npm - @agent-team-foundation/first-tree-hub - Versions diffs - 0.10.1 → 0.10.3 - Mend

@agent-team-foundation/first-tree-hub 0.10.1 → 0.10.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/dist/drizzle/0026_saas_onboarding.sql ADDED Viewed

@@ -0,0 +1,153 @@
+-- SaaS onboarding milestone — adds the data-model surface needed for
+-- public GitHub-OAuth signup, per-org invitation links, and "leave team"
+-- soft-delete. See proposals/hub-saas-onboarding.20260428.md for the full
+-- design contract.
+--
+-- Three independent additions, no destructive changes to existing tables:
+--
+--   1. `auth_identities` — third-party / local auth identities for a user.
+--      Models the "how does this user prove who they are" boundary.
+--      `(provider, identifier)` is globally unique. v1 stores the credential
+--      payload (password hash, webauthn pubkey) on the same row;
+--      v2 splits it into `auth_credentials` if multi-factor is needed
+--      (the migration is sketched in the schema file's header comment).
+--
+--   2. `invitations` + `invitation_redemptions` — org-level share links.
+--      The "one active link per org" rule is enforced by a partial UNIQUE
+--      index (Drizzle's TS DSL doesn't model partial uniques yet, so we
+--      add it directly here). Rotation = revoke prior + insert new in a
+--      single transaction. Redemptions are recorded for audit.
+--
+--   3. `members.status` — "active" | "left" soft-delete marker for the
+--      "leave team" flow. Existing rows backfill to "active" via the
+--      column DEFAULT. The auth middleware rejects tokens that resolve to
+--      a "left" member; join-by-invite flips a "left" row back to "active".
+--
+-- All three changes are append-only (new tables + new column with DEFAULT).
+-- ALTER TABLE on `members` takes a brief ACCESS EXCLUSIVE lock, which is
+-- safe on a v1 SaaS members table (small) but should be benchmarked on a
+-- large multi-tenant install before rolling.
+--
+-- See 0020_unified_user_token.sql header for why this file does NOT wrap in
+-- BEGIN;/COMMIT; — Drizzle migrator already runs every pending migration
+-- inside a single outer transaction.
+-- ---------------------------------------------------------------------------
+-- 1. auth_identities
+-- ---------------------------------------------------------------------------
+CREATE TABLE IF NOT EXISTS "auth_identities" (
+	"id"                  text PRIMARY KEY NOT NULL,
+	"user_id"             text NOT NULL,
+	"provider"            text NOT NULL,
+	"identifier"          text NOT NULL,
+	"email"               text,
+	"verified_at"         timestamp with time zone,
+	"credential_type"     text,
+	"credential_payload"  jsonb,
+	"metadata"            jsonb DEFAULT '{}'::jsonb NOT NULL,
+	"created_at"          timestamp with time zone DEFAULT now() NOT NULL,
+	"updated_at"          timestamp with time zone DEFAULT now() NOT NULL,
+	CONSTRAINT "uq_auth_identities_provider_identifier" UNIQUE ("provider", "identifier")
+);
+--> statement-breakpoint
+ALTER TABLE "auth_identities"
+	ADD CONSTRAINT "auth_identities_user_id_users_id_fk"
+	FOREIGN KEY ("user_id") REFERENCES "users"("id")
+	ON DELETE cascade ON UPDATE no action;
+--> statement-breakpoint
+CREATE INDEX IF NOT EXISTS "idx_auth_identities_user" ON "auth_identities" ("user_id");
+--> statement-breakpoint
+CREATE INDEX IF NOT EXISTS "idx_auth_identities_email" ON "auth_identities" ("email");
+-- ---------------------------------------------------------------------------
+-- 2. invitations + invitation_redemptions
+-- ---------------------------------------------------------------------------
+--> statement-breakpoint
+CREATE TABLE IF NOT EXISTS "invitations" (
+	"id"               text PRIMARY KEY NOT NULL,
+	"organization_id"  text NOT NULL,
+	"token"            text NOT NULL UNIQUE,
+	"role"             text DEFAULT 'member' NOT NULL,
+	"expires_at"       timestamp with time zone,
+	"revoked_at"       timestamp with time zone,
+	"created_by"       text NOT NULL,
+	"created_at"       timestamp with time zone DEFAULT now() NOT NULL
+);
+--> statement-breakpoint
+ALTER TABLE "invitations"
+	ADD CONSTRAINT "invitations_organization_id_organizations_id_fk"
+	FOREIGN KEY ("organization_id") REFERENCES "organizations"("id")
+	ON DELETE cascade ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "invitations"
+	ADD CONSTRAINT "invitations_created_by_users_id_fk"
+	FOREIGN KEY ("created_by") REFERENCES "users"("id")
+	ON DELETE no action ON UPDATE no action;
+--> statement-breakpoint
+CREATE INDEX IF NOT EXISTS "idx_invitations_token" ON "invitations" ("token");
+--> statement-breakpoint
+CREATE INDEX IF NOT EXISTS "idx_invitations_org" ON "invitations" ("organization_id");
+--> statement-breakpoint
+-- v1 enforced rule: each org may have at most one non-revoked invitation.
+-- The predicate is intentionally `revoked_at IS NULL` only — Postgres rejects
+-- `now()` in an index predicate (must be IMMUTABLE), and conflating "expired"
+-- with "no longer the active link" matches the v1 service contract anyway.
+-- The runtime "is this still usable" filter (which DOES check `expires_at`)
+-- lives in services/invitation.ts. Future "multiple links per org" relaxes by
+-- dropping this index.
+CREATE UNIQUE INDEX IF NOT EXISTS "uq_invitations_active_per_org"
+	ON "invitations" ("organization_id")
+	WHERE "revoked_at" IS NULL;
+--> statement-breakpoint
+CREATE TABLE IF NOT EXISTS "invitation_redemptions" (
+	"id"             text PRIMARY KEY NOT NULL,
+	"invitation_id"  text NOT NULL,
+	"user_id"        text NOT NULL,
+	"redeemed_at"    timestamp with time zone DEFAULT now() NOT NULL,
+	"ip"             text,
+	"user_agent"     text
+);
+--> statement-breakpoint
+ALTER TABLE "invitation_redemptions"
+	ADD CONSTRAINT "invitation_redemptions_invitation_id_invitations_id_fk"
+	FOREIGN KEY ("invitation_id") REFERENCES "invitations"("id")
+	ON DELETE cascade ON UPDATE no action;
+--> statement-breakpoint
+ALTER TABLE "invitation_redemptions"
+	ADD CONSTRAINT "invitation_redemptions_user_id_users_id_fk"
+	FOREIGN KEY ("user_id") REFERENCES "users"("id")
+	ON DELETE cascade ON UPDATE no action;
+--> statement-breakpoint
+CREATE INDEX IF NOT EXISTS "idx_invitation_redemptions_invitation"
+	ON "invitation_redemptions" ("invitation_id");
+--> statement-breakpoint
+CREATE INDEX IF NOT EXISTS "idx_invitation_redemptions_user"
+	ON "invitation_redemptions" ("user_id");
+-- ---------------------------------------------------------------------------
+-- 3. members.status — soft-delete marker for "leave team"
+-- ---------------------------------------------------------------------------
+--
+-- No partial index on `status='active'` is created in v1. Filter sites are:
+--   - middleware/member-auth.ts: lookup by members.id (already PK-indexed)
+--   - services/auth.ts (password login): WHERE user_id = ? AND status='active'
+--   - services/membership.ts (listActiveMemberships): same filter
+-- The existing `idx_members_user (user_id)` already collapses each user's
+-- members rows to ~1-5 typical, so the in-page status check is essentially
+-- free at the v1 SaaS scale (low six-digit users × low single-digit teams).
+-- A partial unique-eligible index becomes worth adding when:
+--   - members > ~100k rows AND
+--   - average rows-per-user > ~50
+-- whichever comes first. At that point the migration is a single
+-- `CREATE INDEX CONCURRENTLY ... WHERE status='active'`.
+--> statement-breakpoint
+ALTER TABLE "members"
+	ADD COLUMN IF NOT EXISTS "status" text DEFAULT 'active' NOT NULL;

package/dist/drizzle/0027_runtime_provider.sql ADDED Viewed

@@ -0,0 +1,10 @@
+-- Add runtime_provider to agents.
+--
+-- Tags each agent with the runtime that drives it (e.g. "claude-code", "codex").
+-- DEFAULT 'claude-code' backfills every existing row so the NOT NULL constraint
+-- is safe to land in a single step. Hub deploys are stop-migrate-restart, not
+-- rolling, so we don't need a two-phase add (nullable → backfill → not null).
+--
+-- Capabilities reporting reuses the existing `clients.metadata` jsonb column
+-- under the `capabilities` subkey (Option C); no SQL change for clients.
+ALTER TABLE "agents" ADD COLUMN "runtime_provider" text DEFAULT 'claude-code' NOT NULL;

package/dist/drizzle/0028_auth_identity_user_github_unique.sql ADDED Viewed

@@ -0,0 +1,12 @@
+-- Partial unique index: each user can hold at most one github identity.
+--
+-- Defense-in-depth. The (provider, identifier) UNIQUE catches duplicates
+-- of the SAME githubId, but does not stop a single user from collecting
+-- multiple DIFFERENT githubIds (e.g. a future "merge accounts" or
+-- "rebind" flow that misfires, or a one-off SQL migration that errs).
+-- This index makes any such double-bind fail atomically with a
+-- unique-violation at the storage layer.
+CREATE UNIQUE INDEX IF NOT EXISTS "uq_auth_identities_user_github"
+  ON "auth_identities" ("user_id")
+  WHERE "provider" = 'github';

package/dist/drizzle/meta/_journal.json CHANGED Viewed

@@ -183,6 +183,27 @@
       "when": 1777420800000,
       "tag": "0025_inbox_silent_entries",
       "breakpoints": true
+    },
+    {
+      "idx": 26,
+      "version": "7",
+      "when": 1777507200000,
+      "tag": "0026_saas_onboarding",
+      "breakpoints": true
+    },
+    {
+      "idx": 27,
+      "version": "7",
+      "when": 1777593600000,
+      "tag": "0027_runtime_provider",
+      "breakpoints": true
+    },
+    {
+      "idx": 28,
+      "version": "7",
+      "when": 1777680000000,
+      "tag": "0028_auth_identity_user_github_unique",
+      "breakpoints": true
     }
   ]
 }

package/dist/feishu-Boy3n8CT.mjs ADDED Viewed

@@ -0,0 +1,52 @@
+import { d as __exportAll } from "./esm-CYu4tXXn.mjs";
+import { r as AGENT_SELECTOR_HEADER } from "./dist-DUCelK3Z.mjs";
+//#region src/core/feishu.ts
+var feishu_exports = /* @__PURE__ */ __exportAll({
+	bindFeishuBot: () => bindFeishuBot,
+	bindFeishuUser: () => bindFeishuUser
+});
+/**
+* Feishu-related core operations: bind-bot, bind-user.
+*
+* All agent-scoped calls carry both the member access JWT (Authorization)
+* and the acting agent UUID (X-Agent-Id); the server's agent-selector
+* middleware enforces Rule R-RUN.
+*/
+async function bindFeishuBot(serverUrl, accessToken, agentId, appId, appSecret) {
+	const res = await fetch(`${serverUrl}/api/v1/agent/me/feishu-bot`, {
+		method: "PUT",
+		headers: {
+			Authorization: `Bearer ${accessToken}`,
+			[AGENT_SELECTOR_HEADER]: agentId,
+			"Content-Type": "application/json"
+		},
+		body: JSON.stringify({
+			appId,
+			appSecret
+		})
+	});
+	if (!res.ok) {
+		const body = await res.json().catch(() => ({}));
+		throw new Error(body.error ?? `Bind Feishu bot failed: HTTP ${res.status}`);
+	}
+}
+async function bindFeishuUser(serverUrl, accessToken, agentId, humanAgentId, feishuUserId, displayName) {
+	const res = await fetch(`${serverUrl}/api/v1/agent/delegated/${encodeURIComponent(humanAgentId)}/feishu-user`, {
+		method: "POST",
+		headers: {
+			Authorization: `Bearer ${accessToken}`,
+			[AGENT_SELECTOR_HEADER]: agentId,
+			"Content-Type": "application/json"
+		},
+		body: JSON.stringify({
+			feishuUserId,
+			displayName
+		})
+	});
+	if (!res.ok) {
+		const body = await res.json().catch(() => ({}));
+		throw new Error(body.error ?? `Bind Feishu user failed: HTTP ${res.status}`);
+	}
+}
+//#endregion
+export { bindFeishuUser as n, feishu_exports as r, bindFeishuBot as t };

package/dist/{getMachineId-bsd-BB-fnFLA.mjs → getMachineId-bsd-D0w3uAZa.mjs} RENAMED Viewed

@@ -1,5 +1,5 @@
 import { f as __require, l as __commonJSMin, n as init_esm, p as __toCommonJS, t as esm_exports } from "./esm-CYu4tXXn.mjs";
-import { t as require_execAsync } from "./execAsync-CP8iWV5b.mjs";
+import { t as require_execAsync } from "./execAsync-XMc-nFn-.mjs";
 //#region ../../node_modules/.pnpm/@opentelemetry+resources@2.7.0_@opentelemetry+api@1.9.1/node_modules/@opentelemetry/resources/build/src/detectors/platform/node/machine-id/getMachineId-bsd.js
 var require_getMachineId_bsd = /* @__PURE__ */ __commonJSMin(((exports) => {
 	Object.defineProperty(exports, "__esModule", { value: true });

package/dist/{getMachineId-darwin-DAYWNsYK.mjs → getMachineId-darwin-DOoYFb2_.mjs} RENAMED Viewed

@@ -1,5 +1,5 @@
 import { l as __commonJSMin, n as init_esm, p as __toCommonJS, t as esm_exports } from "./esm-CYu4tXXn.mjs";
-import { t as require_execAsync } from "./execAsync-CP8iWV5b.mjs";
+import { t as require_execAsync } from "./execAsync-XMc-nFn-.mjs";
 //#region ../../node_modules/.pnpm/@opentelemetry+resources@2.7.0_@opentelemetry+api@1.9.1/node_modules/@opentelemetry/resources/build/src/detectors/platform/node/machine-id/getMachineId-darwin.js
 var require_getMachineId_darwin = /* @__PURE__ */ __commonJSMin(((exports) => {
 	Object.defineProperty(exports, "__esModule", { value: true });

package/dist/{getMachineId-win-H5RT49ov.mjs → getMachineId-win-B6hY8edq.mjs} RENAMED Viewed

@@ -1,5 +1,5 @@
 import { f as __require, l as __commonJSMin, n as init_esm, p as __toCommonJS, t as esm_exports } from "./esm-CYu4tXXn.mjs";
-import { t as require_execAsync } from "./execAsync-CP8iWV5b.mjs";
+import { t as require_execAsync } from "./execAsync-XMc-nFn-.mjs";
 //#region ../../node_modules/.pnpm/@opentelemetry+resources@2.7.0_@opentelemetry+api@1.9.1/node_modules/@opentelemetry/resources/build/src/detectors/platform/node/machine-id/getMachineId-win.js
 var require_getMachineId_win = /* @__PURE__ */ __commonJSMin(((exports) => {
 	Object.defineProperty(exports, "__esModule", { value: true });

package/dist/index.mjs CHANGED Viewed

@@ -1,6 +1,8 @@
-import "./observability-DV_fQKqV-oxfXX6Z2.mjs";
-import { A as installClientService, B as createOwner, C as checkNodeVersion, D as checkWebSocket, E as checkServerReachable, F as isDockerAvailable, I as stopPostgres, J as FirstTreeHubSDK, K as status, L as ClientRuntime, M as resolveCliInvocation, N as uninstallClientService, O as printResults, P as ensurePostgres, R as handleClientOrgMismatch, S as checkDocker, T as checkServerHealth, U as blank, V as hasUser, Y as SdkError, _ as runMigrations, b as checkClientConfig, c as promptMissingFields, d as onboardCheck, f as onboardCreate, i as startServer, j as isServiceSupported, k as getClientServiceStatus, l as formatCheckReport, m as runHomeMigration, o as isInteractive, s as promptAddAgent, v as checkAgentConfigs, w as checkServerConfig, x as checkDatabase, z as rotateClientIdWithBackup } from "./core-BgiFGT7Y.mjs";
+import "./observability-DPyf745N-BSc8QNcR.mjs";
+import { $ as status, A as checkServerHealth, B as isDockerAvailable, C as checkAgentConfigs, D as checkDocker, E as checkDatabase, F as installClientService, G as createOwner, H as ClientRuntime, I as isServiceSupported, K as hasUser, L as resolveCliInvocation, M as checkWebSocket, N as printResults, O as checkNodeVersion, P as getClientServiceStatus, R as uninstallClientService, S as runMigrations, T as checkClientConfig, U as handleClientOrgMismatch, V as stopPostgres, W as rotateClientIdWithBackup, X as blank, _ as onboardCreate, d as isInteractive, f as promptAddAgent, g as onboardCheck, j as checkServerReachable, k as checkServerConfig, m as formatCheckReport, n as deriveHubUrlFromToken, nt as SdkError, p as promptMissingFields, s as startServer, t as HubUrlDerivationError, tt as FirstTreeHubSDK, y as runHomeMigration, z as ensurePostgres } from "./saas-connect-3p-vBkuY.mjs";
 import "./logger-core-BTmvdflj-DjW8FM4T.mjs";
-import { a as resolveAccessToken, n as ensureFreshAccessToken, o as resolveServerUrl, r as ensureFreshAdminToken } from "./bootstrap-CtVqQA8a.mjs";
-import { n as bindFeishuUser, t as bindFeishuBot } from "./feishu-DEmwoNn_.mjs";
-export { ClientRuntime, FirstTreeHubSDK, SdkError, bindFeishuBot, bindFeishuUser, blank, checkAgentConfigs, checkClientConfig, checkDatabase, checkDocker, checkNodeVersion, checkServerConfig, checkServerHealth, checkServerReachable, checkWebSocket, createOwner, ensureFreshAccessToken, ensureFreshAdminToken, ensurePostgres, formatCheckReport, getClientServiceStatus, handleClientOrgMismatch, hasUser, installClientService, isDockerAvailable, isInteractive, isServiceSupported, onboardCheck, onboardCreate, printResults, promptAddAgent, promptMissingFields, resolveAccessToken, resolveCliInvocation, resolveServerUrl, rotateClientIdWithBackup, runHomeMigration, runMigrations, startServer, status, stopPostgres, uninstallClientService };
+import { a as resolveAccessToken, n as ensureFreshAccessToken, o as resolveServerUrl, r as ensureFreshAdminToken } from "./bootstrap-CBAVWQUT.mjs";
+import "./dist-DUCelK3Z.mjs";
+import { n as bindFeishuUser, t as bindFeishuBot } from "./feishu-Boy3n8CT.mjs";
+import "./invitation-C_zAhB8x-8Khychlu.mjs";
+export { ClientRuntime, FirstTreeHubSDK, HubUrlDerivationError, SdkError, bindFeishuBot, bindFeishuUser, blank, checkAgentConfigs, checkClientConfig, checkDatabase, checkDocker, checkNodeVersion, checkServerConfig, checkServerHealth, checkServerReachable, checkWebSocket, createOwner, deriveHubUrlFromToken, ensureFreshAccessToken, ensureFreshAdminToken, ensurePostgres, formatCheckReport, getClientServiceStatus, handleClientOrgMismatch, hasUser, installClientService, isDockerAvailable, isInteractive, isServiceSupported, onboardCheck, onboardCreate, printResults, promptAddAgent, promptMissingFields, resolveAccessToken, resolveCliInvocation, resolveServerUrl, rotateClientIdWithBackup, runHomeMigration, runMigrations, startServer, status, stopPostgres, uninstallClientService };

package/dist/invitation-BTlGMy0o-Coj07kYi.mjs ADDED Viewed

@@ -0,0 +1,3 @@
+import "./dist-DUCelK3Z.mjs";
+import { _ as rotateInvitation, h as previewInvitation } from "./invitation-C_zAhB8x-8Khychlu.mjs";
+export { previewInvitation, rotateInvitation };

package/dist/invitation-C_zAhB8x-8Khychlu.mjs ADDED Viewed

@@ -0,0 +1,258 @@
+import { randomBytes } from "node:crypto";
+import { and, desc, eq, gt, isNull, or } from "drizzle-orm";
+import { index, integer, jsonb, pgTable, text, timestamp } from "drizzle-orm/pg-core";
+//#region ../server/dist/invitation-C_zAhB8x.mjs
+/** Organization entity. Agents and chats belong to exactly one organization. */
+const organizations = pgTable("organizations", {
+	id: text("id").primaryKey(),
+	name: text("name").unique().notNull(),
+	displayName: text("display_name").notNull(),
+	maxAgents: integer("max_agents").notNull().default(0),
+	maxMessagesPerMinute: integer("max_messages_per_minute").notNull().default(0),
+	features: jsonb("features").$type().notNull().default({}),
+	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
+	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow()
+});
+/** User accounts. Passwords are stored as bcrypt hashes. */
+const users = pgTable("users", {
+	id: text("id").primaryKey(),
+	username: text("username").unique().notNull(),
+	passwordHash: text("password_hash").notNull(),
+	displayName: text("display_name").notNull(),
+	avatarUrl: text("avatar_url"),
+	status: text("status").notNull().default("active"),
+	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
+	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow()
+});
+var AppError = class extends Error {
+	constructor(statusCode, message) {
+		super(message);
+		this.statusCode = statusCode;
+		this.name = "AppError";
+	}
+};
+var NotFoundError = class extends AppError {
+	constructor(message = "Not found") {
+		super(404, message);
+		this.name = "NotFoundError";
+	}
+};
+var UnauthorizedError = class extends AppError {
+	constructor(message = "Unauthorized") {
+		super(401, message);
+		this.name = "UnauthorizedError";
+	}
+};
+var ForbiddenError = class extends AppError {
+	constructor(message = "Forbidden") {
+		super(403, message);
+		this.name = "ForbiddenError";
+	}
+};
+var ConflictError = class extends AppError {
+	constructor(message = "Conflict") {
+		super(409, message);
+		this.name = "ConflictError";
+	}
+};
+var BadRequestError = class extends AppError {
+	constructor(message = "Bad request") {
+		super(400, message);
+		this.name = "BadRequestError";
+	}
+};
+/**
+* Thrown when an operation targets a client whose organization does not match
+* the caller's authenticated organization. A client is bound to exactly one
+* org for its lifetime; re-registering or operating under a different org's
+* credentials is refused. CLI consumers recognize the `code` field and
+* respond by abandoning the local clientId to register a fresh one.
+*/
+var ClientOrgMismatchError = class extends AppError {
+	code = "CLIENT_ORG_MISMATCH";
+	constructor(message = "Client belongs to a different organization") {
+		super(403, message);
+		this.name = "ClientOrgMismatchError";
+	}
+};
+/** Generate a UUID v7 (time-ordered). No external dependency. */
+function uuidv7() {
+	const now = BigInt(Date.now());
+	const bytes = new Uint8Array(16);
+	bytes[0] = Number(now >> 40n & 255n);
+	bytes[1] = Number(now >> 32n & 255n);
+	bytes[2] = Number(now >> 24n & 255n);
+	bytes[3] = Number(now >> 16n & 255n);
+	bytes[4] = Number(now >> 8n & 255n);
+	bytes[5] = Number(now & 255n);
+	const rand = randomBytes(10);
+	for (let i = 0; i < 10; i++) {
+		const b = rand[i];
+		if (b !== void 0) bytes[6 + i] = b;
+	}
+	bytes[6] = (bytes[6] ?? 0) & 15 | 112;
+	bytes[8] = (bytes[8] ?? 0) & 63 | 128;
+	const hex = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
+	return `${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20)}`;
+}
+/**
+* Org-level invitation links. v1 enforces "one active link per org" via a
+* partial UNIQUE index added in the SQL migration (Drizzle's TS DSL does not
+* yet model partial uniques). Rotating a link sets `revoked_at` on the prior
+* row and inserts a new one in the same transaction; revoked rows stay for
+* audit but no longer satisfy the partial uniqueness predicate.
+*
+* `role` is fixed to `'member'` by the v1 API but stored on the row so a
+* future "invite as admin" feature is a route change, not a schema change.
+*
+* `expires_at` is left unset by the v1 rotate flow — invite links don't
+* auto-expire. The column exists so an admin can opt into expiry later (and
+* the partial unique predicate already filters on it).
+*/
+const invitations = pgTable("invitations", {
+	id: text("id").primaryKey(),
+	organizationId: text("organization_id").notNull().references(() => organizations.id, { onDelete: "cascade" }),
+	token: text("token").notNull().unique(),
+	role: text("role").notNull().default("member"),
+	expiresAt: timestamp("expires_at", { withTimezone: true }),
+	revokedAt: timestamp("revoked_at", { withTimezone: true }),
+	createdBy: text("created_by").notNull().references(() => users.id),
+	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow()
+}, (table) => [index("idx_invitations_token").on(table.token), index("idx_invitations_org").on(table.organizationId)]);
+/** Audit row for every successful redemption — v1 admins inspect via DB. */
+const invitationRedemptions = pgTable("invitation_redemptions", {
+	id: text("id").primaryKey(),
+	invitationId: text("invitation_id").notNull().references(() => invitations.id, { onDelete: "cascade" }),
+	userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+	redeemedAt: timestamp("redeemed_at", { withTimezone: true }).notNull().defaultNow(),
+	ip: text("ip"),
+	userAgent: text("user_agent")
+}, (table) => [index("idx_invitation_redemptions_invitation").on(table.invitationId), index("idx_invitation_redemptions_user").on(table.userId)]);
+const TOKEN_BYTES = 32;
+/**
+* Default invite-link TTL — authoritative server-side value. Tightening
+* "anyone with this link can join" to a bounded window is the primary
+* mitigation for accidental link leakage (admin pasting into a public
+* Slack channel, forwarded email chains, screen-share captures, etc).
+* 7 days mirrors what GitHub and Vercel default to; longer windows put
+* more leak surface on the same token. Admins extend by clicking Rotate
+* (which mints a fresh 7-day link in one transaction).
+*
+* The mirror constant in `@…shared/schemas/invitation.ts` exists so the
+* web UI can render "expires in 7 days" copy without an extra round-trip.
+*/
+const INVITATION_DEFAULT_TTL_MS = 10080 * 60 * 1e3;
+function generateInvitationToken() {
+	return randomBytes(TOKEN_BYTES).toString("base64url");
+}
+function defaultExpiry() {
+	return new Date(Date.now() + INVITATION_DEFAULT_TTL_MS);
+}
+/**
+* Return the *active* invitation for `orgId`, or null if none exists.
+* "Active" = not revoked AND not expired.
+*
+* Mirrors the predicate of the partial UNIQUE index `uq_invitations_active_per_org`,
+* so a successful `getActiveInvitation` is the same row the index protects.
+*/
+async function getActiveInvitation(db, orgId) {
+	const now = /* @__PURE__ */ new Date();
+	const [row] = await db.select().from(invitations).where(and(eq(invitations.organizationId, orgId), isNull(invitations.revokedAt), or(isNull(invitations.expiresAt), gt(invitations.expiresAt, now)))).orderBy(desc(invitations.createdAt)).limit(1);
+	return row ?? null;
+}
+/**
+* Get-or-create the active invitation for `orgId`. Idempotent so the admin
+* UI can call this on first render without inadvertently creating a fresh
+* link every time someone visits Settings.
+*
+* "Active" is filtered by `getActiveInvitation` (revoked_at IS NULL AND
+* not expired). When no active row exists we delegate to `rotateInvitation`
+* — that path correctly handles the case where a prior row exists but
+* has expired (`revoked_at IS NULL` but `expires_at < now()`). A naked
+* INSERT here would trip `uq_invitations_active_per_org` (the partial
+* unique index can't filter on `now()`, so it considers expired-but-not-
+* revoked rows as still occupying the slot).
+*/
+async function ensureActiveInvitation(db, orgId, createdBy) {
+	const existing = await getActiveInvitation(db, orgId);
+	if (existing) return existing;
+	return rotateInvitation(db, orgId, createdBy);
+}
+/**
+* Rotate the invitation: revoke every non-revoked row for this org (the
+* current active link AND any expired-but-not-revoked stragglers) and
+* insert a fresh one in a single transaction. Old tokens stop redeeming
+* immediately. The new row carries a default 7-day expiry; admin extends
+* by rotating again.
+*/
+async function rotateInvitation(db, orgId, createdBy) {
+	return db.transaction(async (tx) => {
+		const now = /* @__PURE__ */ new Date();
+		await tx.update(invitations).set({ revokedAt: now }).where(and(eq(invitations.organizationId, orgId), isNull(invitations.revokedAt)));
+		const id = uuidv7();
+		const token = generateInvitationToken();
+		const [row] = await tx.insert(invitations).values({
+			id,
+			organizationId: orgId,
+			token,
+			role: "member",
+			createdBy,
+			expiresAt: defaultExpiry()
+		}).returning();
+		if (!row) throw new Error("Unexpected: INSERT RETURNING produced no row");
+		return row;
+	});
+}
+/**
+* Look up an invitation by its public token. Returns null when the token
+* is unknown OR when the row exists but is no longer active. Conflating
+* "unknown" with "revoked" prevents an attacker from inferring which
+* tokens were once valid.
+*/
+async function findActiveByToken(db, token) {
+	const now = /* @__PURE__ */ new Date();
+	const [row] = await db.select().from(invitations).where(and(eq(invitations.token, token), isNull(invitations.revokedAt), or(isNull(invitations.expiresAt), gt(invitations.expiresAt, now)))).limit(1);
+	return row ?? null;
+}
+/**
+* Public preview surfaced on `/invite/:token` before the recipient signs in.
+*/
+async function previewInvitation(db, token) {
+	const inv = await findActiveByToken(db, token);
+	if (!inv) throw new NotFoundError("Invitation not found or no longer valid");
+	const [org] = await db.select({
+		id: organizations.id,
+		name: organizations.name,
+		displayName: organizations.displayName
+	}).from(organizations).where(eq(organizations.id, inv.organizationId)).limit(1);
+	if (!org) throw new NotFoundError("Invitation organization not found");
+	return {
+		organizationId: org.id,
+		organizationName: org.name,
+		organizationDisplayName: org.displayName,
+		role: inv.role
+	};
+}
+/**
+* Record a redemption row. Caller is responsible for executing the join
+* (members.insert / status='active' flip) — this is the audit trail only.
+*/
+async function recordRedemption(db, data) {
+	await db.insert(invitationRedemptions).values({
+		id: uuidv7(),
+		invitationId: data.invitationId,
+		userId: data.userId,
+		ip: data.ip ?? null,
+		userAgent: data.userAgent ?? null
+	});
+}
+/**
+* Build the invite URL surfaced to admins. `publicUrl` should be the
+* server's `server.publicUrl` config; pass the request host as fallback in
+* dev where publicUrl may be unset.
+*/
+function buildInviteUrl(publicUrl, token) {
+	return `${publicUrl.replace(/\/+$/, "")}/invite/${token}`;
+}
+//#endregion
+export { rotateInvitation as _, ForbiddenError as a, buildInviteUrl as c, getActiveInvitation as d, invitationRedemptions as f, recordRedemption as g, previewInvitation as h, ConflictError as i, ensureActiveInvitation as l, organizations as m, BadRequestError as n, NotFoundError as o, invitations as p, ClientOrgMismatchError as r, UnauthorizedError as s, AppError as t, findActiveByToken as u, users as v, uuidv7 as y };

package/dist/{observability-DDkJwSKv.mjs → observability-C08jUFsJ.mjs} RENAMED Viewed

@@ -1,4 +1,4 @@
 import "./esm-CYu4tXXn.mjs";
-import { m as shutdownTelemetry, s as initTelemetry } from "./observability-DV_fQKqV-oxfXX6Z2.mjs";
+import { m as shutdownTelemetry, s as initTelemetry } from "./observability-DPyf745N-BSc8QNcR.mjs";
 import "./logger-core-BTmvdflj-DjW8FM4T.mjs";
 export { initTelemetry, shutdownTelemetry };

package/dist/{observability-DV_fQKqV-oxfXX6Z2.mjs → observability-DPyf745N-BSc8QNcR.mjs} RENAMED Viewed

@@ -28384,19 +28384,19 @@ var require_getMachineId = /* @__PURE__ */ __commonJSMin(((exports) => {
 	async function getMachineId() {
 		if (!getMachineIdImpl) switch (process$1.platform) {
 			case "darwin":
-				getMachineIdImpl = (await import("./getMachineId-darwin-DAYWNsYK.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
+				getMachineIdImpl = (await import("./getMachineId-darwin-DOoYFb2_.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
 				break;
 			case "linux":
-				getMachineIdImpl = (await import("./getMachineId-linux-BU7Fi6S0.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
+				getMachineIdImpl = (await import("./getMachineId-linux-MlY63Zsw.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
 				break;
 			case "freebsd":
-				getMachineIdImpl = (await import("./getMachineId-bsd-BB-fnFLA.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
+				getMachineIdImpl = (await import("./getMachineId-bsd-D0w3uAZa.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
 				break;
 			case "win32":
-				getMachineIdImpl = (await import("./getMachineId-win-H5RT49ov.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
+				getMachineIdImpl = (await import("./getMachineId-win-B6hY8edq.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
 				break;
 			default:
-				getMachineIdImpl = (await import("./getMachineId-unsupported-BhWCxKBo.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
+				getMachineIdImpl = (await import("./getMachineId-unsupported-BS652RIy.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
 				break;
 		}
 		return getMachineIdImpl();
@@ -33467,7 +33467,7 @@ var require_src = /* @__PURE__ */ __commonJSMin(((exports) => {
 	});
 }));
 //#endregion
-//#region ../server/dist/observability-DV_fQKqV.mjs
+//#region ../server/dist/observability-DPyf745N.mjs
 var import_pino = /* @__PURE__ */ __toESM(require_pino(), 1);
 var import_otel = /* @__PURE__ */ __toESM(require_otel(), 1);
 init_esm$2();