@h-rig/server 0.0.6-alpha.22 → 0.0.6-alpha.23

package/dist/src/index.js

@@ -1530,14 +1530,29 @@ function summarizeUsefulRunError(projectRoot, runId, fallback) {
   const nonGeneric = errorLines.at(-1);
   return nonGeneric ?? (typeof fallback === "string" ? fallback : null);
 }
+function readRunPiSessionMetadata(projectRoot, runId) {
+  const run = readAuthorityRun(projectRoot, runId);
+  const metadata = run?.piSessionPrivate;
+  if (!metadata || typeof metadata !== "object" || Array.isArray(metadata))
+    return null;
+  const record = metadata;
+  const publicMetadata = record.public;
+  const daemonConnection = record.daemonConnection;
+  if (!publicMetadata || typeof publicMetadata !== "object" || Array.isArray(publicMetadata))
+    return null;
+  if (!daemonConnection || typeof daemonConnection !== "object" || Array.isArray(daemonConnection))
+    return null;
+  return metadata;
+}
 function readRunDetails(projectRoot, runId) {
   const run = readAuthorityRun(projectRoot, runId);
   if (!run) {
     return null;
   }
   const usefulErrorText = isGenericRunFailure(run.errorText) ? summarizeUsefulRunError(projectRoot, runId, run.errorText) : null;
+  const { piSessionPrivate: _piSessionPrivate, ...publicRun } = run;
   return {
-    run: usefulErrorText ? { ...run, errorText: usefulErrorText } : run,
+    run: usefulErrorText ? { ...publicRun, errorText: usefulErrorText } : publicRun,
     timeline: readJsonlFile(resolve4(resolveAuthorityRunDir(projectRoot, runId), "timeline.jsonl")),
     approvals: readApprovals(projectRoot, { runId }),
     userInputs: readUserInputs(projectRoot, { runId })
@@ -3244,6 +3259,12 @@ function patchRunRecord(projectRoot, runId, patch) {
   writeJsonFile2(resolve11(resolveAuthorityRunDir2(projectRoot, runId), "run.json"), next);
   return next;
 }
+function patchRunPiSessionMetadata(projectRoot, runId, metadata) {
+  return patchRunRecord(projectRoot, runId, {
+    piSession: metadata?.public ?? null,
+    piSessionPrivate: metadata
+  });
+}
 function buildRunStartPatch(startedAt) {
   return {
     status: "preparing",
@@ -4435,10 +4456,10 @@ function closeoutPhasePatch(phase, status, extra = {}) {
   const updatedAt = new Date().toISOString();
   return {
     serverCloseout: {
+      ...extra,
       phase,
       status,
-      updatedAt,
-      ...extra
+      updatedAt
     }
   };
 }
@@ -4556,6 +4577,58 @@ async function updateRunTaskSourceLifecycle(projectRoot, run, status, summary, o
     });
   }
 }
+async function markServerOwnedCloseoutFailed(state, runId, error) {
+  const detail = error instanceof Error ? error.message : String(error);
+  const current = readAuthorityRun4(state.projectRoot, runId);
+  patchRunRecord(state.projectRoot, runId, {
+    status: "failed",
+    completedAt: new Date().toISOString(),
+    errorText: detail,
+    ...closeoutPhasePatch("failed", "failed", { error: detail })
+  });
+  appendRunLogEntryAndBroadcast(state, runId, {
+    id: `log:${runId}:server-closeout-failed`,
+    title: "Server-owned closeout failed",
+    detail,
+    tone: "error",
+    status: "failed",
+    createdAt: new Date().toISOString()
+  }, "server-closeout-failed");
+  if (current?.taskId) {
+    await updateRunTaskSourceLifecycle(state.projectRoot, { ...current, status: "failed", errorText: detail }, "failed", "Rig server-owned closeout failed.", { errorText: detail }).catch((sourceError) => {
+      appendRunLogEntry(state.projectRoot, runId, {
+        id: `log:${runId}:task-source-closeout-failed-update`,
+        title: "Task source closeout failure update failed",
+        detail: sourceError instanceof Error ? sourceError.message : String(sourceError),
+        tone: "error",
+        status: "failed",
+        createdAt: new Date().toISOString()
+      });
+    });
+  }
+}
+function scheduleServerOwnedPrCloseout(state, runId, reason) {
+  const startedAt = new Date().toISOString();
+  state.runProcesses.set(runId, {
+    runId,
+    child: null,
+    startedAt,
+    stopped: false
+  });
+  queueMicrotask(() => {
+    withServerAuthorityEnvIfNeeded(state.projectRoot, async () => {
+      try {
+        await runServerOwnedPrCloseout(state, runId);
+      } catch (error) {
+        await markServerOwnedCloseoutFailed(state, runId, error);
+      } finally {
+        state.runProcesses.delete(runId);
+        broadcastSnapshotInvalidation(state, `server-closeout-${reason}-terminal`);
+        await reconcileScheduler(state, `server-closeout-${reason}-terminal`);
+      }
+    });
+  });
+}
 async function runServerOwnedPrCloseout(state, runId) {
   const run = readAuthorityRun4(state.projectRoot, runId);
   if (!run)
@@ -4567,7 +4640,7 @@ async function runServerOwnedPrCloseout(state, runId) {
   if (!taskId)
     throw new Error("Server-owned closeout requires a task id.");
   const workspace = normalizeString(closeout.runtimeWorkspace) ?? normalizeString(run.worktreePath) ?? state.projectRoot;
-  const branch = normalizeString(closeout.branch) ?? `rig/${taskId}-${runId}`;
+  let branch = normalizeString(closeout.branch) ?? `rig/${taskId}-${runId}`;
   const config = await loadRigLifecycleConfig(state.projectRoot);
   const runPrMode = normalizeString(run.prMode);
   const prMode = runPrMode === "auto" || runPrMode === "ask" || runPrMode === "off" ? runPrMode : config?.pr?.mode ?? "off";
@@ -4641,6 +4714,12 @@ async function runServerOwnedPrCloseout(state, runId) {
   const githubEnv = githubToken ? { RIG_GITHUB_TOKEN: githubToken, GITHUB_TOKEN: githubToken, GH_TOKEN: githubToken } : {};
   const gitCommand = createCommandRunner("git", githubEnv);
   const ghCommand = createCommandRunner("gh", githubEnv);
+  const workspaceBranch = await gitCommand(["rev-parse", "--abbrev-ref", "HEAD"], { cwd: workspace });
+  const currentWorkspaceBranch = workspaceBranch.exitCode === 0 ? normalizeString(workspaceBranch.stdout) : null;
+  if (currentWorkspaceBranch && currentWorkspaceBranch !== "HEAD" && currentWorkspaceBranch !== branch) {
+    appendCloseoutStage(state, runId, "branch", `Using runtime workspace branch ${currentWorkspaceBranch} instead of recorded branch ${branch}.`, "reviewing", "info");
+    branch = currentWorkspaceBranch;
+  }
   const setCloseout = (phase, status, extra = {}) => {
     const previous = closeoutRecord(readCurrentRun()) ?? closeout;
     patchRunRecord(state.projectRoot, runId, {
@@ -5011,6 +5090,25 @@ async function startLocalRun(state, runId, options) {
             broadcastSnapshotInvalidation(state);
             continue;
           }
+          if (line.startsWith("__RIG_WRAPPER_EVENT__")) {
+            try {
+              const wrapperEvent = JSON.parse(line.slice("__RIG_WRAPPER_EVENT__".length));
+              const eventType = normalizeString(wrapperEvent.type);
+              const payload = wrapperEvent.payload && typeof wrapperEvent.payload === "object" && !Array.isArray(wrapperEvent.payload) ? wrapperEvent.payload : {};
+              if (eventType === "pi.session.ready" && payload.privateMetadata && typeof payload.privateMetadata === "object" && !Array.isArray(payload.privateMetadata)) {
+                patchRunPiSessionMetadata(state.projectRoot, runId, payload.privateMetadata);
+              }
+              appendRunTimelineEntry(state.projectRoot, runId, {
+                id: `timeline:${runId}:${Date.now()}:wrapper:${eventType ?? "event"}`,
+                type: "wrapper-event",
+                eventType,
+                payload,
+                createdAt: normalizeString(wrapperEvent.at) ?? new Date().toISOString()
+              });
+            } catch {}
+            broadcastSnapshotInvalidation(state, "wrapper-event");
+            continue;
+          }
           appendRunLogEntryAndBroadcast(state, runId, {
             id: `log:${runId}:${Date.now()}`,
             title,
@@ -5039,7 +5137,13 @@ async function startLocalRun(state, runId, options) {
         if (!current) {
           return;
         }
-        if (exit.code !== 0 && current.status !== "completed" && current.status !== "stopped") {
+        if (closeoutRecord(current)?.status === "pending") {
+          try {
+            await runServerOwnedPrCloseout(state, runId);
+          } catch (closeoutError) {
+            await markServerOwnedCloseoutFailed(state, runId, closeoutError);
+          }
+        } else if (exit.code !== 0 && current.status !== "completed" && current.status !== "stopped") {
           const completedAt = current.completedAt ?? new Date().toISOString();
           const failureSummary = normalizeString(current.errorText) ?? summarizeRunValidationFailure(state.projectRoot, current) ?? `Rig task-run exited with code ${String(exit.code ?? "unknown")}`;
           if (current.status !== "failed") {
@@ -5074,38 +5178,6 @@ ${sourceFailure}` });
             agent: current.runtimeAdapter,
             summary: failureSummary
           });
-        } else if (closeoutRecord(current)?.status === "pending") {
-          try {
-            await runServerOwnedPrCloseout(state, runId);
-          } catch (closeoutError) {
-            const closeoutFailure = closeoutError instanceof Error ? closeoutError.message : String(closeoutError);
-            patchRunRecord(state.projectRoot, runId, {
-              status: "failed",
-              completedAt: new Date().toISOString(),
-              errorText: closeoutFailure,
-              ...closeoutPhasePatch("failed", "failed", { error: closeoutFailure })
-            });
-            appendRunLogEntryAndBroadcast(state, runId, {
-              id: `log:${runId}:server-closeout-failed`,
-              title: "Server-owned closeout failed",
-              detail: closeoutFailure,
-              tone: "error",
-              status: "failed",
-              createdAt: new Date().toISOString()
-            }, "server-closeout-failed");
-            if (current.taskId) {
-              await updateRunTaskSourceLifecycle(state.projectRoot, { ...current, status: "failed", errorText: closeoutFailure }, "failed", "Rig server-owned closeout failed.", { errorText: closeoutFailure }).catch((error) => {
-                appendRunLogEntry(state.projectRoot, runId, {
-                  id: `log:${runId}:task-source-closeout-failed-update`,
-                  title: "Task source closeout failure update failed",
-                  detail: error instanceof Error ? error.message : String(error),
-                  tone: "error",
-                  status: "failed",
-                  createdAt: new Date().toISOString()
-                });
-              });
-            }
-          }
         }
         broadcastSnapshotInvalidation(state);
       } catch (error) {
@@ -5194,8 +5266,14 @@ async function resumeRunRecord(state, input) {
   }
   const closeout = closeoutRecord(run);
   const closeoutStatus = normalizeString(closeout?.status)?.toLowerCase() ?? "";
-  if (RESUMABLE_SERVER_CLOSEOUT_STATUSES.has(closeoutStatus)) {
-    await runServerOwnedPrCloseout(state, input.runId);
+  if (EXPLICIT_RESUMABLE_SERVER_CLOSEOUT_STATUSES.has(closeoutStatus)) {
+    patchRunRecord(state.projectRoot, input.runId, {
+      status: "reviewing",
+      completedAt: null,
+      errorText: null,
+      ...closeoutPhasePatch("queued", "pending", { ...closeout, resumedAt: input.createdAt })
+    });
+    scheduleServerOwnedPrCloseout(state, input.runId, "explicit-resume");
     return;
   }
   await startLocalRun(state, input.runId, { promptOverride: input.promptOverride ?? null, resume: input.restart !== true });
@@ -5283,6 +5361,7 @@ function removeTaskIdsFromQueueState(projectRoot, taskIds) {
   return next;
 }
 var RESUMABLE_SERVER_CLOSEOUT_STATUSES = new Set(["pending", "running"]);
+var EXPLICIT_RESUMABLE_SERVER_CLOSEOUT_STATUSES = new Set(["pending", "running", "needs_attention"]);
 var ACTIVE_LOCAL_RUN_STATUSES = new Set(["created", "preparing", "running", "validating", "reviewing"]);
 function processExists(pid) {
   if (!Number.isInteger(pid) || pid <= 0)
@@ -5298,7 +5377,23 @@ function recoverStaleLocalRun(projectRoot, run) {
   const record = run;
   if (run.mode !== "local")
     return false;
+  const closeout = closeoutRecord(record);
+  const closeoutStatus = normalizeString(closeout?.status)?.toLowerCase() ?? "";
   const status = normalizeString(record.status)?.toLowerCase() ?? "";
+  if (RESUMABLE_SERVER_CLOSEOUT_STATUSES.has(closeoutStatus))
+    return false;
+  if (closeoutStatus === "needs_attention") {
+    if (!ACTIVE_LOCAL_RUN_STATUSES.has(status))
+      return false;
+    const completedAt2 = record.completedAt ?? new Date().toISOString();
+    patchRunRecord(projectRoot, run.runId, {
+      status: "needs_attention",
+      completedAt: completedAt2,
+      errorText: normalizeString(record.errorText) ?? (Array.isArray(closeout?.feedback) ? closeout.feedback.map(String).join(`
+`) : null)
+    });
+    return true;
+  }
   if (!ACTIVE_LOCAL_RUN_STATUSES.has(status))
     return false;
   const serverPid = typeof record.serverPid === "number" ? record.serverPid : null;
@@ -5355,15 +5450,7 @@ async function reconcileScheduler(state, reason) {
             status: "reviewing",
             createdAt: new Date().toISOString()
           });
-          await runServerOwnedPrCloseout(state, run.runId).catch((error) => {
-            const detail = error instanceof Error ? error.message : String(error);
-            patchRunRecord(state.projectRoot, run.runId, {
-              status: "failed",
-              completedAt: new Date().toISOString(),
-              errorText: detail,
-              ...closeoutPhasePatch("failed", "failed", { error: detail })
-            });
-          });
+          scheduleServerOwnedPrCloseout(state, run.runId, "auto-resume");
           changed = true;
         }
         if (changed) {
@@ -5445,7 +5532,7 @@ import { basename, dirname as dirname15, isAbsolute as isAbsolute4, resolve as r
 import { copyFileSync as copyFileSync2, existsSync as existsSync13, mkdirSync as mkdirSync13, readFileSync as readFileSync9, writeFileSync as writeFileSync12 } from "fs";
 import {
   listAuthorityRuns as listAuthorityRuns5,
-  readAuthorityRun as readAuthorityRun6,
+  readAuthorityRun as readAuthorityRun7,
   resolveAuthorityPaths,
   writeJsonFile as writeJsonFile4
 } from "@rig/runtime/control-plane/authority-files";
@@ -5465,10 +5552,64 @@ import {
   RemoteWsClient
 } from "@rig/runtime/control-plane/remote";
 
+// packages/server/src/server-helpers/pi-session-proxy.ts
+import { readAuthorityRun as readAuthorityRun5 } from "@rig/runtime/control-plane/authority-files";
+function resolveRunPiSessionProxy(projectRoot, runId) {
+  const run = readAuthorityRun5(projectRoot, runId);
+  if (!run)
+    return null;
+  const privateMetadata = readRunPiSessionMetadata(projectRoot, runId);
+  if (!privateMetadata)
+    return { pending: true, runId, status: typeof run.status === "string" ? run.status : undefined };
+  const connection = privateMetadata.daemonConnection;
+  if (connection.mode !== "http")
+    throw new Error("Only loopback HTTP Rig Pi session daemon connections are supported");
+  const token = tokenFromRef(connection.tokenRef);
+  if (!token)
+    throw new Error("Rig Pi session daemon token is unavailable");
+  return {
+    runId,
+    sessionId: privateMetadata.public.sessionId,
+    metadata: privateMetadata.public,
+    privateMetadata,
+    baseUrl: connection.baseUrl.replace(/\/+$/, ""),
+    token
+  };
+}
+async function proxyRunPiHttp(projectRoot, runId, input) {
+  const resolved = resolveRunPiSessionProxy(projectRoot, runId);
+  if (resolved === null)
+    return { status: 404, payload: { ok: false, error: "Run not found" } };
+  if ("pending" in resolved)
+    return { status: 409, payload: { ready: false, runId, status: resolved.status, retryAfterMs: 500 } };
+  const response = await fetch(`${resolved.baseUrl}${input.daemonPath}`, {
+    method: input.method,
+    headers: {
+      authorization: `Bearer ${resolved.token}`,
+      ...input.body === undefined ? {} : { "content-type": "application/json" }
+    },
+    body: input.body === undefined ? undefined : JSON.stringify(input.body)
+  });
+  const text = await response.text();
+  const payload = text.trim() ? JSON.parse(text) : null;
+  return { status: response.status, payload };
+}
+function buildRunPiDaemonWebSocketUrl(resolved) {
+  const url = new URL(`${resolved.baseUrl}/sessions/${encodeURIComponent(resolved.sessionId)}/events`);
+  url.protocol = url.protocol === "https:" ? "wss:" : "ws:";
+  url.searchParams.set("token", resolved.token);
+  return url.toString();
+}
+function tokenFromRef(ref) {
+  if (ref.startsWith("inline:"))
+    return ref.slice("inline:".length) || null;
+  return null;
+}
+
 // packages/server/src/server-helpers/run-steering.ts
 import { dirname as dirname10, resolve as resolve15 } from "path";
 import { existsSync as existsSync8, mkdirSync as mkdirSync8, readFileSync as readFileSync5 } from "fs";
-import { appendJsonlRecord as appendJsonlRecord2, readAuthorityRun as readAuthorityRun5, resolveAuthorityRunDir as resolveAuthorityRunDir4 } from "@rig/runtime/control-plane/authority-files";
+import { appendJsonlRecord as appendJsonlRecord2, readAuthorityRun as readAuthorityRun6, resolveAuthorityRunDir as resolveAuthorityRunDir4 } from "@rig/runtime/control-plane/authority-files";
 var steeringSequence = 0;
 function runSteeringPath(projectRoot, runId) {
   return resolve15(resolveAuthorityRunDir4(projectRoot, runId), "steering.jsonl");
@@ -5537,7 +5678,7 @@ function markQueuedRunSteeringMessagesDelivered(projectRoot, runId, ids) {
   return delivered;
 }
 function queueRunSteeringMessage(projectRoot, runId, input) {
-  const run = readAuthorityRun5(projectRoot, runId);
+  const run = readAuthorityRun6(projectRoot, runId);
   if (!run)
     throw new Error(`Run not found: ${runId}`);
   const text = input.message.trim();
@@ -6525,7 +6666,8 @@ function isAuthorizedInspectorStreamRequest(req, authToken) {
 }
 function buildDeploymentStatus(projectRoot) {
   const envCommit = normalizeCommit(process.env.RIG_COMMIT_SHA ?? process.env.GITHUB_SHA ?? process.env.VERCEL_GIT_COMMIT_SHA ?? process.env.RAILWAY_GIT_COMMIT_SHA ?? process.env.COMMIT_SHA);
-  const gitCommit = envCommit ?? readGitHeadCommit(projectRoot);
+  const deploymentRoot = normalizeString(process.env.RIG_HOST_PROJECT_ROOT) ?? projectRoot;
+  const gitCommit = envCommit ?? readGitHeadCommit(deploymentRoot) ?? readGitHeadCommit(projectRoot);
   return {
     currentCommit: gitCommit,
     commitSource: envCommit ? "env" : gitCommit ? "git" : null,
@@ -7115,7 +7257,7 @@ function redactSecretFields(value) {
   return redacted;
 }
 function validateRemoteLease(deps, state, input) {
-  const run = readAuthorityRun6(state.projectRoot, input.runId);
+  const run = readAuthorityRun7(state.projectRoot, input.runId);
   if (!run) {
     return { ok: false, response: deps.jsonResponse({ ok: false, error: "Remote run not found" }, 404) };
   }
@@ -7135,6 +7277,43 @@ function createRigServerFetch(state, deps) {
     return deps.withServerPathEnv(state.projectRoot, async () => {
       const browserOrigin = deps.resolveAllowedBrowserOrigin(req);
       const finalizeResponse = (response) => deps.withCorsHeaders(response, req, browserOrigin);
+      const earlyUrl = new URL(req.url);
+      const piEventsWsMatch = earlyUrl.pathname.match(/^\/api\/runs\/([^/]+)\/pi\/events$/);
+      if (piEventsWsMatch && req.headers.get("upgrade")?.toLowerCase() === "websocket") {
+        const queryToken = earlyUrl.searchParams.get("token");
+        const authHeaders = new Headers(req.headers);
+        if (queryToken && !authHeaders.has("authorization")) {
+          authHeaders.set("authorization", `Bearer ${queryToken}`);
+        }
+        const legacyAuthorized = Boolean(state.authToken && queryToken === state.authToken);
+        const requestAuth = authorizeRigHttpRequest({
+          req: new Request(req.url, { method: req.method, headers: authHeaders }),
+          pathname: earlyUrl.pathname,
+          projectRoot: state.projectRoot,
+          serverAuthToken: state.authToken,
+          legacyAuthorized
+        });
+        if (!requestAuth.authorized) {
+          return deps.jsonResponse({ ok: false, error: "Unauthorized WebSocket connection", reason: requestAuth.reason }, 401);
+        }
+        const runId = decodeURIComponent(piEventsWsMatch[1]);
+        const resolved = resolveRunPiSessionProxy(state.projectRoot, runId);
+        if (resolved === null)
+          return deps.jsonResponse({ ok: false, error: "Run not found" }, 404);
+        if ("pending" in resolved)
+          return deps.jsonResponse({ ready: false, runId, status: resolved.status, retryAfterMs: 500 }, 202);
+        if (!server)
+          return deps.jsonResponse({ ok: false, error: "WebSocket upgrade unavailable" }, 400);
+        const upgraded = server.upgrade(req, {
+          data: {
+            kind: "pi-session-proxy",
+            connectedAt: new Date().toISOString(),
+            upstreamUrl: buildRunPiDaemonWebSocketUrl(resolved),
+            runId
+          }
+        });
+        return upgraded ? new Response(null) : deps.jsonResponse({ ok: false, error: "WebSocket upgrade failed" }, 400);
+      }
       const upgradeResponse = handleWebSocketUpgrade({
         req,
         server,
@@ -8873,6 +9052,49 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             return deps.jsonResponse({ ok: false, error: error instanceof Error ? error.message : String(error) }, 404);
           }
         }
+        const runPiMatch = url.pathname.match(/^\/api\/runs\/([^/]+)\/pi(?:\/(.*))?$/);
+        if (runPiMatch) {
+          const runId = decodeURIComponent(runPiMatch[1]);
+          const action = runPiMatch[2] || "";
+          const resolved = resolveRunPiSessionProxy(state.projectRoot, runId);
+          if (resolved === null)
+            return deps.notFound();
+          if ("pending" in resolved) {
+            if (action === "" && req.method === "GET") {
+              return deps.jsonResponse({ ready: false, runId, status: resolved.status, retryAfterMs: 500 }, 202);
+            }
+            return deps.jsonResponse({ ready: false, runId, status: resolved.status, retryAfterMs: 500, error: "Pi session is not ready" }, 409);
+          }
+          if (action === "" && req.method === "GET")
+            return deps.jsonResponse({ ready: true, metadata: resolved.metadata });
+          const body = req.method === "GET" ? undefined : await deps.readJsonBody(req);
+          const sessionPath = `/sessions/${encodeURIComponent(resolved.sessionId)}`;
+          const daemonPath = (() => {
+            if (action === "messages" && req.method === "GET")
+              return `${sessionPath}/messages`;
+            if (action === "status" && req.method === "GET")
+              return `${sessionPath}/status`;
+            if (action === "commands" && req.method === "GET")
+              return `${sessionPath}/commands`;
+            if (action === "prompt" && req.method === "POST")
+              return `${sessionPath}/prompt`;
+            if (action === "shell" && req.method === "POST")
+              return `${sessionPath}/shell`;
+            if (action === "commands/run" && req.method === "POST")
+              return `${sessionPath}/commands/run`;
+            if (action === "commands/respond" && req.method === "POST")
+              return `${sessionPath}/commands/respond`;
+            if (action === "extension-ui/respond" && req.method === "POST")
+              return `${sessionPath}/extension-ui/respond`;
+            if (action === "abort" && req.method === "POST")
+              return `${sessionPath}/abort`;
+            return null;
+          })();
+          if (!daemonPath)
+            return deps.notFound();
+          const proxied = await proxyRunPiHttp(state.projectRoot, runId, { method: req.method, daemonPath, body });
+          return deps.jsonResponse(proxied.payload, proxied.status);
+        }
         const runSteeringAckMatch = url.pathname.match(/^\/api\/runs\/([^/]+)\/steering\/ack$/);
         if (runSteeringAckMatch && req.method === "POST") {
           const runId = decodeURIComponent(runSteeringAckMatch[1]);
@@ -8995,7 +9217,7 @@ import {
   RemoteWsClient as RemoteWsClient2
 } from "@rig/runtime/control-plane/remote";
 import { deleteRunState } from "@rig/runtime/control-plane/native/run-ops";
-import { readAuthorityRun as readAuthorityRun7 } from "@rig/runtime/control-plane/authority-files";
+import { readAuthorityRun as readAuthorityRun8 } from "@rig/runtime/control-plane/authority-files";
 function redactRemoteEndpoint2(endpoint) {
   const { token, ...rest } = endpoint;
   return {
@@ -9209,7 +9431,7 @@ async function routeWebSocketRequest(state, deps, request) {
         if (!runId || !messageId || text === null) {
           throw new Error("runId, messageId, and text are required");
         }
-        const run = readAuthorityRun7(state.projectRoot, runId);
+        const run = readAuthorityRun8(state.projectRoot, runId);
         if (!run) {
           throw new Error(`Run not found: ${runId}`);
         }
@@ -12170,7 +12392,7 @@ import {
 } from "@rig/runtime/control-plane/native/run-ops";
 import {
   listAuthorityRuns as listAuthorityRuns6,
-  readAuthorityRun as readAuthorityRun8
+  readAuthorityRun as readAuthorityRun9
 } from "@rig/runtime/control-plane/authority-files";
 function providerFromRuntimeAdapter(runtimeAdapter) {
   if (!runtimeAdapter) {
@@ -12250,7 +12472,7 @@ function discoverInspectorRuns(options) {
     discovered.set(surface.runId, existing);
   };
   for (const authorityEntry of listAuthorityRuns6(options.projectRoot)) {
-    const run = readAuthorityRun8(options.projectRoot, authorityEntry.runId);
+    const run = readAuthorityRun9(options.projectRoot, authorityEntry.runId);
     if (!run) {
       continue;
     }
@@ -14250,6 +14472,26 @@ function startPoller(state, pollMs) {
     }
   }, pollMs);
 }
+function attachPiSessionProxySocket(ws) {
+  if (ws.data.kind !== "pi-session-proxy")
+    return;
+  const upstream = new WebSocket(ws.data.upstreamUrl);
+  ws.__rigPiUpstream = upstream;
+  upstream.addEventListener("message", (event) => {
+    if (ws.readyState === 1)
+      ws.send(typeof event.data === "string" ? event.data : event.data);
+  });
+  upstream.addEventListener("close", () => {
+    try {
+      ws.close();
+    } catch {}
+  });
+  upstream.addEventListener("error", () => {
+    try {
+      ws.close(1011, "Upstream Pi session stream failed");
+    } catch {}
+  });
+}
 async function createRigServer(options, projectRoot = resolveProjectRoot()) {
   const state = await createRigServerState(projectRoot, options.eventType, options.authToken, {
     upstreamSyncMs: options.upstreamSyncMs,
@@ -14262,10 +14504,20 @@ async function createRigServer(options, projectRoot = resolveProjectRoot()) {
     fetch: (req, server2) => createRigServerFetch2(state)(req, server2),
     websocket: {
       open(ws) {
+        if (ws.data.kind === "pi-session-proxy") {
+          attachPiSessionProxySocket(ws);
+          return;
+        }
         state.sockets.add(ws);
         sendWebSocketResponse(ws, buildServerWelcomePush(state.projectRoot));
       },
       async message(ws, raw) {
+        if (ws.data.kind === "pi-session-proxy") {
+          const upstream = ws.__rigPiUpstream;
+          if (upstream?.readyState === WebSocket.OPEN)
+            upstream.send(raw);
+          return;
+        }
         const request = parseWebSocketRequestEnvelope(typeof raw === "string" ? raw : Buffer.from(raw).toString("utf8"));
         if (!request) {
           sendWebSocketResponse(ws, {
@@ -14288,6 +14540,10 @@ async function createRigServer(options, projectRoot = resolveProjectRoot()) {
         }
       },
       close(ws) {
+        if (ws.data.kind === "pi-session-proxy") {
+          ws.__rigPiUpstream?.close();
+          return;
+        }
         state.sockets.delete(ws);
       }
     }