diff --git a/README.md b/README.md
index a05972d..5fb3141 100644
--- a/README.md
+++ b/README.md
@@ -37,6 +37,10 @@ browser acts as the runtime host for render, lint, and typecheck flows.
 - Live IDE: https://knightedcodemonkey.github.io/develop/
 - Source repository: https://github.com/knightedcodemonkey/develop
 
+## BYOT Guide
+
+- GitHub PAT setup and usage: [docs/byot.md](docs/byot.md)
+
 ## License
 
 MIT
diff --git a/docs/byot.md b/docs/byot.md
new file mode 100644
index 0000000..41a4c86
--- /dev/null
+++ b/docs/byot.md
@@ -0,0 +1,67 @@
+# BYOT Setup for GitHub in @knighted/develop
+
+This guide explains how to create and use a fine-grained GitHub Personal Access Token (PAT) for the BYOT flow in `@knighted/develop`.
+
+## What BYOT does in the app
+
+When the AI/BYOT feature is enabled, the token is used to:
+
+- authenticate GitHub API requests
+- load repositories where you have write access
+- let you choose which repository to work with
+
+As additional AI/PR features roll out, the same token is also used for model and repository operations that require the configured permissions.
+
+## Privacy and storage behavior
+
+- Your token is stored only in your browser `localStorage`.
+- The token is never sent to any service except the GitHub endpoints required by the feature.
+- You can remove it at any time using the delete button in the BYOT controls.
+
+## Enable the BYOT feature
+
+Use one of these options:
+
+1. Add `?feature-ai=true` to the app URL.
+2. Set `localStorage` key `knighted:develop:feature:ai-assistant` to `true`.
+
+## Create a fine-grained PAT
+
+Create a fine-grained PAT in GitHub settings and grant the permissions below.
+
+- Repository permissions screenshot: [docs/media/byot-repo-perms.png](docs/media/byot-repo-perms.png)
+- Models permission screenshot: [docs/media/byot-model-perms.png](docs/media/byot-model-perms.png)
+
+<img src="media/byot-repo-perms.png" alt="Repository PAT permissions" width="560" />
+<img src="media/byot-model-perms.png" alt="Models PAT permission" width="560" />
+
+### Repository permissions
+
+- Contents: Read and write
+- Pull requests: Read and write
+- Metadata: Read-only (required)
+
+### Account permissions
+
+- Models: Read-only
+
+### Repository access scope
+
+Use either of these scopes depending on your needs:
+
+- Only select repositories
+- All repositories
+
+`@knighted/develop` will only show repositories where your token has write access.
+
+## Recommended setup flow
+
+1. Create token with the permissions above.
+2. Open `@knighted/develop` with `?feature-ai=true`.
+3. Paste token into the BYOT input and click add.
+4. Verify repository list loads.
+5. Select your target repository.
+
+## Screenshots
+
+The screenshots above show the recommended repository and account permission settings.
diff --git a/docs/media/byot-model-perms.png b/docs/media/byot-model-perms.png
new file mode 100644
index 0000000..e29ebf2
Binary files /dev/null and b/docs/media/byot-model-perms.png differ
diff --git a/docs/media/byot-repo-perms.png b/docs/media/byot-repo-perms.png
new file mode 100644
index 0000000..e9f4631
Binary files /dev/null and b/docs/media/byot-repo-perms.png differ
diff --git a/docs/next-steps.md b/docs/next-steps.md
index 9a32b0a..fd76952 100644
--- a/docs/next-steps.md
+++ b/docs/next-steps.md
@@ -18,3 +18,19 @@ Focused follow-up work for `@knighted/develop`.
    - Ensure the deterministic lane still exercises the same user-facing flows (render, typecheck, lint, diagnostics drawer/button states), only swapping the source of runtime artifacts.
    - Suggested implementation prompt:
      - "Add a deterministic E2E execution mode for `@knighted/develop` that serves pinned runtime artifacts locally (instead of live CDN fetches) and wire it into CI as a required check on every PR. Keep a separate lightweight CDN-smoke E2E check for real-network coverage. Validate with `npm run lint`, deterministic Playwright PR checks, and one CDN-smoke Playwright run."
+
+4. **Issue #18 continuation (resume from Phase 2)**
+   - Continue the GitHub AI assistant rollout after completed Phases 0-1:
+     - Phase 0 complete: feature flag + scaffolding.
+     - Phase 1 complete: BYOT token flow, localStorage persistence, writable repo discovery/filtering.
+   - Implement the next slice first:
+     - Phase 2: chat drawer UX with streaming responses first, plus non-streaming fallback.
+     - Add selected repository state plumbing now so Phase 4 (PR write flow) can reuse it.
+     - Add README documentation for fine-grained PAT setup (reuse existing screenshots referenced in docs/byot.md).
+   - Keep behavior and constraints aligned with current implementation:
+     - Keep everything behind the existing browser-only AI feature flag.
+     - Preserve BYOT token semantics (localStorage persistence until user deletes).
+     - Keep CDN-first runtime behavior and existing fallback model.
+     - Do not add dependencies without explicit approval.
+   - Suggested implementation prompt:
+     - "Continue Issue #18 in @knighted/develop from the current Phase 1 baseline. Implement Phase 2 by adding a separate AI chat drawer with streaming response rendering (primary) and a non-streaming fallback path. Wire selected repository state as shared app state for upcoming Phase 4 PR actions. Update README with a concise fine-grained PAT setup section that links to existing BYOT screenshot assets/docs. Keep all AI/BYOT UI and behavior behind the existing browser-only feature flag, preserve current token persistence and repo filtering behavior, and validate with npm run lint plus targeted Playwright coverage for chat drawer visibility, streaming/fallback behavior, and repo-context selection plumbing."
diff --git a/playwright/app.spec.ts b/playwright/app.spec.ts
index d56316f..eb4fdb0 100644
--- a/playwright/app.spec.ts
+++ b/playwright/app.spec.ts
@@ -4,13 +4,17 @@ import type { Page } from '@playwright/test'
 const webServerMode = process.env.PLAYWRIGHT_WEB_SERVER_MODE ?? 'dev'
 const appEntryPath = webServerMode === 'preview' ? '/index.html' : '/src/index.html'
 
-const waitForInitialRender = async (page: Page) => {
-  await page.goto(appEntryPath)
+const waitForAppReady = async (page: Page, path = appEntryPath) => {
+  await page.goto(path)
   await expect(page.getByRole('heading', { name: '@knighted/develop' })).toBeVisible()
-  await expect(page.locator('#status')).toHaveText('Rendered')
   await expect(page.locator('#cdn-loading')).toHaveAttribute('hidden', '')
 }
 
+const waitForInitialRender = async (page: Page) => {
+  await waitForAppReady(page)
+  await expect(page.locator('#status')).toHaveText('Rendered')
+}
+
 const expectPreviewHasRenderedContent = async (page: Page) => {
   const previewHost = page.locator('#preview-host')
   await expect(previewHost.locator('pre')).toHaveCount(0)
@@ -126,6 +130,70 @@ const expectCollapseButtonState = async (
   }
 }
 
+test('BYOT controls stay hidden when feature flag is disabled', async ({ page }) => {
+  await waitForAppReady(page)
+
+  const byotControls = page.locator('#github-ai-controls')
+  await expect(byotControls).toHaveAttribute('hidden', '')
+  await expect(byotControls).toBeHidden()
+})
+
+test('BYOT controls render when feature flag is enabled by query param', async ({
+  page,
+}) => {
+  await waitForAppReady(page, `${appEntryPath}?feature-ai=true`)
+
+  const byotControls = page.locator('#github-ai-controls')
+  await expect(byotControls).toBeVisible()
+  await expect(page.locator('#github-token-input')).toBeVisible()
+  await expect(page.locator('#github-token-add')).toBeVisible()
+})
+
+test('BYOT remembers selected repository across reloads', async ({ page }) => {
+  await page.route('https://api.github.com/user/repos**', async route => {
+    await route.fulfill({
+      status: 200,
+      contentType: 'application/json',
+      body: JSON.stringify([
+        {
+          id: 2,
+          owner: { login: 'knightedcodemonkey' },
+          name: 'develop',
+          full_name: 'knightedcodemonkey/develop',
+          default_branch: 'main',
+          permissions: { push: true },
+        },
+        {
+          id: 1,
+          owner: { login: 'knightedcodemonkey' },
+          name: 'css',
+          full_name: 'knightedcodemonkey/css',
+          default_branch: 'main',
+          permissions: { push: true },
+        },
+      ]),
+    })
+  })
+
+  await waitForAppReady(page, `${appEntryPath}?feature-ai=true`)
+
+  await page.locator('#github-token-input').fill('github_pat_fake_1234567890')
+  await page.locator('#github-token-add').click()
+
+  const repoSelect = page.locator('#github-repo-select')
+  await expect(repoSelect).toBeEnabled()
+  await expect(page.locator('#status')).toHaveText('Loaded 2 writable repositories')
+
+  await repoSelect.selectOption('knightedcodemonkey/develop')
+  await expect(repoSelect).toHaveValue('knightedcodemonkey/develop')
+
+  await page.reload()
+  await expect(page.getByRole('heading', { name: '@knighted/develop' })).toBeVisible()
+  await expect(page.locator('#github-token-add')).toBeHidden()
+  await expect(page.locator('#github-token-delete')).toBeVisible()
+  await expect(repoSelect).toHaveValue('knightedcodemonkey/develop')
+})
+
 test('renders default playground preview', async ({ page }) => {
   await waitForInitialRender(page)
 
diff --git a/src/app.js b/src/app.js
index 9926d41..03bd803 100644
--- a/src/app.js
+++ b/src/app.js
@@ -7,6 +7,8 @@ import {
 import { createCodeMirrorEditor } from './modules/editor-codemirror.js'
 import { defaultCss, defaultJsx, defaultReactJsx } from './modules/defaults.js'
 import { createDiagnosticsUiController } from './modules/diagnostics-ui.js'
+import { isAiAssistantFeatureEnabled } from './modules/feature-flags.js'
+import { createGitHubByotControls } from './modules/github-byot-controls.js'
 import { createLayoutThemeController } from './modules/layout-theme.js'
 import { createLintDiagnosticsController } from './modules/lint-diagnostics.js'
 import { createPreviewBackgroundController } from './modules/preview-background.js'
@@ -15,6 +17,13 @@ import { createTypeDiagnosticsController } from './modules/type-diagnostics.js'
 
 const statusNode = document.getElementById('status')
 const appGrid = document.querySelector('.app-grid')
+const githubAiControls = document.getElementById('github-ai-controls')
+const githubTokenInput = document.getElementById('github-token-input')
+const githubTokenInfo = document.getElementById('github-token-info')
+const githubTokenAdd = document.getElementById('github-token-add')
+const githubTokenDelete = document.getElementById('github-token-delete')
+const githubRepoWrap = document.getElementById('github-repo-wrap')
+const githubRepoSelect = document.getElementById('github-repo-select')
 const appGridLayoutButtons = document.querySelectorAll('[data-app-grid-layout]')
 const appThemeButtons = document.querySelectorAll('[data-app-theme]')
 const editorToolsButtons = document.querySelectorAll('[data-editor-tools-toggle]')
@@ -384,6 +393,21 @@ const {
   updateUiIssueIndicators,
 } = diagnosticsUi
 
+const aiAssistantFeatureEnabled = isAiAssistantFeatureEnabled()
+
+createGitHubByotControls({
+  featureEnabled: aiAssistantFeatureEnabled,
+  controlsRoot: githubAiControls,
+  tokenInput: githubTokenInput,
+  tokenInfoButton: githubTokenInfo,
+  tokenAddButton: githubTokenAdd,
+  tokenDeleteButton: githubTokenDelete,
+  repoSelect: githubRepoSelect,
+  repoWrap: githubRepoWrap,
+  onRepositoryChange: () => {},
+  setStatus,
+})
+
 const getStyleEditorLanguage = mode => {
   if (mode === 'less') return 'less'
   if (mode === 'sass') return 'sass'
diff --git a/src/index.html b/src/index.html
index 9af6208..b5d4def 100644
--- a/src/index.html
+++ b/src/index.html
@@ -33,6 +33,78 @@ <h1>
 
     <main class="app-grid">
       <div class="app-grid-layout-controls" role="group" aria-label="App grid layout">
+        <div
+          class="app-grid-ai-controls"
+          id="github-ai-controls"
+          role="group"
+          aria-label="GitHub AI controls"
+          hidden
+        >
+          <div class="github-token-control-wrap">
+            <button
+              class="hint-icon shadow-hint github-token-info"
+              id="github-token-info"
+              type="button"
+              aria-label="About GitHub token"
+              aria-describedby="github-token-privacy-note"
+              data-tooltip="This token is stored only in your browser and is sent only to GitHub APIs you invoke."
+            >
+              i
+            </button>
+            <label class="sr-only" for="github-token-input">GitHub token</label>
+            <input
+              class="github-token-input"
+              id="github-token-input"
+              type="text"
+              autocomplete="off"
+              autocapitalize="off"
+              spellcheck="false"
+              placeholder="GitHub BYOT"
+              aria-label="GitHub token"
+              aria-describedby="github-token-privacy-note"
+            />
+            <span class="sr-only" id="github-token-privacy-note"
+              >This token is stored only in your browser and is sent only to GitHub APIs
+              you invoke.</span
+            >
+            <button
+              class="layout-toggle github-token-add"
+              id="github-token-add"
+              type="button"
+              aria-label="Add GitHub token"
+              title="Add GitHub token"
+            >
+              <svg viewBox="0 0 24 24" aria-hidden="true">
+                <path d="M12 5v14"></path>
+                <path d="M5 12h14"></path>
+              </svg>
+            </button>
+            <button
+              class="layout-toggle github-token-delete"
+              id="github-token-delete"
+              type="button"
+              aria-label="Delete GitHub token"
+              title="Delete GitHub token"
+              hidden
+            >
+              <svg viewBox="0 0 24 24" aria-hidden="true">
+                <path d="M4 7h16"></path>
+                <path d="M10 11v6"></path>
+                <path d="M14 11v6"></path>
+                <path d="M6 7l1 12a2 2 0 0 0 2 2h6a2 2 0 0 0 2-2l1-12"></path>
+                <path d="M9 7V4a1 1 0 0 1 1-1h4a1 1 0 0 1 1 1v3"></path>
+              </svg>
+            </button>
+          </div>
+
+          <div class="github-repo-wrap" id="github-repo-wrap" hidden>
+            <label class="sr-only" for="github-repo-select">Repository</label>
+            <select id="github-repo-select" aria-label="Repository" disabled>
+              <option selected>Connect a token to load repositories</option>
+            </select>
+          </div>
+        </div>
+
         <div class="app-grid-diagnostics-controls" role="group" aria-label="Diagnostics">
           <button
             class="diagnostics-toggle"
diff --git a/src/modules/feature-flags.js b/src/modules/feature-flags.js
new file mode 100644
index 0000000..6cdda16
--- /dev/null
+++ b/src/modules/feature-flags.js
@@ -0,0 +1,64 @@
+const aiFeatureStorageKey = 'knighted:develop:feature:ai-assistant'
+const aiFeatureQueryKey = 'feature-ai'
+
+const parseBooleanLikeValue = value => {
+  if (typeof value !== 'string') {
+    return null
+  }
+
+  const normalized = value.trim().toLowerCase()
+
+  if (['1', 'true', 'on', 'yes', 'enabled'].includes(normalized)) {
+    return true
+  }
+
+  if (['0', 'false', 'off', 'no', 'disabled'].includes(normalized)) {
+    return false
+  }
+
+  return null
+}
+
+const readBooleanFromLocalStorage = key => {
+  try {
+    const storedValue = localStorage.getItem(key)
+    return parseBooleanLikeValue(storedValue)
+  } catch {
+    return null
+  }
+}
+
+const readBooleanFromQueryParam = key => {
+  if (typeof window === 'undefined') {
+    return null
+  }
+
+  const params = new URLSearchParams(window.location.search)
+  if (!params.has(key)) {
+    return null
+  }
+
+  return parseBooleanLikeValue(params.get(key))
+}
+
+export const isAiAssistantFeatureEnabled = () => {
+  const queryValue = readBooleanFromQueryParam(aiFeatureQueryKey)
+  if (queryValue !== null) {
+    return queryValue
+  }
+
+  const localStorageValue = readBooleanFromLocalStorage(aiFeatureStorageKey)
+  if (localStorageValue !== null) {
+    return localStorageValue
+  }
+
+  return false
+}
+
+export const setAiAssistantFeatureEnabled = isEnabled => {
+  try {
+    localStorage.setItem(aiFeatureStorageKey, isEnabled ? 'true' : 'false')
+  } catch {
+    /* noop */
+  }
+}
diff --git a/src/modules/github-api.js b/src/modules/github-api.js
new file mode 100644
index 0000000..f9e34cb
--- /dev/null
+++ b/src/modules/github-api.js
@@ -0,0 +1,140 @@
+const githubApiBaseUrl = 'https://api.github.com'
+
+const parseNextPageUrlFromLinkHeader = linkHeader => {
+  if (typeof linkHeader !== 'string' || !linkHeader.trim()) {
+    return null
+  }
+
+  const segments = linkHeader.split(',')
+
+  for (const segment of segments) {
+    const parts = segment
+      .trim()
+      .split(';')
+      .map(part => part.trim())
+    if (parts.length < 2) {
+      continue
+    }
+
+    const urlPart = parts[0]
+    const relPart = parts[1]
+
+    if (!urlPart.startsWith('<') || !urlPart.endsWith('>')) {
+      continue
+    }
+
+    if (relPart !== 'rel="next"') {
+      continue
+    }
+
+    return urlPart.slice(1, -1)
+  }
+
+  return null
+}
+
+const normalizeRepo = repo => {
+  const owner = repo?.owner?.login
+  const name = repo?.name
+  const fullName = repo?.full_name
+
+  if (
+    typeof owner !== 'string' ||
+    typeof name !== 'string' ||
+    typeof fullName !== 'string'
+  ) {
+    return null
+  }
+
+  return {
+    id: repo.id,
+    owner,
+    name,
+    fullName,
+    defaultBranch: typeof repo.default_branch === 'string' ? repo.default_branch : 'main',
+    permissions: repo.permissions ?? {},
+    htmlUrl: typeof repo.html_url === 'string' ? repo.html_url : null,
+  }
+}
+
+const hasWritePermission = permissions => Boolean(permissions && permissions.push)
+
+const buildRequestHeaders = token => ({
+  Accept: 'application/vnd.github+json',
+  Authorization: `Bearer ${token}`,
+  'X-GitHub-Api-Version': '2022-11-28',
+})
+
+const parseErrorMessage = async response => {
+  try {
+    const body = await response.json()
+    if (body && typeof body.message === 'string' && body.message.trim()) {
+      return body.message
+    }
+  } catch {
+    /* noop */
+  }
+
+  return `GitHub API request failed with status ${response.status}`
+}
+
+const fetchJson = async ({ token, url, signal }) => {
+  const response = await fetch(url, {
+    method: 'GET',
+    headers: buildRequestHeaders(token),
+    signal,
+  })
+
+  if (!response.ok) {
+    throw new Error(await parseErrorMessage(response))
+  }
+
+  return {
+    data: await response.json(),
+    nextPageUrl: parseNextPageUrlFromLinkHeader(response.headers.get('link')),
+  }
+}
+
+const listReposPage = async ({ token, url, signal }) => {
+  const { data, nextPageUrl } = await fetchJson({ token, url, signal })
+
+  if (!Array.isArray(data)) {
+    throw new Error('Unexpected response while loading repositories from GitHub.')
+  }
+
+  return {
+    repos: data.map(normalizeRepo).filter(Boolean),
+    nextPageUrl,
+  }
+}
+
+export const listWritableRepositories = async ({ token, signal }) => {
+  if (typeof token !== 'string' || token.trim().length === 0) {
+    throw new Error('A GitHub token is required to load repositories.')
+  }
+
+  const writableRepos = []
+  const dedupeById = new Set()
+  let nextPageUrl = `${githubApiBaseUrl}/user/repos?sort=updated&per_page=100`
+  let remainingPageBudget = 10
+
+  while (nextPageUrl && remainingPageBudget > 0) {
+    /* GitHub pagination is cursor-like via Link headers, so each request depends on the previous page. */
+    // eslint-disable-next-line no-await-in-loop
+    const page = await listReposPage({ token, url: nextPageUrl, signal })
+    for (const repo of page.repos) {
+      if (!hasWritePermission(repo.permissions) || dedupeById.has(repo.id)) {
+        continue
+      }
+      dedupeById.add(repo.id)
+      writableRepos.push(repo)
+    }
+
+    nextPageUrl = page.nextPageUrl
+    remainingPageBudget -= 1
+  }
+
+  writableRepos.sort((left, right) => left.fullName.localeCompare(right.fullName))
+
+  return writableRepos
+}
diff --git a/src/modules/github-byot-controls.js b/src/modules/github-byot-controls.js
new file mode 100644
index 0000000..ad00c3e
--- /dev/null
+++ b/src/modules/github-byot-controls.js
@@ -0,0 +1,454 @@
+import {
+  clearGitHubToken,
+  loadGitHubToken,
+  maskGitHubToken,
+  saveGitHubToken,
+} from './github-token-store.js'
+import { listWritableRepositories } from './github-api.js'
+
+const selectedRepositoryStorageKey = 'knighted:develop:github-repository'
+
+const loadSelectedRepository = () => {
+  try {
+    return localStorage.getItem(selectedRepositoryStorageKey)
+  } catch {
+    return null
+  }
+}
+
+const saveSelectedRepository = fullName => {
+  try {
+    localStorage.setItem(selectedRepositoryStorageKey, fullName)
+  } catch {
+    /* noop */
+  }
+}
+
+const clearSelectedRepository = () => {
+  try {
+    localStorage.removeItem(selectedRepositoryStorageKey)
+  } catch {
+    /* noop */
+  }
+}
+
+const createDefaultRepoOption = ({
+  label,
+  disabled = false,
+  selected = true,
+  value = '',
+}) => {
+  const option = document.createElement('option')
+  option.value = value
+  option.textContent = label
+  option.disabled = disabled
+  option.selected = selected
+  return option
+}
+
+export const createGitHubByotControls = ({
+  featureEnabled,
+  controlsRoot,
+  tokenInput,
+  tokenInfoButton,
+  tokenAddButton,
+  tokenDeleteButton,
+  repoSelect,
+  repoWrap,
+  onRepositoryChange,
+  setStatus,
+}) => {
+  if (!featureEnabled) {
+    controlsRoot?.setAttribute('hidden', '')
+    return {
+      getSelectedRepository: () => null,
+      getToken: () => null,
+    }
+  }
+
+  let savedToken = loadGitHubToken()
+  let currentRepoRequestAbortController = null
+  let displayingMaskedToken = false
+  let writableRepos = []
+  let addButtonResetTimer = null
+  let lastSelectedRepository = loadSelectedRepository()
+
+  const tokenAddPlusIcon = `
+    <svg viewBox="0 0 24 24" aria-hidden="true">
+      <path d="M12 5v14"></path>
+      <path d="M5 12h14"></path>
+    </svg>
+  `
+
+  const tokenAddCheckIcon = `
+    <svg viewBox="0 0 24 24" aria-hidden="true">
+      <path d="m5 13 4 4L19 7"></path>
+    </svg>
+  `
+
+  const clearAddButtonResetTimer = () => {
+    if (addButtonResetTimer) {
+      clearTimeout(addButtonResetTimer)
+      addButtonResetTimer = null
+    }
+  }
+
+  const setTokenFieldLockState = isLocked => {
+    if (!tokenInput) {
+      return
+    }
+
+    tokenInput.readOnly = isLocked
+    tokenInput.disabled = isLocked
+    tokenInput.dataset.tokenState = isLocked ? 'locked' : 'editable'
+  }
+
+  const updateTokenActionVisibility = () => {
+    const hasProvidedToken =
+      typeof savedToken === 'string' && savedToken.trim().length > 0
+
+    if (tokenAddButton instanceof HTMLButtonElement) {
+      tokenAddButton.hidden = hasProvidedToken
+    }
+
+    if (tokenDeleteButton instanceof HTMLButtonElement) {
+      tokenDeleteButton.hidden = !hasProvidedToken
+    }
+  }
+
+  const setTokenAddButtonState = state => {
+    if (!(tokenAddButton instanceof HTMLButtonElement)) {
+      return
+    }
+
+    tokenAddButton.dataset.state = state
+
+    if (state === 'success') {
+      tokenAddButton.innerHTML = tokenAddCheckIcon
+      tokenAddButton.setAttribute('aria-label', 'GitHub token added')
+      tokenAddButton.setAttribute('title', 'GitHub token added')
+      return
+    }
+
+    tokenAddButton.innerHTML = tokenAddPlusIcon
+    tokenAddButton.setAttribute('aria-label', 'Add GitHub token')
+    tokenAddButton.setAttribute('title', 'Add GitHub token')
+  }
+
+  const updateTokenAddButtonState = () => {
+    if (!(tokenAddButton instanceof HTMLButtonElement) || !tokenInput) {
+      return
+    }
+
+    if (tokenAddButton.hidden) {
+      tokenAddButton.disabled = true
+      return
+    }
+
+    if (tokenAddButton.dataset.state === 'loading') {
+      tokenAddButton.disabled = true
+      return
+    }
+
+    tokenAddButton.disabled =
+      displayingMaskedToken || tokenInput.value.trim().length === 0
+  }
+
+  const setTokenFieldToMasked = ({ locked }) => {
+    if (!tokenInput || !savedToken) {
+      return
+    }
+
+    displayingMaskedToken = true
+    tokenInput.value = maskGitHubToken(savedToken)
+    tokenInput.setAttribute('aria-label', 'GitHub token saved. Delete token to replace')
+    setTokenFieldLockState(locked)
+    updateTokenAddButtonState()
+  }
+
+  const clearRepoOptions = placeholderLabel => {
+    if (!(repoSelect instanceof HTMLSelectElement)) {
+      return
+    }
+
+    repoSelect.replaceChildren(createDefaultRepoOption({ label: placeholderLabel }))
+    repoSelect.disabled = true
+  }
+
+  const showRepoControl = shouldShow => {
+    if (!repoWrap) {
+      return
+    }
+
+    repoWrap.hidden = !shouldShow
+  }
+
+  const renderRepoOptions = repos => {
+    if (!(repoSelect instanceof HTMLSelectElement)) {
+      return
+    }
+
+    if (repos.length === 0) {
+      repoSelect.replaceChildren(
+        createDefaultRepoOption({
+          label: 'No writable repositories available',
+          disabled: true,
+        }),
+      )
+      repoSelect.disabled = true
+      return
+    }
+
+    const hasStoredSelection =
+      typeof lastSelectedRepository === 'string' &&
+      repos.some(repo => repo.fullName === lastSelectedRepository)
+
+    const selectedRepositoryFullName = hasStoredSelection
+      ? lastSelectedRepository
+      : repos[0].fullName
+
+    const options = repos.map(repo => {
+      const option = document.createElement('option')
+      option.value = repo.fullName
+      option.textContent = repo.fullName
+      option.dataset.owner = repo.owner
+      option.dataset.name = repo.name
+      option.dataset.defaultBranch = repo.defaultBranch
+      option.selected = repo.fullName === selectedRepositoryFullName
+      return option
+    })
+
+    repoSelect.replaceChildren(...options)
+    repoSelect.disabled = false
+    repoSelect.value = selectedRepositoryFullName
+    lastSelectedRepository = selectedRepositoryFullName
+    saveSelectedRepository(selectedRepositoryFullName)
+  }
+
+  const abortInFlightRepoRequest = () => {
+    currentRepoRequestAbortController?.abort()
+    currentRepoRequestAbortController = null
+  }
+
+  const emitSelectedRepository = () => {
+    if (
+      typeof onRepositoryChange !== 'function' ||
+      !(repoSelect instanceof HTMLSelectElement)
+    ) {
+      return
+    }
+
+    const selectedOption = repoSelect.selectedOptions[0]
+    if (!selectedOption || !selectedOption.value) {
+      onRepositoryChange(null)
+      clearSelectedRepository()
+      lastSelectedRepository = null
+      return
+    }
+
+    saveSelectedRepository(selectedOption.value)
+    lastSelectedRepository = selectedOption.value
+
+    onRepositoryChange({
+      fullName: selectedOption.value,
+      owner: selectedOption.dataset.owner ?? '',
+      name: selectedOption.dataset.name ?? '',
+      defaultBranch: selectedOption.dataset.defaultBranch ?? 'main',
+    })
+  }
+
+  const loadWritableRepos = async token => {
+    abortInFlightRepoRequest()
+    const requestAbortController = new AbortController()
+    currentRepoRequestAbortController = requestAbortController
+    clearAddButtonResetTimer()
+    setTokenAddButtonState('loading')
+
+    clearRepoOptions('Loading writable repositories...')
+    showRepoControl(true)
+    setStatus('Loading writable repositories from GitHub...', 'pending')
+
+    try {
+      const repos = await listWritableRepositories({
+        token,
+        signal: requestAbortController.signal,
+      })
+
+      if (currentRepoRequestAbortController !== requestAbortController) {
+        return { ok: false, repos: [] }
+      }
+
+      writableRepos = repos
+      renderRepoOptions(repos)
+      emitSelectedRepository()
+      setTokenAddButtonState('success')
+      clearAddButtonResetTimer()
+      addButtonResetTimer = setTimeout(() => {
+        setTokenAddButtonState('idle')
+        updateTokenActionVisibility()
+        setTokenFieldLockState(true)
+        updateTokenAddButtonState()
+      }, 1600)
+
+      if (repos.length > 0) {
+        setStatus(`Loaded ${repos.length} writable repositories`, 'neutral')
+      } else {
+        setStatus('Token is valid, but no writable repositories were found', 'error')
+      }
+
+      return { ok: true, repos }
+    } catch (error) {
+      if (requestAbortController.signal.aborted) {
+        return { ok: false, repos: [] }
+      }
+
+      writableRepos = []
+      renderRepoOptions([])
+      showRepoControl(false)
+      setStatus(
+        error instanceof Error
+          ? `GitHub token validation failed: ${error.message}`
+          : 'GitHub token validation failed',
+        'error',
+      )
+      setTokenAddButtonState('idle')
+      updateTokenActionVisibility()
+      setTokenFieldLockState(false)
+      updateTokenAddButtonState()
+
+      return { ok: false, repos: [] }
+    }
+  }
+
+  const syncSavedTokenUi = () => {
+    if (!tokenInput) {
+      return
+    }
+
+    if (savedToken) {
+      updateTokenActionVisibility()
+      setTokenFieldToMasked({ locked: true })
+      showRepoControl(false)
+      return
+    }
+
+    displayingMaskedToken = false
+    tokenInput.value = ''
+    tokenInput.setAttribute('aria-label', 'GitHub token')
+    setTokenFieldLockState(false)
+    updateTokenActionVisibility()
+    showRepoControl(false)
+    clearRepoOptions('Connect a token to load repositories')
+    updateTokenAddButtonState()
+  }
+
+  const persistAndLoadToken = async token => {
+    if (displayingMaskedToken) {
+      setStatus('Delete the saved token before adding a new one', 'neutral')
+      return
+    }
+
+    const trimmedToken = token.trim()
+
+    if (!trimmedToken) {
+      setStatus('Enter a GitHub token before adding it', 'error')
+      return
+    }
+
+    const previousToken = savedToken
+    const result = await loadWritableRepos(trimmedToken)
+
+    if (!result.ok) {
+      savedToken = previousToken
+      displayingMaskedToken = false
+      setTokenFieldLockState(false)
+      updateTokenAddButtonState()
+      return
+    }
+
+    const tokenSaved = saveGitHubToken(trimmedToken)
+    if (!tokenSaved) {
+      setStatus(
+        'Token is valid, but could not be saved in this browser context. You can still continue for this session.',
+        'error',
+      )
+      savedToken = previousToken
+      displayingMaskedToken = false
+      tokenInput.value = trimmedToken
+      tokenInput.setAttribute('aria-label', 'GitHub token')
+      setTokenFieldLockState(false)
+      updateTokenActionVisibility()
+      updateTokenAddButtonState()
+      return
+    }
+
+    savedToken = trimmedToken
+    setTokenFieldToMasked({ locked: true })
+  }
+
+  tokenInput?.addEventListener('input', () => {
+    updateTokenAddButtonState()
+  })
+
+  tokenAddButton?.addEventListener('click', () => {
+    void persistAndLoadToken(tokenInput?.value ?? '')
+  })
+
+  tokenInput?.addEventListener('keydown', event => {
+    if (event.key !== 'Enter') {
+      return
+    }
+
+    event.preventDefault()
+    void persistAndLoadToken(tokenInput.value)
+  })
+
+  tokenDeleteButton?.addEventListener('click', () => {
+    abortInFlightRepoRequest()
+    clearAddButtonResetTimer()
+    setTokenAddButtonState('idle')
+    savedToken = null
+    writableRepos = []
+    clearSelectedRepository()
+    lastSelectedRepository = null
+    clearGitHubToken()
+    onRepositoryChange?.(null)
+    syncSavedTokenUi()
+    setStatus('GitHub token removed', 'neutral')
+  })
+
+  tokenInfoButton?.setAttribute('aria-expanded', 'false')
+  updateTokenActionVisibility()
+  setTokenAddButtonState('idle')
+  setTokenFieldLockState(false)
+  updateTokenAddButtonState()
+
+  repoSelect?.addEventListener('change', () => {
+    emitSelectedRepository()
+  })
+
+  controlsRoot?.removeAttribute('hidden')
+  syncSavedTokenUi()
+
+  if (savedToken) {
+    setTokenFieldToMasked({ locked: true })
+    void loadWritableRepos(savedToken).then(result => {
+      if (!result.ok) {
+        savedToken = null
+        clearGitHubToken()
+        syncSavedTokenUi()
+      }
+    })
+  }
+
+  return {
+    getSelectedRepository: () => {
+      const fullName = repoSelect?.value
+      if (!fullName) {
+        return null
+      }
+      return writableRepos.find(repo => repo.fullName === fullName) ?? null
+    },
+    getToken: () => savedToken,
+  }
+}
diff --git a/src/modules/github-token-store.js b/src/modules/github-token-store.js
new file mode 100644
index 0000000..969f1c3
--- /dev/null
+++ b/src/modules/github-token-store.js
@@ -0,0 +1,60 @@
+const githubTokenStorageKey = 'knighted:develop:github-pat'
+
+const safelyGetItem = key => {
+  try {
+    return localStorage.getItem(key)
+  } catch {
+    return null
+  }
+}
+
+const safelySetItem = (key, value) => {
+  try {
+    localStorage.setItem(key, value)
+    return true
+  } catch {
+    return false
+  }
+}
+
+const safelyRemoveItem = key => {
+  try {
+    localStorage.removeItem(key)
+  } catch {
+    /* noop */
+  }
+}
+
+export const loadGitHubToken = () => safelyGetItem(githubTokenStorageKey)
+
+export const saveGitHubToken = token => {
+  if (typeof token !== 'string') {
+    return false
+  }
+
+  const normalizedToken = token.trim()
+  if (!normalizedToken) {
+    return false
+  }
+
+  return safelySetItem(githubTokenStorageKey, normalizedToken)
+}
+
+export const clearGitHubToken = () => {
+  safelyRemoveItem(githubTokenStorageKey)
+}
+
+export const maskGitHubToken = token => {
+  if (typeof token !== 'string') {
+    return ''
+  }
+
+  const normalizedToken = token.trim()
+  if (normalizedToken.length <= 8) {
+    return '*'.repeat(Math.max(0, normalizedToken.length))
+  }
+
+  return `${normalizedToken.slice(0, 4)}${'*'.repeat(
+    normalizedToken.length - 8,
+  )}${normalizedToken.slice(-4)}`
+}
diff --git a/src/styles.css b/src/styles.css
index 2e03fee..6cc0351 100644
--- a/src/styles.css
+++ b/src/styles.css
@@ -1,5 +1,6 @@
 @import './styles/base.css';
 @import './styles/layout-shell.css';
+@import './styles/ai-controls.css';
 @import './styles/panels-editor.css';
 @import './styles/diagnostics.css';
 @import './styles/preview-controls.css';
diff --git a/src/styles/ai-controls.css b/src/styles/ai-controls.css
new file mode 100644
index 0000000..56a82b3
--- /dev/null
+++ b/src/styles/ai-controls.css
@@ -0,0 +1,181 @@
+.app-grid-layout-controls {
+  flex-wrap: wrap;
+  position: relative;
+  z-index: 40;
+}
+
+.app-grid-ai-controls {
+  display: inline-flex;
+  align-items: center;
+  gap: 10px;
+  margin-right: 6px;
+  padding-right: 12px;
+  border-right: 1px solid var(--border-subtle);
+}
+
+.app-grid-ai-controls[hidden] {
+  display: none !important;
+}
+
+.app-grid-ai-controls .layout-toggle[hidden] {
+  display: none !important;
+}
+
+.github-token-control-wrap {
+  position: relative;
+  display: inline-flex;
+  align-items: center;
+  gap: 8px;
+}
+
+.github-token-input {
+  width: 170px;
+  min-width: 0;
+  border: 1px solid color-mix(in srgb, var(--border-control) 72%, white 28%);
+  border-radius: 10px;
+  background: color-mix(in srgb, var(--surface-select) 74%, white 16%);
+  color: var(--select-text);
+  padding: 8px 10px;
+  font-size: 0.8rem;
+  box-shadow: inset 0 1px 0 color-mix(in srgb, var(--border-subtle) 70%, transparent);
+}
+
+.github-token-input[data-token-state='editable'] {
+  background: color-mix(in srgb, var(--surface-select) 74%, white 16%);
+  border-color: color-mix(in srgb, var(--border-control) 72%, white 28%);
+  color: var(--select-text);
+}
+
+.github-token-input[data-token-state='locked'] {
+  background: color-mix(in srgb, var(--surface-control) 82%, var(--surface-panel-header));
+  border-color: color-mix(in srgb, var(--border-control) 88%, transparent);
+  color: color-mix(in srgb, var(--text-muted) 78%, var(--panel-text));
+  box-shadow: none;
+}
+
+.github-token-input:disabled {
+  opacity: 1;
+  cursor: not-allowed;
+}
+
+.github-token-input::placeholder {
+  color: color-mix(in srgb, var(--text-muted) 88%, transparent);
+}
+
+.github-token-input:focus-visible {
+  outline: 2px solid var(--focus-ring);
+  outline-offset: 1px;
+}
+
+.github-token-delete {
+  width: 32px;
+  height: 32px;
+}
+
+.github-token-add {
+  width: 28px;
+  height: 32px;
+  border-radius: 9px;
+}
+
+.github-token-info {
+  align-self: flex-start;
+}
+
+.github-token-delete svg {
+  width: 14px;
+  height: 14px;
+}
+
+.github-token-add svg {
+  width: 14px;
+  height: 14px;
+}
+
+.github-token-info.shadow-hint::after {
+  right: auto;
+  left: 0;
+  z-index: 80;
+}
+
+.github-token-add[data-state='loading'] svg {
+  opacity: 0.75;
+}
+
+.github-token-add[data-state='success'] {
+  border-color: color-mix(in srgb, #22c55e 62%, var(--border-control));
+  background: color-mix(in srgb, #22c55e 16%, transparent);
+  color: color-mix(in srgb, #22c55e 85%, var(--panel-text));
+}
+
+.github-token-add[data-state='success'] svg {
+  animation: github-token-success-pop 260ms ease-out;
+}
+
+@keyframes github-token-success-pop {
+  0% {
+    transform: scale(0.8);
+    opacity: 0.4;
+  }
+
+  65% {
+    transform: scale(1.12);
+    opacity: 1;
+  }
+
+  100% {
+    transform: scale(1);
+    opacity: 1;
+  }
+}
+
+.github-repo-wrap select {
+  appearance: none;
+  -webkit-appearance: none;
+  background-color: var(--surface-select);
+  background-image: url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='10' height='6' viewBox='0 0 10 6'%3E%3Cpath fill='currentColor' d='M1.2 0 5 3.8 8.8 0 10 1.2 5 6 0 1.2z'/%3E%3C/svg%3E");
+  background-repeat: no-repeat;
+  background-position: right 10px center;
+  color: var(--select-text);
+  border: 1px solid var(--border-control);
+  border-radius: 8px;
+  padding: 6px 30px 6px 10px;
+  color-scheme: var(--control-color-scheme);
+  min-width: 240px;
+  max-width: min(360px, 40vw);
+}
+
+.github-repo-wrap select:focus-visible {
+  outline: 2px solid var(--focus-ring);
+  outline-offset: 1px;
+}
+
+.github-repo-wrap select option,
+.github-repo-wrap select optgroup {
+  background: var(--surface-select-option);
+  color: var(--select-option-text);
+}
+
+.github-repo-wrap select option:disabled {
+  color: var(--select-option-disabled);
+}
+
+@media (max-width: 900px) {
+  .app-grid-ai-controls {
+    margin-right: 8px;
+    padding-right: 8px;
+    border-right: 1px solid var(--border-subtle);
+    width: 100%;
+    justify-content: flex-start;
+    order: 3;
+  }
+
+  .github-token-input {
+    width: min(56vw, 220px);
+  }
+
+  .github-repo-wrap select {
+    min-width: min(84vw, 320px);
+    max-width: min(84vw, 320px);
+  }
+}
diff --git a/src/styles/diagnostics.css b/src/styles/diagnostics.css
index 225cf7f..ee8e1e2 100644
--- a/src/styles/diagnostics.css
+++ b/src/styles/diagnostics.css
@@ -155,7 +155,7 @@
   box-shadow: 0 20px 40px var(--shadow-elev-1);
   backdrop-filter: blur(8px);
   overflow: auto;
-  z-index: 25;
+  z-index: 90;
 }
 
 .diagnostics-drawer__header {