@h-rig/runtime 0.0.6-alpha.2 → 0.0.6-alpha.20

package/dist/src/control-plane/hooks/inject-context.js

@@ -2484,8 +2484,8 @@ function githubStatusFor(issue) {
   return "open";
 }
 function selectedGitHubEnv() {
-  const token = process.env.RIG_GITHUB_SELECTED_TOKEN?.trim() ?? "";
-  return { GH_TOKEN: token, GITHUB_TOKEN: token };
+  const token = process.env.RIG_GITHUB_SELECTED_TOKEN?.trim() || process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  return { GH_TOKEN: token, GITHUB_TOKEN: token, RIG_GITHUB_TOKEN: token };
 }
 function ghSpawnOptions() {
   return { encoding: "utf-8", env: { ...process.env, ...selectedGitHubEnv() } };

package/dist/src/control-plane/hooks/submodule-branch.js

@@ -1706,8 +1706,8 @@ function githubStatusFor(issue) {
   return "open";
 }
 function selectedGitHubEnv() {
-  const token = process.env.RIG_GITHUB_SELECTED_TOKEN?.trim() ?? "";
-  return { GH_TOKEN: token, GITHUB_TOKEN: token };
+  const token = process.env.RIG_GITHUB_SELECTED_TOKEN?.trim() || process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  return { GH_TOKEN: token, GITHUB_TOKEN: token, RIG_GITHUB_TOKEN: token };
 }
 function ghSpawnOptions() {
   return { encoding: "utf-8", env: { ...process.env, ...selectedGitHubEnv() } };
@@ -4509,6 +4509,10 @@ function runtimeGitEnv(projectRoot) {
     }
     env[key] = value;
   }
+  const rigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  if (rigGithubToken && !env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    env.GITHUB_TOKEN = rigGithubToken;
+  }
   if (!env.GITHUB_TOKEN && env.GH_TOKEN) {
     env.GITHUB_TOKEN = env.GH_TOKEN;
   }
@@ -4532,6 +4536,13 @@ function runtimeGitEnv(projectRoot) {
   if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
     env.GH_TOKEN = env.GITHUB_TOKEN;
   }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || env.RIG_GITHUB_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
   if (runtimeKnownHosts && existsSync22(runtimeKnownHosts)) {
     const sshParts = [
       "ssh",
@@ -4548,6 +4559,14 @@ function runtimeGitEnv(projectRoot) {
   }
   return Object.keys(env).length > 0 ? env : undefined;
 }
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
 function loadPersistedRuntimeSecrets(runtimeRoot) {
   if (!runtimeRoot) {
     return {};
@@ -7603,7 +7622,11 @@ async function ensureAgentRuntime(options) {
   mkdirSync21(runtime.binDir, { recursive: true });
   mkdirSync21(workspaceLayout.distDir, { recursive: true });
   prepareRuntimeWorkspace(options.projectRoot, workspaceDir);
-  await resetEphemeralTaskArtifacts(workspaceDir, options.taskId);
+  if (options.preserveTaskArtifacts) {
+    console.log(`[rig-agent] Preserving runtime task artifacts for resume of ${options.taskId}.`);
+  } else {
+    await resetEphemeralTaskArtifacts(workspaceDir, options.taskId);
+  }
   const ctx = {
     runtimeId: options.id,
     taskId: options.taskId,

package/dist/src/control-plane/hooks/task-runtime-start.js

@@ -1706,8 +1706,8 @@ function githubStatusFor(issue) {
   return "open";
 }
 function selectedGitHubEnv() {
-  const token = process.env.RIG_GITHUB_SELECTED_TOKEN?.trim() ?? "";
-  return { GH_TOKEN: token, GITHUB_TOKEN: token };
+  const token = process.env.RIG_GITHUB_SELECTED_TOKEN?.trim() || process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  return { GH_TOKEN: token, GITHUB_TOKEN: token, RIG_GITHUB_TOKEN: token };
 }
 function ghSpawnOptions() {
   return { encoding: "utf-8", env: { ...process.env, ...selectedGitHubEnv() } };
@@ -4509,6 +4509,10 @@ function runtimeGitEnv(projectRoot) {
     }
     env[key] = value;
   }
+  const rigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  if (rigGithubToken && !env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    env.GITHUB_TOKEN = rigGithubToken;
+  }
   if (!env.GITHUB_TOKEN && env.GH_TOKEN) {
     env.GITHUB_TOKEN = env.GH_TOKEN;
   }
@@ -4532,6 +4536,13 @@ function runtimeGitEnv(projectRoot) {
   if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
     env.GH_TOKEN = env.GITHUB_TOKEN;
   }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || env.RIG_GITHUB_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
   if (runtimeKnownHosts && existsSync22(runtimeKnownHosts)) {
     const sshParts = [
       "ssh",
@@ -4548,6 +4559,14 @@ function runtimeGitEnv(projectRoot) {
   }
   return Object.keys(env).length > 0 ? env : undefined;
 }
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
 function loadPersistedRuntimeSecrets(runtimeRoot) {
   if (!runtimeRoot) {
     return {};
@@ -7603,7 +7622,11 @@ async function ensureAgentRuntime(options) {
   mkdirSync21(runtime.binDir, { recursive: true });
   mkdirSync21(workspaceLayout.distDir, { recursive: true });
   prepareRuntimeWorkspace(options.projectRoot, workspaceDir);
-  await resetEphemeralTaskArtifacts(workspaceDir, options.taskId);
+  if (options.preserveTaskArtifacts) {
+    console.log(`[rig-agent] Preserving runtime task artifacts for resume of ${options.taskId}.`);
+  } else {
+    await resetEphemeralTaskArtifacts(workspaceDir, options.taskId);
+  }
   const ctx = {
     runtimeId: options.id,
     taskId: options.taskId,

package/dist/src/control-plane/native/git-ops.js

@@ -1365,6 +1365,30 @@ function sourceTaskConfigCandidates(projectRoot) {
 
 // packages/runtime/src/binary-run.ts
 var runtimeBinaryBuildQueue = Promise.resolve();
+// packages/runtime/src/control-plane/native/pr-review-gate.ts
+function strictMergeHeadShaFromGate(result, prUrl) {
+  if (!result.approved) {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate is not approved.`);
+  }
+  if (result.evidence.prUrl !== prUrl) {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate evidence belongs to ${result.evidence.prUrl}.`);
+  }
+  const headSha = result.evidence.headSha?.trim();
+  if (!headSha) {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate did not provide a current head SHA.`);
+  }
+  if (!/^[0-9a-f]{40}$/i.test(headSha)) {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate head is not a raw 40-character commit SHA.`);
+  }
+  if (!result.evidence.greptile.fresh || result.evidence.greptile.currentHeadSha !== headSha) {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate approval is not tied to head ${headSha}.`);
+  }
+  if (result.evidence.greptile.mapping !== "score-5-of-5" && result.evidence.greptile.mapping !== "explicit-approved") {
+    throw new Error(`Refusing to merge ${prUrl}: strict merge gate mapping is ${result.evidence.greptile.mapping}.`);
+  }
+  return headSha;
+}
+
 // packages/runtime/src/control-plane/provider/runtime-instructions.ts
 var CLAUDE_ROUTER_TOOL_NAMES = [
   "`mcp__rig_runtime_tools__read`",
@@ -1575,12 +1599,12 @@ var TASK_ARTIFACT_STAGE_FALLBACK = new Set([
   "task-result.json",
   "validation-summary.json"
 ]);
-function resolveHostRigBinDir(root) {
-  return resolve11(root, ".rig", "bin");
-}
 function isRuntimeGatewayGitPath(candidate) {
   return /\/\.rig\/bin\/git$/.test(candidate.replace(/\\/g, "/"));
 }
+function isRuntimeGatewayGhPath(candidate) {
+  return /\/\.rig\/bin\/gh$/.test(candidate.replace(/\\/g, "/"));
+}
 function resolveOptionalMonorepoRoot(projectRoot) {
   const runtimeWorkspace = process.env.RIG_TASK_WORKSPACE?.trim();
   if (runtimeWorkspace && existsSync9(resolve11(runtimeWorkspace, ".git"))) {
@@ -1615,6 +1639,9 @@ function resolveGitBinary(projectRoot) {
   }
   return "git";
 }
+function escapeRegExp(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
 function safeCurrentTaskId(projectRoot) {
   try {
     const taskId = currentTaskId(projectRoot);
@@ -1773,17 +1800,15 @@ function gitOpenPr(options) {
   const target = options.target || (taskId ? "monorepo" : "project");
   let repoRoot = options.projectRoot;
   let repoLabel = "project-rig";
-  let defaultBase = process.env.RIG_PR_BASE_PROJECT || "main";
+  const envBase = target === "monorepo" ? process.env.RIG_PR_BASE_MONOREPO?.trim() || "" : process.env.RIG_PR_BASE_PROJECT?.trim() || "";
   if (target === "monorepo") {
     repoRoot = resolveOptionalMonorepoRoot(options.projectRoot) || resolveMonorepoRoot2(options.projectRoot);
     repoLabel = "monorepo";
-    defaultBase = process.env.RIG_PR_BASE_MONOREPO || "main";
     if (taskId) {
       gitSyncBranch(options.projectRoot, taskId, "monorepo");
     }
   } else if (taskId) {
     gitSyncBranch(options.projectRoot, taskId, "project");
-    defaultBase = inferProjectBase(options.projectRoot, defaultBase);
   }
   if (!existsSync9(resolve11(repoRoot, ".git"))) {
     throw new Error(`Repository not available for open-pr target ${target}: ${repoRoot}`);
@@ -1792,9 +1817,9 @@ function gitOpenPr(options) {
   if (!branch || branch === "HEAD") {
     throw new Error(`Cannot open PR from detached HEAD in ${repoLabel}. Checkout a branch first.`);
   }
-  const base = options.base || defaultBase;
   const repoNameWithOwner = resolveRepoNameWithOwner(options.projectRoot, repoRoot);
   const networkRemote = resolveNetworkRemoteName(options.projectRoot, repoRoot, repoNameWithOwner);
+  const base = options.base || envBase || inferRepositoryDefaultBase(options.projectRoot, repoRoot, repoNameWithOwner, networkRemote, target === "project" ? inferProjectBase(options.projectRoot, "main") : "main");
   refreshRemoteBaseRef(options.projectRoot, repoRoot, base);
   let reviewer = (options.reviewer || "").trim();
   let reviewerSource = reviewer ? "flag" : undefined;
@@ -1830,10 +1855,11 @@ function gitOpenPr(options) {
     "",
     "## Task",
     `- beads: ${taskId || "n/a"}`,
+    ...defaultPrRunLines(taskId, repoNameWithOwner),
     "",
     "## Review",
     "- Completion verification will run validation, verifier review, and PR policy checks.",
-    "- When repository policy allows it, Rig enables GitHub auto-merge after approval."
+    "- When repository policy allows it, Rig attempts an immediate strict-gated, head-locked merge after approval."
   ].join(`
 `);
   const preCheck = runCapture2(withGhRepo([gh, "pr", "list", "--state", "merged", "--head", branch, "--json", "url,mergedAt", "--jq", ".[0]"], repoNameWithOwner), repoRoot);
@@ -1921,6 +1947,30 @@ function gitOpenPr(options) {
   }
   return result;
 }
+function defaultPrRunLines(taskId, repoNameWithOwner) {
+  const lines = [];
+  const runId = process.env.RIG_SERVER_RUN_ID?.trim();
+  if (runId) {
+    lines.push(`- Run: ${runId}`);
+  }
+  const closeout = defaultPrCloseoutLine(taskId, repoNameWithOwner);
+  if (closeout) {
+    lines.push(`- ${closeout}`);
+  }
+  return lines;
+}
+function defaultPrCloseoutLine(taskId, repoNameWithOwner) {
+  const sourceIssueId = loadRuntimeContextFromEnv()?.sourceTask?.sourceIssueId;
+  if (sourceIssueId) {
+    const match = sourceIssueId.match(/^([^#]+)#(\d+)$/);
+    if (match?.[1] && match[2]) {
+      const sourceRepo = match[1];
+      const issueNumber = match[2];
+      return sourceRepo.toLowerCase() === repoNameWithOwner.toLowerCase() ? `Closes #${issueNumber}` : `Closes ${sourceRepo}#${issueNumber}`;
+    }
+  }
+  return /^\d+$/.test(taskId) ? `Closes #${taskId}` : "";
+}
 function resolveTaskBranchRef(projectRoot, taskId) {
   return `rig/${resolveTaskBranchId(projectRoot, taskId)}`;
 }
@@ -2005,61 +2055,45 @@ function gitMergePr(options) {
     return { status: "already-merged", url: options.pr.url };
   }
   if (state !== "OPEN") {
-    throw new Error(`Cannot auto-merge PR ${options.pr.url}: state is ${state}.`);
+    throw new Error(`Cannot merge PR ${options.pr.url}: state is ${state}.`);
   }
   if (isDraft) {
-    throw new Error(`Cannot auto-merge draft PR ${options.pr.url}.`);
+    throw new Error(`Cannot merge draft PR ${options.pr.url}.`);
   }
+  const strictGateHeadSha = strictMergeHeadShaFromGate(options.strictGate, options.pr.url);
   const mergeArgs = withGhRepo([gh, "pr", "merge", options.pr.url], repoNameWithOwner);
   const method = options.method || "squash";
   mergeArgs.push(method === "merge" ? "--merge" : method === "rebase" ? "--rebase" : "--squash");
+  mergeArgs.push("--match-head-commit", strictGateHeadSha);
   if (options.deleteBranch !== false) {
     mergeArgs.push("--delete-branch");
   }
-  const autoMergeArgs = [...mergeArgs, "--auto"];
-  const autoMerge = runCapture2(autoMergeArgs, repoRoot);
-  if (autoMerge.exitCode === 0) {
-    const postAutoMergeState = readPrViewState(gh, repoRoot, repoNameWithOwner, options.pr.url);
-    if (postAutoMergeState.state === "MERGED" || postAutoMergeState.mergedAt) {
-      console.log(`Merged PR (${options.pr.repoLabel}): ${options.pr.url}`);
-      return { status: "merged", url: options.pr.url };
-    }
-    if (postAutoMergeState.state === "OPEN" && postAutoMergeState.autoMergeRequest) {
-      if (canAdminMergeApprovedPr(postAutoMergeState)) {
-        const adminMergeArgs = [...mergeArgs];
-        if (postAutoMergeState.headRefOid) {
-          adminMergeArgs.push("--match-head-commit", postAutoMergeState.headRefOid);
-        }
-        adminMergeArgs.push("--admin");
-        const adminMerge = runCapture2(adminMergeArgs, repoRoot);
-        if (adminMerge.exitCode === 0) {
-          const postAdminMergeState = readPrViewState(gh, repoRoot, repoNameWithOwner, options.pr.url);
-          if (postAdminMergeState.state === "MERGED" || postAdminMergeState.mergedAt) {
-            console.log(`Merged PR (${options.pr.repoLabel}) with admin fallback: ${options.pr.url}`);
-            return { status: "merged", url: options.pr.url };
-          }
-          throw new Error(`Admin merge command succeeded for PR ${options.pr.url} in ${options.pr.repoLabel}, but GitHub still reports it open.`);
-        }
-        const adminMergeMessage = `${adminMerge.stderr}
-${adminMerge.stdout}`.trim();
-        if (!/admin|administrator|permission|not permitted|not allowed/i.test(adminMergeMessage)) {
-          throw new Error(`Failed to admin-merge PR ${options.pr.url} in ${options.pr.repoLabel}: ${adminMergeMessage}`);
-        }
+  const directMerge = runCapture2(mergeArgs, repoRoot);
+  if (directMerge.exitCode === 0) {
+    console.log(`Merged PR (${options.pr.repoLabel}): ${options.pr.url}`);
+    return { status: "merged", url: options.pr.url };
+  }
+  const postDirectState = readPrViewState(gh, repoRoot, repoNameWithOwner, options.pr.url);
+  if (canAdminMergeApprovedPr(postDirectState)) {
+    const adminMergeArgs = [...mergeArgs, "--admin"];
+    const adminMerge = runCapture2(adminMergeArgs, repoRoot);
+    if (adminMerge.exitCode === 0) {
+      const postAdminMergeState = readPrViewState(gh, repoRoot, repoNameWithOwner, options.pr.url);
+      if (postAdminMergeState.state === "MERGED" || postAdminMergeState.mergedAt) {
+        console.log(`Merged PR (${options.pr.repoLabel}) with admin fallback: ${options.pr.url}`);
+        return { status: "merged", url: options.pr.url };
       }
-      console.log(`Auto-merge enabled (${options.pr.repoLabel}): ${options.pr.url}`);
-      return { status: "auto-merge-enabled", url: options.pr.url };
+      throw new Error(`Admin merge command succeeded for PR ${options.pr.url} in ${options.pr.repoLabel}, but GitHub still reports it open.`);
+    }
+    const adminMergeMessage = `${adminMerge.stderr}
+${adminMerge.stdout}`.trim();
+    if (!/admin|administrator|permission|not permitted|not allowed/i.test(adminMergeMessage)) {
+      throw new Error(`Failed to admin-merge PR ${options.pr.url} in ${options.pr.repoLabel}: ${adminMergeMessage}`);
     }
-    throw new Error(`Auto-merge command succeeded for PR ${options.pr.url} in ${options.pr.repoLabel}, but GitHub did not report a merged or auto-merge-enabled state.`);
-  }
-  const autoMergeMessage = `${autoMerge.stderr}
-${autoMerge.stdout}`.trim();
-  const autoMergeUnsupported = /auto.?merge.*(not enabled|not allowed|disabled|unsupported)|enablePullRequestAutoMerge|Auto merge is not allowed/i.test(autoMergeMessage);
-  if (!autoMergeUnsupported) {
-    throw new Error(`Failed to auto-merge PR ${options.pr.url} in ${options.pr.repoLabel}: ${autoMergeMessage}`);
   }
-  runOrThrow(options.projectRoot, mergeArgs, `Failed to merge PR ${options.pr.url} in ${options.pr.repoLabel}`);
-  console.log(`Merged PR (${options.pr.repoLabel}): ${options.pr.url}`);
-  return { status: "merged", url: options.pr.url };
+  const directMergeMessage = `${directMerge.stderr}
+${directMerge.stdout}`.trim();
+  throw new Error(`Failed to merge PR ${options.pr.url} in ${options.pr.repoLabel}: ${directMergeMessage}`);
 }
 function assertPrHasNoGitConflicts(prState, repoLabel, baseRef) {
   const mergeable = prState.mergeable.toUpperCase();
@@ -2171,32 +2205,19 @@ function resolveGithubCliBinary(projectRoot) {
   if (explicit) {
     candidates.add(explicit);
   }
+  for (const candidate of ["/usr/bin/gh", "/opt/homebrew/bin/gh", "/usr/local/bin/gh"]) {
+    candidates.add(candidate);
+  }
   const explicitPathEntries = (process.env.PATH || "").split(":").map((entry) => entry.trim()).filter(Boolean);
   for (const entry of explicitPathEntries) {
     candidates.add(resolve11(entry, "gh"));
   }
-  const hostProjectRoot = process.env.RIG_HOST_PROJECT_ROOT?.trim();
-  if (hostProjectRoot) {
-    candidates.add(resolve11(resolveHostRigBinDir(hostProjectRoot), "gh"));
-  }
-  candidates.add(resolve11(resolveHostRigBinDir(projectRoot), "gh"));
-  const runtimeContext = loadRuntimeContextFromEnv();
-  if (runtimeContext?.binDir) {
-    candidates.add(resolve11(runtimeContext.binDir, "gh"));
-  }
-  const runtimeHome = process.env.RIG_RUNTIME_HOME?.trim();
-  if (runtimeHome) {
-    candidates.add(resolve11(runtimeHome, "bin", "gh"));
-  }
-  for (const candidate of ["/opt/homebrew/bin/gh", "/usr/local/bin/gh", "/usr/bin/gh"]) {
-    candidates.add(candidate);
-  }
   const bunResolved = Bun.which("gh");
   if (bunResolved) {
     candidates.add(bunResolved);
   }
   for (const candidate of candidates) {
-    if (candidate && existsSync9(candidate)) {
+    if (candidate && existsSync9(candidate) && !isRuntimeGatewayGhPath(candidate)) {
       return candidate;
     }
   }
@@ -2345,6 +2366,32 @@ function withGhRepo(command, repoNameWithOwner) {
   }
   return [command[0], command[1], command[2], ...ghRepoArgs(repoNameWithOwner), ...command.slice(3)];
 }
+function inferRepositoryDefaultBase(projectRoot, repoRoot, repoNameWithOwner, remoteName, fallback) {
+  const remote = remoteName || "origin";
+  const symbolic = runCapture2(gitCmd(projectRoot, repoRoot, "symbolic-ref", "--short", `refs/remotes/${remote}/HEAD`), projectRoot);
+  if (symbolic.exitCode === 0) {
+    const ref = symbolic.stdout.trim().replace(new RegExp(`^${escapeRegExp(remote)}/`), "");
+    if (ref && ref !== "HEAD") {
+      return ref;
+    }
+  }
+  const lsRemote = runCapture2(gitCmd(projectRoot, repoRoot, "ls-remote", "--symref", remote, "HEAD"), projectRoot);
+  if (lsRemote.exitCode === 0) {
+    const match = lsRemote.stdout.match(/^ref:\s+refs\/heads\/([^\t\r\n]+)\s+HEAD/m);
+    if (match?.[1]) {
+      return match[1];
+    }
+  }
+  const gh = resolveGithubCliBinary(projectRoot);
+  if (gh && repoNameWithOwner) {
+    const api = runCapture2(withGhRepo([gh, "repo", "view", "--json", "defaultBranchRef", "--jq", ".defaultBranchRef.name"], repoNameWithOwner), repoRoot);
+    const branch = api.exitCode === 0 ? api.stdout.trim() : "";
+    if (branch) {
+      return branch;
+    }
+  }
+  return fallback;
+}
 function inferProjectBase(projectRoot, fallback) {
   const containing = runCapture2(gitCmd(projectRoot, projectRoot, "branch", "-r", "--contains", "HEAD"), projectRoot);
   if (containing.exitCode !== 0) {
@@ -2726,6 +2773,10 @@ function runtimeGitEnv(projectRoot) {
     }
     env[key] = value;
   }
+  const rigGithubToken = process.env.RIG_GITHUB_TOKEN?.trim() || "";
+  if (rigGithubToken && !env.GITHUB_TOKEN && !env.GH_TOKEN) {
+    env.GITHUB_TOKEN = rigGithubToken;
+  }
   if (!env.GITHUB_TOKEN && env.GH_TOKEN) {
     env.GITHUB_TOKEN = env.GH_TOKEN;
   }
@@ -2749,6 +2800,13 @@ function runtimeGitEnv(projectRoot) {
   if (!env.GH_TOKEN && env.GITHUB_TOKEN) {
     env.GH_TOKEN = env.GITHUB_TOKEN;
   }
+  const gitHubToken = env.GITHUB_TOKEN || env.GH_TOKEN || env.RIG_GITHUB_TOKEN || rigGithubToken;
+  if (gitHubToken) {
+    env.RIG_GITHUB_TOKEN = gitHubToken;
+    env.GITHUB_TOKEN = env.GITHUB_TOKEN || gitHubToken;
+    env.GH_TOKEN = env.GH_TOKEN || gitHubToken;
+    applyGitHubCredentialHelperEnv(env);
+  }
   if (runtimeKnownHosts && existsSync9(runtimeKnownHosts)) {
     const sshParts = [
       "ssh",
@@ -2765,6 +2823,14 @@ function runtimeGitEnv(projectRoot) {
   }
   return Object.keys(env).length > 0 ? env : undefined;
 }
+function applyGitHubCredentialHelperEnv(env) {
+  env.GIT_TERMINAL_PROMPT = "0";
+  env.GIT_CONFIG_COUNT = "2";
+  env.GIT_CONFIG_KEY_0 = "credential.helper";
+  env.GIT_CONFIG_VALUE_0 = "";
+  env.GIT_CONFIG_KEY_1 = "credential.helper";
+  env.GIT_CONFIG_VALUE_1 = '!f() { test "$1" = get || exit 0; token="${GITHUB_TOKEN:-${GH_TOKEN:-${RIG_GITHUB_TOKEN:-}}}"; test -n "$token" || exit 0; echo username=x-access-token; echo password="$token"; }; f';
+}
 function loadPersistedRuntimeSecrets(runtimeRoot) {
   if (!runtimeRoot) {
     return {};