@h-rig/server 0.0.6-alpha.0

package/dist/src/server-helpers/ws-router.js

@@ -0,0 +1,1308 @@
+// @bun
+// packages/server/src/server-helpers/ws-router.ts
+import {
+  ORCHESTRATION_WS_CHANNELS,
+  ORCHESTRATION_WS_METHODS,
+  RIG_WS_METHODS,
+  WS_METHODS
+} from "@rig/contracts";
+import {
+  listManagedRemoteEndpoints as listManagedRemoteEndpoints2,
+  removeManagedRemoteEndpoint as removeManagedRemoteEndpoint2,
+  resolveRemoteEndpoint as resolveRemoteEndpoint2,
+  upsertManagedRemoteEndpoint as upsertManagedRemoteEndpoint2,
+  RemoteWsClient as RemoteWsClient2
+} from "@rig/runtime/control-plane/remote";
+import { deleteRunState } from "@rig/runtime/control-plane/native/run-ops";
+import { readAuthorityRun as readAuthorityRun8 } from "@rig/runtime/control-plane/authority-files";
+
+// packages/server/src/server.ts
+import {
+  listAuthorityArtifactRoots,
+  listAuthorityRuns as listAuthorityRuns7,
+  readJsonFile as readJsonFile4,
+  readJsonlFile as readJsonlFile3
+} from "@rig/runtime/control-plane/authority-files";
+import { normalizeTaskLifecycleStatus as normalizeTaskLifecycleStatus3 } from "@rig/runtime/control-plane/state-sync/types";
+import {
+  readWorkspaceSummary
+} from "@rig/runtime/control-plane/native/workspace-ops";
+import { resolveMonorepoRoot as resolveMonorepoRoot6 } from "@rig/runtime/control-plane/native/utils";
+
+// packages/server/src/bootstrap.ts
+import { RIG_DEFINITION_DIRNAME, resolveMonorepoRoot } from "@rig/runtime";
+
+// packages/server/src/websocket.ts
+import {
+  WS_CHANNELS
+} from "@rig/contracts";
+
+// packages/server/src/server-helpers/normalizers.ts
+function normalizeString(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+
+// packages/server/src/server-helpers/run-io.ts
+import { dirname, resolve } from "path";
+import { closeSync, existsSync, mkdirSync, openSync, readSync, statSync, writeFileSync } from "fs";
+import { createReadStream } from "fs";
+import { createInterface } from "readline";
+import {
+  listAuthorityRuns,
+  readAuthorityRun,
+  readJsonlFile,
+  resolveAuthorityRunDir
+} from "@rig/runtime/control-plane/authority-files";
+function writeRunJsonlFile(projectRoot, runId, fileName, rows) {
+  const filePath = resolve(resolveAuthorityRunDir(projectRoot, runId), fileName);
+  mkdirSync(dirname(filePath), { recursive: true });
+  const next = rows.map((row) => JSON.stringify(row)).join(`
+`);
+  writeFileSync(filePath, next.length > 0 ? `${next}
+` : "", "utf8");
+}
+function resolveApproval(projectRoot, input) {
+  const approvalsPath = resolve(resolveAuthorityRunDir(projectRoot, input.runId), "approvals.jsonl");
+  const approvals = readJsonlFile(approvalsPath);
+  const resolvedAt = new Date().toISOString();
+  const rows = approvals.map((entry) => entry.requestId === input.requestId || entry.id === input.requestId ? {
+    ...entry,
+    status: "resolved",
+    decision: input.decision,
+    note: input.note ?? null,
+    resolvedAt
+  } : entry);
+  writeRunJsonlFile(projectRoot, input.runId, "approvals.jsonl", rows);
+  return { ok: true, runId: input.runId, requestId: input.requestId, decision: input.decision };
+}
+function respondToUserInput(projectRoot, input) {
+  const requestsPath = resolve(resolveAuthorityRunDir(projectRoot, input.runId), "user-input.jsonl");
+  const requests = readJsonlFile(requestsPath);
+  const resolvedAt = new Date().toISOString();
+  const rows = requests.map((entry) => entry.requestId === input.requestId || entry.id === input.requestId ? {
+    ...entry,
+    status: "resolved",
+    answers: input.answers,
+    respondedAt: resolvedAt,
+    resolvedAt
+  } : entry);
+  writeRunJsonlFile(projectRoot, input.runId, "user-input.jsonl", rows);
+  return { ok: true, runId: input.runId, requestId: input.requestId, answers: input.answers };
+}
+function runLogsPath(projectRoot, runId) {
+  return resolve(resolveAuthorityRunDir(projectRoot, runId), "logs.jsonl");
+}
+function parseJsonlRecords(lines) {
+  return lines.map((line) => line.trim()).filter(Boolean).flatMap((line) => {
+    try {
+      return [JSON.parse(line)];
+    } catch {
+      return [];
+    }
+  });
+}
+function readJsonlFileTail(path, options) {
+  const limit = Math.max(0, Math.trunc(options.limit));
+  if (limit === 0 || !existsSync(path))
+    return [];
+  const maxBytes = Math.max(1024, Math.trunc(options.maxBytes ?? 256 * 1024));
+  const size = statSync(path).size;
+  if (size === 0)
+    return [];
+  const start = Math.max(0, size - maxBytes);
+  const length = size - start;
+  const buffer = Buffer.alloc(length);
+  const fd = openSync(path, "r");
+  try {
+    readSync(fd, buffer, 0, length, start);
+  } finally {
+    closeSync(fd);
+  }
+  const text = buffer.toString("utf8");
+  const lines = text.split(/\r?\n/);
+  const completeLines = start > 0 ? lines.slice(1) : lines;
+  return parseJsonlRecords(completeLines.filter(Boolean).slice(-limit));
+}
+var INITIAL_RUN_LOG_TAIL_MAX_BYTES = 8 * 1024 * 1024;
+async function readRunLogsPage(projectRoot, runId, options = {}) {
+  const limit = Math.max(1, Math.min(Math.trunc(options.limit ?? 200), 500));
+  const cursor = options.cursor == null ? null : Number.parseInt(options.cursor, 10);
+  const logsPath = runLogsPath(projectRoot, runId);
+  if ((options.cursor == null || !Number.isFinite(cursor)) && existsSync(logsPath)) {
+    const size = statSync(logsPath).size;
+    if (size > INITIAL_RUN_LOG_TAIL_MAX_BYTES) {
+      const tail = readJsonlFileTail(logsPath, {
+        limit,
+        maxBytes: INITIAL_RUN_LOG_TAIL_MAX_BYTES
+      }).filter((entry) => Boolean(entry && typeof entry === "object" && !Array.isArray(entry)));
+      return {
+        entries: tail.toReversed(),
+        nextCursor: null,
+        hasMore: true
+      };
+    }
+  }
+  const endExclusive = cursor == null || !Number.isFinite(cursor) ? Number.POSITIVE_INFINITY : Math.max(0, cursor);
+  const window = [];
+  let index = 0;
+  let hasMore = false;
+  const stream = createReadStream(logsPath, { encoding: "utf8" });
+  stream.on("error", (error) => {
+    if (error.code !== "ENOENT") {
+      stream.destroy(error);
+    }
+  });
+  const lines = createInterface({ input: stream, crlfDelay: Infinity });
+  try {
+    for await (const line of lines) {
+      const currentIndex = index;
+      index += 1;
+      if (currentIndex >= endExclusive) {
+        break;
+      }
+      const trimmed = line.trim();
+      if (trimmed.length === 0) {
+        continue;
+      }
+      try {
+        const parsed = JSON.parse(trimmed);
+        if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+          window.push({ index: currentIndex, entry: parsed });
+        }
+      } catch {
+        window.push({
+          index: currentIndex,
+          entry: { title: "Unparsed log line", detail: line, tone: "info" }
+        });
+      }
+      if (window.length > limit) {
+        window.shift();
+        hasMore = true;
+      }
+    }
+  } catch (error) {
+    const code = error.code;
+    if (code !== "ENOENT") {
+      throw error;
+    }
+  }
+  return {
+    entries: window.toReversed().map((item) => item.entry),
+    nextCursor: hasMore ? String(window[0]?.index ?? 0) : null,
+    hasMore
+  };
+}
+
+// packages/server/src/server-helpers/server-paths.ts
+import { dirname as dirname2, resolve as resolve2 } from "path";
+import { resolveMonorepoRoot as resolveMonorepoRoot2 } from "@rig/runtime/control-plane/native/utils";
+function resolveServerAuthorityPaths(projectRoot) {
+  const taskWorkspace = process.env.RIG_TASK_WORKSPACE?.trim();
+  const explicitStateDir = process.env.RIG_STATE_DIR?.trim();
+  const explicitLogsDir = process.env.RIG_LOGS_DIR?.trim();
+  const explicitSessionFile = process.env.RIG_SESSION_FILE?.trim();
+  const monorepoRoot = resolveMonorepoRoot2(projectRoot);
+  const stateRoot = taskWorkspace ? resolve2(taskWorkspace, ".rig") : explicitStateDir ? dirname2(resolve2(explicitStateDir)) : explicitLogsDir ? dirname2(resolve2(explicitLogsDir)) : explicitSessionFile ? dirname2(dirname2(resolve2(explicitSessionFile))) : resolve2(monorepoRoot, ".rig");
+  const stateDir = explicitStateDir ? resolve2(explicitStateDir) : resolve2(stateRoot, "state");
+  const logsDir = explicitLogsDir ? resolve2(explicitLogsDir) : resolve2(stateRoot, "logs");
+  const sessionFile = explicitSessionFile ? resolve2(explicitSessionFile) : resolve2(stateRoot, "session", "session.json");
+  const artifactsDir = taskWorkspace ? resolve2(taskWorkspace, "artifacts") : resolve2(monorepoRoot, "artifacts");
+  return {
+    stateRoot,
+    stateDir,
+    logsDir,
+    controlPlaneEventsFile: resolve2(logsDir, "control-plane.events.jsonl"),
+    sessionFile,
+    artifactsDir
+  };
+}
+
+// packages/server/src/server-helpers/snapshot-service.ts
+import { listAgentRuntimes } from "@rig/runtime/control-plane/runtime/isolation";
+
+// packages/server/src/server-helpers/snapshot-orchestrator.ts
+import {
+  listAuthorityRuns as listAuthorityRuns3,
+  readAuthorityRun as readAuthorityRun2
+} from "@rig/runtime/control-plane/authority-files";
+
+// packages/server/src/server-helpers/queue-state.ts
+import { resolve as resolve3 } from "path";
+import { readJsonFile, writeJsonFile } from "@rig/runtime/control-plane/authority-files";
+function resolveQueueStatePath(projectRoot) {
+  return resolve3(resolveServerAuthorityPaths(projectRoot).stateDir, "task-queue.json");
+}
+function readQueueState(projectRoot) {
+  const queue = readJsonFile(resolveQueueStatePath(projectRoot), null);
+  if (!Array.isArray(queue))
+    return [];
+  return queue.filter((entry) => entry && typeof entry === "object").map((entry, index) => ({
+    taskId: normalizeString(entry.taskId),
+    score: typeof entry.score === "number" ? Math.max(0, Math.trunc(entry.score)) : 0,
+    unblockCount: typeof entry.unblockCount === "number" ? Math.max(0, Math.trunc(entry.unblockCount)) : 0,
+    position: typeof entry.position === "number" ? Math.max(0, Math.trunc(entry.position)) : index
+  })).filter((entry) => Boolean(entry.taskId)).sort((left, right) => right.score - left.score || left.position - right.position).map((entry, index) => ({ ...entry, position: index }));
+}
+function writeQueueState(projectRoot, queue) {
+  writeJsonFile(resolveQueueStatePath(projectRoot), queue);
+}
+function enqueueTaskState(projectRoot, taskId, score) {
+  const queue = readQueueState(projectRoot).filter((entry) => entry.taskId !== taskId);
+  const next = [
+    ...queue,
+    {
+      taskId,
+      score: Math.max(0, Math.trunc(score)),
+      unblockCount: 0,
+      position: queue.length
+    }
+  ].sort((left, right) => right.score - left.score || left.position - right.position).map((entry, index) => ({ ...entry, position: index }));
+  writeQueueState(projectRoot, next);
+  return next;
+}
+function dequeueTaskState(projectRoot, taskId) {
+  const next = readQueueState(projectRoot).filter((entry) => entry.taskId !== taskId).map((entry, index) => ({ ...entry, position: index }));
+  writeQueueState(projectRoot, next);
+  return next;
+}
+
+// packages/server/src/server-helpers/remote-snapshots.ts
+import { listAuthorityRemoteEndpoints } from "@rig/runtime/control-plane/authority-files";
+function hostToRemoteEndpoint(host) {
+  let hostName = "127.0.0.1";
+  let port = 7890;
+  try {
+    const url = new URL(host.baseUrl);
+    hostName = url.hostname || hostName;
+    port = Number.parseInt(url.port || "80", 10) || port;
+  } catch {}
+  return {
+    id: host.hostId,
+    alias: host.name,
+    host: hostName,
+    port,
+    token: "",
+    tokenConfigured: false,
+    autoConnect: true,
+    addedAt: host.registeredAt,
+    lastConnectedAt: host.lastHeartbeatAt
+  };
+}
+function buildRemoteEndpointSnapshot(projectRoot, remoteHosts) {
+  const authorityEndpoints = listAuthorityRemoteEndpoints(projectRoot).map((entry) => ({
+    id: entry.id,
+    alias: entry.alias,
+    host: entry.host,
+    port: entry.port,
+    token: "",
+    tokenConfigured: entry.token.trim().length > 0,
+    autoConnect: entry.autoConnect,
+    addedAt: entry.addedAt,
+    lastConnectedAt: entry.lastConnectedAt
+  }));
+  const hostEndpoints = Array.from(remoteHosts.values()).map(hostToRemoteEndpoint);
+  const deduped = new Map;
+  for (const entry of [...authorityEndpoints, ...hostEndpoints]) {
+    deduped.set(entry.id, entry);
+  }
+  return Array.from(deduped.values()).sort((left, right) => left.alias.localeCompare(right.alias));
+}
+
+// packages/server/src/server-helpers/conversation-snapshot.ts
+import {
+  listAuthorityRuns as listAuthorityRuns2,
+  readJsonlFile as readJsonlFile2
+} from "@rig/runtime/control-plane/authority-files";
+var snapshotCache = new Map;
+
+// packages/server/src/server-helpers/plugin-host-cache.ts
+var contextCache = new Map;
+var taskListCache = new Map;
+
+// packages/server/src/server-helpers/terminal-runtime.ts
+import { WS_CHANNELS as WS_CHANNELS2 } from "@rig/contracts";
+
+// packages/server/src/server-helpers/broadcasters.ts
+import { RIG_WS_CHANNELS } from "@rig/contracts";
+
+// packages/server/src/server-helpers/run-writers.ts
+import {
+  appendJsonlRecord,
+  readAuthorityRun as readAuthorityRun3,
+  resolveAuthorityRunDir as resolveAuthorityRunDir2,
+  writeJsonFile as writeJsonFile2
+} from "@rig/runtime/control-plane/authority-files";
+
+// packages/server/src/server-helpers/event-emitter.ts
+function nextSequence(carrier) {
+  const current = carrier.sequence ?? 0;
+  const next = current + 1;
+  carrier.sequence = next;
+  return next;
+}
+
+// packages/server/src/server-helpers/terminal-sessions.ts
+function terminalSessionKey(threadId, terminalId) {
+  return `${threadId}::${terminalId}`;
+}
+function terminalSnapshot(session) {
+  return {
+    threadId: session.threadId,
+    terminalId: session.terminalId,
+    cwd: session.cwd,
+    status: session.status,
+    pid: session.pid,
+    history: session.history,
+    exitCode: session.exitCode,
+    exitSignal: session.exitSignal,
+    updatedAt: session.updatedAt
+  };
+}
+
+// packages/server/src/server-helpers/terminal-runtime.ts
+var DEFAULT_TERMINAL_SHELL = process.env.SHELL || "/bin/zsh";
+
+// packages/server/src/server-helpers/run-mutations.ts
+import { loadConfig } from "@rig/core/load-config";
+import {
+  listAuthorityRuns as listAuthorityRuns4,
+  readAuthorityRun as readAuthorityRun4,
+  resolveAuthorityRunDir as resolveAuthorityRunDir3,
+  writeJsonFile as writeJsonFile3
+} from "@rig/runtime/control-plane/authority-files";
+import { readPublishedRigServerStateSync } from "@rig/runtime/local-server";
+import { resolveMonorepoRoot as resolveMonorepoRoot3 } from "@rig/runtime/control-plane/native/utils";
+import {
+  buildTaskRunLifecycleComment,
+  updateConfiguredTaskSourceTask
+} from "@rig/runtime/control-plane/tasks/source-lifecycle";
+
+// packages/server/src/scheduler.ts
+import { normalizeTaskLifecycleStatus } from "@rig/runtime/control-plane/state-sync/types";
+var TERMINAL_RUN_STATUSES = new Set(["done", "completed", "error", "failed", "stopped", "cancelled"]);
+var RUNNABLE_TASK_STATUSES = new Set(["draft", "open", "ready", "queued"]);
+var REMOTE_READY_STATUSES = new Set(["ready", "idle", "connected"]);
+
+// packages/server/src/server-helpers/validation-failure.ts
+import {
+  readJsonFile as readJsonFile2,
+  resolveTaskArtifactDirs
+} from "@rig/runtime/control-plane/authority-files";
+
+// packages/server/src/server-helpers/run-mutations.ts
+var TERMINAL_RUN_STATUSES2 = new Set([
+  "completed",
+  "complete",
+  "done",
+  "merged",
+  "closed",
+  "failed",
+  "cancelled",
+  "canceled",
+  "needs_attention",
+  "needs-attention",
+  "stopped"
+]);
+var ORPHANABLE_LOCAL_RUN_STATUSES = new Set(["preparing", "running"]);
+
+// packages/server/src/server-helpers/http-router.ts
+import {
+  listAuthorityRuns as listAuthorityRuns5,
+  readAuthorityRun as readAuthorityRun6,
+  resolveAuthorityPaths,
+  writeJsonFile as writeJsonFile4
+} from "@rig/runtime/control-plane/authority-files";
+import {
+  mutateWorkspaceServiceFabric,
+  readTaskArtifactPreview,
+  readWorkspaceRemoteFleet,
+  readWorkspaceTopology
+} from "@rig/runtime/control-plane/native/workspace-ops";
+import {
+  doctorManagedRemoteEndpoints,
+  listManagedRemoteEndpoints,
+  removeManagedRemoteEndpoint,
+  resolveRemoteEndpoint,
+  updateManagedRemoteEndpointInAuthority,
+  upsertManagedRemoteEndpoint,
+  RemoteWsClient
+} from "@rig/runtime/control-plane/remote";
+
+// packages/server/src/server-helpers/run-steering.ts
+import { appendJsonlRecord as appendJsonlRecord2, readAuthorityRun as readAuthorityRun5, resolveAuthorityRunDir as resolveAuthorityRunDir4 } from "@rig/runtime/control-plane/authority-files";
+
+// packages/server/src/server-helpers/http-router.ts
+import { buildRigInitConfigSource } from "@rig/core";
+import {
+  buildTaskRunLifecycleComment as buildTaskRunLifecycleComment2,
+  updateConfiguredTaskSourceTask as updateConfiguredTaskSourceTask2
+} from "@rig/runtime/control-plane/tasks/source-lifecycle";
+var RIG_CONFIG_PACKAGE_VERSION = "0.0.6-alpha.0";
+var RIG_CONFIG_DEV_DEPENDENCIES = {
+  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_VERSION}`,
+  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_VERSION}`
+};
+
+// packages/server/src/server-helpers/inspector-jobs.ts
+import { readJsonFile as readJsonFile3 } from "@rig/runtime/control-plane/authority-files";
+import { resolveMonorepoRoot as resolveMonorepoRoot5 } from "@rig/runtime/control-plane/native/utils";
+import { normalizeTaskLifecycleStatus as normalizeTaskLifecycleStatus2 } from "@rig/runtime/control-plane/state-sync/types";
+
+// packages/server/src/inspector/discovery.ts
+import {
+  runStatus
+} from "@rig/runtime/control-plane/native/run-ops";
+import {
+  listAuthorityRuns as listAuthorityRuns6,
+  readAuthorityRun as readAuthorityRun7
+} from "@rig/runtime/control-plane/authority-files";
+
+// packages/server/src/inspector/service.ts
+var ACTIVE_RUN_STATUSES = new Set(["preparing", "running", "validating", "reviewing"]);
+
+// packages/server/src/inspector/upstream-sync.ts
+import { resolveMonorepoRoot as resolveMonorepoRoot4 } from "@rig/runtime/control-plane/native/utils";
+var UPSTREAM_VALIDATION_DESCRIPTIONS = {
+  "integration:hg-auth-backport": "Preserves the upstream auth hardening cluster: nonce-backed node-client login, signature-aware JWT verification, shared-token onboarding semantics, and regression coverage.",
+  "integration:hg-core-security-backport": "Preserves the vendored core-app and backend security fixes for OTP validation, NoSQL/operator hardening, AES/encryption behavior, and rate-limit or redirect-state protections.",
+  "integration:hg-boundary-hardening": "Preserves boundary-safe CORS behavior and credential lookup error hygiene across the vendored backend and the extracted credentials-service analogue.",
+  "integration:hg-uudl-runtime": "Preserves the upstream uudl runtime/package fixes: production dependency placement, path-resolution/runtime bootstrap behavior, AWS/MSK environment detection, KMS coverage, and a compiling UUDL tree.",
+  "boundary:hg-auth-triage": "Requires a durable keep/adapt/reject triage record for the post-import auth policy and mobile-wallet SIWE commits so the watcher does not keep rediscovering the same ambiguity.",
+  "boundary:hg-upstream-triage": "Requires a durable keep/adapt/reject triage record for service-relevant upstream commits that do not match the current portable catalog, including commit hashes, touched paths, and follow-up routing decisions."
+};
+var CLUSTERS = {
+  "auth-hardening": {
+    classification: "portable-now",
+    title: "[HG-001] Preserve upstream auth and shared-token hardening across extracted auth work",
+    description: "Backport clearly portable auth changes introduced upstream after imported revision 58b56e15: 3196d5c (node-client login nonce), bb5b74f (JWT signature validation), and 92011ead (shared token verification for wallet signup onboarding). Apply them where they belong in this repo: hp-auth-service, hp-gateway if verification semantics surface there, and the upstream monorepo auth owner flows for the remaining wallet-login/shared-token work. This task must preserve the security behavior, not just copy code. It should explicitly reconcile with bd-k0y-10, bd-k0y-11, bd-k0y-12, and bd-k0y-13.",
+    acceptanceCriteria: "Map upstream commits 3196d5c, bb5b74f, and 92011ead to exact local targets; preserve nonce-backed node-client login, JWT signature validation, and shared-token verification behavior; add automated tests that fail without the hardening; document any deliberate non-ports.",
+    role: "extractor",
+    scope: [
+      "repos/spliter-monorepo/microservices/hp-auth-service/**",
+      "repos/spliter-monorepo/microservices/hp-gateway/**",
+      "repos/spliter-monorepo/humoongate/moongate/core-app/**"
+    ],
+    validation: ["integration:hg-auth-backport", "boundary:changed-files"],
+    validationDescriptions: {
+      "integration:hg-auth-backport": UPSTREAM_VALIDATION_DESCRIPTIONS["integration:hg-auth-backport"]
+    },
+    labels: ["upstream:monorepo", "kind:backport", "cluster:auth"]
+  },
+  "core-security": {
+    classification: "portable-now",
+    title: "[HG-002] Backport core-app and backend security fixes from post-import upstream",
+    description: "Backport the clearly portable security fixes from efdae709 (OTP validation bypass), f63830d (NoSQL operator injection hardening), d7f6919 (AES encryption), and af86ac16 (three critical/high vulnerabilities). Preserve the behavior in the vendored auth owner and the touched backend query surfaces instead of treating these as optional cleanups. The high-value touched files from af86ac16 must be reviewed and ported or consciously waived with rationale.",
+    acceptanceCriteria: "Review and port the exact security behaviors from efdae709, f63830d, d7f6919, and af86ac16; cover the listed core-app and backend touched files; add regression tests for OTP bypass, NoSQL operator injection, AES/encryption behavior, and rate-limit or redirect-state hardening; document any consciously waived upstream changes.",
+    role: "mechanic",
+    scope: [
+      "repos/spliter-monorepo/humoongate/moongate/core-app/**",
+      "repos/spliter-monorepo/humoongate/humanity/hp-backend-ts/**"
+    ],
+    validation: ["integration:hg-core-security-backport", "boundary:changed-files"],
+    validationDescriptions: {
+      "integration:hg-core-security-backport": UPSTREAM_VALIDATION_DESCRIPTIONS["integration:hg-core-security-backport"]
+    },
+    labels: ["upstream:monorepo", "kind:backport", "cluster:security"]
+  },
+  "boundary-hardening": {
+    classification: "portable-now",
+    title: "[HG-003] Backport request-boundary hardening for CORS and credential lookup flows",
+    description: "Backport the clearly portable boundary hardening from 083bbe4 (CORS config) and 36d52fba (credential lookup error hygiene). Preserve request-boundary behavior in the vendored backend and any analogous extracted credential-facing service seams so attackers cannot learn internals from credential lookup failures or exploit inconsistent CORS policy.",
+    acceptanceCriteria: "Port the exact request-boundary behavior from 083bbe4 and 36d52fba; preserve safe CORS policy and credential lookup error hygiene; add tests showing callers do not receive overly detailed credential lookup failures; document any extracted-service analogue that must mirror the behavior.",
+    role: "mechanic",
+    scope: [
+      "repos/spliter-monorepo/humoongate/humanity/hp-backend-ts/**",
+      "repos/spliter-monorepo/microservices/hp-credentials-service/**"
+    ],
+    validation: ["integration:hg-boundary-hardening", "boundary:changed-files"],
+    validationDescriptions: {
+      "integration:hg-boundary-hardening": UPSTREAM_VALIDATION_DESCRIPTIONS["integration:hg-boundary-hardening"]
+    },
+    labels: ["upstream:monorepo", "kind:backport", "cluster:boundary"]
+  },
+  "uudl-runtime": {
+    classification: "portable-now",
+    title: "[HG-004] Backport uudl runtime and packaging fixes from upstream",
+    description: "Backport the clearly portable uudl runtime fixes from 2141b4c, 1fa56d7, a9a0a99, 9fcfa6e, and ea5cb03. Preserve the runtime behavior rather than cherry-picking filenames: production dependency placement, tsconfig-paths resolution, aggregator cycle removal, AWS/MSK environment detection, and local KMS wiring all need to be reflected in whichever UUDL runtime this repo still owns.",
+    acceptanceCriteria: "Port the runtime behaviors from 2141b4c, 1fa56d7, a9a0a99, 9fcfa6e, and ea5cb03; preserve production dependency placement, tsconfig-paths runtime resolution, aggregator cycle removal, AWS/MSK environment detection, and local KMS configuration; add runtime-focused tests or smoke coverage for each preserved behavior.",
+    role: "extractor",
+    scope: ["repos/spliter-monorepo/humoongate/humanity/hp-uudl/**"],
+    validation: ["integration:hg-uudl-runtime", "boundary:changed-files"],
+    validationDescriptions: {
+      "integration:hg-uudl-runtime": UPSTREAM_VALIDATION_DESCRIPTIONS["integration:hg-uudl-runtime"]
+    },
+    labels: ["upstream:monorepo", "kind:backport", "cluster:uudl"]
+  },
+  "auth-triage": {
+    classification: "needs-human-triage",
+    title: "[HG-005] Triage post-import auth policy deltas and mobile-wallet SIWE changes",
+    description: "Review the upstream changes that are relevant but not safely auto-portable: 1262b75 (JWT_EXPIRES_IN 1d -> 7d), 15036424 (unlink-wallet endpoint and Wallet.default fix), and d4a47015 (unlink-wallet error handling). Produce an explicit keep/adapt/reject decision for each commit with rationale tied to the extracted auth plan, core-app ownership, and current threat model, and record the result in artifacts/bd-2ztk.5/decision-log.md so future agents do not silently re-litigate these decisions.",
+    acceptanceCriteria: "For 1262b75, 15036424, and d4a47015, produce explicit keep/adapt/reject decisions with rationale tied to auth ownership and threat model; record the decision in artifacts/bd-2ztk.5/decision-log.md; identify any follow-on implementation tasks if the answer is keep or adapt.",
+    role: "architect",
+    scope: ["artifacts/bd-2ztk.5/**", "docs/research/**"],
+    validation: ["boundary:hg-auth-triage"],
+    validationDescriptions: {
+      "boundary:hg-auth-triage": UPSTREAM_VALIDATION_DESCRIPTIONS["boundary:hg-auth-triage"]
+    },
+    labels: ["upstream:monorepo", "kind:backport", "cluster:triage"]
+  },
+  "generic-triage": {
+    classification: "needs-human-triage",
+    title: "[HG-007] Triage uncatalogued service-relevant upstream commits",
+    description: "Review future upstream commits that touch service-relevant paths but do not match the current portable-now catalog. For each commit or batch, produce keep/adapt/reject decisions with rationale, cite the touched paths and why they matter here, and either route them into an existing backport task or open a new follow-up task when they are worth preserving.",
+    acceptanceCriteria: "For each uncatalogued service-relevant upstream commit or batch, record keep/adapt/reject decisions with rationale in artifacts/bd-2ztk.7/decision-log.md; cite the commit hashes and touched paths; and either attach the work to an existing backport task or open a new follow-up task when preservation is warranted.",
+    role: "architect",
+    scope: ["artifacts/bd-2ztk.7/**", "docs/research/**"],
+    validation: ["boundary:hg-upstream-triage"],
+    validationDescriptions: {
+      "boundary:hg-upstream-triage": UPSTREAM_VALIDATION_DESCRIPTIONS["boundary:hg-upstream-triage"]
+    },
+    labels: ["upstream:monorepo", "kind:backport", "cluster:triage"]
+  }
+};
+
+// packages/server/src/server.ts
+var RIG_WORKSPACE_ID = "rig-local-workspace";
+var serverPathEnvQueue = Promise.resolve();
+if (false) {}
+
+// packages/server/src/server-helpers/ws-router.ts
+function redactRemoteEndpoint(endpoint) {
+  const { token, ...rest } = endpoint;
+  return {
+    ...rest,
+    token: "",
+    tokenConfigured: token.trim().length > 0
+  };
+}
+async function routeWebSocketRequest(state, deps, request) {
+  return deps.withServerPathEnv(state.projectRoot, async () => {
+    const body = request.body;
+    switch (body._tag) {
+      case RIG_WS_METHODS.getSnapshot: {
+        return deps.snapshotService.getEngineSnapshot({
+          remoteHosts: state.remoteHosts,
+          remoteConnections: state.remoteConnections,
+          sequence: state.sequence,
+          runProcesses: state.runProcesses
+        });
+      }
+      case RIG_WS_METHODS.replayEvents: {
+        const fromSequenceExclusive = typeof body.fromSequenceExclusive === "number" ? body.fromSequenceExclusive : Number(body.fromSequenceExclusive ?? 0);
+        const from = Number.isFinite(fromSequenceExclusive) ? fromSequenceExclusive : 0;
+        const limitRaw = typeof body.limit === "number" ? body.limit : Number(body.limit ?? 1000);
+        const limit = Number.isFinite(limitRaw) ? Math.max(1, Math.min(Math.trunc(limitRaw), 1000)) : 1000;
+        const replay = [];
+        for (let index = state.eventJournal.length - 1;index >= 0 && replay.length < limit; index -= 1) {
+          const event = state.eventJournal[index];
+          if (event && event.sequence > from) {
+            replay.push(event);
+          }
+        }
+        return replay.reverse();
+      }
+      case RIG_WS_METHODS.listWorkspaces: {
+        const workspace = await deps.readWorkspaceSummaryRecord(state.projectRoot);
+        return [workspace];
+      }
+      case RIG_WS_METHODS.getWorkspace: {
+        const workspaceId = normalizeString(body.workspaceId) ?? RIG_WORKSPACE_ID;
+        const payload = await deps.snapshotService.getRigSnapshot();
+        const taskIds = new Set(payload.tasks.filter((task) => task.workspaceId === workspaceId).map((task) => task.id));
+        const runIds = new Set(payload.runs.filter((run) => run.workspaceId === workspaceId).map((run) => run.id));
+        return {
+          workspace: payload.workspace.id === workspaceId ? payload.workspace : null,
+          graph: payload.graphs.find((graph) => graph.workspaceId === workspaceId) ?? null,
+          tasks: payload.tasks.filter((task) => task.workspaceId === workspaceId),
+          runs: payload.runs.filter((run) => run.workspaceId === workspaceId),
+          approvals: payload.approvals.filter((approval) => runIds.has(approval.runId)),
+          userInputs: payload.userInputs.filter((entry) => runIds.has(entry.runId)),
+          artifacts: payload.artifacts.filter((artifact) => artifact.taskId && taskIds.has(artifact.taskId)),
+          updatedAt: payload.snapshot.updatedAt
+        };
+      }
+      case RIG_WS_METHODS.getRunLogs: {
+        const runId = normalizeString(body.runId);
+        if (!runId) {
+          throw new Error("runId is required");
+        }
+        const limit = typeof body.limit === "number" ? body.limit : undefined;
+        const cursor = normalizeString(body.cursor);
+        return readRunLogsPage(state.projectRoot, runId, { limit, cursor });
+      }
+      case RIG_WS_METHODS.createAdhocRun: {
+        const runId = normalizeString(body.runId);
+        const workspaceId = normalizeString(body.workspaceId);
+        const title = normalizeString(body.title);
+        const createdAt = normalizeString(body.createdAt) ?? new Date().toISOString();
+        if (!runId || !workspaceId || !title) {
+          throw new Error("runId, workspaceId, and title are required");
+        }
+        await deps.createRunRecord(state.projectRoot, {
+          runId,
+          workspaceId,
+          title,
+          runtimeAdapter: normalizeString(body.runtimeAdapter) ?? undefined,
+          model: normalizeString(body.model) ?? undefined,
+          runtimeMode: normalizeString(body.runtimeMode) ?? undefined,
+          interactionMode: normalizeString(body.interactionMode) ?? undefined,
+          executionTarget: normalizeString(body.executionTarget) === "remote" ? "remote" : "local",
+          remoteHostId: normalizeString(body.remoteHostId),
+          initialPrompt: normalizeString(body.initialPrompt) ?? undefined,
+          createdAt
+        });
+        if (normalizeString(body.executionTarget) !== "remote") {
+          queueMicrotask(() => {
+            deps.startLocalRun(state, runId).catch((error) => {
+              console.error("[server] failed to start local adhoc run", error);
+            });
+          });
+        }
+        const event = deps.emitRigEvent(state, {
+          type: "rig.run.created",
+          aggregateId: runId,
+          payload: { runId, workspaceId, title, taskId: null },
+          createdAt
+        });
+        deps.broadcastSnapshotInvalidation(state, "run-created");
+        return { sequence: event.sequence };
+      }
+      case RIG_WS_METHODS.createTaskRun: {
+        const runId = normalizeString(body.runId);
+        const workspaceId = normalizeString(body.workspaceId);
+        const taskId = normalizeString(body.taskId);
+        const createdAt = normalizeString(body.createdAt) ?? new Date().toISOString();
+        if (!runId || !workspaceId || !taskId) {
+          throw new Error("runId, workspaceId, and taskId are required");
+        }
+        dequeueTaskState(state.projectRoot, taskId);
+        await deps.createRunRecord(state.projectRoot, {
+          runId,
+          workspaceId,
+          taskId,
+          runtimeAdapter: normalizeString(body.runtimeAdapter) ?? undefined,
+          model: normalizeString(body.model) ?? undefined,
+          runtimeMode: normalizeString(body.runtimeMode) ?? undefined,
+          interactionMode: normalizeString(body.interactionMode) ?? undefined,
+          executionTarget: normalizeString(body.executionTarget) === "remote" ? "remote" : "local",
+          remoteHostId: normalizeString(body.remoteHostId),
+          initialPrompt: normalizeString(body.initialPrompt) ?? undefined,
+          createdAt
+        });
+        if (normalizeString(body.executionTarget) !== "remote") {
+          queueMicrotask(() => {
+            deps.startLocalRun(state, runId).catch((error) => {
+              console.error("[server] failed to start local task run", error);
+            });
+          });
+        }
+        const event = deps.emitRigEvent(state, {
+          type: "rig.task.run-created",
+          aggregateId: taskId,
+          payload: { runId, workspaceId, taskId },
+          createdAt
+        });
+        deps.broadcastSnapshotInvalidation(state, "task-run-created");
+        queueMicrotask(() => {
+          deps.reconcileScheduler(state, "task-run-created");
+        });
+        return { sequence: event.sequence, accepted: true };
+      }
+      case RIG_WS_METHODS.deleteRun: {
+        const runId = normalizeString(body.runId);
+        const createdAt = normalizeString(body.createdAt) ?? new Date().toISOString();
+        const purgeTaskArtifacts = body.purgeTaskArtifacts === true;
+        if (!runId) {
+          throw new Error("runId is required");
+        }
+        if (state.runProcesses.has(runId)) {
+          await deps.stopRunRecord(state, { runId, createdAt });
+        }
+        const result = await deleteRunState(state.projectRoot, {
+          runId,
+          purgeRuntime: true,
+          purgeTaskArtifacts
+        });
+        const event = deps.emitRigEvent(state, {
+          type: "rig.run.deleted",
+          aggregateId: runId,
+          payload: {
+            runId,
+            taskId: result.taskId,
+            runtimeIds: result.runtimeIds,
+            taskArtifactsDeleted: result.taskArtifactsDeleted
+          },
+          createdAt
+        });
+        deps.broadcastSnapshotInvalidation(state, "run-deleted");
+        return { sequence: event.sequence };
+      }
+      case RIG_WS_METHODS.enqueueTask: {
+        const taskId = normalizeString(body.taskId);
+        const createdAt = normalizeString(body.createdAt) ?? new Date().toISOString();
+        const score = typeof body.score === "number" ? body.score : Number(body.score ?? 100);
+        if (!taskId || !Number.isFinite(score)) {
+          throw new Error("taskId and numeric score are required");
+        }
+        const queue = enqueueTaskState(state.projectRoot, taskId, score);
+        const event = deps.emitRigEvent(state, {
+          type: "rig.task.enqueued",
+          aggregateId: taskId,
+          payload: { taskId, score, queueLength: queue.length },
+          createdAt
+        });
+        deps.broadcastSnapshotInvalidation(state, "task-enqueued");
+        await deps.reconcileScheduler(state, "task-enqueued");
+        return { sequence: event.sequence };
+      }
+      case RIG_WS_METHODS.resumeRun: {
+        const runId = normalizeString(body.runId);
+        const createdAt = normalizeString(body.createdAt) ?? new Date().toISOString();
+        const promptOverride = normalizeString(body.promptOverride);
+        if (!runId) {
+          throw new Error("runId is required");
+        }
+        await deps.resumeRunRecord(state, { runId, createdAt, promptOverride });
+        const event = deps.emitRigEvent(state, {
+          type: "rig.run.resumed",
+          aggregateId: runId,
+          payload: { runId, promptOverride: promptOverride ?? null },
+          createdAt
+        });
+        deps.broadcastSnapshotInvalidation(state, "run-resumed");
+        return { sequence: event.sequence };
+      }
+      case RIG_WS_METHODS.submitRunMessage: {
+        const runId = normalizeString(body.runId);
+        const messageId = normalizeString(body.messageId);
+        const text = normalizeString(body.text);
+        const createdAt = normalizeString(body.createdAt) ?? new Date().toISOString();
+        if (!runId || !messageId || text === null) {
+          throw new Error("runId, messageId, and text are required");
+        }
+        const run = readAuthorityRun8(state.projectRoot, runId);
+        if (!run) {
+          throw new Error(`Run not found: ${runId}`);
+        }
+        if (run.mode === "local") {
+          if (state.runProcesses.has(runId)) {
+            throw new Error("Run is already active. Wait for the current turn to finish before sending another message.");
+          }
+          await deps.startLocalRun(state, runId, { promptOverride: text });
+        } else {
+          deps.appendRunMessage(state.projectRoot, {
+            runId,
+            messageId,
+            text,
+            attachments: Array.isArray(body.attachments) ? body.attachments : undefined,
+            createdAt
+          });
+        }
+        const event = deps.emitRigEvent(state, {
+          type: "rig.run.message-submitted",
+          aggregateId: runId,
+          payload: { runId, messageId },
+          createdAt
+        });
+        deps.broadcastSnapshotInvalidation(state, "run-message");
+        return { sequence: event.sequence };
+      }
+      case RIG_WS_METHODS.interruptRun: {
+        const runId = normalizeString(body.runId);
+        const createdAt = normalizeString(body.createdAt) ?? new Date().toISOString();
+        if (!runId) {
+          throw new Error("runId is required");
+        }
+        deps.stopRunRecord(state, { runId, createdAt }).catch((error) => {
+          console.error("[server] failed to interrupt run", error);
+        });
+        const event = deps.emitRigEvent(state, {
+          type: "rig.run.interrupted",
+          aggregateId: runId,
+          payload: { runId },
+          createdAt
+        });
+        deps.broadcastSnapshotInvalidation(state, "run-interrupted");
+        return { sequence: event.sequence };
+      }
+      case RIG_WS_METHODS.stopRun: {
+        const runId = normalizeString(body.runId);
+        const createdAt = normalizeString(body.createdAt) ?? new Date().toISOString();
+        if (!runId) {
+          throw new Error("runId is required");
+        }
+        deps.stopRunRecord(state, {
+          runId,
+          createdAt
+        }).catch((error) => {
+          console.error("[server] failed to stop run", error);
+        });
+        const event = deps.emitRigEvent(state, {
+          type: "rig.run.stopped",
+          aggregateId: runId,
+          payload: { runId },
+          createdAt
+        });
+        deps.broadcastSnapshotInvalidation(state, "run-stopped");
+        queueMicrotask(() => {
+          deps.reconcileScheduler(state, "run-stopped");
+        });
+        return { sequence: event.sequence, accepted: true };
+      }
+      case RIG_WS_METHODS.resolveApproval: {
+        const runId = normalizeString(body.runId);
+        const requestId = normalizeString(body.requestId);
+        const decision = normalizeString(body.decision);
+        if (!runId || !requestId || decision !== "accept" && decision !== "acceptForSession" && decision !== "decline" && decision !== "cancel") {
+          throw new Error("runId, requestId, and decision accept|acceptForSession|decline|cancel are required");
+        }
+        resolveApproval(state.projectRoot, {
+          runId,
+          requestId,
+          decision: decision === "decline" || decision === "cancel" ? "reject" : "approve"
+        });
+        const event = deps.emitRigEvent(state, {
+          type: "rig.approval.resolved",
+          aggregateId: runId,
+          payload: { runId, requestId, decision }
+        });
+        deps.broadcastSnapshotInvalidation(state, "approval-resolved");
+        return { sequence: event.sequence };
+      }
+      case RIG_WS_METHODS.resolveUserInput: {
+        const runId = normalizeString(body.runId);
+        const requestId = normalizeString(body.requestId);
+        const answers = body.answers && typeof body.answers === "object" ? Object.fromEntries(Object.entries(body.answers).flatMap(([key, value]) => typeof value === "string" ? [[key, value]] : [])) : {};
+        if (!runId || !requestId || Object.keys(answers).length === 0) {
+          throw new Error("runId, requestId, and string-valued answers are required");
+        }
+        respondToUserInput(state.projectRoot, { runId, requestId, answers });
+        const event = deps.emitRigEvent(state, {
+          type: "rig.user-input.resolved",
+          aggregateId: runId,
+          payload: { runId, requestId }
+        });
+        deps.broadcastSnapshotInvalidation(state, "user-input-resolved");
+        return { sequence: event.sequence };
+      }
+      case RIG_WS_METHODS.getTaskArtifacts: {
+        const taskId = normalizeString(body.taskId);
+        if (!taskId) {
+          throw new Error("taskId is required");
+        }
+        return await deps.listArtifactSummaries(state.projectRoot, taskId);
+      }
+      case ORCHESTRATION_WS_METHODS.getSnapshot:
+        return deps.buildOrchestrationSnapshot(state);
+      case ORCHESTRATION_WS_METHODS.dispatchCommand: {
+        const command = body.command && typeof body.command === "object" ? body.command : null;
+        if (!command) {
+          throw new Error("command is required");
+        }
+        deps.applyOrchestrationCommand(state, command);
+        const sequence = nextSequence(state);
+        deps.broadcastPush(state, {
+          type: "push",
+          channel: ORCHESTRATION_WS_CHANNELS.domainEvent,
+          data: {
+            sequence,
+            eventId: `event-${sequence}`,
+            aggregateKind: "thread",
+            aggregateId: normalizeString(command.threadId) ?? normalizeString(command.projectId) ?? "orchestration",
+            occurredAt: normalizeString(command.createdAt) ?? new Date().toISOString(),
+            commandId: normalizeString(command.commandId),
+            causationEventId: null,
+            correlationId: normalizeString(command.commandId),
+            metadata: {},
+            type: `${normalizeString(command.type) ?? "command"}.accepted`,
+            payload: command
+          }
+        });
+        return { sequence };
+      }
+      case ORCHESTRATION_WS_METHODS.getTurnDiff:
+      case ORCHESTRATION_WS_METHODS.getFullThreadDiff: {
+        const threadId = normalizeString(body.threadId);
+        if (!threadId) {
+          throw new Error("threadId is required");
+        }
+        const fromTurnCount = typeof body.fromTurnCount === "number" ? body.fromTurnCount : Number(body.fromTurnCount ?? 0);
+        const toTurnCount = typeof body.toTurnCount === "number" ? body.toTurnCount : Number(body.toTurnCount ?? 0);
+        return {
+          threadId,
+          fromTurnCount: Number.isFinite(fromTurnCount) ? Math.max(0, fromTurnCount) : 0,
+          toTurnCount: Number.isFinite(toTurnCount) ? Math.max(0, toTurnCount) : 0,
+          diff: ""
+        };
+      }
+      case ORCHESTRATION_WS_METHODS.replayEvents:
+        return [];
+      case WS_METHODS.serverGetConfig:
+        return deps.buildServerConfig(state);
+      case WS_METHODS.serverUpsertKeybinding:
+        return {
+          keybindings: [],
+          issues: []
+        };
+      case WS_METHODS.projectsListDirectory: {
+        const cwd = normalizeString(body.cwd);
+        const relativePath = normalizeString(body.relativePath);
+        const limit = typeof body.limit === "number" ? body.limit : Number(body.limit ?? 200);
+        if (!cwd || !relativePath || !Number.isFinite(limit)) {
+          throw new Error("cwd, relativePath, and limit are required");
+        }
+        return deps.listDirectoryEntries({ cwd, relativePath, limit });
+      }
+      case WS_METHODS.projectsReadFile: {
+        const cwd = normalizeString(body.cwd);
+        const relativePath = normalizeString(body.relativePath);
+        if (!cwd || !relativePath) {
+          throw new Error("cwd and relativePath are required");
+        }
+        return deps.readProjectFile({ cwd, relativePath });
+      }
+      case WS_METHODS.projectsWriteFile: {
+        const cwd = normalizeString(body.cwd);
+        const relativePath = normalizeString(body.relativePath);
+        const contents = typeof body.contents === "string" ? body.contents : null;
+        if (!cwd || !relativePath || contents === null) {
+          throw new Error("cwd, relativePath, and contents are required");
+        }
+        return deps.writeProjectFile({ cwd, relativePath, contents });
+      }
+      case WS_METHODS.projectsSearchEntries: {
+        const cwd = normalizeString(body.cwd);
+        const query = normalizeString(body.query);
+        const limit = typeof body.limit === "number" ? body.limit : Number(body.limit ?? 100);
+        if (!cwd || !query || !Number.isFinite(limit)) {
+          throw new Error("cwd, query, and limit are required");
+        }
+        return deps.searchProjectEntries({ cwd, query, limit });
+      }
+      case WS_METHODS.shellOpenInEditor: {
+        const cwd = normalizeString(body.cwd);
+        const editor = normalizeString(body.editor);
+        if (!cwd || !editor) {
+          throw new Error("cwd and editor are required");
+        }
+        deps.openInEditor(cwd, editor);
+        return {};
+      }
+      case WS_METHODS.gitStatus: {
+        const cwd = normalizeString(body.cwd);
+        if (!cwd)
+          throw new Error("cwd is required");
+        return deps.readGitStatus(cwd);
+      }
+      case WS_METHODS.gitReadWorkingTreePatch: {
+        const cwd = normalizeString(body.cwd);
+        if (!cwd)
+          throw new Error("cwd is required");
+        return deps.readGitPatch(cwd, normalizeString(body.relativePath) ?? undefined);
+      }
+      case WS_METHODS.gitListBranches: {
+        const cwd = normalizeString(body.cwd);
+        if (!cwd)
+          throw new Error("cwd is required");
+        return deps.listGitBranches(cwd);
+      }
+      case WS_METHODS.gitCheckout: {
+        const cwd = normalizeString(body.cwd);
+        const branch = normalizeString(body.branch);
+        if (!cwd || !branch)
+          throw new Error("cwd and branch are required");
+        const result = deps.gitResult(cwd, ["checkout", branch]);
+        if (result.exitCode !== 0)
+          throw new Error(result.stderr || "git checkout failed");
+        return {};
+      }
+      case WS_METHODS.gitCreateBranch: {
+        const cwd = normalizeString(body.cwd);
+        const branch = normalizeString(body.branch);
+        if (!cwd || !branch)
+          throw new Error("cwd and branch are required");
+        const result = deps.gitResult(cwd, ["branch", branch]);
+        if (result.exitCode !== 0)
+          throw new Error(result.stderr || "git branch failed");
+        return {};
+      }
+      case WS_METHODS.gitCreateWorktree: {
+        const cwd = normalizeString(body.cwd);
+        const branch = normalizeString(body.branch);
+        const newBranch = normalizeString(body.newBranch);
+        const worktreePath = normalizeString(body.path);
+        if (!cwd || !branch || !newBranch) {
+          throw new Error("cwd, branch, and newBranch are required");
+        }
+        return deps.createGitWorktree({ cwd, branch, newBranch, path: worktreePath });
+      }
+      case WS_METHODS.gitRemoveWorktree: {
+        const cwd = normalizeString(body.cwd);
+        const worktreePath = normalizeString(body.path);
+        if (!cwd || !worktreePath) {
+          throw new Error("cwd and path are required");
+        }
+        deps.removeGitWorktree({ cwd, path: worktreePath, force: body.force === true });
+        return {};
+      }
+      case WS_METHODS.gitInit: {
+        const cwd = normalizeString(body.cwd);
+        if (!cwd)
+          throw new Error("cwd is required");
+        const result = deps.gitResult(cwd, ["init"]);
+        if (result.exitCode !== 0)
+          throw new Error(result.stderr || "git init failed");
+        return {};
+      }
+      case WS_METHODS.gitPull: {
+        const cwd = normalizeString(body.cwd);
+        if (!cwd)
+          throw new Error("cwd is required");
+        const branch = deps.gitResult(cwd, ["branch", "--show-current"]).stdout.trim();
+        const result = deps.gitResult(cwd, ["pull", "--ff-only"]);
+        if (result.exitCode !== 0 && !result.stderr.includes("up to date")) {
+          throw new Error(result.stderr || "git pull failed");
+        }
+        const status = result.stdout.includes("Already up to date") || result.stderr.includes("up to date") ? "skipped_up_to_date" : "pulled";
+        return {
+          status,
+          branch,
+          upstreamBranch: branch || null
+        };
+      }
+      case WS_METHODS.gitRunStackedAction: {
+        const cwd = normalizeString(body.cwd);
+        const action = normalizeString(body.action);
+        if (!cwd || !action)
+          throw new Error("cwd and action are required");
+        const status = deps.readGitStatus(cwd);
+        const result = {
+          action,
+          branch: { status: "skipped_not_requested" },
+          commit: {
+            status: status.hasWorkingTreeChanges ? "created" : "skipped_no_changes",
+            ...status.branch ? { subject: status.branch } : {}
+          },
+          push: { status: "skipped_not_requested" },
+          pr: { status: "skipped_not_requested" }
+        };
+        return result;
+      }
+      case WS_METHODS.terminalOpen: {
+        const threadId = normalizeString(body.threadId);
+        const terminalId = normalizeString(body.terminalId);
+        const cwd = normalizeString(body.cwd);
+        if (!threadId || !terminalId || !cwd) {
+          throw new Error("threadId, terminalId, and cwd are required");
+        }
+        const env = body.env && typeof body.env === "object" ? Object.fromEntries(Object.entries(body.env).flatMap(([key, value]) => typeof value === "string" ? [[key, value]] : [])) : undefined;
+        const session = deps.getOrCreateTerminalSession(state, { threadId, terminalId, cwd, env });
+        return terminalSnapshot(session);
+      }
+      case WS_METHODS.terminalWrite: {
+        const threadId = normalizeString(body.threadId);
+        const terminalId = normalizeString(body.terminalId);
+        const data = typeof body.data === "string" ? body.data : null;
+        if (!threadId || !terminalId || data === null) {
+          throw new Error("threadId, terminalId, and data are required");
+        }
+        const session = state.terminalSessions.get(terminalSessionKey(threadId, terminalId));
+        if (!session?.child?.stdin)
+          throw new Error("Terminal session not found");
+        session.child.stdin.write(data);
+        session.updatedAt = new Date().toISOString();
+        return {};
+      }
+      case WS_METHODS.terminalResize:
+        return {};
+      case WS_METHODS.terminalClear: {
+        const threadId = normalizeString(body.threadId);
+        const terminalId = normalizeString(body.terminalId);
+        if (!threadId || !terminalId)
+          throw new Error("threadId and terminalId are required");
+        const session = state.terminalSessions.get(terminalSessionKey(threadId, terminalId));
+        if (!session)
+          throw new Error("Terminal session not found");
+        session.history = "";
+        session.updatedAt = new Date().toISOString();
+        deps.pushTerminalEvent(state, {
+          type: "cleared",
+          threadId,
+          terminalId,
+          createdAt: session.updatedAt
+        });
+        return {};
+      }
+      case WS_METHODS.terminalClose: {
+        const threadId = normalizeString(body.threadId);
+        const terminalId = normalizeString(body.terminalId) ?? "default";
+        if (!threadId)
+          throw new Error("threadId is required");
+        const sessionKey = terminalSessionKey(threadId, terminalId);
+        const session = state.terminalSessions.get(sessionKey);
+        if (session?.child) {
+          session.child.kill("SIGTERM");
+        }
+        state.terminalSessions.delete(sessionKey);
+        return {};
+      }
+      case WS_METHODS.remoteListEndpoints:
+        return listManagedRemoteEndpoints2(undefined, state.projectRoot).map((endpoint) => redactRemoteEndpoint(endpoint));
+      case WS_METHODS.remoteRegisterEndpoint: {
+        const alias = normalizeString(body.alias);
+        const host = normalizeString(body.host);
+        const token = normalizeString(body.token);
+        const port = typeof body.port === "number" ? body.port : Number(body.port);
+        if (!alias || !host || !Number.isFinite(port)) {
+          throw new Error("alias, host, and port are required");
+        }
+        const endpoint = upsertManagedRemoteEndpoint2({ alias, host, port, token: token ?? undefined }, undefined, state.projectRoot);
+        deps.emitRigEvent(state, {
+          type: "rig.remote.endpoint-registered",
+          aggregateId: endpoint.id,
+          payload: { endpointId: endpoint.id, alias, host, port }
+        });
+        deps.broadcastSnapshotInvalidation(state, "remote-endpoint-registered");
+        return redactRemoteEndpoint(endpoint);
+      }
+      case WS_METHODS.remoteRemoveEndpoint: {
+        const endpointId = normalizeString(body.endpointId);
+        if (!endpointId) {
+          throw new Error("endpointId is required");
+        }
+        const removed = removeManagedRemoteEndpoint2(endpointId, undefined, state.projectRoot);
+        if (!removed) {
+          throw new Error("Remote endpoint not found");
+        }
+        deps.emitRigEvent(state, {
+          type: "rig.remote.endpoint-removed",
+          aggregateId: endpointId,
+          payload: { endpointId }
+        });
+        deps.broadcastSnapshotInvalidation(state, "remote-endpoint-removed");
+        return { ok: true };
+      }
+      case WS_METHODS.remoteConnect: {
+        const endpointId = normalizeString(body.endpointId);
+        if (!endpointId) {
+          throw new Error("endpointId is required");
+        }
+        const endpoints = buildRemoteEndpointSnapshot(state.projectRoot, state.remoteHosts);
+        const endpoint = endpoints.find((entry) => entry.id === endpointId);
+        if (!endpoint) {
+          throw new Error("Remote endpoint not found");
+        }
+        const connectedAt = new Date().toISOString();
+        state.remoteConnections.set(endpointId, {
+          endpointId,
+          status: "connected",
+          error: null,
+          connectedAt,
+          tokenExpiresAt: null,
+          latencyMs: null,
+          subscribedEvents: []
+        });
+        deps.broadcastSnapshotInvalidation(state);
+        return {};
+      }
+      case WS_METHODS.remoteDisconnect: {
+        const endpointId = normalizeString(body.endpointId);
+        if (!endpointId) {
+          throw new Error("endpointId is required");
+        }
+        state.remoteConnections.set(endpointId, {
+          endpointId,
+          status: "disconnected",
+          error: null,
+          connectedAt: null,
+          tokenExpiresAt: null,
+          latencyMs: null,
+          subscribedEvents: []
+        });
+        deps.broadcastSnapshotInvalidation(state);
+        return {};
+      }
+      case WS_METHODS.remoteCreateRunForTask: {
+        const runId = normalizeString(body.runId);
+        const workspaceId = normalizeString(body.workspaceId);
+        const taskId = normalizeString(body.taskId);
+        const endpointId = normalizeString(body.endpointId);
+        const createdAt = normalizeString(body.createdAt) ?? new Date().toISOString();
+        if (!runId || !workspaceId || !taskId || !endpointId) {
+          throw new Error("runId, workspaceId, taskId, and endpointId are required");
+        }
+        await deps.createRunRecord(state.projectRoot, {
+          runId,
+          workspaceId,
+          taskId,
+          runtimeAdapter: normalizeString(body.runtimeAdapter) ?? undefined,
+          model: normalizeString(body.model) ?? undefined,
+          runtimeMode: normalizeString(body.runtimeMode) ?? undefined,
+          interactionMode: normalizeString(body.interactionMode) ?? undefined,
+          executionTarget: "remote",
+          remoteHostId: endpointId,
+          createdAt
+        });
+        const sequence = nextSequence(state);
+        deps.broadcastSnapshotInvalidation(state);
+        return { ok: true, sequence };
+      }
+      case WS_METHODS.remoteTerminalOpen: {
+        const threadId = normalizeString(body.threadId);
+        const terminalId = normalizeString(body.terminalId);
+        const cwd = normalizeString(body.cwd) ?? state.projectRoot;
+        if (!threadId || !terminalId) {
+          throw new Error("threadId and terminalId are required");
+        }
+        const env = body.env && typeof body.env === "object" ? Object.fromEntries(Object.entries(body.env).flatMap(([key, value]) => typeof value === "string" ? [[key, value]] : [])) : undefined;
+        return terminalSnapshot(deps.getOrCreateTerminalSession(state, { threadId, terminalId, cwd, env }));
+      }
+      case WS_METHODS.remoteTerminalWrite:
+        return routeWebSocketRequest(state, deps, {
+          id: request.id,
+          body: {
+            _tag: WS_METHODS.terminalWrite,
+            threadId: normalizeString(body.threadId) ?? "",
+            terminalId: normalizeString(body.terminalId) ?? "",
+            data: typeof body.data === "string" ? body.data : ""
+          }
+        });
+      case WS_METHODS.remoteTerminalResize:
+        return {};
+      case WS_METHODS.remoteTerminalClose:
+        return routeWebSocketRequest(state, deps, {
+          id: request.id,
+          body: {
+            _tag: WS_METHODS.terminalClose,
+            threadId: normalizeString(body.threadId) ?? "",
+            terminalId: normalizeString(body.terminalId) ?? ""
+          }
+        });
+      case WS_METHODS.remoteTestEndpoint: {
+        const host = normalizeString(body.host);
+        const token = normalizeString(body.token);
+        const port = typeof body.port === "number" ? body.port : Number(body.port);
+        if (!host || !Number.isFinite(port)) {
+          throw new Error("host and port are required");
+        }
+        const endpoint = resolveRemoteEndpoint2({
+          projectRoot: state.projectRoot,
+          host,
+          port: String(port),
+          token: token ?? undefined
+        });
+        const client = new RemoteWsClient2(endpoint);
+        const startedAt = Date.now();
+        await client.connect();
+        await client.ping();
+        client.disconnect();
+        return { latencyMs: Math.max(1, Date.now() - startedAt) };
+      }
+      default:
+        throw new Error(`Unsupported websocket method: ${String(body._tag)}`);
+    }
+  });
+}
+export {
+  routeWebSocketRequest
+};