@h-rig/server 0.0.6-alpha.0

package/dist/src/server-helpers/http-router.js

@@ -0,0 +1,3781 @@
+// @bun
+var __require = import.meta.require;
+
+// packages/server/src/server-helpers/http-router.ts
+import { randomUUID } from "crypto";
+import { spawnSync as spawnSync2 } from "child_process";
+import { basename, dirname as dirname6, isAbsolute as isAbsolute2, resolve as resolve11 } from "path";
+import { copyFileSync, existsSync as existsSync8, mkdirSync as mkdirSync7, readFileSync as readFileSync5, writeFileSync as writeFileSync7 } from "fs";
+
+// packages/server/src/server.ts
+import {
+  listAuthorityArtifactRoots,
+  listAuthorityRuns as listAuthorityRuns6,
+  readJsonFile as readJsonFile4,
+  readJsonlFile as readJsonlFile3
+} from "@rig/runtime/control-plane/authority-files";
+import { normalizeTaskLifecycleStatus as normalizeTaskLifecycleStatus3 } from "@rig/runtime/control-plane/state-sync/types";
+import {
+  readWorkspaceSummary
+} from "@rig/runtime/control-plane/native/workspace-ops";
+import { resolveMonorepoRoot as resolveMonorepoRoot6 } from "@rig/runtime/control-plane/native/utils";
+
+// packages/server/src/bootstrap.ts
+import { RIG_DEFINITION_DIRNAME, resolveMonorepoRoot } from "@rig/runtime";
+
+// packages/server/src/websocket.ts
+import {
+  WS_CHANNELS
+} from "@rig/contracts";
+function handleWebSocketUpgrade(args) {
+  if (!args.server || args.req.headers.get("upgrade")?.toLowerCase() !== "websocket") {
+    return null;
+  }
+  const url = new URL(args.req.url);
+  const token = url.searchParams.get("token");
+  if (args.authToken && token !== args.authToken) {
+    return Response.json({ ok: false, error: "Unauthorized WebSocket connection" }, { status: 401 });
+  }
+  const upgraded = args.server.upgrade(args.req, {
+    data: { connectedAt: args.connectedAt ?? new Date().toISOString() }
+  });
+  if (upgraded) {
+    return new Response(null);
+  }
+  return Response.json({ ok: false, error: "WebSocket upgrade failed" }, { status: 400 });
+}
+
+// packages/server/src/server-helpers/normalizers.ts
+function normalizeString(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function normalizeStringArray(value) {
+  return Array.isArray(value) ? value.map((entry) => normalizeString(entry)).filter((entry) => entry !== null) : [];
+}
+function normalizeRuntimeAdapter(value) {
+  const normalized = normalizeString(value)?.toLowerCase();
+  if (!normalized) {
+    return "pi";
+  }
+  if (normalized === "codex" || normalized === "codex-cli" || normalized === "codex-app-server" || normalized === "gpt-codex") {
+    return "codex";
+  }
+  if (normalized === "pi" || normalized === "rig-pi" || normalized === "@rig/pi") {
+    return "pi";
+  }
+  return "claude-code";
+}
+
+// packages/server/src/server-helpers/run-io.ts
+import { dirname, resolve } from "path";
+import { closeSync, existsSync, mkdirSync, openSync, readSync, statSync, writeFileSync } from "fs";
+import { createReadStream } from "fs";
+import { createInterface } from "readline";
+import {
+  listAuthorityRuns,
+  readAuthorityRun,
+  readJsonlFile,
+  resolveAuthorityRunDir
+} from "@rig/runtime/control-plane/authority-files";
+function matchesRunFilter(entry, filter) {
+  return (!filter.runId || entry.runId === filter.runId) && (!filter.taskId || entry.taskId === filter.taskId);
+}
+function readApprovalsForRuns(projectRoot, runs, filter = {}) {
+  return runs.filter((entry) => matchesRunFilter(entry, filter)).flatMap((entry) => readJsonlFile(resolve(resolveAuthorityRunDir(projectRoot, entry.runId), "approvals.jsonl")).flatMap((record) => {
+    if (!record || typeof record !== "object") {
+      return [];
+    }
+    const value = record;
+    return [
+      {
+        runId: entry.runId,
+        taskId: entry.taskId,
+        requestId: normalizeString(value.requestId) ?? normalizeString(value.id),
+        status: normalizeString(value.status),
+        record: value
+      }
+    ];
+  }));
+}
+function readApprovals(projectRoot, filter = {}) {
+  return readApprovalsForRuns(projectRoot, listAuthorityRuns(projectRoot), filter);
+}
+function readUserInputsForRuns(projectRoot, runs, filter = {}) {
+  return runs.filter((entry) => matchesRunFilter(entry, filter)).flatMap((entry) => readJsonlFile(resolve(resolveAuthorityRunDir(projectRoot, entry.runId), "user-input.jsonl")).flatMap((record) => {
+    if (!record || typeof record !== "object") {
+      return [];
+    }
+    const value = record;
+    return [
+      {
+        runId: entry.runId,
+        taskId: entry.taskId,
+        requestId: normalizeString(value.requestId) ?? normalizeString(value.id),
+        status: normalizeString(value.status),
+        record: value
+      }
+    ];
+  }));
+}
+function readUserInputs(projectRoot, filter = {}) {
+  return readUserInputsForRuns(projectRoot, listAuthorityRuns(projectRoot), filter);
+}
+function writeRunJsonlFile(projectRoot, runId, fileName, rows) {
+  const filePath = resolve(resolveAuthorityRunDir(projectRoot, runId), fileName);
+  mkdirSync(dirname(filePath), { recursive: true });
+  const next = rows.map((row) => JSON.stringify(row)).join(`
+`);
+  writeFileSync(filePath, next.length > 0 ? `${next}
+` : "", "utf8");
+}
+function resolveApproval(projectRoot, input) {
+  const approvalsPath = resolve(resolveAuthorityRunDir(projectRoot, input.runId), "approvals.jsonl");
+  const approvals = readJsonlFile(approvalsPath);
+  const resolvedAt = new Date().toISOString();
+  const rows = approvals.map((entry) => entry.requestId === input.requestId || entry.id === input.requestId ? {
+    ...entry,
+    status: "resolved",
+    decision: input.decision,
+    note: input.note ?? null,
+    resolvedAt
+  } : entry);
+  writeRunJsonlFile(projectRoot, input.runId, "approvals.jsonl", rows);
+  return { ok: true, runId: input.runId, requestId: input.requestId, decision: input.decision };
+}
+function respondToUserInput(projectRoot, input) {
+  const requestsPath = resolve(resolveAuthorityRunDir(projectRoot, input.runId), "user-input.jsonl");
+  const requests = readJsonlFile(requestsPath);
+  const resolvedAt = new Date().toISOString();
+  const rows = requests.map((entry) => entry.requestId === input.requestId || entry.id === input.requestId ? {
+    ...entry,
+    status: "resolved",
+    answers: input.answers,
+    respondedAt: resolvedAt,
+    resolvedAt
+  } : entry);
+  writeRunJsonlFile(projectRoot, input.runId, "user-input.jsonl", rows);
+  return { ok: true, runId: input.runId, requestId: input.requestId, answers: input.answers };
+}
+function isGenericRunFailure(value) {
+  return typeof value === "string" && /^Task run failed \([^)]*\)$/i.test(value.trim());
+}
+function summarizeUsefulRunError(projectRoot, runId, fallback) {
+  const logs = readJsonlFileTail(runLogsPath(projectRoot, runId), { limit: 80, maxBytes: 512 * 1024 }).filter((entry) => Boolean(entry && typeof entry === "object" && !Array.isArray(entry)));
+  const errorLines = logs.filter((entry) => normalizeString(entry.tone) === "error" || normalizeString(entry.status) === "failed").map((entry) => normalizeString(entry.detail)).filter((entry) => Boolean(entry && !isGenericRunFailure(entry)));
+  const taskSourceFailure = errorLines.find((line) => /failed to update task source/i.test(line));
+  if (taskSourceFailure)
+    return `Task source update failed: ${taskSourceFailure}`;
+  const moduleFailure = errorLines.find((line) => /cannot find module/i.test(line));
+  if (moduleFailure)
+    return `Runtime module resolution failed: ${moduleFailure}`;
+  const providerFailure = errorLines.find((line) => /no api key found|unauthorized|authentication failed|invalid api key/i.test(line));
+  if (providerFailure)
+    return `Provider authentication failed: ${providerFailure}`;
+  const nonGeneric = errorLines.at(-1);
+  return nonGeneric ?? (typeof fallback === "string" ? fallback : null);
+}
+function readRunDetails(projectRoot, runId) {
+  const run = readAuthorityRun(projectRoot, runId);
+  if (!run) {
+    return null;
+  }
+  const usefulErrorText = isGenericRunFailure(run.errorText) ? summarizeUsefulRunError(projectRoot, runId, run.errorText) : null;
+  return {
+    run: usefulErrorText ? { ...run, errorText: usefulErrorText } : run,
+    timeline: readJsonlFile(resolve(resolveAuthorityRunDir(projectRoot, runId), "timeline.jsonl")),
+    approvals: readApprovals(projectRoot, { runId }),
+    userInputs: readUserInputs(projectRoot, { runId })
+  };
+}
+function runTimelinePath(projectRoot, runId) {
+  return resolve(resolveAuthorityRunDir(projectRoot, runId), "timeline.jsonl");
+}
+function runLogsPath(projectRoot, runId) {
+  return resolve(resolveAuthorityRunDir(projectRoot, runId), "logs.jsonl");
+}
+function parseJsonlRecords(lines) {
+  return lines.map((line) => line.trim()).filter(Boolean).flatMap((line) => {
+    try {
+      return [JSON.parse(line)];
+    } catch {
+      return [];
+    }
+  });
+}
+function readJsonlFileTail(path, options) {
+  const limit = Math.max(0, Math.trunc(options.limit));
+  if (limit === 0 || !existsSync(path))
+    return [];
+  const maxBytes = Math.max(1024, Math.trunc(options.maxBytes ?? 256 * 1024));
+  const size = statSync(path).size;
+  if (size === 0)
+    return [];
+  const start = Math.max(0, size - maxBytes);
+  const length = size - start;
+  const buffer = Buffer.alloc(length);
+  const fd = openSync(path, "r");
+  try {
+    readSync(fd, buffer, 0, length, start);
+  } finally {
+    closeSync(fd);
+  }
+  const text = buffer.toString("utf8");
+  const lines = text.split(/\r?\n/);
+  const completeLines = start > 0 ? lines.slice(1) : lines;
+  return parseJsonlRecords(completeLines.filter(Boolean).slice(-limit));
+}
+var INITIAL_RUN_LOG_TAIL_MAX_BYTES = 8 * 1024 * 1024;
+async function readRunLogsPage(projectRoot, runId, options = {}) {
+  const limit = Math.max(1, Math.min(Math.trunc(options.limit ?? 200), 500));
+  const cursor = options.cursor == null ? null : Number.parseInt(options.cursor, 10);
+  const logsPath = runLogsPath(projectRoot, runId);
+  if ((options.cursor == null || !Number.isFinite(cursor)) && existsSync(logsPath)) {
+    const size = statSync(logsPath).size;
+    if (size > INITIAL_RUN_LOG_TAIL_MAX_BYTES) {
+      const tail = readJsonlFileTail(logsPath, {
+        limit,
+        maxBytes: INITIAL_RUN_LOG_TAIL_MAX_BYTES
+      }).filter((entry) => Boolean(entry && typeof entry === "object" && !Array.isArray(entry)));
+      return {
+        entries: tail.toReversed(),
+        nextCursor: null,
+        hasMore: true
+      };
+    }
+  }
+  const endExclusive = cursor == null || !Number.isFinite(cursor) ? Number.POSITIVE_INFINITY : Math.max(0, cursor);
+  const window = [];
+  let index = 0;
+  let hasMore = false;
+  const stream = createReadStream(logsPath, { encoding: "utf8" });
+  stream.on("error", (error) => {
+    if (error.code !== "ENOENT") {
+      stream.destroy(error);
+    }
+  });
+  const lines = createInterface({ input: stream, crlfDelay: Infinity });
+  try {
+    for await (const line of lines) {
+      const currentIndex = index;
+      index += 1;
+      if (currentIndex >= endExclusive) {
+        break;
+      }
+      const trimmed = line.trim();
+      if (trimmed.length === 0) {
+        continue;
+      }
+      try {
+        const parsed = JSON.parse(trimmed);
+        if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+          window.push({ index: currentIndex, entry: parsed });
+        }
+      } catch {
+        window.push({
+          index: currentIndex,
+          entry: { title: "Unparsed log line", detail: line, tone: "info" }
+        });
+      }
+      if (window.length > limit) {
+        window.shift();
+        hasMore = true;
+      }
+    }
+  } catch (error) {
+    const code = error.code;
+    if (code !== "ENOENT") {
+      throw error;
+    }
+  }
+  return {
+    entries: window.toReversed().map((item) => item.entry),
+    nextCursor: hasMore ? String(window[0]?.index ?? 0) : null,
+    hasMore
+  };
+}
+function remoteArtifactsRoot(projectRoot, runId) {
+  return resolve(resolveAuthorityRunDir(projectRoot, runId), "remote-artifacts");
+}
+
+// packages/server/src/server-helpers/server-paths.ts
+import { dirname as dirname2, resolve as resolve2 } from "path";
+import { resolveMonorepoRoot as resolveMonorepoRoot2 } from "@rig/runtime/control-plane/native/utils";
+function resolveServerAuthorityPaths(projectRoot) {
+  const taskWorkspace = process.env.RIG_TASK_WORKSPACE?.trim();
+  const explicitStateDir = process.env.RIG_STATE_DIR?.trim();
+  const explicitLogsDir = process.env.RIG_LOGS_DIR?.trim();
+  const explicitSessionFile = process.env.RIG_SESSION_FILE?.trim();
+  const monorepoRoot = resolveMonorepoRoot2(projectRoot);
+  const stateRoot = taskWorkspace ? resolve2(taskWorkspace, ".rig") : explicitStateDir ? dirname2(resolve2(explicitStateDir)) : explicitLogsDir ? dirname2(resolve2(explicitLogsDir)) : explicitSessionFile ? dirname2(dirname2(resolve2(explicitSessionFile))) : resolve2(monorepoRoot, ".rig");
+  const stateDir = explicitStateDir ? resolve2(explicitStateDir) : resolve2(stateRoot, "state");
+  const logsDir = explicitLogsDir ? resolve2(explicitLogsDir) : resolve2(stateRoot, "logs");
+  const sessionFile = explicitSessionFile ? resolve2(explicitSessionFile) : resolve2(stateRoot, "session", "session.json");
+  const artifactsDir = taskWorkspace ? resolve2(taskWorkspace, "artifacts") : resolve2(monorepoRoot, "artifacts");
+  return {
+    stateRoot,
+    stateDir,
+    logsDir,
+    controlPlaneEventsFile: resolve2(logsDir, "control-plane.events.jsonl"),
+    sessionFile,
+    artifactsDir
+  };
+}
+
+// packages/server/src/server-helpers/snapshot-service.ts
+import { listAgentRuntimes } from "@rig/runtime/control-plane/runtime/isolation";
+
+// packages/server/src/server-helpers/snapshot-orchestrator.ts
+import {
+  listAuthorityRuns as listAuthorityRuns3,
+  readAuthorityRun as readAuthorityRun2
+} from "@rig/runtime/control-plane/authority-files";
+
+// packages/server/src/server-helpers/queue-state.ts
+import { resolve as resolve3 } from "path";
+import { readJsonFile, writeJsonFile } from "@rig/runtime/control-plane/authority-files";
+function resolveQueueStatePath(projectRoot) {
+  return resolve3(resolveServerAuthorityPaths(projectRoot).stateDir, "task-queue.json");
+}
+function readQueueState(projectRoot) {
+  const queue = readJsonFile(resolveQueueStatePath(projectRoot), null);
+  if (!Array.isArray(queue))
+    return [];
+  return queue.filter((entry) => entry && typeof entry === "object").map((entry, index) => ({
+    taskId: normalizeString(entry.taskId),
+    score: typeof entry.score === "number" ? Math.max(0, Math.trunc(entry.score)) : 0,
+    unblockCount: typeof entry.unblockCount === "number" ? Math.max(0, Math.trunc(entry.unblockCount)) : 0,
+    position: typeof entry.position === "number" ? Math.max(0, Math.trunc(entry.position)) : index
+  })).filter((entry) => Boolean(entry.taskId)).sort((left, right) => right.score - left.score || left.position - right.position).map((entry, index) => ({ ...entry, position: index }));
+}
+function writeQueueState(projectRoot, queue) {
+  writeJsonFile(resolveQueueStatePath(projectRoot), queue);
+}
+function dequeueTaskState(projectRoot, taskId) {
+  const next = readQueueState(projectRoot).filter((entry) => entry.taskId !== taskId).map((entry, index) => ({ ...entry, position: index }));
+  writeQueueState(projectRoot, next);
+  return next;
+}
+
+// packages/server/src/server-helpers/remote-snapshots.ts
+import { listAuthorityRemoteEndpoints } from "@rig/runtime/control-plane/authority-files";
+
+// packages/server/src/server-helpers/conversation-snapshot.ts
+import {
+  listAuthorityRuns as listAuthorityRuns2,
+  readJsonlFile as readJsonlFile2
+} from "@rig/runtime/control-plane/authority-files";
+var snapshotCache = new Map;
+
+// packages/server/src/server-helpers/plugin-host-cache.ts
+import { existsSync as existsSync2, statSync as statSync2 } from "fs";
+import { resolve as resolve4 } from "path";
+var contextCache = new Map;
+var taskListCache = new Map;
+function getPluginHostConfigMtime(projectRoot) {
+  for (const name of ["rig.config.ts", "rig.config.json"]) {
+    const path = resolve4(projectRoot, name);
+    if (existsSync2(path)) {
+      try {
+        return statSync2(path).mtimeMs;
+      } catch {
+        return null;
+      }
+    }
+  }
+  return null;
+}
+async function getCachedPluginHostContext(projectRoot) {
+  const mtimeMs = getPluginHostConfigMtime(projectRoot);
+  if (mtimeMs === null) {
+    contextCache.delete(projectRoot);
+    return null;
+  }
+  const cached = contextCache.get(projectRoot);
+  if (cached && cached.mtimeMs === mtimeMs && cached.ctx) {
+    return cached.ctx;
+  }
+  try {
+    const { buildPluginHostContext } = await import("@rig/runtime/control-plane/plugin-host-context");
+    const ctx = await buildPluginHostContext(projectRoot);
+    if (!ctx) {
+      contextCache.delete(projectRoot);
+      return null;
+    }
+    contextCache.set(projectRoot, { mtimeMs, ctx });
+    return ctx;
+  } catch (err) {
+    contextCache.delete(projectRoot);
+    throw err;
+  }
+}
+
+// packages/server/src/server-helpers/task-projection.ts
+import { existsSync as existsSync3, mkdirSync as mkdirSync2, readFileSync, writeFileSync as writeFileSync2 } from "fs";
+import { resolve as resolve5 } from "path";
+function projectionPath(projectRoot) {
+  return resolve5(projectRoot, ".rig", "state", "task-projection.json");
+}
+function stateDir(projectRoot) {
+  return resolve5(projectRoot, ".rig", "state");
+}
+function cloneTask(task) {
+  return { ...task };
+}
+function writeTaskProjection(projectRoot, input) {
+  const activeByTask = new Map((input.activeRuns ?? []).map((run) => [run.taskId, run]));
+  const tasks = input.tasks.map((task) => {
+    const projected = cloneTask(task);
+    const active = activeByTask.get(task.id);
+    if (active) {
+      projected.status = "in_progress";
+      projected.activeRun = {
+        runId: active.runId,
+        ...active.status ? { status: active.status } : {},
+        ...active.stage ? { stage: active.stage } : {}
+      };
+    }
+    return projected;
+  });
+  const snapshot = {
+    version: 1,
+    source: input.source,
+    reason: input.reason,
+    refreshedAt: input.refreshedAt ?? new Date().toISOString(),
+    tasks
+  };
+  mkdirSync2(stateDir(projectRoot), { recursive: true });
+  writeFileSync2(projectionPath(projectRoot), JSON.stringify(snapshot, null, 2), "utf8");
+  return snapshot;
+}
+function readTaskProjection(projectRoot) {
+  const file = projectionPath(projectRoot);
+  if (!existsSync3(file))
+    return null;
+  try {
+    const parsed = JSON.parse(readFileSync(file, "utf8"));
+    return parsed && parsed.version === 1 && Array.isArray(parsed.tasks) ? parsed : null;
+  } catch {
+    return null;
+  }
+}
+async function refreshTaskProjection(projectRoot, input) {
+  const tasks = typeof input.tasks === "function" ? await input.tasks() : input.tasks;
+  const activeRuns = typeof input.activeRuns === "function" ? await input.activeRuns() : input.activeRuns;
+  return writeTaskProjection(projectRoot, {
+    source: input.source,
+    reason: input.reason ?? "refresh",
+    tasks,
+    activeRuns
+  });
+}
+
+// packages/server/src/server-helpers/terminal-runtime.ts
+import { WS_CHANNELS as WS_CHANNELS2 } from "@rig/contracts";
+
+// packages/server/src/server-helpers/broadcasters.ts
+import { RIG_WS_CHANNELS } from "@rig/contracts";
+
+// packages/server/src/server-helpers/run-writers.ts
+import { resolve as resolve6 } from "path";
+import {
+  appendJsonlRecord,
+  readAuthorityRun as readAuthorityRun3,
+  resolveAuthorityRunDir as resolveAuthorityRunDir2,
+  writeJsonFile as writeJsonFile2
+} from "@rig/runtime/control-plane/authority-files";
+function appendRunTimelineEntry(projectRoot, runId, value) {
+  if (!readAuthorityRun3(projectRoot, runId)) {
+    return;
+  }
+  appendJsonlRecord(runTimelinePath(projectRoot, runId), value);
+  patchRunRecord(projectRoot, runId, {});
+}
+function patchRunRecord(projectRoot, runId, patch) {
+  const current = readAuthorityRun3(projectRoot, runId);
+  if (!current) {
+    throw new Error(`Run not found: ${runId}`);
+  }
+  const next = {
+    ...current,
+    ...patch,
+    updatedAt: normalizeString(patch.updatedAt) ?? new Date().toISOString()
+  };
+  writeJsonFile2(resolve6(resolveAuthorityRunDir2(projectRoot, runId), "run.json"), next);
+  return next;
+}
+
+// packages/server/src/server-helpers/terminal-runtime.ts
+var DEFAULT_TERMINAL_SHELL = process.env.SHELL || "/bin/zsh";
+
+// packages/server/src/server-helpers/run-mutations.ts
+import { loadConfig } from "@rig/core/load-config";
+import {
+  listAuthorityRuns as listAuthorityRuns4,
+  readAuthorityRun as readAuthorityRun4,
+  resolveAuthorityRunDir as resolveAuthorityRunDir3,
+  writeJsonFile as writeJsonFile3
+} from "@rig/runtime/control-plane/authority-files";
+import { readPublishedRigServerStateSync } from "@rig/runtime/local-server";
+import { resolveMonorepoRoot as resolveMonorepoRoot3 } from "@rig/runtime/control-plane/native/utils";
+import {
+  buildTaskRunLifecycleComment,
+  updateConfiguredTaskSourceTask
+} from "@rig/runtime/control-plane/tasks/source-lifecycle";
+
+// packages/server/src/scheduler.ts
+import { normalizeTaskLifecycleStatus } from "@rig/runtime/control-plane/state-sync/types";
+var TERMINAL_RUN_STATUSES = new Set(["done", "completed", "error", "failed", "stopped", "cancelled"]);
+var RUNNABLE_TASK_STATUSES = new Set(["draft", "open", "ready", "queued"]);
+var REMOTE_READY_STATUSES = new Set(["ready", "idle", "connected"]);
+
+// packages/server/src/server-helpers/validation-failure.ts
+import {
+  readJsonFile as readJsonFile2,
+  resolveTaskArtifactDirs
+} from "@rig/runtime/control-plane/authority-files";
+
+// packages/server/src/server-helpers/github-auth-store.ts
+import { chmodSync, existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync2, writeFileSync as writeFileSync3 } from "fs";
+import { resolve as resolve7 } from "path";
+function cleanString(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function cleanScopes(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    const clean = cleanString(entry);
+    return clean ? [clean] : [];
+  });
+}
+function readStoredAuth(stateFile) {
+  if (!existsSync4(stateFile))
+    return {};
+  try {
+    const parsed = JSON.parse(readFileSync2(stateFile, "utf8"));
+    return {
+      ...cleanString(parsed.token) ? { token: cleanString(parsed.token) } : {},
+      login: cleanString(parsed.login),
+      userId: cleanString(parsed.userId),
+      scopes: cleanScopes(parsed.scopes),
+      selectedRepo: cleanString(parsed.selectedRepo),
+      tokenSource: parsed.tokenSource === "oauth-device" || parsed.tokenSource === "manual-token" || parsed.tokenSource === "env" ? parsed.tokenSource : undefined,
+      pendingDevice: parsePendingDevice(parsed.pendingDevice),
+      updatedAt: cleanString(parsed.updatedAt) ?? undefined
+    };
+  } catch {
+    return {};
+  }
+}
+function parsePendingDevice(value) {
+  if (!value || typeof value !== "object")
+    return null;
+  const record = value;
+  const pollId = cleanString(record.pollId);
+  const deviceCode = cleanString(record.deviceCode);
+  const expiresAt = cleanString(record.expiresAt);
+  const intervalSeconds = typeof record.intervalSeconds === "number" && Number.isFinite(record.intervalSeconds) ? Math.max(1, Math.floor(record.intervalSeconds)) : null;
+  if (!pollId || !deviceCode || !expiresAt || !intervalSeconds)
+    return null;
+  return { pollId, deviceCode, expiresAt, intervalSeconds };
+}
+function writeStoredAuth(stateFile, payload) {
+  mkdirSync3(resolve7(stateFile, ".."), { recursive: true });
+  writeFileSync3(stateFile, `${JSON.stringify(payload, null, 2)}
+`, { encoding: "utf8", mode: 384 });
+  try {
+    chmodSync(stateFile, 384);
+  } catch {}
+}
+function resolveGitHubAuthStateFile(projectRoot) {
+  return resolve7(resolveServerAuthorityPaths(projectRoot).stateDir, "github-auth.json");
+}
+function createGitHubAuthStore(projectRoot) {
+  const stateFile = resolveGitHubAuthStateFile(projectRoot);
+  return {
+    stateFile,
+    status(options) {
+      const stored = readStoredAuth(stateFile);
+      const token = cleanString(stored.token);
+      return {
+        signedIn: Boolean(token),
+        login: cleanString(stored.login),
+        userId: cleanString(stored.userId),
+        scopes: cleanScopes(stored.scopes),
+        selectedRepo: cleanString(stored.selectedRepo),
+        oauthConfigured: options?.oauthConfigured === true,
+        tokenSource: token ? stored.tokenSource ?? "manual-token" : null
+      };
+    },
+    readToken() {
+      return cleanString(readStoredAuth(stateFile).token);
+    },
+    saveToken(input) {
+      const previous = readStoredAuth(stateFile);
+      writeStoredAuth(stateFile, {
+        ...previous,
+        token: input.token,
+        tokenSource: input.tokenSource,
+        login: input.login ?? null,
+        userId: input.userId ?? null,
+        scopes: input.scopes ?? [],
+        selectedRepo: input.selectedRepo ?? previous.selectedRepo ?? null,
+        pendingDevice: null,
+        updatedAt: new Date().toISOString()
+      });
+    },
+    savePendingDevice(input) {
+      const previous = readStoredAuth(stateFile);
+      writeStoredAuth(stateFile, {
+        ...previous,
+        pendingDevice: input,
+        updatedAt: new Date().toISOString()
+      });
+    },
+    saveSelectedRepo(selectedRepo) {
+      const previous = readStoredAuth(stateFile);
+      writeStoredAuth(stateFile, {
+        ...previous,
+        selectedRepo: selectedRepo ?? null,
+        updatedAt: new Date().toISOString()
+      });
+    },
+    readPendingDevice(pollId) {
+      const pending = readStoredAuth(stateFile).pendingDevice ?? null;
+      if (!pending || pending.pollId !== pollId)
+        return null;
+      if (Date.parse(pending.expiresAt) <= Date.now())
+        return null;
+      return pending;
+    },
+    clearPendingDevice() {
+      const previous = readStoredAuth(stateFile);
+      writeStoredAuth(stateFile, {
+        ...previous,
+        pendingDevice: null,
+        updatedAt: new Date().toISOString()
+      });
+    }
+  };
+}
+
+// packages/server/src/server-helpers/github-projects.ts
+function asRecord(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : null;
+}
+function asString(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value : undefined;
+}
+async function defaultGraphQLFetch(query, variables, token) {
+  const response = await fetch("https://api.github.com/graphql", {
+    method: "POST",
+    headers: {
+      "content-type": "application/json",
+      authorization: `Bearer ${token}`,
+      accept: "application/vnd.github+json"
+    },
+    body: JSON.stringify({ query, variables })
+  });
+  const json = await response.json().catch(() => ({}));
+  if (!response.ok || json.errors) {
+    throw new Error(`GitHub Projects GraphQL request failed: ${JSON.stringify(json.errors ?? { status: response.status })}`);
+  }
+  return json.data;
+}
+async function resolveProjectStatusField(input) {
+  const query = `
+    query RigProjectStatusField($projectId: ID!) {
+      node(id: $projectId) {
+        ... on ProjectV2 {
+          fields(first: 50) {
+            nodes {
+              ... on ProjectV2FieldCommon { id name }
+              ... on ProjectV2SingleSelectField { id name options { id name } }
+            }
+          }
+        }
+      }
+    }
+  `;
+  const fetchGraphQL = input.fetchGraphQL ?? defaultGraphQLFetch;
+  const data = await fetchGraphQL(query, { projectId: input.projectId }, input.token);
+  const fields = asRecord(asRecord(asRecord(data)?.node)?.fields)?.nodes;
+  for (const node of Array.isArray(fields) ? fields : []) {
+    const record = asRecord(node);
+    if (asString(record?.name)?.toLowerCase() !== "status")
+      continue;
+    const id = asString(record?.id);
+    if (!id)
+      continue;
+    const options = Array.isArray(record?.options) ? record.options.flatMap((option) => {
+      const optionRecord = asRecord(option);
+      const optionId = asString(optionRecord?.id);
+      const name = asString(optionRecord?.name);
+      return optionId && name ? [{ id: optionId, name }] : [];
+    }) : [];
+    return { id, name: "Status", options };
+  }
+  throw new Error(`GitHub Project ${input.projectId} does not expose a Status single-select field.`);
+}
+async function ensureIssueProjectItem(input) {
+  const query = `
+    query RigFindProjectIssueItem($projectId: ID!, $issueNodeId: ID!) {
+      node(id: $projectId) {
+        ... on ProjectV2 {
+          items(first: 100) { nodes { id content { ... on Issue { id } } } }
+        }
+      }
+    }
+  `;
+  const fetchGraphQL = input.fetchGraphQL ?? defaultGraphQLFetch;
+  const data = await fetchGraphQL(query, { projectId: input.projectId, issueNodeId: input.issueNodeId }, input.token);
+  const nodes = asRecord(asRecord(asRecord(data)?.node)?.items)?.nodes;
+  for (const node of Array.isArray(nodes) ? nodes : []) {
+    const record = asRecord(node);
+    const content = asRecord(record?.content);
+    if (asString(content?.id) === input.issueNodeId) {
+      const id2 = asString(record?.id);
+      if (id2)
+        return { id: id2, created: false };
+    }
+  }
+  const mutation = `
+    mutation RigAddIssueToProject($projectId: ID!, $contentId: ID!) {
+      addProjectV2ItemById(input: { projectId: $projectId, contentId: $contentId }) { item { id } }
+    }
+  `;
+  const created = await fetchGraphQL(mutation, { projectId: input.projectId, contentId: input.issueNodeId }, input.token);
+  const addResult = asRecord(asRecord(created)?.addProjectV2ItemById);
+  const id = asString(asRecord(addResult?.item)?.id);
+  if (!id)
+    throw new Error("GitHub Project item creation did not return an item id.");
+  return { id, created: true };
+}
+async function updateIssueProjectStatus(input) {
+  const mutation = `
+    mutation RigUpdateProjectStatus($projectId: ID!, $itemId: ID!, $fieldId: ID!, $optionId: String!) {
+      updateProjectV2ItemFieldValue(input: {
+        projectId: $projectId,
+        itemId: $itemId,
+        fieldId: $fieldId,
+        value: { singleSelectOptionId: $optionId }
+      }) { projectV2Item { id } }
+    }
+  `;
+  const fetchGraphQL = input.fetchGraphQL ?? defaultGraphQLFetch;
+  await fetchGraphQL(mutation, {
+    projectId: input.projectId,
+    itemId: input.itemId,
+    fieldId: input.fieldId,
+    optionId: input.optionId
+  }, input.token);
+}
+
+// packages/server/src/server-helpers/github-project-status-sync.ts
+var DEFAULT_PROJECT_STATUSES = {
+  running: "In Progress",
+  prOpen: "In Review",
+  ciFixing: "In Review",
+  done: "Done",
+  needsAttention: "Needs Attention"
+};
+function lifecycleStatusForTaskStatus(status) {
+  const normalized = status?.trim().toLowerCase().replace(/[-\s]+/g, "_");
+  if (!normalized)
+    return null;
+  if (normalized === "closed" || normalized === "done")
+    return "done";
+  if (normalized === "under_review" || normalized === "review" || normalized === "pr_open")
+    return "prOpen";
+  if (normalized === "ci_fixing" || normalized === "fixing")
+    return "ciFixing";
+  if (normalized === "failed" || normalized === "needs_attention" || normalized === "blocked")
+    return "needsAttention";
+  if (normalized === "in_progress" || normalized === "running" || normalized === "ready" || normalized === "open")
+    return "running";
+  return null;
+}
+function cleanString2(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function projectConfigFrom(config) {
+  if (!config || typeof config !== "object" || Array.isArray(config))
+    return null;
+  const root = config;
+  return root.github?.projects ?? null;
+}
+async function syncGitHubProjectStatusForTaskUpdate(input) {
+  const projects = projectConfigFrom(input.config);
+  if (!projects?.enabled)
+    return { synced: false, reason: "project-sync-disabled" };
+  const projectId = cleanString2(projects.projectId);
+  if (!projectId)
+    return { synced: false, reason: "missing-project-id" };
+  const token = cleanString2(input.token);
+  if (!token)
+    return { synced: false, reason: "missing-token" };
+  const lifecycleStatus = lifecycleStatusForTaskStatus(input.status);
+  if (!lifecycleStatus)
+    return { synced: false, reason: "missing-status" };
+  const issueNodeId = cleanString2(input.issueNodeId);
+  if (!issueNodeId)
+    return { synced: false, reason: "missing-issue-node-id" };
+  const projectStatus = cleanString2(projects.statuses?.[lifecycleStatus]) ?? DEFAULT_PROJECT_STATUSES[lifecycleStatus];
+  const field = await resolveProjectStatusField({ projectId, token, fetchGraphQL: input.fetchGraphQL });
+  const option = field.options.find((candidate) => candidate.name.toLowerCase() === projectStatus.toLowerCase() || candidate.id === projectStatus);
+  if (!option)
+    return { synced: false, reason: "missing-project-status-option" };
+  const item = await ensureIssueProjectItem({ projectId, issueNodeId, token, fetchGraphQL: input.fetchGraphQL });
+  await updateIssueProjectStatus({
+    projectId,
+    itemId: item.id,
+    fieldId: cleanString2(projects.statusFieldId) ?? field.id,
+    optionId: option.id,
+    token,
+    fetchGraphQL: input.fetchGraphQL
+  });
+  return { synced: true, lifecycleStatus, projectStatus, itemId: item.id };
+}
+function extractGitHubIssueNodeId(task) {
+  if (!task || typeof task !== "object" || Array.isArray(task))
+    return null;
+  const record = task;
+  const direct = cleanString2(record.issueNodeId) ?? cleanString2(record.nodeId) ?? cleanString2(record.node_id);
+  if (direct)
+    return direct;
+  const raw = record.raw;
+  if (!raw || typeof raw !== "object" || Array.isArray(raw))
+    return null;
+  const rawRecord = raw;
+  return cleanString2(rawRecord.id) ?? cleanString2(rawRecord.nodeId) ?? cleanString2(rawRecord.node_id);
+}
+
+// packages/server/src/server-helpers/run-mutations.ts
+var TERMINAL_RUN_STATUSES2 = new Set([
+  "completed",
+  "complete",
+  "done",
+  "merged",
+  "closed",
+  "failed",
+  "cancelled",
+  "canceled",
+  "needs_attention",
+  "needs-attention",
+  "stopped"
+]);
+var ORPHANABLE_LOCAL_RUN_STATUSES = new Set(["preparing", "running"]);
+
+// packages/server/src/server-helpers/ws-router.ts
+import {
+  ORCHESTRATION_WS_CHANNELS,
+  ORCHESTRATION_WS_METHODS,
+  RIG_WS_METHODS,
+  WS_METHODS
+} from "@rig/contracts";
+import {
+  listManagedRemoteEndpoints,
+  removeManagedRemoteEndpoint,
+  resolveRemoteEndpoint,
+  upsertManagedRemoteEndpoint,
+  RemoteWsClient
+} from "@rig/runtime/control-plane/remote";
+import { deleteRunState } from "@rig/runtime/control-plane/native/run-ops";
+import { readAuthorityRun as readAuthorityRun5 } from "@rig/runtime/control-plane/authority-files";
+
+// packages/server/src/server-helpers/inspector-jobs.ts
+import { readJsonFile as readJsonFile3 } from "@rig/runtime/control-plane/authority-files";
+import { resolveMonorepoRoot as resolveMonorepoRoot5 } from "@rig/runtime/control-plane/native/utils";
+import { normalizeTaskLifecycleStatus as normalizeTaskLifecycleStatus2 } from "@rig/runtime/control-plane/state-sync/types";
+
+// packages/server/src/inspector/discovery.ts
+import {
+  runStatus
+} from "@rig/runtime/control-plane/native/run-ops";
+import {
+  listAuthorityRuns as listAuthorityRuns5,
+  readAuthorityRun as readAuthorityRun6
+} from "@rig/runtime/control-plane/authority-files";
+
+// packages/server/src/inspector/service.ts
+var ACTIVE_RUN_STATUSES = new Set(["preparing", "running", "validating", "reviewing"]);
+
+// packages/server/src/inspector/upstream-sync.ts
+import { resolveMonorepoRoot as resolveMonorepoRoot4 } from "@rig/runtime/control-plane/native/utils";
+var UPSTREAM_VALIDATION_DESCRIPTIONS = {
+  "integration:hg-auth-backport": "Preserves the upstream auth hardening cluster: nonce-backed node-client login, signature-aware JWT verification, shared-token onboarding semantics, and regression coverage.",
+  "integration:hg-core-security-backport": "Preserves the vendored core-app and backend security fixes for OTP validation, NoSQL/operator hardening, AES/encryption behavior, and rate-limit or redirect-state protections.",
+  "integration:hg-boundary-hardening": "Preserves boundary-safe CORS behavior and credential lookup error hygiene across the vendored backend and the extracted credentials-service analogue.",
+  "integration:hg-uudl-runtime": "Preserves the upstream uudl runtime/package fixes: production dependency placement, path-resolution/runtime bootstrap behavior, AWS/MSK environment detection, KMS coverage, and a compiling UUDL tree.",
+  "boundary:hg-auth-triage": "Requires a durable keep/adapt/reject triage record for the post-import auth policy and mobile-wallet SIWE commits so the watcher does not keep rediscovering the same ambiguity.",
+  "boundary:hg-upstream-triage": "Requires a durable keep/adapt/reject triage record for service-relevant upstream commits that do not match the current portable catalog, including commit hashes, touched paths, and follow-up routing decisions."
+};
+var CLUSTERS = {
+  "auth-hardening": {
+    classification: "portable-now",
+    title: "[HG-001] Preserve upstream auth and shared-token hardening across extracted auth work",
+    description: "Backport clearly portable auth changes introduced upstream after imported revision 58b56e15: 3196d5c (node-client login nonce), bb5b74f (JWT signature validation), and 92011ead (shared token verification for wallet signup onboarding). Apply them where they belong in this repo: hp-auth-service, hp-gateway if verification semantics surface there, and the upstream monorepo auth owner flows for the remaining wallet-login/shared-token work. This task must preserve the security behavior, not just copy code. It should explicitly reconcile with bd-k0y-10, bd-k0y-11, bd-k0y-12, and bd-k0y-13.",
+    acceptanceCriteria: "Map upstream commits 3196d5c, bb5b74f, and 92011ead to exact local targets; preserve nonce-backed node-client login, JWT signature validation, and shared-token verification behavior; add automated tests that fail without the hardening; document any deliberate non-ports.",
+    role: "extractor",
+    scope: [
+      "repos/spliter-monorepo/microservices/hp-auth-service/**",
+      "repos/spliter-monorepo/microservices/hp-gateway/**",
+      "repos/spliter-monorepo/humoongate/moongate/core-app/**"
+    ],
+    validation: ["integration:hg-auth-backport", "boundary:changed-files"],
+    validationDescriptions: {
+      "integration:hg-auth-backport": UPSTREAM_VALIDATION_DESCRIPTIONS["integration:hg-auth-backport"]
+    },
+    labels: ["upstream:monorepo", "kind:backport", "cluster:auth"]
+  },
+  "core-security": {
+    classification: "portable-now",
+    title: "[HG-002] Backport core-app and backend security fixes from post-import upstream",
+    description: "Backport the clearly portable security fixes from efdae709 (OTP validation bypass), f63830d (NoSQL operator injection hardening), d7f6919 (AES encryption), and af86ac16 (three critical/high vulnerabilities). Preserve the behavior in the vendored auth owner and the touched backend query surfaces instead of treating these as optional cleanups. The high-value touched files from af86ac16 must be reviewed and ported or consciously waived with rationale.",
+    acceptanceCriteria: "Review and port the exact security behaviors from efdae709, f63830d, d7f6919, and af86ac16; cover the listed core-app and backend touched files; add regression tests for OTP bypass, NoSQL operator injection, AES/encryption behavior, and rate-limit or redirect-state hardening; document any consciously waived upstream changes.",
+    role: "mechanic",
+    scope: [
+      "repos/spliter-monorepo/humoongate/moongate/core-app/**",
+      "repos/spliter-monorepo/humoongate/humanity/hp-backend-ts/**"
+    ],
+    validation: ["integration:hg-core-security-backport", "boundary:changed-files"],
+    validationDescriptions: {
+      "integration:hg-core-security-backport": UPSTREAM_VALIDATION_DESCRIPTIONS["integration:hg-core-security-backport"]
+    },
+    labels: ["upstream:monorepo", "kind:backport", "cluster:security"]
+  },
+  "boundary-hardening": {
+    classification: "portable-now",
+    title: "[HG-003] Backport request-boundary hardening for CORS and credential lookup flows",
+    description: "Backport the clearly portable boundary hardening from 083bbe4 (CORS config) and 36d52fba (credential lookup error hygiene). Preserve request-boundary behavior in the vendored backend and any analogous extracted credential-facing service seams so attackers cannot learn internals from credential lookup failures or exploit inconsistent CORS policy.",
+    acceptanceCriteria: "Port the exact request-boundary behavior from 083bbe4 and 36d52fba; preserve safe CORS policy and credential lookup error hygiene; add tests showing callers do not receive overly detailed credential lookup failures; document any extracted-service analogue that must mirror the behavior.",
+    role: "mechanic",
+    scope: [
+      "repos/spliter-monorepo/humoongate/humanity/hp-backend-ts/**",
+      "repos/spliter-monorepo/microservices/hp-credentials-service/**"
+    ],
+    validation: ["integration:hg-boundary-hardening", "boundary:changed-files"],
+    validationDescriptions: {
+      "integration:hg-boundary-hardening": UPSTREAM_VALIDATION_DESCRIPTIONS["integration:hg-boundary-hardening"]
+    },
+    labels: ["upstream:monorepo", "kind:backport", "cluster:boundary"]
+  },
+  "uudl-runtime": {
+    classification: "portable-now",
+    title: "[HG-004] Backport uudl runtime and packaging fixes from upstream",
+    description: "Backport the clearly portable uudl runtime fixes from 2141b4c, 1fa56d7, a9a0a99, 9fcfa6e, and ea5cb03. Preserve the runtime behavior rather than cherry-picking filenames: production dependency placement, tsconfig-paths resolution, aggregator cycle removal, AWS/MSK environment detection, and local KMS wiring all need to be reflected in whichever UUDL runtime this repo still owns.",
+    acceptanceCriteria: "Port the runtime behaviors from 2141b4c, 1fa56d7, a9a0a99, 9fcfa6e, and ea5cb03; preserve production dependency placement, tsconfig-paths runtime resolution, aggregator cycle removal, AWS/MSK environment detection, and local KMS configuration; add runtime-focused tests or smoke coverage for each preserved behavior.",
+    role: "extractor",
+    scope: ["repos/spliter-monorepo/humoongate/humanity/hp-uudl/**"],
+    validation: ["integration:hg-uudl-runtime", "boundary:changed-files"],
+    validationDescriptions: {
+      "integration:hg-uudl-runtime": UPSTREAM_VALIDATION_DESCRIPTIONS["integration:hg-uudl-runtime"]
+    },
+    labels: ["upstream:monorepo", "kind:backport", "cluster:uudl"]
+  },
+  "auth-triage": {
+    classification: "needs-human-triage",
+    title: "[HG-005] Triage post-import auth policy deltas and mobile-wallet SIWE changes",
+    description: "Review the upstream changes that are relevant but not safely auto-portable: 1262b75 (JWT_EXPIRES_IN 1d -> 7d), 15036424 (unlink-wallet endpoint and Wallet.default fix), and d4a47015 (unlink-wallet error handling). Produce an explicit keep/adapt/reject decision for each commit with rationale tied to the extracted auth plan, core-app ownership, and current threat model, and record the result in artifacts/bd-2ztk.5/decision-log.md so future agents do not silently re-litigate these decisions.",
+    acceptanceCriteria: "For 1262b75, 15036424, and d4a47015, produce explicit keep/adapt/reject decisions with rationale tied to auth ownership and threat model; record the decision in artifacts/bd-2ztk.5/decision-log.md; identify any follow-on implementation tasks if the answer is keep or adapt.",
+    role: "architect",
+    scope: ["artifacts/bd-2ztk.5/**", "docs/research/**"],
+    validation: ["boundary:hg-auth-triage"],
+    validationDescriptions: {
+      "boundary:hg-auth-triage": UPSTREAM_VALIDATION_DESCRIPTIONS["boundary:hg-auth-triage"]
+    },
+    labels: ["upstream:monorepo", "kind:backport", "cluster:triage"]
+  },
+  "generic-triage": {
+    classification: "needs-human-triage",
+    title: "[HG-007] Triage uncatalogued service-relevant upstream commits",
+    description: "Review future upstream commits that touch service-relevant paths but do not match the current portable-now catalog. For each commit or batch, produce keep/adapt/reject decisions with rationale, cite the touched paths and why they matter here, and either route them into an existing backport task or open a new follow-up task when they are worth preserving.",
+    acceptanceCriteria: "For each uncatalogued service-relevant upstream commit or batch, record keep/adapt/reject decisions with rationale in artifacts/bd-2ztk.7/decision-log.md; cite the commit hashes and touched paths; and either attach the work to an existing backport task or open a new follow-up task when preservation is warranted.",
+    role: "architect",
+    scope: ["artifacts/bd-2ztk.7/**", "docs/research/**"],
+    validation: ["boundary:hg-upstream-triage"],
+    validationDescriptions: {
+      "boundary:hg-upstream-triage": UPSTREAM_VALIDATION_DESCRIPTIONS["boundary:hg-upstream-triage"]
+    },
+    labels: ["upstream:monorepo", "kind:backport", "cluster:triage"]
+  }
+};
+
+// packages/server/src/server-helpers/inspector-agent-lifecycle.ts
+function inspectorAgentLifecycleSnapshot(input) {
+  const agentSnapshot = input.agent?.snapshot() ?? null;
+  return {
+    service: {
+      available: input.inspector !== null,
+      running: input.inspector?.isRunning() ?? false
+    },
+    agent: {
+      available: input.agent !== null,
+      status: input.retry?.disabled ? "disabled" : agentSnapshot?.status ?? "unavailable",
+      retry: input.retry
+    }
+  };
+}
+
+// packages/server/src/server.ts
+var RIG_WORKSPACE_ID = "rig-local-workspace";
+var serverPathEnvQueue = Promise.resolve();
+if (false) {}
+
+// packages/server/src/server-helpers/http-router.ts
+import {
+  listAuthorityRuns as listAuthorityRuns7,
+  readAuthorityRun as readAuthorityRun8,
+  resolveAuthorityPaths,
+  writeJsonFile as writeJsonFile4
+} from "@rig/runtime/control-plane/authority-files";
+import {
+  mutateWorkspaceServiceFabric as mutateWorkspaceServiceFabric2,
+  readTaskArtifactPreview as readTaskArtifactPreview2,
+  readWorkspaceRemoteFleet as readWorkspaceRemoteFleet2,
+  readWorkspaceTopology as readWorkspaceTopology2
+} from "@rig/runtime/control-plane/native/workspace-ops";
+import {
+  doctorManagedRemoteEndpoints,
+  listManagedRemoteEndpoints as listManagedRemoteEndpoints2,
+  removeManagedRemoteEndpoint as removeManagedRemoteEndpoint2,
+  resolveRemoteEndpoint as resolveRemoteEndpoint2,
+  updateManagedRemoteEndpointInAuthority,
+  upsertManagedRemoteEndpoint as upsertManagedRemoteEndpoint2,
+  RemoteWsClient as RemoteWsClient2
+} from "@rig/runtime/control-plane/remote";
+
+// packages/server/src/server-helpers/run-steering.ts
+import { dirname as dirname3, resolve as resolve8 } from "path";
+import { existsSync as existsSync5, mkdirSync as mkdirSync4, readFileSync as readFileSync3 } from "fs";
+import { appendJsonlRecord as appendJsonlRecord2, readAuthorityRun as readAuthorityRun7, resolveAuthorityRunDir as resolveAuthorityRunDir4 } from "@rig/runtime/control-plane/authority-files";
+var steeringSequence = 0;
+function runSteeringPath(projectRoot, runId) {
+  return resolve8(resolveAuthorityRunDir4(projectRoot, runId), "steering.jsonl");
+}
+function readJsonl(path) {
+  if (!existsSync5(path))
+    return [];
+  return readFileSync3(path, "utf8").split(/\r?\n/).map((line) => line.trim()).filter(Boolean).flatMap((line) => {
+    try {
+      const value = JSON.parse(line);
+      return value && typeof value === "object" && !Array.isArray(value) ? [value] : [];
+    } catch {
+      return [];
+    }
+  });
+}
+function normalizeQueuedMessage(record) {
+  const id = typeof record.id === "string" ? record.id : null;
+  const runId = typeof record.runId === "string" ? record.runId : null;
+  const message = typeof record.message === "string" ? record.message : null;
+  if (!id || !runId || !message)
+    return null;
+  return {
+    id,
+    runId,
+    message,
+    actor: typeof record.actor === "string" ? record.actor : "operator",
+    createdAt: typeof record.createdAt === "string" ? record.createdAt : new Date().toISOString(),
+    delivered: record.delivered === true
+  };
+}
+function readQueuedRunSteeringMessages(projectRoot, runId) {
+  const latestById = new Map;
+  for (const record of readJsonl(runSteeringPath(projectRoot, runId))) {
+    const message = normalizeQueuedMessage(record);
+    if (message)
+      latestById.set(message.id, message);
+  }
+  return Array.from(latestById.values());
+}
+function markQueuedRunSteeringMessagesDelivered(projectRoot, runId, ids) {
+  const requested = new Set(ids.map((id) => id.trim()).filter(Boolean));
+  if (requested.size === 0)
+    return [];
+  const existing = readQueuedRunSteeringMessages(projectRoot, runId);
+  const deliveredAt = new Date().toISOString();
+  const path = runSteeringPath(projectRoot, runId);
+  const delivered = [];
+  for (const entry of existing) {
+    if (!requested.has(entry.id) || entry.delivered)
+      continue;
+    appendJsonlRecord2(path, { ...entry, delivered: true, deliveredAt });
+    delivered.push(entry.id);
+  }
+  if (delivered.length > 0) {
+    appendRunTimelineEntry(projectRoot, runId, {
+      id: `steering-ack:${runId}:${Date.now()}`,
+      type: "rig_bridge_event",
+      text: `Delivered ${delivered.length} steering message${delivered.length === 1 ? "" : "s"}`,
+      createdAt: deliveredAt,
+      state: "completed",
+      payload: { kind: "steering-delivered", messageIds: delivered }
+    });
+    patchRunRecord(projectRoot, runId, { latestSteeringDeliveredAt: deliveredAt });
+  }
+  return delivered;
+}
+function queueRunSteeringMessage(projectRoot, runId, input) {
+  const run = readAuthorityRun7(projectRoot, runId);
+  if (!run)
+    throw new Error(`Run not found: ${runId}`);
+  const text = input.message.trim();
+  if (!text)
+    throw new Error("message is required");
+  const createdAt = new Date().toISOString();
+  const entry = {
+    id: `steer:${runId}:${Date.now()}:${++steeringSequence}`,
+    runId,
+    message: text,
+    actor: input.actor?.trim() || "operator",
+    createdAt,
+    delivered: false
+  };
+  const path = runSteeringPath(projectRoot, runId);
+  mkdirSync4(dirname3(path), { recursive: true });
+  appendJsonlRecord2(path, entry);
+  appendRunTimelineEntry(projectRoot, runId, {
+    id: entry.id,
+    type: "operator_message",
+    text,
+    createdAt,
+    state: "queued"
+  });
+  patchRunRecord(projectRoot, runId, { latestSteeringAt: createdAt });
+  return entry;
+}
+function appendRunBridgeEvent(projectRoot, runId, event) {
+  const kind = typeof event.kind === "string" ? event.kind : "event";
+  const createdAt = typeof event.createdAt === "string" ? event.createdAt : new Date().toISOString();
+  if (kind === "status") {
+    patchRunRecord(projectRoot, runId, { statusDetail: event.message ?? event.status ?? null, updatedAt: createdAt });
+  }
+  if (kind === "artifact" || kind === "task-metadata" || kind === "status") {
+    appendRunTimelineEntry(projectRoot, runId, {
+      id: `pi-rig:${kind}:${Date.now()}`,
+      type: "rig_bridge_event",
+      text: typeof event.message === "string" ? event.message : JSON.stringify(event),
+      createdAt,
+      state: "completed",
+      payload: event
+    });
+  }
+}
+
+// packages/server/src/server-helpers/http-router.ts
+import { buildRigInitConfigSource } from "@rig/core";
+import {
+  buildTaskRunLifecycleComment as buildTaskRunLifecycleComment2,
+  updateConfiguredTaskSourceTask as updateConfiguredTaskSourceTask2
+} from "@rig/runtime/control-plane/tasks/source-lifecycle";
+
+// packages/server/src/server-helpers/project-registry.ts
+import { createHash } from "crypto";
+import { spawnSync } from "child_process";
+import { existsSync as existsSync6, mkdirSync as mkdirSync5, readFileSync as readFileSync4, readdirSync, writeFileSync as writeFileSync5 } from "fs";
+import { dirname as dirname4, resolve as resolve9 } from "path";
+function normalizeRepoSlug(value) {
+  const trimmed = value.trim();
+  return /^[^/\s]+\/[^/\s]+$/.test(trimmed) ? trimmed : null;
+}
+function registryPath(projectRoot) {
+  return resolve9(projectRoot, ".rig", "state", "projects.json");
+}
+function readRegistry(projectRoot) {
+  const path = registryPath(projectRoot);
+  if (!existsSync6(path))
+    return {};
+  try {
+    const payload = JSON.parse(readFileSync4(path, "utf8"));
+    if (!payload || typeof payload !== "object" || Array.isArray(payload))
+      return {};
+    const projects = payload.projects;
+    return projects && typeof projects === "object" && !Array.isArray(projects) ? projects : {};
+  } catch {
+    return {};
+  }
+}
+function writeRegistry(projectRoot, projects) {
+  const path = registryPath(projectRoot);
+  mkdirSync5(dirname4(path), { recursive: true });
+  writeFileSync5(path, `${JSON.stringify({ projects }, null, 2)}
+`, "utf8");
+}
+function resolveConfigPath(projectRoot) {
+  for (const name of ["rig.config.ts", "rig.config.mts", "rig.config.json"]) {
+    const path = resolve9(projectRoot, name);
+    if (existsSync6(path))
+      return path;
+  }
+  return null;
+}
+function hashFile(path) {
+  if (!path)
+    return null;
+  try {
+    return createHash("sha256").update(readFileSync4(path)).digest("hex");
+  } catch {
+    return null;
+  }
+}
+function buildConfigStatus(projectRoot) {
+  return resolveConfigPath(projectRoot) ? "valid" : "missing";
+}
+function readDefaultBranch(projectRoot) {
+  const origin = spawnSync("git", ["-C", projectRoot, "symbolic-ref", "--short", "refs/remotes/origin/HEAD"], { encoding: "utf8", timeout: 5000 });
+  if (origin.status === 0 && origin.stdout.trim())
+    return origin.stdout.trim().replace(/^origin\//, "");
+  const head = spawnSync("git", ["-C", projectRoot, "rev-parse", "--abbrev-ref", "HEAD"], { encoding: "utf8", timeout: 5000 });
+  return head.status === 0 && head.stdout.trim() && head.stdout.trim() !== "HEAD" ? head.stdout.trim() : null;
+}
+function buildRunSummary(projectRoot) {
+  const runsDir = resolve9(projectRoot, ".rig", "runs");
+  try {
+    const runs = readdirSync(runsDir, { withFileTypes: true }).filter((entry) => entry.isDirectory()).flatMap((entry) => {
+      try {
+        const run = JSON.parse(readFileSync4(resolve9(runsDir, entry.name, "run.json"), "utf8"));
+        return [{ runId: typeof run.runId === "string" ? run.runId : entry.name, status: typeof run.status === "string" ? run.status : "unknown", updatedAt: typeof run.updatedAt === "string" ? run.updatedAt : "" }];
+      } catch {
+        return [];
+      }
+    });
+    const active = runs.filter((run) => !["completed", "failed", "cancelled", "canceled", "stopped", "closed", "merged", "needs_attention"].includes(run.status.toLowerCase())).length;
+    const latest = runs.toSorted((left, right) => right.updatedAt.localeCompare(left.updatedAt))[0]?.runId ?? null;
+    return { total: runs.length, active, latestRunId: latest };
+  } catch {
+    return { total: 0, active: 0, latestRunId: null };
+  }
+}
+function getProjectRecord(projectRoot, repoSlug) {
+  const normalized = normalizeRepoSlug(repoSlug);
+  if (!normalized)
+    return null;
+  return readRegistry(projectRoot)[normalized] ?? null;
+}
+function upsertProjectRecord(projectRoot, input) {
+  const repoSlug = normalizeRepoSlug(input.repoSlug);
+  if (!repoSlug)
+    throw new Error(`Invalid repo slug: ${input.repoSlug}`);
+  const now = new Date().toISOString();
+  const projects = readRegistry(projectRoot);
+  const existing = projects[repoSlug];
+  const checkout = input.checkout ? { ...input.checkout, createdAt: input.checkout.createdAt ?? now } : null;
+  const checkouts = checkout ? [...(existing?.checkouts ?? []).filter((entry) => !(entry.kind === checkout.kind && entry.path === checkout.path)), checkout] : existing?.checkouts ?? [];
+  const configPath = resolveConfigPath(projectRoot);
+  const configStatus = buildConfigStatus(projectRoot);
+  const authStatus = input.githubAuthStatus ?? existing?.github.authStatus ?? "unauthenticated";
+  const record = {
+    repoSlug,
+    defaultBranch: readDefaultBranch(projectRoot) ?? existing?.defaultBranch ?? null,
+    checkouts,
+    configStatus,
+    config: { status: configStatus, hash: hashFile(configPath), path: configPath },
+    github: { authStatus },
+    taskSource: existing?.taskSource ?? { health: "unknown", lastCheckedAt: null },
+    runs: buildRunSummary(projectRoot),
+    workers: existing?.workers ?? { localAvailable: true, remoteAvailable: false, remoteCount: 0 },
+    operatorPermissions: existing?.operatorPermissions ?? { canRead: true, canRun: authStatus === "authenticated", canControl: authStatus === "authenticated" },
+    createdAt: existing?.createdAt ?? now,
+    updatedAt: now
+  };
+  projects[repoSlug] = record;
+  writeRegistry(projectRoot, projects);
+  return record;
+}
+function linkProjectCheckout(projectRoot, repoSlug, checkout) {
+  return upsertProjectRecord(projectRoot, { repoSlug, checkout });
+}
+
+// packages/server/src/server-helpers/remote-checkout.ts
+import { existsSync as existsSync7, mkdirSync as mkdirSync6, writeFileSync as writeFileSync6 } from "fs";
+import { dirname as dirname5, isAbsolute, relative, resolve as resolve10 } from "path";
+function safeSlugSegments(repoSlug) {
+  const segments = repoSlug.split("/").map((part) => part.trim()).filter(Boolean);
+  if (segments.length !== 2 || segments.some((segment) => segment === "." || segment === ".." || segment.includes("\\"))) {
+    throw new Error("repoSlug must be owner/repo");
+  }
+  return segments;
+}
+function safeCheckoutKey(value) {
+  const raw = value?.trim();
+  if (!raw)
+    return null;
+  const safe = raw.replace(/[^a-zA-Z0-9._-]/g, "-").replace(/^-+|-+$/g, "");
+  return safe || null;
+}
+function repoSlugPath(baseDir, repoSlug, checkoutKey) {
+  const key = safeCheckoutKey(checkoutKey);
+  return resolve10(baseDir, ...key ? [key] : [], ...safeSlugSegments(repoSlug));
+}
+function sanitizeSnapshotId(value, fallback) {
+  const raw = (value ?? fallback).trim();
+  const safe = raw.replace(/[^a-zA-Z0-9._-]/g, "-").replace(/^-+|-+$/g, "");
+  return safe || fallback;
+}
+function assertWithinRoot(root, relativePath) {
+  if (!relativePath || isAbsolute(relativePath) || relativePath.includes("\x00")) {
+    throw new Error(`Invalid snapshot file path: ${relativePath}`);
+  }
+  const normalizedRelative = relativePath.replace(/\\/g, "/");
+  const segments = normalizedRelative.split("/");
+  if (segments.some((segment) => segment === "" || segment === "." || segment === "..")) {
+    throw new Error(`Unsafe snapshot file path: ${relativePath}`);
+  }
+  const target = resolve10(root, ...segments);
+  const rel = relative(root, target);
+  if (rel === ".." || rel.split(/[\\/]/)[0] === ".." || isAbsolute(rel)) {
+    throw new Error(`Snapshot file path escapes checkout root: ${relativePath}`);
+  }
+  return target;
+}
+function decodeSnapshotArchive(archive) {
+  if (!archive || typeof archive !== "object" || archive.version !== 1 || !Array.isArray(archive.files)) {
+    throw new Error("Unsupported snapshot archive payload");
+  }
+  return archive;
+}
+function parseSnapshotArchiveContentBase64(contentBase64) {
+  const json = Buffer.from(contentBase64, "base64").toString("utf8");
+  return decodeSnapshotArchive(JSON.parse(json));
+}
+function extractUploadedSnapshotArchive(input) {
+  const archive = decodeSnapshotArchive(input.archive);
+  const snapshotId = sanitizeSnapshotId(input.snapshotId, `snapshot-${(input.now?.() ?? new Date).toISOString().replace(/[:.]/g, "-")}`);
+  const checkoutPath = resolve10(repoSlugPath(input.baseDir, input.repoSlug, input.checkoutKey), snapshotId);
+  mkdirSync6(checkoutPath, { recursive: true });
+  for (const file of archive.files) {
+    if (!file || typeof file.path !== "string" || typeof file.contentBase64 !== "string") {
+      throw new Error("Invalid snapshot archive file entry");
+    }
+    const target = assertWithinRoot(checkoutPath, file.path);
+    mkdirSync6(dirname5(target), { recursive: true });
+    writeFileSync6(target, Buffer.from(file.contentBase64, "base64"));
+  }
+  writeFileSync6(resolve10(checkoutPath, ".rig-uploaded-snapshot.json"), `${JSON.stringify({
+    repoSlug: input.repoSlug,
+    snapshotId,
+    fileCount: archive.files.length,
+    archiveCreatedAt: archive.createdAt ?? null,
+    extractedAt: (input.now?.() ?? new Date).toISOString()
+  }, null, 2)}
+`, "utf8");
+  return { kind: "uploaded-snapshot", path: checkoutPath, fileCount: archive.files.length, snapshotId };
+}
+async function runChecked(command, args, cwd, env) {
+  const result = await command(args, cwd || env ? { ...cwd ? { cwd } : {}, ...env ? { env } : {} } : undefined);
+  if (result.exitCode !== 0) {
+    throw new Error(`${args.join(" ")} failed (${result.exitCode}): ${result.stderr ?? result.stdout ?? ""}`.trim());
+  }
+  return result;
+}
+function gitCredentialConfig(token) {
+  const clean = token?.trim();
+  if (!clean)
+    return { args: [] };
+  return {
+    args: [
+      "-c",
+      "credential.helper=",
+      "-c",
+      'credential.helper=!f() { test "$1" = get && echo username=x-access-token && echo password="$RIG_GIT_CREDENTIAL_TOKEN"; }; f'
+    ],
+    env: {
+      RIG_GIT_CREDENTIAL_TOKEN: clean,
+      GIT_TERMINAL_PROMPT: "0"
+    }
+  };
+}
+async function prepareRemoteCheckout(input) {
+  const exists = input.exists ?? existsSync7;
+  const strategy = input.strategy;
+  if (strategy.kind === "uploaded-snapshot") {
+    return extractUploadedSnapshotArchive({
+      repoSlug: strategy.repoSlug,
+      baseDir: strategy.baseDir,
+      archive: strategy.archive,
+      snapshotId: strategy.snapshotId,
+      checkoutKey: strategy.checkoutKey
+    });
+  }
+  if (strategy.kind === "existing-path") {
+    const checkoutPath2 = resolve10(strategy.path);
+    if (!exists(checkoutPath2)) {
+      throw new Error(`Existing remote checkout path does not exist: ${checkoutPath2}`);
+    }
+    await runChecked(input.command, ["git", "-C", checkoutPath2, "rev-parse", "--is-inside-work-tree"]);
+    return { kind: "existing-path", path: checkoutPath2 };
+  }
+  const checkoutPath = repoSlugPath(strategy.baseDir, strategy.repoSlug, strategy.checkoutKey);
+  const credentials = gitCredentialConfig(strategy.credentialToken);
+  if (!exists(checkoutPath)) {
+    await runChecked(input.command, ["git", ...credentials.args, "clone", strategy.repoUrl, checkoutPath], undefined, credentials.env);
+  }
+  if (strategy.kind === "current-ref") {
+    const ref = strategy.ref.trim();
+    if (!ref)
+      throw new Error("current-ref checkout requires a ref");
+    await runChecked(input.command, ["git", "-C", checkoutPath, ...credentials.args, "fetch", "origin", ref], undefined, credentials.env);
+    await runChecked(input.command, ["git", "-C", checkoutPath, "checkout", ref]);
+    return { kind: "current-ref", path: checkoutPath, ref };
+  }
+  return { kind: "managed-clone", path: checkoutPath };
+}
+
+// packages/server/src/server-helpers/http-router.ts
+function buildServerControlStatus() {
+  const switchCommand = process.env.RIG_PROJECT_ROOT_SWITCH_COMMAND?.trim();
+  const switchable = Boolean(switchCommand);
+  return {
+    mode: switchable ? "switchable" : "restart-required",
+    canSwitchProjectRoot: switchable,
+    requiresRestart: !switchable,
+    switchEndpoint: "/api/server/project-root",
+    reason: switchable ? "This Rig server can switch project roots through its configured supervisor restart hook; restarts are handled automatically." : "This Rig server is bound to one project root at startup. Browser/remote project paths are server-host paths; switching requires a trusted supervisor restart."
+  };
+}
+function buildProjectConfigStatus(root) {
+  const hasConfigTs = existsSync8(resolve11(root, "rig.config.ts"));
+  const hasConfigJson = existsSync8(resolve11(root, "rig.config.json"));
+  const hasLegacyTaskConfig = existsSync8(resolve11(root, ".rig", "task-config.json"));
+  let kind = "missing";
+  if (hasConfigTs)
+    kind = "rig-config-ts";
+  else if (hasConfigJson)
+    kind = "rig-config-json";
+  else if (hasLegacyTaskConfig)
+    kind = "legacy-task-config";
+  return {
+    projectRoot: root,
+    kind,
+    hasConfigTs,
+    hasConfigJson,
+    hasLegacyTaskConfig,
+    suggestion: kind === "missing" ? "Run `rig init` in the project root to scaffold rig.config.ts." : null
+  };
+}
+function normalizeCommit(value) {
+  const raw = normalizeString(value);
+  return raw && /^[0-9a-f]{7,40}$/i.test(raw) ? raw : null;
+}
+function asPlainRecord(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : null;
+}
+var RIG_CONFIG_PACKAGE_VERSION = "0.0.6-alpha.0";
+var RIG_CONFIG_DEV_DEPENDENCIES = {
+  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_VERSION}`,
+  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_VERSION}`
+};
+function repoParts(repoSlug) {
+  const [owner, repo] = repoSlug.split("/");
+  if (!owner || !repo)
+    return { owner: "owner", repo: basename(repoSlug) || "repo", slug: repoSlug || "owner/repo" };
+  return { owner, repo, slug: `${owner}/${repo}` };
+}
+function repairDir(checkoutPath) {
+  const dir = resolve11(checkoutPath, ".rig", "state", "repairs", new Date().toISOString().replace(/[:.]/g, "-"));
+  mkdirSync7(dir, { recursive: true });
+  return dir;
+}
+function backupCheckoutFile(checkoutPath, relativePath) {
+  const source = resolve11(checkoutPath, relativePath);
+  const backupPath = resolve11(repairDir(checkoutPath), relativePath.replace(/[\\/]/g, "__"));
+  mkdirSync7(dirname6(backupPath), { recursive: true });
+  copyFileSync(source, backupPath);
+  return backupPath;
+}
+function parsePackageJsonLosslessly(checkoutPath) {
+  const packagePath = resolve11(checkoutPath, "package.json");
+  if (!existsSync8(packagePath)) {
+    return { existed: false, packageJson: { name: basename(checkoutPath) || "rig-project", private: true } };
+  }
+  try {
+    const parsed = JSON.parse(readFileSync5(packagePath, "utf8"));
+    return {
+      existed: true,
+      packageJson: parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : { name: basename(checkoutPath) || "rig-project", private: true }
+    };
+  } catch {
+    return {
+      existed: true,
+      backupPath: backupCheckoutFile(checkoutPath, "package.json"),
+      packageJson: { name: basename(checkoutPath) || "rig-project", private: true }
+    };
+  }
+}
+function ensureRemoteCheckoutRigPackageDeps(checkoutPath) {
+  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync8(resolve11(checkoutPath, name)));
+  const packagePath = resolve11(checkoutPath, "package.json");
+  if (!hasConfig && !existsSync8(packagePath)) {
+    return { skipped: true, reason: "package.json and rig.config missing" };
+  }
+  const parsed = parsePackageJsonLosslessly(checkoutPath);
+  const existingDevDependencies = parsed.packageJson.devDependencies;
+  const devDependencies = existingDevDependencies && typeof existingDevDependencies === "object" && !Array.isArray(existingDevDependencies) ? { ...existingDevDependencies } : {};
+  const added = [];
+  const updated = [];
+  for (const [name, spec] of Object.entries(RIG_CONFIG_DEV_DEPENDENCIES)) {
+    if (devDependencies[name] === spec)
+      continue;
+    if (Object.prototype.hasOwnProperty.call(devDependencies, name))
+      updated.push(name);
+    else
+      added.push(name);
+    devDependencies[name] = spec;
+  }
+  const changed = !parsed.existed || Boolean(parsed.backupPath) || added.length > 0 || updated.length > 0 || existingDevDependencies !== devDependencies && (!existingDevDependencies || typeof existingDevDependencies !== "object" || Array.isArray(existingDevDependencies));
+  if (changed) {
+    writeFileSync7(packagePath, `${JSON.stringify({ ...parsed.packageJson, devDependencies }, null, 2)}
+`, "utf8");
+  }
+  return {
+    path: packagePath,
+    existed: parsed.existed,
+    changed,
+    ...parsed.backupPath ? { backupPath: parsed.backupPath } : {},
+    added,
+    updated,
+    required: RIG_CONFIG_DEV_DEPENDENCIES
+  };
+}
+function generatedRigConfigSource(repoSlug) {
+  const parts = repoParts(repoSlug);
+  return buildRigInitConfigSource({
+    projectName: parts.slug,
+    projectRepo: parts.slug,
+    taskSource: { kind: "github-issues", owner: parts.owner, repo: parts.repo },
+    useStandardPlugin: true
+  });
+}
+function configLooksStructurallyUsable(source) {
+  return /taskSource\s*:/.test(source) && /workspace\s*:/.test(source) && /project\s*:/.test(source);
+}
+function ensureRemoteCheckoutRigConfig(checkoutPath, repoSlug, reason = "missing or incomplete rig config") {
+  const configPath = resolve11(checkoutPath, "rig.config.ts");
+  const existingConfigName = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync8(resolve11(checkoutPath, name)));
+  if (existingConfigName) {
+    const existingPath = resolve11(checkoutPath, existingConfigName);
+    const source = readFileSync5(existingPath, "utf8");
+    if (existingConfigName !== "rig.config.json" && configLooksStructurallyUsable(source)) {
+      return { path: existingPath, changed: false, reason: "config structurally complete" };
+    }
+    if (existingConfigName === "rig.config.json") {
+      try {
+        const parsed = JSON.parse(source);
+        if (parsed && typeof parsed === "object" && !Array.isArray(parsed) && "taskSource" in parsed && "workspace" in parsed && "project" in parsed) {
+          return { path: existingPath, changed: false, reason: "config structurally complete" };
+        }
+      } catch {}
+    }
+  }
+  const backupPath = existingConfigName ? backupCheckoutFile(checkoutPath, existingConfigName) : undefined;
+  writeFileSync7(configPath, generatedRigConfigSource(repoSlug), "utf8");
+  return {
+    path: configPath,
+    changed: true,
+    reason,
+    ...backupPath ? { backupPath } : {}
+  };
+}
+function validateRemoteCheckoutRigConfig(checkoutPath) {
+  const configFile = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync8(resolve11(checkoutPath, name)));
+  if (!configFile)
+    return { ok: false, error: "missing rig config" };
+  if (process.env.RIG_TEST_SKIP_REMOTE_CHECKOUT_INSTALL === "1") {
+    return { skipped: true, reason: "test install skipped", configFile };
+  }
+  const script = [
+    `const mod = await import(\`./${configFile}\`);`,
+    `const config = mod.default ?? mod.config ?? mod;`,
+    `if (!config || typeof config !== "object") throw new Error("config did not export an object");`,
+    `if (!config.project) throw new Error("missing project");`,
+    `if (!config.taskSource) throw new Error("missing taskSource");`,
+    `if (!config.workspace) throw new Error("missing workspace");`
+  ].join(`
+`);
+  const result = spawnSync2("bun", ["-e", script], { cwd: checkoutPath, env: process.env, encoding: "utf8" });
+  if (result.error || result.status !== 0) {
+    return { ok: false, configFile, error: result.error instanceof Error ? result.error.message : result.stderr || result.stdout || `exit ${result.status ?? "unknown"}` };
+  }
+  return { ok: true, configFile };
+}
+function installRemoteCheckoutPackages(checkoutPath) {
+  if (!existsSync8(resolve11(checkoutPath, "package.json"))) {
+    return { skipped: true, reason: "package.json missing" };
+  }
+  if (process.env.RIG_TEST_SKIP_REMOTE_CHECKOUT_INSTALL === "1") {
+    return { skipped: true, command: "bun install" };
+  }
+  const result = spawnSync2("bun", ["install"], { cwd: checkoutPath, env: process.env, encoding: "utf8" });
+  if (result.error || result.status !== 0) {
+    throw new Error(`bun install failed in ${checkoutPath}: ${result.error instanceof Error ? result.error.message : result.stderr || result.stdout || `exit ${result.status ?? "unknown"}`}`);
+  }
+  return { ok: true, command: "bun install", stdout: result.stdout?.trim() || undefined };
+}
+function repairRemoteCheckoutForRig(checkoutPath, repoSlug) {
+  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync8(resolve11(checkoutPath, name)));
+  const hasPackage = existsSync8(resolve11(checkoutPath, "package.json"));
+  if (!hasConfig && !hasPackage) {
+    return {
+      packageJson: { skipped: true, reason: "package.json and rig.config missing" },
+      config: { skipped: true, reason: "package.json and rig.config missing" },
+      configValidation: { skipped: true, reason: "package.json and rig.config missing" }
+    };
+  }
+  let config = ensureRemoteCheckoutRigConfig(checkoutPath, repoSlug);
+  const packageJson = ensureRemoteCheckoutRigPackageDeps(checkoutPath);
+  const validation = validateRemoteCheckoutRigConfig(checkoutPath);
+  if (validation.ok === false) {
+    config = ensureRemoteCheckoutRigConfig(checkoutPath, repoSlug, `config validation failed: ${String(validation.error ?? "unknown")}`);
+  }
+  return { packageJson, config, configValidation: validation };
+}
+async function runRemoteCheckoutCommand(args, options) {
+  const result = spawnSync2(args[0], args.slice(1), {
+    cwd: options?.cwd,
+    env: { ...process.env, ...options?.env ?? {} },
+    encoding: "utf8"
+  });
+  return {
+    exitCode: typeof result.status === "number" ? result.status : result.error ? 1 : 0,
+    stdout: result.stdout || undefined,
+    stderr: result.stderr || (result.error instanceof Error ? result.error.message : undefined)
+  };
+}
+function buildRemoteRunLogPayload(value, identifiers) {
+  const payload = asPlainRecord(value);
+  if (payload) {
+    return { ...payload, ...identifiers };
+  }
+  return value === undefined ? identifiers : { ...identifiers, rawPayload: value };
+}
+function runSourceTaskIdentity(run) {
+  const sourceTask = run.sourceTask;
+  return sourceTask && typeof sourceTask === "object" && !Array.isArray(sourceTask) ? sourceTask : null;
+}
+async function updateRemoteRunTaskSourceLifecycle(projectRoot, run, status, summary, errorText) {
+  if (!run.taskId)
+    return;
+  try {
+    await updateConfiguredTaskSourceTask2(projectRoot, {
+      taskId: run.taskId,
+      sourceTask: runSourceTaskIdentity(run),
+      update: {
+        status,
+        comment: buildTaskRunLifecycleComment2({
+          runId: run.runId,
+          status,
+          summary,
+          runtimeWorkspace: normalizeString(run.worktreePath),
+          logsDir: normalizeString(run.logRoot),
+          sessionDir: normalizeString(run.sessionPath),
+          errorText
+        })
+      }
+    });
+  } catch (error) {
+    const message = `Failed to update task source for ${run.taskId} to ${status}: ${error instanceof Error ? error.message : String(error)}`;
+    patchRunRecord(projectRoot, run.runId, {
+      errorText: [normalizeString(run.errorText), message].filter(Boolean).join(`
+`) || message
+    });
+  }
+}
+function buildRemoteRunLogEntry(body, identifiers) {
+  const reserved = new Set([
+    "workspaceId",
+    "runId",
+    "hostId",
+    "leaseId",
+    "id",
+    "title",
+    "detail",
+    "tone",
+    "status",
+    "payload",
+    "createdAt"
+  ]);
+  const extras = Object.fromEntries(Object.entries(body).filter(([key]) => !reserved.has(key)));
+  return {
+    ...extras,
+    id: `log:${identifiers.runId}:${Date.now()}`,
+    title: normalizeString(body.title) ?? "Remote log",
+    detail: typeof body.detail === "string" ? body.detail : null,
+    tone: normalizeString(body.tone) ?? "info",
+    status: normalizeString(body.status),
+    payload: buildRemoteRunLogPayload(body.payload, {
+      hostId: identifiers.hostId,
+      leaseId: identifiers.leaseId
+    }),
+    createdAt: normalizeString(body.createdAt) ?? new Date().toISOString()
+  };
+}
+function readGitHeadCommit(projectRoot) {
+  try {
+    let gitDir = resolve11(projectRoot, ".git");
+    try {
+      const dotGit = readFileSync5(gitDir, "utf8").trim();
+      const gitDirPrefix = "gitdir:";
+      if (dotGit.startsWith(gitDirPrefix)) {
+        gitDir = resolve11(projectRoot, dotGit.slice(gitDirPrefix.length).trim());
+      }
+    } catch {}
+    const head = readFileSync5(resolve11(gitDir, "HEAD"), "utf8").trim();
+    const refPrefix = "ref:";
+    if (!head.startsWith(refPrefix)) {
+      return normalizeCommit(head);
+    }
+    const ref = head.slice(refPrefix.length).trim();
+    const refPath = resolve11(gitDir, ref);
+    if (existsSync8(refPath)) {
+      return normalizeCommit(readFileSync5(refPath, "utf8").trim());
+    }
+    const commonDir = normalizeString(readFileSync5(resolve11(gitDir, "commondir"), "utf8"));
+    return commonDir ? normalizeCommit(readFileSync5(resolve11(gitDir, commonDir, ref), "utf8").trim()) : null;
+  } catch {
+    return null;
+  }
+}
+function isAuthorizedInspectorStreamRequest(req, authToken) {
+  if (!authToken)
+    return true;
+  const header = req.headers.get("authorization");
+  const match = header?.match(/^Bearer\s+(.+)$/i);
+  if (match?.[1] === authToken)
+    return true;
+  try {
+    return new URL(req.url).searchParams.get("token") === authToken;
+  } catch {
+    return false;
+  }
+}
+function buildDeploymentStatus(projectRoot) {
+  const envCommit = normalizeCommit(process.env.RIG_COMMIT_SHA ?? process.env.GITHUB_SHA ?? process.env.VERCEL_GIT_COMMIT_SHA ?? process.env.RAILWAY_GIT_COMMIT_SHA ?? process.env.COMMIT_SHA);
+  const gitCommit = envCommit ?? readGitHeadCommit(projectRoot);
+  return {
+    currentCommit: gitCommit,
+    commitSource: envCommit ? "env" : gitCommit ? "git" : null,
+    routes: [
+      "/api/server/status",
+      "/api/workspace/tasks",
+      "/api/snapshot",
+      "/api/github/auth/status",
+      "/api/project/github"
+    ]
+  };
+}
+function configuredRepoFromTaskSource(taskSource) {
+  const owner = normalizeString(taskSource?.owner);
+  const repo = normalizeString(taskSource?.repo);
+  return owner && repo ? `${owner}/${repo}` : null;
+}
+async function buildTaskSourceStatus(state, config) {
+  const diagnostics = state.snapshotService.getTaskSourceErrors();
+  const selectedRepo = createGitHubAuthStore(state.projectRoot).status({
+    oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim())
+  }).selectedRepo;
+  try {
+    const ctx = await getCachedPluginHostContext(state.projectRoot);
+    const taskSource = ctx?.config.taskSource && typeof ctx.config.taskSource === "object" ? ctx.config.taskSource : null;
+    const kind = normalizeString(taskSource?.kind) ?? (config.kind === "legacy-task-config" ? "legacy-task-config" : null);
+    const registered = kind ? ctx?.taskSourceRegistry.list().some((source) => source.kind === kind) ?? false : false;
+    const configuredRepo = configuredRepoFromTaskSource(taskSource);
+    const staleSelectedRepo = kind === "github-issues" && Boolean(selectedRepo && configuredRepo && selectedRepo !== configuredRepo);
+    const staleDiagnostics = diagnostics.length > 0;
+    return {
+      kind,
+      registered,
+      configuredRepo,
+      selectedRepo,
+      stale: staleSelectedRepo || staleDiagnostics,
+      staleReason: staleSelectedRepo ? `Selected GitHub repo ${selectedRepo} does not match configured task source ${configuredRepo}.` : staleDiagnostics ? "Task source has read diagnostics." : null,
+      diagnostics
+    };
+  } catch (error) {
+    return {
+      kind: config.kind === "legacy-task-config" ? "legacy-task-config" : null,
+      registered: false,
+      configuredRepo: null,
+      selectedRepo,
+      stale: true,
+      staleReason: error instanceof Error ? error.message : String(error),
+      diagnostics
+    };
+  }
+}
+function cleanHeaderScopes(value) {
+  if (!value)
+    return [];
+  return value.split(",").map((scope) => scope.trim()).filter(Boolean);
+}
+function bearerTokenFromRequest(req) {
+  const header = req.headers.get("authorization");
+  if (!header)
+    return null;
+  const match = header.match(/^Bearer\s+(.+)$/i);
+  return match ? match[1]?.trim() || null : null;
+}
+function isLoopbackRequest(req) {
+  try {
+    const hostname = new URL(req.url).hostname.toLowerCase();
+    return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1" || hostname === "[::1]";
+  } catch {
+    return false;
+  }
+}
+function isPublicRigAuthBootstrapRoute(pathname) {
+  return pathname === "/" || pathname === "/health" || pathname === "/api/health" || pathname === "/api/server/status" || pathname === "/api/github/auth/status" || pathname === "/api/github/auth/token" || pathname === "/api/github/auth/device/start" || pathname === "/api/github/auth/device/poll";
+}
+function normalizePrMode(value) {
+  const mode = normalizeString(value);
+  return mode === "auto" || mode === "ask" || mode === "off" ? mode : undefined;
+}
+function authorizeRigHttpRequest(input) {
+  if (input.legacyAuthorized) {
+    return { authorized: true, actor: "rig-local-server", reason: "server-token" };
+  }
+  const bearer = bearerTokenFromRequest(input.req);
+  const store = createGitHubAuthStore(input.projectRoot);
+  const storedToken = store.readToken();
+  if (bearer && storedToken && bearer === storedToken) {
+    const status = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
+    return { authorized: true, actor: status.login ?? "github-operator", reason: "github-token" };
+  }
+  if (isPublicRigAuthBootstrapRoute(input.pathname)) {
+    return { authorized: true, actor: null, reason: "public-bootstrap" };
+  }
+  if (!input.serverAuthToken && !storedToken && isLoopbackRequest(input.req)) {
+    return { authorized: true, actor: null, reason: "loopback-dev-no-auth" };
+  }
+  return { authorized: false, actor: null, reason: storedToken ? "github-token-required" : "auth-required" };
+}
+async function fetchGitHubUserInfo(token) {
+  const response = await fetch("https://api.github.com/user", {
+    headers: {
+      accept: "application/vnd.github+json",
+      authorization: `Bearer ${token}`,
+      "user-agent": "rig-server"
+    }
+  });
+  if (!response.ok) {
+    throw new Error(`GitHub user lookup failed (${response.status})`);
+  }
+  const payload = await response.json().catch(() => ({}));
+  return {
+    login: typeof payload.login === "string" ? payload.login : null,
+    userId: typeof payload.id === "number" || typeof payload.id === "string" ? String(payload.id) : null,
+    scopes: cleanHeaderScopes(response.headers.get("x-oauth-scopes"))
+  };
+}
+async function postGitHubForm(endpoint, body) {
+  const response = await fetch(endpoint, {
+    method: "POST",
+    headers: {
+      accept: "application/json",
+      "content-type": "application/x-www-form-urlencoded",
+      "user-agent": "rig-server"
+    },
+    body: new URLSearchParams(body)
+  });
+  const payload = await response.json().catch(() => ({}));
+  return { status: response.status, payload };
+}
+function resolveRequestedProjectRoot(currentRoot, rawRoot) {
+  const requestedRoot = normalizeString(rawRoot);
+  if (!requestedRoot)
+    return currentRoot;
+  if (!isAbsolute2(requestedRoot)) {
+    throw new Error("projectRoot must be an absolute path on the Rig server host");
+  }
+  const normalizedRoot = resolve11(requestedRoot);
+  if (!existsSync8(normalizedRoot)) {
+    throw new Error("projectRoot does not exist on the Rig server host");
+  }
+  return normalizedRoot;
+}
+function runProjectRootSwitchIfNeeded(currentRoot, targetRoot) {
+  if (targetRoot === currentRoot)
+    return { switched: false, message: null };
+  const switchCommand = process.env.RIG_PROJECT_ROOT_SWITCH_COMMAND?.trim();
+  if (!switchCommand) {
+    throw new Error("Project root switch command is not configured on this Rig server.");
+  }
+  const result = spawnSync2(switchCommand, [targetRoot], {
+    cwd: currentRoot,
+    env: process.env,
+    encoding: "utf8"
+  });
+  if (result.error || result.status !== 0) {
+    throw new Error(result.error instanceof Error ? result.error.message : result.stderr || result.stdout || `Project-root switch command failed (${result.status ?? "unknown"}).`);
+  }
+  return { switched: true, message: "Project-root switch accepted. Rig server restart has been scheduled." };
+}
+function buildGitHubProjectConfigSource(input) {
+  return [
+    `import { defineConfig } from "@rig/core";`,
+    `import standard, { createStateGitHubCredentialProvider } from "@rig/standard-plugin";`,
+    ``,
+    `export default defineConfig({`,
+    `  project: { name: ${JSON.stringify(input.projectName ?? input.repo)} },`,
+    `  plugins: [standard({`,
+    `    githubCredentialProvider: createStateGitHubCredentialProvider(),`,
+    `    githubWorkspaceId: ${JSON.stringify(`${input.owner}/${input.repo}`)},`,
+    `    githubUserId: process.env.RIG_GITHUB_USER_ID ?? ${JSON.stringify(input.githubUserId ?? "server-selected-user")},`,
+    `  })],`,
+    `  taskSource: {`,
+    `    kind: "github-issues",`,
+    `    owner: ${JSON.stringify(input.owner)},`,
+    `    repo: ${JSON.stringify(input.repo)},`,
+    `    state: "open",`,
+    ...input.assignee ? [`    options: { assignee: ${JSON.stringify(input.assignee)} },`] : [],
+    `  },`,
+    `  workspace: { mainRepo: ".", isolation: "worktree" },`,
+    `});`,
+    ``
+  ].join(`
+`);
+}
+async function probeGitHubRepository(input) {
+  const headers = {
+    accept: "application/vnd.github+json",
+    "user-agent": "rig-server"
+  };
+  if (input.token) {
+    headers.authorization = `Bearer ${input.token}`;
+  }
+  try {
+    const response = await fetch(`https://api.github.com/repos/${encodeURIComponent(input.owner)}/${encodeURIComponent(input.repo)}`, { headers });
+    const payload = await response.json().catch(() => ({}));
+    if (response.ok) {
+      return {
+        ok: true,
+        owner: input.owner,
+        repo: input.repo,
+        status: response.status,
+        authenticated: Boolean(input.token),
+        authenticationRequired: payload.private === true && !input.token,
+        fullName: typeof payload.full_name === "string" ? payload.full_name : `${input.owner}/${input.repo}`,
+        private: typeof payload.private === "boolean" ? payload.private : null,
+        message: input.token ? "Repository access verified with signed-in GitHub credentials." : "Public repository access verified without credentials.",
+        scopes: input.scopes
+      };
+    }
+    const authenticationRequired = !input.token && (response.status === 401 || response.status === 403 || response.status === 404);
+    return {
+      ok: false,
+      owner: input.owner,
+      repo: input.repo,
+      status: response.status,
+      authenticated: Boolean(input.token),
+      authenticationRequired,
+      fullName: null,
+      private: null,
+      message: authenticationRequired ? "Repository is private, missing, or inaccessible without GitHub sign-in. Sign in before saving this config." : typeof payload.message === "string" ? payload.message : `GitHub repository probe failed (${response.status}).`,
+      scopes: input.scopes
+    };
+  } catch (error) {
+    return {
+      ok: false,
+      owner: input.owner,
+      repo: input.repo,
+      status: 0,
+      authenticated: Boolean(input.token),
+      authenticationRequired: !input.token,
+      fullName: null,
+      private: null,
+      message: error instanceof Error ? error.message : "GitHub repository probe failed.",
+      scopes: input.scopes
+    };
+  }
+}
+function backupConfigPath(configPath) {
+  return `${configPath}.bak.${new Date().toISOString().replace(/[.:]/g, "-")}`;
+}
+function stringValue(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function recordValue(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : null;
+}
+function taskAssigneeLogins(task) {
+  const record = recordValue(task);
+  if (!record)
+    return [];
+  const direct = Array.isArray(record.assignees) ? record.assignees : [];
+  const raw = recordValue(record.raw);
+  const rawAssignees = raw && Array.isArray(raw.assignees) ? raw.assignees : [];
+  return [...direct, ...rawAssignees].flatMap((entry) => {
+    if (typeof entry === "string")
+      return [entry];
+    const login = stringValue(recordValue(entry)?.login);
+    return login ? [login] : [];
+  });
+}
+function taskMatchesState(task, state) {
+  const record = recordValue(task);
+  if (!record)
+    return false;
+  const normalized = state.trim().toLowerCase();
+  const rawState = stringValue(recordValue(record.raw)?.state)?.toLowerCase();
+  if (rawState)
+    return rawState === normalized;
+  const status = stringValue(record.status)?.toLowerCase();
+  if (normalized === "open")
+    return status !== "closed";
+  if (normalized === "closed")
+    return status === "closed";
+  return status === normalized;
+}
+function resolveAssigneeFilter(projectRoot, value) {
+  const assignee = stringValue(value)?.trim();
+  if (!assignee)
+    return null;
+  const normalized = assignee.toLowerCase();
+  if (normalized !== "@me" && normalized !== "me")
+    return assignee;
+  const authLogin = createGitHubAuthStore(projectRoot).status({
+    oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim())
+  }).login;
+  return stringValue(authLogin) ?? stringValue(process.env.RIG_GITHUB_USER_LOGIN) ?? stringValue(process.env.RIG_GITHUB_LOGIN) ?? stringValue(process.env.GITHUB_ACTOR) ?? assignee;
+}
+function activeTaskRunProjections(projectRoot) {
+  return listAuthorityRuns7(projectRoot).filter((run) => !["completed", "failed", "cancelled", "stopped"].includes(String(run.status ?? "").toLowerCase())).flatMap((run) => run.taskId ? [{
+    taskId: run.taskId,
+    runId: run.runId,
+    status: normalizeString(run.status) ?? undefined,
+    stage: normalizeString(run.stage) ?? undefined
+  }] : []);
+}
+function taskIdOf(task) {
+  return stringValue(recordValue(task)?.id);
+}
+function taskDependencies(task) {
+  const record = recordValue(task);
+  const deps = record?.dependencies ?? record?.deps;
+  return Array.isArray(deps) ? deps.flatMap((entry) => typeof entry === "string" && entry.trim() ? [entry.trim()] : []) : [];
+}
+function selectNextWorkspaceTask(projectRoot, tasks) {
+  const activeTaskIds = new Set(activeTaskRunProjections(projectRoot).map((entry) => entry.taskId));
+  const byId = new Map(tasks.flatMap((task) => {
+    const id = taskIdOf(task);
+    return id ? [[id, task]] : [];
+  }));
+  const runnable = tasks.filter((task) => {
+    const id = taskIdOf(task);
+    if (!id || activeTaskIds.has(id))
+      return false;
+    const status = stringValue(recordValue(task)?.status)?.toLowerCase() ?? "open";
+    if (["blocked", "failed", "closed", "completed", "cancelled", "canceled"].includes(status))
+      return false;
+    return taskDependencies(task).every((dep) => {
+      const dependency = byId.get(dep);
+      const depStatus = stringValue(recordValue(dependency)?.status)?.toLowerCase();
+      return depStatus === "closed" || depStatus === "completed";
+    });
+  });
+  if (runnable.length === 0)
+    return null;
+  const queue = readQueueState(projectRoot);
+  const queueRank = new Map(queue.map((entry, index) => [entry.taskId, { score: entry.score, position: index }]));
+  return runnable.toSorted((left, right) => {
+    const leftId = taskIdOf(left) ?? "";
+    const rightId = taskIdOf(right) ?? "";
+    const leftQueue = queueRank.get(leftId);
+    const rightQueue = queueRank.get(rightId);
+    if (leftQueue || rightQueue) {
+      return (rightQueue?.score ?? -1) - (leftQueue?.score ?? -1) || (leftQueue?.position ?? 999999) - (rightQueue?.position ?? 999999);
+    }
+    const leftStatus = stringValue(recordValue(left)?.status)?.toLowerCase() === "ready" ? 1 : 0;
+    const rightStatus = stringValue(recordValue(right)?.status)?.toLowerCase() === "ready" ? 1 : 0;
+    if (leftStatus !== rightStatus)
+      return rightStatus - leftStatus;
+    const leftPriority = typeof recordValue(left)?.priority === "number" ? recordValue(left).priority : 0;
+    const rightPriority = typeof recordValue(right)?.priority === "number" ? recordValue(right).priority : 0;
+    return rightPriority - leftPriority || leftId.localeCompare(rightId);
+  })[0] ?? null;
+}
+function filterWorkspaceTasks(projectRoot, tasks, searchParams) {
+  if (!Array.isArray(tasks))
+    return [];
+  let filtered = tasks;
+  const assignee = resolveAssigneeFilter(projectRoot, searchParams.get("assignee"));
+  if (assignee) {
+    filtered = filtered.filter((task) => taskAssigneeLogins(task).some((login) => login.toLowerCase() === assignee.toLowerCase()));
+  }
+  const state = stringValue(searchParams.get("state"));
+  if (state) {
+    filtered = filtered.filter((task) => taskMatchesState(task, state));
+  }
+  const status = stringValue(searchParams.get("status"));
+  if (status) {
+    filtered = filtered.filter((task) => stringValue(recordValue(task)?.status)?.toLowerCase() === status.toLowerCase());
+  }
+  const limit = Number.parseInt(searchParams.get("limit") || "", 10);
+  if (Number.isFinite(limit) && limit > 0) {
+    filtered = filtered.slice(0, Math.min(limit, 500));
+  }
+  return filtered;
+}
+function redactRemoteEndpoint(endpoint) {
+  const { token, ...rest } = endpoint;
+  return {
+    ...rest,
+    token: "",
+    tokenConfigured: token.trim().length > 0
+  };
+}
+function isSecretKey(key) {
+  const normalized = key.toLowerCase();
+  return normalized === "token" || normalized === "authtoken" || normalized === "authorization" || normalized === "connectiontoken" || normalized === "access_token" || normalized === "secret";
+}
+function redactSecretFields(value) {
+  if (Array.isArray(value)) {
+    return value.map((entry) => redactSecretFields(entry));
+  }
+  const record = recordValue(value);
+  if (!record) {
+    return value;
+  }
+  const redacted = {};
+  for (const [key, entry] of Object.entries(record)) {
+    redacted[key] = isSecretKey(key) && typeof entry === "string" ? entry.trim().length > 0 ? "[redacted]" : "" : redactSecretFields(entry);
+  }
+  return redacted;
+}
+function validateRemoteLease(deps, state, input) {
+  const run = readAuthorityRun8(state.projectRoot, input.runId);
+  if (!run) {
+    return { ok: false, response: deps.jsonResponse({ ok: false, error: "Remote run not found" }, 404) };
+  }
+  if (run.mode !== "remote") {
+    return { ok: false, response: deps.jsonResponse({ ok: false, error: "Run is not remote-owned" }, 409) };
+  }
+  if (run.hostId !== input.hostId || run.endpointId !== input.leaseId) {
+    return {
+      ok: false,
+      response: deps.jsonResponse({ ok: false, error: "Remote lease does not own this run" }, 409)
+    };
+  }
+  return { ok: true, run };
+}
+function createRigServerFetch(state, deps) {
+  return async function fetchHandler(req, server) {
+    return deps.withServerPathEnv(state.projectRoot, async () => {
+      const browserOrigin = deps.resolveAllowedBrowserOrigin(req);
+      const finalizeResponse = (response) => deps.withCorsHeaders(response, req, browserOrigin);
+      const upgradeResponse = handleWebSocketUpgrade({
+        req,
+        server,
+        authToken: state.authToken
+      });
+      if (upgradeResponse) {
+        return upgradeResponse;
+      }
+      return finalizeResponse(await (async () => {
+        const url = new URL(req.url);
+        if (req.method === "OPTIONS" && browserOrigin && req.headers.has("access-control-request-method")) {
+          return new Response(null, { status: 204 });
+        }
+        if (url.pathname === "/health" || url.pathname === "/api/health") {
+          const queryToken = url.searchParams.get("token");
+          const headerToken = (() => {
+            const header = req.headers.get("authorization");
+            if (!header)
+              return null;
+            const match = header.match(/^Bearer\s+(.+)$/i);
+            return match ? match[1] : null;
+          })();
+          const callerToken = queryToken ?? headerToken;
+          if (callerToken !== null || state.authToken !== null) {
+            if (callerToken !== state.authToken) {
+              return deps.jsonResponse({ ok: false, error: "Token mismatch" }, 401);
+            }
+          }
+          return deps.jsonResponse({
+            ok: true,
+            projectRoot: state.projectRoot,
+            subscribers: state.subscribers.size,
+            sockets: state.sockets.size,
+            eventsFile: state.eventsFile,
+            notifications: state.targets.length
+          });
+        }
+        const isLinearWebhook = url.pathname === "/api/linear/webhook" && req.method === "POST";
+        const isInspectorStream = url.pathname === "/api/inspector/stream" && req.method === "GET";
+        const legacyAuthorizedHttpRequest = isInspectorStream && isAuthorizedInspectorStreamRequest(req, state.authToken) ? true : deps.isAuthorizedHttpRequest(req, state.authToken);
+        const requestAuth = authorizeRigHttpRequest({
+          req,
+          pathname: url.pathname,
+          projectRoot: state.projectRoot,
+          serverAuthToken: state.authToken,
+          legacyAuthorized: legacyAuthorizedHttpRequest
+        });
+        const authorizedLinearWebhook = isLinearWebhook && deps.isAuthorizedLinearWebhookRequest(req);
+        if (!requestAuth.authorized && !authorizedLinearWebhook) {
+          return deps.jsonResponse({ ok: false, error: "Unauthorized HTTP request", reason: requestAuth.reason }, 401);
+        }
+        if (url.pathname === "/") {
+          const inspectorSnapshot = state.inspector?.snapshot() ?? null;
+          const inspectorAgentSnapshot = state.inspectorAgent?.snapshot() ?? null;
+          return deps.htmlResponse(`<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>Rig Server</title>
+    <style>
+      :root { color-scheme: dark; }
+      body {
+        margin: 0;
+        background: #0b1020;
+        color: #e6ecff;
+        font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace;
+      }
+      main {
+        max-width: 960px;
+        margin: 0 auto;
+        padding: 32px 24px 48px;
+      }
+      h1, h2 { margin: 0 0 12px; }
+      p { color: #bfd0ff; line-height: 1.55; }
+      .card {
+        margin-top: 18px;
+        padding: 16px 18px;
+        border-radius: 14px;
+        border: 1px solid rgba(255,255,255,0.12);
+        background: rgba(255,255,255,0.04);
+      }
+      ul { padding-left: 18px; margin: 0; }
+      li { margin: 8px 0; }
+      a { color: #8dc2ff; }
+      code { color: #ffffff; }
+      .muted { color: #8ea2d9; }
+    </style>
+  </head>
+  <body>
+    <main>
+      <h1>Rig Server</h1>
+      <p>Control-plane API and live global inspector overlay for this workspace.</p>
+      <section class="card">
+        <h2>Status</h2>
+        <ul>
+          <li><strong>Project root:</strong> <code>${deps.escapeHtml(state.projectRoot)}</code></li>
+          <li><strong>Inspector service:</strong> <code>${state.inspector?.isRunning() ? "running" : "stopped"}</code></li>
+          <li><strong>Inspector agent:</strong> <code>${deps.escapeHtml(inspectorAgentSnapshot?.status ?? "unavailable")}</code></li>
+          <li><strong>Active inspector runs:</strong> <code>${String(inspectorSnapshot?.activeRuns?.length ?? 0)}</code></li>
+        </ul>
+      </section>
+      <section class="card">
+        <h2>Useful endpoints</h2>
+        <ul>
+          <li><a href="/health">/health</a></li>
+          <li><a href="/api/snapshot">/api/snapshot</a></li>
+          <li><a href="/api/inspector/snapshot">/api/inspector/snapshot</a></li>
+          <li><a href="/events/recent">/events/recent</a></li>
+        </ul>
+      </section>
+      <p class="muted">Use the JSON APIs for automation and deep inspection. This root page exists to make the server legible in a browser.</p>
+    </main>
+  </body>
+</html>`);
+        }
+        if (url.pathname === "/events/recent") {
+          const limit = Number.parseInt(url.searchParams.get("limit") || "50", 10);
+          return deps.jsonResponse(deps.readRecentEvents(state.eventsFile, Number.isFinite(limit) ? Math.max(1, Math.min(limit, 500)) : 50));
+        }
+        if (url.pathname === "/events/stream") {
+          const stream = new ReadableStream({
+            start(controller) {
+              state.subscribers.add(controller);
+              controller.enqueue(`event: ready
+data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
+
+`);
+            },
+            cancel() {
+              for (const controller of state.subscribers) {
+                if (controller.desiredSize === null) {
+                  state.subscribers.delete(controller);
+                }
+              }
+            }
+          });
+          return new Response(stream, {
+            headers: {
+              "Content-Type": "text/event-stream",
+              "Cache-Control": "no-cache",
+              Connection: "keep-alive"
+            }
+          });
+        }
+        if (url.pathname === "/notify/test" && req.method === "POST") {
+          const event = {
+            id: `http-test-${Date.now()}`,
+            runId: "manual",
+            timestamp: new Date().toISOString(),
+            type: state.eventType,
+            payload: { trigger: "http" }
+          };
+          const sent = await deps.dispatchEventToTargets(event, state.targets);
+          return deps.jsonResponse({ ok: true, sent, eventType: state.eventType });
+        }
+        if (url.pathname === "/api/workspace/summary") {
+          return deps.jsonResponse(await deps.readWorkspaceSummaryRecord(state.projectRoot));
+        }
+        if (url.pathname === "/api/workspace/topology") {
+          return deps.jsonResponse(readWorkspaceTopology2(state.projectRoot));
+        }
+        if (url.pathname === "/api/workspace/remote-hosts") {
+          return deps.jsonResponse(readWorkspaceRemoteFleet2(state.projectRoot));
+        }
+        if (url.pathname === "/api/workspace/service-fabric/status") {
+          return deps.jsonResponse(await mutateWorkspaceServiceFabric2(state.projectRoot, "verify"));
+        }
+        if (req.method === "POST" && (url.pathname === "/api/workspace/service-fabric/up" || url.pathname === "/api/workspace/service-fabric/verify" || url.pathname === "/api/workspace/service-fabric/down")) {
+          const body = await deps.readJsonBody(req);
+          const services = Array.isArray(body.services) ? body.services.flatMap((entry) => typeof entry === "string" ? [entry] : []) : [];
+          const action = url.pathname.split("/").at(-1);
+          if (action !== "up" && action !== "verify" && action !== "down") {
+            return deps.notFound();
+          }
+          try {
+            return deps.jsonResponse(await mutateWorkspaceServiceFabric2(state.projectRoot, action, services));
+          } catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            return deps.jsonResponse({ ok: false, error: message }, action === "verify" ? 400 : 501);
+          }
+        }
+        if (url.pathname === "/api/workspace/task-projection") {
+          return deps.jsonResponse({ ok: true, projection: readTaskProjection(state.projectRoot) });
+        }
+        if (url.pathname === "/api/workspace/task-projection/refresh" && req.method === "POST") {
+          const projection = state.taskProjectionReconciler ? await state.taskProjectionReconciler.tick("http-refresh") : await refreshTaskProjection(state.projectRoot, {
+            source: "snapshot-service",
+            reason: "http-refresh",
+            tasks: () => deps.snapshotService.getWorkspaceTasks(),
+            activeRuns: () => Promise.resolve(activeTaskRunProjections(state.projectRoot))
+          });
+          deps.broadcastSnapshotInvalidation(state, "task-projection-refresh");
+          return deps.jsonResponse({ ok: true, projection });
+        }
+        const taskDetailsMatch = url.pathname.match(/^\/api\/workspace\/tasks\/([^/]+)$/);
+        if (taskDetailsMatch && taskDetailsMatch[1] !== "next") {
+          const taskId = decodeURIComponent(taskDetailsMatch[1] ?? "");
+          const diagnostics = deps.snapshotService.getTaskSourceErrors();
+          const projection = readTaskProjection(state.projectRoot) ?? await refreshTaskProjection(state.projectRoot, {
+            source: "snapshot-service",
+            reason: "workspace-task-details-read",
+            tasks: () => deps.snapshotService.getWorkspaceTasks(),
+            activeRuns: () => Promise.resolve(activeTaskRunProjections(state.projectRoot))
+          });
+          const task = projection.tasks.find((entry) => entry.id === taskId || String(entry.raw?.number ?? "") === taskId) ?? null;
+          return task ? deps.jsonResponse({ ok: true, task, diagnostics }) : deps.notFound();
+        }
+        if (url.pathname === "/api/workspace/tasks" || url.pathname === "/api/workspace/tasks/next") {
+          const diagnostics = deps.snapshotService.getTaskSourceErrors();
+          const refreshFromSnapshotService = (reason) => refreshTaskProjection(state.projectRoot, {
+            source: "snapshot-service",
+            reason,
+            tasks: () => deps.snapshotService.getWorkspaceTasks(),
+            activeRuns: () => Promise.resolve(activeTaskRunProjections(state.projectRoot))
+          });
+          const shouldRefresh = url.searchParams.get("refresh") === "1";
+          const projection = shouldRefresh ? await refreshFromSnapshotService("workspace-tasks-refresh") : readTaskProjection(state.projectRoot) ?? await refreshFromSnapshotService("workspace-tasks-read");
+          const allTasks = projection.tasks;
+          if (allTasks.length === 0 && diagnostics.length > 0) {
+            return deps.jsonResponse({
+              ok: false,
+              error: "Task source returned no tasks because the configured source failed.",
+              diagnostics
+            }, 502);
+          }
+          const tasks = filterWorkspaceTasks(state.projectRoot, allTasks, url.searchParams);
+          if (url.pathname === "/api/workspace/tasks/next") {
+            return deps.jsonResponse({ task: selectNextWorkspaceTask(state.projectRoot, tasks), count: tasks.length, diagnostics, projection: { refreshedAt: projection.refreshedAt, reason: projection.reason } });
+          }
+          return deps.jsonResponse(tasks);
+        }
+        if (url.pathname === "/api/tasks/update" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const id = normalizeString(body.id);
+          if (!id) {
+            return deps.badRequest("id is required");
+          }
+          const update = {
+            ...normalizeString(body.status) ? { status: normalizeString(body.status) } : {},
+            ...normalizeString(body.comment) ? { comment: normalizeString(body.comment) } : {},
+            ...normalizeString(body.title) ? { title: normalizeString(body.title) } : {},
+            ...typeof body.body === "string" ? { body: body.body } : {}
+          };
+          const ctx = await getCachedPluginHostContext(state.projectRoot);
+          const [source] = ctx?.taskSourceRegistry.list() ?? [];
+          if (!source) {
+            return deps.badRequest("No task source is configured");
+          }
+          const taskBeforeUpdate = source.get ? await source.get(id).catch(() => {
+            return;
+          }) : (await deps.snapshotService.getWorkspaceTasks().catch(() => [])).find((task) => task.id === id);
+          if (source.updateTask) {
+            await source.updateTask(id, update);
+          } else if (update.status && source.updateStatus) {
+            await source.updateStatus(id, update.status);
+          } else {
+            return deps.badRequest("Configured task source does not support updates");
+          }
+          const issueNodeId = normalizeString(body.issueNodeId) ?? extractGitHubIssueNodeId(taskBeforeUpdate);
+          const projectSync = update.status ? await syncGitHubProjectStatusForTaskUpdate({
+            taskId: id,
+            status: update.status,
+            issueNodeId,
+            token: createGitHubAuthStore(state.projectRoot).readToken(),
+            config: ctx?.config
+          }).catch((error) => ({ synced: false, reason: `error:${error instanceof Error ? error.message : String(error)}` })) : { synced: false, reason: "missing-status" };
+          deps.snapshotService.invalidate("github-issue-updated");
+          await state.taskProjectionReconciler?.tick("github-issue-updated").catch(() => {
+            return;
+          });
+          deps.broadcastSnapshotInvalidation(state, "github-issue-updated");
+          return deps.jsonResponse({ ok: true, id, projectSync });
+        }
+        if (url.pathname === "/api/workspace/task-labels") {
+          return deps.jsonResponse({
+            ok: true,
+            ready: true,
+            labelsReady: true,
+            labels: [
+              "ready",
+              "blocked",
+              "in-progress",
+              "under-review",
+              "failed",
+              "cancelled",
+              "rig:running",
+              "rig:pr-open",
+              "rig:ci-fixing",
+              "rig:done",
+              "rig:needs-attention"
+            ],
+            note: "GitHub issue lifecycle labels are created on demand by the configured task source when supported."
+          });
+        }
+        if (url.pathname === "/api/server/status") {
+          const config = buildProjectConfigStatus(state.projectRoot);
+          const taskSource = await buildTaskSourceStatus(state, config);
+          return deps.jsonResponse({
+            ok: true,
+            projectRoot: state.projectRoot,
+            sourceKind: taskSource.kind,
+            config,
+            control: buildServerControlStatus(),
+            deployment: buildDeploymentStatus(state.projectRoot),
+            taskSource
+          });
+        }
+        if (url.pathname === "/api/projects" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const repoSlug = normalizeString(body.repoSlug);
+          if (!repoSlug || !normalizeRepoSlug(repoSlug)) {
+            return deps.jsonResponse({ ok: false, error: "repoSlug must be owner/repo" }, 400);
+          }
+          const rawCheckout = asPlainRecord(body.checkout);
+          const checkoutKind = normalizeString(rawCheckout?.kind);
+          const checkout = checkoutKind === "local" || checkoutKind === "managed-clone" || checkoutKind === "current-ref" || checkoutKind === "uploaded-snapshot" || checkoutKind === "existing-path" ? {
+            kind: checkoutKind,
+            path: normalizeString(rawCheckout?.path) ?? state.projectRoot,
+            ref: normalizeString(rawCheckout?.ref) ?? undefined
+          } : undefined;
+          const record = upsertProjectRecord(state.projectRoot, { repoSlug, checkout });
+          return deps.jsonResponse({ ok: true, project: record });
+        }
+        const snapshotUploadMatch = url.pathname.match(/^\/api\/projects\/(.+?)\/upload-snapshot$/);
+        if (snapshotUploadMatch && req.method === "POST") {
+          const repoSlug = decodeURIComponent(snapshotUploadMatch[1] ?? "");
+          if (!normalizeRepoSlug(repoSlug)) {
+            return deps.jsonResponse({ ok: false, error: "repoSlug must be owner/repo" }, 400);
+          }
+          const body = await deps.readJsonBody(req);
+          const archiveContentBase64 = normalizeString(body.archiveContentBase64);
+          if (!archiveContentBase64) {
+            return deps.badRequest("archiveContentBase64 is required");
+          }
+          const baseDir = normalizeString(body.baseDir) ?? normalizeString(process.env.RIG_REMOTE_SNAPSHOT_BASE_DIR) ?? (normalizeString(process.env.RIG_STATE_DIR) ? resolve11(normalizeString(process.env.RIG_STATE_DIR), "remote-snapshots") : resolve11(state.projectRoot, ".rig", "remote-snapshots"));
+          const checkoutKey = normalizeString(body.checkoutKey) ?? "default";
+          try {
+            const archive = parseSnapshotArchiveContentBase64(archiveContentBase64);
+            const checkout = extractUploadedSnapshotArchive({
+              repoSlug,
+              baseDir,
+              archive,
+              snapshotId: normalizeString(body.snapshotId) ?? undefined,
+              checkoutKey
+            });
+            const checkoutRepair = repairRemoteCheckoutForRig(checkout.path, repoSlug);
+            const packageInstall = installRemoteCheckoutPackages(checkout.path);
+            const postInstallConfigValidation = validateRemoteCheckoutRigConfig(checkout.path);
+            const project = linkProjectCheckout(state.projectRoot, repoSlug, {
+              kind: "uploaded-snapshot",
+              path: checkout.path,
+              ref: checkout.snapshotId
+            });
+            deps.snapshotService.invalidate("uploaded-snapshot-checkout");
+            deps.broadcastSnapshotInvalidation(state, "uploaded-snapshot-checkout");
+            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation });
+          } catch (error) {
+            return deps.jsonResponse({
+              ok: false,
+              error: error instanceof Error ? error.message : String(error)
+            }, 400);
+          }
+        }
+        const prepareCheckoutMatch = url.pathname.match(/^\/api\/projects\/(.+?)\/prepare-checkout$/);
+        if (prepareCheckoutMatch && req.method === "POST") {
+          const repoSlug = decodeURIComponent(prepareCheckoutMatch[1] ?? "");
+          if (!normalizeRepoSlug(repoSlug)) {
+            return deps.jsonResponse({ ok: false, error: "repoSlug must be owner/repo" }, 400);
+          }
+          const body = await deps.readJsonBody(req);
+          const checkoutInput = asPlainRecord(body.checkout) ?? asPlainRecord(body.strategy) ?? body;
+          const kind = normalizeString(checkoutInput.kind) ?? "managed-clone";
+          if (kind !== "managed-clone" && kind !== "current-ref" && kind !== "existing-path") {
+            return deps.jsonResponse({ ok: false, error: "checkout kind must be managed-clone, current-ref, or existing-path" }, 400);
+          }
+          const baseDir = normalizeString(body.baseDir) ?? normalizeString(checkoutInput.baseDir) ?? normalizeString(process.env.RIG_REMOTE_CHECKOUT_BASE_DIR) ?? (normalizeString(process.env.RIG_STATE_DIR) ? resolve11(normalizeString(process.env.RIG_STATE_DIR), "remote-checkouts") : resolve11(state.projectRoot, ".rig", "remote-checkouts"));
+          const checkoutKey = normalizeString(body.checkoutKey) ?? normalizeString(checkoutInput.checkoutKey) ?? normalizeString(checkoutInput.key) ?? "default";
+          const repoUrl = normalizeString(body.repoUrl) ?? normalizeString(checkoutInput.repoUrl) ?? `https://github.com/${repoSlug}.git`;
+          const credentialToken = createGitHubAuthStore(state.projectRoot).readToken();
+          try {
+            const checkout = await prepareRemoteCheckout({
+              command: runRemoteCheckoutCommand,
+              strategy: kind === "current-ref" ? { kind: "current-ref", repoSlug, repoUrl, baseDir, checkoutKey, ref: normalizeString(checkoutInput.ref) ?? "HEAD", credentialToken } : kind === "existing-path" ? { kind: "existing-path", path: normalizeString(checkoutInput.path) ?? state.projectRoot } : { kind: "managed-clone", repoSlug, repoUrl, baseDir, checkoutKey, credentialToken }
+            });
+            const checkoutRepair = repairRemoteCheckoutForRig(checkout.path, repoSlug);
+            const packageInstall = installRemoteCheckoutPackages(checkout.path);
+            const postInstallConfigValidation = validateRemoteCheckoutRigConfig(checkout.path);
+            const project = linkProjectCheckout(state.projectRoot, repoSlug, {
+              kind: checkout.kind,
+              path: checkout.path,
+              ref: checkout.ref ?? checkout.snapshotId ?? undefined
+            });
+            deps.snapshotService.invalidate("remote-checkout-prepared");
+            deps.broadcastSnapshotInvalidation(state, "remote-checkout-prepared");
+            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation });
+          } catch (error) {
+            return deps.jsonResponse({ ok: false, error: error instanceof Error ? error.message : String(error) }, 400);
+          }
+        }
+        const projectMatch = url.pathname.match(/^\/api\/projects\/(.+?)(?:\/link-checkout)?$/);
+        if (projectMatch) {
+          const repoSlug = decodeURIComponent(projectMatch[1] ?? "");
+          if (!normalizeRepoSlug(repoSlug)) {
+            return deps.jsonResponse({ ok: false, error: "repoSlug must be owner/repo" }, 400);
+          }
+          if (url.pathname.endsWith("/link-checkout") && req.method === "POST") {
+            const body = await deps.readJsonBody(req);
+            const kind = normalizeString(body.kind);
+            if (kind !== "local" && kind !== "managed-clone" && kind !== "current-ref" && kind !== "uploaded-snapshot" && kind !== "existing-path") {
+              return deps.jsonResponse({ ok: false, error: "checkout kind is required" }, 400);
+            }
+            const project = linkProjectCheckout(state.projectRoot, repoSlug, {
+              kind,
+              path: normalizeString(body.path) ?? state.projectRoot,
+              ref: normalizeString(body.ref) ?? undefined
+            });
+            return deps.jsonResponse({ ok: true, project });
+          }
+          if (req.method === "GET") {
+            const project = getProjectRecord(state.projectRoot, repoSlug);
+            return project ? deps.jsonResponse({ ok: true, project }) : deps.notFound();
+          }
+        }
+        if (url.pathname === "/api/server/project-root" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const requestedRoot = normalizeString(body.projectRoot);
+          if (!requestedRoot) {
+            return deps.badRequest("projectRoot is required");
+          }
+          if (!isAbsolute2(requestedRoot)) {
+            return deps.badRequest("projectRoot must be an absolute path on the Rig server host");
+          }
+          const normalizedRoot = resolve11(requestedRoot);
+          const exists = existsSync8(normalizedRoot);
+          const control = buildServerControlStatus();
+          const switchCommand = process.env.RIG_PROJECT_ROOT_SWITCH_COMMAND?.trim();
+          if (!exists) {
+            return deps.jsonResponse({
+              ok: false,
+              projectRoot: state.projectRoot,
+              requestedProjectRoot: normalizedRoot,
+              exists,
+              control,
+              requiresRestart: true,
+              message: "Requested project root does not exist on the Rig server host."
+            }, 404);
+          }
+          if (!existsSync8(resolve11(normalizedRoot, "rig.config.ts")) && !existsSync8(resolve11(normalizedRoot, "rig.config.json"))) {
+            return deps.jsonResponse({
+              ok: false,
+              projectRoot: state.projectRoot,
+              requestedProjectRoot: normalizedRoot,
+              exists,
+              control,
+              requiresRestart: true,
+              message: "Requested project root exists but has no rig.config.ts or rig.config.json."
+            }, 400);
+          }
+          if (switchCommand) {
+            const result = spawnSync2(switchCommand, [normalizedRoot], {
+              cwd: state.projectRoot,
+              env: process.env,
+              encoding: "utf8"
+            });
+            if (result.error || result.status !== 0) {
+              return deps.jsonResponse({
+                ok: false,
+                projectRoot: state.projectRoot,
+                requestedProjectRoot: normalizedRoot,
+                exists,
+                control,
+                requiresRestart: true,
+                message: result.error instanceof Error ? result.error.message : result.stderr || result.stdout || `Project-root switch command failed (${result.status ?? "unknown"}).`
+              }, 500);
+            }
+            return deps.jsonResponse({
+              ok: true,
+              projectRoot: state.projectRoot,
+              requestedProjectRoot: normalizedRoot,
+              exists,
+              control,
+              requiresRestart: false,
+              message: "Project-root switch accepted. Rig server restart has been scheduled."
+            }, 202);
+          }
+          return deps.jsonResponse({
+            ok: false,
+            projectRoot: state.projectRoot,
+            requestedProjectRoot: normalizedRoot,
+            exists,
+            control,
+            requiresRestart: true,
+            message: "Project root is bound when the Rig server starts. Restart the server or supervisor with this server-host path to switch projects."
+          }, 409);
+        }
+        if (url.pathname === "/api/github/auth/status") {
+          const store = createGitHubAuthStore(state.projectRoot);
+          return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }) });
+        }
+        if (url.pathname === "/api/github/repo/permissions") {
+          const store = createGitHubAuthStore(state.projectRoot);
+          const auth = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
+          if (!auth.signedIn) {
+            return deps.jsonResponse({ ok: false, signedIn: false, canOpenPullRequest: false, reason: "not-authenticated" }, 401);
+          }
+          const scopeSet = new Set(auth.scopes.map((scope) => scope.toLowerCase()));
+          const broadEnough = scopeSet.has("repo") || scopeSet.has("public_repo") || auth.scopes.length === 0;
+          return deps.jsonResponse({
+            ok: true,
+            signedIn: true,
+            login: auth.login,
+            scopes: auth.scopes,
+            canOpenPullRequest: broadEnough,
+            pullRequests: broadEnough,
+            push: broadEnough,
+            reason: broadEnough ? "stored-token" : "token-scope-unverified"
+          });
+        }
+        if (url.pathname === "/api/github/auth/token" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const token = normalizeString(body.token);
+          const selectedRepo = normalizeString(body.selectedRepo);
+          if (!token) {
+            return deps.badRequest("token is required");
+          }
+          try {
+            const user = await fetchGitHubUserInfo(token);
+            const store = createGitHubAuthStore(state.projectRoot);
+            store.saveToken({
+              token,
+              tokenSource: "manual-token",
+              login: user.login,
+              userId: user.userId,
+              scopes: user.scopes,
+              selectedRepo
+            });
+            return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }) });
+          } catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            return deps.jsonResponse({ ok: false, error: message }, 400);
+          }
+        }
+        if (url.pathname === "/api/github/auth/device/start" && req.method === "POST") {
+          const clientId = normalizeString(process.env.RIG_GITHUB_OAUTH_CLIENT_ID);
+          if (!clientId) {
+            return deps.jsonResponse({ ok: false, oauthConfigured: false, error: "RIG_GITHUB_OAUTH_CLIENT_ID is not configured." }, 400);
+          }
+          const body = await deps.readJsonBody(req);
+          const scope = normalizeString(body.scope) ?? "repo read:user user:email";
+          const result = await postGitHubForm("https://github.com/login/device/code", {
+            client_id: clientId,
+            scope
+          });
+          if (result.status < 200 || result.status >= 300 || typeof result.payload.device_code !== "string") {
+            return deps.jsonResponse({ ok: false, error: typeof result.payload.error_description === "string" ? result.payload.error_description : "GitHub device flow start failed." }, 400);
+          }
+          const pollId = randomUUID();
+          const expiresIn = typeof result.payload.expires_in === "number" ? result.payload.expires_in : 900;
+          const interval = typeof result.payload.interval === "number" ? result.payload.interval : 5;
+          createGitHubAuthStore(state.projectRoot).savePendingDevice({
+            pollId,
+            deviceCode: result.payload.device_code,
+            expiresAt: new Date(Date.now() + expiresIn * 1000).toISOString(),
+            intervalSeconds: interval
+          });
+          return deps.jsonResponse({
+            ok: true,
+            pollId,
+            userCode: typeof result.payload.user_code === "string" ? result.payload.user_code : "",
+            verificationUri: typeof result.payload.verification_uri === "string" ? result.payload.verification_uri : "https://github.com/login/device",
+            expiresIn,
+            interval
+          });
+        }
+        if (url.pathname === "/api/github/auth/device/poll" && req.method === "POST") {
+          const clientId = normalizeString(process.env.RIG_GITHUB_OAUTH_CLIENT_ID);
+          if (!clientId) {
+            return deps.jsonResponse({ ok: false, oauthConfigured: false, error: "RIG_GITHUB_OAUTH_CLIENT_ID is not configured." }, 400);
+          }
+          const body = await deps.readJsonBody(req);
+          const pollId = normalizeString(body.pollId);
+          if (!pollId) {
+            return deps.badRequest("pollId is required");
+          }
+          const store = createGitHubAuthStore(state.projectRoot);
+          const pending = store.readPendingDevice(pollId);
+          if (!pending) {
+            return deps.jsonResponse({ ok: false, status: "expired", error: "GitHub device flow expired or unknown." }, 410);
+          }
+          const result = await postGitHubForm("https://github.com/login/oauth/access_token", {
+            client_id: clientId,
+            device_code: pending.deviceCode,
+            grant_type: "urn:ietf:params:oauth:grant-type:device_code"
+          });
+          const error = typeof result.payload.error === "string" ? result.payload.error : null;
+          if (error === "authorization_pending" || error === "slow_down") {
+            return deps.jsonResponse({ ok: true, status: error, interval: error === "slow_down" ? pending.intervalSeconds + 5 : pending.intervalSeconds });
+          }
+          if (error || typeof result.payload.access_token !== "string") {
+            return deps.jsonResponse({ ok: false, status: "error", error: typeof result.payload.error_description === "string" ? result.payload.error_description : "GitHub device authorization failed." }, 400);
+          }
+          const token = result.payload.access_token;
+          const user = await fetchGitHubUserInfo(token);
+          store.saveToken({ token, tokenSource: "oauth-device", login: user.login, userId: user.userId, scopes: user.scopes });
+          return deps.jsonResponse({ ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }) });
+        }
+        if (url.pathname === "/api/github/repo/probe" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const owner = normalizeString(body.owner);
+          const repo = normalizeString(body.repo);
+          if (!owner || !repo) {
+            return deps.badRequest("owner and repo are required");
+          }
+          const store = createGitHubAuthStore(state.projectRoot);
+          const authStatus = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
+          const probe = await probeGitHubRepository({ owner, repo, token: store.readToken(), scopes: authStatus.scopes });
+          return deps.jsonResponse({ ok: probe.ok, probe }, probe.ok ? 200 : 400);
+        }
+        if (url.pathname === "/api/project/github/preview" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const owner = normalizeString(body.owner);
+          const repo = normalizeString(body.repo);
+          const rawProjectName = normalizeString(body.projectName);
+          const assignee = normalizeString(body.assignee);
+          if (!owner || !repo) {
+            return deps.badRequest("owner and repo are required");
+          }
+          let targetRoot;
+          try {
+            targetRoot = resolveRequestedProjectRoot(state.projectRoot, body.projectRoot);
+          } catch (error) {
+            return deps.badRequest(error instanceof Error ? error.message : String(error));
+          }
+          const authStatus = createGitHubAuthStore(state.projectRoot).status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
+          const configPath = resolve11(targetRoot, "rig.config.ts");
+          const source = buildGitHubProjectConfigSource({
+            projectName: rawProjectName,
+            owner,
+            repo,
+            assignee,
+            githubUserId: authStatus.userId ?? authStatus.login
+          });
+          return deps.jsonResponse({
+            ok: true,
+            projectRoot: targetRoot,
+            configPath,
+            exists: existsSync8(configPath),
+            requiresOverwrite: existsSync8(configPath),
+            source,
+            owner,
+            repo,
+            assignee
+          });
+        }
+        if (url.pathname === "/api/project/github" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const owner = normalizeString(body.owner);
+          const repo = normalizeString(body.repo);
+          const rawProjectName = normalizeString(body.projectName);
+          const assignee = normalizeString(body.assignee);
+          const overwrite = body.overwrite === true;
+          if (!owner || !repo) {
+            return deps.badRequest("owner and repo are required");
+          }
+          let targetRoot;
+          try {
+            targetRoot = resolveRequestedProjectRoot(state.projectRoot, body.projectRoot);
+          } catch (error) {
+            return deps.badRequest(error instanceof Error ? error.message : String(error));
+          }
+          const store = createGitHubAuthStore(state.projectRoot);
+          const authStatus = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
+          const token = store.readToken();
+          if (!token) {
+            return deps.jsonResponse({ ok: false, error: "Sign in with GitHub or save a PAT before configuring GitHub Issues." }, 401);
+          }
+          const source = buildGitHubProjectConfigSource({
+            projectName: rawProjectName,
+            owner,
+            repo,
+            assignee,
+            githubUserId: authStatus.userId ?? authStatus.login
+          });
+          const configPath = resolve11(targetRoot, "rig.config.ts");
+          if (existsSync8(configPath) && !overwrite) {
+            return deps.jsonResponse({
+              ok: false,
+              error: "rig.config.ts already exists. Confirm overwrite to replace it; Rig will create a backup first.",
+              existingConfig: true,
+              requiresOverwrite: true,
+              projectRoot: targetRoot,
+              configPath,
+              previewSource: source
+            }, 409);
+          }
+          const repoProbe = await probeGitHubRepository({ owner, repo, token, scopes: authStatus.scopes });
+          if (!repoProbe.ok) {
+            return deps.jsonResponse({ ok: false, error: repoProbe.message, repoProbe }, 400);
+          }
+          let backupPath = null;
+          if (existsSync8(configPath)) {
+            backupPath = backupConfigPath(configPath);
+            copyFileSync(configPath, backupPath);
+          }
+          writeFileSync7(configPath, source, "utf8");
+          const selectedRepo = `${owner}/${repo}`;
+          store.saveSelectedRepo(selectedRepo);
+          const targetStore = createGitHubAuthStore(targetRoot);
+          const targetToken = store.readToken();
+          if (targetToken) {
+            targetStore.saveToken({
+              token: targetToken,
+              tokenSource: authStatus.tokenSource === "oauth-device" ? "oauth-device" : "manual-token",
+              login: authStatus.login,
+              userId: authStatus.userId,
+              scopes: authStatus.scopes,
+              selectedRepo
+            });
+          } else {
+            targetStore.saveSelectedRepo(selectedRepo);
+          }
+          const switchResult = runProjectRootSwitchIfNeeded(state.projectRoot, targetRoot);
+          deps.snapshotService.invalidate("project-github-config-updated");
+          deps.broadcastSnapshotInvalidation(state, "project-github-config-updated");
+          return deps.jsonResponse({
+            ok: true,
+            projectRoot: targetRoot,
+            configPath,
+            backupPath,
+            owner,
+            repo,
+            assignee,
+            source,
+            repoProbe,
+            switched: switchResult.switched,
+            message: switchResult.message ?? undefined
+          });
+        }
+        if (url.pathname === "/api/project/config-status") {
+          return deps.jsonResponse(buildProjectConfigStatus(state.projectRoot));
+        }
+        if (url.pathname === "/api/snapshot") {
+          const payload = await deps.snapshotService.getRigSnapshot();
+          return deps.jsonResponse({
+            workspace: payload.workspace,
+            workspaces: payload.snapshot.workspaces,
+            graphs: payload.graphs,
+            tasks: payload.tasks,
+            runs: payload.runs,
+            approvals: payload.approvals,
+            userInputs: payload.userInputs,
+            artifacts: payload.artifacts,
+            queue: payload.queue,
+            taskSourceDiagnostics: deps.snapshotService.getTaskSourceErrors(),
+            updatedAt: payload.snapshot.updatedAt
+          });
+        }
+        if (url.pathname === "/api/inspector/snapshot") {
+          const snapshot = state.inspector ? state.inspector.snapshot() : {
+            activeRuns: [],
+            recentFindings: [],
+            followups: [],
+            analysisReports: [],
+            availableTools: []
+          };
+          return deps.jsonResponse({
+            ...snapshot,
+            agent: state.inspectorAgent?.snapshot() ?? null,
+            lifecycle: inspectorAgentLifecycleSnapshot({
+              inspector: state.inspector,
+              agent: state.inspectorAgent,
+              retry: state.inspectorAgentLifecycle?.snapshot() ?? null
+            })
+          });
+        }
+        if (url.pathname === "/api/inspector/stream") {
+          const once = deps.isTruthyQuery(url.searchParams.get("once"));
+          const pollMs = deps.normalizePositiveIntQuery(url.searchParams.get("pollMs"), 1000);
+          let timer = null;
+          let closed = false;
+          const stream = new ReadableStream({
+            start(controller) {
+              let sequence = 0;
+              let lastFingerprint = null;
+              const stop = () => {
+                if (timer) {
+                  clearInterval(timer);
+                  timer = null;
+                }
+              };
+              const emitSnapshot = () => {
+                if (closed) {
+                  return;
+                }
+                const payload = deps.buildInspectorStreamPayload(state, sequence + 1);
+                const fingerprint = JSON.stringify({
+                  snapshot: payload.snapshot,
+                  agent: payload.agent,
+                  journal: payload.journal
+                });
+                if (!once && fingerprint === lastFingerprint) {
+                  return;
+                }
+                sequence += 1;
+                lastFingerprint = fingerprint;
+                controller.enqueue(deps.formatSseEvent("snapshot", { ...payload, sequence }));
+                if (once) {
+                  closed = true;
+                  stop();
+                  controller.close();
+                }
+              };
+              try {
+                emitSnapshot();
+              } catch (error) {
+                controller.enqueue(deps.formatSseEvent("error", {
+                  message: error instanceof Error ? error.message : String(error)
+                }));
+                controller.close();
+                return;
+              }
+              if (!once) {
+                timer = setInterval(() => {
+                  try {
+                    emitSnapshot();
+                  } catch (error) {
+                    if (!closed) {
+                      controller.enqueue(deps.formatSseEvent("error", {
+                        message: error instanceof Error ? error.message : String(error)
+                      }));
+                      closed = true;
+                      stop();
+                      controller.close();
+                    }
+                  }
+                }, pollMs);
+              }
+            },
+            cancel() {
+              closed = true;
+              if (timer) {
+                clearInterval(timer);
+                timer = null;
+              }
+            }
+          });
+          return new Response(stream, {
+            headers: {
+              "Content-Type": "text/event-stream",
+              "Cache-Control": "no-cache",
+              Connection: "keep-alive"
+            }
+          });
+        }
+        if (url.pathname === "/api/inspector/tools/invoke" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const name = normalizeString(body.name);
+          const input = body.input && typeof body.input === "object" ? body.input : {};
+          if (!name) {
+            return deps.badRequest("name is required");
+          }
+          if (!state.inspector) {
+            return deps.jsonResponse({ status: "unavailable", summary: "Inspector is not available", details: null }, 503);
+          }
+          return deps.jsonResponse(await state.inspector.invokeTool(name, input));
+        }
+        if (url.pathname === "/api/runs") {
+          const limit = Number.parseInt(url.searchParams.get("limit") || "100", 10);
+          const runs = listAuthorityRuns7(state.projectRoot).slice(0, Number.isFinite(limit) ? Math.max(1, Math.min(limit, 500)) : 100);
+          return deps.jsonResponse(runs);
+        }
+        if (url.pathname === "/api/runs/task" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const runId = normalizeString(body.runId) ?? crypto.randomUUID();
+          const taskId = normalizeString(body.taskId);
+          if (!taskId) {
+            return deps.badRequest("taskId is required");
+          }
+          const createdAt = new Date().toISOString();
+          const executionTarget = normalizeString(body.executionTarget) === "remote" ? "remote" : "local";
+          try {
+            await deps.createRunRecord(state.projectRoot, {
+              runId,
+              workspaceId: RIG_WORKSPACE_ID,
+              taskId,
+              title: normalizeString(body.title) ?? undefined,
+              runtimeAdapter: normalizeRuntimeAdapter(body.runtimeAdapter),
+              model: normalizeString(body.model) ?? undefined,
+              runtimeMode: normalizeString(body.runtimeMode) ?? undefined,
+              interactionMode: normalizeString(body.interactionMode) ?? undefined,
+              executionTarget,
+              remoteHostId: normalizeString(body.remoteHostId),
+              initialPrompt: normalizeString(body.initialPrompt) ?? undefined,
+              baselineMode: normalizeString(body.baselineMode) ?? undefined,
+              prMode: normalizePrMode(body.prMode),
+              initiatedBy: requestAuth.actor,
+              createdAt
+            });
+          } catch (error) {
+            return deps.jsonResponse({ ok: false, error: error instanceof Error ? error.message : String(error) }, /active Rig run/i.test(error instanceof Error ? error.message : String(error)) ? 409 : 400);
+          }
+          dequeueTaskState(state.projectRoot, taskId);
+          deps.broadcastSnapshotInvalidation(state);
+          if (executionTarget === "local") {
+            queueMicrotask(() => {
+              deps.startLocalRun(state, runId).catch((error) => {
+                console.error("[server] failed to start local task run", error);
+              });
+            });
+          }
+          queueMicrotask(() => {
+            deps.reconcileScheduler(state, "api-task-run-created");
+          });
+          return deps.jsonResponse({ ok: true, runId, createdAt, accepted: true });
+        }
+        if (url.pathname === "/api/runs/adhoc" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const runId = normalizeString(body.runId) ?? crypto.randomUUID();
+          const title = normalizeString(body.title) ?? `Run ${runId}`;
+          const initialPrompt = normalizeString(body.initialPrompt);
+          if (!initialPrompt && !title) {
+            return deps.badRequest("title or initialPrompt is required");
+          }
+          const createdAt = new Date().toISOString();
+          const executionTarget = normalizeString(body.executionTarget) === "remote" ? "remote" : "local";
+          await deps.createRunRecord(state.projectRoot, {
+            runId,
+            workspaceId: RIG_WORKSPACE_ID,
+            title,
+            runtimeAdapter: normalizeRuntimeAdapter(body.runtimeAdapter),
+            model: normalizeString(body.model) ?? undefined,
+            runtimeMode: normalizeString(body.runtimeMode) ?? undefined,
+            interactionMode: normalizeString(body.interactionMode) ?? undefined,
+            executionTarget,
+            remoteHostId: normalizeString(body.remoteHostId),
+            initialPrompt: initialPrompt ?? title,
+            baselineMode: normalizeString(body.baselineMode) ?? undefined,
+            prMode: normalizePrMode(body.prMode),
+            initiatedBy: requestAuth.actor,
+            createdAt
+          });
+          deps.broadcastSnapshotInvalidation(state);
+          if (executionTarget === "local") {
+            queueMicrotask(() => {
+              deps.startLocalRun(state, runId).catch((error) => {
+                console.error("[server] failed to start local adhoc run", error);
+              });
+            });
+          }
+          return deps.jsonResponse({ ok: true, runId, createdAt, accepted: true });
+        }
+        if (url.pathname === "/api/runs/stop" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const runId = normalizeString(body.runId);
+          const createdAt = normalizeString(body.createdAt) ?? new Date().toISOString();
+          if (!runId) {
+            return deps.badRequest("runId is required");
+          }
+          try {
+            deps.stopRunRecord(state, { runId, createdAt }).catch((error) => {
+              console.error("[server] failed to stop run", error);
+            });
+            deps.broadcastSnapshotInvalidation(state);
+            queueMicrotask(() => {
+              deps.reconcileScheduler(state, "api-run-stopped");
+            });
+            return deps.jsonResponse({ ok: true, runId, createdAt, accepted: true });
+          } catch (error) {
+            return deps.jsonResponse({ ok: false, error: error instanceof Error ? error.message : String(error) }, 400);
+          }
+        }
+        if (url.pathname === "/api/runs/resume" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const runId = normalizeString(body.runId);
+          const createdAt = normalizeString(body.createdAt) ?? new Date().toISOString();
+          const promptOverride = normalizeString(body.promptOverride);
+          if (!runId) {
+            return deps.badRequest("runId is required");
+          }
+          try {
+            await deps.resumeRunRecord(state, { runId, createdAt, promptOverride });
+            deps.broadcastSnapshotInvalidation(state);
+            return deps.jsonResponse({ ok: true, runId, createdAt });
+          } catch (error) {
+            return deps.jsonResponse({ ok: false, error: error instanceof Error ? error.message : String(error) }, 400);
+          }
+        }
+        if (url.pathname === "/api/pi-rig/install" && req.method === "POST") {
+          const configuredPackageSource = normalizeString(process.env.RIG_PI_RIG_PACKAGE_SOURCE);
+          const packageSource = configuredPackageSource ?? [process.env.RIG_HOST_PROJECT_ROOT, process.cwd(), state.projectRoot].map((root) => normalizeString(root)).filter((root) => Boolean(root)).map((root) => resolve11(root, "packages", "pi-rig")).find((candidate) => existsSync8(resolve11(candidate, "package.json"))) ?? "npm:@rig/pi-rig";
+          if (process.env.RIG_TEST_FAKE_PI_INSTALL === "1") {
+            return deps.jsonResponse({ ok: true, installed: true, piOk: true, piRigOk: true, extensionPath: "remote:~/.pi/agent/extensions/pi-rig", packageSource });
+          }
+          let version = spawnSync2("pi", ["--version"], { cwd: state.projectRoot, env: process.env, encoding: "utf8" });
+          let piInstalledOrUpdated = false;
+          if (version.error || version.status !== 0) {
+            const installCommand = normalizeString(process.env.RIG_PI_INSTALL_COMMAND) ?? "bunx @earendil-works/pi@latest install";
+            const parts = installCommand.match(/(?:[^\s"']+|"[^"]*"|'[^']*')+/g)?.map((part) => part.replace(/^['"]|['"]$/g, "")) ?? [];
+            if (parts.length > 0) {
+              const piInstall = spawnSync2(parts[0], parts.slice(1), { cwd: state.projectRoot, env: process.env, encoding: "utf8" });
+              piInstalledOrUpdated = true;
+              if (!piInstall.error && piInstall.status === 0) {
+                version = spawnSync2("pi", ["--version"], { cwd: state.projectRoot, env: process.env, encoding: "utf8" });
+              }
+            }
+            if (version.error || version.status !== 0) {
+              return deps.jsonResponse({
+                ok: false,
+                installed: false,
+                piOk: false,
+                piRigOk: false,
+                piInstalledOrUpdated,
+                error: version.error instanceof Error ? version.error.message : version.stderr || version.stdout || "pi --version failed",
+                extensionPath: "remote:~/.pi/agent/extensions/pi-rig"
+              }, 200);
+            }
+          }
+          const install = spawnSync2("pi", ["install", packageSource], { cwd: state.projectRoot, env: process.env, encoding: "utf8" });
+          const installed = !install.error && install.status === 0;
+          return deps.jsonResponse({
+            ok: installed,
+            installed,
+            piOk: true,
+            piRigOk: installed,
+            piVersion: version.stdout.trim() || version.stderr.trim() || undefined,
+            piInstalledOrUpdated,
+            extensionPath: "remote:~/.pi/agent/extensions/pi-rig",
+            packageSource,
+            ...installed ? {} : { error: install.error instanceof Error ? install.error.message : install.stderr || install.stdout || `pi install failed (${install.status ?? "unknown"})` }
+          }, 200);
+        }
+        if (url.pathname === "/api/remote/endpoints" && req.method === "GET") {
+          return deps.jsonResponse({
+            endpoints: listManagedRemoteEndpoints2(undefined, state.projectRoot).map((endpoint) => redactRemoteEndpoint(endpoint))
+          });
+        }
+        if (url.pathname === "/api/remote/endpoints/doctor") {
+          return deps.jsonResponse(doctorManagedRemoteEndpoints(state.projectRoot));
+        }
+        if (url.pathname === "/api/remote/endpoints" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const alias = normalizeString(body.alias);
+          const host = normalizeString(body.host);
+          const token = normalizeString(body.token);
+          const port = typeof body.port === "number" ? body.port : typeof body.port === "string" ? Number.parseInt(body.port, 10) : NaN;
+          if (!alias || !host || !Number.isFinite(port) || port <= 0) {
+            return deps.badRequest("alias, host, and port are required");
+          }
+          const endpoint = upsertManagedRemoteEndpoint2({ alias, host, port, token: token ?? undefined }, undefined, state.projectRoot);
+          return deps.jsonResponse({ endpoint: redactRemoteEndpoint(endpoint) });
+        }
+        if (url.pathname === "/api/remote/endpoints/update" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const updated = updateManagedRemoteEndpointInAuthority(state.projectRoot, {
+            endpointId: normalizeString(body.endpointId) ?? undefined,
+            alias: normalizeString(body.alias) ?? undefined,
+            host: normalizeString(body.host) ?? undefined,
+            port: typeof body.port === "number" ? body.port : typeof body.port === "string" ? Number.parseInt(body.port, 10) : undefined,
+            token: normalizeString(body.token) ?? undefined
+          });
+          if (!updated) {
+            return deps.jsonResponse({ ok: false, error: "Remote endpoint not found" }, 404);
+          }
+          return deps.jsonResponse({ endpoint: redactRemoteEndpoint(updated) });
+        }
+        if (url.pathname === "/api/remote/endpoints/remove" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const alias = normalizeString(body.alias);
+          if (!alias) {
+            return deps.badRequest("alias is required");
+          }
+          const removed = removeManagedRemoteEndpoint2(alias, undefined, state.projectRoot);
+          return removed ? deps.jsonResponse({ ok: true, alias }) : deps.jsonResponse({ ok: false, error: "Remote endpoint not found" }, 404);
+        }
+        if (url.pathname === "/api/remote/endpoints/test" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          try {
+            const endpoint = resolveRemoteEndpoint2({
+              projectRoot: state.projectRoot,
+              remoteAlias: normalizeString(body.alias) ?? undefined,
+              host: normalizeString(body.host) ?? undefined,
+              port: typeof body.port === "number" ? String(body.port) : normalizeString(body.port) ?? undefined,
+              token: normalizeString(body.token) ?? undefined
+            });
+            const client = new RemoteWsClient2(endpoint);
+            await client.connect();
+            const response = await client.ping();
+            client.disconnect();
+            return deps.jsonResponse({
+              ok: true,
+              endpoint: {
+                alias: endpoint.alias ?? null,
+                host: endpoint.host,
+                port: endpoint.port,
+                tokenConfigured: endpoint.token.trim().length > 0
+              },
+              response: redactSecretFields(response)
+            });
+          } catch (error) {
+            return deps.jsonResponse({ ok: false, error: error instanceof Error ? error.message : String(error) }, 502);
+          }
+        }
+        if (url.pathname === "/api/remote/hosts/register" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const workspaceId = normalizeString(body.workspaceId) ?? RIG_WORKSPACE_ID;
+          const hostId = normalizeString(body.hostId);
+          const name = normalizeString(body.name);
+          const baseUrl = normalizeString(body.baseUrl);
+          if (!hostId || !name || !baseUrl) {
+            return deps.badRequest("hostId, name, and baseUrl are required");
+          }
+          const acceptedAt = new Date().toISOString();
+          state.remoteHosts.set(hostId, {
+            workspaceId,
+            hostId,
+            name,
+            baseUrl,
+            workspacePath: normalizeString(body.workspacePath),
+            transport: normalizeString(body.transport) ?? "websocket",
+            hostname: normalizeString(body.hostname),
+            region: normalizeString(body.region),
+            labels: normalizeStringArray(body.labels),
+            capabilities: normalizeStringArray(body.capabilities),
+            runtimeAdapters: normalizeStringArray(body.runtimeAdapters),
+            status: normalizeString(body.status) ?? "ready",
+            currentLeaseCount: typeof body.currentLeaseCount === "number" ? body.currentLeaseCount : Number(body.currentLeaseCount ?? 0) || 0,
+            registeredAt: acceptedAt,
+            lastHeartbeatAt: acceptedAt
+          });
+          deps.broadcastSnapshotInvalidation(state);
+          await deps.reconcileScheduler(state, "remote-host-registered");
+          return deps.jsonResponse({
+            ok: true,
+            workspaceId,
+            hostId,
+            acceptedAt,
+            heartbeatIntervalMs: 15000
+          });
+        }
+        if (url.pathname === "/api/remote/hosts/heartbeat" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const hostId = normalizeString(body.hostId);
+          if (!hostId) {
+            return deps.badRequest("hostId is required");
+          }
+          const existing = state.remoteHosts.get(hostId);
+          if (!existing) {
+            return deps.jsonResponse({ ok: false, error: "Remote host not registered" }, 404);
+          }
+          const acceptedAt = new Date().toISOString();
+          state.remoteHosts.set(hostId, {
+            ...existing,
+            status: normalizeString(body.status) ?? existing.status,
+            currentLeaseCount: typeof body.currentLeaseCount === "number" ? body.currentLeaseCount : Number(body.currentLeaseCount ?? existing.currentLeaseCount) || existing.currentLeaseCount,
+            lastHeartbeatAt: normalizeString(body.observedAt) ?? acceptedAt
+          });
+          deps.broadcastSnapshotInvalidation(state);
+          await deps.reconcileScheduler(state, "remote-host-heartbeat");
+          return deps.jsonResponse({
+            ok: true,
+            workspaceId: existing.workspaceId,
+            hostId,
+            acceptedAt,
+            heartbeatIntervalMs: 15000
+          });
+        }
+        if (url.pathname === "/api/remote/runs/claim" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const workspaceId = normalizeString(body.workspaceId) ?? RIG_WORKSPACE_ID;
+          const hostId = normalizeString(body.hostId);
+          if (!hostId) {
+            return deps.badRequest("hostId is required");
+          }
+          const runtimeAdapters = normalizeStringArray(body.runtimeAdapters).map((entry) => normalizeRuntimeAdapter(entry));
+          const claimed = await deps.claimRemoteRun(state, hostId, runtimeAdapters);
+          return deps.jsonResponse({
+            ok: true,
+            workspaceId,
+            hostId,
+            acceptedAt: new Date().toISOString(),
+            lease: claimed.lease,
+            bundle: claimed.bundle
+          });
+        }
+        if (url.pathname === "/api/remote/runs/start" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const runId = normalizeString(body.runId);
+          const leaseId = normalizeString(body.leaseId);
+          const hostId = normalizeString(body.hostId);
+          if (!runId || !leaseId || !hostId) {
+            return deps.badRequest("runId, leaseId, and hostId are required");
+          }
+          const leaseValidation = validateRemoteLease(deps, state, { runId, hostId, leaseId });
+          if (!leaseValidation.ok) {
+            return leaseValidation.response;
+          }
+          patchRunRecord(state.projectRoot, runId, {
+            status: "running",
+            startedAt: new Date().toISOString(),
+            hostId,
+            endpointId: leaseId
+          });
+          await deps.enqueueRunLinearEvent(state.projectRoot, {
+            type: "run.started",
+            runId,
+            taskId: leaseValidation.run.taskId ?? null,
+            timestamp: new Date().toISOString(),
+            agent: leaseValidation.run.runtimeAdapter ?? "remote",
+            summary: "Remote run accepted"
+          });
+          deps.broadcastSnapshotInvalidation(state);
+          return deps.jsonResponse({
+            ok: true,
+            workspaceId: normalizeString(body.workspaceId) ?? RIG_WORKSPACE_ID,
+            hostId,
+            runId,
+            leaseId,
+            runtimeId: `remote-${runId}`,
+            acceptedAt: new Date().toISOString()
+          });
+        }
+        if (url.pathname === "/api/remote/runs/log" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const runId = normalizeString(body.runId);
+          const leaseId = normalizeString(body.leaseId);
+          const hostId = normalizeString(body.hostId);
+          if (!runId || !leaseId || !hostId) {
+            return deps.badRequest("runId, leaseId, and hostId are required");
+          }
+          const leaseValidation = validateRemoteLease(deps, state, { runId, hostId, leaseId });
+          if (!leaseValidation.ok) {
+            return leaseValidation.response;
+          }
+          deps.appendRunLogEntryAndBroadcast(state, runId, buildRemoteRunLogEntry(body, { runId, hostId, leaseId }), "remote-run-log");
+          patchRunRecord(state.projectRoot, runId, {
+            updatedAt: new Date().toISOString(),
+            hostId,
+            endpointId: leaseId
+          });
+          return deps.jsonResponse({
+            ok: true,
+            workspaceId: normalizeString(body.workspaceId) ?? RIG_WORKSPACE_ID,
+            hostId,
+            runId,
+            leaseId,
+            acceptedAt: new Date().toISOString()
+          });
+        }
+        if (url.pathname === "/api/remote/runs/message" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const runId = normalizeString(body.runId);
+          const leaseId = normalizeString(body.leaseId);
+          const hostId = normalizeString(body.hostId);
+          const text = typeof body.text === "string" ? body.text : null;
+          if (!runId || !leaseId || !hostId || text === null) {
+            return deps.badRequest("runId, leaseId, hostId, and text are required");
+          }
+          const leaseValidation = validateRemoteLease(deps, state, { runId, hostId, leaseId });
+          if (!leaseValidation.ok) {
+            return leaseValidation.response;
+          }
+          appendRunTimelineEntry(state.projectRoot, runId, {
+            id: normalizeString(body.messageId) ?? `message:${runId}:assistant`,
+            type: "assistant_message",
+            text,
+            state: normalizeString(body.state) ?? "completed",
+            createdAt: new Date().toISOString(),
+            completedAt: normalizeString(body.state) === "streaming" ? null : new Date().toISOString()
+          });
+          patchRunRecord(state.projectRoot, runId, {
+            updatedAt: new Date().toISOString(),
+            hostId,
+            endpointId: leaseId,
+            latestMessageId: normalizeString(body.messageId)
+          });
+          deps.broadcastSnapshotInvalidation(state);
+          return deps.jsonResponse({
+            ok: true,
+            workspaceId: normalizeString(body.workspaceId) ?? RIG_WORKSPACE_ID,
+            hostId,
+            runId,
+            leaseId,
+            acceptedAt: new Date().toISOString()
+          });
+        }
+        if (url.pathname === "/api/remote/runs/artifact" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const runId = normalizeString(body.runId);
+          const leaseId = normalizeString(body.leaseId);
+          const hostId = normalizeString(body.hostId);
+          const filename = normalizeString(body.filename);
+          const contentBase64 = normalizeString(body.contentBase64);
+          if (!runId || !leaseId || !hostId || !filename || !contentBase64) {
+            return deps.badRequest("runId, leaseId, hostId, filename, and contentBase64 are required");
+          }
+          const leaseValidation = validateRemoteLease(deps, state, { runId, hostId, leaseId });
+          if (!leaseValidation.ok) {
+            return leaseValidation.response;
+          }
+          let artifactPath;
+          try {
+            artifactPath = deps.normalizeRelativePath(remoteArtifactsRoot(state.projectRoot, runId), filename);
+          } catch {
+            return deps.badRequest("Invalid artifact path");
+          }
+          mkdirSync7(dirname6(artifactPath), { recursive: true });
+          const bytes = Buffer.from(contentBase64, "base64");
+          writeFileSync7(artifactPath, bytes);
+          writeJsonFile4(`${artifactPath}.json`, {
+            workspaceId: normalizeString(body.workspaceId) ?? RIG_WORKSPACE_ID,
+            runId,
+            hostId,
+            leaseId,
+            kind: normalizeString(body.kind) ?? "artifact",
+            label: normalizeString(body.label) ?? filename,
+            filename,
+            contentType: normalizeString(body.contentType) ?? "application/octet-stream",
+            uploadedAt: new Date().toISOString()
+          });
+          deps.broadcastSnapshotInvalidation(state);
+          return deps.jsonResponse({
+            ok: true,
+            workspaceId: normalizeString(body.workspaceId) ?? RIG_WORKSPACE_ID,
+            hostId,
+            runId,
+            leaseId,
+            acceptedAt: new Date().toISOString(),
+            artifactPath
+          });
+        }
+        if (url.pathname === "/api/remote/runs/complete" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const runId = normalizeString(body.runId);
+          const leaseId = normalizeString(body.leaseId);
+          const hostId = normalizeString(body.hostId);
+          if (!runId || !leaseId || !hostId) {
+            return deps.badRequest("runId, leaseId, and hostId are required");
+          }
+          const leaseValidation = validateRemoteLease(deps, state, { runId, hostId, leaseId });
+          if (!leaseValidation.ok) {
+            return leaseValidation.response;
+          }
+          const run = leaseValidation.run;
+          const completedAt = new Date().toISOString();
+          patchRunRecord(state.projectRoot, runId, {
+            status: "completed",
+            completedAt,
+            hostId,
+            endpointId: leaseId
+          });
+          await updateRemoteRunTaskSourceLifecycle(state.projectRoot, { ...run, status: "completed", completedAt, hostId, endpointId: leaseId }, "closed", "Remote Rig task run completed and closed this task.");
+          await deps.enqueueRunLinearEvent(state.projectRoot, {
+            type: "run.completed",
+            runId,
+            taskId: run.taskId ?? null,
+            timestamp: new Date().toISOString(),
+            agent: run.runtimeAdapter ?? "remote",
+            summary: "Remote run completed"
+          });
+          deps.broadcastSnapshotInvalidation(state);
+          await deps.reconcileScheduler(state, "remote-run-completed");
+          return deps.jsonResponse({
+            ok: true,
+            workspaceId: normalizeString(body.workspaceId) ?? RIG_WORKSPACE_ID,
+            hostId,
+            runId,
+            leaseId,
+            acceptedAt: new Date().toISOString()
+          });
+        }
+        if (url.pathname === "/api/remote/runs/fail" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const runId = normalizeString(body.runId);
+          const leaseId = normalizeString(body.leaseId);
+          const hostId = normalizeString(body.hostId);
+          if (!runId || !leaseId || !hostId) {
+            return deps.badRequest("runId, leaseId, and hostId are required");
+          }
+          const leaseValidation = validateRemoteLease(deps, state, { runId, hostId, leaseId });
+          if (!leaseValidation.ok) {
+            return leaseValidation.response;
+          }
+          const run = leaseValidation.run;
+          const completedAt = new Date().toISOString();
+          const errorText = normalizeString(body.errorText);
+          patchRunRecord(state.projectRoot, runId, {
+            status: "failed",
+            completedAt,
+            hostId,
+            endpointId: leaseId,
+            errorText
+          });
+          await updateRemoteRunTaskSourceLifecycle(state.projectRoot, { ...run, status: "failed", completedAt, hostId, endpointId: leaseId, errorText }, "failed", "Remote Rig task run failed.", errorText);
+          await deps.enqueueRunLinearEvent(state.projectRoot, {
+            type: "run.failed",
+            runId,
+            taskId: run.taskId ?? null,
+            timestamp: new Date().toISOString(),
+            agent: run.runtimeAdapter ?? "remote",
+            summary: errorText ?? "Remote run failed"
+          });
+          deps.appendRunLogEntryAndBroadcast(state, runId, {
+            id: `log:${runId}:remote-fail`,
+            title: "Remote run failed",
+            detail: errorText,
+            tone: "error",
+            status: "failed",
+            createdAt: new Date().toISOString()
+          }, "remote-run-failed");
+          await deps.reconcileScheduler(state, "remote-run-failed");
+          return deps.jsonResponse({
+            ok: true,
+            workspaceId: normalizeString(body.workspaceId) ?? RIG_WORKSPACE_ID,
+            hostId,
+            runId,
+            leaseId,
+            acceptedAt: new Date().toISOString()
+          });
+        }
+        if (url.pathname === "/api/remote/runs/release" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const runId = normalizeString(body.runId);
+          const leaseId = normalizeString(body.leaseId);
+          const hostId = normalizeString(body.hostId);
+          if (!runId || !leaseId || !hostId) {
+            return deps.badRequest("runId, leaseId, and hostId are required");
+          }
+          const leaseValidation = validateRemoteLease(deps, state, { runId, hostId, leaseId });
+          if (!leaseValidation.ok) {
+            return leaseValidation.response;
+          }
+          const run = leaseValidation.run;
+          if (run.status !== "completed" && run.status !== "failed" && run.status !== "stopped") {
+            patchRunRecord(state.projectRoot, runId, {
+              status: "queued",
+              hostId: null,
+              endpointId: null
+            });
+          }
+          deps.broadcastSnapshotInvalidation(state);
+          await deps.reconcileScheduler(state, "remote-run-released");
+          return deps.jsonResponse({
+            ok: true,
+            workspaceId: normalizeString(body.workspaceId) ?? RIG_WORKSPACE_ID,
+            hostId,
+            runId,
+            leaseId,
+            acceptedAt: new Date().toISOString()
+          });
+        }
+        if (url.pathname === "/api/remote/runs/artifacts" && req.method === "GET") {
+          const runId = url.searchParams.get("runId");
+          if (!runId) {
+            return deps.badRequest("runId is required");
+          }
+          return deps.jsonResponse({
+            workspaceId: url.searchParams.get("workspaceId") ?? RIG_WORKSPACE_ID,
+            runId,
+            artifacts: deps.listRemoteRunArtifacts(state.projectRoot, runId)
+          });
+        }
+        if (url.pathname.startsWith("/api/remote/runs/artifacts/") && req.method === "GET") {
+          const [, , , , , runIdEncoded, fileNameEncoded] = url.pathname.split("/");
+          const runId = decodeURIComponent(runIdEncoded ?? "");
+          const fileName = decodeURIComponent(fileNameEncoded ?? "");
+          let artifactPath;
+          try {
+            const runsRoot = resolveAuthorityPaths(state.projectRoot).runsDir;
+            const runRoot = deps.normalizeRelativePath(runsRoot, runId);
+            const artifactsRoot = resolve11(runRoot, "remote-artifacts");
+            artifactPath = deps.normalizeRelativePath(artifactsRoot, fileName);
+          } catch {
+            return deps.badRequest("Invalid artifact path");
+          }
+          if (!existsSync8(artifactPath)) {
+            return deps.notFound();
+          }
+          return new Response(Bun.file(artifactPath));
+        }
+        const runLogsMatch = url.pathname.match(/^\/api\/runs\/([^/]+)\/logs$/);
+        if (runLogsMatch) {
+          const runId = decodeURIComponent(runLogsMatch[1]);
+          const limit = Number.parseInt(url.searchParams.get("limit") || "500", 10);
+          const cursor = normalizeString(url.searchParams.get("cursor"));
+          const page = await readRunLogsPage(state.projectRoot, runId, { limit, cursor });
+          return deps.jsonResponse(page);
+        }
+        const runSteerMatch = url.pathname.match(/^\/api\/runs\/([^/]+)\/steer$/);
+        if (runSteerMatch && req.method === "POST") {
+          const runId = decodeURIComponent(runSteerMatch[1]);
+          const body = await deps.readJsonBody(req);
+          const message = normalizeString(body.message);
+          if (!message) {
+            return deps.badRequest("message is required");
+          }
+          try {
+            const entry = queueRunSteeringMessage(state.projectRoot, runId, {
+              message,
+              actor: normalizeString(body.actor) ?? requestAuth.actor ?? "operator"
+            });
+            deps.broadcastSnapshotInvalidation(state, "run-steering-queued");
+            return deps.jsonResponse({ ok: true, runId, queued: true, message: entry });
+          } catch (error) {
+            return deps.jsonResponse({ ok: false, error: error instanceof Error ? error.message : String(error) }, 404);
+          }
+        }
+        const runSteeringAckMatch = url.pathname.match(/^\/api\/runs\/([^/]+)\/steering\/ack$/);
+        if (runSteeringAckMatch && req.method === "POST") {
+          const runId = decodeURIComponent(runSteeringAckMatch[1]);
+          const body = await deps.readJsonBody(req);
+          const ids = Array.isArray(body.ids) ? body.ids.flatMap((entry) => typeof entry === "string" ? [entry] : []) : [];
+          const delivered = markQueuedRunSteeringMessagesDelivered(state.projectRoot, runId, ids);
+          if (delivered.length > 0)
+            deps.broadcastSnapshotInvalidation(state, "run-steering-delivered");
+          return deps.jsonResponse({ ok: true, runId, delivered });
+        }
+        const runSteeringMatch = url.pathname.match(/^\/api\/runs\/([^/]+)\/steering$/);
+        if (runSteeringMatch) {
+          const runId = decodeURIComponent(runSteeringMatch[1]);
+          const messages = readQueuedRunSteeringMessages(state.projectRoot, runId).filter((entry) => !entry.delivered);
+          if (url.searchParams.get("ack") === "1" && messages.length > 0) {
+            const delivered = markQueuedRunSteeringMessagesDelivered(state.projectRoot, runId, messages.map((entry) => entry.id));
+            deps.broadcastSnapshotInvalidation(state, "run-steering-delivered");
+            return deps.jsonResponse({ ok: true, runId, messages, delivered });
+          }
+          return deps.jsonResponse({ ok: true, runId, messages });
+        }
+        const runEventMatch = url.pathname.match(/^\/api\/runs\/([^/]+)\/events$/);
+        if (runEventMatch && req.method === "POST") {
+          const runId = decodeURIComponent(runEventMatch[1]);
+          const body = await deps.readJsonBody(req);
+          try {
+            appendRunBridgeEvent(state.projectRoot, runId, body);
+            deps.broadcastSnapshotInvalidation(state, "run-bridge-event");
+            return deps.jsonResponse({ ok: true, runId });
+          } catch (error) {
+            return deps.jsonResponse({ ok: false, error: error instanceof Error ? error.message : String(error) }, 404);
+          }
+        }
+        if (url.pathname.startsWith("/api/runs/")) {
+          const runId = decodeURIComponent(url.pathname.slice("/api/runs/".length));
+          const details = readRunDetails(state.projectRoot, runId);
+          return details ? deps.jsonResponse(details) : deps.notFound();
+        }
+        if (url.pathname === "/api/inbox/approvals") {
+          return deps.jsonResponse(readApprovals(state.projectRoot, {
+            runId: url.searchParams.get("runId"),
+            taskId: url.searchParams.get("taskId")
+          }));
+        }
+        if (url.pathname === "/api/inbox/approvals/resolve" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const runId = normalizeString(body.runId);
+          const requestId = normalizeString(body.requestId);
+          const decision = normalizeString(body.decision);
+          if (!runId || !requestId || decision !== "approve" && decision !== "reject") {
+            return deps.badRequest("runId, requestId, and decision=approve|reject are required");
+          }
+          return deps.jsonResponse(resolveApproval(state.projectRoot, {
+            runId,
+            requestId,
+            decision,
+            note: normalizeString(body.note)
+          }));
+        }
+        if (url.pathname === "/api/inbox/inputs") {
+          return deps.jsonResponse(readUserInputs(state.projectRoot, {
+            runId: url.searchParams.get("runId"),
+            taskId: url.searchParams.get("taskId")
+          }));
+        }
+        if (url.pathname === "/api/inbox/inputs/respond" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const runId = normalizeString(body.runId);
+          const requestId = normalizeString(body.requestId);
+          const answers = body.answers && typeof body.answers === "object" ? Object.fromEntries(Object.entries(body.answers).flatMap(([key, value]) => typeof value === "string" ? [[key, value]] : [])) : {};
+          if (!runId || !requestId || Object.keys(answers).length === 0) {
+            return deps.badRequest("runId, requestId, and string-valued answers are required");
+          }
+          return deps.jsonResponse(respondToUserInput(state.projectRoot, { runId, requestId, answers }));
+        }
+        if (url.pathname === "/api/linear/status") {
+          return deps.jsonResponse({ removed: true, reason: "linear/beads sync removed" }, 410);
+        }
+        if (url.pathname === "/api/linear/webhook" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const eventId = normalizeString(body.id) ?? `linear-webhook-${Date.now()}`;
+          await deps.appendLinearInboxEvent(state.projectRoot, {
+            eventId,
+            source: "webhook",
+            event: body
+          });
+          return deps.jsonResponse({ ok: true, eventId });
+        }
+        if (url.pathname === "/api/artifacts/preview") {
+          const taskId = url.searchParams.get("taskId");
+          const fileName = url.searchParams.get("fileName");
+          const maxBytes = Number.parseInt(url.searchParams.get("maxBytes") || "65536", 10);
+          if (!taskId || !fileName) {
+            return deps.badRequest("taskId and fileName are required");
+          }
+          try {
+            return deps.jsonResponse(readTaskArtifactPreview2(state.projectRoot, taskId, fileName, Number.isFinite(maxBytes) ? Math.max(1, maxBytes) : 64 * 1024));
+          } catch (error) {
+            return deps.jsonResponse({ ok: false, error: error instanceof Error ? error.message : String(error) }, 404);
+          }
+        }
+        return deps.notFound();
+      })());
+    });
+  };
+}
+export {
+  createRigServerFetch
+};