@h-rig/server 0.0.6-alpha.1 → 0.0.6-alpha.10

package/dist/src/index.js

@@ -2293,7 +2293,7 @@ async function buildRigSnapshotPayload(projectRoot, readers) {
   const taskSummaries = (await readers.readWorkspaceTasks(projectRoot)).map((task) => ({
     ...toTaskSummary(workspace.id, {
       ...task,
-      status: queuedTaskIds.has(task.id) && (task.status === "open" || task.status === "ready" || task.status === "draft") ? "queued" : task.status
+      status: queuedTaskIds.has(task.id) && (task.status === "open" || task.status === "ready" || task.status === "draft" || task.status === "failed" || task.sourceStatus === "failed") ? "queued" : task.status
     }),
     graphId: graph.id
   }));
@@ -2819,7 +2819,6 @@ function createGitHubTaskReconciler(input) {
 }
 
 // packages/server/src/server-helpers/issue-analysis.ts
-import { execFile } from "child_process";
 import { createHash } from "crypto";
 function stableIssueHash(issue) {
   const labels = Array.isArray(issue.labels) ? [...issue.labels].map(String).sort() : [];
@@ -2953,16 +2952,33 @@ function parseIssueAnalysisResult(raw) {
   return result;
 }
 function createDefaultPiIssueAnalysisCommandRunner() {
-  return (command, args, options) => new Promise((resolve11) => {
-    execFile(command, [...args], {
-      timeout: options.timeoutMs,
-      maxBuffer: 10 * 1024 * 1024,
-      env: options.env ? { ...process.env, ...options.env } : process.env
-    }, (error, stdout, stderr) => {
-      const exitCode = typeof error?.code === "number" ? error.code : error ? 1 : 0;
-      resolve11({ exitCode, stdout: String(stdout ?? ""), stderr: String(stderr ?? "") });
+  return async (command, args, options) => {
+    const env = options.env ? { ...process.env, ...options.env } : process.env;
+    const proc = Bun.spawn([command, ...args], {
+      stdout: "pipe",
+      stderr: "pipe",
+      env
     });
-  });
+    let timedOut = false;
+    const timer = setTimeout(() => {
+      timedOut = true;
+      proc.kill();
+    }, options.timeoutMs);
+    try {
+      const [stdout, stderr, exitCode] = await Promise.all([
+        new Response(proc.stdout).text(),
+        new Response(proc.stderr).text(),
+        proc.exited
+      ]);
+      return {
+        exitCode: timedOut && exitCode === 0 ? 1 : exitCode,
+        stdout,
+        stderr: timedOut && stderr.trim().length === 0 ? `Pi issue analysis timed out after ${options.timeoutMs}ms` : stderr
+      };
+    } finally {
+      clearTimeout(timer);
+    }
+  };
 }
 function createPiIssueAnalyzer(input = {}) {
   const piBinary = input.piBinary ?? process.env.RIG_ISSUE_ANALYSIS_PI_BINARY ?? "pi";
@@ -2970,7 +2986,10 @@ function createPiIssueAnalyzer(input = {}) {
   const runCommand = input.runCommand ?? createDefaultPiIssueAnalysisCommandRunner();
   return async ({ prompt }) => {
     const args = ["--print", "--mode", "json", "--no-session"];
-    const model = input.model?.trim() || process.env.RIG_ISSUE_ANALYSIS_MODEL?.trim() || "openai-codex/gpt-5.5";
+    const provider = input.provider?.trim() || process.env.RIG_ISSUE_ANALYSIS_PROVIDER?.trim() || process.env.RIG_PI_PROVIDER?.trim();
+    const model = input.model?.trim() || process.env.RIG_ISSUE_ANALYSIS_MODEL?.trim() || process.env.RIG_PI_MODEL?.trim() || "openai-codex/gpt-5.5";
+    if (provider)
+      args.push("--provider", provider);
     if (model)
       args.push("--model", model);
     args.push(prompt);
@@ -3811,6 +3830,7 @@ function summarizeRunValidationFailure(projectRoot, run) {
 }
 
 // packages/server/src/server-helpers/github-auth-store.ts
+import { randomBytes } from "crypto";
 import { chmodSync, existsSync as existsSync6, mkdirSync as mkdirSync6, readFileSync as readFileSync3, writeFileSync as writeFileSync5 } from "fs";
 import { resolve as resolve13 } from "path";
 function cleanString(value) {
@@ -3824,6 +3844,24 @@ function cleanScopes(value) {
     return clean ? [clean] : [];
   });
 }
+function parseApiSessions(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    if (!entry || typeof entry !== "object" || Array.isArray(entry))
+      return [];
+    const record = entry;
+    const token = cleanString(record.token);
+    if (!token)
+      return [];
+    return [{
+      token,
+      login: cleanString(record.login),
+      userId: cleanString(record.userId),
+      createdAt: cleanString(record.createdAt) ?? undefined
+    }];
+  });
+}
 function readStoredAuth(stateFile) {
   if (!existsSync6(stateFile))
     return {};
@@ -3837,6 +3875,7 @@ function readStoredAuth(stateFile) {
       selectedRepo: cleanString(parsed.selectedRepo),
       tokenSource: parsed.tokenSource === "oauth-device" || parsed.tokenSource === "manual-token" || parsed.tokenSource === "env" ? parsed.tokenSource : undefined,
       pendingDevice: parsePendingDevice(parsed.pendingDevice),
+      apiSessions: parseApiSessions(parsed.apiSessions),
       updatedAt: cleanString(parsed.updatedAt) ?? undefined
     };
   } catch {
@@ -3855,6 +3894,9 @@ function parsePendingDevice(value) {
     return null;
   return { pollId, deviceCode, expiresAt, intervalSeconds };
 }
+function newApiSessionToken() {
+  return `rig_${randomBytes(32).toString("base64url")}`;
+}
 function writeStoredAuth(stateFile, payload) {
   mkdirSync6(resolve13(stateFile, ".."), { recursive: true });
   writeFileSync5(stateFile, `${JSON.stringify(payload, null, 2)}
@@ -3897,9 +3939,38 @@ function createGitHubAuthStore(projectRoot) {
         scopes: input.scopes ?? [],
         selectedRepo: input.selectedRepo ?? previous.selectedRepo ?? null,
         pendingDevice: null,
+        apiSessions: previous.apiSessions ?? [],
         updatedAt: new Date().toISOString()
       });
     },
+    createApiSession() {
+      const previous = readStoredAuth(stateFile);
+      const token = newApiSessionToken();
+      const session = {
+        token,
+        login: cleanString(previous.login),
+        userId: cleanString(previous.userId),
+        createdAt: new Date().toISOString()
+      };
+      writeStoredAuth(stateFile, {
+        ...previous,
+        apiSessions: [...(previous.apiSessions ?? []).slice(-9), session],
+        updatedAt: new Date().toISOString()
+      });
+      return { token, login: session.login ?? null, userId: session.userId ?? null };
+    },
+    readApiSession(token) {
+      const clean = cleanString(token);
+      if (!clean)
+        return null;
+      const previous = readStoredAuth(stateFile);
+      const session = (previous.apiSessions ?? []).find((candidate) => candidate.token === clean);
+      return session ? { login: cleanString(session.login), userId: cleanString(session.userId) } : null;
+    },
+    copyToProjectRoot(projectRoot2) {
+      const targetFile = resolveGitHubAuthStateFile(projectRoot2);
+      writeStoredAuth(targetFile, readStoredAuth(stateFile));
+    },
     savePendingDevice(input) {
       const previous = readStoredAuth(stateFile);
       writeStoredAuth(stateFile, {
@@ -4197,15 +4268,36 @@ async function syncProjectStatusForRunLifecycle(projectRoot, run, status, config
   if (!run.taskId)
     return;
   const issueNodeId = extractGitHubIssueNodeId(runSourceTaskIdentity(run));
-  await syncGitHubProjectStatusForTaskUpdate({
-    taskId: run.taskId,
-    status,
-    issueNodeId,
-    token: createGitHubAuthStore(projectRoot).readToken(),
-    config
-  }).catch(() => {
-    return;
-  });
+  try {
+    const result = await syncGitHubProjectStatusForTaskUpdate({
+      taskId: run.taskId,
+      status,
+      issueNodeId,
+      token: createGitHubAuthStore(projectRoot).readToken(),
+      config
+    });
+    if (!result.synced && result.reason !== "project-sync-disabled") {
+      appendRunLogEntry(projectRoot, run.runId, {
+        id: `log:${run.runId}:github-project-sync:${status}`,
+        title: "GitHub Project sync skipped",
+        detail: `Project status sync for ${run.taskId} could not run: ${result.reason}.`,
+        tone: "warn",
+        status: "running",
+        createdAt: new Date().toISOString(),
+        payload: { reason: result.reason, issueNodeId }
+      });
+    }
+  } catch (error) {
+    appendRunLogEntry(projectRoot, run.runId, {
+      id: `log:${run.runId}:github-project-sync-error:${status}`,
+      title: "GitHub Project sync failed",
+      detail: error instanceof Error ? error.message : String(error),
+      tone: "error",
+      status: "running",
+      createdAt: new Date().toISOString(),
+      payload: { issueNodeId }
+    });
+  }
 }
 async function autoAssignRunIssue(projectRoot, run) {
   if (!run.taskId)
@@ -4307,11 +4399,23 @@ function assertNoActiveRunForTask(projectRoot, taskId, newRunId) {
     return;
   throw new Error(`Task ${taskId} already has an active Rig run: ${existing.runId}`);
 }
+async function resolveSourceTaskForRun(projectRoot, taskId, readTasks) {
+  const fromReader = (await readTasks(projectRoot)).find((task) => task.id === taskId) ?? null;
+  if (fromReader)
+    return fromReader;
+  const projected = readTaskProjection(projectRoot)?.tasks.find((task) => String(task.id) === taskId) ?? null;
+  if (projected)
+    return projected;
+  if (readTasks !== readWorkspaceTasks) {
+    return (await readWorkspaceTasks(projectRoot)).find((task) => task.id === taskId) ?? null;
+  }
+  return null;
+}
 async function createRunRecord(projectRoot, input, readTasks = readWorkspaceTasks) {
   if ("taskId" in input && input.taskId) {
     assertNoActiveRunForTask(projectRoot, input.taskId, input.runId);
   }
-  const sourceTask = "taskId" in input && input.taskId ? (await readTasks(projectRoot)).find((task) => task.id === input.taskId) ?? null : null;
+  const sourceTask = "taskId" in input && input.taskId ? await resolveSourceTaskForRun(projectRoot, input.taskId, readTasks) : null;
   const taskTitle = sourceTask?.title ?? ("taskId" in input && input.taskId ? input.taskId : null);
   const runDir = resolveAuthorityRunDir3(projectRoot, input.runId);
   const runRecord = {
@@ -4383,6 +4487,7 @@ async function startLocalRun(state, runId, options) {
     throw new Error(`Run not found: ${runId}`);
   }
   const startedAt = new Date().toISOString();
+  const resumeMode = options?.resume === true;
   state.runProcesses.set(runId, {
     runId,
     child: null,
@@ -4399,9 +4504,9 @@ async function startLocalRun(state, runId, options) {
     summary: run.title
   });
   appendRunLogEntry(state.projectRoot, runId, {
-    id: `log:${runId}:prepare`,
-    title: "Rig task run starting",
-    detail: run.taskId ?? run.title,
+    id: `log:${runId}:${resumeMode ? "resume" : "prepare"}`,
+    title: resumeMode ? "Rig task run resuming" : "Rig task run starting",
+    detail: resumeMode ? `Resuming ${run.taskId ?? run.title ?? runId} after server restart or operator resume.` : run.taskId ?? run.title,
     tone: "info",
     status: "preparing",
     createdAt: startedAt
@@ -4479,7 +4584,15 @@ async function startLocalRun(state, runId, options) {
           RIG_SERVER_INTERNAL_EXEC: "1",
           ...serverUrl ? { RIG_SERVER_URL: serverUrl } : {},
           ...bridgeAuthToken ? { RIG_AUTH_TOKEN: bridgeAuthToken } : {},
-          ...bridgeGitHubToken ? { RIG_GITHUB_TOKEN: bridgeGitHubToken } : {}
+          ...bridgeGitHubToken ? {
+            RIG_GITHUB_TOKEN: bridgeGitHubToken,
+            GITHUB_TOKEN: bridgeGitHubToken,
+            GH_TOKEN: bridgeGitHubToken
+          } : {},
+          ...resumeMode ? {
+            RIG_RUN_RESUME: "1",
+            RIG_RUNTIME_ARTIFACT_CLEANUP: "preserve"
+          } : {}
         },
         stdio: ["ignore", "pipe", "pipe"]
       });
@@ -4651,7 +4764,7 @@ async function resumeRunRecord(state, input) {
   if (run.status === "completed") {
     throw new Error("Completed runs cannot be resumed.");
   }
-  await startLocalRun(state, input.runId, { promptOverride: input.promptOverride ?? null });
+  await startLocalRun(state, input.runId, { promptOverride: input.promptOverride ?? null, resume: input.restart !== true });
 }
 function appendRunMessage(projectRoot, input) {
   const run = readAuthorityRun4(projectRoot, input.runId);
@@ -4735,34 +4848,12 @@ function removeTaskIdsFromQueueState(projectRoot, taskIds) {
   writeQueueState(projectRoot, next);
   return next;
 }
-var ORPHANABLE_LOCAL_RUN_STATUSES = new Set(["preparing", "running"]);
-function reconcileOrphanedLocalRuns(state, runs, nowIso2) {
-  let changed = false;
-  for (const run of runs) {
+var RESUMABLE_LOCAL_RUN_STATUSES = new Set(["created", "preparing", "running", "validating", "reviewing"]);
+function collectResumableLocalRuns(state, runs) {
+  return runs.filter((run) => {
     const status = normalizeString(run.status)?.toLowerCase() ?? "";
-    const serverPid = run.serverPid;
-    const wasStartedByRigServer = typeof serverPid === "number" || typeof serverPid === "string";
-    if (run.mode !== "local" || !wasStartedByRigServer || !ORPHANABLE_LOCAL_RUN_STATUSES.has(status) || state.runProcesses.has(run.runId)) {
-      continue;
-    }
-    const detail = "Recovered stale local run after Rig server restart; no live child process was attached to this server instance.";
-    patchRunRecord(state.projectRoot, run.runId, {
-      status: "failed",
-      completedAt: run.completedAt ?? nowIso2,
-      updatedAt: nowIso2,
-      errorText: detail
-    });
-    appendRunLogEntry(state.projectRoot, run.runId, {
-      id: `log:${run.runId}:stale-local-run`,
-      title: "Run marked stale after server restart",
-      detail,
-      tone: "error",
-      status: "failed",
-      createdAt: nowIso2
-    });
-    changed = true;
-  }
-  return changed;
+    return run.mode === "local" && RESUMABLE_LOCAL_RUN_STATUSES.has(status) && !state.runProcesses.has(run.runId);
+  });
 }
 async function reconcileScheduler(state, reason) {
   if (state.scheduler.reconciling) {
@@ -4777,7 +4868,20 @@ async function reconcileScheduler(state, reason) {
         const queue = readQueueState(state.projectRoot);
         const tasks = await state.snapshotService.getWorkspaceTasks();
         let runs = listAuthorityRuns4(state.projectRoot);
-        let changed = reconcileOrphanedLocalRuns(state, runs, new Date().toISOString());
+        let changed = false;
+        const resumableRuns = collectResumableLocalRuns(state, runs);
+        for (const run of resumableRuns) {
+          appendRunLogEntry(state.projectRoot, run.runId, {
+            id: `log:${run.runId}:auto-resume:${Date.now()}`,
+            title: "Run auto-resume scheduled",
+            detail: `Rig server recovered nonterminal run ${run.runId} after ${reason}; resuming the same lifecycle instead of restarting it.`,
+            tone: "info",
+            status: "preparing",
+            createdAt: new Date().toISOString()
+          });
+          await startLocalRun(state, run.runId, { resume: true });
+          changed = true;
+        }
         if (changed) {
           runs = listAuthorityRuns4(state.projectRoot);
         }
@@ -5393,10 +5497,10 @@ function normalizeCommit(value) {
 function asPlainRecord(value) {
   return value && typeof value === "object" && !Array.isArray(value) ? value : null;
 }
-var RIG_CONFIG_PACKAGE_VERSION = "0.0.6-alpha.1";
+var RIG_CONFIG_PACKAGE_DIST_TAG = "latest";
 var RIG_CONFIG_DEV_DEPENDENCIES = {
-  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_VERSION}`,
-  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_VERSION}`
+  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_DIST_TAG}`,
+  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_DIST_TAG}`
 };
 function repoParts(repoSlug) {
   const [owner, repo] = repoSlug.split("/");
@@ -5750,13 +5854,52 @@ function bearerTokenFromRequest(req) {
 function isLoopbackRequest(req) {
   try {
     const hostname = new URL(req.url).hostname.toLowerCase();
-    return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1" || hostname === "[::1]";
+    return hostname === "localhost" || hostname === "rig.local" || hostname.endsWith(".localhost") || hostname === "127.0.0.1" || hostname === "::1" || hostname === "[::1]";
   } catch {
     return false;
   }
 }
 function isPublicRigAuthBootstrapRoute(pathname) {
-  return pathname === "/" || pathname === "/health" || pathname === "/api/health" || pathname === "/api/server/status" || pathname === "/api/github/auth/status" || pathname === "/api/github/auth/token" || pathname === "/api/github/auth/device/start" || pathname === "/api/github/auth/device/poll";
+  return pathname === "/" || pathname === "/install" || pathname === "/health" || pathname === "/api/health" || pathname === "/api/github/auth/status" || pathname === "/api/github/auth/token" || pathname === "/api/github/auth/device/start" || pathname === "/api/github/auth/device/poll";
+}
+function buildRigInstallScript() {
+  return `#!/usr/bin/env bash
+set -euo pipefail
+
+say() {
+  printf 'rig-install: %s
+' "$*"
+}
+
+if ! command -v bun >/dev/null 2>&1; then
+  say "Bun not found; installing Bun first"
+  curl -fsSL https://bun.sh/install | bash
+  export BUN_INSTALL="\${BUN_INSTALL:-$HOME/.bun}"
+  export PATH="$BUN_INSTALL/bin:$PATH"
+fi
+
+if ! command -v bun >/dev/null 2>&1; then
+  printf 'rig-install: bun install completed, but bun is still not on PATH. Add ~/.bun/bin to PATH and retry.
+' >&2
+  exit 1
+fi
+
+say "Installing @h-rig/cli@latest"
+bun add -g @h-rig/cli@latest
+
+export BUN_INSTALL="\${BUN_INSTALL:-$HOME/.bun}"
+export PATH="$BUN_INSTALL/bin:$PATH"
+
+if ! command -v rig >/dev/null 2>&1; then
+  printf 'rig-install: rig installed, but rig is not on PATH. Add %s/bin to PATH and retry.
+' "$BUN_INSTALL" >&2
+  exit 1
+fi
+
+say "Verifying rig"
+rig --help >/dev/null
+say "Done. Run: rig --help"
+`;
 }
 function normalizePrMode(value) {
   const mode = normalizeString(value);
@@ -5769,6 +5912,10 @@ function authorizeRigHttpRequest(input) {
   const bearer = bearerTokenFromRequest(input.req);
   const store = createGitHubAuthStore(input.projectRoot);
   const storedToken = store.readToken();
+  const session = bearer ? store.readApiSession(bearer) : null;
+  if (session) {
+    return { authorized: true, actor: session.login ?? "github-operator", reason: "github-session" };
+  }
   if (bearer && storedToken && bearer === storedToken) {
     const status = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
     return { authorized: true, actor: status.login ?? "github-operator", reason: "github-token" };
@@ -5776,8 +5923,11 @@ function authorizeRigHttpRequest(input) {
   if (isPublicRigAuthBootstrapRoute(input.pathname)) {
     return { authorized: true, actor: null, reason: "public-bootstrap" };
   }
-  if (!input.serverAuthToken && !storedToken && isLoopbackRequest(input.req)) {
-    return { authorized: true, actor: null, reason: "loopback-dev-no-auth" };
+  if (!input.serverAuthToken && !storedToken) {
+    if (isLoopbackRequest(input.req)) {
+      return { authorized: true, actor: null, reason: "loopback-dev-no-auth" };
+    }
+    return { authorized: false, actor: null, reason: "auth-required" };
   }
   return { authorized: false, actor: null, reason: storedToken ? "github-token-required" : "auth-required" };
 }
@@ -6008,7 +6158,7 @@ function selectNextWorkspaceTask(projectRoot, tasks) {
   if (runnable.length === 0)
     return null;
   const queue = readQueueState(projectRoot);
-  const queueRank = new Map(queue.map((entry, index) => [entry.taskId, { score: entry.score, position: index }]));
+  const queueRank = new Map(queue.map((entry, index) => [String(entry.taskId), { score: entry.score, position: index }]));
   return runnable.toSorted((left, right) => {
     const leftId = taskIdOf(left) ?? "";
     const rightId = taskIdOf(right) ?? "";
@@ -6048,6 +6198,27 @@ function filterWorkspaceTasks(projectRoot, tasks, searchParams) {
   }
   return filtered;
 }
+function issueAnalysisTargetFor(source) {
+  if (!source)
+    return null;
+  const candidate = source;
+  if (typeof candidate.updateTask !== "function")
+    return null;
+  return {
+    ...typeof candidate.get === "function" ? { get: candidate.get.bind(candidate) } : {},
+    updateTask: candidate.updateTask.bind(candidate),
+    ...typeof candidate.addLabels === "function" ? { addLabels: candidate.addLabels.bind(candidate) } : {},
+    ...typeof candidate.removeLabels === "function" ? { removeLabels: candidate.removeLabels.bind(candidate) } : {},
+    ...typeof candidate.createIssue === "function" ? { createIssue: candidate.createIssue.bind(candidate) } : {}
+  };
+}
+function uniqueStringList(value) {
+  const raw = Array.isArray(value) ? value : typeof value === "string" ? [value] : [];
+  return [...new Set(raw.map((entry) => String(entry).trim()).filter(Boolean))];
+}
+function taskRecordId(task) {
+  return String(task.id ?? "");
+}
 function redactRemoteEndpoint(endpoint) {
   const { token, ...rest } = endpoint;
   return {
@@ -6132,9 +6303,16 @@ function createRigServerFetch(state, deps) {
             notifications: state.targets.length
           });
         }
+        if (url.pathname === "/install" && req.method === "GET") {
+          return new Response(buildRigInstallScript(), {
+            headers: {
+              "Content-Type": "text/x-shellscript; charset=utf-8"
+            }
+          });
+        }
         const isLinearWebhook = url.pathname === "/api/linear/webhook" && req.method === "POST";
         const isInspectorStream = url.pathname === "/api/inspector/stream" && req.method === "GET";
-        const legacyAuthorizedHttpRequest = isInspectorStream && isAuthorizedInspectorStreamRequest(req, state.authToken) ? true : deps.isAuthorizedHttpRequest(req, state.authToken);
+        const legacyAuthorizedHttpRequest = Boolean(state.authToken) && (isInspectorStream && isAuthorizedInspectorStreamRequest(req, state.authToken) ? true : deps.isAuthorizedHttpRequest(req, state.authToken));
         const requestAuth = authorizeRigHttpRequest({
           req,
           pathname: url.pathname,
@@ -6390,6 +6568,67 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             note: "GitHub issue lifecycle labels are created on demand by the configured task source when supported."
           });
         }
+        if (url.pathname === "/api/workspace/issue-analysis/run" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const ids = uniqueStringList(body.ids ?? body.id);
+          const analyzeAll = deps.isTruthyQuery(String(body.all ?? ""));
+          if (ids.length === 0 && !analyzeAll) {
+            return deps.badRequest("ids is required unless all=true");
+          }
+          const ctx = await getCachedPluginHostContext(state.projectRoot);
+          const [source] = ctx?.taskSourceRegistry.list() ?? [];
+          const target = issueAnalysisTargetFor(source);
+          if (!source || !target) {
+            return deps.badRequest("Configured task source does not support issue-analysis writeback");
+          }
+          const allTasks = [...await source.list()];
+          const issues = analyzeAll ? allTasks.slice(0, Math.max(1, Math.min(25, Number(body.limit ?? 25) || 25))) : (await Promise.all(ids.map(async (id) => {
+            const cached = allTasks.find((task) => taskRecordId(task) === id);
+            if (cached)
+              return cached;
+            return typeof source.get === "function" ? await source.get(id) : undefined;
+          }))).filter((task) => Boolean(task));
+          if (issues.length === 0) {
+            return deps.jsonResponse({ ok: false, error: "No matching issues found for issue analysis", ids }, 404);
+          }
+          const config = ctx?.config && typeof ctx.config === "object" ? ctx.config : {};
+          const issueAnalysis = config.issueAnalysis && typeof config.issueAnalysis === "object" ? config.issueAnalysis : {};
+          const runtime = config.runtime && typeof config.runtime === "object" ? config.runtime : {};
+          const model = normalizeString(issueAnalysis.model) ?? normalizeString(runtime.model);
+          const service = createIssueAnalysisService({
+            analyzer: createPiIssueAnalyzer({
+              ...model ? { model } : {},
+              env: { RIG_PROJECT_ROOT: state.projectRoot }
+            }),
+            writeBack: createIssueAnalysisWriteBack({ target })
+          });
+          const reason = normalizeString(body.reason) ?? "http-issue-analysis";
+          let results;
+          try {
+            results = await service.analyze(issues, { reason, neighbors: ids.length > 0 ? issues : allTasks });
+          } catch (error) {
+            return deps.jsonResponse({
+              ok: false,
+              error: `Issue analysis failed: ${error instanceof Error ? error.message : String(error)}`,
+              reason,
+              ids: issues.map((issue) => issue.id)
+            }, 502);
+          }
+          deps.snapshotService.invalidate("issue-analysis-http-run");
+          await state.taskProjectionReconciler?.tick("issue-analysis-http-run").catch(() => {
+            return;
+          });
+          deps.broadcastSnapshotInvalidation(state, "issue-analysis-http-run");
+          return deps.jsonResponse({
+            ok: true,
+            reason,
+            analyzed: results.map((entry) => ({
+              id: entry.issue.id,
+              title: entry.issue.title ?? null,
+              result: entry.result
+            }))
+          });
+        }
         if (url.pathname === "/api/server/status") {
           const config = buildProjectConfigStatus(state.projectRoot);
           const taskSource = await buildTaskSourceStatus(state, config);
@@ -6530,6 +6769,9 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }
           const normalizedRoot = resolve18(requestedRoot);
           const exists = existsSync11(normalizedRoot);
+          if (exists) {
+            createGitHubAuthStore(state.projectRoot).copyToProjectRoot(normalizedRoot);
+          }
           const control = buildServerControlStatus();
           const switchCommand = process.env.RIG_PROJECT_ROOT_SWITCH_COMMAND?.trim();
           if (!exists) {
@@ -6618,21 +6860,30 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           const body = await deps.readJsonBody(req);
           const token = normalizeString(body.token);
           const selectedRepo = normalizeString(body.selectedRepo);
+          const requestedProjectRoot = normalizeString(body.projectRoot);
           if (!token) {
             return deps.badRequest("token is required");
           }
           try {
             const user = await fetchGitHubUserInfo(token);
-            const store = createGitHubAuthStore(state.projectRoot);
-            store.saveToken({
-              token,
-              tokenSource: "manual-token",
-              login: user.login,
-              userId: user.userId,
-              scopes: user.scopes,
-              selectedRepo
-            });
-            return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }) });
+            const storeRoots = [
+              state.projectRoot,
+              ...requestedProjectRoot && isAbsolute3(requestedProjectRoot) && existsSync11(resolve18(requestedProjectRoot)) ? [resolve18(requestedProjectRoot)] : []
+            ].filter((root, index, roots) => roots.indexOf(root) === index);
+            const stores = storeRoots.map((root) => createGitHubAuthStore(root));
+            for (const store2 of stores) {
+              store2.saveToken({
+                token,
+                tokenSource: "manual-token",
+                login: user.login,
+                userId: user.userId,
+                scopes: user.scopes,
+                selectedRepo
+              });
+            }
+            const store = stores[stores.length - 1] ?? createGitHubAuthStore(state.projectRoot);
+            const apiSession = store.createApiSession();
+            return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }), apiSessionToken: apiSession.token });
           } catch (error) {
             const message = error instanceof Error ? error.message : String(error);
             return deps.jsonResponse({ ok: false, error: message }, 400);
@@ -6700,7 +6951,8 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           const token = result.payload.access_token;
           const user = await fetchGitHubUserInfo(token);
           store.saveToken({ token, tokenSource: "oauth-device", login: user.login, userId: user.userId, scopes: user.scopes });
-          return deps.jsonResponse({ ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }) });
+          const apiSession = store.createApiSession();
+          return deps.jsonResponse({ ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }), apiSessionToken: apiSession.token });
         }
         if (url.pathname === "/api/github/repo/probe" && req.method === "POST") {
           const body = await deps.readJsonBody(req);
@@ -7072,11 +7324,12 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           const runId = normalizeString(body.runId);
           const createdAt = normalizeString(body.createdAt) ?? new Date().toISOString();
           const promptOverride = normalizeString(body.promptOverride);
+          const restart = body.restart === true;
           if (!runId) {
             return deps.badRequest("runId is required");
           }
           try {
-            await deps.resumeRunRecord(state, { runId, createdAt, promptOverride });
+            await deps.resumeRunRecord(state, { runId, createdAt, promptOverride, restart });
             deps.broadcastSnapshotInvalidation(state);
             return deps.jsonResponse({ ok: true, runId, createdAt });
           } catch (error) {
@@ -12506,7 +12759,7 @@ async function readWorkspaceTasks(projectRoot) {
       description: normalizeString(entry.description),
       acceptanceCriteria: normalizeString(entry.acceptance_criteria),
       status: normalizedStatus ?? "unknown",
-      sourceStatus: normalizedStatus ? null : rawStatus,
+      sourceStatus: normalizedStatus && rawStatus !== normalizedStatus ? rawStatus : normalizedStatus ? null : rawStatus,
       priority: typeof entry.priority === "number" ? entry.priority : typeof entry.priority === "string" ? Number(entry.priority) : null,
       issueType: normalizeString(entry.issue_type),
       role: normalizeString(config.role) ?? null,
@@ -12986,6 +13239,7 @@ async function createRigServer(options, projectRoot = resolveProjectRoot()) {
   const server = Bun.serve({
     hostname: options.host,
     port: options.port,
+    idleTimeout: Math.max(10, Math.min(255, Number.parseInt(process.env.RIG_SERVER_IDLE_TIMEOUT_SECONDS || "255", 10) || 255)),
     fetch: (req, server2) => createRigServerFetch2(state)(req, server2),
     websocket: {
       open(ws) {