@h-rig/server 0.0.6-alpha.0

package/dist/src/server-helpers/inspector-jobs.js

@@ -0,0 +1,4145 @@
+// @bun
+var __require = import.meta.require;
+
+// packages/server/src/server-helpers/inspector-jobs.ts
+import { existsSync as existsSync5, mkdirSync as mkdirSync5, readFileSync as readFileSync3, writeFileSync as writeFileSync4 } from "fs";
+import { dirname as dirname5, resolve as resolve5 } from "path";
+import { readJsonFile } from "@rig/runtime/control-plane/authority-files";
+import { resolveMonorepoRoot as resolveMonorepoRoot3 } from "@rig/runtime/control-plane/native/utils";
+import { normalizeTaskLifecycleStatus } from "@rig/runtime/control-plane/state-sync/types";
+
+// packages/server/src/inspector/agent-runtime.ts
+import { spawn } from "child_process";
+import { createHash } from "crypto";
+import { accessSync, constants, realpathSync } from "fs";
+import { createInterface } from "readline";
+
+// packages/server/src/inspector/prompt.ts
+function renderSkills(skills) {
+  return skills.map((skill) => `- ${skill.name}: ${skill.rationale}`).join(`
+`);
+}
+function stableJson(value) {
+  return JSON.stringify(value, null, 2);
+}
+function compactSnapshot(snapshot) {
+  const recentFindings = Array.isArray(snapshot.recentFindings) ? snapshot.recentFindings.filter((finding) => {
+    const kind = typeof finding.kind === "string" ? finding.kind : "";
+    const severity = typeof finding.severity === "string" ? finding.severity : "";
+    const source = typeof finding.source === "string" ? finding.source : "";
+    if (source === "inspector-agent") {
+      return false;
+    }
+    return kind !== "run.observed" || severity === "warn" || severity === "error";
+  }) : [];
+  return {
+    activeRuns: snapshot.activeRuns ?? [],
+    recentFindings,
+    followups: snapshot.followups ?? [],
+    analysisReports: snapshot.analysisReports ?? [],
+    availableTools: snapshot.availableTools ?? []
+  };
+}
+function buildInspectorBaseInstructions(options) {
+  return [
+    "You are Rig Global Inspector, the permanent supervisor for this workspace.",
+    "You operate as an out-of-band overlay around Rig execution, not inside the worker execution flow.",
+    "The lower runtime and provider layers are inspector-blind. Keep them that way.",
+    "App-server turns are transport boundaries only. They are not your operating model.",
+    "Stay broad, autonomous, and continuous in your judgment. Use turns only as a way to receive updates and emit progress.",
+    "Use full contextual judgment. There is no fixed intervention ladder.",
+    "You may patch task code or Rig itself, interrupt runs, relaunch runs, create follow-up tasks, run reviews, and improve the harness when confidence is high.",
+    "Be decisive, but stay surgical. Prefer the smallest action that materially improves the current situation.",
+    "Stay aware of all observable runs, the harness state, upstream drift tasks, and repeated failure patterns.",
+    "Document important findings and decisions through the inspector journal tools so the system retains a durable memory of what happened.",
+    "Treat TDD as the default for code and behavior changes unless a narrow recorded exception applies.",
+    "Before landing meaningful implementation work, run local review or another verification path that produces direct evidence.",
+    "When a human is not needed, do not wait. When a human is needed, create the right follow-up or journal note instead of stalling silently.",
+    "",
+    `Project root: ${options.projectRoot}`,
+    "",
+    "Required skills:",
+    renderSkills(options.requiredSkills),
+    "",
+    "Recommended skills:",
+    renderSkills(options.recommendedSkills)
+  ].join(`
+`);
+}
+function buildInspectorDeveloperInstructions(options) {
+  return [
+    "Operate pragmatically and keep momentum.",
+    "Use the native Codex capabilities and the semantic inspector tools together.",
+    "You are free to inspect, edit, test, relaunch, review, and continue as far as the current situation warrants.",
+    "Yield when you reach a useful checkpoint, need fresher external state, or detect that continued looping would be wasteful.",
+    "Prefer semantic inspector tools for journal, follow-up task, upstream-sync, review, and run-inspection operations.",
+    "Use shell, read, write, edit, and git directly when that is the fastest reliable way to diagnose or repair the system.",
+    "When you create or modify code, keep the red-green-refactor discipline visible in your reasoning and actions.",
+    "Before claiming something is fixed, verify it directly.",
+    "Spawn specialist child agents when parallel work is useful, but remain the full-context owner and take over when they are not doing the job well enough.",
+    "You are responsible both for task oversight and for Rig self-improvement when a clear win-win fix is available.",
+    "",
+    `Workspace root: ${options.projectRoot}`,
+    "",
+    "Skill catalog in scope:",
+    renderSkills([...options.requiredSkills, ...options.recommendedSkills])
+  ].join(`
+`);
+}
+function buildInspectorTurnPrompt(options) {
+  const compact = compactSnapshot(options.snapshot);
+  return [
+    "Rig inspector update.",
+    `reason: ${options.reason}`,
+    `timestamp: ${options.now}`,
+    "Review the current state and use broad judgment about whether intervention is warranted.",
+    "You may take multiple actions inside this turn if that is the most effective way to improve the situation.",
+    "Do not become noisy or repetitive when nothing material changed.",
+    "When you reach a useful checkpoint, emit one compact operator update in this form:",
+    "STATUS: <observed|acted|escalated|waiting>",
+    "NOTE: <one or two concise sentences>",
+    "Then yield so the server can deliver the next update when needed.",
+    "",
+    "Current snapshot:",
+    stableJson(compact)
+  ].join(`
+`);
+}
+
+// packages/server/src/inspector/tools.ts
+import { randomUUID as randomUUID2 } from "crypto";
+
+// packages/server/src/inspector/mission.ts
+import { randomUUID } from "crypto";
+import { appendFileSync, existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync, readdirSync, renameSync, writeFileSync as writeFileSync2 } from "fs";
+import { dirname as dirname2, join, resolve as resolve2 } from "path";
+
+// packages/server/src/bootstrap.ts
+import { existsSync, mkdirSync, unlinkSync, writeFileSync } from "fs";
+import { dirname, resolve } from "path";
+import { RIG_DEFINITION_DIRNAME, resolveMonorepoRoot } from "@rig/runtime";
+function normalizeOptionalString(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function resolveRigServerPaths(projectRoot) {
+  const taskWorkspace = normalizeOptionalString(process.env.RIG_TASK_WORKSPACE);
+  const explicitStateDir = normalizeOptionalString(process.env.RIG_STATE_DIR);
+  const explicitLogsDir = normalizeOptionalString(process.env.RIG_LOGS_DIR);
+  const explicitSessionFile = normalizeOptionalString(process.env.RIG_SESSION_FILE);
+  const hostStateRoot = resolve(projectRoot, ".rig");
+  const monorepoRoot = resolveMonorepoRoot(projectRoot);
+  const monorepoStateRoot = resolve(monorepoRoot, ".rig");
+  const stateRoot = taskWorkspace ? resolve(taskWorkspace, ".rig") : explicitStateDir ? dirname(resolve(explicitStateDir)) : explicitLogsDir ? dirname(resolve(explicitLogsDir)) : explicitSessionFile ? dirname(dirname(resolve(explicitSessionFile))) : existsSync(hostStateRoot) ? hostStateRoot : monorepoStateRoot;
+  const stateDir = explicitStateDir ? resolve(explicitStateDir) : resolve(stateRoot, "state");
+  const logsDir = explicitLogsDir ? resolve(explicitLogsDir) : resolve(stateRoot, "logs");
+  const taskConfigPath = taskWorkspace ? resolve(taskWorkspace, ".rig", "task-config.json") : existsSync(resolve(projectRoot, ".rig", "task-config.json")) ? resolve(projectRoot, ".rig", "task-config.json") : resolve(monorepoStateRoot, "task-config.json");
+  return {
+    stateRoot,
+    stateDir,
+    logsDir,
+    controlPlaneEventsFile: resolve(logsDir, "control-plane.events.jsonl"),
+    taskConfigPath,
+    notificationsFile: resolve(projectRoot, "rig", "notifications", "targets.json"),
+    keybindingsPath: resolve(projectRoot, "rig", "keybindings.json")
+  };
+}
+
+// packages/server/src/inspector/mission.ts
+function isJsonValue(value) {
+  if (value === null)
+    return true;
+  const valueType = typeof value;
+  if (valueType === "string" || valueType === "number" || valueType === "boolean") {
+    return Number.isFinite(value) || valueType !== "number";
+  }
+  if (Array.isArray(value)) {
+    return value.every(isJsonValue);
+  }
+  if (valueType === "object") {
+    for (const entry of Object.values(value)) {
+      if (!isJsonValue(entry))
+        return false;
+    }
+    return true;
+  }
+  return false;
+}
+function toJsonRecord(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return null;
+  }
+  const record = {};
+  for (const [key, entry] of Object.entries(value)) {
+    if (isJsonValue(entry)) {
+      record[key] = entry;
+    }
+  }
+  return record;
+}
+function cloneJsonRecord(value) {
+  return JSON.parse(JSON.stringify(value));
+}
+function isRecord(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function readJsonRecord(path) {
+  try {
+    const parsed = JSON.parse(readFileSync(path, "utf8"));
+    if (!isRecord(parsed)) {
+      return { ok: false, error: `Mission file ${path} does not contain an object` };
+    }
+    return { ok: true, record: parsed };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    return { ok: false, error: message };
+  }
+}
+function parseMission(record) {
+  if (typeof record.missionId !== "string")
+    return { ok: false, error: "Mission is missing missionId" };
+  if (typeof record.owner !== "string")
+    return { ok: false, error: "Mission is missing owner" };
+  if (typeof record.status !== "string")
+    return { ok: false, error: "Mission is missing status" };
+  if (!isRecord(record.sourceTask))
+    return { ok: false, error: "Mission is missing sourceTask" };
+  if (!isJsonValue(record.sourceTask))
+    return { ok: false, error: "Mission sourceTask is not JSON-safe" };
+  const pendingEffects = Array.isArray(record.pendingEffects) ? record.pendingEffects.filter(isRecord).map((entry) => entry) : [];
+  const postedResults = Array.isArray(record.postedResults) ? record.postedResults.filter(isRecord).map((entry) => entry) : [];
+  const completionProof = isRecord(record.completionProof) ? record.completionProof : null;
+  return {
+    ok: true,
+    mission: {
+      missionId: record.missionId,
+      owner: record.owner,
+      sourceTask: cloneJsonRecord(record.sourceTask),
+      status: record.status,
+      summary: typeof record.summary === "string" ? record.summary : "Inspector mission",
+      pendingEffects,
+      postedResults,
+      completionProof,
+      createdAt: typeof record.createdAt === "string" ? record.createdAt : new Date(0).toISOString(),
+      updatedAt: typeof record.updatedAt === "string" ? record.updatedAt : new Date(0).toISOString()
+    }
+  };
+}
+function sourceTaskId(sourceTask) {
+  for (const key of ["sourceTaskId", "taskId", "id"]) {
+    const value = sourceTask[key];
+    if (typeof value === "string" && value.trim().length > 0) {
+      return value;
+    }
+  }
+  return null;
+}
+function terminalStatus(status) {
+  return status === "accepted" || status === "rejected";
+}
+function latestEffectResults(mission) {
+  const latestByEffect = new Map;
+  for (const result of mission.postedResults) {
+    latestByEffect.set(result.effectId, result);
+  }
+  return [...latestByEffect.values()];
+}
+function blockingResults(mission) {
+  return latestEffectResults(mission).filter((result) => result.status !== "completed");
+}
+function pendingEffects(mission) {
+  return mission.pendingEffects.filter((effect) => effect.status === "pending");
+}
+function missionStatusAfterPost(mission) {
+  if (blockingResults(mission).length > 0)
+    return "blocked";
+  if (pendingEffects(mission).length > 0)
+    return "awaiting_effect";
+  return "open";
+}
+function missionActionDetails(mission) {
+  return {
+    missionId: mission.missionId,
+    status: mission.status,
+    sourceTaskId: sourceTaskId(mission.sourceTask)
+  };
+}
+function writeJsonFile(path, value) {
+  mkdirSync2(dirname2(path), { recursive: true });
+  const tempPath = `${path}.${process.pid}.${Date.now()}.tmp`;
+  writeFileSync2(tempPath, `${JSON.stringify(value, null, 2)}
+`, "utf8");
+  renameSync(tempPath, path);
+}
+function resolveInspectorMissionPaths(projectRoot) {
+  const inspectorDir = resolve2(resolveRigServerPaths(projectRoot).stateDir, "inspector");
+  return {
+    inspectorDir,
+    missionsDir: join(inspectorDir, "missions"),
+    journalsDir: join(inspectorDir, "mission-journals")
+  };
+}
+function createInspectorMissionController(options) {
+  const paths = resolveInspectorMissionPaths(options.projectRoot);
+  mkdirSync2(paths.missionsDir, { recursive: true });
+  mkdirSync2(paths.journalsDir, { recursive: true });
+  const now = options.now ?? (() => new Date().toISOString());
+  const nextId = options.idGenerator ?? (() => `mission:${randomUUID()}`);
+  function missionPath(missionId) {
+    return join(paths.missionsDir, `${missionId}.json`);
+  }
+  function journalPath(missionId) {
+    return join(paths.journalsDir, `${missionId}.jsonl`);
+  }
+  function appendMissionJournal(entry) {
+    mkdirSync2(paths.journalsDir, { recursive: true });
+    appendFileSync(journalPath(entry.missionId), `${JSON.stringify(entry)}
+`, "utf8");
+  }
+  function listMissionJournal(missionId) {
+    const path = journalPath(missionId);
+    if (!existsSync2(path))
+      return [];
+    return readFileSync(path, "utf8").split(`
+`).filter((line) => line.trim().length > 0).map((line) => JSON.parse(line)).filter(isRecord).map((entry) => ({
+      id: typeof entry.id === "string" ? entry.id : `journal:${randomUUID()}`,
+      missionId,
+      kind: typeof entry.kind === "string" ? entry.kind : "mission.event",
+      summary: typeof entry.summary === "string" ? entry.summary : "Mission event",
+      actor: typeof entry.actor === "string" ? entry.actor : null,
+      details: toJsonRecord(entry.details),
+      createdAt: typeof entry.createdAt === "string" ? entry.createdAt : new Date(0).toISOString()
+    }));
+  }
+  function saveMission(mission) {
+    writeJsonFile(missionPath(mission.missionId), mission);
+  }
+  function readMissionOnly(missionId) {
+    const path = missionPath(missionId);
+    if (!existsSync2(path)) {
+      return { ok: false, error: `Mission ${missionId} was not found` };
+    }
+    const read = readJsonRecord(path);
+    if (!read.ok)
+      return read;
+    return parseMission(read.record);
+  }
+  function recordDecision(mission, input) {
+    options.journal?.appendDecision({
+      id: `decision:${mission.missionId}:${input.type}:${randomUUID()}`,
+      runId: mission.missionId,
+      dedupeKey: null,
+      decisionType: input.type,
+      summary: input.summary,
+      rationale: input.rationale,
+      details: input.details ?? missionActionDetails(mission),
+      createdAt: input.at
+    });
+  }
+  function recordAction(mission, input) {
+    options.journal?.appendAction({
+      id: `action:${mission.missionId}:${input.type}:${randomUUID()}`,
+      runId: mission.missionId,
+      dedupeKey: null,
+      actionType: input.type,
+      status: input.status,
+      target: input.target ?? `mission:${mission.missionId}`,
+      input: input.input ?? missionActionDetails(mission),
+      result: input.result ?? missionActionDetails(mission),
+      startedAt: input.startedAt,
+      completedAt: input.completedAt ?? input.startedAt
+    });
+  }
+  function appendEvent(mission, input) {
+    appendMissionJournal({
+      id: `event:${mission.missionId}:${input.kind}:${randomUUID()}`,
+      missionId: mission.missionId,
+      kind: input.kind,
+      summary: input.summary,
+      actor: input.actor ?? null,
+      details: input.details ?? missionActionDetails(mission),
+      createdAt: input.at
+    });
+  }
+  return {
+    paths,
+    createMission(input) {
+      const source = cloneJsonRecord(input.sourceTask);
+      const missionId = nextId();
+      const path = missionPath(missionId);
+      if (existsSync2(path)) {
+        const existing = readMissionOnly(missionId);
+        if (!existing.ok)
+          return existing;
+        return { ok: true, mission: existing.mission, journal: listMissionJournal(missionId) };
+      }
+      const at = now();
+      const mission = {
+        missionId,
+        owner: input.owner ?? "inspector-agent",
+        sourceTask: source,
+        status: "open",
+        summary: input.summary ?? (typeof source.title === "string" ? source.title : "Inspector mission"),
+        pendingEffects: [],
+        postedResults: [],
+        completionProof: null,
+        createdAt: at,
+        updatedAt: at
+      };
+      saveMission(mission);
+      appendEvent(mission, {
+        kind: "mission.created",
+        summary: mission.summary,
+        actor: mission.owner,
+        details: { ...missionActionDetails(mission), sourceTask: source },
+        at
+      });
+      recordDecision(mission, {
+        type: "mission.create",
+        summary: mission.summary,
+        rationale: "Inspector-agent accepted agency/controller ownership for the source task contract.",
+        details: { ...missionActionDetails(mission), sourceTask: source },
+        at
+      });
+      recordAction(mission, {
+        type: "mission.create",
+        status: "completed",
+        result: missionActionDetails(mission),
+        startedAt: at
+      });
+      return { ok: true, mission, journal: listMissionJournal(missionId) };
+    },
+    listMissions() {
+      return readdirSync(paths.missionsDir).filter((entry) => entry.endsWith(".json")).map((entry) => readMissionOnly(entry.slice(0, -".json".length))).filter((entry) => entry.ok).map((entry) => entry.mission).sort((left, right) => right.updatedAt.localeCompare(left.updatedAt));
+    },
+    readMission(missionId) {
+      const read = readMissionOnly(missionId);
+      if (!read.ok)
+        return read;
+      return { ok: true, mission: read.mission, journal: listMissionJournal(missionId) };
+    },
+    requestEffect(input) {
+      const read = readMissionOnly(input.missionId);
+      if (!read.ok)
+        return read;
+      const mission = read.mission;
+      if (terminalStatus(mission.status)) {
+        return { ok: false, error: `Mission ${mission.missionId} is terminal (${mission.status})` };
+      }
+      if (mission.pendingEffects.some((effect2) => effect2.effectId === input.effectId)) {
+        return { ok: false, error: `Mission ${mission.missionId} already has effect ${input.effectId}` };
+      }
+      const at = now();
+      const effect = {
+        effectId: input.effectId ?? `effect:${randomUUID()}`,
+        kind: input.kind,
+        executor: input.executor,
+        summary: input.summary,
+        input: input.input ?? null,
+        status: "pending",
+        requestedAt: at
+      };
+      mission.pendingEffects = [...mission.pendingEffects, effect];
+      mission.status = "awaiting_effect";
+      mission.updatedAt = at;
+      saveMission(mission);
+      appendEvent(mission, {
+        kind: "mission.effect.requested",
+        summary: input.summary,
+        actor: mission.owner,
+        details: { ...missionActionDetails(mission), effectId: effect.effectId, executor: effect.executor },
+        at
+      });
+      recordAction(mission, {
+        type: "mission.effect.request",
+        status: "completed",
+        target: effect.executor,
+        input: effect.input,
+        result: { ...missionActionDetails(mission), effectId: effect.effectId },
+        startedAt: at
+      });
+      return { ok: true, mission, journal: listMissionJournal(mission.missionId) };
+    },
+    postEffectResult(input) {
+      const read = readMissionOnly(input.missionId);
+      if (!read.ok)
+        return read;
+      const mission = read.mission;
+      if (terminalStatus(mission.status)) {
+        return { ok: false, error: `Mission ${mission.missionId} is terminal (${mission.status})` };
+      }
+      const effect = mission.pendingEffects.find((entry) => entry.effectId === input.effectId);
+      if (!effect) {
+        return { ok: false, error: `Mission ${mission.missionId} has no pending effect ${input.effectId}` };
+      }
+      if (effect.status !== "pending") {
+        const latestResult = mission.postedResults.filter((entry) => entry.effectId === input.effectId).at(-1);
+        if (!latestResult || latestResult.status !== "partial") {
+          return { ok: false, error: `Effect ${input.effectId} was already posted` };
+        }
+      }
+      const at = now();
+      effect.status = "posted";
+      const result = {
+        effectId: input.effectId,
+        status: input.status,
+        summary: input.summary,
+        result: input.result ?? null,
+        postedBy: input.postedBy ?? "provider-worker",
+        postedAt: at
+      };
+      mission.postedResults = [...mission.postedResults, result];
+      mission.status = missionStatusAfterPost(mission);
+      mission.updatedAt = at;
+      saveMission(mission);
+      appendEvent(mission, {
+        kind: "mission.effect.posted",
+        summary: input.summary,
+        actor: result.postedBy,
+        details: { ...missionActionDetails(mission), effectId: input.effectId, resultStatus: input.status },
+        at
+      });
+      recordAction(mission, {
+        type: "mission.effect.post",
+        status: input.status,
+        target: input.effectId,
+        input: { effectId: input.effectId },
+        result: result.result,
+        startedAt: at
+      });
+      if (input.status !== "completed") {
+        recordDecision(mission, {
+          type: "mission.block",
+          summary: input.summary,
+          rationale: "Provider-worker effect result was not complete; proof gate remains closed.",
+          details: { ...missionActionDetails(mission), effectId: input.effectId, resultStatus: input.status },
+          at
+        });
+      }
+      return { ok: true, mission, journal: listMissionJournal(mission.missionId) };
+    },
+    acceptMission(input) {
+      const read = readMissionOnly(input.missionId);
+      if (!read.ok)
+        return read;
+      const mission = read.mission;
+      const blockers = blockingResults(mission);
+      if (blockers.length > 0) {
+        return { ok: false, error: `Mission ${mission.missionId} has blocking effect result(s)` };
+      }
+      const pending = pendingEffects(mission);
+      if (pending.length > 0) {
+        return { ok: false, error: `Mission ${mission.missionId} has pending effect(s)` };
+      }
+      if (terminalStatus(mission.status)) {
+        return { ok: false, error: `Mission ${mission.missionId} is terminal (${mission.status})` };
+      }
+      const at = now();
+      const proof = {
+        proofId: `proof:${mission.missionId}:${randomUUID()}`,
+        missionId: mission.missionId,
+        sourceTaskId: sourceTaskId(mission.sourceTask),
+        status: "accepted",
+        acceptedBy: input.acceptedBy ?? "inspector-agent",
+        summary: input.summary,
+        evidence: input.evidence ?? [],
+        effectResultIds: latestEffectResults(mission).map((result) => result.effectId),
+        sourceTask: cloneJsonRecord(mission.sourceTask),
+        emittedAt: at
+      };
+      mission.status = "accepted";
+      mission.completionProof = proof;
+      mission.updatedAt = at;
+      saveMission(mission);
+      appendEvent(mission, {
+        kind: "mission.accepted",
+        summary: input.summary,
+        actor: proof.acceptedBy,
+        details: { ...missionActionDetails(mission), proofId: proof.proofId },
+        at
+      });
+      recordDecision(mission, {
+        type: "mission.accept",
+        summary: input.summary,
+        rationale: "All requested effects were posted as complete and the PR/source-task closeout readiness is accepted.",
+        details: { ...missionActionDetails(mission), proofId: proof.proofId, evidence: proof.evidence },
+        at
+      });
+      recordAction(mission, {
+        type: "mission.accept",
+        status: "completed",
+        result: { ...missionActionDetails(mission), proofId: proof.proofId },
+        startedAt: at
+      });
+      return { ok: true, mission, journal: listMissionJournal(mission.missionId), completionProof: proof };
+    },
+    rejectMission(input) {
+      const read = readMissionOnly(input.missionId);
+      if (!read.ok)
+        return read;
+      const mission = read.mission;
+      if (terminalStatus(mission.status)) {
+        return { ok: false, error: `Mission ${mission.missionId} is terminal (${mission.status})` };
+      }
+      const at = now();
+      mission.status = "rejected";
+      mission.completionProof = null;
+      mission.updatedAt = at;
+      saveMission(mission);
+      appendEvent(mission, {
+        kind: "mission.rejected",
+        summary: input.summary,
+        actor: input.rejectedBy ?? "inspector-agent",
+        details: { ...missionActionDetails(mission), rationale: input.rationale ?? "" },
+        at
+      });
+      recordDecision(mission, {
+        type: "mission.reject",
+        summary: input.summary,
+        rationale: input.rationale ?? "Inspector rejected mission closeout.",
+        details: missionActionDetails(mission),
+        at
+      });
+      recordAction(mission, {
+        type: "mission.reject",
+        status: "completed",
+        result: missionActionDetails(mission),
+        startedAt: at
+      });
+      return { ok: true, mission, journal: listMissionJournal(mission.missionId) };
+    },
+    blockMission(input) {
+      const read = readMissionOnly(input.missionId);
+      if (!read.ok)
+        return read;
+      const mission = read.mission;
+      if (terminalStatus(mission.status)) {
+        return { ok: false, error: `Mission ${mission.missionId} is terminal (${mission.status})` };
+      }
+      const at = now();
+      mission.status = "blocked";
+      mission.updatedAt = at;
+      saveMission(mission);
+      appendEvent(mission, {
+        kind: "mission.blocked",
+        summary: input.summary,
+        actor: input.blockedBy ?? "inspector-agent",
+        details: input.details ?? missionActionDetails(mission),
+        at
+      });
+      recordDecision(mission, {
+        type: "mission.block",
+        summary: input.summary,
+        rationale: "Inspector marked mission blocked; proof gate remains closed.",
+        details: input.details ?? missionActionDetails(mission),
+        at
+      });
+      return { ok: true, mission, journal: listMissionJournal(mission.missionId) };
+    },
+    completeMission(missionId) {
+      const read = readMissionOnly(missionId);
+      if (!read.ok)
+        return read;
+      const mission = read.mission;
+      if (mission.status !== "accepted" || !mission.completionProof) {
+        return { ok: false, error: `Mission ${missionId} must be accepted before completion proof can be completed` };
+      }
+      const at = now();
+      appendEvent(mission, {
+        kind: "mission.completed",
+        summary: "Mission completion proof read",
+        actor: mission.owner,
+        details: { ...missionActionDetails(mission), proofId: mission.completionProof.proofId },
+        at
+      });
+      recordAction(mission, {
+        type: "mission.complete",
+        status: "completed",
+        result: { ...missionActionDetails(mission), proofId: mission.completionProof.proofId },
+        startedAt: at
+      });
+      return {
+        ok: true,
+        mission,
+        journal: listMissionJournal(mission.missionId),
+        completionProof: mission.completionProof
+      };
+    }
+  };
+}
+
+// packages/server/src/inspector/provider-session.ts
+function uniqueStrings(values) {
+  return [...new Set(values.filter((value) => typeof value === "string" && value.length > 0))];
+}
+function withSupport(defaultValue, support, key) {
+  return typeof support?.[key] === "boolean" ? Boolean(support[key]) : defaultValue;
+}
+function normalizeProviderSession(run) {
+  const sessionLogPaths = uniqueStrings([run.sessionLogPath]);
+  const artifactRoots = uniqueStrings([run.artifactRoot]);
+  const eventSources = uniqueStrings([run.source, ...run.rawSourceKinds, run.sessionPath ? "session-file" : null]);
+  const capabilityHints = uniqueStrings([
+    sessionLogPaths.length > 0 ? "logs" : null,
+    artifactRoots.length > 0 ? "artifacts" : null,
+    run.worktreePath ? "workspace" : null,
+    run.conflictState !== "none" ? "conflict" : null,
+    run.threadId ? "thread" : null
+  ]);
+  const observabilityConfidence = sessionLogPaths.length > 0 && artifactRoots.length > 0 && run.threadId ? "high" : sessionLogPaths.length > 0 || artifactRoots.length > 0 || Boolean(run.threadId) ? "medium" : "low";
+  return {
+    provider: run.provider,
+    runId: run.runId,
+    taskId: run.taskId,
+    workspaceId: run.workspaceId,
+    workspaceDir: run.worktreePath,
+    runtimeAdapter: run.runtimeAdapter,
+    status: run.status,
+    startedAt: run.startedAt,
+    updatedAt: run.updatedAt,
+    completedAt: run.completedAt,
+    threadId: run.threadId,
+    sessionLogPaths,
+    artifactRoots,
+    eventSources,
+    observabilityConfidence,
+    rawSourceKinds: [...run.rawSourceKinds],
+    capabilityHints
+  };
+}
+function deriveInspectorCapabilitySet(session, support = {}) {
+  return {
+    discoverRuns: withSupport(true, support, "discoverRuns"),
+    inspectRuns: withSupport(true, support, "inspectRuns"),
+    readLogs: session.sessionLogPaths.length > 0 && withSupport(true, support, "readLogs"),
+    readArtifacts: session.artifactRoots.length > 0 && withSupport(true, support, "readArtifacts"),
+    callServerApis: withSupport(true, support, "callServerApis"),
+    interruptRuns: withSupport(false, support, "interruptRuns"),
+    stopRuns: withSupport(false, support, "stopRuns"),
+    resumeRuns: withSupport(false, support, "resumeRuns"),
+    relaunchRuns: withSupport(false, support, "relaunchRuns"),
+    patchRepo: session.workspaceDir !== null && withSupport(true, support, "patchRepo"),
+    patchHarness: session.workspaceDir !== null && withSupport(true, support, "patchHarness"),
+    createTasks: withSupport(false, support, "createTasks"),
+    runReviewerAgents: withSupport(false, support, "runReviewerAgents"),
+    provisionSkills: withSupport(true, support, "provisionSkills"),
+    scanUpstream: withSupport(false, support, "scanUpstream"),
+    writeJournal: withSupport(true, support, "writeJournal"),
+    spawnSpecialists: withSupport(false, support, "spawnSpecialists")
+  };
+}
+
+// packages/server/src/inspector/review.ts
+function buildLocalReviewRequest(options) {
+  return {
+    reviewerType: "local-reviewer",
+    runId: options.runId,
+    taskId: options.taskId,
+    focus: options.focus
+  };
+}
+
+// packages/server/src/inspector/skills.ts
+var UNIVERSAL_REQUIRED_SKILLS = [
+  {
+    name: "test-driven-development",
+    rationale: "Write failing tests first for code and behavior changes unless a narrow exception is recorded."
+  }
+];
+var INSPECTOR_REQUIRED_SKILLS = [
+  {
+    name: "verification-before-completion",
+    rationale: "Do not claim completion or stability without direct verification evidence."
+  },
+  {
+    name: "no-bs",
+    rationale: "Respect the machine no-bs gates, keep evidence up to date, and do not stop early."
+  }
+];
+var UNIVERSAL_RECOMMENDED_SKILLS = [
+  {
+    name: "verification-before-completion",
+    rationale: "Gather direct evidence before claiming a repair, review result, or task completion."
+  },
+  {
+    name: "systematic-debugging",
+    rationale: "Use disciplined debugging when a run, harness path, or validator fails."
+  },
+  {
+    name: "dispatching-parallel-agents",
+    rationale: "Split independent analysis and review work when that shortens the critical path."
+  },
+  {
+    name: "subagent-driven-development",
+    rationale: "Delegate bounded work to specialist subagents while keeping one context owner."
+  },
+  {
+    name: "requesting-code-review",
+    rationale: "Run local review before landing meaningful implementation work."
+  },
+  {
+    name: "receiving-code-review",
+    rationale: "Handle review feedback rigorously instead of applying it blindly."
+  },
+  {
+    name: "using-git-worktrees",
+    rationale: "Use isolated worktrees for risky or parallel implementation branches."
+  },
+  {
+    name: "writing-plans",
+    rationale: "Plan multi-step changes explicitly when the work is broad or risky."
+  },
+  {
+    name: "executing-plans",
+    rationale: "Execute validated plans in a staged, reviewable way."
+  },
+  {
+    name: "writing-skills",
+    rationale: "Improve or add agent skills when the harness needs new reusable behavior."
+  },
+  {
+    name: "find-skills",
+    rationale: "Discover existing local skills before inventing new workflows."
+  },
+  {
+    name: "openai-docs",
+    rationale: "Use primary OpenAI documentation when the inspector needs current provider facts."
+  },
+  {
+    name: "linear",
+    rationale: "Create or update follow-up work in the task tracker when oversight detects needed action."
+  },
+  {
+    name: "playwright",
+    rationale: "Inspect browser flows directly when a run touches web behavior or UI verification."
+  },
+  {
+    name: "playwright-interactive",
+    rationale: "Keep a live browser session when iterative UI inspection is more efficient than restarts."
+  }
+];
+var INSPECTOR_ONLY_RECOMMENDED_SKILLS = [
+  {
+    name: "vercel:agent-browser",
+    rationale: "Perform high-fidelity browser inspection when a run or preview needs interactive verification."
+  },
+  {
+    name: "vercel:agent-browser-verify",
+    rationale: "Run an automated visual gut-check against dev servers and previews."
+  },
+  {
+    name: "vercel:verification",
+    rationale: "Verify end-to-end browser to API behavior when the change spans multiple surfaces."
+  },
+  {
+    name: "vercel:investigation-mode",
+    rationale: "Triages broken or stuck flows systematically when the harness or a preview misbehaves."
+  }
+];
+function uniqueSkills(skills) {
+  const seen = new Set;
+  const deduped = [];
+  for (const skill of skills) {
+    if (seen.has(skill.name)) {
+      continue;
+    }
+    seen.add(skill.name);
+    deduped.push(skill);
+  }
+  return deduped;
+}
+function buildInspectorSkillCatalog(options) {
+  const required = [...UNIVERSAL_REQUIRED_SKILLS];
+  const recommended = [...UNIVERSAL_RECOMMENDED_SKILLS];
+  if (options.role === "inspector") {
+    required.push(...INSPECTOR_REQUIRED_SKILLS);
+    recommended.push(...INSPECTOR_ONLY_RECOMMENDED_SKILLS);
+  } else if (options.role === "reviewer") {
+    recommended.push({
+      name: "receiving-code-review",
+      rationale: "Review lanes should reason about findings carefully and defensibly."
+    });
+  }
+  if (options.taskKind === "bugfix") {
+    recommended.push({
+      name: "systematic-debugging",
+      rationale: "Bugfix work should start from a disciplined failure-class analysis."
+    });
+  }
+  return {
+    required: uniqueSkills(required),
+    recommended: uniqueSkills(recommended)
+  };
+}
+function buildSkillProvisioningDecision(options) {
+  const exceptionRecorded = Boolean(options.exception);
+  const catalog = buildInspectorSkillCatalog({
+    role: options.role,
+    taskKind: options.taskKind
+  });
+  const requiredSkills = catalog.required.map((skill) => skill.name);
+  const preferredSkills = catalog.recommended.map((skill) => skill.name);
+  return {
+    role: options.role,
+    taskKind: options.taskKind,
+    requiredSkills,
+    preferredSkills,
+    tddMode: exceptionRecorded ? "exception-recorded" : "required",
+    exceptionRecorded,
+    exception: options.exception ?? null
+  };
+}
+
+// packages/server/src/inspector/tools.ts
+function toJsonRecord2(value, fallbackKey = "value") {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    if (value == null) {
+      return null;
+    }
+    return { [fallbackKey]: value };
+  }
+  return value;
+}
+function toMissionJsonRecord(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return null;
+  }
+  const parsed = JSON.parse(JSON.stringify(value));
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    return null;
+  }
+  return parsed;
+}
+function toMissionJsonRecordOrNull(value) {
+  if (value == null)
+    return null;
+  return toMissionJsonRecord(value);
+}
+function missionFailureStatus(error) {
+  if (error.includes("was not found"))
+    return "missing";
+  return "blocked";
+}
+function activeRunStatuses() {
+  return new Set(["preparing", "running", "validating", "reviewing"]);
+}
+function stableFollowupDedupeKey(originRunId, summary) {
+  return `followup:${originRunId ?? "global"}:${summary.trim().toLowerCase()}`;
+}
+var INSPECTOR_TOOL_DEFINITIONS = [
+  {
+    name: "read_inspector_snapshot",
+    description: "Read the current global inspector snapshot including active runs, recent findings, follow-ups, reports, and available semantic tools.",
+    inputSchema: {
+      type: "object",
+      properties: {},
+      additionalProperties: false
+    }
+  },
+  {
+    name: "discover_active_runs",
+    description: "List currently active Rig runs known to the inspector overlay.",
+    inputSchema: {
+      type: "object",
+      properties: {},
+      additionalProperties: false
+    }
+  },
+  {
+    name: "inspect_run",
+    description: "Inspect one run in detail, including session paths, capabilities, and recent journal observations.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        runId: { type: "string" }
+      },
+      required: ["runId"],
+      additionalProperties: false
+    }
+  },
+  {
+    name: "record_inspector_note",
+    description: "Append a durable note to the inspector journal.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        runId: { type: "string" },
+        summary: { type: "string" },
+        details: { type: "object" }
+      },
+      required: ["summary"],
+      additionalProperties: true
+    }
+  },
+  {
+    name: "list_inspector_missions",
+    description: "List durable inspector missions with status, pending effects, posted results, and completion proof state.",
+    inputSchema: {
+      type: "object",
+      properties: {},
+      additionalProperties: false
+    }
+  },
+  {
+    name: "create_inspector_mission",
+    description: "Create a durable inspector-owned mission for a source task contract. The sourceTask is preserved in the mission JSON state.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        sourceTask: { type: "object" },
+        owner: { type: "string" },
+        summary: { type: "string" }
+      },
+      required: ["sourceTask"],
+      additionalProperties: true
+    }
+  },
+  {
+    name: "read_inspector_mission",
+    description: "Read a durable inspector mission, including sourceTask, pending effects, posted results, proof, and mission journal.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        missionId: { type: "string" }
+      },
+      required: ["missionId"],
+      additionalProperties: false
+    }
+  },
+  {
+    name: "request_inspector_effect",
+    description: "Request a provider-worker effect for an inspector mission. Pending effects gate acceptance until posted.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        missionId: { type: "string" },
+        effectId: { type: "string" },
+        kind: { type: "string" },
+        executor: { type: "string" },
+        summary: { type: "string" },
+        input: { type: "object" }
+      },
+      required: ["missionId", "kind", "executor", "summary"],
+      additionalProperties: true
+    }
+  },
+  {
+    name: "post_inspector_effect_result",
+    description: "Post a provider-worker effect result. Partial, blocked, or failed results block completion proof.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        missionId: { type: "string" },
+        effectId: { type: "string" },
+        status: { type: "string", enum: ["completed", "partial", "blocked", "failed"] },
+        summary: { type: "string" },
+        result: { type: "object" },
+        postedBy: { type: "string" }
+      },
+      required: ["missionId", "effectId", "status", "summary"],
+      additionalProperties: true
+    }
+  },
+  {
+    name: "accept_inspector_mission",
+    description: "Accept a mission closeout and emit completionProof when no pending/blocking effects remain.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        missionId: { type: "string" },
+        acceptedBy: { type: "string" },
+        summary: { type: "string" },
+        evidence: { type: "array", items: { type: "string" } }
+      },
+      required: ["missionId", "summary"],
+      additionalProperties: true
+    }
+  },
+  {
+    name: "reject_inspector_mission",
+    description: "Reject a mission closeout without emitting completionProof.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        missionId: { type: "string" },
+        rejectedBy: { type: "string" },
+        summary: { type: "string" },
+        rationale: { type: "string" }
+      },
+      required: ["missionId", "summary"],
+      additionalProperties: true
+    }
+  },
+  {
+    name: "block_inspector_mission",
+    description: "Mark a mission blocked without emitting completionProof.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        missionId: { type: "string" },
+        blockedBy: { type: "string" },
+        summary: { type: "string" },
+        details: { type: "object" }
+      },
+      required: ["missionId", "summary"],
+      additionalProperties: true
+    }
+  },
+  {
+    name: "complete_inspector_mission",
+    description: "Return the accepted mission completionProof. This fails until the mission has been accepted.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        missionId: { type: "string" }
+      },
+      required: ["missionId"],
+      additionalProperties: false
+    }
+  },
+  {
+    name: "create_followup_task",
+    description: "Create or dedupe a structured follow-up task for work the inspector discovered.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        originRunId: { type: "string" },
+        summary: { type: "string" },
+        dedupeKey: { type: "string" },
+        details: { type: "object" }
+      },
+      required: ["summary"],
+      additionalProperties: true
+    }
+  },
+  {
+    name: "provision_skill",
+    description: "Return the role-aware Rig skill set that should be in force for an agent or specialist lane.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        runId: { type: "string" },
+        role: { type: "string" },
+        taskKind: { type: "string" },
+        exception: { type: "object" }
+      },
+      additionalProperties: true
+    }
+  },
+  {
+    name: "run_local_review",
+    description: "Run the local Rig reviewer/validator flow for a task.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        runId: { type: "string" },
+        taskId: { type: "string" },
+        focus: { type: "array", items: { type: "string" } }
+      },
+      required: ["taskId"],
+      additionalProperties: false
+    }
+  },
+  {
+    name: "scan_upstream_drift",
+    description: "Run the separate upstream-sync workflow and create follow-up tasks for needed ports.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        scanId: { type: "string" }
+      },
+      additionalProperties: true
+    }
+  },
+  {
+    name: "generate_analysis_report",
+    description: "Generate an inspector analysis report from journaled run and oversight data.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        reportId: { type: "string" },
+        reportType: { type: "string" },
+        runId: { type: "string" }
+      },
+      additionalProperties: true
+    }
+  }
+];
+function createInspectorToolRegistry(options) {
+  const now = options.now ?? (() => new Date().toISOString());
+  const missionController = options.projectRoot ? createInspectorMissionController({
+    projectRoot: options.projectRoot,
+    journal: options.journal,
+    now,
+    idGenerator: options.missionIdGenerator
+  }) : null;
+  const descriptors = {
+    read_inspector_snapshot: {
+      enabled: Boolean(options.snapshotReader),
+      async handler() {
+        if (!options.snapshotReader) {
+          return {
+            status: "unavailable",
+            summary: "read_inspector_snapshot is not configured",
+            details: null
+          };
+        }
+        const snapshot = options.snapshotReader();
+        return {
+          status: "completed",
+          summary: "Read current inspector snapshot",
+          details: snapshot
+        };
+      }
+    },
+    discover_active_runs: {
+      enabled: true,
+      async handler() {
+        const runs = options.discoverRuns().filter((run) => activeRunStatuses().has(run.status));
+        return {
+          status: "completed",
+          summary: `Discovered ${runs.length} active run(s)`,
+          details: runs
+        };
+      }
+    },
+    inspect_run: {
+      enabled: true,
+      async handler(input) {
+        const runId = typeof input.runId === "string" ? input.runId : "";
+        const run = options.discoverRuns().find((entry) => entry.runId === runId) ?? null;
+        if (!run) {
+          return {
+            status: "missing",
+            summary: `Run ${runId} was not found`,
+            details: null
+          };
+        }
+        const session = normalizeProviderSession(run);
+        const findings = options.journal.listRecentFindings({ limit: 50 }).filter((entry) => entry.runId === runId);
+        return {
+          status: "completed",
+          summary: `Inspected run ${runId}`,
+          details: {
+            run,
+            session,
+            capabilities: deriveInspectorCapabilitySet(session, options.capabilitySupport),
+            observations: findings,
+            paths: {
+              workspaceDir: run.worktreePath,
+              artifactRoot: run.artifactRoot,
+              logRoot: run.logRoot,
+              sessionPath: run.sessionPath,
+              sessionLogPath: run.sessionLogPath
+            }
+          }
+        };
+      }
+    },
+    record_inspector_note: {
+      enabled: true,
+      async handler(input) {
+        const runId = typeof input.runId === "string" ? input.runId : null;
+        const summary = typeof input.summary === "string" ? input.summary : "Inspector note";
+        const details = toJsonRecord2(input.details);
+        const result = options.journal.appendObservation({
+          id: `note:${runId ?? "global"}:${randomUUID2()}`,
+          runId,
+          dedupeKey: null,
+          kind: "inspector.note",
+          severity: "info",
+          source: "inspector",
+          summary,
+          details,
+          createdAt: now()
+        });
+        return {
+          status: result.ok ? "completed" : "failed",
+          summary,
+          details: result.ok ? result.record : { error: result.error }
+        };
+      }
+    },
+    list_inspector_missions: {
+      enabled: Boolean(missionController),
+      async handler() {
+        if (!missionController) {
+          return { status: "unavailable", summary: "mission storage is not configured", details: null };
+        }
+        const missions = missionController.listMissions();
+        return {
+          status: "completed",
+          summary: `Listed ${missions.length} inspector mission(s)`,
+          details: { missions }
+        };
+      }
+    },
+    create_inspector_mission: {
+      enabled: Boolean(missionController),
+      async handler(input) {
+        if (!missionController) {
+          return { status: "unavailable", summary: "mission storage is not configured", details: null };
+        }
+        const sourceTask = toMissionJsonRecord(input.sourceTask);
+        if (!sourceTask) {
+          return { status: "failed", summary: "sourceTask must be a JSON object", details: null };
+        }
+        const result = missionController.createMission({
+          sourceTask,
+          owner: typeof input.owner === "string" ? input.owner : undefined,
+          summary: typeof input.summary === "string" ? input.summary : undefined
+        });
+        if (!result.ok) {
+          return { status: missionFailureStatus(result.error), summary: result.error, details: null };
+        }
+        return {
+          status: "completed",
+          summary: `Created inspector mission ${result.mission.missionId}`,
+          details: { ...result.mission, journal: result.journal }
+        };
+      }
+    },
+    read_inspector_mission: {
+      enabled: Boolean(missionController),
+      async handler(input) {
+        if (!missionController) {
+          return { status: "unavailable", summary: "mission storage is not configured", details: null };
+        }
+        const missionId = typeof input.missionId === "string" ? input.missionId : "";
+        const result = missionController.readMission(missionId);
+        if (!result.ok) {
+          return { status: missionFailureStatus(result.error), summary: result.error, details: null };
+        }
+        return {
+          status: "completed",
+          summary: `Read inspector mission ${missionId}`,
+          details: { ...result.mission, journal: result.journal }
+        };
+      }
+    },
+    request_inspector_effect: {
+      enabled: Boolean(missionController),
+      async handler(input) {
+        if (!missionController) {
+          return { status: "unavailable", summary: "mission storage is not configured", details: null };
+        }
+        const missionId = typeof input.missionId === "string" ? input.missionId : "";
+        const kind = typeof input.kind === "string" ? input.kind : "provider_worker";
+        const executor = typeof input.executor === "string" ? input.executor : "worker";
+        const summary = typeof input.summary === "string" ? input.summary : "Inspector effect requested";
+        const result = missionController.requestEffect({
+          missionId,
+          effectId: typeof input.effectId === "string" ? input.effectId : undefined,
+          kind,
+          executor,
+          summary,
+          input: toMissionJsonRecordOrNull(input.input)
+        });
+        if (!result.ok) {
+          return { status: missionFailureStatus(result.error), summary: result.error, details: null };
+        }
+        return {
+          status: "completed",
+          summary,
+          details: { ...result.mission, journal: result.journal }
+        };
+      }
+    },
+    post_inspector_effect_result: {
+      enabled: Boolean(missionController),
+      async handler(input) {
+        if (!missionController) {
+          return { status: "unavailable", summary: "mission storage is not configured", details: null };
+        }
+        const status = typeof input.status === "string" ? input.status : "failed";
+        if (!["completed", "partial", "blocked", "failed"].includes(status)) {
+          return { status: "failed", summary: `Unsupported effect result status: ${status}`, details: null };
+        }
+        const result = missionController.postEffectResult({
+          missionId: typeof input.missionId === "string" ? input.missionId : "",
+          effectId: typeof input.effectId === "string" ? input.effectId : "",
+          status,
+          summary: typeof input.summary === "string" ? input.summary : "Inspector effect result posted",
+          result: toMissionJsonRecordOrNull(input.result),
+          postedBy: typeof input.postedBy === "string" ? input.postedBy : undefined
+        });
+        if (!result.ok) {
+          return { status: missionFailureStatus(result.error), summary: result.error, details: null };
+        }
+        return {
+          status: result.mission.status === "blocked" ? "blocked" : "completed",
+          summary: typeof input.summary === "string" ? input.summary : "Inspector effect result posted",
+          details: { ...result.mission, journal: result.journal }
+        };
+      }
+    },
+    accept_inspector_mission: {
+      enabled: Boolean(missionController),
+      async handler(input) {
+        if (!missionController) {
+          return { status: "unavailable", summary: "mission storage is not configured", details: null };
+        }
+        const result = missionController.acceptMission({
+          missionId: typeof input.missionId === "string" ? input.missionId : "",
+          acceptedBy: typeof input.acceptedBy === "string" ? input.acceptedBy : undefined,
+          summary: typeof input.summary === "string" ? input.summary : "Inspector mission accepted",
+          evidence: Array.isArray(input.evidence) ? input.evidence.filter((entry) => typeof entry === "string") : undefined
+        });
+        if (!result.ok) {
+          return { status: missionFailureStatus(result.error), summary: result.error, details: null };
+        }
+        return {
+          status: "completed",
+          summary: result.completionProof.summary,
+          details: { ...result.mission, journal: result.journal, completionProof: result.completionProof }
+        };
+      }
+    },
+    reject_inspector_mission: {
+      enabled: Boolean(missionController),
+      async handler(input) {
+        if (!missionController) {
+          return { status: "unavailable", summary: "mission storage is not configured", details: null };
+        }
+        const result = missionController.rejectMission({
+          missionId: typeof input.missionId === "string" ? input.missionId : "",
+          rejectedBy: typeof input.rejectedBy === "string" ? input.rejectedBy : undefined,
+          summary: typeof input.summary === "string" ? input.summary : "Inspector mission rejected",
+          rationale: typeof input.rationale === "string" ? input.rationale : undefined
+        });
+        if (!result.ok) {
+          return { status: missionFailureStatus(result.error), summary: result.error, details: null };
+        }
+        return {
+          status: "completed",
+          summary: result.mission.summary,
+          details: { ...result.mission, journal: result.journal }
+        };
+      }
+    },
+    block_inspector_mission: {
+      enabled: Boolean(missionController),
+      async handler(input) {
+        if (!missionController) {
+          return { status: "unavailable", summary: "mission storage is not configured", details: null };
+        }
+        const result = missionController.blockMission({
+          missionId: typeof input.missionId === "string" ? input.missionId : "",
+          blockedBy: typeof input.blockedBy === "string" ? input.blockedBy : undefined,
+          summary: typeof input.summary === "string" ? input.summary : "Inspector mission blocked",
+          details: toMissionJsonRecordOrNull(input.details)
+        });
+        if (!result.ok) {
+          return { status: missionFailureStatus(result.error), summary: result.error, details: null };
+        }
+        return {
+          status: "blocked",
+          summary: result.mission.summary,
+          details: { ...result.mission, journal: result.journal }
+        };
+      }
+    },
+    complete_inspector_mission: {
+      enabled: Boolean(missionController),
+      async handler(input) {
+        if (!missionController) {
+          return { status: "unavailable", summary: "mission storage is not configured", details: null };
+        }
+        const missionId = typeof input.missionId === "string" ? input.missionId : "";
+        const result = missionController.completeMission(missionId);
+        if (!result.ok) {
+          return { status: missionFailureStatus(result.error), summary: result.error, details: null };
+        }
+        return {
+          status: "completed",
+          summary: `Completed inspector mission ${missionId}`,
+          details: { ...result.mission, journal: result.journal, completionProof: result.completionProof }
+        };
+      }
+    },
+    create_followup_task: {
+      enabled: true,
+      async handler(input) {
+        const originRunId = typeof input.originRunId === "string" ? input.originRunId : null;
+        const summary = typeof input.summary === "string" ? input.summary : "Inspector follow-up";
+        const details = toJsonRecord2(input.details);
+        const dedupeKey = typeof input.dedupeKey === "string" && input.dedupeKey.trim().length > 0 ? input.dedupeKey.trim() : stableFollowupDedupeKey(originRunId, summary);
+        const createdAt = now();
+        const record = {
+          id: `followup:${randomUUID2()}`,
+          originRunId,
+          dedupeKey,
+          taskId: null,
+          kind: "followup-task",
+          status: "proposed",
+          summary,
+          details,
+          createdAt
+        };
+        const result = options.journal.appendFollowup(record);
+        let createdTask = null;
+        if (result.ok && result.changed && options.followupTaskRunner) {
+          createdTask = await options.followupTaskRunner({
+            ...input,
+            summary,
+            originRunId,
+            dedupeKey
+          });
+          const taskDetails = toJsonRecord2(createdTask.details);
+          const taskId = typeof taskDetails?.taskId === "string" ? taskDetails.taskId : null;
+          if (taskId) {
+            options.journal.attachFollowupTask({
+              dedupeKey,
+              taskId,
+              status: "created",
+              details: taskDetails
+            });
+          }
+        }
+        options.journal.appendAction({
+          id: `action:followup:${randomUUID2()}`,
+          runId: originRunId,
+          dedupeKey: null,
+          actionType: "create_followup_task",
+          status: createdTask?.status ?? (result.ok ? "completed" : "failed"),
+          target: originRunId ? `run:${originRunId}` : "global",
+          input: {
+            summary,
+            dedupeKey
+          },
+          result: toJsonRecord2(createdTask?.details ?? record),
+          startedAt: createdAt,
+          completedAt: now()
+        });
+        return {
+          status: createdTask?.status ?? (result.ok ? "completed" : "failed"),
+          summary,
+          details: {
+            followup: result.ok ? record : { error: result.error },
+            createdTask: createdTask?.details ?? null
+          }
+        };
+      }
+    },
+    provision_skill: {
+      enabled: true,
+      async handler(input) {
+        const role = typeof input.role === "string" ? input.role : "worker";
+        const taskKind = typeof input.taskKind === "string" ? input.taskKind : "code-change";
+        const exception = input.exception && typeof input.exception === "object" ? input.exception : null;
+        const decision = buildSkillProvisioningDecision({
+          role,
+          taskKind,
+          exception: exception && typeof exception.reason === "string" && typeof exception.category === "string" ? { reason: exception.reason, category: exception.category } : undefined
+        });
+        const createdAt = now();
+        options.journal.appendDecision({
+          id: `decision:skills:${randomUUID2()}`,
+          runId: typeof input.runId === "string" ? input.runId : null,
+          dedupeKey: null,
+          decisionType: "skill-provisioning",
+          summary: `Provisioned skills for ${role}`,
+          rationale: "Inspector provisions role-aware skills before execution or review.",
+          details: decision,
+          createdAt
+        });
+        options.journal.appendAction({
+          id: `action:skills:${randomUUID2()}`,
+          runId: typeof input.runId === "string" ? input.runId : null,
+          dedupeKey: null,
+          actionType: "provision_skill",
+          status: "completed",
+          target: role,
+          input: { role, taskKind },
+          result: decision,
+          startedAt: createdAt,
+          completedAt: createdAt
+        });
+        return {
+          status: "completed",
+          summary: `Provisioned skills for ${role}`,
+          details: decision
+        };
+      }
+    },
+    run_local_review: {
+      enabled: Boolean(options.reviewRunner),
+      async handler(input) {
+        if (!options.reviewRunner) {
+          return {
+            status: "unavailable",
+            summary: "run_local_review is not configured",
+            details: null
+          };
+        }
+        const request = buildLocalReviewRequest({
+          runId: typeof input.runId === "string" ? input.runId : "",
+          taskId: typeof input.taskId === "string" ? input.taskId : null,
+          focus: Array.isArray(input.focus) ? input.focus.filter((entry) => typeof entry === "string") : []
+        });
+        const startedAt = now();
+        const result = await options.reviewRunner(request);
+        options.journal.appendReview({
+          id: `review:${request.runId || "global"}:${randomUUID2()}`,
+          runId: request.runId || null,
+          dedupeKey: null,
+          reviewerType: request.reviewerType,
+          status: result.status,
+          findings: {
+            summary: result.summary,
+            details: toJsonRecord2(result.details)
+          },
+          createdAt: startedAt
+        });
+        options.journal.appendAction({
+          id: `action:review:${randomUUID2()}`,
+          runId: request.runId || null,
+          dedupeKey: null,
+          actionType: "run_local_review",
+          status: result.status,
+          target: request.taskId ?? request.runId,
+          input: request,
+          result: {
+            summary: result.summary,
+            details: toJsonRecord2(result.details)
+          },
+          startedAt,
+          completedAt: now()
+        });
+        return result;
+      }
+    },
+    scan_upstream_drift: {
+      enabled: Boolean(options.upstreamScanRunner),
+      async handler(input) {
+        if (!options.upstreamScanRunner) {
+          return {
+            status: "unavailable",
+            summary: "scan_upstream_drift is not configured",
+            details: null
+          };
+        }
+        const startedAt = now();
+        const result = await options.upstreamScanRunner(input);
+        options.journal.appendAction({
+          id: `action:upstream:${randomUUID2()}`,
+          runId: typeof input.runId === "string" ? input.runId : null,
+          dedupeKey: null,
+          actionType: "scan_upstream_drift",
+          status: result.status,
+          target: "workspace",
+          input: toJsonRecord2(input),
+          result: {
+            summary: result.summary,
+            details: toJsonRecord2(result.details)
+          },
+          startedAt,
+          completedAt: now()
+        });
+        return result;
+      }
+    },
+    generate_analysis_report: {
+      enabled: Boolean(options.analysisRunner),
+      async handler(input) {
+        if (!options.analysisRunner) {
+          return {
+            status: "unavailable",
+            summary: "generate_analysis_report is not configured",
+            details: null
+          };
+        }
+        const startedAt = now();
+        const result = await options.analysisRunner(input);
+        options.journal.appendAction({
+          id: `action:analysis:${randomUUID2()}`,
+          runId: typeof input.runId === "string" ? input.runId : null,
+          dedupeKey: null,
+          actionType: "generate_analysis_report",
+          status: result.status,
+          target: typeof input.reportType === "string" ? input.reportType : "default",
+          input: toJsonRecord2(input),
+          result: {
+            summary: result.summary,
+            details: toJsonRecord2(result.details)
+          },
+          startedAt,
+          completedAt: now()
+        });
+        return result;
+      }
+    }
+  };
+  return {
+    list() {
+      return Object.entries(descriptors).filter(([, descriptor]) => descriptor.enabled).map(([name]) => name).sort();
+    },
+    async invoke(name, input) {
+      const descriptor = descriptors[name];
+      if (!descriptor) {
+        return {
+          status: "missing",
+          summary: `Unknown inspector tool: ${name}`,
+          details: null
+        };
+      }
+      if (!descriptor.enabled) {
+        return {
+          status: "unavailable",
+          summary: `${name} is not configured`,
+          details: null
+        };
+      }
+      return descriptor.handler(input);
+    }
+  };
+}
+
+// packages/server/src/inspector/agent-runtime.ts
+var DEFAULT_CLIENT_INFO = {
+  name: "rig_global_inspector",
+  title: "Rig Global Inspector",
+  version: "0.1.0"
+};
+function createInspectorAgentRuntime(options) {
+  const now = options.now ?? (() => new Date().toISOString());
+  const pollMs = Math.max(100, options.pollMs ?? 2000);
+  const startTimeoutMs = Math.max(1000, options.startTimeoutMs ?? 20000);
+  const model = options.model ?? process.env.RIG_INSPECTOR_MODEL ?? null;
+  const skills = [...options.requiredSkills, ...options.recommendedSkills];
+  const transport = options.transportFactory?.() ?? createCodexInspectorTransport({
+    model
+  });
+  const baseInstructions = buildInspectorBaseInstructions({
+    projectRoot: options.projectRoot,
+    requiredSkills: options.requiredSkills,
+    recommendedSkills: options.recommendedSkills
+  });
+  const developerInstructions = buildInspectorDeveloperInstructions({
+    projectRoot: options.projectRoot,
+    requiredSkills: options.requiredSkills,
+    recommendedSkills: options.recommendedSkills
+  });
+  let pollTimer = null;
+  let status = "stopped";
+  let threadId = null;
+  let processId = null;
+  let lastFingerprint = null;
+  let lastPromptAt = null;
+  let lastTurnCompletedAt = null;
+  let lastAssistantMessage = null;
+  let lastError = null;
+  let inFlight = null;
+  let pendingTurn = null;
+  const dispatchPrompt = async (turn) => {
+    status = "running";
+    lastPromptAt = now();
+    try {
+      const result = await transport.sendTurn(turn.prompt);
+      lastAssistantMessage = result.assistantMessage;
+      lastTurnCompletedAt = now();
+      lastError = result.error;
+      lastFingerprint = turn.fingerprint;
+      status = result.status === "completed" ? "idle" : "errored";
+      if (options.journal) {
+        if (result.assistantMessage) {
+          options.journal.appendObservation({
+            id: `inspector-agent-message:${Date.now()}`,
+            runId: null,
+            dedupeKey: null,
+            kind: "agent.message",
+            severity: "info",
+            source: "inspector-agent",
+            summary: result.assistantMessage.split(`
+`)[0].slice(0, 240),
+            details: {
+              status: result.status,
+              message: result.assistantMessage
+            },
+            createdAt: now()
+          });
+        }
+        if (result.error) {
+          options.journal.appendObservation({
+            id: `inspector-agent-error:${Date.now()}`,
+            runId: null,
+            dedupeKey: null,
+            kind: "agent.error",
+            severity: "warn",
+            source: "inspector-agent",
+            summary: result.error,
+            details: {
+              status: result.status
+            },
+            createdAt: now()
+          });
+        }
+      }
+    } catch (error) {
+      lastError = error instanceof Error ? error.message : String(error);
+      status = "errored";
+      if (options.journal) {
+        options.journal.appendObservation({
+          id: `inspector-agent-crash:${Date.now()}`,
+          runId: null,
+          dedupeKey: null,
+          kind: "agent.error",
+          severity: "warn",
+          source: "inspector-agent",
+          summary: lastError,
+          details: null,
+          createdAt: now()
+        });
+      }
+    } finally {
+      inFlight = null;
+      if (pendingTurn) {
+        const next = pendingTurn;
+        pendingTurn = null;
+        if (next.fingerprint === lastFingerprint) {
+          return;
+        }
+        inFlight = dispatchPrompt(next);
+        await inFlight;
+      }
+    }
+  };
+  const queuePrompt = async (turn) => {
+    if (inFlight) {
+      pendingTurn = turn;
+      return false;
+    }
+    inFlight = dispatchPrompt(turn);
+    await inFlight;
+    return true;
+  };
+  const tickNow = async (reason) => {
+    if (status === "stopped" || status === "starting") {
+      return false;
+    }
+    const snapshot = options.snapshotProvider();
+    const prompt = buildInspectorTurnPrompt({
+      reason,
+      snapshot,
+      now: now()
+    });
+    const fingerprint = hashSnapshot(snapshot);
+    if (reason !== "startup" && fingerprint === lastFingerprint) {
+      return false;
+    }
+    return queuePrompt({
+      fingerprint,
+      prompt
+    });
+  };
+  return {
+    async start() {
+      if (status === "starting" || status === "idle" || status === "running") {
+        return false;
+      }
+      if (status === "errored") {
+        await transport.stop().catch(() => {});
+        threadId = null;
+        processId = null;
+      }
+      status = "starting";
+      try {
+        const started = await withTimeout(transport.startSession({
+          projectRoot: options.projectRoot,
+          model,
+          baseInstructions,
+          developerInstructions,
+          dynamicTools: INSPECTOR_TOOL_DEFINITIONS,
+          invokeDynamicTool: options.invokeDynamicTool
+        }), startTimeoutMs, `Inspector agent start timed out after ${startTimeoutMs}ms`);
+        threadId = started.threadId;
+        processId = started.processId;
+        status = "idle";
+        pollTimer = setInterval(() => {
+          tickNow("poll").catch((error) => {
+            lastError = error instanceof Error ? error.message : String(error);
+            status = "errored";
+          });
+        }, pollMs);
+        await tickNow("startup");
+        return true;
+      } catch (error) {
+        lastError = error instanceof Error ? error.message : String(error);
+        status = "errored";
+        throw error;
+      }
+    },
+    async stop() {
+      if (pollTimer) {
+        clearInterval(pollTimer);
+      }
+      pollTimer = null;
+      pendingTurn = null;
+      await transport.stop();
+      status = "stopped";
+      threadId = null;
+      processId = null;
+    },
+    isRunning() {
+      return status !== "stopped";
+    },
+    tickNow,
+    snapshot() {
+      return {
+        ...transport.snapshot(),
+        status,
+        threadId,
+        processId,
+        queueDepth: pendingTurn ? 1 : 0,
+        lastFingerprint,
+        lastPromptAt,
+        lastTurnCompletedAt,
+        lastAssistantMessage,
+        lastError,
+        model,
+        skills
+      };
+    }
+  };
+}
+function hashPrompt(prompt) {
+  return createHash("sha1").update(prompt).digest("hex");
+}
+function hashSnapshot(snapshot) {
+  const compact = {
+    activeRuns: snapshot.activeRuns ?? [],
+    recentFindings: (snapshot.recentFindings ?? []).filter((finding) => {
+      const kind = typeof finding.kind === "string" ? finding.kind : "";
+      const severity = typeof finding.severity === "string" ? finding.severity : "";
+      const source = typeof finding.source === "string" ? finding.source : "";
+      if (source === "inspector-agent") {
+        return false;
+      }
+      return kind !== "run.observed" || severity === "warn" || severity === "error";
+    }),
+    followups: snapshot.followups ?? [],
+    analysisReports: snapshot.analysisReports ?? [],
+    availableTools: snapshot.availableTools ?? []
+  };
+  return hashPrompt(JSON.stringify(compact));
+}
+function createCodexInspectorTransport(options) {
+  const turnTimeoutMs = Math.max(5000, options.turnTimeoutMs ?? 45000);
+  let child = null;
+  let threadId = null;
+  let processId = null;
+  let status = "stopped";
+  let lastAssistantMessage = null;
+  let lastError = null;
+  const pendingResponses = new Map;
+  const assistantMessageText = new Map;
+  const inFlightToolCalls = new Set;
+  const recentProtocolEvents = [];
+  let nextRequestId = 1;
+  let sendQueue = Promise.resolve();
+  let currentTurn = null;
+  let invokeDynamicTool = null;
+  const rememberProtocolEvent = (event) => {
+    recentProtocolEvents.push(event);
+    if (recentProtocolEvents.length > 25) {
+      recentProtocolEvents.splice(0, recentProtocolEvents.length - 25);
+    }
+  };
+  const sendMessage = async (payload) => {
+    if (!child) {
+      throw new Error("Inspector agent session is not started.");
+    }
+    const activeChild = child;
+    if (activeChild.stdin.destroyed || !activeChild.stdin.writable) {
+      throw new Error(lastError ?? "Inspector agent transport is not writable.");
+    }
+    rememberProtocolEvent({
+      at: new Date().toISOString(),
+      direction: "send",
+      kind: payload.method ? "request" : "response",
+      method: typeof payload.method === "string" ? payload.method : `response:${String(payload.id ?? "unknown")}`
+    });
+    const line = `${JSON.stringify(payload)}
+`;
+    sendQueue = sendQueue.then(() => writeChildLine(activeChild, line));
+    await sendQueue;
+  };
+  const sendRequest = async (method, params) => {
+    const id = nextRequestId;
+    nextRequestId += 1;
+    const response = new Promise((resolve3, reject) => {
+      pendingResponses.set(id, { resolve: resolve3, reject });
+    });
+    response.catch(() => {});
+    try {
+      await sendMessage({ id, method, params });
+    } catch (error) {
+      pendingResponses.delete(id);
+      throw error;
+    }
+    return response;
+  };
+  const sendResponse = async (id, result) => {
+    await sendMessage({ id, result });
+  };
+  const sendError = async (id, message) => {
+    await sendMessage({
+      id,
+      error: {
+        code: -32603,
+        message
+      }
+    });
+  };
+  const trackToolCall = (call) => {
+    inFlightToolCalls.add(call);
+    call.finally(() => inFlightToolCalls.delete(call)).catch((err) => {
+      console.warn("[inspector/agent-runtime] in-flight tool call failure:", err);
+    });
+  };
+  const handleServerRequest = (message) => {
+    const method = message.method;
+    const requestId = message.id;
+    if (!method || requestId === undefined) {
+      return;
+    }
+    if (method === "item/tool/call") {
+      const params = message.params ?? {};
+      const toolName = normalizeString(params.tool);
+      const toolArgs = asRecord(params.arguments) ?? {};
+      const toolCall = (async () => {
+        if (!toolName || !invokeDynamicTool) {
+          rememberProtocolEvent({
+            at: new Date().toISOString(),
+            direction: "recv",
+            kind: "request",
+            method: "item/tool/call:malformed"
+          });
+          await sendError(requestId, "Malformed inspector dynamic tool call.");
+          return;
+        }
+        try {
+          const invocation = await invokeDynamicTool(toolName, toolArgs);
+          await sendResponse(requestId, {
+            contentItems: [
+              {
+                type: "inputText",
+                text: typeof invocation.details === "string" ? invocation.details : JSON.stringify({
+                  status: invocation.status,
+                  summary: invocation.summary,
+                  details: invocation.details
+                }, null, 2)
+              }
+            ],
+            success: invocation.status !== "failed" && invocation.status !== "missing"
+          });
+        } catch (error) {
+          const messageText = error instanceof Error ? error.message : String(error);
+          await sendResponse(requestId, {
+            contentItems: [{ type: "inputText", text: messageText }],
+            success: false
+          });
+        }
+      })();
+      trackToolCall(toolCall);
+      return;
+    }
+    if (method === "item/commandExecution/requestApproval" || method === "item/fileChange/requestApproval") {
+      trackToolCall(sendResponse(requestId, { decision: "approved_for_session" }));
+      return;
+    }
+    if (method === "item/permissions/requestApproval") {
+      trackToolCall(sendResponse(requestId, {
+        permissions: asRecord(message.params)?.permissions ?? {},
+        scope: "session"
+      }));
+      return;
+    }
+    if (method === "item/tool/requestUserInput") {
+      trackToolCall(sendResponse(requestId, { answers: {} }));
+      return;
+    }
+    if (method === "mcpServer/elicitation/request") {
+      trackToolCall(sendResponse(requestId, { action: "decline" }));
+      return;
+    }
+    if (method === "applyPatchApproval" || method === "execCommandApproval") {
+      trackToolCall(sendResponse(requestId, { decision: "approved_for_session" }));
+      return;
+    }
+    trackToolCall(sendError(requestId, `Unsupported inspector app-server request: ${method}`));
+  };
+  const handleNotification = (message) => {
+    const method = message.method;
+    const params = message.params ?? {};
+    if (!method) {
+      return;
+    }
+    if (method === "thread/started") {
+      const thread = asRecord(params.thread);
+      threadId = normalizeString(thread?.id);
+      status = "idle";
+      return;
+    }
+    if (method === "turn/started") {
+      status = "running";
+      currentTurn?.events.push({ method, params });
+      return;
+    }
+    if (method === "item/agentMessage/delta") {
+      const itemId = normalizeString(params.itemId);
+      const delta = typeof params.delta === "string" ? params.delta : "";
+      if (itemId && delta) {
+        assistantMessageText.set(itemId, `${assistantMessageText.get(itemId) ?? ""}${delta}`);
+      }
+      return;
+    }
+    if (method === "item/completed") {
+      const item = asRecord(params.item);
+      const itemType = normalizeString(item?.type);
+      const itemId = normalizeString(item?.id);
+      currentTurn?.events.push({ method, params });
+      if (itemType === "agentMessage" && itemId) {
+        const finalText = normalizeString(item?.text) ?? assistantMessageText.get(itemId) ?? "";
+        assistantMessageText.delete(itemId);
+        if (finalText.trim()) {
+          lastAssistantMessage = finalText.trim();
+        }
+      }
+      return;
+    }
+    if (method === "error") {
+      lastError = normalizeString(params.message) ?? JSON.stringify(params);
+      currentTurn?.events.push({ method, params });
+      return;
+    }
+    if (method === "turn/completed") {
+      const turn = asRecord(params.turn);
+      const error = asRecord(turn?.error);
+      const completion = {
+        status: normalizeString(turn?.status) ?? "failed",
+        error: normalizeString(error?.message),
+        assistantMessage: lastAssistantMessage,
+        events: currentTurn?.events ?? []
+      };
+      status = completion.status === "completed" ? "idle" : "errored";
+      currentTurn?.resolve(completion);
+      currentTurn = null;
+      return;
+    }
+  };
+  const bootstrapChild = (config) => {
+    const codexExecutable = resolveCodexExecutable();
+    child = spawn(codexExecutable, ["app-server"], {
+      cwd: config.projectRoot,
+      env: process.env,
+      stdio: ["pipe", "pipe", "pipe"]
+    });
+    processId = child.pid ?? null;
+    const stdout = createInterface({ input: child.stdout });
+    const stderr = createInterface({ input: child.stderr });
+    stdout.on("line", (line) => {
+      const trimmed = line.trim();
+      if (!trimmed) {
+        return;
+      }
+      let message;
+      try {
+        message = JSON.parse(trimmed);
+      } catch {
+        return;
+      }
+      if (message.method) {
+        if (message.id !== undefined) {
+          rememberProtocolEvent({
+            at: new Date().toISOString(),
+            direction: "recv",
+            kind: "request",
+            method: message.method
+          });
+          handleServerRequest(message);
+        } else {
+          rememberProtocolEvent({
+            at: new Date().toISOString(),
+            direction: "recv",
+            kind: "notification",
+            method: message.method
+          });
+          handleNotification(message);
+        }
+        return;
+      }
+      if (message.id !== undefined) {
+        rememberProtocolEvent({
+          at: new Date().toISOString(),
+          direction: "recv",
+          kind: "response",
+          method: `response:${String(message.id)}`
+        });
+        const pending = pendingResponses.get(message.id);
+        if (!pending) {
+          return;
+        }
+        pendingResponses.delete(message.id);
+        if (message.error) {
+          pending.reject(new Error(formatJsonRpcError(message.error)));
+        } else {
+          pending.resolve(message.result ?? {});
+        }
+      }
+    });
+    stderr.on("line", (line) => {
+      if (line.trim()) {
+        rememberProtocolEvent({
+          at: new Date().toISOString(),
+          direction: "recv",
+          kind: "stderr",
+          method: line.trim().slice(0, 240)
+        });
+        lastError = line.trim();
+      }
+    });
+    child.once("error", (error) => {
+      const message = error instanceof Error ? error.message : String(error);
+      lastError = message;
+      status = "errored";
+      for (const [id, pending] of pendingResponses.entries()) {
+        pending.reject(new Error(message));
+        pendingResponses.delete(id);
+      }
+      if (currentTurn) {
+        currentTurn.reject(new Error(message));
+        currentTurn = null;
+      }
+      threadId = null;
+      processId = null;
+      child = null;
+    });
+    child.once("close", (code, signal) => {
+      const exitMessage = `Inspector app-server exited (${String(code ?? signal ?? "unknown")})`;
+      for (const [id, pending] of pendingResponses.entries()) {
+        pending.reject(new Error(exitMessage));
+        pendingResponses.delete(id);
+      }
+      if (currentTurn) {
+        currentTurn.reject(new Error(exitMessage));
+        currentTurn = null;
+      }
+      status = "stopped";
+      lastError = exitMessage;
+      threadId = null;
+      processId = null;
+      child = null;
+    });
+    return child;
+  };
+  return {
+    async startSession(config) {
+      if (child) {
+        return { threadId, processId };
+      }
+      invokeDynamicTool = config.invokeDynamicTool;
+      status = "starting";
+      const activeChild = bootstrapChild(config);
+      await waitForChildSpawn(activeChild);
+      await sendRequest("initialize", {
+        clientInfo: DEFAULT_CLIENT_INFO,
+        capabilities: {
+          experimentalApi: true
+        }
+      });
+      const started = await sendRequest("thread/start", {
+        model: config.model ?? options.model ?? null,
+        cwd: config.projectRoot,
+        approvalPolicy: "never",
+        sandbox: "danger-full-access",
+        serviceName: "rig_global_inspector",
+        personality: "pragmatic",
+        ephemeral: false,
+        baseInstructions: config.baseInstructions,
+        developerInstructions: config.developerInstructions,
+        dynamicTools: config.dynamicTools
+      });
+      const thread = asRecord(started.thread);
+      threadId = normalizeString(thread?.id) ?? threadId;
+      if (!threadId) {
+        const preview = JSON.stringify(started).slice(0, 400);
+        throw new Error(`Codex thread/start response did not include thread.id (got: ${preview}). ` + `Likely codex protocol version mismatch \u2014 current Rig speaks codex 0.130 schema.`);
+      }
+      status = "idle";
+      return { threadId, processId };
+    },
+    async sendTurn(prompt) {
+      if (!child || !threadId) {
+        throw new Error("Inspector agent session is not ready.");
+      }
+      if (currentTurn) {
+        throw new Error("Inspector agent turn already in progress.");
+      }
+      lastAssistantMessage = null;
+      lastError = null;
+      const turnResult = new Promise((resolve3, reject) => {
+        currentTurn = {
+          resolve: resolve3,
+          reject,
+          events: []
+        };
+      });
+      try {
+        await sendRequest("turn/start", {
+          threadId,
+          approvalPolicy: "never",
+          input: [
+            {
+              type: "text",
+              text: prompt,
+              text_elements: []
+            }
+          ]
+        });
+      } catch (error) {
+        currentTurn = null;
+        throw error;
+      }
+      let result;
+      try {
+        result = await withTimeout(turnResult, turnTimeoutMs, `Inspector agent turn timed out after ${turnTimeoutMs}ms`);
+      } catch (error) {
+        currentTurn = null;
+        if (child) {
+          terminateChild(child);
+          child = null;
+        }
+        throw error;
+      }
+      if (inFlightToolCalls.size > 0) {
+        await Promise.allSettled(Array.from(inFlightToolCalls));
+      }
+      return result;
+    },
+    snapshot() {
+      return {
+        status,
+        threadId,
+        processId,
+        queueDepth: 0,
+        lastAssistantMessage,
+        lastError,
+        recentProtocolEvents: [...recentProtocolEvents]
+      };
+    },
+    async stop() {
+      if (child) {
+        terminateChild(child);
+        child = null;
+      }
+      status = "stopped";
+      threadId = null;
+      processId = null;
+    }
+  };
+}
+function writeChildLine(child, line) {
+  return new Promise((resolve3, reject) => {
+    child.stdin.write(line, (error) => {
+      if (error) {
+        reject(error);
+        return;
+      }
+      resolve3();
+    });
+  });
+}
+function terminateChild(child) {
+  if (child.killed) {
+    return;
+  }
+  try {
+    child.kill("SIGTERM");
+  } catch {}
+}
+async function waitForChildSpawn(child) {
+  await new Promise((resolve3, reject) => {
+    const onSpawn = () => {
+      cleanup();
+      resolve3();
+    };
+    const onError = (error) => {
+      cleanup();
+      reject(error);
+    };
+    const cleanup = () => {
+      child.off("spawn", onSpawn);
+      child.off("error", onError);
+    };
+    child.once("spawn", onSpawn);
+    child.once("error", onError);
+  });
+}
+function resolveCodexExecutable() {
+  const candidate = process.env.RIG_INSPECTOR_CODEX_BIN ?? Bun.which("codex");
+  if (!candidate) {
+    throw new Error("Codex CLI is not available on PATH for the inspector app-server.");
+  }
+  let resolvedCandidate;
+  try {
+    resolvedCandidate = realpathSync(candidate);
+  } catch {
+    throw new Error(`Codex CLI is not executable for the inspector app-server: ${candidate}`);
+  }
+  try {
+    accessSync(resolvedCandidate, constants.X_OK);
+  } catch {
+    throw new Error(`Codex CLI is not executable for the inspector app-server: ${candidate}`);
+  }
+  return resolvedCandidate;
+}
+function asRecord(value) {
+  return value && typeof value === "object" && !Array.isArray(value) ? value : null;
+}
+function normalizeString(value) {
+  if (typeof value !== "string") {
+    return null;
+  }
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function formatJsonRpcError(error) {
+  if (!error) {
+    return "Unknown app-server error";
+  }
+  const parts = [error.message, error.data ? JSON.stringify(error.data) : null].filter(Boolean);
+  return parts.join(" ");
+}
+async function withTimeout(promise, timeoutMs, message) {
+  let timer = null;
+  try {
+    return await Promise.race([
+      promise,
+      new Promise((_, reject) => {
+        timer = setTimeout(() => reject(new Error(message)), timeoutMs);
+      })
+    ]);
+  } finally {
+    if (timer) {
+      clearTimeout(timer);
+    }
+  }
+}
+
+// packages/server/src/inspector/analysis.ts
+function summarizeInspectorJournal(options) {
+  const now = options.now ?? (() => new Date().toISOString());
+  const counts = options.journal.getCounts();
+  const activeRuns = options.journal.listActiveRuns();
+  const recentFindings = options.journal.listRecentFindings({ limit: 50 });
+  const severityCounts = recentFindings.reduce((acc, finding) => {
+    acc[finding.severity] = (acc[finding.severity] ?? 0) + 1;
+    return acc;
+  }, {});
+  const conflictCount = activeRuns.filter((run) => run.conflictState !== "none").length;
+  const summary = `Inspector journal summary: observations=${counts.observations}, decisions=${counts.decisions}, ` + `actions=${counts.actions}, followups=${counts.followups}, activeRuns=${activeRuns.length}, conflicts=${conflictCount}`;
+  options.journal.appendAnalysisReport({
+    id: options.reportId,
+    dedupeKey: `${options.reportType}:${options.reportId}`,
+    reportType: options.reportType,
+    status: "completed",
+    summary,
+    details: {
+      ...counts,
+      activeRuns: activeRuns.length,
+      conflictCount,
+      severityCounts
+    },
+    createdAt: now()
+  });
+  return {
+    status: "completed",
+    summary,
+    details: {
+      ...counts,
+      activeRuns: activeRuns.length,
+      conflictCount,
+      severityCounts
+    }
+  };
+}
+
+// packages/server/src/inspector/journal.ts
+import { Database } from "bun:sqlite";
+import { mkdirSync as mkdirSync3 } from "fs";
+import { dirname as dirname3, resolve as resolve3 } from "path";
+var SCHEMA = [
+  `CREATE TABLE IF NOT EXISTS inspector_runs (
+    run_id TEXT PRIMARY KEY,
+    workspace_id TEXT,
+    task_id TEXT,
+    runtime_adapter TEXT,
+    provider TEXT,
+    status TEXT NOT NULL,
+    conflict_state TEXT NOT NULL DEFAULT 'none',
+    conflict_summary TEXT,
+    source TEXT,
+    title TEXT,
+    started_at TEXT,
+    updated_at TEXT NOT NULL,
+    completed_at TEXT
+  )`,
+  `CREATE TABLE IF NOT EXISTS inspector_observations (
+    id TEXT PRIMARY KEY,
+    run_id TEXT,
+    dedupe_key TEXT,
+    kind TEXT NOT NULL,
+    severity TEXT NOT NULL,
+    source TEXT NOT NULL,
+    summary TEXT NOT NULL,
+    details_json TEXT,
+    created_at TEXT NOT NULL
+  )`,
+  `CREATE TABLE IF NOT EXISTS inspector_decisions (
+    id TEXT PRIMARY KEY,
+    run_id TEXT,
+    dedupe_key TEXT,
+    decision_type TEXT NOT NULL,
+    summary TEXT NOT NULL,
+    rationale TEXT NOT NULL,
+    details_json TEXT,
+    created_at TEXT NOT NULL
+  )`,
+  `CREATE TABLE IF NOT EXISTS inspector_actions (
+    id TEXT PRIMARY KEY,
+    run_id TEXT,
+    dedupe_key TEXT,
+    action_type TEXT NOT NULL,
+    status TEXT NOT NULL,
+    target TEXT,
+    input_json TEXT,
+    result_json TEXT,
+    started_at TEXT NOT NULL,
+    completed_at TEXT
+  )`,
+  `CREATE TABLE IF NOT EXISTS inspector_reviews (
+    id TEXT PRIMARY KEY,
+    run_id TEXT,
+    dedupe_key TEXT,
+    reviewer_type TEXT NOT NULL,
+    status TEXT NOT NULL,
+    findings_json TEXT,
+    created_at TEXT NOT NULL
+  )`,
+  `CREATE TABLE IF NOT EXISTS inspector_followups (
+    id TEXT PRIMARY KEY,
+    origin_run_id TEXT,
+    dedupe_key TEXT,
+    task_id TEXT,
+    kind TEXT NOT NULL,
+    status TEXT NOT NULL,
+    summary TEXT NOT NULL,
+    details_json TEXT,
+    created_at TEXT NOT NULL
+  )`,
+  `CREATE TABLE IF NOT EXISTS upstream_sync_scans (
+    id TEXT PRIMARY KEY,
+    dedupe_key TEXT,
+    started_at TEXT NOT NULL,
+    completed_at TEXT,
+    status TEXT NOT NULL,
+    summary TEXT NOT NULL,
+    details_json TEXT
+  )`,
+  `CREATE TABLE IF NOT EXISTS analysis_reports (
+    id TEXT PRIMARY KEY,
+    dedupe_key TEXT,
+    report_type TEXT NOT NULL,
+    status TEXT NOT NULL,
+    summary TEXT NOT NULL,
+    details_json TEXT,
+    created_at TEXT NOT NULL
+  )`,
+  `CREATE UNIQUE INDEX IF NOT EXISTS idx_inspector_observations_dedupe
+    ON inspector_observations(dedupe_key) WHERE dedupe_key IS NOT NULL`,
+  `CREATE UNIQUE INDEX IF NOT EXISTS idx_inspector_decisions_dedupe
+    ON inspector_decisions(dedupe_key) WHERE dedupe_key IS NOT NULL`,
+  `CREATE UNIQUE INDEX IF NOT EXISTS idx_inspector_actions_dedupe
+    ON inspector_actions(dedupe_key) WHERE dedupe_key IS NOT NULL`,
+  `CREATE UNIQUE INDEX IF NOT EXISTS idx_inspector_reviews_dedupe
+    ON inspector_reviews(dedupe_key) WHERE dedupe_key IS NOT NULL`,
+  `CREATE UNIQUE INDEX IF NOT EXISTS idx_inspector_followups_dedupe
+    ON inspector_followups(dedupe_key) WHERE dedupe_key IS NOT NULL`,
+  `CREATE UNIQUE INDEX IF NOT EXISTS idx_upstream_sync_scans_dedupe
+    ON upstream_sync_scans(dedupe_key) WHERE dedupe_key IS NOT NULL`,
+  `CREATE UNIQUE INDEX IF NOT EXISTS idx_analysis_reports_dedupe
+    ON analysis_reports(dedupe_key) WHERE dedupe_key IS NOT NULL`,
+  `CREATE INDEX IF NOT EXISTS idx_inspector_runs_status_updated
+    ON inspector_runs(status, updated_at DESC)`,
+  `CREATE INDEX IF NOT EXISTS idx_inspector_observations_run_created
+    ON inspector_observations(run_id, created_at DESC)`
+];
+function jsonText(value) {
+  return value == null ? null : JSON.stringify(value);
+}
+function parseJsonRecord(value) {
+  if (typeof value !== "string" || value.length === 0) {
+    return null;
+  }
+  return JSON.parse(value);
+}
+function normalizeError(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+function safeWrite(sqlite, record, fn) {
+  try {
+    fn();
+    const row = sqlite.prepare("SELECT changes() AS count").get();
+    return { ok: true, record, changed: Number(row?.count ?? 0) > 0 };
+  } catch (error) {
+    return { ok: false, error: normalizeError(error) };
+  }
+}
+function resolveInspectorJournalPath(projectRoot) {
+  return resolve3(resolveRigServerPaths(projectRoot).stateDir, "inspector", "journal.sqlite");
+}
+function createInspectorJournal(options) {
+  const dbPath = resolve3(options.dbPath ?? resolveInspectorJournalPath(options.projectRoot));
+  mkdirSync3(dirname3(dbPath), { recursive: true });
+  const sqlite = new Database(dbPath, { create: true, strict: true });
+  sqlite.exec("PRAGMA journal_mode = WAL");
+  sqlite.exec("PRAGMA busy_timeout = 50");
+  for (const statement of SCHEMA) {
+    sqlite.exec(statement);
+  }
+  const upsertRunStatement = sqlite.prepare(`
+    INSERT INTO inspector_runs (
+      run_id, workspace_id, task_id, runtime_adapter, provider, status, conflict_state, conflict_summary,
+      source, title, started_at, updated_at, completed_at
+    ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    ON CONFLICT(run_id) DO UPDATE SET
+      workspace_id = excluded.workspace_id,
+      task_id = excluded.task_id,
+      runtime_adapter = excluded.runtime_adapter,
+      provider = excluded.provider,
+      status = excluded.status,
+      conflict_state = excluded.conflict_state,
+      conflict_summary = excluded.conflict_summary,
+      source = excluded.source,
+      title = excluded.title,
+      started_at = excluded.started_at,
+      updated_at = excluded.updated_at,
+      completed_at = excluded.completed_at
+  `);
+  const observationStatement = sqlite.prepare(`
+    INSERT OR IGNORE INTO inspector_observations (
+      id, run_id, dedupe_key, kind, severity, source, summary, details_json, created_at
+    ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `);
+  const decisionStatement = sqlite.prepare(`
+    INSERT OR IGNORE INTO inspector_decisions (
+      id, run_id, dedupe_key, decision_type, summary, rationale, details_json, created_at
+    ) VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+  `);
+  const actionStatement = sqlite.prepare(`
+    INSERT OR IGNORE INTO inspector_actions (
+      id, run_id, dedupe_key, action_type, status, target, input_json, result_json, started_at, completed_at
+    ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `);
+  const reviewStatement = sqlite.prepare(`
+    INSERT OR IGNORE INTO inspector_reviews (
+      id, run_id, dedupe_key, reviewer_type, status, findings_json, created_at
+    ) VALUES (?, ?, ?, ?, ?, ?, ?)
+  `);
+  const followupStatement = sqlite.prepare(`
+    INSERT OR IGNORE INTO inspector_followups (
+      id, origin_run_id, dedupe_key, task_id, kind, status, summary, details_json, created_at
+    ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `);
+  const scanStatement = sqlite.prepare(`
+    INSERT OR IGNORE INTO upstream_sync_scans (
+      id, dedupe_key, started_at, completed_at, status, summary, details_json
+    ) VALUES (?, ?, ?, ?, ?, ?, ?)
+  `);
+  const reportStatement = sqlite.prepare(`
+    INSERT OR IGNORE INTO analysis_reports (
+      id, dedupe_key, report_type, status, summary, details_json, created_at
+    ) VALUES (?, ?, ?, ?, ?, ?, ?)
+  `);
+  const attachFollowupTaskStatement = sqlite.prepare(`
+    UPDATE inspector_followups
+    SET task_id = ?, status = ?, details_json = ?
+    WHERE dedupe_key = ?
+  `);
+  const getFollowupByDedupeKeyStatement = sqlite.prepare(`
+    SELECT id, origin_run_id, dedupe_key, task_id, kind, status, summary, details_json, created_at
+    FROM inspector_followups
+    WHERE dedupe_key = ?
+    LIMIT 1
+  `);
+  const listActiveRunsStatement = sqlite.prepare(`
+    SELECT
+      run_id,
+      workspace_id,
+      task_id,
+      runtime_adapter,
+      provider,
+      status,
+      conflict_state,
+      conflict_summary,
+      source,
+      title,
+      started_at,
+      updated_at,
+      completed_at
+    FROM inspector_runs
+    WHERE status IN ('preparing', 'running', 'validating', 'reviewing')
+    ORDER BY updated_at DESC
+  `);
+  const listRecentFindingsStatement = sqlite.prepare(`
+    SELECT id, run_id, kind, severity, source, summary, details_json, created_at
+    FROM inspector_observations
+    ORDER BY created_at DESC
+    LIMIT ?
+  `);
+  const listRecentDecisionsStatement = sqlite.prepare(`
+    SELECT id, run_id, decision_type, summary, rationale, details_json, created_at
+    FROM inspector_decisions
+    ORDER BY created_at DESC
+    LIMIT ?
+  `);
+  const listRecentActionsStatement = sqlite.prepare(`
+    SELECT id, run_id, action_type, status, target, input_json, result_json, started_at, completed_at
+    FROM inspector_actions
+    ORDER BY started_at DESC
+    LIMIT ?
+  `);
+  function mapFollowupRow(row) {
+    return {
+      id: String(row.id),
+      originRunId: row.origin_run_id == null ? null : String(row.origin_run_id),
+      dedupeKey: row.dedupe_key == null ? null : String(row.dedupe_key),
+      taskId: row.task_id == null ? null : String(row.task_id),
+      kind: String(row.kind),
+      status: String(row.status),
+      summary: String(row.summary),
+      details: parseJsonRecord(row.details_json),
+      createdAt: String(row.created_at)
+    };
+  }
+  return {
+    path: dbPath,
+    upsertRun(record) {
+      return safeWrite(sqlite, record, () => {
+        upsertRunStatement.run(record.runId, record.workspaceId, record.taskId, record.runtimeAdapter, record.provider, record.status, record.conflictState, record.conflictSummary, record.source, record.title, record.startedAt, record.updatedAt, record.completedAt);
+      });
+    },
+    appendObservation(record) {
+      return safeWrite(sqlite, record, () => {
+        observationStatement.run(record.id, record.runId, record.dedupeKey ?? null, record.kind, record.severity, record.source, record.summary, jsonText(record.details), record.createdAt);
+      });
+    },
+    appendDecision(record) {
+      return safeWrite(sqlite, record, () => {
+        decisionStatement.run(record.id, record.runId, record.dedupeKey ?? null, record.decisionType, record.summary, record.rationale, jsonText(record.details), record.createdAt);
+      });
+    },
+    appendAction(record) {
+      return safeWrite(sqlite, record, () => {
+        actionStatement.run(record.id, record.runId, record.dedupeKey ?? null, record.actionType, record.status, record.target, jsonText(record.input), jsonText(record.result), record.startedAt, record.completedAt);
+      });
+    },
+    appendReview(record) {
+      return safeWrite(sqlite, record, () => {
+        reviewStatement.run(record.id, record.runId, record.dedupeKey ?? null, record.reviewerType, record.status, jsonText(record.findings), record.createdAt);
+      });
+    },
+    appendFollowup(record) {
+      return safeWrite(sqlite, record, () => {
+        followupStatement.run(record.id, record.originRunId, record.dedupeKey ?? null, record.taskId, record.kind, record.status, record.summary, jsonText(record.details), record.createdAt);
+      });
+    },
+    attachFollowupTask(input) {
+      const record = {
+        dedupeKey: input.dedupeKey,
+        taskId: input.taskId,
+        status: input.status,
+        details: input.details ?? null
+      };
+      return safeWrite(sqlite, record, () => {
+        attachFollowupTaskStatement.run(input.taskId, input.status, jsonText(input.details), input.dedupeKey);
+      });
+    },
+    getFollowupByDedupeKey(dedupeKey) {
+      const row = getFollowupByDedupeKeyStatement.get(dedupeKey);
+      return row ? mapFollowupRow(row) : null;
+    },
+    appendUpstreamSyncScan(record) {
+      return safeWrite(sqlite, record, () => {
+        scanStatement.run(record.id, record.dedupeKey ?? null, record.startedAt, record.completedAt, record.status, record.summary, jsonText(record.details));
+      });
+    },
+    appendAnalysisReport(record) {
+      return safeWrite(sqlite, record, () => {
+        reportStatement.run(record.id, record.dedupeKey ?? null, record.reportType, record.status, record.summary, jsonText(record.details), record.createdAt);
+      });
+    },
+    listActiveRuns() {
+      return listActiveRunsStatement.all().map((row) => ({
+        runId: String(row.run_id),
+        workspaceId: row.workspace_id == null ? null : String(row.workspace_id),
+        taskId: row.task_id == null ? null : String(row.task_id),
+        runtimeAdapter: row.runtime_adapter == null ? null : String(row.runtime_adapter),
+        provider: row.provider == null ? null : String(row.provider),
+        status: String(row.status),
+        conflictState: String(row.conflict_state),
+        conflictSummary: row.conflict_summary == null ? null : String(row.conflict_summary),
+        source: row.source == null ? null : String(row.source),
+        title: row.title == null ? null : String(row.title),
+        startedAt: row.started_at == null ? null : String(row.started_at),
+        updatedAt: String(row.updated_at),
+        completedAt: row.completed_at == null ? null : String(row.completed_at)
+      }));
+    },
+    listRecentFindings(options2 = {}) {
+      const limit = options2.limit ?? 10;
+      return listRecentFindingsStatement.all(limit).map((row) => ({
+        id: String(row.id),
+        runId: row.run_id == null ? null : String(row.run_id),
+        kind: String(row.kind),
+        severity: String(row.severity),
+        source: String(row.source),
+        summary: String(row.summary),
+        details: parseJsonRecord(row.details_json),
+        createdAt: String(row.created_at)
+      }));
+    },
+    listRecentDecisions(options2 = {}) {
+      const limit = options2.limit ?? 10;
+      return listRecentDecisionsStatement.all(limit).map((row) => ({
+        id: String(row.id),
+        runId: row.run_id == null ? null : String(row.run_id),
+        decisionType: String(row.decision_type),
+        summary: String(row.summary),
+        rationale: String(row.rationale),
+        details: parseJsonRecord(row.details_json),
+        createdAt: String(row.created_at)
+      }));
+    },
+    listRecentActions(options2 = {}) {
+      const limit = options2.limit ?? 10;
+      return listRecentActionsStatement.all(limit).map((row) => ({
+        id: String(row.id),
+        runId: row.run_id == null ? null : String(row.run_id),
+        actionType: String(row.action_type),
+        status: String(row.status),
+        target: row.target == null ? null : String(row.target),
+        input: parseJsonRecord(row.input_json),
+        result: parseJsonRecord(row.result_json),
+        startedAt: String(row.started_at),
+        completedAt: row.completed_at == null ? null : String(row.completed_at)
+      }));
+    },
+    listDecisions(runId) {
+      return sqlite.prepare(`
+        SELECT id, run_id, decision_type, summary, rationale, details_json, created_at
+        FROM inspector_decisions
+        WHERE run_id = ?
+        ORDER BY created_at DESC
+      `).all(runId).map((row) => ({
+        id: String(row.id),
+        runId: row.run_id == null ? null : String(row.run_id),
+        decisionType: String(row.decision_type),
+        summary: String(row.summary),
+        rationale: String(row.rationale),
+        details: parseJsonRecord(row.details_json),
+        createdAt: String(row.created_at)
+      }));
+    },
+    listActions(runId) {
+      return sqlite.prepare(`
+        SELECT id, run_id, action_type, status, target, input_json, result_json, started_at, completed_at
+        FROM inspector_actions
+        WHERE run_id = ?
+        ORDER BY started_at DESC
+      `).all(runId).map((row) => ({
+        id: String(row.id),
+        runId: row.run_id == null ? null : String(row.run_id),
+        actionType: String(row.action_type),
+        status: String(row.status),
+        target: row.target == null ? null : String(row.target),
+        input: parseJsonRecord(row.input_json),
+        result: parseJsonRecord(row.result_json),
+        startedAt: String(row.started_at),
+        completedAt: row.completed_at == null ? null : String(row.completed_at)
+      }));
+    },
+    listReviews(runId) {
+      return sqlite.prepare(`
+        SELECT id, run_id, reviewer_type, status, findings_json, created_at
+        FROM inspector_reviews
+        WHERE run_id = ?
+        ORDER BY created_at DESC
+      `).all(runId).map((row) => ({
+        id: String(row.id),
+        runId: row.run_id == null ? null : String(row.run_id),
+        reviewerType: String(row.reviewer_type),
+        status: String(row.status),
+        findings: parseJsonRecord(row.findings_json),
+        createdAt: String(row.created_at)
+      }));
+    },
+    listFollowups() {
+      return sqlite.prepare(`
+        SELECT id, origin_run_id, dedupe_key, task_id, kind, status, summary, details_json, created_at
+        FROM inspector_followups
+        ORDER BY created_at DESC
+      `).all().map(mapFollowupRow);
+    },
+    listUpstreamSyncScans() {
+      return sqlite.prepare(`
+        SELECT id, started_at, completed_at, status, summary, details_json
+        FROM upstream_sync_scans
+        ORDER BY started_at DESC
+      `).all().map((row) => ({
+        id: String(row.id),
+        startedAt: String(row.started_at),
+        completedAt: row.completed_at == null ? null : String(row.completed_at),
+        status: String(row.status),
+        summary: String(row.summary),
+        details: parseJsonRecord(row.details_json)
+      }));
+    },
+    listAnalysisReports() {
+      return sqlite.prepare(`
+        SELECT id, report_type, status, summary, details_json, created_at
+        FROM analysis_reports
+        ORDER BY created_at DESC
+      `).all().map((row) => ({
+        id: String(row.id),
+        reportType: String(row.report_type),
+        status: String(row.status),
+        summary: String(row.summary),
+        details: parseJsonRecord(row.details_json),
+        createdAt: String(row.created_at)
+      }));
+    },
+    getCounts() {
+      const row = sqlite.prepare(`
+        SELECT
+          (SELECT COUNT(*) FROM inspector_observations) AS observations,
+          (SELECT COUNT(*) FROM inspector_decisions) AS decisions,
+          (SELECT COUNT(*) FROM inspector_actions) AS actions,
+          (SELECT COUNT(*) FROM inspector_followups) AS followups
+      `).get();
+      return {
+        observations: Number(row?.observations ?? 0),
+        decisions: Number(row?.decisions ?? 0),
+        actions: Number(row?.actions ?? 0),
+        followups: Number(row?.followups ?? 0)
+      };
+    },
+    beginExclusiveTransaction() {
+      sqlite.exec("BEGIN EXCLUSIVE");
+    },
+    rollbackTransaction() {
+      sqlite.exec("ROLLBACK");
+    },
+    close() {
+      sqlite.close();
+    }
+  };
+}
+
+// packages/server/src/inspector/discovery.ts
+import {
+  runStatus
+} from "@rig/runtime/control-plane/native/run-ops";
+import {
+  listAuthorityRuns,
+  readAuthorityRun
+} from "@rig/runtime/control-plane/authority-files";
+function providerFromRuntimeAdapter(runtimeAdapter) {
+  if (!runtimeAdapter) {
+    return null;
+  }
+  return runtimeAdapter;
+}
+function uniqueStrings2(values) {
+  return [...new Set(values.filter((value) => typeof value === "string" && value.length > 0))];
+}
+function preferString(...values) {
+  return values.find((value) => typeof value === "string" && value.length > 0) ?? null;
+}
+function chooseStatus(surfaces) {
+  const authority = surfaces.find((surface) => surface.source === "authority-record");
+  if (authority?.status) {
+    return authority.status;
+  }
+  return preferString(...surfaces.map((surface) => surface.status)) ?? "unknown";
+}
+function chooseUpdatedAt(surfaces) {
+  const timestamps = uniqueStrings2(surfaces.map((surface) => surface.updatedAt)).sort();
+  return timestamps.at(-1) ?? "";
+}
+function buildConflict(surfaces) {
+  const statuses = uniqueStrings2(surfaces.map((surface) => surface.status));
+  const titles = uniqueStrings2(surfaces.map((surface) => surface.title));
+  const activeSurface = surfaces.find((surface) => new Set(["preparing", "running", "validating", "reviewing"]).has(surface.status));
+  const authoritySurface = surfaces.find((surface) => surface.source === "authority-record");
+  if (activeSurface && authoritySurface && new Set(["failed", "stopped", "completed", "done"]).has(authoritySurface.status)) {
+    return {
+      state: "stale-active",
+      summary: `Run ${authoritySurface.runId} is still reported active by ${activeSurface.source} but authority says ${authoritySurface.status}.`
+    };
+  }
+  if (statuses.length > 1 || titles.length > 1) {
+    const sourceSummary = surfaces.map((surface) => `${surface.source}:${surface.status}:${surface.title}`).join(" | ");
+    return {
+      state: "source-disagreement",
+      summary: `Conflicting run surfaces for ${surfaces[0]?.runId ?? "unknown"}: ${sourceSummary}`
+    };
+  }
+  return { state: "none", summary: null };
+}
+function mergeRunSurfaces(surfaces) {
+  const authority = surfaces.find((surface) => surface.source === "authority-record") ?? null;
+  const conflict = buildConflict(surfaces);
+  return {
+    runId: surfaces[0].runId,
+    workspaceId: preferString(authority?.workspaceId, ...surfaces.map((surface) => surface.workspaceId)),
+    taskId: preferString(authority?.taskId, ...surfaces.map((surface) => surface.taskId)),
+    provider: preferString(authority?.provider, ...surfaces.map((surface) => surface.provider)),
+    runtimeAdapter: preferString(authority?.runtimeAdapter, ...surfaces.map((surface) => surface.runtimeAdapter)),
+    threadId: preferString(authority?.threadId, ...surfaces.map((surface) => surface.threadId)),
+    status: chooseStatus(surfaces),
+    title: preferString(authority?.title, ...surfaces.map((surface) => surface.title)) ?? surfaces[0].runId,
+    source: authority?.source ?? surfaces[0].source,
+    rawSourceKinds: uniqueStrings2(surfaces.map((surface) => surface.source)),
+    conflictState: conflict.state,
+    conflictSummary: conflict.summary,
+    worktreePath: preferString(authority?.worktreePath, ...surfaces.map((surface) => surface.worktreePath)),
+    artifactRoot: preferString(authority?.artifactRoot, ...surfaces.map((surface) => surface.artifactRoot)),
+    logRoot: preferString(authority?.logRoot, ...surfaces.map((surface) => surface.logRoot)),
+    sessionPath: preferString(authority?.sessionPath, ...surfaces.map((surface) => surface.sessionPath)),
+    sessionLogPath: preferString(authority?.sessionLogPath, ...surfaces.map((surface) => surface.sessionLogPath)),
+    startedAt: preferString(authority?.startedAt, ...surfaces.map((surface) => surface.startedAt)),
+    updatedAt: chooseUpdatedAt(surfaces),
+    completedAt: preferString(authority?.completedAt, ...surfaces.map((surface) => surface.completedAt))
+  };
+}
+function discoverInspectorRuns(options) {
+  const summary = options.statusSummary ?? runStatus(options.projectRoot);
+  const discovered = new Map;
+  const pushSurface = (surface) => {
+    const existing = discovered.get(surface.runId) ?? [];
+    existing.push(surface);
+    discovered.set(surface.runId, existing);
+  };
+  for (const authorityEntry of listAuthorityRuns(options.projectRoot)) {
+    const run = readAuthorityRun(options.projectRoot, authorityEntry.runId);
+    if (!run) {
+      continue;
+    }
+    pushSurface({
+      runId: run.runId,
+      workspaceId: run.workspaceId ?? null,
+      taskId: run.taskId ?? null,
+      provider: providerFromRuntimeAdapter(run.runtimeAdapter ?? null),
+      runtimeAdapter: run.runtimeAdapter ?? null,
+      threadId: run.threadId ?? null,
+      status: run.status ?? "unknown",
+      title: run.title ?? run.taskId ?? run.runId,
+      source: "authority-record",
+      worktreePath: run.worktreePath ?? null,
+      artifactRoot: run.artifactRoot ?? null,
+      logRoot: run.logRoot ?? null,
+      sessionPath: run.sessionPath ?? null,
+      sessionLogPath: run.sessionLogPath ?? null,
+      startedAt: run.startedAt ?? null,
+      updatedAt: run.updatedAt,
+      completedAt: run.completedAt ?? null
+    });
+  }
+  for (const entry of [...summary.activeRuns, ...summary.recentRuns]) {
+    pushSurface({
+      runId: entry.runId,
+      workspaceId: null,
+      taskId: entry.taskId ?? null,
+      provider: null,
+      runtimeAdapter: null,
+      threadId: null,
+      status: entry.status,
+      title: entry.title,
+      source: "run-status",
+      worktreePath: null,
+      artifactRoot: null,
+      logRoot: null,
+      sessionPath: null,
+      sessionLogPath: null,
+      startedAt: null,
+      updatedAt: "",
+      completedAt: null
+    });
+  }
+  return [...discovered.values()].map((surfaces) => mergeRunSurfaces(surfaces)).sort((left, right) => right.updatedAt.localeCompare(left.updatedAt));
+}
+
+// packages/server/src/inspector/reconcile.ts
+function decisionTypeForStatus(status) {
+  switch (status) {
+    case "failed":
+      return "investigate-failure";
+    case "stopped":
+      return "inspect-stop";
+    default:
+      return null;
+  }
+}
+function reconcileInspectorRuns(options) {
+  const now = options.now ?? (() => new Date().toISOString());
+  let observedCount = 0;
+  let decisionCount = 0;
+  let actionCount = 0;
+  for (const run of options.runs) {
+    options.journal.upsertRun({
+      runId: run.runId,
+      workspaceId: run.workspaceId,
+      taskId: run.taskId,
+      runtimeAdapter: run.runtimeAdapter,
+      provider: run.provider,
+      status: run.status,
+      conflictState: run.conflictState,
+      conflictSummary: run.conflictSummary,
+      source: run.source,
+      title: run.title,
+      startedAt: run.startedAt,
+      updatedAt: run.updatedAt,
+      completedAt: run.completedAt
+    });
+    const observation = options.journal.appendObservation({
+      id: `observation:${run.runId}:${options.reason}:${run.updatedAt}`,
+      runId: run.runId,
+      dedupeKey: `run:${run.runId}:status:${run.status}:updated:${run.updatedAt}`,
+      kind: "run.observed",
+      severity: run.status === "failed" ? "warn" : "info",
+      source: run.source,
+      summary: `Observed run ${run.title}`,
+      details: {
+        reason: options.reason,
+        status: run.status,
+        provider: run.provider,
+        runtimeAdapter: run.runtimeAdapter,
+        conflictState: run.conflictState,
+        rawSourceKinds: run.rawSourceKinds
+      },
+      createdAt: now()
+    });
+    if (observation.ok && observation.changed) {
+      observedCount += 1;
+    }
+    const action = options.journal.appendAction({
+      id: `action:${run.runId}:${options.reason}:${run.updatedAt}`,
+      runId: run.runId,
+      dedupeKey: `action:${run.runId}:observe:${run.updatedAt}`,
+      actionType: "observe",
+      status: "completed",
+      target: `run:${run.runId}`,
+      input: { reason: options.reason },
+      result: { status: run.status },
+      startedAt: now(),
+      completedAt: now()
+    });
+    if (action.ok && action.changed) {
+      actionCount += 1;
+    }
+    const decisionType = decisionTypeForStatus(run.status);
+    if (decisionType) {
+      const decision = options.journal.appendDecision({
+        id: `decision:${run.runId}:${decisionType}:${run.updatedAt}`,
+        runId: run.runId,
+        dedupeKey: `decision:${run.runId}:${decisionType}:${run.updatedAt}`,
+        decisionType,
+        summary: `Investigate ${run.title}`,
+        rationale: `Run status ${run.status} requires inspector attention.`,
+        details: {
+          reason: options.reason,
+          status: run.status
+        },
+        createdAt: now()
+      });
+      if (decision.ok && decision.changed) {
+        decisionCount += 1;
+      }
+    }
+    if (run.conflictState !== "none") {
+      const conflictDecision = options.journal.appendDecision({
+        id: `decision:${run.runId}:conflict:${run.updatedAt}`,
+        runId: run.runId,
+        dedupeKey: `decision:${run.runId}:conflict:${run.updatedAt}`,
+        decisionType: "inspect-conflict",
+        summary: `Resolve ${run.title} observation conflict`,
+        rationale: run.conflictSummary ?? "Observed run surfaces disagree and require inspector review.",
+        details: {
+          reason: options.reason,
+          conflictState: run.conflictState,
+          conflictSummary: run.conflictSummary
+        },
+        createdAt: now()
+      });
+      if (conflictDecision.ok && conflictDecision.changed) {
+        decisionCount += 1;
+      }
+    }
+  }
+  return {
+    discoveredCount: options.runs.length,
+    observedCount,
+    decisionCount,
+    actionCount
+  };
+}
+
+// packages/server/src/inspector/service.ts
+function buildCapabilitySupport(options) {
+  return {
+    discoverRuns: true,
+    inspectRuns: true,
+    readLogs: true,
+    readArtifacts: true,
+    callServerApis: true,
+    createTasks: Boolean(options.followupTaskRunner),
+    runReviewerAgents: Boolean(options.reviewRunner),
+    provisionSkills: true,
+    scanUpstream: Boolean(options.upstreamSyncRunner),
+    writeJournal: true,
+    spawnSpecialists: Boolean(options.reviewRunner || options.analysisRunner || options.upstreamSyncRunner)
+  };
+}
+var ACTIVE_RUN_STATUSES = new Set(["preparing", "running", "validating", "reviewing"]);
+function rankRunRecency(run) {
+  const updatedAt = Date.parse(run.updatedAt);
+  if (Number.isFinite(updatedAt)) {
+    return updatedAt;
+  }
+  const startedAt = run.startedAt ? Date.parse(run.startedAt) : Number.NaN;
+  if (Number.isFinite(startedAt)) {
+    return startedAt;
+  }
+  return Number.NEGATIVE_INFINITY;
+}
+function visibleActiveRunKey(run) {
+  if (!run.taskId) {
+    return run.runId;
+  }
+  return [
+    run.workspaceId ?? "workspace:unknown",
+    run.taskId,
+    run.worktreePath ?? "worktree:unknown"
+  ].join("::");
+}
+function selectVisibleActiveRuns(runs) {
+  const latestByKey = new Map;
+  for (const run of runs) {
+    if (!ACTIVE_RUN_STATUSES.has(run.status) || run.conflictState === "stale-active") {
+      continue;
+    }
+    const key = visibleActiveRunKey(run);
+    const current = latestByKey.get(key);
+    if (!current || rankRunRecency(run) >= rankRunRecency(current)) {
+      latestByKey.set(key, run);
+    }
+  }
+  return [...latestByKey.values()].sort((left, right) => rankRunRecency(right) - rankRunRecency(left));
+}
+function createGlobalInspectorService(options) {
+  const discoverRuns = options.discoverRuns ?? (() => discoverInspectorRuns({ projectRoot: options.projectRoot }));
+  const now = options.now ?? (() => new Date().toISOString());
+  const pollMs = Math.max(10, options.pollMs ?? 1000);
+  const upstreamSyncMs = options.upstreamSyncMs == null ? 24 * 60 * 60 * 1000 : options.upstreamSyncMs > 0 ? Math.max(1000, options.upstreamSyncMs) : null;
+  const upstreamSyncOnStart = options.upstreamSyncOnStart ?? false;
+  const analysisMs = Math.max(1000, options.analysisMs ?? 60 * 60 * 1000);
+  const capabilitySupport = buildCapabilitySupport(options);
+  const readSnapshot = () => {
+    const activeRuns = selectVisibleActiveRuns(discoverRuns()).map((run) => {
+      const session = normalizeProviderSession(run);
+      return {
+        run,
+        session,
+        capabilities: deriveInspectorCapabilitySet(session, capabilitySupport)
+      };
+    });
+    return {
+      activeRuns,
+      recentFindings: options.journal.listRecentFindings({ limit: 20 }),
+      followups: options.journal.listFollowups(),
+      analysisReports: options.journal.listAnalysisReports(),
+      availableTools: toolRegistry.list()
+    };
+  };
+  const toolRegistry = createInspectorToolRegistry({
+    journal: options.journal,
+    projectRoot: options.projectRoot,
+    discoverRuns,
+    snapshotReader: readSnapshot,
+    reviewRunner: options.reviewRunner,
+    upstreamScanRunner: options.upstreamSyncRunner,
+    analysisRunner: options.analysisRunner,
+    followupTaskRunner: options.followupTaskRunner,
+    capabilitySupport,
+    now
+  });
+  let pollTimer = null;
+  let upstreamTimer = null;
+  let analysisTimer = null;
+  const reconcileOnce = (reason) => {
+    return reconcileInspectorRuns({
+      journal: options.journal,
+      runs: discoverRuns(),
+      reason,
+      now
+    });
+  };
+  return {
+    projectRoot: options.projectRoot,
+    start() {
+      if (pollTimer || upstreamTimer || analysisTimer) {
+        return false;
+      }
+      pollTimer = setInterval(() => {
+        try {
+          reconcileOnce("poll");
+        } catch {}
+      }, pollMs);
+      if (options.upstreamSyncRunner) {
+        if (upstreamSyncOnStart) {
+          Promise.resolve(options.upstreamSyncRunner({ trigger: "startup" })).catch(() => {});
+        }
+        if (upstreamSyncMs !== null) {
+          upstreamTimer = setInterval(() => {
+            Promise.resolve(options.upstreamSyncRunner?.({ trigger: "scheduled" })).catch(() => {});
+          }, upstreamSyncMs);
+        }
+      }
+      if (options.analysisRunner) {
+        analysisTimer = setInterval(() => {
+          Promise.resolve(options.analysisRunner?.({ trigger: "scheduled", reportType: "run-health" })).catch(() => {});
+        }, analysisMs);
+      }
+      return true;
+    },
+    stop() {
+      if (pollTimer)
+        clearInterval(pollTimer);
+      if (upstreamTimer)
+        clearInterval(upstreamTimer);
+      if (analysisTimer)
+        clearInterval(analysisTimer);
+      pollTimer = null;
+      upstreamTimer = null;
+      analysisTimer = null;
+    },
+    isRunning() {
+      return pollTimer !== null || upstreamTimer !== null || analysisTimer !== null;
+    },
+    snapshot() {
+      return readSnapshot();
+    },
+    async invokeTool(name, input) {
+      return toolRegistry.invoke(name, input);
+    },
+    reconcileOnce,
+    async runUpstreamSyncOnce(input = {}) {
+      await options.upstreamSyncRunner?.(input);
+    },
+    async runAnalysisOnce(input = {}) {
+      await options.analysisRunner?.(input);
+    }
+  };
+}
+
+// packages/server/src/inspector/upstream-sync.ts
+import { spawnSync } from "child_process";
+import { existsSync as existsSync3, mkdirSync as mkdirSync4, readFileSync as readFileSync2, writeFileSync as writeFileSync3 } from "fs";
+import { dirname as dirname4, resolve as resolve4 } from "path";
+import { resolveMonorepoRoot as resolveMonorepoRoot2 } from "@rig/runtime/control-plane/native/utils";
+var UPSTREAM_VALIDATION_DESCRIPTIONS = {
+  "integration:hg-auth-backport": "Preserves the upstream auth hardening cluster: nonce-backed node-client login, signature-aware JWT verification, shared-token onboarding semantics, and regression coverage.",
+  "integration:hg-core-security-backport": "Preserves the vendored core-app and backend security fixes for OTP validation, NoSQL/operator hardening, AES/encryption behavior, and rate-limit or redirect-state protections.",
+  "integration:hg-boundary-hardening": "Preserves boundary-safe CORS behavior and credential lookup error hygiene across the vendored backend and the extracted credentials-service analogue.",
+  "integration:hg-uudl-runtime": "Preserves the upstream uudl runtime/package fixes: production dependency placement, path-resolution/runtime bootstrap behavior, AWS/MSK environment detection, KMS coverage, and a compiling UUDL tree.",
+  "boundary:hg-auth-triage": "Requires a durable keep/adapt/reject triage record for the post-import auth policy and mobile-wallet SIWE commits so the watcher does not keep rediscovering the same ambiguity.",
+  "boundary:hg-upstream-triage": "Requires a durable keep/adapt/reject triage record for service-relevant upstream commits that do not match the current portable catalog, including commit hashes, touched paths, and follow-up routing decisions."
+};
+var CLUSTERS = {
+  "auth-hardening": {
+    classification: "portable-now",
+    title: "[HG-001] Preserve upstream auth and shared-token hardening across extracted auth work",
+    description: "Backport clearly portable auth changes introduced upstream after imported revision 58b56e15: 3196d5c (node-client login nonce), bb5b74f (JWT signature validation), and 92011ead (shared token verification for wallet signup onboarding). Apply them where they belong in this repo: hp-auth-service, hp-gateway if verification semantics surface there, and the upstream monorepo auth owner flows for the remaining wallet-login/shared-token work. This task must preserve the security behavior, not just copy code. It should explicitly reconcile with bd-k0y-10, bd-k0y-11, bd-k0y-12, and bd-k0y-13.",
+    acceptanceCriteria: "Map upstream commits 3196d5c, bb5b74f, and 92011ead to exact local targets; preserve nonce-backed node-client login, JWT signature validation, and shared-token verification behavior; add automated tests that fail without the hardening; document any deliberate non-ports.",
+    role: "extractor",
+    scope: [
+      "repos/spliter-monorepo/microservices/hp-auth-service/**",
+      "repos/spliter-monorepo/microservices/hp-gateway/**",
+      "repos/spliter-monorepo/humoongate/moongate/core-app/**"
+    ],
+    validation: ["integration:hg-auth-backport", "boundary:changed-files"],
+    validationDescriptions: {
+      "integration:hg-auth-backport": UPSTREAM_VALIDATION_DESCRIPTIONS["integration:hg-auth-backport"]
+    },
+    labels: ["upstream:monorepo", "kind:backport", "cluster:auth"]
+  },
+  "core-security": {
+    classification: "portable-now",
+    title: "[HG-002] Backport core-app and backend security fixes from post-import upstream",
+    description: "Backport the clearly portable security fixes from efdae709 (OTP validation bypass), f63830d (NoSQL operator injection hardening), d7f6919 (AES encryption), and af86ac16 (three critical/high vulnerabilities). Preserve the behavior in the vendored auth owner and the touched backend query surfaces instead of treating these as optional cleanups. The high-value touched files from af86ac16 must be reviewed and ported or consciously waived with rationale.",
+    acceptanceCriteria: "Review and port the exact security behaviors from efdae709, f63830d, d7f6919, and af86ac16; cover the listed core-app and backend touched files; add regression tests for OTP bypass, NoSQL operator injection, AES/encryption behavior, and rate-limit or redirect-state hardening; document any consciously waived upstream changes.",
+    role: "mechanic",
+    scope: [
+      "repos/spliter-monorepo/humoongate/moongate/core-app/**",
+      "repos/spliter-monorepo/humoongate/humanity/hp-backend-ts/**"
+    ],
+    validation: ["integration:hg-core-security-backport", "boundary:changed-files"],
+    validationDescriptions: {
+      "integration:hg-core-security-backport": UPSTREAM_VALIDATION_DESCRIPTIONS["integration:hg-core-security-backport"]
+    },
+    labels: ["upstream:monorepo", "kind:backport", "cluster:security"]
+  },
+  "boundary-hardening": {
+    classification: "portable-now",
+    title: "[HG-003] Backport request-boundary hardening for CORS and credential lookup flows",
+    description: "Backport the clearly portable boundary hardening from 083bbe4 (CORS config) and 36d52fba (credential lookup error hygiene). Preserve request-boundary behavior in the vendored backend and any analogous extracted credential-facing service seams so attackers cannot learn internals from credential lookup failures or exploit inconsistent CORS policy.",
+    acceptanceCriteria: "Port the exact request-boundary behavior from 083bbe4 and 36d52fba; preserve safe CORS policy and credential lookup error hygiene; add tests showing callers do not receive overly detailed credential lookup failures; document any extracted-service analogue that must mirror the behavior.",
+    role: "mechanic",
+    scope: [
+      "repos/spliter-monorepo/humoongate/humanity/hp-backend-ts/**",
+      "repos/spliter-monorepo/microservices/hp-credentials-service/**"
+    ],
+    validation: ["integration:hg-boundary-hardening", "boundary:changed-files"],
+    validationDescriptions: {
+      "integration:hg-boundary-hardening": UPSTREAM_VALIDATION_DESCRIPTIONS["integration:hg-boundary-hardening"]
+    },
+    labels: ["upstream:monorepo", "kind:backport", "cluster:boundary"]
+  },
+  "uudl-runtime": {
+    classification: "portable-now",
+    title: "[HG-004] Backport uudl runtime and packaging fixes from upstream",
+    description: "Backport the clearly portable uudl runtime fixes from 2141b4c, 1fa56d7, a9a0a99, 9fcfa6e, and ea5cb03. Preserve the runtime behavior rather than cherry-picking filenames: production dependency placement, tsconfig-paths resolution, aggregator cycle removal, AWS/MSK environment detection, and local KMS wiring all need to be reflected in whichever UUDL runtime this repo still owns.",
+    acceptanceCriteria: "Port the runtime behaviors from 2141b4c, 1fa56d7, a9a0a99, 9fcfa6e, and ea5cb03; preserve production dependency placement, tsconfig-paths runtime resolution, aggregator cycle removal, AWS/MSK environment detection, and local KMS configuration; add runtime-focused tests or smoke coverage for each preserved behavior.",
+    role: "extractor",
+    scope: ["repos/spliter-monorepo/humoongate/humanity/hp-uudl/**"],
+    validation: ["integration:hg-uudl-runtime", "boundary:changed-files"],
+    validationDescriptions: {
+      "integration:hg-uudl-runtime": UPSTREAM_VALIDATION_DESCRIPTIONS["integration:hg-uudl-runtime"]
+    },
+    labels: ["upstream:monorepo", "kind:backport", "cluster:uudl"]
+  },
+  "auth-triage": {
+    classification: "needs-human-triage",
+    title: "[HG-005] Triage post-import auth policy deltas and mobile-wallet SIWE changes",
+    description: "Review the upstream changes that are relevant but not safely auto-portable: 1262b75 (JWT_EXPIRES_IN 1d -> 7d), 15036424 (unlink-wallet endpoint and Wallet.default fix), and d4a47015 (unlink-wallet error handling). Produce an explicit keep/adapt/reject decision for each commit with rationale tied to the extracted auth plan, core-app ownership, and current threat model, and record the result in artifacts/bd-2ztk.5/decision-log.md so future agents do not silently re-litigate these decisions.",
+    acceptanceCriteria: "For 1262b75, 15036424, and d4a47015, produce explicit keep/adapt/reject decisions with rationale tied to auth ownership and threat model; record the decision in artifacts/bd-2ztk.5/decision-log.md; identify any follow-on implementation tasks if the answer is keep or adapt.",
+    role: "architect",
+    scope: ["artifacts/bd-2ztk.5/**", "docs/research/**"],
+    validation: ["boundary:hg-auth-triage"],
+    validationDescriptions: {
+      "boundary:hg-auth-triage": UPSTREAM_VALIDATION_DESCRIPTIONS["boundary:hg-auth-triage"]
+    },
+    labels: ["upstream:monorepo", "kind:backport", "cluster:triage"]
+  },
+  "generic-triage": {
+    classification: "needs-human-triage",
+    title: "[HG-007] Triage uncatalogued service-relevant upstream commits",
+    description: "Review future upstream commits that touch service-relevant paths but do not match the current portable-now catalog. For each commit or batch, produce keep/adapt/reject decisions with rationale, cite the touched paths and why they matter here, and either route them into an existing backport task or open a new follow-up task when they are worth preserving.",
+    acceptanceCriteria: "For each uncatalogued service-relevant upstream commit or batch, record keep/adapt/reject decisions with rationale in artifacts/bd-2ztk.7/decision-log.md; cite the commit hashes and touched paths; and either attach the work to an existing backport task or open a new follow-up task when preservation is warranted.",
+    role: "architect",
+    scope: ["artifacts/bd-2ztk.7/**", "docs/research/**"],
+    validation: ["boundary:hg-upstream-triage"],
+    validationDescriptions: {
+      "boundary:hg-upstream-triage": UPSTREAM_VALIDATION_DESCRIPTIONS["boundary:hg-upstream-triage"]
+    },
+    labels: ["upstream:monorepo", "kind:backport", "cluster:triage"]
+  }
+};
+var RELEVANT_PREFIXES = [
+  "humanity/hp-backend-ts/",
+  "humanity/hp-dev-api/",
+  "humanity/hp-uudl/",
+  "moongate/core-app/",
+  "moongate/models/",
+  "packages/",
+  "shared-migrations/"
+];
+var IGNORE_PATTERNS = [
+  /hp-next|dashboard|frontend/i,
+  /CODEOWNERS|CodeRabbit|security-workflow|workflow housekeeping/i,
+  /npm registry|workspace packages to npm/i,
+  /bulk event|organizer/i
+];
+function parseImportedUpstreamRevision(doc, upstreamName = "upstream") {
+  const sectionPattern = new RegExp(`##\\s+${upstreamName}\\b([\\s\\S]*?)(?:\\n##\\s+|$)`, "i");
+  const sectionMatch = doc.match(sectionPattern);
+  if (!sectionMatch) {
+    return null;
+  }
+  const revisionMatch = sectionMatch[1]?.match(/Imported revision:\s*`([0-9a-f]{40})`/i);
+  return revisionMatch?.[1] ?? null;
+}
+function normalizeGitResult(result) {
+  return {
+    exitCode: result.status ?? 1,
+    stdout: typeof result.stdout === "string" ? result.stdout : result.stdout?.toString("utf8") ?? "",
+    stderr: typeof result.stderr === "string" ? result.stderr : result.stderr?.toString("utf8") ?? ""
+  };
+}
+function defaultGitRunner(repoRoot, args) {
+  return normalizeGitResult(spawnSync("git", ["-C", repoRoot, ...args], {
+    encoding: "utf8"
+  }));
+}
+function upstreamStatePath(projectRoot, override) {
+  if (override) {
+    return resolve4(override);
+  }
+  return resolve4(resolveRigServerPaths(projectRoot).stateDir, "inspector", "upstream-sync.json");
+}
+function readUpstreamState(projectRoot, statePath) {
+  const path = upstreamStatePath(projectRoot, statePath);
+  if (!existsSync3(path)) {
+    return null;
+  }
+  try {
+    return JSON.parse(readFileSync2(path, "utf-8"));
+  } catch {
+    return null;
+  }
+}
+function writeUpstreamState(projectRoot, state, statePath) {
+  const path = upstreamStatePath(projectRoot, statePath);
+  mkdirSync4(dirname4(path), { recursive: true });
+  writeFileSync3(path, `${JSON.stringify(state, null, 2)}
+`, "utf8");
+}
+function readImportedRevision(projectRoot, upstreamsDocPath) {
+  const monorepoRoot = resolveMonorepoRoot2(projectRoot);
+  const docPath = upstreamsDocPath ? resolve4(upstreamsDocPath) : resolve4(monorepoRoot, "docs", "UPSTREAMS.md");
+  if (!existsSync3(docPath)) {
+    throw new Error(`UPSTREAMS.md not found at ${docPath}`);
+  }
+  const docContent = readFileSync2(docPath, "utf-8");
+  const revision = parseImportedUpstreamRevision(docContent, "upstream") ?? parseImportedUpstreamRevision(docContent, "humoongate");
+  if (!revision) {
+    throw new Error(`Failed to parse upstream imported revision from ${docPath}`);
+  }
+  return revision;
+}
+function resolveRemoteBranch(repoRoot, remote, gitRunner) {
+  const symbolic = gitRunner(repoRoot, ["symbolic-ref", `refs/remotes/${remote}/HEAD`]);
+  const symbolicRef = symbolic.stdout.trim();
+  if (symbolic.exitCode === 0 && symbolicRef.length > 0) {
+    return symbolicRef.replace(/^refs\/remotes\//, "");
+  }
+  for (const fallback of [`${remote}/main`, `${remote}/master`]) {
+    const showRef = gitRunner(repoRoot, ["show-ref", "--verify", `refs/remotes/${fallback}`]);
+    if (showRef.exitCode === 0) {
+      return fallback;
+    }
+  }
+  return null;
+}
+function isGitCheckout(path, gitRunner) {
+  if (!existsSync3(resolve4(path, ".git"))) {
+    return false;
+  }
+  const result = gitRunner(path, ["rev-parse", "--is-inside-work-tree"]);
+  return result.exitCode === 0 && result.stdout.trim() === "true";
+}
+function resolveUpstreamCheckout(projectRoot, explicitCheckout, gitRunner) {
+  const monorepoRoot = resolveMonorepoRoot2(projectRoot);
+  const candidates = [
+    explicitCheckout ? resolve4(explicitCheckout) : "",
+    process.env.UPSTREAM_CHECKOUT?.trim() ? resolve4(process.env.UPSTREAM_CHECKOUT.trim()) : "",
+    process.env.HUMOONGATE_UPSTREAM_CHECKOUT?.trim() ? resolve4(process.env.HUMOONGATE_UPSTREAM_CHECKOUT.trim()) : "",
+    resolve4(projectRoot, "..", "humoongate"),
+    resolve4(monorepoRoot, "..", "humoongate"),
+    resolve4(monorepoRoot, "humoongate")
+  ].filter(Boolean);
+  for (const candidate of candidates) {
+    if (isGitCheckout(candidate, gitRunner)) {
+      return candidate;
+    }
+  }
+  throw new Error(`Unable to locate an authoritative upstream checkout. Checked: ${candidates.join(", ")}`);
+}
+function parseCommitLog(output) {
+  const commits = [];
+  let current = null;
+  for (const rawLine of output.split(/\r?\n/)) {
+    const line = rawLine.trim();
+    if (line === "__COMMIT__") {
+      if (current) {
+        commits.push(current);
+      }
+      current = null;
+      continue;
+    }
+    if (!line) {
+      continue;
+    }
+    if (!current) {
+      const [sha, date, ...rest] = line.split("\t");
+      if (!sha || !date) {
+        continue;
+      }
+      current = {
+        sha,
+        date,
+        summary: rest.join("\t").trim(),
+        paths: []
+      };
+      continue;
+    }
+    current.paths.push(line);
+  }
+  if (current) {
+    commits.push(current);
+  }
+  return commits;
+}
+function relevantPaths(paths) {
+  return paths.filter((path) => RELEVANT_PREFIXES.some((prefix) => path.startsWith(prefix)));
+}
+function classifyCommit(commit) {
+  const summary = commit.summary.toLowerCase();
+  const paths = relevantPaths(commit.paths);
+  const pathText = paths.join(" ").toLowerCase();
+  const signature = `${summary}
+${pathText}`;
+  if (IGNORE_PATTERNS.some((pattern) => pattern.test(signature))) {
+    return { classification: "ignore", clusterKey: null };
+  }
+  if (/jwt_expires_in|unlink-wallet|mobile wallet|siwe endpoint/i.test(signature)) {
+    return { classification: "needs-human-triage", clusterKey: "auth-triage" };
+  }
+  if (/node-client login use nonce|jwt signature validation|shared token verification|wallet signup onboarding/i.test(signature)) {
+    return { classification: "portable-now", clusterKey: "auth-hardening" };
+  }
+  if (/otp validation bypass|otp queries|aes encryption|critical\/high vulnerabilities|redirect jwt steal/i.test(signature)) {
+    return { classification: "portable-now", clusterKey: "core-security" };
+  }
+  if (/cors config|credential lookup errors/i.test(signature)) {
+    return { classification: "portable-now", clusterKey: "boundary-hardening" };
+  }
+  if (paths.some((path) => path.startsWith("humanity/hp-uudl/")) && /tsconfig-paths|circular dependency|msk|kms port|runtime|production dependenc/i.test(signature)) {
+    return { classification: "portable-now", clusterKey: "uudl-runtime" };
+  }
+  if (paths.length > 0) {
+    return { classification: "needs-human-triage", clusterKey: "generic-triage" };
+  }
+  return { classification: "ignore", clusterKey: null };
+}
+function scanUpstream(options) {
+  const now = options.now ?? (() => new Date().toISOString());
+  const gitRunner = options.gitRunner ?? defaultGitRunner;
+  const remote = options.remote ?? "origin";
+  const baselineSha = options.baselineSha ?? readImportedRevision(options.projectRoot, options.upstreamsDocPath);
+  const checkoutPath = resolveUpstreamCheckout(options.projectRoot, options.explicitCheckout, gitRunner);
+  if (options.fetch !== false) {
+    const fetchResult = gitRunner(checkoutPath, ["fetch", remote]);
+    if (fetchResult.exitCode !== 0) {
+      throw new Error(`Failed to fetch ${remote} in ${checkoutPath}: ${fetchResult.stderr || fetchResult.stdout}`);
+    }
+  }
+  const branch = options.branch ?? resolveRemoteBranch(checkoutPath, remote, gitRunner);
+  if (!branch) {
+    throw new Error(`Failed to resolve tracked branch for remote ${remote} in ${checkoutPath}`);
+  }
+  const headResult = gitRunner(checkoutPath, ["rev-parse", branch]);
+  if (headResult.exitCode !== 0 || !headResult.stdout.trim()) {
+    throw new Error(`Failed to resolve latest upstream head for ${branch}: ${headResult.stderr || headResult.stdout}`);
+  }
+  const latestHeadSha = headResult.stdout.trim();
+  const state = readUpstreamState(options.projectRoot, options.statePath);
+  let sinceSha = state?.lastProcessedCommit || baselineSha;
+  const ancestorCheck = gitRunner(checkoutPath, ["merge-base", "--is-ancestor", sinceSha, branch]);
+  if (ancestorCheck.exitCode !== 0) {
+    sinceSha = baselineSha;
+  }
+  const logResult = gitRunner(checkoutPath, [
+    "log",
+    "--reverse",
+    "--date=short",
+    "--name-only",
+    "--pretty=format:__COMMIT__%n%H%x09%cs%x09%s",
+    `${sinceSha}..${branch}`
+  ]);
+  if (logResult.exitCode !== 0) {
+    throw new Error(`Failed to collect upstream commits: ${logResult.stderr || logResult.stdout}`);
+  }
+  const commits = parseCommitLog(logResult.stdout);
+  const grouped = new Map;
+  for (const commit of commits) {
+    const classification = classifyCommit(commit);
+    if (!classification.clusterKey) {
+      continue;
+    }
+    const existing = grouped.get(classification.clusterKey) ?? [];
+    existing.push(commit);
+    grouped.set(classification.clusterKey, existing);
+  }
+  const findings = Array.from(grouped.entries()).map(([clusterKey, clusterCommits]) => {
+    const definition = CLUSTERS[clusterKey];
+    const newestCommit = clusterCommits[clusterCommits.length - 1];
+    return {
+      key: `upstream:${definition.classification}:${clusterKey}:${newestCommit.sha}`,
+      summary: definition.title,
+      details: {
+        remote,
+        branch,
+        checkoutPath,
+        baselineSha,
+        sinceSha,
+        latestHeadSha,
+        classification: definition.classification,
+        clusterKey,
+        description: definition.description,
+        acceptanceCriteria: definition.acceptanceCriteria,
+        role: definition.role,
+        scope: definition.scope,
+        validation: definition.validation,
+        validationDescriptions: definition.validationDescriptions,
+        labels: definition.labels,
+        commits: clusterCommits.map((commit) => ({
+          sha: commit.sha,
+          date: commit.date,
+          summary: commit.summary,
+          paths: relevantPaths(commit.paths)
+        }))
+      }
+    };
+  });
+  const groupedCommitCount = Array.from(grouped.values()).reduce((sum, clusterCommits) => sum + clusterCommits.length, 0);
+  return {
+    baselineSha,
+    sinceSha,
+    latestHeadSha,
+    checkoutPath,
+    remote,
+    branch,
+    scannedCommitCount: commits.length,
+    ignoredCommitCount: Math.max(0, commits.length - groupedCommitCount),
+    findings,
+    statePath: upstreamStatePath(options.projectRoot, options.statePath)
+  };
+}
+async function runUpstreamSyncScan(options) {
+  const now = options.now ?? (() => new Date().toISOString());
+  const startedAt = now();
+  let followupCount = 0;
+  const createdTaskIds = [];
+  for (const finding of options.findings) {
+    const existingFollowup = options.journal.getFollowupByDedupeKey(finding.key);
+    if (!existingFollowup) {
+      const result = options.journal.appendFollowup({
+        id: `upstream-followup:${finding.key}`,
+        originRunId: null,
+        dedupeKey: finding.key,
+        taskId: null,
+        kind: "upstream-drift",
+        status: "proposed",
+        summary: finding.summary,
+        details: finding.details ?? null,
+        createdAt: startedAt
+      });
+      if (!result.ok) {
+        throw new Error(`Failed to record upstream follow-up ${finding.key}: ${result.error}`);
+      }
+      if (result.changed) {
+        followupCount += 1;
+      }
+    }
+    const followup = options.journal.getFollowupByDedupeKey(finding.key);
+    if (options.createTask && followup?.taskId == null) {
+      const created = await options.createTask(finding);
+      if (created.taskId) {
+        createdTaskIds.push(created.taskId);
+        const attachment = options.journal.attachFollowupTask({
+          dedupeKey: finding.key,
+          taskId: created.taskId,
+          status: "created",
+          details: finding.details && created.details ? { ...finding.details, followupTask: created.details } : created.details ?? finding.details ?? null
+        });
+        if (!attachment.ok) {
+          throw new Error(`Failed to attach task ${created.taskId} to upstream follow-up ${finding.key}: ${attachment.error}`);
+        }
+      }
+    }
+  }
+  const summary = options.findings.length === 0 ? "No upstream drift findings" : `Detected ${options.findings.length} upstream drift finding(s)`;
+  options.journal.appendUpstreamSyncScan({
+    id: options.scanId,
+    dedupeKey: options.scanId,
+    startedAt,
+    completedAt: startedAt,
+    status: "completed",
+    summary,
+    details: {
+      findingKeys: options.findings.map((finding) => finding.key),
+      followupCount,
+      createdTaskIds
+    }
+  });
+  return {
+    status: "completed",
+    summary,
+    followupCount,
+    createdTaskIds
+  };
+}
+
+// packages/server/src/server-helpers/normalizers.ts
+function normalizeString2(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function normalizeStringArray(value) {
+  return Array.isArray(value) ? value.map((entry) => normalizeString2(entry)).filter((entry) => entry !== null) : [];
+}
+
+// packages/server/src/server-helpers/task-config.ts
+import { existsSync as existsSync4 } from "fs";
+async function readTaskConfig(projectRoot) {
+  const taskConfigPath = resolveRigServerPaths(projectRoot).taskConfigPath;
+  if (!existsSync4(taskConfigPath)) {
+    return {};
+  }
+  try {
+    const parsed = await Bun.file(taskConfigPath).json();
+    return parsed ?? {};
+  } catch {
+    return {};
+  }
+}
+
+// packages/server/src/server-helpers/inspector-jobs.ts
+function nextInspectorTaskId(existingIds, timestamp) {
+  const datePart = timestamp.slice(0, 10).replace(/-/g, "");
+  let sequence = 1;
+  while (true) {
+    const candidate = `bd-inspector-${datePart}-${String(sequence).padStart(2, "0")}`;
+    if (!existingIds.has(candidate)) {
+      return candidate;
+    }
+    sequence += 1;
+  }
+}
+function normalizeValidationDescriptions(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return {};
+  }
+  const entries = Object.entries(value).filter((entry) => typeof entry[0] === "string" && typeof entry[1] === "string").map(([key, description]) => [key.trim(), description.trim()]).filter(([key, description]) => key.length > 0 && description.length > 0);
+  return Object.fromEntries(entries);
+}
+function resolveFollowupSourceCommit(input) {
+  const details = input.details && typeof input.details === "object" && !Array.isArray(input.details) ? input.details : null;
+  return normalizeString2(input.sourceCommit) ?? normalizeString2(details?.latestHeadSha) ?? normalizeString2(details?.latestSha) ?? normalizeString2(details?.sourceCommit) ?? normalizeString2(details?.headSha) ?? undefined;
+}
+async function createInspectorFollowupTask(projectRoot, input) {
+  const monorepoRoot = resolveMonorepoRoot3(projectRoot);
+  const issuesPath = resolve5(monorepoRoot, ".beads", "issues.jsonl");
+  const taskStatePath = resolve5(monorepoRoot, ".beads", "task-state.json");
+  const taskConfigPath = resolve5(monorepoRoot, ".rig", "task-config.json");
+  mkdirSync5(dirname5(issuesPath), { recursive: true });
+  mkdirSync5(dirname5(taskConfigPath), { recursive: true });
+  const summary = normalizeString2(input.summary) ?? "Inspector follow-up";
+  const description = normalizeString2(input.description) ?? normalizeString2(input.details?.description) ?? `Created by the global inspector: ${summary}`;
+  const acceptanceCriteria = normalizeString2(input.acceptanceCriteria) ?? "Investigate the detected drift and port the relevant changes into Rig.";
+  const role = normalizeString2(input.role) ?? "mechanic";
+  const scope = normalizeStringArray(input.scope).concat(normalizeStringArray(input.details?.scope)).filter(Boolean);
+  const validation = normalizeStringArray(input.validation).concat(normalizeStringArray(input.details?.validation)).filter(Boolean);
+  const validationDescriptions = {
+    ...normalizeValidationDescriptions(input.validationDescriptions),
+    ...normalizeValidationDescriptions(input.details?.validationDescriptions)
+  };
+  const labels = [
+    "origin:inspector",
+    "workflow:inspector-followup",
+    ...normalizeStringArray(input.labels)
+  ];
+  const sourceKey = normalizeString2(input.sourceKey) ?? normalizeString2(input.details?.sourceKey);
+  const createdAt = normalizeString2(input.createdAt) ?? new Date().toISOString();
+  const status = normalizeTaskLifecycleStatus(normalizeString2(input.status) ?? "open") ?? "open";
+  const existingIssueLines = existsSync5(issuesPath) ? readFileSync3(issuesPath, "utf8").split(/\r?\n/).map((line) => line.trim()).filter(Boolean) : [];
+  const existingIssues = existingIssueLines.map((line) => {
+    try {
+      return JSON.parse(line);
+    } catch {
+      return null;
+    }
+  }).filter((value) => value !== null);
+  const existingIds = new Set(existingIssues.map((issue) => typeof issue.id === "string" ? issue.id : null).filter((value) => value !== null));
+  const rawTaskState = existsSync5(taskStatePath) ? readJsonFile(taskStatePath, {}) : {};
+  const tasks = rawTaskState.tasks && typeof rawTaskState.tasks === "object" && !Array.isArray(rawTaskState.tasks) ? rawTaskState.tasks : {};
+  const existingTaskIdFromSourceKey = sourceKey == null ? null : Object.entries(tasks).find(([, metadata]) => {
+    if (!metadata || typeof metadata !== "object" || Array.isArray(metadata)) {
+      return false;
+    }
+    return normalizeString2(metadata.sourceKey) === sourceKey;
+  })?.[0] ?? null;
+  const existingIssue = (existingTaskIdFromSourceKey ? existingIssues.find((issue) => normalizeString2(issue.id) === existingTaskIdFromSourceKey && normalizeString2(issue.status) !== "closed") : null) ?? existingIssues.find((issue) => normalizeString2(issue.title) === summary && normalizeString2(issue.status) !== "closed");
+  const taskId = normalizeString2(existingIssue?.id) ?? existingTaskIdFromSourceKey ?? nextInspectorTaskId(existingIds, createdAt);
+  const mergedLabels = Array.from(new Set([
+    ...normalizeStringArray(existingIssue?.labels),
+    ...labels
+  ]));
+  if (!existingIssue) {
+    const issueRecord = {
+      id: taskId,
+      title: summary,
+      description,
+      acceptance_criteria: acceptanceCriteria,
+      status,
+      issue_type: "task",
+      created_at: createdAt,
+      updated_at: createdAt,
+      labels: mergedLabels
+    };
+    writeFileSync4(issuesPath, existingIssueLines.length > 0 ? `${existingIssueLines.join(`
+`)}
+${JSON.stringify(issueRecord)}
+` : `${JSON.stringify(issueRecord)}
+`, "utf8");
+  } else {
+    const updatedIssues = existingIssues.map((issue) => {
+      if (normalizeString2(issue.id) !== taskId) {
+        return issue;
+      }
+      return {
+        ...issue,
+        description,
+        acceptance_criteria: acceptanceCriteria,
+        updated_at: createdAt,
+        labels: mergedLabels
+      };
+    });
+    writeFileSync4(issuesPath, `${updatedIssues.map((issue) => JSON.stringify(issue)).join(`
+`)}
+`, "utf8");
+  }
+  const taskConfig = await readTaskConfig(projectRoot);
+  const meta = taskConfig._meta && typeof taskConfig._meta === "object" && !Array.isArray(taskConfig._meta) ? taskConfig._meta : {};
+  const existingDescriptions = normalizeValidationDescriptions(meta.validation_descriptions);
+  taskConfig[taskId] = {
+    role,
+    description,
+    acceptance_criteria: acceptanceCriteria,
+    scope: scope.length > 0 ? scope : [`artifacts/${taskId}/**`],
+    validation: validation.length > 0 ? validation : ["boundary:changed-files"]
+  };
+  if (Object.keys({ ...existingDescriptions, ...validationDescriptions }).length > 0) {
+    taskConfig._meta = {
+      ...meta,
+      validation_descriptions: {
+        ...existingDescriptions,
+        ...validationDescriptions
+      }
+    };
+  }
+  writeFileSync4(taskConfigPath, `${JSON.stringify(taskConfig, null, 2)}
+`, "utf8");
+  tasks[taskId] = {
+    status,
+    sourceCommit: resolveFollowupSourceCommit(input),
+    ...sourceKey ? { sourceKey } : {}
+  };
+  writeFileSync4(taskStatePath, `${JSON.stringify({
+    schemaVersion: 1,
+    baseTrackerCommit: typeof rawTaskState.baseTrackerCommit === "string" ? rawTaskState.baseTrackerCommit : null,
+    tasks
+  }, null, 2)}
+`, "utf8");
+  return {
+    status: "completed",
+    summary: `${existingIssue ? "Reused" : "Created"} inspector follow-up task ${taskId}`,
+    details: {
+      taskId,
+      status,
+      role,
+      scope: taskConfig[taskId]?.scope ?? [],
+      validation: taskConfig[taskId]?.validation ?? []
+    }
+  };
+}
+async function runInspectorLocalReview(projectRoot, input) {
+  const taskId = normalizeString2(input.taskId);
+  if (!taskId) {
+    return {
+      status: "unavailable",
+      summary: "Local review requires a taskId",
+      details: null
+    };
+  }
+  const [{ RuntimeEventBus }, { PluginManager }, { verifyTask }] = await Promise.all([
+    import("@rig/runtime/control-plane/runtime/events"),
+    import("@rig/runtime/control-plane/runtime/plugins"),
+    import("@rig/runtime/control-plane/native/verifier")
+  ]);
+  const eventBus = new RuntimeEventBus({ projectRoot, runId: `inspector-review:${taskId}` });
+  const plugins = await PluginManager.load({
+    projectRoot,
+    runId: `inspector-review:${taskId}`,
+    eventBus
+  });
+  const outcome = await verifyTask({
+    projectRoot,
+    taskId,
+    plugins,
+    skipAiReview: true
+  });
+  return {
+    status: outcome.approved ? "completed" : "failed",
+    summary: outcome.approved ? `Local review approved for ${taskId}` : `Local review rejected for ${taskId}`,
+    details: outcome
+  };
+}
+async function runInspectorUpstreamSync(projectRoot, journal, input) {
+  const scanId = normalizeString2(input.scanId) ?? `scheduled:${new Date().toISOString().slice(0, 10)}`;
+  try {
+    const scan = scanUpstream({ projectRoot });
+    const result = await runUpstreamSyncScan({
+      journal,
+      scanId,
+      findings: scan.findings,
+      createTask: (finding) => {
+        const details = finding.details ?? {};
+        const commitSummary = typeof details.commits === "object" && Array.isArray(details.commits) ? [
+          `Upstream remote: ${String(details.remote ?? "")}`,
+          `Tracked branch: ${String(details.branch ?? "")}`,
+          `Imported baseline: ${String(details.baselineSha ?? "")}`,
+          `Scanned since: ${String(details.sinceSha ?? "")}`,
+          "",
+          "Recent upstream commits:",
+          ...details.commits.map((commit) => `- ${(commit.sha ?? "").slice(0, 12)} ${commit.date ?? ""} ${commit.summary ?? ""}`.trim())
+        ].join(`
+`) : "";
+        return createInspectorFollowupTask(projectRoot, {
+          summary: finding.summary,
+          description: [normalizeString2(details.description) ?? "", commitSummary].filter(Boolean).join(`
+
+`),
+          acceptanceCriteria: normalizeString2(details.acceptanceCriteria),
+          sourceCommit: normalizeString2(details.latestHeadSha),
+          sourceKey: finding.key,
+          details,
+          scope: Array.isArray(details.scope) ? details.scope : [],
+          validation: Array.isArray(details.validation) ? details.validation : [],
+          validationDescriptions: details.validationDescriptions && typeof details.validationDescriptions === "object" && !Array.isArray(details.validationDescriptions) ? details.validationDescriptions : undefined,
+          labels: [
+            ...normalizeStringArray(details.labels),
+            `remote:${String(details.remote ?? "unknown")}`,
+            `classification:${String(details.classification ?? "unknown")}`,
+            "kind:upstream-drift"
+          ]
+        }).then((taskResult) => ({
+          taskId: taskResult.details && typeof taskResult.details === "object" && !Array.isArray(taskResult.details) && typeof taskResult.details.taskId === "string" ? taskResult.details.taskId : null,
+          details: taskResult.details && typeof taskResult.details === "object" && !Array.isArray(taskResult.details) ? taskResult.details : null
+        }));
+      }
+    });
+    writeUpstreamState(projectRoot, {
+      baselineSha: scan.baselineSha,
+      lastProcessedCommit: scan.latestHeadSha,
+      latestHeadSha: scan.latestHeadSha,
+      checkoutPath: scan.checkoutPath,
+      branch: scan.branch,
+      updatedAt: new Date().toISOString()
+    }, scan.statePath);
+    return {
+      status: result.status,
+      summary: result.summary,
+      details: {
+        baselineSha: scan.baselineSha,
+        sinceSha: scan.sinceSha,
+        latestHeadSha: scan.latestHeadSha,
+        checkoutPath: scan.checkoutPath,
+        branch: scan.branch,
+        scannedCommitCount: scan.scannedCommitCount,
+        ignoredCommitCount: scan.ignoredCommitCount,
+        followupCount: result.followupCount,
+        createdTaskIds: result.createdTaskIds
+      }
+    };
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    if (/Unable to locate an authoritative upstream checkout/i.test(message)) {
+      return {
+        status: "completed",
+        summary: "No upstream drift findings",
+        details: {
+          checkoutMissing: true,
+          reason: message,
+          followupCount: 0,
+          createdTaskIds: []
+        }
+      };
+    }
+    return {
+      status: "failed",
+      summary: `Upstream sync failed: ${message}`,
+      details: null
+    };
+  }
+}
+function createServerInspector(projectRoot, scheduleOptions = {}) {
+  try {
+    const journal = createInspectorJournal({ projectRoot });
+    const service = createGlobalInspectorService({
+      projectRoot,
+      journal,
+      upstreamSyncMs: scheduleOptions.upstreamSyncMs,
+      upstreamSyncOnStart: scheduleOptions.upstreamSyncOnStart,
+      reviewRunner: (input) => runInspectorLocalReview(projectRoot, input),
+      followupTaskRunner: (input) => createInspectorFollowupTask(projectRoot, input),
+      upstreamSyncRunner: (input) => runInspectorUpstreamSync(projectRoot, journal, input),
+      analysisRunner: async (input) => summarizeInspectorJournal({
+        journal,
+        reportId: typeof input.reportId === "string" && input.reportId.trim().length > 0 ? input.reportId : `analysis:${new Date().toISOString()}`,
+        reportType: typeof input.reportType === "string" && input.reportType.trim().length > 0 ? input.reportType : "run-health"
+      })
+    });
+    service.reconcileOnce("startup");
+    return service;
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    console.error(`[server] inspector bootstrap failed: ${message}`);
+    return null;
+  }
+}
+function createServerInspectorAgent(projectRoot, inspector) {
+  if (!inspector) {
+    return null;
+  }
+  try {
+    const journal = createInspectorJournal({ projectRoot });
+    const catalog = buildInspectorSkillCatalog({
+      role: "inspector",
+      taskKind: "code-change"
+    });
+    return createInspectorAgentRuntime({
+      projectRoot,
+      journal,
+      snapshotProvider: () => inspector.snapshot(),
+      invokeDynamicTool: (name, input) => inspector.invokeTool(name, input),
+      requiredSkills: catalog.required,
+      recommendedSkills: catalog.recommended
+    });
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    console.error(`[server] inspector agent bootstrap failed: ${message}`);
+    return null;
+  }
+}
+export {
+  runInspectorUpstreamSync,
+  runInspectorLocalReview,
+  resolveFollowupSourceCommit,
+  normalizeValidationDescriptions,
+  nextInspectorTaskId,
+  createServerInspectorAgent,
+  createServerInspector,
+  createInspectorFollowupTask
+};