@agent-team-foundation/first-tree-hub 0.10.0 → 0.10.2

package/dist/{core-BgiFGT7Y.mjs → saas-connect-idjpoPTk.mjs}

@@ -1,7 +1,8 @@
 import { m as __toESM } from "./esm-CYu4tXXn.mjs";
-import { _ as withSpan, a as endWsConnectionSpan, b as require_pino, c as messageAttrs, d as rootLogger$1, g as startWsConnectionSpan, i as currentTraceId, n as applyLoggerConfig, o as getFastifyOtelPlugin, p as setWsConnectionAttrs, r as createLogger$1, t as adapterAttrs, u as observabilityPlugin, v as withWsMessageSpan, y as FIRST_TREE_HUB_ATTR } from "./observability-DV_fQKqV-oxfXX6Z2.mjs";
-import { C as serverConfigSchema, S as resolveConfigReadonly, _ as loadAgents, d as DEFAULT_HOME_DIR$1, f as agentConfigSchema, g as initConfig, i as loadCredentials, l as DEFAULT_CONFIG_DIR, m as collectMissingPrompts, n as ensureFreshAccessToken, o as resolveServerUrl, p as clientConfigSchema, s as saveAgentConfig, u as DEFAULT_DATA_DIR$1, v as migrateLegacyHome, w as setConfigValue } from "./bootstrap-CtVqQA8a.mjs";
-import { $ as sessionEventMessageSchema, A as createChatSchema, B as isReservedAgentName$1, C as agentRuntimeConfigPayloadSchema$1, D as createAdapterConfigSchema, E as connectTokenExchangeSchema, F as dryRunAgentRuntimeConfigSchema, G as paginationQuerySchema, H as loginSchema, I as extractMentions, J as scanMentionTokens, K as refreshTokenSchema, L as imageInlineContentSchema, M as createOrganizationSchema, N as createTaskSchema, O as createAdapterMappingSchema, P as delegateFeishuUserSchema, Q as sessionCompletionMessageSchema, R as inboxPollQuerySchema, S as agentPinnedMessageSchema$1, T as clientRegisterSchema, U as messageSourceSchema$1, V as linkTaskChatSchema, W as notificationQuerySchema, X as sendMessageSchema, Y as selfServiceFeishuBotSchema, Z as sendToAgentSchema, _ as WS_AUTH_FRAME_TIMEOUT_MS, a as AGENT_NAME_REGEX$1, at as updateAgentRuntimeConfigSchema, b as adminUpdateTaskSchema, c as AGENT_STATUSES, ct as updateMemberSchema, d as DEFAULT_AGENT_RUNTIME_CONFIG_PAYLOAD, dt as updateTaskStatusSchema, et as sessionEventSchema$1, f as SYSTEM_CONFIG_DEFAULTS, ft as wsAuthFrameSchema, g as TASK_TERMINAL_STATUSES, h as TASK_STATUSES, i as AGENT_BIND_REJECT_REASONS, it as updateAdapterConfigSchema, j as createMemberSchema, k as createAgentSchema, l as AGENT_TYPES, lt as updateOrganizationSchema, m as TASK_HEALTH_SIGNALS, nt as sessionStateMessageSchema, o as AGENT_SELECTOR_HEADER$1, ot as updateAgentSchema, p as TASK_CREATOR_TYPES, q as runtimeStateMessageSchema, rt as taskListQuerySchema, s as AGENT_SOURCES, st as updateChatSchema, tt as sessionReconcileRequestSchema, u as AGENT_VISIBILITY, ut as updateSystemConfigSchema, v as addParticipantSchema, w as agentTypeSchema$1, x as agentBindRequestSchema, y as adminCreateTaskSchema, z as isRedactedEnvValue } from "./feishu-DEmwoNn_.mjs";
+import { _ as withSpan, a as endWsConnectionSpan, b as require_pino, c as messageAttrs, d as rootLogger$1, g as startWsConnectionSpan, i as currentTraceId, n as applyLoggerConfig, o as getFastifyOtelPlugin, p as setWsConnectionAttrs, r as createLogger$1, t as adapterAttrs, u as observabilityPlugin, v as withWsMessageSpan, y as FIRST_TREE_HUB_ATTR } from "./observability-DPyf745N-BSc8QNcR.mjs";
+import { C as serverConfigSchema, S as resolveConfigReadonly, _ as loadAgents, b as resetConfig, c as saveCredentials, d as DEFAULT_HOME_DIR$1, f as agentConfigSchema, g as initConfig, i as loadCredentials, l as DEFAULT_CONFIG_DIR, m as collectMissingPrompts, n as ensureFreshAccessToken, o as resolveServerUrl, p as clientConfigSchema, s as saveAgentConfig, u as DEFAULT_DATA_DIR$1, v as migrateLegacyHome, w as setConfigValue, x as resetConfigMeta } from "./bootstrap-Ca5Fiqz6.mjs";
+import { $ as sendMessageSchema, A as createOrganizationSchema, B as isRedactedEnvValue, C as connectTokenExchangeSchema, D as createChatSchema, E as createAgentSchema, F as githubCallbackQuerySchema, G as messageSourceSchema$1, H as joinByInvitationSchema, I as githubDevCallbackQuerySchema, J as refreshTokenSchema, K as notificationQuerySchema, L as githubStartQuerySchema, M as delegateFeishuUserSchema, N as dryRunAgentRuntimeConfigSchema, O as createMemberSchema, P as extractMentions, Q as selfServiceFeishuBotSchema, R as imageInlineContentSchema, S as clientRegisterSchema, T as createAdapterMappingSchema, U as linkTaskChatSchema, V as isReservedAgentName$1, W as loginSchema, X as safeRedirectPath, Y as runtimeStateMessageSchema, Z as scanMentionTokens, _ as adminUpdateTaskSchema, a as AGENT_STATUSES, at as sessionStateMessageSchema, b as agentRuntimeConfigPayloadSchema$1, c as DEFAULT_AGENT_RUNTIME_CONFIG_PAYLOAD, ct as updateAdapterConfigSchema, d as TASK_HEALTH_SIGNALS, dt as updateChatSchema, et as sendToAgentSchema, f as TASK_STATUSES, ft as updateMemberSchema, g as adminCreateTaskSchema, gt as wsAuthFrameSchema, h as addParticipantSchema, ht as updateTaskStatusSchema, i as AGENT_SOURCES, it as sessionReconcileRequestSchema, j as createTaskSchema, k as createOrgFromMeSchema, l as SYSTEM_CONFIG_DEFAULTS, lt as updateAgentRuntimeConfigSchema, m as WS_AUTH_FRAME_TIMEOUT_MS, mt as updateSystemConfigSchema, n as AGENT_NAME_REGEX$1, nt as sessionEventMessageSchema, o as AGENT_TYPES, ot as switchOrgSchema, p as TASK_TERMINAL_STATUSES, pt as updateOrganizationSchema, q as paginationQuerySchema, r as AGENT_SELECTOR_HEADER$1, rt as sessionEventSchema$1, s as AGENT_VISIBILITY, st as taskListQuerySchema, t as AGENT_BIND_REJECT_REASONS, tt as sessionCompletionMessageSchema, u as TASK_CREATOR_TYPES, ut as updateAgentSchema, v as agentBindRequestSchema, w as createAdapterConfigSchema, x as agentTypeSchema$1, y as agentPinnedMessageSchema$1, z as inboxPollQuerySchema } from "./dist-CLiN7cVS.mjs";
+import { a as ForbiddenError, c as buildInviteUrl, d as getActiveInvitation, f as invitationRedemptions, g as recordRedemption, i as ConflictError, l as ensureActiveInvitation, m as organizations, n as BadRequestError, o as NotFoundError, p as invitations, r as ClientOrgMismatchError$1, s as UnauthorizedError, t as AppError, u as findActiveByToken, v as users, y as uuidv7 } from "./invitation-C_zAhB8x-8Khychlu.mjs";
 import { createRequire } from "node:module";
 import { ZodError, z } from "zod";
 import { delimiter, dirname, isAbsolute, join, resolve } from "node:path";
@@ -23,12 +24,12 @@ import postgres from "postgres";
 import { confirm, input, password, select } from "@inquirer/prompts";
 import { fileURLToPath } from "node:url";
 import { migrate } from "drizzle-orm/postgres-js/migrator";
+import { bigserial, boolean, index, integer, jsonb, pgTable, primaryKey, serial, text, timestamp, unique, uniqueIndex } from "drizzle-orm/pg-core";
 import cors from "@fastify/cors";
 import rateLimit from "@fastify/rate-limit";
 import fastifyStatic from "@fastify/static";
 import websocket from "@fastify/websocket";
 import Fastify from "fastify";
-import { bigserial, boolean, index, integer, jsonb, pgTable, primaryKey, serial, text, timestamp, unique, uniqueIndex } from "drizzle-orm/pg-core";
 import { SignJWT, jwtVerify } from "jose";
 import { Client, EventDispatcher, LoggerLevel, WSClient } from "@larksuiteoapi/node-sdk";
 //#region ../client/dist/observability-B4kO005X.mjs
@@ -897,6 +898,39 @@ z.object({
 	ackedAt: z.string().nullable()
 }).extend({ message: clientMessageSchema });
 z.object({ limit: z.coerce.number().int().min(1).max(50).default(10) });
+z.object({
+	organizationId: z.string(),
+	organizationName: z.string(),
+	organizationDisplayName: z.string(),
+	role: z.string()
+});
+z.object({
+	id: z.string(),
+	organizationId: z.string(),
+	token: z.string(),
+	inviteUrl: z.string(),
+	role: z.string(),
+	createdAt: z.string(),
+	expiresAt: z.string().nullable()
+});
+z.object({ token: z.string().min(1) });
+z.object({}).optional();
+z.enum([
+	"connect",
+	"create_agent",
+	"completed"
+]);
+z.object({
+	id: z.string(),
+	name: z.string(),
+	displayName: z.string(),
+	role: z.enum(["admin", "member"])
+});
+z.object({
+	name: z.string().min(2).max(50).regex(/^[a-z0-9][a-z0-9-]*$/),
+	displayName: z.string().min(1).max(200)
+});
+z.object({ organizationId: z.string().min(1) });
 const memberRoleSchema = z.enum(["admin", "member"]);
 const memberSchema = z.object({
 	id: z.string(),
@@ -953,6 +987,18 @@ z.object({
 	read: z.enum(["true", "false"]).transform((v) => v === "true").optional(),
 	agentId: z.string().optional()
 });
+z.object({ next: z.string().max(256).optional() });
+z.object({
+	code: z.string().min(1),
+	state: z.string().min(1)
+});
+z.object({
+	githubId: z.string().min(1),
+	login: z.string().min(1),
+	email: z.string().email().optional(),
+	displayName: z.string().optional(),
+	next: z.string().max(256).optional()
+});
 const UUID_PATTERN$1 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 z.object({
 	name: z.string().min(2).max(50).regex(/^[a-z0-9][a-z0-9-]*$/, "Must start with a letter or digit and contain only lowercase alphanumeric and hyphens").refine((v) => !UUID_PATTERN$1.test(v), "Name must not be a UUID format"),
@@ -1330,7 +1376,8 @@ defineConfig({
 	},
 	server: {
 		port: field(z.number().default(8e3), { env: "FIRST_TREE_HUB_PORT" }),
-		host: field(z.string().default("127.0.0.1"), { env: "FIRST_TREE_HUB_HOST" })
+		host: field(z.string().default("127.0.0.1"), { env: "FIRST_TREE_HUB_HOST" }),
+		publicUrl: field(z.string().optional(), { env: "FIRST_TREE_HUB_PUBLIC_URL" })
 	},
 	secrets: {
 		jwtSecret: field(z.string(), {
@@ -1358,6 +1405,14 @@ defineConfig({
 		}),
 		allowedOrg: field(z.string().optional(), { env: "FIRST_TREE_HUB_GITHUB_ALLOWED_ORG" })
 	},
+	oauth: optional({ github: optional({
+		clientId: field(z.string(), { env: "FIRST_TREE_HUB_GITHUB_OAUTH_CLIENT_ID" }),
+		clientSecret: field(z.string(), {
+			env: "FIRST_TREE_HUB_GITHUB_OAUTH_CLIENT_SECRET",
+			secret: true
+		}),
+		devCallbackEnabled: field(z.boolean().default(false), { env: "FIRST_TREE_HUB_GITHUB_OAUTH_DEV_CALLBACK" })
+	}) }),
 	cors: optional({ origin: field(z.string(), { env: "FIRST_TREE_HUB_CORS_ORIGIN" }) }),
 	rateLimit: optional({
 		max: field(z.number().default(100), { env: "FIRST_TREE_HUB_RATE_LIMIT_MAX" }),
@@ -1576,7 +1631,7 @@ var SdkError = class extends Error {
 * different organization. The CLI layer detects this via `instanceof` and
 * prompts the user before rotating the local clientId.
 */
-var ClientOrgMismatchError$1 = class extends Error {
+var ClientOrgMismatchError = class extends Error {
 	code = "CLIENT_ORG_MISMATCH";
 	constructor(message = "Client belongs to a different organization") {
 		super(message);
@@ -1886,7 +1941,7 @@ var ClientConnection = class extends EventEmitter {
 			const code = typeof msg.code === "string" ? msg.code : void 0;
 			const message = typeof msg.message === "string" ? msg.message : "unknown";
 			this.closing = true;
-			const err = code === "CLIENT_ORG_MISMATCH" ? new ClientOrgMismatchError$1(message) : /* @__PURE__ */ new Error(`client:register rejected: ${message}`);
+			const err = code === "CLIENT_ORG_MISMATCH" ? new ClientOrgMismatchError(message) : /* @__PURE__ */ new Error(`client:register rejected: ${message}`);
 			this.lastHandshakeError = err;
 			this.wsLogger.error({
 				code,
@@ -4802,7 +4857,7 @@ function result(data) {
 		data
 	})}\n`);
 }
-function fail(code, message, exitCode = 1) {
+function fail$1(code, message, exitCode = 1) {
 	process.stderr.write(`${JSON.stringify({
 		ok: false,
 		error: {
@@ -4837,13 +4892,26 @@ function line(text) {
 }
 const print = {
 	result,
-	fail,
+	fail: fail$1,
 	status,
 	check,
 	blank,
 	line
 };
 //#endregion
+//#region src/cli/output.ts
+/**
+* CLI output re-exports. The underlying implementation lives in
+* `core/output.ts` (the Print layer). Keep these thin wrappers so callers that
+* only depend on `cli/output.ts` keep working during the migration.
+*/
+function success(data) {
+	print.result(data);
+}
+function fail(code, message, exitCode = 1) {
+	return print.fail(code, message, exitCode);
+}
+//#endregion
 //#region src/core/agent-messaging.ts
 /**
 * Resolve `replyTo` envelope fields for `agent send`. When the CLI is invoked
@@ -6530,7 +6598,7 @@ async function onboardCreate(args) {
 	}
 	const runtimeAgent = args.type === "human" ? args.assistant : args.id;
 	if (args.feishuBotAppId && args.feishuBotAppSecret) {
-		const { bindFeishuBot } = await import("./feishu-DEmwoNn_.mjs").then((n) => n.r);
+		const { bindFeishuBot } = await import("./feishu-FTWnoOsc.mjs").then((n) => n.r);
 		const targetAgentUuid = args.type === "human" ? assistantUuid : primary.uuid;
 		if (!targetAgentUuid) print.line(`Warning: Cannot bind Feishu bot — no runtime agent available for "${args.id}".\n`);
 		else {
@@ -7450,7 +7518,7 @@ function createFeedbackHandler(config) {
 	return { handle };
 }
 //#endregion
-//#region ../server/dist/app-DugUZNsw.mjs
+//#region ../server/dist/app-BvSSa9Ak.mjs
 var __defProp = Object.defineProperty;
 var __exportAll = (all, no_symbols) => {
 	let target = {};
@@ -7461,28 +7529,6 @@ var __exportAll = (all, no_symbols) => {
 	if (!no_symbols) __defProp(target, Symbol.toStringTag, { value: "Module" });
 	return target;
 };
-/** Organization entity. Agents and chats belong to exactly one organization. */
-const organizations = pgTable("organizations", {
-	id: text("id").primaryKey(),
-	name: text("name").unique().notNull(),
-	displayName: text("display_name").notNull(),
-	maxAgents: integer("max_agents").notNull().default(0),
-	maxMessagesPerMinute: integer("max_messages_per_minute").notNull().default(0),
-	features: jsonb("features").$type().notNull().default({}),
-	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
-	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow()
-});
-/** User accounts. Passwords are stored as bcrypt hashes. */
-const users = pgTable("users", {
-	id: text("id").primaryKey(),
-	username: text("username").unique().notNull(),
-	passwordHash: text("password_hash").notNull(),
-	displayName: text("display_name").notNull(),
-	avatarUrl: text("avatar_url"),
-	status: text("status").notNull().default("active"),
-	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
-	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow()
-});
 /**
 * Client connections. A client is a single SDK process (AgentRuntime) that may
 * host multiple agents. From the unified-user-token milestone on, a client is
@@ -7546,57 +7592,6 @@ const adapterAgentMappings = pgTable("adapter_agent_mappings", {
 	metadata: jsonb("metadata").$type().notNull().default({}),
 	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow()
 }, (table) => [unique("uq_adapter_agent_mapping").on(table.platform, table.externalUserId)]);
-var AppError = class extends Error {
-	constructor(statusCode, message) {
-		super(message);
-		this.statusCode = statusCode;
-		this.name = "AppError";
-	}
-};
-var NotFoundError = class extends AppError {
-	constructor(message = "Not found") {
-		super(404, message);
-		this.name = "NotFoundError";
-	}
-};
-var UnauthorizedError = class extends AppError {
-	constructor(message = "Unauthorized") {
-		super(401, message);
-		this.name = "UnauthorizedError";
-	}
-};
-var ForbiddenError = class extends AppError {
-	constructor(message = "Forbidden") {
-		super(403, message);
-		this.name = "ForbiddenError";
-	}
-};
-var ConflictError = class extends AppError {
-	constructor(message = "Conflict") {
-		super(409, message);
-		this.name = "ConflictError";
-	}
-};
-var BadRequestError = class extends AppError {
-	constructor(message = "Bad request") {
-		super(400, message);
-		this.name = "BadRequestError";
-	}
-};
-/**
-* Thrown when an operation targets a client whose organization does not match
-* the caller's authenticated organization. A client is bound to exactly one
-* org for its lifetime; re-registering or operating under a different org's
-* credentials is refused. CLI consumers recognize the `code` field and
-* respond by abandoning the local clientId to register a fresh one.
-*/
-var ClientOrgMismatchError = class extends AppError {
-	code = "CLIENT_ORG_MISMATCH";
-	constructor(message = "Client belongs to a different organization") {
-		super(403, message);
-		this.name = "ClientOrgMismatchError";
-	}
-};
 /** Communication container. All messages between agents flow within a Chat. */
 const chats = pgTable("chats", {
 	id: text("id").primaryKey(),
@@ -7747,26 +7742,6 @@ const adapterMessageReferences = pgTable("adapter_message_references", {
 	externalChannelId: text("external_channel_id").notNull(),
 	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow()
 }, (table) => [unique("uq_adapter_message_ref").on(table.messageId, table.platform)]);
-/** Generate a UUID v7 (time-ordered). No external dependency. */
-function uuidv7() {
-	const now = BigInt(Date.now());
-	const bytes = new Uint8Array(16);
-	bytes[0] = Number(now >> 40n & 255n);
-	bytes[1] = Number(now >> 32n & 255n);
-	bytes[2] = Number(now >> 24n & 255n);
-	bytes[3] = Number(now >> 16n & 255n);
-	bytes[4] = Number(now >> 8n & 255n);
-	bytes[5] = Number(now & 255n);
-	const rand = randomBytes(10);
-	for (let i = 0; i < 10; i++) {
-		const b = rand[i];
-		if (b !== void 0) bytes[6 + i] = b;
-	}
-	bytes[6] = (bytes[6] ?? 0) & 15 | 112;
-	bytes[8] = (bytes[8] ?? 0) & 63 | 128;
-	const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
-	return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
-}
 /** UUID v7 regex pattern for distinguishing UUIDs from name slugs. */
 const UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
 /**
@@ -8411,6 +8386,7 @@ const members = pgTable("members", {
 	organizationId: text("organization_id").notNull().references(() => organizations.id),
 	agentId: text("agent_id").unique().notNull().references(() => agents.uuid),
 	role: text("role").notNull(),
+	status: text("status").notNull().default("active"),
 	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow()
 }, (table) => [
 	unique("uq_members_user_org").on(table.userId, table.organizationId),
@@ -9188,7 +9164,7 @@ async function registerClient(db, data) {
 		userId: clients.userId,
 		organizationId: clients.organizationId
 	}).from(clients).where(eq(clients.id, data.clientId)).limit(1);
-	if (existing && existing.organizationId !== data.organizationId) throw new ClientOrgMismatchError(`Client "${data.clientId}" is bound to a different organization. Re-register as a new client under the current org.`);
+	if (existing && existing.organizationId !== data.organizationId) throw new ClientOrgMismatchError$1(`Client "${data.clientId}" is bound to a different organization. Re-register as a new client under the current org.`);
 	if (existing?.userId && existing.userId !== data.userId) throw new ForbiddenError(`Client "${data.clientId}" is already claimed by a different user. Pick a unique client_id.`);
 	await db.insert(clients).values({
 		id: data.clientId,
@@ -10059,9 +10035,10 @@ function memberAuthHook(db, jwtSecret) {
 			id: members.id,
 			organizationId: members.organizationId,
 			role: members.role,
-			agentId: members.agentId
+			agentId: members.agentId,
+			status: members.status
 		}).from(members).where(eq(members.id, payload.memberId)).limit(1);
-		if (!member) throw new UnauthorizedError("Membership not found");
+		if (!member || member.status !== "active") throw new UnauthorizedError("Membership not found");
 		request.member = {
 			userId: user.id,
 			memberId: member.id,
@@ -12750,7 +12727,7 @@ function clientWsRoutes(notifier, instanceId) {
 								});
 							} catch (err) {
 								const message = err instanceof Error ? err.message : "client register failed";
-								const code = err instanceof ClientOrgMismatchError ? err.code : void 0;
+								const code = err instanceof ClientOrgMismatchError$1 ? err.code : void 0;
 								socket.send(JSON.stringify({
 									type: "client:register:rejected",
 									message,
@@ -13025,32 +13002,44 @@ const CONNECT_JTI_TTL_MS = 6e5;
 async function signToken(secret, payload, expiry) {
 	return new SignJWT({ ...payload }).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime(expiry).sign(secret);
 }
+/**
+* Sign an `(access, refresh)` pair for the given member. Used by both the
+* legacy username/password login path and the SaaS GitHub OAuth callback,
+* so the issuance shape stays in one place.
+*/
+async function signTokensForMember(jwtSecretKey, member) {
+	const secret = new TextEncoder().encode(jwtSecretKey);
+	const tokenBase = {
+		sub: member.userId,
+		memberId: member.memberId,
+		organizationId: member.organizationId,
+		role: member.role
+	};
+	return {
+		accessToken: await signToken(secret, {
+			...tokenBase,
+			type: "access"
+		}, ACCESS_TOKEN_EXPIRY),
+		refreshToken: await signToken(secret, {
+			...tokenBase,
+			type: "refresh"
+		}, REFRESH_TOKEN_EXPIRY)
+	};
+}
 async function login(db, username, password, jwtSecretKey) {
 	const [user] = await db.select().from(users).where(eq(users.username, username)).limit(1);
 	if (!user || user.status !== "active") throw new UnauthorizedError("Invalid username or password");
 	if (!await bcrypt.compare(password, user.passwordHash)) throw new UnauthorizedError("Invalid username or password");
-	const [member] = await db.select().from(members).where(eq(members.userId, user.id)).limit(1);
+	const [member] = await db.select().from(members).where(and(eq(members.userId, user.id), eq(members.status, "active"))).limit(1);
 	if (!member) throw new UnauthorizedError("No organization membership found");
-	const secret = new TextEncoder().encode(jwtSecretKey);
-	const tokenBase = {
-		sub: user.id,
+	const tokens = await signTokensForMember(jwtSecretKey, {
+		userId: user.id,
 		memberId: member.id,
 		organizationId: member.organizationId,
 		role: member.role
-	};
-	const accessToken = await signToken(secret, {
-		...tokenBase,
-		type: "access"
-	}, ACCESS_TOKEN_EXPIRY);
-	const refreshToken = await signToken(secret, {
-		...tokenBase,
-		type: "refresh"
-	}, REFRESH_TOKEN_EXPIRY);
+	});
 	await db.update(users).set({ updatedAt: /* @__PURE__ */ new Date() }).where(eq(users.id, user.id));
-	return {
-		accessToken,
-		refreshToken
-	};
+	return tokens;
 }
 async function refreshAccessToken(db, refreshToken, jwtSecretKey) {
 	const secret = new TextEncoder().encode(jwtSecretKey);
@@ -13067,7 +13056,7 @@ async function refreshAccessToken(db, refreshToken, jwtSecretKey) {
 		status: users.status
 	}).from(users).where(eq(users.id, payload.sub)).limit(1);
 	if (!user || user.status !== "active") throw new UnauthorizedError("User not found or suspended");
-	const [member] = await db.select().from(members).where(eq(members.id, payload.memberId)).limit(1);
+	const [member] = await db.select().from(members).where(and(eq(members.id, payload.memberId), eq(members.status, "active"))).limit(1);
 	if (!member) throw new UnauthorizedError("Membership not found");
 	return { accessToken: await signToken(secret, {
 		sub: user.id,
@@ -13081,18 +13070,25 @@ async function refreshAccessToken(db, refreshToken, jwtSecretKey) {
 * Generate a short-lived connect token for CLI authentication.
 * The connect token carries the member's identity and can be exchanged
 * for full access+refresh tokens via exchangeConnectToken().
+*
+* `iss` (when supplied) is stamped into the JWT so the CLI can derive
+* the hub URL with no additional argument. Production servers must
+* always pass it; dev callers may omit and the CLI will require an
+* explicit `--server-url` (legacy form).
 */
-async function generateConnectToken(member, jwtSecretKey) {
+async function generateConnectToken(member, jwtSecretKey, iss) {
 	const secret = new TextEncoder().encode(jwtSecretKey);
 	const jti = randomUUID();
+	const builder = new SignJWT({
+		sub: member.userId,
+		memberId: member.memberId,
+		organizationId: member.organizationId,
+		role: member.role,
+		type: "connect"
+	}).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setJti(jti).setExpirationTime(CONNECT_TOKEN_EXPIRY);
+	if (iss) builder.setIssuer(iss);
 	return {
-		token: await new SignJWT({
-			sub: member.userId,
-			memberId: member.memberId,
-			organizationId: member.organizationId,
-			role: member.role,
-			type: "connect"
-		}).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setJti(jti).setExpirationTime(CONNECT_TOKEN_EXPIRY).sign(secret),
+		token: await builder.sign(secret),
 		expiresIn: 600
 	};
 }
@@ -13123,25 +13119,607 @@ async function exchangeConnectToken(db, connectToken, jwtSecretKey) {
 		status: users.status
 	}).from(users).where(eq(users.id, payload.sub)).limit(1);
 	if (!user || user.status !== "active") throw new UnauthorizedError("User not found or suspended");
-	const [member] = await db.select().from(members).where(eq(members.id, payload.memberId)).limit(1);
+	const [member] = await db.select().from(members).where(and(eq(members.id, payload.memberId), eq(members.status, "active"))).limit(1);
 	if (!member) throw new UnauthorizedError("Membership not found");
-	const tokenBase = {
-		sub: user.id,
+	return signTokensForMember(jwtSecretKey, {
+		userId: user.id,
 		memberId: member.id,
 		organizationId: member.organizationId,
 		role: member.role
+	});
+}
+/**
+* Third-party / local auth identities for a user. Models "how does this user
+* prove they are who they say they are". A single user MAY have multiple
+* identities (e.g. GitHub login + future email/password) but each
+* (provider, identifier) tuple maps to exactly one user.
+*
+* v1 supported shapes:
+*   - GitHub OAuth: provider='github', identifier=<github numeric id>,
+*     email=<primary>, credential_type=null
+*   - Future Email + password: provider='email', identifier=<email>,
+*     credential_type='password', credential_payload={ hash }
+*   - Future Email + magic link: provider='email', identifier=<email>,
+*     credential_type=null
+*   - Future Webauthn / passkey: credential_type='webauthn',
+*     credential_payload={ pubkey, counter }
+*
+* v1 explicitly does NOT support multi-factor on the same identity — the
+* (provider, identifier) UNIQUE constraint precludes two credential rows for
+* the same identifier. v2 splits credential_type / credential_payload into
+* a separate auth_credentials table; the migration is recorded in the
+* proposal so the upgrade path is unambiguous.
+*
+* The legacy `users.password_hash` column is preserved for backwards-compat
+* with self-host installs created before this milestone; new SaaS users get
+* a non-functional placeholder there and a real `auth_identities` row.
+*/
+const authIdentities = pgTable("auth_identities", {
+	id: text("id").primaryKey(),
+	userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+	provider: text("provider").notNull(),
+	identifier: text("identifier").notNull(),
+	email: text("email"),
+	verifiedAt: timestamp("verified_at", { withTimezone: true }),
+	credentialType: text("credential_type"),
+	credentialPayload: jsonb("credential_payload").$type(),
+	metadata: jsonb("metadata").$type().notNull().default({}),
+	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
+	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow()
+}, (table) => [
+	unique("uq_auth_identities_provider_identifier").on(table.provider, table.identifier),
+	index("idx_auth_identities_user").on(table.userId),
+	index("idx_auth_identities_email").on(table.email)
+]);
+/**
+* Find or create the user backing a GitHub OAuth identity. Idempotent —
+* subsequent logins by the same `githubId` reuse the prior `user_id` row.
+*
+* SaaS users have no password. The legacy `users.password_hash` column is
+* NOT NULL (preserved for self-host), so we fill it with a non-functional
+* 32-byte random string. The bcrypt comparison in `authService.login`
+* treats it as a plain string and rejects every password — that's the
+* intended behaviour: SaaS users cannot fall back to password login.
+*/
+async function findOrCreateUserFromGithub(db, profile) {
+	const [existing] = await db.select({ userId: authIdentities.userId }).from(authIdentities).where(and(eq(authIdentities.provider, "github"), eq(authIdentities.identifier, profile.githubId))).limit(1);
+	if (existing) {
+		if (profile.email) await db.update(authIdentities).set({
+			email: profile.email,
+			updatedAt: /* @__PURE__ */ new Date()
+		}).where(and(eq(authIdentities.provider, "github"), eq(authIdentities.identifier, profile.githubId)));
+		return { userId: existing.userId };
+	}
+	const userId = uuidv7();
+	const baseUsername = profile.login.toLowerCase();
+	const placeholderHash = `oauth:${randomBytes(32).toString("base64url")}`;
+	await insertWithUsernameRetry(db, baseUsername, async (tx, username) => {
+		await tx.insert(users).values({
+			id: userId,
+			username,
+			passwordHash: placeholderHash,
+			displayName: profile.displayName?.trim() || profile.login,
+			avatarUrl: profile.avatarUrl ?? null
+		});
+		await tx.insert(authIdentities).values({
+			id: uuidv7(),
+			userId,
+			provider: "github",
+			identifier: profile.githubId,
+			email: profile.email,
+			verifiedAt: /* @__PURE__ */ new Date(),
+			metadata: { login: profile.login }
+		});
+	});
+	return { userId };
+}
+/** Postgres `unique_violation` SQLSTATE — emitted when a UNIQUE constraint trips. */
+const PG_UNIQUE_VIOLATION$1 = "23505";
+/**
+* Pick a candidate username, attempt the caller's INSERT in a transaction,
+* and retry under a fresh disambiguator if the UNIQUE(users.username)
+* constraint trips. Two concurrent OAuth sign-ins for the same GitHub
+* `login` would otherwise let one INSERT win and the other 500 — the
+* race window between the pre-check `SELECT` and the `INSERT` is small but
+* non-zero in production. Retry budget is small; pathological storms fall
+* back to a fully-random suffix.
+*/
+async function insertWithUsernameRetry(db, base, insert) {
+	const [hit] = await db.select({ id: users.id }).from(users).where(eq(users.username, base)).limit(1);
+	let candidate = hit ? `${base}-${randomBytes(2).toString("hex")}` : base;
+	for (let attempt = 0; attempt < 4; attempt += 1) try {
+		await db.transaction(async (tx) => {
+			await insert(tx, candidate);
+		});
+		return;
+	} catch (err) {
+		if ((err?.code ?? err?.cause?.code) !== PG_UNIQUE_VIOLATION$1) throw err;
+		candidate = `${base}-${randomBytes(2).toString("hex")}`;
+	}
+	candidate = `${base}-${uuidv7().slice(0, 12)}`;
+	await db.transaction(async (tx) => {
+		await insert(tx, candidate);
+	});
+}
+const TOKEN_URL = "https://github.com/login/oauth/access_token";
+const USER_URL = "https://api.github.com/user";
+const USER_EMAILS_URL = "https://api.github.com/user/emails";
+/**
+* Exchange an OAuth code for an access token + fetch the user profile.
+*
+* The default `fetch` is overridable via `opts.fetcher` so tests can mock
+* the GitHub round-trip without standing up a fake server. The contract
+* the test fake must honor:
+*   - First call: POST `${TOKEN_URL}` → returns `{ access_token: string }`
+*   - Then GET `${USER_URL}` with `Authorization: Bearer …`
+*   - Then GET `${USER_EMAILS_URL}` (only if `/user` returned no email)
+*/
+async function exchangeCodeForProfile(config, code, redirectUri, opts = {}) {
+	const fetcher = opts.fetcher ?? fetch;
+	const tokenRes = await fetcher(TOKEN_URL, {
+		method: "POST",
+		headers: {
+			Accept: "application/json",
+			"Content-Type": "application/json"
+		},
+		body: JSON.stringify({
+			client_id: config.clientId,
+			client_secret: config.clientSecret,
+			code,
+			redirect_uri: redirectUri
+		})
+	});
+	if (!tokenRes.ok) throw new Error(`GitHub token exchange failed (${tokenRes.status})`);
+	const tokenJson = await tokenRes.json();
+	if (!tokenJson.access_token) throw new Error(tokenJson.error ?? "GitHub token exchange returned no access_token");
+	const userRes = await fetcher(USER_URL, { headers: {
+		Authorization: `Bearer ${tokenJson.access_token}`,
+		Accept: "application/vnd.github+json"
+	} });
+	if (!userRes.ok) throw new Error(`GitHub user fetch failed (${userRes.status})`);
+	const user = await userRes.json();
+	let email = user.email ?? null;
+	if (!email) {
+		const emailsRes = await fetcher(USER_EMAILS_URL, { headers: {
+			Authorization: `Bearer ${tokenJson.access_token}`,
+			Accept: "application/vnd.github+json"
+		} });
+		if (emailsRes.ok) {
+			const emails = await emailsRes.json();
+			email = (emails.find((e) => e.primary && e.verified) ?? emails.find((e) => e.verified))?.email ?? null;
+		}
+	}
+	return {
+		githubId: String(user.id),
+		login: user.login,
+		email,
+		displayName: user.name ?? null,
+		avatarUrl: user.avatar_url ?? null
 	};
+}
+/** Insert (or reactivate) a `members` row for `userId` in `organizationId`. */
+async function ensureMembership(db, data) {
+	const [existing] = await db.select().from(members).where(and(eq(members.userId, data.userId), eq(members.organizationId, data.organizationId))).limit(1);
+	if (existing) {
+		if (existing.status === "left") {
+			await db.update(members).set({ status: "active" }).where(eq(members.id, existing.id));
+			return {
+				...existing,
+				status: "active"
+			};
+		}
+		return existing;
+	}
+	return db.transaction(async (tx) => {
+		const memberId = uuidv7();
+		const agentName = sanitizeAgentName(data.username);
+		const inboxId = `inbox_${uuidv7()}`;
+		const agentUuid = uuidv7();
+		await tx.insert(agents).values({
+			uuid: agentUuid,
+			name: agentName,
+			organizationId: data.organizationId,
+			type: "human",
+			displayName: data.displayName,
+			inboxId,
+			source: "oauth",
+			visibility: "organization",
+			managerId: memberId
+		});
+		const [row] = await tx.insert(members).values({
+			id: memberId,
+			userId: data.userId,
+			organizationId: data.organizationId,
+			agentId: agentUuid,
+			role: data.role,
+			status: "active"
+		}).returning();
+		if (!row) throw new Error("Unexpected: INSERT RETURNING produced no row");
+		return row;
+	});
+}
+function sanitizeAgentName(login) {
+	return login.toLowerCase().replace(/[^a-z0-9_-]/g, "-").replace(/^-+|-+$/g, "").slice(0, 60) || "user";
+}
+/**
+* Create a fresh "personal team" org for a brand-new user, plus the
+* matching admin membership + 1:1 human agent. Slug strategy:
+*
+*   - First try: `${login}-personal`
+*   - On collision: append a 4-char hex disambiguator
+*
+* The display name is `{user}'s Personal Team` so it reads sensibly in the
+* UI; the user can rename via Settings later (proposal §"Personal team
+* visual降级").
+*/
+async function createPersonalTeam(db, input) {
+	const baseSlug = sanitizeOrgSlug(`${input.loginSeed}-personal`);
+	const displayName = `${input.userDisplayName}'s Personal Team`;
+	const orgId = uuidv7();
 	return {
-		accessToken: await signToken(secret, {
-			...tokenBase,
-			type: "access"
-		}, ACCESS_TOKEN_EXPIRY),
-		refreshToken: await signToken(secret, {
-			...tokenBase,
-			type: "refresh"
-		}, REFRESH_TOKEN_EXPIRY)
+		organizationId: orgId,
+		slug: await insertOrgWithSlugRetry(db, orgId, baseSlug, displayName),
+		displayName,
+		memberId: (await ensureMembership(db, {
+			userId: input.userId,
+			organizationId: orgId,
+			role: "admin",
+			displayName: input.userDisplayName,
+			username: input.loginSeed
+		})).id
+	};
+}
+function sanitizeOrgSlug(raw) {
+	return raw.toLowerCase().replace(/[^a-z0-9-]/g, "-").replace(/-+/g, "-").replace(/^-+|-+$/g, "").slice(0, 40) || "team";
+}
+/** Postgres `unique_violation` SQLSTATE — `organizations.name` UNIQUE tripping. */
+const PG_UNIQUE_VIOLATION = "23505";
+/**
+* Attempt INSERT into `organizations` with `base` slug, retrying with a
+* disambiguator on UNIQUE constraint violations. Two concurrent OAuth
+* sign-ins for the same GitHub `login` would race here without retry —
+* pre-check `SELECT` followed by `INSERT` has a TOCTOU window the unique
+* constraint catches but the catch path needs to exist. Returns the slug
+* actually used.
+*/
+async function insertOrgWithSlugRetry(db, orgId, base, displayName) {
+	const [existing] = await db.select({ id: organizations.id }).from(organizations).where(eq(organizations.name, base)).limit(1);
+	let candidate = existing ? `${base}-${randomBytes(2).toString("hex")}` : base;
+	for (let attempt = 0; attempt < 4; attempt += 1) try {
+		await db.insert(organizations).values({
+			id: orgId,
+			name: candidate,
+			displayName
+		});
+		return candidate;
+	} catch (err) {
+		if ((err?.code ?? err?.cause?.code) !== PG_UNIQUE_VIOLATION) throw err;
+		candidate = `${base}-${randomBytes(2).toString("hex")}`;
+	}
+	candidate = `${base}-${uuidv7().slice(0, 12)}`;
+	await db.insert(organizations).values({
+		id: orgId,
+		name: candidate,
+		displayName
+	});
+	return candidate;
+}
+/** List ACTIVE memberships (omit soft-deleted "left") for a user. */
+async function listActiveMemberships(db, userId) {
+	return await db.select({
+		memberId: members.id,
+		organizationId: members.organizationId,
+		role: members.role,
+		orgName: organizations.name,
+		orgDisplayName: organizations.displayName,
+		createdAt: members.createdAt
+	}).from(members).innerJoin(organizations, eq(members.organizationId, organizations.id)).where(and(eq(members.userId, userId), eq(members.status, "active"))).orderBy(desc(members.createdAt));
+}
+/**
+* Pick the most recently joined active membership — used after OAuth login
+* when the user already has at least one team but no `next` was specified.
+*/
+async function pickPrimaryMembership(db, userId) {
+	return (await listActiveMemberships(db, userId))[0] ?? null;
+}
+/**
+* Mark `members.status='left'` for the given member. v1 simplification:
+* no "must transfer admin" check — the proposal accepts the trade-off
+* (last admin allowed to leave, leaves an orphan team) and the cleanup is
+* a v2 sweep job.
+*/
+async function leaveOrganization(db, memberId) {
+	const [existing] = await db.select().from(members).where(eq(members.id, memberId)).limit(1);
+	if (!existing) throw new NotFoundError(`Membership "${memberId}" not found`);
+	if (existing.status === "left") return existing;
+	await db.update(members).set({ status: "left" }).where(eq(members.id, memberId));
+	return {
+		...existing,
+		status: "left"
+	};
+}
+/**
+* Self-service "create another team" (operator clicks "Create team" in the
+* org switcher). Caller is the new team's admin. Slug uniqueness is
+* enforced by the underlying organizations.name UNIQUE constraint.
+*/
+async function selfCreateOrganization(db, data) {
+	const [collision] = await db.select({ id: organizations.id }).from(organizations).where(eq(organizations.name, data.name)).limit(1);
+	if (collision) throw new ConflictError(`Organization "${data.name}" already exists`);
+	if (data.name === "default") throw new BadRequestError("\"default\" is a reserved organization name");
+	const orgId = uuidv7();
+	await db.insert(organizations).values({
+		id: orgId,
+		name: data.name,
+		displayName: data.displayName
+	});
+	return {
+		organizationId: orgId,
+		memberId: (await ensureMembership(db, {
+			userId: data.userId,
+			organizationId: orgId,
+			role: "admin",
+			displayName: data.userDisplayName,
+			username: data.username
+		})).id,
+		name: data.name,
+		displayName: data.displayName
+	};
+}
+/**
+* State-token signing for the GitHub OAuth dance.
+*
+* Flow:
+*   1. `/auth/github/start` mints a `state` JWT *and* an HttpOnly cookie
+*      holding the same nonce. Both ride for ~10 minutes.
+*   2. GitHub redirects back to `/auth/github/callback?code=…&state=<jwt>`.
+*   3. Callback verifies the JWT (signature + expiry) AND that the cookie
+*      nonce matches `payload.nonce`. The double check defeats the
+*      classic login-CSRF where an attacker pre-signs a `start` with their
+*      own GitHub account and tricks a victim's browser into completing
+*      the callback under that identity.
+*
+* `next` rides inside the JWT so the caller's intended landing path can't
+* be tampered with mid-flight.
+*/
+const STATE_EXPIRY = "10m";
+const NONCE_BYTES = 24;
+const OAUTH_STATE_COOKIE = "oauth_state_nonce";
+/**
+* Sign a fresh state token + return the matching cookie nonce. Caller is
+* responsible for setting the cookie (HttpOnly + Secure in prod).
+*/
+async function signOAuthState(jwtSecret, next) {
+	const nonce = randomBytes(NONCE_BYTES).toString("base64url");
+	const secret = new TextEncoder().encode(jwtSecret);
+	return {
+		token: await new SignJWT({
+			nonce,
+			next
+		}).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime(STATE_EXPIRY).sign(secret),
+		nonce
 	};
 }
+/**
+* Verify a state token. Returns the carried `next` on success. Throws
+* `Error` with the verification failure mode on rejection so the route
+* layer can map to 401.
+*
+* Cookie/nonce double-submit is mandatory — this is the CSRF defense.
+* `/dev-callback` does NOT call this function; it bypasses state entirely
+* (see `api/auth/github.ts`) because the dev shortcut also bypasses the
+* github.com round-trip that would have set a state cookie.
+*/
+async function verifyOAuthState(jwtSecret, token, cookieNonce) {
+	const secret = new TextEncoder().encode(jwtSecret);
+	let payload;
+	try {
+		const { payload: p } = await jwtVerify(token, secret);
+		payload = p;
+	} catch {
+		throw new Error("Invalid or expired OAuth state");
+	}
+	if (typeof payload.nonce !== "string" || typeof payload.next !== "string") throw new Error("OAuth state payload malformed");
+	if (!cookieNonce || cookieNonce !== payload.nonce) throw new Error("OAuth state nonce / cookie mismatch");
+	return { next: payload.next };
+}
+/**
+* Resolve the hub's public-facing base URL.
+*
+* Precedence:
+*   1. `app.config.server.publicUrl` — explicit configuration. Required in
+*      production (the boot check enforces it).
+*   2. The request's `Host` header (with `X-Forwarded-Proto` honored) —
+*      dev fallback so local quickstart works without extra config.
+*
+* Result is normalized to drop trailing slashes so callers can append
+* paths with a single leading `/`.
+*/
+function resolvePublicUrl(app, request) {
+	const configured = app.config.server.publicUrl;
+	if (configured && configured.length > 0) return configured.replace(/\/+$/, "");
+	return `${pickHeader(request.headers["x-forwarded-proto"]) ?? request.protocol}://${pickHeader(request.headers["x-forwarded-host"]) ?? pickHeader(request.headers.host) ?? request.hostname}`.replace(/\/+$/, "");
+}
+function pickHeader(value) {
+	if (Array.isArray(value)) return value[0];
+	return value;
+}
+/**
+* Manual cookie helpers — we don't pull in `@fastify/cookie` because the
+* SaaS onboarding flow needs exactly one cookie (the OAuth state nonce).
+* Parser tolerates the standard `name=value; name2=value2` format.
+*/
+function parseCookieHeader(header, name) {
+	if (!header) return null;
+	const raw = Array.isArray(header) ? header.join("; ") : header;
+	for (const entry of raw.split(/;\s*/)) {
+		const eq = entry.indexOf("=");
+		if (eq < 0) continue;
+		if (entry.slice(0, eq).trim() === name) return decodeURIComponent(entry.slice(eq + 1));
+	}
+	return null;
+}
+function buildCookie(opts) {
+	const sameSite = opts.sameSite ?? "Lax";
+	const parts = [
+		`${opts.name}=${encodeURIComponent(opts.value)}`,
+		"Path=/",
+		"HttpOnly",
+		`SameSite=${sameSite}`,
+		`Max-Age=${opts.maxAge}`
+	];
+	if (opts.secure) parts.push("Secure");
+	if (opts.maxAge <= 0) parts.push("Expires=Thu, 01 Jan 1970 00:00:00 GMT");
+	return parts.join("; ");
+}
+/**
+* GitHub OAuth surface. All routes are public (no member JWT required).
+*
+* Routes:
+*   - GET /auth/github/start         — sign state JWT + cookie + 302 to GitHub
+*   - GET /auth/github/callback      — verify state + exchange code → fragment
+*   - GET /auth/github/dev-callback  — dev-only stub (no GitHub round-trip)
+*/
+async function githubOauthRoutes(app) {
+	const oauthCfg = app.config.oauth?.github;
+	if (!oauthCfg) app.log.info("GitHub OAuth not configured — /auth/github/start will return 503. Set FIRST_TREE_HUB_GITHUB_OAUTH_CLIENT_ID/_SECRET to enable.");
+	app.get("/start", { config: { rateLimit: {
+		max: 20,
+		timeWindow: "1 minute"
+	} } }, async (request, reply) => {
+		const { next } = githubStartQuerySchema.parse(request.query);
+		const safeNext = safeRedirectPath(next ?? null);
+		if (!oauthCfg) return reply.status(503).send({ error: "GitHub OAuth is not configured on this hub" });
+		const { token, nonce } = await signOAuthState(app.config.secrets.jwtSecret, safeNext);
+		const isProd = process.env.NODE_ENV === "production";
+		reply.header("Set-Cookie", buildCookie({
+			name: OAUTH_STATE_COOKIE,
+			value: nonce,
+			maxAge: 600,
+			secure: isProd
+		}));
+		const redirectUri = `${resolvePublicUrl(app, request)}/api/v1/auth/github/callback`;
+		const params = new URLSearchParams({
+			client_id: oauthCfg.clientId,
+			redirect_uri: redirectUri,
+			state: token,
+			scope: "read:user user:email",
+			allow_signup: "true"
+		});
+		return reply.redirect(`https://github.com/login/oauth/authorize?${params}`, 302);
+	});
+	app.get("/callback", async (request, reply) => {
+		if (!oauthCfg) return reply.status(503).send({ error: "GitHub OAuth is not configured on this hub" });
+		const { code, state } = githubCallbackQuerySchema.parse(request.query);
+		const cookieNonce = parseCookieHeader(request.headers.cookie, OAUTH_STATE_COOKIE);
+		let next;
+		try {
+			next = (await verifyOAuthState(app.config.secrets.jwtSecret, state, cookieNonce)).next;
+		} catch (err) {
+			const msg = err instanceof Error ? err.message : "OAuth state rejected";
+			return reply.status(401).send({ error: msg });
+		}
+		reply.header("Set-Cookie", buildCookie({
+			name: OAUTH_STATE_COOKIE,
+			value: "",
+			maxAge: 0,
+			secure: process.env.NODE_ENV === "production"
+		}));
+		const redirectUri = `${resolvePublicUrl(app, request)}/api/v1/auth/github/callback`;
+		let profile;
+		try {
+			profile = await exchangeCodeForProfile({
+				clientId: oauthCfg.clientId,
+				clientSecret: oauthCfg.clientSecret
+			}, code, redirectUri);
+		} catch (err) {
+			const msg = err instanceof Error ? err.message : "GitHub exchange failed";
+			app.log.warn({ err }, "github oauth code exchange failed");
+			return reply.status(401).send({ error: msg });
+		}
+		return completeOauthFlow(app, request, reply, profile, next);
+	});
+	app.get("/dev-callback", async (request, reply) => {
+		const isProd = process.env.NODE_ENV === "production";
+		const devEnabled = oauthCfg?.devCallbackEnabled === true;
+		if (isProd || !devEnabled) return reply.status(404).send({ error: "Not found" });
+		const params = githubDevCallbackQuerySchema.parse(request.query);
+		const next = safeRedirectPath(params.next ?? null);
+		return completeOauthFlow(app, request, reply, {
+			githubId: params.githubId,
+			login: params.login,
+			email: params.email ?? null,
+			displayName: params.displayName ?? params.login,
+			avatarUrl: null
+		}, next);
+	});
+}
+async function completeOauthFlow(app, request, reply, profile, next) {
+	const { userId } = await findOrCreateUserFromGithub(app.db, profile);
+	let joinPath = "returning";
+	const inviteMatch = /^\/invite\/([^/?#]+)/.exec(next);
+	let memberInfo = null;
+	if (inviteMatch?.[1]) {
+		const token = inviteMatch[1];
+		const inv = await findActiveByToken(app.db, token);
+		if (!inv) return reply.status(404).send({ error: "Invitation not found or no longer valid" });
+		const member = await ensureMembership(app.db, {
+			userId,
+			organizationId: inv.organizationId,
+			role: inv.role === "admin" ? "admin" : "member",
+			displayName: profile.displayName?.trim() || profile.login,
+			username: profile.login
+		});
+		await recordRedemption(app.db, {
+			invitationId: inv.id,
+			userId,
+			ip: request.ip,
+			userAgent: request.headers["user-agent"] ?? null
+		});
+		memberInfo = {
+			memberId: member.id,
+			organizationId: member.organizationId,
+			role: member.role === "admin" ? "admin" : "member"
+		};
+		joinPath = "invite";
+		next = "/";
+	} else {
+		const primary = await pickPrimaryMembership(app.db, userId);
+		if (primary) memberInfo = {
+			memberId: primary.memberId,
+			organizationId: primary.organizationId,
+			role: primary.role === "admin" ? "admin" : "member"
+		};
+		else {
+			const personal = await createPersonalTeam(app.db, {
+				userId,
+				loginSeed: profile.login,
+				userDisplayName: profile.displayName?.trim() || profile.login
+			});
+			memberInfo = {
+				memberId: personal.memberId,
+				organizationId: personal.organizationId,
+				role: "admin"
+			};
+			joinPath = "solo";
+			next = "/";
+		}
+	}
+	if (!memberInfo) return reply.status(500).send({ error: "Failed to resolve membership" });
+	const tokens = await signTokensForMember(app.config.secrets.jwtSecret, {
+		userId,
+		memberId: memberInfo.memberId,
+		organizationId: memberInfo.organizationId,
+		role: memberInfo.role
+	});
+	const fragment = new URLSearchParams({
+		access: tokens.accessToken,
+		refresh: tokens.refreshToken,
+		next,
+		joinPath
+	}).toString();
+	return reply.redirect(`/auth/github/complete#${fragment}`, 302);
+}
 async function authRoutes(app) {
 	const loginMax = app.config.rateLimit?.loginMax ?? 5;
 	app.post("/login", { config: { rateLimit: {
@@ -13277,7 +13855,12 @@ async function healthzRoutes(app) {
 		}
 	});
 }
-/** GET /me — returns current user + member + agent info. */
+/**
+* `/me` and self-service organization routes (mounted under the member
+* auth hook). The legacy `GET /me` shape is preserved + extended with
+* `wizard` and `inviteUrl` (admin only) so the web SPA can derive its
+* landing UI without an extra round-trip.
+*/
 async function meRoutes(app) {
 	app.get("/me", async (request) => {
 		const m = requireMember(request);
@@ -13293,6 +13876,12 @@ async function meRoutes(app) {
 			displayName: agents.displayName,
 			inboxId: agents.inboxId
 		}).from(agents).where(eq(agents.uuid, m.agentId)).limit(1);
+		const wizardStep = await inferWizardStep(app, m);
+		let inviteUrl = null;
+		if (m.role === "admin") {
+			const inv = await getActiveInvitation(app.db, m.organizationId);
+			if (inv) inviteUrl = buildInviteUrl(resolvePublicUrl(app, request), inv.token);
+		}
 		return {
 			user: user ?? null,
 			member: {
@@ -13301,25 +13890,202 @@ async function meRoutes(app) {
 				role: m.role,
 				agentId: m.agentId
 			},
-			agent: agent ?? null
+			agent: agent ?? null,
+			wizard: { step: wizardStep },
+			inviteUrl
 		};
 	});
 	/**
 	* POST /connect-tokens — generate a short-lived connect token for CLI authentication.
-	* The token can be exchanged via POST /auth/connect-token for full credentials.
+	* Stamped with `iss = server.publicUrl` (or the request host as a dev fallback)
+	* so the CLI's `connect <token>` form can derive the hub URL with no extra arg.
+	*
+	* Rate-limited per-route at the same level as `/auth/login`: a "Copy
+	* commands" double-click in the wizard mustn't burn through token slots,
+	* but neither should a stolen access token mint unlimited connect tokens.
 	*/
-	app.post("/connect-tokens", async (request) => {
+	const loginMax = app.config.rateLimit?.loginMax ?? 5;
+	app.post("/connect-tokens", { config: { rateLimit: {
+		max: loginMax,
+		timeWindow: "1 minute"
+	} } }, async (request) => {
 		const m = requireMember(request);
+		const issuer = resolvePublicUrl(app, request);
 		const { token, expiresIn } = await generateConnectToken({
 			userId: m.userId,
 			memberId: m.memberId,
 			organizationId: m.organizationId,
 			role: m.role
-		}, app.config.secrets.jwtSecret);
+		}, app.config.secrets.jwtSecret, issuer);
 		return {
 			token,
 			expiresIn,
-			command: `first-tree-hub client connect ${`${request.headers["x-forwarded-proto"] ?? request.protocol}://${request.headers["x-forwarded-host"] ?? request.headers.host ?? request.hostname}`} --token ${token}`
+			command: `first-tree-hub connect ${token}`
+		};
+	});
+	app.get("/me/organizations", async (request) => {
+		const m = requireMember(request);
+		return (await listActiveMemberships(app.db, m.userId)).map((r) => ({
+			id: r.organizationId,
+			name: r.orgName,
+			displayName: r.orgDisplayName,
+			role: r.role
+		}));
+	});
+	app.post("/me/organizations", async (request, reply) => {
+		const m = requireMember(request);
+		const body = createOrgFromMeSchema.parse(request.body);
+		const [u] = await app.db.select({
+			username: users.username,
+			displayName: users.displayName
+		}).from(users).where(eq(users.id, m.userId)).limit(1);
+		if (!u) throw new NotFoundError("User not found");
+		const created = await selfCreateOrganization(app.db, {
+			userId: m.userId,
+			userDisplayName: u.displayName,
+			username: u.username,
+			name: body.name,
+			displayName: body.displayName
+		});
+		const tokens = await signTokensForMember(app.config.secrets.jwtSecret, {
+			userId: m.userId,
+			memberId: created.memberId,
+			organizationId: created.organizationId,
+			role: "admin"
+		});
+		return reply.status(201).send({
+			organization: {
+				id: created.organizationId,
+				name: created.name,
+				displayName: created.displayName,
+				role: "admin"
+			},
+			tokens
+		});
+	});
+	app.post("/me/organizations/join", { config: { rateLimit: {
+		max: loginMax,
+		timeWindow: "1 minute"
+	} } }, async (request, reply) => {
+		const m = requireMember(request);
+		const body = joinByInvitationSchema.parse(request.body);
+		const inv = await findActiveByToken(app.db, body.token);
+		if (!inv) return reply.status(404).send({ error: "Invitation not found or no longer valid" });
+		const [u] = await app.db.select({
+			username: users.username,
+			displayName: users.displayName
+		}).from(users).where(eq(users.id, m.userId)).limit(1);
+		if (!u) throw new NotFoundError("User not found");
+		const member = await ensureMembership(app.db, {
+			userId: m.userId,
+			organizationId: inv.organizationId,
+			role: inv.role === "admin" ? "admin" : "member",
+			displayName: u.displayName,
+			username: u.username
+		});
+		await recordRedemption(app.db, {
+			invitationId: inv.id,
+			userId: m.userId,
+			ip: request.ip,
+			userAgent: request.headers["user-agent"] ?? null
+		});
+		const tokens = await signTokensForMember(app.config.secrets.jwtSecret, {
+			userId: m.userId,
+			memberId: member.id,
+			organizationId: member.organizationId,
+			role: member.role
+		});
+		return reply.status(200).send({
+			organizationId: member.organizationId,
+			memberId: member.id,
+			role: member.role,
+			tokens
+		});
+	});
+	app.post("/me/organizations/leave", async (request, reply) => {
+		const m = requireMember(request);
+		await leaveOrganization(app.db, m.memberId);
+		return reply.status(204).send();
+	});
+	app.post("/auth/switch-org", async (request, reply) => {
+		const m = requireMember(request);
+		const body = switchOrgSchema.parse(request.body);
+		const [target] = await app.db.select().from(members).where(and(eq(members.userId, m.userId), eq(members.organizationId, body.organizationId), eq(members.status, "active"))).limit(1);
+		if (!target) throw new ForbiddenError("You do not belong to that organization");
+		const tokens = await signTokensForMember(app.config.secrets.jwtSecret, {
+			userId: m.userId,
+			memberId: target.id,
+			organizationId: target.organizationId,
+			role: target.role
+		});
+		return reply.send(tokens);
+	});
+}
+/**
+* Infer the wizard step from observable runtime state. Refer to
+* proposal §"Onboarding 状态推断" for the rationale.
+*
+* Note: we deliberately do NOT filter by `clients.status='connected'`
+* here. The original "fact-is-state" reading would have flapped between
+* `completed` and `connect` every time the user's client briefly went
+* offline — UX disaster (the onboarding modal would re-pop). "Ever
+* connected" (= a clients row exists at all for this user/org) is still
+* fact-derived: deleting the row really does rewind the wizard, and
+* that's the explicit reset path.
+*/
+async function inferWizardStep(app, m) {
+	const [hasClient] = await app.db.select({ id: clients.id }).from(clients).where(and(eq(clients.userId, m.userId), eq(clients.organizationId, m.organizationId))).limit(1);
+	if (!hasClient) return "connect";
+	const [hasAgent] = await app.db.select({ uuid: agents.uuid }).from(agents).where(and(eq(agents.managerId, m.memberId), ne(agents.type, "human"), eq(agents.status, "active"))).limit(1);
+	if (!hasAgent) return "create_agent";
+	return "completed";
+}
+/**
+* Public route exported separately so it mounts BEFORE the member auth hook.
+* Just exposes the org's display name & slug for the unauthenticated `/invite/:token`
+* landing page.
+*/
+async function publicInvitePreviewRoute(app) {
+	const { previewInvitation } = await import("./invitation-BTlGMy0o-dIoR8JRj.mjs");
+	app.get("/:token/preview", async (request, reply) => {
+		if (!request.params.token) throw new UnauthorizedError("Token required");
+		const preview = await previewInvitation(app.db, request.params.token);
+		return reply.send(preview);
+	});
+}
+/**
+* Admin-only invitation routes — mounted under `/admin/organizations/:id/invitations`.
+*/
+async function adminInvitationRoutes(app) {
+	app.get("/", async (request) => {
+		const m = requireMember(request);
+		if (m.role !== "admin") throw new ForbiddenError("Admin role required");
+		if (request.params.id !== m.organizationId) throw new ForbiddenError("Cannot inspect invitations for another organization");
+		const inv = await ensureActiveInvitation(app.db, m.organizationId, m.userId);
+		return {
+			id: inv.id,
+			organizationId: inv.organizationId,
+			token: inv.token,
+			inviteUrl: buildInviteUrl(resolvePublicUrl(app, request), inv.token),
+			role: inv.role,
+			createdAt: inv.createdAt.toISOString(),
+			expiresAt: inv.expiresAt ? inv.expiresAt.toISOString() : null
+		};
+	});
+	app.post("/rotate", async (request) => {
+		const m = requireMember(request);
+		if (m.role !== "admin") throw new ForbiddenError("Admin role required");
+		if (request.params.id !== m.organizationId) throw new ForbiddenError("Cannot rotate invitations for another organization");
+		const { rotateInvitation } = await import("./invitation-BTlGMy0o-dIoR8JRj.mjs");
+		const inv = await rotateInvitation(app.db, m.organizationId, m.userId);
+		return {
+			id: inv.id,
+			organizationId: inv.organizationId,
+			token: inv.token,
+			inviteUrl: buildInviteUrl(resolvePublicUrl(app, request), inv.token),
+			role: inv.role,
+			createdAt: inv.createdAt.toISOString(),
+			expiresAt: inv.expiresAt ? inv.expiresAt.toISOString() : null
 		};
 	});
 }
@@ -13959,10 +14725,13 @@ var schema_exports = /* @__PURE__ */ __exportAll({
 	agentConfigs: () => agentConfigs,
 	agentPresence: () => agentPresence,
 	agents: () => agents,
+	authIdentities: () => authIdentities,
 	chatParticipants: () => chatParticipants,
 	chats: () => chats,
 	clients: () => clients,
 	inboxEntries: () => inboxEntries,
+	invitationRedemptions: () => invitationRedemptions,
+	invitations: () => invitations,
 	members: () => members,
 	messages: () => messages,
 	notifications: () => notifications,
@@ -15217,6 +15986,8 @@ async function buildApp(config) {
 		await api.register(healthRoutes);
 		await api.register(githubWebhookRoutes, { prefix: "/webhooks" });
 		await api.register(authRoutes, { prefix: "/auth" });
+		await api.register(githubOauthRoutes, { prefix: "/auth/github" });
+		await api.register(publicInvitePreviewRoute, { prefix: "/invite" });
 		await api.register(contextTreeInfoRoutes, { prefix: "/context-tree" });
 		await api.register(bootstrapConfigRoutes, { prefix: "/bootstrap" });
 		await api.register(async (adminApp) => {
@@ -15277,6 +16048,10 @@ async function buildApp(config) {
 			adminApp.addHook("onRequest", adminOnly);
 			await adminApp.register(adminOrganizationRoutes);
 		}, { prefix: "/admin/organizations" });
+		await api.register(async (adminApp) => {
+			adminApp.addHook("onRequest", memberAuth);
+			await adminApp.register(adminInvitationRoutes);
+		}, { prefix: "/admin/organizations/:id/invitations" });
 		await api.register(async (adminApp) => {
 			adminApp.addHook("onRequest", memberAuth);
 			adminApp.addHook("onRequest", adminOnly);
@@ -15488,7 +16263,7 @@ async function startServer(options) {
 		instanceId: `srv_${randomUUID().slice(0, 8)}`,
 		commandVersion: COMMAND_VERSION
 	};
-	const { initTelemetry, shutdownTelemetry } = await import("./observability-DDkJwSKv.mjs");
+	const { initTelemetry, shutdownTelemetry } = await import("./observability-C08jUFsJ.mjs");
 	await initTelemetry(serverConfig.observability.tracing, config.instanceId);
 	const app = await buildApp(config);
 	const shutdown = async () => {
@@ -15714,4 +16489,187 @@ function createExecuteUpdate({ managed }) {
 	};
 }
 //#endregion
-export { configureClientLoggerForService as $, installClientService as A, createOwner as B, checkNodeVersion as C, checkWebSocket as D, checkServerReachable as E, isDockerAvailable as F, setJsonMode as G, resolveReplyToFromEnv as H, stopPostgres as I, FirstTreeHubSDK as J, status as K, ClientRuntime as L, resolveCliInvocation as M, uninstallClientService as N, printResults as O, ensurePostgres as P, applyClientLoggerConfig as Q, handleClientOrgMismatch as R, checkDocker as S, checkServerHealth as T, blank as U, hasUser as V, print as W, SessionRegistry as X, SdkError as Y, cleanWorkspaces as Z, runMigrations as _, COMMAND_VERSION as a, checkClientConfig as b, promptMissingFields as c, onboardCheck as d, onboardCreate as f, migrateLocalAgentDirs as g, createApiNameResolver as h, startServer as i, isServiceSupported as j, getClientServiceStatus as k, formatCheckReport as l, runHomeMigration as m, declineUpdate as n, isInteractive as o, saveOnboardState as p, ClientOrgMismatchError$1 as q, promptUpdate as r, promptAddAgent as s, createExecuteUpdate as t, loadOnboardState as u, checkAgentConfigs as v, checkServerConfig as w, checkDatabase as x, checkBackgroundService as y, rotateClientIdWithBackup as z };
+//#region src/commands/saas-connect.ts
+/**
+* @internal
+* Decode a JWT payload without verifying its signature. Used only by the
+* CLI's account-switch prompt and the URL-derivation helper below. Not
+* re-exported from `packages/command/src/index.ts` — external consumers
+* should call `deriveHubUrlFromToken` instead.
+*/
+function decodeJwtPayload(token) {
+	try {
+		const parts = token.split(".");
+		if (parts.length !== 3 || !parts[1]) return null;
+		const raw = Buffer.from(parts[1], "base64url").toString();
+		const obj = JSON.parse(raw);
+		if (typeof obj !== "object" || obj === null) return null;
+		return obj;
+	} catch {
+		return null;
+	}
+}
+var HubUrlDerivationError = class extends Error {
+	constructor(code, message) {
+		super(message);
+		this.code = code;
+		this.name = "HubUrlDerivationError";
+	}
+};
+/**
+* Derive the hub URL from a connect token's `iss` claim. Throws
+* `HubUrlDerivationError` when the claim is missing or malformed — we
+* *never* fall back to a default URL because that would let a stale
+* connect token from one environment silently re-target another (prod →
+* staging foot-gun).
+*
+* The action handler maps the thrown error to a `fail()` exit so this
+* function stays unit-testable without spawning a subprocess.
+*/
+function deriveHubUrlFromToken(token) {
+	const payload = decodeJwtPayload(token);
+	if (!payload) throw new HubUrlDerivationError("INVALID_TOKEN", "Connect token is not a valid JWT. Generate a new one from your Hub web console.");
+	const iss = payload.iss;
+	if (typeof iss !== "string" || iss.length === 0) throw new HubUrlDerivationError("TOKEN_MISSING_ISS", "Connect token does not carry an issuer (`iss` claim). Generate a new token from a Hub running v0.10+.");
+	if (!/^https?:\/\//i.test(iss)) throw new HubUrlDerivationError("TOKEN_BAD_ISS", `Connect token issuer "${iss}" is not an http(s) URL. Generate a new token.`);
+	return iss.replace(/\/+$/, "");
+}
+async function promptReplaceOrCancel(newMemberId) {
+	const existing = loadCredentials();
+	if (!existing) return "proceed";
+	const existingPayload = decodeJwtPayload(existing.accessToken);
+	const existingMemberId = typeof existingPayload?.memberId === "string" ? existingPayload.memberId : null;
+	if (existingMemberId && existingMemberId === newMemberId) return "proceed";
+	const existingMember = existingMemberId ? `member ${existingMemberId.slice(0, 8)}` : "unknown account";
+	const serviceStatus = getClientServiceStatus();
+	const serviceLine = serviceStatus.state === "active" ? `running (${serviceStatus.detail ?? "live"})` : serviceStatus.state === "inactive" ? `installed but not running${serviceStatus.detail ? ` — ${serviceStatus.detail}` : ""}` : "not installed";
+	print.line("\n  ⚠️  This computer is already connected under another account.\n\n");
+	print.line(`       Existing account:  ${existingMember}\n`);
+	print.line(`       Server:            ${existing.serverUrl}\n`);
+	print.line(`       Background service: ${serviceLine}\n\n`);
+	print.line("     Replacing only affects THIS computer. Server-side data is untouched.\n\n");
+	return await select({
+		message: "How would you like to continue?",
+		choices: [{
+			name: "Replace — log out the other account and set up this one",
+			value: "replace"
+		}, {
+			name: "Cancel  — keep the existing setup",
+			value: "cancel"
+		}]
+	}) === "replace" ? "proceed" : "cancel";
+}
+async function exchangeToken(url, token) {
+	const res = await fetch(`${url}/api/v1/auth/connect-token`, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify({ token }),
+		signal: AbortSignal.timeout(1e4)
+	});
+	if (!res.ok) fail("AUTH_ERROR", (await res.json().catch(() => ({}))).error ?? `Token exchange failed (HTTP ${res.status})`, 1);
+	return await res.json();
+}
+/**
+* Top-level `first-tree-hub connect <token>`. Single positional, no flags,
+* no env-var override — the connect token's `iss` claim carries the hub
+* URL so prod / staging / local environments are tagged at issuance and
+* the operator can never accidentally cross-target.
+*/
+function registerSaaSConnectCommand(program) {
+	program.command("connect <token>").description("Connect this computer to the Hub using a token from the web console").option("--no-service", "Skip background service install (runs inline until Ctrl+C)").action(async (token, options) => {
+		try {
+			let url;
+			try {
+				url = deriveHubUrlFromToken(token);
+			} catch (err) {
+				if (err instanceof HubUrlDerivationError) fail(err.code, err.message, 1);
+				throw err;
+			}
+			const payload = decodeJwtPayload(token);
+			const newMemberId = typeof payload?.memberId === "string" ? payload.memberId : null;
+			if (newMemberId) {
+				if (await promptReplaceOrCancel(newMemberId) === "cancel") {
+					print.line("\n  Cancelled. Existing setup untouched.\n");
+					return;
+				}
+			}
+			const tokens = await exchangeToken(url, token);
+			setConfigValue(join(DEFAULT_CONFIG_DIR, "client.yaml"), "server.url", url);
+			print.line(`\n  ✓ Hub: ${url}\n`);
+			saveCredentials({
+				...tokens,
+				serverUrl: url
+			});
+			print.line("  ✓ Authenticated\n");
+			resetConfig();
+			resetConfigMeta();
+			const config = await initConfig({
+				schema: clientConfigSchema,
+				role: "client"
+			});
+			print.line(`  ✓ Computer registered (id: ${config.client.id})\n`);
+			if (options.service !== false && isServiceSupported()) {
+				const info = installClientService();
+				print.line(`  ✓ Background service installed (${info.platform}) — you may close this terminal.\n`);
+				print.line(`    Logs: ${info.logDir}\n\n`);
+				return;
+			}
+			if (options.service === false) print.line("  (--no-service) running inline — Ctrl+C to stop\n");
+			else print.line(`  Background service not supported on ${process.platform}; running inline.\n`);
+			const agentsDir = join(DEFAULT_CONFIG_DIR, "agents");
+			try {
+				await migrateLocalAgentDirs({
+					agentsDir,
+					workspacesDir: join(DEFAULT_DATA_DIR$1, "workspaces"),
+					sessionsDir: join(DEFAULT_DATA_DIR$1, "sessions"),
+					resolver: createApiNameResolver(config.server.url, () => ensureFreshAccessToken())
+				});
+			} catch (err) {
+				const msg = err instanceof Error ? err.message : String(err);
+				print.status("⚠️", `agent-dir migration skipped: ${msg}`);
+			}
+			const agents = loadAgents({
+				schema: agentConfigSchema,
+				agentsDir
+			});
+			const runtime = new ClientRuntime(config.server.url, config.client.id, {
+				currentVersion: COMMAND_VERSION,
+				update: {
+					updateConfig: config.update,
+					prompt: promptUpdate,
+					executeUpdate: createExecuteUpdate({ managed: false })
+				}
+			});
+			for (const [name, agentConfig] of agents) runtime.addAgent(name, agentConfig);
+			await runtime.start();
+			runtime.watchAgentsDir(agentsDir);
+			const shutdown = async () => {
+				print.line("\n  Shutting down...\n");
+				runtime.unwatchAgentsDir();
+				await runtime.stop();
+				process.exit(0);
+			};
+			process.on("SIGINT", () => void shutdown());
+			process.on("SIGTERM", () => void shutdown());
+			await new Promise(() => {});
+		} catch (error) {
+			if (error.name === "ExitPromptError") {
+				print.line("\n  Cancelled.\n");
+				return;
+			}
+			if (error instanceof ClientOrgMismatchError) await handleClientOrgMismatch(error, {
+				managed: false,
+				configDir: DEFAULT_CONFIG_DIR,
+				rerunCommand: "first-tree-hub connect <token>"
+			});
+			const msg = error instanceof Error ? error.message : String(error);
+			print.line(`  Error: ${msg}\n`);
+			process.exit(1);
+		} finally {
+			resetConfig();
+			resetConfigMeta();
+		}
+	});
+}
+//#endregion
+export { FirstTreeHubSDK as $, checkWebSocket as A, ClientRuntime as B, checkClientConfig as C, checkServerConfig as D, checkNodeVersion as E, resolveCliInvocation as F, resolveReplyToFromEnv as G, rotateClientIdWithBackup as H, uninstallClientService as I, blank as J, fail as K, ensurePostgres as L, getClientServiceStatus as M, installClientService as N, checkServerHealth as O, isServiceSupported as P, ClientOrgMismatchError as Q, isDockerAvailable as R, checkBackgroundService as S, checkDocker as T, createOwner as U, handleClientOrgMismatch as V, hasUser as W, setJsonMode as X, print as Y, status as Z, runHomeMigration as _, declineUpdate as a, runMigrations as b, COMMAND_VERSION as c, promptMissingFields as d, SdkError as et, formatCheckReport as f, saveOnboardState as g, onboardCreate as h, createExecuteUpdate as i, configureClientLoggerForService as it, printResults as j, checkServerReachable as k, isInteractive as l, onboardCheck as m, deriveHubUrlFromToken as n, cleanWorkspaces as nt, promptUpdate as o, loadOnboardState as p, success as q, registerSaaSConnectCommand as r, applyClientLoggerConfig as rt, startServer as s, HubUrlDerivationError as t, SessionRegistry as tt, promptAddAgent as u, createApiNameResolver as v, checkDatabase as w, checkAgentConfigs as x, migrateLocalAgentDirs as y, stopPostgres as z };