@h-rig/server 0.0.6-alpha.0 → 0.0.6-alpha.10

package/dist/src/server-helpers/http-router.js

@@ -469,6 +469,273 @@ async function refreshTaskProjection(projectRoot, input) {
   });
 }
 
+// packages/server/src/server-helpers/issue-analysis.ts
+import { createHash } from "crypto";
+function stableIssueHash(issue) {
+  const labels = Array.isArray(issue.labels) ? [...issue.labels].map(String).sort() : [];
+  const body = typeof issue.body === "string" ? issue.body : "";
+  const title = typeof issue.title === "string" ? issue.title : "";
+  return createHash("sha256").update(JSON.stringify({ id: issue.id, title, body, labels, deps: issue.deps, status: issue.status })).digest("hex");
+}
+function renderIssueAnalysisPrompt(input) {
+  const issue = input.issue;
+  const neighbors = input.neighbors ?? [];
+  return [
+    "You are Rig issue analysis running inside Pi.",
+    "Return JSON only with optional metadataPatch, labelsToAdd, labelsToRemove, and generatedIssues.",
+    "Preserve all human-authored issue body content. Only propose edits for Rig-owned metadata/status sections, labels, and generated issues.",
+    "Generated issues must be concrete, minimal follow-up tasks and will be labeled rig:generated by Rig.",
+    "",
+    "Issue:",
+    JSON.stringify({
+      id: issue.id,
+      title: issue.title,
+      body: issue.body,
+      labels: issue.labels,
+      deps: issue.deps,
+      status: issue.status
+    }, null, 2),
+    "",
+    "Neighbor tasks:",
+    JSON.stringify(neighbors.map((task) => ({ id: task.id, title: task.title, status: task.status, deps: task.deps })), null, 2)
+  ].join(`
+`);
+}
+function isRecord(value) {
+  return Boolean(value && typeof value === "object" && !Array.isArray(value));
+}
+function stringArray(value) {
+  if (!Array.isArray(value))
+    return;
+  return value.map(String).filter((entry) => entry.trim().length > 0);
+}
+function generatedIssues(value) {
+  if (!Array.isArray(value))
+    return;
+  return value.flatMap((entry) => {
+    if (!isRecord(entry) || typeof entry.title !== "string")
+      return [];
+    return [{
+      title: entry.title,
+      body: typeof entry.body === "string" ? entry.body : "",
+      labels: stringArray(entry.labels) ?? [],
+      ...Array.isArray(entry.dependsOn) ? { dependsOn: entry.dependsOn.map(String) } : {}
+    }];
+  });
+}
+function findJsonLikeText(value) {
+  if (typeof value === "string") {
+    const trimmed = value.trim();
+    if (trimmed.startsWith("{") || trimmed.startsWith("```"))
+      return trimmed;
+    return null;
+  }
+  if (Array.isArray(value)) {
+    for (const entry of value) {
+      const found = findJsonLikeText(entry);
+      if (found)
+        return found;
+    }
+    return null;
+  }
+  if (!isRecord(value))
+    return null;
+  for (const key of ["text", "content", "message", "output_text", "response", "stdout"]) {
+    const found = findJsonLikeText(value[key]);
+    if (found)
+      return found;
+  }
+  for (const entry of Object.values(value)) {
+    const found = findJsonLikeText(entry);
+    if (found)
+      return found;
+  }
+  return null;
+}
+function candidateAnalysisObject(value) {
+  if (!isRecord(value))
+    return null;
+  if (isRecord(value.result))
+    return candidateAnalysisObject(value.result) ?? value.result;
+  if (isRecord(value.analysis))
+    return candidateAnalysisObject(value.analysis) ?? value.analysis;
+  if (isRecord(value.metadataPatch) || Array.isArray(value.labelsToAdd) || Array.isArray(value.labelsToRemove) || Array.isArray(value.generatedIssues)) {
+    return value;
+  }
+  const nested = findJsonLikeText(value);
+  if (nested && nested !== JSON.stringify(value)) {
+    try {
+      const parsedNested = JSON.parse(nested.match(/```(?:json)?\s*([\s\S]*?)\s*```/i)?.[1]?.trim() ?? nested);
+      return candidateAnalysisObject(parsedNested);
+    } catch {
+      return null;
+    }
+  }
+  return null;
+}
+function parseIssueAnalysisResult(raw) {
+  let parsed = raw;
+  if (typeof raw === "string") {
+    const trimmed = raw.trim();
+    const fenced = trimmed.match(/```(?:json)?\s*([\s\S]*?)\s*```/i)?.[1]?.trim();
+    try {
+      parsed = JSON.parse(fenced ?? trimmed);
+    } catch {
+      const lastJsonLine = trimmed.split(/\r?\n/).reverse().find((line) => line.trim().startsWith("{"));
+      parsed = lastJsonLine ? JSON.parse(lastJsonLine) : {};
+    }
+  }
+  const candidate = candidateAnalysisObject(parsed);
+  if (!candidate)
+    return {};
+  const result = {};
+  if (isRecord(candidate.metadataPatch))
+    result.metadataPatch = candidate.metadataPatch;
+  const add = stringArray(candidate.labelsToAdd);
+  if (add?.length)
+    result.labelsToAdd = add;
+  const remove = stringArray(candidate.labelsToRemove);
+  if (remove?.length)
+    result.labelsToRemove = remove;
+  const generated = generatedIssues(candidate.generatedIssues);
+  if (generated?.length)
+    result.generatedIssues = generated;
+  return result;
+}
+function createDefaultPiIssueAnalysisCommandRunner() {
+  return async (command, args, options) => {
+    const env = options.env ? { ...process.env, ...options.env } : process.env;
+    const proc = Bun.spawn([command, ...args], {
+      stdout: "pipe",
+      stderr: "pipe",
+      env
+    });
+    let timedOut = false;
+    const timer = setTimeout(() => {
+      timedOut = true;
+      proc.kill();
+    }, options.timeoutMs);
+    try {
+      const [stdout, stderr, exitCode] = await Promise.all([
+        new Response(proc.stdout).text(),
+        new Response(proc.stderr).text(),
+        proc.exited
+      ]);
+      return {
+        exitCode: timedOut && exitCode === 0 ? 1 : exitCode,
+        stdout,
+        stderr: timedOut && stderr.trim().length === 0 ? `Pi issue analysis timed out after ${options.timeoutMs}ms` : stderr
+      };
+    } finally {
+      clearTimeout(timer);
+    }
+  };
+}
+function createPiIssueAnalyzer(input = {}) {
+  const piBinary = input.piBinary ?? process.env.RIG_ISSUE_ANALYSIS_PI_BINARY ?? "pi";
+  const timeoutMs = Math.max(1000, Math.trunc(input.timeoutMs ?? Number(process.env.RIG_ISSUE_ANALYSIS_TIMEOUT_MS ?? 120000)));
+  const runCommand = input.runCommand ?? createDefaultPiIssueAnalysisCommandRunner();
+  return async ({ prompt }) => {
+    const args = ["--print", "--mode", "json", "--no-session"];
+    const provider = input.provider?.trim() || process.env.RIG_ISSUE_ANALYSIS_PROVIDER?.trim() || process.env.RIG_PI_PROVIDER?.trim();
+    const model = input.model?.trim() || process.env.RIG_ISSUE_ANALYSIS_MODEL?.trim() || process.env.RIG_PI_MODEL?.trim() || "openai-codex/gpt-5.5";
+    if (provider)
+      args.push("--provider", provider);
+    if (model)
+      args.push("--model", model);
+    args.push(prompt);
+    const result = await runCommand(piBinary, args, { timeoutMs, ...input.env ? { env: input.env } : {} });
+    if (result.exitCode !== 0) {
+      throw new Error(`Pi issue analysis failed (exit ${result.exitCode}): ${result.stderr ?? result.stdout}`);
+    }
+    return parseIssueAnalysisResult(result.stdout);
+  };
+}
+function defaultStatusComment(input) {
+  const changes = [
+    input.result.metadataPatch ? "metadata" : null,
+    input.result.labelsToAdd?.length ? `labels added: ${input.result.labelsToAdd.join(", ")}` : null,
+    input.result.labelsToRemove?.length ? `labels removed: ${input.result.labelsToRemove.join(", ")}` : null,
+    input.result.generatedIssues?.length ? `generated issues: ${input.result.generatedIssues.length}` : null
+  ].filter((entry) => Boolean(entry));
+  if (changes.length === 0)
+    return null;
+  return [
+    "<!-- rig:status-comment -->",
+    "### Rig issue analysis",
+    "",
+    `Analyzed issue ${input.issue.id}${input.reason ? ` (${input.reason})` : ""}.`,
+    "",
+    ...changes.map((change) => `- ${change}`)
+  ].join(`
+`);
+}
+function uniqueLabels(labels, required = []) {
+  return [...new Set([...labels ?? [], ...required].map((label) => label.trim()).filter(Boolean))];
+}
+function createIssueAnalysisWriteBack(input) {
+  return async ({ issue, result, reason }) => {
+    if (result.metadataPatch && Object.keys(result.metadataPatch).length > 0) {
+      if (!input.target.updateTask)
+        throw new Error("Issue analysis writeback requires updateTask for metadata patches.");
+      await input.target.updateTask(issue.id, { metadata: result.metadataPatch });
+    }
+    if (result.labelsToAdd?.length) {
+      if (!input.target.addLabels)
+        throw new Error("Issue analysis writeback requires addLabels for labelsToAdd.");
+      await input.target.addLabels(issue.id, uniqueLabels(result.labelsToAdd));
+    }
+    if (result.labelsToRemove?.length) {
+      if (!input.target.removeLabels)
+        throw new Error("Issue analysis writeback requires removeLabels for labelsToRemove.");
+      await input.target.removeLabels(issue.id, uniqueLabels(result.labelsToRemove));
+    }
+    const comment = (input.buildStatusComment ?? defaultStatusComment)({ issue, result, reason });
+    if (comment?.trim()) {
+      if (!input.target.updateTask)
+        throw new Error("Issue analysis writeback requires updateTask for sticky status comments.");
+      await input.target.updateTask(issue.id, { comment });
+    }
+    for (const generated of result.generatedIssues ?? []) {
+      if (!input.target.createIssue)
+        throw new Error("Issue analysis writeback requires createIssue for generated issues.");
+      await input.target.createIssue({
+        title: generated.title,
+        body: generated.dependsOn?.length ? `${generated.body.trimEnd()}
+
+depends-on: ${generated.dependsOn.map((dep) => dep.startsWith("#") ? dep : `#${dep}`).join(", ")}
+` : generated.body,
+        labels: uniqueLabels(generated.labels, ["rig:generated"])
+      });
+    }
+  };
+}
+function createIssueAnalysisService(input) {
+  const analyzedHashes = new Map;
+  return {
+    async analyze(issues, options = {}) {
+      const results = [];
+      const neighbors = options.neighbors ?? issues;
+      for (const issue of issues) {
+        const hash = stableIssueHash(issue);
+        if (analyzedHashes.get(issue.id) === hash)
+          continue;
+        const prompt = renderIssueAnalysisPrompt({ issue, neighbors: neighbors.filter((candidate) => candidate.id !== issue.id) });
+        const result = await input.analyzer({ issue, neighbors, prompt });
+        analyzedHashes.set(issue.id, hash);
+        if (result.metadataPatch || result.labelsToAdd?.length || result.labelsToRemove?.length || result.generatedIssues?.length) {
+          await input.writeBack?.({ issue, result, reason: options.reason });
+        }
+        results.push({ issue, result });
+      }
+      return results;
+    },
+    clearCache() {
+      analyzedHashes.clear();
+    }
+  };
+}
+
 // packages/server/src/server-helpers/terminal-runtime.ts
 import { WS_CHANNELS as WS_CHANNELS2 } from "@rig/contracts";
 
@@ -535,6 +802,7 @@ import {
 } from "@rig/runtime/control-plane/authority-files";
 
 // packages/server/src/server-helpers/github-auth-store.ts
+import { randomBytes } from "crypto";
 import { chmodSync, existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync2, writeFileSync as writeFileSync3 } from "fs";
 import { resolve as resolve7 } from "path";
 function cleanString(value) {
@@ -548,6 +816,24 @@ function cleanScopes(value) {
     return clean ? [clean] : [];
   });
 }
+function parseApiSessions(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    if (!entry || typeof entry !== "object" || Array.isArray(entry))
+      return [];
+    const record = entry;
+    const token = cleanString(record.token);
+    if (!token)
+      return [];
+    return [{
+      token,
+      login: cleanString(record.login),
+      userId: cleanString(record.userId),
+      createdAt: cleanString(record.createdAt) ?? undefined
+    }];
+  });
+}
 function readStoredAuth(stateFile) {
   if (!existsSync4(stateFile))
     return {};
@@ -561,6 +847,7 @@ function readStoredAuth(stateFile) {
       selectedRepo: cleanString(parsed.selectedRepo),
       tokenSource: parsed.tokenSource === "oauth-device" || parsed.tokenSource === "manual-token" || parsed.tokenSource === "env" ? parsed.tokenSource : undefined,
       pendingDevice: parsePendingDevice(parsed.pendingDevice),
+      apiSessions: parseApiSessions(parsed.apiSessions),
       updatedAt: cleanString(parsed.updatedAt) ?? undefined
     };
   } catch {
@@ -579,6 +866,9 @@ function parsePendingDevice(value) {
     return null;
   return { pollId, deviceCode, expiresAt, intervalSeconds };
 }
+function newApiSessionToken() {
+  return `rig_${randomBytes(32).toString("base64url")}`;
+}
 function writeStoredAuth(stateFile, payload) {
   mkdirSync3(resolve7(stateFile, ".."), { recursive: true });
   writeFileSync3(stateFile, `${JSON.stringify(payload, null, 2)}
@@ -621,8 +911,37 @@ function createGitHubAuthStore(projectRoot) {
         scopes: input.scopes ?? [],
         selectedRepo: input.selectedRepo ?? previous.selectedRepo ?? null,
         pendingDevice: null,
+        apiSessions: previous.apiSessions ?? [],
+        updatedAt: new Date().toISOString()
+      });
+    },
+    createApiSession() {
+      const previous = readStoredAuth(stateFile);
+      const token = newApiSessionToken();
+      const session = {
+        token,
+        login: cleanString(previous.login),
+        userId: cleanString(previous.userId),
+        createdAt: new Date().toISOString()
+      };
+      writeStoredAuth(stateFile, {
+        ...previous,
+        apiSessions: [...(previous.apiSessions ?? []).slice(-9), session],
         updatedAt: new Date().toISOString()
       });
+      return { token, login: session.login ?? null, userId: session.userId ?? null };
+    },
+    readApiSession(token) {
+      const clean = cleanString(token);
+      if (!clean)
+        return null;
+      const previous = readStoredAuth(stateFile);
+      const session = (previous.apiSessions ?? []).find((candidate) => candidate.token === clean);
+      return session ? { login: cleanString(session.login), userId: cleanString(session.userId) } : null;
+    },
+    copyToProjectRoot(projectRoot2) {
+      const targetFile = resolveGitHubAuthStateFile(projectRoot2);
+      writeStoredAuth(targetFile, readStoredAuth(stateFile));
     },
     savePendingDevice(input) {
       const previous = readStoredAuth(stateFile);
@@ -864,7 +1183,7 @@ var TERMINAL_RUN_STATUSES2 = new Set([
   "needs-attention",
   "stopped"
 ]);
-var ORPHANABLE_LOCAL_RUN_STATUSES = new Set(["preparing", "running"]);
+var RESUMABLE_LOCAL_RUN_STATUSES = new Set(["created", "preparing", "running", "validating", "reviewing"]);
 
 // packages/server/src/server-helpers/ws-router.ts
 import {
@@ -1171,7 +1490,7 @@ import {
 } from "@rig/runtime/control-plane/tasks/source-lifecycle";
 
 // packages/server/src/server-helpers/project-registry.ts
-import { createHash } from "crypto";
+import { createHash as createHash2 } from "crypto";
 import { spawnSync } from "child_process";
 import { existsSync as existsSync6, mkdirSync as mkdirSync5, readFileSync as readFileSync4, readdirSync, writeFileSync as writeFileSync5 } from "fs";
 import { dirname as dirname4, resolve as resolve9 } from "path";
@@ -1214,7 +1533,7 @@ function hashFile(path) {
   if (!path)
     return null;
   try {
-    return createHash("sha256").update(readFileSync4(path)).digest("hex");
+    return createHash2("sha256").update(readFileSync4(path)).digest("hex");
   } catch {
     return null;
   }
@@ -1461,10 +1780,10 @@ function normalizeCommit(value) {
 function asPlainRecord(value) {
   return value && typeof value === "object" && !Array.isArray(value) ? value : null;
 }
-var RIG_CONFIG_PACKAGE_VERSION = "0.0.6-alpha.0";
+var RIG_CONFIG_PACKAGE_DIST_TAG = "latest";
 var RIG_CONFIG_DEV_DEPENDENCIES = {
-  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_VERSION}`,
-  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_VERSION}`
+  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_DIST_TAG}`,
+  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_DIST_TAG}`
 };
 function repoParts(repoSlug) {
   const [owner, repo] = repoSlug.split("/");
@@ -1818,13 +2137,52 @@ function bearerTokenFromRequest(req) {
 function isLoopbackRequest(req) {
   try {
     const hostname = new URL(req.url).hostname.toLowerCase();
-    return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1" || hostname === "[::1]";
+    return hostname === "localhost" || hostname === "rig.local" || hostname.endsWith(".localhost") || hostname === "127.0.0.1" || hostname === "::1" || hostname === "[::1]";
   } catch {
     return false;
   }
 }
 function isPublicRigAuthBootstrapRoute(pathname) {
-  return pathname === "/" || pathname === "/health" || pathname === "/api/health" || pathname === "/api/server/status" || pathname === "/api/github/auth/status" || pathname === "/api/github/auth/token" || pathname === "/api/github/auth/device/start" || pathname === "/api/github/auth/device/poll";
+  return pathname === "/" || pathname === "/install" || pathname === "/health" || pathname === "/api/health" || pathname === "/api/github/auth/status" || pathname === "/api/github/auth/token" || pathname === "/api/github/auth/device/start" || pathname === "/api/github/auth/device/poll";
+}
+function buildRigInstallScript() {
+  return `#!/usr/bin/env bash
+set -euo pipefail
+
+say() {
+  printf 'rig-install: %s
+' "$*"
+}
+
+if ! command -v bun >/dev/null 2>&1; then
+  say "Bun not found; installing Bun first"
+  curl -fsSL https://bun.sh/install | bash
+  export BUN_INSTALL="\${BUN_INSTALL:-$HOME/.bun}"
+  export PATH="$BUN_INSTALL/bin:$PATH"
+fi
+
+if ! command -v bun >/dev/null 2>&1; then
+  printf 'rig-install: bun install completed, but bun is still not on PATH. Add ~/.bun/bin to PATH and retry.
+' >&2
+  exit 1
+fi
+
+say "Installing @h-rig/cli@latest"
+bun add -g @h-rig/cli@latest
+
+export BUN_INSTALL="\${BUN_INSTALL:-$HOME/.bun}"
+export PATH="$BUN_INSTALL/bin:$PATH"
+
+if ! command -v rig >/dev/null 2>&1; then
+  printf 'rig-install: rig installed, but rig is not on PATH. Add %s/bin to PATH and retry.
+' "$BUN_INSTALL" >&2
+  exit 1
+fi
+
+say "Verifying rig"
+rig --help >/dev/null
+say "Done. Run: rig --help"
+`;
 }
 function normalizePrMode(value) {
   const mode = normalizeString(value);
@@ -1837,6 +2195,10 @@ function authorizeRigHttpRequest(input) {
   const bearer = bearerTokenFromRequest(input.req);
   const store = createGitHubAuthStore(input.projectRoot);
   const storedToken = store.readToken();
+  const session = bearer ? store.readApiSession(bearer) : null;
+  if (session) {
+    return { authorized: true, actor: session.login ?? "github-operator", reason: "github-session" };
+  }
   if (bearer && storedToken && bearer === storedToken) {
     const status = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
     return { authorized: true, actor: status.login ?? "github-operator", reason: "github-token" };
@@ -1844,8 +2206,11 @@ function authorizeRigHttpRequest(input) {
   if (isPublicRigAuthBootstrapRoute(input.pathname)) {
     return { authorized: true, actor: null, reason: "public-bootstrap" };
   }
-  if (!input.serverAuthToken && !storedToken && isLoopbackRequest(input.req)) {
-    return { authorized: true, actor: null, reason: "loopback-dev-no-auth" };
+  if (!input.serverAuthToken && !storedToken) {
+    if (isLoopbackRequest(input.req)) {
+      return { authorized: true, actor: null, reason: "loopback-dev-no-auth" };
+    }
+    return { authorized: false, actor: null, reason: "auth-required" };
   }
   return { authorized: false, actor: null, reason: storedToken ? "github-token-required" : "auth-required" };
 }
@@ -2076,7 +2441,7 @@ function selectNextWorkspaceTask(projectRoot, tasks) {
   if (runnable.length === 0)
     return null;
   const queue = readQueueState(projectRoot);
-  const queueRank = new Map(queue.map((entry, index) => [entry.taskId, { score: entry.score, position: index }]));
+  const queueRank = new Map(queue.map((entry, index) => [String(entry.taskId), { score: entry.score, position: index }]));
   return runnable.toSorted((left, right) => {
     const leftId = taskIdOf(left) ?? "";
     const rightId = taskIdOf(right) ?? "";
@@ -2116,6 +2481,27 @@ function filterWorkspaceTasks(projectRoot, tasks, searchParams) {
   }
   return filtered;
 }
+function issueAnalysisTargetFor(source) {
+  if (!source)
+    return null;
+  const candidate = source;
+  if (typeof candidate.updateTask !== "function")
+    return null;
+  return {
+    ...typeof candidate.get === "function" ? { get: candidate.get.bind(candidate) } : {},
+    updateTask: candidate.updateTask.bind(candidate),
+    ...typeof candidate.addLabels === "function" ? { addLabels: candidate.addLabels.bind(candidate) } : {},
+    ...typeof candidate.removeLabels === "function" ? { removeLabels: candidate.removeLabels.bind(candidate) } : {},
+    ...typeof candidate.createIssue === "function" ? { createIssue: candidate.createIssue.bind(candidate) } : {}
+  };
+}
+function uniqueStringList(value) {
+  const raw = Array.isArray(value) ? value : typeof value === "string" ? [value] : [];
+  return [...new Set(raw.map((entry) => String(entry).trim()).filter(Boolean))];
+}
+function taskRecordId(task) {
+  return String(task.id ?? "");
+}
 function redactRemoteEndpoint(endpoint) {
   const { token, ...rest } = endpoint;
   return {
@@ -2200,9 +2586,16 @@ function createRigServerFetch(state, deps) {
             notifications: state.targets.length
           });
         }
+        if (url.pathname === "/install" && req.method === "GET") {
+          return new Response(buildRigInstallScript(), {
+            headers: {
+              "Content-Type": "text/x-shellscript; charset=utf-8"
+            }
+          });
+        }
         const isLinearWebhook = url.pathname === "/api/linear/webhook" && req.method === "POST";
         const isInspectorStream = url.pathname === "/api/inspector/stream" && req.method === "GET";
-        const legacyAuthorizedHttpRequest = isInspectorStream && isAuthorizedInspectorStreamRequest(req, state.authToken) ? true : deps.isAuthorizedHttpRequest(req, state.authToken);
+        const legacyAuthorizedHttpRequest = Boolean(state.authToken) && (isInspectorStream && isAuthorizedInspectorStreamRequest(req, state.authToken) ? true : deps.isAuthorizedHttpRequest(req, state.authToken));
         const requestAuth = authorizeRigHttpRequest({
           req,
           pathname: url.pathname,
@@ -2458,6 +2851,67 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             note: "GitHub issue lifecycle labels are created on demand by the configured task source when supported."
           });
         }
+        if (url.pathname === "/api/workspace/issue-analysis/run" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const ids = uniqueStringList(body.ids ?? body.id);
+          const analyzeAll = deps.isTruthyQuery(String(body.all ?? ""));
+          if (ids.length === 0 && !analyzeAll) {
+            return deps.badRequest("ids is required unless all=true");
+          }
+          const ctx = await getCachedPluginHostContext(state.projectRoot);
+          const [source] = ctx?.taskSourceRegistry.list() ?? [];
+          const target = issueAnalysisTargetFor(source);
+          if (!source || !target) {
+            return deps.badRequest("Configured task source does not support issue-analysis writeback");
+          }
+          const allTasks = [...await source.list()];
+          const issues = analyzeAll ? allTasks.slice(0, Math.max(1, Math.min(25, Number(body.limit ?? 25) || 25))) : (await Promise.all(ids.map(async (id) => {
+            const cached = allTasks.find((task) => taskRecordId(task) === id);
+            if (cached)
+              return cached;
+            return typeof source.get === "function" ? await source.get(id) : undefined;
+          }))).filter((task) => Boolean(task));
+          if (issues.length === 0) {
+            return deps.jsonResponse({ ok: false, error: "No matching issues found for issue analysis", ids }, 404);
+          }
+          const config = ctx?.config && typeof ctx.config === "object" ? ctx.config : {};
+          const issueAnalysis = config.issueAnalysis && typeof config.issueAnalysis === "object" ? config.issueAnalysis : {};
+          const runtime = config.runtime && typeof config.runtime === "object" ? config.runtime : {};
+          const model = normalizeString(issueAnalysis.model) ?? normalizeString(runtime.model);
+          const service = createIssueAnalysisService({
+            analyzer: createPiIssueAnalyzer({
+              ...model ? { model } : {},
+              env: { RIG_PROJECT_ROOT: state.projectRoot }
+            }),
+            writeBack: createIssueAnalysisWriteBack({ target })
+          });
+          const reason = normalizeString(body.reason) ?? "http-issue-analysis";
+          let results;
+          try {
+            results = await service.analyze(issues, { reason, neighbors: ids.length > 0 ? issues : allTasks });
+          } catch (error) {
+            return deps.jsonResponse({
+              ok: false,
+              error: `Issue analysis failed: ${error instanceof Error ? error.message : String(error)}`,
+              reason,
+              ids: issues.map((issue) => issue.id)
+            }, 502);
+          }
+          deps.snapshotService.invalidate("issue-analysis-http-run");
+          await state.taskProjectionReconciler?.tick("issue-analysis-http-run").catch(() => {
+            return;
+          });
+          deps.broadcastSnapshotInvalidation(state, "issue-analysis-http-run");
+          return deps.jsonResponse({
+            ok: true,
+            reason,
+            analyzed: results.map((entry) => ({
+              id: entry.issue.id,
+              title: entry.issue.title ?? null,
+              result: entry.result
+            }))
+          });
+        }
         if (url.pathname === "/api/server/status") {
           const config = buildProjectConfigStatus(state.projectRoot);
           const taskSource = await buildTaskSourceStatus(state, config);
@@ -2598,6 +3052,9 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }
           const normalizedRoot = resolve11(requestedRoot);
           const exists = existsSync8(normalizedRoot);
+          if (exists) {
+            createGitHubAuthStore(state.projectRoot).copyToProjectRoot(normalizedRoot);
+          }
           const control = buildServerControlStatus();
           const switchCommand = process.env.RIG_PROJECT_ROOT_SWITCH_COMMAND?.trim();
           if (!exists) {
@@ -2686,21 +3143,30 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           const body = await deps.readJsonBody(req);
           const token = normalizeString(body.token);
           const selectedRepo = normalizeString(body.selectedRepo);
+          const requestedProjectRoot = normalizeString(body.projectRoot);
           if (!token) {
             return deps.badRequest("token is required");
           }
           try {
             const user = await fetchGitHubUserInfo(token);
-            const store = createGitHubAuthStore(state.projectRoot);
-            store.saveToken({
-              token,
-              tokenSource: "manual-token",
-              login: user.login,
-              userId: user.userId,
-              scopes: user.scopes,
-              selectedRepo
-            });
-            return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }) });
+            const storeRoots = [
+              state.projectRoot,
+              ...requestedProjectRoot && isAbsolute2(requestedProjectRoot) && existsSync8(resolve11(requestedProjectRoot)) ? [resolve11(requestedProjectRoot)] : []
+            ].filter((root, index, roots) => roots.indexOf(root) === index);
+            const stores = storeRoots.map((root) => createGitHubAuthStore(root));
+            for (const store2 of stores) {
+              store2.saveToken({
+                token,
+                tokenSource: "manual-token",
+                login: user.login,
+                userId: user.userId,
+                scopes: user.scopes,
+                selectedRepo
+              });
+            }
+            const store = stores[stores.length - 1] ?? createGitHubAuthStore(state.projectRoot);
+            const apiSession = store.createApiSession();
+            return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }), apiSessionToken: apiSession.token });
           } catch (error) {
             const message = error instanceof Error ? error.message : String(error);
             return deps.jsonResponse({ ok: false, error: message }, 400);
@@ -2768,7 +3234,8 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           const token = result.payload.access_token;
           const user = await fetchGitHubUserInfo(token);
           store.saveToken({ token, tokenSource: "oauth-device", login: user.login, userId: user.userId, scopes: user.scopes });
-          return deps.jsonResponse({ ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }) });
+          const apiSession = store.createApiSession();
+          return deps.jsonResponse({ ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }), apiSessionToken: apiSession.token });
         }
         if (url.pathname === "/api/github/repo/probe" && req.method === "POST") {
           const body = await deps.readJsonBody(req);
@@ -3140,11 +3607,12 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           const runId = normalizeString(body.runId);
           const createdAt = normalizeString(body.createdAt) ?? new Date().toISOString();
           const promptOverride = normalizeString(body.promptOverride);
+          const restart = body.restart === true;
           if (!runId) {
             return deps.badRequest("runId is required");
           }
           try {
-            await deps.resumeRunRecord(state, { runId, createdAt, promptOverride });
+            await deps.resumeRunRecord(state, { runId, createdAt, promptOverride, restart });
             deps.broadcastSnapshotInvalidation(state);
             return deps.jsonResponse({ ok: true, runId, createdAt });
           } catch (error) {