npm - @h-rig/server - Versions diffs - 0.0.6-alpha.1 → 0.0.6-alpha.11 - Mend

@h-rig/server 0.0.6-alpha.1 → 0.0.6-alpha.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/README.md +23 -0
package/dist/src/index.js +920 -287
package/dist/src/server-helpers/github-api-session-index.js +107 -0
package/dist/src/server-helpers/github-auth-store.js +117 -21
package/dist/src/server-helpers/github-user-namespace.js +102 -0
package/dist/src/server-helpers/http-router.js +998 -151
package/dist/src/server-helpers/issue-analysis.js +30 -11
package/dist/src/server-helpers/project-registry.js +5 -0
package/dist/src/server-helpers/run-mutations.js +248 -103
package/dist/src/server-helpers/snapshot-orchestrator.js +1 -1
package/dist/src/server-helpers/snapshot-service.js +1 -1
package/dist/src/server-helpers/ws-router.js +4 -4
package/dist/src/server.js +921 -287
package/package.json +4 -4

package/dist/src/server-helpers/http-router.js CHANGED Viewed

@@ -4,8 +4,8 @@ var __require = import.meta.require;
 // packages/server/src/server-helpers/http-router.ts
 import { randomUUID } from "crypto";
 import { spawnSync as spawnSync2 } from "child_process";
-import { basename, dirname as dirname6, isAbsolute as isAbsolute2, resolve as resolve11 } from "path";
-import { copyFileSync, existsSync as existsSync8, mkdirSync as mkdirSync7, readFileSync as readFileSync5, writeFileSync as writeFileSync7 } from "fs";
+import { basename, dirname as dirname9, isAbsolute as isAbsolute3, resolve as resolve13 } from "path";
+import { copyFileSync as copyFileSync2, existsSync as existsSync10, mkdirSync as mkdirSync9, readFileSync as readFileSync7, writeFileSync as writeFileSync9 } from "fs";
 // packages/server/src/server.ts
 import {
@@ -469,6 +469,273 @@ async function refreshTaskProjection(projectRoot, input) {
   });
 }
+// packages/server/src/server-helpers/issue-analysis.ts
+import { createHash } from "crypto";
+function stableIssueHash(issue) {
+  const labels = Array.isArray(issue.labels) ? [...issue.labels].map(String).sort() : [];
+  const body = typeof issue.body === "string" ? issue.body : "";
+  const title = typeof issue.title === "string" ? issue.title : "";
+  return createHash("sha256").update(JSON.stringify({ id: issue.id, title, body, labels, deps: issue.deps, status: issue.status })).digest("hex");
+}
+function renderIssueAnalysisPrompt(input) {
+  const issue = input.issue;
+  const neighbors = input.neighbors ?? [];
+  return [
+    "You are Rig issue analysis running inside Pi.",
+    "Return JSON only with optional metadataPatch, labelsToAdd, labelsToRemove, and generatedIssues.",
+    "Preserve all human-authored issue body content. Only propose edits for Rig-owned metadata/status sections, labels, and generated issues.",
+    "Generated issues must be concrete, minimal follow-up tasks and will be labeled rig:generated by Rig.",
+    "",
+    "Issue:",
+    JSON.stringify({
+      id: issue.id,
+      title: issue.title,
+      body: issue.body,
+      labels: issue.labels,
+      deps: issue.deps,
+      status: issue.status
+    }, null, 2),
+    "",
+    "Neighbor tasks:",
+    JSON.stringify(neighbors.map((task) => ({ id: task.id, title: task.title, status: task.status, deps: task.deps })), null, 2)
+  ].join(`
+`);
+}
+function isRecord(value) {
+  return Boolean(value && typeof value === "object" && !Array.isArray(value));
+}
+function stringArray(value) {
+  if (!Array.isArray(value))
+    return;
+  return value.map(String).filter((entry) => entry.trim().length > 0);
+}
+function generatedIssues(value) {
+  if (!Array.isArray(value))
+    return;
+  return value.flatMap((entry) => {
+    if (!isRecord(entry) || typeof entry.title !== "string")
+      return [];
+    return [{
+      title: entry.title,
+      body: typeof entry.body === "string" ? entry.body : "",
+      labels: stringArray(entry.labels) ?? [],
+      ...Array.isArray(entry.dependsOn) ? { dependsOn: entry.dependsOn.map(String) } : {}
+    }];
+  });
+}
+function findJsonLikeText(value) {
+  if (typeof value === "string") {
+    const trimmed = value.trim();
+    if (trimmed.startsWith("{") || trimmed.startsWith("```"))
+      return trimmed;
+    return null;
+  }
+  if (Array.isArray(value)) {
+    for (const entry of value) {
+      const found = findJsonLikeText(entry);
+      if (found)
+        return found;
+    }
+    return null;
+  }
+  if (!isRecord(value))
+    return null;
+  for (const key of ["text", "content", "message", "output_text", "response", "stdout"]) {
+    const found = findJsonLikeText(value[key]);
+    if (found)
+      return found;
+  }
+  for (const entry of Object.values(value)) {
+    const found = findJsonLikeText(entry);
+    if (found)
+      return found;
+  }
+  return null;
+}
+function candidateAnalysisObject(value) {
+  if (!isRecord(value))
+    return null;
+  if (isRecord(value.result))
+    return candidateAnalysisObject(value.result) ?? value.result;
+  if (isRecord(value.analysis))
+    return candidateAnalysisObject(value.analysis) ?? value.analysis;
+  if (isRecord(value.metadataPatch) || Array.isArray(value.labelsToAdd) || Array.isArray(value.labelsToRemove) || Array.isArray(value.generatedIssues)) {
+    return value;
+  }
+  const nested = findJsonLikeText(value);
+  if (nested && nested !== JSON.stringify(value)) {
+    try {
+      const parsedNested = JSON.parse(nested.match(/```(?:json)?\s*([\s\S]*?)\s*```/i)?.[1]?.trim() ?? nested);
+      return candidateAnalysisObject(parsedNested);
+    } catch {
+      return null;
+    }
+  }
+  return null;
+}
+function parseIssueAnalysisResult(raw) {
+  let parsed = raw;
+  if (typeof raw === "string") {
+    const trimmed = raw.trim();
+    const fenced = trimmed.match(/```(?:json)?\s*([\s\S]*?)\s*```/i)?.[1]?.trim();
+    try {
+      parsed = JSON.parse(fenced ?? trimmed);
+    } catch {
+      const lastJsonLine = trimmed.split(/\r?\n/).reverse().find((line) => line.trim().startsWith("{"));
+      parsed = lastJsonLine ? JSON.parse(lastJsonLine) : {};
+    }
+  }
+  const candidate = candidateAnalysisObject(parsed);
+  if (!candidate)
+    return {};
+  const result = {};
+  if (isRecord(candidate.metadataPatch))
+    result.metadataPatch = candidate.metadataPatch;
+  const add = stringArray(candidate.labelsToAdd);
+  if (add?.length)
+    result.labelsToAdd = add;
+  const remove = stringArray(candidate.labelsToRemove);
+  if (remove?.length)
+    result.labelsToRemove = remove;
+  const generated = generatedIssues(candidate.generatedIssues);
+  if (generated?.length)
+    result.generatedIssues = generated;
+  return result;
+}
+function createDefaultPiIssueAnalysisCommandRunner() {
+  return async (command, args, options) => {
+    const env = options.env ? { ...process.env, ...options.env } : process.env;
+    const proc = Bun.spawn([command, ...args], {
+      stdout: "pipe",
+      stderr: "pipe",
+      env
+    });
+    let timedOut = false;
+    const timer = setTimeout(() => {
+      timedOut = true;
+      proc.kill();
+    }, options.timeoutMs);
+    try {
+      const [stdout, stderr, exitCode] = await Promise.all([
+        new Response(proc.stdout).text(),
+        new Response(proc.stderr).text(),
+        proc.exited
+      ]);
+      return {
+        exitCode: timedOut && exitCode === 0 ? 1 : exitCode,
+        stdout,
+        stderr: timedOut && stderr.trim().length === 0 ? `Pi issue analysis timed out after ${options.timeoutMs}ms` : stderr
+      };
+    } finally {
+      clearTimeout(timer);
+    }
+  };
+}
+function createPiIssueAnalyzer(input = {}) {
+  const piBinary = input.piBinary ?? process.env.RIG_ISSUE_ANALYSIS_PI_BINARY ?? "pi";
+  const timeoutMs = Math.max(1000, Math.trunc(input.timeoutMs ?? Number(process.env.RIG_ISSUE_ANALYSIS_TIMEOUT_MS ?? 120000)));
+  const runCommand = input.runCommand ?? createDefaultPiIssueAnalysisCommandRunner();
+  return async ({ prompt }) => {
+    const args = ["--print", "--mode", "json", "--no-session"];
+    const provider = input.provider?.trim() || process.env.RIG_ISSUE_ANALYSIS_PROVIDER?.trim() || process.env.RIG_PI_PROVIDER?.trim();
+    const model = input.model?.trim() || process.env.RIG_ISSUE_ANALYSIS_MODEL?.trim() || process.env.RIG_PI_MODEL?.trim() || "openai-codex/gpt-5.5";
+    if (provider)
+      args.push("--provider", provider);
+    if (model)
+      args.push("--model", model);
+    args.push(prompt);
+    const result = await runCommand(piBinary, args, { timeoutMs, ...input.env ? { env: input.env } : {} });
+    if (result.exitCode !== 0) {
+      throw new Error(`Pi issue analysis failed (exit ${result.exitCode}): ${result.stderr ?? result.stdout}`);
+    }
+    return parseIssueAnalysisResult(result.stdout);
+  };
+}
+function defaultStatusComment(input) {
+  const changes = [
+    input.result.metadataPatch ? "metadata" : null,
+    input.result.labelsToAdd?.length ? `labels added: ${input.result.labelsToAdd.join(", ")}` : null,
+    input.result.labelsToRemove?.length ? `labels removed: ${input.result.labelsToRemove.join(", ")}` : null,
+    input.result.generatedIssues?.length ? `generated issues: ${input.result.generatedIssues.length}` : null
+  ].filter((entry) => Boolean(entry));
+  if (changes.length === 0)
+    return null;
+  return [
+    "<!-- rig:status-comment -->",
+    "### Rig issue analysis",
+    "",
+    `Analyzed issue ${input.issue.id}${input.reason ? ` (${input.reason})` : ""}.`,
+    "",
+    ...changes.map((change) => `- ${change}`)
+  ].join(`
+`);
+}
+function uniqueLabels(labels, required = []) {
+  return [...new Set([...labels ?? [], ...required].map((label) => label.trim()).filter(Boolean))];
+}
+function createIssueAnalysisWriteBack(input) {
+  return async ({ issue, result, reason }) => {
+    if (result.metadataPatch && Object.keys(result.metadataPatch).length > 0) {
+      if (!input.target.updateTask)
+        throw new Error("Issue analysis writeback requires updateTask for metadata patches.");
+      await input.target.updateTask(issue.id, { metadata: result.metadataPatch });
+    }
+    if (result.labelsToAdd?.length) {
+      if (!input.target.addLabels)
+        throw new Error("Issue analysis writeback requires addLabels for labelsToAdd.");
+      await input.target.addLabels(issue.id, uniqueLabels(result.labelsToAdd));
+    }
+    if (result.labelsToRemove?.length) {
+      if (!input.target.removeLabels)
+        throw new Error("Issue analysis writeback requires removeLabels for labelsToRemove.");
+      await input.target.removeLabels(issue.id, uniqueLabels(result.labelsToRemove));
+    }
+    const comment = (input.buildStatusComment ?? defaultStatusComment)({ issue, result, reason });
+    if (comment?.trim()) {
+      if (!input.target.updateTask)
+        throw new Error("Issue analysis writeback requires updateTask for sticky status comments.");
+      await input.target.updateTask(issue.id, { comment });
+    }
+    for (const generated of result.generatedIssues ?? []) {
+      if (!input.target.createIssue)
+        throw new Error("Issue analysis writeback requires createIssue for generated issues.");
+      await input.target.createIssue({
+        title: generated.title,
+        body: generated.dependsOn?.length ? `${generated.body.trimEnd()}
+depends-on: ${generated.dependsOn.map((dep) => dep.startsWith("#") ? dep : `#${dep}`).join(", ")}
+` : generated.body,
+        labels: uniqueLabels(generated.labels, ["rig:generated"])
+      });
+    }
+  };
+}
+function createIssueAnalysisService(input) {
+  const analyzedHashes = new Map;
+  return {
+    async analyze(issues, options = {}) {
+      const results = [];
+      const neighbors = options.neighbors ?? issues;
+      for (const issue of issues) {
+        const hash = stableIssueHash(issue);
+        if (analyzedHashes.get(issue.id) === hash)
+          continue;
+        const prompt = renderIssueAnalysisPrompt({ issue, neighbors: neighbors.filter((candidate) => candidate.id !== issue.id) });
+        const result = await input.analyzer({ issue, neighbors, prompt });
+        analyzedHashes.set(issue.id, hash);
+        if (result.metadataPatch || result.labelsToAdd?.length || result.labelsToRemove?.length || result.generatedIssues?.length) {
+          await input.writeBack?.({ issue, result, reason: options.reason });
+        }
+        results.push({ issue, result });
+      }
+      return results;
+    },
+    clearCache() {
+      analyzedHashes.clear();
+    }
+  };
+}
 // packages/server/src/server-helpers/terminal-runtime.ts
 import { WS_CHANNELS as WS_CHANNELS2 } from "@rig/contracts";
@@ -535,8 +802,9 @@ import {
 } from "@rig/runtime/control-plane/authority-files";
 // packages/server/src/server-helpers/github-auth-store.ts
-import { chmodSync, existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync2, writeFileSync as writeFileSync3 } from "fs";
-import { resolve as resolve7 } from "path";
+import { randomBytes } from "crypto";
+import { chmodSync, copyFileSync, existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync2, writeFileSync as writeFileSync3 } from "fs";
+import { dirname as dirname3, resolve as resolve7 } from "path";
 function cleanString(value) {
   return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
 }
@@ -548,6 +816,44 @@ function cleanScopes(value) {
     return clean ? [clean] : [];
   });
 }
+function parseApiSessions(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    if (!entry || typeof entry !== "object" || Array.isArray(entry))
+      return [];
+    const record = entry;
+    const token = cleanString(record.token);
+    if (!token)
+      return [];
+    return [{
+      token,
+      login: cleanString(record.login),
+      userId: cleanString(record.userId),
+      createdAt: cleanString(record.createdAt) ?? undefined
+    }];
+  });
+}
+function parsePendingDevice(value) {
+  if (!value || typeof value !== "object")
+    return null;
+  const record = value;
+  const pollId = cleanString(record.pollId);
+  const deviceCode = cleanString(record.deviceCode);
+  const expiresAt = cleanString(record.expiresAt);
+  const intervalSeconds = typeof record.intervalSeconds === "number" && Number.isFinite(record.intervalSeconds) ? Math.max(1, Math.floor(record.intervalSeconds)) : null;
+  if (!pollId || !deviceCode || !expiresAt || !intervalSeconds)
+    return null;
+  return { pollId, deviceCode, expiresAt, intervalSeconds };
+}
+function parsePendingDevices(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    const pending = parsePendingDevice(entry);
+    return pending ? [pending] : [];
+  });
+}
 function readStoredAuth(stateFile) {
   if (!existsSync4(stateFile))
     return {};
@@ -561,37 +867,44 @@ function readStoredAuth(stateFile) {
       selectedRepo: cleanString(parsed.selectedRepo),
       tokenSource: parsed.tokenSource === "oauth-device" || parsed.tokenSource === "manual-token" || parsed.tokenSource === "env" ? parsed.tokenSource : undefined,
       pendingDevice: parsePendingDevice(parsed.pendingDevice),
+      pendingDevices: parsePendingDevices(parsed.pendingDevices),
+      apiSessions: parseApiSessions(parsed.apiSessions),
       updatedAt: cleanString(parsed.updatedAt) ?? undefined
     };
   } catch {
     return {};
   }
 }
-function parsePendingDevice(value) {
-  if (!value || typeof value !== "object")
-    return null;
-  const record = value;
-  const pollId = cleanString(record.pollId);
-  const deviceCode = cleanString(record.deviceCode);
-  const expiresAt = cleanString(record.expiresAt);
-  const intervalSeconds = typeof record.intervalSeconds === "number" && Number.isFinite(record.intervalSeconds) ? Math.max(1, Math.floor(record.intervalSeconds)) : null;
-  if (!pollId || !deviceCode || !expiresAt || !intervalSeconds)
-    return null;
-  return { pollId, deviceCode, expiresAt, intervalSeconds };
+function newApiSessionToken() {
+  return `rig_${randomBytes(32).toString("base64url")}`;
 }
 function writeStoredAuth(stateFile, payload) {
-  mkdirSync3(resolve7(stateFile, ".."), { recursive: true });
+  mkdirSync3(dirname3(stateFile), { recursive: true });
   writeFileSync3(stateFile, `${JSON.stringify(payload, null, 2)}
 `, { encoding: "utf8", mode: 384 });
   try {
     chmodSync(stateFile, 384);
   } catch {}
 }
+function localProjectAuthStateFile(projectRoot) {
+  return resolve7(projectRoot, ".rig", "state", "github-auth.json");
+}
 function resolveGitHubAuthStateFile(projectRoot) {
   return resolve7(resolveServerAuthorityPaths(projectRoot).stateDir, "github-auth.json");
 }
-function createGitHubAuthStore(projectRoot) {
-  const stateFile = resolveGitHubAuthStateFile(projectRoot);
+function copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot) {
+  const targetFile = localProjectAuthStateFile(projectRoot);
+  mkdirSync3(dirname3(targetFile), { recursive: true });
+  if (existsSync4(stateFile)) {
+    copyFileSync(stateFile, targetFile);
+    try {
+      chmodSync(targetFile, 384);
+    } catch {}
+    return;
+  }
+  writeStoredAuth(targetFile, {});
+}
+function createGitHubAuthStoreFromStateFile(stateFile) {
   return {
     stateFile,
     status(options) {
@@ -621,14 +934,53 @@ function createGitHubAuthStore(projectRoot) {
         scopes: input.scopes ?? [],
         selectedRepo: input.selectedRepo ?? previous.selectedRepo ?? null,
         pendingDevice: null,
+        pendingDevices: [],
+        apiSessions: previous.apiSessions ?? [],
+        updatedAt: new Date().toISOString()
+      });
+    },
+    createApiSession() {
+      const previous = readStoredAuth(stateFile);
+      const token = newApiSessionToken();
+      const session = {
+        token,
+        login: cleanString(previous.login),
+        userId: cleanString(previous.userId),
+        createdAt: new Date().toISOString()
+      };
+      writeStoredAuth(stateFile, {
+        ...previous,
+        apiSessions: [...(previous.apiSessions ?? []).slice(-9), session],
         updatedAt: new Date().toISOString()
       });
+      return { token, login: session.login ?? null, userId: session.userId ?? null };
+    },
+    readApiSession(token) {
+      const clean = cleanString(token);
+      if (!clean)
+        return null;
+      const previous = readStoredAuth(stateFile);
+      const session = (previous.apiSessions ?? []).find((candidate) => candidate.token === clean);
+      return session ? { login: cleanString(session.login), userId: cleanString(session.userId) } : null;
+    },
+    copyToProjectRoot(projectRoot) {
+      const targetFile = resolveGitHubAuthStateFile(projectRoot);
+      writeStoredAuth(targetFile, readStoredAuth(stateFile));
+    },
+    copyToLocalProjectRoot(projectRoot) {
+      copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot);
     },
     savePendingDevice(input) {
       const previous = readStoredAuth(stateFile);
+      const pendingDevices = [
+        ...previous.pendingDevice ? [previous.pendingDevice] : [],
+        ...previous.pendingDevices ?? [],
+        input
+      ].filter((entry, index, entries) => entries.findIndex((candidate) => candidate.pollId === entry.pollId) === index);
       writeStoredAuth(stateFile, {
         ...previous,
-        pendingDevice: input,
+        pendingDevice: null,
+        pendingDevices,
         updatedAt: new Date().toISOString()
       });
     },
@@ -641,23 +993,32 @@ function createGitHubAuthStore(projectRoot) {
       });
     },
     readPendingDevice(pollId) {
-      const pending = readStoredAuth(stateFile).pendingDevice ?? null;
-      if (!pending || pending.pollId !== pollId)
+      const previous = readStoredAuth(stateFile);
+      const pending = [
+        ...previous.pendingDevice ? [previous.pendingDevice] : [],
+        ...previous.pendingDevices ?? []
+      ].find((entry) => entry.pollId === pollId) ?? null;
+      if (!pending)
         return null;
       if (Date.parse(pending.expiresAt) <= Date.now())
         return null;
       return pending;
     },
-    clearPendingDevice() {
+    clearPendingDevice(pollId) {
       const previous = readStoredAuth(stateFile);
+      const remaining = pollId ? (previous.pendingDevices ?? []).filter((entry) => entry.pollId !== pollId) : [];
       writeStoredAuth(stateFile, {
         ...previous,
         pendingDevice: null,
+        pendingDevices: remaining,
         updatedAt: new Date().toISOString()
       });
     }
   };
 }
+function createGitHubAuthStore(projectRoot) {
+  return createGitHubAuthStoreFromStateFile(resolveGitHubAuthStateFile(projectRoot));
+}
 // packages/server/src/server-helpers/github-projects.ts
 function asRecord(value) {
@@ -864,7 +1225,7 @@ var TERMINAL_RUN_STATUSES2 = new Set([
   "needs-attention",
   "stopped"
 ]);
-var ORPHANABLE_LOCAL_RUN_STATUSES = new Set(["preparing", "running"]);
+var RESUMABLE_LOCAL_RUN_STATUSES = new Set(["created", "preparing", "running", "validating", "reviewing"]);
 // packages/server/src/server-helpers/ws-router.ts
 import {
@@ -1046,7 +1407,7 @@ import {
 } from "@rig/runtime/control-plane/remote";
 // packages/server/src/server-helpers/run-steering.ts
-import { dirname as dirname3, resolve as resolve8 } from "path";
+import { dirname as dirname4, resolve as resolve8 } from "path";
 import { existsSync as existsSync5, mkdirSync as mkdirSync4, readFileSync as readFileSync3 } from "fs";
 import { appendJsonlRecord as appendJsonlRecord2, readAuthorityRun as readAuthorityRun7, resolveAuthorityRunDir as resolveAuthorityRunDir4 } from "@rig/runtime/control-plane/authority-files";
 var steeringSequence = 0;
@@ -1133,7 +1494,7 @@ function queueRunSteeringMessage(projectRoot, runId, input) {
     delivered: false
   };
   const path = runSteeringPath(projectRoot, runId);
-  mkdirSync4(dirname3(path), { recursive: true });
+  mkdirSync4(dirname4(path), { recursive: true });
   appendJsonlRecord2(path, entry);
   appendRunTimelineEntry(projectRoot, runId, {
     id: entry.id,
@@ -1170,24 +1531,205 @@ import {
   updateConfiguredTaskSourceTask as updateConfiguredTaskSourceTask2
 } from "@rig/runtime/control-plane/tasks/source-lifecycle";
+// packages/server/src/server-helpers/github-api-session-index.ts
+import { chmodSync as chmodSync3, existsSync as existsSync7, mkdirSync as mkdirSync6, readFileSync as readFileSync5, writeFileSync as writeFileSync6 } from "fs";
+import { dirname as dirname6, resolve as resolve10 } from "path";
+// packages/server/src/server-helpers/github-user-namespace.ts
+import { chmodSync as chmodSync2, existsSync as existsSync6, mkdirSync as mkdirSync5, readFileSync as readFileSync4, writeFileSync as writeFileSync5 } from "fs";
+import { dirname as dirname5, isAbsolute, relative, resolve as resolve9 } from "path";
+function cleanString3(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function sanitizePathSegment(value) {
+  return value.trim().toLowerCase().replace(/[^a-z0-9._-]/g, "-").replace(/^-+|-+$/g, "").slice(0, 96);
+}
+function deriveGitHubUserNamespaceKey(identity) {
+  const userId = cleanString3(identity.userId);
+  if (userId) {
+    const safeId = sanitizePathSegment(userId);
+    if (safeId)
+      return `ghu-${safeId}`;
+  }
+  const login = cleanString3(identity.login);
+  if (login) {
+    const safeLogin = sanitizePathSegment(login);
+    if (safeLogin)
+      return `ghu-login-${safeLogin}`;
+  }
+  throw new Error("GitHub user namespace requires a user id or login");
+}
+function resolveRemoteUserNamespacesRoot(projectRoot) {
+  const explicitRoot = cleanString3(process.env.RIG_REMOTE_USER_NAMESPACE_ROOT);
+  if (explicitRoot)
+    return resolve9(explicitRoot);
+  const stateDir2 = cleanString3(process.env.RIG_STATE_DIR);
+  if (stateDir2)
+    return resolve9(dirname5(resolve9(stateDir2)), "users");
+  return resolve9(projectRoot, ".rig", "users");
+}
+function resolveRemoteUserNamespace(projectRoot, identity) {
+  const key = deriveGitHubUserNamespaceKey(identity);
+  const root = resolve9(resolveRemoteUserNamespacesRoot(projectRoot), key);
+  const stateDir2 = resolve9(root, ".rig", "state");
+  return {
+    key,
+    userId: cleanString3(identity.userId),
+    login: cleanString3(identity.login),
+    root,
+    stateDir: stateDir2,
+    authStateFile: resolve9(stateDir2, "github-auth.json"),
+    metadataFile: resolve9(stateDir2, "user-namespace.json"),
+    checkoutBaseDir: resolve9(root, "remote-checkouts"),
+    snapshotBaseDir: resolve9(root, "remote-snapshots")
+  };
+}
+function serializeRemoteUserNamespace(namespace) {
+  return {
+    key: namespace.key,
+    userId: namespace.userId,
+    login: namespace.login,
+    root: namespace.root,
+    checkoutBaseDir: namespace.checkoutBaseDir,
+    snapshotBaseDir: namespace.snapshotBaseDir
+  };
+}
+function isPathInsideNamespace(namespaceRoot, candidatePath) {
+  const root = resolve9(namespaceRoot);
+  const candidate = resolve9(candidatePath);
+  const rel = relative(root, candidate);
+  return rel === "" || !rel.startsWith("..") && !isAbsolute(rel);
+}
+function writeRemoteUserNamespaceMetadata(namespace) {
+  mkdirSync5(namespace.stateDir, { recursive: true });
+  const previous = (() => {
+    if (!existsSync6(namespace.metadataFile))
+      return null;
+    try {
+      const parsed = JSON.parse(readFileSync4(namespace.metadataFile, "utf8"));
+      return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+    } catch {
+      return null;
+    }
+  })();
+  const now = new Date().toISOString();
+  writeFileSync5(namespace.metadataFile, `${JSON.stringify({
+    key: namespace.key,
+    userId: namespace.userId,
+    login: namespace.login,
+    root: namespace.root,
+    checkoutBaseDir: namespace.checkoutBaseDir,
+    snapshotBaseDir: namespace.snapshotBaseDir,
+    createdAt: typeof previous?.createdAt === "string" ? previous.createdAt : now,
+    updatedAt: now
+  }, null, 2)}
+`, { encoding: "utf8", mode: 384 });
+  try {
+    chmodSync2(namespace.metadataFile, 384);
+  } catch {}
+}
+// packages/server/src/server-helpers/github-api-session-index.ts
+function cleanString4(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function resolveGitHubApiSessionIndexFile(projectRoot) {
+  return resolve10(resolveRemoteUserNamespacesRoot(projectRoot), ".api-sessions.json");
+}
+function parseEntry(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value))
+    return null;
+  const record = value;
+  const token = cleanString4(record.token);
+  const namespaceKey = cleanString4(record.namespaceKey);
+  const namespaceRoot = cleanString4(record.namespaceRoot);
+  const authStateFile = cleanString4(record.authStateFile);
+  const checkoutBaseDir = cleanString4(record.checkoutBaseDir);
+  const snapshotBaseDir = cleanString4(record.snapshotBaseDir);
+  const createdAt = cleanString4(record.createdAt);
+  if (!token || !namespaceKey || !namespaceRoot || !authStateFile || !checkoutBaseDir || !snapshotBaseDir || !createdAt)
+    return null;
+  return {
+    token,
+    namespaceKey,
+    namespaceRoot,
+    authStateFile,
+    checkoutBaseDir,
+    snapshotBaseDir,
+    createdAt,
+    login: cleanString4(record.login),
+    userId: cleanString4(record.userId),
+    selectedRepo: cleanString4(record.selectedRepo)
+  };
+}
+function readIndex(indexFile) {
+  if (!existsSync7(indexFile))
+    return [];
+  try {
+    const parsed = JSON.parse(readFileSync5(indexFile, "utf8"));
+    return Array.isArray(parsed.sessions) ? parsed.sessions.flatMap((entry) => {
+      const parsedEntry = parseEntry(entry);
+      return parsedEntry ? [parsedEntry] : [];
+    }) : [];
+  } catch {
+    return [];
+  }
+}
+function writeIndex(indexFile, sessions) {
+  mkdirSync6(dirname6(indexFile), { recursive: true });
+  writeFileSync6(indexFile, `${JSON.stringify({ sessions }, null, 2)}
+`, { encoding: "utf8", mode: 384 });
+  try {
+    chmodSync3(indexFile, 384);
+  } catch {}
+}
+function registerGitHubApiSession(input) {
+  const cleanToken = cleanString4(input.token);
+  if (!cleanToken)
+    throw new Error("GitHub API session token is required");
+  const indexFile = resolveGitHubApiSessionIndexFile(input.projectRoot);
+  const createdAt = new Date().toISOString();
+  const entry = {
+    token: cleanToken,
+    login: input.namespace.login,
+    userId: input.namespace.userId,
+    namespaceKey: input.namespace.key,
+    namespaceRoot: input.namespace.root,
+    authStateFile: input.namespace.authStateFile,
+    checkoutBaseDir: input.namespace.checkoutBaseDir,
+    snapshotBaseDir: input.namespace.snapshotBaseDir,
+    selectedRepo: cleanString4(input.selectedRepo),
+    createdAt
+  };
+  const previous = readIndex(indexFile).filter((session) => session.token !== cleanToken);
+  writeIndex(indexFile, [...previous.slice(-199), entry]);
+  return entry;
+}
+function readGitHubApiSession(input) {
+  const cleanToken = cleanString4(input.token);
+  if (!cleanToken)
+    return null;
+  return readIndex(resolveGitHubApiSessionIndexFile(input.projectRoot)).find((entry) => entry.token === cleanToken) ?? null;
+}
 // packages/server/src/server-helpers/project-registry.ts
-import { createHash } from "crypto";
+import { createHash as createHash2 } from "crypto";
 import { spawnSync } from "child_process";
-import { existsSync as existsSync6, mkdirSync as mkdirSync5, readFileSync as readFileSync4, readdirSync, writeFileSync as writeFileSync5 } from "fs";
-import { dirname as dirname4, resolve as resolve9 } from "path";
+import { existsSync as existsSync8, mkdirSync as mkdirSync7, readFileSync as readFileSync6, readdirSync, writeFileSync as writeFileSync7 } from "fs";
+import { dirname as dirname7, resolve as resolve11 } from "path";
 function normalizeRepoSlug(value) {
   const trimmed = value.trim();
   return /^[^/\s]+\/[^/\s]+$/.test(trimmed) ? trimmed : null;
 }
 function registryPath(projectRoot) {
-  return resolve9(projectRoot, ".rig", "state", "projects.json");
+  return resolve11(projectRoot, ".rig", "state", "projects.json");
 }
 function readRegistry(projectRoot) {
   const path = registryPath(projectRoot);
-  if (!existsSync6(path))
+  if (!existsSync8(path))
     return {};
   try {
-    const payload = JSON.parse(readFileSync4(path, "utf8"));
+    const payload = JSON.parse(readFileSync6(path, "utf8"));
     if (!payload || typeof payload !== "object" || Array.isArray(payload))
       return {};
     const projects = payload.projects;
@@ -1198,14 +1740,14 @@ function readRegistry(projectRoot) {
 }
 function writeRegistry(projectRoot, projects) {
   const path = registryPath(projectRoot);
-  mkdirSync5(dirname4(path), { recursive: true });
-  writeFileSync5(path, `${JSON.stringify({ projects }, null, 2)}
+  mkdirSync7(dirname7(path), { recursive: true });
+  writeFileSync7(path, `${JSON.stringify({ projects }, null, 2)}
 `, "utf8");
 }
 function resolveConfigPath(projectRoot) {
   for (const name of ["rig.config.ts", "rig.config.mts", "rig.config.json"]) {
-    const path = resolve9(projectRoot, name);
-    if (existsSync6(path))
+    const path = resolve11(projectRoot, name);
+    if (existsSync8(path))
       return path;
   }
   return null;
@@ -1214,7 +1756,7 @@ function hashFile(path) {
   if (!path)
     return null;
   try {
-    return createHash("sha256").update(readFileSync4(path)).digest("hex");
+    return createHash2("sha256").update(readFileSync6(path)).digest("hex");
   } catch {
     return null;
   }
@@ -1230,11 +1772,11 @@ function readDefaultBranch(projectRoot) {
   return head.status === 0 && head.stdout.trim() && head.stdout.trim() !== "HEAD" ? head.stdout.trim() : null;
 }
 function buildRunSummary(projectRoot) {
-  const runsDir = resolve9(projectRoot, ".rig", "runs");
+  const runsDir = resolve11(projectRoot, ".rig", "runs");
   try {
     const runs = readdirSync(runsDir, { withFileTypes: true }).filter((entry) => entry.isDirectory()).flatMap((entry) => {
       try {
-        const run = JSON.parse(readFileSync4(resolve9(runsDir, entry.name, "run.json"), "utf8"));
+        const run = JSON.parse(readFileSync6(resolve11(runsDir, entry.name, "run.json"), "utf8"));
         return [{ runId: typeof run.runId === "string" ? run.runId : entry.name, status: typeof run.status === "string" ? run.status : "unknown", updatedAt: typeof run.updatedAt === "string" ? run.updatedAt : "" }];
       } catch {
         return [];
@@ -1286,10 +1828,14 @@ function upsertProjectRecord(projectRoot, input) {
 function linkProjectCheckout(projectRoot, repoSlug, checkout) {
   return upsertProjectRecord(projectRoot, { repoSlug, checkout });
 }
+function projectRegistryContainsCheckout(projectRoot, checkoutPath) {
+  const target = resolve11(checkoutPath);
+  return Object.values(readRegistry(projectRoot)).some((project) => project.checkouts.some((checkout) => checkout.path ? resolve11(checkout.path) === target : false));
+}
 // packages/server/src/server-helpers/remote-checkout.ts
-import { existsSync as existsSync7, mkdirSync as mkdirSync6, writeFileSync as writeFileSync6 } from "fs";
-import { dirname as dirname5, isAbsolute, relative, resolve as resolve10 } from "path";
+import { existsSync as existsSync9, mkdirSync as mkdirSync8, writeFileSync as writeFileSync8 } from "fs";
+import { dirname as dirname8, isAbsolute as isAbsolute2, relative as relative2, resolve as resolve12 } from "path";
 function safeSlugSegments(repoSlug) {
   const segments = repoSlug.split("/").map((part) => part.trim()).filter(Boolean);
   if (segments.length !== 2 || segments.some((segment) => segment === "." || segment === ".." || segment.includes("\\"))) {
@@ -1306,7 +1852,7 @@ function safeCheckoutKey(value) {
 }
 function repoSlugPath(baseDir, repoSlug, checkoutKey) {
   const key = safeCheckoutKey(checkoutKey);
-  return resolve10(baseDir, ...key ? [key] : [], ...safeSlugSegments(repoSlug));
+  return resolve12(baseDir, ...key ? [key] : [], ...safeSlugSegments(repoSlug));
 }
 function sanitizeSnapshotId(value, fallback) {
   const raw = (value ?? fallback).trim();
@@ -1314,7 +1860,7 @@ function sanitizeSnapshotId(value, fallback) {
   return safe || fallback;
 }
 function assertWithinRoot(root, relativePath) {
-  if (!relativePath || isAbsolute(relativePath) || relativePath.includes("\x00")) {
+  if (!relativePath || isAbsolute2(relativePath) || relativePath.includes("\x00")) {
     throw new Error(`Invalid snapshot file path: ${relativePath}`);
   }
   const normalizedRelative = relativePath.replace(/\\/g, "/");
@@ -1322,9 +1868,9 @@ function assertWithinRoot(root, relativePath) {
   if (segments.some((segment) => segment === "" || segment === "." || segment === "..")) {
     throw new Error(`Unsafe snapshot file path: ${relativePath}`);
   }
-  const target = resolve10(root, ...segments);
-  const rel = relative(root, target);
-  if (rel === ".." || rel.split(/[\\/]/)[0] === ".." || isAbsolute(rel)) {
+  const target = resolve12(root, ...segments);
+  const rel = relative2(root, target);
+  if (rel === ".." || rel.split(/[\\/]/)[0] === ".." || isAbsolute2(rel)) {
     throw new Error(`Snapshot file path escapes checkout root: ${relativePath}`);
   }
   return target;
@@ -1342,17 +1888,17 @@ function parseSnapshotArchiveContentBase64(contentBase64) {
 function extractUploadedSnapshotArchive(input) {
   const archive = decodeSnapshotArchive(input.archive);
   const snapshotId = sanitizeSnapshotId(input.snapshotId, `snapshot-${(input.now?.() ?? new Date).toISOString().replace(/[:.]/g, "-")}`);
-  const checkoutPath = resolve10(repoSlugPath(input.baseDir, input.repoSlug, input.checkoutKey), snapshotId);
-  mkdirSync6(checkoutPath, { recursive: true });
+  const checkoutPath = resolve12(repoSlugPath(input.baseDir, input.repoSlug, input.checkoutKey), snapshotId);
+  mkdirSync8(checkoutPath, { recursive: true });
   for (const file of archive.files) {
     if (!file || typeof file.path !== "string" || typeof file.contentBase64 !== "string") {
       throw new Error("Invalid snapshot archive file entry");
     }
     const target = assertWithinRoot(checkoutPath, file.path);
-    mkdirSync6(dirname5(target), { recursive: true });
-    writeFileSync6(target, Buffer.from(file.contentBase64, "base64"));
+    mkdirSync8(dirname8(target), { recursive: true });
+    writeFileSync8(target, Buffer.from(file.contentBase64, "base64"));
   }
-  writeFileSync6(resolve10(checkoutPath, ".rig-uploaded-snapshot.json"), `${JSON.stringify({
+  writeFileSync8(resolve12(checkoutPath, ".rig-uploaded-snapshot.json"), `${JSON.stringify({
     repoSlug: input.repoSlug,
     snapshotId,
     fileCount: archive.files.length,
@@ -1387,7 +1933,7 @@ function gitCredentialConfig(token) {
   };
 }
 async function prepareRemoteCheckout(input) {
-  const exists = input.exists ?? existsSync7;
+  const exists = input.exists ?? existsSync9;
   const strategy = input.strategy;
   if (strategy.kind === "uploaded-snapshot") {
     return extractUploadedSnapshotArchive({
@@ -1399,7 +1945,7 @@ async function prepareRemoteCheckout(input) {
     });
   }
   if (strategy.kind === "existing-path") {
-    const checkoutPath2 = resolve10(strategy.path);
+    const checkoutPath2 = resolve12(strategy.path);
     if (!exists(checkoutPath2)) {
       throw new Error(`Existing remote checkout path does not exist: ${checkoutPath2}`);
     }
@@ -1435,9 +1981,9 @@ function buildServerControlStatus() {
   };
 }
 function buildProjectConfigStatus(root) {
-  const hasConfigTs = existsSync8(resolve11(root, "rig.config.ts"));
-  const hasConfigJson = existsSync8(resolve11(root, "rig.config.json"));
-  const hasLegacyTaskConfig = existsSync8(resolve11(root, ".rig", "task-config.json"));
+  const hasConfigTs = existsSync10(resolve13(root, "rig.config.ts"));
+  const hasConfigJson = existsSync10(resolve13(root, "rig.config.json"));
+  const hasLegacyTaskConfig = existsSync10(resolve13(root, ".rig", "task-config.json"));
   let kind = "missing";
   if (hasConfigTs)
     kind = "rig-config-ts";
@@ -1461,10 +2007,10 @@ function normalizeCommit(value) {
 function asPlainRecord(value) {
   return value && typeof value === "object" && !Array.isArray(value) ? value : null;
 }
-var RIG_CONFIG_PACKAGE_VERSION = "0.0.6-alpha.1";
+var RIG_CONFIG_PACKAGE_DIST_TAG = "latest";
 var RIG_CONFIG_DEV_DEPENDENCIES = {
-  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_VERSION}`,
-  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_VERSION}`
+  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_DIST_TAG}`,
+  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_DIST_TAG}`
 };
 function repoParts(repoSlug) {
   const [owner, repo] = repoSlug.split("/");
@@ -1473,24 +2019,24 @@ function repoParts(repoSlug) {
   return { owner, repo, slug: `${owner}/${repo}` };
 }
 function repairDir(checkoutPath) {
-  const dir = resolve11(checkoutPath, ".rig", "state", "repairs", new Date().toISOString().replace(/[:.]/g, "-"));
-  mkdirSync7(dir, { recursive: true });
+  const dir = resolve13(checkoutPath, ".rig", "state", "repairs", new Date().toISOString().replace(/[:.]/g, "-"));
+  mkdirSync9(dir, { recursive: true });
   return dir;
 }
 function backupCheckoutFile(checkoutPath, relativePath) {
-  const source = resolve11(checkoutPath, relativePath);
-  const backupPath = resolve11(repairDir(checkoutPath), relativePath.replace(/[\\/]/g, "__"));
-  mkdirSync7(dirname6(backupPath), { recursive: true });
-  copyFileSync(source, backupPath);
+  const source = resolve13(checkoutPath, relativePath);
+  const backupPath = resolve13(repairDir(checkoutPath), relativePath.replace(/[\\/]/g, "__"));
+  mkdirSync9(dirname9(backupPath), { recursive: true });
+  copyFileSync2(source, backupPath);
   return backupPath;
 }
 function parsePackageJsonLosslessly(checkoutPath) {
-  const packagePath = resolve11(checkoutPath, "package.json");
-  if (!existsSync8(packagePath)) {
+  const packagePath = resolve13(checkoutPath, "package.json");
+  if (!existsSync10(packagePath)) {
     return { existed: false, packageJson: { name: basename(checkoutPath) || "rig-project", private: true } };
   }
   try {
-    const parsed = JSON.parse(readFileSync5(packagePath, "utf8"));
+    const parsed = JSON.parse(readFileSync7(packagePath, "utf8"));
     return {
       existed: true,
       packageJson: parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : { name: basename(checkoutPath) || "rig-project", private: true }
@@ -1504,9 +2050,9 @@ function parsePackageJsonLosslessly(checkoutPath) {
   }
 }
 function ensureRemoteCheckoutRigPackageDeps(checkoutPath) {
-  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync8(resolve11(checkoutPath, name)));
-  const packagePath = resolve11(checkoutPath, "package.json");
-  if (!hasConfig && !existsSync8(packagePath)) {
+  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync10(resolve13(checkoutPath, name)));
+  const packagePath = resolve13(checkoutPath, "package.json");
+  if (!hasConfig && !existsSync10(packagePath)) {
     return { skipped: true, reason: "package.json and rig.config missing" };
   }
   const parsed = parsePackageJsonLosslessly(checkoutPath);
@@ -1525,7 +2071,7 @@ function ensureRemoteCheckoutRigPackageDeps(checkoutPath) {
   }
   const changed = !parsed.existed || Boolean(parsed.backupPath) || added.length > 0 || updated.length > 0 || existingDevDependencies !== devDependencies && (!existingDevDependencies || typeof existingDevDependencies !== "object" || Array.isArray(existingDevDependencies));
   if (changed) {
-    writeFileSync7(packagePath, `${JSON.stringify({ ...parsed.packageJson, devDependencies }, null, 2)}
+    writeFileSync9(packagePath, `${JSON.stringify({ ...parsed.packageJson, devDependencies }, null, 2)}
 `, "utf8");
   }
   return {
@@ -1551,11 +2097,11 @@ function configLooksStructurallyUsable(source) {
   return /taskSource\s*:/.test(source) && /workspace\s*:/.test(source) && /project\s*:/.test(source);
 }
 function ensureRemoteCheckoutRigConfig(checkoutPath, repoSlug, reason = "missing or incomplete rig config") {
-  const configPath = resolve11(checkoutPath, "rig.config.ts");
-  const existingConfigName = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync8(resolve11(checkoutPath, name)));
+  const configPath = resolve13(checkoutPath, "rig.config.ts");
+  const existingConfigName = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync10(resolve13(checkoutPath, name)));
   if (existingConfigName) {
-    const existingPath = resolve11(checkoutPath, existingConfigName);
-    const source = readFileSync5(existingPath, "utf8");
+    const existingPath = resolve13(checkoutPath, existingConfigName);
+    const source = readFileSync7(existingPath, "utf8");
     if (existingConfigName !== "rig.config.json" && configLooksStructurallyUsable(source)) {
       return { path: existingPath, changed: false, reason: "config structurally complete" };
     }
@@ -1569,7 +2115,7 @@ function ensureRemoteCheckoutRigConfig(checkoutPath, repoSlug, reason = "missing
     }
   }
   const backupPath = existingConfigName ? backupCheckoutFile(checkoutPath, existingConfigName) : undefined;
-  writeFileSync7(configPath, generatedRigConfigSource(repoSlug), "utf8");
+  writeFileSync9(configPath, generatedRigConfigSource(repoSlug), "utf8");
   return {
     path: configPath,
     changed: true,
@@ -1578,7 +2124,7 @@ function ensureRemoteCheckoutRigConfig(checkoutPath, repoSlug, reason = "missing
   };
 }
 function validateRemoteCheckoutRigConfig(checkoutPath) {
-  const configFile = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync8(resolve11(checkoutPath, name)));
+  const configFile = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync10(resolve13(checkoutPath, name)));
   if (!configFile)
     return { ok: false, error: "missing rig config" };
   if (process.env.RIG_TEST_SKIP_REMOTE_CHECKOUT_INSTALL === "1") {
@@ -1600,7 +2146,7 @@ function validateRemoteCheckoutRigConfig(checkoutPath) {
   return { ok: true, configFile };
 }
 function installRemoteCheckoutPackages(checkoutPath) {
-  if (!existsSync8(resolve11(checkoutPath, "package.json"))) {
+  if (!existsSync10(resolve13(checkoutPath, "package.json"))) {
     return { skipped: true, reason: "package.json missing" };
   }
   if (process.env.RIG_TEST_SKIP_REMOTE_CHECKOUT_INSTALL === "1") {
@@ -1613,8 +2159,8 @@ function installRemoteCheckoutPackages(checkoutPath) {
   return { ok: true, command: "bun install", stdout: result.stdout?.trim() || undefined };
 }
 function repairRemoteCheckoutForRig(checkoutPath, repoSlug) {
-  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync8(resolve11(checkoutPath, name)));
-  const hasPackage = existsSync8(resolve11(checkoutPath, "package.json"));
+  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync10(resolve13(checkoutPath, name)));
+  const hasPackage = existsSync10(resolve13(checkoutPath, "package.json"));
   if (!hasConfig && !hasPackage) {
     return {
       packageJson: { skipped: true, reason: "package.json and rig.config missing" },
@@ -1712,26 +2258,26 @@ function buildRemoteRunLogEntry(body, identifiers) {
 }
 function readGitHeadCommit(projectRoot) {
   try {
-    let gitDir = resolve11(projectRoot, ".git");
+    let gitDir = resolve13(projectRoot, ".git");
     try {
-      const dotGit = readFileSync5(gitDir, "utf8").trim();
+      const dotGit = readFileSync7(gitDir, "utf8").trim();
       const gitDirPrefix = "gitdir:";
       if (dotGit.startsWith(gitDirPrefix)) {
-        gitDir = resolve11(projectRoot, dotGit.slice(gitDirPrefix.length).trim());
+        gitDir = resolve13(projectRoot, dotGit.slice(gitDirPrefix.length).trim());
       }
     } catch {}
-    const head = readFileSync5(resolve11(gitDir, "HEAD"), "utf8").trim();
+    const head = readFileSync7(resolve13(gitDir, "HEAD"), "utf8").trim();
     const refPrefix = "ref:";
     if (!head.startsWith(refPrefix)) {
       return normalizeCommit(head);
     }
     const ref = head.slice(refPrefix.length).trim();
-    const refPath = resolve11(gitDir, ref);
-    if (existsSync8(refPath)) {
-      return normalizeCommit(readFileSync5(refPath, "utf8").trim());
+    const refPath = resolve13(gitDir, ref);
+    if (existsSync10(refPath)) {
+      return normalizeCommit(readFileSync7(refPath, "utf8").trim());
     }
-    const commonDir = normalizeString(readFileSync5(resolve11(gitDir, "commondir"), "utf8"));
-    return commonDir ? normalizeCommit(readFileSync5(resolve11(gitDir, commonDir, ref), "utf8").trim()) : null;
+    const commonDir = normalizeString(readFileSync7(resolve13(gitDir, "commondir"), "utf8"));
+    return commonDir ? normalizeCommit(readFileSync7(resolve13(gitDir, commonDir, ref), "utf8").trim()) : null;
   } catch {
     return null;
   }
@@ -1769,9 +2315,9 @@ function configuredRepoFromTaskSource(taskSource) {
   const repo = normalizeString(taskSource?.repo);
   return owner && repo ? `${owner}/${repo}` : null;
 }
-async function buildTaskSourceStatus(state, config) {
+async function buildTaskSourceStatus(state, config, requestAuth) {
   const diagnostics = state.snapshotService.getTaskSourceErrors();
-  const selectedRepo = createGitHubAuthStore(state.projectRoot).status({
+  const selectedRepo = requestScopedAuthStore(state.projectRoot, requestAuth).status({
     oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim())
   }).selectedRepo;
   try {
@@ -1818,36 +2364,134 @@ function bearerTokenFromRequest(req) {
 function isLoopbackRequest(req) {
   try {
     const hostname = new URL(req.url).hostname.toLowerCase();
-    return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1" || hostname === "[::1]";
+    return hostname === "localhost" || hostname === "rig.local" || hostname.endsWith(".localhost") || hostname === "127.0.0.1" || hostname === "::1" || hostname === "[::1]";
   } catch {
     return false;
   }
 }
 function isPublicRigAuthBootstrapRoute(pathname) {
-  return pathname === "/" || pathname === "/health" || pathname === "/api/health" || pathname === "/api/server/status" || pathname === "/api/github/auth/status" || pathname === "/api/github/auth/token" || pathname === "/api/github/auth/device/start" || pathname === "/api/github/auth/device/poll";
+  return pathname === "/" || pathname === "/install" || pathname === "/health" || pathname === "/api/health" || pathname === "/api/github/auth/status" || pathname === "/api/github/auth/token" || pathname === "/api/github/auth/device/start" || pathname === "/api/github/auth/device/poll";
+}
+function buildRigInstallScript() {
+  return `#!/usr/bin/env bash
+set -euo pipefail
+say() {
+  printf 'rig-install: %s
+' "$*"
+}
+if ! command -v bun >/dev/null 2>&1; then
+  say "Bun not found; installing Bun first"
+  curl -fsSL https://bun.sh/install | bash
+  export BUN_INSTALL="\${BUN_INSTALL:-$HOME/.bun}"
+  export PATH="$BUN_INSTALL/bin:$PATH"
+fi
+if ! command -v bun >/dev/null 2>&1; then
+  printf 'rig-install: bun install completed, but bun is still not on PATH. Add ~/.bun/bin to PATH and retry.
+' >&2
+  exit 1
+fi
+say "Installing @h-rig/cli@latest"
+bun add -g @h-rig/cli@latest
+export BUN_INSTALL="\${BUN_INSTALL:-$HOME/.bun}"
+export PATH="$BUN_INSTALL/bin:$PATH"
+if ! command -v rig >/dev/null 2>&1; then
+  printf 'rig-install: rig installed, but rig is not on PATH. Add %s/bin to PATH and retry.
+' "$BUN_INSTALL" >&2
+  exit 1
+fi
+say "Verifying rig"
+rig --help >/dev/null
+say "Done. Run: rig --help"
+`;
 }
 function normalizePrMode(value) {
   const mode = normalizeString(value);
   return mode === "auto" || mode === "ask" || mode === "off" ? mode : undefined;
 }
+function requestAuthResult(input) {
+  return {
+    authorized: input.authorized,
+    actor: input.actor ?? null,
+    reason: input.reason,
+    login: input.login ?? null,
+    userId: input.userId ?? null,
+    userNamespace: input.userNamespace ?? null,
+    authStateFile: input.authStateFile ?? null
+  };
+}
+function namespaceFromSessionIndex(entry) {
+  const stateDir2 = dirname9(entry.authStateFile);
+  return {
+    key: entry.namespaceKey,
+    userId: entry.userId,
+    login: entry.login,
+    root: entry.namespaceRoot,
+    stateDir: stateDir2,
+    authStateFile: entry.authStateFile,
+    metadataFile: resolve13(stateDir2, "user-namespace.json"),
+    checkoutBaseDir: entry.checkoutBaseDir,
+    snapshotBaseDir: entry.snapshotBaseDir
+  };
+}
 function authorizeRigHttpRequest(input) {
   if (input.legacyAuthorized) {
-    return { authorized: true, actor: "rig-local-server", reason: "server-token" };
+    return requestAuthResult({ authorized: true, actor: "rig-local-server", reason: "server-token" });
   }
   const bearer = bearerTokenFromRequest(input.req);
   const store = createGitHubAuthStore(input.projectRoot);
   const storedToken = store.readToken();
+  const session = bearer ? store.readApiSession(bearer) : null;
+  if (session) {
+    return requestAuthResult({
+      authorized: true,
+      actor: session.login ?? "github-operator",
+      reason: "github-session",
+      login: session.login,
+      userId: session.userId,
+      authStateFile: store.stateFile
+    });
+  }
   if (bearer && storedToken && bearer === storedToken) {
     const status = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
-    return { authorized: true, actor: status.login ?? "github-operator", reason: "github-token" };
+    return requestAuthResult({
+      authorized: true,
+      actor: status.login ?? "github-operator",
+      reason: "github-token",
+      login: status.login,
+      userId: status.userId,
+      authStateFile: store.stateFile
+    });
+  }
+  const indexedSession = readGitHubApiSession({ projectRoot: input.projectRoot, token: bearer });
+  if (indexedSession) {
+    const userNamespace = namespaceFromSessionIndex(indexedSession);
+    return requestAuthResult({
+      authorized: true,
+      actor: indexedSession.login ?? "github-operator",
+      reason: "github-user-session",
+      login: indexedSession.login,
+      userId: indexedSession.userId,
+      userNamespace,
+      authStateFile: indexedSession.authStateFile
+    });
   }
   if (isPublicRigAuthBootstrapRoute(input.pathname)) {
-    return { authorized: true, actor: null, reason: "public-bootstrap" };
+    return requestAuthResult({ authorized: true, actor: null, reason: "public-bootstrap" });
   }
-  if (!input.serverAuthToken && !storedToken && isLoopbackRequest(input.req)) {
-    return { authorized: true, actor: null, reason: "loopback-dev-no-auth" };
+  if (!input.serverAuthToken && !storedToken) {
+    if (isLoopbackRequest(input.req)) {
+      return requestAuthResult({ authorized: true, actor: null, reason: "loopback-dev-no-auth" });
+    }
+    return requestAuthResult({ authorized: false, actor: null, reason: "auth-required" });
   }
-  return { authorized: false, actor: null, reason: storedToken ? "github-token-required" : "auth-required" };
+  return requestAuthResult({ authorized: false, actor: null, reason: storedToken ? "github-token-required" : "auth-required" });
 }
 async function fetchGitHubUserInfo(token) {
   const response = await fetch("https://api.github.com/user", {
@@ -1867,6 +2511,67 @@ async function fetchGitHubUserInfo(token) {
     scopes: cleanHeaderScopes(response.headers.get("x-oauth-scopes"))
   };
 }
+function shouldWriteRootAuthCompat(projectRoot) {
+  if (process.env.RIG_REMOTE_USER_NAMESPACE_ROOT?.trim())
+    return false;
+  const stateDir2 = normalizeString(process.env.RIG_STATE_DIR);
+  if (!stateDir2)
+    return true;
+  return resolve13(stateDir2) === resolve13(projectRoot, ".rig", "state");
+}
+function requestScopedRegistryRoot(stateProjectRoot, requestAuth) {
+  return requestAuth.userNamespace?.root ?? stateProjectRoot;
+}
+function requestScopedAuthStore(stateProjectRoot, requestAuth) {
+  return requestAuth.authStateFile ? createGitHubAuthStoreFromStateFile(requestAuth.authStateFile) : createGitHubAuthStore(stateProjectRoot);
+}
+function userNamespaceResponse(namespace) {
+  return namespace ? serializeRemoteUserNamespace(namespace) : undefined;
+}
+function resolveNamespacedBaseDir(input) {
+  if (input.explicitBaseDir)
+    return input.explicitBaseDir;
+  const envBase = normalizeString(process.env[input.envName]);
+  if (input.userNamespace) {
+    return envBase ? resolve13(envBase, input.userNamespace.key) : input.userNamespace[input.legacySubdir === "remote-checkouts" ? "checkoutBaseDir" : "snapshotBaseDir"];
+  }
+  return envBase ?? (normalizeString(process.env.RIG_STATE_DIR) ? resolve13(normalizeString(process.env.RIG_STATE_DIR), input.legacySubdir) : resolve13(input.legacyProjectRoot, ".rig", input.legacySubdir));
+}
+function explicitCheckoutKey(body, checkoutInput, requestAuth) {
+  return normalizeString(body.checkoutKey) ?? normalizeString(checkoutInput.checkoutKey) ?? normalizeString(checkoutInput.key) ?? (requestAuth.userNamespace ? undefined : "default");
+}
+function saveGitHubTokenForRemoteUser(input) {
+  const namespace = resolveRemoteUserNamespace(input.projectRoot, { userId: input.user.userId, login: input.user.login });
+  writeRemoteUserNamespaceMetadata(namespace);
+  const store = createGitHubAuthStoreFromStateFile(namespace.authStateFile);
+  store.saveToken({
+    token: input.token,
+    tokenSource: input.tokenSource,
+    login: input.user.login,
+    userId: input.user.userId,
+    scopes: input.user.scopes,
+    selectedRepo: input.selectedRepo
+  });
+  const apiSession = store.createApiSession();
+  registerGitHubApiSession({ projectRoot: input.projectRoot, token: apiSession.token, namespace, selectedRepo: input.selectedRepo });
+  const requestedRoot = normalizeString(input.requestedProjectRoot);
+  if (requestedRoot && isAbsolute3(requestedRoot) && existsSync10(resolve13(requestedRoot))) {
+    copyGitHubAuthStateToLocalProjectRoot(namespace.authStateFile, resolve13(requestedRoot));
+  }
+  if (shouldWriteRootAuthCompat(input.projectRoot)) {
+    const rootStore = createGitHubAuthStore(input.projectRoot);
+    rootStore.saveToken({
+      token: input.token,
+      tokenSource: input.tokenSource,
+      login: input.user.login,
+      userId: input.user.userId,
+      scopes: input.user.scopes,
+      selectedRepo: input.selectedRepo
+    });
+    rootStore.createApiSession();
+  }
+  return { store, namespace, apiSessionToken: apiSession.token };
+}
 async function postGitHubForm(endpoint, body) {
   const response = await fetch(endpoint, {
     method: "POST",
@@ -1884,11 +2589,11 @@ function resolveRequestedProjectRoot(currentRoot, rawRoot) {
   const requestedRoot = normalizeString(rawRoot);
   if (!requestedRoot)
     return currentRoot;
-  if (!isAbsolute2(requestedRoot)) {
+  if (!isAbsolute3(requestedRoot)) {
     throw new Error("projectRoot must be an absolute path on the Rig server host");
   }
-  const normalizedRoot = resolve11(requestedRoot);
-  if (!existsSync8(normalizedRoot)) {
+  const normalizedRoot = resolve13(requestedRoot);
+  if (!existsSync10(normalizedRoot)) {
     throw new Error("projectRoot does not exist on the Rig server host");
   }
   return normalizedRoot;
@@ -2076,7 +2781,7 @@ function selectNextWorkspaceTask(projectRoot, tasks) {
   if (runnable.length === 0)
     return null;
   const queue = readQueueState(projectRoot);
-  const queueRank = new Map(queue.map((entry, index) => [entry.taskId, { score: entry.score, position: index }]));
+  const queueRank = new Map(queue.map((entry, index) => [String(entry.taskId), { score: entry.score, position: index }]));
   return runnable.toSorted((left, right) => {
     const leftId = taskIdOf(left) ?? "";
     const rightId = taskIdOf(right) ?? "";
@@ -2116,6 +2821,27 @@ function filterWorkspaceTasks(projectRoot, tasks, searchParams) {
   }
   return filtered;
 }
+function issueAnalysisTargetFor(source) {
+  if (!source)
+    return null;
+  const candidate = source;
+  if (typeof candidate.updateTask !== "function")
+    return null;
+  return {
+    ...typeof candidate.get === "function" ? { get: candidate.get.bind(candidate) } : {},
+    updateTask: candidate.updateTask.bind(candidate),
+    ...typeof candidate.addLabels === "function" ? { addLabels: candidate.addLabels.bind(candidate) } : {},
+    ...typeof candidate.removeLabels === "function" ? { removeLabels: candidate.removeLabels.bind(candidate) } : {},
+    ...typeof candidate.createIssue === "function" ? { createIssue: candidate.createIssue.bind(candidate) } : {}
+  };
+}
+function uniqueStringList(value) {
+  const raw = Array.isArray(value) ? value : typeof value === "string" ? [value] : [];
+  return [...new Set(raw.map((entry) => String(entry).trim()).filter(Boolean))];
+}
+function taskRecordId(task) {
+  return String(task.id ?? "");
+}
 function redactRemoteEndpoint(endpoint) {
   const { token, ...rest } = endpoint;
   return {
@@ -2200,9 +2926,16 @@ function createRigServerFetch(state, deps) {
             notifications: state.targets.length
           });
         }
+        if (url.pathname === "/install" && req.method === "GET") {
+          return new Response(buildRigInstallScript(), {
+            headers: {
+              "Content-Type": "text/x-shellscript; charset=utf-8"
+            }
+          });
+        }
         const isLinearWebhook = url.pathname === "/api/linear/webhook" && req.method === "POST";
         const isInspectorStream = url.pathname === "/api/inspector/stream" && req.method === "GET";
-        const legacyAuthorizedHttpRequest = isInspectorStream && isAuthorizedInspectorStreamRequest(req, state.authToken) ? true : deps.isAuthorizedHttpRequest(req, state.authToken);
+        const legacyAuthorizedHttpRequest = Boolean(state.authToken) && (isInspectorStream && isAuthorizedInspectorStreamRequest(req, state.authToken) ? true : deps.isAuthorizedHttpRequest(req, state.authToken));
         const requestAuth = authorizeRigHttpRequest({
           req,
           pathname: url.pathname,
@@ -2458,9 +3191,70 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             note: "GitHub issue lifecycle labels are created on demand by the configured task source when supported."
           });
         }
+        if (url.pathname === "/api/workspace/issue-analysis/run" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const ids = uniqueStringList(body.ids ?? body.id);
+          const analyzeAll = deps.isTruthyQuery(String(body.all ?? ""));
+          if (ids.length === 0 && !analyzeAll) {
+            return deps.badRequest("ids is required unless all=true");
+          }
+          const ctx = await getCachedPluginHostContext(state.projectRoot);
+          const [source] = ctx?.taskSourceRegistry.list() ?? [];
+          const target = issueAnalysisTargetFor(source);
+          if (!source || !target) {
+            return deps.badRequest("Configured task source does not support issue-analysis writeback");
+          }
+          const allTasks = [...await source.list()];
+          const issues = analyzeAll ? allTasks.slice(0, Math.max(1, Math.min(25, Number(body.limit ?? 25) || 25))) : (await Promise.all(ids.map(async (id) => {
+            const cached = allTasks.find((task) => taskRecordId(task) === id);
+            if (cached)
+              return cached;
+            return typeof source.get === "function" ? await source.get(id) : undefined;
+          }))).filter((task) => Boolean(task));
+          if (issues.length === 0) {
+            return deps.jsonResponse({ ok: false, error: "No matching issues found for issue analysis", ids }, 404);
+          }
+          const config = ctx?.config && typeof ctx.config === "object" ? ctx.config : {};
+          const issueAnalysis = config.issueAnalysis && typeof config.issueAnalysis === "object" ? config.issueAnalysis : {};
+          const runtime = config.runtime && typeof config.runtime === "object" ? config.runtime : {};
+          const model = normalizeString(issueAnalysis.model) ?? normalizeString(runtime.model);
+          const service = createIssueAnalysisService({
+            analyzer: createPiIssueAnalyzer({
+              ...model ? { model } : {},
+              env: { RIG_PROJECT_ROOT: state.projectRoot }
+            }),
+            writeBack: createIssueAnalysisWriteBack({ target })
+          });
+          const reason = normalizeString(body.reason) ?? "http-issue-analysis";
+          let results;
+          try {
+            results = await service.analyze(issues, { reason, neighbors: ids.length > 0 ? issues : allTasks });
+          } catch (error) {
+            return deps.jsonResponse({
+              ok: false,
+              error: `Issue analysis failed: ${error instanceof Error ? error.message : String(error)}`,
+              reason,
+              ids: issues.map((issue) => issue.id)
+            }, 502);
+          }
+          deps.snapshotService.invalidate("issue-analysis-http-run");
+          await state.taskProjectionReconciler?.tick("issue-analysis-http-run").catch(() => {
+            return;
+          });
+          deps.broadcastSnapshotInvalidation(state, "issue-analysis-http-run");
+          return deps.jsonResponse({
+            ok: true,
+            reason,
+            analyzed: results.map((entry) => ({
+              id: entry.issue.id,
+              title: entry.issue.title ?? null,
+              result: entry.result
+            }))
+          });
+        }
         if (url.pathname === "/api/server/status") {
           const config = buildProjectConfigStatus(state.projectRoot);
-          const taskSource = await buildTaskSourceStatus(state, config);
+          const taskSource = await buildTaskSourceStatus(state, config, requestAuth);
           return deps.jsonResponse({
             ok: true,
             projectRoot: state.projectRoot,
@@ -2484,8 +3278,9 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             path: normalizeString(rawCheckout?.path) ?? state.projectRoot,
             ref: normalizeString(rawCheckout?.ref) ?? undefined
           } : undefined;
-          const record = upsertProjectRecord(state.projectRoot, { repoSlug, checkout });
-          return deps.jsonResponse({ ok: true, project: record });
+          const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+          const record = upsertProjectRecord(registryRoot, { repoSlug, checkout });
+          return deps.jsonResponse({ ok: true, project: record, userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
         }
         const snapshotUploadMatch = url.pathname.match(/^\/api\/projects\/(.+?)\/upload-snapshot$/);
         if (snapshotUploadMatch && req.method === "POST") {
@@ -2498,8 +3293,15 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (!archiveContentBase64) {
             return deps.badRequest("archiveContentBase64 is required");
           }
-          const baseDir = normalizeString(body.baseDir) ?? normalizeString(process.env.RIG_REMOTE_SNAPSHOT_BASE_DIR) ?? (normalizeString(process.env.RIG_STATE_DIR) ? resolve11(normalizeString(process.env.RIG_STATE_DIR), "remote-snapshots") : resolve11(state.projectRoot, ".rig", "remote-snapshots"));
-          const checkoutKey = normalizeString(body.checkoutKey) ?? "default";
+          const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+          const baseDir = resolveNamespacedBaseDir({
+            explicitBaseDir: normalizeString(body.baseDir),
+            envName: "RIG_REMOTE_SNAPSHOT_BASE_DIR",
+            userNamespace: requestAuth.userNamespace,
+            legacyProjectRoot: state.projectRoot,
+            legacySubdir: "remote-snapshots"
+          });
+          const checkoutKey = explicitCheckoutKey(body, body, requestAuth);
           try {
             const archive = parseSnapshotArchiveContentBase64(archiveContentBase64);
             const checkout = extractUploadedSnapshotArchive({
@@ -2512,14 +3314,14 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             const checkoutRepair = repairRemoteCheckoutForRig(checkout.path, repoSlug);
             const packageInstall = installRemoteCheckoutPackages(checkout.path);
             const postInstallConfigValidation = validateRemoteCheckoutRigConfig(checkout.path);
-            const project = linkProjectCheckout(state.projectRoot, repoSlug, {
+            const project = linkProjectCheckout(registryRoot, repoSlug, {
               kind: "uploaded-snapshot",
               path: checkout.path,
               ref: checkout.snapshotId
             });
             deps.snapshotService.invalidate("uploaded-snapshot-checkout");
             deps.broadcastSnapshotInvalidation(state, "uploaded-snapshot-checkout");
-            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation });
+            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation, userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
           } catch (error) {
             return deps.jsonResponse({
               ok: false,
@@ -2539,10 +3341,17 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (kind !== "managed-clone" && kind !== "current-ref" && kind !== "existing-path") {
             return deps.jsonResponse({ ok: false, error: "checkout kind must be managed-clone, current-ref, or existing-path" }, 400);
           }
-          const baseDir = normalizeString(body.baseDir) ?? normalizeString(checkoutInput.baseDir) ?? normalizeString(process.env.RIG_REMOTE_CHECKOUT_BASE_DIR) ?? (normalizeString(process.env.RIG_STATE_DIR) ? resolve11(normalizeString(process.env.RIG_STATE_DIR), "remote-checkouts") : resolve11(state.projectRoot, ".rig", "remote-checkouts"));
-          const checkoutKey = normalizeString(body.checkoutKey) ?? normalizeString(checkoutInput.checkoutKey) ?? normalizeString(checkoutInput.key) ?? "default";
+          const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+          const baseDir = resolveNamespacedBaseDir({
+            explicitBaseDir: normalizeString(body.baseDir) ?? normalizeString(checkoutInput.baseDir),
+            envName: "RIG_REMOTE_CHECKOUT_BASE_DIR",
+            userNamespace: requestAuth.userNamespace,
+            legacyProjectRoot: state.projectRoot,
+            legacySubdir: "remote-checkouts"
+          });
+          const checkoutKey = explicitCheckoutKey(body, checkoutInput, requestAuth);
           const repoUrl = normalizeString(body.repoUrl) ?? normalizeString(checkoutInput.repoUrl) ?? `https://github.com/${repoSlug}.git`;
-          const credentialToken = createGitHubAuthStore(state.projectRoot).readToken();
+          const credentialToken = requestScopedAuthStore(state.projectRoot, requestAuth).readToken();
           try {
             const checkout = await prepareRemoteCheckout({
               command: runRemoteCheckoutCommand,
@@ -2551,14 +3360,14 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             const checkoutRepair = repairRemoteCheckoutForRig(checkout.path, repoSlug);
             const packageInstall = installRemoteCheckoutPackages(checkout.path);
             const postInstallConfigValidation = validateRemoteCheckoutRigConfig(checkout.path);
-            const project = linkProjectCheckout(state.projectRoot, repoSlug, {
+            const project = linkProjectCheckout(registryRoot, repoSlug, {
               kind: checkout.kind,
               path: checkout.path,
               ref: checkout.ref ?? checkout.snapshotId ?? undefined
             });
             deps.snapshotService.invalidate("remote-checkout-prepared");
             deps.broadcastSnapshotInvalidation(state, "remote-checkout-prepared");
-            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation });
+            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation, userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
           } catch (error) {
             return deps.jsonResponse({ ok: false, error: error instanceof Error ? error.message : String(error) }, 400);
           }
@@ -2575,16 +3384,18 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             if (kind !== "local" && kind !== "managed-clone" && kind !== "current-ref" && kind !== "uploaded-snapshot" && kind !== "existing-path") {
               return deps.jsonResponse({ ok: false, error: "checkout kind is required" }, 400);
             }
-            const project = linkProjectCheckout(state.projectRoot, repoSlug, {
+            const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+            const project = linkProjectCheckout(registryRoot, repoSlug, {
               kind,
               path: normalizeString(body.path) ?? state.projectRoot,
               ref: normalizeString(body.ref) ?? undefined
             });
-            return deps.jsonResponse({ ok: true, project });
+            return deps.jsonResponse({ ok: true, project, userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
           }
           if (req.method === "GET") {
-            const project = getProjectRecord(state.projectRoot, repoSlug);
-            return project ? deps.jsonResponse({ ok: true, project }) : deps.notFound();
+            const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+            const project = getProjectRecord(registryRoot, repoSlug);
+            return project ? deps.jsonResponse({ ok: true, project, userNamespace: userNamespaceResponse(requestAuth.userNamespace) }) : deps.notFound();
           }
         }
         if (url.pathname === "/api/server/project-root" && req.method === "POST") {
@@ -2593,11 +3404,27 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (!requestedRoot) {
             return deps.badRequest("projectRoot is required");
           }
-          if (!isAbsolute2(requestedRoot)) {
+          if (!isAbsolute3(requestedRoot)) {
             return deps.badRequest("projectRoot must be an absolute path on the Rig server host");
           }
-          const normalizedRoot = resolve11(requestedRoot);
-          const exists = existsSync8(normalizedRoot);
+          const normalizedRoot = resolve13(requestedRoot);
+          const exists = existsSync10(normalizedRoot);
+          if (exists && requestAuth.userNamespace) {
+            const allowedByNamespace = isPathInsideNamespace(requestAuth.userNamespace.root, normalizedRoot);
+            const allowedByRegistry = projectRegistryContainsCheckout(requestAuth.userNamespace.root, normalizedRoot);
+            if (!allowedByNamespace && !allowedByRegistry) {
+              return deps.jsonResponse({
+                ok: false,
+                error: "Requested project root is outside the authenticated GitHub user namespace.",
+                projectRoot: state.projectRoot,
+                requestedProjectRoot: normalizedRoot,
+                userNamespace: userNamespaceResponse(requestAuth.userNamespace)
+              }, 403);
+            }
+            copyGitHubAuthStateToLocalProjectRoot(requestAuth.userNamespace.authStateFile, normalizedRoot);
+          } else if (exists) {
+            createGitHubAuthStore(state.projectRoot).copyToLocalProjectRoot(normalizedRoot);
+          }
           const control = buildServerControlStatus();
           const switchCommand = process.env.RIG_PROJECT_ROOT_SWITCH_COMMAND?.trim();
           if (!exists) {
@@ -2611,7 +3438,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
               message: "Requested project root does not exist on the Rig server host."
             }, 404);
           }
-          if (!existsSync8(resolve11(normalizedRoot, "rig.config.ts")) && !existsSync8(resolve11(normalizedRoot, "rig.config.json"))) {
+          if (!existsSync10(resolve13(normalizedRoot, "rig.config.ts")) && !existsSync10(resolve13(normalizedRoot, "rig.config.json"))) {
             return deps.jsonResponse({
               ok: false,
               projectRoot: state.projectRoot,
@@ -2646,6 +3473,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
               exists,
               control,
               requiresRestart: false,
+              userNamespace: userNamespaceResponse(requestAuth.userNamespace),
               message: "Project-root switch accepted. Rig server restart has been scheduled."
             }, 202);
           }
@@ -2660,11 +3488,11 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }, 409);
         }
         if (url.pathname === "/api/github/auth/status") {
-          const store = createGitHubAuthStore(state.projectRoot);
-          return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }) });
+          const store = requestScopedAuthStore(state.projectRoot, requestAuth);
+          return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }), userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
         }
         if (url.pathname === "/api/github/repo/permissions") {
-          const store = createGitHubAuthStore(state.projectRoot);
+          const store = requestScopedAuthStore(state.projectRoot, requestAuth);
           const auth = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
           if (!auth.signedIn) {
             return deps.jsonResponse({ ok: false, signedIn: false, canOpenPullRequest: false, reason: "not-authenticated" }, 401);
@@ -2686,21 +3514,26 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           const body = await deps.readJsonBody(req);
           const token = normalizeString(body.token);
           const selectedRepo = normalizeString(body.selectedRepo);
+          const requestedProjectRoot = normalizeString(body.projectRoot);
           if (!token) {
             return deps.badRequest("token is required");
           }
           try {
             const user = await fetchGitHubUserInfo(token);
-            const store = createGitHubAuthStore(state.projectRoot);
-            store.saveToken({
+            const saved = saveGitHubTokenForRemoteUser({
+              projectRoot: state.projectRoot,
               token,
               tokenSource: "manual-token",
-              login: user.login,
-              userId: user.userId,
-              scopes: user.scopes,
-              selectedRepo
+              user,
+              selectedRepo,
+              requestedProjectRoot
+            });
+            return deps.jsonResponse({
+              ok: true,
+              ...saved.store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }),
+              apiSessionToken: saved.apiSessionToken,
+              userNamespace: userNamespaceResponse(saved.namespace)
             });
-            return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }) });
           } catch (error) {
             const message = error instanceof Error ? error.message : String(error);
             return deps.jsonResponse({ ok: false, error: message }, 400);
@@ -2767,8 +3600,21 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }
           const token = result.payload.access_token;
           const user = await fetchGitHubUserInfo(token);
-          store.saveToken({ token, tokenSource: "oauth-device", login: user.login, userId: user.userId, scopes: user.scopes });
-          return deps.jsonResponse({ ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }) });
+          const saved = saveGitHubTokenForRemoteUser({
+            projectRoot: state.projectRoot,
+            token,
+            tokenSource: "oauth-device",
+            user,
+            selectedRepo: null
+          });
+          store.clearPendingDevice(pollId);
+          return deps.jsonResponse({
+            ok: true,
+            status: "signed-in",
+            ...saved.store.status({ oauthConfigured: true }),
+            apiSessionToken: saved.apiSessionToken,
+            userNamespace: userNamespaceResponse(saved.namespace)
+          });
         }
         if (url.pathname === "/api/github/repo/probe" && req.method === "POST") {
           const body = await deps.readJsonBody(req);
@@ -2777,7 +3623,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (!owner || !repo) {
             return deps.badRequest("owner and repo are required");
           }
-          const store = createGitHubAuthStore(state.projectRoot);
+          const store = requestScopedAuthStore(state.projectRoot, requestAuth);
           const authStatus = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
           const probe = await probeGitHubRepository({ owner, repo, token: store.readToken(), scopes: authStatus.scopes });
           return deps.jsonResponse({ ok: probe.ok, probe }, probe.ok ? 200 : 400);
@@ -2798,7 +3644,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             return deps.badRequest(error instanceof Error ? error.message : String(error));
           }
           const authStatus = createGitHubAuthStore(state.projectRoot).status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
-          const configPath = resolve11(targetRoot, "rig.config.ts");
+          const configPath = resolve13(targetRoot, "rig.config.ts");
           const source = buildGitHubProjectConfigSource({
             projectName: rawProjectName,
             owner,
@@ -2810,8 +3656,8 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             ok: true,
             projectRoot: targetRoot,
             configPath,
-            exists: existsSync8(configPath),
-            requiresOverwrite: existsSync8(configPath),
+            exists: existsSync10(configPath),
+            requiresOverwrite: existsSync10(configPath),
             source,
             owner,
             repo,
@@ -2847,8 +3693,8 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             assignee,
             githubUserId: authStatus.userId ?? authStatus.login
           });
-          const configPath = resolve11(targetRoot, "rig.config.ts");
-          if (existsSync8(configPath) && !overwrite) {
+          const configPath = resolve13(targetRoot, "rig.config.ts");
+          if (existsSync10(configPath) && !overwrite) {
             return deps.jsonResponse({
               ok: false,
               error: "rig.config.ts already exists. Confirm overwrite to replace it; Rig will create a backup first.",
@@ -2864,11 +3710,11 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             return deps.jsonResponse({ ok: false, error: repoProbe.message, repoProbe }, 400);
           }
           let backupPath = null;
-          if (existsSync8(configPath)) {
+          if (existsSync10(configPath)) {
             backupPath = backupConfigPath(configPath);
-            copyFileSync(configPath, backupPath);
+            copyFileSync2(configPath, backupPath);
           }
-          writeFileSync7(configPath, source, "utf8");
+          writeFileSync9(configPath, source, "utf8");
           const selectedRepo = `${owner}/${repo}`;
           store.saveSelectedRepo(selectedRepo);
           const targetStore = createGitHubAuthStore(targetRoot);
@@ -3140,11 +3986,12 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           const runId = normalizeString(body.runId);
           const createdAt = normalizeString(body.createdAt) ?? new Date().toISOString();
           const promptOverride = normalizeString(body.promptOverride);
+          const restart = body.restart === true;
           if (!runId) {
             return deps.badRequest("runId is required");
           }
           try {
-            await deps.resumeRunRecord(state, { runId, createdAt, promptOverride });
+            await deps.resumeRunRecord(state, { runId, createdAt, promptOverride, restart });
             deps.broadcastSnapshotInvalidation(state);
             return deps.jsonResponse({ ok: true, runId, createdAt });
           } catch (error) {
@@ -3153,7 +4000,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
         }
         if (url.pathname === "/api/pi-rig/install" && req.method === "POST") {
           const configuredPackageSource = normalizeString(process.env.RIG_PI_RIG_PACKAGE_SOURCE);
-          const packageSource = configuredPackageSource ?? [process.env.RIG_HOST_PROJECT_ROOT, process.cwd(), state.projectRoot].map((root) => normalizeString(root)).filter((root) => Boolean(root)).map((root) => resolve11(root, "packages", "pi-rig")).find((candidate) => existsSync8(resolve11(candidate, "package.json"))) ?? "npm:@rig/pi-rig";
+          const packageSource = configuredPackageSource ?? [process.env.RIG_HOST_PROJECT_ROOT, process.cwd(), state.projectRoot].map((root) => normalizeString(root)).filter((root) => Boolean(root)).map((root) => resolve13(root, "packages", "pi-rig")).find((candidate) => existsSync10(resolve13(candidate, "package.json"))) ?? "npm:@rig/pi-rig";
           if (process.env.RIG_TEST_FAKE_PI_INSTALL === "1") {
             return deps.jsonResponse({ ok: true, installed: true, piOk: true, piRigOk: true, extensionPath: "remote:~/.pi/agent/extensions/pi-rig", packageSource });
           }
@@ -3469,9 +4316,9 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           } catch {
             return deps.badRequest("Invalid artifact path");
           }
-          mkdirSync7(dirname6(artifactPath), { recursive: true });
+          mkdirSync9(dirname9(artifactPath), { recursive: true });
           const bytes = Buffer.from(contentBase64, "base64");
-          writeFileSync7(artifactPath, bytes);
+          writeFileSync9(artifactPath, bytes);
           writeJsonFile4(`${artifactPath}.json`, {
             workspaceId: normalizeString(body.workspaceId) ?? RIG_WORKSPACE_ID,
             runId,
@@ -3633,12 +4480,12 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           try {
             const runsRoot = resolveAuthorityPaths(state.projectRoot).runsDir;
             const runRoot = deps.normalizeRelativePath(runsRoot, runId);
-            const artifactsRoot = resolve11(runRoot, "remote-artifacts");
+            const artifactsRoot = resolve13(runRoot, "remote-artifacts");
             artifactPath = deps.normalizeRelativePath(artifactsRoot, fileName);
           } catch {
             return deps.badRequest("Invalid artifact path");
           }
-          if (!existsSync8(artifactPath)) {
+          if (!existsSync10(artifactPath)) {
             return deps.notFound();
           }
           return new Response(Bun.file(artifactPath));