@h-rig/server 0.0.6-alpha.10 → 0.0.6-alpha.12

package/dist/src/server-helpers/http-router.js

@@ -4,8 +4,8 @@ var __require = import.meta.require;
 // packages/server/src/server-helpers/http-router.ts
 import { randomUUID } from "crypto";
 import { spawnSync as spawnSync2 } from "child_process";
-import { basename, dirname as dirname6, isAbsolute as isAbsolute2, resolve as resolve11 } from "path";
-import { copyFileSync, existsSync as existsSync8, mkdirSync as mkdirSync7, readFileSync as readFileSync5, writeFileSync as writeFileSync7 } from "fs";
+import { basename, dirname as dirname9, isAbsolute as isAbsolute3, resolve as resolve13 } from "path";
+import { copyFileSync as copyFileSync2, existsSync as existsSync10, mkdirSync as mkdirSync9, readFileSync as readFileSync7, writeFileSync as writeFileSync9 } from "fs";
 
 // packages/server/src/server.ts
 import {
@@ -803,8 +803,8 @@ import {
 
 // packages/server/src/server-helpers/github-auth-store.ts
 import { randomBytes } from "crypto";
-import { chmodSync, existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync2, writeFileSync as writeFileSync3 } from "fs";
-import { resolve as resolve7 } from "path";
+import { chmodSync, copyFileSync, existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync2, writeFileSync as writeFileSync3 } from "fs";
+import { dirname as dirname3, resolve as resolve7 } from "path";
 function cleanString(value) {
   return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
 }
@@ -834,6 +834,26 @@ function parseApiSessions(value) {
     }];
   });
 }
+function parsePendingDevice(value) {
+  if (!value || typeof value !== "object")
+    return null;
+  const record = value;
+  const pollId = cleanString(record.pollId);
+  const deviceCode = cleanString(record.deviceCode);
+  const expiresAt = cleanString(record.expiresAt);
+  const intervalSeconds = typeof record.intervalSeconds === "number" && Number.isFinite(record.intervalSeconds) ? Math.max(1, Math.floor(record.intervalSeconds)) : null;
+  if (!pollId || !deviceCode || !expiresAt || !intervalSeconds)
+    return null;
+  return { pollId, deviceCode, expiresAt, intervalSeconds };
+}
+function parsePendingDevices(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    const pending = parsePendingDevice(entry);
+    return pending ? [pending] : [];
+  });
+}
 function readStoredAuth(stateFile) {
   if (!existsSync4(stateFile))
     return {};
@@ -847,6 +867,7 @@ function readStoredAuth(stateFile) {
       selectedRepo: cleanString(parsed.selectedRepo),
       tokenSource: parsed.tokenSource === "oauth-device" || parsed.tokenSource === "manual-token" || parsed.tokenSource === "env" ? parsed.tokenSource : undefined,
       pendingDevice: parsePendingDevice(parsed.pendingDevice),
+      pendingDevices: parsePendingDevices(parsed.pendingDevices),
       apiSessions: parseApiSessions(parsed.apiSessions),
       updatedAt: cleanString(parsed.updatedAt) ?? undefined
     };
@@ -854,34 +875,36 @@ function readStoredAuth(stateFile) {
     return {};
   }
 }
-function parsePendingDevice(value) {
-  if (!value || typeof value !== "object")
-    return null;
-  const record = value;
-  const pollId = cleanString(record.pollId);
-  const deviceCode = cleanString(record.deviceCode);
-  const expiresAt = cleanString(record.expiresAt);
-  const intervalSeconds = typeof record.intervalSeconds === "number" && Number.isFinite(record.intervalSeconds) ? Math.max(1, Math.floor(record.intervalSeconds)) : null;
-  if (!pollId || !deviceCode || !expiresAt || !intervalSeconds)
-    return null;
-  return { pollId, deviceCode, expiresAt, intervalSeconds };
-}
 function newApiSessionToken() {
   return `rig_${randomBytes(32).toString("base64url")}`;
 }
 function writeStoredAuth(stateFile, payload) {
-  mkdirSync3(resolve7(stateFile, ".."), { recursive: true });
+  mkdirSync3(dirname3(stateFile), { recursive: true });
   writeFileSync3(stateFile, `${JSON.stringify(payload, null, 2)}
 `, { encoding: "utf8", mode: 384 });
   try {
     chmodSync(stateFile, 384);
   } catch {}
 }
+function localProjectAuthStateFile(projectRoot) {
+  return resolve7(projectRoot, ".rig", "state", "github-auth.json");
+}
 function resolveGitHubAuthStateFile(projectRoot) {
   return resolve7(resolveServerAuthorityPaths(projectRoot).stateDir, "github-auth.json");
 }
-function createGitHubAuthStore(projectRoot) {
-  const stateFile = resolveGitHubAuthStateFile(projectRoot);
+function copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot) {
+  const targetFile = localProjectAuthStateFile(projectRoot);
+  mkdirSync3(dirname3(targetFile), { recursive: true });
+  if (existsSync4(stateFile)) {
+    copyFileSync(stateFile, targetFile);
+    try {
+      chmodSync(targetFile, 384);
+    } catch {}
+    return;
+  }
+  writeStoredAuth(targetFile, {});
+}
+function createGitHubAuthStoreFromStateFile(stateFile) {
   return {
     stateFile,
     status(options) {
@@ -911,6 +934,7 @@ function createGitHubAuthStore(projectRoot) {
         scopes: input.scopes ?? [],
         selectedRepo: input.selectedRepo ?? previous.selectedRepo ?? null,
         pendingDevice: null,
+        pendingDevices: [],
         apiSessions: previous.apiSessions ?? [],
         updatedAt: new Date().toISOString()
       });
@@ -939,15 +963,24 @@ function createGitHubAuthStore(projectRoot) {
       const session = (previous.apiSessions ?? []).find((candidate) => candidate.token === clean);
       return session ? { login: cleanString(session.login), userId: cleanString(session.userId) } : null;
     },
-    copyToProjectRoot(projectRoot2) {
-      const targetFile = resolveGitHubAuthStateFile(projectRoot2);
+    copyToProjectRoot(projectRoot) {
+      const targetFile = resolveGitHubAuthStateFile(projectRoot);
       writeStoredAuth(targetFile, readStoredAuth(stateFile));
     },
+    copyToLocalProjectRoot(projectRoot) {
+      copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot);
+    },
     savePendingDevice(input) {
       const previous = readStoredAuth(stateFile);
+      const pendingDevices = [
+        ...previous.pendingDevice ? [previous.pendingDevice] : [],
+        ...previous.pendingDevices ?? [],
+        input
+      ].filter((entry, index, entries) => entries.findIndex((candidate) => candidate.pollId === entry.pollId) === index);
       writeStoredAuth(stateFile, {
         ...previous,
-        pendingDevice: input,
+        pendingDevice: null,
+        pendingDevices,
         updatedAt: new Date().toISOString()
       });
     },
@@ -960,23 +993,32 @@ function createGitHubAuthStore(projectRoot) {
       });
     },
     readPendingDevice(pollId) {
-      const pending = readStoredAuth(stateFile).pendingDevice ?? null;
-      if (!pending || pending.pollId !== pollId)
+      const previous = readStoredAuth(stateFile);
+      const pending = [
+        ...previous.pendingDevice ? [previous.pendingDevice] : [],
+        ...previous.pendingDevices ?? []
+      ].find((entry) => entry.pollId === pollId) ?? null;
+      if (!pending)
         return null;
       if (Date.parse(pending.expiresAt) <= Date.now())
         return null;
       return pending;
     },
-    clearPendingDevice() {
+    clearPendingDevice(pollId) {
       const previous = readStoredAuth(stateFile);
+      const remaining = pollId ? (previous.pendingDevices ?? []).filter((entry) => entry.pollId !== pollId) : [];
       writeStoredAuth(stateFile, {
         ...previous,
         pendingDevice: null,
+        pendingDevices: remaining,
         updatedAt: new Date().toISOString()
       });
     }
   };
 }
+function createGitHubAuthStore(projectRoot) {
+  return createGitHubAuthStoreFromStateFile(resolveGitHubAuthStateFile(projectRoot));
+}
 
 // packages/server/src/server-helpers/github-projects.ts
 function asRecord(value) {
@@ -1365,7 +1407,7 @@ import {
 } from "@rig/runtime/control-plane/remote";
 
 // packages/server/src/server-helpers/run-steering.ts
-import { dirname as dirname3, resolve as resolve8 } from "path";
+import { dirname as dirname4, resolve as resolve8 } from "path";
 import { existsSync as existsSync5, mkdirSync as mkdirSync4, readFileSync as readFileSync3 } from "fs";
 import { appendJsonlRecord as appendJsonlRecord2, readAuthorityRun as readAuthorityRun7, resolveAuthorityRunDir as resolveAuthorityRunDir4 } from "@rig/runtime/control-plane/authority-files";
 var steeringSequence = 0;
@@ -1452,7 +1494,7 @@ function queueRunSteeringMessage(projectRoot, runId, input) {
     delivered: false
   };
   const path = runSteeringPath(projectRoot, runId);
-  mkdirSync4(dirname3(path), { recursive: true });
+  mkdirSync4(dirname4(path), { recursive: true });
   appendJsonlRecord2(path, entry);
   appendRunTimelineEntry(projectRoot, runId, {
     id: entry.id,
@@ -1489,24 +1531,205 @@ import {
   updateConfiguredTaskSourceTask as updateConfiguredTaskSourceTask2
 } from "@rig/runtime/control-plane/tasks/source-lifecycle";
 
+// packages/server/src/server-helpers/github-api-session-index.ts
+import { chmodSync as chmodSync3, existsSync as existsSync7, mkdirSync as mkdirSync6, readFileSync as readFileSync5, writeFileSync as writeFileSync6 } from "fs";
+import { dirname as dirname6, resolve as resolve10 } from "path";
+
+// packages/server/src/server-helpers/github-user-namespace.ts
+import { chmodSync as chmodSync2, existsSync as existsSync6, mkdirSync as mkdirSync5, readFileSync as readFileSync4, writeFileSync as writeFileSync5 } from "fs";
+import { dirname as dirname5, isAbsolute, relative, resolve as resolve9 } from "path";
+function cleanString3(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function sanitizePathSegment(value) {
+  return value.trim().toLowerCase().replace(/[^a-z0-9._-]/g, "-").replace(/^-+|-+$/g, "").slice(0, 96);
+}
+function deriveGitHubUserNamespaceKey(identity) {
+  const userId = cleanString3(identity.userId);
+  if (userId) {
+    const safeId = sanitizePathSegment(userId);
+    if (safeId)
+      return `ghu-${safeId}`;
+  }
+  const login = cleanString3(identity.login);
+  if (login) {
+    const safeLogin = sanitizePathSegment(login);
+    if (safeLogin)
+      return `ghu-login-${safeLogin}`;
+  }
+  throw new Error("GitHub user namespace requires a user id or login");
+}
+function resolveRemoteUserNamespacesRoot(projectRoot) {
+  const explicitRoot = cleanString3(process.env.RIG_REMOTE_USER_NAMESPACE_ROOT);
+  if (explicitRoot)
+    return resolve9(explicitRoot);
+  const stateDir2 = cleanString3(process.env.RIG_STATE_DIR);
+  if (stateDir2)
+    return resolve9(dirname5(resolve9(stateDir2)), "users");
+  return resolve9(projectRoot, ".rig", "users");
+}
+function resolveRemoteUserNamespace(projectRoot, identity) {
+  const key = deriveGitHubUserNamespaceKey(identity);
+  const root = resolve9(resolveRemoteUserNamespacesRoot(projectRoot), key);
+  const stateDir2 = resolve9(root, ".rig", "state");
+  return {
+    key,
+    userId: cleanString3(identity.userId),
+    login: cleanString3(identity.login),
+    root,
+    stateDir: stateDir2,
+    authStateFile: resolve9(stateDir2, "github-auth.json"),
+    metadataFile: resolve9(stateDir2, "user-namespace.json"),
+    checkoutBaseDir: resolve9(root, "remote-checkouts"),
+    snapshotBaseDir: resolve9(root, "remote-snapshots")
+  };
+}
+function serializeRemoteUserNamespace(namespace) {
+  return {
+    key: namespace.key,
+    userId: namespace.userId,
+    login: namespace.login,
+    root: namespace.root,
+    checkoutBaseDir: namespace.checkoutBaseDir,
+    snapshotBaseDir: namespace.snapshotBaseDir
+  };
+}
+function isPathInsideNamespace(namespaceRoot, candidatePath) {
+  const root = resolve9(namespaceRoot);
+  const candidate = resolve9(candidatePath);
+  const rel = relative(root, candidate);
+  return rel === "" || !rel.startsWith("..") && !isAbsolute(rel);
+}
+function writeRemoteUserNamespaceMetadata(namespace) {
+  mkdirSync5(namespace.stateDir, { recursive: true });
+  const previous = (() => {
+    if (!existsSync6(namespace.metadataFile))
+      return null;
+    try {
+      const parsed = JSON.parse(readFileSync4(namespace.metadataFile, "utf8"));
+      return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+    } catch {
+      return null;
+    }
+  })();
+  const now = new Date().toISOString();
+  writeFileSync5(namespace.metadataFile, `${JSON.stringify({
+    key: namespace.key,
+    userId: namespace.userId,
+    login: namespace.login,
+    root: namespace.root,
+    checkoutBaseDir: namespace.checkoutBaseDir,
+    snapshotBaseDir: namespace.snapshotBaseDir,
+    createdAt: typeof previous?.createdAt === "string" ? previous.createdAt : now,
+    updatedAt: now
+  }, null, 2)}
+`, { encoding: "utf8", mode: 384 });
+  try {
+    chmodSync2(namespace.metadataFile, 384);
+  } catch {}
+}
+
+// packages/server/src/server-helpers/github-api-session-index.ts
+function cleanString4(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function resolveGitHubApiSessionIndexFile(projectRoot) {
+  return resolve10(resolveRemoteUserNamespacesRoot(projectRoot), ".api-sessions.json");
+}
+function parseEntry(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value))
+    return null;
+  const record = value;
+  const token = cleanString4(record.token);
+  const namespaceKey = cleanString4(record.namespaceKey);
+  const namespaceRoot = cleanString4(record.namespaceRoot);
+  const authStateFile = cleanString4(record.authStateFile);
+  const checkoutBaseDir = cleanString4(record.checkoutBaseDir);
+  const snapshotBaseDir = cleanString4(record.snapshotBaseDir);
+  const createdAt = cleanString4(record.createdAt);
+  if (!token || !namespaceKey || !namespaceRoot || !authStateFile || !checkoutBaseDir || !snapshotBaseDir || !createdAt)
+    return null;
+  return {
+    token,
+    namespaceKey,
+    namespaceRoot,
+    authStateFile,
+    checkoutBaseDir,
+    snapshotBaseDir,
+    createdAt,
+    login: cleanString4(record.login),
+    userId: cleanString4(record.userId),
+    selectedRepo: cleanString4(record.selectedRepo)
+  };
+}
+function readIndex(indexFile) {
+  if (!existsSync7(indexFile))
+    return [];
+  try {
+    const parsed = JSON.parse(readFileSync5(indexFile, "utf8"));
+    return Array.isArray(parsed.sessions) ? parsed.sessions.flatMap((entry) => {
+      const parsedEntry = parseEntry(entry);
+      return parsedEntry ? [parsedEntry] : [];
+    }) : [];
+  } catch {
+    return [];
+  }
+}
+function writeIndex(indexFile, sessions) {
+  mkdirSync6(dirname6(indexFile), { recursive: true });
+  writeFileSync6(indexFile, `${JSON.stringify({ sessions }, null, 2)}
+`, { encoding: "utf8", mode: 384 });
+  try {
+    chmodSync3(indexFile, 384);
+  } catch {}
+}
+function registerGitHubApiSession(input) {
+  const cleanToken = cleanString4(input.token);
+  if (!cleanToken)
+    throw new Error("GitHub API session token is required");
+  const indexFile = resolveGitHubApiSessionIndexFile(input.projectRoot);
+  const createdAt = new Date().toISOString();
+  const entry = {
+    token: cleanToken,
+    login: input.namespace.login,
+    userId: input.namespace.userId,
+    namespaceKey: input.namespace.key,
+    namespaceRoot: input.namespace.root,
+    authStateFile: input.namespace.authStateFile,
+    checkoutBaseDir: input.namespace.checkoutBaseDir,
+    snapshotBaseDir: input.namespace.snapshotBaseDir,
+    selectedRepo: cleanString4(input.selectedRepo),
+    createdAt
+  };
+  const previous = readIndex(indexFile).filter((session) => session.token !== cleanToken);
+  writeIndex(indexFile, [...previous.slice(-199), entry]);
+  return entry;
+}
+function readGitHubApiSession(input) {
+  const cleanToken = cleanString4(input.token);
+  if (!cleanToken)
+    return null;
+  return readIndex(resolveGitHubApiSessionIndexFile(input.projectRoot)).find((entry) => entry.token === cleanToken) ?? null;
+}
+
 // packages/server/src/server-helpers/project-registry.ts
 import { createHash as createHash2 } from "crypto";
 import { spawnSync } from "child_process";
-import { existsSync as existsSync6, mkdirSync as mkdirSync5, readFileSync as readFileSync4, readdirSync, writeFileSync as writeFileSync5 } from "fs";
-import { dirname as dirname4, resolve as resolve9 } from "path";
+import { existsSync as existsSync8, mkdirSync as mkdirSync7, readFileSync as readFileSync6, readdirSync, writeFileSync as writeFileSync7 } from "fs";
+import { dirname as dirname7, resolve as resolve11 } from "path";
 function normalizeRepoSlug(value) {
   const trimmed = value.trim();
   return /^[^/\s]+\/[^/\s]+$/.test(trimmed) ? trimmed : null;
 }
 function registryPath(projectRoot) {
-  return resolve9(projectRoot, ".rig", "state", "projects.json");
+  return resolve11(projectRoot, ".rig", "state", "projects.json");
 }
 function readRegistry(projectRoot) {
   const path = registryPath(projectRoot);
-  if (!existsSync6(path))
+  if (!existsSync8(path))
     return {};
   try {
-    const payload = JSON.parse(readFileSync4(path, "utf8"));
+    const payload = JSON.parse(readFileSync6(path, "utf8"));
     if (!payload || typeof payload !== "object" || Array.isArray(payload))
       return {};
     const projects = payload.projects;
@@ -1517,14 +1740,14 @@ function readRegistry(projectRoot) {
 }
 function writeRegistry(projectRoot, projects) {
   const path = registryPath(projectRoot);
-  mkdirSync5(dirname4(path), { recursive: true });
-  writeFileSync5(path, `${JSON.stringify({ projects }, null, 2)}
+  mkdirSync7(dirname7(path), { recursive: true });
+  writeFileSync7(path, `${JSON.stringify({ projects }, null, 2)}
 `, "utf8");
 }
 function resolveConfigPath(projectRoot) {
   for (const name of ["rig.config.ts", "rig.config.mts", "rig.config.json"]) {
-    const path = resolve9(projectRoot, name);
-    if (existsSync6(path))
+    const path = resolve11(projectRoot, name);
+    if (existsSync8(path))
       return path;
   }
   return null;
@@ -1533,7 +1756,7 @@ function hashFile(path) {
   if (!path)
     return null;
   try {
-    return createHash2("sha256").update(readFileSync4(path)).digest("hex");
+    return createHash2("sha256").update(readFileSync6(path)).digest("hex");
   } catch {
     return null;
   }
@@ -1549,11 +1772,11 @@ function readDefaultBranch(projectRoot) {
   return head.status === 0 && head.stdout.trim() && head.stdout.trim() !== "HEAD" ? head.stdout.trim() : null;
 }
 function buildRunSummary(projectRoot) {
-  const runsDir = resolve9(projectRoot, ".rig", "runs");
+  const runsDir = resolve11(projectRoot, ".rig", "runs");
   try {
     const runs = readdirSync(runsDir, { withFileTypes: true }).filter((entry) => entry.isDirectory()).flatMap((entry) => {
       try {
-        const run = JSON.parse(readFileSync4(resolve9(runsDir, entry.name, "run.json"), "utf8"));
+        const run = JSON.parse(readFileSync6(resolve11(runsDir, entry.name, "run.json"), "utf8"));
         return [{ runId: typeof run.runId === "string" ? run.runId : entry.name, status: typeof run.status === "string" ? run.status : "unknown", updatedAt: typeof run.updatedAt === "string" ? run.updatedAt : "" }];
       } catch {
         return [];
@@ -1605,10 +1828,14 @@ function upsertProjectRecord(projectRoot, input) {
 function linkProjectCheckout(projectRoot, repoSlug, checkout) {
   return upsertProjectRecord(projectRoot, { repoSlug, checkout });
 }
+function projectRegistryContainsCheckout(projectRoot, checkoutPath) {
+  const target = resolve11(checkoutPath);
+  return Object.values(readRegistry(projectRoot)).some((project) => project.checkouts.some((checkout) => checkout.path ? resolve11(checkout.path) === target : false));
+}
 
 // packages/server/src/server-helpers/remote-checkout.ts
-import { existsSync as existsSync7, mkdirSync as mkdirSync6, writeFileSync as writeFileSync6 } from "fs";
-import { dirname as dirname5, isAbsolute, relative, resolve as resolve10 } from "path";
+import { existsSync as existsSync9, mkdirSync as mkdirSync8, writeFileSync as writeFileSync8 } from "fs";
+import { dirname as dirname8, isAbsolute as isAbsolute2, relative as relative2, resolve as resolve12 } from "path";
 function safeSlugSegments(repoSlug) {
   const segments = repoSlug.split("/").map((part) => part.trim()).filter(Boolean);
   if (segments.length !== 2 || segments.some((segment) => segment === "." || segment === ".." || segment.includes("\\"))) {
@@ -1625,7 +1852,7 @@ function safeCheckoutKey(value) {
 }
 function repoSlugPath(baseDir, repoSlug, checkoutKey) {
   const key = safeCheckoutKey(checkoutKey);
-  return resolve10(baseDir, ...key ? [key] : [], ...safeSlugSegments(repoSlug));
+  return resolve12(baseDir, ...key ? [key] : [], ...safeSlugSegments(repoSlug));
 }
 function sanitizeSnapshotId(value, fallback) {
   const raw = (value ?? fallback).trim();
@@ -1633,7 +1860,7 @@ function sanitizeSnapshotId(value, fallback) {
   return safe || fallback;
 }
 function assertWithinRoot(root, relativePath) {
-  if (!relativePath || isAbsolute(relativePath) || relativePath.includes("\x00")) {
+  if (!relativePath || isAbsolute2(relativePath) || relativePath.includes("\x00")) {
     throw new Error(`Invalid snapshot file path: ${relativePath}`);
   }
   const normalizedRelative = relativePath.replace(/\\/g, "/");
@@ -1641,9 +1868,9 @@ function assertWithinRoot(root, relativePath) {
   if (segments.some((segment) => segment === "" || segment === "." || segment === "..")) {
     throw new Error(`Unsafe snapshot file path: ${relativePath}`);
   }
-  const target = resolve10(root, ...segments);
-  const rel = relative(root, target);
-  if (rel === ".." || rel.split(/[\\/]/)[0] === ".." || isAbsolute(rel)) {
+  const target = resolve12(root, ...segments);
+  const rel = relative2(root, target);
+  if (rel === ".." || rel.split(/[\\/]/)[0] === ".." || isAbsolute2(rel)) {
     throw new Error(`Snapshot file path escapes checkout root: ${relativePath}`);
   }
   return target;
@@ -1661,17 +1888,17 @@ function parseSnapshotArchiveContentBase64(contentBase64) {
 function extractUploadedSnapshotArchive(input) {
   const archive = decodeSnapshotArchive(input.archive);
   const snapshotId = sanitizeSnapshotId(input.snapshotId, `snapshot-${(input.now?.() ?? new Date).toISOString().replace(/[:.]/g, "-")}`);
-  const checkoutPath = resolve10(repoSlugPath(input.baseDir, input.repoSlug, input.checkoutKey), snapshotId);
-  mkdirSync6(checkoutPath, { recursive: true });
+  const checkoutPath = resolve12(repoSlugPath(input.baseDir, input.repoSlug, input.checkoutKey), snapshotId);
+  mkdirSync8(checkoutPath, { recursive: true });
   for (const file of archive.files) {
     if (!file || typeof file.path !== "string" || typeof file.contentBase64 !== "string") {
       throw new Error("Invalid snapshot archive file entry");
     }
     const target = assertWithinRoot(checkoutPath, file.path);
-    mkdirSync6(dirname5(target), { recursive: true });
-    writeFileSync6(target, Buffer.from(file.contentBase64, "base64"));
+    mkdirSync8(dirname8(target), { recursive: true });
+    writeFileSync8(target, Buffer.from(file.contentBase64, "base64"));
   }
-  writeFileSync6(resolve10(checkoutPath, ".rig-uploaded-snapshot.json"), `${JSON.stringify({
+  writeFileSync8(resolve12(checkoutPath, ".rig-uploaded-snapshot.json"), `${JSON.stringify({
     repoSlug: input.repoSlug,
     snapshotId,
     fileCount: archive.files.length,
@@ -1706,7 +1933,7 @@ function gitCredentialConfig(token) {
   };
 }
 async function prepareRemoteCheckout(input) {
-  const exists = input.exists ?? existsSync7;
+  const exists = input.exists ?? existsSync9;
   const strategy = input.strategy;
   if (strategy.kind === "uploaded-snapshot") {
     return extractUploadedSnapshotArchive({
@@ -1718,7 +1945,7 @@ async function prepareRemoteCheckout(input) {
     });
   }
   if (strategy.kind === "existing-path") {
-    const checkoutPath2 = resolve10(strategy.path);
+    const checkoutPath2 = resolve12(strategy.path);
     if (!exists(checkoutPath2)) {
       throw new Error(`Existing remote checkout path does not exist: ${checkoutPath2}`);
     }
@@ -1754,9 +1981,9 @@ function buildServerControlStatus() {
   };
 }
 function buildProjectConfigStatus(root) {
-  const hasConfigTs = existsSync8(resolve11(root, "rig.config.ts"));
-  const hasConfigJson = existsSync8(resolve11(root, "rig.config.json"));
-  const hasLegacyTaskConfig = existsSync8(resolve11(root, ".rig", "task-config.json"));
+  const hasConfigTs = existsSync10(resolve13(root, "rig.config.ts"));
+  const hasConfigJson = existsSync10(resolve13(root, "rig.config.json"));
+  const hasLegacyTaskConfig = existsSync10(resolve13(root, ".rig", "task-config.json"));
   let kind = "missing";
   if (hasConfigTs)
     kind = "rig-config-ts";
@@ -1792,24 +2019,24 @@ function repoParts(repoSlug) {
   return { owner, repo, slug: `${owner}/${repo}` };
 }
 function repairDir(checkoutPath) {
-  const dir = resolve11(checkoutPath, ".rig", "state", "repairs", new Date().toISOString().replace(/[:.]/g, "-"));
-  mkdirSync7(dir, { recursive: true });
+  const dir = resolve13(checkoutPath, ".rig", "state", "repairs", new Date().toISOString().replace(/[:.]/g, "-"));
+  mkdirSync9(dir, { recursive: true });
   return dir;
 }
 function backupCheckoutFile(checkoutPath, relativePath) {
-  const source = resolve11(checkoutPath, relativePath);
-  const backupPath = resolve11(repairDir(checkoutPath), relativePath.replace(/[\\/]/g, "__"));
-  mkdirSync7(dirname6(backupPath), { recursive: true });
-  copyFileSync(source, backupPath);
+  const source = resolve13(checkoutPath, relativePath);
+  const backupPath = resolve13(repairDir(checkoutPath), relativePath.replace(/[\\/]/g, "__"));
+  mkdirSync9(dirname9(backupPath), { recursive: true });
+  copyFileSync2(source, backupPath);
   return backupPath;
 }
 function parsePackageJsonLosslessly(checkoutPath) {
-  const packagePath = resolve11(checkoutPath, "package.json");
-  if (!existsSync8(packagePath)) {
+  const packagePath = resolve13(checkoutPath, "package.json");
+  if (!existsSync10(packagePath)) {
     return { existed: false, packageJson: { name: basename(checkoutPath) || "rig-project", private: true } };
   }
   try {
-    const parsed = JSON.parse(readFileSync5(packagePath, "utf8"));
+    const parsed = JSON.parse(readFileSync7(packagePath, "utf8"));
     return {
       existed: true,
       packageJson: parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : { name: basename(checkoutPath) || "rig-project", private: true }
@@ -1823,9 +2050,9 @@ function parsePackageJsonLosslessly(checkoutPath) {
   }
 }
 function ensureRemoteCheckoutRigPackageDeps(checkoutPath) {
-  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync8(resolve11(checkoutPath, name)));
-  const packagePath = resolve11(checkoutPath, "package.json");
-  if (!hasConfig && !existsSync8(packagePath)) {
+  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync10(resolve13(checkoutPath, name)));
+  const packagePath = resolve13(checkoutPath, "package.json");
+  if (!hasConfig && !existsSync10(packagePath)) {
     return { skipped: true, reason: "package.json and rig.config missing" };
   }
   const parsed = parsePackageJsonLosslessly(checkoutPath);
@@ -1844,7 +2071,7 @@ function ensureRemoteCheckoutRigPackageDeps(checkoutPath) {
   }
   const changed = !parsed.existed || Boolean(parsed.backupPath) || added.length > 0 || updated.length > 0 || existingDevDependencies !== devDependencies && (!existingDevDependencies || typeof existingDevDependencies !== "object" || Array.isArray(existingDevDependencies));
   if (changed) {
-    writeFileSync7(packagePath, `${JSON.stringify({ ...parsed.packageJson, devDependencies }, null, 2)}
+    writeFileSync9(packagePath, `${JSON.stringify({ ...parsed.packageJson, devDependencies }, null, 2)}
 `, "utf8");
   }
   return {
@@ -1870,11 +2097,11 @@ function configLooksStructurallyUsable(source) {
   return /taskSource\s*:/.test(source) && /workspace\s*:/.test(source) && /project\s*:/.test(source);
 }
 function ensureRemoteCheckoutRigConfig(checkoutPath, repoSlug, reason = "missing or incomplete rig config") {
-  const configPath = resolve11(checkoutPath, "rig.config.ts");
-  const existingConfigName = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync8(resolve11(checkoutPath, name)));
+  const configPath = resolve13(checkoutPath, "rig.config.ts");
+  const existingConfigName = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync10(resolve13(checkoutPath, name)));
   if (existingConfigName) {
-    const existingPath = resolve11(checkoutPath, existingConfigName);
-    const source = readFileSync5(existingPath, "utf8");
+    const existingPath = resolve13(checkoutPath, existingConfigName);
+    const source = readFileSync7(existingPath, "utf8");
     if (existingConfigName !== "rig.config.json" && configLooksStructurallyUsable(source)) {
       return { path: existingPath, changed: false, reason: "config structurally complete" };
     }
@@ -1888,7 +2115,7 @@ function ensureRemoteCheckoutRigConfig(checkoutPath, repoSlug, reason = "missing
     }
   }
   const backupPath = existingConfigName ? backupCheckoutFile(checkoutPath, existingConfigName) : undefined;
-  writeFileSync7(configPath, generatedRigConfigSource(repoSlug), "utf8");
+  writeFileSync9(configPath, generatedRigConfigSource(repoSlug), "utf8");
   return {
     path: configPath,
     changed: true,
@@ -1897,7 +2124,7 @@ function ensureRemoteCheckoutRigConfig(checkoutPath, repoSlug, reason = "missing
   };
 }
 function validateRemoteCheckoutRigConfig(checkoutPath) {
-  const configFile = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync8(resolve11(checkoutPath, name)));
+  const configFile = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync10(resolve13(checkoutPath, name)));
   if (!configFile)
     return { ok: false, error: "missing rig config" };
   if (process.env.RIG_TEST_SKIP_REMOTE_CHECKOUT_INSTALL === "1") {
@@ -1919,7 +2146,7 @@ function validateRemoteCheckoutRigConfig(checkoutPath) {
   return { ok: true, configFile };
 }
 function installRemoteCheckoutPackages(checkoutPath) {
-  if (!existsSync8(resolve11(checkoutPath, "package.json"))) {
+  if (!existsSync10(resolve13(checkoutPath, "package.json"))) {
     return { skipped: true, reason: "package.json missing" };
   }
   if (process.env.RIG_TEST_SKIP_REMOTE_CHECKOUT_INSTALL === "1") {
@@ -1932,8 +2159,8 @@ function installRemoteCheckoutPackages(checkoutPath) {
   return { ok: true, command: "bun install", stdout: result.stdout?.trim() || undefined };
 }
 function repairRemoteCheckoutForRig(checkoutPath, repoSlug) {
-  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync8(resolve11(checkoutPath, name)));
-  const hasPackage = existsSync8(resolve11(checkoutPath, "package.json"));
+  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync10(resolve13(checkoutPath, name)));
+  const hasPackage = existsSync10(resolve13(checkoutPath, "package.json"));
   if (!hasConfig && !hasPackage) {
     return {
       packageJson: { skipped: true, reason: "package.json and rig.config missing" },
@@ -2031,26 +2258,26 @@ function buildRemoteRunLogEntry(body, identifiers) {
 }
 function readGitHeadCommit(projectRoot) {
   try {
-    let gitDir = resolve11(projectRoot, ".git");
+    let gitDir = resolve13(projectRoot, ".git");
     try {
-      const dotGit = readFileSync5(gitDir, "utf8").trim();
+      const dotGit = readFileSync7(gitDir, "utf8").trim();
       const gitDirPrefix = "gitdir:";
       if (dotGit.startsWith(gitDirPrefix)) {
-        gitDir = resolve11(projectRoot, dotGit.slice(gitDirPrefix.length).trim());
+        gitDir = resolve13(projectRoot, dotGit.slice(gitDirPrefix.length).trim());
       }
     } catch {}
-    const head = readFileSync5(resolve11(gitDir, "HEAD"), "utf8").trim();
+    const head = readFileSync7(resolve13(gitDir, "HEAD"), "utf8").trim();
     const refPrefix = "ref:";
     if (!head.startsWith(refPrefix)) {
       return normalizeCommit(head);
     }
     const ref = head.slice(refPrefix.length).trim();
-    const refPath = resolve11(gitDir, ref);
-    if (existsSync8(refPath)) {
-      return normalizeCommit(readFileSync5(refPath, "utf8").trim());
+    const refPath = resolve13(gitDir, ref);
+    if (existsSync10(refPath)) {
+      return normalizeCommit(readFileSync7(refPath, "utf8").trim());
     }
-    const commonDir = normalizeString(readFileSync5(resolve11(gitDir, "commondir"), "utf8"));
-    return commonDir ? normalizeCommit(readFileSync5(resolve11(gitDir, commonDir, ref), "utf8").trim()) : null;
+    const commonDir = normalizeString(readFileSync7(resolve13(gitDir, "commondir"), "utf8"));
+    return commonDir ? normalizeCommit(readFileSync7(resolve13(gitDir, commonDir, ref), "utf8").trim()) : null;
   } catch {
     return null;
   }
@@ -2088,9 +2315,9 @@ function configuredRepoFromTaskSource(taskSource) {
   const repo = normalizeString(taskSource?.repo);
   return owner && repo ? `${owner}/${repo}` : null;
 }
-async function buildTaskSourceStatus(state, config) {
+async function buildTaskSourceStatus(state, config, requestAuth) {
   const diagnostics = state.snapshotService.getTaskSourceErrors();
-  const selectedRepo = createGitHubAuthStore(state.projectRoot).status({
+  const selectedRepo = requestScopedAuthStore(state.projectRoot, requestAuth).status({
     oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim())
   }).selectedRepo;
   try {
@@ -2188,31 +2415,83 @@ function normalizePrMode(value) {
   const mode = normalizeString(value);
   return mode === "auto" || mode === "ask" || mode === "off" ? mode : undefined;
 }
+function requestAuthResult(input) {
+  return {
+    authorized: input.authorized,
+    actor: input.actor ?? null,
+    reason: input.reason,
+    login: input.login ?? null,
+    userId: input.userId ?? null,
+    userNamespace: input.userNamespace ?? null,
+    authStateFile: input.authStateFile ?? null
+  };
+}
+function namespaceFromSessionIndex(entry) {
+  const stateDir2 = dirname9(entry.authStateFile);
+  return {
+    key: entry.namespaceKey,
+    userId: entry.userId,
+    login: entry.login,
+    root: entry.namespaceRoot,
+    stateDir: stateDir2,
+    authStateFile: entry.authStateFile,
+    metadataFile: resolve13(stateDir2, "user-namespace.json"),
+    checkoutBaseDir: entry.checkoutBaseDir,
+    snapshotBaseDir: entry.snapshotBaseDir
+  };
+}
 function authorizeRigHttpRequest(input) {
   if (input.legacyAuthorized) {
-    return { authorized: true, actor: "rig-local-server", reason: "server-token" };
+    return requestAuthResult({ authorized: true, actor: "rig-local-server", reason: "server-token" });
   }
   const bearer = bearerTokenFromRequest(input.req);
   const store = createGitHubAuthStore(input.projectRoot);
   const storedToken = store.readToken();
   const session = bearer ? store.readApiSession(bearer) : null;
   if (session) {
-    return { authorized: true, actor: session.login ?? "github-operator", reason: "github-session" };
+    return requestAuthResult({
+      authorized: true,
+      actor: session.login ?? "github-operator",
+      reason: "github-session",
+      login: session.login,
+      userId: session.userId,
+      authStateFile: store.stateFile
+    });
   }
   if (bearer && storedToken && bearer === storedToken) {
     const status = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
-    return { authorized: true, actor: status.login ?? "github-operator", reason: "github-token" };
+    return requestAuthResult({
+      authorized: true,
+      actor: status.login ?? "github-operator",
+      reason: "github-token",
+      login: status.login,
+      userId: status.userId,
+      authStateFile: store.stateFile
+    });
+  }
+  const indexedSession = readGitHubApiSession({ projectRoot: input.projectRoot, token: bearer });
+  if (indexedSession) {
+    const userNamespace = namespaceFromSessionIndex(indexedSession);
+    return requestAuthResult({
+      authorized: true,
+      actor: indexedSession.login ?? "github-operator",
+      reason: "github-user-session",
+      login: indexedSession.login,
+      userId: indexedSession.userId,
+      userNamespace,
+      authStateFile: indexedSession.authStateFile
+    });
   }
   if (isPublicRigAuthBootstrapRoute(input.pathname)) {
-    return { authorized: true, actor: null, reason: "public-bootstrap" };
+    return requestAuthResult({ authorized: true, actor: null, reason: "public-bootstrap" });
   }
   if (!input.serverAuthToken && !storedToken) {
     if (isLoopbackRequest(input.req)) {
-      return { authorized: true, actor: null, reason: "loopback-dev-no-auth" };
+      return requestAuthResult({ authorized: true, actor: null, reason: "loopback-dev-no-auth" });
     }
-    return { authorized: false, actor: null, reason: "auth-required" };
+    return requestAuthResult({ authorized: false, actor: null, reason: "auth-required" });
   }
-  return { authorized: false, actor: null, reason: storedToken ? "github-token-required" : "auth-required" };
+  return requestAuthResult({ authorized: false, actor: null, reason: storedToken ? "github-token-required" : "auth-required" });
 }
 async function fetchGitHubUserInfo(token) {
   const response = await fetch("https://api.github.com/user", {
@@ -2232,6 +2511,67 @@ async function fetchGitHubUserInfo(token) {
     scopes: cleanHeaderScopes(response.headers.get("x-oauth-scopes"))
   };
 }
+function shouldWriteRootAuthCompat(projectRoot) {
+  if (process.env.RIG_REMOTE_USER_NAMESPACE_ROOT?.trim())
+    return false;
+  const stateDir2 = normalizeString(process.env.RIG_STATE_DIR);
+  if (!stateDir2)
+    return true;
+  return resolve13(stateDir2) === resolve13(projectRoot, ".rig", "state");
+}
+function requestScopedRegistryRoot(stateProjectRoot, requestAuth) {
+  return requestAuth.userNamespace?.root ?? stateProjectRoot;
+}
+function requestScopedAuthStore(stateProjectRoot, requestAuth) {
+  return requestAuth.authStateFile ? createGitHubAuthStoreFromStateFile(requestAuth.authStateFile) : createGitHubAuthStore(stateProjectRoot);
+}
+function userNamespaceResponse(namespace) {
+  return namespace ? serializeRemoteUserNamespace(namespace) : undefined;
+}
+function resolveNamespacedBaseDir(input) {
+  if (input.explicitBaseDir)
+    return input.explicitBaseDir;
+  const envBase = normalizeString(process.env[input.envName]);
+  if (input.userNamespace) {
+    return envBase ? resolve13(envBase, input.userNamespace.key) : input.userNamespace[input.legacySubdir === "remote-checkouts" ? "checkoutBaseDir" : "snapshotBaseDir"];
+  }
+  return envBase ?? (normalizeString(process.env.RIG_STATE_DIR) ? resolve13(normalizeString(process.env.RIG_STATE_DIR), input.legacySubdir) : resolve13(input.legacyProjectRoot, ".rig", input.legacySubdir));
+}
+function explicitCheckoutKey(body, checkoutInput, requestAuth) {
+  return normalizeString(body.checkoutKey) ?? normalizeString(checkoutInput.checkoutKey) ?? normalizeString(checkoutInput.key) ?? (requestAuth.userNamespace ? undefined : "default");
+}
+function saveGitHubTokenForRemoteUser(input) {
+  const namespace = resolveRemoteUserNamespace(input.projectRoot, { userId: input.user.userId, login: input.user.login });
+  writeRemoteUserNamespaceMetadata(namespace);
+  const store = createGitHubAuthStoreFromStateFile(namespace.authStateFile);
+  store.saveToken({
+    token: input.token,
+    tokenSource: input.tokenSource,
+    login: input.user.login,
+    userId: input.user.userId,
+    scopes: input.user.scopes,
+    selectedRepo: input.selectedRepo
+  });
+  const apiSession = store.createApiSession();
+  registerGitHubApiSession({ projectRoot: input.projectRoot, token: apiSession.token, namespace, selectedRepo: input.selectedRepo });
+  const requestedRoot = normalizeString(input.requestedProjectRoot);
+  if (requestedRoot && isAbsolute3(requestedRoot) && existsSync10(resolve13(requestedRoot))) {
+    copyGitHubAuthStateToLocalProjectRoot(namespace.authStateFile, resolve13(requestedRoot));
+  }
+  if (shouldWriteRootAuthCompat(input.projectRoot)) {
+    const rootStore = createGitHubAuthStore(input.projectRoot);
+    rootStore.saveToken({
+      token: input.token,
+      tokenSource: input.tokenSource,
+      login: input.user.login,
+      userId: input.user.userId,
+      scopes: input.user.scopes,
+      selectedRepo: input.selectedRepo
+    });
+    rootStore.createApiSession();
+  }
+  return { store, namespace, apiSessionToken: apiSession.token };
+}
 async function postGitHubForm(endpoint, body) {
   const response = await fetch(endpoint, {
     method: "POST",
@@ -2249,11 +2589,11 @@ function resolveRequestedProjectRoot(currentRoot, rawRoot) {
   const requestedRoot = normalizeString(rawRoot);
   if (!requestedRoot)
     return currentRoot;
-  if (!isAbsolute2(requestedRoot)) {
+  if (!isAbsolute3(requestedRoot)) {
     throw new Error("projectRoot must be an absolute path on the Rig server host");
   }
-  const normalizedRoot = resolve11(requestedRoot);
-  if (!existsSync8(normalizedRoot)) {
+  const normalizedRoot = resolve13(requestedRoot);
+  if (!existsSync10(normalizedRoot)) {
     throw new Error("projectRoot does not exist on the Rig server host");
   }
   return normalizedRoot;
@@ -2914,7 +3254,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
         }
         if (url.pathname === "/api/server/status") {
           const config = buildProjectConfigStatus(state.projectRoot);
-          const taskSource = await buildTaskSourceStatus(state, config);
+          const taskSource = await buildTaskSourceStatus(state, config, requestAuth);
           return deps.jsonResponse({
             ok: true,
             projectRoot: state.projectRoot,
@@ -2938,8 +3278,9 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             path: normalizeString(rawCheckout?.path) ?? state.projectRoot,
             ref: normalizeString(rawCheckout?.ref) ?? undefined
           } : undefined;
-          const record = upsertProjectRecord(state.projectRoot, { repoSlug, checkout });
-          return deps.jsonResponse({ ok: true, project: record });
+          const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+          const record = upsertProjectRecord(registryRoot, { repoSlug, checkout });
+          return deps.jsonResponse({ ok: true, project: record, userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
         }
         const snapshotUploadMatch = url.pathname.match(/^\/api\/projects\/(.+?)\/upload-snapshot$/);
         if (snapshotUploadMatch && req.method === "POST") {
@@ -2952,8 +3293,15 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (!archiveContentBase64) {
             return deps.badRequest("archiveContentBase64 is required");
           }
-          const baseDir = normalizeString(body.baseDir) ?? normalizeString(process.env.RIG_REMOTE_SNAPSHOT_BASE_DIR) ?? (normalizeString(process.env.RIG_STATE_DIR) ? resolve11(normalizeString(process.env.RIG_STATE_DIR), "remote-snapshots") : resolve11(state.projectRoot, ".rig", "remote-snapshots"));
-          const checkoutKey = normalizeString(body.checkoutKey) ?? "default";
+          const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+          const baseDir = resolveNamespacedBaseDir({
+            explicitBaseDir: normalizeString(body.baseDir),
+            envName: "RIG_REMOTE_SNAPSHOT_BASE_DIR",
+            userNamespace: requestAuth.userNamespace,
+            legacyProjectRoot: state.projectRoot,
+            legacySubdir: "remote-snapshots"
+          });
+          const checkoutKey = explicitCheckoutKey(body, body, requestAuth);
           try {
             const archive = parseSnapshotArchiveContentBase64(archiveContentBase64);
             const checkout = extractUploadedSnapshotArchive({
@@ -2966,14 +3314,14 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             const checkoutRepair = repairRemoteCheckoutForRig(checkout.path, repoSlug);
             const packageInstall = installRemoteCheckoutPackages(checkout.path);
             const postInstallConfigValidation = validateRemoteCheckoutRigConfig(checkout.path);
-            const project = linkProjectCheckout(state.projectRoot, repoSlug, {
+            const project = linkProjectCheckout(registryRoot, repoSlug, {
               kind: "uploaded-snapshot",
               path: checkout.path,
               ref: checkout.snapshotId
             });
             deps.snapshotService.invalidate("uploaded-snapshot-checkout");
             deps.broadcastSnapshotInvalidation(state, "uploaded-snapshot-checkout");
-            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation });
+            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation, userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
           } catch (error) {
             return deps.jsonResponse({
               ok: false,
@@ -2993,10 +3341,17 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (kind !== "managed-clone" && kind !== "current-ref" && kind !== "existing-path") {
             return deps.jsonResponse({ ok: false, error: "checkout kind must be managed-clone, current-ref, or existing-path" }, 400);
           }
-          const baseDir = normalizeString(body.baseDir) ?? normalizeString(checkoutInput.baseDir) ?? normalizeString(process.env.RIG_REMOTE_CHECKOUT_BASE_DIR) ?? (normalizeString(process.env.RIG_STATE_DIR) ? resolve11(normalizeString(process.env.RIG_STATE_DIR), "remote-checkouts") : resolve11(state.projectRoot, ".rig", "remote-checkouts"));
-          const checkoutKey = normalizeString(body.checkoutKey) ?? normalizeString(checkoutInput.checkoutKey) ?? normalizeString(checkoutInput.key) ?? "default";
+          const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+          const baseDir = resolveNamespacedBaseDir({
+            explicitBaseDir: normalizeString(body.baseDir) ?? normalizeString(checkoutInput.baseDir),
+            envName: "RIG_REMOTE_CHECKOUT_BASE_DIR",
+            userNamespace: requestAuth.userNamespace,
+            legacyProjectRoot: state.projectRoot,
+            legacySubdir: "remote-checkouts"
+          });
+          const checkoutKey = explicitCheckoutKey(body, checkoutInput, requestAuth);
           const repoUrl = normalizeString(body.repoUrl) ?? normalizeString(checkoutInput.repoUrl) ?? `https://github.com/${repoSlug}.git`;
-          const credentialToken = createGitHubAuthStore(state.projectRoot).readToken();
+          const credentialToken = requestScopedAuthStore(state.projectRoot, requestAuth).readToken();
           try {
             const checkout = await prepareRemoteCheckout({
               command: runRemoteCheckoutCommand,
@@ -3005,14 +3360,14 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             const checkoutRepair = repairRemoteCheckoutForRig(checkout.path, repoSlug);
             const packageInstall = installRemoteCheckoutPackages(checkout.path);
             const postInstallConfigValidation = validateRemoteCheckoutRigConfig(checkout.path);
-            const project = linkProjectCheckout(state.projectRoot, repoSlug, {
+            const project = linkProjectCheckout(registryRoot, repoSlug, {
               kind: checkout.kind,
               path: checkout.path,
               ref: checkout.ref ?? checkout.snapshotId ?? undefined
             });
             deps.snapshotService.invalidate("remote-checkout-prepared");
             deps.broadcastSnapshotInvalidation(state, "remote-checkout-prepared");
-            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation });
+            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation, userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
           } catch (error) {
             return deps.jsonResponse({ ok: false, error: error instanceof Error ? error.message : String(error) }, 400);
           }
@@ -3029,16 +3384,18 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             if (kind !== "local" && kind !== "managed-clone" && kind !== "current-ref" && kind !== "uploaded-snapshot" && kind !== "existing-path") {
               return deps.jsonResponse({ ok: false, error: "checkout kind is required" }, 400);
             }
-            const project = linkProjectCheckout(state.projectRoot, repoSlug, {
+            const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+            const project = linkProjectCheckout(registryRoot, repoSlug, {
               kind,
               path: normalizeString(body.path) ?? state.projectRoot,
               ref: normalizeString(body.ref) ?? undefined
             });
-            return deps.jsonResponse({ ok: true, project });
+            return deps.jsonResponse({ ok: true, project, userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
           }
           if (req.method === "GET") {
-            const project = getProjectRecord(state.projectRoot, repoSlug);
-            return project ? deps.jsonResponse({ ok: true, project }) : deps.notFound();
+            const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+            const project = getProjectRecord(registryRoot, repoSlug);
+            return project ? deps.jsonResponse({ ok: true, project, userNamespace: userNamespaceResponse(requestAuth.userNamespace) }) : deps.notFound();
           }
         }
         if (url.pathname === "/api/server/project-root" && req.method === "POST") {
@@ -3047,13 +3404,26 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (!requestedRoot) {
             return deps.badRequest("projectRoot is required");
           }
-          if (!isAbsolute2(requestedRoot)) {
+          if (!isAbsolute3(requestedRoot)) {
             return deps.badRequest("projectRoot must be an absolute path on the Rig server host");
           }
-          const normalizedRoot = resolve11(requestedRoot);
-          const exists = existsSync8(normalizedRoot);
-          if (exists) {
-            createGitHubAuthStore(state.projectRoot).copyToProjectRoot(normalizedRoot);
+          const normalizedRoot = resolve13(requestedRoot);
+          const exists = existsSync10(normalizedRoot);
+          if (exists && requestAuth.userNamespace) {
+            const allowedByNamespace = isPathInsideNamespace(requestAuth.userNamespace.root, normalizedRoot);
+            const allowedByRegistry = projectRegistryContainsCheckout(requestAuth.userNamespace.root, normalizedRoot);
+            if (!allowedByNamespace && !allowedByRegistry) {
+              return deps.jsonResponse({
+                ok: false,
+                error: "Requested project root is outside the authenticated GitHub user namespace.",
+                projectRoot: state.projectRoot,
+                requestedProjectRoot: normalizedRoot,
+                userNamespace: userNamespaceResponse(requestAuth.userNamespace)
+              }, 403);
+            }
+            copyGitHubAuthStateToLocalProjectRoot(requestAuth.userNamespace.authStateFile, normalizedRoot);
+          } else if (exists) {
+            createGitHubAuthStore(state.projectRoot).copyToLocalProjectRoot(normalizedRoot);
           }
           const control = buildServerControlStatus();
           const switchCommand = process.env.RIG_PROJECT_ROOT_SWITCH_COMMAND?.trim();
@@ -3068,7 +3438,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
               message: "Requested project root does not exist on the Rig server host."
             }, 404);
           }
-          if (!existsSync8(resolve11(normalizedRoot, "rig.config.ts")) && !existsSync8(resolve11(normalizedRoot, "rig.config.json"))) {
+          if (!existsSync10(resolve13(normalizedRoot, "rig.config.ts")) && !existsSync10(resolve13(normalizedRoot, "rig.config.json"))) {
             return deps.jsonResponse({
               ok: false,
               projectRoot: state.projectRoot,
@@ -3103,6 +3473,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
               exists,
               control,
               requiresRestart: false,
+              userNamespace: userNamespaceResponse(requestAuth.userNamespace),
               message: "Project-root switch accepted. Rig server restart has been scheduled."
             }, 202);
           }
@@ -3117,11 +3488,11 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }, 409);
         }
         if (url.pathname === "/api/github/auth/status") {
-          const store = createGitHubAuthStore(state.projectRoot);
-          return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }) });
+          const store = requestScopedAuthStore(state.projectRoot, requestAuth);
+          return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }), userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
         }
         if (url.pathname === "/api/github/repo/permissions") {
-          const store = createGitHubAuthStore(state.projectRoot);
+          const store = requestScopedAuthStore(state.projectRoot, requestAuth);
           const auth = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
           if (!auth.signedIn) {
             return deps.jsonResponse({ ok: false, signedIn: false, canOpenPullRequest: false, reason: "not-authenticated" }, 401);
@@ -3149,24 +3520,20 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }
           try {
             const user = await fetchGitHubUserInfo(token);
-            const storeRoots = [
-              state.projectRoot,
-              ...requestedProjectRoot && isAbsolute2(requestedProjectRoot) && existsSync8(resolve11(requestedProjectRoot)) ? [resolve11(requestedProjectRoot)] : []
-            ].filter((root, index, roots) => roots.indexOf(root) === index);
-            const stores = storeRoots.map((root) => createGitHubAuthStore(root));
-            for (const store2 of stores) {
-              store2.saveToken({
-                token,
-                tokenSource: "manual-token",
-                login: user.login,
-                userId: user.userId,
-                scopes: user.scopes,
-                selectedRepo
-              });
-            }
-            const store = stores[stores.length - 1] ?? createGitHubAuthStore(state.projectRoot);
-            const apiSession = store.createApiSession();
-            return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }), apiSessionToken: apiSession.token });
+            const saved = saveGitHubTokenForRemoteUser({
+              projectRoot: state.projectRoot,
+              token,
+              tokenSource: "manual-token",
+              user,
+              selectedRepo,
+              requestedProjectRoot
+            });
+            return deps.jsonResponse({
+              ok: true,
+              ...saved.store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }),
+              apiSessionToken: saved.apiSessionToken,
+              userNamespace: userNamespaceResponse(saved.namespace)
+            });
           } catch (error) {
             const message = error instanceof Error ? error.message : String(error);
             return deps.jsonResponse({ ok: false, error: message }, 400);
@@ -3233,9 +3600,21 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }
           const token = result.payload.access_token;
           const user = await fetchGitHubUserInfo(token);
-          store.saveToken({ token, tokenSource: "oauth-device", login: user.login, userId: user.userId, scopes: user.scopes });
-          const apiSession = store.createApiSession();
-          return deps.jsonResponse({ ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }), apiSessionToken: apiSession.token });
+          const saved = saveGitHubTokenForRemoteUser({
+            projectRoot: state.projectRoot,
+            token,
+            tokenSource: "oauth-device",
+            user,
+            selectedRepo: null
+          });
+          store.clearPendingDevice(pollId);
+          return deps.jsonResponse({
+            ok: true,
+            status: "signed-in",
+            ...saved.store.status({ oauthConfigured: true }),
+            apiSessionToken: saved.apiSessionToken,
+            userNamespace: userNamespaceResponse(saved.namespace)
+          });
         }
         if (url.pathname === "/api/github/repo/probe" && req.method === "POST") {
           const body = await deps.readJsonBody(req);
@@ -3244,7 +3623,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (!owner || !repo) {
             return deps.badRequest("owner and repo are required");
           }
-          const store = createGitHubAuthStore(state.projectRoot);
+          const store = requestScopedAuthStore(state.projectRoot, requestAuth);
           const authStatus = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
           const probe = await probeGitHubRepository({ owner, repo, token: store.readToken(), scopes: authStatus.scopes });
           return deps.jsonResponse({ ok: probe.ok, probe }, probe.ok ? 200 : 400);
@@ -3265,7 +3644,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             return deps.badRequest(error instanceof Error ? error.message : String(error));
           }
           const authStatus = createGitHubAuthStore(state.projectRoot).status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
-          const configPath = resolve11(targetRoot, "rig.config.ts");
+          const configPath = resolve13(targetRoot, "rig.config.ts");
           const source = buildGitHubProjectConfigSource({
             projectName: rawProjectName,
             owner,
@@ -3277,8 +3656,8 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             ok: true,
             projectRoot: targetRoot,
             configPath,
-            exists: existsSync8(configPath),
-            requiresOverwrite: existsSync8(configPath),
+            exists: existsSync10(configPath),
+            requiresOverwrite: existsSync10(configPath),
             source,
             owner,
             repo,
@@ -3314,8 +3693,8 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             assignee,
             githubUserId: authStatus.userId ?? authStatus.login
           });
-          const configPath = resolve11(targetRoot, "rig.config.ts");
-          if (existsSync8(configPath) && !overwrite) {
+          const configPath = resolve13(targetRoot, "rig.config.ts");
+          if (existsSync10(configPath) && !overwrite) {
             return deps.jsonResponse({
               ok: false,
               error: "rig.config.ts already exists. Confirm overwrite to replace it; Rig will create a backup first.",
@@ -3331,11 +3710,11 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             return deps.jsonResponse({ ok: false, error: repoProbe.message, repoProbe }, 400);
           }
           let backupPath = null;
-          if (existsSync8(configPath)) {
+          if (existsSync10(configPath)) {
             backupPath = backupConfigPath(configPath);
-            copyFileSync(configPath, backupPath);
+            copyFileSync2(configPath, backupPath);
           }
-          writeFileSync7(configPath, source, "utf8");
+          writeFileSync9(configPath, source, "utf8");
           const selectedRepo = `${owner}/${repo}`;
           store.saveSelectedRepo(selectedRepo);
           const targetStore = createGitHubAuthStore(targetRoot);
@@ -3621,7 +4000,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
         }
         if (url.pathname === "/api/pi-rig/install" && req.method === "POST") {
           const configuredPackageSource = normalizeString(process.env.RIG_PI_RIG_PACKAGE_SOURCE);
-          const packageSource = configuredPackageSource ?? [process.env.RIG_HOST_PROJECT_ROOT, process.cwd(), state.projectRoot].map((root) => normalizeString(root)).filter((root) => Boolean(root)).map((root) => resolve11(root, "packages", "pi-rig")).find((candidate) => existsSync8(resolve11(candidate, "package.json"))) ?? "npm:@rig/pi-rig";
+          const packageSource = configuredPackageSource ?? [process.env.RIG_HOST_PROJECT_ROOT, process.cwd(), state.projectRoot].map((root) => normalizeString(root)).filter((root) => Boolean(root)).map((root) => resolve13(root, "packages", "pi-rig")).find((candidate) => existsSync10(resolve13(candidate, "package.json"))) ?? "npm:@rig/pi-rig";
           if (process.env.RIG_TEST_FAKE_PI_INSTALL === "1") {
             return deps.jsonResponse({ ok: true, installed: true, piOk: true, piRigOk: true, extensionPath: "remote:~/.pi/agent/extensions/pi-rig", packageSource });
           }
@@ -3937,9 +4316,9 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           } catch {
             return deps.badRequest("Invalid artifact path");
           }
-          mkdirSync7(dirname6(artifactPath), { recursive: true });
+          mkdirSync9(dirname9(artifactPath), { recursive: true });
           const bytes = Buffer.from(contentBase64, "base64");
-          writeFileSync7(artifactPath, bytes);
+          writeFileSync9(artifactPath, bytes);
           writeJsonFile4(`${artifactPath}.json`, {
             workspaceId: normalizeString(body.workspaceId) ?? RIG_WORKSPACE_ID,
             runId,
@@ -3982,7 +4361,6 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             hostId,
             endpointId: leaseId
           });
-          await updateRemoteRunTaskSourceLifecycle(state.projectRoot, { ...run, status: "completed", completedAt, hostId, endpointId: leaseId }, "closed", "Remote Rig task run completed and closed this task.");
           await deps.enqueueRunLinearEvent(state.projectRoot, {
             type: "run.completed",
             runId,
@@ -4101,12 +4479,12 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           try {
             const runsRoot = resolveAuthorityPaths(state.projectRoot).runsDir;
             const runRoot = deps.normalizeRelativePath(runsRoot, runId);
-            const artifactsRoot = resolve11(runRoot, "remote-artifacts");
+            const artifactsRoot = resolve13(runRoot, "remote-artifacts");
             artifactPath = deps.normalizeRelativePath(artifactsRoot, fileName);
           } catch {
             return deps.badRequest("Invalid artifact path");
           }
-          if (!existsSync8(artifactPath)) {
+          if (!existsSync10(artifactPath)) {
             return deps.notFound();
           }
           return new Response(Bun.file(artifactPath));