From ae0c48de76c3a0e36a1c2944ea65b99ced4d40ce Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Sun, 21 Jun 2026 18:48:10 -0400
Subject: [PATCH 01/27] Rethink credential storage and reviewer entity init
 model

---
 docs/init-config-surface.md                   |  19 +-
 docs/init-ux-contract.md                      |  30 +-
 internal/cmd/configcmd/configcmd.go           |  46 +-
 internal/cmd/configcmd/configcmd_test.go      |  16 +-
 internal/cmd/credentialcmd/credentialcmd.go   | 595 ++++++++++++++----
 .../cmd/credentialcmd/credentialcmd_test.go   | 359 ++++++-----
 .../cmd/credentialcmd/init_inventory_test.go  |  18 +-
 internal/cmd/credentialcmd/init_menu.go       |   6 +-
 internal/cmd/credentialcmd/init_profile_v2.go |  24 +-
 .../init_reviewer_entity_editor.go            |  28 +-
 internal/cmd/mecmd/mecmd_test.go              | 101 +--
 internal/config/config.go                     | 464 ++++++++++++--
 internal/config/config_test.go                | 370 ++++++-----
 internal/config/init_surface_doc_test.go      |   1 -
 internal/identity/identity.go                 |  37 +-
 15 files changed, 1513 insertions(+), 601 deletions(-)

diff --git a/docs/init-config-surface.md b/docs/init-config-surface.md
index 12416ae3..7b354f7f 100644
--- a/docs/init-config-surface.md
+++ b/docs/init-config-surface.md
@@ -48,25 +48,16 @@ intentionally unsupported.
 | config.repository_profiles[].match.host | Route wizard derives from selected profile host or pasted PR URL. | Existing `cr config route set --host`. | Required for a route. Existing host is pre-populated and normalized. | Must match the target profile's `git.host`. Host edits on a profile with routes are blocked or reconciled by #185. | #177 route helper, #185 PR URL derivation and host/profile validation tests. |
 | config.repository_profiles[].match.namespace | Route wizard asks for owner/org or derives from PR URL. | Existing `cr config route set --namespace`. | Required for a route. Existing namespace is pre-populated. | Overwrite validates non-empty and preserves repo-vs-namespace route identity. | #177 route helper. #185 namespace route tests. |
 | config.repository_profiles[].match.repos[] | Route wizard supports namespace-wide route when omitted or repo-specific routes when provided. | Existing repeatable `cr config route set --repo` and `cr config route unset --repo`. | Omitted means namespace-wide route. Existing repos are pre-populated in deterministic order. | Preserve on skip. Add/edit/remove dedupes and sorts via shared route helper. Clear repos converts only when the user explicitly chooses namespace-wide routing. | #177 route helper. #185 repo route and namespace conversion tests. |
-| config.profiles.<name> | Core profile wizard selects existing profile, creates a new profile, or renames an existing profile. | Existing global `--profile` with `cr init --non-interactive` owns scripted create/replace. Scripted rename is intentionally unsupported by init and belongs to future profile-management command design. | When `cr init` starts without a global `--profile`, it suggests `default` as the new profile name. Existing profile names are pre-populated. | Create requires a valid profile body. Rename preserves credential locations by default, updates repository routes, and does not delete old credential-store entries. | #177 profile rename helper. #180 tests create/select/rename and validation. |
+| config.profiles.<name> | Core profile wizard selects existing profile, creates a new profile, or renames an existing profile. | Existing global `--profile` with `cr init --non-interactive` owns scripted create/replace. Scripted rename is intentionally unsupported by init and belongs to future profile-management command design. | New profile names start blank. Existing profile names are pre-populated. | Create requires a valid profile body. Rename preserves credential locations by default, updates repository routes, and does not delete old credential-store entries. | #177 profile rename helper. #180 tests create/select/rename and validation. |
 | config.profiles.<name>.git.host | Core profile wizard edits Git host. | Existing `cr init --git-host`; existing route commands own route-safe scripted changes. | Current init defaults to `github.com`. Existing value is pre-populated. | Set validates non-empty normalized host. If routes reference the profile and reconciliation is not selected, block or defer the edit. | #180 blocks/defer route-unsafe host edits. #185 implements reconciliation tests. |
 | config.profiles.<name>.git.auth_mode | Core profile wizard chooses `pat` or `github_app`; `oauth_device` remains reserved. | `cr init --git-auth-mode`, parallel to existing reviewer auth mode. Current init otherwise defaults user Git auth to PAT. | Existing value is pre-populated. New profile defaults to `pat`. | Overwrite only to supported v1 modes. Switching auth modes re-plans credential keys but does not delete old secrets. | #179 credential-ref/key-spec planner. #180 auth-mode prompt tests. |
 | config.profiles.<name>.git.credential.store | User Git auth chooses an existing credential store before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --store`. | New profiles start with `local-os` selected. Existing store id is pre-populated. | Must be `local-os` or a configured store id. Store setup is not available inline from this flow. | #356 explicit destination tests. |
 | config.profiles.<name>.git.credential.name | User Git auth names the credential bundle before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --name`. | New profile defaults to `codereview/<profile>`. Existing name is pre-populated and preserved by default. | Must use the `codereview/<profile>` credential grammar. It must differ from other credentials in the same profile when the store also matches. | #356 explicit credential-location tests. |
 | config.profiles.<name>.git.identity_cache | Not shown as an editable init field. Preserve only. | Intentionally unsupported for init and config mutation. Runtime identity refresh owns it. | Existing cache is preserved. New profiles omit it. | Preserve unless a future explicit cache invalidation ticket owns behavior. Profile rename does not rewrite cache contents. | Preserve-only regression in #177/#180. |
-| config.profiles.<name>.reviewer_credentials | Optional reviewer credential section. Wizard supports skip, preserve, enable, edit, or clear reviewer config. | Existing `cr init --reviewer-credential-ref` and `--reviewer-auth-mode` own enable/edit. `cr init --disable-reviewer` owns scripted removal. | Omitted means posting uses Git credentials. Existing section is pre-populated. | Clear removes the whole section. Enable requires auth mode and credential location. The store/name pair must differ from Git and LLM credential locations. | #179 planner and #180 optional section tests. #181 secret ingress tests. |
-| config.profiles.<name>.reviewer_credentials.auth_mode | Reviewer wizard chooses PAT or GitHub App; `oauth_device` remains reserved. | Existing `cr init --reviewer-auth-mode`. | Current init defaults reviewer mode to `pat` when reviewer credentials are requested. Existing value is pre-populated. | Overwrite only to supported v1 modes. Switching modes re-plans key specs and preserves old secrets unless explicit overwrite/migration occurs. | #179 credential bundle tests for PAT and GitHub App. |
-| config.profiles.<name>.reviewer_credentials.credential.store | Reviewer Git auth chooses an existing credential store before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --store`. | New reviewer credentials start with `local-os` selected unless the user chooses another configured store. Existing store id is pre-populated. | Must be `local-os` or a configured store id. Store setup is not available inline from this flow. | #356 explicit destination tests. |
-| config.profiles.<name>.reviewer_credentials.credential.name | Reviewer Git auth names the credential bundle before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --name`. | New reviewer section defaults to `codereview/<profile>-reviewer`, or `codereview/<label>-reviewer` when the user types a new reviewer entity label. Existing name is pre-populated and preserved. | Must use the `codereview/<profile>` credential grammar. It must differ from Git and LLM credentials in the same profile when the store also matches. | #356 explicit credential-location tests. |
-| config.profiles.<name>.reviewer_credentials.display_name | Reviewer wizard lets the user set or clear a human-friendly label for a separate reviewer entity. | Interactive `cr init` only for now. No dedicated scripted owner yet. | Empty means chooser labels fall back to deterministic credential-ref/profile-derived text. Existing value is pre-populated. | Preserve on skip. Overwrite trims surrounding whitespace. Clear is valid and returns the entity to fallback labeling. Conflicting labels across profiles that share one reviewer identity do not create duplicate identities; the shared chooser entry falls back to deterministic identity text until one label wins. | #244 tests round-trip, validation, shared-identity conflict fallback, and chooser labeling. |
-| config.profiles.<name>.reviewer_credentials.identity_cache | Not shown as an editable init field. Preserve only. | Intentionally unsupported for init and config mutation. Runtime identity refresh owns it. | Existing cache is preserved. New reviewer sections omit it. | Preserve unless a future explicit cache invalidation ticket owns behavior. | Preserve-only regression in #177/#180. |
-| config.profiles.<name>.llm.provider | Core profile wizard chooses provider. | Existing `cr init --llm-provider`. | Current init defaults to `anthropic`. Existing value is pre-populated. | Overwrite validates provider and may require compatible auth/adapter/key specs. | #179 provider credential planning. #180 provider/auth/adapter compatibility tests. |
-| config.profiles.<name>.llm.auth | Core profile wizard chooses subscription or API key auth. | Existing `cr init --llm-auth`. | Current init defaults to `subscription`. Existing value is pre-populated. | Subscription requires empty `llm.credential`; API key requires a provider-supported credential location and secret plan. | #179 planner tests subscription/API-key transitions. #181 ingress tests. |
-| config.profiles.<name>.llm.adapter | Core profile wizard chooses compatible adapter. | Existing `cr init --llm-adapter`. | Current init defaults to `claude_cli`. Existing value is pre-populated. | Overwrite validates provider/auth compatibility, including `openai+codex_cli+subscription` and `pi+pi_rpc+subscription`. | #180 compatibility tests. |
-| config.profiles.<name>.llm.credential.store | LLM API-key auth chooses an existing credential store before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --store`. | Omitted for subscription auth. API-key auth starts with `local-os` selected unless the user chooses another configured store. Existing store id is pre-populated. | Must be empty for subscription auth. Must be `local-os` or a configured store id for API-key auth. Store setup is not available inline from this flow. | #356 explicit destination tests. |
-| config.profiles.<name>.llm.credential.name | LLM API-key auth names the credential bundle before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --name`. | Omitted for subscription auth. API-key auth defaults to `codereview/<profile>-llm`. Existing name is pre-populated. | Must be empty for subscription auth. Must use the `codereview/<profile>` credential grammar for API-key auth. It must differ from Git/reviewer credentials in the same profile when the store also matches. | #356 explicit credential-location tests. |
-| config.profiles.<name>.llm.model_map | Model-tier mapping editor opens directly with the effective tier mappings for the selected runtime. Built-in mappings are shown in-place, configured overrides are shown in-place, and unmapped tiers stay visibly empty. | Existing `cr config llm models set/unset/reset`; #186 documents this scripted sequence. #187 must not add model-map init flags. | Omitted uses provider/adapter built-ins. Existing overrides are merged into the visible effective values. | Leaving a built-in value unchanged keeps the built-in mapping without serializing a redundant override. Entering a different value stores an explicit override. Clearing a prefilled override falls back to the built-in mapping when one exists, otherwise leaves the tier unmapped. | #182 tests add/edit/remove/reset and invalid entries, plus prompt-level round trips for keeping and clearing prefilled override-backed tiers. |
-| config.profiles.<name>.llm.reviewer_model_tier | Core profile wizard frames this as a minimum reviewer model tier and offers the built-in small baseline or explicit small, medium, and large baselines. | `cr init --llm-reviewer-model-tier` and `--clear-llm-reviewer-model-tier`, because no config command currently mutates this field directly. | Omitted means effective small baseline. Existing value is pre-populated. | Preserve on skip. Reset clears field. Set validates model tier. | #180 prompt tests. #187 flag persistence tests. |
+| config.reviewer_entities | Configure reviewer entities creates and edits reusable posting identities independently from review profiles. Entity definitions include host, auth mode, credential location, display name, and identity cache. | Interactive main-menu reviewer-entity flow only for now. Future config commands may own scripted reviewer-entity CRUD. | Omitted means no separate reviewer identities are configured yet. Profiles can still choose `git_identity`. Existing entities are pre-populated in the inventory. | Entity names are stable ids. PAT and GitHub App entities store explicit credential locations and never the secret values. Deleting a referenced entity requires affected profiles to select a replacement or use Git identity. | First-class reviewer-entity data model tests and init reviewer-entity UX tests. |
+| config.profiles.<name>.reviewer.kind | Review profile composition chooses whether posting uses the profile Git account or a configured reviewer entity. | Interactive review-profile flow only for now. | New profiles require an explicit choice. Existing value is pre-populated. | `git_identity` requires empty `reviewer.entity`; `entity` requires an existing reviewer entity whose host matches profile Git host. | First-class reviewer-reference validation tests. |
+| config.profiles.<name>.reviewer.entity | Review profile composition selects one configured reviewer entity when `reviewer.kind` is `entity`. | Interactive review-profile flow only for now. | Empty for `git_identity`. Existing entity reference is pre-populated. | Must reference `config.reviewer_entities`. The entity credential must differ from Git and selected LLM runtime credentials when the store also matches. | First-class reviewer-reference validation tests. |
+| config.profiles.<name>.llm_runtime | Review profile composition selects one configured LLM runtime by name. | Interactive review-profile flow only for now. Future config commands may own scripted profile composition. | New profiles require an explicit runtime choice. Existing runtime reference is pre-populated. | Must reference `config.llm_runtimes`. API-key runtime credentials must differ from Git and selected reviewer entity credentials when the store also matches. | First-class LLM-runtime reference validation tests. |
 | config.profiles.<name>.agent_sources[] | Direct trusted-directory editor shows existing profile agent-source paths in one multiline field with explanatory notes about trust and separate repo-local `.codereview/agents` discovery. | Existing `cr init --agent-source`; existing `cr config agent-source add/remove`; #186 docs sequence. | Omitted means no additional profile-specific trusted directories. Existing values are pre-populated line-by-line. | Preserve on skip. Clearing the field removes all profile-specific agent sources. Entered paths are normalized and deduped through the shared config-edit helper. | #177 extracts helper. #183 tests add/remove/reset/preserve. #289 prompt tests cover explanatory copy, multiline entry, and Back. |
 | config.profiles.<name>.review_policy.major_event | Review-policy wizard chooses comment or request_changes. | Existing `cr init --major-event`. | Current init defaults to `comment`. Existing value is pre-populated. | Preserve on skip. Set validates enum. Reset clears to normalized default `comment`. | #183 tests prompt, reset, and validation. |
 | config.profiles.<name>.review_policy.allow_self_approve | Review-policy wizard toggles durable self-approval policy. | Existing `cr init --allow-self-approve`. | Current init defaults false. Existing value is pre-populated. | Preserve on skip. Set true/false explicitly. Runtime `cr review --allow-self-approve` remains separate. | #183 tests true/false preservation. |
diff --git a/docs/init-ux-contract.md b/docs/init-ux-contract.md
index b01a0237..1bdf33b0 100644
--- a/docs/init-ux-contract.md
+++ b/docs/init-ux-contract.md
@@ -78,11 +78,11 @@ profiles before saving.
 
 The intended top-level shape is:
 
-1. Configure LLM runtimes
-2. Configure reviewer entities
-3. Configure review profiles
-4. Configure global settings
-5. Configure secrets management
+1. Configure secrets storage
+2. Configure LLM runtimes
+3. Configure reviewer entities
+4. Configure review profiles
+5. Configure global settings
 6. Commit staged changes and exit
 7. Discard staged changes and exit
 
@@ -214,8 +214,7 @@ environment variable names may be shown only as backend-auth env var names.
 
 ## Draft-Local Reuse Rules
 
-LLM runtimes and reviewer entities are reusable **within the current interactive
-`init` session only**.
+LLM runtimes and reviewer entities are reusable saved building blocks.
 
 That means:
 
@@ -223,9 +222,9 @@ That means:
   profiles
 - interactive draft state may name and reuse reviewer entities across multiple
   draft profiles
-- no new persisted top-level runtime/entity schema is introduced in `config.yml`
-- existing saved profiles are not auto-deduped into shared runtime/entity
-  objects on reload
+- committed LLM runtimes are persisted under `llm_runtimes`
+- committed reviewer entities are persisted under `reviewer_entities`
+- saved profiles reference those building blocks by name
 
 API-key-backed LLM runtimes may be reused across multiple profiles by selecting
 the same draft runtime and the same credential store/name. If a user wants two
@@ -295,11 +294,12 @@ and saved config must stay stable:
 
 - **Git scope** maps to `profile.git`, plus repository-route implications when
   the profile participates in `repository_profiles`.
-- **LLM runtime** maps to `profile.llm`, including the provider, auth mode,
-  adapter, and any optional LLM credential location implied by API-key auth.
-- **Reviewer entity** maps to `profile.reviewer_credentials` when separate
-  credentials are configured, or to `nil` when the user selected `Use a
-  profile's Git account (no separate reviewer entity)`.
+- **LLM runtime** maps to a saved `llm_runtimes.<name>` entry. A profile selects
+  it with `profiles.<profile>.llm_runtime`.
+- **Reviewer entity** maps to a saved `reviewer_entities.<name>` entry. A
+  profile selects it with `profiles.<profile>.reviewer.kind: entity` and
+  `profiles.<profile>.reviewer.entity`. The Git-account fallback maps to
+  `profiles.<profile>.reviewer.kind: git_identity`.
 - **Review profile** maps to one saved entry under `profiles.<name>`.
 
 This section is intentionally high level. The detailed field inventory and
diff --git a/internal/cmd/configcmd/configcmd.go b/internal/cmd/configcmd/configcmd.go
index 37376c47..38f76dbb 100644
--- a/internal/cmd/configcmd/configcmd.go
+++ b/internal/cmd/configcmd/configcmd.go
@@ -696,10 +696,16 @@ func newLLMCommand(opts *root.Options) *cobra.Command {
 			if err != nil {
 				return err
 			}
-			if profile.LLM.ModelMap == nil {
-				profile.LLM.ModelMap = config.ModelMap{}
+			runtimeName, runtime, err := activeProfileLLMRuntime(cfg, profileName, profile)
+			if err != nil {
+				return cmderr.Config(err)
 			}
-			profile.LLM.ModelMap[string(tier)] = model
+			if runtime.ModelMap == nil {
+				runtime.ModelMap = config.ModelMap{}
+			}
+			runtime.ModelMap[string(tier)] = model
+			cfg.LLMRuntimes[runtimeName] = runtime
+			profile.LLM = runtime
 			cfg.Profiles[profileName] = profile
 			if err := saveConfigFile(path, cfg); err != nil {
 				return cmderr.Config(err)
@@ -727,12 +733,18 @@ func newLLMCommand(opts *root.Options) *cobra.Command {
 			if err != nil {
 				return err
 			}
-			if profile.LLM.ModelMap != nil {
-				delete(profile.LLM.ModelMap, string(tier))
-				if len(profile.LLM.ModelMap) == 0 {
-					profile.LLM.ModelMap = nil
+			runtimeName, runtime, err := activeProfileLLMRuntime(cfg, profileName, profile)
+			if err != nil {
+				return cmderr.Config(err)
+			}
+			if runtime.ModelMap != nil {
+				delete(runtime.ModelMap, string(tier))
+				if len(runtime.ModelMap) == 0 {
+					runtime.ModelMap = nil
 				}
 			}
+			cfg.LLMRuntimes[runtimeName] = runtime
+			profile.LLM = runtime
 			cfg.Profiles[profileName] = profile
 			if err := saveConfigFile(path, cfg); err != nil {
 				return cmderr.Config(err)
@@ -766,7 +778,13 @@ func newLLMCommand(opts *root.Options) *cobra.Command {
 					return exitcode.Usage(fmt.Errorf("--provider %q does not match active profile provider %q", guard, profile.LLM.Provider))
 				}
 			}
-			profile.LLM.ModelMap = nil
+			runtimeName, runtime, err := activeProfileLLMRuntime(cfg, profileName, profile)
+			if err != nil {
+				return cmderr.Config(err)
+			}
+			runtime.ModelMap = nil
+			cfg.LLMRuntimes[runtimeName] = runtime
+			profile.LLM = runtime
 			cfg.Profiles[profileName] = profile
 			if err := saveConfigFile(path, cfg); err != nil {
 				return cmderr.Config(err)
@@ -899,6 +917,18 @@ func loadActiveProfile(opts *root.Options) (string, config.File, string, config.
 	return path, cfg, profileName, profile, nil
 }
 
+func activeProfileLLMRuntime(cfg config.File, profileName string, profile config.Profile) (string, config.LLMConfig, error) {
+	runtimeName := strings.TrimSpace(profile.LLMRuntime)
+	if runtimeName == "" {
+		return "", config.LLMConfig{}, fmt.Errorf("%w: profiles.%s.llm_runtime is required", config.ErrInvalid, profileName)
+	}
+	runtime, ok := cfg.LLMRuntimes[runtimeName]
+	if !ok {
+		return "", config.LLMConfig{}, fmt.Errorf("%w: profiles.%s.llm_runtime %q", config.ErrProfileNotFound, profileName, runtimeName)
+	}
+	return runtimeName, runtime, nil
+}
+
 func parseModelTierArg(raw string) (config.ModelTier, error) {
 	tier := config.ModelTier(strings.TrimSpace(raw))
 	if !tier.Valid() {
diff --git a/internal/cmd/configcmd/configcmd_test.go b/internal/cmd/configcmd/configcmd_test.go
index 03f1c0fb..3b9ddc71 100644
--- a/internal/cmd/configcmd/configcmd_test.go
+++ b/internal/cmd/configcmd/configcmd_test.go
@@ -1453,7 +1453,7 @@ func TestConfigRetentionSetMutatesAndPreservesUnrelatedConfig(t *testing.T) {
 	if saved.Data.Retention.MaxAgeDaysValue() != 30 || saved.Data.Retention.Enforcement != config.RetentionManualOnly {
 		t.Fatalf("retention = %#v, want 30/manual_only", saved.Data.Retention)
 	}
-	if !reflect.DeepEqual(saved.Profiles, cfg.Profiles) {
+	if !reflect.DeepEqual(saved.Profiles, config.Normalize(cfg).Profiles) {
 		t.Fatalf("profiles = %#v, want preserved", saved.Profiles)
 	}
 	if !reflect.DeepEqual(saved.RepositoryProfiles, cfg.RepositoryProfiles) {
@@ -1595,7 +1595,7 @@ func TestConfigRetentionResetRestoresDefaultsAndPreservesConfig(t *testing.T) {
 	if saved.Data.Retention.MaxAgeDaysValue() != 90 || saved.Data.Retention.Enforcement != config.RetentionAtWrite {
 		t.Fatalf("retention = %#v, want 90/at_write", saved.Data.Retention)
 	}
-	if !reflect.DeepEqual(saved.Profiles, cfg.Profiles) {
+	if !reflect.DeepEqual(saved.Profiles, config.Normalize(cfg).Profiles) {
 		t.Fatalf("profiles = %#v, want preserved", saved.Profiles)
 	}
 	if !reflect.DeepEqual(saved.RepositoryProfiles, cfg.RepositoryProfiles) {
@@ -1871,6 +1871,11 @@ func TestConfigShowReservedAuthModeExitCode(t *testing.T) {
     test-memory:
       backend:
         kind: memory
+llm_runtimes:
+  claude-cli:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
 profiles:
   home:
     git:
@@ -1879,10 +1884,9 @@ profiles:
       credential:
         store: test-memory
         name: codereview/home
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: git_identity
+    llm_runtime: claude-cli
 `)
 	cmd, _ := newTestCommand(path)
 
diff --git a/internal/cmd/credentialcmd/credentialcmd.go b/internal/cmd/credentialcmd/credentialcmd.go
index dd369b05..25321345 100644
--- a/internal/cmd/credentialcmd/credentialcmd.go
+++ b/internal/cmd/credentialcmd/credentialcmd.go
@@ -237,6 +237,7 @@ type initPromptContext struct {
 	ReviewerEntities             map[string]initReviewerEntityDraft
 	ProfileReviewerEntities      map[string]string
 	ReviewerCredentialStatuses   []initReviewerCredentialStatus
+	StandaloneReviewerEntityMode bool
 	SecretsProfiles              []config.EffectiveSecretsProfile
 	ProfileSecretsProfiles       map[string]string
 	BrokenProfileSecretsProfiles map[string]string
@@ -523,15 +524,20 @@ type initPendingProfileDelete struct {
 }
 
 type initPendingReviewerEntityDelete struct {
-	EntityName string
-	Affected   map[string]config.ReviewerCredentials
+	EntityName       string
+	Entity           *config.ReviewerEntity
+	ProfileReviewers map[string]config.ProfileReviewer
+	Affected         map[string]config.ReviewerCredentials
 }
 
 type initPendingLLMRuntimeDelete struct {
 	RuntimeName        string
 	Replacement        initLLMRuntimeDraft
+	ReplacementName    string
+	AddedReplacement   bool
 	Applied            map[string]config.LLMConfig
 	Original           map[string]config.LLMConfig
+	OriginalRefs       map[string]string
 	StandaloneOriginal *config.LLMConfig
 }
 
@@ -574,13 +580,15 @@ const (
 )
 
 type initLLMRuntimeDraft struct {
-	Name            string
-	Preset          initLLMRuntimePreset
-	Provider        config.LLMProvider
-	Auth            config.LLMAuth
-	Adapter         config.LLMAdapter
-	CredentialStore string
-	CredentialRef   string
+	Name              string
+	Preset            initLLMRuntimePreset
+	Provider          config.LLMProvider
+	Auth              config.LLMAuth
+	Adapter           config.LLMAdapter
+	CredentialStore   string
+	CredentialRef     string
+	ModelMap          config.ModelMap
+	ReviewerModelTier config.ModelTier
 }
 
 type initStore interface {
@@ -1019,14 +1027,19 @@ func newHuhInitMenuPrompter(opts *root.Options) initMenuPrompter {
 
 func newHuhInitLLMRuntimePrompter(opts *root.Options) initLLMRuntimePrompter {
 	return huhInitLLMRuntimePrompter{
-		stdin:   opts.Stdin,
-		stderr:  opts.Stderr,
-		checker: defaultInitLLMRuntimeAvailabilityNote,
+		stdin:           opts.Stdin,
+		stderr:          opts.Stderr,
+		inventoryRunner: runInitInventory,
+		checker:         defaultInitLLMRuntimeAvailabilityNote,
 	}
 }
 
 func newHuhInitReviewerEntityPrompter(opts *root.Options) initReviewerEntityPrompter {
-	return huhInitReviewerEntityPrompter{stdin: opts.Stdin, stderr: opts.Stderr}
+	return huhInitReviewerEntityPrompter{
+		stdin:           opts.Stdin,
+		stderr:          opts.Stderr,
+		inventoryRunner: runInitInventory,
+	}
 }
 
 func newHuhInitFinalizePrompter(opts *root.Options) initFinalizePrompter {
@@ -1189,19 +1202,19 @@ func buildInteractiveInitMenuPrompt(session initSessionDraft) initMenuPrompt {
 	llmRuntimes, _ := buildInitLLMRuntimeInventory(session.cfg)
 	reviewerEntities, _ := buildInitReviewerEntityInventory(session.cfg)
 	prompt := initMenuPrompt{
-		HasWorkspace:        session.workspace != nil,
-		LLMRuntimeCount:     len(llmRuntimes),
-		ReviewerEntityCount: countConfiguredInitReviewerEntities(reviewerEntities),
-		ReviewProfileCount:  len(session.cfg.Profiles),
-		CanConfigureLLM:     true,
-		CanSave:             initSessionCanCommitWithoutWorkspace(session),
+		HasWorkspace:         session.workspace != nil,
+		LLMRuntimeCount:      len(llmRuntimes),
+		ReviewerEntityCount:  countConfiguredInitReviewerEntities(reviewerEntities),
+		ReviewProfileCount:   len(session.cfg.Profiles),
+		CanConfigureLLM:      true,
+		CanConfigureReviewer: true,
+		CanSave:              initSessionCanCommitWithoutWorkspace(session),
 	}
 	if session.workspace == nil {
 		return prompt
 	}
 	prompt.ActiveProfileName = session.workspace.profileName
 	prompt.CanConfigureLLM = true
-	prompt.CanConfigureReviewer = true
 	prompt.CanSave = true
 	return prompt
 }
@@ -1574,6 +1587,10 @@ func buildInitStandaloneLLMRuntimeNameSet(runtimes map[string]config.LLMConfig)
 	return existing
 }
 
+func buildInitLLMRuntimeDraftNameSet(runtimes map[string]config.LLMConfig) map[string]initLLMRuntimeDraft {
+	return buildInitStandaloneLLMRuntimeNameSet(runtimes)
+}
+
 func loopInteractiveInitReviewerEntity(cmd *cobra.Command, opts *root.Options, flags initOptions, deps initDeps, session initSessionDraft) (initSessionDraft, error) {
 	for {
 		var stayInCategory bool
@@ -1589,14 +1606,12 @@ func loopInteractiveInitReviewerEntity(cmd *cobra.Command, opts *root.Options, f
 }
 
 func editInteractiveInitReviewerEntityStep(cmd *cobra.Command, opts *root.Options, flags initOptions, deps initDeps, session initSessionDraft) (initSessionDraft, bool, error) {
-	if session.workspace == nil {
-		return initSessionDraft{}, false, exitcode.Usage(errors.New("configure a review profile before editing reviewer entities"))
-	}
 	prompter := deps.reviewerPrompter
 	if prompter == nil {
 		prompter = newHuhInitReviewerEntityPrompter(opts)
 	}
 	promptCtx := currentInteractiveInitReviewerEntityPromptContext(opts, deps, session)
+	promptCtx.StandaloneReviewerEntityMode = true
 	draft, err := prompter.EditReviewerEntity(initReviewerEntityPrompt{Context: promptCtx})
 	if errors.Is(err, errInitNavigateBack) {
 		return session, false, nil
@@ -1615,27 +1630,16 @@ func editInteractiveInitReviewerEntityStep(cmd *cobra.Command, opts *root.Option
 	case initDraftActionDeleteProfile, initDraftActionUndoDeleteProfile, initDraftActionDeleteLLMRuntime, initDraftActionUndoDeleteLLMRuntime:
 		return initSessionDraft{}, false, fmt.Errorf("unsupported reviewer-entity draft action %q", draft.Action)
 	}
-	previousCfg := cloneInitConfigFile(session.cfg)
-	previousEntity := initReviewerEntityDraft{}
-	if draft.ActionTarget != "" {
-		if entity, ok := promptCtx.ReviewerEntities[draft.ActionTarget]; ok {
-			previousEntity = entity
-		}
+	if !draft.ReviewerEnabled {
+		return session, false, nil
 	}
-	workspace, err := buildInteractiveInitWorkspace(cmd, opts, flags, deps, session.path, session.cfg, draft)
+	session, err = stageStandaloneInteractiveInitReviewerEntity(session, flags, draft)
 	if err != nil {
 		return initSessionDraft{}, false, err
 	}
-	session.cfg = cloneInitConfigFile(workspace.cfg)
-	nextEntity := initReviewerEntityDraft{}
-	if profile, ok := session.cfg.Profiles[workspace.profileName]; ok {
-		nextEntity = initReviewerEntityDraftFromConfig(profile)
-	}
-	session.cfg = propagateSharedReviewerEntityChanges(previousCfg, session.cfg, workspace.profileName, previousEntity, nextEntity)
-	session = rebuildInteractiveInitWorkspace(session, workspace.profileName)
-	session.requestedProfileName = workspace.profileName
 	session = mergeReviewerCredentialDraftWrites(session, draft)
 	if session.workspace != nil {
+		workspace := *session.workspace
 		credentialPlan, err := planInitCredentialsWithConfig(session.cfg, workspace.previousProfile, session.workspace.profile, projectInitPlannedWriteKeys(session.writes))
 		if err != nil {
 			return initSessionDraft{}, false, cmderr.Config(err)
@@ -1643,10 +1647,60 @@ func editInteractiveInitReviewerEntityStep(cmd *cobra.Command, opts *root.Option
 		session.workspace.previousProfile = workspace.previousProfile
 		session.workspace.credentialPlan = credentialPlan
 	}
-	session = recordTouchedProfile(session, workspace.profileName, draft.OriginalProfileName)
 	return session, false, nil
 }
 
+func stageStandaloneInteractiveInitReviewerEntity(session initSessionDraft, flags initOptions, draft initDraft) (initSessionDraft, error) {
+	entity := initReviewerEntityDraftFromSeedDraft(draft)
+	if entity.Kind == initReviewerEntityKindUseGitIdentity {
+		return initSessionDraft{}, exitcode.Usage(errors.New("reviewer entity auth mode is required"))
+	}
+	if strings.TrimSpace(entity.CredentialStore) == "" {
+		entity.CredentialStore = initCredentialStoreDefaultID()
+	}
+	working := cloneInitConfigFile(session.cfg)
+	if working.ReviewerEntities == nil {
+		working.ReviewerEntities = map[string]config.ReviewerEntity{}
+	}
+	name := strings.TrimSpace(firstNonEmpty(draft.ActionTarget, entity.Name))
+	if name == "" {
+		name = uniqueInitReviewerEntityName(buildInitStandaloneReviewerEntityNameSet(working.ReviewerEntities), entity.suggestedName())
+	}
+	var previous *config.ReviewerEntity
+	if existing, ok := working.ReviewerEntities[name]; ok {
+		existingCopy := existing
+		previous = &existingCopy
+	}
+	if strings.TrimSpace(entity.CredentialRef) == "" {
+		if previous != nil && strings.TrimSpace(previous.CredentialRef) != "" {
+			entity.CredentialRef = strings.TrimSpace(previous.CredentialRef)
+		} else {
+			ref, err := credentials.FormatRef(name)
+			if err != nil {
+				return initSessionDraft{}, exitcode.Usage(err)
+			}
+			entity.CredentialRef = ref
+		}
+	}
+	if entity.AuthMode == "" || strings.TrimSpace(entity.CredentialRef) == "" {
+		return initSessionDraft{}, exitcode.Usage(errors.New("reviewer entity auth mode and credential name are required"))
+	}
+	working.ReviewerEntities[name] = entity.exportReviewerEntityConfig(previous, flags.gitHost)
+	if err := validateInteractiveInitGlobalConfig(working); err != nil {
+		return initSessionDraft{}, cmderr.Config(err)
+	}
+	session.cfg = config.Normalize(working)
+	return session, nil
+}
+
+func buildInitStandaloneReviewerEntityNameSet(entities map[string]config.ReviewerEntity) map[string]initReviewerEntityDraft {
+	existing := make(map[string]initReviewerEntityDraft, len(entities))
+	for name := range entities {
+		existing[name] = initReviewerEntityDraft{}
+	}
+	return existing
+}
+
 func mergeReviewerCredentialDraftWrites(session initSessionDraft, draft initDraft) initSessionDraft {
 	ref := strings.TrimSpace(draft.ReviewerCredentialWriteRef)
 	if ref == "" {
@@ -1819,10 +1873,7 @@ func (p huhInitMenuPrompter) ChooseAction(prompt initMenuPrompt) (initMenuAction
 }
 
 func initMenuInitialAction(prompt initMenuPrompt) initMenuAction {
-	if prompt.HasWorkspace {
-		return initMenuActionSecretsManagement
-	}
-	return initMenuActionReviewProfiles
+	return initMenuActionSecretsManagement
 }
 
 func initMenuDescription(prompt initMenuPrompt) string {
@@ -2243,13 +2294,6 @@ func initReviewerEntityInventoryRows(ctx initPromptContext) []initInventoryRow {
 		})
 	}
 	rows = append(rows,
-		initInventoryRow{
-			ID:            string(initReviewerEntityKindUseGitIdentity),
-			Title:         focusedReviewerEntityFallbackLabel(ctx.ExistingProfile),
-			Kind:          initInventoryRowKindCommand,
-			PrimaryAction: initInventoryActionCommand,
-			Selectable:    true,
-		},
 		initInventoryRow{
 			ID:            string(initReviewerEntityKindPAT),
 			Title:         reviewerEntityTemplatePATLabel(),
@@ -2279,6 +2323,14 @@ func standardReviewerCredentialRef(profileName string) (string, error) {
 	return credentials.FormatRef(profileName + "-reviewer")
 }
 
+func standardReviewerCredentialRefForEntity(entity initReviewerEntityDraft) (string, error) {
+	name := strings.TrimSpace(entity.Name)
+	if name == "" {
+		name = entity.suggestedName()
+	}
+	return credentials.FormatRef(name)
+}
+
 func (p huhInitPrompter) Run(ctx initPromptContext) (initDraft, error) {
 	for {
 		result, err := p.runInventory(initInventoryPrompt{
@@ -2862,7 +2914,7 @@ func normalizeReviewerEntitySelectionValue(selection string, entities map[string
 }
 
 func reviewerEntitySelectionDescription() string {
-	return "Choose who posts COMMENT, APPROVE, or REQUEST_CHANGES for this profile. Profiles with no separate reviewer entity post using their profile Git account."
+	return "Choose who posts COMMENT, APPROVE, or REQUEST_CHANGES. Review profiles can use a reviewer entity or post using the profile Git account."
 }
 
 func buildInitSecretsProfileInventory(cfg config.File) ([]config.EffectiveSecretsProfile, map[string]string, map[string]string) {
@@ -3274,11 +3326,13 @@ func applyReviewerEntitySelection(draft *initDraft, selection string) {
 
 func initLLMRuntimeDraftFromSeedDraft(draft initDraft) initLLMRuntimeDraft {
 	return initLLMRuntimeDraftFromConfig(config.LLMConfig{
-		Provider:      config.LLMProvider(draft.LLMProvider),
-		Auth:          config.LLMAuth(draft.LLMAuth),
-		Adapter:       config.LLMAdapter(draft.LLMAdapter),
-		Credential:    initCredentialLocationIfName(draft.LLMCredentialStore, draft.LLMCredentialRef),
-		CredentialRef: strings.TrimSpace(draft.LLMCredentialRef),
+		Provider:          config.LLMProvider(draft.LLMProvider),
+		Auth:              config.LLMAuth(draft.LLMAuth),
+		Adapter:           config.LLMAdapter(draft.LLMAdapter),
+		Credential:        initCredentialLocationIfName(draft.LLMCredentialStore, draft.LLMCredentialRef),
+		CredentialRef:     strings.TrimSpace(draft.LLMCredentialRef),
+		ModelMap:          copyModelMap(draft.ModelMap),
+		ReviewerModelTier: config.ModelTier(strings.TrimSpace(draft.LLMReviewerModelTier)),
 	})
 }
 
@@ -3435,6 +3489,9 @@ func applyLLMRuntimeInventorySelection(draft *initDraft, selection string, runti
 		draft.LLMProvider = string(runtime.Provider)
 		draft.LLMAuth = string(runtime.Auth)
 		draft.LLMAdapter = string(runtime.Adapter)
+		draft.ModelMap = copyModelMap(runtime.ModelMap)
+		draft.ModelMapSet = true
+		draft.LLMReviewerModelTier = string(runtime.ReviewerModelTier)
 		if !draft.AdvancedStorageLabels {
 			draft.LLMCredentialStore = initCredentialStoreDraftValue(runtime.CredentialStore)
 			draft.LLMCredentialRef = runtime.CredentialRef
@@ -4261,6 +4318,7 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 		}
 	}
 	if previousProfile != nil {
+		profile.LLMRuntime = previousProfile.LLMRuntime
 		profile.Git.IdentityCache = previousProfile.Git.IdentityCache
 		if previousProfile.LLM.ModelMap != nil {
 			modelMap := make(config.ModelMap, len(previousProfile.LLM.ModelMap))
@@ -4293,7 +4351,8 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 			profile.ReviewerCredentials.IdentityCache = previousProfile.ReviewerCredentials.IdentityCache
 		}
 	}
-	cfg.Profiles[profileName] = profile
+	cfg, profile = materializeProfileReviewerEntity(cfg, profileName, profile)
+	cfg, profile = materializeProfileLLMRuntime(cfg, profileName, profile)
 
 	writes := map[string]map[string]string{}
 	if hasGitSecret {
@@ -4381,7 +4440,8 @@ func buildInteractiveInitWorkspace(cmd *cobra.Command, opts *root.Options, flags
 	if err != nil {
 		return initWorkspaceDraft{}, err
 	}
-	working.Profiles[profileName] = profile
+	working, profile = materializeProfileReviewerEntity(working, profileName, profile)
+	working, profile = materializeProfileLLMRuntime(working, profileName, profile)
 	if err := validateInteractiveInitConfig(initValidationConfigForProfileHost(working, profileName, previousProfile, profile.Git.Host)); err != nil {
 		return initWorkspaceDraft{}, cmderr.Config(err)
 	}
@@ -4512,6 +4572,12 @@ func buildInteractiveInitSessionPlan(opts *root.Options, session initSessionDraf
 			}
 		}
 	}
+	for _, entry := range standaloneReviewerEntityPlanEntries(session.cfg, plannedWriteKeys) {
+		activeRefs[entry.Ref.Ref] = true
+		if err := mergeInteractiveInitSessionPlanEntry(entriesByKey, entry); err != nil {
+			return initSessionPlan{}, cmderr.Config(err)
+		}
+	}
 	entryKeys := make([]string, 0, len(entriesByKey))
 	for key := range entriesByKey {
 		entryKeys = append(entryKeys, key)
@@ -4610,6 +4676,46 @@ func collectInteractiveInitSessionWorkspaceSecrets(opts *root.Options, deps init
 	return session, nil
 }
 
+func standaloneReviewerEntityPlanEntries(cfg config.File, plannedWriteKeys map[string][]string) []initCredentialPlanEntry {
+	cfg = config.Normalize(cfg)
+	names := make([]string, 0, len(cfg.ReviewerEntities))
+	for name := range cfg.ReviewerEntities {
+		names = append(names, name)
+	}
+	sort.Strings(names)
+	entries := make([]initCredentialPlanEntry, 0, len(names))
+	for _, name := range names {
+		entity := cfg.ReviewerEntities[name]
+		ref := config.CredentialRef{
+			Purpose: "reviewer_credentials",
+			Store:   strings.TrimSpace(entity.Credential.Store),
+			Ref:     strings.TrimSpace(entity.Credential.Name),
+			Mode:    string(entity.AuthMode),
+		}
+		if ref.Store == "" || ref.Ref == "" {
+			continue
+		}
+		resolved, err := credentials.ResolveCredentialStore(cfg, ref.Store)
+		if err != nil {
+			continue
+		}
+		specs, err := credentials.KeySpecsForPurpose(ref)
+		if err != nil {
+			continue
+		}
+		entry := initCredentialPlanEntry{
+			Ref:              ref,
+			SecretsProfile:   resolved,
+			KeySpecs:         append([]credentials.KeySpec(nil), specs...),
+			PlannedWriteKeys: append([]string(nil), plannedWriteKeys[ref.Ref]...),
+		}
+		entry.MissingRequiredKeys = missingRequiredInitCredentialKeys(entry.KeySpecs, entry.PlannedWriteKeys)
+		entry.State = classifyInitCredentialPlanEntry(entry)
+		entries = append(entries, entry)
+	}
+	return entries
+}
+
 func sortedTouchedProfileNames(session initSessionDraft) []string {
 	names := map[string]struct{}{}
 	for name := range session.touchedProfiles {
@@ -4759,26 +4865,37 @@ func deleteInteractiveInitReviewerEntity(session initSessionDraft, entityName st
 	if _, exists := session.pendingReviewerEntityDeletes[entityName]; exists {
 		return session, nil
 	}
-	_, profileEntityNames := buildInitReviewerEntityInventory(session.cfg)
+	session.cfg = config.Normalize(session.cfg)
+	var originalEntity *config.ReviewerEntity
+	if session.cfg.ReviewerEntities != nil {
+		if entity, ok := session.cfg.ReviewerEntities[entityName]; ok {
+			entityCopy := entity
+			originalEntity = &entityCopy
+			delete(session.cfg.ReviewerEntities, entityName)
+		}
+	}
 	affected := map[string]config.ReviewerCredentials{}
-	for profileName, selected := range profileEntityNames {
-		if selected != entityName {
+	profileReviewers := map[string]config.ProfileReviewer{}
+	for profileName, profile := range session.cfg.Profiles {
+		if profile.Reviewer.Kind != config.ProfileReviewerKindEntity || profile.Reviewer.Entity != entityName {
 			continue
 		}
-		profile := session.cfg.Profiles[profileName]
-		if profile.ReviewerCredentials == nil {
-			continue
+		profileReviewers[profileName] = profile.Reviewer
+		if profile.ReviewerCredentials != nil {
+			affected[profileName] = *profile.ReviewerCredentials
 		}
-		affected[profileName] = *profile.ReviewerCredentials
-		cleared, _ := configedit.ClearReviewerCredentials(profile)
-		session.cfg.Profiles[profileName] = cleared
+		profile.Reviewer = config.ProfileReviewer{Kind: config.ProfileReviewerKindGitIdentity}
+		profile.ReviewerCredentials = nil
+		session.cfg.Profiles[profileName] = profile
 	}
-	if len(affected) == 0 {
+	if len(profileReviewers) == 0 && originalEntity == nil {
 		return initSessionDraft{}, exitcode.Usage(fmt.Errorf("reviewer entity %q is not deletable", entityName))
 	}
 	session.pendingReviewerEntityDeletes[entityName] = initPendingReviewerEntityDelete{
-		EntityName: entityName,
-		Affected:   affected,
+		EntityName:       entityName,
+		Entity:           originalEntity,
+		ProfileReviewers: profileReviewers,
+		Affected:         affected,
 	}
 	return rebuildInteractiveInitWorkspace(session, preferredInteractiveInitProfile(session)), nil
 }
@@ -4790,6 +4907,23 @@ func undoInteractiveInitReviewerEntityDelete(session initSessionDraft, entityNam
 	if !ok {
 		return session, nil
 	}
+	if pending.Entity != nil {
+		if session.cfg.ReviewerEntities == nil {
+			session.cfg.ReviewerEntities = map[string]config.ReviewerEntity{}
+		}
+		session.cfg.ReviewerEntities[entityName] = *pending.Entity
+	}
+	for profileName, reviewer := range pending.ProfileReviewers {
+		profile, ok := session.cfg.Profiles[profileName]
+		if !ok {
+			continue
+		}
+		if profile.Reviewer.Kind != config.ProfileReviewerKindGitIdentity {
+			continue
+		}
+		profile.Reviewer = reviewer
+		session.cfg.Profiles[profileName] = profile
+	}
 	for profileName, previous := range pending.Affected {
 		profile, ok := session.cfg.Profiles[profileName]
 		if !ok {
@@ -4818,8 +4952,10 @@ func deleteInteractiveInitLLMRuntime(session initSessionDraft, runtimeName strin
 	if _, exists := session.pendingLLMRuntimeDeletes[runtimeName]; exists {
 		return session, nil
 	}
-	_, profileRuntimeNames := buildInitLLMRuntimeInventory(session.cfg)
+	session.cfg = config.Normalize(session.cfg)
+	runtimes, profileRuntimeNames := buildInitLLMRuntimeInventory(session.cfg)
 	original := map[string]config.LLMConfig{}
+	originalRefs := map[string]string{}
 	applied := map[string]config.LLMConfig{}
 	var standaloneOriginal *config.LLMConfig
 	if session.cfg.LLMRuntimes != nil {
@@ -4829,18 +4965,44 @@ func deleteInteractiveInitLLMRuntime(session initSessionDraft, runtimeName strin
 			delete(session.cfg.LLMRuntimes, runtimeName)
 		}
 	}
+	replacementName := ""
+	replacementKey := replacement.identityKey()
+	for name, candidate := range runtimes {
+		if name == runtimeName {
+			continue
+		}
+		if candidate.identityKey() == replacementKey {
+			replacementName = name
+			break
+		}
+	}
+	addedReplacement := false
+	replacementLLM := config.LLMConfig{}
+	if replacementName != "" {
+		replacementLLM = session.cfg.LLMRuntimes[replacementName]
+	} else {
+		var err error
+		replacementLLM, err = initLLMConfigForReplacement("replacement", replacement)
+		if err != nil {
+			return initSessionDraft{}, err
+		}
+		if session.cfg.LLMRuntimes == nil {
+			session.cfg.LLMRuntimes = map[string]config.LLMConfig{}
+		}
+		replacementName = uniqueInitLLMRuntimeName(buildInitLLMRuntimeDraftNameSet(session.cfg.LLMRuntimes), replacement.suggestedName())
+		session.cfg.LLMRuntimes[replacementName] = replacementLLM
+		addedReplacement = true
+	}
 	for profileName, selected := range profileRuntimeNames {
 		if selected != runtimeName {
 			continue
 		}
 		profile := session.cfg.Profiles[profileName]
 		original[profileName] = cloneInitLLMConfig(profile.LLM)
-		nextLLM, err := initLLMConfigForReplacement(profileName, replacement)
-		if err != nil {
-			return initSessionDraft{}, err
-		}
-		applied[profileName] = cloneInitLLMConfig(nextLLM)
-		profile.LLM = nextLLM
+		originalRefs[profileName] = profile.LLMRuntime
+		applied[profileName] = cloneInitLLMConfig(replacementLLM)
+		profile.LLMRuntime = replacementName
+		profile.LLM = replacementLLM
 		session.cfg.Profiles[profileName] = profile
 	}
 	if len(original) == 0 && standaloneOriginal == nil {
@@ -4849,8 +5011,11 @@ func deleteInteractiveInitLLMRuntime(session initSessionDraft, runtimeName strin
 	session.pendingLLMRuntimeDeletes[runtimeName] = initPendingLLMRuntimeDelete{
 		RuntimeName:        runtimeName,
 		Replacement:        replacement,
+		ReplacementName:    replacementName,
+		AddedReplacement:   addedReplacement,
 		Applied:            applied,
 		Original:           original,
+		OriginalRefs:       originalRefs,
 		StandaloneOriginal: standaloneOriginal,
 	}
 	return rebuildInteractiveInitWorkspace(session, preferredInteractiveInitProfile(session)), nil
@@ -4872,6 +5037,7 @@ func undoInteractiveInitLLMRuntimeDelete(session initSessionDraft, runtimeName s
 		if !reflect.DeepEqual(profile.LLM, applied) {
 			continue
 		}
+		profile.LLMRuntime = pending.OriginalRefs[profileName]
 		profile.LLM = cloneInitLLMConfig(previous)
 		session.cfg.Profiles[profileName] = profile
 	}
@@ -4881,6 +5047,9 @@ func undoInteractiveInitLLMRuntimeDelete(session initSessionDraft, runtimeName s
 		}
 		session.cfg.LLMRuntimes[runtimeName] = cloneInitLLMConfig(*pending.StandaloneOriginal)
 	}
+	if pending.AddedReplacement && pending.ReplacementName != "" && !initLLMRuntimeReferenced(session.cfg, pending.ReplacementName) {
+		delete(session.cfg.LLMRuntimes, pending.ReplacementName)
+	}
 	delete(session.pendingLLMRuntimeDeletes, runtimeName)
 	return rebuildInteractiveInitWorkspace(session, preferredInteractiveInitProfile(session)), nil
 }
@@ -4901,6 +5070,19 @@ func initLLMConfigForReplacement(profileName string, runtime initLLMRuntimeDraft
 	return llm, nil
 }
 
+func initLLMRuntimeReferenced(cfg config.File, runtimeName string) bool {
+	runtimeName = strings.TrimSpace(runtimeName)
+	if runtimeName == "" {
+		return false
+	}
+	for _, profile := range cfg.Profiles {
+		if strings.TrimSpace(profile.LLMRuntime) == runtimeName {
+			return true
+		}
+	}
+	return false
+}
+
 func initCredentialEntryKey(ref config.CredentialRef) string {
 	return strings.Join([]string{ref.Store, ref.Purpose, ref.Ref, ref.Mode, ref.Provider}, "\x00")
 }
@@ -5011,6 +5193,22 @@ func initReviewerEntityDraftFromConfig(profile config.Profile) initReviewerEntit
 	return entity
 }
 
+func initReviewerEntityDraftFromReviewerEntity(entity config.ReviewerEntity) initReviewerEntityDraft {
+	draft := initReviewerEntityDraft{
+		AuthMode:        entity.AuthMode,
+		CredentialStore: initCredentialStoreDraftValue(entity.Credential.Store),
+		CredentialRef:   strings.TrimSpace(firstNonEmpty(entity.Credential.Name, entity.CredentialRef)),
+		DisplayName:     normalizeOptionalDisplayName(entity.DisplayName),
+	}
+	switch entity.AuthMode {
+	case config.GitAuthModeGitHubApp:
+		draft.Kind = initReviewerEntityKindGitHubApp
+	case config.GitAuthModePAT, config.GitAuthModeOAuthDevice:
+		draft.Kind = initReviewerEntityKindPAT
+	}
+	return draft
+}
+
 func (entity initReviewerEntityDraft) exportConfig(previous *config.ReviewerCredentials) *config.ReviewerCredentials {
 	if entity.Kind == initReviewerEntityKindUseGitIdentity {
 		return nil
@@ -5027,6 +5225,28 @@ func (entity initReviewerEntityDraft) exportConfig(previous *config.ReviewerCred
 	return reviewer
 }
 
+func (entity initReviewerEntityDraft) exportReviewerEntityConfig(previous *config.ReviewerEntity, host string) config.ReviewerEntity {
+	reviewer := config.ReviewerEntity{
+		Host:          strings.TrimSpace(host),
+		AuthMode:      entity.AuthMode,
+		Credential:    initCredentialLocation(entity.CredentialStore, entity.CredentialRef),
+		CredentialRef: strings.TrimSpace(entity.CredentialRef),
+		DisplayName:   normalizeOptionalDisplayName(entity.DisplayName),
+	}
+	if previous != nil {
+		if reviewer.Host == "" {
+			reviewer.Host = previous.Host
+		}
+		if entity.matchesReviewerEntityConfig(*previous) {
+			reviewer.IdentityCache = previous.IdentityCache
+		}
+	}
+	if reviewer.Host == "" {
+		reviewer.Host = "github.com"
+	}
+	return reviewer
+}
+
 func (entity initReviewerEntityDraft) identityKey() string {
 	if entity.Kind == initReviewerEntityKindUseGitIdentity {
 		return string(entity.Kind)
@@ -5058,44 +5278,50 @@ func (entity initReviewerEntityDraft) matchesConfig(previous config.ReviewerCred
 		strings.TrimSpace(firstNonEmpty(previous.Credential.Name, previous.CredentialRef)) == strings.TrimSpace(entity.CredentialRef)
 }
 
+func (entity initReviewerEntityDraft) matchesReviewerEntityConfig(previous config.ReviewerEntity) bool {
+	return entity.Kind == initReviewerEntityDraftFromReviewerEntity(previous).Kind &&
+		previous.AuthMode == entity.AuthMode &&
+		initCredentialStoreDraftValue(previous.Credential.Store) == initCredentialStoreDraftValue(entity.CredentialStore) &&
+		strings.TrimSpace(firstNonEmpty(previous.Credential.Name, previous.CredentialRef)) == strings.TrimSpace(entity.CredentialRef)
+}
+
 func buildInitReviewerEntityInventory(cfg config.File) (map[string]initReviewerEntityDraft, map[string]string) {
+	cfg = config.Normalize(cfg)
 	entities := map[string]initReviewerEntityDraft{}
 	profileEntityNames := map[string]string{}
-	entityNamesByKey := map[string]string{}
-	displayNamesByKey := map[string]map[string]struct{}{}
+
+	entityNames := make([]string, 0, len(cfg.ReviewerEntities))
+	for name := range cfg.ReviewerEntities {
+		entityNames = append(entityNames, name)
+	}
+	sort.Strings(entityNames)
+	for _, name := range entityNames {
+		entity := initReviewerEntityDraftFromReviewerEntity(cfg.ReviewerEntities[name])
+		entity.Name = name
+		entities[name] = entity
+	}
+
 	for _, profileName := range sortedProfileNames(cfg.Profiles) {
 		profile := cfg.Profiles[profileName]
-		entity := initReviewerEntityDraftFromConfig(profile)
-		key := entity.identityKey()
-		if entity.DisplayName != "" {
-			if _, ok := displayNamesByKey[key]; !ok {
-				displayNamesByKey[key] = map[string]struct{}{}
+		switch profile.Reviewer.Kind {
+		case config.ProfileReviewerKindGitIdentity:
+			profileEntityNames[profileName] = string(initReviewerEntityKindUseGitIdentity)
+			continue
+		case config.ProfileReviewerKindEntity:
+			if _, ok := entities[profile.Reviewer.Entity]; ok {
+				profileEntityNames[profileName] = profile.Reviewer.Entity
+				continue
 			}
-			displayNamesByKey[key][entity.DisplayName] = struct{}{}
 		}
-		if existingName, ok := entityNamesByKey[key]; ok {
-			profileEntityNames[profileName] = existingName
+		entity := initReviewerEntityDraftFromConfig(profile)
+		if entity.Kind == initReviewerEntityKindUseGitIdentity {
+			profileEntityNames[profileName] = string(initReviewerEntityKindUseGitIdentity)
 			continue
 		}
 		entity.Name = uniqueInitReviewerEntityName(entities, entity.suggestedName())
 		entities[entity.Name] = entity
-		entityNamesByKey[key] = entity.Name
 		profileEntityNames[profileName] = entity.Name
 	}
-	for name, entity := range entities {
-		displayNames := displayNamesByKey[entity.identityKey()]
-		noDisplayName := len(displayNames) == 0
-		conflictingDisplayNames := len(displayNames) > 1
-		if noDisplayName || conflictingDisplayNames {
-			entity.DisplayName = ""
-			entities[name] = entity
-			continue
-		}
-		for displayName := range displayNames {
-			entity.DisplayName = displayName
-		}
-		entities[name] = entity
-	}
 	return entities, profileEntityNames
 }
 
@@ -5117,12 +5343,14 @@ func uniqueInitReviewerEntityName(existing map[string]initReviewerEntityDraft, b
 
 func initLLMRuntimeDraftFromConfig(llm config.LLMConfig) initLLMRuntimeDraft {
 	runtime := initLLMRuntimeDraft{
-		Preset:          initLLMRuntimePresetCustom,
-		Provider:        llm.Provider,
-		Auth:            llm.Auth,
-		Adapter:         llm.Adapter,
-		CredentialStore: initCredentialStoreDraftValue(llm.Credential.Store),
-		CredentialRef:   strings.TrimSpace(firstNonEmpty(llm.Credential.Name, llm.CredentialRef)),
+		Preset:            initLLMRuntimePresetCustom,
+		Provider:          llm.Provider,
+		Auth:              llm.Auth,
+		Adapter:           llm.Adapter,
+		CredentialStore:   initCredentialStoreDraftValue(llm.Credential.Store),
+		CredentialRef:     strings.TrimSpace(firstNonEmpty(llm.Credential.Name, llm.CredentialRef)),
+		ModelMap:          copyModelMap(llm.ModelMap),
+		ReviewerModelTier: llm.ReviewerModelTier,
 	}
 	switch {
 	case runtime.Provider == config.LLMProviderAnthropic && runtime.Auth == config.LLMAuthSubscription && runtime.Adapter == config.LLMAdapterClaudeCLI:
@@ -5144,9 +5372,11 @@ func initLLMRuntimeDraftFromConfig(llm config.LLMConfig) initLLMRuntimeDraft {
 
 func (runtime initLLMRuntimeDraft) exportConfig() config.LLMConfig {
 	llm := config.LLMConfig{
-		Provider: runtime.Provider,
-		Auth:     runtime.Auth,
-		Adapter:  runtime.Adapter,
+		Provider:          runtime.Provider,
+		Auth:              runtime.Auth,
+		Adapter:           runtime.Adapter,
+		ModelMap:          copyModelMap(runtime.ModelMap),
+		ReviewerModelTier: runtime.ReviewerModelTier,
 	}
 	if runtime.Auth == config.LLMAuthAPIKey {
 		llm.Credential = initCredentialLocation(runtime.CredentialStore, runtime.CredentialRef)
@@ -5156,12 +5386,23 @@ func (runtime initLLMRuntimeDraft) exportConfig() config.LLMConfig {
 }
 
 func (runtime initLLMRuntimeDraft) identityKey() string {
+	modelKeys := make([]string, 0, len(runtime.ModelMap))
+	for tier := range runtime.ModelMap {
+		modelKeys = append(modelKeys, tier)
+	}
+	sort.Strings(modelKeys)
+	models := make([]string, 0, len(modelKeys))
+	for _, tier := range modelKeys {
+		models = append(models, tier+"="+strings.TrimSpace(runtime.ModelMap[tier]))
+	}
 	return strings.Join([]string{
 		string(runtime.Provider),
 		string(runtime.Auth),
 		string(runtime.Adapter),
 		initCredentialStoreDraftValue(runtime.CredentialStore),
 		strings.TrimSpace(runtime.CredentialRef),
+		strings.Join(models, "\x1f"),
+		string(runtime.ReviewerModelTier),
 	}, "\x00")
 }
 
@@ -5184,6 +5425,7 @@ func (runtime initLLMRuntimeDraft) suggestedName() string {
 }
 
 func buildInitLLMRuntimeInventory(cfg config.File) (map[string]initLLMRuntimeDraft, map[string]string) {
+	cfg = config.Normalize(cfg)
 	runtimes := map[string]initLLMRuntimeDraft{}
 	profileRuntimeNames := map[string]string{}
 	runtimeNamesByKey := map[string]string{}
@@ -5200,6 +5442,10 @@ func buildInitLLMRuntimeInventory(cfg config.File) (map[string]initLLMRuntimeDra
 	}
 	for _, profileName := range sortedProfileNames(cfg.Profiles) {
 		profile := cfg.Profiles[profileName]
+		if _, ok := runtimes[profile.LLMRuntime]; ok {
+			profileRuntimeNames[profileName] = profile.LLMRuntime
+			continue
+		}
 		runtime := initLLMRuntimeDraftFromConfig(profile.LLM)
 		key := runtime.identityKey()
 		if existingName, ok := runtimeNamesByKey[key]; ok {
@@ -5258,6 +5504,12 @@ func cloneInitConfigFile(cfg config.File) config.File {
 			cloned.LLMRuntimes[name] = cloneInitLLMConfig(runtime)
 		}
 	}
+	if cfg.ReviewerEntities != nil {
+		cloned.ReviewerEntities = make(map[string]config.ReviewerEntity, len(cfg.ReviewerEntities))
+		for name, entity := range cfg.ReviewerEntities {
+			cloned.ReviewerEntities[name] = entity
+		}
+	}
 	cloned.Secrets = cloneInitSecretsConfig(cfg.Secrets)
 	return cloned
 }
@@ -5423,6 +5675,125 @@ func synthesizeInteractiveProfile(flags initOptions, profileName string, previou
 	return profile, nil
 }
 
+func materializeProfileReviewerEntity(cfg config.File, profileName string, profile config.Profile) (config.File, config.Profile) {
+	if profile.ReviewerCredentials == nil {
+		profile.Reviewer = config.ProfileReviewer{Kind: config.ProfileReviewerKindGitIdentity}
+		if cfg.Profiles == nil {
+			cfg.Profiles = map[string]config.Profile{}
+		}
+		cfg.Profiles[profileName] = profile
+		return cfg, profile
+	}
+	if cfg.ReviewerEntities == nil {
+		cfg.ReviewerEntities = map[string]config.ReviewerEntity{}
+	}
+	entity := reviewerEntityConfigFromProfile(profile)
+
+	entityNames := make([]string, 0, len(cfg.ReviewerEntities))
+	for name := range cfg.ReviewerEntities {
+		entityNames = append(entityNames, name)
+	}
+	sort.Strings(entityNames)
+	for _, name := range entityNames {
+		existing := cfg.ReviewerEntities[name]
+		if !sameInitReviewerEntityConfigIdentity(existing, entity) {
+			continue
+		}
+		if displayName := normalizeOptionalDisplayName(entity.DisplayName); displayName != "" {
+			existing.DisplayName = displayName
+			cfg.ReviewerEntities[name] = existing
+		}
+		profile.Reviewer = config.ProfileReviewer{Kind: config.ProfileReviewerKindEntity, Entity: name}
+		if cfg.Profiles == nil {
+			cfg.Profiles = map[string]config.Profile{}
+		}
+		cfg.Profiles[profileName] = profile
+		return cfg, profile
+	}
+
+	entityName := uniqueInitReviewerEntityName(buildInitStandaloneReviewerEntityNameSet(cfg.ReviewerEntities), profileName+"-reviewer")
+	cfg.ReviewerEntities[entityName] = entity
+	profile.Reviewer = config.ProfileReviewer{Kind: config.ProfileReviewerKindEntity, Entity: entityName}
+	if cfg.Profiles == nil {
+		cfg.Profiles = map[string]config.Profile{}
+	}
+	cfg.Profiles[profileName] = profile
+	return cfg, profile
+}
+
+func reviewerEntityConfigFromProfile(profile config.Profile) config.ReviewerEntity {
+	reviewer := profile.ReviewerCredentials
+	if reviewer == nil {
+		return config.ReviewerEntity{}
+	}
+	ref := strings.TrimSpace(firstNonEmpty(reviewer.Credential.Name, reviewer.CredentialRef))
+	return normalizeInitReviewerEntityConfig(config.ReviewerEntity{
+		Host:          profile.Git.Host,
+		AuthMode:      reviewer.AuthMode,
+		Credential:    initCredentialLocation(reviewer.Credential.Store, ref),
+		CredentialRef: ref,
+		DisplayName:   normalizeOptionalDisplayName(reviewer.DisplayName),
+		IdentityCache: reviewer.IdentityCache,
+	})
+}
+
+func sameInitReviewerEntityConfigIdentity(left, right config.ReviewerEntity) bool {
+	left = normalizeInitReviewerEntityConfig(left)
+	right = normalizeInitReviewerEntityConfig(right)
+	return config.NormalizeHost(left.Host) == config.NormalizeHost(right.Host) &&
+		left.AuthMode == right.AuthMode &&
+		initCredentialStoreDraftValue(left.Credential.Store) == initCredentialStoreDraftValue(right.Credential.Store) &&
+		strings.TrimSpace(left.Credential.Name) == strings.TrimSpace(right.Credential.Name)
+}
+
+func normalizeInitReviewerEntityConfig(entity config.ReviewerEntity) config.ReviewerEntity {
+	cfg := config.Normalize(config.File{
+		ReviewerEntities: map[string]config.ReviewerEntity{
+			"entity": entity,
+		},
+	})
+	return cfg.ReviewerEntities["entity"]
+}
+
+func materializeProfileLLMRuntime(cfg config.File, profileName string, profile config.Profile) (config.File, config.Profile) {
+	if cfg.LLMRuntimes == nil {
+		cfg.LLMRuntimes = map[string]config.LLMConfig{}
+	}
+	runtime := initLLMRuntimeDraftFromConfig(profile.LLM)
+	runtimeConfig := runtime.exportConfig()
+	runtimeKey := runtime.identityKey()
+
+	runtimeNames := make([]string, 0, len(cfg.LLMRuntimes))
+	for name := range cfg.LLMRuntimes {
+		runtimeNames = append(runtimeNames, name)
+	}
+	sort.Strings(runtimeNames)
+	for _, name := range runtimeNames {
+		if initLLMRuntimeDraftFromConfig(cfg.LLMRuntimes[name]).identityKey() == runtimeKey {
+			profile.LLMRuntime = name
+			profile.LLM = cloneInitLLMConfig(runtimeConfig)
+			if cfg.Profiles == nil {
+				cfg.Profiles = map[string]config.Profile{}
+			}
+			cfg.Profiles[profileName] = profile
+			return cfg, profile
+		}
+	}
+
+	runtimeName := strings.TrimSpace(profile.LLMRuntime)
+	if runtimeName == "" {
+		runtimeName = uniqueInitLLMRuntimeName(buildInitLLMRuntimeDraftNameSet(cfg.LLMRuntimes), runtime.suggestedName())
+	}
+	cfg.LLMRuntimes[runtimeName] = runtimeConfig
+	profile.LLMRuntime = runtimeName
+	profile.LLM = cloneInitLLMConfig(runtimeConfig)
+	if cfg.Profiles == nil {
+		cfg.Profiles = map[string]config.Profile{}
+	}
+	cfg.Profiles[profileName] = profile
+	return cfg, profile
+}
+
 func collectInteractiveInitModelMap(opts *root.Options, deps initDeps, plan initWorkspaceDraft) (initWorkspaceDraft, error) {
 	prompter := deps.modelMapPrompter
 	if prompter == nil {
@@ -5444,7 +5815,7 @@ func collectInteractiveInitModelMap(opts *root.Options, deps initDeps, plan init
 	nextProfile := plan.profile
 	nextProfile.LLM.ModelMap = normalizeInitModelMap(nextProfile.LLM, edit.ModelMap)
 	nextCfg := plan.cfg
-	nextCfg.Profiles[plan.profileName] = nextProfile
+	nextCfg, nextProfile = materializeProfileLLMRuntime(nextCfg, plan.profileName, nextProfile)
 	if err := config.Validate(nextCfg); err != nil {
 		return initWorkspaceDraft{}, cmderr.Config(err)
 	}
diff --git a/internal/cmd/credentialcmd/credentialcmd_test.go b/internal/cmd/credentialcmd/credentialcmd_test.go
index 39dbe1f7..8318dfe6 100644
--- a/internal/cmd/credentialcmd/credentialcmd_test.go
+++ b/internal/cmd/credentialcmd/credentialcmd_test.go
@@ -268,7 +268,12 @@ func TestSetCredentialRejectsUnsupportedConfigBeforeIngress(t *testing.T) {
 	hermeticFileBackend(t)
 	t.Setenv("CR_FUTURE_TOKEN", "")
 	path := filepath.Join(t.TempDir(), "config.yml")
-	writeRawCredentialTestConfig(t, path, `profiles:
+	writeRawCredentialTestConfig(t, path, `llm_runtimes:
+  claude-cli:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
+profiles:
   future:
     git:
       host: github.com
@@ -276,10 +281,9 @@ func TestSetCredentialRejectsUnsupportedConfigBeforeIngress(t *testing.T) {
       credential:
         store: local-os
         name: codereview/future
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: git_identity
+    llm_runtime: claude-cli
 `)
 
 	tests := []struct {
@@ -1517,7 +1521,7 @@ func TestInitDisableReviewerClearsReviewerCredentials(t *testing.T) {
 	}
 	expected := existing
 	expected.ReviewerCredentials = nil
-	expected = normalizeTestProfile(expected)
+	expected = normalizeTestProfileNamed("work", expected)
 	if !reflect.DeepEqual(got.Profiles["work"], expected) {
 		t.Fatalf("saved profile = %#v, want %#v", got.Profiles["work"], expected)
 	}
@@ -1635,7 +1639,7 @@ func TestInitLLMReviewerModelTierFlags(t *testing.T) {
 		}
 		expected := existing
 		expected.LLM.ReviewerModelTier = ""
-		expected = normalizeTestProfile(expected)
+		expected = normalizeTestProfileNamed("work", expected)
 		if !reflect.DeepEqual(got.Profiles["work"], expected) {
 			t.Fatalf("saved profile = %#v, want %#v", got.Profiles["work"], expected)
 		}
@@ -1726,8 +1730,13 @@ func TestInitPlanApplyPreservesUnrelatedExistingConfig(t *testing.T) {
 		want.Profiles[name] = profile
 	}
 	want.Profiles["work"] = after.Profiles["work"]
+	want.LLMRuntimes = make(map[string]config.LLMConfig, len(before.LLMRuntimes)+1)
+	for name, runtime := range before.LLMRuntimes {
+		want.LLMRuntimes[name] = runtime
+	}
+	want.LLMRuntimes[after.Profiles["work"].LLMRuntime] = after.LLMRuntimes[after.Profiles["work"].LLMRuntime]
 	if !reflect.DeepEqual(after, want) {
-		t.Fatalf("config after init = %#v, want only work profile added to %#v", after, before)
+		t.Fatalf("config after init = %#v, want only work profile/runtime added to %#v", after, before)
 	}
 }
 
@@ -2180,11 +2189,11 @@ func TestBuildInitReviewerEntityInventoryVariantsAndDeduping(t *testing.T) {
 
 	entities, profileEntityNames := buildInitReviewerEntityInventory(cfg)
 
-	if len(entities) != 2 {
-		t.Fatalf("len(entities) = %d, want 2; entities=%#v", len(entities), entities)
+	if len(entities) != 1 {
+		t.Fatalf("len(entities) = %d, want 1; entities=%#v", len(entities), entities)
 	}
-	if profileEntityNames["home"] == profileEntityNames["work"] {
-		t.Fatalf("profileEntityNames = %#v, want self entity distinct from PAT reviewer", profileEntityNames)
+	if profileEntityNames["home"] != string(initReviewerEntityKindUseGitIdentity) {
+		t.Fatalf("profileEntityNames = %#v, want home to use Git identity fallback", profileEntityNames)
 	}
 	if profileEntityNames["work"] != profileEntityNames["bot"] {
 		t.Fatalf("profileEntityNames = %#v, want deduped PAT reviewer entity", profileEntityNames)
@@ -2217,8 +2226,8 @@ func TestBuildInitReviewerEntityInventoryAssignsStableSuffixOnNameCollision(t *t
 	if profileEntityNames["home"] == profileEntityNames["work"] {
 		t.Fatalf("profileEntityNames = %#v, want distinct names for colliding reviewer bases", profileEntityNames)
 	}
-	if profileEntityNames["home"] != "reviewer-pat" && profileEntityNames["work"] != "reviewer-pat" {
-		t.Fatalf("profileEntityNames = %#v, want one unsuffixed base name", profileEntityNames)
+	if profileEntityNames["home"] != "home-reviewer" || profileEntityNames["work"] != "work-reviewer" {
+		t.Fatalf("profileEntityNames = %#v, want profile-derived reviewer entity names", profileEntityNames)
 	}
 	if initReviewerEntityLabel(entities[profileEntityNames["home"]]) == initReviewerEntityLabel(entities[profileEntityNames["work"]]) {
 		t.Fatalf("reviewer labels should be distinguishable: %#v", profileEntityNames)
@@ -2395,19 +2404,18 @@ func TestInitReviewerEntityInventoryRowsUseNameFirstConfiguredLabels(t *testing.
 		t.Fatalf("configuredTitles = %#v, want %#v", got, want)
 	}
 	if got, want := commandIDs, []string{
-		string(initReviewerEntityKindUseGitIdentity),
 		string(initReviewerEntityKindPAT),
 		string(initReviewerEntityKindGitHubApp),
 		initBackSelection,
 	}; !reflect.DeepEqual(got, want) {
 		t.Fatalf("commandIDs = %#v, want %#v", got, want)
 	}
-	if got, want := commandTitles[1:], []string{
+	if got, want := commandTitles, []string{
 		reviewerEntityTemplatePATLabel(),
 		reviewerEntityTemplateGitHubAppLabel(),
 		"Back to main menu",
 	}; !reflect.DeepEqual(got, want) {
-		t.Fatalf("commandTitles[1:] = %#v, want %#v", got, want)
+		t.Fatalf("commandTitles = %#v, want %#v", got, want)
 	}
 }
 
@@ -2440,20 +2448,20 @@ func TestBuildInitReviewerEntityInventorySharedDisplayNameWinsWhenOnlyOneProfile
 	}
 }
 
-func TestEditInteractiveInitReviewerEntityStepPropagatesSharedDisplayName(t *testing.T) {
+func TestEditInteractiveInitReviewerEntityStepUpdatesConfiguredEntity(t *testing.T) {
 	home := basicProfile("home")
 	work := basicProfile("work")
-	home.ReviewerCredentials = &config.ReviewerCredentials{
-		AuthMode:      config.GitAuthModeGitHubApp,
-		CredentialRef: "codereview/open-cli-collective-rianjs-bot",
-		DisplayName:   "Old home label",
-	}
-	work.ReviewerCredentials = &config.ReviewerCredentials{
-		AuthMode:      config.GitAuthModeGitHubApp,
-		CredentialRef: "codereview/open-cli-collective-rianjs-bot",
-		DisplayName:   "Old work label",
-	}
+	home.Reviewer = config.ProfileReviewer{Kind: config.ProfileReviewerKindEntity, Entity: "oc-collective-bot"}
+	work.Reviewer = config.ProfileReviewer{Kind: config.ProfileReviewerKindEntity, Entity: "oc-collective-bot"}
 	cfg := config.File{
+		ReviewerEntities: map[string]config.ReviewerEntity{
+			"oc-collective-bot": {
+				Host:          "github.com",
+				AuthMode:      config.GitAuthModeGitHubApp,
+				CredentialRef: "codereview/open-cli-collective-rianjs-bot",
+				DisplayName:   "Old label",
+			},
+		},
 		Profiles: map[string]config.Profile{
 			"home": home,
 			"work": work,
@@ -2478,7 +2486,7 @@ func TestEditInteractiveInitReviewerEntityStepPropagatesSharedDisplayName(t *tes
 
 	next, stayInCategory, err := editInteractiveInitReviewerEntityStep(&cobra.Command{}, &root.Options{}, initOptions{}, initDeps{
 		reviewerPrompter: initReviewerEntityPrompterFunc(func(_ initReviewerEntityPrompt) (initDraft, error) {
-			draft.ActionTarget = "reviewer-github-app"
+			draft.ActionTarget = "oc-collective-bot"
 			return draft, nil
 		}),
 		prompter: initPrompterFunc(func(_ initPromptContext) (initDraft, error) {
@@ -2492,8 +2500,21 @@ func TestEditInteractiveInitReviewerEntityStepPropagatesSharedDisplayName(t *tes
 	if stayInCategory {
 		t.Fatal("stayInCategory = true, want focused reviewer flow to return to main menu after stage")
 	}
+	entity := next.cfg.ReviewerEntities["oc-collective-bot"]
+	if got, want := entity.AuthMode, config.GitAuthModeGitHubApp; got != want {
+		t.Fatalf("entity auth mode = %q, want %q", got, want)
+	}
+	if got, want := entity.CredentialRef, "codereview/open-cli-collective-rianjs-bot-renamed"; got != want {
+		t.Fatalf("entity credential ref = %q, want %q", got, want)
+	}
+	if got, want := entity.DisplayName, "OC Collective bot"; got != want {
+		t.Fatalf("entity display name = %q, want %q", got, want)
+	}
 	for _, profileName := range []string{"home", "work"} {
 		profile := next.cfg.Profiles[profileName]
+		if got, want := profile.Reviewer, (config.ProfileReviewer{Kind: config.ProfileReviewerKindEntity, Entity: "oc-collective-bot"}); got != want {
+			t.Fatalf("%s reviewer selector = %#v, want %#v", profileName, got, want)
+		}
 		if profile.ReviewerCredentials == nil {
 			t.Fatalf("%s reviewer credentials cleared unexpectedly", profileName)
 		}
@@ -2509,18 +2530,9 @@ func TestEditInteractiveInitReviewerEntityStepPropagatesSharedDisplayName(t *tes
 	}
 }
 
-func TestEditInteractiveInitReviewerEntityStepPropagatesConcreteSharedReviewerRefAfterStandardNoOpEdit(t *testing.T) {
+func TestEditInteractiveInitReviewerEntityStepDefaultsBlankRefToStandaloneEntityRef(t *testing.T) {
 	home := basicProfile("home")
 	work := basicProfile("work")
-	home.ReviewerCredentials = &config.ReviewerCredentials{
-		AuthMode:      config.GitAuthModeGitHubApp,
-		CredentialRef: "codereview/home-reviewer",
-	}
-	work.ReviewerCredentials = &config.ReviewerCredentials{
-		AuthMode:      config.GitAuthModeGitHubApp,
-		CredentialRef: "codereview/home-reviewer",
-		DisplayName:   "Old work label",
-	}
 	cfg := config.File{
 		Profiles: map[string]config.Profile{
 			"home": home,
@@ -2560,34 +2572,29 @@ func TestEditInteractiveInitReviewerEntityStepPropagatesConcreteSharedReviewerRe
 	if stayInCategory {
 		t.Fatal("stayInCategory = true, want focused reviewer flow to return to main menu after stage")
 	}
-	for _, profileName := range []string{"home", "work"} {
-		profile := next.cfg.Profiles[profileName]
-		if profile.ReviewerCredentials == nil {
-			t.Fatalf("%s reviewer credentials cleared unexpectedly", profileName)
-		}
-		if got, want := profile.ReviewerCredentials.CredentialRef, "codereview/home-reviewer"; got != want {
-			t.Fatalf("%s credential ref = %q, want %q", profileName, got, want)
-		}
-		if got, want := profile.ReviewerCredentials.DisplayName, "OC Collective bot"; got != want {
-			t.Fatalf("%s display name = %q, want %q", profileName, got, want)
-		}
+	entity := next.cfg.ReviewerEntities["reviewer-github-app"]
+	if got, want := entity.CredentialRef, "codereview/reviewer-github-app"; got != want {
+		t.Fatalf("entity credential ref = %q, want %q", got, want)
+	}
+	if got, want := entity.DisplayName, "OC Collective bot"; got != want {
+		t.Fatalf("entity display name = %q, want %q", got, want)
 	}
 }
 
 func TestEditInteractiveInitReviewerEntityStepSelectingFallbackDoesNotPropagateSharedEntity(t *testing.T) {
 	home := basicProfile("home")
 	work := basicProfile("work")
-	home.ReviewerCredentials = &config.ReviewerCredentials{
-		AuthMode:      config.GitAuthModeGitHubApp,
-		CredentialRef: "codereview/open-cli-collective-rianjs-bot",
-		DisplayName:   "Old home label",
-	}
-	work.ReviewerCredentials = &config.ReviewerCredentials{
-		AuthMode:      config.GitAuthModeGitHubApp,
-		CredentialRef: "codereview/open-cli-collective-rianjs-bot",
-		DisplayName:   "Old work label",
-	}
+	home.Reviewer = config.ProfileReviewer{Kind: config.ProfileReviewerKindEntity, Entity: "oc-collective-bot"}
+	work.Reviewer = config.ProfileReviewer{Kind: config.ProfileReviewerKindEntity, Entity: "oc-collective-bot"}
 	cfg := config.File{
+		ReviewerEntities: map[string]config.ReviewerEntity{
+			"oc-collective-bot": {
+				Host:          "github.com",
+				AuthMode:      config.GitAuthModeGitHubApp,
+				CredentialRef: "codereview/open-cli-collective-rianjs-bot",
+				DisplayName:   "Old label",
+			},
+		},
 		Profiles: map[string]config.Profile{
 			"home": home,
 			"work": work,
@@ -2625,14 +2632,15 @@ func TestEditInteractiveInitReviewerEntityStepSelectingFallbackDoesNotPropagateS
 	if stayInCategory {
 		t.Fatal("stayInCategory = true, want focused reviewer flow to return to main menu after stage")
 	}
-	if got := next.cfg.Profiles["home"].ReviewerCredentials; got != nil {
-		t.Fatalf("home reviewer credentials = %#v, want cleared fallback reviewer", got)
+	normalized := config.Normalize(next.cfg)
+	if got := normalized.Profiles["home"].Reviewer; got != (config.ProfileReviewer{Kind: config.ProfileReviewerKindEntity, Entity: "oc-collective-bot"}) {
+		t.Fatalf("home reviewer selector = %#v, want unchanged configured entity", got)
 	}
-	workProfile := next.cfg.Profiles["work"]
+	workProfile := normalized.Profiles["work"]
 	if workProfile.ReviewerCredentials == nil {
 		t.Fatal("work reviewer credentials cleared unexpectedly")
 	}
-	if got, want := workProfile.ReviewerCredentials.DisplayName, "Old work label"; got != want {
+	if got, want := workProfile.ReviewerCredentials.DisplayName, "Old label"; got != want {
 		t.Fatalf("work display name = %q, want %q", got, want)
 	}
 	if got, want := workProfile.ReviewerCredentials.CredentialRef, "codereview/open-cli-collective-rianjs-bot"; got != want {
@@ -2725,14 +2733,13 @@ func TestInitReviewerEntityInventoryRowsUseExplicitGitAccountFallbackLabels(t *t
 		t.Run(tc.name, func(t *testing.T) {
 			profile := basicProfile("home")
 			profile.Git = tc.git
-			rows := initReviewerEntityInventoryRows(initPromptContext{
-				ExistingProfile: &profile,
-			})
-			if len(rows) == 0 {
-				t.Fatal("rows = empty, want fallback command row")
+			label := profileEditorReviewerEntityFallbackLabel(initGitScopeDraftFromConfig(profile.Git), &profile)
+			options := initReviewerEntitySelectionOptions(map[string]initReviewerEntityDraft{}, label)
+			if len(options) == 0 {
+				t.Fatal("options = empty, want fallback option")
 			}
-			if got := rows[0].Title; got != tc.wantText {
-				t.Fatalf("fallback row = %q, want %q", got, tc.wantText)
+			if got := options[0].Key; got != tc.wantText {
+				t.Fatalf("fallback option = %q, want %q", got, tc.wantText)
 			}
 		})
 	}
@@ -5088,19 +5095,17 @@ func TestHuhInitReviewerEntityPrompterAccessibleConfiguredReviewerRoundTripsInMi
 		},
 	}
 	reviewerEntities, profileReviewerEntities := buildInitReviewerEntityInventory(cfg)
+	selectedReviewerEntity := profileReviewerEntities["work"]
 	var stderr bytes.Buffer
 	prompter := huhInitReviewerEntityPrompter{
-		stderr: &stderr,
-		editorRunner: stageReviewerEntityEditorRunner(t, map[initLinearFieldID]string{
-			initReviewerEntityFieldGitHubAppID:         "12345",
-			initReviewerEntityFieldGitHubAppPrivateKey: testReviewerGitHubAppPrivateKey(),
-		}, ""),
+		stderr:       &stderr,
+		editorRunner: stageReviewerEntityEditorRunner(t, nil, ""),
 		inventoryRunner: func(_ initInventoryPrompt, _ io.Reader, out io.Writer) (initInventoryResult, error) {
 			_, _ = io.WriteString(out, "custom-work-reviewer (PAT reviewer)\n")
 			return initInventoryResult{
 				Action: initInventoryActionEdit,
 				Row: initInventoryRow{
-					ID:    "reviewer-pat",
+					ID:    selectedReviewerEntity,
 					Title: "custom-work-reviewer (PAT reviewer)",
 				},
 			}, nil
@@ -5109,20 +5114,24 @@ func TestHuhInitReviewerEntityPrompterAccessibleConfiguredReviewerRoundTripsInMi
 
 	draft, err := prompter.EditReviewerEntity(initReviewerEntityPrompt{
 		Context: initPromptContext{
-			RequestedProfileName:    "home",
-			ExistingProfileName:     "home",
-			ExistingProfile:         &home,
-			ExistingConfig:          cfg,
-			ReviewerEntities:        reviewerEntities,
-			ProfileReviewerEntities: profileReviewerEntities,
+			RequestedProfileName:         "home",
+			ExistingProfileName:          "home",
+			ExistingProfile:              &home,
+			ExistingConfig:               cfg,
+			ReviewerEntities:             reviewerEntities,
+			ProfileReviewerEntities:      profileReviewerEntities,
+			StandaloneReviewerEntityMode: true,
 		},
 	})
 	if err != nil {
 		t.Fatalf("EditReviewerEntity: %v", err)
 	}
-	if !draft.ReviewerEnabled || draft.ReviewerAuth != string(config.GitAuthModePAT) || draft.ReviewerCredentialRef != "codereview/custom-work-reviewer" {
+	if !draft.ReviewerEnabled || draft.ReviewerAuth != string(config.GitAuthModePAT) || draft.ReviewerCredentialWriteRef != "codereview/custom-work-reviewer" {
 		t.Fatalf("draft reviewer = %#v, want configured PAT reviewer to round-trip intact", draft)
 	}
+	if draft.ReviewerCredentialRef != "" || draft.AdvancedStorageLabels {
+		t.Fatalf("draft reviewer location = %q / advanced=%v, want unchanged existing standalone entity location", draft.ReviewerCredentialRef, draft.AdvancedStorageLabels)
+	}
 }
 
 func TestHuhInitPrompterAccessibleRequestedNewProfilePreservesExplicitName(t *testing.T) {
@@ -6344,7 +6353,7 @@ func TestHuhInitReviewerEntityPrompterDefaultUsesLinearReviewerFlow(t *testing.T
 		editorRunner: func(editor initLinearEditor, _ io.Reader, out io.Writer) (initLinearEditorModel, error) {
 			model := newInitLinearEditorModel(editor, 160, 60)
 			model = selectInitLinearFieldValue(t, model, initReviewerEntityFieldSelection, string(initReviewerEntityKindPAT))
-			model.setFieldValue(initReviewerEntityFieldGitToken, "reviewer-pat")
+			model.setFieldValue(initReviewerEntityFieldGitToken, "inline-secret-token")
 			model.afterFieldChange(model.document.fieldIndexByID(initReviewerEntityFieldGitToken))
 			model = focusInitLinearField(t, model, initReviewerEntityFieldAction)
 			model = selectInitLinearFieldValue(t, model, initReviewerEntityFieldAction, initDetailActionEdit)
@@ -6370,7 +6379,7 @@ func TestHuhInitReviewerEntityPrompterDefaultUsesLinearReviewerFlow(t *testing.T
 	if !draft.ReviewerEnabled || draft.ReviewerAuth != string(config.GitAuthModePAT) {
 		t.Fatalf("draft = %#v, want PAT reviewer", draft)
 	}
-	if got := draft.ReviewerCredentialWrites[credentials.GitTokenKey]; got != "reviewer-pat" {
+	if got := draft.ReviewerCredentialWrites[credentials.GitTokenKey]; got != "inline-secret-token" {
 		t.Fatalf("staged reviewer PAT = %q, want inline token", got)
 	}
 	out := stderr.String()
@@ -6395,7 +6404,7 @@ func TestHuhInitReviewerEntityPrompterDefaultUsesLinearReviewerFlow(t *testing.T
 		}
 	}
 	assertContentOrder(t, out, "Reviewer entity", "Reviewer details", "Entity label", "Reviewer secret location", "Reviewer credential status", "Reviewer action")
-	if strings.Contains(out, "reviewer-pat") {
+	if strings.Contains(out, "inline-secret-token") {
 		t.Fatalf("stderr leaked reviewer PAT value:\n%s", out)
 	}
 	if strings.Contains(out, "Back to main menu") {
@@ -6587,7 +6596,7 @@ func TestReviewerEntityExistingReviewerChangedRefRequiresInlineSecrets(t *testin
 		AuthMode:      config.GitAuthModePAT,
 		CredentialRef: "codereview/existing-reviewer",
 		DisplayName:   "Existing reviewer",
-	}, seed, true)
+	}, seed, true, false)
 	if err != nil {
 		t.Fatalf("newReviewerEntityEditorState: %v", err)
 	}
@@ -9569,7 +9578,7 @@ func TestInitInteractiveModelMapAddEditRemoveAndReset(t *testing.T) {
 			expected := existing
 			expected.LLM.ModelMap = copyModelMap(tt.want)
 			expected.ReviewPolicy.MajorEvent = config.ReviewMajorEventComment
-			expected = normalizeTestProfile(expected)
+			expected = normalizeTestProfileNamed("work", expected)
 			if !reflect.DeepEqual(cfg.Profiles["work"], expected) {
 				t.Fatalf("saved profile = %#v, want %#v", cfg.Profiles["work"], expected)
 			}
@@ -12299,12 +12308,12 @@ func TestInitSecretsProfileBackendFromInputsSwitchingAwayFromOnePasswordClearsBa
 	}
 }
 
-func TestBuildInteractiveInitMenuPromptNoWorkspaceDisablesProfileDependentActions(t *testing.T) {
+func TestBuildInteractiveInitMenuPromptNoWorkspaceEnablesStandaloneEditors(t *testing.T) {
 	prompt := buildInteractiveInitMenuPrompt(initSessionDraft{
 		cfg: config.File{Profiles: map[string]config.Profile{}},
 	})
-	if !prompt.CanConfigureLLM || prompt.CanConfigureReviewer || prompt.CanSave {
-		t.Fatalf("prompt = %#v, want LLM enabled and reviewer/save disabled without a workspace", prompt)
+	if !prompt.CanConfigureLLM || !prompt.CanConfigureReviewer || prompt.CanSave {
+		t.Fatalf("prompt = %#v, want LLM/reviewer enabled and save disabled without a workspace", prompt)
 	}
 	if prompt.ReviewProfileCount != 0 || prompt.LLMRuntimeCount != 0 || prompt.ReviewerEntityCount != 0 {
 		t.Fatalf("prompt counts = %#v, want zero counts without a workspace", prompt)
@@ -12328,8 +12337,8 @@ func TestBuildInteractiveInitMenuPromptNoWorkspaceCanSaveStagedCredentialStore(t
 		originalCfg: original,
 		cfg:         next,
 	})
-	if !prompt.CanConfigureLLM || prompt.CanConfigureReviewer {
-		t.Fatalf("prompt = %#v, want LLM enabled and reviewer disabled without a workspace", prompt)
+	if !prompt.CanConfigureLLM || !prompt.CanConfigureReviewer {
+		t.Fatalf("prompt = %#v, want LLM/reviewer enabled without a workspace", prompt)
 	}
 	if !prompt.CanSave {
 		t.Fatalf("prompt = %#v, want store-only staged changes to enable commit", prompt)
@@ -12345,8 +12354,8 @@ func TestBuildInteractiveInitMenuPromptAfterDeletingLastProfileDisablesSaveAndFo
 	}
 
 	prompt := buildInteractiveInitMenuPrompt(session)
-	if !prompt.CanConfigureLLM || prompt.CanConfigureReviewer || prompt.CanSave {
-		t.Fatalf("prompt = %#v, want LLM enabled and save/reviewer disabled with zero-profile draft", prompt)
+	if !prompt.CanConfigureLLM || !prompt.CanConfigureReviewer || prompt.CanSave {
+		t.Fatalf("prompt = %#v, want LLM/reviewer enabled and save disabled with zero-profile draft", prompt)
 	}
 	if prompt.ReviewProfileCount != 0 || prompt.LLMRuntimeCount != 0 || prompt.ReviewerEntityCount != 0 {
 		t.Fatalf("prompt counts = %#v, want effective inventory counts at zero after deleting last profile", prompt)
@@ -12388,8 +12397,8 @@ func TestBuildInteractiveInitMenuPromptNoWorkspaceStillShowsExistingInventoryCou
 		originalCfg: cloneInitConfigFile(cfg),
 		cfg:         cfg,
 	})
-	if !prompt.CanConfigureLLM || prompt.CanConfigureReviewer || prompt.CanSave {
-		t.Fatalf("prompt = %#v, want LLM enabled and reviewer/save disabled without active workspace", prompt)
+	if !prompt.CanConfigureLLM || !prompt.CanConfigureReviewer || prompt.CanSave {
+		t.Fatalf("prompt = %#v, want LLM/reviewer enabled and save disabled without active workspace", prompt)
 	}
 	if prompt.LLMRuntimeCount != 2 || prompt.ReviewerEntityCount != 1 || prompt.ReviewProfileCount != 2 {
 		t.Fatalf("prompt counts = %#v, want existing inventory counts from session cfg", prompt)
@@ -12553,10 +12562,6 @@ func TestInitMenuDisabledRowsShowErrorWithoutQuitting(t *testing.T) {
 		action initMenuAction
 		reason string
 	}{
-		{
-			action: initMenuActionReviewerEntities,
-			reason: "configure a review profile before editing reviewer entities",
-		},
 		{
 			action: initMenuActionSave,
 			reason: "stage changes before committing",
@@ -12592,8 +12597,8 @@ func TestInitMenuDisabledRowsShowErrorWithoutQuitting(t *testing.T) {
 
 func TestInitMenuNavigationSkipsDisabledRows(t *testing.T) {
 	model := newInitMenuModel(initMenuPrompt{})
-	if got := model.items[model.selected].Action; got != initMenuActionReviewProfiles {
-		t.Fatalf("initial action = %q, want review profiles", got)
+	if got := model.items[model.selected].Action; got != initMenuActionSecretsManagement {
+		t.Fatalf("initial action = %q, want secrets management", got)
 	}
 
 	model.selected = initMenuSelectedIndex(model.items, initMenuActionSecretsManagement)
@@ -12605,8 +12610,12 @@ func TestInitMenuNavigationSkipsDisabledRows(t *testing.T) {
 
 	result.selected = initMenuSelectedIndex(result.items, initMenuActionReviewerEntities)
 	out := result.View()
-	if strings.Contains(out, "\x1b[38;5;42mConfigure reviewer entities") {
-		t.Fatalf("disabled selected row rendered with active selected color:\n%s", out)
+	plainOut := stripANSITest(out)
+	if !strings.Contains(plainOut, "> [x] Configure reviewer entities") {
+		t.Fatalf("selected reviewer row did not render active:\n%s", out)
+	}
+	if strings.Contains(plainOut, "Prerequisite: configure a review profile before editing reviewer entities") {
+		t.Fatalf("reviewer row rendered old profile prerequisite:\n%s", out)
 	}
 }
 
@@ -12763,14 +12772,14 @@ func TestInitMenuInitialActionStartsAtSecretsManagementWhenWorkspaceIsActive(t *
 	}
 }
 
-func TestInitMenuInitialActionStartsAtReviewProfilesBeforeWorkspace(t *testing.T) {
+func TestInitMenuInitialActionStartsAtSecretsManagementBeforeWorkspace(t *testing.T) {
 	action := initMenuInitialAction(initMenuPrompt{})
-	if action != initMenuActionReviewProfiles {
-		t.Fatalf("action = %q, want review profiles before workspace-dependent actions are enabled", action)
+	if action != initMenuActionSecretsManagement {
+		t.Fatalf("action = %q, want secrets management before a workspace exists", action)
 	}
 }
 
-func TestHuhInitMenuPrompterDefaultStartsAtProfileSetupBeforeWorkspace(t *testing.T) {
+func TestHuhInitMenuPrompterDefaultStartsAtSecretsManagementBeforeWorkspace(t *testing.T) {
 	t.Setenv("TERM", "dumb")
 	var stderr bytes.Buffer
 	prompter := huhInitMenuPrompter{
@@ -12783,8 +12792,8 @@ func TestHuhInitMenuPrompterDefaultStartsAtProfileSetupBeforeWorkspace(t *testin
 	if err != nil {
 		t.Fatalf("ChooseAction: %v", err)
 	}
-	if action != initMenuActionReviewProfiles {
-		t.Fatalf("action = %q, want review profile setup before dependent workflows are enabled", action)
+	if action != initMenuActionSecretsManagement {
+		t.Fatalf("action = %q, want secrets management before a workspace exists", action)
 	}
 }
 
@@ -12830,26 +12839,22 @@ func TestHuhInitMenuPrompterAccessibleAllowsLLMBeforeProfileExists(t *testing.T)
 	}
 }
 
-func TestHuhInitMenuPrompterAccessibleRejectsDisabledReviewerUntilProfileExists(t *testing.T) {
+func TestHuhInitMenuPrompterAccessibleAllowsReviewerBeforeProfileExists(t *testing.T) {
 	t.Setenv("TERM", "dumb")
 	var stderr bytes.Buffer
 	prompter := huhInitMenuPrompter{
-		stdin: strings.NewReader(strings.Join([]string{
-			"3", // Configure reviewer entities (disabled)
-			"7", // Discard staged changes and exit
-			"",
-		}, "\n")),
+		stdin:  strings.NewReader("3\n"),
 		stderr: &stderr,
 	}
 	action, err := prompter.ChooseAction(initMenuPrompt{})
 	if err != nil {
 		t.Fatalf("ChooseAction: %v", err)
 	}
-	if action == initMenuActionReviewerEntities {
-		t.Fatalf("action = %q, want disabled reviewer selection to be rejected", action)
+	if action != initMenuActionReviewerEntities {
+		t.Fatalf("action = %q, want reviewer entities", action)
 	}
-	if !strings.Contains(stderr.String(), "configure a review profile before editing reviewer entities") {
-		t.Fatalf("stderr = %q, want disabled-reviewer validation message", stderr.String())
+	if strings.Contains(stderr.String(), "configure a review profile before editing reviewer entities") {
+		t.Fatalf("stderr = %q, want no disabled-reviewer validation message", stderr.String())
 	}
 }
 
@@ -14980,7 +14985,7 @@ func TestInitInteractiveMenuFocusedLLMRuntimePreservesUnrelatedProfileState(t *t
 		RepositoryProfiles: wantRoutes,
 		Profiles:           map[string]config.Profile{"work": profile},
 	})
-	profile = normalizeTestProfile(profile)
+	profile = normalizeTestProfileNamed("work", profile)
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
 		Stdout:     &bytes.Buffer{},
@@ -15069,7 +15074,7 @@ func TestInitInteractiveMenuFocusedLLMRuntimeNoOpSkipsStoreOnSaveAndPersistsGlob
 	saveCredentialTestConfig(t, path, config.File{
 		Profiles: map[string]config.Profile{"work": wantProfile},
 	})
-	wantProfile = normalizeTestProfile(wantProfile)
+	wantProfile = normalizeTestProfileNamed("work", wantProfile)
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
 		Stdout:     &bytes.Buffer{},
@@ -15302,7 +15307,7 @@ func TestInitInteractiveMenuFocusedReviewerEntityRebuildsSecretPlanning(t *testi
 				"default": {
 					credentials.GitTokenKey: "existing-token",
 				},
-				"default-reviewer": {
+				"reviewer-github-app": {
 					credentials.GitHubAppIDKey:         "12345",
 					credentials.GitHubAppPrivateKeyKey: "private-key",
 				},
@@ -15323,14 +15328,25 @@ func TestInitInteractiveMenuFocusedReviewerEntityRebuildsSecretPlanning(t *testi
 		t.Fatalf("Load config: %v", err)
 	}
 	profile := cfg.Profiles["default"]
-	if profile.ReviewerCredentials == nil {
-		t.Fatal("reviewer credentials = nil, want focused reviewer edit to enable separate reviewer")
+	if profile.Reviewer.Kind != config.ProfileReviewerKindGitIdentity {
+		t.Fatalf("profile reviewer = %#v, want reusable reviewer entity to stay unattached until selected by profile", profile.Reviewer)
+	}
+	var gotEntity *config.ReviewerEntity
+	for name, entity := range cfg.ReviewerEntities {
+		if entity.AuthMode == config.GitAuthModeGitHubApp {
+			entityCopy := entity
+			gotEntity = &entityCopy
+			if name == "" {
+				t.Fatal("reviewer entity name is empty")
+			}
+			break
+		}
 	}
-	if profile.ReviewerCredentials.AuthMode != config.GitAuthModeGitHubApp {
-		t.Fatalf("reviewer credentials = %#v, want github app reviewer", profile.ReviewerCredentials)
+	if gotEntity == nil {
+		t.Fatalf("reviewer_entities = %#v, want staged GitHub App reviewer entity", cfg.ReviewerEntities)
 	}
-	if profile.ReviewerCredentials.CredentialRef == "" {
-		t.Fatalf("reviewer credential ref = %q, want generated ref after reviewer rebuild", profile.ReviewerCredentials.CredentialRef)
+	if gotEntity.CredentialRef == "" {
+		t.Fatalf("reviewer entity credential ref = %q, want generated ref after reviewer rebuild", gotEntity.CredentialRef)
 	}
 	if cfg.Keyring.Backend != "" || cfg.Data.Retention.MaxAgeDaysValue() != 14 || cfg.Data.Retention.Enforcement != config.RetentionAtWrite {
 		t.Fatalf("global settings after reviewer rebuild = %#v / %#v, want empty backend + 14/at_write", cfg.Keyring, cfg.Data.Retention)
@@ -16271,13 +16287,14 @@ func TestInitInteractiveMenuFocusedGitHubAppReviewerInlineWritesReadyWithoutHint
 		t.Fatalf("Load config: %v", err)
 	}
 	profile := got.Profiles["work"]
-	if profile.ReviewerCredentials == nil {
-		t.Fatal("reviewer credentials = nil, want deferred GitHub App reviewer saved")
+	if profile.Reviewer.Kind != config.ProfileReviewerKindGitIdentity {
+		t.Fatalf("profile reviewer = %#v, want standalone reviewer entity to remain unattached", profile.Reviewer)
 	}
-	if profile.ReviewerCredentials.AuthMode != config.GitAuthModeGitHubApp ||
-		profile.ReviewerCredentials.CredentialRef != "codereview/rianjs-bot" ||
-		profile.ReviewerCredentials.DisplayName != "rianjs-bot" {
-		t.Fatalf("reviewer credentials = %#v, want rianjs-bot GitHub App reviewer", profile.ReviewerCredentials)
+	entity := got.ReviewerEntities["reviewer-github-app"]
+	if entity.AuthMode != config.GitAuthModeGitHubApp ||
+		entity.CredentialRef != "codereview/rianjs-bot" ||
+		entity.DisplayName != "rianjs-bot" {
+		t.Fatalf("reviewer entity = %#v, want rianjs-bot GitHub App reviewer", entity)
 	}
 	if len(secretPrompter.actionPrompts) != 0 || len(secretPrompter.sourcePrompts) != 0 {
 		t.Fatalf("secret prompts = actions:%d sources:%d, want inline reviewer credential collection only", len(secretPrompter.actionPrompts), len(secretPrompter.sourcePrompts))
@@ -16291,9 +16308,6 @@ func TestInitInteractiveMenuFocusedGitHubAppReviewerInlineWritesReadyWithoutHint
 	if _, ok := store.bundles["rianjs-bot"][credentials.GitHubAppInstallationIDKey]; ok {
 		t.Fatalf("installation id stored unexpectedly: %#v", store.bundles["rianjs-bot"])
 	}
-	if !strings.Contains(stdout.String(), "- work: ready") {
-		t.Fatalf("stdout = %q, want ready profile after inline reviewer credentials", stdout.String())
-	}
 	if strings.Contains(stdout.String(), "reviewer deferred") || strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/rianjs-bot") {
 		t.Fatalf("stdout/stderr kept follow-up hint:\nstdout=%s\nstderr=%s", stdout.String(), stderr.String())
 	}
@@ -16375,9 +16389,6 @@ func TestInitInteractiveMenuFocusedGitHubAppReviewerInlineWritesBeforeCommitAndD
 	if strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/rianjs-bot") {
 		t.Fatalf("stderr = %q, want no follow-up hints after set-now reviewer flow", stderr.String())
 	}
-	if !strings.Contains(stdout.String(), "- work: ready") {
-		t.Fatalf("stdout = %q, want ready profile after set-now reviewer flow", stdout.String())
-	}
 }
 
 func TestInitInteractiveMenuLabelDerivedReviewerRefDoesNotOverwriteUnconfiguredExistingBundle(t *testing.T) {
@@ -16693,7 +16704,8 @@ func TestInitInteractiveMenuReviewerCredentialDecisionDropsAfterReviewerCleared(
 				draft.ReviewerCredentialRef = "codereview/rianjs-bot"
 				stageDraftInlineGitHubAppReviewerCredentials(&draft, draft.ReviewerCredentialRef, "12345", testReviewerGitHubAppPrivateKey())
 			case 2:
-				draft.ReviewerEnabled = false
+				draft.Action = initDraftActionDeleteReviewerEntity
+				draft.ActionTarget = "reviewer-github-app"
 			default:
 				return initDraft{}, errInitNavigateBack
 			}
@@ -16721,8 +16733,8 @@ func TestInitInteractiveMenuReviewerCredentialDecisionDropsAfterReviewerCleared(
 	if err != nil {
 		t.Fatalf("Load config: %v", err)
 	}
-	if got.Profiles["work"].ReviewerCredentials != nil {
-		t.Fatalf("reviewer credentials = %#v, want cleared reviewer", got.Profiles["work"].ReviewerCredentials)
+	if _, ok := got.ReviewerEntities["reviewer-github-app"]; ok {
+		t.Fatalf("reviewer_entities = %#v, want deleted standalone reviewer entity absent", got.ReviewerEntities)
 	}
 }
 
@@ -16762,9 +16774,11 @@ func TestInitInteractiveMenuReviewerCredentialDecisionDropsAfterReviewerRefChang
 			draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
 			switch reviewerPrompterCalls {
 			case 1:
+				draft.ActionTarget = "reviewer-github-app"
 				draft.ReviewerCredentialRef = "codereview/old-reviewer"
 				stageDraftInlineGitHubAppReviewerCredentials(&draft, draft.ReviewerCredentialRef, "old-app-id", testReviewerGitHubAppPrivateKey())
 			case 2:
+				draft.ActionTarget = "reviewer-github-app"
 				draft.ReviewerCredentialRef = "codereview/new-reviewer"
 				stageDraftInlineGitHubAppReviewerCredentials(&draft, draft.ReviewerCredentialRef, "new-app-id", testReviewerGitHubAppPrivateKey())
 			default:
@@ -16804,8 +16818,9 @@ func TestInitInteractiveMenuReviewerCredentialDecisionDropsAfterReviewerRefChang
 	if err != nil {
 		t.Fatalf("Load config: %v", err)
 	}
-	if got.Profiles["work"].ReviewerCredentials == nil || got.Profiles["work"].ReviewerCredentials.CredentialRef != "codereview/new-reviewer" {
-		t.Fatalf("reviewer credentials = %#v, want new reviewer ref", got.Profiles["work"].ReviewerCredentials)
+	entity := got.ReviewerEntities["reviewer-github-app"]
+	if entity.CredentialRef != "codereview/new-reviewer" {
+		t.Fatalf("reviewer entity = %#v, want new reviewer ref", entity)
 	}
 }
 
@@ -17179,6 +17194,7 @@ func TestInitInteractiveMenuFocusedReviewerEntityLabelOnlySaveSkipsCredentialWri
 				return initDraft{}, errInitNavigateBack
 			}
 			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
+			draft.ActionTarget = "work-reviewer"
 			draft.ReviewerEnabled = true
 			draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
 			draft.ReviewerDisplayName = "OC Collective bot"
@@ -17211,7 +17227,7 @@ func TestInitInteractiveMenuFocusedReviewerEntityLabelOnlySaveSkipsCredentialWri
 	}
 }
 
-func TestInitInteractiveMenuFocusedReviewerEntitySaveRestoresDefaultCredentialRefWhenDraftClearsCustomRef(t *testing.T) {
+func TestInitInteractiveMenuFocusedReviewerEntitySavePreservesExistingCredentialRefWhenDraftClearsRef(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	cfg := config.File{
 		Profiles: map[string]config.Profile{
@@ -17258,6 +17274,7 @@ func TestInitInteractiveMenuFocusedReviewerEntitySaveRestoresDefaultCredentialRe
 				return initDraft{}, errInitNavigateBack
 			}
 			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
+			draft.ActionTarget = "work-reviewer"
 			draft.ReviewerEnabled = true
 			draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
 			draft.ReviewerCredentialRef = ""
@@ -17302,10 +17319,10 @@ func TestInitInteractiveMenuFocusedReviewerEntitySaveRestoresDefaultCredentialRe
 	}
 	profile := got.Profiles["work"]
 	if profile.ReviewerCredentials == nil {
-		t.Fatal("reviewer credentials = nil, want default reviewer ref restored after save")
+		t.Fatal("reviewer credentials = nil, want existing reviewer ref preserved after save")
 	}
-	if profile.ReviewerCredentials.CredentialRef != "codereview/work-reviewer" {
-		t.Fatalf("reviewer credential ref = %q, want generated default reviewer ref after clearing custom ref", profile.ReviewerCredentials.CredentialRef)
+	if profile.ReviewerCredentials.CredentialRef != "codereview/custom-work-reviewer" {
+		t.Fatalf("reviewer credential ref = %q, want existing reviewer ref preserved after clearing draft ref", profile.ReviewerCredentials.CredentialRef)
 	}
 }
 
@@ -17456,20 +17473,20 @@ func TestInitInteractiveMenuFocusedReviewerEntityDeleteUndoReturnsToMenu(t *test
 			reviewerCalls++
 			switch reviewerCalls {
 			case 1:
-				if _, ok := prompt.Context.ReviewerEntities["reviewer-github-app"]; !ok {
-					t.Fatalf("ReviewerEntities = %#v, want configured reviewer-github-app before delete", prompt.Context.ReviewerEntities)
+				if _, ok := prompt.Context.ReviewerEntities["work-reviewer"]; !ok {
+					t.Fatalf("ReviewerEntities = %#v, want configured work-reviewer before delete", prompt.Context.ReviewerEntities)
 				}
 				return initDraft{
 					Action:       initDraftActionDeleteReviewerEntity,
-					ActionTarget: "reviewer-github-app",
+					ActionTarget: "work-reviewer",
 				}, nil
 			case 2:
-				if _, ok := prompt.Context.PendingReviewerEntityDeletes["reviewer-github-app"]; !ok {
-					t.Fatalf("PendingReviewerEntityDeletes = %#v, want reviewer-github-app pending delete before undo", prompt.Context.PendingReviewerEntityDeletes)
+				if _, ok := prompt.Context.PendingReviewerEntityDeletes["work-reviewer"]; !ok {
+					t.Fatalf("PendingReviewerEntityDeletes = %#v, want work-reviewer pending delete before undo", prompt.Context.PendingReviewerEntityDeletes)
 				}
 				return initDraft{
 					Action:       initDraftActionUndoDeleteReviewerEntity,
-					ActionTarget: "reviewer-github-app",
+					ActionTarget: "work-reviewer",
 				}, nil
 			case 3:
 				return initDraft{}, errInitNavigateBack
@@ -17651,8 +17668,8 @@ func TestInitInteractiveMenuCanCommitLLMRuntimeBeforeReviewProfile(t *testing.T)
 	if len(menu.prompts) != 2 {
 		t.Fatalf("menu prompts = %#v, want main menu before category entry and after stage", menu.prompts)
 	}
-	if !menu.prompts[0].CanConfigureLLM || menu.prompts[0].CanConfigureReviewer || menu.prompts[0].CanSave {
-		t.Fatalf("initial prompt = %#v, want LLM enabled and reviewer/save disabled", menu.prompts[0])
+	if !menu.prompts[0].CanConfigureLLM || !menu.prompts[0].CanConfigureReviewer || menu.prompts[0].CanSave {
+		t.Fatalf("initial prompt = %#v, want LLM/reviewer enabled and save disabled", menu.prompts[0])
 	}
 	if !menu.prompts[1].CanSave {
 		t.Fatalf("post-stage menu prompt = %#v, want staged runtime edit to be saveable", menu.prompts[1])
@@ -18111,16 +18128,16 @@ func TestInitInteractiveMenuDeleteUndoAndSaveFlow(t *testing.T) {
 			reviewerEdits++
 			switch reviewerEdits {
 			case 1:
-				if _, ok := prompt.Context.ReviewerEntities["reviewer-github-app"]; !ok {
-					t.Fatalf("ReviewerEntities = %#v, want configured reviewer-github-app inventory entry", prompt.Context.ReviewerEntities)
+				if _, ok := prompt.Context.ReviewerEntities["home-reviewer"]; !ok {
+					t.Fatalf("ReviewerEntities = %#v, want configured home-reviewer inventory entry", prompt.Context.ReviewerEntities)
 				}
 				return initDraft{
 					Action:       initDraftActionDeleteReviewerEntity,
-					ActionTarget: "reviewer-github-app",
+					ActionTarget: "home-reviewer",
 				}, nil
 			case 2:
-				if _, ok := prompt.Context.PendingReviewerEntityDeletes["reviewer-github-app"]; !ok {
-					t.Fatalf("PendingReviewerEntityDeletes = %#v, want reviewer-github-app pending delete before leaving category", prompt.Context.PendingReviewerEntityDeletes)
+				if _, ok := prompt.Context.PendingReviewerEntityDeletes["home-reviewer"]; !ok {
+					t.Fatalf("PendingReviewerEntityDeletes = %#v, want home-reviewer pending delete before leaving category", prompt.Context.PendingReviewerEntityDeletes)
 				}
 				return initDraft{}, errInitNavigateBack
 			default:
@@ -18869,8 +18886,8 @@ func TestInitInteractiveMenuCanCommitSecretsStorageBeforeReviewProfile(t *testin
 	if menu.prompts[0].CanSave {
 		t.Fatalf("initial prompt = %#v, want commit disabled before staged changes", menu.prompts[0])
 	}
-	if !menu.prompts[1].CanSave || !menu.prompts[1].CanConfigureLLM || menu.prompts[1].CanConfigureReviewer {
-		t.Fatalf("post-edit prompt = %#v, want commit and LLM runtime configuration enabled without workspace", menu.prompts[1])
+	if !menu.prompts[1].CanSave || !menu.prompts[1].CanConfigureLLM || !menu.prompts[1].CanConfigureReviewer {
+		t.Fatalf("post-edit prompt = %#v, want commit, LLM runtime configuration, and reviewer entity configuration enabled without workspace", menu.prompts[1])
 	}
 	cfg, err := config.Load(path)
 	if err != nil {
@@ -21490,12 +21507,16 @@ func basicProfile(profile string) config.Profile {
 }
 
 func normalizeTestProfile(profile config.Profile) config.Profile {
+	return normalizeTestProfileNamed("test", profile)
+}
+
+func normalizeTestProfileNamed(name string, profile config.Profile) config.Profile {
 	cfg := config.Normalize(config.File{
 		Profiles: map[string]config.Profile{
-			"test": profile,
+			name: profile,
 		},
 	})
-	return cfg.Profiles["test"]
+	return cfg.Profiles[name]
 }
 
 func apiKeyProfile(profile string, provider config.LLMProvider) config.Profile {
diff --git a/internal/cmd/credentialcmd/init_inventory_test.go b/internal/cmd/credentialcmd/init_inventory_test.go
index aeeaf211..2631c5c7 100644
--- a/internal/cmd/credentialcmd/init_inventory_test.go
+++ b/internal/cmd/credentialcmd/init_inventory_test.go
@@ -333,8 +333,8 @@ func TestInitReviewerEntityInventoryRowsSetExpectedCapabilities(t *testing.T) {
 		},
 	})
 
-	if len(rows) != 6 {
-		t.Fatalf("len(rows) = %d, want 6", len(rows))
+	if len(rows) != 5 {
+		t.Fatalf("len(rows) = %d, want 5", len(rows))
 	}
 	if got := rows[0]; got.Kind != initInventoryRowKindActive || !got.Selectable || !got.Deletable || got.Restorable || got.PrimaryAction != initInventoryActionNone {
 		t.Fatalf("active row = %#v, want selectable+deletable active reviewer entity", got)
@@ -343,24 +343,18 @@ func TestInitReviewerEntityInventoryRowsSetExpectedCapabilities(t *testing.T) {
 		t.Fatalf("pending row = %#v, want restorable pending reviewer entity", got)
 	}
 	if got := rows[2]; got.Kind != initInventoryRowKindCommand || !got.Selectable || got.PrimaryAction != initInventoryActionCommand {
-		t.Fatalf("fallback row = %#v, want selectable command fallback", got)
-	}
-	if got, want := rows[2].Title, "Use a profile's Git account (no separate reviewer entity)"; got != want {
-		t.Fatalf("fallback row title = %q, want %q", got, want)
-	}
-	if got := rows[3]; got.Kind != initInventoryRowKindCommand || !got.Selectable || got.PrimaryAction != initInventoryActionCommand {
 		t.Fatalf("pat row = %#v, want selectable command PAT template", got)
 	}
-	if got, want := rows[3].Title, "Configure new personal access token (PAT) reviewer"; got != want {
+	if got, want := rows[2].Title, "Configure new personal access token (PAT) reviewer"; got != want {
 		t.Fatalf("pat row title = %q, want %q", got, want)
 	}
-	if got := rows[4]; got.Kind != initInventoryRowKindCommand || !got.Selectable || got.PrimaryAction != initInventoryActionCommand {
+	if got := rows[3]; got.Kind != initInventoryRowKindCommand || !got.Selectable || got.PrimaryAction != initInventoryActionCommand {
 		t.Fatalf("github app row = %#v, want selectable command GitHub App template", got)
 	}
-	if got, want := rows[4].Title, "Configure new GitHub App reviewer"; got != want {
+	if got, want := rows[3].Title, "Configure new GitHub App reviewer"; got != want {
 		t.Fatalf("github app row title = %q, want %q", got, want)
 	}
-	if got := rows[5]; got.Kind != initInventoryRowKindCommand || !got.Selectable || got.PrimaryAction != initInventoryActionBack {
+	if got := rows[4]; got.Kind != initInventoryRowKindCommand || !got.Selectable || got.PrimaryAction != initInventoryActionBack {
 		t.Fatalf("back row = %#v, want selectable Back command", got)
 	}
 }
diff --git a/internal/cmd/credentialcmd/init_menu.go b/internal/cmd/credentialcmd/init_menu.go
index 223ea18d..698c6f59 100644
--- a/internal/cmd/credentialcmd/init_menu.go
+++ b/internal/cmd/credentialcmd/init_menu.go
@@ -137,15 +137,11 @@ func initMenuCountDescription(count int, singular, plural string) string {
 
 func initMenuDisabledReason(prompt initMenuPrompt, action initMenuAction) string {
 	switch action {
-	case initMenuActionReviewerEntities:
-		if !prompt.CanConfigureReviewer {
-			return "configure a review profile before editing reviewer entities"
-		}
 	case initMenuActionSave:
 		if !prompt.CanSave {
 			return "stage changes before committing"
 		}
-	case initMenuActionSecretsManagement, initMenuActionLLMRuntimes, initMenuActionReviewProfiles, initMenuActionGlobalSettings, initMenuActionExit:
+	case initMenuActionSecretsManagement, initMenuActionLLMRuntimes, initMenuActionReviewerEntities, initMenuActionReviewProfiles, initMenuActionGlobalSettings, initMenuActionExit:
 	}
 	return ""
 }
diff --git a/internal/cmd/credentialcmd/init_profile_v2.go b/internal/cmd/credentialcmd/init_profile_v2.go
index ba2fd801..32b861e3 100644
--- a/internal/cmd/credentialcmd/init_profile_v2.go
+++ b/internal/cmd/credentialcmd/init_profile_v2.go
@@ -375,7 +375,12 @@ func initProfileV2ReadOnlyEditor(ctx initPromptContext, selection string) (initP
 
 	var document initProfileV2Document
 	document.addSection("Review profile", "Repository routing and review composition.")
-	document.addEditableInput(initProfileV2FieldProfileName, "Profile name", "Human-friendly name for this review profile.", draft.ProfileName, validateProfileName)
+	profileNameInput := initProfileV2ProfileNameInput(ctx, selectedExistingProfile, draft)
+	profileNameValidate := validateProfileName
+	if selectedExistingProfile == nil && strings.TrimSpace(profileNameInput) == "" {
+		profileNameValidate = validateOptionalProfileName
+	}
+	document.addEditableInput(initProfileV2FieldProfileName, "Profile name", "Human-friendly name for this review profile.", profileNameInput, profileNameValidate)
 	initProfileV2AppendRouteSection(&document, routeText)
 	initProfileV2AppendGitScopeSection(&document, selectedGitScope, initGitScopeOptions(ctx.GitScopes), draft, selectedGitScope == initCustomGitScopeSelection || len(ctx.GitScopes) > 1)
 	document.addEditableSelect(initProfileV2FieldReviewerEntity, "Reviewer entity", reviewerEntitySelectionDescription(), reviewerEntityOptions, selectedReviewerEntity)
@@ -400,6 +405,23 @@ func initProfileV2ReadOnlyEditor(ctx initPromptContext, selection string) (initP
 	}, nil
 }
 
+func validateOptionalProfileName(value string) error {
+	if strings.TrimSpace(value) == "" {
+		return nil
+	}
+	return validateProfileName(value)
+}
+
+func initProfileV2ProfileNameInput(ctx initPromptContext, existingProfile *config.Profile, draft initDraft) string {
+	if existingProfile != nil {
+		return draft.ProfileName
+	}
+	if strings.TrimSpace(ctx.RequestedProfileName) == initialInitProfileName && strings.TrimSpace(draft.ProfileName) == initialInitProfileName {
+		return ""
+	}
+	return draft.ProfileName
+}
+
 func initProfileV2Selection(ctx initPromptContext, selection string) (string, *config.Profile, string) {
 	if selection == initCreateProfileSentinel {
 		return "", nil, initCreateProfileSeedName(ctx)
diff --git a/internal/cmd/credentialcmd/init_reviewer_entity_editor.go b/internal/cmd/credentialcmd/init_reviewer_entity_editor.go
index 8da8a17d..dc1dc86e 100644
--- a/internal/cmd/credentialcmd/init_reviewer_entity_editor.go
+++ b/internal/cmd/credentialcmd/init_reviewer_entity_editor.go
@@ -72,7 +72,7 @@ func (p huhInitReviewerEntityPrompter) editReviewerEntityLinear(prompt initRevie
 }
 
 func (p huhInitReviewerEntityPrompter) editReviewerEntityFieldsLinear(ctx initPromptContext, entity initReviewerEntityDraft, seed initDraft, preserveCurrentLocation bool) (initDraft, bool, error) {
-	editorState, err := newReviewerEntityEditorState(entity, seed, preserveCurrentLocation)
+	editorState, err := newReviewerEntityEditorState(entity, seed, preserveCurrentLocation, ctx.StandaloneReviewerEntityMode)
 	if err != nil {
 		return initDraft{}, false, err
 	}
@@ -117,17 +117,27 @@ type reviewerEntityEditorState struct {
 	preserveCurrentLocation bool
 }
 
-func newReviewerEntityEditorState(entity initReviewerEntityDraft, seed initDraft, preserveCurrentLocation bool) (reviewerEntityEditorState, error) {
+func newReviewerEntityEditorState(entity initReviewerEntityDraft, seed initDraft, preserveCurrentLocation bool, standaloneReviewerEntityMode bool) (reviewerEntityEditorState, error) {
 	editDraft := seed
 	kind := entity.Kind
 	applyReviewerEntitySelection(&editDraft, string(kind))
 	standardReviewerRef := ""
 	if kind != initReviewerEntityKindUseGitIdentity {
-		ref, err := standardReviewerCredentialRef(editDraft.ProfileName)
-		if err != nil {
-			return reviewerEntityEditorState{}, err
+		if preserveCurrentLocation && standaloneReviewerEntityMode && strings.TrimSpace(editDraft.ReviewerCredentialRef) != "" {
+			standardReviewerRef = strings.TrimSpace(editDraft.ReviewerCredentialRef)
+		} else if !standaloneReviewerEntityMode {
+			ref, err := standardReviewerCredentialRef(editDraft.ProfileName)
+			if err != nil {
+				return reviewerEntityEditorState{}, err
+			}
+			standardReviewerRef = ref
+		} else {
+			ref, err := standardReviewerCredentialRefForEntity(entity)
+			if err != nil {
+				return reviewerEntityEditorState{}, err
+			}
+			standardReviewerRef = ref
 		}
-		standardReviewerRef = ref
 	}
 	_, explicitDisplayName, fallbackLabelSeed := reviewerEntityEditorLabelSeed(entity)
 	return reviewerEntityEditorState{
@@ -851,14 +861,14 @@ func reviewerEntityEditorStateForSelection(ctx initPromptContext, seed initDraft
 	if entity, ok := ctx.ReviewerEntities[selection]; ok {
 		candidate := seed
 		applyReviewerEntityInventorySelection(&candidate, selection, ctx.ReviewerEntities)
-		return newReviewerEntityEditorState(entity, candidate, true)
+		return newReviewerEntityEditorState(entity, candidate, true, ctx.StandaloneReviewerEntityMode)
 	}
 	if _, restore := initReviewerEntityRestoreSelectionName(selection); restore {
-		return newReviewerEntityEditorState(initReviewerEntityDraft{Kind: initReviewerEntityKindUseGitIdentity}, seed, false)
+		return newReviewerEntityEditorState(initReviewerEntityDraft{Kind: initReviewerEntityKindUseGitIdentity}, seed, false, ctx.StandaloneReviewerEntityMode)
 	}
 	candidate := seed
 	applyReviewerEntityInventorySelection(&candidate, selection, ctx.ReviewerEntities)
-	return newReviewerEntityEditorState(initReviewerEntityDraft{Kind: initReviewerEntityKind(selection)}, candidate, false)
+	return newReviewerEntityEditorState(initReviewerEntityDraft{Kind: initReviewerEntityKind(selection)}, candidate, false, ctx.StandaloneReviewerEntityMode)
 }
 
 func reviewerEntityKindDetailDescription(kind initReviewerEntityKind) string {
diff --git a/internal/cmd/mecmd/mecmd_test.go b/internal/cmd/mecmd/mecmd_test.go
index c9e65088..8d8bc137 100644
--- a/internal/cmd/mecmd/mecmd_test.go
+++ b/internal/cmd/mecmd/mecmd_test.go
@@ -567,6 +567,11 @@ func TestMeReservedAuthModeExitCode(t *testing.T) {
     test-memory:
       backend:
         kind: memory
+llm_runtimes:
+  claude-cli:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
 profiles:
   home:
     git:
@@ -575,10 +580,9 @@ profiles:
       credential:
         store: test-memory
         name: codereview/home
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: git_identity
+    llm_runtime: claude-cli
 `)
 	factoryOpened := false
 	cmd, _ := newTestCommandWithFactory(path, func(*cobra.Command, *root.Options, config.File) (identity.Resolver, func(), error) {
@@ -604,6 +608,18 @@ func TestMeReviewerGitHubAppAuthModeUsesResolver(t *testing.T) {
     test-memory:
       backend:
         kind: memory
+llm_runtimes:
+  claude-cli:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
+reviewer_entities:
+  work-reviewer:
+    host: github.com
+    auth_mode: github_app
+    credential:
+      store: test-memory
+      name: codereview/work-reviewer
 profiles:
   work:
     git:
@@ -612,15 +628,10 @@ profiles:
       credential:
         store: test-memory
         name: codereview/work
-    reviewer_credentials:
-      auth_mode: github_app
-      credential:
-        store: test-memory
-        name: codereview/work-reviewer
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: entity
+      entity: work-reviewer
+    llm_runtime: claude-cli
 `)
 	resolver := &fakeResolver{
 		identities: map[string]gitprovider.Identity{"codereview/work-reviewer": {Login: "cr-reviewer[bot]", ID: "12345"}},
@@ -647,6 +658,18 @@ func TestMeAllReservedAuthModeDoesNotOpenResolverFactory(t *testing.T) {
     test-memory:
       backend:
         kind: memory
+llm_runtimes:
+  claude-cli:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
+reviewer_entities:
+  work-reviewer:
+    host: github.com
+    auth_mode: oauth_device
+    credential:
+      store: test-memory
+      name: codereview/work-reviewer
 profiles:
   home:
     git:
@@ -655,10 +678,9 @@ profiles:
       credential:
         store: test-memory
         name: codereview/home
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: git_identity
+    llm_runtime: claude-cli
   work:
     git:
       host: github.com
@@ -666,15 +688,10 @@ profiles:
       credential:
         store: test-memory
         name: codereview/work
-    reviewer_credentials:
-      auth_mode: oauth_device
-      credential:
-        store: test-memory
-        name: codereview/work-reviewer
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: entity
+      entity: work-reviewer
+    llm_runtime: claude-cli
 `)
 	factoryOpened := false
 	cmd, _ := newTestCommandWithFactory(path, func(*cobra.Command, *root.Options, config.File) (identity.Resolver, func(), error) {
@@ -697,6 +714,18 @@ func TestMeAllReservedGitAuthModeWithReviewerDoesNotOpenResolverFactory(t *testi
     test-memory:
       backend:
         kind: memory
+llm_runtimes:
+  claude-cli:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
+reviewer_entities:
+  work-reviewer:
+    host: github.com
+    auth_mode: pat
+    credential:
+      store: test-memory
+      name: codereview/work-reviewer
 profiles:
   home:
     git:
@@ -705,10 +734,9 @@ profiles:
       credential:
         store: test-memory
         name: codereview/home
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: git_identity
+    llm_runtime: claude-cli
   work:
     git:
       host: github.com
@@ -716,15 +744,10 @@ profiles:
       credential:
         store: test-memory
         name: codereview/work
-    reviewer_credentials:
-      auth_mode: pat
-      credential:
-        store: test-memory
-        name: codereview/work-reviewer
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: entity
+      entity: work-reviewer
+    llm_runtime: claude-cli
 `)
 	factoryOpened := false
 	cmd, _ := newTestCommandWithFactory(path, func(*cobra.Command, *root.Options, config.File) (identity.Resolver, func(), error) {
diff --git a/internal/config/config.go b/internal/config/config.go
index 4bc08a5e..e6bf0f7f 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -43,11 +43,12 @@ var (
 
 // File is the root config.yml schema.
 type File struct {
-	Secrets            SecretsConfig        `yaml:"secrets,omitempty" json:"secrets,omitempty"`
-	LLMRuntimes        map[string]LLMConfig `yaml:"llm_runtimes,omitempty" json:"llm_runtimes,omitempty"`
-	RepositoryProfiles []RepositoryProfile  `yaml:"repository_profiles,omitempty" json:"repository_profiles,omitempty"`
-	Profiles           map[string]Profile   `yaml:"profiles,omitempty" json:"profiles,omitempty"`
-	Data               DataConfig           `yaml:"data,omitempty" json:"data"`
+	Secrets            SecretsConfig             `yaml:"secrets,omitempty" json:"secrets,omitempty"`
+	LLMRuntimes        map[string]LLMConfig      `yaml:"llm_runtimes,omitempty" json:"llm_runtimes,omitempty"`
+	ReviewerEntities   map[string]ReviewerEntity `yaml:"reviewer_entities,omitempty" json:"reviewer_entities,omitempty"`
+	RepositoryProfiles []RepositoryProfile       `yaml:"repository_profiles,omitempty" json:"repository_profiles,omitempty"`
+	Profiles           map[string]Profile        `yaml:"profiles,omitempty" json:"profiles,omitempty"`
+	Data               DataConfig                `yaml:"data,omitempty" json:"data"`
 
 	// Keyring is retained as an ignored in-memory compatibility field while
 	// credential-store runtime selection is rewritten. It is not config schema.
@@ -161,14 +162,20 @@ type EffectiveSecretsProfile = EffectiveSecretsStore
 
 // Profile is one named review profile.
 type Profile struct {
-	Git                 GitConfig            `yaml:"git" json:"git"`
-	ReviewerCredentials *ReviewerCredentials `yaml:"reviewer_credentials,omitempty" json:"reviewer_credentials,omitempty"`
-	LLM                 LLMConfig            `yaml:"llm" json:"llm"`
-	AgentSources        []string             `yaml:"agent_sources,omitempty" json:"agent_sources,omitempty"`
-	ReviewPolicy        ReviewPolicy         `yaml:"review_policy,omitempty" json:"review_policy"`
+	Git          GitConfig       `yaml:"git" json:"git"`
+	Reviewer     ProfileReviewer `yaml:"reviewer" json:"reviewer"`
+	LLMRuntime   string          `yaml:"llm_runtime" json:"llm_runtime"`
+	AgentSources []string        `yaml:"agent_sources,omitempty" json:"agent_sources,omitempty"`
+	ReviewPolicy ReviewPolicy    `yaml:"review_policy,omitempty" json:"review_policy"`
 
 	// SecretsProfile is retained as an ignored in-memory compatibility field.
 	SecretsProfile string `yaml:"-" json:"-"`
+	// ReviewerCredentials is the resolved effective reviewer credential block
+	// derived from ReviewerEntities for runtime callers. It is not config schema.
+	ReviewerCredentials *ReviewerCredentials `yaml:"-" json:"-"`
+	// LLM is the resolved effective runtime derived from LLMRuntime for runtime
+	// callers. It is not config schema.
+	LLM LLMConfig `yaml:"-" json:"-"`
 }
 
 // GitConfig identifies the user's git-host credentials.
@@ -193,6 +200,43 @@ type ReviewerCredentials struct {
 	CredentialRef string `yaml:"-" json:"-"`
 }
 
+// ProfileReviewer selects the identity used to post review comments.
+type ProfileReviewer struct {
+	Kind   ProfileReviewerKind `yaml:"kind" json:"kind"`
+	Entity string              `yaml:"entity,omitempty" json:"entity,omitempty"`
+}
+
+// ProfileReviewerKind identifies how a profile chooses its posting identity.
+type ProfileReviewerKind string
+
+// Profile reviewer kinds.
+const (
+	ProfileReviewerKindGitIdentity ProfileReviewerKind = "git_identity"
+	ProfileReviewerKindEntity      ProfileReviewerKind = "entity"
+)
+
+// Valid reports whether k is a known profile reviewer selector.
+func (k ProfileReviewerKind) Valid() bool {
+	switch k {
+	case ProfileReviewerKindGitIdentity, ProfileReviewerKindEntity:
+		return true
+	default:
+		return false
+	}
+}
+
+// ReviewerEntity is one reusable configured posting identity.
+type ReviewerEntity struct {
+	Host          string             `yaml:"host" json:"host"`
+	AuthMode      GitAuthMode        `yaml:"auth_mode" json:"auth_mode"`
+	Credential    CredentialLocation `yaml:"credential" json:"credential"`
+	DisplayName   string             `yaml:"display_name,omitempty" json:"display_name,omitempty"`
+	IdentityCache string             `yaml:"identity_cache,omitempty" json:"identity_cache,omitempty"`
+
+	// CredentialRef is retained as an ignored in-memory compatibility field.
+	CredentialRef string `yaml:"-" json:"-"`
+}
+
 // RepositoryProfile routes repositories to profiles when --profile is omitted.
 type RepositoryProfile struct {
 	Profile string                 `yaml:"profile" json:"profile"`
@@ -637,6 +681,7 @@ func fileHasNoExplicitContent(cfg File) bool {
 	return cfg.Secrets.Stores == nil &&
 		cfg.Secrets.Profiles == nil &&
 		cfg.LLMRuntimes == nil &&
+		cfg.ReviewerEntities == nil &&
 		cfg.RepositoryProfiles == nil &&
 		cfg.Profiles == nil &&
 		cfg.Data.Retention.MaxAgeDays == nil &&
@@ -702,6 +747,14 @@ func Validate(cfg File) error {
 			}
 		}
 	}
+	for name, entity := range cfg.ReviewerEntities {
+		if strings.TrimSpace(name) == "" {
+			return invalid("reviewer_entities name is required")
+		}
+		if err := validateReviewerEntity(cfg.Secrets, name, entity); err != nil {
+			return err
+		}
+	}
 	if len(cfg.Profiles) == 0 {
 		if len(cfg.RepositoryProfiles) > 0 {
 			return invalid("profiles is required")
@@ -712,10 +765,10 @@ func Validate(cfg File) error {
 		if strings.TrimSpace(name) == "" {
 			return invalid("profile name is required")
 		}
-		if err := validateProfile(name, profile); err != nil {
+		if err := validateProfile(cfg, name, profile); err != nil {
 			return err
 		}
-		if err := validateProfileCredentialStoreSelections(cfg.Secrets, name, profile); err != nil {
+		if err := validateProfileCredentialStoreSelections(cfg, name, profile); err != nil {
 			return err
 		}
 	}
@@ -859,7 +912,7 @@ func ResolveProfileForRepositoryWithSource(cfg File, requestedName string, expli
 // CredentialRefs returns all credential-store refs declared by profile.
 func CredentialRefs(profile Profile) ([]CredentialRef, error) {
 	profile = profile.normalized()
-	if err := validateProfile("profile", profile); err != nil {
+	if err := validateEffectiveProfile("profile", profile); err != nil {
 		return nil, err
 	}
 
@@ -897,7 +950,7 @@ func gitCredentialRef(purpose string, mode GitAuthMode, credential CredentialLoc
 	return CredentialRef{Purpose: purpose, Store: credential.Store, Ref: credential.Name, Mode: string(mode)}, nil
 }
 
-func validateProfile(name string, profile Profile) error {
+func validateProfile(cfg File, name string, profile Profile) error {
 	if strings.TrimSpace(profile.Git.Host) == "" {
 		return invalid("profiles.%s.git.host is required", name)
 	}
@@ -910,35 +963,44 @@ func validateProfile(name string, profile Profile) error {
 	if err := validateCredentialLocation(fmt.Sprintf("profiles.%s.git.credential", name), profile.Git.Credential); err != nil {
 		return err
 	}
-	if profile.ReviewerCredentials != nil {
-		if !profile.ReviewerCredentials.AuthMode.Valid() {
-			return invalid("profiles.%s.reviewer_credentials.auth_mode %q is invalid", name, profile.ReviewerCredentials.AuthMode)
+	if !profile.Reviewer.Kind.Valid() {
+		return invalid("profiles.%s.reviewer.kind %q is invalid", name, profile.Reviewer.Kind)
+	}
+	var reviewerEntity *ReviewerEntity
+	switch profile.Reviewer.Kind {
+	case ProfileReviewerKindGitIdentity:
+		if strings.TrimSpace(profile.Reviewer.Entity) != "" {
+			return invalid("profiles.%s.reviewer.entity must be empty for git_identity reviewer", name)
 		}
-		if !profile.ReviewerCredentials.AuthMode.Supported() {
-			return fmt.Errorf("%w: profiles.%s.reviewer_credentials.auth_mode %q", ErrUnsupported, name, profile.ReviewerCredentials.AuthMode)
+	case ProfileReviewerKindEntity:
+		if strings.TrimSpace(profile.Reviewer.Entity) == "" {
+			return invalid("profiles.%s.reviewer.entity is required", name)
 		}
-		if err := validateCredentialLocation(fmt.Sprintf("profiles.%s.reviewer_credentials.credential", name), profile.ReviewerCredentials.Credential); err != nil {
-			return err
+		entity, ok := cfg.ReviewerEntities[profile.Reviewer.Entity]
+		if !ok {
+			return fmt.Errorf("%w: profiles.%s.reviewer.entity %q", ErrProfileNotFound, name, profile.Reviewer.Entity)
 		}
-		if sameCredentialLocation(profile.ReviewerCredentials.Credential, profile.Git.Credential) {
-			return invalid("profiles.%s.reviewer_credentials.credential must differ from git.credential when store and name match", name)
+		reviewerEntity = &entity
+		if normalizeConfigHost(entity.Host) != normalizeConfigHost(profile.Git.Host) {
+			return invalid("profiles.%s.reviewer.entity %q host %q must match git.host %q", name, profile.Reviewer.Entity, entity.Host, profile.Git.Host)
 		}
-		if err := validateOptionalSingleLine(fmt.Sprintf("profiles.%s.reviewer_credentials.display_name", name), profile.ReviewerCredentials.DisplayName); err != nil {
-			return err
+		if sameCredentialLocation(entity.Credential, profile.Git.Credential) {
+			return invalid("profiles.%s.reviewer.entity %q credential must differ from git.credential when store and name match", name, profile.Reviewer.Entity)
 		}
 	}
-	if err := validateLLMConfig(fmt.Sprintf("profiles.%s.llm", name), profile.LLM); err != nil {
-		return err
+	if strings.TrimSpace(profile.LLMRuntime) == "" {
+		return invalid("profiles.%s.llm_runtime is required", name)
 	}
-	if profile.LLM.Auth == LLMAuthAPIKey {
-		if err := validateCredentialLocation(fmt.Sprintf("profiles.%s.llm.credential", name), profile.LLM.Credential); err != nil {
-			return err
-		}
-		if sameCredentialLocation(profile.LLM.Credential, profile.Git.Credential) {
-			return invalid("profiles.%s.llm.credential must differ from git.credential when store and name match", name)
+	runtime, ok := cfg.LLMRuntimes[profile.LLMRuntime]
+	if !ok {
+		return fmt.Errorf("%w: profiles.%s.llm_runtime %q", ErrProfileNotFound, name, profile.LLMRuntime)
+	}
+	if runtime.Auth == LLMAuthAPIKey {
+		if sameCredentialLocation(runtime.Credential, profile.Git.Credential) {
+			return invalid("profiles.%s.llm_runtime %q credential must differ from git.credential when store and name match", name, profile.LLMRuntime)
 		}
-		if profile.ReviewerCredentials != nil && sameCredentialLocation(profile.LLM.Credential, profile.ReviewerCredentials.Credential) {
-			return invalid("profiles.%s.llm.credential must differ from reviewer_credentials.credential when store and name match", name)
+		if reviewerEntity != nil && sameCredentialLocation(runtime.Credential, reviewerEntity.Credential) {
+			return invalid("profiles.%s.llm_runtime %q credential must differ from reviewer entity credential when store and name match", name, profile.LLMRuntime)
 		}
 	}
 	for index, source := range profile.AgentSources {
@@ -960,6 +1022,36 @@ func validateProfile(name string, profile Profile) error {
 	return nil
 }
 
+func validateEffectiveProfile(name string, profile Profile) error {
+	if strings.TrimSpace(profile.Git.Host) == "" {
+		return invalid("%s.git.host is required", name)
+	}
+	if !profile.Git.AuthMode.Valid() {
+		return invalid("%s.git.auth_mode %q is invalid", name, profile.Git.AuthMode)
+	}
+	if !profile.Git.AuthMode.Supported() {
+		return fmt.Errorf("%w: %s.git.auth_mode %q", ErrUnsupported, name, profile.Git.AuthMode)
+	}
+	if err := validateCredentialLocation(name+".git.credential", profile.Git.Credential); err != nil {
+		return err
+	}
+	if profile.ReviewerCredentials != nil {
+		if !profile.ReviewerCredentials.AuthMode.Valid() {
+			return invalid("%s.reviewer_credentials.auth_mode %q is invalid", name, profile.ReviewerCredentials.AuthMode)
+		}
+		if !profile.ReviewerCredentials.AuthMode.Supported() {
+			return fmt.Errorf("%w: %s.reviewer_credentials.auth_mode %q", ErrUnsupported, name, profile.ReviewerCredentials.AuthMode)
+		}
+		if err := validateCredentialLocation(name+".reviewer_credentials.credential", profile.ReviewerCredentials.Credential); err != nil {
+			return err
+		}
+	}
+	if err := validateLLMConfig(name+".llm", profile.LLM); err != nil {
+		return err
+	}
+	return nil
+}
+
 func validateLLMConfig(field string, llm LLMConfig) error {
 	if !llm.Provider.Valid() {
 		return invalid("%s.provider %q is invalid", field, llm.Provider)
@@ -1011,9 +1103,31 @@ func validateLLMConfig(field string, llm LLMConfig) error {
 	return nil
 }
 
-func validateProfileCredentialStoreSelections(secrets SecretsConfig, name string, profile Profile) error {
-	for _, credential := range profileCredentialLocations(profile) {
-		if err := validateCredentialStoreSelection(secrets, fmt.Sprintf("profiles.%s.%s.credential.store", name, credential.path), credential.location.Store); err != nil {
+func validateReviewerEntity(secrets SecretsConfig, name string, entity ReviewerEntity) error {
+	if strings.TrimSpace(entity.Host) == "" {
+		return invalid("reviewer_entities.%s.host is required", name)
+	}
+	if !entity.AuthMode.Valid() {
+		return invalid("reviewer_entities.%s.auth_mode %q is invalid", name, entity.AuthMode)
+	}
+	if !entity.AuthMode.Supported() {
+		return fmt.Errorf("%w: reviewer_entities.%s.auth_mode %q", ErrUnsupported, name, entity.AuthMode)
+	}
+	if err := validateCredentialLocation(fmt.Sprintf("reviewer_entities.%s.credential", name), entity.Credential); err != nil {
+		return err
+	}
+	if err := validateCredentialStoreSelection(secrets, fmt.Sprintf("reviewer_entities.%s.credential.store", name), entity.Credential.Store); err != nil {
+		return err
+	}
+	if err := validateOptionalSingleLine(fmt.Sprintf("reviewer_entities.%s.display_name", name), entity.DisplayName); err != nil {
+		return err
+	}
+	return nil
+}
+
+func validateProfileCredentialStoreSelections(cfg File, name string, profile Profile) error {
+	for _, credential := range profileCredentialLocations(cfg, profile) {
+		if err := validateCredentialStoreSelection(cfg.Secrets, fmt.Sprintf("profiles.%s.%s.credential.store", name, credential.path), credential.location.Store); err != nil {
 			return err
 		}
 	}
@@ -1025,21 +1139,22 @@ type profileCredentialLocation struct {
 	location CredentialLocation
 }
 
-func profileCredentialLocations(profile Profile) []profileCredentialLocation {
+func profileCredentialLocations(cfg File, profile Profile) []profileCredentialLocation {
 	locations := []profileCredentialLocation{{
 		path:     "git",
 		location: profile.Git.Credential,
 	}}
-	if profile.ReviewerCredentials != nil {
+	if profile.Reviewer.Kind == ProfileReviewerKindEntity {
+		entity := cfg.ReviewerEntities[profile.Reviewer.Entity]
 		locations = append(locations, profileCredentialLocation{
-			path:     "reviewer_credentials",
-			location: profile.ReviewerCredentials.Credential,
+			path:     "reviewer.entity",
+			location: entity.Credential,
 		})
 	}
-	if profile.LLM.Auth == LLMAuthAPIKey {
+	if runtime := cfg.LLMRuntimes[profile.LLMRuntime]; runtime.Auth == LLMAuthAPIKey {
 		locations = append(locations, profileCredentialLocation{
-			path:     "llm",
-			location: profile.LLM.Credential,
+			path:     "llm_runtime",
+			location: runtime.Credential,
 		})
 	}
 	return locations
@@ -1267,14 +1382,6 @@ func ValidateRetention(retention RetentionConfig) error {
 }
 
 func (cfg File) normalized() File {
-	if cfg.Profiles == nil {
-		cfg.Profiles = map[string]Profile{}
-	}
-	profiles := make(map[string]Profile, len(cfg.Profiles))
-	for name, profile := range cfg.Profiles {
-		profiles[name] = profile.normalized()
-	}
-	cfg.Profiles = profiles
 	if cfg.LLMRuntimes != nil {
 		runtimes := make(map[string]LLMConfig, len(cfg.LLMRuntimes))
 		for name, runtime := range cfg.LLMRuntimes {
@@ -1282,6 +1389,22 @@ func (cfg File) normalized() File {
 		}
 		cfg.LLMRuntimes = runtimes
 	}
+	if cfg.ReviewerEntities != nil {
+		entities := make(map[string]ReviewerEntity, len(cfg.ReviewerEntities))
+		for name, entity := range cfg.ReviewerEntities {
+			entities[strings.TrimSpace(name)] = entity.normalized()
+		}
+		cfg.ReviewerEntities = entities
+	}
+	if cfg.Profiles == nil {
+		cfg.Profiles = map[string]Profile{}
+	}
+	cfg = cfg.projectProfileComponentReferences()
+	profiles := make(map[string]Profile, len(cfg.Profiles))
+	for name, profile := range cfg.Profiles {
+		profiles[name] = cfg.resolveProfileRuntimeFields(profile.normalized())
+	}
+	cfg.Profiles = profiles
 	if len(cfg.RepositoryProfiles) > 0 {
 		routes := make([]RepositoryProfile, len(cfg.RepositoryProfiles))
 		for index, route := range cfg.RepositoryProfiles {
@@ -1304,6 +1427,195 @@ func (cfg File) normalized() File {
 	return cfg
 }
 
+func (cfg File) projectProfileComponentReferences() File {
+	runtimeNamesByKey := map[string]string{}
+	for name, runtime := range cfg.LLMRuntimes {
+		runtimeNamesByKey[llmRuntimeIdentityKey(runtime)] = name
+	}
+	reviewerNamesByKey := map[string]string{}
+	for name, entity := range cfg.ReviewerEntities {
+		reviewerNamesByKey[reviewerEntityIdentityKey(entity)] = name
+	}
+
+	profileNames := make([]string, 0, len(cfg.Profiles))
+	for name := range cfg.Profiles {
+		profileNames = append(profileNames, name)
+	}
+	sort.Strings(profileNames)
+	reviewerDisplayNameConflicts := map[string]bool{}
+	profiles := make(map[string]Profile, len(cfg.Profiles))
+	for _, name := range profileNames {
+		profile := cfg.Profiles[name]
+		profile = profile.normalized()
+		if strings.TrimSpace(profile.LLMRuntime) == "" && !profile.LLM.empty() {
+			runtime := profile.LLM.normalized()
+			key := llmRuntimeIdentityKey(runtime)
+			runtimeName, ok := runtimeNamesByKey[key]
+			if !ok {
+				if cfg.LLMRuntimes == nil {
+					cfg.LLMRuntimes = map[string]LLMConfig{}
+				}
+				runtimeName = uniqueConfigComponentName(cfg.LLMRuntimes, suggestedLLMRuntimeName(runtime))
+				cfg.LLMRuntimes[runtimeName] = runtime
+				runtimeNamesByKey[key] = runtimeName
+			}
+			profile.LLMRuntime = runtimeName
+		}
+		if !profile.Reviewer.Kind.Valid() {
+			if profile.ReviewerCredentials == nil {
+				profile.Reviewer.Kind = ProfileReviewerKindGitIdentity
+			} else {
+				entity := reviewerEntityFromProfile(profile)
+				key := reviewerEntityIdentityKey(entity)
+				entityName, ok := reviewerNamesByKey[key]
+				if !ok {
+					if cfg.ReviewerEntities == nil {
+						cfg.ReviewerEntities = map[string]ReviewerEntity{}
+					}
+					entityName = uniqueConfigComponentName(cfg.ReviewerEntities, suggestedReviewerEntityName(name, entity))
+					cfg.ReviewerEntities[entityName] = entity
+					reviewerNamesByKey[key] = entityName
+				} else if existing := cfg.ReviewerEntities[entityName]; !reviewerDisplayNameConflicts[entityName] {
+					displayName := mergeProjectedReviewerEntityDisplayName(existing.DisplayName, entity.DisplayName)
+					if displayName == "" && strings.TrimSpace(existing.DisplayName) != "" && strings.TrimSpace(entity.DisplayName) != "" && strings.TrimSpace(existing.DisplayName) != strings.TrimSpace(entity.DisplayName) {
+						reviewerDisplayNameConflicts[entityName] = true
+					}
+					existing.DisplayName = displayName
+					cfg.ReviewerEntities[entityName] = existing
+				}
+				profile.Reviewer = ProfileReviewer{Kind: ProfileReviewerKindEntity, Entity: entityName}
+			}
+		}
+		profiles[name] = profile
+	}
+	cfg.Profiles = profiles
+	return cfg
+}
+
+func mergeProjectedReviewerEntityDisplayName(existing, next string) string {
+	existing = strings.TrimSpace(existing)
+	next = strings.TrimSpace(next)
+	switch {
+	case existing == "":
+		return next
+	case next == "":
+		return existing
+	case existing == next:
+		return existing
+	default:
+		return ""
+	}
+}
+
+func uniqueConfigComponentName[T any](existing map[string]T, base string) string {
+	base = strings.TrimSpace(base)
+	if base == "" {
+		base = "component"
+	}
+	if _, ok := existing[base]; !ok {
+		return base
+	}
+	for suffix := 2; ; suffix++ {
+		candidate := fmt.Sprintf("%s-%d", base, suffix)
+		if _, ok := existing[candidate]; !ok {
+			return candidate
+		}
+	}
+}
+
+func llmRuntimeIdentityKey(llm LLMConfig) string {
+	llm = llm.normalized()
+	modelKeys := make([]string, 0, len(llm.ModelMap))
+	for tier := range llm.ModelMap {
+		modelKeys = append(modelKeys, tier)
+	}
+	sort.Strings(modelKeys)
+	models := make([]string, 0, len(modelKeys))
+	for _, tier := range modelKeys {
+		models = append(models, tier+"="+strings.TrimSpace(llm.ModelMap[tier]))
+	}
+	return strings.Join([]string{
+		string(llm.Provider),
+		string(llm.Auth),
+		string(llm.Adapter),
+		llm.Credential.Store,
+		llm.Credential.Name,
+		strings.Join(models, "\x1f"),
+		string(llm.ReviewerModelTier),
+	}, "\x00")
+}
+
+func suggestedLLMRuntimeName(llm LLMConfig) string {
+	switch {
+	case llm.Provider == LLMProviderAnthropic && llm.Auth == LLMAuthSubscription && llm.Adapter == LLMAdapterClaudeCLI:
+		return "claude-cli"
+	case llm.Provider == LLMProviderOpenAI && llm.Auth == LLMAuthSubscription && llm.Adapter == LLMAdapterCodexCLI:
+		return "codex-cli"
+	case llm.Provider == LLMProviderPi && llm.Auth == LLMAuthSubscription && llm.Adapter == LLMAdapterPiRPC:
+		return "pi-local"
+	case llm.Provider == LLMProviderAnthropic && llm.Auth == LLMAuthAPIKey && llm.Adapter == LLMAdapterAnthropicAPI:
+		return "anthropic-api-key"
+	case llm.Provider == LLMProviderOpenAI && llm.Auth == LLMAuthAPIKey && llm.Adapter == LLMAdapterOpenAIAPI:
+		return "openai-api-key"
+	}
+	name := strings.Trim(strings.Join([]string{string(llm.Provider), string(llm.Auth), string(llm.Adapter)}, "-"), "-")
+	if name == "" {
+		return "llm-runtime"
+	}
+	return name
+}
+
+func reviewerEntityFromProfile(profile Profile) ReviewerEntity {
+	reviewer := profile.ReviewerCredentials.normalized()
+	return ReviewerEntity{
+		Host:          profile.Git.Host,
+		AuthMode:      reviewer.AuthMode,
+		Credential:    reviewer.Credential,
+		CredentialRef: reviewer.CredentialRef,
+		DisplayName:   reviewer.DisplayName,
+		IdentityCache: reviewer.IdentityCache,
+	}.normalized()
+}
+
+func reviewerEntityIdentityKey(entity ReviewerEntity) string {
+	entity = entity.normalized()
+	return strings.Join([]string{
+		entity.Host,
+		string(entity.AuthMode),
+		entity.Credential.Store,
+		entity.Credential.Name,
+	}, "\x00")
+}
+
+func suggestedReviewerEntityName(profileName string, entity ReviewerEntity) string {
+	prefix := strings.TrimSpace(profileName)
+	if prefix != "" {
+		return prefix + "-reviewer"
+	}
+	switch entity.AuthMode {
+	case GitAuthModeGitHubApp:
+		return "reviewer-github-app"
+	case GitAuthModePAT:
+		return "reviewer-pat"
+	}
+	return "reviewer-entity"
+}
+
+func (cfg File) resolveProfileRuntimeFields(profile Profile) Profile {
+	if runtime, ok := cfg.LLMRuntimes[profile.LLMRuntime]; ok {
+		profile.LLM = runtime.normalized()
+	}
+	switch profile.Reviewer.Kind {
+	case ProfileReviewerKindGitIdentity:
+		profile.ReviewerCredentials = nil
+	case ProfileReviewerKindEntity:
+		if entity, ok := cfg.ReviewerEntities[profile.Reviewer.Entity]; ok {
+			profile.ReviewerCredentials = entity.reviewerCredentials()
+		}
+	}
+	return profile
+}
+
 func (s SecretsConfig) normalized() SecretsConfig {
 	if s.Stores == nil {
 		s.Stores = map[string]SecretsStore{}
@@ -1403,6 +1715,8 @@ func IsOnePasswordSecretsBackend(kind SecretsBackendKind) bool {
 func (p Profile) normalized() Profile {
 	p.SecretsProfile = strings.TrimSpace(p.SecretsProfile)
 	p.Git = p.Git.normalized()
+	p.Reviewer = p.Reviewer.normalized()
+	p.LLMRuntime = strings.TrimSpace(p.LLMRuntime)
 	if p.ReviewerCredentials != nil {
 		reviewer := p.ReviewerCredentials.normalized()
 		p.ReviewerCredentials = &reviewer
@@ -1412,6 +1726,12 @@ func (p Profile) normalized() Profile {
 	return p
 }
 
+func (r ProfileReviewer) normalized() ProfileReviewer {
+	r.Kind = ProfileReviewerKind(strings.TrimSpace(string(r.Kind)))
+	r.Entity = strings.TrimSpace(r.Entity)
+	return r
+}
+
 func (g GitConfig) normalized() GitConfig {
 	g.CredentialRef = strings.TrimSpace(g.CredentialRef)
 	g.Credential = g.Credential.normalized()
@@ -1438,6 +1758,34 @@ func (r ReviewerCredentials) normalized() ReviewerCredentials {
 	return r
 }
 
+func (r ReviewerEntity) normalized() ReviewerEntity {
+	r.Host = normalizeConfigHost(r.Host)
+	r.AuthMode = GitAuthMode(strings.TrimSpace(string(r.AuthMode)))
+	r.CredentialRef = strings.TrimSpace(r.CredentialRef)
+	r.Credential = r.Credential.normalized()
+	if r.Credential.Name == "" && r.CredentialRef != "" {
+		if r.Credential.Store == "" {
+			r.Credential.Store = LocalOSCredentialStoreID
+		}
+		r.Credential.Name = r.CredentialRef
+	}
+	r.CredentialRef = r.Credential.Name
+	r.DisplayName = strings.TrimSpace(r.DisplayName)
+	r.IdentityCache = strings.TrimSpace(r.IdentityCache)
+	return r
+}
+
+func (r ReviewerEntity) reviewerCredentials() *ReviewerCredentials {
+	r = r.normalized()
+	return &ReviewerCredentials{
+		AuthMode:      r.AuthMode,
+		Credential:    r.Credential,
+		DisplayName:   r.DisplayName,
+		IdentityCache: r.IdentityCache,
+		CredentialRef: r.Credential.Name,
+	}
+}
+
 func (l LLMConfig) normalized() LLMConfig {
 	l.CredentialRef = strings.TrimSpace(l.CredentialRef)
 	l.Credential = l.Credential.normalized()
@@ -1459,6 +1807,16 @@ func (l LLMConfig) normalized() LLMConfig {
 	return l
 }
 
+func (l LLMConfig) empty() bool {
+	return strings.TrimSpace(string(l.Provider)) == "" &&
+		strings.TrimSpace(string(l.Auth)) == "" &&
+		strings.TrimSpace(string(l.Adapter)) == "" &&
+		l.Credential.empty() &&
+		len(l.ModelMap) == 0 &&
+		strings.TrimSpace(string(l.ReviewerModelTier)) == "" &&
+		strings.TrimSpace(l.CredentialRef) == ""
+}
+
 func (p ReviewPolicy) normalized() ReviewPolicy {
 	if p.MajorEvent == "" {
 		p.MajorEvent = ReviewMajorEventComment
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index 446eba5b..36ffac36 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -174,7 +174,12 @@ func TestLoadRejectsInvalidEnums(t *testing.T) {
 
 func TestLoadAcceptsPiRPCSubscriptionProfile(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
-	writeFile(t, path, `profiles:
+	writeFile(t, path, `llm_runtimes:
+  pi-local:
+    provider: pi
+    auth: subscription
+    adapter: pi_rpc
+profiles:
   pi:
     git:
       host: github.com
@@ -182,10 +187,9 @@ func TestLoadAcceptsPiRPCSubscriptionProfile(t *testing.T) {
       credential:
         store: local-os
         name: codereview/pi
-    llm:
-      provider: pi
-      auth: subscription
-      adapter: pi_rpc
+    reviewer:
+      kind: git_identity
+    llm_runtime: pi-local
 `)
 	cfg, err := Load(path)
 	if err != nil {
@@ -206,7 +210,12 @@ func TestLoadAcceptsPiRPCSubscriptionProfile(t *testing.T) {
 
 func TestLoadAcceptsCodexCLISubscriptionProfile(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
-	writeFile(t, path, `profiles:
+	writeFile(t, path, `llm_runtimes:
+  codex-local:
+    provider: openai
+    auth: subscription
+    adapter: codex_cli
+profiles:
   codex:
     git:
       host: github.com
@@ -214,10 +223,9 @@ func TestLoadAcceptsCodexCLISubscriptionProfile(t *testing.T) {
       credential:
         store: local-os
         name: codereview/codex
-    llm:
-      provider: openai
-      auth: subscription
-      adapter: codex_cli
+    reviewer:
+      kind: git_identity
+    llm_runtime: codex-local
 `)
 	cfg, err := Load(path)
 	if err != nil {
@@ -239,33 +247,34 @@ func TestLoadAcceptsCodexCLISubscriptionProfile(t *testing.T) {
 func TestValidateRejectsInvalidPiCombinations(t *testing.T) {
 	tests := []struct {
 		name   string
-		mutate func(*Profile)
+		mutate func(*LLMConfig)
 	}{
-		{name: "api key auth", mutate: func(profile *Profile) {
-			profile.LLM.Auth = LLMAuthAPIKey
-			profile.LLM.CredentialRef = "codereview/pi-llm"
+		{name: "api key auth", mutate: func(llm *LLMConfig) {
+			llm.Auth = LLMAuthAPIKey
+			llm.CredentialRef = "codereview/pi-llm"
 		}},
-		{name: "claude cli adapter", mutate: func(profile *Profile) {
-			profile.LLM.Adapter = LLMAdapterClaudeCLI
+		{name: "claude cli adapter", mutate: func(llm *LLMConfig) {
+			llm.Adapter = LLMAdapterClaudeCLI
 		}},
-		{name: "anthropic api adapter", mutate: func(profile *Profile) {
-			profile.LLM.Adapter = LLMAdapterAnthropicAPI
+		{name: "anthropic api adapter", mutate: func(llm *LLMConfig) {
+			llm.Adapter = LLMAdapterAnthropicAPI
 		}},
-		{name: "pi rpc adapter with anthropic provider", mutate: func(profile *Profile) {
-			profile.LLM.Provider = LLMProviderAnthropic
+		{name: "pi rpc adapter with anthropic provider", mutate: func(llm *LLMConfig) {
+			llm.Provider = LLMProviderAnthropic
 		}},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cfg := validFile()
-			profile := cfg.Profiles["home"]
-			profile.LLM.Provider = LLMProviderPi
-			profile.LLM.Auth = LLMAuthSubscription
-			profile.LLM.Adapter = LLMAdapterPiRPC
-			profile.LLM.CredentialRef = ""
-			tt.mutate(&profile)
-			cfg.Profiles["home"] = profile
+			llm := cfg.LLMRuntimes["home-llm"]
+			llm.Provider = LLMProviderPi
+			llm.Auth = LLMAuthSubscription
+			llm.Adapter = LLMAdapterPiRPC
+			llm.CredentialRef = ""
+			llm.Credential = CredentialLocation{}
+			tt.mutate(&llm)
+			cfg.LLMRuntimes["home-llm"] = llm
 			err := Validate(cfg)
 			if !errors.Is(err, ErrInvalid) {
 				t.Fatalf("Validate error = %v, want ErrInvalid", err)
@@ -280,27 +289,28 @@ func TestValidateRejectsInvalidPiCombinations(t *testing.T) {
 func TestValidateRejectsInvalidCodexCLICombinations(t *testing.T) {
 	tests := []struct {
 		name   string
-		mutate func(*Profile)
+		mutate func(*LLMConfig)
 	}{
-		{name: "anthropic provider", mutate: func(profile *Profile) {
-			profile.LLM.Provider = LLMProviderAnthropic
+		{name: "anthropic provider", mutate: func(llm *LLMConfig) {
+			llm.Provider = LLMProviderAnthropic
 		}},
-		{name: "api key auth", mutate: func(profile *Profile) {
-			profile.LLM.Auth = LLMAuthAPIKey
-			profile.LLM.CredentialRef = "codereview/codex-llm"
+		{name: "api key auth", mutate: func(llm *LLMConfig) {
+			llm.Auth = LLMAuthAPIKey
+			llm.CredentialRef = "codereview/codex-llm"
 		}},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cfg := validFile()
-			profile := cfg.Profiles["home"]
-			profile.LLM.Provider = LLMProviderOpenAI
-			profile.LLM.Auth = LLMAuthSubscription
-			profile.LLM.Adapter = LLMAdapterCodexCLI
-			profile.LLM.CredentialRef = ""
-			tt.mutate(&profile)
-			cfg.Profiles["home"] = profile
+			llm := cfg.LLMRuntimes["home-llm"]
+			llm.Provider = LLMProviderOpenAI
+			llm.Auth = LLMAuthSubscription
+			llm.Adapter = LLMAdapterCodexCLI
+			llm.CredentialRef = ""
+			llm.Credential = CredentialLocation{}
+			tt.mutate(&llm)
+			cfg.LLMRuntimes["home-llm"] = llm
 			err := Validate(cfg)
 			if !errors.Is(err, ErrInvalid) {
 				t.Fatalf("Validate error = %v, want ErrInvalid", err)
@@ -314,14 +324,14 @@ func TestValidateRejectsInvalidCodexCLICombinations(t *testing.T) {
 
 func TestModelMapValidationAndResolution(t *testing.T) {
 	cfg := validFile()
-	profile := cfg.Profiles["home"]
-	profile.LLM.Provider = LLMProviderOpenAI
-	profile.LLM.Auth = LLMAuthSubscription
-	profile.LLM.Adapter = LLMAdapterCodexCLI
-	profile.LLM.ModelMap = ModelMap{
+	llm := cfg.LLMRuntimes["home-llm"]
+	llm.Provider = LLMProviderOpenAI
+	llm.Auth = LLMAuthSubscription
+	llm.Adapter = LLMAdapterCodexCLI
+	llm.ModelMap = ModelMap{
 		" medium ": " gpt-custom ",
 	}
-	cfg.Profiles["home"] = profile
+	cfg.LLMRuntimes["home-llm"] = llm
 
 	if err := Validate(cfg); err != nil {
 		t.Fatalf("Validate: %v", err)
@@ -347,9 +357,9 @@ func TestModelMapValidationAndResolution(t *testing.T) {
 
 func TestReviewerModelTierValidationAndNormalization(t *testing.T) {
 	cfg := validFile()
-	profile := cfg.Profiles["home"]
-	profile.LLM.ReviewerModelTier = " medium "
-	cfg.Profiles["home"] = profile
+	llm := cfg.LLMRuntimes["home-llm"]
+	llm.ReviewerModelTier = " medium "
+	cfg.LLMRuntimes["home-llm"] = llm
 
 	if err := Validate(cfg); err != nil {
 		t.Fatalf("Validate: %v", err)
@@ -365,9 +375,9 @@ func TestReviewerModelTierValidationAndNormalization(t *testing.T) {
 
 func TestValidateRejectsInvalidReviewerModelTier(t *testing.T) {
 	cfg := validFile()
-	profile := cfg.Profiles["home"]
-	profile.LLM.ReviewerModelTier = "flagship"
-	cfg.Profiles["home"] = profile
+	llm := cfg.LLMRuntimes["home-llm"]
+	llm.ReviewerModelTier = "flagship"
+	cfg.LLMRuntimes["home-llm"] = llm
 
 	err := Validate(cfg)
 	if !errors.Is(err, ErrInvalid) {
@@ -440,9 +450,9 @@ func TestValidateRejectsInvalidModelMap(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			cfg := validFile()
-			profile := cfg.Profiles["home"]
-			profile.LLM.ModelMap = tt.modelMap
-			cfg.Profiles["home"] = profile
+			llm := cfg.LLMRuntimes["home-llm"]
+			llm.ModelMap = tt.modelMap
+			cfg.LLMRuntimes["home-llm"] = llm
 			err := Validate(cfg)
 			if !errors.Is(err, ErrInvalid) {
 				t.Fatalf("Validate error = %v, want ErrInvalid", err)
@@ -1257,9 +1267,11 @@ func TestValidateCredentialLocations(t *testing.T) {
 				profile := cfg.Profiles["work"]
 				profile.Git.Credential = CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/shared"}
 				profile.Git.CredentialRef = ""
-				profile.ReviewerCredentials.Credential = CredentialLocation{Store: "work-file", Name: "codereview/shared"}
-				profile.ReviewerCredentials.CredentialRef = ""
 				cfg.Profiles["work"] = profile
+				entity := cfg.ReviewerEntities["work-reviewer"]
+				entity.Credential = CredentialLocation{Store: "work-file", Name: "codereview/shared"}
+				entity.CredentialRef = ""
+				cfg.ReviewerEntities["work-reviewer"] = entity
 			},
 		},
 		{
@@ -1268,12 +1280,14 @@ func TestValidateCredentialLocations(t *testing.T) {
 				profile := cfg.Profiles["work"]
 				profile.Git.Credential = CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/shared"}
 				profile.Git.CredentialRef = ""
-				profile.ReviewerCredentials.Credential = CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/shared"}
-				profile.ReviewerCredentials.CredentialRef = ""
 				cfg.Profiles["work"] = profile
+				entity := cfg.ReviewerEntities["work-reviewer"]
+				entity.Credential = CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/shared"}
+				entity.CredentialRef = ""
+				cfg.ReviewerEntities["work-reviewer"] = entity
 			},
 			wantErr: ErrInvalid,
-			wantMsg: "reviewer_credentials.credential must differ from git.credential",
+			wantMsg: "reviewer.entity \"work-reviewer\" credential must differ from git.credential",
 		},
 	}
 
@@ -1475,9 +1489,9 @@ func TestValidateRejectsReservedGitAuthModes(t *testing.T) {
 			cfg.Profiles["home"] = profile
 		}},
 		{name: "reviewer oauth_device", mutate: func(cfg *File) {
-			profile := cfg.Profiles["work"]
-			profile.ReviewerCredentials.AuthMode = GitAuthModeOAuthDevice
-			cfg.Profiles["work"] = profile
+			entity := cfg.ReviewerEntities["work-reviewer"]
+			entity.AuthMode = GitAuthModeOAuthDevice
+			cfg.ReviewerEntities["work-reviewer"] = entity
 		}},
 	}
 
@@ -1503,9 +1517,9 @@ func TestValidateAcceptsGitHubAppAuthModes(t *testing.T) {
 			cfg.Profiles["home"] = profile
 		}},
 		{name: "reviewer github_app", mutate: func(cfg *File) {
-			profile := cfg.Profiles["work"]
-			profile.ReviewerCredentials.AuthMode = GitAuthModeGitHubApp
-			cfg.Profiles["work"] = profile
+			entity := cfg.ReviewerEntities["work-reviewer"]
+			entity.AuthMode = GitAuthModeGitHubApp
+			cfg.ReviewerEntities["work-reviewer"] = entity
 		}},
 	}
 
@@ -1531,9 +1545,9 @@ func TestSaveRejectsReservedGitAuthModes(t *testing.T) {
 			cfg.Profiles["home"] = profile
 		}},
 		{name: "reviewer oauth_device", mutate: func(cfg *File) {
-			profile := cfg.Profiles["work"]
-			profile.ReviewerCredentials.AuthMode = GitAuthModeOAuthDevice
-			cfg.Profiles["work"] = profile
+			entity := cfg.ReviewerEntities["work-reviewer"]
+			entity.AuthMode = GitAuthModeOAuthDevice
+			cfg.ReviewerEntities["work-reviewer"] = entity
 		}},
 	}
 
@@ -1557,7 +1571,12 @@ func TestLoadRejectsReservedGitAuthModes(t *testing.T) {
 		name string
 		body string
 	}{
-		{name: "git oauth_device", body: `profiles:
+		{name: "git oauth_device", body: `llm_runtimes:
+  claude-local:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
+profiles:
   home:
     git:
       host: github.com
@@ -1565,12 +1584,23 @@ func TestLoadRejectsReservedGitAuthModes(t *testing.T) {
       credential:
         store: local-os
         name: codereview/home
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: git_identity
+    llm_runtime: claude-local
 `},
-		{name: "reviewer oauth_device", body: `profiles:
+		{name: "reviewer oauth_device", body: `llm_runtimes:
+  claude-local:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
+reviewer_entities:
+  work-reviewer:
+    host: github.com
+    auth_mode: oauth_device
+    credential:
+      store: local-os
+      name: codereview/work-reviewer
+profiles:
   work:
     git:
       host: github.com
@@ -1578,15 +1608,10 @@ func TestLoadRejectsReservedGitAuthModes(t *testing.T) {
       credential:
         store: local-os
         name: codereview/work
-    reviewer_credentials:
-      auth_mode: oauth_device
-      credential:
-        store: local-os
-        name: codereview/work-reviewer
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: entity
+      entity: work-reviewer
+    llm_runtime: claude-local
 `},
 	}
 
@@ -1604,7 +1629,19 @@ func TestLoadRejectsReservedGitAuthModes(t *testing.T) {
 
 func TestLoadAcceptsGitHubAppAuthMode(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
-	writeFile(t, path, `profiles:
+	writeFile(t, path, `llm_runtimes:
+  claude-local:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
+reviewer_entities:
+  work-reviewer:
+    host: github.com
+    auth_mode: github_app
+    credential:
+      store: local-os
+      name: codereview/work-reviewer
+profiles:
   work:
     git:
       host: github.com
@@ -1612,15 +1649,10 @@ func TestLoadAcceptsGitHubAppAuthMode(t *testing.T) {
       credential:
         store: local-os
         name: codereview/work
-    reviewer_credentials:
-      auth_mode: github_app
-      credential:
-        store: local-os
-        name: codereview/work-reviewer
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: entity
+      entity: work-reviewer
+    llm_runtime: claude-local
 `)
 	cfg, err := Load(path)
 	if err != nil {
@@ -1634,7 +1666,22 @@ func TestLoadAcceptsGitHubAppAuthMode(t *testing.T) {
 
 func TestLoadRejectsMultilineReviewerDisplayName(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
-	writeFile(t, path, `profiles:
+	writeFile(t, path, `llm_runtimes:
+  claude-local:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
+reviewer_entities:
+  work-reviewer:
+    host: github.com
+    auth_mode: github_app
+    credential:
+      store: local-os
+      name: codereview/work-reviewer
+    display_name: |
+      line one
+      line two
+profiles:
   work:
     git:
       host: github.com
@@ -1642,24 +1689,16 @@ func TestLoadRejectsMultilineReviewerDisplayName(t *testing.T) {
       credential:
         store: local-os
         name: codereview/work
-    reviewer_credentials:
-      auth_mode: github_app
-      credential:
-        store: local-os
-        name: codereview/work-reviewer
-      display_name: |
-        line one
-        line two
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: entity
+      entity: work-reviewer
+    llm_runtime: claude-local
 `)
 	_, err := Load(path)
 	if !errors.Is(err, ErrInvalid) {
 		t.Fatalf("Load error = %v, want ErrInvalid", err)
 	}
-	if !strings.Contains(err.Error(), "reviewer_credentials.display_name") {
+	if !strings.Contains(err.Error(), "reviewer_entities.work-reviewer.display_name") {
 		t.Fatalf("Load error = %v, want display_name validation", err)
 	}
 }
@@ -1713,10 +1752,10 @@ func TestSubscriptionLLMCredentialsAreAdapterManaged(t *testing.T) {
 
 func TestAPIKeyLLMRequiresCredentialRef(t *testing.T) {
 	cfg := validFile()
-	profile := cfg.Profiles["work"]
-	profile.LLM.CredentialRef = ""
-	profile.LLM.Credential = CredentialLocation{}
-	cfg.Profiles["work"] = profile
+	llm := cfg.LLMRuntimes["work-llm"]
+	llm.CredentialRef = ""
+	llm.Credential = CredentialLocation{}
+	cfg.LLMRuntimes["work-llm"] = llm
 
 	if err := Validate(cfg); !errors.Is(err, ErrInvalid) {
 		t.Fatalf("Validate error = %v, want ErrInvalid", err)
@@ -1729,30 +1768,34 @@ func TestValidateRejectsInvalidCredentialRefs(t *testing.T) {
 		mutate func(*File)
 	}{
 		{name: "subscription LLM stored ref", mutate: func(cfg *File) {
-			profile := cfg.Profiles["home"]
-			profile.LLM.CredentialRef = "codereview/home-llm"
-			cfg.Profiles["home"] = profile
+			llm := cfg.LLMRuntimes["home-llm"]
+			llm.CredentialRef = "codereview/home-llm"
+			cfg.LLMRuntimes["home-llm"] = llm
 		}},
 		{name: "empty reviewer credential ref", mutate: func(cfg *File) {
-			profile := cfg.Profiles["work"]
-			profile.ReviewerCredentials.CredentialRef = ""
-			profile.ReviewerCredentials.Credential = CredentialLocation{}
-			cfg.Profiles["work"] = profile
+			entity := cfg.ReviewerEntities["work-reviewer"]
+			entity.CredentialRef = ""
+			entity.Credential = CredentialLocation{}
+			cfg.ReviewerEntities["work-reviewer"] = entity
 		}},
 		{name: "reviewer credential ref matches git credential ref", mutate: func(cfg *File) {
 			profile := cfg.Profiles["work"]
-			profile.ReviewerCredentials.CredentialRef = profile.Git.CredentialRef
 			cfg.Profiles["work"] = profile
+			entity := cfg.ReviewerEntities["work-reviewer"]
+			entity.CredentialRef = profile.Git.CredentialRef
+			cfg.ReviewerEntities["work-reviewer"] = entity
 		}},
 		{name: "llm credential ref matches git credential ref", mutate: func(cfg *File) {
 			profile := cfg.Profiles["work"]
-			profile.LLM.CredentialRef = profile.Git.CredentialRef
-			cfg.Profiles["work"] = profile
+			llm := cfg.LLMRuntimes["work-llm"]
+			llm.CredentialRef = profile.Git.CredentialRef
+			cfg.LLMRuntimes["work-llm"] = llm
 		}},
 		{name: "llm credential ref matches reviewer credential ref", mutate: func(cfg *File) {
-			profile := cfg.Profiles["work"]
-			profile.LLM.CredentialRef = profile.ReviewerCredentials.CredentialRef
-			cfg.Profiles["work"] = profile
+			entity := cfg.ReviewerEntities["work-reviewer"]
+			llm := cfg.LLMRuntimes["work-llm"]
+			llm.CredentialRef = entity.CredentialRef
+			cfg.LLMRuntimes["work-llm"] = llm
 		}},
 		{name: "git ref invalid chars", mutate: func(cfg *File) {
 			profile := cfg.Profiles["home"]
@@ -1765,9 +1808,9 @@ func TestValidateRejectsInvalidCredentialRefs(t *testing.T) {
 			cfg.Profiles["home"] = profile
 		}},
 		{name: "llm ref invalid chars", mutate: func(cfg *File) {
-			profile := cfg.Profiles["work"]
-			profile.LLM.CredentialRef = "codereview/work.llm"
-			cfg.Profiles["work"] = profile
+			llm := cfg.LLMRuntimes["work-llm"]
+			llm.CredentialRef = "codereview/work.llm"
+			cfg.LLMRuntimes["work-llm"] = llm
 		}},
 	}
 
@@ -1817,7 +1860,12 @@ func TestValidationCoversAgentSourcesReviewPolicyAndRetention(t *testing.T) {
 func TestRetentionMaxAgeDefaultAndExplicitZero(t *testing.T) {
 	t.Run("omitted defaults to 90", func(t *testing.T) {
 		path := filepath.Join(t.TempDir(), "config.yml")
-		writeFile(t, path, `profiles:
+		writeFile(t, path, `llm_runtimes:
+  claude-local:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
+profiles:
   home:
     git:
       host: github.com
@@ -1825,10 +1873,9 @@ func TestRetentionMaxAgeDefaultAndExplicitZero(t *testing.T) {
       credential:
         store: local-os
         name: codereview/home
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: git_identity
+    llm_runtime: claude-local
 data:
   retention:
     enforcement: at_write
@@ -1844,7 +1891,12 @@ data:
 
 	t.Run("explicit zero means keep forever", func(t *testing.T) {
 		path := filepath.Join(t.TempDir(), "config.yml")
-		writeFile(t, path, `profiles:
+		writeFile(t, path, `llm_runtimes:
+  claude-local:
+    provider: anthropic
+    auth: subscription
+    adapter: claude_cli
+profiles:
   home:
     git:
       host: github.com
@@ -1852,10 +1904,9 @@ data:
       credential:
         store: local-os
         name: codereview/home
-    llm:
-      provider: anthropic
-      auth: subscription
-      adapter: claude_cli
+    reviewer:
+      kind: git_identity
+    llm_runtime: claude-local
 data:
   retention:
     max_age_days: 0
@@ -1894,6 +1945,28 @@ func TestValidateRetentionAppliesDefaultsAndPreservesExplicitZero(t *testing.T)
 
 func validFile() File {
 	return File{
+		LLMRuntimes: map[string]LLMConfig{
+			"home-llm": {
+				Provider: LLMProviderAnthropic,
+				Auth:     LLMAuthSubscription,
+				Adapter:  LLMAdapterClaudeCLI,
+			},
+			"work-llm": {
+				Provider:      LLMProviderAnthropic,
+				Auth:          LLMAuthAPIKey,
+				Adapter:       LLMAdapterAnthropicAPI,
+				CredentialRef: "codereview/work-llm",
+			},
+		},
+		ReviewerEntities: map[string]ReviewerEntity{
+			"work-reviewer": {
+				Host:          "github.com",
+				AuthMode:      GitAuthModePAT,
+				CredentialRef: "codereview/work-reviewer",
+				DisplayName:   "Work reviewer bot",
+				IdentityCache: "acme-review-bot",
+			},
+		},
 		Profiles: map[string]Profile{
 			"home": {
 				Git: GitConfig{
@@ -1902,11 +1975,8 @@ func validFile() File {
 					CredentialRef: "codereview/home",
 					IdentityCache: "rianjs",
 				},
-				LLM: LLMConfig{
-					Provider: LLMProviderAnthropic,
-					Auth:     LLMAuthSubscription,
-					Adapter:  LLMAdapterClaudeCLI,
-				},
+				Reviewer:     ProfileReviewer{Kind: ProfileReviewerKindGitIdentity},
+				LLMRuntime:   "home-llm",
 				AgentSources: []string{"~/dev/my-reviewers"},
 				ReviewPolicy: ReviewPolicy{
 					MajorEvent:       ReviewMajorEventComment,
@@ -1920,18 +1990,8 @@ func validFile() File {
 					CredentialRef: "codereview/work",
 					IdentityCache: "rianjs",
 				},
-				ReviewerCredentials: &ReviewerCredentials{
-					AuthMode:      GitAuthModePAT,
-					CredentialRef: "codereview/work-reviewer",
-					DisplayName:   "Work reviewer bot",
-					IdentityCache: "acme-review-bot",
-				},
-				LLM: LLMConfig{
-					Provider:      LLMProviderAnthropic,
-					Auth:          LLMAuthAPIKey,
-					Adapter:       LLMAdapterAnthropicAPI,
-					CredentialRef: "codereview/work-llm",
-				},
+				Reviewer:     ProfileReviewer{Kind: ProfileReviewerKindEntity, Entity: "work-reviewer"},
+				LLMRuntime:   "work-llm",
 				AgentSources: []string{"~/dev/work-reviewers"},
 				ReviewPolicy: ReviewPolicy{
 					MajorEvent:       ReviewMajorEventRequestChanges,
diff --git a/internal/config/init_surface_doc_test.go b/internal/config/init_surface_doc_test.go
index cf07f2ac..003996f9 100644
--- a/internal/config/init_surface_doc_test.go
+++ b/internal/config/init_surface_doc_test.go
@@ -68,7 +68,6 @@ func initSurfaceExpectedSchemaPaths() []string {
 	paths = append(paths,
 		"config.repository_profiles[]",
 		"config.profiles.<name>",
-		"config.profiles.<name>.reviewer_credentials",
 	)
 	sort.Strings(paths)
 	return paths
diff --git a/internal/identity/identity.go b/internal/identity/identity.go
index 880c2830..ca2a6ea0 100644
--- a/internal/identity/identity.go
+++ b/internal/identity/identity.go
@@ -47,7 +47,7 @@ func Refresh(ctx context.Context, cfg config.File, profileName string, resolver
 	if err != nil {
 		return cfg, nil, false, err
 	}
-	cfg.Profiles[name] = updatedProfile
+	cfg = applyIdentityCacheUpdates(cfg, name, profile, updatedProfile, []ProfileResult{result})
 	return cfg, []ProfileResult{result}, changed, nil
 }
 
@@ -71,7 +71,7 @@ func RefreshAll(ctx context.Context, cfg config.File, resolver Resolver) (config
 		if err != nil {
 			return original, nil, false, err
 		}
-		updated.Profiles[name] = updatedProfile
+		updated = applyIdentityCacheUpdates(updated, name, profile, updatedProfile, profileResults)
 		results = append(results, profileResults...)
 		changed = changed || profileChanged
 	}
@@ -148,12 +148,38 @@ func reviewerIdentitySource(profile config.Profile) (config.GitConfig, string) {
 	return config.GitConfig{
 		Host:          profile.Git.Host,
 		AuthMode:      profile.ReviewerCredentials.AuthMode,
+		Credential:    profile.ReviewerCredentials.Credential,
 		CredentialRef: profile.ReviewerCredentials.CredentialRef,
 		IdentityCache: profile.ReviewerCredentials.IdentityCache,
 	}, profile.ReviewerCredentials.IdentityCache
 }
 
+func applyIdentityCacheUpdates(cfg config.File, profileName string, original config.Profile, updated config.Profile, results []ProfileResult) config.File {
+	for _, result := range results {
+		if !result.IdentityCacheUpdated {
+			continue
+		}
+		switch result.CredentialSource {
+		case SourceGit:
+			cfg.Profiles[profileName] = updated
+		case SourceReviewer:
+			if original.Reviewer.Kind == config.ProfileReviewerKindEntity {
+				entityName := strings.TrimSpace(original.Reviewer.Entity)
+				entity, ok := cfg.ReviewerEntities[entityName]
+				if ok {
+					entity.IdentityCache = result.Identity.Login
+					cfg.ReviewerEntities[entityName] = entity
+				}
+				continue
+			}
+			cfg.Profiles[profileName] = updated
+		}
+	}
+	return config.Normalize(cfg)
+}
+
 func normalizeForUpdate(cfg config.File) config.File {
+	cfg = config.Normalize(cfg)
 	if cfg.Profiles == nil {
 		cfg.Profiles = map[string]config.Profile{}
 		return cfg
@@ -169,5 +195,12 @@ func normalizeForUpdate(cfg config.File) config.File {
 		profiles[name] = profile
 	}
 	cfg.Profiles = profiles
+	if cfg.ReviewerEntities != nil {
+		entities := make(map[string]config.ReviewerEntity, len(cfg.ReviewerEntities))
+		for name, entity := range cfg.ReviewerEntities {
+			entities[name] = entity
+		}
+		cfg.ReviewerEntities = entities
+	}
 	return cfg
 }

From 05b9cbfe65f797c91fcdf4eb8b0ea31b139bef78 Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Sun, 21 Jun 2026 18:48:14 -0400
Subject: [PATCH 02/27] Bump minor version to 0.7

---
 version.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version.txt b/version.txt
index 5a2a5806..eb49d7c7 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-0.6
+0.7

From aaee4bfa5562a0afe868f4aeb2385828eec6f7fb Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Sun, 21 Jun 2026 19:16:51 -0400
Subject: [PATCH 03/27] Use linear design language for init inventory screens

---
 internal/cmd/credentialcmd/credentialcmd.go   |   4 +-
 internal/cmd/credentialcmd/init_inventory.go  | 107 ++++++++++++++++--
 .../cmd/credentialcmd/init_inventory_test.go  |  57 +++++++++-
 3 files changed, 157 insertions(+), 11 deletions(-)

diff --git a/internal/cmd/credentialcmd/credentialcmd.go b/internal/cmd/credentialcmd/credentialcmd.go
index 25321345..768a1f2f 100644
--- a/internal/cmd/credentialcmd/credentialcmd.go
+++ b/internal/cmd/credentialcmd/credentialcmd.go
@@ -1960,7 +1960,7 @@ func (p huhInitLLMRuntimePrompter) editLLMRuntimeInventory(prompt initLLMRuntime
 	draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 	for {
 		result, err := p.runInventory(initInventoryPrompt{
-			Title:       "LLM Runtime",
+			Title:       "LLM runtime",
 			Description: "Choose how reviewer agents run.",
 			Rows:        initLLMRuntimeInventoryRows(prompt.Context),
 			Width:       80,
@@ -2165,7 +2165,7 @@ func (p huhInitReviewerEntityPrompter) editReviewerEntityInventory(prompt initRe
 	draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 	for {
 		result, err := p.runInventory(initInventoryPrompt{
-			Title:       "Reviewer Entity",
+			Title:       "Reviewer entity",
 			Description: reviewerEntitySelectionDescription(),
 			Rows:        initReviewerEntityInventoryRows(prompt.Context),
 			Width:       80,
diff --git a/internal/cmd/credentialcmd/init_inventory.go b/internal/cmd/credentialcmd/init_inventory.go
index b3089149..a56d1f76 100644
--- a/internal/cmd/credentialcmd/init_inventory.go
+++ b/internal/cmd/credentialcmd/init_inventory.go
@@ -284,17 +284,108 @@ func (m initInventoryModel) View() string {
 		// prompt starts, rather than appending the next form below stale content.
 		return ""
 	}
-	l := m.list
-	l.AdditionalShortHelpKeys = func() []key.Binding {
-		return m.helpBindings()
+	var lines []string
+	lines = append(lines, initLinearTheme.title.Render(m.title))
+	if m.desc != "" {
+		var descLines []string
+		initLinearAppendWrappedWithPrefix(&descLines, "", m.desc, initInventoryViewWidth(m))
+		for _, line := range descLines {
+			lines = append(lines, initLinearTheme.help.Render(line))
+		}
+	}
+	if filter := strings.TrimSpace(m.list.FilterValue()); filter != "" {
+		lines = append(lines, "", initLinearTheme.title.Render("Filter"), initLinearTheme.help.Render(filter))
+	}
+	lines = append(lines, m.renderRows()...)
+	lines = append(lines, "", initLinearTheme.help.Render(m.helpLine()))
+	return strings.Join(lines, "\n")
+}
+
+func (m initInventoryModel) renderRows() []string {
+	items := m.list.VisibleItems()
+	if len(items) == 0 {
+		return []string{"", initLinearTheme.help.Render("No matching entries")}
+	}
+	selectedIndex := m.list.Index()
+	var lines []string
+	currentSection := initInventoryRowKind("")
+	for index, item := range items {
+		inventoryItem, ok := item.(initInventoryItem)
+		if !ok {
+			continue
+		}
+		row := inventoryItem.row
+		if row.Kind != currentSection {
+			currentSection = row.Kind
+			lines = append(lines, "")
+			lines = append(lines, initLinearTheme.title.Render(initInventorySectionTitle(row.Kind)))
+		}
+		lines = append(lines, m.renderRow(row, index == selectedIndex)...)
+	}
+	return lines
+}
+
+func initInventorySectionTitle(kind initInventoryRowKind) string {
+	switch kind {
+	case initInventoryRowKindActive:
+		return "Configured"
+	case initInventoryRowKindPending:
+		return "Staged changes"
+	case initInventoryRowKindCommand:
+		return "Actions"
+	default:
+		return "Actions"
+	}
+}
+
+func (m initInventoryModel) renderRow(row initInventoryRow, selected bool) []string {
+	prefix := "  [ ] "
+	if selected {
+		prefix = "> [x] "
 	}
-	l.AdditionalFullHelpKeys = func() []key.Binding {
-		return m.helpBindings()
+	var titleLines []string
+	initLinearAppendWrappedWithPrefix(&titleLines, prefix, row.Title, initInventoryViewWidth(m))
+	title := strings.Join(titleLines, "\n")
+	switch {
+	case selected && initInventoryRowActionable(row):
+		title = initLinearStyleSelectedLine(title)
+	case !initInventoryRowActionable(row):
+		title = initLinearTheme.help.Render(title)
 	}
-	if m.desc == "" {
-		return l.View()
+	lines := []string{title}
+	if description := strings.TrimSpace(row.Description); description != "" {
+		var descriptionLines []string
+		initLinearAppendWrappedWithPrefix(&descriptionLines, "      ", description, initInventoryViewWidth(m))
+		for _, line := range descriptionLines {
+			lines = append(lines, initLinearTheme.help.Render(line))
+		}
+	}
+	return lines
+}
+
+func initInventoryViewWidth(m initInventoryModel) int {
+	if width := m.list.Width(); width > 0 {
+		return width
+	}
+	return 80
+}
+
+func initInventoryRowActionable(row initInventoryRow) bool {
+	return row.Selectable || row.Deletable || row.Restorable
+}
+
+func (m initInventoryModel) helpLine() string {
+	parts := []string{"up/k previous", "down/j next", "enter select"}
+	if row, ok := m.selectedRow(); ok {
+		if row.Deletable {
+			parts = append(parts, "d delete")
+		}
+		if row.Restorable {
+			parts = append(parts, "r restore")
+		}
 	}
-	return m.desc + "\n\n" + l.View()
+	parts = append(parts, "esc back")
+	return strings.Join(parts, " - ")
 }
 
 func (m initInventoryModel) selectedRow() (initInventoryRow, bool) {
diff --git a/internal/cmd/credentialcmd/init_inventory_test.go b/internal/cmd/credentialcmd/init_inventory_test.go
index 2631c5c7..74f814e9 100644
--- a/internal/cmd/credentialcmd/init_inventory_test.go
+++ b/internal/cmd/credentialcmd/init_inventory_test.go
@@ -66,6 +66,61 @@ func TestInitInventoryReordersRowsIntoActiveCommandAndPendingGroups(t *testing.T
 	}
 }
 
+func TestInitInventoryViewUsesLinearActionListDesign(t *testing.T) {
+	model := newInitInventoryModel(initInventoryPrompt{
+		Title:       "LLM runtime",
+		Description: "Choose how reviewer agents run.",
+		Width:       80,
+		Height:      20,
+		Rows: []initInventoryRow{
+			{ID: "claude-cli", Title: "Template: Claude CLI subscription", Kind: initInventoryRowKindCommand, PrimaryAction: initInventoryActionCommand, Selectable: true},
+			{ID: "codex-cli", Title: "Template: Codex CLI subscription", Kind: initInventoryRowKindCommand, PrimaryAction: initInventoryActionCommand, Selectable: true},
+			{ID: "back", Title: "Back to main menu", Kind: initInventoryRowKindCommand, PrimaryAction: initInventoryActionBack, Selectable: true},
+		},
+	})
+
+	out := model.View()
+	plainOut := stripANSITest(out)
+	assertContentOrder(t, plainOut,
+		"LLM runtime",
+		"Choose how reviewer agents run.",
+		"Actions",
+		"> [x] Template: Claude CLI subscription",
+		"  [ ] Template: Codex CLI subscription",
+		"  [ ] Back to main menu",
+	)
+	for _, oldChrome := range []string{"│ Template:", "↑/k up", "/ filter", "? more"} {
+		if strings.Contains(plainOut, oldChrome) {
+			t.Fatalf("view contains old list chrome %q:\n%s", oldChrome, out)
+		}
+	}
+}
+
+func TestInitInventoryViewGroupsConfiguredActionsAndPendingChanges(t *testing.T) {
+	model := newInitInventoryModel(initInventoryPrompt{
+		Title:       "Reviewer entity",
+		Description: "Choose who posts reviews.",
+		Rows: []initInventoryRow{
+			{ID: "pat", Title: "PAT reviewer", Description: "local-os / codereview/reviewer-pat", Kind: initInventoryRowKindActive, Selectable: true, Deletable: true},
+			{ID: "restore-app", Title: "GitHub App reviewer (Staged for deletion)", Kind: initInventoryRowKindPending, Restorable: true},
+			{ID: "create-pat", Title: "Configure new personal access token (PAT) reviewer", Kind: initInventoryRowKindCommand, PrimaryAction: initInventoryActionCommand, Selectable: true},
+			{ID: "back", Title: "Back to main menu", Kind: initInventoryRowKindCommand, PrimaryAction: initInventoryActionBack, Selectable: true},
+		},
+	})
+
+	plainOut := stripANSITest(model.View())
+	assertContentOrder(t, plainOut,
+		"Configured",
+		"> [x] PAT reviewer",
+		"local-os / codereview/reviewer-pat",
+		"Actions",
+		"Configure new personal access token (PAT) reviewer",
+		"Back to main menu",
+		"Staged changes",
+		"GitHub App reviewer (Staged for deletion)",
+	)
+}
+
 func TestInitInventoryDeleteKeyStagesDeletionForDeletableRow(t *testing.T) {
 	model := newInitInventoryModel(initInventoryPrompt{
 		Title:  "LLM runtime",
@@ -586,7 +641,7 @@ func TestInitInventoryViewShowsContextualHelpBindings(t *testing.T) {
 			t.Fatalf("view = %q, want %q", out, want)
 		}
 	}
-	for _, unwanted := range []string{"restore", "Actions", "Pending deletion"} {
+	for _, unwanted := range []string{"restore", "Pending deletion"} {
 		if strings.Contains(out, unwanted) {
 			t.Fatalf("view = %q, did not want %q for selected deletable row", out, unwanted)
 		}

From b9241eb95e85a4f043fda2e6ff8d5003e27711d4 Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Sun, 21 Jun 2026 19:40:59 -0400
Subject: [PATCH 04/27] Add profile GitHub App installation routing model

---
 docs/init-config-surface.md    |   2 +
 internal/config/config.go      |  92 +++++++++++++++++++++++-
 internal/config/config_test.go | 124 +++++++++++++++++++++++++++++++++
 3 files changed, 215 insertions(+), 3 deletions(-)

diff --git a/docs/init-config-surface.md b/docs/init-config-surface.md
index 7b354f7f..2e455ae5 100644
--- a/docs/init-config-surface.md
+++ b/docs/init-config-surface.md
@@ -57,6 +57,8 @@ intentionally unsupported.
 | config.reviewer_entities | Configure reviewer entities creates and edits reusable posting identities independently from review profiles. Entity definitions include host, auth mode, credential location, display name, and identity cache. | Interactive main-menu reviewer-entity flow only for now. Future config commands may own scripted reviewer-entity CRUD. | Omitted means no separate reviewer identities are configured yet. Profiles can still choose `git_identity`. Existing entities are pre-populated in the inventory. | Entity names are stable ids. PAT and GitHub App entities store explicit credential locations and never the secret values. Deleting a referenced entity requires affected profiles to select a replacement or use Git identity. | First-class reviewer-entity data model tests and init reviewer-entity UX tests. |
 | config.profiles.<name>.reviewer.kind | Review profile composition chooses whether posting uses the profile Git account or a configured reviewer entity. | Interactive review-profile flow only for now. | New profiles require an explicit choice. Existing value is pre-populated. | `git_identity` requires empty `reviewer.entity`; `entity` requires an existing reviewer entity whose host matches profile Git host. | First-class reviewer-reference validation tests. |
 | config.profiles.<name>.reviewer.entity | Review profile composition selects one configured reviewer entity when `reviewer.kind` is `entity`. | Interactive review-profile flow only for now. | Empty for `git_identity`. Existing entity reference is pre-populated. | Must reference `config.reviewer_entities`. The entity credential must differ from Git and selected LLM runtime credentials when the store also matches. | First-class reviewer-reference validation tests. |
+| config.profiles.<name>.reviewer.github_app_installation.mode | Review profile composition chooses how a GitHub App reviewer entity resolves its installation. | Interactive review-profile flow only for now. | Required when `reviewer.entity` uses GitHub App auth. New GitHub App reviewer selections default to `discover_from_repository`. | `discover_from_repository` resolves from PR repository context; `pinned` requires `installation_id`. Must be empty for PAT and Git identity reviewers. | GitHub App reviewer installation routing tests. |
+| config.profiles.<name>.reviewer.github_app_installation.installation_id | Review profile composition stores an optional pinned GitHub App installation id for this profile. | Interactive review-profile flow only for now. | Empty unless installation mode is `pinned`. | Must be a decimal GitHub App installation id when present. This is profile routing data, not secret material. | GitHub App reviewer installation routing tests. |
 | config.profiles.<name>.llm_runtime | Review profile composition selects one configured LLM runtime by name. | Interactive review-profile flow only for now. Future config commands may own scripted profile composition. | New profiles require an explicit runtime choice. Existing runtime reference is pre-populated. | Must reference `config.llm_runtimes`. API-key runtime credentials must differ from Git and selected reviewer entity credentials when the store also matches. | First-class LLM-runtime reference validation tests. |
 | config.profiles.<name>.agent_sources[] | Direct trusted-directory editor shows existing profile agent-source paths in one multiline field with explanatory notes about trust and separate repo-local `.codereview/agents` discovery. | Existing `cr init --agent-source`; existing `cr config agent-source add/remove`; #186 docs sequence. | Omitted means no additional profile-specific trusted directories. Existing values are pre-populated line-by-line. | Preserve on skip. Clearing the field removes all profile-specific agent sources. Entered paths are normalized and deduped through the shared config-edit helper. | #177 extracts helper. #183 tests add/remove/reset/preserve. #289 prompt tests cover explanatory copy, multiline entry, and Back. |
 | config.profiles.<name>.review_policy.major_event | Review-policy wizard chooses comment or request_changes. | Existing `cr init --major-event`. | Current init defaults to `comment`. Existing value is pre-populated. | Preserve on skip. Set validates enum. Reset clears to normalized default `comment`. | #183 tests prompt, reset, and validation. |
diff --git a/internal/config/config.go b/internal/config/config.go
index e6bf0f7f..1df08bac 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -10,6 +10,7 @@ import (
 	"os"
 	"path/filepath"
 	"sort"
+	"strconv"
 	"strings"
 	"time"
 
@@ -202,8 +203,9 @@ type ReviewerCredentials struct {
 
 // ProfileReviewer selects the identity used to post review comments.
 type ProfileReviewer struct {
-	Kind   ProfileReviewerKind `yaml:"kind" json:"kind"`
-	Entity string              `yaml:"entity,omitempty" json:"entity,omitempty"`
+	Kind                  ProfileReviewerKind                   `yaml:"kind" json:"kind"`
+	Entity                string                                `yaml:"entity,omitempty" json:"entity,omitempty"`
+	GitHubAppInstallation *ProfileReviewerGitHubAppInstallation `yaml:"github_app_installation,omitempty" json:"github_app_installation,omitempty"`
 }
 
 // ProfileReviewerKind identifies how a profile chooses its posting identity.
@@ -225,6 +227,33 @@ func (k ProfileReviewerKind) Valid() bool {
 	}
 }
 
+// ProfileReviewerGitHubAppInstallation selects the GitHub App installation a
+// profile uses when its reviewer entity is a GitHub App.
+type ProfileReviewerGitHubAppInstallation struct {
+	Mode           ProfileReviewerGitHubAppInstallationMode `yaml:"mode" json:"mode"`
+	InstallationID string                                   `yaml:"installation_id,omitempty" json:"installation_id,omitempty"`
+}
+
+// ProfileReviewerGitHubAppInstallationMode identifies how a profile resolves a
+// GitHub App installation.
+type ProfileReviewerGitHubAppInstallationMode string
+
+// GitHub App installation resolution modes.
+const (
+	ProfileReviewerGitHubAppInstallationDiscoverFromRepository ProfileReviewerGitHubAppInstallationMode = "discover_from_repository"
+	ProfileReviewerGitHubAppInstallationPinned                 ProfileReviewerGitHubAppInstallationMode = "pinned"
+)
+
+// Valid reports whether m is a known GitHub App installation resolution mode.
+func (m ProfileReviewerGitHubAppInstallationMode) Valid() bool {
+	switch m {
+	case ProfileReviewerGitHubAppInstallationDiscoverFromRepository, ProfileReviewerGitHubAppInstallationPinned:
+		return true
+	default:
+		return false
+	}
+}
+
 // ReviewerEntity is one reusable configured posting identity.
 type ReviewerEntity struct {
 	Host          string             `yaml:"host" json:"host"`
@@ -972,6 +1001,9 @@ func validateProfile(cfg File, name string, profile Profile) error {
 		if strings.TrimSpace(profile.Reviewer.Entity) != "" {
 			return invalid("profiles.%s.reviewer.entity must be empty for git_identity reviewer", name)
 		}
+		if profile.Reviewer.GitHubAppInstallation != nil {
+			return invalid("profiles.%s.reviewer.github_app_installation must be empty for git_identity reviewer", name)
+		}
 	case ProfileReviewerKindEntity:
 		if strings.TrimSpace(profile.Reviewer.Entity) == "" {
 			return invalid("profiles.%s.reviewer.entity is required", name)
@@ -987,6 +1019,9 @@ func validateProfile(cfg File, name string, profile Profile) error {
 		if sameCredentialLocation(entity.Credential, profile.Git.Credential) {
 			return invalid("profiles.%s.reviewer.entity %q credential must differ from git.credential when store and name match", name, profile.Reviewer.Entity)
 		}
+		if err := validateProfileReviewerInstallation(name, profile.Reviewer, entity); err != nil {
+			return err
+		}
 	}
 	if strings.TrimSpace(profile.LLMRuntime) == "" {
 		return invalid("profiles.%s.llm_runtime is required", name)
@@ -1022,6 +1057,37 @@ func validateProfile(cfg File, name string, profile Profile) error {
 	return nil
 }
 
+func validateProfileReviewerInstallation(profileName string, reviewer ProfileReviewer, entity ReviewerEntity) error {
+	path := fmt.Sprintf("profiles.%s.reviewer.github_app_installation", profileName)
+	if entity.AuthMode != GitAuthModeGitHubApp {
+		if reviewer.GitHubAppInstallation != nil {
+			return invalid("%s must be empty unless reviewer.entity uses github_app auth", path)
+		}
+		return nil
+	}
+	if reviewer.GitHubAppInstallation == nil {
+		return invalid("%s.mode is required for github_app reviewer entities", path)
+	}
+	installation := reviewer.GitHubAppInstallation.normalized()
+	if !installation.Mode.Valid() {
+		return invalid("%s.mode %q is invalid", path, installation.Mode)
+	}
+	switch installation.Mode {
+	case ProfileReviewerGitHubAppInstallationDiscoverFromRepository:
+		if strings.TrimSpace(installation.InstallationID) != "" {
+			return invalid("%s.installation_id must be empty when mode is discover_from_repository", path)
+		}
+	case ProfileReviewerGitHubAppInstallationPinned:
+		if strings.TrimSpace(installation.InstallationID) == "" {
+			return invalid("%s.installation_id is required when mode is pinned", path)
+		}
+		if _, err := strconv.ParseInt(installation.InstallationID, 10, 64); err != nil {
+			return invalid("%s.installation_id %q must be a decimal GitHub App installation ID", path, installation.InstallationID)
+		}
+	}
+	return nil
+}
+
 func validateEffectiveProfile(name string, profile Profile) error {
 	if strings.TrimSpace(profile.Git.Host) == "" {
 		return invalid("%s.git.host is required", name)
@@ -1483,7 +1549,7 @@ func (cfg File) projectProfileComponentReferences() File {
 					existing.DisplayName = displayName
 					cfg.ReviewerEntities[entityName] = existing
 				}
-				profile.Reviewer = ProfileReviewer{Kind: ProfileReviewerKindEntity, Entity: entityName}
+				profile.Reviewer = projectedProfileReviewerForEntity(entityName, entity.AuthMode)
 			}
 		}
 		profiles[name] = profile
@@ -1492,6 +1558,16 @@ func (cfg File) projectProfileComponentReferences() File {
 	return cfg
 }
 
+func projectedProfileReviewerForEntity(entityName string, authMode GitAuthMode) ProfileReviewer {
+	reviewer := ProfileReviewer{Kind: ProfileReviewerKindEntity, Entity: strings.TrimSpace(entityName)}
+	if authMode == GitAuthModeGitHubApp {
+		reviewer.GitHubAppInstallation = &ProfileReviewerGitHubAppInstallation{
+			Mode: ProfileReviewerGitHubAppInstallationDiscoverFromRepository,
+		}
+	}
+	return reviewer
+}
+
 func mergeProjectedReviewerEntityDisplayName(existing, next string) string {
 	existing = strings.TrimSpace(existing)
 	next = strings.TrimSpace(next)
@@ -1729,9 +1805,19 @@ func (p Profile) normalized() Profile {
 func (r ProfileReviewer) normalized() ProfileReviewer {
 	r.Kind = ProfileReviewerKind(strings.TrimSpace(string(r.Kind)))
 	r.Entity = strings.TrimSpace(r.Entity)
+	if r.GitHubAppInstallation != nil {
+		installation := r.GitHubAppInstallation.normalized()
+		r.GitHubAppInstallation = &installation
+	}
 	return r
 }
 
+func (i ProfileReviewerGitHubAppInstallation) normalized() ProfileReviewerGitHubAppInstallation {
+	i.Mode = ProfileReviewerGitHubAppInstallationMode(strings.TrimSpace(string(i.Mode)))
+	i.InstallationID = strings.TrimSpace(i.InstallationID)
+	return i
+}
+
 func (g GitConfig) normalized() GitConfig {
 	g.CredentialRef = strings.TrimSpace(g.CredentialRef)
 	g.Credential = g.Credential.normalized()
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index 36ffac36..b23b1883 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -1520,6 +1520,11 @@ func TestValidateAcceptsGitHubAppAuthModes(t *testing.T) {
 			entity := cfg.ReviewerEntities["work-reviewer"]
 			entity.AuthMode = GitAuthModeGitHubApp
 			cfg.ReviewerEntities["work-reviewer"] = entity
+			profile := cfg.Profiles["work"]
+			profile.Reviewer.GitHubAppInstallation = &ProfileReviewerGitHubAppInstallation{
+				Mode: ProfileReviewerGitHubAppInstallationDiscoverFromRepository,
+			}
+			cfg.Profiles["work"] = profile
 		}},
 	}
 
@@ -1534,6 +1539,123 @@ func TestValidateAcceptsGitHubAppAuthModes(t *testing.T) {
 	}
 }
 
+func TestValidateProfileReviewerGitHubAppInstallation(t *testing.T) {
+	githubAppReviewer := func(cfg *File) {
+		entity := cfg.ReviewerEntities["work-reviewer"]
+		entity.AuthMode = GitAuthModeGitHubApp
+		cfg.ReviewerEntities["work-reviewer"] = entity
+	}
+	tests := []struct {
+		name    string
+		mutate  func(*File)
+		wantErr error
+		wantMsg string
+	}{
+		{
+			name: "discover from repository",
+			mutate: func(cfg *File) {
+				githubAppReviewer(cfg)
+				profile := cfg.Profiles["work"]
+				profile.Reviewer.GitHubAppInstallation = &ProfileReviewerGitHubAppInstallation{
+					Mode: ProfileReviewerGitHubAppInstallationDiscoverFromRepository,
+				}
+				cfg.Profiles["work"] = profile
+			},
+		},
+		{
+			name: "pinned installation",
+			mutate: func(cfg *File) {
+				githubAppReviewer(cfg)
+				profile := cfg.Profiles["work"]
+				profile.Reviewer.GitHubAppInstallation = &ProfileReviewerGitHubAppInstallation{
+					Mode:           ProfileReviewerGitHubAppInstallationPinned,
+					InstallationID: "123456",
+				}
+				cfg.Profiles["work"] = profile
+			},
+		},
+		{
+			name: "missing for github app reviewer",
+			mutate: func(cfg *File) {
+				githubAppReviewer(cfg)
+			},
+			wantErr: ErrInvalid,
+			wantMsg: "profiles.work.reviewer.github_app_installation.mode is required",
+		},
+		{
+			name: "pinned without id",
+			mutate: func(cfg *File) {
+				githubAppReviewer(cfg)
+				profile := cfg.Profiles["work"]
+				profile.Reviewer.GitHubAppInstallation = &ProfileReviewerGitHubAppInstallation{
+					Mode: ProfileReviewerGitHubAppInstallationPinned,
+				}
+				cfg.Profiles["work"] = profile
+			},
+			wantErr: ErrInvalid,
+			wantMsg: "installation_id is required",
+		},
+		{
+			name: "discover with id",
+			mutate: func(cfg *File) {
+				githubAppReviewer(cfg)
+				profile := cfg.Profiles["work"]
+				profile.Reviewer.GitHubAppInstallation = &ProfileReviewerGitHubAppInstallation{
+					Mode:           ProfileReviewerGitHubAppInstallationDiscoverFromRepository,
+					InstallationID: "123456",
+				}
+				cfg.Profiles["work"] = profile
+			},
+			wantErr: ErrInvalid,
+			wantMsg: "installation_id must be empty",
+		},
+		{
+			name: "pat reviewer with installation config",
+			mutate: func(cfg *File) {
+				profile := cfg.Profiles["work"]
+				profile.Reviewer.GitHubAppInstallation = &ProfileReviewerGitHubAppInstallation{
+					Mode: ProfileReviewerGitHubAppInstallationDiscoverFromRepository,
+				}
+				cfg.Profiles["work"] = profile
+			},
+			wantErr: ErrInvalid,
+			wantMsg: "must be empty unless reviewer.entity uses github_app auth",
+		},
+		{
+			name: "git identity with installation config",
+			mutate: func(cfg *File) {
+				profile := cfg.Profiles["home"]
+				profile.Reviewer.GitHubAppInstallation = &ProfileReviewerGitHubAppInstallation{
+					Mode: ProfileReviewerGitHubAppInstallationDiscoverFromRepository,
+				}
+				cfg.Profiles["home"] = profile
+			},
+			wantErr: ErrInvalid,
+			wantMsg: "must be empty for git_identity reviewer",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg := validFile()
+			tt.mutate(&cfg)
+			err := Validate(cfg)
+			if tt.wantErr == nil {
+				if err != nil {
+					t.Fatalf("Validate: %v", err)
+				}
+				return
+			}
+			if !errors.Is(err, tt.wantErr) {
+				t.Fatalf("Validate error = %v, want %v", err, tt.wantErr)
+			}
+			if tt.wantMsg != "" && !strings.Contains(err.Error(), tt.wantMsg) {
+				t.Fatalf("Validate error = %v, want message containing %q", err, tt.wantMsg)
+			}
+		})
+	}
+}
+
 func TestSaveRejectsReservedGitAuthModes(t *testing.T) {
 	tests := []struct {
 		name   string
@@ -1652,6 +1774,8 @@ profiles:
     reviewer:
       kind: entity
       entity: work-reviewer
+      github_app_installation:
+        mode: discover_from_repository
     llm_runtime: claude-local
 `)
 	cfg, err := Load(path)

From 216dfae2bc1497d9f94cdfe337dad3245a66ba5c Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Sun, 21 Jun 2026 19:46:34 -0400
Subject: [PATCH 05/27] Remove GitHub App installation ID from reviewer secrets

---
 internal/cmd/credentialcmd/credentialcmd.go   | 17 ++++-
 .../cmd/credentialcmd/credentialcmd_test.go   | 71 ++++++-------------
 .../init_reviewer_credential_status.go        |  2 +-
 .../init_reviewer_entity_editor.go            | 41 ++++-------
 internal/credentials/credentials.go           |  6 +-
 internal/credentials/credentials_test.go      | 11 ++-
 6 files changed, 57 insertions(+), 91 deletions(-)

diff --git a/internal/cmd/credentialcmd/credentialcmd.go b/internal/cmd/credentialcmd/credentialcmd.go
index 768a1f2f..19bfda33 100644
--- a/internal/cmd/credentialcmd/credentialcmd.go
+++ b/internal/cmd/credentialcmd/credentialcmd.go
@@ -5703,7 +5703,7 @@ func materializeProfileReviewerEntity(cfg config.File, profileName string, profi
 			existing.DisplayName = displayName
 			cfg.ReviewerEntities[name] = existing
 		}
-		profile.Reviewer = config.ProfileReviewer{Kind: config.ProfileReviewerKindEntity, Entity: name}
+		profile.Reviewer = initProfileReviewerForEntity(name, existing.AuthMode)
 		if cfg.Profiles == nil {
 			cfg.Profiles = map[string]config.Profile{}
 		}
@@ -5713,7 +5713,7 @@ func materializeProfileReviewerEntity(cfg config.File, profileName string, profi
 
 	entityName := uniqueInitReviewerEntityName(buildInitStandaloneReviewerEntityNameSet(cfg.ReviewerEntities), profileName+"-reviewer")
 	cfg.ReviewerEntities[entityName] = entity
-	profile.Reviewer = config.ProfileReviewer{Kind: config.ProfileReviewerKindEntity, Entity: entityName}
+	profile.Reviewer = initProfileReviewerForEntity(entityName, entity.AuthMode)
 	if cfg.Profiles == nil {
 		cfg.Profiles = map[string]config.Profile{}
 	}
@@ -5721,6 +5721,19 @@ func materializeProfileReviewerEntity(cfg config.File, profileName string, profi
 	return cfg, profile
 }
 
+func initProfileReviewerForEntity(entityName string, authMode config.GitAuthMode) config.ProfileReviewer {
+	reviewer := config.ProfileReviewer{
+		Kind:   config.ProfileReviewerKindEntity,
+		Entity: strings.TrimSpace(entityName),
+	}
+	if authMode == config.GitAuthModeGitHubApp {
+		reviewer.GitHubAppInstallation = &config.ProfileReviewerGitHubAppInstallation{
+			Mode: config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository,
+		}
+	}
+	return reviewer
+}
+
 func reviewerEntityConfigFromProfile(profile config.Profile) config.ReviewerEntity {
 	reviewer := profile.ReviewerCredentials
 	if reviewer == nil {
diff --git a/internal/cmd/credentialcmd/credentialcmd_test.go b/internal/cmd/credentialcmd/credentialcmd_test.go
index 8318dfe6..37724d51 100644
--- a/internal/cmd/credentialcmd/credentialcmd_test.go
+++ b/internal/cmd/credentialcmd/credentialcmd_test.go
@@ -242,7 +242,6 @@ func TestSetCredentialUsesGitHubAppCredentialMatrix(t *testing.T) {
 	}{
 		{key: credentials.GitHubAppIDKey, value: "12345"},
 		{key: credentials.GitHubAppPrivateKeyKey, value: "private-key-value"},
-		{key: credentials.GitHubAppInstallationIDKey, value: "67890"},
 	} {
 		cmd, _, _ = newTestCommand(path, strings.NewReader(write.value))
 		err = root.Execute(cmd, []string{
@@ -259,7 +258,6 @@ func TestSetCredentialUsesGitHubAppCredentialMatrix(t *testing.T) {
 	}
 	assertFileBundleKeys(t, "work-reviewer", []string{
 		credentials.GitHubAppIDKey,
-		credentials.GitHubAppInstallationIDKey,
 		credentials.GitHubAppPrivateKeyKey,
 	})
 }
@@ -797,7 +795,6 @@ func TestPlanInitCredentials(t *testing.T) {
 		want := []credentials.KeySpec{
 			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-			{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 		}
 		if !reflect.DeepEqual(entry.KeySpecs, want) {
 			t.Fatalf("key specs = %#v, want %#v", entry.KeySpecs, want)
@@ -2451,8 +2448,15 @@ func TestBuildInitReviewerEntityInventorySharedDisplayNameWinsWhenOnlyOneProfile
 func TestEditInteractiveInitReviewerEntityStepUpdatesConfiguredEntity(t *testing.T) {
 	home := basicProfile("home")
 	work := basicProfile("work")
-	home.Reviewer = config.ProfileReviewer{Kind: config.ProfileReviewerKindEntity, Entity: "oc-collective-bot"}
-	work.Reviewer = config.ProfileReviewer{Kind: config.ProfileReviewerKindEntity, Entity: "oc-collective-bot"}
+	reviewer := config.ProfileReviewer{
+		Kind:   config.ProfileReviewerKindEntity,
+		Entity: "oc-collective-bot",
+		GitHubAppInstallation: &config.ProfileReviewerGitHubAppInstallation{
+			Mode: config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository,
+		},
+	}
+	home.Reviewer = reviewer
+	work.Reviewer = reviewer
 	cfg := config.File{
 		ReviewerEntities: map[string]config.ReviewerEntity{
 			"oc-collective-bot": {
@@ -2512,7 +2516,7 @@ func TestEditInteractiveInitReviewerEntityStepUpdatesConfiguredEntity(t *testing
 	}
 	for _, profileName := range []string{"home", "work"} {
 		profile := next.cfg.Profiles[profileName]
-		if got, want := profile.Reviewer, (config.ProfileReviewer{Kind: config.ProfileReviewerKindEntity, Entity: "oc-collective-bot"}); got != want {
+		if got, want := profile.Reviewer, reviewer; !reflect.DeepEqual(got, want) {
 			t.Fatalf("%s reviewer selector = %#v, want %#v", profileName, got, want)
 		}
 		if profile.ReviewerCredentials == nil {
@@ -3958,7 +3962,6 @@ func TestWriteInitCredentialPlanHintsUsesMissingRequiredKeysOnly(t *testing.T) {
 		KeySpecs: []credentials.KeySpec{
 			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-			{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 		},
 		PlannedWriteKeys:    []string{credentials.GitHubAppIDKey},
 		MissingRequiredKeys: []string{credentials.GitHubAppPrivateKeyKey},
@@ -3991,7 +3994,6 @@ func TestWriteInitCredentialPlanHintsForDeferredGitHubAppUsesRequiredKeysOnly(t
 		KeySpecs: []credentials.KeySpec{
 			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-			{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 		},
 		State: initCredentialPlanStateDefer,
 	}
@@ -6464,15 +6466,12 @@ func TestHuhInitReviewerEntityPrompterGitHubAppLinearFlowShowsCredentialBundleCo
 		"Reviewer credential status",
 		credentials.GitHubAppIDKey,
 		credentials.GitHubAppPrivateKeyKey,
-		credentials.GitHubAppInstallationIDKey,
 		"staged",
 		credentials.GitHubAppIDKey,
 		credentials.GitHubAppPrivateKeyKey,
 		"Reviewer credential values",
 		"GitHub App ID",
 		"GitHub App private key",
-		"Optional credential key: " + credentials.GitHubAppInstallationIDKey,
-		"optional",
 	} {
 		if !strings.Contains(out, want) {
 			t.Fatalf("stderr missing %q:\n%s", want, out)
@@ -6758,9 +6757,6 @@ func TestReviewerEntityLinearEditorGitHubAppRequiresInlineSecretsBeforeStaging(t
 	if got := draft.ReviewerCredentialWrites[credentials.GitHubAppPrivateKeyKey]; got != privateKey {
 		t.Fatalf("staged private key = %q, want multiline key", got)
 	}
-	if _, ok := draft.ReviewerCredentialWrites[credentials.GitHubAppInstallationIDKey]; ok {
-		t.Fatalf("optional installation id staged unexpectedly: %#v", draft.ReviewerCredentialWrites)
-	}
 }
 
 func TestReviewerEntityLinearEditorLabelDerivedRefDoesNotMarkMissingStatusAsOverwrite(t *testing.T) {
@@ -6779,7 +6775,6 @@ func TestReviewerEntityLinearEditorLabelDerivedRefDoesNotMarkMissingStatusAsOver
 			Keys: []initReviewerCredentialKeyStatus{
 				{Key: credentials.GitHubAppIDKey, Required: true, State: initReviewerCredentialKeyMissing},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true, State: initReviewerCredentialKeyMissing},
-				{Key: credentials.GitHubAppInstallationIDKey, Required: false, State: initReviewerCredentialKeyOptional},
 			},
 		}},
 	}
@@ -6821,7 +6816,6 @@ func TestReviewerEntityLinearEditorManualRefDoesNotMarkUnavailableStatusAsOverwr
 			Keys: []initReviewerCredentialKeyStatus{
 				{Key: credentials.GitHubAppIDKey, Required: true, State: initReviewerCredentialKeyMissing},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true, State: initReviewerCredentialKeyMissing},
-				{Key: credentials.GitHubAppInstallationIDKey, Required: false, State: initReviewerCredentialKeyOptional},
 			},
 		}},
 	}
@@ -6864,7 +6858,6 @@ func TestReviewerEntityLinearEditorLabelDerivedRefPreservesBackendUnavailableSta
 			Keys: []initReviewerCredentialKeyStatus{
 				{Key: credentials.GitHubAppIDKey, Required: true, State: initReviewerCredentialKeyUnavailable},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true, State: initReviewerCredentialKeyUnavailable},
-				{Key: credentials.GitHubAppInstallationIDKey, Required: false, State: initReviewerCredentialKeyUnavailable},
 			},
 		}},
 	}
@@ -7010,8 +7003,6 @@ func TestHuhInitReviewerEntityDetailsGitHubAppShowsCredentialBundleCopy(t *testi
 		"GitHub App private key",
 		credentials.GitHubAppIDKey,
 		credentials.GitHubAppPrivateKeyKey,
-		"Optional credential key: " + credentials.GitHubAppInstallationIDKey,
-		"optional",
 	} {
 		if !strings.Contains(out, want) {
 			t.Fatalf("stderr missing %q:\n%s", want, out)
@@ -7056,7 +7047,6 @@ func TestHuhInitReviewerEntityDetailsPreservesPromptContextCredentialStore(t *te
 			Keys: []initReviewerCredentialKeyStatus{
 				{Key: credentials.GitHubAppIDKey, Required: true, State: initReviewerCredentialKeyMissing},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true, State: initReviewerCredentialKeyMissing},
-				{Key: credentials.GitHubAppInstallationIDKey, Required: false, State: initReviewerCredentialKeyOptional},
 			},
 		}},
 	}
@@ -7458,7 +7448,7 @@ func TestInitCredentialReadinessNoteNamesSelectedSecretsProfile(t *testing.T) {
 	}
 }
 
-func TestInitCredentialReadinessNoteLabelsGitHubAppRequiredAndOptionalKeys(t *testing.T) {
+func TestInitCredentialReadinessNoteLabelsGitHubAppRequiredKeys(t *testing.T) {
 	note := initCredentialReadinessNote(initCredentialPlanEntry{
 		Ref: config.CredentialRef{
 			Purpose: "reviewer_credentials",
@@ -7468,25 +7458,23 @@ func TestInitCredentialReadinessNoteLabelsGitHubAppRequiredAndOptionalKeys(t *te
 		KeySpecs: []credentials.KeySpec{
 			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-			{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 		},
 		State: initCredentialPlanStateDefer,
 	})
 	for _, want := range []string{
 		"reviewer deferred",
 		"required: " + credentials.GitHubAppIDKey + ", " + credentials.GitHubAppPrivateKeyKey,
-		"optional: " + credentials.GitHubAppInstallationIDKey,
 	} {
 		if !strings.Contains(note, want) {
 			t.Fatalf("note = %q, want %q", note, want)
 		}
 	}
-	if strings.Contains(note, "missing "+credentials.GitHubAppInstallationIDKey) || strings.Contains(note, "required: "+credentials.GitHubAppInstallationIDKey) {
-		t.Fatalf("note = %q, want installation id labeled optional only", note)
+	if strings.Contains(note, "optional:") || strings.Contains(note, credentials.GitHubAppInstallationIDKey) {
+		t.Fatalf("note = %q, want no optional installation id copy", note)
 	}
 }
 
-func TestInitCredentialReadinessNoteLabelsPartialGitHubAppOptionalKey(t *testing.T) {
+func TestInitCredentialReadinessNoteLabelsPartialGitHubAppRequiredKeys(t *testing.T) {
 	note := initCredentialReadinessNote(initCredentialPlanEntry{
 		Ref: config.CredentialRef{
 			Purpose: "reviewer_credentials",
@@ -7496,21 +7484,19 @@ func TestInitCredentialReadinessNoteLabelsPartialGitHubAppOptionalKey(t *testing
 		KeySpecs: []credentials.KeySpec{
 			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-			{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 		},
 		MissingRequiredKeys: []string{credentials.GitHubAppPrivateKeyKey},
 		State:               initCredentialPlanStateMissingRequired,
 	})
 	for _, want := range []string{
 		"reviewer missing required " + credentials.GitHubAppPrivateKeyKey,
-		"optional: " + credentials.GitHubAppInstallationIDKey,
 	} {
 		if !strings.Contains(note, want) {
 			t.Fatalf("note = %q, want %q", note, want)
 		}
 	}
-	if strings.Contains(note, "missing "+credentials.GitHubAppInstallationIDKey) || strings.Contains(note, "required "+credentials.GitHubAppInstallationIDKey) {
-		t.Fatalf("note = %q, want optional installation id not treated as required", note)
+	if strings.Contains(note, "optional:") || strings.Contains(note, credentials.GitHubAppInstallationIDKey) {
+		t.Fatalf("note = %q, want no optional installation id copy", note)
 	}
 }
 
@@ -7518,12 +7504,11 @@ func TestInitProfileReadinessLineIncludesNotes(t *testing.T) {
 	line := initProfileReadinessLine(initProfileReadiness{
 		ProfileName: "work",
 		Ready:       false,
-		Notes:       []string{"reviewer deferred (required: github_app_id, github_app_private_key; optional: github_app_installation_id)"},
+		Notes:       []string{"reviewer deferred (required: github_app_id, github_app_private_key)"},
 	})
 	for _, want := range []string{
 		"- work: needs follow-up",
 		"required: github_app_id, github_app_private_key",
-		"optional: github_app_installation_id",
 	} {
 		if !strings.Contains(line, want) {
 			t.Fatalf("line = %q, want %q", line, want)
@@ -15363,7 +15348,6 @@ func TestInitCredentialSecretPromptTitleReviewerKeys(t *testing.T) {
 		KeySpecs: []credentials.KeySpec{
 			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-			{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 		},
 	}
 	patEntry := initCredentialPlanEntry{
@@ -15385,7 +15369,7 @@ func TestInitCredentialSecretPromptTitleReviewerKeys(t *testing.T) {
 			got: initCredentialSecretPromptTitle(initCredentialSecretPrompt{
 				Entry: githubAppEntry,
 			}),
-			want: "How should init handle GitHub App reviewer secrets? (codereview/rianjs-bot) (required: github_app_id, github_app_private_key; optional: github_app_installation_id)",
+			want: "How should init handle GitHub App reviewer secrets? (codereview/rianjs-bot) (required: github_app_id, github_app_private_key)",
 		},
 		{
 			name: "pat action title",
@@ -15708,23 +15692,19 @@ func TestInitReviewerCredentialStatusStates(t *testing.T) {
 		KeySpecs: []credentials.KeySpec{
 			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-			{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 		},
 	}
-	decisions := map[initCredentialDecisionKey]initCredentialDecisionKind{}
-	decisions[initCredentialDecisionMapKey(entry, credentials.GitHubAppInstallationIDKey)] = initCredentialDecisionSkipOptional
 
 	status := initReviewerCredentialStatusFromEntry(
 		entry,
 		map[string]string{credentials.GitHubAppPrivateKeyKey: "sentinel-private-key"},
-		decisions,
+		map[initCredentialDecisionKey]initCredentialDecisionKind{},
 		map[string]bool{credentials.GitHubAppIDKey: true},
 		"",
 	)
 
 	assertReviewerCredentialKeyState(t, status, credentials.GitHubAppIDKey, initReviewerCredentialKeyExisting)
 	assertReviewerCredentialKeyState(t, status, credentials.GitHubAppPrivateKeyKey, initReviewerCredentialKeyStaged)
-	assertReviewerCredentialKeyState(t, status, credentials.GitHubAppInstallationIDKey, initReviewerCredentialKeySkippedOptional)
 	if strings.Contains(initReviewerCredentialStatusDescription(status), "sentinel-private-key") {
 		t.Fatalf("status description leaked secret value: %s", initReviewerCredentialStatusDescription(status))
 	}
@@ -15740,7 +15720,6 @@ func TestInitReviewerCredentialStatusDeferPreservesPartialExistingKeys(t *testin
 		KeySpecs: []credentials.KeySpec{
 			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-			{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 		},
 	}
 	decisions := map[initCredentialDecisionKey]initCredentialDecisionKind{}
@@ -15756,7 +15735,6 @@ func TestInitReviewerCredentialStatusDeferPreservesPartialExistingKeys(t *testin
 
 	assertReviewerCredentialKeyState(t, status, credentials.GitHubAppIDKey, initReviewerCredentialKeyExisting)
 	assertReviewerCredentialKeyState(t, status, credentials.GitHubAppPrivateKeyKey, initReviewerCredentialKeyDeferred)
-	assertReviewerCredentialKeyState(t, status, credentials.GitHubAppInstallationIDKey, initReviewerCredentialKeyOptional)
 }
 
 func TestInitReviewerCredentialStatusSelectionFiltersByAuthMode(t *testing.T) {
@@ -17000,7 +16978,6 @@ func TestInitInteractiveMenuReviewerCredentialStatusShowsStagedOnReentry(t *test
 				status := findReviewerCredentialStatusForTest(t, prompt.Context.ReviewerCredentialStatuses, "codereview/rianjs-bot", string(config.GitAuthModeGitHubApp))
 				assertReviewerCredentialKeyState(t, status, credentials.GitHubAppIDKey, initReviewerCredentialKeyStaged)
 				assertReviewerCredentialKeyState(t, status, credentials.GitHubAppPrivateKeyKey, initReviewerCredentialKeyStaged)
-				assertReviewerCredentialKeyState(t, status, credentials.GitHubAppInstallationIDKey, initReviewerCredentialKeyOptional)
 				description := initReviewerCredentialStatusDescription(status)
 				if strings.Contains(description, "sentinel") {
 					t.Fatalf("status leaked secret value: %s", description)
@@ -19308,7 +19285,6 @@ func TestApplyInteractiveInitSessionPlanWritesReviewerSecretsToResolvedStore(t *
 			KeySpecs: []credentials.KeySpec{
 				{Key: credentials.GitHubAppIDKey, Required: true},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-				{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 			},
 			State: initCredentialPlanStateWrite,
 		}},
@@ -20804,7 +20780,6 @@ func TestApplyInteractiveInitSessionPlanDeletesStaleReviewerKeyWithoutWrites(t *
 			KeySpecs: []credentials.KeySpec{
 				{Key: credentials.GitHubAppIDKey, Required: true},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-				{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 			},
 			State: initCredentialPlanStateKeepExisting,
 		}},
@@ -20832,8 +20807,8 @@ func TestApplyInteractiveInitSessionPlanDeletesStaleReviewerKeyWithoutWrites(t *
 	if ok, err := store.Exists("work-reviewer", credentials.GitHubAppPrivateKeyKey); err != nil || !ok {
 		t.Fatalf("github_app_private_key exists = %t, err = %v; want retained", ok, err)
 	}
-	if ok, err := store.Exists("work-reviewer", credentials.GitHubAppInstallationIDKey); err != nil || !ok {
-		t.Fatalf("github_app_installation_id exists = %t, err = %v; want retained", ok, err)
+	if ok, err := store.Exists("work-reviewer", credentials.GitHubAppInstallationIDKey); err != nil || ok {
+		t.Fatalf("github_app_installation_id exists = %t, err = %v; want deleted as stale legacy key", ok, err)
 	}
 }
 
@@ -20874,7 +20849,6 @@ func TestApplyInteractiveInitSessionPlanSaveFailureDoesNotDeleteStaleReviewerKey
 			KeySpecs: []credentials.KeySpec{
 				{Key: credentials.GitHubAppIDKey, Required: true},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-				{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 			},
 			State: initCredentialPlanStateKeepExisting,
 		}},
@@ -20941,7 +20915,6 @@ func TestApplyInteractiveInitSessionPlanKeepsSharedRefPATKeyAfterStagedAuthSwitc
 			KeySpecs: []credentials.KeySpec{
 				{Key: credentials.GitHubAppIDKey, Required: true},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-				{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 			},
 			State: initCredentialPlanStateWrite,
 		}},
@@ -21001,7 +20974,6 @@ func TestApplyInitPlanDeletesStaleReviewerKeyWithoutWrites(t *testing.T) {
 			KeySpecs: []credentials.KeySpec{
 				{Key: credentials.GitHubAppIDKey, Required: true},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-				{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 			},
 			State: initCredentialPlanStateKeepExisting,
 		}},
@@ -21046,7 +21018,6 @@ func TestStaleReviewerCleanupKeepsKeysRequiredByAnotherActiveModeWithoutWrites(t
 		KeySpecs: []credentials.KeySpec{
 			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-			{Key: credentials.GitHubAppInstallationIDKey, Required: false},
 		},
 		State: initCredentialPlanStateKeepExisting,
 	}
diff --git a/internal/cmd/credentialcmd/init_reviewer_credential_status.go b/internal/cmd/credentialcmd/init_reviewer_credential_status.go
index 2b1c10b0..6fc8188b 100644
--- a/internal/cmd/credentialcmd/init_reviewer_credential_status.go
+++ b/internal/cmd/credentialcmd/init_reviewer_credential_status.go
@@ -361,7 +361,7 @@ func initReviewerCredentialStatusDescription(status initReviewerCredentialStatus
 		}
 		lines = append(lines, trimmed)
 	}
-	lines = append(lines, "This is a credential name, not a PAT, GitHub App ID, private key, or installation ID.")
+	lines = append(lines, "This is a credential name, not a PAT, GitHub App ID, or private key.")
 	if strings.TrimSpace(status.Unavailable) != "" {
 		lines = append(lines, strings.TrimSpace(status.Unavailable)+".")
 	}
diff --git a/internal/cmd/credentialcmd/init_reviewer_entity_editor.go b/internal/cmd/credentialcmd/init_reviewer_entity_editor.go
index dc1dc86e..4e1d5a35 100644
--- a/internal/cmd/credentialcmd/init_reviewer_entity_editor.go
+++ b/internal/cmd/credentialcmd/init_reviewer_entity_editor.go
@@ -17,17 +17,16 @@ import (
 type initReviewerEntityEditorRunner func(initLinearEditor, io.Reader, io.Writer) (initLinearEditorModel, error)
 
 const (
-	initReviewerEntityFieldSelection               initLinearFieldID = "reviewer_entity_selection"
-	initReviewerEntityFieldLabel                   initLinearFieldID = "reviewer_entity_label"
-	initReviewerEntityFieldCredentialStore         initLinearFieldID = "reviewer_entity_credential_store"
-	initReviewerEntityFieldSecretLocation          initLinearFieldID = "reviewer_entity_secret_location"
-	initReviewerEntityFieldCredentialStatus        initLinearFieldID = "reviewer_entity_credential_status"
-	initReviewerEntityFieldCredentialValues        initLinearFieldID = "reviewer_entity_credential_values"
-	initReviewerEntityFieldGitToken                initLinearFieldID = "reviewer_entity_git_token"
-	initReviewerEntityFieldGitHubAppID             initLinearFieldID = "reviewer_entity_github_app_id"
-	initReviewerEntityFieldGitHubAppPrivateKey     initLinearFieldID = "reviewer_entity_github_app_private_key"
-	initReviewerEntityFieldGitHubAppInstallationID initLinearFieldID = "reviewer_entity_github_app_installation_id"
-	initReviewerEntityFieldAction                  initLinearFieldID = "reviewer_entity_action"
+	initReviewerEntityFieldSelection           initLinearFieldID = "reviewer_entity_selection"
+	initReviewerEntityFieldLabel               initLinearFieldID = "reviewer_entity_label"
+	initReviewerEntityFieldCredentialStore     initLinearFieldID = "reviewer_entity_credential_store"
+	initReviewerEntityFieldSecretLocation      initLinearFieldID = "reviewer_entity_secret_location"
+	initReviewerEntityFieldCredentialStatus    initLinearFieldID = "reviewer_entity_credential_status"
+	initReviewerEntityFieldCredentialValues    initLinearFieldID = "reviewer_entity_credential_values"
+	initReviewerEntityFieldGitToken            initLinearFieldID = "reviewer_entity_git_token"
+	initReviewerEntityFieldGitHubAppID         initLinearFieldID = "reviewer_entity_github_app_id"
+	initReviewerEntityFieldGitHubAppPrivateKey initLinearFieldID = "reviewer_entity_github_app_private_key"
+	initReviewerEntityFieldAction              initLinearFieldID = "reviewer_entity_action"
 )
 
 const (
@@ -468,14 +467,6 @@ func addReviewerEntityCredentialValueFields(document *initLinearDocument, kind i
 	if index := document.fieldIndexByID(initReviewerEntityFieldGitHubAppPrivateKey); index >= 0 {
 		(*document)[index].Hidden = hidden || kind != initReviewerEntityKindGitHubApp
 	}
-	document.addEditableSecretInput(
-		initReviewerEntityFieldGitHubAppInstallationID,
-		"GitHub App installation ID",
-		"Optional. Leave blank unless this reviewer must pin a specific installation.",
-		"",
-		nil,
-		initLinearFieldOptions{Hidden: hidden || kind != initReviewerEntityKindGitHubApp},
-	)
 }
 
 func initReviewerEntitySetCredentialFieldsHidden(model *initLinearEditorModel, kind initReviewerEntityKind, hideDetails bool) {
@@ -485,7 +476,6 @@ func initReviewerEntitySetCredentialFieldsHidden(model *initLinearEditorModel, k
 	model.setFieldHidden(initReviewerEntityFieldGitToken, hidePAT)
 	model.setFieldHidden(initReviewerEntityFieldGitHubAppID, hideGitHubApp)
 	model.setFieldHidden(initReviewerEntityFieldGitHubAppPrivateKey, hideGitHubApp)
-	model.setFieldHidden(initReviewerEntityFieldGitHubAppInstallationID, hideGitHubApp)
 }
 
 func initReviewerEntityClearCredentialFieldValues(model *initLinearEditorModel) {
@@ -493,7 +483,6 @@ func initReviewerEntityClearCredentialFieldValues(model *initLinearEditorModel)
 		initReviewerEntityFieldGitToken,
 		initReviewerEntityFieldGitHubAppID,
 		initReviewerEntityFieldGitHubAppPrivateKey,
-		initReviewerEntityFieldGitHubAppInstallationID,
 	} {
 		model.setFieldValue(id, "")
 	}
@@ -546,8 +535,6 @@ func initReviewerEntityCredentialFieldKey(id initLinearFieldID) string {
 		return credentials.GitHubAppIDKey
 	case initReviewerEntityFieldGitHubAppPrivateKey:
 		return credentials.GitHubAppPrivateKeyKey
-	case initReviewerEntityFieldGitHubAppInstallationID:
-		return credentials.GitHubAppInstallationIDKey
 	default:
 		return ""
 	}
@@ -561,8 +548,6 @@ func initReviewerEntityCredentialFieldID(key string) initLinearFieldID {
 		return initReviewerEntityFieldGitHubAppID
 	case credentials.GitHubAppPrivateKeyKey:
 		return initReviewerEntityFieldGitHubAppPrivateKey
-	case credentials.GitHubAppInstallationIDKey:
-		return initReviewerEntityFieldGitHubAppInstallationID
 	default:
 		return ""
 	}
@@ -876,16 +861,16 @@ func reviewerEntityKindDetailDescription(kind initReviewerEntityKind) string {
 	if kind != initReviewerEntityKindGitHubApp {
 		return label
 	}
-	return label + ". Required credential keys: " + credentials.GitHubAppIDKey + ", " + credentials.GitHubAppPrivateKeyKey + ". Optional credential key: " + credentials.GitHubAppInstallationIDKey + "."
+	return label + ". Required credential keys: " + credentials.GitHubAppIDKey + ", " + credentials.GitHubAppPrivateKeyKey + "."
 }
 
 func reviewerEntitySecretLocationDescription(kind initReviewerEntityKind) string {
-	base := "Credential name for this reviewer. This is where cr stores secret values in the selected credential store; it is not a PAT, GitHub App ID, private key, or installation ID. Change it only if you need a custom credential-store location."
+	base := "Credential name for this reviewer. This is where cr stores secret values in the selected credential store; it is not a PAT, GitHub App ID, or private key. Change it only if you need a custom credential-store location."
 	if kind == initReviewerEntityKindPAT {
 		return base + " Store required secret " + credentials.GitTokenKey + " at this name."
 	}
 	if kind == initReviewerEntityKindGitHubApp {
-		return base + " Store required secrets " + credentials.GitHubAppIDKey + " and " + credentials.GitHubAppPrivateKeyKey + " at this name; " + credentials.GitHubAppInstallationIDKey + " is optional."
+		return base + " Store required secrets " + credentials.GitHubAppIDKey + " and " + credentials.GitHubAppPrivateKeyKey + " at this name."
 	}
 	return base
 }
diff --git a/internal/credentials/credentials.go b/internal/credentials/credentials.go
index 2d211ba4..16ed5f6f 100644
--- a/internal/credentials/credentials.go
+++ b/internal/credentials/credentials.go
@@ -35,7 +35,8 @@ const (
 	// GitHubAppPrivateKeyKey stores the GitHub App PEM private key.
 	// #nosec G101 -- this is a keyring item name, not a secret value.
 	GitHubAppPrivateKeyKey = "github_app_private_key"
-	// GitHubAppInstallationIDKey stores an optional explicit GitHub App installation ID.
+	// GitHubAppInstallationIDKey is a removed legacy key name. Installation
+	// routing now belongs to review profile config, not credential bundles.
 	// #nosec G101 -- this is a keyring item name, not a secret value.
 	GitHubAppInstallationIDKey = "github_app_installation_id"
 	// AnthropicAPIKeyKey stores the key name for Anthropic direct API adapters.
@@ -59,7 +60,7 @@ var (
 
 // AllowedKeys is cr's keyring write allowlist.
 func AllowedKeys() []string {
-	return []string{GitTokenKey, GitHubAppIDKey, GitHubAppPrivateKeyKey, GitHubAppInstallationIDKey, AnthropicAPIKeyKey, OpenAIAPIKeyKey}
+	return []string{GitTokenKey, GitHubAppIDKey, GitHubAppPrivateKeyKey, AnthropicAPIKeyKey, OpenAIAPIKeyKey}
 }
 
 // Ref is a parsed cr credential name.
@@ -497,7 +498,6 @@ func KeySpecsForPurpose(ref config.CredentialRef) ([]KeySpec, error) {
 			return []KeySpec{
 				{Key: GitHubAppIDKey, Required: true},
 				{Key: GitHubAppPrivateKeyKey, Required: true},
-				{Key: GitHubAppInstallationIDKey, Required: false},
 			}, nil
 		case config.GitAuthModeOAuthDevice:
 			return nil, fmt.Errorf("%w: %s auth_mode %q", config.ErrUnsupported, ref.Purpose, mode)
diff --git a/internal/credentials/credentials_test.go b/internal/credentials/credentials_test.go
index 5a23a0e3..ceb668f2 100644
--- a/internal/credentials/credentials_test.go
+++ b/internal/credentials/credentials_test.go
@@ -94,12 +94,13 @@ func TestStoreOptionsInvalidBackendFlag(t *testing.T) {
 }
 
 func TestAllowedKeysExactCredentialMatrix(t *testing.T) {
-	want := []string{GitTokenKey, GitHubAppIDKey, GitHubAppPrivateKeyKey, GitHubAppInstallationIDKey, AnthropicAPIKeyKey, OpenAIAPIKeyKey}
+	want := []string{GitTokenKey, GitHubAppIDKey, GitHubAppPrivateKeyKey, AnthropicAPIKeyKey, OpenAIAPIKeyKey}
 	if got := AllowedKeys(); !reflect.DeepEqual(got, want) {
 		t.Fatalf("AllowedKeys = %#v, want %#v", got, want)
 	}
 
 	for _, key := range []string{
+		GitHubAppInstallationIDKey,
 		LegacyLLMAPIKeyKey,
 		"git_oauth_access_token",
 		"git_oauth_refresh_token",
@@ -132,7 +133,6 @@ func TestKeySpecsForPurposeCredentialMatrix(t *testing.T) {
 			want: []KeySpec{
 				{Key: GitHubAppIDKey, Required: true},
 				{Key: GitHubAppPrivateKeyKey, Required: true},
-				{Key: GitHubAppInstallationIDKey, Required: false},
 			},
 		},
 		{
@@ -141,7 +141,6 @@ func TestKeySpecsForPurposeCredentialMatrix(t *testing.T) {
 			want: []KeySpec{
 				{Key: GitHubAppIDKey, Required: true},
 				{Key: GitHubAppPrivateKeyKey, Required: true},
-				{Key: GitHubAppInstallationIDKey, Required: false},
 			},
 		},
 		{
@@ -209,7 +208,7 @@ func TestValidateAllowedKeyForConfigNarrowsDeclaredRefs(t *testing.T) {
 	if err := ValidateAllowedKeyForConfig(cfg, "codereview/git-a", AnthropicAPIKeyKey); !errors.Is(err, credstore.ErrKeyNotAllowed) {
 		t.Fatalf("ValidateAllowedKeyForConfig git llm key error = %v, want ErrKeyNotAllowed", err)
 	}
-	wantAppKeys := []string{GitHubAppIDKey, GitHubAppInstallationIDKey, GitHubAppPrivateKeyKey}
+	wantAppKeys := []string{GitHubAppIDKey, GitHubAppPrivateKeyKey}
 	gotAppKeys, err := ExpectedKeysForConfigRef(cfg, "codereview/app")
 	if err != nil {
 		t.Fatalf("ExpectedKeysForConfigRef github_app: %v", err)
@@ -569,7 +568,6 @@ func TestCredentialStatuses(t *testing.T) {
 			Keys: []KeyStatus{
 				presentKeyStatus(GitHubAppIDKey, true),
 				presentKeyStatus(GitHubAppPrivateKeyKey, true),
-				missingKeyStatus(GitHubAppInstallationIDKey, false),
 			},
 		},
 		{
@@ -678,7 +676,6 @@ func TestCredentialStatusesPartialRequiredBundle(t *testing.T) {
 		Keys: []KeyStatus{
 			presentKeyStatus(GitHubAppIDKey, true),
 			missingKeyStatus(GitHubAppPrivateKeyKey, true),
-			missingKeyStatus(GitHubAppInstallationIDKey, false),
 		},
 	}
 	if !reflect.DeepEqual(got, want) {
@@ -701,7 +698,7 @@ func TestMissingRequiredKeys(t *testing.T) {
 		Keys: []KeyStatus{
 			missingKeyStatus(GitHubAppIDKey, true),
 			unknownKeyStatus(GitHubAppPrivateKeyKey, true, "boom"),
-			missingKeyStatus(GitHubAppInstallationIDKey, false),
+			missingKeyStatus("optional_test_key", false),
 		},
 	}
 	want := []string{GitHubAppIDKey}

From d4938d02e773a0c9facaeb5d52bb91a4f53f7552 Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Sun, 21 Jun 2026 19:54:46 -0400
Subject: [PATCH 06/27] Route GitHub App installations through reviewer
 profiles

---
 internal/cmd/configcmd/configcmd_test.go     |  7 +-
 internal/cmd/mecmd/mecmd.go                  |  6 +-
 internal/cmd/mecmd/mecmd_test.go             | 28 +++---
 internal/cmd/noleak/noleak_test.go           | 13 +--
 internal/cmd/reviewcmd/reviewcmd.go          | 21 +++--
 internal/cmd/reviewcmd/reviewcmd_test.go     | 65 ++++++++++++++
 internal/config/config.go                    | 23 +++++
 internal/config/config_test.go               | 36 ++++++++
 internal/gitprovider/github/app_auth.go      | 59 ++++++++-----
 internal/gitprovider/github/app_auth_test.go | 89 ++++++++++++++++----
 internal/gitprovider/github/client.go        |  1 +
 11 files changed, 284 insertions(+), 64 deletions(-)

diff --git a/internal/cmd/configcmd/configcmd_test.go b/internal/cmd/configcmd/configcmd_test.go
index 3b9ddc71..123af2fb 100644
--- a/internal/cmd/configcmd/configcmd_test.go
+++ b/internal/cmd/configcmd/configcmd_test.go
@@ -899,7 +899,6 @@ func TestConfigShowGitHubAppCredentialStatus(t *testing.T) {
 	want := []view.KeyStatus{
 		{Key: credentials.GitHubAppIDKey, Required: true, Present: &missing, Status: "missing"},
 		{Key: credentials.GitHubAppPrivateKeyKey, Required: true, Present: &missing, Status: "missing"},
-		{Key: credentials.GitHubAppInstallationIDKey, Required: false, Present: &missing, Status: "missing"},
 	}
 	if reviewer.Ref != "codereview/work-reviewer" || reviewer.Mode != "github_app" || !reflect.DeepEqual(reviewer.Keys, want) {
 		t.Fatalf("reviewer credential status = %#v, want app keys %#v", reviewer, want)
@@ -1980,13 +1979,11 @@ func TestConfigClearGitHubAppCredentialMatrix(t *testing.T) {
 	path := saveTestConfig(t, cfg)
 	appKeys := []string{
 		credentials.GitHubAppIDKey,
-		credentials.GitHubAppInstallationIDKey,
 		credentials.GitHubAppPrivateKeyKey,
 	}
 	seedFileBackend(t, "home-app", map[string]string{
-		credentials.GitHubAppIDKey:             "12345",
-		credentials.GitHubAppPrivateKeyKey:     "private-key",
-		credentials.GitHubAppInstallationIDKey: "42",
+		credentials.GitHubAppIDKey:         "12345",
+		credentials.GitHubAppPrivateKeyKey: "private-key",
 	})
 
 	dryRunCmd, dryRunOut := newTestCommand(path)
diff --git a/internal/cmd/mecmd/mecmd.go b/internal/cmd/mecmd/mecmd.go
index b75dc33d..c9f8208e 100644
--- a/internal/cmd/mecmd/mecmd.go
+++ b/internal/cmd/mecmd/mecmd.go
@@ -231,7 +231,11 @@ func (r *githubResolver) ResolveIdentity(ctx context.Context, profileName string
 		return gitprovider.Identity{}, err
 	}
 	defer store.Close()
-	client, credential, err := newClient(git, store, r.options)
+	options := r.options
+	if installationID := config.PinnedGitHubAppInstallationIDForGit(r.cfg.Profiles[profileName], git); installationID != "" {
+		options.InstallationID = installationID
+	}
+	client, credential, err := newClient(git, store, options)
 	if err != nil {
 		return gitprovider.Identity{}, err
 	}
diff --git a/internal/cmd/mecmd/mecmd_test.go b/internal/cmd/mecmd/mecmd_test.go
index 8d8bc137..c9dfea1a 100644
--- a/internal/cmd/mecmd/mecmd_test.go
+++ b/internal/cmd/mecmd/mecmd_test.go
@@ -167,9 +167,8 @@ func TestMeReviewerGitHubAppAuthJSONUsesReviewerCredentialFlow(t *testing.T) {
 	defer store.Close()
 	privateKey := testPrivateKeyPEM(t)
 	if _, err := store.SetBundle("work-reviewer", map[string]string{
-		credentials.GitHubAppIDKey:             "12345",
-		credentials.GitHubAppPrivateKeyKey:     privateKey,
-		credentials.GitHubAppInstallationIDKey: "42",
+		credentials.GitHubAppIDKey:         "12345",
+		credentials.GitHubAppPrivateKeyKey: privateKey,
 	}, credstore.WithOverwrite()); err != nil {
 		t.Fatalf("SetBundle reviewer: %v", err)
 	}
@@ -182,6 +181,13 @@ func TestMeReviewerGitHubAppAuthJSONUsesReviewerCredentialFlow(t *testing.T) {
 	work := cfg.Profiles["work"]
 	work.ReviewerCredentials.AuthMode = config.GitAuthModeGitHubApp
 	cfg.Profiles["work"] = work
+	cfg = config.Normalize(cfg)
+	work = cfg.Profiles["work"]
+	work.Reviewer.GitHubAppInstallation = &config.ProfileReviewerGitHubAppInstallation{
+		Mode:           config.ProfileReviewerGitHubAppInstallationPinned,
+		InstallationID: "42",
+	}
+	cfg.Profiles["work"] = work
 	path := saveTestConfig(t, cfg)
 
 	var appJWTs []string
@@ -484,8 +490,8 @@ func TestMeGitHubAppRequiresInstallationIDWithoutRepositoryContext(t *testing.T)
 	if !errors.Is(err, gitprovider.ErrAuth) {
 		t.Fatalf("Execute error = %v, want ErrAuth", err)
 	}
-	if !strings.Contains(err.Error(), credentials.GitHubAppInstallationIDKey) {
-		t.Fatalf("Execute error = %v, want missing installation id detail", err)
+	if !strings.Contains(err.Error(), "installation discovery requires repository context") {
+		t.Fatalf("Execute error = %v, want missing repository context detail", err)
 	}
 	if strings.Contains(err.Error()+out.String(), privateKey) {
 		t.Fatalf("output leaked private key: err=%v out=%q", err, out.String())
@@ -498,9 +504,8 @@ func TestMeGitHubAppGitAuthJSONWithoutReviewerCredentials(t *testing.T) {
 	defer store.Close()
 	privateKey := testPrivateKeyPEM(t)
 	if _, err := store.SetBundle("home", map[string]string{
-		credentials.GitHubAppIDKey:             "12345",
-		credentials.GitHubAppPrivateKeyKey:     privateKey,
-		credentials.GitHubAppInstallationIDKey: "42",
+		credentials.GitHubAppIDKey:         "12345",
+		credentials.GitHubAppPrivateKeyKey: privateKey,
 	}, credstore.WithOverwrite()); err != nil {
 		t.Fatalf("SetBundle home: %v", err)
 	}
@@ -535,8 +540,9 @@ func TestMeGitHubAppGitAuthJSONWithoutReviewerCredentials(t *testing.T) {
 		return &githubResolver{
 			cfg: cfg,
 			options: githubprovider.Options{
-				BaseURL:    server.URL,
-				GraphQLURL: server.URL + "/graphql",
+				BaseURL:        server.URL,
+				GraphQLURL:     server.URL + "/graphql",
+				InstallationID: "42",
 			},
 		}, nil, nil
 	})
@@ -631,6 +637,8 @@ profiles:
     reviewer:
       kind: entity
       entity: work-reviewer
+      github_app_installation:
+        mode: discover_from_repository
     llm_runtime: claude-cli
 `)
 	resolver := &fakeResolver{
diff --git a/internal/cmd/noleak/noleak_test.go b/internal/cmd/noleak/noleak_test.go
index 6db5de8e..b60e38ac 100644
--- a/internal/cmd/noleak/noleak_test.go
+++ b/internal/cmd/noleak/noleak_test.go
@@ -102,7 +102,8 @@ func TestCommandSurfacesDoNotLeakSeededSecrets(t *testing.T) {
 			args: func(*auditHarness) []string {
 				return []string{"set-credential", "--store", auditCredentialStoreID, "--name", "codereview/default-reviewer-app", "--key", credentials.GitHubAppInstallationIDKey, "--from-env", "CR_NOLEAK_APP_INSTALLATION_ID", "--overwrite"}
 			},
-			env: secretEnv,
+			env:     secretEnv,
+			wantErr: true,
 		},
 		{
 			name:    "set credential duplicate failure",
@@ -543,7 +544,6 @@ func (h *auditHarness) seedGitHubAppConfigShowCredentials(t *testing.T) {
 		{ref: "codereview/default", key: credentials.GitTokenKey, secret: h.gitSecret},
 		{ref: "codereview/default-reviewer-app", key: credentials.GitHubAppIDKey, secret: h.githubAppIDSecret},
 		{ref: "codereview/default-reviewer-app", key: credentials.GitHubAppPrivateKeyKey, secret: h.githubAppPrivateKey},
-		{ref: "codereview/default-reviewer-app", key: credentials.GitHubAppInstallationIDKey, secret: h.githubAppInstallationIDSecret},
 		{ref: "codereview/default-llm", key: credentials.AnthropicAPIKeyKey, secret: h.llmSecret},
 	})
 }
@@ -554,7 +554,6 @@ func (h *auditHarness) seedGitHubAppGitCredentials(t *testing.T) {
 	h.seedCredentialWrites(t, cfg, []credentialSeed{
 		{ref: "codereview/default-app", key: credentials.GitHubAppIDKey, secret: h.githubAppIDSecret},
 		{ref: "codereview/default-app", key: credentials.GitHubAppPrivateKeyKey, secret: h.githubAppPrivateKey},
-		{ref: "codereview/default-app", key: credentials.GitHubAppInstallationIDKey, secret: h.githubAppInstallationIDSecret},
 		{ref: "codereview/default-llm", key: credentials.AnthropicAPIKeyKey, secret: h.llmSecret},
 	})
 }
@@ -694,11 +693,15 @@ func (h *auditHarness) openCredentialStore() (*credstore.Store, error) {
 }
 
 func (h *auditHarness) newGitHubProvider(git config.GitConfig, store githubprovider.TokenStore, lookup *githubprovider.InstallationLookup) (*githubprovider.Client, gitprovider.Credential, error) {
-	return githubprovider.NewFromGitConfig(git, store, githubprovider.Options{
+	opts := githubprovider.Options{
 		BaseURL:            h.githubURL,
 		GraphQLURL:         h.graphQLURL,
 		InstallationLookup: lookup,
-	})
+	}
+	if lookup == nil {
+		opts.InstallationID = h.githubAppInstallationIDSecret
+	}
+	return githubprovider.NewFromGitConfig(git, store, opts)
 }
 
 func gitConfigForReviewerAuth(profile config.Profile) config.GitConfig {
diff --git a/internal/cmd/reviewcmd/reviewcmd.go b/internal/cmd/reviewcmd/reviewcmd.go
index 1620f12e..3c23f921 100644
--- a/internal/cmd/reviewcmd/reviewcmd.go
+++ b/internal/cmd/reviewcmd/reviewcmd.go
@@ -691,7 +691,7 @@ func newRuntime(cmd *cobra.Command, opts *root.Options, cfg config.File, profile
 		cleanup()
 		return Runtime{}, mapRunError(err)
 	}
-	provider, credential, err := newGitProvider(providerGit, providerStore, gitProviderOptions(runtimeOpts.PRRef))
+	provider, credential, err := newGitProvider(providerGit, providerStore, gitProviderOptions(profile, providerGit, runtimeOpts.PRRef))
 	if err != nil {
 		cleanup()
 		return Runtime{}, mapRunError(err)
@@ -801,14 +801,19 @@ func normalizeRuntimeProfile(profile config.Profile) config.Profile {
 	}).Profiles["runtime"]
 }
 
-func gitProviderOptions(ref gitprovider.PRRef) githubprovider.Options {
-	if strings.TrimSpace(ref.Owner) == "" || strings.TrimSpace(ref.Repo) == "" {
-		return githubprovider.Options{}
+func gitProviderOptions(profile config.Profile, git config.GitConfig, ref gitprovider.PRRef) githubprovider.Options {
+	opts := githubprovider.Options{}
+	if installationID := config.PinnedGitHubAppInstallationIDForGit(profile, git); installationID != "" {
+		opts.InstallationID = installationID
+		return opts
 	}
-	return githubprovider.Options{InstallationLookup: &githubprovider.InstallationLookup{
-		Owner: ref.Owner,
-		Repo:  ref.Repo,
-	}}
+	if strings.TrimSpace(ref.Owner) != "" && strings.TrimSpace(ref.Repo) != "" {
+		opts.InstallationLookup = &githubprovider.InstallationLookup{
+			Owner: ref.Owner,
+			Repo:  ref.Repo,
+		}
+	}
+	return opts
 }
 
 func runtimeLayout() (statepaths.Layout, error) {
diff --git a/internal/cmd/reviewcmd/reviewcmd_test.go b/internal/cmd/reviewcmd/reviewcmd_test.go
index 27cba18d..2118b701 100644
--- a/internal/cmd/reviewcmd/reviewcmd_test.go
+++ b/internal/cmd/reviewcmd/reviewcmd_test.go
@@ -466,9 +466,11 @@ func TestNewRuntimePassesPRRefForGitHubAppInstallationLookup(t *testing.T) {
 	prRef := gitprovider.PRRef{Host: "github.com", Owner: "open-cli", Repo: "codereview-cli", Number: 76}
 
 	var gotLookup *githubprovider.InstallationLookup
+	var gotInstallationID string
 	withReviewRuntimeSeams(t,
 		func(_ config.GitConfig, _ githubprovider.TokenStore, opts githubprovider.Options) (gitprovider.GitProvider, gitprovider.Credential, error) {
 			gotLookup = opts.InstallationLookup
+			gotInstallationID = opts.InstallationID
 			return &gitprovider.Fake{}, gitprovider.Credential{Type: "github_app", Token: "installation-token", Login: "cr-reviewer[bot]"}, nil
 		},
 		func(context.Context, gitprovider.GitProvider, gitprovider.Credential, githubprovider.TokenStore, config.Profile) (gitprovider.Identity, error) {
@@ -490,6 +492,69 @@ func TestNewRuntimePassesPRRefForGitHubAppInstallationLookup(t *testing.T) {
 	if gotLookup == nil || gotLookup.Owner != "open-cli" || gotLookup.Repo != "codereview-cli" {
 		t.Fatalf("InstallationLookup = %#v, want PR owner/repo", gotLookup)
 	}
+	if gotInstallationID != "" {
+		t.Fatalf("InstallationID = %q, want empty for repository lookup", gotInstallationID)
+	}
+}
+
+func TestNewRuntimePassesPinnedGitHubAppReviewerInstallationID(t *testing.T) {
+	statedirtest.Hermetic(t)
+	cfg := testConfig()
+	cfg.Keyring.Backend = "memory"
+	cfg.ReviewerEntities = map[string]config.ReviewerEntity{
+		"cr-reviewer": {
+			Host:     "github.com",
+			AuthMode: config.GitAuthModeGitHubApp,
+			Credential: config.CredentialLocation{
+				Store: "test-memory",
+				Name:  "codereview/cr-reviewer",
+			},
+		},
+	}
+	profile := cfg.Profiles["home"]
+	profile.Reviewer = config.ProfileReviewer{
+		Kind:   config.ProfileReviewerKindEntity,
+		Entity: "cr-reviewer",
+		GitHubAppInstallation: &config.ProfileReviewerGitHubAppInstallation{
+			Mode:           config.ProfileReviewerGitHubAppInstallationPinned,
+			InstallationID: "42",
+		},
+	}
+	cfg.Profiles["home"] = profile
+	cfg = config.Normalize(cfg)
+	profile = cfg.Profiles["home"]
+	prRef := gitprovider.PRRef{Host: "github.com", Owner: "open-cli", Repo: "codereview-cli", Number: 76}
+
+	var gotLookup *githubprovider.InstallationLookup
+	var gotInstallationID string
+	withReviewRuntimeSeams(t,
+		func(_ config.GitConfig, _ githubprovider.TokenStore, opts githubprovider.Options) (gitprovider.GitProvider, gitprovider.Credential, error) {
+			gotLookup = opts.InstallationLookup
+			gotInstallationID = opts.InstallationID
+			return &gitprovider.Fake{}, gitprovider.Credential{Type: "github_app", Token: "installation-token", Login: "cr-reviewer[bot]"}, nil
+		},
+		func(context.Context, gitprovider.GitProvider, gitprovider.Credential, githubprovider.TokenStore, config.Profile) (gitprovider.Identity, error) {
+			return gitprovider.Identity{Login: "cr-reviewer[bot]", ID: "12345"}, nil
+		},
+		func(config.LLMConfig, *credstore.Store) (llm.Adapter, error) {
+			return &llm.FakeAdapter{NameValue: "fake-llm"}, nil
+		},
+	)
+	cmd := &cobra.Command{}
+	cmd.SetContext(context.Background())
+	runtime, err := newRuntime(cmd, &root.Options{Stderr: io.Discard}, cfg, profile, RuntimeOptions{PRRef: prRef})
+	if err != nil {
+		t.Fatalf("newRuntime: %v", err)
+	}
+	if runtime.Cleanup != nil {
+		runtime.Cleanup()
+	}
+	if gotInstallationID != "42" {
+		t.Fatalf("InstallationID = %q, want pinned id", gotInstallationID)
+	}
+	if gotLookup != nil {
+		t.Fatalf("InstallationLookup = %#v, want nil when pinned", gotLookup)
+	}
 }
 
 func TestNewRuntimeRejectsBackendOverrideForNamedSecretsProfile(t *testing.T) {
diff --git a/internal/config/config.go b/internal/config/config.go
index 1df08bac..140b2080 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -972,6 +972,29 @@ func CredentialRefs(profile Profile) ([]CredentialRef, error) {
 	return refs, nil
 }
 
+// PinnedGitHubAppInstallationIDForGit returns the profile-level pinned
+// installation id that applies to git when git is the selected GitHub App
+// reviewer entity for profile.
+func PinnedGitHubAppInstallationIDForGit(profile Profile, git GitConfig) string {
+	profile = profile.normalized()
+	git = git.normalized()
+	if git.AuthMode != GitAuthModeGitHubApp || profile.ReviewerCredentials == nil {
+		return ""
+	}
+	if profile.Reviewer.Kind != ProfileReviewerKindEntity || profile.Reviewer.GitHubAppInstallation == nil {
+		return ""
+	}
+	installation := profile.Reviewer.GitHubAppInstallation.normalized()
+	if installation.Mode != ProfileReviewerGitHubAppInstallationPinned {
+		return ""
+	}
+	reviewerCredentials := profile.ReviewerCredentials.normalized()
+	if reviewerCredentials.AuthMode != GitAuthModeGitHubApp || !sameCredentialLocation(reviewerCredentials.Credential, git.Credential) {
+		return ""
+	}
+	return installation.InstallationID
+}
+
 func gitCredentialRef(purpose string, mode GitAuthMode, credential CredentialLocation) (CredentialRef, error) {
 	if !mode.Supported() {
 		return CredentialRef{}, fmt.Errorf("%w: %s auth_mode %q", ErrUnsupported, purpose, mode)
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index b23b1883..a20a7b03 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -862,6 +862,42 @@ func TestCredentialRefsIncludesGitHubAppModes(t *testing.T) {
 	}
 }
 
+func TestPinnedGitHubAppInstallationIDForGit(t *testing.T) {
+	profile := validFile().normalized().Profiles["work"]
+	profile.ReviewerCredentials = &ReviewerCredentials{
+		AuthMode:      GitAuthModeGitHubApp,
+		Credential:    CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
+		CredentialRef: "codereview/work-reviewer",
+	}
+	profile.Reviewer = ProfileReviewer{
+		Kind:   ProfileReviewerKindEntity,
+		Entity: "work-reviewer",
+		GitHubAppInstallation: &ProfileReviewerGitHubAppInstallation{
+			Mode:           ProfileReviewerGitHubAppInstallationPinned,
+			InstallationID: "123456",
+		},
+	}
+	git := GitConfig{
+		Host:          "github.com",
+		AuthMode:      GitAuthModeGitHubApp,
+		CredentialRef: "codereview/work-reviewer",
+	}
+	if got := PinnedGitHubAppInstallationIDForGit(profile, git); got != "123456" {
+		t.Fatalf("PinnedGitHubAppInstallationIDForGit = %q, want 123456", got)
+	}
+
+	profile.Reviewer.GitHubAppInstallation.Mode = ProfileReviewerGitHubAppInstallationDiscoverFromRepository
+	profile.Reviewer.GitHubAppInstallation.InstallationID = ""
+	if got := PinnedGitHubAppInstallationIDForGit(profile, git); got != "" {
+		t.Fatalf("discover installation id = %q, want empty", got)
+	}
+
+	git.CredentialRef = "codereview/work"
+	if got := PinnedGitHubAppInstallationIDForGit(profile, git); got != "" {
+		t.Fatalf("unmatched credential installation id = %q, want empty", got)
+	}
+}
+
 func TestValidateAllowsCredentialStoresWithoutReviewProfiles(t *testing.T) {
 	cfg := File{
 		Secrets: SecretsConfig{
diff --git a/internal/gitprovider/github/app_auth.go b/internal/gitprovider/github/app_auth.go
index 00b47fe3..59ab051e 100644
--- a/internal/gitprovider/github/app_auth.go
+++ b/internal/gitprovider/github/app_auth.go
@@ -11,6 +11,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
@@ -87,12 +88,9 @@ func newGitHubAppFromConfig(ctx context.Context, profile string, store TokenStor
 	if err != nil {
 		return nil, gitprovider.Credential{}, gitprovider.WrapError(gitprovider.ErrAuth, "", err)
 	}
-	installationID, err := readOptionalCredential(store, profile, credentials.GitHubAppInstallationIDKey)
-	if err != nil {
-		return nil, gitprovider.Credential{}, err
-	}
+	installationID := strings.TrimSpace(opts.InstallationID)
 	if !canResolveInstallation(installationID, opts.InstallationLookup) {
-		return nil, gitprovider.Credential{}, gitprovider.WrapError(gitprovider.ErrAuth, "", fmt.Errorf("github app credential %s/%s is required without repository context", profile, credentials.GitHubAppInstallationIDKey))
+		return nil, gitprovider.Credential{}, gitprovider.WrapError(gitprovider.ErrAuth, "", fmt.Errorf("github app installation discovery requires repository context; pin an installation id or run against a repository"))
 	}
 	auth := &githubAppAuth{
 		issuer:         issuer,
@@ -170,14 +168,14 @@ func (a *githubAppAuth) resolveInstallation(ctx context.Context, op gitprovider.
 		endpoint := restURL(a.baseURL, "app", "installations", a.installationID)
 		var installation githubAppInstallation
 		if err := a.doAppREST(ctx, op, http.MethodGet, endpoint, jwt, nil, &installation); err != nil {
-			return githubAppInstallation{}, err
+			return githubAppInstallation{}, mapPinnedInstallationLookupError(op, a.installationID, err)
 		}
 		return installation, nil
 	}
 	endpoint := restURL(a.baseURL, "repos", a.lookup.Owner, a.lookup.Repo, "installation")
 	var installation githubAppInstallation
 	if err := a.doAppREST(ctx, op, http.MethodGet, endpoint, jwt, nil, &installation); err != nil {
-		return githubAppInstallation{}, err
+		return githubAppInstallation{}, mapRepositoryInstallationLookupError(op, a.lookup.Owner, a.lookup.Repo, err)
 	}
 	return installation, nil
 }
@@ -186,7 +184,7 @@ func (a *githubAppAuth) createInstallationToken(ctx context.Context, op gitprovi
 	endpoint := restURL(a.baseURL, "app", "installations", strconv.FormatInt(installationID, 10), "access_tokens")
 	var response installationTokenResponse
 	if err := a.doAppREST(ctx, op, http.MethodPost, endpoint, jwt, map[string]any{}, &response); err != nil {
-		return "", time.Time{}, err
+		return "", time.Time{}, mapCreateInstallationTokenError(op, strconv.FormatInt(installationID, 10), err)
 	}
 	if strings.TrimSpace(response.Token) == "" {
 		return "", time.Time{}, gitprovider.WrapError(gitprovider.ErrAuth, op, fmt.Errorf("github app installation token is empty"))
@@ -197,6 +195,40 @@ func (a *githubAppAuth) createInstallationToken(ctx context.Context, op gitprovi
 	return response.Token, response.ExpiresAt, nil
 }
 
+func mapPinnedInstallationLookupError(op gitprovider.Operation, installationID string, err error) error {
+	switch {
+	case errors.Is(err, gitprovider.ErrNotFound):
+		return gitprovider.WrapError(gitprovider.ErrNotFound, op, fmt.Errorf("github app installation %s was not found for this app; check the installation id configured on the review profile: %w", installationID, err))
+	case errors.Is(err, gitprovider.ErrPermission):
+		return gitprovider.WrapError(gitprovider.ErrPermission, op, fmt.Errorf("github app installation %s is not accessible to this app; check the installation id configured on the review profile: %w", installationID, err))
+	default:
+		return err
+	}
+}
+
+func mapRepositoryInstallationLookupError(op gitprovider.Operation, owner, repo string, err error) error {
+	repository := strings.Trim(strings.TrimSpace(owner)+"/"+strings.TrimSpace(repo), "/")
+	switch {
+	case errors.Is(err, gitprovider.ErrNotFound):
+		return gitprovider.WrapError(gitprovider.ErrNotFound, op, fmt.Errorf("github app is not installed for %s or cannot access that repository; install the app for this repository or pin the correct installation id on the review profile: %w", repository, err))
+	case errors.Is(err, gitprovider.ErrPermission):
+		return gitprovider.WrapError(gitprovider.ErrPermission, op, fmt.Errorf("github app cannot access installation information for %s; check app installation access and permissions: %w", repository, err))
+	default:
+		return err
+	}
+}
+
+func mapCreateInstallationTokenError(op gitprovider.Operation, installationID string, err error) error {
+	switch {
+	case errors.Is(err, gitprovider.ErrNotFound):
+		return gitprovider.WrapError(gitprovider.ErrNotFound, op, fmt.Errorf("github app installation %s was not found while creating an installation token: %w", installationID, err))
+	case errors.Is(err, gitprovider.ErrPermission):
+		return gitprovider.WrapError(gitprovider.ErrPermission, op, fmt.Errorf("github app installation %s cannot create an installation token with the requested access; check app installation access and permissions: %w", installationID, err))
+	default:
+		return err
+	}
+}
+
 func (a *githubAppAuth) doAppREST(ctx context.Context, op gitprovider.Operation, method, endpoint, jwt string, in any, out any) error {
 	var body *bytes.Reader
 	if in != nil {
@@ -279,17 +311,6 @@ func canResolveInstallation(installationID string, lookup *InstallationLookup) b
 	return lookup != nil && strings.TrimSpace(lookup.Owner) != "" && strings.TrimSpace(lookup.Repo) != ""
 }
 
-func readOptionalCredential(store TokenStore, profile, key string) (string, error) {
-	exists, err := store.Exists(profile, key)
-	if err != nil {
-		return "", gitprovider.WrapError(gitprovider.ErrAuth, "", fmt.Errorf("check github app credential %s/%s: %w", profile, key, err))
-	}
-	if !exists {
-		return "", nil
-	}
-	return readRequiredCredential(store, profile, key)
-}
-
 func parseGitHubAppPrivateKey(privateKeyPEM string) (*rsa.PrivateKey, error) {
 	block, _ := pem.Decode([]byte(privateKeyPEM))
 	if block == nil {
diff --git a/internal/gitprovider/github/app_auth_test.go b/internal/gitprovider/github/app_auth_test.go
index eb350a16..b7aebb6e 100644
--- a/internal/gitprovider/github/app_auth_test.go
+++ b/internal/gitprovider/github/app_auth_test.go
@@ -62,10 +62,11 @@ func TestNewFromGitConfigBuildsGitHubAppClientAndRefreshesToken(t *testing.T) {
 	}))
 	defer server.Close()
 
-	client, credential, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "12345", privateKeyPEM, "42"), Options{
-		BaseURL:    server.URL,
-		GraphQLURL: server.URL + "/graphql",
-		Now:        func() time.Time { return now },
+	client, credential, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "12345", privateKeyPEM), Options{
+		BaseURL:        server.URL,
+		GraphQLURL:     server.URL + "/graphql",
+		Now:            func() time.Time { return now },
+		InstallationID: "42",
 	})
 	if err != nil {
 		t.Fatalf("NewFromGitConfig: %v", err)
@@ -122,7 +123,7 @@ func TestNewFromGitConfigUsesRepositoryInstallationLookup(t *testing.T) {
 	}))
 	defer server.Close()
 
-	_, credential, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "app-client-id", privateKey, ""), Options{
+	_, credential, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "app-client-id", privateKey), Options{
 		BaseURL:    server.URL + "/api/v3",
 		GraphQLURL: server.URL + "/api/graphql",
 		InstallationLookup: &InstallationLookup{
@@ -138,6 +139,60 @@ func TestNewFromGitConfigUsesRepositoryInstallationLookup(t *testing.T) {
 	}
 }
 
+func TestNewFromGitConfigExplainsMissingRepositoryInstallation(t *testing.T) {
+	privateKey := testPrivateKeyPEM(t)
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.EscapedPath() {
+		case "/repos/open-cli/codereview-cli/installation":
+			assertJWTAuth(t, r, "app-client-id")
+			http.NotFound(w, r)
+		default:
+			t.Fatalf("unexpected request %s %s", r.Method, r.URL.String())
+		}
+	}))
+	defer server.Close()
+
+	_, _, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "app-client-id", privateKey), Options{
+		BaseURL:    server.URL,
+		GraphQLURL: server.URL + "/graphql",
+		InstallationLookup: &InstallationLookup{
+			Owner: "open-cli",
+			Repo:  "codereview-cli",
+		},
+	})
+	if !errors.Is(err, gitprovider.ErrNotFound) {
+		t.Fatalf("NewFromGitConfig error = %v, want ErrNotFound", err)
+	}
+	if !strings.Contains(err.Error(), "github app is not installed for open-cli/codereview-cli or cannot access that repository") {
+		t.Fatalf("NewFromGitConfig error = %v, want repository installation detail", err)
+	}
+}
+
+func TestNewFromGitConfigExplainsMissingPinnedInstallation(t *testing.T) {
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		switch r.URL.EscapedPath() {
+		case "/app/installations/42":
+			assertJWTAuth(t, r, "12345")
+			http.NotFound(w, r)
+		default:
+			t.Fatalf("unexpected request %s %s", r.Method, r.URL.String())
+		}
+	}))
+	defer server.Close()
+
+	_, _, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "12345", testPrivateKeyPEM(t)), Options{
+		BaseURL:        server.URL,
+		GraphQLURL:     server.URL + "/graphql",
+		InstallationID: "42",
+	})
+	if !errors.Is(err, gitprovider.ErrNotFound) {
+		t.Fatalf("NewFromGitConfig error = %v, want ErrNotFound", err)
+	}
+	if !strings.Contains(err.Error(), "github app installation 42 was not found for this app") {
+		t.Fatalf("NewFromGitConfig error = %v, want pinned installation detail", err)
+	}
+}
+
 func TestGitHubAppClientUsesInstallationTokenForRESTWritesAndGraphQL(t *testing.T) {
 	var writeAuth, graphQLAuth string
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -174,9 +229,10 @@ func TestGitHubAppClientUsesInstallationTokenForRESTWritesAndGraphQL(t *testing.
 	}))
 	defer server.Close()
 
-	client, _, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "12345", testPrivateKeyPEM(t), "42"), Options{
-		BaseURL:    server.URL,
-		GraphQLURL: server.URL + "/graphql",
+	client, _, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "12345", testPrivateKeyPEM(t)), Options{
+		BaseURL:        server.URL,
+		GraphQLURL:     server.URL + "/graphql",
+		InstallationID: "42",
 	})
 	if err != nil {
 		t.Fatalf("NewFromGitConfig: %v", err)
@@ -194,10 +250,13 @@ func TestGitHubAppClientUsesInstallationTokenForRESTWritesAndGraphQL(t *testing.
 }
 
 func TestNewFromGitConfigRequiresInstallationIDWithoutLookup(t *testing.T) {
-	_, _, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "12345", testPrivateKeyPEM(t), ""), Options{})
+	_, _, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "12345", testPrivateKeyPEM(t)), Options{})
 	if !errors.Is(err, gitprovider.ErrAuth) {
 		t.Fatalf("NewFromGitConfig error = %v, want ErrAuth", err)
 	}
+	if !strings.Contains(err.Error(), "installation discovery requires repository context") {
+		t.Fatalf("NewFromGitConfig error = %v, want repository-context detail", err)
+	}
 	if strings.Contains(err.Error(), "PRIVATE KEY") {
 		t.Fatalf("error leaked private key material: %v", err)
 	}
@@ -222,9 +281,10 @@ func TestNewFromGitConfigRequiresGitHubAppIdentity(t *testing.T) {
 	}))
 	defer server.Close()
 
-	_, _, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "12345", testPrivateKeyPEM(t), "42"), Options{
-		BaseURL:    server.URL,
-		GraphQLURL: server.URL + "/graphql",
+	_, _, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "12345", testPrivateKeyPEM(t)), Options{
+		BaseURL:        server.URL,
+		GraphQLURL:     server.URL + "/graphql",
+		InstallationID: "42",
 	})
 	if !errors.Is(err, gitprovider.ErrAuth) {
 		t.Fatalf("NewFromGitConfig error = %v, want ErrAuth", err)
@@ -242,14 +302,11 @@ func githubAppGitConfig(ref string) config.GitConfig {
 	}
 }
 
-func githubAppStore(_ *testing.T, profile, appID, privateKey, installationID string) tokenStore {
+func githubAppStore(_ *testing.T, profile, appID, privateKey string) tokenStore {
 	values := map[string]string{
 		credentials.GitHubAppIDKey:         appID,
 		credentials.GitHubAppPrivateKeyKey: privateKey,
 	}
-	if installationID != "" {
-		values[credentials.GitHubAppInstallationIDKey] = installationID
-	}
 	return tokenStore{profile: values}
 }
 
diff --git a/internal/gitprovider/github/client.go b/internal/gitprovider/github/client.go
index 28e0ca4e..5b4cb6df 100644
--- a/internal/gitprovider/github/client.go
+++ b/internal/gitprovider/github/client.go
@@ -46,6 +46,7 @@ type Options struct {
 	BaseURL            string
 	GraphQLURL         string
 	Now                func() time.Time
+	InstallationID     string
 	InstallationLookup *InstallationLookup
 }
 

From 9b399d110ede3a4bfee9d1a38e38674ee3a9e919 Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Mon, 22 Jun 2026 06:02:53 -0400
Subject: [PATCH 07/27] Add GitHub App installation profile UI

---
 README.md                                     |  34 ++--
 docs/init-config-surface.md                   |   2 +-
 docs/init-ux-contract.md                      |   3 +-
 internal/cmd/credentialcmd/credentialcmd.go   | 127 ++++++++++-----
 .../cmd/credentialcmd/credentialcmd_test.go   | 137 ++++++++++++++++
 internal/cmd/credentialcmd/init_profile_v2.go | 152 +++++++++++++++---
 6 files changed, 375 insertions(+), 80 deletions(-)

diff --git a/README.md b/README.md
index 34f050e5..6927d07d 100644
--- a/README.md
+++ b/README.md
@@ -221,8 +221,9 @@ Host matching is case-insensitive after normalization, while namespace and repo
 matching are case-sensitive after trimming whitespace. An explicit `--profile`
 bypasses repository routing. Route targets still use the profile's configured
 auth mode. Passing `--profile ""` is invalid.
-For GitHub App auth, `cr review` can use the PR owner/repo to look up the app
-installation when `github_app_installation_id` is not staged.
+For GitHub App reviewer entities, the review profile chooses whether `cr review`
+discovers the installation from the PR owner/repo or uses a pinned installation
+ID stored in profile config.
 
 Add or replace one credential later:
 
@@ -396,9 +397,10 @@ When deploying a profile without the interactive wizard, run
 then use `set-credential` only for secrets that you are intentionally staging
 outside init. Example:
 
-`github_app_installation_id` is optional for `cr review`, which can discover
-the installation from the PR repository. Stage it when you want `cr me` and
-other commands without repository context to work.
+GitHub App reviewer credentials store the App ID and private key only. The
+review profile stores installation routing: `discover_from_repository` for PR
+context lookup, or `pinned` with a numeric installation ID when commands without
+repository context should use one known installation.
 
 ```bash
 cr --profile work init --non-interactive \
@@ -432,14 +434,6 @@ printf '%s' "$GITHUB_APP_PRIVATE_KEY" | cr set-credential \
   --stdin \
   --overwrite
 
-# Optional: needed for cr me and other commands without repository context.
-printf '%s' "$GITHUB_APP_INSTALLATION_ID" | cr set-credential \
-  --store local-os \
-  --name codereview/work-reviewer-app \
-  --key github_app_installation_id \
-  --stdin \
-  --overwrite
-
 printf '%s' "$ANTHROPIC_API_KEY" | cr set-credential \
   --store local-os \
   --name codereview/work-llm \
@@ -593,7 +587,7 @@ Credential key matrix:
 |---------------|---------|---------------|---------------|---------------|-------------|
 | `git.credential` | User Git host auth | `pat` | `git_token` | None | Supported |
 | `reviewer_credentials.credential` | Reviewer Git host auth | `pat` | `git_token` | None | Supported; must use a distinct credential location from `git.credential` in the same profile |
-| `git.credential` / `reviewer_credentials.credential` | Git host auth | `github_app` | `github_app_id`, `github_app_private_key` | `github_app_installation_id` | Supported for GitHub. `cr review` can discover the installation from the PR repository when the optional installation ID is omitted; commands without repository context require it |
+| `git.credential` / reviewer entity credential | Git host auth | `github_app` | `github_app_id`, `github_app_private_key` | None | Supported for GitHub. Reviewer GitHub App installation routing lives on `profiles.<name>.reviewer.github_app_installation`, not in the credential bundle |
 | `git.credential` / `reviewer_credentials.credential` | Git host auth | `oauth_device` | None | None | Reserved; config recognizes the mode but v1 rejects it and does not accept future keys such as `git_oauth_access_token` or `git_oauth_refresh_token` |
 | `llm.credential` | Anthropic direct API auth | `api_key` + `anthropic` | `anthropic_api_key` | None | Supported |
 | `llm.credential` | OpenAI direct API auth | `api_key` + `openai` | `openai_api_key` | None | Supported |
@@ -753,9 +747,9 @@ Flags:
 Only one stdin secret ingress flag may be used at a time. PAT reviewer
 credentials use key `git_token` under their own credential name, so
 `--reviewer-credential-ref` must differ from `--git-credential-ref`. GitHub App
-reviewer credentials use `github_app_id` and `github_app_private_key`, plus
-optional `github_app_installation_id`; `init` does not accept reviewer token
-ingress for `--reviewer-auth-mode github_app`. LLM API-key ingress requires
+reviewer credentials use `github_app_id` and `github_app_private_key`;
+installation routing is profile config, not a credential key. `init` does not
+accept reviewer token ingress for `--reviewer-auth-mode github_app`. LLM API-key ingress requires
 `--llm-auth api_key`. `--overwrite` with API-key auth requires an LLM key
 ingress flag. `--allow-self-review` is intentionally runtime-only on
 `cr review`; `init` only stores the profile-level self-approval policy.
@@ -768,11 +762,11 @@ cr set-credential --store <id> --name <credential-name> --key <key> (--stdin | -
 
 Writes one secret value to the selected credential store. Globally allowed keys are
 `git_token`, `github_app_id`, `github_app_private_key`,
-`github_app_installation_id`, `anthropic_api_key`, and `openai_api_key`. When
+`anthropic_api_key`, and `openai_api_key`. When
 `config.yml` declares the target credential location, `set-credential` narrows
 that global allowlist to the exact key set expected for that credential. PAT
-user Git credentials and PAT reviewer credentials use `git_token`; GitHub App credentials use `github_app_id`,
-`github_app_private_key`, and optional `github_app_installation_id`; Anthropic
+user Git credentials and PAT reviewer credentials use `git_token`; GitHub App
+credentials use `github_app_id` and `github_app_private_key`; Anthropic
 LLM API-key credentials use `anthropic_api_key`; OpenAI LLM API-key credentials use
 `openai_api_key`.
 
diff --git a/docs/init-config-surface.md b/docs/init-config-surface.md
index 2e455ae5..a8d177be 100644
--- a/docs/init-config-surface.md
+++ b/docs/init-config-surface.md
@@ -134,7 +134,7 @@ secret ingress.
 |---------|---------------|-------------|---------------|---------------|--------------------------------|----------------|
 | User Git auth | `pat` | `codereview/<profile>` | `git_token` | None | Keep preserves existing store/name and key. Defer stores the credential location and prints follow-up `cr set-credential --store ... --name ...`. Overwrite writes `git_token` through the selected credential store only. | Profile rename preserves the credential location. Regenerate only with explicit key migration or overwrite. |
 | Reviewer Git auth | `pat` | `codereview/<profile>-reviewer`, or label-derived for new interactive reviewer entities | `git_token` | None | Interactive reviewer setup collects `git_token` inline before staging a new or changed reviewer credential location. Keep preserves an unchanged credential location. Clearing the reviewer section removes the location from config but does not delete secrets. | Profile rename and reviewer label edits preserve existing credential locations. No implicit rename/migration. |
-| User or reviewer Git auth | `github_app` | Same purpose-specific defaults as PAT | `github_app_id`, `github_app_private_key` | `github_app_installation_id` | Keep preserves bundle. Interactive reviewer setup collects required GitHub App keys inline before staging a new or changed reviewer credential location; optional installation ID may be left blank. Scripted/deferred flows print one follow-up command per required key. Overwrite writes only keys the user provided, with required-key validation before saving. | Migration is bundle-wide and explicit only: never leave config pointing at a partially moved bundle. |
+| User Git auth or reviewer entity auth | `github_app` | Same purpose-specific defaults as PAT | `github_app_id`, `github_app_private_key` | None | Keep preserves bundle. Interactive reviewer setup collects required GitHub App keys inline before staging a new or changed reviewer credential location. Reviewer profile installation routing is stored in `profiles.<name>.reviewer.github_app_installation`, not the credential bundle. Scripted/deferred flows print one follow-up command per required key. Overwrite writes only keys the user provided, with required-key validation before saving. | Migration is bundle-wide and explicit only: never leave config pointing at a partially moved bundle. |
 | Git auth | `oauth_device` | None | None | None | Unsupported in v1. The wizard must not offer it as a selectable mode. | Future OAuth work must amend this document. |
 | LLM API key | `anthropic` + `api_key` | `codereview/<profile>-llm` | `anthropic_api_key` | None | Keep preserves existing credential location. Defer stores the location only if the key already exists or follow-up is clearly rendered. Overwrite writes provider key through the selected credential store. | Preserve custom locations on rename. Regeneration requires explicit migration/overwrite. |
 | LLM API key | `openai` + `api_key` | `codereview/<profile>-llm` | `openai_api_key` | None | Same as Anthropic API-key auth. | Same as Anthropic API-key auth. |
diff --git a/docs/init-ux-contract.md b/docs/init-ux-contract.md
index 1bdf33b0..0452e8cd 100644
--- a/docs/init-ux-contract.md
+++ b/docs/init-ux-contract.md
@@ -167,7 +167,8 @@ selected reviewer credential location:
 
 - PAT reviewers show `git_token`.
 - GitHub App reviewers show required `github_app_id` and
-  `github_app_private_key`, plus optional `github_app_installation_id`.
+  `github_app_private_key`. Installation routing is review-profile config, not
+  a reviewer credential key.
 - Each key may be shown as `missing`, `existing`, `staged`, `skipped optional`,
   `deferred`, `optional`, or `status unavailable`.
 - `missing` means the backend was consulted and no staged or existing value was
diff --git a/internal/cmd/credentialcmd/credentialcmd.go b/internal/cmd/credentialcmd/credentialcmd.go
index 19bfda33..ac520fe3 100644
--- a/internal/cmd/credentialcmd/credentialcmd.go
+++ b/internal/cmd/credentialcmd/credentialcmd.go
@@ -262,40 +262,42 @@ const (
 )
 
 type initDraft struct {
-	Action                       initDraftAction
-	ActionTarget                 string
-	OriginalProfileName          string
-	ProfileName                  string
-	GitHost                      string
-	GitAuth                      string
-	GitCredentialStore           string
-	GitCredentialRef             string
-	ReviewerEnabled              bool
-	ReviewerAuth                 string
-	ReviewerCredentialStore      string
-	ReviewerCredentialRef        string
-	ReviewerDisplayName          string
-	ReviewerCredentialWriteRef   string
-	ReviewerCredentialWriteStore credentials.ResolvedSecretsProfile
-	ReviewerCredentialWrites     map[string]string
-	ReviewerCredentialOverwrite  bool
-	ReviewerCredentialSatisfied  bool
-	SecretsProfile               string
-	LLMProvider                  string
-	LLMAuth                      string
-	LLMAdapter                   string
-	LLMReviewerModelTier         string
-	LLMCredentialStore           string
-	LLMCredentialRef             string
-	AdvancedStorageLabels        bool
-	RoutesSet                    bool
-	Routes                       []configedit.RepositoryRouteSpec
-	ModelMapSet                  bool
-	ModelMap                     config.ModelMap
-	AgentSourcesSet              bool
-	AgentSources                 []string
-	ReviewPolicySet              bool
-	ReviewPolicy                 config.ReviewPolicy
+	Action                            initDraftAction
+	ActionTarget                      string
+	OriginalProfileName               string
+	ProfileName                       string
+	GitHost                           string
+	GitAuth                           string
+	GitCredentialStore                string
+	GitCredentialRef                  string
+	ReviewerEnabled                   bool
+	ReviewerAuth                      string
+	ReviewerCredentialStore           string
+	ReviewerCredentialRef             string
+	ReviewerDisplayName               string
+	ReviewerGitHubAppInstallationMode string
+	ReviewerGitHubAppInstallationID   string
+	ReviewerCredentialWriteRef        string
+	ReviewerCredentialWriteStore      credentials.ResolvedSecretsProfile
+	ReviewerCredentialWrites          map[string]string
+	ReviewerCredentialOverwrite       bool
+	ReviewerCredentialSatisfied       bool
+	SecretsProfile                    string
+	LLMProvider                       string
+	LLMAuth                           string
+	LLMAdapter                        string
+	LLMReviewerModelTier              string
+	LLMCredentialStore                string
+	LLMCredentialRef                  string
+	AdvancedStorageLabels             bool
+	RoutesSet                         bool
+	Routes                            []configedit.RepositoryRouteSpec
+	ModelMapSet                       bool
+	ModelMap                          config.ModelMap
+	AgentSourcesSet                   bool
+	AgentSources                      []string
+	ReviewPolicySet                   bool
+	ReviewPolicy                      config.ReviewPolicy
 }
 
 type initModelMapPrompt struct {
@@ -3982,6 +3984,17 @@ func validateOptionalDuration(value string) error {
 	return err
 }
 
+func validateOptionalGitHubAppInstallationID(value string) error {
+	trimmed := strings.TrimSpace(value)
+	if trimmed == "" {
+		return nil
+	}
+	if _, err := strconv.ParseInt(trimmed, 10, 64); err != nil {
+		return fmt.Errorf("GitHub App installation ID must be a decimal number")
+	}
+	return nil
+}
+
 func validateRetentionMaxAgeDays(value string) error {
 	_, err := parseInteractiveRetentionMaxAgeDays(value)
 	return err
@@ -4062,6 +4075,11 @@ func seedInteractiveInitDraft(requestedProfileName string, existingProfileName s
 		draft.AgentSources = append([]string(nil), existingProfile.AgentSources...)
 		draft.ReviewPolicy = existingProfile.ReviewPolicy
 		draft.SecretsProfile = strings.TrimSpace(existingProfile.SecretsProfile)
+		if existingProfile.Reviewer.GitHubAppInstallation != nil {
+			installation := existingProfile.Reviewer.GitHubAppInstallation
+			draft.ReviewerGitHubAppInstallationMode = strings.TrimSpace(string(installation.Mode))
+			draft.ReviewerGitHubAppInstallationID = strings.TrimSpace(installation.InstallationID)
+		}
 		if existingProfile.ReviewerCredentials != nil {
 			draft.ReviewerEnabled = true
 			draft.ReviewerAuth = string(existingProfile.ReviewerCredentials.AuthMode)
@@ -5542,6 +5560,9 @@ func cloneInitSecretsStore(store config.SecretsStore) config.SecretsStore {
 
 func cloneInitProfile(profile config.Profile) config.Profile {
 	cloned := profile
+	if profile.Reviewer.GitHubAppInstallation != nil {
+		cloned.Reviewer.GitHubAppInstallation = cloneProfileReviewerGitHubAppInstallation(profile.Reviewer.GitHubAppInstallation)
+	}
 	if profile.ReviewerCredentials != nil {
 		reviewer := *profile.ReviewerCredentials
 		cloned.ReviewerCredentials = &reviewer
@@ -5637,8 +5658,10 @@ func synthesizeInteractiveProfile(flags initOptions, profileName string, previou
 			reviewer.IdentityCache = previousProfile.ReviewerCredentials.IdentityCache
 		}
 		profile.ReviewerCredentials = &reviewer
+		profile.Reviewer.GitHubAppInstallation = initProfileReviewerGitHubAppInstallationFromDraft(draft)
 	} else {
 		profile.ReviewerCredentials = nil
+		profile.Reviewer.GitHubAppInstallation = nil
 	}
 	profile.LLM.Provider = config.LLMProvider(draft.LLMProvider)
 	profile.LLM.Auth = config.LLMAuth(draft.LLMAuth)
@@ -5703,7 +5726,7 @@ func materializeProfileReviewerEntity(cfg config.File, profileName string, profi
 			existing.DisplayName = displayName
 			cfg.ReviewerEntities[name] = existing
 		}
-		profile.Reviewer = initProfileReviewerForEntity(name, existing.AuthMode)
+		profile.Reviewer = initProfileReviewerForEntity(name, existing.AuthMode, profile.Reviewer.GitHubAppInstallation)
 		if cfg.Profiles == nil {
 			cfg.Profiles = map[string]config.Profile{}
 		}
@@ -5713,7 +5736,7 @@ func materializeProfileReviewerEntity(cfg config.File, profileName string, profi
 
 	entityName := uniqueInitReviewerEntityName(buildInitStandaloneReviewerEntityNameSet(cfg.ReviewerEntities), profileName+"-reviewer")
 	cfg.ReviewerEntities[entityName] = entity
-	profile.Reviewer = initProfileReviewerForEntity(entityName, entity.AuthMode)
+	profile.Reviewer = initProfileReviewerForEntity(entityName, entity.AuthMode, profile.Reviewer.GitHubAppInstallation)
 	if cfg.Profiles == nil {
 		cfg.Profiles = map[string]config.Profile{}
 	}
@@ -5721,19 +5744,45 @@ func materializeProfileReviewerEntity(cfg config.File, profileName string, profi
 	return cfg, profile
 }
 
-func initProfileReviewerForEntity(entityName string, authMode config.GitAuthMode) config.ProfileReviewer {
+func initProfileReviewerForEntity(entityName string, authMode config.GitAuthMode, installation *config.ProfileReviewerGitHubAppInstallation) config.ProfileReviewer {
 	reviewer := config.ProfileReviewer{
 		Kind:   config.ProfileReviewerKindEntity,
 		Entity: strings.TrimSpace(entityName),
 	}
 	if authMode == config.GitAuthModeGitHubApp {
-		reviewer.GitHubAppInstallation = &config.ProfileReviewerGitHubAppInstallation{
-			Mode: config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository,
+		reviewer.GitHubAppInstallation = cloneProfileReviewerGitHubAppInstallation(installation)
+		if reviewer.GitHubAppInstallation == nil {
+			reviewer.GitHubAppInstallation = &config.ProfileReviewerGitHubAppInstallation{
+				Mode: config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository,
+			}
 		}
 	}
 	return reviewer
 }
 
+func initProfileReviewerGitHubAppInstallationFromDraft(draft initDraft) *config.ProfileReviewerGitHubAppInstallation {
+	if !draft.ReviewerEnabled || config.GitAuthMode(draft.ReviewerAuth) != config.GitAuthModeGitHubApp {
+		return nil
+	}
+	mode := config.ProfileReviewerGitHubAppInstallationMode(strings.TrimSpace(draft.ReviewerGitHubAppInstallationMode))
+	if mode == "" {
+		mode = config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository
+	}
+	installation := &config.ProfileReviewerGitHubAppInstallation{Mode: mode}
+	if mode == config.ProfileReviewerGitHubAppInstallationPinned {
+		installation.InstallationID = strings.TrimSpace(draft.ReviewerGitHubAppInstallationID)
+	}
+	return installation
+}
+
+func cloneProfileReviewerGitHubAppInstallation(installation *config.ProfileReviewerGitHubAppInstallation) *config.ProfileReviewerGitHubAppInstallation {
+	if installation == nil {
+		return nil
+	}
+	cloned := *installation
+	return &cloned
+}
+
 func reviewerEntityConfigFromProfile(profile config.Profile) config.ReviewerEntity {
 	reviewer := profile.ReviewerCredentials
 	if reviewer == nil {
diff --git a/internal/cmd/credentialcmd/credentialcmd_test.go b/internal/cmd/credentialcmd/credentialcmd_test.go
index 37724d51..e802962b 100644
--- a/internal/cmd/credentialcmd/credentialcmd_test.go
+++ b/internal/cmd/credentialcmd/credentialcmd_test.go
@@ -13411,6 +13411,142 @@ func TestInitProfileV2SelectsDraftReviewerRuntimeAndModelTier(t *testing.T) {
 	if draft.LLMReviewerModelTier != string(config.ModelTierMedium) {
 		t.Fatalf("draft.LLMReviewerModelTier = %q, want medium", draft.LLMReviewerModelTier)
 	}
+	if draft.ReviewerGitHubAppInstallationMode != string(config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository) || draft.ReviewerGitHubAppInstallationID != "" {
+		t.Fatalf("draft reviewer installation = (%q,%q), want discover with empty id", draft.ReviewerGitHubAppInstallationMode, draft.ReviewerGitHubAppInstallationID)
+	}
+}
+
+func TestInitProfileV2GitHubAppInstallationFieldsFollowReviewerSelection(t *testing.T) {
+	reviewerEntities := map[string]initReviewerEntityDraft{
+		"app-reviewer": {
+			Kind:            initReviewerEntityKindGitHubApp,
+			AuthMode:        config.GitAuthModeGitHubApp,
+			CredentialStore: config.LocalOSCredentialStoreID,
+			CredentialRef:   "codereview/app-reviewer",
+			DisplayName:     "enterprise/reviewer-bot",
+		},
+		"pat-reviewer": {
+			Kind:            initReviewerEntityKindPAT,
+			AuthMode:        config.GitAuthModePAT,
+			CredentialStore: config.LocalOSCredentialStoreID,
+			CredentialRef:   "codereview/pat-reviewer",
+			DisplayName:     "enterprise/pat-bot",
+		},
+	}
+	llmRuntimes := map[string]initLLMRuntimeDraft{
+		"claude-work": {
+			Preset:   initLLMRuntimePresetClaudeCLISubscription,
+			Provider: config.LLMProviderAnthropic,
+			Auth:     config.LLMAuthSubscription,
+			Adapter:  config.LLMAdapterClaudeCLI,
+		},
+	}
+	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithSelections("monit", "github.com/SignalFT", reviewerEntities, llmRuntimes), 160, 36)
+	sectionIndex := model.document.fieldIndexByID(initProfileV2FieldReviewerGitHubAppInstallationSection)
+	idIndex := model.document.fieldIndexByID(initProfileV2FieldReviewerGitHubAppInstallationID)
+	if sectionIndex < 0 || idIndex < 0 {
+		t.Fatal("GitHub App installation fields missing")
+	}
+	if !model.document[sectionIndex].Hidden {
+		t.Fatalf("GitHub App installation section visible for Git identity reviewer:\n%s", model.View())
+	}
+
+	model = selectInitProfileV2FieldValue(t, model, initProfileV2FieldReviewerEntity, "app-reviewer")
+	if model.document[sectionIndex].Hidden {
+		t.Fatalf("GitHub App installation section hidden for GitHub App reviewer:\n%s", model.View())
+	}
+	if model.document[idIndex].Hidden != true {
+		t.Fatalf("installation ID visible for discover mode:\n%s", model.View())
+	}
+	if !strings.Contains(model.View(), "Discover from PR repository at review time") {
+		t.Fatalf("view missing discovery option:\n%s", model.View())
+	}
+	draft, err := model.validatedDraft()
+	if err != nil {
+		t.Fatalf("validatedDraft discover: %v", err)
+	}
+	if draft.ReviewerGitHubAppInstallationMode != string(config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository) || draft.ReviewerGitHubAppInstallationID != "" {
+		t.Fatalf("draft discover installation = (%q,%q)", draft.ReviewerGitHubAppInstallationMode, draft.ReviewerGitHubAppInstallationID)
+	}
+
+	model = selectInitProfileV2FieldValue(t, model, initProfileV2FieldReviewerGitHubAppInstallationMode, string(config.ProfileReviewerGitHubAppInstallationPinned))
+	if model.document[idIndex].Hidden {
+		t.Fatalf("installation ID hidden for pinned mode:\n%s", model.View())
+	}
+	model = focusInitProfileV2Field(t, model, initProfileV2FieldReviewerGitHubAppInstallationID)
+	model = typeInitProfileV2Text(t, model, "123456")
+	draft, err = model.validatedDraft()
+	if err != nil {
+		t.Fatalf("validatedDraft pinned: %v", err)
+	}
+	if draft.ReviewerGitHubAppInstallationMode != string(config.ProfileReviewerGitHubAppInstallationPinned) || draft.ReviewerGitHubAppInstallationID != "123456" {
+		t.Fatalf("draft pinned installation = (%q,%q), want pinned 123456", draft.ReviewerGitHubAppInstallationMode, draft.ReviewerGitHubAppInstallationID)
+	}
+
+	model = selectInitProfileV2FieldValue(t, model, initProfileV2FieldReviewerEntity, "pat-reviewer")
+	if !model.document[sectionIndex].Hidden {
+		t.Fatalf("GitHub App installation section visible for PAT reviewer:\n%s", model.View())
+	}
+	draft, err = model.validatedDraft()
+	if err != nil {
+		t.Fatalf("validatedDraft PAT: %v", err)
+	}
+	if draft.ReviewerGitHubAppInstallationMode != "" || draft.ReviewerGitHubAppInstallationID != "" {
+		t.Fatalf("draft PAT installation = (%q,%q), want empty", draft.ReviewerGitHubAppInstallationMode, draft.ReviewerGitHubAppInstallationID)
+	}
+}
+
+func TestInitProfileV2GitHubAppInstallationPinnedIDValidation(t *testing.T) {
+	reviewerEntities := map[string]initReviewerEntityDraft{
+		"app-reviewer": {
+			Kind:            initReviewerEntityKindGitHubApp,
+			AuthMode:        config.GitAuthModeGitHubApp,
+			CredentialStore: config.LocalOSCredentialStoreID,
+			CredentialRef:   "codereview/app-reviewer",
+		},
+	}
+	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithSelections("monit", "github.com/SignalFT", reviewerEntities, nil), 160, 36)
+	model = selectInitProfileV2FieldValue(t, model, initProfileV2FieldReviewerEntity, "app-reviewer")
+	model = selectInitProfileV2FieldValue(t, model, initProfileV2FieldReviewerGitHubAppInstallationMode, string(config.ProfileReviewerGitHubAppInstallationPinned))
+	if _, err := model.validatedDraft(); err == nil || !strings.Contains(err.Error(), "installation ID is required") {
+		t.Fatalf("validatedDraft empty pinned error = %v, want required installation ID", err)
+	}
+
+	model = focusInitProfileV2Field(t, model, initProfileV2FieldReviewerGitHubAppInstallationID)
+	model = typeInitProfileV2Text(t, model, "not-decimal")
+	if _, err := model.validatedDraft(); err == nil || !strings.Contains(err.Error(), "decimal") {
+		t.Fatalf("validatedDraft non-decimal error = %v, want decimal validation", err)
+	}
+}
+
+func TestSynthesizeInteractiveProfilePersistsPinnedGitHubAppInstallation(t *testing.T) {
+	draft := initDraft{
+		ProfileName:                       "monit",
+		GitHost:                           "github.com",
+		GitAuth:                           string(config.GitAuthModePAT),
+		GitCredentialRef:                  "codereview/monit",
+		ReviewerEnabled:                   true,
+		ReviewerAuth:                      string(config.GitAuthModeGitHubApp),
+		ReviewerCredentialStore:           config.LocalOSCredentialStoreID,
+		ReviewerCredentialRef:             "codereview/monit-reviewer",
+		ReviewerGitHubAppInstallationMode: string(config.ProfileReviewerGitHubAppInstallationPinned),
+		ReviewerGitHubAppInstallationID:   "987654",
+		LLMProvider:                       string(config.LLMProviderAnthropic),
+		LLMAuth:                           string(config.LLMAuthSubscription),
+		LLMAdapter:                        string(config.LLMAdapterClaudeCLI),
+	}
+	profile, err := synthesizeInteractiveProfile(initOptions{gitHost: "github.com"}, "monit", nil, draft)
+	if err != nil {
+		t.Fatalf("synthesizeInteractiveProfile: %v", err)
+	}
+	cfg, profile := materializeProfileReviewerEntity(config.File{}, "monit", profile)
+	got := profile.Reviewer.GitHubAppInstallation
+	if got == nil || got.Mode != config.ProfileReviewerGitHubAppInstallationPinned || got.InstallationID != "987654" {
+		t.Fatalf("profile reviewer installation = %#v, want pinned 987654", got)
+	}
+	if cfg.Profiles["monit"].Reviewer.GitHubAppInstallation == nil || cfg.Profiles["monit"].Reviewer.GitHubAppInstallation.InstallationID != "987654" {
+		t.Fatalf("config profile reviewer installation = %#v, want pinned 987654", cfg.Profiles["monit"].Reviewer.GitHubAppInstallation)
+	}
 }
 
 func TestInitProfileV2NoRuntimeBootstrapRequestsExistingFlow(t *testing.T) {
@@ -14157,6 +14293,7 @@ func newTestInitProfileV2EditorWithSelections(profileName string, routeText stri
 		initReviewerEntitySelectionOptions(reviewerEntities, reviewerEntityGitAccountFallbackLabel(config.GitAuthModePAT, "")),
 		string(initReviewerEntityKindUseGitIdentity),
 	)
+	initProfileV2AppendReviewerGitHubAppInstallationSection(&document, string(initReviewerEntityKindUseGitIdentity), reviewerEntities, draft)
 	document.addEditableSelect(initProfileV2FieldLLMRuntime, "LLM runtime", "Choose how reviewer agents run for this profile.", llmRuntimeOptions, selectedLLMRuntime)
 	initProfileV2AppendLLMStorageSection(&document, storeOptions, draft.LLMCredentialStore, draft.LLMCredentialRef, !initLLMStorageLabelRelevant(selectedLLMRuntime, llmRuntimes))
 	document.addEditableSelect(initProfileV2FieldReviewerModelTier, initReviewerModelTierTitle, initReviewerModelTierDescription, initReviewerModelTierOptions(), draft.LLMReviewerModelTier)
diff --git a/internal/cmd/credentialcmd/init_profile_v2.go b/internal/cmd/credentialcmd/init_profile_v2.go
index 32b861e3..6b02a3f4 100644
--- a/internal/cmd/credentialcmd/init_profile_v2.go
+++ b/internal/cmd/credentialcmd/init_profile_v2.go
@@ -213,6 +213,7 @@ func newInitProfileV2ReadOnlyModel(editor initProfileV2Editor, width, height int
 		focused:                    editor.Document.firstFocusableField(),
 	}
 	model.syncGitScopeFields()
+	model.syncReviewerGitHubAppInstallationFields(false)
 	model.syncLLMCredentialFields(false)
 	model.syncModelMapFields()
 	model.validateAll()
@@ -384,6 +385,7 @@ func initProfileV2ReadOnlyEditor(ctx initPromptContext, selection string) (initP
 	initProfileV2AppendRouteSection(&document, routeText)
 	initProfileV2AppendGitScopeSection(&document, selectedGitScope, initGitScopeOptions(ctx.GitScopes), draft, selectedGitScope == initCustomGitScopeSelection || len(ctx.GitScopes) > 1)
 	document.addEditableSelect(initProfileV2FieldReviewerEntity, "Reviewer entity", reviewerEntitySelectionDescription(), reviewerEntityOptions, selectedReviewerEntity)
+	initProfileV2AppendReviewerGitHubAppInstallationSection(&document, selectedReviewerEntity, ctx.ReviewerEntities, draft)
 	document.addEditableSelect(initProfileV2FieldLLMRuntime, "LLM runtime", "Choose how reviewer agents run for this profile.", llmRuntimeOptions, selectedLLMRuntime)
 	initProfileV2AppendLLMStorageSection(&document, storeOptions, draft.LLMCredentialStore, draft.LLMCredentialRef, !initLLMStorageLabelRelevant(selectedLLMRuntime, llmRuntimes))
 	document.addEditableSelect(initProfileV2FieldReviewerModelTier, initReviewerModelTierTitle, initReviewerModelTierDescription, initReviewerModelTierOptions(), draft.LLMReviewerModelTier)
@@ -442,25 +444,28 @@ const (
 )
 
 const (
-	initProfileV2FieldProfileName          initProfileV2FieldID = "profile_name"
-	initProfileV2FieldRoutes               initProfileV2FieldID = "routes"
-	initProfileV2FieldGitScope             initProfileV2FieldID = "git_scope"
-	initProfileV2FieldGitHost              initProfileV2FieldID = "git_host"
-	initProfileV2FieldGitAuth              initProfileV2FieldID = "git_auth"
-	initProfileV2FieldReviewerEntity       initProfileV2FieldID = "reviewer_entity"
-	initProfileV2FieldLLMRuntime           initProfileV2FieldID = "llm_runtime"
-	initProfileV2FieldReviewerModelTier    initProfileV2FieldID = "reviewer_model_tier"
-	initProfileV2FieldAgentSources         initProfileV2FieldID = "agent_sources"
-	initProfileV2FieldReviewMajorEvent     initProfileV2FieldID = "review_major_event"
-	initProfileV2FieldSelfApprove          initProfileV2FieldID = "self_approve"
-	initProfileV2FieldResolveThreads       initProfileV2FieldID = "resolve_threads"
-	initProfileV2FieldResolveAfter         initProfileV2FieldID = "resolve_after"
-	initProfileV2FieldGitCredentialStore   initProfileV2FieldID = "git_credential_store" // #nosec G101 -- this is a field ID, not a secret value.
-	initProfileV2FieldGitCredentialName    initProfileV2FieldID = "git_credential_name"  // #nosec G101 -- this is a field ID, not a secret value.
-	initProfileV2FieldLLMCredentialSection initProfileV2FieldID = "llm_credentials_section"
-	initProfileV2FieldLLMCredentialStore   initProfileV2FieldID = "llm_credential_store" // #nosec G101 -- this is a field ID, not a secret value.
-	initProfileV2FieldLLMCredentialName    initProfileV2FieldID = "llm_credential_name"  // #nosec G101 -- this is a field ID, not a secret value.
-	initProfileV2FieldProfileAction        initProfileV2FieldID = "profile_action"
+	initProfileV2FieldProfileName                          initProfileV2FieldID = "profile_name"
+	initProfileV2FieldRoutes                               initProfileV2FieldID = "routes"
+	initProfileV2FieldGitScope                             initProfileV2FieldID = "git_scope"
+	initProfileV2FieldGitHost                              initProfileV2FieldID = "git_host"
+	initProfileV2FieldGitAuth                              initProfileV2FieldID = "git_auth"
+	initProfileV2FieldReviewerEntity                       initProfileV2FieldID = "reviewer_entity"
+	initProfileV2FieldReviewerGitHubAppInstallationSection initProfileV2FieldID = "reviewer_github_app_installation_section"
+	initProfileV2FieldReviewerGitHubAppInstallationMode    initProfileV2FieldID = "reviewer_github_app_installation_mode"
+	initProfileV2FieldReviewerGitHubAppInstallationID      initProfileV2FieldID = "reviewer_github_app_installation_id" // #nosec G101 -- this is a field ID, not a secret value.
+	initProfileV2FieldLLMRuntime                           initProfileV2FieldID = "llm_runtime"
+	initProfileV2FieldReviewerModelTier                    initProfileV2FieldID = "reviewer_model_tier"
+	initProfileV2FieldAgentSources                         initProfileV2FieldID = "agent_sources"
+	initProfileV2FieldReviewMajorEvent                     initProfileV2FieldID = "review_major_event"
+	initProfileV2FieldSelfApprove                          initProfileV2FieldID = "self_approve"
+	initProfileV2FieldResolveThreads                       initProfileV2FieldID = "resolve_threads"
+	initProfileV2FieldResolveAfter                         initProfileV2FieldID = "resolve_after"
+	initProfileV2FieldGitCredentialStore                   initProfileV2FieldID = "git_credential_store" // #nosec G101 -- this is a field ID, not a secret value.
+	initProfileV2FieldGitCredentialName                    initProfileV2FieldID = "git_credential_name"  // #nosec G101 -- this is a field ID, not a secret value.
+	initProfileV2FieldLLMCredentialSection                 initProfileV2FieldID = "llm_credentials_section"
+	initProfileV2FieldLLMCredentialStore                   initProfileV2FieldID = "llm_credential_store" // #nosec G101 -- this is a field ID, not a secret value.
+	initProfileV2FieldLLMCredentialName                    initProfileV2FieldID = "llm_credential_name"  // #nosec G101 -- this is a field ID, not a secret value.
+	initProfileV2FieldProfileAction                        initProfileV2FieldID = "profile_action"
 )
 
 func initProfileV2FieldModelMap(tier config.ModelTier) initProfileV2FieldID {
@@ -504,6 +509,55 @@ func initProfileV2AppendGitScopeSection(document *initProfileV2Document, selecte
 	}, draft.GitAuth, initProfileV2FieldOptions{Hidden: customHidden})
 }
 
+func initProfileV2AppendReviewerGitHubAppInstallationSection(document *initProfileV2Document, selectedReviewerEntity string, entities map[string]initReviewerEntityDraft, draft initDraft) {
+	hidden := initProfileV2ReviewerEntityKindForSelection(selectedReviewerEntity, entities) != initReviewerEntityKindGitHubApp
+	mode := config.ProfileReviewerGitHubAppInstallationMode(strings.TrimSpace(draft.ReviewerGitHubAppInstallationMode))
+	if mode == "" {
+		mode = config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository
+	}
+	pinned := mode == config.ProfileReviewerGitHubAppInstallationPinned
+	document.addSectionField(
+		initProfileV2FieldReviewerGitHubAppInstallationSection,
+		"GitHub App installation",
+		"Choose how cr finds the GitHub App installation for this review profile.",
+		initProfileV2FieldOptions{Hidden: hidden},
+	)
+	document.addEditableSelect(
+		initProfileV2FieldReviewerGitHubAppInstallationMode,
+		"Installation lookup",
+		"",
+		initProfileV2ReviewerGitHubAppInstallationModeOptions(),
+		string(mode),
+		initProfileV2FieldOptions{Hidden: hidden},
+	)
+	document.addEditableInput(
+		initProfileV2FieldReviewerGitHubAppInstallationID,
+		"Installation ID",
+		"Required when you pin an installation. Use the numeric GitHub App installation ID.",
+		strings.TrimSpace(draft.ReviewerGitHubAppInstallationID),
+		validateOptionalGitHubAppInstallationID,
+		initProfileV2FieldOptions{Hidden: hidden || !pinned},
+	)
+}
+
+func initProfileV2ReviewerGitHubAppInstallationModeOptions() []huh.Option[string] {
+	return []huh.Option[string]{
+		huh.NewOption("Discover from PR repository at review time", string(config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository)),
+		huh.NewOption("Pin an installation ID", string(config.ProfileReviewerGitHubAppInstallationPinned)),
+	}
+}
+
+func initProfileV2ReviewerEntityKindForSelection(selection string, entities map[string]initReviewerEntityDraft) initReviewerEntityKind {
+	switch initReviewerEntityKind(selection) {
+	case initReviewerEntityKindUseGitIdentity, initReviewerEntityKindPAT, initReviewerEntityKindGitHubApp:
+		return initReviewerEntityKind(selection)
+	}
+	if entity, ok := entities[selection]; ok {
+		return entity.Kind
+	}
+	return initReviewerEntityKindUseGitIdentity
+}
+
 func initProfileV2AppendModelMapSection(document *initProfileV2Document, llm config.LLMConfig, modelMap config.ModelMap) {
 	document.addSection("Model tier mapping", "")
 	existing := copyModelMap(modelMap)
@@ -725,6 +779,14 @@ func (m *initProfileV2ReadOnlyModel) afterFieldChange(index int) {
 		m.syncGitScopeFields()
 		return
 	}
+	if id == initProfileV2FieldReviewerEntity {
+		m.syncReviewerGitHubAppInstallationFields(true)
+		return
+	}
+	if id == initProfileV2FieldReviewerGitHubAppInstallationMode {
+		m.syncReviewerGitHubAppInstallationFields(true)
+		return
+	}
 	if id == initProfileV2FieldLLMRuntime {
 		m.syncLLMCredentialFields(true)
 		m.syncModelMapFields()
@@ -798,6 +860,31 @@ func (m initProfileV2ReadOnlyModel) validatedDraft() (initDraft, error) {
 		reviewerMode := string(initReviewerEntityDraftFromSeedDraft(draft).Kind)
 		applyReviewerEntitySelection(&draft, reviewerMode)
 	}
+	if initProfileV2ReviewerEntityKindForSelection(selectedReviewerEntity, m.reviewerEntities) == initReviewerEntityKindGitHubApp {
+		mode := config.ProfileReviewerGitHubAppInstallationMode(strings.TrimSpace(m.document.selectedValue(initProfileV2FieldReviewerGitHubAppInstallationMode)))
+		if mode == "" {
+			mode = config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository
+		}
+		draft.ReviewerGitHubAppInstallationMode = string(mode)
+		switch mode {
+		case config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository:
+			draft.ReviewerGitHubAppInstallationID = ""
+		case config.ProfileReviewerGitHubAppInstallationPinned:
+			installationID := strings.TrimSpace(m.document.fieldValue(initProfileV2FieldReviewerGitHubAppInstallationID))
+			if installationID == "" {
+				return draft, fmt.Errorf("GitHub App installation ID is required when lookup is pinned")
+			}
+			if err := validateOptionalGitHubAppInstallationID(installationID); err != nil {
+				return draft, err
+			}
+			draft.ReviewerGitHubAppInstallationID = installationID
+		default:
+			return draft, fmt.Errorf("GitHub App installation lookup %q is invalid", mode)
+		}
+	} else {
+		draft.ReviewerGitHubAppInstallationMode = ""
+		draft.ReviewerGitHubAppInstallationID = ""
+	}
 	selectedLLMRuntime := m.document.selectedValue(initProfileV2FieldLLMRuntime)
 	if selectedLLMRuntime == initConfigureNewLLMRuntimeSelection {
 		return draft, fmt.Errorf("configure a new LLM runtime first")
@@ -889,6 +976,33 @@ func (m *initProfileV2ReadOnlyModel) syncGitScopeFields() {
 	m.validateAll()
 }
 
+func (m *initProfileV2ReadOnlyModel) syncReviewerGitHubAppInstallationFields(reset bool) {
+	kind := initProfileV2ReviewerEntityKindForSelection(m.document.selectedValue(initProfileV2FieldReviewerEntity), m.reviewerEntities)
+	visible := kind == initReviewerEntityKindGitHubApp
+	mode := config.ProfileReviewerGitHubAppInstallationMode(strings.TrimSpace(m.document.selectedValue(initProfileV2FieldReviewerGitHubAppInstallationMode)))
+	if mode == "" {
+		mode = config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository
+		m.selectFieldValue(initProfileV2FieldReviewerGitHubAppInstallationMode, string(mode))
+	}
+	pinned := visible && mode == config.ProfileReviewerGitHubAppInstallationPinned
+	m.setFieldHidden(initProfileV2FieldReviewerGitHubAppInstallationSection, !visible)
+	m.setFieldHidden(initProfileV2FieldReviewerGitHubAppInstallationMode, !visible)
+	m.setFieldHidden(initProfileV2FieldReviewerGitHubAppInstallationID, !pinned)
+	if !visible {
+		m.selectFieldValue(initProfileV2FieldReviewerGitHubAppInstallationMode, string(config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository))
+		m.setFieldValue(initProfileV2FieldReviewerGitHubAppInstallationID, "")
+	} else if reset && !pinned {
+		m.setFieldValue(initProfileV2FieldReviewerGitHubAppInstallationID, "")
+	}
+	if m.focused >= 0 && m.focused < len(m.document) && m.document[m.focused].Hidden {
+		m.focused = m.document.nextFocusableField(m.focused)
+		if m.focused >= len(m.document) || m.document[m.focused].Hidden {
+			m.focused = m.document.previousFocusableField(len(m.document))
+		}
+	}
+	m.validateField(m.document.fieldIndexByID(initProfileV2FieldReviewerGitHubAppInstallationID))
+}
+
 func (m *initProfileV2ReadOnlyModel) syncLLMCredentialFields(reset bool) {
 	selectedLLMRuntime := m.document.selectedValue(initProfileV2FieldLLMRuntime)
 	draft := m.draft

From a21f1d202647450c0c3efc7ac985f9731fa1e8c9 Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Mon, 22 Jun 2026 07:19:46 -0400
Subject: [PATCH 08/27] Move GitHub App IDs into config

---
 README.md                                     |  24 +-
 docs/init-config-surface.md                   |   3 +-
 docs/init-ux-contract.md                      |   6 +-
 internal/cmd/configcmd/configcmd_test.go      |   5 +-
 internal/cmd/credentialcmd/credentialcmd.go   | 161 +++++++--
 .../cmd/credentialcmd/credentialcmd_test.go   | 307 ++++++++++--------
 .../cmd/credentialcmd/init_linear_editor.go   |   8 +
 internal/cmd/credentialcmd/init_profile_v2.go |  28 ++
 .../init_reviewer_credential_status.go        |   6 +-
 .../init_reviewer_entity_editor.go            | 105 ++++--
 internal/cmd/mecmd/mecmd_test.go              |   8 +-
 internal/cmd/noleak/noleak_test.go            |   8 +-
 internal/cmd/reviewcmd/reviewcmd.go           |   6 +
 internal/config/config.go                     |  68 ++++
 internal/config/config_test.go                |  13 +
 internal/credentials/credentials.go           |   6 +-
 internal/credentials/credentials_test.go      |  18 +-
 internal/gitprovider/github/app_auth.go       |   6 +-
 internal/gitprovider/github/app_auth_test.go  |  10 +-
 internal/gitprovider/github/client.go         |   4 +
 internal/identity/identity.go                 |   6 +
 21 files changed, 570 insertions(+), 236 deletions(-)

diff --git a/README.md b/README.md
index 6927d07d..da026063 100644
--- a/README.md
+++ b/README.md
@@ -407,6 +407,7 @@ cr --profile work init --non-interactive \
   --git-host github.com \
   --git-credential-ref codereview/work \
   --reviewer-auth-mode github_app \
+  --reviewer-github-app-id "$GITHUB_APP_ID" \
   --reviewer-credential-ref codereview/work-reviewer-app \
   --llm-provider anthropic \
   --llm-auth api_key \
@@ -420,13 +421,6 @@ printf '%s' "$USER_GITHUB_TOKEN" | cr set-credential \
   --stdin \
   --overwrite
 
-printf '%s' "$GITHUB_APP_ID" | cr set-credential \
-  --store local-os \
-  --name codereview/work-reviewer-app \
-  --key github_app_id \
-  --stdin \
-  --overwrite
-
 printf '%s' "$GITHUB_APP_PRIVATE_KEY" | cr set-credential \
   --store local-os \
   --name codereview/work-reviewer-app \
@@ -587,7 +581,8 @@ Credential key matrix:
 |---------------|---------|---------------|---------------|---------------|-------------|
 | `git.credential` | User Git host auth | `pat` | `git_token` | None | Supported |
 | `reviewer_credentials.credential` | Reviewer Git host auth | `pat` | `git_token` | None | Supported; must use a distinct credential location from `git.credential` in the same profile |
-| `git.credential` / reviewer entity credential | Git host auth | `github_app` | `github_app_id`, `github_app_private_key` | None | Supported for GitHub. Reviewer GitHub App installation routing lives on `profiles.<name>.reviewer.github_app_installation`, not in the credential bundle |
+| `git.github_app.app_id` / reviewer entity `github_app.app_id` | Git host auth | `github_app` | Config field, not a credential key | None | Non-secret GitHub App ID stored in config. Scripted init uses `--git-github-app-id` or `--reviewer-github-app-id` |
+| `git.credential` / reviewer entity credential | Git host auth | `github_app` | `github_app_private_key` | None | Supported for GitHub. Reviewer GitHub App installation routing lives on `profiles.<name>.reviewer.github_app_installation`, not in the credential bundle |
 | `git.credential` / `reviewer_credentials.credential` | Git host auth | `oauth_device` | None | None | Reserved; config recognizes the mode but v1 rejects it and does not accept future keys such as `git_oauth_access_token` or `git_oauth_refresh_token` |
 | `llm.credential` | Anthropic direct API auth | `api_key` + `anthropic` | `anthropic_api_key` | None | Supported |
 | `llm.credential` | OpenAI direct API auth | `api_key` + `openai` | `openai_api_key` | None | Supported |
@@ -747,9 +742,10 @@ Flags:
 Only one stdin secret ingress flag may be used at a time. PAT reviewer
 credentials use key `git_token` under their own credential name, so
 `--reviewer-credential-ref` must differ from `--git-credential-ref`. GitHub App
-reviewer credentials use `github_app_id` and `github_app_private_key`;
-installation routing is profile config, not a credential key. `init` does not
-accept reviewer token ingress for `--reviewer-auth-mode github_app`. LLM API-key ingress requires
+reviewers store their non-secret App ID in config via `--reviewer-github-app-id`
+and use `github_app_private_key` as the only credential-store key; installation
+routing is profile config, not a credential key. `init` does not accept
+reviewer token ingress for `--reviewer-auth-mode github_app`. LLM API-key ingress requires
 `--llm-auth api_key`. `--overwrite` with API-key auth requires an LLM key
 ingress flag. `--allow-self-review` is intentionally runtime-only on
 `cr review`; `init` only stores the profile-level self-approval policy.
@@ -761,12 +757,12 @@ cr set-credential --store <id> --name <credential-name> --key <key> (--stdin | -
 ```
 
 Writes one secret value to the selected credential store. Globally allowed keys are
-`git_token`, `github_app_id`, `github_app_private_key`,
-`anthropic_api_key`, and `openai_api_key`. When
+`git_token`, `github_app_private_key`, `anthropic_api_key`, and
+`openai_api_key`. When
 `config.yml` declares the target credential location, `set-credential` narrows
 that global allowlist to the exact key set expected for that credential. PAT
 user Git credentials and PAT reviewer credentials use `git_token`; GitHub App
-credentials use `github_app_id` and `github_app_private_key`; Anthropic
+credentials use `github_app_private_key`; Anthropic
 LLM API-key credentials use `anthropic_api_key`; OpenAI LLM API-key credentials use
 `openai_api_key`.
 
diff --git a/docs/init-config-surface.md b/docs/init-config-surface.md
index a8d177be..888ff192 100644
--- a/docs/init-config-surface.md
+++ b/docs/init-config-surface.md
@@ -51,6 +51,7 @@ intentionally unsupported.
 | config.profiles.<name> | Core profile wizard selects existing profile, creates a new profile, or renames an existing profile. | Existing global `--profile` with `cr init --non-interactive` owns scripted create/replace. Scripted rename is intentionally unsupported by init and belongs to future profile-management command design. | New profile names start blank. Existing profile names are pre-populated. | Create requires a valid profile body. Rename preserves credential locations by default, updates repository routes, and does not delete old credential-store entries. | #177 profile rename helper. #180 tests create/select/rename and validation. |
 | config.profiles.<name>.git.host | Core profile wizard edits Git host. | Existing `cr init --git-host`; existing route commands own route-safe scripted changes. | Current init defaults to `github.com`. Existing value is pre-populated. | Set validates non-empty normalized host. If routes reference the profile and reconciliation is not selected, block or defer the edit. | #180 blocks/defer route-unsafe host edits. #185 implements reconciliation tests. |
 | config.profiles.<name>.git.auth_mode | Core profile wizard chooses `pat` or `github_app`; `oauth_device` remains reserved. | `cr init --git-auth-mode`, parallel to existing reviewer auth mode. Current init otherwise defaults user Git auth to PAT. | Existing value is pre-populated. New profile defaults to `pat`. | Overwrite only to supported v1 modes. Switching auth modes re-plans credential keys but does not delete old secrets. | #179 credential-ref/key-spec planner. #180 auth-mode prompt tests. |
+| config.profiles.<name>.git.github_app.app_id | Core profile wizard stores the non-secret GitHub App ID when user Git auth uses `github_app`. | `cr init --git-github-app-id` when `--git-auth-mode github_app` is used. | Required for GitHub App auth. Existing value is pre-populated. Empty for PAT auth. | Must be a decimal GitHub App ID. It is config, not credential-store secret material. Switching Git auth away from GitHub App clears it. | GitHub App config validation and init profile tests. |
 | config.profiles.<name>.git.credential.store | User Git auth chooses an existing credential store before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --store`. | New profiles start with `local-os` selected. Existing store id is pre-populated. | Must be `local-os` or a configured store id. Store setup is not available inline from this flow. | #356 explicit destination tests. |
 | config.profiles.<name>.git.credential.name | User Git auth names the credential bundle before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --name`. | New profile defaults to `codereview/<profile>`. Existing name is pre-populated and preserved by default. | Must use the `codereview/<profile>` credential grammar. It must differ from other credentials in the same profile when the store also matches. | #356 explicit credential-location tests. |
 | config.profiles.<name>.git.identity_cache | Not shown as an editable init field. Preserve only. | Intentionally unsupported for init and config mutation. Runtime identity refresh owns it. | Existing cache is preserved. New profiles omit it. | Preserve unless a future explicit cache invalidation ticket owns behavior. Profile rename does not rewrite cache contents. | Preserve-only regression in #177/#180. |
@@ -134,7 +135,7 @@ secret ingress.
 |---------|---------------|-------------|---------------|---------------|--------------------------------|----------------|
 | User Git auth | `pat` | `codereview/<profile>` | `git_token` | None | Keep preserves existing store/name and key. Defer stores the credential location and prints follow-up `cr set-credential --store ... --name ...`. Overwrite writes `git_token` through the selected credential store only. | Profile rename preserves the credential location. Regenerate only with explicit key migration or overwrite. |
 | Reviewer Git auth | `pat` | `codereview/<profile>-reviewer`, or label-derived for new interactive reviewer entities | `git_token` | None | Interactive reviewer setup collects `git_token` inline before staging a new or changed reviewer credential location. Keep preserves an unchanged credential location. Clearing the reviewer section removes the location from config but does not delete secrets. | Profile rename and reviewer label edits preserve existing credential locations. No implicit rename/migration. |
-| User Git auth or reviewer entity auth | `github_app` | Same purpose-specific defaults as PAT | `github_app_id`, `github_app_private_key` | None | Keep preserves bundle. Interactive reviewer setup collects required GitHub App keys inline before staging a new or changed reviewer credential location. Reviewer profile installation routing is stored in `profiles.<name>.reviewer.github_app_installation`, not the credential bundle. Scripted/deferred flows print one follow-up command per required key. Overwrite writes only keys the user provided, with required-key validation before saving. | Migration is bundle-wide and explicit only: never leave config pointing at a partially moved bundle. |
+| User Git auth or reviewer entity auth | `github_app` | Same purpose-specific defaults as PAT | `github_app_private_key` | None | Keep preserves bundle. GitHub App IDs are non-secret config (`github_app.app_id`). Interactive reviewer setup collects the App ID as config and the private key as the only secret before staging a new or changed reviewer credential location. Reviewer profile installation routing is stored in `profiles.<name>.reviewer.github_app_installation`, not the credential bundle. Scripted/deferred flows print a follow-up command for the private key only. Overwrite writes only keys the user provided, with required-key validation before saving. | Migration is explicit only: never leave config pointing at a partially moved credential location. |
 | Git auth | `oauth_device` | None | None | None | Unsupported in v1. The wizard must not offer it as a selectable mode. | Future OAuth work must amend this document. |
 | LLM API key | `anthropic` + `api_key` | `codereview/<profile>-llm` | `anthropic_api_key` | None | Keep preserves existing credential location. Defer stores the location only if the key already exists or follow-up is clearly rendered. Overwrite writes provider key through the selected credential store. | Preserve custom locations on rename. Regeneration requires explicit migration/overwrite. |
 | LLM API key | `openai` + `api_key` | `codereview/<profile>-llm` | `openai_api_key` | None | Same as Anthropic API-key auth. | Same as Anthropic API-key auth. |
diff --git a/docs/init-ux-contract.md b/docs/init-ux-contract.md
index 0452e8cd..31472174 100644
--- a/docs/init-ux-contract.md
+++ b/docs/init-ux-contract.md
@@ -166,9 +166,9 @@ entity setup should show non-secret, per-key credential readiness for the
 selected reviewer credential location:
 
 - PAT reviewers show `git_token`.
-- GitHub App reviewers show required `github_app_id` and
-  `github_app_private_key`. Installation routing is review-profile config, not
-  a reviewer credential key.
+- GitHub App reviewers show non-secret GitHub App ID as config plus required
+  `github_app_private_key` readiness. Installation routing is review-profile
+  config, not a reviewer credential key.
 - Each key may be shown as `missing`, `existing`, `staged`, `skipped optional`,
   `deferred`, `optional`, or `status unavailable`.
 - `missing` means the backend was consulted and no staged or existing value was
diff --git a/internal/cmd/configcmd/configcmd_test.go b/internal/cmd/configcmd/configcmd_test.go
index 123af2fb..9cabd2ae 100644
--- a/internal/cmd/configcmd/configcmd_test.go
+++ b/internal/cmd/configcmd/configcmd_test.go
@@ -877,6 +877,7 @@ func TestConfigShowGitHubAppCredentialStatus(t *testing.T) {
 	cfg := testConfig()
 	work := cfg.Profiles["work"]
 	work.ReviewerCredentials.AuthMode = config.GitAuthModeGitHubApp
+	work.ReviewerCredentials.GitHubApp = &config.GitHubAppConfig{AppID: "12345"}
 	cfg.Profiles["work"] = work
 	path := saveTestConfig(t, cfg)
 	cmd, out := newTestCommand(path)
@@ -897,7 +898,6 @@ func TestConfigShowGitHubAppCredentialStatus(t *testing.T) {
 	}
 	missing := false
 	want := []view.KeyStatus{
-		{Key: credentials.GitHubAppIDKey, Required: true, Present: &missing, Status: "missing"},
 		{Key: credentials.GitHubAppPrivateKeyKey, Required: true, Present: &missing, Status: "missing"},
 	}
 	if reviewer.Ref != "codereview/work-reviewer" || reviewer.Mode != "github_app" || !reflect.DeepEqual(reviewer.Keys, want) {
@@ -1973,16 +1973,15 @@ func TestConfigClearGitHubAppCredentialMatrix(t *testing.T) {
 	cfg := fileBackendConfig(t)
 	home := cfg.Profiles["home"]
 	home.Git.AuthMode = config.GitAuthModeGitHubApp
+	home.Git.GitHubApp = &config.GitHubAppConfig{AppID: "12345"}
 	home.Git.CredentialRef = "codereview/home-app"
 	home.Git.Credential.Name = "codereview/home-app"
 	cfg.Profiles["home"] = home
 	path := saveTestConfig(t, cfg)
 	appKeys := []string{
-		credentials.GitHubAppIDKey,
 		credentials.GitHubAppPrivateKeyKey,
 	}
 	seedFileBackend(t, "home-app", map[string]string{
-		credentials.GitHubAppIDKey:         "12345",
 		credentials.GitHubAppPrivateKeyKey: "private-key",
 	})
 
diff --git a/internal/cmd/credentialcmd/credentialcmd.go b/internal/cmd/credentialcmd/credentialcmd.go
index ac520fe3..8326b23b 100644
--- a/internal/cmd/credentialcmd/credentialcmd.go
+++ b/internal/cmd/credentialcmd/credentialcmd.go
@@ -151,33 +151,35 @@ func runSetCredential(cmd *cobra.Command, opts *root.Options, flags setCredentia
 }
 
 type initOptions struct {
-	nonInteractive     bool
-	gitHost            string
-	gitAuth            string
-	gitRef             string
-	reviewerRef        string
-	reviewerAuth       string
-	disableReviewer    bool
-	llmProvider        string
-	llmAuth            string
-	llmAdapter         string
-	llmRef             string
-	llmReviewerTier    string
-	clearLLMReviewer   bool
-	agentSources       []string
-	majorEvent         string
-	selfApprove        bool
-	resolveThreads     string
-	resolveAfter       string
-	gitTokenStdin      bool
-	gitTokenEnv        string
-	reviewerTokenStdin bool
-	reviewerTokenEnv   string
-	llmKeyStdin        bool
-	llmKeyEnv          string
-	overwrite          bool
-	replaceProfile     bool
-	secretsDiscovery   string
+	nonInteractive      bool
+	gitHost             string
+	gitAuth             string
+	gitGitHubAppID      string
+	gitRef              string
+	reviewerRef         string
+	reviewerAuth        string
+	reviewerGitHubAppID string
+	disableReviewer     bool
+	llmProvider         string
+	llmAuth             string
+	llmAdapter          string
+	llmRef              string
+	llmReviewerTier     string
+	clearLLMReviewer    bool
+	agentSources        []string
+	majorEvent          string
+	selfApprove         bool
+	resolveThreads      string
+	resolveAfter        string
+	gitTokenStdin       bool
+	gitTokenEnv         string
+	reviewerTokenStdin  bool
+	reviewerTokenEnv    string
+	llmKeyStdin         bool
+	llmKeyEnv           string
+	overwrite           bool
+	replaceProfile      bool
+	secretsDiscovery    string
 }
 
 type initPrompter interface {
@@ -268,12 +270,14 @@ type initDraft struct {
 	ProfileName                       string
 	GitHost                           string
 	GitAuth                           string
+	GitHubAppID                       string
 	GitCredentialStore                string
 	GitCredentialRef                  string
 	ReviewerEnabled                   bool
 	ReviewerAuth                      string
 	ReviewerCredentialStore           string
 	ReviewerCredentialRef             string
+	ReviewerGitHubAppID               string
 	ReviewerDisplayName               string
 	ReviewerGitHubAppInstallationMode string
 	ReviewerGitHubAppInstallationID   string
@@ -547,6 +551,7 @@ type initGitScopeDraft struct {
 	Name            string
 	Host            string
 	AuthMode        config.GitAuthMode
+	GitHubAppID     string
 	CredentialStore string
 	CredentialRef   string
 }
@@ -563,6 +568,7 @@ type initReviewerEntityDraft struct {
 	Name            string
 	Kind            initReviewerEntityKind
 	AuthMode        config.GitAuthMode
+	AppID           string
 	CredentialStore string
 	CredentialRef   string
 	DisplayName     string
@@ -804,9 +810,11 @@ func newInitCommand(opts *root.Options) *cobra.Command {
 	cmd.Flags().BoolVar(&flags.nonInteractive, "non-interactive", false, "Run without prompts")
 	cmd.Flags().StringVar(&flags.gitHost, "git-host", flags.gitHost, "Git host")
 	cmd.Flags().StringVar(&flags.gitAuth, "git-auth-mode", flags.gitAuth, "Git credential auth mode")
+	cmd.Flags().StringVar(&flags.gitGitHubAppID, "git-github-app-id", "", "GitHub App ID for Git github_app auth")
 	cmd.Flags().StringVar(&flags.gitRef, "git-credential-ref", "", "Git credential name")
 	cmd.Flags().StringVar(&flags.reviewerRef, "reviewer-credential-ref", "", "Reviewer credential name")
 	cmd.Flags().StringVar(&flags.reviewerAuth, "reviewer-auth-mode", flags.reviewerAuth, "Reviewer credential auth mode")
+	cmd.Flags().StringVar(&flags.reviewerGitHubAppID, "reviewer-github-app-id", "", "GitHub App ID for reviewer github_app auth")
 	cmd.Flags().BoolVar(&flags.disableReviewer, "disable-reviewer", false, "Disable separate reviewer credentials")
 	cmd.Flags().StringVar(&flags.llmProvider, "llm-provider", flags.llmProvider, "LLM provider")
 	cmd.Flags().StringVar(&flags.llmAuth, "llm-auth", flags.llmAuth, "LLM auth mode")
@@ -1799,6 +1807,7 @@ func propagateSharedReviewerEntityChanges(priorCfg config.File, updatedCfg confi
 			continue
 		}
 		profile.ReviewerCredentials.AuthMode = nextEntity.AuthMode
+		profile.ReviewerCredentials.GitHubApp = initGitHubAppConfigForAuth(nextEntity.AuthMode, nextEntity.AppID)
 		profile.ReviewerCredentials.Credential = initCredentialLocation(credentialStore, credentialRef)
 		profile.ReviewerCredentials.CredentialRef = credentialRef
 		profile.ReviewerCredentials.DisplayName = displayName
@@ -2410,6 +2419,7 @@ func (p huhInitPrompter) Run(ctx initPromptContext) (initDraft, error) {
 			selectedGit := initGitScopeDraft{
 				Host:            draft.GitHost,
 				AuthMode:        config.GitAuthMode(draft.GitAuth),
+				GitHubAppID:     strings.TrimSpace(draft.GitHubAppID),
 				CredentialStore: initCredentialStoreDraftValue(draft.GitCredentialStore),
 				CredentialRef:   strings.TrimSpace(draft.GitCredentialRef),
 			}
@@ -2799,6 +2809,7 @@ func initReviewerEntityDraftFromSeedDraft(draft initDraft) initReviewerEntityDra
 	}
 	entity := initReviewerEntityDraft{
 		AuthMode:        config.GitAuthMode(draft.ReviewerAuth),
+		AppID:           firstNonEmpty(draft.ReviewerGitHubAppID, draft.ReviewerCredentialWrites[credentials.GitHubAppIDKey]),
 		CredentialStore: initCredentialStoreDraftValue(draft.ReviewerCredentialStore),
 		CredentialRef:   strings.TrimSpace(draft.ReviewerCredentialRef),
 		DisplayName:     normalizeOptionalDisplayName(draft.ReviewerDisplayName),
@@ -2855,6 +2866,7 @@ func applyGitScopeSelection(draft *initDraft, selection string, scopes map[strin
 	}
 	draft.GitHost = scope.Host
 	draft.GitAuth = string(scope.AuthMode)
+	draft.GitHubAppID = strings.TrimSpace(scope.GitHubAppID)
 	draft.GitCredentialStore = initCredentialStoreDraftValue(scope.CredentialStore)
 	if !draft.AdvancedStorageLabels {
 		draft.GitCredentialRef = scope.CredentialRef
@@ -3301,6 +3313,7 @@ func applyReviewerEntityInventorySelection(draft *initDraft, selection string, e
 	}
 	draft.ReviewerEnabled = entity.Kind != initReviewerEntityKindUseGitIdentity
 	draft.ReviewerAuth = string(entity.AuthMode)
+	draft.ReviewerGitHubAppID = strings.TrimSpace(entity.AppID)
 	draft.ReviewerCredentialStore = initCredentialStoreDraftValue(entity.CredentialStore)
 	draft.ReviewerDisplayName = normalizeOptionalDisplayName(entity.DisplayName)
 	if !draft.AdvancedStorageLabels {
@@ -3313,6 +3326,7 @@ func applyReviewerEntitySelection(draft *initDraft, selection string) {
 	case initReviewerEntityKindUseGitIdentity:
 		draft.ReviewerEnabled = false
 		draft.ReviewerAuth = string(config.GitAuthModePAT)
+		draft.ReviewerGitHubAppID = ""
 		draft.ReviewerDisplayName = ""
 		if !draft.AdvancedStorageLabels {
 			draft.ReviewerCredentialRef = ""
@@ -3323,6 +3337,7 @@ func applyReviewerEntitySelection(draft *initDraft, selection string) {
 	case initReviewerEntityKindPAT:
 		draft.ReviewerEnabled = true
 		draft.ReviewerAuth = string(config.GitAuthModePAT)
+		draft.ReviewerGitHubAppID = ""
 	}
 }
 
@@ -3995,6 +4010,19 @@ func validateOptionalGitHubAppInstallationID(value string) error {
 	return nil
 }
 
+func validateOptionalDecimalID(label string) func(string) error {
+	return func(value string) error {
+		trimmed := strings.TrimSpace(value)
+		if trimmed == "" {
+			return nil
+		}
+		if _, err := strconv.ParseInt(trimmed, 10, 64); err != nil {
+			return fmt.Errorf("%s must be a decimal number", label)
+		}
+		return nil
+	}
+}
+
 func validateRetentionMaxAgeDays(value string) error {
 	_, err := parseInteractiveRetentionMaxAgeDays(value)
 	return err
@@ -4063,6 +4091,9 @@ func seedInteractiveInitDraft(requestedProfileName string, existingProfileName s
 	if existingProfile != nil {
 		draft.GitHost = existingProfile.Git.Host
 		draft.GitAuth = string(existingProfile.Git.AuthMode)
+		if existingProfile.Git.GitHubApp != nil {
+			draft.GitHubAppID = strings.TrimSpace(existingProfile.Git.GitHubApp.AppID)
+		}
 		draft.GitCredentialStore = initCredentialStoreDraftValue(existingProfile.Git.Credential.Store)
 		draft.GitCredentialRef = firstNonEmpty(existingProfile.Git.Credential.Name, existingProfile.Git.CredentialRef)
 		draft.LLMProvider = string(existingProfile.LLM.Provider)
@@ -4083,6 +4114,9 @@ func seedInteractiveInitDraft(requestedProfileName string, existingProfileName s
 		if existingProfile.ReviewerCredentials != nil {
 			draft.ReviewerEnabled = true
 			draft.ReviewerAuth = string(existingProfile.ReviewerCredentials.AuthMode)
+			if existingProfile.ReviewerCredentials.GitHubApp != nil {
+				draft.ReviewerGitHubAppID = strings.TrimSpace(existingProfile.ReviewerCredentials.GitHubApp.AppID)
+			}
 			draft.ReviewerCredentialStore = initCredentialStoreDraftValue(existingProfile.ReviewerCredentials.Credential.Store)
 			draft.ReviewerCredentialRef = firstNonEmpty(existingProfile.ReviewerCredentials.Credential.Name, existingProfile.ReviewerCredentials.CredentialRef)
 			draft.ReviewerDisplayName = normalizeOptionalDisplayName(existingProfile.ReviewerCredentials.DisplayName)
@@ -4159,6 +4193,7 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 		return initPlan{}, exitcode.Usage(fmt.Errorf("--llm-reviewer-model-tier and --clear-llm-reviewer-model-tier may not be used together; use one or the other"))
 	}
 	reviewerCredentialsConfigured := flags.reviewerRef != "" ||
+		flags.reviewerGitHubAppID != "" ||
 		flags.reviewerTokenStdin ||
 		flags.reviewerTokenEnv != "" ||
 		cmd.Flags().Changed("reviewer-auth-mode")
@@ -4213,6 +4248,7 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 		return initPlan{}, exitcode.Usage(fmt.Errorf("--git-auth-mode %s is not supported in v1", flags.gitAuth))
 	}
 	reviewerRequested := flags.reviewerRef != "" ||
+		flags.reviewerGitHubAppID != "" ||
 		flags.reviewerTokenStdin ||
 		flags.reviewerTokenEnv != "" ||
 		cmd.Flags().Changed("reviewer-auth-mode")
@@ -4264,6 +4300,30 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 	if gitMode != config.GitAuthModePAT && (flags.gitTokenStdin || flags.gitTokenEnv != "") {
 		return initPlan{}, exitcode.Usage(fmt.Errorf("git token ingress requires --git-auth-mode %s", config.GitAuthModePAT))
 	}
+	if gitMode != config.GitAuthModeGitHubApp && strings.TrimSpace(flags.gitGitHubAppID) != "" {
+		return initPlan{}, exitcode.Usage(fmt.Errorf("--git-github-app-id requires --git-auth-mode %s", config.GitAuthModeGitHubApp))
+	}
+	gitGitHubAppID := strings.TrimSpace(flags.gitGitHubAppID)
+	if gitMode == config.GitAuthModeGitHubApp {
+		if gitGitHubAppID == "" && previousProfile != nil && previousProfile.Git.GitHubApp != nil {
+			gitGitHubAppID = strings.TrimSpace(previousProfile.Git.GitHubApp.AppID)
+		}
+		if gitGitHubAppID == "" {
+			return initPlan{}, exitcode.Usage(fmt.Errorf("--git-github-app-id is required when --git-auth-mode is %s", config.GitAuthModeGitHubApp))
+		}
+	}
+	if reviewerMode != config.GitAuthModeGitHubApp && strings.TrimSpace(flags.reviewerGitHubAppID) != "" {
+		return initPlan{}, exitcode.Usage(fmt.Errorf("--reviewer-github-app-id requires --reviewer-auth-mode %s", config.GitAuthModeGitHubApp))
+	}
+	reviewerGitHubAppID := strings.TrimSpace(flags.reviewerGitHubAppID)
+	if reviewerRequested && reviewerMode == config.GitAuthModeGitHubApp {
+		if reviewerGitHubAppID == "" && previousProfile != nil && previousProfile.ReviewerCredentials != nil && previousProfile.ReviewerCredentials.GitHubApp != nil {
+			reviewerGitHubAppID = strings.TrimSpace(previousProfile.ReviewerCredentials.GitHubApp.AppID)
+		}
+		if reviewerGitHubAppID == "" {
+			return initPlan{}, exitcode.Usage(fmt.Errorf("--reviewer-github-app-id is required when --reviewer-auth-mode is %s", config.GitAuthModeGitHubApp))
+		}
+	}
 	gitSecret, hasGitSecret, err := readInitSecret(deps, opts.Stdin, flags.gitTokenStdin, flags.gitTokenEnv, "--git-token-stdin", "--git-token-from-env")
 	if err != nil {
 		return initPlan{}, exitcode.Usage(err)
@@ -4304,6 +4364,7 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 			Host:          flags.gitHost,
 			AuthMode:      gitMode,
 			Credential:    initCredentialLocation(gitStore, gitRef),
+			GitHubApp:     initGitHubAppConfigForAuth(gitMode, gitGitHubAppID),
 			CredentialRef: gitRef,
 		},
 		LLM: config.LLMConfig{
@@ -4332,6 +4393,7 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 		profile.ReviewerCredentials = &config.ReviewerCredentials{
 			AuthMode:      reviewerMode,
 			Credential:    initCredentialLocation(reviewerStore, reviewerRef),
+			GitHubApp:     initGitHubAppConfigForAuth(reviewerMode, reviewerGitHubAppID),
 			CredentialRef: reviewerRef,
 		}
 	}
@@ -5106,9 +5168,14 @@ func initCredentialEntryKey(ref config.CredentialRef) string {
 }
 
 func initGitScopeDraftFromConfig(git config.GitConfig) initGitScopeDraft {
+	appID := ""
+	if git.GitHubApp != nil {
+		appID = strings.TrimSpace(git.GitHubApp.AppID)
+	}
 	return initGitScopeDraft{
 		Host:            strings.TrimSpace(git.Host),
 		AuthMode:        git.AuthMode,
+		GitHubAppID:     appID,
 		CredentialStore: initCredentialStoreDraftValue(git.Credential.Store),
 		CredentialRef:   strings.TrimSpace(firstNonEmpty(git.Credential.Name, git.CredentialRef)),
 	}
@@ -5119,6 +5186,7 @@ func (scope initGitScopeDraft) exportConfig(previous *config.GitConfig) config.G
 		Host:          strings.TrimSpace(scope.Host),
 		AuthMode:      scope.AuthMode,
 		Credential:    initCredentialLocation(scope.CredentialStore, scope.CredentialRef),
+		GitHubApp:     initGitHubAppConfigForAuth(scope.AuthMode, scope.GitHubAppID),
 		CredentialRef: strings.TrimSpace(scope.CredentialRef),
 	}
 	if previous != nil && scope.matchesConfig(*previous) {
@@ -5132,6 +5200,7 @@ func (scope initGitScopeDraft) identityKey() string {
 	return strings.Join([]string{
 		config.NormalizeHost(scope.Host),
 		string(scope.AuthMode),
+		strings.TrimSpace(scope.GitHubAppID),
 		initCredentialStoreDraftValue(scope.CredentialStore),
 		strings.TrimSpace(scope.CredentialRef),
 	}, "\x00")
@@ -5150,6 +5219,7 @@ func (scope initGitScopeDraft) suggestedName() string {
 func (scope initGitScopeDraft) matchesConfig(previous config.GitConfig) bool {
 	return config.NormalizeHost(previous.Host) == config.NormalizeHost(scope.Host) &&
 		previous.AuthMode == scope.AuthMode &&
+		initGitHubAppIDForAuth(previous.AuthMode, previous.GitHubApp) == strings.TrimSpace(scope.GitHubAppID) &&
 		initCredentialStoreDraftValue(previous.Credential.Store) == initCredentialStoreDraftValue(scope.CredentialStore) &&
 		strings.TrimSpace(firstNonEmpty(previous.Credential.Name, previous.CredentialRef)) == strings.TrimSpace(scope.CredentialRef)
 }
@@ -5198,6 +5268,7 @@ func initReviewerEntityDraftFromConfig(profile config.Profile) initReviewerEntit
 	}
 	entity := initReviewerEntityDraft{
 		AuthMode:        profile.ReviewerCredentials.AuthMode,
+		AppID:           initGitHubAppIDForAuth(profile.ReviewerCredentials.AuthMode, profile.ReviewerCredentials.GitHubApp),
 		CredentialStore: initCredentialStoreDraftValue(profile.ReviewerCredentials.Credential.Store),
 		CredentialRef:   strings.TrimSpace(firstNonEmpty(profile.ReviewerCredentials.Credential.Name, profile.ReviewerCredentials.CredentialRef)),
 		DisplayName:     normalizeOptionalDisplayName(profile.ReviewerCredentials.DisplayName),
@@ -5214,6 +5285,7 @@ func initReviewerEntityDraftFromConfig(profile config.Profile) initReviewerEntit
 func initReviewerEntityDraftFromReviewerEntity(entity config.ReviewerEntity) initReviewerEntityDraft {
 	draft := initReviewerEntityDraft{
 		AuthMode:        entity.AuthMode,
+		AppID:           initGitHubAppIDForAuth(entity.AuthMode, entity.GitHubApp),
 		CredentialStore: initCredentialStoreDraftValue(entity.Credential.Store),
 		CredentialRef:   strings.TrimSpace(firstNonEmpty(entity.Credential.Name, entity.CredentialRef)),
 		DisplayName:     normalizeOptionalDisplayName(entity.DisplayName),
@@ -5234,6 +5306,7 @@ func (entity initReviewerEntityDraft) exportConfig(previous *config.ReviewerCred
 	reviewer := &config.ReviewerCredentials{
 		AuthMode:      entity.AuthMode,
 		Credential:    initCredentialLocation(entity.CredentialStore, entity.CredentialRef),
+		GitHubApp:     initGitHubAppConfigForAuth(entity.AuthMode, entity.AppID),
 		CredentialRef: strings.TrimSpace(entity.CredentialRef),
 		DisplayName:   normalizeOptionalDisplayName(entity.DisplayName),
 	}
@@ -5248,6 +5321,7 @@ func (entity initReviewerEntityDraft) exportReviewerEntityConfig(previous *confi
 		Host:          strings.TrimSpace(host),
 		AuthMode:      entity.AuthMode,
 		Credential:    initCredentialLocation(entity.CredentialStore, entity.CredentialRef),
+		GitHubApp:     initGitHubAppConfigForAuth(entity.AuthMode, entity.AppID),
 		CredentialRef: strings.TrimSpace(entity.CredentialRef),
 		DisplayName:   normalizeOptionalDisplayName(entity.DisplayName),
 	}
@@ -5272,6 +5346,7 @@ func (entity initReviewerEntityDraft) identityKey() string {
 	return strings.Join([]string{
 		string(entity.Kind),
 		string(entity.AuthMode),
+		strings.TrimSpace(entity.AppID),
 		initCredentialStoreDraftValue(entity.CredentialStore),
 		strings.TrimSpace(entity.CredentialRef),
 	}, "\x00")
@@ -5292,6 +5367,7 @@ func (entity initReviewerEntityDraft) suggestedName() string {
 func (entity initReviewerEntityDraft) matchesConfig(previous config.ReviewerCredentials) bool {
 	return entity.Kind == initReviewerEntityDraftFromConfig(config.Profile{ReviewerCredentials: &previous}).Kind &&
 		previous.AuthMode == entity.AuthMode &&
+		initGitHubAppIDForAuth(previous.AuthMode, previous.GitHubApp) == strings.TrimSpace(entity.AppID) &&
 		initCredentialStoreDraftValue(previous.Credential.Store) == initCredentialStoreDraftValue(entity.CredentialStore) &&
 		strings.TrimSpace(firstNonEmpty(previous.Credential.Name, previous.CredentialRef)) == strings.TrimSpace(entity.CredentialRef)
 }
@@ -5299,10 +5375,25 @@ func (entity initReviewerEntityDraft) matchesConfig(previous config.ReviewerCred
 func (entity initReviewerEntityDraft) matchesReviewerEntityConfig(previous config.ReviewerEntity) bool {
 	return entity.Kind == initReviewerEntityDraftFromReviewerEntity(previous).Kind &&
 		previous.AuthMode == entity.AuthMode &&
+		initGitHubAppIDForAuth(previous.AuthMode, previous.GitHubApp) == strings.TrimSpace(entity.AppID) &&
 		initCredentialStoreDraftValue(previous.Credential.Store) == initCredentialStoreDraftValue(entity.CredentialStore) &&
 		strings.TrimSpace(firstNonEmpty(previous.Credential.Name, previous.CredentialRef)) == strings.TrimSpace(entity.CredentialRef)
 }
 
+func initGitHubAppConfigForAuth(authMode config.GitAuthMode, appID string) *config.GitHubAppConfig {
+	if authMode != config.GitAuthModeGitHubApp {
+		return nil
+	}
+	return &config.GitHubAppConfig{AppID: strings.TrimSpace(appID)}
+}
+
+func initGitHubAppIDForAuth(authMode config.GitAuthMode, app *config.GitHubAppConfig) string {
+	if authMode != config.GitAuthModeGitHubApp || app == nil {
+		return ""
+	}
+	return strings.TrimSpace(app.AppID)
+}
+
 func buildInitReviewerEntityInventory(cfg config.File) (map[string]initReviewerEntityDraft, map[string]string) {
 	cfg = config.Normalize(cfg)
 	entities := map[string]initReviewerEntityDraft{}
@@ -5525,6 +5616,10 @@ func cloneInitConfigFile(cfg config.File) config.File {
 	if cfg.ReviewerEntities != nil {
 		cloned.ReviewerEntities = make(map[string]config.ReviewerEntity, len(cfg.ReviewerEntities))
 		for name, entity := range cfg.ReviewerEntities {
+			if entity.GitHubApp != nil {
+				app := *entity.GitHubApp
+				entity.GitHubApp = &app
+			}
 			cloned.ReviewerEntities[name] = entity
 		}
 	}
@@ -5560,11 +5655,19 @@ func cloneInitSecretsStore(store config.SecretsStore) config.SecretsStore {
 
 func cloneInitProfile(profile config.Profile) config.Profile {
 	cloned := profile
+	if profile.Git.GitHubApp != nil {
+		app := *profile.Git.GitHubApp
+		cloned.Git.GitHubApp = &app
+	}
 	if profile.Reviewer.GitHubAppInstallation != nil {
 		cloned.Reviewer.GitHubAppInstallation = cloneProfileReviewerGitHubAppInstallation(profile.Reviewer.GitHubAppInstallation)
 	}
 	if profile.ReviewerCredentials != nil {
 		reviewer := *profile.ReviewerCredentials
+		if profile.ReviewerCredentials.GitHubApp != nil {
+			app := *profile.ReviewerCredentials.GitHubApp
+			reviewer.GitHubApp = &app
+		}
 		cloned.ReviewerCredentials = &reviewer
 	}
 	cloned.LLM = cloneInitLLMConfig(profile.LLM)
@@ -5628,6 +5731,7 @@ func synthesizeInteractiveProfile(flags initOptions, profileName string, previou
 	}
 	profile.Git.Host = strings.TrimSpace(draft.GitHost)
 	profile.Git.AuthMode = config.GitAuthMode(draft.GitAuth)
+	profile.Git.GitHubApp = initGitHubAppConfigForAuth(profile.Git.AuthMode, draft.GitHubAppID)
 	profile.Git.CredentialRef = strings.TrimSpace(draft.GitCredentialRef)
 	if profile.Git.CredentialRef == "" {
 		profile.Git.CredentialRef = defaultGitRef
@@ -5650,6 +5754,7 @@ func synthesizeInteractiveProfile(flags initOptions, profileName string, previou
 		reviewer := config.ReviewerCredentials{
 			AuthMode:      config.GitAuthMode(draft.ReviewerAuth),
 			Credential:    initCredentialLocation(draft.ReviewerCredentialStore, reviewerRef),
+			GitHubApp:     initGitHubAppConfigForAuth(config.GitAuthMode(draft.ReviewerAuth), draft.ReviewerGitHubAppID),
 			CredentialRef: reviewerRef,
 			DisplayName:   normalizeOptionalDisplayName(draft.ReviewerDisplayName),
 		}
@@ -5793,6 +5898,7 @@ func reviewerEntityConfigFromProfile(profile config.Profile) config.ReviewerEnti
 		Host:          profile.Git.Host,
 		AuthMode:      reviewer.AuthMode,
 		Credential:    initCredentialLocation(reviewer.Credential.Store, ref),
+		GitHubApp:     initGitHubAppConfigForAuth(reviewer.AuthMode, initGitHubAppIDForAuth(reviewer.AuthMode, reviewer.GitHubApp)),
 		CredentialRef: ref,
 		DisplayName:   normalizeOptionalDisplayName(reviewer.DisplayName),
 		IdentityCache: reviewer.IdentityCache,
@@ -5804,6 +5910,7 @@ func sameInitReviewerEntityConfigIdentity(left, right config.ReviewerEntity) boo
 	right = normalizeInitReviewerEntityConfig(right)
 	return config.NormalizeHost(left.Host) == config.NormalizeHost(right.Host) &&
 		left.AuthMode == right.AuthMode &&
+		initGitHubAppIDForAuth(left.AuthMode, left.GitHubApp) == initGitHubAppIDForAuth(right.AuthMode, right.GitHubApp) &&
 		initCredentialStoreDraftValue(left.Credential.Store) == initCredentialStoreDraftValue(right.Credential.Store) &&
 		strings.TrimSpace(left.Credential.Name) == strings.TrimSpace(right.Credential.Name)
 }
diff --git a/internal/cmd/credentialcmd/credentialcmd_test.go b/internal/cmd/credentialcmd/credentialcmd_test.go
index e802962b..c7e3a36c 100644
--- a/internal/cmd/credentialcmd/credentialcmd_test.go
+++ b/internal/cmd/credentialcmd/credentialcmd_test.go
@@ -216,6 +216,7 @@ func TestSetCredentialUsesGitHubAppCredentialMatrix(t *testing.T) {
 			Store: testFileCredentialStoreID,
 			Name:  "codereview/work-reviewer",
 		},
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work-reviewer",
 	}
 	cfg.Profiles["work"] = work
@@ -240,7 +241,6 @@ func TestSetCredentialUsesGitHubAppCredentialMatrix(t *testing.T) {
 		key   string
 		value string
 	}{
-		{key: credentials.GitHubAppIDKey, value: "12345"},
 		{key: credentials.GitHubAppPrivateKeyKey, value: "private-key-value"},
 	} {
 		cmd, _, _ = newTestCommand(path, strings.NewReader(write.value))
@@ -257,7 +257,6 @@ func TestSetCredentialUsesGitHubAppCredentialMatrix(t *testing.T) {
 		assertStored(t, "work-reviewer", write.key, write.value)
 	}
 	assertFileBundleKeys(t, "work-reviewer", []string{
-		credentials.GitHubAppIDKey,
 		credentials.GitHubAppPrivateKeyKey,
 	})
 }
@@ -559,6 +558,7 @@ func TestInitNonInteractiveWritesGitHubAppReviewerConfigOnly(t *testing.T) {
 		"init",
 		"--non-interactive",
 		"--reviewer-auth-mode", string(config.GitAuthModeGitHubApp),
+		"--reviewer-github-app-id", "12345",
 	})
 	if err != nil {
 		t.Fatalf("Execute: %v", err)
@@ -571,11 +571,17 @@ func TestInitNonInteractiveWritesGitHubAppReviewerConfigOnly(t *testing.T) {
 	if reviewer == nil || reviewer.AuthMode != config.GitAuthModeGitHubApp || reviewer.CredentialRef != "codereview/default-reviewer" {
 		t.Fatalf("reviewer credentials = %#v, want github_app codereview/default-reviewer", reviewer)
 	}
-	for _, key := range []string{credentials.GitHubAppIDKey, credentials.GitHubAppPrivateKeyKey} {
+	if reviewer.GitHubApp == nil || reviewer.GitHubApp.AppID != "12345" {
+		t.Fatalf("reviewer github_app = %#v, want app_id 12345", reviewer.GitHubApp)
+	}
+	for _, key := range []string{credentials.GitHubAppPrivateKeyKey} {
 		if !strings.Contains(errOut.String(), "--key "+key+" --stdin") {
 			t.Fatalf("stderr = %q, want setup hint for %s", errOut.String(), key)
 		}
 	}
+	if strings.Contains(errOut.String(), "--key "+credentials.GitHubAppIDKey+" --stdin") {
+		t.Fatalf("stderr = %q, want app id omitted from secret setup hints", errOut.String())
+	}
 	if strings.Contains(errOut.String(), "--key "+credentials.GitHubAppInstallationIDKey+" --stdin") {
 		t.Fatalf("stderr = %q, want optional installation id omitted from required setup hints", errOut.String())
 	}
@@ -779,6 +785,7 @@ func TestPlanInitCredentials(t *testing.T) {
 		desired := basicProfile("work")
 		desired.ReviewerCredentials = &config.ReviewerCredentials{
 			AuthMode:      config.GitAuthModeGitHubApp,
+			GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 			CredentialRef: "codereview/work-reviewer",
 		}
 		entries, err := planInitCredentials(nil, desired, nil)
@@ -792,10 +799,7 @@ func TestPlanInitCredentials(t *testing.T) {
 		if entry.Ref.Purpose != "reviewer_credentials" || entry.Ref.Ref != "codereview/work-reviewer" || entry.State != initCredentialPlanStateDefer {
 			t.Fatalf("reviewer entry = %#v, want deferred reviewer app ref", entry)
 		}
-		want := []credentials.KeySpec{
-			{Key: credentials.GitHubAppIDKey, Required: true},
-			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
-		}
+		want := []credentials.KeySpec{{Key: credentials.GitHubAppPrivateKeyKey, Required: true}}
 		if !reflect.DeepEqual(entry.KeySpecs, want) {
 			t.Fatalf("key specs = %#v, want %#v", entry.KeySpecs, want)
 		}
@@ -920,24 +924,25 @@ func TestPlanInitCredentials(t *testing.T) {
 		}
 	})
 
-	t.Run("partial github app bundle reports missing required keys", func(t *testing.T) {
+	t.Run("github app private key not staged defers credential setup", func(t *testing.T) {
 		desired := basicProfile("work")
 		desired.Git.AuthMode = config.GitAuthModeGitHubApp
+		desired.Git.GitHubApp = &config.GitHubAppConfig{AppID: "12345"}
 		entries, err := planInitCredentials(nil, desired, map[string][]string{
-			"codereview/work": []string{credentials.GitHubAppIDKey},
+			"codereview/work": {},
 		})
 		if err != nil {
 			t.Fatalf("planInitCredentials: %v", err)
 		}
 		entry := entries[0]
-		if entry.State != initCredentialPlanStateMissingRequired {
-			t.Fatalf("state = %s, want missing_required", entry.State)
+		if entry.State != initCredentialPlanStateDefer {
+			t.Fatalf("state = %s, want defer", entry.State)
 		}
-		if !reflect.DeepEqual(entry.PlannedWriteKeys, []string{credentials.GitHubAppIDKey}) {
-			t.Fatalf("planned write keys = %#v, want github_app_id only", entry.PlannedWriteKeys)
+		if len(entry.PlannedWriteKeys) != 0 {
+			t.Fatalf("planned write keys = %#v, want none", entry.PlannedWriteKeys)
 		}
-		if !reflect.DeepEqual(entry.MissingRequiredKeys, []string{credentials.GitHubAppPrivateKeyKey}) {
-			t.Fatalf("missing required = %#v, want github_app_private_key", entry.MissingRequiredKeys)
+		if len(entry.MissingRequiredKeys) != 0 {
+			t.Fatalf("missing required = %#v, want none without staged writes", entry.MissingRequiredKeys)
 		}
 	})
 }
@@ -1065,6 +1070,7 @@ func TestBuildInteractiveInitSessionPlanUsesOriginalProfileForRenamedTouchedProf
 				},
 				ReviewerCredentials: &config.ReviewerCredentials{
 					AuthMode:      config.GitAuthModeGitHubApp,
+					GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 					CredentialRef: "codereview/work-reviewer",
 					DisplayName:   "Old label",
 				},
@@ -1450,6 +1456,7 @@ func TestInitGitAuthModeFlagSupportsGitHubApp(t *testing.T) {
 		"init",
 		"--non-interactive",
 		"--git-auth-mode", string(config.GitAuthModeGitHubApp),
+		"--git-github-app-id", "12345",
 	})
 	if err != nil {
 		t.Fatalf("Execute: %v", err)
@@ -1462,9 +1469,12 @@ func TestInitGitAuthModeFlagSupportsGitHubApp(t *testing.T) {
 	if got.Profiles["default"].Git.AuthMode != config.GitAuthModeGitHubApp {
 		t.Fatalf("git.auth_mode = %q, want github_app", got.Profiles["default"].Git.AuthMode)
 	}
+	if got.Profiles["default"].Git.GitHubApp == nil || got.Profiles["default"].Git.GitHubApp.AppID != "12345" {
+		t.Fatalf("git.github_app = %#v, want app_id 12345", got.Profiles["default"].Git.GitHubApp)
+	}
 	stderr := errOut.String()
-	if !strings.Contains(stderr, "--key "+credentials.GitHubAppIDKey+" --stdin") {
-		t.Fatalf("stderr = %q, want github app id follow-up hint", stderr)
+	if strings.Contains(stderr, "--key "+credentials.GitHubAppIDKey+" --stdin") {
+		t.Fatalf("stderr = %q, want no github app id follow-up hint", stderr)
 	}
 	if !strings.Contains(stderr, "--key "+credentials.GitHubAppPrivateKeyKey+" --stdin") {
 		t.Fatalf("stderr = %q, want github app private key follow-up hint", stderr)
@@ -1932,6 +1942,7 @@ func TestInitGitScopeDraftRoundTripPreservesIdentityCacheFromPreviousProfile(t *
 		Host:          "https://github.mycompany.com/",
 		AuthMode:      config.GitAuthModeGitHubApp,
 		Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work"},
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work",
 		IdentityCache: "rianjs-work",
 	}
@@ -1949,6 +1960,7 @@ func TestInitGitScopeDraftExportClearsIdentityCacheWhenShapeChanges(t *testing.T
 		Host:          "https://github.mycompany.com/",
 		AuthMode:      config.GitAuthModeGitHubApp,
 		Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work"},
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work",
 		IdentityCache: "rianjs-work",
 	}
@@ -2017,6 +2029,7 @@ func TestInitReviewerEntityDraftRoundTripVariants(t *testing.T) {
 				p.ReviewerCredentials = &config.ReviewerCredentials{
 					AuthMode:      config.GitAuthModeGitHubApp,
 					Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
+					GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 					CredentialRef: "codereview/work-reviewer",
 					IdentityCache: "review-app",
 				}
@@ -2025,12 +2038,14 @@ func TestInitReviewerEntityDraftRoundTripVariants(t *testing.T) {
 			previous: &config.ReviewerCredentials{
 				AuthMode:      config.GitAuthModeGitHubApp,
 				Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
+				GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 				CredentialRef: "codereview/work-reviewer",
 				IdentityCache: "review-app",
 			},
 			want: &config.ReviewerCredentials{
 				AuthMode:      config.GitAuthModeGitHubApp,
 				Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
+				GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 				CredentialRef: "codereview/work-reviewer",
 				IdentityCache: "review-app",
 			},
@@ -2055,6 +2070,7 @@ func TestInitReviewerEntityDraftExportClearsIdentityCacheWhenShapeChanges(t *tes
 	previous := &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
 		Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work-reviewer",
 		IdentityCache: "review-app",
 	}
@@ -2081,6 +2097,7 @@ func TestBuildInteractiveInitWorkspaceClearsReviewerDisplayNameWhenDraftLeavesIt
 	existing.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
 		Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work-reviewer",
 		DisplayName:   "Old label",
 	}
@@ -2421,11 +2438,13 @@ func TestBuildInitReviewerEntityInventorySharedDisplayNameWinsWhenOnlyOneProfile
 	work := basicProfile("work")
 	home.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/open-cli-collective-rianjs-bot",
 		DisplayName:   "OC Collective bot",
 	}
 	work.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/open-cli-collective-rianjs-bot",
 	}
 
@@ -2462,6 +2481,7 @@ func TestEditInteractiveInitReviewerEntityStepUpdatesConfiguredEntity(t *testing
 			"oc-collective-bot": {
 				Host:          "github.com",
 				AuthMode:      config.GitAuthModeGitHubApp,
+				GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 				CredentialRef: "codereview/open-cli-collective-rianjs-bot",
 				DisplayName:   "Old label",
 			},
@@ -2485,6 +2505,7 @@ func TestEditInteractiveInitReviewerEntityStepUpdatesConfiguredEntity(t *testing
 	draft := seedInteractiveInitDraft("home", "home", &home)
 	draft.ReviewerEnabled = true
 	draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
+	draft.ReviewerGitHubAppID = "12345"
 	draft.ReviewerCredentialRef = "codereview/open-cli-collective-rianjs-bot-renamed"
 	draft.ReviewerDisplayName = "OC Collective bot"
 
@@ -2557,6 +2578,7 @@ func TestEditInteractiveInitReviewerEntityStepDefaultsBlankRefToStandaloneEntity
 	draft := seedInteractiveInitDraft("home", "home", &home)
 	draft.ReviewerEnabled = true
 	draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
+	draft.ReviewerGitHubAppID = "12345"
 	draft.ReviewerCredentialRef = ""
 	draft.ReviewerDisplayName = "OC Collective bot"
 
@@ -2595,6 +2617,7 @@ func TestEditInteractiveInitReviewerEntityStepSelectingFallbackDoesNotPropagateS
 			"oc-collective-bot": {
 				Host:          "github.com",
 				AuthMode:      config.GitAuthModeGitHubApp,
+				GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 				CredentialRef: "codereview/open-cli-collective-rianjs-bot",
 				DisplayName:   "Old label",
 			},
@@ -3293,12 +3316,14 @@ func TestBuildInteractiveInitWorkspaceImportsGitScopeAndReviewerEntityInventory(
 	existing := basicProfile("work")
 	existing.Git.Host = "github.mycompany.com"
 	existing.Git.AuthMode = config.GitAuthModeGitHubApp
+	existing.Git.GitHubApp = &config.GitHubAppConfig{AppID: "12345"}
 	existing.Git.Credential = config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/office-git"}
 	existing.Git.CredentialRef = "codereview/office-git"
 	existing.Git.IdentityCache = "git-cache"
 	existing.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
 		Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/office-reviewer"},
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/office-reviewer",
 		IdentityCache: "reviewer-cache",
 	}
@@ -3396,6 +3421,7 @@ func TestInitInteractivePromptDrivenFlowStillExportsSeparateReviewerAfterDraftIn
 				GitCredentialRef:        "codereview/office-git",
 				ReviewerEnabled:         true,
 				ReviewerAuth:            string(config.GitAuthModeGitHubApp),
+				ReviewerGitHubAppID:     "12345",
 				ReviewerCredentialStore: config.LocalOSCredentialStoreID,
 				ReviewerCredentialRef:   "codereview/office-reviewer",
 				LLMProvider:             string(config.LLMProviderAnthropic),
@@ -3423,7 +3449,6 @@ func TestInitInteractivePromptDrivenFlowStillExportsSeparateReviewerAfterDraftIn
 					credentials.GitTokenKey: "existing-git-token",
 				},
 				"office-reviewer": {
-					credentials.GitHubAppIDKey:         "12345",
 					credentials.GitHubAppPrivateKeyKey: "private-key",
 				},
 			}), nil
@@ -3755,7 +3780,7 @@ func TestCollectInteractiveInitSecretsBackAfterPartialMultiKeyWriteDiscardsScrat
 			initSecretSourcePaste,
 			initSecretSourceBack,
 		},
-		pastes: []string{"12345"},
+		pastes: []string{"private-key"},
 	}
 	workspace, err := collectInteractiveInitSecrets(&cobra.Command{}, &root.Options{}, initDeps{
 		secretPrompter:     prompter,
@@ -3771,7 +3796,7 @@ func TestCollectInteractiveInitSecretsBackAfterPartialMultiKeyWriteDiscardsScrat
 	if err != nil {
 		t.Fatalf("collectInteractiveInitSecrets: %v", err)
 	}
-	if got := workspace.writes["codereview/default"][credentials.GitHubAppIDKey]; got != "" {
+	if got := workspace.writes["codereview/default"][credentials.GitHubAppPrivateKeyKey]; got != "" {
 		t.Fatalf("partial draft write = %q, want discarded after later source Back then defer", got)
 	}
 	if workspace.satisfiedRefs["codereview/default"] {
@@ -3915,12 +3940,12 @@ func testInitMultiKeySecretWorkspace() initWorkspaceDraft {
 				Mode:    string(config.GitAuthModeGitHubApp),
 			},
 			KeySpecs: []credentials.KeySpec{
-				{Key: credentials.GitHubAppIDKey, Required: true},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
+				{Key: credentials.GitTokenKey, Required: true},
 			},
 			MissingRequiredKeys: []string{
-				credentials.GitHubAppIDKey,
 				credentials.GitHubAppPrivateKeyKey,
+				credentials.GitTokenKey,
 			},
 			State: initCredentialPlanStateMissingRequired,
 		}},
@@ -3960,10 +3985,8 @@ func TestWriteInitCredentialPlanHintsUsesMissingRequiredKeysOnly(t *testing.T) {
 			Mode:    string(config.GitAuthModeGitHubApp),
 		},
 		KeySpecs: []credentials.KeySpec{
-			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
 		},
-		PlannedWriteKeys:    []string{credentials.GitHubAppIDKey},
 		MissingRequiredKeys: []string{credentials.GitHubAppPrivateKeyKey},
 		State:               initCredentialPlanStateMissingRequired,
 	}
@@ -3992,7 +4015,6 @@ func TestWriteInitCredentialPlanHintsForDeferredGitHubAppUsesRequiredKeysOnly(t
 			Mode:    string(config.GitAuthModeGitHubApp),
 		},
 		KeySpecs: []credentials.KeySpec{
-			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
 		},
 		State: initCredentialPlanStateDefer,
@@ -4002,7 +4024,7 @@ func TestWriteInitCredentialPlanHintsForDeferredGitHubAppUsesRequiredKeysOnly(t
 		t.Fatalf("writeInitCredentialPlanHints: %v", err)
 	}
 	got := stderr.String()
-	for _, key := range []string{credentials.GitHubAppIDKey, credentials.GitHubAppPrivateKeyKey} {
+	for _, key := range []string{credentials.GitHubAppPrivateKeyKey} {
 		if !strings.Contains(got, "cr set-credential --store local-os --name codereview/rianjs-bot --key "+key+" --stdin") {
 			t.Fatalf("stderr = %q, want required setup hint for %s", got, key)
 		}
@@ -6255,6 +6277,7 @@ func TestHuhInitReviewerEntityPrompterExistingReviewerFallbackSeedDoesNotPersist
 	existing := basicProfile("work")
 	existing.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/open-cli-collective-rianjs-bot",
 	}
 	draft := seedInteractiveInitDraft("work", "work", &existing)
@@ -6281,12 +6304,14 @@ func TestHuhInitReviewerEntityPrompterAccessibleShowsSeededDisplayNamePrompt(t *
 	existing := basicProfile("work")
 	existing.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work-reviewer",
 		DisplayName:   "Old label",
 	}
 	draft := seedInteractiveInitDraft("work", "work", &existing)
 	draft.ReviewerEnabled = true
 	draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
+	draft.ReviewerGitHubAppID = "12345"
 	draft.ReviewerCredentialRef = "codereview/work-reviewer"
 	draft.ReviewerDisplayName = "Old label"
 	var stderr bytes.Buffer
@@ -6315,6 +6340,7 @@ func TestHuhInitReviewerEntityPrompterExistingReviewerCanEditLabel(t *testing.T)
 	existing := basicProfile("work")
 	existing.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work-reviewer",
 	}
 	draft := seedInteractiveInitDraft("work", "work", &existing)
@@ -6451,23 +6477,24 @@ func TestHuhInitReviewerEntityPrompterGitHubAppLinearFlowShowsCredentialBundleCo
 	if !draft.ReviewerEnabled || draft.ReviewerAuth != string(config.GitAuthModeGitHubApp) {
 		t.Fatalf("draft = %#v, want GitHub App reviewer", draft)
 	}
-	if got := draft.ReviewerCredentialWrites[credentials.GitHubAppIDKey]; got != "12345" {
-		t.Fatalf("staged app id = %q, want inline app id", got)
+	if got := draft.ReviewerGitHubAppID; got != "12345" {
+		t.Fatalf("draft app id = %q, want inline app id", got)
+	}
+	if _, ok := draft.ReviewerCredentialWrites[credentials.GitHubAppIDKey]; ok {
+		t.Fatalf("staged app id secret write present: %#v", draft.ReviewerCredentialWrites)
 	}
 	if got := draft.ReviewerCredentialWrites[credentials.GitHubAppPrivateKeyKey]; got != privateKey {
 		t.Fatalf("staged private key = %q, want inline private key", got)
 	}
 	out := stderr.String()
 	for _, want := range []string{
-		"GitHub App reviewer. Required credential keys",
-		"Reviewer secret location",
-		"Credential name for this reviewer",
-		"This is a credential name, not a PAT",
-		"Reviewer credential status",
-		credentials.GitHubAppIDKey,
+		"GitHub App reviewer. GitHub App ID is saved in config.yml; required credential key: " + credentials.GitHubAppPrivateKeyKey,
+		"Reviewer private-key location",
+		"Credential name for this reviewer's GitHub App private key",
+		"GitHub App ID is saved in config.yml",
+		"Reviewer private-key status",
 		credentials.GitHubAppPrivateKeyKey,
 		"staged",
-		credentials.GitHubAppIDKey,
 		credentials.GitHubAppPrivateKeyKey,
 		"Reviewer credential values",
 		"GitHub App ID",
@@ -6477,11 +6504,9 @@ func TestHuhInitReviewerEntityPrompterGitHubAppLinearFlowShowsCredentialBundleCo
 			t.Fatalf("stderr missing %q:\n%s", want, out)
 		}
 	}
-	assertContentOrder(t, out, "Reviewer secret location", "Reviewer credential status", "Reviewer action")
-	for _, leaked := range []string{"12345", privateKey} {
-		if strings.Contains(out, leaked) {
-			t.Fatalf("stderr leaked GitHub App secret value %q:\n%s", leaked, out)
-		}
+	assertContentOrder(t, out, "Reviewer private-key location", "Reviewer private-key status", "Reviewer action")
+	if strings.Contains(out, privateKey) {
+		t.Fatalf("stderr leaked GitHub App private key:\n%s", out)
 	}
 }
 
@@ -6511,8 +6536,8 @@ func TestReviewerEntityLinearEditorNewLabelDerivesDefaultSecretLocation(t *testi
 	if !strings.Contains(status, "Destination: "+initBuiltInOSCredentialStoreTitle()+" / codereview/rianjs-bot-reviewer") {
 		t.Fatalf("status = %q, want label-derived destination", status)
 	}
-	if !strings.Contains(status, credentials.GitHubAppIDKey) || !strings.Contains(status, string(initReviewerCredentialKeyMissing)) || strings.Contains(status, string(initReviewerCredentialKeyUnavailable)) {
-		t.Fatalf("status = %q, want label-derived ref to show missing required keys, not unavailable", status)
+	if strings.Contains(status, credentials.GitHubAppIDKey) || !strings.Contains(status, credentials.GitHubAppPrivateKeyKey) || !strings.Contains(status, string(initReviewerCredentialKeyMissing)) || strings.Contains(status, string(initReviewerCredentialKeyUnavailable)) {
+		t.Fatalf("status = %q, want label-derived ref to show missing private key, not app id or unavailable", status)
 	}
 }
 
@@ -6720,8 +6745,8 @@ func TestReviewerEntityLinearEditorGitHubAppRequiresInlineSecretsBeforeStaging(t
 	if actionIndex < 0 {
 		t.Fatal("action field missing")
 	}
-	if got := blocked.document[actionIndex].Error; !strings.Contains(got, credentials.GitHubAppIDKey) || !strings.Contains(got, credentials.GitHubAppPrivateKeyKey) {
-		t.Fatalf("action error = %q, want missing GitHub App required keys", got)
+	if got := blocked.document[actionIndex].Error; !strings.Contains(got, "GitHub App ID") {
+		t.Fatalf("action error = %q, want missing GitHub App ID", got)
 	}
 
 	blocked.setFieldValue(initReviewerEntityFieldGitHubAppID, "12345")
@@ -6751,8 +6776,11 @@ func TestReviewerEntityLinearEditorGitHubAppRequiresInlineSecretsBeforeStaging(t
 	if got, want := draft.ReviewerCredentialWriteRef, "codereview/rianjs-bot-reviewer"; got != want {
 		t.Fatalf("ReviewerCredentialWriteRef = %q, want %q", got, want)
 	}
-	if got := draft.ReviewerCredentialWrites[credentials.GitHubAppIDKey]; got != "12345" {
-		t.Fatalf("staged github_app_id = %q, want 12345", got)
+	if got := draft.ReviewerGitHubAppID; got != "12345" {
+		t.Fatalf("draft github app id = %q, want 12345", got)
+	}
+	if _, ok := draft.ReviewerCredentialWrites[credentials.GitHubAppIDKey]; ok {
+		t.Fatalf("staged github_app_id secret write present: %#v", draft.ReviewerCredentialWrites)
 	}
 	if got := draft.ReviewerCredentialWrites[credentials.GitHubAppPrivateKeyKey]; got != privateKey {
 		t.Fatalf("staged private key = %q, want multiline key", got)
@@ -6773,7 +6801,6 @@ func TestReviewerEntityLinearEditorLabelDerivedRefDoesNotMarkMissingStatusAsOver
 				Mode:    string(config.GitAuthModeGitHubApp),
 			},
 			Keys: []initReviewerCredentialKeyStatus{
-				{Key: credentials.GitHubAppIDKey, Required: true, State: initReviewerCredentialKeyMissing},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true, State: initReviewerCredentialKeyMissing},
 			},
 		}},
@@ -6814,7 +6841,6 @@ func TestReviewerEntityLinearEditorManualRefDoesNotMarkUnavailableStatusAsOverwr
 				Mode:    string(config.GitAuthModeGitHubApp),
 			},
 			Keys: []initReviewerCredentialKeyStatus{
-				{Key: credentials.GitHubAppIDKey, Required: true, State: initReviewerCredentialKeyMissing},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true, State: initReviewerCredentialKeyMissing},
 			},
 		}},
@@ -6856,7 +6882,6 @@ func TestReviewerEntityLinearEditorLabelDerivedRefPreservesBackendUnavailableSta
 			},
 			Unavailable: "credential backend status unavailable",
 			Keys: []initReviewerCredentialKeyStatus{
-				{Key: credentials.GitHubAppIDKey, Required: true, State: initReviewerCredentialKeyUnavailable},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true, State: initReviewerCredentialKeyUnavailable},
 			},
 		}},
@@ -6986,32 +7011,32 @@ func TestHuhInitReviewerEntityDetailsGitHubAppShowsCredentialBundleCopy(t *testi
 	if !nextDraft.ReviewerEnabled || nextDraft.ReviewerAuth != string(config.GitAuthModeGitHubApp) {
 		t.Fatalf("draft = %#v, want GitHub App reviewer", nextDraft)
 	}
-	if got := nextDraft.ReviewerCredentialWrites[credentials.GitHubAppIDKey]; got != "12345" {
-		t.Fatalf("staged app id = %q, want inline app id", got)
+	if got := nextDraft.ReviewerGitHubAppID; got != "12345" {
+		t.Fatalf("draft app id = %q, want inline app id", got)
+	}
+	if _, ok := nextDraft.ReviewerCredentialWrites[credentials.GitHubAppIDKey]; ok {
+		t.Fatalf("staged app id secret write present: %#v", nextDraft.ReviewerCredentialWrites)
 	}
 	if got := nextDraft.ReviewerCredentialWrites[credentials.GitHubAppPrivateKeyKey]; got != privateKey {
 		t.Fatalf("staged private key = %q, want inline private key", got)
 	}
 	out := stderr.String()
 	for _, want := range []string{
-		"GitHub App reviewer. Required credential keys",
-		"Reviewer secret location",
-		"Credential name for this reviewer",
-		"This is a credential name, not a PAT",
+		"GitHub App reviewer. GitHub App ID is saved in config.yml; required credential key: " + credentials.GitHubAppPrivateKeyKey,
+		"Reviewer private-key location",
+		"Credential name for this reviewer's GitHub App private key",
+		"GitHub App ID is saved in config.yml",
 		"Reviewer credential values",
 		"GitHub App ID",
 		"GitHub App private key",
-		credentials.GitHubAppIDKey,
 		credentials.GitHubAppPrivateKeyKey,
 	} {
 		if !strings.Contains(out, want) {
 			t.Fatalf("stderr missing %q:\n%s", want, out)
 		}
 	}
-	for _, leaked := range []string{"12345", privateKey} {
-		if strings.Contains(out, leaked) {
-			t.Fatalf("stderr leaked GitHub App secret value %q:\n%s", leaked, out)
-		}
+	if strings.Contains(out, privateKey) {
+		t.Fatalf("stderr leaked GitHub App private key:\n%s", out)
 	}
 }
 
@@ -7045,7 +7070,6 @@ func TestHuhInitReviewerEntityDetailsPreservesPromptContextCredentialStore(t *te
 			},
 			SecretsProfile: resolved,
 			Keys: []initReviewerCredentialKeyStatus{
-				{Key: credentials.GitHubAppIDKey, Required: true, State: initReviewerCredentialKeyMissing},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true, State: initReviewerCredentialKeyMissing},
 			},
 		}},
@@ -7456,19 +7480,20 @@ func TestInitCredentialReadinessNoteLabelsGitHubAppRequiredKeys(t *testing.T) {
 			Mode:    string(config.GitAuthModeGitHubApp),
 		},
 		KeySpecs: []credentials.KeySpec{
-			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
 		},
 		State: initCredentialPlanStateDefer,
 	})
 	for _, want := range []string{
 		"reviewer deferred",
-		"required: " + credentials.GitHubAppIDKey + ", " + credentials.GitHubAppPrivateKeyKey,
 	} {
 		if !strings.Contains(note, want) {
 			t.Fatalf("note = %q, want %q", note, want)
 		}
 	}
+	if strings.Contains(note, "required:") || strings.Contains(note, credentials.GitHubAppPrivateKeyKey) {
+		t.Fatalf("note = %q, want single-key GitHub App readiness copy without key summary", note)
+	}
 	if strings.Contains(note, "optional:") || strings.Contains(note, credentials.GitHubAppInstallationIDKey) {
 		t.Fatalf("note = %q, want no optional installation id copy", note)
 	}
@@ -7482,14 +7507,13 @@ func TestInitCredentialReadinessNoteLabelsPartialGitHubAppRequiredKeys(t *testin
 			Mode:    string(config.GitAuthModeGitHubApp),
 		},
 		KeySpecs: []credentials.KeySpec{
-			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
 		},
 		MissingRequiredKeys: []string{credentials.GitHubAppPrivateKeyKey},
 		State:               initCredentialPlanStateMissingRequired,
 	})
 	for _, want := range []string{
-		"reviewer missing required " + credentials.GitHubAppPrivateKeyKey,
+		"reviewer missing " + credentials.GitHubAppPrivateKeyKey,
 	} {
 		if !strings.Contains(note, want) {
 			t.Fatalf("note = %q, want %q", note, want)
@@ -7504,11 +7528,11 @@ func TestInitProfileReadinessLineIncludesNotes(t *testing.T) {
 	line := initProfileReadinessLine(initProfileReadiness{
 		ProfileName: "work",
 		Ready:       false,
-		Notes:       []string{"reviewer deferred (required: github_app_id, github_app_private_key)"},
+		Notes:       []string{"reviewer deferred (required: github_app_private_key)"},
 	})
 	for _, want := range []string{
 		"- work: needs follow-up",
-		"required: github_app_id, github_app_private_key",
+		"required: github_app_private_key",
 	} {
 		if !strings.Contains(line, want) {
 			t.Fatalf("line = %q, want %q", line, want)
@@ -8881,6 +8905,7 @@ func TestInitInteractivePromptBuildsPlanAndPreservesOutOfScopeFields(t *testing.
 	existing.LLM.ModelMap = config.ModelMap{"medium": "gpt-custom"}
 	existing.LLM.ReviewerModelTier = config.ModelTierLarge
 	existing.Git.AuthMode = config.GitAuthModeGitHubApp
+	existing.Git.GitHubApp = &config.GitHubAppConfig{AppID: "12345"}
 	existing.Git.IdentityCache = "git-cache"
 	existing.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModePAT,
@@ -8914,9 +8939,11 @@ func TestInitInteractivePromptBuildsPlanAndPreservesOutOfScopeFields(t *testing.
 				ProfileName:           "office",
 				GitHost:               "github.com",
 				GitAuth:               string(config.GitAuthModeGitHubApp),
+				GitHubAppID:           "12345",
 				GitCredentialRef:      "codereview/office-git",
 				ReviewerEnabled:       true,
 				ReviewerAuth:          string(config.GitAuthModeGitHubApp),
+				ReviewerGitHubAppID:   "67890",
 				ReviewerCredentialRef: "codereview/custom-office-reviewer",
 				LLMProvider:           string(config.LLMProviderOpenAI),
 				LLMAuth:               string(config.LLMAuthAPIKey),
@@ -8999,8 +9026,11 @@ func TestInitInteractivePromptBuildsPlanAndPreservesOutOfScopeFields(t *testing.
 	if !strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/custom-office-llm --key "+credentials.OpenAIAPIKeyKey+" --stdin") {
 		t.Fatalf("stderr = %q, want deferred llm follow-up hint", stderr.String())
 	}
-	if !strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/office-git --key "+credentials.GitHubAppIDKey+" --stdin") {
-		t.Fatalf("stderr = %q, want github app git follow-up hint", stderr.String())
+	if !strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/office-git --key "+credentials.GitHubAppPrivateKeyKey+" --stdin") {
+		t.Fatalf("stderr = %q, want github app git private key follow-up hint", stderr.String())
+	}
+	if strings.Contains(stderr.String(), "set-credential --store local-os --name codereview/office-git --key "+credentials.GitHubAppIDKey+" --stdin") {
+		t.Fatalf("stderr = %q, want no github app id follow-up hint", stderr.String())
 	}
 	if route := cfg.RepositoryProfiles[0]; route.Profile != "office" {
 		t.Fatalf("repository route profile = %q, want office", route.Profile)
@@ -15084,6 +15114,7 @@ func TestInitInteractiveMenuFocusedLLMRuntimePreservesUnrelatedProfileState(t *t
 	profile.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
 		Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		IdentityCache: "reviewer-cache",
 	}
 	profile.LLM.ModelMap = config.ModelMap{"medium": "claude-custom"}
@@ -15407,6 +15438,7 @@ func TestInitInteractiveMenuFocusedReviewerEntityRebuildsSecretPlanning(t *testi
 			draft := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 			draft.ReviewerEnabled = true
 			draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
+			draft.ReviewerGitHubAppID = "12345"
 			return draft, nil
 		}),
 		retentionPrompter: initRetentionPrompterFunc(func(initRetentionPrompt) (initRetentionEdit, error) {
@@ -15430,7 +15462,6 @@ func TestInitInteractiveMenuFocusedReviewerEntityRebuildsSecretPlanning(t *testi
 					credentials.GitTokenKey: "existing-token",
 				},
 				"reviewer-github-app": {
-					credentials.GitHubAppIDKey:         "12345",
 					credentials.GitHubAppPrivateKeyKey: "private-key",
 				},
 			}), nil
@@ -15483,7 +15514,6 @@ func TestInitCredentialSecretPromptTitleReviewerKeys(t *testing.T) {
 			Mode:    string(config.GitAuthModeGitHubApp),
 		},
 		KeySpecs: []credentials.KeySpec{
-			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
 		},
 	}
@@ -15506,7 +15536,7 @@ func TestInitCredentialSecretPromptTitleReviewerKeys(t *testing.T) {
 			got: initCredentialSecretPromptTitle(initCredentialSecretPrompt{
 				Entry: githubAppEntry,
 			}),
-			want: "How should init handle GitHub App reviewer secrets? (codereview/rianjs-bot) (required: github_app_id, github_app_private_key)",
+			want: "How should init handle GitHub App reviewer secrets? (codereview/rianjs-bot)",
 		},
 		{
 			name: "pat action title",
@@ -15827,7 +15857,6 @@ func TestInitReviewerCredentialStatusStates(t *testing.T) {
 			Mode:    string(config.GitAuthModeGitHubApp),
 		},
 		KeySpecs: []credentials.KeySpec{
-			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
 		},
 	}
@@ -15836,11 +15865,11 @@ func TestInitReviewerCredentialStatusStates(t *testing.T) {
 		entry,
 		map[string]string{credentials.GitHubAppPrivateKeyKey: "sentinel-private-key"},
 		map[initCredentialDecisionKey]initCredentialDecisionKind{},
-		map[string]bool{credentials.GitHubAppIDKey: true},
+		map[string]bool{},
 		"",
 	)
 
-	assertReviewerCredentialKeyState(t, status, credentials.GitHubAppIDKey, initReviewerCredentialKeyExisting)
+	assertReviewerCredentialKeyAbsent(t, status, credentials.GitHubAppIDKey)
 	assertReviewerCredentialKeyState(t, status, credentials.GitHubAppPrivateKeyKey, initReviewerCredentialKeyStaged)
 	if strings.Contains(initReviewerCredentialStatusDescription(status), "sentinel-private-key") {
 		t.Fatalf("status description leaked secret value: %s", initReviewerCredentialStatusDescription(status))
@@ -15855,7 +15884,6 @@ func TestInitReviewerCredentialStatusDeferPreservesPartialExistingKeys(t *testin
 			Mode:    string(config.GitAuthModeGitHubApp),
 		},
 		KeySpecs: []credentials.KeySpec{
-			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
 		},
 	}
@@ -15866,11 +15894,11 @@ func TestInitReviewerCredentialStatusDeferPreservesPartialExistingKeys(t *testin
 		entry,
 		nil,
 		decisions,
-		map[string]bool{credentials.GitHubAppIDKey: true},
+		map[string]bool{},
 		"",
 	)
 
-	assertReviewerCredentialKeyState(t, status, credentials.GitHubAppIDKey, initReviewerCredentialKeyExisting)
+	assertReviewerCredentialKeyAbsent(t, status, credentials.GitHubAppIDKey)
 	assertReviewerCredentialKeyState(t, status, credentials.GitHubAppPrivateKeyKey, initReviewerCredentialKeyDeferred)
 }
 
@@ -15887,7 +15915,6 @@ func TestInitReviewerCredentialStatusSelectionFiltersByAuthMode(t *testing.T) {
 					Mode:    string(config.GitAuthModeGitHubApp),
 				},
 				Keys: []initReviewerCredentialKeyStatus{
-					{Key: credentials.GitHubAppIDKey, Required: true, State: initReviewerCredentialKeyStaged},
 					{Key: credentials.GitHubAppPrivateKeyKey, Required: true, State: initReviewerCredentialKeyStaged},
 				},
 			},
@@ -16046,6 +16073,7 @@ func TestInitReviewerCredentialStatusDropsStagedWritesWhenSecretsStoreChanges(t
 	originalProfile.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:   config.GitAuthModeGitHubApp,
 		Credential: config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: "codereview/work-reviewer"},
+		GitHubApp:  &config.GitHubAppConfig{AppID: "12345"},
 	}
 	originalCfg := config.File{Profiles: map[string]config.Profile{"work": originalProfile}}
 	originalResolved, err := credentials.ResolveSecretsProfileForProfile(originalCfg, originalProfile)
@@ -16073,7 +16101,6 @@ func TestInitReviewerCredentialStatusDropsStagedWritesWhenSecretsStoreChanges(t
 		},
 		writes: map[string]map[string]string{
 			"codereview/work-reviewer": {
-				credentials.GitHubAppIDKey:         "12345",
 				credentials.GitHubAppPrivateKeyKey: "private-key",
 			},
 		},
@@ -16095,7 +16122,7 @@ func TestInitReviewerCredentialStatusDropsStagedWritesWhenSecretsStoreChanges(t
 
 	statuses := buildInteractiveInitReviewerCredentialStatuses(&root.Options{}, deps, session)
 	status := findReviewerCredentialStatusForTest(t, statuses, "codereview/work-reviewer", string(config.GitAuthModeGitHubApp))
-	assertReviewerCredentialKeyState(t, status, credentials.GitHubAppIDKey, initReviewerCredentialKeyMissing)
+	assertReviewerCredentialKeyAbsent(t, status, credentials.GitHubAppIDKey)
 	assertReviewerCredentialKeyState(t, status, credentials.GitHubAppPrivateKeyKey, initReviewerCredentialKeyMissing)
 }
 
@@ -16214,10 +16241,10 @@ func stageDraftInlineGitHubAppReviewerCredentials(draft *initDraft, ref string,
 	if strings.TrimSpace(draft.ReviewerCredentialStore) == "" {
 		draft.ReviewerCredentialStore = config.LocalOSCredentialStoreID
 	}
+	draft.ReviewerGitHubAppID = strings.TrimSpace(appID)
 	draft.ReviewerCredentialWriteRef = ref
 	draft.ReviewerCredentialWriteStore = testLocalOSResolvedCredentialStore()
 	draft.ReviewerCredentialWrites = map[string]string{
-		credentials.GitHubAppIDKey:         appID,
 		credentials.GitHubAppPrivateKeyKey: privateKey,
 	}
 	draft.ReviewerCredentialSatisfied = true
@@ -16253,8 +16280,8 @@ func TestMergeReviewerCredentialDraftWritesDropsStaleKeysWhenAuthModeChanges(t *
 		if _, ok := session.writes[ref][credentials.GitTokenKey]; ok {
 			t.Fatalf("writes[%q] kept stale PAT key: %#v", ref, session.writes[ref])
 		}
-		if got := session.writes[ref][credentials.GitHubAppIDKey]; got != "12345" {
-			t.Fatalf("github_app_id = %q, want current GitHub App staged value", got)
+		if _, ok := session.writes[ref][credentials.GitHubAppIDKey]; ok {
+			t.Fatalf("writes[%q] staged non-secret app id: %#v", ref, session.writes[ref])
 		}
 		if got := session.writes[ref][credentials.GitHubAppPrivateKeyKey]; got != privateKey {
 			t.Fatalf("github_app_private_key = %q, want current GitHub App staged value", got)
@@ -16266,6 +16293,7 @@ func TestMergeReviewerCredentialDraftWritesDropsStaleKeysWhenAuthModeChanges(t *
 		profile := basicProfile("work")
 		profile.ReviewerCredentials = &config.ReviewerCredentials{
 			AuthMode:      config.GitAuthModeGitHubApp,
+			GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 			CredentialRef: ref,
 		}
 		if _, err := planInitCredentialsWithConfig(config.File{Profiles: map[string]config.Profile{"work": profile}}, nil, profile, projectInitPlannedWriteKeys(session.writes)); err != nil {
@@ -16411,11 +16439,14 @@ func TestInitInteractiveMenuFocusedGitHubAppReviewerInlineWritesReadyWithoutHint
 		entity.DisplayName != "rianjs-bot" {
 		t.Fatalf("reviewer entity = %#v, want rianjs-bot GitHub App reviewer", entity)
 	}
+	if entity.GitHubApp == nil || entity.GitHubApp.AppID != "12345" {
+		t.Fatalf("reviewer entity GitHubApp = %#v, want app id 12345", entity.GitHubApp)
+	}
 	if len(secretPrompter.actionPrompts) != 0 || len(secretPrompter.sourcePrompts) != 0 {
 		t.Fatalf("secret prompts = actions:%d sources:%d, want inline reviewer credential collection only", len(secretPrompter.actionPrompts), len(secretPrompter.sourcePrompts))
 	}
-	if got := store.bundles["rianjs-bot"][credentials.GitHubAppIDKey]; got != "12345" {
-		t.Fatalf("stored app id = %q, want staged inline value", got)
+	if _, ok := store.bundles["rianjs-bot"][credentials.GitHubAppIDKey]; ok {
+		t.Fatalf("stored app id unexpectedly: %#v", store.bundles["rianjs-bot"])
 	}
 	if got := store.bundles["rianjs-bot"][credentials.GitHubAppPrivateKeyKey]; got != privateKey {
 		t.Fatalf("stored private key = %q, want staged inline private key", got)
@@ -16492,8 +16523,8 @@ func TestInitInteractiveMenuFocusedGitHubAppReviewerInlineWritesBeforeCommitAndD
 	if len(secretPrompter.actionPrompts) != 0 || len(secretPrompter.sourcePrompts) != 0 {
 		t.Fatalf("secret prompts = actions:%d sources:%d, want no separate reviewer credential prompt", len(secretPrompter.actionPrompts), len(secretPrompter.sourcePrompts))
 	}
-	if got := store.bundles["rianjs-bot"][credentials.GitHubAppIDKey]; got != "12345" {
-		t.Fatalf("stored app id = %q, want staged value written at commit", got)
+	if _, ok := store.bundles["rianjs-bot"][credentials.GitHubAppIDKey]; ok {
+		t.Fatalf("stored app id unexpectedly: %#v", store.bundles["rianjs-bot"])
 	}
 	if got := store.bundles["rianjs-bot"][credentials.GitHubAppPrivateKeyKey]; got != privateKey {
 		t.Fatalf("stored private key = %q, want multi-line private key", got)
@@ -16525,7 +16556,6 @@ func TestInitInteractiveMenuLabelDerivedReviewerRefDoesNotOverwriteUnconfiguredE
 	store := newFakeInitStore(map[string]map[string]string{
 		"work": {credentials.GitTokenKey: "existing-token"},
 		"rianjs-bot-reviewer": {
-			credentials.GitHubAppIDKey:         "existing-app-id",
 			credentials.GitHubAppPrivateKeyKey: "existing-private-key",
 		},
 	})
@@ -16579,9 +16609,6 @@ func TestInitInteractiveMenuLabelDerivedReviewerRefDoesNotOverwriteUnconfiguredE
 	if err == nil || !strings.Contains(err.Error(), credstore.ErrExists.Error()) {
 		t.Fatalf("runInitWithDeps error = %v, want no-overwrite conflict", err)
 	}
-	if got := store.bundles["rianjs-bot-reviewer"][credentials.GitHubAppIDKey]; got != "existing-app-id" {
-		t.Fatalf("stored github_app_id = %q, want existing value preserved after conflict", got)
-	}
 	if got := store.bundles["rianjs-bot-reviewer"][credentials.GitHubAppPrivateKeyKey]; got != "existing-private-key" {
 		t.Fatalf("stored private key = %q, want existing value preserved after conflict", got)
 	}
@@ -16609,7 +16636,6 @@ func TestInitInteractiveMenuManualReviewerRefDoesNotOverwriteUnconfiguredExistin
 	store := newFakeInitStore(map[string]map[string]string{
 		"work": {credentials.GitTokenKey: "existing-token"},
 		"manual-reviewer": {
-			credentials.GitHubAppIDKey:         "existing-app-id",
 			credentials.GitHubAppPrivateKeyKey: "existing-private-key",
 		},
 	})
@@ -16663,9 +16689,6 @@ func TestInitInteractiveMenuManualReviewerRefDoesNotOverwriteUnconfiguredExistin
 	if err == nil || !strings.Contains(err.Error(), credstore.ErrExists.Error()) {
 		t.Fatalf("runInitWithDeps error = %v, want no-overwrite conflict", err)
 	}
-	if got := store.bundles["manual-reviewer"][credentials.GitHubAppIDKey]; got != "existing-app-id" {
-		t.Fatalf("stored github_app_id = %q, want existing value preserved after conflict", got)
-	}
 	if got := store.bundles["manual-reviewer"][credentials.GitHubAppPrivateKeyKey]; got != "existing-private-key" {
 		t.Fatalf("stored private key = %q, want existing value preserved after conflict", got)
 	}
@@ -16891,11 +16914,11 @@ func TestInitInteractiveMenuReviewerCredentialDecisionDropsAfterReviewerRefChang
 			case 1:
 				draft.ActionTarget = "reviewer-github-app"
 				draft.ReviewerCredentialRef = "codereview/old-reviewer"
-				stageDraftInlineGitHubAppReviewerCredentials(&draft, draft.ReviewerCredentialRef, "old-app-id", testReviewerGitHubAppPrivateKey())
+				stageDraftInlineGitHubAppReviewerCredentials(&draft, draft.ReviewerCredentialRef, "111", testReviewerGitHubAppPrivateKey())
 			case 2:
 				draft.ActionTarget = "reviewer-github-app"
 				draft.ReviewerCredentialRef = "codereview/new-reviewer"
-				stageDraftInlineGitHubAppReviewerCredentials(&draft, draft.ReviewerCredentialRef, "new-app-id", testReviewerGitHubAppPrivateKey())
+				stageDraftInlineGitHubAppReviewerCredentials(&draft, draft.ReviewerCredentialRef, "222", testReviewerGitHubAppPrivateKey())
 			default:
 				return initDraft{}, errInitNavigateBack
 			}
@@ -16926,8 +16949,8 @@ func TestInitInteractiveMenuReviewerCredentialDecisionDropsAfterReviewerRefChang
 	if _, ok := store.bundles["old-reviewer"]; ok {
 		t.Fatalf("old reviewer bundle = %#v, want stale inline write filtered", store.bundles["old-reviewer"])
 	}
-	if got := store.bundles["new-reviewer"][credentials.GitHubAppIDKey]; got != "new-app-id" {
-		t.Fatalf("new reviewer app id = %q, want active inline write", got)
+	if _, ok := store.bundles["new-reviewer"][credentials.GitHubAppIDKey]; ok {
+		t.Fatalf("new reviewer stored app id unexpectedly: %#v", store.bundles["new-reviewer"])
 	}
 	got, err := config.Load(path)
 	if err != nil {
@@ -16937,6 +16960,9 @@ func TestInitInteractiveMenuReviewerCredentialDecisionDropsAfterReviewerRefChang
 	if entity.CredentialRef != "codereview/new-reviewer" {
 		t.Fatalf("reviewer entity = %#v, want new reviewer ref", entity)
 	}
+	if entity.GitHubApp == nil || entity.GitHubApp.AppID != "222" {
+		t.Fatalf("reviewer entity GitHubApp = %#v, want new app id", entity.GitHubApp)
+	}
 }
 
 func TestInitInteractiveMenuReviewerSetNowDiscardDoesNotWriteConfigOrCredentials(t *testing.T) {
@@ -16971,7 +16997,7 @@ func TestInitInteractiveMenuReviewerSetNowDiscardDoesNotWriteConfigOrCredentials
 			draft.ReviewerEnabled = true
 			draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
 			draft.ReviewerCredentialRef = "codereview/rianjs-bot"
-			stageDraftInlineGitHubAppReviewerCredentials(&draft, draft.ReviewerCredentialRef, "sentinel-app-id", "sentinel-private-key")
+			stageDraftInlineGitHubAppReviewerCredentials(&draft, draft.ReviewerCredentialRef, "333", "sentinel-private-key")
 			return draft, nil
 		}),
 		secretPrompter: &fakeInitSecretPrompter{},
@@ -17106,14 +17132,14 @@ func TestInitInteractiveMenuReviewerCredentialStatusShowsStagedOnReentry(t *test
 				draft.ReviewerEnabled = true
 				draft.ReviewerAuth = string(config.GitAuthModeGitHubApp)
 				draft.ReviewerCredentialRef = "codereview/rianjs-bot"
-				stageDraftInlineGitHubAppReviewerCredentials(&draft, draft.ReviewerCredentialRef, "sentinel-app-id", "sentinel-private-key")
+				stageDraftInlineGitHubAppReviewerCredentials(&draft, draft.ReviewerCredentialRef, "444", "sentinel-private-key")
 				return draft, nil
 			case 2:
 				if len(prompt.Context.ReviewerCredentialStatuses) == 0 {
 					t.Fatalf("second prompt reviewer statuses empty; existing profile name = %q; staged profile = %#v", prompt.Context.ExistingProfileName, prompt.Context.ExistingConfig.Profiles["work"].ReviewerCredentials)
 				}
 				status := findReviewerCredentialStatusForTest(t, prompt.Context.ReviewerCredentialStatuses, "codereview/rianjs-bot", string(config.GitAuthModeGitHubApp))
-				assertReviewerCredentialKeyState(t, status, credentials.GitHubAppIDKey, initReviewerCredentialKeyStaged)
+				assertReviewerCredentialKeyAbsent(t, status, credentials.GitHubAppIDKey)
 				assertReviewerCredentialKeyState(t, status, credentials.GitHubAppPrivateKeyKey, initReviewerCredentialKeyStaged)
 				description := initReviewerCredentialStatusDescription(status)
 				if strings.Contains(description, "sentinel") {
@@ -17177,6 +17203,7 @@ func TestInitInteractiveMenuFocusedReviewerEntitySavePreservesCustomCredentialRe
 		},
 		ReviewerCredentials: &config.ReviewerCredentials{
 			AuthMode:      config.GitAuthModeGitHubApp,
+			GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 			CredentialRef: "codereview/custom-work-reviewer",
 		},
 		LLM: config.LLMConfig{
@@ -17222,7 +17249,6 @@ func TestInitInteractiveMenuFocusedReviewerEntitySavePreservesCustomCredentialRe
 					credentials.GitTokenKey: "existing-token",
 				},
 				"custom-work-reviewer": {
-					credentials.GitHubAppIDKey:         "12345",
 					credentials.GitHubAppPrivateKeyKey: "private-key",
 				},
 			}), nil
@@ -17260,6 +17286,7 @@ func TestInitInteractiveMenuFocusedReviewerEntityLabelOnlySaveSkipsCredentialWri
 				},
 				ReviewerCredentials: &config.ReviewerCredentials{
 					AuthMode:      config.GitAuthModeGitHubApp,
+					GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 					CredentialRef: "codereview/work-reviewer",
 					DisplayName:   "Old label",
 				},
@@ -17284,7 +17311,6 @@ func TestInitInteractiveMenuFocusedReviewerEntityLabelOnlySaveSkipsCredentialWri
 			credentials.GitTokenKey: "existing-token",
 		},
 		"work-reviewer": {
-			credentials.GitHubAppIDKey:         "12345",
 			credentials.GitHubAppPrivateKeyKey: "private-key",
 		},
 	})
@@ -17353,6 +17379,7 @@ func TestInitInteractiveMenuFocusedReviewerEntitySavePreservesExistingCredential
 				},
 				ReviewerCredentials: &config.ReviewerCredentials{
 					AuthMode:      config.GitAuthModeGitHubApp,
+					GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 					CredentialRef: "codereview/custom-work-reviewer",
 				},
 				LLM: config.LLMConfig{
@@ -17407,11 +17434,9 @@ func TestInitInteractiveMenuFocusedReviewerEntitySavePreservesExistingCredential
 					credentials.GitTokenKey: "existing-token",
 				},
 				"work-reviewer": {
-					credentials.GitHubAppIDKey:         "12345",
 					credentials.GitHubAppPrivateKeyKey: "private-key",
 				},
 				"custom-work-reviewer": {
-					credentials.GitHubAppIDKey:         "legacy-id",
 					credentials.GitHubAppPrivateKeyKey: "legacy-private-key",
 				},
 			}), nil
@@ -17561,6 +17586,7 @@ func TestInitInteractiveMenuFocusedReviewerEntityDeleteUndoReturnsToMenu(t *test
 				profile := basicProfile("work")
 				profile.ReviewerCredentials = &config.ReviewerCredentials{
 					AuthMode:      config.GitAuthModeGitHubApp,
+					GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 					CredentialRef: "codereview/shared-reviewer",
 				}
 				return profile
@@ -18175,11 +18201,13 @@ func TestInitInteractiveMenuDeleteUndoAndSaveFlow(t *testing.T) {
 	work := basicProfile("work")
 	work.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/shared-reviewer",
 	}
 	home := basicProfile("home")
 	home.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/shared-reviewer",
 	}
 	saveCredentialTestConfig(t, path, config.File{
@@ -19386,6 +19414,7 @@ func TestApplyInteractiveInitSessionPlanWritesReviewerSecretsToResolvedStore(t *
 	profile.SecretsProfile = "work-file"
 	profile.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work-reviewer",
 	}
 	cfg := config.File{
@@ -19408,7 +19437,6 @@ func TestApplyInteractiveInitSessionPlanWritesReviewerSecretsToResolvedStore(t *
 		profileNames: []string{"work"},
 		writes: map[string]map[string]string{
 			"codereview/work-reviewer": {
-				credentials.GitHubAppIDKey:         "12345",
 				credentials.GitHubAppPrivateKeyKey: "private-key",
 			},
 		},
@@ -19420,7 +19448,6 @@ func TestApplyInteractiveInitSessionPlanWritesReviewerSecretsToResolvedStore(t *
 			},
 			SecretsProfile: resolved,
 			KeySpecs: []credentials.KeySpec{
-				{Key: credentials.GitHubAppIDKey, Required: true},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
 			},
 			State: initCredentialPlanStateWrite,
@@ -19443,8 +19470,8 @@ func TestApplyInteractiveInitSessionPlanWritesReviewerSecretsToResolvedStore(t *
 	if err != nil {
 		t.Fatalf("applyInteractiveInitSessionPlan: %v", err)
 	}
-	if got := workStore.bundles["work-reviewer"][credentials.GitHubAppIDKey]; got != "12345" {
-		t.Fatalf("stored reviewer app id = %q, want named-store value", got)
+	if _, ok := workStore.bundles["work-reviewer"][credentials.GitHubAppIDKey]; ok {
+		t.Fatalf("stored reviewer app id unexpectedly: %#v", workStore.bundles["work-reviewer"])
 	}
 	if got := workStore.bundles["work-reviewer"][credentials.GitHubAppPrivateKeyKey]; got != "private-key" {
 		t.Fatalf("stored reviewer private key = %q, want named-store value", got)
@@ -20546,6 +20573,7 @@ func TestInitInteractiveCanKeepExistingSecretsAfterInspectingTargetRef(t *testin
 
 func TestInitInteractiveCollectsGitHubAppBundle(t *testing.T) {
 	store := newFakeInitStore(nil)
+	var savedCfg config.File
 	opts := &root.Options{
 		Stdin:      strings.NewReader(""),
 		Stdout:     &bytes.Buffer{},
@@ -20558,6 +20586,7 @@ func TestInitInteractiveCollectsGitHubAppBundle(t *testing.T) {
 				ProfileName: "default",
 				GitHost:     "github.com",
 				GitAuth:     string(config.GitAuthModeGitHubApp),
+				GitHubAppID: "12345",
 				LLMProvider: string(config.LLMProviderAnthropic),
 				LLMAuth:     string(config.LLMAuthSubscription),
 				LLMAdapter:  string(config.LLMAdapterClaudeCLI),
@@ -20567,19 +20596,20 @@ func TestInitInteractiveCollectsGitHubAppBundle(t *testing.T) {
 			actions: []initCredentialSecretAction{initCredentialSecretActionSetNow},
 			sources: []initSecretSource{
 				initSecretSourcePaste,
-				initSecretSourceClipboard,
-				initSecretSourceSkip,
 			},
-			pastes: []string{"12345"},
+			pastes: []string{"private-key"},
 		},
 		clipboardSupported: func() bool { return true },
-		clipboardRead:      func() (string, error) { return "private-key", nil },
+		clipboardRead:      func() (string, error) { return "", nil },
 		configPath:         func(*root.Options) (string, error) { return opts.ConfigPath, nil },
 		loadConfig: func(string) (config.File, bool, error) {
 			return config.File{Profiles: map[string]config.Profile{}}, false, nil
 		},
-		saveConfig: func(string, config.File) error { return nil },
-		openStore:  func(string, bool, config.File) (initStore, error) { return store, nil },
+		saveConfig: func(_ string, cfg config.File) error {
+			savedCfg = cloneInitConfigFile(cfg)
+			return nil
+		},
+		openStore: func(string, bool, config.File) (initStore, error) { return store, nil },
 	}
 
 	err := runInitWithDeps(&cobra.Command{}, opts, initOptions{}, deps)
@@ -20587,12 +20617,15 @@ func TestInitInteractiveCollectsGitHubAppBundle(t *testing.T) {
 		t.Fatalf("runInitWithDeps: %v", err)
 	}
 	bundle := store.bundles["default"]
-	if bundle[credentials.GitHubAppIDKey] != "12345" {
-		t.Fatalf("github_app_id = %q, want 12345", bundle[credentials.GitHubAppIDKey])
+	if _, ok := bundle[credentials.GitHubAppIDKey]; ok {
+		t.Fatalf("github_app_id stored unexpectedly: %#v", bundle)
 	}
 	if bundle[credentials.GitHubAppPrivateKeyKey] != "private-key" {
 		t.Fatalf("github_app_private_key = %q, want private-key", bundle[credentials.GitHubAppPrivateKeyKey])
 	}
+	if savedCfg.Profiles["default"].Git.GitHubApp == nil || savedCfg.Profiles["default"].Git.GitHubApp.AppID != "12345" {
+		t.Fatalf("git github_app config = %#v, want app id 12345", savedCfg.Profiles["default"].Git.GitHubApp)
+	}
 	if _, ok := bundle[credentials.GitHubAppInstallationIDKey]; ok {
 		t.Fatalf("github_app_installation_id present, want skipped optional key")
 	}
@@ -20828,7 +20861,6 @@ func TestWriteBundlesLeavesStaleReviewerKeysForPostSaveCleanup(t *testing.T) {
 	}
 	written, err := writeBundles(store, map[string]map[string]string{
 		"codereview/work-reviewer": {
-			credentials.GitHubAppIDKey:         "12345",
 			credentials.GitHubAppPrivateKeyKey: "private-key",
 		},
 	}, false, nil)
@@ -20841,8 +20873,8 @@ func TestWriteBundlesLeavesStaleReviewerKeysForPostSaveCleanup(t *testing.T) {
 	if ok, err := store.Exists("work-reviewer", credentials.GitTokenKey); err != nil || !ok {
 		t.Fatalf("stale git_token exists = %t, err = %v; want retained until config save succeeds", ok, err)
 	}
-	if ok, err := store.Exists("work-reviewer", credentials.GitHubAppIDKey); err != nil || !ok {
-		t.Fatalf("github_app_id exists = %t, err = %v; want written", ok, err)
+	if ok, err := store.Exists("work-reviewer", credentials.GitHubAppPrivateKeyKey); err != nil || !ok {
+		t.Fatalf("github_app_private_key exists = %t, err = %v; want written", ok, err)
 	}
 }
 
@@ -20860,7 +20892,6 @@ func TestWriteBundlesKeepsStaleReviewerKeysRequiredByAnotherActiveMode(t *testin
 	}
 	if _, err := writeBundles(store, map[string]map[string]string{
 		"codereview/shared-reviewer": {
-			credentials.GitHubAppIDKey:         "12345",
 			credentials.GitHubAppPrivateKeyKey: "private-key",
 		},
 	}, false, nil); err != nil {
@@ -20883,6 +20914,7 @@ func TestApplyInteractiveInitSessionPlanDeletesStaleReviewerKeyWithoutWrites(t *
 	profile := basicProfile("work")
 	profile.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work-reviewer",
 		DisplayName:   "work bot",
 	}
@@ -20915,7 +20947,6 @@ func TestApplyInteractiveInitSessionPlanDeletesStaleReviewerKeyWithoutWrites(t *
 			},
 			SecretsProfile: resolved,
 			KeySpecs: []credentials.KeySpec{
-				{Key: credentials.GitHubAppIDKey, Required: true},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
 			},
 			State: initCredentialPlanStateKeepExisting,
@@ -20938,8 +20969,8 @@ func TestApplyInteractiveInitSessionPlanDeletesStaleReviewerKeyWithoutWrites(t *
 	if ok, err := store.Exists("work-reviewer", credentials.GitTokenKey); err != nil || ok {
 		t.Fatalf("stale git_token exists = %t, err = %v; want deleted", ok, err)
 	}
-	if ok, err := store.Exists("work-reviewer", credentials.GitHubAppIDKey); err != nil || !ok {
-		t.Fatalf("github_app_id exists = %t, err = %v; want retained", ok, err)
+	if ok, err := store.Exists("work-reviewer", credentials.GitHubAppIDKey); err != nil || ok {
+		t.Fatalf("github_app_id exists = %t, err = %v; want deleted as stale legacy key", ok, err)
 	}
 	if ok, err := store.Exists("work-reviewer", credentials.GitHubAppPrivateKeyKey); err != nil || !ok {
 		t.Fatalf("github_app_private_key exists = %t, err = %v; want retained", ok, err)
@@ -20960,6 +20991,7 @@ func TestApplyInteractiveInitSessionPlanSaveFailureDoesNotDeleteStaleReviewerKey
 	profile := basicProfile("work")
 	profile.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work-reviewer",
 	}
 	cfg := config.File{Profiles: map[string]config.Profile{"work": profile}}
@@ -20984,7 +21016,6 @@ func TestApplyInteractiveInitSessionPlanSaveFailureDoesNotDeleteStaleReviewerKey
 			},
 			SecretsProfile: resolved,
 			KeySpecs: []credentials.KeySpec{
-				{Key: credentials.GitHubAppIDKey, Required: true},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
 			},
 			State: initCredentialPlanStateKeepExisting,
@@ -21010,6 +21041,7 @@ func TestApplyInteractiveInitSessionPlanKeepsSharedRefPATKeyAfterStagedAuthSwitc
 	appProfile := basicProfile("app")
 	appProfile.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/shared-reviewer",
 	}
 	patProfile := basicProfile("pat")
@@ -21033,7 +21065,6 @@ func TestApplyInteractiveInitSessionPlanKeepsSharedRefPATKeyAfterStagedAuthSwitc
 		profileNames: []string{"app"},
 		writes: map[string]map[string]string{
 			"codereview/shared-reviewer": {
-				credentials.GitHubAppIDKey:         "12345",
 				credentials.GitHubAppPrivateKeyKey: "private-key",
 			},
 		},
@@ -21050,7 +21081,6 @@ func TestApplyInteractiveInitSessionPlanKeepsSharedRefPATKeyAfterStagedAuthSwitc
 			},
 			SecretsProfile: resolved,
 			KeySpecs: []credentials.KeySpec{
-				{Key: credentials.GitHubAppIDKey, Required: true},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
 			},
 			State: initCredentialPlanStateWrite,
@@ -21067,8 +21097,8 @@ func TestApplyInteractiveInitSessionPlanKeepsSharedRefPATKeyAfterStagedAuthSwitc
 	if ok, err := store.Exists("shared-reviewer", credentials.GitTokenKey); err != nil || !ok {
 		t.Fatalf("git_token exists = %t, err = %v; want retained for untouched PAT profile", ok, err)
 	}
-	if ok, err := store.Exists("shared-reviewer", credentials.GitHubAppIDKey); err != nil || !ok {
-		t.Fatalf("github_app_id exists = %t, err = %v; want staged app key written", ok, err)
+	if ok, err := store.Exists("shared-reviewer", credentials.GitHubAppIDKey); err != nil || ok {
+		t.Fatalf("github_app_id exists = %t, err = %v; want no staged app key", ok, err)
 	}
 }
 
@@ -21083,6 +21113,7 @@ func TestApplyInitPlanDeletesStaleReviewerKeyWithoutWrites(t *testing.T) {
 	profile := basicProfile("work")
 	profile.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/work-reviewer",
 		DisplayName:   "work bot",
 	}
@@ -21109,7 +21140,6 @@ func TestApplyInitPlanDeletesStaleReviewerKeyWithoutWrites(t *testing.T) {
 			},
 			SecretsProfile: resolved,
 			KeySpecs: []credentials.KeySpec{
-				{Key: credentials.GitHubAppIDKey, Required: true},
 				{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
 			},
 			State: initCredentialPlanStateKeepExisting,
@@ -21128,8 +21158,8 @@ func TestApplyInitPlanDeletesStaleReviewerKeyWithoutWrites(t *testing.T) {
 	if ok, err := store.Exists("work-reviewer", credentials.GitTokenKey); err != nil || ok {
 		t.Fatalf("stale git_token exists = %t, err = %v; want deleted", ok, err)
 	}
-	if ok, err := store.Exists("work-reviewer", credentials.GitHubAppIDKey); err != nil || !ok {
-		t.Fatalf("github_app_id exists = %t, err = %v; want retained", ok, err)
+	if ok, err := store.Exists("work-reviewer", credentials.GitHubAppIDKey); err != nil || ok {
+		t.Fatalf("github_app_id exists = %t, err = %v; want deleted as stale legacy key", ok, err)
 	}
 }
 
@@ -21153,7 +21183,6 @@ func TestStaleReviewerCleanupKeepsKeysRequiredByAnotherActiveModeWithoutWrites(t
 			Mode:    string(config.GitAuthModePAT),
 		},
 		KeySpecs: []credentials.KeySpec{
-			{Key: credentials.GitHubAppIDKey, Required: true},
 			{Key: credentials.GitHubAppPrivateKeyKey, Required: true},
 		},
 		State: initCredentialPlanStateKeepExisting,
@@ -21161,6 +21190,7 @@ func TestStaleReviewerCleanupKeepsKeysRequiredByAnotherActiveModeWithoutWrites(t
 	appProfile := basicProfile("app")
 	appProfile.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
 		CredentialRef: "codereview/shared-reviewer",
 	}
 	patProfile := basicProfile("pat")
@@ -21190,12 +21220,15 @@ func TestStaleReviewerCleanupKeepsKeysRequiredByAnotherActiveModeWithoutWrites(t
 	if err != nil {
 		t.Fatalf("deleteStaleReviewerCredentialKeysForRefs: %v", err)
 	}
-	if len(cleanedRefs) != 0 {
-		t.Fatalf("cleaned refs = %#v, want none because both modes are active", cleanedRefs)
+	if !reflect.DeepEqual(cleanedRefs, []string{"codereview/shared-reviewer"}) {
+		t.Fatalf("cleaned refs = %#v, want shared reviewer stale legacy app id deleted", cleanedRefs)
 	}
 	if ok, err := store.Exists("shared-reviewer", credentials.GitTokenKey); err != nil || !ok {
 		t.Fatalf("git_token exists = %t, err = %v; want retained for active PAT entry", ok, err)
 	}
+	if ok, err := store.Exists("shared-reviewer", credentials.GitHubAppIDKey); err != nil || ok {
+		t.Fatalf("github_app_id exists = %t, err = %v; want deleted as stale legacy key", ok, err)
+	}
 }
 
 type fakeInitSecretPrompter struct {
diff --git a/internal/cmd/credentialcmd/init_linear_editor.go b/internal/cmd/credentialcmd/init_linear_editor.go
index d06d3e94..3e7a2bac 100644
--- a/internal/cmd/credentialcmd/init_linear_editor.go
+++ b/internal/cmd/credentialcmd/init_linear_editor.go
@@ -583,6 +583,14 @@ func (m *initLinearEditorModel) setFieldDescription(id initLinearFieldID, descri
 	m.document[index].Description = description
 }
 
+func (m *initLinearEditorModel) setFieldTitle(id initLinearFieldID, title string) {
+	index := m.document.fieldIndexByID(id)
+	if index < 0 {
+		return
+	}
+	m.document[index].Title = title
+}
+
 func (m *initLinearEditorModel) selectFieldValue(id initLinearFieldID, value string) {
 	index := m.document.fieldIndexByID(id)
 	if index < 0 {
diff --git a/internal/cmd/credentialcmd/init_profile_v2.go b/internal/cmd/credentialcmd/init_profile_v2.go
index 6b02a3f4..b84dc62f 100644
--- a/internal/cmd/credentialcmd/init_profile_v2.go
+++ b/internal/cmd/credentialcmd/init_profile_v2.go
@@ -334,6 +334,7 @@ func initProfileV2ReadOnlyEditor(ctx initPromptContext, selection string) (initP
 	selectedGit := initGitScopeDraft{
 		Host:            draft.GitHost,
 		AuthMode:        config.GitAuthMode(draft.GitAuth),
+		GitHubAppID:     strings.TrimSpace(draft.GitHubAppID),
 		CredentialStore: initCredentialStoreDraftValue(draft.GitCredentialStore),
 		CredentialRef:   strings.TrimSpace(draft.GitCredentialRef),
 	}
@@ -449,6 +450,7 @@ const (
 	initProfileV2FieldGitScope                             initProfileV2FieldID = "git_scope"
 	initProfileV2FieldGitHost                              initProfileV2FieldID = "git_host"
 	initProfileV2FieldGitAuth                              initProfileV2FieldID = "git_auth"
+	initProfileV2FieldGitHubAppID                          initProfileV2FieldID = "git_github_app_id" // #nosec G101 -- this is a field ID, not a secret value.
 	initProfileV2FieldReviewerEntity                       initProfileV2FieldID = "reviewer_entity"
 	initProfileV2FieldReviewerGitHubAppInstallationSection initProfileV2FieldID = "reviewer_github_app_installation_section"
 	initProfileV2FieldReviewerGitHubAppInstallationMode    initProfileV2FieldID = "reviewer_github_app_installation_mode"
@@ -507,6 +509,7 @@ func initProfileV2AppendGitScopeSection(document *initProfileV2Document, selecte
 		huh.NewOption("Personal access token", string(config.GitAuthModePAT)),
 		huh.NewOption("GitHub App", string(config.GitAuthModeGitHubApp)),
 	}, draft.GitAuth, initProfileV2FieldOptions{Hidden: customHidden})
+	document.addEditableInput(initProfileV2FieldGitHubAppID, "GitHub App ID", "Numeric GitHub App ID. This is not a secret and is saved in config.yml.", draft.GitHubAppID, validateOptionalDecimalID("GitHub App ID"), initProfileV2FieldOptions{Hidden: customHidden || config.GitAuthMode(draft.GitAuth) != config.GitAuthModeGitHubApp})
 }
 
 func initProfileV2AppendReviewerGitHubAppInstallationSection(document *initProfileV2Document, selectedReviewerEntity string, entities map[string]initReviewerEntityDraft, draft initDraft) {
@@ -779,6 +782,10 @@ func (m *initProfileV2ReadOnlyModel) afterFieldChange(index int) {
 		m.syncGitScopeFields()
 		return
 	}
+	if id == initProfileV2FieldGitAuth {
+		m.syncGitScopeFields()
+		return
+	}
 	if id == initProfileV2FieldReviewerEntity {
 		m.syncReviewerGitHubAppInstallationFields(true)
 		return
@@ -840,6 +847,18 @@ func (m initProfileV2ReadOnlyModel) validatedDraft() (initDraft, error) {
 		if gitAuth != "" {
 			draft.GitAuth = gitAuth
 		}
+		if config.GitAuthMode(draft.GitAuth) == config.GitAuthModeGitHubApp {
+			appID := strings.TrimSpace(m.document.fieldValue(initProfileV2FieldGitHubAppID))
+			if appID == "" {
+				return draft, fmt.Errorf("GitHub App ID is required when Git scope auth mode is GitHub App")
+			}
+			if err := validateOptionalDecimalID("GitHub App ID")(appID); err != nil {
+				return draft, err
+			}
+			draft.GitHubAppID = appID
+		} else {
+			draft.GitHubAppID = ""
+		}
 	} else {
 		applyGitScopeSelection(&draft, selectedGitScope, m.gitScopes)
 	}
@@ -959,6 +978,7 @@ func (m *initProfileV2ReadOnlyModel) syncGitScopeFields() {
 		if scope, ok := m.gitScopes[selectedGitScope]; ok {
 			m.setFieldValue(initProfileV2FieldGitHost, scope.Host)
 			m.selectFieldValue(initProfileV2FieldGitAuth, string(scope.AuthMode))
+			m.setFieldValue(initProfileV2FieldGitHubAppID, scope.GitHubAppID)
 			m.selectFieldValue(initProfileV2FieldGitCredentialStore, initCredentialStoreDraftValue(scope.CredentialStore))
 			if strings.TrimSpace(scope.CredentialRef) != "" {
 				m.setFieldValue(initProfileV2FieldGitCredentialName, scope.CredentialRef)
@@ -967,6 +987,14 @@ func (m *initProfileV2ReadOnlyModel) syncGitScopeFields() {
 	}
 	m.setFieldHidden(initProfileV2FieldGitHost, !custom)
 	m.setFieldHidden(initProfileV2FieldGitAuth, !custom)
+	if !custom || config.GitAuthMode(m.document.selectedValue(initProfileV2FieldGitAuth)) != config.GitAuthModeGitHubApp {
+		m.setFieldHidden(initProfileV2FieldGitHubAppID, true)
+		if custom {
+			m.setFieldValue(initProfileV2FieldGitHubAppID, "")
+		}
+	} else {
+		m.setFieldHidden(initProfileV2FieldGitHubAppID, false)
+	}
 	if m.focused >= 0 && m.focused < len(m.document) && m.document[m.focused].Hidden {
 		m.focused = m.document.nextFocusableField(m.focused)
 		if m.focused >= len(m.document) || m.document[m.focused].Hidden {
diff --git a/internal/cmd/credentialcmd/init_reviewer_credential_status.go b/internal/cmd/credentialcmd/init_reviewer_credential_status.go
index 6fc8188b..0857c90d 100644
--- a/internal/cmd/credentialcmd/init_reviewer_credential_status.go
+++ b/internal/cmd/credentialcmd/init_reviewer_credential_status.go
@@ -361,7 +361,11 @@ func initReviewerCredentialStatusDescription(status initReviewerCredentialStatus
 		}
 		lines = append(lines, trimmed)
 	}
-	lines = append(lines, "This is a credential name, not a PAT, GitHub App ID, or private key.")
+	if config.GitAuthMode(status.Ref.Mode) == config.GitAuthModeGitHubApp {
+		lines = append(lines, "GitHub App ID is saved in config.yml. Secret values are collected separately.")
+	} else {
+		lines = append(lines, "This is a credential name, not a PAT or secret value.")
+	}
 	if strings.TrimSpace(status.Unavailable) != "" {
 		lines = append(lines, strings.TrimSpace(status.Unavailable)+".")
 	}
diff --git a/internal/cmd/credentialcmd/init_reviewer_entity_editor.go b/internal/cmd/credentialcmd/init_reviewer_entity_editor.go
index 4e1d5a35..625a98ed 100644
--- a/internal/cmd/credentialcmd/init_reviewer_entity_editor.go
+++ b/internal/cmd/credentialcmd/init_reviewer_entity_editor.go
@@ -22,6 +22,7 @@ const (
 	initReviewerEntityFieldCredentialStore     initLinearFieldID = "reviewer_entity_credential_store"
 	initReviewerEntityFieldSecretLocation      initLinearFieldID = "reviewer_entity_secret_location"
 	initReviewerEntityFieldCredentialStatus    initLinearFieldID = "reviewer_entity_credential_status"
+	initReviewerEntityFieldGitHubAppDetails    initLinearFieldID = "reviewer_entity_github_app_details"
 	initReviewerEntityFieldCredentialValues    initLinearFieldID = "reviewer_entity_credential_values"
 	initReviewerEntityFieldGitToken            initLinearFieldID = "reviewer_entity_git_token"
 	initReviewerEntityFieldGitHubAppID         initLinearFieldID = "reviewer_entity_github_app_id"
@@ -120,6 +121,11 @@ func newReviewerEntityEditorState(entity initReviewerEntityDraft, seed initDraft
 	editDraft := seed
 	kind := entity.Kind
 	applyReviewerEntitySelection(&editDraft, string(kind))
+	if kind == initReviewerEntityKindGitHubApp {
+		editDraft.ReviewerGitHubAppID = strings.TrimSpace(entity.AppID)
+	} else {
+		editDraft.ReviewerGitHubAppID = ""
+	}
 	standardReviewerRef := ""
 	if kind != initReviewerEntityKindUseGitIdentity {
 		if preserveCurrentLocation && standaloneReviewerEntityMode && strings.TrimSpace(editDraft.ReviewerCredentialRef) != "" {
@@ -178,6 +184,7 @@ func (s reviewerEntityEditorState) editor(ctx initPromptContext) initLinearEdito
 			labelInput,
 			validateOptionalDisplayName,
 		)
+		addReviewerEntityGitHubAppConfigFields(&document, s.kind, s.seed.ReviewerGitHubAppID, false)
 		document.addEditableSelect(
 			initReviewerEntityFieldCredentialStore,
 			"Reviewer credential store",
@@ -187,7 +194,7 @@ func (s reviewerEntityEditorState) editor(ctx initPromptContext) initLinearEdito
 		)
 		document.addEditableInput(
 			initReviewerEntityFieldSecretLocation,
-			"Reviewer secret location",
+			reviewerEntitySecretLocationTitle(s.kind),
 			reviewerEntitySecretLocationDescription(s.kind),
 			reviewerSecretLocation,
 			validateOptionalCredentialRef,
@@ -203,7 +210,7 @@ func (s reviewerEntityEditorState) editor(ctx initPromptContext) initLinearEdito
 		})
 		document.addSectionField(
 			initReviewerEntityFieldCredentialStatus,
-			"Reviewer credential status",
+			reviewerEntityCredentialStatusTitle(s.kind),
 			initReviewerCredentialStatusDescription(status),
 		)
 		addReviewerEntityCredentialValueFields(&document, s.kind, false)
@@ -275,6 +282,11 @@ func (s reviewerEntityEditorState) draftFromDocument(ctx initPromptContext, docu
 		return initDraft{}, err
 	}
 	editDraft.ReviewerCredentialStore = initCredentialStoreDraftValue(document.selectedValue(initReviewerEntityFieldCredentialStore))
+	appID, err := reviewerEntityGitHubAppIDFromDocument(s.kind, document)
+	if err != nil {
+		return initDraft{}, err
+	}
+	editDraft.ReviewerGitHubAppID = appID
 	if err := validateReviewerEntityInlineCredentials(ctx, s.seed, s, document); err != nil {
 		return initDraft{}, err
 	}
@@ -311,6 +323,7 @@ func initReviewerEntityLinearEditor(ctx initPromptContext, seed initDraft) initL
 		"",
 		validateOptionalDisplayName,
 	)
+	addReviewerEntityGitHubAppConfigFields(&document, state.kind, state.seed.ReviewerGitHubAppID, true)
 	document.addEditableSelect(
 		initReviewerEntityFieldCredentialStore,
 		"Reviewer credential store",
@@ -320,7 +333,7 @@ func initReviewerEntityLinearEditor(ctx initPromptContext, seed initDraft) initL
 	)
 	document.addEditableInput(
 		initReviewerEntityFieldSecretLocation,
-		"Reviewer secret location",
+		reviewerEntitySecretLocationTitle(state.kind),
 		reviewerEntitySecretLocationDescription(state.kind),
 		"",
 		validateOptionalCredentialRef,
@@ -435,6 +448,24 @@ func initReviewerEntityActionOptions(_ initPromptContext, selection string) []hu
 	return options
 }
 
+func addReviewerEntityGitHubAppConfigFields(document *initLinearDocument, kind initReviewerEntityKind, appID string, hidden bool) {
+	hideGitHubApp := hidden || kind != initReviewerEntityKindGitHubApp
+	document.addSectionField(
+		initReviewerEntityFieldGitHubAppDetails,
+		"GitHub App details",
+		"",
+		initLinearFieldOptions{Hidden: hideGitHubApp},
+	)
+	document.addEditableInput(
+		initReviewerEntityFieldGitHubAppID,
+		"GitHub App ID",
+		"Numeric GitHub App ID. This is not a secret and is saved in config.yml.",
+		strings.TrimSpace(appID),
+		validateOptionalDecimalID("GitHub App ID"),
+		initLinearFieldOptions{Hidden: hideGitHubApp},
+	)
+}
+
 func addReviewerEntityCredentialValueFields(document *initLinearDocument, kind initReviewerEntityKind, hidden bool) {
 	document.addSectionField(
 		initReviewerEntityFieldCredentialValues,
@@ -450,14 +481,6 @@ func addReviewerEntityCredentialValueFields(document *initLinearDocument, kind i
 		nil,
 		initLinearFieldOptions{Hidden: hidden || kind != initReviewerEntityKindPAT},
 	)
-	document.addEditableSecretInput(
-		initReviewerEntityFieldGitHubAppID,
-		"GitHub App ID",
-		"Required for GitHub App reviewers. This is stored as github_app_id at the destination above.",
-		"",
-		nil,
-		initLinearFieldOptions{Hidden: hidden || kind != initReviewerEntityKindGitHubApp},
-	)
 	document.addEditableSecretTextarea(
 		initReviewerEntityFieldGitHubAppPrivateKey,
 		"GitHub App private key",
@@ -474,14 +497,21 @@ func initReviewerEntitySetCredentialFieldsHidden(model *initLinearEditorModel, k
 	hideGitHubApp := hideDetails || kind != initReviewerEntityKindGitHubApp
 	model.setFieldHidden(initReviewerEntityFieldCredentialValues, hideDetails)
 	model.setFieldHidden(initReviewerEntityFieldGitToken, hidePAT)
-	model.setFieldHidden(initReviewerEntityFieldGitHubAppID, hideGitHubApp)
 	model.setFieldHidden(initReviewerEntityFieldGitHubAppPrivateKey, hideGitHubApp)
 }
 
+func initReviewerEntitySetGitHubAppConfigFieldsHidden(model *initLinearEditorModel, kind initReviewerEntityKind, hideDetails bool) {
+	hideGitHubApp := hideDetails || kind != initReviewerEntityKindGitHubApp
+	model.setFieldHidden(initReviewerEntityFieldGitHubAppDetails, hideGitHubApp)
+	model.setFieldHidden(initReviewerEntityFieldGitHubAppID, hideGitHubApp)
+	if hideGitHubApp {
+		model.setFieldValue(initReviewerEntityFieldGitHubAppID, "")
+	}
+}
+
 func initReviewerEntityClearCredentialFieldValues(model *initLinearEditorModel) {
 	for _, id := range []initLinearFieldID{
 		initReviewerEntityFieldGitToken,
-		initReviewerEntityFieldGitHubAppID,
 		initReviewerEntityFieldGitHubAppPrivateKey,
 	} {
 		model.setFieldValue(id, "")
@@ -531,8 +561,6 @@ func initReviewerEntityCredentialFieldKey(id initLinearFieldID) string {
 	switch id {
 	case initReviewerEntityFieldGitToken:
 		return credentials.GitTokenKey
-	case initReviewerEntityFieldGitHubAppID:
-		return credentials.GitHubAppIDKey
 	case initReviewerEntityFieldGitHubAppPrivateKey:
 		return credentials.GitHubAppPrivateKeyKey
 	default:
@@ -544,8 +572,6 @@ func initReviewerEntityCredentialFieldID(key string) initLinearFieldID {
 	switch key {
 	case credentials.GitTokenKey:
 		return initReviewerEntityFieldGitToken
-	case credentials.GitHubAppIDKey:
-		return initReviewerEntityFieldGitHubAppID
 	case credentials.GitHubAppPrivateKeyKey:
 		return initReviewerEntityFieldGitHubAppPrivateKey
 	default:
@@ -778,8 +804,11 @@ func initReviewerEntitySyncLinearFields(model *initLinearEditorModel, ctx initPr
 	model.setFieldHidden(initReviewerEntityFieldCredentialStore, hideDetails)
 	model.setFieldHidden(initReviewerEntityFieldSecretLocation, hideDetails)
 	model.setFieldHidden(initReviewerEntityFieldCredentialStatus, hideDetails)
+	initReviewerEntitySetGitHubAppConfigFieldsHidden(model, state.kind, hideDetails)
 	initReviewerEntitySetCredentialFieldsHidden(model, state.kind, hideDetails)
 	if !hideDetails {
+		model.setFieldTitle(initReviewerEntityFieldSecretLocation, reviewerEntitySecretLocationTitle(state.kind))
+		model.setFieldTitle(initReviewerEntityFieldCredentialStatus, reviewerEntityCredentialStatusTitle(state.kind))
 		model.setFieldDescription(initReviewerEntityFieldSecretLocation, reviewerEntitySecretLocationDescription(state.kind))
 	}
 	if resetDetails && !hideDetails {
@@ -803,6 +832,7 @@ func initReviewerEntitySyncLinearFields(model *initLinearEditorModel, ctx initPr
 			reviewerSecretLocation = initReviewerEntityDefaultSecretLocation(state, labelInput)
 		}
 		model.setFieldValue(initReviewerEntityFieldLabel, labelInput)
+		model.setFieldValue(initReviewerEntityFieldGitHubAppID, strings.TrimSpace(state.seed.ReviewerGitHubAppID))
 		model.selectFieldValue(initReviewerEntityFieldCredentialStore, initCredentialStoreDraftValue(state.seed.ReviewerCredentialStore))
 		model.setFieldValue(initReviewerEntityFieldSecretLocation, reviewerSecretLocation)
 		if locationIndex := model.document.fieldIndexByID(initReviewerEntityFieldSecretLocation); locationIndex >= 0 {
@@ -818,6 +848,20 @@ func initReviewerEntitySyncLinearFields(model *initLinearEditorModel, ctx initPr
 	}
 }
 
+func reviewerEntityGitHubAppIDFromDocument(kind initReviewerEntityKind, document initLinearDocument) (string, error) {
+	if kind != initReviewerEntityKindGitHubApp {
+		return "", nil
+	}
+	appID := strings.TrimSpace(document.fieldValue(initReviewerEntityFieldGitHubAppID))
+	if appID == "" {
+		return "", fmt.Errorf("GitHub App ID is required")
+	}
+	if err := validateOptionalDecimalID("GitHub App ID")(appID); err != nil {
+		return "", err
+	}
+	return appID, nil
+}
+
 func initReviewerEntityRefreshCredentialStatus(model *initLinearEditorModel, ctx initPromptContext, seed initDraft, state reviewerEntityEditorState) {
 	if status, ok := reviewerCredentialStatusForDocument(ctx, seed, state, model.document); ok {
 		model.setFieldDescription(initReviewerEntityFieldCredentialStatus, initReviewerCredentialStatusDescription(status))
@@ -861,18 +905,32 @@ func reviewerEntityKindDetailDescription(kind initReviewerEntityKind) string {
 	if kind != initReviewerEntityKindGitHubApp {
 		return label
 	}
-	return label + ". Required credential keys: " + credentials.GitHubAppIDKey + ", " + credentials.GitHubAppPrivateKeyKey + "."
+	return label + ". GitHub App ID is saved in config.yml; required credential key: " + credentials.GitHubAppPrivateKeyKey + "."
+}
+
+func reviewerEntitySecretLocationTitle(kind initReviewerEntityKind) string {
+	if kind == initReviewerEntityKindGitHubApp {
+		return "Reviewer private-key location"
+	}
+	return "Reviewer secret location"
+}
+
+func reviewerEntityCredentialStatusTitle(kind initReviewerEntityKind) string {
+	if kind == initReviewerEntityKindGitHubApp {
+		return "Reviewer private-key status"
+	}
+	return "Reviewer credential status"
 }
 
 func reviewerEntitySecretLocationDescription(kind initReviewerEntityKind) string {
-	base := "Credential name for this reviewer. This is where cr stores secret values in the selected credential store; it is not a PAT, GitHub App ID, or private key. Change it only if you need a custom credential-store location."
 	if kind == initReviewerEntityKindPAT {
+		base := "Credential name for this reviewer. This is where cr stores the PAT in the selected credential store. Change it only if you need a custom credential-store location."
 		return base + " Store required secret " + credentials.GitTokenKey + " at this name."
 	}
 	if kind == initReviewerEntityKindGitHubApp {
-		return base + " Store required secrets " + credentials.GitHubAppIDKey + " and " + credentials.GitHubAppPrivateKeyKey + " at this name."
+		return "Credential name for this reviewer's GitHub App private key. Change it only if you need a custom credential-store location. Store required secret " + credentials.GitHubAppPrivateKeyKey + " at this name."
 	}
-	return base
+	return "Credential name for this reviewer. Change it only if you need a custom credential-store location."
 }
 
 func initReviewerEntityDraftFromDocument(ctx initPromptContext, seed initDraft, document initLinearDocument) (initDraft, error) {
@@ -895,6 +953,11 @@ func initReviewerEntityDraftFromDocument(ctx initPromptContext, seed initDraft,
 		return initDraft{}, err
 	}
 	editDraft.ReviewerCredentialStore = initCredentialStoreDraftValue(document.selectedValue(initReviewerEntityFieldCredentialStore))
+	appID, err := reviewerEntityGitHubAppIDFromDocument(state.kind, document)
+	if err != nil {
+		return initDraft{}, err
+	}
+	editDraft.ReviewerGitHubAppID = appID
 	if err := validateReviewerEntityInlineCredentials(ctx, seed, state, document); err != nil {
 		return initDraft{}, err
 	}
diff --git a/internal/cmd/mecmd/mecmd_test.go b/internal/cmd/mecmd/mecmd_test.go
index c9dfea1a..c6472329 100644
--- a/internal/cmd/mecmd/mecmd_test.go
+++ b/internal/cmd/mecmd/mecmd_test.go
@@ -167,7 +167,6 @@ func TestMeReviewerGitHubAppAuthJSONUsesReviewerCredentialFlow(t *testing.T) {
 	defer store.Close()
 	privateKey := testPrivateKeyPEM(t)
 	if _, err := store.SetBundle("work-reviewer", map[string]string{
-		credentials.GitHubAppIDKey:         "12345",
 		credentials.GitHubAppPrivateKeyKey: privateKey,
 	}, credstore.WithOverwrite()); err != nil {
 		t.Fatalf("SetBundle reviewer: %v", err)
@@ -180,6 +179,7 @@ func TestMeReviewerGitHubAppAuthJSONUsesReviewerCredentialFlow(t *testing.T) {
 	cfg = withCredentialStore(cfg, testFileCredentialStoreID)
 	work := cfg.Profiles["work"]
 	work.ReviewerCredentials.AuthMode = config.GitAuthModeGitHubApp
+	work.ReviewerCredentials.GitHubApp = &config.GitHubAppConfig{AppID: "12345"}
 	cfg.Profiles["work"] = work
 	cfg = config.Normalize(cfg)
 	work = cfg.Profiles["work"]
@@ -467,7 +467,6 @@ func TestMeGitHubAppRequiresInstallationIDWithoutRepositoryContext(t *testing.T)
 	defer store.Close()
 	privateKey := testPrivateKeyPEM(t)
 	if _, err := store.SetBundle("home", map[string]string{
-		credentials.GitHubAppIDKey:         "12345",
 		credentials.GitHubAppPrivateKeyKey: privateKey,
 	}, credstore.WithOverwrite()); err != nil {
 		t.Fatalf("SetBundle home: %v", err)
@@ -475,6 +474,7 @@ func TestMeGitHubAppRequiresInstallationIDWithoutRepositoryContext(t *testing.T)
 	cfg := fileBackendConfig(t)
 	home := cfg.Profiles["home"]
 	home.Git.AuthMode = config.GitAuthModeGitHubApp
+	home.Git.GitHubApp = &config.GitHubAppConfig{AppID: "12345"}
 	cfg.Profiles["home"] = home
 	path := saveTestConfig(t, cfg)
 	var out bytes.Buffer
@@ -504,7 +504,6 @@ func TestMeGitHubAppGitAuthJSONWithoutReviewerCredentials(t *testing.T) {
 	defer store.Close()
 	privateKey := testPrivateKeyPEM(t)
 	if _, err := store.SetBundle("home", map[string]string{
-		credentials.GitHubAppIDKey:         "12345",
 		credentials.GitHubAppPrivateKeyKey: privateKey,
 	}, credstore.WithOverwrite()); err != nil {
 		t.Fatalf("SetBundle home: %v", err)
@@ -512,6 +511,7 @@ func TestMeGitHubAppGitAuthJSONWithoutReviewerCredentials(t *testing.T) {
 	cfg := fileBackendConfig(t)
 	home := cfg.Profiles["home"]
 	home.Git.AuthMode = config.GitAuthModeGitHubApp
+	home.Git.GitHubApp = &config.GitHubAppConfig{AppID: "12345"}
 	home.ReviewerCredentials = nil
 	cfg.Profiles["home"] = home
 	path := saveTestConfig(t, cfg)
@@ -623,6 +623,8 @@ reviewer_entities:
   work-reviewer:
     host: github.com
     auth_mode: github_app
+    github_app:
+      app_id: "12345"
     credential:
       store: test-memory
       name: codereview/work-reviewer
diff --git a/internal/cmd/noleak/noleak_test.go b/internal/cmd/noleak/noleak_test.go
index b60e38ac..f938fc01 100644
--- a/internal/cmd/noleak/noleak_test.go
+++ b/internal/cmd/noleak/noleak_test.go
@@ -367,7 +367,6 @@ func newAuditHarness(t *testing.T) *auditHarness {
 		h.reviewerSecret,
 		h.llmSecret,
 		h.keyringSecret,
-		h.githubAppIDSecret,
 		h.githubAppPrivateKey,
 		h.githubAppInstallationIDSecret,
 		h.githubAppInstallationToken,
@@ -491,6 +490,7 @@ func (h *auditHarness) githubAppReviewerConfig() config.File {
 	profile := cfg.Profiles["default"]
 	profile.ReviewerCredentials = &config.ReviewerCredentials{
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: h.githubAppIDSecret},
 		Credential:    config.CredentialLocation{Store: auditCredentialStoreID, Name: "codereview/default-reviewer-app"},
 		CredentialRef: "codereview/default-reviewer-app",
 	}
@@ -502,6 +502,7 @@ func (h *auditHarness) githubAppGitConfig() config.File {
 	cfg := h.config()
 	profile := cfg.Profiles["default"]
 	profile.Git.AuthMode = config.GitAuthModeGitHubApp
+	profile.Git.GitHubApp = &config.GitHubAppConfig{AppID: h.githubAppIDSecret}
 	profile.Git.Credential = config.CredentialLocation{Store: auditCredentialStoreID, Name: "codereview/default-app"}
 	profile.Git.CredentialRef = "codereview/default-app"
 	profile.ReviewerCredentials = nil
@@ -542,7 +543,6 @@ func (h *auditHarness) seedGitHubAppConfigShowCredentials(t *testing.T) {
 	cfg := h.githubAppReviewerConfig()
 	h.seedCredentialWrites(t, cfg, []credentialSeed{
 		{ref: "codereview/default", key: credentials.GitTokenKey, secret: h.gitSecret},
-		{ref: "codereview/default-reviewer-app", key: credentials.GitHubAppIDKey, secret: h.githubAppIDSecret},
 		{ref: "codereview/default-reviewer-app", key: credentials.GitHubAppPrivateKeyKey, secret: h.githubAppPrivateKey},
 		{ref: "codereview/default-llm", key: credentials.AnthropicAPIKeyKey, secret: h.llmSecret},
 	})
@@ -552,7 +552,6 @@ func (h *auditHarness) seedGitHubAppGitCredentials(t *testing.T) {
 	t.Helper()
 	cfg := h.githubAppGitConfig()
 	h.seedCredentialWrites(t, cfg, []credentialSeed{
-		{ref: "codereview/default-app", key: credentials.GitHubAppIDKey, secret: h.githubAppIDSecret},
 		{ref: "codereview/default-app", key: credentials.GitHubAppPrivateKeyKey, secret: h.githubAppPrivateKey},
 		{ref: "codereview/default-llm", key: credentials.AnthropicAPIKeyKey, secret: h.llmSecret},
 	})
@@ -562,7 +561,6 @@ func (h *auditHarness) seedGitHubAppGitLookupCredentials(t *testing.T) {
 	t.Helper()
 	cfg := h.githubAppGitConfig()
 	h.seedCredentialWrites(t, cfg, []credentialSeed{
-		{ref: "codereview/default-app", key: credentials.GitHubAppIDKey, secret: h.githubAppIDSecret},
 		{ref: "codereview/default-app", key: credentials.GitHubAppPrivateKeyKey, secret: h.githubAppPrivateKey},
 		{ref: "codereview/default-llm", key: credentials.AnthropicAPIKeyKey, secret: h.llmSecret},
 	})
@@ -573,7 +571,6 @@ func (h *auditHarness) seedGitHubAppReviewerCredentials(t *testing.T) {
 	cfg := h.githubAppReviewerConfig()
 	h.seedCredentialWrites(t, cfg, []credentialSeed{
 		{ref: "codereview/default", key: credentials.GitTokenKey, secret: h.gitSecret},
-		{ref: "codereview/default-reviewer-app", key: credentials.GitHubAppIDKey, secret: h.githubAppIDSecret},
 		{ref: "codereview/default-reviewer-app", key: credentials.GitHubAppPrivateKeyKey, secret: h.githubAppPrivateKey},
 		{ref: "codereview/default-llm", key: credentials.AnthropicAPIKeyKey, secret: h.llmSecret},
 	})
@@ -711,6 +708,7 @@ func gitConfigForReviewerAuth(profile config.Profile) config.GitConfig {
 	return config.GitConfig{
 		Host:          profile.Git.Host,
 		AuthMode:      profile.ReviewerCredentials.AuthMode,
+		GitHubApp:     profile.ReviewerCredentials.GitHubApp,
 		Credential:    profile.ReviewerCredentials.Credential,
 		CredentialRef: profile.ReviewerCredentials.CredentialRef,
 		IdentityCache: profile.ReviewerCredentials.IdentityCache,
diff --git a/internal/cmd/reviewcmd/reviewcmd.go b/internal/cmd/reviewcmd/reviewcmd.go
index 3c23f921..9e68eb3c 100644
--- a/internal/cmd/reviewcmd/reviewcmd.go
+++ b/internal/cmd/reviewcmd/reviewcmd.go
@@ -747,10 +747,16 @@ func gitConfigForReviewerAuth(profile config.Profile) config.GitConfig {
 	if profile.ReviewerCredentials == nil {
 		return profile.Git
 	}
+	var githubApp *config.GitHubAppConfig
+	if profile.ReviewerCredentials.GitHubApp != nil {
+		app := *profile.ReviewerCredentials.GitHubApp
+		githubApp = &app
+	}
 	return config.GitConfig{
 		Host:          profile.Git.Host,
 		AuthMode:      profile.ReviewerCredentials.AuthMode,
 		Credential:    profile.ReviewerCredentials.Credential,
+		GitHubApp:     githubApp,
 		CredentialRef: profile.ReviewerCredentials.CredentialRef,
 		IdentityCache: profile.ReviewerCredentials.IdentityCache,
 	}
diff --git a/internal/config/config.go b/internal/config/config.go
index 140b2080..626640b9 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -184,16 +184,23 @@ type GitConfig struct {
 	Host          string             `yaml:"host" json:"host"`
 	AuthMode      GitAuthMode        `yaml:"auth_mode" json:"auth_mode"`
 	Credential    CredentialLocation `yaml:"credential" json:"credential"`
+	GitHubApp     *GitHubAppConfig   `yaml:"github_app,omitempty" json:"github_app,omitempty"`
 	IdentityCache string             `yaml:"identity_cache,omitempty" json:"identity_cache,omitempty"`
 
 	// CredentialRef is retained as an ignored in-memory compatibility field.
 	CredentialRef string `yaml:"-" json:"-"`
 }
 
+// GitHubAppConfig stores non-secret GitHub App identifiers.
+type GitHubAppConfig struct {
+	AppID string `yaml:"app_id" json:"app_id"`
+}
+
 // ReviewerCredentials optionally identifies separate posting credentials.
 type ReviewerCredentials struct {
 	AuthMode      GitAuthMode        `yaml:"auth_mode" json:"auth_mode"`
 	Credential    CredentialLocation `yaml:"credential" json:"credential"`
+	GitHubApp     *GitHubAppConfig   `yaml:"github_app,omitempty" json:"github_app,omitempty"`
 	DisplayName   string             `yaml:"display_name,omitempty" json:"display_name,omitempty"`
 	IdentityCache string             `yaml:"identity_cache,omitempty" json:"identity_cache,omitempty"`
 
@@ -259,6 +266,7 @@ type ReviewerEntity struct {
 	Host          string             `yaml:"host" json:"host"`
 	AuthMode      GitAuthMode        `yaml:"auth_mode" json:"auth_mode"`
 	Credential    CredentialLocation `yaml:"credential" json:"credential"`
+	GitHubApp     *GitHubAppConfig   `yaml:"github_app,omitempty" json:"github_app,omitempty"`
 	DisplayName   string             `yaml:"display_name,omitempty" json:"display_name,omitempty"`
 	IdentityCache string             `yaml:"identity_cache,omitempty" json:"identity_cache,omitempty"`
 
@@ -1015,6 +1023,9 @@ func validateProfile(cfg File, name string, profile Profile) error {
 	if err := validateCredentialLocation(fmt.Sprintf("profiles.%s.git.credential", name), profile.Git.Credential); err != nil {
 		return err
 	}
+	if err := validateGitHubAppConfig(fmt.Sprintf("profiles.%s.git.github_app", name), profile.Git.AuthMode, profile.Git.GitHubApp); err != nil {
+		return err
+	}
 	if !profile.Reviewer.Kind.Valid() {
 		return invalid("profiles.%s.reviewer.kind %q is invalid", name, profile.Reviewer.Kind)
 	}
@@ -1124,6 +1135,9 @@ func validateEffectiveProfile(name string, profile Profile) error {
 	if err := validateCredentialLocation(name+".git.credential", profile.Git.Credential); err != nil {
 		return err
 	}
+	if err := validateGitHubAppConfig(name+".git.github_app", profile.Git.AuthMode, profile.Git.GitHubApp); err != nil {
+		return err
+	}
 	if profile.ReviewerCredentials != nil {
 		if !profile.ReviewerCredentials.AuthMode.Valid() {
 			return invalid("%s.reviewer_credentials.auth_mode %q is invalid", name, profile.ReviewerCredentials.AuthMode)
@@ -1134,6 +1148,9 @@ func validateEffectiveProfile(name string, profile Profile) error {
 		if err := validateCredentialLocation(name+".reviewer_credentials.credential", profile.ReviewerCredentials.Credential); err != nil {
 			return err
 		}
+		if err := validateGitHubAppConfig(name+".reviewer_credentials.github_app", profile.ReviewerCredentials.AuthMode, profile.ReviewerCredentials.GitHubApp); err != nil {
+			return err
+		}
 	}
 	if err := validateLLMConfig(name+".llm", profile.LLM); err != nil {
 		return err
@@ -1208,12 +1225,34 @@ func validateReviewerEntity(secrets SecretsConfig, name string, entity ReviewerE
 	if err := validateCredentialStoreSelection(secrets, fmt.Sprintf("reviewer_entities.%s.credential.store", name), entity.Credential.Store); err != nil {
 		return err
 	}
+	if err := validateGitHubAppConfig(fmt.Sprintf("reviewer_entities.%s.github_app", name), entity.AuthMode, entity.GitHubApp); err != nil {
+		return err
+	}
 	if err := validateOptionalSingleLine(fmt.Sprintf("reviewer_entities.%s.display_name", name), entity.DisplayName); err != nil {
 		return err
 	}
 	return nil
 }
 
+func validateGitHubAppConfig(path string, authMode GitAuthMode, app *GitHubAppConfig) error {
+	if authMode != GitAuthModeGitHubApp {
+		if app != nil {
+			return invalid("%s must be empty unless auth_mode is github_app", path)
+		}
+		return nil
+	}
+	if app == nil {
+		return invalid("%s.app_id is required for github_app auth", path)
+	}
+	if strings.TrimSpace(app.AppID) == "" {
+		return invalid("%s.app_id is required for github_app auth", path)
+	}
+	if _, err := strconv.ParseInt(strings.TrimSpace(app.AppID), 10, 64); err != nil {
+		return invalid("%s.app_id %q must be a decimal GitHub App ID", path, app.AppID)
+	}
+	return nil
+}
+
 func validateProfileCredentialStoreSelections(cfg File, name string, profile Profile) error {
 	for _, credential := range profileCredentialLocations(cfg, profile) {
 		if err := validateCredentialStoreSelection(cfg.Secrets, fmt.Sprintf("profiles.%s.%s.credential.store", name, credential.path), credential.location.Store); err != nil {
@@ -1671,6 +1710,7 @@ func reviewerEntityFromProfile(profile Profile) ReviewerEntity {
 		AuthMode:      reviewer.AuthMode,
 		Credential:    reviewer.Credential,
 		CredentialRef: reviewer.CredentialRef,
+		GitHubApp:     cloneGitHubAppConfig(reviewer.GitHubApp),
 		DisplayName:   reviewer.DisplayName,
 		IdentityCache: reviewer.IdentityCache,
 	}.normalized()
@@ -1683,9 +1723,17 @@ func reviewerEntityIdentityKey(entity ReviewerEntity) string {
 		string(entity.AuthMode),
 		entity.Credential.Store,
 		entity.Credential.Name,
+		gitHubAppID(entity.GitHubApp),
 	}, "\x00")
 }
 
+func gitHubAppID(app *GitHubAppConfig) string {
+	if app == nil {
+		return ""
+	}
+	return strings.TrimSpace(app.AppID)
+}
+
 func suggestedReviewerEntityName(profileName string, entity ReviewerEntity) string {
 	prefix := strings.TrimSpace(profileName)
 	if prefix != "" {
@@ -1851,6 +1899,7 @@ func (g GitConfig) normalized() GitConfig {
 		g.Credential.Name = g.CredentialRef
 	}
 	g.CredentialRef = g.Credential.Name
+	g.GitHubApp = normalizeGitHubAppForAuth(g.AuthMode, g.GitHubApp)
 	return g
 }
 
@@ -1864,6 +1913,7 @@ func (r ReviewerCredentials) normalized() ReviewerCredentials {
 		r.Credential.Name = r.CredentialRef
 	}
 	r.CredentialRef = r.Credential.Name
+	r.GitHubApp = normalizeGitHubAppForAuth(r.AuthMode, r.GitHubApp)
 	return r
 }
 
@@ -1879,6 +1929,7 @@ func (r ReviewerEntity) normalized() ReviewerEntity {
 		r.Credential.Name = r.CredentialRef
 	}
 	r.CredentialRef = r.Credential.Name
+	r.GitHubApp = normalizeGitHubAppForAuth(r.AuthMode, r.GitHubApp)
 	r.DisplayName = strings.TrimSpace(r.DisplayName)
 	r.IdentityCache = strings.TrimSpace(r.IdentityCache)
 	return r
@@ -1889,12 +1940,29 @@ func (r ReviewerEntity) reviewerCredentials() *ReviewerCredentials {
 	return &ReviewerCredentials{
 		AuthMode:      r.AuthMode,
 		Credential:    r.Credential,
+		GitHubApp:     cloneGitHubAppConfig(r.GitHubApp),
 		DisplayName:   r.DisplayName,
 		IdentityCache: r.IdentityCache,
 		CredentialRef: r.Credential.Name,
 	}
 }
 
+func normalizeGitHubAppForAuth(authMode GitAuthMode, app *GitHubAppConfig) *GitHubAppConfig {
+	if authMode != GitAuthModeGitHubApp || app == nil {
+		return nil
+	}
+	normalized := GitHubAppConfig{AppID: strings.TrimSpace(app.AppID)}
+	return &normalized
+}
+
+func cloneGitHubAppConfig(app *GitHubAppConfig) *GitHubAppConfig {
+	if app == nil {
+		return nil
+	}
+	cloned := *app
+	return &cloned
+}
+
 func (l LLMConfig) normalized() LLMConfig {
 	l.CredentialRef = strings.TrimSpace(l.CredentialRef)
 	l.Credential = l.Credential.normalized()
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index a20a7b03..cdc5f688 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -846,7 +846,9 @@ func TestCredentialRefs(t *testing.T) {
 func TestCredentialRefsIncludesGitHubAppModes(t *testing.T) {
 	profile := validFile().normalized().Profiles["work"]
 	profile.Git.AuthMode = GitAuthModeGitHubApp
+	profile.Git.GitHubApp = &GitHubAppConfig{AppID: "12345"}
 	profile.ReviewerCredentials.AuthMode = GitAuthModeGitHubApp
+	profile.ReviewerCredentials.GitHubApp = &GitHubAppConfig{AppID: "12345"}
 
 	refs, err := CredentialRefs(profile)
 	if err != nil {
@@ -1550,11 +1552,13 @@ func TestValidateAcceptsGitHubAppAuthModes(t *testing.T) {
 		{name: "git github_app", mutate: func(cfg *File) {
 			profile := cfg.Profiles["home"]
 			profile.Git.AuthMode = GitAuthModeGitHubApp
+			profile.Git.GitHubApp = &GitHubAppConfig{AppID: "12345"}
 			cfg.Profiles["home"] = profile
 		}},
 		{name: "reviewer github_app", mutate: func(cfg *File) {
 			entity := cfg.ReviewerEntities["work-reviewer"]
 			entity.AuthMode = GitAuthModeGitHubApp
+			entity.GitHubApp = &GitHubAppConfig{AppID: "12345"}
 			cfg.ReviewerEntities["work-reviewer"] = entity
 			profile := cfg.Profiles["work"]
 			profile.Reviewer.GitHubAppInstallation = &ProfileReviewerGitHubAppInstallation{
@@ -1579,6 +1583,7 @@ func TestValidateProfileReviewerGitHubAppInstallation(t *testing.T) {
 	githubAppReviewer := func(cfg *File) {
 		entity := cfg.ReviewerEntities["work-reviewer"]
 		entity.AuthMode = GitAuthModeGitHubApp
+		entity.GitHubApp = &GitHubAppConfig{AppID: "12345"}
 		cfg.ReviewerEntities["work-reviewer"] = entity
 	}
 	tests := []struct {
@@ -1799,6 +1804,8 @@ reviewer_entities:
     credential:
       store: local-os
       name: codereview/work-reviewer
+    github_app:
+      app_id: "12345"
 profiles:
   work:
     git:
@@ -1807,6 +1814,8 @@ profiles:
       credential:
         store: local-os
         name: codereview/work
+      github_app:
+        app_id: "12345"
     reviewer:
       kind: entity
       entity: work-reviewer
@@ -1838,6 +1847,8 @@ reviewer_entities:
     credential:
       store: local-os
       name: codereview/work-reviewer
+    github_app:
+      app_id: "12345"
     display_name: |
       line one
       line two
@@ -1849,6 +1860,8 @@ profiles:
       credential:
         store: local-os
         name: codereview/work
+      github_app:
+        app_id: "12345"
     reviewer:
       kind: entity
       entity: work-reviewer
diff --git a/internal/credentials/credentials.go b/internal/credentials/credentials.go
index 16ed5f6f..0ecb6999 100644
--- a/internal/credentials/credentials.go
+++ b/internal/credentials/credentials.go
@@ -29,7 +29,8 @@ const (
 
 	// GitTokenKey stores the Git host access token for PAT auth.
 	GitTokenKey = "git_token"
-	// GitHubAppIDKey stores the GitHub App JWT issuer, usually the app ID.
+	// GitHubAppIDKey is a removed legacy key name. App IDs now belong to
+	// non-secret config, not credential bundles.
 	// #nosec G101 -- this is a keyring item name, not a secret value.
 	GitHubAppIDKey = "github_app_id"
 	// GitHubAppPrivateKeyKey stores the GitHub App PEM private key.
@@ -60,7 +61,7 @@ var (
 
 // AllowedKeys is cr's keyring write allowlist.
 func AllowedKeys() []string {
-	return []string{GitTokenKey, GitHubAppIDKey, GitHubAppPrivateKeyKey, AnthropicAPIKeyKey, OpenAIAPIKeyKey}
+	return []string{GitTokenKey, GitHubAppPrivateKeyKey, AnthropicAPIKeyKey, OpenAIAPIKeyKey}
 }
 
 // Ref is a parsed cr credential name.
@@ -496,7 +497,6 @@ func KeySpecsForPurpose(ref config.CredentialRef) ([]KeySpec, error) {
 			return []KeySpec{{Key: GitTokenKey, Required: true}}, nil
 		case config.GitAuthModeGitHubApp:
 			return []KeySpec{
-				{Key: GitHubAppIDKey, Required: true},
 				{Key: GitHubAppPrivateKeyKey, Required: true},
 			}, nil
 		case config.GitAuthModeOAuthDevice:
diff --git a/internal/credentials/credentials_test.go b/internal/credentials/credentials_test.go
index ceb668f2..4c7cef9f 100644
--- a/internal/credentials/credentials_test.go
+++ b/internal/credentials/credentials_test.go
@@ -94,12 +94,13 @@ func TestStoreOptionsInvalidBackendFlag(t *testing.T) {
 }
 
 func TestAllowedKeysExactCredentialMatrix(t *testing.T) {
-	want := []string{GitTokenKey, GitHubAppIDKey, GitHubAppPrivateKeyKey, AnthropicAPIKeyKey, OpenAIAPIKeyKey}
+	want := []string{GitTokenKey, GitHubAppPrivateKeyKey, AnthropicAPIKeyKey, OpenAIAPIKeyKey}
 	if got := AllowedKeys(); !reflect.DeepEqual(got, want) {
 		t.Fatalf("AllowedKeys = %#v, want %#v", got, want)
 	}
 
 	for _, key := range []string{
+		GitHubAppIDKey,
 		GitHubAppInstallationIDKey,
 		LegacyLLMAPIKeyKey,
 		"git_oauth_access_token",
@@ -131,7 +132,6 @@ func TestKeySpecsForPurposeCredentialMatrix(t *testing.T) {
 			name: "user git github app",
 			ref:  config.CredentialRef{Purpose: "git", Ref: "codereview/work", Mode: "github_app"},
 			want: []KeySpec{
-				{Key: GitHubAppIDKey, Required: true},
 				{Key: GitHubAppPrivateKeyKey, Required: true},
 			},
 		},
@@ -139,7 +139,6 @@ func TestKeySpecsForPurposeCredentialMatrix(t *testing.T) {
 			name: "reviewer github app",
 			ref:  config.CredentialRef{Purpose: "reviewer_credentials", Ref: "codereview/work-reviewer", Mode: "github_app"},
 			want: []KeySpec{
-				{Key: GitHubAppIDKey, Required: true},
 				{Key: GitHubAppPrivateKeyKey, Required: true},
 			},
 		},
@@ -208,7 +207,7 @@ func TestValidateAllowedKeyForConfigNarrowsDeclaredRefs(t *testing.T) {
 	if err := ValidateAllowedKeyForConfig(cfg, "codereview/git-a", AnthropicAPIKeyKey); !errors.Is(err, credstore.ErrKeyNotAllowed) {
 		t.Fatalf("ValidateAllowedKeyForConfig git llm key error = %v, want ErrKeyNotAllowed", err)
 	}
-	wantAppKeys := []string{GitHubAppIDKey, GitHubAppPrivateKeyKey}
+	wantAppKeys := []string{GitHubAppPrivateKeyKey}
 	gotAppKeys, err := ExpectedKeysForConfigRef(cfg, "codereview/app")
 	if err != nil {
 		t.Fatalf("ExpectedKeysForConfigRef github_app: %v", err)
@@ -236,6 +235,7 @@ func TestValidateAllowedKeyForConfigNarrowsDeclaredRefs(t *testing.T) {
 func githubAppMatrixProfile(ref string) config.Profile {
 	p := matrixProfile(ref, "codereview/app-llm", config.LLMProviderAnthropic)
 	p.Git.AuthMode = config.GitAuthModeGitHubApp
+	p.Git.GitHubApp = &config.GitHubAppConfig{AppID: "12345"}
 	p.LLM.Auth = config.LLMAuthSubscription
 	p.LLM.Adapter = config.LLMAdapterClaudeCLI
 	p.LLM.CredentialRef = ""
@@ -533,7 +533,6 @@ func TestCredentialStatuses(t *testing.T) {
 				GitTokenKey: true,
 			},
 			"app": {
-				GitHubAppIDKey:         true,
 				GitHubAppPrivateKeyKey: true,
 			},
 			"llm": {
@@ -566,7 +565,6 @@ func TestCredentialStatuses(t *testing.T) {
 			Ref:     "codereview/app",
 			Mode:    "github_app",
 			Keys: []KeyStatus{
-				presentKeyStatus(GitHubAppIDKey, true),
 				presentKeyStatus(GitHubAppPrivateKeyKey, true),
 			},
 		},
@@ -654,9 +652,7 @@ func TestCredentialStatusesUnknown(t *testing.T) {
 func TestCredentialStatusesPartialRequiredBundle(t *testing.T) {
 	store := fakeKeyStatusStore{
 		present: map[string]map[string]bool{
-			"app": {
-				GitHubAppIDKey: true,
-			},
+			"app": {},
 		},
 	}
 	ref := config.CredentialRef{
@@ -674,7 +670,6 @@ func TestCredentialStatusesPartialRequiredBundle(t *testing.T) {
 		Ref:     "codereview/app",
 		Mode:    "github_app",
 		Keys: []KeyStatus{
-			presentKeyStatus(GitHubAppIDKey, true),
 			missingKeyStatus(GitHubAppPrivateKeyKey, true),
 		},
 	}
@@ -696,12 +691,11 @@ func TestMissingRequiredKeys(t *testing.T) {
 		Ref:     "codereview/app",
 		Mode:    "github_app",
 		Keys: []KeyStatus{
-			missingKeyStatus(GitHubAppIDKey, true),
 			unknownKeyStatus(GitHubAppPrivateKeyKey, true, "boom"),
 			missingKeyStatus("optional_test_key", false),
 		},
 	}
-	want := []string{GitHubAppIDKey}
+	var want []string
 	if got := MissingRequiredKeys(status); !reflect.DeepEqual(got, want) {
 		t.Fatalf("MissingRequiredKeys = %#v, want %#v", got, want)
 	}
diff --git a/internal/gitprovider/github/app_auth.go b/internal/gitprovider/github/app_auth.go
index 59ab051e..fa0351aa 100644
--- a/internal/gitprovider/github/app_auth.go
+++ b/internal/gitprovider/github/app_auth.go
@@ -76,9 +76,9 @@ func newGitHubAppFromConfig(ctx context.Context, profile string, store TokenStor
 	if now == nil {
 		now = time.Now
 	}
-	issuer, err := readRequiredCredential(store, profile, credentials.GitHubAppIDKey)
-	if err != nil {
-		return nil, gitprovider.Credential{}, err
+	issuer := strings.TrimSpace(opts.AppID)
+	if issuer == "" {
+		return nil, gitprovider.Credential{}, gitprovider.WrapError(gitprovider.ErrAuth, "", fmt.Errorf("github app app_id is required in config for github_app auth"))
 	}
 	privateKeyPEM, err := readRequiredCredential(store, profile, credentials.GitHubAppPrivateKeyKey)
 	if err != nil {
diff --git a/internal/gitprovider/github/app_auth_test.go b/internal/gitprovider/github/app_auth_test.go
index b7aebb6e..ef7bcb17 100644
--- a/internal/gitprovider/github/app_auth_test.go
+++ b/internal/gitprovider/github/app_auth_test.go
@@ -123,7 +123,7 @@ func TestNewFromGitConfigUsesRepositoryInstallationLookup(t *testing.T) {
 	}))
 	defer server.Close()
 
-	_, credential, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "app-client-id", privateKey), Options{
+	_, credential, err := NewFromGitConfig(githubAppGitConfigWithAppID("codereview/app", "app-client-id"), githubAppStore(t, "app", "app-client-id", privateKey), Options{
 		BaseURL:    server.URL + "/api/v3",
 		GraphQLURL: server.URL + "/api/graphql",
 		InstallationLookup: &InstallationLookup{
@@ -152,7 +152,7 @@ func TestNewFromGitConfigExplainsMissingRepositoryInstallation(t *testing.T) {
 	}))
 	defer server.Close()
 
-	_, _, err := NewFromGitConfig(githubAppGitConfig("codereview/app"), githubAppStore(t, "app", "app-client-id", privateKey), Options{
+	_, _, err := NewFromGitConfig(githubAppGitConfigWithAppID("codereview/app", "app-client-id"), githubAppStore(t, "app", "app-client-id", privateKey), Options{
 		BaseURL:    server.URL,
 		GraphQLURL: server.URL + "/graphql",
 		InstallationLookup: &InstallationLookup{
@@ -295,16 +295,20 @@ func TestNewFromGitConfigRequiresGitHubAppIdentity(t *testing.T) {
 }
 
 func githubAppGitConfig(ref string) config.GitConfig {
+	return githubAppGitConfigWithAppID(ref, "12345")
+}
+
+func githubAppGitConfigWithAppID(ref string, appID string) config.GitConfig {
 	return config.GitConfig{
 		Host:          "github.com",
 		AuthMode:      config.GitAuthModeGitHubApp,
+		GitHubApp:     &config.GitHubAppConfig{AppID: appID},
 		CredentialRef: ref,
 	}
 }
 
 func githubAppStore(_ *testing.T, profile, appID, privateKey string) tokenStore {
 	values := map[string]string{
-		credentials.GitHubAppIDKey:         appID,
 		credentials.GitHubAppPrivateKeyKey: privateKey,
 	}
 	return tokenStore{profile: values}
diff --git a/internal/gitprovider/github/client.go b/internal/gitprovider/github/client.go
index 5b4cb6df..a0d1e200 100644
--- a/internal/gitprovider/github/client.go
+++ b/internal/gitprovider/github/client.go
@@ -46,6 +46,7 @@ type Options struct {
 	BaseURL            string
 	GraphQLURL         string
 	Now                func() time.Time
+	AppID              string
 	InstallationID     string
 	InstallationLookup *InstallationLookup
 }
@@ -111,6 +112,9 @@ func NewFromGitConfig(git config.GitConfig, store TokenStore, opts Options) (*Cl
 		return client, credential, nil
 	case config.GitAuthModeGitHubApp:
 		opts.Host = host
+		if git.GitHubApp != nil {
+			opts.AppID = strings.TrimSpace(git.GitHubApp.AppID)
+		}
 		ctx, cancel := context.WithTimeout(context.Background(), gitHubAppInitTimeout)
 		defer cancel()
 		return newGitHubAppFromConfig(ctx, parsed.Profile, store, opts)
diff --git a/internal/identity/identity.go b/internal/identity/identity.go
index ca2a6ea0..550f64d9 100644
--- a/internal/identity/identity.go
+++ b/internal/identity/identity.go
@@ -145,10 +145,16 @@ func identitySource(profile config.Profile) (CredentialSource, config.GitConfig,
 }
 
 func reviewerIdentitySource(profile config.Profile) (config.GitConfig, string) {
+	var githubApp *config.GitHubAppConfig
+	if profile.ReviewerCredentials.GitHubApp != nil {
+		app := *profile.ReviewerCredentials.GitHubApp
+		githubApp = &app
+	}
 	return config.GitConfig{
 		Host:          profile.Git.Host,
 		AuthMode:      profile.ReviewerCredentials.AuthMode,
 		Credential:    profile.ReviewerCredentials.Credential,
+		GitHubApp:     githubApp,
 		CredentialRef: profile.ReviewerCredentials.CredentialRef,
 		IdentityCache: profile.ReviewerCredentials.IdentityCache,
 	}, profile.ReviewerCredentials.IdentityCache

From 3ab7725de595ea1b0e65522d190a429449937779 Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Mon, 22 Jun 2026 07:25:12 -0400
Subject: [PATCH 09/27] Add repository access config schema

---
 docs/init-config-surface.md    |   1 +
 internal/config/config.go      | 108 ++++++++++++++++++--------
 internal/config/config_test.go | 137 +++++++++++++++++++++++++++++++++
 3 files changed, 213 insertions(+), 33 deletions(-)

diff --git a/docs/init-config-surface.md b/docs/init-config-surface.md
index 888ff192..d1ee45c1 100644
--- a/docs/init-config-surface.md
+++ b/docs/init-config-surface.md
@@ -42,6 +42,7 @@ intentionally unsupported.
 | Path | Interactive handling | Scripted owner | Defaults and second-run prepopulation | Mutation semantics | Helper/command owner and expected tests |
 |------|----------------------|----------------|---------------------------------------|--------------------|-----------------------------------------|
 | config.secrets.stores | Configure secrets storage creates and edits user-configured credential stores. The built-in OS credential store is projected as `local-os` and is not persisted here. | Interactive main-menu secrets-storage flow only. Scripted credential writes choose an existing store explicitly. | Omitted means only the built-in OS credential store is available. Existing stores are pre-populated in the inventory. | Store ids must not be `local-os`. Store metadata is non-secret. Creating, editing, and deleting configured stores never deletes credential values. | #356 establishes explicit stores and removes ambient/default credential-store selection. |
+| config.repository_access | Configure repository access creates and edits reusable Git host/user credential definitions independently from review profiles. Profiles select one configured repository access item when composing a reviewer. | Interactive main-menu repository-access flow only for now. Future config commands may own scripted repository-access CRUD. | Omitted means no reusable repository access is configured yet. Existing profile Git blocks may be projected into repository access during the staged rewrite. | Repository access names are stable ids. Definitions store host, auth mode, non-secret GitHub App ID when applicable, and an explicit credential location. They never store secret values. | Repository-access data model tests and init repository-access UX tests. |
 | config.llm_runtimes | Configure LLM runtimes creates and edits reusable runtime definitions independently from review profiles. Profiles select one configured runtime when composing a reviewer. | Interactive main-menu LLM runtime flow only for now. Future config commands may own scripted runtime CRUD. | Omitted means no reusable runtimes are configured yet. The profile editor can send the user to the runtime flow when no runtime exists. Existing runtimes are pre-populated in the inventory. | Runtime names are stable ids. Subscription runtimes store only non-secret provider/auth/adapter settings. API-key runtimes store an explicit credential location and never the secret value. Deleting a runtime requires affected profiles to select a replacement or be edited. | #356 makes runtime setup standalone and keeps profile composition explicit. |
 | config.repository_profiles[] | Route editor opens directly with existing namespace and repo routes prefilled so the user can edit them in place or blank the field to remove all routes for the profile. | Existing `cr config route set` and `cr config route unset`; #186 documents route commands. #187 must not add a nested multi-route init grammar. | Empty or omitted means no automatic repository profile selection; runtime commands require `--profile` until a matching route is configured. Existing routes are prefilled on later runs. | Leaving the prefilled text unchanged preserves routes. Mutations must converge through shared route helpers and preserve unrelated routes. Blanking the field removes the profile's routes. | #177 extracts route helpers. #185 tests list/edit/remove, route canonicalization, and preservation. |
 | config.repository_profiles[].profile | Route wizard selects the profile that a route resolves to. | Existing `cr config route set --profile <name> ...`. | No default inside an entry; required when a route exists. Existing profile is pre-populated. | Overwrite only to an existing profile. Profile rename updates matching route entries. | #177 profile rename/route reference helper. #185 tests rename updates and invalid profile rejection. |
diff --git a/internal/config/config.go b/internal/config/config.go
index 626640b9..20c8a32d 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -44,12 +44,13 @@ var (
 
 // File is the root config.yml schema.
 type File struct {
-	Secrets            SecretsConfig             `yaml:"secrets,omitempty" json:"secrets,omitempty"`
-	LLMRuntimes        map[string]LLMConfig      `yaml:"llm_runtimes,omitempty" json:"llm_runtimes,omitempty"`
-	ReviewerEntities   map[string]ReviewerEntity `yaml:"reviewer_entities,omitempty" json:"reviewer_entities,omitempty"`
-	RepositoryProfiles []RepositoryProfile       `yaml:"repository_profiles,omitempty" json:"repository_profiles,omitempty"`
-	Profiles           map[string]Profile        `yaml:"profiles,omitempty" json:"profiles,omitempty"`
-	Data               DataConfig                `yaml:"data,omitempty" json:"data"`
+	Secrets            SecretsConfig                     `yaml:"secrets,omitempty" json:"secrets,omitempty"`
+	RepositoryAccess   map[string]RepositoryAccessConfig `yaml:"repository_access,omitempty" json:"repository_access,omitempty"`
+	LLMRuntimes        map[string]LLMConfig              `yaml:"llm_runtimes,omitempty" json:"llm_runtimes,omitempty"`
+	ReviewerEntities   map[string]ReviewerEntity         `yaml:"reviewer_entities,omitempty" json:"reviewer_entities,omitempty"`
+	RepositoryProfiles []RepositoryProfile               `yaml:"repository_profiles,omitempty" json:"repository_profiles,omitempty"`
+	Profiles           map[string]Profile                `yaml:"profiles,omitempty" json:"profiles,omitempty"`
+	Data               DataConfig                        `yaml:"data,omitempty" json:"data"`
 
 	// Keyring is retained as an ignored in-memory compatibility field while
 	// credential-store runtime selection is rewritten. It is not config schema.
@@ -196,6 +197,12 @@ type GitHubAppConfig struct {
 	AppID string `yaml:"app_id" json:"app_id"`
 }
 
+// RepositoryAccessConfig is one reusable Git host/user credential definition.
+type RepositoryAccessConfig struct {
+	DisplayName string    `yaml:"display_name,omitempty" json:"display_name,omitempty"`
+	Git         GitConfig `yaml:"git" json:"git"`
+}
+
 // ReviewerCredentials optionally identifies separate posting credentials.
 type ReviewerCredentials struct {
 	AuthMode      GitAuthMode        `yaml:"auth_mode" json:"auth_mode"`
@@ -717,6 +724,7 @@ func Save(path string, cfg File) error {
 func fileHasNoExplicitContent(cfg File) bool {
 	return cfg.Secrets.Stores == nil &&
 		cfg.Secrets.Profiles == nil &&
+		cfg.RepositoryAccess == nil &&
 		cfg.LLMRuntimes == nil &&
 		cfg.ReviewerEntities == nil &&
 		cfg.RepositoryProfiles == nil &&
@@ -771,6 +779,14 @@ func Validate(cfg File) error {
 	if err := ValidateRetention(cfg.Data.Retention); err != nil {
 		return err
 	}
+	for name, access := range cfg.RepositoryAccess {
+		if strings.TrimSpace(name) == "" {
+			return invalid("repository_access name is required")
+		}
+		if err := validateRepositoryAccess(cfg.Secrets, name, access); err != nil {
+			return err
+		}
+	}
 	for name, runtime := range cfg.LLMRuntimes {
 		if strings.TrimSpace(name) == "" {
 			return invalid("llm_runtimes name is required")
@@ -1011,19 +1027,7 @@ func gitCredentialRef(purpose string, mode GitAuthMode, credential CredentialLoc
 }
 
 func validateProfile(cfg File, name string, profile Profile) error {
-	if strings.TrimSpace(profile.Git.Host) == "" {
-		return invalid("profiles.%s.git.host is required", name)
-	}
-	if !profile.Git.AuthMode.Valid() {
-		return invalid("profiles.%s.git.auth_mode %q is invalid", name, profile.Git.AuthMode)
-	}
-	if !profile.Git.AuthMode.Supported() {
-		return fmt.Errorf("%w: profiles.%s.git.auth_mode %q", ErrUnsupported, name, profile.Git.AuthMode)
-	}
-	if err := validateCredentialLocation(fmt.Sprintf("profiles.%s.git.credential", name), profile.Git.Credential); err != nil {
-		return err
-	}
-	if err := validateGitHubAppConfig(fmt.Sprintf("profiles.%s.git.github_app", name), profile.Git.AuthMode, profile.Git.GitHubApp); err != nil {
+	if err := validateGitConfig(fmt.Sprintf("profiles.%s.git", name), profile.Git); err != nil {
 		return err
 	}
 	if !profile.Reviewer.Kind.Valid() {
@@ -1123,19 +1127,7 @@ func validateProfileReviewerInstallation(profileName string, reviewer ProfileRev
 }
 
 func validateEffectiveProfile(name string, profile Profile) error {
-	if strings.TrimSpace(profile.Git.Host) == "" {
-		return invalid("%s.git.host is required", name)
-	}
-	if !profile.Git.AuthMode.Valid() {
-		return invalid("%s.git.auth_mode %q is invalid", name, profile.Git.AuthMode)
-	}
-	if !profile.Git.AuthMode.Supported() {
-		return fmt.Errorf("%w: %s.git.auth_mode %q", ErrUnsupported, name, profile.Git.AuthMode)
-	}
-	if err := validateCredentialLocation(name+".git.credential", profile.Git.Credential); err != nil {
-		return err
-	}
-	if err := validateGitHubAppConfig(name+".git.github_app", profile.Git.AuthMode, profile.Git.GitHubApp); err != nil {
+	if err := validateGitConfig(name+".git", profile.Git); err != nil {
 		return err
 	}
 	if profile.ReviewerCredentials != nil {
@@ -1234,6 +1226,38 @@ func validateReviewerEntity(secrets SecretsConfig, name string, entity ReviewerE
 	return nil
 }
 
+func validateRepositoryAccess(secrets SecretsConfig, name string, access RepositoryAccessConfig) error {
+	if err := validateOptionalSingleLine(fmt.Sprintf("repository_access.%s.display_name", name), access.DisplayName); err != nil {
+		return err
+	}
+	if err := validateGitConfig(fmt.Sprintf("repository_access.%s.git", name), access.Git); err != nil {
+		return err
+	}
+	if err := validateCredentialStoreSelection(secrets, fmt.Sprintf("repository_access.%s.git.credential.store", name), access.Git.Credential.Store); err != nil {
+		return err
+	}
+	return nil
+}
+
+func validateGitConfig(path string, git GitConfig) error {
+	if strings.TrimSpace(git.Host) == "" {
+		return invalid("%s.host is required", path)
+	}
+	if !git.AuthMode.Valid() {
+		return invalid("%s.auth_mode %q is invalid", path, git.AuthMode)
+	}
+	if !git.AuthMode.Supported() {
+		return fmt.Errorf("%w: %s.auth_mode %q", ErrUnsupported, path, git.AuthMode)
+	}
+	if err := validateCredentialLocation(path+".credential", git.Credential); err != nil {
+		return err
+	}
+	if err := validateGitHubAppConfig(path+".github_app", git.AuthMode, git.GitHubApp); err != nil {
+		return err
+	}
+	return nil
+}
+
 func validateGitHubAppConfig(path string, authMode GitAuthMode, app *GitHubAppConfig) error {
 	if authMode != GitAuthModeGitHubApp {
 		if app != nil {
@@ -1510,6 +1534,13 @@ func ValidateRetention(retention RetentionConfig) error {
 }
 
 func (cfg File) normalized() File {
+	if cfg.RepositoryAccess != nil {
+		accesses := make(map[string]RepositoryAccessConfig, len(cfg.RepositoryAccess))
+		for name, access := range cfg.RepositoryAccess {
+			accesses[strings.TrimSpace(name)] = access.normalized()
+		}
+		cfg.RepositoryAccess = accesses
+	}
 	if cfg.LLMRuntimes != nil {
 		runtimes := make(map[string]LLMConfig, len(cfg.LLMRuntimes))
 		for name, runtime := range cfg.LLMRuntimes {
@@ -1890,6 +1921,8 @@ func (i ProfileReviewerGitHubAppInstallation) normalized() ProfileReviewerGitHub
 }
 
 func (g GitConfig) normalized() GitConfig {
+	g.Host = normalizeConfigHost(g.Host)
+	g.AuthMode = GitAuthMode(strings.TrimSpace(string(g.AuthMode)))
 	g.CredentialRef = strings.TrimSpace(g.CredentialRef)
 	g.Credential = g.Credential.normalized()
 	if g.Credential.Name == "" && g.CredentialRef != "" {
@@ -1903,6 +1936,12 @@ func (g GitConfig) normalized() GitConfig {
 	return g
 }
 
+func (r RepositoryAccessConfig) normalized() RepositoryAccessConfig {
+	r.DisplayName = strings.TrimSpace(r.DisplayName)
+	r.Git = r.Git.normalized()
+	return r
+}
+
 func (r ReviewerCredentials) normalized() ReviewerCredentials {
 	r.CredentialRef = strings.TrimSpace(r.CredentialRef)
 	r.Credential = r.Credential.normalized()
@@ -1948,10 +1987,13 @@ func (r ReviewerEntity) reviewerCredentials() *ReviewerCredentials {
 }
 
 func normalizeGitHubAppForAuth(authMode GitAuthMode, app *GitHubAppConfig) *GitHubAppConfig {
-	if authMode != GitAuthModeGitHubApp || app == nil {
+	if app == nil {
 		return nil
 	}
 	normalized := GitHubAppConfig{AppID: strings.TrimSpace(app.AppID)}
+	if authMode != GitAuthModeGitHubApp {
+		return &normalized
+	}
 	return &normalized
 }
 
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index cdc5f688..9771d463 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -1010,6 +1010,143 @@ func TestValidateAllowsLLMRuntimesWithoutReviewProfiles(t *testing.T) {
 	}
 }
 
+func TestValidateAllowsRepositoryAccessWithoutReviewProfiles(t *testing.T) {
+	cfg := File{
+		RepositoryAccess: map[string]RepositoryAccessConfig{
+			"personal-github": {
+				DisplayName: "Personal GitHub",
+				Git: GitConfig{
+					Host:     " GitHub.com ",
+					AuthMode: GitAuthModePAT,
+					Credential: CredentialLocation{
+						Store: LocalOSCredentialStoreID,
+						Name:  "codereview/personal-github",
+					},
+				},
+			},
+			"work-app": {
+				Git: GitConfig{
+					Host:     "github.example.com",
+					AuthMode: GitAuthModeGitHubApp,
+					Credential: CredentialLocation{
+						Store: LocalOSCredentialStoreID,
+						Name:  "codereview/work-github-app",
+					},
+					GitHubApp: &GitHubAppConfig{AppID: "12345"},
+				},
+			},
+		},
+	}
+	if err := Validate(cfg); err != nil {
+		t.Fatalf("Validate repository-access-only config: %v", err)
+	}
+
+	path := filepath.Join(t.TempDir(), "config.yml")
+	if err := Save(path, cfg); err != nil {
+		t.Fatalf("Save repository-access-only config: %v", err)
+	}
+	loaded, err := Load(path)
+	if err != nil {
+		t.Fatalf("Load repository-access-only config: %v", err)
+	}
+	if len(loaded.Profiles) != 0 {
+		t.Fatalf("loaded profiles = %#v, want none", loaded.Profiles)
+	}
+	if got := loaded.RepositoryAccess["personal-github"].Git.Host; got != "github.com" {
+		t.Fatalf("repository access host = %q, want github.com", got)
+	}
+	if got := loaded.RepositoryAccess["work-app"].Git.GitHubApp.AppID; got != "12345" {
+		t.Fatalf("repository access app id = %q, want 12345", got)
+	}
+}
+
+func TestValidateRepositoryAccess(t *testing.T) {
+	tests := []struct {
+		name    string
+		mutate  func(*File)
+		wantErr error
+		wantMsg string
+	}{
+		{
+			name: "blank name",
+			mutate: func(cfg *File) {
+				cfg.RepositoryAccess[" "] = cfg.RepositoryAccess["work"]
+				delete(cfg.RepositoryAccess, "work")
+			},
+			wantErr: ErrInvalid,
+			wantMsg: "repository_access name is required",
+		},
+		{
+			name: "missing host",
+			mutate: func(cfg *File) {
+				access := cfg.RepositoryAccess["work"]
+				access.Git.Host = ""
+				cfg.RepositoryAccess["work"] = access
+			},
+			wantErr: ErrInvalid,
+			wantMsg: "repository_access.work.git.host is required",
+		},
+		{
+			name: "unknown store",
+			mutate: func(cfg *File) {
+				access := cfg.RepositoryAccess["work"]
+				access.Git.Credential.Store = "missing"
+				cfg.RepositoryAccess["work"] = access
+			},
+			wantErr: ErrSecretsStoreNotFound,
+			wantMsg: `repository_access.work.git.credential.store "missing"`,
+		},
+		{
+			name: "github app requires app id",
+			mutate: func(cfg *File) {
+				access := cfg.RepositoryAccess["work"]
+				access.Git.AuthMode = GitAuthModeGitHubApp
+				access.Git.GitHubApp = nil
+				cfg.RepositoryAccess["work"] = access
+			},
+			wantErr: ErrInvalid,
+			wantMsg: "repository_access.work.git.github_app.app_id is required",
+		},
+		{
+			name: "pat rejects github app config",
+			mutate: func(cfg *File) {
+				access := cfg.RepositoryAccess["work"]
+				access.Git.GitHubApp = &GitHubAppConfig{AppID: "12345"}
+				cfg.RepositoryAccess["work"] = access
+			},
+			wantErr: ErrInvalid,
+			wantMsg: "repository_access.work.git.github_app must be empty unless auth_mode is github_app",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cfg := File{
+				RepositoryAccess: map[string]RepositoryAccessConfig{
+					"work": {
+						Git: GitConfig{
+							Host:     "github.com",
+							AuthMode: GitAuthModePAT,
+							Credential: CredentialLocation{
+								Store: LocalOSCredentialStoreID,
+								Name:  "codereview/work",
+							},
+						},
+					},
+				},
+			}
+			tt.mutate(&cfg)
+			err := Validate(cfg)
+			if !errors.Is(err, tt.wantErr) {
+				t.Fatalf("Validate error = %v, want %v", err, tt.wantErr)
+			}
+			if tt.wantMsg != "" && !strings.Contains(err.Error(), tt.wantMsg) {
+				t.Fatalf("Validate error = %q, want containing %q", err.Error(), tt.wantMsg)
+			}
+		})
+	}
+}
+
 func TestValidateSecretsStores(t *testing.T) {
 	tests := []struct {
 		name    string

From eb2b79792f9e5d533f3dcd2514ce62a9a09fc5f7 Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Mon, 22 Jun 2026 07:34:03 -0400
Subject: [PATCH 10/27] Wire profiles through repository access

---
 docs/init-config-surface.md                   |  19 ++-
 internal/cmd/credentialcmd/credentialcmd.go   |  86 +++++++++++++
 .../cmd/credentialcmd/credentialcmd_test.go   |   7 +-
 internal/config/config.go                     | 116 +++++++++++++++++-
 internal/config/config_test.go                |  58 ++++-----
 internal/identity/identity.go                 |  20 +++
 6 files changed, 252 insertions(+), 54 deletions(-)

diff --git a/docs/init-config-surface.md b/docs/init-config-surface.md
index d1ee45c1..e0b31a09 100644
--- a/docs/init-config-surface.md
+++ b/docs/init-config-surface.md
@@ -50,12 +50,7 @@ intentionally unsupported.
 | config.repository_profiles[].match.namespace | Route wizard asks for owner/org or derives from PR URL. | Existing `cr config route set --namespace`. | Required for a route. Existing namespace is pre-populated. | Overwrite validates non-empty and preserves repo-vs-namespace route identity. | #177 route helper. #185 namespace route tests. |
 | config.repository_profiles[].match.repos[] | Route wizard supports namespace-wide route when omitted or repo-specific routes when provided. | Existing repeatable `cr config route set --repo` and `cr config route unset --repo`. | Omitted means namespace-wide route. Existing repos are pre-populated in deterministic order. | Preserve on skip. Add/edit/remove dedupes and sorts via shared route helper. Clear repos converts only when the user explicitly chooses namespace-wide routing. | #177 route helper. #185 repo route and namespace conversion tests. |
 | config.profiles.<name> | Core profile wizard selects existing profile, creates a new profile, or renames an existing profile. | Existing global `--profile` with `cr init --non-interactive` owns scripted create/replace. Scripted rename is intentionally unsupported by init and belongs to future profile-management command design. | New profile names start blank. Existing profile names are pre-populated. | Create requires a valid profile body. Rename preserves credential locations by default, updates repository routes, and does not delete old credential-store entries. | #177 profile rename helper. #180 tests create/select/rename and validation. |
-| config.profiles.<name>.git.host | Core profile wizard edits Git host. | Existing `cr init --git-host`; existing route commands own route-safe scripted changes. | Current init defaults to `github.com`. Existing value is pre-populated. | Set validates non-empty normalized host. If routes reference the profile and reconciliation is not selected, block or defer the edit. | #180 blocks/defer route-unsafe host edits. #185 implements reconciliation tests. |
-| config.profiles.<name>.git.auth_mode | Core profile wizard chooses `pat` or `github_app`; `oauth_device` remains reserved. | `cr init --git-auth-mode`, parallel to existing reviewer auth mode. Current init otherwise defaults user Git auth to PAT. | Existing value is pre-populated. New profile defaults to `pat`. | Overwrite only to supported v1 modes. Switching auth modes re-plans credential keys but does not delete old secrets. | #179 credential-ref/key-spec planner. #180 auth-mode prompt tests. |
-| config.profiles.<name>.git.github_app.app_id | Core profile wizard stores the non-secret GitHub App ID when user Git auth uses `github_app`. | `cr init --git-github-app-id` when `--git-auth-mode github_app` is used. | Required for GitHub App auth. Existing value is pre-populated. Empty for PAT auth. | Must be a decimal GitHub App ID. It is config, not credential-store secret material. Switching Git auth away from GitHub App clears it. | GitHub App config validation and init profile tests. |
-| config.profiles.<name>.git.credential.store | User Git auth chooses an existing credential store before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --store`. | New profiles start with `local-os` selected. Existing store id is pre-populated. | Must be `local-os` or a configured store id. Store setup is not available inline from this flow. | #356 explicit destination tests. |
-| config.profiles.<name>.git.credential.name | User Git auth names the credential bundle before any secret ingress. | Interactive credential-writing flows and scripted `cr set-credential --name`. | New profile defaults to `codereview/<profile>`. Existing name is pre-populated and preserved by default. | Must use the `codereview/<profile>` credential grammar. It must differ from other credentials in the same profile when the store also matches. | #356 explicit credential-location tests. |
-| config.profiles.<name>.git.identity_cache | Not shown as an editable init field. Preserve only. | Intentionally unsupported for init and config mutation. Runtime identity refresh owns it. | Existing cache is preserved. New profiles omit it. | Preserve unless a future explicit cache invalidation ticket owns behavior. Profile rename does not rewrite cache contents. | Preserve-only regression in #177/#180. |
+| config.profiles.<name>.repository_access | Review profile composition selects one configured repository access definition. | Interactive review-profile flow only for now. Existing `cr init --git-*` flags populate or update repository access during the staged CLI rewrite. | New profiles require an explicit repository access selection. Existing legacy profile Git blocks may be projected into this field during the staged rewrite. | Must reference `config.repository_access`. Route host validation uses the selected repository access Git host. | Repository-access reference validation tests and init profile composition tests. |
 | config.reviewer_entities | Configure reviewer entities creates and edits reusable posting identities independently from review profiles. Entity definitions include host, auth mode, credential location, display name, and identity cache. | Interactive main-menu reviewer-entity flow only for now. Future config commands may own scripted reviewer-entity CRUD. | Omitted means no separate reviewer identities are configured yet. Profiles can still choose `git_identity`. Existing entities are pre-populated in the inventory. | Entity names are stable ids. PAT and GitHub App entities store explicit credential locations and never the secret values. Deleting a referenced entity requires affected profiles to select a replacement or use Git identity. | First-class reviewer-entity data model tests and init reviewer-entity UX tests. |
 | config.profiles.<name>.reviewer.kind | Review profile composition chooses whether posting uses the profile Git account or a configured reviewer entity. | Interactive review-profile flow only for now. | New profiles require an explicit choice. Existing value is pre-populated. | `git_identity` requires empty `reviewer.entity`; `entity` requires an existing reviewer entity whose host matches profile Git host. | First-class reviewer-reference validation tests. |
 | config.profiles.<name>.reviewer.entity | Review profile composition selects one configured reviewer entity when `reviewer.kind` is `entity`. | Interactive review-profile flow only for now. | Empty for `git_identity`. Existing entity reference is pre-populated. | Must reference `config.reviewer_entities`. The entity credential must differ from Git and selected LLM runtime credentials when the store also matches. | First-class reviewer-reference validation tests. |
@@ -72,12 +67,14 @@ intentionally unsupported.
 
 ## Profile Lifecycle Semantics
 
-Each credential-writing workflow stores an explicit credential location in the
-profile: `credential.store` plus `credential.name`. The built-in OS credential
-store is always addressable as `local-os`, and user-configured stores live under
+Each credential-writing workflow stores an explicit credential location:
+`credential.store` plus `credential.name`. User Git locations live on
+repository access definitions, reviewer locations live on reviewer entities, and
+LLM API-key locations live on LLM runtimes. The built-in OS credential store is
+always addressable as `local-os`, and user-configured stores live under
 `secrets.stores`. Runtime code must use the credential location attached to the
-Git, reviewer, or LLM credential being read or written; it must not infer a
-destination from a profile-level or global credential-store default.
+specific Git, reviewer, or LLM credential being read or written; it must not
+infer a destination from a profile-level or global credential-store default.
 
 The same `credential.name` may appear in different stores. Within one profile,
 credential locations must not collide when both the store and name match.
diff --git a/internal/cmd/credentialcmd/credentialcmd.go b/internal/cmd/credentialcmd/credentialcmd.go
index 8326b23b..7fcd0c09 100644
--- a/internal/cmd/credentialcmd/credentialcmd.go
+++ b/internal/cmd/credentialcmd/credentialcmd.go
@@ -4431,6 +4431,7 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 			profile.ReviewerCredentials.IdentityCache = previousProfile.ReviewerCredentials.IdentityCache
 		}
 	}
+	cfg, profile = materializeProfileRepositoryAccess(cfg, profileName, profile)
 	cfg, profile = materializeProfileReviewerEntity(cfg, profileName, profile)
 	cfg, profile = materializeProfileLLMRuntime(cfg, profileName, profile)
 
@@ -4520,6 +4521,7 @@ func buildInteractiveInitWorkspace(cmd *cobra.Command, opts *root.Options, flags
 	if err != nil {
 		return initWorkspaceDraft{}, err
 	}
+	working, profile = materializeProfileRepositoryAccess(working, profileName, profile)
 	working, profile = materializeProfileReviewerEntity(working, profileName, profile)
 	working, profile = materializeProfileLLMRuntime(working, profileName, profile)
 	if err := validateInteractiveInitConfig(initValidationConfigForProfileHost(working, profileName, previousProfile, profile.Git.Host)); err != nil {
@@ -5593,6 +5595,16 @@ func cloneInitConfigFile(cfg config.File) config.File {
 			cloned.Profiles[name] = cloneInitProfile(profile)
 		}
 	}
+	if cfg.RepositoryAccess != nil {
+		cloned.RepositoryAccess = make(map[string]config.RepositoryAccessConfig, len(cfg.RepositoryAccess))
+		for name, access := range cfg.RepositoryAccess {
+			if access.Git.GitHubApp != nil {
+				app := *access.Git.GitHubApp
+				access.Git.GitHubApp = &app
+			}
+			cloned.RepositoryAccess[name] = access
+		}
+	}
 	if len(cfg.RepositoryProfiles) > 0 {
 		cloned.RepositoryProfiles = make([]config.RepositoryProfile, len(cfg.RepositoryProfiles))
 		for i, route := range cfg.RepositoryProfiles {
@@ -5803,6 +5815,80 @@ func synthesizeInteractiveProfile(flags initOptions, profileName string, previou
 	return profile, nil
 }
 
+func materializeProfileRepositoryAccess(cfg config.File, profileName string, profile config.Profile) (config.File, config.Profile) {
+	if cfg.RepositoryAccess == nil {
+		cfg.RepositoryAccess = map[string]config.RepositoryAccessConfig{}
+	}
+	access := normalizeInitRepositoryAccessConfig(config.RepositoryAccessConfig{Git: profile.Git})
+	targetScope := initGitScopeDraftFromConfig(access.Git)
+
+	if currentName := strings.TrimSpace(profile.RepositoryAccess); currentName != "" {
+		if current, ok := cfg.RepositoryAccess[currentName]; ok && initGitScopeDraftFromConfig(current.Git).identityKey() == targetScope.identityKey() {
+			profile.RepositoryAccess = currentName
+			profile.Git = current.Git
+			if cfg.Profiles == nil {
+				cfg.Profiles = map[string]config.Profile{}
+			}
+			cfg.Profiles[profileName] = profile
+			return cfg, profile
+		}
+	}
+
+	accessNames := make([]string, 0, len(cfg.RepositoryAccess))
+	for name := range cfg.RepositoryAccess {
+		accessNames = append(accessNames, name)
+	}
+	sort.Strings(accessNames)
+	for _, name := range accessNames {
+		existing := cfg.RepositoryAccess[name]
+		if initGitScopeDraftFromConfig(existing.Git).identityKey() != targetScope.identityKey() {
+			continue
+		}
+		profile.RepositoryAccess = name
+		profile.Git = existing.Git
+		if cfg.Profiles == nil {
+			cfg.Profiles = map[string]config.Profile{}
+		}
+		cfg.Profiles[profileName] = profile
+		return cfg, profile
+	}
+
+	accessName := uniqueInitRepositoryAccessName(cfg.RepositoryAccess, profileName+"-git")
+	cfg.RepositoryAccess[accessName] = access
+	profile.RepositoryAccess = accessName
+	profile.Git = access.Git
+	if cfg.Profiles == nil {
+		cfg.Profiles = map[string]config.Profile{}
+	}
+	cfg.Profiles[profileName] = profile
+	return cfg, profile
+}
+
+func normalizeInitRepositoryAccessConfig(access config.RepositoryAccessConfig) config.RepositoryAccessConfig {
+	cfg := config.Normalize(config.File{
+		RepositoryAccess: map[string]config.RepositoryAccessConfig{
+			"access": access,
+		},
+	})
+	return cfg.RepositoryAccess["access"]
+}
+
+func uniqueInitRepositoryAccessName(existing map[string]config.RepositoryAccessConfig, base string) string {
+	base = strings.TrimSpace(base)
+	if base == "" {
+		base = "repository-access"
+	}
+	if _, ok := existing[base]; !ok {
+		return base
+	}
+	for suffix := 2; ; suffix++ {
+		candidate := fmt.Sprintf("%s-%d", base, suffix)
+		if _, ok := existing[candidate]; !ok {
+			return candidate
+		}
+	}
+}
+
 func materializeProfileReviewerEntity(cfg config.File, profileName string, profile config.Profile) (config.File, config.Profile) {
 	if profile.ReviewerCredentials == nil {
 		profile.Reviewer = config.ProfileReviewer{Kind: config.ProfileReviewerKindGitIdentity}
diff --git a/internal/cmd/credentialcmd/credentialcmd_test.go b/internal/cmd/credentialcmd/credentialcmd_test.go
index c7e3a36c..b6e2630a 100644
--- a/internal/cmd/credentialcmd/credentialcmd_test.go
+++ b/internal/cmd/credentialcmd/credentialcmd_test.go
@@ -1737,6 +1737,11 @@ func TestInitPlanApplyPreservesUnrelatedExistingConfig(t *testing.T) {
 		want.Profiles[name] = profile
 	}
 	want.Profiles["work"] = after.Profiles["work"]
+	want.RepositoryAccess = make(map[string]config.RepositoryAccessConfig, len(before.RepositoryAccess)+1)
+	for name, access := range before.RepositoryAccess {
+		want.RepositoryAccess[name] = access
+	}
+	want.RepositoryAccess[after.Profiles["work"].RepositoryAccess] = after.RepositoryAccess[after.Profiles["work"].RepositoryAccess]
 	want.LLMRuntimes = make(map[string]config.LLMConfig, len(before.LLMRuntimes)+1)
 	for name, runtime := range before.LLMRuntimes {
 		want.LLMRuntimes[name] = runtime
@@ -19158,7 +19163,7 @@ func TestApplyInteractiveInitSessionPlanRejectsInvalidConfigBeforeKeyringWrite(t
 			return nil
 		},
 	}, plan)
-	if err == nil || !strings.Contains(err.Error(), "profiles.broken.git.host is required") {
+	if err == nil || !strings.Contains(err.Error(), "profiles.broken.repository_access is required") {
 		t.Fatalf("error = %v, want config validation failure", err)
 	}
 	if storeOpened {
diff --git a/internal/config/config.go b/internal/config/config.go
index 20c8a32d..1c7832f7 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -164,11 +164,12 @@ type EffectiveSecretsProfile = EffectiveSecretsStore
 
 // Profile is one named review profile.
 type Profile struct {
-	Git          GitConfig       `yaml:"git" json:"git"`
-	Reviewer     ProfileReviewer `yaml:"reviewer" json:"reviewer"`
-	LLMRuntime   string          `yaml:"llm_runtime" json:"llm_runtime"`
-	AgentSources []string        `yaml:"agent_sources,omitempty" json:"agent_sources,omitempty"`
-	ReviewPolicy ReviewPolicy    `yaml:"review_policy,omitempty" json:"review_policy"`
+	RepositoryAccess string          `yaml:"repository_access,omitempty" json:"repository_access,omitempty"`
+	Git              GitConfig       `yaml:"-" json:"-"`
+	Reviewer         ProfileReviewer `yaml:"reviewer" json:"reviewer"`
+	LLMRuntime       string          `yaml:"llm_runtime" json:"llm_runtime"`
+	AgentSources     []string        `yaml:"agent_sources,omitempty" json:"agent_sources,omitempty"`
+	ReviewPolicy     ReviewPolicy    `yaml:"review_policy,omitempty" json:"review_policy"`
 
 	// SecretsProfile is retained as an ignored in-memory compatibility field.
 	SecretsProfile string `yaml:"-" json:"-"`
@@ -180,6 +181,45 @@ type Profile struct {
 	LLM LLMConfig `yaml:"-" json:"-"`
 }
 
+type profileYAML struct {
+	RepositoryAccess string          `yaml:"repository_access,omitempty" json:"repository_access,omitempty"`
+	Git              GitConfig       `yaml:"git,omitempty" json:"git,omitempty"`
+	Reviewer         ProfileReviewer `yaml:"reviewer" json:"reviewer"`
+	LLMRuntime       string          `yaml:"llm_runtime" json:"llm_runtime"`
+	AgentSources     []string        `yaml:"agent_sources,omitempty" json:"agent_sources,omitempty"`
+	ReviewPolicy     ReviewPolicy    `yaml:"review_policy,omitempty" json:"review_policy"`
+}
+
+// UnmarshalYAML accepts the legacy profile git block while the data model moves
+// to profiles selecting reusable repository_access entries.
+func (p *Profile) UnmarshalYAML(value *yaml.Node) error {
+	var raw profileYAML
+	if err := value.Decode(&raw); err != nil {
+		return err
+	}
+	*p = Profile{
+		RepositoryAccess: raw.RepositoryAccess,
+		Git:              raw.Git,
+		Reviewer:         raw.Reviewer,
+		LLMRuntime:       raw.LLMRuntime,
+		AgentSources:     raw.AgentSources,
+		ReviewPolicy:     raw.ReviewPolicy,
+	}
+	return nil
+}
+
+// MarshalYAML writes only the durable profile composition fields. Git is
+// resolved from repository_access at load/runtime boundaries.
+func (p Profile) MarshalYAML() (any, error) {
+	return profileYAML{
+		RepositoryAccess: p.RepositoryAccess,
+		Reviewer:         p.Reviewer,
+		LLMRuntime:       p.LLMRuntime,
+		AgentSources:     p.AgentSources,
+		ReviewPolicy:     p.ReviewPolicy,
+	}, nil
+}
+
 // GitConfig identifies the user's git-host credentials.
 type GitConfig struct {
 	Host          string             `yaml:"host" json:"host"`
@@ -1027,6 +1067,12 @@ func gitCredentialRef(purpose string, mode GitAuthMode, credential CredentialLoc
 }
 
 func validateProfile(cfg File, name string, profile Profile) error {
+	if strings.TrimSpace(profile.RepositoryAccess) == "" {
+		return invalid("profiles.%s.repository_access is required", name)
+	}
+	if _, ok := cfg.RepositoryAccess[profile.RepositoryAccess]; !ok {
+		return fmt.Errorf("%w: profiles.%s.repository_access %q", ErrProfileNotFound, name, profile.RepositoryAccess)
+	}
 	if err := validateGitConfig(fmt.Sprintf("profiles.%s.git", name), profile.Git); err != nil {
 		return err
 	}
@@ -1587,6 +1633,10 @@ func (cfg File) normalized() File {
 }
 
 func (cfg File) projectProfileComponentReferences() File {
+	repositoryAccessNamesByKey := map[string]string{}
+	for name, access := range cfg.RepositoryAccess {
+		repositoryAccessNamesByKey[repositoryAccessIdentityKey(access)] = name
+	}
 	runtimeNamesByKey := map[string]string{}
 	for name, runtime := range cfg.LLMRuntimes {
 		runtimeNamesByKey[llmRuntimeIdentityKey(runtime)] = name
@@ -1606,6 +1656,20 @@ func (cfg File) projectProfileComponentReferences() File {
 	for _, name := range profileNames {
 		profile := cfg.Profiles[name]
 		profile = profile.normalized()
+		if strings.TrimSpace(profile.RepositoryAccess) == "" && !profile.Git.empty() {
+			access := repositoryAccessFromProfile(profile)
+			key := repositoryAccessIdentityKey(access)
+			accessName, ok := repositoryAccessNamesByKey[key]
+			if !ok {
+				if cfg.RepositoryAccess == nil {
+					cfg.RepositoryAccess = map[string]RepositoryAccessConfig{}
+				}
+				accessName = uniqueConfigComponentName(cfg.RepositoryAccess, suggestedRepositoryAccessName(name, access))
+				cfg.RepositoryAccess[accessName] = access
+				repositoryAccessNamesByKey[key] = accessName
+			}
+			profile.RepositoryAccess = accessName
+		}
 		if strings.TrimSpace(profile.LLMRuntime) == "" && !profile.LLM.empty() {
 			runtime := profile.LLM.normalized()
 			key := llmRuntimeIdentityKey(runtime)
@@ -1779,7 +1843,39 @@ func suggestedReviewerEntityName(profileName string, entity ReviewerEntity) stri
 	return "reviewer-entity"
 }
 
+func repositoryAccessFromProfile(profile Profile) RepositoryAccessConfig {
+	return RepositoryAccessConfig{
+		Git: profile.Git,
+	}.normalized()
+}
+
+func repositoryAccessIdentityKey(access RepositoryAccessConfig) string {
+	access = access.normalized()
+	return strings.Join([]string{
+		access.Git.Host,
+		string(access.Git.AuthMode),
+		access.Git.Credential.Store,
+		access.Git.Credential.Name,
+		gitHubAppID(access.Git.GitHubApp),
+	}, "\x00")
+}
+
+func suggestedRepositoryAccessName(profileName string, access RepositoryAccessConfig) string {
+	prefix := strings.TrimSpace(profileName)
+	if prefix != "" {
+		return prefix + "-git"
+	}
+	host := strings.ReplaceAll(access.normalized().Git.Host, ".", "-")
+	if strings.TrimSpace(host) != "" {
+		return host + "-git"
+	}
+	return "repository-access"
+}
+
 func (cfg File) resolveProfileRuntimeFields(profile Profile) Profile {
+	if access, ok := cfg.RepositoryAccess[profile.RepositoryAccess]; ok {
+		profile.Git = access.Git.normalized()
+	}
 	if runtime, ok := cfg.LLMRuntimes[profile.LLMRuntime]; ok {
 		profile.LLM = runtime.normalized()
 	}
@@ -1892,6 +1988,7 @@ func IsOnePasswordSecretsBackend(kind SecretsBackendKind) bool {
 
 func (p Profile) normalized() Profile {
 	p.SecretsProfile = strings.TrimSpace(p.SecretsProfile)
+	p.RepositoryAccess = strings.TrimSpace(p.RepositoryAccess)
 	p.Git = p.Git.normalized()
 	p.Reviewer = p.Reviewer.normalized()
 	p.LLMRuntime = strings.TrimSpace(p.LLMRuntime)
@@ -1936,6 +2033,15 @@ func (g GitConfig) normalized() GitConfig {
 	return g
 }
 
+func (g GitConfig) empty() bool {
+	g = g.normalized()
+	return g.Host == "" &&
+		g.AuthMode == "" &&
+		g.Credential.empty() &&
+		g.GitHubApp == nil &&
+		g.IdentityCache == ""
+}
+
 func (r RepositoryAccessConfig) normalized() RepositoryAccessConfig {
 	r.DisplayName = strings.TrimSpace(r.DisplayName)
 	r.Git = r.Git.normalized()
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index 9771d463..becf2fe1 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -1358,6 +1358,14 @@ func TestValidateSecretsStores(t *testing.T) {
 }
 
 func TestValidateCredentialLocations(t *testing.T) {
+	setProfileRepositoryAccessCredential := func(cfg *File, profileName string, location CredentialLocation) {
+		profile := cfg.Profiles[profileName]
+		access := cfg.RepositoryAccess[profile.RepositoryAccess]
+		access.Git.Credential = location
+		access.Git.CredentialRef = ""
+		cfg.RepositoryAccess[profile.RepositoryAccess] = access
+	}
+
 	tests := []struct {
 		name    string
 		mutate  func(*File)
@@ -1371,66 +1379,48 @@ func TestValidateCredentialLocations(t *testing.T) {
 					DisplayName: "Work File",
 					Backend:     SecretsStoreBackend{Kind: SecretsBackendKind(credstore.BackendFile)},
 				}
-				profile := cfg.Profiles["home"]
-				profile.Git.Credential = CredentialLocation{Store: "work-file", Name: "codereview/home"}
-				profile.Git.CredentialRef = ""
-				cfg.Profiles["home"] = profile
+				setProfileRepositoryAccessCredential(cfg, "home", CredentialLocation{Store: "work-file", Name: "codereview/home"})
 			},
 		},
 		{
 			name: "missing store",
 			mutate: func(cfg *File) {
-				profile := cfg.Profiles["home"]
-				profile.Git.Credential = CredentialLocation{Name: "codereview/home"}
-				profile.Git.CredentialRef = ""
-				cfg.Profiles["home"] = profile
+				setProfileRepositoryAccessCredential(cfg, "home", CredentialLocation{Name: "codereview/home"})
 			},
 			wantErr: ErrInvalid,
-			wantMsg: "profiles.home.git.credential.store is required",
+			wantMsg: "repository_access.home-git.git.credential.store is required",
 		},
 		{
 			name: "missing name",
 			mutate: func(cfg *File) {
-				profile := cfg.Profiles["home"]
-				profile.Git.Credential = CredentialLocation{Store: LocalOSCredentialStoreID}
-				profile.Git.CredentialRef = ""
-				cfg.Profiles["home"] = profile
+				setProfileRepositoryAccessCredential(cfg, "home", CredentialLocation{Store: LocalOSCredentialStoreID})
 			},
 			wantErr: ErrInvalid,
-			wantMsg: "profiles.home.git.credential.name is required",
+			wantMsg: "repository_access.home-git.git.credential.name is required",
 		},
 		{
 			name: "unknown configured store",
 			mutate: func(cfg *File) {
-				profile := cfg.Profiles["home"]
-				profile.Git.Credential = CredentialLocation{Store: "missing", Name: "codereview/home"}
-				profile.Git.CredentialRef = ""
-				cfg.Profiles["home"] = profile
+				setProfileRepositoryAccessCredential(cfg, "home", CredentialLocation{Store: "missing", Name: "codereview/home"})
 			},
 			wantErr: ErrSecretsStoreNotFound,
-			wantMsg: `profiles.home.git.credential.store "missing"`,
+			wantMsg: `repository_access.home-git.git.credential.store "missing"`,
 		},
 		{
 			name: "credential name invalid grammar",
 			mutate: func(cfg *File) {
-				profile := cfg.Profiles["home"]
-				profile.Git.Credential = CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/bad.profile"}
-				profile.Git.CredentialRef = ""
-				cfg.Profiles["home"] = profile
+				setProfileRepositoryAccessCredential(cfg, "home", CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/bad.profile"})
 			},
 			wantErr: ErrInvalid,
-			wantMsg: "profiles.home.git.credential.name is invalid",
+			wantMsg: "repository_access.home-git.git.credential.name is invalid",
 		},
 		{
 			name: "credential name wrong service",
 			mutate: func(cfg *File) {
-				profile := cfg.Profiles["home"]
-				profile.Git.Credential = CredentialLocation{Store: LocalOSCredentialStoreID, Name: "other/home"}
-				profile.Git.CredentialRef = ""
-				cfg.Profiles["home"] = profile
+				setProfileRepositoryAccessCredential(cfg, "home", CredentialLocation{Store: LocalOSCredentialStoreID, Name: "other/home"})
 			},
 			wantErr: ErrInvalid,
-			wantMsg: `profiles.home.git.credential.name must use service "codereview"`,
+			wantMsg: `repository_access.home-git.git.credential.name must use service "codereview"`,
 		},
 		{
 			name: "same credential name in different stores",
@@ -1439,10 +1429,7 @@ func TestValidateCredentialLocations(t *testing.T) {
 					DisplayName: "Work File",
 					Backend:     SecretsStoreBackend{Kind: SecretsBackendKind(credstore.BackendFile)},
 				}
-				profile := cfg.Profiles["work"]
-				profile.Git.Credential = CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/shared"}
-				profile.Git.CredentialRef = ""
-				cfg.Profiles["work"] = profile
+				setProfileRepositoryAccessCredential(cfg, "work", CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/shared"})
 				entity := cfg.ReviewerEntities["work-reviewer"]
 				entity.Credential = CredentialLocation{Store: "work-file", Name: "codereview/shared"}
 				entity.CredentialRef = ""
@@ -1452,10 +1439,7 @@ func TestValidateCredentialLocations(t *testing.T) {
 		{
 			name: "same credential name in same store",
 			mutate: func(cfg *File) {
-				profile := cfg.Profiles["work"]
-				profile.Git.Credential = CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/shared"}
-				profile.Git.CredentialRef = ""
-				cfg.Profiles["work"] = profile
+				setProfileRepositoryAccessCredential(cfg, "work", CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/shared"})
 				entity := cfg.ReviewerEntities["work-reviewer"]
 				entity.Credential = CredentialLocation{Store: LocalOSCredentialStoreID, Name: "codereview/shared"}
 				entity.CredentialRef = ""
diff --git a/internal/identity/identity.go b/internal/identity/identity.go
index 550f64d9..c35d2fde 100644
--- a/internal/identity/identity.go
+++ b/internal/identity/identity.go
@@ -167,6 +167,15 @@ func applyIdentityCacheUpdates(cfg config.File, profileName string, original con
 		}
 		switch result.CredentialSource {
 		case SourceGit:
+			accessName := strings.TrimSpace(original.RepositoryAccess)
+			if accessName != "" {
+				access, ok := cfg.RepositoryAccess[accessName]
+				if ok {
+					access.Git.IdentityCache = result.Identity.Login
+					cfg.RepositoryAccess[accessName] = access
+					continue
+				}
+			}
 			cfg.Profiles[profileName] = updated
 		case SourceReviewer:
 			if original.Reviewer.Kind == config.ProfileReviewerKindEntity {
@@ -208,5 +217,16 @@ func normalizeForUpdate(cfg config.File) config.File {
 		}
 		cfg.ReviewerEntities = entities
 	}
+	if cfg.RepositoryAccess != nil {
+		accesses := make(map[string]config.RepositoryAccessConfig, len(cfg.RepositoryAccess))
+		for name, access := range cfg.RepositoryAccess {
+			if access.Git.GitHubApp != nil {
+				app := *access.Git.GitHubApp
+				access.Git.GitHubApp = &app
+			}
+			accesses[name] = access
+		}
+		cfg.RepositoryAccess = accesses
+	}
 	return cfg
 }

From 7da738d391f670be5343a0e2d1b777831970eeb4 Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Mon, 22 Jun 2026 07:47:07 -0400
Subject: [PATCH 11/27] Add repository access init flow

---
 internal/cmd/credentialcmd/credentialcmd.go   | 193 ++++++++++++---
 .../cmd/credentialcmd/credentialcmd_test.go   | 156 +++++++++---
 internal/cmd/credentialcmd/init_menu.go       |   7 +-
 .../init_repository_access_editor.go          | 225 ++++++++++++++++++
 4 files changed, 511 insertions(+), 70 deletions(-)
 create mode 100644 internal/cmd/credentialcmd/init_repository_access_editor.go

diff --git a/internal/cmd/credentialcmd/credentialcmd.go b/internal/cmd/credentialcmd/credentialcmd.go
index 7fcd0c09..b7a73057 100644
--- a/internal/cmd/credentialcmd/credentialcmd.go
+++ b/internal/cmd/credentialcmd/credentialcmd.go
@@ -218,6 +218,10 @@ type initLLMRuntimePrompter interface {
 	EditLLMRuntime(initLLMRuntimePrompt) (initDraft, error)
 }
 
+type initRepositoryAccessPrompter interface {
+	EditRepositoryAccess(initRepositoryAccessPrompt) (initDraft, error)
+}
+
 type initReviewerEntityPrompter interface {
 	EditReviewerEntity(initReviewerEntityPrompt) (initDraft, error)
 }
@@ -227,28 +231,29 @@ type initFinalizePrompter interface {
 }
 
 type initPromptContext struct {
-	RequestedProfileName         string
-	ExistingProfileName          string
-	ExistingProfile              *config.Profile
-	ExistingProfileNames         []string
-	ExistingConfig               config.File
-	BackendArg                   string
-	BackendFlagSet               bool
-	GitScopes                    map[string]initGitScopeDraft
-	ProfileGitScopes             map[string]string
-	ReviewerEntities             map[string]initReviewerEntityDraft
-	ProfileReviewerEntities      map[string]string
-	ReviewerCredentialStatuses   []initReviewerCredentialStatus
-	StandaloneReviewerEntityMode bool
-	SecretsProfiles              []config.EffectiveSecretsProfile
-	ProfileSecretsProfiles       map[string]string
-	BrokenProfileSecretsProfiles map[string]string
-	LLMRuntimes                  map[string]initLLMRuntimeDraft
-	ProfileLLMRuntimes           map[string]string
-	ProfileWarnings              map[string][]string
-	PendingProfileDeletes        map[string]initPendingProfileDelete
-	PendingReviewerEntityDeletes map[string]initPendingReviewerEntityDelete
-	PendingLLMRuntimeDeletes     map[string]initPendingLLMRuntimeDelete
+	RequestedProfileName           string
+	ExistingProfileName            string
+	ExistingProfile                *config.Profile
+	ExistingProfileNames           []string
+	ExistingConfig                 config.File
+	BackendArg                     string
+	BackendFlagSet                 bool
+	GitScopes                      map[string]initGitScopeDraft
+	ProfileGitScopes               map[string]string
+	StandaloneRepositoryAccessMode bool
+	ReviewerEntities               map[string]initReviewerEntityDraft
+	ProfileReviewerEntities        map[string]string
+	ReviewerCredentialStatuses     []initReviewerCredentialStatus
+	StandaloneReviewerEntityMode   bool
+	SecretsProfiles                []config.EffectiveSecretsProfile
+	ProfileSecretsProfiles         map[string]string
+	BrokenProfileSecretsProfiles   map[string]string
+	LLMRuntimes                    map[string]initLLMRuntimeDraft
+	ProfileLLMRuntimes             map[string]string
+	ProfileWarnings                map[string][]string
+	PendingProfileDeletes          map[string]initPendingProfileDelete
+	PendingReviewerEntityDeletes   map[string]initPendingReviewerEntityDelete
+	PendingLLMRuntimeDeletes       map[string]initPendingLLMRuntimeDelete
 }
 
 type initDraftAction string
@@ -268,6 +273,7 @@ type initDraft struct {
 	ActionTarget                      string
 	OriginalProfileName               string
 	ProfileName                       string
+	RepositoryAccessName              string
 	GitHost                           string
 	GitAuth                           string
 	GitHubAppID                       string
@@ -388,6 +394,7 @@ type initMenuAction string
 
 const (
 	initMenuActionLLMRuntimes       initMenuAction = "llm_runtimes"
+	initMenuActionRepositoryAccess  initMenuAction = "repository_access"
 	initMenuActionReviewerEntities  initMenuAction = "reviewer_entities"
 	initMenuActionReviewProfiles    initMenuAction = "review_profiles"
 	initMenuActionGlobalSettings    initMenuAction = "global_settings"
@@ -402,20 +409,25 @@ var (
 )
 
 type initMenuPrompt struct {
-	HasWorkspace         bool
-	LLMRuntimeCount      int
-	ReviewerEntityCount  int
-	ReviewProfileCount   int
-	CanConfigureLLM      bool
-	CanConfigureReviewer bool
-	CanSave              bool
-	ActiveProfileName    string
+	HasWorkspace          bool
+	RepositoryAccessCount int
+	LLMRuntimeCount       int
+	ReviewerEntityCount   int
+	ReviewProfileCount    int
+	CanConfigureLLM       bool
+	CanConfigureReviewer  bool
+	CanSave               bool
+	ActiveProfileName     string
 }
 
 type initLLMRuntimePrompt struct {
 	Context initPromptContext
 }
 
+type initRepositoryAccessPrompt struct {
+	Context initPromptContext
+}
+
 type initReviewerEntityPrompt struct {
 	Context initPromptContext
 }
@@ -425,6 +437,7 @@ type initDeps struct {
 	profileV2Prompter    initPrompter
 	menuPrompter         initMenuPrompter
 	llmRuntimePrompter   initLLMRuntimePrompter
+	repositoryPrompter   initRepositoryAccessPrompter
 	reviewerPrompter     initReviewerEntityPrompter
 	finalizePrompter     initFinalizePrompter
 	modelMapPrompter     initModelMapPrompter
@@ -691,6 +704,7 @@ func defaultInitDeps() initDeps {
 	return initDeps{
 		menuPrompter:         nil,
 		llmRuntimePrompter:   nil,
+		repositoryPrompter:   nil,
 		reviewerPrompter:     nil,
 		finalizePrompter:     nil,
 		modelMapPrompter:     nil,
@@ -726,6 +740,9 @@ func (deps initDeps) withDefaults() initDeps {
 	if deps.llmRuntimePrompter == nil {
 		deps.llmRuntimePrompter = defaults.llmRuntimePrompter
 	}
+	if deps.repositoryPrompter == nil {
+		deps.repositoryPrompter = defaults.repositoryPrompter
+	}
 	if deps.reviewerPrompter == nil {
 		deps.reviewerPrompter = defaults.reviewerPrompter
 	}
@@ -1011,6 +1028,12 @@ type huhInitLLMRuntimePrompter struct {
 	editorRunner    initLLMRuntimeEditorRunner
 }
 
+type huhInitRepositoryAccessPrompter struct {
+	stdin        io.Reader
+	stderr       io.Writer
+	editorRunner initRepositoryAccessEditorRunner
+}
+
 type huhInitReviewerEntityPrompter struct {
 	stdin           io.Reader
 	stderr          io.Writer
@@ -1044,6 +1067,10 @@ func newHuhInitLLMRuntimePrompter(opts *root.Options) initLLMRuntimePrompter {
 	}
 }
 
+func newHuhInitRepositoryAccessPrompter(opts *root.Options) initRepositoryAccessPrompter {
+	return huhInitRepositoryAccessPrompter{stdin: opts.Stdin, stderr: opts.Stderr}
+}
+
 func newHuhInitReviewerEntityPrompter(opts *root.Options) initReviewerEntityPrompter {
 	return huhInitReviewerEntityPrompter{
 		stdin:           opts.Stdin,
@@ -1209,16 +1236,18 @@ func bootstrapInteractiveInitSession(cmd *cobra.Command, opts *root.Options, fla
 }
 
 func buildInteractiveInitMenuPrompt(session initSessionDraft) initMenuPrompt {
+	gitScopes, _ := buildInitGitScopeInventory(session.cfg)
 	llmRuntimes, _ := buildInitLLMRuntimeInventory(session.cfg)
 	reviewerEntities, _ := buildInitReviewerEntityInventory(session.cfg)
 	prompt := initMenuPrompt{
-		HasWorkspace:         session.workspace != nil,
-		LLMRuntimeCount:      len(llmRuntimes),
-		ReviewerEntityCount:  countConfiguredInitReviewerEntities(reviewerEntities),
-		ReviewProfileCount:   len(session.cfg.Profiles),
-		CanConfigureLLM:      true,
-		CanConfigureReviewer: true,
-		CanSave:              initSessionCanCommitWithoutWorkspace(session),
+		HasWorkspace:          session.workspace != nil,
+		RepositoryAccessCount: len(gitScopes),
+		LLMRuntimeCount:       len(llmRuntimes),
+		ReviewerEntityCount:   countConfiguredInitReviewerEntities(reviewerEntities),
+		ReviewProfileCount:    len(session.cfg.Profiles),
+		CanConfigureLLM:       true,
+		CanConfigureReviewer:  true,
+		CanSave:               initSessionCanCommitWithoutWorkspace(session),
 	}
 	if session.workspace == nil {
 		return prompt
@@ -1283,6 +1312,8 @@ func runInteractiveInitMenuLoop(cmd *cobra.Command, opts *root.Options, flags in
 			return initSessionDraft{}, err
 		}
 		switch action {
+		case initMenuActionRepositoryAccess:
+			session, err = editInteractiveInitRepositoryAccess(cmd, opts, flags, deps, session)
 		case initMenuActionLLMRuntimes:
 			session, err = loopInteractiveInitLLMRuntime(cmd, opts, flags, deps, session)
 		case initMenuActionReviewerEntities:
@@ -1316,6 +1347,76 @@ func runInteractiveInitMenuLoop(cmd *cobra.Command, opts *root.Options, flags in
 	}
 }
 
+func editInteractiveInitRepositoryAccess(_ *cobra.Command, opts *root.Options, _ initOptions, deps initDeps, session initSessionDraft) (initSessionDraft, error) {
+	prompter := deps.repositoryPrompter
+	if prompter == nil {
+		prompter = newHuhInitRepositoryAccessPrompter(opts)
+	}
+	promptCtx := currentInteractiveInitInventoryPromptContext(session)
+	promptCtx.StandaloneRepositoryAccessMode = true
+	draft, err := prompter.EditRepositoryAccess(initRepositoryAccessPrompt{Context: promptCtx})
+	if errors.Is(err, errInitNavigateBack) {
+		return session, nil
+	}
+	if err != nil {
+		return initSessionDraft{}, err
+	}
+	return stageStandaloneInteractiveInitRepositoryAccess(session, draft)
+}
+
+func stageStandaloneInteractiveInitRepositoryAccess(session initSessionDraft, draft initDraft) (initSessionDraft, error) {
+	name := strings.TrimSpace(draft.RepositoryAccessName)
+	if name == "" {
+		name = strings.TrimSpace(draft.ActionTarget)
+	}
+	if name == "" {
+		return initSessionDraft{}, exitcode.Usage(errors.New("repository access name is required"))
+	}
+	scope := initGitScopeDraft{
+		Name:            name,
+		Host:            strings.TrimSpace(draft.GitHost),
+		AuthMode:        config.GitAuthMode(draft.GitAuth),
+		GitHubAppID:     strings.TrimSpace(draft.GitHubAppID),
+		CredentialStore: initCredentialStoreDraftValue(draft.GitCredentialStore),
+		CredentialRef:   strings.TrimSpace(draft.GitCredentialRef),
+	}
+	if scope.Host == "" {
+		return initSessionDraft{}, exitcode.Usage(errors.New("git host is required"))
+	}
+	if scope.AuthMode == "" {
+		scope.AuthMode = config.GitAuthModePAT
+	}
+	if scope.CredentialStore == "" {
+		scope.CredentialStore = initCredentialStoreDefaultID()
+	}
+	if scope.CredentialRef == "" {
+		ref, err := credentials.FormatRef(name)
+		if err != nil {
+			return initSessionDraft{}, exitcode.Usage(err)
+		}
+		scope.CredentialRef = ref
+	}
+
+	working := cloneInitConfigFile(session.cfg)
+	if working.RepositoryAccess == nil {
+		working.RepositoryAccess = map[string]config.RepositoryAccessConfig{}
+	}
+	var previous *config.GitConfig
+	if existing, ok := working.RepositoryAccess[name]; ok {
+		existingGit := existing.Git
+		previous = &existingGit
+	}
+	working.RepositoryAccess[name] = normalizeInitRepositoryAccessConfig(config.RepositoryAccessConfig{
+		DisplayName: name,
+		Git:         scope.exportConfig(previous),
+	})
+	if err := config.Validate(working); err != nil {
+		return initSessionDraft{}, cmderr.Config(err)
+	}
+	session.cfg = config.Normalize(working)
+	return rebuildInteractiveInitWorkspace(session, preferredInteractiveInitProfile(session)), nil
+}
+
 func loopInteractiveInitProfileV2(cmd *cobra.Command, opts *root.Options, flags initOptions, deps initDeps, session initSessionDraft) (initSessionDraft, error) {
 	prompter := deps.profileV2Prompter
 	if prompter == nil {
@@ -5227,11 +5328,29 @@ func (scope initGitScopeDraft) matchesConfig(previous config.GitConfig) bool {
 }
 
 func buildInitGitScopeInventory(cfg config.File) (map[string]initGitScopeDraft, map[string]string) {
+	cfg = config.Normalize(cfg)
 	scopes := map[string]initGitScopeDraft{}
 	profileScopeNames := map[string]string{}
 	scopeNamesByKey := map[string]string{}
+	accessNames := make([]string, 0, len(cfg.RepositoryAccess))
+	for name := range cfg.RepositoryAccess {
+		accessNames = append(accessNames, name)
+	}
+	sort.Strings(accessNames)
+	for _, name := range accessNames {
+		scope := initGitScopeDraftFromConfig(cfg.RepositoryAccess[name].Git)
+		scope.Name = name
+		scopes[name] = scope
+		scopeNamesByKey[scope.identityKey()] = name
+	}
 	for _, profileName := range sortedProfileNames(cfg.Profiles) {
 		profile := cfg.Profiles[profileName]
+		if scopeName := strings.TrimSpace(profile.RepositoryAccess); scopeName != "" {
+			if _, ok := scopes[scopeName]; ok {
+				profileScopeNames[profileName] = scopeName
+				continue
+			}
+		}
 		scope := initGitScopeDraftFromConfig(profile.Git)
 		key := scope.identityKey()
 		if existingName, ok := scopeNamesByKey[key]; ok {
diff --git a/internal/cmd/credentialcmd/credentialcmd_test.go b/internal/cmd/credentialcmd/credentialcmd_test.go
index b6e2630a..cf2b4af0 100644
--- a/internal/cmd/credentialcmd/credentialcmd_test.go
+++ b/internal/cmd/credentialcmd/credentialcmd_test.go
@@ -2156,7 +2156,7 @@ func TestBuildInitGitScopeInventoryDeduplicatesNormalizedGitHubEnterpriseHost(t
 	}
 }
 
-func TestBuildInitGitScopeInventoryAssignsStableSuffixOnNameCollision(t *testing.T) {
+func TestBuildInitGitScopeInventoryUsesProjectedRepositoryAccessNames(t *testing.T) {
 	home := basicProfile("home")
 	work := basicProfile("work")
 	home.Git.Host = "github.com"
@@ -2178,8 +2178,8 @@ func TestBuildInitGitScopeInventoryAssignsStableSuffixOnNameCollision(t *testing
 	if profileScopeNames["home"] == profileScopeNames["work"] {
 		t.Fatalf("profileScopeNames = %#v, want distinct names for colliding scope bases", profileScopeNames)
 	}
-	if profileScopeNames["home"] != "github-com-pat" && profileScopeNames["work"] != "github-com-pat" {
-		t.Fatalf("profileScopeNames = %#v, want one unsuffixed base name", profileScopeNames)
+	if profileScopeNames["home"] != "home-git" || profileScopeNames["work"] != "work-git" {
+		t.Fatalf("profileScopeNames = %#v, want projected repository access names", profileScopeNames)
 	}
 	if initGitScopeLabel(scopes[profileScopeNames["home"]]) == initGitScopeLabel(scopes[profileScopeNames["work"]]) {
 		t.Fatalf("git scope labels should be distinguishable: %#v", profileScopeNames)
@@ -12427,13 +12427,14 @@ func TestBuildInteractiveInitMenuPromptNoWorkspaceStillShowsExistingInventoryCou
 
 func TestInitMenuItemsOrdersRootMenuAndMovesCountsToDescriptions(t *testing.T) {
 	items := initMenuItems(initMenuPrompt{
-		HasWorkspace:         true,
-		LLMRuntimeCount:      2,
-		ReviewerEntityCount:  3,
-		ReviewProfileCount:   1,
-		CanConfigureLLM:      true,
-		CanConfigureReviewer: true,
-		CanSave:              true,
+		HasWorkspace:          true,
+		RepositoryAccessCount: 4,
+		LLMRuntimeCount:       2,
+		ReviewerEntityCount:   3,
+		ReviewProfileCount:    1,
+		CanConfigureLLM:       true,
+		CanConfigureReviewer:  true,
+		CanSave:               true,
 	})
 	var actions []initMenuAction
 	var titles []string
@@ -12448,6 +12449,7 @@ func TestInitMenuItemsOrdersRootMenuAndMovesCountsToDescriptions(t *testing.T) {
 	}
 	wantActions := []initMenuAction{
 		initMenuActionSecretsManagement,
+		initMenuActionRepositoryAccess,
 		initMenuActionLLMRuntimes,
 		initMenuActionReviewerEntities,
 		initMenuActionReviewProfiles,
@@ -12460,6 +12462,7 @@ func TestInitMenuItemsOrdersRootMenuAndMovesCountsToDescriptions(t *testing.T) {
 	}
 	assertContentOrder(t, strings.Join(titles, "\n"),
 		"Configure secrets storage",
+		"Configure repository access",
 		"Configure LLM runtimes",
 		"Configure reviewer entities",
 		"Configure review profiles",
@@ -12469,6 +12472,7 @@ func TestInitMenuItemsOrdersRootMenuAndMovesCountsToDescriptions(t *testing.T) {
 	)
 	joinedDescriptions := strings.Join(descriptions, "\n")
 	for _, want := range []string{
+		"4 repository access entries configured",
 		"2 runtimes configured",
 		"3 reviewer entities configured",
 		"1 profile configured",
@@ -12490,6 +12494,7 @@ func TestInitMenuItemsUseInfrastructureDescriptionsBeforeConfiguredCounts(t *tes
 		descriptions[item.Action] = item.Description
 	}
 	tests := map[initMenuAction]string{
+		initMenuActionRepositoryAccess: "Git hosts and user credentials",
 		initMenuActionLLMRuntimes:      "Model providers and runtime credentials",
 		initMenuActionReviewerEntities: "Reviewer identities and posting credentials",
 		initMenuActionReviewProfiles:   "Repository routing and review composition",
@@ -12503,14 +12508,15 @@ func TestInitMenuItemsUseInfrastructureDescriptionsBeforeConfiguredCounts(t *tes
 
 func TestInitMenuStyledViewShowsRootMenuOrder(t *testing.T) {
 	model := newInitMenuModel(initMenuPrompt{
-		HasWorkspace:         true,
-		ActiveProfileName:    "default",
-		LLMRuntimeCount:      2,
-		ReviewerEntityCount:  3,
-		ReviewProfileCount:   1,
-		CanConfigureLLM:      true,
-		CanConfigureReviewer: true,
-		CanSave:              true,
+		HasWorkspace:          true,
+		ActiveProfileName:     "default",
+		RepositoryAccessCount: 4,
+		LLMRuntimeCount:       2,
+		ReviewerEntityCount:   3,
+		ReviewProfileCount:    1,
+		CanConfigureLLM:       true,
+		CanConfigureReviewer:  true,
+		CanSave:               true,
 	})
 	out := model.View()
 	assertContentOrder(t, out,
@@ -12519,6 +12525,8 @@ func TestInitMenuStyledViewShowsRootMenuOrder(t *testing.T) {
 		"Actions",
 		"Configure secrets storage",
 		"Credential stores for tokens and keys",
+		"Configure repository access",
+		"4 repository access entries configured",
 		"Configure LLM runtimes",
 		"2 runtimes configured",
 		"Configure reviewer entities",
@@ -12539,7 +12547,7 @@ func TestInitMenuStyledViewShowsRootMenuOrder(t *testing.T) {
 	if !strings.Contains(plainOut, "> [x] Configure secrets storage") {
 		t.Fatalf("view missing selected option marker:\n%s", out)
 	}
-	if !strings.Contains(plainOut, "  [ ] Configure LLM runtimes") {
+	if !strings.Contains(plainOut, "  [ ] Configure repository access") {
 		t.Fatalf("view missing unselected option marker:\n%s", out)
 	}
 	if strings.Contains(out, "Configure LLM runtimes (2)") || strings.Contains(out, "Configure review profiles (1)") {
@@ -12624,8 +12632,8 @@ func TestInitMenuNavigationSkipsDisabledRows(t *testing.T) {
 	model.selected = initMenuSelectedIndex(model.items, initMenuActionSecretsManagement)
 	next, _ := model.Update(tea.KeyMsg{Type: tea.KeyDown})
 	result := next.(initMenuModel)
-	if got := result.items[result.selected].Action; got != initMenuActionLLMRuntimes {
-		t.Fatalf("after down selected action = %q, want LLM runtimes", got)
+	if got := result.items[result.selected].Action; got != initMenuActionRepositoryAccess {
+		t.Fatalf("after down selected action = %q, want repository access", got)
 	}
 
 	result.selected = initMenuSelectedIndex(result.items, initMenuActionReviewerEntities)
@@ -12670,7 +12678,7 @@ func TestHuhInitMenuPrompterAccessibleShowsMenuEntries(t *testing.T) {
 	t.Setenv("TERM", "dumb")
 	var stderr bytes.Buffer
 	prompter := huhInitMenuPrompter{
-		stdin:  strings.NewReader("7\n"),
+		stdin:  strings.NewReader("8\n"),
 		stderr: &stderr,
 	}
 	action, err := prompter.ChooseAction(initMenuPrompt{
@@ -12688,6 +12696,7 @@ func TestHuhInitMenuPrompterAccessibleShowsMenuEntries(t *testing.T) {
 	out := stderr.String()
 	for _, want := range []string{
 		"Configure secrets storage",
+		"Configure repository access",
 		"Configure LLM runtimes",
 		"Configure reviewer entities",
 		"Configure review profiles",
@@ -12710,6 +12719,7 @@ func TestHuhInitMenuPrompterAccessibleShowsMenuEntries(t *testing.T) {
 	}
 	assertContentOrder(t, out,
 		"Configure secrets storage",
+		"Configure repository access",
 		"Configure LLM runtimes",
 		"Configure reviewer entities",
 		"Configure review profiles",
@@ -12726,12 +12736,13 @@ func TestHuhInitMenuPrompterAccessibleNumericOrder(t *testing.T) {
 		want  initMenuAction
 	}{
 		{input: "1\n", want: initMenuActionSecretsManagement},
-		{input: "2\n", want: initMenuActionLLMRuntimes},
-		{input: "3\n", want: initMenuActionReviewerEntities},
-		{input: "4\n", want: initMenuActionReviewProfiles},
-		{input: "5\n", want: initMenuActionGlobalSettings},
-		{input: "6\n", want: initMenuActionSave},
-		{input: "7\n", want: initMenuActionExit},
+		{input: "2\n", want: initMenuActionRepositoryAccess},
+		{input: "3\n", want: initMenuActionLLMRuntimes},
+		{input: "4\n", want: initMenuActionReviewerEntities},
+		{input: "5\n", want: initMenuActionReviewProfiles},
+		{input: "6\n", want: initMenuActionGlobalSettings},
+		{input: "7\n", want: initMenuActionSave},
+		{input: "8\n", want: initMenuActionExit},
 	}
 	for _, tt := range tests {
 		var stderr bytes.Buffer
@@ -12822,8 +12833,8 @@ func TestHuhInitMenuPrompterAccessibleRejectsDisabledSaveUntilChangesStaged(t *t
 	var stderr bytes.Buffer
 	prompter := huhInitMenuPrompter{
 		stdin: strings.NewReader(strings.Join([]string{
-			"6", // Commit staged changes and exit (disabled)
-			"7", // Discard staged changes and exit
+			"7", // Commit staged changes and exit (disabled)
+			"8", // Discard staged changes and exit
 			"",
 		}, "\n")),
 		stderr: &stderr,
@@ -12844,7 +12855,7 @@ func TestHuhInitMenuPrompterAccessibleAllowsLLMBeforeProfileExists(t *testing.T)
 	t.Setenv("TERM", "dumb")
 	var stderr bytes.Buffer
 	prompter := huhInitMenuPrompter{
-		stdin:  strings.NewReader("2\n"),
+		stdin:  strings.NewReader("3\n"),
 		stderr: &stderr,
 	}
 	action, err := prompter.ChooseAction(initMenuPrompt{})
@@ -12863,7 +12874,7 @@ func TestHuhInitMenuPrompterAccessibleAllowsReviewerBeforeProfileExists(t *testi
 	t.Setenv("TERM", "dumb")
 	var stderr bytes.Buffer
 	prompter := huhInitMenuPrompter{
-		stdin:  strings.NewReader("3\n"),
+		stdin:  strings.NewReader("4\n"),
 		stderr: &stderr,
 	}
 	action, err := prompter.ChooseAction(initMenuPrompt{})
@@ -14519,6 +14530,81 @@ func TestInitInteractiveMenuExitWithoutSaveLeavesConfigUntouched(t *testing.T) {
 	}
 }
 
+func TestInitInteractiveMenuStagesStandaloneRepositoryAccess(t *testing.T) {
+	path := filepath.Join(t.TempDir(), "config.yml")
+	writeRawCredentialTestConfig(t, path, "profiles: {}\n")
+	opts := &root.Options{
+		Stdin:      strings.NewReader(""),
+		Stdout:     &bytes.Buffer{},
+		Stderr:     &bytes.Buffer{},
+		ConfigPath: path,
+	}
+	menu := &fakeInitMenuPrompter{
+		actions: []initMenuAction{
+			initMenuActionRepositoryAccess,
+			initMenuActionSave,
+		},
+	}
+	repositoryPrompts := 0
+	deps := initDeps{
+		menuPrompter: menu,
+		repositoryPrompter: initRepositoryAccessPrompterFunc(func(prompt initRepositoryAccessPrompt) (initDraft, error) {
+			repositoryPrompts++
+			if repositoryPrompts > 1 {
+				return initDraft{}, errInitNavigateBack
+			}
+			if !prompt.Context.StandaloneRepositoryAccessMode {
+				t.Fatal("repository access prompt did not run in standalone mode")
+			}
+			if len(prompt.Context.GitScopes) != 0 {
+				t.Fatalf("GitScopes = %#v, want empty before creating repository access", prompt.Context.GitScopes)
+			}
+			return initDraft{
+				RepositoryAccessName: "work-git",
+				GitHost:              "github.company.com",
+				GitAuth:              string(config.GitAuthModePAT),
+				GitCredentialStore:   config.LocalOSCredentialStoreID,
+				GitCredentialRef:     "codereview/work-git",
+			}, nil
+		}),
+		configPath: func(*root.Options) (string, error) { return path, nil },
+		loadConfig: func(string) (config.File, bool, error) {
+			return config.File{Profiles: map[string]config.Profile{}}, false, nil
+		},
+		saveConfig: config.Save,
+	}
+
+	if err := runInitWithDeps(&cobra.Command{}, opts, initOptions{}, deps); err != nil {
+		t.Fatalf("runInitWithDeps: %v", err)
+	}
+	if repositoryPrompts != 1 {
+		t.Fatalf("repositoryPrompts = %d, want 1", repositoryPrompts)
+	}
+	if len(menu.prompts) != 2 {
+		t.Fatalf("menu prompts = %d, want repository access then save", len(menu.prompts))
+	}
+	if !menu.prompts[1].CanSave {
+		t.Fatalf("second menu prompt CanSave = false, want true after repository access staging")
+	}
+	cfg, err := config.Load(path)
+	if err != nil {
+		t.Fatalf("Load config: %v", err)
+	}
+	access, ok := cfg.RepositoryAccess["work-git"]
+	if !ok {
+		t.Fatalf("repository_access = %#v, want work-git", cfg.RepositoryAccess)
+	}
+	if access.DisplayName != "work-git" {
+		t.Fatalf("display_name = %q, want work-git", access.DisplayName)
+	}
+	if access.Git.Host != "github.company.com" || access.Git.AuthMode != config.GitAuthModePAT {
+		t.Fatalf("repository access git = %#v, want company PAT", access.Git)
+	}
+	if access.Git.Credential.Store != config.LocalOSCredentialStoreID || access.Git.Credential.Name != "codereview/work-git" {
+		t.Fatalf("repository access credential = %#v, want local-os/codereview/work-git", access.Git.Credential)
+	}
+}
+
 func TestInitInteractiveMenuCarriesGlobalSettingsIntoFirstProfile(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	writeRawCredentialTestConfig(t, path, "profiles: {}\n")
@@ -21406,6 +21492,12 @@ func (f initLLMRuntimePrompterFunc) EditLLMRuntime(prompt initLLMRuntimePrompt)
 	return f(prompt)
 }
 
+type initRepositoryAccessPrompterFunc func(initRepositoryAccessPrompt) (initDraft, error)
+
+func (f initRepositoryAccessPrompterFunc) EditRepositoryAccess(prompt initRepositoryAccessPrompt) (initDraft, error) {
+	return f(prompt)
+}
+
 type initReviewerEntityPrompterFunc func(initReviewerEntityPrompt) (initDraft, error)
 
 func (f initReviewerEntityPrompterFunc) EditReviewerEntity(prompt initReviewerEntityPrompt) (initDraft, error) {
diff --git a/internal/cmd/credentialcmd/init_menu.go b/internal/cmd/credentialcmd/init_menu.go
index 698c6f59..a63ce977 100644
--- a/internal/cmd/credentialcmd/init_menu.go
+++ b/internal/cmd/credentialcmd/init_menu.go
@@ -81,6 +81,11 @@ func initMenuItems(prompt initMenuPrompt) []initMenuItem {
 			Title:       "Configure secrets storage",
 			Description: "Credential stores for tokens and keys",
 		},
+		{
+			Action:      initMenuActionRepositoryAccess,
+			Title:       "Configure repository access",
+			Description: initMenuConfiguredDescription(prompt.RepositoryAccessCount, "repository access", "repository access entries", "Git hosts and user credentials"),
+		},
 		{
 			Action:      initMenuActionLLMRuntimes,
 			Title:       "Configure LLM runtimes",
@@ -141,7 +146,7 @@ func initMenuDisabledReason(prompt initMenuPrompt, action initMenuAction) string
 		if !prompt.CanSave {
 			return "stage changes before committing"
 		}
-	case initMenuActionSecretsManagement, initMenuActionLLMRuntimes, initMenuActionReviewerEntities, initMenuActionReviewProfiles, initMenuActionGlobalSettings, initMenuActionExit:
+	case initMenuActionSecretsManagement, initMenuActionRepositoryAccess, initMenuActionLLMRuntimes, initMenuActionReviewerEntities, initMenuActionReviewProfiles, initMenuActionGlobalSettings, initMenuActionExit:
 	}
 	return ""
 }
diff --git a/internal/cmd/credentialcmd/init_repository_access_editor.go b/internal/cmd/credentialcmd/init_repository_access_editor.go
new file mode 100644
index 00000000..8226bc73
--- /dev/null
+++ b/internal/cmd/credentialcmd/init_repository_access_editor.go
@@ -0,0 +1,225 @@
+package credentialcmd
+
+import (
+	"fmt"
+	"io"
+	"sort"
+	"strings"
+
+	tea "github.com/charmbracelet/bubbletea"
+	"github.com/charmbracelet/huh"
+
+	"github.com/open-cli-collective/codereview-cli/internal/config"
+	"github.com/open-cli-collective/codereview-cli/internal/credentials"
+)
+
+type initRepositoryAccessEditorRunner func(initLinearEditor, io.Reader, io.Writer) (initLinearEditorModel, error)
+
+const (
+	initRepositoryAccessFieldSelection       initLinearFieldID = "repository_access_selection"
+	initRepositoryAccessFieldName            initLinearFieldID = "repository_access_name"
+	initRepositoryAccessFieldHost            initLinearFieldID = "repository_access_host"
+	initRepositoryAccessFieldAuth            initLinearFieldID = "repository_access_auth"
+	initRepositoryAccessFieldGitHubAppID     initLinearFieldID = "repository_access_github_app_id"
+	initRepositoryAccessFieldCredentialStore initLinearFieldID = "repository_access_credential_store"
+	initRepositoryAccessFieldCredentialName  initLinearFieldID = "repository_access_credential_name"
+	initRepositoryAccessFieldAction          initLinearFieldID = "repository_access_action"
+)
+
+const initConfigureNewRepositoryAccessSelection = "__configure_new_repository_access__"
+
+func (p huhInitRepositoryAccessPrompter) EditRepositoryAccess(prompt initRepositoryAccessPrompt) (initDraft, error) {
+	seed := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
+	editor := initRepositoryAccessLinearEditor(prompt.Context, seed)
+	model, err := p.runRepositoryAccessEditor(editor)
+	if err != nil {
+		return initDraft{}, err
+	}
+	switch model.resultAction {
+	case initDetailActionEdit:
+		return initRepositoryAccessDraftFromDocument(seed, model.document), nil
+	default:
+		return initDraft{}, errInitNavigateBack
+	}
+}
+
+func (p huhInitRepositoryAccessPrompter) runRepositoryAccessEditor(editor initLinearEditor) (initLinearEditorModel, error) {
+	if p.editorRunner != nil {
+		return p.editorRunner(editor, p.stdin, p.stderr)
+	}
+	program := tea.NewProgram(newInitLinearEditorModel(editor, 100, 28), tea.WithInput(p.stdin), tea.WithOutput(p.stderr))
+	finalModel, err := program.Run()
+	if err != nil {
+		return initLinearEditorModel{}, err
+	}
+	model, ok := finalModel.(initLinearEditorModel)
+	if !ok {
+		return initLinearEditorModel{}, fmt.Errorf("repository access editor returned %T", finalModel)
+	}
+	return model, nil
+}
+
+func initRepositoryAccessLinearEditor(ctx initPromptContext, seed initDraft) initLinearEditor {
+	options := initRepositoryAccessSelectionOptions(ctx.GitScopes)
+	selection := initRepositoryAccessDefaultSelection(ctx, options)
+	scope := initRepositoryAccessScopeForSelection(ctx, selection)
+
+	var document initLinearDocument
+	document.addSection("Repository access", "Configure how cr accesses Git hosts as you. Review profiles select one repository access entry.")
+	document.addEditableSelect(initRepositoryAccessFieldSelection, "Repository access", "", options, selection)
+	document.addEditableInput(initRepositoryAccessFieldName, "Repository access name", "Stable name for this repository access entry.", scope.Name, validateRequiredText("repository access name is required"))
+	document.addEditableInput(initRepositoryAccessFieldHost, "Git host", "Git host this access entry applies to, such as github.com or github.mycompany.com.", scope.Host, validateRequiredText("git host is required"))
+	document.addEditableSelect(initRepositoryAccessFieldAuth, "Git auth mode", "", []huh.Option[string]{
+		huh.NewOption("Personal access token", string(config.GitAuthModePAT)),
+		huh.NewOption("GitHub App", string(config.GitAuthModeGitHubApp)),
+	}, string(scope.AuthMode))
+	document.addEditableInput(initRepositoryAccessFieldGitHubAppID, "GitHub App ID", "Numeric GitHub App ID. This is not a secret and is saved in config.yml.", scope.GitHubAppID, validateOptionalDecimalID("GitHub App ID"), initLinearFieldOptions{Hidden: scope.AuthMode != config.GitAuthModeGitHubApp})
+	document.addEditableSelect(initRepositoryAccessFieldCredentialStore, "Git credential store", "Where this access entry's Git credential is stored.", initCredentialStoreOptions(ctx.ExistingConfig), initCredentialStoreDraftValue(scope.CredentialStore))
+	document.addEditableInput(initRepositoryAccessFieldCredentialName, "Git credential name", "Full credential name under the selected store.", scope.CredentialRef, validateRequiredCredentialRef)
+	document.addEditableSelect(initRepositoryAccessFieldAction, "Repository access action", "", []huh.Option[string]{
+		huh.NewOption("Stage repository access settings", initDetailActionEdit),
+		huh.NewOption("Back without staging", initDetailActionBack),
+	}, initDetailActionEdit)
+
+	editor := initLinearEditor{
+		Document: document,
+		OnFieldChange: func(model *initLinearEditorModel, index int) {
+			if index < 0 || index >= len(model.document) {
+				return
+			}
+			switch model.document[index].ID {
+			case initRepositoryAccessFieldSelection:
+				initRepositoryAccessSyncFields(model, ctx)
+			case initRepositoryAccessFieldAuth:
+				initRepositoryAccessSyncGitHubAppField(model)
+			}
+		},
+		OnEnter: func(model *initLinearEditorModel) (bool, tea.Cmd) {
+			if model.focused < 0 || model.focused >= len(model.document) {
+				return false, nil
+			}
+			if model.document[model.focused].ID != initRepositoryAccessFieldAction {
+				return false, nil
+			}
+			switch model.document.selectedValue(initRepositoryAccessFieldAction) {
+			case initDetailActionBack:
+				model.resultAction = initDetailActionBack
+				return true, tea.Quit
+			case initDetailActionEdit:
+				if err := validateRepositoryAccessDocument(model.document); err != nil {
+					model.document[model.focused].Error = err.Error()
+					model.relayout()
+					model.ensureFocusedVisible()
+					return true, nil
+				}
+				model.resultAction = initDetailActionEdit
+				return true, tea.Quit
+			default:
+				return true, nil
+			}
+		},
+	}
+	model := newInitLinearEditorModel(editor, 100, 28)
+	initRepositoryAccessSyncFields(&model, ctx)
+	editor.Document = model.document
+	return editor
+}
+
+func initRepositoryAccessSelectionOptions(scopes map[string]initGitScopeDraft) []huh.Option[string] {
+	names := make([]string, 0, len(scopes))
+	for name := range scopes {
+		names = append(names, name)
+	}
+	sort.Strings(names)
+	options := make([]huh.Option[string], 0, len(names)+1)
+	for _, name := range names {
+		options = append(options, huh.NewOption(initGitScopeLabel(scopes[name]), name))
+	}
+	options = append(options, huh.NewOption("Configure new repository access", initConfigureNewRepositoryAccessSelection))
+	return options
+}
+
+func initRepositoryAccessDefaultSelection(ctx initPromptContext, options []huh.Option[string]) string {
+	if ctx.ExistingProfileName != "" {
+		if selected := strings.TrimSpace(ctx.ProfileGitScopes[ctx.ExistingProfileName]); selected != "" {
+			return normalizeInitStringSelectionValue(selected, options)
+		}
+	}
+	return normalizeInitStringSelectionValue(initConfigureNewRepositoryAccessSelection, options)
+}
+
+func initRepositoryAccessScopeForSelection(ctx initPromptContext, selection string) initGitScopeDraft {
+	if selection != initConfigureNewRepositoryAccessSelection {
+		if scope, ok := ctx.GitScopes[selection]; ok {
+			scope.Name = selection
+			return scope
+		}
+	}
+	name := uniqueInitGitScopeName(ctx.GitScopes, initGitScopeDraft{
+		Host:     "github.com",
+		AuthMode: config.GitAuthModePAT,
+	}.suggestedName())
+	ref, _ := credentials.FormatRef(name)
+	return initGitScopeDraft{
+		Name:            name,
+		Host:            "github.com",
+		AuthMode:        config.GitAuthModePAT,
+		CredentialStore: initCredentialStoreDefaultID(),
+		CredentialRef:   ref,
+	}
+}
+
+func initRepositoryAccessSyncFields(model *initLinearEditorModel, ctx initPromptContext) {
+	selection := model.document.selectedValue(initRepositoryAccessFieldSelection)
+	scope := initRepositoryAccessScopeForSelection(ctx, selection)
+	model.setFieldValue(initRepositoryAccessFieldName, scope.Name)
+	model.setFieldValue(initRepositoryAccessFieldHost, scope.Host)
+	model.selectFieldValue(initRepositoryAccessFieldAuth, string(scope.AuthMode))
+	model.setFieldValue(initRepositoryAccessFieldGitHubAppID, scope.GitHubAppID)
+	model.selectFieldValue(initRepositoryAccessFieldCredentialStore, initCredentialStoreDraftValue(scope.CredentialStore))
+	model.setFieldValue(initRepositoryAccessFieldCredentialName, scope.CredentialRef)
+	initRepositoryAccessSyncGitHubAppField(model)
+}
+
+func initRepositoryAccessSyncGitHubAppField(model *initLinearEditorModel) {
+	authMode := config.GitAuthMode(model.document.selectedValue(initRepositoryAccessFieldAuth))
+	hidden := authMode != config.GitAuthModeGitHubApp
+	model.setFieldHidden(initRepositoryAccessFieldGitHubAppID, hidden)
+	if hidden {
+		model.setFieldValue(initRepositoryAccessFieldGitHubAppID, "")
+	}
+}
+
+func validateRepositoryAccessDocument(document initLinearDocument) error {
+	if err := validateRequiredText("repository access name is required")(document.fieldValue(initRepositoryAccessFieldName)); err != nil {
+		return err
+	}
+	if err := validateRequiredText("git host is required")(document.fieldValue(initRepositoryAccessFieldHost)); err != nil {
+		return err
+	}
+	if config.GitAuthMode(document.selectedValue(initRepositoryAccessFieldAuth)) == config.GitAuthModeGitHubApp {
+		appID := strings.TrimSpace(document.fieldValue(initRepositoryAccessFieldGitHubAppID))
+		if appID == "" {
+			return fmt.Errorf("GitHub App ID is required")
+		}
+		if err := validateOptionalDecimalID("GitHub App ID")(appID); err != nil {
+			return err
+		}
+	}
+	return validateRequiredCredentialRef(document.fieldValue(initRepositoryAccessFieldCredentialName))
+}
+
+func initRepositoryAccessDraftFromDocument(seed initDraft, document initLinearDocument) initDraft {
+	draft := seed
+	draft.RepositoryAccessName = strings.TrimSpace(document.fieldValue(initRepositoryAccessFieldName))
+	draft.GitHost = strings.TrimSpace(document.fieldValue(initRepositoryAccessFieldHost))
+	draft.GitAuth = document.selectedValue(initRepositoryAccessFieldAuth)
+	draft.GitHubAppID = strings.TrimSpace(document.fieldValue(initRepositoryAccessFieldGitHubAppID))
+	draft.GitCredentialStore = initCredentialStoreDraftValue(document.selectedValue(initRepositoryAccessFieldCredentialStore))
+	draft.GitCredentialRef = strings.TrimSpace(document.fieldValue(initRepositoryAccessFieldCredentialName))
+	selection := document.selectedValue(initRepositoryAccessFieldSelection)
+	if selection != "" && selection != initConfigureNewRepositoryAccessSelection {
+		draft.ActionTarget = selection
+	}
+	return draft
+}

From c9ca1454d702cf9d31dc02afc9c0343919ca375d Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Mon, 22 Jun 2026 07:57:44 -0400
Subject: [PATCH 12/27] Make review profiles select repository access

---
 internal/cmd/credentialcmd/credentialcmd.go   |  26 ++
 .../cmd/credentialcmd/credentialcmd_test.go   | 224 ++++++++----------
 internal/cmd/credentialcmd/init_menu.go       |   6 +-
 internal/cmd/credentialcmd/init_profile_v2.go | 146 ++++--------
 4 files changed, 177 insertions(+), 225 deletions(-)

diff --git a/internal/cmd/credentialcmd/credentialcmd.go b/internal/cmd/credentialcmd/credentialcmd.go
index b7a73057..b0f8bb45 100644
--- a/internal/cmd/credentialcmd/credentialcmd.go
+++ b/internal/cmd/credentialcmd/credentialcmd.go
@@ -2939,6 +2939,32 @@ func initGitScopeOptions(scopes map[string]initGitScopeDraft) []huh.Option[strin
 	return options
 }
 
+func initRepositoryAccessProfileOptions(scopes map[string]initGitScopeDraft) []huh.Option[string] {
+	names := make([]string, 0, len(scopes))
+	for name := range scopes {
+		names = append(names, name)
+	}
+	sort.Strings(names)
+	options := make([]huh.Option[string], 0, len(names))
+	for _, name := range names {
+		scope := scopes[name]
+		options = append(options, huh.NewOption(initGitScopeLabel(scope), name))
+	}
+	return options
+}
+
+func firstInitGitScopeName(scopes map[string]initGitScopeDraft) string {
+	names := make([]string, 0, len(scopes))
+	for name := range scopes {
+		names = append(names, name)
+	}
+	sort.Strings(names)
+	if len(names) == 0 {
+		return ""
+	}
+	return names[0]
+}
+
 func initGitScopeLabel(scope initGitScopeDraft) string {
 	label := fmt.Sprintf("%s via %s", scope.Host, initGitAuthModeLabel(scope.AuthMode))
 	if strings.TrimSpace(scope.Name) != "" {
diff --git a/internal/cmd/credentialcmd/credentialcmd_test.go b/internal/cmd/credentialcmd/credentialcmd_test.go
index cf2b4af0..050c2f6f 100644
--- a/internal/cmd/credentialcmd/credentialcmd_test.go
+++ b/internal/cmd/credentialcmd/credentialcmd_test.go
@@ -8404,7 +8404,21 @@ func TestHuhInitPrompterAccessibleHidesReviewerEntityLabelForProfileGitAccount(t
 
 	_, err := prompter.Run(initPromptContext{
 		RequestedProfileName: "default",
-		ExistingConfig:       config.File{Profiles: map[string]config.Profile{}},
+		ExistingConfig: config.File{
+			Profiles: map[string]config.Profile{},
+			RepositoryAccess: map[string]config.RepositoryAccessConfig{
+				testInitProfileV2GitScopeName: {
+					Git: config.GitConfig{
+						Host:     "github.com",
+						AuthMode: config.GitAuthModePAT,
+						Credential: config.CredentialLocation{
+							Store: config.LocalOSCredentialStoreID,
+							Name:  "codereview/github-work",
+						},
+					},
+				},
+			},
+		},
 	})
 	if err != nil {
 		t.Fatalf("Run: %v", err)
@@ -12485,16 +12499,16 @@ func TestInitMenuItemsOrdersRootMenuAndMovesCountsToDescriptions(t *testing.T) {
 
 func TestInitMenuItemsUseInfrastructureDescriptionsBeforeConfiguredCounts(t *testing.T) {
 	items := initMenuItems(initMenuPrompt{
-		CanConfigureLLM:      true,
-		CanConfigureReviewer: true,
-		CanSave:              true,
+		RepositoryAccessCount: 1,
+		CanConfigureLLM:       true,
+		CanConfigureReviewer:  true,
+		CanSave:               true,
 	})
 	descriptions := map[initMenuAction]string{}
 	for _, item := range items {
 		descriptions[item.Action] = item.Description
 	}
 	tests := map[initMenuAction]string{
-		initMenuActionRepositoryAccess: "Git hosts and user credentials",
 		initMenuActionLLMRuntimes:      "Model providers and runtime credentials",
 		initMenuActionReviewerEntities: "Reviewer identities and posting credentials",
 		initMenuActionReviewProfiles:   "Repository routing and review composition",
@@ -12751,13 +12765,14 @@ func TestHuhInitMenuPrompterAccessibleNumericOrder(t *testing.T) {
 			stderr: &stderr,
 		}
 		action, err := prompter.ChooseAction(initMenuPrompt{
-			HasWorkspace:         true,
-			LLMRuntimeCount:      2,
-			ReviewerEntityCount:  3,
-			ReviewProfileCount:   1,
-			CanConfigureLLM:      true,
-			CanConfigureReviewer: true,
-			CanSave:              true,
+			HasWorkspace:          true,
+			RepositoryAccessCount: 1,
+			LLMRuntimeCount:       2,
+			ReviewerEntityCount:   3,
+			ReviewProfileCount:    1,
+			CanConfigureLLM:       true,
+			CanConfigureReviewer:  true,
+			CanSave:               true,
 		})
 		if err != nil {
 			t.Fatalf("ChooseAction(%q): %v", tt.input, err)
@@ -12945,13 +12960,12 @@ func TestInitProfileV2ReadOnlyContentRendersTargetOrderWithRealData(t *testing.T
 
 	for _, want := range []string{
 		"Review profile",
+		"Repository access",
+		"github.enterprise via GitHub App",
 		"Profile name",
-		"> open-cli-collective",
+		"open-cli-collective",
 		"Automatic profile selection",
 		"github.com/open-cli-collective",
-		"Git scope",
-		"Git scope host",
-		"github.enterprise",
 		"Reviewer entity",
 		"OCC reviewer (GitHub App reviewer)",
 		"LLM runtime",
@@ -12967,11 +12981,6 @@ func TestInitProfileV2ReadOnlyContentRendersTargetOrderWithRealData(t *testing.T
 		"Enable self-approve",
 		"Auto-resolve",
 		"24h",
-		"Git credentials",
-		"Git credential store",
-		initBuiltInOSCredentialStoreTitle(),
-		"Git credential name",
-		"codereview/custom-git",
 		"Profile action",
 		"Stage profile settings",
 		"Back without staging",
@@ -12996,19 +13005,29 @@ func TestInitProfileV2ReadOnlyContentRendersTargetOrderWithRealData(t *testing.T
 		}
 	}
 	assertContentOrder(
-		"Profile name",
+		"Repository access",
 		"Automatic profile selection",
 		"Route entries",
-		"Git scope",
 		"Reviewer entity",
 		"LLM runtime",
 		"Minimum reviewer model tier",
 		"Model tier mapping",
+		"Profile name",
 		"Additional reviewer-agent directories (optional)",
 		"Review policy",
-		"Git credentials",
 		"Profile action",
 	)
+	for _, absent := range []string{
+		"Git credentials",
+		"Git credential store",
+		"Git credential name",
+		"Git scope host",
+		"Git scope auth mode",
+	} {
+		if strings.Contains(content, absent) {
+			t.Fatalf("content contains removed profile-local Git control %q:\n%s", absent, content)
+		}
+	}
 }
 
 func TestInitProfileV2ReadOnlyModelFocusNavigationPreservesRouteGuidance(t *testing.T) {
@@ -13363,45 +13382,23 @@ func TestInitProfileV2GitScopePreservesSelectedScopeInDraft(t *testing.T) {
 	}
 }
 
-func TestInitProfileV2GitScopeCustomEditsDraft(t *testing.T) {
-	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithGitScope(
-		"monit",
-		"gitlab.com/SignalFT",
-		initCustomGitScopeSelection,
-		nil,
-		initDraft{
-			OriginalProfileName: "monit",
-			ProfileName:         "monit",
-			GitHost:             "github.enterprise",
-			GitAuth:             string(config.GitAuthModeGitHubApp),
+func TestInitProfileV2GitScopeRejectsRoutesForDifferentHost(t *testing.T) {
+	gitScopes := map[string]initGitScopeDraft{
+		"gitlab-work": {
+			Host:          "gitlab.com",
+			AuthMode:      config.GitAuthModePAT,
+			CredentialRef: "codereview/gitlab-work",
 		},
-	), 160, 24)
-
-	model = focusInitProfileV2Field(t, model, initProfileV2FieldGitHost)
-	model = updateInitProfileV2ReadOnlyModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
-	model = typeInitProfileV2Text(t, model, "gitlab.com")
-	model = focusInitProfileV2Field(t, model, initProfileV2FieldGitAuth)
-	model = updateInitProfileV2ReadOnlyModel(t, model, tea.KeyMsg{Type: tea.KeyUp})
-
-	draft, err := model.validatedDraft()
-	if err != nil {
-		t.Fatalf("validatedDraft: %v", err)
 	}
-	if draft.GitHost != "gitlab.com" || draft.GitAuth != string(config.GitAuthModePAT) {
-		t.Fatalf("draft Git = (%q,%q), want edited custom Git host/auth", draft.GitHost, draft.GitAuth)
-	}
-}
-
-func TestInitProfileV2GitScopeRejectsRoutesForDifferentHost(t *testing.T) {
 	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithGitScope(
 		"monit",
 		"github.com/SignalFT",
-		initCustomGitScopeSelection,
-		nil,
+		"gitlab-work",
+		gitScopes,
 		initDraft{
 			OriginalProfileName: "monit",
 			ProfileName:         "monit",
-			GitHost:             "gitlab.com",
+			GitHost:             "github.com",
 			GitAuth:             string(config.GitAuthModePAT),
 		},
 	), 160, 24)
@@ -13745,8 +13742,8 @@ func TestInitProfileV2ReviewPolicyDraftsSelections(t *testing.T) {
 		config.ReviewPolicy{},
 		"codereview/monit",
 		true,
-		nil,
-		initCustomGitScopeSelection,
+		testInitProfileV2GitScopes(),
+		testInitProfileV2GitScopeName,
 	), 160, 40)
 	model = selectInitProfileV2FieldValue(t, model, initProfileV2FieldReviewMajorEvent, string(config.ReviewMajorEventRequestChanges))
 	model = selectInitProfileV2FieldValue(t, model, initProfileV2FieldSelfApprove, initSelfApproveEnable)
@@ -13779,8 +13776,8 @@ func TestInitProfileV2ReviewPolicyRejectsInvalidDuration(t *testing.T) {
 		config.ReviewPolicy{},
 		"codereview/monit",
 		true,
-		nil,
-		initCustomGitScopeSelection,
+		testInitProfileV2GitScopes(),
+		testInitProfileV2GitScopeName,
 	), 160, 24)
 	model = focusInitProfileV2Field(t, model, initProfileV2FieldResolveAfter)
 	model = typeInitProfileV2Text(t, model, "tomorrow")
@@ -13796,65 +13793,6 @@ func TestInitProfileV2ReviewPolicyRejectsInvalidDuration(t *testing.T) {
 	}
 }
 
-func TestInitProfileV2GitCredentialNameDraftsCustomName(t *testing.T) {
-	gitScopes := map[string]initGitScopeDraft{
-		"github-work": {
-			Host:            "github.com",
-			AuthMode:        config.GitAuthModePAT,
-			CredentialStore: config.LocalOSCredentialStoreID,
-			CredentialRef:   "codereview/monit",
-		},
-	}
-	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithReviewPolicyAndGitStorage(
-		"monit",
-		"github.com/SignalFT",
-		config.ReviewPolicy{},
-		"codereview/monit",
-		true,
-		gitScopes,
-		"github-work",
-	), 160, 40)
-	model = focusInitProfileV2Field(t, model, initProfileV2FieldGitCredentialName)
-	model = updateInitProfileV2ReadOnlyModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
-	model = typeInitProfileV2Text(t, model, "codereview/custom-monit-git")
-
-	draft, err := model.validatedDraft()
-	if err != nil {
-		t.Fatalf("validatedDraft: %v", err)
-	}
-	if draft.GitCredentialRef != "codereview/custom-monit-git" {
-		t.Fatalf("draft.GitCredentialRef = %q, want custom credential name", draft.GitCredentialRef)
-	}
-	if draft.GitCredentialStore != config.LocalOSCredentialStoreID {
-		t.Fatalf("draft.GitCredentialStore = %q, want local-os", draft.GitCredentialStore)
-	}
-}
-
-func TestInitProfileV2GitCredentialNameRejectsInvalidCredentialRef(t *testing.T) {
-	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithReviewPolicyAndGitStorage(
-		"monit",
-		"github.com/SignalFT",
-		config.ReviewPolicy{},
-		"codereview/monit",
-		true,
-		nil,
-		initCustomGitScopeSelection,
-	), 160, 24)
-	model = focusInitProfileV2Field(t, model, initProfileV2FieldGitCredentialName)
-	model = updateInitProfileV2ReadOnlyModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
-	model = typeInitProfileV2Text(t, model, "not-a-ref")
-
-	if !strings.Contains(model.View(), "credential ref") {
-		index := model.document.fieldIndexByID(initProfileV2FieldGitCredentialName)
-		if index < 0 || !strings.Contains(model.document[index].Error, "credential ref") {
-			t.Fatalf("git credential name field error = %q, want credential-ref validation", model.document[index].Error)
-		}
-	}
-	if _, err := model.validatedDraft(); err == nil {
-		t.Fatal("validatedDraft error = nil, want credential-ref validation")
-	}
-}
-
 func TestInitProfileV2GitCredentialNameFollowsChangedScopeDefaultWhenUnedited(t *testing.T) {
 	gitScopes := map[string]initGitScopeDraft{
 		"old-git": {
@@ -14019,7 +13957,21 @@ func TestBubbleTeaInitProfileV2PrompterSkipsChooserWhenNoProfilesExist(t *testin
 
 	_, err := prompter.Run(initPromptContext{
 		RequestedProfileName: "default",
-		ExistingConfig:       config.File{Profiles: map[string]config.Profile{}},
+		ExistingConfig: config.File{
+			Profiles: map[string]config.Profile{},
+			RepositoryAccess: map[string]config.RepositoryAccessConfig{
+				testInitProfileV2GitScopeName: {
+					Git: config.GitConfig{
+						Host:     "github.com",
+						AuthMode: config.GitAuthModePAT,
+						Credential: config.CredentialLocation{
+							Store: config.LocalOSCredentialStoreID,
+							Name:  "codereview/github-work",
+						},
+					},
+				},
+			},
+		},
 	})
 	if !errors.Is(err, errInitNavigateBack) {
 		t.Fatalf("Run error = %v, want direct create back to main menu", err)
@@ -14310,7 +14262,23 @@ func newTestInitProfileV2Editor(profileName string, routeText string) initProfil
 			GitHost:             "github.com",
 			GitAuth:             string(config.GitAuthModePAT),
 		},
-		Document: document,
+		GitScopes:        testInitProfileV2GitScopes(),
+		SelectedGitScope: testInitProfileV2GitScopeName,
+		Document:         document,
+	}
+}
+
+const testInitProfileV2GitScopeName = "github-work"
+
+func testInitProfileV2GitScopes() map[string]initGitScopeDraft {
+	return map[string]initGitScopeDraft{
+		testInitProfileV2GitScopeName: {
+			Name:            testInitProfileV2GitScopeName,
+			Host:            "github.com",
+			AuthMode:        config.GitAuthModePAT,
+			CredentialStore: config.LocalOSCredentialStoreID,
+			CredentialRef:   "codereview/github-work",
+		},
 	}
 }
 
@@ -14345,6 +14313,8 @@ func newTestInitProfileV2EditorWithSelections(profileName string, routeText stri
 	document.addEditableSelect(initProfileV2FieldReviewerModelTier, initReviewerModelTierTitle, initReviewerModelTierDescription, initReviewerModelTierOptions(), draft.LLMReviewerModelTier)
 	return initProfileV2Editor{
 		Draft:                  draft,
+		GitScopes:              testInitProfileV2GitScopes(),
+		SelectedGitScope:       testInitProfileV2GitScopeName,
 		ReviewerEntities:       reviewerEntities,
 		LLMRuntimes:            llmRuntimes,
 		CredentialStoreOptions: storeOptions,
@@ -14369,8 +14339,10 @@ func newTestInitProfileV2EditorWithModelMap(profileName string, routeText string
 	initProfileV2AppendRouteSection(&document, routeText)
 	initProfileV2AppendModelMapSection(&document, llm, modelMap)
 	return initProfileV2Editor{
-		Draft:    draft,
-		Document: document,
+		Draft:            draft,
+		GitScopes:        testInitProfileV2GitScopes(),
+		SelectedGitScope: testInitProfileV2GitScopeName,
+		Document:         document,
 	}
 }
 
@@ -14404,6 +14376,8 @@ func newTestInitProfileV2EditorWithRuntimeAndModelMap(profileName string, routeT
 	initProfileV2AppendModelMapSection(&document, initProfileEditorModelMapLLM(draft, normalizedRuntime, llmRuntimes), draft.ModelMap)
 	return initProfileV2Editor{
 		Draft:                  draft,
+		GitScopes:              testInitProfileV2GitScopes(),
+		SelectedGitScope:       testInitProfileV2GitScopeName,
 		LLMRuntimes:            llmRuntimes,
 		CredentialStoreOptions: storeOptions,
 		Document:               document,
@@ -14427,8 +14401,10 @@ func newTestInitProfileV2EditorWithAgentSources(profileName string, routeText st
 	initProfileV2AppendRouteSection(&document, routeText)
 	initProfileV2AppendAgentSourcesSection(&document, agentSources)
 	return initProfileV2Editor{
-		Draft:    draft,
-		Document: document,
+		Draft:            draft,
+		GitScopes:        testInitProfileV2GitScopes(),
+		SelectedGitScope: testInitProfileV2GitScopeName,
+		Document:         document,
 	}
 }
 
diff --git a/internal/cmd/credentialcmd/init_menu.go b/internal/cmd/credentialcmd/init_menu.go
index a63ce977..c9562266 100644
--- a/internal/cmd/credentialcmd/init_menu.go
+++ b/internal/cmd/credentialcmd/init_menu.go
@@ -146,7 +146,11 @@ func initMenuDisabledReason(prompt initMenuPrompt, action initMenuAction) string
 		if !prompt.CanSave {
 			return "stage changes before committing"
 		}
-	case initMenuActionSecretsManagement, initMenuActionRepositoryAccess, initMenuActionLLMRuntimes, initMenuActionReviewerEntities, initMenuActionReviewProfiles, initMenuActionGlobalSettings, initMenuActionExit:
+	case initMenuActionReviewProfiles:
+		if prompt.RepositoryAccessCount == 0 {
+			return "configure repository access before creating review profiles"
+		}
+	case initMenuActionSecretsManagement, initMenuActionRepositoryAccess, initMenuActionLLMRuntimes, initMenuActionReviewerEntities, initMenuActionGlobalSettings, initMenuActionExit:
 	}
 	return ""
 }
diff --git a/internal/cmd/credentialcmd/init_profile_v2.go b/internal/cmd/credentialcmd/init_profile_v2.go
index b84dc62f..4e66a47d 100644
--- a/internal/cmd/credentialcmd/init_profile_v2.go
+++ b/internal/cmd/credentialcmd/init_profile_v2.go
@@ -198,6 +198,10 @@ func newInitProfileV2ReadOnlyModel(editor initProfileV2Editor, width, height int
 	if height <= 0 {
 		height = 28
 	}
+	selectedGitScope := editor.SelectedGitScope
+	if selectedGitScope == "" {
+		selectedGitScope = firstInitGitScopeName(editor.GitScopes)
+	}
 	vp := viewport.New(width, max(height-2, 1))
 	model := initProfileV2ReadOnlyModel{
 		viewport:                   vp,
@@ -206,7 +210,7 @@ func newInitProfileV2ReadOnlyModel(editor initProfileV2Editor, width, height int
 		reviewerEntities:           maps.Clone(editor.ReviewerEntities),
 		llmRuntimes:                maps.Clone(editor.LLMRuntimes),
 		credentialStoreOptions:     append([]huh.Option[string](nil), editor.CredentialStoreOptions...),
-		selectedGitScope:           editor.SelectedGitScope,
+		selectedGitScope:           selectedGitScope,
 		initialGitStorageLabel:     editor.InitialGitStorageLabel,
 		gitStorageLabelUsesDefault: editor.GitStorageLabelUsesDefault,
 		document:                   editor.Document,
@@ -323,26 +327,25 @@ func initProfileV2ReadOnlyDocument(ctx initPromptContext, selection string) (ini
 }
 
 func initProfileV2ReadOnlyEditor(ctx initPromptContext, selection string) (initProfileV2Editor, error) {
+	if ctx.GitScopes == nil || ctx.ProfileGitScopes == nil {
+		ctx.GitScopes, ctx.ProfileGitScopes = buildInitGitScopeInventory(ctx.ExistingConfig)
+	}
+	if len(ctx.GitScopes) == 0 {
+		return initProfileV2Editor{}, fmt.Errorf("configure repository access before creating review profiles")
+	}
 	selectedProfileName, selectedExistingProfile, requestedProfileName := initProfileV2Selection(ctx, selection)
 	draft := seedInteractiveInitDraft(requestedProfileName, selectedProfileName, selectedExistingProfile)
 	routeText := formatInitRouteSpecs(currentProfileRouteSpecs(ctx.ExistingConfig.RepositoryProfiles, selectedProfileName))
 
 	selectedGitScope := ctx.ProfileGitScopes[selectedProfileName]
 	if selectedGitScope == "" {
-		selectedGitScope = initCustomGitScopeSelection
+		selectedGitScope = firstInitGitScopeName(ctx.GitScopes)
 	}
-	selectedGit := initGitScopeDraft{
-		Host:            draft.GitHost,
-		AuthMode:        config.GitAuthMode(draft.GitAuth),
-		GitHubAppID:     strings.TrimSpace(draft.GitHubAppID),
-		CredentialStore: initCredentialStoreDraftValue(draft.GitCredentialStore),
-		CredentialRef:   strings.TrimSpace(draft.GitCredentialRef),
-	}
-	if scopeName := ctx.ProfileGitScopes[selectedProfileName]; scopeName != "" {
-		if scope, ok := ctx.GitScopes[scopeName]; ok {
-			selectedGit = scope
-		}
+	if _, ok := ctx.GitScopes[selectedGitScope]; !ok {
+		selectedGitScope = firstInitGitScopeName(ctx.GitScopes)
 	}
+	applyGitScopeSelection(&draft, selectedGitScope, ctx.GitScopes)
+	selectedGit := ctx.GitScopes[selectedGitScope]
 
 	reviewerEntity := initReviewerEntityDraftFromSeedDraft(draft)
 	selectedReviewerEntity := ctx.ProfileReviewerEntities[selectedProfileName]
@@ -360,12 +363,6 @@ func initProfileV2ReadOnlyEditor(ctx initPromptContext, selection string) (initP
 	llmRuntimeOptions, selectedLLMRuntime := initProfileEditorLLMRuntimeSelection(llmRuntimes, ctx.ProfileLLMRuntimes[selectedProfileName], draft)
 	modelMapLLM := initProfileEditorModelMapLLM(draft, selectedLLMRuntime, llmRuntimes)
 
-	standardGitCredentialRef, err := initStandardGitCredentialRef(draft.ProfileName, selectedGitScope, ctx.GitScopes)
-	if err != nil {
-		return initProfileV2Editor{}, err
-	}
-	gitStorageLabel := initEffectiveStorageLabelValue(draft.GitCredentialRef, standardGitCredentialRef)
-	gitStorageLabelUsesDefault := initStorageLabelUsesDefault(gitStorageLabel, standardGitCredentialRef)
 	standardLLMCredentialRef, err := initStandardLLMCredentialRef(draft.ProfileName, selectedLLMRuntime, llmRuntimes)
 	if err != nil {
 		return initProfileV2Editor{}, err
@@ -377,34 +374,31 @@ func initProfileV2ReadOnlyEditor(ctx initPromptContext, selection string) (initP
 
 	var document initProfileV2Document
 	document.addSection("Review profile", "Repository routing and review composition.")
-	profileNameInput := initProfileV2ProfileNameInput(ctx, selectedExistingProfile, draft)
-	profileNameValidate := validateProfileName
-	if selectedExistingProfile == nil && strings.TrimSpace(profileNameInput) == "" {
-		profileNameValidate = validateOptionalProfileName
-	}
-	document.addEditableInput(initProfileV2FieldProfileName, "Profile name", "Human-friendly name for this review profile.", profileNameInput, profileNameValidate)
+	initProfileV2AppendGitScopeSection(&document, selectedGitScope, initRepositoryAccessProfileOptions(ctx.GitScopes), draft, true)
 	initProfileV2AppendRouteSection(&document, routeText)
-	initProfileV2AppendGitScopeSection(&document, selectedGitScope, initGitScopeOptions(ctx.GitScopes), draft, selectedGitScope == initCustomGitScopeSelection || len(ctx.GitScopes) > 1)
 	document.addEditableSelect(initProfileV2FieldReviewerEntity, "Reviewer entity", reviewerEntitySelectionDescription(), reviewerEntityOptions, selectedReviewerEntity)
 	initProfileV2AppendReviewerGitHubAppInstallationSection(&document, selectedReviewerEntity, ctx.ReviewerEntities, draft)
 	document.addEditableSelect(initProfileV2FieldLLMRuntime, "LLM runtime", "Choose how reviewer agents run for this profile.", llmRuntimeOptions, selectedLLMRuntime)
 	initProfileV2AppendLLMStorageSection(&document, storeOptions, draft.LLMCredentialStore, draft.LLMCredentialRef, !initLLMStorageLabelRelevant(selectedLLMRuntime, llmRuntimes))
 	document.addEditableSelect(initProfileV2FieldReviewerModelTier, initReviewerModelTierTitle, initReviewerModelTierDescription, initReviewerModelTierOptions(), draft.LLMReviewerModelTier)
 	initProfileV2AppendModelMapSection(&document, modelMapLLM, draft.ModelMap)
+	profileNameInput := initProfileV2ProfileNameInput(ctx, selectedExistingProfile, draft)
+	profileNameValidate := validateProfileName
+	if selectedExistingProfile == nil && strings.TrimSpace(profileNameInput) == "" {
+		profileNameValidate = validateOptionalProfileName
+	}
+	document.addEditableInput(initProfileV2FieldProfileName, "Profile name", "Human-friendly name for this review profile.", profileNameInput, profileNameValidate)
 	initProfileV2AppendAgentSourcesSection(&document, draft.AgentSources)
 	initProfileV2AppendReviewPolicySection(&document, draft.ReviewPolicy)
-	initProfileV2AppendGitStorageSection(&document, storeOptions, draft.GitCredentialStore, gitStorageLabel)
 	initProfileV2AppendProfileActionSection(&document)
 	return initProfileV2Editor{
-		Draft:                      draft,
-		GitScopes:                  maps.Clone(ctx.GitScopes),
-		ReviewerEntities:           maps.Clone(ctx.ReviewerEntities),
-		LLMRuntimes:                maps.Clone(llmRuntimes),
-		CredentialStoreOptions:     storeOptions,
-		SelectedGitScope:           selectedGitScope,
-		InitialGitStorageLabel:     gitStorageLabel,
-		GitStorageLabelUsesDefault: gitStorageLabelUsesDefault,
-		Document:                   document,
+		Draft:                  draft,
+		GitScopes:              maps.Clone(ctx.GitScopes),
+		ReviewerEntities:       maps.Clone(ctx.ReviewerEntities),
+		LLMRuntimes:            maps.Clone(llmRuntimes),
+		CredentialStoreOptions: storeOptions,
+		SelectedGitScope:       selectedGitScope,
+		Document:               document,
 	}, nil
 }
 
@@ -497,19 +491,12 @@ func initProfileV2AppendRouteSection(document *initProfileV2Document, routeText
 	document.addEditableInput(initProfileV2FieldRoutes, "Route entries", "Examples: github.com/YourOrg; github.com/YourOrg/repo; github.com/YourOrg [RepoA, RepoB]. Leave blank for explicit --profile selection only.", routeText, validateInitProfileV2RouteText)
 }
 
-func initProfileV2AppendGitScopeSection(document *initProfileV2Document, selectedScope string, scopeOptions []huh.Option[string], draft initDraft, visible bool) {
+func initProfileV2AppendGitScopeSection(document *initProfileV2Document, selectedScope string, scopeOptions []huh.Option[string], _ initDraft, visible bool) {
 	if !visible {
 		return
 	}
-	customHidden := selectedScope != initCustomGitScopeSelection
-	document.addSection("Git scope", "Choose an existing Git scope or configure host/auth settings for this profile.")
-	document.addEditableSelect(initProfileV2FieldGitScope, "Git scope", "", scopeOptions, selectedScope)
-	document.addEditableInput(initProfileV2FieldGitHost, "Git scope host", "Git host this review profile applies to, such as github.com or github.mycompany.com.", draft.GitHost, validateRequiredText("git host is required"), initProfileV2FieldOptions{Hidden: customHidden})
-	document.addEditableSelect(initProfileV2FieldGitAuth, "Git scope auth mode", "", []huh.Option[string]{
-		huh.NewOption("Personal access token", string(config.GitAuthModePAT)),
-		huh.NewOption("GitHub App", string(config.GitAuthModeGitHubApp)),
-	}, draft.GitAuth, initProfileV2FieldOptions{Hidden: customHidden})
-	document.addEditableInput(initProfileV2FieldGitHubAppID, "GitHub App ID", "Numeric GitHub App ID. This is not a secret and is saved in config.yml.", draft.GitHubAppID, validateOptionalDecimalID("GitHub App ID"), initProfileV2FieldOptions{Hidden: customHidden || config.GitAuthMode(draft.GitAuth) != config.GitAuthModeGitHubApp})
+	document.addSection("Repository access", "Choose how cr accesses Git repositories for this profile.")
+	document.addEditableSelect(initProfileV2FieldGitScope, "Repository access", "", scopeOptions, selectedScope)
 }
 
 func initProfileV2AppendReviewerGitHubAppInstallationSection(document *initProfileV2Document, selectedReviewerEntity string, entities map[string]initReviewerEntityDraft, draft initDraft) {
@@ -835,41 +822,10 @@ func (m initProfileV2ReadOnlyModel) validatedDraft() (initDraft, error) {
 	if selectedGitScope == "" {
 		selectedGitScope = m.selectedGitScope
 	}
-	if selectedGitScope == "" {
-		selectedGitScope = initCustomGitScopeSelection
-	}
-	if selectedGitScope == initCustomGitScopeSelection {
-		gitHost := m.document.fieldValue(initProfileV2FieldGitHost)
-		if strings.TrimSpace(gitHost) != "" {
-			draft.GitHost = strings.TrimSpace(gitHost)
-		}
-		gitAuth := m.document.selectedValue(initProfileV2FieldGitAuth)
-		if gitAuth != "" {
-			draft.GitAuth = gitAuth
-		}
-		if config.GitAuthMode(draft.GitAuth) == config.GitAuthModeGitHubApp {
-			appID := strings.TrimSpace(m.document.fieldValue(initProfileV2FieldGitHubAppID))
-			if appID == "" {
-				return draft, fmt.Errorf("GitHub App ID is required when Git scope auth mode is GitHub App")
-			}
-			if err := validateOptionalDecimalID("GitHub App ID")(appID); err != nil {
-				return draft, err
-			}
-			draft.GitHubAppID = appID
-		} else {
-			draft.GitHubAppID = ""
-		}
-	} else {
-		applyGitScopeSelection(&draft, selectedGitScope, m.gitScopes)
-	}
-	if m.document.fieldIndexByID(initProfileV2FieldGitCredentialName) >= 0 {
-		gitName := strings.TrimSpace(m.document.fieldValue(initProfileV2FieldGitCredentialName))
-		if err := validateRequiredCredentialRef(gitName); err != nil {
-			return draft, err
-		}
-		draft.GitCredentialStore = initCredentialStoreDraftValue(m.document.selectedValue(initProfileV2FieldGitCredentialStore))
-		draft.GitCredentialRef = gitName
+	if selectedGitScope == "" || selectedGitScope == initCustomGitScopeSelection {
+		return draft, fmt.Errorf("repository access is required")
 	}
+	applyGitScopeSelection(&draft, selectedGitScope, m.gitScopes)
 	if _, err := applyInitProfileRoutes(nil, draft.ProfileName, draft.GitHost, routes); err != nil {
 		return draft, err
 	}
@@ -973,28 +929,18 @@ func (m *initProfileV2ReadOnlyModel) syncGitScopeFields() {
 		selectedGitScope = initCustomGitScopeSelection
 	}
 	m.selectedGitScope = selectedGitScope
-	custom := selectedGitScope == initCustomGitScopeSelection
-	if !custom {
-		if scope, ok := m.gitScopes[selectedGitScope]; ok {
-			m.setFieldValue(initProfileV2FieldGitHost, scope.Host)
-			m.selectFieldValue(initProfileV2FieldGitAuth, string(scope.AuthMode))
-			m.setFieldValue(initProfileV2FieldGitHubAppID, scope.GitHubAppID)
-			m.selectFieldValue(initProfileV2FieldGitCredentialStore, initCredentialStoreDraftValue(scope.CredentialStore))
-			if strings.TrimSpace(scope.CredentialRef) != "" {
-				m.setFieldValue(initProfileV2FieldGitCredentialName, scope.CredentialRef)
-			}
-		}
-	}
-	m.setFieldHidden(initProfileV2FieldGitHost, !custom)
-	m.setFieldHidden(initProfileV2FieldGitAuth, !custom)
-	if !custom || config.GitAuthMode(m.document.selectedValue(initProfileV2FieldGitAuth)) != config.GitAuthModeGitHubApp {
-		m.setFieldHidden(initProfileV2FieldGitHubAppID, true)
-		if custom {
-			m.setFieldValue(initProfileV2FieldGitHubAppID, "")
+	if scope, ok := m.gitScopes[selectedGitScope]; ok {
+		m.setFieldValue(initProfileV2FieldGitHost, scope.Host)
+		m.selectFieldValue(initProfileV2FieldGitAuth, string(scope.AuthMode))
+		m.setFieldValue(initProfileV2FieldGitHubAppID, scope.GitHubAppID)
+		m.selectFieldValue(initProfileV2FieldGitCredentialStore, initCredentialStoreDraftValue(scope.CredentialStore))
+		if strings.TrimSpace(scope.CredentialRef) != "" {
+			m.setFieldValue(initProfileV2FieldGitCredentialName, scope.CredentialRef)
 		}
-	} else {
-		m.setFieldHidden(initProfileV2FieldGitHubAppID, false)
 	}
+	m.setFieldHidden(initProfileV2FieldGitHost, true)
+	m.setFieldHidden(initProfileV2FieldGitAuth, true)
+	m.setFieldHidden(initProfileV2FieldGitHubAppID, true)
 	if m.focused >= 0 && m.focused < len(m.document) && m.document[m.focused].Hidden {
 		m.focused = m.document.nextFocusableField(m.focused)
 		if m.focused >= len(m.document) || m.document[m.focused].Hidden {

From 2c0b9fda7f9b40e98d180518bb6d1e1e4c59c594 Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Mon, 22 Jun 2026 08:01:53 -0400
Subject: [PATCH 13/27] Update init docs for repository access

---
 README.md                | 27 ++++++++++++---
 docs/init-ux-contract.md | 71 +++++++++++++++++++++++-----------------
 version.txt              |  2 +-
 3 files changed, 65 insertions(+), 35 deletions(-)

diff --git a/README.md b/README.md
index da026063..40b93eea 100644
--- a/README.md
+++ b/README.md
@@ -79,6 +79,12 @@ additional stores from interactive `cr init` under **Configure secrets
 storage**. The built-in `local-os` store is read-only configuration and cannot
 be removed.
 
+Interactive `cr init` treats credential stores, repository access, LLM runtimes,
+reviewer entities, and review profiles as separate reusable building blocks.
+Configure repository access to define how `cr` accesses Git repositories as the
+current user; review profiles then select one configured repository-access entry
+instead of editing Git credentials inline.
+
 Interactive `cr init` discovers available secrets backends by default so it can
 offer local 1Password account/vault choices and passive backend availability
 checks. Use `cr init --secret-backend-discovery=safe` to skip active inventory
@@ -707,15 +713,28 @@ Prints the build version as `cr <version-info>`. It takes no arguments.
 cr init [flags]
 ```
 
-Creates or updates non-secret config. In v1, `--non-interactive` is required.
-If the selected profile already exists, pass `--replace-profile` to replace the
-profile config.
+Creates or updates non-secret config. If the selected profile already exists,
+pass `--replace-profile` to replace the profile config.
+
+Without `--non-interactive`, `cr init` opens an interactive workspace builder.
+The main menu stages changes in reusable areas before a final commit:
+
+1. Configure secrets storage
+2. Configure repository access
+3. Configure LLM runtimes
+4. Configure reviewer entities
+5. Configure review profiles
+6. Configure global settings
+
+Review profiles compose repository access, reviewer entity, and LLM runtime
+selections. Repository access must be configured before creating a review
+profile.
 
 Flags:
 
 | Flag | Semantics |
 |------|-----------|
-| `--non-interactive` | Required in v1. Run without prompts. |
+| `--non-interactive` | Run without prompts. |
 | `--git-host <host>` | Git host, default `github.com`. The PR host must match this value. |
 | `--git-credential-ref <name>` | Credential name for Git auth. Defaults to `codereview/<profile>`. |
 | `--git-token-stdin` | Read the Git token from stdin and write key `git_token`. |
diff --git a/docs/init-ux-contract.md b/docs/init-ux-contract.md
index 31472174..2ac3d200 100644
--- a/docs/init-ux-contract.md
+++ b/docs/init-ux-contract.md
@@ -24,22 +24,22 @@ Use this document to answer:
 
 Interactive `init` should use these primary user-facing terms:
 
-- **Git scope**: the Git host and main Git credentials that define where a
-  review profile operates. Examples for v1 are `github.com` and GitHub
-  Enterprise hosts such as `github.mycompany.com`.
+- **Repository access**: the reusable Git host and current-user Git credentials
+  that define how `cr` accesses repositories. Examples for v1 are `github.com`
+  and GitHub Enterprise hosts such as `github.mycompany.com`.
 - **Reviewer entity**: the actor that posts `COMMENT`, `APPROVE`, or
   `REQUEST_CHANGES` on pull requests.
 - **LLM runtime**: the way reviewer agents run and authenticate, such as Claude
   CLI subscription auth, Codex CLI subscription auth, Pi local runtime, or a
   direct API-key-backed provider path.
-- **Review profile**: one saved profile assembled from a Git scope, an LLM
-  runtime, and a reviewer entity, plus its related review policy, routes, and
-  optional advanced settings.
+- **Review profile**: one saved profile assembled from repository access, an
+  LLM runtime, and a reviewer entity, plus its related review policy, routes,
+  and optional advanced settings.
 
 Supporting language is allowed when it helps teach the model:
 
 - A profile is the saved result.
-- A Git scope is the thing the user chooses while assembling that profile.
+- Repository access is the thing the user chooses while assembling that profile.
 - Credential storage is user-facing as **credential store** plus **credential
   name**. The name is the full visible `codereview/...` path written to the
   selected store.
@@ -48,7 +48,7 @@ Supporting language is allowed when it helps teach the model:
 
 Interactive `cr init` should teach this composition:
 
-`Git scope + reviewer entity + LLM runtime = review profile`
+`Repository access + reviewer entity + LLM runtime = review profile`
 
 The user should understand:
 
@@ -59,7 +59,7 @@ The user should understand:
 The user should not need to understand the on-disk config schema in order to
 complete the primary path.
 
-## GitHub Scope For V1
+## GitHub Repository Access For V1
 
 Prompt language for Git hosts should stay GitHub and GitHub Enterprise oriented
 for v1.
@@ -79,16 +79,19 @@ profiles before saving.
 The intended top-level shape is:
 
 1. Configure secrets storage
-2. Configure LLM runtimes
-3. Configure reviewer entities
-4. Configure review profiles
-5. Configure global settings
-6. Commit staged changes and exit
-7. Discard staged changes and exit
+2. Configure repository access
+3. Configure LLM runtimes
+4. Configure reviewer entities
+5. Configure review profiles
+6. Configure global settings
+7. Commit staged changes and exit
+8. Discard staged changes and exit
 
 This ordering is intentional:
 
 - LLM runtime setup is usually obvious to the user and easy to reason about.
+- Repository access setup makes current-user Git host and credential routing a
+  reusable building block instead of profile-local inline fields.
 - Reviewer entity setup gives the user a clear explanation for who will post
   reviews and why they may need a separate actor.
 - Review profiles compose those earlier choices into saved working
@@ -110,7 +113,7 @@ For a first-time user, interactive `init` should:
 The first-run user should be able to understand:
 
 - what a profile is
-- what Git scope means
+- what repository access means
 - what a reviewer entity is
 - why an LLM runtime is required
 - what is optional versus required to make a profile usable
@@ -126,7 +129,7 @@ When editing an existing profile, interactive `init` should:
 - default destructive changes to preserve
 - surface missing required secrets early enough for the user to react before the
   final save
-- keep route reconciliation tied to Git scope changes
+- keep route reconciliation tied to repository access changes
 - preserve the existing rename/default/route semantics owned by shared helpers
 
 ## Commit And Discard Semantics
@@ -194,9 +197,9 @@ secret values, and the final readiness summary should continue to report
 follow-up credential work without leaking values.
 
 All credential-bearing init flows should show equivalent non-secret destination
-context before collecting secret values. This includes Git credentials, reviewer
-PAT/GitHub App credentials, and LLM API keys handled by the shared credential
-collector.
+context before collecting secret values. This includes repository-access Git
+credentials, reviewer PAT/GitHub App credentials, and LLM API keys handled by
+the shared credential collector.
 
 Destination summaries should include:
 
@@ -215,14 +218,19 @@ environment variable names may be shown only as backend-auth env var names.
 
 ## Draft-Local Reuse Rules
 
-LLM runtimes and reviewer entities are reusable saved building blocks.
+Repository access definitions, LLM runtimes, and reviewer entities are reusable
+saved building blocks.
 
 That means:
 
+- interactive draft state may name and reuse repository access across multiple
+  draft profiles
 - interactive draft state may name and reuse LLM runtimes across multiple draft
   profiles
 - interactive draft state may name and reuse reviewer entities across multiple
   draft profiles
+- committed repository access definitions are persisted under
+  `repository_access`
 - committed LLM runtimes are persisted under `llm_runtimes`
 - committed reviewer entities are persisted under `reviewer_entities`
 - saved profiles reference those building blocks by name
@@ -247,7 +255,7 @@ contextual variants of the same fallback choice, such as:
 
 This means:
 
-- the review is posted with the profile's main Git credentials
+- the review is posted with the profile's selected repository access credentials
 - no separate reviewer credential location is created for that choice
 - in the current schema, that exports as `ReviewerCredentials=nil`
 
@@ -293,8 +301,9 @@ all of those profiles rather than only the active profile.
 Interactive `init` may hide the raw schema, but the contract between user terms
 and saved config must stay stable:
 
-- **Git scope** maps to `profile.git`, plus repository-route implications when
-  the profile participates in `repository_profiles`.
+- **Repository access** maps to a saved `repository_access.<name>` entry. A
+  profile selects it with `profiles.<profile>.repository_access`, and runtime
+  code resolves `profile.git` from that selection.
 - **LLM runtime** maps to a saved `llm_runtimes.<name>` entry. A profile selects
   it with `profiles.<profile>.llm_runtime`.
 - **Reviewer entity** maps to a saved `reviewer_entities.<name>` entry. A
@@ -312,17 +321,19 @@ Interactive `init` should show credential storage as an explicit destination
 choice, not as a hidden default.
 
 Primary-path users should choose a credential store and see or edit the full
-credential name. There is no namespace, label, or prefix prompt. Instead:
+credential name when configuring the building block that owns that credential.
+There is no namespace, label, or prefix prompt. Instead:
 
 - defaults should be generated automatically
+- repository access owns current-user Git credential locations
 - new reviewer defaults may follow the typed entity label, for example
   `rianjs-bot` becomes `codereview/rianjs-bot-reviewer`
 - changing an existing reviewer display name must not migrate or rename the
   existing credential name
-- users who need an override may edit the relevant inline **credential name**
-  fields for Git, reviewer, or LLM secrets
-- irrelevant reviewer/LLM credential-name fields should stay hidden when the
-  profile is using its Git account or a subscription runtime
+- users who need an override may edit the relevant **credential name** field on
+  the repository-access, reviewer-entity, or LLM-runtime building block
+- irrelevant reviewer/LLM credential-name fields should stay hidden when a
+  reviewer entity uses no separate secret or a runtime uses subscription auth
 - any advanced path should still explain that these names are non-secret
   pointers to credential-store entries, not the secrets themselves
 - users who need to change where secrets are stored should configure/select a
@@ -340,7 +351,7 @@ The top-level auxiliary areas should cover:
 - secrets-storage settings for credential-store/backend behavior
 
 These settings matter, but they are not part of the primary
-`Git scope + reviewer entity + LLM runtime = review profile` model.
+`Repository access + reviewer entity + LLM runtime = review profile` model.
 
 ## Non-Interactive Regression Contract
 
diff --git a/version.txt b/version.txt
index eb49d7c7..aec258df 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-0.7
+0.8

From ad219378a97351b21b31c930ed4689b820491c5c Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Mon, 22 Jun 2026 09:43:25 -0400
Subject: [PATCH 14/27] Auto-sync repository access credential names

---
 .../cmd/credentialcmd/credentialcmd_test.go   | 57 ++++++++++++++++
 .../init_repository_access_editor.go          | 66 ++++++++++++++++++-
 2 files changed, 120 insertions(+), 3 deletions(-)

diff --git a/internal/cmd/credentialcmd/credentialcmd_test.go b/internal/cmd/credentialcmd/credentialcmd_test.go
index 050c2f6f..5f2044fa 100644
--- a/internal/cmd/credentialcmd/credentialcmd_test.go
+++ b/internal/cmd/credentialcmd/credentialcmd_test.go
@@ -14581,6 +14581,63 @@ func TestInitInteractiveMenuStagesStandaloneRepositoryAccess(t *testing.T) {
 	}
 }
 
+func TestInitRepositoryAccessEditorDefaultsToLocalGitHubUsername(t *testing.T) {
+	oldGitConfig := initRepositoryAccessGitConfigValue
+	t.Cleanup(func() { initRepositoryAccessGitConfigValue = oldGitConfig })
+	initRepositoryAccessGitConfigValue = func(key string) string {
+		if key == "github.user" {
+			return "RianJS"
+		}
+		return ""
+	}
+
+	model := newInitLinearEditorModel(initRepositoryAccessLinearEditor(initPromptContext{}, initDraft{}), 160, 40)
+
+	if got, want := model.document.fieldValue(initRepositoryAccessFieldName), "github-rianjs"; got != want {
+		t.Fatalf("repository access name = %q, want %q", got, want)
+	}
+	if got, want := model.document.fieldValue(initRepositoryAccessFieldCredentialName), "codereview/github-rianjs"; got != want {
+		t.Fatalf("credential name = %q, want %q", got, want)
+	}
+	refIndex := model.document.fieldIndexByID(initRepositoryAccessFieldCredentialName)
+	if refIndex < 0 || !model.document[refIndex].AutoManaged {
+		t.Fatalf("credential name AutoManaged = false, want true")
+	}
+}
+
+func TestInitRepositoryAccessEditorAutoUpdatesCredentialRefFromName(t *testing.T) {
+	oldGitConfig := initRepositoryAccessGitConfigValue
+	t.Cleanup(func() { initRepositoryAccessGitConfigValue = oldGitConfig })
+	initRepositoryAccessGitConfigValue = func(string) string { return "" }
+
+	model := newInitLinearEditorModel(initRepositoryAccessLinearEditor(initPromptContext{}, initDraft{}), 160, 40)
+	model = focusInitLinearField(t, model, initRepositoryAccessFieldName)
+	model = updateInitLinearEditorModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
+	model = typeInitLinearText(t, model, "github-rianjs")
+
+	if got, want := model.document.fieldValue(initRepositoryAccessFieldCredentialName), "codereview/github-rianjs"; got != want {
+		t.Fatalf("credential name = %q, want %q", got, want)
+	}
+}
+
+func TestInitRepositoryAccessEditorManualCredentialRefStopsAutoUpdate(t *testing.T) {
+	oldGitConfig := initRepositoryAccessGitConfigValue
+	t.Cleanup(func() { initRepositoryAccessGitConfigValue = oldGitConfig })
+	initRepositoryAccessGitConfigValue = func(string) string { return "" }
+
+	model := newInitLinearEditorModel(initRepositoryAccessLinearEditor(initPromptContext{}, initDraft{}), 160, 40)
+	model = focusInitLinearField(t, model, initRepositoryAccessFieldCredentialName)
+	model = updateInitLinearEditorModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
+	model = typeInitLinearText(t, model, "codereview/custom-git")
+	model = focusInitLinearField(t, model, initRepositoryAccessFieldName)
+	model = updateInitLinearEditorModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
+	model = typeInitLinearText(t, model, "github-rianjs")
+
+	if got, want := model.document.fieldValue(initRepositoryAccessFieldCredentialName), "codereview/custom-git"; got != want {
+		t.Fatalf("credential name = %q, want manual override %q", got, want)
+	}
+}
+
 func TestInitInteractiveMenuCarriesGlobalSettingsIntoFirstProfile(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	writeRawCredentialTestConfig(t, path, "profiles: {}\n")
diff --git a/internal/cmd/credentialcmd/init_repository_access_editor.go b/internal/cmd/credentialcmd/init_repository_access_editor.go
index 8226bc73..117fa6e5 100644
--- a/internal/cmd/credentialcmd/init_repository_access_editor.go
+++ b/internal/cmd/credentialcmd/init_repository_access_editor.go
@@ -3,11 +3,13 @@ package credentialcmd
 import (
 	"fmt"
 	"io"
+	"os/exec"
 	"sort"
 	"strings"
 
 	tea "github.com/charmbracelet/bubbletea"
 	"github.com/charmbracelet/huh"
+	"github.com/open-cli-collective/cli-common/credstore"
 
 	"github.com/open-cli-collective/codereview-cli/internal/config"
 	"github.com/open-cli-collective/codereview-cli/internal/credentials"
@@ -28,6 +30,14 @@ const (
 
 const initConfigureNewRepositoryAccessSelection = "__configure_new_repository_access__"
 
+var initRepositoryAccessGitConfigValue = func(key string) string {
+	out, err := exec.Command("git", "config", "--get", key).Output()
+	if err != nil {
+		return ""
+	}
+	return strings.TrimSpace(string(out))
+}
+
 func (p huhInitRepositoryAccessPrompter) EditRepositoryAccess(prompt initRepositoryAccessPrompt) (initDraft, error) {
 	seed := seedInteractiveInitDraft(prompt.Context.RequestedProfileName, prompt.Context.ExistingProfileName, prompt.Context.ExistingProfile)
 	editor := initRepositoryAccessLinearEditor(prompt.Context, seed)
@@ -90,6 +100,10 @@ func initRepositoryAccessLinearEditor(ctx initPromptContext, seed initDraft) ini
 			switch model.document[index].ID {
 			case initRepositoryAccessFieldSelection:
 				initRepositoryAccessSyncFields(model, ctx)
+			case initRepositoryAccessFieldName:
+				initRepositoryAccessMaybeUpdateAutoCredentialRef(model)
+			case initRepositoryAccessFieldCredentialName:
+				model.document[index].AutoManaged = false
 			case initRepositoryAccessFieldAuth:
 				initRepositoryAccessSyncGitHubAppField(model)
 			}
@@ -158,14 +172,13 @@ func initRepositoryAccessScopeForSelection(ctx initPromptContext, selection stri
 	name := uniqueInitGitScopeName(ctx.GitScopes, initGitScopeDraft{
 		Host:     "github.com",
 		AuthMode: config.GitAuthModePAT,
-	}.suggestedName())
-	ref, _ := credentials.FormatRef(name)
+	}.suggestedRepositoryAccessName())
 	return initGitScopeDraft{
 		Name:            name,
 		Host:            "github.com",
 		AuthMode:        config.GitAuthModePAT,
 		CredentialStore: initCredentialStoreDefaultID(),
-		CredentialRef:   ref,
+		CredentialRef:   initRepositoryAccessCredentialRef(name),
 	}
 }
 
@@ -178,9 +191,56 @@ func initRepositoryAccessSyncFields(model *initLinearEditorModel, ctx initPrompt
 	model.setFieldValue(initRepositoryAccessFieldGitHubAppID, scope.GitHubAppID)
 	model.selectFieldValue(initRepositoryAccessFieldCredentialStore, initCredentialStoreDraftValue(scope.CredentialStore))
 	model.setFieldValue(initRepositoryAccessFieldCredentialName, scope.CredentialRef)
+	if refIndex := model.document.fieldIndexByID(initRepositoryAccessFieldCredentialName); refIndex >= 0 {
+		model.document[refIndex].AutoManaged = initRepositoryAccessCredentialRef(scope.Name) == strings.TrimSpace(scope.CredentialRef)
+	}
 	initRepositoryAccessSyncGitHubAppField(model)
 }
 
+func initRepositoryAccessMaybeUpdateAutoCredentialRef(model *initLinearEditorModel) {
+	refIndex := model.document.fieldIndexByID(initRepositoryAccessFieldCredentialName)
+	if refIndex < 0 || !model.document[refIndex].AutoManaged {
+		return
+	}
+	model.setFieldValue(initRepositoryAccessFieldCredentialName, initRepositoryAccessCredentialRef(model.document.fieldValue(initRepositoryAccessFieldName)))
+	if refIndex = model.document.fieldIndexByID(initRepositoryAccessFieldCredentialName); refIndex >= 0 {
+		model.document[refIndex].AutoManaged = true
+	}
+}
+
+func initRepositoryAccessCredentialRef(name string) string {
+	segment := credstore.EscapeRefSegment(strings.TrimSpace(name))
+	ref, err := credentials.FormatRef(segment)
+	if err != nil {
+		return ""
+	}
+	return ref
+}
+
+func (scope initGitScopeDraft) suggestedRepositoryAccessName() string {
+	if config.NormalizeHost(scope.Host) == "github.com" && scope.AuthMode == config.GitAuthModePAT {
+		if username := initRepositoryAccessLocalGitHubUsername(); username != "" {
+			return "github-" + username
+		}
+	}
+	return scope.suggestedName()
+}
+
+func initRepositoryAccessLocalGitHubUsername() string {
+	for _, key := range []string{"github.user", "github.username"} {
+		if username := normalizeRepositoryAccessNameSegment(initRepositoryAccessGitConfigValue(key)); username != "" {
+			return username
+		}
+	}
+	return ""
+}
+
+func normalizeRepositoryAccessNameSegment(value string) string {
+	segment := credstore.EscapeRefSegment(strings.TrimSpace(value))
+	segment = strings.Trim(segment, "-_")
+	return strings.ToLower(segment)
+}
+
 func initRepositoryAccessSyncGitHubAppField(model *initLinearEditorModel) {
 	authMode := config.GitAuthMode(model.document.selectedValue(initRepositoryAccessFieldAuth))
 	hidden := authMode != config.GitAuthModeGitHubApp

From 307ab2f4ceefc0a0fc576f502ef6f6ba61aecb2d Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Mon, 22 Jun 2026 09:58:38 -0400
Subject: [PATCH 15/27] Collect repository access credentials inline

---
 internal/cmd/credentialcmd/credentialcmd.go   | 182 ++++++++++++--
 .../cmd/credentialcmd/credentialcmd_test.go   | 114 +++++++++
 .../init_repository_access_editor.go          | 229 +++++++++++++++++-
 .../init_reviewer_credential_status.go        |  30 ++-
 4 files changed, 516 insertions(+), 39 deletions(-)

diff --git a/internal/cmd/credentialcmd/credentialcmd.go b/internal/cmd/credentialcmd/credentialcmd.go
index b0f8bb45..e725e74a 100644
--- a/internal/cmd/credentialcmd/credentialcmd.go
+++ b/internal/cmd/credentialcmd/credentialcmd.go
@@ -231,29 +231,30 @@ type initFinalizePrompter interface {
 }
 
 type initPromptContext struct {
-	RequestedProfileName           string
-	ExistingProfileName            string
-	ExistingProfile                *config.Profile
-	ExistingProfileNames           []string
-	ExistingConfig                 config.File
-	BackendArg                     string
-	BackendFlagSet                 bool
-	GitScopes                      map[string]initGitScopeDraft
-	ProfileGitScopes               map[string]string
-	StandaloneRepositoryAccessMode bool
-	ReviewerEntities               map[string]initReviewerEntityDraft
-	ProfileReviewerEntities        map[string]string
-	ReviewerCredentialStatuses     []initReviewerCredentialStatus
-	StandaloneReviewerEntityMode   bool
-	SecretsProfiles                []config.EffectiveSecretsProfile
-	ProfileSecretsProfiles         map[string]string
-	BrokenProfileSecretsProfiles   map[string]string
-	LLMRuntimes                    map[string]initLLMRuntimeDraft
-	ProfileLLMRuntimes             map[string]string
-	ProfileWarnings                map[string][]string
-	PendingProfileDeletes          map[string]initPendingProfileDelete
-	PendingReviewerEntityDeletes   map[string]initPendingReviewerEntityDelete
-	PendingLLMRuntimeDeletes       map[string]initPendingLLMRuntimeDelete
+	RequestedProfileName               string
+	ExistingProfileName                string
+	ExistingProfile                    *config.Profile
+	ExistingProfileNames               []string
+	ExistingConfig                     config.File
+	BackendArg                         string
+	BackendFlagSet                     bool
+	GitScopes                          map[string]initGitScopeDraft
+	ProfileGitScopes                   map[string]string
+	StandaloneRepositoryAccessMode     bool
+	RepositoryAccessCredentialStatuses []initReviewerCredentialStatus
+	ReviewerEntities                   map[string]initReviewerEntityDraft
+	ProfileReviewerEntities            map[string]string
+	ReviewerCredentialStatuses         []initReviewerCredentialStatus
+	StandaloneReviewerEntityMode       bool
+	SecretsProfiles                    []config.EffectiveSecretsProfile
+	ProfileSecretsProfiles             map[string]string
+	BrokenProfileSecretsProfiles       map[string]string
+	LLMRuntimes                        map[string]initLLMRuntimeDraft
+	ProfileLLMRuntimes                 map[string]string
+	ProfileWarnings                    map[string][]string
+	PendingProfileDeletes              map[string]initPendingProfileDelete
+	PendingReviewerEntityDeletes       map[string]initPendingReviewerEntityDelete
+	PendingLLMRuntimeDeletes           map[string]initPendingLLMRuntimeDelete
 }
 
 type initDraftAction string
@@ -287,6 +288,11 @@ type initDraft struct {
 	ReviewerDisplayName               string
 	ReviewerGitHubAppInstallationMode string
 	ReviewerGitHubAppInstallationID   string
+	GitCredentialWriteRef             string
+	GitCredentialWriteStore           credentials.ResolvedSecretsProfile
+	GitCredentialWrites               map[string]string
+	GitCredentialOverwrite            bool
+	GitCredentialSatisfied            bool
 	ReviewerCredentialWriteRef        string
 	ReviewerCredentialWriteStore      credentials.ResolvedSecretsProfile
 	ReviewerCredentialWrites          map[string]string
@@ -1352,7 +1358,7 @@ func editInteractiveInitRepositoryAccess(_ *cobra.Command, opts *root.Options, _
 	if prompter == nil {
 		prompter = newHuhInitRepositoryAccessPrompter(opts)
 	}
-	promptCtx := currentInteractiveInitInventoryPromptContext(session)
+	promptCtx := currentInteractiveInitRepositoryAccessPromptContext(opts, deps, session)
 	promptCtx.StandaloneRepositoryAccessMode = true
 	draft, err := prompter.EditRepositoryAccess(initRepositoryAccessPrompt{Context: promptCtx})
 	if errors.Is(err, errInitNavigateBack) {
@@ -1361,7 +1367,12 @@ func editInteractiveInitRepositoryAccess(_ *cobra.Command, opts *root.Options, _
 	if err != nil {
 		return initSessionDraft{}, err
 	}
-	return stageStandaloneInteractiveInitRepositoryAccess(session, draft)
+	session, err = stageStandaloneInteractiveInitRepositoryAccess(session, draft)
+	if err != nil {
+		return initSessionDraft{}, err
+	}
+	session = mergeGitCredentialDraftWrites(session, draft)
+	return session, nil
 }
 
 func stageStandaloneInteractiveInitRepositoryAccess(session initSessionDraft, draft initDraft) (initSessionDraft, error) {
@@ -1812,6 +1823,79 @@ func buildInitStandaloneReviewerEntityNameSet(entities map[string]config.Reviewe
 	return existing
 }
 
+func mergeGitCredentialDraftWrites(session initSessionDraft, draft initDraft) initSessionDraft {
+	ref := strings.TrimSpace(draft.GitCredentialWriteRef)
+	if ref == "" {
+		return session
+	}
+	if session.writes == nil {
+		session.writes = map[string]map[string]string{}
+	}
+	if session.overwriteRefs == nil {
+		session.overwriteRefs = map[string]bool{}
+	}
+	if session.satisfiedRefs == nil {
+		session.satisfiedRefs = map[string]bool{}
+	}
+	if session.credentialWriteStores == nil {
+		session.credentialWriteStores = map[string]credentials.ResolvedSecretsProfile{}
+	}
+	hadStagedWrites := len(session.writes[ref]) > 0
+	if session.writes[ref] != nil {
+		session.writes[ref] = filterInitCredentialWritesForDraftGitMode(session.writes[ref], draft)
+		if len(session.writes[ref]) == 0 {
+			delete(session.writes, ref)
+		}
+	}
+	hasNewWrites := len(draft.GitCredentialWrites) > 0
+	if hasNewWrites {
+		for key, value := range draft.GitCredentialWrites {
+			addWrite(session.writes, ref, key, value)
+		}
+	}
+	if draft.GitCredentialOverwrite {
+		session.overwriteRefs[ref] = true
+	} else if hasNewWrites || !hadStagedWrites {
+		delete(session.overwriteRefs, ref)
+	}
+	if draft.GitCredentialSatisfied {
+		session.satisfiedRefs[ref] = true
+	} else {
+		delete(session.satisfiedRefs, ref)
+	}
+	session.credentialWriteStores[ref] = draft.GitCredentialWriteStore
+	return session
+}
+
+func filterInitCredentialWritesForDraftGitMode(writes map[string]string, draft initDraft) map[string]string {
+	if len(writes) == 0 {
+		return writes
+	}
+	ref := config.CredentialRef{
+		Purpose: "git",
+		Ref:     strings.TrimSpace(draft.GitCredentialWriteRef),
+		Mode:    strings.TrimSpace(draft.GitAuth),
+	}
+	if ref.Mode == "" {
+		ref.Mode = string(config.GitAuthModePAT)
+	}
+	specs, err := credentials.KeySpecsForPurpose(ref)
+	if err != nil {
+		return map[string]string{}
+	}
+	allowed := make(map[string]bool, len(specs))
+	for _, spec := range specs {
+		allowed[spec.Key] = true
+	}
+	filtered := make(map[string]string, len(writes))
+	for key, value := range writes {
+		if allowed[key] {
+			filtered[key] = value
+		}
+	}
+	return filtered
+}
+
 func mergeReviewerCredentialDraftWrites(session initSessionDraft, draft initDraft) initSessionDraft {
 	ref := strings.TrimSpace(draft.ReviewerCredentialWriteRef)
 	if ref == "" {
@@ -4781,6 +4865,15 @@ func buildInteractiveInitSessionPlan(opts *root.Options, session initSessionDraf
 			}
 		}
 	}
+	for _, entry := range standaloneRepositoryAccessPlanEntries(session.cfg, plannedWriteKeys) {
+		if len(plannedWriteKeys[entry.Ref.Ref]) == 0 {
+			continue
+		}
+		activeRefs[entry.Ref.Ref] = true
+		if err := mergeInteractiveInitSessionPlanEntry(entriesByKey, entry); err != nil {
+			return initSessionPlan{}, cmderr.Config(err)
+		}
+	}
 	for _, entry := range standaloneReviewerEntityPlanEntries(session.cfg, plannedWriteKeys) {
 		activeRefs[entry.Ref.Ref] = true
 		if err := mergeInteractiveInitSessionPlanEntry(entriesByKey, entry); err != nil {
@@ -4848,6 +4941,45 @@ func mergeInteractiveInitSessionPlanEntry(entriesByKey map[string]initCredential
 	return nil
 }
 
+func standaloneRepositoryAccessPlanEntries(cfg config.File, plannedWriteKeys map[string][]string) []initCredentialPlanEntry {
+	names := make([]string, 0, len(cfg.RepositoryAccess))
+	for name := range cfg.RepositoryAccess {
+		names = append(names, name)
+	}
+	sort.Strings(names)
+	entries := make([]initCredentialPlanEntry, 0, len(names))
+	for _, name := range names {
+		access := cfg.RepositoryAccess[name]
+		ref := config.CredentialRef{
+			Purpose: "git",
+			Store:   initCredentialStoreDraftValue(access.Git.Credential.Store),
+			Ref:     strings.TrimSpace(firstNonEmpty(access.Git.Credential.Name, access.Git.CredentialRef)),
+			Mode:    string(access.Git.AuthMode),
+		}
+		if ref.Store == "" || ref.Ref == "" {
+			continue
+		}
+		resolved, err := credentials.ResolveCredentialStore(cfg, ref.Store)
+		if err != nil {
+			continue
+		}
+		specs, err := credentials.KeySpecsForPurpose(ref)
+		if err != nil {
+			continue
+		}
+		entry := initCredentialPlanEntry{
+			Ref:              ref,
+			SecretsProfile:   resolved,
+			KeySpecs:         append([]credentials.KeySpec(nil), specs...),
+			PlannedWriteKeys: append([]string(nil), plannedWriteKeys[ref.Ref]...),
+		}
+		entry.MissingRequiredKeys = missingRequiredInitCredentialKeys(entry.KeySpecs, entry.PlannedWriteKeys)
+		entry.State = classifyInitCredentialPlanEntry(entry)
+		entries = append(entries, entry)
+	}
+	return entries
+}
+
 func collectInteractiveInitSessionWorkspaceSecrets(opts *root.Options, deps initDeps, session initSessionDraft, purposes []string) (initSessionDraft, error) {
 	if session.workspace == nil {
 		return session, nil
diff --git a/internal/cmd/credentialcmd/credentialcmd_test.go b/internal/cmd/credentialcmd/credentialcmd_test.go
index 5f2044fa..4dcf154b 100644
--- a/internal/cmd/credentialcmd/credentialcmd_test.go
+++ b/internal/cmd/credentialcmd/credentialcmd_test.go
@@ -14638,6 +14638,120 @@ func TestInitRepositoryAccessEditorManualCredentialRefStopsAutoUpdate(t *testing
 	}
 }
 
+func TestInitRepositoryAccessEditorRequiresPATBeforeStaging(t *testing.T) {
+	oldGitConfig := initRepositoryAccessGitConfigValue
+	t.Cleanup(func() { initRepositoryAccessGitConfigValue = oldGitConfig })
+	initRepositoryAccessGitConfigValue = func(string) string { return "" }
+
+	model := newInitLinearEditorModel(initRepositoryAccessLinearEditor(initPromptContext{}, initDraft{}), 160, 60)
+	model = focusInitLinearField(t, model, initRepositoryAccessFieldAction)
+	updated, _ := model.Update(tea.KeyMsg{Type: tea.KeyEnter})
+	next, ok := updated.(initLinearEditorModel)
+	if !ok {
+		t.Fatalf("Update returned %T, want initLinearEditorModel", updated)
+	}
+	actionIndex := next.document.fieldIndexByID(initRepositoryAccessFieldAction)
+	if actionIndex < 0 || !strings.Contains(next.document[actionIndex].Error, "set repository access credentials before staging: git_token") {
+		t.Fatalf("action error = %q, want missing git_token", next.document[actionIndex].Error)
+	}
+}
+
+func TestInitRepositoryAccessEditorStagesPATCredentialWrite(t *testing.T) {
+	oldGitConfig := initRepositoryAccessGitConfigValue
+	t.Cleanup(func() { initRepositoryAccessGitConfigValue = oldGitConfig })
+	initRepositoryAccessGitConfigValue = func(string) string { return "" }
+
+	ctx := initPromptContext{}
+	model := newInitLinearEditorModel(initRepositoryAccessLinearEditor(ctx, initDraft{}), 160, 60)
+	model = focusInitLinearField(t, model, initRepositoryAccessFieldGitToken)
+	model = typeInitLinearText(t, model, "work-token")
+
+	draft := initRepositoryAccessDraftFromDocument(ctx, initDraft{}, model.document)
+	if got, want := draft.GitCredentialWriteRef, "codereview/github-com-pat"; got != want {
+		t.Fatalf("GitCredentialWriteRef = %q, want %q", got, want)
+	}
+	if got := draft.GitCredentialWrites[credentials.GitTokenKey]; got != "work-token" {
+		t.Fatalf("git_token write = %q, want work-token", got)
+	}
+	if !draft.GitCredentialSatisfied {
+		t.Fatal("GitCredentialSatisfied = false, want true after staged PAT")
+	}
+}
+
+func TestInitRepositoryAccessEditorAcceptsExistingPATCredential(t *testing.T) {
+	oldGitConfig := initRepositoryAccessGitConfigValue
+	t.Cleanup(func() { initRepositoryAccessGitConfigValue = oldGitConfig })
+	initRepositoryAccessGitConfigValue = func(string) string { return "" }
+	resolved, err := credentials.ResolveCredentialStore(config.File{}, config.LocalOSCredentialStoreID)
+	if err != nil {
+		t.Fatalf("ResolveCredentialStore: %v", err)
+	}
+	ctx := initPromptContext{
+		RepositoryAccessCredentialStatuses: []initReviewerCredentialStatus{{
+			Ref:            config.CredentialRef{Purpose: "git", Store: config.LocalOSCredentialStoreID, Ref: "codereview/github-com-pat", Mode: string(config.GitAuthModePAT)},
+			SecretsProfile: resolved,
+			Keys:           []initReviewerCredentialKeyStatus{{Key: credentials.GitTokenKey, Required: true, State: initReviewerCredentialKeyExisting}},
+		}},
+	}
+	model := newInitLinearEditorModel(initRepositoryAccessLinearEditor(ctx, initDraft{}), 160, 60)
+
+	if err := validateRepositoryAccessDocument(ctx, model.document); err != nil {
+		t.Fatalf("validateRepositoryAccessDocument: %v", err)
+	}
+}
+
+func TestInitInteractiveMenuWritesStandaloneRepositoryAccessPAT(t *testing.T) {
+	path := filepath.Join(t.TempDir(), "config.yml")
+	writeRawCredentialTestConfig(t, path, "profiles: {}\n")
+	opts := &root.Options{
+		Stdin:      strings.NewReader(""),
+		Stdout:     &bytes.Buffer{},
+		Stderr:     &bytes.Buffer{},
+		ConfigPath: path,
+	}
+	store := newFakeInitStore(map[string]map[string]string{})
+	resolved, err := credentials.ResolveCredentialStore(config.File{}, config.LocalOSCredentialStoreID)
+	if err != nil {
+		t.Fatalf("ResolveCredentialStore: %v", err)
+	}
+	deps := initDeps{
+		menuPrompter: &fakeInitMenuPrompter{
+			actions: []initMenuAction{
+				initMenuActionRepositoryAccess,
+				initMenuActionSave,
+			},
+		},
+		repositoryPrompter: initRepositoryAccessPrompterFunc(func(prompt initRepositoryAccessPrompt) (initDraft, error) {
+			return initDraft{
+				RepositoryAccessName:    "work-git",
+				GitHost:                 "github.company.com",
+				GitAuth:                 string(config.GitAuthModePAT),
+				GitCredentialStore:      config.LocalOSCredentialStoreID,
+				GitCredentialRef:        "codereview/work-git",
+				GitCredentialWriteRef:   "codereview/work-git",
+				GitCredentialWriteStore: resolved,
+				GitCredentialWrites:     map[string]string{credentials.GitTokenKey: "work-token"},
+				GitCredentialSatisfied:  true,
+			}, nil
+		}),
+		openStore: func(string, bool, config.File) (initStore, error) {
+			return store, nil
+		},
+		configPath: func(*root.Options) (string, error) { return path, nil },
+		loadConfig: func(string) (config.File, bool, error) {
+			return config.File{Profiles: map[string]config.Profile{}}, false, nil
+		},
+		saveConfig: config.Save,
+	}
+
+	if err := runInitWithDeps(&cobra.Command{}, opts, initOptions{}, deps); err != nil {
+		t.Fatalf("runInitWithDeps: %v", err)
+	}
+	if got := store.bundles["work-git"][credentials.GitTokenKey]; got != "work-token" {
+		t.Fatalf("stored git_token = %q, want work-token; bundles=%#v", got, store.bundles)
+	}
+}
+
 func TestInitInteractiveMenuCarriesGlobalSettingsIntoFirstProfile(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	writeRawCredentialTestConfig(t, path, "profiles: {}\n")
diff --git a/internal/cmd/credentialcmd/init_repository_access_editor.go b/internal/cmd/credentialcmd/init_repository_access_editor.go
index 117fa6e5..081d4c81 100644
--- a/internal/cmd/credentialcmd/init_repository_access_editor.go
+++ b/internal/cmd/credentialcmd/init_repository_access_editor.go
@@ -18,14 +18,18 @@ import (
 type initRepositoryAccessEditorRunner func(initLinearEditor, io.Reader, io.Writer) (initLinearEditorModel, error)
 
 const (
-	initRepositoryAccessFieldSelection       initLinearFieldID = "repository_access_selection"
-	initRepositoryAccessFieldName            initLinearFieldID = "repository_access_name"
-	initRepositoryAccessFieldHost            initLinearFieldID = "repository_access_host"
-	initRepositoryAccessFieldAuth            initLinearFieldID = "repository_access_auth"
-	initRepositoryAccessFieldGitHubAppID     initLinearFieldID = "repository_access_github_app_id"
-	initRepositoryAccessFieldCredentialStore initLinearFieldID = "repository_access_credential_store"
-	initRepositoryAccessFieldCredentialName  initLinearFieldID = "repository_access_credential_name"
-	initRepositoryAccessFieldAction          initLinearFieldID = "repository_access_action"
+	initRepositoryAccessFieldSelection           initLinearFieldID = "repository_access_selection"
+	initRepositoryAccessFieldName                initLinearFieldID = "repository_access_name"
+	initRepositoryAccessFieldHost                initLinearFieldID = "repository_access_host"
+	initRepositoryAccessFieldAuth                initLinearFieldID = "repository_access_auth"
+	initRepositoryAccessFieldGitHubAppID         initLinearFieldID = "repository_access_github_app_id"
+	initRepositoryAccessFieldCredentialStore     initLinearFieldID = "repository_access_credential_store"
+	initRepositoryAccessFieldCredentialName      initLinearFieldID = "repository_access_credential_name"
+	initRepositoryAccessFieldCredentialStatus    initLinearFieldID = "repository_access_credential_status"
+	initRepositoryAccessFieldCredentialValues    initLinearFieldID = "repository_access_credential_values"
+	initRepositoryAccessFieldGitToken            initLinearFieldID = "repository_access_git_token"
+	initRepositoryAccessFieldGitHubAppPrivateKey initLinearFieldID = "repository_access_github_app_private_key"
+	initRepositoryAccessFieldAction              initLinearFieldID = "repository_access_action"
 )
 
 const initConfigureNewRepositoryAccessSelection = "__configure_new_repository_access__"
@@ -47,7 +51,7 @@ func (p huhInitRepositoryAccessPrompter) EditRepositoryAccess(prompt initReposit
 	}
 	switch model.resultAction {
 	case initDetailActionEdit:
-		return initRepositoryAccessDraftFromDocument(seed, model.document), nil
+		return initRepositoryAccessDraftFromDocument(prompt.Context, seed, model.document), nil
 	default:
 		return initDraft{}, errInitNavigateBack
 	}
@@ -86,6 +90,10 @@ func initRepositoryAccessLinearEditor(ctx initPromptContext, seed initDraft) ini
 	document.addEditableInput(initRepositoryAccessFieldGitHubAppID, "GitHub App ID", "Numeric GitHub App ID. This is not a secret and is saved in config.yml.", scope.GitHubAppID, validateOptionalDecimalID("GitHub App ID"), initLinearFieldOptions{Hidden: scope.AuthMode != config.GitAuthModeGitHubApp})
 	document.addEditableSelect(initRepositoryAccessFieldCredentialStore, "Git credential store", "Where this access entry's Git credential is stored.", initCredentialStoreOptions(ctx.ExistingConfig), initCredentialStoreDraftValue(scope.CredentialStore))
 	document.addEditableInput(initRepositoryAccessFieldCredentialName, "Git credential name", "Full credential name under the selected store.", scope.CredentialRef, validateRequiredCredentialRef)
+	document.addSectionField(initRepositoryAccessFieldCredentialStatus, "Git credential status", "")
+	document.addSectionField(initRepositoryAccessFieldCredentialValues, "Git credential value", "Enter the required Git credential here. Values are hidden, staged in memory, and written only when you Commit staged changes and exit.")
+	document.addEditableSecretInput(initRepositoryAccessFieldGitToken, "GitHub PAT", "Required for repository access with personal access token auth. Leave blank only when the status above already shows git_token as existing or staged.", "", nil)
+	document.addEditableSecretTextarea(initRepositoryAccessFieldGitHubAppPrivateKey, "GitHub App private key", "Required for repository access with GitHub App auth. Paste the PEM private key; ctrl+j or alt+enter inserts a newline.", "")
 	document.addEditableSelect(initRepositoryAccessFieldAction, "Repository access action", "", []huh.Option[string]{
 		huh.NewOption("Stage repository access settings", initDetailActionEdit),
 		huh.NewOption("Back without staging", initDetailActionBack),
@@ -102,10 +110,19 @@ func initRepositoryAccessLinearEditor(ctx initPromptContext, seed initDraft) ini
 				initRepositoryAccessSyncFields(model, ctx)
 			case initRepositoryAccessFieldName:
 				initRepositoryAccessMaybeUpdateAutoCredentialRef(model)
+				initRepositoryAccessRefreshCredentialStatus(model, ctx)
 			case initRepositoryAccessFieldCredentialName:
 				model.document[index].AutoManaged = false
+				initRepositoryAccessRefreshCredentialStatus(model, ctx)
+			case initRepositoryAccessFieldCredentialStore:
+				initRepositoryAccessRefreshCredentialStatus(model, ctx)
 			case initRepositoryAccessFieldAuth:
 				initRepositoryAccessSyncGitHubAppField(model)
+				initRepositoryAccessSetCredentialFieldsHidden(model)
+				initRepositoryAccessClearCredentialFieldValues(model)
+				initRepositoryAccessRefreshCredentialStatus(model, ctx)
+			case initRepositoryAccessFieldGitToken, initRepositoryAccessFieldGitHubAppPrivateKey:
+				initRepositoryAccessRefreshCredentialStatus(model, ctx)
 			}
 		},
 		OnEnter: func(model *initLinearEditorModel) (bool, tea.Cmd) {
@@ -120,7 +137,7 @@ func initRepositoryAccessLinearEditor(ctx initPromptContext, seed initDraft) ini
 				model.resultAction = initDetailActionBack
 				return true, tea.Quit
 			case initDetailActionEdit:
-				if err := validateRepositoryAccessDocument(model.document); err != nil {
+				if err := validateRepositoryAccessDocument(ctx, model.document); err != nil {
 					model.document[model.focused].Error = err.Error()
 					model.relayout()
 					model.ensureFocusedVisible()
@@ -195,6 +212,9 @@ func initRepositoryAccessSyncFields(model *initLinearEditorModel, ctx initPrompt
 		model.document[refIndex].AutoManaged = initRepositoryAccessCredentialRef(scope.Name) == strings.TrimSpace(scope.CredentialRef)
 	}
 	initRepositoryAccessSyncGitHubAppField(model)
+	initRepositoryAccessSetCredentialFieldsHidden(model)
+	initRepositoryAccessClearCredentialFieldValues(model)
+	initRepositoryAccessRefreshCredentialStatus(model, ctx)
 }
 
 func initRepositoryAccessMaybeUpdateAutoCredentialRef(model *initLinearEditorModel) {
@@ -241,6 +261,159 @@ func normalizeRepositoryAccessNameSegment(value string) string {
 	return strings.ToLower(segment)
 }
 
+func initRepositoryAccessSetCredentialFieldsHidden(model *initLinearEditorModel) {
+	authMode := config.GitAuthMode(model.document.selectedValue(initRepositoryAccessFieldAuth))
+	model.setFieldHidden(initRepositoryAccessFieldGitToken, authMode != config.GitAuthModePAT)
+	model.setFieldHidden(initRepositoryAccessFieldGitHubAppPrivateKey, authMode != config.GitAuthModeGitHubApp)
+}
+
+func initRepositoryAccessClearCredentialFieldValues(model *initLinearEditorModel) {
+	for _, id := range []initLinearFieldID{
+		initRepositoryAccessFieldGitToken,
+		initRepositoryAccessFieldGitHubAppPrivateKey,
+	} {
+		model.setFieldValue(id, "")
+	}
+}
+
+func initRepositoryAccessCredentialFieldKey(id initLinearFieldID) string {
+	switch id {
+	case initRepositoryAccessFieldGitToken:
+		return credentials.GitTokenKey
+	case initRepositoryAccessFieldGitHubAppPrivateKey:
+		return credentials.GitHubAppPrivateKeyKey
+	default:
+		return ""
+	}
+}
+
+func initRepositoryAccessCredentialFieldID(key string) initLinearFieldID {
+	switch key {
+	case credentials.GitTokenKey:
+		return initRepositoryAccessFieldGitToken
+	case credentials.GitHubAppPrivateKeyKey:
+		return initRepositoryAccessFieldGitHubAppPrivateKey
+	default:
+		return ""
+	}
+}
+
+func initRepositoryAccessRefreshCredentialStatus(model *initLinearEditorModel, ctx initPromptContext) {
+	if status, ok := repositoryAccessCredentialStatusForDocument(ctx, model.document); ok {
+		model.setFieldDescription(initRepositoryAccessFieldCredentialStatus, initRepositoryAccessCredentialStatusDescription(status))
+	}
+}
+
+func repositoryAccessCredentialStatusForDocument(ctx initPromptContext, document initLinearDocument) (initReviewerCredentialStatus, bool) {
+	status, ok := baseRepositoryAccessCredentialStatusForDocument(ctx, document)
+	if !ok {
+		return initReviewerCredentialStatus{}, false
+	}
+	return repositoryAccessCredentialStatusWithDocumentWrites(status, document), true
+}
+
+func baseRepositoryAccessCredentialStatusForDocument(ctx initPromptContext, document initLinearDocument) (initReviewerCredentialStatus, bool) {
+	ref := config.CredentialRef{
+		Purpose: "git",
+		Store:   initCredentialStoreDraftValue(document.selectedValue(initRepositoryAccessFieldCredentialStore)),
+		Ref:     strings.TrimSpace(document.fieldValue(initRepositoryAccessFieldCredentialName)),
+		Mode:    document.selectedValue(initRepositoryAccessFieldAuth),
+	}
+	if ref.Ref == "" {
+		return initReviewerCredentialStatus{}, false
+	}
+	for _, status := range ctx.RepositoryAccessCredentialStatuses {
+		if status.Ref.Purpose == ref.Purpose &&
+			initCredentialStoreDraftValue(status.Ref.Store) == initCredentialStoreDraftValue(ref.Store) &&
+			status.Ref.Ref == ref.Ref &&
+			status.Ref.Mode == ref.Mode {
+			return status, true
+		}
+	}
+	if initReviewerCredentialStatusListContainsUnavailable(ctx.RepositoryAccessCredentialStatuses) {
+		return synthesizeUnavailableReviewerCredentialStatus(ctx, ref), true
+	}
+	return synthesizeReviewerCredentialStatus(ctx, ref), true
+}
+
+func repositoryAccessCredentialStatusWithDocumentWrites(status initReviewerCredentialStatus, document initLinearDocument) initReviewerCredentialStatus {
+	status.Keys = append([]initReviewerCredentialKeyStatus(nil), status.Keys...)
+	for index, key := range status.Keys {
+		fieldID := initRepositoryAccessCredentialFieldID(key.Key)
+		if fieldID == "" || document.fieldHidden(fieldID) {
+			continue
+		}
+		if strings.TrimSpace(credentials.TrimSecretIngress(document.fieldValue(fieldID))) == "" {
+			continue
+		}
+		status.Keys[index].State = initReviewerCredentialKeyStaged
+	}
+	return status
+}
+
+func initRepositoryAccessCredentialStatusDescription(status initReviewerCredentialStatus) string {
+	return initReviewerCredentialStatusDescription(status)
+}
+
+func missingRepositoryAccessInlineCredentialKeys(ctx initPromptContext, status initReviewerCredentialStatus, document initLinearDocument) []string {
+	var missing []string
+	keepsCurrentRef := repositoryAccessKeepsCurrentCredentialRef(ctx, document)
+	for _, key := range status.Keys {
+		if !key.Required {
+			continue
+		}
+		switch key.State {
+		case initReviewerCredentialKeyExisting, initReviewerCredentialKeyStaged:
+			continue
+		case initReviewerCredentialKeyUnavailable:
+			if keepsCurrentRef {
+				continue
+			}
+		case initReviewerCredentialKeyMissing, initReviewerCredentialKeyDeferred, initReviewerCredentialKeySkippedOptional, initReviewerCredentialKeyOptional:
+		}
+		missing = append(missing, key.Key)
+	}
+	return missing
+}
+
+func repositoryAccessKeepsCurrentCredentialRef(ctx initPromptContext, document initLinearDocument) bool {
+	selection := document.selectedValue(initRepositoryAccessFieldSelection)
+	if selection == "" || selection == initConfigureNewRepositoryAccessSelection {
+		return false
+	}
+	scope, ok := ctx.GitScopes[selection]
+	if !ok {
+		return false
+	}
+	return initCredentialStoreDraftValue(document.selectedValue(initRepositoryAccessFieldCredentialStore)) == initCredentialStoreDraftValue(scope.CredentialStore) &&
+		strings.TrimSpace(document.fieldValue(initRepositoryAccessFieldCredentialName)) == strings.TrimSpace(scope.CredentialRef) &&
+		document.selectedValue(initRepositoryAccessFieldAuth) == string(scope.AuthMode)
+}
+
+func repositoryAccessCredentialWritesFromDocument(status initReviewerCredentialStatus, document initLinearDocument) (map[string]string, bool) {
+	writes := map[string]string{}
+	keyStates := make(map[string]initReviewerCredentialKeyState, len(status.Keys))
+	for _, key := range status.Keys {
+		keyStates[key.Key] = key.State
+	}
+	overwrite := false
+	for _, key := range status.Keys {
+		fieldID := initRepositoryAccessCredentialFieldID(key.Key)
+		if fieldID == "" || document.fieldHidden(fieldID) {
+			continue
+		}
+		value := credentials.TrimSecretIngress(document.fieldValue(fieldID))
+		if strings.TrimSpace(value) == "" {
+			continue
+		}
+		writes[key.Key] = value
+		if keyStates[key.Key] == initReviewerCredentialKeyExisting {
+			overwrite = true
+		}
+	}
+	return writes, overwrite
+}
+
 func initRepositoryAccessSyncGitHubAppField(model *initLinearEditorModel) {
 	authMode := config.GitAuthMode(model.document.selectedValue(initRepositoryAccessFieldAuth))
 	hidden := authMode != config.GitAuthModeGitHubApp
@@ -250,7 +423,7 @@ func initRepositoryAccessSyncGitHubAppField(model *initLinearEditorModel) {
 	}
 }
 
-func validateRepositoryAccessDocument(document initLinearDocument) error {
+func validateRepositoryAccessDocument(ctx initPromptContext, document initLinearDocument) error {
 	if err := validateRequiredText("repository access name is required")(document.fieldValue(initRepositoryAccessFieldName)); err != nil {
 		return err
 	}
@@ -266,10 +439,20 @@ func validateRepositoryAccessDocument(document initLinearDocument) error {
 			return err
 		}
 	}
-	return validateRequiredCredentialRef(document.fieldValue(initRepositoryAccessFieldCredentialName))
+	if err := validateRequiredCredentialRef(document.fieldValue(initRepositoryAccessFieldCredentialName)); err != nil {
+		return err
+	}
+	status, ok := repositoryAccessCredentialStatusForDocument(ctx, document)
+	if !ok {
+		return fmt.Errorf("git credential status unavailable")
+	}
+	if missing := missingRepositoryAccessInlineCredentialKeys(ctx, status, document); len(missing) > 0 {
+		return fmt.Errorf("set repository access credentials before staging: %s", strings.Join(missing, ", "))
+	}
+	return nil
 }
 
-func initRepositoryAccessDraftFromDocument(seed initDraft, document initLinearDocument) initDraft {
+func initRepositoryAccessDraftFromDocument(ctx initPromptContext, seed initDraft, document initLinearDocument) initDraft {
 	draft := seed
 	draft.RepositoryAccessName = strings.TrimSpace(document.fieldValue(initRepositoryAccessFieldName))
 	draft.GitHost = strings.TrimSpace(document.fieldValue(initRepositoryAccessFieldHost))
@@ -277,9 +460,29 @@ func initRepositoryAccessDraftFromDocument(seed initDraft, document initLinearDo
 	draft.GitHubAppID = strings.TrimSpace(document.fieldValue(initRepositoryAccessFieldGitHubAppID))
 	draft.GitCredentialStore = initCredentialStoreDraftValue(document.selectedValue(initRepositoryAccessFieldCredentialStore))
 	draft.GitCredentialRef = strings.TrimSpace(document.fieldValue(initRepositoryAccessFieldCredentialName))
+	applyRepositoryAccessCredentialDraftFromDocument(&draft, ctx, document)
 	selection := document.selectedValue(initRepositoryAccessFieldSelection)
 	if selection != "" && selection != initConfigureNewRepositoryAccessSelection {
 		draft.ActionTarget = selection
 	}
 	return draft
 }
+
+func applyRepositoryAccessCredentialDraftFromDocument(draft *initDraft, ctx initPromptContext, document initLinearDocument) {
+	originalStatus, ok := baseRepositoryAccessCredentialStatusForDocument(ctx, document)
+	if !ok {
+		return
+	}
+	status := repositoryAccessCredentialStatusWithDocumentWrites(originalStatus, document)
+	ref := strings.TrimSpace(status.Ref.Ref)
+	if ref == "" {
+		return
+	}
+	writes, overwrite := repositoryAccessCredentialWritesFromDocument(originalStatus, document)
+	draft.GitCredentialWriteRef = ref
+	draft.GitCredentialStore = initCredentialStoreDraftValue(status.Ref.Store)
+	draft.GitCredentialWriteStore = status.SecretsProfile
+	draft.GitCredentialWrites = writes
+	draft.GitCredentialOverwrite = overwrite
+	draft.GitCredentialSatisfied = repositoryAccessKeepsCurrentCredentialRef(ctx, document) || len(missingRepositoryAccessInlineCredentialKeys(ctx, status, document)) == 0
+}
diff --git a/internal/cmd/credentialcmd/init_reviewer_credential_status.go b/internal/cmd/credentialcmd/init_reviewer_credential_status.go
index 0857c90d..bda457dc 100644
--- a/internal/cmd/credentialcmd/init_reviewer_credential_status.go
+++ b/internal/cmd/credentialcmd/init_reviewer_credential_status.go
@@ -45,6 +45,30 @@ func currentInteractiveInitReviewerEntityPromptContext(opts *root.Options, deps
 	return ctx
 }
 
+func currentInteractiveInitRepositoryAccessPromptContext(opts *root.Options, deps initDeps, session initSessionDraft) initPromptContext {
+	ctx := currentInteractiveInitInventoryPromptContext(session)
+	if opts != nil {
+		ctx.BackendArg = opts.Backend
+	}
+	ctx.BackendFlagSet = session.backendFlagSet
+	ctx.RepositoryAccessCredentialStatuses = buildInteractiveInitRepositoryAccessCredentialStatuses(opts, deps, session)
+	return ctx
+}
+
+func buildInteractiveInitRepositoryAccessCredentialStatuses(opts *root.Options, deps initDeps, session initSessionDraft) []initReviewerCredentialStatus {
+	plannedWriteKeys := projectInitPlannedWriteKeys(session.writes)
+	entries := standaloneRepositoryAccessPlanEntries(session.cfg, plannedWriteKeys)
+	writes, _, satisfiedRefs := filterInteractiveInitStagedCredentialStateByStore(
+		cloneInitWrites(session.writes),
+		map[string]bool{},
+		cloneInitBoolMap(session.satisfiedRefs),
+		session.credentialWriteStores,
+		entries,
+	)
+	entries = refreshInteractiveCredentialPlan(entries, projectInitPlannedWriteKeys(writes), satisfiedRefs)
+	return buildInteractiveInitCredentialStatuses(opts, deps, session, entries, writes, "git")
+}
+
 func buildInteractiveInitReviewerCredentialStatuses(opts *root.Options, deps initDeps, session initSessionDraft) []initReviewerCredentialStatus {
 	if session.workspace == nil {
 		return nil
@@ -60,6 +84,10 @@ func buildInteractiveInitReviewerCredentialStatuses(opts *root.Options, deps ini
 	)
 	plannedWriteKeys = projectInitPlannedWriteKeys(writes)
 	entries = refreshInteractiveCredentialPlan(entries, plannedWriteKeys, satisfiedRefs)
+	return buildInteractiveInitCredentialStatuses(opts, deps, session, entries, writes, "reviewer_credentials")
+}
+
+func buildInteractiveInitCredentialStatuses(opts *root.Options, deps initDeps, session initSessionDraft, entries []initCredentialPlanEntry, writes map[string]map[string]string, purpose string) []initReviewerCredentialStatus {
 	statuses := make([]initReviewerCredentialStatus, 0, len(entries))
 	stores := map[string]initStore{}
 	defer func() {
@@ -70,7 +98,7 @@ func buildInteractiveInitReviewerCredentialStatuses(opts *root.Options, deps ini
 		}
 	}()
 	for _, entry := range entries {
-		if entry.Ref.Purpose != "reviewer_credentials" || entry.State == initCredentialPlanStateClearRef {
+		if entry.Ref.Purpose != purpose || entry.State == initCredentialPlanStateClearRef {
 			continue
 		}
 		existing := map[string]bool{}

From ae06ff998524d9bc97e0305b1fc1f2cdd35c434f Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Mon, 22 Jun 2026 10:10:18 -0400
Subject: [PATCH 16/27] Add repository access delete restore flow

---
 internal/cmd/credentialcmd/credentialcmd.go   | 138 +++++++++----
 .../cmd/credentialcmd/credentialcmd_test.go   | 189 ++++++++++++++++++
 .../init_repository_access_editor.go          |  96 ++++++++-
 3 files changed, 388 insertions(+), 35 deletions(-)

diff --git a/internal/cmd/credentialcmd/credentialcmd.go b/internal/cmd/credentialcmd/credentialcmd.go
index e725e74a..e53e23c7 100644
--- a/internal/cmd/credentialcmd/credentialcmd.go
+++ b/internal/cmd/credentialcmd/credentialcmd.go
@@ -253,6 +253,7 @@ type initPromptContext struct {
 	ProfileLLMRuntimes                 map[string]string
 	ProfileWarnings                    map[string][]string
 	PendingProfileDeletes              map[string]initPendingProfileDelete
+	PendingRepositoryAccessDeletes     map[string]initPendingRepositoryAccessDelete
 	PendingReviewerEntityDeletes       map[string]initPendingReviewerEntityDelete
 	PendingLLMRuntimeDeletes           map[string]initPendingLLMRuntimeDelete
 }
@@ -260,13 +261,15 @@ type initPromptContext struct {
 type initDraftAction string
 
 const (
-	initDraftActionNone                     initDraftAction = ""
-	initDraftActionDeleteProfile            initDraftAction = "delete_profile"
-	initDraftActionUndoDeleteProfile        initDraftAction = "undo_delete_profile"
-	initDraftActionDeleteReviewerEntity     initDraftAction = "delete_reviewer_entity"
-	initDraftActionUndoDeleteReviewerEntity initDraftAction = "undo_delete_reviewer_entity"
-	initDraftActionDeleteLLMRuntime         initDraftAction = "delete_llm_runtime"
-	initDraftActionUndoDeleteLLMRuntime     initDraftAction = "undo_delete_llm_runtime"
+	initDraftActionNone                       initDraftAction = ""
+	initDraftActionDeleteProfile              initDraftAction = "delete_profile"
+	initDraftActionUndoDeleteProfile          initDraftAction = "undo_delete_profile"
+	initDraftActionDeleteRepositoryAccess     initDraftAction = "delete_repository_access"
+	initDraftActionUndoDeleteRepositoryAccess initDraftAction = "undo_delete_repository_access"
+	initDraftActionDeleteReviewerEntity       initDraftAction = "delete_reviewer_entity"
+	initDraftActionUndoDeleteReviewerEntity   initDraftAction = "undo_delete_reviewer_entity"
+	initDraftActionDeleteLLMRuntime           initDraftAction = "delete_llm_runtime"
+	initDraftActionUndoDeleteLLMRuntime       initDraftAction = "undo_delete_llm_runtime"
 )
 
 type initDraft struct {
@@ -519,22 +522,23 @@ type initSessionPlan struct {
 }
 
 type initSessionDraft struct {
-	path                         string
-	originalCfg                  config.File
-	cfg                          config.File
-	requestedProfileName         string
-	backendFlagSet               bool
-	saveRequested                bool
-	workspace                    *initWorkspaceDraft
-	touchedProfiles              map[string]string
-	writes                       map[string]map[string]string
-	credentialWriteStores        map[string]credentials.ResolvedSecretsProfile
-	credentialDecisions          map[initCredentialDecisionKey]initCredentialDecisionKind
-	overwriteRefs                map[string]bool
-	satisfiedRefs                map[string]bool
-	pendingProfileDeletes        map[string]initPendingProfileDelete
-	pendingReviewerEntityDeletes map[string]initPendingReviewerEntityDelete
-	pendingLLMRuntimeDeletes     map[string]initPendingLLMRuntimeDelete
+	path                           string
+	originalCfg                    config.File
+	cfg                            config.File
+	requestedProfileName           string
+	backendFlagSet                 bool
+	saveRequested                  bool
+	workspace                      *initWorkspaceDraft
+	touchedProfiles                map[string]string
+	writes                         map[string]map[string]string
+	credentialWriteStores          map[string]credentials.ResolvedSecretsProfile
+	credentialDecisions            map[initCredentialDecisionKey]initCredentialDecisionKind
+	overwriteRefs                  map[string]bool
+	satisfiedRefs                  map[string]bool
+	pendingProfileDeletes          map[string]initPendingProfileDelete
+	pendingRepositoryAccessDeletes map[string]initPendingRepositoryAccessDelete
+	pendingReviewerEntityDeletes   map[string]initPendingReviewerEntityDelete
+	pendingLLMRuntimeDeletes       map[string]initPendingLLMRuntimeDelete
 }
 
 type initPendingProfileDelete struct {
@@ -548,6 +552,11 @@ type initPendingProfileDelete struct {
 	TouchedOriginal   string
 }
 
+type initPendingRepositoryAccessDelete struct {
+	Name   string
+	Access config.RepositoryAccessConfig
+}
+
 type initPendingReviewerEntityDelete struct {
 	EntityName       string
 	Entity           *config.ReviewerEntity
@@ -1295,14 +1304,15 @@ func currentInteractiveInitPromptContextBase(session initSessionDraft) initPromp
 		existingProfile = &profileCopy
 	}
 	return initPromptContext{
-		RequestedProfileName:         session.requestedProfileName,
-		ExistingProfileName:          existingProfileName,
-		ExistingProfile:              existingProfile,
-		ExistingProfileNames:         sortedProfileNames(session.cfg.Profiles),
-		ExistingConfig:               session.cfg,
-		PendingProfileDeletes:        session.pendingProfileDeletes,
-		PendingReviewerEntityDeletes: session.pendingReviewerEntityDeletes,
-		PendingLLMRuntimeDeletes:     session.pendingLLMRuntimeDeletes,
+		RequestedProfileName:           session.requestedProfileName,
+		ExistingProfileName:            existingProfileName,
+		ExistingProfile:                existingProfile,
+		ExistingProfileNames:           sortedProfileNames(session.cfg.Profiles),
+		ExistingConfig:                 session.cfg,
+		PendingProfileDeletes:          session.pendingProfileDeletes,
+		PendingRepositoryAccessDeletes: session.pendingRepositoryAccessDeletes,
+		PendingReviewerEntityDeletes:   session.pendingReviewerEntityDeletes,
+		PendingLLMRuntimeDeletes:       session.pendingLLMRuntimeDeletes,
 	}
 }
 
@@ -1367,6 +1377,17 @@ func editInteractiveInitRepositoryAccess(_ *cobra.Command, opts *root.Options, _
 	if err != nil {
 		return initSessionDraft{}, err
 	}
+	switch draft.Action {
+	case initDraftActionNone:
+	case initDraftActionDeleteRepositoryAccess:
+		session, err := deleteInteractiveInitRepositoryAccess(session, draft.ActionTarget)
+		return session, err
+	case initDraftActionUndoDeleteRepositoryAccess:
+		session, err := undoInteractiveInitRepositoryAccessDelete(session, draft.ActionTarget)
+		return session, err
+	case initDraftActionDeleteProfile, initDraftActionUndoDeleteProfile, initDraftActionDeleteReviewerEntity, initDraftActionUndoDeleteReviewerEntity, initDraftActionDeleteLLMRuntime, initDraftActionUndoDeleteLLMRuntime:
+		return initSessionDraft{}, fmt.Errorf("unsupported repository-access draft action %q", draft.Action)
+	}
 	session, err = stageStandaloneInteractiveInitRepositoryAccess(session, draft)
 	if err != nil {
 		return initSessionDraft{}, err
@@ -1523,7 +1544,7 @@ func applyInteractiveInitProfileDraft(cmd *cobra.Command, opts *root.Options, fl
 	case initDraftActionUndoDeleteProfile:
 		session, err := undoInteractiveInitProfileDelete(session, draft.ActionTarget)
 		return session, err == nil, err
-	case initDraftActionDeleteReviewerEntity, initDraftActionUndoDeleteReviewerEntity, initDraftActionDeleteLLMRuntime, initDraftActionUndoDeleteLLMRuntime:
+	case initDraftActionDeleteRepositoryAccess, initDraftActionUndoDeleteRepositoryAccess, initDraftActionDeleteReviewerEntity, initDraftActionUndoDeleteReviewerEntity, initDraftActionDeleteLLMRuntime, initDraftActionUndoDeleteLLMRuntime:
 		return initSessionDraft{}, false, fmt.Errorf("unsupported review-profile draft action %q", draft.Action)
 	}
 	workspace, err := buildInteractiveInitWorkspace(cmd, opts, flags, deps, session.path, session.cfg, draft)
@@ -1642,7 +1663,7 @@ func editInteractiveInitLLMRuntimeStep(cmd *cobra.Command, opts *root.Options, f
 	case initDraftActionUndoDeleteLLMRuntime:
 		session, err := undoInteractiveInitLLMRuntimeDelete(session, draft.ActionTarget)
 		return session, err == nil, err
-	case initDraftActionDeleteProfile, initDraftActionUndoDeleteProfile, initDraftActionDeleteReviewerEntity, initDraftActionUndoDeleteReviewerEntity:
+	case initDraftActionDeleteProfile, initDraftActionUndoDeleteProfile, initDraftActionDeleteRepositoryAccess, initDraftActionUndoDeleteRepositoryAccess, initDraftActionDeleteReviewerEntity, initDraftActionUndoDeleteReviewerEntity:
 		return initSessionDraft{}, false, fmt.Errorf("unsupported LLM-runtime draft action %q", draft.Action)
 	}
 	if session.workspace == nil {
@@ -1749,7 +1770,7 @@ func editInteractiveInitReviewerEntityStep(cmd *cobra.Command, opts *root.Option
 	case initDraftActionUndoDeleteReviewerEntity:
 		session, err := undoInteractiveInitReviewerEntityDelete(session, draft.ActionTarget)
 		return session, err == nil, err
-	case initDraftActionDeleteProfile, initDraftActionUndoDeleteProfile, initDraftActionDeleteLLMRuntime, initDraftActionUndoDeleteLLMRuntime:
+	case initDraftActionDeleteProfile, initDraftActionUndoDeleteProfile, initDraftActionDeleteRepositoryAccess, initDraftActionUndoDeleteRepositoryAccess, initDraftActionDeleteLLMRuntime, initDraftActionUndoDeleteLLMRuntime:
 		return initSessionDraft{}, false, fmt.Errorf("unsupported reviewer-entity draft action %q", draft.Action)
 	}
 	if !draft.ReviewerEnabled {
@@ -5074,6 +5095,9 @@ func ensureInitDeleteState(session *initSessionDraft) {
 	if session.pendingProfileDeletes == nil {
 		session.pendingProfileDeletes = map[string]initPendingProfileDelete{}
 	}
+	if session.pendingRepositoryAccessDeletes == nil {
+		session.pendingRepositoryAccessDeletes = map[string]initPendingRepositoryAccessDelete{}
+	}
 	if session.pendingReviewerEntityDeletes == nil {
 		session.pendingReviewerEntityDeletes = map[string]initPendingReviewerEntityDelete{}
 	}
@@ -5197,6 +5221,52 @@ func undoInteractiveInitProfileDelete(session initSessionDraft, profileName stri
 	return session, nil
 }
 
+func deleteInteractiveInitRepositoryAccess(session initSessionDraft, name string) (initSessionDraft, error) {
+	name = strings.TrimSpace(name)
+	if name == "" {
+		return initSessionDraft{}, exitcode.Usage(errors.New("repository access name is required"))
+	}
+	ensureInitDeleteState(&session)
+	if _, exists := session.pendingRepositoryAccessDeletes[name]; exists {
+		return session, nil
+	}
+	working := cloneInitConfigFile(session.cfg)
+	access, ok := working.RepositoryAccess[name]
+	if !ok {
+		return initSessionDraft{}, exitcode.Usage(fmt.Errorf("repository access %q is not deletable", name))
+	}
+	delete(working.RepositoryAccess, name)
+	if err := validateInteractiveInitGlobalConfig(working); err != nil {
+		return initSessionDraft{}, cmderr.Config(err)
+	}
+	session.pendingRepositoryAccessDeletes[name] = initPendingRepositoryAccessDelete{
+		Name:   name,
+		Access: access,
+	}
+	session.cfg = config.Normalize(working)
+	return rebuildInteractiveInitWorkspace(session, preferredInteractiveInitProfile(session)), nil
+}
+
+func undoInteractiveInitRepositoryAccessDelete(session initSessionDraft, name string) (initSessionDraft, error) {
+	name = strings.TrimSpace(name)
+	ensureInitDeleteState(&session)
+	pending, ok := session.pendingRepositoryAccessDeletes[name]
+	if !ok {
+		return session, nil
+	}
+	working := cloneInitConfigFile(session.cfg)
+	if working.RepositoryAccess == nil {
+		working.RepositoryAccess = map[string]config.RepositoryAccessConfig{}
+	}
+	working.RepositoryAccess[name] = pending.Access
+	if err := validateInteractiveInitGlobalConfig(working); err != nil {
+		return initSessionDraft{}, cmderr.Config(err)
+	}
+	delete(session.pendingRepositoryAccessDeletes, name)
+	session.cfg = config.Normalize(working)
+	return rebuildInteractiveInitWorkspace(session, preferredInteractiveInitProfile(session)), nil
+}
+
 func deleteInteractiveInitReviewerEntity(session initSessionDraft, entityName string) (initSessionDraft, error) {
 	entityName = strings.TrimSpace(entityName)
 	if entityName == "" {
diff --git a/internal/cmd/credentialcmd/credentialcmd_test.go b/internal/cmd/credentialcmd/credentialcmd_test.go
index 4dcf154b..6cf19f79 100644
--- a/internal/cmd/credentialcmd/credentialcmd_test.go
+++ b/internal/cmd/credentialcmd/credentialcmd_test.go
@@ -14581,6 +14581,195 @@ func TestInitInteractiveMenuStagesStandaloneRepositoryAccess(t *testing.T) {
 	}
 }
 
+func TestInitRepositoryAccessEditorMarksConfiguredRepositoryAccessDeletable(t *testing.T) {
+	ctx := initPromptContext{
+		GitScopes: map[string]initGitScopeDraft{
+			"work-git": {
+				Name:            "work-git",
+				Host:            "github.com",
+				AuthMode:        config.GitAuthModePAT,
+				CredentialStore: config.LocalOSCredentialStoreID,
+				CredentialRef:   "codereview/work-git",
+			},
+		},
+		ExistingConfig: config.File{
+			RepositoryAccess: map[string]config.RepositoryAccessConfig{
+				"work-git": {
+					DisplayName: "work-git",
+					Git: config.GitConfig{
+						Host:     "github.com",
+						AuthMode: config.GitAuthModePAT,
+						Credential: config.CredentialLocation{
+							Store: config.LocalOSCredentialStoreID,
+							Name:  "codereview/work-git",
+						},
+					},
+				},
+			},
+		},
+	}
+	model := newInitLinearEditorModel(initRepositoryAccessLinearEditor(ctx, initDraft{}), 160, 60)
+	model = selectInitLinearFieldValue(t, model, initRepositoryAccessFieldSelection, "work-git")
+	selectionIndex := model.document.fieldIndexByID(initRepositoryAccessFieldSelection)
+	if selectionIndex < 0 {
+		t.Fatal("repository access selection field missing")
+	}
+	for _, option := range model.document[selectionIndex].Options {
+		if option.Value == "work-git" {
+			if !option.Deletable {
+				t.Fatalf("work-git option Deletable = false, want true")
+			}
+			return
+		}
+	}
+	t.Fatalf("work-git option missing: %#v", model.document[selectionIndex].Options)
+}
+
+func TestInitRepositoryAccessEditorMarksPendingRepositoryAccessRestorable(t *testing.T) {
+	ctx := initPromptContext{
+		PendingRepositoryAccessDeletes: map[string]initPendingRepositoryAccessDelete{
+			"work-git": {
+				Name: "work-git",
+			},
+		},
+	}
+	selection := initRepositoryAccessRestoreSelectionPrefix + "work-git"
+	model := newInitLinearEditorModel(initRepositoryAccessLinearEditor(ctx, initDraft{}), 160, 60)
+	model = selectInitLinearFieldValue(t, model, initRepositoryAccessFieldSelection, selection)
+	selectionIndex := model.document.fieldIndexByID(initRepositoryAccessFieldSelection)
+	if selectionIndex < 0 {
+		t.Fatal("repository access selection field missing")
+	}
+	for _, option := range model.document[selectionIndex].Options {
+		if option.Value != selection {
+			continue
+		}
+		if !option.Restorable {
+			t.Fatalf("pending work-git option Restorable = false, want true")
+		}
+		if !model.document.fieldHidden(initRepositoryAccessFieldName) || !model.document.fieldHidden(initRepositoryAccessFieldAction) {
+			t.Fatalf("repository access details hidden = name:%v action:%v, want both hidden", model.document.fieldHidden(initRepositoryAccessFieldName), model.document.fieldHidden(initRepositoryAccessFieldAction))
+		}
+		return
+	}
+	t.Fatalf("pending work-git option missing: %#v", model.document[selectionIndex].Options)
+}
+
+func TestDeleteInteractiveInitRepositoryAccessRemovesAndRestoresStandaloneEntry(t *testing.T) {
+	access := config.RepositoryAccessConfig{
+		DisplayName: "work-git",
+		Git: config.GitConfig{
+			Host:     "github.com",
+			AuthMode: config.GitAuthModePAT,
+			Credential: config.CredentialLocation{
+				Store: config.LocalOSCredentialStoreID,
+				Name:  "codereview/work-git",
+			},
+		},
+	}
+	session := initSessionDraft{
+		cfg: config.File{
+			RepositoryAccess: map[string]config.RepositoryAccessConfig{
+				"work-git": access,
+			},
+			Profiles: map[string]config.Profile{},
+		},
+	}
+
+	next, err := deleteInteractiveInitRepositoryAccess(session, "work-git")
+	if err != nil {
+		t.Fatalf("deleteInteractiveInitRepositoryAccess: %v", err)
+	}
+	if _, ok := next.cfg.RepositoryAccess["work-git"]; ok {
+		t.Fatalf("repository_access after delete = %#v, want work-git removed", next.cfg.RepositoryAccess)
+	}
+	if _, ok := next.pendingRepositoryAccessDeletes["work-git"]; !ok {
+		t.Fatalf("pendingRepositoryAccessDeletes = %#v, want work-git", next.pendingRepositoryAccessDeletes)
+	}
+
+	restored, err := undoInteractiveInitRepositoryAccessDelete(next, "work-git")
+	if err != nil {
+		t.Fatalf("undoInteractiveInitRepositoryAccessDelete: %v", err)
+	}
+	restoredAccess := restored.cfg.RepositoryAccess["work-git"]
+	if restoredAccess.DisplayName != access.DisplayName || restoredAccess.Git.Host != access.Git.Host || restoredAccess.Git.AuthMode != access.Git.AuthMode || restoredAccess.Git.Credential != access.Git.Credential {
+		t.Fatalf("restored repository access = %#v, want display/host/auth/credential from %#v", restoredAccess, access)
+	}
+	if _, ok := restored.pendingRepositoryAccessDeletes["work-git"]; ok {
+		t.Fatalf("pendingRepositoryAccessDeletes after undo = %#v, want cleared work-git", restored.pendingRepositoryAccessDeletes)
+	}
+}
+
+func TestInitInteractiveMenuDeletesStandaloneRepositoryAccessAndEnablesSave(t *testing.T) {
+	path := filepath.Join(t.TempDir(), "config.yml")
+	writeRawCredentialTestConfig(t, path, "profiles: {}\n")
+	opts := &root.Options{
+		Stdin:      strings.NewReader(""),
+		Stdout:     &bytes.Buffer{},
+		Stderr:     &bytes.Buffer{},
+		ConfigPath: path,
+	}
+	access := config.RepositoryAccessConfig{
+		DisplayName: "work-git",
+		Git: config.GitConfig{
+			Host:     "github.com",
+			AuthMode: config.GitAuthModePAT,
+			Credential: config.CredentialLocation{
+				Store: config.LocalOSCredentialStoreID,
+				Name:  "codereview/work-git",
+			},
+		},
+	}
+	menu := &fakeInitMenuPrompter{
+		actions: []initMenuAction{
+			initMenuActionRepositoryAccess,
+			initMenuActionSave,
+		},
+	}
+	deps := initDeps{
+		menuPrompter: menu,
+		repositoryPrompter: initRepositoryAccessPrompterFunc(func(prompt initRepositoryAccessPrompt) (initDraft, error) {
+			if !prompt.Context.StandaloneRepositoryAccessMode {
+				t.Fatal("repository access prompt did not run in standalone mode")
+			}
+			if _, ok := prompt.Context.ExistingConfig.RepositoryAccess["work-git"]; !ok {
+				t.Fatalf("prompt repository_access = %#v, want work-git", prompt.Context.ExistingConfig.RepositoryAccess)
+			}
+			return initDraft{
+				Action:       initDraftActionDeleteRepositoryAccess,
+				ActionTarget: "work-git",
+			}, nil
+		}),
+		configPath: func(*root.Options) (string, error) { return path, nil },
+		loadConfig: func(string) (config.File, bool, error) {
+			return config.File{
+				Profiles: map[string]config.Profile{},
+				RepositoryAccess: map[string]config.RepositoryAccessConfig{
+					"work-git": access,
+				},
+			}, true, nil
+		},
+		saveConfig: config.Save,
+	}
+
+	if err := runInitWithDeps(&cobra.Command{}, opts, initOptions{}, deps); err != nil {
+		t.Fatalf("runInitWithDeps: %v", err)
+	}
+	if len(menu.prompts) != 2 {
+		t.Fatalf("menu prompts = %d, want repository access then save", len(menu.prompts))
+	}
+	if !menu.prompts[1].CanSave {
+		t.Fatalf("second menu prompt CanSave = false, want true after repository access deletion")
+	}
+	cfg, err := config.Load(path)
+	if err != nil {
+		t.Fatalf("Load config: %v", err)
+	}
+	if _, ok := cfg.RepositoryAccess["work-git"]; ok {
+		t.Fatalf("repository_access after save = %#v, want work-git removed", cfg.RepositoryAccess)
+	}
+}
+
 func TestInitRepositoryAccessEditorDefaultsToLocalGitHubUsername(t *testing.T) {
 	oldGitConfig := initRepositoryAccessGitConfigValue
 	t.Cleanup(func() { initRepositoryAccessGitConfigValue = oldGitConfig })
diff --git a/internal/cmd/credentialcmd/init_repository_access_editor.go b/internal/cmd/credentialcmd/init_repository_access_editor.go
index 081d4c81..324097d9 100644
--- a/internal/cmd/credentialcmd/init_repository_access_editor.go
+++ b/internal/cmd/credentialcmd/init_repository_access_editor.go
@@ -34,6 +34,8 @@ const (
 
 const initConfigureNewRepositoryAccessSelection = "__configure_new_repository_access__"
 
+const initRepositoryAccessRestoreSelectionPrefix = "__restore_repository_access__:"
+
 var initRepositoryAccessGitConfigValue = func(key string) string {
 	out, err := exec.Command("git", "config", "--get", key).Output()
 	if err != nil {
@@ -52,6 +54,19 @@ func (p huhInitRepositoryAccessPrompter) EditRepositoryAccess(prompt initReposit
 	switch model.resultAction {
 	case initDetailActionEdit:
 		return initRepositoryAccessDraftFromDocument(prompt.Context, seed, model.document), nil
+	case initLinearResultActionDelete:
+		selection := model.document.selectedValue(initRepositoryAccessFieldSelection)
+		return initDraft{
+			Action:       initDraftActionDeleteRepositoryAccess,
+			ActionTarget: selection,
+		}, nil
+	case initLinearResultActionRestore:
+		selection := model.document.selectedValue(initRepositoryAccessFieldSelection)
+		name, _ := initRepositoryAccessRestoreSelectionName(selection)
+		return initDraft{
+			Action:       initDraftActionUndoDeleteRepositoryAccess,
+			ActionTarget: name,
+		}, nil
 	default:
 		return initDraft{}, errInitNavigateBack
 	}
@@ -74,7 +89,7 @@ func (p huhInitRepositoryAccessPrompter) runRepositoryAccessEditor(editor initLi
 }
 
 func initRepositoryAccessLinearEditor(ctx initPromptContext, seed initDraft) initLinearEditor {
-	options := initRepositoryAccessSelectionOptions(ctx.GitScopes)
+	options := initRepositoryAccessSelectionOptionsForContext(ctx)
 	selection := initRepositoryAccessDefaultSelection(ctx, options)
 	scope := initRepositoryAccessScopeForSelection(ctx, selection)
 
@@ -170,6 +185,19 @@ func initRepositoryAccessSelectionOptions(scopes map[string]initGitScopeDraft) [
 	return options
 }
 
+func initRepositoryAccessSelectionOptionsForContext(ctx initPromptContext) []huh.Option[string] {
+	options := initRepositoryAccessSelectionOptions(ctx.GitScopes)
+	pendingNames := make([]string, 0, len(ctx.PendingRepositoryAccessDeletes))
+	for name := range ctx.PendingRepositoryAccessDeletes {
+		pendingNames = append(pendingNames, name)
+	}
+	sort.Strings(pendingNames)
+	for _, name := range pendingNames {
+		options = append(options, huh.NewOption(repositoryAccessDeletePendingLabel(name), initRepositoryAccessRestoreSelectionPrefix+name))
+	}
+	return dedupeInitStringOptions(options)
+}
+
 func initRepositoryAccessDefaultSelection(ctx initPromptContext, options []huh.Option[string]) string {
 	if ctx.ExistingProfileName != "" {
 		if selected := strings.TrimSpace(ctx.ProfileGitScopes[ctx.ExistingProfileName]); selected != "" {
@@ -199,9 +227,29 @@ func initRepositoryAccessScopeForSelection(ctx initPromptContext, selection stri
 	}
 }
 
+func initRepositoryAccessRestoreSelectionName(selection string) (string, bool) {
+	if !strings.HasPrefix(selection, initRepositoryAccessRestoreSelectionPrefix) {
+		return "", false
+	}
+	return strings.TrimPrefix(selection, initRepositoryAccessRestoreSelectionPrefix), true
+}
+
+func repositoryAccessDeletePendingLabel(name string) string {
+	name = strings.TrimSpace(name)
+	if name == "" {
+		return "Repository access (Staged for deletion)"
+	}
+	return fmt.Sprintf("%s (Staged for deletion)", name)
+}
+
 func initRepositoryAccessSyncFields(model *initLinearEditorModel, ctx initPromptContext) {
 	selection := model.document.selectedValue(initRepositoryAccessFieldSelection)
+	initRepositoryAccessSetSelectionOptions(model, ctx, selection)
 	scope := initRepositoryAccessScopeForSelection(ctx, selection)
+	hideDetails := false
+	if _, restore := initRepositoryAccessRestoreSelectionName(selection); restore {
+		hideDetails = true
+	}
 	model.setFieldValue(initRepositoryAccessFieldName, scope.Name)
 	model.setFieldValue(initRepositoryAccessFieldHost, scope.Host)
 	model.selectFieldValue(initRepositoryAccessFieldAuth, string(scope.AuthMode))
@@ -211,12 +259,58 @@ func initRepositoryAccessSyncFields(model *initLinearEditorModel, ctx initPrompt
 	if refIndex := model.document.fieldIndexByID(initRepositoryAccessFieldCredentialName); refIndex >= 0 {
 		model.document[refIndex].AutoManaged = initRepositoryAccessCredentialRef(scope.Name) == strings.TrimSpace(scope.CredentialRef)
 	}
+	initRepositoryAccessSetDetailsHidden(model, hideDetails)
+	if hideDetails {
+		return
+	}
 	initRepositoryAccessSyncGitHubAppField(model)
 	initRepositoryAccessSetCredentialFieldsHidden(model)
 	initRepositoryAccessClearCredentialFieldValues(model)
 	initRepositoryAccessRefreshCredentialStatus(model, ctx)
 }
 
+func initRepositoryAccessSetSelectionOptions(model *initLinearEditorModel, ctx initPromptContext, selected string) {
+	index := model.document.fieldIndexByID(initRepositoryAccessFieldSelection)
+	if index < 0 {
+		return
+	}
+	options := initLinearOptionsFromHuh(initRepositoryAccessSelectionOptionsForContext(ctx), selected)
+	for optionIndex := range options {
+		option := &options[optionIndex]
+		if _, configured := ctx.ExistingConfig.RepositoryAccess[option.Value]; configured {
+			option.Deletable = true
+		}
+		if _, restorable := initRepositoryAccessRestoreSelectionName(option.Value); restorable {
+			option.Restorable = true
+		}
+	}
+	model.document[index].Options = options
+}
+
+func initRepositoryAccessSetDetailsHidden(model *initLinearEditorModel, hidden bool) {
+	for _, id := range []initLinearFieldID{
+		initRepositoryAccessFieldName,
+		initRepositoryAccessFieldHost,
+		initRepositoryAccessFieldAuth,
+		initRepositoryAccessFieldCredentialStore,
+		initRepositoryAccessFieldCredentialName,
+		initRepositoryAccessFieldCredentialStatus,
+		initRepositoryAccessFieldCredentialValues,
+		initRepositoryAccessFieldAction,
+	} {
+		model.setFieldHidden(id, hidden)
+	}
+	if hidden {
+		for _, id := range []initLinearFieldID{
+			initRepositoryAccessFieldGitHubAppID,
+			initRepositoryAccessFieldGitToken,
+			initRepositoryAccessFieldGitHubAppPrivateKey,
+		} {
+			model.setFieldHidden(id, true)
+		}
+	}
+}
+
 func initRepositoryAccessMaybeUpdateAutoCredentialRef(model *initLinearEditorModel) {
 	refIndex := model.document.fieldIndexByID(initRepositoryAccessFieldCredentialName)
 	if refIndex < 0 || !model.document[refIndex].AutoManaged {

From 2efa0743d28a1f7ddba21c20defd73b5696387f0 Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Mon, 22 Jun 2026 10:15:06 -0400
Subject: [PATCH 17/27] Flatten reviewer entity init flow

---
 internal/cmd/credentialcmd/credentialcmd.go   |  5 +-
 .../cmd/credentialcmd/credentialcmd_test.go   | 76 ++++++++++++++-----
 .../init_reviewer_entity_editor.go            | 36 ++++++++-
 3 files changed, 95 insertions(+), 22 deletions(-)

diff --git a/internal/cmd/credentialcmd/credentialcmd.go b/internal/cmd/credentialcmd/credentialcmd.go
index e53e23c7..6cd17680 100644
--- a/internal/cmd/credentialcmd/credentialcmd.go
+++ b/internal/cmd/credentialcmd/credentialcmd.go
@@ -1088,9 +1088,8 @@ func newHuhInitRepositoryAccessPrompter(opts *root.Options) initRepositoryAccess
 
 func newHuhInitReviewerEntityPrompter(opts *root.Options) initReviewerEntityPrompter {
 	return huhInitReviewerEntityPrompter{
-		stdin:           opts.Stdin,
-		stderr:          opts.Stderr,
-		inventoryRunner: runInitInventory,
+		stdin:  opts.Stdin,
+		stderr: opts.Stderr,
 	}
 }
 
diff --git a/internal/cmd/credentialcmd/credentialcmd_test.go b/internal/cmd/credentialcmd/credentialcmd_test.go
index 6cf19f79..ad26cbc2 100644
--- a/internal/cmd/credentialcmd/credentialcmd_test.go
+++ b/internal/cmd/credentialcmd/credentialcmd_test.go
@@ -6381,23 +6381,30 @@ func TestHuhInitReviewerEntityPrompterExistingReviewerCanEditLabel(t *testing.T)
 func TestHuhInitReviewerEntityPrompterDefaultUsesLinearReviewerFlow(t *testing.T) {
 	existing := basicProfile("work")
 	var stderr bytes.Buffer
-	prompter := huhInitReviewerEntityPrompter{
-		stderr: &stderr,
-		editorRunner: func(editor initLinearEditor, _ io.Reader, out io.Writer) (initLinearEditorModel, error) {
-			model := newInitLinearEditorModel(editor, 160, 60)
-			model = selectInitLinearFieldValue(t, model, initReviewerEntityFieldSelection, string(initReviewerEntityKindPAT))
-			model.setFieldValue(initReviewerEntityFieldGitToken, "inline-secret-token")
-			model.afterFieldChange(model.document.fieldIndexByID(initReviewerEntityFieldGitToken))
-			model = focusInitLinearField(t, model, initReviewerEntityFieldAction)
-			model = selectInitLinearFieldValue(t, model, initReviewerEntityFieldAction, initDetailActionEdit)
-			_, _ = io.WriteString(out, model.View())
-			updated, _ := model.Update(tea.KeyMsg{Type: tea.KeyEnter})
-			next, ok := updated.(initLinearEditorModel)
-			if !ok {
-				t.Fatalf("Update returned %T, want initLinearEditorModel", updated)
-			}
-			return next, nil
-		},
+	prompter, ok := newHuhInitReviewerEntityPrompter(&root.Options{
+		Stdin:  strings.NewReader(""),
+		Stderr: &stderr,
+	}).(huhInitReviewerEntityPrompter)
+	if !ok {
+		t.Fatalf("newHuhInitReviewerEntityPrompter returned %T, want huhInitReviewerEntityPrompter", newHuhInitReviewerEntityPrompter(&root.Options{}))
+	}
+	if prompter.inventoryRunner != nil {
+		t.Fatal("reviewer entity prompter inventoryRunner = non-nil, want direct linear editor path")
+	}
+	prompter.editorRunner = func(editor initLinearEditor, _ io.Reader, out io.Writer) (initLinearEditorModel, error) {
+		model := newInitLinearEditorModel(editor, 160, 60)
+		model = selectInitLinearFieldValue(t, model, initReviewerEntityFieldSelection, string(initReviewerEntityKindPAT))
+		model.setFieldValue(initReviewerEntityFieldGitToken, "inline-secret-token")
+		model.afterFieldChange(model.document.fieldIndexByID(initReviewerEntityFieldGitToken))
+		model = focusInitLinearField(t, model, initReviewerEntityFieldAction)
+		model = selectInitLinearFieldValue(t, model, initReviewerEntityFieldAction, initDetailActionEdit)
+		_, _ = io.WriteString(out, model.View())
+		updated, _ := model.Update(tea.KeyMsg{Type: tea.KeyEnter})
+		next, ok := updated.(initLinearEditorModel)
+		if !ok {
+			t.Fatalf("Update returned %T, want initLinearEditorModel", updated)
+		}
+		return next, nil
 	}
 
 	draft, err := prompter.EditReviewerEntity(initReviewerEntityPrompt{Context: initPromptContext{
@@ -6445,6 +6452,41 @@ func TestHuhInitReviewerEntityPrompterDefaultUsesLinearReviewerFlow(t *testing.T
 	}
 }
 
+func TestReviewerEntityStandaloneLinearEditorUsesActionsWithoutProfileFallback(t *testing.T) {
+	ctx := initPromptContext{
+		StandaloneReviewerEntityMode: true,
+		ExistingConfig:               config.File{Profiles: map[string]config.Profile{}},
+	}
+	model := newInitLinearEditorModel(initReviewerEntityLinearEditor(ctx, initDraft{}), 160, 60)
+	selectionIndex := model.document.fieldIndexByID(initReviewerEntityFieldSelection)
+	if selectionIndex < 0 {
+		t.Fatal("reviewer entity selection field missing")
+	}
+	if got, want := model.document[selectionIndex].Title, "Actions"; got != want {
+		t.Fatalf("selection title = %q, want %q", got, want)
+	}
+	if got, want := model.document.selectedValue(initReviewerEntityFieldSelection), string(initReviewerEntityKindPAT); got != want {
+		t.Fatalf("default standalone reviewer selection = %q, want %q", got, want)
+	}
+	optionLabels := make([]string, 0, len(model.document[selectionIndex].Options))
+	for _, option := range model.document[selectionIndex].Options {
+		optionLabels = append(optionLabels, option.Label)
+	}
+	for _, forbidden := range []string{reviewerEntityTemplateFallbackLabel(), "Back to main menu"} {
+		if slices.Contains(optionLabels, forbidden) {
+			t.Fatalf("standalone reviewer options = %#v, want no %q", optionLabels, forbidden)
+		}
+	}
+	for _, want := range []string{reviewerEntityTemplatePATLabel(), reviewerEntityTemplateGitHubAppLabel()} {
+		if !slices.Contains(optionLabels, want) {
+			t.Fatalf("standalone reviewer options = %#v, want %q", optionLabels, want)
+		}
+	}
+	if model.document.fieldHidden(initReviewerEntityFieldLabel) || model.document.fieldHidden(initReviewerEntityFieldSecretLocation) {
+		t.Fatalf("PAT reviewer detail fields hidden = label:%v location:%v, want visible", model.document.fieldHidden(initReviewerEntityFieldLabel), model.document.fieldHidden(initReviewerEntityFieldSecretLocation))
+	}
+}
+
 func TestHuhInitReviewerEntityPrompterGitHubAppLinearFlowShowsCredentialBundleCopy(t *testing.T) {
 	existing := basicProfile("work")
 	var stderr bytes.Buffer
diff --git a/internal/cmd/credentialcmd/init_reviewer_entity_editor.go b/internal/cmd/credentialcmd/init_reviewer_entity_editor.go
index 625a98ed..46354dc1 100644
--- a/internal/cmd/credentialcmd/init_reviewer_entity_editor.go
+++ b/internal/cmd/credentialcmd/init_reviewer_entity_editor.go
@@ -314,7 +314,7 @@ func initReviewerEntityLinearEditor(ctx initPromptContext, seed initDraft) initL
 	state, _ := reviewerEntityEditorStateForSelection(ctx, seed, selection)
 	var document initLinearDocument
 	document.addSection("Reviewer entity", reviewerEntitySelectionDescription())
-	document.addEditableSelect(initReviewerEntityFieldSelection, "Reviewer entity", "", options, selection)
+	document.addEditableSelect(initReviewerEntityFieldSelection, initReviewerEntitySelectionFieldTitle(ctx), initReviewerEntitySelectionFieldDescription(ctx), options, selection)
 	document.addSection("Reviewer details", "")
 	document.addEditableInput(
 		initReviewerEntityFieldLabel,
@@ -403,7 +403,7 @@ func initReviewerEntityLinearEditor(ctx initPromptContext, seed initDraft) initL
 }
 
 func initReviewerEntityLinearSelectionOptions(ctx initPromptContext) []huh.Option[string] {
-	options := initReviewerEntityOptions(ctx.ReviewerEntities, focusedReviewerEntityFallbackLabel(ctx.ExistingProfile))
+	options := initReviewerEntityOptionsForContext(ctx)
 	pendingNames := make([]string, 0, len(ctx.PendingReviewerEntityDeletes))
 	for name := range ctx.PendingReviewerEntityDeletes {
 		pendingNames = append(pendingNames, name)
@@ -415,6 +415,38 @@ func initReviewerEntityLinearSelectionOptions(ctx initPromptContext) []huh.Optio
 	return dedupeInitStringOptions(options)
 }
 
+func initReviewerEntityOptionsForContext(ctx initPromptContext) []huh.Option[string] {
+	if !ctx.StandaloneReviewerEntityMode {
+		return initReviewerEntityOptions(ctx.ReviewerEntities, focusedReviewerEntityFallbackLabel(ctx.ExistingProfile))
+	}
+	names := configuredInitReviewerEntityNames(ctx.ReviewerEntities)
+	sort.Strings(names)
+	options := make([]huh.Option[string], 0, len(names)+2)
+	for _, name := range names {
+		entity := ctx.ReviewerEntities[name]
+		options = append(options, huh.NewOption(initReviewerEntityLabel(entity), name))
+	}
+	options = append(options,
+		huh.NewOption(reviewerEntityTemplatePATLabel(), string(initReviewerEntityKindPAT)),
+		huh.NewOption(reviewerEntityTemplateGitHubAppLabel(), string(initReviewerEntityKindGitHubApp)),
+	)
+	return dedupeInitStringOptions(options)
+}
+
+func initReviewerEntitySelectionFieldTitle(ctx initPromptContext) string {
+	if ctx.StandaloneReviewerEntityMode {
+		return "Actions"
+	}
+	return "Reviewer entity"
+}
+
+func initReviewerEntitySelectionFieldDescription(ctx initPromptContext) string {
+	if ctx.StandaloneReviewerEntityMode {
+		return "Configure a new reviewer entity or edit a configured reviewer entity."
+	}
+	return ""
+}
+
 func initReviewerEntityDefaultSelection(ctx initPromptContext, seed initDraft, options []huh.Option[string]) string {
 	if selected := strings.TrimSpace(ctx.ProfileReviewerEntities[ctx.ExistingProfileName]); selected != "" {
 		return normalizeInitStringSelectionValue(normalizeReviewerEntitySelectionValue(selected, ctx.ReviewerEntities), options)

From 329fcc4755248b16031081dbf3c3f29ebbd0c547 Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Mon, 22 Jun 2026 10:17:21 -0400
Subject: [PATCH 18/27] Bump version to 0.9

---
 version.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version.txt b/version.txt
index aec258df..b63ba696 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-0.8
+0.9

From c5e52e191f0d340637a2b1dbef1933a652c2fa7a Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Mon, 22 Jun 2026 13:37:13 -0400
Subject: [PATCH 19/27] Simplify review policy resolution settings

---
 README.md                                     |  11 +-
 docs/init-config-surface.md                   |   5 +-
 internal/cmd/credentialcmd/credentialcmd.go   |  65 +++++----
 .../cmd/credentialcmd/credentialcmd_test.go   | 123 +++++++++---------
 internal/cmd/credentialcmd/init_profile_v2.go |  48 ++++---
 internal/config/config.go                     |  13 +-
 internal/config/config_test.go                |   9 --
 internal/view/config.go                       |  15 ++-
 internal/view/config_test.go                  |   2 +-
 9 files changed, 147 insertions(+), 144 deletions(-)

diff --git a/README.md b/README.md
index 40b93eea..4b46d76a 100644
--- a/README.md
+++ b/README.md
@@ -314,7 +314,8 @@ profiles:
     agent_sources:
       - ~/.config/codereview/agents
     review_policy:
-      major_event: comment
+      major_event: request_changes
+      resolve_threads: auto
 ```
 
 For adapter-managed LLM credentials, use `auth: subscription` and omit
@@ -490,10 +491,9 @@ profiles:
     agent_sources:
       - ~/.config/codereview/agents
     review_policy:
-      major_event: comment
+      major_event: request_changes
       allow_self_approve: false
       resolve_threads: auto
-      resolve_after: 24h
 data:
   retention:
     max_age_days: 90
@@ -751,10 +751,9 @@ Flags:
 | `--llm-api-key-from-env <env>` | Read the LLM API key from an environment variable and write `anthropic_api_key` or `openai_api_key` according to `--llm-provider`. |
 | `--secret-backend-discovery <mode>` | Interactive secrets-backend discovery mode: `full` runs active inventory probes such as 1Password account/vault lookup, `safe` uses only passive availability checks, and `off` skips backend discovery. Defaults to `full`; `CR_SECRET_BACKEND_DISCOVERY` can set the same value when the flag is omitted. |
 | `--agent-source <path>` | Add a trusted agent source directory. Repeatable. |
-| `--major-event <policy>` | `comment` or `request_changes`. Controls review event for major findings. |
+| `--major-event <policy>` | `comment` or `request_changes`. Controls review event for major findings. Defaults to `request_changes`. |
 | `--allow-self-approve` | Store profile policy allowing self approval. Live review can still require `--allow-self-approve` depending on invocation. |
-| `--resolve-threads <policy>` | `auto` or `never`. Empty leaves thread resolution unset. |
-| `--resolve-after <duration>` | Store a validated duration such as `24h` for future thread-resolution policy. Current review planning uses `resolve_threads`/`--no-resolve-threads`, not this delay. |
+| `--resolve-threads <policy>` | `auto` or `never`. Defaults to `auto`. |
 | `--overwrite` | Replace existing keyring entries written by this command. |
 | `--replace-profile` | Replace an existing profile config. |
 
diff --git a/docs/init-config-surface.md b/docs/init-config-surface.md
index e0b31a09..106b7c86 100644
--- a/docs/init-config-surface.md
+++ b/docs/init-config-surface.md
@@ -58,10 +58,9 @@ intentionally unsupported.
 | config.profiles.<name>.reviewer.github_app_installation.installation_id | Review profile composition stores an optional pinned GitHub App installation id for this profile. | Interactive review-profile flow only for now. | Empty unless installation mode is `pinned`. | Must be a decimal GitHub App installation id when present. This is profile routing data, not secret material. | GitHub App reviewer installation routing tests. |
 | config.profiles.<name>.llm_runtime | Review profile composition selects one configured LLM runtime by name. | Interactive review-profile flow only for now. Future config commands may own scripted profile composition. | New profiles require an explicit runtime choice. Existing runtime reference is pre-populated. | Must reference `config.llm_runtimes`. API-key runtime credentials must differ from Git and selected reviewer entity credentials when the store also matches. | First-class LLM-runtime reference validation tests. |
 | config.profiles.<name>.agent_sources[] | Direct trusted-directory editor shows existing profile agent-source paths in one multiline field with explanatory notes about trust and separate repo-local `.codereview/agents` discovery. | Existing `cr init --agent-source`; existing `cr config agent-source add/remove`; #186 docs sequence. | Omitted means no additional profile-specific trusted directories. Existing values are pre-populated line-by-line. | Preserve on skip. Clearing the field removes all profile-specific agent sources. Entered paths are normalized and deduped through the shared config-edit helper. | #177 extracts helper. #183 tests add/remove/reset/preserve. #289 prompt tests cover explanatory copy, multiline entry, and Back. |
-| config.profiles.<name>.review_policy.major_event | Review-policy wizard chooses comment or request_changes. | Existing `cr init --major-event`. | Current init defaults to `comment`. Existing value is pre-populated. | Preserve on skip. Set validates enum. Reset clears to normalized default `comment`. | #183 tests prompt, reset, and validation. |
+| config.profiles.<name>.review_policy.major_event | Review-policy wizard chooses request_changes or comment. | Existing `cr init --major-event`. | Current init defaults to `request_changes`. Existing value is pre-populated. | Preserve on skip. Set validates enum. Reset clears to normalized default `request_changes`. | #183 tests prompt, reset, and validation. |
 | config.profiles.<name>.review_policy.allow_self_approve | Review-policy wizard toggles durable self-approval policy. | Existing `cr init --allow-self-approve`. | Current init defaults false. Existing value is pre-populated. | Preserve on skip. Set true/false explicitly. Runtime `cr review --allow-self-approve` remains separate. | #183 tests true/false preservation. |
-| config.profiles.<name>.review_policy.resolve_threads | Review-policy wizard chooses unset, auto, or never. | Existing `cr init --resolve-threads`. | Empty means normal runtime behavior. Existing value is pre-populated. | Preserve on skip. Reset clears field. Set validates enum. Runtime `--no-resolve-threads` remains one-shot. | #183 tests unset/auto/never. |
-| config.profiles.<name>.review_policy.resolve_after | Review-policy wizard edits or clears the configured duration. | Existing `cr init --resolve-after`. | Empty means no configured delay. Existing value is pre-populated. | Preserve on skip. Reset clears field. Set validates Go duration. | #183 tests duration validation and clear. |
+| config.profiles.<name>.review_policy.resolve_threads | Review-policy wizard chooses auto or never. | Existing `cr init --resolve-threads`. | Current init defaults to `auto`. Existing value is pre-populated. | Preserve on skip. Set validates enum. Runtime `--no-resolve-threads` remains one-shot. | #183 tests auto/never. |
 | config.data.retention.max_age_days | Global retention editor shows one direct `Maximum run-data age in days` field plus explanatory run-data copy. | New `cr config retention set/reset` from #178. #187 must not add retention init flags without amending this contract. | Omitted normalizes to 90. Explicit `0` means keep forever. Existing value is pre-populated with the effective current value, including `0` for keep forever. | Preserve on skip. Blank input resets to the 90-day default. Set accepts non-negative days. `0` keeps posted-review run data indefinitely. | #178 command tests and #184 wizard tests cover omitted/default vs explicit 0. #290 prompt tests cover direct prefills, blank-to-default reset, and Back. |
 | config.data.retention.enforcement | Not shown in interactive init; retained as command-level/power-user config. | New `cr config retention set/reset` from #178. #187 must not add retention init flags without amending this contract. | Omitted normalizes to `at_write`. Existing value is preserved when init edits retention. | Interactive init preserves the current enforcement value. `cr config retention` remains the path for explicit `at_write` vs `manual_only` changes. | #178 command tests and #184 wizard tests cover reset/manual-only. #290 init tests cover preservation when editing max age. |
 
diff --git a/internal/cmd/credentialcmd/credentialcmd.go b/internal/cmd/credentialcmd/credentialcmd.go
index 6cd17680..bfd3aa17 100644
--- a/internal/cmd/credentialcmd/credentialcmd.go
+++ b/internal/cmd/credentialcmd/credentialcmd.go
@@ -170,7 +170,6 @@ type initOptions struct {
 	majorEvent          string
 	selfApprove         bool
 	resolveThreads      string
-	resolveAfter        string
 	gitTokenStdin       bool
 	gitTokenEnv         string
 	reviewerTokenStdin  bool
@@ -823,7 +822,7 @@ func newInitCommand(opts *root.Options) *cobra.Command {
 		llmProvider:      string(config.LLMProviderAnthropic),
 		llmAuth:          string(config.LLMAuthSubscription),
 		llmAdapter:       string(config.LLMAdapterClaudeCLI),
-		majorEvent:       string(config.ReviewMajorEventComment),
+		majorEvent:       string(config.ReviewMajorEventRequestChanges),
 		secretsDiscovery: string(initSecretsBackendDiscoveryModeFull),
 	}
 	cmd := &cobra.Command{
@@ -857,8 +856,7 @@ func newInitCommand(opts *root.Options) *cobra.Command {
 	cmd.Flags().StringArrayVar(&flags.agentSources, "agent-source", nil, "Agent source ref (repeatable)")
 	cmd.Flags().StringVar(&flags.majorEvent, "major-event", flags.majorEvent, "Major finding event policy")
 	cmd.Flags().BoolVar(&flags.selfApprove, "allow-self-approve", false, "Allow self approval")
-	cmd.Flags().StringVar(&flags.resolveThreads, "resolve-threads", "", "Thread resolution policy")
-	cmd.Flags().StringVar(&flags.resolveAfter, "resolve-after", "", "Duration before thread resolution")
+	cmd.Flags().StringVar(&flags.resolveThreads, "resolve-threads", string(config.ResolveThreadsAuto), "Thread resolution policy")
 	cmd.Flags().BoolVar(&flags.gitTokenStdin, "git-token-stdin", false, "Read the Git token from stdin")
 	cmd.Flags().StringVar(&flags.gitTokenEnv, "git-token-from-env", "", "Read the Git token from this environment variable")
 	cmd.Flags().BoolVar(&flags.reviewerTokenStdin, "reviewer-token-stdin", false, "Read the reviewer Git token from stdin")
@@ -1506,7 +1504,10 @@ func completeInteractiveInitProfileV2Draft(ctx initPromptContext, draft initDraf
 			draft.ReviewPolicy = ctx.ExistingProfile.ReviewPolicy
 		}
 		if draft.ReviewPolicy.MajorEvent == "" {
-			draft.ReviewPolicy.MajorEvent = config.ReviewMajorEventComment
+			draft.ReviewPolicy.MajorEvent = config.ReviewMajorEventRequestChanges
+		}
+		if draft.ReviewPolicy.ResolveThreads == "" {
+			draft.ReviewPolicy.ResolveThreads = config.ResolveThreadsAuto
 		}
 		draft.ReviewPolicySet = true
 	}
@@ -2666,39 +2667,38 @@ func (p huhInitPrompter) Run(ctx initPromptContext) (initDraft, error) {
 			agentSourceText := strings.Join(draft.AgentSources, "\n")
 			policy := draft.ReviewPolicy
 			if policy.MajorEvent == "" {
-				policy.MajorEvent = config.ReviewMajorEventComment
+				policy.MajorEvent = config.ReviewMajorEventRequestChanges
+			}
+			if policy.ResolveThreads == "" {
+				policy.ResolveThreads = config.ResolveThreadsAuto
 			}
 			majorEvent := policy.MajorEvent
 			selfApproveChoice := initReviewPolicySelfApproveChoice(policy.AllowSelfApprove)
 			resolveThreads := string(policy.ResolveThreads)
-			resolveAfter := policy.ResolveAfter
 			profileAction := initDetailActionEdit
 
 			reviewPolicyFields := []huh.Field{
 				huh.NewSelect[config.ReviewMajorEvent]().
 					Title("Major findings event").
+					Description("Blocking findings always request changes. This controls what cr does when the highest severity is major: either request changes or leave a review comment.").
 					Options(
-						huh.NewOption("Comment", config.ReviewMajorEventComment),
 						huh.NewOption("Request changes", config.ReviewMajorEventRequestChanges),
+						huh.NewOption("Comment", config.ReviewMajorEventComment),
 					).
 					Value(&majorEvent),
 				huh.NewSelect[string]().
 					Title("Allow self-approve").
+					Description("Relevant when this profile posts using a user account. If that account authored the PR, cr downgrades approval to a comment unless enabled.").
 					Options(initReviewPolicySelfApproveOptions()...).
 					Value(&selfApproveChoice),
 				huh.NewSelect[string]().
 					Title("Resolve threads").
+					Description("Controls whether cr may mark inline discussion threads as \"resolved\" when it evaluates the dialog, and determines a decision has been made. When enabled, cr treats the final comment as the cached outcome of the discussion. This removes the discussion thread from future calls to the LLM provider, saving both time and tokens.").
 					Options(
-						huh.NewOption("Use built-in default", ""),
-						huh.NewOption("Auto-resolve", string(config.ResolveThreadsAuto)),
-						huh.NewOption("Never resolve", string(config.ResolveThreadsNever)),
+						huh.NewOption("Auto-resolve (recommended)", string(config.ResolveThreadsAuto)),
+						huh.NewOption("Never resolve automatically", string(config.ResolveThreadsNever)),
 					).
 					Value(&resolveThreads),
-				huh.NewInput().
-					Title("Resolve-after duration").
-					Description("Optional. Leave blank to clear. Example: 24h or 30m.").
-					Value(&resolveAfter).
-					Validate(validateOptionalDuration),
 			}
 			if len(modelMapFields) == 0 {
 				modelMapFields = append(modelMapFields, huh.NewNote().Description("No model tiers are available to configure."))
@@ -2897,12 +2897,15 @@ func (p huhInitPrompter) Run(ctx initPromptContext) (initDraft, error) {
 			draft.ModelMap = initModelMapFromEditorValues(modelMapLLM, modelMapValues)
 			draft.AgentSourcesSet = true
 			draft.AgentSources = strings.FieldsFunc(agentSourceText, func(r rune) bool { return r == '\n' || r == '\r' })
+			allowSelfApprove := initReviewPolicyAllowSelfApprove(selfApproveChoice)
+			if initProfileV2ReviewerEntityKindForSelection(selectedReviewerEntity, ctx.ReviewerEntities) == initReviewerEntityKindGitHubApp {
+				allowSelfApprove = false
+			}
 			draft.ReviewPolicySet = true
 			draft.ReviewPolicy = config.ReviewPolicy{
 				MajorEvent:       majorEvent,
-				AllowSelfApprove: initReviewPolicyAllowSelfApprove(selfApproveChoice),
+				AllowSelfApprove: allowSelfApprove,
 				ResolveThreads:   config.ResolveThreadsPolicy(strings.TrimSpace(resolveThreads)),
-				ResolveAfter:     strings.TrimSpace(resolveAfter),
 			}
 			draft.RoutesSet = true
 			draft.Routes = routes
@@ -3982,13 +3985,15 @@ func (p huhInitReviewPolicyPrompter) EditReviewPolicy(prompt initReviewPolicyPro
 	action := initDetailActionEdit
 	policy := prompt.ReviewPolicy
 	if policy.MajorEvent == "" {
-		policy.MajorEvent = config.ReviewMajorEventComment
+		policy.MajorEvent = config.ReviewMajorEventRequestChanges
+	}
+	if policy.ResolveThreads == "" {
+		policy.ResolveThreads = config.ResolveThreadsAuto
 	}
 	majorEvent := policy.MajorEvent
 	selfApprove := policy.AllowSelfApprove
 	selfApproveChoice := initReviewPolicySelfApproveChoice(selfApprove)
 	resolveThreads := string(policy.ResolveThreads)
-	resolveAfter := policy.ResolveAfter
 	form := huh.NewForm(
 		huh.NewGroup(
 			huh.NewSelect[string]().
@@ -4002,28 +4007,25 @@ func (p huhInitReviewPolicyPrompter) EditReviewPolicy(prompt initReviewPolicyPro
 		huh.NewGroup(
 			huh.NewSelect[config.ReviewMajorEvent]().
 				Title("Major findings event").
+				Description("Blocking findings always request changes. This controls what cr does when the highest severity is major: either request changes or leave a review comment.").
 				Options(
-					huh.NewOption("Comment", config.ReviewMajorEventComment),
 					huh.NewOption("Request changes", config.ReviewMajorEventRequestChanges),
+					huh.NewOption("Comment", config.ReviewMajorEventComment),
 				).
 				Value(&majorEvent),
 			huh.NewSelect[string]().
 				Title("Allow self-approve").
+				Description("Relevant when this profile posts using a user account. If that account authored the PR, cr downgrades approval to a comment unless enabled.").
 				Options(initReviewPolicySelfApproveOptions()...).
 				Value(&selfApproveChoice),
 			huh.NewSelect[string]().
 				Title("Resolve threads").
+				Description("Controls whether cr may mark inline discussion threads as \"resolved\" when it evaluates the dialog, and determines a decision has been made. When enabled, cr treats the final comment as the cached outcome of the discussion. This removes the discussion thread from future calls to the LLM provider, saving both time and tokens.").
 				Options(
-					huh.NewOption("Use built-in default", ""),
-					huh.NewOption("Auto-resolve", string(config.ResolveThreadsAuto)),
-					huh.NewOption("Never resolve", string(config.ResolveThreadsNever)),
+					huh.NewOption("Auto-resolve (recommended)", string(config.ResolveThreadsAuto)),
+					huh.NewOption("Never resolve automatically", string(config.ResolveThreadsNever)),
 				).
 				Value(&resolveThreads),
-			huh.NewInput().
-				Title("Resolve-after duration").
-				Description("Optional. Leave blank to clear. Example: 24h or 30m.").
-				Value(&resolveAfter).
-				Validate(validateOptionalDuration),
 		).WithHideFunc(func() bool {
 			return action == initDetailActionBack
 		}).Title("Review Policy"),
@@ -4042,7 +4044,6 @@ func (p huhInitReviewPolicyPrompter) EditReviewPolicy(prompt initReviewPolicyPro
 			MajorEvent:       majorEvent,
 			AllowSelfApprove: selfApprove,
 			ResolveThreads:   config.ResolveThreadsPolicy(strings.TrimSpace(resolveThreads)),
-			ResolveAfter:     strings.TrimSpace(resolveAfter),
 		},
 	}, nil
 }
@@ -4609,7 +4610,6 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 			MajorEvent:       config.ReviewMajorEvent(flags.majorEvent),
 			AllowSelfApprove: flags.selfApprove,
 			ResolveThreads:   config.ResolveThreadsPolicy(flags.resolveThreads),
-			ResolveAfter:     flags.resolveAfter,
 		},
 	}
 	if llmRef != "" {
@@ -4643,8 +4643,7 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 		}
 		if !cmd.Flags().Changed("major-event") &&
 			!cmd.Flags().Changed("allow-self-approve") &&
-			!cmd.Flags().Changed("resolve-threads") &&
-			!cmd.Flags().Changed("resolve-after") {
+			!cmd.Flags().Changed("resolve-threads") {
 			profile.ReviewPolicy = previousProfile.ReviewPolicy
 		}
 		if !cmd.Flags().Changed("llm-reviewer-model-tier") && !flags.clearLLMReviewer {
diff --git a/internal/cmd/credentialcmd/credentialcmd_test.go b/internal/cmd/credentialcmd/credentialcmd_test.go
index ad26cbc2..2fe5de76 100644
--- a/internal/cmd/credentialcmd/credentialcmd_test.go
+++ b/internal/cmd/credentialcmd/credentialcmd_test.go
@@ -1500,7 +1500,6 @@ func TestInitDisableReviewerClearsReviewerCredentials(t *testing.T) {
 		MajorEvent:       config.ReviewMajorEventRequestChanges,
 		AllowSelfApprove: true,
 		ResolveThreads:   config.ResolveThreadsNever,
-		ResolveAfter:     "24h",
 	}
 	if err := config.Save(path, config.File{
 		Profiles: map[string]config.Profile{
@@ -1618,7 +1617,6 @@ func TestInitLLMReviewerModelTierFlags(t *testing.T) {
 			MajorEvent:       config.ReviewMajorEventRequestChanges,
 			AllowSelfApprove: true,
 			ResolveThreads:   config.ResolveThreadsNever,
-			ResolveAfter:     "24h",
 		}
 		if err := config.Save(path, config.File{
 			Profiles: map[string]config.Profile{
@@ -1683,7 +1681,6 @@ func TestInitPlanApplyPreservesUnrelatedExistingConfig(t *testing.T) {
 		MajorEvent:       config.ReviewMajorEventRequestChanges,
 		AllowSelfApprove: true,
 		ResolveThreads:   config.ResolveThreadsNever,
-		ResolveAfter:     "24h",
 	}
 	existing := config.File{
 		Keyring: config.KeyringConfig{Backend: "file"},
@@ -8754,11 +8751,10 @@ func TestHuhInitReviewPolicyPrompterAccessibleShowsFields(t *testing.T) {
 	var stderr bytes.Buffer
 	prompter := huhInitReviewPolicyPrompter{
 		stdin: strings.NewReader(strings.Join([]string{
-			"",    // Stage review-policy settings
-			"",    // keep comment
-			"",    // keep recommended self-approve false
-			"2",   // auto resolve
-			"24h", // resolve after
+			"", // Stage review-policy settings
+			"", // keep request changes
+			"", // keep recommended self-approve false
+			"", // keep auto resolve
 			"",
 		}, "\n")),
 		stderr: &stderr,
@@ -8773,16 +8769,22 @@ func TestHuhInitReviewPolicyPrompterAccessibleShowsFields(t *testing.T) {
 	if !edit.Apply {
 		t.Fatal("edit.Apply = false, want true")
 	}
-	if edit.ReviewPolicy.MajorEvent != config.ReviewMajorEventComment {
-		t.Fatalf("review policy = %#v, want default comment major_event", edit.ReviewPolicy)
+	if edit.ReviewPolicy.MajorEvent != config.ReviewMajorEventRequestChanges {
+		t.Fatalf("review policy = %#v, want default request_changes major_event", edit.ReviewPolicy)
 	}
 	if edit.ReviewPolicy.AllowSelfApprove {
 		t.Fatalf("review policy = %#v, want self-approve false on default path", edit.ReviewPolicy)
 	}
+	if edit.ReviewPolicy.ResolveThreads != config.ResolveThreadsAuto {
+		t.Fatalf("review policy = %#v, want auto resolve_threads", edit.ReviewPolicy)
+	}
 	out := stderr.String()
-	if !strings.Contains(out, "Major findings event") || !strings.Contains(out, "Resolve-after duration") {
+	if !strings.Contains(out, "Major findings event") || !strings.Contains(out, "Resolve threads") {
 		t.Fatalf("stderr = %q, want review-policy fields", out)
 	}
+	if !strings.Contains(out, "Auto-resolve (recommended)") || !strings.Contains(out, "Never resolve automatically") {
+		t.Fatalf("stderr = %q, want explicit resolve choices", out)
+	}
 	if !strings.Contains(out, "Do not allow self-approve (recommended)") || !strings.Contains(out, "Enable self-approve") {
 		t.Fatalf("stderr = %q, want explicit self-approve choices", out)
 	}
@@ -8961,7 +8963,6 @@ func TestInitInteractivePromptBuildsPlanAndPreservesOutOfScopeFields(t *testing.
 		MajorEvent:       config.ReviewMajorEventRequestChanges,
 		AllowSelfApprove: true,
 		ResolveThreads:   config.ResolveThreadsNever,
-		ResolveAfter:     "24h",
 	}
 	existing.LLM.ModelMap = config.ModelMap{"medium": "gpt-custom"}
 	existing.LLM.ReviewerModelTier = config.ModelTierLarge
@@ -9179,7 +9180,6 @@ func TestEditInteractiveInitProfileSkipsInlineProfileDetailCollectors(t *testing
 		MajorEvent:       config.ReviewMajorEventRequestChanges,
 		AllowSelfApprove: true,
 		ResolveThreads:   config.ResolveThreadsNever,
-		ResolveAfter:     "24h",
 	}
 	deps := initDeps{
 		prompter: initPrompterFunc(func(initPromptContext) (initDraft, error) {
@@ -9321,7 +9321,6 @@ func TestLoopInteractiveInitProfileV2AppliesInlineDetailDraftParity(t *testing.T
 		MajorEvent:       config.ReviewMajorEventRequestChanges,
 		AllowSelfApprove: true,
 		ResolveThreads:   config.ResolveThreadsNever,
-		ResolveAfter:     "24h",
 	}
 	deps := initDeps{
 		profileV2Prompter: initPrompterFunc(func(ctx initPromptContext) (initDraft, error) {
@@ -9565,8 +9564,8 @@ func TestCompleteInteractiveInitProfileV2DraftFillsUnsetFieldsAndDefaultsReviewP
 	if !draft.ReviewPolicySet {
 		t.Fatalf("ReviewPolicySet = false, want true")
 	}
-	if draft.ReviewPolicy.MajorEvent != config.ReviewMajorEventComment {
-		t.Fatalf("ReviewPolicy.MajorEvent = %q, want default comment", draft.ReviewPolicy.MajorEvent)
+	if draft.ReviewPolicy.MajorEvent != config.ReviewMajorEventRequestChanges {
+		t.Fatalf("ReviewPolicy.MajorEvent = %q, want default request_changes", draft.ReviewPolicy.MajorEvent)
 	}
 	if !draft.ReviewPolicy.AllowSelfApprove || draft.ReviewPolicy.ResolveThreads != config.ResolveThreadsNever {
 		t.Fatalf("ReviewPolicy = %#v, want existing fields preserved", draft.ReviewPolicy)
@@ -9653,7 +9652,6 @@ func TestInitInteractiveModelMapAddEditRemoveAndReset(t *testing.T) {
 			}
 			expected := existing
 			expected.LLM.ModelMap = copyModelMap(tt.want)
-			expected.ReviewPolicy.MajorEvent = config.ReviewMajorEventComment
 			expected = normalizeTestProfileNamed("work", expected)
 			if !reflect.DeepEqual(cfg.Profiles["work"], expected) {
 				t.Fatalf("saved profile = %#v, want %#v", cfg.Profiles["work"], expected)
@@ -9785,7 +9783,6 @@ func TestInitInteractiveAgentSourcesPreserveAddRemoveAndReset(t *testing.T) {
 				MajorEvent:       config.ReviewMajorEventRequestChanges,
 				AllowSelfApprove: true,
 				ResolveThreads:   config.ResolveThreadsNever,
-				ResolveAfter:     "24h",
 			}
 			saveCredentialTestConfig(t, path, config.File{
 				Profiles: map[string]config.Profile{"work": existing},
@@ -9893,13 +9890,11 @@ func TestInitInteractiveReviewPolicyPreserveEditAndDefaults(t *testing.T) {
 				MajorEvent:       config.ReviewMajorEventRequestChanges,
 				AllowSelfApprove: true,
 				ResolveThreads:   config.ResolveThreadsNever,
-				ResolveAfter:     "24h",
 			}},
 			want: config.ReviewPolicy{
 				MajorEvent:       config.ReviewMajorEventRequestChanges,
 				AllowSelfApprove: true,
 				ResolveThreads:   config.ResolveThreadsNever,
-				ResolveAfter:     "24h",
 			},
 		},
 		{
@@ -9908,14 +9903,14 @@ func TestInitInteractiveReviewPolicyPreserveEditAndDefaults(t *testing.T) {
 				MajorEvent:       config.ReviewMajorEventRequestChanges,
 				AllowSelfApprove: true,
 				ResolveThreads:   config.ResolveThreadsAuto,
-				ResolveAfter:     "1h",
 			},
 			edit: initReviewPolicyEdit{Apply: true, ReviewPolicy: config.ReviewPolicy{
 				MajorEvent:       config.ReviewMajorEventComment,
 				AllowSelfApprove: false,
 			}},
 			want: config.ReviewPolicy{
-				MajorEvent: config.ReviewMajorEventComment,
+				MajorEvent:     config.ReviewMajorEventComment,
+				ResolveThreads: config.ResolveThreadsAuto,
 			},
 		},
 	}
@@ -9995,14 +9990,6 @@ func TestInitInteractiveReviewPolicyRejectsInvalidEntries(t *testing.T) {
 			}},
 			want: `review_policy.resolve_threads "always" is invalid`,
 		},
-		{
-			name: "invalid resolve_after",
-			edit: initReviewPolicyEdit{Apply: true, ReviewPolicy: config.ReviewPolicy{
-				MajorEvent:   config.ReviewMajorEventComment,
-				ResolveAfter: "tomorrow",
-			}},
-			want: `review_policy.resolve_after "tomorrow" is invalid`,
-		},
 	}
 
 	for _, tt := range tests {
@@ -12968,7 +12955,6 @@ func TestInitProfileV2ReadOnlyContentRendersTargetOrderWithRealData(t *testing.T
 		MajorEvent:       config.ReviewMajorEventRequestChanges,
 		AllowSelfApprove: true,
 		ResolveThreads:   config.ResolveThreadsAuto,
-		ResolveAfter:     "24h",
 	}
 	cfg := config.File{
 		Profiles: map[string]config.Profile{
@@ -13020,9 +13006,7 @@ func TestInitProfileV2ReadOnlyContentRendersTargetOrderWithRealData(t *testing.T
 		"/opt/codereview/agents",
 		"Review policy",
 		"Request changes",
-		"Enable self-approve",
 		"Auto-resolve",
-		"24h",
 		"Profile action",
 		"Stage profile settings",
 		"Back without staging",
@@ -13031,6 +13015,9 @@ func TestInitProfileV2ReadOnlyContentRendersTargetOrderWithRealData(t *testing.T
 			t.Fatalf("content missing %q:\n%s", want, content)
 		}
 	}
+	if strings.Contains(content, "Enable self-approve") || strings.Contains(content, "Allow self-approve") {
+		t.Fatalf("content shows self-approve for GitHub App reviewer:\n%s", content)
+	}
 
 	assertContentOrder := func(parts ...string) {
 		t.Helper()
@@ -13790,8 +13777,6 @@ func TestInitProfileV2ReviewPolicyDraftsSelections(t *testing.T) {
 	model = selectInitProfileV2FieldValue(t, model, initProfileV2FieldReviewMajorEvent, string(config.ReviewMajorEventRequestChanges))
 	model = selectInitProfileV2FieldValue(t, model, initProfileV2FieldSelfApprove, initSelfApproveEnable)
 	model = selectInitProfileV2FieldValue(t, model, initProfileV2FieldResolveThreads, string(config.ResolveThreadsAuto))
-	model = focusInitProfileV2Field(t, model, initProfileV2FieldResolveAfter)
-	model = typeInitProfileV2Text(t, model, "24h")
 
 	draft, err := model.validatedDraft()
 	if err != nil {
@@ -13804,34 +13789,58 @@ func TestInitProfileV2ReviewPolicyDraftsSelections(t *testing.T) {
 		MajorEvent:       config.ReviewMajorEventRequestChanges,
 		AllowSelfApprove: true,
 		ResolveThreads:   config.ResolveThreadsAuto,
-		ResolveAfter:     "24h",
 	}
 	if !reflect.DeepEqual(draft.ReviewPolicy, want) {
 		t.Fatalf("draft.ReviewPolicy = %#v, want %#v", draft.ReviewPolicy, want)
 	}
 }
 
-func TestInitProfileV2ReviewPolicyRejectsInvalidDuration(t *testing.T) {
-	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithReviewPolicyAndGitStorage(
-		"monit",
-		"github.com/SignalFT",
-		config.ReviewPolicy{},
-		"codereview/monit",
-		true,
-		testInitProfileV2GitScopes(),
-		testInitProfileV2GitScopeName,
-	), 160, 24)
-	model = focusInitProfileV2Field(t, model, initProfileV2FieldResolveAfter)
-	model = typeInitProfileV2Text(t, model, "tomorrow")
+func TestInitProfileV2ReviewPolicyHidesSelfApproveForGitHubAppReviewer(t *testing.T) {
+	reviewerEntities := map[string]initReviewerEntityDraft{
+		"app-reviewer": {
+			Name:            "app-reviewer",
+			Kind:            initReviewerEntityKindGitHubApp,
+			AuthMode:        config.GitAuthModeGitHubApp,
+			AppID:           "12345",
+			CredentialStore: config.LocalOSCredentialStoreID,
+			CredentialRef:   "codereview/app-reviewer",
+			DisplayName:     "App reviewer",
+		},
+	}
+	llmRuntimes := map[string]initLLMRuntimeDraft{
+		"claude-work": {
+			Name:     "claude-work",
+			Preset:   initLLMRuntimePresetClaudeCLISubscription,
+			Provider: config.LLMProviderAnthropic,
+			Auth:     config.LLMAuthSubscription,
+			Adapter:  config.LLMAdapterClaudeCLI,
+		},
+	}
+	editor := newTestInitProfileV2EditorWithSelections("monit", "github.com/SignalFT", reviewerEntities, llmRuntimes)
+	initProfileV2AppendReviewPolicySection(&editor.Document, config.ReviewPolicy{
+		MajorEvent:       config.ReviewMajorEventRequestChanges,
+		AllowSelfApprove: true,
+		ResolveThreads:   config.ResolveThreadsAuto,
+	}, false)
+	model := newInitProfileV2ReadOnlyModel(editor, 160, 40)
+	model = selectInitProfileV2FieldValue(t, model, initProfileV2FieldReviewerEntity, "app-reviewer")
 
-	if !strings.Contains(model.View(), "invalid duration") {
-		index := model.document.fieldIndexByID(initProfileV2FieldResolveAfter)
-		if index < 0 || !strings.Contains(model.document[index].Error, "invalid duration") {
-			t.Fatalf("duration field error = %q, want invalid duration", model.document[index].Error)
-		}
+	index := model.document.fieldIndexByID(initProfileV2FieldSelfApprove)
+	if index < 0 {
+		t.Fatalf("self-approve field missing")
+	}
+	if !model.document[index].Hidden {
+		t.Fatalf("self-approve hidden = false, want hidden for GitHub App reviewer")
+	}
+	if strings.Contains(model.View(), "Allow self-approve") {
+		t.Fatalf("view shows self-approve for GitHub App reviewer:\n%s", model.View())
+	}
+	draft, err := model.validatedDraft()
+	if err != nil {
+		t.Fatalf("validatedDraft: %v", err)
 	}
-	if _, err := model.validatedDraft(); err == nil || !strings.Contains(err.Error(), "invalid duration") {
-		t.Fatalf("validatedDraft error = %v, want duration validation", err)
+	if draft.ReviewPolicy.AllowSelfApprove {
+		t.Fatalf("AllowSelfApprove = true, want false for GitHub App reviewer")
 	}
 }
 
@@ -14473,7 +14482,7 @@ func newTestInitProfileV2EditorWithReviewPolicyAndGitStorage(profileName string,
 	if selectedGitScope != "" && selectedGitScope != initCustomGitScopeSelection {
 		initProfileV2AppendGitScopeSection(&document, selectedGitScope, initGitScopeOptions(gitScopes), draft, true)
 	}
-	initProfileV2AppendReviewPolicySection(&document, policy)
+	initProfileV2AppendReviewPolicySection(&document, policy, false)
 	initProfileV2AppendGitStorageSection(&document, storeOptions, config.LocalOSCredentialStoreID, gitStorageLabel)
 	return initProfileV2Editor{
 		Draft:                      draft,
@@ -15593,7 +15602,6 @@ func TestInitInteractiveMenuFocusedLLMRuntimePreservesUnrelatedProfileState(t *t
 		MajorEvent:       config.ReviewMajorEventRequestChanges,
 		AllowSelfApprove: true,
 		ResolveThreads:   config.ResolveThreadsNever,
-		ResolveAfter:     "24h",
 	}
 	wantRoutes := []config.RepositoryProfile{{
 		Profile: "work",
@@ -15758,7 +15766,6 @@ func TestInitInteractiveMenuFocusedLLMRuntimeNoOpSkipsStoreOnSaveAndPersistsGlob
 	if cfg.Data.Retention.MaxAgeDaysValue() != 14 || cfg.Data.Retention.Enforcement != config.RetentionAtWrite {
 		t.Fatalf("retention = %#v, want 14/at_write", cfg.Data.Retention)
 	}
-	wantProfile.ReviewPolicy.MajorEvent = config.ReviewMajorEventComment
 	if !reflect.DeepEqual(cfg.Profiles["work"], wantProfile) {
 		t.Fatalf("profile = %#v, want unchanged %#v", cfg.Profiles["work"], wantProfile)
 	}
diff --git a/internal/cmd/credentialcmd/init_profile_v2.go b/internal/cmd/credentialcmd/init_profile_v2.go
index 4e66a47d..641da8cd 100644
--- a/internal/cmd/credentialcmd/init_profile_v2.go
+++ b/internal/cmd/credentialcmd/init_profile_v2.go
@@ -389,7 +389,7 @@ func initProfileV2ReadOnlyEditor(ctx initPromptContext, selection string) (initP
 	}
 	document.addEditableInput(initProfileV2FieldProfileName, "Profile name", "Human-friendly name for this review profile.", profileNameInput, profileNameValidate)
 	initProfileV2AppendAgentSourcesSection(&document, draft.AgentSources)
-	initProfileV2AppendReviewPolicySection(&document, draft.ReviewPolicy)
+	initProfileV2AppendReviewPolicySection(&document, draft.ReviewPolicy, initProfileV2ReviewerEntityKindForSelection(selectedReviewerEntity, ctx.ReviewerEntities) == initReviewerEntityKindGitHubApp)
 	initProfileV2AppendProfileActionSection(&document)
 	return initProfileV2Editor{
 		Draft:                  draft,
@@ -455,7 +455,6 @@ const (
 	initProfileV2FieldReviewMajorEvent                     initProfileV2FieldID = "review_major_event"
 	initProfileV2FieldSelfApprove                          initProfileV2FieldID = "self_approve"
 	initProfileV2FieldResolveThreads                       initProfileV2FieldID = "resolve_threads"
-	initProfileV2FieldResolveAfter                         initProfileV2FieldID = "resolve_after"
 	initProfileV2FieldGitCredentialStore                   initProfileV2FieldID = "git_credential_store" // #nosec G101 -- this is a field ID, not a secret value.
 	initProfileV2FieldGitCredentialName                    initProfileV2FieldID = "git_credential_name"  // #nosec G101 -- this is a field ID, not a secret value.
 	initProfileV2FieldLLMCredentialSection                 initProfileV2FieldID = "llm_credentials_section"
@@ -565,22 +564,23 @@ func initProfileV2AppendAgentSourcesSection(document *initProfileV2Document, sou
 	document.addEditableTextarea(initProfileV2FieldAgentSources, "Additional trusted reviewer-agent directories", "Paths are deduplicated and normalized before save.", strings.Join(sources, "\n"))
 }
 
-func initProfileV2AppendReviewPolicySection(document *initProfileV2Document, policy config.ReviewPolicy) {
+func initProfileV2AppendReviewPolicySection(document *initProfileV2Document, policy config.ReviewPolicy, hideSelfApprove bool) {
 	if policy.MajorEvent == "" {
-		policy.MajorEvent = config.ReviewMajorEventComment
+		policy.MajorEvent = config.ReviewMajorEventRequestChanges
+	}
+	if policy.ResolveThreads == "" {
+		policy.ResolveThreads = config.ResolveThreadsAuto
 	}
 	document.addSection("Review policy", "Choose how cr posts major findings and handles review threads.")
-	document.addEditableSelect(initProfileV2FieldReviewMajorEvent, "Major findings event", "", []huh.Option[string]{
-		huh.NewOption("Comment", string(config.ReviewMajorEventComment)),
+	document.addEditableSelect(initProfileV2FieldReviewMajorEvent, "Major findings event", "Blocking findings always request changes. This controls what cr does when the highest severity is major: either request changes or leave a review comment.", []huh.Option[string]{
 		huh.NewOption("Request changes", string(config.ReviewMajorEventRequestChanges)),
+		huh.NewOption("Comment", string(config.ReviewMajorEventComment)),
 	}, string(policy.MajorEvent))
-	document.addEditableSelect(initProfileV2FieldSelfApprove, "Allow self-approve", "", initReviewPolicySelfApproveOptions(), initReviewPolicySelfApproveChoice(policy.AllowSelfApprove))
-	document.addEditableSelect(initProfileV2FieldResolveThreads, "Resolve threads", "", []huh.Option[string]{
-		huh.NewOption("Use built-in default", ""),
-		huh.NewOption("Auto-resolve", string(config.ResolveThreadsAuto)),
-		huh.NewOption("Never resolve", string(config.ResolveThreadsNever)),
+	document.addEditableSelect(initProfileV2FieldSelfApprove, "Allow self-approve", "Relevant when this profile posts using a user account. If that account authored the PR, cr downgrades approval to a comment unless enabled.", initReviewPolicySelfApproveOptions(), initReviewPolicySelfApproveChoice(policy.AllowSelfApprove), initProfileV2FieldOptions{Hidden: hideSelfApprove})
+	document.addEditableSelect(initProfileV2FieldResolveThreads, "Resolve threads", "Controls whether cr may mark inline discussion threads as \"resolved\" when it evaluates the dialog, and determines a decision has been made. When enabled, cr treats the final comment as the cached outcome of the discussion. This removes the discussion thread from future calls to the LLM provider, saving both time and tokens.", []huh.Option[string]{
+		huh.NewOption("Auto-resolve (recommended)", string(config.ResolveThreadsAuto)),
+		huh.NewOption("Never resolve automatically", string(config.ResolveThreadsNever)),
 	}, string(policy.ResolveThreads))
-	document.addEditableInput(initProfileV2FieldResolveAfter, "Resolve-after duration", "Optional. Leave blank to clear. Example: 24h or 30m.", policy.ResolveAfter, validateOptionalDuration)
 }
 
 func initProfileV2AppendGitStorageSection(document *initProfileV2Document, storeOptions []huh.Option[string], storeID string, credentialName string) {
@@ -962,10 +962,14 @@ func (m *initProfileV2ReadOnlyModel) syncReviewerGitHubAppInstallationFields(res
 	m.setFieldHidden(initProfileV2FieldReviewerGitHubAppInstallationSection, !visible)
 	m.setFieldHidden(initProfileV2FieldReviewerGitHubAppInstallationMode, !visible)
 	m.setFieldHidden(initProfileV2FieldReviewerGitHubAppInstallationID, !pinned)
+	m.setFieldHidden(initProfileV2FieldSelfApprove, visible)
 	if !visible {
 		m.selectFieldValue(initProfileV2FieldReviewerGitHubAppInstallationMode, string(config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository))
 		m.setFieldValue(initProfileV2FieldReviewerGitHubAppInstallationID, "")
-	} else if reset && !pinned {
+	} else {
+		m.selectFieldValue(initProfileV2FieldSelfApprove, initSelfApproveDisallow)
+	}
+	if visible && reset && !pinned {
 		m.setFieldValue(initProfileV2FieldReviewerGitHubAppInstallationID, "")
 	}
 	if m.focused >= 0 && m.focused < len(m.document) && m.document[m.focused].Hidden {
@@ -1060,17 +1064,20 @@ func initProfileV2AgentSourcesFromDocument(document initProfileV2Document) []str
 func initProfileV2ReviewPolicyFromDocument(document initProfileV2Document) (config.ReviewPolicy, error) {
 	majorEvent := config.ReviewMajorEvent(document.selectedValue(initProfileV2FieldReviewMajorEvent))
 	if majorEvent == "" {
-		majorEvent = config.ReviewMajorEventComment
+		majorEvent = config.ReviewMajorEventRequestChanges
+	}
+	resolveThreads := config.ResolveThreadsPolicy(strings.TrimSpace(document.selectedValue(initProfileV2FieldResolveThreads)))
+	if resolveThreads == "" {
+		resolveThreads = config.ResolveThreadsAuto
 	}
-	resolveAfter := strings.TrimSpace(document.fieldValue(initProfileV2FieldResolveAfter))
-	if err := validateOptionalDuration(resolveAfter); err != nil {
-		return config.ReviewPolicy{}, err
+	allowSelfApprove := initReviewPolicyAllowSelfApprove(document.selectedValue(initProfileV2FieldSelfApprove))
+	if index := document.fieldIndexByID(initProfileV2FieldSelfApprove); index >= 0 && document[index].Hidden {
+		allowSelfApprove = false
 	}
 	return config.ReviewPolicy{
 		MajorEvent:       majorEvent,
-		AllowSelfApprove: initReviewPolicyAllowSelfApprove(document.selectedValue(initProfileV2FieldSelfApprove)),
-		ResolveThreads:   config.ResolveThreadsPolicy(strings.TrimSpace(document.selectedValue(initProfileV2FieldResolveThreads))),
-		ResolveAfter:     resolveAfter,
+		AllowSelfApprove: allowSelfApprove,
+		ResolveThreads:   resolveThreads,
 	}, nil
 }
 
@@ -1241,7 +1248,6 @@ var initProfileV2HeadingSet = func() map[string]bool {
 		"Major findings event":    true,
 		"Allow self-approve":      true,
 		"Resolve threads":         true,
-		"Resolve-after duration":  true,
 		"Git credentials":         true,
 		"Git credential store":    true,
 		"Git credential name":     true,
diff --git a/internal/config/config.go b/internal/config/config.go
index 1c7832f7..a9eff587 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -396,7 +396,6 @@ type ReviewPolicy struct {
 	MajorEvent       ReviewMajorEvent     `yaml:"major_event,omitempty" json:"major_event"`
 	AllowSelfApprove bool                 `yaml:"allow_self_approve,omitempty" json:"allow_self_approve"`
 	ResolveThreads   ResolveThreadsPolicy `yaml:"resolve_threads,omitempty" json:"resolve_threads,omitempty"`
-	ResolveAfter     string               `yaml:"resolve_after,omitempty" json:"resolve_after,omitempty"`
 }
 
 // DataConfig carries non-secret durable data policy.
@@ -1130,14 +1129,9 @@ func validateProfile(cfg File, name string, profile Profile) error {
 	if !profile.ReviewPolicy.MajorEvent.Valid() {
 		return invalid("profiles.%s.review_policy.major_event %q is invalid", name, profile.ReviewPolicy.MajorEvent)
 	}
-	if profile.ReviewPolicy.ResolveThreads != "" && !profile.ReviewPolicy.ResolveThreads.Valid() {
+	if !profile.ReviewPolicy.ResolveThreads.Valid() {
 		return invalid("profiles.%s.review_policy.resolve_threads %q is invalid", name, profile.ReviewPolicy.ResolveThreads)
 	}
-	if profile.ReviewPolicy.ResolveAfter != "" {
-		if _, err := time.ParseDuration(profile.ReviewPolicy.ResolveAfter); err != nil {
-			return invalid("profiles.%s.review_policy.resolve_after %q is invalid: %v", name, profile.ReviewPolicy.ResolveAfter, err)
-		}
-	}
 	return nil
 }
 
@@ -2144,7 +2138,10 @@ func (l LLMConfig) empty() bool {
 
 func (p ReviewPolicy) normalized() ReviewPolicy {
 	if p.MajorEvent == "" {
-		p.MajorEvent = ReviewMajorEventComment
+		p.MajorEvent = ReviewMajorEventRequestChanges
+	}
+	if p.ResolveThreads == "" {
+		p.ResolveThreads = ResolveThreadsAuto
 	}
 	return p
 }
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index becf2fe1..db33b4ec 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -2136,14 +2136,6 @@ func TestValidationCoversAgentSourcesReviewPolicyAndRetention(t *testing.T) {
 		t.Fatalf("bad resolve_threads Validate error = %v, want ErrInvalid", err)
 	}
 
-	cfg = validFile()
-	profile = cfg.Profiles["work"]
-	profile.ReviewPolicy.ResolveAfter = "two days"
-	cfg.Profiles["work"] = profile
-	if err := Validate(cfg); !errors.Is(err, ErrInvalid) {
-		t.Fatalf("bad resolve_after Validate error = %v, want ErrInvalid", err)
-	}
-
 	cfg = validFile()
 	cfg.Data.Retention.MaxAgeDays = intPtr(-1)
 	if err := Validate(cfg); !errors.Is(err, ErrInvalid) {
@@ -2291,7 +2283,6 @@ func validFile() File {
 					MajorEvent:       ReviewMajorEventRequestChanges,
 					AllowSelfApprove: true,
 					ResolveThreads:   ResolveThreadsNever,
-					ResolveAfter:     "48h",
 				},
 			},
 		},
diff --git a/internal/view/config.go b/internal/view/config.go
index 6516bcf4..2216b858 100644
--- a/internal/view/config.go
+++ b/internal/view/config.go
@@ -209,16 +209,21 @@ func RenderConfigText(w io.Writer, show ConfigShow) error {
 	if _, err := fmt.Fprintln(w, "Review policy:"); err != nil {
 		return err
 	}
-	if err := writeKV(w, "  Major event", string(show.Profile.ReviewPolicy.MajorEvent)); err != nil {
-		return err
+	majorEvent := show.Profile.ReviewPolicy.MajorEvent
+	if majorEvent == "" {
+		majorEvent = config.ReviewMajorEventRequestChanges
 	}
-	if err := writeKV(w, "  Allow self approve", fmt.Sprint(show.Profile.ReviewPolicy.AllowSelfApprove)); err != nil {
+	resolveThreads := show.Profile.ReviewPolicy.ResolveThreads
+	if resolveThreads == "" {
+		resolveThreads = config.ResolveThreadsAuto
+	}
+	if err := writeKV(w, "  Major event", string(majorEvent)); err != nil {
 		return err
 	}
-	if err := writeOptionalKV(w, "  Resolve threads", string(show.Profile.ReviewPolicy.ResolveThreads)); err != nil {
+	if err := writeKV(w, "  Allow self approve", fmt.Sprint(show.Profile.ReviewPolicy.AllowSelfApprove)); err != nil {
 		return err
 	}
-	if err := writeOptionalKV(w, "  Resolve after", show.Profile.ReviewPolicy.ResolveAfter); err != nil {
+	if err := writeKV(w, "  Resolve threads", string(resolveThreads)); err != nil {
 		return err
 	}
 
diff --git a/internal/view/config_test.go b/internal/view/config_test.go
index 3da99c1d..d9e67696 100644
--- a/internal/view/config_test.go
+++ b/internal/view/config_test.go
@@ -218,6 +218,7 @@ Credentials:
 Review policy:
   Major event: comment
   Allow self approve: false
+  Resolve threads: auto
 Data retention:
   Max age days: 90
   Enforcement: at_write
@@ -790,7 +791,6 @@ func workProfile() config.Profile {
 			MajorEvent:       config.ReviewMajorEventRequestChanges,
 			AllowSelfApprove: true,
 			ResolveThreads:   config.ResolveThreadsNever,
-			ResolveAfter:     "48h",
 		},
 	}
 }

From 65a30a8779c7460a28fea78ea23d1b5fe9f5b3fb Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Mon, 22 Jun 2026 14:00:38 -0400
Subject: [PATCH 20/27] Normalize derived credential refs

---
 internal/cmd/credentialcmd/credentialcmd.go   |  40 +++--
 .../cmd/credentialcmd/credentialcmd_test.go   | 167 +++++++++++++++++-
 .../credentialcmd/init_llm_runtime_editor.go  |   3 +-
 internal/cmd/credentialcmd/init_profile_v2.go |  45 ++++-
 .../init_reviewer_credential_status.go        |   2 +-
 5 files changed, 234 insertions(+), 23 deletions(-)

diff --git a/internal/cmd/credentialcmd/credentialcmd.go b/internal/cmd/credentialcmd/credentialcmd.go
index bfd3aa17..4bd63f88 100644
--- a/internal/cmd/credentialcmd/credentialcmd.go
+++ b/internal/cmd/credentialcmd/credentialcmd.go
@@ -1419,7 +1419,7 @@ func stageStandaloneInteractiveInitRepositoryAccess(session initSessionDraft, dr
 		scope.CredentialStore = initCredentialStoreDefaultID()
 	}
 	if scope.CredentialRef == "" {
-		ref, err := credentials.FormatRef(name)
+		ref, err := initCredentialRefFromSeed(name)
 		if err != nil {
 			return initSessionDraft{}, exitcode.Usage(err)
 		}
@@ -1708,7 +1708,7 @@ func stageStandaloneInteractiveInitLLMRuntime(session initSessionDraft, draft in
 		name = uniqueInitLLMRuntimeName(buildInitStandaloneLLMRuntimeNameSet(working.LLMRuntimes), runtime.suggestedName())
 	}
 	if runtime.Auth == config.LLMAuthAPIKey && strings.TrimSpace(runtime.CredentialRef) == "" {
-		ref, err := credentials.FormatRef(name)
+		ref, err := initCredentialRefFromSeed(name)
 		if err != nil {
 			return initSessionDraft{}, exitcode.Usage(err)
 		}
@@ -1818,7 +1818,7 @@ func stageStandaloneInteractiveInitReviewerEntity(session initSessionDraft, flag
 		if previous != nil && strings.TrimSpace(previous.CredentialRef) != "" {
 			entity.CredentialRef = strings.TrimSpace(previous.CredentialRef)
 		} else {
-			ref, err := credentials.FormatRef(name)
+			ref, err := initCredentialRefFromSeed(name)
 			if err != nil {
 				return initSessionDraft{}, exitcode.Usage(err)
 			}
@@ -2537,7 +2537,7 @@ func initReviewerEntityInventoryRows(ctx initPromptContext) []initInventoryRow {
 }
 
 func standardReviewerCredentialRef(profileName string) (string, error) {
-	return credentials.FormatRef(profileName + "-reviewer")
+	return initCredentialRefFromSeed(profileName + "-reviewer")
 }
 
 func standardReviewerCredentialRefForEntity(entity initReviewerEntityDraft) (string, error) {
@@ -2545,7 +2545,7 @@ func standardReviewerCredentialRefForEntity(entity initReviewerEntityDraft) (str
 	if name == "" {
 		name = entity.suggestedName()
 	}
-	return credentials.FormatRef(name)
+	return initCredentialRefFromSeed(name)
 }
 
 func (p huhInitPrompter) Run(ctx initPromptContext) (initDraft, error) {
@@ -3324,6 +3324,14 @@ func initStorageLabelUsesDefault(value, standard string) bool {
 	return value == "" || value == standard
 }
 
+func initCredentialRefFromSeed(seed string) (string, error) {
+	segment := credstore.EscapeRefSegment(strings.TrimSpace(seed))
+	if segment == "" {
+		return "", fmt.Errorf("credential name seed is required")
+	}
+	return credentials.FormatRef(segment)
+}
+
 type initStorageLabelFieldState struct {
 	Value       string
 	UsesDefault bool
@@ -3341,7 +3349,7 @@ func initStandardGitCredentialRef(profileName, selection string, scopes map[stri
 			return strings.TrimSpace(scope.CredentialRef), nil
 		}
 	}
-	return credentials.FormatRef(profileName)
+	return initCredentialRefFromSeed(profileName)
 }
 
 func initReviewerStorageLabelRelevant(selection string, entities map[string]initReviewerEntityDraft) bool {
@@ -3388,7 +3396,7 @@ func initStandardLLMCredentialRef(profileName, selection string, runtimes map[st
 	if runtime, ok := runtimes[selection]; ok && strings.TrimSpace(runtime.CredentialRef) != "" {
 		return strings.TrimSpace(runtime.CredentialRef), nil
 	}
-	return credentials.FormatRef(profileName + "-llm")
+	return initCredentialRefFromSeed(profileName + "-llm")
 }
 
 func normalizeInitProfileStorageLabels(draft *initDraft, selectedGitScope, selectedReviewerEntity, selectedLLMRuntime string, scopes map[string]initGitScopeDraft, entities map[string]initReviewerEntityDraft, runtimes map[string]initLLMRuntimeDraft, labels initStorageLabelNormalizationInput) error {
@@ -4457,9 +4465,9 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 		existingCopy := existing
 		previousProfile = &existingCopy
 	}
-	defaultGitRef, err := credentials.FormatRef(profileName)
+	defaultGitRef, err := initCredentialRefFromSeed(profileName)
 	if err != nil {
-		return initPlan{}, exitcode.Usage(fmt.Errorf("profile %q cannot be used as a credential name segment: %w", profileName, err))
+		return initPlan{}, exitcode.Usage(fmt.Errorf("profile %q cannot be used as a credential name seed: %w", profileName, err))
 	}
 	gitRef := flags.gitRef
 	if gitRef == "" {
@@ -4500,7 +4508,7 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 			if previousProfile != nil && previousProfile.ReviewerCredentials != nil && previousProfile.ReviewerCredentials.CredentialRef != "" {
 				reviewerRef = previousProfile.ReviewerCredentials.CredentialRef
 			} else {
-				reviewerRef, err = credentials.FormatRef(profileName + "-reviewer")
+				reviewerRef, err = initCredentialRefFromSeed(profileName + "-reviewer")
 				if err != nil {
 					return initPlan{}, exitcode.Usage(err)
 				}
@@ -4518,7 +4526,7 @@ func buildNonInteractiveInitPlan(cmd *cobra.Command, opts *root.Options, flags i
 		if previousProfile != nil && previousProfile.LLM.Auth == config.LLMAuthAPIKey && previousProfile.LLM.CredentialRef != "" {
 			llmRef = previousProfile.LLM.CredentialRef
 		} else {
-			llmRef, err = credentials.FormatRef(profileName + "-llm")
+			llmRef, err = initCredentialRefFromSeed(profileName + "-llm")
 			if err != nil {
 				return initPlan{}, exitcode.Usage(err)
 			}
@@ -5471,7 +5479,7 @@ func initLLMConfigForReplacement(profileName string, runtime initLLMRuntimeDraft
 	if strings.TrimSpace(llm.CredentialRef) != "" {
 		return llm, nil
 	}
-	ref, err := credentials.FormatRef(profileName + "-llm")
+	ref, err := initCredentialRefFromSeed(profileName + "-llm")
 	if err != nil {
 		return config.LLMConfig{}, exitcode.Usage(err)
 	}
@@ -6082,9 +6090,9 @@ func synthesizeInteractiveProfile(flags initOptions, profileName string, previou
 		profile.LLM.Auth = config.LLMAuth(flags.llmAuth)
 		profile.LLM.Adapter = config.LLMAdapter(flags.llmAdapter)
 	}
-	defaultGitRef, err := credentials.FormatRef(profileName)
+	defaultGitRef, err := initCredentialRefFromSeed(profileName)
 	if err != nil {
-		return config.Profile{}, exitcode.Usage(fmt.Errorf("profile %q cannot be used as a credential name segment: %w", profileName, err))
+		return config.Profile{}, exitcode.Usage(fmt.Errorf("profile %q cannot be used as a credential name seed: %w", profileName, err))
 	}
 	profile.Git.Host = strings.TrimSpace(draft.GitHost)
 	profile.Git.AuthMode = config.GitAuthMode(draft.GitAuth)
@@ -6103,7 +6111,7 @@ func synthesizeInteractiveProfile(flags initOptions, profileName string, previou
 		if reviewerRef == "" {
 			// A blank draft ref means "use this profile's standard reviewer secret location";
 			// expand it here so renames and shared-entity propagation can re-derive consistently.
-			reviewerRef, err = credentials.FormatRef(profileName + "-reviewer")
+			reviewerRef, err = initCredentialRefFromSeed(profileName + "-reviewer")
 			if err != nil {
 				return config.Profile{}, exitcode.Usage(err)
 			}
@@ -6132,7 +6140,7 @@ func synthesizeInteractiveProfile(flags initOptions, profileName string, previou
 	if profile.LLM.Auth == config.LLMAuthAPIKey {
 		llmRef := strings.TrimSpace(draft.LLMCredentialRef)
 		if llmRef == "" {
-			llmRef, err = credentials.FormatRef(profileName + "-llm")
+			llmRef, err = initCredentialRefFromSeed(profileName + "-llm")
 			if err != nil {
 				return config.Profile{}, exitcode.Usage(err)
 			}
diff --git a/internal/cmd/credentialcmd/credentialcmd_test.go b/internal/cmd/credentialcmd/credentialcmd_test.go
index 2fe5de76..c6425ffb 100644
--- a/internal/cmd/credentialcmd/credentialcmd_test.go
+++ b/internal/cmd/credentialcmd/credentialcmd_test.go
@@ -515,6 +515,29 @@ func TestInitNonInteractiveWritesConfigAndSecret(t *testing.T) {
 	assertFakeStored(t, store, "default", credentials.GitTokenKey, "init-token")
 }
 
+func TestInitNonInteractiveNormalizesProfileNameCredentialRefs(t *testing.T) {
+	path := filepath.Join(t.TempDir(), "config.yml")
+	t.Setenv("CR_REVIEWER_TOKEN", "reviewer-token")
+	store := newFakeInitStore(nil)
+	flags := defaultNonInteractiveInitOptionsForTest()
+	flags.reviewerTokenEnv = "CR_REVIEWER_TOKEN"
+	_, _, err := runNonInteractiveInitWithFakeStore(t, path, "bad.profile", strings.NewReader(""), flags, store)
+	if err != nil {
+		t.Fatalf("Execute: %v", err)
+	}
+	cfg, err := config.Load(path)
+	if err != nil {
+		t.Fatalf("Load config: %v", err)
+	}
+	profile := cfg.Profiles["bad.profile"]
+	if profile.Git.CredentialRef != "codereview/bad_x2eprofile" {
+		t.Fatalf("Git.CredentialRef = %q, want normalized profile ref", profile.Git.CredentialRef)
+	}
+	if profile.ReviewerCredentials == nil || profile.ReviewerCredentials.CredentialRef != "codereview/bad_x2eprofile-reviewer" {
+		t.Fatalf("ReviewerCredentials = %#v, want normalized reviewer ref", profile.ReviewerCredentials)
+	}
+}
+
 func TestInitNonInteractiveWritesReviewerCredential(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	t.Setenv("CR_GIT_TOKEN", "git-token")
@@ -13621,6 +13644,79 @@ func TestSynthesizeInteractiveProfilePersistsPinnedGitHubAppInstallation(t *test
 	}
 }
 
+func TestInitCredentialRefFromSeedEscapesUnsafeCharacters(t *testing.T) {
+	tests := []struct {
+		name    string
+		seed    string
+		wantRef string
+	}{
+		{"plain ascii", "work", "codereview/work"},
+		{"digits and hyphen", "staging-2", "codereview/staging-2"},
+		{"underscore doubles", "github_rianjs", "codereview/github__rianjs"},
+		{"trims outer spaces", "  spaced name  ", "codereview/spaced_x20name"},
+		{"slash", "open-cli-collective/rianjs-bot", "codereview/open-cli-collective_x2frianjs-bot"},
+		{"backslash", `open-cli-collective\rianjs-bot`, "codereview/open-cli-collective_x5crianjs-bot"},
+		{"ascii punctuation", "a.b:c@d#e$f%g^h&i*j+k=1", "codereview/a_x2eb_x3ac_x40d_x23e_x24f_x25g_x5eh_x26i_x2aj_x2bk_x3d1"},
+		{"control characters", "line\nbreak\ttab", "codereview/line_x0abreak_x09tab"},
+		{"colon run", "foo::::::::::::::-bar", "codereview/foo" + strings.Repeat("_x3a", 14) + "-bar"},
+		{"accent and cjk", "Rían/机器人", "codereview/R_xc3_xadan_x2f_xe6_x9c_xba_xe5_x99_xa8_xe4_xba_xba"},
+		{"emoji", "reviewer 🤖🔥", "codereview/reviewer_x20_xf0_x9f_xa4_x96_xf0_x9f_x94_xa5"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := initCredentialRefFromSeed(tt.seed)
+			if err != nil {
+				t.Fatalf("initCredentialRefFromSeed(%q): %v", tt.seed, err)
+			}
+			if got != tt.wantRef {
+				t.Fatalf("initCredentialRefFromSeed(%q) = %q, want %q", tt.seed, got, tt.wantRef)
+			}
+			if _, err := credentials.ParseRef(got); err != nil {
+				t.Fatalf("normalized ref %q failed ParseRef: %v", got, err)
+			}
+		})
+	}
+}
+
+func TestInitCredentialRefFromSeedRejectsEmptySeed(t *testing.T) {
+	for _, seed := range []string{"", "   ", "\n\t"} {
+		t.Run(fmt.Sprintf("%q", seed), func(t *testing.T) {
+			if got, err := initCredentialRefFromSeed(seed); err == nil {
+				t.Fatalf("initCredentialRefFromSeed(%q) = %q, want error", seed, got)
+			}
+		})
+	}
+}
+
+func TestSynthesizeInteractiveProfileNormalizesProfileNameCredentialRefs(t *testing.T) {
+	draft := initDraft{
+		ProfileName:             "open-cli-collective/rianjs-bot",
+		GitHost:                 "github.com",
+		GitAuth:                 string(config.GitAuthModePAT),
+		GitCredentialStore:      config.LocalOSCredentialStoreID,
+		ReviewerEnabled:         true,
+		ReviewerAuth:            string(config.GitAuthModePAT),
+		ReviewerCredentialStore: config.LocalOSCredentialStoreID,
+		LLMProvider:             string(config.LLMProviderOpenAI),
+		LLMAuth:                 string(config.LLMAuthAPIKey),
+		LLMAdapter:              string(config.LLMAdapterOpenAIAPI),
+		LLMCredentialStore:      config.LocalOSCredentialStoreID,
+	}
+	profile, err := synthesizeInteractiveProfile(initOptions{gitHost: "github.com"}, "open-cli-collective/rianjs-bot", nil, draft)
+	if err != nil {
+		t.Fatalf("synthesizeInteractiveProfile: %v", err)
+	}
+	if profile.Git.CredentialRef != "codereview/open-cli-collective_x2frianjs-bot" {
+		t.Fatalf("Git.CredentialRef = %q, want normalized profile ref", profile.Git.CredentialRef)
+	}
+	if profile.ReviewerCredentials == nil || profile.ReviewerCredentials.CredentialRef != "codereview/open-cli-collective_x2frianjs-bot-reviewer" {
+		t.Fatalf("ReviewerCredentials = %#v, want normalized reviewer ref", profile.ReviewerCredentials)
+	}
+	if profile.LLM.CredentialRef != "codereview/open-cli-collective_x2frianjs-bot-llm" {
+		t.Fatalf("LLM.CredentialRef = %q, want normalized LLM ref", profile.LLM.CredentialRef)
+	}
+}
+
 func TestInitProfileV2NoRuntimeBootstrapRequestsExistingFlow(t *testing.T) {
 	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithSelections("monit", "github.com/SignalFT", nil, nil), 160, 40)
 	model = focusInitProfileV2Field(t, model, initProfileV2FieldLLMRuntime)
@@ -13879,6 +13975,76 @@ func TestInitProfileV2GitCredentialNameFollowsChangedScopeDefaultWhenUnedited(t
 	}
 }
 
+func TestInitProfileV2ProfileNameUpdatesAutoManagedLLMCredentialName(t *testing.T) {
+	llmRuntimes := map[string]initLLMRuntimeDraft{
+		"openai-work": {
+			Name:            "openai-work",
+			Preset:          initLLMRuntimePresetOpenAIAPIKey,
+			Provider:        config.LLMProviderOpenAI,
+			Auth:            config.LLMAuthAPIKey,
+			Adapter:         config.LLMAdapterOpenAIAPI,
+			CredentialStore: config.LocalOSCredentialStoreID,
+		},
+	}
+	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithRuntimeAndModelMap(
+		"work",
+		"github.com/SignalFT",
+		llmRuntimes,
+		"openai-work",
+	), 160, 40)
+	if got := model.document.fieldValue(initProfileV2FieldLLMCredentialName); got != "codereview/work-llm" {
+		t.Fatalf("initial LLM credential name = %q, want auto-managed work ref", got)
+	}
+	refIndex := model.document.fieldIndexByID(initProfileV2FieldLLMCredentialName)
+	if refIndex < 0 || !model.document[refIndex].AutoManaged {
+		t.Fatalf("LLM credential name AutoManaged = false, want true")
+	}
+
+	model = focusInitProfileV2Field(t, model, initProfileV2FieldProfileName)
+	model = updateInitProfileV2ReadOnlyModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
+	model = typeInitProfileV2Text(t, model, "open-cli-collective/rianjs-bot")
+
+	if got := model.document.fieldValue(initProfileV2FieldLLMCredentialName); got != "codereview/open-cli-collective_x2frianjs-bot-llm" {
+		t.Fatalf("LLM credential name after profile edit = %q, want normalized profile-derived ref", got)
+	}
+	draft, err := model.validatedDraft()
+	if err != nil {
+		t.Fatalf("validatedDraft: %v", err)
+	}
+	if draft.LLMCredentialRef != "codereview/open-cli-collective_x2frianjs-bot-llm" {
+		t.Fatalf("draft.LLMCredentialRef = %q, want normalized profile-derived ref", draft.LLMCredentialRef)
+	}
+}
+
+func TestInitProfileV2ManualLLMCredentialNameStopsProfileNameAutoUpdate(t *testing.T) {
+	llmRuntimes := map[string]initLLMRuntimeDraft{
+		"openai-work": {
+			Name:            "openai-work",
+			Preset:          initLLMRuntimePresetOpenAIAPIKey,
+			Provider:        config.LLMProviderOpenAI,
+			Auth:            config.LLMAuthAPIKey,
+			Adapter:         config.LLMAdapterOpenAIAPI,
+			CredentialStore: config.LocalOSCredentialStoreID,
+		},
+	}
+	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithRuntimeAndModelMap(
+		"work",
+		"github.com/SignalFT",
+		llmRuntimes,
+		"openai-work",
+	), 160, 40)
+	model = focusInitProfileV2Field(t, model, initProfileV2FieldLLMCredentialName)
+	model = updateInitProfileV2ReadOnlyModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
+	model = typeInitProfileV2Text(t, model, "codereview/custom-llm")
+	model = focusInitProfileV2Field(t, model, initProfileV2FieldProfileName)
+	model = updateInitProfileV2ReadOnlyModel(t, model, tea.KeyMsg{Type: tea.KeyCtrlU})
+	model = typeInitProfileV2Text(t, model, "open-cli-collective/rianjs-bot")
+
+	if got := model.document.fieldValue(initProfileV2FieldLLMCredentialName); got != "codereview/custom-llm" {
+		t.Fatalf("manual LLM credential name = %q, want profile edit not to overwrite it", got)
+	}
+}
+
 func TestInitProfileV2ProfileActionStagesValidatedDraft(t *testing.T) {
 	editor := newTestInitProfileV2Editor("monit", "github.com/SignalFT")
 	initProfileV2AppendProfileActionSection(&editor.Document)
@@ -21264,7 +21430,6 @@ func TestInitRejectsInvalidSecretAndProfileInputs(t *testing.T) {
 	}{
 		{name: "two stdin secrets", args: []string{"init", "--non-interactive", "--git-token-stdin", "--llm-api-key-stdin"}},
 		{name: "git and reviewer stdin secrets", args: []string{"init", "--non-interactive", "--git-token-stdin", "--reviewer-token-stdin"}},
-		{name: "invalid profile segment", args: []string{"--profile", "bad.profile", "init", "--non-interactive"}},
 		{name: "reviewer ref matches git ref", args: []string{"init", "--non-interactive", "--reviewer-credential-ref", "codereview/default"}},
 		{name: "unsupported git auth", args: []string{"init", "--non-interactive", "--git-auth-mode", string(config.GitAuthModeOAuthDevice)}},
 		{name: "git token ingress under github app", args: []string{"init", "--non-interactive", "--git-auth-mode", string(config.GitAuthModeGitHubApp), "--git-token-from-env", "CR_GIT_TOKEN"}},
diff --git a/internal/cmd/credentialcmd/init_llm_runtime_editor.go b/internal/cmd/credentialcmd/init_llm_runtime_editor.go
index 5d534e49..061a43c5 100644
--- a/internal/cmd/credentialcmd/init_llm_runtime_editor.go
+++ b/internal/cmd/credentialcmd/init_llm_runtime_editor.go
@@ -10,7 +10,6 @@ import (
 	"github.com/charmbracelet/huh"
 
 	"github.com/open-cli-collective/codereview-cli/internal/config"
-	"github.com/open-cli-collective/codereview-cli/internal/credentials"
 )
 
 type initLLMRuntimeEditorRunner func(initLinearEditor, io.Reader, io.Writer) (initLinearEditorModel, error)
@@ -488,7 +487,7 @@ func initLLMRuntimeDefaultCredentialName(ctx initPromptContext, draft initDraft,
 	if _, configured := ctx.LLMRuntimes[selection]; configured {
 		nameSeed = strings.TrimSpace(selection)
 	}
-	ref, err := credentials.FormatRef(nameSeed)
+	ref, err := initCredentialRefFromSeed(nameSeed)
 	if err != nil {
 		return ""
 	}
diff --git a/internal/cmd/credentialcmd/init_profile_v2.go b/internal/cmd/credentialcmd/init_profile_v2.go
index 641da8cd..618468f5 100644
--- a/internal/cmd/credentialcmd/init_profile_v2.go
+++ b/internal/cmd/credentialcmd/init_profile_v2.go
@@ -13,7 +13,6 @@ import (
 
 	"github.com/open-cli-collective/codereview-cli/internal/cmd/root"
 	"github.com/open-cli-collective/codereview-cli/internal/config"
-	"github.com/open-cli-collective/codereview-cli/internal/credentials"
 )
 
 type bubbleTeaInitProfileV2Prompter struct {
@@ -370,6 +369,7 @@ func initProfileV2ReadOnlyEditor(ctx initPromptContext, selection string) (initP
 	if strings.TrimSpace(draft.LLMCredentialRef) == "" {
 		draft.LLMCredentialRef = standardLLMCredentialRef
 	}
+	llmCredentialAutoManaged := strings.TrimSpace(draft.LLMCredentialRef) != "" && strings.TrimSpace(draft.LLMCredentialRef) == strings.TrimSpace(standardLLMCredentialRef)
 	storeOptions := initCredentialStoreOptions(ctx.ExistingConfig)
 
 	var document initProfileV2Document
@@ -391,6 +391,9 @@ func initProfileV2ReadOnlyEditor(ctx initPromptContext, selection string) (initP
 	initProfileV2AppendAgentSourcesSection(&document, draft.AgentSources)
 	initProfileV2AppendReviewPolicySection(&document, draft.ReviewPolicy, initProfileV2ReviewerEntityKindForSelection(selectedReviewerEntity, ctx.ReviewerEntities) == initReviewerEntityKindGitHubApp)
 	initProfileV2AppendProfileActionSection(&document)
+	if index := document.fieldIndexByID(initProfileV2FieldLLMCredentialName); index >= 0 {
+		document[index].AutoManaged = llmCredentialAutoManaged
+	}
 	return initProfileV2Editor{
 		Draft:                  draft,
 		GitScopes:              maps.Clone(ctx.GitScopes),
@@ -773,6 +776,13 @@ func (m *initProfileV2ReadOnlyModel) afterFieldChange(index int) {
 		m.syncGitScopeFields()
 		return
 	}
+	if id == initProfileV2FieldProfileName {
+		m.syncProfileNameDerivedCredentialFields()
+		return
+	}
+	if id == initProfileV2FieldLLMCredentialName {
+		m.document[index].AutoManaged = false
+	}
 	if id == initProfileV2FieldReviewerEntity {
 		m.syncReviewerGitHubAppInstallationFields(true)
 		return
@@ -920,6 +930,25 @@ func (m initProfileV2ReadOnlyModel) normalizeStorageLabels(*initDraft, string, s
 	return nil
 }
 
+func (m *initProfileV2ReadOnlyModel) syncProfileNameDerivedCredentialFields() {
+	index := m.document.fieldIndexByID(initProfileV2FieldLLMCredentialName)
+	if index < 0 || m.document[index].Hidden || !m.document[index].AutoManaged {
+		return
+	}
+	ref, err := initStandardLLMCredentialRef(
+		m.document.fieldValue(initProfileV2FieldProfileName),
+		m.document.selectedValue(initProfileV2FieldLLMRuntime),
+		m.llmRuntimes,
+	)
+	if err == nil && strings.TrimSpace(ref) != "" {
+		m.setFieldValue(initProfileV2FieldLLMCredentialName, ref)
+		if index = m.document.fieldIndexByID(initProfileV2FieldLLMCredentialName); index >= 0 {
+			m.document[index].AutoManaged = true
+		}
+	}
+	m.validateField(m.document.fieldIndexByID(initProfileV2FieldLLMCredentialName))
+}
+
 func (m *initProfileV2ReadOnlyModel) syncGitScopeFields() {
 	selectedGitScope := m.document.selectedValue(initProfileV2FieldGitScope)
 	if selectedGitScope == "" {
@@ -996,15 +1025,25 @@ func (m *initProfileV2ReadOnlyModel) syncLLMCredentialFields(reset bool) {
 	if !needsCredential {
 		return
 	}
-	if reset {
+	credentialNameIndex := m.document.fieldIndexByID(initProfileV2FieldLLMCredentialName)
+	shouldPopulate := reset
+	if !shouldPopulate && credentialNameIndex >= 0 && strings.TrimSpace(m.document[credentialNameIndex].Value) == "" {
+		shouldPopulate = true
+	}
+	if shouldPopulate {
+		autoManaged := false
 		if strings.TrimSpace(draft.LLMCredentialRef) == "" {
-			ref, err := credentials.FormatRef(strings.TrimSpace(m.document.fieldValue(initProfileV2FieldProfileName)) + "-llm")
+			ref, err := initStandardLLMCredentialRef(m.document.fieldValue(initProfileV2FieldProfileName), selectedLLMRuntime, m.llmRuntimes)
 			if err == nil {
 				draft.LLMCredentialRef = ref
+				autoManaged = true
 			}
 		}
 		m.selectFieldValue(initProfileV2FieldLLMCredentialStore, initCredentialStoreDraftValue(draft.LLMCredentialStore))
 		m.setFieldValue(initProfileV2FieldLLMCredentialName, draft.LLMCredentialRef)
+		if credentialNameIndex = m.document.fieldIndexByID(initProfileV2FieldLLMCredentialName); credentialNameIndex >= 0 {
+			m.document[credentialNameIndex].AutoManaged = autoManaged
+		}
 	}
 	m.validateField(m.document.fieldIndexByID(initProfileV2FieldLLMCredentialName))
 }
diff --git a/internal/cmd/credentialcmd/init_reviewer_credential_status.go b/internal/cmd/credentialcmd/init_reviewer_credential_status.go
index bda457dc..457c0611 100644
--- a/internal/cmd/credentialcmd/init_reviewer_credential_status.go
+++ b/internal/cmd/credentialcmd/init_reviewer_credential_status.go
@@ -186,7 +186,7 @@ func appendSelectableReviewerCredentialPlanEntries(session initSessionDraft, pro
 	for _, entry := range entries {
 		seen[initCredentialEntryKey(entry.Ref)] = struct{}{}
 	}
-	if standardRef, err := credentials.FormatRef(session.workspace.profileName + "-reviewer"); err == nil {
+	if standardRef, err := initCredentialRefFromSeed(session.workspace.profileName + "-reviewer"); err == nil {
 		entries = appendReviewerCredentialPlanEntry(entries, seen, resolved, plannedWriteKeys, config.CredentialRef{
 			Purpose: "reviewer_credentials",
 			Store:   reviewerStoreID,

From 3988c29cf95df8fbfe7f58f955d4585356cb7a56 Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Mon, 22 Jun 2026 14:11:14 -0400
Subject: [PATCH 21/27] Keep spacebar editing focused init inputs

---
 .../cmd/credentialcmd/credentialcmd_test.go   | 39 +++++++++++++++++++
 .../cmd/credentialcmd/init_linear_editor.go   |  6 +++
 internal/cmd/credentialcmd/init_profile_v2.go |  6 +++
 3 files changed, 51 insertions(+)

diff --git a/internal/cmd/credentialcmd/credentialcmd_test.go b/internal/cmd/credentialcmd/credentialcmd_test.go
index c6425ffb..892cadee 100644
--- a/internal/cmd/credentialcmd/credentialcmd_test.go
+++ b/internal/cmd/credentialcmd/credentialcmd_test.go
@@ -10404,6 +10404,26 @@ func TestInitLinearEditorArrowKeysDoNotScrollFocusedInput(t *testing.T) {
 	}
 }
 
+func TestInitLinearEditorSpaceKeyEditsFocusedInputInsteadOfPagingDown(t *testing.T) {
+	const inputField initLinearFieldID = "input"
+	var document initLinearDocument
+	document.addEditableInput(inputField, "Input", "", "value", nil)
+	for i := 0; i < 20; i++ {
+		document.addSection(fmt.Sprintf("Section %02d", i), "Context line")
+	}
+	model := newInitLinearEditorModel(initLinearEditor{Document: document}, 120, 5)
+	beforeOffset := model.viewport.YOffset
+
+	model = updateInitLinearEditorModel(t, model, tea.KeyMsg{Type: tea.KeySpace})
+
+	if got, want := model.document.fieldValue(inputField), "value "; got != want {
+		t.Fatalf("input field value = %q, want %q", got, want)
+	}
+	if got := model.viewport.YOffset; got != beforeOffset {
+		t.Fatalf("viewport YOffset after input space = %d, want unchanged %d", got, beforeOffset)
+	}
+}
+
 func TestInitLinearEditorOnlyFocusedSelectedFieldShowsCaret(t *testing.T) {
 	const firstField initLinearFieldID = "first"
 	const secondField initLinearFieldID = "second"
@@ -13185,6 +13205,25 @@ func TestInitProfileV2ArrowKeysDoNotScrollFocusedInput(t *testing.T) {
 	}
 }
 
+func TestInitProfileV2SpaceKeyEditsFocusedInputInsteadOfPagingDown(t *testing.T) {
+	model := newInitProfileV2ReadOnlyModel(newTestInitProfileV2EditorWithSelections("monit", "github.com/rianjs", nil, nil), 120, 8)
+	model = focusInitProfileV2Field(t, model, initProfileV2FieldRoutes)
+	beforeOffset := model.viewport.YOffset
+	beforeFocus := model.focused
+
+	model = updateInitProfileV2ReadOnlyModel(t, model, tea.KeyMsg{Type: tea.KeySpace})
+
+	if model.focused != beforeFocus {
+		t.Fatalf("focused field = %d, want unchanged %d", model.focused, beforeFocus)
+	}
+	if got, want := model.document.fieldValue(initProfileV2FieldRoutes), "github.com/rianjs "; got != want {
+		t.Fatalf("route field value = %q, want %q", got, want)
+	}
+	if got := model.viewport.YOffset; got != beforeOffset {
+		t.Fatalf("viewport YOffset after input space = %d, want unchanged %d", got, beforeOffset)
+	}
+}
+
 func TestInitProfileV2OnlyFocusedSelectedFieldShowsCaret(t *testing.T) {
 	const firstField initProfileV2FieldID = "first"
 	const secondField initProfileV2FieldID = "second"
diff --git a/internal/cmd/credentialcmd/init_linear_editor.go b/internal/cmd/credentialcmd/init_linear_editor.go
index 3e7a2bac..4d6426e3 100644
--- a/internal/cmd/credentialcmd/init_linear_editor.go
+++ b/internal/cmd/credentialcmd/init_linear_editor.go
@@ -444,6 +444,12 @@ func (m *initLinearEditorModel) handleFocusedInputKey(msg tea.KeyMsg) bool {
 		}
 		field.Value = initLinearInsertRunes(field.Value, field.Cursor, key.Runes)
 		field.Cursor += len(key.Runes)
+	case tea.KeySpace:
+		if msg.Alt {
+			return false
+		}
+		field.Value = initLinearInsertRunes(field.Value, field.Cursor, []rune{' '})
+		field.Cursor++
 	case tea.KeyBackspace, tea.KeyCtrlH:
 		field.Value, field.Cursor = initLinearDeleteBeforeCursor(field.Value, field.Cursor)
 	case tea.KeyDelete, tea.KeyCtrlD:
diff --git a/internal/cmd/credentialcmd/init_profile_v2.go b/internal/cmd/credentialcmd/init_profile_v2.go
index 618468f5..fad32a56 100644
--- a/internal/cmd/credentialcmd/init_profile_v2.go
+++ b/internal/cmd/credentialcmd/init_profile_v2.go
@@ -658,6 +658,12 @@ func (m *initProfileV2ReadOnlyModel) handleFocusedInputKey(msg tea.KeyMsg) bool
 		}
 		field.Value = initProfileV2InsertRunes(field.Value, field.Cursor, key.Runes)
 		field.Cursor += len(key.Runes)
+	case tea.KeySpace:
+		if msg.Alt {
+			return false
+		}
+		field.Value = initProfileV2InsertRunes(field.Value, field.Cursor, []rune{' '})
+		field.Cursor++
 	case tea.KeyBackspace, tea.KeyCtrlH:
 		field.Value, field.Cursor = initProfileV2DeleteBeforeCursor(field.Value, field.Cursor)
 	case tea.KeyDelete, tea.KeyCtrlD:

From de2f3f5404e02018ec9ba53aa39e033bed380be2 Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Mon, 22 Jun 2026 14:23:01 -0400
Subject: [PATCH 22/27] Clarify GitHub App installation pinning

---
 README.md                                        | 10 ++++++----
 internal/cmd/credentialcmd/credentialcmd_test.go | 12 ++++++++++--
 internal/cmd/credentialcmd/init_profile_v2.go    |  8 ++++----
 3 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index 4b46d76a..7be20081 100644
--- a/README.md
+++ b/README.md
@@ -228,8 +228,10 @@ matching are case-sensitive after trimming whitespace. An explicit `--profile`
 bypasses repository routing. Route targets still use the profile's configured
 auth mode. Passing `--profile ""` is invalid.
 For GitHub App reviewer entities, the review profile chooses whether `cr review`
-discovers the installation from the PR owner/repo or uses a pinned installation
-ID stored in profile config.
+discovers the installation from each PR owner/repo or uses one pinned
+installation ID stored in profile config. Discovery is the normal choice for
+profiles routed to multiple organizations or users; pinning is only appropriate
+when every route for that profile uses the same installation.
 
 Add or replace one credential later:
 
@@ -406,8 +408,8 @@ outside init. Example:
 
 GitHub App reviewer credentials store the App ID and private key only. The
 review profile stores installation routing: `discover_from_repository` for PR
-context lookup, or `pinned` with a numeric installation ID when commands without
-repository context should use one known installation.
+context lookup, or `pinned` with one numeric installation ID when every route for
+that profile shares the same installation.
 
 ```bash
 cr --profile work init --non-interactive \
diff --git a/internal/cmd/credentialcmd/credentialcmd_test.go b/internal/cmd/credentialcmd/credentialcmd_test.go
index 892cadee..d9c47216 100644
--- a/internal/cmd/credentialcmd/credentialcmd_test.go
+++ b/internal/cmd/credentialcmd/credentialcmd_test.go
@@ -13592,8 +13592,16 @@ func TestInitProfileV2GitHubAppInstallationFieldsFollowReviewerSelection(t *test
 	if model.document[idIndex].Hidden != true {
 		t.Fatalf("installation ID visible for discover mode:\n%s", model.View())
 	}
-	if !strings.Contains(model.View(), "Discover from PR repository at review time") {
-		t.Fatalf("view missing discovery option:\n%s", model.View())
+	for _, want := range []string{
+		"Discover from PR repository at review time (recommended)",
+		"Pin one installation ID (advanced)",
+		"supports profiles",
+		"routed to multiple organizations or users",
+		"every route for this profile uses the same installation",
+	} {
+		if !strings.Contains(model.View(), want) {
+			t.Fatalf("view missing GitHub App installation copy %q:\n%s", want, model.View())
+		}
 	}
 	draft, err := model.validatedDraft()
 	if err != nil {
diff --git a/internal/cmd/credentialcmd/init_profile_v2.go b/internal/cmd/credentialcmd/init_profile_v2.go
index fad32a56..8728f7a3 100644
--- a/internal/cmd/credentialcmd/init_profile_v2.go
+++ b/internal/cmd/credentialcmd/init_profile_v2.go
@@ -511,7 +511,7 @@ func initProfileV2AppendReviewerGitHubAppInstallationSection(document *initProfi
 	document.addSectionField(
 		initProfileV2FieldReviewerGitHubAppInstallationSection,
 		"GitHub App installation",
-		"Choose how cr finds the GitHub App installation for this review profile.",
+		"Choose how cr finds the GitHub App installation for this review profile. Discovery resolves the installation from each PR repository and supports profiles routed to multiple organizations or users. Pinning is only appropriate when every route for this profile uses the same installation.",
 		initProfileV2FieldOptions{Hidden: hidden},
 	)
 	document.addEditableSelect(
@@ -525,7 +525,7 @@ func initProfileV2AppendReviewerGitHubAppInstallationSection(document *initProfi
 	document.addEditableInput(
 		initProfileV2FieldReviewerGitHubAppInstallationID,
 		"Installation ID",
-		"Required when you pin an installation. Use the numeric GitHub App installation ID.",
+		"Required when pinning. Use one numeric GitHub App installation ID only when all routes for this profile share that installation.",
 		strings.TrimSpace(draft.ReviewerGitHubAppInstallationID),
 		validateOptionalGitHubAppInstallationID,
 		initProfileV2FieldOptions{Hidden: hidden || !pinned},
@@ -534,8 +534,8 @@ func initProfileV2AppendReviewerGitHubAppInstallationSection(document *initProfi
 
 func initProfileV2ReviewerGitHubAppInstallationModeOptions() []huh.Option[string] {
 	return []huh.Option[string]{
-		huh.NewOption("Discover from PR repository at review time", string(config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository)),
-		huh.NewOption("Pin an installation ID", string(config.ProfileReviewerGitHubAppInstallationPinned)),
+		huh.NewOption("Discover from PR repository at review time (recommended)", string(config.ProfileReviewerGitHubAppInstallationDiscoverFromRepository)),
+		huh.NewOption("Pin one installation ID (advanced)", string(config.ProfileReviewerGitHubAppInstallationPinned)),
 	}
 }
 

From 41e2bca4e1941cef9ec705356f950304bece9a31 Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Mon, 22 Jun 2026 14:46:57 -0400
Subject: [PATCH 23/27] Keep profile flow from prompting for Git credentials

---
 internal/cmd/credentialcmd/credentialcmd.go   |   2 +-
 .../cmd/credentialcmd/credentialcmd_test.go   | 117 ++++++++++++++++--
 2 files changed, 106 insertions(+), 13 deletions(-)

diff --git a/internal/cmd/credentialcmd/credentialcmd.go b/internal/cmd/credentialcmd/credentialcmd.go
index 4bd63f88..453ecc8b 100644
--- a/internal/cmd/credentialcmd/credentialcmd.go
+++ b/internal/cmd/credentialcmd/credentialcmd.go
@@ -1617,7 +1617,7 @@ func applyInteractiveInitProfileDraft(cmd *cobra.Command, opts *root.Options, fl
 	session.requestedProfileName = workspace.profileName
 	session = recordTouchedProfile(session, workspace.profileName, draft.OriginalProfileName)
 	if deps.menuPrompter != nil || deps.prompter == nil {
-		session, err = collectInteractiveInitSessionWorkspaceSecrets(opts, deps, session, []string{"git", "reviewer_credentials", "llm"})
+		session, err = collectInteractiveInitSessionWorkspaceSecrets(opts, deps, session, []string{"reviewer_credentials", "llm"})
 		if errors.Is(err, errInitNavigateBack) {
 			return session, false, nil
 		}
diff --git a/internal/cmd/credentialcmd/credentialcmd_test.go b/internal/cmd/credentialcmd/credentialcmd_test.go
index d9c47216..2ad3cd52 100644
--- a/internal/cmd/credentialcmd/credentialcmd_test.go
+++ b/internal/cmd/credentialcmd/credentialcmd_test.go
@@ -9318,6 +9318,95 @@ func TestLoopInteractiveInitProfileV2StagesDraftIntoSessionBeforeReentry(t *test
 	}
 }
 
+func TestLoopInteractiveInitProfileV2DoesNotPromptForSelectedRepositoryAccessCredential(t *testing.T) {
+	path := filepath.Join(t.TempDir(), "config.yml")
+	repositoryAccessRef := "codereview/github-rianjs"
+	cfg := config.Normalize(config.File{
+		RepositoryAccess: map[string]config.RepositoryAccessConfig{
+			"github-rianjs": {
+				DisplayName: "github-rianjs",
+				Git: config.GitConfig{
+					Host:          "github.com",
+					AuthMode:      config.GitAuthModePAT,
+					Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: repositoryAccessRef},
+					CredentialRef: repositoryAccessRef,
+				},
+			},
+		},
+		LLMRuntimes: map[string]config.LLMConfig{
+			"claude-cli": {
+				Provider: config.LLMProviderAnthropic,
+				Auth:     config.LLMAuthSubscription,
+				Adapter:  config.LLMAdapterClaudeCLI,
+			},
+		},
+		Profiles: map[string]config.Profile{},
+	})
+	opts := &root.Options{
+		Stdin:      strings.NewReader(""),
+		Stdout:     &bytes.Buffer{},
+		Stderr:     &bytes.Buffer{},
+		ConfigPath: path,
+	}
+	session := initSessionDraft{
+		path:                 path,
+		originalCfg:          cloneInitConfigFile(cfg),
+		cfg:                  cloneInitConfigFile(cfg),
+		requestedProfileName: "rianjs",
+	}
+	calls := 0
+	secretPrompter := &fakeInitSecretPrompter{}
+	deps := initDeps{
+		profileV2Prompter: initPrompterFunc(func(ctx initPromptContext) (initDraft, error) {
+			calls++
+			if calls == 2 {
+				return initDraft{}, errInitNavigateBack
+			}
+			draft := seedInteractiveInitDraft("rianjs", "", nil)
+			applyGitScopeSelection(&draft, "github-rianjs", ctx.GitScopes)
+			applyReviewerEntitySelection(&draft, string(initReviewerEntityKindUseGitIdentity))
+			applyLLMRuntimeInventorySelection(&draft, "claude-cli", ctx.LLMRuntimes)
+			draft.RoutesSet = true
+			draft.Routes = []configedit.RepositoryRouteSpec{{
+				Host:      "github.com",
+				Namespace: "rianjs",
+			}}
+			draft.ModelMapSet = true
+			draft.AgentSourcesSet = true
+			draft.ReviewPolicySet = true
+			draft.ReviewPolicy = config.ReviewPolicy{
+				MajorEvent:     config.ReviewMajorEventRequestChanges,
+				ResolveThreads: config.ResolveThreadsAuto,
+			}
+			return draft, nil
+		}),
+		secretPrompter:     secretPrompter,
+		clipboardSupported: func() bool { return false },
+		openStore: func(string, bool, config.File) (initStore, error) {
+			t.Fatal("openStore should not be called for profile-owned prompts when repository access owns the PAT")
+			return nil, nil
+		},
+	}
+
+	next, err := loopInteractiveInitProfileV2(&cobra.Command{}, opts, initOptions{}, deps, session)
+	if err != nil {
+		t.Fatalf("loopInteractiveInitProfileV2: %v", err)
+	}
+	if calls != 2 {
+		t.Fatalf("profile v2 calls = %d, want stage then reentry", calls)
+	}
+	if len(secretPrompter.actionPrompts) != 0 || len(secretPrompter.sourcePrompts) != 0 {
+		t.Fatalf("secret prompts = actions:%d sources:%d, want profile staging to skip repository-access credentials", len(secretPrompter.actionPrompts), len(secretPrompter.sourcePrompts))
+	}
+	profile := next.cfg.Profiles["rianjs"]
+	if profile.RepositoryAccess != "github-rianjs" {
+		t.Fatalf("repository_access = %q, want github-rianjs", profile.RepositoryAccess)
+	}
+	if profile.Git.CredentialRef != repositoryAccessRef {
+		t.Fatalf("git credential ref = %q, want selected repository access ref %q", profile.Git.CredentialRef, repositoryAccessRef)
+	}
+}
+
 func TestLoopInteractiveInitProfileV2AppliesInlineDetailDraftParity(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	existing := basicProfile("work")
@@ -19617,10 +19706,14 @@ func TestInitInteractiveFinalizationKeyringOpenFailure(t *testing.T) {
 		Stderr:     &bytes.Buffer{},
 		ConfigPath: filepath.Join(t.TempDir(), "config.yml"),
 	}
+	resolved, err := credentials.ResolveCredentialStore(config.File{}, config.LocalOSCredentialStoreID)
+	if err != nil {
+		t.Fatalf("ResolveCredentialStore: %v", err)
+	}
 	deps := initDeps{
 		menuPrompter: &fakeInitMenuPrompter{
 			actions: []initMenuAction{
-				initMenuActionReviewProfiles,
+				initMenuActionRepositoryAccess,
 				initMenuActionSave,
 			},
 		},
@@ -19628,19 +19721,19 @@ func TestInitInteractiveFinalizationKeyringOpenFailure(t *testing.T) {
 			t.Fatal("finalize prompt should not run after keyring open failure")
 			return "", nil
 		}),
-		profileV2Prompter: initPrompterFunc(func(initPromptContext) (initDraft, error) {
+		repositoryPrompter: initRepositoryAccessPrompterFunc(func(initRepositoryAccessPrompt) (initDraft, error) {
 			return initDraft{
-				ProfileName: "default",
-				GitHost:     "github.com",
-				GitAuth:     string(config.GitAuthModePAT),
-				LLMProvider: string(config.LLMProviderAnthropic),
-				LLMAuth:     string(config.LLMAuthSubscription),
-				LLMAdapter:  string(config.LLMAdapterClaudeCLI),
+				RepositoryAccessName:    "github-rianjs",
+				GitHost:                 "github.com",
+				GitAuth:                 string(config.GitAuthModePAT),
+				GitCredentialStore:      config.LocalOSCredentialStoreID,
+				GitCredentialRef:        "codereview/github-rianjs",
+				GitCredentialWriteRef:   "codereview/github-rianjs",
+				GitCredentialWriteStore: resolved,
+				GitCredentialWrites:     map[string]string{credentials.GitTokenKey: "github-token"},
+				GitCredentialSatisfied:  true,
 			}, nil
 		}),
-		secretPrompter: &fakeInitSecretPrompter{
-			actions: []initCredentialSecretAction{initCredentialSecretActionSetNow},
-		},
 		openStore: func(string, bool, config.File) (initStore, error) {
 			return nil, errors.New("open failed")
 		},
@@ -19654,7 +19747,7 @@ func TestInitInteractiveFinalizationKeyringOpenFailure(t *testing.T) {
 		},
 	}
 
-	err := runInitWithDeps(&cobra.Command{}, opts, initOptions{}, deps)
+	err = runInitWithDeps(&cobra.Command{}, opts, initOptions{}, deps)
 	if err == nil || !strings.Contains(err.Error(), "open failed") {
 		t.Fatalf("error = %v, want keyring open failure", err)
 	}

From 77fc8ab7a5668f800bd1902cb9e6143734de45bb Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Mon, 22 Jun 2026 14:54:56 -0400
Subject: [PATCH 24/27] Stop profile staging from prompting for primitive
 secrets

---
 internal/cmd/credentialcmd/credentialcmd.go   |  9 -----
 .../cmd/credentialcmd/credentialcmd_test.go   | 40 +++++++++++++++----
 2 files changed, 32 insertions(+), 17 deletions(-)

diff --git a/internal/cmd/credentialcmd/credentialcmd.go b/internal/cmd/credentialcmd/credentialcmd.go
index 453ecc8b..dd0304aa 100644
--- a/internal/cmd/credentialcmd/credentialcmd.go
+++ b/internal/cmd/credentialcmd/credentialcmd.go
@@ -1616,15 +1616,6 @@ func applyInteractiveInitProfileDraft(cmd *cobra.Command, opts *root.Options, fl
 	session.cfg = cloneInitConfigFile(workspace.cfg)
 	session.requestedProfileName = workspace.profileName
 	session = recordTouchedProfile(session, workspace.profileName, draft.OriginalProfileName)
-	if deps.menuPrompter != nil || deps.prompter == nil {
-		session, err = collectInteractiveInitSessionWorkspaceSecrets(opts, deps, session, []string{"reviewer_credentials", "llm"})
-		if errors.Is(err, errInitNavigateBack) {
-			return session, false, nil
-		}
-		if err != nil {
-			return initSessionDraft{}, false, err
-		}
-	}
 	return session, true, nil
 }
 
diff --git a/internal/cmd/credentialcmd/credentialcmd_test.go b/internal/cmd/credentialcmd/credentialcmd_test.go
index 2ad3cd52..6b6181eb 100644
--- a/internal/cmd/credentialcmd/credentialcmd_test.go
+++ b/internal/cmd/credentialcmd/credentialcmd_test.go
@@ -9318,9 +9318,11 @@ func TestLoopInteractiveInitProfileV2StagesDraftIntoSessionBeforeReentry(t *test
 	}
 }
 
-func TestLoopInteractiveInitProfileV2DoesNotPromptForSelectedRepositoryAccessCredential(t *testing.T) {
+func TestLoopInteractiveInitProfileV2DoesNotPromptForSelectedPrimitiveCredentials(t *testing.T) {
 	path := filepath.Join(t.TempDir(), "config.yml")
 	repositoryAccessRef := "codereview/github-rianjs"
+	reviewerRef := "codereview/rianjs-bot-reviewer"
+	llmRef := "codereview/openai-runtime"
 	cfg := config.Normalize(config.File{
 		RepositoryAccess: map[string]config.RepositoryAccessConfig{
 			"github-rianjs": {
@@ -9333,11 +9335,23 @@ func TestLoopInteractiveInitProfileV2DoesNotPromptForSelectedRepositoryAccessCre
 				},
 			},
 		},
+		ReviewerEntities: map[string]config.ReviewerEntity{
+			"rianjs-bot": {
+				Host:          "github.com",
+				AuthMode:      config.GitAuthModeGitHubApp,
+				Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: reviewerRef},
+				CredentialRef: reviewerRef,
+				GitHubApp:     &config.GitHubAppConfig{AppID: "12345"},
+				DisplayName:   "rianjs-bot",
+			},
+		},
 		LLMRuntimes: map[string]config.LLMConfig{
-			"claude-cli": {
-				Provider: config.LLMProviderAnthropic,
-				Auth:     config.LLMAuthSubscription,
-				Adapter:  config.LLMAdapterClaudeCLI,
+			"openai-api": {
+				Provider:      config.LLMProviderOpenAI,
+				Auth:          config.LLMAuthAPIKey,
+				Adapter:       config.LLMAdapterOpenAIAPI,
+				Credential:    config.CredentialLocation{Store: config.LocalOSCredentialStoreID, Name: llmRef},
+				CredentialRef: llmRef,
 			},
 		},
 		Profiles: map[string]config.Profile{},
@@ -9364,8 +9378,9 @@ func TestLoopInteractiveInitProfileV2DoesNotPromptForSelectedRepositoryAccessCre
 			}
 			draft := seedInteractiveInitDraft("rianjs", "", nil)
 			applyGitScopeSelection(&draft, "github-rianjs", ctx.GitScopes)
-			applyReviewerEntitySelection(&draft, string(initReviewerEntityKindUseGitIdentity))
-			applyLLMRuntimeInventorySelection(&draft, "claude-cli", ctx.LLMRuntimes)
+			applyReviewerEntityInventorySelection(&draft, "rianjs-bot", ctx.ReviewerEntities)
+			applyReviewerEntitySelection(&draft, string(initReviewerEntityDraftFromSeedDraft(draft).Kind))
+			applyLLMRuntimeInventorySelection(&draft, "openai-api", ctx.LLMRuntimes)
 			draft.RoutesSet = true
 			draft.Routes = []configedit.RepositoryRouteSpec{{
 				Host:      "github.com",
@@ -9396,7 +9411,7 @@ func TestLoopInteractiveInitProfileV2DoesNotPromptForSelectedRepositoryAccessCre
 		t.Fatalf("profile v2 calls = %d, want stage then reentry", calls)
 	}
 	if len(secretPrompter.actionPrompts) != 0 || len(secretPrompter.sourcePrompts) != 0 {
-		t.Fatalf("secret prompts = actions:%d sources:%d, want profile staging to skip repository-access credentials", len(secretPrompter.actionPrompts), len(secretPrompter.sourcePrompts))
+		t.Fatalf("secret prompts = actions:%d sources:%d, want profile staging to skip selected primitive credentials", len(secretPrompter.actionPrompts), len(secretPrompter.sourcePrompts))
 	}
 	profile := next.cfg.Profiles["rianjs"]
 	if profile.RepositoryAccess != "github-rianjs" {
@@ -9405,6 +9420,15 @@ func TestLoopInteractiveInitProfileV2DoesNotPromptForSelectedRepositoryAccessCre
 	if profile.Git.CredentialRef != repositoryAccessRef {
 		t.Fatalf("git credential ref = %q, want selected repository access ref %q", profile.Git.CredentialRef, repositoryAccessRef)
 	}
+	if profile.Reviewer.Kind != config.ProfileReviewerKindEntity || profile.Reviewer.Entity != "rianjs-bot" {
+		t.Fatalf("reviewer = %#v, want selected rianjs-bot reviewer entity", profile.Reviewer)
+	}
+	if profile.ReviewerCredentials == nil || profile.ReviewerCredentials.CredentialRef != reviewerRef {
+		t.Fatalf("reviewer credentials = %#v, want selected reviewer ref %q", profile.ReviewerCredentials, reviewerRef)
+	}
+	if profile.LLMRuntime != "openai-api" || profile.LLM.CredentialRef != llmRef {
+		t.Fatalf("llm runtime/ref = %q/%q, want openai-api/%q", profile.LLMRuntime, profile.LLM.CredentialRef, llmRef)
+	}
 }
 
 func TestLoopInteractiveInitProfileV2AppliesInlineDetailDraftParity(t *testing.T) {

From 776fa4bb394d9b049fa1192faed2ca36ad950b55 Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Mon, 22 Jun 2026 15:02:30 -0400
Subject: [PATCH 25/27] Restore profile deletion in v2 init flow

---
 .../cmd/credentialcmd/credentialcmd_test.go   | 69 +++++++++++++++++++
 .../cmd/credentialcmd/init_inventory_test.go  | 24 +++++++
 internal/cmd/credentialcmd/init_profile_v2.go | 19 ++---
 3 files changed, 104 insertions(+), 8 deletions(-)

diff --git a/internal/cmd/credentialcmd/credentialcmd_test.go b/internal/cmd/credentialcmd/credentialcmd_test.go
index 6b6181eb..8cb55d4c 100644
--- a/internal/cmd/credentialcmd/credentialcmd_test.go
+++ b/internal/cmd/credentialcmd/credentialcmd_test.go
@@ -14312,6 +14312,75 @@ func TestBubbleTeaInitProfileV2PrompterReturnsStagedDraft(t *testing.T) {
 	}
 }
 
+func TestBubbleTeaInitProfileV2PrompterCanStageProfileDelete(t *testing.T) {
+	profile := basicProfile("work")
+	prompter := bubbleTeaInitProfileV2Prompter{
+		inventoryRunner: func(_ initInventoryPrompt, _ io.Reader, _ io.Writer) (initInventoryResult, error) {
+			return initInventoryResult{
+				Action: initInventoryActionStageDelete,
+				Row: initInventoryRow{
+					ID:    "work",
+					Title: "work",
+				},
+			}, nil
+		},
+		profileEditorRunner: func(initProfileV2Editor) (initProfileV2EditorResult, error) {
+			t.Fatal("profile editor should not open for delete action")
+			return initProfileV2EditorResult{}, nil
+		},
+	}
+
+	draft, err := prompter.Run(initPromptContext{
+		RequestedProfileName: "work",
+		ExistingProfileName:  "work",
+		ExistingProfile:      &profile,
+		ExistingProfileNames: []string{"work"},
+		ExistingConfig:       config.File{Profiles: map[string]config.Profile{"work": profile}},
+	})
+	if err != nil {
+		t.Fatalf("Run: %v", err)
+	}
+	if draft.Action != initDraftActionDeleteProfile || draft.ActionTarget != "work" {
+		t.Fatalf("draft delete action = %#v, want delete work", draft)
+	}
+}
+
+func TestBubbleTeaInitProfileV2PrompterCanRestoreProfileDelete(t *testing.T) {
+	profile := basicProfile("home")
+	prompter := bubbleTeaInitProfileV2Prompter{
+		inventoryRunner: func(_ initInventoryPrompt, _ io.Reader, _ io.Writer) (initInventoryResult, error) {
+			return initInventoryResult{
+				Action: initInventoryActionRestore,
+				Row: initInventoryRow{
+					ID:    "work",
+					Title: "work (Staged for deletion)",
+				},
+			}, nil
+		},
+		profileEditorRunner: func(initProfileV2Editor) (initProfileV2EditorResult, error) {
+			t.Fatal("profile editor should not open for restore action")
+			return initProfileV2EditorResult{}, nil
+		},
+	}
+
+	draft, err := prompter.Run(initPromptContext{
+		RequestedProfileName: "home",
+		ExistingProfileName:  "home",
+		ExistingProfile:      &profile,
+		ExistingProfileNames: []string{"home"},
+		ExistingConfig:       config.File{Profiles: map[string]config.Profile{"home": profile}},
+		PendingProfileDeletes: map[string]initPendingProfileDelete{
+			"work": {ProfileName: "work"},
+		},
+	})
+	if err != nil {
+		t.Fatalf("Run: %v", err)
+	}
+	if draft.Action != initDraftActionUndoDeleteProfile || draft.ActionTarget != "work" {
+		t.Fatalf("draft restore action = %#v, want restore work", draft)
+	}
+}
+
 func TestBubbleTeaInitProfileV2PrompterSkipsChooserWhenNoProfilesExist(t *testing.T) {
 	inventoryCalled := false
 	editorCalls := 0
diff --git a/internal/cmd/credentialcmd/init_inventory_test.go b/internal/cmd/credentialcmd/init_inventory_test.go
index 74f814e9..b6182569 100644
--- a/internal/cmd/credentialcmd/init_inventory_test.go
+++ b/internal/cmd/credentialcmd/init_inventory_test.go
@@ -497,6 +497,30 @@ func TestInitProfileInventoryRowsSetExpectedCapabilities(t *testing.T) {
 	}
 }
 
+func TestInitProfileV2InventoryRowsKeepDeleteCapabilities(t *testing.T) {
+	rows := initProfileV2InventoryRows(initPromptContext{
+		ExistingProfileNames: []string{"home"},
+		ExistingConfig: config.File{
+			Profiles: map[string]config.Profile{
+				"home": {Git: config.GitConfig{Host: "github.com"}},
+			},
+		},
+		PendingProfileDeletes: map[string]initPendingProfileDelete{
+			"work": {ProfileName: "work"},
+		},
+	})
+
+	if len(rows) != 4 {
+		t.Fatalf("len(rows) = %d, want 4", len(rows))
+	}
+	if got := rows[0]; got.ID != "home" || !got.Deletable || got.Restorable {
+		t.Fatalf("active v2 row = %#v, want deletable home profile", got)
+	}
+	if got := rows[1]; got.ID != "work" || got.Deletable || !got.Restorable {
+		t.Fatalf("pending v2 row = %#v, want restorable work profile", got)
+	}
+}
+
 func TestInitProfileInventoryRowsShowRoutesAndSortBySpecificity(t *testing.T) {
 	rows := initProfileInventoryRows(initPromptContext{
 		ExistingProfileNames: []string{"default", "unrouted", "namespace", "repo"},
diff --git a/internal/cmd/credentialcmd/init_profile_v2.go b/internal/cmd/credentialcmd/init_profile_v2.go
index 8728f7a3..9389f5bd 100644
--- a/internal/cmd/credentialcmd/init_profile_v2.go
+++ b/internal/cmd/credentialcmd/init_profile_v2.go
@@ -57,6 +57,16 @@ func (p bubbleTeaInitProfileV2Prompter) Run(ctx initPromptContext) (initDraft, e
 		switch result.Action {
 		case initInventoryActionBack:
 			return initDraft{}, errInitNavigateBack
+		case initInventoryActionRestore:
+			return initDraft{
+				Action:       initDraftActionUndoDeleteProfile,
+				ActionTarget: result.Row.ID,
+			}, nil
+		case initInventoryActionStageDelete:
+			return initDraft{
+				Action:       initDraftActionDeleteProfile,
+				ActionTarget: result.Row.ID,
+			}, nil
 		case initInventoryActionEdit, initInventoryActionCommand:
 			draft, staged, err := p.runProfileEditor(ctx, result.Row.ID)
 			if err != nil {
@@ -67,8 +77,6 @@ func (p bubbleTeaInitProfileV2Prompter) Run(ctx initPromptContext) (initDraft, e
 			}
 		case initInventoryActionNone:
 			continue
-		case initInventoryActionRestore, initInventoryActionStageDelete:
-			continue
 		default:
 			return initDraft{}, fmt.Errorf("unsupported profile v2 inventory action %q", result.Action)
 		}
@@ -164,12 +172,7 @@ func (p bubbleTeaInitProfileV2Prompter) runReadOnlyEditor(editor initProfileV2Ed
 }
 
 func initProfileV2InventoryRows(ctx initPromptContext) []initInventoryRow {
-	rows := initProfileInventoryRows(ctx)
-	for i := range rows {
-		rows[i].Deletable = false
-		rows[i].Restorable = false
-	}
-	return rows
+	return initProfileInventoryRows(ctx)
 }
 
 type initProfileV2ReadOnlyModel struct {

From 23038cec7ab11cf027941f1285cc4188da290bc6 Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Tue, 23 Jun 2026 15:06:52 -0400
Subject: [PATCH 26/27] Respect max agents during selection

---
 internal/pipeline/pipeline.go      | 44 ++++++++++++++---------
 internal/pipeline/pipeline_test.go | 58 +++++++++++++++++++++++++++---
 2 files changed, 80 insertions(+), 22 deletions(-)

diff --git a/internal/pipeline/pipeline.go b/internal/pipeline/pipeline.go
index dd1f641d..79f10e74 100644
--- a/internal/pipeline/pipeline.go
+++ b/internal/pipeline/pipeline.go
@@ -791,7 +791,7 @@ func runSelectionPhase(ctx context.Context, opts Options, req selectionPhaseRequ
 	}
 	model, effort := runtimeConfig.model, runtimeConfig.effort
 
-	selectionPrompt, err := buildSelectionPrompt(req.ReviewPR, req.Catalog, req.ParsedDiff.Patches, req.Threads, req.SelectionPromptInstructions)
+	selectionPrompt, err := buildSelectionPrompt(req.ReviewPR, req.Catalog, req.ParsedDiff.Patches, req.Threads, req.MaxAgents, req.SelectionPromptInstructions)
 	if err != nil {
 		return llm.Selection{}, sessionDraft{}, err
 	}
@@ -812,12 +812,19 @@ func runSelectionPhase(ctx context.Context, opts Options, req selectionPhaseRequ
 	if err != nil {
 		return llm.Selection{}, selectionSession, err
 	}
-	if len(selection.SelectedAgents) > req.MaxAgents {
-		return llm.Selection{}, selectionSession, fmt.Errorf("pipeline: selected agents %d exceeds max %d", len(selection.SelectedAgents), req.MaxAgents)
-	}
+	selection = opts.capSelectionAgents(selection, req.MaxAgents)
 	return selection, selectionSession, nil
 }
 
+func (opts Options) capSelectionAgents(selection llm.Selection, maxAgents int) llm.Selection {
+	if maxAgents <= 0 || len(selection.SelectedAgents) <= maxAgents {
+		return selection
+	}
+	opts.emitWarning(fmt.Sprintf("orchestrator selected %d agents; using first %d due to max-agents", len(selection.SelectedAgents), maxAgents))
+	selection.SelectedAgents = append([]llm.SelectedAgent(nil), selection.SelectedAgents[:maxAgents]...)
+	return selection
+}
+
 func getReviewDiff(ctx context.Context, provider ReadProvider, ref gitprovider.PRRef, baseSHA, headSHA string, pinned bool) (gitprovider.UnifiedDiff, error) {
 	if !pinned {
 		return provider.GetDiff(ctx, ref)
@@ -1426,15 +1433,16 @@ func fetchFileOptional(ctx context.Context, provider ReadProvider, ref gitprovid
 
 const defaultSelectionTask = "select reviewer agents and thread actions; return selection JSON only"
 
-func buildSelectionPrompt(pr gitprovider.PR, catalog agents.Catalog, patches []FilePatch, threads []gitprovider.InlineThread, selectionInstructions string) (string, error) {
+func buildSelectionPrompt(pr gitprovider.PR, catalog agents.Catalog, patches []FilePatch, threads []gitprovider.InlineThread, maxAgents int, selectionInstructions string) (string, error) {
 	payload := map[string]any{
-		"task":            defaultSelectionTask,
-		"output_contract": selectionOutputContract(catalog.Agents, patches, threads),
-		"schema":          "selection",
-		"pr":              pr,
-		"agents":          selectionAgentPromptsFromCatalog(catalog),
-		"changed_files":   patchPaths(patches),
-		"threads":         threads,
+		"task":                defaultSelectionTask,
+		"output_contract":     selectionOutputContract(catalog.Agents, patches, threads, maxAgents),
+		"schema":              "selection",
+		"max_selected_agents": maxAgents,
+		"pr":                  pr,
+		"agents":              selectionAgentPromptsFromCatalog(catalog),
+		"changed_files":       patchPaths(patches),
+		"threads":             threads,
 	}
 	if instructions := strings.TrimSpace(selectionInstructions); instructions != "" {
 		payload["selection_instructions"] = instructions
@@ -1521,7 +1529,7 @@ type outputContract struct {
 	Example        any      `json:"example"`
 }
 
-func selectionOutputContract(agents []agents.Agent, patches []FilePatch, threads []gitprovider.InlineThread) outputContract {
+func selectionOutputContract(agents []agents.Agent, patches []FilePatch, threads []gitprovider.InlineThread, maxAgents int) outputContract {
 	agentIDs := make([]string, 0, len(agents))
 	for _, agent := range agents {
 		agentIDs = append(agentIDs, agent.ID)
@@ -1548,6 +1556,7 @@ func selectionOutputContract(agents []agents.Agent, patches []FilePatch, threads
 			"schema_version must be 1.",
 			"selected_agents[].agent_id must be one of the allowed_agent_ids.",
 			"selected_agents[].files must contain only paths from changed_files.",
+			"selected_agents must contain at most max_selected_agents entries, ordered from highest to lowest review value.",
 			"thread_actions must be an empty array when there are no threads.",
 		},
 		ResponseSchema: map[string]any{
@@ -1557,10 +1566,11 @@ func selectionOutputContract(agents []agents.Agent, patches []FilePatch, threads
 			"reasoning":       "string",
 		},
 		AllowedValues: map[string]any{
-			"allowed_agent_ids": agentIDs,
-			"changed_files":     changedFiles,
-			"known_thread_ids":  threadIDs,
-			"thread_decisions":  []string{"skip", "summarize_only", "summarize_and_resolve"},
+			"allowed_agent_ids":   agentIDs,
+			"changed_files":       changedFiles,
+			"known_thread_ids":    threadIDs,
+			"max_selected_agents": maxAgents,
+			"thread_decisions":    []string{"skip", "summarize_only", "summarize_and_resolve"},
 		},
 		Example: example,
 	}
diff --git a/internal/pipeline/pipeline_test.go b/internal/pipeline/pipeline_test.go
index 07c5053c..e98476b5 100644
--- a/internal/pipeline/pipeline_test.go
+++ b/internal/pipeline/pipeline_test.go
@@ -561,7 +561,7 @@ func TestSelectionOnlyRejectsInvalidSelection(t *testing.T) {
 	}
 }
 
-func TestSelectionOnlyEnforcesMaxAgents(t *testing.T) {
+func TestSelectionOnlyCapsMaxAgents(t *testing.T) {
 	ctx := context.Background()
 	provider, req := dryRunHarness(t)
 	dir := t.TempDir()
@@ -570,6 +570,7 @@ func TestSelectionOnlyEnforcesMaxAgents(t *testing.T) {
 	trustCurrentTempFixtures(t)
 	req.Profile.AgentSources = []string{dir}
 	adapter := &llm.FakeAdapter{NameValue: "fake-llm"}
+	var warnings bytes.Buffer
 	adapter.Queue(fakeLLMResult("selection-session", `{
 		"schema_version": 1,
 		"selected_agents": [
@@ -580,14 +581,28 @@ func TestSelectionOnlyEnforcesMaxAgents(t *testing.T) {
 		"reasoning": "too many"
 	}`, 10, 2))
 
-	_, err := SelectionOnly(ctx, Options{
+	result, err := SelectionOnly(ctx, Options{
 		Provider:  provider,
 		Adapter:   adapter,
 		Now:       fixedNow,
 		MaxAgents: 1,
+		Warnings:  &warnings,
 	}, selectionRequestFromReview(req, t.TempDir()))
-	if err == nil || !strings.Contains(err.Error(), "selected agents 2 exceeds max 1") {
-		t.Fatalf("SelectionOnly error = %v, want max-agent rejection", err)
+	if err != nil {
+		t.Fatalf("SelectionOnly: %v", err)
+	}
+	if len(result.Selection.SelectedAgents) != 1 || result.Selection.SelectedAgents[0].AgentID != "harness:alpha" {
+		t.Fatalf("selected agents = %#v, want first selected agent only", result.Selection.SelectedAgents)
+	}
+	if got := warnings.String(); !strings.Contains(got, "orchestrator selected 2 agents; using first 1 due to max-agents") {
+		t.Fatalf("warnings = %q, want max-agent cap warning", got)
+	}
+	requests := adapter.Requests()
+	if len(requests) != 1 {
+		t.Fatalf("adapter requests = %#v, want one selection request", requests)
+	}
+	if !strings.Contains(requests[0].Prompt, `"max_selected_agents": 1`) {
+		t.Fatalf("selection prompt = %q, want max_selected_agents", requests[0].Prompt)
 	}
 }
 
@@ -2228,7 +2243,7 @@ func TestDryRunRejectsSelfReviewWhenReviewerCredentialsMatchAuthor(t *testing.T)
 }
 
 func TestSelectionOutputContractExampleHasNoAgentsWhenCatalogEmpty(t *testing.T) {
-	contract := selectionOutputContract(nil, []FilePatch{{Path: "main.go"}}, nil)
+	contract := selectionOutputContract(nil, []FilePatch{{Path: "main.go"}}, nil, 3)
 	example, ok := contract.Example.(map[string]any)
 	if !ok {
 		t.Fatalf("Example = %#v, want map", contract.Example)
@@ -2242,6 +2257,39 @@ func TestSelectionOutputContractExampleHasNoAgentsWhenCatalogEmpty(t *testing.T)
 	}
 }
 
+func TestSelectionPromptIncludesMaxSelectedAgentsContract(t *testing.T) {
+	prompt, err := buildSelectionPrompt(
+		gitprovider.PR{},
+		agents.Catalog{Agents: []agents.Agent{{ID: "agent-1"}}},
+		[]FilePatch{{Path: "main.go"}},
+		nil,
+		3,
+		"",
+	)
+	if err != nil {
+		t.Fatalf("buildSelectionPrompt: %v", err)
+	}
+	var payload struct {
+		MaxSelectedAgents int `json:"max_selected_agents"`
+		OutputContract    struct {
+			Instructions  []string       `json:"instructions"`
+			AllowedValues map[string]any `json:"allowed_values"`
+		} `json:"output_contract"`
+	}
+	if err := json.Unmarshal([]byte(prompt), &payload); err != nil {
+		t.Fatalf("Unmarshal prompt: %v", err)
+	}
+	if payload.MaxSelectedAgents != 3 {
+		t.Fatalf("max_selected_agents = %d, want 3", payload.MaxSelectedAgents)
+	}
+	if got := payload.OutputContract.AllowedValues["max_selected_agents"]; got != float64(3) {
+		t.Fatalf("allowed max_selected_agents = %#v, want 3", got)
+	}
+	if !strings.Contains(strings.Join(payload.OutputContract.Instructions, "\n"), "at most max_selected_agents") {
+		t.Fatalf("instructions = %#v, want max-selected-agents guidance", payload.OutputContract.Instructions)
+	}
+}
+
 func TestFindingsOutputContractScopesAnchorToFindingItems(t *testing.T) {
 	contract := findingsOutputContract("agent-1", []string{"main.go"})
 	schema, ok := contract.ResponseSchema.(map[string]any)

From 7aec2eb5cf4c8736475067b1893670a26667d142 Mon Sep 17 00:00:00 2001
From: Rian Stockbower <rstockbower@gmail.com>
Date: Tue, 23 Jun 2026 15:16:22 -0400
Subject: [PATCH 27/27] Fix lint blockers

---
 internal/cmd/credentialcmd/credentialcmd.go   | 38 ++-----------------
 .../cmd/credentialcmd/credentialcmd_test.go   | 13 +++----
 internal/cmd/credentialcmd/init_inventory.go  | 14 -------
 .../init_repository_access_editor.go          | 18 +++------
 internal/config/config.go                     |  2 +
 internal/gitprovider/github/app_auth_test.go  |  2 +-
 6 files changed, 16 insertions(+), 71 deletions(-)

diff --git a/internal/cmd/credentialcmd/credentialcmd.go b/internal/cmd/credentialcmd/credentialcmd.go
index dd0304aa..246022e4 100644
--- a/internal/cmd/credentialcmd/credentialcmd.go
+++ b/internal/cmd/credentialcmd/credentialcmd.go
@@ -1739,7 +1739,7 @@ func loopInteractiveInitReviewerEntity(cmd *cobra.Command, opts *root.Options, f
 	}
 }
 
-func editInteractiveInitReviewerEntityStep(cmd *cobra.Command, opts *root.Options, flags initOptions, deps initDeps, session initSessionDraft) (initSessionDraft, bool, error) {
+func editInteractiveInitReviewerEntityStep(_ *cobra.Command, opts *root.Options, flags initOptions, deps initDeps, session initSessionDraft) (initSessionDraft, bool, error) {
 	prompter := deps.reviewerPrompter
 	if prompter == nil {
 		prompter = newHuhInitReviewerEntityPrompter(opts)
@@ -1981,38 +1981,6 @@ func filterInitCredentialWritesForDraftReviewerMode(writes map[string]string, dr
 	return filtered
 }
 
-func propagateSharedReviewerEntityChanges(priorCfg config.File, updatedCfg config.File, activeProfileName string, previousEntity initReviewerEntityDraft, nextEntity initReviewerEntityDraft) config.File {
-	if previousEntity.Kind == initReviewerEntityKindUseGitIdentity || previousEntity.identityKey() == "" {
-		return updatedCfg
-	}
-	identityKey := previousEntity.identityKey()
-	displayName := normalizeOptionalDisplayName(nextEntity.DisplayName)
-	credentialStore := initCredentialStoreDraftValue(nextEntity.CredentialStore)
-	credentialRef := strings.TrimSpace(nextEntity.CredentialRef)
-	for profileName, previousProfile := range priorCfg.Profiles {
-		if profileName == activeProfileName {
-			continue
-		}
-		if initReviewerEntityDraftFromConfig(previousProfile).identityKey() != identityKey {
-			continue
-		}
-		profile, ok := updatedCfg.Profiles[profileName]
-		if !ok || profile.ReviewerCredentials == nil {
-			continue
-		}
-		if initReviewerEntityDraftFromConfig(profile).identityKey() != identityKey {
-			continue
-		}
-		profile.ReviewerCredentials.AuthMode = nextEntity.AuthMode
-		profile.ReviewerCredentials.GitHubApp = initGitHubAppConfigForAuth(nextEntity.AuthMode, nextEntity.AppID)
-		profile.ReviewerCredentials.Credential = initCredentialLocation(credentialStore, credentialRef)
-		profile.ReviewerCredentials.CredentialRef = credentialRef
-		profile.ReviewerCredentials.DisplayName = displayName
-		updatedCfg.Profiles[profileName] = profile
-	}
-	return updatedCfg
-}
-
 func editInteractiveInitGlobalSettings(_ *cobra.Command, opts *root.Options, deps initDeps, session initSessionDraft) (initSessionDraft, error) {
 	cfg, err := collectInteractiveInitRetentionConfig(opts, deps, cloneInitConfigFile(session.cfg))
 	if errors.Is(err, errInitNavigateBack) {
@@ -2080,7 +2048,7 @@ func (p huhInitMenuPrompter) ChooseAction(prompt initMenuPrompt) (initMenuAction
 	return action, nil
 }
 
-func initMenuInitialAction(prompt initMenuPrompt) initMenuAction {
+func initMenuInitialAction(_ initMenuPrompt) initMenuAction {
 	return initMenuActionSecretsManagement
 }
 
@@ -5385,7 +5353,7 @@ func deleteInteractiveInitLLMRuntime(session initSessionDraft, runtimeName strin
 		}
 	}
 	addedReplacement := false
-	replacementLLM := config.LLMConfig{}
+	var replacementLLM config.LLMConfig
 	if replacementName != "" {
 		replacementLLM = session.cfg.LLMRuntimes[replacementName]
 	} else {
diff --git a/internal/cmd/credentialcmd/credentialcmd_test.go b/internal/cmd/credentialcmd/credentialcmd_test.go
index 8cb55d4c..03d30cc8 100644
--- a/internal/cmd/credentialcmd/credentialcmd_test.go
+++ b/internal/cmd/credentialcmd/credentialcmd_test.go
@@ -13616,7 +13616,7 @@ func TestInitProfileV2GitScopeRejectsRoutesForDifferentHost(t *testing.T) {
 func TestInitProfileV2SelectsDraftReviewerRuntimeAndModelTier(t *testing.T) {
 	// #nosec G101 -- test fixture credential reference, not a secret.
 	reviewerEntities := map[string]initReviewerEntityDraft{
-		"app-reviewer": {
+		"app-reviewer": { // #nosec G101 -- test fixture name, not credential material.
 			Kind:            initReviewerEntityKindGitHubApp,
 			AuthMode:        config.GitAuthModeGitHubApp,
 			CredentialStore: config.LocalOSCredentialStoreID,
@@ -13665,7 +13665,7 @@ func TestInitProfileV2SelectsDraftReviewerRuntimeAndModelTier(t *testing.T) {
 
 func TestInitProfileV2GitHubAppInstallationFieldsFollowReviewerSelection(t *testing.T) {
 	reviewerEntities := map[string]initReviewerEntityDraft{
-		"app-reviewer": {
+		"app-reviewer": { // #nosec G101 -- test fixture name, not credential material.
 			Kind:            initReviewerEntityKindGitHubApp,
 			AuthMode:        config.GitAuthModeGitHubApp,
 			CredentialStore: config.LocalOSCredentialStoreID,
@@ -13753,6 +13753,7 @@ func TestInitProfileV2GitHubAppInstallationFieldsFollowReviewerSelection(t *test
 
 func TestInitProfileV2GitHubAppInstallationPinnedIDValidation(t *testing.T) {
 	reviewerEntities := map[string]initReviewerEntityDraft{
+		// #nosec G101 -- test fixture name, not credential material.
 		"app-reviewer": {
 			Kind:            initReviewerEntityKindGitHubApp,
 			AuthMode:        config.GitAuthModeGitHubApp,
@@ -14053,7 +14054,7 @@ func TestInitProfileV2ReviewPolicyDraftsSelections(t *testing.T) {
 
 func TestInitProfileV2ReviewPolicyHidesSelfApproveForGitHubAppReviewer(t *testing.T) {
 	reviewerEntities := map[string]initReviewerEntityDraft{
-		"app-reviewer": {
+		"app-reviewer": { // #nosec G101 -- test fixture name, not credential material.
 			Name:            "app-reviewer",
 			Kind:            initReviewerEntityKindGitHubApp,
 			AuthMode:        config.GitAuthModeGitHubApp,
@@ -15356,7 +15357,7 @@ func TestInitInteractiveMenuWritesStandaloneRepositoryAccessPAT(t *testing.T) {
 				initMenuActionSave,
 			},
 		},
-		repositoryPrompter: initRepositoryAccessPrompterFunc(func(prompt initRepositoryAccessPrompt) (initDraft, error) {
+		repositoryPrompter: initRepositoryAccessPrompterFunc(func(_ initRepositoryAccessPrompt) (initDraft, error) {
 			return initDraft{
 				RepositoryAccessName:    "work-git",
 				GitHost:                 "github.company.com",
@@ -22527,10 +22528,6 @@ func basicProfile(profile string) config.Profile {
 	}
 }
 
-func normalizeTestProfile(profile config.Profile) config.Profile {
-	return normalizeTestProfileNamed("test", profile)
-}
-
 func normalizeTestProfileNamed(name string, profile config.Profile) config.Profile {
 	cfg := config.Normalize(config.File{
 		Profiles: map[string]config.Profile{
diff --git a/internal/cmd/credentialcmd/init_inventory.go b/internal/cmd/credentialcmd/init_inventory.go
index a56d1f76..8e9b0937 100644
--- a/internal/cmd/credentialcmd/init_inventory.go
+++ b/internal/cmd/credentialcmd/init_inventory.go
@@ -400,20 +400,6 @@ func (m initInventoryModel) selectedRow() (initInventoryRow, bool) {
 	return item.row, true
 }
 
-func (m initInventoryModel) helpBindings() []key.Binding {
-	bindings := []key.Binding{m.keys.Select}
-	if row, ok := m.selectedRow(); ok {
-		if row.Deletable {
-			bindings = append(bindings, m.keys.Delete)
-		}
-		if row.Restorable {
-			bindings = append(bindings, m.keys.Restore)
-		}
-	}
-	bindings = append(bindings, m.keys.Back)
-	return bindings
-}
-
 func (r initInventoryRow) primaryAction() initInventoryAction {
 	if r.PrimaryAction != initInventoryActionNone {
 		return r.PrimaryAction
diff --git a/internal/cmd/credentialcmd/init_repository_access_editor.go b/internal/cmd/credentialcmd/init_repository_access_editor.go
index 324097d9..eede39b5 100644
--- a/internal/cmd/credentialcmd/init_repository_access_editor.go
+++ b/internal/cmd/credentialcmd/init_repository_access_editor.go
@@ -37,7 +37,7 @@ const initConfigureNewRepositoryAccessSelection = "__configure_new_repository_ac
 const initRepositoryAccessRestoreSelectionPrefix = "__restore_repository_access__:"
 
 var initRepositoryAccessGitConfigValue = func(key string) string {
-	out, err := exec.Command("git", "config", "--get", key).Output()
+	out, err := exec.Command("git", "config", "--get", key).Output() // #nosec G204 -- callers pass fixed git config keys only.
 	if err != nil {
 		return ""
 	}
@@ -88,7 +88,7 @@ func (p huhInitRepositoryAccessPrompter) runRepositoryAccessEditor(editor initLi
 	return model, nil
 }
 
-func initRepositoryAccessLinearEditor(ctx initPromptContext, seed initDraft) initLinearEditor {
+func initRepositoryAccessLinearEditor(ctx initPromptContext, _ initDraft) initLinearEditor {
 	options := initRepositoryAccessSelectionOptionsForContext(ctx)
 	selection := initRepositoryAccessDefaultSelection(ctx, options)
 	scope := initRepositoryAccessScopeForSelection(ctx, selection)
@@ -120,6 +120,7 @@ func initRepositoryAccessLinearEditor(ctx initPromptContext, seed initDraft) ini
 			if index < 0 || index >= len(model.document) {
 				return
 			}
+			//nolint:exhaustive // This repository-access editor reacts only to fields that affect derived repository-access state.
 			switch model.document[index].ID {
 			case initRepositoryAccessFieldSelection:
 				initRepositoryAccessSyncFields(model, ctx)
@@ -138,6 +139,8 @@ func initRepositoryAccessLinearEditor(ctx initPromptContext, seed initDraft) ini
 				initRepositoryAccessRefreshCredentialStatus(model, ctx)
 			case initRepositoryAccessFieldGitToken, initRepositoryAccessFieldGitHubAppPrivateKey:
 				initRepositoryAccessRefreshCredentialStatus(model, ctx)
+			default:
+				return
 			}
 		},
 		OnEnter: func(model *initLinearEditorModel) (bool, tea.Cmd) {
@@ -370,17 +373,6 @@ func initRepositoryAccessClearCredentialFieldValues(model *initLinearEditorModel
 	}
 }
 
-func initRepositoryAccessCredentialFieldKey(id initLinearFieldID) string {
-	switch id {
-	case initRepositoryAccessFieldGitToken:
-		return credentials.GitTokenKey
-	case initRepositoryAccessFieldGitHubAppPrivateKey:
-		return credentials.GitHubAppPrivateKeyKey
-	default:
-		return ""
-	}
-}
-
 func initRepositoryAccessCredentialFieldID(key string) initLinearFieldID {
 	switch key {
 	case credentials.GitTokenKey:
diff --git a/internal/config/config.go b/internal/config/config.go
index a9eff587..549461cb 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -1833,6 +1833,8 @@ func suggestedReviewerEntityName(profileName string, entity ReviewerEntity) stri
 		return "reviewer-github-app"
 	case GitAuthModePAT:
 		return "reviewer-pat"
+	case GitAuthModeOAuthDevice:
+		return "reviewer-oauth-device"
 	}
 	return "reviewer-entity"
 }
diff --git a/internal/gitprovider/github/app_auth_test.go b/internal/gitprovider/github/app_auth_test.go
index ef7bcb17..09c3e4ee 100644
--- a/internal/gitprovider/github/app_auth_test.go
+++ b/internal/gitprovider/github/app_auth_test.go
@@ -307,7 +307,7 @@ func githubAppGitConfigWithAppID(ref string, appID string) config.GitConfig {
 	}
 }
 
-func githubAppStore(_ *testing.T, profile, appID, privateKey string) tokenStore {
+func githubAppStore(_ *testing.T, profile, _ string, privateKey string) tokenStore {
 	values := map[string]string{
 		credentials.GitHubAppPrivateKeyKey: privateKey,
 	}