@h-rig/server 0.0.6-alpha.3 → 0.0.6-alpha.31

package/dist/src/server.js

@@ -1,11 +1,12 @@
+#!/usr/bin/env bun
 // @bun
 var __require = import.meta.require;
 
 // packages/server/src/server.ts
 import { spawn as spawn5 } from "child_process";
-import { existsSync as existsSync17, readdirSync as readdirSync5, readFileSync as readFileSync12, statSync as statSync6 } from "fs";
+import { existsSync as existsSync19, readdirSync as readdirSync5, readFileSync as readFileSync14, statSync as statSync6 } from "fs";
 import { open } from "fs/promises";
-import { dirname as dirname17, resolve as resolve22 } from "path";
+import { dirname as dirname20, resolve as resolve24 } from "path";
 import {
   listAuthorityArtifactRoots,
   listAuthorityRuns as listAuthorityRuns7,
@@ -1023,14 +1024,29 @@ function summarizeUsefulRunError(projectRoot, runId, fallback) {
   const nonGeneric = errorLines.at(-1);
   return nonGeneric ?? (typeof fallback === "string" ? fallback : null);
 }
+function readRunPiSessionMetadata(projectRoot, runId) {
+  const run = readAuthorityRun(projectRoot, runId);
+  const metadata = run?.piSessionPrivate;
+  if (!metadata || typeof metadata !== "object" || Array.isArray(metadata))
+    return null;
+  const record = metadata;
+  const publicMetadata = record.public;
+  const daemonConnection = record.daemonConnection;
+  if (!publicMetadata || typeof publicMetadata !== "object" || Array.isArray(publicMetadata))
+    return null;
+  if (!daemonConnection || typeof daemonConnection !== "object" || Array.isArray(daemonConnection))
+    return null;
+  return metadata;
+}
 function readRunDetails(projectRoot, runId) {
   const run = readAuthorityRun(projectRoot, runId);
   if (!run) {
     return null;
   }
   const usefulErrorText = isGenericRunFailure(run.errorText) ? summarizeUsefulRunError(projectRoot, runId, run.errorText) : null;
+  const { piSessionPrivate: _piSessionPrivate, ...publicRun } = run;
   return {
-    run: usefulErrorText ? { ...run, errorText: usefulErrorText } : run,
+    run: usefulErrorText ? { ...publicRun, errorText: usefulErrorText } : publicRun,
     timeline: readJsonlFile(resolve4(resolveAuthorityRunDir(projectRoot, runId), "timeline.jsonl")),
     approvals: readApprovals(projectRoot, { runId }),
     userInputs: readUserInputs(projectRoot, { runId })
@@ -1073,6 +1089,18 @@ function readJsonlFileTail(path, options) {
   const completeLines = start > 0 ? lines.slice(1) : lines;
   return parseJsonlRecords(completeLines.filter(Boolean).slice(-limit));
 }
+async function readRunTimelinePage(projectRoot, runId, options = {}) {
+  const limit = Math.max(1, Math.min(Math.trunc(options.limit ?? 200), 500));
+  const cursor = options.cursor == null ? 0 : Number.parseInt(options.cursor, 10);
+  const entries = readJsonlFile(runTimelinePath(projectRoot, runId)).filter((entry) => Boolean(entry && typeof entry === "object" && !Array.isArray(entry)));
+  const startInclusive = Number.isFinite(cursor) ? Math.max(0, Math.min(cursor, entries.length)) : 0;
+  const endExclusive = Math.min(entries.length, startInclusive + limit);
+  return {
+    entries: entries.slice(startInclusive, endExclusive).map((entry, offset) => ({ ...entry, cursor: startInclusive + offset + 1 })),
+    nextCursor: String(endExclusive),
+    hasMore: endExclusive < entries.length
+  };
+}
 var INITIAL_RUN_LOG_TAIL_MAX_BYTES = 8 * 1024 * 1024;
 async function readRunLogsPage(projectRoot, runId, options = {}) {
   const limit = Math.max(1, Math.min(Math.trunc(options.limit ?? 200), 500));
@@ -2312,7 +2340,6 @@ function createGitHubTaskReconciler(input) {
 }
 
 // packages/server/src/server-helpers/issue-analysis.ts
-import { execFile } from "child_process";
 import { createHash } from "crypto";
 function stableIssueHash(issue) {
   const labels = Array.isArray(issue.labels) ? [...issue.labels].map(String).sort() : [];
@@ -2446,16 +2473,33 @@ function parseIssueAnalysisResult(raw) {
   return result;
 }
 function createDefaultPiIssueAnalysisCommandRunner() {
-  return (command, args, options) => new Promise((resolve11) => {
-    execFile(command, [...args], {
-      timeout: options.timeoutMs,
-      maxBuffer: 10 * 1024 * 1024,
-      env: options.env ? { ...process.env, ...options.env } : process.env
-    }, (error, stdout, stderr) => {
-      const exitCode = typeof error?.code === "number" ? error.code : error ? 1 : 0;
-      resolve11({ exitCode, stdout: String(stdout ?? ""), stderr: String(stderr ?? "") });
+  return async (command, args, options) => {
+    const env = options.env ? { ...process.env, ...options.env } : process.env;
+    const proc = Bun.spawn([command, ...args], {
+      stdout: "pipe",
+      stderr: "pipe",
+      env
     });
-  });
+    let timedOut = false;
+    const timer = setTimeout(() => {
+      timedOut = true;
+      proc.kill();
+    }, options.timeoutMs);
+    try {
+      const [stdout, stderr, exitCode] = await Promise.all([
+        new Response(proc.stdout).text(),
+        new Response(proc.stderr).text(),
+        proc.exited
+      ]);
+      return {
+        exitCode: timedOut && exitCode === 0 ? 1 : exitCode,
+        stdout,
+        stderr: timedOut && stderr.trim().length === 0 ? `Pi issue analysis timed out after ${options.timeoutMs}ms` : stderr
+      };
+    } finally {
+      clearTimeout(timer);
+    }
+  };
 }
 function createPiIssueAnalyzer(input = {}) {
   const piBinary = input.piBinary ?? process.env.RIG_ISSUE_ANALYSIS_PI_BINARY ?? "pi";
@@ -2709,13 +2753,18 @@ function patchRunRecord(projectRoot, runId, patch) {
   writeJsonFile2(resolve11(resolveAuthorityRunDir2(projectRoot, runId), "run.json"), next);
   return next;
 }
+function patchRunPiSessionMetadata(projectRoot, runId, metadata) {
+  return patchRunRecord(projectRoot, runId, {
+    piSession: metadata?.public ?? null,
+    piSessionPrivate: metadata
+  });
+}
 function buildRunStartPatch(startedAt) {
   return {
     status: "preparing",
     startedAt,
     completedAt: null,
-    errorText: null,
-    serverPid: process.pid
+    errorText: null
   };
 }
 
@@ -3184,7 +3233,7 @@ function applyOrchestrationCommand(state, command) {
 import { spawn as spawn3 } from "child_process";
 import { loadConfig } from "@rig/core/load-config";
 import { existsSync as existsSync7, mkdirSync as mkdirSync7, readFileSync as readFileSync4, statSync as statSync5, writeFileSync as writeFileSync6 } from "fs";
-import { dirname as dirname8, relative as relative2, resolve as resolve14 } from "path";
+import { dirname as dirname9, relative as relative2, resolve as resolve14 } from "path";
 import {
   listAuthorityRuns as listAuthorityRuns4,
   readAuthorityRun as readAuthorityRun4,
@@ -3197,6 +3246,11 @@ import {
   buildTaskRunLifecycleComment,
   updateConfiguredTaskSourceTask
 } from "@rig/runtime/control-plane/tasks/source-lifecycle";
+import {
+  closeIssueAfterMergedPr,
+  commitRunChanges,
+  runPrAutomation
+} from "@rig/runtime/control-plane/native/pr-automation";
 
 // packages/server/src/scheduler.ts
 import { normalizeTaskLifecycleStatus } from "@rig/runtime/control-plane/state-sync/types";
@@ -3308,8 +3362,8 @@ function summarizeRunValidationFailure(projectRoot, run) {
 
 // packages/server/src/server-helpers/github-auth-store.ts
 import { randomBytes } from "crypto";
-import { chmodSync, existsSync as existsSync6, mkdirSync as mkdirSync6, readFileSync as readFileSync3, writeFileSync as writeFileSync5 } from "fs";
-import { resolve as resolve13 } from "path";
+import { chmodSync, copyFileSync, existsSync as existsSync6, mkdirSync as mkdirSync6, readFileSync as readFileSync3, writeFileSync as writeFileSync5 } from "fs";
+import { dirname as dirname8, resolve as resolve13 } from "path";
 function cleanString(value) {
   return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
 }
@@ -3339,6 +3393,26 @@ function parseApiSessions(value) {
     }];
   });
 }
+function parsePendingDevice(value) {
+  if (!value || typeof value !== "object")
+    return null;
+  const record = value;
+  const pollId = cleanString(record.pollId);
+  const deviceCode = cleanString(record.deviceCode);
+  const expiresAt = cleanString(record.expiresAt);
+  const intervalSeconds = typeof record.intervalSeconds === "number" && Number.isFinite(record.intervalSeconds) ? Math.max(1, Math.floor(record.intervalSeconds)) : null;
+  if (!pollId || !deviceCode || !expiresAt || !intervalSeconds)
+    return null;
+  return { pollId, deviceCode, expiresAt, intervalSeconds };
+}
+function parsePendingDevices(value) {
+  if (!Array.isArray(value))
+    return [];
+  return value.flatMap((entry) => {
+    const pending = parsePendingDevice(entry);
+    return pending ? [pending] : [];
+  });
+}
 function readStoredAuth(stateFile) {
   if (!existsSync6(stateFile))
     return {};
@@ -3352,6 +3426,7 @@ function readStoredAuth(stateFile) {
       selectedRepo: cleanString(parsed.selectedRepo),
       tokenSource: parsed.tokenSource === "oauth-device" || parsed.tokenSource === "manual-token" || parsed.tokenSource === "env" ? parsed.tokenSource : undefined,
       pendingDevice: parsePendingDevice(parsed.pendingDevice),
+      pendingDevices: parsePendingDevices(parsed.pendingDevices),
       apiSessions: parseApiSessions(parsed.apiSessions),
       updatedAt: cleanString(parsed.updatedAt) ?? undefined
     };
@@ -3359,34 +3434,36 @@ function readStoredAuth(stateFile) {
     return {};
   }
 }
-function parsePendingDevice(value) {
-  if (!value || typeof value !== "object")
-    return null;
-  const record = value;
-  const pollId = cleanString(record.pollId);
-  const deviceCode = cleanString(record.deviceCode);
-  const expiresAt = cleanString(record.expiresAt);
-  const intervalSeconds = typeof record.intervalSeconds === "number" && Number.isFinite(record.intervalSeconds) ? Math.max(1, Math.floor(record.intervalSeconds)) : null;
-  if (!pollId || !deviceCode || !expiresAt || !intervalSeconds)
-    return null;
-  return { pollId, deviceCode, expiresAt, intervalSeconds };
-}
 function newApiSessionToken() {
   return `rig_${randomBytes(32).toString("base64url")}`;
 }
 function writeStoredAuth(stateFile, payload) {
-  mkdirSync6(resolve13(stateFile, ".."), { recursive: true });
+  mkdirSync6(dirname8(stateFile), { recursive: true });
   writeFileSync5(stateFile, `${JSON.stringify(payload, null, 2)}
 `, { encoding: "utf8", mode: 384 });
   try {
     chmodSync(stateFile, 384);
   } catch {}
 }
+function localProjectAuthStateFile(projectRoot) {
+  return resolve13(projectRoot, ".rig", "state", "github-auth.json");
+}
 function resolveGitHubAuthStateFile(projectRoot) {
   return resolve13(resolveServerAuthorityPaths(projectRoot).stateDir, "github-auth.json");
 }
-function createGitHubAuthStore(projectRoot) {
-  const stateFile = resolveGitHubAuthStateFile(projectRoot);
+function copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot) {
+  const targetFile = localProjectAuthStateFile(projectRoot);
+  mkdirSync6(dirname8(targetFile), { recursive: true });
+  if (existsSync6(stateFile)) {
+    copyFileSync(stateFile, targetFile);
+    try {
+      chmodSync(targetFile, 384);
+    } catch {}
+    return;
+  }
+  writeStoredAuth(targetFile, {});
+}
+function createGitHubAuthStoreFromStateFile(stateFile) {
   return {
     stateFile,
     status(options) {
@@ -3416,6 +3493,7 @@ function createGitHubAuthStore(projectRoot) {
         scopes: input.scopes ?? [],
         selectedRepo: input.selectedRepo ?? previous.selectedRepo ?? null,
         pendingDevice: null,
+        pendingDevices: [],
         apiSessions: previous.apiSessions ?? [],
         updatedAt: new Date().toISOString()
       });
@@ -3444,15 +3522,24 @@ function createGitHubAuthStore(projectRoot) {
       const session = (previous.apiSessions ?? []).find((candidate) => candidate.token === clean);
       return session ? { login: cleanString(session.login), userId: cleanString(session.userId) } : null;
     },
-    copyToProjectRoot(projectRoot2) {
-      const targetFile = resolveGitHubAuthStateFile(projectRoot2);
+    copyToProjectRoot(projectRoot) {
+      const targetFile = resolveGitHubAuthStateFile(projectRoot);
       writeStoredAuth(targetFile, readStoredAuth(stateFile));
     },
+    copyToLocalProjectRoot(projectRoot) {
+      copyGitHubAuthStateToLocalProjectRoot(stateFile, projectRoot);
+    },
     savePendingDevice(input) {
       const previous = readStoredAuth(stateFile);
+      const pendingDevices = [
+        ...previous.pendingDevice ? [previous.pendingDevice] : [],
+        ...previous.pendingDevices ?? [],
+        input
+      ].filter((entry, index, entries) => entries.findIndex((candidate) => candidate.pollId === entry.pollId) === index);
       writeStoredAuth(stateFile, {
         ...previous,
-        pendingDevice: input,
+        pendingDevice: null,
+        pendingDevices,
         updatedAt: new Date().toISOString()
       });
     },
@@ -3465,23 +3552,32 @@ function createGitHubAuthStore(projectRoot) {
       });
     },
     readPendingDevice(pollId) {
-      const pending = readStoredAuth(stateFile).pendingDevice ?? null;
-      if (!pending || pending.pollId !== pollId)
+      const previous = readStoredAuth(stateFile);
+      const pending = [
+        ...previous.pendingDevice ? [previous.pendingDevice] : [],
+        ...previous.pendingDevices ?? []
+      ].find((entry) => entry.pollId === pollId) ?? null;
+      if (!pending)
         return null;
       if (Date.parse(pending.expiresAt) <= Date.now())
         return null;
       return pending;
     },
-    clearPendingDevice() {
+    clearPendingDevice(pollId) {
       const previous = readStoredAuth(stateFile);
+      const remaining = pollId ? (previous.pendingDevices ?? []).filter((entry) => entry.pollId !== pollId) : [];
       writeStoredAuth(stateFile, {
         ...previous,
         pendingDevice: null,
+        pendingDevices: remaining,
         updatedAt: new Date().toISOString()
       });
     }
   };
 }
+function createGitHubAuthStore(projectRoot) {
+  return createGitHubAuthStoreFromStateFile(resolveGitHubAuthStateFile(projectRoot));
+}
 
 // packages/server/src/server-helpers/github-projects.ts
 function asRecord(value) {
@@ -3490,6 +3586,9 @@ function asRecord(value) {
 function asString(value) {
   return typeof value === "string" && value.trim().length > 0 ? value : undefined;
 }
+function asNumber(value) {
+  return typeof value === "number" && Number.isFinite(value) ? value : undefined;
+}
 async function defaultGraphQLFetch(query, variables, token) {
   const response = await fetch("https://api.github.com/graphql", {
     method: "POST",
@@ -3506,6 +3605,32 @@ async function defaultGraphQLFetch(query, variables, token) {
   }
   return json.data;
 }
+function projectNodesFrom(data) {
+  const root = asRecord(data);
+  const owner = asRecord(root?.organization) ?? asRecord(root?.user);
+  const projects = asRecord(owner?.projectsV2);
+  const nodes = projects?.nodes;
+  return Array.isArray(nodes) ? nodes : [];
+}
+async function listGitHubProjects(input) {
+  const query = `
+    query RigListProjects($owner: String!, $first: Int!) {
+      organization(login: $owner) { projectsV2(first: $first, orderBy: { field: UPDATED_AT, direction: DESC }) { nodes { id number title url } } }
+      user(login: $owner) { projectsV2(first: $first, orderBy: { field: UPDATED_AT, direction: DESC }) { nodes { id number title url } } }
+    }
+  `;
+  const fetchGraphQL = input.fetchGraphQL ?? defaultGraphQLFetch;
+  const data = await fetchGraphQL(query, { owner: input.owner, first: input.first ?? 20 }, input.token);
+  return projectNodesFrom(data).flatMap((node) => {
+    const record = asRecord(node);
+    const id = asString(record?.id);
+    const number = asNumber(record?.number);
+    const title = asString(record?.title);
+    if (!id || number === undefined || !title)
+      return [];
+    return [{ id, number, title, ...asString(record?.url) ? { url: asString(record?.url) } : {} }];
+  });
+}
 async function resolveProjectStatusField(input) {
   const query = `
     query RigProjectStatusField($projectId: ID!) {
@@ -3600,6 +3725,7 @@ var DEFAULT_PROJECT_STATUSES = {
   running: "In Progress",
   prOpen: "In Review",
   ciFixing: "In Review",
+  merging: "Merging",
   done: "Done",
   needsAttention: "Needs Attention"
 };
@@ -3613,6 +3739,8 @@ function lifecycleStatusForTaskStatus(status) {
     return "prOpen";
   if (normalized === "ci_fixing" || normalized === "fixing")
     return "ciFixing";
+  if (normalized === "merging" || normalized === "merge")
+    return "merging";
   if (normalized === "failed" || normalized === "needs_attention" || normalized === "blocked")
     return "needsAttention";
   if (normalized === "in_progress" || normalized === "running" || normalized === "ready" || normalized === "open")
@@ -3741,9 +3869,14 @@ function parseIssueRef(sourceTask, fallbackTaskId) {
     return null;
   return null;
 }
+function githubProjectsEnabled(config) {
+  const github = config?.github && typeof config.github === "object" && !Array.isArray(config.github) ? config.github : null;
+  const projects = github?.projects && typeof github.projects === "object" && !Array.isArray(github.projects) ? github.projects : null;
+  return projects?.enabled === true;
+}
 async function syncProjectStatusForRunLifecycle(projectRoot, run, status, config) {
   if (!run.taskId)
-    return;
+    return false;
   const issueNodeId = extractGitHubIssueNodeId(runSourceTaskIdentity(run));
   try {
     const result = await syncGitHubProjectStatusForTaskUpdate({
@@ -3754,28 +3887,86 @@ async function syncProjectStatusForRunLifecycle(projectRoot, run, status, config
       config
     });
     if (!result.synced && result.reason !== "project-sync-disabled") {
+      const detail = `Project status sync for ${run.taskId} could not run: ${result.reason}.`;
       appendRunLogEntry(projectRoot, run.runId, {
         id: `log:${run.runId}:github-project-sync:${status}`,
         title: "GitHub Project sync skipped",
-        detail: `Project status sync for ${run.taskId} could not run: ${result.reason}.`,
+        detail,
         tone: "warn",
         status: "running",
         createdAt: new Date().toISOString(),
         payload: { reason: result.reason, issueNodeId }
       });
+      if (githubProjectsEnabled(config)) {
+        throw new Error(detail);
+      }
+      return false;
     }
+    return result.synced === true;
   } catch (error) {
+    const detail = error instanceof Error ? error.message : String(error);
     appendRunLogEntry(projectRoot, run.runId, {
       id: `log:${run.runId}:github-project-sync-error:${status}`,
       title: "GitHub Project sync failed",
-      detail: error instanceof Error ? error.message : String(error),
+      detail,
       tone: "error",
       status: "running",
       createdAt: new Date().toISOString(),
       payload: { issueNodeId }
     });
+    if (githubProjectsEnabled(config)) {
+      throw new Error(detail);
+    }
+    return false;
   }
 }
+function createCommandRunner(binary, extraEnv = {}) {
+  return async (args, options) => {
+    const child = spawn3(binary, [...args], {
+      cwd: options?.cwd,
+      env: { ...process.env, ...extraEnv },
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+    const stdoutChunks = [];
+    const stderrChunks = [];
+    child.stdout?.on("data", (chunk) => stdoutChunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(String(chunk))));
+    child.stderr?.on("data", (chunk) => stderrChunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(String(chunk))));
+    const exitCode = await new Promise((resolve15) => {
+      child.once("error", () => resolve15(1));
+      child.once("close", (code) => resolve15(code ?? 1));
+    });
+    return {
+      exitCode,
+      stdout: Buffer.concat(stdoutChunks).toString("utf8"),
+      stderr: Buffer.concat(stderrChunks).toString("utf8")
+    };
+  };
+}
+function closeoutRecord(run) {
+  const value = run.serverCloseout;
+  return value && typeof value === "object" && !Array.isArray(value) ? value : null;
+}
+function closeoutPhasePatch(phase, status, extra = {}) {
+  const updatedAt = new Date().toISOString();
+  return {
+    serverCloseout: {
+      ...extra,
+      phase,
+      status,
+      updatedAt
+    }
+  };
+}
+function appendCloseoutStage(state, runId, phase, detail, status = "reviewing", tone = "info") {
+  appendRunLogEntryAndBroadcast(state, runId, {
+    id: `log:${runId}:server-closeout:${phase}:${Date.now()}`,
+    title: `Server closeout: ${phase}`,
+    detail,
+    tone,
+    status,
+    createdAt: new Date().toISOString()
+  }, `server-closeout-${phase}`);
+}
 async function autoAssignRunIssue(projectRoot, run) {
   if (!run.taskId)
     return;
@@ -3805,7 +3996,7 @@ async function updateRunTaskSourceLifecycle(projectRoot, run, status, summary, o
     return;
   }
   const config = await loadRigLifecycleConfig(projectRoot);
-  await syncProjectStatusForRunLifecycle(projectRoot, run, status, config);
+  const projectSynced = await syncProjectStatusForRunLifecycle(projectRoot, run, status, config);
   if (status === "in_progress") {
     await autoAssignRunIssue(projectRoot, run);
   }
@@ -3821,24 +4012,53 @@ async function updateRunTaskSourceLifecycle(projectRoot, run, status, summary, o
     });
     return;
   }
-  const result = await updateConfiguredTaskSourceTask(projectRoot, {
-    taskId: run.taskId,
-    sourceTask: runSourceTaskIdentity(run),
-    update: {
-      status,
-      comment: buildTaskRunLifecycleComment({
-        runId: run.runId,
+  const sourceTask = runSourceTaskIdentity(run);
+  const previousStatus = normalizeString(sourceTask?.status) ?? normalizeString(sourceTask?.sourceStatus);
+  const rollbackProjectSync = async () => {
+    if (!projectSynced || !previousStatus || !run.taskId || !githubProjectsEnabled(config))
+      return;
+    await syncGitHubProjectStatusForTaskUpdate({
+      taskId: run.taskId,
+      status: previousStatus,
+      issueNodeId: extractGitHubIssueNodeId(sourceTask),
+      token: createGitHubAuthStore(projectRoot).readToken(),
+      config
+    }).catch((rollbackError) => {
+      appendRunLogEntry(projectRoot, run.runId, {
+        id: `log:${run.runId}:github-project-sync-rollback:${status}`,
+        title: "GitHub Project sync rollback failed",
+        detail: rollbackError instanceof Error ? rollbackError.message : String(rollbackError),
+        tone: "error",
+        status: "running",
+        createdAt: new Date().toISOString()
+      });
+    });
+  };
+  let result;
+  try {
+    result = await updateConfiguredTaskSourceTask(projectRoot, {
+      taskId: run.taskId,
+      sourceTask,
+      update: {
         status,
-        summary,
-        runtimeWorkspace: normalizeString(run.worktreePath),
-        logsDir: normalizeString(run.logRoot),
-        sessionDir: normalizeString(run.sessionPath),
-        errorText: options.errorText ?? normalizeString(run.errorText)
-      })
-    }
-  });
+        comment: buildTaskRunLifecycleComment({
+          runId: run.runId,
+          status,
+          summary,
+          runtimeWorkspace: normalizeString(run.worktreePath),
+          logsDir: normalizeString(run.logRoot),
+          sessionDir: normalizeString(run.sessionPath),
+          errorText: options.errorText ?? normalizeString(run.errorText)
+        })
+      }
+    });
+  } catch (error) {
+    await rollbackProjectSync();
+    throw error;
+  }
   if (!result.updated) {
     if (result.source === "plugin" || result.sourceKind) {
+      await rollbackProjectSync();
       throw new Error(`Configured task source${result.sourceKind ? ` (${result.sourceKind})` : ""} did not accept lifecycle update for ${result.taskId}.`);
     }
     appendRunLogEntry(projectRoot, run.runId, {
@@ -3851,6 +4071,277 @@ async function updateRunTaskSourceLifecycle(projectRoot, run, status, summary, o
     });
   }
 }
+async function markServerOwnedCloseoutFailed(state, runId, error) {
+  const detail = error instanceof Error ? error.message : String(error);
+  const current = readAuthorityRun4(state.projectRoot, runId);
+  patchRunRecord(state.projectRoot, runId, {
+    status: "failed",
+    completedAt: new Date().toISOString(),
+    errorText: detail,
+    ...closeoutPhasePatch("failed", "failed", { error: detail })
+  });
+  appendRunLogEntryAndBroadcast(state, runId, {
+    id: `log:${runId}:server-closeout-failed`,
+    title: "Server-owned closeout failed",
+    detail,
+    tone: "error",
+    status: "failed",
+    createdAt: new Date().toISOString()
+  }, "server-closeout-failed");
+  if (current?.taskId) {
+    await updateRunTaskSourceLifecycle(state.projectRoot, { ...current, status: "failed", errorText: detail }, "failed", "Rig server-owned closeout failed.", { errorText: detail }).catch((sourceError) => {
+      appendRunLogEntry(state.projectRoot, runId, {
+        id: `log:${runId}:task-source-closeout-failed-update`,
+        title: "Task source closeout failure update failed",
+        detail: sourceError instanceof Error ? sourceError.message : String(sourceError),
+        tone: "error",
+        status: "failed",
+        createdAt: new Date().toISOString()
+      });
+    });
+  }
+}
+function scheduleServerOwnedPrCloseout(state, runId, reason) {
+  const startedAt = new Date().toISOString();
+  state.runProcesses.set(runId, {
+    runId,
+    child: null,
+    startedAt,
+    stopped: false
+  });
+  queueMicrotask(() => {
+    withServerAuthorityEnvIfNeeded(state.projectRoot, async () => {
+      try {
+        await runServerOwnedPrCloseout(state, runId);
+      } catch (error) {
+        await markServerOwnedCloseoutFailed(state, runId, error);
+      } finally {
+        state.runProcesses.delete(runId);
+        broadcastSnapshotInvalidation(state, `server-closeout-${reason}-terminal`);
+        await reconcileScheduler(state, `server-closeout-${reason}-terminal`);
+      }
+    });
+  });
+}
+async function runServerOwnedPrCloseout(state, runId) {
+  const run = readAuthorityRun4(state.projectRoot, runId);
+  if (!run)
+    throw new Error(`Run not found: ${runId}`);
+  const closeout = closeoutRecord(run);
+  if (!closeout)
+    return;
+  const taskId = normalizeString(closeout.taskId) ?? normalizeString(run.taskId);
+  if (!taskId)
+    throw new Error("Server-owned closeout requires a task id.");
+  const workspace = normalizeString(closeout.runtimeWorkspace) ?? normalizeString(run.worktreePath) ?? state.projectRoot;
+  let branch = normalizeString(closeout.branch) ?? `rig/${taskId}-${runId}`;
+  const config = await loadRigLifecycleConfig(state.projectRoot);
+  const runPrMode = normalizeString(run.prMode);
+  const prMode = runPrMode === "auto" || runPrMode === "ask" || runPrMode === "off" ? runPrMode : config?.pr?.mode ?? "off";
+  const effectiveConfig = {
+    ...config ?? {},
+    pr: {
+      ...config?.pr ?? {},
+      mode: prMode,
+      autoFixChecks: false,
+      autoFixReview: false
+    }
+  };
+  const readCurrentRun = () => readAuthorityRun4(state.projectRoot, runId) ?? run;
+  const sourceTask = runSourceTaskIdentity(run);
+  const closeoutPhase = normalizeString(closeout.phase)?.toLowerCase() ?? "";
+  const closeoutStatus = normalizeString(closeout.status)?.toLowerCase() ?? "";
+  const closeoutPrUrl = normalizeString(closeout.prUrl);
+  if (closeoutPhase === "completed" || closeoutStatus === "completed") {
+    return;
+  }
+  if (closeoutPhase === "close-source" && closeoutPrUrl) {
+    patchRunRecord(state.projectRoot, runId, {
+      status: "reviewing",
+      ...closeoutPhasePatch("close-source", "running", { ...closeout, prUrl: closeoutPrUrl, taskId, runtimeWorkspace: workspace, branch })
+    });
+    await closeIssueAfterMergedPr({
+      projectRoot: state.projectRoot,
+      taskId,
+      runId,
+      prUrl: closeoutPrUrl,
+      sourceTask,
+      updateTaskSource: async (projectRoot, input) => {
+        await updateRunTaskSourceLifecycle(projectRoot, readCurrentRun(), "closed", "Rig merged the pull request and closed this task source.");
+        return { updated: true, taskId: input.taskId, status: input.update.status, source: "server", sourceKind: "server" };
+      }
+    });
+    const completedAt = new Date().toISOString();
+    patchRunRecord(state.projectRoot, runId, {
+      status: "completed",
+      completedAt,
+      errorText: null,
+      ...closeoutPhasePatch("completed", "completed", { ...closeout, prUrl: closeoutPrUrl, iterations: closeout.iterations, completedAt })
+    });
+    appendCloseoutStage(state, runId, "completed", `PR merged and issue closed: ${closeoutPrUrl}`, "completed", "info");
+    emitRigEvent(state, {
+      type: "rig.run.completed",
+      aggregateId: runId,
+      payload: { runId, taskId, prUrl: closeoutPrUrl, closeout: "merged" },
+      createdAt: completedAt
+    });
+    return;
+  }
+  if (prMode === "off" || prMode === "ask") {
+    const completedAt = new Date().toISOString();
+    patchRunRecord(state.projectRoot, runId, {
+      status: "completed",
+      completedAt,
+      errorText: null,
+      ...closeoutPhasePatch("completed", "completed", { taskId, runtimeWorkspace: workspace, branch, reason: prMode === "ask" ? "pr-mode-ask" : "pr-mode-off" })
+    });
+    appendCloseoutStage(state, runId, "completed", prMode === "ask" ? "Validation completed; PR creation awaits operator approval." : "Validation completed; PR automation disabled.", "completed", "info");
+    emitRigEvent(state, {
+      type: "rig.run.completed",
+      aggregateId: runId,
+      payload: { runId, taskId, closeout: "skipped", reason: prMode === "ask" ? "pr-mode-ask" : "pr-mode-off" },
+      createdAt: completedAt
+    });
+    return;
+  }
+  const githubToken = createGitHubAuthStore(state.projectRoot).readToken();
+  const githubEnv = githubToken ? { RIG_GITHUB_TOKEN: githubToken, GITHUB_TOKEN: githubToken, GH_TOKEN: githubToken } : {};
+  const gitCommand = createCommandRunner("git", githubEnv);
+  const ghCommand = createCommandRunner("gh", githubEnv);
+  const workspaceBranch = await gitCommand(["rev-parse", "--abbrev-ref", "HEAD"], { cwd: workspace });
+  const currentWorkspaceBranch = workspaceBranch.exitCode === 0 ? normalizeString(workspaceBranch.stdout) : null;
+  if (currentWorkspaceBranch && currentWorkspaceBranch !== "HEAD" && currentWorkspaceBranch !== branch) {
+    appendCloseoutStage(state, runId, "branch", `Using runtime workspace branch ${currentWorkspaceBranch} instead of recorded branch ${branch}.`, "reviewing", "info");
+    branch = currentWorkspaceBranch;
+  }
+  const setCloseout = (phase, status, extra = {}) => {
+    const previous = closeoutRecord(readCurrentRun()) ?? closeout;
+    patchRunRecord(state.projectRoot, runId, {
+      status: status === "failed" ? "failed" : status === "needs_attention" ? "needs_attention" : "reviewing",
+      ...closeoutPhasePatch(phase, status, { ...previous, ...extra })
+    });
+  };
+  setCloseout("commit", "running", { runtimeWorkspace: workspace, branch, taskId });
+  appendCloseoutStage(state, runId, "commit", `Committing changes in ${workspace}.`, "reviewing", "tool");
+  const commit = await commitRunChanges({ cwd: workspace, message: `rig: complete task ${taskId}`, command: gitCommand });
+  appendCloseoutStage(state, runId, "commit", commit.committed ? "Committed run workspace changes." : "No workspace changes to commit.", "reviewing", "tool");
+  setCloseout("push", "running", { runtimeWorkspace: workspace, branch, taskId });
+  const push = await gitCommand(["push", "--set-upstream", "origin", branch], { cwd: workspace });
+  if (push.exitCode !== 0) {
+    throw new Error(`git push --set-upstream origin ${branch} failed (${push.exitCode}): ${push.stderr ?? push.stdout ?? ""}`.trim());
+  }
+  const sourceTaskForPr = {
+    title: normalizeString(sourceTask?.title) ?? normalizeString(run.title)
+  };
+  const artifactRoot = resolve14(state.projectRoot, "artifacts", taskId);
+  setCloseout("pr-review-merge", "running", { runtimeWorkspace: workspace, branch, taskId, artifactRoot });
+  const pr = await runPrAutomation({
+    projectRoot: workspace,
+    taskId,
+    runId,
+    branch,
+    config: effectiveConfig,
+    sourceTask: sourceTaskForPr,
+    artifactRoot,
+    command: ghCommand,
+    gitCommand,
+    steerPi: async (message) => {
+      appendCloseoutStage(state, runId, "feedback", message, "reviewing", "info");
+      appendRunTimelineEntry(state.projectRoot, runId, {
+        id: `message:${runId}:server-closeout-feedback:${Date.now()}`,
+        type: "user_message",
+        text: message,
+        createdAt: new Date().toISOString(),
+        state: "completed"
+      });
+    },
+    lifecycle: {
+      onPrOpened: async ({ prUrl }) => {
+        setCloseout("pr-opened", "running", { prUrl, runtimeWorkspace: workspace, branch, taskId, artifactRoot });
+        appendCloseoutStage(state, runId, "open-pr", prUrl, "reviewing", "tool");
+        await updateRunTaskSourceLifecycle(state.projectRoot, readCurrentRun(), "under_review", "Rig opened a pull request for this task.");
+      },
+      onReviewCiStarted: ({ prUrl, iteration }) => appendCloseoutStage(state, runId, "review-ci", `${prUrl} (iteration ${iteration})`, "reviewing", "info"),
+      onFeedback: async ({ feedback }) => {
+        appendCloseoutStage(state, runId, "feedback", feedback.join(`
+`), "reviewing", "error");
+        await updateRunTaskSourceLifecycle(state.projectRoot, readCurrentRun(), "ci_fixing", "Rig is fixing CI/review feedback for this task.");
+      },
+      onMergeStarted: async ({ prUrl }) => {
+        setCloseout("merge", "running", { prUrl, runtimeWorkspace: workspace, branch, taskId, artifactRoot });
+        appendCloseoutStage(state, runId, "merge", prUrl, "reviewing", "tool");
+        await updateRunTaskSourceLifecycle(state.projectRoot, readCurrentRun(), "merging", "Rig is merging the pull request for this task.");
+      },
+      onMerged: ({ prUrl }) => {
+        setCloseout("close-source", "running", { prUrl, runtimeWorkspace: workspace, branch, taskId, artifactRoot, merged: true });
+        appendCloseoutStage(state, runId, "merge", prUrl, "reviewing", "tool");
+      }
+    }
+  });
+  if (pr.status === "merged" && pr.prUrl) {
+    setCloseout("close-source", "running", { prUrl: pr.prUrl, iterations: pr.iterations });
+    await closeIssueAfterMergedPr({
+      projectRoot: state.projectRoot,
+      taskId,
+      runId,
+      prUrl: pr.prUrl,
+      sourceTask,
+      updateTaskSource: async (projectRoot, input) => {
+        await updateRunTaskSourceLifecycle(projectRoot, readCurrentRun(), "closed", "Rig merged the pull request and closed this task source.");
+        return { updated: true, taskId: input.taskId, status: input.update.status, source: "server", sourceKind: "server" };
+      }
+    });
+    const completedAt = new Date().toISOString();
+    patchRunRecord(state.projectRoot, runId, {
+      status: "completed",
+      completedAt,
+      errorText: null,
+      ...closeoutPhasePatch("completed", "completed", { prUrl: pr.prUrl, iterations: pr.iterations, completedAt })
+    });
+    appendCloseoutStage(state, runId, "completed", `PR merged and issue closed: ${pr.prUrl}`, "completed", "info");
+    emitRigEvent(state, {
+      type: "rig.run.completed",
+      aggregateId: runId,
+      payload: { runId, taskId, prUrl: pr.prUrl, closeout: "merged" },
+      createdAt: completedAt
+    });
+    return;
+  }
+  if (pr.status === "opened" && pr.prUrl) {
+    const completedAt = new Date().toISOString();
+    patchRunRecord(state.projectRoot, runId, {
+      status: "completed",
+      completedAt,
+      errorText: null,
+      ...closeoutPhasePatch("completed", "completed", { prUrl: pr.prUrl, iterations: pr.iterations })
+    });
+    appendCloseoutStage(state, runId, "completed", `PR ready without merge: ${pr.prUrl}`, "completed", "info");
+    emitRigEvent(state, {
+      type: "rig.run.completed",
+      aggregateId: runId,
+      payload: { runId, taskId, prUrl: pr.prUrl, closeout: "pr-ready" },
+      createdAt: completedAt
+    });
+    return;
+  }
+  const detail = pr.actionableFeedback.join(`
+`) || "PR automation did not merge the PR.";
+  await updateRunTaskSourceLifecycle(state.projectRoot, readCurrentRun(), "needs_attention", "Rig needs operator attention before this task can proceed.", { errorText: detail }).catch((error) => {
+    appendCloseoutStage(state, runId, "needs-attention-update", error instanceof Error ? error.message : String(error), "needs_attention", "error");
+  });
+  patchRunRecord(state.projectRoot, runId, {
+    status: "needs_attention",
+    completedAt: new Date().toISOString(),
+    errorText: detail,
+    ...closeoutPhasePatch("needs_attention", "needs_attention", { feedback: pr.actionableFeedback, prUrl: pr.prUrl ?? null, iterations: pr.iterations })
+  });
+  appendCloseoutStage(state, runId, "needs-attention", detail, "needs_attention", "error");
+  emitRigEvent(state, {
+    type: "rig.run.needs-attention",
+    aggregateId: runId,
+    payload: { runId, taskId, error: detail, prUrl: pr.prUrl ?? null }
+  });
+}
 var TERMINAL_RUN_STATUSES2 = new Set([
   "completed",
   "complete",
@@ -3876,11 +4367,23 @@ function assertNoActiveRunForTask(projectRoot, taskId, newRunId) {
     return;
   throw new Error(`Task ${taskId} already has an active Rig run: ${existing.runId}`);
 }
+async function resolveSourceTaskForRun(projectRoot, taskId, readTasks) {
+  const fromReader = (await readTasks(projectRoot)).find((task) => task.id === taskId) ?? null;
+  if (fromReader)
+    return fromReader;
+  const projected = readTaskProjection(projectRoot)?.tasks.find((task) => String(task.id) === taskId) ?? null;
+  if (projected)
+    return projected;
+  if (readTasks !== readWorkspaceTasks) {
+    return (await readWorkspaceTasks(projectRoot)).find((task) => task.id === taskId) ?? null;
+  }
+  return null;
+}
 async function createRunRecord(projectRoot, input, readTasks = readWorkspaceTasks) {
   if ("taskId" in input && input.taskId) {
     assertNoActiveRunForTask(projectRoot, input.taskId, input.runId);
   }
-  const sourceTask = "taskId" in input && input.taskId ? (await readTasks(projectRoot)).find((task) => task.id === input.taskId) ?? null : null;
+  const sourceTask = "taskId" in input && input.taskId ? await resolveSourceTaskForRun(projectRoot, input.taskId, readTasks) : null;
   const taskTitle = sourceTask?.title ?? ("taskId" in input && input.taskId ? input.taskId : null);
   const runDir = resolveAuthorityRunDir3(projectRoot, input.runId);
   const runRecord = {
@@ -3952,6 +4455,7 @@ async function startLocalRun(state, runId, options) {
     throw new Error(`Run not found: ${runId}`);
   }
   const startedAt = new Date().toISOString();
+  const resumeMode = options?.resume === true;
   state.runProcesses.set(runId, {
     runId,
     child: null,
@@ -3968,9 +4472,9 @@ async function startLocalRun(state, runId, options) {
     summary: run.title
   });
   appendRunLogEntry(state.projectRoot, runId, {
-    id: `log:${runId}:prepare`,
-    title: "Rig task run starting",
-    detail: run.taskId ?? run.title,
+    id: `log:${runId}:${resumeMode ? "resume" : "prepare"}`,
+    title: resumeMode ? "Rig task run resuming" : "Rig task run starting",
+    detail: resumeMode ? `Resuming ${run.taskId ?? run.title ?? runId} after server restart or operator resume.` : run.taskId ?? run.title,
     tone: "info",
     status: "preparing",
     createdAt: startedAt
@@ -4046,12 +4550,17 @@ async function startLocalRun(state, runId, options) {
           RIG_HOST_PROJECT_ROOT: cliProjectRoot,
           RIG_RUNTIME_BASE_REF: process.env.RIG_RUNTIME_BASE_REF ?? "HEAD",
           RIG_SERVER_INTERNAL_EXEC: "1",
+          RIG_SERVER_OWNS_CLOSEOUT: "1",
           ...serverUrl ? { RIG_SERVER_URL: serverUrl } : {},
           ...bridgeAuthToken ? { RIG_AUTH_TOKEN: bridgeAuthToken } : {},
           ...bridgeGitHubToken ? {
             RIG_GITHUB_TOKEN: bridgeGitHubToken,
             GITHUB_TOKEN: bridgeGitHubToken,
             GH_TOKEN: bridgeGitHubToken
+          } : {},
+          ...resumeMode ? {
+            RIG_RUN_RESUME: "1",
+            RIG_RUNTIME_ARTIFACT_CLEANUP: "preserve"
           } : {}
         },
         stdio: ["ignore", "pipe", "pipe"]
@@ -4075,6 +4584,25 @@ async function startLocalRun(state, runId, options) {
             broadcastSnapshotInvalidation(state);
             continue;
           }
+          if (line.startsWith("__RIG_WRAPPER_EVENT__")) {
+            try {
+              const wrapperEvent = JSON.parse(line.slice("__RIG_WRAPPER_EVENT__".length));
+              const eventType = normalizeString(wrapperEvent.type);
+              const payload = wrapperEvent.payload && typeof wrapperEvent.payload === "object" && !Array.isArray(wrapperEvent.payload) ? wrapperEvent.payload : {};
+              if (eventType === "pi.session.ready" && payload.privateMetadata && typeof payload.privateMetadata === "object" && !Array.isArray(payload.privateMetadata)) {
+                patchRunPiSessionMetadata(state.projectRoot, runId, payload.privateMetadata);
+              }
+              appendRunTimelineEntry(state.projectRoot, runId, {
+                id: `timeline:${runId}:${Date.now()}:wrapper:${eventType ?? "event"}`,
+                type: "wrapper-event",
+                eventType,
+                payload,
+                createdAt: normalizeString(wrapperEvent.at) ?? new Date().toISOString()
+              });
+            } catch {}
+            broadcastSnapshotInvalidation(state, "wrapper-event");
+            continue;
+          }
           appendRunLogEntryAndBroadcast(state, runId, {
             id: `log:${runId}:${Date.now()}`,
             title,
@@ -4103,7 +4631,13 @@ async function startLocalRun(state, runId, options) {
         if (!current) {
           return;
         }
-        if (exit.code !== 0 && current.status !== "completed" && current.status !== "stopped") {
+        if (closeoutRecord(current)?.status === "pending") {
+          try {
+            await runServerOwnedPrCloseout(state, runId);
+          } catch (closeoutError) {
+            await markServerOwnedCloseoutFailed(state, runId, closeoutError);
+          }
+        } else if (exit.code !== 0 && current.status !== "completed" && current.status !== "stopped") {
           const completedAt = current.completedAt ?? new Date().toISOString();
           const failureSummary = normalizeString(current.errorText) ?? summarizeRunValidationFailure(state.projectRoot, current) ?? `Rig task-run exited with code ${String(exit.code ?? "unknown")}`;
           if (current.status !== "failed") {
@@ -4203,7 +4737,7 @@ function resolveLocalRunCliProjectRoot(projectRoot) {
   }
   try {
     const monorepoRoot = resolveMonorepoRoot3(projectRoot);
-    const outerProjectRoot = dirname8(dirname8(monorepoRoot));
+    const outerProjectRoot = dirname9(dirname9(monorepoRoot));
     if (existsSync7(resolve14(outerProjectRoot, "packages/cli/bin/rig.ts"))) {
       return outerProjectRoot;
     }
@@ -4224,7 +4758,19 @@ async function resumeRunRecord(state, input) {
   if (run.status === "completed") {
     throw new Error("Completed runs cannot be resumed.");
   }
-  await startLocalRun(state, input.runId, { promptOverride: input.promptOverride ?? null });
+  const closeout = closeoutRecord(run);
+  const closeoutStatus = normalizeString(closeout?.status)?.toLowerCase() ?? "";
+  if (EXPLICIT_RESUMABLE_SERVER_CLOSEOUT_STATUSES.has(closeoutStatus)) {
+    patchRunRecord(state.projectRoot, input.runId, {
+      status: "reviewing",
+      completedAt: null,
+      errorText: null,
+      ...closeoutPhasePatch("queued", "pending", { ...closeout, resumedAt: input.createdAt })
+    });
+    scheduleServerOwnedPrCloseout(state, input.runId, "explicit-resume");
+    return;
+  }
+  await startLocalRun(state, input.runId, { promptOverride: input.promptOverride ?? null, resume: input.restart !== true });
 }
 function appendRunMessage(projectRoot, input) {
   const run = readAuthorityRun4(projectRoot, input.runId);
@@ -4308,34 +4854,63 @@ function removeTaskIdsFromQueueState(projectRoot, taskIds) {
   writeQueueState(projectRoot, next);
   return next;
 }
-var ORPHANABLE_LOCAL_RUN_STATUSES = new Set(["preparing", "running"]);
-function reconcileOrphanedLocalRuns(state, runs, nowIso) {
-  let changed = false;
-  for (const run of runs) {
-    const status = normalizeString(run.status)?.toLowerCase() ?? "";
-    const serverPid = run.serverPid;
-    const wasStartedByRigServer = typeof serverPid === "number" || typeof serverPid === "string";
-    if (run.mode !== "local" || !wasStartedByRigServer || !ORPHANABLE_LOCAL_RUN_STATUSES.has(status) || state.runProcesses.has(run.runId)) {
-      continue;
-    }
-    const detail = "Recovered stale local run after Rig server restart; no live child process was attached to this server instance.";
-    patchRunRecord(state.projectRoot, run.runId, {
-      status: "failed",
-      completedAt: run.completedAt ?? nowIso,
-      updatedAt: nowIso,
-      errorText: detail
-    });
-    appendRunLogEntry(state.projectRoot, run.runId, {
-      id: `log:${run.runId}:stale-local-run`,
-      title: "Run marked stale after server restart",
-      detail,
-      tone: "error",
-      status: "failed",
-      createdAt: nowIso
+var RESUMABLE_SERVER_CLOSEOUT_STATUSES = new Set(["pending", "running"]);
+var EXPLICIT_RESUMABLE_SERVER_CLOSEOUT_STATUSES = new Set(["pending", "running", "needs_attention"]);
+var ACTIVE_LOCAL_RUN_STATUSES = new Set(["created", "preparing", "running", "validating", "reviewing"]);
+function processExists(pid) {
+  if (!Number.isInteger(pid) || pid <= 0)
+    return false;
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function recoverStaleLocalRun(projectRoot, run) {
+  const record = run;
+  if (run.mode !== "local")
+    return false;
+  const closeout = closeoutRecord(record);
+  const closeoutStatus = normalizeString(closeout?.status)?.toLowerCase() ?? "";
+  const status = normalizeString(record.status)?.toLowerCase() ?? "";
+  if (RESUMABLE_SERVER_CLOSEOUT_STATUSES.has(closeoutStatus))
+    return false;
+  if (closeoutStatus === "needs_attention") {
+    if (!ACTIVE_LOCAL_RUN_STATUSES.has(status))
+      return false;
+    const completedAt2 = record.completedAt ?? new Date().toISOString();
+    patchRunRecord(projectRoot, run.runId, {
+      status: "needs_attention",
+      completedAt: completedAt2,
+      errorText: normalizeString(record.errorText) ?? (Array.isArray(closeout?.feedback) ? closeout.feedback.map(String).join(`
+`) : null)
     });
-    changed = true;
+    return true;
   }
-  return changed;
+  if (!ACTIVE_LOCAL_RUN_STATUSES.has(status))
+    return false;
+  const serverPid = typeof record.serverPid === "number" ? record.serverPid : null;
+  const childPid = typeof record.pid === "number" ? record.pid : null;
+  if (serverPid === null && childPid === null)
+    return false;
+  const hasLiveRecordedProcess = [serverPid, childPid].some((pid) => typeof pid === "number" && processExists(pid));
+  if (hasLiveRecordedProcess && serverPid === process.pid)
+    return false;
+  const completedAt = new Date().toISOString();
+  patchRunRecord(projectRoot, run.runId, {
+    status: "failed",
+    completedAt,
+    errorText: `Recovered stale local run ${run.runId} after server startup; no active server-owned process was tracking it.`
+  });
+  return true;
+}
+function collectResumableServerCloseouts(state, runs) {
+  return runs.filter((run) => {
+    const closeout = closeoutRecord(run);
+    const closeoutStatus = normalizeString(closeout?.status)?.toLowerCase() ?? "";
+    return run.mode === "local" && RESUMABLE_SERVER_CLOSEOUT_STATUSES.has(closeoutStatus) && !state.runProcesses.has(run.runId);
+  });
 }
 async function reconcileScheduler(state, reason) {
   if (state.scheduler.reconciling) {
@@ -4350,7 +4925,28 @@ async function reconcileScheduler(state, reason) {
         const queue = readQueueState(state.projectRoot);
         const tasks = await state.snapshotService.getWorkspaceTasks();
         let runs = listAuthorityRuns4(state.projectRoot);
-        let changed = reconcileOrphanedLocalRuns(state, runs, new Date().toISOString());
+        let changed = false;
+        for (const run of runs) {
+          if (!state.runProcesses.has(run.runId) && recoverStaleLocalRun(state.projectRoot, run)) {
+            changed = true;
+          }
+        }
+        if (changed) {
+          runs = listAuthorityRuns4(state.projectRoot);
+        }
+        const resumableCloseouts = collectResumableServerCloseouts(state, runs);
+        for (const run of resumableCloseouts) {
+          appendRunLogEntry(state.projectRoot, run.runId, {
+            id: `log:${run.runId}:server-closeout-auto-resume:${Date.now()}`,
+            title: "Server-owned closeout auto-resume scheduled",
+            detail: `Rig server recovered closeout checkpoint ${run.runId} after ${reason}; resuming the server-owned lifecycle phase.`,
+            tone: "info",
+            status: "reviewing",
+            createdAt: new Date().toISOString()
+          });
+          scheduleServerOwnedPrCloseout(state, run.runId, "auto-resume");
+          changed = true;
+        }
         if (changed) {
           runs = listAuthorityRuns4(state.projectRoot);
         }
@@ -4426,11 +5022,11 @@ async function reconcileScheduler(state, reason) {
 // packages/server/src/server-helpers/http-router.ts
 import { randomUUID } from "crypto";
 import { spawnSync as spawnSync3 } from "child_process";
-import { basename, dirname as dirname12, isAbsolute as isAbsolute3, resolve as resolve18 } from "path";
-import { copyFileSync, existsSync as existsSync11, mkdirSync as mkdirSync11, readFileSync as readFileSync7, writeFileSync as writeFileSync10 } from "fs";
+import { basename, dirname as dirname15, isAbsolute as isAbsolute4, resolve as resolve20 } from "path";
+import { copyFileSync as copyFileSync2, existsSync as existsSync13, mkdirSync as mkdirSync13, readFileSync as readFileSync9, writeFileSync as writeFileSync12 } from "fs";
 import {
   listAuthorityRuns as listAuthorityRuns5,
-  readAuthorityRun as readAuthorityRun6,
+  readAuthorityRun as readAuthorityRun7,
   resolveAuthorityPaths,
   writeJsonFile as writeJsonFile4
 } from "@rig/runtime/control-plane/authority-files";
@@ -4450,10 +5046,64 @@ import {
   RemoteWsClient
 } from "@rig/runtime/control-plane/remote";
 
+// packages/server/src/server-helpers/pi-session-proxy.ts
+import { readAuthorityRun as readAuthorityRun5 } from "@rig/runtime/control-plane/authority-files";
+function resolveRunPiSessionProxy(projectRoot, runId) {
+  const run = readAuthorityRun5(projectRoot, runId);
+  if (!run)
+    return null;
+  const privateMetadata = readRunPiSessionMetadata(projectRoot, runId);
+  if (!privateMetadata)
+    return { pending: true, runId, status: typeof run.status === "string" ? run.status : undefined };
+  const connection = privateMetadata.daemonConnection;
+  if (connection.mode !== "http")
+    throw new Error("Only loopback HTTP Rig Pi session daemon connections are supported");
+  const token = tokenFromRef(connection.tokenRef);
+  if (!token)
+    throw new Error("Rig Pi session daemon token is unavailable");
+  return {
+    runId,
+    sessionId: privateMetadata.public.sessionId,
+    metadata: privateMetadata.public,
+    privateMetadata,
+    baseUrl: connection.baseUrl.replace(/\/+$/, ""),
+    token
+  };
+}
+async function proxyRunPiHttp(projectRoot, runId, input) {
+  const resolved = resolveRunPiSessionProxy(projectRoot, runId);
+  if (resolved === null)
+    return { status: 404, payload: { ok: false, error: "Run not found" } };
+  if ("pending" in resolved)
+    return { status: 409, payload: { ready: false, runId, status: resolved.status, retryAfterMs: 500 } };
+  const response = await fetch(`${resolved.baseUrl}${input.daemonPath}`, {
+    method: input.method,
+    headers: {
+      authorization: `Bearer ${resolved.token}`,
+      ...input.body === undefined ? {} : { "content-type": "application/json" }
+    },
+    body: input.body === undefined ? undefined : JSON.stringify(input.body)
+  });
+  const text = await response.text();
+  const payload = text.trim() ? JSON.parse(text) : null;
+  return { status: response.status, payload };
+}
+function buildRunPiDaemonWebSocketUrl(resolved) {
+  const url = new URL(`${resolved.baseUrl}/sessions/${encodeURIComponent(resolved.sessionId)}/events`);
+  url.protocol = url.protocol === "https:" ? "wss:" : "ws:";
+  url.searchParams.set("token", resolved.token);
+  return url.toString();
+}
+function tokenFromRef(ref) {
+  if (ref.startsWith("inline:"))
+    return ref.slice("inline:".length) || null;
+  return null;
+}
+
 // packages/server/src/server-helpers/run-steering.ts
-import { dirname as dirname9, resolve as resolve15 } from "path";
+import { dirname as dirname10, resolve as resolve15 } from "path";
 import { existsSync as existsSync8, mkdirSync as mkdirSync8, readFileSync as readFileSync5 } from "fs";
-import { appendJsonlRecord as appendJsonlRecord2, readAuthorityRun as readAuthorityRun5, resolveAuthorityRunDir as resolveAuthorityRunDir4 } from "@rig/runtime/control-plane/authority-files";
+import { appendJsonlRecord as appendJsonlRecord2, readAuthorityRun as readAuthorityRun6, resolveAuthorityRunDir as resolveAuthorityRunDir4 } from "@rig/runtime/control-plane/authority-files";
 var steeringSequence = 0;
 function runSteeringPath(projectRoot, runId) {
   return resolve15(resolveAuthorityRunDir4(projectRoot, runId), "steering.jsonl");
@@ -4522,7 +5172,7 @@ function markQueuedRunSteeringMessagesDelivered(projectRoot, runId, ids) {
   return delivered;
 }
 function queueRunSteeringMessage(projectRoot, runId, input) {
-  const run = readAuthorityRun5(projectRoot, runId);
+  const run = readAuthorityRun6(projectRoot, runId);
   if (!run)
     throw new Error(`Run not found: ${runId}`);
   const text = input.message.trim();
@@ -4538,7 +5188,7 @@ function queueRunSteeringMessage(projectRoot, runId, input) {
     delivered: false
   };
   const path = runSteeringPath(projectRoot, runId);
-  mkdirSync8(dirname9(path), { recursive: true });
+  mkdirSync8(dirname10(path), { recursive: true });
   appendJsonlRecord2(path, entry);
   appendRunTimelineEntry(projectRoot, runId, {
     id: entry.id,
@@ -4575,6 +5225,187 @@ import {
   updateConfiguredTaskSourceTask as updateConfiguredTaskSourceTask2
 } from "@rig/runtime/control-plane/tasks/source-lifecycle";
 
+// packages/server/src/server-helpers/github-api-session-index.ts
+import { chmodSync as chmodSync3, existsSync as existsSync10, mkdirSync as mkdirSync10, readFileSync as readFileSync7, writeFileSync as writeFileSync9 } from "fs";
+import { dirname as dirname12, resolve as resolve17 } from "path";
+
+// packages/server/src/server-helpers/github-user-namespace.ts
+import { chmodSync as chmodSync2, existsSync as existsSync9, mkdirSync as mkdirSync9, readFileSync as readFileSync6, writeFileSync as writeFileSync8 } from "fs";
+import { dirname as dirname11, isAbsolute as isAbsolute2, relative as relative3, resolve as resolve16 } from "path";
+function cleanString3(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function sanitizePathSegment(value) {
+  return value.trim().toLowerCase().replace(/[^a-z0-9._-]/g, "-").replace(/^-+|-+$/g, "").slice(0, 96);
+}
+function deriveGitHubUserNamespaceKey(identity) {
+  const userId = cleanString3(identity.userId);
+  if (userId) {
+    const safeId = sanitizePathSegment(userId);
+    if (safeId)
+      return `ghu-${safeId}`;
+  }
+  const login = cleanString3(identity.login);
+  if (login) {
+    const safeLogin = sanitizePathSegment(login);
+    if (safeLogin)
+      return `ghu-login-${safeLogin}`;
+  }
+  throw new Error("GitHub user namespace requires a user id or login");
+}
+function resolveRemoteUserNamespacesRoot(projectRoot) {
+  const explicitRoot = cleanString3(process.env.RIG_REMOTE_USER_NAMESPACE_ROOT);
+  if (explicitRoot)
+    return resolve16(explicitRoot);
+  const stateDir2 = cleanString3(process.env.RIG_STATE_DIR);
+  if (stateDir2)
+    return resolve16(dirname11(resolve16(stateDir2)), "users");
+  return resolve16(projectRoot, ".rig", "users");
+}
+function resolveRemoteUserNamespace(projectRoot, identity) {
+  const key = deriveGitHubUserNamespaceKey(identity);
+  const root = resolve16(resolveRemoteUserNamespacesRoot(projectRoot), key);
+  const stateDir2 = resolve16(root, ".rig", "state");
+  return {
+    key,
+    userId: cleanString3(identity.userId),
+    login: cleanString3(identity.login),
+    root,
+    stateDir: stateDir2,
+    authStateFile: resolve16(stateDir2, "github-auth.json"),
+    metadataFile: resolve16(stateDir2, "user-namespace.json"),
+    checkoutBaseDir: resolve16(root, "remote-checkouts"),
+    snapshotBaseDir: resolve16(root, "remote-snapshots")
+  };
+}
+function serializeRemoteUserNamespace(namespace) {
+  return {
+    key: namespace.key,
+    userId: namespace.userId,
+    login: namespace.login,
+    root: namespace.root,
+    checkoutBaseDir: namespace.checkoutBaseDir,
+    snapshotBaseDir: namespace.snapshotBaseDir
+  };
+}
+function isPathInsideNamespace(namespaceRoot, candidatePath) {
+  const root = resolve16(namespaceRoot);
+  const candidate = resolve16(candidatePath);
+  const rel = relative3(root, candidate);
+  return rel === "" || !rel.startsWith("..") && !isAbsolute2(rel);
+}
+function writeRemoteUserNamespaceMetadata(namespace) {
+  mkdirSync9(namespace.stateDir, { recursive: true });
+  const previous = (() => {
+    if (!existsSync9(namespace.metadataFile))
+      return null;
+    try {
+      const parsed = JSON.parse(readFileSync6(namespace.metadataFile, "utf8"));
+      return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+    } catch {
+      return null;
+    }
+  })();
+  const now = new Date().toISOString();
+  writeFileSync8(namespace.metadataFile, `${JSON.stringify({
+    key: namespace.key,
+    userId: namespace.userId,
+    login: namespace.login,
+    root: namespace.root,
+    checkoutBaseDir: namespace.checkoutBaseDir,
+    snapshotBaseDir: namespace.snapshotBaseDir,
+    createdAt: typeof previous?.createdAt === "string" ? previous.createdAt : now,
+    updatedAt: now
+  }, null, 2)}
+`, { encoding: "utf8", mode: 384 });
+  try {
+    chmodSync2(namespace.metadataFile, 384);
+  } catch {}
+}
+
+// packages/server/src/server-helpers/github-api-session-index.ts
+function cleanString4(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function resolveGitHubApiSessionIndexFile(projectRoot) {
+  return resolve17(resolveRemoteUserNamespacesRoot(projectRoot), ".api-sessions.json");
+}
+function parseEntry(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value))
+    return null;
+  const record = value;
+  const token = cleanString4(record.token);
+  const namespaceKey = cleanString4(record.namespaceKey);
+  const namespaceRoot = cleanString4(record.namespaceRoot);
+  const authStateFile = cleanString4(record.authStateFile);
+  const checkoutBaseDir = cleanString4(record.checkoutBaseDir);
+  const snapshotBaseDir = cleanString4(record.snapshotBaseDir);
+  const createdAt = cleanString4(record.createdAt);
+  if (!token || !namespaceKey || !namespaceRoot || !authStateFile || !checkoutBaseDir || !snapshotBaseDir || !createdAt)
+    return null;
+  return {
+    token,
+    namespaceKey,
+    namespaceRoot,
+    authStateFile,
+    checkoutBaseDir,
+    snapshotBaseDir,
+    createdAt,
+    login: cleanString4(record.login),
+    userId: cleanString4(record.userId),
+    selectedRepo: cleanString4(record.selectedRepo)
+  };
+}
+function readIndex(indexFile) {
+  if (!existsSync10(indexFile))
+    return [];
+  try {
+    const parsed = JSON.parse(readFileSync7(indexFile, "utf8"));
+    return Array.isArray(parsed.sessions) ? parsed.sessions.flatMap((entry) => {
+      const parsedEntry = parseEntry(entry);
+      return parsedEntry ? [parsedEntry] : [];
+    }) : [];
+  } catch {
+    return [];
+  }
+}
+function writeIndex(indexFile, sessions) {
+  mkdirSync10(dirname12(indexFile), { recursive: true });
+  writeFileSync9(indexFile, `${JSON.stringify({ sessions }, null, 2)}
+`, { encoding: "utf8", mode: 384 });
+  try {
+    chmodSync3(indexFile, 384);
+  } catch {}
+}
+function registerGitHubApiSession(input) {
+  const cleanToken = cleanString4(input.token);
+  if (!cleanToken)
+    throw new Error("GitHub API session token is required");
+  const indexFile = resolveGitHubApiSessionIndexFile(input.projectRoot);
+  const createdAt = new Date().toISOString();
+  const entry = {
+    token: cleanToken,
+    login: input.namespace.login,
+    userId: input.namespace.userId,
+    namespaceKey: input.namespace.key,
+    namespaceRoot: input.namespace.root,
+    authStateFile: input.namespace.authStateFile,
+    checkoutBaseDir: input.namespace.checkoutBaseDir,
+    snapshotBaseDir: input.namespace.snapshotBaseDir,
+    selectedRepo: cleanString4(input.selectedRepo),
+    createdAt
+  };
+  const previous = readIndex(indexFile).filter((session) => session.token !== cleanToken);
+  writeIndex(indexFile, [...previous.slice(-199), entry]);
+  return entry;
+}
+function readGitHubApiSession(input) {
+  const cleanToken = cleanString4(input.token);
+  if (!cleanToken)
+    return null;
+  return readIndex(resolveGitHubApiSessionIndexFile(input.projectRoot)).find((entry) => entry.token === cleanToken) ?? null;
+}
+
 // packages/server/src/server-helpers/inspector-agent-lifecycle.ts
 function createInspectorAgentLifecycleController(options) {
   const initialDelayMs = Math.max(1, options.initialDelayMs ?? 5000);
@@ -4678,21 +5509,21 @@ function inspectorAgentLifecycleSnapshot(input) {
 // packages/server/src/server-helpers/project-registry.ts
 import { createHash as createHash2 } from "crypto";
 import { spawnSync as spawnSync2 } from "child_process";
-import { existsSync as existsSync9, mkdirSync as mkdirSync9, readFileSync as readFileSync6, readdirSync as readdirSync3, writeFileSync as writeFileSync8 } from "fs";
-import { dirname as dirname10, resolve as resolve16 } from "path";
+import { existsSync as existsSync11, mkdirSync as mkdirSync11, readFileSync as readFileSync8, readdirSync as readdirSync3, writeFileSync as writeFileSync10 } from "fs";
+import { dirname as dirname13, resolve as resolve18 } from "path";
 function normalizeRepoSlug(value) {
   const trimmed = value.trim();
   return /^[^/\s]+\/[^/\s]+$/.test(trimmed) ? trimmed : null;
 }
 function registryPath(projectRoot) {
-  return resolve16(projectRoot, ".rig", "state", "projects.json");
+  return resolve18(projectRoot, ".rig", "state", "projects.json");
 }
 function readRegistry(projectRoot) {
   const path = registryPath(projectRoot);
-  if (!existsSync9(path))
+  if (!existsSync11(path))
     return {};
   try {
-    const payload = JSON.parse(readFileSync6(path, "utf8"));
+    const payload = JSON.parse(readFileSync8(path, "utf8"));
     if (!payload || typeof payload !== "object" || Array.isArray(payload))
       return {};
     const projects = payload.projects;
@@ -4703,14 +5534,14 @@ function readRegistry(projectRoot) {
 }
 function writeRegistry(projectRoot, projects) {
   const path = registryPath(projectRoot);
-  mkdirSync9(dirname10(path), { recursive: true });
-  writeFileSync8(path, `${JSON.stringify({ projects }, null, 2)}
+  mkdirSync11(dirname13(path), { recursive: true });
+  writeFileSync10(path, `${JSON.stringify({ projects }, null, 2)}
 `, "utf8");
 }
 function resolveConfigPath(projectRoot) {
   for (const name of ["rig.config.ts", "rig.config.mts", "rig.config.json"]) {
-    const path = resolve16(projectRoot, name);
-    if (existsSync9(path))
+    const path = resolve18(projectRoot, name);
+    if (existsSync11(path))
       return path;
   }
   return null;
@@ -4719,7 +5550,7 @@ function hashFile(path) {
   if (!path)
     return null;
   try {
-    return createHash2("sha256").update(readFileSync6(path)).digest("hex");
+    return createHash2("sha256").update(readFileSync8(path)).digest("hex");
   } catch {
     return null;
   }
@@ -4735,11 +5566,11 @@ function readDefaultBranch(projectRoot) {
   return head.status === 0 && head.stdout.trim() && head.stdout.trim() !== "HEAD" ? head.stdout.trim() : null;
 }
 function buildRunSummary(projectRoot) {
-  const runsDir = resolve16(projectRoot, ".rig", "runs");
+  const runsDir = resolve18(projectRoot, ".rig", "runs");
   try {
     const runs = readdirSync3(runsDir, { withFileTypes: true }).filter((entry) => entry.isDirectory()).flatMap((entry) => {
       try {
-        const run = JSON.parse(readFileSync6(resolve16(runsDir, entry.name, "run.json"), "utf8"));
+        const run = JSON.parse(readFileSync8(resolve18(runsDir, entry.name, "run.json"), "utf8"));
         return [{ runId: typeof run.runId === "string" ? run.runId : entry.name, status: typeof run.status === "string" ? run.status : "unknown", updatedAt: typeof run.updatedAt === "string" ? run.updatedAt : "" }];
       } catch {
         return [];
@@ -4791,10 +5622,14 @@ function upsertProjectRecord(projectRoot, input) {
 function linkProjectCheckout(projectRoot, repoSlug, checkout) {
   return upsertProjectRecord(projectRoot, { repoSlug, checkout });
 }
+function projectRegistryContainsCheckout(projectRoot, checkoutPath) {
+  const target = resolve18(checkoutPath);
+  return Object.values(readRegistry(projectRoot)).some((project) => project.checkouts.some((checkout) => checkout.path ? resolve18(checkout.path) === target : false));
+}
 
 // packages/server/src/server-helpers/remote-checkout.ts
-import { existsSync as existsSync10, mkdirSync as mkdirSync10, writeFileSync as writeFileSync9 } from "fs";
-import { dirname as dirname11, isAbsolute as isAbsolute2, relative as relative3, resolve as resolve17 } from "path";
+import { existsSync as existsSync12, mkdirSync as mkdirSync12, writeFileSync as writeFileSync11 } from "fs";
+import { dirname as dirname14, isAbsolute as isAbsolute3, relative as relative4, resolve as resolve19 } from "path";
 function safeSlugSegments(repoSlug) {
   const segments = repoSlug.split("/").map((part) => part.trim()).filter(Boolean);
   if (segments.length !== 2 || segments.some((segment) => segment === "." || segment === ".." || segment.includes("\\"))) {
@@ -4811,7 +5646,7 @@ function safeCheckoutKey(value) {
 }
 function repoSlugPath(baseDir, repoSlug, checkoutKey) {
   const key = safeCheckoutKey(checkoutKey);
-  return resolve17(baseDir, ...key ? [key] : [], ...safeSlugSegments(repoSlug));
+  return resolve19(baseDir, ...key ? [key] : [], ...safeSlugSegments(repoSlug));
 }
 function sanitizeSnapshotId(value, fallback) {
   const raw = (value ?? fallback).trim();
@@ -4819,7 +5654,7 @@ function sanitizeSnapshotId(value, fallback) {
   return safe || fallback;
 }
 function assertWithinRoot(root, relativePath) {
-  if (!relativePath || isAbsolute2(relativePath) || relativePath.includes("\x00")) {
+  if (!relativePath || isAbsolute3(relativePath) || relativePath.includes("\x00")) {
     throw new Error(`Invalid snapshot file path: ${relativePath}`);
   }
   const normalizedRelative = relativePath.replace(/\\/g, "/");
@@ -4827,9 +5662,9 @@ function assertWithinRoot(root, relativePath) {
   if (segments.some((segment) => segment === "" || segment === "." || segment === "..")) {
     throw new Error(`Unsafe snapshot file path: ${relativePath}`);
   }
-  const target = resolve17(root, ...segments);
-  const rel = relative3(root, target);
-  if (rel === ".." || rel.split(/[\\/]/)[0] === ".." || isAbsolute2(rel)) {
+  const target = resolve19(root, ...segments);
+  const rel = relative4(root, target);
+  if (rel === ".." || rel.split(/[\\/]/)[0] === ".." || isAbsolute3(rel)) {
     throw new Error(`Snapshot file path escapes checkout root: ${relativePath}`);
   }
   return target;
@@ -4847,17 +5682,17 @@ function parseSnapshotArchiveContentBase64(contentBase64) {
 function extractUploadedSnapshotArchive(input) {
   const archive = decodeSnapshotArchive(input.archive);
   const snapshotId = sanitizeSnapshotId(input.snapshotId, `snapshot-${(input.now?.() ?? new Date).toISOString().replace(/[:.]/g, "-")}`);
-  const checkoutPath = resolve17(repoSlugPath(input.baseDir, input.repoSlug, input.checkoutKey), snapshotId);
-  mkdirSync10(checkoutPath, { recursive: true });
+  const checkoutPath = resolve19(repoSlugPath(input.baseDir, input.repoSlug, input.checkoutKey), snapshotId);
+  mkdirSync12(checkoutPath, { recursive: true });
   for (const file of archive.files) {
     if (!file || typeof file.path !== "string" || typeof file.contentBase64 !== "string") {
       throw new Error("Invalid snapshot archive file entry");
     }
     const target = assertWithinRoot(checkoutPath, file.path);
-    mkdirSync10(dirname11(target), { recursive: true });
-    writeFileSync9(target, Buffer.from(file.contentBase64, "base64"));
+    mkdirSync12(dirname14(target), { recursive: true });
+    writeFileSync11(target, Buffer.from(file.contentBase64, "base64"));
   }
-  writeFileSync9(resolve17(checkoutPath, ".rig-uploaded-snapshot.json"), `${JSON.stringify({
+  writeFileSync11(resolve19(checkoutPath, ".rig-uploaded-snapshot.json"), `${JSON.stringify({
     repoSlug: input.repoSlug,
     snapshotId,
     fileCount: archive.files.length,
@@ -4892,7 +5727,7 @@ function gitCredentialConfig(token) {
   };
 }
 async function prepareRemoteCheckout(input) {
-  const exists = input.exists ?? existsSync10;
+  const exists = input.exists ?? existsSync12;
   const strategy = input.strategy;
   if (strategy.kind === "uploaded-snapshot") {
     return extractUploadedSnapshotArchive({
@@ -4904,7 +5739,7 @@ async function prepareRemoteCheckout(input) {
     });
   }
   if (strategy.kind === "existing-path") {
-    const checkoutPath2 = resolve17(strategy.path);
+    const checkoutPath2 = resolve19(strategy.path);
     if (!exists(checkoutPath2)) {
       throw new Error(`Existing remote checkout path does not exist: ${checkoutPath2}`);
     }
@@ -4940,9 +5775,9 @@ function buildServerControlStatus() {
   };
 }
 function buildProjectConfigStatus(root) {
-  const hasConfigTs = existsSync11(resolve18(root, "rig.config.ts"));
-  const hasConfigJson = existsSync11(resolve18(root, "rig.config.json"));
-  const hasLegacyTaskConfig = existsSync11(resolve18(root, ".rig", "task-config.json"));
+  const hasConfigTs = existsSync13(resolve20(root, "rig.config.ts"));
+  const hasConfigJson = existsSync13(resolve20(root, "rig.config.json"));
+  const hasLegacyTaskConfig = existsSync13(resolve20(root, ".rig", "task-config.json"));
   let kind = "missing";
   if (hasConfigTs)
     kind = "rig-config-ts";
@@ -4959,6 +5794,75 @@ function buildProjectConfigStatus(root) {
     suggestion: kind === "missing" ? "Run `rig init` in the project root to scaffold rig.config.ts." : null
   };
 }
+var RIG_GITHUB_LIFECYCLE_LABELS = [
+  "ready",
+  "blocked",
+  "in-progress",
+  "under-review",
+  "failed",
+  "cancelled",
+  "rig:running",
+  "rig:pr-open",
+  "rig:ci-fixing",
+  "rig:merging",
+  "rig:done",
+  "rig:needs-attention"
+];
+function githubProjectsEnabled2(config) {
+  if (!config || typeof config !== "object" || Array.isArray(config))
+    return false;
+  const root = config;
+  const github = root.github && typeof root.github === "object" && !Array.isArray(root.github) ? root.github : null;
+  const projects = github?.projects && typeof github.projects === "object" && !Array.isArray(github.projects) ? github.projects : null;
+  return projects?.enabled === true;
+}
+function githubIssueSourceRepo(config) {
+  if (!config || typeof config !== "object" || Array.isArray(config))
+    return null;
+  const root = config;
+  const taskSource = root.taskSource && typeof root.taskSource === "object" && !Array.isArray(root.taskSource) ? root.taskSource : null;
+  const owner = normalizeString(taskSource?.owner);
+  const repo = normalizeString(taskSource?.repo);
+  if (taskSource?.kind === "github-issues" && owner && repo)
+    return { owner, repo };
+  const project = root.project && typeof root.project === "object" && !Array.isArray(root.project) ? root.project : null;
+  const slug = normalizeString(project?.repo) ?? normalizeString(project?.name);
+  const match = slug?.match(/^([^/]+)\/([^/]+)$/);
+  return match ? { owner: match[1], repo: match[2] } : null;
+}
+async function ensureGitHubLifecycleLabels(projectRoot, config) {
+  const repo = githubIssueSourceRepo(config);
+  if (!repo)
+    return { ok: false, ready: false, labelsReady: false, reason: "not-github-issues-source", labels: RIG_GITHUB_LIFECYCLE_LABELS };
+  const token = createGitHubAuthStore(projectRoot).readToken();
+  if (!token)
+    return { ok: false, ready: false, labelsReady: false, reason: "missing-token", repo, labels: RIG_GITHUB_LIFECYCLE_LABELS };
+  const existingResponse = await fetch(`https://api.github.com/repos/${repo.owner}/${repo.repo}/labels?per_page=100`, {
+    headers: { accept: "application/vnd.github+json", authorization: `Bearer ${token}`, "user-agent": "rig-server" }
+  });
+  const existingJson = await existingResponse.json().catch(() => []);
+  const existing = new Set(Array.isArray(existingJson) ? existingJson.flatMap((entry) => entry && typeof entry === "object" && typeof entry.name === "string" ? [entry.name] : []) : []);
+  const created = [];
+  const alreadyPresent = [];
+  const failed = [];
+  for (const label of RIG_GITHUB_LIFECYCLE_LABELS) {
+    if (existing.has(label)) {
+      alreadyPresent.push(label);
+      continue;
+    }
+    const response = await fetch(`https://api.github.com/repos/${repo.owner}/${repo.repo}/labels`, {
+      method: "POST",
+      headers: { accept: "application/vnd.github+json", authorization: `Bearer ${token}`, "content-type": "application/json", "user-agent": "rig-server" },
+      body: JSON.stringify({ name: label, color: label.startsWith("rig:") ? "6f42c1" : "ededed", description: label.startsWith("rig:") ? "Task status managed by Rig" : "Task lifecycle status managed by Rig" })
+    });
+    if (response.ok || response.status === 422) {
+      (response.status === 422 ? alreadyPresent : created).push(label);
+    } else {
+      failed.push({ label, error: await response.text().catch(() => response.statusText) });
+    }
+  }
+  return { ok: failed.length === 0, ready: failed.length === 0, labelsReady: failed.length === 0, repo, labels: RIG_GITHUB_LIFECYCLE_LABELS, created, existing: alreadyPresent, failed };
+}
 function normalizeCommit(value) {
   const raw = normalizeString(value);
   return raw && /^[0-9a-f]{7,40}$/i.test(raw) ? raw : null;
@@ -4978,24 +5882,24 @@ function repoParts(repoSlug) {
   return { owner, repo, slug: `${owner}/${repo}` };
 }
 function repairDir(checkoutPath) {
-  const dir = resolve18(checkoutPath, ".rig", "state", "repairs", new Date().toISOString().replace(/[:.]/g, "-"));
-  mkdirSync11(dir, { recursive: true });
+  const dir = resolve20(checkoutPath, ".rig", "state", "repairs", new Date().toISOString().replace(/[:.]/g, "-"));
+  mkdirSync13(dir, { recursive: true });
   return dir;
 }
 function backupCheckoutFile(checkoutPath, relativePath) {
-  const source = resolve18(checkoutPath, relativePath);
-  const backupPath = resolve18(repairDir(checkoutPath), relativePath.replace(/[\\/]/g, "__"));
-  mkdirSync11(dirname12(backupPath), { recursive: true });
-  copyFileSync(source, backupPath);
+  const source = resolve20(checkoutPath, relativePath);
+  const backupPath = resolve20(repairDir(checkoutPath), relativePath.replace(/[\\/]/g, "__"));
+  mkdirSync13(dirname15(backupPath), { recursive: true });
+  copyFileSync2(source, backupPath);
   return backupPath;
 }
 function parsePackageJsonLosslessly(checkoutPath) {
-  const packagePath = resolve18(checkoutPath, "package.json");
-  if (!existsSync11(packagePath)) {
+  const packagePath = resolve20(checkoutPath, "package.json");
+  if (!existsSync13(packagePath)) {
     return { existed: false, packageJson: { name: basename(checkoutPath) || "rig-project", private: true } };
   }
   try {
-    const parsed = JSON.parse(readFileSync7(packagePath, "utf8"));
+    const parsed = JSON.parse(readFileSync9(packagePath, "utf8"));
     return {
       existed: true,
       packageJson: parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : { name: basename(checkoutPath) || "rig-project", private: true }
@@ -5009,9 +5913,9 @@ function parsePackageJsonLosslessly(checkoutPath) {
   }
 }
 function ensureRemoteCheckoutRigPackageDeps(checkoutPath) {
-  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync11(resolve18(checkoutPath, name)));
-  const packagePath = resolve18(checkoutPath, "package.json");
-  if (!hasConfig && !existsSync11(packagePath)) {
+  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync13(resolve20(checkoutPath, name)));
+  const packagePath = resolve20(checkoutPath, "package.json");
+  if (!hasConfig && !existsSync13(packagePath)) {
     return { skipped: true, reason: "package.json and rig.config missing" };
   }
   const parsed = parsePackageJsonLosslessly(checkoutPath);
@@ -5030,7 +5934,7 @@ function ensureRemoteCheckoutRigPackageDeps(checkoutPath) {
   }
   const changed = !parsed.existed || Boolean(parsed.backupPath) || added.length > 0 || updated.length > 0 || existingDevDependencies !== devDependencies && (!existingDevDependencies || typeof existingDevDependencies !== "object" || Array.isArray(existingDevDependencies));
   if (changed) {
-    writeFileSync10(packagePath, `${JSON.stringify({ ...parsed.packageJson, devDependencies }, null, 2)}
+    writeFileSync12(packagePath, `${JSON.stringify({ ...parsed.packageJson, devDependencies }, null, 2)}
 `, "utf8");
   }
   return {
@@ -5056,11 +5960,11 @@ function configLooksStructurallyUsable(source) {
   return /taskSource\s*:/.test(source) && /workspace\s*:/.test(source) && /project\s*:/.test(source);
 }
 function ensureRemoteCheckoutRigConfig(checkoutPath, repoSlug, reason = "missing or incomplete rig config") {
-  const configPath = resolve18(checkoutPath, "rig.config.ts");
-  const existingConfigName = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync11(resolve18(checkoutPath, name)));
+  const configPath = resolve20(checkoutPath, "rig.config.ts");
+  const existingConfigName = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync13(resolve20(checkoutPath, name)));
   if (existingConfigName) {
-    const existingPath = resolve18(checkoutPath, existingConfigName);
-    const source = readFileSync7(existingPath, "utf8");
+    const existingPath = resolve20(checkoutPath, existingConfigName);
+    const source = readFileSync9(existingPath, "utf8");
     if (existingConfigName !== "rig.config.json" && configLooksStructurallyUsable(source)) {
       return { path: existingPath, changed: false, reason: "config structurally complete" };
     }
@@ -5074,7 +5978,7 @@ function ensureRemoteCheckoutRigConfig(checkoutPath, repoSlug, reason = "missing
     }
   }
   const backupPath = existingConfigName ? backupCheckoutFile(checkoutPath, existingConfigName) : undefined;
-  writeFileSync10(configPath, generatedRigConfigSource(repoSlug), "utf8");
+  writeFileSync12(configPath, generatedRigConfigSource(repoSlug), "utf8");
   return {
     path: configPath,
     changed: true,
@@ -5083,7 +5987,7 @@ function ensureRemoteCheckoutRigConfig(checkoutPath, repoSlug, reason = "missing
   };
 }
 function validateRemoteCheckoutRigConfig(checkoutPath) {
-  const configFile = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync11(resolve18(checkoutPath, name)));
+  const configFile = ["rig.config.ts", "rig.config.mts", "rig.config.json"].find((name) => existsSync13(resolve20(checkoutPath, name)));
   if (!configFile)
     return { ok: false, error: "missing rig config" };
   if (process.env.RIG_TEST_SKIP_REMOTE_CHECKOUT_INSTALL === "1") {
@@ -5105,7 +6009,7 @@ function validateRemoteCheckoutRigConfig(checkoutPath) {
   return { ok: true, configFile };
 }
 function installRemoteCheckoutPackages(checkoutPath) {
-  if (!existsSync11(resolve18(checkoutPath, "package.json"))) {
+  if (!existsSync13(resolve20(checkoutPath, "package.json"))) {
     return { skipped: true, reason: "package.json missing" };
   }
   if (process.env.RIG_TEST_SKIP_REMOTE_CHECKOUT_INSTALL === "1") {
@@ -5118,8 +6022,8 @@ function installRemoteCheckoutPackages(checkoutPath) {
   return { ok: true, command: "bun install", stdout: result.stdout?.trim() || undefined };
 }
 function repairRemoteCheckoutForRig(checkoutPath, repoSlug) {
-  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync11(resolve18(checkoutPath, name)));
-  const hasPackage = existsSync11(resolve18(checkoutPath, "package.json"));
+  const hasConfig = ["rig.config.ts", "rig.config.mts", "rig.config.json"].some((name) => existsSync13(resolve20(checkoutPath, name)));
+  const hasPackage = existsSync13(resolve20(checkoutPath, "package.json"));
   if (!hasConfig && !hasPackage) {
     return {
       packageJson: { skipped: true, reason: "package.json and rig.config missing" },
@@ -5217,26 +6121,26 @@ function buildRemoteRunLogEntry(body, identifiers) {
 }
 function readGitHeadCommit(projectRoot) {
   try {
-    let gitDir = resolve18(projectRoot, ".git");
+    let gitDir = resolve20(projectRoot, ".git");
     try {
-      const dotGit = readFileSync7(gitDir, "utf8").trim();
+      const dotGit = readFileSync9(gitDir, "utf8").trim();
       const gitDirPrefix = "gitdir:";
       if (dotGit.startsWith(gitDirPrefix)) {
-        gitDir = resolve18(projectRoot, dotGit.slice(gitDirPrefix.length).trim());
+        gitDir = resolve20(projectRoot, dotGit.slice(gitDirPrefix.length).trim());
       }
     } catch {}
-    const head = readFileSync7(resolve18(gitDir, "HEAD"), "utf8").trim();
+    const head = readFileSync9(resolve20(gitDir, "HEAD"), "utf8").trim();
     const refPrefix = "ref:";
     if (!head.startsWith(refPrefix)) {
       return normalizeCommit(head);
     }
     const ref = head.slice(refPrefix.length).trim();
-    const refPath = resolve18(gitDir, ref);
-    if (existsSync11(refPath)) {
-      return normalizeCommit(readFileSync7(refPath, "utf8").trim());
+    const refPath = resolve20(gitDir, ref);
+    if (existsSync13(refPath)) {
+      return normalizeCommit(readFileSync9(refPath, "utf8").trim());
     }
-    const commonDir = normalizeString(readFileSync7(resolve18(gitDir, "commondir"), "utf8"));
-    return commonDir ? normalizeCommit(readFileSync7(resolve18(gitDir, commonDir, ref), "utf8").trim()) : null;
+    const commonDir = normalizeString(readFileSync9(resolve20(gitDir, "commondir"), "utf8"));
+    return commonDir ? normalizeCommit(readFileSync9(resolve20(gitDir, commonDir, ref), "utf8").trim()) : null;
   } catch {
     return null;
   }
@@ -5256,7 +6160,8 @@ function isAuthorizedInspectorStreamRequest(req, authToken) {
 }
 function buildDeploymentStatus(projectRoot) {
   const envCommit = normalizeCommit(process.env.RIG_COMMIT_SHA ?? process.env.GITHUB_SHA ?? process.env.VERCEL_GIT_COMMIT_SHA ?? process.env.RAILWAY_GIT_COMMIT_SHA ?? process.env.COMMIT_SHA);
-  const gitCommit = envCommit ?? readGitHeadCommit(projectRoot);
+  const deploymentRoot = normalizeString(process.env.RIG_HOST_PROJECT_ROOT) ?? projectRoot;
+  const gitCommit = envCommit ?? readGitHeadCommit(deploymentRoot) ?? readGitHeadCommit(projectRoot);
   return {
     currentCommit: gitCommit,
     commitSource: envCommit ? "env" : gitCommit ? "git" : null,
@@ -5274,9 +6179,9 @@ function configuredRepoFromTaskSource(taskSource) {
   const repo = normalizeString(taskSource?.repo);
   return owner && repo ? `${owner}/${repo}` : null;
 }
-async function buildTaskSourceStatus(state, config) {
+async function buildTaskSourceStatus(state, config, requestAuth) {
   const diagnostics = state.snapshotService.getTaskSourceErrors();
-  const selectedRepo = createGitHubAuthStore(state.projectRoot).status({
+  const selectedRepo = requestScopedAuthStore(state.projectRoot, requestAuth).status({
     oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim())
   }).selectedRepo;
   try {
@@ -5329,37 +6234,146 @@ function isLoopbackRequest(req) {
   }
 }
 function isPublicRigAuthBootstrapRoute(pathname) {
-  return pathname === "/" || pathname === "/health" || pathname === "/api/health" || pathname === "/api/github/auth/status" || pathname === "/api/github/auth/token" || pathname === "/api/github/auth/device/start" || pathname === "/api/github/auth/device/poll";
+  return pathname === "/" || pathname === "/install" || pathname === "/health" || pathname === "/api/health" || pathname === "/api/github/auth/status" || pathname === "/api/github/auth/token" || pathname === "/api/github/auth/device/start" || pathname === "/api/github/auth/device/poll";
+}
+function buildRigInstallScript() {
+  return `#!/usr/bin/env bash
+set -euo pipefail
+
+say() {
+  printf 'rig-install: %s
+' "$*"
+}
+
+if ! command -v bun >/dev/null 2>&1; then
+  say "Bun not found; installing Bun first"
+  curl -fsSL https://bun.sh/install | bash
+  export BUN_INSTALL="\${BUN_INSTALL:-$HOME/.bun}"
+  export PATH="$BUN_INSTALL/bin:$PATH"
+fi
+
+if ! command -v bun >/dev/null 2>&1; then
+  printf 'rig-install: bun install completed, but bun is still not on PATH. Add ~/.bun/bin to PATH and retry.
+' >&2
+  exit 1
+fi
+
+say "Installing @h-rig/cli@latest"
+bun add -g --force @h-rig/cli@latest
+
+export BUN_INSTALL="\${BUN_INSTALL:-$HOME/.bun}"
+BUN_RIG="$BUN_INSTALL/bin/rig"
+if [ ! -x "$BUN_RIG" ]; then
+  printf 'rig-install: expected Bun global rig at %s but it was not executable.
+' "$BUN_RIG" >&2
+  exit 1
+fi
+
+USER_BIN="$HOME/.local/bin"
+mkdir -p "$USER_BIN"
+cat > "$USER_BIN/rig" <<'RIG_SHIM'
+#!/usr/bin/env bash
+set -euo pipefail
+exec "\${BUN_INSTALL:-$HOME/.bun}/bin/rig" "$@"
+RIG_SHIM
+chmod +x "$USER_BIN/rig"
+
+export PATH="$USER_BIN:$BUN_INSTALL/bin:$PATH"
+if command -v hash >/dev/null 2>&1; then hash -r; fi
+
+if ! command -v rig >/dev/null 2>&1; then
+  printf 'rig-install: rig installed, but rig is not on PATH. Add %s and %s/bin to PATH and retry.
+' "$USER_BIN" "$BUN_INSTALL" >&2
+  exit 1
+fi
+
+say "Verifying rig"
+"$BUN_RIG" --help >/dev/null
+rig --help >/dev/null
+say "Done. Run: rig --help"
+`;
 }
 function normalizePrMode(value) {
   const mode = normalizeString(value);
   return mode === "auto" || mode === "ask" || mode === "off" ? mode : undefined;
 }
+function requestAuthResult(input) {
+  return {
+    authorized: input.authorized,
+    actor: input.actor ?? null,
+    reason: input.reason,
+    login: input.login ?? null,
+    userId: input.userId ?? null,
+    userNamespace: input.userNamespace ?? null,
+    authStateFile: input.authStateFile ?? null
+  };
+}
+function namespaceFromSessionIndex(entry) {
+  const stateDir2 = dirname15(entry.authStateFile);
+  return {
+    key: entry.namespaceKey,
+    userId: entry.userId,
+    login: entry.login,
+    root: entry.namespaceRoot,
+    stateDir: stateDir2,
+    authStateFile: entry.authStateFile,
+    metadataFile: resolve20(stateDir2, "user-namespace.json"),
+    checkoutBaseDir: entry.checkoutBaseDir,
+    snapshotBaseDir: entry.snapshotBaseDir
+  };
+}
 function authorizeRigHttpRequest(input) {
   if (input.legacyAuthorized) {
-    return { authorized: true, actor: "rig-local-server", reason: "server-token" };
+    return requestAuthResult({ authorized: true, actor: "rig-local-server", reason: "server-token" });
   }
   const bearer = bearerTokenFromRequest(input.req);
   const store = createGitHubAuthStore(input.projectRoot);
   const storedToken = store.readToken();
   const session = bearer ? store.readApiSession(bearer) : null;
   if (session) {
-    return { authorized: true, actor: session.login ?? "github-operator", reason: "github-session" };
+    return requestAuthResult({
+      authorized: true,
+      actor: session.login ?? "github-operator",
+      reason: "github-session",
+      login: session.login,
+      userId: session.userId,
+      authStateFile: store.stateFile
+    });
   }
   if (bearer && storedToken && bearer === storedToken) {
     const status = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
-    return { authorized: true, actor: status.login ?? "github-operator", reason: "github-token" };
+    return requestAuthResult({
+      authorized: true,
+      actor: status.login ?? "github-operator",
+      reason: "github-token",
+      login: status.login,
+      userId: status.userId,
+      authStateFile: store.stateFile
+    });
+  }
+  const indexedSession = readGitHubApiSession({ projectRoot: input.projectRoot, token: bearer });
+  if (indexedSession) {
+    const userNamespace = namespaceFromSessionIndex(indexedSession);
+    return requestAuthResult({
+      authorized: true,
+      actor: indexedSession.login ?? "github-operator",
+      reason: "github-user-session",
+      login: indexedSession.login,
+      userId: indexedSession.userId,
+      userNamespace,
+      authStateFile: indexedSession.authStateFile
+    });
   }
   if (isPublicRigAuthBootstrapRoute(input.pathname)) {
-    return { authorized: true, actor: null, reason: "public-bootstrap" };
+    return requestAuthResult({ authorized: true, actor: null, reason: "public-bootstrap" });
   }
   if (!input.serverAuthToken && !storedToken) {
     if (isLoopbackRequest(input.req)) {
-      return { authorized: true, actor: null, reason: "loopback-dev-no-auth" };
+      return requestAuthResult({ authorized: true, actor: null, reason: "loopback-dev-no-auth" });
     }
-    return { authorized: false, actor: null, reason: "auth-required" };
+    return requestAuthResult({ authorized: false, actor: null, reason: "auth-required" });
   }
-  return { authorized: false, actor: null, reason: storedToken ? "github-token-required" : "auth-required" };
+  return requestAuthResult({ authorized: false, actor: null, reason: storedToken ? "github-token-required" : "auth-required" });
 }
 async function fetchGitHubUserInfo(token) {
   const response = await fetch("https://api.github.com/user", {
@@ -5379,6 +6393,67 @@ async function fetchGitHubUserInfo(token) {
     scopes: cleanHeaderScopes(response.headers.get("x-oauth-scopes"))
   };
 }
+function shouldWriteRootAuthCompat(projectRoot) {
+  if (process.env.RIG_REMOTE_USER_NAMESPACE_ROOT?.trim())
+    return false;
+  const stateDir2 = normalizeString(process.env.RIG_STATE_DIR);
+  if (!stateDir2)
+    return true;
+  return resolve20(stateDir2) === resolve20(projectRoot, ".rig", "state");
+}
+function requestScopedRegistryRoot(stateProjectRoot, requestAuth) {
+  return requestAuth.userNamespace?.root ?? stateProjectRoot;
+}
+function requestScopedAuthStore(stateProjectRoot, requestAuth) {
+  return requestAuth.authStateFile ? createGitHubAuthStoreFromStateFile(requestAuth.authStateFile) : createGitHubAuthStore(stateProjectRoot);
+}
+function userNamespaceResponse(namespace) {
+  return namespace ? serializeRemoteUserNamespace(namespace) : undefined;
+}
+function resolveNamespacedBaseDir(input) {
+  if (input.explicitBaseDir)
+    return input.explicitBaseDir;
+  const envBase = normalizeString(process.env[input.envName]);
+  if (input.userNamespace) {
+    return envBase ? resolve20(envBase, input.userNamespace.key) : input.userNamespace[input.legacySubdir === "remote-checkouts" ? "checkoutBaseDir" : "snapshotBaseDir"];
+  }
+  return envBase ?? (normalizeString(process.env.RIG_STATE_DIR) ? resolve20(normalizeString(process.env.RIG_STATE_DIR), input.legacySubdir) : resolve20(input.legacyProjectRoot, ".rig", input.legacySubdir));
+}
+function explicitCheckoutKey(body, checkoutInput, requestAuth) {
+  return normalizeString(body.checkoutKey) ?? normalizeString(checkoutInput.checkoutKey) ?? normalizeString(checkoutInput.key) ?? (requestAuth.userNamespace ? undefined : "default");
+}
+function saveGitHubTokenForRemoteUser(input) {
+  const namespace = resolveRemoteUserNamespace(input.projectRoot, { userId: input.user.userId, login: input.user.login });
+  writeRemoteUserNamespaceMetadata(namespace);
+  const store = createGitHubAuthStoreFromStateFile(namespace.authStateFile);
+  store.saveToken({
+    token: input.token,
+    tokenSource: input.tokenSource,
+    login: input.user.login,
+    userId: input.user.userId,
+    scopes: input.user.scopes,
+    selectedRepo: input.selectedRepo
+  });
+  const apiSession = store.createApiSession();
+  registerGitHubApiSession({ projectRoot: input.projectRoot, token: apiSession.token, namespace, selectedRepo: input.selectedRepo });
+  const requestedRoot = normalizeString(input.requestedProjectRoot);
+  if (requestedRoot && isAbsolute4(requestedRoot) && existsSync13(resolve20(requestedRoot))) {
+    copyGitHubAuthStateToLocalProjectRoot(namespace.authStateFile, resolve20(requestedRoot));
+  }
+  if (shouldWriteRootAuthCompat(input.projectRoot)) {
+    const rootStore = createGitHubAuthStore(input.projectRoot);
+    rootStore.saveToken({
+      token: input.token,
+      tokenSource: input.tokenSource,
+      login: input.user.login,
+      userId: input.user.userId,
+      scopes: input.user.scopes,
+      selectedRepo: input.selectedRepo
+    });
+    rootStore.createApiSession();
+  }
+  return { store, namespace, apiSessionToken: apiSession.token };
+}
 async function postGitHubForm(endpoint, body) {
   const response = await fetch(endpoint, {
     method: "POST",
@@ -5396,11 +6471,11 @@ function resolveRequestedProjectRoot(currentRoot, rawRoot) {
   const requestedRoot = normalizeString(rawRoot);
   if (!requestedRoot)
     return currentRoot;
-  if (!isAbsolute3(requestedRoot)) {
+  if (!isAbsolute4(requestedRoot)) {
     throw new Error("projectRoot must be an absolute path on the Rig server host");
   }
-  const normalizedRoot = resolve18(requestedRoot);
-  if (!existsSync11(normalizedRoot)) {
+  const normalizedRoot = resolve20(requestedRoot);
+  if (!existsSync13(normalizedRoot)) {
     throw new Error("projectRoot does not exist on the Rig server host");
   }
   return normalizedRoot;
@@ -5676,7 +6751,7 @@ function redactSecretFields(value) {
   return redacted;
 }
 function validateRemoteLease(deps, state, input) {
-  const run = readAuthorityRun6(state.projectRoot, input.runId);
+  const run = readAuthorityRun7(state.projectRoot, input.runId);
   if (!run) {
     return { ok: false, response: deps.jsonResponse({ ok: false, error: "Remote run not found" }, 404) };
   }
@@ -5696,6 +6771,43 @@ function createRigServerFetch(state, deps) {
     return deps.withServerPathEnv(state.projectRoot, async () => {
       const browserOrigin = deps.resolveAllowedBrowserOrigin(req);
       const finalizeResponse = (response) => deps.withCorsHeaders(response, req, browserOrigin);
+      const earlyUrl = new URL(req.url);
+      const piEventsWsMatch = earlyUrl.pathname.match(/^\/api\/runs\/([^/]+)\/pi\/events$/);
+      if (piEventsWsMatch && req.headers.get("upgrade")?.toLowerCase() === "websocket") {
+        const queryToken = earlyUrl.searchParams.get("token");
+        const authHeaders = new Headers(req.headers);
+        if (queryToken && !authHeaders.has("authorization")) {
+          authHeaders.set("authorization", `Bearer ${queryToken}`);
+        }
+        const legacyAuthorized = Boolean(state.authToken && queryToken === state.authToken);
+        const requestAuth = authorizeRigHttpRequest({
+          req: new Request(req.url, { method: req.method, headers: authHeaders }),
+          pathname: earlyUrl.pathname,
+          projectRoot: state.projectRoot,
+          serverAuthToken: state.authToken,
+          legacyAuthorized
+        });
+        if (!requestAuth.authorized) {
+          return deps.jsonResponse({ ok: false, error: "Unauthorized WebSocket connection", reason: requestAuth.reason }, 401);
+        }
+        const runId = decodeURIComponent(piEventsWsMatch[1]);
+        const resolved = resolveRunPiSessionProxy(state.projectRoot, runId);
+        if (resolved === null)
+          return deps.jsonResponse({ ok: false, error: "Run not found" }, 404);
+        if ("pending" in resolved)
+          return deps.jsonResponse({ ready: false, runId, status: resolved.status, retryAfterMs: 500 }, 202);
+        if (!server)
+          return deps.jsonResponse({ ok: false, error: "WebSocket upgrade unavailable" }, 400);
+        const upgraded = server.upgrade(req, {
+          data: {
+            kind: "pi-session-proxy",
+            connectedAt: new Date().toISOString(),
+            upstreamUrl: buildRunPiDaemonWebSocketUrl(resolved),
+            runId
+          }
+        });
+        return upgraded ? new Response(null) : deps.jsonResponse({ ok: false, error: "WebSocket upgrade failed" }, 400);
+      }
       const upgradeResponse = handleWebSocketUpgrade({
         req,
         server,
@@ -5733,6 +6845,13 @@ function createRigServerFetch(state, deps) {
             notifications: state.targets.length
           });
         }
+        if (url.pathname === "/install" && req.method === "GET") {
+          return new Response(buildRigInstallScript(), {
+            headers: {
+              "Content-Type": "text/x-shellscript; charset=utf-8"
+            }
+          });
+        }
         const isLinearWebhook = url.pathname === "/api/linear/webhook" && req.method === "POST";
         const isInspectorStream = url.pathname === "/api/inspector/stream" && req.method === "GET";
         const legacyAuthorizedHttpRequest = Boolean(state.authToken) && (isInspectorStream && isAuthorizedInspectorStreamRequest(req, state.authToken) ? true : deps.isAuthorizedHttpRequest(req, state.authToken));
@@ -5945,16 +7064,12 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (!source) {
             return deps.badRequest("No task source is configured");
           }
+          if (!source.updateTask && !(update.status && source.updateStatus)) {
+            return deps.badRequest("Configured task source does not support updates");
+          }
           const taskBeforeUpdate = source.get ? await source.get(id).catch(() => {
             return;
           }) : (await deps.snapshotService.getWorkspaceTasks().catch(() => [])).find((task) => task.id === id);
-          if (source.updateTask) {
-            await source.updateTask(id, update);
-          } else if (update.status && source.updateStatus) {
-            await source.updateStatus(id, update.status);
-          } else {
-            return deps.badRequest("Configured task source does not support updates");
-          }
           const issueNodeId = normalizeString(body.issueNodeId) ?? extractGitHubIssueNodeId(taskBeforeUpdate);
           const projectSync = update.status ? await syncGitHubProjectStatusForTaskUpdate({
             taskId: id,
@@ -5963,6 +7078,35 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             token: createGitHubAuthStore(state.projectRoot).readToken(),
             config: ctx?.config
           }).catch((error) => ({ synced: false, reason: `error:${error instanceof Error ? error.message : String(error)}` })) : { synced: false, reason: "missing-status" };
+          if (update.status && githubProjectsEnabled2(ctx?.config) && projectSync.synced === false) {
+            return deps.jsonResponse({ ok: false, id, projectSync, error: `GitHub Project status sync failed: ${String(projectSync.reason)}` }, 502);
+          }
+          try {
+            if (source.updateTask) {
+              await source.updateTask(id, update);
+            } else if (update.status && source.updateStatus) {
+              await source.updateStatus(id, update.status);
+            }
+          } catch (error) {
+            let rollback = null;
+            const previousStatus = normalizeString(taskBeforeUpdate?.status) ?? normalizeString(taskBeforeUpdate?.sourceStatus);
+            if (update.status && previousStatus && githubProjectsEnabled2(ctx?.config) && projectSync.synced !== false) {
+              rollback = await syncGitHubProjectStatusForTaskUpdate({
+                taskId: id,
+                status: previousStatus,
+                issueNodeId,
+                token: createGitHubAuthStore(state.projectRoot).readToken(),
+                config: ctx?.config
+              }).catch((rollbackError) => ({ synced: false, reason: `rollback-error:${rollbackError instanceof Error ? rollbackError.message : String(rollbackError)}` }));
+            }
+            return deps.jsonResponse({
+              ok: false,
+              id,
+              projectSync,
+              rollback,
+              error: `Task source update failed: ${error instanceof Error ? error.message : String(error)}`
+            }, 502);
+          }
           deps.snapshotService.invalidate("github-issue-updated");
           await state.taskProjectionReconciler?.tick("github-issue-updated").catch(() => {
             return;
@@ -5971,25 +7115,40 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           return deps.jsonResponse({ ok: true, id, projectSync });
         }
         if (url.pathname === "/api/workspace/task-labels") {
+          const ctx = await getCachedPluginHostContext(state.projectRoot).catch(() => null);
+          if (url.searchParams.get("ensure") === "1" || req.method === "POST") {
+            return deps.jsonResponse(await ensureGitHubLifecycleLabels(state.projectRoot, ctx?.config));
+          }
           return deps.jsonResponse({
             ok: true,
             ready: true,
             labelsReady: true,
-            labels: [
-              "ready",
-              "blocked",
-              "in-progress",
-              "under-review",
-              "failed",
-              "cancelled",
-              "rig:running",
-              "rig:pr-open",
-              "rig:ci-fixing",
-              "rig:done",
-              "rig:needs-attention"
-            ],
-            note: "GitHub issue lifecycle labels are created on demand by the configured task source when supported."
+            labels: [...RIG_GITHUB_LIFECYCLE_LABELS],
+            note: "Lifecycle labels are required during init; call POST /api/workspace/task-labels or ?ensure=1 to proactively create them."
+          });
+        }
+        if (url.pathname === "/api/github/projects" && req.method === "GET") {
+          const owner = normalizeString(url.searchParams.get("owner"));
+          if (!owner)
+            return deps.badRequest("owner is required");
+          const token = createGitHubAuthStore(state.projectRoot).readToken();
+          if (!token)
+            return deps.jsonResponse({ ok: false, error: "missing-token", projects: [] }, 401);
+          const projects = await listGitHubProjects({ owner, token }).catch((error) => {
+            throw new Error(error instanceof Error ? error.message : String(error));
+          });
+          return deps.jsonResponse({ ok: true, projects });
+        }
+        const projectStatusMatch = url.pathname.match(/^\/api\/github\/projects\/([^/]+)\/status-field$/);
+        if (projectStatusMatch && req.method === "GET") {
+          const projectId = decodeURIComponent(projectStatusMatch[1]);
+          const token = createGitHubAuthStore(state.projectRoot).readToken();
+          if (!token)
+            return deps.jsonResponse({ ok: false, error: "missing-token" }, 401);
+          const field = await resolveProjectStatusField({ projectId, token }).catch((error) => {
+            throw new Error(error instanceof Error ? error.message : String(error));
           });
+          return deps.jsonResponse({ ok: true, field });
         }
         if (url.pathname === "/api/workspace/issue-analysis/run" && req.method === "POST") {
           const body = await deps.readJsonBody(req);
@@ -6054,7 +7213,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
         }
         if (url.pathname === "/api/server/status") {
           const config = buildProjectConfigStatus(state.projectRoot);
-          const taskSource = await buildTaskSourceStatus(state, config);
+          const taskSource = await buildTaskSourceStatus(state, config, requestAuth);
           return deps.jsonResponse({
             ok: true,
             projectRoot: state.projectRoot,
@@ -6078,8 +7237,9 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             path: normalizeString(rawCheckout?.path) ?? state.projectRoot,
             ref: normalizeString(rawCheckout?.ref) ?? undefined
           } : undefined;
-          const record = upsertProjectRecord(state.projectRoot, { repoSlug, checkout });
-          return deps.jsonResponse({ ok: true, project: record });
+          const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+          const record = upsertProjectRecord(registryRoot, { repoSlug, checkout });
+          return deps.jsonResponse({ ok: true, project: record, userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
         }
         const snapshotUploadMatch = url.pathname.match(/^\/api\/projects\/(.+?)\/upload-snapshot$/);
         if (snapshotUploadMatch && req.method === "POST") {
@@ -6092,8 +7252,15 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (!archiveContentBase64) {
             return deps.badRequest("archiveContentBase64 is required");
           }
-          const baseDir = normalizeString(body.baseDir) ?? normalizeString(process.env.RIG_REMOTE_SNAPSHOT_BASE_DIR) ?? (normalizeString(process.env.RIG_STATE_DIR) ? resolve18(normalizeString(process.env.RIG_STATE_DIR), "remote-snapshots") : resolve18(state.projectRoot, ".rig", "remote-snapshots"));
-          const checkoutKey = normalizeString(body.checkoutKey) ?? "default";
+          const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+          const baseDir = resolveNamespacedBaseDir({
+            explicitBaseDir: normalizeString(body.baseDir),
+            envName: "RIG_REMOTE_SNAPSHOT_BASE_DIR",
+            userNamespace: requestAuth.userNamespace,
+            legacyProjectRoot: state.projectRoot,
+            legacySubdir: "remote-snapshots"
+          });
+          const checkoutKey = explicitCheckoutKey(body, body, requestAuth);
           try {
             const archive = parseSnapshotArchiveContentBase64(archiveContentBase64);
             const checkout = extractUploadedSnapshotArchive({
@@ -6106,14 +7273,14 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             const checkoutRepair = repairRemoteCheckoutForRig(checkout.path, repoSlug);
             const packageInstall = installRemoteCheckoutPackages(checkout.path);
             const postInstallConfigValidation = validateRemoteCheckoutRigConfig(checkout.path);
-            const project = linkProjectCheckout(state.projectRoot, repoSlug, {
+            const project = linkProjectCheckout(registryRoot, repoSlug, {
               kind: "uploaded-snapshot",
               path: checkout.path,
               ref: checkout.snapshotId
             });
             deps.snapshotService.invalidate("uploaded-snapshot-checkout");
             deps.broadcastSnapshotInvalidation(state, "uploaded-snapshot-checkout");
-            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation });
+            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation, userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
           } catch (error) {
             return deps.jsonResponse({
               ok: false,
@@ -6133,10 +7300,17 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (kind !== "managed-clone" && kind !== "current-ref" && kind !== "existing-path") {
             return deps.jsonResponse({ ok: false, error: "checkout kind must be managed-clone, current-ref, or existing-path" }, 400);
           }
-          const baseDir = normalizeString(body.baseDir) ?? normalizeString(checkoutInput.baseDir) ?? normalizeString(process.env.RIG_REMOTE_CHECKOUT_BASE_DIR) ?? (normalizeString(process.env.RIG_STATE_DIR) ? resolve18(normalizeString(process.env.RIG_STATE_DIR), "remote-checkouts") : resolve18(state.projectRoot, ".rig", "remote-checkouts"));
-          const checkoutKey = normalizeString(body.checkoutKey) ?? normalizeString(checkoutInput.checkoutKey) ?? normalizeString(checkoutInput.key) ?? "default";
+          const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+          const baseDir = resolveNamespacedBaseDir({
+            explicitBaseDir: normalizeString(body.baseDir) ?? normalizeString(checkoutInput.baseDir),
+            envName: "RIG_REMOTE_CHECKOUT_BASE_DIR",
+            userNamespace: requestAuth.userNamespace,
+            legacyProjectRoot: state.projectRoot,
+            legacySubdir: "remote-checkouts"
+          });
+          const checkoutKey = explicitCheckoutKey(body, checkoutInput, requestAuth);
           const repoUrl = normalizeString(body.repoUrl) ?? normalizeString(checkoutInput.repoUrl) ?? `https://github.com/${repoSlug}.git`;
-          const credentialToken = createGitHubAuthStore(state.projectRoot).readToken();
+          const credentialToken = requestScopedAuthStore(state.projectRoot, requestAuth).readToken();
           try {
             const checkout = await prepareRemoteCheckout({
               command: runRemoteCheckoutCommand,
@@ -6145,14 +7319,14 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             const checkoutRepair = repairRemoteCheckoutForRig(checkout.path, repoSlug);
             const packageInstall = installRemoteCheckoutPackages(checkout.path);
             const postInstallConfigValidation = validateRemoteCheckoutRigConfig(checkout.path);
-            const project = linkProjectCheckout(state.projectRoot, repoSlug, {
+            const project = linkProjectCheckout(registryRoot, repoSlug, {
               kind: checkout.kind,
               path: checkout.path,
               ref: checkout.ref ?? checkout.snapshotId ?? undefined
             });
             deps.snapshotService.invalidate("remote-checkout-prepared");
             deps.broadcastSnapshotInvalidation(state, "remote-checkout-prepared");
-            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation });
+            return deps.jsonResponse({ ok: true, checkout, project, checkoutRepair, packageInstall, postInstallConfigValidation, userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
           } catch (error) {
             return deps.jsonResponse({ ok: false, error: error instanceof Error ? error.message : String(error) }, 400);
           }
@@ -6169,16 +7343,18 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             if (kind !== "local" && kind !== "managed-clone" && kind !== "current-ref" && kind !== "uploaded-snapshot" && kind !== "existing-path") {
               return deps.jsonResponse({ ok: false, error: "checkout kind is required" }, 400);
             }
-            const project = linkProjectCheckout(state.projectRoot, repoSlug, {
+            const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+            const project = linkProjectCheckout(registryRoot, repoSlug, {
               kind,
               path: normalizeString(body.path) ?? state.projectRoot,
               ref: normalizeString(body.ref) ?? undefined
             });
-            return deps.jsonResponse({ ok: true, project });
+            return deps.jsonResponse({ ok: true, project, userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
           }
           if (req.method === "GET") {
-            const project = getProjectRecord(state.projectRoot, repoSlug);
-            return project ? deps.jsonResponse({ ok: true, project }) : deps.notFound();
+            const registryRoot = requestScopedRegistryRoot(state.projectRoot, requestAuth);
+            const project = getProjectRecord(registryRoot, repoSlug);
+            return project ? deps.jsonResponse({ ok: true, project, userNamespace: userNamespaceResponse(requestAuth.userNamespace) }) : deps.notFound();
           }
         }
         if (url.pathname === "/api/server/project-root" && req.method === "POST") {
@@ -6187,13 +7363,26 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (!requestedRoot) {
             return deps.badRequest("projectRoot is required");
           }
-          if (!isAbsolute3(requestedRoot)) {
+          if (!isAbsolute4(requestedRoot)) {
             return deps.badRequest("projectRoot must be an absolute path on the Rig server host");
           }
-          const normalizedRoot = resolve18(requestedRoot);
-          const exists = existsSync11(normalizedRoot);
-          if (exists) {
-            createGitHubAuthStore(state.projectRoot).copyToProjectRoot(normalizedRoot);
+          const normalizedRoot = resolve20(requestedRoot);
+          const exists = existsSync13(normalizedRoot);
+          if (exists && requestAuth.userNamespace) {
+            const allowedByNamespace = isPathInsideNamespace(requestAuth.userNamespace.root, normalizedRoot);
+            const allowedByRegistry = projectRegistryContainsCheckout(requestAuth.userNamespace.root, normalizedRoot);
+            if (!allowedByNamespace && !allowedByRegistry) {
+              return deps.jsonResponse({
+                ok: false,
+                error: "Requested project root is outside the authenticated GitHub user namespace.",
+                projectRoot: state.projectRoot,
+                requestedProjectRoot: normalizedRoot,
+                userNamespace: userNamespaceResponse(requestAuth.userNamespace)
+              }, 403);
+            }
+            copyGitHubAuthStateToLocalProjectRoot(requestAuth.userNamespace.authStateFile, normalizedRoot);
+          } else if (exists) {
+            createGitHubAuthStore(state.projectRoot).copyToLocalProjectRoot(normalizedRoot);
           }
           const control = buildServerControlStatus();
           const switchCommand = process.env.RIG_PROJECT_ROOT_SWITCH_COMMAND?.trim();
@@ -6208,7 +7397,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
               message: "Requested project root does not exist on the Rig server host."
             }, 404);
           }
-          if (!existsSync11(resolve18(normalizedRoot, "rig.config.ts")) && !existsSync11(resolve18(normalizedRoot, "rig.config.json"))) {
+          if (!existsSync13(resolve20(normalizedRoot, "rig.config.ts")) && !existsSync13(resolve20(normalizedRoot, "rig.config.json"))) {
             return deps.jsonResponse({
               ok: false,
               projectRoot: state.projectRoot,
@@ -6243,6 +7432,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
               exists,
               control,
               requiresRestart: false,
+              userNamespace: userNamespaceResponse(requestAuth.userNamespace),
               message: "Project-root switch accepted. Rig server restart has been scheduled."
             }, 202);
           }
@@ -6257,11 +7447,11 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }, 409);
         }
         if (url.pathname === "/api/github/auth/status") {
-          const store = createGitHubAuthStore(state.projectRoot);
-          return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }) });
+          const store = requestScopedAuthStore(state.projectRoot, requestAuth);
+          return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }), userNamespace: userNamespaceResponse(requestAuth.userNamespace) });
         }
         if (url.pathname === "/api/github/repo/permissions") {
-          const store = createGitHubAuthStore(state.projectRoot);
+          const store = requestScopedAuthStore(state.projectRoot, requestAuth);
           const auth = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
           if (!auth.signedIn) {
             return deps.jsonResponse({ ok: false, signedIn: false, canOpenPullRequest: false, reason: "not-authenticated" }, 401);
@@ -6289,24 +7479,20 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }
           try {
             const user = await fetchGitHubUserInfo(token);
-            const storeRoots = [
-              state.projectRoot,
-              ...requestedProjectRoot && isAbsolute3(requestedProjectRoot) && existsSync11(resolve18(requestedProjectRoot)) ? [resolve18(requestedProjectRoot)] : []
-            ].filter((root, index, roots) => roots.indexOf(root) === index);
-            const stores = storeRoots.map((root) => createGitHubAuthStore(root));
-            for (const store2 of stores) {
-              store2.saveToken({
-                token,
-                tokenSource: "manual-token",
-                login: user.login,
-                userId: user.userId,
-                scopes: user.scopes,
-                selectedRepo
-              });
-            }
-            const store = stores[stores.length - 1] ?? createGitHubAuthStore(state.projectRoot);
-            const apiSession = store.createApiSession();
-            return deps.jsonResponse({ ok: true, ...store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }), apiSessionToken: apiSession.token });
+            const saved = saveGitHubTokenForRemoteUser({
+              projectRoot: state.projectRoot,
+              token,
+              tokenSource: "manual-token",
+              user,
+              selectedRepo,
+              requestedProjectRoot
+            });
+            return deps.jsonResponse({
+              ok: true,
+              ...saved.store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) }),
+              apiSessionToken: saved.apiSessionToken,
+              userNamespace: userNamespaceResponse(saved.namespace)
+            });
           } catch (error) {
             const message = error instanceof Error ? error.message : String(error);
             return deps.jsonResponse({ ok: false, error: message }, 400);
@@ -6373,9 +7559,21 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }
           const token = result.payload.access_token;
           const user = await fetchGitHubUserInfo(token);
-          store.saveToken({ token, tokenSource: "oauth-device", login: user.login, userId: user.userId, scopes: user.scopes });
-          const apiSession = store.createApiSession();
-          return deps.jsonResponse({ ok: true, status: "signed-in", ...store.status({ oauthConfigured: true }), apiSessionToken: apiSession.token });
+          const saved = saveGitHubTokenForRemoteUser({
+            projectRoot: state.projectRoot,
+            token,
+            tokenSource: "oauth-device",
+            user,
+            selectedRepo: null
+          });
+          store.clearPendingDevice(pollId);
+          return deps.jsonResponse({
+            ok: true,
+            status: "signed-in",
+            ...saved.store.status({ oauthConfigured: true }),
+            apiSessionToken: saved.apiSessionToken,
+            userNamespace: userNamespaceResponse(saved.namespace)
+          });
         }
         if (url.pathname === "/api/github/repo/probe" && req.method === "POST") {
           const body = await deps.readJsonBody(req);
@@ -6384,7 +7582,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           if (!owner || !repo) {
             return deps.badRequest("owner and repo are required");
           }
-          const store = createGitHubAuthStore(state.projectRoot);
+          const store = requestScopedAuthStore(state.projectRoot, requestAuth);
           const authStatus = store.status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
           const probe = await probeGitHubRepository({ owner, repo, token: store.readToken(), scopes: authStatus.scopes });
           return deps.jsonResponse({ ok: probe.ok, probe }, probe.ok ? 200 : 400);
@@ -6405,7 +7603,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             return deps.badRequest(error instanceof Error ? error.message : String(error));
           }
           const authStatus = createGitHubAuthStore(state.projectRoot).status({ oauthConfigured: Boolean(process.env.RIG_GITHUB_OAUTH_CLIENT_ID?.trim()) });
-          const configPath = resolve18(targetRoot, "rig.config.ts");
+          const configPath = resolve20(targetRoot, "rig.config.ts");
           const source = buildGitHubProjectConfigSource({
             projectName: rawProjectName,
             owner,
@@ -6417,8 +7615,8 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             ok: true,
             projectRoot: targetRoot,
             configPath,
-            exists: existsSync11(configPath),
-            requiresOverwrite: existsSync11(configPath),
+            exists: existsSync13(configPath),
+            requiresOverwrite: existsSync13(configPath),
             source,
             owner,
             repo,
@@ -6454,8 +7652,8 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             assignee,
             githubUserId: authStatus.userId ?? authStatus.login
           });
-          const configPath = resolve18(targetRoot, "rig.config.ts");
-          if (existsSync11(configPath) && !overwrite) {
+          const configPath = resolve20(targetRoot, "rig.config.ts");
+          if (existsSync13(configPath) && !overwrite) {
             return deps.jsonResponse({
               ok: false,
               error: "rig.config.ts already exists. Confirm overwrite to replace it; Rig will create a backup first.",
@@ -6471,11 +7669,11 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             return deps.jsonResponse({ ok: false, error: repoProbe.message, repoProbe }, 400);
           }
           let backupPath = null;
-          if (existsSync11(configPath)) {
+          if (existsSync13(configPath)) {
             backupPath = backupConfigPath(configPath);
-            copyFileSync(configPath, backupPath);
+            copyFileSync2(configPath, backupPath);
           }
-          writeFileSync10(configPath, source, "utf8");
+          writeFileSync12(configPath, source, "utf8");
           const selectedRepo = `${owner}/${repo}`;
           store.saveSelectedRepo(selectedRepo);
           const targetStore = createGitHubAuthStore(targetRoot);
@@ -6747,11 +7945,12 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           const runId = normalizeString(body.runId);
           const createdAt = normalizeString(body.createdAt) ?? new Date().toISOString();
           const promptOverride = normalizeString(body.promptOverride);
+          const restart = body.restart === true;
           if (!runId) {
             return deps.badRequest("runId is required");
           }
           try {
-            await deps.resumeRunRecord(state, { runId, createdAt, promptOverride });
+            await deps.resumeRunRecord(state, { runId, createdAt, promptOverride, restart });
             deps.broadcastSnapshotInvalidation(state);
             return deps.jsonResponse({ ok: true, runId, createdAt });
           } catch (error) {
@@ -6760,7 +7959,7 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
         }
         if (url.pathname === "/api/pi-rig/install" && req.method === "POST") {
           const configuredPackageSource = normalizeString(process.env.RIG_PI_RIG_PACKAGE_SOURCE);
-          const packageSource = configuredPackageSource ?? [process.env.RIG_HOST_PROJECT_ROOT, process.cwd(), state.projectRoot].map((root) => normalizeString(root)).filter((root) => Boolean(root)).map((root) => resolve18(root, "packages", "pi-rig")).find((candidate) => existsSync11(resolve18(candidate, "package.json"))) ?? "npm:@rig/pi-rig";
+          const packageSource = configuredPackageSource ?? [process.env.RIG_HOST_PROJECT_ROOT, process.cwd(), state.projectRoot].map((root) => normalizeString(root)).filter((root) => Boolean(root)).map((root) => resolve20(root, "packages", "pi-rig")).find((candidate) => existsSync13(resolve20(candidate, "package.json"))) ?? "npm:@h-rig/pi-rig";
           if (process.env.RIG_TEST_FAKE_PI_INSTALL === "1") {
             return deps.jsonResponse({ ok: true, installed: true, piOk: true, piRigOk: true, extensionPath: "remote:~/.pi/agent/extensions/pi-rig", packageSource });
           }
@@ -7076,9 +8275,9 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           } catch {
             return deps.badRequest("Invalid artifact path");
           }
-          mkdirSync11(dirname12(artifactPath), { recursive: true });
+          mkdirSync13(dirname15(artifactPath), { recursive: true });
           const bytes = Buffer.from(contentBase64, "base64");
-          writeFileSync10(artifactPath, bytes);
+          writeFileSync12(artifactPath, bytes);
           writeJsonFile4(`${artifactPath}.json`, {
             workspaceId: normalizeString(body.workspaceId) ?? RIG_WORKSPACE_ID,
             runId,
@@ -7115,13 +8314,75 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           }
           const run = leaseValidation.run;
           const completedAt = new Date().toISOString();
+          const workspaceDir = normalizeString(body.workspaceDir) ?? normalizeString(body.runtimeWorkspace) ?? normalizeString(run.worktreePath);
+          if (run.taskId && workspaceDir) {
+            patchRunRecord(state.projectRoot, runId, {
+              status: "reviewing",
+              completedAt: null,
+              hostId,
+              endpointId: leaseId,
+              worktreePath: workspaceDir,
+              serverCloseout: {
+                status: "pending",
+                phase: "queued",
+                requestedAt: completedAt,
+                updatedAt: completedAt,
+                runtimeWorkspace: workspaceDir,
+                branch: normalizeString(body.branch) ?? normalizeString(run.branch) ?? `rig/${run.taskId}-${runId}`,
+                taskId: run.taskId,
+                source: "remote-complete"
+              }
+            });
+            deps.appendRunLogEntryAndBroadcast(state, runId, {
+              id: `log:${runId}:remote-server-closeout-requested`,
+              title: "Server-owned closeout requested",
+              detail: "Remote run completed provider work and handed commit/PR/review/merge closeout to the Rig server.",
+              tone: "info",
+              status: "reviewing",
+              createdAt: completedAt,
+              payload: { workspaceDir, hostId, leaseId }
+            }, "remote-server-closeout-requested");
+            deps.runServerOwnedPrCloseout(state, runId).catch((error) => {
+              const detail = error instanceof Error ? error.message : String(error);
+              patchRunRecord(state.projectRoot, runId, {
+                status: "failed",
+                completedAt: new Date().toISOString(),
+                errorText: detail,
+                serverCloseout: {
+                  status: "failed",
+                  phase: "failed",
+                  updatedAt: new Date().toISOString(),
+                  error: detail
+                }
+              });
+              deps.appendRunLogEntryAndBroadcast(state, runId, {
+                id: `log:${runId}:remote-server-closeout-failed`,
+                title: "Server-owned closeout failed",
+                detail,
+                tone: "error",
+                status: "failed",
+                createdAt: new Date().toISOString()
+              }, "remote-server-closeout-failed");
+            }).finally(() => {
+              deps.reconcileScheduler(state, "remote-server-closeout-terminal");
+            });
+            deps.broadcastSnapshotInvalidation(state);
+            return deps.jsonResponse({
+              ok: true,
+              workspaceId: normalizeString(body.workspaceId) ?? RIG_WORKSPACE_ID,
+              hostId,
+              runId,
+              leaseId,
+              closeout: "server-owned",
+              acceptedAt: new Date().toISOString()
+            });
+          }
           patchRunRecord(state.projectRoot, runId, {
             status: "completed",
             completedAt,
             hostId,
             endpointId: leaseId
           });
-          await updateRemoteRunTaskSourceLifecycle(state.projectRoot, { ...run, status: "completed", completedAt, hostId, endpointId: leaseId }, "closed", "Remote Rig task run completed and closed this task.");
           await deps.enqueueRunLinearEvent(state.projectRoot, {
             type: "run.completed",
             runId,
@@ -7240,12 +8501,12 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           try {
             const runsRoot = resolveAuthorityPaths(state.projectRoot).runsDir;
             const runRoot = deps.normalizeRelativePath(runsRoot, runId);
-            const artifactsRoot = resolve18(runRoot, "remote-artifacts");
+            const artifactsRoot = resolve20(runRoot, "remote-artifacts");
             artifactPath = deps.normalizeRelativePath(artifactsRoot, fileName);
           } catch {
             return deps.badRequest("Invalid artifact path");
           }
-          if (!existsSync11(artifactPath)) {
+          if (!existsSync13(artifactPath)) {
             return deps.notFound();
           }
           return new Response(Bun.file(artifactPath));
@@ -7258,6 +8519,14 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
           const page = await readRunLogsPage(state.projectRoot, runId, { limit, cursor });
           return deps.jsonResponse(page);
         }
+        const runTimelineMatch = url.pathname.match(/^\/api\/runs\/([^/]+)\/timeline$/);
+        if (runTimelineMatch) {
+          const runId = decodeURIComponent(runTimelineMatch[1]);
+          const limit = Number.parseInt(url.searchParams.get("limit") || "500", 10);
+          const cursor = normalizeString(url.searchParams.get("cursor"));
+          const page = await readRunTimelinePage(state.projectRoot, runId, { limit, cursor });
+          return deps.jsonResponse(page);
+        }
         const runSteerMatch = url.pathname.match(/^\/api\/runs\/([^/]+)\/steer$/);
         if (runSteerMatch && req.method === "POST") {
           const runId = decodeURIComponent(runSteerMatch[1]);
@@ -7277,6 +8546,49 @@ data: ${JSON.stringify({ connectedAt: new Date().toISOString() })}
             return deps.jsonResponse({ ok: false, error: error instanceof Error ? error.message : String(error) }, 404);
           }
         }
+        const runPiMatch = url.pathname.match(/^\/api\/runs\/([^/]+)\/pi(?:\/(.*))?$/);
+        if (runPiMatch) {
+          const runId = decodeURIComponent(runPiMatch[1]);
+          const action = runPiMatch[2] || "";
+          const resolved = resolveRunPiSessionProxy(state.projectRoot, runId);
+          if (resolved === null)
+            return deps.notFound();
+          if ("pending" in resolved) {
+            if (action === "" && req.method === "GET") {
+              return deps.jsonResponse({ ready: false, runId, status: resolved.status, retryAfterMs: 500 }, 202);
+            }
+            return deps.jsonResponse({ ready: false, runId, status: resolved.status, retryAfterMs: 500, error: "Pi session is not ready" }, 409);
+          }
+          if (action === "" && req.method === "GET")
+            return deps.jsonResponse({ ready: true, metadata: resolved.metadata });
+          const body = req.method === "GET" ? undefined : await deps.readJsonBody(req);
+          const sessionPath = `/sessions/${encodeURIComponent(resolved.sessionId)}`;
+          const daemonPath = (() => {
+            if (action === "messages" && req.method === "GET")
+              return `${sessionPath}/messages`;
+            if (action === "status" && req.method === "GET")
+              return `${sessionPath}/status`;
+            if (action === "commands" && req.method === "GET")
+              return `${sessionPath}/commands`;
+            if (action === "prompt" && req.method === "POST")
+              return `${sessionPath}/prompt`;
+            if (action === "shell" && req.method === "POST")
+              return `${sessionPath}/shell`;
+            if (action === "commands/run" && req.method === "POST")
+              return `${sessionPath}/commands/run`;
+            if (action === "commands/respond" && req.method === "POST")
+              return `${sessionPath}/commands/respond`;
+            if (action === "extension-ui/respond" && req.method === "POST")
+              return `${sessionPath}/extension-ui/respond`;
+            if (action === "abort" && req.method === "POST")
+              return `${sessionPath}/abort`;
+            return null;
+          })();
+          if (!daemonPath)
+            return deps.notFound();
+          const proxied = await proxyRunPiHttp(state.projectRoot, runId, { method: req.method, daemonPath, body });
+          return deps.jsonResponse(proxied.payload, proxied.status);
+        }
         const runSteeringAckMatch = url.pathname.match(/^\/api\/runs\/([^/]+)\/steering\/ack$/);
         if (runSteeringAckMatch && req.method === "POST") {
           const runId = decodeURIComponent(runSteeringAckMatch[1]);
@@ -7399,7 +8711,7 @@ import {
   RemoteWsClient as RemoteWsClient2
 } from "@rig/runtime/control-plane/remote";
 import { deleteRunState } from "@rig/runtime/control-plane/native/run-ops";
-import { readAuthorityRun as readAuthorityRun7 } from "@rig/runtime/control-plane/authority-files";
+import { readAuthorityRun as readAuthorityRun8 } from "@rig/runtime/control-plane/authority-files";
 function redactRemoteEndpoint2(endpoint) {
   const { token, ...rest } = endpoint;
   return {
@@ -7613,7 +8925,7 @@ async function routeWebSocketRequest(state, deps, request) {
         if (!runId || !messageId || text === null) {
           throw new Error("runId, messageId, and text are required");
         }
-        const run = readAuthorityRun7(state.projectRoot, runId);
+        const run = readAuthorityRun8(state.projectRoot, runId);
         if (!run) {
           throw new Error(`Run not found: ${runId}`);
         }
@@ -8138,8 +9450,8 @@ async function routeWebSocketRequest(state, deps, request) {
 }
 
 // packages/server/src/server-helpers/inspector-jobs.ts
-import { existsSync as existsSync15, mkdirSync as mkdirSync14, readFileSync as readFileSync10, writeFileSync as writeFileSync13 } from "fs";
-import { dirname as dirname15, resolve as resolve21 } from "path";
+import { existsSync as existsSync17, mkdirSync as mkdirSync16, readFileSync as readFileSync12, writeFileSync as writeFileSync15 } from "fs";
+import { dirname as dirname18, resolve as resolve23 } from "path";
 import { readJsonFile as readJsonFile3 } from "@rig/runtime/control-plane/authority-files";
 import { resolveMonorepoRoot as resolveMonorepoRoot5 } from "@rig/runtime/control-plane/native/utils";
 import { normalizeTaskLifecycleStatus as normalizeTaskLifecycleStatus2 } from "@rig/runtime/control-plane/state-sync/types";
@@ -8247,8 +9559,8 @@ import { randomUUID as randomUUID3 } from "crypto";
 
 // packages/server/src/inspector/mission.ts
 import { randomUUID as randomUUID2 } from "crypto";
-import { appendFileSync, existsSync as existsSync12, mkdirSync as mkdirSync12, readFileSync as readFileSync8, readdirSync as readdirSync4, renameSync, writeFileSync as writeFileSync11 } from "fs";
-import { dirname as dirname13, join, resolve as resolve19 } from "path";
+import { appendFileSync, existsSync as existsSync14, mkdirSync as mkdirSync14, readFileSync as readFileSync10, readdirSync as readdirSync4, renameSync, writeFileSync as writeFileSync13 } from "fs";
+import { dirname as dirname16, join, resolve as resolve21 } from "path";
 function isJsonValue(value) {
   if (value === null)
     return true;
@@ -8288,7 +9600,7 @@ function isRecord2(value) {
 }
 function readJsonRecord(path) {
   try {
-    const parsed = JSON.parse(readFileSync8(path, "utf8"));
+    const parsed = JSON.parse(readFileSync10(path, "utf8"));
     if (!isRecord2(parsed)) {
       return { ok: false, error: `Mission file ${path} does not contain an object` };
     }
@@ -8368,14 +9680,14 @@ function missionActionDetails(mission) {
   };
 }
 function writeJsonFile5(path, value) {
-  mkdirSync12(dirname13(path), { recursive: true });
+  mkdirSync14(dirname16(path), { recursive: true });
   const tempPath = `${path}.${process.pid}.${Date.now()}.tmp`;
-  writeFileSync11(tempPath, `${JSON.stringify(value, null, 2)}
+  writeFileSync13(tempPath, `${JSON.stringify(value, null, 2)}
 `, "utf8");
   renameSync(tempPath, path);
 }
 function resolveInspectorMissionPaths(projectRoot) {
-  const inspectorDir = resolve19(resolveRigServerPaths(projectRoot).stateDir, "inspector");
+  const inspectorDir = resolve21(resolveRigServerPaths(projectRoot).stateDir, "inspector");
   return {
     inspectorDir,
     missionsDir: join(inspectorDir, "missions"),
@@ -8384,8 +9696,8 @@ function resolveInspectorMissionPaths(projectRoot) {
 }
 function createInspectorMissionController(options) {
   const paths = resolveInspectorMissionPaths(options.projectRoot);
-  mkdirSync12(paths.missionsDir, { recursive: true });
-  mkdirSync12(paths.journalsDir, { recursive: true });
+  mkdirSync14(paths.missionsDir, { recursive: true });
+  mkdirSync14(paths.journalsDir, { recursive: true });
   const now = options.now ?? (() => new Date().toISOString());
   const nextId = options.idGenerator ?? (() => `mission:${randomUUID2()}`);
   function missionPath(missionId) {
@@ -8395,15 +9707,15 @@ function createInspectorMissionController(options) {
     return join(paths.journalsDir, `${missionId}.jsonl`);
   }
   function appendMissionJournal(entry) {
-    mkdirSync12(paths.journalsDir, { recursive: true });
+    mkdirSync14(paths.journalsDir, { recursive: true });
     appendFileSync(journalPath(entry.missionId), `${JSON.stringify(entry)}
 `, "utf8");
   }
   function listMissionJournal(missionId) {
     const path = journalPath(missionId);
-    if (!existsSync12(path))
+    if (!existsSync14(path))
       return [];
-    return readFileSync8(path, "utf8").split(`
+    return readFileSync10(path, "utf8").split(`
 `).filter((line) => line.trim().length > 0).map((line) => JSON.parse(line)).filter(isRecord2).map((entry) => ({
       id: typeof entry.id === "string" ? entry.id : `journal:${randomUUID2()}`,
       missionId,
@@ -8419,7 +9731,7 @@ function createInspectorMissionController(options) {
   }
   function readMissionOnly(missionId) {
     const path = missionPath(missionId);
-    if (!existsSync12(path)) {
+    if (!existsSync14(path)) {
       return { ok: false, error: `Mission ${missionId} was not found` };
     }
     const read = readJsonRecord(path);
@@ -8470,7 +9782,7 @@ function createInspectorMissionController(options) {
       const source = cloneJsonRecord(input.sourceTask);
       const missionId = nextId();
       const path = missionPath(missionId);
-      if (existsSync12(path)) {
+      if (existsSync14(path)) {
         const existing = readMissionOnly(missionId);
         if (!existing.ok)
           return existing;
@@ -10070,8 +11382,8 @@ function createCodexInspectorTransport(options) {
   const sendRequest = async (method, params) => {
     const id = nextRequestId;
     nextRequestId += 1;
-    const response = new Promise((resolve20, reject) => {
-      pendingResponses.set(id, { resolve: resolve20, reject });
+    const response = new Promise((resolve22, reject) => {
+      pendingResponses.set(id, { resolve: resolve22, reject });
     });
     response.catch(() => {});
     try {
@@ -10381,9 +11693,9 @@ function createCodexInspectorTransport(options) {
       }
       lastAssistantMessage = null;
       lastError = null;
-      const turnResult = new Promise((resolve20, reject) => {
+      const turnResult = new Promise((resolve22, reject) => {
         currentTurn = {
-          resolve: resolve20,
+          resolve: resolve22,
           reject,
           events: []
         };
@@ -10443,13 +11755,13 @@ function createCodexInspectorTransport(options) {
   };
 }
 function writeChildLine(child, line) {
-  return new Promise((resolve20, reject) => {
+  return new Promise((resolve22, reject) => {
     child.stdin.write(line, (error) => {
       if (error) {
         reject(error);
         return;
       }
-      resolve20();
+      resolve22();
     });
   });
 }
@@ -10462,10 +11774,10 @@ function terminateChild(child) {
   } catch {}
 }
 async function waitForChildSpawn(child) {
-  await new Promise((resolve20, reject) => {
+  await new Promise((resolve22, reject) => {
     const onSpawn = () => {
       cleanup();
-      resolve20();
+      resolve22();
     };
     const onError = (error) => {
       cleanup();
@@ -10574,7 +11886,7 @@ import {
 } from "@rig/runtime/control-plane/native/run-ops";
 import {
   listAuthorityRuns as listAuthorityRuns6,
-  readAuthorityRun as readAuthorityRun8
+  readAuthorityRun as readAuthorityRun9
 } from "@rig/runtime/control-plane/authority-files";
 function providerFromRuntimeAdapter(runtimeAdapter) {
   if (!runtimeAdapter) {
@@ -10654,7 +11966,7 @@ function discoverInspectorRuns(options) {
     discovered.set(surface.runId, existing);
   };
   for (const authorityEntry of listAuthorityRuns6(options.projectRoot)) {
-    const run = readAuthorityRun8(options.projectRoot, authorityEntry.runId);
+    const run = readAuthorityRun9(options.projectRoot, authorityEntry.runId);
     if (!run) {
       continue;
     }
@@ -10977,8 +12289,8 @@ function createGlobalInspectorService(options) {
 
 // packages/server/src/inspector/upstream-sync.ts
 import { spawnSync as spawnSync4 } from "child_process";
-import { existsSync as existsSync13, mkdirSync as mkdirSync13, readFileSync as readFileSync9, writeFileSync as writeFileSync12 } from "fs";
-import { dirname as dirname14, resolve as resolve20 } from "path";
+import { existsSync as existsSync15, mkdirSync as mkdirSync15, readFileSync as readFileSync11, writeFileSync as writeFileSync14 } from "fs";
+import { dirname as dirname17, resolve as resolve22 } from "path";
 import { resolveMonorepoRoot as resolveMonorepoRoot4 } from "@rig/runtime/control-plane/native/utils";
 var UPSTREAM_VALIDATION_DESCRIPTIONS = {
   "integration:hg-auth-backport": "Preserves the upstream auth hardening cluster: nonce-backed node-client login, signature-aware JWT verification, shared-token onboarding semantics, and regression coverage.",
@@ -11116,34 +12428,34 @@ function defaultGitRunner(repoRoot, args) {
 }
 function upstreamStatePath(projectRoot, override) {
   if (override) {
-    return resolve20(override);
+    return resolve22(override);
   }
-  return resolve20(resolveRigServerPaths(projectRoot).stateDir, "inspector", "upstream-sync.json");
+  return resolve22(resolveRigServerPaths(projectRoot).stateDir, "inspector", "upstream-sync.json");
 }
 function readUpstreamState(projectRoot, statePath) {
   const path = upstreamStatePath(projectRoot, statePath);
-  if (!existsSync13(path)) {
+  if (!existsSync15(path)) {
     return null;
   }
   try {
-    return JSON.parse(readFileSync9(path, "utf-8"));
+    return JSON.parse(readFileSync11(path, "utf-8"));
   } catch {
     return null;
   }
 }
 function writeUpstreamState(projectRoot, state, statePath) {
   const path = upstreamStatePath(projectRoot, statePath);
-  mkdirSync13(dirname14(path), { recursive: true });
-  writeFileSync12(path, `${JSON.stringify(state, null, 2)}
+  mkdirSync15(dirname17(path), { recursive: true });
+  writeFileSync14(path, `${JSON.stringify(state, null, 2)}
 `, "utf8");
 }
 function readImportedRevision(projectRoot, upstreamsDocPath) {
   const monorepoRoot = resolveMonorepoRoot4(projectRoot);
-  const docPath = upstreamsDocPath ? resolve20(upstreamsDocPath) : resolve20(monorepoRoot, "docs", "UPSTREAMS.md");
-  if (!existsSync13(docPath)) {
+  const docPath = upstreamsDocPath ? resolve22(upstreamsDocPath) : resolve22(monorepoRoot, "docs", "UPSTREAMS.md");
+  if (!existsSync15(docPath)) {
     throw new Error(`UPSTREAMS.md not found at ${docPath}`);
   }
-  const docContent = readFileSync9(docPath, "utf-8");
+  const docContent = readFileSync11(docPath, "utf-8");
   const revision = parseImportedUpstreamRevision(docContent, "upstream") ?? parseImportedUpstreamRevision(docContent, "humoongate");
   if (!revision) {
     throw new Error(`Failed to parse upstream imported revision from ${docPath}`);
@@ -11165,7 +12477,7 @@ function resolveRemoteBranch(repoRoot, remote, gitRunner) {
   return null;
 }
 function isGitCheckout(path, gitRunner) {
-  if (!existsSync13(resolve20(path, ".git"))) {
+  if (!existsSync15(resolve22(path, ".git"))) {
     return false;
   }
   const result = gitRunner(path, ["rev-parse", "--is-inside-work-tree"]);
@@ -11174,12 +12486,12 @@ function isGitCheckout(path, gitRunner) {
 function resolveUpstreamCheckout(projectRoot, explicitCheckout, gitRunner) {
   const monorepoRoot = resolveMonorepoRoot4(projectRoot);
   const candidates = [
-    explicitCheckout ? resolve20(explicitCheckout) : "",
-    process.env.UPSTREAM_CHECKOUT?.trim() ? resolve20(process.env.UPSTREAM_CHECKOUT.trim()) : "",
-    process.env.HUMOONGATE_UPSTREAM_CHECKOUT?.trim() ? resolve20(process.env.HUMOONGATE_UPSTREAM_CHECKOUT.trim()) : "",
-    resolve20(projectRoot, "..", "humoongate"),
-    resolve20(monorepoRoot, "..", "humoongate"),
-    resolve20(monorepoRoot, "humoongate")
+    explicitCheckout ? resolve22(explicitCheckout) : "",
+    process.env.UPSTREAM_CHECKOUT?.trim() ? resolve22(process.env.UPSTREAM_CHECKOUT.trim()) : "",
+    process.env.HUMOONGATE_UPSTREAM_CHECKOUT?.trim() ? resolve22(process.env.HUMOONGATE_UPSTREAM_CHECKOUT.trim()) : "",
+    resolve22(projectRoot, "..", "humoongate"),
+    resolve22(monorepoRoot, "..", "humoongate"),
+    resolve22(monorepoRoot, "humoongate")
   ].filter(Boolean);
   for (const candidate of candidates) {
     if (isGitCheckout(candidate, gitRunner)) {
@@ -11415,10 +12727,10 @@ async function runUpstreamSyncScan(options) {
 }
 
 // packages/server/src/server-helpers/task-config.ts
-import { existsSync as existsSync14 } from "fs";
+import { existsSync as existsSync16 } from "fs";
 async function readTaskConfig(projectRoot) {
   const taskConfigPath = resolveRigServerPaths(projectRoot).taskConfigPath;
-  if (!existsSync14(taskConfigPath)) {
+  if (!existsSync16(taskConfigPath)) {
     return {};
   }
   try {
@@ -11454,11 +12766,11 @@ function resolveFollowupSourceCommit(input) {
 }
 async function createInspectorFollowupTask(projectRoot, input) {
   const monorepoRoot = resolveMonorepoRoot5(projectRoot);
-  const issuesPath = resolve21(monorepoRoot, ".beads", "issues.jsonl");
-  const taskStatePath = resolve21(monorepoRoot, ".beads", "task-state.json");
-  const taskConfigPath = resolve21(monorepoRoot, ".rig", "task-config.json");
-  mkdirSync14(dirname15(issuesPath), { recursive: true });
-  mkdirSync14(dirname15(taskConfigPath), { recursive: true });
+  const issuesPath = resolve23(monorepoRoot, ".beads", "issues.jsonl");
+  const taskStatePath = resolve23(monorepoRoot, ".beads", "task-state.json");
+  const taskConfigPath = resolve23(monorepoRoot, ".rig", "task-config.json");
+  mkdirSync16(dirname18(issuesPath), { recursive: true });
+  mkdirSync16(dirname18(taskConfigPath), { recursive: true });
   const summary = normalizeString(input.summary) ?? "Inspector follow-up";
   const description = normalizeString(input.description) ?? normalizeString(input.details?.description) ?? `Created by the global inspector: ${summary}`;
   const acceptanceCriteria = normalizeString(input.acceptanceCriteria) ?? "Investigate the detected drift and port the relevant changes into Rig.";
@@ -11477,7 +12789,7 @@ async function createInspectorFollowupTask(projectRoot, input) {
   const sourceKey = normalizeString(input.sourceKey) ?? normalizeString(input.details?.sourceKey);
   const createdAt = normalizeString(input.createdAt) ?? new Date().toISOString();
   const status = normalizeTaskLifecycleStatus2(normalizeString(input.status) ?? "open") ?? "open";
-  const existingIssueLines = existsSync15(issuesPath) ? readFileSync10(issuesPath, "utf8").split(/\r?\n/).map((line) => line.trim()).filter(Boolean) : [];
+  const existingIssueLines = existsSync17(issuesPath) ? readFileSync12(issuesPath, "utf8").split(/\r?\n/).map((line) => line.trim()).filter(Boolean) : [];
   const existingIssues = existingIssueLines.map((line) => {
     try {
       return JSON.parse(line);
@@ -11486,7 +12798,7 @@ async function createInspectorFollowupTask(projectRoot, input) {
     }
   }).filter((value) => value !== null);
   const existingIds = new Set(existingIssues.map((issue) => typeof issue.id === "string" ? issue.id : null).filter((value) => value !== null));
-  const rawTaskState = existsSync15(taskStatePath) ? readJsonFile3(taskStatePath, {}) : {};
+  const rawTaskState = existsSync17(taskStatePath) ? readJsonFile3(taskStatePath, {}) : {};
   const tasks = rawTaskState.tasks && typeof rawTaskState.tasks === "object" && !Array.isArray(rawTaskState.tasks) ? rawTaskState.tasks : {};
   const existingTaskIdFromSourceKey = sourceKey == null ? null : Object.entries(tasks).find(([, metadata]) => {
     if (!metadata || typeof metadata !== "object" || Array.isArray(metadata)) {
@@ -11512,7 +12824,7 @@ async function createInspectorFollowupTask(projectRoot, input) {
       updated_at: createdAt,
       labels: mergedLabels
     };
-    writeFileSync13(issuesPath, existingIssueLines.length > 0 ? `${existingIssueLines.join(`
+    writeFileSync15(issuesPath, existingIssueLines.length > 0 ? `${existingIssueLines.join(`
 `)}
 ${JSON.stringify(issueRecord)}
 ` : `${JSON.stringify(issueRecord)}
@@ -11530,7 +12842,7 @@ ${JSON.stringify(issueRecord)}
         labels: mergedLabels
       };
     });
-    writeFileSync13(issuesPath, `${updatedIssues.map((issue) => JSON.stringify(issue)).join(`
+    writeFileSync15(issuesPath, `${updatedIssues.map((issue) => JSON.stringify(issue)).join(`
 `)}
 `, "utf8");
   }
@@ -11553,14 +12865,14 @@ ${JSON.stringify(issueRecord)}
       }
     };
   }
-  writeFileSync13(taskConfigPath, `${JSON.stringify(taskConfig, null, 2)}
+  writeFileSync15(taskConfigPath, `${JSON.stringify(taskConfig, null, 2)}
 `, "utf8");
   tasks[taskId] = {
     status,
     sourceCommit: resolveFollowupSourceCommit(input),
     ...sourceKey ? { sourceKey } : {}
   };
-  writeFileSync13(taskStatePath, `${JSON.stringify({
+  writeFileSync15(taskStatePath, `${JSON.stringify({
     schemaVersion: 1,
     baseTrackerCommit: typeof rawTaskState.baseTrackerCommit === "string" ? rawTaskState.baseTrackerCommit : null,
     tasks
@@ -11587,21 +12899,10 @@ async function runInspectorLocalReview(projectRoot, input) {
       details: null
     };
   }
-  const [{ RuntimeEventBus }, { PluginManager }, { verifyTask }] = await Promise.all([
-    import("@rig/runtime/control-plane/runtime/events"),
-    import("@rig/runtime/control-plane/runtime/plugins"),
-    import("@rig/runtime/control-plane/native/verifier")
-  ]);
-  const eventBus = new RuntimeEventBus({ projectRoot, runId: `inspector-review:${taskId}` });
-  const plugins = await PluginManager.load({
-    projectRoot,
-    runId: `inspector-review:${taskId}`,
-    eventBus
-  });
+  const { verifyTask } = await import("@rig/runtime/control-plane/native/verifier");
   const outcome = await verifyTask({
     projectRoot,
     taskId,
-    plugins,
     skipAiReview: true
   });
   return {
@@ -11868,12 +13169,12 @@ function isAuthorizedLinearWebhookRequest(req) {
 }
 
 // packages/server/src/server-helpers/notifications.ts
-import { existsSync as existsSync16, mkdirSync as mkdirSync15, readFileSync as readFileSync11 } from "fs";
-import { dirname as dirname16 } from "path";
+import { existsSync as existsSync18, mkdirSync as mkdirSync17, readFileSync as readFileSync13 } from "fs";
+import { dirname as dirname19 } from "path";
 async function loadNotificationConfig(path) {
-  if (!existsSync16(path)) {
+  if (!existsSync18(path)) {
     const defaultConfig = { targets: [] };
-    mkdirSync15(dirname16(path), { recursive: true });
+    mkdirSync17(dirname19(path), { recursive: true });
     await Bun.write(path, `${JSON.stringify(defaultConfig, null, 2)}
 `);
     return defaultConfig;
@@ -11888,10 +13189,10 @@ async function loadNotificationConfig(path) {
   }
 }
 function readRecentEvents(file, limit) {
-  if (!existsSync16(file)) {
+  if (!existsSync18(file)) {
     return [];
   }
-  const lines = readFileSync11(file, "utf-8").split(/\r?\n/).map((line) => line.trim()).filter(Boolean).slice(-limit);
+  const lines = readFileSync13(file, "utf-8").split(/\r?\n/).map((line) => line.trim()).filter(Boolean).slice(-limit);
   const events = [];
   for (const line of lines) {
     try {
@@ -11986,11 +13287,11 @@ function extractObjectLiteralBlock(source, property) {
 }
 function readFallbackIssueAnalysisConfig(projectRoot) {
   for (const fileName of ["rig.config.ts", "rig.config.json"]) {
-    const path = resolve22(projectRoot, fileName);
-    if (!existsSync17(path))
+    const path = resolve24(projectRoot, fileName);
+    if (!existsSync19(path))
       continue;
     try {
-      const source = readFileSync12(path, "utf8");
+      const source = readFileSync14(path, "utf8");
       if (fileName.endsWith(".json"))
         return JSON.parse(source);
       const issueBlock = extractObjectLiteralBlock(source, "issueAnalysis");
@@ -12123,8 +13424,8 @@ async function createIssueAnalysisRunnerForServerState(state, input) {
 async function withServerPathEnv(projectRoot, fn) {
   const waitForTurn = serverPathEnvQueue;
   let releaseTurn;
-  serverPathEnvQueue = new Promise((resolve23) => {
-    releaseTurn = resolve23;
+  serverPathEnvQueue = new Promise((resolve25) => {
+    releaseTurn = resolve25;
   });
   await waitForTurn;
   const paths = resolveServerAuthorityPaths(projectRoot);
@@ -12160,9 +13461,9 @@ async function withServerAuthorityEnvIfNeeded(projectRoot, fn) {
   return withServerPathEnv(projectRoot, fn);
 }
 async function readWorkspaceTasks(projectRoot) {
-  const issuesPath = resolve22(resolveMonorepoRoot6(projectRoot), ".beads", "issues.jsonl");
+  const issuesPath = resolve24(resolveMonorepoRoot6(projectRoot), ".beads", "issues.jsonl");
   const taskConfig = await readTaskConfig(projectRoot);
-  if (!existsSync17(issuesPath)) {
+  if (!existsSync19(issuesPath)) {
     return [];
   }
   const latestById = new Map;
@@ -12236,11 +13537,11 @@ function resolveTaskArtifactDirsFromRuns(projectRoot, taskId, knownRuns) {
       continue;
     add(run.artifactRoot);
     if (run.worktreePath) {
-      add(resolve22(run.worktreePath, "artifacts", taskId));
+      add(resolve24(run.worktreePath, "artifacts", taskId));
     }
   }
   for (const artifactsRoot of listAuthorityArtifactRoots(projectRoot)) {
-    add(resolve22(artifactsRoot, taskId));
+    add(resolve24(artifactsRoot, taskId));
   }
   return candidates;
 }
@@ -12254,7 +13555,7 @@ async function listArtifactSummaries(projectRoot, taskId, knownTaskIds, knownRun
     }
   }
   return taskIds.flatMap((currentTaskId) => {
-    const currentRoot = resolveTaskArtifactDirsFromRuns(projectRoot, currentTaskId, runs).find((path) => existsSync17(path));
+    const currentRoot = resolveTaskArtifactDirsFromRuns(projectRoot, currentTaskId, runs).find((path) => existsSync19(path));
     if (!currentRoot) {
       return [];
     }
@@ -12266,7 +13567,7 @@ async function listArtifactSummaries(projectRoot, taskId, knownTaskIds, knownRun
       taskId: currentTaskId,
       kind: "file",
       label: fileName,
-      path: resolve22(currentRoot, fileName),
+      path: resolve24(currentRoot, fileName),
       url: null,
       metadata: {
         fileName
@@ -12309,11 +13610,11 @@ function buildInspectorStreamPayload(state, sequence) {
 }
 function listRemoteRunArtifacts(projectRoot, runId) {
   const root = remoteArtifactsRoot(projectRoot, runId);
-  if (!existsSync17(root)) {
+  if (!existsSync19(root)) {
     return [];
   }
   return readdirSync5(root, { withFileTypes: true }).filter((entry) => entry.isFile()).filter((entry) => !entry.name.endsWith(".json")).map((entry) => {
-    const artifactPath = resolve22(root, entry.name);
+    const artifactPath = resolve24(root, entry.name);
     const stat = statSync6(artifactPath);
     const meta = readJsonFile4(`${artifactPath}.json`, null);
     return {
@@ -12474,6 +13775,7 @@ function buildHttpRouterDeps(state) {
     startLocalRun,
     stopRunRecord,
     resumeRunRecord,
+    runServerOwnedPrCloseout,
     claimRemoteRun,
     listRemoteRunArtifacts,
     broadcastSnapshotInvalidation,
@@ -12555,8 +13857,8 @@ function fileStats(path) {
   }
 }
 function runFileCursor(projectRoot, run) {
-  const runDir = dirname17(runLogsPath(projectRoot, run.runId));
-  const runJson = fileStats(resolve22(runDir, "run.json"));
+  const runDir = dirname20(runLogsPath(projectRoot, run.runId));
+  const runJson = fileStats(resolve24(runDir, "run.json"));
   const timeline = fileStats(runTimelinePath(projectRoot, run.runId));
   const logs = fileStats(runLogsPath(projectRoot, run.runId));
   return {
@@ -12606,10 +13908,10 @@ function startRunFileWatcher(state, pollMs) {
   }, Math.max(250, Math.min(pollMs, 1000)));
 }
 function startPoller(state, pollMs) {
-  let offset = existsSync17(state.eventsFile) ? statSync6(state.eventsFile).size : 0;
+  let offset = existsSync19(state.eventsFile) ? statSync6(state.eventsFile).size : 0;
   return setInterval(async () => {
     try {
-      if (!existsSync17(state.eventsFile)) {
+      if (!existsSync19(state.eventsFile)) {
         return;
       }
       const file = await open(state.eventsFile, "r");
@@ -12653,6 +13955,26 @@ function startPoller(state, pollMs) {
     }
   }, pollMs);
 }
+function attachPiSessionProxySocket(ws) {
+  if (ws.data.kind !== "pi-session-proxy")
+    return;
+  const upstream = new WebSocket(ws.data.upstreamUrl);
+  ws.__rigPiUpstream = upstream;
+  upstream.addEventListener("message", (event) => {
+    if (ws.readyState === 1)
+      ws.send(typeof event.data === "string" ? event.data : event.data);
+  });
+  upstream.addEventListener("close", () => {
+    try {
+      ws.close();
+    } catch {}
+  });
+  upstream.addEventListener("error", () => {
+    try {
+      ws.close(1011, "Upstream Pi session stream failed");
+    } catch {}
+  });
+}
 async function createRigServer(options, projectRoot = resolveProjectRoot()) {
   const state = await createRigServerState(projectRoot, options.eventType, options.authToken, {
     upstreamSyncMs: options.upstreamSyncMs,
@@ -12665,10 +13987,20 @@ async function createRigServer(options, projectRoot = resolveProjectRoot()) {
     fetch: (req, server2) => createRigServerFetch2(state)(req, server2),
     websocket: {
       open(ws) {
+        if (ws.data.kind === "pi-session-proxy") {
+          attachPiSessionProxySocket(ws);
+          return;
+        }
         state.sockets.add(ws);
         sendWebSocketResponse(ws, buildServerWelcomePush(state.projectRoot));
       },
       async message(ws, raw) {
+        if (ws.data.kind === "pi-session-proxy") {
+          const upstream = ws.__rigPiUpstream;
+          if (upstream?.readyState === WebSocket.OPEN)
+            upstream.send(raw);
+          return;
+        }
         const request = parseWebSocketRequestEnvelope(typeof raw === "string" ? raw : Buffer.from(raw).toString("utf8"));
         if (!request) {
           sendWebSocketResponse(ws, {
@@ -12691,6 +14023,10 @@ async function createRigServer(options, projectRoot = resolveProjectRoot()) {
         }
       },
       close(ws) {
+        if (ws.data.kind === "pi-session-proxy") {
+          ws.__rigPiUpstream?.close();
+          return;
+        }
         state.sockets.delete(ws);
       }
     }
@@ -12737,7 +14073,7 @@ function resolveProjectRoot() {
   return resolveRigProjectRoot({
     envProjectRoot: process.env.PROJECT_RIG_ROOT ?? null,
     cwd: process.cwd(),
-    fallbackRoot: resolve22(import.meta.dir, "../..")
+    fallbackRoot: resolve24(import.meta.dir, "../..")
   });
 }
 var __testOnly = {