@h-rig/server 0.0.6-alpha.10 → 0.0.6-alpha.11

package/dist/src/index.js

@@ -663,9 +663,9 @@ function createRemoteOrchestrationSummary(input) {
 }
 // packages/server/src/server.ts
 import { spawn as spawn5 } from "child_process";
-import { existsSync as existsSync17, readdirSync as readdirSync5, readFileSync as readFileSync12, statSync as statSync6 } from "fs";
+import { existsSync as existsSync19, readdirSync as readdirSync5, readFileSync as readFileSync14, statSync as statSync6 } from "fs";
 import { open } from "fs/promises";
-import { dirname as dirname17, resolve as resolve22 } from "path";
+import { dirname as dirname20, resolve as resolve24 } from "path";
 import {
   listAuthorityArtifactRoots,
   listAuthorityRuns as listAuthorityRuns7,
@@ -3707,7 +3707,7 @@ function applyOrchestrationCommand2(state, command) {
 import { spawn as spawn3 } from "child_process";
 import { loadConfig } from "@rig/core/load-config";
 import { existsSync as existsSync7, mkdirSync as mkdirSync7, readFileSync as readFileSync4, statSync as statSync5, writeFileSync as writeFileSync6 } from "fs";
-import { dirname as dirname8, relative as relative2, resolve as resolve14 } from "path";
+import { dirname as dirname9, relative as relative2, resolve as resolve14 } from "path";
 import {
   listAuthorityRuns as listAuthorityRuns4,
   readAuthorityRun as readAuthorityRun4,
@@ -3831,8 +3831,8 @@ function summarizeRunValidationFailure(projectRoot, run) {
 
 // packages/server/src/server-helpers/github-auth-store.ts
 import { randomBytes } from "crypto";
-import { chmodSync, existsSync as existsSync6, mkdirSync as mkdirSync6, readFileSync as readFileSync3, writeFileSync as writeFileSync5 } from "fs";
-import { resolve as resolve13 } from "path";
+import { chmodSync, copyFileSync, existsSync as existsSync6, mkdirSync as mkdirSync6, readFileSync as readFileSync3, writeFileSync as writeFileSync5 } from "fs";
+import { dirname as dirname8, resolve as resolve13 } from "path";
 function cleanString(value) {
   return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
 }
@@ -3862,6 +3862,26 @@ function parseApiSessions(value) {
     }];
   });
 }
+function parsePendingDevice(value) {
+  if (!value || typeof value !== "object")
+    return null;
+  const record = value;
+  const pollId = cleanString(record.pollId);
+  const deviceCode = cleanString(record.deviceCode);
+  const expiresAt = cleanString(record.expiresAt);
+  const intervalSeconds = typeof record.intervalSeconds === "number" && Number.isFinite(record.intervalSeconds) ? Math.max(1, Math.floor(record.intervalSeconds)) : null;
+  if (!pollId || !deviceCode || !expiresAt || !intervalSeconds)
+    return null;
+  return { pollId, deviceCode, expiresAt, intervalSeconds };
+}
+function parsePendingDevices(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    const pending = parsePendingDevice(entry);
+    return pending ? [pending] : [];
+  });
+}
 function readStoredAuth(stateFile) {
   if (!existsSync6(stateFile))
     return {};
@@ -3875,6 +3895,7 @@ function readStoredAuth(stateFile) {
       selectedRepo: cleanString(parsed.selectedRepo),
       tokenSource: parsed.tokenSource === "oauth-device" || parsed.tokenSource === "manual-token" || parsed.tokenSource === "env" ? parsed.tokenSource : undefined,
       pendingDevice: parsePendingDevice(parsed.pendingDevice),
+      pendingDevices: parsePendingDevices(parsed.pendingDevices),
       apiSessions: parseApiSessions(parsed.apiSessions),
       updatedAt: cleanString(parsed.updatedAt) ?? undefined
     };
@@ -3882,34 +3903,36 @@ function readStoredAuth(stateFile) {
     return {};
   }
 }
-function parsePendingDevice(value) {
-  if (!value || typeof value !== "object")
-    return null;
-  const record = value;
-  const pollId = cleanString(record.pollId);
-  const deviceCode = cleanString(record.deviceCode);
-  const expiresAt = cleanString(record.expiresAt);
-  const intervalSeconds = typeof record.intervalSeconds === "number" && Number.isFinite(record.intervalSeconds) ? Math.max(1, Math.floor(record.intervalSeconds)) : null;
-  if (!pollId || !deviceCode || !expiresAt || !intervalSeconds)
-    return null;
-  return { pollId, deviceCode, expiresAt, intervalSeconds };
-}
 function newApiSessionToken() {
   return `rig_${randomBytes(32).toString("base64url")}`;
 }
 function writeStoredAuth(stateFile, payload) {
-  mkdirSync6(resolve13(stateFile, ".."), { recursive: true });
+  mkdirSync6(dirname8(stateFile), { recursive: true });
   writeFileSync5(stateFile, `${JSON.stringify(payload, null, 2)}
 `, { encoding: "utf8", mode: 384 });
   try {
     chmodSync(stateFile, 384);
   } catch {}
 }
+function localProjectAuthStateFile(projectRoot) {
+  return resolve13(projectRoot, ".rig", "state", "github-auth.json");
+}
 function resolveGitHubAuthStateFile(projectRoot) {
   return resolve13(resolveServerAuthorityPaths(projectRoot).stateDir, "github-auth.json");
 }
-function createGitHubAuthStore(projectRoot) {
-  const stateFile = resolveGitHubAuthStateFile(projectRoot);
+function copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot) {
+  const targetFile = localProjectAuthStateFile(projectRoot);
+  mkdirSync6(dirname8(targetFile), { recursive: true });
+  if (existsSync6(stateFile)) {
+    copyFileSync(stateFile, targetFile);
+    try {
+      chmodSync(targetFile, 384);
+    } catch {}
+    return;
+  }
+  writeStoredAuth(targetFile, {});
+}
+function createGitHubAuthStoreFromStateFile(stateFile) {
   return {
     stateFile,
     status(options) {
@@ -3939,6 +3962,7 @@ function createGitHubAuthStore(projectRoot) {
         scopes: input.scopes ?? [],
         selectedRepo: input.selectedRepo ?? previous.selectedRepo ?? null,
         pendingDevice: null,
+        pendingDevices: [],
         apiSessions: previous.apiSessions ?? [],
         updatedAt: new Date().toISOString()
       });
@@ -3967,15 +3991,24 @@ function createGitHubAuthStore(projectRoot) {
       const session = (previous.apiSessions ?? []).find((candidate) => candidate.token === clean);
       return session ? { login: cleanString(session.login), userId: cleanString(session.userId) } : null;
     },
-    copyToProjectRoot(projectRoot2) {
-      const targetFile = resolveGitHubAuthStateFile(projectRoot2);
+    copyToProjectRoot(projectRoot) {
+      const targetFile = resolveGitHubAuthStateFile(projectRoot);
       writeStoredAuth(targetFile, readStoredAuth(stateFile));
     },
+    copyToLocalProjectRoot(projectRoot) {
+      copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot);
+    },
     savePendingDevice(input) {
       const previous = readStoredAuth(stateFile);
+      const pendingDevices = [
+        ...previous.pendingDevice ? [previous.pendingDevice] : [],
+        ...previous.pendingDevices ?? [],
+        input
+      ].filter((entry, index, entries) => entries.findIndex((candidate) => candidate.pollId === entry.pollId) === index);
       writeStoredAuth(stateFile, {
         ...previous,
-        pendingDevice: input,
+        pendingDevice: null,
+        pendingDevices,
         updatedAt: new Date().toISOString()
       });
     },
@@ -3988,23 +4021,32 @@ function createGitHubAuthStore(projectRoot) {
       });
     },
     readPendingDevice(pollId) {
-      const pending = readStoredAuth(stateFile).pendingDevice ?? null;
-      if (!pending || pending.pollId !== pollId)
+      const previous = readStoredAuth(stateFile);
+      const pending = [
+        ...previous.pendingDevice ? [previous.pendingDevice] : [],
+        ...previous.pendingDevices ?? []
+      ].find((entry) => entry.pollId === pollId) ?? null;
+      if (!pending)
         return null;
       if (Date.parse(pending.expiresAt) <= Date.now())
         return null;
       return pending;
     },
-    clearPendingDevice() {
+    clearPendingDevice(pollId) {
       const previous = readStoredAuth(stateFile);
+      const remaining = pollId ? (previous.pendingDevices ?? []).filter((entry) => entry.pollId !== pollId) : [];
       writeStoredAuth(stateFile, {
         ...previous,
         pendingDevice: null,
+        pendingDevices: remaining,
         updatedAt: new Date().toISOString()
       });
     }
   };
 }
+function createGitHubAuthStore(projectRoot) {
+  return createGitHubAuthStoreFromStateFile(resolveGitHubAuthStateFile(projectRoot));
+}
 
 // packages/server/src/server-helpers/github-projects.ts
 function asRecord(value) {
@@ -4743,7 +4785,7 @@ function resolveLocalRunCliProjectRoot(projectRoot) {
   }
   try {
     const monorepoRoot = resolveMonorepoRoot3(projectRoot);
-    const outerProjectRoot = dirname8(dirname8(monorepoRoot));
+    const outerProjectRoot = dirname9(dirname9(monorepoRoot));
     if (existsSync7(resolve14(outerProjectRoot, "packages/cli/bin/rig.ts"))) {
       return outerProjectRoot;
     }
@@ -4957,8 +4999,8 @@ async function reconcileScheduler(state, reason) {
 // packages/server/src/server-helpers/http-router.ts
 import { randomUUID } from "crypto";
 import { spawnSync as spawnSync3 } from "child_process";
-import { basename, dirname as dirname12, isAbsolute as isAbsolute3, resolve as resolve18 } from "path";
-import { copyFileSync, existsSync as existsSync11, mkdirSync as mkdirSync11, readFileSync as readFileSync7, writeFileSync as writeFileSync10 } from "fs";
+import { basename, dirname as dirname15, isAbsolute as isAbsolute4, resolve as resolve20 } from "path";
+import { copyFileSync as copyFileSync2, existsSync as existsSync13, mkdirSync as mkdirSync13, readFileSync as readFileSync9, writeFileSync as writeFileSync12 } from "fs";
 import {
   listAuthorityRuns as listAuthorityRuns5,
   readAuthorityRun as readAuthorityRun6,
@@ -4982,7 +5024,7 @@ import {
 } from "@rig/runtime/control-plane/remote";
 
 // packages/server/src/server-helpers/run-steering.ts
-import { dirname as dirname9, resolve as resolve15 } from "path";
+import { dirname as dirname10, resolve as resolve15 } from "path";
 import { existsSync as existsSync8, mkdirSync as mkdirSync8, readFileSync as readFileSync5 } from "fs";
 import { appendJsonlRecord as appendJsonlRecord2, readAuthorityRun as readAuthorityRun5, resolveAuthorityRunDir as resolveAuthorityRunDir4 } from "@rig/runtime/control-plane/authority-files";
 var steeringSequence = 0;
@@ -5069,7 +5111,7 @@ function queueRunSteeringMessage(projectRoot, runId, input) {
     delivered: false
   };
   const path = runSteeringPath(projectRoot, runId);
-  mkdirSync8(dirname9(path), { recursive: true });
+  mkdirSync8(dirname10(path), { recursive: true });
   appendJsonlRecord2(path, entry);
   appendRunTimelineEntry(projectRoot, runId, {
     id: entry.id,
@@ -5106,6 +5148,187 @@ import {
   updateConfiguredTaskSourceTask as updateConfiguredTaskSourceTask2
 } from "@rig/runtime/control-plane/tasks/source-lifecycle";
 
+// packages/server/src/server-helpers/github-api-session-index.ts
+import { chmodSync as chmodSync3, existsSync as existsSync10, mkdirSync as mkdirSync10, readFileSync as readFileSync7, writeFileSync as writeFileSync9 } from "fs";
+import { dirname as dirname12, resolve as resolve17 } from "path";
+
+// packages/server/src/server-helpers/github-user-namespace.ts
+import { chmodSync as chmodSync2, existsSync as existsSync9, mkdirSync as mkdirSync9, readFileSync as readFileSync6, writeFileSync as writeFileSync8 } from "fs";
+import { dirname as dirname11, isAbsolute as isAbsolute2, relative as relative3, resolve as resolve16 } from "path";
+function cleanString3(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function sanitizePathSegment(value) {
+  return value.trim().toLowerCase().replace(/[^a-z0-9._-]/g, "-").replace(/^-+|-+$/g, "").slice(0, 96);
+}
+function deriveGitHubUserNamespaceKey(identity) {
+  const userId = cleanString3(identity.userId);
+  if (userId) {
+    const safeId = sanitizePathSegment(userId);
+    if (safeId)
+      return `ghu-${safeId}`;
+  }
+  const login = cleanString3(identity.login);
+  if (login) {
+    const safeLogin = sanitizePathSegment(login);
+    if (safeLogin)
+      return `ghu-login-${safeLogin}`;
+  }
+  throw new Error("GitHub user namespace requires a user id or login");
+}
+function resolveRemoteUserNamespacesRoot(projectRoot) {
+  const explicitRoot = cleanString3(process.env.RIG_REMOTE_USER_NAMESPACE_ROOT);
+  if (explicitRoot)
+    return resolve16(explicitRoot);
+  const stateDir2 = cleanString3(process.env.RIG_STATE_DIR);
+  if (stateDir2)
+    return resolve16(dirname11(resolve16(stateDir2)), "users");
+  return resolve16(projectRoot, ".rig", "users");
+}
+function resolveRemoteUserNamespace(projectRoot, identity) {
+  const key = deriveGitHubUserNamespaceKey(identity);
+  const root = resolve16(resolveRemoteUserNamespacesRoot(projectRoot), key);
+  const stateDir2 = resolve16(root, ".rig", "state");
+  return {
+    key,
+    userId: cleanString3(identity.userId),
+    login: cleanString3(identity.login),
+    root,
+    stateDir: stateDir2,
+    authStateFile: resolve16(stateDir2, "github-auth.json"),
+    metadataFile: resolve16(stateDir2, "user-namespace.json"),
+    checkoutBaseDir: resolve16(root, "remote-checkouts"),
+    snapshotBaseDir: resolve16(root, "remote-snapshots")
+  };
+}
+function serializeRemoteUserNamespace(namespace) {
+  return {
+    key: namespace.key,
+    userId: namespace.userId,
+    login: namespace.login,
+    root: namespace.root,
+    checkoutBaseDir: namespace.checkoutBaseDir,
+    snapshotBaseDir: namespace.snapshotBaseDir
+  };
+}
+function isPathInsideNamespace(namespaceRoot, candidatePath) {
+  const root = resolve16(namespaceRoot);
+  const candidate = resolve16(candidatePath);
+  const rel = relative3(root, candidate);
+  return rel === "" || !rel.startsWith("..") && !isAbsolute2(rel);
+}
+function writeRemoteUserNamespaceMetadata(namespace) {
+  mkdirSync9(namespace.stateDir, { recursive: true });
+  const previous = (() => {
+    if (!existsSync9(namespace.metadataFile))
+      return null;
+    try {
+      const parsed = JSON.parse(readFileSync6(namespace.metadataFile, "utf8"));
+      return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+    } catch {
+      return null;
+    }
+  })();
+  const now = new Date().toISOString();
+  writeFileSync8(namespace.metadataFile, `${JSON.stringify({
+    key: namespace.key,
+    userId: namespace.userId,
+    login: namespace.login,
+    root: namespace.root,
+    checkoutBaseDir: namespace.checkoutBaseDir,
+    snapshotBaseDir: namespace.snapshotBaseDir,
+    createdAt: typeof previous?.createdAt === "string" ? previous.createdAt : now,
+    updatedAt: now
+  }, null, 2)}
+`, { encoding: "utf8", mode: 384 });
+  try {
+    chmodSync2(namespace.metadataFile, 384);
+  } catch {}
+}
+
+// packages/server/src/server-helpers/github-api-session-index.ts
+function cleanString4(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function resolveGitHubApiSessionIndexFile(projectRoot) {
+  return resolve17(resolveRemoteUserNamespacesRoot(projectRoot), ".api-sessions.json");
+}
+function parseEntry(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value))
+    return null;
+  const record = value;
+  const token = cleanString4(record.token);
+  const namespaceKey = cleanString4(record.namespaceKey);
+  const namespaceRoot = cleanString4(record.namespaceRoot);
+  const authStateFile = cleanString4(record.authStateFile);
+  const checkoutBaseDir = cleanString4(record.checkoutBaseDir);
+  const snapshotBaseDir = cleanString4(record.snapshotBaseDir);
+  const createdAt = cleanString4(record.createdAt);
+  if (!token || !namespaceKey || !namespaceRoot || !authStateFile || !checkoutBaseDir || !snapshotBaseDir || !createdAt)
+    return null;
+  return {
+    token,
+    namespaceKey,
+    namespaceRoot,
+    authStateFile,
+    checkoutBaseDir,
+    snapshotBaseDir,
+    createdAt,
+    login: cleanString4(record.login),
+    userId: cleanString4(record.userId),
+    selectedRepo: cleanString4(record.selectedRepo)
+  };
+}
+function readIndex(indexFile) {
+  if (!existsSync10(indexFile))
+    return [];
+  try {
+    const parsed = JSON.parse(readFileSync7(indexFile, "utf8"));
+    return Array.isArray(parsed.sessions) ? parsed.sessions.flatMap((entry) => {
+      const parsedEntry = parseEntry(entry);
+      return parsedEntry ? [parsedEntry] : [];
+    }) : [];
+  } catch {
+    return [];
+  }
+}
+function writeIndex(indexFile, sessions) {
+  mkdirSync10(dirname12(indexFile), { recursive: true });
+  writeFileSync9(indexFile, `${JSON.stringify({ sessions }, null, 2)}
+`, { encoding: "utf8", mode: 384 });
+  try {
+    chmodSync3(indexFile, 384);
+  } catch {}
+}
+function registerGitHubApiSession(input) {
+  const cleanToken = cleanString4(input.token);
+  if (!cleanToken)
+    throw new Error("GitHub API session token is required");
+  const indexFile = resolveGitHubApiSessionIndexFile(input.projectRoot);
+  const createdAt = new Date().toISOString();
+  const entry = {
+    token: cleanToken,
+    login: input.namespace.login,
+    userId: input.namespace.userId,
+    namespaceKey: input.namespace.key,
+    namespaceRoot: input.namespace.root,
+    authStateFile: input.namespace.authStateFile,
+    checkoutBaseDir: input.namespace.checkoutBaseDir,
+    snapshotBaseDir: input.namespace.snapshotBaseDir,
+    selectedRepo: cleanString4(input.selectedRepo),
+    createdAt
+  };
+  const previous = readIndex(indexFile).filter((session) => session.token !== cleanToken);
+  writeIndex(indexFile, [...previous.slice(-199), entry]);
+  return entry;
+}
+function readGitHubApiSession(input) {
+  const cleanToken = cleanString4(input.token);
+  if (!cleanToken)
+    return null;
+  return readIndex(resolveGitHubApiSessionIndexFile(input.projectRoot)).find((entry) => entry.token === cleanToken) ?? null;
+}
+
 // packages/server/src/server-helpers/inspector-agent-lifecycle.ts
 function createInspectorAgentLifecycleController(options) {
   const initialDelayMs = Math.max(1, options.initialDelayMs ?? 5000);
@@ -5209,21 +5432,21 @@ function inspectorAgentLifecycleSnapshot(input) {
 // packages/server/src/server-helpers/project-registry.ts
 import { createHash as createHash2 } from "crypto";
 import { spawnSync as spawnSync2 } from "child_process";
-import { existsSync as existsSync9, mkdirSync as mkdirSync9, readFileSync as readFileSync6, readdirSync as readdirSync3, writeFileSync as writeFileSync8 } from "fs";
-import { dirname as dirname10, resolve as resolve16 } from "path";
+import { existsSync as existsSync11, mkdirSync as mkdirSync11, readFileSync as readFileSync8, readdirSync as readdirSync3, writeFileSync as writeFileSync10 } from "fs";
+import { dirname as dirname13, resolve as resolve18 } from "path";
 function normalizeRepoSlug(value) {
   const trimmed = value.trim();
   return /^[^/\s]+\/[^/\s]+$/.test(trimmed) ? trimmed : null;
 }
 function registryPath(projectRoot) {
-  return resolve16(projectRoot, ".rig", "state", "projects.json");
+  return resolve18(projectRoot, ".rig", "state", "projects.json");
 }
 function readRegistry(projectRoot) {
   const path = registryPath(projectRoot);
-  if (!existsSync9(path))
+  if (!existsSync11(path))
     return {};
   try {
-    const payload = JSON.parse(readFileSync6(path, "utf8"));
+    const payload = JSON.parse(readFileSync8(path, "utf8"));
     if (!payload || typeof payload !== "object" || Array.isArray(payload))
       return {};
     const projects = payload.projects;
@@ -5234,14 +5457,14 @@ function readRegistry(projectRoot) {
 }
 function writeRegistry(projectRoot, projects) {
   const path = registryPath(projectRoot);
-  mkdirSync9(dirname10(path), { recursive: true });
-  writeFileSync8(path, `${JSON.stringify({ projects }, null, 2)}
+  mkdirSync11(dirname13(path), { recursive: true });
+  writeFileSync10(path, `${JSON.stringify({ projects }, null, 2)}
 `, "utf8");
 }
 function resolveConfigPath(projectRoot) {
   for (const name of ["rig.config.ts", "rig.config.mts", "rig.config.json"]) {
-    const path = resolve16(projectRoot, name);
-    if (existsSync9(path))
+    const path = resolve18(projectRoot, name);
+    if (existsSync11(path))
       return path;
   }
   return null;
@@ -5250,7 +5473,7 @@ function hashFile(path) {
   if (!path)
     return null;
   try {
-    return createHash2("sha256").update(readFileSync6(path)).digest("hex");
+    return createHash2("sha256").update(readFileSync8(path)).digest("hex");
   } catch {
     return null;
   }
@@ -5266,11 +5489,11 @@ function readDefaultBranch(projectRoot) {
   return head.status === 0 && head.stdout.trim() && head.stdout.trim() !== "HEAD" ? head.stdout.trim() : null;
 }
 function buildRunSummary(projectRoot) {
-  const runsDir = resolve16(projectRoot, ".rig", "runs");
+  const runsDir = resolve18(projectRoot, ".rig", "runs");
   try {
     const runs = readdirSync3(runsDir, { withFileTypes: true }).filter((entry) => entry.isDirectory()).flatMap((entry) => {
       try {
-        const run = JSON.parse(readFileSync6(resolve16(runsDir, entry.name, "run.json"), "utf8"));
+        const run = JSON.parse(readFileSync8(resolve18(runsDir, entry.name, "run.json"), "utf8"));
         return [{ runId: typeof run.runId === "string" ? run.runId : entry.name, status: typeof run.status === "string" ? run.status : "unknown", updatedAt: typeof run.updatedAt === "string" ? run.updatedAt : "" }];
       } catch {
         return [];
@@ -5322,10 +5545,14 @@ function upsertProjectRecord(projectRoot, input) {
 function linkProjectCheckout(projectRoot, repoSlug, checkout) {
   return upsertProjectRecord(projectRoot, { repoSlug, checkout });
 }
+function projectRegistryContainsCheckout(projectRoot, checkoutPath) {
+  const target = resolve18(checkoutPath);
+  return Object.values(readRegistry(projectRoot)).some((project) => project.checkouts.some((checkout) => checkout.path ? resolve18(checkout.path) === target : false));
+}
 
 // packages/server/src/server-helpers/remote-checkout.ts
-import { existsSync as existsSync10, mkdirSync as mkdirSync10, writeFileSync as writeFileSync9 } from "fs";
-import { dirname as dirname11, isAbsolute as isAbsolute2, relative as relative3, resolve as resolve17 } from "path";
+import { existsSync as existsSync12, mkdirSync as mkdirSync12, writeFileSync as writeFileSync11 } from "fs";
+import { dirname as dirname14, isAbsolute as isAbsolute3, relative as relative4, resolve as resolve19 } from "path";
 function safeSlugSegments(repoSlug) {
   const segments = repoSlug.split("/").map((part) => part.trim()).filter(Boolean);
   if (segments.length !== 2 || segments.some((segment) => segment === "." || segment === ".." || segment.includes("\\"))) {
@@ -5342,7 +5569,7 @@ function safeCheckoutKey(value) {
 }
 function repoSlugPath(baseDir, repoSlug, checkoutKey) {
   const key = safeCheckoutKey(checkoutKey);
-  return resolve17(baseDir, ...key ? [key] : [], ...safeSlugSegments(repoSlug));
+  return resolve19(baseDir, ...key ? [key] : [], ...safeSlugSegments(repoSlug));
 }
 function sanitizeSnapshotId(value, fallback) {
   const raw = (value ?? fallback).trim();
@@ -5350,7 +5577,7 @@ function sanitizeSnapshotId(value, fallback) {
   return safe || fallback;
 }
 function assertWithinRoot(root, relativePath) {
-  if (!relativePath || isAbsolute2(relativePath) || relativePath.includes("\x00")) {
+  if (!relativePath || isAbsolute3(relativePath) || relativePath.includes("\x00")) {
     throw new Error(`Invalid snapshot file path: ${relativePath}`);
   }
   const normalizedRelative = relativePath.replace(/\\/g, "/");
@@ -5358,9 +5585,9 @@ function assertWithinRoot(root, relativePath) {
   if (segments.some((segment) => segment === "" || segment === "." || segment === "..")) {
     throw new Error(`Unsafe snapshot file path: ${relativePath}`);
   }
-  const target = resolve17(root, ...segments);
-  const rel = relative3(root, target);
-  if (rel === ".." || rel.split(/[\\/]/)[0] === ".." || isAbsolute2(rel)) {
+  const target = resolve19(root, ...segments);
+  const rel = relative4(root, target);
+  if (rel === ".." || rel.split(/[\\/]/)[0] === ".." || isAbsolute3(rel)) {
     throw new Error(`Snapshot file path escapes checkout root: ${relativePath}`);
   }
   return target;
@@ -5378,17 +5605,17 @@ function parseSnapshotArchiveContentBase64(contentBase64) {
 function extractUploadedSnapshotArchive(input) {
   const archive = decodeSnapshotArchive(input.archive);
   const snapshotId = sanitizeSnapshotId(input.snapshotId, `snapshot-${(input.now?.() ?? new Date).toISOString().replace(/[:.]/g, "-")}`);
-  const checkoutPath = resolve17(repoSlugPath(input.baseDir, input.repoSlug, input.checkoutKey), snapshotId);
-  mkdirSync10(checkoutPath, { recursive: true });
+  const checkoutPath = resolve19(repoSlugPath(input.baseDir, input.repoSlug, input.checkoutKey), snapshotId);
+  mkdirSync12(checkoutPath, { recursive: true });
   for (const file of archive.files) {
     if (!file || typeof file.path !== "string" || typeof file.contentBase64 !== "string") {
       throw new Error("Invalid snapshot archive file entry");
     }
     const target = assertWithinRoot(checkoutPath, file.path);
-    mkdirSync10(dirname11(target), { recursive: true });
-    writeFileSync9(target, Buffer.from(file.contentBase64, "base64"));
+    mkdirSync12(dirname14(target), { recursive: true });
+    writeFileSync11(target, Buffer.from(file.contentBase64, "base64"));
   }
-  writeFileSync9(resolve17(checkoutPath, ".rig-uploaded-snapshot.json"), `${JSON.stringify({
+  writeFileSync11(resolve19(checkoutPath, ".rig-uploaded-snapshot.json"), `${JSON.stringify({
     repoSlug: input.repoSlug,
     snapshotId,
     fileCount: archive.files.length,
@@ -5423,7 +5650,7 @@ function gitCredentialConfig(token) {
   };
 }
 async function prepareRemoteCheckout(input) {
-  const exists = input.exists ?? existsSync10;
+  const exists = input.exists ?? existsSync12;
   const strategy = input.strategy;
   if (strategy.kind === "uploaded-snapshot") {
     return extractUploadedSnapshotArchive({
@@ -5435,7 +5662,7 @@ async function prepareRemoteCheckout(input) {
     });
   }
   if (strategy.kind === "existing-path") {
-    const checkoutPath2 = resolve17(strategy.path);
+    const checkoutPath2 = resolve19(strategy.path);
     if (!exists(checkoutPath2)) {
       throw new Error(`Existing remote checkout path does not exist: ${checkoutPath2}`);
     }
@@ -5471,9 +5698,9 @@ function buildServerControlStatus() {
   };
 }
 function buildProjectConfigStatus(root) {
-  const hasConfigTs = existsSync11(resolve18(root, "rig.config.ts"));
-  const hasConfigJson = existsSync11(resolve18(root, "rig.config.json"));
-  const hasLegacyTaskConfig = existsSync11(resolve18(root, ".rig", "task-config.json"));
+  const hasConfigTs = existsSync13(resolve20(root, "rig.config.ts"));
+  const hasConfigJson = existsSync13(resolve20(root, "rig.config.json"));
+  const hasLegacyTaskConfig = existsSync13(resolve20(root, ".rig", "task-config.json"));
   let kind = "missing";
   if (hasConfigTs)
     kind = "rig-config-ts";
@@ -5509,24 +5736,24 @@ function repoParts(repoSlug) {
   return { owner, repo, slug: `${owner}/${repo}` };
 }
 function repairDir(checkoutPath) {
-  const dir = resolve18(checkoutPath, ".rig", "state", "repairs", new Date().toISOString().replace(/[:.]/g, "-"));
-  mkdirSync11(dir, { recursive: true });
+  const dir = resolve20(checkoutPath, ".rig", "state", "repairs", new Date().toISOString().replace(/[:.]/g, "-"));
+  mkdirSync13(dir, { recursive: true });
   return dir;
 }
 function backupCheckoutFile(checkoutPath, relativePath) {
-  const source = resolve18(checkoutPath, relativePath);
-  const backupPath = resolve18(repairDir(checkoutPath), relativePath.replace(/[\\/]/g, "__"));
-  mkdirSync11(dirname12(backupPath), { recursive: true });
-  copyFileSync(source, backupPath);
+  const source = resolve20(checkoutPath, relativePath);
+  const backupPath = resolve20(repairDir(checkoutPath), relativePath.replace(/[\\/]/g, "__"));
+  mkdirSync13(dirname15(backupPath), { recursive: true });
+  copyFileSync2(source, backupPath);
   return backupPath;
 }
 function parsePackageJsonLosslessly(checkoutPath) {
-  const packagePath = resolve18(checkoutPath, "package.json");
-  if (!existsSync11(packagePath)) {
+  const packagePath = resolve20(checkoutPath, "package.json");
+  if (!existsSync13(packagePath)) {
     return { existed: false, packageJson: { name: basename(checkoutPath) || "rig-project", private: true } };
   }
   try {
-    const parsed = JSON.parse(readFileSync7(packagePath, "utf8"));
+    const parsed = JSON.parse(readFileSync9(packagePath, "utf8"));
     return {
       existed: true,
       packageJson: parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : { name: basename(checkoutPath) || "rig-project", private: true }
@@ -5540,9 +5767,9 @@ function parsePackageJsonLosslessly(checkoutPath) {
   }
 }
 function ensureRemoteCheckoutRigPackageDeps(checkoutPath) {
-  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync11(resolve18(checkoutPath, name)));
-  const packagePath = resolve18(checkoutPath, "package.json");
-  if (!hasConfig && !existsSync11(packagePath)) {
+  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync13(resolve20(checkoutPath, name)));
+  const packagePath = resolve20(checkoutPath, "package.json");
+  if (!hasConfig && !existsSync13(packagePath)) {
     return { skipped: true, reason: "package.json and rig.config missing" };
   }
   const parsed = parsePackageJsonLosslessly(checkoutPath);
@@ -5561,7 +5788,7 @@ function ensureRemoteCheckoutRigPackageDeps(checkoutPath) {
   }
   const changed = !parsed.existed || Boolean(parsed.backupPath) || added.length > 0 || updated.length > 0 || existingDevDependencies !== devDependencies && (!existingDevDependencies || typeof existingDevDependencies !== "object" || Array.isArray(existingDevDependencies));
   if (changed) {
-    writeFileSync10(packagePath, `${JSON.stringify({ ...parsed.packageJson, devDependencies }, null, 2)}
+    writeFileSync12(packagePath, `${JSON.stringify({ ...parsed.packageJson, devDependencies }, null, 2)}
 `, "utf8");
   }
   return {
@@ -5587,11 +5814,11 @@ function configLooksStructurallyUsable(source) {
   return /taskSource\s*:/.test(source) && /workspace\s*:/.test(source) && /project\s*:/.test(source);
 }
 function ensureRemoteCheckoutRigConfig(checkoutPath, repoSlug, reason = "missing or incomplete rig config") {
-  const configPath = resolve18(checkoutPath, "rig.config.ts");
-  const existingConfigName = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync11(resolve18(checkoutPath, name)));
+  const configPath = resolve20(checkoutPath, "rig.config.ts");
+  const existingConfigName = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync13(resolve20(checkoutPath, name)));
   if (existingConfigName) {
-    const existingPath = resolve18(checkoutPath, existingConfigName);
-    const source = readFileSync7(existingPath, "utf8");
+    const existingPath = resolve20(checkoutPath, existingConfigName);
+    const source = readFileSync9(existingPath, "utf8");
     if (existingConfigName !== "rig.config.json" && configLooksStructurallyUsable(source)) {
       return { path: existingPath, changed: false, reason: "config structurally complete" };
     }
@@ -5605,7 +5832,7 @@ function ensureRemoteCheckoutRigConfig(checkoutPath, repoSlug, reason = "missing
     }
   }
   const backupPath = existingConfigName ? backupCheckoutFile(checkoutPath, existingConfigName) : undefined;
-  writeFileSync10(configPath, generatedRigConfigSource(repoSlug), "utf8");
+  writeFileSync12(configPath, generatedRigConfigSource(repoSlug), "utf8");
   return {
     path: configPath,
     changed: true,
@@ -5614,7 +5841,7 @@ function ensureRemoteCheckoutRigConfig(checkoutPath, repoSlug, reason = "missing
   };
 }
 function validateRemoteCheckoutRigConfig(checkoutPath) {
-  const configFile = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync11(resolve18(checkoutPath, name)));
+  const configFile = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync13(resolve20(checkoutPath, name)));
   if (!configFile)
     return { ok: false, error: "missing rig config" };
   if (process.env.RIG_TEST_SKIP_REMOTE_CHECKOUT_INSTALL === "1") {
@@ -5636,7 +5863,7 @@ function validateRemoteCheckoutRigConfig(checkoutPath) {
   return { ok: true, configFile };
 }
 function installRemoteCheckoutPackages(checkoutPath) {
-  if (!existsSync11(resolve18(checkoutPath, "package.json"))) {
+  if (!existsSync13(resolve20(checkoutPath, "package.json"))) {
     return { skipped: true, reason: "package.json missing" };
   }
   if (process.env.RIG_TEST_SKIP_REMOTE_CHECKOUT_INSTALL === "1") {
@@ -5649,8 +5876,8 @@ function installRemoteCheckoutPackages(checkoutPath) {
   return { ok: true, command: "bun install", stdout: result.stdout?.trim() || undefined };
 }
 function repairRemoteCheckoutForRig(checkoutPath, repoSlug) {
-  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync11(resolve18(checkoutPath, name)));
-  const hasPackage = existsSync11(resolve18(checkoutPath, "package.json"));
+  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync13(resolve20(checkoutPath, name)));
+  const hasPackage = existsSync13(resolve20(checkoutPath, "package.json"));
   if (!hasConfig && !hasPackage) {
     return {
       packageJson: { skipped: true, reason: "package.json and rig.config missing" },
@@ -5748,26 +5975,26 @@ function buildRemoteRunLogEntry(body, identifiers) {
 }
 function readGitHeadCommit(projectRoot) {
   try {
-    let gitDir = resolve18(projectRoot, ".git");
+    let gitDir = resolve20(projectRoot, ".git");
     try {
-      const dotGit = readFileSync7(gitDir, "utf8").trim();
+      const dotGit = readFileSync9(gitDir, "utf8").trim();
       const gitDirPrefix = "gitdir:";
       if (dotGit.startsWith(gitDirPrefix)) {
-        gitDir = resolve18(projectRoot, dotGit.slice(gitDirPrefix.length).trim());
+        gitDir = resolve20(projectRoot, dotGit.slice(gitDirPrefix.length).trim());
       }
     } catch {}
-    const head = readFileSync7(resolve18(gitDir, "HEAD"), "utf8").trim();
+    const head = readFileSync9(resolve20(gitDir, "HEAD"), "utf8").trim();
     const refPrefix = "ref:";
     if (!head.startsWith(refPrefix)) {
       return normalizeCommit(head);
     }
     const ref = head.slice(refPrefix.length).trim();
-    const refPath = resolve18(gitDir, ref);
-    if (existsSync11(refPath)) {
-      return normalizeCommit(readFileSync7(refPath, "utf8").trim());
+    const refPath = resolve20(gitDir, ref);
+    if (existsSync13(refPath)) {
+      return normalizeCommit(readFileSync9(refPath, "utf8").trim());
     }
-    const commonDir = normalizeString(readFileSync7(resolve18(gitDir, "commondir"), "utf8"));
-    return commonDir ? normalizeCommit(readFileSync7(resolve18(gitDir, commonDir, ref), "utf8").trim()) : null;
+    const commonDir = normalizeString(readFileSync9(resolve20(gitDir, "commondir"), "utf8"));
+    return commonDir ? normalizeCommit(readFileSync9(resolve20(gitDir, commonDir, ref), "utf8").trim()) : null;
   } catch {
     return null;
   }
@@ -5805,9 +6032,9 @@ function configuredRepoFromTaskSource(taskSource) {
   const repo = normalizeString(taskSource?.repo);
   return owner && repo ? `${owner}/${repo}` : null;
 }
-async function buildTaskSourceStatus(state, config) {
+async function buildTaskSourceStatus(state, config, requestAuth) {
   const diagnostics = state.snapshotService.getTaskSourceErrors();
-  const selectedRepo = createGitHubAuthStore(state.projectRoot).status({
+  const selectedRepo = requestScopedAuthStore(state.projectRoot, requestAuth).status({
     oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim())
   }).selectedRepo;
   try {
@@ -5905,31 +6132,83 @@ function normalizePrMode(value) {
   const mode = normalizeString(value);
   return mode === "auto" || mode === "ask" || mode === "off" ? mode : undefined;
 }
+function requestAuthResult(input) {
+  return {
+    authorized: input.authorized,
+    actor: input.actor ?? null,
+    reason: input.reason,
+    login: input.login ?? null,
+    userId: input.userId ?? null,
+    userNamespace: input.userNamespace ?? null,
+    authStateFile: input.authStateFile ?? null
+  };
+}
+function namespaceFromSessionIndex(entry) {
+  const stateDir2 = dirname15(entry.authStateFile);
+  return {
+    key: entry.namespaceKey,
+    userId: entry.userId,
+    login: entry.login,
+    root: entry.namespaceRoot,
+    stateDir: stateDir2,
+    authStateFile: entry.authStateFile,
+    metadataFile: resolve20(stateDir2, "user-namespace.json"),
+    checkoutBaseDir: entry.checkoutBaseDir,
+    snapshotBaseDir: entry.snapshotBaseDir
+  };
+}
 function authorizeRigHttpRequest(input) {
   if (input.legacyAuthorized) {
-    return { authorized: true, actor: "rig-local-server", reason: "server-token" };
+    return requestAuthResult({ authorized: true, actor: "rig-local-server", reason: "server-token" });
   }
   const bearer = bearerTokenFromRequest(input.req);
   const store = createGitHubAuthStore(input.projectRoot);
   const storedToken = store.readToken();
   const session = bearer ? store.readApiSession(bearer) : null;
   if (session) {
-    return { authorized: true, actor: session.login ?? "github-operator", reason: "github-session" };
+    return requestAuthResult({
+      authorized: true,
+      actor: session.login ?? "github-operator",
+      reason: "github-session",
+      login: session.login,
+      userId: session.userId,
+      authStateFile: store.stateFile
+    });
   }
   if (bearer && storedToken && bearer === storedToken) {
     const status = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
-    return { authorized: true, actor: status.login ?? "github-operator", reason: "github-token" };
+    return requestAuthResult({
+      authorized: true,
+      actor: status.login ?? "github-operator",
+      reason: "github-token",
+      login: status.login,
+      userId: status.userId,
+      authStateFile: store.stateFile
+    });
+  }
+  const indexedSession = readGitHubApiSession({ projectRoot: input.projectRoot, token: bearer });
+  if (indexedSession) {
+    const userNamespace = namespaceFromSessionIndex(indexedSession);
+    return requestAuthResult({
+      authorized: true,
+      actor: indexedSession.login ?? "github-operator",
+      reason: "github-user-session",
+      login: indexedSession.login,
+      userId: indexedSession.userId,
+      userNamespace,
+      authStateFile: indexedSession.authStateFile
+    });
   }
   if (isPublicRigAuthBootstrapRoute(input.pathname)) {
-    return { authorized: true, actor: null, reason: "public-bootstrap" };
+    return requestAuthResult({ authorized: true, actor: null, reason: "public-bootstrap" });
   }
   if (!input.serverAuthToken && !storedToken) {
     if (isLoopbackRequest(input.req)) {
-      return { authorized: true, actor: null, reason: "loopback-dev-no-auth" };
+      return requestAuthResult({ authorized: true, actor: null, reason: "loopback-dev-no-auth" });
     }
-    return { authorized: false, actor: null, reason: "auth-required" };
+    return requestAuthResult({ authorized: false, actor: null, reason: "auth-required" });
   }
-  return { authorized: false, actor: null, reason: storedToken ? "github-token-required" : "auth-required" };
+  return requestAuthResult({ authorized: false, actor: null, reason: storedToken ? "github-token-required" : "auth-required" });
 }
 async function fetchGitHubUserInfo(token) {
   const response = await fetch("https://api.github.com/user", {
@@ -5949,6 +6228,67 @@ async function fetchGitHubUserInfo(token) {
     scopes: cleanHeaderScopes(response.headers.get("x-oauth-scopes"))
   };
 }
+function shouldWriteRootAuthCompat(projectRoot) {
+  if (process.env.RIG_REMOTE_USER_NAMESPACE_ROOT?.trim())
+    return false;
+  const stateDir2 = normalizeString(process.env.RIG_STATE_DIR);
+  if (!stateDir2)
+    return true;
+  return resolve20(stateDir2) === resolve20(projectRoot, ".rig", "state");
+}
+function requestScopedRegistryRoot(stateProjectRoot, requestAuth) {
+  return requestAuth.userNamespace?.root ?? stateProjectRoot;
+}
+function requestScopedAuthStore(stateProjectRoot, requestAuth) {
+  return requestAuth.authStateFile ? createGitHubAuthStoreFromStateFile(requestAuth.authStateFile) : createGitHubAuthStore(stateProjectRoot);
+}
+function userNamespaceResponse(namespace) {
+  return namespace ? serializeRemoteUserNamespace(namespace) : undefined;
+}
+function resolveNamespacedBaseDir(input) {
+  if (input.explicitBaseDir)
+    return input.explicitBaseDir;
+  const envBase = normalizeString(process.env[input.envName]);
+  if (input.userNamespace) {
+    return envBase ? resolve20(envBase, input.userNamespace.key) : input.userNamespace[input.legacySubdir === "remote-checkouts" ? "checkoutBaseDir" : "snapshotBaseDir"];
+  }
+  return envBase ?? (normalizeString(process.env.RIG_STATE_DIR) ? resolve20(normalizeString(process.env.RIG_STATE_DIR), input.legacySubdir) : resolve20(input.legacyProjectRoot, ".rig", input.legacySubdir));
+}
+function explicitCheckoutKey(body, checkoutInput, requestAuth) {
+  return normalizeString(body.checkoutKey) ?? normalizeString(checkoutInput.checkoutKey) ?? normalizeString(checkoutInput.key) ?? (requestAuth.userNamespace ? undefined : "default");
+}
+function saveGitHubTokenForRemoteUser(input) {
+  const namespace = resolveRemoteUserNamespace(input.projectRoot, { userId: input.user.userId, login: input.user.login });
+  writeRemoteUserNamespaceMetadata(namespace);
+  const store = createGitHubAuthStoreFromStateFile(namespace.authStateFile);
+  store.saveToken({
+    token: input.token,
+    tokenSource: input.tokenSource,
+    login: input.user.login,
+    userId: input.user.userId,
+    scopes: input.user.scopes,
+    selectedRepo: input.selectedRepo
+  });
+  const apiSession = store.createApiSession();
+  registerGitHubApiSession({ projectRoot: input.projectRoot, token: apiSession.token, namespace, selectedRepo: input.selectedRepo });
+  const requestedRoot = normalizeString(input.requestedProjectRoot);
+  if (requestedRoot && isAbsolute4(requestedRoot) && existsSync13(resolve20(requestedRoot))) {
+    copyGitHubAuthStateToLocalProjectRoot(namespace.authStateFile, resolve20(requestedRoot));
+  }
+  if (shouldWriteRootAuthCompat(input.projectRoot)) {
+    const rootStore = createGitHubAuthStore(input.projectRoot);
+    rootStore.saveToken({
+      token: input.token,
+      tokenSource: input.tokenSource,
+      login: input.user.login,
+      userId: input.user.userId,
+      scopes: input.user.scopes,
+      selectedRepo: input.selectedRepo
+    });
+    rootStore.createApiSession();
+  }
+  return { store, namespace, apiSessionToken: apiSession.token };
+}
 async function postGitHubForm(endpoint, body) {
   const response = await fetch(endpoint, {
     method: "POST",
@@ -5966,11 +6306,11 @@ function resolveRequestedProjectRoot(currentRoot, rawRoot) {
   const requestedRoot = normalizeString(rawRoot);
   if (!requestedRoot)
     return currentRoot;
-  if (!isAbsolute3(requestedRoot)) {
+  if (!isAbsolute4(requestedRoot)) {
     throw new Error("projectRoot must be an absolute path on the Rig server host");
   }
-  const normalizedRoot = resolve18(requestedRoot);
-  if (!existsSync11(normalizedRoot)) {
+  const normalizedRoot = resolve20(requestedRoot);
+  if (!existsSync13(normalizedRoot)) {
     throw new Error("projectRoot does not exist on the Rig server host");
   }
   return normalizedRoot;
@@ -6631,7 +6971,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
         }
         if (url.pathname === "/api/server/status") {
           const config = buildProjectConfigStatus(state.projectRoot);
-          const taskSource = await buildTaskSourceStatus(state, config);
+          const taskSource = await buildTaskSourceStatus(state, config, requestAuth);
           return deps.jsonResponse({
             ok: true,
             projectRoot: state.projectRoot,
@@ -6655,8 +6995,9 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             path: normalizeString(rawCheckout?.path) ?? state.projectRoot,
             ref: normalizeString(rawCheckout?.ref) ?? undefined
           } : undefined;
-          const record = upsertProjectRecord(state.projectRoot, { repoSlug, checkout });
-          return deps.jsonResponse({ ok: true, project: record });
+          const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+          const record = upsertProjectRecord(registryRoot, { repoSlug, checkout });
+          return deps.jsonResponse({ ok: true, project: record, userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
         }
         const snapshotUploadMatch = url.pathname.match(/^\/api\/projects\/(.+?)\/upload-snapshot$/);
         if (snapshotUploadMatch && req.method === "POST") {
@@ -6669,8 +7010,15 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (!archiveContentBase64) {
             return deps.badRequest("archiveContentBase64 is required");
           }
-          const baseDir = normalizeString(body.baseDir) ?? normalizeString(process.env.RIG_REMOTE_SNAPSHOT_BASE_DIR) ?? (normalizeString(process.env.RIG_STATE_DIR) ? resolve18(normalizeString(process.env.RIG_STATE_DIR), "remote-snapshots") : resolve18(state.projectRoot, ".rig", "remote-snapshots"));
-          const checkoutKey = normalizeString(body.checkoutKey) ?? "default";
+          const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+          const baseDir = resolveNamespacedBaseDir({
+            explicitBaseDir: normalizeString(body.baseDir),
+            envName: "RIG_REMOTE_SNAPSHOT_BASE_DIR",
+            userNamespace: requestAuth.userNamespace,
+            legacyProjectRoot: state.projectRoot,
+            legacySubdir: "remote-snapshots"
+          });
+          const checkoutKey = explicitCheckoutKey(body, body, requestAuth);
           try {
             const archive = parseSnapshotArchiveContentBase64(archiveContentBase64);
             const checkout = extractUploadedSnapshotArchive({
@@ -6683,14 +7031,14 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             const checkoutRepair = repairRemoteCheckoutForRig(checkout.path, repoSlug);
             const packageInstall = installRemoteCheckoutPackages(checkout.path);
             const postInstallConfigValidation = validateRemoteCheckoutRigConfig(checkout.path);
-            const project = linkProjectCheckout(state.projectRoot, repoSlug, {
+            const project = linkProjectCheckout(registryRoot, repoSlug, {
               kind: "uploaded-snapshot",
               path: checkout.path,
               ref: checkout.snapshotId
             });
             deps.snapshotService.invalidate("uploaded-snapshot-checkout");
             deps.broadcastSnapshotInvalidation(state, "uploaded-snapshot-checkout");
-            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation });
+            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation, userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
           } catch (error) {
             return deps.jsonResponse({
               ok: false,
@@ -6710,10 +7058,17 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (kind !== "managed-clone" && kind !== "current-ref" && kind !== "existing-path") {
             return deps.jsonResponse({ ok: false, error: "checkout kind must be managed-clone, current-ref, or existing-path" }, 400);
           }
-          const baseDir = normalizeString(body.baseDir) ?? normalizeString(checkoutInput.baseDir) ?? normalizeString(process.env.RIG_REMOTE_CHECKOUT_BASE_DIR) ?? (normalizeString(process.env.RIG_STATE_DIR) ? resolve18(normalizeString(process.env.RIG_STATE_DIR), "remote-checkouts") : resolve18(state.projectRoot, ".rig", "remote-checkouts"));
-          const checkoutKey = normalizeString(body.checkoutKey) ?? normalizeString(checkoutInput.checkoutKey) ?? normalizeString(checkoutInput.key) ?? "default";
+          const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+          const baseDir = resolveNamespacedBaseDir({
+            explicitBaseDir: normalizeString(body.baseDir) ?? normalizeString(checkoutInput.baseDir),
+            envName: "RIG_REMOTE_CHECKOUT_BASE_DIR",
+            userNamespace: requestAuth.userNamespace,
+            legacyProjectRoot: state.projectRoot,
+            legacySubdir: "remote-checkouts"
+          });
+          const checkoutKey = explicitCheckoutKey(body, checkoutInput, requestAuth);
           const repoUrl = normalizeString(body.repoUrl) ?? normalizeString(checkoutInput.repoUrl) ?? `https://github.com/${repoSlug}.git`;
-          const credentialToken = createGitHubAuthStore(state.projectRoot).readToken();
+          const credentialToken = requestScopedAuthStore(state.projectRoot, requestAuth).readToken();
           try {
             const checkout = await prepareRemoteCheckout({
               command: runRemoteCheckoutCommand,
@@ -6722,14 +7077,14 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             const checkoutRepair = repairRemoteCheckoutForRig(checkout.path, repoSlug);
             const packageInstall = installRemoteCheckoutPackages(checkout.path);
             const postInstallConfigValidation = validateRemoteCheckoutRigConfig(checkout.path);
-            const project = linkProjectCheckout(state.projectRoot, repoSlug, {
+            const project = linkProjectCheckout(registryRoot, repoSlug, {
               kind: checkout.kind,
               path: checkout.path,
               ref: checkout.ref ?? checkout.snapshotId ?? undefined
             });
             deps.snapshotService.invalidate("remote-checkout-prepared");
             deps.broadcastSnapshotInvalidation(state, "remote-checkout-prepared");
-            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation });
+            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation, userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
           } catch (error) {
             return deps.jsonResponse({ ok: false, error: error instanceof Error ? error.message : String(error) }, 400);
           }
@@ -6746,16 +7101,18 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             if (kind !== "local" && kind !== "managed-clone" && kind !== "current-ref" && kind !== "uploaded-snapshot" && kind !== "existing-path") {
               return deps.jsonResponse({ ok: false, error: "checkout kind is required" }, 400);
             }
-            const project = linkProjectCheckout(state.projectRoot, repoSlug, {
+            const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+            const project = linkProjectCheckout(registryRoot, repoSlug, {
               kind,
               path: normalizeString(body.path) ?? state.projectRoot,
               ref: normalizeString(body.ref) ?? undefined
             });
-            return deps.jsonResponse({ ok: true, project });
+            return deps.jsonResponse({ ok: true, project, userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
           }
           if (req.method === "GET") {
-            const project = getProjectRecord(state.projectRoot, repoSlug);
-            return project ? deps.jsonResponse({ ok: true, project }) : deps.notFound();
+            const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+            const project = getProjectRecord(registryRoot, repoSlug);
+            return project ? deps.jsonResponse({ ok: true, project, userNamespace: userNamespaceResponse(requestAuth.userNamespace) }) : deps.notFound();
           }
         }
         if (url.pathname === "/api/server/project-root" && req.method === "POST") {
@@ -6764,13 +7121,26 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (!requestedRoot) {
             return deps.badRequest("projectRoot is required");
           }
-          if (!isAbsolute3(requestedRoot)) {
+          if (!isAbsolute4(requestedRoot)) {
             return deps.badRequest("projectRoot must be an absolute path on the Rig server host");
           }
-          const normalizedRoot = resolve18(requestedRoot);
-          const exists = existsSync11(normalizedRoot);
-          if (exists) {
-            createGitHubAuthStore(state.projectRoot).copyToProjectRoot(normalizedRoot);
+          const normalizedRoot = resolve20(requestedRoot);
+          const exists = existsSync13(normalizedRoot);
+          if (exists && requestAuth.userNamespace) {
+            const allowedByNamespace = isPathInsideNamespace(requestAuth.userNamespace.root, normalizedRoot);
+            const allowedByRegistry = projectRegistryContainsCheckout(requestAuth.userNamespace.root, normalizedRoot);
+            if (!allowedByNamespace && !allowedByRegistry) {
+              return deps.jsonResponse({
+                ok: false,
+                error: "Requested project root is outside the authenticated GitHub user namespace.",
+                projectRoot: state.projectRoot,
+                requestedProjectRoot: normalizedRoot,
+                userNamespace: userNamespaceResponse(requestAuth.userNamespace)
+              }, 403);
+            }
+            copyGitHubAuthStateToLocalProjectRoot(requestAuth.userNamespace.authStateFile, normalizedRoot);
+          } else if (exists) {
+            createGitHubAuthStore(state.projectRoot).copyToLocalProjectRoot(normalizedRoot);
           }
           const control = buildServerControlStatus();
           const switchCommand = process.env.RIG_PROJECT_ROOT_SWITCH_COMMAND?.trim();
@@ -6785,7 +7155,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
               message: "Requested project root does not exist on the Rig server host."
             }, 404);
           }
-          if (!existsSync11(resolve18(normalizedRoot, "rig.config.ts")) && !existsSync11(resolve18(normalizedRoot, "rig.config.json"))) {
+          if (!existsSync13(resolve20(normalizedRoot, "rig.config.ts")) && !existsSync13(resolve20(normalizedRoot, "rig.config.json"))) {
             return deps.jsonResponse({
               ok: false,
               projectRoot: state.projectRoot,
@@ -6820,6 +7190,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
               exists,
               control,
               requiresRestart: false,
+              userNamespace: userNamespaceResponse(requestAuth.userNamespace),
               message: "Project-root switch accepted. Rig server restart has been scheduled."
             }, 202);
           }
@@ -6834,11 +7205,11 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }, 409);
         }
         if (url.pathname === "/api/github/auth/status") {
-          const store = createGitHubAuthStore(state.projectRoot);
-          return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }) });
+          const store = requestScopedAuthStore(state.projectRoot, requestAuth);
+          return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }), userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
         }
         if (url.pathname === "/api/github/repo/permissions") {
-          const store = createGitHubAuthStore(state.projectRoot);
+          const store = requestScopedAuthStore(state.projectRoot, requestAuth);
           const auth = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
           if (!auth.signedIn) {
             return deps.jsonResponse({ ok: false, signedIn: false, canOpenPullRequest: false, reason: "not-authenticated" }, 401);
@@ -6866,24 +7237,20 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }
           try {
             const user = await fetchGitHubUserInfo(token);
-            const storeRoots = [
-              state.projectRoot,
-              ...requestedProjectRoot && isAbsolute3(requestedProjectRoot) && existsSync11(resolve18(requestedProjectRoot)) ? [resolve18(requestedProjectRoot)] : []
-            ].filter((root, index, roots) => roots.indexOf(root) === index);
-            const stores = storeRoots.map((root) => createGitHubAuthStore(root));
-            for (const store2 of stores) {
-              store2.saveToken({
-                token,
-                tokenSource: "manual-token",
-                login: user.login,
-                userId: user.userId,
-                scopes: user.scopes,
-                selectedRepo
-              });
-            }
-            const store = stores[stores.length - 1] ?? createGitHubAuthStore(state.projectRoot);
-            const apiSession = store.createApiSession();
-            return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }), apiSessionToken: apiSession.token });
+            const saved = saveGitHubTokenForRemoteUser({
+              projectRoot: state.projectRoot,
+              token,
+              tokenSource: "manual-token",
+              user,
+              selectedRepo,
+              requestedProjectRoot
+            });
+            return deps.jsonResponse({
+              ok: true,
+              ...saved.store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }),
+              apiSessionToken: saved.apiSessionToken,
+              userNamespace: userNamespaceResponse(saved.namespace)
+            });
           } catch (error) {
             const message = error instanceof Error ? error.message : String(error);
             return deps.jsonResponse({ ok: false, error: message }, 400);
@@ -6950,9 +7317,21 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }
           const token = result.payload.access_token;
           const user = await fetchGitHubUserInfo(token);
-          store.saveToken({ token, tokenSource: "oauth-device", login: user.login, userId: user.userId, scopes: user.scopes });
-          const apiSession = store.createApiSession();
-          return deps.jsonResponse({ ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }), apiSessionToken: apiSession.token });
+          const saved = saveGitHubTokenForRemoteUser({
+            projectRoot: state.projectRoot,
+            token,
+            tokenSource: "oauth-device",
+            user,
+            selectedRepo: null
+          });
+          store.clearPendingDevice(pollId);
+          return deps.jsonResponse({
+            ok: true,
+            status: "signed-in",
+            ...saved.store.status({ oauthConfigured: true }),
+            apiSessionToken: saved.apiSessionToken,
+            userNamespace: userNamespaceResponse(saved.namespace)
+          });
         }
         if (url.pathname === "/api/github/repo/probe" && req.method === "POST") {
           const body = await deps.readJsonBody(req);
@@ -6961,7 +7340,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (!owner || !repo) {
             return deps.badRequest("owner and repo are required");
           }
-          const store = createGitHubAuthStore(state.projectRoot);
+          const store = requestScopedAuthStore(state.projectRoot, requestAuth);
           const authStatus = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
           const probe = await probeGitHubRepository({ owner, repo, token: store.readToken(), scopes: authStatus.scopes });
           return deps.jsonResponse({ ok: probe.ok, probe }, probe.ok ? 200 : 400);
@@ -6982,7 +7361,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             return deps.badRequest(error instanceof Error ? error.message : String(error));
           }
           const authStatus = createGitHubAuthStore(state.projectRoot).status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
-          const configPath = resolve18(targetRoot, "rig.config.ts");
+          const configPath = resolve20(targetRoot, "rig.config.ts");
           const source = buildGitHubProjectConfigSource({
             projectName: rawProjectName,
             owner,
@@ -6994,8 +7373,8 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             ok: true,
             projectRoot: targetRoot,
             configPath,
-            exists: existsSync11(configPath),
-            requiresOverwrite: existsSync11(configPath),
+            exists: existsSync13(configPath),
+            requiresOverwrite: existsSync13(configPath),
             source,
             owner,
             repo,
@@ -7031,8 +7410,8 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             assignee,
             githubUserId: authStatus.userId ?? authStatus.login
           });
-          const configPath = resolve18(targetRoot, "rig.config.ts");
-          if (existsSync11(configPath) && !overwrite) {
+          const configPath = resolve20(targetRoot, "rig.config.ts");
+          if (existsSync13(configPath) && !overwrite) {
             return deps.jsonResponse({
               ok: false,
               error: "rig.config.ts already exists. Confirm overwrite to replace it; Rig will create a backup first.",
@@ -7048,11 +7427,11 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             return deps.jsonResponse({ ok: false, error: repoProbe.message, repoProbe }, 400);
           }
           let backupPath = null;
-          if (existsSync11(configPath)) {
+          if (existsSync13(configPath)) {
             backupPath = backupConfigPath(configPath);
-            copyFileSync(configPath, backupPath);
+            copyFileSync2(configPath, backupPath);
           }
-          writeFileSync10(configPath, source, "utf8");
+          writeFileSync12(configPath, source, "utf8");
           const selectedRepo = `${owner}/${repo}`;
           store.saveSelectedRepo(selectedRepo);
           const targetStore = createGitHubAuthStore(targetRoot);
@@ -7338,7 +7717,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
         }
         if (url.pathname === "/api/pi-rig/install" && req.method === "POST") {
           const configuredPackageSource = normalizeString(process.env.RIG_PI_RIG_PACKAGE_SOURCE);
-          const packageSource = configuredPackageSource ?? [process.env.RIG_HOST_PROJECT_ROOT, process.cwd(), state.projectRoot].map((root) => normalizeString(root)).filter((root) => Boolean(root)).map((root) => resolve18(root, "packages", "pi-rig")).find((candidate) => existsSync11(resolve18(candidate, "package.json"))) ?? "npm:@rig/pi-rig";
+          const packageSource = configuredPackageSource ?? [process.env.RIG_HOST_PROJECT_ROOT, process.cwd(), state.projectRoot].map((root) => normalizeString(root)).filter((root) => Boolean(root)).map((root) => resolve20(root, "packages", "pi-rig")).find((candidate) => existsSync13(resolve20(candidate, "package.json"))) ?? "npm:@rig/pi-rig";
           if (process.env.RIG_TEST_FAKE_PI_INSTALL === "1") {
             return deps.jsonResponse({ ok: true, installed: true, piOk: true, piRigOk: true, extensionPath: "remote:~/.pi/agent/extensions/pi-rig", packageSource });
           }
@@ -7654,9 +8033,9 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           } catch {
             return deps.badRequest("Invalid artifact path");
           }
-          mkdirSync11(dirname12(artifactPath), { recursive: true });
+          mkdirSync13(dirname15(artifactPath), { recursive: true });
           const bytes = Buffer.from(contentBase64, "base64");
-          writeFileSync10(artifactPath, bytes);
+          writeFileSync12(artifactPath, bytes);
           writeJsonFile4(`${artifactPath}.json`, {
             workspaceId: normalizeString(body.workspaceId) ?? RIG_WORKSPACE_ID,
             runId,
@@ -7818,12 +8197,12 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           try {
             const runsRoot = resolveAuthorityPaths(state.projectRoot).runsDir;
             const runRoot = deps.normalizeRelativePath(runsRoot, runId);
-            const artifactsRoot = resolve18(runRoot, "remote-artifacts");
+            const artifactsRoot = resolve20(runRoot, "remote-artifacts");
             artifactPath = deps.normalizeRelativePath(artifactsRoot, fileName);
           } catch {
             return deps.badRequest("Invalid artifact path");
           }
-          if (!existsSync11(artifactPath)) {
+          if (!existsSync13(artifactPath)) {
             return deps.notFound();
           }
           return new Response(Bun.file(artifactPath));
@@ -8716,8 +9095,8 @@ async function routeWebSocketRequest(state, deps, request) {
 }
 
 // packages/server/src/server-helpers/inspector-jobs.ts
-import { existsSync as existsSync15, mkdirSync as mkdirSync14, readFileSync as readFileSync10, writeFileSync as writeFileSync13 } from "fs";
-import { dirname as dirname15, resolve as resolve21 } from "path";
+import { existsSync as existsSync17, mkdirSync as mkdirSync16, readFileSync as readFileSync12, writeFileSync as writeFileSync15 } from "fs";
+import { dirname as dirname18, resolve as resolve23 } from "path";
 import { readJsonFile as readJsonFile3 } from "@rig/runtime/control-plane/authority-files";
 import { resolveMonorepoRoot as resolveMonorepoRoot5 } from "@rig/runtime/control-plane/native/utils";
 import { normalizeTaskLifecycleStatus as normalizeTaskLifecycleStatus2 } from "@rig/runtime/control-plane/state-sync/types";
@@ -8825,8 +9204,8 @@ import { randomUUID as randomUUID3 } from "crypto";
 
 // packages/server/src/inspector/mission.ts
 import { randomUUID as randomUUID2 } from "crypto";
-import { appendFileSync, existsSync as existsSync12, mkdirSync as mkdirSync12, readFileSync as readFileSync8, readdirSync as readdirSync4, renameSync, writeFileSync as writeFileSync11 } from "fs";
-import { dirname as dirname13, join, resolve as resolve19 } from "path";
+import { appendFileSync, existsSync as existsSync14, mkdirSync as mkdirSync14, readFileSync as readFileSync10, readdirSync as readdirSync4, renameSync, writeFileSync as writeFileSync13 } from "fs";
+import { dirname as dirname16, join, resolve as resolve21 } from "path";
 function isJsonValue(value) {
   if (value === null)
     return true;
@@ -8866,7 +9245,7 @@ function isRecord2(value) {
 }
 function readJsonRecord(path) {
   try {
-    const parsed = JSON.parse(readFileSync8(path, "utf8"));
+    const parsed = JSON.parse(readFileSync10(path, "utf8"));
     if (!isRecord2(parsed)) {
       return { ok: false, error: `Mission file ${path} does not contain an object` };
     }
@@ -8946,14 +9325,14 @@ function missionActionDetails(mission) {
   };
 }
 function writeJsonFile5(path, value) {
-  mkdirSync12(dirname13(path), { recursive: true });
+  mkdirSync14(dirname16(path), { recursive: true });
   const tempPath = `${path}.${process.pid}.${Date.now()}.tmp`;
-  writeFileSync11(tempPath, `${JSON.stringify(value, null, 2)}
+  writeFileSync13(tempPath, `${JSON.stringify(value, null, 2)}
 `, "utf8");
   renameSync(tempPath, path);
 }
 function resolveInspectorMissionPaths(projectRoot) {
-  const inspectorDir = resolve19(resolveRigServerPaths(projectRoot).stateDir, "inspector");
+  const inspectorDir = resolve21(resolveRigServerPaths(projectRoot).stateDir, "inspector");
   return {
     inspectorDir,
     missionsDir: join(inspectorDir, "missions"),
@@ -8962,8 +9341,8 @@ function resolveInspectorMissionPaths(projectRoot) {
 }
 function createInspectorMissionController(options) {
   const paths = resolveInspectorMissionPaths(options.projectRoot);
-  mkdirSync12(paths.missionsDir, { recursive: true });
-  mkdirSync12(paths.journalsDir, { recursive: true });
+  mkdirSync14(paths.missionsDir, { recursive: true });
+  mkdirSync14(paths.journalsDir, { recursive: true });
   const now = options.now ?? (() => new Date().toISOString());
   const nextId = options.idGenerator ?? (() => `mission:${randomUUID2()}`);
   function missionPath(missionId) {
@@ -8973,15 +9352,15 @@ function createInspectorMissionController(options) {
     return join(paths.journalsDir, `${missionId}.jsonl`);
   }
   function appendMissionJournal(entry) {
-    mkdirSync12(paths.journalsDir, { recursive: true });
+    mkdirSync14(paths.journalsDir, { recursive: true });
     appendFileSync(journalPath(entry.missionId), `${JSON.stringify(entry)}
 `, "utf8");
   }
   function listMissionJournal(missionId) {
     const path = journalPath(missionId);
-    if (!existsSync12(path))
+    if (!existsSync14(path))
       return [];
-    return readFileSync8(path, "utf8").split(`
+    return readFileSync10(path, "utf8").split(`
 `).filter((line) => line.trim().length > 0).map((line) => JSON.parse(line)).filter(isRecord2).map((entry) => ({
       id: typeof entry.id === "string" ? entry.id : `journal:${randomUUID2()}`,
       missionId,
@@ -8997,7 +9376,7 @@ function createInspectorMissionController(options) {
   }
   function readMissionOnly(missionId) {
     const path = missionPath(missionId);
-    if (!existsSync12(path)) {
+    if (!existsSync14(path)) {
       return { ok: false, error: `Mission ${missionId} was not found` };
     }
     const read = readJsonRecord(path);
@@ -9048,7 +9427,7 @@ function createInspectorMissionController(options) {
       const source = cloneJsonRecord(input.sourceTask);
       const missionId = nextId();
       const path = missionPath(missionId);
-      if (existsSync12(path)) {
+      if (existsSync14(path)) {
         const existing = readMissionOnly(missionId);
         if (!existing.ok)
           return existing;
@@ -10648,8 +11027,8 @@ function createCodexInspectorTransport(options) {
   const sendRequest = async (method, params) => {
     const id = nextRequestId;
     nextRequestId += 1;
-    const response = new Promise((resolve20, reject) => {
-      pendingResponses.set(id, { resolve: resolve20, reject });
+    const response = new Promise((resolve22, reject) => {
+      pendingResponses.set(id, { resolve: resolve22, reject });
     });
     response.catch(() => {});
     try {
@@ -10959,9 +11338,9 @@ function createCodexInspectorTransport(options) {
       }
       lastAssistantMessage = null;
       lastError = null;
-      const turnResult = new Promise((resolve20, reject) => {
+      const turnResult = new Promise((resolve22, reject) => {
         currentTurn = {
-          resolve: resolve20,
+          resolve: resolve22,
           reject,
           events: []
         };
@@ -11021,13 +11400,13 @@ function createCodexInspectorTransport(options) {
   };
 }
 function writeChildLine(child, line) {
-  return new Promise((resolve20, reject) => {
+  return new Promise((resolve22, reject) => {
     child.stdin.write(line, (error) => {
       if (error) {
         reject(error);
         return;
       }
-      resolve20();
+      resolve22();
     });
   });
 }
@@ -11040,10 +11419,10 @@ function terminateChild(child) {
   } catch {}
 }
 async function waitForChildSpawn(child) {
-  await new Promise((resolve20, reject) => {
+  await new Promise((resolve22, reject) => {
     const onSpawn = () => {
       cleanup();
-      resolve20();
+      resolve22();
     };
     const onError = (error) => {
       cleanup();
@@ -11555,8 +11934,8 @@ function createGlobalInspectorService(options) {
 
 // packages/server/src/inspector/upstream-sync.ts
 import { spawnSync as spawnSync4 } from "child_process";
-import { existsSync as existsSync13, mkdirSync as mkdirSync13, readFileSync as readFileSync9, writeFileSync as writeFileSync12 } from "fs";
-import { dirname as dirname14, resolve as resolve20 } from "path";
+import { existsSync as existsSync15, mkdirSync as mkdirSync15, readFileSync as readFileSync11, writeFileSync as writeFileSync14 } from "fs";
+import { dirname as dirname17, resolve as resolve22 } from "path";
 import { resolveMonorepoRoot as resolveMonorepoRoot4 } from "@rig/runtime/control-plane/native/utils";
 var UPSTREAM_VALIDATION_DESCRIPTIONS = {
   "integration:hg-auth-backport": "Preserves the upstream auth hardening cluster: nonce-backed node-client login, signature-aware JWT verification, shared-token onboarding semantics, and regression coverage.",
@@ -11694,34 +12073,34 @@ function defaultGitRunner(repoRoot, args) {
 }
 function upstreamStatePath(projectRoot, override) {
   if (override) {
-    return resolve20(override);
+    return resolve22(override);
   }
-  return resolve20(resolveRigServerPaths(projectRoot).stateDir, "inspector", "upstream-sync.json");
+  return resolve22(resolveRigServerPaths(projectRoot).stateDir, "inspector", "upstream-sync.json");
 }
 function readUpstreamState(projectRoot, statePath) {
   const path = upstreamStatePath(projectRoot, statePath);
-  if (!existsSync13(path)) {
+  if (!existsSync15(path)) {
     return null;
   }
   try {
-    return JSON.parse(readFileSync9(path, "utf-8"));
+    return JSON.parse(readFileSync11(path, "utf-8"));
   } catch {
     return null;
   }
 }
 function writeUpstreamState(projectRoot, state, statePath) {
   const path = upstreamStatePath(projectRoot, statePath);
-  mkdirSync13(dirname14(path), { recursive: true });
-  writeFileSync12(path, `${JSON.stringify(state, null, 2)}
+  mkdirSync15(dirname17(path), { recursive: true });
+  writeFileSync14(path, `${JSON.stringify(state, null, 2)}
 `, "utf8");
 }
 function readImportedRevision(projectRoot, upstreamsDocPath) {
   const monorepoRoot = resolveMonorepoRoot4(projectRoot);
-  const docPath = upstreamsDocPath ? resolve20(upstreamsDocPath) : resolve20(monorepoRoot, "docs", "UPSTREAMS.md");
-  if (!existsSync13(docPath)) {
+  const docPath = upstreamsDocPath ? resolve22(upstreamsDocPath) : resolve22(monorepoRoot, "docs", "UPSTREAMS.md");
+  if (!existsSync15(docPath)) {
     throw new Error(`UPSTREAMS.md not found at ${docPath}`);
   }
-  const docContent = readFileSync9(docPath, "utf-8");
+  const docContent = readFileSync11(docPath, "utf-8");
   const revision = parseImportedUpstreamRevision(docContent, "upstream") ?? parseImportedUpstreamRevision(docContent, "humoongate");
   if (!revision) {
     throw new Error(`Failed to parse upstream imported revision from ${docPath}`);
@@ -11743,7 +12122,7 @@ function resolveRemoteBranch(repoRoot, remote, gitRunner) {
   return null;
 }
 function isGitCheckout(path, gitRunner) {
-  if (!existsSync13(resolve20(path, ".git"))) {
+  if (!existsSync15(resolve22(path, ".git"))) {
     return false;
   }
   const result = gitRunner(path, ["rev-parse", "--is-inside-work-tree"]);
@@ -11752,12 +12131,12 @@ function isGitCheckout(path, gitRunner) {
 function resolveUpstreamCheckout(projectRoot, explicitCheckout, gitRunner) {
   const monorepoRoot = resolveMonorepoRoot4(projectRoot);
   const candidates = [
-    explicitCheckout ? resolve20(explicitCheckout) : "",
-    process.env.UPSTREAM_CHECKOUT?.trim() ? resolve20(process.env.UPSTREAM_CHECKOUT.trim()) : "",
-    process.env.HUMOONGATE_UPSTREAM_CHECKOUT?.trim() ? resolve20(process.env.HUMOONGATE_UPSTREAM_CHECKOUT.trim()) : "",
-    resolve20(projectRoot, "..", "humoongate"),
-    resolve20(monorepoRoot, "..", "humoongate"),
-    resolve20(monorepoRoot, "humoongate")
+    explicitCheckout ? resolve22(explicitCheckout) : "",
+    process.env.UPSTREAM_CHECKOUT?.trim() ? resolve22(process.env.UPSTREAM_CHECKOUT.trim()) : "",
+    process.env.HUMOONGATE_UPSTREAM_CHECKOUT?.trim() ? resolve22(process.env.HUMOONGATE_UPSTREAM_CHECKOUT.trim()) : "",
+    resolve22(projectRoot, "..", "humoongate"),
+    resolve22(monorepoRoot, "..", "humoongate"),
+    resolve22(monorepoRoot, "humoongate")
   ].filter(Boolean);
   for (const candidate of candidates) {
     if (isGitCheckout(candidate, gitRunner)) {
@@ -11993,10 +12372,10 @@ async function runUpstreamSyncScan(options) {
 }
 
 // packages/server/src/server-helpers/task-config.ts
-import { existsSync as existsSync14 } from "fs";
+import { existsSync as existsSync16 } from "fs";
 async function readTaskConfig(projectRoot) {
   const taskConfigPath = resolveRigServerPaths(projectRoot).taskConfigPath;
-  if (!existsSync14(taskConfigPath)) {
+  if (!existsSync16(taskConfigPath)) {
     return {};
   }
   try {
@@ -12032,11 +12411,11 @@ function resolveFollowupSourceCommit(input) {
 }
 async function createInspectorFollowupTask(projectRoot, input) {
   const monorepoRoot = resolveMonorepoRoot5(projectRoot);
-  const issuesPath = resolve21(monorepoRoot, ".beads", "issues.jsonl");
-  const taskStatePath = resolve21(monorepoRoot, ".beads", "task-state.json");
-  const taskConfigPath = resolve21(monorepoRoot, ".rig", "task-config.json");
-  mkdirSync14(dirname15(issuesPath), { recursive: true });
-  mkdirSync14(dirname15(taskConfigPath), { recursive: true });
+  const issuesPath = resolve23(monorepoRoot, ".beads", "issues.jsonl");
+  const taskStatePath = resolve23(monorepoRoot, ".beads", "task-state.json");
+  const taskConfigPath = resolve23(monorepoRoot, ".rig", "task-config.json");
+  mkdirSync16(dirname18(issuesPath), { recursive: true });
+  mkdirSync16(dirname18(taskConfigPath), { recursive: true });
   const summary = normalizeString(input.summary) ?? "Inspector follow-up";
   const description = normalizeString(input.description) ?? normalizeString(input.details?.description) ?? `Created by the global inspector: ${summary}`;
   const acceptanceCriteria = normalizeString(input.acceptanceCriteria) ?? "Investigate the detected drift and port the relevant changes into Rig.";
@@ -12055,7 +12434,7 @@ async function createInspectorFollowupTask(projectRoot, input) {
   const sourceKey = normalizeString(input.sourceKey) ?? normalizeString(input.details?.sourceKey);
   const createdAt = normalizeString(input.createdAt) ?? new Date().toISOString();
   const status = normalizeTaskLifecycleStatus2(normalizeString(input.status) ?? "open") ?? "open";
-  const existingIssueLines = existsSync15(issuesPath) ? readFileSync10(issuesPath, "utf8").split(/\r?\n/).map((line) => line.trim()).filter(Boolean) : [];
+  const existingIssueLines = existsSync17(issuesPath) ? readFileSync12(issuesPath, "utf8").split(/\r?\n/).map((line) => line.trim()).filter(Boolean) : [];
   const existingIssues = existingIssueLines.map((line) => {
     try {
       return JSON.parse(line);
@@ -12064,7 +12443,7 @@ async function createInspectorFollowupTask(projectRoot, input) {
     }
   }).filter((value) => value !== null);
   const existingIds = new Set(existingIssues.map((issue) => typeof issue.id === "string" ? issue.id : null).filter((value) => value !== null));
-  const rawTaskState = existsSync15(taskStatePath) ? readJsonFile3(taskStatePath, {}) : {};
+  const rawTaskState = existsSync17(taskStatePath) ? readJsonFile3(taskStatePath, {}) : {};
   const tasks = rawTaskState.tasks && typeof rawTaskState.tasks === "object" && !Array.isArray(rawTaskState.tasks) ? rawTaskState.tasks : {};
   const existingTaskIdFromSourceKey = sourceKey == null ? null : Object.entries(tasks).find(([, metadata]) => {
     if (!metadata || typeof metadata !== "object" || Array.isArray(metadata)) {
@@ -12090,7 +12469,7 @@ async function createInspectorFollowupTask(projectRoot, input) {
       updated_at: createdAt,
       labels: mergedLabels
     };
-    writeFileSync13(issuesPath, existingIssueLines.length > 0 ? `${existingIssueLines.join(`
+    writeFileSync15(issuesPath, existingIssueLines.length > 0 ? `${existingIssueLines.join(`
 `)}
 ${JSON.stringify(issueRecord)}
 ` : `${JSON.stringify(issueRecord)}
@@ -12108,7 +12487,7 @@ ${JSON.stringify(issueRecord)}
         labels: mergedLabels
       };
     });
-    writeFileSync13(issuesPath, `${updatedIssues.map((issue) => JSON.stringify(issue)).join(`
+    writeFileSync15(issuesPath, `${updatedIssues.map((issue) => JSON.stringify(issue)).join(`
 `)}
 `, "utf8");
   }
@@ -12131,14 +12510,14 @@ ${JSON.stringify(issueRecord)}
       }
     };
   }
-  writeFileSync13(taskConfigPath, `${JSON.stringify(taskConfig, null, 2)}
+  writeFileSync15(taskConfigPath, `${JSON.stringify(taskConfig, null, 2)}
 `, "utf8");
   tasks[taskId] = {
     status,
     sourceCommit: resolveFollowupSourceCommit(input),
     ...sourceKey ? { sourceKey } : {}
   };
-  writeFileSync13(taskStatePath, `${JSON.stringify({
+  writeFileSync15(taskStatePath, `${JSON.stringify({
     schemaVersion: 1,
     baseTrackerCommit: typeof rawTaskState.baseTrackerCommit === "string" ? rawTaskState.baseTrackerCommit : null,
     tasks
@@ -12446,12 +12825,12 @@ function isAuthorizedLinearWebhookRequest(req) {
 }
 
 // packages/server/src/server-helpers/notifications.ts
-import { existsSync as existsSync16, mkdirSync as mkdirSync15, readFileSync as readFileSync11 } from "fs";
-import { dirname as dirname16 } from "path";
+import { existsSync as existsSync18, mkdirSync as mkdirSync17, readFileSync as readFileSync13 } from "fs";
+import { dirname as dirname19 } from "path";
 async function loadNotificationConfig(path) {
-  if (!existsSync16(path)) {
+  if (!existsSync18(path)) {
     const defaultConfig = { targets: [] };
-    mkdirSync15(dirname16(path), { recursive: true });
+    mkdirSync17(dirname19(path), { recursive: true });
     await Bun.write(path, `${JSON.stringify(defaultConfig, null, 2)}
 `);
     return defaultConfig;
@@ -12466,10 +12845,10 @@ async function loadNotificationConfig(path) {
   }
 }
 function readRecentEvents(file, limit) {
-  if (!existsSync16(file)) {
+  if (!existsSync18(file)) {
     return [];
   }
-  const lines = readFileSync11(file, "utf-8").split(/\r?\n/).map((line) => line.trim()).filter(Boolean).slice(-limit);
+  const lines = readFileSync13(file, "utf-8").split(/\r?\n/).map((line) => line.trim()).filter(Boolean).slice(-limit);
   const events = [];
   for (const line of lines) {
     try {
@@ -12564,11 +12943,11 @@ function extractObjectLiteralBlock(source, property) {
 }
 function readFallbackIssueAnalysisConfig(projectRoot) {
   for (const fileName of ["rig.config.ts", "rig.config.json"]) {
-    const path = resolve22(projectRoot, fileName);
-    if (!existsSync17(path))
+    const path = resolve24(projectRoot, fileName);
+    if (!existsSync19(path))
       continue;
     try {
-      const source = readFileSync12(path, "utf8");
+      const source = readFileSync14(path, "utf8");
       if (fileName.endsWith(".json"))
         return JSON.parse(source);
       const issueBlock = extractObjectLiteralBlock(source, "issueAnalysis");
@@ -12701,8 +13080,8 @@ async function createIssueAnalysisRunnerForServerState(state, input) {
 async function withServerPathEnv(projectRoot, fn) {
   const waitForTurn = serverPathEnvQueue;
   let releaseTurn;
-  serverPathEnvQueue = new Promise((resolve23) => {
-    releaseTurn = resolve23;
+  serverPathEnvQueue = new Promise((resolve25) => {
+    releaseTurn = resolve25;
   });
   await waitForTurn;
   const paths = resolveServerAuthorityPaths(projectRoot);
@@ -12738,9 +13117,9 @@ async function withServerAuthorityEnvIfNeeded(projectRoot, fn) {
   return withServerPathEnv(projectRoot, fn);
 }
 async function readWorkspaceTasks(projectRoot) {
-  const issuesPath = resolve22(resolveMonorepoRoot6(projectRoot), ".beads", "issues.jsonl");
+  const issuesPath = resolve24(resolveMonorepoRoot6(projectRoot), ".beads", "issues.jsonl");
   const taskConfig = await readTaskConfig(projectRoot);
-  if (!existsSync17(issuesPath)) {
+  if (!existsSync19(issuesPath)) {
     return [];
   }
   const latestById = new Map;
@@ -12814,11 +13193,11 @@ function resolveTaskArtifactDirsFromRuns(projectRoot, taskId, knownRuns) {
       continue;
     add(run.artifactRoot);
     if (run.worktreePath) {
-      add(resolve22(run.worktreePath, "artifacts", taskId));
+      add(resolve24(run.worktreePath, "artifacts", taskId));
     }
   }
   for (const artifactsRoot of listAuthorityArtifactRoots(projectRoot)) {
-    add(resolve22(artifactsRoot, taskId));
+    add(resolve24(artifactsRoot, taskId));
   }
   return candidates;
 }
@@ -12832,7 +13211,7 @@ async function listArtifactSummaries(projectRoot, taskId, knownTaskIds, knownRun
     }
   }
   return taskIds.flatMap((currentTaskId) => {
-    const currentRoot = resolveTaskArtifactDirsFromRuns(projectRoot, currentTaskId, runs).find((path) => existsSync17(path));
+    const currentRoot = resolveTaskArtifactDirsFromRuns(projectRoot, currentTaskId, runs).find((path) => existsSync19(path));
     if (!currentRoot) {
       return [];
     }
@@ -12844,7 +13223,7 @@ async function listArtifactSummaries(projectRoot, taskId, knownTaskIds, knownRun
       taskId: currentTaskId,
       kind: "file",
       label: fileName,
-      path: resolve22(currentRoot, fileName),
+      path: resolve24(currentRoot, fileName),
       url: null,
       metadata: {
         fileName
@@ -12887,11 +13266,11 @@ function buildInspectorStreamPayload(state, sequence) {
 }
 function listRemoteRunArtifacts(projectRoot, runId) {
   const root = remoteArtifactsRoot(projectRoot, runId);
-  if (!existsSync17(root)) {
+  if (!existsSync19(root)) {
     return [];
   }
   return readdirSync5(root, { withFileTypes: true }).filter((entry) => entry.isFile()).filter((entry) => !entry.name.endsWith(".json")).map((entry) => {
-    const artifactPath = resolve22(root, entry.name);
+    const artifactPath = resolve24(root, entry.name);
     const stat = statSync6(artifactPath);
     const meta = readJsonFile4(`${artifactPath}.json`, null);
     return {
@@ -13133,8 +13512,8 @@ function fileStats(path) {
   }
 }
 function runFileCursor(projectRoot, run) {
-  const runDir = dirname17(runLogsPath(projectRoot, run.runId));
-  const runJson = fileStats(resolve22(runDir, "run.json"));
+  const runDir = dirname20(runLogsPath(projectRoot, run.runId));
+  const runJson = fileStats(resolve24(runDir, "run.json"));
   const timeline = fileStats(runTimelinePath(projectRoot, run.runId));
   const logs = fileStats(runLogsPath(projectRoot, run.runId));
   return {
@@ -13184,10 +13563,10 @@ function startRunFileWatcher(state, pollMs) {
   }, Math.max(250, Math.min(pollMs, 1000)));
 }
 function startPoller(state, pollMs) {
-  let offset = existsSync17(state.eventsFile) ? statSync6(state.eventsFile).size : 0;
+  let offset = existsSync19(state.eventsFile) ? statSync6(state.eventsFile).size : 0;
   return setInterval(async () => {
     try {
-      if (!existsSync17(state.eventsFile)) {
+      if (!existsSync19(state.eventsFile)) {
         return;
       }
       const file = await open(state.eventsFile, "r");
@@ -13315,7 +13694,7 @@ function resolveProjectRoot() {
   return resolveRigProjectRoot({
     envProjectRoot: process.env.PROJECT_RIG_ROOT ?? null,
     cwd: process.cwd(),
-    fallbackRoot: resolve22(import.meta.dir, "../..")
+    fallbackRoot: resolve24(import.meta.dir, "../..")
   });
 }
 var __testOnly = {