@h-rig/server 0.0.6-alpha.0 → 0.0.6-alpha.2

package/dist/src/index.js

@@ -2293,7 +2293,7 @@ async function buildRigSnapshotPayload(projectRoot, readers) {
   const taskSummaries = (await readers.readWorkspaceTasks(projectRoot)).map((task) => ({
     ...toTaskSummary(workspace.id, {
       ...task,
-      status: queuedTaskIds.has(task.id) && (task.status === "open" || task.status === "ready" || task.status === "draft") ? "queued" : task.status
+      status: queuedTaskIds.has(task.id) && (task.status === "open" || task.status === "ready" || task.status === "draft" || task.status === "failed" || task.sourceStatus === "failed") ? "queued" : task.status
     }),
     graphId: graph.id
   }));
@@ -3811,6 +3811,7 @@ function summarizeRunValidationFailure(projectRoot, run) {
 }
 
 // packages/server/src/server-helpers/github-auth-store.ts
+import { randomBytes } from "crypto";
 import { chmodSync, existsSync as existsSync6, mkdirSync as mkdirSync6, readFileSync as readFileSync3, writeFileSync as writeFileSync5 } from "fs";
 import { resolve as resolve13 } from "path";
 function cleanString(value) {
@@ -3824,6 +3825,24 @@ function cleanScopes(value) {
     return clean ? [clean] : [];
   });
 }
+function parseApiSessions(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    if (!entry || typeof entry !== "object" || Array.isArray(entry))
+      return [];
+    const record = entry;
+    const token = cleanString(record.token);
+    if (!token)
+      return [];
+    return [{
+      token,
+      login: cleanString(record.login),
+      userId: cleanString(record.userId),
+      createdAt: cleanString(record.createdAt) ?? undefined
+    }];
+  });
+}
 function readStoredAuth(stateFile) {
   if (!existsSync6(stateFile))
     return {};
@@ -3837,6 +3856,7 @@ function readStoredAuth(stateFile) {
       selectedRepo: cleanString(parsed.selectedRepo),
       tokenSource: parsed.tokenSource === "oauth-device" || parsed.tokenSource === "manual-token" || parsed.tokenSource === "env" ? parsed.tokenSource : undefined,
       pendingDevice: parsePendingDevice(parsed.pendingDevice),
+      apiSessions: parseApiSessions(parsed.apiSessions),
       updatedAt: cleanString(parsed.updatedAt) ?? undefined
     };
   } catch {
@@ -3855,6 +3875,9 @@ function parsePendingDevice(value) {
     return null;
   return { pollId, deviceCode, expiresAt, intervalSeconds };
 }
+function newApiSessionToken() {
+  return `rig_${randomBytes(32).toString("base64url")}`;
+}
 function writeStoredAuth(stateFile, payload) {
   mkdirSync6(resolve13(stateFile, ".."), { recursive: true });
   writeFileSync5(stateFile, `${JSON.stringify(payload, null, 2)}
@@ -3897,9 +3920,38 @@ function createGitHubAuthStore(projectRoot) {
         scopes: input.scopes ?? [],
         selectedRepo: input.selectedRepo ?? previous.selectedRepo ?? null,
         pendingDevice: null,
+        apiSessions: previous.apiSessions ?? [],
         updatedAt: new Date().toISOString()
       });
     },
+    createApiSession() {
+      const previous = readStoredAuth(stateFile);
+      const token = newApiSessionToken();
+      const session = {
+        token,
+        login: cleanString(previous.login),
+        userId: cleanString(previous.userId),
+        createdAt: new Date().toISOString()
+      };
+      writeStoredAuth(stateFile, {
+        ...previous,
+        apiSessions: [...(previous.apiSessions ?? []).slice(-9), session],
+        updatedAt: new Date().toISOString()
+      });
+      return { token, login: session.login ?? null, userId: session.userId ?? null };
+    },
+    readApiSession(token) {
+      const clean = cleanString(token);
+      if (!clean)
+        return null;
+      const previous = readStoredAuth(stateFile);
+      const session = (previous.apiSessions ?? []).find((candidate) => candidate.token === clean);
+      return session ? { login: cleanString(session.login), userId: cleanString(session.userId) } : null;
+    },
+    copyToProjectRoot(projectRoot2) {
+      const targetFile = resolveGitHubAuthStateFile(projectRoot2);
+      writeStoredAuth(targetFile, readStoredAuth(stateFile));
+    },
     savePendingDevice(input) {
       const previous = readStoredAuth(stateFile);
       writeStoredAuth(stateFile, {
@@ -4197,15 +4249,36 @@ async function syncProjectStatusForRunLifecycle(projectRoot, run, status, config
   if (!run.taskId)
     return;
   const issueNodeId = extractGitHubIssueNodeId(runSourceTaskIdentity(run));
-  await syncGitHubProjectStatusForTaskUpdate({
-    taskId: run.taskId,
-    status,
-    issueNodeId,
-    token: createGitHubAuthStore(projectRoot).readToken(),
-    config
-  }).catch(() => {
-    return;
-  });
+  try {
+    const result = await syncGitHubProjectStatusForTaskUpdate({
+      taskId: run.taskId,
+      status,
+      issueNodeId,
+      token: createGitHubAuthStore(projectRoot).readToken(),
+      config
+    });
+    if (!result.synced && result.reason !== "project-sync-disabled") {
+      appendRunLogEntry(projectRoot, run.runId, {
+        id: `log:${run.runId}:github-project-sync:${status}`,
+        title: "GitHub Project sync skipped",
+        detail: `Project status sync for ${run.taskId} could not run: ${result.reason}.`,
+        tone: "warn",
+        status: "running",
+        createdAt: new Date().toISOString(),
+        payload: { reason: result.reason, issueNodeId }
+      });
+    }
+  } catch (error) {
+    appendRunLogEntry(projectRoot, run.runId, {
+      id: `log:${run.runId}:github-project-sync-error:${status}`,
+      title: "GitHub Project sync failed",
+      detail: error instanceof Error ? error.message : String(error),
+      tone: "error",
+      status: "running",
+      createdAt: new Date().toISOString(),
+      payload: { issueNodeId }
+    });
+  }
 }
 async function autoAssignRunIssue(projectRoot, run) {
   if (!run.taskId)
@@ -5393,10 +5466,10 @@ function normalizeCommit(value) {
 function asPlainRecord(value) {
   return value && typeof value === "object" && !Array.isArray(value) ? value : null;
 }
-var RIG_CONFIG_PACKAGE_VERSION = "0.0.6-alpha.0";
+var RIG_CONFIG_PACKAGE_DIST_TAG = "latest";
 var RIG_CONFIG_DEV_DEPENDENCIES = {
-  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_VERSION}`,
-  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_VERSION}`
+  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_DIST_TAG}`,
+  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_DIST_TAG}`
 };
 function repoParts(repoSlug) {
   const [owner, repo] = repoSlug.split("/");
@@ -5750,13 +5823,13 @@ function bearerTokenFromRequest(req) {
 function isLoopbackRequest(req) {
   try {
     const hostname = new URL(req.url).hostname.toLowerCase();
-    return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1" || hostname === "[::1]";
+    return hostname === "localhost" || hostname === "rig.local" || hostname.endsWith(".localhost") || hostname === "127.0.0.1" || hostname === "::1" || hostname === "[::1]";
   } catch {
     return false;
   }
 }
 function isPublicRigAuthBootstrapRoute(pathname) {
-  return pathname === "/" || pathname === "/health" || pathname === "/api/health" || pathname === "/api/server/status" || pathname === "/api/github/auth/status" || pathname === "/api/github/auth/token" || pathname === "/api/github/auth/device/start" || pathname === "/api/github/auth/device/poll";
+  return pathname === "/" || pathname === "/health" || pathname === "/api/health" || pathname === "/api/github/auth/status" || pathname === "/api/github/auth/token" || pathname === "/api/github/auth/device/start" || pathname === "/api/github/auth/device/poll";
 }
 function normalizePrMode(value) {
   const mode = normalizeString(value);
@@ -5769,6 +5842,10 @@ function authorizeRigHttpRequest(input) {
   const bearer = bearerTokenFromRequest(input.req);
   const store = createGitHubAuthStore(input.projectRoot);
   const storedToken = store.readToken();
+  const session = bearer ? store.readApiSession(bearer) : null;
+  if (session) {
+    return { authorized: true, actor: session.login ?? "github-operator", reason: "github-session" };
+  }
   if (bearer && storedToken && bearer === storedToken) {
     const status = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
     return { authorized: true, actor: status.login ?? "github-operator", reason: "github-token" };
@@ -5776,8 +5853,11 @@ function authorizeRigHttpRequest(input) {
   if (isPublicRigAuthBootstrapRoute(input.pathname)) {
     return { authorized: true, actor: null, reason: "public-bootstrap" };
   }
-  if (!input.serverAuthToken && !storedToken && isLoopbackRequest(input.req)) {
-    return { authorized: true, actor: null, reason: "loopback-dev-no-auth" };
+  if (!input.serverAuthToken && !storedToken) {
+    if (isLoopbackRequest(input.req)) {
+      return { authorized: true, actor: null, reason: "loopback-dev-no-auth" };
+    }
+    return { authorized: false, actor: null, reason: "auth-required" };
   }
   return { authorized: false, actor: null, reason: storedToken ? "github-token-required" : "auth-required" };
 }
@@ -6008,7 +6088,7 @@ function selectNextWorkspaceTask(projectRoot, tasks) {
   if (runnable.length === 0)
     return null;
   const queue = readQueueState(projectRoot);
-  const queueRank = new Map(queue.map((entry, index) => [entry.taskId, { score: entry.score, position: index }]));
+  const queueRank = new Map(queue.map((entry, index) => [String(entry.taskId), { score: entry.score, position: index }]));
   return runnable.toSorted((left, right) => {
     const leftId = taskIdOf(left) ?? "";
     const rightId = taskIdOf(right) ?? "";
@@ -6134,7 +6214,7 @@ function createRigServerFetch(state, deps) {
         }
         const isLinearWebhook = url.pathname === "/api/linear/webhook" && req.method === "POST";
         const isInspectorStream = url.pathname === "/api/inspector/stream" && req.method === "GET";
-        const legacyAuthorizedHttpRequest = isInspectorStream && isAuthorizedInspectorStreamRequest(req, state.authToken) ? true : deps.isAuthorizedHttpRequest(req, state.authToken);
+        const legacyAuthorizedHttpRequest = Boolean(state.authToken) && (isInspectorStream && isAuthorizedInspectorStreamRequest(req, state.authToken) ? true : deps.isAuthorizedHttpRequest(req, state.authToken));
         const requestAuth = authorizeRigHttpRequest({
           req,
           pathname: url.pathname,
@@ -6530,6 +6610,9 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }
           const normalizedRoot = resolve18(requestedRoot);
           const exists = existsSync11(normalizedRoot);
+          if (exists) {
+            createGitHubAuthStore(state.projectRoot).copyToProjectRoot(normalizedRoot);
+          }
           const control = buildServerControlStatus();
           const switchCommand = process.env.RIG_PROJECT_ROOT_SWITCH_COMMAND?.trim();
           if (!exists) {
@@ -6618,21 +6701,30 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           const body = await deps.readJsonBody(req);
           const token = normalizeString(body.token);
           const selectedRepo = normalizeString(body.selectedRepo);
+          const requestedProjectRoot = normalizeString(body.projectRoot);
           if (!token) {
             return deps.badRequest("token is required");
           }
           try {
             const user = await fetchGitHubUserInfo(token);
-            const store = createGitHubAuthStore(state.projectRoot);
-            store.saveToken({
-              token,
-              tokenSource: "manual-token",
-              login: user.login,
-              userId: user.userId,
-              scopes: user.scopes,
-              selectedRepo
-            });
-            return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }) });
+            const storeRoots = [
+              state.projectRoot,
+              ...requestedProjectRoot && isAbsolute3(requestedProjectRoot) && existsSync11(resolve18(requestedProjectRoot)) ? [resolve18(requestedProjectRoot)] : []
+            ].filter((root, index, roots) => roots.indexOf(root) === index);
+            const stores = storeRoots.map((root) => createGitHubAuthStore(root));
+            for (const store2 of stores) {
+              store2.saveToken({
+                token,
+                tokenSource: "manual-token",
+                login: user.login,
+                userId: user.userId,
+                scopes: user.scopes,
+                selectedRepo
+              });
+            }
+            const store = stores[stores.length - 1] ?? createGitHubAuthStore(state.projectRoot);
+            const apiSession = store.createApiSession();
+            return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }), apiSessionToken: apiSession.token });
           } catch (error) {
             const message = error instanceof Error ? error.message : String(error);
             return deps.jsonResponse({ ok: false, error: message }, 400);
@@ -6700,7 +6792,8 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           const token = result.payload.access_token;
           const user = await fetchGitHubUserInfo(token);
           store.saveToken({ token, tokenSource: "oauth-device", login: user.login, userId: user.userId, scopes: user.scopes });
-          return deps.jsonResponse({ ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }) });
+          const apiSession = store.createApiSession();
+          return deps.jsonResponse({ ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }), apiSessionToken: apiSession.token });
         }
         if (url.pathname === "/api/github/repo/probe" && req.method === "POST") {
           const body = await deps.readJsonBody(req);
@@ -12506,7 +12599,7 @@ async function readWorkspaceTasks(projectRoot) {
       description: normalizeString(entry.description),
       acceptanceCriteria: normalizeString(entry.acceptance_criteria),
       status: normalizedStatus ?? "unknown",
-      sourceStatus: normalizedStatus ? null : rawStatus,
+      sourceStatus: normalizedStatus && rawStatus !== normalizedStatus ? rawStatus : normalizedStatus ? null : rawStatus,
       priority: typeof entry.priority === "number" ? entry.priority : typeof entry.priority === "string" ? Number(entry.priority) : null,
       issueType: normalizeString(entry.issue_type),
       role: normalizeString(config.role) ?? null,

package/dist/src/server-helpers/github-auth-store.js

@@ -1,5 +1,6 @@
 // @bun
 // packages/server/src/server-helpers/github-auth-store.ts
+import { randomBytes } from "crypto";
 import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
 import { resolve as resolve2 } from "path";
 
@@ -39,6 +40,24 @@ function cleanScopes(value) {
     return clean ? [clean] : [];
   });
 }
+function parseApiSessions(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    if (!entry || typeof entry !== "object" || Array.isArray(entry))
+      return [];
+    const record = entry;
+    const token = cleanString(record.token);
+    if (!token)
+      return [];
+    return [{
+      token,
+      login: cleanString(record.login),
+      userId: cleanString(record.userId),
+      createdAt: cleanString(record.createdAt) ?? undefined
+    }];
+  });
+}
 function readStoredAuth(stateFile) {
   if (!existsSync(stateFile))
     return {};
@@ -52,6 +71,7 @@ function readStoredAuth(stateFile) {
       selectedRepo: cleanString(parsed.selectedRepo),
       tokenSource: parsed.tokenSource === "oauth-device" || parsed.tokenSource === "manual-token" || parsed.tokenSource === "env" ? parsed.tokenSource : undefined,
       pendingDevice: parsePendingDevice(parsed.pendingDevice),
+      apiSessions: parseApiSessions(parsed.apiSessions),
       updatedAt: cleanString(parsed.updatedAt) ?? undefined
     };
   } catch {
@@ -70,6 +90,9 @@ function parsePendingDevice(value) {
     return null;
   return { pollId, deviceCode, expiresAt, intervalSeconds };
 }
+function newApiSessionToken() {
+  return `rig_${randomBytes(32).toString("base64url")}`;
+}
 function writeStoredAuth(stateFile, payload) {
   mkdirSync(resolve2(stateFile, ".."), { recursive: true });
   writeFileSync(stateFile, `${JSON.stringify(payload, null, 2)}
@@ -112,9 +135,38 @@ function createGitHubAuthStore(projectRoot) {
         scopes: input.scopes ?? [],
         selectedRepo: input.selectedRepo ?? previous.selectedRepo ?? null,
         pendingDevice: null,
+        apiSessions: previous.apiSessions ?? [],
         updatedAt: new Date().toISOString()
       });
     },
+    createApiSession() {
+      const previous = readStoredAuth(stateFile);
+      const token = newApiSessionToken();
+      const session = {
+        token,
+        login: cleanString(previous.login),
+        userId: cleanString(previous.userId),
+        createdAt: new Date().toISOString()
+      };
+      writeStoredAuth(stateFile, {
+        ...previous,
+        apiSessions: [...(previous.apiSessions ?? []).slice(-9), session],
+        updatedAt: new Date().toISOString()
+      });
+      return { token, login: session.login ?? null, userId: session.userId ?? null };
+    },
+    readApiSession(token) {
+      const clean = cleanString(token);
+      if (!clean)
+        return null;
+      const previous = readStoredAuth(stateFile);
+      const session = (previous.apiSessions ?? []).find((candidate) => candidate.token === clean);
+      return session ? { login: cleanString(session.login), userId: cleanString(session.userId) } : null;
+    },
+    copyToProjectRoot(projectRoot2) {
+      const targetFile = resolveGitHubAuthStateFile(projectRoot2);
+      writeStoredAuth(targetFile, readStoredAuth(stateFile));
+    },
     savePendingDevice(input) {
       const previous = readStoredAuth(stateFile);
       writeStoredAuth(stateFile, {

package/dist/src/server-helpers/http-router.js

@@ -535,6 +535,7 @@ import {
 } from "@rig/runtime/control-plane/authority-files";
 
 // packages/server/src/server-helpers/github-auth-store.ts
+import { randomBytes } from "crypto";
 import { chmodSync, existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync2, writeFileSync as writeFileSync3 } from "fs";
 import { resolve as resolve7 } from "path";
 function cleanString(value) {
@@ -548,6 +549,24 @@ function cleanScopes(value) {
     return clean ? [clean] : [];
   });
 }
+function parseApiSessions(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    if (!entry || typeof entry !== "object" || Array.isArray(entry))
+      return [];
+    const record = entry;
+    const token = cleanString(record.token);
+    if (!token)
+      return [];
+    return [{
+      token,
+      login: cleanString(record.login),
+      userId: cleanString(record.userId),
+      createdAt: cleanString(record.createdAt) ?? undefined
+    }];
+  });
+}
 function readStoredAuth(stateFile) {
   if (!existsSync4(stateFile))
     return {};
@@ -561,6 +580,7 @@ function readStoredAuth(stateFile) {
       selectedRepo: cleanString(parsed.selectedRepo),
       tokenSource: parsed.tokenSource === "oauth-device" || parsed.tokenSource === "manual-token" || parsed.tokenSource === "env" ? parsed.tokenSource : undefined,
       pendingDevice: parsePendingDevice(parsed.pendingDevice),
+      apiSessions: parseApiSessions(parsed.apiSessions),
       updatedAt: cleanString(parsed.updatedAt) ?? undefined
     };
   } catch {
@@ -579,6 +599,9 @@ function parsePendingDevice(value) {
     return null;
   return { pollId, deviceCode, expiresAt, intervalSeconds };
 }
+function newApiSessionToken() {
+  return `rig_${randomBytes(32).toString("base64url")}`;
+}
 function writeStoredAuth(stateFile, payload) {
   mkdirSync3(resolve7(stateFile, ".."), { recursive: true });
   writeFileSync3(stateFile, `${JSON.stringify(payload, null, 2)}
@@ -621,8 +644,37 @@ function createGitHubAuthStore(projectRoot) {
         scopes: input.scopes ?? [],
         selectedRepo: input.selectedRepo ?? previous.selectedRepo ?? null,
         pendingDevice: null,
+        apiSessions: previous.apiSessions ?? [],
+        updatedAt: new Date().toISOString()
+      });
+    },
+    createApiSession() {
+      const previous = readStoredAuth(stateFile);
+      const token = newApiSessionToken();
+      const session = {
+        token,
+        login: cleanString(previous.login),
+        userId: cleanString(previous.userId),
+        createdAt: new Date().toISOString()
+      };
+      writeStoredAuth(stateFile, {
+        ...previous,
+        apiSessions: [...(previous.apiSessions ?? []).slice(-9), session],
         updatedAt: new Date().toISOString()
       });
+      return { token, login: session.login ?? null, userId: session.userId ?? null };
+    },
+    readApiSession(token) {
+      const clean = cleanString(token);
+      if (!clean)
+        return null;
+      const previous = readStoredAuth(stateFile);
+      const session = (previous.apiSessions ?? []).find((candidate) => candidate.token === clean);
+      return session ? { login: cleanString(session.login), userId: cleanString(session.userId) } : null;
+    },
+    copyToProjectRoot(projectRoot2) {
+      const targetFile = resolveGitHubAuthStateFile(projectRoot2);
+      writeStoredAuth(targetFile, readStoredAuth(stateFile));
     },
     savePendingDevice(input) {
       const previous = readStoredAuth(stateFile);
@@ -1461,10 +1513,10 @@ function normalizeCommit(value) {
 function asPlainRecord(value) {
   return value && typeof value === "object" && !Array.isArray(value) ? value : null;
 }
-var RIG_CONFIG_PACKAGE_VERSION = "0.0.6-alpha.0";
+var RIG_CONFIG_PACKAGE_DIST_TAG = "latest";
 var RIG_CONFIG_DEV_DEPENDENCIES = {
-  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_VERSION}`,
-  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_VERSION}`
+  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_DIST_TAG}`,
+  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_DIST_TAG}`
 };
 function repoParts(repoSlug) {
   const [owner, repo] = repoSlug.split("/");
@@ -1818,13 +1870,13 @@ function bearerTokenFromRequest(req) {
 function isLoopbackRequest(req) {
   try {
     const hostname = new URL(req.url).hostname.toLowerCase();
-    return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1" || hostname === "[::1]";
+    return hostname === "localhost" || hostname === "rig.local" || hostname.endsWith(".localhost") || hostname === "127.0.0.1" || hostname === "::1" || hostname === "[::1]";
   } catch {
     return false;
   }
 }
 function isPublicRigAuthBootstrapRoute(pathname) {
-  return pathname === "/" || pathname === "/health" || pathname === "/api/health" || pathname === "/api/server/status" || pathname === "/api/github/auth/status" || pathname === "/api/github/auth/token" || pathname === "/api/github/auth/device/start" || pathname === "/api/github/auth/device/poll";
+  return pathname === "/" || pathname === "/health" || pathname === "/api/health" || pathname === "/api/github/auth/status" || pathname === "/api/github/auth/token" || pathname === "/api/github/auth/device/start" || pathname === "/api/github/auth/device/poll";
 }
 function normalizePrMode(value) {
   const mode = normalizeString(value);
@@ -1837,6 +1889,10 @@ function authorizeRigHttpRequest(input) {
   const bearer = bearerTokenFromRequest(input.req);
   const store = createGitHubAuthStore(input.projectRoot);
   const storedToken = store.readToken();
+  const session = bearer ? store.readApiSession(bearer) : null;
+  if (session) {
+    return { authorized: true, actor: session.login ?? "github-operator", reason: "github-session" };
+  }
   if (bearer && storedToken && bearer === storedToken) {
     const status = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
     return { authorized: true, actor: status.login ?? "github-operator", reason: "github-token" };
@@ -1844,8 +1900,11 @@ function authorizeRigHttpRequest(input) {
   if (isPublicRigAuthBootstrapRoute(input.pathname)) {
     return { authorized: true, actor: null, reason: "public-bootstrap" };
   }
-  if (!input.serverAuthToken && !storedToken && isLoopbackRequest(input.req)) {
-    return { authorized: true, actor: null, reason: "loopback-dev-no-auth" };
+  if (!input.serverAuthToken && !storedToken) {
+    if (isLoopbackRequest(input.req)) {
+      return { authorized: true, actor: null, reason: "loopback-dev-no-auth" };
+    }
+    return { authorized: false, actor: null, reason: "auth-required" };
   }
   return { authorized: false, actor: null, reason: storedToken ? "github-token-required" : "auth-required" };
 }
@@ -2076,7 +2135,7 @@ function selectNextWorkspaceTask(projectRoot, tasks) {
   if (runnable.length === 0)
     return null;
   const queue = readQueueState(projectRoot);
-  const queueRank = new Map(queue.map((entry, index) => [entry.taskId, { score: entry.score, position: index }]));
+  const queueRank = new Map(queue.map((entry, index) => [String(entry.taskId), { score: entry.score, position: index }]));
   return runnable.toSorted((left, right) => {
     const leftId = taskIdOf(left) ?? "";
     const rightId = taskIdOf(right) ?? "";
@@ -2202,7 +2261,7 @@ function createRigServerFetch(state, deps) {
         }
         const isLinearWebhook = url.pathname === "/api/linear/webhook" && req.method === "POST";
         const isInspectorStream = url.pathname === "/api/inspector/stream" && req.method === "GET";
-        const legacyAuthorizedHttpRequest = isInspectorStream && isAuthorizedInspectorStreamRequest(req, state.authToken) ? true : deps.isAuthorizedHttpRequest(req, state.authToken);
+        const legacyAuthorizedHttpRequest = Boolean(state.authToken) && (isInspectorStream && isAuthorizedInspectorStreamRequest(req, state.authToken) ? true : deps.isAuthorizedHttpRequest(req, state.authToken));
         const requestAuth = authorizeRigHttpRequest({
           req,
           pathname: url.pathname,
@@ -2598,6 +2657,9 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }
           const normalizedRoot = resolve11(requestedRoot);
           const exists = existsSync8(normalizedRoot);
+          if (exists) {
+            createGitHubAuthStore(state.projectRoot).copyToProjectRoot(normalizedRoot);
+          }
           const control = buildServerControlStatus();
           const switchCommand = process.env.RIG_PROJECT_ROOT_SWITCH_COMMAND?.trim();
           if (!exists) {
@@ -2686,21 +2748,30 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           const body = await deps.readJsonBody(req);
           const token = normalizeString(body.token);
           const selectedRepo = normalizeString(body.selectedRepo);
+          const requestedProjectRoot = normalizeString(body.projectRoot);
           if (!token) {
             return deps.badRequest("token is required");
           }
           try {
             const user = await fetchGitHubUserInfo(token);
-            const store = createGitHubAuthStore(state.projectRoot);
-            store.saveToken({
-              token,
-              tokenSource: "manual-token",
-              login: user.login,
-              userId: user.userId,
-              scopes: user.scopes,
-              selectedRepo
-            });
-            return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }) });
+            const storeRoots = [
+              state.projectRoot,
+              ...requestedProjectRoot && isAbsolute2(requestedProjectRoot) && existsSync8(resolve11(requestedProjectRoot)) ? [resolve11(requestedProjectRoot)] : []
+            ].filter((root, index, roots) => roots.indexOf(root) === index);
+            const stores = storeRoots.map((root) => createGitHubAuthStore(root));
+            for (const store2 of stores) {
+              store2.saveToken({
+                token,
+                tokenSource: "manual-token",
+                login: user.login,
+                userId: user.userId,
+                scopes: user.scopes,
+                selectedRepo
+              });
+            }
+            const store = stores[stores.length - 1] ?? createGitHubAuthStore(state.projectRoot);
+            const apiSession = store.createApiSession();
+            return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }), apiSessionToken: apiSession.token });
           } catch (error) {
             const message = error instanceof Error ? error.message : String(error);
             return deps.jsonResponse({ ok: false, error: message }, 400);
@@ -2768,7 +2839,8 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           const token = result.payload.access_token;
           const user = await fetchGitHubUserInfo(token);
           store.saveToken({ token, tokenSource: "oauth-device", login: user.login, userId: user.userId, scopes: user.scopes });
-          return deps.jsonResponse({ ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }) });
+          const apiSession = store.createApiSession();
+          return deps.jsonResponse({ ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }), apiSessionToken: apiSession.token });
         }
         if (url.pathname === "/api/github/repo/probe" && req.method === "POST") {
           const body = await deps.readJsonBody(req);

package/dist/src/server-helpers/run-mutations.js

@@ -459,6 +459,7 @@ import {
 } from "@rig/runtime/control-plane/tasks/source-lifecycle";
 
 // packages/server/src/server-helpers/github-auth-store.ts
+import { randomBytes } from "crypto";
 import { chmodSync, existsSync as existsSync3, mkdirSync as mkdirSync3, readFileSync, writeFileSync as writeFileSync3 } from "fs";
 import { resolve as resolve6 } from "path";
 function cleanString(value) {
@@ -472,6 +473,24 @@ function cleanScopes(value) {
     return clean ? [clean] : [];
   });
 }
+function parseApiSessions(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    if (!entry || typeof entry !== "object" || Array.isArray(entry))
+      return [];
+    const record = entry;
+    const token = cleanString(record.token);
+    if (!token)
+      return [];
+    return [{
+      token,
+      login: cleanString(record.login),
+      userId: cleanString(record.userId),
+      createdAt: cleanString(record.createdAt) ?? undefined
+    }];
+  });
+}
 function readStoredAuth(stateFile) {
   if (!existsSync3(stateFile))
     return {};
@@ -485,6 +504,7 @@ function readStoredAuth(stateFile) {
       selectedRepo: cleanString(parsed.selectedRepo),
       tokenSource: parsed.tokenSource === "oauth-device" || parsed.tokenSource === "manual-token" || parsed.tokenSource === "env" ? parsed.tokenSource : undefined,
       pendingDevice: parsePendingDevice(parsed.pendingDevice),
+      apiSessions: parseApiSessions(parsed.apiSessions),
       updatedAt: cleanString(parsed.updatedAt) ?? undefined
     };
   } catch {
@@ -503,6 +523,9 @@ function parsePendingDevice(value) {
     return null;
   return { pollId, deviceCode, expiresAt, intervalSeconds };
 }
+function newApiSessionToken() {
+  return `rig_${randomBytes(32).toString("base64url")}`;
+}
 function writeStoredAuth(stateFile, payload) {
   mkdirSync3(resolve6(stateFile, ".."), { recursive: true });
   writeFileSync3(stateFile, `${JSON.stringify(payload, null, 2)}
@@ -545,9 +568,38 @@ function createGitHubAuthStore(projectRoot) {
         scopes: input.scopes ?? [],
         selectedRepo: input.selectedRepo ?? previous.selectedRepo ?? null,
         pendingDevice: null,
+        apiSessions: previous.apiSessions ?? [],
         updatedAt: new Date().toISOString()
       });
     },
+    createApiSession() {
+      const previous = readStoredAuth(stateFile);
+      const token = newApiSessionToken();
+      const session = {
+        token,
+        login: cleanString(previous.login),
+        userId: cleanString(previous.userId),
+        createdAt: new Date().toISOString()
+      };
+      writeStoredAuth(stateFile, {
+        ...previous,
+        apiSessions: [...(previous.apiSessions ?? []).slice(-9), session],
+        updatedAt: new Date().toISOString()
+      });
+      return { token, login: session.login ?? null, userId: session.userId ?? null };
+    },
+    readApiSession(token) {
+      const clean = cleanString(token);
+      if (!clean)
+        return null;
+      const previous = readStoredAuth(stateFile);
+      const session = (previous.apiSessions ?? []).find((candidate) => candidate.token === clean);
+      return session ? { login: cleanString(session.login), userId: cleanString(session.userId) } : null;
+    },
+    copyToProjectRoot(projectRoot2) {
+      const targetFile = resolveGitHubAuthStateFile(projectRoot2);
+      writeStoredAuth(targetFile, readStoredAuth(stateFile));
+    },
     savePendingDevice(input) {
       const previous = readStoredAuth(stateFile);
       writeStoredAuth(stateFile, {
@@ -775,10 +827,10 @@ function extractGitHubIssueNodeId(task) {
 }
 
 // packages/server/src/server-helpers/http-router.ts
-var RIG_CONFIG_PACKAGE_VERSION = "0.0.6-alpha.0";
+var RIG_CONFIG_PACKAGE_DIST_TAG = "latest";
 var RIG_CONFIG_DEV_DEPENDENCIES = {
-  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_VERSION}`,
-  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_VERSION}`
+  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_DIST_TAG}`,
+  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_DIST_TAG}`
 };
 
 // packages/server/src/server-helpers/ws-router.ts
@@ -995,7 +1047,7 @@ async function readWorkspaceTasks(projectRoot) {
       description: normalizeString(entry.description),
       acceptanceCriteria: normalizeString(entry.acceptance_criteria),
       status: normalizedStatus ?? "unknown",
-      sourceStatus: normalizedStatus ? null : rawStatus,
+      sourceStatus: normalizedStatus && rawStatus !== normalizedStatus ? rawStatus : normalizedStatus ? null : rawStatus,
       priority: typeof entry.priority === "number" ? entry.priority : typeof entry.priority === "string" ? Number(entry.priority) : null,
       issueType: normalizeString(entry.issue_type),
       role: normalizeString(config.role) ?? null,
@@ -1120,15 +1172,36 @@ async function syncProjectStatusForRunLifecycle(projectRoot, run, status, config
   if (!run.taskId)
     return;
   const issueNodeId = extractGitHubIssueNodeId(runSourceTaskIdentity(run));
-  await syncGitHubProjectStatusForTaskUpdate({
-    taskId: run.taskId,
-    status,
-    issueNodeId,
-    token: createGitHubAuthStore(projectRoot).readToken(),
-    config
-  }).catch(() => {
-    return;
-  });
+  try {
+    const result = await syncGitHubProjectStatusForTaskUpdate({
+      taskId: run.taskId,
+      status,
+      issueNodeId,
+      token: createGitHubAuthStore(projectRoot).readToken(),
+      config
+    });
+    if (!result.synced && result.reason !== "project-sync-disabled") {
+      appendRunLogEntry(projectRoot, run.runId, {
+        id: `log:${run.runId}:github-project-sync:${status}`,
+        title: "GitHub Project sync skipped",
+        detail: `Project status sync for ${run.taskId} could not run: ${result.reason}.`,
+        tone: "warn",
+        status: "running",
+        createdAt: new Date().toISOString(),
+        payload: { reason: result.reason, issueNodeId }
+      });
+    }
+  } catch (error) {
+    appendRunLogEntry(projectRoot, run.runId, {
+      id: `log:${run.runId}:github-project-sync-error:${status}`,
+      title: "GitHub Project sync failed",
+      detail: error instanceof Error ? error.message : String(error),
+      tone: "error",
+      status: "running",
+      createdAt: new Date().toISOString(),
+      payload: { issueNodeId }
+    });
+  }
 }
 async function autoAssignRunIssue(projectRoot, run) {
   if (!run.taskId)

package/dist/src/server-helpers/snapshot-orchestrator.js

@@ -699,7 +699,7 @@ async function buildRigSnapshotPayload(projectRoot, readers) {
   const taskSummaries = (await readers.readWorkspaceTasks(projectRoot)).map((task) => ({
     ...toTaskSummary(workspace.id, {
       ...task,
-      status: queuedTaskIds.has(task.id) && (task.status === "open" || task.status === "ready" || task.status === "draft") ? "queued" : task.status
+      status: queuedTaskIds.has(task.id) && (task.status === "open" || task.status === "ready" || task.status === "draft" || task.status === "failed" || task.sourceStatus === "failed") ? "queued" : task.status
     }),
     graphId: graph.id
   }));

package/dist/src/server-helpers/snapshot-service.js

@@ -711,7 +711,7 @@ async function buildRigSnapshotPayload(projectRoot, readers) {
   const taskSummaries = (await readers.readWorkspaceTasks(projectRoot)).map((task) => ({
     ...toTaskSummary(workspace.id, {
       ...task,
-      status: queuedTaskIds.has(task.id) && (task.status === "open" || task.status === "ready" || task.status === "draft") ? "queued" : task.status
+      status: queuedTaskIds.has(task.id) && (task.status === "open" || task.status === "ready" || task.status === "draft" || task.status === "failed" || task.sourceStatus === "failed") ? "queued" : task.status
     }),
     graphId: graph.id
   }));

package/dist/src/server-helpers/ws-router.js

@@ -437,10 +437,10 @@ import {
   buildTaskRunLifecycleComment as buildTaskRunLifecycleComment2,
   updateConfiguredTaskSourceTask as updateConfiguredTaskSourceTask2
 } from "@rig/runtime/control-plane/tasks/source-lifecycle";
-var RIG_CONFIG_PACKAGE_VERSION = "0.0.6-alpha.0";
+var RIG_CONFIG_PACKAGE_DIST_TAG = "latest";
 var RIG_CONFIG_DEV_DEPENDENCIES = {
-  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_VERSION}`,
-  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_VERSION}`
+  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_DIST_TAG}`,
+  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_DIST_TAG}`
 };
 
 // packages/server/src/server-helpers/inspector-jobs.ts

package/dist/src/server.js

@@ -1786,7 +1786,7 @@ async function buildRigSnapshotPayload(projectRoot, readers) {
   const taskSummaries = (await readers.readWorkspaceTasks(projectRoot)).map((task) => ({
     ...toTaskSummary(workspace.id, {
       ...task,
-      status: queuedTaskIds.has(task.id) && (task.status === "open" || task.status === "ready" || task.status === "draft") ? "queued" : task.status
+      status: queuedTaskIds.has(task.id) && (task.status === "open" || task.status === "ready" || task.status === "draft" || task.status === "failed" || task.sourceStatus === "failed") ? "queued" : task.status
     }),
     graphId: graph.id
   }));
@@ -3304,6 +3304,7 @@ function summarizeRunValidationFailure(projectRoot, run) {
 }
 
 // packages/server/src/server-helpers/github-auth-store.ts
+import { randomBytes } from "crypto";
 import { chmodSync, existsSync as existsSync6, mkdirSync as mkdirSync6, readFileSync as readFileSync3, writeFileSync as writeFileSync5 } from "fs";
 import { resolve as resolve13 } from "path";
 function cleanString(value) {
@@ -3317,6 +3318,24 @@ function cleanScopes(value) {
     return clean ? [clean] : [];
   });
 }
+function parseApiSessions(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    if (!entry || typeof entry !== "object" || Array.isArray(entry))
+      return [];
+    const record = entry;
+    const token = cleanString(record.token);
+    if (!token)
+      return [];
+    return [{
+      token,
+      login: cleanString(record.login),
+      userId: cleanString(record.userId),
+      createdAt: cleanString(record.createdAt) ?? undefined
+    }];
+  });
+}
 function readStoredAuth(stateFile) {
   if (!existsSync6(stateFile))
     return {};
@@ -3330,6 +3349,7 @@ function readStoredAuth(stateFile) {
       selectedRepo: cleanString(parsed.selectedRepo),
       tokenSource: parsed.tokenSource === "oauth-device" || parsed.tokenSource === "manual-token" || parsed.tokenSource === "env" ? parsed.tokenSource : undefined,
       pendingDevice: parsePendingDevice(parsed.pendingDevice),
+      apiSessions: parseApiSessions(parsed.apiSessions),
       updatedAt: cleanString(parsed.updatedAt) ?? undefined
     };
   } catch {
@@ -3348,6 +3368,9 @@ function parsePendingDevice(value) {
     return null;
   return { pollId, deviceCode, expiresAt, intervalSeconds };
 }
+function newApiSessionToken() {
+  return `rig_${randomBytes(32).toString("base64url")}`;
+}
 function writeStoredAuth(stateFile, payload) {
   mkdirSync6(resolve13(stateFile, ".."), { recursive: true });
   writeFileSync5(stateFile, `${JSON.stringify(payload, null, 2)}
@@ -3390,9 +3413,38 @@ function createGitHubAuthStore(projectRoot) {
         scopes: input.scopes ?? [],
         selectedRepo: input.selectedRepo ?? previous.selectedRepo ?? null,
         pendingDevice: null,
+        apiSessions: previous.apiSessions ?? [],
         updatedAt: new Date().toISOString()
       });
     },
+    createApiSession() {
+      const previous = readStoredAuth(stateFile);
+      const token = newApiSessionToken();
+      const session = {
+        token,
+        login: cleanString(previous.login),
+        userId: cleanString(previous.userId),
+        createdAt: new Date().toISOString()
+      };
+      writeStoredAuth(stateFile, {
+        ...previous,
+        apiSessions: [...(previous.apiSessions ?? []).slice(-9), session],
+        updatedAt: new Date().toISOString()
+      });
+      return { token, login: session.login ?? null, userId: session.userId ?? null };
+    },
+    readApiSession(token) {
+      const clean = cleanString(token);
+      if (!clean)
+        return null;
+      const previous = readStoredAuth(stateFile);
+      const session = (previous.apiSessions ?? []).find((candidate) => candidate.token === clean);
+      return session ? { login: cleanString(session.login), userId: cleanString(session.userId) } : null;
+    },
+    copyToProjectRoot(projectRoot2) {
+      const targetFile = resolveGitHubAuthStateFile(projectRoot2);
+      writeStoredAuth(targetFile, readStoredAuth(stateFile));
+    },
     savePendingDevice(input) {
       const previous = readStoredAuth(stateFile);
       writeStoredAuth(stateFile, {
@@ -3690,15 +3742,36 @@ async function syncProjectStatusForRunLifecycle(projectRoot, run, status, config
   if (!run.taskId)
     return;
   const issueNodeId = extractGitHubIssueNodeId(runSourceTaskIdentity(run));
-  await syncGitHubProjectStatusForTaskUpdate({
-    taskId: run.taskId,
-    status,
-    issueNodeId,
-    token: createGitHubAuthStore(projectRoot).readToken(),
-    config
-  }).catch(() => {
-    return;
-  });
+  try {
+    const result = await syncGitHubProjectStatusForTaskUpdate({
+      taskId: run.taskId,
+      status,
+      issueNodeId,
+      token: createGitHubAuthStore(projectRoot).readToken(),
+      config
+    });
+    if (!result.synced && result.reason !== "project-sync-disabled") {
+      appendRunLogEntry(projectRoot, run.runId, {
+        id: `log:${run.runId}:github-project-sync:${status}`,
+        title: "GitHub Project sync skipped",
+        detail: `Project status sync for ${run.taskId} could not run: ${result.reason}.`,
+        tone: "warn",
+        status: "running",
+        createdAt: new Date().toISOString(),
+        payload: { reason: result.reason, issueNodeId }
+      });
+    }
+  } catch (error) {
+    appendRunLogEntry(projectRoot, run.runId, {
+      id: `log:${run.runId}:github-project-sync-error:${status}`,
+      title: "GitHub Project sync failed",
+      detail: error instanceof Error ? error.message : String(error),
+      tone: "error",
+      status: "running",
+      createdAt: new Date().toISOString(),
+      payload: { issueNodeId }
+    });
+  }
 }
 async function autoAssignRunIssue(projectRoot, run) {
   if (!run.taskId)
@@ -4886,10 +4959,10 @@ function normalizeCommit(value) {
 function asPlainRecord(value) {
   return value && typeof value === "object" && !Array.isArray(value) ? value : null;
 }
-var RIG_CONFIG_PACKAGE_VERSION = "0.0.6-alpha.0";
+var RIG_CONFIG_PACKAGE_DIST_TAG = "latest";
 var RIG_CONFIG_DEV_DEPENDENCIES = {
-  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_VERSION}`,
-  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_VERSION}`
+  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_DIST_TAG}`,
+  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_DIST_TAG}`
 };
 function repoParts(repoSlug) {
   const [owner, repo] = repoSlug.split("/");
@@ -5243,13 +5316,13 @@ function bearerTokenFromRequest(req) {
 function isLoopbackRequest(req) {
   try {
     const hostname = new URL(req.url).hostname.toLowerCase();
-    return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1" || hostname === "[::1]";
+    return hostname === "localhost" || hostname === "rig.local" || hostname.endsWith(".localhost") || hostname === "127.0.0.1" || hostname === "::1" || hostname === "[::1]";
   } catch {
     return false;
   }
 }
 function isPublicRigAuthBootstrapRoute(pathname) {
-  return pathname === "/" || pathname === "/health" || pathname === "/api/health" || pathname === "/api/server/status" || pathname === "/api/github/auth/status" || pathname === "/api/github/auth/token" || pathname === "/api/github/auth/device/start" || pathname === "/api/github/auth/device/poll";
+  return pathname === "/" || pathname === "/health" || pathname === "/api/health" || pathname === "/api/github/auth/status" || pathname === "/api/github/auth/token" || pathname === "/api/github/auth/device/start" || pathname === "/api/github/auth/device/poll";
 }
 function normalizePrMode(value) {
   const mode = normalizeString(value);
@@ -5262,6 +5335,10 @@ function authorizeRigHttpRequest(input) {
   const bearer = bearerTokenFromRequest(input.req);
   const store = createGitHubAuthStore(input.projectRoot);
   const storedToken = store.readToken();
+  const session = bearer ? store.readApiSession(bearer) : null;
+  if (session) {
+    return { authorized: true, actor: session.login ?? "github-operator", reason: "github-session" };
+  }
   if (bearer && storedToken && bearer === storedToken) {
     const status = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
     return { authorized: true, actor: status.login ?? "github-operator", reason: "github-token" };
@@ -5269,8 +5346,11 @@ function authorizeRigHttpRequest(input) {
   if (isPublicRigAuthBootstrapRoute(input.pathname)) {
     return { authorized: true, actor: null, reason: "public-bootstrap" };
   }
-  if (!input.serverAuthToken && !storedToken && isLoopbackRequest(input.req)) {
-    return { authorized: true, actor: null, reason: "loopback-dev-no-auth" };
+  if (!input.serverAuthToken && !storedToken) {
+    if (isLoopbackRequest(input.req)) {
+      return { authorized: true, actor: null, reason: "loopback-dev-no-auth" };
+    }
+    return { authorized: false, actor: null, reason: "auth-required" };
   }
   return { authorized: false, actor: null, reason: storedToken ? "github-token-required" : "auth-required" };
 }
@@ -5501,7 +5581,7 @@ function selectNextWorkspaceTask(projectRoot, tasks) {
   if (runnable.length === 0)
     return null;
   const queue = readQueueState(projectRoot);
-  const queueRank = new Map(queue.map((entry, index) => [entry.taskId, { score: entry.score, position: index }]));
+  const queueRank = new Map(queue.map((entry, index) => [String(entry.taskId), { score: entry.score, position: index }]));
   return runnable.toSorted((left, right) => {
     const leftId = taskIdOf(left) ?? "";
     const rightId = taskIdOf(right) ?? "";
@@ -5627,7 +5707,7 @@ function createRigServerFetch(state, deps) {
         }
         const isLinearWebhook = url.pathname === "/api/linear/webhook" && req.method === "POST";
         const isInspectorStream = url.pathname === "/api/inspector/stream" && req.method === "GET";
-        const legacyAuthorizedHttpRequest = isInspectorStream && isAuthorizedInspectorStreamRequest(req, state.authToken) ? true : deps.isAuthorizedHttpRequest(req, state.authToken);
+        const legacyAuthorizedHttpRequest = Boolean(state.authToken) && (isInspectorStream && isAuthorizedInspectorStreamRequest(req, state.authToken) ? true : deps.isAuthorizedHttpRequest(req, state.authToken));
         const requestAuth = authorizeRigHttpRequest({
           req,
           pathname: url.pathname,
@@ -6023,6 +6103,9 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }
           const normalizedRoot = resolve18(requestedRoot);
           const exists = existsSync11(normalizedRoot);
+          if (exists) {
+            createGitHubAuthStore(state.projectRoot).copyToProjectRoot(normalizedRoot);
+          }
           const control = buildServerControlStatus();
           const switchCommand = process.env.RIG_PROJECT_ROOT_SWITCH_COMMAND?.trim();
           if (!exists) {
@@ -6111,21 +6194,30 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           const body = await deps.readJsonBody(req);
           const token = normalizeString(body.token);
           const selectedRepo = normalizeString(body.selectedRepo);
+          const requestedProjectRoot = normalizeString(body.projectRoot);
           if (!token) {
             return deps.badRequest("token is required");
           }
           try {
             const user = await fetchGitHubUserInfo(token);
-            const store = createGitHubAuthStore(state.projectRoot);
-            store.saveToken({
-              token,
-              tokenSource: "manual-token",
-              login: user.login,
-              userId: user.userId,
-              scopes: user.scopes,
-              selectedRepo
-            });
-            return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }) });
+            const storeRoots = [
+              state.projectRoot,
+              ...requestedProjectRoot && isAbsolute3(requestedProjectRoot) && existsSync11(resolve18(requestedProjectRoot)) ? [resolve18(requestedProjectRoot)] : []
+            ].filter((root, index, roots) => roots.indexOf(root) === index);
+            const stores = storeRoots.map((root) => createGitHubAuthStore(root));
+            for (const store2 of stores) {
+              store2.saveToken({
+                token,
+                tokenSource: "manual-token",
+                login: user.login,
+                userId: user.userId,
+                scopes: user.scopes,
+                selectedRepo
+              });
+            }
+            const store = stores[stores.length - 1] ?? createGitHubAuthStore(state.projectRoot);
+            const apiSession = store.createApiSession();
+            return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }), apiSessionToken: apiSession.token });
           } catch (error) {
             const message = error instanceof Error ? error.message : String(error);
             return deps.jsonResponse({ ok: false, error: message }, 400);
@@ -6193,7 +6285,8 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           const token = result.payload.access_token;
           const user = await fetchGitHubUserInfo(token);
           store.saveToken({ token, tokenSource: "oauth-device", login: user.login, userId: user.userId, scopes: user.scopes });
-          return deps.jsonResponse({ ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }) });
+          const apiSession = store.createApiSession();
+          return deps.jsonResponse({ ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }), apiSessionToken: apiSession.token });
         }
         if (url.pathname === "/api/github/repo/probe" && req.method === "POST") {
           const body = await deps.readJsonBody(req);
@@ -11999,7 +12092,7 @@ async function readWorkspaceTasks(projectRoot) {
       description: normalizeString(entry.description),
       acceptanceCriteria: normalizeString(entry.acceptance_criteria),
       status: normalizedStatus ?? "unknown",
-      sourceStatus: normalizedStatus ? null : rawStatus,
+      sourceStatus: normalizedStatus && rawStatus !== normalizedStatus ? rawStatus : normalizedStatus ? null : rawStatus,
       priority: typeof entry.priority === "number" ? entry.priority : typeof entry.priority === "string" ? Number(entry.priority) : null,
       issueType: normalizeString(entry.issue_type),
       role: normalizeString(config.role) ?? null,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@h-rig/server",
-  "version": "0.0.6-alpha.0",
+  "version": "0.0.6-alpha.2",
   "type": "module",
   "description": "Rig package",
   "license": "UNLICENSED",
@@ -25,9 +25,9 @@
     "rig-server": "./dist/src/server.js"
   },
   "dependencies": {
-    "@rig/contracts": "npm:@h-rig/contracts@0.0.6-alpha.0",
-    "@rig/core": "npm:@h-rig/core@0.0.6-alpha.0",
-    "@rig/runtime": "npm:@h-rig/runtime@0.0.6-alpha.0",
+    "@rig/contracts": "npm:@h-rig/contracts@0.0.6-alpha.2",
+    "@rig/core": "npm:@h-rig/core@0.0.6-alpha.2",
+    "@rig/runtime": "npm:@h-rig/runtime@0.0.6-alpha.2",
     "effect": "4.0.0-beta.78"
   }
 }