@agent-team-foundation/first-tree-hub 0.10.1 → 0.10.2

package/dist/invitation-C_zAhB8x-8Khychlu.mjs

@@ -0,0 +1,258 @@
+import { randomBytes } from "node:crypto";
+import { and, desc, eq, gt, isNull, or } from "drizzle-orm";
+import { index, integer, jsonb, pgTable, text, timestamp } from "drizzle-orm/pg-core";
+//#region ../server/dist/invitation-C_zAhB8x.mjs
+/** Organization entity. Agents and chats belong to exactly one organization. */
+const organizations = pgTable("organizations", {
+	id: text("id").primaryKey(),
+	name: text("name").unique().notNull(),
+	displayName: text("display_name").notNull(),
+	maxAgents: integer("max_agents").notNull().default(0),
+	maxMessagesPerMinute: integer("max_messages_per_minute").notNull().default(0),
+	features: jsonb("features").$type().notNull().default({}),
+	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
+	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow()
+});
+/** User accounts. Passwords are stored as bcrypt hashes. */
+const users = pgTable("users", {
+	id: text("id").primaryKey(),
+	username: text("username").unique().notNull(),
+	passwordHash: text("password_hash").notNull(),
+	displayName: text("display_name").notNull(),
+	avatarUrl: text("avatar_url"),
+	status: text("status").notNull().default("active"),
+	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
+	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow()
+});
+var AppError = class extends Error {
+	constructor(statusCode, message) {
+		super(message);
+		this.statusCode = statusCode;
+		this.name = "AppError";
+	}
+};
+var NotFoundError = class extends AppError {
+	constructor(message = "Not found") {
+		super(404, message);
+		this.name = "NotFoundError";
+	}
+};
+var UnauthorizedError = class extends AppError {
+	constructor(message = "Unauthorized") {
+		super(401, message);
+		this.name = "UnauthorizedError";
+	}
+};
+var ForbiddenError = class extends AppError {
+	constructor(message = "Forbidden") {
+		super(403, message);
+		this.name = "ForbiddenError";
+	}
+};
+var ConflictError = class extends AppError {
+	constructor(message = "Conflict") {
+		super(409, message);
+		this.name = "ConflictError";
+	}
+};
+var BadRequestError = class extends AppError {
+	constructor(message = "Bad request") {
+		super(400, message);
+		this.name = "BadRequestError";
+	}
+};
+/**
+* Thrown when an operation targets a client whose organization does not match
+* the caller's authenticated organization. A client is bound to exactly one
+* org for its lifetime; re-registering or operating under a different org's
+* credentials is refused. CLI consumers recognize the `code` field and
+* respond by abandoning the local clientId to register a fresh one.
+*/
+var ClientOrgMismatchError = class extends AppError {
+	code = "CLIENT_ORG_MISMATCH";
+	constructor(message = "Client belongs to a different organization") {
+		super(403, message);
+		this.name = "ClientOrgMismatchError";
+	}
+};
+/** Generate a UUID v7 (time-ordered). No external dependency. */
+function uuidv7() {
+	const now = BigInt(Date.now());
+	const bytes = new Uint8Array(16);
+	bytes[0] = Number(now >> 40n & 255n);
+	bytes[1] = Number(now >> 32n & 255n);
+	bytes[2] = Number(now >> 24n & 255n);
+	bytes[3] = Number(now >> 16n & 255n);
+	bytes[4] = Number(now >> 8n & 255n);
+	bytes[5] = Number(now & 255n);
+	const rand = randomBytes(10);
+	for (let i = 0; i < 10; i++) {
+		const b = rand[i];
+		if (b !== void 0) bytes[6 + i] = b;
+	}
+	bytes[6] = (bytes[6] ?? 0) & 15 | 112;
+	bytes[8] = (bytes[8] ?? 0) & 63 | 128;
+	const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+	return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
+}
+/**
+* Org-level invitation links. v1 enforces "one active link per org" via a
+* partial UNIQUE index added in the SQL migration (Drizzle's TS DSL does not
+* yet model partial uniques). Rotating a link sets `revoked_at` on the prior
+* row and inserts a new one in the same transaction; revoked rows stay for
+* audit but no longer satisfy the partial uniqueness predicate.
+*
+* `role` is fixed to `'member'` by the v1 API but stored on the row so a
+* future "invite as admin" feature is a route change, not a schema change.
+*
+* `expires_at` is left unset by the v1 rotate flow — invite links don't
+* auto-expire. The column exists so an admin can opt into expiry later (and
+* the partial unique predicate already filters on it).
+*/
+const invitations = pgTable("invitations", {
+	id: text("id").primaryKey(),
+	organizationId: text("organization_id").notNull().references(() => organizations.id, { onDelete: "cascade" }),
+	token: text("token").notNull().unique(),
+	role: text("role").notNull().default("member"),
+	expiresAt: timestamp("expires_at", { withTimezone: true }),
+	revokedAt: timestamp("revoked_at", { withTimezone: true }),
+	createdBy: text("created_by").notNull().references(() => users.id),
+	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow()
+}, (table) => [index("idx_invitations_token").on(table.token), index("idx_invitations_org").on(table.organizationId)]);
+/** Audit row for every successful redemption — v1 admins inspect via DB. */
+const invitationRedemptions = pgTable("invitation_redemptions", {
+	id: text("id").primaryKey(),
+	invitationId: text("invitation_id").notNull().references(() => invitations.id, { onDelete: "cascade" }),
+	userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+	redeemedAt: timestamp("redeemed_at", { withTimezone: true }).notNull().defaultNow(),
+	ip: text("ip"),
+	userAgent: text("user_agent")
+}, (table) => [index("idx_invitation_redemptions_invitation").on(table.invitationId), index("idx_invitation_redemptions_user").on(table.userId)]);
+const TOKEN_BYTES = 32;
+/**
+* Default invite-link TTL — authoritative server-side value. Tightening
+* "anyone with this link can join" to a bounded window is the primary
+* mitigation for accidental link leakage (admin pasting into a public
+* Slack channel, forwarded email chains, screen-share captures, etc).
+* 7 days mirrors what GitHub and Vercel default to; longer windows put
+* more leak surface on the same token. Admins extend by clicking Rotate
+* (which mints a fresh 7-day link in one transaction).
+*
+* The mirror constant in `@…shared/schemas/invitation.ts` exists so the
+* web UI can render "expires in 7 days" copy without an extra round-trip.
+*/
+const INVITATION_DEFAULT_TTL_MS = 10080 * 60 * 1e3;
+function generateInvitationToken() {
+	return randomBytes(TOKEN_BYTES).toString("base64url");
+}
+function defaultExpiry() {
+	return new Date(Date.now() + INVITATION_DEFAULT_TTL_MS);
+}
+/**
+* Return the *active* invitation for `orgId`, or null if none exists.
+* "Active" = not revoked AND not expired.
+*
+* Mirrors the predicate of the partial UNIQUE index `uq_invitations_active_per_org`,
+* so a successful `getActiveInvitation` is the same row the index protects.
+*/
+async function getActiveInvitation(db, orgId) {
+	const now = /* @__PURE__ */ new Date();
+	const [row] = await db.select().from(invitations).where(and(eq(invitations.organizationId, orgId), isNull(invitations.revokedAt), or(isNull(invitations.expiresAt), gt(invitations.expiresAt, now)))).orderBy(desc(invitations.createdAt)).limit(1);
+	return row ?? null;
+}
+/**
+* Get-or-create the active invitation for `orgId`. Idempotent so the admin
+* UI can call this on first render without inadvertently creating a fresh
+* link every time someone visits Settings.
+*
+* "Active" is filtered by `getActiveInvitation` (revoked_at IS NULL AND
+* not expired). When no active row exists we delegate to `rotateInvitation`
+* — that path correctly handles the case where a prior row exists but
+* has expired (`revoked_at IS NULL` but `expires_at < now()`). A naked
+* INSERT here would trip `uq_invitations_active_per_org` (the partial
+* unique index can't filter on `now()`, so it considers expired-but-not-
+* revoked rows as still occupying the slot).
+*/
+async function ensureActiveInvitation(db, orgId, createdBy) {
+	const existing = await getActiveInvitation(db, orgId);
+	if (existing) return existing;
+	return rotateInvitation(db, orgId, createdBy);
+}
+/**
+* Rotate the invitation: revoke every non-revoked row for this org (the
+* current active link AND any expired-but-not-revoked stragglers) and
+* insert a fresh one in a single transaction. Old tokens stop redeeming
+* immediately. The new row carries a default 7-day expiry; admin extends
+* by rotating again.
+*/
+async function rotateInvitation(db, orgId, createdBy) {
+	return db.transaction(async (tx) => {
+		const now = /* @__PURE__ */ new Date();
+		await tx.update(invitations).set({ revokedAt: now }).where(and(eq(invitations.organizationId, orgId), isNull(invitations.revokedAt)));
+		const id = uuidv7();
+		const token = generateInvitationToken();
+		const [row] = await tx.insert(invitations).values({
+			id,
+			organizationId: orgId,
+			token,
+			role: "member",
+			createdBy,
+			expiresAt: defaultExpiry()
+		}).returning();
+		if (!row) throw new Error("Unexpected: INSERT RETURNING produced no row");
+		return row;
+	});
+}
+/**
+* Look up an invitation by its public token. Returns null when the token
+* is unknown OR when the row exists but is no longer active. Conflating
+* "unknown" with "revoked" prevents an attacker from inferring which
+* tokens were once valid.
+*/
+async function findActiveByToken(db, token) {
+	const now = /* @__PURE__ */ new Date();
+	const [row] = await db.select().from(invitations).where(and(eq(invitations.token, token), isNull(invitations.revokedAt), or(isNull(invitations.expiresAt), gt(invitations.expiresAt, now)))).limit(1);
+	return row ?? null;
+}
+/**
+* Public preview surfaced on `/invite/:token` before the recipient signs in.
+*/
+async function previewInvitation(db, token) {
+	const inv = await findActiveByToken(db, token);
+	if (!inv) throw new NotFoundError("Invitation not found or no longer valid");
+	const [org] = await db.select({
+		id: organizations.id,
+		name: organizations.name,
+		displayName: organizations.displayName
+	}).from(organizations).where(eq(organizations.id, inv.organizationId)).limit(1);
+	if (!org) throw new NotFoundError("Invitation organization not found");
+	return {
+		organizationId: org.id,
+		organizationName: org.name,
+		organizationDisplayName: org.displayName,
+		role: inv.role
+	};
+}
+/**
+* Record a redemption row. Caller is responsible for executing the join
+* (members.insert / status='active' flip) — this is the audit trail only.
+*/
+async function recordRedemption(db, data) {
+	await db.insert(invitationRedemptions).values({
+		id: uuidv7(),
+		invitationId: data.invitationId,
+		userId: data.userId,
+		ip: data.ip ?? null,
+		userAgent: data.userAgent ?? null
+	});
+}
+/**
+* Build the invite URL surfaced to admins. `publicUrl` should be the
+* server's `server.publicUrl` config; pass the request host as fallback in
+* dev where publicUrl may be unset.
+*/
+function buildInviteUrl(publicUrl, token) {
+	return `${publicUrl.replace(/\/+$/, "")}/invite/${token}`;
+}
+//#endregion
+export { rotateInvitation as _, ForbiddenError as a, buildInviteUrl as c, getActiveInvitation as d, invitationRedemptions as f, recordRedemption as g, previewInvitation as h, ConflictError as i, ensureActiveInvitation as l, organizations as m, BadRequestError as n, NotFoundError as o, invitations as p, ClientOrgMismatchError as r, UnauthorizedError as s, AppError as t, findActiveByToken as u, users as v, uuidv7 as y };

package/dist/{observability-DDkJwSKv.mjs → observability-C08jUFsJ.mjs}

@@ -1,4 +1,4 @@
 import "./esm-CYu4tXXn.mjs";
-import { m as shutdownTelemetry, s as initTelemetry } from "./observability-DV_fQKqV-oxfXX6Z2.mjs";
+import { m as shutdownTelemetry, s as initTelemetry } from "./observability-DPyf745N-BSc8QNcR.mjs";
 import "./logger-core-BTmvdflj-DjW8FM4T.mjs";
 export { initTelemetry, shutdownTelemetry };

package/dist/{observability-DV_fQKqV-oxfXX6Z2.mjs → observability-DPyf745N-BSc8QNcR.mjs}

@@ -28384,19 +28384,19 @@ var require_getMachineId = /* @__PURE__ */ __commonJSMin(((exports) => {
 	async function getMachineId() {
 		if (!getMachineIdImpl) switch (process$1.platform) {
 			case "darwin":
-				getMachineIdImpl = (await import("./getMachineId-darwin-DAYWNsYK.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
+				getMachineIdImpl = (await import("./getMachineId-darwin-DOoYFb2_.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
 				break;
 			case "linux":
-				getMachineIdImpl = (await import("./getMachineId-linux-BU7Fi6S0.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
+				getMachineIdImpl = (await import("./getMachineId-linux-MlY63Zsw.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
 				break;
 			case "freebsd":
-				getMachineIdImpl = (await import("./getMachineId-bsd-BB-fnFLA.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
+				getMachineIdImpl = (await import("./getMachineId-bsd-D0w3uAZa.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
 				break;
 			case "win32":
-				getMachineIdImpl = (await import("./getMachineId-win-H5RT49ov.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
+				getMachineIdImpl = (await import("./getMachineId-win-B6hY8edq.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
 				break;
 			default:
-				getMachineIdImpl = (await import("./getMachineId-unsupported-BhWCxKBo.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
+				getMachineIdImpl = (await import("./getMachineId-unsupported-BS652RIy.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
 				break;
 		}
 		return getMachineIdImpl();
@@ -33467,7 +33467,7 @@ var require_src = /* @__PURE__ */ __commonJSMin(((exports) => {
 	});
 }));
 //#endregion
-//#region ../server/dist/observability-DV_fQKqV.mjs
+//#region ../server/dist/observability-DPyf745N.mjs
 var import_pino = /* @__PURE__ */ __toESM(require_pino(), 1);
 var import_otel = /* @__PURE__ */ __toESM(require_otel(), 1);
 init_esm$2();