@h-rig/server 0.0.6-alpha.1 → 0.0.6-alpha.3

package/dist/src/server-helpers/run-mutations.js

@@ -459,6 +459,7 @@ import {
 } from "@rig/runtime/control-plane/tasks/source-lifecycle";
 
 // packages/server/src/server-helpers/github-auth-store.ts
+import { randomBytes } from "crypto";
 import { chmodSync, existsSync as existsSync3, mkdirSync as mkdirSync3, readFileSync, writeFileSync as writeFileSync3 } from "fs";
 import { resolve as resolve6 } from "path";
 function cleanString(value) {
@@ -472,6 +473,24 @@ function cleanScopes(value) {
     return clean ? [clean] : [];
   });
 }
+function parseApiSessions(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    if (!entry || typeof entry !== "object" || Array.isArray(entry))
+      return [];
+    const record = entry;
+    const token = cleanString(record.token);
+    if (!token)
+      return [];
+    return [{
+      token,
+      login: cleanString(record.login),
+      userId: cleanString(record.userId),
+      createdAt: cleanString(record.createdAt) ?? undefined
+    }];
+  });
+}
 function readStoredAuth(stateFile) {
   if (!existsSync3(stateFile))
     return {};
@@ -485,6 +504,7 @@ function readStoredAuth(stateFile) {
       selectedRepo: cleanString(parsed.selectedRepo),
       tokenSource: parsed.tokenSource === "oauth-device" || parsed.tokenSource === "manual-token" || parsed.tokenSource === "env" ? parsed.tokenSource : undefined,
       pendingDevice: parsePendingDevice(parsed.pendingDevice),
+      apiSessions: parseApiSessions(parsed.apiSessions),
       updatedAt: cleanString(parsed.updatedAt) ?? undefined
     };
   } catch {
@@ -503,6 +523,9 @@ function parsePendingDevice(value) {
     return null;
   return { pollId, deviceCode, expiresAt, intervalSeconds };
 }
+function newApiSessionToken() {
+  return `rig_${randomBytes(32).toString("base64url")}`;
+}
 function writeStoredAuth(stateFile, payload) {
   mkdirSync3(resolve6(stateFile, ".."), { recursive: true });
   writeFileSync3(stateFile, `${JSON.stringify(payload, null, 2)}
@@ -545,9 +568,38 @@ function createGitHubAuthStore(projectRoot) {
         scopes: input.scopes ?? [],
         selectedRepo: input.selectedRepo ?? previous.selectedRepo ?? null,
         pendingDevice: null,
+        apiSessions: previous.apiSessions ?? [],
         updatedAt: new Date().toISOString()
       });
     },
+    createApiSession() {
+      const previous = readStoredAuth(stateFile);
+      const token = newApiSessionToken();
+      const session = {
+        token,
+        login: cleanString(previous.login),
+        userId: cleanString(previous.userId),
+        createdAt: new Date().toISOString()
+      };
+      writeStoredAuth(stateFile, {
+        ...previous,
+        apiSessions: [...(previous.apiSessions ?? []).slice(-9), session],
+        updatedAt: new Date().toISOString()
+      });
+      return { token, login: session.login ?? null, userId: session.userId ?? null };
+    },
+    readApiSession(token) {
+      const clean = cleanString(token);
+      if (!clean)
+        return null;
+      const previous = readStoredAuth(stateFile);
+      const session = (previous.apiSessions ?? []).find((candidate) => candidate.token === clean);
+      return session ? { login: cleanString(session.login), userId: cleanString(session.userId) } : null;
+    },
+    copyToProjectRoot(projectRoot2) {
+      const targetFile = resolveGitHubAuthStateFile(projectRoot2);
+      writeStoredAuth(targetFile, readStoredAuth(stateFile));
+    },
     savePendingDevice(input) {
       const previous = readStoredAuth(stateFile);
       writeStoredAuth(stateFile, {
@@ -775,10 +827,10 @@ function extractGitHubIssueNodeId(task) {
 }
 
 // packages/server/src/server-helpers/http-router.ts
-var RIG_CONFIG_PACKAGE_VERSION = "0.0.6-alpha.1";
+var RIG_CONFIG_PACKAGE_DIST_TAG = "latest";
 var RIG_CONFIG_DEV_DEPENDENCIES = {
-  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_VERSION}`,
-  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_VERSION}`
+  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_DIST_TAG}`,
+  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_DIST_TAG}`
 };
 
 // packages/server/src/server-helpers/ws-router.ts
@@ -995,7 +1047,7 @@ async function readWorkspaceTasks(projectRoot) {
       description: normalizeString(entry.description),
       acceptanceCriteria: normalizeString(entry.acceptance_criteria),
       status: normalizedStatus ?? "unknown",
-      sourceStatus: normalizedStatus ? null : rawStatus,
+      sourceStatus: normalizedStatus && rawStatus !== normalizedStatus ? rawStatus : normalizedStatus ? null : rawStatus,
       priority: typeof entry.priority === "number" ? entry.priority : typeof entry.priority === "string" ? Number(entry.priority) : null,
       issueType: normalizeString(entry.issue_type),
       role: normalizeString(config.role) ?? null,
@@ -1120,15 +1172,36 @@ async function syncProjectStatusForRunLifecycle(projectRoot, run, status, config
   if (!run.taskId)
     return;
   const issueNodeId = extractGitHubIssueNodeId(runSourceTaskIdentity(run));
-  await syncGitHubProjectStatusForTaskUpdate({
-    taskId: run.taskId,
-    status,
-    issueNodeId,
-    token: createGitHubAuthStore(projectRoot).readToken(),
-    config
-  }).catch(() => {
-    return;
-  });
+  try {
+    const result = await syncGitHubProjectStatusForTaskUpdate({
+      taskId: run.taskId,
+      status,
+      issueNodeId,
+      token: createGitHubAuthStore(projectRoot).readToken(),
+      config
+    });
+    if (!result.synced && result.reason !== "project-sync-disabled") {
+      appendRunLogEntry(projectRoot, run.runId, {
+        id: `log:${run.runId}:github-project-sync:${status}`,
+        title: "GitHub Project sync skipped",
+        detail: `Project status sync for ${run.taskId} could not run: ${result.reason}.`,
+        tone: "warn",
+        status: "running",
+        createdAt: new Date().toISOString(),
+        payload: { reason: result.reason, issueNodeId }
+      });
+    }
+  } catch (error) {
+    appendRunLogEntry(projectRoot, run.runId, {
+      id: `log:${run.runId}:github-project-sync-error:${status}`,
+      title: "GitHub Project sync failed",
+      detail: error instanceof Error ? error.message : String(error),
+      tone: "error",
+      status: "running",
+      createdAt: new Date().toISOString(),
+      payload: { issueNodeId }
+    });
+  }
 }
 async function autoAssignRunIssue(projectRoot, run) {
   if (!run.taskId)
@@ -1402,7 +1475,11 @@ async function startLocalRun(state, runId, options) {
           RIG_SERVER_INTERNAL_EXEC: "1",
           ...serverUrl ? { RIG_SERVER_URL: serverUrl } : {},
           ...bridgeAuthToken ? { RIG_AUTH_TOKEN: bridgeAuthToken } : {},
-          ...bridgeGitHubToken ? { RIG_GITHUB_TOKEN: bridgeGitHubToken } : {}
+          ...bridgeGitHubToken ? {
+            RIG_GITHUB_TOKEN: bridgeGitHubToken,
+            GITHUB_TOKEN: bridgeGitHubToken,
+            GH_TOKEN: bridgeGitHubToken
+          } : {}
         },
         stdio: ["ignore", "pipe", "pipe"]
       });

package/dist/src/server-helpers/snapshot-orchestrator.js

@@ -699,7 +699,7 @@ async function buildRigSnapshotPayload(projectRoot, readers) {
   const taskSummaries = (await readers.readWorkspaceTasks(projectRoot)).map((task) => ({
     ...toTaskSummary(workspace.id, {
       ...task,
-      status: queuedTaskIds.has(task.id) && (task.status === "open" || task.status === "ready" || task.status === "draft") ? "queued" : task.status
+      status: queuedTaskIds.has(task.id) && (task.status === "open" || task.status === "ready" || task.status === "draft" || task.status === "failed" || task.sourceStatus === "failed") ? "queued" : task.status
     }),
     graphId: graph.id
   }));

package/dist/src/server-helpers/snapshot-service.js

@@ -711,7 +711,7 @@ async function buildRigSnapshotPayload(projectRoot, readers) {
   const taskSummaries = (await readers.readWorkspaceTasks(projectRoot)).map((task) => ({
     ...toTaskSummary(workspace.id, {
       ...task,
-      status: queuedTaskIds.has(task.id) && (task.status === "open" || task.status === "ready" || task.status === "draft") ? "queued" : task.status
+      status: queuedTaskIds.has(task.id) && (task.status === "open" || task.status === "ready" || task.status === "draft" || task.status === "failed" || task.sourceStatus === "failed") ? "queued" : task.status
     }),
     graphId: graph.id
   }));

package/dist/src/server-helpers/ws-router.js

@@ -437,10 +437,10 @@ import {
   buildTaskRunLifecycleComment as buildTaskRunLifecycleComment2,
   updateConfiguredTaskSourceTask as updateConfiguredTaskSourceTask2
 } from "@rig/runtime/control-plane/tasks/source-lifecycle";
-var RIG_CONFIG_PACKAGE_VERSION = "0.0.6-alpha.1";
+var RIG_CONFIG_PACKAGE_DIST_TAG = "latest";
 var RIG_CONFIG_DEV_DEPENDENCIES = {
-  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_VERSION}`,
-  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_VERSION}`
+  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_DIST_TAG}`,
+  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_DIST_TAG}`
 };
 
 // packages/server/src/server-helpers/inspector-jobs.ts

package/dist/src/server.js

@@ -1786,7 +1786,7 @@ async function buildRigSnapshotPayload(projectRoot, readers) {
   const taskSummaries = (await readers.readWorkspaceTasks(projectRoot)).map((task) => ({
     ...toTaskSummary(workspace.id, {
       ...task,
-      status: queuedTaskIds.has(task.id) && (task.status === "open" || task.status === "ready" || task.status === "draft") ? "queued" : task.status
+      status: queuedTaskIds.has(task.id) && (task.status === "open" || task.status === "ready" || task.status === "draft" || task.status === "failed" || task.sourceStatus === "failed") ? "queued" : task.status
     }),
     graphId: graph.id
   }));
@@ -2463,7 +2463,10 @@ function createPiIssueAnalyzer(input = {}) {
   const runCommand = input.runCommand ?? createDefaultPiIssueAnalysisCommandRunner();
   return async ({ prompt }) => {
     const args = ["--print", "--mode", "json", "--no-session"];
-    const model = input.model?.trim() || process.env.RIG_ISSUE_ANALYSIS_MODEL?.trim() || "openai-codex/gpt-5.5";
+    const provider = input.provider?.trim() || process.env.RIG_ISSUE_ANALYSIS_PROVIDER?.trim() || process.env.RIG_PI_PROVIDER?.trim();
+    const model = input.model?.trim() || process.env.RIG_ISSUE_ANALYSIS_MODEL?.trim() || process.env.RIG_PI_MODEL?.trim() || "openai-codex/gpt-5.5";
+    if (provider)
+      args.push("--provider", provider);
     if (model)
       args.push("--model", model);
     args.push(prompt);
@@ -3304,6 +3307,7 @@ function summarizeRunValidationFailure(projectRoot, run) {
 }
 
 // packages/server/src/server-helpers/github-auth-store.ts
+import { randomBytes } from "crypto";
 import { chmodSync, existsSync as existsSync6, mkdirSync as mkdirSync6, readFileSync as readFileSync3, writeFileSync as writeFileSync5 } from "fs";
 import { resolve as resolve13 } from "path";
 function cleanString(value) {
@@ -3317,6 +3321,24 @@ function cleanScopes(value) {
     return clean ? [clean] : [];
   });
 }
+function parseApiSessions(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    if (!entry || typeof entry !== "object" || Array.isArray(entry))
+      return [];
+    const record = entry;
+    const token = cleanString(record.token);
+    if (!token)
+      return [];
+    return [{
+      token,
+      login: cleanString(record.login),
+      userId: cleanString(record.userId),
+      createdAt: cleanString(record.createdAt) ?? undefined
+    }];
+  });
+}
 function readStoredAuth(stateFile) {
   if (!existsSync6(stateFile))
     return {};
@@ -3330,6 +3352,7 @@ function readStoredAuth(stateFile) {
       selectedRepo: cleanString(parsed.selectedRepo),
       tokenSource: parsed.tokenSource === "oauth-device" || parsed.tokenSource === "manual-token" || parsed.tokenSource === "env" ? parsed.tokenSource : undefined,
       pendingDevice: parsePendingDevice(parsed.pendingDevice),
+      apiSessions: parseApiSessions(parsed.apiSessions),
       updatedAt: cleanString(parsed.updatedAt) ?? undefined
     };
   } catch {
@@ -3348,6 +3371,9 @@ function parsePendingDevice(value) {
     return null;
   return { pollId, deviceCode, expiresAt, intervalSeconds };
 }
+function newApiSessionToken() {
+  return `rig_${randomBytes(32).toString("base64url")}`;
+}
 function writeStoredAuth(stateFile, payload) {
   mkdirSync6(resolve13(stateFile, ".."), { recursive: true });
   writeFileSync5(stateFile, `${JSON.stringify(payload, null, 2)}
@@ -3390,9 +3416,38 @@ function createGitHubAuthStore(projectRoot) {
         scopes: input.scopes ?? [],
         selectedRepo: input.selectedRepo ?? previous.selectedRepo ?? null,
         pendingDevice: null,
+        apiSessions: previous.apiSessions ?? [],
         updatedAt: new Date().toISOString()
       });
     },
+    createApiSession() {
+      const previous = readStoredAuth(stateFile);
+      const token = newApiSessionToken();
+      const session = {
+        token,
+        login: cleanString(previous.login),
+        userId: cleanString(previous.userId),
+        createdAt: new Date().toISOString()
+      };
+      writeStoredAuth(stateFile, {
+        ...previous,
+        apiSessions: [...(previous.apiSessions ?? []).slice(-9), session],
+        updatedAt: new Date().toISOString()
+      });
+      return { token, login: session.login ?? null, userId: session.userId ?? null };
+    },
+    readApiSession(token) {
+      const clean = cleanString(token);
+      if (!clean)
+        return null;
+      const previous = readStoredAuth(stateFile);
+      const session = (previous.apiSessions ?? []).find((candidate) => candidate.token === clean);
+      return session ? { login: cleanString(session.login), userId: cleanString(session.userId) } : null;
+    },
+    copyToProjectRoot(projectRoot2) {
+      const targetFile = resolveGitHubAuthStateFile(projectRoot2);
+      writeStoredAuth(targetFile, readStoredAuth(stateFile));
+    },
     savePendingDevice(input) {
       const previous = readStoredAuth(stateFile);
       writeStoredAuth(stateFile, {
@@ -3690,15 +3745,36 @@ async function syncProjectStatusForRunLifecycle(projectRoot, run, status, config
   if (!run.taskId)
     return;
   const issueNodeId = extractGitHubIssueNodeId(runSourceTaskIdentity(run));
-  await syncGitHubProjectStatusForTaskUpdate({
-    taskId: run.taskId,
-    status,
-    issueNodeId,
-    token: createGitHubAuthStore(projectRoot).readToken(),
-    config
-  }).catch(() => {
-    return;
-  });
+  try {
+    const result = await syncGitHubProjectStatusForTaskUpdate({
+      taskId: run.taskId,
+      status,
+      issueNodeId,
+      token: createGitHubAuthStore(projectRoot).readToken(),
+      config
+    });
+    if (!result.synced && result.reason !== "project-sync-disabled") {
+      appendRunLogEntry(projectRoot, run.runId, {
+        id: `log:${run.runId}:github-project-sync:${status}`,
+        title: "GitHub Project sync skipped",
+        detail: `Project status sync for ${run.taskId} could not run: ${result.reason}.`,
+        tone: "warn",
+        status: "running",
+        createdAt: new Date().toISOString(),
+        payload: { reason: result.reason, issueNodeId }
+      });
+    }
+  } catch (error) {
+    appendRunLogEntry(projectRoot, run.runId, {
+      id: `log:${run.runId}:github-project-sync-error:${status}`,
+      title: "GitHub Project sync failed",
+      detail: error instanceof Error ? error.message : String(error),
+      tone: "error",
+      status: "running",
+      createdAt: new Date().toISOString(),
+      payload: { issueNodeId }
+    });
+  }
 }
 async function autoAssignRunIssue(projectRoot, run) {
   if (!run.taskId)
@@ -3972,7 +4048,11 @@ async function startLocalRun(state, runId, options) {
           RIG_SERVER_INTERNAL_EXEC: "1",
           ...serverUrl ? { RIG_SERVER_URL: serverUrl } : {},
           ...bridgeAuthToken ? { RIG_AUTH_TOKEN: bridgeAuthToken } : {},
-          ...bridgeGitHubToken ? { RIG_GITHUB_TOKEN: bridgeGitHubToken } : {}
+          ...bridgeGitHubToken ? {
+            RIG_GITHUB_TOKEN: bridgeGitHubToken,
+            GITHUB_TOKEN: bridgeGitHubToken,
+            GH_TOKEN: bridgeGitHubToken
+          } : {}
         },
         stdio: ["ignore", "pipe", "pipe"]
       });
@@ -4886,10 +4966,10 @@ function normalizeCommit(value) {
 function asPlainRecord(value) {
   return value && typeof value === "object" && !Array.isArray(value) ? value : null;
 }
-var RIG_CONFIG_PACKAGE_VERSION = "0.0.6-alpha.1";
+var RIG_CONFIG_PACKAGE_DIST_TAG = "latest";
 var RIG_CONFIG_DEV_DEPENDENCIES = {
-  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_VERSION}`,
-  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_VERSION}`
+  "@rig/core": `npm:@h-rig/core@${RIG_CONFIG_PACKAGE_DIST_TAG}`,
+  "@rig/standard-plugin": `npm:@h-rig/standard-plugin@${RIG_CONFIG_PACKAGE_DIST_TAG}`
 };
 function repoParts(repoSlug) {
   const [owner, repo] = repoSlug.split("/");
@@ -5243,13 +5323,13 @@ function bearerTokenFromRequest(req) {
 function isLoopbackRequest(req) {
   try {
     const hostname = new URL(req.url).hostname.toLowerCase();
-    return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1" || hostname === "[::1]";
+    return hostname === "localhost" || hostname === "rig.local" || hostname.endsWith(".localhost") || hostname === "127.0.0.1" || hostname === "::1" || hostname === "[::1]";
   } catch {
     return false;
   }
 }
 function isPublicRigAuthBootstrapRoute(pathname) {
-  return pathname === "/" || pathname === "/health" || pathname === "/api/health" || pathname === "/api/server/status" || pathname === "/api/github/auth/status" || pathname === "/api/github/auth/token" || pathname === "/api/github/auth/device/start" || pathname === "/api/github/auth/device/poll";
+  return pathname === "/" || pathname === "/health" || pathname === "/api/health" || pathname === "/api/github/auth/status" || pathname === "/api/github/auth/token" || pathname === "/api/github/auth/device/start" || pathname === "/api/github/auth/device/poll";
 }
 function normalizePrMode(value) {
   const mode = normalizeString(value);
@@ -5262,6 +5342,10 @@ function authorizeRigHttpRequest(input) {
   const bearer = bearerTokenFromRequest(input.req);
   const store = createGitHubAuthStore(input.projectRoot);
   const storedToken = store.readToken();
+  const session = bearer ? store.readApiSession(bearer) : null;
+  if (session) {
+    return { authorized: true, actor: session.login ?? "github-operator", reason: "github-session" };
+  }
   if (bearer && storedToken && bearer === storedToken) {
     const status = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
     return { authorized: true, actor: status.login ?? "github-operator", reason: "github-token" };
@@ -5269,8 +5353,11 @@ function authorizeRigHttpRequest(input) {
   if (isPublicRigAuthBootstrapRoute(input.pathname)) {
     return { authorized: true, actor: null, reason: "public-bootstrap" };
   }
-  if (!input.serverAuthToken && !storedToken && isLoopbackRequest(input.req)) {
-    return { authorized: true, actor: null, reason: "loopback-dev-no-auth" };
+  if (!input.serverAuthToken && !storedToken) {
+    if (isLoopbackRequest(input.req)) {
+      return { authorized: true, actor: null, reason: "loopback-dev-no-auth" };
+    }
+    return { authorized: false, actor: null, reason: "auth-required" };
   }
   return { authorized: false, actor: null, reason: storedToken ? "github-token-required" : "auth-required" };
 }
@@ -5501,7 +5588,7 @@ function selectNextWorkspaceTask(projectRoot, tasks) {
   if (runnable.length === 0)
     return null;
   const queue = readQueueState(projectRoot);
-  const queueRank = new Map(queue.map((entry, index) => [entry.taskId, { score: entry.score, position: index }]));
+  const queueRank = new Map(queue.map((entry, index) => [String(entry.taskId), { score: entry.score, position: index }]));
   return runnable.toSorted((left, right) => {
     const leftId = taskIdOf(left) ?? "";
     const rightId = taskIdOf(right) ?? "";
@@ -5541,6 +5628,27 @@ function filterWorkspaceTasks(projectRoot, tasks, searchParams) {
   }
   return filtered;
 }
+function issueAnalysisTargetFor(source) {
+  if (!source)
+    return null;
+  const candidate = source;
+  if (typeof candidate.updateTask !== "function")
+    return null;
+  return {
+    ...typeof candidate.get === "function" ? { get: candidate.get.bind(candidate) } : {},
+    updateTask: candidate.updateTask.bind(candidate),
+    ...typeof candidate.addLabels === "function" ? { addLabels: candidate.addLabels.bind(candidate) } : {},
+    ...typeof candidate.removeLabels === "function" ? { removeLabels: candidate.removeLabels.bind(candidate) } : {},
+    ...typeof candidate.createIssue === "function" ? { createIssue: candidate.createIssue.bind(candidate) } : {}
+  };
+}
+function uniqueStringList(value) {
+  const raw = Array.isArray(value) ? value : typeof value === "string" ? [value] : [];
+  return [...new Set(raw.map((entry) => String(entry).trim()).filter(Boolean))];
+}
+function taskRecordId(task) {
+  return String(task.id ?? "");
+}
 function redactRemoteEndpoint(endpoint) {
   const { token, ...rest } = endpoint;
   return {
@@ -5627,7 +5735,7 @@ function createRigServerFetch(state, deps) {
         }
         const isLinearWebhook = url.pathname === "/api/linear/webhook" && req.method === "POST";
         const isInspectorStream = url.pathname === "/api/inspector/stream" && req.method === "GET";
-        const legacyAuthorizedHttpRequest = isInspectorStream && isAuthorizedInspectorStreamRequest(req, state.authToken) ? true : deps.isAuthorizedHttpRequest(req, state.authToken);
+        const legacyAuthorizedHttpRequest = Boolean(state.authToken) && (isInspectorStream && isAuthorizedInspectorStreamRequest(req, state.authToken) ? true : deps.isAuthorizedHttpRequest(req, state.authToken));
         const requestAuth = authorizeRigHttpRequest({
           req,
           pathname: url.pathname,
@@ -5883,6 +5991,67 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             note: "GitHub issue lifecycle labels are created on demand by the configured task source when supported."
           });
         }
+        if (url.pathname === "/api/workspace/issue-analysis/run" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const ids = uniqueStringList(body.ids ?? body.id);
+          const analyzeAll = deps.isTruthyQuery(String(body.all ?? ""));
+          if (ids.length === 0 && !analyzeAll) {
+            return deps.badRequest("ids is required unless all=true");
+          }
+          const ctx = await getCachedPluginHostContext(state.projectRoot);
+          const [source] = ctx?.taskSourceRegistry.list() ?? [];
+          const target = issueAnalysisTargetFor(source);
+          if (!source || !target) {
+            return deps.badRequest("Configured task source does not support issue-analysis writeback");
+          }
+          const allTasks = [...await source.list()];
+          const issues = analyzeAll ? allTasks.slice(0, Math.max(1, Math.min(25, Number(body.limit ?? 25) || 25))) : (await Promise.all(ids.map(async (id) => {
+            const cached = allTasks.find((task) => taskRecordId(task) === id);
+            if (cached)
+              return cached;
+            return typeof source.get === "function" ? await source.get(id) : undefined;
+          }))).filter((task) => Boolean(task));
+          if (issues.length === 0) {
+            return deps.jsonResponse({ ok: false, error: "No matching issues found for issue analysis", ids }, 404);
+          }
+          const config = ctx?.config && typeof ctx.config === "object" ? ctx.config : {};
+          const issueAnalysis = config.issueAnalysis && typeof config.issueAnalysis === "object" ? config.issueAnalysis : {};
+          const runtime = config.runtime && typeof config.runtime === "object" ? config.runtime : {};
+          const model = normalizeString(issueAnalysis.model) ?? normalizeString(runtime.model);
+          const service = createIssueAnalysisService({
+            analyzer: createPiIssueAnalyzer({
+              ...model ? { model } : {},
+              env: { RIG_PROJECT_ROOT: state.projectRoot }
+            }),
+            writeBack: createIssueAnalysisWriteBack({ target })
+          });
+          const reason = normalizeString(body.reason) ?? "http-issue-analysis";
+          let results;
+          try {
+            results = await service.analyze(issues, { reason, neighbors: ids.length > 0 ? issues : allTasks });
+          } catch (error) {
+            return deps.jsonResponse({
+              ok: false,
+              error: `Issue analysis failed: ${error instanceof Error ? error.message : String(error)}`,
+              reason,
+              ids: issues.map((issue) => issue.id)
+            }, 502);
+          }
+          deps.snapshotService.invalidate("issue-analysis-http-run");
+          await state.taskProjectionReconciler?.tick("issue-analysis-http-run").catch(() => {
+            return;
+          });
+          deps.broadcastSnapshotInvalidation(state, "issue-analysis-http-run");
+          return deps.jsonResponse({
+            ok: true,
+            reason,
+            analyzed: results.map((entry) => ({
+              id: entry.issue.id,
+              title: entry.issue.title ?? null,
+              result: entry.result
+            }))
+          });
+        }
         if (url.pathname === "/api/server/status") {
           const config = buildProjectConfigStatus(state.projectRoot);
           const taskSource = await buildTaskSourceStatus(state, config);
@@ -6023,6 +6192,9 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }
           const normalizedRoot = resolve18(requestedRoot);
           const exists = existsSync11(normalizedRoot);
+          if (exists) {
+            createGitHubAuthStore(state.projectRoot).copyToProjectRoot(normalizedRoot);
+          }
           const control = buildServerControlStatus();
           const switchCommand = process.env.RIG_PROJECT_ROOT_SWITCH_COMMAND?.trim();
           if (!exists) {
@@ -6111,21 +6283,30 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           const body = await deps.readJsonBody(req);
           const token = normalizeString(body.token);
           const selectedRepo = normalizeString(body.selectedRepo);
+          const requestedProjectRoot = normalizeString(body.projectRoot);
           if (!token) {
             return deps.badRequest("token is required");
           }
           try {
             const user = await fetchGitHubUserInfo(token);
-            const store = createGitHubAuthStore(state.projectRoot);
-            store.saveToken({
-              token,
-              tokenSource: "manual-token",
-              login: user.login,
-              userId: user.userId,
-              scopes: user.scopes,
-              selectedRepo
-            });
-            return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }) });
+            const storeRoots = [
+              state.projectRoot,
+              ...requestedProjectRoot && isAbsolute3(requestedProjectRoot) && existsSync11(resolve18(requestedProjectRoot)) ? [resolve18(requestedProjectRoot)] : []
+            ].filter((root, index, roots) => roots.indexOf(root) === index);
+            const stores = storeRoots.map((root) => createGitHubAuthStore(root));
+            for (const store2 of stores) {
+              store2.saveToken({
+                token,
+                tokenSource: "manual-token",
+                login: user.login,
+                userId: user.userId,
+                scopes: user.scopes,
+                selectedRepo
+              });
+            }
+            const store = stores[stores.length - 1] ?? createGitHubAuthStore(state.projectRoot);
+            const apiSession = store.createApiSession();
+            return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }), apiSessionToken: apiSession.token });
           } catch (error) {
             const message = error instanceof Error ? error.message : String(error);
             return deps.jsonResponse({ ok: false, error: message }, 400);
@@ -6193,7 +6374,8 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           const token = result.payload.access_token;
           const user = await fetchGitHubUserInfo(token);
           store.saveToken({ token, tokenSource: "oauth-device", login: user.login, userId: user.userId, scopes: user.scopes });
-          return deps.jsonResponse({ ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }) });
+          const apiSession = store.createApiSession();
+          return deps.jsonResponse({ ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }), apiSessionToken: apiSession.token });
         }
         if (url.pathname === "/api/github/repo/probe" && req.method === "POST") {
           const body = await deps.readJsonBody(req);
@@ -11999,7 +12181,7 @@ async function readWorkspaceTasks(projectRoot) {
       description: normalizeString(entry.description),
       acceptanceCriteria: normalizeString(entry.acceptance_criteria),
       status: normalizedStatus ?? "unknown",
-      sourceStatus: normalizedStatus ? null : rawStatus,
+      sourceStatus: normalizedStatus && rawStatus !== normalizedStatus ? rawStatus : normalizedStatus ? null : rawStatus,
       priority: typeof entry.priority === "number" ? entry.priority : typeof entry.priority === "string" ? Number(entry.priority) : null,
       issueType: normalizeString(entry.issue_type),
       role: normalizeString(config.role) ?? null,
@@ -12479,6 +12661,7 @@ async function createRigServer(options, projectRoot = resolveProjectRoot()) {
   const server = Bun.serve({
     hostname: options.host,
     port: options.port,
+    idleTimeout: Math.max(10, Math.min(255, Number.parseInt(process.env.RIG_SERVER_IDLE_TIMEOUT_SECONDS || "255", 10) || 255)),
     fetch: (req, server2) => createRigServerFetch2(state)(req, server2),
     websocket: {
       open(ws) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@h-rig/server",
-  "version": "0.0.6-alpha.1",
+  "version": "0.0.6-alpha.3",
   "type": "module",
   "description": "Rig package",
   "license": "UNLICENSED",
@@ -25,9 +25,9 @@
     "rig-server": "./dist/src/server.js"
   },
   "dependencies": {
-    "@rig/contracts": "npm:@h-rig/contracts@0.0.6-alpha.1",
-    "@rig/core": "npm:@h-rig/core@0.0.6-alpha.1",
-    "@rig/runtime": "npm:@h-rig/runtime@0.0.6-alpha.1",
+    "@rig/contracts": "npm:@h-rig/contracts@0.0.6-alpha.3",
+    "@rig/core": "npm:@h-rig/core@0.0.6-alpha.3",
+    "@rig/runtime": "npm:@h-rig/runtime@0.0.6-alpha.3",
     "effect": "4.0.0-beta.78"
   }
 }