diff --git a/README.md b/README.md
index 34f050e5..7be20081 100644
--- a/README.md
+++ b/README.md
@@ -79,6 +79,12 @@ additional stores from interactive `cr init` under **Configure secrets
 storage**. The built-in `local-os` store is read-only configuration and cannot
 be removed.
 
+Interactive `cr init` treats credential stores, repository access, LLM runtimes,
+reviewer entities, and review profiles as separate reusable building blocks.
+Configure repository access to define how `cr` accesses Git repositories as the
+current user; review profiles then select one configured repository-access entry
+instead of editing Git credentials inline.
+
 Interactive `cr init` discovers available secrets backends by default so it can
 offer local 1Password account/vault choices and passive backend availability
 checks. Use `cr init --secret-backend-discovery=safe` to skip active inventory
@@ -221,8 +227,11 @@ Host matching is case-insensitive after normalization, while namespace and repo
 matching are case-sensitive after trimming whitespace. An explicit `--profile`
 bypasses repository routing. Route targets still use the profile's configured
 auth mode. Passing `--profile ""` is invalid.
-For GitHub App auth, `cr review` can use the PR owner/repo to look up the app
-installation when `github_app_installation_id` is not staged.
+For GitHub App reviewer entities, the review profile chooses whether `cr review`
+discovers the installation from each PR owner/repo or uses one pinned
+installation ID stored in profile config. Discovery is the normal choice for
+profiles routed to multiple organizations or users; pinning is only appropriate
+when every route for that profile uses the same installation.
 
 Add or replace one credential later:
 
@@ -307,7 +316,8 @@ profiles:
     agent_sources:
       - ~/.config/codereview/agents
     review_policy:
-      major_event: comment
+      major_event: request_changes
+      resolve_threads: auto
 ```
 
 For adapter-managed LLM credentials, use `auth: subscription` and omit
@@ -396,15 +406,17 @@ When deploying a profile without the interactive wizard, run
 then use `set-credential` only for secrets that you are intentionally staging
 outside init. Example:
 
-`github_app_installation_id` is optional for `cr review`, which can discover
-the installation from the PR repository. Stage it when you want `cr me` and
-other commands without repository context to work.
+GitHub App reviewer credentials store the App ID and private key only. The
+review profile stores installation routing: `discover_from_repository` for PR
+context lookup, or `pinned` with one numeric installation ID when every route for
+that profile shares the same installation.
 
 ```bash
 cr --profile work init --non-interactive \
   --git-host github.com \
   --git-credential-ref codereview/work \
   --reviewer-auth-mode github_app \
+  --reviewer-github-app-id "$GITHUB_APP_ID" \
   --reviewer-credential-ref codereview/work-reviewer-app \
   --llm-provider anthropic \
   --llm-auth api_key \
@@ -418,13 +430,6 @@ printf '%s' "$USER_GITHUB_TOKEN" | cr set-credential \
   --stdin \
   --overwrite
 
-printf '%s' "$GITHUB_APP_ID" | cr set-credential \
-  --store local-os \
-  --name codereview/work-reviewer-app \
-  --key github_app_id \
-  --stdin \
-  --overwrite
-
 printf '%s' "$GITHUB_APP_PRIVATE_KEY" | cr set-credential \
   --store local-os \
   --name codereview/work-reviewer-app \
@@ -432,14 +437,6 @@ printf '%s' "$GITHUB_APP_PRIVATE_KEY" | cr set-credential \
   --stdin \
   --overwrite
 
-# Optional: needed for cr me and other commands without repository context.
-printf '%s' "$GITHUB_APP_INSTALLATION_ID" | cr set-credential \
-  --store local-os \
-  --name codereview/work-reviewer-app \
-  --key github_app_installation_id \
-  --stdin \
-  --overwrite
-
 printf '%s' "$ANTHROPIC_API_KEY" | cr set-credential \
   --store local-os \
   --name codereview/work-llm \
@@ -496,10 +493,9 @@ profiles:
     agent_sources:
       - ~/.config/codereview/agents
     review_policy:
-      major_event: comment
+      major_event: request_changes
       allow_self_approve: false
       resolve_threads: auto
-      resolve_after: 24h
 data:
   retention:
     max_age_days: 90
@@ -593,7 +589,8 @@ Credential key matrix:
 |---------------|---------|---------------|---------------|---------------|-------------|
 | `git.credential` | User Git host auth | `pat` | `git_token` | None | Supported |
 | `reviewer_credentials.credential` | Reviewer Git host auth | `pat` | `git_token` | None | Supported; must use a distinct credential location from `git.credential` in the same profile |
-| `git.credential` / `reviewer_credentials.credential` | Git host auth | `github_app` | `github_app_id`, `github_app_private_key` | `github_app_installation_id` | Supported for GitHub. `cr review` can discover the installation from the PR repository when the optional installation ID is omitted; commands without repository context require it |
+| `git.github_app.app_id` / reviewer entity `github_app.app_id` | Git host auth | `github_app` | Config field, not a credential key | None | Non-secret GitHub App ID stored in config. Scripted init uses `--git-github-app-id` or `--reviewer-github-app-id` |
+| `git.credential` / reviewer entity credential | Git host auth | `github_app` | `github_app_private_key` | None | Supported for GitHub. Reviewer GitHub App installation routing lives on `profiles.<name>.reviewer.github_app_installation`, not in the credential bundle |
 | `git.credential` / `reviewer_credentials.credential` | Git host auth | `oauth_device` | None | None | Reserved; config recognizes the mode but v1 rejects it and does not accept future keys such as `git_oauth_access_token` or `git_oauth_refresh_token` |
 | `llm.credential` | Anthropic direct API auth | `api_key` + `anthropic` | `anthropic_api_key` | None | Supported |
 | `llm.credential` | OpenAI direct API auth | `api_key` + `openai` | `openai_api_key` | None | Supported |
@@ -718,15 +715,28 @@ Prints the build version as `cr <version-info>`. It takes no arguments.
 cr init [flags]
 ```
 
-Creates or updates non-secret config. In v1, `--non-interactive` is required.
-If the selected profile already exists, pass `--replace-profile` to replace the
-profile config.
+Creates or updates non-secret config. If the selected profile already exists,
+pass `--replace-profile` to replace the profile config.
+
+Without `--non-interactive`, `cr init` opens an interactive workspace builder.
+The main menu stages changes in reusable areas before a final commit:
+
+1. Configure secrets storage
+2. Configure repository access
+3. Configure LLM runtimes
+4. Configure reviewer entities
+5. Configure review profiles
+6. Configure global settings
+
+Review profiles compose repository access, reviewer entity, and LLM runtime
+selections. Repository access must be configured before creating a review
+profile.
 
 Flags:
 
 | Flag | Semantics |
 |------|-----------|
-| `--non-interactive` | Required in v1. Run without prompts. |
+| `--non-interactive` | Run without prompts. |
 | `--git-host <host>` | Git host, default `github.com`. The PR host must match this value. |
 | `--git-credential-ref <name>` | Credential name for Git auth. Defaults to `codereview/<profile>`. |
 | `--git-token-stdin` | Read the Git token from stdin and write key `git_token`. |
@@ -743,19 +753,19 @@ Flags:
 | `--llm-api-key-from-env <env>` | Read the LLM API key from an environment variable and write `anthropic_api_key` or `openai_api_key` according to `--llm-provider`. |
 | `--secret-backend-discovery <mode>` | Interactive secrets-backend discovery mode: `full` runs active inventory probes such as 1Password account/vault lookup, `safe` uses only passive availability checks, and `off` skips backend discovery. Defaults to `full`; `CR_SECRET_BACKEND_DISCOVERY` can set the same value when the flag is omitted. |
 | `--agent-source <path>` | Add a trusted agent source directory. Repeatable. |
-| `--major-event <policy>` | `comment` or `request_changes`. Controls review event for major findings. |
+| `--major-event <policy>` | `comment` or `request_changes`. Controls review event for major findings. Defaults to `request_changes`. |
 | `--allow-self-approve` | Store profile policy allowing self approval. Live review can still require `--allow-self-approve` depending on invocation. |
-| `--resolve-threads <policy>` | `auto` or `never`. Empty leaves thread resolution unset. |
-| `--resolve-after <duration>` | Store a validated duration such as `24h` for future thread-resolution policy. Current review planning uses `resolve_threads`/`--no-resolve-threads`, not this delay. |
+| `--resolve-threads <policy>` | `auto` or `never`. Defaults to `auto`. |
 | `--overwrite` | Replace existing keyring entries written by this command. |
 | `--replace-profile` | Replace an existing profile config. |
 
 Only one stdin secret ingress flag may be used at a time. PAT reviewer
 credentials use key `git_token` under their own credential name, so
 `--reviewer-credential-ref` must differ from `--git-credential-ref`. GitHub App
-reviewer credentials use `github_app_id` and `github_app_private_key`, plus
-optional `github_app_installation_id`; `init` does not accept reviewer token
-ingress for `--reviewer-auth-mode github_app`. LLM API-key ingress requires
+reviewers store their non-secret App ID in config via `--reviewer-github-app-id`
+and use `github_app_private_key` as the only credential-store key; installation
+routing is profile config, not a credential key. `init` does not accept
+reviewer token ingress for `--reviewer-auth-mode github_app`. LLM API-key ingress requires
 `--llm-auth api_key`. `--overwrite` with API-key auth requires an LLM key
 ingress flag. `--allow-self-review` is intentionally runtime-only on
 `cr review`; `init` only stores the profile-level self-approval policy.
@@ -767,12 +777,12 @@ cr set-credential --store <id> --name <credential-name> --key <key> (--stdin | -
 ```
 
 Writes one secret value to the selected credential store. Globally allowed keys are
-`git_token`, `github_app_id`, `github_app_private_key`,
-`github_app_installation_id`, `anthropic_api_key`, and `openai_api_key`. When
+`git_token`, `github_app_private_key`, `anthropic_api_key`, and
+`openai_api_key`. When
 `config.yml` declares the target credential location, `set-credential` narrows
 that global allowlist to the exact key set expected for that credential. PAT
-user Git credentials and PAT reviewer credentials use `git_token`; GitHub App credentials use `github_app_id`,
-`github_app_private_key`, and optional `github_app_installation_id`; Anthropic
+user Git credentials and PAT reviewer credentials use `git_token`; GitHub App
+credentials use `github_app_private_key`; Anthropic
 LLM API-key credentials use `anthropic_api_key`; OpenAI LLM API-key credentials use
 `openai_api_key`.
 
diff --git a/docs/init-config-surface.md b/docs/init-config-surface.md
index 12416ae3..106b7c86 100644
--- a/docs/init-config-surface.md
+++ b/docs/init-config-surface.md
@@ -42,47 +42,38 @@ intentionally unsupported.
 | Path | Interactive handling | Scripted owner | Defaults and second-run prepopulation | Mutation semantics | Helper/command owner and expected tests |
 |------|----------------------|----------------|---------------------------------------|--------------------|-----------------------------------------|
 | config.secrets.stores | Configure secrets storage creates and edits user-configured credential stores. The built-in OS credential store is projected as `local-os` and is not persisted here. | Interactive main-menu secrets-storage flow only. Scripted credential writes choose an existing store explicitly. | Omitted means only the built-in OS credential store is available. Existing stores are pre-populated in the inventory. | Store ids must not be `local-os`. Store metadata is non-secret. Creating, editing, and deleting configured stores never deletes credential values. | #356 establishes explicit stores and removes ambient/default credential-store selection. |
+| config.repository_access | Configure repository access creates and edits reusable Git host/user credential definitions independently from review profiles. Profiles select one configured repository access item when composing a reviewer. | Interactive main-menu repository-access flow only for now. Future config commands may own scripted repository-access CRUD. | Omitted means no reusable repository access is configured yet. Existing profile Git blocks may be projected into repository access during the staged rewrite. | Repository access names are stable ids. Definitions store host, auth mode, non-secret GitHub App ID when applicable, and an explicit credential location. They never store secret values. | Repository-access data model tests and init repository-access UX tests. |
 | config.llm_runtimes | Configure LLM runtimes creates and edits reusable runtime definitions independently from review profiles. Profiles select one configured runtime when composing a reviewer. | Interactive main-menu LLM runtime flow only for now. Future config commands may own scripted runtime CRUD. | Omitted means no reusable runtimes are configured yet. The profile editor can send the user to the runtime flow when no runtime exists. Existing runtimes are pre-populated in the inventory. | Runtime names are stable ids. Subscription runtimes store only non-secret provider/auth/adapter settings. API-key runtimes store an explicit credential location and never the secret value. Deleting a runtime requires affected profiles to select a replacement or be edited. | #356 makes runtime setup standalone and keeps profile composition explicit. |
 | config.repository_profiles[] | Route editor opens directly with existing namespace and repo routes prefilled so the user can edit them in place or blank the field to remove all routes for the profile. | Existing `cr config route set` and `cr config route unset`; #186 documents route commands. #187 must not add a nested multi-route init grammar. | Empty or omitted means no automatic repository profile selection; runtime commands require `--profile` until a matching route is configured. Existing routes are prefilled on later runs. | Leaving the prefilled text unchanged preserves routes. Mutations must converge through shared route helpers and preserve unrelated routes. Blanking the field removes the profile's routes. | #177 extracts route helpers. #185 tests list/edit/remove, route canonicalization, and preservation. |
 | config.repository_profiles[].profile | Route wizard selects the profile that a route resolves to. | Existing `cr config route set --profile <name> ...`. | No default inside an entry; required when a route exists. Existing profile is pre-populated. | Overwrite only to an existing profile. Profile rename updates matching route entries. | #177 profile rename/route reference helper. #185 tests rename updates and invalid profile rejection. |
 | config.repository_profiles[].match.host | Route wizard derives from selected profile host or pasted PR URL. | Existing `cr config route set --host`. | Required for a route. Existing host is pre-populated and normalized. | Must match the target profile's `git.host`. Host edits on a profile with routes are blocked or reconciled by #185. | #177 route helper, #185 PR URL derivation and host/profile validation tests. |
 | config.repository_profiles[].match.namespace | Route wizard asks for owner/org or derives from PR URL. | Existing `cr config route set --namespace`. | Required for a route. Existing namespace is pre-populated. | Overwrite validates non-empty and preserves repo-vs-namespace route identity. | #177 route helper. #185 namespace route tests. |
 | config.repository_profiles[].match.repos[] | Route wizard supports namespace-wide route when omitted or repo-specific routes when provided. | Existing repeatable `cr config route set --repo` and `cr config route unset --repo`. | Omitted means namespace-wide route. Existing repos are pre-populated in deterministic order. | Preserve on skip. Add/edit/remove dedupes and sorts via shared route helper. Clear repos converts only when the user explicitly chooses namespace-wide routing. | #177 route helper. #185 repo route and namespace conversion tests. |
-| config.profiles.<name> | Core profile wizard selects existing profile, creates a new profile, or renames an existing profile. | Existing global `--profile` with `cr init --non-interactive` owns scripted create/replace. Scripted rename is intentionally unsupported by init and belongs to future profile-management command design. | When `cr init` starts without a global `--profile`, it suggests `default` as the new profile name. Existing profile names are pre-populated. | Create requires a valid profile body. Rename preserves credential locations by default, updates repository routes, and does not delete old credential-store entries. | #177 profile rename helper. #180 tests create/select/rename and validation. |
-| config.profiles.<name>.git.host | Core profile wizard edits Git host. | Existing `cr init --git-host`; existing route commands own route-safe scripted changes. | Current init defaults to `github.com`. Existing value is pre-populated. | Set validates non-empty normalized host. If routes reference the profile and reconciliation is not selected, block or defer the edit. | #180 blocks/defer route-unsafe host edits. #185 implements reconciliation tests. |
-| config.profiles.<name>.git.auth_mode | Core profile wizard chooses `pat` or `github_app`; `oauth_device` remains reserved. | `cr init --git-auth-mode`, parallel to existing reviewer auth mode. Current init otherwise defaults user Git auth to PAT. | Existing value is pre-populated. New profile defaults to `pat`. | Overwrite only to supported v1 modes. Switching auth modes re-plans credential keys but does not delete old secrets. | #179 credential-ref/key-spec planner. #180 auth-mode prompt tests. |
-| config.profiles.<name>.git.credential.store | User Git auth chooses an existing credential store before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --store`. | New profiles start with `local-os` selected. Existing store id is pre-populated. | Must be `local-os` or a configured store id. Store setup is not available inline from this flow. | #356 explicit destination tests. |
-| config.profiles.<name>.git.credential.name | User Git auth names the credential bundle before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --name`. | New profile defaults to `codereview/<profile>`. Existing name is pre-populated and preserved by default. | Must use the `codereview/<profile>` credential grammar. It must differ from other credentials in the same profile when the store also matches. | #356 explicit credential-location tests. |
-| config.profiles.<name>.git.identity_cache | Not shown as an editable init field. Preserve only. | Intentionally unsupported for init and config mutation. Runtime identity refresh owns it. | Existing cache is preserved. New profiles omit it. | Preserve unless a future explicit cache invalidation ticket owns behavior. Profile rename does not rewrite cache contents. | Preserve-only regression in #177/#180. |
-| config.profiles.<name>.reviewer_credentials | Optional reviewer credential section. Wizard supports skip, preserve, enable, edit, or clear reviewer config. | Existing `cr init --reviewer-credential-ref` and `--reviewer-auth-mode` own enable/edit. `cr init --disable-reviewer` owns scripted removal. | Omitted means posting uses Git credentials. Existing section is pre-populated. | Clear removes the whole section. Enable requires auth mode and credential location. The store/name pair must differ from Git and LLM credential locations. | #179 planner and #180 optional section tests. #181 secret ingress tests. |
-| config.profiles.<name>.reviewer_credentials.auth_mode | Reviewer wizard chooses PAT or GitHub App; `oauth_device` remains reserved. | Existing `cr init --reviewer-auth-mode`. | Current init defaults reviewer mode to `pat` when reviewer credentials are requested. Existing value is pre-populated. | Overwrite only to supported v1 modes. Switching modes re-plans key specs and preserves old secrets unless explicit overwrite/migration occurs. | #179 credential bundle tests for PAT and GitHub App. |
-| config.profiles.<name>.reviewer_credentials.credential.store | Reviewer Git auth chooses an existing credential store before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --store`. | New reviewer credentials start with `local-os` selected unless the user chooses another configured store. Existing store id is pre-populated. | Must be `local-os` or a configured store id. Store setup is not available inline from this flow. | #356 explicit destination tests. |
-| config.profiles.<name>.reviewer_credentials.credential.name | Reviewer Git auth names the credential bundle before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --name`. | New reviewer section defaults to `codereview/<profile>-reviewer`, or `codereview/<label>-reviewer` when the user types a new reviewer entity label. Existing name is pre-populated and preserved. | Must use the `codereview/<profile>` credential grammar. It must differ from Git and LLM credentials in the same profile when the store also matches. | #356 explicit credential-location tests. |
-| config.profiles.<name>.reviewer_credentials.display_name | Reviewer wizard lets the user set or clear a human-friendly label for a separate reviewer entity. | Interactive `cr init` only for now. No dedicated scripted owner yet. | Empty means chooser labels fall back to deterministic credential-ref/profile-derived text. Existing value is pre-populated. | Preserve on skip. Overwrite trims surrounding whitespace. Clear is valid and returns the entity to fallback labeling. Conflicting labels across profiles that share one reviewer identity do not create duplicate identities; the shared chooser entry falls back to deterministic identity text until one label wins. | #244 tests round-trip, validation, shared-identity conflict fallback, and chooser labeling. |
-| config.profiles.<name>.reviewer_credentials.identity_cache | Not shown as an editable init field. Preserve only. | Intentionally unsupported for init and config mutation. Runtime identity refresh owns it. | Existing cache is preserved. New reviewer sections omit it. | Preserve unless a future explicit cache invalidation ticket owns behavior. | Preserve-only regression in #177/#180. |
-| config.profiles.<name>.llm.provider | Core profile wizard chooses provider. | Existing `cr init --llm-provider`. | Current init defaults to `anthropic`. Existing value is pre-populated. | Overwrite validates provider and may require compatible auth/adapter/key specs. | #179 provider credential planning. #180 provider/auth/adapter compatibility tests. |
-| config.profiles.<name>.llm.auth | Core profile wizard chooses subscription or API key auth. | Existing `cr init --llm-auth`. | Current init defaults to `subscription`. Existing value is pre-populated. | Subscription requires empty `llm.credential`; API key requires a provider-supported credential location and secret plan. | #179 planner tests subscription/API-key transitions. #181 ingress tests. |
-| config.profiles.<name>.llm.adapter | Core profile wizard chooses compatible adapter. | Existing `cr init --llm-adapter`. | Current init defaults to `claude_cli`. Existing value is pre-populated. | Overwrite validates provider/auth compatibility, including `openai+codex_cli+subscription` and `pi+pi_rpc+subscription`. | #180 compatibility tests. |
-| config.profiles.<name>.llm.credential.store | LLM API-key auth chooses an existing credential store before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --store`. | Omitted for subscription auth. API-key auth starts with `local-os` selected unless the user chooses another configured store. Existing store id is pre-populated. | Must be empty for subscription auth. Must be `local-os` or a configured store id for API-key auth. Store setup is not available inline from this flow. | #356 explicit destination tests. |
-| config.profiles.<name>.llm.credential.name | LLM API-key auth names the credential bundle before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --name`. | Omitted for subscription auth. API-key auth defaults to `codereview/<profile>-llm`. Existing name is pre-populated. | Must be empty for subscription auth. Must use the `codereview/<profile>` credential grammar for API-key auth. It must differ from Git/reviewer credentials in the same profile when the store also matches. | #356 explicit credential-location tests. |
-| config.profiles.<name>.llm.model_map | Model-tier mapping editor opens directly with the effective tier mappings for the selected runtime. Built-in mappings are shown in-place, configured overrides are shown in-place, and unmapped tiers stay visibly empty. | Existing `cr config llm models set/unset/reset`; #186 documents this scripted sequence. #187 must not add model-map init flags. | Omitted uses provider/adapter built-ins. Existing overrides are merged into the visible effective values. | Leaving a built-in value unchanged keeps the built-in mapping without serializing a redundant override. Entering a different value stores an explicit override. Clearing a prefilled override falls back to the built-in mapping when one exists, otherwise leaves the tier unmapped. | #182 tests add/edit/remove/reset and invalid entries, plus prompt-level round trips for keeping and clearing prefilled override-backed tiers. |
-| config.profiles.<name>.llm.reviewer_model_tier | Core profile wizard frames this as a minimum reviewer model tier and offers the built-in small baseline or explicit small, medium, and large baselines. | `cr init --llm-reviewer-model-tier` and `--clear-llm-reviewer-model-tier`, because no config command currently mutates this field directly. | Omitted means effective small baseline. Existing value is pre-populated. | Preserve on skip. Reset clears field. Set validates model tier. | #180 prompt tests. #187 flag persistence tests. |
+| config.profiles.<name> | Core profile wizard selects existing profile, creates a new profile, or renames an existing profile. | Existing global `--profile` with `cr init --non-interactive` owns scripted create/replace. Scripted rename is intentionally unsupported by init and belongs to future profile-management command design. | New profile names start blank. Existing profile names are pre-populated. | Create requires a valid profile body. Rename preserves credential locations by default, updates repository routes, and does not delete old credential-store entries. | #177 profile rename helper. #180 tests create/select/rename and validation. |
+| config.profiles.<name>.repository_access | Review profile composition selects one configured repository access definition. | Interactive review-profile flow only for now. Existing `cr init --git-*` flags populate or update repository access during the staged CLI rewrite. | New profiles require an explicit repository access selection. Existing legacy profile Git blocks may be projected into this field during the staged rewrite. | Must reference `config.repository_access`. Route host validation uses the selected repository access Git host. | Repository-access reference validation tests and init profile composition tests. |
+| config.reviewer_entities | Configure reviewer entities creates and edits reusable posting identities independently from review profiles. Entity definitions include host, auth mode, credential location, display name, and identity cache. | Interactive main-menu reviewer-entity flow only for now. Future config commands may own scripted reviewer-entity CRUD. | Omitted means no separate reviewer identities are configured yet. Profiles can still choose `git_identity`. Existing entities are pre-populated in the inventory. | Entity names are stable ids. PAT and GitHub App entities store explicit credential locations and never the secret values. Deleting a referenced entity requires affected profiles to select a replacement or use Git identity. | First-class reviewer-entity data model tests and init reviewer-entity UX tests. |
+| config.profiles.<name>.reviewer.kind | Review profile composition chooses whether posting uses the profile Git account or a configured reviewer entity. | Interactive review-profile flow only for now. | New profiles require an explicit choice. Existing value is pre-populated. | `git_identity` requires empty `reviewer.entity`; `entity` requires an existing reviewer entity whose host matches profile Git host. | First-class reviewer-reference validation tests. |
+| config.profiles.<name>.reviewer.entity | Review profile composition selects one configured reviewer entity when `reviewer.kind` is `entity`. | Interactive review-profile flow only for now. | Empty for `git_identity`. Existing entity reference is pre-populated. | Must reference `config.reviewer_entities`. The entity credential must differ from Git and selected LLM runtime credentials when the store also matches. | First-class reviewer-reference validation tests. |
+| config.profiles.<name>.reviewer.github_app_installation.mode | Review profile composition chooses how a GitHub App reviewer entity resolves its installation. | Interactive review-profile flow only for now. | Required when `reviewer.entity` uses GitHub App auth. New GitHub App reviewer selections default to `discover_from_repository`. | `discover_from_repository` resolves from PR repository context; `pinned` requires `installation_id`. Must be empty for PAT and Git identity reviewers. | GitHub App reviewer installation routing tests. |
+| config.profiles.<name>.reviewer.github_app_installation.installation_id | Review profile composition stores an optional pinned GitHub App installation id for this profile. | Interactive review-profile flow only for now. | Empty unless installation mode is `pinned`. | Must be a decimal GitHub App installation id when present. This is profile routing data, not secret material. | GitHub App reviewer installation routing tests. |
+| config.profiles.<name>.llm_runtime | Review profile composition selects one configured LLM runtime by name. | Interactive review-profile flow only for now. Future config commands may own scripted profile composition. | New profiles require an explicit runtime choice. Existing runtime reference is pre-populated. | Must reference `config.llm_runtimes`. API-key runtime credentials must differ from Git and selected reviewer entity credentials when the store also matches. | First-class LLM-runtime reference validation tests. |
 | config.profiles.<name>.agent_sources[] | Direct trusted-directory editor shows existing profile agent-source paths in one multiline field with explanatory notes about trust and separate repo-local `.codereview/agents` discovery. | Existing `cr init --agent-source`; existing `cr config agent-source add/remove`; #186 docs sequence. | Omitted means no additional profile-specific trusted directories. Existing values are pre-populated line-by-line. | Preserve on skip. Clearing the field removes all profile-specific agent sources. Entered paths are normalized and deduped through the shared config-edit helper. | #177 extracts helper. #183 tests add/remove/reset/preserve. #289 prompt tests cover explanatory copy, multiline entry, and Back. |
-| config.profiles.<name>.review_policy.major_event | Review-policy wizard chooses comment or request_changes. | Existing `cr init --major-event`. | Current init defaults to `comment`. Existing value is pre-populated. | Preserve on skip. Set validates enum. Reset clears to normalized default `comment`. | #183 tests prompt, reset, and validation. |
+| config.profiles.<name>.review_policy.major_event | Review-policy wizard chooses request_changes or comment. | Existing `cr init --major-event`. | Current init defaults to `request_changes`. Existing value is pre-populated. | Preserve on skip. Set validates enum. Reset clears to normalized default `request_changes`. | #183 tests prompt, reset, and validation. |
 | config.profiles.<name>.review_policy.allow_self_approve | Review-policy wizard toggles durable self-approval policy. | Existing `cr init --allow-self-approve`. | Current init defaults false. Existing value is pre-populated. | Preserve on skip. Set true/false explicitly. Runtime `cr review --allow-self-approve` remains separate. | #183 tests true/false preservation. |
-| config.profiles.<name>.review_policy.resolve_threads | Review-policy wizard chooses unset, auto, or never. | Existing `cr init --resolve-threads`. | Empty means normal runtime behavior. Existing value is pre-populated. | Preserve on skip. Reset clears field. Set validates enum. Runtime `--no-resolve-threads` remains one-shot. | #183 tests unset/auto/never. |
-| config.profiles.<name>.review_policy.resolve_after | Review-policy wizard edits or clears the configured duration. | Existing `cr init --resolve-after`. | Empty means no configured delay. Existing value is pre-populated. | Preserve on skip. Reset clears field. Set validates Go duration. | #183 tests duration validation and clear. |
+| config.profiles.<name>.review_policy.resolve_threads | Review-policy wizard chooses auto or never. | Existing `cr init --resolve-threads`. | Current init defaults to `auto`. Existing value is pre-populated. | Preserve on skip. Set validates enum. Runtime `--no-resolve-threads` remains one-shot. | #183 tests auto/never. |
 | config.data.retention.max_age_days | Global retention editor shows one direct `Maximum run-data age in days` field plus explanatory run-data copy. | New `cr config retention set/reset` from #178. #187 must not add retention init flags without amending this contract. | Omitted normalizes to 90. Explicit `0` means keep forever. Existing value is pre-populated with the effective current value, including `0` for keep forever. | Preserve on skip. Blank input resets to the 90-day default. Set accepts non-negative days. `0` keeps posted-review run data indefinitely. | #178 command tests and #184 wizard tests cover omitted/default vs explicit 0. #290 prompt tests cover direct prefills, blank-to-default reset, and Back. |
 | config.data.retention.enforcement | Not shown in interactive init; retained as command-level/power-user config. | New `cr config retention set/reset` from #178. #187 must not add retention init flags without amending this contract. | Omitted normalizes to `at_write`. Existing value is preserved when init edits retention. | Interactive init preserves the current enforcement value. `cr config retention` remains the path for explicit `at_write` vs `manual_only` changes. | #178 command tests and #184 wizard tests cover reset/manual-only. #290 init tests cover preservation when editing max age. |
 
 ## Profile Lifecycle Semantics
 
-Each credential-writing workflow stores an explicit credential location in the
-profile: `credential.store` plus `credential.name`. The built-in OS credential
-store is always addressable as `local-os`, and user-configured stores live under
+Each credential-writing workflow stores an explicit credential location:
+`credential.store` plus `credential.name`. User Git locations live on
+repository access definitions, reviewer locations live on reviewer entities, and
+LLM API-key locations live on LLM runtimes. The built-in OS credential store is
+always addressable as `local-os`, and user-configured stores live under
 `secrets.stores`. Runtime code must use the credential location attached to the
-Git, reviewer, or LLM credential being read or written; it must not infer a
-destination from a profile-level or global credential-store default.
+specific Git, reviewer, or LLM credential being read or written; it must not
+infer a destination from a profile-level or global credential-store default.
 
 The same `credential.name` may appear in different stores. Within one profile,
 credential locations must not collide when both the store and name match.
@@ -141,7 +132,7 @@ secret ingress.
 |---------|---------------|-------------|---------------|---------------|--------------------------------|----------------|
 | User Git auth | `pat` | `codereview/<profile>` | `git_token` | None | Keep preserves existing store/name and key. Defer stores the credential location and prints follow-up `cr set-credential --store ... --name ...`. Overwrite writes `git_token` through the selected credential store only. | Profile rename preserves the credential location. Regenerate only with explicit key migration or overwrite. |
 | Reviewer Git auth | `pat` | `codereview/<profile>-reviewer`, or label-derived for new interactive reviewer entities | `git_token` | None | Interactive reviewer setup collects `git_token` inline before staging a new or changed reviewer credential location. Keep preserves an unchanged credential location. Clearing the reviewer section removes the location from config but does not delete secrets. | Profile rename and reviewer label edits preserve existing credential locations. No implicit rename/migration. |
-| User or reviewer Git auth | `github_app` | Same purpose-specific defaults as PAT | `github_app_id`, `github_app_private_key` | `github_app_installation_id` | Keep preserves bundle. Interactive reviewer setup collects required GitHub App keys inline before staging a new or changed reviewer credential location; optional installation ID may be left blank. Scripted/deferred flows print one follow-up command per required key. Overwrite writes only keys the user provided, with required-key validation before saving. | Migration is bundle-wide and explicit only: never leave config pointing at a partially moved bundle. |
+| User Git auth or reviewer entity auth | `github_app` | Same purpose-specific defaults as PAT | `github_app_private_key` | None | Keep preserves bundle. GitHub App IDs are non-secret config (`github_app.app_id`). Interactive reviewer setup collects the App ID as config and the private key as the only secret before staging a new or changed reviewer credential location. Reviewer profile installation routing is stored in `profiles.<name>.reviewer.github_app_installation`, not the credential bundle. Scripted/deferred flows print a follow-up command for the private key only. Overwrite writes only keys the user provided, with required-key validation before saving. | Migration is explicit only: never leave config pointing at a partially moved credential location. |
 | Git auth | `oauth_device` | None | None | None | Unsupported in v1. The wizard must not offer it as a selectable mode. | Future OAuth work must amend this document. |
 | LLM API key | `anthropic` + `api_key` | `codereview/<profile>-llm` | `anthropic_api_key` | None | Keep preserves existing credential location. Defer stores the location only if the key already exists or follow-up is clearly rendered. Overwrite writes provider key through the selected credential store. | Preserve custom locations on rename. Regeneration requires explicit migration/overwrite. |
 | LLM API key | `openai` + `api_key` | `codereview/<profile>-llm` | `openai_api_key` | None | Same as Anthropic API-key auth. | Same as Anthropic API-key auth. |
diff --git a/docs/init-ux-contract.md b/docs/init-ux-contract.md
index b01a0237..2ac3d200 100644
--- a/docs/init-ux-contract.md
+++ b/docs/init-ux-contract.md
@@ -24,22 +24,22 @@ Use this document to answer:
 
 Interactive `init` should use these primary user-facing terms:
 
-- **Git scope**: the Git host and main Git credentials that define where a
-  review profile operates. Examples for v1 are `github.com` and GitHub
-  Enterprise hosts such as `github.mycompany.com`.
+- **Repository access**: the reusable Git host and current-user Git credentials
+  that define how `cr` accesses repositories. Examples for v1 are `github.com`
+  and GitHub Enterprise hosts such as `github.mycompany.com`.
 - **Reviewer entity**: the actor that posts `COMMENT`, `APPROVE`, or
   `REQUEST_CHANGES` on pull requests.
 - **LLM runtime**: the way reviewer agents run and authenticate, such as Claude
   CLI subscription auth, Codex CLI subscription auth, Pi local runtime, or a
   direct API-key-backed provider path.
-- **Review profile**: one saved profile assembled from a Git scope, an LLM
-  runtime, and a reviewer entity, plus its related review policy, routes, and
-  optional advanced settings.
+- **Review profile**: one saved profile assembled from repository access, an
+  LLM runtime, and a reviewer entity, plus its related review policy, routes,
+  and optional advanced settings.
 
 Supporting language is allowed when it helps teach the model:
 
 - A profile is the saved result.
-- A Git scope is the thing the user chooses while assembling that profile.
+- Repository access is the thing the user chooses while assembling that profile.
 - Credential storage is user-facing as **credential store** plus **credential
   name**. The name is the full visible `codereview/...` path written to the
   selected store.
@@ -48,7 +48,7 @@ Supporting language is allowed when it helps teach the model:
 
 Interactive `cr init` should teach this composition:
 
-`Git scope + reviewer entity + LLM runtime = review profile`
+`Repository access + reviewer entity + LLM runtime = review profile`
 
 The user should understand:
 
@@ -59,7 +59,7 @@ The user should understand:
 The user should not need to understand the on-disk config schema in order to
 complete the primary path.
 
-## GitHub Scope For V1
+## GitHub Repository Access For V1
 
 Prompt language for Git hosts should stay GitHub and GitHub Enterprise oriented
 for v1.
@@ -78,17 +78,20 @@ profiles before saving.
 
 The intended top-level shape is:
 
-1. Configure LLM runtimes
-2. Configure reviewer entities
-3. Configure review profiles
-4. Configure global settings
-5. Configure secrets management
-6. Commit staged changes and exit
-7. Discard staged changes and exit
+1. Configure secrets storage
+2. Configure repository access
+3. Configure LLM runtimes
+4. Configure reviewer entities
+5. Configure review profiles
+6. Configure global settings
+7. Commit staged changes and exit
+8. Discard staged changes and exit
 
 This ordering is intentional:
 
 - LLM runtime setup is usually obvious to the user and easy to reason about.
+- Repository access setup makes current-user Git host and credential routing a
+  reusable building block instead of profile-local inline fields.
 - Reviewer entity setup gives the user a clear explanation for who will post
   reviews and why they may need a separate actor.
 - Review profiles compose those earlier choices into saved working
@@ -110,7 +113,7 @@ For a first-time user, interactive `init` should:
 The first-run user should be able to understand:
 
 - what a profile is
-- what Git scope means
+- what repository access means
 - what a reviewer entity is
 - why an LLM runtime is required
 - what is optional versus required to make a profile usable
@@ -126,7 +129,7 @@ When editing an existing profile, interactive `init` should:
 - default destructive changes to preserve
 - surface missing required secrets early enough for the user to react before the
   final save
-- keep route reconciliation tied to Git scope changes
+- keep route reconciliation tied to repository access changes
 - preserve the existing rename/default/route semantics owned by shared helpers
 
 ## Commit And Discard Semantics
@@ -166,8 +169,9 @@ entity setup should show non-secret, per-key credential readiness for the
 selected reviewer credential location:
 
 - PAT reviewers show `git_token`.
-- GitHub App reviewers show required `github_app_id` and
-  `github_app_private_key`, plus optional `github_app_installation_id`.
+- GitHub App reviewers show non-secret GitHub App ID as config plus required
+  `github_app_private_key` readiness. Installation routing is review-profile
+  config, not a reviewer credential key.
 - Each key may be shown as `missing`, `existing`, `staged`, `skipped optional`,
   `deferred`, `optional`, or `status unavailable`.
 - `missing` means the backend was consulted and no staged or existing value was
@@ -193,9 +197,9 @@ secret values, and the final readiness summary should continue to report
 follow-up credential work without leaking values.
 
 All credential-bearing init flows should show equivalent non-secret destination
-context before collecting secret values. This includes Git credentials, reviewer
-PAT/GitHub App credentials, and LLM API keys handled by the shared credential
-collector.
+context before collecting secret values. This includes repository-access Git
+credentials, reviewer PAT/GitHub App credentials, and LLM API keys handled by
+the shared credential collector.
 
 Destination summaries should include:
 
@@ -214,18 +218,22 @@ environment variable names may be shown only as backend-auth env var names.
 
 ## Draft-Local Reuse Rules
 
-LLM runtimes and reviewer entities are reusable **within the current interactive
-`init` session only**.
+Repository access definitions, LLM runtimes, and reviewer entities are reusable
+saved building blocks.
 
 That means:
 
+- interactive draft state may name and reuse repository access across multiple
+  draft profiles
 - interactive draft state may name and reuse LLM runtimes across multiple draft
   profiles
 - interactive draft state may name and reuse reviewer entities across multiple
   draft profiles
-- no new persisted top-level runtime/entity schema is introduced in `config.yml`
-- existing saved profiles are not auto-deduped into shared runtime/entity
-  objects on reload
+- committed repository access definitions are persisted under
+  `repository_access`
+- committed LLM runtimes are persisted under `llm_runtimes`
+- committed reviewer entities are persisted under `reviewer_entities`
+- saved profiles reference those building blocks by name
 
 API-key-backed LLM runtimes may be reused across multiple profiles by selecting
 the same draft runtime and the same credential store/name. If a user wants two
@@ -247,7 +255,7 @@ contextual variants of the same fallback choice, such as:
 
 This means:
 
-- the review is posted with the profile's main Git credentials
+- the review is posted with the profile's selected repository access credentials
 - no separate reviewer credential location is created for that choice
 - in the current schema, that exports as `ReviewerCredentials=nil`
 
@@ -293,13 +301,15 @@ all of those profiles rather than only the active profile.
 Interactive `init` may hide the raw schema, but the contract between user terms
 and saved config must stay stable:
 
-- **Git scope** maps to `profile.git`, plus repository-route implications when
-  the profile participates in `repository_profiles`.
-- **LLM runtime** maps to `profile.llm`, including the provider, auth mode,
-  adapter, and any optional LLM credential location implied by API-key auth.
-- **Reviewer entity** maps to `profile.reviewer_credentials` when separate
-  credentials are configured, or to `nil` when the user selected `Use a
-  profile's Git account (no separate reviewer entity)`.
+- **Repository access** maps to a saved `repository_access.<name>` entry. A
+  profile selects it with `profiles.<profile>.repository_access`, and runtime
+  code resolves `profile.git` from that selection.
+- **LLM runtime** maps to a saved `llm_runtimes.<name>` entry. A profile selects
+  it with `profiles.<profile>.llm_runtime`.
+- **Reviewer entity** maps to a saved `reviewer_entities.<name>` entry. A
+  profile selects it with `profiles.<profile>.reviewer.kind: entity` and
+  `profiles.<profile>.reviewer.entity`. The Git-account fallback maps to
+  `profiles.<profile>.reviewer.kind: git_identity`.
 - **Review profile** maps to one saved entry under `profiles.<name>`.
 
 This section is intentionally high level. The detailed field inventory and
@@ -311,17 +321,19 @@ Interactive `init` should show credential storage as an explicit destination
 choice, not as a hidden default.
 
 Primary-path users should choose a credential store and see or edit the full
-credential name. There is no namespace, label, or prefix prompt. Instead:
+credential name when configuring the building block that owns that credential.
+There is no namespace, label, or prefix prompt. Instead:
 
 - defaults should be generated automatically
+- repository access owns current-user Git credential locations
 - new reviewer defaults may follow the typed entity label, for example
   `rianjs-bot` becomes `codereview/rianjs-bot-reviewer`
 - changing an existing reviewer display name must not migrate or rename the
   existing credential name
-- users who need an override may edit the relevant inline **credential name**
-  fields for Git, reviewer, or LLM secrets
-- irrelevant reviewer/LLM credential-name fields should stay hidden when the
-  profile is using its Git account or a subscription runtime
+- users who need an override may edit the relevant **credential name** field on
+  the repository-access, reviewer-entity, or LLM-runtime building block
+- irrelevant reviewer/LLM credential-name fields should stay hidden when a
+  reviewer entity uses no separate secret or a runtime uses subscription auth
 - any advanced path should still explain that these names are non-secret
   pointers to credential-store entries, not the secrets themselves
 - users who need to change where secrets are stored should configure/select a
@@ -339,7 +351,7 @@ The top-level auxiliary areas should cover:
 - secrets-storage settings for credential-store/backend behavior
 
 These settings matter, but they are not part of the primary
-`Git scope + reviewer entity + LLM runtime = review profile` model.
+`Repository access + reviewer entity + LLM runtime = review profile` model.
 
 ## Non-Interactive Regression Contract
 
diff --git a/internal/cmd/configcmd/configcmd.go b/internal/cmd/configcmd/configcmd.go
index 37376c47..38f76dbb 100644
--- a/internal/cmd/configcmd/configcmd.go
+++ b/internal/cmd/configcmd/configcmd.go
@@ -696,10 +696,16 @@ func newLLMCommand(opts *root.Options) *cobra.Command {
 			if err != nil {
 				return err
 			}
-			if profile.LLM.ModelMap == nil {
-				profile.LLM.ModelMap = config.ModelMap{}
+			runtimeName, runtime, err := activeProfileLLMRuntime(cfg, profileName, profile)
+			if err != nil {
+				return cmderr.Config(err)
 			}
-			profile.LLM.ModelMap[string(tier)] = model
+			if runtime.ModelMap == nil {
+				runtime.ModelMap = config.ModelMap{}
+			}
+			runtime.ModelMap[string(tier)] = model
+			cfg.LLMRuntimes[runtimeName] = runtime
+			profile.LLM = runtime
 			cfg.Profiles[profileName] = profile
 			if err := saveConfigFile(path, cfg); err != nil {
 				return cmderr.Config(err)
@@ -727,12 +733,18 @@ func newLLMCommand(opts *root.Options) *cobra.Command {
 			if err != nil {
 				return err
 			}
-			if profile.LLM.ModelMap != nil {
-				delete(profile.LLM.ModelMap, string(tier))
-				if len(profile.LLM.ModelMap) == 0 {
-					profile.LLM.ModelMap = nil
+			runtimeName, runtime, err := activeProfileLLMRuntime(cfg, profileName, profile)
+			if err != nil {
+				return cmderr.Config(err)
+			}
+			if runtime.ModelMap != nil {
+				delete(runtime.ModelMap, string(tier))
+				if len(runtime.ModelMap) == 0 {
+					runtime.ModelMap = nil
 				}
 			}
+			cfg.LLMRuntimes[runtimeName] = runtime
+			profile.LLM = runtime
 			cfg.Profiles[profileName] = profile
 			if err := saveConfigFile(path, cfg); err != nil {
 				return cmderr.Config(err)
@@ -766,7 +778,13 @@ func newLLMCommand(opts *root.Options) *cobra.Command {
 					return exitcode.Usage(fmt.Errorf("--provider %q does not match active profile provider %q", guard, profile.LLM.Provider))
 				}
 			}
-			profile.LLM.ModelMap = nil
+			runtimeName, runtime, err := activeProfileLLMRuntime(cfg, profileName, profile)
+			if err != nil {
+				return cmderr.Config(err)
+			}
+			runtime.ModelMap = nil
+			cfg.LLMRuntimes[runtimeName] = runtime
+			profile.LLM = runtime
 			cfg.Profiles[profileName] = profile
 			if err := saveConfigFile(path, cfg); err != nil {
 				return cmderr.Config(err)
@@ -899,6 +917,18 @@ func loadActiveProfile(opts *root.Options) (string, config.File, string, config.
 	return path, cfg, profileName, profile, nil
 }
 
+func activeProfileLLMRuntime(cfg config.File, profileName string, profile config.Profile) (string, config.LLMConfig, error) {
+	runtimeName := strings.TrimSpace(profile.LLMRuntime)
+	if runtimeName == "" {
+		return "", config.LLMConfig{}, fmt.Errorf("%w: profiles.%s.llm_runtime is required", config.ErrInvalid, profileName)
+	}
+	runtime, ok := cfg.LLMRuntimes[runtimeName]
+	if !ok {
+		return "", config.LLMConfig{}, fmt.Errorf("%w: profiles.%s.llm_runtime %q", config.ErrProfileNotFound, profileName, runtimeName)
+	}
+	return runtimeName, runtime, nil
+}
+
 func parseModelTierArg(raw string) (config.ModelTier, error) {
 	tier := config.ModelTier(strings.TrimSpace(raw))
 	if !tier.Valid() {
diff --git a/internal/cmd/configcmd/configcmd_test.go b/internal/cmd/configcmd/configcmd_test.go
index 03f1c0fb..9cabd2ae 100644
--- a/internal/cmd/configcmd/configcmd_test.go
+++ b/internal/cmd/configcmd/configcmd_test.go
@@ -877,6 +877,7 @@ func TestConfigShowGitHubAppCredentialStatus(t *testing.T) {
 	cfg := testConfig()
 	work := cfg.Profiles["work"]
 	work.ReviewerCredentials.AuthMode = config.GitAuthModeGitHubApp
+	work.ReviewerCredentials.GitHubApp = &config.GitHubAppConfig{AppID: "12345"}
 	cfg.Profiles["work"] = work
 	path := saveTestConfig(t, cfg)
 	cmd, out := newTestCommand(path)
@@ -897,9 +898,7 @@ func TestConfigShowGitHubAppCredentialStatus(t *testing.T) {
 	}
 	missing := false
 	want := []view.KeyStatus{
-		{Key: credentials.GitHubAppIDKey, Required: true, Present: &missing, Status: "missing"},
 		{Key: credentials.GitHubAppPrivateKeyKey, Required: true, Present: &missing, Status: "missing"},
-		{Key: credentials.GitHubAppInstallationIDKey, Required: false, Present: &missing, Status: "missing"},
 	}
 	if reviewer.Ref != "codereview/work-reviewer" || reviewer.Mode != "github_app" || !reflect.DeepEqual(reviewer.Keys, want) {
 		t.Fatalf("reviewer credential status = %#v, want app keys %#v", reviewer, want)
@@ -1453,7 +1452,7 @@ func TestConfigRetentionSetMutatesAndPreservesUnrelatedConfig(t *testing.T) {
 	if saved.Data.Retention.MaxAgeDaysValue() != 30 || saved.Data.Retention.Enforcement != config.RetentionManualOnly {
 		t.Fatalf("retention = %#v, want 30/manual_only", saved.Data.Retention)
 	}
-	if !reflect.DeepEqual(saved.Profiles, cfg.Profiles) {
+	if !reflect.DeepEqual(saved.Profiles, config.Normalize(cfg).Profiles) {
 		t.Fatalf("profiles = %#v, want preserved", saved.Profiles)
 	}
 	if !reflect.DeepEqual(saved.RepositoryProfiles, cfg.RepositoryProfiles) {
@@ -1595,7 +1594,7 @@ func TestConfigRetentionResetRestoresDefaultsAndPreservesConfig(t *testing.T) {
 	if saved.Data.Retention.MaxAgeDaysValue() != 90 || saved.Data.Retention.Enforcement != config.RetentionAtWrite {
 		t.Fatalf("retention = %#v, want 90/at_write", saved.Data.Retention)
 	}
-	if !reflect.DeepEqual(saved.Profiles, cfg.Profiles) {
+	if !reflect.DeepEqual(saved.Profiles, config.Normalize(cfg).Profiles) {
 		t.Fatalf("profiles = %#v, want preserved", saved.Profiles)
 	}
 	if !reflect.DeepEqual(saved.RepositoryProfiles, cfg.RepositoryProfiles) {
@@ -1871,6 +1870,11 @@ func TestConfigShowReservedAuthModeExitCode(t *testing.T) {
     test-memory:
       backend:
         kind: memory
+llm_runtimes:
+  claude-cli:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
 profiles:
   home:
     git:
@@ -1879,10 +1883,9 @@ profiles:
       credential:
         store: test-memory
         name: codereview/home
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: git_identity
+    llm_runtime: claude-cli
 `)
 	cmd, _ := newTestCommand(path)
 
@@ -1970,19 +1973,16 @@ func TestConfigClearGitHubAppCredentialMatrix(t *testing.T) {
 	cfg := fileBackendConfig(t)
 	home := cfg.Profiles["home"]
 	home.Git.AuthMode = config.GitAuthModeGitHubApp
+	home.Git.GitHubApp = &config.GitHubAppConfig{AppID: "12345"}
 	home.Git.CredentialRef = "codereview/home-app"
 	home.Git.Credential.Name = "codereview/home-app"
 	cfg.Profiles["home"] = home
 	path := saveTestConfig(t, cfg)
 	appKeys := []string{
-		credentials.GitHubAppIDKey,
-		credentials.GitHubAppInstallationIDKey,
 		credentials.GitHubAppPrivateKeyKey,
 	}
 	seedFileBackend(t, "home-app", map[string]string{
-		credentials.GitHubAppIDKey:             "12345",
-		credentials.GitHubAppPrivateKeyKey:     "private-key",
-		credentials.GitHubAppInstallationIDKey: "42",
+		credentials.GitHubAppPrivateKeyKey: "private-key",
 	})
 
 	dryRunCmd, dryRunOut := newTestCommand(path)
diff --git a/internal/cmd/credentialcmd/credentialcmd.go b/internal/cmd/credentialcmd/credentialcmd.go
index dd369b05..246022e4 100644
--- a/internal/cmd/credentialcmd/credentialcmd.go
+++ b/internal/cmd/credentialcmd/credentialcmd.go
@@ -151,33 +151,34 @@ func runSetCredential(cmd *cobra.Command, opts *root.Options, flags setCredentia
 }
 
 type initOptions struct {
-	nonInteractive     bool
-	gitHost            string
-	gitAuth            string
-	gitRef             string
-	reviewerRef        string
-	reviewerAuth       string
-	disableReviewer    bool
-	llmProvider        string
-	llmAuth            string
-	llmAdapter         string
-	llmRef             string
-	llmReviewerTier    string
-	clearLLMReviewer   bool
-	agentSources       []string
-	majorEvent         string
-	selfApprove        bool
-	resolveThreads     string
-	resolveAfter       string
-	gitTokenStdin      bool
-	gitTokenEnv        string
-	reviewerTokenStdin bool
-	reviewerTokenEnv   string
-	llmKeyStdin        bool
-	llmKeyEnv          string
-	overwrite          bool
-	replaceProfile     bool
-	secretsDiscovery   string
+	nonInteractive      bool
+	gitHost             string
+	gitAuth             string
+	gitGitHubAppID      string
+	gitRef              string
+	reviewerRef         string
+	reviewerAuth        string
+	reviewerGitHubAppID string
+	disableReviewer     bool
+	llmProvider         string
+	llmAuth             string
+	llmAdapter          string
+	llmRef              string
+	llmReviewerTier     string
+	clearLLMReviewer    bool
+	agentSources        []string
+	majorEvent          string
+	selfApprove         bool
+	resolveThreads      string
+	gitTokenStdin       bool
+	gitTokenEnv         string
+	reviewerTokenStdin  bool
+	reviewerTokenEnv    string
+	llmKeyStdin         bool
+	llmKeyEnv           string
+	overwrite           bool
+	replaceProfile      bool
+	secretsDiscovery    string
 }
 
 type initPrompter interface {
@@ -216,6 +217,10 @@ type initLLMRuntimePrompter interface {
 	EditLLMRuntime(initLLMRuntimePrompt) (initDraft, error)
 }
 
+type initRepositoryAccessPrompter interface {
+	EditRepositoryAccess(initRepositoryAccessPrompt) (initDraft, error)
+}
+
 type initReviewerEntityPrompter interface {
 	EditReviewerEntity(initReviewerEntityPrompt) (initDraft, error)
 }
@@ -225,76 +230,92 @@ type initFinalizePrompter interface {
 }
 
 type initPromptContext struct {
-	RequestedProfileName         string
-	ExistingProfileName          string
-	ExistingProfile              *config.Profile
-	ExistingProfileNames         []string
-	ExistingConfig               config.File
-	BackendArg                   string
-	BackendFlagSet               bool
-	GitScopes                    map[string]initGitScopeDraft
-	ProfileGitScopes             map[string]string
-	ReviewerEntities             map[string]initReviewerEntityDraft
-	ProfileReviewerEntities      map[string]string
-	ReviewerCredentialStatuses   []initReviewerCredentialStatus
-	SecretsProfiles              []config.EffectiveSecretsProfile
-	ProfileSecretsProfiles       map[string]string
-	BrokenProfileSecretsProfiles map[string]string
-	LLMRuntimes                  map[string]initLLMRuntimeDraft
-	ProfileLLMRuntimes           map[string]string
-	ProfileWarnings              map[string][]string
-	PendingProfileDeletes        map[string]initPendingProfileDelete
-	PendingReviewerEntityDeletes map[string]initPendingReviewerEntityDelete
-	PendingLLMRuntimeDeletes     map[string]initPendingLLMRuntimeDelete
+	RequestedProfileName               string
+	ExistingProfileName                string
+	ExistingProfile                    *config.Profile
+	ExistingProfileNames               []string
+	ExistingConfig                     config.File
+	BackendArg                         string
+	BackendFlagSet                     bool
+	GitScopes                          map[string]initGitScopeDraft
+	ProfileGitScopes                   map[string]string
+	StandaloneRepositoryAccessMode     bool
+	RepositoryAccessCredentialStatuses []initReviewerCredentialStatus
+	ReviewerEntities                   map[string]initReviewerEntityDraft
+	ProfileReviewerEntities            map[string]string
+	ReviewerCredentialStatuses         []initReviewerCredentialStatus
+	StandaloneReviewerEntityMode       bool
+	SecretsProfiles                    []config.EffectiveSecretsProfile
+	ProfileSecretsProfiles             map[string]string
+	BrokenProfileSecretsProfiles       map[string]string
+	LLMRuntimes                        map[string]initLLMRuntimeDraft
+	ProfileLLMRuntimes                 map[string]string
+	ProfileWarnings                    map[string][]string
+	PendingProfileDeletes              map[string]initPendingProfileDelete
+	PendingRepositoryAccessDeletes     map[string]initPendingRepositoryAccessDelete
+	PendingReviewerEntityDeletes       map[string]initPendingReviewerEntityDelete
+	PendingLLMRuntimeDeletes           map[string]initPendingLLMRuntimeDelete
 }
 
 type initDraftAction string
 
 const (
-	initDraftActionNone                     initDraftAction = ""
-	initDraftActionDeleteProfile            initDraftAction = "delete_profile"
-	initDraftActionUndoDeleteProfile        initDraftAction = "undo_delete_profile"
-	initDraftActionDeleteReviewerEntity     initDraftAction = "delete_reviewer_entity"
-	initDraftActionUndoDeleteReviewerEntity initDraftAction = "undo_delete_reviewer_entity"
-	initDraftActionDeleteLLMRuntime         initDraftAction = "delete_llm_runtime"
-	initDraftActionUndoDeleteLLMRuntime     initDraftAction = "undo_delete_llm_runtime"
+	initDraftActionNone                       initDraftAction = ""
+	initDraftActionDeleteProfile              initDraftAction = "delete_profile"
+	initDraftActionUndoDeleteProfile          initDraftAction = "undo_delete_profile"
+	initDraftActionDeleteRepositoryAccess     initDraftAction = "delete_repository_access"
+	initDraftActionUndoDeleteRepositoryAccess initDraftAction = "undo_delete_repository_access"
+	initDraftActionDeleteReviewerEntity       initDraftAction = "delete_reviewer_entity"
+	initDraftActionUndoDeleteReviewerEntity   initDraftAction = "undo_delete_reviewer_entity"
+	initDraftActionDeleteLLMRuntime           initDraftAction = "delete_llm_runtime"
+	initDraftActionUndoDeleteLLMRuntime       initDraftAction = "undo_delete_llm_runtime"
 )
 
 type initDraft struct {
-	Action                       initDraftAction
-	ActionTarget                 string
-	OriginalProfileName          string
-	ProfileName                  string
-	GitHost                      string
-	GitAuth                      string
-	GitCredentialStore           string
-	GitCredentialRef             string
-	ReviewerEnabled              bool
-	ReviewerAuth                 string
-	ReviewerCredentialStore      string
-	ReviewerCredentialRef        string
-	ReviewerDisplayName          string
-	ReviewerCredentialWriteRef   string
-	ReviewerCredentialWriteStore credentials.ResolvedSecretsProfile
-	ReviewerCredentialWrites     map[string]string
-	ReviewerCredentialOverwrite  bool
-	ReviewerCredentialSatisfied  bool
-	SecretsProfile               string
-	LLMProvider                  string
-	LLMAuth                      string
-	LLMAdapter                   string
-	LLMReviewerModelTier         string
-	LLMCredentialStore           string
-	LLMCredentialRef             string
-	AdvancedStorageLabels        bool
-	RoutesSet                    bool
-	Routes                       []configedit.RepositoryRouteSpec
-	ModelMapSet                  bool
-	ModelMap                     config.ModelMap
-	AgentSourcesSet              bool
-	AgentSources                 []string
-	ReviewPolicySet              bool
-	ReviewPolicy                 config.ReviewPolicy
+	Action                            initDraftAction
+	ActionTarget                      string
+	OriginalProfileName               string
+	ProfileName                       string
+	RepositoryAccessName              string
+	GitHost                           string
+	GitAuth                           string
+	GitHubAppID                       string
+	GitCredentialStore                string
+	GitCredentialRef                  string
+	ReviewerEnabled                   bool
+	ReviewerAuth                      string
+	ReviewerCredentialStore           string
+	ReviewerCredentialRef             string
+	ReviewerGitHubAppID               string
+	ReviewerDisplayName               string
+	ReviewerGitHubAppInstallationMode string
+	ReviewerGitHubAppInstallationID   string
+	GitCredentialWriteRef             string
+	GitCredentialWriteStore           credentials.ResolvedSecretsProfile
+	GitCredentialWrites               map[string]string
+	GitCredentialOverwrite            bool
+	GitCredentialSatisfied            bool
+	ReviewerCredentialWriteRef        string
+	ReviewerCredentialWriteStore      credentials.ResolvedSecretsProfile
+	ReviewerCredentialWrites          map[string]string
+	ReviewerCredentialOverwrite       bool
+	ReviewerCredentialSatisfied       bool
+	SecretsProfile                    string
+	LLMProvider                       string
+	LLMAuth                           string
+	LLMAdapter                        string
+	LLMReviewerModelTier              string
+	LLMCredentialStore                string
+	LLMCredentialRef                  string
+	AdvancedStorageLabels             bool
+	RoutesSet                         bool
+	Routes                            []configedit.RepositoryRouteSpec
+	ModelMapSet                       bool
+	ModelMap                          config.ModelMap
+	AgentSourcesSet                   bool
+	AgentSources                      []string
+	ReviewPolicySet                   bool
+	ReviewPolicy                      config.ReviewPolicy
 }
 
 type initModelMapPrompt struct {
@@ -381,6 +402,7 @@ type initMenuAction string
 
 const (
 	initMenuActionLLMRuntimes       initMenuAction = "llm_runtimes"
+	initMenuActionRepositoryAccess  initMenuAction = "repository_access"
 	initMenuActionReviewerEntities  initMenuAction = "reviewer_entities"
 	initMenuActionReviewProfiles    initMenuAction = "review_profiles"
 	initMenuActionGlobalSettings    initMenuAction = "global_settings"
@@ -395,20 +417,25 @@ var (
 )
 
 type initMenuPrompt struct {
-	HasWorkspace         bool
-	LLMRuntimeCount      int
-	ReviewerEntityCount  int
-	ReviewProfileCount   int
-	CanConfigureLLM      bool
-	CanConfigureReviewer bool
-	CanSave              bool
-	ActiveProfileName    string
+	HasWorkspace          bool
+	RepositoryAccessCount int
+	LLMRuntimeCount       int
+	ReviewerEntityCount   int
+	ReviewProfileCount    int
+	CanConfigureLLM       bool
+	CanConfigureReviewer  bool
+	CanSave               bool
+	ActiveProfileName     string
 }
 
 type initLLMRuntimePrompt struct {
 	Context initPromptContext
 }
 
+type initRepositoryAccessPrompt struct {
+	Context initPromptContext
+}
+
 type initReviewerEntityPrompt struct {
 	Context initPromptContext
 }
@@ -418,6 +445,7 @@ type initDeps struct {
 	profileV2Prompter    initPrompter
 	menuPrompter         initMenuPrompter
 	llmRuntimePrompter   initLLMRuntimePrompter
+	repositoryPrompter   initRepositoryAccessPrompter
 	reviewerPrompter     initReviewerEntityPrompter
 	finalizePrompter     initFinalizePrompter
 	modelMapPrompter     initModelMapPrompter
@@ -493,22 +521,23 @@ type initSessionPlan struct {
 }
 
 type initSessionDraft struct {
-	path                         string
-	originalCfg                  config.File
-	cfg                          config.File
-	requestedProfileName         string
-	backendFlagSet               bool
-	saveRequested                bool
-	workspace                    *initWorkspaceDraft
-	touchedProfiles              map[string]string
-	writes                       map[string]map[string]string
-	credentialWriteStores        map[string]credentials.ResolvedSecretsProfile
-	credentialDecisions          map[initCredentialDecisionKey]initCredentialDecisionKind
-	overwriteRefs                map[string]bool
-	satisfiedRefs                map[string]bool
-	pendingProfileDeletes        map[string]initPendingProfileDelete
-	pendingReviewerEntityDeletes map[string]initPendingReviewerEntityDelete
-	pendingLLMRuntimeDeletes     map[string]initPendingLLMRuntimeDelete
+	path                           string
+	originalCfg                    config.File
+	cfg                            config.File
+	requestedProfileName           string
+	backendFlagSet                 bool
+	saveRequested                  bool
+	workspace                      *initWorkspaceDraft
+	touchedProfiles                map[string]string
+	writes                         map[string]map[string]string
+	credentialWriteStores          map[string]credentials.ResolvedSecretsProfile
+	credentialDecisions            map[initCredentialDecisionKey]initCredentialDecisionKind
+	overwriteRefs                  map[string]bool
+	satisfiedRefs                  map[string]bool
+	pendingProfileDeletes          map[string]initPendingProfileDelete
+	pendingRepositoryAccessDeletes map[string]initPendingRepositoryAccessDelete
+	pendingReviewerEntityDeletes   map[string]initPendingReviewerEntityDelete
+	pendingLLMRuntimeDeletes       map[string]initPendingLLMRuntimeDelete
 }
 
 type initPendingProfileDelete struct {
@@ -522,16 +551,26 @@ type initPendingProfileDelete struct {
 	TouchedOriginal   string
 }
 
+type initPendingRepositoryAccessDelete struct {
+	Name   string
+	Access config.RepositoryAccessConfig
+}
+
 type initPendingReviewerEntityDelete struct {
-	EntityName string
-	Affected   map[string]config.ReviewerCredentials
+	EntityName       string
+	Entity           *config.ReviewerEntity
+	ProfileReviewers map[string]config.ProfileReviewer
+	Affected         map[string]config.ReviewerCredentials
 }
 
 type initPendingLLMRuntimeDelete struct {
 	RuntimeName        string
 	Replacement        initLLMRuntimeDraft
+	ReplacementName    string
+	AddedReplacement   bool
 	Applied            map[string]config.LLMConfig
 	Original           map[string]config.LLMConfig
+	OriginalRefs       map[string]string
 	StandaloneOriginal *config.LLMConfig
 }
 
@@ -539,6 +578,7 @@ type initGitScopeDraft struct {
 	Name            string
 	Host            string
 	AuthMode        config.GitAuthMode
+	GitHubAppID     string
 	CredentialStore string
 	CredentialRef   string
 }
@@ -555,6 +595,7 @@ type initReviewerEntityDraft struct {
 	Name            string
 	Kind            initReviewerEntityKind
 	AuthMode        config.GitAuthMode
+	AppID           string
 	CredentialStore string
 	CredentialRef   string
 	DisplayName     string
@@ -574,13 +615,15 @@ const (
 )
 
 type initLLMRuntimeDraft struct {
-	Name            string
-	Preset          initLLMRuntimePreset
-	Provider        config.LLMProvider
-	Auth            config.LLMAuth
-	Adapter         config.LLMAdapter
-	CredentialStore string
-	CredentialRef   string
+	Name              string
+	Preset            initLLMRuntimePreset
+	Provider          config.LLMProvider
+	Auth              config.LLMAuth
+	Adapter           config.LLMAdapter
+	CredentialStore   string
+	CredentialRef     string
+	ModelMap          config.ModelMap
+	ReviewerModelTier config.ModelTier
 }
 
 type initStore interface {
@@ -675,6 +718,7 @@ func defaultInitDeps() initDeps {
 	return initDeps{
 		menuPrompter:         nil,
 		llmRuntimePrompter:   nil,
+		repositoryPrompter:   nil,
 		reviewerPrompter:     nil,
 		finalizePrompter:     nil,
 		modelMapPrompter:     nil,
@@ -710,6 +754,9 @@ func (deps initDeps) withDefaults() initDeps {
 	if deps.llmRuntimePrompter == nil {
 		deps.llmRuntimePrompter = defaults.llmRuntimePrompter
 	}
+	if deps.repositoryPrompter == nil {
+		deps.repositoryPrompter = defaults.repositoryPrompter
+	}
 	if deps.reviewerPrompter == nil {
 		deps.reviewerPrompter = defaults.reviewerPrompter
 	}
@@ -775,7 +822,7 @@ func newInitCommand(opts *root.Options) *cobra.Command {
 		llmProvider:      string(config.LLMProviderAnthropic),
 		llmAuth:          string(config.LLMAuthSubscription),
 		llmAdapter:       string(config.LLMAdapterClaudeCLI),
-		majorEvent:       string(config.ReviewMajorEventComment),
+		majorEvent:       string(config.ReviewMajorEventRequestChanges),
 		secretsDiscovery: string(initSecretsBackendDiscoveryModeFull),
 	}
 	cmd := &cobra.Command{
@@ -794,9 +841,11 @@ func newInitCommand(opts *root.Options) *cobra.Command {
 	cmd.Flags().BoolVar(&flags.nonInteractive, "non-interactive", false, "Run without prompts")
 	cmd.Flags().StringVar(&flags.gitHost, "git-host", flags.gitHost, "Git host")
 	cmd.Flags().StringVar(&flags.gitAuth, "git-auth-mode", flags.gitAuth, "Git credential auth mode")
+	cmd.Flags().StringVar(&flags.gitGitHubAppID, "git-github-app-id", "", "GitHub App ID for Git github_app auth")
 	cmd.Flags().StringVar(&flags.gitRef, "git-credential-ref", "", "Git credential name")
 	cmd.Flags().StringVar(&flags.reviewerRef, "reviewer-credential-ref", "", "Reviewer credential name")
 	cmd.Flags().StringVar(&flags.reviewerAuth, "reviewer-auth-mode", flags.reviewerAuth, "Reviewer credential auth mode")
+	cmd.Flags().StringVar(&flags.reviewerGitHubAppID, "reviewer-github-app-id", "", "GitHub App ID for reviewer github_app auth")
 	cmd.Flags().BoolVar(&flags.disableReviewer, "disable-reviewer", false, "Disable separate reviewer credentials")
 	cmd.Flags().StringVar(&flags.llmProvider, "llm-provider", flags.llmProvider, "LLM provider")
 	cmd.Flags().StringVar(&flags.llmAuth, "llm-auth", flags.llmAuth, "LLM auth mode")
@@ -807,8 +856,7 @@ func newInitCommand(opts *root.Options) *cobra.Command {
 	cmd.Flags().StringArrayVar(&flags.agentSources, "agent-source", nil, "Agent source ref (repeatable)")
 	cmd.Flags().StringVar(&flags.majorEvent, "major-event", flags.majorEvent, "Major finding event policy")
 	cmd.Flags().BoolVar(&flags.selfApprove, "allow-self-approve", false, "Allow self approval")
-	cmd.Flags().StringVar(&flags.resolveThreads, "resolve-threads", "", "Thread resolution policy")
-	cmd.Flags().StringVar(&flags.resolveAfter, "resolve-after", "", "Duration before thread resolution")
+	cmd.Flags().StringVar(&flags.resolveThreads, "resolve-threads", string(config.ResolveThreadsAuto), "Thread resolution policy")
 	cmd.Flags().BoolVar(&flags.gitTokenStdin, "git-token-stdin", false, "Read the Git token from stdin")
 	cmd.Flags().StringVar(&flags.gitTokenEnv, "git-token-from-env", "", "Read the Git token from this environment variable")
 	cmd.Flags().BoolVar(&flags.reviewerTokenStdin, "reviewer-token-stdin", false, "Read the reviewer Git token from stdin")
@@ -993,6 +1041,12 @@ type huhInitLLMRuntimePrompter struct {
 	editorRunner    initLLMRuntimeEditorRunner
 }
 
+type huhInitRepositoryAccessPrompter struct {
+	stdin        io.Reader
+	stderr       io.Writer
+	editorRunner initRepositoryAccessEditorRunner
+}
+
 type huhInitReviewerEntityPrompter struct {
 	stdin           io.Reader
 	stderr          io.Writer
@@ -1019,14 +1073,22 @@ func newHuhInitMenuPrompter(opts *root.Options) initMenuPrompter {
 
 func newHuhInitLLMRuntimePrompter(opts *root.Options) initLLMRuntimePrompter {
 	return huhInitLLMRuntimePrompter{
-		stdin:   opts.Stdin,
-		stderr:  opts.Stderr,
-		checker: defaultInitLLMRuntimeAvailabilityNote,
+		stdin:           opts.Stdin,
+		stderr:          opts.Stderr,
+		inventoryRunner: runInitInventory,
+		checker:         defaultInitLLMRuntimeAvailabilityNote,
 	}
 }
 
+func newHuhInitRepositoryAccessPrompter(opts *root.Options) initRepositoryAccessPrompter {
+	return huhInitRepositoryAccessPrompter{stdin: opts.Stdin, stderr: opts.Stderr}
+}
+
 func newHuhInitReviewerEntityPrompter(opts *root.Options) initReviewerEntityPrompter {
-	return huhInitReviewerEntityPrompter{stdin: opts.Stdin, stderr: opts.Stderr}
+	return huhInitReviewerEntityPrompter{
+		stdin:  opts.Stdin,
+		stderr: opts.Stderr,
+	}
 }
 
 func newHuhInitFinalizePrompter(opts *root.Options) initFinalizePrompter {
@@ -1186,22 +1248,24 @@ func bootstrapInteractiveInitSession(cmd *cobra.Command, opts *root.Options, fla
 }
 
 func buildInteractiveInitMenuPrompt(session initSessionDraft) initMenuPrompt {
+	gitScopes, _ := buildInitGitScopeInventory(session.cfg)
 	llmRuntimes, _ := buildInitLLMRuntimeInventory(session.cfg)
 	reviewerEntities, _ := buildInitReviewerEntityInventory(session.cfg)
 	prompt := initMenuPrompt{
-		HasWorkspace:        session.workspace != nil,
-		LLMRuntimeCount:     len(llmRuntimes),
-		ReviewerEntityCount: countConfiguredInitReviewerEntities(reviewerEntities),
-		ReviewProfileCount:  len(session.cfg.Profiles),
-		CanConfigureLLM:     true,
-		CanSave:             initSessionCanCommitWithoutWorkspace(session),
+		HasWorkspace:          session.workspace != nil,
+		RepositoryAccessCount: len(gitScopes),
+		LLMRuntimeCount:       len(llmRuntimes),
+		ReviewerEntityCount:   countConfiguredInitReviewerEntities(reviewerEntities),
+		ReviewProfileCount:    len(session.cfg.Profiles),
+		CanConfigureLLM:       true,
+		CanConfigureReviewer:  true,
+		CanSave:               initSessionCanCommitWithoutWorkspace(session),
 	}
 	if session.workspace == nil {
 		return prompt
 	}
 	prompt.ActiveProfileName = session.workspace.profileName
 	prompt.CanConfigureLLM = true
-	prompt.CanConfigureReviewer = true
 	prompt.CanSave = true
 	return prompt
 }
@@ -1237,14 +1301,15 @@ func currentInteractiveInitPromptContextBase(session initSessionDraft) initPromp
 		existingProfile = &profileCopy
 	}
 	return initPromptContext{
-		RequestedProfileName:         session.requestedProfileName,
-		ExistingProfileName:          existingProfileName,
-		ExistingProfile:              existingProfile,
-		ExistingProfileNames:         sortedProfileNames(session.cfg.Profiles),
-		ExistingConfig:               session.cfg,
-		PendingProfileDeletes:        session.pendingProfileDeletes,
-		PendingReviewerEntityDeletes: session.pendingReviewerEntityDeletes,
-		PendingLLMRuntimeDeletes:     session.pendingLLMRuntimeDeletes,
+		RequestedProfileName:           session.requestedProfileName,
+		ExistingProfileName:            existingProfileName,
+		ExistingProfile:                existingProfile,
+		ExistingProfileNames:           sortedProfileNames(session.cfg.Profiles),
+		ExistingConfig:                 session.cfg,
+		PendingProfileDeletes:          session.pendingProfileDeletes,
+		PendingRepositoryAccessDeletes: session.pendingRepositoryAccessDeletes,
+		PendingReviewerEntityDeletes:   session.pendingReviewerEntityDeletes,
+		PendingLLMRuntimeDeletes:       session.pendingLLMRuntimeDeletes,
 	}
 }
 
@@ -1260,6 +1325,8 @@ func runInteractiveInitMenuLoop(cmd *cobra.Command, opts *root.Options, flags in
 			return initSessionDraft{}, err
 		}
 		switch action {
+		case initMenuActionRepositoryAccess:
+			session, err = editInteractiveInitRepositoryAccess(cmd, opts, flags, deps, session)
 		case initMenuActionLLMRuntimes:
 			session, err = loopInteractiveInitLLMRuntime(cmd, opts, flags, deps, session)
 		case initMenuActionReviewerEntities:
@@ -1293,6 +1360,92 @@ func runInteractiveInitMenuLoop(cmd *cobra.Command, opts *root.Options, flags in
 	}
 }
 
+func editInteractiveInitRepositoryAccess(_ *cobra.Command, opts *root.Options, _ initOptions, deps initDeps, session initSessionDraft) (initSessionDraft, error) {
+	prompter := deps.repositoryPrompter
+	if prompter == nil {
+		prompter = newHuhInitRepositoryAccessPrompter(opts)
+	}
+	promptCtx := currentInteractiveInitRepositoryAccessPromptContext(opts, deps, session)
+	promptCtx.StandaloneRepositoryAccessMode = true
+	draft, err := prompter.EditRepositoryAccess(initRepositoryAccessPrompt{Context: promptCtx})
+	if errors.Is(err, errInitNavigateBack) {
+		return session, nil
+	}
+	if err != nil {
+		return initSessionDraft{}, err
+	}
+	switch draft.Action {
+	case initDraftActionNone:
+	case initDraftActionDeleteRepositoryAccess:
+		session, err := deleteInteractiveInitRepositoryAccess(session, draft.ActionTarget)
+		return session, err
+	case initDraftActionUndoDeleteRepositoryAccess:
+		session, err := undoInteractiveInitRepositoryAccessDelete(session, draft.ActionTarget)
+		return session, err
+	case initDraftActionDeleteProfile, initDraftActionUndoDeleteProfile, initDraftActionDeleteReviewerEntity, initDraftActionUndoDeleteReviewerEntity, initDraftActionDeleteLLMRuntime, initDraftActionUndoDeleteLLMRuntime:
+		return initSessionDraft{}, fmt.Errorf("unsupported repository-access draft action %q", draft.Action)
+	}
+	session, err = stageStandaloneInteractiveInitRepositoryAccess(session, draft)
+	if err != nil {
+		return initSessionDraft{}, err
+	}
+	session = mergeGitCredentialDraftWrites(session, draft)
+	return session, nil
+}
+
+func stageStandaloneInteractiveInitRepositoryAccess(session initSessionDraft, draft initDraft) (initSessionDraft, error) {
+	name := strings.TrimSpace(draft.RepositoryAccessName)
+	if name == "" {
+		name = strings.TrimSpace(draft.ActionTarget)
+	}
+	if name == "" {
+		return initSessionDraft{}, exitcode.Usage(errors.New("repository access name is required"))
+	}
+	scope := initGitScopeDraft{
+		Name:            name,
+		Host:            strings.TrimSpace(draft.GitHost),
+		AuthMode:        config.GitAuthMode(draft.GitAuth),
+		GitHubAppID:     strings.TrimSpace(draft.GitHubAppID),
+		CredentialStore: initCredentialStoreDraftValue(draft.GitCredentialStore),
+		CredentialRef:   strings.TrimSpace(draft.GitCredentialRef),
+	}
+	if scope.Host == "" {
+		return initSessionDraft{}, exitcode.Usage(errors.New("git host is required"))
+	}
+	if scope.AuthMode == "" {
+		scope.AuthMode = config.GitAuthModePAT
+	}
+	if scope.CredentialStore == "" {
+		scope.CredentialStore = initCredentialStoreDefaultID()
+	}
+	if scope.CredentialRef == "" {
+		ref, err := initCredentialRefFromSeed(name)
+		if err != nil {
+			return initSessionDraft{}, exitcode.Usage(err)
+		}
+		scope.CredentialRef = ref
+	}
+
+	working := cloneInitConfigFile(session.cfg)
+	if working.RepositoryAccess == nil {
+		working.RepositoryAccess = map[string]config.RepositoryAccessConfig{}
+	}
+	var previous *config.GitConfig
+	if existing, ok := working.RepositoryAccess[name]; ok {
+		existingGit := existing.Git
+		previous = &existingGit
+	}
+	working.RepositoryAccess[name] = normalizeInitRepositoryAccessConfig(config.RepositoryAccessConfig{
+		DisplayName: name,
+		Git:         scope.exportConfig(previous),
+	})
+	if err := config.Validate(working); err != nil {
+		return initSessionDraft{}, cmderr.Config(err)
+	}
+	session.cfg = config.Normalize(working)
+	return rebuildInteractiveInitWorkspace(session, preferredInteractiveInitProfile(session)), nil
+}
+
 func loopInteractiveInitProfileV2(cmd *cobra.Command, opts *root.Options, flags initOptions, deps initDeps, session initSessionDraft) (initSessionDraft, error) {
 	prompter := deps.profileV2Prompter
 	if prompter == nil {
@@ -1351,7 +1504,10 @@ func completeInteractiveInitProfileV2Draft(ctx initPromptContext, draft initDraf
 			draft.ReviewPolicy = ctx.ExistingProfile.ReviewPolicy
 		}
 		if draft.ReviewPolicy.MajorEvent == "" {
-			draft.ReviewPolicy.MajorEvent = config.ReviewMajorEventComment
+			draft.ReviewPolicy.MajorEvent = config.ReviewMajorEventRequestChanges
+		}
+		if draft.ReviewPolicy.ResolveThreads == "" {
+			draft.ReviewPolicy.ResolveThreads = config.ResolveThreadsAuto
 		}
 		draft.ReviewPolicySet = true
 	}
@@ -1388,7 +1544,7 @@ func applyInteractiveInitProfileDraft(cmd *cobra.Command, opts *root.Options, fl
 	case initDraftActionUndoDeleteProfile:
 		session, err := undoInteractiveInitProfileDelete(session, draft.ActionTarget)
 		return session, err == nil, err
-	case initDraftActionDeleteReviewerEntity, initDraftActionUndoDeleteReviewerEntity, initDraftActionDeleteLLMRuntime, initDraftActionUndoDeleteLLMRuntime:
+	case initDraftActionDeleteRepositoryAccess, initDraftActionUndoDeleteRepositoryAccess, initDraftActionDeleteReviewerEntity, initDraftActionUndoDeleteReviewerEntity, initDraftActionDeleteLLMRuntime, initDraftActionUndoDeleteLLMRuntime:
 		return initSessionDraft{}, false, fmt.Errorf("unsupported review-profile draft action %q", draft.Action)
 	}
 	workspace, err := buildInteractiveInitWorkspace(cmd, opts, flags, deps, session.path, session.cfg, draft)
@@ -1460,15 +1616,6 @@ func applyInteractiveInitProfileDraft(cmd *cobra.Command, opts *root.Options, fl
 	session.cfg = cloneInitConfigFile(workspace.cfg)
 	session.requestedProfileName = workspace.profileName
 	session = recordTouchedProfile(session, workspace.profileName, draft.OriginalProfileName)
-	if deps.menuPrompter != nil || deps.prompter == nil {
-		session, err = collectInteractiveInitSessionWorkspaceSecrets(opts, deps, session, []string{"git", "reviewer_credentials", "llm"})
-		if errors.Is(err, errInitNavigateBack) {
-			return session, false, nil
-		}
-		if err != nil {
-			return initSessionDraft{}, false, err
-		}
-	}
 	return session, true, nil
 }
 
@@ -1507,7 +1654,7 @@ func editInteractiveInitLLMRuntimeStep(cmd *cobra.Command, opts *root.Options, f
 	case initDraftActionUndoDeleteLLMRuntime:
 		session, err := undoInteractiveInitLLMRuntimeDelete(session, draft.ActionTarget)
 		return session, err == nil, err
-	case initDraftActionDeleteProfile, initDraftActionUndoDeleteProfile, initDraftActionDeleteReviewerEntity, initDraftActionUndoDeleteReviewerEntity:
+	case initDraftActionDeleteProfile, initDraftActionUndoDeleteProfile, initDraftActionDeleteRepositoryAccess, initDraftActionUndoDeleteRepositoryAccess, initDraftActionDeleteReviewerEntity, initDraftActionUndoDeleteReviewerEntity:
 		return initSessionDraft{}, false, fmt.Errorf("unsupported LLM-runtime draft action %q", draft.Action)
 	}
 	if session.workspace == nil {
@@ -1552,7 +1699,7 @@ func stageStandaloneInteractiveInitLLMRuntime(session initSessionDraft, draft in
 		name = uniqueInitLLMRuntimeName(buildInitStandaloneLLMRuntimeNameSet(working.LLMRuntimes), runtime.suggestedName())
 	}
 	if runtime.Auth == config.LLMAuthAPIKey && strings.TrimSpace(runtime.CredentialRef) == "" {
-		ref, err := credentials.FormatRef(name)
+		ref, err := initCredentialRefFromSeed(name)
 		if err != nil {
 			return initSessionDraft{}, exitcode.Usage(err)
 		}
@@ -1574,6 +1721,10 @@ func buildInitStandaloneLLMRuntimeNameSet(runtimes map[string]config.LLMConfig)
 	return existing
 }
 
+func buildInitLLMRuntimeDraftNameSet(runtimes map[string]config.LLMConfig) map[string]initLLMRuntimeDraft {
+	return buildInitStandaloneLLMRuntimeNameSet(runtimes)
+}
+
 func loopInteractiveInitReviewerEntity(cmd *cobra.Command, opts *root.Options, flags initOptions, deps initDeps, session initSessionDraft) (initSessionDraft, error) {
 	for {
 		var stayInCategory bool
@@ -1588,15 +1739,13 @@ func loopInteractiveInitReviewerEntity(cmd *cobra.Command, opts *root.Options, f
 	}
 }
 
-func editInteractiveInitReviewerEntityStep(cmd *cobra.Command, opts *root.Options, flags initOptions, deps initDeps, session initSessionDraft) (initSessionDraft, bool, error) {
-	if session.workspace == nil {
-		return initSessionDraft{}, false, exitcode.Usage(errors.New("configure a review profile before editing reviewer entities"))
-	}
+func editInteractiveInitReviewerEntityStep(_ *cobra.Command, opts *root.Options, flags initOptions, deps initDeps, session initSessionDraft) (initSessionDraft, bool, error) {
 	prompter := deps.reviewerPrompter
 	if prompter == nil {
 		prompter = newHuhInitReviewerEntityPrompter(opts)
 	}
 	promptCtx := currentInteractiveInitReviewerEntityPromptContext(opts, deps, session)
+	promptCtx.StandaloneReviewerEntityMode = true
 	draft, err := prompter.EditReviewerEntity(initReviewerEntityPrompt{Context: promptCtx})
 	if errors.Is(err, errInitNavigateBack) {
 		return session, false, nil
@@ -1612,30 +1761,19 @@ func editInteractiveInitReviewerEntityStep(cmd *cobra.Command, opts *root.Option
 	case initDraftActionUndoDeleteReviewerEntity:
 		session, err := undoInteractiveInitReviewerEntityDelete(session, draft.ActionTarget)
 		return session, err == nil, err
-	case initDraftActionDeleteProfile, initDraftActionUndoDeleteProfile, initDraftActionDeleteLLMRuntime, initDraftActionUndoDeleteLLMRuntime:
+	case initDraftActionDeleteProfile, initDraftActionUndoDeleteProfile, initDraftActionDeleteRepositoryAccess, initDraftActionUndoDeleteRepositoryAccess, initDraftActionDeleteLLMRuntime, initDraftActionUndoDeleteLLMRuntime:
 		return initSessionDraft{}, false, fmt.Errorf("unsupported reviewer-entity draft action %q", draft.Action)
 	}
-	previousCfg := cloneInitConfigFile(session.cfg)
-	previousEntity := initReviewerEntityDraft{}
-	if draft.ActionTarget != "" {
-		if entity, ok := promptCtx.ReviewerEntities[draft.ActionTarget]; ok {
-			previousEntity = entity
-		}
+	if !draft.ReviewerEnabled {
+		return session, false, nil
 	}
-	workspace, err := buildInteractiveInitWorkspace(cmd, opts, flags, deps, session.path, session.cfg, draft)
+	session, err = stageStandaloneInteractiveInitReviewerEntity(session, flags, draft)
 	if err != nil {
 		return initSessionDraft{}, false, err
 	}
-	session.cfg = cloneInitConfigFile(workspace.cfg)
-	nextEntity := initReviewerEntityDraft{}
-	if profile, ok := session.cfg.Profiles[workspace.profileName]; ok {
-		nextEntity = initReviewerEntityDraftFromConfig(profile)
-	}
-	session.cfg = propagateSharedReviewerEntityChanges(previousCfg, session.cfg, workspace.profileName, previousEntity, nextEntity)
-	session = rebuildInteractiveInitWorkspace(session, workspace.profileName)
-	session.requestedProfileName = workspace.profileName
 	session = mergeReviewerCredentialDraftWrites(session, draft)
 	if session.workspace != nil {
+		workspace := *session.workspace
 		credentialPlan, err := planInitCredentialsWithConfig(session.cfg, workspace.previousProfile, session.workspace.profile, projectInitPlannedWriteKeys(session.writes))
 		if err != nil {
 			return initSessionDraft{}, false, cmderr.Config(err)
@@ -1643,10 +1781,133 @@ func editInteractiveInitReviewerEntityStep(cmd *cobra.Command, opts *root.Option
 		session.workspace.previousProfile = workspace.previousProfile
 		session.workspace.credentialPlan = credentialPlan
 	}
-	session = recordTouchedProfile(session, workspace.profileName, draft.OriginalProfileName)
 	return session, false, nil
 }
 
+func stageStandaloneInteractiveInitReviewerEntity(session initSessionDraft, flags initOptions, draft initDraft) (initSessionDraft, error) {
+	entity := initReviewerEntityDraftFromSeedDraft(draft)
+	if entity.Kind == initReviewerEntityKindUseGitIdentity {
+		return initSessionDraft{}, exitcode.Usage(errors.New("reviewer entity auth mode is required"))
+	}
+	if strings.TrimSpace(entity.CredentialStore) == "" {
+		entity.CredentialStore = initCredentialStoreDefaultID()
+	}
+	working := cloneInitConfigFile(session.cfg)
+	if working.ReviewerEntities == nil {
+		working.ReviewerEntities = map[string]config.ReviewerEntity{}
+	}
+	name := strings.TrimSpace(firstNonEmpty(draft.ActionTarget, entity.Name))
+	if name == "" {
+		name = uniqueInitReviewerEntityName(buildInitStandaloneReviewerEntityNameSet(working.ReviewerEntities), entity.suggestedName())
+	}
+	var previous *config.ReviewerEntity
+	if existing, ok := working.ReviewerEntities[name]; ok {
+		existingCopy := existing
+		previous = &existingCopy
+	}
+	if strings.TrimSpace(entity.CredentialRef) == "" {
+		if previous != nil && strings.TrimSpace(previous.CredentialRef) != "" {
+			entity.CredentialRef = strings.TrimSpace(previous.CredentialRef)
+		} else {
+			ref, err := initCredentialRefFromSeed(name)
+			if err != nil {
+				return initSessionDraft{}, exitcode.Usage(err)
+			}
+			entity.CredentialRef = ref
+		}
+	}
+	if entity.AuthMode == "" || strings.TrimSpace(entity.CredentialRef) == "" {
+		return initSessionDraft{}, exitcode.Usage(errors.New("reviewer entity auth mode and credential name are required"))
+	}
+	working.ReviewerEntities[name] = entity.exportReviewerEntityConfig(previous, flags.gitHost)
+	if err := validateInteractiveInitGlobalConfig(working); err != nil {
+		return initSessionDraft{}, cmderr.Config(err)
+	}
+	session.cfg = config.Normalize(working)
+	return session, nil
+}
+
+func buildInitStandaloneReviewerEntityNameSet(entities map[string]config.ReviewerEntity) map[string]initReviewerEntityDraft {
+	existing := make(map[string]initReviewerEntityDraft, len(entities))
+	for name := range entities {
+		existing[name] = initReviewerEntityDraft{}
+	}
+	return existing
+}
+
+func mergeGitCredentialDraftWrites(session initSessionDraft, draft initDraft) initSessionDraft {
+	ref := strings.TrimSpace(draft.GitCredentialWriteRef)
+	if ref == "" {
+		return session
+	}
+	if session.writes == nil {
+		session.writes = map[string]map[string]string{}
+	}
+	if session.overwriteRefs == nil {
+		session.overwriteRefs = map[string]bool{}
+	}
+	if session.satisfiedRefs == nil {
+		session.satisfiedRefs = map[string]bool{}
+	}
+	if session.credentialWriteStores == nil {
+		session.credentialWriteStores = map[string]credentials.ResolvedSecretsProfile{}
+	}
+	hadStagedWrites := len(session.writes[ref]) > 0
+	if session.writes[ref] != nil {
+		session.writes[ref] = filterInitCredentialWritesForDraftGitMode(session.writes[ref], draft)
+		if len(session.writes[ref]) == 0 {
+			delete(session.writes, ref)
+		}
+	}
+	hasNewWrites := len(draft.GitCredentialWrites) > 0
+	if hasNewWrites {
+		for key, value := range draft.GitCredentialWrites {
+			addWrite(session.writes, ref, key, value)
+		}
+	}
+	if draft.GitCredentialOverwrite {
+		session.overwriteRefs[ref] = true
+	} else if hasNewWrites || !hadStagedWrites {
+		delete(session.overwriteRefs, ref)
+	}
+	if draft.GitCredentialSatisfied {
+		session.satisfiedRefs[ref] = true
+	} else {
+		delete(session.satisfiedRefs, ref)
+	}
+	session.credentialWriteStores[ref] = draft.GitCredentialWriteStore
+	return session
+}
+
+func filterInitCredentialWritesForDraftGitMode(writes map[string]string, draft initDraft) map[string]string {
+	if len(writes) == 0 {
+		return writes
+	}
+	ref := config.CredentialRef{
+		Purpose: "git",
+		Ref:     strings.TrimSpace(draft.GitCredentialWriteRef),
+		Mode:    strings.TrimSpace(draft.GitAuth),
+	}
+	if ref.Mode == "" {
+		ref.Mode = string(config.GitAuthModePAT)
+	}
+	specs, err := credentials.KeySpecsForPurpose(ref)
+	if err != nil {
+		return map[string]string{}
+	}
+	allowed := make(map[string]bool, len(specs))
+	for _, spec := range specs {
+		allowed[spec.Key] = true
+	}
+	filtered := make(map[string]string, len(writes))
+	for key, value := range writes {
+		if allowed[key] {
+			filtered[key] = value
+		}
+	}
+	return filtered
+}
+
 func mergeReviewerCredentialDraftWrites(session initSessionDraft, draft initDraft) initSessionDraft {
 	ref := strings.TrimSpace(draft.ReviewerCredentialWriteRef)
 	if ref == "" {
@@ -1720,37 +1981,6 @@ func filterInitCredentialWritesForDraftReviewerMode(writes map[string]string, dr
 	return filtered
 }
 
-func propagateSharedReviewerEntityChanges(priorCfg config.File, updatedCfg config.File, activeProfileName string, previousEntity initReviewerEntityDraft, nextEntity initReviewerEntityDraft) config.File {
-	if previousEntity.Kind == initReviewerEntityKindUseGitIdentity || previousEntity.identityKey() == "" {
-		return updatedCfg
-	}
-	identityKey := previousEntity.identityKey()
-	displayName := normalizeOptionalDisplayName(nextEntity.DisplayName)
-	credentialStore := initCredentialStoreDraftValue(nextEntity.CredentialStore)
-	credentialRef := strings.TrimSpace(nextEntity.CredentialRef)
-	for profileName, previousProfile := range priorCfg.Profiles {
-		if profileName == activeProfileName {
-			continue
-		}
-		if initReviewerEntityDraftFromConfig(previousProfile).identityKey() != identityKey {
-			continue
-		}
-		profile, ok := updatedCfg.Profiles[profileName]
-		if !ok || profile.ReviewerCredentials == nil {
-			continue
-		}
-		if initReviewerEntityDraftFromConfig(profile).identityKey() != identityKey {
-			continue
-		}
-		profile.ReviewerCredentials.AuthMode = nextEntity.AuthMode
-		profile.ReviewerCredentials.Credential = initCredentialLocation(credentialStore, credentialRef)
-		profile.ReviewerCredentials.CredentialRef = credentialRef
-		profile.ReviewerCredentials.DisplayName = displayName
-		updatedCfg.Profiles[profileName] = profile
-	}
-	return updatedCfg
-}
-
 func editInteractiveInitGlobalSettings(_ *cobra.Command, opts *root.Options, deps initDeps, session initSessionDraft) (initSessionDraft, error) {
 	cfg, err := collectInteractiveInitRetentionConfig(opts, deps, cloneInitConfigFile(session.cfg))
 	if errors.Is(err, errInitNavigateBack) {
@@ -1818,11 +2048,8 @@ func (p huhInitMenuPrompter) ChooseAction(prompt initMenuPrompt) (initMenuAction
 	return action, nil
 }
 
-func initMenuInitialAction(prompt initMenuPrompt) initMenuAction {
-	if prompt.HasWorkspace {
-		return initMenuActionSecretsManagement
-	}
-	return initMenuActionReviewProfiles
+func initMenuInitialAction(_ initMenuPrompt) initMenuAction {
+	return initMenuActionSecretsManagement
 }
 
 func initMenuDescription(prompt initMenuPrompt) string {
@@ -1909,7 +2136,7 @@ func (p huhInitLLMRuntimePrompter) editLLMRuntimeInventory(prompt initLLMRuntime
 	draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 	for {
 		result, err := p.runInventory(initInventoryPrompt{
-			Title:       "LLM Runtime",
+			Title:       "LLM runtime",
 			Description: "Choose how reviewer agents run.",
 			Rows:        initLLMRuntimeInventoryRows(prompt.Context),
 			Width:       80,
@@ -2114,7 +2341,7 @@ func (p huhInitReviewerEntityPrompter) editReviewerEntityInventory(prompt initRe
 	draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 	for {
 		result, err := p.runInventory(initInventoryPrompt{
-			Title:       "Reviewer Entity",
+			Title:       "Reviewer entity",
 			Description: reviewerEntitySelectionDescription(),
 			Rows:        initReviewerEntityInventoryRows(prompt.Context),
 			Width:       80,
@@ -2243,13 +2470,6 @@ func initReviewerEntityInventoryRows(ctx initPromptContext) []initInventoryRow {
 		})
 	}
 	rows = append(rows,
-		initInventoryRow{
-			ID:            string(initReviewerEntityKindUseGitIdentity),
-			Title:         focusedReviewerEntityFallbackLabel(ctx.ExistingProfile),
-			Kind:          initInventoryRowKindCommand,
-			PrimaryAction: initInventoryActionCommand,
-			Selectable:    true,
-		},
 		initInventoryRow{
 			ID:            string(initReviewerEntityKindPAT),
 			Title:         reviewerEntityTemplatePATLabel(),
@@ -2276,7 +2496,15 @@ func initReviewerEntityInventoryRows(ctx initPromptContext) []initInventoryRow {
 }
 
 func standardReviewerCredentialRef(profileName string) (string, error) {
-	return credentials.FormatRef(profileName + "-reviewer")
+	return initCredentialRefFromSeed(profileName + "-reviewer")
+}
+
+func standardReviewerCredentialRefForEntity(entity initReviewerEntityDraft) (string, error) {
+	name := strings.TrimSpace(entity.Name)
+	if name == "" {
+		name = entity.suggestedName()
+	}
+	return initCredentialRefFromSeed(name)
 }
 
 func (p huhInitPrompter) Run(ctx initPromptContext) (initDraft, error) {
@@ -2356,6 +2584,7 @@ func (p huhInitPrompter) Run(ctx initPromptContext) (initDraft, error) {
 			selectedGit := initGitScopeDraft{
 				Host:            draft.GitHost,
 				AuthMode:        config.GitAuthMode(draft.GitAuth),
+				GitHubAppID:     strings.TrimSpace(draft.GitHubAppID),
 				CredentialStore: initCredentialStoreDraftValue(draft.GitCredentialStore),
 				CredentialRef:   strings.TrimSpace(draft.GitCredentialRef),
 			}
@@ -2397,39 +2626,38 @@ func (p huhInitPrompter) Run(ctx initPromptContext) (initDraft, error) {
 			agentSourceText := strings.Join(draft.AgentSources, "\n")
 			policy := draft.ReviewPolicy
 			if policy.MajorEvent == "" {
-				policy.MajorEvent = config.ReviewMajorEventComment
+				policy.MajorEvent = config.ReviewMajorEventRequestChanges
+			}
+			if policy.ResolveThreads == "" {
+				policy.ResolveThreads = config.ResolveThreadsAuto
 			}
 			majorEvent := policy.MajorEvent
 			selfApproveChoice := initReviewPolicySelfApproveChoice(policy.AllowSelfApprove)
 			resolveThreads := string(policy.ResolveThreads)
-			resolveAfter := policy.ResolveAfter
 			profileAction := initDetailActionEdit
 
 			reviewPolicyFields := []huh.Field{
 				huh.NewSelect[config.ReviewMajorEvent]().
 					Title("Major findings event").
+					Description("Blocking findings always request changes. This controls what cr does when the highest severity is major: either request changes or leave a review comment.").
 					Options(
-						huh.NewOption("Comment", config.ReviewMajorEventComment),
 						huh.NewOption("Request changes", config.ReviewMajorEventRequestChanges),
+						huh.NewOption("Comment", config.ReviewMajorEventComment),
 					).
 					Value(&majorEvent),
 				huh.NewSelect[string]().
 					Title("Allow self-approve").
+					Description("Relevant when this profile posts using a user account. If that account authored the PR, cr downgrades approval to a comment unless enabled.").
 					Options(initReviewPolicySelfApproveOptions()...).
 					Value(&selfApproveChoice),
 				huh.NewSelect[string]().
 					Title("Resolve threads").
+					Description("Controls whether cr may mark inline discussion threads as \"resolved\" when it evaluates the dialog, and determines a decision has been made. When enabled, cr treats the final comment as the cached outcome of the discussion. This removes the discussion thread from future calls to the LLM provider, saving both time and tokens.").
 					Options(
-						huh.NewOption("Use built-in default", ""),
-						huh.NewOption("Auto-resolve", string(config.ResolveThreadsAuto)),
-						huh.NewOption("Never resolve", string(config.ResolveThreadsNever)),
+						huh.NewOption("Auto-resolve (recommended)", string(config.ResolveThreadsAuto)),
+						huh.NewOption("Never resolve automatically", string(config.ResolveThreadsNever)),
 					).
 					Value(&resolveThreads),
-				huh.NewInput().
-					Title("Resolve-after duration").
-					Description("Optional. Leave blank to clear. Example: 24h or 30m.").
-					Value(&resolveAfter).
-					Validate(validateOptionalDuration),
 			}
 			if len(modelMapFields) == 0 {
 				modelMapFields = append(modelMapFields, huh.NewNote().Description("No model tiers are available to configure."))
@@ -2628,12 +2856,15 @@ func (p huhInitPrompter) Run(ctx initPromptContext) (initDraft, error) {
 			draft.ModelMap = initModelMapFromEditorValues(modelMapLLM, modelMapValues)
 			draft.AgentSourcesSet = true
 			draft.AgentSources = strings.FieldsFunc(agentSourceText, func(r rune) bool { return r == '\n' || r == '\r' })
+			allowSelfApprove := initReviewPolicyAllowSelfApprove(selfApproveChoice)
+			if initProfileV2ReviewerEntityKindForSelection(selectedReviewerEntity, ctx.ReviewerEntities) == initReviewerEntityKindGitHubApp {
+				allowSelfApprove = false
+			}
 			draft.ReviewPolicySet = true
 			draft.ReviewPolicy = config.ReviewPolicy{
 				MajorEvent:       majorEvent,
-				AllowSelfApprove: initReviewPolicyAllowSelfApprove(selfApproveChoice),
+				AllowSelfApprove: allowSelfApprove,
 				ResolveThreads:   config.ResolveThreadsPolicy(strings.TrimSpace(resolveThreads)),
-				ResolveAfter:     strings.TrimSpace(resolveAfter),
 			}
 			draft.RoutesSet = true
 			draft.Routes = routes
@@ -2745,6 +2976,7 @@ func initReviewerEntityDraftFromSeedDraft(draft initDraft) initReviewerEntityDra
 	}
 	entity := initReviewerEntityDraft{
 		AuthMode:        config.GitAuthMode(draft.ReviewerAuth),
+		AppID:           firstNonEmpty(draft.ReviewerGitHubAppID, draft.ReviewerCredentialWrites[credentials.GitHubAppIDKey]),
 		CredentialStore: initCredentialStoreDraftValue(draft.ReviewerCredentialStore),
 		CredentialRef:   strings.TrimSpace(draft.ReviewerCredentialRef),
 		DisplayName:     normalizeOptionalDisplayName(draft.ReviewerDisplayName),
@@ -2773,6 +3005,32 @@ func initGitScopeOptions(scopes map[string]initGitScopeDraft) []huh.Option[strin
 	return options
 }
 
+func initRepositoryAccessProfileOptions(scopes map[string]initGitScopeDraft) []huh.Option[string] {
+	names := make([]string, 0, len(scopes))
+	for name := range scopes {
+		names = append(names, name)
+	}
+	sort.Strings(names)
+	options := make([]huh.Option[string], 0, len(names))
+	for _, name := range names {
+		scope := scopes[name]
+		options = append(options, huh.NewOption(initGitScopeLabel(scope), name))
+	}
+	return options
+}
+
+func firstInitGitScopeName(scopes map[string]initGitScopeDraft) string {
+	names := make([]string, 0, len(scopes))
+	for name := range scopes {
+		names = append(names, name)
+	}
+	sort.Strings(names)
+	if len(names) == 0 {
+		return ""
+	}
+	return names[0]
+}
+
 func initGitScopeLabel(scope initGitScopeDraft) string {
 	label := fmt.Sprintf("%s via %s", scope.Host, initGitAuthModeLabel(scope.AuthMode))
 	if strings.TrimSpace(scope.Name) != "" {
@@ -2801,6 +3059,7 @@ func applyGitScopeSelection(draft *initDraft, selection string, scopes map[strin
 	}
 	draft.GitHost = scope.Host
 	draft.GitAuth = string(scope.AuthMode)
+	draft.GitHubAppID = strings.TrimSpace(scope.GitHubAppID)
 	draft.GitCredentialStore = initCredentialStoreDraftValue(scope.CredentialStore)
 	if !draft.AdvancedStorageLabels {
 		draft.GitCredentialRef = scope.CredentialRef
@@ -2862,7 +3121,7 @@ func normalizeReviewerEntitySelectionValue(selection string, entities map[string
 }
 
 func reviewerEntitySelectionDescription() string {
-	return "Choose who posts COMMENT, APPROVE, or REQUEST_CHANGES for this profile. Profiles with no separate reviewer entity post using their profile Git account."
+	return "Choose who posts COMMENT, APPROVE, or REQUEST_CHANGES. Review profiles can use a reviewer entity or post using the profile Git account."
 }
 
 func buildInitSecretsProfileInventory(cfg config.File) ([]config.EffectiveSecretsProfile, map[string]string, map[string]string) {
@@ -3024,6 +3283,14 @@ func initStorageLabelUsesDefault(value, standard string) bool {
 	return value == "" || value == standard
 }
 
+func initCredentialRefFromSeed(seed string) (string, error) {
+	segment := credstore.EscapeRefSegment(strings.TrimSpace(seed))
+	if segment == "" {
+		return "", fmt.Errorf("credential name seed is required")
+	}
+	return credentials.FormatRef(segment)
+}
+
 type initStorageLabelFieldState struct {
 	Value       string
 	UsesDefault bool
@@ -3041,7 +3308,7 @@ func initStandardGitCredentialRef(profileName, selection string, scopes map[stri
 			return strings.TrimSpace(scope.CredentialRef), nil
 		}
 	}
-	return credentials.FormatRef(profileName)
+	return initCredentialRefFromSeed(profileName)
 }
 
 func initReviewerStorageLabelRelevant(selection string, entities map[string]initReviewerEntityDraft) bool {
@@ -3088,7 +3355,7 @@ func initStandardLLMCredentialRef(profileName, selection string, runtimes map[st
 	if runtime, ok := runtimes[selection]; ok && strings.TrimSpace(runtime.CredentialRef) != "" {
 		return strings.TrimSpace(runtime.CredentialRef), nil
 	}
-	return credentials.FormatRef(profileName + "-llm")
+	return initCredentialRefFromSeed(profileName + "-llm")
 }
 
 func normalizeInitProfileStorageLabels(draft *initDraft, selectedGitScope, selectedReviewerEntity, selectedLLMRuntime string, scopes map[string]initGitScopeDraft, entities map[string]initReviewerEntityDraft, runtimes map[string]initLLMRuntimeDraft, labels initStorageLabelNormalizationInput) error {
@@ -3247,6 +3514,7 @@ func applyReviewerEntityInventorySelection(draft *initDraft, selection string, e
 	}
 	draft.ReviewerEnabled = entity.Kind != initReviewerEntityKindUseGitIdentity
 	draft.ReviewerAuth = string(entity.AuthMode)
+	draft.ReviewerGitHubAppID = strings.TrimSpace(entity.AppID)
 	draft.ReviewerCredentialStore = initCredentialStoreDraftValue(entity.CredentialStore)
 	draft.ReviewerDisplayName = normalizeOptionalDisplayName(entity.DisplayName)
 	if !draft.AdvancedStorageLabels {
@@ -3259,6 +3527,7 @@ func applyReviewerEntitySelection(draft *initDraft, selection string) {
 	case initReviewerEntityKindUseGitIdentity:
 		draft.ReviewerEnabled = false
 		draft.ReviewerAuth = string(config.GitAuthModePAT)
+		draft.ReviewerGitHubAppID = ""
 		draft.ReviewerDisplayName = ""
 		if !draft.AdvancedStorageLabels {
 			draft.ReviewerCredentialRef = ""
@@ -3269,16 +3538,19 @@ func applyReviewerEntitySelection(draft *initDraft, selection string) {
 	case initReviewerEntityKindPAT:
 		draft.ReviewerEnabled = true
 		draft.ReviewerAuth = string(config.GitAuthModePAT)
+		draft.ReviewerGitHubAppID = ""
 	}
 }
 
 func initLLMRuntimeDraftFromSeedDraft(draft initDraft) initLLMRuntimeDraft {
 	return initLLMRuntimeDraftFromConfig(config.LLMConfig{
-		Provider:      config.LLMProvider(draft.LLMProvider),
-		Auth:          config.LLMAuth(draft.LLMAuth),
-		Adapter:       config.LLMAdapter(draft.LLMAdapter),
-		Credential:    initCredentialLocationIfName(draft.LLMCredentialStore, draft.LLMCredentialRef),
-		CredentialRef: strings.TrimSpace(draft.LLMCredentialRef),
+		Provider:          config.LLMProvider(draft.LLMProvider),
+		Auth:              config.LLMAuth(draft.LLMAuth),
+		Adapter:           config.LLMAdapter(draft.LLMAdapter),
+		Credential:        initCredentialLocationIfName(draft.LLMCredentialStore, draft.LLMCredentialRef),
+		CredentialRef:     strings.TrimSpace(draft.LLMCredentialRef),
+		ModelMap:          copyModelMap(draft.ModelMap),
+		ReviewerModelTier: config.ModelTier(strings.TrimSpace(draft.LLMReviewerModelTier)),
 	})
 }
 
@@ -3435,6 +3707,9 @@ func applyLLMRuntimeInventorySelection(draft *initDraft, selection string, runti
 		draft.LLMProvider = string(runtime.Provider)
 		draft.LLMAuth = string(runtime.Auth)
 		draft.LLMAdapter = string(runtime.Adapter)
+		draft.ModelMap = copyModelMap(runtime.ModelMap)
+		draft.ModelMapSet = true
+		draft.LLMReviewerModelTier = string(runtime.ReviewerModelTier)
 		if !draft.AdvancedStorageLabels {
 			draft.LLMCredentialStore = initCredentialStoreDraftValue(runtime.CredentialStore)
 			draft.LLMCredentialRef = runtime.CredentialRef
@@ -3677,13 +3952,15 @@ func (p huhInitReviewPolicyPrompter) EditReviewPolicy(prompt initReviewPolicyPro
 	action := initDetailActionEdit
 	policy := prompt.ReviewPolicy
 	if policy.MajorEvent == "" {
-		policy.MajorEvent = config.ReviewMajorEventComment
+		policy.MajorEvent = config.ReviewMajorEventRequestChanges
+	}
+	if policy.ResolveThreads == "" {
+		policy.ResolveThreads = config.ResolveThreadsAuto
 	}
 	majorEvent := policy.MajorEvent
 	selfApprove := policy.AllowSelfApprove
 	selfApproveChoice := initReviewPolicySelfApproveChoice(selfApprove)
 	resolveThreads := string(policy.ResolveThreads)
-	resolveAfter := policy.ResolveAfter
 	form := huh.NewForm(
 		huh.NewGroup(
 			huh.NewSelect[string]().
@@ -3697,28 +3974,25 @@ func (p huhInitReviewPolicyPrompter) EditReviewPolicy(prompt initReviewPolicyPro
 		huh.NewGroup(
 			huh.NewSelect[config.ReviewMajorEvent]().
 				Title("Major findings event").
+				Description("Blocking findings always request changes. This controls what cr does when the highest severity is major: either request changes or leave a review comment.").
 				Options(
-					huh.NewOption("Comment", config.ReviewMajorEventComment),
 					huh.NewOption("Request changes", config.ReviewMajorEventRequestChanges),
+					huh.NewOption("Comment", config.ReviewMajorEventComment),
 				).
 				Value(&majorEvent),
 			huh.NewSelect[string]().
 				Title("Allow self-approve").
+				Description("Relevant when this profile posts using a user account. If that account authored the PR, cr downgrades approval to a comment unless enabled.").
 				Options(initReviewPolicySelfApproveOptions()...).
 				Value(&selfApproveChoice),
 			huh.NewSelect[string]().
 				Title("Resolve threads").
+				Description("Controls whether cr may mark inline discussion threads as \"resolved\" when it evaluates the dialog, and determines a decision has been made. When enabled, cr treats the final comment as the cached outcome of the discussion. This removes the discussion thread from future calls to the LLM provider, saving both time and tokens.").
 				Options(
-					huh.NewOption("Use built-in default", ""),
-					huh.NewOption("Auto-resolve", string(config.ResolveThreadsAuto)),
-					huh.NewOption("Never resolve", string(config.ResolveThreadsNever)),
+					huh.NewOption("Auto-resolve (recommended)", string(config.ResolveThreadsAuto)),
+					huh.NewOption("Never resolve automatically", string(config.ResolveThreadsNever)),
 				).
 				Value(&resolveThreads),
-			huh.NewInput().
-				Title("Resolve-after duration").
-				Description("Optional. Leave blank to clear. Example: 24h or 30m.").
-				Value(&resolveAfter).
-				Validate(validateOptionalDuration),
 		).WithHideFunc(func() bool {
 			return action == initDetailActionBack
 		}).Title("Review Policy"),
@@ -3737,7 +4011,6 @@ func (p huhInitReviewPolicyPrompter) EditReviewPolicy(prompt initReviewPolicyPro
 			MajorEvent:       majorEvent,
 			AllowSelfApprove: selfApprove,
 			ResolveThreads:   config.ResolveThreadsPolicy(strings.TrimSpace(resolveThreads)),
-			ResolveAfter:     strings.TrimSpace(resolveAfter),
 		},
 	}, nil
 }
@@ -3925,6 +4198,30 @@ func validateOptionalDuration(value string) error {
 	return err
 }
 
+func validateOptionalGitHubAppInstallationID(value string) error {
+	trimmed := strings.TrimSpace(value)
+	if trimmed == "" {
+		return nil
+	}
+	if _, err := strconv.ParseInt(trimmed, 10, 64); err != nil {
+		return fmt.Errorf("GitHub App installation ID must be a decimal number")
+	}
+	return nil
+}
+
+func validateOptionalDecimalID(label string) func(string) error {
+	return func(value string) error {
+		trimmed := strings.TrimSpace(value)
+		if trimmed == "" {
+			return nil
+		}
+		if _, err := strconv.ParseInt(trimmed, 10, 64); err != nil {
+			return fmt.Errorf("%s must be a decimal number", label)
+		}
+		return nil
+	}
+}
+
 func validateRetentionMaxAgeDays(value string) error {
 	_, err := parseInteractiveRetentionMaxAgeDays(value)
 	return err
@@ -3993,6 +4290,9 @@ func seedInteractiveInitDraft(requestedProfileName string, existingProfileName s
 	if existingProfile != nil {
 		draft.GitHost = existingProfile.Git.Host
 		draft.GitAuth = string(existingProfile.Git.AuthMode)
+		if existingProfile.Git.GitHubApp != nil {
+			draft.GitHubAppID = strings.TrimSpace(existingProfile.Git.GitHubApp.AppID)
+		}
 		draft.GitCredentialStore = initCredentialStoreDraftValue(existingProfile.Git.Credential.Store)
 		draft.GitCredentialRef = firstNonEmpty(existingProfile.Git.Credential.Name, existingProfile.Git.CredentialRef)
 		draft.LLMProvider = string(existingProfile.LLM.Provider)
@@ -4005,9 +4305,17 @@ func seedInteractiveInitDraft(requestedProfileName string, existingProfileName s
 		draft.AgentSources = append([]string(nil), existingProfile.AgentSources...)
 		draft.ReviewPolicy = existingProfile.ReviewPolicy
 		draft.SecretsProfile = strings.TrimSpace(existingProfile.SecretsProfile)
+		if existingProfile.Reviewer.GitHubAppInstallation != nil {
+			installation := existingProfile.Reviewer.GitHubAppInstallation
+			draft.ReviewerGitHubAppInstallationMode = strings.TrimSpace(string(installation.Mode))
+			draft.ReviewerGitHubAppInstallationID = strings.TrimSpace(installation.InstallationID)
+		}
 		if existingProfile.ReviewerCredentials != nil {
 			draft.ReviewerEnabled = true
 			draft.ReviewerAuth = string(existingProfile.ReviewerCredentials.AuthMode)
+			if existingProfile.ReviewerCredentials.GitHubApp != nil {
+				draft.ReviewerGitHubAppID = strings.TrimSpace(existingProfile.ReviewerCredentials.GitHubApp.AppID)
+			}
 			draft.ReviewerCredentialStore = initCredentialStoreDraftValue(existingProfile.ReviewerCredentials.Credential.Store)
 			draft.ReviewerCredentialRef = firstNonEmpty(existingProfile.ReviewerCredentials.Credential.Name, existingProfile.ReviewerCredentials.CredentialRef)
 			draft.ReviewerDisplayName = normalizeOptionalDisplayName(existingProfile.ReviewerCredentials.DisplayName)
@@ -4084,6 +4392,7 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 		return initPlan{}, exitcode.Usage(fmt.Errorf("--llm-reviewer-model-tier and --clear-llm-reviewer-model-tier may not be used together; use one or the other"))
 	}
 	reviewerCredentialsConfigured := flags.reviewerRef != "" ||
+		flags.reviewerGitHubAppID != "" ||
 		flags.reviewerTokenStdin ||
 		flags.reviewerTokenEnv != "" ||
 		cmd.Flags().Changed("reviewer-auth-mode")
@@ -4115,9 +4424,9 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 		existingCopy := existing
 		previousProfile = &existingCopy
 	}
-	defaultGitRef, err := credentials.FormatRef(profileName)
+	defaultGitRef, err := initCredentialRefFromSeed(profileName)
 	if err != nil {
-		return initPlan{}, exitcode.Usage(fmt.Errorf("profile %q cannot be used as a credential name segment: %w", profileName, err))
+		return initPlan{}, exitcode.Usage(fmt.Errorf("profile %q cannot be used as a credential name seed: %w", profileName, err))
 	}
 	gitRef := flags.gitRef
 	if gitRef == "" {
@@ -4138,6 +4447,7 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 		return initPlan{}, exitcode.Usage(fmt.Errorf("--git-auth-mode %s is not supported in v1", flags.gitAuth))
 	}
 	reviewerRequested := flags.reviewerRef != "" ||
+		flags.reviewerGitHubAppID != "" ||
 		flags.reviewerTokenStdin ||
 		flags.reviewerTokenEnv != "" ||
 		cmd.Flags().Changed("reviewer-auth-mode")
@@ -4157,7 +4467,7 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 			if previousProfile != nil && previousProfile.ReviewerCredentials != nil && previousProfile.ReviewerCredentials.CredentialRef != "" {
 				reviewerRef = previousProfile.ReviewerCredentials.CredentialRef
 			} else {
-				reviewerRef, err = credentials.FormatRef(profileName + "-reviewer")
+				reviewerRef, err = initCredentialRefFromSeed(profileName + "-reviewer")
 				if err != nil {
 					return initPlan{}, exitcode.Usage(err)
 				}
@@ -4175,7 +4485,7 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 		if previousProfile != nil && previousProfile.LLM.Auth == config.LLMAuthAPIKey && previousProfile.LLM.CredentialRef != "" {
 			llmRef = previousProfile.LLM.CredentialRef
 		} else {
-			llmRef, err = credentials.FormatRef(profileName + "-llm")
+			llmRef, err = initCredentialRefFromSeed(profileName + "-llm")
 			if err != nil {
 				return initPlan{}, exitcode.Usage(err)
 			}
@@ -4189,6 +4499,30 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 	if gitMode != config.GitAuthModePAT && (flags.gitTokenStdin || flags.gitTokenEnv != "") {
 		return initPlan{}, exitcode.Usage(fmt.Errorf("git token ingress requires --git-auth-mode %s", config.GitAuthModePAT))
 	}
+	if gitMode != config.GitAuthModeGitHubApp && strings.TrimSpace(flags.gitGitHubAppID) != "" {
+		return initPlan{}, exitcode.Usage(fmt.Errorf("--git-github-app-id requires --git-auth-mode %s", config.GitAuthModeGitHubApp))
+	}
+	gitGitHubAppID := strings.TrimSpace(flags.gitGitHubAppID)
+	if gitMode == config.GitAuthModeGitHubApp {
+		if gitGitHubAppID == "" && previousProfile != nil && previousProfile.Git.GitHubApp != nil {
+			gitGitHubAppID = strings.TrimSpace(previousProfile.Git.GitHubApp.AppID)
+		}
+		if gitGitHubAppID == "" {
+			return initPlan{}, exitcode.Usage(fmt.Errorf("--git-github-app-id is required when --git-auth-mode is %s", config.GitAuthModeGitHubApp))
+		}
+	}
+	if reviewerMode != config.GitAuthModeGitHubApp && strings.TrimSpace(flags.reviewerGitHubAppID) != "" {
+		return initPlan{}, exitcode.Usage(fmt.Errorf("--reviewer-github-app-id requires --reviewer-auth-mode %s", config.GitAuthModeGitHubApp))
+	}
+	reviewerGitHubAppID := strings.TrimSpace(flags.reviewerGitHubAppID)
+	if reviewerRequested && reviewerMode == config.GitAuthModeGitHubApp {
+		if reviewerGitHubAppID == "" && previousProfile != nil && previousProfile.ReviewerCredentials != nil && previousProfile.ReviewerCredentials.GitHubApp != nil {
+			reviewerGitHubAppID = strings.TrimSpace(previousProfile.ReviewerCredentials.GitHubApp.AppID)
+		}
+		if reviewerGitHubAppID == "" {
+			return initPlan{}, exitcode.Usage(fmt.Errorf("--reviewer-github-app-id is required when --reviewer-auth-mode is %s", config.GitAuthModeGitHubApp))
+		}
+	}
 	gitSecret, hasGitSecret, err := readInitSecret(deps, opts.Stdin, flags.gitTokenStdin, flags.gitTokenEnv, "--git-token-stdin", "--git-token-from-env")
 	if err != nil {
 		return initPlan{}, exitcode.Usage(err)
@@ -4229,6 +4563,7 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 			Host:          flags.gitHost,
 			AuthMode:      gitMode,
 			Credential:    initCredentialLocation(gitStore, gitRef),
+			GitHubApp:     initGitHubAppConfigForAuth(gitMode, gitGitHubAppID),
 			CredentialRef: gitRef,
 		},
 		LLM: config.LLMConfig{
@@ -4242,7 +4577,6 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 			MajorEvent:       config.ReviewMajorEvent(flags.majorEvent),
 			AllowSelfApprove: flags.selfApprove,
 			ResolveThreads:   config.ResolveThreadsPolicy(flags.resolveThreads),
-			ResolveAfter:     flags.resolveAfter,
 		},
 	}
 	if llmRef != "" {
@@ -4257,10 +4591,12 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 		profile.ReviewerCredentials = &config.ReviewerCredentials{
 			AuthMode:      reviewerMode,
 			Credential:    initCredentialLocation(reviewerStore, reviewerRef),
+			GitHubApp:     initGitHubAppConfigForAuth(reviewerMode, reviewerGitHubAppID),
 			CredentialRef: reviewerRef,
 		}
 	}
 	if previousProfile != nil {
+		profile.LLMRuntime = previousProfile.LLMRuntime
 		profile.Git.IdentityCache = previousProfile.Git.IdentityCache
 		if previousProfile.LLM.ModelMap != nil {
 			modelMap := make(config.ModelMap, len(previousProfile.LLM.ModelMap))
@@ -4274,8 +4610,7 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 		}
 		if !cmd.Flags().Changed("major-event") &&
 			!cmd.Flags().Changed("allow-self-approve") &&
-			!cmd.Flags().Changed("resolve-threads") &&
-			!cmd.Flags().Changed("resolve-after") {
+			!cmd.Flags().Changed("resolve-threads") {
 			profile.ReviewPolicy = previousProfile.ReviewPolicy
 		}
 		if !cmd.Flags().Changed("llm-reviewer-model-tier") && !flags.clearLLMReviewer {
@@ -4293,7 +4628,9 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 			profile.ReviewerCredentials.IdentityCache = previousProfile.ReviewerCredentials.IdentityCache
 		}
 	}
-	cfg.Profiles[profileName] = profile
+	cfg, profile = materializeProfileRepositoryAccess(cfg, profileName, profile)
+	cfg, profile = materializeProfileReviewerEntity(cfg, profileName, profile)
+	cfg, profile = materializeProfileLLMRuntime(cfg, profileName, profile)
 
 	writes := map[string]map[string]string{}
 	if hasGitSecret {
@@ -4381,7 +4718,9 @@ func buildInteractiveInitWorkspace(cmd *cobra.Command, opts *root.Options, flags
 	if err != nil {
 		return initWorkspaceDraft{}, err
 	}
-	working.Profiles[profileName] = profile
+	working, profile = materializeProfileRepositoryAccess(working, profileName, profile)
+	working, profile = materializeProfileReviewerEntity(working, profileName, profile)
+	working, profile = materializeProfileLLMRuntime(working, profileName, profile)
 	if err := validateInteractiveInitConfig(initValidationConfigForProfileHost(working, profileName, previousProfile, profile.Git.Host)); err != nil {
 		return initWorkspaceDraft{}, cmderr.Config(err)
 	}
@@ -4512,6 +4851,21 @@ func buildInteractiveInitSessionPlan(opts *root.Options, session initSessionDraf
 			}
 		}
 	}
+	for _, entry := range standaloneRepositoryAccessPlanEntries(session.cfg, plannedWriteKeys) {
+		if len(plannedWriteKeys[entry.Ref.Ref]) == 0 {
+			continue
+		}
+		activeRefs[entry.Ref.Ref] = true
+		if err := mergeInteractiveInitSessionPlanEntry(entriesByKey, entry); err != nil {
+			return initSessionPlan{}, cmderr.Config(err)
+		}
+	}
+	for _, entry := range standaloneReviewerEntityPlanEntries(session.cfg, plannedWriteKeys) {
+		activeRefs[entry.Ref.Ref] = true
+		if err := mergeInteractiveInitSessionPlanEntry(entriesByKey, entry); err != nil {
+			return initSessionPlan{}, cmderr.Config(err)
+		}
+	}
 	entryKeys := make([]string, 0, len(entriesByKey))
 	for key := range entriesByKey {
 		entryKeys = append(entryKeys, key)
@@ -4573,6 +4927,45 @@ func mergeInteractiveInitSessionPlanEntry(entriesByKey map[string]initCredential
 	return nil
 }
 
+func standaloneRepositoryAccessPlanEntries(cfg config.File, plannedWriteKeys map[string][]string) []initCredentialPlanEntry {
+	names := make([]string, 0, len(cfg.RepositoryAccess))
+	for name := range cfg.RepositoryAccess {
+		names = append(names, name)
+	}
+	sort.Strings(names)
+	entries := make([]initCredentialPlanEntry, 0, len(names))
+	for _, name := range names {
+		access := cfg.RepositoryAccess[name]
+		ref := config.CredentialRef{
+			Purpose: "git",
+			Store:   initCredentialStoreDraftValue(access.Git.Credential.Store),
+			Ref:     strings.TrimSpace(firstNonEmpty(access.Git.Credential.Name, access.Git.CredentialRef)),
+			Mode:    string(access.Git.AuthMode),
+		}
+		if ref.Store == "" || ref.Ref == "" {
+			continue
+		}
+		resolved, err := credentials.ResolveCredentialStore(cfg, ref.Store)
+		if err != nil {
+			continue
+		}
+		specs, err := credentials.KeySpecsForPurpose(ref)
+		if err != nil {
+			continue
+		}
+		entry := initCredentialPlanEntry{
+			Ref:              ref,
+			SecretsProfile:   resolved,
+			KeySpecs:         append([]credentials.KeySpec(nil), specs...),
+			PlannedWriteKeys: append([]string(nil), plannedWriteKeys[ref.Ref]...),
+		}
+		entry.MissingRequiredKeys = missingRequiredInitCredentialKeys(entry.KeySpecs, entry.PlannedWriteKeys)
+		entry.State = classifyInitCredentialPlanEntry(entry)
+		entries = append(entries, entry)
+	}
+	return entries
+}
+
 func collectInteractiveInitSessionWorkspaceSecrets(opts *root.Options, deps initDeps, session initSessionDraft, purposes []string) (initSessionDraft, error) {
 	if session.workspace == nil {
 		return session, nil
@@ -4610,6 +5003,46 @@ func collectInteractiveInitSessionWorkspaceSecrets(opts *root.Options, deps init
 	return session, nil
 }
 
+func standaloneReviewerEntityPlanEntries(cfg config.File, plannedWriteKeys map[string][]string) []initCredentialPlanEntry {
+	cfg = config.Normalize(cfg)
+	names := make([]string, 0, len(cfg.ReviewerEntities))
+	for name := range cfg.ReviewerEntities {
+		names = append(names, name)
+	}
+	sort.Strings(names)
+	entries := make([]initCredentialPlanEntry, 0, len(names))
+	for _, name := range names {
+		entity := cfg.ReviewerEntities[name]
+		ref := config.CredentialRef{
+			Purpose: "reviewer_credentials",
+			Store:   strings.TrimSpace(entity.Credential.Store),
+			Ref:     strings.TrimSpace(entity.Credential.Name),
+			Mode:    string(entity.AuthMode),
+		}
+		if ref.Store == "" || ref.Ref == "" {
+			continue
+		}
+		resolved, err := credentials.ResolveCredentialStore(cfg, ref.Store)
+		if err != nil {
+			continue
+		}
+		specs, err := credentials.KeySpecsForPurpose(ref)
+		if err != nil {
+			continue
+		}
+		entry := initCredentialPlanEntry{
+			Ref:              ref,
+			SecretsProfile:   resolved,
+			KeySpecs:         append([]credentials.KeySpec(nil), specs...),
+			PlannedWriteKeys: append([]string(nil), plannedWriteKeys[ref.Ref]...),
+		}
+		entry.MissingRequiredKeys = missingRequiredInitCredentialKeys(entry.KeySpecs, entry.PlannedWriteKeys)
+		entry.State = classifyInitCredentialPlanEntry(entry)
+		entries = append(entries, entry)
+	}
+	return entries
+}
+
 func sortedTouchedProfileNames(session initSessionDraft) []string {
 	names := map[string]struct{}{}
 	for name := range session.touchedProfiles {
@@ -4627,6 +5060,9 @@ func ensureInitDeleteState(session *initSessionDraft) {
 	if session.pendingProfileDeletes == nil {
 		session.pendingProfileDeletes = map[string]initPendingProfileDelete{}
 	}
+	if session.pendingRepositoryAccessDeletes == nil {
+		session.pendingRepositoryAccessDeletes = map[string]initPendingRepositoryAccessDelete{}
+	}
 	if session.pendingReviewerEntityDeletes == nil {
 		session.pendingReviewerEntityDeletes = map[string]initPendingReviewerEntityDelete{}
 	}
@@ -4750,6 +5186,52 @@ func undoInteractiveInitProfileDelete(session initSessionDraft, profileName stri
 	return session, nil
 }
 
+func deleteInteractiveInitRepositoryAccess(session initSessionDraft, name string) (initSessionDraft, error) {
+	name = strings.TrimSpace(name)
+	if name == "" {
+		return initSessionDraft{}, exitcode.Usage(errors.New("repository access name is required"))
+	}
+	ensureInitDeleteState(&session)
+	if _, exists := session.pendingRepositoryAccessDeletes[name]; exists {
+		return session, nil
+	}
+	working := cloneInitConfigFile(session.cfg)
+	access, ok := working.RepositoryAccess[name]
+	if !ok {
+		return initSessionDraft{}, exitcode.Usage(fmt.Errorf("repository access %q is not deletable", name))
+	}
+	delete(working.RepositoryAccess, name)
+	if err := validateInteractiveInitGlobalConfig(working); err != nil {
+		return initSessionDraft{}, cmderr.Config(err)
+	}
+	session.pendingRepositoryAccessDeletes[name] = initPendingRepositoryAccessDelete{
+		Name:   name,
+		Access: access,
+	}
+	session.cfg = config.Normalize(working)
+	return rebuildInteractiveInitWorkspace(session, preferredInteractiveInitProfile(session)), nil
+}
+
+func undoInteractiveInitRepositoryAccessDelete(session initSessionDraft, name string) (initSessionDraft, error) {
+	name = strings.TrimSpace(name)
+	ensureInitDeleteState(&session)
+	pending, ok := session.pendingRepositoryAccessDeletes[name]
+	if !ok {
+		return session, nil
+	}
+	working := cloneInitConfigFile(session.cfg)
+	if working.RepositoryAccess == nil {
+		working.RepositoryAccess = map[string]config.RepositoryAccessConfig{}
+	}
+	working.RepositoryAccess[name] = pending.Access
+	if err := validateInteractiveInitGlobalConfig(working); err != nil {
+		return initSessionDraft{}, cmderr.Config(err)
+	}
+	delete(session.pendingRepositoryAccessDeletes, name)
+	session.cfg = config.Normalize(working)
+	return rebuildInteractiveInitWorkspace(session, preferredInteractiveInitProfile(session)), nil
+}
+
 func deleteInteractiveInitReviewerEntity(session initSessionDraft, entityName string) (initSessionDraft, error) {
 	entityName = strings.TrimSpace(entityName)
 	if entityName == "" {
@@ -4759,26 +5241,37 @@ func deleteInteractiveInitReviewerEntity(session initSessionDraft, entityName st
 	if _, exists := session.pendingReviewerEntityDeletes[entityName]; exists {
 		return session, nil
 	}
-	_, profileEntityNames := buildInitReviewerEntityInventory(session.cfg)
+	session.cfg = config.Normalize(session.cfg)
+	var originalEntity *config.ReviewerEntity
+	if session.cfg.ReviewerEntities != nil {
+		if entity, ok := session.cfg.ReviewerEntities[entityName]; ok {
+			entityCopy := entity
+			originalEntity = &entityCopy
+			delete(session.cfg.ReviewerEntities, entityName)
+		}
+	}
 	affected := map[string]config.ReviewerCredentials{}
-	for profileName, selected := range profileEntityNames {
-		if selected != entityName {
+	profileReviewers := map[string]config.ProfileReviewer{}
+	for profileName, profile := range session.cfg.Profiles {
+		if profile.Reviewer.Kind != config.ProfileReviewerKindEntity || profile.Reviewer.Entity != entityName {
 			continue
 		}
-		profile := session.cfg.Profiles[profileName]
-		if profile.ReviewerCredentials == nil {
-			continue
+		profileReviewers[profileName] = profile.Reviewer
+		if profile.ReviewerCredentials != nil {
+			affected[profileName] = *profile.ReviewerCredentials
 		}
-		affected[profileName] = *profile.ReviewerCredentials
-		cleared, _ := configedit.ClearReviewerCredentials(profile)
-		session.cfg.Profiles[profileName] = cleared
+		profile.Reviewer = config.ProfileReviewer{Kind: config.ProfileReviewerKindGitIdentity}
+		profile.ReviewerCredentials = nil
+		session.cfg.Profiles[profileName] = profile
 	}
-	if len(affected) == 0 {
+	if len(profileReviewers) == 0 && originalEntity == nil {
 		return initSessionDraft{}, exitcode.Usage(fmt.Errorf("reviewer entity %q is not deletable", entityName))
 	}
 	session.pendingReviewerEntityDeletes[entityName] = initPendingReviewerEntityDelete{
-		EntityName: entityName,
-		Affected:   affected,
+		EntityName:       entityName,
+		Entity:           originalEntity,
+		ProfileReviewers: profileReviewers,
+		Affected:         affected,
 	}
 	return rebuildInteractiveInitWorkspace(session, preferredInteractiveInitProfile(session)), nil
 }
@@ -4790,6 +5283,23 @@ func undoInteractiveInitReviewerEntityDelete(session initSessionDraft, entityNam
 	if !ok {
 		return session, nil
 	}
+	if pending.Entity != nil {
+		if session.cfg.ReviewerEntities == nil {
+			session.cfg.ReviewerEntities = map[string]config.ReviewerEntity{}
+		}
+		session.cfg.ReviewerEntities[entityName] = *pending.Entity
+	}
+	for profileName, reviewer := range pending.ProfileReviewers {
+		profile, ok := session.cfg.Profiles[profileName]
+		if !ok {
+			continue
+		}
+		if profile.Reviewer.Kind != config.ProfileReviewerKindGitIdentity {
+			continue
+		}
+		profile.Reviewer = reviewer
+		session.cfg.Profiles[profileName] = profile
+	}
 	for profileName, previous := range pending.Affected {
 		profile, ok := session.cfg.Profiles[profileName]
 		if !ok {
@@ -4818,8 +5328,10 @@ func deleteInteractiveInitLLMRuntime(session initSessionDraft, runtimeName strin
 	if _, exists := session.pendingLLMRuntimeDeletes[runtimeName]; exists {
 		return session, nil
 	}
-	_, profileRuntimeNames := buildInitLLMRuntimeInventory(session.cfg)
+	session.cfg = config.Normalize(session.cfg)
+	runtimes, profileRuntimeNames := buildInitLLMRuntimeInventory(session.cfg)
 	original := map[string]config.LLMConfig{}
+	originalRefs := map[string]string{}
 	applied := map[string]config.LLMConfig{}
 	var standaloneOriginal *config.LLMConfig
 	if session.cfg.LLMRuntimes != nil {
@@ -4829,18 +5341,44 @@ func deleteInteractiveInitLLMRuntime(session initSessionDraft, runtimeName strin
 			delete(session.cfg.LLMRuntimes, runtimeName)
 		}
 	}
+	replacementName := ""
+	replacementKey := replacement.identityKey()
+	for name, candidate := range runtimes {
+		if name == runtimeName {
+			continue
+		}
+		if candidate.identityKey() == replacementKey {
+			replacementName = name
+			break
+		}
+	}
+	addedReplacement := false
+	var replacementLLM config.LLMConfig
+	if replacementName != "" {
+		replacementLLM = session.cfg.LLMRuntimes[replacementName]
+	} else {
+		var err error
+		replacementLLM, err = initLLMConfigForReplacement("replacement", replacement)
+		if err != nil {
+			return initSessionDraft{}, err
+		}
+		if session.cfg.LLMRuntimes == nil {
+			session.cfg.LLMRuntimes = map[string]config.LLMConfig{}
+		}
+		replacementName = uniqueInitLLMRuntimeName(buildInitLLMRuntimeDraftNameSet(session.cfg.LLMRuntimes), replacement.suggestedName())
+		session.cfg.LLMRuntimes[replacementName] = replacementLLM
+		addedReplacement = true
+	}
 	for profileName, selected := range profileRuntimeNames {
 		if selected != runtimeName {
 			continue
 		}
 		profile := session.cfg.Profiles[profileName]
 		original[profileName] = cloneInitLLMConfig(profile.LLM)
-		nextLLM, err := initLLMConfigForReplacement(profileName, replacement)
-		if err != nil {
-			return initSessionDraft{}, err
-		}
-		applied[profileName] = cloneInitLLMConfig(nextLLM)
-		profile.LLM = nextLLM
+		originalRefs[profileName] = profile.LLMRuntime
+		applied[profileName] = cloneInitLLMConfig(replacementLLM)
+		profile.LLMRuntime = replacementName
+		profile.LLM = replacementLLM
 		session.cfg.Profiles[profileName] = profile
 	}
 	if len(original) == 0 && standaloneOriginal == nil {
@@ -4849,8 +5387,11 @@ func deleteInteractiveInitLLMRuntime(session initSessionDraft, runtimeName strin
 	session.pendingLLMRuntimeDeletes[runtimeName] = initPendingLLMRuntimeDelete{
 		RuntimeName:        runtimeName,
 		Replacement:        replacement,
+		ReplacementName:    replacementName,
+		AddedReplacement:   addedReplacement,
 		Applied:            applied,
 		Original:           original,
+		OriginalRefs:       originalRefs,
 		StandaloneOriginal: standaloneOriginal,
 	}
 	return rebuildInteractiveInitWorkspace(session, preferredInteractiveInitProfile(session)), nil
@@ -4872,6 +5413,7 @@ func undoInteractiveInitLLMRuntimeDelete(session initSessionDraft, runtimeName s
 		if !reflect.DeepEqual(profile.LLM, applied) {
 			continue
 		}
+		profile.LLMRuntime = pending.OriginalRefs[profileName]
 		profile.LLM = cloneInitLLMConfig(previous)
 		session.cfg.Profiles[profileName] = profile
 	}
@@ -4881,6 +5423,9 @@ func undoInteractiveInitLLMRuntimeDelete(session initSessionDraft, runtimeName s
 		}
 		session.cfg.LLMRuntimes[runtimeName] = cloneInitLLMConfig(*pending.StandaloneOriginal)
 	}
+	if pending.AddedReplacement && pending.ReplacementName != "" && !initLLMRuntimeReferenced(session.cfg, pending.ReplacementName) {
+		delete(session.cfg.LLMRuntimes, pending.ReplacementName)
+	}
 	delete(session.pendingLLMRuntimeDeletes, runtimeName)
 	return rebuildInteractiveInitWorkspace(session, preferredInteractiveInitProfile(session)), nil
 }
@@ -4893,7 +5438,7 @@ func initLLMConfigForReplacement(profileName string, runtime initLLMRuntimeDraft
 	if strings.TrimSpace(llm.CredentialRef) != "" {
 		return llm, nil
 	}
-	ref, err := credentials.FormatRef(profileName + "-llm")
+	ref, err := initCredentialRefFromSeed(profileName + "-llm")
 	if err != nil {
 		return config.LLMConfig{}, exitcode.Usage(err)
 	}
@@ -4901,14 +5446,32 @@ func initLLMConfigForReplacement(profileName string, runtime initLLMRuntimeDraft
 	return llm, nil
 }
 
+func initLLMRuntimeReferenced(cfg config.File, runtimeName string) bool {
+	runtimeName = strings.TrimSpace(runtimeName)
+	if runtimeName == "" {
+		return false
+	}
+	for _, profile := range cfg.Profiles {
+		if strings.TrimSpace(profile.LLMRuntime) == runtimeName {
+			return true
+		}
+	}
+	return false
+}
+
 func initCredentialEntryKey(ref config.CredentialRef) string {
 	return strings.Join([]string{ref.Store, ref.Purpose, ref.Ref, ref.Mode, ref.Provider}, "\x00")
 }
 
 func initGitScopeDraftFromConfig(git config.GitConfig) initGitScopeDraft {
+	appID := ""
+	if git.GitHubApp != nil {
+		appID = strings.TrimSpace(git.GitHubApp.AppID)
+	}
 	return initGitScopeDraft{
 		Host:            strings.TrimSpace(git.Host),
 		AuthMode:        git.AuthMode,
+		GitHubAppID:     appID,
 		CredentialStore: initCredentialStoreDraftValue(git.Credential.Store),
 		CredentialRef:   strings.TrimSpace(firstNonEmpty(git.Credential.Name, git.CredentialRef)),
 	}
@@ -4919,6 +5482,7 @@ func (scope initGitScopeDraft) exportConfig(previous *config.GitConfig) config.G
 		Host:          strings.TrimSpace(scope.Host),
 		AuthMode:      scope.AuthMode,
 		Credential:    initCredentialLocation(scope.CredentialStore, scope.CredentialRef),
+		GitHubApp:     initGitHubAppConfigForAuth(scope.AuthMode, scope.GitHubAppID),
 		CredentialRef: strings.TrimSpace(scope.CredentialRef),
 	}
 	if previous != nil && scope.matchesConfig(*previous) {
@@ -4932,6 +5496,7 @@ func (scope initGitScopeDraft) identityKey() string {
 	return strings.Join([]string{
 		config.NormalizeHost(scope.Host),
 		string(scope.AuthMode),
+		strings.TrimSpace(scope.GitHubAppID),
 		initCredentialStoreDraftValue(scope.CredentialStore),
 		strings.TrimSpace(scope.CredentialRef),
 	}, "\x00")
@@ -4950,16 +5515,35 @@ func (scope initGitScopeDraft) suggestedName() string {
 func (scope initGitScopeDraft) matchesConfig(previous config.GitConfig) bool {
 	return config.NormalizeHost(previous.Host) == config.NormalizeHost(scope.Host) &&
 		previous.AuthMode == scope.AuthMode &&
+		initGitHubAppIDForAuth(previous.AuthMode, previous.GitHubApp) == strings.TrimSpace(scope.GitHubAppID) &&
 		initCredentialStoreDraftValue(previous.Credential.Store) == initCredentialStoreDraftValue(scope.CredentialStore) &&
 		strings.TrimSpace(firstNonEmpty(previous.Credential.Name, previous.CredentialRef)) == strings.TrimSpace(scope.CredentialRef)
 }
 
 func buildInitGitScopeInventory(cfg config.File) (map[string]initGitScopeDraft, map[string]string) {
+	cfg = config.Normalize(cfg)
 	scopes := map[string]initGitScopeDraft{}
 	profileScopeNames := map[string]string{}
 	scopeNamesByKey := map[string]string{}
+	accessNames := make([]string, 0, len(cfg.RepositoryAccess))
+	for name := range cfg.RepositoryAccess {
+		accessNames = append(accessNames, name)
+	}
+	sort.Strings(accessNames)
+	for _, name := range accessNames {
+		scope := initGitScopeDraftFromConfig(cfg.RepositoryAccess[name].Git)
+		scope.Name = name
+		scopes[name] = scope
+		scopeNamesByKey[scope.identityKey()] = name
+	}
 	for _, profileName := range sortedProfileNames(cfg.Profiles) {
 		profile := cfg.Profiles[profileName]
+		if scopeName := strings.TrimSpace(profile.RepositoryAccess); scopeName != "" {
+			if _, ok := scopes[scopeName]; ok {
+				profileScopeNames[profileName] = scopeName
+				continue
+			}
+		}
 		scope := initGitScopeDraftFromConfig(profile.Git)
 		key := scope.identityKey()
 		if existingName, ok := scopeNamesByKey[key]; ok {
@@ -4998,6 +5582,7 @@ func initReviewerEntityDraftFromConfig(profile config.Profile) initReviewerEntit
 	}
 	entity := initReviewerEntityDraft{
 		AuthMode:        profile.ReviewerCredentials.AuthMode,
+		AppID:           initGitHubAppIDForAuth(profile.ReviewerCredentials.AuthMode, profile.ReviewerCredentials.GitHubApp),
 		CredentialStore: initCredentialStoreDraftValue(profile.ReviewerCredentials.Credential.Store),
 		CredentialRef:   strings.TrimSpace(firstNonEmpty(profile.ReviewerCredentials.Credential.Name, profile.ReviewerCredentials.CredentialRef)),
 		DisplayName:     normalizeOptionalDisplayName(profile.ReviewerCredentials.DisplayName),
@@ -5011,6 +5596,23 @@ func initReviewerEntityDraftFromConfig(profile config.Profile) initReviewerEntit
 	return entity
 }
 
+func initReviewerEntityDraftFromReviewerEntity(entity config.ReviewerEntity) initReviewerEntityDraft {
+	draft := initReviewerEntityDraft{
+		AuthMode:        entity.AuthMode,
+		AppID:           initGitHubAppIDForAuth(entity.AuthMode, entity.GitHubApp),
+		CredentialStore: initCredentialStoreDraftValue(entity.Credential.Store),
+		CredentialRef:   strings.TrimSpace(firstNonEmpty(entity.Credential.Name, entity.CredentialRef)),
+		DisplayName:     normalizeOptionalDisplayName(entity.DisplayName),
+	}
+	switch entity.AuthMode {
+	case config.GitAuthModeGitHubApp:
+		draft.Kind = initReviewerEntityKindGitHubApp
+	case config.GitAuthModePAT, config.GitAuthModeOAuthDevice:
+		draft.Kind = initReviewerEntityKindPAT
+	}
+	return draft
+}
+
 func (entity initReviewerEntityDraft) exportConfig(previous *config.ReviewerCredentials) *config.ReviewerCredentials {
 	if entity.Kind == initReviewerEntityKindUseGitIdentity {
 		return nil
@@ -5018,6 +5620,7 @@ func (entity initReviewerEntityDraft) exportConfig(previous *config.ReviewerCred
 	reviewer := &config.ReviewerCredentials{
 		AuthMode:      entity.AuthMode,
 		Credential:    initCredentialLocation(entity.CredentialStore, entity.CredentialRef),
+		GitHubApp:     initGitHubAppConfigForAuth(entity.AuthMode, entity.AppID),
 		CredentialRef: strings.TrimSpace(entity.CredentialRef),
 		DisplayName:   normalizeOptionalDisplayName(entity.DisplayName),
 	}
@@ -5027,6 +5630,29 @@ func (entity initReviewerEntityDraft) exportConfig(previous *config.ReviewerCred
 	return reviewer
 }
 
+func (entity initReviewerEntityDraft) exportReviewerEntityConfig(previous *config.ReviewerEntity, host string) config.ReviewerEntity {
+	reviewer := config.ReviewerEntity{
+		Host:          strings.TrimSpace(host),
+		AuthMode:      entity.AuthMode,
+		Credential:    initCredentialLocation(entity.CredentialStore, entity.CredentialRef),
+		GitHubApp:     initGitHubAppConfigForAuth(entity.AuthMode, entity.AppID),
+		CredentialRef: strings.TrimSpace(entity.CredentialRef),
+		DisplayName:   normalizeOptionalDisplayName(entity.DisplayName),
+	}
+	if previous != nil {
+		if reviewer.Host == "" {
+			reviewer.Host = previous.Host
+		}
+		if entity.matchesReviewerEntityConfig(*previous) {
+			reviewer.IdentityCache = previous.IdentityCache
+		}
+	}
+	if reviewer.Host == "" {
+		reviewer.Host = "github.com"
+	}
+	return reviewer
+}
+
 func (entity initReviewerEntityDraft) identityKey() string {
 	if entity.Kind == initReviewerEntityKindUseGitIdentity {
 		return string(entity.Kind)
@@ -5034,6 +5660,7 @@ func (entity initReviewerEntityDraft) identityKey() string {
 	return strings.Join([]string{
 		string(entity.Kind),
 		string(entity.AuthMode),
+		strings.TrimSpace(entity.AppID),
 		initCredentialStoreDraftValue(entity.CredentialStore),
 		strings.TrimSpace(entity.CredentialRef),
 	}, "\x00")
@@ -5054,48 +5681,70 @@ func (entity initReviewerEntityDraft) suggestedName() string {
 func (entity initReviewerEntityDraft) matchesConfig(previous config.ReviewerCredentials) bool {
 	return entity.Kind == initReviewerEntityDraftFromConfig(config.Profile{ReviewerCredentials: &previous}).Kind &&
 		previous.AuthMode == entity.AuthMode &&
+		initGitHubAppIDForAuth(previous.AuthMode, previous.GitHubApp) == strings.TrimSpace(entity.AppID) &&
+		initCredentialStoreDraftValue(previous.Credential.Store) == initCredentialStoreDraftValue(entity.CredentialStore) &&
+		strings.TrimSpace(firstNonEmpty(previous.Credential.Name, previous.CredentialRef)) == strings.TrimSpace(entity.CredentialRef)
+}
+
+func (entity initReviewerEntityDraft) matchesReviewerEntityConfig(previous config.ReviewerEntity) bool {
+	return entity.Kind == initReviewerEntityDraftFromReviewerEntity(previous).Kind &&
+		previous.AuthMode == entity.AuthMode &&
+		initGitHubAppIDForAuth(previous.AuthMode, previous.GitHubApp) == strings.TrimSpace(entity.AppID) &&
 		initCredentialStoreDraftValue(previous.Credential.Store) == initCredentialStoreDraftValue(entity.CredentialStore) &&
 		strings.TrimSpace(firstNonEmpty(previous.Credential.Name, previous.CredentialRef)) == strings.TrimSpace(entity.CredentialRef)
 }
 
+func initGitHubAppConfigForAuth(authMode config.GitAuthMode, appID string) *config.GitHubAppConfig {
+	if authMode != config.GitAuthModeGitHubApp {
+		return nil
+	}
+	return &config.GitHubAppConfig{AppID: strings.TrimSpace(appID)}
+}
+
+func initGitHubAppIDForAuth(authMode config.GitAuthMode, app *config.GitHubAppConfig) string {
+	if authMode != config.GitAuthModeGitHubApp || app == nil {
+		return ""
+	}
+	return strings.TrimSpace(app.AppID)
+}
+
 func buildInitReviewerEntityInventory(cfg config.File) (map[string]initReviewerEntityDraft, map[string]string) {
+	cfg = config.Normalize(cfg)
 	entities := map[string]initReviewerEntityDraft{}
 	profileEntityNames := map[string]string{}
-	entityNamesByKey := map[string]string{}
-	displayNamesByKey := map[string]map[string]struct{}{}
+
+	entityNames := make([]string, 0, len(cfg.ReviewerEntities))
+	for name := range cfg.ReviewerEntities {
+		entityNames = append(entityNames, name)
+	}
+	sort.Strings(entityNames)
+	for _, name := range entityNames {
+		entity := initReviewerEntityDraftFromReviewerEntity(cfg.ReviewerEntities[name])
+		entity.Name = name
+		entities[name] = entity
+	}
+
 	for _, profileName := range sortedProfileNames(cfg.Profiles) {
 		profile := cfg.Profiles[profileName]
-		entity := initReviewerEntityDraftFromConfig(profile)
-		key := entity.identityKey()
-		if entity.DisplayName != "" {
-			if _, ok := displayNamesByKey[key]; !ok {
-				displayNamesByKey[key] = map[string]struct{}{}
+		switch profile.Reviewer.Kind {
+		case config.ProfileReviewerKindGitIdentity:
+			profileEntityNames[profileName] = string(initReviewerEntityKindUseGitIdentity)
+			continue
+		case config.ProfileReviewerKindEntity:
+			if _, ok := entities[profile.Reviewer.Entity]; ok {
+				profileEntityNames[profileName] = profile.Reviewer.Entity
+				continue
 			}
-			displayNamesByKey[key][entity.DisplayName] = struct{}{}
 		}
-		if existingName, ok := entityNamesByKey[key]; ok {
-			profileEntityNames[profileName] = existingName
+		entity := initReviewerEntityDraftFromConfig(profile)
+		if entity.Kind == initReviewerEntityKindUseGitIdentity {
+			profileEntityNames[profileName] = string(initReviewerEntityKindUseGitIdentity)
 			continue
 		}
 		entity.Name = uniqueInitReviewerEntityName(entities, entity.suggestedName())
 		entities[entity.Name] = entity
-		entityNamesByKey[key] = entity.Name
 		profileEntityNames[profileName] = entity.Name
 	}
-	for name, entity := range entities {
-		displayNames := displayNamesByKey[entity.identityKey()]
-		noDisplayName := len(displayNames) == 0
-		conflictingDisplayNames := len(displayNames) > 1
-		if noDisplayName || conflictingDisplayNames {
-			entity.DisplayName = ""
-			entities[name] = entity
-			continue
-		}
-		for displayName := range displayNames {
-			entity.DisplayName = displayName
-		}
-		entities[name] = entity
-	}
 	return entities, profileEntityNames
 }
 
@@ -5117,12 +5766,14 @@ func uniqueInitReviewerEntityName(existing map[string]initReviewerEntityDraft, b
 
 func initLLMRuntimeDraftFromConfig(llm config.LLMConfig) initLLMRuntimeDraft {
 	runtime := initLLMRuntimeDraft{
-		Preset:          initLLMRuntimePresetCustom,
-		Provider:        llm.Provider,
-		Auth:            llm.Auth,
-		Adapter:         llm.Adapter,
-		CredentialStore: initCredentialStoreDraftValue(llm.Credential.Store),
-		CredentialRef:   strings.TrimSpace(firstNonEmpty(llm.Credential.Name, llm.CredentialRef)),
+		Preset:            initLLMRuntimePresetCustom,
+		Provider:          llm.Provider,
+		Auth:              llm.Auth,
+		Adapter:           llm.Adapter,
+		CredentialStore:   initCredentialStoreDraftValue(llm.Credential.Store),
+		CredentialRef:     strings.TrimSpace(firstNonEmpty(llm.Credential.Name, llm.CredentialRef)),
+		ModelMap:          copyModelMap(llm.ModelMap),
+		ReviewerModelTier: llm.ReviewerModelTier,
 	}
 	switch {
 	case runtime.Provider == config.LLMProviderAnthropic && runtime.Auth == config.LLMAuthSubscription && runtime.Adapter == config.LLMAdapterClaudeCLI:
@@ -5144,9 +5795,11 @@ func initLLMRuntimeDraftFromConfig(llm config.LLMConfig) initLLMRuntimeDraft {
 
 func (runtime initLLMRuntimeDraft) exportConfig() config.LLMConfig {
 	llm := config.LLMConfig{
-		Provider: runtime.Provider,
-		Auth:     runtime.Auth,
-		Adapter:  runtime.Adapter,
+		Provider:          runtime.Provider,
+		Auth:              runtime.Auth,
+		Adapter:           runtime.Adapter,
+		ModelMap:          copyModelMap(runtime.ModelMap),
+		ReviewerModelTier: runtime.ReviewerModelTier,
 	}
 	if runtime.Auth == config.LLMAuthAPIKey {
 		llm.Credential = initCredentialLocation(runtime.CredentialStore, runtime.CredentialRef)
@@ -5156,12 +5809,23 @@ func (runtime initLLMRuntimeDraft) exportConfig() config.LLMConfig {
 }
 
 func (runtime initLLMRuntimeDraft) identityKey() string {
+	modelKeys := make([]string, 0, len(runtime.ModelMap))
+	for tier := range runtime.ModelMap {
+		modelKeys = append(modelKeys, tier)
+	}
+	sort.Strings(modelKeys)
+	models := make([]string, 0, len(modelKeys))
+	for _, tier := range modelKeys {
+		models = append(models, tier+"="+strings.TrimSpace(runtime.ModelMap[tier]))
+	}
 	return strings.Join([]string{
 		string(runtime.Provider),
 		string(runtime.Auth),
 		string(runtime.Adapter),
 		initCredentialStoreDraftValue(runtime.CredentialStore),
 		strings.TrimSpace(runtime.CredentialRef),
+		strings.Join(models, "\x1f"),
+		string(runtime.ReviewerModelTier),
 	}, "\x00")
 }
 
@@ -5184,6 +5848,7 @@ func (runtime initLLMRuntimeDraft) suggestedName() string {
 }
 
 func buildInitLLMRuntimeInventory(cfg config.File) (map[string]initLLMRuntimeDraft, map[string]string) {
+	cfg = config.Normalize(cfg)
 	runtimes := map[string]initLLMRuntimeDraft{}
 	profileRuntimeNames := map[string]string{}
 	runtimeNamesByKey := map[string]string{}
@@ -5200,6 +5865,10 @@ func buildInitLLMRuntimeInventory(cfg config.File) (map[string]initLLMRuntimeDra
 	}
 	for _, profileName := range sortedProfileNames(cfg.Profiles) {
 		profile := cfg.Profiles[profileName]
+		if _, ok := runtimes[profile.LLMRuntime]; ok {
+			profileRuntimeNames[profileName] = profile.LLMRuntime
+			continue
+		}
 		runtime := initLLMRuntimeDraftFromConfig(profile.LLM)
 		key := runtime.identityKey()
 		if existingName, ok := runtimeNamesByKey[key]; ok {
@@ -5238,6 +5907,16 @@ func cloneInitConfigFile(cfg config.File) config.File {
 			cloned.Profiles[name] = cloneInitProfile(profile)
 		}
 	}
+	if cfg.RepositoryAccess != nil {
+		cloned.RepositoryAccess = make(map[string]config.RepositoryAccessConfig, len(cfg.RepositoryAccess))
+		for name, access := range cfg.RepositoryAccess {
+			if access.Git.GitHubApp != nil {
+				app := *access.Git.GitHubApp
+				access.Git.GitHubApp = &app
+			}
+			cloned.RepositoryAccess[name] = access
+		}
+	}
 	if len(cfg.RepositoryProfiles) > 0 {
 		cloned.RepositoryProfiles = make([]config.RepositoryProfile, len(cfg.RepositoryProfiles))
 		for i, route := range cfg.RepositoryProfiles {
@@ -5258,6 +5937,16 @@ func cloneInitConfigFile(cfg config.File) config.File {
 			cloned.LLMRuntimes[name] = cloneInitLLMConfig(runtime)
 		}
 	}
+	if cfg.ReviewerEntities != nil {
+		cloned.ReviewerEntities = make(map[string]config.ReviewerEntity, len(cfg.ReviewerEntities))
+		for name, entity := range cfg.ReviewerEntities {
+			if entity.GitHubApp != nil {
+				app := *entity.GitHubApp
+				entity.GitHubApp = &app
+			}
+			cloned.ReviewerEntities[name] = entity
+		}
+	}
 	cloned.Secrets = cloneInitSecretsConfig(cfg.Secrets)
 	return cloned
 }
@@ -5290,8 +5979,19 @@ func cloneInitSecretsStore(store config.SecretsStore) config.SecretsStore {
 
 func cloneInitProfile(profile config.Profile) config.Profile {
 	cloned := profile
+	if profile.Git.GitHubApp != nil {
+		app := *profile.Git.GitHubApp
+		cloned.Git.GitHubApp = &app
+	}
+	if profile.Reviewer.GitHubAppInstallation != nil {
+		cloned.Reviewer.GitHubAppInstallation = cloneProfileReviewerGitHubAppInstallation(profile.Reviewer.GitHubAppInstallation)
+	}
 	if profile.ReviewerCredentials != nil {
 		reviewer := *profile.ReviewerCredentials
+		if profile.ReviewerCredentials.GitHubApp != nil {
+			app := *profile.ReviewerCredentials.GitHubApp
+			reviewer.GitHubApp = &app
+		}
 		cloned.ReviewerCredentials = &reviewer
 	}
 	cloned.LLM = cloneInitLLMConfig(profile.LLM)
@@ -5349,12 +6049,13 @@ func synthesizeInteractiveProfile(flags initOptions, profileName string, previou
 		profile.LLM.Auth = config.LLMAuth(flags.llmAuth)
 		profile.LLM.Adapter = config.LLMAdapter(flags.llmAdapter)
 	}
-	defaultGitRef, err := credentials.FormatRef(profileName)
+	defaultGitRef, err := initCredentialRefFromSeed(profileName)
 	if err != nil {
-		return config.Profile{}, exitcode.Usage(fmt.Errorf("profile %q cannot be used as a credential name segment: %w", profileName, err))
+		return config.Profile{}, exitcode.Usage(fmt.Errorf("profile %q cannot be used as a credential name seed: %w", profileName, err))
 	}
 	profile.Git.Host = strings.TrimSpace(draft.GitHost)
 	profile.Git.AuthMode = config.GitAuthMode(draft.GitAuth)
+	profile.Git.GitHubApp = initGitHubAppConfigForAuth(profile.Git.AuthMode, draft.GitHubAppID)
 	profile.Git.CredentialRef = strings.TrimSpace(draft.GitCredentialRef)
 	if profile.Git.CredentialRef == "" {
 		profile.Git.CredentialRef = defaultGitRef
@@ -5369,7 +6070,7 @@ func synthesizeInteractiveProfile(flags initOptions, profileName string, previou
 		if reviewerRef == "" {
 			// A blank draft ref means "use this profile's standard reviewer secret location";
 			// expand it here so renames and shared-entity propagation can re-derive consistently.
-			reviewerRef, err = credentials.FormatRef(profileName + "-reviewer")
+			reviewerRef, err = initCredentialRefFromSeed(profileName + "-reviewer")
 			if err != nil {
 				return config.Profile{}, exitcode.Usage(err)
 			}
@@ -5377,6 +6078,7 @@ func synthesizeInteractiveProfile(flags initOptions, profileName string, previou
 		reviewer := config.ReviewerCredentials{
 			AuthMode:      config.GitAuthMode(draft.ReviewerAuth),
 			Credential:    initCredentialLocation(draft.ReviewerCredentialStore, reviewerRef),
+			GitHubApp:     initGitHubAppConfigForAuth(config.GitAuthMode(draft.ReviewerAuth), draft.ReviewerGitHubAppID),
 			CredentialRef: reviewerRef,
 			DisplayName:   normalizeOptionalDisplayName(draft.ReviewerDisplayName),
 		}
@@ -5385,8 +6087,10 @@ func synthesizeInteractiveProfile(flags initOptions, profileName string, previou
 			reviewer.IdentityCache = previousProfile.ReviewerCredentials.IdentityCache
 		}
 		profile.ReviewerCredentials = &reviewer
+		profile.Reviewer.GitHubAppInstallation = initProfileReviewerGitHubAppInstallationFromDraft(draft)
 	} else {
 		profile.ReviewerCredentials = nil
+		profile.Reviewer.GitHubAppInstallation = nil
 	}
 	profile.LLM.Provider = config.LLMProvider(draft.LLMProvider)
 	profile.LLM.Auth = config.LLMAuth(draft.LLMAuth)
@@ -5395,7 +6099,7 @@ func synthesizeInteractiveProfile(flags initOptions, profileName string, previou
 	if profile.LLM.Auth == config.LLMAuthAPIKey {
 		llmRef := strings.TrimSpace(draft.LLMCredentialRef)
 		if llmRef == "" {
-			llmRef, err = credentials.FormatRef(profileName + "-llm")
+			llmRef, err = initCredentialRefFromSeed(profileName + "-llm")
 			if err != nil {
 				return config.Profile{}, exitcode.Usage(err)
 			}
@@ -5423,6 +6127,240 @@ func synthesizeInteractiveProfile(flags initOptions, profileName string, previou
 	return profile, nil
 }
 
+func materializeProfileRepositoryAccess(cfg config.File, profileName string, profile config.Profile) (config.File, config.Profile) {
+	if cfg.RepositoryAccess == nil {
+		cfg.RepositoryAccess = map[string]config.RepositoryAccessConfig{}
+	}
+	access := normalizeInitRepositoryAccessConfig(config.RepositoryAccessConfig{Git: profile.Git})
+	targetScope := initGitScopeDraftFromConfig(access.Git)
+
+	if currentName := strings.TrimSpace(profile.RepositoryAccess); currentName != "" {
+		if current, ok := cfg.RepositoryAccess[currentName]; ok && initGitScopeDraftFromConfig(current.Git).identityKey() == targetScope.identityKey() {
+			profile.RepositoryAccess = currentName
+			profile.Git = current.Git
+			if cfg.Profiles == nil {
+				cfg.Profiles = map[string]config.Profile{}
+			}
+			cfg.Profiles[profileName] = profile
+			return cfg, profile
+		}
+	}
+
+	accessNames := make([]string, 0, len(cfg.RepositoryAccess))
+	for name := range cfg.RepositoryAccess {
+		accessNames = append(accessNames, name)
+	}
+	sort.Strings(accessNames)
+	for _, name := range accessNames {
+		existing := cfg.RepositoryAccess[name]
+		if initGitScopeDraftFromConfig(existing.Git).identityKey() != targetScope.identityKey() {
+			continue
+		}
+		profile.RepositoryAccess = name
+		profile.Git = existing.Git
+		if cfg.Profiles == nil {
+			cfg.Profiles = map[string]config.Profile{}
+		}
+		cfg.Profiles[profileName] = profile
+		return cfg, profile
+	}
+
+	accessName := uniqueInitRepositoryAccessName(cfg.RepositoryAccess, profileName+"-git")
+	cfg.RepositoryAccess[accessName] = access
+	profile.RepositoryAccess = accessName
+	profile.Git = access.Git
+	if cfg.Profiles == nil {
+		cfg.Profiles = map[string]config.Profile{}
+	}
+	cfg.Profiles[profileName] = profile
+	return cfg, profile
+}
+
+func normalizeInitRepositoryAccessConfig(access config.RepositoryAccessConfig) config.RepositoryAccessConfig {
+	cfg := config.Normalize(config.File{
+		RepositoryAccess: map[string]config.RepositoryAccessConfig{
+			"access": access,
+		},
+	})
+	return cfg.RepositoryAccess["access"]
+}
+
+func uniqueInitRepositoryAccessName(existing map[string]config.RepositoryAccessConfig, base string) string {
+	base = strings.TrimSpace(base)
+	if base == "" {
+		base = "repository-access"
+	}
+	if _, ok := existing[base]; !ok {
+		return base
+	}
+	for suffix := 2; ; suffix++ {
+		candidate := fmt.Sprintf("%s-%d", base, suffix)
+		if _, ok := existing[candidate]; !ok {
+			return candidate
+		}
+	}
+}
+
+func materializeProfileReviewerEntity(cfg config.File, profileName string, profile config.Profile) (config.File, config.Profile) {
+	if profile.ReviewerCredentials == nil {
+		profile.Reviewer = config.ProfileReviewer{Kind: config.ProfileReviewerKindGitIdentity}
+		if cfg.Profiles == nil {
+			cfg.Profiles = map[string]config.Profile{}
+		}
+		cfg.Profiles[profileName] = profile
+		return cfg, profile
+	}
+	if cfg.ReviewerEntities == nil {
+		cfg.ReviewerEntities = map[string]config.ReviewerEntity{}
+	}
+	entity := reviewerEntityConfigFromProfile(profile)
+
+	entityNames := make([]string, 0, len(cfg.ReviewerEntities))
+	for name := range cfg.ReviewerEntities {
+		entityNames = append(entityNames, name)
+	}
+	sort.Strings(entityNames)
+	for _, name := range entityNames {
+		existing := cfg.ReviewerEntities[name]
+		if !sameInitReviewerEntityConfigIdentity(existing, entity) {
+			continue
+		}
+		if displayName := normalizeOptionalDisplayName(entity.DisplayName); displayName != "" {
+			existing.DisplayName = displayName
+			cfg.ReviewerEntities[name] = existing
+		}
+		profile.Reviewer = initProfileReviewerForEntity(name, existing.AuthMode, profile.Reviewer.GitHubAppInstallation)
+		if cfg.Profiles == nil {
+			cfg.Profiles = map[string]config.Profile{}
+		}
+		cfg.Profiles[profileName] = profile
+		return cfg, profile
+	}
+
+	entityName := uniqueInitReviewerEntityName(buildInitStandaloneReviewerEntityNameSet(cfg.ReviewerEntities), profileName+"-reviewer")
+	cfg.ReviewerEntities[entityName] = entity
+	profile.Reviewer = initProfileReviewerForEntity(entityName, entity.AuthMode, profile.Reviewer.GitHubAppInstallation)
+	if cfg.Profiles == nil {
+		cfg.Profiles = map[string]config.Profile{}
+	}
+	cfg.Profiles[profileName] = profile
+	return cfg, profile
+}
+
+func initProfileReviewerForEntity(entityName string, authMode config.GitAuthMode, installation *config.ProfileReviewerGitHubAppInstallation) config.ProfileReviewer {
+	reviewer := config.ProfileReviewer{
+		Kind:   config.ProfileReviewerKindEntity,
+		Entity: strings.TrimSpace(entityName),
+	}
+	if authMode == config.GitAuthModeGitHubApp {
+		reviewer.GitHubAppInstallation = cloneProfileReviewerGitHubAppInstallation(installation)
+		if reviewer.GitHubAppInstallation == nil {
+			reviewer.GitHubAppInstallation = &config.ProfileReviewerGitHubAppInstallation{
+				Mode: config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository,
+			}
+		}
+	}
+	return reviewer
+}
+
+func initProfileReviewerGitHubAppInstallationFromDraft(draft initDraft) *config.ProfileReviewerGitHubAppInstallation {
+	if !draft.ReviewerEnabled || config.GitAuthMode(draft.ReviewerAuth) != config.GitAuthModeGitHubApp {
+		return nil
+	}
+	mode := config.ProfileReviewerGitHubAppInstallationMode(strings.TrimSpace(draft.ReviewerGitHubAppInstallationMode))
+	if mode == "" {
+		mode = config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository
+	}
+	installation := &config.ProfileReviewerGitHubAppInstallation{Mode: mode}
+	if mode == config.ProfileReviewerGitHubAppInstallationPinned {
+		installation.InstallationID = strings.TrimSpace(draft.ReviewerGitHubAppInstallationID)
+	}
+	return installation
+}
+
+func cloneProfileReviewerGitHubAppInstallation(installation *config.ProfileReviewerGitHubAppInstallation) *config.ProfileReviewerGitHubAppInstallation {
+	if installation == nil {
+		return nil
+	}
+	cloned := *installation
+	return &cloned
+}
+
+func reviewerEntityConfigFromProfile(profile config.Profile) config.ReviewerEntity {
+	reviewer := profile.ReviewerCredentials
+	if reviewer == nil {
+		return config.ReviewerEntity{}
+	}
+	ref := strings.TrimSpace(firstNonEmpty(reviewer.Credential.Name, reviewer.CredentialRef))
+	return normalizeInitReviewerEntityConfig(config.ReviewerEntity{
+		Host:          profile.Git.Host,
+		AuthMode:      reviewer.AuthMode,
+		Credential:    initCredentialLocation(reviewer.Credential.Store, ref),
+		GitHubApp:     initGitHubAppConfigForAuth(reviewer.AuthMode, initGitHubAppIDForAuth(reviewer.AuthMode, reviewer.GitHubApp)),
+		CredentialRef: ref,
+		DisplayName:   normalizeOptionalDisplayName(reviewer.DisplayName),
+		IdentityCache: reviewer.IdentityCache,
+	})
+}
+
+func sameInitReviewerEntityConfigIdentity(left, right config.ReviewerEntity) bool {
+	left = normalizeInitReviewerEntityConfig(left)
+	right = normalizeInitReviewerEntityConfig(right)
+	return config.NormalizeHost(left.Host) == config.NormalizeHost(right.Host) &&
+		left.AuthMode == right.AuthMode &&
+		initGitHubAppIDForAuth(left.AuthMode, left.GitHubApp) == initGitHubAppIDForAuth(right.AuthMode, right.GitHubApp) &&
+		initCredentialStoreDraftValue(left.Credential.Store) == initCredentialStoreDraftValue(right.Credential.Store) &&
+		strings.TrimSpace(left.Credential.Name) == strings.TrimSpace(right.Credential.Name)
+}
+
+func normalizeInitReviewerEntityConfig(entity config.ReviewerEntity) config.ReviewerEntity {
+	cfg := config.Normalize(config.File{
+		ReviewerEntities: map[string]config.ReviewerEntity{
+			"entity": entity,
+		},
+	})
+	return cfg.ReviewerEntities["entity"]
+}
+
+func materializeProfileLLMRuntime(cfg config.File, profileName string, profile config.Profile) (config.File, config.Profile) {
+	if cfg.LLMRuntimes == nil {
+		cfg.LLMRuntimes = map[string]config.LLMConfig{}
+	}
+	runtime := initLLMRuntimeDraftFromConfig(profile.LLM)
+	runtimeConfig := runtime.exportConfig()
+	runtimeKey := runtime.identityKey()
+
+	runtimeNames := make([]string, 0, len(cfg.LLMRuntimes))
+	for name := range cfg.LLMRuntimes {
+		runtimeNames = append(runtimeNames, name)
+	}
+	sort.Strings(runtimeNames)
+	for _, name := range runtimeNames {
+		if initLLMRuntimeDraftFromConfig(cfg.LLMRuntimes[name]).identityKey() == runtimeKey {
+			profile.LLMRuntime = name
+			profile.LLM = cloneInitLLMConfig(runtimeConfig)
+			if cfg.Profiles == nil {
+				cfg.Profiles = map[string]config.Profile{}
+			}
+			cfg.Profiles[profileName] = profile
+			return cfg, profile
+		}
+	}
+
+	runtimeName := strings.TrimSpace(profile.LLMRuntime)
+	if runtimeName == "" {
+		runtimeName = uniqueInitLLMRuntimeName(buildInitLLMRuntimeDraftNameSet(cfg.LLMRuntimes), runtime.suggestedName())
+	}
+	cfg.LLMRuntimes[runtimeName] = runtimeConfig
+	profile.LLMRuntime = runtimeName
+	profile.LLM = cloneInitLLMConfig(runtimeConfig)
+	if cfg.Profiles == nil {
+		cfg.Profiles = map[string]config.Profile{}
+	}
+	cfg.Profiles[profileName] = profile
+	return cfg, profile
+}
+
 func collectInteractiveInitModelMap(opts *root.Options, deps initDeps, plan initWorkspaceDraft) (initWorkspaceDraft, error) {
 	prompter := deps.modelMapPrompter
 	if prompter == nil {
@@ -5444,7 +6382,7 @@ func collectInteractiveInitModelMap(opts *root.Options, deps initDeps, plan init
 	nextProfile := plan.profile
 	nextProfile.LLM.ModelMap = normalizeInitModelMap(nextProfile.LLM, edit.ModelMap)
 	nextCfg := plan.cfg
-	nextCfg.Profiles[plan.profileName] = nextProfile
+	nextCfg, nextProfile = materializeProfileLLMRuntime(nextCfg, plan.profileName, nextProfile)
 	if err := config.Validate(nextCfg); err != nil {
 		return initWorkspaceDraft{}, cmderr.Config(err)
 	}
diff --git a/internal/cmd/credentialcmd/credentialcmd_test.go b/internal/cmd/credentialcmd/credentialcmd_test.go
index 39dbe1f7..03d30cc8 100644
--- a/internal/cmd/credentialcmd/credentialcmd_test.go
+++ b/internal/cmd/credentialcmd/credentialcmd_test.go
@@ -216,6 +216,7 @@ func TestSetCredentialUsesGitHubAppCredentialMatrix(t *testing.T) {
 			Store: testFileCredentialStoreID,
 			Name:  "codereview/work-reviewer",
 		},
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work-reviewer",
 	}
 	cfg.Profiles["work"] = work
@@ -240,9 +241,7 @@ func TestSetCredentialUsesGitHubAppCredentialMatrix(t *testing.T) {
 		key   string
 		value string
 	}{
-		{key: credentials.GitHubAppIDKey, value: "12345"},
 		{key: credentials.GitHubAppPrivateKeyKey, value: "private-key-value"},
-		{key: credentials.GitHubAppInstallationIDKey, value: "67890"},
 	} {
 		cmd, _, _ = newTestCommand(path, strings.NewReader(write.value))
 		err = root.Execute(cmd, []string{
@@ -258,8 +257,6 @@ func TestSetCredentialUsesGitHubAppCredentialMatrix(t *testing.T) {
 		assertStored(t, "work-reviewer", write.key, write.value)
 	}
 	assertFileBundleKeys(t, "work-reviewer", []string{
-		credentials.GitHubAppIDKey,
-		credentials.GitHubAppInstallationIDKey,
 		credentials.GitHubAppPrivateKeyKey,
 	})
 }
@@ -268,7 +265,12 @@ func TestSetCredentialRejectsUnsupportedConfigBeforeIngress(t *testing.T) {
 	hermeticFileBackend(t)
 	t.Setenv("CR_FUTURE_TOKEN", "")
 	path := filepath.Join(t.TempDir(), "config.yml")
-	writeRawCredentialTestConfig(t, path, `profiles:
+	writeRawCredentialTestConfig(t, path, `llm_runtimes:
+  claude-cli:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
+profiles:
   future:
     git:
       host: github.com
@@ -276,10 +278,9 @@ func TestSetCredentialRejectsUnsupportedConfigBeforeIngress(t *testing.T) {
       credential:
         store: local-os
         name: codereview/future
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: git_identity
+    llm_runtime: claude-cli
 `)
 
 	tests := []struct {
@@ -514,6 +515,29 @@ func TestInitNonInteractiveWritesConfigAndSecret(t *testing.T) {
 	assertFakeStored(t, store, "default", credentials.GitTokenKey, "init-token")
 }
 
+func TestInitNonInteractiveNormalizesProfileNameCredentialRefs(t *testing.T) {
+	path := filepath.Join(t.TempDir(), "config.yml")
+	t.Setenv("CR_REVIEWER_TOKEN", "reviewer-token")
+	store := newFakeInitStore(nil)
+	flags := defaultNonInteractiveInitOptionsForTest()
+	flags.reviewerTokenEnv = "CR_REVIEWER_TOKEN"
+	_, _, err := runNonInteractiveInitWithFakeStore(t, path, "bad.profile", strings.NewReader(""), flags, store)
+	if err != nil {
+		t.Fatalf("Execute: %v", err)
+	}
+	cfg, err := config.Load(path)
+	if err != nil {
+		t.Fatalf("Load config: %v", err)
+	}
+	profile := cfg.Profiles["bad.profile"]
+	if profile.Git.CredentialRef != "codereview/bad_x2eprofile" {
+		t.Fatalf("Git.CredentialRef = %q, want normalized profile ref", profile.Git.CredentialRef)
+	}
+	if profile.ReviewerCredentials == nil || profile.ReviewerCredentials.CredentialRef != "codereview/bad_x2eprofile-reviewer" {
+		t.Fatalf("ReviewerCredentials = %#v, want normalized reviewer ref", profile.ReviewerCredentials)
+	}
+}
+
 func TestInitNonInteractiveWritesReviewerCredential(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	t.Setenv("CR_GIT_TOKEN", "git-token")
@@ -557,6 +581,7 @@ func TestInitNonInteractiveWritesGitHubAppReviewerConfigOnly(t *testing.T) {
 		"init",
 		"--non-interactive",
 		"--reviewer-auth-mode", string(config.GitAuthModeGitHubApp),
+		"--reviewer-github-app-id", "12345",
 	})
 	if err != nil {
 		t.Fatalf("Execute: %v", err)
@@ -569,11 +594,17 @@ func TestInitNonInteractiveWritesGitHubAppReviewerConfigOnly(t *testing.T) {
 	if reviewer == nil || reviewer.AuthMode != config.GitAuthModeGitHubApp || reviewer.CredentialRef != "codereview/default-reviewer" {
 		t.Fatalf("reviewer credentials = %#v, want github_app codereview/default-reviewer", reviewer)
 	}
-	for _, key := range []string{credentials.GitHubAppIDKey, credentials.GitHubAppPrivateKeyKey} {
+	if reviewer.GitHubApp == nil || reviewer.GitHubApp.AppID != "12345" {
+		t.Fatalf("reviewer github_app = %#v, want app_id 12345", reviewer.GitHubApp)
+	}
+	for _, key := range []string{credentials.GitHubAppPrivateKeyKey} {
 		if !strings.Contains(errOut.String(), "--key "+key+" --stdin") {
 			t.Fatalf("stderr = %q, want setup hint for %s", errOut.String(), key)
 		}
 	}
+	if strings.Contains(errOut.String(), "--key "+credentials.GitHubAppIDKey+" --stdin") {
+		t.Fatalf("stderr = %q, want app id omitted from secret setup hints", errOut.String())
+	}
 	if strings.Contains(errOut.String(), "--key "+credentials.GitHubAppInstallationIDKey+" --stdin") {
 		t.Fatalf("stderr = %q, want optional installation id omitted from required setup hints", errOut.String())
 	}
@@ -777,6 +808,7 @@ func TestPlanInitCredentials(t *testing.T) {
 		desired := basicProfile("work")
 		desired.ReviewerCredentials = &config.ReviewerCredentials{
 			AuthMode:      config.GitAuthModeGitHubApp,
+			GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 			CredentialRef: "codereview/work-reviewer",
 		}
 		entries, err := planInitCredentials(nil, desired, nil)
@@ -790,11 +822,7 @@ func TestPlanInitCredentials(t *testing.T) {
 		if entry.Ref.Purpose != "reviewer_credentials" || entry.Ref.Ref != "codereview/work-reviewer" || entry.State != initCredentialPlanStateDefer {
 			t.Fatalf("reviewer entry = %#v, want deferred reviewer app ref", entry)
 		}
-		want := []credentials.KeySpec{
-			{Key: credentials.GitHubAppIDKey, Required: true},
-			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-			{Key: credentials.GitHubAppInstallationIDKey, Required: false},
-		}
+		want := []credentials.KeySpec{{Key: credentials.GitHubAppPrivateKeyKey, Required: true}}
 		if !reflect.DeepEqual(entry.KeySpecs, want) {
 			t.Fatalf("key specs = %#v, want %#v", entry.KeySpecs, want)
 		}
@@ -919,24 +947,25 @@ func TestPlanInitCredentials(t *testing.T) {
 		}
 	})
 
-	t.Run("partial github app bundle reports missing required keys", func(t *testing.T) {
+	t.Run("github app private key not staged defers credential setup", func(t *testing.T) {
 		desired := basicProfile("work")
 		desired.Git.AuthMode = config.GitAuthModeGitHubApp
+		desired.Git.GitHubApp = &config.GitHubAppConfig{AppID: "12345"}
 		entries, err := planInitCredentials(nil, desired, map[string][]string{
-			"codereview/work": []string{credentials.GitHubAppIDKey},
+			"codereview/work": {},
 		})
 		if err != nil {
 			t.Fatalf("planInitCredentials: %v", err)
 		}
 		entry := entries[0]
-		if entry.State != initCredentialPlanStateMissingRequired {
-			t.Fatalf("state = %s, want missing_required", entry.State)
+		if entry.State != initCredentialPlanStateDefer {
+			t.Fatalf("state = %s, want defer", entry.State)
 		}
-		if !reflect.DeepEqual(entry.PlannedWriteKeys, []string{credentials.GitHubAppIDKey}) {
-			t.Fatalf("planned write keys = %#v, want github_app_id only", entry.PlannedWriteKeys)
+		if len(entry.PlannedWriteKeys) != 0 {
+			t.Fatalf("planned write keys = %#v, want none", entry.PlannedWriteKeys)
 		}
-		if !reflect.DeepEqual(entry.MissingRequiredKeys, []string{credentials.GitHubAppPrivateKeyKey}) {
-			t.Fatalf("missing required = %#v, want github_app_private_key", entry.MissingRequiredKeys)
+		if len(entry.MissingRequiredKeys) != 0 {
+			t.Fatalf("missing required = %#v, want none without staged writes", entry.MissingRequiredKeys)
 		}
 	})
 }
@@ -1064,6 +1093,7 @@ func TestBuildInteractiveInitSessionPlanUsesOriginalProfileForRenamedTouchedProf
 				},
 				ReviewerCredentials: &config.ReviewerCredentials{
 					AuthMode:      config.GitAuthModeGitHubApp,
+					GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 					CredentialRef: "codereview/work-reviewer",
 					DisplayName:   "Old label",
 				},
@@ -1449,6 +1479,7 @@ func TestInitGitAuthModeFlagSupportsGitHubApp(t *testing.T) {
 		"init",
 		"--non-interactive",
 		"--git-auth-mode", string(config.GitAuthModeGitHubApp),
+		"--git-github-app-id", "12345",
 	})
 	if err != nil {
 		t.Fatalf("Execute: %v", err)
@@ -1461,9 +1492,12 @@ func TestInitGitAuthModeFlagSupportsGitHubApp(t *testing.T) {
 	if got.Profiles["default"].Git.AuthMode != config.GitAuthModeGitHubApp {
 		t.Fatalf("git.auth_mode = %q, want github_app", got.Profiles["default"].Git.AuthMode)
 	}
+	if got.Profiles["default"].Git.GitHubApp == nil || got.Profiles["default"].Git.GitHubApp.AppID != "12345" {
+		t.Fatalf("git.github_app = %#v, want app_id 12345", got.Profiles["default"].Git.GitHubApp)
+	}
 	stderr := errOut.String()
-	if !strings.Contains(stderr, "--key "+credentials.GitHubAppIDKey+" --stdin") {
-		t.Fatalf("stderr = %q, want github app id follow-up hint", stderr)
+	if strings.Contains(stderr, "--key "+credentials.GitHubAppIDKey+" --stdin") {
+		t.Fatalf("stderr = %q, want no github app id follow-up hint", stderr)
 	}
 	if !strings.Contains(stderr, "--key "+credentials.GitHubAppPrivateKeyKey+" --stdin") {
 		t.Fatalf("stderr = %q, want github app private key follow-up hint", stderr)
@@ -1489,7 +1523,6 @@ func TestInitDisableReviewerClearsReviewerCredentials(t *testing.T) {
 		MajorEvent:       config.ReviewMajorEventRequestChanges,
 		AllowSelfApprove: true,
 		ResolveThreads:   config.ResolveThreadsNever,
-		ResolveAfter:     "24h",
 	}
 	if err := config.Save(path, config.File{
 		Profiles: map[string]config.Profile{
@@ -1517,7 +1550,7 @@ func TestInitDisableReviewerClearsReviewerCredentials(t *testing.T) {
 	}
 	expected := existing
 	expected.ReviewerCredentials = nil
-	expected = normalizeTestProfile(expected)
+	expected = normalizeTestProfileNamed("work", expected)
 	if !reflect.DeepEqual(got.Profiles["work"], expected) {
 		t.Fatalf("saved profile = %#v, want %#v", got.Profiles["work"], expected)
 	}
@@ -1607,7 +1640,6 @@ func TestInitLLMReviewerModelTierFlags(t *testing.T) {
 			MajorEvent:       config.ReviewMajorEventRequestChanges,
 			AllowSelfApprove: true,
 			ResolveThreads:   config.ResolveThreadsNever,
-			ResolveAfter:     "24h",
 		}
 		if err := config.Save(path, config.File{
 			Profiles: map[string]config.Profile{
@@ -1635,7 +1667,7 @@ func TestInitLLMReviewerModelTierFlags(t *testing.T) {
 		}
 		expected := existing
 		expected.LLM.ReviewerModelTier = ""
-		expected = normalizeTestProfile(expected)
+		expected = normalizeTestProfileNamed("work", expected)
 		if !reflect.DeepEqual(got.Profiles["work"], expected) {
 			t.Fatalf("saved profile = %#v, want %#v", got.Profiles["work"], expected)
 		}
@@ -1672,7 +1704,6 @@ func TestInitPlanApplyPreservesUnrelatedExistingConfig(t *testing.T) {
 		MajorEvent:       config.ReviewMajorEventRequestChanges,
 		AllowSelfApprove: true,
 		ResolveThreads:   config.ResolveThreadsNever,
-		ResolveAfter:     "24h",
 	}
 	existing := config.File{
 		Keyring: config.KeyringConfig{Backend: "file"},
@@ -1726,8 +1757,18 @@ func TestInitPlanApplyPreservesUnrelatedExistingConfig(t *testing.T) {
 		want.Profiles[name] = profile
 	}
 	want.Profiles["work"] = after.Profiles["work"]
+	want.RepositoryAccess = make(map[string]config.RepositoryAccessConfig, len(before.RepositoryAccess)+1)
+	for name, access := range before.RepositoryAccess {
+		want.RepositoryAccess[name] = access
+	}
+	want.RepositoryAccess[after.Profiles["work"].RepositoryAccess] = after.RepositoryAccess[after.Profiles["work"].RepositoryAccess]
+	want.LLMRuntimes = make(map[string]config.LLMConfig, len(before.LLMRuntimes)+1)
+	for name, runtime := range before.LLMRuntimes {
+		want.LLMRuntimes[name] = runtime
+	}
+	want.LLMRuntimes[after.Profiles["work"].LLMRuntime] = after.LLMRuntimes[after.Profiles["work"].LLMRuntime]
 	if !reflect.DeepEqual(after, want) {
-		t.Fatalf("config after init = %#v, want only work profile added to %#v", after, before)
+		t.Fatalf("config after init = %#v, want only work profile/runtime added to %#v", after, before)
 	}
 }
 
@@ -1926,6 +1967,7 @@ func TestInitGitScopeDraftRoundTripPreservesIdentityCacheFromPreviousProfile(t *
 		Host:          "https://github.mycompany.com/",
 		AuthMode:      config.GitAuthModeGitHubApp,
 		Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work"},
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work",
 		IdentityCache: "rianjs-work",
 	}
@@ -1943,6 +1985,7 @@ func TestInitGitScopeDraftExportClearsIdentityCacheWhenShapeChanges(t *testing.T
 		Host:          "https://github.mycompany.com/",
 		AuthMode:      config.GitAuthModeGitHubApp,
 		Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work"},
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work",
 		IdentityCache: "rianjs-work",
 	}
@@ -2011,6 +2054,7 @@ func TestInitReviewerEntityDraftRoundTripVariants(t *testing.T) {
 				p.ReviewerCredentials = &config.ReviewerCredentials{
 					AuthMode:      config.GitAuthModeGitHubApp,
 					Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
+					GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 					CredentialRef: "codereview/work-reviewer",
 					IdentityCache: "review-app",
 				}
@@ -2019,12 +2063,14 @@ func TestInitReviewerEntityDraftRoundTripVariants(t *testing.T) {
 			previous: &config.ReviewerCredentials{
 				AuthMode:      config.GitAuthModeGitHubApp,
 				Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
+				GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 				CredentialRef: "codereview/work-reviewer",
 				IdentityCache: "review-app",
 			},
 			want: &config.ReviewerCredentials{
 				AuthMode:      config.GitAuthModeGitHubApp,
 				Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
+				GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 				CredentialRef: "codereview/work-reviewer",
 				IdentityCache: "review-app",
 			},
@@ -2049,6 +2095,7 @@ func TestInitReviewerEntityDraftExportClearsIdentityCacheWhenShapeChanges(t *tes
 	previous := &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
 		Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work-reviewer",
 		IdentityCache: "review-app",
 	}
@@ -2075,6 +2122,7 @@ func TestBuildInteractiveInitWorkspaceClearsReviewerDisplayNameWhenDraftLeavesIt
 	existing.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
 		Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work-reviewer",
 		DisplayName:   "Old label",
 	}
@@ -2128,7 +2176,7 @@ func TestBuildInitGitScopeInventoryDeduplicatesNormalizedGitHubEnterpriseHost(t
 	}
 }
 
-func TestBuildInitGitScopeInventoryAssignsStableSuffixOnNameCollision(t *testing.T) {
+func TestBuildInitGitScopeInventoryUsesProjectedRepositoryAccessNames(t *testing.T) {
 	home := basicProfile("home")
 	work := basicProfile("work")
 	home.Git.Host = "github.com"
@@ -2150,8 +2198,8 @@ func TestBuildInitGitScopeInventoryAssignsStableSuffixOnNameCollision(t *testing
 	if profileScopeNames["home"] == profileScopeNames["work"] {
 		t.Fatalf("profileScopeNames = %#v, want distinct names for colliding scope bases", profileScopeNames)
 	}
-	if profileScopeNames["home"] != "github-com-pat" && profileScopeNames["work"] != "github-com-pat" {
-		t.Fatalf("profileScopeNames = %#v, want one unsuffixed base name", profileScopeNames)
+	if profileScopeNames["home"] != "home-git" || profileScopeNames["work"] != "work-git" {
+		t.Fatalf("profileScopeNames = %#v, want projected repository access names", profileScopeNames)
 	}
 	if initGitScopeLabel(scopes[profileScopeNames["home"]]) == initGitScopeLabel(scopes[profileScopeNames["work"]]) {
 		t.Fatalf("git scope labels should be distinguishable: %#v", profileScopeNames)
@@ -2180,11 +2228,11 @@ func TestBuildInitReviewerEntityInventoryVariantsAndDeduping(t *testing.T) {
 
 	entities, profileEntityNames := buildInitReviewerEntityInventory(cfg)
 
-	if len(entities) != 2 {
-		t.Fatalf("len(entities) = %d, want 2; entities=%#v", len(entities), entities)
+	if len(entities) != 1 {
+		t.Fatalf("len(entities) = %d, want 1; entities=%#v", len(entities), entities)
 	}
-	if profileEntityNames["home"] == profileEntityNames["work"] {
-		t.Fatalf("profileEntityNames = %#v, want self entity distinct from PAT reviewer", profileEntityNames)
+	if profileEntityNames["home"] != string(initReviewerEntityKindUseGitIdentity) {
+		t.Fatalf("profileEntityNames = %#v, want home to use Git identity fallback", profileEntityNames)
 	}
 	if profileEntityNames["work"] != profileEntityNames["bot"] {
 		t.Fatalf("profileEntityNames = %#v, want deduped PAT reviewer entity", profileEntityNames)
@@ -2217,8 +2265,8 @@ func TestBuildInitReviewerEntityInventoryAssignsStableSuffixOnNameCollision(t *t
 	if profileEntityNames["home"] == profileEntityNames["work"] {
 		t.Fatalf("profileEntityNames = %#v, want distinct names for colliding reviewer bases", profileEntityNames)
 	}
-	if profileEntityNames["home"] != "reviewer-pat" && profileEntityNames["work"] != "reviewer-pat" {
-		t.Fatalf("profileEntityNames = %#v, want one unsuffixed base name", profileEntityNames)
+	if profileEntityNames["home"] != "home-reviewer" || profileEntityNames["work"] != "work-reviewer" {
+		t.Fatalf("profileEntityNames = %#v, want profile-derived reviewer entity names", profileEntityNames)
 	}
 	if initReviewerEntityLabel(entities[profileEntityNames["home"]]) == initReviewerEntityLabel(entities[profileEntityNames["work"]]) {
 		t.Fatalf("reviewer labels should be distinguishable: %#v", profileEntityNames)
@@ -2395,19 +2443,18 @@ func TestInitReviewerEntityInventoryRowsUseNameFirstConfiguredLabels(t *testing.
 		t.Fatalf("configuredTitles = %#v, want %#v", got, want)
 	}
 	if got, want := commandIDs, []string{
-		string(initReviewerEntityKindUseGitIdentity),
 		string(initReviewerEntityKindPAT),
 		string(initReviewerEntityKindGitHubApp),
 		initBackSelection,
 	}; !reflect.DeepEqual(got, want) {
 		t.Fatalf("commandIDs = %#v, want %#v", got, want)
 	}
-	if got, want := commandTitles[1:], []string{
+	if got, want := commandTitles, []string{
 		reviewerEntityTemplatePATLabel(),
 		reviewerEntityTemplateGitHubAppLabel(),
 		"Back to main menu",
 	}; !reflect.DeepEqual(got, want) {
-		t.Fatalf("commandTitles[1:] = %#v, want %#v", got, want)
+		t.Fatalf("commandTitles = %#v, want %#v", got, want)
 	}
 }
 
@@ -2416,11 +2463,13 @@ func TestBuildInitReviewerEntityInventorySharedDisplayNameWinsWhenOnlyOneProfile
 	work := basicProfile("work")
 	home.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/open-cli-collective-rianjs-bot",
 		DisplayName:   "OC Collective bot",
 	}
 	work.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/open-cli-collective-rianjs-bot",
 	}
 
@@ -2440,20 +2489,28 @@ func TestBuildInitReviewerEntityInventorySharedDisplayNameWinsWhenOnlyOneProfile
 	}
 }
 
-func TestEditInteractiveInitReviewerEntityStepPropagatesSharedDisplayName(t *testing.T) {
+func TestEditInteractiveInitReviewerEntityStepUpdatesConfiguredEntity(t *testing.T) {
 	home := basicProfile("home")
 	work := basicProfile("work")
-	home.ReviewerCredentials = &config.ReviewerCredentials{
-		AuthMode:      config.GitAuthModeGitHubApp,
-		CredentialRef: "codereview/open-cli-collective-rianjs-bot",
-		DisplayName:   "Old home label",
-	}
-	work.ReviewerCredentials = &config.ReviewerCredentials{
-		AuthMode:      config.GitAuthModeGitHubApp,
-		CredentialRef: "codereview/open-cli-collective-rianjs-bot",
-		DisplayName:   "Old work label",
+	reviewer := config.ProfileReviewer{
+		Kind:   config.ProfileReviewerKindEntity,
+		Entity: "oc-collective-bot",
+		GitHubAppInstallation: &config.ProfileReviewerGitHubAppInstallation{
+			Mode: config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository,
+		},
 	}
+	home.Reviewer = reviewer
+	work.Reviewer = reviewer
 	cfg := config.File{
+		ReviewerEntities: map[string]config.ReviewerEntity{
+			"oc-collective-bot": {
+				Host:          "github.com",
+				AuthMode:      config.GitAuthModeGitHubApp,
+				GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
+				CredentialRef: "codereview/open-cli-collective-rianjs-bot",
+				DisplayName:   "Old label",
+			},
+		},
 		Profiles: map[string]config.Profile{
 			"home": home,
 			"work": work,
@@ -2473,12 +2530,13 @@ func TestEditInteractiveInitReviewerEntityStepPropagatesSharedDisplayName(t *tes
 	draft := seedInteractiveInitDraft("home", "home", &home)
 	draft.ReviewerEnabled = true
 	draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
+	draft.ReviewerGitHubAppID = "12345"
 	draft.ReviewerCredentialRef = "codereview/open-cli-collective-rianjs-bot-renamed"
 	draft.ReviewerDisplayName = "OC Collective bot"
 
 	next, stayInCategory, err := editInteractiveInitReviewerEntityStep(&cobra.Command{}, &root.Options{}, initOptions{}, initDeps{
 		reviewerPrompter: initReviewerEntityPrompterFunc(func(_ initReviewerEntityPrompt) (initDraft, error) {
-			draft.ActionTarget = "reviewer-github-app"
+			draft.ActionTarget = "oc-collective-bot"
 			return draft, nil
 		}),
 		prompter: initPrompterFunc(func(_ initPromptContext) (initDraft, error) {
@@ -2492,8 +2550,21 @@ func TestEditInteractiveInitReviewerEntityStepPropagatesSharedDisplayName(t *tes
 	if stayInCategory {
 		t.Fatal("stayInCategory = true, want focused reviewer flow to return to main menu after stage")
 	}
+	entity := next.cfg.ReviewerEntities["oc-collective-bot"]
+	if got, want := entity.AuthMode, config.GitAuthModeGitHubApp; got != want {
+		t.Fatalf("entity auth mode = %q, want %q", got, want)
+	}
+	if got, want := entity.CredentialRef, "codereview/open-cli-collective-rianjs-bot-renamed"; got != want {
+		t.Fatalf("entity credential ref = %q, want %q", got, want)
+	}
+	if got, want := entity.DisplayName, "OC Collective bot"; got != want {
+		t.Fatalf("entity display name = %q, want %q", got, want)
+	}
 	for _, profileName := range []string{"home", "work"} {
 		profile := next.cfg.Profiles[profileName]
+		if got, want := profile.Reviewer, reviewer; !reflect.DeepEqual(got, want) {
+			t.Fatalf("%s reviewer selector = %#v, want %#v", profileName, got, want)
+		}
 		if profile.ReviewerCredentials == nil {
 			t.Fatalf("%s reviewer credentials cleared unexpectedly", profileName)
 		}
@@ -2509,18 +2580,9 @@ func TestEditInteractiveInitReviewerEntityStepPropagatesSharedDisplayName(t *tes
 	}
 }
 
-func TestEditInteractiveInitReviewerEntityStepPropagatesConcreteSharedReviewerRefAfterStandardNoOpEdit(t *testing.T) {
+func TestEditInteractiveInitReviewerEntityStepDefaultsBlankRefToStandaloneEntityRef(t *testing.T) {
 	home := basicProfile("home")
 	work := basicProfile("work")
-	home.ReviewerCredentials = &config.ReviewerCredentials{
-		AuthMode:      config.GitAuthModeGitHubApp,
-		CredentialRef: "codereview/home-reviewer",
-	}
-	work.ReviewerCredentials = &config.ReviewerCredentials{
-		AuthMode:      config.GitAuthModeGitHubApp,
-		CredentialRef: "codereview/home-reviewer",
-		DisplayName:   "Old work label",
-	}
 	cfg := config.File{
 		Profiles: map[string]config.Profile{
 			"home": home,
@@ -2541,6 +2603,7 @@ func TestEditInteractiveInitReviewerEntityStepPropagatesConcreteSharedReviewerRe
 	draft := seedInteractiveInitDraft("home", "home", &home)
 	draft.ReviewerEnabled = true
 	draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
+	draft.ReviewerGitHubAppID = "12345"
 	draft.ReviewerCredentialRef = ""
 	draft.ReviewerDisplayName = "OC Collective bot"
 
@@ -2560,34 +2623,30 @@ func TestEditInteractiveInitReviewerEntityStepPropagatesConcreteSharedReviewerRe
 	if stayInCategory {
 		t.Fatal("stayInCategory = true, want focused reviewer flow to return to main menu after stage")
 	}
-	for _, profileName := range []string{"home", "work"} {
-		profile := next.cfg.Profiles[profileName]
-		if profile.ReviewerCredentials == nil {
-			t.Fatalf("%s reviewer credentials cleared unexpectedly", profileName)
-		}
-		if got, want := profile.ReviewerCredentials.CredentialRef, "codereview/home-reviewer"; got != want {
-			t.Fatalf("%s credential ref = %q, want %q", profileName, got, want)
-		}
-		if got, want := profile.ReviewerCredentials.DisplayName, "OC Collective bot"; got != want {
-			t.Fatalf("%s display name = %q, want %q", profileName, got, want)
-		}
+	entity := next.cfg.ReviewerEntities["reviewer-github-app"]
+	if got, want := entity.CredentialRef, "codereview/reviewer-github-app"; got != want {
+		t.Fatalf("entity credential ref = %q, want %q", got, want)
+	}
+	if got, want := entity.DisplayName, "OC Collective bot"; got != want {
+		t.Fatalf("entity display name = %q, want %q", got, want)
 	}
 }
 
 func TestEditInteractiveInitReviewerEntityStepSelectingFallbackDoesNotPropagateSharedEntity(t *testing.T) {
 	home := basicProfile("home")
 	work := basicProfile("work")
-	home.ReviewerCredentials = &config.ReviewerCredentials{
-		AuthMode:      config.GitAuthModeGitHubApp,
-		CredentialRef: "codereview/open-cli-collective-rianjs-bot",
-		DisplayName:   "Old home label",
-	}
-	work.ReviewerCredentials = &config.ReviewerCredentials{
-		AuthMode:      config.GitAuthModeGitHubApp,
-		CredentialRef: "codereview/open-cli-collective-rianjs-bot",
-		DisplayName:   "Old work label",
-	}
+	home.Reviewer = config.ProfileReviewer{Kind: config.ProfileReviewerKindEntity, Entity: "oc-collective-bot"}
+	work.Reviewer = config.ProfileReviewer{Kind: config.ProfileReviewerKindEntity, Entity: "oc-collective-bot"}
 	cfg := config.File{
+		ReviewerEntities: map[string]config.ReviewerEntity{
+			"oc-collective-bot": {
+				Host:          "github.com",
+				AuthMode:      config.GitAuthModeGitHubApp,
+				GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
+				CredentialRef: "codereview/open-cli-collective-rianjs-bot",
+				DisplayName:   "Old label",
+			},
+		},
 		Profiles: map[string]config.Profile{
 			"home": home,
 			"work": work,
@@ -2625,14 +2684,15 @@ func TestEditInteractiveInitReviewerEntityStepSelectingFallbackDoesNotPropagateS
 	if stayInCategory {
 		t.Fatal("stayInCategory = true, want focused reviewer flow to return to main menu after stage")
 	}
-	if got := next.cfg.Profiles["home"].ReviewerCredentials; got != nil {
-		t.Fatalf("home reviewer credentials = %#v, want cleared fallback reviewer", got)
+	normalized := config.Normalize(next.cfg)
+	if got := normalized.Profiles["home"].Reviewer; got != (config.ProfileReviewer{Kind: config.ProfileReviewerKindEntity, Entity: "oc-collective-bot"}) {
+		t.Fatalf("home reviewer selector = %#v, want unchanged configured entity", got)
 	}
-	workProfile := next.cfg.Profiles["work"]
+	workProfile := normalized.Profiles["work"]
 	if workProfile.ReviewerCredentials == nil {
 		t.Fatal("work reviewer credentials cleared unexpectedly")
 	}
-	if got, want := workProfile.ReviewerCredentials.DisplayName, "Old work label"; got != want {
+	if got, want := workProfile.ReviewerCredentials.DisplayName, "Old label"; got != want {
 		t.Fatalf("work display name = %q, want %q", got, want)
 	}
 	if got, want := workProfile.ReviewerCredentials.CredentialRef, "codereview/open-cli-collective-rianjs-bot"; got != want {
@@ -2725,14 +2785,13 @@ func TestInitReviewerEntityInventoryRowsUseExplicitGitAccountFallbackLabels(t *t
 		t.Run(tc.name, func(t *testing.T) {
 			profile := basicProfile("home")
 			profile.Git = tc.git
-			rows := initReviewerEntityInventoryRows(initPromptContext{
-				ExistingProfile: &profile,
-			})
-			if len(rows) == 0 {
-				t.Fatal("rows = empty, want fallback command row")
+			label := profileEditorReviewerEntityFallbackLabel(initGitScopeDraftFromConfig(profile.Git), &profile)
+			options := initReviewerEntitySelectionOptions(map[string]initReviewerEntityDraft{}, label)
+			if len(options) == 0 {
+				t.Fatal("options = empty, want fallback option")
 			}
-			if got := rows[0].Title; got != tc.wantText {
-				t.Fatalf("fallback row = %q, want %q", got, tc.wantText)
+			if got := options[0].Key; got != tc.wantText {
+				t.Fatalf("fallback option = %q, want %q", got, tc.wantText)
 			}
 		})
 	}
@@ -3282,12 +3341,14 @@ func TestBuildInteractiveInitWorkspaceImportsGitScopeAndReviewerEntityInventory(
 	existing := basicProfile("work")
 	existing.Git.Host = "github.mycompany.com"
 	existing.Git.AuthMode = config.GitAuthModeGitHubApp
+	existing.Git.GitHubApp = &config.GitHubAppConfig{AppID: "12345"}
 	existing.Git.Credential = config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/office-git"}
 	existing.Git.CredentialRef = "codereview/office-git"
 	existing.Git.IdentityCache = "git-cache"
 	existing.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
 		Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/office-reviewer"},
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/office-reviewer",
 		IdentityCache: "reviewer-cache",
 	}
@@ -3385,6 +3446,7 @@ func TestInitInteractivePromptDrivenFlowStillExportsSeparateReviewerAfterDraftIn
 				GitCredentialRef:        "codereview/office-git",
 				ReviewerEnabled:         true,
 				ReviewerAuth:            string(config.GitAuthModeGitHubApp),
+				ReviewerGitHubAppID:     "12345",
 				ReviewerCredentialStore: config.LocalOSCredentialStoreID,
 				ReviewerCredentialRef:   "codereview/office-reviewer",
 				LLMProvider:             string(config.LLMProviderAnthropic),
@@ -3412,7 +3474,6 @@ func TestInitInteractivePromptDrivenFlowStillExportsSeparateReviewerAfterDraftIn
 					credentials.GitTokenKey: "existing-git-token",
 				},
 				"office-reviewer": {
-					credentials.GitHubAppIDKey:         "12345",
 					credentials.GitHubAppPrivateKeyKey: "private-key",
 				},
 			}), nil
@@ -3744,7 +3805,7 @@ func TestCollectInteractiveInitSecretsBackAfterPartialMultiKeyWriteDiscardsScrat
 			initSecretSourcePaste,
 			initSecretSourceBack,
 		},
-		pastes: []string{"12345"},
+		pastes: []string{"private-key"},
 	}
 	workspace, err := collectInteractiveInitSecrets(&cobra.Command{}, &root.Options{}, initDeps{
 		secretPrompter:     prompter,
@@ -3760,7 +3821,7 @@ func TestCollectInteractiveInitSecretsBackAfterPartialMultiKeyWriteDiscardsScrat
 	if err != nil {
 		t.Fatalf("collectInteractiveInitSecrets: %v", err)
 	}
-	if got := workspace.writes["codereview/default"][credentials.GitHubAppIDKey]; got != "" {
+	if got := workspace.writes["codereview/default"][credentials.GitHubAppPrivateKeyKey]; got != "" {
 		t.Fatalf("partial draft write = %q, want discarded after later source Back then defer", got)
 	}
 	if workspace.satisfiedRefs["codereview/default"] {
@@ -3904,12 +3965,12 @@ func testInitMultiKeySecretWorkspace() initWorkspaceDraft {
 				Mode:    string(config.GitAuthModeGitHubApp),
 			},
 			KeySpecs: []credentials.KeySpec{
-				{Key: credentials.GitHubAppIDKey, Required: true},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
+				{Key: credentials.GitTokenKey, Required: true},
 			},
 			MissingRequiredKeys: []string{
-				credentials.GitHubAppIDKey,
 				credentials.GitHubAppPrivateKeyKey,
+				credentials.GitTokenKey,
 			},
 			State: initCredentialPlanStateMissingRequired,
 		}},
@@ -3949,11 +4010,8 @@ func TestWriteInitCredentialPlanHintsUsesMissingRequiredKeysOnly(t *testing.T) {
 			Mode:    string(config.GitAuthModeGitHubApp),
 		},
 		KeySpecs: []credentials.KeySpec{
-			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-			{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 		},
-		PlannedWriteKeys:    []string{credentials.GitHubAppIDKey},
 		MissingRequiredKeys: []string{credentials.GitHubAppPrivateKeyKey},
 		State:               initCredentialPlanStateMissingRequired,
 	}
@@ -3982,9 +4040,7 @@ func TestWriteInitCredentialPlanHintsForDeferredGitHubAppUsesRequiredKeysOnly(t
 			Mode:    string(config.GitAuthModeGitHubApp),
 		},
 		KeySpecs: []credentials.KeySpec{
-			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-			{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 		},
 		State: initCredentialPlanStateDefer,
 	}
@@ -3993,7 +4049,7 @@ func TestWriteInitCredentialPlanHintsForDeferredGitHubAppUsesRequiredKeysOnly(t
 		t.Fatalf("writeInitCredentialPlanHints: %v", err)
 	}
 	got := stderr.String()
-	for _, key := range []string{credentials.GitHubAppIDKey, credentials.GitHubAppPrivateKeyKey} {
+	for _, key := range []string{credentials.GitHubAppPrivateKeyKey} {
 		if !strings.Contains(got, "cr set-credential --store local-os --name codereview/rianjs-bot --key "+key+" --stdin") {
 			t.Fatalf("stderr = %q, want required setup hint for %s", got, key)
 		}
@@ -5088,19 +5144,17 @@ func TestHuhInitReviewerEntityPrompterAccessibleConfiguredReviewerRoundTripsInMi
 		},
 	}
 	reviewerEntities, profileReviewerEntities := buildInitReviewerEntityInventory(cfg)
+	selectedReviewerEntity := profileReviewerEntities["work"]
 	var stderr bytes.Buffer
 	prompter := huhInitReviewerEntityPrompter{
-		stderr: &stderr,
-		editorRunner: stageReviewerEntityEditorRunner(t, map[initLinearFieldID]string{
-			initReviewerEntityFieldGitHubAppID:         "12345",
-			initReviewerEntityFieldGitHubAppPrivateKey: testReviewerGitHubAppPrivateKey(),
-		}, ""),
+		stderr:       &stderr,
+		editorRunner: stageReviewerEntityEditorRunner(t, nil, ""),
 		inventoryRunner: func(_ initInventoryPrompt, _ io.Reader, out io.Writer) (initInventoryResult, error) {
 			_, _ = io.WriteString(out, "custom-work-reviewer (PAT reviewer)\n")
 			return initInventoryResult{
 				Action: initInventoryActionEdit,
 				Row: initInventoryRow{
-					ID:    "reviewer-pat",
+					ID:    selectedReviewerEntity,
 					Title: "custom-work-reviewer (PAT reviewer)",
 				},
 			}, nil
@@ -5109,20 +5163,24 @@ func TestHuhInitReviewerEntityPrompterAccessibleConfiguredReviewerRoundTripsInMi
 
 	draft, err := prompter.EditReviewerEntity(initReviewerEntityPrompt{
 		Context: initPromptContext{
-			RequestedProfileName:    "home",
-			ExistingProfileName:     "home",
-			ExistingProfile:         &home,
-			ExistingConfig:          cfg,
-			ReviewerEntities:        reviewerEntities,
-			ProfileReviewerEntities: profileReviewerEntities,
+			RequestedProfileName:         "home",
+			ExistingProfileName:          "home",
+			ExistingProfile:              &home,
+			ExistingConfig:               cfg,
+			ReviewerEntities:             reviewerEntities,
+			ProfileReviewerEntities:      profileReviewerEntities,
+			StandaloneReviewerEntityMode: true,
 		},
 	})
 	if err != nil {
 		t.Fatalf("EditReviewerEntity: %v", err)
 	}
-	if !draft.ReviewerEnabled || draft.ReviewerAuth != string(config.GitAuthModePAT) || draft.ReviewerCredentialRef != "codereview/custom-work-reviewer" {
+	if !draft.ReviewerEnabled || draft.ReviewerAuth != string(config.GitAuthModePAT) || draft.ReviewerCredentialWriteRef != "codereview/custom-work-reviewer" {
 		t.Fatalf("draft reviewer = %#v, want configured PAT reviewer to round-trip intact", draft)
 	}
+	if draft.ReviewerCredentialRef != "" || draft.AdvancedStorageLabels {
+		t.Fatalf("draft reviewer location = %q / advanced=%v, want unchanged existing standalone entity location", draft.ReviewerCredentialRef, draft.AdvancedStorageLabels)
+	}
 }
 
 func TestHuhInitPrompterAccessibleRequestedNewProfilePreservesExplicitName(t *testing.T) {
@@ -6244,6 +6302,7 @@ func TestHuhInitReviewerEntityPrompterExistingReviewerFallbackSeedDoesNotPersist
 	existing := basicProfile("work")
 	existing.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/open-cli-collective-rianjs-bot",
 	}
 	draft := seedInteractiveInitDraft("work", "work", &existing)
@@ -6270,12 +6329,14 @@ func TestHuhInitReviewerEntityPrompterAccessibleShowsSeededDisplayNamePrompt(t *
 	existing := basicProfile("work")
 	existing.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work-reviewer",
 		DisplayName:   "Old label",
 	}
 	draft := seedInteractiveInitDraft("work", "work", &existing)
 	draft.ReviewerEnabled = true
 	draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
+	draft.ReviewerGitHubAppID = "12345"
 	draft.ReviewerCredentialRef = "codereview/work-reviewer"
 	draft.ReviewerDisplayName = "Old label"
 	var stderr bytes.Buffer
@@ -6304,6 +6365,7 @@ func TestHuhInitReviewerEntityPrompterExistingReviewerCanEditLabel(t *testing.T)
 	existing := basicProfile("work")
 	existing.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work-reviewer",
 	}
 	draft := seedInteractiveInitDraft("work", "work", &existing)
@@ -6339,23 +6401,30 @@ func TestHuhInitReviewerEntityPrompterExistingReviewerCanEditLabel(t *testing.T)
 func TestHuhInitReviewerEntityPrompterDefaultUsesLinearReviewerFlow(t *testing.T) {
 	existing := basicProfile("work")
 	var stderr bytes.Buffer
-	prompter := huhInitReviewerEntityPrompter{
-		stderr: &stderr,
-		editorRunner: func(editor initLinearEditor, _ io.Reader, out io.Writer) (initLinearEditorModel, error) {
-			model := newInitLinearEditorModel(editor, 160, 60)
-			model = selectInitLinearFieldValue(t, model, initReviewerEntityFieldSelection, string(initReviewerEntityKindPAT))
-			model.setFieldValue(initReviewerEntityFieldGitToken, "reviewer-pat")
-			model.afterFieldChange(model.document.fieldIndexByID(initReviewerEntityFieldGitToken))
-			model = focusInitLinearField(t, model, initReviewerEntityFieldAction)
-			model = selectInitLinearFieldValue(t, model, initReviewerEntityFieldAction, initDetailActionEdit)
-			_, _ = io.WriteString(out, model.View())
-			updated, _ := model.Update(tea.KeyMsg{Type: tea.KeyEnter})
-			next, ok := updated.(initLinearEditorModel)
-			if !ok {
-				t.Fatalf("Update returned %T, want initLinearEditorModel", updated)
-			}
-			return next, nil
-		},
+	prompter, ok := newHuhInitReviewerEntityPrompter(&root.Options{
+		Stdin:  strings.NewReader(""),
+		Stderr: &stderr,
+	}).(huhInitReviewerEntityPrompter)
+	if !ok {
+		t.Fatalf("newHuhInitReviewerEntityPrompter returned %T, want huhInitReviewerEntityPrompter", newHuhInitReviewerEntityPrompter(&root.Options{}))
+	}
+	if prompter.inventoryRunner != nil {
+		t.Fatal("reviewer entity prompter inventoryRunner = non-nil, want direct linear editor path")
+	}
+	prompter.editorRunner = func(editor initLinearEditor, _ io.Reader, out io.Writer) (initLinearEditorModel, error) {
+		model := newInitLinearEditorModel(editor, 160, 60)
+		model = selectInitLinearFieldValue(t, model, initReviewerEntityFieldSelection, string(initReviewerEntityKindPAT))
+		model.setFieldValue(initReviewerEntityFieldGitToken, "inline-secret-token")
+		model.afterFieldChange(model.document.fieldIndexByID(initReviewerEntityFieldGitToken))
+		model = focusInitLinearField(t, model, initReviewerEntityFieldAction)
+		model = selectInitLinearFieldValue(t, model, initReviewerEntityFieldAction, initDetailActionEdit)
+		_, _ = io.WriteString(out, model.View())
+		updated, _ := model.Update(tea.KeyMsg{Type: tea.KeyEnter})
+		next, ok := updated.(initLinearEditorModel)
+		if !ok {
+			t.Fatalf("Update returned %T, want initLinearEditorModel", updated)
+		}
+		return next, nil
 	}
 
 	draft, err := prompter.EditReviewerEntity(initReviewerEntityPrompt{Context: initPromptContext{
@@ -6370,7 +6439,7 @@ func TestHuhInitReviewerEntityPrompterDefaultUsesLinearReviewerFlow(t *testing.T
 	if !draft.ReviewerEnabled || draft.ReviewerAuth != string(config.GitAuthModePAT) {
 		t.Fatalf("draft = %#v, want PAT reviewer", draft)
 	}
-	if got := draft.ReviewerCredentialWrites[credentials.GitTokenKey]; got != "reviewer-pat" {
+	if got := draft.ReviewerCredentialWrites[credentials.GitTokenKey]; got != "inline-secret-token" {
 		t.Fatalf("staged reviewer PAT = %q, want inline token", got)
 	}
 	out := stderr.String()
@@ -6395,7 +6464,7 @@ func TestHuhInitReviewerEntityPrompterDefaultUsesLinearReviewerFlow(t *testing.T
 		}
 	}
 	assertContentOrder(t, out, "Reviewer entity", "Reviewer details", "Entity label", "Reviewer secret location", "Reviewer credential status", "Reviewer action")
-	if strings.Contains(out, "reviewer-pat") {
+	if strings.Contains(out, "inline-secret-token") {
 		t.Fatalf("stderr leaked reviewer PAT value:\n%s", out)
 	}
 	if strings.Contains(out, "Back to main menu") {
@@ -6403,6 +6472,41 @@ func TestHuhInitReviewerEntityPrompterDefaultUsesLinearReviewerFlow(t *testing.T
 	}
 }
 
+func TestReviewerEntityStandaloneLinearEditorUsesActionsWithoutProfileFallback(t *testing.T) {
+	ctx := initPromptContext{
+		StandaloneReviewerEntityMode: true,
+		ExistingConfig:               config.File{Profiles: map[string]config.Profile{}},
+	}
+	model := newInitLinearEditorModel(initReviewerEntityLinearEditor(ctx, initDraft{}), 160, 60)
+	selectionIndex := model.document.fieldIndexByID(initReviewerEntityFieldSelection)
+	if selectionIndex < 0 {
+		t.Fatal("reviewer entity selection field missing")
+	}
+	if got, want := model.document[selectionIndex].Title, "Actions"; got != want {
+		t.Fatalf("selection title = %q, want %q", got, want)
+	}
+	if got, want := model.document.selectedValue(initReviewerEntityFieldSelection), string(initReviewerEntityKindPAT); got != want {
+		t.Fatalf("default standalone reviewer selection = %q, want %q", got, want)
+	}
+	optionLabels := make([]string, 0, len(model.document[selectionIndex].Options))
+	for _, option := range model.document[selectionIndex].Options {
+		optionLabels = append(optionLabels, option.Label)
+	}
+	for _, forbidden := range []string{reviewerEntityTemplateFallbackLabel(), "Back to main menu"} {
+		if slices.Contains(optionLabels, forbidden) {
+			t.Fatalf("standalone reviewer options = %#v, want no %q", optionLabels, forbidden)
+		}
+	}
+	for _, want := range []string{reviewerEntityTemplatePATLabel(), reviewerEntityTemplateGitHubAppLabel()} {
+		if !slices.Contains(optionLabels, want) {
+			t.Fatalf("standalone reviewer options = %#v, want %q", optionLabels, want)
+		}
+	}
+	if model.document.fieldHidden(initReviewerEntityFieldLabel) || model.document.fieldHidden(initReviewerEntityFieldSecretLocation) {
+		t.Fatalf("PAT reviewer detail fields hidden = label:%v location:%v, want visible", model.document.fieldHidden(initReviewerEntityFieldLabel), model.document.fieldHidden(initReviewerEntityFieldSecretLocation))
+	}
+}
+
 func TestHuhInitReviewerEntityPrompterGitHubAppLinearFlowShowsCredentialBundleCopy(t *testing.T) {
 	existing := basicProfile("work")
 	var stderr bytes.Buffer
@@ -6440,40 +6544,36 @@ func TestHuhInitReviewerEntityPrompterGitHubAppLinearFlowShowsCredentialBundleCo
 	if !draft.ReviewerEnabled || draft.ReviewerAuth != string(config.GitAuthModeGitHubApp) {
 		t.Fatalf("draft = %#v, want GitHub App reviewer", draft)
 	}
-	if got := draft.ReviewerCredentialWrites[credentials.GitHubAppIDKey]; got != "12345" {
-		t.Fatalf("staged app id = %q, want inline app id", got)
+	if got := draft.ReviewerGitHubAppID; got != "12345" {
+		t.Fatalf("draft app id = %q, want inline app id", got)
+	}
+	if _, ok := draft.ReviewerCredentialWrites[credentials.GitHubAppIDKey]; ok {
+		t.Fatalf("staged app id secret write present: %#v", draft.ReviewerCredentialWrites)
 	}
 	if got := draft.ReviewerCredentialWrites[credentials.GitHubAppPrivateKeyKey]; got != privateKey {
 		t.Fatalf("staged private key = %q, want inline private key", got)
 	}
 	out := stderr.String()
 	for _, want := range []string{
-		"GitHub App reviewer. Required credential keys",
-		"Reviewer secret location",
-		"Credential name for this reviewer",
-		"This is a credential name, not a PAT",
-		"Reviewer credential status",
-		credentials.GitHubAppIDKey,
+		"GitHub App reviewer. GitHub App ID is saved in config.yml; required credential key: " + credentials.GitHubAppPrivateKeyKey,
+		"Reviewer private-key location",
+		"Credential name for this reviewer's GitHub App private key",
+		"GitHub App ID is saved in config.yml",
+		"Reviewer private-key status",
 		credentials.GitHubAppPrivateKeyKey,
-		credentials.GitHubAppInstallationIDKey,
 		"staged",
-		credentials.GitHubAppIDKey,
 		credentials.GitHubAppPrivateKeyKey,
 		"Reviewer credential values",
 		"GitHub App ID",
 		"GitHub App private key",
-		"Optional credential key: " + credentials.GitHubAppInstallationIDKey,
-		"optional",
 	} {
 		if !strings.Contains(out, want) {
 			t.Fatalf("stderr missing %q:\n%s", want, out)
 		}
 	}
-	assertContentOrder(t, out, "Reviewer secret location", "Reviewer credential status", "Reviewer action")
-	for _, leaked := range []string{"12345", privateKey} {
-		if strings.Contains(out, leaked) {
-			t.Fatalf("stderr leaked GitHub App secret value %q:\n%s", leaked, out)
-		}
+	assertContentOrder(t, out, "Reviewer private-key location", "Reviewer private-key status", "Reviewer action")
+	if strings.Contains(out, privateKey) {
+		t.Fatalf("stderr leaked GitHub App private key:\n%s", out)
 	}
 }
 
@@ -6503,8 +6603,8 @@ func TestReviewerEntityLinearEditorNewLabelDerivesDefaultSecretLocation(t *testi
 	if !strings.Contains(status, "Destination: "+initBuiltInOSCredentialStoreTitle()+" / codereview/rianjs-bot-reviewer") {
 		t.Fatalf("status = %q, want label-derived destination", status)
 	}
-	if !strings.Contains(status, credentials.GitHubAppIDKey) || !strings.Contains(status, string(initReviewerCredentialKeyMissing)) || strings.Contains(status, string(initReviewerCredentialKeyUnavailable)) {
-		t.Fatalf("status = %q, want label-derived ref to show missing required keys, not unavailable", status)
+	if strings.Contains(status, credentials.GitHubAppIDKey) || !strings.Contains(status, credentials.GitHubAppPrivateKeyKey) || !strings.Contains(status, string(initReviewerCredentialKeyMissing)) || strings.Contains(status, string(initReviewerCredentialKeyUnavailable)) {
+		t.Fatalf("status = %q, want label-derived ref to show missing private key, not app id or unavailable", status)
 	}
 }
 
@@ -6587,7 +6687,7 @@ func TestReviewerEntityExistingReviewerChangedRefRequiresInlineSecrets(t *testin
 		AuthMode:      config.GitAuthModePAT,
 		CredentialRef: "codereview/existing-reviewer",
 		DisplayName:   "Existing reviewer",
-	}, seed, true)
+	}, seed, true, false)
 	if err != nil {
 		t.Fatalf("newReviewerEntityEditorState: %v", err)
 	}
@@ -6712,8 +6812,8 @@ func TestReviewerEntityLinearEditorGitHubAppRequiresInlineSecretsBeforeStaging(t
 	if actionIndex < 0 {
 		t.Fatal("action field missing")
 	}
-	if got := blocked.document[actionIndex].Error; !strings.Contains(got, credentials.GitHubAppIDKey) || !strings.Contains(got, credentials.GitHubAppPrivateKeyKey) {
-		t.Fatalf("action error = %q, want missing GitHub App required keys", got)
+	if got := blocked.document[actionIndex].Error; !strings.Contains(got, "GitHub App ID") {
+		t.Fatalf("action error = %q, want missing GitHub App ID", got)
 	}
 
 	blocked.setFieldValue(initReviewerEntityFieldGitHubAppID, "12345")
@@ -6743,15 +6843,15 @@ func TestReviewerEntityLinearEditorGitHubAppRequiresInlineSecretsBeforeStaging(t
 	if got, want := draft.ReviewerCredentialWriteRef, "codereview/rianjs-bot-reviewer"; got != want {
 		t.Fatalf("ReviewerCredentialWriteRef = %q, want %q", got, want)
 	}
-	if got := draft.ReviewerCredentialWrites[credentials.GitHubAppIDKey]; got != "12345" {
-		t.Fatalf("staged github_app_id = %q, want 12345", got)
+	if got := draft.ReviewerGitHubAppID; got != "12345" {
+		t.Fatalf("draft github app id = %q, want 12345", got)
+	}
+	if _, ok := draft.ReviewerCredentialWrites[credentials.GitHubAppIDKey]; ok {
+		t.Fatalf("staged github_app_id secret write present: %#v", draft.ReviewerCredentialWrites)
 	}
 	if got := draft.ReviewerCredentialWrites[credentials.GitHubAppPrivateKeyKey]; got != privateKey {
 		t.Fatalf("staged private key = %q, want multiline key", got)
 	}
-	if _, ok := draft.ReviewerCredentialWrites[credentials.GitHubAppInstallationIDKey]; ok {
-		t.Fatalf("optional installation id staged unexpectedly: %#v", draft.ReviewerCredentialWrites)
-	}
 }
 
 func TestReviewerEntityLinearEditorLabelDerivedRefDoesNotMarkMissingStatusAsOverwrite(t *testing.T) {
@@ -6768,9 +6868,7 @@ func TestReviewerEntityLinearEditorLabelDerivedRefDoesNotMarkMissingStatusAsOver
 				Mode:    string(config.GitAuthModeGitHubApp),
 			},
 			Keys: []initReviewerCredentialKeyStatus{
-				{Key: credentials.GitHubAppIDKey, Required: true, State: initReviewerCredentialKeyMissing},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true, State: initReviewerCredentialKeyMissing},
-				{Key: credentials.GitHubAppInstallationIDKey, Required: false, State: initReviewerCredentialKeyOptional},
 			},
 		}},
 	}
@@ -6810,9 +6908,7 @@ func TestReviewerEntityLinearEditorManualRefDoesNotMarkUnavailableStatusAsOverwr
 				Mode:    string(config.GitAuthModeGitHubApp),
 			},
 			Keys: []initReviewerCredentialKeyStatus{
-				{Key: credentials.GitHubAppIDKey, Required: true, State: initReviewerCredentialKeyMissing},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true, State: initReviewerCredentialKeyMissing},
-				{Key: credentials.GitHubAppInstallationIDKey, Required: false, State: initReviewerCredentialKeyOptional},
 			},
 		}},
 	}
@@ -6853,9 +6949,7 @@ func TestReviewerEntityLinearEditorLabelDerivedRefPreservesBackendUnavailableSta
 			},
 			Unavailable: "credential backend status unavailable",
 			Keys: []initReviewerCredentialKeyStatus{
-				{Key: credentials.GitHubAppIDKey, Required: true, State: initReviewerCredentialKeyUnavailable},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true, State: initReviewerCredentialKeyUnavailable},
-				{Key: credentials.GitHubAppInstallationIDKey, Required: false, State: initReviewerCredentialKeyUnavailable},
 			},
 		}},
 	}
@@ -6984,34 +7078,32 @@ func TestHuhInitReviewerEntityDetailsGitHubAppShowsCredentialBundleCopy(t *testi
 	if !nextDraft.ReviewerEnabled || nextDraft.ReviewerAuth != string(config.GitAuthModeGitHubApp) {
 		t.Fatalf("draft = %#v, want GitHub App reviewer", nextDraft)
 	}
-	if got := nextDraft.ReviewerCredentialWrites[credentials.GitHubAppIDKey]; got != "12345" {
-		t.Fatalf("staged app id = %q, want inline app id", got)
+	if got := nextDraft.ReviewerGitHubAppID; got != "12345" {
+		t.Fatalf("draft app id = %q, want inline app id", got)
+	}
+	if _, ok := nextDraft.ReviewerCredentialWrites[credentials.GitHubAppIDKey]; ok {
+		t.Fatalf("staged app id secret write present: %#v", nextDraft.ReviewerCredentialWrites)
 	}
 	if got := nextDraft.ReviewerCredentialWrites[credentials.GitHubAppPrivateKeyKey]; got != privateKey {
 		t.Fatalf("staged private key = %q, want inline private key", got)
 	}
 	out := stderr.String()
 	for _, want := range []string{
-		"GitHub App reviewer. Required credential keys",
-		"Reviewer secret location",
-		"Credential name for this reviewer",
-		"This is a credential name, not a PAT",
+		"GitHub App reviewer. GitHub App ID is saved in config.yml; required credential key: " + credentials.GitHubAppPrivateKeyKey,
+		"Reviewer private-key location",
+		"Credential name for this reviewer's GitHub App private key",
+		"GitHub App ID is saved in config.yml",
 		"Reviewer credential values",
 		"GitHub App ID",
 		"GitHub App private key",
-		credentials.GitHubAppIDKey,
 		credentials.GitHubAppPrivateKeyKey,
-		"Optional credential key: " + credentials.GitHubAppInstallationIDKey,
-		"optional",
 	} {
 		if !strings.Contains(out, want) {
 			t.Fatalf("stderr missing %q:\n%s", want, out)
 		}
 	}
-	for _, leaked := range []string{"12345", privateKey} {
-		if strings.Contains(out, leaked) {
-			t.Fatalf("stderr leaked GitHub App secret value %q:\n%s", leaked, out)
-		}
+	if strings.Contains(out, privateKey) {
+		t.Fatalf("stderr leaked GitHub App private key:\n%s", out)
 	}
 }
 
@@ -7045,9 +7137,7 @@ func TestHuhInitReviewerEntityDetailsPreservesPromptContextCredentialStore(t *te
 			},
 			SecretsProfile: resolved,
 			Keys: []initReviewerCredentialKeyStatus{
-				{Key: credentials.GitHubAppIDKey, Required: true, State: initReviewerCredentialKeyMissing},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true, State: initReviewerCredentialKeyMissing},
-				{Key: credentials.GitHubAppInstallationIDKey, Required: false, State: initReviewerCredentialKeyOptional},
 			},
 		}},
 	}
@@ -7449,7 +7539,7 @@ func TestInitCredentialReadinessNoteNamesSelectedSecretsProfile(t *testing.T) {
 	}
 }
 
-func TestInitCredentialReadinessNoteLabelsGitHubAppRequiredAndOptionalKeys(t *testing.T) {
+func TestInitCredentialReadinessNoteLabelsGitHubAppRequiredKeys(t *testing.T) {
 	note := initCredentialReadinessNote(initCredentialPlanEntry{
 		Ref: config.CredentialRef{
 			Purpose: "reviewer_credentials",
@@ -7457,27 +7547,26 @@ func TestInitCredentialReadinessNoteLabelsGitHubAppRequiredAndOptionalKeys(t *te
 			Mode:    string(config.GitAuthModeGitHubApp),
 		},
 		KeySpecs: []credentials.KeySpec{
-			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-			{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 		},
 		State: initCredentialPlanStateDefer,
 	})
 	for _, want := range []string{
 		"reviewer deferred",
-		"required: " + credentials.GitHubAppIDKey + ", " + credentials.GitHubAppPrivateKeyKey,
-		"optional: " + credentials.GitHubAppInstallationIDKey,
 	} {
 		if !strings.Contains(note, want) {
 			t.Fatalf("note = %q, want %q", note, want)
 		}
 	}
-	if strings.Contains(note, "missing "+credentials.GitHubAppInstallationIDKey) || strings.Contains(note, "required: "+credentials.GitHubAppInstallationIDKey) {
-		t.Fatalf("note = %q, want installation id labeled optional only", note)
+	if strings.Contains(note, "required:") || strings.Contains(note, credentials.GitHubAppPrivateKeyKey) {
+		t.Fatalf("note = %q, want single-key GitHub App readiness copy without key summary", note)
+	}
+	if strings.Contains(note, "optional:") || strings.Contains(note, credentials.GitHubAppInstallationIDKey) {
+		t.Fatalf("note = %q, want no optional installation id copy", note)
 	}
 }
 
-func TestInitCredentialReadinessNoteLabelsPartialGitHubAppOptionalKey(t *testing.T) {
+func TestInitCredentialReadinessNoteLabelsPartialGitHubAppRequiredKeys(t *testing.T) {
 	note := initCredentialReadinessNote(initCredentialPlanEntry{
 		Ref: config.CredentialRef{
 			Purpose: "reviewer_credentials",
@@ -7485,23 +7574,20 @@ func TestInitCredentialReadinessNoteLabelsPartialGitHubAppOptionalKey(t *testing
 			Mode:    string(config.GitAuthModeGitHubApp),
 		},
 		KeySpecs: []credentials.KeySpec{
-			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-			{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 		},
 		MissingRequiredKeys: []string{credentials.GitHubAppPrivateKeyKey},
 		State:               initCredentialPlanStateMissingRequired,
 	})
 	for _, want := range []string{
-		"reviewer missing required " + credentials.GitHubAppPrivateKeyKey,
-		"optional: " + credentials.GitHubAppInstallationIDKey,
+		"reviewer missing " + credentials.GitHubAppPrivateKeyKey,
 	} {
 		if !strings.Contains(note, want) {
 			t.Fatalf("note = %q, want %q", note, want)
 		}
 	}
-	if strings.Contains(note, "missing "+credentials.GitHubAppInstallationIDKey) || strings.Contains(note, "required "+credentials.GitHubAppInstallationIDKey) {
-		t.Fatalf("note = %q, want optional installation id not treated as required", note)
+	if strings.Contains(note, "optional:") || strings.Contains(note, credentials.GitHubAppInstallationIDKey) {
+		t.Fatalf("note = %q, want no optional installation id copy", note)
 	}
 }
 
@@ -7509,12 +7595,11 @@ func TestInitProfileReadinessLineIncludesNotes(t *testing.T) {
 	line := initProfileReadinessLine(initProfileReadiness{
 		ProfileName: "work",
 		Ready:       false,
-		Notes:       []string{"reviewer deferred (required: github_app_id, github_app_private_key; optional: github_app_installation_id)"},
+		Notes:       []string{"reviewer deferred (required: github_app_private_key)"},
 	})
 	for _, want := range []string{
 		"- work: needs follow-up",
-		"required: github_app_id, github_app_private_key",
-		"optional: github_app_installation_id",
+		"required: github_app_private_key",
 	} {
 		if !strings.Contains(line, want) {
 			t.Fatalf("line = %q, want %q", line, want)
@@ -8381,7 +8466,21 @@ func TestHuhInitPrompterAccessibleHidesReviewerEntityLabelForProfileGitAccount(t
 
 	_, err := prompter.Run(initPromptContext{
 		RequestedProfileName: "default",
-		ExistingConfig:       config.File{Profiles: map[string]config.Profile{}},
+		ExistingConfig: config.File{
+			Profiles: map[string]config.Profile{},
+			RepositoryAccess: map[string]config.RepositoryAccessConfig{
+				testInitProfileV2GitScopeName: {
+					Git: config.GitConfig{
+						Host:     "github.com",
+						AuthMode: config.GitAuthModePAT,
+						Credential: config.CredentialLocation{
+							Store: config.LocalOSCredentialStoreID,
+							Name:  "codereview/github-work",
+						},
+					},
+				},
+			},
+		},
 	})
 	if err != nil {
 		t.Fatalf("Run: %v", err)
@@ -8675,11 +8774,10 @@ func TestHuhInitReviewPolicyPrompterAccessibleShowsFields(t *testing.T) {
 	var stderr bytes.Buffer
 	prompter := huhInitReviewPolicyPrompter{
 		stdin: strings.NewReader(strings.Join([]string{
-			"",    // Stage review-policy settings
-			"",    // keep comment
-			"",    // keep recommended self-approve false
-			"2",   // auto resolve
-			"24h", // resolve after
+			"", // Stage review-policy settings
+			"", // keep request changes
+			"", // keep recommended self-approve false
+			"", // keep auto resolve
 			"",
 		}, "\n")),
 		stderr: &stderr,
@@ -8694,16 +8792,22 @@ func TestHuhInitReviewPolicyPrompterAccessibleShowsFields(t *testing.T) {
 	if !edit.Apply {
 		t.Fatal("edit.Apply = false, want true")
 	}
-	if edit.ReviewPolicy.MajorEvent != config.ReviewMajorEventComment {
-		t.Fatalf("review policy = %#v, want default comment major_event", edit.ReviewPolicy)
+	if edit.ReviewPolicy.MajorEvent != config.ReviewMajorEventRequestChanges {
+		t.Fatalf("review policy = %#v, want default request_changes major_event", edit.ReviewPolicy)
 	}
 	if edit.ReviewPolicy.AllowSelfApprove {
 		t.Fatalf("review policy = %#v, want self-approve false on default path", edit.ReviewPolicy)
 	}
+	if edit.ReviewPolicy.ResolveThreads != config.ResolveThreadsAuto {
+		t.Fatalf("review policy = %#v, want auto resolve_threads", edit.ReviewPolicy)
+	}
 	out := stderr.String()
-	if !strings.Contains(out, "Major findings event") || !strings.Contains(out, "Resolve-after duration") {
+	if !strings.Contains(out, "Major findings event") || !strings.Contains(out, "Resolve threads") {
 		t.Fatalf("stderr = %q, want review-policy fields", out)
 	}
+	if !strings.Contains(out, "Auto-resolve (recommended)") || !strings.Contains(out, "Never resolve automatically") {
+		t.Fatalf("stderr = %q, want explicit resolve choices", out)
+	}
 	if !strings.Contains(out, "Do not allow self-approve (recommended)") || !strings.Contains(out, "Enable self-approve") {
 		t.Fatalf("stderr = %q, want explicit self-approve choices", out)
 	}
@@ -8882,11 +8986,11 @@ func TestInitInteractivePromptBuildsPlanAndPreservesOutOfScopeFields(t *testing.
 		MajorEvent:       config.ReviewMajorEventRequestChanges,
 		AllowSelfApprove: true,
 		ResolveThreads:   config.ResolveThreadsNever,
-		ResolveAfter:     "24h",
 	}
 	existing.LLM.ModelMap = config.ModelMap{"medium": "gpt-custom"}
 	existing.LLM.ReviewerModelTier = config.ModelTierLarge
 	existing.Git.AuthMode = config.GitAuthModeGitHubApp
+	existing.Git.GitHubApp = &config.GitHubAppConfig{AppID: "12345"}
 	existing.Git.IdentityCache = "git-cache"
 	existing.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModePAT,
@@ -8920,9 +9024,11 @@ func TestInitInteractivePromptBuildsPlanAndPreservesOutOfScopeFields(t *testing.
 				ProfileName:           "office",
 				GitHost:               "github.com",
 				GitAuth:               string(config.GitAuthModeGitHubApp),
+				GitHubAppID:           "12345",
 				GitCredentialRef:      "codereview/office-git",
 				ReviewerEnabled:       true,
 				ReviewerAuth:          string(config.GitAuthModeGitHubApp),
+				ReviewerGitHubAppID:   "67890",
 				ReviewerCredentialRef: "codereview/custom-office-reviewer",
 				LLMProvider:           string(config.LLMProviderOpenAI),
 				LLMAuth:               string(config.LLMAuthAPIKey),
@@ -9005,8 +9111,11 @@ func TestInitInteractivePromptBuildsPlanAndPreservesOutOfScopeFields(t *testing.
 	if !strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/custom-office-llm --key "+credentials.OpenAIAPIKeyKey+" --stdin") {
 		t.Fatalf("stderr = %q, want deferred llm follow-up hint", stderr.String())
 	}
-	if !strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/office-git --key "+credentials.GitHubAppIDKey+" --stdin") {
-		t.Fatalf("stderr = %q, want github app git follow-up hint", stderr.String())
+	if !strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/office-git --key "+credentials.GitHubAppPrivateKeyKey+" --stdin") {
+		t.Fatalf("stderr = %q, want github app git private key follow-up hint", stderr.String())
+	}
+	if strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/office-git --key "+credentials.GitHubAppIDKey+" --stdin") {
+		t.Fatalf("stderr = %q, want no github app id follow-up hint", stderr.String())
 	}
 	if route := cfg.RepositoryProfiles[0]; route.Profile != "office" {
 		t.Fatalf("repository route profile = %q, want office", route.Profile)
@@ -9094,7 +9203,6 @@ func TestEditInteractiveInitProfileSkipsInlineProfileDetailCollectors(t *testing
 		MajorEvent:       config.ReviewMajorEventRequestChanges,
 		AllowSelfApprove: true,
 		ResolveThreads:   config.ResolveThreadsNever,
-		ResolveAfter:     "24h",
 	}
 	deps := initDeps{
 		prompter: initPrompterFunc(func(initPromptContext) (initDraft, error) {
@@ -9210,6 +9318,119 @@ func TestLoopInteractiveInitProfileV2StagesDraftIntoSessionBeforeReentry(t *test
 	}
 }
 
+func TestLoopInteractiveInitProfileV2DoesNotPromptForSelectedPrimitiveCredentials(t *testing.T) {
+	path := filepath.Join(t.TempDir(), "config.yml")
+	repositoryAccessRef := "codereview/github-rianjs"
+	reviewerRef := "codereview/rianjs-bot-reviewer"
+	llmRef := "codereview/openai-runtime"
+	cfg := config.Normalize(config.File{
+		RepositoryAccess: map[string]config.RepositoryAccessConfig{
+			"github-rianjs": {
+				DisplayName: "github-rianjs",
+				Git: config.GitConfig{
+					Host:          "github.com",
+					AuthMode:      config.GitAuthModePAT,
+					Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: repositoryAccessRef},
+					CredentialRef: repositoryAccessRef,
+				},
+			},
+		},
+		ReviewerEntities: map[string]config.ReviewerEntity{
+			"rianjs-bot": {
+				Host:          "github.com",
+				AuthMode:      config.GitAuthModeGitHubApp,
+				Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: reviewerRef},
+				CredentialRef: reviewerRef,
+				GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
+				DisplayName:   "rianjs-bot",
+			},
+		},
+		LLMRuntimes: map[string]config.LLMConfig{
+			"openai-api": {
+				Provider:      config.LLMProviderOpenAI,
+				Auth:          config.LLMAuthAPIKey,
+				Adapter:       config.LLMAdapterOpenAIAPI,
+				Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: llmRef},
+				CredentialRef: llmRef,
+			},
+		},
+		Profiles: map[string]config.Profile{},
+	})
+	opts := &root.Options{
+		Stdin:      strings.NewReader(""),
+		Stdout:     &bytes.Buffer{},
+		Stderr:     &bytes.Buffer{},
+		ConfigPath: path,
+	}
+	session := initSessionDraft{
+		path:                 path,
+		originalCfg:          cloneInitConfigFile(cfg),
+		cfg:                  cloneInitConfigFile(cfg),
+		requestedProfileName: "rianjs",
+	}
+	calls := 0
+	secretPrompter := &fakeInitSecretPrompter{}
+	deps := initDeps{
+		profileV2Prompter: initPrompterFunc(func(ctx initPromptContext) (initDraft, error) {
+			calls++
+			if calls == 2 {
+				return initDraft{}, errInitNavigateBack
+			}
+			draft := seedInteractiveInitDraft("rianjs", "", nil)
+			applyGitScopeSelection(&draft, "github-rianjs", ctx.GitScopes)
+			applyReviewerEntityInventorySelection(&draft, "rianjs-bot", ctx.ReviewerEntities)
+			applyReviewerEntitySelection(&draft, string(initReviewerEntityDraftFromSeedDraft(draft).Kind))
+			applyLLMRuntimeInventorySelection(&draft, "openai-api", ctx.LLMRuntimes)
+			draft.RoutesSet = true
+			draft.Routes = []configedit.RepositoryRouteSpec{{
+				Host:      "github.com",
+				Namespace: "rianjs",
+			}}
+			draft.ModelMapSet = true
+			draft.AgentSourcesSet = true
+			draft.ReviewPolicySet = true
+			draft.ReviewPolicy = config.ReviewPolicy{
+				MajorEvent:     config.ReviewMajorEventRequestChanges,
+				ResolveThreads: config.ResolveThreadsAuto,
+			}
+			return draft, nil
+		}),
+		secretPrompter:     secretPrompter,
+		clipboardSupported: func() bool { return false },
+		openStore: func(string, bool, config.File) (initStore, error) {
+			t.Fatal("openStore should not be called for profile-owned prompts when repository access owns the PAT")
+			return nil, nil
+		},
+	}
+
+	next, err := loopInteractiveInitProfileV2(&cobra.Command{}, opts, initOptions{}, deps, session)
+	if err != nil {
+		t.Fatalf("loopInteractiveInitProfileV2: %v", err)
+	}
+	if calls != 2 {
+		t.Fatalf("profile v2 calls = %d, want stage then reentry", calls)
+	}
+	if len(secretPrompter.actionPrompts) != 0 || len(secretPrompter.sourcePrompts) != 0 {
+		t.Fatalf("secret prompts = actions:%d sources:%d, want profile staging to skip selected primitive credentials", len(secretPrompter.actionPrompts), len(secretPrompter.sourcePrompts))
+	}
+	profile := next.cfg.Profiles["rianjs"]
+	if profile.RepositoryAccess != "github-rianjs" {
+		t.Fatalf("repository_access = %q, want github-rianjs", profile.RepositoryAccess)
+	}
+	if profile.Git.CredentialRef != repositoryAccessRef {
+		t.Fatalf("git credential ref = %q, want selected repository access ref %q", profile.Git.CredentialRef, repositoryAccessRef)
+	}
+	if profile.Reviewer.Kind != config.ProfileReviewerKindEntity || profile.Reviewer.Entity != "rianjs-bot" {
+		t.Fatalf("reviewer = %#v, want selected rianjs-bot reviewer entity", profile.Reviewer)
+	}
+	if profile.ReviewerCredentials == nil || profile.ReviewerCredentials.CredentialRef != reviewerRef {
+		t.Fatalf("reviewer credentials = %#v, want selected reviewer ref %q", profile.ReviewerCredentials, reviewerRef)
+	}
+	if profile.LLMRuntime != "openai-api" || profile.LLM.CredentialRef != llmRef {
+		t.Fatalf("llm runtime/ref = %q/%q, want openai-api/%q", profile.LLMRuntime, profile.LLM.CredentialRef, llmRef)
+	}
+}
+
 func TestLoopInteractiveInitProfileV2AppliesInlineDetailDraftParity(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	existing := basicProfile("work")
@@ -9236,7 +9457,6 @@ func TestLoopInteractiveInitProfileV2AppliesInlineDetailDraftParity(t *testing.T
 		MajorEvent:       config.ReviewMajorEventRequestChanges,
 		AllowSelfApprove: true,
 		ResolveThreads:   config.ResolveThreadsNever,
-		ResolveAfter:     "24h",
 	}
 	deps := initDeps{
 		profileV2Prompter: initPrompterFunc(func(ctx initPromptContext) (initDraft, error) {
@@ -9480,8 +9700,8 @@ func TestCompleteInteractiveInitProfileV2DraftFillsUnsetFieldsAndDefaultsReviewP
 	if !draft.ReviewPolicySet {
 		t.Fatalf("ReviewPolicySet = false, want true")
 	}
-	if draft.ReviewPolicy.MajorEvent != config.ReviewMajorEventComment {
-		t.Fatalf("ReviewPolicy.MajorEvent = %q, want default comment", draft.ReviewPolicy.MajorEvent)
+	if draft.ReviewPolicy.MajorEvent != config.ReviewMajorEventRequestChanges {
+		t.Fatalf("ReviewPolicy.MajorEvent = %q, want default request_changes", draft.ReviewPolicy.MajorEvent)
 	}
 	if !draft.ReviewPolicy.AllowSelfApprove || draft.ReviewPolicy.ResolveThreads != config.ResolveThreadsNever {
 		t.Fatalf("ReviewPolicy = %#v, want existing fields preserved", draft.ReviewPolicy)
@@ -9568,8 +9788,7 @@ func TestInitInteractiveModelMapAddEditRemoveAndReset(t *testing.T) {
 			}
 			expected := existing
 			expected.LLM.ModelMap = copyModelMap(tt.want)
-			expected.ReviewPolicy.MajorEvent = config.ReviewMajorEventComment
-			expected = normalizeTestProfile(expected)
+			expected = normalizeTestProfileNamed("work", expected)
 			if !reflect.DeepEqual(cfg.Profiles["work"], expected) {
 				t.Fatalf("saved profile = %#v, want %#v", cfg.Profiles["work"], expected)
 			}
@@ -9700,7 +9919,6 @@ func TestInitInteractiveAgentSourcesPreserveAddRemoveAndReset(t *testing.T) {
 				MajorEvent:       config.ReviewMajorEventRequestChanges,
 				AllowSelfApprove: true,
 				ResolveThreads:   config.ResolveThreadsNever,
-				ResolveAfter:     "24h",
 			}
 			saveCredentialTestConfig(t, path, config.File{
 				Profiles: map[string]config.Profile{"work": existing},
@@ -9808,13 +10026,11 @@ func TestInitInteractiveReviewPolicyPreserveEditAndDefaults(t *testing.T) {
 				MajorEvent:       config.ReviewMajorEventRequestChanges,
 				AllowSelfApprove: true,
 				ResolveThreads:   config.ResolveThreadsNever,
-				ResolveAfter:     "24h",
 			}},
 			want: config.ReviewPolicy{
 				MajorEvent:       config.ReviewMajorEventRequestChanges,
 				AllowSelfApprove: true,
 				ResolveThreads:   config.ResolveThreadsNever,
-				ResolveAfter:     "24h",
 			},
 		},
 		{
@@ -9823,14 +10039,14 @@ func TestInitInteractiveReviewPolicyPreserveEditAndDefaults(t *testing.T) {
 				MajorEvent:       config.ReviewMajorEventRequestChanges,
 				AllowSelfApprove: true,
 				ResolveThreads:   config.ResolveThreadsAuto,
-				ResolveAfter:     "1h",
 			},
 			edit: initReviewPolicyEdit{Apply: true, ReviewPolicy: config.ReviewPolicy{
 				MajorEvent:       config.ReviewMajorEventComment,
 				AllowSelfApprove: false,
 			}},
 			want: config.ReviewPolicy{
-				MajorEvent: config.ReviewMajorEventComment,
+				MajorEvent:     config.ReviewMajorEventComment,
+				ResolveThreads: config.ResolveThreadsAuto,
 			},
 		},
 	}
@@ -9910,14 +10126,6 @@ func TestInitInteractiveReviewPolicyRejectsInvalidEntries(t *testing.T) {
 			}},
 			want: `review_policy.resolve_threads "always" is invalid`,
 		},
-		{
-			name: "invalid resolve_after",
-			edit: initReviewPolicyEdit{Apply: true, ReviewPolicy: config.ReviewPolicy{
-				MajorEvent:   config.ReviewMajorEventComment,
-				ResolveAfter: "tomorrow",
-			}},
-			want: `review_policy.resolve_after "tomorrow" is invalid`,
-		},
 	}
 
 	for _, tt := range tests {
@@ -10309,6 +10517,26 @@ func TestInitLinearEditorArrowKeysDoNotScrollFocusedInput(t *testing.T) {
 	}
 }
 
+func TestInitLinearEditorSpaceKeyEditsFocusedInputInsteadOfPagingDown(t *testing.T) {
+	const inputField initLinearFieldID = "input"
+	var document initLinearDocument
+	document.addEditableInput(inputField, "Input", "", "value", nil)
+	for i := 0; i < 20; i++ {
+		document.addSection(fmt.Sprintf("Section %02d", i), "Context line")
+	}
+	model := newInitLinearEditorModel(initLinearEditor{Document: document}, 120, 5)
+	beforeOffset := model.viewport.YOffset
+
+	model = updateInitLinearEditorModel(t, model, tea.KeyMsg{Type: tea.KeySpace})
+
+	if got, want := model.document.fieldValue(inputField), "value "; got != want {
+		t.Fatalf("input field value = %q, want %q", got, want)
+	}
+	if got := model.viewport.YOffset; got != beforeOffset {
+		t.Fatalf("viewport YOffset after input space = %d, want unchanged %d", got, beforeOffset)
+	}
+}
+
 func TestInitLinearEditorOnlyFocusedSelectedFieldShowsCaret(t *testing.T) {
 	const firstField initLinearFieldID = "first"
 	const secondField initLinearFieldID = "second"
@@ -12299,12 +12527,12 @@ func TestInitSecretsProfileBackendFromInputsSwitchingAwayFromOnePasswordClearsBa
 	}
 }
 
-func TestBuildInteractiveInitMenuPromptNoWorkspaceDisablesProfileDependentActions(t *testing.T) {
+func TestBuildInteractiveInitMenuPromptNoWorkspaceEnablesStandaloneEditors(t *testing.T) {
 	prompt := buildInteractiveInitMenuPrompt(initSessionDraft{
 		cfg: config.File{Profiles: map[string]config.Profile{}},
 	})
-	if !prompt.CanConfigureLLM || prompt.CanConfigureReviewer || prompt.CanSave {
-		t.Fatalf("prompt = %#v, want LLM enabled and reviewer/save disabled without a workspace", prompt)
+	if !prompt.CanConfigureLLM || !prompt.CanConfigureReviewer || prompt.CanSave {
+		t.Fatalf("prompt = %#v, want LLM/reviewer enabled and save disabled without a workspace", prompt)
 	}
 	if prompt.ReviewProfileCount != 0 || prompt.LLMRuntimeCount != 0 || prompt.ReviewerEntityCount != 0 {
 		t.Fatalf("prompt counts = %#v, want zero counts without a workspace", prompt)
@@ -12328,8 +12556,8 @@ func TestBuildInteractiveInitMenuPromptNoWorkspaceCanSaveStagedCredentialStore(t
 		originalCfg: original,
 		cfg:         next,
 	})
-	if !prompt.CanConfigureLLM || prompt.CanConfigureReviewer {
-		t.Fatalf("prompt = %#v, want LLM enabled and reviewer disabled without a workspace", prompt)
+	if !prompt.CanConfigureLLM || !prompt.CanConfigureReviewer {
+		t.Fatalf("prompt = %#v, want LLM/reviewer enabled without a workspace", prompt)
 	}
 	if !prompt.CanSave {
 		t.Fatalf("prompt = %#v, want store-only staged changes to enable commit", prompt)
@@ -12345,8 +12573,8 @@ func TestBuildInteractiveInitMenuPromptAfterDeletingLastProfileDisablesSaveAndFo
 	}
 
 	prompt := buildInteractiveInitMenuPrompt(session)
-	if !prompt.CanConfigureLLM || prompt.CanConfigureReviewer || prompt.CanSave {
-		t.Fatalf("prompt = %#v, want LLM enabled and save/reviewer disabled with zero-profile draft", prompt)
+	if !prompt.CanConfigureLLM || !prompt.CanConfigureReviewer || prompt.CanSave {
+		t.Fatalf("prompt = %#v, want LLM/reviewer enabled and save disabled with zero-profile draft", prompt)
 	}
 	if prompt.ReviewProfileCount != 0 || prompt.LLMRuntimeCount != 0 || prompt.ReviewerEntityCount != 0 {
 		t.Fatalf("prompt counts = %#v, want effective inventory counts at zero after deleting last profile", prompt)
@@ -12388,8 +12616,8 @@ func TestBuildInteractiveInitMenuPromptNoWorkspaceStillShowsExistingInventoryCou
 		originalCfg: cloneInitConfigFile(cfg),
 		cfg:         cfg,
 	})
-	if !prompt.CanConfigureLLM || prompt.CanConfigureReviewer || prompt.CanSave {
-		t.Fatalf("prompt = %#v, want LLM enabled and reviewer/save disabled without active workspace", prompt)
+	if !prompt.CanConfigureLLM || !prompt.CanConfigureReviewer || prompt.CanSave {
+		t.Fatalf("prompt = %#v, want LLM/reviewer enabled and save disabled without active workspace", prompt)
 	}
 	if prompt.LLMRuntimeCount != 2 || prompt.ReviewerEntityCount != 1 || prompt.ReviewProfileCount != 2 {
 		t.Fatalf("prompt counts = %#v, want existing inventory counts from session cfg", prompt)
@@ -12398,13 +12626,14 @@ func TestBuildInteractiveInitMenuPromptNoWorkspaceStillShowsExistingInventoryCou
 
 func TestInitMenuItemsOrdersRootMenuAndMovesCountsToDescriptions(t *testing.T) {
 	items := initMenuItems(initMenuPrompt{
-		HasWorkspace:         true,
-		LLMRuntimeCount:      2,
-		ReviewerEntityCount:  3,
-		ReviewProfileCount:   1,
-		CanConfigureLLM:      true,
-		CanConfigureReviewer: true,
-		CanSave:              true,
+		HasWorkspace:          true,
+		RepositoryAccessCount: 4,
+		LLMRuntimeCount:       2,
+		ReviewerEntityCount:   3,
+		ReviewProfileCount:    1,
+		CanConfigureLLM:       true,
+		CanConfigureReviewer:  true,
+		CanSave:               true,
 	})
 	var actions []initMenuAction
 	var titles []string
@@ -12419,6 +12648,7 @@ func TestInitMenuItemsOrdersRootMenuAndMovesCountsToDescriptions(t *testing.T) {
 	}
 	wantActions := []initMenuAction{
 		initMenuActionSecretsManagement,
+		initMenuActionRepositoryAccess,
 		initMenuActionLLMRuntimes,
 		initMenuActionReviewerEntities,
 		initMenuActionReviewProfiles,
@@ -12431,6 +12661,7 @@ func TestInitMenuItemsOrdersRootMenuAndMovesCountsToDescriptions(t *testing.T) {
 	}
 	assertContentOrder(t, strings.Join(titles, "\n"),
 		"Configure secrets storage",
+		"Configure repository access",
 		"Configure LLM runtimes",
 		"Configure reviewer entities",
 		"Configure review profiles",
@@ -12440,6 +12671,7 @@ func TestInitMenuItemsOrdersRootMenuAndMovesCountsToDescriptions(t *testing.T) {
 	)
 	joinedDescriptions := strings.Join(descriptions, "\n")
 	for _, want := range []string{
+		"4 repository access entries configured",
 		"2 runtimes configured",
 		"3 reviewer entities configured",
 		"1 profile configured",
@@ -12452,9 +12684,10 @@ func TestInitMenuItemsOrdersRootMenuAndMovesCountsToDescriptions(t *testing.T) {
 
 func TestInitMenuItemsUseInfrastructureDescriptionsBeforeConfiguredCounts(t *testing.T) {
 	items := initMenuItems(initMenuPrompt{
-		CanConfigureLLM:      true,
-		CanConfigureReviewer: true,
-		CanSave:              true,
+		RepositoryAccessCount: 1,
+		CanConfigureLLM:       true,
+		CanConfigureReviewer:  true,
+		CanSave:               true,
 	})
 	descriptions := map[initMenuAction]string{}
 	for _, item := range items {
@@ -12474,14 +12707,15 @@ func TestInitMenuItemsUseInfrastructureDescriptionsBeforeConfiguredCounts(t *tes
 
 func TestInitMenuStyledViewShowsRootMenuOrder(t *testing.T) {
 	model := newInitMenuModel(initMenuPrompt{
-		HasWorkspace:         true,
-		ActiveProfileName:    "default",
-		LLMRuntimeCount:      2,
-		ReviewerEntityCount:  3,
-		ReviewProfileCount:   1,
-		CanConfigureLLM:      true,
-		CanConfigureReviewer: true,
-		CanSave:              true,
+		HasWorkspace:          true,
+		ActiveProfileName:     "default",
+		RepositoryAccessCount: 4,
+		LLMRuntimeCount:       2,
+		ReviewerEntityCount:   3,
+		ReviewProfileCount:    1,
+		CanConfigureLLM:       true,
+		CanConfigureReviewer:  true,
+		CanSave:               true,
 	})
 	out := model.View()
 	assertContentOrder(t, out,
@@ -12490,6 +12724,8 @@ func TestInitMenuStyledViewShowsRootMenuOrder(t *testing.T) {
 		"Actions",
 		"Configure secrets storage",
 		"Credential stores for tokens and keys",
+		"Configure repository access",
+		"4 repository access entries configured",
 		"Configure LLM runtimes",
 		"2 runtimes configured",
 		"Configure reviewer entities",
@@ -12510,7 +12746,7 @@ func TestInitMenuStyledViewShowsRootMenuOrder(t *testing.T) {
 	if !strings.Contains(plainOut, "> [x] Configure secrets storage") {
 		t.Fatalf("view missing selected option marker:\n%s", out)
 	}
-	if !strings.Contains(plainOut, "  [ ] Configure LLM runtimes") {
+	if !strings.Contains(plainOut, "  [ ] Configure repository access") {
 		t.Fatalf("view missing unselected option marker:\n%s", out)
 	}
 	if strings.Contains(out, "Configure LLM runtimes (2)") || strings.Contains(out, "Configure review profiles (1)") {
@@ -12553,10 +12789,6 @@ func TestInitMenuDisabledRowsShowErrorWithoutQuitting(t *testing.T) {
 		action initMenuAction
 		reason string
 	}{
-		{
-			action: initMenuActionReviewerEntities,
-			reason: "configure a review profile before editing reviewer entities",
-		},
 		{
 			action: initMenuActionSave,
 			reason: "stage changes before committing",
@@ -12592,21 +12824,25 @@ func TestInitMenuDisabledRowsShowErrorWithoutQuitting(t *testing.T) {
 
 func TestInitMenuNavigationSkipsDisabledRows(t *testing.T) {
 	model := newInitMenuModel(initMenuPrompt{})
-	if got := model.items[model.selected].Action; got != initMenuActionReviewProfiles {
-		t.Fatalf("initial action = %q, want review profiles", got)
+	if got := model.items[model.selected].Action; got != initMenuActionSecretsManagement {
+		t.Fatalf("initial action = %q, want secrets management", got)
 	}
 
 	model.selected = initMenuSelectedIndex(model.items, initMenuActionSecretsManagement)
 	next, _ := model.Update(tea.KeyMsg{Type: tea.KeyDown})
 	result := next.(initMenuModel)
-	if got := result.items[result.selected].Action; got != initMenuActionLLMRuntimes {
-		t.Fatalf("after down selected action = %q, want LLM runtimes", got)
+	if got := result.items[result.selected].Action; got != initMenuActionRepositoryAccess {
+		t.Fatalf("after down selected action = %q, want repository access", got)
 	}
 
 	result.selected = initMenuSelectedIndex(result.items, initMenuActionReviewerEntities)
 	out := result.View()
-	if strings.Contains(out, "\x1b[38;5;42mConfigure reviewer entities") {
-		t.Fatalf("disabled selected row rendered with active selected color:\n%s", out)
+	plainOut := stripANSITest(out)
+	if !strings.Contains(plainOut, "> [x] Configure reviewer entities") {
+		t.Fatalf("selected reviewer row did not render active:\n%s", out)
+	}
+	if strings.Contains(plainOut, "Prerequisite: configure a review profile before editing reviewer entities") {
+		t.Fatalf("reviewer row rendered old profile prerequisite:\n%s", out)
 	}
 }
 
@@ -12641,7 +12877,7 @@ func TestHuhInitMenuPrompterAccessibleShowsMenuEntries(t *testing.T) {
 	t.Setenv("TERM", "dumb")
 	var stderr bytes.Buffer
 	prompter := huhInitMenuPrompter{
-		stdin:  strings.NewReader("7\n"),
+		stdin:  strings.NewReader("8\n"),
 		stderr: &stderr,
 	}
 	action, err := prompter.ChooseAction(initMenuPrompt{
@@ -12659,6 +12895,7 @@ func TestHuhInitMenuPrompterAccessibleShowsMenuEntries(t *testing.T) {
 	out := stderr.String()
 	for _, want := range []string{
 		"Configure secrets storage",
+		"Configure repository access",
 		"Configure LLM runtimes",
 		"Configure reviewer entities",
 		"Configure review profiles",
@@ -12681,6 +12918,7 @@ func TestHuhInitMenuPrompterAccessibleShowsMenuEntries(t *testing.T) {
 	}
 	assertContentOrder(t, out,
 		"Configure secrets storage",
+		"Configure repository access",
 		"Configure LLM runtimes",
 		"Configure reviewer entities",
 		"Configure review profiles",
@@ -12697,12 +12935,13 @@ func TestHuhInitMenuPrompterAccessibleNumericOrder(t *testing.T) {
 		want  initMenuAction
 	}{
 		{input: "1\n", want: initMenuActionSecretsManagement},
-		{input: "2\n", want: initMenuActionLLMRuntimes},
-		{input: "3\n", want: initMenuActionReviewerEntities},
-		{input: "4\n", want: initMenuActionReviewProfiles},
-		{input: "5\n", want: initMenuActionGlobalSettings},
-		{input: "6\n", want: initMenuActionSave},
-		{input: "7\n", want: initMenuActionExit},
+		{input: "2\n", want: initMenuActionRepositoryAccess},
+		{input: "3\n", want: initMenuActionLLMRuntimes},
+		{input: "4\n", want: initMenuActionReviewerEntities},
+		{input: "5\n", want: initMenuActionReviewProfiles},
+		{input: "6\n", want: initMenuActionGlobalSettings},
+		{input: "7\n", want: initMenuActionSave},
+		{input: "8\n", want: initMenuActionExit},
 	}
 	for _, tt := range tests {
 		var stderr bytes.Buffer
@@ -12711,13 +12950,14 @@ func TestHuhInitMenuPrompterAccessibleNumericOrder(t *testing.T) {
 			stderr: &stderr,
 		}
 		action, err := prompter.ChooseAction(initMenuPrompt{
-			HasWorkspace:         true,
-			LLMRuntimeCount:      2,
-			ReviewerEntityCount:  3,
-			ReviewProfileCount:   1,
-			CanConfigureLLM:      true,
-			CanConfigureReviewer: true,
-			CanSave:              true,
+			HasWorkspace:          true,
+			RepositoryAccessCount: 1,
+			LLMRuntimeCount:       2,
+			ReviewerEntityCount:   3,
+			ReviewProfileCount:    1,
+			CanConfigureLLM:       true,
+			CanConfigureReviewer:  true,
+			CanSave:               true,
 		})
 		if err != nil {
 			t.Fatalf("ChooseAction(%q): %v", tt.input, err)
@@ -12763,14 +13003,14 @@ func TestInitMenuInitialActionStartsAtSecretsManagementWhenWorkspaceIsActive(t *
 	}
 }
 
-func TestInitMenuInitialActionStartsAtReviewProfilesBeforeWorkspace(t *testing.T) {
+func TestInitMenuInitialActionStartsAtSecretsManagementBeforeWorkspace(t *testing.T) {
 	action := initMenuInitialAction(initMenuPrompt{})
-	if action != initMenuActionReviewProfiles {
-		t.Fatalf("action = %q, want review profiles before workspace-dependent actions are enabled", action)
+	if action != initMenuActionSecretsManagement {
+		t.Fatalf("action = %q, want secrets management before a workspace exists", action)
 	}
 }
 
-func TestHuhInitMenuPrompterDefaultStartsAtProfileSetupBeforeWorkspace(t *testing.T) {
+func TestHuhInitMenuPrompterDefaultStartsAtSecretsManagementBeforeWorkspace(t *testing.T) {
 	t.Setenv("TERM", "dumb")
 	var stderr bytes.Buffer
 	prompter := huhInitMenuPrompter{
@@ -12783,8 +13023,8 @@ func TestHuhInitMenuPrompterDefaultStartsAtProfileSetupBeforeWorkspace(t *testin
 	if err != nil {
 		t.Fatalf("ChooseAction: %v", err)
 	}
-	if action != initMenuActionReviewProfiles {
-		t.Fatalf("action = %q, want review profile setup before dependent workflows are enabled", action)
+	if action != initMenuActionSecretsManagement {
+		t.Fatalf("action = %q, want secrets management before a workspace exists", action)
 	}
 }
 
@@ -12793,8 +13033,8 @@ func TestHuhInitMenuPrompterAccessibleRejectsDisabledSaveUntilChangesStaged(t *t
 	var stderr bytes.Buffer
 	prompter := huhInitMenuPrompter{
 		stdin: strings.NewReader(strings.Join([]string{
-			"6", // Commit staged changes and exit (disabled)
-			"7", // Discard staged changes and exit
+			"7", // Commit staged changes and exit (disabled)
+			"8", // Discard staged changes and exit
 			"",
 		}, "\n")),
 		stderr: &stderr,
@@ -12815,7 +13055,7 @@ func TestHuhInitMenuPrompterAccessibleAllowsLLMBeforeProfileExists(t *testing.T)
 	t.Setenv("TERM", "dumb")
 	var stderr bytes.Buffer
 	prompter := huhInitMenuPrompter{
-		stdin:  strings.NewReader("2\n"),
+		stdin:  strings.NewReader("3\n"),
 		stderr: &stderr,
 	}
 	action, err := prompter.ChooseAction(initMenuPrompt{})
@@ -12830,26 +13070,22 @@ func TestHuhInitMenuPrompterAccessibleAllowsLLMBeforeProfileExists(t *testing.T)
 	}
 }
 
-func TestHuhInitMenuPrompterAccessibleRejectsDisabledReviewerUntilProfileExists(t *testing.T) {
+func TestHuhInitMenuPrompterAccessibleAllowsReviewerBeforeProfileExists(t *testing.T) {
 	t.Setenv("TERM", "dumb")
 	var stderr bytes.Buffer
 	prompter := huhInitMenuPrompter{
-		stdin: strings.NewReader(strings.Join([]string{
-			"3", // Configure reviewer entities (disabled)
-			"7", // Discard staged changes and exit
-			"",
-		}, "\n")),
+		stdin:  strings.NewReader("4\n"),
 		stderr: &stderr,
 	}
 	action, err := prompter.ChooseAction(initMenuPrompt{})
 	if err != nil {
 		t.Fatalf("ChooseAction: %v", err)
 	}
-	if action == initMenuActionReviewerEntities {
-		t.Fatalf("action = %q, want disabled reviewer selection to be rejected", action)
+	if action != initMenuActionReviewerEntities {
+		t.Fatalf("action = %q, want reviewer entities", action)
 	}
-	if !strings.Contains(stderr.String(), "configure a review profile before editing reviewer entities") {
-		t.Fatalf("stderr = %q, want disabled-reviewer validation message", stderr.String())
+	if strings.Contains(stderr.String(), "configure a review profile before editing reviewer entities") {
+		t.Fatalf("stderr = %q, want no disabled-reviewer validation message", stderr.String())
 	}
 }
 
@@ -12875,7 +13111,6 @@ func TestInitProfileV2ReadOnlyContentRendersTargetOrderWithRealData(t *testing.T
 		MajorEvent:       config.ReviewMajorEventRequestChanges,
 		AllowSelfApprove: true,
 		ResolveThreads:   config.ResolveThreadsAuto,
-		ResolveAfter:     "24h",
 	}
 	cfg := config.File{
 		Profiles: map[string]config.Profile{
@@ -12909,13 +13144,12 @@ func TestInitProfileV2ReadOnlyContentRendersTargetOrderWithRealData(t *testing.T
 
 	for _, want := range []string{
 		"Review profile",
+		"Repository access",
+		"github.enterprise via GitHub App",
 		"Profile name",
-		"> open-cli-collective",
+		"open-cli-collective",
 		"Automatic profile selection",
 		"github.com/open-cli-collective",
-		"Git scope",
-		"Git scope host",
-		"github.enterprise",
 		"Reviewer entity",
 		"OCC reviewer (GitHub App reviewer)",
 		"LLM runtime",
@@ -12928,14 +13162,7 @@ func TestInitProfileV2ReadOnlyContentRendersTargetOrderWithRealData(t *testing.T
 		"/opt/codereview/agents",
 		"Review policy",
 		"Request changes",
-		"Enable self-approve",
 		"Auto-resolve",
-		"24h",
-		"Git credentials",
-		"Git credential store",
-		initBuiltInOSCredentialStoreTitle(),
-		"Git credential name",
-		"codereview/custom-git",
 		"Profile action",
 		"Stage profile settings",
 		"Back without staging",
@@ -12944,6 +13171,9 @@ func TestInitProfileV2ReadOnlyContentRendersTargetOrderWithRealData(t *testing.T
 			t.Fatalf("content missing %q:\n%s", want, content)
 		}
 	}
+	if strings.Contains(content, "Enable self-approve") || strings.Contains(content, "Allow self-approve") {
+		t.Fatalf("content shows self-approve for GitHub App reviewer:\n%s", content)
+	}
 
 	assertContentOrder := func(parts ...string) {
 		t.Helper()
@@ -12960,19 +13190,29 @@ func TestInitProfileV2ReadOnlyContentRendersTargetOrderWithRealData(t *testing.T
 		}
 	}
 	assertContentOrder(
-		"Profile name",
+		"Repository access",
 		"Automatic profile selection",
 		"Route entries",
-		"Git scope",
 		"Reviewer entity",
 		"LLM runtime",
 		"Minimum reviewer model tier",
 		"Model tier mapping",
+		"Profile name",
 		"Additional reviewer-agent directories (optional)",
 		"Review policy",
-		"Git credentials",
 		"Profile action",
 	)
+	for _, absent := range []string{
+		"Git credentials",
+		"Git credential store",
+		"Git credential name",
+		"Git scope host",
+		"Git scope auth mode",
+	} {
+		if strings.Contains(content, absent) {
+			t.Fatalf("content contains removed profile-local Git control %q:\n%s", absent, content)
+		}
+	}
 }
 
 func TestInitProfileV2ReadOnlyModelFocusNavigationPreservesRouteGuidance(t *testing.T) {
@@ -13078,6 +13318,25 @@ func TestInitProfileV2ArrowKeysDoNotScrollFocusedInput(t *testing.T) {
 	}
 }
 
+func TestInitProfileV2SpaceKeyEditsFocusedInputInsteadOfPagingDown(t *testing.T) {
+	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithSelections("monit", "github.com/rianjs", nil, nil), 120, 8)
+	model = focusInitProfileV2Field(t, model, initProfileV2FieldRoutes)
+	beforeOffset := model.viewport.YOffset
+	beforeFocus := model.focused
+
+	model = updateInitProfileV2ReadOnlyModel(t, model, tea.KeyMsg{Type: tea.KeySpace})
+
+	if model.focused != beforeFocus {
+		t.Fatalf("focused field = %d, want unchanged %d", model.focused, beforeFocus)
+	}
+	if got, want := model.document.fieldValue(initProfileV2FieldRoutes), "github.com/rianjs "; got != want {
+		t.Fatalf("route field value = %q, want %q", got, want)
+	}
+	if got := model.viewport.YOffset; got != beforeOffset {
+		t.Fatalf("viewport YOffset after input space = %d, want unchanged %d", got, beforeOffset)
+	}
+}
+
 func TestInitProfileV2OnlyFocusedSelectedFieldShowsCaret(t *testing.T) {
 	const firstField initProfileV2FieldID = "first"
 	const secondField initProfileV2FieldID = "second"
@@ -13327,45 +13586,23 @@ func TestInitProfileV2GitScopePreservesSelectedScopeInDraft(t *testing.T) {
 	}
 }
 
-func TestInitProfileV2GitScopeCustomEditsDraft(t *testing.T) {
-	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithGitScope(
-		"monit",
-		"gitlab.com/SignalFT",
-		initCustomGitScopeSelection,
-		nil,
-		initDraft{
-			OriginalProfileName: "monit",
-			ProfileName:         "monit",
-			GitHost:             "github.enterprise",
-			GitAuth:             string(config.GitAuthModeGitHubApp),
+func TestInitProfileV2GitScopeRejectsRoutesForDifferentHost(t *testing.T) {
+	gitScopes := map[string]initGitScopeDraft{
+		"gitlab-work": {
+			Host:          "gitlab.com",
+			AuthMode:      config.GitAuthModePAT,
+			CredentialRef: "codereview/gitlab-work",
 		},
-	), 160, 24)
-
-	model = focusInitProfileV2Field(t, model, initProfileV2FieldGitHost)
-	model = updateInitProfileV2ReadOnlyModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
-	model = typeInitProfileV2Text(t, model, "gitlab.com")
-	model = focusInitProfileV2Field(t, model, initProfileV2FieldGitAuth)
-	model = updateInitProfileV2ReadOnlyModel(t, model, tea.KeyMsg{Type: tea.KeyUp})
-
-	draft, err := model.validatedDraft()
-	if err != nil {
-		t.Fatalf("validatedDraft: %v", err)
 	}
-	if draft.GitHost != "gitlab.com" || draft.GitAuth != string(config.GitAuthModePAT) {
-		t.Fatalf("draft Git = (%q,%q), want edited custom Git host/auth", draft.GitHost, draft.GitAuth)
-	}
-}
-
-func TestInitProfileV2GitScopeRejectsRoutesForDifferentHost(t *testing.T) {
 	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithGitScope(
 		"monit",
 		"github.com/SignalFT",
-		initCustomGitScopeSelection,
-		nil,
+		"gitlab-work",
+		gitScopes,
 		initDraft{
 			OriginalProfileName: "monit",
 			ProfileName:         "monit",
-			GitHost:             "gitlab.com",
+			GitHost:             "github.com",
 			GitAuth:             string(config.GitAuthModePAT),
 		},
 	), 160, 24)
@@ -13379,7 +13616,7 @@ func TestInitProfileV2GitScopeRejectsRoutesForDifferentHost(t *testing.T) {
 func TestInitProfileV2SelectsDraftReviewerRuntimeAndModelTier(t *testing.T) {
 	// #nosec G101 -- test fixture credential reference, not a secret.
 	reviewerEntities := map[string]initReviewerEntityDraft{
-		"app-reviewer": {
+		"app-reviewer": { // #nosec G101 -- test fixture name, not credential material.
 			Kind:            initReviewerEntityKindGitHubApp,
 			AuthMode:        config.GitAuthModeGitHubApp,
 			CredentialStore: config.LocalOSCredentialStoreID,
@@ -13421,6 +13658,224 @@ func TestInitProfileV2SelectsDraftReviewerRuntimeAndModelTier(t *testing.T) {
 	if draft.LLMReviewerModelTier != string(config.ModelTierMedium) {
 		t.Fatalf("draft.LLMReviewerModelTier = %q, want medium", draft.LLMReviewerModelTier)
 	}
+	if draft.ReviewerGitHubAppInstallationMode != string(config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository) || draft.ReviewerGitHubAppInstallationID != "" {
+		t.Fatalf("draft reviewer installation = (%q,%q), want discover with empty id", draft.ReviewerGitHubAppInstallationMode, draft.ReviewerGitHubAppInstallationID)
+	}
+}
+
+func TestInitProfileV2GitHubAppInstallationFieldsFollowReviewerSelection(t *testing.T) {
+	reviewerEntities := map[string]initReviewerEntityDraft{
+		"app-reviewer": { // #nosec G101 -- test fixture name, not credential material.
+			Kind:            initReviewerEntityKindGitHubApp,
+			AuthMode:        config.GitAuthModeGitHubApp,
+			CredentialStore: config.LocalOSCredentialStoreID,
+			CredentialRef:   "codereview/app-reviewer",
+			DisplayName:     "enterprise/reviewer-bot",
+		},
+		"pat-reviewer": {
+			Kind:            initReviewerEntityKindPAT,
+			AuthMode:        config.GitAuthModePAT,
+			CredentialStore: config.LocalOSCredentialStoreID,
+			CredentialRef:   "codereview/pat-reviewer",
+			DisplayName:     "enterprise/pat-bot",
+		},
+	}
+	llmRuntimes := map[string]initLLMRuntimeDraft{
+		"claude-work": {
+			Preset:   initLLMRuntimePresetClaudeCLISubscription,
+			Provider: config.LLMProviderAnthropic,
+			Auth:     config.LLMAuthSubscription,
+			Adapter:  config.LLMAdapterClaudeCLI,
+		},
+	}
+	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithSelections("monit", "github.com/SignalFT", reviewerEntities, llmRuntimes), 160, 36)
+	sectionIndex := model.document.fieldIndexByID(initProfileV2FieldReviewerGitHubAppInstallationSection)
+	idIndex := model.document.fieldIndexByID(initProfileV2FieldReviewerGitHubAppInstallationID)
+	if sectionIndex < 0 || idIndex < 0 {
+		t.Fatal("GitHub App installation fields missing")
+	}
+	if !model.document[sectionIndex].Hidden {
+		t.Fatalf("GitHub App installation section visible for Git identity reviewer:\n%s", model.View())
+	}
+
+	model = selectInitProfileV2FieldValue(t, model, initProfileV2FieldReviewerEntity, "app-reviewer")
+	if model.document[sectionIndex].Hidden {
+		t.Fatalf("GitHub App installation section hidden for GitHub App reviewer:\n%s", model.View())
+	}
+	if model.document[idIndex].Hidden != true {
+		t.Fatalf("installation ID visible for discover mode:\n%s", model.View())
+	}
+	for _, want := range []string{
+		"Discover from PR repository at review time (recommended)",
+		"Pin one installation ID (advanced)",
+		"supports profiles",
+		"routed to multiple organizations or users",
+		"every route for this profile uses the same installation",
+	} {
+		if !strings.Contains(model.View(), want) {
+			t.Fatalf("view missing GitHub App installation copy %q:\n%s", want, model.View())
+		}
+	}
+	draft, err := model.validatedDraft()
+	if err != nil {
+		t.Fatalf("validatedDraft discover: %v", err)
+	}
+	if draft.ReviewerGitHubAppInstallationMode != string(config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository) || draft.ReviewerGitHubAppInstallationID != "" {
+		t.Fatalf("draft discover installation = (%q,%q)", draft.ReviewerGitHubAppInstallationMode, draft.ReviewerGitHubAppInstallationID)
+	}
+
+	model = selectInitProfileV2FieldValue(t, model, initProfileV2FieldReviewerGitHubAppInstallationMode, string(config.ProfileReviewerGitHubAppInstallationPinned))
+	if model.document[idIndex].Hidden {
+		t.Fatalf("installation ID hidden for pinned mode:\n%s", model.View())
+	}
+	model = focusInitProfileV2Field(t, model, initProfileV2FieldReviewerGitHubAppInstallationID)
+	model = typeInitProfileV2Text(t, model, "123456")
+	draft, err = model.validatedDraft()
+	if err != nil {
+		t.Fatalf("validatedDraft pinned: %v", err)
+	}
+	if draft.ReviewerGitHubAppInstallationMode != string(config.ProfileReviewerGitHubAppInstallationPinned) || draft.ReviewerGitHubAppInstallationID != "123456" {
+		t.Fatalf("draft pinned installation = (%q,%q), want pinned 123456", draft.ReviewerGitHubAppInstallationMode, draft.ReviewerGitHubAppInstallationID)
+	}
+
+	model = selectInitProfileV2FieldValue(t, model, initProfileV2FieldReviewerEntity, "pat-reviewer")
+	if !model.document[sectionIndex].Hidden {
+		t.Fatalf("GitHub App installation section visible for PAT reviewer:\n%s", model.View())
+	}
+	draft, err = model.validatedDraft()
+	if err != nil {
+		t.Fatalf("validatedDraft PAT: %v", err)
+	}
+	if draft.ReviewerGitHubAppInstallationMode != "" || draft.ReviewerGitHubAppInstallationID != "" {
+		t.Fatalf("draft PAT installation = (%q,%q), want empty", draft.ReviewerGitHubAppInstallationMode, draft.ReviewerGitHubAppInstallationID)
+	}
+}
+
+func TestInitProfileV2GitHubAppInstallationPinnedIDValidation(t *testing.T) {
+	reviewerEntities := map[string]initReviewerEntityDraft{
+		// #nosec G101 -- test fixture name, not credential material.
+		"app-reviewer": {
+			Kind:            initReviewerEntityKindGitHubApp,
+			AuthMode:        config.GitAuthModeGitHubApp,
+			CredentialStore: config.LocalOSCredentialStoreID,
+			CredentialRef:   "codereview/app-reviewer",
+		},
+	}
+	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithSelections("monit", "github.com/SignalFT", reviewerEntities, nil), 160, 36)
+	model = selectInitProfileV2FieldValue(t, model, initProfileV2FieldReviewerEntity, "app-reviewer")
+	model = selectInitProfileV2FieldValue(t, model, initProfileV2FieldReviewerGitHubAppInstallationMode, string(config.ProfileReviewerGitHubAppInstallationPinned))
+	if _, err := model.validatedDraft(); err == nil || !strings.Contains(err.Error(), "installation ID is required") {
+		t.Fatalf("validatedDraft empty pinned error = %v, want required installation ID", err)
+	}
+
+	model = focusInitProfileV2Field(t, model, initProfileV2FieldReviewerGitHubAppInstallationID)
+	model = typeInitProfileV2Text(t, model, "not-decimal")
+	if _, err := model.validatedDraft(); err == nil || !strings.Contains(err.Error(), "decimal") {
+		t.Fatalf("validatedDraft non-decimal error = %v, want decimal validation", err)
+	}
+}
+
+func TestSynthesizeInteractiveProfilePersistsPinnedGitHubAppInstallation(t *testing.T) {
+	draft := initDraft{
+		ProfileName:                       "monit",
+		GitHost:                           "github.com",
+		GitAuth:                           string(config.GitAuthModePAT),
+		GitCredentialRef:                  "codereview/monit",
+		ReviewerEnabled:                   true,
+		ReviewerAuth:                      string(config.GitAuthModeGitHubApp),
+		ReviewerCredentialStore:           config.LocalOSCredentialStoreID,
+		ReviewerCredentialRef:             "codereview/monit-reviewer",
+		ReviewerGitHubAppInstallationMode: string(config.ProfileReviewerGitHubAppInstallationPinned),
+		ReviewerGitHubAppInstallationID:   "987654",
+		LLMProvider:                       string(config.LLMProviderAnthropic),
+		LLMAuth:                           string(config.LLMAuthSubscription),
+		LLMAdapter:                        string(config.LLMAdapterClaudeCLI),
+	}
+	profile, err := synthesizeInteractiveProfile(initOptions{gitHost: "github.com"}, "monit", nil, draft)
+	if err != nil {
+		t.Fatalf("synthesizeInteractiveProfile: %v", err)
+	}
+	cfg, profile := materializeProfileReviewerEntity(config.File{}, "monit", profile)
+	got := profile.Reviewer.GitHubAppInstallation
+	if got == nil || got.Mode != config.ProfileReviewerGitHubAppInstallationPinned || got.InstallationID != "987654" {
+		t.Fatalf("profile reviewer installation = %#v, want pinned 987654", got)
+	}
+	if cfg.Profiles["monit"].Reviewer.GitHubAppInstallation == nil || cfg.Profiles["monit"].Reviewer.GitHubAppInstallation.InstallationID != "987654" {
+		t.Fatalf("config profile reviewer installation = %#v, want pinned 987654", cfg.Profiles["monit"].Reviewer.GitHubAppInstallation)
+	}
+}
+
+func TestInitCredentialRefFromSeedEscapesUnsafeCharacters(t *testing.T) {
+	tests := []struct {
+		name    string
+		seed    string
+		wantRef string
+	}{
+		{"plain ascii", "work", "codereview/work"},
+		{"digits and hyphen", "staging-2", "codereview/staging-2"},
+		{"underscore doubles", "github_rianjs", "codereview/github__rianjs"},
+		{"trims outer spaces", "  spaced name  ", "codereview/spaced_x20name"},
+		{"slash", "open-cli-collective/rianjs-bot", "codereview/open-cli-collective_x2frianjs-bot"},
+		{"backslash", `open-cli-collective\rianjs-bot`, "codereview/open-cli-collective_x5crianjs-bot"},
+		{"ascii punctuation", "a.b:c@d#e$f%g^h&i*j+k=1", "codereview/a_x2eb_x3ac_x40d_x23e_x24f_x25g_x5eh_x26i_x2aj_x2bk_x3d1"},
+		{"control characters", "line\nbreak\ttab", "codereview/line_x0abreak_x09tab"},
+		{"colon run", "foo::::::::::::::-bar", "codereview/foo" + strings.Repeat("_x3a", 14) + "-bar"},
+		{"accent and cjk", "Rían/机器人", "codereview/R_xc3_xadan_x2f_xe6_x9c_xba_xe5_x99_xa8_xe4_xba_xba"},
+		{"emoji", "reviewer 🤖🔥", "codereview/reviewer_x20_xf0_x9f_xa4_x96_xf0_x9f_x94_xa5"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := initCredentialRefFromSeed(tt.seed)
+			if err != nil {
+				t.Fatalf("initCredentialRefFromSeed(%q): %v", tt.seed, err)
+			}
+			if got != tt.wantRef {
+				t.Fatalf("initCredentialRefFromSeed(%q) = %q, want %q", tt.seed, got, tt.wantRef)
+			}
+			if _, err := credentials.ParseRef(got); err != nil {
+				t.Fatalf("normalized ref %q failed ParseRef: %v", got, err)
+			}
+		})
+	}
+}
+
+func TestInitCredentialRefFromSeedRejectsEmptySeed(t *testing.T) {
+	for _, seed := range []string{"", "   ", "\n\t"} {
+		t.Run(fmt.Sprintf("%q", seed), func(t *testing.T) {
+			if got, err := initCredentialRefFromSeed(seed); err == nil {
+				t.Fatalf("initCredentialRefFromSeed(%q) = %q, want error", seed, got)
+			}
+		})
+	}
+}
+
+func TestSynthesizeInteractiveProfileNormalizesProfileNameCredentialRefs(t *testing.T) {
+	draft := initDraft{
+		ProfileName:             "open-cli-collective/rianjs-bot",
+		GitHost:                 "github.com",
+		GitAuth:                 string(config.GitAuthModePAT),
+		GitCredentialStore:      config.LocalOSCredentialStoreID,
+		ReviewerEnabled:         true,
+		ReviewerAuth:            string(config.GitAuthModePAT),
+		ReviewerCredentialStore: config.LocalOSCredentialStoreID,
+		LLMProvider:             string(config.LLMProviderOpenAI),
+		LLMAuth:                 string(config.LLMAuthAPIKey),
+		LLMAdapter:              string(config.LLMAdapterOpenAIAPI),
+		LLMCredentialStore:      config.LocalOSCredentialStoreID,
+	}
+	profile, err := synthesizeInteractiveProfile(initOptions{gitHost: "github.com"}, "open-cli-collective/rianjs-bot", nil, draft)
+	if err != nil {
+		t.Fatalf("synthesizeInteractiveProfile: %v", err)
+	}
+	if profile.Git.CredentialRef != "codereview/open-cli-collective_x2frianjs-bot" {
+		t.Fatalf("Git.CredentialRef = %q, want normalized profile ref", profile.Git.CredentialRef)
+	}
+	if profile.ReviewerCredentials == nil || profile.ReviewerCredentials.CredentialRef != "codereview/open-cli-collective_x2frianjs-bot-reviewer" {
+		t.Fatalf("ReviewerCredentials = %#v, want normalized reviewer ref", profile.ReviewerCredentials)
+	}
+	if profile.LLM.CredentialRef != "codereview/open-cli-collective_x2frianjs-bot-llm" {
+		t.Fatalf("LLM.CredentialRef = %q, want normalized LLM ref", profile.LLM.CredentialRef)
+	}
 }
 
 func TestInitProfileV2NoRuntimeBootstrapRequestsExistingFlow(t *testing.T) {
@@ -13573,14 +14028,12 @@ func TestInitProfileV2ReviewPolicyDraftsSelections(t *testing.T) {
 		config.ReviewPolicy{},
 		"codereview/monit",
 		true,
-		nil,
-		initCustomGitScopeSelection,
+		testInitProfileV2GitScopes(),
+		testInitProfileV2GitScopeName,
 	), 160, 40)
 	model = selectInitProfileV2FieldValue(t, model, initProfileV2FieldReviewMajorEvent, string(config.ReviewMajorEventRequestChanges))
 	model = selectInitProfileV2FieldValue(t, model, initProfileV2FieldSelfApprove, initSelfApproveEnable)
 	model = selectInitProfileV2FieldValue(t, model, initProfileV2FieldResolveThreads, string(config.ResolveThreadsAuto))
-	model = focusInitProfileV2Field(t, model, initProfileV2FieldResolveAfter)
-	model = typeInitProfileV2Text(t, model, "24h")
 
 	draft, err := model.validatedDraft()
 	if err != nil {
@@ -13593,93 +14046,58 @@ func TestInitProfileV2ReviewPolicyDraftsSelections(t *testing.T) {
 		MajorEvent:       config.ReviewMajorEventRequestChanges,
 		AllowSelfApprove: true,
 		ResolveThreads:   config.ResolveThreadsAuto,
-		ResolveAfter:     "24h",
 	}
 	if !reflect.DeepEqual(draft.ReviewPolicy, want) {
 		t.Fatalf("draft.ReviewPolicy = %#v, want %#v", draft.ReviewPolicy, want)
 	}
 }
 
-func TestInitProfileV2ReviewPolicyRejectsInvalidDuration(t *testing.T) {
-	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithReviewPolicyAndGitStorage(
-		"monit",
-		"github.com/SignalFT",
-		config.ReviewPolicy{},
-		"codereview/monit",
-		true,
-		nil,
-		initCustomGitScopeSelection,
-	), 160, 24)
-	model = focusInitProfileV2Field(t, model, initProfileV2FieldResolveAfter)
-	model = typeInitProfileV2Text(t, model, "tomorrow")
-
-	if !strings.Contains(model.View(), "invalid duration") {
-		index := model.document.fieldIndexByID(initProfileV2FieldResolveAfter)
-		if index < 0 || !strings.Contains(model.document[index].Error, "invalid duration") {
-			t.Fatalf("duration field error = %q, want invalid duration", model.document[index].Error)
-		}
-	}
-	if _, err := model.validatedDraft(); err == nil || !strings.Contains(err.Error(), "invalid duration") {
-		t.Fatalf("validatedDraft error = %v, want duration validation", err)
-	}
-}
-
-func TestInitProfileV2GitCredentialNameDraftsCustomName(t *testing.T) {
-	gitScopes := map[string]initGitScopeDraft{
-		"github-work": {
-			Host:            "github.com",
-			AuthMode:        config.GitAuthModePAT,
+func TestInitProfileV2ReviewPolicyHidesSelfApproveForGitHubAppReviewer(t *testing.T) {
+	reviewerEntities := map[string]initReviewerEntityDraft{
+		"app-reviewer": { // #nosec G101 -- test fixture name, not credential material.
+			Name:            "app-reviewer",
+			Kind:            initReviewerEntityKindGitHubApp,
+			AuthMode:        config.GitAuthModeGitHubApp,
+			AppID:           "12345",
 			CredentialStore: config.LocalOSCredentialStoreID,
-			CredentialRef:   "codereview/monit",
+			CredentialRef:   "codereview/app-reviewer",
+			DisplayName:     "App reviewer",
 		},
 	}
-	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithReviewPolicyAndGitStorage(
-		"monit",
-		"github.com/SignalFT",
-		config.ReviewPolicy{},
-		"codereview/monit",
-		true,
-		gitScopes,
-		"github-work",
-	), 160, 40)
-	model = focusInitProfileV2Field(t, model, initProfileV2FieldGitCredentialName)
-	model = updateInitProfileV2ReadOnlyModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
-	model = typeInitProfileV2Text(t, model, "codereview/custom-monit-git")
+	llmRuntimes := map[string]initLLMRuntimeDraft{
+		"claude-work": {
+			Name:     "claude-work",
+			Preset:   initLLMRuntimePresetClaudeCLISubscription,
+			Provider: config.LLMProviderAnthropic,
+			Auth:     config.LLMAuthSubscription,
+			Adapter:  config.LLMAdapterClaudeCLI,
+		},
+	}
+	editor := newTestInitProfileV2EditorWithSelections("monit", "github.com/SignalFT", reviewerEntities, llmRuntimes)
+	initProfileV2AppendReviewPolicySection(&editor.Document, config.ReviewPolicy{
+		MajorEvent:       config.ReviewMajorEventRequestChanges,
+		AllowSelfApprove: true,
+		ResolveThreads:   config.ResolveThreadsAuto,
+	}, false)
+	model := newInitProfileV2ReadOnlyModel(editor, 160, 40)
+	model = selectInitProfileV2FieldValue(t, model, initProfileV2FieldReviewerEntity, "app-reviewer")
 
-	draft, err := model.validatedDraft()
-	if err != nil {
-		t.Fatalf("validatedDraft: %v", err)
+	index := model.document.fieldIndexByID(initProfileV2FieldSelfApprove)
+	if index < 0 {
+		t.Fatalf("self-approve field missing")
 	}
-	if draft.GitCredentialRef != "codereview/custom-monit-git" {
-		t.Fatalf("draft.GitCredentialRef = %q, want custom credential name", draft.GitCredentialRef)
+	if !model.document[index].Hidden {
+		t.Fatalf("self-approve hidden = false, want hidden for GitHub App reviewer")
 	}
-	if draft.GitCredentialStore != config.LocalOSCredentialStoreID {
-		t.Fatalf("draft.GitCredentialStore = %q, want local-os", draft.GitCredentialStore)
+	if strings.Contains(model.View(), "Allow self-approve") {
+		t.Fatalf("view shows self-approve for GitHub App reviewer:\n%s", model.View())
 	}
-}
-
-func TestInitProfileV2GitCredentialNameRejectsInvalidCredentialRef(t *testing.T) {
-	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithReviewPolicyAndGitStorage(
-		"monit",
-		"github.com/SignalFT",
-		config.ReviewPolicy{},
-		"codereview/monit",
-		true,
-		nil,
-		initCustomGitScopeSelection,
-	), 160, 24)
-	model = focusInitProfileV2Field(t, model, initProfileV2FieldGitCredentialName)
-	model = updateInitProfileV2ReadOnlyModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
-	model = typeInitProfileV2Text(t, model, "not-a-ref")
-
-	if !strings.Contains(model.View(), "credential ref") {
-		index := model.document.fieldIndexByID(initProfileV2FieldGitCredentialName)
-		if index < 0 || !strings.Contains(model.document[index].Error, "credential ref") {
-			t.Fatalf("git credential name field error = %q, want credential-ref validation", model.document[index].Error)
-		}
+	draft, err := model.validatedDraft()
+	if err != nil {
+		t.Fatalf("validatedDraft: %v", err)
 	}
-	if _, err := model.validatedDraft(); err == nil {
-		t.Fatal("validatedDraft error = nil, want credential-ref validation")
+	if draft.ReviewPolicy.AllowSelfApprove {
+		t.Fatalf("AllowSelfApprove = true, want false for GitHub App reviewer")
 	}
 }
 
@@ -13718,22 +14136,92 @@ func TestInitProfileV2GitCredentialNameFollowsChangedScopeDefaultWhenUnedited(t
 	}
 }
 
-func TestInitProfileV2ProfileActionStagesValidatedDraft(t *testing.T) {
-	editor := newTestInitProfileV2Editor("monit", "github.com/SignalFT")
-	initProfileV2AppendProfileActionSection(&editor.Document)
-	model := newInitProfileV2ReadOnlyModel(editor, 160, 24)
-	model = updateInitProfileV2ReadOnlyModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
-	model = typeInitProfileV2Text(t, model, "monit-next")
-	model = focusInitProfileV2Field(t, model, initProfileV2FieldProfileAction)
-
-	updated, cmd := model.Update(tea.KeyMsg{Type: tea.KeyEnter})
-	next, ok := updated.(initProfileV2ReadOnlyModel)
-	if !ok {
-		t.Fatalf("Update returned %T, want initProfileV2ReadOnlyModel", updated)
-	}
-	if cmd == nil {
-		t.Fatal("Update returned nil command, want quit command after staging")
-	}
+func TestInitProfileV2ProfileNameUpdatesAutoManagedLLMCredentialName(t *testing.T) {
+	llmRuntimes := map[string]initLLMRuntimeDraft{
+		"openai-work": {
+			Name:            "openai-work",
+			Preset:          initLLMRuntimePresetOpenAIAPIKey,
+			Provider:        config.LLMProviderOpenAI,
+			Auth:            config.LLMAuthAPIKey,
+			Adapter:         config.LLMAdapterOpenAIAPI,
+			CredentialStore: config.LocalOSCredentialStoreID,
+		},
+	}
+	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithRuntimeAndModelMap(
+		"work",
+		"github.com/SignalFT",
+		llmRuntimes,
+		"openai-work",
+	), 160, 40)
+	if got := model.document.fieldValue(initProfileV2FieldLLMCredentialName); got != "codereview/work-llm" {
+		t.Fatalf("initial LLM credential name = %q, want auto-managed work ref", got)
+	}
+	refIndex := model.document.fieldIndexByID(initProfileV2FieldLLMCredentialName)
+	if refIndex < 0 || !model.document[refIndex].AutoManaged {
+		t.Fatalf("LLM credential name AutoManaged = false, want true")
+	}
+
+	model = focusInitProfileV2Field(t, model, initProfileV2FieldProfileName)
+	model = updateInitProfileV2ReadOnlyModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
+	model = typeInitProfileV2Text(t, model, "open-cli-collective/rianjs-bot")
+
+	if got := model.document.fieldValue(initProfileV2FieldLLMCredentialName); got != "codereview/open-cli-collective_x2frianjs-bot-llm" {
+		t.Fatalf("LLM credential name after profile edit = %q, want normalized profile-derived ref", got)
+	}
+	draft, err := model.validatedDraft()
+	if err != nil {
+		t.Fatalf("validatedDraft: %v", err)
+	}
+	if draft.LLMCredentialRef != "codereview/open-cli-collective_x2frianjs-bot-llm" {
+		t.Fatalf("draft.LLMCredentialRef = %q, want normalized profile-derived ref", draft.LLMCredentialRef)
+	}
+}
+
+func TestInitProfileV2ManualLLMCredentialNameStopsProfileNameAutoUpdate(t *testing.T) {
+	llmRuntimes := map[string]initLLMRuntimeDraft{
+		"openai-work": {
+			Name:            "openai-work",
+			Preset:          initLLMRuntimePresetOpenAIAPIKey,
+			Provider:        config.LLMProviderOpenAI,
+			Auth:            config.LLMAuthAPIKey,
+			Adapter:         config.LLMAdapterOpenAIAPI,
+			CredentialStore: config.LocalOSCredentialStoreID,
+		},
+	}
+	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithRuntimeAndModelMap(
+		"work",
+		"github.com/SignalFT",
+		llmRuntimes,
+		"openai-work",
+	), 160, 40)
+	model = focusInitProfileV2Field(t, model, initProfileV2FieldLLMCredentialName)
+	model = updateInitProfileV2ReadOnlyModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
+	model = typeInitProfileV2Text(t, model, "codereview/custom-llm")
+	model = focusInitProfileV2Field(t, model, initProfileV2FieldProfileName)
+	model = updateInitProfileV2ReadOnlyModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
+	model = typeInitProfileV2Text(t, model, "open-cli-collective/rianjs-bot")
+
+	if got := model.document.fieldValue(initProfileV2FieldLLMCredentialName); got != "codereview/custom-llm" {
+		t.Fatalf("manual LLM credential name = %q, want profile edit not to overwrite it", got)
+	}
+}
+
+func TestInitProfileV2ProfileActionStagesValidatedDraft(t *testing.T) {
+	editor := newTestInitProfileV2Editor("monit", "github.com/SignalFT")
+	initProfileV2AppendProfileActionSection(&editor.Document)
+	model := newInitProfileV2ReadOnlyModel(editor, 160, 24)
+	model = updateInitProfileV2ReadOnlyModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
+	model = typeInitProfileV2Text(t, model, "monit-next")
+	model = focusInitProfileV2Field(t, model, initProfileV2FieldProfileAction)
+
+	updated, cmd := model.Update(tea.KeyMsg{Type: tea.KeyEnter})
+	next, ok := updated.(initProfileV2ReadOnlyModel)
+	if !ok {
+		t.Fatalf("Update returned %T, want initProfileV2ReadOnlyModel", updated)
+	}
+	if cmd == nil {
+		t.Fatal("Update returned nil command, want quit command after staging")
+	}
 	if !next.result.StageProfile {
 		t.Fatalf("StageProfile = false, result = %#v", next.result)
 	}
@@ -13825,6 +14313,75 @@ func TestBubbleTeaInitProfileV2PrompterReturnsStagedDraft(t *testing.T) {
 	}
 }
 
+func TestBubbleTeaInitProfileV2PrompterCanStageProfileDelete(t *testing.T) {
+	profile := basicProfile("work")
+	prompter := bubbleTeaInitProfileV2Prompter{
+		inventoryRunner: func(_ initInventoryPrompt, _ io.Reader, _ io.Writer) (initInventoryResult, error) {
+			return initInventoryResult{
+				Action: initInventoryActionStageDelete,
+				Row: initInventoryRow{
+					ID:    "work",
+					Title: "work",
+				},
+			}, nil
+		},
+		profileEditorRunner: func(initProfileV2Editor) (initProfileV2EditorResult, error) {
+			t.Fatal("profile editor should not open for delete action")
+			return initProfileV2EditorResult{}, nil
+		},
+	}
+
+	draft, err := prompter.Run(initPromptContext{
+		RequestedProfileName: "work",
+		ExistingProfileName:  "work",
+		ExistingProfile:      &profile,
+		ExistingProfileNames: []string{"work"},
+		ExistingConfig:       config.File{Profiles: map[string]config.Profile{"work": profile}},
+	})
+	if err != nil {
+		t.Fatalf("Run: %v", err)
+	}
+	if draft.Action != initDraftActionDeleteProfile || draft.ActionTarget != "work" {
+		t.Fatalf("draft delete action = %#v, want delete work", draft)
+	}
+}
+
+func TestBubbleTeaInitProfileV2PrompterCanRestoreProfileDelete(t *testing.T) {
+	profile := basicProfile("home")
+	prompter := bubbleTeaInitProfileV2Prompter{
+		inventoryRunner: func(_ initInventoryPrompt, _ io.Reader, _ io.Writer) (initInventoryResult, error) {
+			return initInventoryResult{
+				Action: initInventoryActionRestore,
+				Row: initInventoryRow{
+					ID:    "work",
+					Title: "work (Staged for deletion)",
+				},
+			}, nil
+		},
+		profileEditorRunner: func(initProfileV2Editor) (initProfileV2EditorResult, error) {
+			t.Fatal("profile editor should not open for restore action")
+			return initProfileV2EditorResult{}, nil
+		},
+	}
+
+	draft, err := prompter.Run(initPromptContext{
+		RequestedProfileName: "home",
+		ExistingProfileName:  "home",
+		ExistingProfile:      &profile,
+		ExistingProfileNames: []string{"home"},
+		ExistingConfig:       config.File{Profiles: map[string]config.Profile{"home": profile}},
+		PendingProfileDeletes: map[string]initPendingProfileDelete{
+			"work": {ProfileName: "work"},
+		},
+	})
+	if err != nil {
+		t.Fatalf("Run: %v", err)
+	}
+	if draft.Action != initDraftActionUndoDeleteProfile || draft.ActionTarget != "work" {
+		t.Fatalf("draft restore action = %#v, want restore work", draft)
+	}
+}
+
 func TestBubbleTeaInitProfileV2PrompterSkipsChooserWhenNoProfilesExist(t *testing.T) {
 	inventoryCalled := false
 	editorCalls := 0
@@ -13847,7 +14404,21 @@ func TestBubbleTeaInitProfileV2PrompterSkipsChooserWhenNoProfilesExist(t *testin
 
 	_, err := prompter.Run(initPromptContext{
 		RequestedProfileName: "default",
-		ExistingConfig:       config.File{Profiles: map[string]config.Profile{}},
+		ExistingConfig: config.File{
+			Profiles: map[string]config.Profile{},
+			RepositoryAccess: map[string]config.RepositoryAccessConfig{
+				testInitProfileV2GitScopeName: {
+					Git: config.GitConfig{
+						Host:     "github.com",
+						AuthMode: config.GitAuthModePAT,
+						Credential: config.CredentialLocation{
+							Store: config.LocalOSCredentialStoreID,
+							Name:  "codereview/github-work",
+						},
+					},
+				},
+			},
+		},
 	})
 	if !errors.Is(err, errInitNavigateBack) {
 		t.Fatalf("Run error = %v, want direct create back to main menu", err)
@@ -14138,7 +14709,23 @@ func newTestInitProfileV2Editor(profileName string, routeText string) initProfil
 			GitHost:             "github.com",
 			GitAuth:             string(config.GitAuthModePAT),
 		},
-		Document: document,
+		GitScopes:        testInitProfileV2GitScopes(),
+		SelectedGitScope: testInitProfileV2GitScopeName,
+		Document:         document,
+	}
+}
+
+const testInitProfileV2GitScopeName = "github-work"
+
+func testInitProfileV2GitScopes() map[string]initGitScopeDraft {
+	return map[string]initGitScopeDraft{
+		testInitProfileV2GitScopeName: {
+			Name:            testInitProfileV2GitScopeName,
+			Host:            "github.com",
+			AuthMode:        config.GitAuthModePAT,
+			CredentialStore: config.LocalOSCredentialStoreID,
+			CredentialRef:   "codereview/github-work",
+		},
 	}
 }
 
@@ -14167,193 +14754,637 @@ func newTestInitProfileV2EditorWithSelections(profileName string, routeText stri
 		initReviewerEntitySelectionOptions(reviewerEntities, reviewerEntityGitAccountFallbackLabel(config.GitAuthModePAT, "")),
 		string(initReviewerEntityKindUseGitIdentity),
 	)
+	initProfileV2AppendReviewerGitHubAppInstallationSection(&document, string(initReviewerEntityKindUseGitIdentity), reviewerEntities, draft)
 	document.addEditableSelect(initProfileV2FieldLLMRuntime, "LLM runtime", "Choose how reviewer agents run for this profile.", llmRuntimeOptions, selectedLLMRuntime)
 	initProfileV2AppendLLMStorageSection(&document, storeOptions, draft.LLMCredentialStore, draft.LLMCredentialRef, !initLLMStorageLabelRelevant(selectedLLMRuntime, llmRuntimes))
 	document.addEditableSelect(initProfileV2FieldReviewerModelTier, initReviewerModelTierTitle, initReviewerModelTierDescription, initReviewerModelTierOptions(), draft.LLMReviewerModelTier)
 	return initProfileV2Editor{
 		Draft:                  draft,
+		GitScopes:              testInitProfileV2GitScopes(),
+		SelectedGitScope:       testInitProfileV2GitScopeName,
 		ReviewerEntities:       reviewerEntities,
 		LLMRuntimes:            llmRuntimes,
 		CredentialStoreOptions: storeOptions,
 		Document:               document,
 	}
-}
+}
+
+func newTestInitProfileV2EditorWithModelMap(profileName string, routeText string, llm config.LLMConfig, modelMap config.ModelMap) initProfileV2Editor {
+	draft := initDraft{
+		OriginalProfileName: profileName,
+		ProfileName:         profileName,
+		GitHost:             "github.com",
+		GitAuth:             string(config.GitAuthModePAT),
+		LLMProvider:         string(llm.Provider),
+		LLMAuth:             string(llm.Auth),
+		LLMAdapter:          string(llm.Adapter),
+		ModelMap:            copyModelMap(modelMap),
+	}
+	var document initProfileV2Document
+	document.addSection("Profile", "")
+	document.addEditableInput(initProfileV2FieldProfileName, "Profile name", "", profileName, validateProfileName)
+	initProfileV2AppendRouteSection(&document, routeText)
+	initProfileV2AppendModelMapSection(&document, llm, modelMap)
+	return initProfileV2Editor{
+		Draft:            draft,
+		GitScopes:        testInitProfileV2GitScopes(),
+		SelectedGitScope: testInitProfileV2GitScopeName,
+		Document:         document,
+	}
+}
+
+func newTestInitProfileV2EditorWithRuntimeAndModelMap(profileName string, routeText string, llmRuntimes map[string]initLLMRuntimeDraft, selectedRuntime string) initProfileV2Editor {
+	draft := initDraft{
+		OriginalProfileName: profileName,
+		ProfileName:         profileName,
+		GitHost:             "github.com",
+		GitAuth:             string(config.GitAuthModePAT),
+		LLMProvider:         string(config.LLMProviderAnthropic),
+		LLMAuth:             string(config.LLMAuthSubscription),
+		LLMAdapter:          string(config.LLMAdapterClaudeCLI),
+	}
+	if runtime, ok := llmRuntimes[selectedRuntime]; ok {
+		draft.LLMProvider = string(runtime.Provider)
+		draft.LLMAuth = string(runtime.Auth)
+		draft.LLMAdapter = string(runtime.Adapter)
+		draft.LLMCredentialStore = initCredentialStoreDraftValue(runtime.CredentialStore)
+		draft.LLMCredentialRef = runtime.CredentialRef
+	}
+	storeOptions := []huh.Option[string]{
+		huh.NewOption(initBuiltInOSCredentialStoreTitle()+" - "+initBuiltInOSCredentialStoreDescription(), config.LocalOSCredentialStoreID),
+	}
+	var document initProfileV2Document
+	document.addSection("Profile", "")
+	document.addEditableInput(initProfileV2FieldProfileName, "Profile name", "", profileName, validateProfileName)
+	initProfileV2AppendRouteSection(&document, routeText)
+	llmRuntimeOptions, normalizedRuntime := initProfileEditorLLMRuntimeSelection(llmRuntimes, selectedRuntime, draft)
+	document.addEditableSelect(initProfileV2FieldLLMRuntime, "LLM runtime", "Choose how reviewer agents run for this profile.", llmRuntimeOptions, normalizedRuntime)
+	initProfileV2AppendLLMStorageSection(&document, storeOptions, draft.LLMCredentialStore, draft.LLMCredentialRef, !initLLMStorageLabelRelevant(normalizedRuntime, llmRuntimes))
+	initProfileV2AppendModelMapSection(&document, initProfileEditorModelMapLLM(draft, normalizedRuntime, llmRuntimes), draft.ModelMap)
+	return initProfileV2Editor{
+		Draft:                  draft,
+		GitScopes:              testInitProfileV2GitScopes(),
+		SelectedGitScope:       testInitProfileV2GitScopeName,
+		LLMRuntimes:            llmRuntimes,
+		CredentialStoreOptions: storeOptions,
+		Document:               document,
+	}
+}
+
+func newTestInitProfileV2EditorWithAgentSources(profileName string, routeText string, agentSources []string) initProfileV2Editor {
+	draft := initDraft{
+		OriginalProfileName: profileName,
+		ProfileName:         profileName,
+		GitHost:             "github.com",
+		GitAuth:             string(config.GitAuthModePAT),
+		LLMProvider:         string(config.LLMProviderAnthropic),
+		LLMAuth:             string(config.LLMAuthSubscription),
+		LLMAdapter:          string(config.LLMAdapterClaudeCLI),
+		AgentSources:        append([]string(nil), agentSources...),
+	}
+	var document initProfileV2Document
+	document.addSection("Profile", "")
+	document.addEditableInput(initProfileV2FieldProfileName, "Profile name", "", profileName, validateProfileName)
+	initProfileV2AppendRouteSection(&document, routeText)
+	initProfileV2AppendAgentSourcesSection(&document, agentSources)
+	return initProfileV2Editor{
+		Draft:            draft,
+		GitScopes:        testInitProfileV2GitScopes(),
+		SelectedGitScope: testInitProfileV2GitScopeName,
+		Document:         document,
+	}
+}
+
+func newTestInitProfileV2EditorWithReviewPolicyAndGitStorage(profileName string, routeText string, policy config.ReviewPolicy, gitStorageLabel string, gitLabelUsesDefault bool, gitScopes map[string]initGitScopeDraft, selectedGitScope string) initProfileV2Editor {
+	draft := initDraft{
+		OriginalProfileName: profileName,
+		ProfileName:         profileName,
+		GitHost:             "github.com",
+		GitAuth:             string(config.GitAuthModePAT),
+		GitCredentialStore:  config.LocalOSCredentialStoreID,
+		GitCredentialRef:    strings.TrimSpace(gitStorageLabel),
+		LLMProvider:         string(config.LLMProviderAnthropic),
+		LLMAuth:             string(config.LLMAuthSubscription),
+		LLMAdapter:          string(config.LLMAdapterClaudeCLI),
+		ReviewPolicy:        policy,
+	}
+	storeOptions := []huh.Option[string]{
+		huh.NewOption(initBuiltInOSCredentialStoreTitle()+" - "+initBuiltInOSCredentialStoreDescription(), config.LocalOSCredentialStoreID),
+	}
+	var document initProfileV2Document
+	document.addSection("Profile", "")
+	document.addEditableInput(initProfileV2FieldProfileName, "Profile name", "", profileName, validateProfileName)
+	initProfileV2AppendRouteSection(&document, routeText)
+	if selectedGitScope != "" && selectedGitScope != initCustomGitScopeSelection {
+		initProfileV2AppendGitScopeSection(&document, selectedGitScope, initGitScopeOptions(gitScopes), draft, true)
+	}
+	initProfileV2AppendReviewPolicySection(&document, policy, false)
+	initProfileV2AppendGitStorageSection(&document, storeOptions, config.LocalOSCredentialStoreID, gitStorageLabel)
+	return initProfileV2Editor{
+		Draft:                      draft,
+		GitScopes:                  gitScopes,
+		CredentialStoreOptions:     storeOptions,
+		SelectedGitScope:           selectedGitScope,
+		InitialGitStorageLabel:     gitStorageLabel,
+		GitStorageLabelUsesDefault: gitLabelUsesDefault,
+		Document:                   document,
+	}
+}
+
+func newTestInitProfileV2EditorWithGitScope(profileName string, routeText string, selectedGitScope string, gitScopes map[string]initGitScopeDraft, draft initDraft) initProfileV2Editor {
+	var document initProfileV2Document
+	document.addSection("Profile", "")
+	document.addEditableInput(initProfileV2FieldProfileName, "Profile name", "", profileName, validateProfileName)
+	initProfileV2AppendRouteSection(&document, routeText)
+	initProfileV2AppendGitScopeSection(&document, selectedGitScope, initGitScopeOptions(gitScopes), draft, true)
+	return initProfileV2Editor{
+		Draft:            draft,
+		GitScopes:        gitScopes,
+		SelectedGitScope: selectedGitScope,
+		Document:         document,
+	}
+}
+
+func TestInitInteractiveMenuExitWithoutSaveLeavesConfigUntouched(t *testing.T) {
+	path := filepath.Join(t.TempDir(), "config.yml")
+	original := config.File{
+		Profiles: map[string]config.Profile{"work": basicProfile("work")},
+	}
+	saveCredentialTestConfig(t, path, original)
+	wantCfg, err := config.Load(path)
+	if err != nil {
+		t.Fatalf("Load initial config: %v", err)
+	}
+	opts := &root.Options{
+		Stdin:      strings.NewReader(""),
+		Stdout:     &bytes.Buffer{},
+		Stderr:     &bytes.Buffer{},
+		ConfigPath: path,
+	}
+	openStoreCalls := 0
+	deps := initDeps{
+		menuPrompter: &fakeInitMenuPrompter{
+			actions: []initMenuAction{initMenuActionExit},
+		},
+		secretPrompter: &fakeInitSecretPrompter{
+			actions: []initCredentialSecretAction{},
+		},
+		openStore: func(string, bool, config.File) (initStore, error) {
+			openStoreCalls++
+			return newFakeInitStore(map[string]map[string]string{}), nil
+		},
+		configPath: func(*root.Options) (string, error) { return path, nil },
+		loadConfig: loadConfigForInit,
+		saveConfig: config.Save,
+	}
+
+	if err := runInitWithDeps(&cobra.Command{}, opts, initOptions{}, deps); err != nil {
+		t.Fatalf("runInitWithDeps: %v", err)
+	}
+	cfg, err := config.Load(path)
+	if err != nil {
+		t.Fatalf("Load config: %v", err)
+	}
+	if !reflect.DeepEqual(cfg, wantCfg) {
+		t.Fatalf("config after exit-without-save = %#v, want %#v", cfg, wantCfg)
+	}
+	if openStoreCalls != 0 {
+		t.Fatalf("openStoreCalls = %d, want 0 on exit-without-save", openStoreCalls)
+	}
+}
+
+func TestInitInteractiveMenuStagesStandaloneRepositoryAccess(t *testing.T) {
+	path := filepath.Join(t.TempDir(), "config.yml")
+	writeRawCredentialTestConfig(t, path, "profiles: {}\n")
+	opts := &root.Options{
+		Stdin:      strings.NewReader(""),
+		Stdout:     &bytes.Buffer{},
+		Stderr:     &bytes.Buffer{},
+		ConfigPath: path,
+	}
+	menu := &fakeInitMenuPrompter{
+		actions: []initMenuAction{
+			initMenuActionRepositoryAccess,
+			initMenuActionSave,
+		},
+	}
+	repositoryPrompts := 0
+	deps := initDeps{
+		menuPrompter: menu,
+		repositoryPrompter: initRepositoryAccessPrompterFunc(func(prompt initRepositoryAccessPrompt) (initDraft, error) {
+			repositoryPrompts++
+			if repositoryPrompts > 1 {
+				return initDraft{}, errInitNavigateBack
+			}
+			if !prompt.Context.StandaloneRepositoryAccessMode {
+				t.Fatal("repository access prompt did not run in standalone mode")
+			}
+			if len(prompt.Context.GitScopes) != 0 {
+				t.Fatalf("GitScopes = %#v, want empty before creating repository access", prompt.Context.GitScopes)
+			}
+			return initDraft{
+				RepositoryAccessName: "work-git",
+				GitHost:              "github.company.com",
+				GitAuth:              string(config.GitAuthModePAT),
+				GitCredentialStore:   config.LocalOSCredentialStoreID,
+				GitCredentialRef:     "codereview/work-git",
+			}, nil
+		}),
+		configPath: func(*root.Options) (string, error) { return path, nil },
+		loadConfig: func(string) (config.File, bool, error) {
+			return config.File{Profiles: map[string]config.Profile{}}, false, nil
+		},
+		saveConfig: config.Save,
+	}
+
+	if err := runInitWithDeps(&cobra.Command{}, opts, initOptions{}, deps); err != nil {
+		t.Fatalf("runInitWithDeps: %v", err)
+	}
+	if repositoryPrompts != 1 {
+		t.Fatalf("repositoryPrompts = %d, want 1", repositoryPrompts)
+	}
+	if len(menu.prompts) != 2 {
+		t.Fatalf("menu prompts = %d, want repository access then save", len(menu.prompts))
+	}
+	if !menu.prompts[1].CanSave {
+		t.Fatalf("second menu prompt CanSave = false, want true after repository access staging")
+	}
+	cfg, err := config.Load(path)
+	if err != nil {
+		t.Fatalf("Load config: %v", err)
+	}
+	access, ok := cfg.RepositoryAccess["work-git"]
+	if !ok {
+		t.Fatalf("repository_access = %#v, want work-git", cfg.RepositoryAccess)
+	}
+	if access.DisplayName != "work-git" {
+		t.Fatalf("display_name = %q, want work-git", access.DisplayName)
+	}
+	if access.Git.Host != "github.company.com" || access.Git.AuthMode != config.GitAuthModePAT {
+		t.Fatalf("repository access git = %#v, want company PAT", access.Git)
+	}
+	if access.Git.Credential.Store != config.LocalOSCredentialStoreID || access.Git.Credential.Name != "codereview/work-git" {
+		t.Fatalf("repository access credential = %#v, want local-os/codereview/work-git", access.Git.Credential)
+	}
+}
+
+func TestInitRepositoryAccessEditorMarksConfiguredRepositoryAccessDeletable(t *testing.T) {
+	ctx := initPromptContext{
+		GitScopes: map[string]initGitScopeDraft{
+			"work-git": {
+				Name:            "work-git",
+				Host:            "github.com",
+				AuthMode:        config.GitAuthModePAT,
+				CredentialStore: config.LocalOSCredentialStoreID,
+				CredentialRef:   "codereview/work-git",
+			},
+		},
+		ExistingConfig: config.File{
+			RepositoryAccess: map[string]config.RepositoryAccessConfig{
+				"work-git": {
+					DisplayName: "work-git",
+					Git: config.GitConfig{
+						Host:     "github.com",
+						AuthMode: config.GitAuthModePAT,
+						Credential: config.CredentialLocation{
+							Store: config.LocalOSCredentialStoreID,
+							Name:  "codereview/work-git",
+						},
+					},
+				},
+			},
+		},
+	}
+	model := newInitLinearEditorModel(initRepositoryAccessLinearEditor(ctx, initDraft{}), 160, 60)
+	model = selectInitLinearFieldValue(t, model, initRepositoryAccessFieldSelection, "work-git")
+	selectionIndex := model.document.fieldIndexByID(initRepositoryAccessFieldSelection)
+	if selectionIndex < 0 {
+		t.Fatal("repository access selection field missing")
+	}
+	for _, option := range model.document[selectionIndex].Options {
+		if option.Value == "work-git" {
+			if !option.Deletable {
+				t.Fatalf("work-git option Deletable = false, want true")
+			}
+			return
+		}
+	}
+	t.Fatalf("work-git option missing: %#v", model.document[selectionIndex].Options)
+}
+
+func TestInitRepositoryAccessEditorMarksPendingRepositoryAccessRestorable(t *testing.T) {
+	ctx := initPromptContext{
+		PendingRepositoryAccessDeletes: map[string]initPendingRepositoryAccessDelete{
+			"work-git": {
+				Name: "work-git",
+			},
+		},
+	}
+	selection := initRepositoryAccessRestoreSelectionPrefix + "work-git"
+	model := newInitLinearEditorModel(initRepositoryAccessLinearEditor(ctx, initDraft{}), 160, 60)
+	model = selectInitLinearFieldValue(t, model, initRepositoryAccessFieldSelection, selection)
+	selectionIndex := model.document.fieldIndexByID(initRepositoryAccessFieldSelection)
+	if selectionIndex < 0 {
+		t.Fatal("repository access selection field missing")
+	}
+	for _, option := range model.document[selectionIndex].Options {
+		if option.Value != selection {
+			continue
+		}
+		if !option.Restorable {
+			t.Fatalf("pending work-git option Restorable = false, want true")
+		}
+		if !model.document.fieldHidden(initRepositoryAccessFieldName) || !model.document.fieldHidden(initRepositoryAccessFieldAction) {
+			t.Fatalf("repository access details hidden = name:%v action:%v, want both hidden", model.document.fieldHidden(initRepositoryAccessFieldName), model.document.fieldHidden(initRepositoryAccessFieldAction))
+		}
+		return
+	}
+	t.Fatalf("pending work-git option missing: %#v", model.document[selectionIndex].Options)
+}
+
+func TestDeleteInteractiveInitRepositoryAccessRemovesAndRestoresStandaloneEntry(t *testing.T) {
+	access := config.RepositoryAccessConfig{
+		DisplayName: "work-git",
+		Git: config.GitConfig{
+			Host:     "github.com",
+			AuthMode: config.GitAuthModePAT,
+			Credential: config.CredentialLocation{
+				Store: config.LocalOSCredentialStoreID,
+				Name:  "codereview/work-git",
+			},
+		},
+	}
+	session := initSessionDraft{
+		cfg: config.File{
+			RepositoryAccess: map[string]config.RepositoryAccessConfig{
+				"work-git": access,
+			},
+			Profiles: map[string]config.Profile{},
+		},
+	}
+
+	next, err := deleteInteractiveInitRepositoryAccess(session, "work-git")
+	if err != nil {
+		t.Fatalf("deleteInteractiveInitRepositoryAccess: %v", err)
+	}
+	if _, ok := next.cfg.RepositoryAccess["work-git"]; ok {
+		t.Fatalf("repository_access after delete = %#v, want work-git removed", next.cfg.RepositoryAccess)
+	}
+	if _, ok := next.pendingRepositoryAccessDeletes["work-git"]; !ok {
+		t.Fatalf("pendingRepositoryAccessDeletes = %#v, want work-git", next.pendingRepositoryAccessDeletes)
+	}
+
+	restored, err := undoInteractiveInitRepositoryAccessDelete(next, "work-git")
+	if err != nil {
+		t.Fatalf("undoInteractiveInitRepositoryAccessDelete: %v", err)
+	}
+	restoredAccess := restored.cfg.RepositoryAccess["work-git"]
+	if restoredAccess.DisplayName != access.DisplayName || restoredAccess.Git.Host != access.Git.Host || restoredAccess.Git.AuthMode != access.Git.AuthMode || restoredAccess.Git.Credential != access.Git.Credential {
+		t.Fatalf("restored repository access = %#v, want display/host/auth/credential from %#v", restoredAccess, access)
+	}
+	if _, ok := restored.pendingRepositoryAccessDeletes["work-git"]; ok {
+		t.Fatalf("pendingRepositoryAccessDeletes after undo = %#v, want cleared work-git", restored.pendingRepositoryAccessDeletes)
+	}
+}
+
+func TestInitInteractiveMenuDeletesStandaloneRepositoryAccessAndEnablesSave(t *testing.T) {
+	path := filepath.Join(t.TempDir(), "config.yml")
+	writeRawCredentialTestConfig(t, path, "profiles: {}\n")
+	opts := &root.Options{
+		Stdin:      strings.NewReader(""),
+		Stdout:     &bytes.Buffer{},
+		Stderr:     &bytes.Buffer{},
+		ConfigPath: path,
+	}
+	access := config.RepositoryAccessConfig{
+		DisplayName: "work-git",
+		Git: config.GitConfig{
+			Host:     "github.com",
+			AuthMode: config.GitAuthModePAT,
+			Credential: config.CredentialLocation{
+				Store: config.LocalOSCredentialStoreID,
+				Name:  "codereview/work-git",
+			},
+		},
+	}
+	menu := &fakeInitMenuPrompter{
+		actions: []initMenuAction{
+			initMenuActionRepositoryAccess,
+			initMenuActionSave,
+		},
+	}
+	deps := initDeps{
+		menuPrompter: menu,
+		repositoryPrompter: initRepositoryAccessPrompterFunc(func(prompt initRepositoryAccessPrompt) (initDraft, error) {
+			if !prompt.Context.StandaloneRepositoryAccessMode {
+				t.Fatal("repository access prompt did not run in standalone mode")
+			}
+			if _, ok := prompt.Context.ExistingConfig.RepositoryAccess["work-git"]; !ok {
+				t.Fatalf("prompt repository_access = %#v, want work-git", prompt.Context.ExistingConfig.RepositoryAccess)
+			}
+			return initDraft{
+				Action:       initDraftActionDeleteRepositoryAccess,
+				ActionTarget: "work-git",
+			}, nil
+		}),
+		configPath: func(*root.Options) (string, error) { return path, nil },
+		loadConfig: func(string) (config.File, bool, error) {
+			return config.File{
+				Profiles: map[string]config.Profile{},
+				RepositoryAccess: map[string]config.RepositoryAccessConfig{
+					"work-git": access,
+				},
+			}, true, nil
+		},
+		saveConfig: config.Save,
+	}
 
-func newTestInitProfileV2EditorWithModelMap(profileName string, routeText string, llm config.LLMConfig, modelMap config.ModelMap) initProfileV2Editor {
-	draft := initDraft{
-		OriginalProfileName: profileName,
-		ProfileName:         profileName,
-		GitHost:             "github.com",
-		GitAuth:             string(config.GitAuthModePAT),
-		LLMProvider:         string(llm.Provider),
-		LLMAuth:             string(llm.Auth),
-		LLMAdapter:          string(llm.Adapter),
-		ModelMap:            copyModelMap(modelMap),
+	if err := runInitWithDeps(&cobra.Command{}, opts, initOptions{}, deps); err != nil {
+		t.Fatalf("runInitWithDeps: %v", err)
 	}
-	var document initProfileV2Document
-	document.addSection("Profile", "")
-	document.addEditableInput(initProfileV2FieldProfileName, "Profile name", "", profileName, validateProfileName)
-	initProfileV2AppendRouteSection(&document, routeText)
-	initProfileV2AppendModelMapSection(&document, llm, modelMap)
-	return initProfileV2Editor{
-		Draft:    draft,
-		Document: document,
+	if len(menu.prompts) != 2 {
+		t.Fatalf("menu prompts = %d, want repository access then save", len(menu.prompts))
+	}
+	if !menu.prompts[1].CanSave {
+		t.Fatalf("second menu prompt CanSave = false, want true after repository access deletion")
+	}
+	cfg, err := config.Load(path)
+	if err != nil {
+		t.Fatalf("Load config: %v", err)
+	}
+	if _, ok := cfg.RepositoryAccess["work-git"]; ok {
+		t.Fatalf("repository_access after save = %#v, want work-git removed", cfg.RepositoryAccess)
 	}
 }
 
-func newTestInitProfileV2EditorWithRuntimeAndModelMap(profileName string, routeText string, llmRuntimes map[string]initLLMRuntimeDraft, selectedRuntime string) initProfileV2Editor {
-	draft := initDraft{
-		OriginalProfileName: profileName,
-		ProfileName:         profileName,
-		GitHost:             "github.com",
-		GitAuth:             string(config.GitAuthModePAT),
-		LLMProvider:         string(config.LLMProviderAnthropic),
-		LLMAuth:             string(config.LLMAuthSubscription),
-		LLMAdapter:          string(config.LLMAdapterClaudeCLI),
+func TestInitRepositoryAccessEditorDefaultsToLocalGitHubUsername(t *testing.T) {
+	oldGitConfig := initRepositoryAccessGitConfigValue
+	t.Cleanup(func() { initRepositoryAccessGitConfigValue = oldGitConfig })
+	initRepositoryAccessGitConfigValue = func(key string) string {
+		if key == "github.user" {
+			return "RianJS"
+		}
+		return ""
 	}
-	if runtime, ok := llmRuntimes[selectedRuntime]; ok {
-		draft.LLMProvider = string(runtime.Provider)
-		draft.LLMAuth = string(runtime.Auth)
-		draft.LLMAdapter = string(runtime.Adapter)
-		draft.LLMCredentialStore = initCredentialStoreDraftValue(runtime.CredentialStore)
-		draft.LLMCredentialRef = runtime.CredentialRef
+
+	model := newInitLinearEditorModel(initRepositoryAccessLinearEditor(initPromptContext{}, initDraft{}), 160, 40)
+
+	if got, want := model.document.fieldValue(initRepositoryAccessFieldName), "github-rianjs"; got != want {
+		t.Fatalf("repository access name = %q, want %q", got, want)
 	}
-	storeOptions := []huh.Option[string]{
-		huh.NewOption(initBuiltInOSCredentialStoreTitle()+" - "+initBuiltInOSCredentialStoreDescription(), config.LocalOSCredentialStoreID),
+	if got, want := model.document.fieldValue(initRepositoryAccessFieldCredentialName), "codereview/github-rianjs"; got != want {
+		t.Fatalf("credential name = %q, want %q", got, want)
 	}
-	var document initProfileV2Document
-	document.addSection("Profile", "")
-	document.addEditableInput(initProfileV2FieldProfileName, "Profile name", "", profileName, validateProfileName)
-	initProfileV2AppendRouteSection(&document, routeText)
-	llmRuntimeOptions, normalizedRuntime := initProfileEditorLLMRuntimeSelection(llmRuntimes, selectedRuntime, draft)
-	document.addEditableSelect(initProfileV2FieldLLMRuntime, "LLM runtime", "Choose how reviewer agents run for this profile.", llmRuntimeOptions, normalizedRuntime)
-	initProfileV2AppendLLMStorageSection(&document, storeOptions, draft.LLMCredentialStore, draft.LLMCredentialRef, !initLLMStorageLabelRelevant(normalizedRuntime, llmRuntimes))
-	initProfileV2AppendModelMapSection(&document, initProfileEditorModelMapLLM(draft, normalizedRuntime, llmRuntimes), draft.ModelMap)
-	return initProfileV2Editor{
-		Draft:                  draft,
-		LLMRuntimes:            llmRuntimes,
-		CredentialStoreOptions: storeOptions,
-		Document:               document,
+	refIndex := model.document.fieldIndexByID(initRepositoryAccessFieldCredentialName)
+	if refIndex < 0 || !model.document[refIndex].AutoManaged {
+		t.Fatalf("credential name AutoManaged = false, want true")
 	}
 }
 
-func newTestInitProfileV2EditorWithAgentSources(profileName string, routeText string, agentSources []string) initProfileV2Editor {
-	draft := initDraft{
-		OriginalProfileName: profileName,
-		ProfileName:         profileName,
-		GitHost:             "github.com",
-		GitAuth:             string(config.GitAuthModePAT),
-		LLMProvider:         string(config.LLMProviderAnthropic),
-		LLMAuth:             string(config.LLMAuthSubscription),
-		LLMAdapter:          string(config.LLMAdapterClaudeCLI),
-		AgentSources:        append([]string(nil), agentSources...),
+func TestInitRepositoryAccessEditorAutoUpdatesCredentialRefFromName(t *testing.T) {
+	oldGitConfig := initRepositoryAccessGitConfigValue
+	t.Cleanup(func() { initRepositoryAccessGitConfigValue = oldGitConfig })
+	initRepositoryAccessGitConfigValue = func(string) string { return "" }
+
+	model := newInitLinearEditorModel(initRepositoryAccessLinearEditor(initPromptContext{}, initDraft{}), 160, 40)
+	model = focusInitLinearField(t, model, initRepositoryAccessFieldName)
+	model = updateInitLinearEditorModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
+	model = typeInitLinearText(t, model, "github-rianjs")
+
+	if got, want := model.document.fieldValue(initRepositoryAccessFieldCredentialName), "codereview/github-rianjs"; got != want {
+		t.Fatalf("credential name = %q, want %q", got, want)
 	}
-	var document initProfileV2Document
-	document.addSection("Profile", "")
-	document.addEditableInput(initProfileV2FieldProfileName, "Profile name", "", profileName, validateProfileName)
-	initProfileV2AppendRouteSection(&document, routeText)
-	initProfileV2AppendAgentSourcesSection(&document, agentSources)
-	return initProfileV2Editor{
-		Draft:    draft,
-		Document: document,
+}
+
+func TestInitRepositoryAccessEditorManualCredentialRefStopsAutoUpdate(t *testing.T) {
+	oldGitConfig := initRepositoryAccessGitConfigValue
+	t.Cleanup(func() { initRepositoryAccessGitConfigValue = oldGitConfig })
+	initRepositoryAccessGitConfigValue = func(string) string { return "" }
+
+	model := newInitLinearEditorModel(initRepositoryAccessLinearEditor(initPromptContext{}, initDraft{}), 160, 40)
+	model = focusInitLinearField(t, model, initRepositoryAccessFieldCredentialName)
+	model = updateInitLinearEditorModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
+	model = typeInitLinearText(t, model, "codereview/custom-git")
+	model = focusInitLinearField(t, model, initRepositoryAccessFieldName)
+	model = updateInitLinearEditorModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
+	model = typeInitLinearText(t, model, "github-rianjs")
+
+	if got, want := model.document.fieldValue(initRepositoryAccessFieldCredentialName), "codereview/custom-git"; got != want {
+		t.Fatalf("credential name = %q, want manual override %q", got, want)
 	}
 }
 
-func newTestInitProfileV2EditorWithReviewPolicyAndGitStorage(profileName string, routeText string, policy config.ReviewPolicy, gitStorageLabel string, gitLabelUsesDefault bool, gitScopes map[string]initGitScopeDraft, selectedGitScope string) initProfileV2Editor {
-	draft := initDraft{
-		OriginalProfileName: profileName,
-		ProfileName:         profileName,
-		GitHost:             "github.com",
-		GitAuth:             string(config.GitAuthModePAT),
-		GitCredentialStore:  config.LocalOSCredentialStoreID,
-		GitCredentialRef:    strings.TrimSpace(gitStorageLabel),
-		LLMProvider:         string(config.LLMProviderAnthropic),
-		LLMAuth:             string(config.LLMAuthSubscription),
-		LLMAdapter:          string(config.LLMAdapterClaudeCLI),
-		ReviewPolicy:        policy,
+func TestInitRepositoryAccessEditorRequiresPATBeforeStaging(t *testing.T) {
+	oldGitConfig := initRepositoryAccessGitConfigValue
+	t.Cleanup(func() { initRepositoryAccessGitConfigValue = oldGitConfig })
+	initRepositoryAccessGitConfigValue = func(string) string { return "" }
+
+	model := newInitLinearEditorModel(initRepositoryAccessLinearEditor(initPromptContext{}, initDraft{}), 160, 60)
+	model = focusInitLinearField(t, model, initRepositoryAccessFieldAction)
+	updated, _ := model.Update(tea.KeyMsg{Type: tea.KeyEnter})
+	next, ok := updated.(initLinearEditorModel)
+	if !ok {
+		t.Fatalf("Update returned %T, want initLinearEditorModel", updated)
 	}
-	storeOptions := []huh.Option[string]{
-		huh.NewOption(initBuiltInOSCredentialStoreTitle()+" - "+initBuiltInOSCredentialStoreDescription(), config.LocalOSCredentialStoreID),
+	actionIndex := next.document.fieldIndexByID(initRepositoryAccessFieldAction)
+	if actionIndex < 0 || !strings.Contains(next.document[actionIndex].Error, "set repository access credentials before staging: git_token") {
+		t.Fatalf("action error = %q, want missing git_token", next.document[actionIndex].Error)
 	}
-	var document initProfileV2Document
-	document.addSection("Profile", "")
-	document.addEditableInput(initProfileV2FieldProfileName, "Profile name", "", profileName, validateProfileName)
-	initProfileV2AppendRouteSection(&document, routeText)
-	if selectedGitScope != "" && selectedGitScope != initCustomGitScopeSelection {
-		initProfileV2AppendGitScopeSection(&document, selectedGitScope, initGitScopeOptions(gitScopes), draft, true)
+}
+
+func TestInitRepositoryAccessEditorStagesPATCredentialWrite(t *testing.T) {
+	oldGitConfig := initRepositoryAccessGitConfigValue
+	t.Cleanup(func() { initRepositoryAccessGitConfigValue = oldGitConfig })
+	initRepositoryAccessGitConfigValue = func(string) string { return "" }
+
+	ctx := initPromptContext{}
+	model := newInitLinearEditorModel(initRepositoryAccessLinearEditor(ctx, initDraft{}), 160, 60)
+	model = focusInitLinearField(t, model, initRepositoryAccessFieldGitToken)
+	model = typeInitLinearText(t, model, "work-token")
+
+	draft := initRepositoryAccessDraftFromDocument(ctx, initDraft{}, model.document)
+	if got, want := draft.GitCredentialWriteRef, "codereview/github-com-pat"; got != want {
+		t.Fatalf("GitCredentialWriteRef = %q, want %q", got, want)
 	}
-	initProfileV2AppendReviewPolicySection(&document, policy)
-	initProfileV2AppendGitStorageSection(&document, storeOptions, config.LocalOSCredentialStoreID, gitStorageLabel)
-	return initProfileV2Editor{
-		Draft:                      draft,
-		GitScopes:                  gitScopes,
-		CredentialStoreOptions:     storeOptions,
-		SelectedGitScope:           selectedGitScope,
-		InitialGitStorageLabel:     gitStorageLabel,
-		GitStorageLabelUsesDefault: gitLabelUsesDefault,
-		Document:                   document,
+	if got := draft.GitCredentialWrites[credentials.GitTokenKey]; got != "work-token" {
+		t.Fatalf("git_token write = %q, want work-token", got)
+	}
+	if !draft.GitCredentialSatisfied {
+		t.Fatal("GitCredentialSatisfied = false, want true after staged PAT")
 	}
 }
 
-func newTestInitProfileV2EditorWithGitScope(profileName string, routeText string, selectedGitScope string, gitScopes map[string]initGitScopeDraft, draft initDraft) initProfileV2Editor {
-	var document initProfileV2Document
-	document.addSection("Profile", "")
-	document.addEditableInput(initProfileV2FieldProfileName, "Profile name", "", profileName, validateProfileName)
-	initProfileV2AppendRouteSection(&document, routeText)
-	initProfileV2AppendGitScopeSection(&document, selectedGitScope, initGitScopeOptions(gitScopes), draft, true)
-	return initProfileV2Editor{
-		Draft:            draft,
-		GitScopes:        gitScopes,
-		SelectedGitScope: selectedGitScope,
-		Document:         document,
+func TestInitRepositoryAccessEditorAcceptsExistingPATCredential(t *testing.T) {
+	oldGitConfig := initRepositoryAccessGitConfigValue
+	t.Cleanup(func() { initRepositoryAccessGitConfigValue = oldGitConfig })
+	initRepositoryAccessGitConfigValue = func(string) string { return "" }
+	resolved, err := credentials.ResolveCredentialStore(config.File{}, config.LocalOSCredentialStoreID)
+	if err != nil {
+		t.Fatalf("ResolveCredentialStore: %v", err)
+	}
+	ctx := initPromptContext{
+		RepositoryAccessCredentialStatuses: []initReviewerCredentialStatus{{
+			Ref:            config.CredentialRef{Purpose: "git", Store: config.LocalOSCredentialStoreID, Ref: "codereview/github-com-pat", Mode: string(config.GitAuthModePAT)},
+			SecretsProfile: resolved,
+			Keys:           []initReviewerCredentialKeyStatus{{Key: credentials.GitTokenKey, Required: true, State: initReviewerCredentialKeyExisting}},
+		}},
+	}
+	model := newInitLinearEditorModel(initRepositoryAccessLinearEditor(ctx, initDraft{}), 160, 60)
+
+	if err := validateRepositoryAccessDocument(ctx, model.document); err != nil {
+		t.Fatalf("validateRepositoryAccessDocument: %v", err)
 	}
 }
 
-func TestInitInteractiveMenuExitWithoutSaveLeavesConfigUntouched(t *testing.T) {
+func TestInitInteractiveMenuWritesStandaloneRepositoryAccessPAT(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
-	original := config.File{
-		Profiles: map[string]config.Profile{"work": basicProfile("work")},
-	}
-	saveCredentialTestConfig(t, path, original)
-	wantCfg, err := config.Load(path)
-	if err != nil {
-		t.Fatalf("Load initial config: %v", err)
-	}
+	writeRawCredentialTestConfig(t, path, "profiles: {}\n")
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
 		Stdout:     &bytes.Buffer{},
 		Stderr:     &bytes.Buffer{},
 		ConfigPath: path,
 	}
-	openStoreCalls := 0
+	store := newFakeInitStore(map[string]map[string]string{})
+	resolved, err := credentials.ResolveCredentialStore(config.File{}, config.LocalOSCredentialStoreID)
+	if err != nil {
+		t.Fatalf("ResolveCredentialStore: %v", err)
+	}
 	deps := initDeps{
 		menuPrompter: &fakeInitMenuPrompter{
-			actions: []initMenuAction{initMenuActionExit},
-		},
-		secretPrompter: &fakeInitSecretPrompter{
-			actions: []initCredentialSecretAction{},
+			actions: []initMenuAction{
+				initMenuActionRepositoryAccess,
+				initMenuActionSave,
+			},
 		},
+		repositoryPrompter: initRepositoryAccessPrompterFunc(func(_ initRepositoryAccessPrompt) (initDraft, error) {
+			return initDraft{
+				RepositoryAccessName:    "work-git",
+				GitHost:                 "github.company.com",
+				GitAuth:                 string(config.GitAuthModePAT),
+				GitCredentialStore:      config.LocalOSCredentialStoreID,
+				GitCredentialRef:        "codereview/work-git",
+				GitCredentialWriteRef:   "codereview/work-git",
+				GitCredentialWriteStore: resolved,
+				GitCredentialWrites:     map[string]string{credentials.GitTokenKey: "work-token"},
+				GitCredentialSatisfied:  true,
+			}, nil
+		}),
 		openStore: func(string, bool, config.File) (initStore, error) {
-			openStoreCalls++
-			return newFakeInitStore(map[string]map[string]string{}), nil
+			return store, nil
 		},
 		configPath: func(*root.Options) (string, error) { return path, nil },
-		loadConfig: loadConfigForInit,
+		loadConfig: func(string) (config.File, bool, error) {
+			return config.File{Profiles: map[string]config.Profile{}}, false, nil
+		},
 		saveConfig: config.Save,
 	}
 
 	if err := runInitWithDeps(&cobra.Command{}, opts, initOptions{}, deps); err != nil {
 		t.Fatalf("runInitWithDeps: %v", err)
 	}
-	cfg, err := config.Load(path)
-	if err != nil {
-		t.Fatalf("Load config: %v", err)
-	}
-	if !reflect.DeepEqual(cfg, wantCfg) {
-		t.Fatalf("config after exit-without-save = %#v, want %#v", cfg, wantCfg)
-	}
-	if openStoreCalls != 0 {
-		t.Fatalf("openStoreCalls = %d, want 0 on exit-without-save", openStoreCalls)
+	if got := store.bundles["work-git"][credentials.GitTokenKey]; got != "work-token" {
+		t.Fatalf("stored git_token = %q, want work-token; bundles=%#v", got, store.bundles)
 	}
 }
 
@@ -14957,6 +15988,7 @@ func TestInitInteractiveMenuFocusedLLMRuntimePreservesUnrelatedProfileState(t *t
 	profile.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
 		Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		IdentityCache: "reviewer-cache",
 	}
 	profile.LLM.ModelMap = config.ModelMap{"medium": "claude-custom"}
@@ -14966,7 +15998,6 @@ func TestInitInteractiveMenuFocusedLLMRuntimePreservesUnrelatedProfileState(t *t
 		MajorEvent:       config.ReviewMajorEventRequestChanges,
 		AllowSelfApprove: true,
 		ResolveThreads:   config.ResolveThreadsNever,
-		ResolveAfter:     "24h",
 	}
 	wantRoutes := []config.RepositoryProfile{{
 		Profile: "work",
@@ -14980,7 +16011,7 @@ func TestInitInteractiveMenuFocusedLLMRuntimePreservesUnrelatedProfileState(t *t
 		RepositoryProfiles: wantRoutes,
 		Profiles:           map[string]config.Profile{"work": profile},
 	})
-	profile = normalizeTestProfile(profile)
+	profile = normalizeTestProfileNamed("work", profile)
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
 		Stdout:     &bytes.Buffer{},
@@ -15069,7 +16100,7 @@ func TestInitInteractiveMenuFocusedLLMRuntimeNoOpSkipsStoreOnSaveAndPersistsGlob
 	saveCredentialTestConfig(t, path, config.File{
 		Profiles: map[string]config.Profile{"work": wantProfile},
 	})
-	wantProfile = normalizeTestProfile(wantProfile)
+	wantProfile = normalizeTestProfileNamed("work", wantProfile)
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
 		Stdout:     &bytes.Buffer{},
@@ -15131,7 +16162,6 @@ func TestInitInteractiveMenuFocusedLLMRuntimeNoOpSkipsStoreOnSaveAndPersistsGlob
 	if cfg.Data.Retention.MaxAgeDaysValue() != 14 || cfg.Data.Retention.Enforcement != config.RetentionAtWrite {
 		t.Fatalf("retention = %#v, want 14/at_write", cfg.Data.Retention)
 	}
-	wantProfile.ReviewPolicy.MajorEvent = config.ReviewMajorEventComment
 	if !reflect.DeepEqual(cfg.Profiles["work"], wantProfile) {
 		t.Fatalf("profile = %#v, want unchanged %#v", cfg.Profiles["work"], wantProfile)
 	}
@@ -15280,6 +16310,7 @@ func TestInitInteractiveMenuFocusedReviewerEntityRebuildsSecretPlanning(t *testi
 			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 			draft.ReviewerEnabled = true
 			draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
+			draft.ReviewerGitHubAppID = "12345"
 			return draft, nil
 		}),
 		retentionPrompter: initRetentionPrompterFunc(func(initRetentionPrompt) (initRetentionEdit, error) {
@@ -15302,8 +16333,7 @@ func TestInitInteractiveMenuFocusedReviewerEntityRebuildsSecretPlanning(t *testi
 				"default": {
 					credentials.GitTokenKey: "existing-token",
 				},
-				"default-reviewer": {
-					credentials.GitHubAppIDKey:         "12345",
+				"reviewer-github-app": {
 					credentials.GitHubAppPrivateKeyKey: "private-key",
 				},
 			}), nil
@@ -15323,14 +16353,25 @@ func TestInitInteractiveMenuFocusedReviewerEntityRebuildsSecretPlanning(t *testi
 		t.Fatalf("Load config: %v", err)
 	}
 	profile := cfg.Profiles["default"]
-	if profile.ReviewerCredentials == nil {
-		t.Fatal("reviewer credentials = nil, want focused reviewer edit to enable separate reviewer")
+	if profile.Reviewer.Kind != config.ProfileReviewerKindGitIdentity {
+		t.Fatalf("profile reviewer = %#v, want reusable reviewer entity to stay unattached until selected by profile", profile.Reviewer)
+	}
+	var gotEntity *config.ReviewerEntity
+	for name, entity := range cfg.ReviewerEntities {
+		if entity.AuthMode == config.GitAuthModeGitHubApp {
+			entityCopy := entity
+			gotEntity = &entityCopy
+			if name == "" {
+				t.Fatal("reviewer entity name is empty")
+			}
+			break
+		}
 	}
-	if profile.ReviewerCredentials.AuthMode != config.GitAuthModeGitHubApp {
-		t.Fatalf("reviewer credentials = %#v, want github app reviewer", profile.ReviewerCredentials)
+	if gotEntity == nil {
+		t.Fatalf("reviewer_entities = %#v, want staged GitHub App reviewer entity", cfg.ReviewerEntities)
 	}
-	if profile.ReviewerCredentials.CredentialRef == "" {
-		t.Fatalf("reviewer credential ref = %q, want generated ref after reviewer rebuild", profile.ReviewerCredentials.CredentialRef)
+	if gotEntity.CredentialRef == "" {
+		t.Fatalf("reviewer entity credential ref = %q, want generated ref after reviewer rebuild", gotEntity.CredentialRef)
 	}
 	if cfg.Keyring.Backend != "" || cfg.Data.Retention.MaxAgeDaysValue() != 14 || cfg.Data.Retention.Enforcement != config.RetentionAtWrite {
 		t.Fatalf("global settings after reviewer rebuild = %#v / %#v, want empty backend + 14/at_write", cfg.Keyring, cfg.Data.Retention)
@@ -15345,9 +16386,7 @@ func TestInitCredentialSecretPromptTitleReviewerKeys(t *testing.T) {
 			Mode:    string(config.GitAuthModeGitHubApp),
 		},
 		KeySpecs: []credentials.KeySpec{
-			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-			{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 		},
 	}
 	patEntry := initCredentialPlanEntry{
@@ -15369,7 +16408,7 @@ func TestInitCredentialSecretPromptTitleReviewerKeys(t *testing.T) {
 			got: initCredentialSecretPromptTitle(initCredentialSecretPrompt{
 				Entry: githubAppEntry,
 			}),
-			want: "How should init handle GitHub App reviewer secrets? (codereview/rianjs-bot) (required: github_app_id, github_app_private_key; optional: github_app_installation_id)",
+			want: "How should init handle GitHub App reviewer secrets? (codereview/rianjs-bot)",
 		},
 		{
 			name: "pat action title",
@@ -15690,25 +16729,20 @@ func TestInitReviewerCredentialStatusStates(t *testing.T) {
 			Mode:    string(config.GitAuthModeGitHubApp),
 		},
 		KeySpecs: []credentials.KeySpec{
-			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-			{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 		},
 	}
-	decisions := map[initCredentialDecisionKey]initCredentialDecisionKind{}
-	decisions[initCredentialDecisionMapKey(entry, credentials.GitHubAppInstallationIDKey)] = initCredentialDecisionSkipOptional
 
 	status := initReviewerCredentialStatusFromEntry(
 		entry,
 		map[string]string{credentials.GitHubAppPrivateKeyKey: "sentinel-private-key"},
-		decisions,
-		map[string]bool{credentials.GitHubAppIDKey: true},
+		map[initCredentialDecisionKey]initCredentialDecisionKind{},
+		map[string]bool{},
 		"",
 	)
 
-	assertReviewerCredentialKeyState(t, status, credentials.GitHubAppIDKey, initReviewerCredentialKeyExisting)
+	assertReviewerCredentialKeyAbsent(t, status, credentials.GitHubAppIDKey)
 	assertReviewerCredentialKeyState(t, status, credentials.GitHubAppPrivateKeyKey, initReviewerCredentialKeyStaged)
-	assertReviewerCredentialKeyState(t, status, credentials.GitHubAppInstallationIDKey, initReviewerCredentialKeySkippedOptional)
 	if strings.Contains(initReviewerCredentialStatusDescription(status), "sentinel-private-key") {
 		t.Fatalf("status description leaked secret value: %s", initReviewerCredentialStatusDescription(status))
 	}
@@ -15722,9 +16756,7 @@ func TestInitReviewerCredentialStatusDeferPreservesPartialExistingKeys(t *testin
 			Mode:    string(config.GitAuthModeGitHubApp),
 		},
 		KeySpecs: []credentials.KeySpec{
-			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-			{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 		},
 	}
 	decisions := map[initCredentialDecisionKey]initCredentialDecisionKind{}
@@ -15734,13 +16766,12 @@ func TestInitReviewerCredentialStatusDeferPreservesPartialExistingKeys(t *testin
 		entry,
 		nil,
 		decisions,
-		map[string]bool{credentials.GitHubAppIDKey: true},
+		map[string]bool{},
 		"",
 	)
 
-	assertReviewerCredentialKeyState(t, status, credentials.GitHubAppIDKey, initReviewerCredentialKeyExisting)
+	assertReviewerCredentialKeyAbsent(t, status, credentials.GitHubAppIDKey)
 	assertReviewerCredentialKeyState(t, status, credentials.GitHubAppPrivateKeyKey, initReviewerCredentialKeyDeferred)
-	assertReviewerCredentialKeyState(t, status, credentials.GitHubAppInstallationIDKey, initReviewerCredentialKeyOptional)
 }
 
 func TestInitReviewerCredentialStatusSelectionFiltersByAuthMode(t *testing.T) {
@@ -15756,7 +16787,6 @@ func TestInitReviewerCredentialStatusSelectionFiltersByAuthMode(t *testing.T) {
 					Mode:    string(config.GitAuthModeGitHubApp),
 				},
 				Keys: []initReviewerCredentialKeyStatus{
-					{Key: credentials.GitHubAppIDKey, Required: true, State: initReviewerCredentialKeyStaged},
 					{Key: credentials.GitHubAppPrivateKeyKey, Required: true, State: initReviewerCredentialKeyStaged},
 				},
 			},
@@ -15915,6 +16945,7 @@ func TestInitReviewerCredentialStatusDropsStagedWritesWhenSecretsStoreChanges(t
 	originalProfile.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:   config.GitAuthModeGitHubApp,
 		Credential: config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
+		GitHubApp:  &config.GitHubAppConfig{AppID: "12345"},
 	}
 	originalCfg := config.File{Profiles: map[string]config.Profile{"work": originalProfile}}
 	originalResolved, err := credentials.ResolveSecretsProfileForProfile(originalCfg, originalProfile)
@@ -15942,7 +16973,6 @@ func TestInitReviewerCredentialStatusDropsStagedWritesWhenSecretsStoreChanges(t
 		},
 		writes: map[string]map[string]string{
 			"codereview/work-reviewer": {
-				credentials.GitHubAppIDKey:         "12345",
 				credentials.GitHubAppPrivateKeyKey: "private-key",
 			},
 		},
@@ -15964,7 +16994,7 @@ func TestInitReviewerCredentialStatusDropsStagedWritesWhenSecretsStoreChanges(t
 
 	statuses := buildInteractiveInitReviewerCredentialStatuses(&root.Options{}, deps, session)
 	status := findReviewerCredentialStatusForTest(t, statuses, "codereview/work-reviewer", string(config.GitAuthModeGitHubApp))
-	assertReviewerCredentialKeyState(t, status, credentials.GitHubAppIDKey, initReviewerCredentialKeyMissing)
+	assertReviewerCredentialKeyAbsent(t, status, credentials.GitHubAppIDKey)
 	assertReviewerCredentialKeyState(t, status, credentials.GitHubAppPrivateKeyKey, initReviewerCredentialKeyMissing)
 }
 
@@ -16083,10 +17113,10 @@ func stageDraftInlineGitHubAppReviewerCredentials(draft *initDraft, ref string,
 	if strings.TrimSpace(draft.ReviewerCredentialStore) == "" {
 		draft.ReviewerCredentialStore = config.LocalOSCredentialStoreID
 	}
+	draft.ReviewerGitHubAppID = strings.TrimSpace(appID)
 	draft.ReviewerCredentialWriteRef = ref
 	draft.ReviewerCredentialWriteStore = testLocalOSResolvedCredentialStore()
 	draft.ReviewerCredentialWrites = map[string]string{
-		credentials.GitHubAppIDKey:         appID,
 		credentials.GitHubAppPrivateKeyKey: privateKey,
 	}
 	draft.ReviewerCredentialSatisfied = true
@@ -16122,8 +17152,8 @@ func TestMergeReviewerCredentialDraftWritesDropsStaleKeysWhenAuthModeChanges(t *
 		if _, ok := session.writes[ref][credentials.GitTokenKey]; ok {
 			t.Fatalf("writes[%q] kept stale PAT key: %#v", ref, session.writes[ref])
 		}
-		if got := session.writes[ref][credentials.GitHubAppIDKey]; got != "12345" {
-			t.Fatalf("github_app_id = %q, want current GitHub App staged value", got)
+		if _, ok := session.writes[ref][credentials.GitHubAppIDKey]; ok {
+			t.Fatalf("writes[%q] staged non-secret app id: %#v", ref, session.writes[ref])
 		}
 		if got := session.writes[ref][credentials.GitHubAppPrivateKeyKey]; got != privateKey {
 			t.Fatalf("github_app_private_key = %q, want current GitHub App staged value", got)
@@ -16135,6 +17165,7 @@ func TestMergeReviewerCredentialDraftWritesDropsStaleKeysWhenAuthModeChanges(t *
 		profile := basicProfile("work")
 		profile.ReviewerCredentials = &config.ReviewerCredentials{
 			AuthMode:      config.GitAuthModeGitHubApp,
+			GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 			CredentialRef: ref,
 		}
 		if _, err := planInitCredentialsWithConfig(config.File{Profiles: map[string]config.Profile{"work": profile}}, nil, profile, projectInitPlannedWriteKeys(session.writes)); err != nil {
@@ -16271,19 +17302,23 @@ func TestInitInteractiveMenuFocusedGitHubAppReviewerInlineWritesReadyWithoutHint
 		t.Fatalf("Load config: %v", err)
 	}
 	profile := got.Profiles["work"]
-	if profile.ReviewerCredentials == nil {
-		t.Fatal("reviewer credentials = nil, want deferred GitHub App reviewer saved")
+	if profile.Reviewer.Kind != config.ProfileReviewerKindGitIdentity {
+		t.Fatalf("profile reviewer = %#v, want standalone reviewer entity to remain unattached", profile.Reviewer)
 	}
-	if profile.ReviewerCredentials.AuthMode != config.GitAuthModeGitHubApp ||
-		profile.ReviewerCredentials.CredentialRef != "codereview/rianjs-bot" ||
-		profile.ReviewerCredentials.DisplayName != "rianjs-bot" {
-		t.Fatalf("reviewer credentials = %#v, want rianjs-bot GitHub App reviewer", profile.ReviewerCredentials)
+	entity := got.ReviewerEntities["reviewer-github-app"]
+	if entity.AuthMode != config.GitAuthModeGitHubApp ||
+		entity.CredentialRef != "codereview/rianjs-bot" ||
+		entity.DisplayName != "rianjs-bot" {
+		t.Fatalf("reviewer entity = %#v, want rianjs-bot GitHub App reviewer", entity)
+	}
+	if entity.GitHubApp == nil || entity.GitHubApp.AppID != "12345" {
+		t.Fatalf("reviewer entity GitHubApp = %#v, want app id 12345", entity.GitHubApp)
 	}
 	if len(secretPrompter.actionPrompts) != 0 || len(secretPrompter.sourcePrompts) != 0 {
 		t.Fatalf("secret prompts = actions:%d sources:%d, want inline reviewer credential collection only", len(secretPrompter.actionPrompts), len(secretPrompter.sourcePrompts))
 	}
-	if got := store.bundles["rianjs-bot"][credentials.GitHubAppIDKey]; got != "12345" {
-		t.Fatalf("stored app id = %q, want staged inline value", got)
+	if _, ok := store.bundles["rianjs-bot"][credentials.GitHubAppIDKey]; ok {
+		t.Fatalf("stored app id unexpectedly: %#v", store.bundles["rianjs-bot"])
 	}
 	if got := store.bundles["rianjs-bot"][credentials.GitHubAppPrivateKeyKey]; got != privateKey {
 		t.Fatalf("stored private key = %q, want staged inline private key", got)
@@ -16291,9 +17326,6 @@ func TestInitInteractiveMenuFocusedGitHubAppReviewerInlineWritesReadyWithoutHint
 	if _, ok := store.bundles["rianjs-bot"][credentials.GitHubAppInstallationIDKey]; ok {
 		t.Fatalf("installation id stored unexpectedly: %#v", store.bundles["rianjs-bot"])
 	}
-	if !strings.Contains(stdout.String(), "- work: ready") {
-		t.Fatalf("stdout = %q, want ready profile after inline reviewer credentials", stdout.String())
-	}
 	if strings.Contains(stdout.String(), "reviewer deferred") || strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/rianjs-bot") {
 		t.Fatalf("stdout/stderr kept follow-up hint:\nstdout=%s\nstderr=%s", stdout.String(), stderr.String())
 	}
@@ -16363,8 +17395,8 @@ func TestInitInteractiveMenuFocusedGitHubAppReviewerInlineWritesBeforeCommitAndD
 	if len(secretPrompter.actionPrompts) != 0 || len(secretPrompter.sourcePrompts) != 0 {
 		t.Fatalf("secret prompts = actions:%d sources:%d, want no separate reviewer credential prompt", len(secretPrompter.actionPrompts), len(secretPrompter.sourcePrompts))
 	}
-	if got := store.bundles["rianjs-bot"][credentials.GitHubAppIDKey]; got != "12345" {
-		t.Fatalf("stored app id = %q, want staged value written at commit", got)
+	if _, ok := store.bundles["rianjs-bot"][credentials.GitHubAppIDKey]; ok {
+		t.Fatalf("stored app id unexpectedly: %#v", store.bundles["rianjs-bot"])
 	}
 	if got := store.bundles["rianjs-bot"][credentials.GitHubAppPrivateKeyKey]; got != privateKey {
 		t.Fatalf("stored private key = %q, want multi-line private key", got)
@@ -16375,9 +17407,6 @@ func TestInitInteractiveMenuFocusedGitHubAppReviewerInlineWritesBeforeCommitAndD
 	if strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/rianjs-bot") {
 		t.Fatalf("stderr = %q, want no follow-up hints after set-now reviewer flow", stderr.String())
 	}
-	if !strings.Contains(stdout.String(), "- work: ready") {
-		t.Fatalf("stdout = %q, want ready profile after set-now reviewer flow", stdout.String())
-	}
 }
 
 func TestInitInteractiveMenuLabelDerivedReviewerRefDoesNotOverwriteUnconfiguredExistingBundle(t *testing.T) {
@@ -16399,7 +17428,6 @@ func TestInitInteractiveMenuLabelDerivedReviewerRefDoesNotOverwriteUnconfiguredE
 	store := newFakeInitStore(map[string]map[string]string{
 		"work": {credentials.GitTokenKey: "existing-token"},
 		"rianjs-bot-reviewer": {
-			credentials.GitHubAppIDKey:         "existing-app-id",
 			credentials.GitHubAppPrivateKeyKey: "existing-private-key",
 		},
 	})
@@ -16453,9 +17481,6 @@ func TestInitInteractiveMenuLabelDerivedReviewerRefDoesNotOverwriteUnconfiguredE
 	if err == nil || !strings.Contains(err.Error(), credstore.ErrExists.Error()) {
 		t.Fatalf("runInitWithDeps error = %v, want no-overwrite conflict", err)
 	}
-	if got := store.bundles["rianjs-bot-reviewer"][credentials.GitHubAppIDKey]; got != "existing-app-id" {
-		t.Fatalf("stored github_app_id = %q, want existing value preserved after conflict", got)
-	}
 	if got := store.bundles["rianjs-bot-reviewer"][credentials.GitHubAppPrivateKeyKey]; got != "existing-private-key" {
 		t.Fatalf("stored private key = %q, want existing value preserved after conflict", got)
 	}
@@ -16483,7 +17508,6 @@ func TestInitInteractiveMenuManualReviewerRefDoesNotOverwriteUnconfiguredExistin
 	store := newFakeInitStore(map[string]map[string]string{
 		"work": {credentials.GitTokenKey: "existing-token"},
 		"manual-reviewer": {
-			credentials.GitHubAppIDKey:         "existing-app-id",
 			credentials.GitHubAppPrivateKeyKey: "existing-private-key",
 		},
 	})
@@ -16537,9 +17561,6 @@ func TestInitInteractiveMenuManualReviewerRefDoesNotOverwriteUnconfiguredExistin
 	if err == nil || !strings.Contains(err.Error(), credstore.ErrExists.Error()) {
 		t.Fatalf("runInitWithDeps error = %v, want no-overwrite conflict", err)
 	}
-	if got := store.bundles["manual-reviewer"][credentials.GitHubAppIDKey]; got != "existing-app-id" {
-		t.Fatalf("stored github_app_id = %q, want existing value preserved after conflict", got)
-	}
 	if got := store.bundles["manual-reviewer"][credentials.GitHubAppPrivateKeyKey]; got != "existing-private-key" {
 		t.Fatalf("stored private key = %q, want existing value preserved after conflict", got)
 	}
@@ -16693,7 +17714,8 @@ func TestInitInteractiveMenuReviewerCredentialDecisionDropsAfterReviewerCleared(
 				draft.ReviewerCredentialRef = "codereview/rianjs-bot"
 				stageDraftInlineGitHubAppReviewerCredentials(&draft, draft.ReviewerCredentialRef, "12345", testReviewerGitHubAppPrivateKey())
 			case 2:
-				draft.ReviewerEnabled = false
+				draft.Action = initDraftActionDeleteReviewerEntity
+				draft.ActionTarget = "reviewer-github-app"
 			default:
 				return initDraft{}, errInitNavigateBack
 			}
@@ -16721,8 +17743,8 @@ func TestInitInteractiveMenuReviewerCredentialDecisionDropsAfterReviewerCleared(
 	if err != nil {
 		t.Fatalf("Load config: %v", err)
 	}
-	if got.Profiles["work"].ReviewerCredentials != nil {
-		t.Fatalf("reviewer credentials = %#v, want cleared reviewer", got.Profiles["work"].ReviewerCredentials)
+	if _, ok := got.ReviewerEntities["reviewer-github-app"]; ok {
+		t.Fatalf("reviewer_entities = %#v, want deleted standalone reviewer entity absent", got.ReviewerEntities)
 	}
 }
 
@@ -16762,11 +17784,13 @@ func TestInitInteractiveMenuReviewerCredentialDecisionDropsAfterReviewerRefChang
 			draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
 			switch reviewerPrompterCalls {
 			case 1:
+				draft.ActionTarget = "reviewer-github-app"
 				draft.ReviewerCredentialRef = "codereview/old-reviewer"
-				stageDraftInlineGitHubAppReviewerCredentials(&draft, draft.ReviewerCredentialRef, "old-app-id", testReviewerGitHubAppPrivateKey())
+				stageDraftInlineGitHubAppReviewerCredentials(&draft, draft.ReviewerCredentialRef, "111", testReviewerGitHubAppPrivateKey())
 			case 2:
+				draft.ActionTarget = "reviewer-github-app"
 				draft.ReviewerCredentialRef = "codereview/new-reviewer"
-				stageDraftInlineGitHubAppReviewerCredentials(&draft, draft.ReviewerCredentialRef, "new-app-id", testReviewerGitHubAppPrivateKey())
+				stageDraftInlineGitHubAppReviewerCredentials(&draft, draft.ReviewerCredentialRef, "222", testReviewerGitHubAppPrivateKey())
 			default:
 				return initDraft{}, errInitNavigateBack
 			}
@@ -16797,15 +17821,19 @@ func TestInitInteractiveMenuReviewerCredentialDecisionDropsAfterReviewerRefChang
 	if _, ok := store.bundles["old-reviewer"]; ok {
 		t.Fatalf("old reviewer bundle = %#v, want stale inline write filtered", store.bundles["old-reviewer"])
 	}
-	if got := store.bundles["new-reviewer"][credentials.GitHubAppIDKey]; got != "new-app-id" {
-		t.Fatalf("new reviewer app id = %q, want active inline write", got)
+	if _, ok := store.bundles["new-reviewer"][credentials.GitHubAppIDKey]; ok {
+		t.Fatalf("new reviewer stored app id unexpectedly: %#v", store.bundles["new-reviewer"])
 	}
 	got, err := config.Load(path)
 	if err != nil {
 		t.Fatalf("Load config: %v", err)
 	}
-	if got.Profiles["work"].ReviewerCredentials == nil || got.Profiles["work"].ReviewerCredentials.CredentialRef != "codereview/new-reviewer" {
-		t.Fatalf("reviewer credentials = %#v, want new reviewer ref", got.Profiles["work"].ReviewerCredentials)
+	entity := got.ReviewerEntities["reviewer-github-app"]
+	if entity.CredentialRef != "codereview/new-reviewer" {
+		t.Fatalf("reviewer entity = %#v, want new reviewer ref", entity)
+	}
+	if entity.GitHubApp == nil || entity.GitHubApp.AppID != "222" {
+		t.Fatalf("reviewer entity GitHubApp = %#v, want new app id", entity.GitHubApp)
 	}
 }
 
@@ -16841,7 +17869,7 @@ func TestInitInteractiveMenuReviewerSetNowDiscardDoesNotWriteConfigOrCredentials
 			draft.ReviewerEnabled = true
 			draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
 			draft.ReviewerCredentialRef = "codereview/rianjs-bot"
-			stageDraftInlineGitHubAppReviewerCredentials(&draft, draft.ReviewerCredentialRef, "sentinel-app-id", "sentinel-private-key")
+			stageDraftInlineGitHubAppReviewerCredentials(&draft, draft.ReviewerCredentialRef, "333", "sentinel-private-key")
 			return draft, nil
 		}),
 		secretPrompter: &fakeInitSecretPrompter{},
@@ -16976,16 +18004,15 @@ func TestInitInteractiveMenuReviewerCredentialStatusShowsStagedOnReentry(t *test
 				draft.ReviewerEnabled = true
 				draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
 				draft.ReviewerCredentialRef = "codereview/rianjs-bot"
-				stageDraftInlineGitHubAppReviewerCredentials(&draft, draft.ReviewerCredentialRef, "sentinel-app-id", "sentinel-private-key")
+				stageDraftInlineGitHubAppReviewerCredentials(&draft, draft.ReviewerCredentialRef, "444", "sentinel-private-key")
 				return draft, nil
 			case 2:
 				if len(prompt.Context.ReviewerCredentialStatuses) == 0 {
 					t.Fatalf("second prompt reviewer statuses empty; existing profile name = %q; staged profile = %#v", prompt.Context.ExistingProfileName, prompt.Context.ExistingConfig.Profiles["work"].ReviewerCredentials)
 				}
 				status := findReviewerCredentialStatusForTest(t, prompt.Context.ReviewerCredentialStatuses, "codereview/rianjs-bot", string(config.GitAuthModeGitHubApp))
-				assertReviewerCredentialKeyState(t, status, credentials.GitHubAppIDKey, initReviewerCredentialKeyStaged)
+				assertReviewerCredentialKeyAbsent(t, status, credentials.GitHubAppIDKey)
 				assertReviewerCredentialKeyState(t, status, credentials.GitHubAppPrivateKeyKey, initReviewerCredentialKeyStaged)
-				assertReviewerCredentialKeyState(t, status, credentials.GitHubAppInstallationIDKey, initReviewerCredentialKeyOptional)
 				description := initReviewerCredentialStatusDescription(status)
 				if strings.Contains(description, "sentinel") {
 					t.Fatalf("status leaked secret value: %s", description)
@@ -17048,6 +18075,7 @@ func TestInitInteractiveMenuFocusedReviewerEntitySavePreservesCustomCredentialRe
 		},
 		ReviewerCredentials: &config.ReviewerCredentials{
 			AuthMode:      config.GitAuthModeGitHubApp,
+			GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 			CredentialRef: "codereview/custom-work-reviewer",
 		},
 		LLM: config.LLMConfig{
@@ -17093,7 +18121,6 @@ func TestInitInteractiveMenuFocusedReviewerEntitySavePreservesCustomCredentialRe
 					credentials.GitTokenKey: "existing-token",
 				},
 				"custom-work-reviewer": {
-					credentials.GitHubAppIDKey:         "12345",
 					credentials.GitHubAppPrivateKeyKey: "private-key",
 				},
 			}), nil
@@ -17131,6 +18158,7 @@ func TestInitInteractiveMenuFocusedReviewerEntityLabelOnlySaveSkipsCredentialWri
 				},
 				ReviewerCredentials: &config.ReviewerCredentials{
 					AuthMode:      config.GitAuthModeGitHubApp,
+					GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 					CredentialRef: "codereview/work-reviewer",
 					DisplayName:   "Old label",
 				},
@@ -17155,7 +18183,6 @@ func TestInitInteractiveMenuFocusedReviewerEntityLabelOnlySaveSkipsCredentialWri
 			credentials.GitTokenKey: "existing-token",
 		},
 		"work-reviewer": {
-			credentials.GitHubAppIDKey:         "12345",
 			credentials.GitHubAppPrivateKeyKey: "private-key",
 		},
 	})
@@ -17179,6 +18206,7 @@ func TestInitInteractiveMenuFocusedReviewerEntityLabelOnlySaveSkipsCredentialWri
 				return initDraft{}, errInitNavigateBack
 			}
 			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
+			draft.ActionTarget = "work-reviewer"
 			draft.ReviewerEnabled = true
 			draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
 			draft.ReviewerDisplayName = "OC Collective bot"
@@ -17211,7 +18239,7 @@ func TestInitInteractiveMenuFocusedReviewerEntityLabelOnlySaveSkipsCredentialWri
 	}
 }
 
-func TestInitInteractiveMenuFocusedReviewerEntitySaveRestoresDefaultCredentialRefWhenDraftClearsCustomRef(t *testing.T) {
+func TestInitInteractiveMenuFocusedReviewerEntitySavePreservesExistingCredentialRefWhenDraftClearsRef(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	cfg := config.File{
 		Profiles: map[string]config.Profile{
@@ -17223,6 +18251,7 @@ func TestInitInteractiveMenuFocusedReviewerEntitySaveRestoresDefaultCredentialRe
 				},
 				ReviewerCredentials: &config.ReviewerCredentials{
 					AuthMode:      config.GitAuthModeGitHubApp,
+					GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 					CredentialRef: "codereview/custom-work-reviewer",
 				},
 				LLM: config.LLMConfig{
@@ -17258,6 +18287,7 @@ func TestInitInteractiveMenuFocusedReviewerEntitySaveRestoresDefaultCredentialRe
 				return initDraft{}, errInitNavigateBack
 			}
 			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
+			draft.ActionTarget = "work-reviewer"
 			draft.ReviewerEnabled = true
 			draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
 			draft.ReviewerCredentialRef = ""
@@ -17276,11 +18306,9 @@ func TestInitInteractiveMenuFocusedReviewerEntitySaveRestoresDefaultCredentialRe
 					credentials.GitTokenKey: "existing-token",
 				},
 				"work-reviewer": {
-					credentials.GitHubAppIDKey:         "12345",
 					credentials.GitHubAppPrivateKeyKey: "private-key",
 				},
 				"custom-work-reviewer": {
-					credentials.GitHubAppIDKey:         "legacy-id",
 					credentials.GitHubAppPrivateKeyKey: "legacy-private-key",
 				},
 			}), nil
@@ -17302,10 +18330,10 @@ func TestInitInteractiveMenuFocusedReviewerEntitySaveRestoresDefaultCredentialRe
 	}
 	profile := got.Profiles["work"]
 	if profile.ReviewerCredentials == nil {
-		t.Fatal("reviewer credentials = nil, want default reviewer ref restored after save")
+		t.Fatal("reviewer credentials = nil, want existing reviewer ref preserved after save")
 	}
-	if profile.ReviewerCredentials.CredentialRef != "codereview/work-reviewer" {
-		t.Fatalf("reviewer credential ref = %q, want generated default reviewer ref after clearing custom ref", profile.ReviewerCredentials.CredentialRef)
+	if profile.ReviewerCredentials.CredentialRef != "codereview/custom-work-reviewer" {
+		t.Fatalf("reviewer credential ref = %q, want existing reviewer ref preserved after clearing draft ref", profile.ReviewerCredentials.CredentialRef)
 	}
 }
 
@@ -17430,6 +18458,7 @@ func TestInitInteractiveMenuFocusedReviewerEntityDeleteUndoReturnsToMenu(t *test
 				profile := basicProfile("work")
 				profile.ReviewerCredentials = &config.ReviewerCredentials{
 					AuthMode:      config.GitAuthModeGitHubApp,
+					GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 					CredentialRef: "codereview/shared-reviewer",
 				}
 				return profile
@@ -17456,20 +18485,20 @@ func TestInitInteractiveMenuFocusedReviewerEntityDeleteUndoReturnsToMenu(t *test
 			reviewerCalls++
 			switch reviewerCalls {
 			case 1:
-				if _, ok := prompt.Context.ReviewerEntities["reviewer-github-app"]; !ok {
-					t.Fatalf("ReviewerEntities = %#v, want configured reviewer-github-app before delete", prompt.Context.ReviewerEntities)
+				if _, ok := prompt.Context.ReviewerEntities["work-reviewer"]; !ok {
+					t.Fatalf("ReviewerEntities = %#v, want configured work-reviewer before delete", prompt.Context.ReviewerEntities)
 				}
 				return initDraft{
 					Action:       initDraftActionDeleteReviewerEntity,
-					ActionTarget: "reviewer-github-app",
+					ActionTarget: "work-reviewer",
 				}, nil
 			case 2:
-				if _, ok := prompt.Context.PendingReviewerEntityDeletes["reviewer-github-app"]; !ok {
-					t.Fatalf("PendingReviewerEntityDeletes = %#v, want reviewer-github-app pending delete before undo", prompt.Context.PendingReviewerEntityDeletes)
+				if _, ok := prompt.Context.PendingReviewerEntityDeletes["work-reviewer"]; !ok {
+					t.Fatalf("PendingReviewerEntityDeletes = %#v, want work-reviewer pending delete before undo", prompt.Context.PendingReviewerEntityDeletes)
 				}
 				return initDraft{
 					Action:       initDraftActionUndoDeleteReviewerEntity,
-					ActionTarget: "reviewer-github-app",
+					ActionTarget: "work-reviewer",
 				}, nil
 			case 3:
 				return initDraft{}, errInitNavigateBack
@@ -17651,8 +18680,8 @@ func TestInitInteractiveMenuCanCommitLLMRuntimeBeforeReviewProfile(t *testing.T)
 	if len(menu.prompts) != 2 {
 		t.Fatalf("menu prompts = %#v, want main menu before category entry and after stage", menu.prompts)
 	}
-	if !menu.prompts[0].CanConfigureLLM || menu.prompts[0].CanConfigureReviewer || menu.prompts[0].CanSave {
-		t.Fatalf("initial prompt = %#v, want LLM enabled and reviewer/save disabled", menu.prompts[0])
+	if !menu.prompts[0].CanConfigureLLM || !menu.prompts[0].CanConfigureReviewer || menu.prompts[0].CanSave {
+		t.Fatalf("initial prompt = %#v, want LLM/reviewer enabled and save disabled", menu.prompts[0])
 	}
 	if !menu.prompts[1].CanSave {
 		t.Fatalf("post-stage menu prompt = %#v, want staged runtime edit to be saveable", menu.prompts[1])
@@ -18044,11 +19073,13 @@ func TestInitInteractiveMenuDeleteUndoAndSaveFlow(t *testing.T) {
 	work := basicProfile("work")
 	work.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/shared-reviewer",
 	}
 	home := basicProfile("home")
 	home.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/shared-reviewer",
 	}
 	saveCredentialTestConfig(t, path, config.File{
@@ -18111,16 +19142,16 @@ func TestInitInteractiveMenuDeleteUndoAndSaveFlow(t *testing.T) {
 			reviewerEdits++
 			switch reviewerEdits {
 			case 1:
-				if _, ok := prompt.Context.ReviewerEntities["reviewer-github-app"]; !ok {
-					t.Fatalf("ReviewerEntities = %#v, want configured reviewer-github-app inventory entry", prompt.Context.ReviewerEntities)
+				if _, ok := prompt.Context.ReviewerEntities["home-reviewer"]; !ok {
+					t.Fatalf("ReviewerEntities = %#v, want configured home-reviewer inventory entry", prompt.Context.ReviewerEntities)
 				}
 				return initDraft{
 					Action:       initDraftActionDeleteReviewerEntity,
-					ActionTarget: "reviewer-github-app",
+					ActionTarget: "home-reviewer",
 				}, nil
 			case 2:
-				if _, ok := prompt.Context.PendingReviewerEntityDeletes["reviewer-github-app"]; !ok {
-					t.Fatalf("PendingReviewerEntityDeletes = %#v, want reviewer-github-app pending delete before leaving category", prompt.Context.PendingReviewerEntityDeletes)
+				if _, ok := prompt.Context.PendingReviewerEntityDeletes["home-reviewer"]; !ok {
+					t.Fatalf("PendingReviewerEntityDeletes = %#v, want home-reviewer pending delete before leaving category", prompt.Context.PendingReviewerEntityDeletes)
 				}
 				return initDraft{}, errInitNavigateBack
 			default:
@@ -18769,10 +19800,14 @@ func TestInitInteractiveFinalizationKeyringOpenFailure(t *testing.T) {
 		Stderr:     &bytes.Buffer{},
 		ConfigPath: filepath.Join(t.TempDir(), "config.yml"),
 	}
+	resolved, err := credentials.ResolveCredentialStore(config.File{}, config.LocalOSCredentialStoreID)
+	if err != nil {
+		t.Fatalf("ResolveCredentialStore: %v", err)
+	}
 	deps := initDeps{
 		menuPrompter: &fakeInitMenuPrompter{
 			actions: []initMenuAction{
-				initMenuActionReviewProfiles,
+				initMenuActionRepositoryAccess,
 				initMenuActionSave,
 			},
 		},
@@ -18780,19 +19815,19 @@ func TestInitInteractiveFinalizationKeyringOpenFailure(t *testing.T) {
 			t.Fatal("finalize prompt should not run after keyring open failure")
 			return "", nil
 		}),
-		profileV2Prompter: initPrompterFunc(func(initPromptContext) (initDraft, error) {
+		repositoryPrompter: initRepositoryAccessPrompterFunc(func(initRepositoryAccessPrompt) (initDraft, error) {
 			return initDraft{
-				ProfileName: "default",
-				GitHost:     "github.com",
-				GitAuth:     string(config.GitAuthModePAT),
-				LLMProvider: string(config.LLMProviderAnthropic),
-				LLMAuth:     string(config.LLMAuthSubscription),
-				LLMAdapter:  string(config.LLMAdapterClaudeCLI),
+				RepositoryAccessName:    "github-rianjs",
+				GitHost:                 "github.com",
+				GitAuth:                 string(config.GitAuthModePAT),
+				GitCredentialStore:      config.LocalOSCredentialStoreID,
+				GitCredentialRef:        "codereview/github-rianjs",
+				GitCredentialWriteRef:   "codereview/github-rianjs",
+				GitCredentialWriteStore: resolved,
+				GitCredentialWrites:     map[string]string{credentials.GitTokenKey: "github-token"},
+				GitCredentialSatisfied:  true,
 			}, nil
 		}),
-		secretPrompter: &fakeInitSecretPrompter{
-			actions: []initCredentialSecretAction{initCredentialSecretActionSetNow},
-		},
 		openStore: func(string, bool, config.File) (initStore, error) {
 			return nil, errors.New("open failed")
 		},
@@ -18806,7 +19841,7 @@ func TestInitInteractiveFinalizationKeyringOpenFailure(t *testing.T) {
 		},
 	}
 
-	err := runInitWithDeps(&cobra.Command{}, opts, initOptions{}, deps)
+	err = runInitWithDeps(&cobra.Command{}, opts, initOptions{}, deps)
 	if err == nil || !strings.Contains(err.Error(), "open failed") {
 		t.Fatalf("error = %v, want keyring open failure", err)
 	}
@@ -18869,8 +19904,8 @@ func TestInitInteractiveMenuCanCommitSecretsStorageBeforeReviewProfile(t *testin
 	if menu.prompts[0].CanSave {
 		t.Fatalf("initial prompt = %#v, want commit disabled before staged changes", menu.prompts[0])
 	}
-	if !menu.prompts[1].CanSave || !menu.prompts[1].CanConfigureLLM || menu.prompts[1].CanConfigureReviewer {
-		t.Fatalf("post-edit prompt = %#v, want commit and LLM runtime configuration enabled without workspace", menu.prompts[1])
+	if !menu.prompts[1].CanSave || !menu.prompts[1].CanConfigureLLM || !menu.prompts[1].CanConfigureReviewer {
+		t.Fatalf("post-edit prompt = %#v, want commit, LLM runtime configuration, and reviewer entity configuration enabled without workspace", menu.prompts[1])
 	}
 	cfg, err := config.Load(path)
 	if err != nil {
@@ -18999,7 +20034,7 @@ func TestApplyInteractiveInitSessionPlanRejectsInvalidConfigBeforeKeyringWrite(t
 			return nil
 		},
 	}, plan)
-	if err == nil || !strings.Contains(err.Error(), "profiles.broken.git.host is required") {
+	if err == nil || !strings.Contains(err.Error(), "profiles.broken.repository_access is required") {
 		t.Fatalf("error = %v, want config validation failure", err)
 	}
 	if storeOpened {
@@ -19255,6 +20290,7 @@ func TestApplyInteractiveInitSessionPlanWritesReviewerSecretsToResolvedStore(t *
 	profile.SecretsProfile = "work-file"
 	profile.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work-reviewer",
 	}
 	cfg := config.File{
@@ -19277,7 +20313,6 @@ func TestApplyInteractiveInitSessionPlanWritesReviewerSecretsToResolvedStore(t *
 		profileNames: []string{"work"},
 		writes: map[string]map[string]string{
 			"codereview/work-reviewer": {
-				credentials.GitHubAppIDKey:         "12345",
 				credentials.GitHubAppPrivateKeyKey: "private-key",
 			},
 		},
@@ -19289,9 +20324,7 @@ func TestApplyInteractiveInitSessionPlanWritesReviewerSecretsToResolvedStore(t *
 			},
 			SecretsProfile: resolved,
 			KeySpecs: []credentials.KeySpec{
-				{Key: credentials.GitHubAppIDKey, Required: true},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-				{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 			},
 			State: initCredentialPlanStateWrite,
 		}},
@@ -19313,8 +20346,8 @@ func TestApplyInteractiveInitSessionPlanWritesReviewerSecretsToResolvedStore(t *
 	if err != nil {
 		t.Fatalf("applyInteractiveInitSessionPlan: %v", err)
 	}
-	if got := workStore.bundles["work-reviewer"][credentials.GitHubAppIDKey]; got != "12345" {
-		t.Fatalf("stored reviewer app id = %q, want named-store value", got)
+	if _, ok := workStore.bundles["work-reviewer"][credentials.GitHubAppIDKey]; ok {
+		t.Fatalf("stored reviewer app id unexpectedly: %#v", workStore.bundles["work-reviewer"])
 	}
 	if got := workStore.bundles["work-reviewer"][credentials.GitHubAppPrivateKeyKey]; got != "private-key" {
 		t.Fatalf("stored reviewer private key = %q, want named-store value", got)
@@ -20416,6 +21449,7 @@ func TestInitInteractiveCanKeepExistingSecretsAfterInspectingTargetRef(t *testin
 
 func TestInitInteractiveCollectsGitHubAppBundle(t *testing.T) {
 	store := newFakeInitStore(nil)
+	var savedCfg config.File
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
 		Stdout:     &bytes.Buffer{},
@@ -20428,6 +21462,7 @@ func TestInitInteractiveCollectsGitHubAppBundle(t *testing.T) {
 				ProfileName: "default",
 				GitHost:     "github.com",
 				GitAuth:     string(config.GitAuthModeGitHubApp),
+				GitHubAppID: "12345",
 				LLMProvider: string(config.LLMProviderAnthropic),
 				LLMAuth:     string(config.LLMAuthSubscription),
 				LLMAdapter:  string(config.LLMAdapterClaudeCLI),
@@ -20437,19 +21472,20 @@ func TestInitInteractiveCollectsGitHubAppBundle(t *testing.T) {
 			actions: []initCredentialSecretAction{initCredentialSecretActionSetNow},
 			sources: []initSecretSource{
 				initSecretSourcePaste,
-				initSecretSourceClipboard,
-				initSecretSourceSkip,
 			},
-			pastes: []string{"12345"},
+			pastes: []string{"private-key"},
 		},
 		clipboardSupported: func() bool { return true },
-		clipboardRead:      func() (string, error) { return "private-key", nil },
+		clipboardRead:      func() (string, error) { return "", nil },
 		configPath:         func(*root.Options) (string, error) { return opts.ConfigPath, nil },
 		loadConfig: func(string) (config.File, bool, error) {
 			return config.File{Profiles: map[string]config.Profile{}}, false, nil
 		},
-		saveConfig: func(string, config.File) error { return nil },
-		openStore:  func(string, bool, config.File) (initStore, error) { return store, nil },
+		saveConfig: func(_ string, cfg config.File) error {
+			savedCfg = cloneInitConfigFile(cfg)
+			return nil
+		},
+		openStore: func(string, bool, config.File) (initStore, error) { return store, nil },
 	}
 
 	err := runInitWithDeps(&cobra.Command{}, opts, initOptions{}, deps)
@@ -20457,12 +21493,15 @@ func TestInitInteractiveCollectsGitHubAppBundle(t *testing.T) {
 		t.Fatalf("runInitWithDeps: %v", err)
 	}
 	bundle := store.bundles["default"]
-	if bundle[credentials.GitHubAppIDKey] != "12345" {
-		t.Fatalf("github_app_id = %q, want 12345", bundle[credentials.GitHubAppIDKey])
+	if _, ok := bundle[credentials.GitHubAppIDKey]; ok {
+		t.Fatalf("github_app_id stored unexpectedly: %#v", bundle)
 	}
 	if bundle[credentials.GitHubAppPrivateKeyKey] != "private-key" {
 		t.Fatalf("github_app_private_key = %q, want private-key", bundle[credentials.GitHubAppPrivateKeyKey])
 	}
+	if savedCfg.Profiles["default"].Git.GitHubApp == nil || savedCfg.Profiles["default"].Git.GitHubApp.AppID != "12345" {
+		t.Fatalf("git github_app config = %#v, want app id 12345", savedCfg.Profiles["default"].Git.GitHubApp)
+	}
 	if _, ok := bundle[credentials.GitHubAppInstallationIDKey]; ok {
 		t.Fatalf("github_app_installation_id present, want skipped optional key")
 	}
@@ -20625,7 +21664,6 @@ func TestInitRejectsInvalidSecretAndProfileInputs(t *testing.T) {
 	}{
 		{name: "two stdin secrets", args: []string{"init", "--non-interactive", "--git-token-stdin", "--llm-api-key-stdin"}},
 		{name: "git and reviewer stdin secrets", args: []string{"init", "--non-interactive", "--git-token-stdin", "--reviewer-token-stdin"}},
-		{name: "invalid profile segment", args: []string{"--profile", "bad.profile", "init", "--non-interactive"}},
 		{name: "reviewer ref matches git ref", args: []string{"init", "--non-interactive", "--reviewer-credential-ref", "codereview/default"}},
 		{name: "unsupported git auth", args: []string{"init", "--non-interactive", "--git-auth-mode", string(config.GitAuthModeOAuthDevice)}},
 		{name: "git token ingress under github app", args: []string{"init", "--non-interactive", "--git-auth-mode", string(config.GitAuthModeGitHubApp), "--git-token-from-env", "CR_GIT_TOKEN"}},
@@ -20698,7 +21736,6 @@ func TestWriteBundlesLeavesStaleReviewerKeysForPostSaveCleanup(t *testing.T) {
 	}
 	written, err := writeBundles(store, map[string]map[string]string{
 		"codereview/work-reviewer": {
-			credentials.GitHubAppIDKey:         "12345",
 			credentials.GitHubAppPrivateKeyKey: "private-key",
 		},
 	}, false, nil)
@@ -20711,8 +21748,8 @@ func TestWriteBundlesLeavesStaleReviewerKeysForPostSaveCleanup(t *testing.T) {
 	if ok, err := store.Exists("work-reviewer", credentials.GitTokenKey); err != nil || !ok {
 		t.Fatalf("stale git_token exists = %t, err = %v; want retained until config save succeeds", ok, err)
 	}
-	if ok, err := store.Exists("work-reviewer", credentials.GitHubAppIDKey); err != nil || !ok {
-		t.Fatalf("github_app_id exists = %t, err = %v; want written", ok, err)
+	if ok, err := store.Exists("work-reviewer", credentials.GitHubAppPrivateKeyKey); err != nil || !ok {
+		t.Fatalf("github_app_private_key exists = %t, err = %v; want written", ok, err)
 	}
 }
 
@@ -20730,7 +21767,6 @@ func TestWriteBundlesKeepsStaleReviewerKeysRequiredByAnotherActiveMode(t *testin
 	}
 	if _, err := writeBundles(store, map[string]map[string]string{
 		"codereview/shared-reviewer": {
-			credentials.GitHubAppIDKey:         "12345",
 			credentials.GitHubAppPrivateKeyKey: "private-key",
 		},
 	}, false, nil); err != nil {
@@ -20753,6 +21789,7 @@ func TestApplyInteractiveInitSessionPlanDeletesStaleReviewerKeyWithoutWrites(t *
 	profile := basicProfile("work")
 	profile.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work-reviewer",
 		DisplayName:   "work bot",
 	}
@@ -20785,9 +21822,7 @@ func TestApplyInteractiveInitSessionPlanDeletesStaleReviewerKeyWithoutWrites(t *
 			},
 			SecretsProfile: resolved,
 			KeySpecs: []credentials.KeySpec{
-				{Key: credentials.GitHubAppIDKey, Required: true},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-				{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 			},
 			State: initCredentialPlanStateKeepExisting,
 		}},
@@ -20809,14 +21844,14 @@ func TestApplyInteractiveInitSessionPlanDeletesStaleReviewerKeyWithoutWrites(t *
 	if ok, err := store.Exists("work-reviewer", credentials.GitTokenKey); err != nil || ok {
 		t.Fatalf("stale git_token exists = %t, err = %v; want deleted", ok, err)
 	}
-	if ok, err := store.Exists("work-reviewer", credentials.GitHubAppIDKey); err != nil || !ok {
-		t.Fatalf("github_app_id exists = %t, err = %v; want retained", ok, err)
+	if ok, err := store.Exists("work-reviewer", credentials.GitHubAppIDKey); err != nil || ok {
+		t.Fatalf("github_app_id exists = %t, err = %v; want deleted as stale legacy key", ok, err)
 	}
 	if ok, err := store.Exists("work-reviewer", credentials.GitHubAppPrivateKeyKey); err != nil || !ok {
 		t.Fatalf("github_app_private_key exists = %t, err = %v; want retained", ok, err)
 	}
-	if ok, err := store.Exists("work-reviewer", credentials.GitHubAppInstallationIDKey); err != nil || !ok {
-		t.Fatalf("github_app_installation_id exists = %t, err = %v; want retained", ok, err)
+	if ok, err := store.Exists("work-reviewer", credentials.GitHubAppInstallationIDKey); err != nil || ok {
+		t.Fatalf("github_app_installation_id exists = %t, err = %v; want deleted as stale legacy key", ok, err)
 	}
 }
 
@@ -20831,6 +21866,7 @@ func TestApplyInteractiveInitSessionPlanSaveFailureDoesNotDeleteStaleReviewerKey
 	profile := basicProfile("work")
 	profile.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work-reviewer",
 	}
 	cfg := config.File{Profiles: map[string]config.Profile{"work": profile}}
@@ -20855,9 +21891,7 @@ func TestApplyInteractiveInitSessionPlanSaveFailureDoesNotDeleteStaleReviewerKey
 			},
 			SecretsProfile: resolved,
 			KeySpecs: []credentials.KeySpec{
-				{Key: credentials.GitHubAppIDKey, Required: true},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-				{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 			},
 			State: initCredentialPlanStateKeepExisting,
 		}},
@@ -20882,6 +21916,7 @@ func TestApplyInteractiveInitSessionPlanKeepsSharedRefPATKeyAfterStagedAuthSwitc
 	appProfile := basicProfile("app")
 	appProfile.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/shared-reviewer",
 	}
 	patProfile := basicProfile("pat")
@@ -20905,7 +21940,6 @@ func TestApplyInteractiveInitSessionPlanKeepsSharedRefPATKeyAfterStagedAuthSwitc
 		profileNames: []string{"app"},
 		writes: map[string]map[string]string{
 			"codereview/shared-reviewer": {
-				credentials.GitHubAppIDKey:         "12345",
 				credentials.GitHubAppPrivateKeyKey: "private-key",
 			},
 		},
@@ -20922,9 +21956,7 @@ func TestApplyInteractiveInitSessionPlanKeepsSharedRefPATKeyAfterStagedAuthSwitc
 			},
 			SecretsProfile: resolved,
 			KeySpecs: []credentials.KeySpec{
-				{Key: credentials.GitHubAppIDKey, Required: true},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-				{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 			},
 			State: initCredentialPlanStateWrite,
 		}},
@@ -20940,8 +21972,8 @@ func TestApplyInteractiveInitSessionPlanKeepsSharedRefPATKeyAfterStagedAuthSwitc
 	if ok, err := store.Exists("shared-reviewer", credentials.GitTokenKey); err != nil || !ok {
 		t.Fatalf("git_token exists = %t, err = %v; want retained for untouched PAT profile", ok, err)
 	}
-	if ok, err := store.Exists("shared-reviewer", credentials.GitHubAppIDKey); err != nil || !ok {
-		t.Fatalf("github_app_id exists = %t, err = %v; want staged app key written", ok, err)
+	if ok, err := store.Exists("shared-reviewer", credentials.GitHubAppIDKey); err != nil || ok {
+		t.Fatalf("github_app_id exists = %t, err = %v; want no staged app key", ok, err)
 	}
 }
 
@@ -20956,6 +21988,7 @@ func TestApplyInitPlanDeletesStaleReviewerKeyWithoutWrites(t *testing.T) {
 	profile := basicProfile("work")
 	profile.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work-reviewer",
 		DisplayName:   "work bot",
 	}
@@ -20982,9 +22015,7 @@ func TestApplyInitPlanDeletesStaleReviewerKeyWithoutWrites(t *testing.T) {
 			},
 			SecretsProfile: resolved,
 			KeySpecs: []credentials.KeySpec{
-				{Key: credentials.GitHubAppIDKey, Required: true},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-				{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 			},
 			State: initCredentialPlanStateKeepExisting,
 		}},
@@ -21002,8 +22033,8 @@ func TestApplyInitPlanDeletesStaleReviewerKeyWithoutWrites(t *testing.T) {
 	if ok, err := store.Exists("work-reviewer", credentials.GitTokenKey); err != nil || ok {
 		t.Fatalf("stale git_token exists = %t, err = %v; want deleted", ok, err)
 	}
-	if ok, err := store.Exists("work-reviewer", credentials.GitHubAppIDKey); err != nil || !ok {
-		t.Fatalf("github_app_id exists = %t, err = %v; want retained", ok, err)
+	if ok, err := store.Exists("work-reviewer", credentials.GitHubAppIDKey); err != nil || ok {
+		t.Fatalf("github_app_id exists = %t, err = %v; want deleted as stale legacy key", ok, err)
 	}
 }
 
@@ -21027,15 +22058,14 @@ func TestStaleReviewerCleanupKeepsKeysRequiredByAnotherActiveModeWithoutWrites(t
 			Mode:    string(config.GitAuthModePAT),
 		},
 		KeySpecs: []credentials.KeySpec{
-			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-			{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 		},
 		State: initCredentialPlanStateKeepExisting,
 	}
 	appProfile := basicProfile("app")
 	appProfile.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/shared-reviewer",
 	}
 	patProfile := basicProfile("pat")
@@ -21065,12 +22095,15 @@ func TestStaleReviewerCleanupKeepsKeysRequiredByAnotherActiveModeWithoutWrites(t
 	if err != nil {
 		t.Fatalf("deleteStaleReviewerCredentialKeysForRefs: %v", err)
 	}
-	if len(cleanedRefs) != 0 {
-		t.Fatalf("cleaned refs = %#v, want none because both modes are active", cleanedRefs)
+	if !reflect.DeepEqual(cleanedRefs, []string{"codereview/shared-reviewer"}) {
+		t.Fatalf("cleaned refs = %#v, want shared reviewer stale legacy app id deleted", cleanedRefs)
 	}
 	if ok, err := store.Exists("shared-reviewer", credentials.GitTokenKey); err != nil || !ok {
 		t.Fatalf("git_token exists = %t, err = %v; want retained for active PAT entry", ok, err)
 	}
+	if ok, err := store.Exists("shared-reviewer", credentials.GitHubAppIDKey); err != nil || ok {
+		t.Fatalf("github_app_id exists = %t, err = %v; want deleted as stale legacy key", ok, err)
+	}
 }
 
 type fakeInitSecretPrompter struct {
@@ -21243,6 +22276,12 @@ func (f initLLMRuntimePrompterFunc) EditLLMRuntime(prompt initLLMRuntimePrompt)
 	return f(prompt)
 }
 
+type initRepositoryAccessPrompterFunc func(initRepositoryAccessPrompt) (initDraft, error)
+
+func (f initRepositoryAccessPrompterFunc) EditRepositoryAccess(prompt initRepositoryAccessPrompt) (initDraft, error) {
+	return f(prompt)
+}
+
 type initReviewerEntityPrompterFunc func(initReviewerEntityPrompt) (initDraft, error)
 
 func (f initReviewerEntityPrompterFunc) EditReviewerEntity(prompt initReviewerEntityPrompt) (initDraft, error) {
@@ -21489,13 +22528,13 @@ func basicProfile(profile string) config.Profile {
 	}
 }
 
-func normalizeTestProfile(profile config.Profile) config.Profile {
+func normalizeTestProfileNamed(name string, profile config.Profile) config.Profile {
 	cfg := config.Normalize(config.File{
 		Profiles: map[string]config.Profile{
-			"test": profile,
+			name: profile,
 		},
 	})
-	return cfg.Profiles["test"]
+	return cfg.Profiles[name]
 }
 
 func apiKeyProfile(profile string, provider config.LLMProvider) config.Profile {
diff --git a/internal/cmd/credentialcmd/init_inventory.go b/internal/cmd/credentialcmd/init_inventory.go
index b3089149..8e9b0937 100644
--- a/internal/cmd/credentialcmd/init_inventory.go
+++ b/internal/cmd/credentialcmd/init_inventory.go
@@ -284,43 +284,120 @@ func (m initInventoryModel) View() string {
 		// prompt starts, rather than appending the next form below stale content.
 		return ""
 	}
-	l := m.list
-	l.AdditionalShortHelpKeys = func() []key.Binding {
-		return m.helpBindings()
+	var lines []string
+	lines = append(lines, initLinearTheme.title.Render(m.title))
+	if m.desc != "" {
+		var descLines []string
+		initLinearAppendWrappedWithPrefix(&descLines, "", m.desc, initInventoryViewWidth(m))
+		for _, line := range descLines {
+			lines = append(lines, initLinearTheme.help.Render(line))
+		}
 	}
-	l.AdditionalFullHelpKeys = func() []key.Binding {
-		return m.helpBindings()
+	if filter := strings.TrimSpace(m.list.FilterValue()); filter != "" {
+		lines = append(lines, "", initLinearTheme.title.Render("Filter"), initLinearTheme.help.Render(filter))
 	}
-	if m.desc == "" {
-		return l.View()
+	lines = append(lines, m.renderRows()...)
+	lines = append(lines, "", initLinearTheme.help.Render(m.helpLine()))
+	return strings.Join(lines, "\n")
+}
+
+func (m initInventoryModel) renderRows() []string {
+	items := m.list.VisibleItems()
+	if len(items) == 0 {
+		return []string{"", initLinearTheme.help.Render("No matching entries")}
 	}
-	return m.desc + "\n\n" + l.View()
+	selectedIndex := m.list.Index()
+	var lines []string
+	currentSection := initInventoryRowKind("")
+	for index, item := range items {
+		inventoryItem, ok := item.(initInventoryItem)
+		if !ok {
+			continue
+		}
+		row := inventoryItem.row
+		if row.Kind != currentSection {
+			currentSection = row.Kind
+			lines = append(lines, "")
+			lines = append(lines, initLinearTheme.title.Render(initInventorySectionTitle(row.Kind)))
+		}
+		lines = append(lines, m.renderRow(row, index == selectedIndex)...)
+	}
+	return lines
 }
 
-func (m initInventoryModel) selectedRow() (initInventoryRow, bool) {
-	selected := m.list.SelectedItem()
-	if selected == nil {
-		return initInventoryRow{}, false
+func initInventorySectionTitle(kind initInventoryRowKind) string {
+	switch kind {
+	case initInventoryRowKindActive:
+		return "Configured"
+	case initInventoryRowKindPending:
+		return "Staged changes"
+	case initInventoryRowKindCommand:
+		return "Actions"
+	default:
+		return "Actions"
 	}
-	item, ok := selected.(initInventoryItem)
-	if !ok {
-		return initInventoryRow{}, false
+}
+
+func (m initInventoryModel) renderRow(row initInventoryRow, selected bool) []string {
+	prefix := "  [ ] "
+	if selected {
+		prefix = "> [x] "
 	}
-	return item.row, true
+	var titleLines []string
+	initLinearAppendWrappedWithPrefix(&titleLines, prefix, row.Title, initInventoryViewWidth(m))
+	title := strings.Join(titleLines, "\n")
+	switch {
+	case selected && initInventoryRowActionable(row):
+		title = initLinearStyleSelectedLine(title)
+	case !initInventoryRowActionable(row):
+		title = initLinearTheme.help.Render(title)
+	}
+	lines := []string{title}
+	if description := strings.TrimSpace(row.Description); description != "" {
+		var descriptionLines []string
+		initLinearAppendWrappedWithPrefix(&descriptionLines, "      ", description, initInventoryViewWidth(m))
+		for _, line := range descriptionLines {
+			lines = append(lines, initLinearTheme.help.Render(line))
+		}
+	}
+	return lines
 }
 
-func (m initInventoryModel) helpBindings() []key.Binding {
-	bindings := []key.Binding{m.keys.Select}
+func initInventoryViewWidth(m initInventoryModel) int {
+	if width := m.list.Width(); width > 0 {
+		return width
+	}
+	return 80
+}
+
+func initInventoryRowActionable(row initInventoryRow) bool {
+	return row.Selectable || row.Deletable || row.Restorable
+}
+
+func (m initInventoryModel) helpLine() string {
+	parts := []string{"up/k previous", "down/j next", "enter select"}
 	if row, ok := m.selectedRow(); ok {
 		if row.Deletable {
-			bindings = append(bindings, m.keys.Delete)
+			parts = append(parts, "d delete")
 		}
 		if row.Restorable {
-			bindings = append(bindings, m.keys.Restore)
+			parts = append(parts, "r restore")
 		}
 	}
-	bindings = append(bindings, m.keys.Back)
-	return bindings
+	parts = append(parts, "esc back")
+	return strings.Join(parts, " - ")
+}
+
+func (m initInventoryModel) selectedRow() (initInventoryRow, bool) {
+	selected := m.list.SelectedItem()
+	if selected == nil {
+		return initInventoryRow{}, false
+	}
+	item, ok := selected.(initInventoryItem)
+	if !ok {
+		return initInventoryRow{}, false
+	}
+	return item.row, true
 }
 
 func (r initInventoryRow) primaryAction() initInventoryAction {
diff --git a/internal/cmd/credentialcmd/init_inventory_test.go b/internal/cmd/credentialcmd/init_inventory_test.go
index aeeaf211..b6182569 100644
--- a/internal/cmd/credentialcmd/init_inventory_test.go
+++ b/internal/cmd/credentialcmd/init_inventory_test.go
@@ -66,6 +66,61 @@ func TestInitInventoryReordersRowsIntoActiveCommandAndPendingGroups(t *testing.T
 	}
 }
 
+func TestInitInventoryViewUsesLinearActionListDesign(t *testing.T) {
+	model := newInitInventoryModel(initInventoryPrompt{
+		Title:       "LLM runtime",
+		Description: "Choose how reviewer agents run.",
+		Width:       80,
+		Height:      20,
+		Rows: []initInventoryRow{
+			{ID: "claude-cli", Title: "Template: Claude CLI subscription", Kind: initInventoryRowKindCommand, PrimaryAction: initInventoryActionCommand, Selectable: true},
+			{ID: "codex-cli", Title: "Template: Codex CLI subscription", Kind: initInventoryRowKindCommand, PrimaryAction: initInventoryActionCommand, Selectable: true},
+			{ID: "back", Title: "Back to main menu", Kind: initInventoryRowKindCommand, PrimaryAction: initInventoryActionBack, Selectable: true},
+		},
+	})
+
+	out := model.View()
+	plainOut := stripANSITest(out)
+	assertContentOrder(t, plainOut,
+		"LLM runtime",
+		"Choose how reviewer agents run.",
+		"Actions",
+		"> [x] Template: Claude CLI subscription",
+		"  [ ] Template: Codex CLI subscription",
+		"  [ ] Back to main menu",
+	)
+	for _, oldChrome := range []string{"│ Template:", "↑/k up", "/ filter", "? more"} {
+		if strings.Contains(plainOut, oldChrome) {
+			t.Fatalf("view contains old list chrome %q:\n%s", oldChrome, out)
+		}
+	}
+}
+
+func TestInitInventoryViewGroupsConfiguredActionsAndPendingChanges(t *testing.T) {
+	model := newInitInventoryModel(initInventoryPrompt{
+		Title:       "Reviewer entity",
+		Description: "Choose who posts reviews.",
+		Rows: []initInventoryRow{
+			{ID: "pat", Title: "PAT reviewer", Description: "local-os / codereview/reviewer-pat", Kind: initInventoryRowKindActive, Selectable: true, Deletable: true},
+			{ID: "restore-app", Title: "GitHub App reviewer (Staged for deletion)", Kind: initInventoryRowKindPending, Restorable: true},
+			{ID: "create-pat", Title: "Configure new personal access token (PAT) reviewer", Kind: initInventoryRowKindCommand, PrimaryAction: initInventoryActionCommand, Selectable: true},
+			{ID: "back", Title: "Back to main menu", Kind: initInventoryRowKindCommand, PrimaryAction: initInventoryActionBack, Selectable: true},
+		},
+	})
+
+	plainOut := stripANSITest(model.View())
+	assertContentOrder(t, plainOut,
+		"Configured",
+		"> [x] PAT reviewer",
+		"local-os / codereview/reviewer-pat",
+		"Actions",
+		"Configure new personal access token (PAT) reviewer",
+		"Back to main menu",
+		"Staged changes",
+		"GitHub App reviewer (Staged for deletion)",
+	)
+}
+
 func TestInitInventoryDeleteKeyStagesDeletionForDeletableRow(t *testing.T) {
 	model := newInitInventoryModel(initInventoryPrompt{
 		Title:  "LLM runtime",
@@ -333,8 +388,8 @@ func TestInitReviewerEntityInventoryRowsSetExpectedCapabilities(t *testing.T) {
 		},
 	})
 
-	if len(rows) != 6 {
-		t.Fatalf("len(rows) = %d, want 6", len(rows))
+	if len(rows) != 5 {
+		t.Fatalf("len(rows) = %d, want 5", len(rows))
 	}
 	if got := rows[0]; got.Kind != initInventoryRowKindActive || !got.Selectable || !got.Deletable || got.Restorable || got.PrimaryAction != initInventoryActionNone {
 		t.Fatalf("active row = %#v, want selectable+deletable active reviewer entity", got)
@@ -343,24 +398,18 @@ func TestInitReviewerEntityInventoryRowsSetExpectedCapabilities(t *testing.T) {
 		t.Fatalf("pending row = %#v, want restorable pending reviewer entity", got)
 	}
 	if got := rows[2]; got.Kind != initInventoryRowKindCommand || !got.Selectable || got.PrimaryAction != initInventoryActionCommand {
-		t.Fatalf("fallback row = %#v, want selectable command fallback", got)
-	}
-	if got, want := rows[2].Title, "Use a profile's Git account (no separate reviewer entity)"; got != want {
-		t.Fatalf("fallback row title = %q, want %q", got, want)
-	}
-	if got := rows[3]; got.Kind != initInventoryRowKindCommand || !got.Selectable || got.PrimaryAction != initInventoryActionCommand {
 		t.Fatalf("pat row = %#v, want selectable command PAT template", got)
 	}
-	if got, want := rows[3].Title, "Configure new personal access token (PAT) reviewer"; got != want {
+	if got, want := rows[2].Title, "Configure new personal access token (PAT) reviewer"; got != want {
 		t.Fatalf("pat row title = %q, want %q", got, want)
 	}
-	if got := rows[4]; got.Kind != initInventoryRowKindCommand || !got.Selectable || got.PrimaryAction != initInventoryActionCommand {
+	if got := rows[3]; got.Kind != initInventoryRowKindCommand || !got.Selectable || got.PrimaryAction != initInventoryActionCommand {
 		t.Fatalf("github app row = %#v, want selectable command GitHub App template", got)
 	}
-	if got, want := rows[4].Title, "Configure new GitHub App reviewer"; got != want {
+	if got, want := rows[3].Title, "Configure new GitHub App reviewer"; got != want {
 		t.Fatalf("github app row title = %q, want %q", got, want)
 	}
-	if got := rows[5]; got.Kind != initInventoryRowKindCommand || !got.Selectable || got.PrimaryAction != initInventoryActionBack {
+	if got := rows[4]; got.Kind != initInventoryRowKindCommand || !got.Selectable || got.PrimaryAction != initInventoryActionBack {
 		t.Fatalf("back row = %#v, want selectable Back command", got)
 	}
 }
@@ -448,6 +497,30 @@ func TestInitProfileInventoryRowsSetExpectedCapabilities(t *testing.T) {
 	}
 }
 
+func TestInitProfileV2InventoryRowsKeepDeleteCapabilities(t *testing.T) {
+	rows := initProfileV2InventoryRows(initPromptContext{
+		ExistingProfileNames: []string{"home"},
+		ExistingConfig: config.File{
+			Profiles: map[string]config.Profile{
+				"home": {Git: config.GitConfig{Host: "github.com"}},
+			},
+		},
+		PendingProfileDeletes: map[string]initPendingProfileDelete{
+			"work": {ProfileName: "work"},
+		},
+	})
+
+	if len(rows) != 4 {
+		t.Fatalf("len(rows) = %d, want 4", len(rows))
+	}
+	if got := rows[0]; got.ID != "home" || !got.Deletable || got.Restorable {
+		t.Fatalf("active v2 row = %#v, want deletable home profile", got)
+	}
+	if got := rows[1]; got.ID != "work" || got.Deletable || !got.Restorable {
+		t.Fatalf("pending v2 row = %#v, want restorable work profile", got)
+	}
+}
+
 func TestInitProfileInventoryRowsShowRoutesAndSortBySpecificity(t *testing.T) {
 	rows := initProfileInventoryRows(initPromptContext{
 		ExistingProfileNames: []string{"default", "unrouted", "namespace", "repo"},
@@ -592,7 +665,7 @@ func TestInitInventoryViewShowsContextualHelpBindings(t *testing.T) {
 			t.Fatalf("view = %q, want %q", out, want)
 		}
 	}
-	for _, unwanted := range []string{"restore", "Actions", "Pending deletion"} {
+	for _, unwanted := range []string{"restore", "Pending deletion"} {
 		if strings.Contains(out, unwanted) {
 			t.Fatalf("view = %q, did not want %q for selected deletable row", out, unwanted)
 		}
diff --git a/internal/cmd/credentialcmd/init_linear_editor.go b/internal/cmd/credentialcmd/init_linear_editor.go
index d06d3e94..4d6426e3 100644
--- a/internal/cmd/credentialcmd/init_linear_editor.go
+++ b/internal/cmd/credentialcmd/init_linear_editor.go
@@ -444,6 +444,12 @@ func (m *initLinearEditorModel) handleFocusedInputKey(msg tea.KeyMsg) bool {
 		}
 		field.Value = initLinearInsertRunes(field.Value, field.Cursor, key.Runes)
 		field.Cursor += len(key.Runes)
+	case tea.KeySpace:
+		if msg.Alt {
+			return false
+		}
+		field.Value = initLinearInsertRunes(field.Value, field.Cursor, []rune{' '})
+		field.Cursor++
 	case tea.KeyBackspace, tea.KeyCtrlH:
 		field.Value, field.Cursor = initLinearDeleteBeforeCursor(field.Value, field.Cursor)
 	case tea.KeyDelete, tea.KeyCtrlD:
@@ -583,6 +589,14 @@ func (m *initLinearEditorModel) setFieldDescription(id initLinearFieldID, descri
 	m.document[index].Description = description
 }
 
+func (m *initLinearEditorModel) setFieldTitle(id initLinearFieldID, title string) {
+	index := m.document.fieldIndexByID(id)
+	if index < 0 {
+		return
+	}
+	m.document[index].Title = title
+}
+
 func (m *initLinearEditorModel) selectFieldValue(id initLinearFieldID, value string) {
 	index := m.document.fieldIndexByID(id)
 	if index < 0 {
diff --git a/internal/cmd/credentialcmd/init_llm_runtime_editor.go b/internal/cmd/credentialcmd/init_llm_runtime_editor.go
index 5d534e49..061a43c5 100644
--- a/internal/cmd/credentialcmd/init_llm_runtime_editor.go
+++ b/internal/cmd/credentialcmd/init_llm_runtime_editor.go
@@ -10,7 +10,6 @@ import (
 	"github.com/charmbracelet/huh"
 
 	"github.com/open-cli-collective/codereview-cli/internal/config"
-	"github.com/open-cli-collective/codereview-cli/internal/credentials"
 )
 
 type initLLMRuntimeEditorRunner func(initLinearEditor, io.Reader, io.Writer) (initLinearEditorModel, error)
@@ -488,7 +487,7 @@ func initLLMRuntimeDefaultCredentialName(ctx initPromptContext, draft initDraft,
 	if _, configured := ctx.LLMRuntimes[selection]; configured {
 		nameSeed = strings.TrimSpace(selection)
 	}
-	ref, err := credentials.FormatRef(nameSeed)
+	ref, err := initCredentialRefFromSeed(nameSeed)
 	if err != nil {
 		return ""
 	}
diff --git a/internal/cmd/credentialcmd/init_menu.go b/internal/cmd/credentialcmd/init_menu.go
index 223ea18d..c9562266 100644
--- a/internal/cmd/credentialcmd/init_menu.go
+++ b/internal/cmd/credentialcmd/init_menu.go
@@ -81,6 +81,11 @@ func initMenuItems(prompt initMenuPrompt) []initMenuItem {
 			Title:       "Configure secrets storage",
 			Description: "Credential stores for tokens and keys",
 		},
+		{
+			Action:      initMenuActionRepositoryAccess,
+			Title:       "Configure repository access",
+			Description: initMenuConfiguredDescription(prompt.RepositoryAccessCount, "repository access", "repository access entries", "Git hosts and user credentials"),
+		},
 		{
 			Action:      initMenuActionLLMRuntimes,
 			Title:       "Configure LLM runtimes",
@@ -137,15 +142,15 @@ func initMenuCountDescription(count int, singular, plural string) string {
 
 func initMenuDisabledReason(prompt initMenuPrompt, action initMenuAction) string {
 	switch action {
-	case initMenuActionReviewerEntities:
-		if !prompt.CanConfigureReviewer {
-			return "configure a review profile before editing reviewer entities"
-		}
 	case initMenuActionSave:
 		if !prompt.CanSave {
 			return "stage changes before committing"
 		}
-	case initMenuActionSecretsManagement, initMenuActionLLMRuntimes, initMenuActionReviewProfiles, initMenuActionGlobalSettings, initMenuActionExit:
+	case initMenuActionReviewProfiles:
+		if prompt.RepositoryAccessCount == 0 {
+			return "configure repository access before creating review profiles"
+		}
+	case initMenuActionSecretsManagement, initMenuActionRepositoryAccess, initMenuActionLLMRuntimes, initMenuActionReviewerEntities, initMenuActionGlobalSettings, initMenuActionExit:
 	}
 	return ""
 }
diff --git a/internal/cmd/credentialcmd/init_profile_v2.go b/internal/cmd/credentialcmd/init_profile_v2.go
index ba2fd801..9389f5bd 100644
--- a/internal/cmd/credentialcmd/init_profile_v2.go
+++ b/internal/cmd/credentialcmd/init_profile_v2.go
@@ -13,7 +13,6 @@ import (
 
 	"github.com/open-cli-collective/codereview-cli/internal/cmd/root"
 	"github.com/open-cli-collective/codereview-cli/internal/config"
-	"github.com/open-cli-collective/codereview-cli/internal/credentials"
 )
 
 type bubbleTeaInitProfileV2Prompter struct {
@@ -58,6 +57,16 @@ func (p bubbleTeaInitProfileV2Prompter) Run(ctx initPromptContext) (initDraft, e
 		switch result.Action {
 		case initInventoryActionBack:
 			return initDraft{}, errInitNavigateBack
+		case initInventoryActionRestore:
+			return initDraft{
+				Action:       initDraftActionUndoDeleteProfile,
+				ActionTarget: result.Row.ID,
+			}, nil
+		case initInventoryActionStageDelete:
+			return initDraft{
+				Action:       initDraftActionDeleteProfile,
+				ActionTarget: result.Row.ID,
+			}, nil
 		case initInventoryActionEdit, initInventoryActionCommand:
 			draft, staged, err := p.runProfileEditor(ctx, result.Row.ID)
 			if err != nil {
@@ -68,8 +77,6 @@ func (p bubbleTeaInitProfileV2Prompter) Run(ctx initPromptContext) (initDraft, e
 			}
 		case initInventoryActionNone:
 			continue
-		case initInventoryActionRestore, initInventoryActionStageDelete:
-			continue
 		default:
 			return initDraft{}, fmt.Errorf("unsupported profile v2 inventory action %q", result.Action)
 		}
@@ -165,12 +172,7 @@ func (p bubbleTeaInitProfileV2Prompter) runReadOnlyEditor(editor initProfileV2Ed
 }
 
 func initProfileV2InventoryRows(ctx initPromptContext) []initInventoryRow {
-	rows := initProfileInventoryRows(ctx)
-	for i := range rows {
-		rows[i].Deletable = false
-		rows[i].Restorable = false
-	}
-	return rows
+	return initProfileInventoryRows(ctx)
 }
 
 type initProfileV2ReadOnlyModel struct {
@@ -198,6 +200,10 @@ func newInitProfileV2ReadOnlyModel(editor initProfileV2Editor, width, height int
 	if height <= 0 {
 		height = 28
 	}
+	selectedGitScope := editor.SelectedGitScope
+	if selectedGitScope == "" {
+		selectedGitScope = firstInitGitScopeName(editor.GitScopes)
+	}
 	vp := viewport.New(width, max(height-2, 1))
 	model := initProfileV2ReadOnlyModel{
 		viewport:                   vp,
@@ -206,13 +212,14 @@ func newInitProfileV2ReadOnlyModel(editor initProfileV2Editor, width, height int
 		reviewerEntities:           maps.Clone(editor.ReviewerEntities),
 		llmRuntimes:                maps.Clone(editor.LLMRuntimes),
 		credentialStoreOptions:     append([]huh.Option[string](nil), editor.CredentialStoreOptions...),
-		selectedGitScope:           editor.SelectedGitScope,
+		selectedGitScope:           selectedGitScope,
 		initialGitStorageLabel:     editor.InitialGitStorageLabel,
 		gitStorageLabelUsesDefault: editor.GitStorageLabelUsesDefault,
 		document:                   editor.Document,
 		focused:                    editor.Document.firstFocusableField(),
 	}
 	model.syncGitScopeFields()
+	model.syncReviewerGitHubAppInstallationFields(false)
 	model.syncLLMCredentialFields(false)
 	model.syncModelMapFields()
 	model.validateAll()
@@ -322,25 +329,25 @@ func initProfileV2ReadOnlyDocument(ctx initPromptContext, selection string) (ini
 }
 
 func initProfileV2ReadOnlyEditor(ctx initPromptContext, selection string) (initProfileV2Editor, error) {
+	if ctx.GitScopes == nil || ctx.ProfileGitScopes == nil {
+		ctx.GitScopes, ctx.ProfileGitScopes = buildInitGitScopeInventory(ctx.ExistingConfig)
+	}
+	if len(ctx.GitScopes) == 0 {
+		return initProfileV2Editor{}, fmt.Errorf("configure repository access before creating review profiles")
+	}
 	selectedProfileName, selectedExistingProfile, requestedProfileName := initProfileV2Selection(ctx, selection)
 	draft := seedInteractiveInitDraft(requestedProfileName, selectedProfileName, selectedExistingProfile)
 	routeText := formatInitRouteSpecs(currentProfileRouteSpecs(ctx.ExistingConfig.RepositoryProfiles, selectedProfileName))
 
 	selectedGitScope := ctx.ProfileGitScopes[selectedProfileName]
 	if selectedGitScope == "" {
-		selectedGitScope = initCustomGitScopeSelection
-	}
-	selectedGit := initGitScopeDraft{
-		Host:            draft.GitHost,
-		AuthMode:        config.GitAuthMode(draft.GitAuth),
-		CredentialStore: initCredentialStoreDraftValue(draft.GitCredentialStore),
-		CredentialRef:   strings.TrimSpace(draft.GitCredentialRef),
+		selectedGitScope = firstInitGitScopeName(ctx.GitScopes)
 	}
-	if scopeName := ctx.ProfileGitScopes[selectedProfileName]; scopeName != "" {
-		if scope, ok := ctx.GitScopes[scopeName]; ok {
-			selectedGit = scope
-		}
+	if _, ok := ctx.GitScopes[selectedGitScope]; !ok {
+		selectedGitScope = firstInitGitScopeName(ctx.GitScopes)
 	}
+	applyGitScopeSelection(&draft, selectedGitScope, ctx.GitScopes)
+	selectedGit := ctx.GitScopes[selectedGitScope]
 
 	reviewerEntity := initReviewerEntityDraftFromSeedDraft(draft)
 	selectedReviewerEntity := ctx.ProfileReviewerEntities[selectedProfileName]
@@ -358,12 +365,6 @@ func initProfileV2ReadOnlyEditor(ctx initPromptContext, selection string) (initP
 	llmRuntimeOptions, selectedLLMRuntime := initProfileEditorLLMRuntimeSelection(llmRuntimes, ctx.ProfileLLMRuntimes[selectedProfileName], draft)
 	modelMapLLM := initProfileEditorModelMapLLM(draft, selectedLLMRuntime, llmRuntimes)
 
-	standardGitCredentialRef, err := initStandardGitCredentialRef(draft.ProfileName, selectedGitScope, ctx.GitScopes)
-	if err != nil {
-		return initProfileV2Editor{}, err
-	}
-	gitStorageLabel := initEffectiveStorageLabelValue(draft.GitCredentialRef, standardGitCredentialRef)
-	gitStorageLabelUsesDefault := initStorageLabelUsesDefault(gitStorageLabel, standardGitCredentialRef)
 	standardLLMCredentialRef, err := initStandardLLMCredentialRef(draft.ProfileName, selectedLLMRuntime, llmRuntimes)
 	if err != nil {
 		return initProfileV2Editor{}, err
@@ -371,35 +372,59 @@ func initProfileV2ReadOnlyEditor(ctx initPromptContext, selection string) (initP
 	if strings.TrimSpace(draft.LLMCredentialRef) == "" {
 		draft.LLMCredentialRef = standardLLMCredentialRef
 	}
+	llmCredentialAutoManaged := strings.TrimSpace(draft.LLMCredentialRef) != "" && strings.TrimSpace(draft.LLMCredentialRef) == strings.TrimSpace(standardLLMCredentialRef)
 	storeOptions := initCredentialStoreOptions(ctx.ExistingConfig)
 
 	var document initProfileV2Document
 	document.addSection("Review profile", "Repository routing and review composition.")
-	document.addEditableInput(initProfileV2FieldProfileName, "Profile name", "Human-friendly name for this review profile.", draft.ProfileName, validateProfileName)
+	initProfileV2AppendGitScopeSection(&document, selectedGitScope, initRepositoryAccessProfileOptions(ctx.GitScopes), draft, true)
 	initProfileV2AppendRouteSection(&document, routeText)
-	initProfileV2AppendGitScopeSection(&document, selectedGitScope, initGitScopeOptions(ctx.GitScopes), draft, selectedGitScope == initCustomGitScopeSelection || len(ctx.GitScopes) > 1)
 	document.addEditableSelect(initProfileV2FieldReviewerEntity, "Reviewer entity", reviewerEntitySelectionDescription(), reviewerEntityOptions, selectedReviewerEntity)
+	initProfileV2AppendReviewerGitHubAppInstallationSection(&document, selectedReviewerEntity, ctx.ReviewerEntities, draft)
 	document.addEditableSelect(initProfileV2FieldLLMRuntime, "LLM runtime", "Choose how reviewer agents run for this profile.", llmRuntimeOptions, selectedLLMRuntime)
 	initProfileV2AppendLLMStorageSection(&document, storeOptions, draft.LLMCredentialStore, draft.LLMCredentialRef, !initLLMStorageLabelRelevant(selectedLLMRuntime, llmRuntimes))
 	document.addEditableSelect(initProfileV2FieldReviewerModelTier, initReviewerModelTierTitle, initReviewerModelTierDescription, initReviewerModelTierOptions(), draft.LLMReviewerModelTier)
 	initProfileV2AppendModelMapSection(&document, modelMapLLM, draft.ModelMap)
+	profileNameInput := initProfileV2ProfileNameInput(ctx, selectedExistingProfile, draft)
+	profileNameValidate := validateProfileName
+	if selectedExistingProfile == nil && strings.TrimSpace(profileNameInput) == "" {
+		profileNameValidate = validateOptionalProfileName
+	}
+	document.addEditableInput(initProfileV2FieldProfileName, "Profile name", "Human-friendly name for this review profile.", profileNameInput, profileNameValidate)
 	initProfileV2AppendAgentSourcesSection(&document, draft.AgentSources)
-	initProfileV2AppendReviewPolicySection(&document, draft.ReviewPolicy)
-	initProfileV2AppendGitStorageSection(&document, storeOptions, draft.GitCredentialStore, gitStorageLabel)
+	initProfileV2AppendReviewPolicySection(&document, draft.ReviewPolicy, initProfileV2ReviewerEntityKindForSelection(selectedReviewerEntity, ctx.ReviewerEntities) == initReviewerEntityKindGitHubApp)
 	initProfileV2AppendProfileActionSection(&document)
+	if index := document.fieldIndexByID(initProfileV2FieldLLMCredentialName); index >= 0 {
+		document[index].AutoManaged = llmCredentialAutoManaged
+	}
 	return initProfileV2Editor{
-		Draft:                      draft,
-		GitScopes:                  maps.Clone(ctx.GitScopes),
-		ReviewerEntities:           maps.Clone(ctx.ReviewerEntities),
-		LLMRuntimes:                maps.Clone(llmRuntimes),
-		CredentialStoreOptions:     storeOptions,
-		SelectedGitScope:           selectedGitScope,
-		InitialGitStorageLabel:     gitStorageLabel,
-		GitStorageLabelUsesDefault: gitStorageLabelUsesDefault,
-		Document:                   document,
+		Draft:                  draft,
+		GitScopes:              maps.Clone(ctx.GitScopes),
+		ReviewerEntities:       maps.Clone(ctx.ReviewerEntities),
+		LLMRuntimes:            maps.Clone(llmRuntimes),
+		CredentialStoreOptions: storeOptions,
+		SelectedGitScope:       selectedGitScope,
+		Document:               document,
 	}, nil
 }
 
+func validateOptionalProfileName(value string) error {
+	if strings.TrimSpace(value) == "" {
+		return nil
+	}
+	return validateProfileName(value)
+}
+
+func initProfileV2ProfileNameInput(ctx initPromptContext, existingProfile *config.Profile, draft initDraft) string {
+	if existingProfile != nil {
+		return draft.ProfileName
+	}
+	if strings.TrimSpace(ctx.RequestedProfileName) == initialInitProfileName && strings.TrimSpace(draft.ProfileName) == initialInitProfileName {
+		return ""
+	}
+	return draft.ProfileName
+}
+
 func initProfileV2Selection(ctx initPromptContext, selection string) (string, *config.Profile, string) {
 	if selection == initCreateProfileSentinel {
 		return "", nil, initCreateProfileSeedName(ctx)
@@ -420,25 +445,28 @@ const (
 )
 
 const (
-	initProfileV2FieldProfileName          initProfileV2FieldID = "profile_name"
-	initProfileV2FieldRoutes               initProfileV2FieldID = "routes"
-	initProfileV2FieldGitScope             initProfileV2FieldID = "git_scope"
-	initProfileV2FieldGitHost              initProfileV2FieldID = "git_host"
-	initProfileV2FieldGitAuth              initProfileV2FieldID = "git_auth"
-	initProfileV2FieldReviewerEntity       initProfileV2FieldID = "reviewer_entity"
-	initProfileV2FieldLLMRuntime           initProfileV2FieldID = "llm_runtime"
-	initProfileV2FieldReviewerModelTier    initProfileV2FieldID = "reviewer_model_tier"
-	initProfileV2FieldAgentSources         initProfileV2FieldID = "agent_sources"
-	initProfileV2FieldReviewMajorEvent     initProfileV2FieldID = "review_major_event"
-	initProfileV2FieldSelfApprove          initProfileV2FieldID = "self_approve"
-	initProfileV2FieldResolveThreads       initProfileV2FieldID = "resolve_threads"
-	initProfileV2FieldResolveAfter         initProfileV2FieldID = "resolve_after"
-	initProfileV2FieldGitCredentialStore   initProfileV2FieldID = "git_credential_store" // #nosec G101 -- this is a field ID, not a secret value.
-	initProfileV2FieldGitCredentialName    initProfileV2FieldID = "git_credential_name"  // #nosec G101 -- this is a field ID, not a secret value.
-	initProfileV2FieldLLMCredentialSection initProfileV2FieldID = "llm_credentials_section"
-	initProfileV2FieldLLMCredentialStore   initProfileV2FieldID = "llm_credential_store" // #nosec G101 -- this is a field ID, not a secret value.
-	initProfileV2FieldLLMCredentialName    initProfileV2FieldID = "llm_credential_name"  // #nosec G101 -- this is a field ID, not a secret value.
-	initProfileV2FieldProfileAction        initProfileV2FieldID = "profile_action"
+	initProfileV2FieldProfileName                          initProfileV2FieldID = "profile_name"
+	initProfileV2FieldRoutes                               initProfileV2FieldID = "routes"
+	initProfileV2FieldGitScope                             initProfileV2FieldID = "git_scope"
+	initProfileV2FieldGitHost                              initProfileV2FieldID = "git_host"
+	initProfileV2FieldGitAuth                              initProfileV2FieldID = "git_auth"
+	initProfileV2FieldGitHubAppID                          initProfileV2FieldID = "git_github_app_id" // #nosec G101 -- this is a field ID, not a secret value.
+	initProfileV2FieldReviewerEntity                       initProfileV2FieldID = "reviewer_entity"
+	initProfileV2FieldReviewerGitHubAppInstallationSection initProfileV2FieldID = "reviewer_github_app_installation_section"
+	initProfileV2FieldReviewerGitHubAppInstallationMode    initProfileV2FieldID = "reviewer_github_app_installation_mode"
+	initProfileV2FieldReviewerGitHubAppInstallationID      initProfileV2FieldID = "reviewer_github_app_installation_id" // #nosec G101 -- this is a field ID, not a secret value.
+	initProfileV2FieldLLMRuntime                           initProfileV2FieldID = "llm_runtime"
+	initProfileV2FieldReviewerModelTier                    initProfileV2FieldID = "reviewer_model_tier"
+	initProfileV2FieldAgentSources                         initProfileV2FieldID = "agent_sources"
+	initProfileV2FieldReviewMajorEvent                     initProfileV2FieldID = "review_major_event"
+	initProfileV2FieldSelfApprove                          initProfileV2FieldID = "self_approve"
+	initProfileV2FieldResolveThreads                       initProfileV2FieldID = "resolve_threads"
+	initProfileV2FieldGitCredentialStore                   initProfileV2FieldID = "git_credential_store" // #nosec G101 -- this is a field ID, not a secret value.
+	initProfileV2FieldGitCredentialName                    initProfileV2FieldID = "git_credential_name"  // #nosec G101 -- this is a field ID, not a secret value.
+	initProfileV2FieldLLMCredentialSection                 initProfileV2FieldID = "llm_credentials_section"
+	initProfileV2FieldLLMCredentialStore                   initProfileV2FieldID = "llm_credential_store" // #nosec G101 -- this is a field ID, not a secret value.
+	initProfileV2FieldLLMCredentialName                    initProfileV2FieldID = "llm_credential_name"  // #nosec G101 -- this is a field ID, not a secret value.
+	initProfileV2FieldProfileAction                        initProfileV2FieldID = "profile_action"
 )
 
 func initProfileV2FieldModelMap(tier config.ModelTier) initProfileV2FieldID {
@@ -468,18 +496,61 @@ func initProfileV2AppendRouteSection(document *initProfileV2Document, routeText
 	document.addEditableInput(initProfileV2FieldRoutes, "Route entries", "Examples: github.com/YourOrg; github.com/YourOrg/repo; github.com/YourOrg [RepoA, RepoB]. Leave blank for explicit --profile selection only.", routeText, validateInitProfileV2RouteText)
 }
 
-func initProfileV2AppendGitScopeSection(document *initProfileV2Document, selectedScope string, scopeOptions []huh.Option[string], draft initDraft, visible bool) {
+func initProfileV2AppendGitScopeSection(document *initProfileV2Document, selectedScope string, scopeOptions []huh.Option[string], _ initDraft, visible bool) {
 	if !visible {
 		return
 	}
-	customHidden := selectedScope != initCustomGitScopeSelection
-	document.addSection("Git scope", "Choose an existing Git scope or configure host/auth settings for this profile.")
-	document.addEditableSelect(initProfileV2FieldGitScope, "Git scope", "", scopeOptions, selectedScope)
-	document.addEditableInput(initProfileV2FieldGitHost, "Git scope host", "Git host this review profile applies to, such as github.com or github.mycompany.com.", draft.GitHost, validateRequiredText("git host is required"), initProfileV2FieldOptions{Hidden: customHidden})
-	document.addEditableSelect(initProfileV2FieldGitAuth, "Git scope auth mode", "", []huh.Option[string]{
-		huh.NewOption("Personal access token", string(config.GitAuthModePAT)),
-		huh.NewOption("GitHub App", string(config.GitAuthModeGitHubApp)),
-	}, draft.GitAuth, initProfileV2FieldOptions{Hidden: customHidden})
+	document.addSection("Repository access", "Choose how cr accesses Git repositories for this profile.")
+	document.addEditableSelect(initProfileV2FieldGitScope, "Repository access", "", scopeOptions, selectedScope)
+}
+
+func initProfileV2AppendReviewerGitHubAppInstallationSection(document *initProfileV2Document, selectedReviewerEntity string, entities map[string]initReviewerEntityDraft, draft initDraft) {
+	hidden := initProfileV2ReviewerEntityKindForSelection(selectedReviewerEntity, entities) != initReviewerEntityKindGitHubApp
+	mode := config.ProfileReviewerGitHubAppInstallationMode(strings.TrimSpace(draft.ReviewerGitHubAppInstallationMode))
+	if mode == "" {
+		mode = config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository
+	}
+	pinned := mode == config.ProfileReviewerGitHubAppInstallationPinned
+	document.addSectionField(
+		initProfileV2FieldReviewerGitHubAppInstallationSection,
+		"GitHub App installation",
+		"Choose how cr finds the GitHub App installation for this review profile. Discovery resolves the installation from each PR repository and supports profiles routed to multiple organizations or users. Pinning is only appropriate when every route for this profile uses the same installation.",
+		initProfileV2FieldOptions{Hidden: hidden},
+	)
+	document.addEditableSelect(
+		initProfileV2FieldReviewerGitHubAppInstallationMode,
+		"Installation lookup",
+		"",
+		initProfileV2ReviewerGitHubAppInstallationModeOptions(),
+		string(mode),
+		initProfileV2FieldOptions{Hidden: hidden},
+	)
+	document.addEditableInput(
+		initProfileV2FieldReviewerGitHubAppInstallationID,
+		"Installation ID",
+		"Required when pinning. Use one numeric GitHub App installation ID only when all routes for this profile share that installation.",
+		strings.TrimSpace(draft.ReviewerGitHubAppInstallationID),
+		validateOptionalGitHubAppInstallationID,
+		initProfileV2FieldOptions{Hidden: hidden || !pinned},
+	)
+}
+
+func initProfileV2ReviewerGitHubAppInstallationModeOptions() []huh.Option[string] {
+	return []huh.Option[string]{
+		huh.NewOption("Discover from PR repository at review time (recommended)", string(config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository)),
+		huh.NewOption("Pin one installation ID (advanced)", string(config.ProfileReviewerGitHubAppInstallationPinned)),
+	}
+}
+
+func initProfileV2ReviewerEntityKindForSelection(selection string, entities map[string]initReviewerEntityDraft) initReviewerEntityKind {
+	switch initReviewerEntityKind(selection) {
+	case initReviewerEntityKindUseGitIdentity, initReviewerEntityKindPAT, initReviewerEntityKindGitHubApp:
+		return initReviewerEntityKind(selection)
+	}
+	if entity, ok := entities[selection]; ok {
+		return entity.Kind
+	}
+	return initReviewerEntityKindUseGitIdentity
 }
 
 func initProfileV2AppendModelMapSection(document *initProfileV2Document, llm config.LLMConfig, modelMap config.ModelMap) {
@@ -499,22 +570,23 @@ func initProfileV2AppendAgentSourcesSection(document *initProfileV2Document, sou
 	document.addEditableTextarea(initProfileV2FieldAgentSources, "Additional trusted reviewer-agent directories", "Paths are deduplicated and normalized before save.", strings.Join(sources, "\n"))
 }
 
-func initProfileV2AppendReviewPolicySection(document *initProfileV2Document, policy config.ReviewPolicy) {
+func initProfileV2AppendReviewPolicySection(document *initProfileV2Document, policy config.ReviewPolicy, hideSelfApprove bool) {
 	if policy.MajorEvent == "" {
-		policy.MajorEvent = config.ReviewMajorEventComment
+		policy.MajorEvent = config.ReviewMajorEventRequestChanges
+	}
+	if policy.ResolveThreads == "" {
+		policy.ResolveThreads = config.ResolveThreadsAuto
 	}
 	document.addSection("Review policy", "Choose how cr posts major findings and handles review threads.")
-	document.addEditableSelect(initProfileV2FieldReviewMajorEvent, "Major findings event", "", []huh.Option[string]{
-		huh.NewOption("Comment", string(config.ReviewMajorEventComment)),
+	document.addEditableSelect(initProfileV2FieldReviewMajorEvent, "Major findings event", "Blocking findings always request changes. This controls what cr does when the highest severity is major: either request changes or leave a review comment.", []huh.Option[string]{
 		huh.NewOption("Request changes", string(config.ReviewMajorEventRequestChanges)),
+		huh.NewOption("Comment", string(config.ReviewMajorEventComment)),
 	}, string(policy.MajorEvent))
-	document.addEditableSelect(initProfileV2FieldSelfApprove, "Allow self-approve", "", initReviewPolicySelfApproveOptions(), initReviewPolicySelfApproveChoice(policy.AllowSelfApprove))
-	document.addEditableSelect(initProfileV2FieldResolveThreads, "Resolve threads", "", []huh.Option[string]{
-		huh.NewOption("Use built-in default", ""),
-		huh.NewOption("Auto-resolve", string(config.ResolveThreadsAuto)),
-		huh.NewOption("Never resolve", string(config.ResolveThreadsNever)),
+	document.addEditableSelect(initProfileV2FieldSelfApprove, "Allow self-approve", "Relevant when this profile posts using a user account. If that account authored the PR, cr downgrades approval to a comment unless enabled.", initReviewPolicySelfApproveOptions(), initReviewPolicySelfApproveChoice(policy.AllowSelfApprove), initProfileV2FieldOptions{Hidden: hideSelfApprove})
+	document.addEditableSelect(initProfileV2FieldResolveThreads, "Resolve threads", "Controls whether cr may mark inline discussion threads as \"resolved\" when it evaluates the dialog, and determines a decision has been made. When enabled, cr treats the final comment as the cached outcome of the discussion. This removes the discussion thread from future calls to the LLM provider, saving both time and tokens.", []huh.Option[string]{
+		huh.NewOption("Auto-resolve (recommended)", string(config.ResolveThreadsAuto)),
+		huh.NewOption("Never resolve automatically", string(config.ResolveThreadsNever)),
 	}, string(policy.ResolveThreads))
-	document.addEditableInput(initProfileV2FieldResolveAfter, "Resolve-after duration", "Optional. Leave blank to clear. Example: 24h or 30m.", policy.ResolveAfter, validateOptionalDuration)
 }
 
 func initProfileV2AppendGitStorageSection(document *initProfileV2Document, storeOptions []huh.Option[string], storeID string, credentialName string) {
@@ -589,6 +661,12 @@ func (m *initProfileV2ReadOnlyModel) handleFocusedInputKey(msg tea.KeyMsg) bool
 		}
 		field.Value = initProfileV2InsertRunes(field.Value, field.Cursor, key.Runes)
 		field.Cursor += len(key.Runes)
+	case tea.KeySpace:
+		if msg.Alt {
+			return false
+		}
+		field.Value = initProfileV2InsertRunes(field.Value, field.Cursor, []rune{' '})
+		field.Cursor++
 	case tea.KeyBackspace, tea.KeyCtrlH:
 		field.Value, field.Cursor = initProfileV2DeleteBeforeCursor(field.Value, field.Cursor)
 	case tea.KeyDelete, tea.KeyCtrlD:
@@ -703,6 +781,25 @@ func (m *initProfileV2ReadOnlyModel) afterFieldChange(index int) {
 		m.syncGitScopeFields()
 		return
 	}
+	if id == initProfileV2FieldGitAuth {
+		m.syncGitScopeFields()
+		return
+	}
+	if id == initProfileV2FieldProfileName {
+		m.syncProfileNameDerivedCredentialFields()
+		return
+	}
+	if id == initProfileV2FieldLLMCredentialName {
+		m.document[index].AutoManaged = false
+	}
+	if id == initProfileV2FieldReviewerEntity {
+		m.syncReviewerGitHubAppInstallationFields(true)
+		return
+	}
+	if id == initProfileV2FieldReviewerGitHubAppInstallationMode {
+		m.syncReviewerGitHubAppInstallationFields(true)
+		return
+	}
 	if id == initProfileV2FieldLLMRuntime {
 		m.syncLLMCredentialFields(true)
 		m.syncModelMapFields()
@@ -744,29 +841,10 @@ func (m initProfileV2ReadOnlyModel) validatedDraft() (initDraft, error) {
 	if selectedGitScope == "" {
 		selectedGitScope = m.selectedGitScope
 	}
-	if selectedGitScope == "" {
-		selectedGitScope = initCustomGitScopeSelection
-	}
-	if selectedGitScope == initCustomGitScopeSelection {
-		gitHost := m.document.fieldValue(initProfileV2FieldGitHost)
-		if strings.TrimSpace(gitHost) != "" {
-			draft.GitHost = strings.TrimSpace(gitHost)
-		}
-		gitAuth := m.document.selectedValue(initProfileV2FieldGitAuth)
-		if gitAuth != "" {
-			draft.GitAuth = gitAuth
-		}
-	} else {
-		applyGitScopeSelection(&draft, selectedGitScope, m.gitScopes)
-	}
-	if m.document.fieldIndexByID(initProfileV2FieldGitCredentialName) >= 0 {
-		gitName := strings.TrimSpace(m.document.fieldValue(initProfileV2FieldGitCredentialName))
-		if err := validateRequiredCredentialRef(gitName); err != nil {
-			return draft, err
-		}
-		draft.GitCredentialStore = initCredentialStoreDraftValue(m.document.selectedValue(initProfileV2FieldGitCredentialStore))
-		draft.GitCredentialRef = gitName
+	if selectedGitScope == "" || selectedGitScope == initCustomGitScopeSelection {
+		return draft, fmt.Errorf("repository access is required")
 	}
+	applyGitScopeSelection(&draft, selectedGitScope, m.gitScopes)
 	if _, err := applyInitProfileRoutes(nil, draft.ProfileName, draft.GitHost, routes); err != nil {
 		return draft, err
 	}
@@ -776,6 +854,31 @@ func (m initProfileV2ReadOnlyModel) validatedDraft() (initDraft, error) {
 		reviewerMode := string(initReviewerEntityDraftFromSeedDraft(draft).Kind)
 		applyReviewerEntitySelection(&draft, reviewerMode)
 	}
+	if initProfileV2ReviewerEntityKindForSelection(selectedReviewerEntity, m.reviewerEntities) == initReviewerEntityKindGitHubApp {
+		mode := config.ProfileReviewerGitHubAppInstallationMode(strings.TrimSpace(m.document.selectedValue(initProfileV2FieldReviewerGitHubAppInstallationMode)))
+		if mode == "" {
+			mode = config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository
+		}
+		draft.ReviewerGitHubAppInstallationMode = string(mode)
+		switch mode {
+		case config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository:
+			draft.ReviewerGitHubAppInstallationID = ""
+		case config.ProfileReviewerGitHubAppInstallationPinned:
+			installationID := strings.TrimSpace(m.document.fieldValue(initProfileV2FieldReviewerGitHubAppInstallationID))
+			if installationID == "" {
+				return draft, fmt.Errorf("GitHub App installation ID is required when lookup is pinned")
+			}
+			if err := validateOptionalGitHubAppInstallationID(installationID); err != nil {
+				return draft, err
+			}
+			draft.ReviewerGitHubAppInstallationID = installationID
+		default:
+			return draft, fmt.Errorf("GitHub App installation lookup %q is invalid", mode)
+		}
+	} else {
+		draft.ReviewerGitHubAppInstallationMode = ""
+		draft.ReviewerGitHubAppInstallationID = ""
+	}
 	selectedLLMRuntime := m.document.selectedValue(initProfileV2FieldLLMRuntime)
 	if selectedLLMRuntime == initConfigureNewLLMRuntimeSelection {
 		return draft, fmt.Errorf("configure a new LLM runtime first")
@@ -836,6 +939,25 @@ func (m initProfileV2ReadOnlyModel) normalizeStorageLabels(*initDraft, string, s
 	return nil
 }
 
+func (m *initProfileV2ReadOnlyModel) syncProfileNameDerivedCredentialFields() {
+	index := m.document.fieldIndexByID(initProfileV2FieldLLMCredentialName)
+	if index < 0 || m.document[index].Hidden || !m.document[index].AutoManaged {
+		return
+	}
+	ref, err := initStandardLLMCredentialRef(
+		m.document.fieldValue(initProfileV2FieldProfileName),
+		m.document.selectedValue(initProfileV2FieldLLMRuntime),
+		m.llmRuntimes,
+	)
+	if err == nil && strings.TrimSpace(ref) != "" {
+		m.setFieldValue(initProfileV2FieldLLMCredentialName, ref)
+		if index = m.document.fieldIndexByID(initProfileV2FieldLLMCredentialName); index >= 0 {
+			m.document[index].AutoManaged = true
+		}
+	}
+	m.validateField(m.document.fieldIndexByID(initProfileV2FieldLLMCredentialName))
+}
+
 func (m *initProfileV2ReadOnlyModel) syncGitScopeFields() {
 	selectedGitScope := m.document.selectedValue(initProfileV2FieldGitScope)
 	if selectedGitScope == "" {
@@ -845,19 +967,18 @@ func (m *initProfileV2ReadOnlyModel) syncGitScopeFields() {
 		selectedGitScope = initCustomGitScopeSelection
 	}
 	m.selectedGitScope = selectedGitScope
-	custom := selectedGitScope == initCustomGitScopeSelection
-	if !custom {
-		if scope, ok := m.gitScopes[selectedGitScope]; ok {
-			m.setFieldValue(initProfileV2FieldGitHost, scope.Host)
-			m.selectFieldValue(initProfileV2FieldGitAuth, string(scope.AuthMode))
-			m.selectFieldValue(initProfileV2FieldGitCredentialStore, initCredentialStoreDraftValue(scope.CredentialStore))
-			if strings.TrimSpace(scope.CredentialRef) != "" {
-				m.setFieldValue(initProfileV2FieldGitCredentialName, scope.CredentialRef)
-			}
+	if scope, ok := m.gitScopes[selectedGitScope]; ok {
+		m.setFieldValue(initProfileV2FieldGitHost, scope.Host)
+		m.selectFieldValue(initProfileV2FieldGitAuth, string(scope.AuthMode))
+		m.setFieldValue(initProfileV2FieldGitHubAppID, scope.GitHubAppID)
+		m.selectFieldValue(initProfileV2FieldGitCredentialStore, initCredentialStoreDraftValue(scope.CredentialStore))
+		if strings.TrimSpace(scope.CredentialRef) != "" {
+			m.setFieldValue(initProfileV2FieldGitCredentialName, scope.CredentialRef)
 		}
 	}
-	m.setFieldHidden(initProfileV2FieldGitHost, !custom)
-	m.setFieldHidden(initProfileV2FieldGitAuth, !custom)
+	m.setFieldHidden(initProfileV2FieldGitHost, true)
+	m.setFieldHidden(initProfileV2FieldGitAuth, true)
+	m.setFieldHidden(initProfileV2FieldGitHubAppID, true)
 	if m.focused >= 0 && m.focused < len(m.document) && m.document[m.focused].Hidden {
 		m.focused = m.document.nextFocusableField(m.focused)
 		if m.focused >= len(m.document) || m.document[m.focused].Hidden {
@@ -867,6 +988,37 @@ func (m *initProfileV2ReadOnlyModel) syncGitScopeFields() {
 	m.validateAll()
 }
 
+func (m *initProfileV2ReadOnlyModel) syncReviewerGitHubAppInstallationFields(reset bool) {
+	kind := initProfileV2ReviewerEntityKindForSelection(m.document.selectedValue(initProfileV2FieldReviewerEntity), m.reviewerEntities)
+	visible := kind == initReviewerEntityKindGitHubApp
+	mode := config.ProfileReviewerGitHubAppInstallationMode(strings.TrimSpace(m.document.selectedValue(initProfileV2FieldReviewerGitHubAppInstallationMode)))
+	if mode == "" {
+		mode = config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository
+		m.selectFieldValue(initProfileV2FieldReviewerGitHubAppInstallationMode, string(mode))
+	}
+	pinned := visible && mode == config.ProfileReviewerGitHubAppInstallationPinned
+	m.setFieldHidden(initProfileV2FieldReviewerGitHubAppInstallationSection, !visible)
+	m.setFieldHidden(initProfileV2FieldReviewerGitHubAppInstallationMode, !visible)
+	m.setFieldHidden(initProfileV2FieldReviewerGitHubAppInstallationID, !pinned)
+	m.setFieldHidden(initProfileV2FieldSelfApprove, visible)
+	if !visible {
+		m.selectFieldValue(initProfileV2FieldReviewerGitHubAppInstallationMode, string(config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository))
+		m.setFieldValue(initProfileV2FieldReviewerGitHubAppInstallationID, "")
+	} else {
+		m.selectFieldValue(initProfileV2FieldSelfApprove, initSelfApproveDisallow)
+	}
+	if visible && reset && !pinned {
+		m.setFieldValue(initProfileV2FieldReviewerGitHubAppInstallationID, "")
+	}
+	if m.focused >= 0 && m.focused < len(m.document) && m.document[m.focused].Hidden {
+		m.focused = m.document.nextFocusableField(m.focused)
+		if m.focused >= len(m.document) || m.document[m.focused].Hidden {
+			m.focused = m.document.previousFocusableField(len(m.document))
+		}
+	}
+	m.validateField(m.document.fieldIndexByID(initProfileV2FieldReviewerGitHubAppInstallationID))
+}
+
 func (m *initProfileV2ReadOnlyModel) syncLLMCredentialFields(reset bool) {
 	selectedLLMRuntime := m.document.selectedValue(initProfileV2FieldLLMRuntime)
 	draft := m.draft
@@ -882,15 +1034,25 @@ func (m *initProfileV2ReadOnlyModel) syncLLMCredentialFields(reset bool) {
 	if !needsCredential {
 		return
 	}
-	if reset {
+	credentialNameIndex := m.document.fieldIndexByID(initProfileV2FieldLLMCredentialName)
+	shouldPopulate := reset
+	if !shouldPopulate && credentialNameIndex >= 0 && strings.TrimSpace(m.document[credentialNameIndex].Value) == "" {
+		shouldPopulate = true
+	}
+	if shouldPopulate {
+		autoManaged := false
 		if strings.TrimSpace(draft.LLMCredentialRef) == "" {
-			ref, err := credentials.FormatRef(strings.TrimSpace(m.document.fieldValue(initProfileV2FieldProfileName)) + "-llm")
+			ref, err := initStandardLLMCredentialRef(m.document.fieldValue(initProfileV2FieldProfileName), selectedLLMRuntime, m.llmRuntimes)
 			if err == nil {
 				draft.LLMCredentialRef = ref
+				autoManaged = true
 			}
 		}
 		m.selectFieldValue(initProfileV2FieldLLMCredentialStore, initCredentialStoreDraftValue(draft.LLMCredentialStore))
 		m.setFieldValue(initProfileV2FieldLLMCredentialName, draft.LLMCredentialRef)
+		if credentialNameIndex = m.document.fieldIndexByID(initProfileV2FieldLLMCredentialName); credentialNameIndex >= 0 {
+			m.document[credentialNameIndex].AutoManaged = autoManaged
+		}
 	}
 	m.validateField(m.document.fieldIndexByID(initProfileV2FieldLLMCredentialName))
 }
@@ -950,17 +1112,20 @@ func initProfileV2AgentSourcesFromDocument(document initProfileV2Document) []str
 func initProfileV2ReviewPolicyFromDocument(document initProfileV2Document) (config.ReviewPolicy, error) {
 	majorEvent := config.ReviewMajorEvent(document.selectedValue(initProfileV2FieldReviewMajorEvent))
 	if majorEvent == "" {
-		majorEvent = config.ReviewMajorEventComment
+		majorEvent = config.ReviewMajorEventRequestChanges
+	}
+	resolveThreads := config.ResolveThreadsPolicy(strings.TrimSpace(document.selectedValue(initProfileV2FieldResolveThreads)))
+	if resolveThreads == "" {
+		resolveThreads = config.ResolveThreadsAuto
 	}
-	resolveAfter := strings.TrimSpace(document.fieldValue(initProfileV2FieldResolveAfter))
-	if err := validateOptionalDuration(resolveAfter); err != nil {
-		return config.ReviewPolicy{}, err
+	allowSelfApprove := initReviewPolicyAllowSelfApprove(document.selectedValue(initProfileV2FieldSelfApprove))
+	if index := document.fieldIndexByID(initProfileV2FieldSelfApprove); index >= 0 && document[index].Hidden {
+		allowSelfApprove = false
 	}
 	return config.ReviewPolicy{
 		MajorEvent:       majorEvent,
-		AllowSelfApprove: initReviewPolicyAllowSelfApprove(document.selectedValue(initProfileV2FieldSelfApprove)),
-		ResolveThreads:   config.ResolveThreadsPolicy(strings.TrimSpace(document.selectedValue(initProfileV2FieldResolveThreads))),
-		ResolveAfter:     resolveAfter,
+		AllowSelfApprove: allowSelfApprove,
+		ResolveThreads:   resolveThreads,
 	}, nil
 }
 
@@ -1131,7 +1296,6 @@ var initProfileV2HeadingSet = func() map[string]bool {
 		"Major findings event":    true,
 		"Allow self-approve":      true,
 		"Resolve threads":         true,
-		"Resolve-after duration":  true,
 		"Git credentials":         true,
 		"Git credential store":    true,
 		"Git credential name":     true,
diff --git a/internal/cmd/credentialcmd/init_repository_access_editor.go b/internal/cmd/credentialcmd/init_repository_access_editor.go
new file mode 100644
index 00000000..eede39b5
--- /dev/null
+++ b/internal/cmd/credentialcmd/init_repository_access_editor.go
@@ -0,0 +1,574 @@
+package credentialcmd
+
+import (
+	"fmt"
+	"io"
+	"os/exec"
+	"sort"
+	"strings"
+
+	tea "github.com/charmbracelet/bubbletea"
+	"github.com/charmbracelet/huh"
+	"github.com/open-cli-collective/cli-common/credstore"
+
+	"github.com/open-cli-collective/codereview-cli/internal/config"
+	"github.com/open-cli-collective/codereview-cli/internal/credentials"
+)
+
+type initRepositoryAccessEditorRunner func(initLinearEditor, io.Reader, io.Writer) (initLinearEditorModel, error)
+
+const (
+	initRepositoryAccessFieldSelection           initLinearFieldID = "repository_access_selection"
+	initRepositoryAccessFieldName                initLinearFieldID = "repository_access_name"
+	initRepositoryAccessFieldHost                initLinearFieldID = "repository_access_host"
+	initRepositoryAccessFieldAuth                initLinearFieldID = "repository_access_auth"
+	initRepositoryAccessFieldGitHubAppID         initLinearFieldID = "repository_access_github_app_id"
+	initRepositoryAccessFieldCredentialStore     initLinearFieldID = "repository_access_credential_store"
+	initRepositoryAccessFieldCredentialName      initLinearFieldID = "repository_access_credential_name"
+	initRepositoryAccessFieldCredentialStatus    initLinearFieldID = "repository_access_credential_status"
+	initRepositoryAccessFieldCredentialValues    initLinearFieldID = "repository_access_credential_values"
+	initRepositoryAccessFieldGitToken            initLinearFieldID = "repository_access_git_token"
+	initRepositoryAccessFieldGitHubAppPrivateKey initLinearFieldID = "repository_access_github_app_private_key"
+	initRepositoryAccessFieldAction              initLinearFieldID = "repository_access_action"
+)
+
+const initConfigureNewRepositoryAccessSelection = "__configure_new_repository_access__"
+
+const initRepositoryAccessRestoreSelectionPrefix = "__restore_repository_access__:"
+
+var initRepositoryAccessGitConfigValue = func(key string) string {
+	out, err := exec.Command("git", "config", "--get", key).Output() // #nosec G204 -- callers pass fixed git config keys only.
+	if err != nil {
+		return ""
+	}
+	return strings.TrimSpace(string(out))
+}
+
+func (p huhInitRepositoryAccessPrompter) EditRepositoryAccess(prompt initRepositoryAccessPrompt) (initDraft, error) {
+	seed := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
+	editor := initRepositoryAccessLinearEditor(prompt.Context, seed)
+	model, err := p.runRepositoryAccessEditor(editor)
+	if err != nil {
+		return initDraft{}, err
+	}
+	switch model.resultAction {
+	case initDetailActionEdit:
+		return initRepositoryAccessDraftFromDocument(prompt.Context, seed, model.document), nil
+	case initLinearResultActionDelete:
+		selection := model.document.selectedValue(initRepositoryAccessFieldSelection)
+		return initDraft{
+			Action:       initDraftActionDeleteRepositoryAccess,
+			ActionTarget: selection,
+		}, nil
+	case initLinearResultActionRestore:
+		selection := model.document.selectedValue(initRepositoryAccessFieldSelection)
+		name, _ := initRepositoryAccessRestoreSelectionName(selection)
+		return initDraft{
+			Action:       initDraftActionUndoDeleteRepositoryAccess,
+			ActionTarget: name,
+		}, nil
+	default:
+		return initDraft{}, errInitNavigateBack
+	}
+}
+
+func (p huhInitRepositoryAccessPrompter) runRepositoryAccessEditor(editor initLinearEditor) (initLinearEditorModel, error) {
+	if p.editorRunner != nil {
+		return p.editorRunner(editor, p.stdin, p.stderr)
+	}
+	program := tea.NewProgram(newInitLinearEditorModel(editor, 100, 28), tea.WithInput(p.stdin), tea.WithOutput(p.stderr))
+	finalModel, err := program.Run()
+	if err != nil {
+		return initLinearEditorModel{}, err
+	}
+	model, ok := finalModel.(initLinearEditorModel)
+	if !ok {
+		return initLinearEditorModel{}, fmt.Errorf("repository access editor returned %T", finalModel)
+	}
+	return model, nil
+}
+
+func initRepositoryAccessLinearEditor(ctx initPromptContext, _ initDraft) initLinearEditor {
+	options := initRepositoryAccessSelectionOptionsForContext(ctx)
+	selection := initRepositoryAccessDefaultSelection(ctx, options)
+	scope := initRepositoryAccessScopeForSelection(ctx, selection)
+
+	var document initLinearDocument
+	document.addSection("Repository access", "Configure how cr accesses Git hosts as you. Review profiles select one repository access entry.")
+	document.addEditableSelect(initRepositoryAccessFieldSelection, "Repository access", "", options, selection)
+	document.addEditableInput(initRepositoryAccessFieldName, "Repository access name", "Stable name for this repository access entry.", scope.Name, validateRequiredText("repository access name is required"))
+	document.addEditableInput(initRepositoryAccessFieldHost, "Git host", "Git host this access entry applies to, such as github.com or github.mycompany.com.", scope.Host, validateRequiredText("git host is required"))
+	document.addEditableSelect(initRepositoryAccessFieldAuth, "Git auth mode", "", []huh.Option[string]{
+		huh.NewOption("Personal access token", string(config.GitAuthModePAT)),
+		huh.NewOption("GitHub App", string(config.GitAuthModeGitHubApp)),
+	}, string(scope.AuthMode))
+	document.addEditableInput(initRepositoryAccessFieldGitHubAppID, "GitHub App ID", "Numeric GitHub App ID. This is not a secret and is saved in config.yml.", scope.GitHubAppID, validateOptionalDecimalID("GitHub App ID"), initLinearFieldOptions{Hidden: scope.AuthMode != config.GitAuthModeGitHubApp})
+	document.addEditableSelect(initRepositoryAccessFieldCredentialStore, "Git credential store", "Where this access entry's Git credential is stored.", initCredentialStoreOptions(ctx.ExistingConfig), initCredentialStoreDraftValue(scope.CredentialStore))
+	document.addEditableInput(initRepositoryAccessFieldCredentialName, "Git credential name", "Full credential name under the selected store.", scope.CredentialRef, validateRequiredCredentialRef)
+	document.addSectionField(initRepositoryAccessFieldCredentialStatus, "Git credential status", "")
+	document.addSectionField(initRepositoryAccessFieldCredentialValues, "Git credential value", "Enter the required Git credential here. Values are hidden, staged in memory, and written only when you Commit staged changes and exit.")
+	document.addEditableSecretInput(initRepositoryAccessFieldGitToken, "GitHub PAT", "Required for repository access with personal access token auth. Leave blank only when the status above already shows git_token as existing or staged.", "", nil)
+	document.addEditableSecretTextarea(initRepositoryAccessFieldGitHubAppPrivateKey, "GitHub App private key", "Required for repository access with GitHub App auth. Paste the PEM private key; ctrl+j or alt+enter inserts a newline.", "")
+	document.addEditableSelect(initRepositoryAccessFieldAction, "Repository access action", "", []huh.Option[string]{
+		huh.NewOption("Stage repository access settings", initDetailActionEdit),
+		huh.NewOption("Back without staging", initDetailActionBack),
+	}, initDetailActionEdit)
+
+	editor := initLinearEditor{
+		Document: document,
+		OnFieldChange: func(model *initLinearEditorModel, index int) {
+			if index < 0 || index >= len(model.document) {
+				return
+			}
+			//nolint:exhaustive // This repository-access editor reacts only to fields that affect derived repository-access state.
+			switch model.document[index].ID {
+			case initRepositoryAccessFieldSelection:
+				initRepositoryAccessSyncFields(model, ctx)
+			case initRepositoryAccessFieldName:
+				initRepositoryAccessMaybeUpdateAutoCredentialRef(model)
+				initRepositoryAccessRefreshCredentialStatus(model, ctx)
+			case initRepositoryAccessFieldCredentialName:
+				model.document[index].AutoManaged = false
+				initRepositoryAccessRefreshCredentialStatus(model, ctx)
+			case initRepositoryAccessFieldCredentialStore:
+				initRepositoryAccessRefreshCredentialStatus(model, ctx)
+			case initRepositoryAccessFieldAuth:
+				initRepositoryAccessSyncGitHubAppField(model)
+				initRepositoryAccessSetCredentialFieldsHidden(model)
+				initRepositoryAccessClearCredentialFieldValues(model)
+				initRepositoryAccessRefreshCredentialStatus(model, ctx)
+			case initRepositoryAccessFieldGitToken, initRepositoryAccessFieldGitHubAppPrivateKey:
+				initRepositoryAccessRefreshCredentialStatus(model, ctx)
+			default:
+				return
+			}
+		},
+		OnEnter: func(model *initLinearEditorModel) (bool, tea.Cmd) {
+			if model.focused < 0 || model.focused >= len(model.document) {
+				return false, nil
+			}
+			if model.document[model.focused].ID != initRepositoryAccessFieldAction {
+				return false, nil
+			}
+			switch model.document.selectedValue(initRepositoryAccessFieldAction) {
+			case initDetailActionBack:
+				model.resultAction = initDetailActionBack
+				return true, tea.Quit
+			case initDetailActionEdit:
+				if err := validateRepositoryAccessDocument(ctx, model.document); err != nil {
+					model.document[model.focused].Error = err.Error()
+					model.relayout()
+					model.ensureFocusedVisible()
+					return true, nil
+				}
+				model.resultAction = initDetailActionEdit
+				return true, tea.Quit
+			default:
+				return true, nil
+			}
+		},
+	}
+	model := newInitLinearEditorModel(editor, 100, 28)
+	initRepositoryAccessSyncFields(&model, ctx)
+	editor.Document = model.document
+	return editor
+}
+
+func initRepositoryAccessSelectionOptions(scopes map[string]initGitScopeDraft) []huh.Option[string] {
+	names := make([]string, 0, len(scopes))
+	for name := range scopes {
+		names = append(names, name)
+	}
+	sort.Strings(names)
+	options := make([]huh.Option[string], 0, len(names)+1)
+	for _, name := range names {
+		options = append(options, huh.NewOption(initGitScopeLabel(scopes[name]), name))
+	}
+	options = append(options, huh.NewOption("Configure new repository access", initConfigureNewRepositoryAccessSelection))
+	return options
+}
+
+func initRepositoryAccessSelectionOptionsForContext(ctx initPromptContext) []huh.Option[string] {
+	options := initRepositoryAccessSelectionOptions(ctx.GitScopes)
+	pendingNames := make([]string, 0, len(ctx.PendingRepositoryAccessDeletes))
+	for name := range ctx.PendingRepositoryAccessDeletes {
+		pendingNames = append(pendingNames, name)
+	}
+	sort.Strings(pendingNames)
+	for _, name := range pendingNames {
+		options = append(options, huh.NewOption(repositoryAccessDeletePendingLabel(name), initRepositoryAccessRestoreSelectionPrefix+name))
+	}
+	return dedupeInitStringOptions(options)
+}
+
+func initRepositoryAccessDefaultSelection(ctx initPromptContext, options []huh.Option[string]) string {
+	if ctx.ExistingProfileName != "" {
+		if selected := strings.TrimSpace(ctx.ProfileGitScopes[ctx.ExistingProfileName]); selected != "" {
+			return normalizeInitStringSelectionValue(selected, options)
+		}
+	}
+	return normalizeInitStringSelectionValue(initConfigureNewRepositoryAccessSelection, options)
+}
+
+func initRepositoryAccessScopeForSelection(ctx initPromptContext, selection string) initGitScopeDraft {
+	if selection != initConfigureNewRepositoryAccessSelection {
+		if scope, ok := ctx.GitScopes[selection]; ok {
+			scope.Name = selection
+			return scope
+		}
+	}
+	name := uniqueInitGitScopeName(ctx.GitScopes, initGitScopeDraft{
+		Host:     "github.com",
+		AuthMode: config.GitAuthModePAT,
+	}.suggestedRepositoryAccessName())
+	return initGitScopeDraft{
+		Name:            name,
+		Host:            "github.com",
+		AuthMode:        config.GitAuthModePAT,
+		CredentialStore: initCredentialStoreDefaultID(),
+		CredentialRef:   initRepositoryAccessCredentialRef(name),
+	}
+}
+
+func initRepositoryAccessRestoreSelectionName(selection string) (string, bool) {
+	if !strings.HasPrefix(selection, initRepositoryAccessRestoreSelectionPrefix) {
+		return "", false
+	}
+	return strings.TrimPrefix(selection, initRepositoryAccessRestoreSelectionPrefix), true
+}
+
+func repositoryAccessDeletePendingLabel(name string) string {
+	name = strings.TrimSpace(name)
+	if name == "" {
+		return "Repository access (Staged for deletion)"
+	}
+	return fmt.Sprintf("%s (Staged for deletion)", name)
+}
+
+func initRepositoryAccessSyncFields(model *initLinearEditorModel, ctx initPromptContext) {
+	selection := model.document.selectedValue(initRepositoryAccessFieldSelection)
+	initRepositoryAccessSetSelectionOptions(model, ctx, selection)
+	scope := initRepositoryAccessScopeForSelection(ctx, selection)
+	hideDetails := false
+	if _, restore := initRepositoryAccessRestoreSelectionName(selection); restore {
+		hideDetails = true
+	}
+	model.setFieldValue(initRepositoryAccessFieldName, scope.Name)
+	model.setFieldValue(initRepositoryAccessFieldHost, scope.Host)
+	model.selectFieldValue(initRepositoryAccessFieldAuth, string(scope.AuthMode))
+	model.setFieldValue(initRepositoryAccessFieldGitHubAppID, scope.GitHubAppID)
+	model.selectFieldValue(initRepositoryAccessFieldCredentialStore, initCredentialStoreDraftValue(scope.CredentialStore))
+	model.setFieldValue(initRepositoryAccessFieldCredentialName, scope.CredentialRef)
+	if refIndex := model.document.fieldIndexByID(initRepositoryAccessFieldCredentialName); refIndex >= 0 {
+		model.document[refIndex].AutoManaged = initRepositoryAccessCredentialRef(scope.Name) == strings.TrimSpace(scope.CredentialRef)
+	}
+	initRepositoryAccessSetDetailsHidden(model, hideDetails)
+	if hideDetails {
+		return
+	}
+	initRepositoryAccessSyncGitHubAppField(model)
+	initRepositoryAccessSetCredentialFieldsHidden(model)
+	initRepositoryAccessClearCredentialFieldValues(model)
+	initRepositoryAccessRefreshCredentialStatus(model, ctx)
+}
+
+func initRepositoryAccessSetSelectionOptions(model *initLinearEditorModel, ctx initPromptContext, selected string) {
+	index := model.document.fieldIndexByID(initRepositoryAccessFieldSelection)
+	if index < 0 {
+		return
+	}
+	options := initLinearOptionsFromHuh(initRepositoryAccessSelectionOptionsForContext(ctx), selected)
+	for optionIndex := range options {
+		option := &options[optionIndex]
+		if _, configured := ctx.ExistingConfig.RepositoryAccess[option.Value]; configured {
+			option.Deletable = true
+		}
+		if _, restorable := initRepositoryAccessRestoreSelectionName(option.Value); restorable {
+			option.Restorable = true
+		}
+	}
+	model.document[index].Options = options
+}
+
+func initRepositoryAccessSetDetailsHidden(model *initLinearEditorModel, hidden bool) {
+	for _, id := range []initLinearFieldID{
+		initRepositoryAccessFieldName,
+		initRepositoryAccessFieldHost,
+		initRepositoryAccessFieldAuth,
+		initRepositoryAccessFieldCredentialStore,
+		initRepositoryAccessFieldCredentialName,
+		initRepositoryAccessFieldCredentialStatus,
+		initRepositoryAccessFieldCredentialValues,
+		initRepositoryAccessFieldAction,
+	} {
+		model.setFieldHidden(id, hidden)
+	}
+	if hidden {
+		for _, id := range []initLinearFieldID{
+			initRepositoryAccessFieldGitHubAppID,
+			initRepositoryAccessFieldGitToken,
+			initRepositoryAccessFieldGitHubAppPrivateKey,
+		} {
+			model.setFieldHidden(id, true)
+		}
+	}
+}
+
+func initRepositoryAccessMaybeUpdateAutoCredentialRef(model *initLinearEditorModel) {
+	refIndex := model.document.fieldIndexByID(initRepositoryAccessFieldCredentialName)
+	if refIndex < 0 || !model.document[refIndex].AutoManaged {
+		return
+	}
+	model.setFieldValue(initRepositoryAccessFieldCredentialName, initRepositoryAccessCredentialRef(model.document.fieldValue(initRepositoryAccessFieldName)))
+	if refIndex = model.document.fieldIndexByID(initRepositoryAccessFieldCredentialName); refIndex >= 0 {
+		model.document[refIndex].AutoManaged = true
+	}
+}
+
+func initRepositoryAccessCredentialRef(name string) string {
+	segment := credstore.EscapeRefSegment(strings.TrimSpace(name))
+	ref, err := credentials.FormatRef(segment)
+	if err != nil {
+		return ""
+	}
+	return ref
+}
+
+func (scope initGitScopeDraft) suggestedRepositoryAccessName() string {
+	if config.NormalizeHost(scope.Host) == "github.com" && scope.AuthMode == config.GitAuthModePAT {
+		if username := initRepositoryAccessLocalGitHubUsername(); username != "" {
+			return "github-" + username
+		}
+	}
+	return scope.suggestedName()
+}
+
+func initRepositoryAccessLocalGitHubUsername() string {
+	for _, key := range []string{"github.user", "github.username"} {
+		if username := normalizeRepositoryAccessNameSegment(initRepositoryAccessGitConfigValue(key)); username != "" {
+			return username
+		}
+	}
+	return ""
+}
+
+func normalizeRepositoryAccessNameSegment(value string) string {
+	segment := credstore.EscapeRefSegment(strings.TrimSpace(value))
+	segment = strings.Trim(segment, "-_")
+	return strings.ToLower(segment)
+}
+
+func initRepositoryAccessSetCredentialFieldsHidden(model *initLinearEditorModel) {
+	authMode := config.GitAuthMode(model.document.selectedValue(initRepositoryAccessFieldAuth))
+	model.setFieldHidden(initRepositoryAccessFieldGitToken, authMode != config.GitAuthModePAT)
+	model.setFieldHidden(initRepositoryAccessFieldGitHubAppPrivateKey, authMode != config.GitAuthModeGitHubApp)
+}
+
+func initRepositoryAccessClearCredentialFieldValues(model *initLinearEditorModel) {
+	for _, id := range []initLinearFieldID{
+		initRepositoryAccessFieldGitToken,
+		initRepositoryAccessFieldGitHubAppPrivateKey,
+	} {
+		model.setFieldValue(id, "")
+	}
+}
+
+func initRepositoryAccessCredentialFieldID(key string) initLinearFieldID {
+	switch key {
+	case credentials.GitTokenKey:
+		return initRepositoryAccessFieldGitToken
+	case credentials.GitHubAppPrivateKeyKey:
+		return initRepositoryAccessFieldGitHubAppPrivateKey
+	default:
+		return ""
+	}
+}
+
+func initRepositoryAccessRefreshCredentialStatus(model *initLinearEditorModel, ctx initPromptContext) {
+	if status, ok := repositoryAccessCredentialStatusForDocument(ctx, model.document); ok {
+		model.setFieldDescription(initRepositoryAccessFieldCredentialStatus, initRepositoryAccessCredentialStatusDescription(status))
+	}
+}
+
+func repositoryAccessCredentialStatusForDocument(ctx initPromptContext, document initLinearDocument) (initReviewerCredentialStatus, bool) {
+	status, ok := baseRepositoryAccessCredentialStatusForDocument(ctx, document)
+	if !ok {
+		return initReviewerCredentialStatus{}, false
+	}
+	return repositoryAccessCredentialStatusWithDocumentWrites(status, document), true
+}
+
+func baseRepositoryAccessCredentialStatusForDocument(ctx initPromptContext, document initLinearDocument) (initReviewerCredentialStatus, bool) {
+	ref := config.CredentialRef{
+		Purpose: "git",
+		Store:   initCredentialStoreDraftValue(document.selectedValue(initRepositoryAccessFieldCredentialStore)),
+		Ref:     strings.TrimSpace(document.fieldValue(initRepositoryAccessFieldCredentialName)),
+		Mode:    document.selectedValue(initRepositoryAccessFieldAuth),
+	}
+	if ref.Ref == "" {
+		return initReviewerCredentialStatus{}, false
+	}
+	for _, status := range ctx.RepositoryAccessCredentialStatuses {
+		if status.Ref.Purpose == ref.Purpose &&
+			initCredentialStoreDraftValue(status.Ref.Store) == initCredentialStoreDraftValue(ref.Store) &&
+			status.Ref.Ref == ref.Ref &&
+			status.Ref.Mode == ref.Mode {
+			return status, true
+		}
+	}
+	if initReviewerCredentialStatusListContainsUnavailable(ctx.RepositoryAccessCredentialStatuses) {
+		return synthesizeUnavailableReviewerCredentialStatus(ctx, ref), true
+	}
+	return synthesizeReviewerCredentialStatus(ctx, ref), true
+}
+
+func repositoryAccessCredentialStatusWithDocumentWrites(status initReviewerCredentialStatus, document initLinearDocument) initReviewerCredentialStatus {
+	status.Keys = append([]initReviewerCredentialKeyStatus(nil), status.Keys...)
+	for index, key := range status.Keys {
+		fieldID := initRepositoryAccessCredentialFieldID(key.Key)
+		if fieldID == "" || document.fieldHidden(fieldID) {
+			continue
+		}
+		if strings.TrimSpace(credentials.TrimSecretIngress(document.fieldValue(fieldID))) == "" {
+			continue
+		}
+		status.Keys[index].State = initReviewerCredentialKeyStaged
+	}
+	return status
+}
+
+func initRepositoryAccessCredentialStatusDescription(status initReviewerCredentialStatus) string {
+	return initReviewerCredentialStatusDescription(status)
+}
+
+func missingRepositoryAccessInlineCredentialKeys(ctx initPromptContext, status initReviewerCredentialStatus, document initLinearDocument) []string {
+	var missing []string
+	keepsCurrentRef := repositoryAccessKeepsCurrentCredentialRef(ctx, document)
+	for _, key := range status.Keys {
+		if !key.Required {
+			continue
+		}
+		switch key.State {
+		case initReviewerCredentialKeyExisting, initReviewerCredentialKeyStaged:
+			continue
+		case initReviewerCredentialKeyUnavailable:
+			if keepsCurrentRef {
+				continue
+			}
+		case initReviewerCredentialKeyMissing, initReviewerCredentialKeyDeferred, initReviewerCredentialKeySkippedOptional, initReviewerCredentialKeyOptional:
+		}
+		missing = append(missing, key.Key)
+	}
+	return missing
+}
+
+func repositoryAccessKeepsCurrentCredentialRef(ctx initPromptContext, document initLinearDocument) bool {
+	selection := document.selectedValue(initRepositoryAccessFieldSelection)
+	if selection == "" || selection == initConfigureNewRepositoryAccessSelection {
+		return false
+	}
+	scope, ok := ctx.GitScopes[selection]
+	if !ok {
+		return false
+	}
+	return initCredentialStoreDraftValue(document.selectedValue(initRepositoryAccessFieldCredentialStore)) == initCredentialStoreDraftValue(scope.CredentialStore) &&
+		strings.TrimSpace(document.fieldValue(initRepositoryAccessFieldCredentialName)) == strings.TrimSpace(scope.CredentialRef) &&
+		document.selectedValue(initRepositoryAccessFieldAuth) == string(scope.AuthMode)
+}
+
+func repositoryAccessCredentialWritesFromDocument(status initReviewerCredentialStatus, document initLinearDocument) (map[string]string, bool) {
+	writes := map[string]string{}
+	keyStates := make(map[string]initReviewerCredentialKeyState, len(status.Keys))
+	for _, key := range status.Keys {
+		keyStates[key.Key] = key.State
+	}
+	overwrite := false
+	for _, key := range status.Keys {
+		fieldID := initRepositoryAccessCredentialFieldID(key.Key)
+		if fieldID == "" || document.fieldHidden(fieldID) {
+			continue
+		}
+		value := credentials.TrimSecretIngress(document.fieldValue(fieldID))
+		if strings.TrimSpace(value) == "" {
+			continue
+		}
+		writes[key.Key] = value
+		if keyStates[key.Key] == initReviewerCredentialKeyExisting {
+			overwrite = true
+		}
+	}
+	return writes, overwrite
+}
+
+func initRepositoryAccessSyncGitHubAppField(model *initLinearEditorModel) {
+	authMode := config.GitAuthMode(model.document.selectedValue(initRepositoryAccessFieldAuth))
+	hidden := authMode != config.GitAuthModeGitHubApp
+	model.setFieldHidden(initRepositoryAccessFieldGitHubAppID, hidden)
+	if hidden {
+		model.setFieldValue(initRepositoryAccessFieldGitHubAppID, "")
+	}
+}
+
+func validateRepositoryAccessDocument(ctx initPromptContext, document initLinearDocument) error {
+	if err := validateRequiredText("repository access name is required")(document.fieldValue(initRepositoryAccessFieldName)); err != nil {
+		return err
+	}
+	if err := validateRequiredText("git host is required")(document.fieldValue(initRepositoryAccessFieldHost)); err != nil {
+		return err
+	}
+	if config.GitAuthMode(document.selectedValue(initRepositoryAccessFieldAuth)) == config.GitAuthModeGitHubApp {
+		appID := strings.TrimSpace(document.fieldValue(initRepositoryAccessFieldGitHubAppID))
+		if appID == "" {
+			return fmt.Errorf("GitHub App ID is required")
+		}
+		if err := validateOptionalDecimalID("GitHub App ID")(appID); err != nil {
+			return err
+		}
+	}
+	if err := validateRequiredCredentialRef(document.fieldValue(initRepositoryAccessFieldCredentialName)); err != nil {
+		return err
+	}
+	status, ok := repositoryAccessCredentialStatusForDocument(ctx, document)
+	if !ok {
+		return fmt.Errorf("git credential status unavailable")
+	}
+	if missing := missingRepositoryAccessInlineCredentialKeys(ctx, status, document); len(missing) > 0 {
+		return fmt.Errorf("set repository access credentials before staging: %s", strings.Join(missing, ", "))
+	}
+	return nil
+}
+
+func initRepositoryAccessDraftFromDocument(ctx initPromptContext, seed initDraft, document initLinearDocument) initDraft {
+	draft := seed
+	draft.RepositoryAccessName = strings.TrimSpace(document.fieldValue(initRepositoryAccessFieldName))
+	draft.GitHost = strings.TrimSpace(document.fieldValue(initRepositoryAccessFieldHost))
+	draft.GitAuth = document.selectedValue(initRepositoryAccessFieldAuth)
+	draft.GitHubAppID = strings.TrimSpace(document.fieldValue(initRepositoryAccessFieldGitHubAppID))
+	draft.GitCredentialStore = initCredentialStoreDraftValue(document.selectedValue(initRepositoryAccessFieldCredentialStore))
+	draft.GitCredentialRef = strings.TrimSpace(document.fieldValue(initRepositoryAccessFieldCredentialName))
+	applyRepositoryAccessCredentialDraftFromDocument(&draft, ctx, document)
+	selection := document.selectedValue(initRepositoryAccessFieldSelection)
+	if selection != "" && selection != initConfigureNewRepositoryAccessSelection {
+		draft.ActionTarget = selection
+	}
+	return draft
+}
+
+func applyRepositoryAccessCredentialDraftFromDocument(draft *initDraft, ctx initPromptContext, document initLinearDocument) {
+	originalStatus, ok := baseRepositoryAccessCredentialStatusForDocument(ctx, document)
+	if !ok {
+		return
+	}
+	status := repositoryAccessCredentialStatusWithDocumentWrites(originalStatus, document)
+	ref := strings.TrimSpace(status.Ref.Ref)
+	if ref == "" {
+		return
+	}
+	writes, overwrite := repositoryAccessCredentialWritesFromDocument(originalStatus, document)
+	draft.GitCredentialWriteRef = ref
+	draft.GitCredentialStore = initCredentialStoreDraftValue(status.Ref.Store)
+	draft.GitCredentialWriteStore = status.SecretsProfile
+	draft.GitCredentialWrites = writes
+	draft.GitCredentialOverwrite = overwrite
+	draft.GitCredentialSatisfied = repositoryAccessKeepsCurrentCredentialRef(ctx, document) || len(missingRepositoryAccessInlineCredentialKeys(ctx, status, document)) == 0
+}
diff --git a/internal/cmd/credentialcmd/init_reviewer_credential_status.go b/internal/cmd/credentialcmd/init_reviewer_credential_status.go
index 2b1c10b0..457c0611 100644
--- a/internal/cmd/credentialcmd/init_reviewer_credential_status.go
+++ b/internal/cmd/credentialcmd/init_reviewer_credential_status.go
@@ -45,6 +45,30 @@ func currentInteractiveInitReviewerEntityPromptContext(opts *root.Options, deps
 	return ctx
 }
 
+func currentInteractiveInitRepositoryAccessPromptContext(opts *root.Options, deps initDeps, session initSessionDraft) initPromptContext {
+	ctx := currentInteractiveInitInventoryPromptContext(session)
+	if opts != nil {
+		ctx.BackendArg = opts.Backend
+	}
+	ctx.BackendFlagSet = session.backendFlagSet
+	ctx.RepositoryAccessCredentialStatuses = buildInteractiveInitRepositoryAccessCredentialStatuses(opts, deps, session)
+	return ctx
+}
+
+func buildInteractiveInitRepositoryAccessCredentialStatuses(opts *root.Options, deps initDeps, session initSessionDraft) []initReviewerCredentialStatus {
+	plannedWriteKeys := projectInitPlannedWriteKeys(session.writes)
+	entries := standaloneRepositoryAccessPlanEntries(session.cfg, plannedWriteKeys)
+	writes, _, satisfiedRefs := filterInteractiveInitStagedCredentialStateByStore(
+		cloneInitWrites(session.writes),
+		map[string]bool{},
+		cloneInitBoolMap(session.satisfiedRefs),
+		session.credentialWriteStores,
+		entries,
+	)
+	entries = refreshInteractiveCredentialPlan(entries, projectInitPlannedWriteKeys(writes), satisfiedRefs)
+	return buildInteractiveInitCredentialStatuses(opts, deps, session, entries, writes, "git")
+}
+
 func buildInteractiveInitReviewerCredentialStatuses(opts *root.Options, deps initDeps, session initSessionDraft) []initReviewerCredentialStatus {
 	if session.workspace == nil {
 		return nil
@@ -60,6 +84,10 @@ func buildInteractiveInitReviewerCredentialStatuses(opts *root.Options, deps ini
 	)
 	plannedWriteKeys = projectInitPlannedWriteKeys(writes)
 	entries = refreshInteractiveCredentialPlan(entries, plannedWriteKeys, satisfiedRefs)
+	return buildInteractiveInitCredentialStatuses(opts, deps, session, entries, writes, "reviewer_credentials")
+}
+
+func buildInteractiveInitCredentialStatuses(opts *root.Options, deps initDeps, session initSessionDraft, entries []initCredentialPlanEntry, writes map[string]map[string]string, purpose string) []initReviewerCredentialStatus {
 	statuses := make([]initReviewerCredentialStatus, 0, len(entries))
 	stores := map[string]initStore{}
 	defer func() {
@@ -70,7 +98,7 @@ func buildInteractiveInitReviewerCredentialStatuses(opts *root.Options, deps ini
 		}
 	}()
 	for _, entry := range entries {
-		if entry.Ref.Purpose != "reviewer_credentials" || entry.State == initCredentialPlanStateClearRef {
+		if entry.Ref.Purpose != purpose || entry.State == initCredentialPlanStateClearRef {
 			continue
 		}
 		existing := map[string]bool{}
@@ -158,7 +186,7 @@ func appendSelectableReviewerCredentialPlanEntries(session initSessionDraft, pro
 	for _, entry := range entries {
 		seen[initCredentialEntryKey(entry.Ref)] = struct{}{}
 	}
-	if standardRef, err := credentials.FormatRef(session.workspace.profileName + "-reviewer"); err == nil {
+	if standardRef, err := initCredentialRefFromSeed(session.workspace.profileName + "-reviewer"); err == nil {
 		entries = appendReviewerCredentialPlanEntry(entries, seen, resolved, plannedWriteKeys, config.CredentialRef{
 			Purpose: "reviewer_credentials",
 			Store:   reviewerStoreID,
@@ -361,7 +389,11 @@ func initReviewerCredentialStatusDescription(status initReviewerCredentialStatus
 		}
 		lines = append(lines, trimmed)
 	}
-	lines = append(lines, "This is a credential name, not a PAT, GitHub App ID, private key, or installation ID.")
+	if config.GitAuthMode(status.Ref.Mode) == config.GitAuthModeGitHubApp {
+		lines = append(lines, "GitHub App ID is saved in config.yml. Secret values are collected separately.")
+	} else {
+		lines = append(lines, "This is a credential name, not a PAT or secret value.")
+	}
 	if strings.TrimSpace(status.Unavailable) != "" {
 		lines = append(lines, strings.TrimSpace(status.Unavailable)+".")
 	}
diff --git a/internal/cmd/credentialcmd/init_reviewer_entity_editor.go b/internal/cmd/credentialcmd/init_reviewer_entity_editor.go
index 8da8a17d..46354dc1 100644
--- a/internal/cmd/credentialcmd/init_reviewer_entity_editor.go
+++ b/internal/cmd/credentialcmd/init_reviewer_entity_editor.go
@@ -17,17 +17,17 @@ import (
 type initReviewerEntityEditorRunner func(initLinearEditor, io.Reader, io.Writer) (initLinearEditorModel, error)
 
 const (
-	initReviewerEntityFieldSelection               initLinearFieldID = "reviewer_entity_selection"
-	initReviewerEntityFieldLabel                   initLinearFieldID = "reviewer_entity_label"
-	initReviewerEntityFieldCredentialStore         initLinearFieldID = "reviewer_entity_credential_store"
-	initReviewerEntityFieldSecretLocation          initLinearFieldID = "reviewer_entity_secret_location"
-	initReviewerEntityFieldCredentialStatus        initLinearFieldID = "reviewer_entity_credential_status"
-	initReviewerEntityFieldCredentialValues        initLinearFieldID = "reviewer_entity_credential_values"
-	initReviewerEntityFieldGitToken                initLinearFieldID = "reviewer_entity_git_token"
-	initReviewerEntityFieldGitHubAppID             initLinearFieldID = "reviewer_entity_github_app_id"
-	initReviewerEntityFieldGitHubAppPrivateKey     initLinearFieldID = "reviewer_entity_github_app_private_key"
-	initReviewerEntityFieldGitHubAppInstallationID initLinearFieldID = "reviewer_entity_github_app_installation_id"
-	initReviewerEntityFieldAction                  initLinearFieldID = "reviewer_entity_action"
+	initReviewerEntityFieldSelection           initLinearFieldID = "reviewer_entity_selection"
+	initReviewerEntityFieldLabel               initLinearFieldID = "reviewer_entity_label"
+	initReviewerEntityFieldCredentialStore     initLinearFieldID = "reviewer_entity_credential_store"
+	initReviewerEntityFieldSecretLocation      initLinearFieldID = "reviewer_entity_secret_location"
+	initReviewerEntityFieldCredentialStatus    initLinearFieldID = "reviewer_entity_credential_status"
+	initReviewerEntityFieldGitHubAppDetails    initLinearFieldID = "reviewer_entity_github_app_details"
+	initReviewerEntityFieldCredentialValues    initLinearFieldID = "reviewer_entity_credential_values"
+	initReviewerEntityFieldGitToken            initLinearFieldID = "reviewer_entity_git_token"
+	initReviewerEntityFieldGitHubAppID         initLinearFieldID = "reviewer_entity_github_app_id"
+	initReviewerEntityFieldGitHubAppPrivateKey initLinearFieldID = "reviewer_entity_github_app_private_key"
+	initReviewerEntityFieldAction              initLinearFieldID = "reviewer_entity_action"
 )
 
 const (
@@ -72,7 +72,7 @@ func (p huhInitReviewerEntityPrompter) editReviewerEntityLinear(prompt initRevie
 }
 
 func (p huhInitReviewerEntityPrompter) editReviewerEntityFieldsLinear(ctx initPromptContext, entity initReviewerEntityDraft, seed initDraft, preserveCurrentLocation bool) (initDraft, bool, error) {
-	editorState, err := newReviewerEntityEditorState(entity, seed, preserveCurrentLocation)
+	editorState, err := newReviewerEntityEditorState(entity, seed, preserveCurrentLocation, ctx.StandaloneReviewerEntityMode)
 	if err != nil {
 		return initDraft{}, false, err
 	}
@@ -117,17 +117,32 @@ type reviewerEntityEditorState struct {
 	preserveCurrentLocation bool
 }
 
-func newReviewerEntityEditorState(entity initReviewerEntityDraft, seed initDraft, preserveCurrentLocation bool) (reviewerEntityEditorState, error) {
+func newReviewerEntityEditorState(entity initReviewerEntityDraft, seed initDraft, preserveCurrentLocation bool, standaloneReviewerEntityMode bool) (reviewerEntityEditorState, error) {
 	editDraft := seed
 	kind := entity.Kind
 	applyReviewerEntitySelection(&editDraft, string(kind))
+	if kind == initReviewerEntityKindGitHubApp {
+		editDraft.ReviewerGitHubAppID = strings.TrimSpace(entity.AppID)
+	} else {
+		editDraft.ReviewerGitHubAppID = ""
+	}
 	standardReviewerRef := ""
 	if kind != initReviewerEntityKindUseGitIdentity {
-		ref, err := standardReviewerCredentialRef(editDraft.ProfileName)
-		if err != nil {
-			return reviewerEntityEditorState{}, err
+		if preserveCurrentLocation && standaloneReviewerEntityMode && strings.TrimSpace(editDraft.ReviewerCredentialRef) != "" {
+			standardReviewerRef = strings.TrimSpace(editDraft.ReviewerCredentialRef)
+		} else if !standaloneReviewerEntityMode {
+			ref, err := standardReviewerCredentialRef(editDraft.ProfileName)
+			if err != nil {
+				return reviewerEntityEditorState{}, err
+			}
+			standardReviewerRef = ref
+		} else {
+			ref, err := standardReviewerCredentialRefForEntity(entity)
+			if err != nil {
+				return reviewerEntityEditorState{}, err
+			}
+			standardReviewerRef = ref
 		}
-		standardReviewerRef = ref
 	}
 	_, explicitDisplayName, fallbackLabelSeed := reviewerEntityEditorLabelSeed(entity)
 	return reviewerEntityEditorState{
@@ -169,6 +184,7 @@ func (s reviewerEntityEditorState) editor(ctx initPromptContext) initLinearEdito
 			labelInput,
 			validateOptionalDisplayName,
 		)
+		addReviewerEntityGitHubAppConfigFields(&document, s.kind, s.seed.ReviewerGitHubAppID, false)
 		document.addEditableSelect(
 			initReviewerEntityFieldCredentialStore,
 			"Reviewer credential store",
@@ -178,7 +194,7 @@ func (s reviewerEntityEditorState) editor(ctx initPromptContext) initLinearEdito
 		)
 		document.addEditableInput(
 			initReviewerEntityFieldSecretLocation,
-			"Reviewer secret location",
+			reviewerEntitySecretLocationTitle(s.kind),
 			reviewerEntitySecretLocationDescription(s.kind),
 			reviewerSecretLocation,
 			validateOptionalCredentialRef,
@@ -194,7 +210,7 @@ func (s reviewerEntityEditorState) editor(ctx initPromptContext) initLinearEdito
 		})
 		document.addSectionField(
 			initReviewerEntityFieldCredentialStatus,
-			"Reviewer credential status",
+			reviewerEntityCredentialStatusTitle(s.kind),
 			initReviewerCredentialStatusDescription(status),
 		)
 		addReviewerEntityCredentialValueFields(&document, s.kind, false)
@@ -266,6 +282,11 @@ func (s reviewerEntityEditorState) draftFromDocument(ctx initPromptContext, docu
 		return initDraft{}, err
 	}
 	editDraft.ReviewerCredentialStore = initCredentialStoreDraftValue(document.selectedValue(initReviewerEntityFieldCredentialStore))
+	appID, err := reviewerEntityGitHubAppIDFromDocument(s.kind, document)
+	if err != nil {
+		return initDraft{}, err
+	}
+	editDraft.ReviewerGitHubAppID = appID
 	if err := validateReviewerEntityInlineCredentials(ctx, s.seed, s, document); err != nil {
 		return initDraft{}, err
 	}
@@ -293,7 +314,7 @@ func initReviewerEntityLinearEditor(ctx initPromptContext, seed initDraft) initL
 	state, _ := reviewerEntityEditorStateForSelection(ctx, seed, selection)
 	var document initLinearDocument
 	document.addSection("Reviewer entity", reviewerEntitySelectionDescription())
-	document.addEditableSelect(initReviewerEntityFieldSelection, "Reviewer entity", "", options, selection)
+	document.addEditableSelect(initReviewerEntityFieldSelection, initReviewerEntitySelectionFieldTitle(ctx), initReviewerEntitySelectionFieldDescription(ctx), options, selection)
 	document.addSection("Reviewer details", "")
 	document.addEditableInput(
 		initReviewerEntityFieldLabel,
@@ -302,6 +323,7 @@ func initReviewerEntityLinearEditor(ctx initPromptContext, seed initDraft) initL
 		"",
 		validateOptionalDisplayName,
 	)
+	addReviewerEntityGitHubAppConfigFields(&document, state.kind, state.seed.ReviewerGitHubAppID, true)
 	document.addEditableSelect(
 		initReviewerEntityFieldCredentialStore,
 		"Reviewer credential store",
@@ -311,7 +333,7 @@ func initReviewerEntityLinearEditor(ctx initPromptContext, seed initDraft) initL
 	)
 	document.addEditableInput(
 		initReviewerEntityFieldSecretLocation,
-		"Reviewer secret location",
+		reviewerEntitySecretLocationTitle(state.kind),
 		reviewerEntitySecretLocationDescription(state.kind),
 		"",
 		validateOptionalCredentialRef,
@@ -381,7 +403,7 @@ func initReviewerEntityLinearEditor(ctx initPromptContext, seed initDraft) initL
 }
 
 func initReviewerEntityLinearSelectionOptions(ctx initPromptContext) []huh.Option[string] {
-	options := initReviewerEntityOptions(ctx.ReviewerEntities, focusedReviewerEntityFallbackLabel(ctx.ExistingProfile))
+	options := initReviewerEntityOptionsForContext(ctx)
 	pendingNames := make([]string, 0, len(ctx.PendingReviewerEntityDeletes))
 	for name := range ctx.PendingReviewerEntityDeletes {
 		pendingNames = append(pendingNames, name)
@@ -393,6 +415,38 @@ func initReviewerEntityLinearSelectionOptions(ctx initPromptContext) []huh.Optio
 	return dedupeInitStringOptions(options)
 }
 
+func initReviewerEntityOptionsForContext(ctx initPromptContext) []huh.Option[string] {
+	if !ctx.StandaloneReviewerEntityMode {
+		return initReviewerEntityOptions(ctx.ReviewerEntities, focusedReviewerEntityFallbackLabel(ctx.ExistingProfile))
+	}
+	names := configuredInitReviewerEntityNames(ctx.ReviewerEntities)
+	sort.Strings(names)
+	options := make([]huh.Option[string], 0, len(names)+2)
+	for _, name := range names {
+		entity := ctx.ReviewerEntities[name]
+		options = append(options, huh.NewOption(initReviewerEntityLabel(entity), name))
+	}
+	options = append(options,
+		huh.NewOption(reviewerEntityTemplatePATLabel(), string(initReviewerEntityKindPAT)),
+		huh.NewOption(reviewerEntityTemplateGitHubAppLabel(), string(initReviewerEntityKindGitHubApp)),
+	)
+	return dedupeInitStringOptions(options)
+}
+
+func initReviewerEntitySelectionFieldTitle(ctx initPromptContext) string {
+	if ctx.StandaloneReviewerEntityMode {
+		return "Actions"
+	}
+	return "Reviewer entity"
+}
+
+func initReviewerEntitySelectionFieldDescription(ctx initPromptContext) string {
+	if ctx.StandaloneReviewerEntityMode {
+		return "Configure a new reviewer entity or edit a configured reviewer entity."
+	}
+	return ""
+}
+
 func initReviewerEntityDefaultSelection(ctx initPromptContext, seed initDraft, options []huh.Option[string]) string {
 	if selected := strings.TrimSpace(ctx.ProfileReviewerEntities[ctx.ExistingProfileName]); selected != "" {
 		return normalizeInitStringSelectionValue(normalizeReviewerEntitySelectionValue(selected, ctx.ReviewerEntities), options)
@@ -426,6 +480,24 @@ func initReviewerEntityActionOptions(_ initPromptContext, selection string) []hu
 	return options
 }
 
+func addReviewerEntityGitHubAppConfigFields(document *initLinearDocument, kind initReviewerEntityKind, appID string, hidden bool) {
+	hideGitHubApp := hidden || kind != initReviewerEntityKindGitHubApp
+	document.addSectionField(
+		initReviewerEntityFieldGitHubAppDetails,
+		"GitHub App details",
+		"",
+		initLinearFieldOptions{Hidden: hideGitHubApp},
+	)
+	document.addEditableInput(
+		initReviewerEntityFieldGitHubAppID,
+		"GitHub App ID",
+		"Numeric GitHub App ID. This is not a secret and is saved in config.yml.",
+		strings.TrimSpace(appID),
+		validateOptionalDecimalID("GitHub App ID"),
+		initLinearFieldOptions{Hidden: hideGitHubApp},
+	)
+}
+
 func addReviewerEntityCredentialValueFields(document *initLinearDocument, kind initReviewerEntityKind, hidden bool) {
 	document.addSectionField(
 		initReviewerEntityFieldCredentialValues,
@@ -441,14 +513,6 @@ func addReviewerEntityCredentialValueFields(document *initLinearDocument, kind i
 		nil,
 		initLinearFieldOptions{Hidden: hidden || kind != initReviewerEntityKindPAT},
 	)
-	document.addEditableSecretInput(
-		initReviewerEntityFieldGitHubAppID,
-		"GitHub App ID",
-		"Required for GitHub App reviewers. This is stored as github_app_id at the destination above.",
-		"",
-		nil,
-		initLinearFieldOptions{Hidden: hidden || kind != initReviewerEntityKindGitHubApp},
-	)
 	document.addEditableSecretTextarea(
 		initReviewerEntityFieldGitHubAppPrivateKey,
 		"GitHub App private key",
@@ -458,14 +522,6 @@ func addReviewerEntityCredentialValueFields(document *initLinearDocument, kind i
 	if index := document.fieldIndexByID(initReviewerEntityFieldGitHubAppPrivateKey); index >= 0 {
 		(*document)[index].Hidden = hidden || kind != initReviewerEntityKindGitHubApp
 	}
-	document.addEditableSecretInput(
-		initReviewerEntityFieldGitHubAppInstallationID,
-		"GitHub App installation ID",
-		"Optional. Leave blank unless this reviewer must pin a specific installation.",
-		"",
-		nil,
-		initLinearFieldOptions{Hidden: hidden || kind != initReviewerEntityKindGitHubApp},
-	)
 }
 
 func initReviewerEntitySetCredentialFieldsHidden(model *initLinearEditorModel, kind initReviewerEntityKind, hideDetails bool) {
@@ -473,17 +529,22 @@ func initReviewerEntitySetCredentialFieldsHidden(model *initLinearEditorModel, k
 	hideGitHubApp := hideDetails || kind != initReviewerEntityKindGitHubApp
 	model.setFieldHidden(initReviewerEntityFieldCredentialValues, hideDetails)
 	model.setFieldHidden(initReviewerEntityFieldGitToken, hidePAT)
-	model.setFieldHidden(initReviewerEntityFieldGitHubAppID, hideGitHubApp)
 	model.setFieldHidden(initReviewerEntityFieldGitHubAppPrivateKey, hideGitHubApp)
-	model.setFieldHidden(initReviewerEntityFieldGitHubAppInstallationID, hideGitHubApp)
+}
+
+func initReviewerEntitySetGitHubAppConfigFieldsHidden(model *initLinearEditorModel, kind initReviewerEntityKind, hideDetails bool) {
+	hideGitHubApp := hideDetails || kind != initReviewerEntityKindGitHubApp
+	model.setFieldHidden(initReviewerEntityFieldGitHubAppDetails, hideGitHubApp)
+	model.setFieldHidden(initReviewerEntityFieldGitHubAppID, hideGitHubApp)
+	if hideGitHubApp {
+		model.setFieldValue(initReviewerEntityFieldGitHubAppID, "")
+	}
 }
 
 func initReviewerEntityClearCredentialFieldValues(model *initLinearEditorModel) {
 	for _, id := range []initLinearFieldID{
 		initReviewerEntityFieldGitToken,
-		initReviewerEntityFieldGitHubAppID,
 		initReviewerEntityFieldGitHubAppPrivateKey,
-		initReviewerEntityFieldGitHubAppInstallationID,
 	} {
 		model.setFieldValue(id, "")
 	}
@@ -532,12 +593,8 @@ func initReviewerEntityCredentialFieldKey(id initLinearFieldID) string {
 	switch id {
 	case initReviewerEntityFieldGitToken:
 		return credentials.GitTokenKey
-	case initReviewerEntityFieldGitHubAppID:
-		return credentials.GitHubAppIDKey
 	case initReviewerEntityFieldGitHubAppPrivateKey:
 		return credentials.GitHubAppPrivateKeyKey
-	case initReviewerEntityFieldGitHubAppInstallationID:
-		return credentials.GitHubAppInstallationIDKey
 	default:
 		return ""
 	}
@@ -547,12 +604,8 @@ func initReviewerEntityCredentialFieldID(key string) initLinearFieldID {
 	switch key {
 	case credentials.GitTokenKey:
 		return initReviewerEntityFieldGitToken
-	case credentials.GitHubAppIDKey:
-		return initReviewerEntityFieldGitHubAppID
 	case credentials.GitHubAppPrivateKeyKey:
 		return initReviewerEntityFieldGitHubAppPrivateKey
-	case credentials.GitHubAppInstallationIDKey:
-		return initReviewerEntityFieldGitHubAppInstallationID
 	default:
 		return ""
 	}
@@ -783,8 +836,11 @@ func initReviewerEntitySyncLinearFields(model *initLinearEditorModel, ctx initPr
 	model.setFieldHidden(initReviewerEntityFieldCredentialStore, hideDetails)
 	model.setFieldHidden(initReviewerEntityFieldSecretLocation, hideDetails)
 	model.setFieldHidden(initReviewerEntityFieldCredentialStatus, hideDetails)
+	initReviewerEntitySetGitHubAppConfigFieldsHidden(model, state.kind, hideDetails)
 	initReviewerEntitySetCredentialFieldsHidden(model, state.kind, hideDetails)
 	if !hideDetails {
+		model.setFieldTitle(initReviewerEntityFieldSecretLocation, reviewerEntitySecretLocationTitle(state.kind))
+		model.setFieldTitle(initReviewerEntityFieldCredentialStatus, reviewerEntityCredentialStatusTitle(state.kind))
 		model.setFieldDescription(initReviewerEntityFieldSecretLocation, reviewerEntitySecretLocationDescription(state.kind))
 	}
 	if resetDetails && !hideDetails {
@@ -808,6 +864,7 @@ func initReviewerEntitySyncLinearFields(model *initLinearEditorModel, ctx initPr
 			reviewerSecretLocation = initReviewerEntityDefaultSecretLocation(state, labelInput)
 		}
 		model.setFieldValue(initReviewerEntityFieldLabel, labelInput)
+		model.setFieldValue(initReviewerEntityFieldGitHubAppID, strings.TrimSpace(state.seed.ReviewerGitHubAppID))
 		model.selectFieldValue(initReviewerEntityFieldCredentialStore, initCredentialStoreDraftValue(state.seed.ReviewerCredentialStore))
 		model.setFieldValue(initReviewerEntityFieldSecretLocation, reviewerSecretLocation)
 		if locationIndex := model.document.fieldIndexByID(initReviewerEntityFieldSecretLocation); locationIndex >= 0 {
@@ -823,6 +880,20 @@ func initReviewerEntitySyncLinearFields(model *initLinearEditorModel, ctx initPr
 	}
 }
 
+func reviewerEntityGitHubAppIDFromDocument(kind initReviewerEntityKind, document initLinearDocument) (string, error) {
+	if kind != initReviewerEntityKindGitHubApp {
+		return "", nil
+	}
+	appID := strings.TrimSpace(document.fieldValue(initReviewerEntityFieldGitHubAppID))
+	if appID == "" {
+		return "", fmt.Errorf("GitHub App ID is required")
+	}
+	if err := validateOptionalDecimalID("GitHub App ID")(appID); err != nil {
+		return "", err
+	}
+	return appID, nil
+}
+
 func initReviewerEntityRefreshCredentialStatus(model *initLinearEditorModel, ctx initPromptContext, seed initDraft, state reviewerEntityEditorState) {
 	if status, ok := reviewerCredentialStatusForDocument(ctx, seed, state, model.document); ok {
 		model.setFieldDescription(initReviewerEntityFieldCredentialStatus, initReviewerCredentialStatusDescription(status))
@@ -851,14 +922,14 @@ func reviewerEntityEditorStateForSelection(ctx initPromptContext, seed initDraft
 	if entity, ok := ctx.ReviewerEntities[selection]; ok {
 		candidate := seed
 		applyReviewerEntityInventorySelection(&candidate, selection, ctx.ReviewerEntities)
-		return newReviewerEntityEditorState(entity, candidate, true)
+		return newReviewerEntityEditorState(entity, candidate, true, ctx.StandaloneReviewerEntityMode)
 	}
 	if _, restore := initReviewerEntityRestoreSelectionName(selection); restore {
-		return newReviewerEntityEditorState(initReviewerEntityDraft{Kind: initReviewerEntityKindUseGitIdentity}, seed, false)
+		return newReviewerEntityEditorState(initReviewerEntityDraft{Kind: initReviewerEntityKindUseGitIdentity}, seed, false, ctx.StandaloneReviewerEntityMode)
 	}
 	candidate := seed
 	applyReviewerEntityInventorySelection(&candidate, selection, ctx.ReviewerEntities)
-	return newReviewerEntityEditorState(initReviewerEntityDraft{Kind: initReviewerEntityKind(selection)}, candidate, false)
+	return newReviewerEntityEditorState(initReviewerEntityDraft{Kind: initReviewerEntityKind(selection)}, candidate, false, ctx.StandaloneReviewerEntityMode)
 }
 
 func reviewerEntityKindDetailDescription(kind initReviewerEntityKind) string {
@@ -866,18 +937,32 @@ func reviewerEntityKindDetailDescription(kind initReviewerEntityKind) string {
 	if kind != initReviewerEntityKindGitHubApp {
 		return label
 	}
-	return label + ". Required credential keys: " + credentials.GitHubAppIDKey + ", " + credentials.GitHubAppPrivateKeyKey + ". Optional credential key: " + credentials.GitHubAppInstallationIDKey + "."
+	return label + ". GitHub App ID is saved in config.yml; required credential key: " + credentials.GitHubAppPrivateKeyKey + "."
+}
+
+func reviewerEntitySecretLocationTitle(kind initReviewerEntityKind) string {
+	if kind == initReviewerEntityKindGitHubApp {
+		return "Reviewer private-key location"
+	}
+	return "Reviewer secret location"
+}
+
+func reviewerEntityCredentialStatusTitle(kind initReviewerEntityKind) string {
+	if kind == initReviewerEntityKindGitHubApp {
+		return "Reviewer private-key status"
+	}
+	return "Reviewer credential status"
 }
 
 func reviewerEntitySecretLocationDescription(kind initReviewerEntityKind) string {
-	base := "Credential name for this reviewer. This is where cr stores secret values in the selected credential store; it is not a PAT, GitHub App ID, private key, or installation ID. Change it only if you need a custom credential-store location."
 	if kind == initReviewerEntityKindPAT {
+		base := "Credential name for this reviewer. This is where cr stores the PAT in the selected credential store. Change it only if you need a custom credential-store location."
 		return base + " Store required secret " + credentials.GitTokenKey + " at this name."
 	}
 	if kind == initReviewerEntityKindGitHubApp {
-		return base + " Store required secrets " + credentials.GitHubAppIDKey + " and " + credentials.GitHubAppPrivateKeyKey + " at this name; " + credentials.GitHubAppInstallationIDKey + " is optional."
+		return "Credential name for this reviewer's GitHub App private key. Change it only if you need a custom credential-store location. Store required secret " + credentials.GitHubAppPrivateKeyKey + " at this name."
 	}
-	return base
+	return "Credential name for this reviewer. Change it only if you need a custom credential-store location."
 }
 
 func initReviewerEntityDraftFromDocument(ctx initPromptContext, seed initDraft, document initLinearDocument) (initDraft, error) {
@@ -900,6 +985,11 @@ func initReviewerEntityDraftFromDocument(ctx initPromptContext, seed initDraft,
 		return initDraft{}, err
 	}
 	editDraft.ReviewerCredentialStore = initCredentialStoreDraftValue(document.selectedValue(initReviewerEntityFieldCredentialStore))
+	appID, err := reviewerEntityGitHubAppIDFromDocument(state.kind, document)
+	if err != nil {
+		return initDraft{}, err
+	}
+	editDraft.ReviewerGitHubAppID = appID
 	if err := validateReviewerEntityInlineCredentials(ctx, seed, state, document); err != nil {
 		return initDraft{}, err
 	}
diff --git a/internal/cmd/mecmd/mecmd.go b/internal/cmd/mecmd/mecmd.go
index b75dc33d..c9f8208e 100644
--- a/internal/cmd/mecmd/mecmd.go
+++ b/internal/cmd/mecmd/mecmd.go
@@ -231,7 +231,11 @@ func (r *githubResolver) ResolveIdentity(ctx context.Context, profileName string
 		return gitprovider.Identity{}, err
 	}
 	defer store.Close()
-	client, credential, err := newClient(git, store, r.options)
+	options := r.options
+	if installationID := config.PinnedGitHubAppInstallationIDForGit(r.cfg.Profiles[profileName], git); installationID != "" {
+		options.InstallationID = installationID
+	}
+	client, credential, err := newClient(git, store, options)
 	if err != nil {
 		return gitprovider.Identity{}, err
 	}
diff --git a/internal/cmd/mecmd/mecmd_test.go b/internal/cmd/mecmd/mecmd_test.go
index c9e65088..c6472329 100644
--- a/internal/cmd/mecmd/mecmd_test.go
+++ b/internal/cmd/mecmd/mecmd_test.go
@@ -167,9 +167,7 @@ func TestMeReviewerGitHubAppAuthJSONUsesReviewerCredentialFlow(t *testing.T) {
 	defer store.Close()
 	privateKey := testPrivateKeyPEM(t)
 	if _, err := store.SetBundle("work-reviewer", map[string]string{
-		credentials.GitHubAppIDKey:             "12345",
-		credentials.GitHubAppPrivateKeyKey:     privateKey,
-		credentials.GitHubAppInstallationIDKey: "42",
+		credentials.GitHubAppPrivateKeyKey: privateKey,
 	}, credstore.WithOverwrite()); err != nil {
 		t.Fatalf("SetBundle reviewer: %v", err)
 	}
@@ -181,6 +179,14 @@ func TestMeReviewerGitHubAppAuthJSONUsesReviewerCredentialFlow(t *testing.T) {
 	cfg = withCredentialStore(cfg, testFileCredentialStoreID)
 	work := cfg.Profiles["work"]
 	work.ReviewerCredentials.AuthMode = config.GitAuthModeGitHubApp
+	work.ReviewerCredentials.GitHubApp = &config.GitHubAppConfig{AppID: "12345"}
+	cfg.Profiles["work"] = work
+	cfg = config.Normalize(cfg)
+	work = cfg.Profiles["work"]
+	work.Reviewer.GitHubAppInstallation = &config.ProfileReviewerGitHubAppInstallation{
+		Mode:           config.ProfileReviewerGitHubAppInstallationPinned,
+		InstallationID: "42",
+	}
 	cfg.Profiles["work"] = work
 	path := saveTestConfig(t, cfg)
 
@@ -461,7 +467,6 @@ func TestMeGitHubAppRequiresInstallationIDWithoutRepositoryContext(t *testing.T)
 	defer store.Close()
 	privateKey := testPrivateKeyPEM(t)
 	if _, err := store.SetBundle("home", map[string]string{
-		credentials.GitHubAppIDKey:         "12345",
 		credentials.GitHubAppPrivateKeyKey: privateKey,
 	}, credstore.WithOverwrite()); err != nil {
 		t.Fatalf("SetBundle home: %v", err)
@@ -469,6 +474,7 @@ func TestMeGitHubAppRequiresInstallationIDWithoutRepositoryContext(t *testing.T)
 	cfg := fileBackendConfig(t)
 	home := cfg.Profiles["home"]
 	home.Git.AuthMode = config.GitAuthModeGitHubApp
+	home.Git.GitHubApp = &config.GitHubAppConfig{AppID: "12345"}
 	cfg.Profiles["home"] = home
 	path := saveTestConfig(t, cfg)
 	var out bytes.Buffer
@@ -484,8 +490,8 @@ func TestMeGitHubAppRequiresInstallationIDWithoutRepositoryContext(t *testing.T)
 	if !errors.Is(err, gitprovider.ErrAuth) {
 		t.Fatalf("Execute error = %v, want ErrAuth", err)
 	}
-	if !strings.Contains(err.Error(), credentials.GitHubAppInstallationIDKey) {
-		t.Fatalf("Execute error = %v, want missing installation id detail", err)
+	if !strings.Contains(err.Error(), "installation discovery requires repository context") {
+		t.Fatalf("Execute error = %v, want missing repository context detail", err)
 	}
 	if strings.Contains(err.Error()+out.String(), privateKey) {
 		t.Fatalf("output leaked private key: err=%v out=%q", err, out.String())
@@ -498,15 +504,14 @@ func TestMeGitHubAppGitAuthJSONWithoutReviewerCredentials(t *testing.T) {
 	defer store.Close()
 	privateKey := testPrivateKeyPEM(t)
 	if _, err := store.SetBundle("home", map[string]string{
-		credentials.GitHubAppIDKey:             "12345",
-		credentials.GitHubAppPrivateKeyKey:     privateKey,
-		credentials.GitHubAppInstallationIDKey: "42",
+		credentials.GitHubAppPrivateKeyKey: privateKey,
 	}, credstore.WithOverwrite()); err != nil {
 		t.Fatalf("SetBundle home: %v", err)
 	}
 	cfg := fileBackendConfig(t)
 	home := cfg.Profiles["home"]
 	home.Git.AuthMode = config.GitAuthModeGitHubApp
+	home.Git.GitHubApp = &config.GitHubAppConfig{AppID: "12345"}
 	home.ReviewerCredentials = nil
 	cfg.Profiles["home"] = home
 	path := saveTestConfig(t, cfg)
@@ -535,8 +540,9 @@ func TestMeGitHubAppGitAuthJSONWithoutReviewerCredentials(t *testing.T) {
 		return &githubResolver{
 			cfg: cfg,
 			options: githubprovider.Options{
-				BaseURL:    server.URL,
-				GraphQLURL: server.URL + "/graphql",
+				BaseURL:        server.URL,
+				GraphQLURL:     server.URL + "/graphql",
+				InstallationID: "42",
 			},
 		}, nil, nil
 	})
@@ -567,6 +573,11 @@ func TestMeReservedAuthModeExitCode(t *testing.T) {
     test-memory:
       backend:
         kind: memory
+llm_runtimes:
+  claude-cli:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
 profiles:
   home:
     git:
@@ -575,10 +586,9 @@ profiles:
       credential:
         store: test-memory
         name: codereview/home
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: git_identity
+    llm_runtime: claude-cli
 `)
 	factoryOpened := false
 	cmd, _ := newTestCommandWithFactory(path, func(*cobra.Command, *root.Options, config.File) (identity.Resolver, func(), error) {
@@ -604,6 +614,20 @@ func TestMeReviewerGitHubAppAuthModeUsesResolver(t *testing.T) {
     test-memory:
       backend:
         kind: memory
+llm_runtimes:
+  claude-cli:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
+reviewer_entities:
+  work-reviewer:
+    host: github.com
+    auth_mode: github_app
+    github_app:
+      app_id: "12345"
+    credential:
+      store: test-memory
+      name: codereview/work-reviewer
 profiles:
   work:
     git:
@@ -612,15 +636,12 @@ profiles:
       credential:
         store: test-memory
         name: codereview/work
-    reviewer_credentials:
-      auth_mode: github_app
-      credential:
-        store: test-memory
-        name: codereview/work-reviewer
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: entity
+      entity: work-reviewer
+      github_app_installation:
+        mode: discover_from_repository
+    llm_runtime: claude-cli
 `)
 	resolver := &fakeResolver{
 		identities: map[string]gitprovider.Identity{"codereview/work-reviewer": {Login: "cr-reviewer[bot]", ID: "12345"}},
@@ -647,6 +668,18 @@ func TestMeAllReservedAuthModeDoesNotOpenResolverFactory(t *testing.T) {
     test-memory:
       backend:
         kind: memory
+llm_runtimes:
+  claude-cli:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
+reviewer_entities:
+  work-reviewer:
+    host: github.com
+    auth_mode: oauth_device
+    credential:
+      store: test-memory
+      name: codereview/work-reviewer
 profiles:
   home:
     git:
@@ -655,10 +688,9 @@ profiles:
       credential:
         store: test-memory
         name: codereview/home
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: git_identity
+    llm_runtime: claude-cli
   work:
     git:
       host: github.com
@@ -666,15 +698,10 @@ profiles:
       credential:
         store: test-memory
         name: codereview/work
-    reviewer_credentials:
-      auth_mode: oauth_device
-      credential:
-        store: test-memory
-        name: codereview/work-reviewer
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: entity
+      entity: work-reviewer
+    llm_runtime: claude-cli
 `)
 	factoryOpened := false
 	cmd, _ := newTestCommandWithFactory(path, func(*cobra.Command, *root.Options, config.File) (identity.Resolver, func(), error) {
@@ -697,6 +724,18 @@ func TestMeAllReservedGitAuthModeWithReviewerDoesNotOpenResolverFactory(t *testi
     test-memory:
       backend:
         kind: memory
+llm_runtimes:
+  claude-cli:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
+reviewer_entities:
+  work-reviewer:
+    host: github.com
+    auth_mode: pat
+    credential:
+      store: test-memory
+      name: codereview/work-reviewer
 profiles:
   home:
     git:
@@ -705,10 +744,9 @@ profiles:
       credential:
         store: test-memory
         name: codereview/home
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: git_identity
+    llm_runtime: claude-cli
   work:
     git:
       host: github.com
@@ -716,15 +754,10 @@ profiles:
       credential:
         store: test-memory
         name: codereview/work
-    reviewer_credentials:
-      auth_mode: pat
-      credential:
-        store: test-memory
-        name: codereview/work-reviewer
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: entity
+      entity: work-reviewer
+    llm_runtime: claude-cli
 `)
 	factoryOpened := false
 	cmd, _ := newTestCommandWithFactory(path, func(*cobra.Command, *root.Options, config.File) (identity.Resolver, func(), error) {
diff --git a/internal/cmd/noleak/noleak_test.go b/internal/cmd/noleak/noleak_test.go
index 6db5de8e..f938fc01 100644
--- a/internal/cmd/noleak/noleak_test.go
+++ b/internal/cmd/noleak/noleak_test.go
@@ -102,7 +102,8 @@ func TestCommandSurfacesDoNotLeakSeededSecrets(t *testing.T) {
 			args: func(*auditHarness) []string {
 				return []string{"set-credential", "--store", auditCredentialStoreID, "--name", "codereview/default-reviewer-app", "--key", credentials.GitHubAppInstallationIDKey, "--from-env", "CR_NOLEAK_APP_INSTALLATION_ID", "--overwrite"}
 			},
-			env: secretEnv,
+			env:     secretEnv,
+			wantErr: true,
 		},
 		{
 			name:    "set credential duplicate failure",
@@ -366,7 +367,6 @@ func newAuditHarness(t *testing.T) *auditHarness {
 		h.reviewerSecret,
 		h.llmSecret,
 		h.keyringSecret,
-		h.githubAppIDSecret,
 		h.githubAppPrivateKey,
 		h.githubAppInstallationIDSecret,
 		h.githubAppInstallationToken,
@@ -490,6 +490,7 @@ func (h *auditHarness) githubAppReviewerConfig() config.File {
 	profile := cfg.Profiles["default"]
 	profile.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: h.githubAppIDSecret},
 		Credential:    config.CredentialLocation{Store: auditCredentialStoreID, Name: "codereview/default-reviewer-app"},
 		CredentialRef: "codereview/default-reviewer-app",
 	}
@@ -501,6 +502,7 @@ func (h *auditHarness) githubAppGitConfig() config.File {
 	cfg := h.config()
 	profile := cfg.Profiles["default"]
 	profile.Git.AuthMode = config.GitAuthModeGitHubApp
+	profile.Git.GitHubApp = &config.GitHubAppConfig{AppID: h.githubAppIDSecret}
 	profile.Git.Credential = config.CredentialLocation{Store: auditCredentialStoreID, Name: "codereview/default-app"}
 	profile.Git.CredentialRef = "codereview/default-app"
 	profile.ReviewerCredentials = nil
@@ -541,9 +543,7 @@ func (h *auditHarness) seedGitHubAppConfigShowCredentials(t *testing.T) {
 	cfg := h.githubAppReviewerConfig()
 	h.seedCredentialWrites(t, cfg, []credentialSeed{
 		{ref: "codereview/default", key: credentials.GitTokenKey, secret: h.gitSecret},
-		{ref: "codereview/default-reviewer-app", key: credentials.GitHubAppIDKey, secret: h.githubAppIDSecret},
 		{ref: "codereview/default-reviewer-app", key: credentials.GitHubAppPrivateKeyKey, secret: h.githubAppPrivateKey},
-		{ref: "codereview/default-reviewer-app", key: credentials.GitHubAppInstallationIDKey, secret: h.githubAppInstallationIDSecret},
 		{ref: "codereview/default-llm", key: credentials.AnthropicAPIKeyKey, secret: h.llmSecret},
 	})
 }
@@ -552,9 +552,7 @@ func (h *auditHarness) seedGitHubAppGitCredentials(t *testing.T) {
 	t.Helper()
 	cfg := h.githubAppGitConfig()
 	h.seedCredentialWrites(t, cfg, []credentialSeed{
-		{ref: "codereview/default-app", key: credentials.GitHubAppIDKey, secret: h.githubAppIDSecret},
 		{ref: "codereview/default-app", key: credentials.GitHubAppPrivateKeyKey, secret: h.githubAppPrivateKey},
-		{ref: "codereview/default-app", key: credentials.GitHubAppInstallationIDKey, secret: h.githubAppInstallationIDSecret},
 		{ref: "codereview/default-llm", key: credentials.AnthropicAPIKeyKey, secret: h.llmSecret},
 	})
 }
@@ -563,7 +561,6 @@ func (h *auditHarness) seedGitHubAppGitLookupCredentials(t *testing.T) {
 	t.Helper()
 	cfg := h.githubAppGitConfig()
 	h.seedCredentialWrites(t, cfg, []credentialSeed{
-		{ref: "codereview/default-app", key: credentials.GitHubAppIDKey, secret: h.githubAppIDSecret},
 		{ref: "codereview/default-app", key: credentials.GitHubAppPrivateKeyKey, secret: h.githubAppPrivateKey},
 		{ref: "codereview/default-llm", key: credentials.AnthropicAPIKeyKey, secret: h.llmSecret},
 	})
@@ -574,7 +571,6 @@ func (h *auditHarness) seedGitHubAppReviewerCredentials(t *testing.T) {
 	cfg := h.githubAppReviewerConfig()
 	h.seedCredentialWrites(t, cfg, []credentialSeed{
 		{ref: "codereview/default", key: credentials.GitTokenKey, secret: h.gitSecret},
-		{ref: "codereview/default-reviewer-app", key: credentials.GitHubAppIDKey, secret: h.githubAppIDSecret},
 		{ref: "codereview/default-reviewer-app", key: credentials.GitHubAppPrivateKeyKey, secret: h.githubAppPrivateKey},
 		{ref: "codereview/default-llm", key: credentials.AnthropicAPIKeyKey, secret: h.llmSecret},
 	})
@@ -694,11 +690,15 @@ func (h *auditHarness) openCredentialStore() (*credstore.Store, error) {
 }
 
 func (h *auditHarness) newGitHubProvider(git config.GitConfig, store githubprovider.TokenStore, lookup *githubprovider.InstallationLookup) (*githubprovider.Client, gitprovider.Credential, error) {
-	return githubprovider.NewFromGitConfig(git, store, githubprovider.Options{
+	opts := githubprovider.Options{
 		BaseURL:            h.githubURL,
 		GraphQLURL:         h.graphQLURL,
 		InstallationLookup: lookup,
-	})
+	}
+	if lookup == nil {
+		opts.InstallationID = h.githubAppInstallationIDSecret
+	}
+	return githubprovider.NewFromGitConfig(git, store, opts)
 }
 
 func gitConfigForReviewerAuth(profile config.Profile) config.GitConfig {
@@ -708,6 +708,7 @@ func gitConfigForReviewerAuth(profile config.Profile) config.GitConfig {
 	return config.GitConfig{
 		Host:          profile.Git.Host,
 		AuthMode:      profile.ReviewerCredentials.AuthMode,
+		GitHubApp:     profile.ReviewerCredentials.GitHubApp,
 		Credential:    profile.ReviewerCredentials.Credential,
 		CredentialRef: profile.ReviewerCredentials.CredentialRef,
 		IdentityCache: profile.ReviewerCredentials.IdentityCache,
diff --git a/internal/cmd/reviewcmd/reviewcmd.go b/internal/cmd/reviewcmd/reviewcmd.go
index 1620f12e..9e68eb3c 100644
--- a/internal/cmd/reviewcmd/reviewcmd.go
+++ b/internal/cmd/reviewcmd/reviewcmd.go
@@ -691,7 +691,7 @@ func newRuntime(cmd *cobra.Command, opts *root.Options, cfg config.File, profile
 		cleanup()
 		return Runtime{}, mapRunError(err)
 	}
-	provider, credential, err := newGitProvider(providerGit, providerStore, gitProviderOptions(runtimeOpts.PRRef))
+	provider, credential, err := newGitProvider(providerGit, providerStore, gitProviderOptions(profile, providerGit, runtimeOpts.PRRef))
 	if err != nil {
 		cleanup()
 		return Runtime{}, mapRunError(err)
@@ -747,10 +747,16 @@ func gitConfigForReviewerAuth(profile config.Profile) config.GitConfig {
 	if profile.ReviewerCredentials == nil {
 		return profile.Git
 	}
+	var githubApp *config.GitHubAppConfig
+	if profile.ReviewerCredentials.GitHubApp != nil {
+		app := *profile.ReviewerCredentials.GitHubApp
+		githubApp = &app
+	}
 	return config.GitConfig{
 		Host:          profile.Git.Host,
 		AuthMode:      profile.ReviewerCredentials.AuthMode,
 		Credential:    profile.ReviewerCredentials.Credential,
+		GitHubApp:     githubApp,
 		CredentialRef: profile.ReviewerCredentials.CredentialRef,
 		IdentityCache: profile.ReviewerCredentials.IdentityCache,
 	}
@@ -801,14 +807,19 @@ func normalizeRuntimeProfile(profile config.Profile) config.Profile {
 	}).Profiles["runtime"]
 }
 
-func gitProviderOptions(ref gitprovider.PRRef) githubprovider.Options {
-	if strings.TrimSpace(ref.Owner) == "" || strings.TrimSpace(ref.Repo) == "" {
-		return githubprovider.Options{}
+func gitProviderOptions(profile config.Profile, git config.GitConfig, ref gitprovider.PRRef) githubprovider.Options {
+	opts := githubprovider.Options{}
+	if installationID := config.PinnedGitHubAppInstallationIDForGit(profile, git); installationID != "" {
+		opts.InstallationID = installationID
+		return opts
+	}
+	if strings.TrimSpace(ref.Owner) != "" && strings.TrimSpace(ref.Repo) != "" {
+		opts.InstallationLookup = &githubprovider.InstallationLookup{
+			Owner: ref.Owner,
+			Repo:  ref.Repo,
+		}
 	}
-	return githubprovider.Options{InstallationLookup: &githubprovider.InstallationLookup{
-		Owner: ref.Owner,
-		Repo:  ref.Repo,
-	}}
+	return opts
 }
 
 func runtimeLayout() (statepaths.Layout, error) {
diff --git a/internal/cmd/reviewcmd/reviewcmd_test.go b/internal/cmd/reviewcmd/reviewcmd_test.go
index 27cba18d..2118b701 100644
--- a/internal/cmd/reviewcmd/reviewcmd_test.go
+++ b/internal/cmd/reviewcmd/reviewcmd_test.go
@@ -466,9 +466,11 @@ func TestNewRuntimePassesPRRefForGitHubAppInstallationLookup(t *testing.T) {
 	prRef := gitprovider.PRRef{Host: "github.com", Owner: "open-cli", Repo: "codereview-cli", Number: 76}
 
 	var gotLookup *githubprovider.InstallationLookup
+	var gotInstallationID string
 	withReviewRuntimeSeams(t,
 		func(_ config.GitConfig, _ githubprovider.TokenStore, opts githubprovider.Options) (gitprovider.GitProvider, gitprovider.Credential, error) {
 			gotLookup = opts.InstallationLookup
+			gotInstallationID = opts.InstallationID
 			return &gitprovider.Fake{}, gitprovider.Credential{Type: "github_app", Token: "installation-token", Login: "cr-reviewer[bot]"}, nil
 		},
 		func(context.Context, gitprovider.GitProvider, gitprovider.Credential, githubprovider.TokenStore, config.Profile) (gitprovider.Identity, error) {
@@ -490,6 +492,69 @@ func TestNewRuntimePassesPRRefForGitHubAppInstallationLookup(t *testing.T) {
 	if gotLookup == nil || gotLookup.Owner != "open-cli" || gotLookup.Repo != "codereview-cli" {
 		t.Fatalf("InstallationLookup = %#v, want PR owner/repo", gotLookup)
 	}
+	if gotInstallationID != "" {
+		t.Fatalf("InstallationID = %q, want empty for repository lookup", gotInstallationID)
+	}
+}
+
+func TestNewRuntimePassesPinnedGitHubAppReviewerInstallationID(t *testing.T) {
+	statedirtest.Hermetic(t)
+	cfg := testConfig()
+	cfg.Keyring.Backend = "memory"
+	cfg.ReviewerEntities = map[string]config.ReviewerEntity{
+		"cr-reviewer": {
+			Host:     "github.com",
+			AuthMode: config.GitAuthModeGitHubApp,
+			Credential: config.CredentialLocation{
+				Store: "test-memory",
+				Name:  "codereview/cr-reviewer",
+			},
+		},
+	}
+	profile := cfg.Profiles["home"]
+	profile.Reviewer = config.ProfileReviewer{
+		Kind:   config.ProfileReviewerKindEntity,
+		Entity: "cr-reviewer",
+		GitHubAppInstallation: &config.ProfileReviewerGitHubAppInstallation{
+			Mode:           config.ProfileReviewerGitHubAppInstallationPinned,
+			InstallationID: "42",
+		},
+	}
+	cfg.Profiles["home"] = profile
+	cfg = config.Normalize(cfg)
+	profile = cfg.Profiles["home"]
+	prRef := gitprovider.PRRef{Host: "github.com", Owner: "open-cli", Repo: "codereview-cli", Number: 76}
+
+	var gotLookup *githubprovider.InstallationLookup
+	var gotInstallationID string
+	withReviewRuntimeSeams(t,
+		func(_ config.GitConfig, _ githubprovider.TokenStore, opts githubprovider.Options) (gitprovider.GitProvider, gitprovider.Credential, error) {
+			gotLookup = opts.InstallationLookup
+			gotInstallationID = opts.InstallationID
+			return &gitprovider.Fake{}, gitprovider.Credential{Type: "github_app", Token: "installation-token", Login: "cr-reviewer[bot]"}, nil
+		},
+		func(context.Context, gitprovider.GitProvider, gitprovider.Credential, githubprovider.TokenStore, config.Profile) (gitprovider.Identity, error) {
+			return gitprovider.Identity{Login: "cr-reviewer[bot]", ID: "12345"}, nil
+		},
+		func(config.LLMConfig, *credstore.Store) (llm.Adapter, error) {
+			return &llm.FakeAdapter{NameValue: "fake-llm"}, nil
+		},
+	)
+	cmd := &cobra.Command{}
+	cmd.SetContext(context.Background())
+	runtime, err := newRuntime(cmd, &root.Options{Stderr: io.Discard}, cfg, profile, RuntimeOptions{PRRef: prRef})
+	if err != nil {
+		t.Fatalf("newRuntime: %v", err)
+	}
+	if runtime.Cleanup != nil {
+		runtime.Cleanup()
+	}
+	if gotInstallationID != "42" {
+		t.Fatalf("InstallationID = %q, want pinned id", gotInstallationID)
+	}
+	if gotLookup != nil {
+		t.Fatalf("InstallationLookup = %#v, want nil when pinned", gotLookup)
+	}
 }
 
 func TestNewRuntimeRejectsBackendOverrideForNamedSecretsProfile(t *testing.T) {
diff --git a/internal/config/config.go b/internal/config/config.go
index 4bc08a5e..549461cb 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -10,6 +10,7 @@ import (
 	"os"
 	"path/filepath"
 	"sort"
+	"strconv"
 	"strings"
 	"time"
 
@@ -43,11 +44,13 @@ var (
 
 // File is the root config.yml schema.
 type File struct {
-	Secrets            SecretsConfig        `yaml:"secrets,omitempty" json:"secrets,omitempty"`
-	LLMRuntimes        map[string]LLMConfig `yaml:"llm_runtimes,omitempty" json:"llm_runtimes,omitempty"`
-	RepositoryProfiles []RepositoryProfile  `yaml:"repository_profiles,omitempty" json:"repository_profiles,omitempty"`
-	Profiles           map[string]Profile   `yaml:"profiles,omitempty" json:"profiles,omitempty"`
-	Data               DataConfig           `yaml:"data,omitempty" json:"data"`
+	Secrets            SecretsConfig                     `yaml:"secrets,omitempty" json:"secrets,omitempty"`
+	RepositoryAccess   map[string]RepositoryAccessConfig `yaml:"repository_access,omitempty" json:"repository_access,omitempty"`
+	LLMRuntimes        map[string]LLMConfig              `yaml:"llm_runtimes,omitempty" json:"llm_runtimes,omitempty"`
+	ReviewerEntities   map[string]ReviewerEntity         `yaml:"reviewer_entities,omitempty" json:"reviewer_entities,omitempty"`
+	RepositoryProfiles []RepositoryProfile               `yaml:"repository_profiles,omitempty" json:"repository_profiles,omitempty"`
+	Profiles           map[string]Profile                `yaml:"profiles,omitempty" json:"profiles,omitempty"`
+	Data               DataConfig                        `yaml:"data,omitempty" json:"data"`
 
 	// Keyring is retained as an ignored in-memory compatibility field while
 	// credential-store runtime selection is rewritten. It is not config schema.
@@ -161,14 +164,60 @@ type EffectiveSecretsProfile = EffectiveSecretsStore
 
 // Profile is one named review profile.
 type Profile struct {
-	Git                 GitConfig            `yaml:"git" json:"git"`
-	ReviewerCredentials *ReviewerCredentials `yaml:"reviewer_credentials,omitempty" json:"reviewer_credentials,omitempty"`
-	LLM                 LLMConfig            `yaml:"llm" json:"llm"`
-	AgentSources        []string             `yaml:"agent_sources,omitempty" json:"agent_sources,omitempty"`
-	ReviewPolicy        ReviewPolicy         `yaml:"review_policy,omitempty" json:"review_policy"`
+	RepositoryAccess string          `yaml:"repository_access,omitempty" json:"repository_access,omitempty"`
+	Git              GitConfig       `yaml:"-" json:"-"`
+	Reviewer         ProfileReviewer `yaml:"reviewer" json:"reviewer"`
+	LLMRuntime       string          `yaml:"llm_runtime" json:"llm_runtime"`
+	AgentSources     []string        `yaml:"agent_sources,omitempty" json:"agent_sources,omitempty"`
+	ReviewPolicy     ReviewPolicy    `yaml:"review_policy,omitempty" json:"review_policy"`
 
 	// SecretsProfile is retained as an ignored in-memory compatibility field.
 	SecretsProfile string `yaml:"-" json:"-"`
+	// ReviewerCredentials is the resolved effective reviewer credential block
+	// derived from ReviewerEntities for runtime callers. It is not config schema.
+	ReviewerCredentials *ReviewerCredentials `yaml:"-" json:"-"`
+	// LLM is the resolved effective runtime derived from LLMRuntime for runtime
+	// callers. It is not config schema.
+	LLM LLMConfig `yaml:"-" json:"-"`
+}
+
+type profileYAML struct {
+	RepositoryAccess string          `yaml:"repository_access,omitempty" json:"repository_access,omitempty"`
+	Git              GitConfig       `yaml:"git,omitempty" json:"git,omitempty"`
+	Reviewer         ProfileReviewer `yaml:"reviewer" json:"reviewer"`
+	LLMRuntime       string          `yaml:"llm_runtime" json:"llm_runtime"`
+	AgentSources     []string        `yaml:"agent_sources,omitempty" json:"agent_sources,omitempty"`
+	ReviewPolicy     ReviewPolicy    `yaml:"review_policy,omitempty" json:"review_policy"`
+}
+
+// UnmarshalYAML accepts the legacy profile git block while the data model moves
+// to profiles selecting reusable repository_access entries.
+func (p *Profile) UnmarshalYAML(value *yaml.Node) error {
+	var raw profileYAML
+	if err := value.Decode(&raw); err != nil {
+		return err
+	}
+	*p = Profile{
+		RepositoryAccess: raw.RepositoryAccess,
+		Git:              raw.Git,
+		Reviewer:         raw.Reviewer,
+		LLMRuntime:       raw.LLMRuntime,
+		AgentSources:     raw.AgentSources,
+		ReviewPolicy:     raw.ReviewPolicy,
+	}
+	return nil
+}
+
+// MarshalYAML writes only the durable profile composition fields. Git is
+// resolved from repository_access at load/runtime boundaries.
+func (p Profile) MarshalYAML() (any, error) {
+	return profileYAML{
+		RepositoryAccess: p.RepositoryAccess,
+		Reviewer:         p.Reviewer,
+		LLMRuntime:       p.LLMRuntime,
+		AgentSources:     p.AgentSources,
+		ReviewPolicy:     p.ReviewPolicy,
+	}, nil
 }
 
 // GitConfig identifies the user's git-host credentials.
@@ -176,16 +225,95 @@ type GitConfig struct {
 	Host          string             `yaml:"host" json:"host"`
 	AuthMode      GitAuthMode        `yaml:"auth_mode" json:"auth_mode"`
 	Credential    CredentialLocation `yaml:"credential" json:"credential"`
+	GitHubApp     *GitHubAppConfig   `yaml:"github_app,omitempty" json:"github_app,omitempty"`
 	IdentityCache string             `yaml:"identity_cache,omitempty" json:"identity_cache,omitempty"`
 
 	// CredentialRef is retained as an ignored in-memory compatibility field.
 	CredentialRef string `yaml:"-" json:"-"`
 }
 
+// GitHubAppConfig stores non-secret GitHub App identifiers.
+type GitHubAppConfig struct {
+	AppID string `yaml:"app_id" json:"app_id"`
+}
+
+// RepositoryAccessConfig is one reusable Git host/user credential definition.
+type RepositoryAccessConfig struct {
+	DisplayName string    `yaml:"display_name,omitempty" json:"display_name,omitempty"`
+	Git         GitConfig `yaml:"git" json:"git"`
+}
+
 // ReviewerCredentials optionally identifies separate posting credentials.
 type ReviewerCredentials struct {
 	AuthMode      GitAuthMode        `yaml:"auth_mode" json:"auth_mode"`
 	Credential    CredentialLocation `yaml:"credential" json:"credential"`
+	GitHubApp     *GitHubAppConfig   `yaml:"github_app,omitempty" json:"github_app,omitempty"`
+	DisplayName   string             `yaml:"display_name,omitempty" json:"display_name,omitempty"`
+	IdentityCache string             `yaml:"identity_cache,omitempty" json:"identity_cache,omitempty"`
+
+	// CredentialRef is retained as an ignored in-memory compatibility field.
+	CredentialRef string `yaml:"-" json:"-"`
+}
+
+// ProfileReviewer selects the identity used to post review comments.
+type ProfileReviewer struct {
+	Kind                  ProfileReviewerKind                   `yaml:"kind" json:"kind"`
+	Entity                string                                `yaml:"entity,omitempty" json:"entity,omitempty"`
+	GitHubAppInstallation *ProfileReviewerGitHubAppInstallation `yaml:"github_app_installation,omitempty" json:"github_app_installation,omitempty"`
+}
+
+// ProfileReviewerKind identifies how a profile chooses its posting identity.
+type ProfileReviewerKind string
+
+// Profile reviewer kinds.
+const (
+	ProfileReviewerKindGitIdentity ProfileReviewerKind = "git_identity"
+	ProfileReviewerKindEntity      ProfileReviewerKind = "entity"
+)
+
+// Valid reports whether k is a known profile reviewer selector.
+func (k ProfileReviewerKind) Valid() bool {
+	switch k {
+	case ProfileReviewerKindGitIdentity, ProfileReviewerKindEntity:
+		return true
+	default:
+		return false
+	}
+}
+
+// ProfileReviewerGitHubAppInstallation selects the GitHub App installation a
+// profile uses when its reviewer entity is a GitHub App.
+type ProfileReviewerGitHubAppInstallation struct {
+	Mode           ProfileReviewerGitHubAppInstallationMode `yaml:"mode" json:"mode"`
+	InstallationID string                                   `yaml:"installation_id,omitempty" json:"installation_id,omitempty"`
+}
+
+// ProfileReviewerGitHubAppInstallationMode identifies how a profile resolves a
+// GitHub App installation.
+type ProfileReviewerGitHubAppInstallationMode string
+
+// GitHub App installation resolution modes.
+const (
+	ProfileReviewerGitHubAppInstallationDiscoverFromRepository ProfileReviewerGitHubAppInstallationMode = "discover_from_repository"
+	ProfileReviewerGitHubAppInstallationPinned                 ProfileReviewerGitHubAppInstallationMode = "pinned"
+)
+
+// Valid reports whether m is a known GitHub App installation resolution mode.
+func (m ProfileReviewerGitHubAppInstallationMode) Valid() bool {
+	switch m {
+	case ProfileReviewerGitHubAppInstallationDiscoverFromRepository, ProfileReviewerGitHubAppInstallationPinned:
+		return true
+	default:
+		return false
+	}
+}
+
+// ReviewerEntity is one reusable configured posting identity.
+type ReviewerEntity struct {
+	Host          string             `yaml:"host" json:"host"`
+	AuthMode      GitAuthMode        `yaml:"auth_mode" json:"auth_mode"`
+	Credential    CredentialLocation `yaml:"credential" json:"credential"`
+	GitHubApp     *GitHubAppConfig   `yaml:"github_app,omitempty" json:"github_app,omitempty"`
 	DisplayName   string             `yaml:"display_name,omitempty" json:"display_name,omitempty"`
 	IdentityCache string             `yaml:"identity_cache,omitempty" json:"identity_cache,omitempty"`
 
@@ -268,7 +396,6 @@ type ReviewPolicy struct {
 	MajorEvent       ReviewMajorEvent     `yaml:"major_event,omitempty" json:"major_event"`
 	AllowSelfApprove bool                 `yaml:"allow_self_approve,omitempty" json:"allow_self_approve"`
 	ResolveThreads   ResolveThreadsPolicy `yaml:"resolve_threads,omitempty" json:"resolve_threads,omitempty"`
-	ResolveAfter     string               `yaml:"resolve_after,omitempty" json:"resolve_after,omitempty"`
 }
 
 // DataConfig carries non-secret durable data policy.
@@ -636,7 +763,9 @@ func Save(path string, cfg File) error {
 func fileHasNoExplicitContent(cfg File) bool {
 	return cfg.Secrets.Stores == nil &&
 		cfg.Secrets.Profiles == nil &&
+		cfg.RepositoryAccess == nil &&
 		cfg.LLMRuntimes == nil &&
+		cfg.ReviewerEntities == nil &&
 		cfg.RepositoryProfiles == nil &&
 		cfg.Profiles == nil &&
 		cfg.Data.Retention.MaxAgeDays == nil &&
@@ -689,6 +818,14 @@ func Validate(cfg File) error {
 	if err := ValidateRetention(cfg.Data.Retention); err != nil {
 		return err
 	}
+	for name, access := range cfg.RepositoryAccess {
+		if strings.TrimSpace(name) == "" {
+			return invalid("repository_access name is required")
+		}
+		if err := validateRepositoryAccess(cfg.Secrets, name, access); err != nil {
+			return err
+		}
+	}
 	for name, runtime := range cfg.LLMRuntimes {
 		if strings.TrimSpace(name) == "" {
 			return invalid("llm_runtimes name is required")
@@ -702,6 +839,14 @@ func Validate(cfg File) error {
 			}
 		}
 	}
+	for name, entity := range cfg.ReviewerEntities {
+		if strings.TrimSpace(name) == "" {
+			return invalid("reviewer_entities name is required")
+		}
+		if err := validateReviewerEntity(cfg.Secrets, name, entity); err != nil {
+			return err
+		}
+	}
 	if len(cfg.Profiles) == 0 {
 		if len(cfg.RepositoryProfiles) > 0 {
 			return invalid("profiles is required")
@@ -712,10 +857,10 @@ func Validate(cfg File) error {
 		if strings.TrimSpace(name) == "" {
 			return invalid("profile name is required")
 		}
-		if err := validateProfile(name, profile); err != nil {
+		if err := validateProfile(cfg, name, profile); err != nil {
 			return err
 		}
-		if err := validateProfileCredentialStoreSelections(cfg.Secrets, name, profile); err != nil {
+		if err := validateProfileCredentialStoreSelections(cfg, name, profile); err != nil {
 			return err
 		}
 	}
@@ -859,7 +1004,7 @@ func ResolveProfileForRepositoryWithSource(cfg File, requestedName string, expli
 // CredentialRefs returns all credential-store refs declared by profile.
 func CredentialRefs(profile Profile) ([]CredentialRef, error) {
 	profile = profile.normalized()
-	if err := validateProfile("profile", profile); err != nil {
+	if err := validateEffectiveProfile("profile", profile); err != nil {
 		return nil, err
 	}
 
@@ -890,6 +1035,29 @@ func CredentialRefs(profile Profile) ([]CredentialRef, error) {
 	return refs, nil
 }
 
+// PinnedGitHubAppInstallationIDForGit returns the profile-level pinned
+// installation id that applies to git when git is the selected GitHub App
+// reviewer entity for profile.
+func PinnedGitHubAppInstallationIDForGit(profile Profile, git GitConfig) string {
+	profile = profile.normalized()
+	git = git.normalized()
+	if git.AuthMode != GitAuthModeGitHubApp || profile.ReviewerCredentials == nil {
+		return ""
+	}
+	if profile.Reviewer.Kind != ProfileReviewerKindEntity || profile.Reviewer.GitHubAppInstallation == nil {
+		return ""
+	}
+	installation := profile.Reviewer.GitHubAppInstallation.normalized()
+	if installation.Mode != ProfileReviewerGitHubAppInstallationPinned {
+		return ""
+	}
+	reviewerCredentials := profile.ReviewerCredentials.normalized()
+	if reviewerCredentials.AuthMode != GitAuthModeGitHubApp || !sameCredentialLocation(reviewerCredentials.Credential, git.Credential) {
+		return ""
+	}
+	return installation.InstallationID
+}
+
 func gitCredentialRef(purpose string, mode GitAuthMode, credential CredentialLocation) (CredentialRef, error) {
 	if !mode.Supported() {
 		return CredentialRef{}, fmt.Errorf("%w: %s auth_mode %q", ErrUnsupported, purpose, mode)
@@ -897,48 +1065,60 @@ func gitCredentialRef(purpose string, mode GitAuthMode, credential CredentialLoc
 	return CredentialRef{Purpose: purpose, Store: credential.Store, Ref: credential.Name, Mode: string(mode)}, nil
 }
 
-func validateProfile(name string, profile Profile) error {
-	if strings.TrimSpace(profile.Git.Host) == "" {
-		return invalid("profiles.%s.git.host is required", name)
-	}
-	if !profile.Git.AuthMode.Valid() {
-		return invalid("profiles.%s.git.auth_mode %q is invalid", name, profile.Git.AuthMode)
+func validateProfile(cfg File, name string, profile Profile) error {
+	if strings.TrimSpace(profile.RepositoryAccess) == "" {
+		return invalid("profiles.%s.repository_access is required", name)
 	}
-	if !profile.Git.AuthMode.Supported() {
-		return fmt.Errorf("%w: profiles.%s.git.auth_mode %q", ErrUnsupported, name, profile.Git.AuthMode)
+	if _, ok := cfg.RepositoryAccess[profile.RepositoryAccess]; !ok {
+		return fmt.Errorf("%w: profiles.%s.repository_access %q", ErrProfileNotFound, name, profile.RepositoryAccess)
 	}
-	if err := validateCredentialLocation(fmt.Sprintf("profiles.%s.git.credential", name), profile.Git.Credential); err != nil {
+	if err := validateGitConfig(fmt.Sprintf("profiles.%s.git", name), profile.Git); err != nil {
 		return err
 	}
-	if profile.ReviewerCredentials != nil {
-		if !profile.ReviewerCredentials.AuthMode.Valid() {
-			return invalid("profiles.%s.reviewer_credentials.auth_mode %q is invalid", name, profile.ReviewerCredentials.AuthMode)
+	if !profile.Reviewer.Kind.Valid() {
+		return invalid("profiles.%s.reviewer.kind %q is invalid", name, profile.Reviewer.Kind)
+	}
+	var reviewerEntity *ReviewerEntity
+	switch profile.Reviewer.Kind {
+	case ProfileReviewerKindGitIdentity:
+		if strings.TrimSpace(profile.Reviewer.Entity) != "" {
+			return invalid("profiles.%s.reviewer.entity must be empty for git_identity reviewer", name)
 		}
-		if !profile.ReviewerCredentials.AuthMode.Supported() {
-			return fmt.Errorf("%w: profiles.%s.reviewer_credentials.auth_mode %q", ErrUnsupported, name, profile.ReviewerCredentials.AuthMode)
+		if profile.Reviewer.GitHubAppInstallation != nil {
+			return invalid("profiles.%s.reviewer.github_app_installation must be empty for git_identity reviewer", name)
 		}
-		if err := validateCredentialLocation(fmt.Sprintf("profiles.%s.reviewer_credentials.credential", name), profile.ReviewerCredentials.Credential); err != nil {
-			return err
+	case ProfileReviewerKindEntity:
+		if strings.TrimSpace(profile.Reviewer.Entity) == "" {
+			return invalid("profiles.%s.reviewer.entity is required", name)
+		}
+		entity, ok := cfg.ReviewerEntities[profile.Reviewer.Entity]
+		if !ok {
+			return fmt.Errorf("%w: profiles.%s.reviewer.entity %q", ErrProfileNotFound, name, profile.Reviewer.Entity)
 		}
-		if sameCredentialLocation(profile.ReviewerCredentials.Credential, profile.Git.Credential) {
-			return invalid("profiles.%s.reviewer_credentials.credential must differ from git.credential when store and name match", name)
+		reviewerEntity = &entity
+		if normalizeConfigHost(entity.Host) != normalizeConfigHost(profile.Git.Host) {
+			return invalid("profiles.%s.reviewer.entity %q host %q must match git.host %q", name, profile.Reviewer.Entity, entity.Host, profile.Git.Host)
 		}
-		if err := validateOptionalSingleLine(fmt.Sprintf("profiles.%s.reviewer_credentials.display_name", name), profile.ReviewerCredentials.DisplayName); err != nil {
+		if sameCredentialLocation(entity.Credential, profile.Git.Credential) {
+			return invalid("profiles.%s.reviewer.entity %q credential must differ from git.credential when store and name match", name, profile.Reviewer.Entity)
+		}
+		if err := validateProfileReviewerInstallation(name, profile.Reviewer, entity); err != nil {
 			return err
 		}
 	}
-	if err := validateLLMConfig(fmt.Sprintf("profiles.%s.llm", name), profile.LLM); err != nil {
-		return err
+	if strings.TrimSpace(profile.LLMRuntime) == "" {
+		return invalid("profiles.%s.llm_runtime is required", name)
 	}
-	if profile.LLM.Auth == LLMAuthAPIKey {
-		if err := validateCredentialLocation(fmt.Sprintf("profiles.%s.llm.credential", name), profile.LLM.Credential); err != nil {
-			return err
-		}
-		if sameCredentialLocation(profile.LLM.Credential, profile.Git.Credential) {
-			return invalid("profiles.%s.llm.credential must differ from git.credential when store and name match", name)
+	runtime, ok := cfg.LLMRuntimes[profile.LLMRuntime]
+	if !ok {
+		return fmt.Errorf("%w: profiles.%s.llm_runtime %q", ErrProfileNotFound, name, profile.LLMRuntime)
+	}
+	if runtime.Auth == LLMAuthAPIKey {
+		if sameCredentialLocation(runtime.Credential, profile.Git.Credential) {
+			return invalid("profiles.%s.llm_runtime %q credential must differ from git.credential when store and name match", name, profile.LLMRuntime)
 		}
-		if profile.ReviewerCredentials != nil && sameCredentialLocation(profile.LLM.Credential, profile.ReviewerCredentials.Credential) {
-			return invalid("profiles.%s.llm.credential must differ from reviewer_credentials.credential when store and name match", name)
+		if reviewerEntity != nil && sameCredentialLocation(runtime.Credential, reviewerEntity.Credential) {
+			return invalid("profiles.%s.llm_runtime %q credential must differ from reviewer entity credential when store and name match", name, profile.LLMRuntime)
 		}
 	}
 	for index, source := range profile.AgentSources {
@@ -949,17 +1129,67 @@ func validateProfile(name string, profile Profile) error {
 	if !profile.ReviewPolicy.MajorEvent.Valid() {
 		return invalid("profiles.%s.review_policy.major_event %q is invalid", name, profile.ReviewPolicy.MajorEvent)
 	}
-	if profile.ReviewPolicy.ResolveThreads != "" && !profile.ReviewPolicy.ResolveThreads.Valid() {
+	if !profile.ReviewPolicy.ResolveThreads.Valid() {
 		return invalid("profiles.%s.review_policy.resolve_threads %q is invalid", name, profile.ReviewPolicy.ResolveThreads)
 	}
-	if profile.ReviewPolicy.ResolveAfter != "" {
-		if _, err := time.ParseDuration(profile.ReviewPolicy.ResolveAfter); err != nil {
-			return invalid("profiles.%s.review_policy.resolve_after %q is invalid: %v", name, profile.ReviewPolicy.ResolveAfter, err)
+	return nil
+}
+
+func validateProfileReviewerInstallation(profileName string, reviewer ProfileReviewer, entity ReviewerEntity) error {
+	path := fmt.Sprintf("profiles.%s.reviewer.github_app_installation", profileName)
+	if entity.AuthMode != GitAuthModeGitHubApp {
+		if reviewer.GitHubAppInstallation != nil {
+			return invalid("%s must be empty unless reviewer.entity uses github_app auth", path)
+		}
+		return nil
+	}
+	if reviewer.GitHubAppInstallation == nil {
+		return invalid("%s.mode is required for github_app reviewer entities", path)
+	}
+	installation := reviewer.GitHubAppInstallation.normalized()
+	if !installation.Mode.Valid() {
+		return invalid("%s.mode %q is invalid", path, installation.Mode)
+	}
+	switch installation.Mode {
+	case ProfileReviewerGitHubAppInstallationDiscoverFromRepository:
+		if strings.TrimSpace(installation.InstallationID) != "" {
+			return invalid("%s.installation_id must be empty when mode is discover_from_repository", path)
+		}
+	case ProfileReviewerGitHubAppInstallationPinned:
+		if strings.TrimSpace(installation.InstallationID) == "" {
+			return invalid("%s.installation_id is required when mode is pinned", path)
+		}
+		if _, err := strconv.ParseInt(installation.InstallationID, 10, 64); err != nil {
+			return invalid("%s.installation_id %q must be a decimal GitHub App installation ID", path, installation.InstallationID)
 		}
 	}
 	return nil
 }
 
+func validateEffectiveProfile(name string, profile Profile) error {
+	if err := validateGitConfig(name+".git", profile.Git); err != nil {
+		return err
+	}
+	if profile.ReviewerCredentials != nil {
+		if !profile.ReviewerCredentials.AuthMode.Valid() {
+			return invalid("%s.reviewer_credentials.auth_mode %q is invalid", name, profile.ReviewerCredentials.AuthMode)
+		}
+		if !profile.ReviewerCredentials.AuthMode.Supported() {
+			return fmt.Errorf("%w: %s.reviewer_credentials.auth_mode %q", ErrUnsupported, name, profile.ReviewerCredentials.AuthMode)
+		}
+		if err := validateCredentialLocation(name+".reviewer_credentials.credential", profile.ReviewerCredentials.Credential); err != nil {
+			return err
+		}
+		if err := validateGitHubAppConfig(name+".reviewer_credentials.github_app", profile.ReviewerCredentials.AuthMode, profile.ReviewerCredentials.GitHubApp); err != nil {
+			return err
+		}
+	}
+	if err := validateLLMConfig(name+".llm", profile.LLM); err != nil {
+		return err
+	}
+	return nil
+}
+
 func validateLLMConfig(field string, llm LLMConfig) error {
 	if !llm.Provider.Valid() {
 		return invalid("%s.provider %q is invalid", field, llm.Provider)
@@ -1011,9 +1241,85 @@ func validateLLMConfig(field string, llm LLMConfig) error {
 	return nil
 }
 
-func validateProfileCredentialStoreSelections(secrets SecretsConfig, name string, profile Profile) error {
-	for _, credential := range profileCredentialLocations(profile) {
-		if err := validateCredentialStoreSelection(secrets, fmt.Sprintf("profiles.%s.%s.credential.store", name, credential.path), credential.location.Store); err != nil {
+func validateReviewerEntity(secrets SecretsConfig, name string, entity ReviewerEntity) error {
+	if strings.TrimSpace(entity.Host) == "" {
+		return invalid("reviewer_entities.%s.host is required", name)
+	}
+	if !entity.AuthMode.Valid() {
+		return invalid("reviewer_entities.%s.auth_mode %q is invalid", name, entity.AuthMode)
+	}
+	if !entity.AuthMode.Supported() {
+		return fmt.Errorf("%w: reviewer_entities.%s.auth_mode %q", ErrUnsupported, name, entity.AuthMode)
+	}
+	if err := validateCredentialLocation(fmt.Sprintf("reviewer_entities.%s.credential", name), entity.Credential); err != nil {
+		return err
+	}
+	if err := validateCredentialStoreSelection(secrets, fmt.Sprintf("reviewer_entities.%s.credential.store", name), entity.Credential.Store); err != nil {
+		return err
+	}
+	if err := validateGitHubAppConfig(fmt.Sprintf("reviewer_entities.%s.github_app", name), entity.AuthMode, entity.GitHubApp); err != nil {
+		return err
+	}
+	if err := validateOptionalSingleLine(fmt.Sprintf("reviewer_entities.%s.display_name", name), entity.DisplayName); err != nil {
+		return err
+	}
+	return nil
+}
+
+func validateRepositoryAccess(secrets SecretsConfig, name string, access RepositoryAccessConfig) error {
+	if err := validateOptionalSingleLine(fmt.Sprintf("repository_access.%s.display_name", name), access.DisplayName); err != nil {
+		return err
+	}
+	if err := validateGitConfig(fmt.Sprintf("repository_access.%s.git", name), access.Git); err != nil {
+		return err
+	}
+	if err := validateCredentialStoreSelection(secrets, fmt.Sprintf("repository_access.%s.git.credential.store", name), access.Git.Credential.Store); err != nil {
+		return err
+	}
+	return nil
+}
+
+func validateGitConfig(path string, git GitConfig) error {
+	if strings.TrimSpace(git.Host) == "" {
+		return invalid("%s.host is required", path)
+	}
+	if !git.AuthMode.Valid() {
+		return invalid("%s.auth_mode %q is invalid", path, git.AuthMode)
+	}
+	if !git.AuthMode.Supported() {
+		return fmt.Errorf("%w: %s.auth_mode %q", ErrUnsupported, path, git.AuthMode)
+	}
+	if err := validateCredentialLocation(path+".credential", git.Credential); err != nil {
+		return err
+	}
+	if err := validateGitHubAppConfig(path+".github_app", git.AuthMode, git.GitHubApp); err != nil {
+		return err
+	}
+	return nil
+}
+
+func validateGitHubAppConfig(path string, authMode GitAuthMode, app *GitHubAppConfig) error {
+	if authMode != GitAuthModeGitHubApp {
+		if app != nil {
+			return invalid("%s must be empty unless auth_mode is github_app", path)
+		}
+		return nil
+	}
+	if app == nil {
+		return invalid("%s.app_id is required for github_app auth", path)
+	}
+	if strings.TrimSpace(app.AppID) == "" {
+		return invalid("%s.app_id is required for github_app auth", path)
+	}
+	if _, err := strconv.ParseInt(strings.TrimSpace(app.AppID), 10, 64); err != nil {
+		return invalid("%s.app_id %q must be a decimal GitHub App ID", path, app.AppID)
+	}
+	return nil
+}
+
+func validateProfileCredentialStoreSelections(cfg File, name string, profile Profile) error {
+	for _, credential := range profileCredentialLocations(cfg, profile) {
+		if err := validateCredentialStoreSelection(cfg.Secrets, fmt.Sprintf("profiles.%s.%s.credential.store", name, credential.path), credential.location.Store); err != nil {
 			return err
 		}
 	}
@@ -1025,21 +1331,22 @@ type profileCredentialLocation struct {
 	location CredentialLocation
 }
 
-func profileCredentialLocations(profile Profile) []profileCredentialLocation {
+func profileCredentialLocations(cfg File, profile Profile) []profileCredentialLocation {
 	locations := []profileCredentialLocation{{
 		path:     "git",
 		location: profile.Git.Credential,
 	}}
-	if profile.ReviewerCredentials != nil {
+	if profile.Reviewer.Kind == ProfileReviewerKindEntity {
+		entity := cfg.ReviewerEntities[profile.Reviewer.Entity]
 		locations = append(locations, profileCredentialLocation{
-			path:     "reviewer_credentials",
-			location: profile.ReviewerCredentials.Credential,
+			path:     "reviewer.entity",
+			location: entity.Credential,
 		})
 	}
-	if profile.LLM.Auth == LLMAuthAPIKey {
+	if runtime := cfg.LLMRuntimes[profile.LLMRuntime]; runtime.Auth == LLMAuthAPIKey {
 		locations = append(locations, profileCredentialLocation{
-			path:     "llm",
-			location: profile.LLM.Credential,
+			path:     "llm_runtime",
+			location: runtime.Credential,
 		})
 	}
 	return locations
@@ -1267,14 +1574,13 @@ func ValidateRetention(retention RetentionConfig) error {
 }
 
 func (cfg File) normalized() File {
-	if cfg.Profiles == nil {
-		cfg.Profiles = map[string]Profile{}
-	}
-	profiles := make(map[string]Profile, len(cfg.Profiles))
-	for name, profile := range cfg.Profiles {
-		profiles[name] = profile.normalized()
+	if cfg.RepositoryAccess != nil {
+		accesses := make(map[string]RepositoryAccessConfig, len(cfg.RepositoryAccess))
+		for name, access := range cfg.RepositoryAccess {
+			accesses[strings.TrimSpace(name)] = access.normalized()
+		}
+		cfg.RepositoryAccess = accesses
 	}
-	cfg.Profiles = profiles
 	if cfg.LLMRuntimes != nil {
 		runtimes := make(map[string]LLMConfig, len(cfg.LLMRuntimes))
 		for name, runtime := range cfg.LLMRuntimes {
@@ -1282,6 +1588,22 @@ func (cfg File) normalized() File {
 		}
 		cfg.LLMRuntimes = runtimes
 	}
+	if cfg.ReviewerEntities != nil {
+		entities := make(map[string]ReviewerEntity, len(cfg.ReviewerEntities))
+		for name, entity := range cfg.ReviewerEntities {
+			entities[strings.TrimSpace(name)] = entity.normalized()
+		}
+		cfg.ReviewerEntities = entities
+	}
+	if cfg.Profiles == nil {
+		cfg.Profiles = map[string]Profile{}
+	}
+	cfg = cfg.projectProfileComponentReferences()
+	profiles := make(map[string]Profile, len(cfg.Profiles))
+	for name, profile := range cfg.Profiles {
+		profiles[name] = cfg.resolveProfileRuntimeFields(profile.normalized())
+	}
+	cfg.Profiles = profiles
 	if len(cfg.RepositoryProfiles) > 0 {
 		routes := make([]RepositoryProfile, len(cfg.RepositoryProfiles))
 		for index, route := range cfg.RepositoryProfiles {
@@ -1304,6 +1626,266 @@ func (cfg File) normalized() File {
 	return cfg
 }
 
+func (cfg File) projectProfileComponentReferences() File {
+	repositoryAccessNamesByKey := map[string]string{}
+	for name, access := range cfg.RepositoryAccess {
+		repositoryAccessNamesByKey[repositoryAccessIdentityKey(access)] = name
+	}
+	runtimeNamesByKey := map[string]string{}
+	for name, runtime := range cfg.LLMRuntimes {
+		runtimeNamesByKey[llmRuntimeIdentityKey(runtime)] = name
+	}
+	reviewerNamesByKey := map[string]string{}
+	for name, entity := range cfg.ReviewerEntities {
+		reviewerNamesByKey[reviewerEntityIdentityKey(entity)] = name
+	}
+
+	profileNames := make([]string, 0, len(cfg.Profiles))
+	for name := range cfg.Profiles {
+		profileNames = append(profileNames, name)
+	}
+	sort.Strings(profileNames)
+	reviewerDisplayNameConflicts := map[string]bool{}
+	profiles := make(map[string]Profile, len(cfg.Profiles))
+	for _, name := range profileNames {
+		profile := cfg.Profiles[name]
+		profile = profile.normalized()
+		if strings.TrimSpace(profile.RepositoryAccess) == "" && !profile.Git.empty() {
+			access := repositoryAccessFromProfile(profile)
+			key := repositoryAccessIdentityKey(access)
+			accessName, ok := repositoryAccessNamesByKey[key]
+			if !ok {
+				if cfg.RepositoryAccess == nil {
+					cfg.RepositoryAccess = map[string]RepositoryAccessConfig{}
+				}
+				accessName = uniqueConfigComponentName(cfg.RepositoryAccess, suggestedRepositoryAccessName(name, access))
+				cfg.RepositoryAccess[accessName] = access
+				repositoryAccessNamesByKey[key] = accessName
+			}
+			profile.RepositoryAccess = accessName
+		}
+		if strings.TrimSpace(profile.LLMRuntime) == "" && !profile.LLM.empty() {
+			runtime := profile.LLM.normalized()
+			key := llmRuntimeIdentityKey(runtime)
+			runtimeName, ok := runtimeNamesByKey[key]
+			if !ok {
+				if cfg.LLMRuntimes == nil {
+					cfg.LLMRuntimes = map[string]LLMConfig{}
+				}
+				runtimeName = uniqueConfigComponentName(cfg.LLMRuntimes, suggestedLLMRuntimeName(runtime))
+				cfg.LLMRuntimes[runtimeName] = runtime
+				runtimeNamesByKey[key] = runtimeName
+			}
+			profile.LLMRuntime = runtimeName
+		}
+		if !profile.Reviewer.Kind.Valid() {
+			if profile.ReviewerCredentials == nil {
+				profile.Reviewer.Kind = ProfileReviewerKindGitIdentity
+			} else {
+				entity := reviewerEntityFromProfile(profile)
+				key := reviewerEntityIdentityKey(entity)
+				entityName, ok := reviewerNamesByKey[key]
+				if !ok {
+					if cfg.ReviewerEntities == nil {
+						cfg.ReviewerEntities = map[string]ReviewerEntity{}
+					}
+					entityName = uniqueConfigComponentName(cfg.ReviewerEntities, suggestedReviewerEntityName(name, entity))
+					cfg.ReviewerEntities[entityName] = entity
+					reviewerNamesByKey[key] = entityName
+				} else if existing := cfg.ReviewerEntities[entityName]; !reviewerDisplayNameConflicts[entityName] {
+					displayName := mergeProjectedReviewerEntityDisplayName(existing.DisplayName, entity.DisplayName)
+					if displayName == "" && strings.TrimSpace(existing.DisplayName) != "" && strings.TrimSpace(entity.DisplayName) != "" && strings.TrimSpace(existing.DisplayName) != strings.TrimSpace(entity.DisplayName) {
+						reviewerDisplayNameConflicts[entityName] = true
+					}
+					existing.DisplayName = displayName
+					cfg.ReviewerEntities[entityName] = existing
+				}
+				profile.Reviewer = projectedProfileReviewerForEntity(entityName, entity.AuthMode)
+			}
+		}
+		profiles[name] = profile
+	}
+	cfg.Profiles = profiles
+	return cfg
+}
+
+func projectedProfileReviewerForEntity(entityName string, authMode GitAuthMode) ProfileReviewer {
+	reviewer := ProfileReviewer{Kind: ProfileReviewerKindEntity, Entity: strings.TrimSpace(entityName)}
+	if authMode == GitAuthModeGitHubApp {
+		reviewer.GitHubAppInstallation = &ProfileReviewerGitHubAppInstallation{
+			Mode: ProfileReviewerGitHubAppInstallationDiscoverFromRepository,
+		}
+	}
+	return reviewer
+}
+
+func mergeProjectedReviewerEntityDisplayName(existing, next string) string {
+	existing = strings.TrimSpace(existing)
+	next = strings.TrimSpace(next)
+	switch {
+	case existing == "":
+		return next
+	case next == "":
+		return existing
+	case existing == next:
+		return existing
+	default:
+		return ""
+	}
+}
+
+func uniqueConfigComponentName[T any](existing map[string]T, base string) string {
+	base = strings.TrimSpace(base)
+	if base == "" {
+		base = "component"
+	}
+	if _, ok := existing[base]; !ok {
+		return base
+	}
+	for suffix := 2; ; suffix++ {
+		candidate := fmt.Sprintf("%s-%d", base, suffix)
+		if _, ok := existing[candidate]; !ok {
+			return candidate
+		}
+	}
+}
+
+func llmRuntimeIdentityKey(llm LLMConfig) string {
+	llm = llm.normalized()
+	modelKeys := make([]string, 0, len(llm.ModelMap))
+	for tier := range llm.ModelMap {
+		modelKeys = append(modelKeys, tier)
+	}
+	sort.Strings(modelKeys)
+	models := make([]string, 0, len(modelKeys))
+	for _, tier := range modelKeys {
+		models = append(models, tier+"="+strings.TrimSpace(llm.ModelMap[tier]))
+	}
+	return strings.Join([]string{
+		string(llm.Provider),
+		string(llm.Auth),
+		string(llm.Adapter),
+		llm.Credential.Store,
+		llm.Credential.Name,
+		strings.Join(models, "\x1f"),
+		string(llm.ReviewerModelTier),
+	}, "\x00")
+}
+
+func suggestedLLMRuntimeName(llm LLMConfig) string {
+	switch {
+	case llm.Provider == LLMProviderAnthropic && llm.Auth == LLMAuthSubscription && llm.Adapter == LLMAdapterClaudeCLI:
+		return "claude-cli"
+	case llm.Provider == LLMProviderOpenAI && llm.Auth == LLMAuthSubscription && llm.Adapter == LLMAdapterCodexCLI:
+		return "codex-cli"
+	case llm.Provider == LLMProviderPi && llm.Auth == LLMAuthSubscription && llm.Adapter == LLMAdapterPiRPC:
+		return "pi-local"
+	case llm.Provider == LLMProviderAnthropic && llm.Auth == LLMAuthAPIKey && llm.Adapter == LLMAdapterAnthropicAPI:
+		return "anthropic-api-key"
+	case llm.Provider == LLMProviderOpenAI && llm.Auth == LLMAuthAPIKey && llm.Adapter == LLMAdapterOpenAIAPI:
+		return "openai-api-key"
+	}
+	name := strings.Trim(strings.Join([]string{string(llm.Provider), string(llm.Auth), string(llm.Adapter)}, "-"), "-")
+	if name == "" {
+		return "llm-runtime"
+	}
+	return name
+}
+
+func reviewerEntityFromProfile(profile Profile) ReviewerEntity {
+	reviewer := profile.ReviewerCredentials.normalized()
+	return ReviewerEntity{
+		Host:          profile.Git.Host,
+		AuthMode:      reviewer.AuthMode,
+		Credential:    reviewer.Credential,
+		CredentialRef: reviewer.CredentialRef,
+		GitHubApp:     cloneGitHubAppConfig(reviewer.GitHubApp),
+		DisplayName:   reviewer.DisplayName,
+		IdentityCache: reviewer.IdentityCache,
+	}.normalized()
+}
+
+func reviewerEntityIdentityKey(entity ReviewerEntity) string {
+	entity = entity.normalized()
+	return strings.Join([]string{
+		entity.Host,
+		string(entity.AuthMode),
+		entity.Credential.Store,
+		entity.Credential.Name,
+		gitHubAppID(entity.GitHubApp),
+	}, "\x00")
+}
+
+func gitHubAppID(app *GitHubAppConfig) string {
+	if app == nil {
+		return ""
+	}
+	return strings.TrimSpace(app.AppID)
+}
+
+func suggestedReviewerEntityName(profileName string, entity ReviewerEntity) string {
+	prefix := strings.TrimSpace(profileName)
+	if prefix != "" {
+		return prefix + "-reviewer"
+	}
+	switch entity.AuthMode {
+	case GitAuthModeGitHubApp:
+		return "reviewer-github-app"
+	case GitAuthModePAT:
+		return "reviewer-pat"
+	case GitAuthModeOAuthDevice:
+		return "reviewer-oauth-device"
+	}
+	return "reviewer-entity"
+}
+
+func repositoryAccessFromProfile(profile Profile) RepositoryAccessConfig {
+	return RepositoryAccessConfig{
+		Git: profile.Git,
+	}.normalized()
+}
+
+func repositoryAccessIdentityKey(access RepositoryAccessConfig) string {
+	access = access.normalized()
+	return strings.Join([]string{
+		access.Git.Host,
+		string(access.Git.AuthMode),
+		access.Git.Credential.Store,
+		access.Git.Credential.Name,
+		gitHubAppID(access.Git.GitHubApp),
+	}, "\x00")
+}
+
+func suggestedRepositoryAccessName(profileName string, access RepositoryAccessConfig) string {
+	prefix := strings.TrimSpace(profileName)
+	if prefix != "" {
+		return prefix + "-git"
+	}
+	host := strings.ReplaceAll(access.normalized().Git.Host, ".", "-")
+	if strings.TrimSpace(host) != "" {
+		return host + "-git"
+	}
+	return "repository-access"
+}
+
+func (cfg File) resolveProfileRuntimeFields(profile Profile) Profile {
+	if access, ok := cfg.RepositoryAccess[profile.RepositoryAccess]; ok {
+		profile.Git = access.Git.normalized()
+	}
+	if runtime, ok := cfg.LLMRuntimes[profile.LLMRuntime]; ok {
+		profile.LLM = runtime.normalized()
+	}
+	switch profile.Reviewer.Kind {
+	case ProfileReviewerKindGitIdentity:
+		profile.ReviewerCredentials = nil
+	case ProfileReviewerKindEntity:
+		if entity, ok := cfg.ReviewerEntities[profile.Reviewer.Entity]; ok {
+			profile.ReviewerCredentials = entity.reviewerCredentials()
+		}
+	}
+	return profile
+}
+
 func (s SecretsConfig) normalized() SecretsConfig {
 	if s.Stores == nil {
 		s.Stores = map[string]SecretsStore{}
@@ -1402,7 +1984,10 @@ func IsOnePasswordSecretsBackend(kind SecretsBackendKind) bool {
 
 func (p Profile) normalized() Profile {
 	p.SecretsProfile = strings.TrimSpace(p.SecretsProfile)
+	p.RepositoryAccess = strings.TrimSpace(p.RepositoryAccess)
 	p.Git = p.Git.normalized()
+	p.Reviewer = p.Reviewer.normalized()
+	p.LLMRuntime = strings.TrimSpace(p.LLMRuntime)
 	if p.ReviewerCredentials != nil {
 		reviewer := p.ReviewerCredentials.normalized()
 		p.ReviewerCredentials = &reviewer
@@ -1412,7 +1997,25 @@ func (p Profile) normalized() Profile {
 	return p
 }
 
+func (r ProfileReviewer) normalized() ProfileReviewer {
+	r.Kind = ProfileReviewerKind(strings.TrimSpace(string(r.Kind)))
+	r.Entity = strings.TrimSpace(r.Entity)
+	if r.GitHubAppInstallation != nil {
+		installation := r.GitHubAppInstallation.normalized()
+		r.GitHubAppInstallation = &installation
+	}
+	return r
+}
+
+func (i ProfileReviewerGitHubAppInstallation) normalized() ProfileReviewerGitHubAppInstallation {
+	i.Mode = ProfileReviewerGitHubAppInstallationMode(strings.TrimSpace(string(i.Mode)))
+	i.InstallationID = strings.TrimSpace(i.InstallationID)
+	return i
+}
+
 func (g GitConfig) normalized() GitConfig {
+	g.Host = normalizeConfigHost(g.Host)
+	g.AuthMode = GitAuthMode(strings.TrimSpace(string(g.AuthMode)))
 	g.CredentialRef = strings.TrimSpace(g.CredentialRef)
 	g.Credential = g.Credential.normalized()
 	if g.Credential.Name == "" && g.CredentialRef != "" {
@@ -1422,9 +2025,25 @@ func (g GitConfig) normalized() GitConfig {
 		g.Credential.Name = g.CredentialRef
 	}
 	g.CredentialRef = g.Credential.Name
+	g.GitHubApp = normalizeGitHubAppForAuth(g.AuthMode, g.GitHubApp)
 	return g
 }
 
+func (g GitConfig) empty() bool {
+	g = g.normalized()
+	return g.Host == "" &&
+		g.AuthMode == "" &&
+		g.Credential.empty() &&
+		g.GitHubApp == nil &&
+		g.IdentityCache == ""
+}
+
+func (r RepositoryAccessConfig) normalized() RepositoryAccessConfig {
+	r.DisplayName = strings.TrimSpace(r.DisplayName)
+	r.Git = r.Git.normalized()
+	return r
+}
+
 func (r ReviewerCredentials) normalized() ReviewerCredentials {
 	r.CredentialRef = strings.TrimSpace(r.CredentialRef)
 	r.Credential = r.Credential.normalized()
@@ -1435,9 +2054,59 @@ func (r ReviewerCredentials) normalized() ReviewerCredentials {
 		r.Credential.Name = r.CredentialRef
 	}
 	r.CredentialRef = r.Credential.Name
+	r.GitHubApp = normalizeGitHubAppForAuth(r.AuthMode, r.GitHubApp)
 	return r
 }
 
+func (r ReviewerEntity) normalized() ReviewerEntity {
+	r.Host = normalizeConfigHost(r.Host)
+	r.AuthMode = GitAuthMode(strings.TrimSpace(string(r.AuthMode)))
+	r.CredentialRef = strings.TrimSpace(r.CredentialRef)
+	r.Credential = r.Credential.normalized()
+	if r.Credential.Name == "" && r.CredentialRef != "" {
+		if r.Credential.Store == "" {
+			r.Credential.Store = LocalOSCredentialStoreID
+		}
+		r.Credential.Name = r.CredentialRef
+	}
+	r.CredentialRef = r.Credential.Name
+	r.GitHubApp = normalizeGitHubAppForAuth(r.AuthMode, r.GitHubApp)
+	r.DisplayName = strings.TrimSpace(r.DisplayName)
+	r.IdentityCache = strings.TrimSpace(r.IdentityCache)
+	return r
+}
+
+func (r ReviewerEntity) reviewerCredentials() *ReviewerCredentials {
+	r = r.normalized()
+	return &ReviewerCredentials{
+		AuthMode:      r.AuthMode,
+		Credential:    r.Credential,
+		GitHubApp:     cloneGitHubAppConfig(r.GitHubApp),
+		DisplayName:   r.DisplayName,
+		IdentityCache: r.IdentityCache,
+		CredentialRef: r.Credential.Name,
+	}
+}
+
+func normalizeGitHubAppForAuth(authMode GitAuthMode, app *GitHubAppConfig) *GitHubAppConfig {
+	if app == nil {
+		return nil
+	}
+	normalized := GitHubAppConfig{AppID: strings.TrimSpace(app.AppID)}
+	if authMode != GitAuthModeGitHubApp {
+		return &normalized
+	}
+	return &normalized
+}
+
+func cloneGitHubAppConfig(app *GitHubAppConfig) *GitHubAppConfig {
+	if app == nil {
+		return nil
+	}
+	cloned := *app
+	return &cloned
+}
+
 func (l LLMConfig) normalized() LLMConfig {
 	l.CredentialRef = strings.TrimSpace(l.CredentialRef)
 	l.Credential = l.Credential.normalized()
@@ -1459,9 +2128,22 @@ func (l LLMConfig) normalized() LLMConfig {
 	return l
 }
 
+func (l LLMConfig) empty() bool {
+	return strings.TrimSpace(string(l.Provider)) == "" &&
+		strings.TrimSpace(string(l.Auth)) == "" &&
+		strings.TrimSpace(string(l.Adapter)) == "" &&
+		l.Credential.empty() &&
+		len(l.ModelMap) == 0 &&
+		strings.TrimSpace(string(l.ReviewerModelTier)) == "" &&
+		strings.TrimSpace(l.CredentialRef) == ""
+}
+
 func (p ReviewPolicy) normalized() ReviewPolicy {
 	if p.MajorEvent == "" {
-		p.MajorEvent = ReviewMajorEventComment
+		p.MajorEvent = ReviewMajorEventRequestChanges
+	}
+	if p.ResolveThreads == "" {
+		p.ResolveThreads = ResolveThreadsAuto
 	}
 	return p
 }
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index 446eba5b..db33b4ec 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -174,7 +174,12 @@ func TestLoadRejectsInvalidEnums(t *testing.T) {
 
 func TestLoadAcceptsPiRPCSubscriptionProfile(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
-	writeFile(t, path, `profiles:
+	writeFile(t, path, `llm_runtimes:
+  pi-local:
+    provider: pi
+    auth: subscription
+    adapter: pi_rpc
+profiles:
   pi:
     git:
       host: github.com
@@ -182,10 +187,9 @@ func TestLoadAcceptsPiRPCSubscriptionProfile(t *testing.T) {
       credential:
         store: local-os
         name: codereview/pi
-    llm:
-      provider: pi
-      auth: subscription
-      adapter: pi_rpc
+    reviewer:
+      kind: git_identity
+    llm_runtime: pi-local
 `)
 	cfg, err := Load(path)
 	if err != nil {
@@ -206,7 +210,12 @@ func TestLoadAcceptsPiRPCSubscriptionProfile(t *testing.T) {
 
 func TestLoadAcceptsCodexCLISubscriptionProfile(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
-	writeFile(t, path, `profiles:
+	writeFile(t, path, `llm_runtimes:
+  codex-local:
+    provider: openai
+    auth: subscription
+    adapter: codex_cli
+profiles:
   codex:
     git:
       host: github.com
@@ -214,10 +223,9 @@ func TestLoadAcceptsCodexCLISubscriptionProfile(t *testing.T) {
       credential:
         store: local-os
         name: codereview/codex
-    llm:
-      provider: openai
-      auth: subscription
-      adapter: codex_cli
+    reviewer:
+      kind: git_identity
+    llm_runtime: codex-local
 `)
 	cfg, err := Load(path)
 	if err != nil {
@@ -239,33 +247,34 @@ func TestLoadAcceptsCodexCLISubscriptionProfile(t *testing.T) {
 func TestValidateRejectsInvalidPiCombinations(t *testing.T) {
 	tests := []struct {
 		name   string
-		mutate func(*Profile)
+		mutate func(*LLMConfig)
 	}{
-		{name: "api key auth", mutate: func(profile *Profile) {
-			profile.LLM.Auth = LLMAuthAPIKey
-			profile.LLM.CredentialRef = "codereview/pi-llm"
+		{name: "api key auth", mutate: func(llm *LLMConfig) {
+			llm.Auth = LLMAuthAPIKey
+			llm.CredentialRef = "codereview/pi-llm"
 		}},
-		{name: "claude cli adapter", mutate: func(profile *Profile) {
-			profile.LLM.Adapter = LLMAdapterClaudeCLI
+		{name: "claude cli adapter", mutate: func(llm *LLMConfig) {
+			llm.Adapter = LLMAdapterClaudeCLI
 		}},
-		{name: "anthropic api adapter", mutate: func(profile *Profile) {
-			profile.LLM.Adapter = LLMAdapterAnthropicAPI
+		{name: "anthropic api adapter", mutate: func(llm *LLMConfig) {
+			llm.Adapter = LLMAdapterAnthropicAPI
 		}},
-		{name: "pi rpc adapter with anthropic provider", mutate: func(profile *Profile) {
-			profile.LLM.Provider = LLMProviderAnthropic
+		{name: "pi rpc adapter with anthropic provider", mutate: func(llm *LLMConfig) {
+			llm.Provider = LLMProviderAnthropic
 		}},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cfg := validFile()
-			profile := cfg.Profiles["home"]
-			profile.LLM.Provider = LLMProviderPi
-			profile.LLM.Auth = LLMAuthSubscription
-			profile.LLM.Adapter = LLMAdapterPiRPC
-			profile.LLM.CredentialRef = ""
-			tt.mutate(&profile)
-			cfg.Profiles["home"] = profile
+			llm := cfg.LLMRuntimes["home-llm"]
+			llm.Provider = LLMProviderPi
+			llm.Auth = LLMAuthSubscription
+			llm.Adapter = LLMAdapterPiRPC
+			llm.CredentialRef = ""
+			llm.Credential = CredentialLocation{}
+			tt.mutate(&llm)
+			cfg.LLMRuntimes["home-llm"] = llm
 			err := Validate(cfg)
 			if !errors.Is(err, ErrInvalid) {
 				t.Fatalf("Validate error = %v, want ErrInvalid", err)
@@ -280,27 +289,28 @@ func TestValidateRejectsInvalidPiCombinations(t *testing.T) {
 func TestValidateRejectsInvalidCodexCLICombinations(t *testing.T) {
 	tests := []struct {
 		name   string
-		mutate func(*Profile)
+		mutate func(*LLMConfig)
 	}{
-		{name: "anthropic provider", mutate: func(profile *Profile) {
-			profile.LLM.Provider = LLMProviderAnthropic
+		{name: "anthropic provider", mutate: func(llm *LLMConfig) {
+			llm.Provider = LLMProviderAnthropic
 		}},
-		{name: "api key auth", mutate: func(profile *Profile) {
-			profile.LLM.Auth = LLMAuthAPIKey
-			profile.LLM.CredentialRef = "codereview/codex-llm"
+		{name: "api key auth", mutate: func(llm *LLMConfig) {
+			llm.Auth = LLMAuthAPIKey
+			llm.CredentialRef = "codereview/codex-llm"
 		}},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cfg := validFile()
-			profile := cfg.Profiles["home"]
-			profile.LLM.Provider = LLMProviderOpenAI
-			profile.LLM.Auth = LLMAuthSubscription
-			profile.LLM.Adapter = LLMAdapterCodexCLI
-			profile.LLM.CredentialRef = ""
-			tt.mutate(&profile)
-			cfg.Profiles["home"] = profile
+			llm := cfg.LLMRuntimes["home-llm"]
+			llm.Provider = LLMProviderOpenAI
+			llm.Auth = LLMAuthSubscription
+			llm.Adapter = LLMAdapterCodexCLI
+			llm.CredentialRef = ""
+			llm.Credential = CredentialLocation{}
+			tt.mutate(&llm)
+			cfg.LLMRuntimes["home-llm"] = llm
 			err := Validate(cfg)
 			if !errors.Is(err, ErrInvalid) {
 				t.Fatalf("Validate error = %v, want ErrInvalid", err)
@@ -314,14 +324,14 @@ func TestValidateRejectsInvalidCodexCLICombinations(t *testing.T) {
 
 func TestModelMapValidationAndResolution(t *testing.T) {
 	cfg := validFile()
-	profile := cfg.Profiles["home"]
-	profile.LLM.Provider = LLMProviderOpenAI
-	profile.LLM.Auth = LLMAuthSubscription
-	profile.LLM.Adapter = LLMAdapterCodexCLI
-	profile.LLM.ModelMap = ModelMap{
+	llm := cfg.LLMRuntimes["home-llm"]
+	llm.Provider = LLMProviderOpenAI
+	llm.Auth = LLMAuthSubscription
+	llm.Adapter = LLMAdapterCodexCLI
+	llm.ModelMap = ModelMap{
 		" medium ": " gpt-custom ",
 	}
-	cfg.Profiles["home"] = profile
+	cfg.LLMRuntimes["home-llm"] = llm
 
 	if err := Validate(cfg); err != nil {
 		t.Fatalf("Validate: %v", err)
@@ -347,9 +357,9 @@ func TestModelMapValidationAndResolution(t *testing.T) {
 
 func TestReviewerModelTierValidationAndNormalization(t *testing.T) {
 	cfg := validFile()
-	profile := cfg.Profiles["home"]
-	profile.LLM.ReviewerModelTier = " medium "
-	cfg.Profiles["home"] = profile
+	llm := cfg.LLMRuntimes["home-llm"]
+	llm.ReviewerModelTier = " medium "
+	cfg.LLMRuntimes["home-llm"] = llm
 
 	if err := Validate(cfg); err != nil {
 		t.Fatalf("Validate: %v", err)
@@ -365,9 +375,9 @@ func TestReviewerModelTierValidationAndNormalization(t *testing.T) {
 
 func TestValidateRejectsInvalidReviewerModelTier(t *testing.T) {
 	cfg := validFile()
-	profile := cfg.Profiles["home"]
-	profile.LLM.ReviewerModelTier = "flagship"
-	cfg.Profiles["home"] = profile
+	llm := cfg.LLMRuntimes["home-llm"]
+	llm.ReviewerModelTier = "flagship"
+	cfg.LLMRuntimes["home-llm"] = llm
 
 	err := Validate(cfg)
 	if !errors.Is(err, ErrInvalid) {
@@ -440,9 +450,9 @@ func TestValidateRejectsInvalidModelMap(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cfg := validFile()
-			profile := cfg.Profiles["home"]
-			profile.LLM.ModelMap = tt.modelMap
-			cfg.Profiles["home"] = profile
+			llm := cfg.LLMRuntimes["home-llm"]
+			llm.ModelMap = tt.modelMap
+			cfg.LLMRuntimes["home-llm"] = llm
 			err := Validate(cfg)
 			if !errors.Is(err, ErrInvalid) {
 				t.Fatalf("Validate error = %v, want ErrInvalid", err)
@@ -836,7 +846,9 @@ func TestCredentialRefs(t *testing.T) {
 func TestCredentialRefsIncludesGitHubAppModes(t *testing.T) {
 	profile := validFile().normalized().Profiles["work"]
 	profile.Git.AuthMode = GitAuthModeGitHubApp
+	profile.Git.GitHubApp = &GitHubAppConfig{AppID: "12345"}
 	profile.ReviewerCredentials.AuthMode = GitAuthModeGitHubApp
+	profile.ReviewerCredentials.GitHubApp = &GitHubAppConfig{AppID: "12345"}
 
 	refs, err := CredentialRefs(profile)
 	if err != nil {
@@ -852,6 +864,42 @@ func TestCredentialRefsIncludesGitHubAppModes(t *testing.T) {
 	}
 }
 
+func TestPinnedGitHubAppInstallationIDForGit(t *testing.T) {
+	profile := validFile().normalized().Profiles["work"]
+	profile.ReviewerCredentials = &ReviewerCredentials{
+		AuthMode:      GitAuthModeGitHubApp,
+		Credential:    CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
+		CredentialRef: "codereview/work-reviewer",
+	}
+	profile.Reviewer = ProfileReviewer{
+		Kind:   ProfileReviewerKindEntity,
+		Entity: "work-reviewer",
+		GitHubAppInstallation: &ProfileReviewerGitHubAppInstallation{
+			Mode:           ProfileReviewerGitHubAppInstallationPinned,
+			InstallationID: "123456",
+		},
+	}
+	git := GitConfig{
+		Host:          "github.com",
+		AuthMode:      GitAuthModeGitHubApp,
+		CredentialRef: "codereview/work-reviewer",
+	}
+	if got := PinnedGitHubAppInstallationIDForGit(profile, git); got != "123456" {
+		t.Fatalf("PinnedGitHubAppInstallationIDForGit = %q, want 123456", got)
+	}
+
+	profile.Reviewer.GitHubAppInstallation.Mode = ProfileReviewerGitHubAppInstallationDiscoverFromRepository
+	profile.Reviewer.GitHubAppInstallation.InstallationID = ""
+	if got := PinnedGitHubAppInstallationIDForGit(profile, git); got != "" {
+		t.Fatalf("discover installation id = %q, want empty", got)
+	}
+
+	git.CredentialRef = "codereview/work"
+	if got := PinnedGitHubAppInstallationIDForGit(profile, git); got != "" {
+		t.Fatalf("unmatched credential installation id = %q, want empty", got)
+	}
+}
+
 func TestValidateAllowsCredentialStoresWithoutReviewProfiles(t *testing.T) {
 	cfg := File{
 		Secrets: SecretsConfig{
@@ -962,6 +1010,143 @@ func TestValidateAllowsLLMRuntimesWithoutReviewProfiles(t *testing.T) {
 	}
 }
 
+func TestValidateAllowsRepositoryAccessWithoutReviewProfiles(t *testing.T) {
+	cfg := File{
+		RepositoryAccess: map[string]RepositoryAccessConfig{
+			"personal-github": {
+				DisplayName: "Personal GitHub",
+				Git: GitConfig{
+					Host:     " GitHub.com ",
+					AuthMode: GitAuthModePAT,
+					Credential: CredentialLocation{
+						Store: LocalOSCredentialStoreID,
+						Name:  "codereview/personal-github",
+					},
+				},
+			},
+			"work-app": {
+				Git: GitConfig{
+					Host:     "github.example.com",
+					AuthMode: GitAuthModeGitHubApp,
+					Credential: CredentialLocation{
+						Store: LocalOSCredentialStoreID,
+						Name:  "codereview/work-github-app",
+					},
+					GitHubApp: &GitHubAppConfig{AppID: "12345"},
+				},
+			},
+		},
+	}
+	if err := Validate(cfg); err != nil {
+		t.Fatalf("Validate repository-access-only config: %v", err)
+	}
+
+	path := filepath.Join(t.TempDir(), "config.yml")
+	if err := Save(path, cfg); err != nil {
+		t.Fatalf("Save repository-access-only config: %v", err)
+	}
+	loaded, err := Load(path)
+	if err != nil {
+		t.Fatalf("Load repository-access-only config: %v", err)
+	}
+	if len(loaded.Profiles) != 0 {
+		t.Fatalf("loaded profiles = %#v, want none", loaded.Profiles)
+	}
+	if got := loaded.RepositoryAccess["personal-github"].Git.Host; got != "github.com" {
+		t.Fatalf("repository access host = %q, want github.com", got)
+	}
+	if got := loaded.RepositoryAccess["work-app"].Git.GitHubApp.AppID; got != "12345" {
+		t.Fatalf("repository access app id = %q, want 12345", got)
+	}
+}
+
+func TestValidateRepositoryAccess(t *testing.T) {
+	tests := []struct {
+		name    string
+		mutate  func(*File)
+		wantErr error
+		wantMsg string
+	}{
+		{
+			name: "blank name",
+			mutate: func(cfg *File) {
+				cfg.RepositoryAccess[" "] = cfg.RepositoryAccess["work"]
+				delete(cfg.RepositoryAccess, "work")
+			},
+			wantErr: ErrInvalid,
+			wantMsg: "repository_access name is required",
+		},
+		{
+			name: "missing host",
+			mutate: func(cfg *File) {
+				access := cfg.RepositoryAccess["work"]
+				access.Git.Host = ""
+				cfg.RepositoryAccess["work"] = access
+			},
+			wantErr: ErrInvalid,
+			wantMsg: "repository_access.work.git.host is required",
+		},
+		{
+			name: "unknown store",
+			mutate: func(cfg *File) {
+				access := cfg.RepositoryAccess["work"]
+				access.Git.Credential.Store = "missing"
+				cfg.RepositoryAccess["work"] = access
+			},
+			wantErr: ErrSecretsStoreNotFound,
+			wantMsg: `repository_access.work.git.credential.store "missing"`,
+		},
+		{
+			name: "github app requires app id",
+			mutate: func(cfg *File) {
+				access := cfg.RepositoryAccess["work"]
+				access.Git.AuthMode = GitAuthModeGitHubApp
+				access.Git.GitHubApp = nil
+				cfg.RepositoryAccess["work"] = access
+			},
+			wantErr: ErrInvalid,
+			wantMsg: "repository_access.work.git.github_app.app_id is required",
+		},
+		{
+			name: "pat rejects github app config",
+			mutate: func(cfg *File) {
+				access := cfg.RepositoryAccess["work"]
+				access.Git.GitHubApp = &GitHubAppConfig{AppID: "12345"}
+				cfg.RepositoryAccess["work"] = access
+			},
+			wantErr: ErrInvalid,
+			wantMsg: "repository_access.work.git.github_app must be empty unless auth_mode is github_app",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg := File{
+				RepositoryAccess: map[string]RepositoryAccessConfig{
+					"work": {
+						Git: GitConfig{
+							Host:     "github.com",
+							AuthMode: GitAuthModePAT,
+							Credential: CredentialLocation{
+								Store: LocalOSCredentialStoreID,
+								Name:  "codereview/work",
+							},
+						},
+					},
+				},
+			}
+			tt.mutate(&cfg)
+			err := Validate(cfg)
+			if !errors.Is(err, tt.wantErr) {
+				t.Fatalf("Validate error = %v, want %v", err, tt.wantErr)
+			}
+			if tt.wantMsg != "" && !strings.Contains(err.Error(), tt.wantMsg) {
+				t.Fatalf("Validate error = %q, want containing %q", err.Error(), tt.wantMsg)
+			}
+		})
+	}
+}
+
 func TestValidateSecretsStores(t *testing.T) {
 	tests := []struct {
 		name    string
@@ -1173,6 +1358,14 @@ func TestValidateSecretsStores(t *testing.T) {
 }
 
 func TestValidateCredentialLocations(t *testing.T) {
+	setProfileRepositoryAccessCredential := func(cfg *File, profileName string, location CredentialLocation) {
+		profile := cfg.Profiles[profileName]
+		access := cfg.RepositoryAccess[profile.RepositoryAccess]
+		access.Git.Credential = location
+		access.Git.CredentialRef = ""
+		cfg.RepositoryAccess[profile.RepositoryAccess] = access
+	}
+
 	tests := []struct {
 		name    string
 		mutate  func(*File)
@@ -1186,66 +1379,48 @@ func TestValidateCredentialLocations(t *testing.T) {
 					DisplayName: "Work File",
 					Backend:     SecretsStoreBackend{Kind: SecretsBackendKind(credstore.BackendFile)},
 				}
-				profile := cfg.Profiles["home"]
-				profile.Git.Credential = CredentialLocation{Store: "work-file", Name: "codereview/home"}
-				profile.Git.CredentialRef = ""
-				cfg.Profiles["home"] = profile
+				setProfileRepositoryAccessCredential(cfg, "home", CredentialLocation{Store: "work-file", Name: "codereview/home"})
 			},
 		},
 		{
 			name: "missing store",
 			mutate: func(cfg *File) {
-				profile := cfg.Profiles["home"]
-				profile.Git.Credential = CredentialLocation{Name: "codereview/home"}
-				profile.Git.CredentialRef = ""
-				cfg.Profiles["home"] = profile
+				setProfileRepositoryAccessCredential(cfg, "home", CredentialLocation{Name: "codereview/home"})
 			},
 			wantErr: ErrInvalid,
-			wantMsg: "profiles.home.git.credential.store is required",
+			wantMsg: "repository_access.home-git.git.credential.store is required",
 		},
 		{
 			name: "missing name",
 			mutate: func(cfg *File) {
-				profile := cfg.Profiles["home"]
-				profile.Git.Credential = CredentialLocation{Store: LocalOSCredentialStoreID}
-				profile.Git.CredentialRef = ""
-				cfg.Profiles["home"] = profile
+				setProfileRepositoryAccessCredential(cfg, "home", CredentialLocation{Store: LocalOSCredentialStoreID})
 			},
 			wantErr: ErrInvalid,
-			wantMsg: "profiles.home.git.credential.name is required",
+			wantMsg: "repository_access.home-git.git.credential.name is required",
 		},
 		{
 			name: "unknown configured store",
 			mutate: func(cfg *File) {
-				profile := cfg.Profiles["home"]
-				profile.Git.Credential = CredentialLocation{Store: "missing", Name: "codereview/home"}
-				profile.Git.CredentialRef = ""
-				cfg.Profiles["home"] = profile
+				setProfileRepositoryAccessCredential(cfg, "home", CredentialLocation{Store: "missing", Name: "codereview/home"})
 			},
 			wantErr: ErrSecretsStoreNotFound,
-			wantMsg: `profiles.home.git.credential.store "missing"`,
+			wantMsg: `repository_access.home-git.git.credential.store "missing"`,
 		},
 		{
 			name: "credential name invalid grammar",
 			mutate: func(cfg *File) {
-				profile := cfg.Profiles["home"]
-				profile.Git.Credential = CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/bad.profile"}
-				profile.Git.CredentialRef = ""
-				cfg.Profiles["home"] = profile
+				setProfileRepositoryAccessCredential(cfg, "home", CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/bad.profile"})
 			},
 			wantErr: ErrInvalid,
-			wantMsg: "profiles.home.git.credential.name is invalid",
+			wantMsg: "repository_access.home-git.git.credential.name is invalid",
 		},
 		{
 			name: "credential name wrong service",
 			mutate: func(cfg *File) {
-				profile := cfg.Profiles["home"]
-				profile.Git.Credential = CredentialLocation{Store: LocalOSCredentialStoreID, Name: "other/home"}
-				profile.Git.CredentialRef = ""
-				cfg.Profiles["home"] = profile
+				setProfileRepositoryAccessCredential(cfg, "home", CredentialLocation{Store: LocalOSCredentialStoreID, Name: "other/home"})
 			},
 			wantErr: ErrInvalid,
-			wantMsg: `profiles.home.git.credential.name must use service "codereview"`,
+			wantMsg: `repository_access.home-git.git.credential.name must use service "codereview"`,
 		},
 		{
 			name: "same credential name in different stores",
@@ -1254,26 +1429,24 @@ func TestValidateCredentialLocations(t *testing.T) {
 					DisplayName: "Work File",
 					Backend:     SecretsStoreBackend{Kind: SecretsBackendKind(credstore.BackendFile)},
 				}
-				profile := cfg.Profiles["work"]
-				profile.Git.Credential = CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/shared"}
-				profile.Git.CredentialRef = ""
-				profile.ReviewerCredentials.Credential = CredentialLocation{Store: "work-file", Name: "codereview/shared"}
-				profile.ReviewerCredentials.CredentialRef = ""
-				cfg.Profiles["work"] = profile
+				setProfileRepositoryAccessCredential(cfg, "work", CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/shared"})
+				entity := cfg.ReviewerEntities["work-reviewer"]
+				entity.Credential = CredentialLocation{Store: "work-file", Name: "codereview/shared"}
+				entity.CredentialRef = ""
+				cfg.ReviewerEntities["work-reviewer"] = entity
 			},
 		},
 		{
 			name: "same credential name in same store",
 			mutate: func(cfg *File) {
-				profile := cfg.Profiles["work"]
-				profile.Git.Credential = CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/shared"}
-				profile.Git.CredentialRef = ""
-				profile.ReviewerCredentials.Credential = CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/shared"}
-				profile.ReviewerCredentials.CredentialRef = ""
-				cfg.Profiles["work"] = profile
+				setProfileRepositoryAccessCredential(cfg, "work", CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/shared"})
+				entity := cfg.ReviewerEntities["work-reviewer"]
+				entity.Credential = CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/shared"}
+				entity.CredentialRef = ""
+				cfg.ReviewerEntities["work-reviewer"] = entity
 			},
 			wantErr: ErrInvalid,
-			wantMsg: "reviewer_credentials.credential must differ from git.credential",
+			wantMsg: "reviewer.entity \"work-reviewer\" credential must differ from git.credential",
 		},
 	}
 
@@ -1475,9 +1648,9 @@ func TestValidateRejectsReservedGitAuthModes(t *testing.T) {
 			cfg.Profiles["home"] = profile
 		}},
 		{name: "reviewer oauth_device", mutate: func(cfg *File) {
-			profile := cfg.Profiles["work"]
-			profile.ReviewerCredentials.AuthMode = GitAuthModeOAuthDevice
-			cfg.Profiles["work"] = profile
+			entity := cfg.ReviewerEntities["work-reviewer"]
+			entity.AuthMode = GitAuthModeOAuthDevice
+			cfg.ReviewerEntities["work-reviewer"] = entity
 		}},
 	}
 
@@ -1500,11 +1673,18 @@ func TestValidateAcceptsGitHubAppAuthModes(t *testing.T) {
 		{name: "git github_app", mutate: func(cfg *File) {
 			profile := cfg.Profiles["home"]
 			profile.Git.AuthMode = GitAuthModeGitHubApp
+			profile.Git.GitHubApp = &GitHubAppConfig{AppID: "12345"}
 			cfg.Profiles["home"] = profile
 		}},
 		{name: "reviewer github_app", mutate: func(cfg *File) {
+			entity := cfg.ReviewerEntities["work-reviewer"]
+			entity.AuthMode = GitAuthModeGitHubApp
+			entity.GitHubApp = &GitHubAppConfig{AppID: "12345"}
+			cfg.ReviewerEntities["work-reviewer"] = entity
 			profile := cfg.Profiles["work"]
-			profile.ReviewerCredentials.AuthMode = GitAuthModeGitHubApp
+			profile.Reviewer.GitHubAppInstallation = &ProfileReviewerGitHubAppInstallation{
+				Mode: ProfileReviewerGitHubAppInstallationDiscoverFromRepository,
+			}
 			cfg.Profiles["work"] = profile
 		}},
 	}
@@ -1520,6 +1700,124 @@ func TestValidateAcceptsGitHubAppAuthModes(t *testing.T) {
 	}
 }
 
+func TestValidateProfileReviewerGitHubAppInstallation(t *testing.T) {
+	githubAppReviewer := func(cfg *File) {
+		entity := cfg.ReviewerEntities["work-reviewer"]
+		entity.AuthMode = GitAuthModeGitHubApp
+		entity.GitHubApp = &GitHubAppConfig{AppID: "12345"}
+		cfg.ReviewerEntities["work-reviewer"] = entity
+	}
+	tests := []struct {
+		name    string
+		mutate  func(*File)
+		wantErr error
+		wantMsg string
+	}{
+		{
+			name: "discover from repository",
+			mutate: func(cfg *File) {
+				githubAppReviewer(cfg)
+				profile := cfg.Profiles["work"]
+				profile.Reviewer.GitHubAppInstallation = &ProfileReviewerGitHubAppInstallation{
+					Mode: ProfileReviewerGitHubAppInstallationDiscoverFromRepository,
+				}
+				cfg.Profiles["work"] = profile
+			},
+		},
+		{
+			name: "pinned installation",
+			mutate: func(cfg *File) {
+				githubAppReviewer(cfg)
+				profile := cfg.Profiles["work"]
+				profile.Reviewer.GitHubAppInstallation = &ProfileReviewerGitHubAppInstallation{
+					Mode:           ProfileReviewerGitHubAppInstallationPinned,
+					InstallationID: "123456",
+				}
+				cfg.Profiles["work"] = profile
+			},
+		},
+		{
+			name: "missing for github app reviewer",
+			mutate: func(cfg *File) {
+				githubAppReviewer(cfg)
+			},
+			wantErr: ErrInvalid,
+			wantMsg: "profiles.work.reviewer.github_app_installation.mode is required",
+		},
+		{
+			name: "pinned without id",
+			mutate: func(cfg *File) {
+				githubAppReviewer(cfg)
+				profile := cfg.Profiles["work"]
+				profile.Reviewer.GitHubAppInstallation = &ProfileReviewerGitHubAppInstallation{
+					Mode: ProfileReviewerGitHubAppInstallationPinned,
+				}
+				cfg.Profiles["work"] = profile
+			},
+			wantErr: ErrInvalid,
+			wantMsg: "installation_id is required",
+		},
+		{
+			name: "discover with id",
+			mutate: func(cfg *File) {
+				githubAppReviewer(cfg)
+				profile := cfg.Profiles["work"]
+				profile.Reviewer.GitHubAppInstallation = &ProfileReviewerGitHubAppInstallation{
+					Mode:           ProfileReviewerGitHubAppInstallationDiscoverFromRepository,
+					InstallationID: "123456",
+				}
+				cfg.Profiles["work"] = profile
+			},
+			wantErr: ErrInvalid,
+			wantMsg: "installation_id must be empty",
+		},
+		{
+			name: "pat reviewer with installation config",
+			mutate: func(cfg *File) {
+				profile := cfg.Profiles["work"]
+				profile.Reviewer.GitHubAppInstallation = &ProfileReviewerGitHubAppInstallation{
+					Mode: ProfileReviewerGitHubAppInstallationDiscoverFromRepository,
+				}
+				cfg.Profiles["work"] = profile
+			},
+			wantErr: ErrInvalid,
+			wantMsg: "must be empty unless reviewer.entity uses github_app auth",
+		},
+		{
+			name: "git identity with installation config",
+			mutate: func(cfg *File) {
+				profile := cfg.Profiles["home"]
+				profile.Reviewer.GitHubAppInstallation = &ProfileReviewerGitHubAppInstallation{
+					Mode: ProfileReviewerGitHubAppInstallationDiscoverFromRepository,
+				}
+				cfg.Profiles["home"] = profile
+			},
+			wantErr: ErrInvalid,
+			wantMsg: "must be empty for git_identity reviewer",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg := validFile()
+			tt.mutate(&cfg)
+			err := Validate(cfg)
+			if tt.wantErr == nil {
+				if err != nil {
+					t.Fatalf("Validate: %v", err)
+				}
+				return
+			}
+			if !errors.Is(err, tt.wantErr) {
+				t.Fatalf("Validate error = %v, want %v", err, tt.wantErr)
+			}
+			if tt.wantMsg != "" && !strings.Contains(err.Error(), tt.wantMsg) {
+				t.Fatalf("Validate error = %v, want message containing %q", err, tt.wantMsg)
+			}
+		})
+	}
+}
+
 func TestSaveRejectsReservedGitAuthModes(t *testing.T) {
 	tests := []struct {
 		name   string
@@ -1531,9 +1829,9 @@ func TestSaveRejectsReservedGitAuthModes(t *testing.T) {
 			cfg.Profiles["home"] = profile
 		}},
 		{name: "reviewer oauth_device", mutate: func(cfg *File) {
-			profile := cfg.Profiles["work"]
-			profile.ReviewerCredentials.AuthMode = GitAuthModeOAuthDevice
-			cfg.Profiles["work"] = profile
+			entity := cfg.ReviewerEntities["work-reviewer"]
+			entity.AuthMode = GitAuthModeOAuthDevice
+			cfg.ReviewerEntities["work-reviewer"] = entity
 		}},
 	}
 
@@ -1557,7 +1855,12 @@ func TestLoadRejectsReservedGitAuthModes(t *testing.T) {
 		name string
 		body string
 	}{
-		{name: "git oauth_device", body: `profiles:
+		{name: "git oauth_device", body: `llm_runtimes:
+  claude-local:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
+profiles:
   home:
     git:
       host: github.com
@@ -1565,12 +1868,23 @@ func TestLoadRejectsReservedGitAuthModes(t *testing.T) {
       credential:
         store: local-os
         name: codereview/home
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: git_identity
+    llm_runtime: claude-local
 `},
-		{name: "reviewer oauth_device", body: `profiles:
+		{name: "reviewer oauth_device", body: `llm_runtimes:
+  claude-local:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
+reviewer_entities:
+  work-reviewer:
+    host: github.com
+    auth_mode: oauth_device
+    credential:
+      store: local-os
+      name: codereview/work-reviewer
+profiles:
   work:
     git:
       host: github.com
@@ -1578,15 +1892,10 @@ func TestLoadRejectsReservedGitAuthModes(t *testing.T) {
       credential:
         store: local-os
         name: codereview/work
-    reviewer_credentials:
-      auth_mode: oauth_device
-      credential:
-        store: local-os
-        name: codereview/work-reviewer
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: entity
+      entity: work-reviewer
+    llm_runtime: claude-local
 `},
 	}
 
@@ -1604,7 +1913,21 @@ func TestLoadRejectsReservedGitAuthModes(t *testing.T) {
 
 func TestLoadAcceptsGitHubAppAuthMode(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
-	writeFile(t, path, `profiles:
+	writeFile(t, path, `llm_runtimes:
+  claude-local:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
+reviewer_entities:
+  work-reviewer:
+    host: github.com
+    auth_mode: github_app
+    credential:
+      store: local-os
+      name: codereview/work-reviewer
+    github_app:
+      app_id: "12345"
+profiles:
   work:
     git:
       host: github.com
@@ -1612,15 +1935,14 @@ func TestLoadAcceptsGitHubAppAuthMode(t *testing.T) {
       credential:
         store: local-os
         name: codereview/work
-    reviewer_credentials:
-      auth_mode: github_app
-      credential:
-        store: local-os
-        name: codereview/work-reviewer
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+      github_app:
+        app_id: "12345"
+    reviewer:
+      kind: entity
+      entity: work-reviewer
+      github_app_installation:
+        mode: discover_from_repository
+    llm_runtime: claude-local
 `)
 	cfg, err := Load(path)
 	if err != nil {
@@ -1634,7 +1956,24 @@ func TestLoadAcceptsGitHubAppAuthMode(t *testing.T) {
 
 func TestLoadRejectsMultilineReviewerDisplayName(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
-	writeFile(t, path, `profiles:
+	writeFile(t, path, `llm_runtimes:
+  claude-local:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
+reviewer_entities:
+  work-reviewer:
+    host: github.com
+    auth_mode: github_app
+    credential:
+      store: local-os
+      name: codereview/work-reviewer
+    github_app:
+      app_id: "12345"
+    display_name: |
+      line one
+      line two
+profiles:
   work:
     git:
       host: github.com
@@ -1642,24 +1981,18 @@ func TestLoadRejectsMultilineReviewerDisplayName(t *testing.T) {
       credential:
         store: local-os
         name: codereview/work
-    reviewer_credentials:
-      auth_mode: github_app
-      credential:
-        store: local-os
-        name: codereview/work-reviewer
-      display_name: |
-        line one
-        line two
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+      github_app:
+        app_id: "12345"
+    reviewer:
+      kind: entity
+      entity: work-reviewer
+    llm_runtime: claude-local
 `)
 	_, err := Load(path)
 	if !errors.Is(err, ErrInvalid) {
 		t.Fatalf("Load error = %v, want ErrInvalid", err)
 	}
-	if !strings.Contains(err.Error(), "reviewer_credentials.display_name") {
+	if !strings.Contains(err.Error(), "reviewer_entities.work-reviewer.display_name") {
 		t.Fatalf("Load error = %v, want display_name validation", err)
 	}
 }
@@ -1713,10 +2046,10 @@ func TestSubscriptionLLMCredentialsAreAdapterManaged(t *testing.T) {
 
 func TestAPIKeyLLMRequiresCredentialRef(t *testing.T) {
 	cfg := validFile()
-	profile := cfg.Profiles["work"]
-	profile.LLM.CredentialRef = ""
-	profile.LLM.Credential = CredentialLocation{}
-	cfg.Profiles["work"] = profile
+	llm := cfg.LLMRuntimes["work-llm"]
+	llm.CredentialRef = ""
+	llm.Credential = CredentialLocation{}
+	cfg.LLMRuntimes["work-llm"] = llm
 
 	if err := Validate(cfg); !errors.Is(err, ErrInvalid) {
 		t.Fatalf("Validate error = %v, want ErrInvalid", err)
@@ -1729,30 +2062,34 @@ func TestValidateRejectsInvalidCredentialRefs(t *testing.T) {
 		mutate func(*File)
 	}{
 		{name: "subscription LLM stored ref", mutate: func(cfg *File) {
-			profile := cfg.Profiles["home"]
-			profile.LLM.CredentialRef = "codereview/home-llm"
-			cfg.Profiles["home"] = profile
+			llm := cfg.LLMRuntimes["home-llm"]
+			llm.CredentialRef = "codereview/home-llm"
+			cfg.LLMRuntimes["home-llm"] = llm
 		}},
 		{name: "empty reviewer credential ref", mutate: func(cfg *File) {
-			profile := cfg.Profiles["work"]
-			profile.ReviewerCredentials.CredentialRef = ""
-			profile.ReviewerCredentials.Credential = CredentialLocation{}
-			cfg.Profiles["work"] = profile
+			entity := cfg.ReviewerEntities["work-reviewer"]
+			entity.CredentialRef = ""
+			entity.Credential = CredentialLocation{}
+			cfg.ReviewerEntities["work-reviewer"] = entity
 		}},
 		{name: "reviewer credential ref matches git credential ref", mutate: func(cfg *File) {
 			profile := cfg.Profiles["work"]
-			profile.ReviewerCredentials.CredentialRef = profile.Git.CredentialRef
 			cfg.Profiles["work"] = profile
+			entity := cfg.ReviewerEntities["work-reviewer"]
+			entity.CredentialRef = profile.Git.CredentialRef
+			cfg.ReviewerEntities["work-reviewer"] = entity
 		}},
 		{name: "llm credential ref matches git credential ref", mutate: func(cfg *File) {
 			profile := cfg.Profiles["work"]
-			profile.LLM.CredentialRef = profile.Git.CredentialRef
-			cfg.Profiles["work"] = profile
+			llm := cfg.LLMRuntimes["work-llm"]
+			llm.CredentialRef = profile.Git.CredentialRef
+			cfg.LLMRuntimes["work-llm"] = llm
 		}},
 		{name: "llm credential ref matches reviewer credential ref", mutate: func(cfg *File) {
-			profile := cfg.Profiles["work"]
-			profile.LLM.CredentialRef = profile.ReviewerCredentials.CredentialRef
-			cfg.Profiles["work"] = profile
+			entity := cfg.ReviewerEntities["work-reviewer"]
+			llm := cfg.LLMRuntimes["work-llm"]
+			llm.CredentialRef = entity.CredentialRef
+			cfg.LLMRuntimes["work-llm"] = llm
 		}},
 		{name: "git ref invalid chars", mutate: func(cfg *File) {
 			profile := cfg.Profiles["home"]
@@ -1765,9 +2102,9 @@ func TestValidateRejectsInvalidCredentialRefs(t *testing.T) {
 			cfg.Profiles["home"] = profile
 		}},
 		{name: "llm ref invalid chars", mutate: func(cfg *File) {
-			profile := cfg.Profiles["work"]
-			profile.LLM.CredentialRef = "codereview/work.llm"
-			cfg.Profiles["work"] = profile
+			llm := cfg.LLMRuntimes["work-llm"]
+			llm.CredentialRef = "codereview/work.llm"
+			cfg.LLMRuntimes["work-llm"] = llm
 		}},
 	}
 
@@ -1799,14 +2136,6 @@ func TestValidationCoversAgentSourcesReviewPolicyAndRetention(t *testing.T) {
 		t.Fatalf("bad resolve_threads Validate error = %v, want ErrInvalid", err)
 	}
 
-	cfg = validFile()
-	profile = cfg.Profiles["work"]
-	profile.ReviewPolicy.ResolveAfter = "two days"
-	cfg.Profiles["work"] = profile
-	if err := Validate(cfg); !errors.Is(err, ErrInvalid) {
-		t.Fatalf("bad resolve_after Validate error = %v, want ErrInvalid", err)
-	}
-
 	cfg = validFile()
 	cfg.Data.Retention.MaxAgeDays = intPtr(-1)
 	if err := Validate(cfg); !errors.Is(err, ErrInvalid) {
@@ -1817,7 +2146,12 @@ func TestValidationCoversAgentSourcesReviewPolicyAndRetention(t *testing.T) {
 func TestRetentionMaxAgeDefaultAndExplicitZero(t *testing.T) {
 	t.Run("omitted defaults to 90", func(t *testing.T) {
 		path := filepath.Join(t.TempDir(), "config.yml")
-		writeFile(t, path, `profiles:
+		writeFile(t, path, `llm_runtimes:
+  claude-local:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
+profiles:
   home:
     git:
       host: github.com
@@ -1825,10 +2159,9 @@ func TestRetentionMaxAgeDefaultAndExplicitZero(t *testing.T) {
       credential:
         store: local-os
         name: codereview/home
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: git_identity
+    llm_runtime: claude-local
 data:
   retention:
     enforcement: at_write
@@ -1844,7 +2177,12 @@ data:
 
 	t.Run("explicit zero means keep forever", func(t *testing.T) {
 		path := filepath.Join(t.TempDir(), "config.yml")
-		writeFile(t, path, `profiles:
+		writeFile(t, path, `llm_runtimes:
+  claude-local:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
+profiles:
   home:
     git:
       host: github.com
@@ -1852,10 +2190,9 @@ data:
       credential:
         store: local-os
         name: codereview/home
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: git_identity
+    llm_runtime: claude-local
 data:
   retention:
     max_age_days: 0
@@ -1894,6 +2231,28 @@ func TestValidateRetentionAppliesDefaultsAndPreservesExplicitZero(t *testing.T)
 
 func validFile() File {
 	return File{
+		LLMRuntimes: map[string]LLMConfig{
+			"home-llm": {
+				Provider: LLMProviderAnthropic,
+				Auth:     LLMAuthSubscription,
+				Adapter:  LLMAdapterClaudeCLI,
+			},
+			"work-llm": {
+				Provider:      LLMProviderAnthropic,
+				Auth:          LLMAuthAPIKey,
+				Adapter:       LLMAdapterAnthropicAPI,
+				CredentialRef: "codereview/work-llm",
+			},
+		},
+		ReviewerEntities: map[string]ReviewerEntity{
+			"work-reviewer": {
+				Host:          "github.com",
+				AuthMode:      GitAuthModePAT,
+				CredentialRef: "codereview/work-reviewer",
+				DisplayName:   "Work reviewer bot",
+				IdentityCache: "acme-review-bot",
+			},
+		},
 		Profiles: map[string]Profile{
 			"home": {
 				Git: GitConfig{
@@ -1902,11 +2261,8 @@ func validFile() File {
 					CredentialRef: "codereview/home",
 					IdentityCache: "rianjs",
 				},
-				LLM: LLMConfig{
-					Provider: LLMProviderAnthropic,
-					Auth:     LLMAuthSubscription,
-					Adapter:  LLMAdapterClaudeCLI,
-				},
+				Reviewer:     ProfileReviewer{Kind: ProfileReviewerKindGitIdentity},
+				LLMRuntime:   "home-llm",
 				AgentSources: []string{"~/dev/my-reviewers"},
 				ReviewPolicy: ReviewPolicy{
 					MajorEvent:       ReviewMajorEventComment,
@@ -1920,24 +2276,13 @@ func validFile() File {
 					CredentialRef: "codereview/work",
 					IdentityCache: "rianjs",
 				},
-				ReviewerCredentials: &ReviewerCredentials{
-					AuthMode:      GitAuthModePAT,
-					CredentialRef: "codereview/work-reviewer",
-					DisplayName:   "Work reviewer bot",
-					IdentityCache: "acme-review-bot",
-				},
-				LLM: LLMConfig{
-					Provider:      LLMProviderAnthropic,
-					Auth:          LLMAuthAPIKey,
-					Adapter:       LLMAdapterAnthropicAPI,
-					CredentialRef: "codereview/work-llm",
-				},
+				Reviewer:     ProfileReviewer{Kind: ProfileReviewerKindEntity, Entity: "work-reviewer"},
+				LLMRuntime:   "work-llm",
 				AgentSources: []string{"~/dev/work-reviewers"},
 				ReviewPolicy: ReviewPolicy{
 					MajorEvent:       ReviewMajorEventRequestChanges,
 					AllowSelfApprove: true,
 					ResolveThreads:   ResolveThreadsNever,
-					ResolveAfter:     "48h",
 				},
 			},
 		},
diff --git a/internal/config/init_surface_doc_test.go b/internal/config/init_surface_doc_test.go
index cf07f2ac..003996f9 100644
--- a/internal/config/init_surface_doc_test.go
+++ b/internal/config/init_surface_doc_test.go
@@ -68,7 +68,6 @@ func initSurfaceExpectedSchemaPaths() []string {
 	paths = append(paths,
 		"config.repository_profiles[]",
 		"config.profiles.<name>",
-		"config.profiles.<name>.reviewer_credentials",
 	)
 	sort.Strings(paths)
 	return paths
diff --git a/internal/credentials/credentials.go b/internal/credentials/credentials.go
index 2d211ba4..0ecb6999 100644
--- a/internal/credentials/credentials.go
+++ b/internal/credentials/credentials.go
@@ -29,13 +29,15 @@ const (
 
 	// GitTokenKey stores the Git host access token for PAT auth.
 	GitTokenKey = "git_token"
-	// GitHubAppIDKey stores the GitHub App JWT issuer, usually the app ID.
+	// GitHubAppIDKey is a removed legacy key name. App IDs now belong to
+	// non-secret config, not credential bundles.
 	// #nosec G101 -- this is a keyring item name, not a secret value.
 	GitHubAppIDKey = "github_app_id"
 	// GitHubAppPrivateKeyKey stores the GitHub App PEM private key.
 	// #nosec G101 -- this is a keyring item name, not a secret value.
 	GitHubAppPrivateKeyKey = "github_app_private_key"
-	// GitHubAppInstallationIDKey stores an optional explicit GitHub App installation ID.
+	// GitHubAppInstallationIDKey is a removed legacy key name. Installation
+	// routing now belongs to review profile config, not credential bundles.
 	// #nosec G101 -- this is a keyring item name, not a secret value.
 	GitHubAppInstallationIDKey = "github_app_installation_id"
 	// AnthropicAPIKeyKey stores the key name for Anthropic direct API adapters.
@@ -59,7 +61,7 @@ var (
 
 // AllowedKeys is cr's keyring write allowlist.
 func AllowedKeys() []string {
-	return []string{GitTokenKey, GitHubAppIDKey, GitHubAppPrivateKeyKey, GitHubAppInstallationIDKey, AnthropicAPIKeyKey, OpenAIAPIKeyKey}
+	return []string{GitTokenKey, GitHubAppPrivateKeyKey, AnthropicAPIKeyKey, OpenAIAPIKeyKey}
 }
 
 // Ref is a parsed cr credential name.
@@ -495,9 +497,7 @@ func KeySpecsForPurpose(ref config.CredentialRef) ([]KeySpec, error) {
 			return []KeySpec{{Key: GitTokenKey, Required: true}}, nil
 		case config.GitAuthModeGitHubApp:
 			return []KeySpec{
-				{Key: GitHubAppIDKey, Required: true},
 				{Key: GitHubAppPrivateKeyKey, Required: true},
-				{Key: GitHubAppInstallationIDKey, Required: false},
 			}, nil
 		case config.GitAuthModeOAuthDevice:
 			return nil, fmt.Errorf("%w: %s auth_mode %q", config.ErrUnsupported, ref.Purpose, mode)
diff --git a/internal/credentials/credentials_test.go b/internal/credentials/credentials_test.go
index 5a23a0e3..4c7cef9f 100644
--- a/internal/credentials/credentials_test.go
+++ b/internal/credentials/credentials_test.go
@@ -94,12 +94,14 @@ func TestStoreOptionsInvalidBackendFlag(t *testing.T) {
 }
 
 func TestAllowedKeysExactCredentialMatrix(t *testing.T) {
-	want := []string{GitTokenKey, GitHubAppIDKey, GitHubAppPrivateKeyKey, GitHubAppInstallationIDKey, AnthropicAPIKeyKey, OpenAIAPIKeyKey}
+	want := []string{GitTokenKey, GitHubAppPrivateKeyKey, AnthropicAPIKeyKey, OpenAIAPIKeyKey}
 	if got := AllowedKeys(); !reflect.DeepEqual(got, want) {
 		t.Fatalf("AllowedKeys = %#v, want %#v", got, want)
 	}
 
 	for _, key := range []string{
+		GitHubAppIDKey,
+		GitHubAppInstallationIDKey,
 		LegacyLLMAPIKeyKey,
 		"git_oauth_access_token",
 		"git_oauth_refresh_token",
@@ -130,18 +132,14 @@ func TestKeySpecsForPurposeCredentialMatrix(t *testing.T) {
 			name: "user git github app",
 			ref:  config.CredentialRef{Purpose: "git", Ref: "codereview/work", Mode: "github_app"},
 			want: []KeySpec{
-				{Key: GitHubAppIDKey, Required: true},
 				{Key: GitHubAppPrivateKeyKey, Required: true},
-				{Key: GitHubAppInstallationIDKey, Required: false},
 			},
 		},
 		{
 			name: "reviewer github app",
 			ref:  config.CredentialRef{Purpose: "reviewer_credentials", Ref: "codereview/work-reviewer", Mode: "github_app"},
 			want: []KeySpec{
-				{Key: GitHubAppIDKey, Required: true},
 				{Key: GitHubAppPrivateKeyKey, Required: true},
-				{Key: GitHubAppInstallationIDKey, Required: false},
 			},
 		},
 		{
@@ -209,7 +207,7 @@ func TestValidateAllowedKeyForConfigNarrowsDeclaredRefs(t *testing.T) {
 	if err := ValidateAllowedKeyForConfig(cfg, "codereview/git-a", AnthropicAPIKeyKey); !errors.Is(err, credstore.ErrKeyNotAllowed) {
 		t.Fatalf("ValidateAllowedKeyForConfig git llm key error = %v, want ErrKeyNotAllowed", err)
 	}
-	wantAppKeys := []string{GitHubAppIDKey, GitHubAppInstallationIDKey, GitHubAppPrivateKeyKey}
+	wantAppKeys := []string{GitHubAppPrivateKeyKey}
 	gotAppKeys, err := ExpectedKeysForConfigRef(cfg, "codereview/app")
 	if err != nil {
 		t.Fatalf("ExpectedKeysForConfigRef github_app: %v", err)
@@ -237,6 +235,7 @@ func TestValidateAllowedKeyForConfigNarrowsDeclaredRefs(t *testing.T) {
 func githubAppMatrixProfile(ref string) config.Profile {
 	p := matrixProfile(ref, "codereview/app-llm", config.LLMProviderAnthropic)
 	p.Git.AuthMode = config.GitAuthModeGitHubApp
+	p.Git.GitHubApp = &config.GitHubAppConfig{AppID: "12345"}
 	p.LLM.Auth = config.LLMAuthSubscription
 	p.LLM.Adapter = config.LLMAdapterClaudeCLI
 	p.LLM.CredentialRef = ""
@@ -534,7 +533,6 @@ func TestCredentialStatuses(t *testing.T) {
 				GitTokenKey: true,
 			},
 			"app": {
-				GitHubAppIDKey:         true,
 				GitHubAppPrivateKeyKey: true,
 			},
 			"llm": {
@@ -567,9 +565,7 @@ func TestCredentialStatuses(t *testing.T) {
 			Ref:     "codereview/app",
 			Mode:    "github_app",
 			Keys: []KeyStatus{
-				presentKeyStatus(GitHubAppIDKey, true),
 				presentKeyStatus(GitHubAppPrivateKeyKey, true),
-				missingKeyStatus(GitHubAppInstallationIDKey, false),
 			},
 		},
 		{
@@ -656,9 +652,7 @@ func TestCredentialStatusesUnknown(t *testing.T) {
 func TestCredentialStatusesPartialRequiredBundle(t *testing.T) {
 	store := fakeKeyStatusStore{
 		present: map[string]map[string]bool{
-			"app": {
-				GitHubAppIDKey: true,
-			},
+			"app": {},
 		},
 	}
 	ref := config.CredentialRef{
@@ -676,9 +670,7 @@ func TestCredentialStatusesPartialRequiredBundle(t *testing.T) {
 		Ref:     "codereview/app",
 		Mode:    "github_app",
 		Keys: []KeyStatus{
-			presentKeyStatus(GitHubAppIDKey, true),
 			missingKeyStatus(GitHubAppPrivateKeyKey, true),
-			missingKeyStatus(GitHubAppInstallationIDKey, false),
 		},
 	}
 	if !reflect.DeepEqual(got, want) {
@@ -699,12 +691,11 @@ func TestMissingRequiredKeys(t *testing.T) {
 		Ref:     "codereview/app",
 		Mode:    "github_app",
 		Keys: []KeyStatus{
-			missingKeyStatus(GitHubAppIDKey, true),
 			unknownKeyStatus(GitHubAppPrivateKeyKey, true, "boom"),
-			missingKeyStatus(GitHubAppInstallationIDKey, false),
+			missingKeyStatus("optional_test_key", false),
 		},
 	}
-	want := []string{GitHubAppIDKey}
+	var want []string
 	if got := MissingRequiredKeys(status); !reflect.DeepEqual(got, want) {
 		t.Fatalf("MissingRequiredKeys = %#v, want %#v", got, want)
 	}
diff --git a/internal/gitprovider/github/app_auth.go b/internal/gitprovider/github/app_auth.go
index 00b47fe3..fa0351aa 100644
--- a/internal/gitprovider/github/app_auth.go
+++ b/internal/gitprovider/github/app_auth.go
@@ -11,6 +11,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -75,9 +76,9 @@ func newGitHubAppFromConfig(ctx context.Context, profile string, store TokenStor
 	if now == nil {
 		now = time.Now
 	}
-	issuer, err := readRequiredCredential(store, profile, credentials.GitHubAppIDKey)
-	if err != nil {
-		return nil, gitprovider.Credential{}, err
+	issuer := strings.TrimSpace(opts.AppID)
+	if issuer == "" {
+		return nil, gitprovider.Credential{}, gitprovider.WrapError(gitprovider.ErrAuth, "", fmt.Errorf("github app app_id is required in config for github_app auth"))
 	}
 	privateKeyPEM, err := readRequiredCredential(store, profile, credentials.GitHubAppPrivateKeyKey)
 	if err != nil {
@@ -87,12 +88,9 @@ func newGitHubAppFromConfig(ctx context.Context, profile string, store TokenStor
 	if err != nil {
 		return nil, gitprovider.Credential{}, gitprovider.WrapError(gitprovider.ErrAuth, "", err)
 	}
-	installationID, err := readOptionalCredential(store, profile, credentials.GitHubAppInstallationIDKey)
-	if err != nil {
-		return nil, gitprovider.Credential{}, err
-	}
+	installationID := strings.TrimSpace(opts.InstallationID)
 	if !canResolveInstallation(installationID, opts.InstallationLookup) {
-		return nil, gitprovider.Credential{}, gitprovider.WrapError(gitprovider.ErrAuth, "", fmt.Errorf("github app credential %s/%s is required without repository context", profile, credentials.GitHubAppInstallationIDKey))
+		return nil, gitprovider.Credential{}, gitprovider.WrapError(gitprovider.ErrAuth, "", fmt.Errorf("github app installation discovery requires repository context; pin an installation id or run against a repository"))
 	}
 	auth := &githubAppAuth{
 		issuer:         issuer,
@@ -170,14 +168,14 @@ func (a *githubAppAuth) resolveInstallation(ctx context.Context, op gitprovider.
 		endpoint := restURL(a.baseURL, "app", "installations", a.installationID)
 		var installation githubAppInstallation
 		if err := a.doAppREST(ctx, op, http.MethodGet, endpoint, jwt, nil, &installation); err != nil {
-			return githubAppInstallation{}, err
+			return githubAppInstallation{}, mapPinnedInstallationLookupError(op, a.installationID, err)
 		}
 		return installation, nil
 	}
 	endpoint := restURL(a.baseURL, "repos", a.lookup.Owner, a.lookup.Repo, "installation")
 	var installation githubAppInstallation
 	if err := a.doAppREST(ctx, op, http.MethodGet, endpoint, jwt, nil, &installation); err != nil {
-		return githubAppInstallation{}, err
+		return githubAppInstallation{}, mapRepositoryInstallationLookupError(op, a.lookup.Owner, a.lookup.Repo, err)
 	}
 	return installation, nil
 }
@@ -186,7 +184,7 @@ func (a *githubAppAuth) createInstallationToken(ctx context.Context, op gitprovi
 	endpoint := restURL(a.baseURL, "app", "installations", strconv.FormatInt(installationID, 10), "access_tokens")
 	var response installationTokenResponse
 	if err := a.doAppREST(ctx, op, http.MethodPost, endpoint, jwt, map[string]any{}, &response); err != nil {
-		return "", time.Time{}, err
+		return "", time.Time{}, mapCreateInstallationTokenError(op, strconv.FormatInt(installationID, 10), err)
 	}
 	if strings.TrimSpace(response.Token) == "" {
 		return "", time.Time{}, gitprovider.WrapError(gitprovider.ErrAuth, op, fmt.Errorf("github app installation token is empty"))
@@ -197,6 +195,40 @@ func (a *githubAppAuth) createInstallationToken(ctx context.Context, op gitprovi
 	return response.Token, response.ExpiresAt, nil
 }
 
+func mapPinnedInstallationLookupError(op gitprovider.Operation, installationID string, err error) error {
+	switch {
+	case errors.Is(err, gitprovider.ErrNotFound):
+		return gitprovider.WrapError(gitprovider.ErrNotFound, op, fmt.Errorf("github app installation %s was not found for this app; check the installation id configured on the review profile: %w", installationID, err))
+	case errors.Is(err, gitprovider.ErrPermission):
+		return gitprovider.WrapError(gitprovider.ErrPermission, op, fmt.Errorf("github app installation %s is not accessible to this app; check the installation id configured on the review profile: %w", installationID, err))
+	default:
+		return err
+	}
+}
+
+func mapRepositoryInstallationLookupError(op gitprovider.Operation, owner, repo string, err error) error {
+	repository := strings.Trim(strings.TrimSpace(owner)+"/"+strings.TrimSpace(repo), "/")
+	switch {
+	case errors.Is(err, gitprovider.ErrNotFound):
+		return gitprovider.WrapError(gitprovider.ErrNotFound, op, fmt.Errorf("github app is not installed for %s or cannot access that repository; install the app for this repository or pin the correct installation id on the review profile: %w", repository, err))
+	case errors.Is(err, gitprovider.ErrPermission):
+		return gitprovider.WrapError(gitprovider.ErrPermission, op, fmt.Errorf("github app cannot access installation information for %s; check app installation access and permissions: %w", repository, err))
+	default:
+		return err
+	}
+}
+
+func mapCreateInstallationTokenError(op gitprovider.Operation, installationID string, err error) error {
+	switch {
+	case errors.Is(err, gitprovider.ErrNotFound):
+		return gitprovider.WrapError(gitprovider.ErrNotFound, op, fmt.Errorf("github app installation %s was not found while creating an installation token: %w", installationID, err))
+	case errors.Is(err, gitprovider.ErrPermission):
+		return gitprovider.WrapError(gitprovider.ErrPermission, op, fmt.Errorf("github app installation %s cannot create an installation token with the requested access; check app installation access and permissions: %w", installationID, err))
+	default:
+		return err
+	}
+}
+
 func (a *githubAppAuth) doAppREST(ctx context.Context, op gitprovider.Operation, method, endpoint, jwt string, in any, out any) error {
 	var body *bytes.Reader
 	if in != nil {
@@ -279,17 +311,6 @@ func canResolveInstallation(installationID string, lookup *InstallationLookup) b
 	return lookup != nil && strings.TrimSpace(lookup.Owner) != "" && strings.TrimSpace(lookup.Repo) != ""
 }
 
-func readOptionalCredential(store TokenStore, profile, key string) (string, error) {
-	exists, err := store.Exists(profile, key)
-	if err != nil {
-		return "", gitprovider.WrapError(gitprovider.ErrAuth, "", fmt.Errorf("check github app credential %s/%s: %w", profile, key, err))
-	}
-	if !exists {
-		return "", nil
-	}
-	return readRequiredCredential(store, profile, key)
-}
-
 func parseGitHubAppPrivateKey(privateKeyPEM string) (*rsa.PrivateKey, error) {
 	block, _ := pem.Decode([]byte(privateKeyPEM))
 	if block == nil {
diff --git a/internal/gitprovider/github/app_auth_test.go b/internal/gitprovider/github/app_auth_test.go
index eb350a16..09c3e4ee 100644
--- a/internal/gitprovider/github/app_auth_test.go
+++ b/internal/gitprovider/github/app_auth_test.go
@@ -62,10 +62,11 @@ func TestNewFromGitConfigBuildsGitHubAppClientAndRefreshesToken(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client, credential, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "12345", privateKeyPEM, "42"), Options{
-		BaseURL:    server.URL,
-		GraphQLURL: server.URL + "/graphql",
-		Now:        func() time.Time { return now },
+	client, credential, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "12345", privateKeyPEM), Options{
+		BaseURL:        server.URL,
+		GraphQLURL:     server.URL + "/graphql",
+		Now:            func() time.Time { return now },
+		InstallationID: "42",
 	})
 	if err != nil {
 		t.Fatalf("NewFromGitConfig: %v", err)
@@ -122,7 +123,7 @@ func TestNewFromGitConfigUsesRepositoryInstallationLookup(t *testing.T) {
 	}))
 	defer server.Close()
 
-	_, credential, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "app-client-id", privateKey, ""), Options{
+	_, credential, err := NewFromGitConfig(githubAppGitConfigWithAppID("codereview/app", "app-client-id"), githubAppStore(t, "app", "app-client-id", privateKey), Options{
 		BaseURL:    server.URL + "/api/v3",
 		GraphQLURL: server.URL + "/api/graphql",
 		InstallationLookup: &InstallationLookup{
@@ -138,6 +139,60 @@ func TestNewFromGitConfigUsesRepositoryInstallationLookup(t *testing.T) {
 	}
 }
 
+func TestNewFromGitConfigExplainsMissingRepositoryInstallation(t *testing.T) {
+	privateKey := testPrivateKeyPEM(t)
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.EscapedPath() {
+		case "/repos/open-cli/codereview-cli/installation":
+			assertJWTAuth(t, r, "app-client-id")
+			http.NotFound(w, r)
+		default:
+			t.Fatalf("unexpected request %s %s", r.Method, r.URL.String())
+		}
+	}))
+	defer server.Close()
+
+	_, _, err := NewFromGitConfig(githubAppGitConfigWithAppID("codereview/app", "app-client-id"), githubAppStore(t, "app", "app-client-id", privateKey), Options{
+		BaseURL:    server.URL,
+		GraphQLURL: server.URL + "/graphql",
+		InstallationLookup: &InstallationLookup{
+			Owner: "open-cli",
+			Repo:  "codereview-cli",
+		},
+	})
+	if !errors.Is(err, gitprovider.ErrNotFound) {
+		t.Fatalf("NewFromGitConfig error = %v, want ErrNotFound", err)
+	}
+	if !strings.Contains(err.Error(), "github app is not installed for open-cli/codereview-cli or cannot access that repository") {
+		t.Fatalf("NewFromGitConfig error = %v, want repository installation detail", err)
+	}
+}
+
+func TestNewFromGitConfigExplainsMissingPinnedInstallation(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.EscapedPath() {
+		case "/app/installations/42":
+			assertJWTAuth(t, r, "12345")
+			http.NotFound(w, r)
+		default:
+			t.Fatalf("unexpected request %s %s", r.Method, r.URL.String())
+		}
+	}))
+	defer server.Close()
+
+	_, _, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "12345", testPrivateKeyPEM(t)), Options{
+		BaseURL:        server.URL,
+		GraphQLURL:     server.URL + "/graphql",
+		InstallationID: "42",
+	})
+	if !errors.Is(err, gitprovider.ErrNotFound) {
+		t.Fatalf("NewFromGitConfig error = %v, want ErrNotFound", err)
+	}
+	if !strings.Contains(err.Error(), "github app installation 42 was not found for this app") {
+		t.Fatalf("NewFromGitConfig error = %v, want pinned installation detail", err)
+	}
+}
+
 func TestGitHubAppClientUsesInstallationTokenForRESTWritesAndGraphQL(t *testing.T) {
 	var writeAuth, graphQLAuth string
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -174,9 +229,10 @@ func TestGitHubAppClientUsesInstallationTokenForRESTWritesAndGraphQL(t *testing.
 	}))
 	defer server.Close()
 
-	client, _, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "12345", testPrivateKeyPEM(t), "42"), Options{
-		BaseURL:    server.URL,
-		GraphQLURL: server.URL + "/graphql",
+	client, _, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "12345", testPrivateKeyPEM(t)), Options{
+		BaseURL:        server.URL,
+		GraphQLURL:     server.URL + "/graphql",
+		InstallationID: "42",
 	})
 	if err != nil {
 		t.Fatalf("NewFromGitConfig: %v", err)
@@ -194,10 +250,13 @@ func TestGitHubAppClientUsesInstallationTokenForRESTWritesAndGraphQL(t *testing.
 }
 
 func TestNewFromGitConfigRequiresInstallationIDWithoutLookup(t *testing.T) {
-	_, _, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "12345", testPrivateKeyPEM(t), ""), Options{})
+	_, _, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "12345", testPrivateKeyPEM(t)), Options{})
 	if !errors.Is(err, gitprovider.ErrAuth) {
 		t.Fatalf("NewFromGitConfig error = %v, want ErrAuth", err)
 	}
+	if !strings.Contains(err.Error(), "installation discovery requires repository context") {
+		t.Fatalf("NewFromGitConfig error = %v, want repository-context detail", err)
+	}
 	if strings.Contains(err.Error(), "PRIVATE KEY") {
 		t.Fatalf("error leaked private key material: %v", err)
 	}
@@ -222,9 +281,10 @@ func TestNewFromGitConfigRequiresGitHubAppIdentity(t *testing.T) {
 	}))
 	defer server.Close()
 
-	_, _, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "12345", testPrivateKeyPEM(t), "42"), Options{
-		BaseURL:    server.URL,
-		GraphQLURL: server.URL + "/graphql",
+	_, _, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "12345", testPrivateKeyPEM(t)), Options{
+		BaseURL:        server.URL,
+		GraphQLURL:     server.URL + "/graphql",
+		InstallationID: "42",
 	})
 	if !errors.Is(err, gitprovider.ErrAuth) {
 		t.Fatalf("NewFromGitConfig error = %v, want ErrAuth", err)
@@ -235,21 +295,22 @@ func TestNewFromGitConfigRequiresGitHubAppIdentity(t *testing.T) {
 }
 
 func githubAppGitConfig(ref string) config.GitConfig {
+	return githubAppGitConfigWithAppID(ref, "12345")
+}
+
+func githubAppGitConfigWithAppID(ref string, appID string) config.GitConfig {
 	return config.GitConfig{
 		Host:          "github.com",
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: appID},
 		CredentialRef: ref,
 	}
 }
 
-func githubAppStore(_ *testing.T, profile, appID, privateKey, installationID string) tokenStore {
+func githubAppStore(_ *testing.T, profile, _ string, privateKey string) tokenStore {
 	values := map[string]string{
-		credentials.GitHubAppIDKey:         appID,
 		credentials.GitHubAppPrivateKeyKey: privateKey,
 	}
-	if installationID != "" {
-		values[credentials.GitHubAppInstallationIDKey] = installationID
-	}
 	return tokenStore{profile: values}
 }
 
diff --git a/internal/gitprovider/github/client.go b/internal/gitprovider/github/client.go
index 28e0ca4e..a0d1e200 100644
--- a/internal/gitprovider/github/client.go
+++ b/internal/gitprovider/github/client.go
@@ -46,6 +46,8 @@ type Options struct {
 	BaseURL            string
 	GraphQLURL         string
 	Now                func() time.Time
+	AppID              string
+	InstallationID     string
 	InstallationLookup *InstallationLookup
 }
 
@@ -110,6 +112,9 @@ func NewFromGitConfig(git config.GitConfig, store TokenStore, opts Options) (*Cl
 		return client, credential, nil
 	case config.GitAuthModeGitHubApp:
 		opts.Host = host
+		if git.GitHubApp != nil {
+			opts.AppID = strings.TrimSpace(git.GitHubApp.AppID)
+		}
 		ctx, cancel := context.WithTimeout(context.Background(), gitHubAppInitTimeout)
 		defer cancel()
 		return newGitHubAppFromConfig(ctx, parsed.Profile, store, opts)
diff --git a/internal/identity/identity.go b/internal/identity/identity.go
index 880c2830..c35d2fde 100644
--- a/internal/identity/identity.go
+++ b/internal/identity/identity.go
@@ -47,7 +47,7 @@ func Refresh(ctx context.Context, cfg config.File, profileName string, resolver
 	if err != nil {
 		return cfg, nil, false, err
 	}
-	cfg.Profiles[name] = updatedProfile
+	cfg = applyIdentityCacheUpdates(cfg, name, profile, updatedProfile, []ProfileResult{result})
 	return cfg, []ProfileResult{result}, changed, nil
 }
 
@@ -71,7 +71,7 @@ func RefreshAll(ctx context.Context, cfg config.File, resolver Resolver) (config
 		if err != nil {
 			return original, nil, false, err
 		}
-		updated.Profiles[name] = updatedProfile
+		updated = applyIdentityCacheUpdates(updated, name, profile, updatedProfile, profileResults)
 		results = append(results, profileResults...)
 		changed = changed || profileChanged
 	}
@@ -145,15 +145,56 @@ func identitySource(profile config.Profile) (CredentialSource, config.GitConfig,
 }
 
 func reviewerIdentitySource(profile config.Profile) (config.GitConfig, string) {
+	var githubApp *config.GitHubAppConfig
+	if profile.ReviewerCredentials.GitHubApp != nil {
+		app := *profile.ReviewerCredentials.GitHubApp
+		githubApp = &app
+	}
 	return config.GitConfig{
 		Host:          profile.Git.Host,
 		AuthMode:      profile.ReviewerCredentials.AuthMode,
+		Credential:    profile.ReviewerCredentials.Credential,
+		GitHubApp:     githubApp,
 		CredentialRef: profile.ReviewerCredentials.CredentialRef,
 		IdentityCache: profile.ReviewerCredentials.IdentityCache,
 	}, profile.ReviewerCredentials.IdentityCache
 }
 
+func applyIdentityCacheUpdates(cfg config.File, profileName string, original config.Profile, updated config.Profile, results []ProfileResult) config.File {
+	for _, result := range results {
+		if !result.IdentityCacheUpdated {
+			continue
+		}
+		switch result.CredentialSource {
+		case SourceGit:
+			accessName := strings.TrimSpace(original.RepositoryAccess)
+			if accessName != "" {
+				access, ok := cfg.RepositoryAccess[accessName]
+				if ok {
+					access.Git.IdentityCache = result.Identity.Login
+					cfg.RepositoryAccess[accessName] = access
+					continue
+				}
+			}
+			cfg.Profiles[profileName] = updated
+		case SourceReviewer:
+			if original.Reviewer.Kind == config.ProfileReviewerKindEntity {
+				entityName := strings.TrimSpace(original.Reviewer.Entity)
+				entity, ok := cfg.ReviewerEntities[entityName]
+				if ok {
+					entity.IdentityCache = result.Identity.Login
+					cfg.ReviewerEntities[entityName] = entity
+				}
+				continue
+			}
+			cfg.Profiles[profileName] = updated
+		}
+	}
+	return config.Normalize(cfg)
+}
+
 func normalizeForUpdate(cfg config.File) config.File {
+	cfg = config.Normalize(cfg)
 	if cfg.Profiles == nil {
 		cfg.Profiles = map[string]config.Profile{}
 		return cfg
@@ -169,5 +210,23 @@ func normalizeForUpdate(cfg config.File) config.File {
 		profiles[name] = profile
 	}
 	cfg.Profiles = profiles
+	if cfg.ReviewerEntities != nil {
+		entities := make(map[string]config.ReviewerEntity, len(cfg.ReviewerEntities))
+		for name, entity := range cfg.ReviewerEntities {
+			entities[name] = entity
+		}
+		cfg.ReviewerEntities = entities
+	}
+	if cfg.RepositoryAccess != nil {
+		accesses := make(map[string]config.RepositoryAccessConfig, len(cfg.RepositoryAccess))
+		for name, access := range cfg.RepositoryAccess {
+			if access.Git.GitHubApp != nil {
+				app := *access.Git.GitHubApp
+				access.Git.GitHubApp = &app
+			}
+			accesses[name] = access
+		}
+		cfg.RepositoryAccess = accesses
+	}
 	return cfg
 }
diff --git a/internal/pipeline/pipeline.go b/internal/pipeline/pipeline.go
index dd1f641d..79f10e74 100644
--- a/internal/pipeline/pipeline.go
+++ b/internal/pipeline/pipeline.go
@@ -791,7 +791,7 @@ func runSelectionPhase(ctx context.Context, opts Options, req selectionPhaseRequ
 	}
 	model, effort := runtimeConfig.model, runtimeConfig.effort
 
-	selectionPrompt, err := buildSelectionPrompt(req.ReviewPR, req.Catalog, req.ParsedDiff.Patches, req.Threads, req.SelectionPromptInstructions)
+	selectionPrompt, err := buildSelectionPrompt(req.ReviewPR, req.Catalog, req.ParsedDiff.Patches, req.Threads, req.MaxAgents, req.SelectionPromptInstructions)
 	if err != nil {
 		return llm.Selection{}, sessionDraft{}, err
 	}
@@ -812,12 +812,19 @@ func runSelectionPhase(ctx context.Context, opts Options, req selectionPhaseRequ
 	if err != nil {
 		return llm.Selection{}, selectionSession, err
 	}
-	if len(selection.SelectedAgents) > req.MaxAgents {
-		return llm.Selection{}, selectionSession, fmt.Errorf("pipeline: selected agents %d exceeds max %d", len(selection.SelectedAgents), req.MaxAgents)
-	}
+	selection = opts.capSelectionAgents(selection, req.MaxAgents)
 	return selection, selectionSession, nil
 }
 
+func (opts Options) capSelectionAgents(selection llm.Selection, maxAgents int) llm.Selection {
+	if maxAgents <= 0 || len(selection.SelectedAgents) <= maxAgents {
+		return selection
+	}
+	opts.emitWarning(fmt.Sprintf("orchestrator selected %d agents; using first %d due to max-agents", len(selection.SelectedAgents), maxAgents))
+	selection.SelectedAgents = append([]llm.SelectedAgent(nil), selection.SelectedAgents[:maxAgents]...)
+	return selection
+}
+
 func getReviewDiff(ctx context.Context, provider ReadProvider, ref gitprovider.PRRef, baseSHA, headSHA string, pinned bool) (gitprovider.UnifiedDiff, error) {
 	if !pinned {
 		return provider.GetDiff(ctx, ref)
@@ -1426,15 +1433,16 @@ func fetchFileOptional(ctx context.Context, provider ReadProvider, ref gitprovid
 
 const defaultSelectionTask = "select reviewer agents and thread actions; return selection JSON only"
 
-func buildSelectionPrompt(pr gitprovider.PR, catalog agents.Catalog, patches []FilePatch, threads []gitprovider.InlineThread, selectionInstructions string) (string, error) {
+func buildSelectionPrompt(pr gitprovider.PR, catalog agents.Catalog, patches []FilePatch, threads []gitprovider.InlineThread, maxAgents int, selectionInstructions string) (string, error) {
 	payload := map[string]any{
-		"task":            defaultSelectionTask,
-		"output_contract": selectionOutputContract(catalog.Agents, patches, threads),
-		"schema":          "selection",
-		"pr":              pr,
-		"agents":          selectionAgentPromptsFromCatalog(catalog),
-		"changed_files":   patchPaths(patches),
-		"threads":         threads,
+		"task":                defaultSelectionTask,
+		"output_contract":     selectionOutputContract(catalog.Agents, patches, threads, maxAgents),
+		"schema":              "selection",
+		"max_selected_agents": maxAgents,
+		"pr":                  pr,
+		"agents":              selectionAgentPromptsFromCatalog(catalog),
+		"changed_files":       patchPaths(patches),
+		"threads":             threads,
 	}
 	if instructions := strings.TrimSpace(selectionInstructions); instructions != "" {
 		payload["selection_instructions"] = instructions
@@ -1521,7 +1529,7 @@ type outputContract struct {
 	Example        any      `json:"example"`
 }
 
-func selectionOutputContract(agents []agents.Agent, patches []FilePatch, threads []gitprovider.InlineThread) outputContract {
+func selectionOutputContract(agents []agents.Agent, patches []FilePatch, threads []gitprovider.InlineThread, maxAgents int) outputContract {
 	agentIDs := make([]string, 0, len(agents))
 	for _, agent := range agents {
 		agentIDs = append(agentIDs, agent.ID)
@@ -1548,6 +1556,7 @@ func selectionOutputContract(agents []agents.Agent, patches []FilePatch, threads
 			"schema_version must be 1.",
 			"selected_agents[].agent_id must be one of the allowed_agent_ids.",
 			"selected_agents[].files must contain only paths from changed_files.",
+			"selected_agents must contain at most max_selected_agents entries, ordered from highest to lowest review value.",
 			"thread_actions must be an empty array when there are no threads.",
 		},
 		ResponseSchema: map[string]any{
@@ -1557,10 +1566,11 @@ func selectionOutputContract(agents []agents.Agent, patches []FilePatch, threads
 			"reasoning":       "string",
 		},
 		AllowedValues: map[string]any{
-			"allowed_agent_ids": agentIDs,
-			"changed_files":     changedFiles,
-			"known_thread_ids":  threadIDs,
-			"thread_decisions":  []string{"skip", "summarize_only", "summarize_and_resolve"},
+			"allowed_agent_ids":   agentIDs,
+			"changed_files":       changedFiles,
+			"known_thread_ids":    threadIDs,
+			"max_selected_agents": maxAgents,
+			"thread_decisions":    []string{"skip", "summarize_only", "summarize_and_resolve"},
 		},
 		Example: example,
 	}
diff --git a/internal/pipeline/pipeline_test.go b/internal/pipeline/pipeline_test.go
index 07c5053c..e98476b5 100644
--- a/internal/pipeline/pipeline_test.go
+++ b/internal/pipeline/pipeline_test.go
@@ -561,7 +561,7 @@ func TestSelectionOnlyRejectsInvalidSelection(t *testing.T) {
 	}
 }
 
-func TestSelectionOnlyEnforcesMaxAgents(t *testing.T) {
+func TestSelectionOnlyCapsMaxAgents(t *testing.T) {
 	ctx := context.Background()
 	provider, req := dryRunHarness(t)
 	dir := t.TempDir()
@@ -570,6 +570,7 @@ func TestSelectionOnlyEnforcesMaxAgents(t *testing.T) {
 	trustCurrentTempFixtures(t)
 	req.Profile.AgentSources = []string{dir}
 	adapter := &llm.FakeAdapter{NameValue: "fake-llm"}
+	var warnings bytes.Buffer
 	adapter.Queue(fakeLLMResult("selection-session", `{
 		"schema_version": 1,
 		"selected_agents": [
@@ -580,14 +581,28 @@ func TestSelectionOnlyEnforcesMaxAgents(t *testing.T) {
 		"reasoning": "too many"
 	}`, 10, 2))
 
-	_, err := SelectionOnly(ctx, Options{
+	result, err := SelectionOnly(ctx, Options{
 		Provider:  provider,
 		Adapter:   adapter,
 		Now:       fixedNow,
 		MaxAgents: 1,
+		Warnings:  &warnings,
 	}, selectionRequestFromReview(req, t.TempDir()))
-	if err == nil || !strings.Contains(err.Error(), "selected agents 2 exceeds max 1") {
-		t.Fatalf("SelectionOnly error = %v, want max-agent rejection", err)
+	if err != nil {
+		t.Fatalf("SelectionOnly: %v", err)
+	}
+	if len(result.Selection.SelectedAgents) != 1 || result.Selection.SelectedAgents[0].AgentID != "harness:alpha" {
+		t.Fatalf("selected agents = %#v, want first selected agent only", result.Selection.SelectedAgents)
+	}
+	if got := warnings.String(); !strings.Contains(got, "orchestrator selected 2 agents; using first 1 due to max-agents") {
+		t.Fatalf("warnings = %q, want max-agent cap warning", got)
+	}
+	requests := adapter.Requests()
+	if len(requests) != 1 {
+		t.Fatalf("adapter requests = %#v, want one selection request", requests)
+	}
+	if !strings.Contains(requests[0].Prompt, `"max_selected_agents": 1`) {
+		t.Fatalf("selection prompt = %q, want max_selected_agents", requests[0].Prompt)
 	}
 }
 
@@ -2228,7 +2243,7 @@ func TestDryRunRejectsSelfReviewWhenReviewerCredentialsMatchAuthor(t *testing.T)
 }
 
 func TestSelectionOutputContractExampleHasNoAgentsWhenCatalogEmpty(t *testing.T) {
-	contract := selectionOutputContract(nil, []FilePatch{{Path: "main.go"}}, nil)
+	contract := selectionOutputContract(nil, []FilePatch{{Path: "main.go"}}, nil, 3)
 	example, ok := contract.Example.(map[string]any)
 	if !ok {
 		t.Fatalf("Example = %#v, want map", contract.Example)
@@ -2242,6 +2257,39 @@ func TestSelectionOutputContractExampleHasNoAgentsWhenCatalogEmpty(t *testing.T)
 	}
 }
 
+func TestSelectionPromptIncludesMaxSelectedAgentsContract(t *testing.T) {
+	prompt, err := buildSelectionPrompt(
+		gitprovider.PR{},
+		agents.Catalog{Agents: []agents.Agent{{ID: "agent-1"}}},
+		[]FilePatch{{Path: "main.go"}},
+		nil,
+		3,
+		"",
+	)
+	if err != nil {
+		t.Fatalf("buildSelectionPrompt: %v", err)
+	}
+	var payload struct {
+		MaxSelectedAgents int `json:"max_selected_agents"`
+		OutputContract    struct {
+			Instructions  []string       `json:"instructions"`
+			AllowedValues map[string]any `json:"allowed_values"`
+		} `json:"output_contract"`
+	}
+	if err := json.Unmarshal([]byte(prompt), &payload); err != nil {
+		t.Fatalf("Unmarshal prompt: %v", err)
+	}
+	if payload.MaxSelectedAgents != 3 {
+		t.Fatalf("max_selected_agents = %d, want 3", payload.MaxSelectedAgents)
+	}
+	if got := payload.OutputContract.AllowedValues["max_selected_agents"]; got != float64(3) {
+		t.Fatalf("allowed max_selected_agents = %#v, want 3", got)
+	}
+	if !strings.Contains(strings.Join(payload.OutputContract.Instructions, "\n"), "at most max_selected_agents") {
+		t.Fatalf("instructions = %#v, want max-selected-agents guidance", payload.OutputContract.Instructions)
+	}
+}
+
 func TestFindingsOutputContractScopesAnchorToFindingItems(t *testing.T) {
 	contract := findingsOutputContract("agent-1", []string{"main.go"})
 	schema, ok := contract.ResponseSchema.(map[string]any)
diff --git a/internal/view/config.go b/internal/view/config.go
index 6516bcf4..2216b858 100644
--- a/internal/view/config.go
+++ b/internal/view/config.go
@@ -209,16 +209,21 @@ func RenderConfigText(w io.Writer, show ConfigShow) error {
 	if _, err := fmt.Fprintln(w, "Review policy:"); err != nil {
 		return err
 	}
-	if err := writeKV(w, "  Major event", string(show.Profile.ReviewPolicy.MajorEvent)); err != nil {
-		return err
+	majorEvent := show.Profile.ReviewPolicy.MajorEvent
+	if majorEvent == "" {
+		majorEvent = config.ReviewMajorEventRequestChanges
 	}
-	if err := writeKV(w, "  Allow self approve", fmt.Sprint(show.Profile.ReviewPolicy.AllowSelfApprove)); err != nil {
+	resolveThreads := show.Profile.ReviewPolicy.ResolveThreads
+	if resolveThreads == "" {
+		resolveThreads = config.ResolveThreadsAuto
+	}
+	if err := writeKV(w, "  Major event", string(majorEvent)); err != nil {
 		return err
 	}
-	if err := writeOptionalKV(w, "  Resolve threads", string(show.Profile.ReviewPolicy.ResolveThreads)); err != nil {
+	if err := writeKV(w, "  Allow self approve", fmt.Sprint(show.Profile.ReviewPolicy.AllowSelfApprove)); err != nil {
 		return err
 	}
-	if err := writeOptionalKV(w, "  Resolve after", show.Profile.ReviewPolicy.ResolveAfter); err != nil {
+	if err := writeKV(w, "  Resolve threads", string(resolveThreads)); err != nil {
 		return err
 	}
 
diff --git a/internal/view/config_test.go b/internal/view/config_test.go
index 3da99c1d..d9e67696 100644
--- a/internal/view/config_test.go
+++ b/internal/view/config_test.go
@@ -218,6 +218,7 @@ Credentials:
 Review policy:
   Major event: comment
   Allow self approve: false
+  Resolve threads: auto
 Data retention:
   Max age days: 90
   Enforcement: at_write
@@ -790,7 +791,6 @@ func workProfile() config.Profile {
 			MajorEvent:       config.ReviewMajorEventRequestChanges,
 			AllowSelfApprove: true,
 			ResolveThreads:   config.ResolveThreadsNever,
-			ResolveAfter:     "48h",
 		},
 	}
 }
diff --git a/version.txt b/version.txt
index 5a2a5806..b63ba696 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-0.6
+0.9