@h-rig/server 0.0.6-alpha.2 → 0.0.6-alpha.21

package/dist/src/server-helpers/http-router.js

@@ -4,8 +4,8 @@ var __require = import.meta.require;
 // packages/server/src/server-helpers/http-router.ts
 import { randomUUID } from "crypto";
 import { spawnSync as spawnSync2 } from "child_process";
-import { basename, dirname as dirname6, isAbsolute as isAbsolute2, resolve as resolve11 } from "path";
-import { copyFileSync, existsSync as existsSync8, mkdirSync as mkdirSync7, readFileSync as readFileSync5, writeFileSync as writeFileSync7 } from "fs";
+import { basename, dirname as dirname9, isAbsolute as isAbsolute3, resolve as resolve13 } from "path";
+import { copyFileSync as copyFileSync2, existsSync as existsSync10, mkdirSync as mkdirSync9, readFileSync as readFileSync7, writeFileSync as writeFileSync9 } from "fs";
 
 // packages/server/src/server.ts
 import {
@@ -224,6 +224,18 @@ function readJsonlFileTail(path, options) {
   const completeLines = start > 0 ? lines.slice(1) : lines;
   return parseJsonlRecords(completeLines.filter(Boolean).slice(-limit));
 }
+async function readRunTimelinePage(projectRoot, runId, options = {}) {
+  const limit = Math.max(1, Math.min(Math.trunc(options.limit ?? 200), 500));
+  const cursor = options.cursor == null ? 0 : Number.parseInt(options.cursor, 10);
+  const entries = readJsonlFile(runTimelinePath(projectRoot, runId)).filter((entry) => Boolean(entry && typeof entry === "object" && !Array.isArray(entry)));
+  const startInclusive = Number.isFinite(cursor) ? Math.max(0, Math.min(cursor, entries.length)) : 0;
+  const endExclusive = Math.min(entries.length, startInclusive + limit);
+  return {
+    entries: entries.slice(startInclusive, endExclusive).map((entry, offset) => ({ ...entry, cursor: startInclusive + offset + 1 })),
+    nextCursor: String(endExclusive),
+    hasMore: endExclusive < entries.length
+  };
+}
 var INITIAL_RUN_LOG_TAIL_MAX_BYTES = 8 * 1024 * 1024;
 async function readRunLogsPage(projectRoot, runId, options = {}) {
   const limit = Math.max(1, Math.min(Math.trunc(options.limit ?? 200), 500));
@@ -469,6 +481,273 @@ async function refreshTaskProjection(projectRoot, input) {
   });
 }
 
+// packages/server/src/server-helpers/issue-analysis.ts
+import { createHash } from "crypto";
+function stableIssueHash(issue) {
+  const labels = Array.isArray(issue.labels) ? [...issue.labels].map(String).sort() : [];
+  const body = typeof issue.body === "string" ? issue.body : "";
+  const title = typeof issue.title === "string" ? issue.title : "";
+  return createHash("sha256").update(JSON.stringify({ id: issue.id, title, body, labels, deps: issue.deps, status: issue.status })).digest("hex");
+}
+function renderIssueAnalysisPrompt(input) {
+  const issue = input.issue;
+  const neighbors = input.neighbors ?? [];
+  return [
+    "You are Rig issue analysis running inside Pi.",
+    "Return JSON only with optional metadataPatch, labelsToAdd, labelsToRemove, and generatedIssues.",
+    "Preserve all human-authored issue body content. Only propose edits for Rig-owned metadata/status sections, labels, and generated issues.",
+    "Generated issues must be concrete, minimal follow-up tasks and will be labeled rig:generated by Rig.",
+    "",
+    "Issue:",
+    JSON.stringify({
+      id: issue.id,
+      title: issue.title,
+      body: issue.body,
+      labels: issue.labels,
+      deps: issue.deps,
+      status: issue.status
+    }, null, 2),
+    "",
+    "Neighbor tasks:",
+    JSON.stringify(neighbors.map((task) => ({ id: task.id, title: task.title, status: task.status, deps: task.deps })), null, 2)
+  ].join(`
+`);
+}
+function isRecord(value) {
+  return Boolean(value && typeof value === "object" && !Array.isArray(value));
+}
+function stringArray(value) {
+  if (!Array.isArray(value))
+    return;
+  return value.map(String).filter((entry) => entry.trim().length > 0);
+}
+function generatedIssues(value) {
+  if (!Array.isArray(value))
+    return;
+  return value.flatMap((entry) => {
+    if (!isRecord(entry) || typeof entry.title !== "string")
+      return [];
+    return [{
+      title: entry.title,
+      body: typeof entry.body === "string" ? entry.body : "",
+      labels: stringArray(entry.labels) ?? [],
+      ...Array.isArray(entry.dependsOn) ? { dependsOn: entry.dependsOn.map(String) } : {}
+    }];
+  });
+}
+function findJsonLikeText(value) {
+  if (typeof value === "string") {
+    const trimmed = value.trim();
+    if (trimmed.startsWith("{") || trimmed.startsWith("```"))
+      return trimmed;
+    return null;
+  }
+  if (Array.isArray(value)) {
+    for (const entry of value) {
+      const found = findJsonLikeText(entry);
+      if (found)
+        return found;
+    }
+    return null;
+  }
+  if (!isRecord(value))
+    return null;
+  for (const key of ["text", "content", "message", "output_text", "response", "stdout"]) {
+    const found = findJsonLikeText(value[key]);
+    if (found)
+      return found;
+  }
+  for (const entry of Object.values(value)) {
+    const found = findJsonLikeText(entry);
+    if (found)
+      return found;
+  }
+  return null;
+}
+function candidateAnalysisObject(value) {
+  if (!isRecord(value))
+    return null;
+  if (isRecord(value.result))
+    return candidateAnalysisObject(value.result) ?? value.result;
+  if (isRecord(value.analysis))
+    return candidateAnalysisObject(value.analysis) ?? value.analysis;
+  if (isRecord(value.metadataPatch) || Array.isArray(value.labelsToAdd) || Array.isArray(value.labelsToRemove) || Array.isArray(value.generatedIssues)) {
+    return value;
+  }
+  const nested = findJsonLikeText(value);
+  if (nested && nested !== JSON.stringify(value)) {
+    try {
+      const parsedNested = JSON.parse(nested.match(/```(?:json)?\s*([\s\S]*?)\s*```/i)?.[1]?.trim() ?? nested);
+      return candidateAnalysisObject(parsedNested);
+    } catch {
+      return null;
+    }
+  }
+  return null;
+}
+function parseIssueAnalysisResult(raw) {
+  let parsed = raw;
+  if (typeof raw === "string") {
+    const trimmed = raw.trim();
+    const fenced = trimmed.match(/```(?:json)?\s*([\s\S]*?)\s*```/i)?.[1]?.trim();
+    try {
+      parsed = JSON.parse(fenced ?? trimmed);
+    } catch {
+      const lastJsonLine = trimmed.split(/\r?\n/).reverse().find((line) => line.trim().startsWith("{"));
+      parsed = lastJsonLine ? JSON.parse(lastJsonLine) : {};
+    }
+  }
+  const candidate = candidateAnalysisObject(parsed);
+  if (!candidate)
+    return {};
+  const result = {};
+  if (isRecord(candidate.metadataPatch))
+    result.metadataPatch = candidate.metadataPatch;
+  const add = stringArray(candidate.labelsToAdd);
+  if (add?.length)
+    result.labelsToAdd = add;
+  const remove = stringArray(candidate.labelsToRemove);
+  if (remove?.length)
+    result.labelsToRemove = remove;
+  const generated = generatedIssues(candidate.generatedIssues);
+  if (generated?.length)
+    result.generatedIssues = generated;
+  return result;
+}
+function createDefaultPiIssueAnalysisCommandRunner() {
+  return async (command, args, options) => {
+    const env = options.env ? { ...process.env, ...options.env } : process.env;
+    const proc = Bun.spawn([command, ...args], {
+      stdout: "pipe",
+      stderr: "pipe",
+      env
+    });
+    let timedOut = false;
+    const timer = setTimeout(() => {
+      timedOut = true;
+      proc.kill();
+    }, options.timeoutMs);
+    try {
+      const [stdout, stderr, exitCode] = await Promise.all([
+        new Response(proc.stdout).text(),
+        new Response(proc.stderr).text(),
+        proc.exited
+      ]);
+      return {
+        exitCode: timedOut && exitCode === 0 ? 1 : exitCode,
+        stdout,
+        stderr: timedOut && stderr.trim().length === 0 ? `Pi issue analysis timed out after ${options.timeoutMs}ms` : stderr
+      };
+    } finally {
+      clearTimeout(timer);
+    }
+  };
+}
+function createPiIssueAnalyzer(input = {}) {
+  const piBinary = input.piBinary ?? process.env.RIG_ISSUE_ANALYSIS_PI_BINARY ?? "pi";
+  const timeoutMs = Math.max(1000, Math.trunc(input.timeoutMs ?? Number(process.env.RIG_ISSUE_ANALYSIS_TIMEOUT_MS ?? 120000)));
+  const runCommand = input.runCommand ?? createDefaultPiIssueAnalysisCommandRunner();
+  return async ({ prompt }) => {
+    const args = ["--print", "--mode", "json", "--no-session"];
+    const provider = input.provider?.trim() || process.env.RIG_ISSUE_ANALYSIS_PROVIDER?.trim() || process.env.RIG_PI_PROVIDER?.trim();
+    const model = input.model?.trim() || process.env.RIG_ISSUE_ANALYSIS_MODEL?.trim() || process.env.RIG_PI_MODEL?.trim() || "openai-codex/gpt-5.5";
+    if (provider)
+      args.push("--provider", provider);
+    if (model)
+      args.push("--model", model);
+    args.push(prompt);
+    const result = await runCommand(piBinary, args, { timeoutMs, ...input.env ? { env: input.env } : {} });
+    if (result.exitCode !== 0) {
+      throw new Error(`Pi issue analysis failed (exit ${result.exitCode}): ${result.stderr ?? result.stdout}`);
+    }
+    return parseIssueAnalysisResult(result.stdout);
+  };
+}
+function defaultStatusComment(input) {
+  const changes = [
+    input.result.metadataPatch ? "metadata" : null,
+    input.result.labelsToAdd?.length ? `labels added: ${input.result.labelsToAdd.join(", ")}` : null,
+    input.result.labelsToRemove?.length ? `labels removed: ${input.result.labelsToRemove.join(", ")}` : null,
+    input.result.generatedIssues?.length ? `generated issues: ${input.result.generatedIssues.length}` : null
+  ].filter((entry) => Boolean(entry));
+  if (changes.length === 0)
+    return null;
+  return [
+    "<!-- rig:status-comment -->",
+    "### Rig issue analysis",
+    "",
+    `Analyzed issue ${input.issue.id}${input.reason ? ` (${input.reason})` : ""}.`,
+    "",
+    ...changes.map((change) => `- ${change}`)
+  ].join(`
+`);
+}
+function uniqueLabels(labels, required = []) {
+  return [...new Set([...labels ?? [], ...required].map((label) => label.trim()).filter(Boolean))];
+}
+function createIssueAnalysisWriteBack(input) {
+  return async ({ issue, result, reason }) => {
+    if (result.metadataPatch && Object.keys(result.metadataPatch).length > 0) {
+      if (!input.target.updateTask)
+        throw new Error("Issue analysis writeback requires updateTask for metadata patches.");
+      await input.target.updateTask(issue.id, { metadata: result.metadataPatch });
+    }
+    if (result.labelsToAdd?.length) {
+      if (!input.target.addLabels)
+        throw new Error("Issue analysis writeback requires addLabels for labelsToAdd.");
+      await input.target.addLabels(issue.id, uniqueLabels(result.labelsToAdd));
+    }
+    if (result.labelsToRemove?.length) {
+      if (!input.target.removeLabels)
+        throw new Error("Issue analysis writeback requires removeLabels for labelsToRemove.");
+      await input.target.removeLabels(issue.id, uniqueLabels(result.labelsToRemove));
+    }
+    const comment = (input.buildStatusComment ?? defaultStatusComment)({ issue, result, reason });
+    if (comment?.trim()) {
+      if (!input.target.updateTask)
+        throw new Error("Issue analysis writeback requires updateTask for sticky status comments.");
+      await input.target.updateTask(issue.id, { comment });
+    }
+    for (const generated of result.generatedIssues ?? []) {
+      if (!input.target.createIssue)
+        throw new Error("Issue analysis writeback requires createIssue for generated issues.");
+      await input.target.createIssue({
+        title: generated.title,
+        body: generated.dependsOn?.length ? `${generated.body.trimEnd()}
+
+depends-on: ${generated.dependsOn.map((dep) => dep.startsWith("#") ? dep : `#${dep}`).join(", ")}
+` : generated.body,
+        labels: uniqueLabels(generated.labels, ["rig:generated"])
+      });
+    }
+  };
+}
+function createIssueAnalysisService(input) {
+  const analyzedHashes = new Map;
+  return {
+    async analyze(issues, options = {}) {
+      const results = [];
+      const neighbors = options.neighbors ?? issues;
+      for (const issue of issues) {
+        const hash = stableIssueHash(issue);
+        if (analyzedHashes.get(issue.id) === hash)
+          continue;
+        const prompt = renderIssueAnalysisPrompt({ issue, neighbors: neighbors.filter((candidate) => candidate.id !== issue.id) });
+        const result = await input.analyzer({ issue, neighbors, prompt });
+        analyzedHashes.set(issue.id, hash);
+        if (result.metadataPatch || result.labelsToAdd?.length || result.labelsToRemove?.length || result.generatedIssues?.length) {
+          await input.writeBack?.({ issue, result, reason: options.reason });
+        }
+        results.push({ issue, result });
+      }
+      return results;
+    },
+    clearCache() {
+      analyzedHashes.clear();
+    }
+  };
+}
+
 // packages/server/src/server-helpers/terminal-runtime.ts
 import { WS_CHANNELS as WS_CHANNELS2 } from "@rig/contracts";
 
@@ -521,6 +800,11 @@ import {
   buildTaskRunLifecycleComment,
   updateConfiguredTaskSourceTask
 } from "@rig/runtime/control-plane/tasks/source-lifecycle";
+import {
+  closeIssueAfterMergedPr,
+  commitRunChanges,
+  runPrAutomation
+} from "@rig/runtime/control-plane/native/pr-automation";
 
 // packages/server/src/scheduler.ts
 import { normalizeTaskLifecycleStatus } from "@rig/runtime/control-plane/state-sync/types";
@@ -536,8 +820,8 @@ import {
 
 // packages/server/src/server-helpers/github-auth-store.ts
 import { randomBytes } from "crypto";
-import { chmodSync, existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync2, writeFileSync as writeFileSync3 } from "fs";
-import { resolve as resolve7 } from "path";
+import { chmodSync, copyFileSync, existsSync as existsSync4, mkdirSync as mkdirSync3, readFileSync as readFileSync2, writeFileSync as writeFileSync3 } from "fs";
+import { dirname as dirname3, resolve as resolve7 } from "path";
 function cleanString(value) {
   return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
 }
@@ -567,6 +851,26 @@ function parseApiSessions(value) {
     }];
   });
 }
+function parsePendingDevice(value) {
+  if (!value || typeof value !== "object")
+    return null;
+  const record = value;
+  const pollId = cleanString(record.pollId);
+  const deviceCode = cleanString(record.deviceCode);
+  const expiresAt = cleanString(record.expiresAt);
+  const intervalSeconds = typeof record.intervalSeconds === "number" && Number.isFinite(record.intervalSeconds) ? Math.max(1, Math.floor(record.intervalSeconds)) : null;
+  if (!pollId || !deviceCode || !expiresAt || !intervalSeconds)
+    return null;
+  return { pollId, deviceCode, expiresAt, intervalSeconds };
+}
+function parsePendingDevices(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    const pending = parsePendingDevice(entry);
+    return pending ? [pending] : [];
+  });
+}
 function readStoredAuth(stateFile) {
   if (!existsSync4(stateFile))
     return {};
@@ -580,6 +884,7 @@ function readStoredAuth(stateFile) {
       selectedRepo: cleanString(parsed.selectedRepo),
       tokenSource: parsed.tokenSource === "oauth-device" || parsed.tokenSource === "manual-token" || parsed.tokenSource === "env" ? parsed.tokenSource : undefined,
       pendingDevice: parsePendingDevice(parsed.pendingDevice),
+      pendingDevices: parsePendingDevices(parsed.pendingDevices),
       apiSessions: parseApiSessions(parsed.apiSessions),
       updatedAt: cleanString(parsed.updatedAt) ?? undefined
     };
@@ -587,34 +892,36 @@ function readStoredAuth(stateFile) {
     return {};
   }
 }
-function parsePendingDevice(value) {
-  if (!value || typeof value !== "object")
-    return null;
-  const record = value;
-  const pollId = cleanString(record.pollId);
-  const deviceCode = cleanString(record.deviceCode);
-  const expiresAt = cleanString(record.expiresAt);
-  const intervalSeconds = typeof record.intervalSeconds === "number" && Number.isFinite(record.intervalSeconds) ? Math.max(1, Math.floor(record.intervalSeconds)) : null;
-  if (!pollId || !deviceCode || !expiresAt || !intervalSeconds)
-    return null;
-  return { pollId, deviceCode, expiresAt, intervalSeconds };
-}
 function newApiSessionToken() {
   return `rig_${randomBytes(32).toString("base64url")}`;
 }
 function writeStoredAuth(stateFile, payload) {
-  mkdirSync3(resolve7(stateFile, ".."), { recursive: true });
+  mkdirSync3(dirname3(stateFile), { recursive: true });
   writeFileSync3(stateFile, `${JSON.stringify(payload, null, 2)}
 `, { encoding: "utf8", mode: 384 });
   try {
     chmodSync(stateFile, 384);
   } catch {}
 }
+function localProjectAuthStateFile(projectRoot) {
+  return resolve7(projectRoot, ".rig", "state", "github-auth.json");
+}
 function resolveGitHubAuthStateFile(projectRoot) {
   return resolve7(resolveServerAuthorityPaths(projectRoot).stateDir, "github-auth.json");
 }
-function createGitHubAuthStore(projectRoot) {
-  const stateFile = resolveGitHubAuthStateFile(projectRoot);
+function copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot) {
+  const targetFile = localProjectAuthStateFile(projectRoot);
+  mkdirSync3(dirname3(targetFile), { recursive: true });
+  if (existsSync4(stateFile)) {
+    copyFileSync(stateFile, targetFile);
+    try {
+      chmodSync(targetFile, 384);
+    } catch {}
+    return;
+  }
+  writeStoredAuth(targetFile, {});
+}
+function createGitHubAuthStoreFromStateFile(stateFile) {
   return {
     stateFile,
     status(options) {
@@ -644,6 +951,7 @@ function createGitHubAuthStore(projectRoot) {
         scopes: input.scopes ?? [],
         selectedRepo: input.selectedRepo ?? previous.selectedRepo ?? null,
         pendingDevice: null,
+        pendingDevices: [],
         apiSessions: previous.apiSessions ?? [],
         updatedAt: new Date().toISOString()
       });
@@ -672,15 +980,24 @@ function createGitHubAuthStore(projectRoot) {
       const session = (previous.apiSessions ?? []).find((candidate) => candidate.token === clean);
       return session ? { login: cleanString(session.login), userId: cleanString(session.userId) } : null;
     },
-    copyToProjectRoot(projectRoot2) {
-      const targetFile = resolveGitHubAuthStateFile(projectRoot2);
+    copyToProjectRoot(projectRoot) {
+      const targetFile = resolveGitHubAuthStateFile(projectRoot);
       writeStoredAuth(targetFile, readStoredAuth(stateFile));
     },
+    copyToLocalProjectRoot(projectRoot) {
+      copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot);
+    },
     savePendingDevice(input) {
       const previous = readStoredAuth(stateFile);
+      const pendingDevices = [
+        ...previous.pendingDevice ? [previous.pendingDevice] : [],
+        ...previous.pendingDevices ?? [],
+        input
+      ].filter((entry, index, entries) => entries.findIndex((candidate) => candidate.pollId === entry.pollId) === index);
       writeStoredAuth(stateFile, {
         ...previous,
-        pendingDevice: input,
+        pendingDevice: null,
+        pendingDevices,
         updatedAt: new Date().toISOString()
       });
     },
@@ -693,23 +1010,32 @@ function createGitHubAuthStore(projectRoot) {
       });
     },
     readPendingDevice(pollId) {
-      const pending = readStoredAuth(stateFile).pendingDevice ?? null;
-      if (!pending || pending.pollId !== pollId)
+      const previous = readStoredAuth(stateFile);
+      const pending = [
+        ...previous.pendingDevice ? [previous.pendingDevice] : [],
+        ...previous.pendingDevices ?? []
+      ].find((entry) => entry.pollId === pollId) ?? null;
+      if (!pending)
         return null;
       if (Date.parse(pending.expiresAt) <= Date.now())
         return null;
       return pending;
     },
-    clearPendingDevice() {
+    clearPendingDevice(pollId) {
       const previous = readStoredAuth(stateFile);
+      const remaining = pollId ? (previous.pendingDevices ?? []).filter((entry) => entry.pollId !== pollId) : [];
       writeStoredAuth(stateFile, {
         ...previous,
         pendingDevice: null,
+        pendingDevices: remaining,
         updatedAt: new Date().toISOString()
       });
     }
   };
 }
+function createGitHubAuthStore(projectRoot) {
+  return createGitHubAuthStoreFromStateFile(resolveGitHubAuthStateFile(projectRoot));
+}
 
 // packages/server/src/server-helpers/github-projects.ts
 function asRecord(value) {
@@ -718,6 +1044,9 @@ function asRecord(value) {
 function asString(value) {
   return typeof value === "string" && value.trim().length > 0 ? value : undefined;
 }
+function asNumber(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : undefined;
+}
 async function defaultGraphQLFetch(query, variables, token) {
   const response = await fetch("https://api.github.com/graphql", {
     method: "POST",
@@ -734,6 +1063,32 @@ async function defaultGraphQLFetch(query, variables, token) {
   }
   return json.data;
 }
+function projectNodesFrom(data) {
+  const root = asRecord(data);
+  const owner = asRecord(root?.organization) ?? asRecord(root?.user);
+  const projects = asRecord(owner?.projectsV2);
+  const nodes = projects?.nodes;
+  return Array.isArray(nodes) ? nodes : [];
+}
+async function listGitHubProjects(input) {
+  const query = `
+    query RigListProjects($owner: String!, $first: Int!) {
+      organization(login: $owner) { projectsV2(first: $first, orderBy: { field: UPDATED_AT, direction: DESC }) { nodes { id number title url } } }
+      user(login: $owner) { projectsV2(first: $first, orderBy: { field: UPDATED_AT, direction: DESC }) { nodes { id number title url } } }
+    }
+  `;
+  const fetchGraphQL = input.fetchGraphQL ?? defaultGraphQLFetch;
+  const data = await fetchGraphQL(query, { owner: input.owner, first: input.first ?? 20 }, input.token);
+  return projectNodesFrom(data).flatMap((node) => {
+    const record = asRecord(node);
+    const id = asString(record?.id);
+    const number = asNumber(record?.number);
+    const title = asString(record?.title);
+    if (!id || number === undefined || !title)
+      return [];
+    return [{ id, number, title, ...asString(record?.url) ? { url: asString(record?.url) } : {} }];
+  });
+}
 async function resolveProjectStatusField(input) {
   const query = `
     query RigProjectStatusField($projectId: ID!) {
@@ -828,6 +1183,7 @@ var DEFAULT_PROJECT_STATUSES = {
   running: "In Progress",
   prOpen: "In Review",
   ciFixing: "In Review",
+  merging: "Merging",
   done: "Done",
   needsAttention: "Needs Attention"
 };
@@ -841,6 +1197,8 @@ function lifecycleStatusForTaskStatus(status) {
     return "prOpen";
   if (normalized === "ci_fixing" || normalized === "fixing")
     return "ciFixing";
+  if (normalized === "merging" || normalized === "merge")
+    return "merging";
   if (normalized === "failed" || normalized === "needs_attention" || normalized === "blocked")
     return "needsAttention";
   if (normalized === "in_progress" || normalized === "running" || normalized === "ready" || normalized === "open")
@@ -916,7 +1274,8 @@ var TERMINAL_RUN_STATUSES2 = new Set([
   "needs-attention",
   "stopped"
 ]);
-var ORPHANABLE_LOCAL_RUN_STATUSES = new Set(["preparing", "running"]);
+var RESUMABLE_SERVER_CLOSEOUT_STATUSES = new Set(["pending", "running"]);
+var ACTIVE_LOCAL_RUN_STATUSES = new Set(["created", "preparing", "running", "validating", "reviewing"]);
 
 // packages/server/src/server-helpers/ws-router.ts
 import {
@@ -1098,7 +1457,7 @@ import {
 } from "@rig/runtime/control-plane/remote";
 
 // packages/server/src/server-helpers/run-steering.ts
-import { dirname as dirname3, resolve as resolve8 } from "path";
+import { dirname as dirname4, resolve as resolve8 } from "path";
 import { existsSync as existsSync5, mkdirSync as mkdirSync4, readFileSync as readFileSync3 } from "fs";
 import { appendJsonlRecord as appendJsonlRecord2, readAuthorityRun as readAuthorityRun7, resolveAuthorityRunDir as resolveAuthorityRunDir4 } from "@rig/runtime/control-plane/authority-files";
 var steeringSequence = 0;
@@ -1185,7 +1544,7 @@ function queueRunSteeringMessage(projectRoot, runId, input) {
     delivered: false
   };
   const path = runSteeringPath(projectRoot, runId);
-  mkdirSync4(dirname3(path), { recursive: true });
+  mkdirSync4(dirname4(path), { recursive: true });
   appendJsonlRecord2(path, entry);
   appendRunTimelineEntry(projectRoot, runId, {
     id: entry.id,
@@ -1222,24 +1581,205 @@ import {
   updateConfiguredTaskSourceTask as updateConfiguredTaskSourceTask2
 } from "@rig/runtime/control-plane/tasks/source-lifecycle";
 
+// packages/server/src/server-helpers/github-api-session-index.ts
+import { chmodSync as chmodSync3, existsSync as existsSync7, mkdirSync as mkdirSync6, readFileSync as readFileSync5, writeFileSync as writeFileSync6 } from "fs";
+import { dirname as dirname6, resolve as resolve10 } from "path";
+
+// packages/server/src/server-helpers/github-user-namespace.ts
+import { chmodSync as chmodSync2, existsSync as existsSync6, mkdirSync as mkdirSync5, readFileSync as readFileSync4, writeFileSync as writeFileSync5 } from "fs";
+import { dirname as dirname5, isAbsolute, relative, resolve as resolve9 } from "path";
+function cleanString3(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function sanitizePathSegment(value) {
+  return value.trim().toLowerCase().replace(/[^a-z0-9._-]/g, "-").replace(/^-+|-+$/g, "").slice(0, 96);
+}
+function deriveGitHubUserNamespaceKey(identity) {
+  const userId = cleanString3(identity.userId);
+  if (userId) {
+    const safeId = sanitizePathSegment(userId);
+    if (safeId)
+      return `ghu-${safeId}`;
+  }
+  const login = cleanString3(identity.login);
+  if (login) {
+    const safeLogin = sanitizePathSegment(login);
+    if (safeLogin)
+      return `ghu-login-${safeLogin}`;
+  }
+  throw new Error("GitHub user namespace requires a user id or login");
+}
+function resolveRemoteUserNamespacesRoot(projectRoot) {
+  const explicitRoot = cleanString3(process.env.RIG_REMOTE_USER_NAMESPACE_ROOT);
+  if (explicitRoot)
+    return resolve9(explicitRoot);
+  const stateDir2 = cleanString3(process.env.RIG_STATE_DIR);
+  if (stateDir2)
+    return resolve9(dirname5(resolve9(stateDir2)), "users");
+  return resolve9(projectRoot, ".rig", "users");
+}
+function resolveRemoteUserNamespace(projectRoot, identity) {
+  const key = deriveGitHubUserNamespaceKey(identity);
+  const root = resolve9(resolveRemoteUserNamespacesRoot(projectRoot), key);
+  const stateDir2 = resolve9(root, ".rig", "state");
+  return {
+    key,
+    userId: cleanString3(identity.userId),
+    login: cleanString3(identity.login),
+    root,
+    stateDir: stateDir2,
+    authStateFile: resolve9(stateDir2, "github-auth.json"),
+    metadataFile: resolve9(stateDir2, "user-namespace.json"),
+    checkoutBaseDir: resolve9(root, "remote-checkouts"),
+    snapshotBaseDir: resolve9(root, "remote-snapshots")
+  };
+}
+function serializeRemoteUserNamespace(namespace) {
+  return {
+    key: namespace.key,
+    userId: namespace.userId,
+    login: namespace.login,
+    root: namespace.root,
+    checkoutBaseDir: namespace.checkoutBaseDir,
+    snapshotBaseDir: namespace.snapshotBaseDir
+  };
+}
+function isPathInsideNamespace(namespaceRoot, candidatePath) {
+  const root = resolve9(namespaceRoot);
+  const candidate = resolve9(candidatePath);
+  const rel = relative(root, candidate);
+  return rel === "" || !rel.startsWith("..") && !isAbsolute(rel);
+}
+function writeRemoteUserNamespaceMetadata(namespace) {
+  mkdirSync5(namespace.stateDir, { recursive: true });
+  const previous = (() => {
+    if (!existsSync6(namespace.metadataFile))
+      return null;
+    try {
+      const parsed = JSON.parse(readFileSync4(namespace.metadataFile, "utf8"));
+      return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+    } catch {
+      return null;
+    }
+  })();
+  const now = new Date().toISOString();
+  writeFileSync5(namespace.metadataFile, `${JSON.stringify({
+    key: namespace.key,
+    userId: namespace.userId,
+    login: namespace.login,
+    root: namespace.root,
+    checkoutBaseDir: namespace.checkoutBaseDir,
+    snapshotBaseDir: namespace.snapshotBaseDir,
+    createdAt: typeof previous?.createdAt === "string" ? previous.createdAt : now,
+    updatedAt: now
+  }, null, 2)}
+`, { encoding: "utf8", mode: 384 });
+  try {
+    chmodSync2(namespace.metadataFile, 384);
+  } catch {}
+}
+
+// packages/server/src/server-helpers/github-api-session-index.ts
+function cleanString4(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function resolveGitHubApiSessionIndexFile(projectRoot) {
+  return resolve10(resolveRemoteUserNamespacesRoot(projectRoot), ".api-sessions.json");
+}
+function parseEntry(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value))
+    return null;
+  const record = value;
+  const token = cleanString4(record.token);
+  const namespaceKey = cleanString4(record.namespaceKey);
+  const namespaceRoot = cleanString4(record.namespaceRoot);
+  const authStateFile = cleanString4(record.authStateFile);
+  const checkoutBaseDir = cleanString4(record.checkoutBaseDir);
+  const snapshotBaseDir = cleanString4(record.snapshotBaseDir);
+  const createdAt = cleanString4(record.createdAt);
+  if (!token || !namespaceKey || !namespaceRoot || !authStateFile || !checkoutBaseDir || !snapshotBaseDir || !createdAt)
+    return null;
+  return {
+    token,
+    namespaceKey,
+    namespaceRoot,
+    authStateFile,
+    checkoutBaseDir,
+    snapshotBaseDir,
+    createdAt,
+    login: cleanString4(record.login),
+    userId: cleanString4(record.userId),
+    selectedRepo: cleanString4(record.selectedRepo)
+  };
+}
+function readIndex(indexFile) {
+  if (!existsSync7(indexFile))
+    return [];
+  try {
+    const parsed = JSON.parse(readFileSync5(indexFile, "utf8"));
+    return Array.isArray(parsed.sessions) ? parsed.sessions.flatMap((entry) => {
+      const parsedEntry = parseEntry(entry);
+      return parsedEntry ? [parsedEntry] : [];
+    }) : [];
+  } catch {
+    return [];
+  }
+}
+function writeIndex(indexFile, sessions) {
+  mkdirSync6(dirname6(indexFile), { recursive: true });
+  writeFileSync6(indexFile, `${JSON.stringify({ sessions }, null, 2)}
+`, { encoding: "utf8", mode: 384 });
+  try {
+    chmodSync3(indexFile, 384);
+  } catch {}
+}
+function registerGitHubApiSession(input) {
+  const cleanToken = cleanString4(input.token);
+  if (!cleanToken)
+    throw new Error("GitHub API session token is required");
+  const indexFile = resolveGitHubApiSessionIndexFile(input.projectRoot);
+  const createdAt = new Date().toISOString();
+  const entry = {
+    token: cleanToken,
+    login: input.namespace.login,
+    userId: input.namespace.userId,
+    namespaceKey: input.namespace.key,
+    namespaceRoot: input.namespace.root,
+    authStateFile: input.namespace.authStateFile,
+    checkoutBaseDir: input.namespace.checkoutBaseDir,
+    snapshotBaseDir: input.namespace.snapshotBaseDir,
+    selectedRepo: cleanString4(input.selectedRepo),
+    createdAt
+  };
+  const previous = readIndex(indexFile).filter((session) => session.token !== cleanToken);
+  writeIndex(indexFile, [...previous.slice(-199), entry]);
+  return entry;
+}
+function readGitHubApiSession(input) {
+  const cleanToken = cleanString4(input.token);
+  if (!cleanToken)
+    return null;
+  return readIndex(resolveGitHubApiSessionIndexFile(input.projectRoot)).find((entry) => entry.token === cleanToken) ?? null;
+}
+
 // packages/server/src/server-helpers/project-registry.ts
-import { createHash } from "crypto";
+import { createHash as createHash2 } from "crypto";
 import { spawnSync } from "child_process";
-import { existsSync as existsSync6, mkdirSync as mkdirSync5, readFileSync as readFileSync4, readdirSync, writeFileSync as writeFileSync5 } from "fs";
-import { dirname as dirname4, resolve as resolve9 } from "path";
+import { existsSync as existsSync8, mkdirSync as mkdirSync7, readFileSync as readFileSync6, readdirSync, writeFileSync as writeFileSync7 } from "fs";
+import { dirname as dirname7, resolve as resolve11 } from "path";
 function normalizeRepoSlug(value) {
   const trimmed = value.trim();
   return /^[^/\s]+\/[^/\s]+$/.test(trimmed) ? trimmed : null;
 }
 function registryPath(projectRoot) {
-  return resolve9(projectRoot, ".rig", "state", "projects.json");
+  return resolve11(projectRoot, ".rig", "state", "projects.json");
 }
 function readRegistry(projectRoot) {
   const path = registryPath(projectRoot);
-  if (!existsSync6(path))
+  if (!existsSync8(path))
     return {};
   try {
-    const payload = JSON.parse(readFileSync4(path, "utf8"));
+    const payload = JSON.parse(readFileSync6(path, "utf8"));
     if (!payload || typeof payload !== "object" || Array.isArray(payload))
       return {};
     const projects = payload.projects;
@@ -1250,14 +1790,14 @@ function readRegistry(projectRoot) {
 }
 function writeRegistry(projectRoot, projects) {
   const path = registryPath(projectRoot);
-  mkdirSync5(dirname4(path), { recursive: true });
-  writeFileSync5(path, `${JSON.stringify({ projects }, null, 2)}
+  mkdirSync7(dirname7(path), { recursive: true });
+  writeFileSync7(path, `${JSON.stringify({ projects }, null, 2)}
 `, "utf8");
 }
 function resolveConfigPath(projectRoot) {
   for (const name of ["rig.config.ts", "rig.config.mts", "rig.config.json"]) {
-    const path = resolve9(projectRoot, name);
-    if (existsSync6(path))
+    const path = resolve11(projectRoot, name);
+    if (existsSync8(path))
       return path;
   }
   return null;
@@ -1266,7 +1806,7 @@ function hashFile(path) {
   if (!path)
     return null;
   try {
-    return createHash("sha256").update(readFileSync4(path)).digest("hex");
+    return createHash2("sha256").update(readFileSync6(path)).digest("hex");
   } catch {
     return null;
   }
@@ -1282,11 +1822,11 @@ function readDefaultBranch(projectRoot) {
   return head.status === 0 && head.stdout.trim() && head.stdout.trim() !== "HEAD" ? head.stdout.trim() : null;
 }
 function buildRunSummary(projectRoot) {
-  const runsDir = resolve9(projectRoot, ".rig", "runs");
+  const runsDir = resolve11(projectRoot, ".rig", "runs");
   try {
     const runs = readdirSync(runsDir, { withFileTypes: true }).filter((entry) => entry.isDirectory()).flatMap((entry) => {
       try {
-        const run = JSON.parse(readFileSync4(resolve9(runsDir, entry.name, "run.json"), "utf8"));
+        const run = JSON.parse(readFileSync6(resolve11(runsDir, entry.name, "run.json"), "utf8"));
         return [{ runId: typeof run.runId === "string" ? run.runId : entry.name, status: typeof run.status === "string" ? run.status : "unknown", updatedAt: typeof run.updatedAt === "string" ? run.updatedAt : "" }];
       } catch {
         return [];
@@ -1338,10 +1878,14 @@ function upsertProjectRecord(projectRoot, input) {
 function linkProjectCheckout(projectRoot, repoSlug, checkout) {
   return upsertProjectRecord(projectRoot, { repoSlug, checkout });
 }
+function projectRegistryContainsCheckout(projectRoot, checkoutPath) {
+  const target = resolve11(checkoutPath);
+  return Object.values(readRegistry(projectRoot)).some((project) => project.checkouts.some((checkout) => checkout.path ? resolve11(checkout.path) === target : false));
+}
 
 // packages/server/src/server-helpers/remote-checkout.ts
-import { existsSync as existsSync7, mkdirSync as mkdirSync6, writeFileSync as writeFileSync6 } from "fs";
-import { dirname as dirname5, isAbsolute, relative, resolve as resolve10 } from "path";
+import { existsSync as existsSync9, mkdirSync as mkdirSync8, writeFileSync as writeFileSync8 } from "fs";
+import { dirname as dirname8, isAbsolute as isAbsolute2, relative as relative2, resolve as resolve12 } from "path";
 function safeSlugSegments(repoSlug) {
   const segments = repoSlug.split("/").map((part) => part.trim()).filter(Boolean);
   if (segments.length !== 2 || segments.some((segment) => segment === "." || segment === ".." || segment.includes("\\"))) {
@@ -1358,7 +1902,7 @@ function safeCheckoutKey(value) {
 }
 function repoSlugPath(baseDir, repoSlug, checkoutKey) {
   const key = safeCheckoutKey(checkoutKey);
-  return resolve10(baseDir, ...key ? [key] : [], ...safeSlugSegments(repoSlug));
+  return resolve12(baseDir, ...key ? [key] : [], ...safeSlugSegments(repoSlug));
 }
 function sanitizeSnapshotId(value, fallback) {
   const raw = (value ?? fallback).trim();
@@ -1366,7 +1910,7 @@ function sanitizeSnapshotId(value, fallback) {
   return safe || fallback;
 }
 function assertWithinRoot(root, relativePath) {
-  if (!relativePath || isAbsolute(relativePath) || relativePath.includes("\x00")) {
+  if (!relativePath || isAbsolute2(relativePath) || relativePath.includes("\x00")) {
     throw new Error(`Invalid snapshot file path: ${relativePath}`);
   }
   const normalizedRelative = relativePath.replace(/\\/g, "/");
@@ -1374,9 +1918,9 @@ function assertWithinRoot(root, relativePath) {
   if (segments.some((segment) => segment === "" || segment === "." || segment === "..")) {
     throw new Error(`Unsafe snapshot file path: ${relativePath}`);
   }
-  const target = resolve10(root, ...segments);
-  const rel = relative(root, target);
-  if (rel === ".." || rel.split(/[\\/]/)[0] === ".." || isAbsolute(rel)) {
+  const target = resolve12(root, ...segments);
+  const rel = relative2(root, target);
+  if (rel === ".." || rel.split(/[\\/]/)[0] === ".." || isAbsolute2(rel)) {
     throw new Error(`Snapshot file path escapes checkout root: ${relativePath}`);
   }
   return target;
@@ -1394,17 +1938,17 @@ function parseSnapshotArchiveContentBase64(contentBase64) {
 function extractUploadedSnapshotArchive(input) {
   const archive = decodeSnapshotArchive(input.archive);
   const snapshotId = sanitizeSnapshotId(input.snapshotId, `snapshot-${(input.now?.() ?? new Date).toISOString().replace(/[:.]/g, "-")}`);
-  const checkoutPath = resolve10(repoSlugPath(input.baseDir, input.repoSlug, input.checkoutKey), snapshotId);
-  mkdirSync6(checkoutPath, { recursive: true });
+  const checkoutPath = resolve12(repoSlugPath(input.baseDir, input.repoSlug, input.checkoutKey), snapshotId);
+  mkdirSync8(checkoutPath, { recursive: true });
   for (const file of archive.files) {
     if (!file || typeof file.path !== "string" || typeof file.contentBase64 !== "string") {
       throw new Error("Invalid snapshot archive file entry");
     }
     const target = assertWithinRoot(checkoutPath, file.path);
-    mkdirSync6(dirname5(target), { recursive: true });
-    writeFileSync6(target, Buffer.from(file.contentBase64, "base64"));
+    mkdirSync8(dirname8(target), { recursive: true });
+    writeFileSync8(target, Buffer.from(file.contentBase64, "base64"));
   }
-  writeFileSync6(resolve10(checkoutPath, ".rig-uploaded-snapshot.json"), `${JSON.stringify({
+  writeFileSync8(resolve12(checkoutPath, ".rig-uploaded-snapshot.json"), `${JSON.stringify({
     repoSlug: input.repoSlug,
     snapshotId,
     fileCount: archive.files.length,
@@ -1439,7 +1983,7 @@ function gitCredentialConfig(token) {
   };
 }
 async function prepareRemoteCheckout(input) {
-  const exists = input.exists ?? existsSync7;
+  const exists = input.exists ?? existsSync9;
   const strategy = input.strategy;
   if (strategy.kind === "uploaded-snapshot") {
     return extractUploadedSnapshotArchive({
@@ -1451,7 +1995,7 @@ async function prepareRemoteCheckout(input) {
     });
   }
   if (strategy.kind === "existing-path") {
-    const checkoutPath2 = resolve10(strategy.path);
+    const checkoutPath2 = resolve12(strategy.path);
     if (!exists(checkoutPath2)) {
       throw new Error(`Existing remote checkout path does not exist: ${checkoutPath2}`);
     }
@@ -1487,9 +2031,9 @@ function buildServerControlStatus() {
   };
 }
 function buildProjectConfigStatus(root) {
-  const hasConfigTs = existsSync8(resolve11(root, "rig.config.ts"));
-  const hasConfigJson = existsSync8(resolve11(root, "rig.config.json"));
-  const hasLegacyTaskConfig = existsSync8(resolve11(root, ".rig", "task-config.json"));
+  const hasConfigTs = existsSync10(resolve13(root, "rig.config.ts"));
+  const hasConfigJson = existsSync10(resolve13(root, "rig.config.json"));
+  const hasLegacyTaskConfig = existsSync10(resolve13(root, ".rig", "task-config.json"));
   let kind = "missing";
   if (hasConfigTs)
     kind = "rig-config-ts";
@@ -1506,6 +2050,75 @@ function buildProjectConfigStatus(root) {
     suggestion: kind === "missing" ? "Run `rig init` in the project root to scaffold rig.config.ts." : null
   };
 }
+var RIG_GITHUB_LIFECYCLE_LABELS = [
+  "ready",
+  "blocked",
+  "in-progress",
+  "under-review",
+  "failed",
+  "cancelled",
+  "rig:running",
+  "rig:pr-open",
+  "rig:ci-fixing",
+  "rig:merging",
+  "rig:done",
+  "rig:needs-attention"
+];
+function githubProjectsEnabled(config) {
+  if (!config || typeof config !== "object" || Array.isArray(config))
+    return false;
+  const root = config;
+  const github = root.github && typeof root.github === "object" && !Array.isArray(root.github) ? root.github : null;
+  const projects = github?.projects && typeof github.projects === "object" && !Array.isArray(github.projects) ? github.projects : null;
+  return projects?.enabled === true;
+}
+function githubIssueSourceRepo(config) {
+  if (!config || typeof config !== "object" || Array.isArray(config))
+    return null;
+  const root = config;
+  const taskSource = root.taskSource && typeof root.taskSource === "object" && !Array.isArray(root.taskSource) ? root.taskSource : null;
+  const owner = normalizeString(taskSource?.owner);
+  const repo = normalizeString(taskSource?.repo);
+  if (taskSource?.kind === "github-issues" && owner && repo)
+    return { owner, repo };
+  const project = root.project && typeof root.project === "object" && !Array.isArray(root.project) ? root.project : null;
+  const slug = normalizeString(project?.repo) ?? normalizeString(project?.name);
+  const match = slug?.match(/^([^/]+)\/([^/]+)$/);
+  return match ? { owner: match[1], repo: match[2] } : null;
+}
+async function ensureGitHubLifecycleLabels(projectRoot, config) {
+  const repo = githubIssueSourceRepo(config);
+  if (!repo)
+    return { ok: false, ready: false, labelsReady: false, reason: "not-github-issues-source", labels: RIG_GITHUB_LIFECYCLE_LABELS };
+  const token = createGitHubAuthStore(projectRoot).readToken();
+  if (!token)
+    return { ok: false, ready: false, labelsReady: false, reason: "missing-token", repo, labels: RIG_GITHUB_LIFECYCLE_LABELS };
+  const existingResponse = await fetch(`https://api.github.com/repos/${repo.owner}/${repo.repo}/labels?per_page=100`, {
+    headers: { accept: "application/vnd.github+json", authorization: `Bearer ${token}`, "user-agent": "rig-server" }
+  });
+  const existingJson = await existingResponse.json().catch(() => []);
+  const existing = new Set(Array.isArray(existingJson) ? existingJson.flatMap((entry) => entry && typeof entry === "object" && typeof entry.name === "string" ? [entry.name] : []) : []);
+  const created = [];
+  const alreadyPresent = [];
+  const failed = [];
+  for (const label of RIG_GITHUB_LIFECYCLE_LABELS) {
+    if (existing.has(label)) {
+      alreadyPresent.push(label);
+      continue;
+    }
+    const response = await fetch(`https://api.github.com/repos/${repo.owner}/${repo.repo}/labels`, {
+      method: "POST",
+      headers: { accept: "application/vnd.github+json", authorization: `Bearer ${token}`, "content-type": "application/json", "user-agent": "rig-server" },
+      body: JSON.stringify({ name: label, color: label.startsWith("rig:") ? "6f42c1" : "ededed", description: label.startsWith("rig:") ? "Task status managed by Rig" : "Task lifecycle status managed by Rig" })
+    });
+    if (response.ok || response.status === 422) {
+      (response.status === 422 ? alreadyPresent : created).push(label);
+    } else {
+      failed.push({ label, error: await response.text().catch(() => response.statusText) });
+    }
+  }
+  return { ok: failed.length === 0, ready: failed.length === 0, labelsReady: failed.length === 0, repo, labels: RIG_GITHUB_LIFECYCLE_LABELS, created, existing: alreadyPresent, failed };
+}
 function normalizeCommit(value) {
   const raw = normalizeString(value);
   return raw && /^[0-9a-f]{7,40}$/i.test(raw) ? raw : null;
@@ -1525,24 +2138,24 @@ function repoParts(repoSlug) {
   return { owner, repo, slug: `${owner}/${repo}` };
 }
 function repairDir(checkoutPath) {
-  const dir = resolve11(checkoutPath, ".rig", "state", "repairs", new Date().toISOString().replace(/[:.]/g, "-"));
-  mkdirSync7(dir, { recursive: true });
+  const dir = resolve13(checkoutPath, ".rig", "state", "repairs", new Date().toISOString().replace(/[:.]/g, "-"));
+  mkdirSync9(dir, { recursive: true });
   return dir;
 }
 function backupCheckoutFile(checkoutPath, relativePath) {
-  const source = resolve11(checkoutPath, relativePath);
-  const backupPath = resolve11(repairDir(checkoutPath), relativePath.replace(/[\\/]/g, "__"));
-  mkdirSync7(dirname6(backupPath), { recursive: true });
-  copyFileSync(source, backupPath);
+  const source = resolve13(checkoutPath, relativePath);
+  const backupPath = resolve13(repairDir(checkoutPath), relativePath.replace(/[\\/]/g, "__"));
+  mkdirSync9(dirname9(backupPath), { recursive: true });
+  copyFileSync2(source, backupPath);
   return backupPath;
 }
 function parsePackageJsonLosslessly(checkoutPath) {
-  const packagePath = resolve11(checkoutPath, "package.json");
-  if (!existsSync8(packagePath)) {
+  const packagePath = resolve13(checkoutPath, "package.json");
+  if (!existsSync10(packagePath)) {
     return { existed: false, packageJson: { name: basename(checkoutPath) || "rig-project", private: true } };
   }
   try {
-    const parsed = JSON.parse(readFileSync5(packagePath, "utf8"));
+    const parsed = JSON.parse(readFileSync7(packagePath, "utf8"));
     return {
       existed: true,
       packageJson: parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : { name: basename(checkoutPath) || "rig-project", private: true }
@@ -1556,9 +2169,9 @@ function parsePackageJsonLosslessly(checkoutPath) {
   }
 }
 function ensureRemoteCheckoutRigPackageDeps(checkoutPath) {
-  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync8(resolve11(checkoutPath, name)));
-  const packagePath = resolve11(checkoutPath, "package.json");
-  if (!hasConfig && !existsSync8(packagePath)) {
+  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync10(resolve13(checkoutPath, name)));
+  const packagePath = resolve13(checkoutPath, "package.json");
+  if (!hasConfig && !existsSync10(packagePath)) {
     return { skipped: true, reason: "package.json and rig.config missing" };
   }
   const parsed = parsePackageJsonLosslessly(checkoutPath);
@@ -1577,7 +2190,7 @@ function ensureRemoteCheckoutRigPackageDeps(checkoutPath) {
   }
   const changed = !parsed.existed || Boolean(parsed.backupPath) || added.length > 0 || updated.length > 0 || existingDevDependencies !== devDependencies && (!existingDevDependencies || typeof existingDevDependencies !== "object" || Array.isArray(existingDevDependencies));
   if (changed) {
-    writeFileSync7(packagePath, `${JSON.stringify({ ...parsed.packageJson, devDependencies }, null, 2)}
+    writeFileSync9(packagePath, `${JSON.stringify({ ...parsed.packageJson, devDependencies }, null, 2)}
 `, "utf8");
   }
   return {
@@ -1603,11 +2216,11 @@ function configLooksStructurallyUsable(source) {
   return /taskSource\s*:/.test(source) && /workspace\s*:/.test(source) && /project\s*:/.test(source);
 }
 function ensureRemoteCheckoutRigConfig(checkoutPath, repoSlug, reason = "missing or incomplete rig config") {
-  const configPath = resolve11(checkoutPath, "rig.config.ts");
-  const existingConfigName = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync8(resolve11(checkoutPath, name)));
+  const configPath = resolve13(checkoutPath, "rig.config.ts");
+  const existingConfigName = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync10(resolve13(checkoutPath, name)));
   if (existingConfigName) {
-    const existingPath = resolve11(checkoutPath, existingConfigName);
-    const source = readFileSync5(existingPath, "utf8");
+    const existingPath = resolve13(checkoutPath, existingConfigName);
+    const source = readFileSync7(existingPath, "utf8");
     if (existingConfigName !== "rig.config.json" && configLooksStructurallyUsable(source)) {
       return { path: existingPath, changed: false, reason: "config structurally complete" };
     }
@@ -1621,7 +2234,7 @@ function ensureRemoteCheckoutRigConfig(checkoutPath, repoSlug, reason = "missing
     }
   }
   const backupPath = existingConfigName ? backupCheckoutFile(checkoutPath, existingConfigName) : undefined;
-  writeFileSync7(configPath, generatedRigConfigSource(repoSlug), "utf8");
+  writeFileSync9(configPath, generatedRigConfigSource(repoSlug), "utf8");
   return {
     path: configPath,
     changed: true,
@@ -1630,7 +2243,7 @@ function ensureRemoteCheckoutRigConfig(checkoutPath, repoSlug, reason = "missing
   };
 }
 function validateRemoteCheckoutRigConfig(checkoutPath) {
-  const configFile = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync8(resolve11(checkoutPath, name)));
+  const configFile = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync10(resolve13(checkoutPath, name)));
   if (!configFile)
     return { ok: false, error: "missing rig config" };
   if (process.env.RIG_TEST_SKIP_REMOTE_CHECKOUT_INSTALL === "1") {
@@ -1652,7 +2265,7 @@ function validateRemoteCheckoutRigConfig(checkoutPath) {
   return { ok: true, configFile };
 }
 function installRemoteCheckoutPackages(checkoutPath) {
-  if (!existsSync8(resolve11(checkoutPath, "package.json"))) {
+  if (!existsSync10(resolve13(checkoutPath, "package.json"))) {
     return { skipped: true, reason: "package.json missing" };
   }
   if (process.env.RIG_TEST_SKIP_REMOTE_CHECKOUT_INSTALL === "1") {
@@ -1665,8 +2278,8 @@ function installRemoteCheckoutPackages(checkoutPath) {
   return { ok: true, command: "bun install", stdout: result.stdout?.trim() || undefined };
 }
 function repairRemoteCheckoutForRig(checkoutPath, repoSlug) {
-  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync8(resolve11(checkoutPath, name)));
-  const hasPackage = existsSync8(resolve11(checkoutPath, "package.json"));
+  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync10(resolve13(checkoutPath, name)));
+  const hasPackage = existsSync10(resolve13(checkoutPath, "package.json"));
   if (!hasConfig && !hasPackage) {
     return {
       packageJson: { skipped: true, reason: "package.json and rig.config missing" },
@@ -1764,26 +2377,26 @@ function buildRemoteRunLogEntry(body, identifiers) {
 }
 function readGitHeadCommit(projectRoot) {
   try {
-    let gitDir = resolve11(projectRoot, ".git");
+    let gitDir = resolve13(projectRoot, ".git");
     try {
-      const dotGit = readFileSync5(gitDir, "utf8").trim();
+      const dotGit = readFileSync7(gitDir, "utf8").trim();
       const gitDirPrefix = "gitdir:";
       if (dotGit.startsWith(gitDirPrefix)) {
-        gitDir = resolve11(projectRoot, dotGit.slice(gitDirPrefix.length).trim());
+        gitDir = resolve13(projectRoot, dotGit.slice(gitDirPrefix.length).trim());
       }
     } catch {}
-    const head = readFileSync5(resolve11(gitDir, "HEAD"), "utf8").trim();
+    const head = readFileSync7(resolve13(gitDir, "HEAD"), "utf8").trim();
     const refPrefix = "ref:";
     if (!head.startsWith(refPrefix)) {
       return normalizeCommit(head);
     }
     const ref = head.slice(refPrefix.length).trim();
-    const refPath = resolve11(gitDir, ref);
-    if (existsSync8(refPath)) {
-      return normalizeCommit(readFileSync5(refPath, "utf8").trim());
+    const refPath = resolve13(gitDir, ref);
+    if (existsSync10(refPath)) {
+      return normalizeCommit(readFileSync7(refPath, "utf8").trim());
     }
-    const commonDir = normalizeString(readFileSync5(resolve11(gitDir, "commondir"), "utf8"));
-    return commonDir ? normalizeCommit(readFileSync5(resolve11(gitDir, commonDir, ref), "utf8").trim()) : null;
+    const commonDir = normalizeString(readFileSync7(resolve13(gitDir, "commondir"), "utf8"));
+    return commonDir ? normalizeCommit(readFileSync7(resolve13(gitDir, commonDir, ref), "utf8").trim()) : null;
   } catch {
     return null;
   }
@@ -1821,9 +2434,9 @@ function configuredRepoFromTaskSource(taskSource) {
   const repo = normalizeString(taskSource?.repo);
   return owner && repo ? `${owner}/${repo}` : null;
 }
-async function buildTaskSourceStatus(state, config) {
+async function buildTaskSourceStatus(state, config, requestAuth) {
   const diagnostics = state.snapshotService.getTaskSourceErrors();
-  const selectedRepo = createGitHubAuthStore(state.projectRoot).status({
+  const selectedRepo = requestScopedAuthStore(state.projectRoot, requestAuth).status({
     oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim())
   }).selectedRepo;
   try {
@@ -1876,37 +2489,146 @@ function isLoopbackRequest(req) {
   }
 }
 function isPublicRigAuthBootstrapRoute(pathname) {
-  return pathname === "/" || pathname === "/health" || pathname === "/api/health" || pathname === "/api/github/auth/status" || pathname === "/api/github/auth/token" || pathname === "/api/github/auth/device/start" || pathname === "/api/github/auth/device/poll";
+  return pathname === "/" || pathname === "/install" || pathname === "/health" || pathname === "/api/health" || pathname === "/api/github/auth/status" || pathname === "/api/github/auth/token" || pathname === "/api/github/auth/device/start" || pathname === "/api/github/auth/device/poll";
+}
+function buildRigInstallScript() {
+  return `#!/usr/bin/env bash
+set -euo pipefail
+
+say() {
+  printf 'rig-install: %s
+' "$*"
+}
+
+if ! command -v bun >/dev/null 2>&1; then
+  say "Bun not found; installing Bun first"
+  curl -fsSL https://bun.sh/install | bash
+  export BUN_INSTALL="\${BUN_INSTALL:-$HOME/.bun}"
+  export PATH="$BUN_INSTALL/bin:$PATH"
+fi
+
+if ! command -v bun >/dev/null 2>&1; then
+  printf 'rig-install: bun install completed, but bun is still not on PATH. Add ~/.bun/bin to PATH and retry.
+' >&2
+  exit 1
+fi
+
+say "Installing @h-rig/cli@latest"
+bun add -g --force @h-rig/cli@latest
+
+export BUN_INSTALL="\${BUN_INSTALL:-$HOME/.bun}"
+BUN_RIG="$BUN_INSTALL/bin/rig"
+if [ ! -x "$BUN_RIG" ]; then
+  printf 'rig-install: expected Bun global rig at %s but it was not executable.
+' "$BUN_RIG" >&2
+  exit 1
+fi
+
+USER_BIN="$HOME/.local/bin"
+mkdir -p "$USER_BIN"
+cat > "$USER_BIN/rig" <<'RIG_SHIM'
+#!/usr/bin/env bash
+set -euo pipefail
+exec "\${BUN_INSTALL:-$HOME/.bun}/bin/rig" "$@"
+RIG_SHIM
+chmod +x "$USER_BIN/rig"
+
+export PATH="$USER_BIN:$BUN_INSTALL/bin:$PATH"
+if command -v hash >/dev/null 2>&1; then hash -r; fi
+
+if ! command -v rig >/dev/null 2>&1; then
+  printf 'rig-install: rig installed, but rig is not on PATH. Add %s and %s/bin to PATH and retry.
+' "$USER_BIN" "$BUN_INSTALL" >&2
+  exit 1
+fi
+
+say "Verifying rig"
+"$BUN_RIG" --help >/dev/null
+rig --help >/dev/null
+say "Done. Run: rig --help"
+`;
 }
 function normalizePrMode(value) {
   const mode = normalizeString(value);
   return mode === "auto" || mode === "ask" || mode === "off" ? mode : undefined;
 }
+function requestAuthResult(input) {
+  return {
+    authorized: input.authorized,
+    actor: input.actor ?? null,
+    reason: input.reason,
+    login: input.login ?? null,
+    userId: input.userId ?? null,
+    userNamespace: input.userNamespace ?? null,
+    authStateFile: input.authStateFile ?? null
+  };
+}
+function namespaceFromSessionIndex(entry) {
+  const stateDir2 = dirname9(entry.authStateFile);
+  return {
+    key: entry.namespaceKey,
+    userId: entry.userId,
+    login: entry.login,
+    root: entry.namespaceRoot,
+    stateDir: stateDir2,
+    authStateFile: entry.authStateFile,
+    metadataFile: resolve13(stateDir2, "user-namespace.json"),
+    checkoutBaseDir: entry.checkoutBaseDir,
+    snapshotBaseDir: entry.snapshotBaseDir
+  };
+}
 function authorizeRigHttpRequest(input) {
   if (input.legacyAuthorized) {
-    return { authorized: true, actor: "rig-local-server", reason: "server-token" };
+    return requestAuthResult({ authorized: true, actor: "rig-local-server", reason: "server-token" });
   }
   const bearer = bearerTokenFromRequest(input.req);
   const store = createGitHubAuthStore(input.projectRoot);
   const storedToken = store.readToken();
   const session = bearer ? store.readApiSession(bearer) : null;
   if (session) {
-    return { authorized: true, actor: session.login ?? "github-operator", reason: "github-session" };
+    return requestAuthResult({
+      authorized: true,
+      actor: session.login ?? "github-operator",
+      reason: "github-session",
+      login: session.login,
+      userId: session.userId,
+      authStateFile: store.stateFile
+    });
   }
   if (bearer && storedToken && bearer === storedToken) {
     const status = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
-    return { authorized: true, actor: status.login ?? "github-operator", reason: "github-token" };
+    return requestAuthResult({
+      authorized: true,
+      actor: status.login ?? "github-operator",
+      reason: "github-token",
+      login: status.login,
+      userId: status.userId,
+      authStateFile: store.stateFile
+    });
+  }
+  const indexedSession = readGitHubApiSession({ projectRoot: input.projectRoot, token: bearer });
+  if (indexedSession) {
+    const userNamespace = namespaceFromSessionIndex(indexedSession);
+    return requestAuthResult({
+      authorized: true,
+      actor: indexedSession.login ?? "github-operator",
+      reason: "github-user-session",
+      login: indexedSession.login,
+      userId: indexedSession.userId,
+      userNamespace,
+      authStateFile: indexedSession.authStateFile
+    });
   }
   if (isPublicRigAuthBootstrapRoute(input.pathname)) {
-    return { authorized: true, actor: null, reason: "public-bootstrap" };
+    return requestAuthResult({ authorized: true, actor: null, reason: "public-bootstrap" });
   }
   if (!input.serverAuthToken && !storedToken) {
     if (isLoopbackRequest(input.req)) {
-      return { authorized: true, actor: null, reason: "loopback-dev-no-auth" };
+      return requestAuthResult({ authorized: true, actor: null, reason: "loopback-dev-no-auth" });
     }
-    return { authorized: false, actor: null, reason: "auth-required" };
+    return requestAuthResult({ authorized: false, actor: null, reason: "auth-required" });
   }
-  return { authorized: false, actor: null, reason: storedToken ? "github-token-required" : "auth-required" };
+  return requestAuthResult({ authorized: false, actor: null, reason: storedToken ? "github-token-required" : "auth-required" });
 }
 async function fetchGitHubUserInfo(token) {
   const response = await fetch("https://api.github.com/user", {
@@ -1926,6 +2648,67 @@ async function fetchGitHubUserInfo(token) {
     scopes: cleanHeaderScopes(response.headers.get("x-oauth-scopes"))
   };
 }
+function shouldWriteRootAuthCompat(projectRoot) {
+  if (process.env.RIG_REMOTE_USER_NAMESPACE_ROOT?.trim())
+    return false;
+  const stateDir2 = normalizeString(process.env.RIG_STATE_DIR);
+  if (!stateDir2)
+    return true;
+  return resolve13(stateDir2) === resolve13(projectRoot, ".rig", "state");
+}
+function requestScopedRegistryRoot(stateProjectRoot, requestAuth) {
+  return requestAuth.userNamespace?.root ?? stateProjectRoot;
+}
+function requestScopedAuthStore(stateProjectRoot, requestAuth) {
+  return requestAuth.authStateFile ? createGitHubAuthStoreFromStateFile(requestAuth.authStateFile) : createGitHubAuthStore(stateProjectRoot);
+}
+function userNamespaceResponse(namespace) {
+  return namespace ? serializeRemoteUserNamespace(namespace) : undefined;
+}
+function resolveNamespacedBaseDir(input) {
+  if (input.explicitBaseDir)
+    return input.explicitBaseDir;
+  const envBase = normalizeString(process.env[input.envName]);
+  if (input.userNamespace) {
+    return envBase ? resolve13(envBase, input.userNamespace.key) : input.userNamespace[input.legacySubdir === "remote-checkouts" ? "checkoutBaseDir" : "snapshotBaseDir"];
+  }
+  return envBase ?? (normalizeString(process.env.RIG_STATE_DIR) ? resolve13(normalizeString(process.env.RIG_STATE_DIR), input.legacySubdir) : resolve13(input.legacyProjectRoot, ".rig", input.legacySubdir));
+}
+function explicitCheckoutKey(body, checkoutInput, requestAuth) {
+  return normalizeString(body.checkoutKey) ?? normalizeString(checkoutInput.checkoutKey) ?? normalizeString(checkoutInput.key) ?? (requestAuth.userNamespace ? undefined : "default");
+}
+function saveGitHubTokenForRemoteUser(input) {
+  const namespace = resolveRemoteUserNamespace(input.projectRoot, { userId: input.user.userId, login: input.user.login });
+  writeRemoteUserNamespaceMetadata(namespace);
+  const store = createGitHubAuthStoreFromStateFile(namespace.authStateFile);
+  store.saveToken({
+    token: input.token,
+    tokenSource: input.tokenSource,
+    login: input.user.login,
+    userId: input.user.userId,
+    scopes: input.user.scopes,
+    selectedRepo: input.selectedRepo
+  });
+  const apiSession = store.createApiSession();
+  registerGitHubApiSession({ projectRoot: input.projectRoot, token: apiSession.token, namespace, selectedRepo: input.selectedRepo });
+  const requestedRoot = normalizeString(input.requestedProjectRoot);
+  if (requestedRoot && isAbsolute3(requestedRoot) && existsSync10(resolve13(requestedRoot))) {
+    copyGitHubAuthStateToLocalProjectRoot(namespace.authStateFile, resolve13(requestedRoot));
+  }
+  if (shouldWriteRootAuthCompat(input.projectRoot)) {
+    const rootStore = createGitHubAuthStore(input.projectRoot);
+    rootStore.saveToken({
+      token: input.token,
+      tokenSource: input.tokenSource,
+      login: input.user.login,
+      userId: input.user.userId,
+      scopes: input.user.scopes,
+      selectedRepo: input.selectedRepo
+    });
+    rootStore.createApiSession();
+  }
+  return { store, namespace, apiSessionToken: apiSession.token };
+}
 async function postGitHubForm(endpoint, body) {
   const response = await fetch(endpoint, {
     method: "POST",
@@ -1943,11 +2726,11 @@ function resolveRequestedProjectRoot(currentRoot, rawRoot) {
   const requestedRoot = normalizeString(rawRoot);
   if (!requestedRoot)
     return currentRoot;
-  if (!isAbsolute2(requestedRoot)) {
+  if (!isAbsolute3(requestedRoot)) {
     throw new Error("projectRoot must be an absolute path on the Rig server host");
   }
-  const normalizedRoot = resolve11(requestedRoot);
-  if (!existsSync8(normalizedRoot)) {
+  const normalizedRoot = resolve13(requestedRoot);
+  if (!existsSync10(normalizedRoot)) {
     throw new Error("projectRoot does not exist on the Rig server host");
   }
   return normalizedRoot;
@@ -2175,6 +2958,27 @@ function filterWorkspaceTasks(projectRoot, tasks, searchParams) {
   }
   return filtered;
 }
+function issueAnalysisTargetFor(source) {
+  if (!source)
+    return null;
+  const candidate = source;
+  if (typeof candidate.updateTask !== "function")
+    return null;
+  return {
+    ...typeof candidate.get === "function" ? { get: candidate.get.bind(candidate) } : {},
+    updateTask: candidate.updateTask.bind(candidate),
+    ...typeof candidate.addLabels === "function" ? { addLabels: candidate.addLabels.bind(candidate) } : {},
+    ...typeof candidate.removeLabels === "function" ? { removeLabels: candidate.removeLabels.bind(candidate) } : {},
+    ...typeof candidate.createIssue === "function" ? { createIssue: candidate.createIssue.bind(candidate) } : {}
+  };
+}
+function uniqueStringList(value) {
+  const raw = Array.isArray(value) ? value : typeof value === "string" ? [value] : [];
+  return [...new Set(raw.map((entry) => String(entry).trim()).filter(Boolean))];
+}
+function taskRecordId(task) {
+  return String(task.id ?? "");
+}
 function redactRemoteEndpoint(endpoint) {
   const { token, ...rest } = endpoint;
   return {
@@ -2259,6 +3063,13 @@ function createRigServerFetch(state, deps) {
             notifications: state.targets.length
           });
         }
+        if (url.pathname === "/install" && req.method === "GET") {
+          return new Response(buildRigInstallScript(), {
+            headers: {
+              "Content-Type": "text/x-shellscript; charset=utf-8"
+            }
+          });
+        }
         const isLinearWebhook = url.pathname === "/api/linear/webhook" && req.method === "POST";
         const isInspectorStream = url.pathname === "/api/inspector/stream" && req.method === "GET";
         const legacyAuthorizedHttpRequest = Boolean(state.authToken) && (isInspectorStream && isAuthorizedInspectorStreamRequest(req, state.authToken) ? true : deps.isAuthorizedHttpRequest(req, state.authToken));
@@ -2471,16 +3282,12 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (!source) {
             return deps.badRequest("No task source is configured");
           }
+          if (!source.updateTask && !(update.status && source.updateStatus)) {
+            return deps.badRequest("Configured task source does not support updates");
+          }
           const taskBeforeUpdate = source.get ? await source.get(id).catch(() => {
             return;
           }) : (await deps.snapshotService.getWorkspaceTasks().catch(() => [])).find((task) => task.id === id);
-          if (source.updateTask) {
-            await source.updateTask(id, update);
-          } else if (update.status && source.updateStatus) {
-            await source.updateStatus(id, update.status);
-          } else {
-            return deps.badRequest("Configured task source does not support updates");
-          }
           const issueNodeId = normalizeString(body.issueNodeId) ?? extractGitHubIssueNodeId(taskBeforeUpdate);
           const projectSync = update.status ? await syncGitHubProjectStatusForTaskUpdate({
             taskId: id,
@@ -2489,6 +3296,35 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             token: createGitHubAuthStore(state.projectRoot).readToken(),
             config: ctx?.config
           }).catch((error) => ({ synced: false, reason: `error:${error instanceof Error ? error.message : String(error)}` })) : { synced: false, reason: "missing-status" };
+          if (update.status && githubProjectsEnabled(ctx?.config) && projectSync.synced === false) {
+            return deps.jsonResponse({ ok: false, id, projectSync, error: `GitHub Project status sync failed: ${String(projectSync.reason)}` }, 502);
+          }
+          try {
+            if (source.updateTask) {
+              await source.updateTask(id, update);
+            } else if (update.status && source.updateStatus) {
+              await source.updateStatus(id, update.status);
+            }
+          } catch (error) {
+            let rollback = null;
+            const previousStatus = normalizeString(taskBeforeUpdate?.status) ?? normalizeString(taskBeforeUpdate?.sourceStatus);
+            if (update.status && previousStatus && githubProjectsEnabled(ctx?.config) && projectSync.synced !== false) {
+              rollback = await syncGitHubProjectStatusForTaskUpdate({
+                taskId: id,
+                status: previousStatus,
+                issueNodeId,
+                token: createGitHubAuthStore(state.projectRoot).readToken(),
+                config: ctx?.config
+              }).catch((rollbackError) => ({ synced: false, reason: `rollback-error:${rollbackError instanceof Error ? rollbackError.message : String(rollbackError)}` }));
+            }
+            return deps.jsonResponse({
+              ok: false,
+              id,
+              projectSync,
+              rollback,
+              error: `Task source update failed: ${error instanceof Error ? error.message : String(error)}`
+            }, 502);
+          }
           deps.snapshotService.invalidate("github-issue-updated");
           await state.taskProjectionReconciler?.tick("github-issue-updated").catch(() => {
             return;
@@ -2497,29 +3333,105 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           return deps.jsonResponse({ ok: true, id, projectSync });
         }
         if (url.pathname === "/api/workspace/task-labels") {
+          const ctx = await getCachedPluginHostContext(state.projectRoot).catch(() => null);
+          if (url.searchParams.get("ensure") === "1" || req.method === "POST") {
+            return deps.jsonResponse(await ensureGitHubLifecycleLabels(state.projectRoot, ctx?.config));
+          }
           return deps.jsonResponse({
             ok: true,
             ready: true,
             labelsReady: true,
-            labels: [
-              "ready",
-              "blocked",
-              "in-progress",
-              "under-review",
-              "failed",
-              "cancelled",
-              "rig:running",
-              "rig:pr-open",
-              "rig:ci-fixing",
-              "rig:done",
-              "rig:needs-attention"
-            ],
-            note: "GitHub issue lifecycle labels are created on demand by the configured task source when supported."
+            labels: [...RIG_GITHUB_LIFECYCLE_LABELS],
+            note: "Lifecycle labels are required during init; call POST /api/workspace/task-labels or ?ensure=1 to proactively create them."
+          });
+        }
+        if (url.pathname === "/api/github/projects" && req.method === "GET") {
+          const owner = normalizeString(url.searchParams.get("owner"));
+          if (!owner)
+            return deps.badRequest("owner is required");
+          const token = createGitHubAuthStore(state.projectRoot).readToken();
+          if (!token)
+            return deps.jsonResponse({ ok: false, error: "missing-token", projects: [] }, 401);
+          const projects = await listGitHubProjects({ owner, token }).catch((error) => {
+            throw new Error(error instanceof Error ? error.message : String(error));
+          });
+          return deps.jsonResponse({ ok: true, projects });
+        }
+        const projectStatusMatch = url.pathname.match(/^\/api\/github\/projects\/([^/]+)\/status-field$/);
+        if (projectStatusMatch && req.method === "GET") {
+          const projectId = decodeURIComponent(projectStatusMatch[1]);
+          const token = createGitHubAuthStore(state.projectRoot).readToken();
+          if (!token)
+            return deps.jsonResponse({ ok: false, error: "missing-token" }, 401);
+          const field = await resolveProjectStatusField({ projectId, token }).catch((error) => {
+            throw new Error(error instanceof Error ? error.message : String(error));
+          });
+          return deps.jsonResponse({ ok: true, field });
+        }
+        if (url.pathname === "/api/workspace/issue-analysis/run" && req.method === "POST") {
+          const body = await deps.readJsonBody(req);
+          const ids = uniqueStringList(body.ids ?? body.id);
+          const analyzeAll = deps.isTruthyQuery(String(body.all ?? ""));
+          if (ids.length === 0 && !analyzeAll) {
+            return deps.badRequest("ids is required unless all=true");
+          }
+          const ctx = await getCachedPluginHostContext(state.projectRoot);
+          const [source] = ctx?.taskSourceRegistry.list() ?? [];
+          const target = issueAnalysisTargetFor(source);
+          if (!source || !target) {
+            return deps.badRequest("Configured task source does not support issue-analysis writeback");
+          }
+          const allTasks = [...await source.list()];
+          const issues = analyzeAll ? allTasks.slice(0, Math.max(1, Math.min(25, Number(body.limit ?? 25) || 25))) : (await Promise.all(ids.map(async (id) => {
+            const cached = allTasks.find((task) => taskRecordId(task) === id);
+            if (cached)
+              return cached;
+            return typeof source.get === "function" ? await source.get(id) : undefined;
+          }))).filter((task) => Boolean(task));
+          if (issues.length === 0) {
+            return deps.jsonResponse({ ok: false, error: "No matching issues found for issue analysis", ids }, 404);
+          }
+          const config = ctx?.config && typeof ctx.config === "object" ? ctx.config : {};
+          const issueAnalysis = config.issueAnalysis && typeof config.issueAnalysis === "object" ? config.issueAnalysis : {};
+          const runtime = config.runtime && typeof config.runtime === "object" ? config.runtime : {};
+          const model = normalizeString(issueAnalysis.model) ?? normalizeString(runtime.model);
+          const service = createIssueAnalysisService({
+            analyzer: createPiIssueAnalyzer({
+              ...model ? { model } : {},
+              env: { RIG_PROJECT_ROOT: state.projectRoot }
+            }),
+            writeBack: createIssueAnalysisWriteBack({ target })
+          });
+          const reason = normalizeString(body.reason) ?? "http-issue-analysis";
+          let results;
+          try {
+            results = await service.analyze(issues, { reason, neighbors: ids.length > 0 ? issues : allTasks });
+          } catch (error) {
+            return deps.jsonResponse({
+              ok: false,
+              error: `Issue analysis failed: ${error instanceof Error ? error.message : String(error)}`,
+              reason,
+              ids: issues.map((issue) => issue.id)
+            }, 502);
+          }
+          deps.snapshotService.invalidate("issue-analysis-http-run");
+          await state.taskProjectionReconciler?.tick("issue-analysis-http-run").catch(() => {
+            return;
+          });
+          deps.broadcastSnapshotInvalidation(state, "issue-analysis-http-run");
+          return deps.jsonResponse({
+            ok: true,
+            reason,
+            analyzed: results.map((entry) => ({
+              id: entry.issue.id,
+              title: entry.issue.title ?? null,
+              result: entry.result
+            }))
           });
         }
         if (url.pathname === "/api/server/status") {
           const config = buildProjectConfigStatus(state.projectRoot);
-          const taskSource = await buildTaskSourceStatus(state, config);
+          const taskSource = await buildTaskSourceStatus(state, config, requestAuth);
           return deps.jsonResponse({
             ok: true,
             projectRoot: state.projectRoot,
@@ -2543,8 +3455,9 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             path: normalizeString(rawCheckout?.path) ?? state.projectRoot,
             ref: normalizeString(rawCheckout?.ref) ?? undefined
           } : undefined;
-          const record = upsertProjectRecord(state.projectRoot, { repoSlug, checkout });
-          return deps.jsonResponse({ ok: true, project: record });
+          const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+          const record = upsertProjectRecord(registryRoot, { repoSlug, checkout });
+          return deps.jsonResponse({ ok: true, project: record, userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
         }
         const snapshotUploadMatch = url.pathname.match(/^\/api\/projects\/(.+?)\/upload-snapshot$/);
         if (snapshotUploadMatch && req.method === "POST") {
@@ -2557,8 +3470,15 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (!archiveContentBase64) {
             return deps.badRequest("archiveContentBase64 is required");
           }
-          const baseDir = normalizeString(body.baseDir) ?? normalizeString(process.env.RIG_REMOTE_SNAPSHOT_BASE_DIR) ?? (normalizeString(process.env.RIG_STATE_DIR) ? resolve11(normalizeString(process.env.RIG_STATE_DIR), "remote-snapshots") : resolve11(state.projectRoot, ".rig", "remote-snapshots"));
-          const checkoutKey = normalizeString(body.checkoutKey) ?? "default";
+          const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+          const baseDir = resolveNamespacedBaseDir({
+            explicitBaseDir: normalizeString(body.baseDir),
+            envName: "RIG_REMOTE_SNAPSHOT_BASE_DIR",
+            userNamespace: requestAuth.userNamespace,
+            legacyProjectRoot: state.projectRoot,
+            legacySubdir: "remote-snapshots"
+          });
+          const checkoutKey = explicitCheckoutKey(body, body, requestAuth);
           try {
             const archive = parseSnapshotArchiveContentBase64(archiveContentBase64);
             const checkout = extractUploadedSnapshotArchive({
@@ -2571,14 +3491,14 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             const checkoutRepair = repairRemoteCheckoutForRig(checkout.path, repoSlug);
             const packageInstall = installRemoteCheckoutPackages(checkout.path);
             const postInstallConfigValidation = validateRemoteCheckoutRigConfig(checkout.path);
-            const project = linkProjectCheckout(state.projectRoot, repoSlug, {
+            const project = linkProjectCheckout(registryRoot, repoSlug, {
               kind: "uploaded-snapshot",
               path: checkout.path,
               ref: checkout.snapshotId
             });
             deps.snapshotService.invalidate("uploaded-snapshot-checkout");
             deps.broadcastSnapshotInvalidation(state, "uploaded-snapshot-checkout");
-            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation });
+            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation, userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
           } catch (error) {
             return deps.jsonResponse({
               ok: false,
@@ -2598,10 +3518,17 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (kind !== "managed-clone" && kind !== "current-ref" && kind !== "existing-path") {
             return deps.jsonResponse({ ok: false, error: "checkout kind must be managed-clone, current-ref, or existing-path" }, 400);
           }
-          const baseDir = normalizeString(body.baseDir) ?? normalizeString(checkoutInput.baseDir) ?? normalizeString(process.env.RIG_REMOTE_CHECKOUT_BASE_DIR) ?? (normalizeString(process.env.RIG_STATE_DIR) ? resolve11(normalizeString(process.env.RIG_STATE_DIR), "remote-checkouts") : resolve11(state.projectRoot, ".rig", "remote-checkouts"));
-          const checkoutKey = normalizeString(body.checkoutKey) ?? normalizeString(checkoutInput.checkoutKey) ?? normalizeString(checkoutInput.key) ?? "default";
+          const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+          const baseDir = resolveNamespacedBaseDir({
+            explicitBaseDir: normalizeString(body.baseDir) ?? normalizeString(checkoutInput.baseDir),
+            envName: "RIG_REMOTE_CHECKOUT_BASE_DIR",
+            userNamespace: requestAuth.userNamespace,
+            legacyProjectRoot: state.projectRoot,
+            legacySubdir: "remote-checkouts"
+          });
+          const checkoutKey = explicitCheckoutKey(body, checkoutInput, requestAuth);
           const repoUrl = normalizeString(body.repoUrl) ?? normalizeString(checkoutInput.repoUrl) ?? `https://github.com/${repoSlug}.git`;
-          const credentialToken = createGitHubAuthStore(state.projectRoot).readToken();
+          const credentialToken = requestScopedAuthStore(state.projectRoot, requestAuth).readToken();
           try {
             const checkout = await prepareRemoteCheckout({
               command: runRemoteCheckoutCommand,
@@ -2610,14 +3537,14 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             const checkoutRepair = repairRemoteCheckoutForRig(checkout.path, repoSlug);
             const packageInstall = installRemoteCheckoutPackages(checkout.path);
             const postInstallConfigValidation = validateRemoteCheckoutRigConfig(checkout.path);
-            const project = linkProjectCheckout(state.projectRoot, repoSlug, {
+            const project = linkProjectCheckout(registryRoot, repoSlug, {
               kind: checkout.kind,
               path: checkout.path,
               ref: checkout.ref ?? checkout.snapshotId ?? undefined
             });
             deps.snapshotService.invalidate("remote-checkout-prepared");
             deps.broadcastSnapshotInvalidation(state, "remote-checkout-prepared");
-            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation });
+            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation, userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
           } catch (error) {
             return deps.jsonResponse({ ok: false, error: error instanceof Error ? error.message : String(error) }, 400);
           }
@@ -2634,16 +3561,18 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             if (kind !== "local" && kind !== "managed-clone" && kind !== "current-ref" && kind !== "uploaded-snapshot" && kind !== "existing-path") {
               return deps.jsonResponse({ ok: false, error: "checkout kind is required" }, 400);
             }
-            const project = linkProjectCheckout(state.projectRoot, repoSlug, {
+            const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+            const project = linkProjectCheckout(registryRoot, repoSlug, {
               kind,
               path: normalizeString(body.path) ?? state.projectRoot,
               ref: normalizeString(body.ref) ?? undefined
             });
-            return deps.jsonResponse({ ok: true, project });
+            return deps.jsonResponse({ ok: true, project, userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
           }
           if (req.method === "GET") {
-            const project = getProjectRecord(state.projectRoot, repoSlug);
-            return project ? deps.jsonResponse({ ok: true, project }) : deps.notFound();
+            const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+            const project = getProjectRecord(registryRoot, repoSlug);
+            return project ? deps.jsonResponse({ ok: true, project, userNamespace: userNamespaceResponse(requestAuth.userNamespace) }) : deps.notFound();
           }
         }
         if (url.pathname === "/api/server/project-root" && req.method === "POST") {
@@ -2652,13 +3581,26 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (!requestedRoot) {
             return deps.badRequest("projectRoot is required");
           }
-          if (!isAbsolute2(requestedRoot)) {
+          if (!isAbsolute3(requestedRoot)) {
             return deps.badRequest("projectRoot must be an absolute path on the Rig server host");
           }
-          const normalizedRoot = resolve11(requestedRoot);
-          const exists = existsSync8(normalizedRoot);
-          if (exists) {
-            createGitHubAuthStore(state.projectRoot).copyToProjectRoot(normalizedRoot);
+          const normalizedRoot = resolve13(requestedRoot);
+          const exists = existsSync10(normalizedRoot);
+          if (exists && requestAuth.userNamespace) {
+            const allowedByNamespace = isPathInsideNamespace(requestAuth.userNamespace.root, normalizedRoot);
+            const allowedByRegistry = projectRegistryContainsCheckout(requestAuth.userNamespace.root, normalizedRoot);
+            if (!allowedByNamespace && !allowedByRegistry) {
+              return deps.jsonResponse({
+                ok: false,
+                error: "Requested project root is outside the authenticated GitHub user namespace.",
+                projectRoot: state.projectRoot,
+                requestedProjectRoot: normalizedRoot,
+                userNamespace: userNamespaceResponse(requestAuth.userNamespace)
+              }, 403);
+            }
+            copyGitHubAuthStateToLocalProjectRoot(requestAuth.userNamespace.authStateFile, normalizedRoot);
+          } else if (exists) {
+            createGitHubAuthStore(state.projectRoot).copyToLocalProjectRoot(normalizedRoot);
           }
           const control = buildServerControlStatus();
           const switchCommand = process.env.RIG_PROJECT_ROOT_SWITCH_COMMAND?.trim();
@@ -2673,7 +3615,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
               message: "Requested project root does not exist on the Rig server host."
             }, 404);
           }
-          if (!existsSync8(resolve11(normalizedRoot, "rig.config.ts")) && !existsSync8(resolve11(normalizedRoot, "rig.config.json"))) {
+          if (!existsSync10(resolve13(normalizedRoot, "rig.config.ts")) && !existsSync10(resolve13(normalizedRoot, "rig.config.json"))) {
             return deps.jsonResponse({
               ok: false,
               projectRoot: state.projectRoot,
@@ -2708,6 +3650,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
               exists,
               control,
               requiresRestart: false,
+              userNamespace: userNamespaceResponse(requestAuth.userNamespace),
               message: "Project-root switch accepted. Rig server restart has been scheduled."
             }, 202);
           }
@@ -2722,11 +3665,11 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }, 409);
         }
         if (url.pathname === "/api/github/auth/status") {
-          const store = createGitHubAuthStore(state.projectRoot);
-          return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }) });
+          const store = requestScopedAuthStore(state.projectRoot, requestAuth);
+          return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }), userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
         }
         if (url.pathname === "/api/github/repo/permissions") {
-          const store = createGitHubAuthStore(state.projectRoot);
+          const store = requestScopedAuthStore(state.projectRoot, requestAuth);
           const auth = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
           if (!auth.signedIn) {
             return deps.jsonResponse({ ok: false, signedIn: false, canOpenPullRequest: false, reason: "not-authenticated" }, 401);
@@ -2754,24 +3697,20 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }
           try {
             const user = await fetchGitHubUserInfo(token);
-            const storeRoots = [
-              state.projectRoot,
-              ...requestedProjectRoot && isAbsolute2(requestedProjectRoot) && existsSync8(resolve11(requestedProjectRoot)) ? [resolve11(requestedProjectRoot)] : []
-            ].filter((root, index, roots) => roots.indexOf(root) === index);
-            const stores = storeRoots.map((root) => createGitHubAuthStore(root));
-            for (const store2 of stores) {
-              store2.saveToken({
-                token,
-                tokenSource: "manual-token",
-                login: user.login,
-                userId: user.userId,
-                scopes: user.scopes,
-                selectedRepo
-              });
-            }
-            const store = stores[stores.length - 1] ?? createGitHubAuthStore(state.projectRoot);
-            const apiSession = store.createApiSession();
-            return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }), apiSessionToken: apiSession.token });
+            const saved = saveGitHubTokenForRemoteUser({
+              projectRoot: state.projectRoot,
+              token,
+              tokenSource: "manual-token",
+              user,
+              selectedRepo,
+              requestedProjectRoot
+            });
+            return deps.jsonResponse({
+              ok: true,
+              ...saved.store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }),
+              apiSessionToken: saved.apiSessionToken,
+              userNamespace: userNamespaceResponse(saved.namespace)
+            });
           } catch (error) {
             const message = error instanceof Error ? error.message : String(error);
             return deps.jsonResponse({ ok: false, error: message }, 400);
@@ -2838,9 +3777,21 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }
           const token = result.payload.access_token;
           const user = await fetchGitHubUserInfo(token);
-          store.saveToken({ token, tokenSource: "oauth-device", login: user.login, userId: user.userId, scopes: user.scopes });
-          const apiSession = store.createApiSession();
-          return deps.jsonResponse({ ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }), apiSessionToken: apiSession.token });
+          const saved = saveGitHubTokenForRemoteUser({
+            projectRoot: state.projectRoot,
+            token,
+            tokenSource: "oauth-device",
+            user,
+            selectedRepo: null
+          });
+          store.clearPendingDevice(pollId);
+          return deps.jsonResponse({
+            ok: true,
+            status: "signed-in",
+            ...saved.store.status({ oauthConfigured: true }),
+            apiSessionToken: saved.apiSessionToken,
+            userNamespace: userNamespaceResponse(saved.namespace)
+          });
         }
         if (url.pathname === "/api/github/repo/probe" && req.method === "POST") {
           const body = await deps.readJsonBody(req);
@@ -2849,7 +3800,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (!owner || !repo) {
             return deps.badRequest("owner and repo are required");
           }
-          const store = createGitHubAuthStore(state.projectRoot);
+          const store = requestScopedAuthStore(state.projectRoot, requestAuth);
           const authStatus = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
           const probe = await probeGitHubRepository({ owner, repo, token: store.readToken(), scopes: authStatus.scopes });
           return deps.jsonResponse({ ok: probe.ok, probe }, probe.ok ? 200 : 400);
@@ -2870,7 +3821,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             return deps.badRequest(error instanceof Error ? error.message : String(error));
           }
           const authStatus = createGitHubAuthStore(state.projectRoot).status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
-          const configPath = resolve11(targetRoot, "rig.config.ts");
+          const configPath = resolve13(targetRoot, "rig.config.ts");
           const source = buildGitHubProjectConfigSource({
             projectName: rawProjectName,
             owner,
@@ -2882,8 +3833,8 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             ok: true,
             projectRoot: targetRoot,
             configPath,
-            exists: existsSync8(configPath),
-            requiresOverwrite: existsSync8(configPath),
+            exists: existsSync10(configPath),
+            requiresOverwrite: existsSync10(configPath),
             source,
             owner,
             repo,
@@ -2919,8 +3870,8 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             assignee,
             githubUserId: authStatus.userId ?? authStatus.login
           });
-          const configPath = resolve11(targetRoot, "rig.config.ts");
-          if (existsSync8(configPath) && !overwrite) {
+          const configPath = resolve13(targetRoot, "rig.config.ts");
+          if (existsSync10(configPath) && !overwrite) {
             return deps.jsonResponse({
               ok: false,
               error: "rig.config.ts already exists. Confirm overwrite to replace it; Rig will create a backup first.",
@@ -2936,11 +3887,11 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             return deps.jsonResponse({ ok: false, error: repoProbe.message, repoProbe }, 400);
           }
           let backupPath = null;
-          if (existsSync8(configPath)) {
+          if (existsSync10(configPath)) {
             backupPath = backupConfigPath(configPath);
-            copyFileSync(configPath, backupPath);
+            copyFileSync2(configPath, backupPath);
           }
-          writeFileSync7(configPath, source, "utf8");
+          writeFileSync9(configPath, source, "utf8");
           const selectedRepo = `${owner}/${repo}`;
           store.saveSelectedRepo(selectedRepo);
           const targetStore = createGitHubAuthStore(targetRoot);
@@ -3212,11 +4163,12 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           const runId = normalizeString(body.runId);
           const createdAt = normalizeString(body.createdAt) ?? new Date().toISOString();
           const promptOverride = normalizeString(body.promptOverride);
+          const restart = body.restart === true;
           if (!runId) {
             return deps.badRequest("runId is required");
           }
           try {
-            await deps.resumeRunRecord(state, { runId, createdAt, promptOverride });
+            await deps.resumeRunRecord(state, { runId, createdAt, promptOverride, restart });
             deps.broadcastSnapshotInvalidation(state);
             return deps.jsonResponse({ ok: true, runId, createdAt });
           } catch (error) {
@@ -3225,7 +4177,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
         }
         if (url.pathname === "/api/pi-rig/install" && req.method === "POST") {
           const configuredPackageSource = normalizeString(process.env.RIG_PI_RIG_PACKAGE_SOURCE);
-          const packageSource = configuredPackageSource ?? [process.env.RIG_HOST_PROJECT_ROOT, process.cwd(), state.projectRoot].map((root) => normalizeString(root)).filter((root) => Boolean(root)).map((root) => resolve11(root, "packages", "pi-rig")).find((candidate) => existsSync8(resolve11(candidate, "package.json"))) ?? "npm:@rig/pi-rig";
+          const packageSource = configuredPackageSource ?? [process.env.RIG_HOST_PROJECT_ROOT, process.cwd(), state.projectRoot].map((root) => normalizeString(root)).filter((root) => Boolean(root)).map((root) => resolve13(root, "packages", "pi-rig")).find((candidate) => existsSync10(resolve13(candidate, "package.json"))) ?? "npm:@h-rig/pi-rig";
           if (process.env.RIG_TEST_FAKE_PI_INSTALL === "1") {
             return deps.jsonResponse({ ok: true, installed: true, piOk: true, piRigOk: true, extensionPath: "remote:~/.pi/agent/extensions/pi-rig", packageSource });
           }
@@ -3541,9 +4493,9 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           } catch {
             return deps.badRequest("Invalid artifact path");
           }
-          mkdirSync7(dirname6(artifactPath), { recursive: true });
+          mkdirSync9(dirname9(artifactPath), { recursive: true });
           const bytes = Buffer.from(contentBase64, "base64");
-          writeFileSync7(artifactPath, bytes);
+          writeFileSync9(artifactPath, bytes);
           writeJsonFile4(`${artifactPath}.json`, {
             workspaceId: normalizeString(body.workspaceId) ?? RIG_WORKSPACE_ID,
             runId,
@@ -3580,13 +4532,75 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }
           const run = leaseValidation.run;
           const completedAt = new Date().toISOString();
+          const workspaceDir = normalizeString(body.workspaceDir) ?? normalizeString(body.runtimeWorkspace) ?? normalizeString(run.worktreePath);
+          if (run.taskId && workspaceDir) {
+            patchRunRecord(state.projectRoot, runId, {
+              status: "reviewing",
+              completedAt: null,
+              hostId,
+              endpointId: leaseId,
+              worktreePath: workspaceDir,
+              serverCloseout: {
+                status: "pending",
+                phase: "queued",
+                requestedAt: completedAt,
+                updatedAt: completedAt,
+                runtimeWorkspace: workspaceDir,
+                branch: normalizeString(body.branch) ?? normalizeString(run.branch) ?? `rig/${run.taskId}-${runId}`,
+                taskId: run.taskId,
+                source: "remote-complete"
+              }
+            });
+            deps.appendRunLogEntryAndBroadcast(state, runId, {
+              id: `log:${runId}:remote-server-closeout-requested`,
+              title: "Server-owned closeout requested",
+              detail: "Remote run completed provider work and handed commit/PR/review/merge closeout to the Rig server.",
+              tone: "info",
+              status: "reviewing",
+              createdAt: completedAt,
+              payload: { workspaceDir, hostId, leaseId }
+            }, "remote-server-closeout-requested");
+            deps.runServerOwnedPrCloseout(state, runId).catch((error) => {
+              const detail = error instanceof Error ? error.message : String(error);
+              patchRunRecord(state.projectRoot, runId, {
+                status: "failed",
+                completedAt: new Date().toISOString(),
+                errorText: detail,
+                serverCloseout: {
+                  status: "failed",
+                  phase: "failed",
+                  updatedAt: new Date().toISOString(),
+                  error: detail
+                }
+              });
+              deps.appendRunLogEntryAndBroadcast(state, runId, {
+                id: `log:${runId}:remote-server-closeout-failed`,
+                title: "Server-owned closeout failed",
+                detail,
+                tone: "error",
+                status: "failed",
+                createdAt: new Date().toISOString()
+              }, "remote-server-closeout-failed");
+            }).finally(() => {
+              deps.reconcileScheduler(state, "remote-server-closeout-terminal");
+            });
+            deps.broadcastSnapshotInvalidation(state);
+            return deps.jsonResponse({
+              ok: true,
+              workspaceId: normalizeString(body.workspaceId) ?? RIG_WORKSPACE_ID,
+              hostId,
+              runId,
+              leaseId,
+              closeout: "server-owned",
+              acceptedAt: new Date().toISOString()
+            });
+          }
           patchRunRecord(state.projectRoot, runId, {
             status: "completed",
             completedAt,
             hostId,
             endpointId: leaseId
           });
-          await updateRemoteRunTaskSourceLifecycle(state.projectRoot, { ...run, status: "completed", completedAt, hostId, endpointId: leaseId }, "closed", "Remote Rig task run completed and closed this task.");
           await deps.enqueueRunLinearEvent(state.projectRoot, {
             type: "run.completed",
             runId,
@@ -3705,12 +4719,12 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           try {
             const runsRoot = resolveAuthorityPaths(state.projectRoot).runsDir;
             const runRoot = deps.normalizeRelativePath(runsRoot, runId);
-            const artifactsRoot = resolve11(runRoot, "remote-artifacts");
+            const artifactsRoot = resolve13(runRoot, "remote-artifacts");
             artifactPath = deps.normalizeRelativePath(artifactsRoot, fileName);
           } catch {
             return deps.badRequest("Invalid artifact path");
           }
-          if (!existsSync8(artifactPath)) {
+          if (!existsSync10(artifactPath)) {
             return deps.notFound();
           }
           return new Response(Bun.file(artifactPath));
@@ -3723,6 +4737,14 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           const page = await readRunLogsPage(state.projectRoot, runId, { limit, cursor });
           return deps.jsonResponse(page);
         }
+        const runTimelineMatch = url.pathname.match(/^\/api\/runs\/([^/]+)\/timeline$/);
+        if (runTimelineMatch) {
+          const runId = decodeURIComponent(runTimelineMatch[1]);
+          const limit = Number.parseInt(url.searchParams.get("limit") || "500", 10);
+          const cursor = normalizeString(url.searchParams.get("cursor"));
+          const page = await readRunTimelinePage(state.projectRoot, runId, { limit, cursor });
+          return deps.jsonResponse(page);
+        }
         const runSteerMatch = url.pathname.match(/^\/api\/runs\/([^/]+)\/steer$/);
         if (runSteerMatch && req.method === "POST") {
           const runId = decodeURIComponent(runSteerMatch[1]);