diff --git a/.github/workflows/pr-pii-check.yml b/.github/workflows/pr-pii-check.yml
new file mode 100644
index 0000000..f038b65
--- /dev/null
+++ b/.github/workflows/pr-pii-check.yml
@@ -0,0 +1,48 @@
+name: PR PII Check
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+  pull_request_review_comment:
+    types: [created, edited]
+
+permissions:
+  pull-requests: read
+
+jobs:
+  check-pii:
+    name: Check for PII in PR
+    runs-on: ubuntu-latest
+    if: >-
+      github.event_name == 'pull_request' ||
+      github.event_name == 'pull_request_review_comment'
+    steps:
+      - name: Check PR description for PII
+        if: github.event_name == 'pull_request'
+        env:
+          PR_BODY: ${{ github.event.pull_request.body }}
+        run: |
+          echo "Checking PR description for PII patterns..."
+          printenv PR_BODY > /tmp/pr_body.txt
+          sed -i 's/\r$//' /tmp/pr_body.txt
+          # Strip system-appended footers before scanning
+          sed -i '/^Link to Devin session:/,$d' /tmp/pr_body.txt
+          sed -i '/^<!-- devin-review-badge/,$d' /tmp/pr_body.txt
+          if grep -qPi '^\s*requested\s+by\s*:\s*\S' /tmp/pr_body.txt; then
+            echo "::error::PR description contains 'Requested by' PII. Remove it before merging."
+            echo "To bulk-fix existing PRs: ./scripts/sanitize-pr-pii.sh <ORG>"
+            exit 1
+          fi
+          echo "No PII found in PR description."
+
+      - name: Check comment for PII
+        if: github.event_name == 'pull_request_review_comment'
+        env:
+          COMMENT_BODY: ${{ github.event.comment.body }}
+        run: |
+          echo "Checking comment for PII patterns..."
+          if printf '%s\n' "$COMMENT_BODY" | grep -qPi '^\s*requested\s+by\s*:\s*\S'; then
+            echo "::error::Comment contains 'Requested by' PII. Edit the comment to remove it."
+            exit 1
+          fi
+          echo "No PII found in comment."
diff --git a/README.md b/README.md
index b3a7ea5..150cff9 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,299 @@
-# bootstrap
-Mirrors Cognition Partner Workshops so you can run this yourself
+# Workshop Operator Guide
+
+Automate the provisioning and teardown of Devin Enterprise workshops using the Devin v3 API. This repo contains scripts and documentation for workshop hosts who need to stand up isolated participant environments backed by a mirror GitHub org.
+
+## Architecture Overview
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│                   Devin Enterprise                          │
+│                                                             │
+│  ┌──────────────┐   ┌──────────────┐   ┌──────────────┐   │
+│  │  Source Org   │   │  Mirror Org  │   │  Workshop Org│   │
+│  │  (Demo)       │   │  (template)  │   │  (per-event) │   │
+│  └──────┬───────┘   └──────┬───────┘   └──────┬───────┘   │
+│         │                  │                   │            │
+│         ▼                  ▼                   ▼            │
+│  Cognition-Partner-  Cognition-Partner-   Created per      │
+│  Workshops (GH org)  Workshops-mirror     workshop via API │
+│                      (GH org)                              │
+└─────────────────────────────────────────────────────────────┘
+```
+
+**Source org** (`Cognition-Partner-Workshops`) — canonical repos with workshop content.
+**Mirror org** (`Cognition-Partner-Workshops-mirror`) — GitHub org with mirrored repos that the Devin Enterprise GitHub App is installed on. Repos here are copied from the source org before each event.
+**Workshop org** — a Devin org created per workshop event via API. Participants use this org. It gets git permissions scoped to the mirror GitHub org repos, ACU limits, and environment configs set up by Devin sessions.
+
+## Prerequisites
+
+| Requirement | Description |
+|---|---|
+| **Enterprise Service User API Key** | A `cog_`-prefixed key with enterprise admin permissions (`ManageOrganizations`, `ManageGitIntegrations`, `ManageOrgSessions`, `ImpersonateOrgSessions`, `ManageAccountMembership`) |
+| **GitHub App** | The Devin GitHub App installed on `Cognition-Partner-Workshops-mirror` with access to the repos needed for the workshop |
+| **Mirror GitHub Org** | Repos from `Cognition-Partner-Workshops` mirrored into `Cognition-Partner-Workshops-mirror` |
+| **Workshop metadata** | An event README in `workshop-metadata/events/<event-dir>/` listing the repos required |
+| **jq** | JSON processor (used by all scripts) |
+| **curl** | HTTP client |
+| **gh CLI** | GitHub CLI (used by mirror and cleanup scripts; requires `repo`, `admin:org`, `pull-request` scopes) |
+
+## Quick Start
+
+```bash
+# 1. Set your API key
+export DEVIN_API_KEY="cog_your_enterprise_service_user_key"
+
+# 2. Verify authentication
+./scripts/verify-auth.sh
+
+# 3. Provision a workshop (creates org, sets permissions, invokes setup sessions)
+./scripts/provision-workshop.sh --config configs/dc-april-2026.json
+
+# 4. After the workshop, clean up the GitHub org
+./scripts/cleanup-all.sh Cognition-Partner-Workshops-mirror
+
+# 5. Tear down the Devin org
+./scripts/teardown-workshop.sh --org-id org-xxxxx
+```
+
+## Directory Structure
+
+```
+operator/
+├── README.md                          # This guide
+├── configs/
+│   ├── _template.json                 # Template for workshop event configs
+│   └── dc-april-2026.json            # Example: DC April 2026 workshop
+├── scripts/
+│   ├── verify-auth.sh                 # Verify API key and list enterprise state
+│   ├── provision-workshop.sh          # End-to-end: create org → permissions → invites → sessions
+│   ├── teardown-workshop.sh           # Remove org and clean up permissions
+│   ├── invite-participants.sh         # Invite users by email to an org
+│   ├── mirror-github-org.sh           # Mirror repos between GitHub orgs
+│   ├── cleanup-all.sh                 # Run all post-workshop cleanup tasks
+│   ├── sanitize-pr-pii.sh            # Remove "Requested by" PII from PRs
+│   ├── close-old-prs.sh              # Close open PRs older than N weeks
+│   ├── delete-stale-branches.sh       # Delete branches with no recent commits
+│   ├── deploy-pr-pii-check.sh        # Deploy PII check CI workflow to all repos
+│   └── lib/
+│       ├── common.sh                  # Shared functions (API calls, logging, config)
+│       ├── manage-org.sh             # Create/update/delete/list organizations
+│       ├── manage-repos.sh           # Git permission management (add/replace/clear)
+│       ├── manage-members.sh         # Invite users, assign to orgs
+│       └── invoke-setup.sh           # Create Devin sessions to configure env YAML
+├── .github/workflows/
+│   └── pr-pii-check.yml             # CI workflow to block PRs with PII
+└── docs/
+    └── api-reference-cheatsheet.md    # Quick reference for all v3 API endpoints used
+```
+
+## Workflow
+
+### Phase 1: Pre-Workshop Setup (1-2 days before)
+
+#### 1.1 Mirror Repos to the Mirror GitHub Org
+
+Repos from `Cognition-Partner-Workshops` must exist in `Cognition-Partner-Workshops-mirror`. Use `scripts/mirror-github-org.sh`:
+
+```bash
+# Mirror all repos (skips existing by default, strips CI workflows)
+./scripts/mirror-github-org.sh Cognition-Partner-Workshops Cognition-Partner-Workshops-mirror
+
+# Mirror only use-case repos
+./scripts/mirror-github-org.sh Cognition-Partner-Workshops Cognition-Partner-Workshops-mirror \
+  --include="uc-*"
+
+# Mirror from a workshop config file
+./scripts/mirror-github-org.sh Cognition-Partner-Workshops Cognition-Partner-Workshops-mirror \
+  --config=configs/dc-april-2026.json
+
+# Preview without creating anything
+./scripts/mirror-github-org.sh Cognition-Partner-Workshops Cognition-Partner-Workshops-mirror \
+  --dry-run
+```
+
+Options: `--include=<glob>`, `--exclude=<glob>`, `--visibility=private`, `--strip-workflows` (default), `--no-skip-existing`, `--config=<file>`.
+
+#### 1.2 Create a Workshop Config
+
+Copy `configs/_template.json` and fill in the event details:
+
+```json
+{
+  "event_name": "DC April 2026",
+  "org_name": "DC-April-2026",
+  "git_connection_id": "git-connection-f76021b797ec4a80a62f8ae9dfc1c45c",
+  "max_session_acu_limit": 250,
+  "max_cycle_acu_limit": 250,
+  "repos": [
+    "Cognition-Partner-Workshops-mirror/ts-angular-realworld-example-app",
+    "Cognition-Partner-Workshops-mirror/uc-framework-upgrade-monolith-to-microservices"
+  ],
+  "setup_as_user_id": "google-oauth2|...",
+  "setup_prompt_template": "Set up the {repo} repository from scratch: ...",
+  "emails_file": "participants/dc-april-2026.txt",
+  "enterprise_role_id": "",
+  "org_role_id": ""
+}
+```
+
+| Field | Required | Description |
+|---|---|---|
+| `event_name` | Yes | Display name for the event |
+| `org_name` | Yes | Short name used as the Devin org name |
+| `git_connection_id` | Yes | ID of the Devin GitHub App connection (enterprise-wide) |
+| `max_session_acu_limit` | Yes | ACU limit per session (must be > 0) |
+| `max_cycle_acu_limit` | Yes | ACU limit per billing cycle (must be > 0) |
+| `repos` | Yes | Array of `org/repo` paths to grant access to |
+| `setup_as_user_id` | No | User ID to impersonate when creating setup sessions |
+| `setup_prompt_template` | Yes | Prompt template for setup sessions (`{repo}` is replaced) |
+| `emails_file` | No | Path to a file with participant emails (one per line) |
+| `enterprise_role_id` | No | Enterprise role to assign when inviting participants |
+| `org_role_id` | No | Org role to assign when adding participants to the org |
+
+#### 1.3 Provision the Workshop
+
+```bash
+# Full provisioning (creates org, sets permissions, invites participants, runs setup sessions)
+./scripts/provision-workshop.sh --config configs/dc-april-2026.json
+
+# Use an existing org (updates ACU limits, re-sets permissions)
+./scripts/provision-workshop.sh --config configs/dc-april-2026.json --org-id org-existing-id
+
+# Skip sessions if env configs are already set up
+./scripts/provision-workshop.sh --config configs/dc-april-2026.json --skip-sessions
+
+# Skip invitations (do them separately later)
+./scripts/provision-workshop.sh --config configs/dc-april-2026.json --skip-invites
+
+# Override emails file from CLI
+./scripts/provision-workshop.sh --config configs/dc-april-2026.json --emails-file participants/late-adds.txt
+```
+
+This script:
+1. **Creates a new Devin org** with the configured name and ACU limits
+2. **Adds git permissions** for each repo in the config, scoped to the new org
+3. **Invites participants** from the emails file (enterprise invite + org assignment)
+4. **Invokes Devin sessions** (one per repo) to set up the environment config YAML
+5. **Outputs** the org ID, session URLs, and a summary
+
+#### 1.4 Invite Participants Separately
+
+If you skipped invitations during provisioning or need to add participants later:
+
+```bash
+./scripts/invite-participants.sh \
+  --org-id org-xxxxx \
+  --emails-file participants/dc-april-2026.txt \
+  --enterprise-role-id role-xxxxx \
+  --org-role-id role-yyyyy
+```
+
+The emails file format is one email per line; blank lines and `#` comments are ignored.
+
+#### 1.5 Deploy PII Check Workflow
+
+To prevent participant PII from leaking into PR descriptions across workshop repos:
+
+```bash
+# Deploy to all repos in the mirror org
+./scripts/deploy-pr-pii-check.sh Cognition-Partner-Workshops-mirror
+
+# Deploy to specific repos only
+./scripts/deploy-pr-pii-check.sh Cognition-Partner-Workshops-mirror --include="uc-*"
+
+# Preview
+./scripts/deploy-pr-pii-check.sh Cognition-Partner-Workshops-mirror --dry-run
+```
+
+This creates a PR in each repo adding a GitHub Actions workflow that fails if PR descriptions or review comments contain `Requested by:` PII patterns.
+
+### Phase 2: Workshop Day
+
+Participants log into the Devin Enterprise webapp for the workshop org and start sessions using prompts from the event README. The environment configs created in Phase 1 ensure their sessions start with working build environments.
+
+### Phase 3: Post-Workshop Cleanup
+
+#### 3.1 Clean Up the GitHub Org
+
+```bash
+# Run all cleanup tasks (PII sanitization + close old PRs + delete stale branches)
+./scripts/cleanup-all.sh Cognition-Partner-Workshops-mirror
+
+# Dry run first
+./scripts/cleanup-all.sh Cognition-Partner-Workshops-mirror --dry-run
+
+# Custom stale threshold (default: 3 weeks)
+./scripts/cleanup-all.sh Cognition-Partner-Workshops-mirror --stale-weeks=1
+```
+
+Individual cleanup scripts:
+
+```bash
+# Remove "Requested by" PII from all PR descriptions and comments
+./scripts/sanitize-pr-pii.sh Cognition-Partner-Workshops-mirror
+
+# Close open PRs older than 3 weeks
+./scripts/close-old-prs.sh Cognition-Partner-Workshops-mirror --older-than-weeks=3
+
+# Delete branches with no commits in 3 weeks (preserves default branch)
+./scripts/delete-stale-branches.sh Cognition-Partner-Workshops-mirror --stale-weeks=3
+```
+
+All cleanup scripts support `--dry-run` and write logs to `./cleanup-logs/`.
+
+#### 3.2 Tear Down the Devin Org
+
+```bash
+./scripts/teardown-workshop.sh --org-id org-xxxxx
+
+# Also delete the org entirely
+./scripts/teardown-workshop.sh --org-id org-xxxxx --delete-org
+```
+
+This:
+1. **Clears all git permissions** from the org
+2. **Optionally deletes the org** (with `--delete-org` flag and a 5-second confirmation delay)
+
+## API Reference Cheatsheet
+
+See [docs/api-reference-cheatsheet.md](docs/api-reference-cheatsheet.md) for a complete reference of all Devin v3 API endpoints used by these scripts.
+
+## Key Findings from API Experimentation
+
+These notes capture important behaviors discovered during live testing:
+
+1. **ACU limits must be set on org creation.** If `max_cycle_acu_limit` is 0 or null, sessions will be suspended immediately with `status_detail: "org_usage_limit_exceeded"`. Always set both `max_session_acu_limit` and `max_cycle_acu_limit` when creating or updating an org.
+
+2. **Git permissions are scoped per-org.** Each org needs its own git permissions, even if the git connection (GitHub App) is shared at the enterprise level. The git connection ID is enterprise-wide, but permissions are granted org-by-org.
+
+3. **`create_as_user_id` requires the user to be an org member.** When creating sessions on behalf of a user, that user must already be a member of the target org with `UseDevinSessions` permission.
+
+4. **Session creation is async.** The POST returns immediately with `status: "new"`. The session transitions through `claimed` → `running` → `suspended`/`exit`. Poll the GET endpoint to track progress.
+
+5. **Enterprise service users inherit org permissions.** An enterprise admin service user can call both `/v3/enterprise/*` and `/v3/organizations/{org_id}/*` endpoints across all orgs without additional role assignments.
+
+6. **Replace (PUT) is idempotent for permissions.** Use `PUT /v3/enterprise/organizations/{org_id}/git-providers/permissions` to set the exact list of repo permissions, replacing any previous state. This is safer than incremental POST for reproducible provisioning.
+
+7. **Participant invitation is two-step.** First invite to the enterprise via `POST /v3/enterprise/members/users` (returns user IDs), then assign to the specific org via `POST /v3/enterprise/organizations/{org_id}/members/users`.
+
+## Tested API Calls (Verified Working)
+
+| Operation | Method | Endpoint | Notes |
+|---|---|---|---|
+| Verify auth | GET | `/v3/self` | Returns service user identity |
+| List orgs | GET | `/v3/enterprise/organizations` | All orgs in enterprise |
+| Create org | POST | `/v3/enterprise/organizations` | Set name + ACU limits |
+| Update org | PATCH | `/v3/enterprise/organizations/{org_id}` | Update limits/name |
+| List git connections | GET | `/v3/enterprise/git-providers/connections` | Find connection IDs |
+| List git permissions | GET | `/v3/enterprise/organizations/{org_id}/git-providers/permissions` | Per-org permissions |
+| Create git permissions | POST | `/v3/enterprise/organizations/{org_id}/git-providers/permissions` | Bulk add repos |
+| Replace git permissions | PUT | `/v3/enterprise/organizations/{org_id}/git-providers/permissions` | Idempotent set |
+| Delete git permission | DELETE | `/v3/enterprise/organizations/{org_id}/git-providers/permissions/{id}` | Remove one |
+| Clear git permissions | DELETE | `/v3/enterprise/organizations/{org_id}/git-providers/permissions` | Remove all |
+| Invite to enterprise | POST | `/v3/enterprise/members/users` | Batch email invites |
+| Assign to org | POST | `/v3/enterprise/organizations/{org_id}/members/users` | With optional role |
+| Create session | POST | `/v3/organizations/{org_id}/sessions` | With `create_as_user_id` |
+| Get session | GET | `/v3/organizations/{org_id}/sessions/{session_id}` | Poll status |
+| List members | GET | `/v3/enterprise/members/users` | Enterprise-wide |
+| List org members | GET | `/v3/enterprise/organizations/{org_id}/members/users` | Per-org |
+| List service users | GET | `/v3/enterprise/members/service-users` | Enterprise SUs |
diff --git a/configs/_template.json b/configs/_template.json
new file mode 100644
index 0000000..5478339
--- /dev/null
+++ b/configs/_template.json
@@ -0,0 +1,16 @@
+{
+  "event_name": "CHANGEME — Event Name",
+  "org_name": "CHANGEME-Event-Name",
+  "git_connection_id": "git-connection-f76021b797ec4a80a62f8ae9dfc1c45c",
+  "max_session_acu_limit": 250,
+  "max_cycle_acu_limit": 250,
+  "repos": [
+    "Cognition-Partner-Workshops-mirror/REPO_NAME_1",
+    "Cognition-Partner-Workshops-mirror/REPO_NAME_2"
+  ],
+  "setup_as_user_id": "",
+  "setup_prompt_template": "Set up the {repo} repository from scratch: install dependencies, get the build and tests working. Then capture the working setup steps in the .yaml environment configuration.\n\nShould we get the app running: yes",
+  "emails_file": "",
+  "enterprise_role_id": "",
+  "org_role_id": ""
+}
diff --git a/configs/dc-april-2026.json b/configs/dc-april-2026.json
new file mode 100644
index 0000000..b7f5afc
--- /dev/null
+++ b/configs/dc-april-2026.json
@@ -0,0 +1,21 @@
+{
+  "event_name": "Hands-on Devin Workshop — Washington, DC (April 2026)",
+  "org_name": "DC-April-2026",
+  "git_connection_id": "git-connection-f76021b797ec4a80a62f8ae9dfc1c45c",
+  "max_session_acu_limit": 250,
+  "max_cycle_acu_limit": 250,
+  "repos": [
+    "Cognition-Partner-Workshops-mirror/ts-angular-realworld-example-app",
+    "Cognition-Partner-Workshops-mirror/uc-framework-upgrade-monolith-to-microservices",
+    "Cognition-Partner-Workshops-mirror/uc-legacy-modernization-cobol-to-java",
+    "Cognition-Partner-Workshops-mirror/uc-data-source-migration-legacy-to-modern",
+    "Cognition-Partner-Workshops-mirror/uc-bdd-test-generation-rest-api",
+    "Cognition-Partner-Workshops-mirror/app_petclinic-angular",
+    "Cognition-Partner-Workshops-mirror/app_timesheet"
+  ],
+  "setup_as_user_id": "google-oauth2|116326913226854769397",
+  "setup_prompt_template": "Set up the {repo} repository from scratch: install dependencies, get the build and tests working. Then capture the working setup steps in the .yaml environment configuration.\n\nShould we get the app running: yes",
+  "emails_file": "",
+  "enterprise_role_id": "",
+  "org_role_id": ""
+}
diff --git a/docs/api-reference-cheatsheet.md b/docs/api-reference-cheatsheet.md
new file mode 100644
index 0000000..8814eef
--- /dev/null
+++ b/docs/api-reference-cheatsheet.md
@@ -0,0 +1,182 @@
+# Devin v3 API Reference Cheatsheet
+
+Quick reference for all API endpoints used by the operator scripts. Full docs: https://docs.devin.ai/api-reference/overview
+
+## Base URLs
+
+| Scope | Base URL |
+|---|---|
+| Enterprise | `https://api.devin.ai/v3/enterprise/*` |
+| Organization | `https://api.devin.ai/v3/organizations/{org_id}/*` |
+
+All requests require `Authorization: Bearer cog_...` header.
+
+---
+
+## Identity & Self
+
+### Verify credentials
+```
+GET /v3/self
+```
+Returns: `{principal_type, service_user_id, service_user_name, org_id}`
+
+Enterprise service users have `org_id: null`.
+
+---
+
+## Organizations
+
+### List organizations
+```
+GET /v3/enterprise/organizations
+```
+Returns paginated list of orgs with `{org_id, name, max_session_acu_limit, max_cycle_acu_limit}`.
+
+### Create organization
+```
+POST /v3/enterprise/organizations
+```
+Body:
+```json
+{
+  "name": "Workshop-Name",
+  "max_session_acu_limit": 250,
+  "max_cycle_acu_limit": 250
+}
+```
+**Important:** `max_cycle_acu_limit` must be > 0 or sessions will be suspended with `org_usage_limit_exceeded`.
+
+### Update organization
+```
+PATCH /v3/enterprise/organizations/{org_id}
+```
+Body: `{name?, max_session_acu_limit?, max_cycle_acu_limit?}` — all fields optional.
+
+### Delete organization
+```
+DELETE /v3/enterprise/organizations/{org_id}
+```
+
+---
+
+## Git Connections
+
+### List git connections
+```
+GET /v3/enterprise/git-providers/connections
+```
+Returns: `{git_connection_id, git_provider_type, name, host}`
+
+The `git_connection_id` is needed for all permission operations. For the mirror org, this is the GitHub App connection for `Cognition-Partner-Workshops-mirror`.
+
+---
+
+## Git Permissions
+
+Permissions are per-org and reference repos via the org-wide git connection.
+
+### List permissions
+```
+GET /v3/enterprise/organizations/{org_id}/git-providers/permissions
+```
+
+### Create permissions (additive)
+```
+POST /v3/enterprise/organizations/{org_id}/git-providers/permissions
+```
+Body:
+```json
+{
+  "permissions": [
+    {"git_connection_id": "git-connection-xxx", "repo_path": "Org/repo-name"},
+    {"git_connection_id": "git-connection-xxx", "repo_path": "Org/another-repo"}
+  ]
+}
+```
+Max 200 permissions per request.
+
+### Replace permissions (idempotent)
+```
+PUT /v3/enterprise/organizations/{org_id}/git-providers/permissions
+```
+Same body format as POST. Replaces all existing permissions with exactly the provided set. Preferred for reproducible provisioning.
+
+### Delete single permission
+```
+DELETE /v3/enterprise/organizations/{org_id}/git-providers/permissions/{git_permission_id}
+```
+
+### Clear all permissions
+```
+DELETE /v3/enterprise/organizations/{org_id}/git-providers/permissions
+```
+
+---
+
+## Sessions
+
+### Create session
+```
+POST /v3/organizations/{org_id}/sessions
+```
+Body:
+```json
+{
+  "prompt": "Your task description",
+  "create_as_user_id": "google-oauth2|...",
+  "repos": ["Org/repo-name"],
+  "playbook_id": "playbook-xxx",
+  "tags": ["setup"],
+  "max_acu_limit": 50
+}
+```
+Only `prompt` is required. `create_as_user_id` requires the `ImpersonateOrgSessions` permission and the target user must be an org member.
+
+### Get session
+```
+GET /v3/organizations/{org_id}/sessions/{session_id}
+```
+Returns: `{session_id, url, status, status_detail, acus_consumed, pull_requests, ...}`
+
+Status values: `new` → `claimed` → `running` → `suspended` / `exit` / `error`
+
+### List sessions
+```
+GET /v3/organizations/{org_id}/sessions
+```
+
+---
+
+## Members
+
+### List enterprise members
+```
+GET /v3/enterprise/members/users
+```
+
+### List org members
+```
+GET /v3/enterprise/organizations/{org_id}/members/users
+```
+
+### List service users
+```
+GET /v3/enterprise/members/service-users
+```
+
+---
+
+## Permissions Reference
+
+| Permission | Scope | Grants |
+|---|---|---|
+| `ManageOrganizations` | Enterprise | Create/update/delete orgs |
+| `ManageGitIntegrations` | Enterprise | Manage git connections and permissions |
+| `ManageOrgSessions` | Org | Create/list sessions |
+| `ImpersonateOrgSessions` | Org | Create sessions as another user |
+| `UseDevinSessions` | Org | Required for target user of `create_as_user_id` |
+| `ViewAccountMetrics` | Enterprise | Read consumption and metrics |
+| `ViewAccountAuditLogs` | Enterprise | Read audit logs |
+
+Enterprise admin service users inherit all org-level permissions across all organizations.
diff --git a/scripts/cleanup-all.sh b/scripts/cleanup-all.sh
new file mode 100755
index 0000000..ccdeb1f
--- /dev/null
+++ b/scripts/cleanup-all.sh
@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+# cleanup-all.sh — Run all post-workshop cleanup tasks in sequence
+#
+# Tasks:
+#   1. Sanitize "Requested by" PII from PR descriptions and comments
+#   2. Close open PRs older than N weeks
+#   3. Delete branches with no commits in N weeks (excluding default branch)
+#
+# Usage:
+#   ./scripts/cleanup-all.sh <GITHUB_ORG> [--stale-weeks=3] [--dry-run]
+#
+# Prerequisites: gh CLI authenticated with repo + pull-request scopes
+set -euo pipefail
+
+ORG="${1:?Usage: $0 <GITHUB_ORG> [--stale-weeks=3] [--dry-run]}"
+shift
+
+STALE_WEEKS=3
+DRY_RUN=""
+for arg in "$@"; do
+  case "$arg" in
+    --stale-weeks=*) STALE_WEEKS="${arg#*=}" ;;
+    --dry-run)       DRY_RUN="--dry-run" ;;
+  esac
+done
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+echo "============================================"
+echo "  Post-Workshop Cleanup: ${ORG}"
+echo "  Stale threshold: ${STALE_WEEKS} weeks"
+echo "  Dry run: ${DRY_RUN:-false}"
+echo "============================================"
+echo
+
+echo ">>> Step 1/3: Sanitize PR PII"
+bash "${SCRIPT_DIR}/sanitize-pr-pii.sh" "$ORG" $DRY_RUN
+echo
+
+echo ">>> Step 2/3: Close old PRs"
+bash "${SCRIPT_DIR}/close-old-prs.sh" "$ORG" --older-than-weeks="$STALE_WEEKS" $DRY_RUN
+echo
+
+echo ">>> Step 3/3: Delete stale branches"
+bash "${SCRIPT_DIR}/delete-stale-branches.sh" "$ORG" --stale-weeks="$STALE_WEEKS" $DRY_RUN
+echo
+
+echo "============================================"
+echo "  All cleanup tasks complete"
+echo "  Logs: $(pwd)/cleanup-logs/"
+echo "============================================"
diff --git a/scripts/close-old-prs.sh b/scripts/close-old-prs.sh
new file mode 100755
index 0000000..e2058e0
--- /dev/null
+++ b/scripts/close-old-prs.sh
@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+# close-old-prs.sh — Close open PRs older than N weeks
+#
+# Closes stale PRs across all repos in a GitHub org with an explanatory comment.
+# Useful for post-workshop cleanup when participants leave PRs open.
+#
+# Usage:
+#   ./scripts/close-old-prs.sh <GITHUB_ORG> [--older-than-weeks=3] [--dry-run]
+#
+# Prerequisites: gh CLI authenticated with repo + pull-request scopes
+set -euo pipefail
+
+ORG="${1:?Usage: $0 <GITHUB_ORG> [--older-than-weeks=3] [--dry-run]}"
+shift
+
+OLDER_THAN_WEEKS=3
+DRY_RUN=false
+for arg in "$@"; do
+  case "$arg" in
+    --older-than-weeks=*) OLDER_THAN_WEEKS="${arg#*=}" ;;
+    --dry-run)            DRY_RUN=true ;;
+  esac
+done
+
+LOG_DIR="$(pwd)/cleanup-logs"
+mkdir -p "$LOG_DIR"
+LOG_FILE="$LOG_DIR/close-old-prs-$(date +%Y%m%d-%H%M%S).log"
+
+log() { echo "[$(date -u +%H:%M:%S)] $*" | tee -a "$LOG_FILE"; }
+
+CUTOFF_DATE=$(date -u -d "${OLDER_THAN_WEEKS} weeks ago" +%Y-%m-%dT%H:%M:%SZ)
+log "Cutoff: ${CUTOFF_DATE} (PRs older than ${OLDER_THAN_WEEKS} weeks)"
+log "Dry run: ${DRY_RUN}"
+log ""
+
+REPOS=$(gh repo list "$ORG" --limit 500 --json name --jq '.[].name' | sort)
+TOTAL_REPOS=$(echo "$REPOS" | wc -l)
+TOTAL_CLOSED=0
+REPO_NUM=0
+
+for REPO_NAME in $REPOS; do
+  REPO_NUM=$((REPO_NUM + 1))
+  FULL_REPO="$ORG/$REPO_NAME"
+  log "[$REPO_NUM/$TOTAL_REPOS] Processing $FULL_REPO"
+
+  OPEN_PRS=$(gh pr list --repo "$FULL_REPO" --state open --limit 500 \
+    --json number,createdAt,title \
+    --jq '.[] | "\(.number)\t\(.createdAt)\t\(.title)"' 2>/dev/null || true)
+
+  [[ -z "$OPEN_PRS" ]] && continue
+
+  while IFS=$'\t' read -r PR_NUM CREATED_AT PR_TITLE; do
+    if [[ "$CREATED_AT" < "$CUTOFF_DATE" ]]; then
+      if [[ "$DRY_RUN" == true ]]; then
+        log "  [DRY-RUN] Would close PR #${PR_NUM}: ${PR_TITLE} (created: ${CREATED_AT})"
+      else
+        COMMENT="Closing: this PR is older than ${OLDER_THAN_WEEKS} weeks. Reopen if still needed."
+        if gh pr close "$PR_NUM" --repo "$FULL_REPO" --comment "$COMMENT" >/dev/null 2>&1; then
+          log "  Closed PR #${PR_NUM}: ${PR_TITLE}"
+          TOTAL_CLOSED=$((TOTAL_CLOSED + 1))
+        else
+          log "  ERROR: Failed to close PR #${PR_NUM}"
+        fi
+      fi
+    fi
+  done <<< "$OPEN_PRS"
+
+  sleep 0.5
+done
+
+log ""
+log "=== Old PR Cleanup Complete ==="
+log "Repos scanned: ${TOTAL_REPOS} | PRs closed: ${TOTAL_CLOSED}"
+log "Log: ${LOG_FILE}"
diff --git a/scripts/delete-stale-branches.sh b/scripts/delete-stale-branches.sh
new file mode 100755
index 0000000..ae96990
--- /dev/null
+++ b/scripts/delete-stale-branches.sh
@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+# delete-stale-branches.sh — Delete branches with no commits in N weeks
+#
+# Deletes remote branches whose last commit is older than the threshold.
+# Always preserves the default branch. Useful for cleaning up after workshops
+# where participants create many short-lived branches.
+#
+# Usage:
+#   ./scripts/delete-stale-branches.sh <GITHUB_ORG> [--stale-weeks=3] [--dry-run]
+#
+# Prerequisites: gh CLI authenticated with repo scope
+set -euo pipefail
+
+ORG="${1:?Usage: $0 <GITHUB_ORG> [--stale-weeks=3] [--dry-run]}"
+shift
+
+STALE_WEEKS=3
+DRY_RUN=false
+for arg in "$@"; do
+  case "$arg" in
+    --stale-weeks=*) STALE_WEEKS="${arg#*=}" ;;
+    --dry-run)       DRY_RUN=true ;;
+  esac
+done
+
+LOG_DIR="$(pwd)/cleanup-logs"
+mkdir -p "$LOG_DIR"
+LOG_FILE="$LOG_DIR/delete-stale-branches-$(date +%Y%m%d-%H%M%S).log"
+
+log() { echo "[$(date -u +%H:%M:%S)] $*" | tee -a "$LOG_FILE"; }
+
+CUTOFF_DATE=$(date -u -d "${STALE_WEEKS} weeks ago" +%Y-%m-%dT%H:%M:%SZ)
+log "Cutoff: ${CUTOFF_DATE} (branches older than ${STALE_WEEKS} weeks)"
+log "Dry run: ${DRY_RUN}"
+log ""
+
+REPOS=$(gh repo list "$ORG" --limit 500 --json name --jq '.[].name' | sort)
+TOTAL_REPOS=$(echo "$REPOS" | wc -l)
+TOTAL_DELETED=0
+REPO_NUM=0
+
+for REPO_NAME in $REPOS; do
+  REPO_NUM=$((REPO_NUM + 1))
+  FULL_REPO="$ORG/$REPO_NAME"
+  log "[$REPO_NUM/$TOTAL_REPOS] Processing $FULL_REPO"
+
+  DEFAULT_BRANCH=$(gh repo view "$FULL_REPO" --json defaultBranchRef --jq '.defaultBranchRef.name' 2>/dev/null || echo "main")
+
+  PAGE=1
+  while true; do
+    BRANCHES=$(gh api "repos/$FULL_REPO/branches?per_page=100&page=$PAGE" \
+      --jq '.[] | "\(.name)\t\(.commit.sha)"' 2>/dev/null || true)
+    [[ -z "$BRANCHES" ]] && break
+
+    while IFS=$'\t' read -r BRANCH_NAME COMMIT_SHA; do
+      [[ "$BRANCH_NAME" == "$DEFAULT_BRANCH" ]] && continue
+
+      COMMIT_DATE=$(gh api "repos/$FULL_REPO/commits/$COMMIT_SHA" \
+        --jq '.commit.committer.date' 2>/dev/null || true)
+      [[ -z "$COMMIT_DATE" ]] && continue
+
+      if [[ "$COMMIT_DATE" < "$CUTOFF_DATE" ]]; then
+        if [[ "$DRY_RUN" == true ]]; then
+          log "  [DRY-RUN] Would delete: ${BRANCH_NAME} (last commit: ${COMMIT_DATE})"
+        else
+          if gh api "repos/$FULL_REPO/git/refs/heads/$BRANCH_NAME" -X DELETE >/dev/null 2>&1; then
+            log "  Deleted: ${BRANCH_NAME} (last commit: ${COMMIT_DATE})"
+            TOTAL_DELETED=$((TOTAL_DELETED + 1))
+          else
+            log "  ERROR: Failed to delete ${BRANCH_NAME}"
+          fi
+        fi
+      fi
+    done <<< "$BRANCHES"
+
+    PAGE=$((PAGE + 1))
+  done
+
+  sleep 0.5
+done
+
+log ""
+log "=== Stale Branch Cleanup Complete ==="
+log "Repos scanned: ${TOTAL_REPOS} | Branches deleted: ${TOTAL_DELETED}"
+log "Log: ${LOG_FILE}"
diff --git a/scripts/deploy-pr-pii-check.sh b/scripts/deploy-pr-pii-check.sh
new file mode 100755
index 0000000..384b94e
--- /dev/null
+++ b/scripts/deploy-pr-pii-check.sh
@@ -0,0 +1,164 @@
+#!/usr/bin/env bash
+# deploy-pr-pii-check.sh — Deploy the PR PII check workflow to all repos in a GitHub org
+#
+# Creates a PR in each target repo adding the .github/workflows/pr-pii-check.yml
+# workflow. After merging, set up branch protection to require the check to pass.
+#
+# Usage:
+#   ./scripts/deploy-pr-pii-check.sh <GITHUB_ORG> [OPTIONS]
+#
+# Options:
+#   --dry-run           Preview what would be deployed
+#   --include=<glob>    Only deploy to repos matching this pattern
+#   --exclude=<glob>    Skip repos matching this pattern
+#   --branch=<name>     Branch name for the PR (default: add-pii-check)
+#
+# Prerequisites:
+#   - gh CLI authenticated with repo + workflow scopes
+#   - The workflow file at .github/workflows/pr-pii-check.yml in the operator repo
+set -euo pipefail
+
+ORG="${1:?Usage: $0 <GITHUB_ORG> [OPTIONS]}"
+shift
+
+DRY_RUN=false
+INCLUDE_PATTERN=""
+EXCLUDE_PATTERN=""
+BRANCH_NAME="add-pii-check"
+
+for arg in "$@"; do
+  case "$arg" in
+    --dry-run)     DRY_RUN=true ;;
+    --include=*)   INCLUDE_PATTERN="${INCLUDE_PATTERN:+$INCLUDE_PATTERN|}${arg#*=}" ;;
+    --exclude=*)   EXCLUDE_PATTERN="${EXCLUDE_PATTERN:+$EXCLUDE_PATTERN|}${arg#*=}" ;;
+    --branch=*)    BRANCH_NAME="${arg#*=}" ;;
+    -h|--help)
+      sed -n '2,/^[^#]/{ /^#/s/^# \?//p }' "$0"
+      exit 0
+      ;;
+    *) echo "Unknown option: $arg" >&2; exit 1 ;;
+  esac
+done
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+WORKFLOW_SRC="${SCRIPT_DIR}/../.github/workflows/pr-pii-check.yml"
+
+if [[ ! -f "$WORKFLOW_SRC" ]]; then
+  echo "ERROR: Workflow file not found at ${WORKFLOW_SRC}" >&2
+  exit 1
+fi
+
+LOGDIR="./deploy-logs"
+mkdir -p "$LOGDIR"
+LOGFILE="$LOGDIR/deploy-pii-check-$(date +%Y%m%d-%H%M%S).log"
+WORK_DIR=$(mktemp -d)
+trap 'rm -rf "$WORK_DIR"' EXIT
+
+log() { echo "[$(date -u +%H:%M:%S)] $*" | tee -a "$LOGFILE"; }
+
+log "Fetching repos from ${ORG}..."
+REPOS=()
+page=1
+while true; do
+  repos=$(gh api "orgs/${ORG}/repos?per_page=100&page=${page}&type=all" \
+    --jq '.[].name' 2>/dev/null) || break
+  [[ -z "$repos" ]] && break
+  while IFS= read -r r; do REPOS+=("$r"); done <<< "$repos"
+  page=$((page + 1))
+done
+log "Found ${#REPOS[@]} repos"
+
+is_filtered_out() {
+  local name="$1"
+  if [[ -n "$INCLUDE_PATTERN" ]]; then
+    # shellcheck disable=SC2254
+    case "$name" in $INCLUDE_PATTERN) ;; *) return 0 ;; esac
+  fi
+  if [[ -n "$EXCLUDE_PATTERN" ]]; then
+    # shellcheck disable=SC2254
+    case "$name" in $EXCLUDE_PATTERN) return 0 ;; esac
+  fi
+  return 1
+}
+
+deployed=0 skipped=0 failed=0
+
+for repo_name in "${REPOS[@]}"; do
+  if is_filtered_out "$repo_name"; then
+    log "SKIP (filter): ${repo_name}"
+    skipped=$((skipped + 1))
+    continue
+  fi
+
+  if [[ "$DRY_RUN" == "true" ]]; then
+    log "DRY RUN: Would deploy PII check to ${ORG}/${repo_name}"
+    deployed=$((deployed + 1))
+    continue
+  fi
+
+  log "Deploying to: ${ORG}/${repo_name}..."
+  repo_dir="${WORK_DIR}/${repo_name}"
+  default_branch=$(gh api "repos/${ORG}/${repo_name}" --jq '.default_branch' 2>/dev/null || echo "main")
+
+  if ! git clone --depth 1 "https://github.com/${ORG}/${repo_name}.git" "$repo_dir" 2>>"$LOGFILE"; then
+    log "FAIL (clone): ${repo_name}"
+    failed=$((failed + 1))
+    continue
+  fi
+
+  cd "$repo_dir"
+
+  if [[ -f ".github/workflows/pr-pii-check.yml" ]]; then
+    log "SKIP (exists): ${repo_name}"
+    skipped=$((skipped + 1))
+    cd - >/dev/null
+    rm -rf "$repo_dir"
+    continue
+  fi
+
+  git checkout -b "$BRANCH_NAME" 2>>"$LOGFILE"
+  mkdir -p .github/workflows
+  cp "$WORKFLOW_SRC" .github/workflows/pr-pii-check.yml
+  git add .github/workflows/pr-pii-check.yml
+  git commit -m "Add PR PII check workflow
+
+Adds a GitHub Actions workflow that fails if PR descriptions or comments
+contain 'Requested by' PII patterns. This enforces privacy in a
+multi-tenant workshop environment." 2>>"$LOGFILE"
+
+  if ! git push origin "$BRANCH_NAME" 2>>"$LOGFILE"; then
+    log "FAIL (push): ${repo_name}"
+    failed=$((failed + 1))
+    cd - >/dev/null
+    rm -rf "$repo_dir"
+    continue
+  fi
+
+  pr_url=$(gh pr create \
+    --repo "${ORG}/${repo_name}" \
+    --base "$default_branch" \
+    --head "$BRANCH_NAME" \
+    --title "Add PR PII check workflow" \
+    --body "Adds a GitHub Actions workflow that checks PR descriptions and comments for 'Requested by' PII patterns and fails the CI check if found.
+
+After merging, enable branch protection on \`${default_branch}\` and require the **PR PII Check** status check to pass." 2>>"$LOGFILE" || echo "")
+
+  if [[ -n "$pr_url" ]]; then
+    log "OK: ${repo_name} -> ${pr_url}"
+    deployed=$((deployed + 1))
+  else
+    log "FAIL (pr): ${repo_name}"
+    failed=$((failed + 1))
+  fi
+
+  cd - >/dev/null
+  rm -rf "$repo_dir"
+  sleep 0.5
+done
+
+log ""
+log "=== Deploy Summary ==="
+log "Deployed: ${deployed} | Skipped: ${skipped} | Failed: ${failed}"
+log "Log: ${LOGFILE}"
+log ""
+log "Next: Enable branch protection on each repo to require the 'PR PII Check' status check."
diff --git a/scripts/invite-participants.sh b/scripts/invite-participants.sh
new file mode 100755
index 0000000..3f2d456
--- /dev/null
+++ b/scripts/invite-participants.sh
@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+# invite-participants.sh — Invite users to a Devin Enterprise org
+#
+# Usage:
+#   ./invite-participants.sh --org-id <org-id> --emails-file <file> [options]
+#
+# Options:
+#   --org-id <id>              Devin org ID (required)
+#   --emails-file <file>       File with participant emails, one per line (required)
+#   --enterprise-role-id <id>  Role to assign at enterprise level
+#   --org-role-id <id>         Role to assign at org level
+#   --dry-run                  Preview invitations without sending
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "${SCRIPT_DIR}/lib/common.sh"
+source "${SCRIPT_DIR}/lib/manage-members.sh"
+
+ORG_ID=""
+EMAILS_FILE=""
+ENTERPRISE_ROLE_ID=""
+ORG_ROLE_ID=""
+DRY_RUN=false
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --org-id)              ORG_ID="$2"; shift 2 ;;
+    --emails-file)         EMAILS_FILE="$2"; shift 2 ;;
+    --enterprise-role-id)  ENTERPRISE_ROLE_ID="$2"; shift 2 ;;
+    --org-role-id)         ORG_ROLE_ID="$2"; shift 2 ;;
+    --dry-run)             DRY_RUN=true; shift ;;
+    -h|--help)
+      echo "Usage: $0 --org-id <org-id> --emails-file <file> [--enterprise-role-id <id>] [--org-role-id <id>] [--dry-run]"
+      exit 0
+      ;;
+    *) die "Unknown argument: $1" ;;
+  esac
+done
+
+[[ -z "$ORG_ID" ]] && die "Missing required --org-id"
+[[ -z "$EMAILS_FILE" ]] && die "Missing required --emails-file"
+
+mapfile -t EMAILS < <(read_emails_file "$EMAILS_FILE")
+
+if [[ ${#EMAILS[@]} -eq 0 ]]; then
+  info "No emails found in ${EMAILS_FILE}"
+  exit 0
+fi
+
+echo
+echo "============================================"
+echo "  Invite Participants"
+echo "============================================"
+echo "  Org ID   : ${ORG_ID}"
+echo "  Emails   : ${#EMAILS[@]}"
+echo "  Dry run  : ${DRY_RUN}"
+echo "============================================"
+echo
+
+if [[ "$DRY_RUN" == "true" ]]; then
+  info "DRY RUN — would invite:"
+  printf '  %s\n' "${EMAILS[@]}"
+  exit 0
+fi
+
+ROLE_ARGS=()
+[[ -n "$ENTERPRISE_ROLE_ID" ]] && ROLE_ARGS+=("--enterprise-role=${ENTERPRISE_ROLE_ID}")
+[[ -n "$ORG_ROLE_ID" ]] && ROLE_ARGS+=("--org-role=${ORG_ROLE_ID}")
+
+invite_and_assign "$ORG_ID" "${EMAILS[@]}" "${ROLE_ARGS[@]}"
diff --git a/scripts/lib/common.sh b/scripts/lib/common.sh
new file mode 100755
index 0000000..51afccb
--- /dev/null
+++ b/scripts/lib/common.sh
@@ -0,0 +1,162 @@
+#!/usr/bin/env bash
+# common.sh — Shared functions for Devin v3 API operator scripts
+set -euo pipefail
+
+# ---------------------------------------------------------------------------
+# Configuration
+# ---------------------------------------------------------------------------
+API_BASE="${DEVIN_API_BASE:-https://api.devin.ai}"
+DEVIN_API_KEY="${DEVIN_API_KEY:?DEVIN_API_KEY must be set to a cog_ enterprise service user key}"
+
+# ---------------------------------------------------------------------------
+# Logging
+# ---------------------------------------------------------------------------
+log()  { echo "[$(date -u '+%Y-%m-%d %H:%M:%S UTC')] $*"; }
+info() { log "INFO  $*"; }
+warn() { log "WARN  $*" >&2; }
+err()  { log "ERROR $*" >&2; }
+die()  { err "$@"; exit 1; }
+
+# ---------------------------------------------------------------------------
+# HTTP helpers
+# ---------------------------------------------------------------------------
+
+# Generic GET request. Returns JSON body, dies on HTTP error.
+api_get() {
+  local url="$1"
+  local response
+  response=$(curl -sS -w '\n%{http_code}' \
+    -H "Authorization: Bearer ${DEVIN_API_KEY}" \
+    -H "Accept: application/json" \
+    "${API_BASE}${url}" 2>&1) || true
+
+  local http_code body
+  http_code=$(echo "$response" | tail -1)
+  body=$(echo "$response" | sed '$d')
+
+  if [[ "$http_code" -ge 200 && "$http_code" -lt 300 ]]; then
+    echo "$body"
+  else
+    err "GET ${url} returned HTTP ${http_code}"
+    err "Response: ${body}"
+    return 1
+  fi
+}
+
+# Generic POST request. Takes URL and JSON body. Returns JSON body.
+api_post() {
+  local url="$1"
+  local data="$2"
+  local response
+  response=$(curl -sS -w '\n%{http_code}' \
+    -X POST \
+    -H "Authorization: Bearer ${DEVIN_API_KEY}" \
+    -H "Content-Type: application/json" \
+    -H "Accept: application/json" \
+    -d "$data" \
+    "${API_BASE}${url}" 2>&1) || true
+
+  local http_code body
+  http_code=$(echo "$response" | tail -1)
+  body=$(echo "$response" | sed '$d')
+
+  if [[ "$http_code" -ge 200 && "$http_code" -lt 300 ]]; then
+    echo "$body"
+  else
+    err "POST ${url} returned HTTP ${http_code}"
+    err "Response: ${body}"
+    return 1
+  fi
+}
+
+# Generic PATCH request.
+api_patch() {
+  local url="$1"
+  local data="$2"
+  local response
+  response=$(curl -sS -w '\n%{http_code}' \
+    -X PATCH \
+    -H "Authorization: Bearer ${DEVIN_API_KEY}" \
+    -H "Content-Type: application/json" \
+    -H "Accept: application/json" \
+    -d "$data" \
+    "${API_BASE}${url}" 2>&1) || true
+
+  local http_code body
+  http_code=$(echo "$response" | tail -1)
+  body=$(echo "$response" | sed '$d')
+
+  if [[ "$http_code" -ge 200 && "$http_code" -lt 300 ]]; then
+    echo "$body"
+  else
+    err "PATCH ${url} returned HTTP ${http_code}"
+    err "Response: ${body}"
+    return 1
+  fi
+}
+
+# Generic PUT request.
+api_put() {
+  local url="$1"
+  local data="$2"
+  local response
+  response=$(curl -sS -w '\n%{http_code}' \
+    -X PUT \
+    -H "Authorization: Bearer ${DEVIN_API_KEY}" \
+    -H "Content-Type: application/json" \
+    -H "Accept: application/json" \
+    -d "$data" \
+    "${API_BASE}${url}" 2>&1) || true
+
+  local http_code body
+  http_code=$(echo "$response" | tail -1)
+  body=$(echo "$response" | sed '$d')
+
+  if [[ "$http_code" -ge 200 && "$http_code" -lt 300 ]]; then
+    echo "$body"
+  else
+    err "PUT ${url} returned HTTP ${http_code}"
+    err "Response: ${body}"
+    return 1
+  fi
+}
+
+# Generic DELETE request.
+api_delete() {
+  local url="$1"
+  local response
+  response=$(curl -sS -w '\n%{http_code}' \
+    -X DELETE \
+    -H "Authorization: Bearer ${DEVIN_API_KEY}" \
+    -H "Accept: application/json" \
+    "${API_BASE}${url}" 2>&1) || true
+
+  local http_code body
+  http_code=$(echo "$response" | tail -1)
+  body=$(echo "$response" | sed '$d')
+
+  if [[ "$http_code" -ge 200 && "$http_code" -lt 300 ]]; then
+    echo "$body"
+  else
+    err "DELETE ${url} returned HTTP ${http_code}"
+    err "Response: ${body}"
+    return 1
+  fi
+}
+
+# ---------------------------------------------------------------------------
+# Config helpers
+# ---------------------------------------------------------------------------
+
+# Read a field from a JSON config file.
+# Usage: config_get <file> <jq_expression>
+config_get() {
+  local file="$1" expr="$2"
+  jq -r "$expr" "$file"
+}
+
+# Read an array from a JSON config as newline-delimited values.
+config_get_array() {
+  local file="$1" expr="$2"
+  jq -r "${expr}[]" "$file"
+}
diff --git a/scripts/lib/invoke-setup.sh b/scripts/lib/invoke-setup.sh
new file mode 100755
index 0000000..1f30f02
--- /dev/null
+++ b/scripts/lib/invoke-setup.sh
@@ -0,0 +1,112 @@
+#!/usr/bin/env bash
+# invoke-setup.sh — Create Devin sessions to set up environment configs
+# Source common.sh before using these functions.
+
+# ---------------------------------------------------------------------------
+# Create a single Devin session in an organization.
+# Usage: create_session <org_id> <prompt> [create_as_user_id]
+# Returns the session JSON response.
+# ---------------------------------------------------------------------------
+create_session() {
+  local org_id="$1"
+  local prompt="$2"
+  local user_id="${3:-}"
+
+  local payload
+  if [[ -n "$user_id" ]]; then
+    payload=$(jq -n --arg p "$prompt" --arg u "$user_id" \
+      '{prompt: $p, create_as_user_id: $u}')
+  else
+    payload=$(jq -n --arg p "$prompt" '{prompt: $p}')
+  fi
+
+  api_post "/v3/organizations/${org_id}/sessions" "$payload"
+}
+
+# ---------------------------------------------------------------------------
+# Get session status.
+# Usage: get_session <org_id> <session_id>
+# ---------------------------------------------------------------------------
+get_session() {
+  local org_id="$1"
+  local session_id="$2"
+  api_get "/v3/organizations/${org_id}/sessions/${session_id}"
+}
+
+# ---------------------------------------------------------------------------
+# Poll session until it reaches a terminal state.
+# Usage: poll_session <org_id> <session_id> [poll_interval_seconds]
+# Returns 0 if session completed (exit), 1 if error/suspended.
+# ---------------------------------------------------------------------------
+poll_session() {
+  local org_id="$1"
+  local session_id="$2"
+  local interval="${3:-30}"
+
+  info "Polling session ${session_id} every ${interval}s..."
+  while true; do
+    local session_json status status_detail
+    session_json=$(get_session "$org_id" "$session_id")
+    status=$(echo "$session_json" | jq -r '.status')
+    status_detail=$(echo "$session_json" | jq -r '.status_detail // empty')
+
+    info "Session ${session_id}: status=${status}${status_detail:+ (${status_detail})}"
+
+    case "$status" in
+      exit)
+        info "Session ${session_id} completed successfully"
+        return 0
+        ;;
+      error|suspended)
+        warn "Session ${session_id} ended with status=${status}${status_detail:+ (${status_detail})}"
+        return 1
+        ;;
+      *)
+        sleep "$interval"
+        ;;
+    esac
+  done
+}
+
+# ---------------------------------------------------------------------------
+# Create setup sessions for multiple repos.
+# Usage: invoke_setup_sessions <org_id> <prompt_template> <user_id> <repo1> [repo2] ...
+#
+# The prompt_template should contain {repo} as a placeholder, e.g.:
+#   "Set up the {repo} repository from scratch..."
+#
+# Returns a JSON array of {repo, session_id, url, status} objects.
+# ---------------------------------------------------------------------------
+invoke_setup_sessions() {
+  local org_id="$1"
+  local prompt_template="$2"
+  local user_id="$3"
+  shift 3
+  local repos=("$@")
+
+  local results="[]"
+
+  for repo in "${repos[@]}"; do
+    local prompt="${prompt_template//\{repo\}/$repo}"
+    info "Creating setup session for ${repo}..."
+
+    local session_json session_id url status
+    session_json=$(create_session "$org_id" "$prompt" "$user_id") || {
+      warn "Failed to create session for ${repo}"
+      results=$(echo "$results" | jq --arg r "$repo" \
+        '. + [{repo: $r, session_id: null, url: null, status: "failed_to_create"}]')
+      continue
+    }
+
+    session_id=$(echo "$session_json" | jq -r '.session_id')
+    url=$(echo "$session_json" | jq -r '.url')
+    status=$(echo "$session_json" | jq -r '.status')
+
+    info "  Session: ${session_id} (${url})"
+    results=$(echo "$results" | jq \
+      --arg r "$repo" --arg s "$session_id" --arg u "$url" --arg st "$status" \
+      '. + [{repo: $r, session_id: $s, url: $u, status: $st}]')
+  done
+
+  echo "$results"
+}
diff --git a/scripts/lib/manage-members.sh b/scripts/lib/manage-members.sh
new file mode 100755
index 0000000..351aa6a
--- /dev/null
+++ b/scripts/lib/manage-members.sh
@@ -0,0 +1,132 @@
+#!/usr/bin/env bash
+# manage-members.sh — Member invitation and management functions
+# Source common.sh before using these functions.
+
+# ---------------------------------------------------------------------------
+# Invite users to the enterprise by email (batch).
+# Usage: invite_enterprise_members <emails_json_array> [enterprise_role_id]
+#
+# emails_json_array: a jq-formatted JSON array of emails, e.g. '["a@b.com"]'
+# Returns the API response (array of user objects with user_id).
+# ---------------------------------------------------------------------------
+invite_enterprise_members() {
+  local emails_json="$1"
+  local role_id="${2:-}"
+
+  local payload
+  payload=$(jq -n --argjson emails "$emails_json" '{emails: $emails}')
+  if [[ -n "$role_id" ]]; then
+    payload=$(echo "$payload" | jq --arg r "$role_id" '. + {enterprise_role_id: $r}')
+  fi
+
+  api_post "/v3/enterprise/members/users" "$payload"
+}
+
+# ---------------------------------------------------------------------------
+# Assign a user to an organization.
+# Usage: assign_user_to_org <org_id> <user_id> [org_role_id]
+# ---------------------------------------------------------------------------
+assign_user_to_org() {
+  local org_id="$1"
+  local user_id="$2"
+  local role_id="${3:-}"
+
+  local payload
+  payload=$(jq -n --arg uid "$user_id" '{user_id: $uid}')
+  if [[ -n "$role_id" ]]; then
+    payload=$(echo "$payload" | jq --arg r "$role_id" '. + {org_role_id: $r}')
+  fi
+
+  api_post "/v3/enterprise/organizations/${org_id}/members/users" "$payload"
+}
+
+# ---------------------------------------------------------------------------
+# Invite a batch of emails and assign them to an org.
+# Usage: invite_and_assign <org_id> <email1> [email2] ... [--enterprise-role=<id>] [--org-role=<id>]
+#
+# Handles batching (max 50 per API call) internally.
+# Prints summary counts to stdout.
+# ---------------------------------------------------------------------------
+invite_and_assign() {
+  local org_id="$1"
+  shift
+
+  local enterprise_role=""
+  local org_role=""
+  local emails=()
+
+  for arg in "$@"; do
+    case "$arg" in
+      --enterprise-role=*) enterprise_role="${arg#*=}" ;;
+      --org-role=*)        org_role="${arg#*=}" ;;
+      *)                   emails+=("$arg") ;;
+    esac
+  done
+
+  local invited=0 assigned=0 failed=0
+  local batch_size=50
+
+  for ((i = 0; i < ${#emails[@]}; i += batch_size)); do
+    local batch=("${emails[@]:i:batch_size}")
+
+    # Build JSON array
+    local emails_json
+    emails_json=$(printf '%s\n' "${batch[@]}" | jq -R . | jq -s .)
+
+    info "Inviting ${#batch[@]} user(s) to enterprise..."
+    local result
+    result=$(invite_enterprise_members "$emails_json" "$enterprise_role") || {
+      warn "Batch invite failed"
+      failed=$((failed + ${#batch[@]}))
+      continue
+    }
+
+    # Extract user_ids and assign to org
+    local user_ids
+    user_ids=$(echo "$result" | jq -r '.[].user_id // empty' 2>/dev/null)
+
+    if [[ -z "$user_ids" ]]; then
+      warn "No user IDs returned from invite. Response: $(echo "$result" | jq -c .)"
+      failed=$((failed + ${#batch[@]}))
+      continue
+    fi
+
+    invited=$((invited + $(echo "$user_ids" | wc -l)))
+
+    while IFS= read -r user_id; do
+      [[ -z "$user_id" ]] && continue
+
+      local assign_result
+      assign_result=$(assign_user_to_org "$org_id" "$user_id" "$org_role") || {
+        warn "Failed to assign ${user_id} to org ${org_id}"
+        failed=$((failed + 1))
+        continue
+      }
+
+      if echo "$assign_result" | jq -e '.user_id' >/dev/null 2>&1; then
+        assigned=$((assigned + 1))
+      else
+        warn "Unexpected response assigning ${user_id}: $(echo "$assign_result" | jq -c .)"
+        failed=$((failed + 1))
+      fi
+    done <<< "$user_ids"
+
+    sleep 0.5
+  done
+
+  echo "Invited: ${invited} | Assigned to org: ${assigned} | Failed: ${failed}"
+}
+
+# ---------------------------------------------------------------------------
+# Read emails from a file (one per line, # comments, blank lines ignored).
+# Usage: read_emails_file <file_path>
+# Prints emails to stdout, one per line.
+# ---------------------------------------------------------------------------
+read_emails_file() {
+  local file="$1"
+  [[ ! -f "$file" ]] && { err "Emails file not found: ${file}"; return 1; }
+  while IFS= read -r line || [[ -n "$line" ]]; do
+    line=$(echo "$line" | xargs)
+    [[ -n "$line" ]] && [[ ! "$line" =~ ^# ]] && echo "$line"
+  done < "$file"
+}
diff --git a/scripts/lib/manage-org.sh b/scripts/lib/manage-org.sh
new file mode 100755
index 0000000..0c095d4
--- /dev/null
+++ b/scripts/lib/manage-org.sh
@@ -0,0 +1,98 @@
+#!/usr/bin/env bash
+# manage-org.sh — Organization lifecycle functions
+# Source common.sh before using these functions.
+
+# ---------------------------------------------------------------------------
+# List all organizations in the enterprise.
+# Prints JSON array of orgs.
+# ---------------------------------------------------------------------------
+list_orgs() {
+  api_get "/v3/enterprise/organizations" | jq '.items'
+}
+
+# ---------------------------------------------------------------------------
+# Get a single organization by ID.
+# Usage: get_org <org_id>
+# ---------------------------------------------------------------------------
+get_org() {
+  local org_id="$1"
+  api_get "/v3/enterprise/organizations" | jq --arg id "$org_id" '.items[] | select(.org_id == $id)'
+}
+
+# ---------------------------------------------------------------------------
+# Create a new organization.
+# Usage: create_org <name> [max_session_acu_limit] [max_cycle_acu_limit]
+# Returns the created org JSON.
+# ---------------------------------------------------------------------------
+create_org() {
+  local name="$1"
+  local max_session="${2:-250}"
+  local max_cycle="${3:-250}"
+
+  info "Creating organization: ${name} (session_limit=${max_session}, cycle_limit=${max_cycle})"
+  local result
+  result=$(api_post "/v3/enterprise/organizations" \
+    "$(jq -n \
+      --arg name "$name" \
+      --argjson session "$max_session" \
+      --argjson cycle "$max_cycle" \
+      '{name: $name, max_session_acu_limit: $session, max_cycle_acu_limit: $cycle}')")
+
+  local org_id
+  org_id=$(echo "$result" | jq -r '.org_id')
+  info "Created org: ${org_id} (${name})"
+  echo "$result"
+}
+
+# ---------------------------------------------------------------------------
+# Update an organization's name and/or ACU limits.
+# Usage: update_org <org_id> [name] [max_session_acu_limit] [max_cycle_acu_limit]
+# ---------------------------------------------------------------------------
+update_org() {
+  local org_id="$1"
+  local name="${2:-}"
+  local max_session="${3:-}"
+  local max_cycle="${4:-}"
+
+  local payload="{}"
+  [[ -n "$name" ]] && payload=$(echo "$payload" | jq --arg n "$name" '. + {name: $n}')
+  [[ -n "$max_session" ]] && payload=$(echo "$payload" | jq --argjson s "$max_session" '. + {max_session_acu_limit: $s}')
+  [[ -n "$max_cycle" ]] && payload=$(echo "$payload" | jq --argjson c "$max_cycle" '. + {max_cycle_acu_limit: $c}')
+
+  info "Updating org ${org_id}: ${payload}"
+  api_patch "/v3/enterprise/organizations/${org_id}" "$payload"
+}
+
+# ---------------------------------------------------------------------------
+# Delete an organization.
+# Usage: delete_org <org_id>
+# ---------------------------------------------------------------------------
+delete_org() {
+  local org_id="$1"
+  warn "Deleting organization: ${org_id}"
+  api_delete "/v3/enterprise/organizations/${org_id}"
+  info "Deleted org: ${org_id}"
+}
+
+# ---------------------------------------------------------------------------
+# List members of an organization.
+# Usage: list_org_members <org_id>
+# ---------------------------------------------------------------------------
+list_org_members() {
+  local org_id="$1"
+  api_get "/v3/enterprise/organizations/${org_id}/members/users" | jq '.items'
+}
+
+# ---------------------------------------------------------------------------
+# List all enterprise members.
+# ---------------------------------------------------------------------------
+list_enterprise_members() {
+  api_get "/v3/enterprise/members/users" | jq '.items'
+}
+
+# ---------------------------------------------------------------------------
+# List enterprise service users.
+# ---------------------------------------------------------------------------
+list_service_users() {
+  api_get "/v3/enterprise/members/service-users" | jq '.items'
+}
diff --git a/scripts/lib/manage-repos.sh b/scripts/lib/manage-repos.sh
new file mode 100755
index 0000000..35fffa3
--- /dev/null
+++ b/scripts/lib/manage-repos.sh
@@ -0,0 +1,102 @@
+#!/usr/bin/env bash
+# manage-repos.sh — Git connection and permission management functions
+# Source common.sh before using these functions.
+
+# ---------------------------------------------------------------------------
+# List all git connections (GitHub Apps, tokens, etc.) in the enterprise.
+# ---------------------------------------------------------------------------
+list_git_connections() {
+  api_get "/v3/enterprise/git-providers/connections" | jq '.items'
+}
+
+# ---------------------------------------------------------------------------
+# Find a git connection by name (e.g., "Cognition-Partner-Workshops-mirror").
+# Usage: find_git_connection <name>
+# Returns the connection JSON object, or empty if not found.
+# ---------------------------------------------------------------------------
+find_git_connection() {
+  local name="$1"
+  api_get "/v3/enterprise/git-providers/connections" | jq --arg n "$name" '.items[] | select(.name == $n)'
+}
+
+# ---------------------------------------------------------------------------
+# List git permissions for an organization.
+# Usage: list_git_permissions <org_id>
+# ---------------------------------------------------------------------------
+list_git_permissions() {
+  local org_id="$1"
+  api_get "/v3/enterprise/organizations/${org_id}/git-providers/permissions" | jq '.items'
+}
+
+# ---------------------------------------------------------------------------
+# Add git permissions for repos to an organization (incremental).
+# Usage: add_git_permissions <org_id> <git_connection_id> <repo1> [repo2] ...
+#
+# Each repo should be in "org/repo" format, e.g.:
+#   add_git_permissions org-xxx git-connection-yyy "Org/repo1" "Org/repo2"
+# ---------------------------------------------------------------------------
+add_git_permissions() {
+  local org_id="$1"
+  local conn_id="$2"
+  shift 2
+  local repos=("$@")
+
+  local permissions="[]"
+  for repo in "${repos[@]}"; do
+    permissions=$(echo "$permissions" | jq --arg c "$conn_id" --arg r "$repo" \
+      '. + [{git_connection_id: $c, repo_path: $r}]')
+  done
+
+  local payload
+  payload=$(jq -n --argjson p "$permissions" '{permissions: $p}')
+
+  info "Adding ${#repos[@]} git permission(s) to org ${org_id}"
+  api_post "/v3/enterprise/organizations/${org_id}/git-providers/permissions" "$payload"
+}
+
+# ---------------------------------------------------------------------------
+# Replace all git permissions for an organization (idempotent).
+# Usage: replace_git_permissions <org_id> <git_connection_id> <repo1> [repo2] ...
+#
+# This removes all existing permissions and sets exactly the repos provided.
+# ---------------------------------------------------------------------------
+replace_git_permissions() {
+  local org_id="$1"
+  local conn_id="$2"
+  shift 2
+  local repos=("$@")
+
+  local permissions="[]"
+  for repo in "${repos[@]}"; do
+    permissions=$(echo "$permissions" | jq --arg c "$conn_id" --arg r "$repo" \
+      '. + [{git_connection_id: $c, repo_path: $r}]')
+  done
+
+  local payload
+  payload=$(jq -n --argjson p "$permissions" '{permissions: $p}')
+
+  info "Replacing git permissions for org ${org_id} with ${#repos[@]} repo(s)"
+  api_put "/v3/enterprise/organizations/${org_id}/git-providers/permissions" "$payload"
+}
+
+# ---------------------------------------------------------------------------
+# Delete a single git permission by ID.
+# Usage: delete_git_permission <org_id> <git_permission_id>
+# ---------------------------------------------------------------------------
+delete_git_permission() {
+  local org_id="$1"
+  local perm_id="$2"
+  info "Deleting git permission ${perm_id} from org ${org_id}"
+  api_delete "/v3/enterprise/organizations/${org_id}/git-providers/permissions/${perm_id}"
+}
+
+# ---------------------------------------------------------------------------
+# Clear all git permissions from an organization.
+# Usage: clear_git_permissions <org_id>
+# ---------------------------------------------------------------------------
+clear_git_permissions() {
+  local org_id="$1"
+  warn "Clearing ALL git permissions from org ${org_id}"
+  api_delete "/v3/enterprise/organizations/${org_id}/git-providers/permissions"
+  info "Cleared all git permissions from org ${org_id}"
+}
diff --git a/scripts/mirror-github-org.sh b/scripts/mirror-github-org.sh
new file mode 100755
index 0000000..e42f875
--- /dev/null
+++ b/scripts/mirror-github-org.sh
@@ -0,0 +1,226 @@
+#!/usr/bin/env bash
+# mirror-github-org.sh — Mirror repos from one GitHub org to another.
+#
+# Creates independent copies (not forks) of each repo. Optionally strips
+# .github/workflows/ from all branches so mirrored repos don't trigger
+# unrelated CI in the target org.
+#
+# Usage:
+#   ./scripts/mirror-github-org.sh <SOURCE_ORG> <TARGET_ORG> [OPTIONS]
+#
+# Options:
+#   --dry-run              Preview without creating repos
+#   --include=<glob>       Only mirror repos matching this pattern (e.g. "uc-*")
+#   --exclude=<glob>       Skip repos matching this pattern (repeatable)
+#   --skip-existing        Skip repos that already exist in target (default)
+#   --no-skip-existing     Overwrite existing repos
+#   --visibility=<v>       Target repo visibility: public, private (default: private)
+#   --strip-workflows      Remove .github/workflows/ from all branches (default)
+#   --no-strip-workflows   Keep workflows as-is
+#   --config=<file>        Read repo list from a workshop config JSON instead of listing the source org
+#
+# Prerequisites:
+#   - gh CLI authenticated with admin:org, repo scopes for both orgs
+#   - git, jq
+#
+# Note: This creates independent copies, not git mirrors. Lab-specific changes
+# in the target org won't be overwritten by future runs (with --skip-existing).
+set -euo pipefail
+
+SOURCE_ORG="${1:?Usage: $0 <SOURCE_ORG> <TARGET_ORG> [OPTIONS]}"
+TARGET_ORG="${2:?Usage: $0 <SOURCE_ORG> <TARGET_ORG> [OPTIONS]}"
+shift 2
+
+DRY_RUN=false
+INCLUDE_PATTERN=""
+EXCLUDE_PATTERN=""
+SKIP_EXISTING=true
+VISIBILITY="private"
+STRIP_WORKFLOWS=true
+CONFIG_FILE=""
+
+for arg in "$@"; do
+  case "$arg" in
+    --dry-run)             DRY_RUN=true ;;
+    --include=*)           INCLUDE_PATTERN="${INCLUDE_PATTERN:+$INCLUDE_PATTERN|}${arg#*=}" ;;
+    --exclude=*)           EXCLUDE_PATTERN="${EXCLUDE_PATTERN:+$EXCLUDE_PATTERN|}${arg#*=}" ;;
+    --skip-existing)       SKIP_EXISTING=true ;;
+    --no-skip-existing)    SKIP_EXISTING=false ;;
+    --visibility=*)        VISIBILITY="${arg#*=}" ;;
+    --strip-workflows)     STRIP_WORKFLOWS=true ;;
+    --no-strip-workflows)  STRIP_WORKFLOWS=false ;;
+    --config=*)            CONFIG_FILE="${arg#*=}" ;;
+    -h|--help)
+      sed -n '2,/^[^#]/{ /^#/s/^# \?//p }' "$0"
+      exit 0
+      ;;
+    *) echo "Unknown option: $arg" >&2; exit 1 ;;
+  esac
+done
+
+LOGDIR="./mirror-logs"
+mkdir -p "$LOGDIR"
+LOGFILE="$LOGDIR/mirror-$(date +%Y%m%d-%H%M%S).log"
+WORK_DIR=$(mktemp -d)
+trap 'rm -rf "$WORK_DIR"' EXIT
+
+log() { echo "[$(date -u +%H:%M:%S)] $*" | tee -a "$LOGFILE"; }
+
+log "=== GitHub Org Mirror ==="
+log "Source: ${SOURCE_ORG} -> Target: ${TARGET_ORG}"
+log "Visibility: ${VISIBILITY} | Strip workflows: ${STRIP_WORKFLOWS} | Dry run: ${DRY_RUN}"
+
+# ---------------------------------------------------------------------------
+# Collect repo names
+# ---------------------------------------------------------------------------
+REPO_NAMES=()
+
+if [[ -n "$CONFIG_FILE" ]]; then
+  log "Reading repos from config: ${CONFIG_FILE}"
+  mapfile -t REPO_NAMES < <(jq -r '.repos[] | split("/") | .[1]' "$CONFIG_FILE")
+else
+  log "Fetching repos from ${SOURCE_ORG}..."
+  page=1
+  while true; do
+    repos=$(gh api "orgs/${SOURCE_ORG}/repos?per_page=100&page=${page}&type=all" \
+      --jq '.[].name' 2>/dev/null) || break
+    [[ -z "$repos" ]] && break
+    while IFS= read -r r; do REPO_NAMES+=("$r"); done <<< "$repos"
+    page=$((page + 1))
+  done
+fi
+log "Repos to process: ${#REPO_NAMES[@]}"
+
+# ---------------------------------------------------------------------------
+# Collect existing target repos (for skip logic)
+# ---------------------------------------------------------------------------
+declare -A TARGET_SET
+if [[ "$SKIP_EXISTING" == "true" ]]; then
+  log "Fetching existing repos in ${TARGET_ORG}..."
+  page=1
+  while true; do
+    repos=$(gh api "orgs/${TARGET_ORG}/repos?per_page=100&page=${page}&type=all" \
+      --jq '.[].name' 2>/dev/null) || break
+    [[ -z "$repos" ]] && break
+    while IFS= read -r r; do TARGET_SET["$r"]=1; done <<< "$repos"
+    page=$((page + 1))
+  done
+  log "Existing repos in target: ${#TARGET_SET[@]}"
+fi
+
+# ---------------------------------------------------------------------------
+# Filter helpers
+# ---------------------------------------------------------------------------
+is_filtered_out() {
+  local name="$1"
+  if [[ -n "$INCLUDE_PATTERN" ]]; then
+    # shellcheck disable=SC2254
+    case "$name" in $INCLUDE_PATTERN) ;; *) return 0 ;; esac
+  fi
+  if [[ -n "$EXCLUDE_PATTERN" ]]; then
+    # shellcheck disable=SC2254
+    case "$name" in $EXCLUDE_PATTERN) return 0 ;; esac
+  fi
+  return 1
+}
+
+# ---------------------------------------------------------------------------
+# Mirror loop
+# ---------------------------------------------------------------------------
+mirrored=0 skipped=0 failed=0
+
+for repo_name in "${REPO_NAMES[@]}"; do
+  if is_filtered_out "$repo_name"; then
+    log "SKIP (filter): ${repo_name}"
+    skipped=$((skipped + 1))
+    continue
+  fi
+
+  if [[ "$SKIP_EXISTING" == "true" && -n "${TARGET_SET[$repo_name]+x}" ]]; then
+    log "SKIP (exists): ${repo_name}"
+    skipped=$((skipped + 1))
+    continue
+  fi
+
+  default_branch=$(gh api "repos/${SOURCE_ORG}/${repo_name}" --jq '.default_branch' 2>/dev/null || echo "main")
+  description=$(gh api "repos/${SOURCE_ORG}/${repo_name}" --jq '.description // ""' 2>/dev/null || echo "")
+
+  if [[ "$DRY_RUN" == "true" ]]; then
+    log "DRY RUN: Would mirror ${repo_name} (branch: ${default_branch})"
+    mirrored=$((mirrored + 1))
+    continue
+  fi
+
+  log "Mirroring: ${repo_name}..."
+
+  clone_dir="${WORK_DIR}/${repo_name}.git"
+
+  # Clone bare from source
+  if ! git clone --bare "https://github.com/${SOURCE_ORG}/${repo_name}.git" "$clone_dir" 2>>"$LOGFILE"; then
+    log "FAIL (clone): ${repo_name}"
+    failed=$((failed + 1))
+    continue
+  fi
+
+  # Strip workflows from all branches if requested
+  if [[ "$STRIP_WORKFLOWS" == "true" ]]; then
+    local_dir="${WORK_DIR}/${repo_name}-work"
+    git clone "$clone_dir" "$local_dir" 2>>"$LOGFILE"
+    cd "$local_dir"
+
+    for remote_branch in $(git branch -r | grep -v HEAD | sed 's|origin/||' | xargs); do
+      git branch --track "$remote_branch" "origin/$remote_branch" 2>/dev/null || true
+    done
+
+    for branch in $(git branch | sed 's/^[* ]*//' | xargs); do
+      git checkout "$branch" 2>>"$LOGFILE" || continue
+      if [[ -d ".github/workflows" ]]; then
+        rm -rf ".github/workflows"
+        git add -A && git commit -m "Remove CI workflows for workshop mirror" 2>>"$LOGFILE" || true
+      fi
+    done
+
+    git checkout "$default_branch" 2>>"$LOGFILE"
+    cd - >/dev/null
+
+    rm -rf "$clone_dir"
+    git clone --bare "$local_dir" "$clone_dir" 2>>"$LOGFILE"
+    rm -rf "$local_dir"
+  fi
+
+  # Create target repo
+  if ! gh api "orgs/${TARGET_ORG}/repos" \
+    -X POST \
+    -f name="$repo_name" \
+    -f description="$description" \
+    -f visibility="$VISIBILITY" \
+    -F auto_init=false \
+    --silent 2>>"$LOGFILE"; then
+    log "FAIL (create): ${repo_name}"
+    failed=$((failed + 1))
+    rm -rf "$clone_dir"
+    continue
+  fi
+
+  # Push all branches and tags
+  cd "$clone_dir"
+  if ! git push --mirror "https://github.com/${TARGET_ORG}/${repo_name}.git" 2>>"$LOGFILE"; then
+    log "FAIL (push): ${repo_name}"
+    failed=$((failed + 1))
+    cd - >/dev/null
+    rm -rf "$clone_dir"
+    continue
+  fi
+  cd - >/dev/null
+
+  rm -rf "$clone_dir"
+  log "OK: ${repo_name}"
+  mirrored=$((mirrored + 1))
+
+  sleep 0.5
+done
+
+log ""
+log "=== Mirror Summary ==="
+log "Mirrored: ${mirrored} | Skipped: ${skipped} | Failed: ${failed}"
+log "Log: ${LOGFILE}"
diff --git a/scripts/provision-workshop.sh b/scripts/provision-workshop.sh
new file mode 100755
index 0000000..37738f9
--- /dev/null
+++ b/scripts/provision-workshop.sh
@@ -0,0 +1,184 @@
+#!/usr/bin/env bash
+# provision-workshop.sh — End-to-end workshop provisioning
+#
+# Creates a Devin org, sets git permissions for workshop repos, and invokes
+# Devin sessions to set up environment config YAMLs for each repo.
+#
+# Usage:
+#   ./provision-workshop.sh --config configs/dc-april-2026.json
+#   ./provision-workshop.sh --config configs/dc-april-2026.json --skip-sessions
+#   ./provision-workshop.sh --config configs/dc-april-2026.json --org-id org-existing-id
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "${SCRIPT_DIR}/lib/common.sh"
+source "${SCRIPT_DIR}/lib/manage-org.sh"
+source "${SCRIPT_DIR}/lib/manage-repos.sh"
+source "${SCRIPT_DIR}/lib/manage-members.sh"
+source "${SCRIPT_DIR}/lib/invoke-setup.sh"
+
+# ---------------------------------------------------------------------------
+# Parse arguments
+# ---------------------------------------------------------------------------
+CONFIG_FILE=""
+SKIP_SESSIONS=false
+SKIP_INVITES=false
+EXISTING_ORG_ID=""
+EMAILS_FILE=""
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --config)        CONFIG_FILE="$2"; shift 2 ;;
+    --skip-sessions) SKIP_SESSIONS=true; shift ;;
+    --skip-invites)  SKIP_INVITES=true; shift ;;
+    --org-id)        EXISTING_ORG_ID="$2"; shift 2 ;;
+    --emails-file)   EMAILS_FILE="$2"; shift 2 ;;
+    -h|--help)
+      echo "Usage: $0 --config <config.json> [--skip-sessions] [--skip-invites] [--org-id <org-id>] [--emails-file <file>]"
+      echo
+      echo "Options:"
+      echo "  --config <file>     Path to workshop config JSON (required)"
+      echo "  --skip-sessions     Skip invoking Devin setup sessions"
+      echo "  --skip-invites      Skip participant invitations"
+      echo "  --org-id <id>       Use an existing org instead of creating one"
+      echo "  --emails-file <f>   File with participant emails (one per line)"
+      exit 0
+      ;;
+    *) die "Unknown argument: $1" ;;
+  esac
+done
+
+[[ -z "$CONFIG_FILE" ]] && die "Missing required --config argument. Run with --help for usage."
+[[ ! -f "$CONFIG_FILE" ]] && die "Config file not found: ${CONFIG_FILE}"
+
+# ---------------------------------------------------------------------------
+# Read config
+# ---------------------------------------------------------------------------
+info "Reading config: ${CONFIG_FILE}"
+
+ORG_NAME=$(config_get "$CONFIG_FILE" '.org_name')
+GIT_CONNECTION_ID=$(config_get "$CONFIG_FILE" '.git_connection_id')
+MAX_SESSION_ACU=$(config_get "$CONFIG_FILE" '.max_session_acu_limit // 250')
+MAX_CYCLE_ACU=$(config_get "$CONFIG_FILE" '.max_cycle_acu_limit // 250')
+SETUP_USER_ID=$(config_get "$CONFIG_FILE" '.setup_as_user_id // empty')
+SETUP_PROMPT=$(config_get "$CONFIG_FILE" '.setup_prompt_template')
+ENTERPRISE_ROLE_ID=$(config_get "$CONFIG_FILE" '.enterprise_role_id // empty')
+ORG_ROLE_ID=$(config_get "$CONFIG_FILE" '.org_role_id // empty')
+
+# Use emails file from config if not overridden by CLI
+if [[ -z "$EMAILS_FILE" ]]; then
+  EMAILS_FILE=$(config_get "$CONFIG_FILE" '.emails_file // empty')
+fi
+
+mapfile -t REPOS < <(config_get_array "$CONFIG_FILE" '.repos')
+
+echo
+echo "============================================"
+echo "  Workshop Provisioning"
+echo "============================================"
+echo "  Org name       : ${ORG_NAME}"
+echo "  Git connection : ${GIT_CONNECTION_ID}"
+echo "  Repos          : ${#REPOS[@]}"
+echo "  ACU limits     : session=${MAX_SESSION_ACU}, cycle=${MAX_CYCLE_ACU}"
+echo "  Setup user     : ${SETUP_USER_ID:-none (service user)}"
+echo "  Emails file    : ${EMAILS_FILE:-none}"
+echo "  Skip sessions  : ${SKIP_SESSIONS}"
+echo "  Skip invites   : ${SKIP_INVITES}"
+echo "============================================"
+echo
+
+# ---------------------------------------------------------------------------
+# Step 1: Create or reuse organization
+# ---------------------------------------------------------------------------
+ORG_ID=""
+if [[ -n "$EXISTING_ORG_ID" ]]; then
+  info "Using existing org: ${EXISTING_ORG_ID}"
+  ORG_ID="$EXISTING_ORG_ID"
+
+  info "Updating ACU limits..."
+  update_org "$ORG_ID" "" "$MAX_SESSION_ACU" "$MAX_CYCLE_ACU" > /dev/null
+else
+  info "Creating new organization..."
+  org_json=$(create_org "$ORG_NAME" "$MAX_SESSION_ACU" "$MAX_CYCLE_ACU")
+  ORG_ID=$(echo "$org_json" | jq -r '.org_id')
+fi
+echo
+info "Org ID: ${ORG_ID}"
+echo
+
+# ---------------------------------------------------------------------------
+# Step 2: Set git permissions (idempotent replace)
+# ---------------------------------------------------------------------------
+info "Setting git permissions for ${#REPOS[@]} repo(s)..."
+replace_git_permissions "$ORG_ID" "$GIT_CONNECTION_ID" "${REPOS[@]}" > /dev/null
+echo
+
+info "Verifying permissions..."
+list_git_permissions "$ORG_ID" | jq -r '.[] | "  \(.repo_path)"'
+echo
+
+# ---------------------------------------------------------------------------
+# Step 3: Invite participants
+# ---------------------------------------------------------------------------
+if [[ "$SKIP_INVITES" == "true" ]] || [[ -z "$EMAILS_FILE" ]]; then
+  if [[ -z "$EMAILS_FILE" ]]; then
+    info "No --emails-file provided; skipping invitations"
+  else
+    info "Skipping invitations (--skip-invites)"
+  fi
+else
+  if [[ ! -f "$EMAILS_FILE" ]]; then
+    warn "Emails file not found: ${EMAILS_FILE}; skipping invitations"
+  else
+    mapfile -t PARTICIPANT_EMAILS < <(read_emails_file "$EMAILS_FILE")
+    if [[ ${#PARTICIPANT_EMAILS[@]} -gt 0 ]]; then
+      info "Inviting ${#PARTICIPANT_EMAILS[@]} participant(s)..."
+      ROLE_ARGS=()
+      [[ -n "$ENTERPRISE_ROLE_ID" ]] && ROLE_ARGS+=("--enterprise-role=${ENTERPRISE_ROLE_ID}")
+      [[ -n "$ORG_ROLE_ID" ]] && ROLE_ARGS+=("--org-role=${ORG_ROLE_ID}")
+      invite_and_assign "$ORG_ID" "${PARTICIPANT_EMAILS[@]}" "${ROLE_ARGS[@]}"
+    else
+      info "No emails found in ${EMAILS_FILE}"
+    fi
+  fi
+fi
+echo
+
+# ---------------------------------------------------------------------------
+# Step 4: Invoke Devin setup sessions (one per repo)
+# ---------------------------------------------------------------------------
+if [[ "$SKIP_SESSIONS" == "true" ]]; then
+  info "Skipping session creation (--skip-sessions)"
+else
+  info "Invoking setup sessions for ${#REPOS[@]} repo(s)..."
+  echo
+
+  sessions_json=$(invoke_setup_sessions "$ORG_ID" "$SETUP_PROMPT" "$SETUP_USER_ID" "${REPOS[@]}")
+
+  echo
+  echo "============================================"
+  echo "  Setup Sessions"
+  echo "============================================"
+  echo "$sessions_json" | jq -r '.[] | "  \(.repo)\n    Session: \(.session_id)\n    URL:     \(.url)\n    Status:  \(.status)\n"'
+fi
+
+# ---------------------------------------------------------------------------
+# Summary
+# ---------------------------------------------------------------------------
+echo
+echo "============================================"
+echo "  Provisioning Complete"
+echo "============================================"
+echo "  Org ID         : ${ORG_ID}"
+echo "  Org name       : ${ORG_NAME}"
+echo "  Repos          : ${#REPOS[@]}"
+if [[ "$SKIP_SESSIONS" != "true" ]]; then
+  echo "  Sessions       : $(echo "$sessions_json" | jq length)"
+fi
+echo
+echo "  Next steps:"
+echo "    1. Monitor setup sessions in the Devin webapp or poll via API"
+echo "    2. Once sessions complete, env config YAMLs are ready for participants"
+echo "    3. Share the workshop org URL with participants"
+echo "    4. After the workshop: ./scripts/cleanup-all.sh <GITHUB_ORG>
+    5. Tear down the org:    ./scripts/teardown-workshop.sh --org-id ${ORG_ID}"
+echo
diff --git a/scripts/sanitize-pr-pii.sh b/scripts/sanitize-pr-pii.sh
new file mode 100755
index 0000000..fbdefb6
--- /dev/null
+++ b/scripts/sanitize-pr-pii.sh
@@ -0,0 +1,141 @@
+#!/usr/bin/env bash
+# sanitize-pr-pii.sh — Remove "Requested by" PII from PR descriptions and comments
+#
+# Scans every PR (open + closed) in every repo of a GitHub org. Removes lines
+# matching "Requested by: @user" or "Requested by: email@..." from PR bodies,
+# issue comments, and review comments.
+#
+# Usage:
+#   ./scripts/sanitize-pr-pii.sh <GITHUB_ORG> [--dry-run]
+#
+# Prerequisites: gh CLI authenticated with repo + pull-request scopes, jq
+set -euo pipefail
+
+ORG="${1:?Usage: $0 <GITHUB_ORG> [--dry-run]}"
+DRY_RUN=false
+[[ "${2:-}" == "--dry-run" ]] && DRY_RUN=true
+
+LOG_DIR="$(pwd)/cleanup-logs"
+mkdir -p "$LOG_DIR"
+LOG_FILE="$LOG_DIR/sanitize-pr-pii-$(date +%Y%m%d-%H%M%S).log"
+
+log() { echo "[$(date -u +%H:%M:%S)] $*" | tee -a "$LOG_FILE"; }
+
+# Strip the system-appended footer (session link, requester) before scanning,
+# then remove any remaining "Requested by:" lines.
+sanitize_text() {
+  local text="$1"
+  echo "$text" \
+    | sed '/^Link to Devin session:/,$d' \
+    | sed '/^<!-- devin-review-badge/,$d' \
+    | sed -E '/^[[:space:]]*[Rr][Ee][Qq][Uu][Ee][Ss][Tt][Ee][Dd][[:space:]]+[Bb][Yy][[:space:]]*:[[:space:]]*.*$/d'
+}
+
+has_pii() {
+  echo "$1" | grep -qPi '^\s*requested\s+by\s*:\s*\S'
+}
+
+REPOS=$(gh repo list "$ORG" --limit 500 --json name --jq '.[].name' | sort)
+TOTAL_REPOS=$(echo "$REPOS" | wc -l)
+TOTAL_EDITS=0
+REPO_NUM=0
+
+for REPO_NAME in $REPOS; do
+  REPO_NUM=$((REPO_NUM + 1))
+  FULL_REPO="$ORG/$REPO_NAME"
+  log "[$REPO_NUM/$TOTAL_REPOS] Processing $FULL_REPO"
+
+  # --- PR descriptions ---
+  PAGE=1
+  while true; do
+    PR_JSON=$(gh api "repos/$FULL_REPO/pulls?state=all&per_page=100&page=$PAGE" 2>/dev/null || echo "[]")
+    PR_COUNT=$(echo "$PR_JSON" | jq 'length')
+    [[ "$PR_COUNT" -eq 0 ]] && break
+
+    for i in $(seq 0 $((PR_COUNT - 1))); do
+      PR_NUM=$(echo "$PR_JSON" | jq -r ".[$i].number")
+      PR_BODY=$(echo "$PR_JSON" | jq -r ".[$i].body // empty")
+
+      if [[ -n "$PR_BODY" ]] && has_pii "$PR_BODY"; then
+        NEW_BODY=$(sanitize_text "$PR_BODY")
+        if [[ "$DRY_RUN" == true ]]; then
+          log "  [DRY-RUN] Would sanitize PR #$PR_NUM description"
+        else
+          PAYLOAD=$(jq -n --arg body "$NEW_BODY" '{"body": $body}')
+          if echo "$PAYLOAD" | gh api "repos/$FULL_REPO/pulls/$PR_NUM" -X PATCH --input - >/dev/null 2>&1; then
+            log "  Sanitized PR #$PR_NUM description"
+            TOTAL_EDITS=$((TOTAL_EDITS + 1))
+          else
+            log "  ERROR: Failed to edit PR #$PR_NUM description"
+          fi
+        fi
+      fi
+    done
+    PAGE=$((PAGE + 1))
+  done
+
+  # --- Issue/PR comments ---
+  PAGE=1
+  while true; do
+    COMMENT_JSON=$(gh api "repos/$FULL_REPO/issues/comments?per_page=100&page=$PAGE" 2>/dev/null || echo "[]")
+    COMMENT_COUNT=$(echo "$COMMENT_JSON" | jq 'length')
+    [[ "$COMMENT_COUNT" -eq 0 ]] && break
+
+    for i in $(seq 0 $((COMMENT_COUNT - 1))); do
+      COMMENT_ID=$(echo "$COMMENT_JSON" | jq -r ".[$i].id")
+      COMMENT_BODY=$(echo "$COMMENT_JSON" | jq -r ".[$i].body // empty")
+
+      if [[ -n "$COMMENT_BODY" ]] && has_pii "$COMMENT_BODY"; then
+        NEW_BODY=$(sanitize_text "$COMMENT_BODY")
+        if [[ "$DRY_RUN" == true ]]; then
+          log "  [DRY-RUN] Would sanitize comment $COMMENT_ID"
+        else
+          PAYLOAD=$(jq -n --arg body "$NEW_BODY" '{"body": $body}')
+          if echo "$PAYLOAD" | gh api "repos/$FULL_REPO/issues/comments/$COMMENT_ID" -X PATCH --input - >/dev/null 2>&1; then
+            log "  Sanitized comment $COMMENT_ID"
+            TOTAL_EDITS=$((TOTAL_EDITS + 1))
+          else
+            log "  ERROR: Failed to edit comment $COMMENT_ID"
+          fi
+        fi
+      fi
+    done
+    PAGE=$((PAGE + 1))
+  done
+
+  # --- PR review comments (inline code review) ---
+  PAGE=1
+  while true; do
+    REVIEW_JSON=$(gh api "repos/$FULL_REPO/pulls/comments?per_page=100&page=$PAGE" 2>/dev/null || echo "[]")
+    REVIEW_COUNT=$(echo "$REVIEW_JSON" | jq 'length')
+    [[ "$REVIEW_COUNT" -eq 0 ]] && break
+
+    for i in $(seq 0 $((REVIEW_COUNT - 1))); do
+      REVIEW_ID=$(echo "$REVIEW_JSON" | jq -r ".[$i].id")
+      REVIEW_BODY=$(echo "$REVIEW_JSON" | jq -r ".[$i].body // empty")
+
+      if [[ -n "$REVIEW_BODY" ]] && has_pii "$REVIEW_BODY"; then
+        NEW_BODY=$(sanitize_text "$REVIEW_BODY")
+        if [[ "$DRY_RUN" == true ]]; then
+          log "  [DRY-RUN] Would sanitize review comment $REVIEW_ID"
+        else
+          PAYLOAD=$(jq -n --arg body "$NEW_BODY" '{"body": $body}')
+          if echo "$PAYLOAD" | gh api "repos/$FULL_REPO/pulls/comments/$REVIEW_ID" -X PATCH --input - >/dev/null 2>&1; then
+            log "  Sanitized review comment $REVIEW_ID"
+            TOTAL_EDITS=$((TOTAL_EDITS + 1))
+          else
+            log "  ERROR: Failed to edit review comment $REVIEW_ID"
+          fi
+        fi
+      fi
+    done
+    PAGE=$((PAGE + 1))
+  done
+
+  sleep 0.5
+done
+
+log ""
+log "=== PII Sanitization Complete ==="
+log "Repos scanned: $TOTAL_REPOS | Edits: $TOTAL_EDITS"
+log "Log: $LOG_FILE"
diff --git a/scripts/teardown-workshop.sh b/scripts/teardown-workshop.sh
new file mode 100755
index 0000000..88bd75c
--- /dev/null
+++ b/scripts/teardown-workshop.sh
@@ -0,0 +1,87 @@
+#!/usr/bin/env bash
+# teardown-workshop.sh — Post-workshop cleanup
+#
+# Clears git permissions and optionally deletes the workshop organization.
+#
+# Usage:
+#   ./teardown-workshop.sh --org-id org-xxxxx
+#   ./teardown-workshop.sh --org-id org-xxxxx --delete-org
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "${SCRIPT_DIR}/lib/common.sh"
+source "${SCRIPT_DIR}/lib/manage-org.sh"
+source "${SCRIPT_DIR}/lib/manage-repos.sh"
+
+# ---------------------------------------------------------------------------
+# Parse arguments
+# ---------------------------------------------------------------------------
+ORG_ID=""
+DELETE_ORG=false
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --org-id)     ORG_ID="$2"; shift 2 ;;
+    --delete-org) DELETE_ORG=true; shift ;;
+    -h|--help)
+      echo "Usage: $0 --org-id <org-id> [--delete-org]"
+      echo
+      echo "Options:"
+      echo "  --org-id <id>    Organization ID to tear down (required)"
+      echo "  --delete-org     Also delete the organization (default: only clear permissions)"
+      exit 0
+      ;;
+    *) die "Unknown argument: $1" ;;
+  esac
+done
+
+[[ -z "$ORG_ID" ]] && die "Missing required --org-id argument. Run with --help for usage."
+
+echo
+echo "============================================"
+echo "  Workshop Teardown"
+echo "============================================"
+echo "  Org ID     : ${ORG_ID}"
+echo "  Delete org : ${DELETE_ORG}"
+echo "============================================"
+echo
+
+# ---------------------------------------------------------------------------
+# Step 1: Show current state
+# ---------------------------------------------------------------------------
+info "Current git permissions:"
+perms=$(list_git_permissions "$ORG_ID")
+perm_count=$(echo "$perms" | jq length)
+echo "$perms" | jq -r '.[] | "  \(.repo_path)"'
+echo
+info "Found ${perm_count} permission(s)"
+echo
+
+# ---------------------------------------------------------------------------
+# Step 2: Clear git permissions
+# ---------------------------------------------------------------------------
+if [[ "$perm_count" -gt 0 ]]; then
+  info "Clearing git permissions..."
+  clear_git_permissions "$ORG_ID" > /dev/null
+  info "Cleared ${perm_count} permission(s)"
+else
+  info "No permissions to clear"
+fi
+echo
+
+# ---------------------------------------------------------------------------
+# Step 3: Optionally delete the organization
+# ---------------------------------------------------------------------------
+if [[ "$DELETE_ORG" == "true" ]]; then
+  echo
+  warn "Deleting organization ${ORG_ID}..."
+  warn "This is irreversible. Proceeding in 5 seconds (Ctrl+C to abort)..."
+  sleep 5
+  delete_org "$ORG_ID"
+else
+  info "Organization ${ORG_ID} preserved (use --delete-org to remove)"
+fi
+echo
+
+echo "============================================"
+echo "  Teardown Complete"
+echo "============================================"
diff --git a/scripts/verify-auth.sh b/scripts/verify-auth.sh
new file mode 100755
index 0000000..eeb0470
--- /dev/null
+++ b/scripts/verify-auth.sh
@@ -0,0 +1,67 @@
+#!/usr/bin/env bash
+# verify-auth.sh — Verify API authentication and display enterprise state
+set -euo pipefail
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+source "${SCRIPT_DIR}/lib/common.sh"
+source "${SCRIPT_DIR}/lib/manage-org.sh"
+source "${SCRIPT_DIR}/lib/manage-repos.sh"
+
+echo "============================================"
+echo "  Devin Enterprise — Auth Verification"
+echo "============================================"
+echo
+
+# Step 1: Verify identity
+info "Verifying API credentials..."
+self_json=$(api_get "/v3/self")
+principal_type=$(echo "$self_json" | jq -r '.principal_type')
+su_id=$(echo "$self_json" | jq -r '.service_user_id // empty')
+su_name=$(echo "$self_json" | jq -r '.service_user_name // empty')
+org_id=$(echo "$self_json" | jq -r '.org_id // "enterprise-scoped"')
+
+echo
+echo "  Principal type : ${principal_type}"
+echo "  Service user   : ${su_name} (${su_id})"
+echo "  Scope          : ${org_id}"
+echo
+
+if [[ "$principal_type" != "service_user" ]]; then
+  die "Expected principal_type=service_user, got ${principal_type}. Ensure DEVIN_API_KEY is a service user key."
+fi
+
+# Step 2: List organizations
+info "Listing organizations..."
+orgs_json=$(api_get "/v3/enterprise/organizations")
+org_count=$(echo "$orgs_json" | jq '.total')
+echo
+echo "  Organizations (${org_count}):"
+echo "$orgs_json" | jq -r '.items[] | "    \(.org_id)  \(.name)  (session=\(.max_session_acu_limit // "null"), cycle=\(.max_cycle_acu_limit // "null"))"'
+echo
+
+# Step 3: List git connections
+info "Listing git connections..."
+connections_json=$(list_git_connections)
+echo
+echo "  Git connections:"
+echo "$connections_json" | jq -r '.[] | "    \(.git_connection_id)  \(.git_provider_type)  \(.name)  (\(.host))"'
+echo
+
+# Step 4: List enterprise members
+info "Listing enterprise members..."
+members_json=$(list_enterprise_members)
+echo
+echo "  Enterprise members:"
+echo "$members_json" | jq -r '.[] | "    \(.user_id)  \(.email)  \(.name)"'
+echo
+
+# Step 5: List service users
+info "Listing service users..."
+sus_json=$(list_service_users)
+echo
+echo "  Service users:"
+echo "$sus_json" | jq -r '.[] | "    \(.service_user_id)  \(.name)  (expires: \(.expires_at // "never"))"'
+echo
+
+echo "============================================"
+echo "  Verification complete"
+echo "============================================"