patchrelay 0.1.0

package/dist/http.js

@@ -0,0 +1,321 @@
+import fastify from "fastify";
+import rawBody from "fastify-raw-body";
+import { getBuildInfo } from "./build-info.js";
+export async function buildHttpServer(config, service, logger) {
+    const buildInfo = getBuildInfo();
+    const loopbackBind = isLoopbackBind(config.server.bind);
+    const managementRoutesEnabled = loopbackBind || config.operatorApi.enabled;
+    const app = fastify({
+        loggerInstance: logger,
+        bodyLimit: config.ingress.maxBodyBytes,
+        disableRequestLogging: true,
+    });
+    await app.register(rawBody, {
+        field: "rawBody",
+        global: false,
+        encoding: false,
+        runFirst: true,
+    });
+    app.get("/", async (_request, reply) => {
+        return reply
+            .type("text/html; charset=utf-8")
+            .send(`<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <title>PatchRelay</title>
+    <style>
+      :root {
+        color-scheme: light;
+        --bg: #f6f3ee;
+        --panel: rgba(255, 255, 255, 0.76);
+        --ink: #1f1d1a;
+        --muted: #6c665d;
+        --accent: #1e6a52;
+        --accent-2: #d2a24c;
+        --border: rgba(31, 29, 26, 0.12);
+      }
+
+      * {
+        box-sizing: border-box;
+      }
+
+      body {
+        margin: 0;
+        min-height: 100vh;
+        font-family: Georgia, "Times New Roman", serif;
+        color: var(--ink);
+        background:
+          radial-gradient(circle at top left, rgba(210, 162, 76, 0.24), transparent 34%),
+          radial-gradient(circle at bottom right, rgba(30, 106, 82, 0.16), transparent 28%),
+          linear-gradient(135deg, #efe7db 0%, var(--bg) 48%, #f7f5f1 100%);
+        display: grid;
+        place-items: center;
+        padding: 24px;
+      }
+
+      main {
+        width: min(760px, 100%);
+        background: var(--panel);
+        border: 1px solid var(--border);
+        border-radius: 24px;
+        padding: 40px 32px;
+        box-shadow: 0 30px 80px rgba(49, 42, 30, 0.12);
+        backdrop-filter: blur(14px);
+      }
+
+      .eyebrow {
+        margin: 0 0 12px;
+        font-size: 12px;
+        letter-spacing: 0.14em;
+        text-transform: uppercase;
+        color: var(--accent);
+      }
+
+      h1 {
+        margin: 0;
+        font-size: clamp(40px, 8vw, 72px);
+        line-height: 0.95;
+        font-weight: 700;
+      }
+
+      p {
+        margin: 18px 0 0;
+        font-size: 18px;
+        line-height: 1.6;
+        color: var(--muted);
+        max-width: 42rem;
+      }
+
+      .meta {
+        display: flex;
+        flex-wrap: wrap;
+        gap: 12px;
+        margin-top: 28px;
+      }
+
+      .chip {
+        display: inline-flex;
+        align-items: center;
+        border: 1px solid var(--border);
+        border-radius: 999px;
+        padding: 10px 14px;
+        font-size: 14px;
+        color: var(--ink);
+        background: rgba(255, 255, 255, 0.7);
+      }
+
+      code {
+        font-family: "SFMono-Regular", "Cascadia Code", "Fira Code", monospace;
+        font-size: 0.95em;
+      }
+
+      a {
+        color: var(--accent);
+        text-decoration: none;
+      }
+
+      a:hover {
+        text-decoration: underline;
+      }
+    </style>
+  </head>
+  <body>
+    <main>
+      <p class="eyebrow">PatchRelay</p>
+      <h1>Webhook in, worktree out.</h1>
+      <p>
+        PatchRelay listens for signed Linear webhooks, prepares an issue-specific worktree, and orchestrates
+        staged Codex runs through <code>codex app-server</code> with durable thread history and read-only reports.
+      </p>
+      <div class="meta">
+        <span class="chip">Health: <a href="${config.server.healthPath}">${config.server.healthPath}</a></span>
+        <span class="chip">Webhook: <code>${config.ingress.linearWebhookPath}</code></span>
+        <span class="chip">Version: <code>${buildInfo.version}</code></span>
+        <span class="chip">Commit: <code>${buildInfo.commit}</code></span>
+        <span class="chip">Logs: <code>${config.logging.filePath}</code></span>
+      </div>
+    </main>
+  </body>
+</html>`);
+    });
+    app.get(config.server.healthPath, async () => ({
+        ok: true,
+        service: buildInfo.service,
+        version: buildInfo.version,
+        commit: buildInfo.commit,
+        builtAt: buildInfo.builtAt,
+    }));
+    app.get(config.server.readinessPath, async (_request, reply) => {
+        const readiness = service.getReadiness();
+        return reply.code(readiness.ready ? 200 : 503).send({
+            ok: readiness.ready,
+            ...readiness,
+            service: buildInfo.service,
+            version: buildInfo.version,
+            commit: buildInfo.commit,
+        });
+    });
+    app.post(config.ingress.linearWebhookPath, {
+        config: {
+            rawBody: true,
+        },
+    }, async (request, reply) => {
+        const rawBody = typeof request.rawBody === "string" ? Buffer.from(request.rawBody) : request.rawBody;
+        if (!rawBody) {
+            return reply.code(400).send({ ok: false, reason: "missing_raw_body" });
+        }
+        const webhookId = getHeader(request, "linear-delivery");
+        if (!webhookId) {
+            return reply.code(400).send({ ok: false, reason: "missing_delivery_header" });
+        }
+        const result = await service.acceptWebhook({
+            webhookId,
+            headers: request.headers,
+            rawBody,
+        });
+        return reply.code(result.status).send(result.body);
+    });
+    if (config.operatorApi.enabled) {
+        app.addHook("onRequest", async (request, reply) => {
+            if (!request.url.startsWith("/api/")) {
+                return;
+            }
+            if (!isAuthorizedOperatorRequest(request, config)) {
+                return reply.code(401).send({ ok: false, reason: "operator_auth_required" });
+            }
+        });
+        app.get("/api/issues/:issueKey", async (request, reply) => {
+            const issueKey = request.params.issueKey;
+            const result = await service.getIssueOverview(issueKey);
+            if (!result) {
+                return reply.code(404).send({ ok: false, reason: "issue_not_found" });
+            }
+            return reply.send({ ok: true, ...result });
+        });
+        app.get("/api/issues/:issueKey/report", async (request, reply) => {
+            const issueKey = request.params.issueKey;
+            const result = await service.getIssueReport(issueKey);
+            if (!result) {
+                return reply.code(404).send({ ok: false, reason: "issue_not_found" });
+            }
+            return reply.send({ ok: true, ...result });
+        });
+        app.get("/api/issues/:issueKey/live", async (request, reply) => {
+            const issueKey = request.params.issueKey;
+            const result = await service.getActiveStageStatus(issueKey);
+            if (!result) {
+                return reply.code(404).send({ ok: false, reason: "active_stage_not_found" });
+            }
+            return reply.send({ ok: true, ...result });
+        });
+        app.get("/api/issues/:issueKey/stages/:stageRunId/events", async (request, reply) => {
+            const { issueKey, stageRunId } = request.params;
+            const result = await service.getStageEvents(issueKey, Number(stageRunId));
+            if (!result) {
+                return reply.code(404).send({ ok: false, reason: "stage_run_not_found" });
+            }
+            return reply.send({ ok: true, ...result });
+        });
+    }
+    if (managementRoutesEnabled) {
+        app.get("/api/installations", async (_request, reply) => {
+            return reply.send({ ok: true, installations: service.listLinearInstallations() });
+        });
+        app.get("/api/oauth/linear/start", async (request, reply) => {
+            const projectId = getQueryParam(request, "projectId");
+            const result = service.createLinearOAuthStart(projectId ? { projectId } : undefined);
+            return reply.send({ ok: true, ...result });
+        });
+        app.get("/api/oauth/linear/state/:state", async (request, reply) => {
+            const { state } = request.params;
+            const result = service.getLinearOAuthStateStatus(state);
+            if (!result) {
+                return reply.code(404).send({ ok: false, reason: "oauth_state_not_found" });
+            }
+            return reply.send({ ok: true, ...result });
+        });
+    }
+    app.get("/oauth/linear/callback", async (request, reply) => {
+        const code = getQueryParam(request, "code");
+        const state = getQueryParam(request, "state");
+        if (!code || !state) {
+            return reply.code(400).type("text/html; charset=utf-8").send(renderOAuthResult("Missing code or state."));
+        }
+        try {
+            const installation = await service.completeLinearOAuth({ code, state });
+            return reply
+                .type("text/html; charset=utf-8")
+                .send(renderOAuthResult(`Connected Linear installation #${installation.id}. You can close this window.`));
+        }
+        catch (error) {
+            return reply
+                .code(400)
+                .type("text/html; charset=utf-8")
+                .send(renderOAuthResult(error instanceof Error ? error.message : String(error)));
+        }
+    });
+    app.addHook("onResponse", async (request, reply) => {
+        if (reply.statusCode < 500) {
+            return;
+        }
+        request.log.error({
+            reqId: request.id,
+            method: request.method,
+            url: request.url,
+            statusCode: reply.statusCode,
+            responseTime: reply.elapsedTime,
+        }, "request failed");
+    });
+    return app;
+}
+function getHeader(request, name) {
+    const value = request.headers[name];
+    return typeof value === "string" ? value : undefined;
+}
+function isAuthorizedOperatorRequest(request, config) {
+    if (isLoopbackBind(config.server.bind)) {
+        return true;
+    }
+    if (!config.operatorApi.bearerToken) {
+        return true;
+    }
+    const auth = getHeader(request, "authorization");
+    return auth === `Bearer ${config.operatorApi.bearerToken}`;
+}
+function isLoopbackBind(bind) {
+    return bind === "127.0.0.1" || bind === "::1" || bind === "localhost";
+}
+function escapeHtml(value) {
+    return value
+        .replaceAll("&", "&amp;")
+        .replaceAll("<", "&lt;")
+        .replaceAll(">", "&gt;")
+        .replaceAll("\"", "&quot;");
+}
+function getQueryParam(request, key) {
+    const value = request.query?.[key];
+    return typeof value === "string" ? value : undefined;
+}
+function renderOAuthResult(message) {
+    return `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <title>PatchRelay OAuth</title>
+    <style>
+      body { font-family: Georgia, "Times New Roman", serif; background: #f6f3ee; color: #1f1d1a; margin: 0; padding: 32px; }
+      main { max-width: 640px; margin: 10vh auto; background: rgba(255,255,255,0.82); border: 1px solid rgba(31,29,26,0.12); border-radius: 20px; padding: 32px; }
+      p { font-size: 18px; line-height: 1.6; }
+    </style>
+  </head>
+  <body>
+    <main>
+      <h1>PatchRelay</h1>
+      <p>${escapeHtml(message)}</p>
+    </main>
+  </body>
+</html>`;
+}

package/dist/index.js

@@ -0,0 +1,69 @@
+#!/usr/bin/env node
+import { dirname } from "node:path";
+import { runCli } from "./cli/index.js";
+import { CodexAppServerClient } from "./codex-app-server.js";
+import { getAdjacentEnvFilePaths, loadConfig } from "./config.js";
+import { PatchRelayDatabase } from "./db.js";
+import { enforceRuntimeFilePermissions, enforceServiceEnvPermissions } from "./file-permissions.js";
+import { buildHttpServer } from "./http.js";
+import { DatabaseBackedLinearClientProvider } from "./linear-client.js";
+import { createLogger } from "./logging.js";
+import { runPreflight } from "./preflight.js";
+import { PatchRelayService } from "./service.js";
+import { ensureDir } from "./utils.js";
+async function main() {
+    const cliExitCode = await runCli(process.argv.slice(2));
+    if (cliExitCode !== -1) {
+        process.exitCode = cliExitCode;
+        return;
+    }
+    const configPath = process.env.PATCHRELAY_CONFIG;
+    const config = loadConfig(configPath);
+    await enforceServiceEnvPermissions(getAdjacentEnvFilePaths(configPath).serviceEnvPath);
+    await ensureDir(dirname(config.database.path));
+    await ensureDir(dirname(config.logging.filePath));
+    if (config.logging.webhookArchiveDir) {
+        await ensureDir(config.logging.webhookArchiveDir);
+    }
+    for (const project of config.projects) {
+        await ensureDir(project.worktreeRoot);
+    }
+    await enforceRuntimeFilePermissions(config);
+    const preflight = await runPreflight(config);
+    const failedChecks = preflight.checks.filter((check) => check.status === "fail");
+    if (failedChecks.length > 0) {
+        throw new Error(["PatchRelay startup preflight failed:", ...failedChecks.map((check) => `- [${check.scope}] ${check.message}`)].join("\n"));
+    }
+    const logger = createLogger(config);
+    const db = new PatchRelayDatabase(config.database.path, config.database.wal);
+    db.runMigrations();
+    const codex = new CodexAppServerClient(config.runner.codex, logger);
+    const linearProvider = new DatabaseBackedLinearClientProvider(config, db, logger);
+    const service = new PatchRelayService(config, db, codex, linearProvider, logger);
+    await service.start();
+    const app = await buildHttpServer(config, service, logger);
+    await app.listen({
+        host: config.server.bind,
+        port: config.server.port,
+    });
+    logger.info({
+        bind: config.server.bind,
+        port: config.server.port,
+        webhookPath: config.ingress.linearWebhookPath,
+        configPath: process.env.PATCHRELAY_CONFIG,
+    }, "PatchRelay started");
+    const shutdown = async () => {
+        service.stop();
+        await app.close();
+    };
+    process.once("SIGINT", () => {
+        void shutdown();
+    });
+    process.once("SIGTERM", () => {
+        void shutdown();
+    });
+}
+main().catch((error) => {
+    process.stderr.write(`${error instanceof Error ? error.stack : String(error)}\n`);
+    process.exitCode = 1;
+});

package/dist/install.js

@@ -0,0 +1,302 @@
+import crypto from "node:crypto";
+import { basename, dirname } from "node:path";
+import { existsSync } from "node:fs";
+import { mkdir, readFile, writeFile } from "node:fs/promises";
+import { homedir } from "node:os";
+import { getDefaultConfigPath, getDefaultDatabasePath, getDefaultRuntimeEnvPath, getDefaultServiceEnvPath, getDefaultLogPath, getDefaultWebhookArchiveDir, getPatchRelayConfigDir, getPatchRelayDataDir, getPatchRelayStateDir, getSystemdUserPathUnitPath, getSystemdUserReloadUnitPath, getSystemdUserUnitPath, readBundledAsset, } from "./runtime-paths.js";
+import { loadConfig } from "./config.js";
+import { enforceArbitraryFilePermissions } from "./file-permissions.js";
+import { ensureAbsolutePath } from "./utils.js";
+function defaultProjectWorkflows() {
+    return [
+        {
+            id: "development",
+            when_state: "Start",
+            active_state: "Implementing",
+            workflow_file: "IMPLEMENTATION_WORKFLOW.md",
+            fallback_state: "Human Needed",
+        },
+        {
+            id: "review",
+            when_state: "Review",
+            active_state: "Reviewing",
+            workflow_file: "REVIEW_WORKFLOW.md",
+            fallback_state: "Human Needed",
+        },
+        {
+            id: "deploy",
+            when_state: "Deploy",
+            active_state: "Deploying",
+            workflow_file: "DEPLOY_WORKFLOW.md",
+            fallback_state: "Human Needed",
+        },
+        {
+            id: "cleanup",
+            when_state: "Cleanup",
+            active_state: "Cleaning Up",
+            workflow_file: "CLEANUP_WORKFLOW.md",
+            fallback_state: "Human Needed",
+        },
+    ];
+}
+function renderTemplate(template, replacements) {
+    const home = homedir();
+    const user = basename(home);
+    const rendered = template
+        .replaceAll("${PATCHRELAY_CONFIG:-/home/your-user/.config/patchrelay/patchrelay.json}", getDefaultConfigPath())
+        .replaceAll("${PATCHRELAY_DB_PATH:-/home/your-user/.local/state/patchrelay/patchrelay.sqlite}", getDefaultDatabasePath())
+        .replaceAll("${PATCHRELAY_LOG_FILE:-/home/your-user/.local/state/patchrelay/patchrelay.log}", getDefaultLogPath())
+        .replaceAll("/home/your-user/.config/patchrelay/runtime.env", getDefaultRuntimeEnvPath())
+        .replaceAll("/home/your-user/.config/patchrelay/service.env", getDefaultServiceEnvPath())
+        .replaceAll("/home/your-user/.config/patchrelay/patchrelay.json", getDefaultConfigPath())
+        .replaceAll("/home/your-user/.config/patchrelay", getPatchRelayConfigDir())
+        .replaceAll("/home/your-user/.local/state/patchrelay/webhooks", getDefaultWebhookArchiveDir())
+        .replaceAll("/home/your-user/.local/state/patchrelay", getPatchRelayStateDir())
+        .replaceAll("/home/your-user/.local/share/patchrelay", getPatchRelayDataDir())
+        .replaceAll("/home/your-user", home)
+        .replaceAll("your-user", user);
+    if (replacements?.publicBaseUrl) {
+        return rendered.replaceAll("https://patchrelay.example.com", replacements.publicBaseUrl);
+    }
+    return rendered;
+}
+function parseConfigObject(raw, configPath) {
+    const source = raw.trim() ? raw : "{}";
+    let parsed;
+    try {
+        parsed = JSON.parse(source);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        throw new Error(`Invalid JSON config file: ${configPath}: ${message}`, {
+            cause: error,
+        });
+    }
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+        throw new Error(`Config file must contain a JSON object at the top level: ${configPath}`);
+    }
+    return parsed;
+}
+function stringifyConfig(config) {
+    return `${JSON.stringify(config, null, 2)}\n`;
+}
+function generateSecret(bytes = 32) {
+    return crypto.randomBytes(bytes).toString("hex");
+}
+function renderServiceEnvTemplate(template) {
+    return template
+        .replace("LINEAR_WEBHOOK_SECRET=replace-with-linear-webhook-secret", `LINEAR_WEBHOOK_SECRET=${generateSecret()}`)
+        .replace("PATCHRELAY_TOKEN_ENCRYPTION_KEY=replace-with-long-random-secret", `PATCHRELAY_TOKEN_ENCRYPTION_KEY=${generateSecret()}`);
+}
+async function writeTemplateFile(targetPath, content, force, options) {
+    if (!force && existsSync(targetPath)) {
+        if (options?.mode !== undefined) {
+            await enforceArbitraryFilePermissions(targetPath, options.mode);
+        }
+        return "skipped";
+    }
+    await mkdir(dirname(targetPath), { recursive: true });
+    await writeFile(targetPath, content, "utf8");
+    if (options?.mode !== undefined) {
+        await enforceArbitraryFilePermissions(targetPath, options.mode);
+    }
+    return "created";
+}
+async function applyPublicBaseUrlToConfig(configPath, publicBaseUrl) {
+    if (!publicBaseUrl || !existsSync(configPath)) {
+        return "skipped";
+    }
+    const original = await readFile(configPath, "utf8");
+    const document = parseConfigObject(original, configPath);
+    const server = document.server && typeof document.server === "object" && !Array.isArray(document.server)
+        ? { ...document.server }
+        : {};
+    server.public_base_url = publicBaseUrl;
+    document.server = server;
+    const next = stringifyConfig(document);
+    if (next === original) {
+        return "skipped";
+    }
+    await writeFile(configPath, next, "utf8");
+    return "updated";
+}
+export async function initializePatchRelayHome(options) {
+    const force = options?.force ?? false;
+    const publicBaseUrl = options?.publicBaseUrl;
+    const configDir = getPatchRelayConfigDir();
+    const runtimeEnvPath = getDefaultRuntimeEnvPath();
+    const serviceEnvPath = getDefaultServiceEnvPath();
+    const configPath = getDefaultConfigPath();
+    const stateDir = getPatchRelayStateDir();
+    const dataDir = getPatchRelayDataDir();
+    await mkdir(configDir, { recursive: true });
+    await mkdir(stateDir, { recursive: true });
+    await mkdir(dataDir, { recursive: true });
+    const runtimeEnvTemplate = renderTemplate(readBundledAsset("runtime.env.example"));
+    const serviceEnvTemplate = renderServiceEnvTemplate(readBundledAsset("service.env.example"));
+    const configTemplate = renderTemplate(readBundledAsset("config/patchrelay.example.json"), publicBaseUrl ? { publicBaseUrl } : undefined);
+    const runtimeEnvStatus = await writeTemplateFile(runtimeEnvPath, runtimeEnvTemplate, force);
+    const serviceEnvStatus = await writeTemplateFile(serviceEnvPath, serviceEnvTemplate, force, { mode: 0o600 });
+    const initialConfigStatus = await writeTemplateFile(configPath, configTemplate, force);
+    const configStatus = initialConfigStatus === "created" ? initialConfigStatus : await applyPublicBaseUrlToConfig(configPath, publicBaseUrl);
+    return {
+        configDir,
+        runtimeEnvPath,
+        serviceEnvPath,
+        configPath,
+        stateDir,
+        dataDir,
+        runtimeEnvStatus,
+        serviceEnvStatus,
+        configStatus,
+        ...(publicBaseUrl
+            ? {
+                publicBaseUrl,
+                webhookUrl: new URL("/webhooks/linear", publicBaseUrl).toString(),
+                oauthCallbackUrl: new URL("/oauth/linear/callback", publicBaseUrl).toString(),
+            }
+            : {}),
+    };
+}
+export async function installUserServiceUnits(options) {
+    const force = options?.force ?? false;
+    const unitPath = getSystemdUserUnitPath();
+    const reloadUnitPath = getSystemdUserReloadUnitPath();
+    const pathUnitPath = getSystemdUserPathUnitPath();
+    const serviceStatus = await writeTemplateFile(unitPath, renderTemplate(readBundledAsset("infra/patchrelay.service")), force);
+    const reloadStatus = await writeTemplateFile(reloadUnitPath, renderTemplate(readBundledAsset("infra/patchrelay-reload.service")), force);
+    const pathStatus = await writeTemplateFile(pathUnitPath, renderTemplate(readBundledAsset("infra/patchrelay.path")), force);
+    return {
+        unitPath,
+        reloadUnitPath,
+        pathUnitPath,
+        runtimeEnvPath: getDefaultRuntimeEnvPath(),
+        serviceEnvPath: getDefaultServiceEnvPath(),
+        configPath: getDefaultConfigPath(),
+        serviceStatus,
+        reloadStatus,
+        pathStatus,
+    };
+}
+export async function upsertProjectInConfig(options) {
+    const configPath = options.configPath ?? getDefaultConfigPath();
+    if (!existsSync(configPath)) {
+        throw new Error(`Config file not found: ${configPath}. Run "patchrelay init <public-base-url>" first so PatchRelay knows the public HTTPS origin for Linear.`);
+    }
+    const projectId = options.id.trim();
+    if (!projectId) {
+        throw new Error("Project id is required.");
+    }
+    const repoPath = ensureAbsolutePath(options.repoPath);
+    const issueKeyPrefixes = [...new Set((options.issueKeyPrefixes ?? []).map((value) => value.trim()).filter(Boolean))];
+    const linearTeamIds = [...new Set((options.linearTeamIds ?? []).map((value) => value.trim()).filter(Boolean))];
+    const original = await readFile(configPath, "utf8");
+    const parsed = parseConfigObject(original, configPath);
+    const existingProjects = Array.isArray(parsed.projects) ? parsed.projects : [];
+    const existingIndex = existingProjects.findIndex((project) => String(project.id ?? "") === projectId);
+    const existingProject = existingIndex >= 0 ? existingProjects[existingIndex] : undefined;
+    const nextProject = {
+        ...(existingProject ?? {}),
+        id: projectId,
+        repo_path: repoPath,
+        workflows: Array.isArray(existingProject?.workflows) && existingProject.workflows.length > 0
+            ? existingProject.workflows
+            : defaultProjectWorkflows(),
+    };
+    if (issueKeyPrefixes.length > 0) {
+        nextProject.issue_key_prefixes = issueKeyPrefixes;
+    }
+    else {
+        delete nextProject.issue_key_prefixes;
+    }
+    if (linearTeamIds.length > 0) {
+        nextProject.linear_team_ids = linearTeamIds;
+    }
+    else {
+        delete nextProject.linear_team_ids;
+    }
+    if (existingProjects.length - (existingProject ? 1 : 0) > 0 && issueKeyPrefixes.length === 0 && linearTeamIds.length === 0) {
+        throw new Error("Adding or updating a project in a multi-project config requires routing. Use --issue-prefix or --team-id.");
+    }
+    if (existingProjects.length - (existingProject ? 1 : 0) > 0) {
+        const unscoped = existingProjects.find((project, index) => {
+            if (index === existingIndex) {
+                return false;
+            }
+            const prefixes = Array.isArray(project.issue_key_prefixes) ? project.issue_key_prefixes : [];
+            const teamIds = Array.isArray(project.linear_team_ids) ? project.linear_team_ids : [];
+            const labels = Array.isArray(project.allow_labels) ? project.allow_labels : [];
+            return prefixes.length === 0 && teamIds.length === 0 && labels.length === 0;
+        });
+        if (unscoped) {
+            throw new Error(`Existing project ${String(unscoped.id ?? "unknown")} has no routing configured. Add routing before configuring multiple projects.`);
+        }
+    }
+    for (const prefix of issueKeyPrefixes) {
+        const owner = existingProjects.find((project, index) => index !== existingIndex &&
+            Array.isArray(project.issue_key_prefixes) &&
+            project.issue_key_prefixes.map(String).includes(prefix));
+        if (owner) {
+            throw new Error(`Issue key prefix "${prefix}" is already configured for project ${String(owner.id ?? "unknown")}`);
+        }
+    }
+    for (const teamId of linearTeamIds) {
+        const owner = existingProjects.find((project, index) => index !== existingIndex &&
+            Array.isArray(project.linear_team_ids) &&
+            project.linear_team_ids.map(String).includes(teamId));
+        if (owner) {
+            throw new Error(`Linear team id "${teamId}" is already configured for project ${String(owner.id ?? "unknown")}`);
+        }
+    }
+    const normalizedExistingProject = existingProject &&
+        JSON.stringify({
+            id: String(existingProject.id ?? ""),
+            repo_path: String(existingProject.repo_path ?? ""),
+            issue_key_prefixes: Array.isArray(existingProject.issue_key_prefixes)
+                ? existingProject.issue_key_prefixes.map(String)
+                : [],
+            linear_team_ids: Array.isArray(existingProject.linear_team_ids) ? existingProject.linear_team_ids.map(String) : [],
+        });
+    const normalizedNextProject = JSON.stringify({
+        id: String(nextProject.id ?? ""),
+        repo_path: String(nextProject.repo_path ?? ""),
+        issue_key_prefixes: issueKeyPrefixes,
+        linear_team_ids: linearTeamIds,
+    });
+    const status = existingProject === undefined ? "created" : normalizedExistingProject === normalizedNextProject ? "unchanged" : "updated";
+    const document = parseConfigObject(original, configPath);
+    if ("projects" in document && document.projects !== undefined && !Array.isArray(document.projects)) {
+        throw new Error(`Config file field "projects" must be a JSON array: ${configPath}`);
+    }
+    if (status !== "unchanged") {
+        const nextProjects = [...existingProjects];
+        if (existingIndex >= 0) {
+            nextProjects[existingIndex] = nextProject;
+        }
+        else {
+            nextProjects.push(nextProject);
+        }
+        document.projects = nextProjects;
+        const next = stringifyConfig(document);
+        await writeFile(configPath, next, "utf8");
+    }
+    try {
+        loadConfig(configPath, { profile: "write_config" });
+    }
+    catch (error) {
+        if (status !== "unchanged") {
+            await writeFile(configPath, original, "utf8");
+        }
+        throw error;
+    }
+    return {
+        configPath,
+        status,
+        project: {
+            id: projectId,
+            repoPath,
+            issueKeyPrefixes,
+            linearTeamIds,
+        },
+    };
+}