameWithOwner(options.projectRoot, repoRoot);
   const networkRemote = resolveNetworkRemoteName(options.projectRoot, repoRoot, repoNameWithOwner);
+  const base = options.base || envBase || inferRepositoryDefaultBase(options.projectRoot, repoRoot, repoNameWithOwner, networkRemote, target === "project" ? inferProjectBase(options.projectRoot, "main") : "main");
   refreshRemoteBaseRef(options.projectRoot, repoRoot, base);
   let reviewer = (options.reviewer || "").trim();
   let reviewerSource = reviewer ? "flag" : undefined;
@@ -6653,6 +6651,32 @@ function withGhRepo(command, repoNameWithOwner) {
   }
   return [command[0], command[1], command[2], ...ghRepoArgs(repoNameWithOwner), ...command.slice(3)];
 }
+function inferRepositoryDefaultBase(projectRoot, repoRoot, repoNameWithOwner, remoteName, fallback) {
+  const remote = remoteName || "origin";
+  const symbolic = runCapture2(gitCmd(projectRoot, repoRoot, "symbolic-ref", "--short", `refs/remotes/${remote}/HEAD`), projectRoot);
+  if (symbolic.exitCode === 0) {
+    const ref = symbolic.stdout.trim().replace(new RegExp(`^${escapeRegExp(remote)}/`), "");
+    if (ref && ref !== "HEAD") {
+      return ref;
+    }
+  }
+  const lsRemote = runCapture2(gitCmd(projectRoot, repoRoot, "ls-remote", "--symref", remote, "HEAD"), projectRoot);
+  if (lsRemote.exitCode === 0) {
+    const match = lsRemote.stdout.match(/^ref:\s+refs\/heads\/([^\t\r\n]+)\s+HEAD/m);
+    if (match?.[1]) {
+      return match[1];
+    }
+  }
+  const gh = resolveGithubCliBinary(projectRoot);
+  if (gh && repoNameWithOwner) {
+    const api = runCapture2(withGhRepo([gh, "repo", "view", "--json", "defaultBranchRef", "--jq", ".defaultBranchRef.name"], repoNameWithOwner), repoRoot);
+    const branch = api.exitCode === 0 ? api.stdout.trim() : "";
+    if (branch) {
+      return branch;
+    }
+  }
+  return fallback;
+}
 function inferProjectBase(projectRoot, fallback) {
   const containing = runCapture2(gitCmd(projectRoot, projectRoot, "branch", "-r", "--contains", "HEAD"), projectRoot);
   if (containing.exitCode !== 0) {
@@ -7034,6 +7058,10 @@ function runtimeGitEnv(projectRoot) {
     }
     env[key] = value;
   }
+  const rigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  if (rigGithubToken && !env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    env.GITHUB_TOKEN = rigGithubToken;
+  }
   if (!env.GITHUB_TOKEN && env.GH_TOKEN) {
     env.GITHUB_TOKEN = env.GH_TOKEN;
   }
@@ -7057,6 +7085,13 @@ function runtimeGitEnv(projectRoot) {
   if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
     env.GH_TOKEN = env.GITHUB_TOKEN;
   }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || env.RIG_GITHUB_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
   if (runtimeKnownHosts && existsSync21(runtimeKnownHosts)) {
     const sshParts = [
       "ssh",
@@ -7073,6 +7108,14 @@ function runtimeGitEnv(projectRoot) {
   }
   return Object.keys(env).length > 0 ? env : undefined;
 }
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
 function loadPersistedRuntimeSecrets(runtimeRoot) {
   if (!runtimeRoot) {
     return {};

package/dist/src/control-plane/native/task-ops.js

@@ -5634,7 +5634,7 @@ This file records approaches that did not work.
 `, "utf-8");
   }
   const content = readFileSync10(failedPath, "utf-8");
-  const attempts = (content.match(new RegExp(`^## ${escapeRegExp(activeTask)}\\b`, "gm")) || []).length + 1;
+  const attempts = (content.match(new RegExp(`^## ${escapeRegExp2(activeTask)}\\b`, "gm")) || []).length + 1;
   appendFileSync(failedPath, `
 ## ${activeTask} - Attempt ${attempts} (${nowIso()})
 
@@ -6290,7 +6290,7 @@ function printArtifactSection(path, header) {
   process.stdout.write(readFileSync10(path, "utf-8"));
   console.log("");
 }
-function escapeRegExp(value) {
+function escapeRegExp2(value) {
   return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 function changedFilesForTask(projectRoot, taskId, scoped) {

package/dist/src/control-plane/runtime/index.js

@@ -6331,6 +6331,10 @@ async function runtimeEnv(projectRoot, runtime) {
       env[key] = value;
     }
   }
+  const rigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  if (rigGithubToken && !env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    env.GITHUB_TOKEN = rigGithubToken;
+  }
   const fallbackGithubToken = !env.GITHUB_TOKEN && !env.GH_TOKEN ? await resolveGithubCliAuthToken(hostGhBinary) : "";
   if (fallbackGithubToken) {
     env.GITHUB_TOKEN = fallbackGithubToken;
@@ -6341,6 +6345,13 @@ async function runtimeEnv(projectRoot, runtime) {
   if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
     env.GH_TOKEN = env.GITHUB_TOKEN;
   }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
   if (!env.GREPTILE_GITHUB_TOKEN && env.GITHUB_TOKEN) {
     env.GREPTILE_GITHUB_TOKEN = env.GITHUB_TOKEN;
   }
@@ -6436,12 +6447,21 @@ async function materializeRuntimeCertBundle(runtime) {
   }
   return targetPath;
 }
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
 function persistRuntimeSecrets(runtimeRoot, env) {
   const secretsPath = resolve27(runtimeRoot, "runtime-secrets.json");
   const persisted = {};
   for (const key of [
     "GITHUB_TOKEN",
     "GH_TOKEN",
+    "RIG_GITHUB_TOKEN",
     "GREPTILE_GITHUB_TOKEN",
     "GREPTILE_API_KEY",
     "AI_REVIEW_MODE",

package/dist/src/control-plane/runtime/isolation/home.js

@@ -863,6 +863,10 @@ async function runtimeEnv(projectRoot, runtime) {
       env[key] = value;
     }
   }
+  const rigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  if (rigGithubToken && !env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    env.GITHUB_TOKEN = rigGithubToken;
+  }
   const fallbackGithubToken = !env.GITHUB_TOKEN && !env.GH_TOKEN ? await resolveGithubCliAuthToken(hostGhBinary) : "";
   if (fallbackGithubToken) {
     env.GITHUB_TOKEN = fallbackGithubToken;
@@ -873,6 +877,13 @@ async function runtimeEnv(projectRoot, runtime) {
   if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
     env.GH_TOKEN = env.GITHUB_TOKEN;
   }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
   if (!env.GREPTILE_GITHUB_TOKEN && env.GITHUB_TOKEN) {
     env.GREPTILE_GITHUB_TOKEN = env.GITHUB_TOKEN;
   }
@@ -968,12 +979,21 @@ async function materializeRuntimeCertBundle(runtime) {
   }
   return targetPath;
 }
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
 function persistRuntimeSecrets(runtimeRoot, env) {
   const secretsPath = resolve7(runtimeRoot, "runtime-secrets.json");
   const persisted = {};
   for (const key of [
     "GITHUB_TOKEN",
     "GH_TOKEN",
+    "RIG_GITHUB_TOKEN",
     "GREPTILE_GITHUB_TOKEN",
     "GREPTILE_API_KEY",
     "AI_REVIEW_MODE",

package/dist/src/control-plane/runtime/isolation/index.js

@@ -5631,6 +5631,10 @@ async function runtimeEnv(projectRoot, runtime) {
       env[key] = value;
     }
   }
+  const rigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  if (rigGithubToken && !env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    env.GITHUB_TOKEN = rigGithubToken;
+  }
   const fallbackGithubToken = !env.GITHUB_TOKEN && !env.GH_TOKEN ? await resolveGithubCliAuthToken(hostGhBinary) : "";
   if (fallbackGithubToken) {
     env.GITHUB_TOKEN = fallbackGithubToken;
@@ -5641,6 +5645,13 @@ async function runtimeEnv(projectRoot, runtime) {
   if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
     env.GH_TOKEN = env.GITHUB_TOKEN;
   }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
   if (!env.GREPTILE_GITHUB_TOKEN && env.GITHUB_TOKEN) {
     env.GREPTILE_GITHUB_TOKEN = env.GITHUB_TOKEN;
   }
@@ -5736,12 +5747,21 @@ async function materializeRuntimeCertBundle(runtime) {
   }
   return targetPath;
 }
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
 function persistRuntimeSecrets(runtimeRoot, env) {
   const secretsPath = resolve25(runtimeRoot, "runtime-secrets.json");
   const persisted = {};
   for (const key of [
     "GITHUB_TOKEN",
     "GH_TOKEN",
+    "RIG_GITHUB_TOKEN",
     "GREPTILE_GITHUB_TOKEN",
     "GREPTILE_API_KEY",
     "AI_REVIEW_MODE",

package/dist/src/control-plane/runtime/isolation/runner.js

@@ -2261,6 +2261,10 @@ async function runtimeEnv(projectRoot, runtime) {
       env[key] = value;
     }
   }
+  const rigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  if (rigGithubToken && !env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    env.GITHUB_TOKEN = rigGithubToken;
+  }
   const fallbackGithubToken = !env.GITHUB_TOKEN && !env.GH_TOKEN ? await resolveGithubCliAuthToken(hostGhBinary) : "";
   if (fallbackGithubToken) {
     env.GITHUB_TOKEN = fallbackGithubToken;
@@ -2271,6 +2275,13 @@ async function runtimeEnv(projectRoot, runtime) {
   if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
     env.GH_TOKEN = env.GITHUB_TOKEN;
   }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
   if (!env.GREPTILE_GITHUB_TOKEN && env.GITHUB_TOKEN) {
     env.GREPTILE_GITHUB_TOKEN = env.GITHUB_TOKEN;
   }
@@ -2318,12 +2329,21 @@ async function materializeRuntimeCertBundle(runtime) {
   }
   return targetPath;
 }
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
 function persistRuntimeSecrets(runtimeRoot, env) {
   const secretsPath = resolve11(runtimeRoot, "runtime-secrets.json");
   const persisted = {};
   for (const key of [
     "GITHUB_TOKEN",
     "GH_TOKEN",
+    "RIG_GITHUB_TOKEN",
     "GREPTILE_GITHUB_TOKEN",
     "GREPTILE_API_KEY",
     "AI_REVIEW_MODE",

package/dist/src/control-plane/runtime/isolation.js

@@ -5631,6 +5631,10 @@ async function runtimeEnv(projectRoot, runtime) {
       env[key] = value;
     }
   }
+  const rigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  if (rigGithubToken && !env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    env.GITHUB_TOKEN = rigGithubToken;
+  }
   const fallbackGithubToken = !env.GITHUB_TOKEN && !env.GH_TOKEN ? await resolveGithubCliAuthToken(hostGhBinary) : "";
   if (fallbackGithubToken) {
     env.GITHUB_TOKEN = fallbackGithubToken;
@@ -5641,6 +5645,13 @@ async function runtimeEnv(projectRoot, runtime) {
   if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
     env.GH_TOKEN = env.GITHUB_TOKEN;
   }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
   if (!env.GREPTILE_GITHUB_TOKEN && env.GITHUB_TOKEN) {
     env.GREPTILE_GITHUB_TOKEN = env.GITHUB_TOKEN;
   }
@@ -5736,12 +5747,21 @@ async function materializeRuntimeCertBundle(runtime) {
   }
   return targetPath;
 }
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
 function persistRuntimeSecrets(runtimeRoot, env) {
   const secretsPath = resolve25(runtimeRoot, "runtime-secrets.json");
   const persisted = {};
   for (const key of [
     "GITHUB_TOKEN",
     "GH_TOKEN",
+    "RIG_GITHUB_TOKEN",
     "GREPTILE_GITHUB_TOKEN",
     "GREPTILE_API_KEY",
     "AI_REVIEW_MODE",

package/dist/src/control-plane/runtime/queue.js

@@ -6355,6 +6355,10 @@ async function runtimeEnv(projectRoot, runtime) {
       env[key] = value;
     }
   }
+  const rigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  if (rigGithubToken && !env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    env.GITHUB_TOKEN = rigGithubToken;
+  }
   const fallbackGithubToken = !env.GITHUB_TOKEN && !env.GH_TOKEN ? await resolveGithubCliAuthToken(hostGhBinary) : "";
   if (fallbackGithubToken) {
     env.GITHUB_TOKEN = fallbackGithubToken;
@@ -6365,6 +6369,13 @@ async function runtimeEnv(projectRoot, runtime) {
   if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
     env.GH_TOKEN = env.GITHUB_TOKEN;
   }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
   if (!env.GREPTILE_GITHUB_TOKEN && env.GITHUB_TOKEN) {
     env.GREPTILE_GITHUB_TOKEN = env.GITHUB_TOKEN;
   }
@@ -6460,12 +6471,21 @@ async function materializeRuntimeCertBundle(runtime) {
   }
   return targetPath;
 }
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
 function persistRuntimeSecrets(runtimeRoot, env) {
   const secretsPath = resolve27(runtimeRoot, "runtime-secrets.json");
   const persisted = {};
   for (const key of [
     "GITHUB_TOKEN",
     "GH_TOKEN",
+    "RIG_GITHUB_TOKEN",
     "GREPTILE_GITHUB_TOKEN",
     "GREPTILE_API_KEY",
     "AI_REVIEW_MODE",

package/native/darwin-arm64/rig-git.build-manifest.json

@@ -0,0 +1,4 @@
+{
+  "version": 1,
+  "buildKey": "{\"version\":1,\"sourcePath\":\"/var/folders/zr/6js4xbjs3bgf46v76j145mlw0000gn/T/rig-native/rig-git-darwin-arm64\",\"sourceDigest\":\"5d1f9d17af5789a15328b4c4aff2b155962bd9d8e180812fa67a30c1685b2bf3\"}"
+}

package/native/darwin-arm64/rig-shell.build-manifest.json

@@ -0,0 +1,4 @@
+{
+  "version": 1,
+  "buildKey": "{\"version\":1,\"sourcePath\":\"/var/folders/zr/6js4xbjs3bgf46v76j145mlw0000gn/T/rig-native/rig-shell-darwin-arm64\",\"sourceDigest\":\"082addd699beb1eb87d242208741012bba54becf7e2c3cd85904c68c200be3e3\"}"
+}

package/native/darwin-arm64/rig-tools.build-manifest.json

@@ -0,0 +1,4 @@
+{
+  "version": 1,
+  "buildKey": "{\"version\":1,\"sourcePath\":\"/var/folders/zr/6js4xbjs3bgf46v76j145mlw0000gn/T/rig-native/rig-tools-darwin-arm64\",\"sourceDigest\":\"a0950e37e897d520196d93e5487bade084e5f0cad45c57843b4e9f16a6421da8\"}"
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@h-rig/runtime",
-  "version": "0.0.6-alpha.1",
+  "version": "0.0.6-alpha.3",
   "type": "module",
   "description": "Rig package",
   "license": "UNLICENSED",
@@ -64,11 +64,11 @@
   "module": "./dist/src/index.js",
   "dependencies": {
     "@libsql/client": "^0.17.2",
-    "@rig/contracts": "npm:@h-rig/contracts@0.0.6-alpha.1",
-    "@rig/core": "npm:@h-rig/core@0.0.6-alpha.1",
-    "@rig/hook-kit": "npm:@h-rig/hook-kit@0.0.6-alpha.1",
-    "@rig/shared": "npm:@h-rig/shared@0.0.6-alpha.1",
-    "@rig/validator-kit": "npm:@h-rig/validator-kit@0.0.6-alpha.1",
+    "@rig/contracts": "npm:@h-rig/contracts@0.0.6-alpha.3",
+    "@rig/core": "npm:@h-rig/core@0.0.6-alpha.3",
+    "@rig/hook-kit": "npm:@h-rig/hook-kit@0.0.6-alpha.3",
+    "@rig/shared": "npm:@h-rig/shared@0.0.6-alpha.3",
+    "@rig/validator-kit": "npm:@h-rig/validator-kit@0.0.6-alpha.3",
     "effect": "4.0.0-beta.78",
     "smol-toml": "^1.6.0"
   }

package/native/darwin-arm64/manifest.json

@@ -1 +0,0 @@
-{"platform":"darwin-arm64","suffix":"dylib","builtAt":"2026-06-07T22:55:24Z"}

package/native/linux-x64/manifest.json

@@ -1 +0,0 @@
-{"platform":"linux-x64","suffix":"so","builtAt":"2026-06-07T22:56:41Z"}