@agent-team-foundation/first-tree-hub 0.10.12 → 0.10.14

package/dist/{bootstrap-CDeXqhkQ.mjs → bootstrap-B2x4TTyJ.mjs}

@@ -563,6 +563,11 @@ const serverConfigSchema = defineConfig({
 			secret: true
 		})
 	},
+	auth: {
+		accessTokenExpiry: field(z.string().default("30m"), { env: "FIRST_TREE_HUB_AUTH_ACCESS_TOKEN_EXPIRY" }),
+		refreshTokenExpiry: field(z.string().default("30d"), { env: "FIRST_TREE_HUB_AUTH_REFRESH_TOKEN_EXPIRY" }),
+		connectTokenExpiry: field(z.string().default("10m"), { env: "FIRST_TREE_HUB_AUTH_CONNECT_TOKEN_EXPIRY" })
+	},
 	contextTree: optional({
 		repo: field(z.string(), {
 			env: "FIRST_TREE_HUB_CONTEXT_TREE_REPO",
@@ -644,6 +649,7 @@ const serverConfigSchema = defineConfig({
 //#endregion
 //#region src/core/bootstrap.ts
 var bootstrap_exports = /* @__PURE__ */ __exportAll({
+	AuthRefreshFailedError: () => AuthRefreshFailedError,
 	ensureFreshAccessToken: () => ensureFreshAccessToken,
 	ensureFreshAdminToken: () => ensureFreshAdminToken,
 	loadCredentials: () => loadCredentials,
@@ -686,6 +692,20 @@ function resolveAccessToken() {
 	return creds.accessToken;
 }
 /**
+* Thrown when `/auth/refresh` returns 401 — i.e. the persisted refresh
+* token has expired or been revoked, so no amount of retrying will get
+* us back online without operator action. Callers (the WS reconnect
+* loop in particular) catch this distinctly from generic network/HTTP
+* errors so they can stop the 1Hz reconnect-and-fail thrash and ask
+* systemd/launchd to back off.
+*/
+var AuthRefreshFailedError = class extends Error {
+	constructor(message) {
+		super(message);
+		this.name = "AuthRefreshFailedError";
+	}
+};
+/**
 * In-flight refresh promise. Multiple callers (WS handshake, proactive
 * refresh timer, every SDK request) can see an expired token within the same
 * millisecond — without dedupe each would fire an independent `/auth/refresh`
@@ -704,6 +724,14 @@ const DEFAULT_MIN_VALIDITY_MS = 3e4;
 * token has less than that much life left. The WS proactive-refresh path
 * passes a value that overlaps its lead window so it never receives a
 * token already inside the "about to expire" zone.
+*
+* Sliding-window note: the server now rotates the refresh token on every
+* successful `/auth/refresh`. We persist the rotated token alongside the
+* new access token so an actively-used client never hits the absolute
+* `refreshTokenExpiry` ceiling. If the response omits `refreshToken`
+* (i.e. an older server) we keep the existing one — the cost is just
+* losing the sliding behaviour against that backend, not a correctness
+* regression.
 */
 async function ensureFreshAccessToken(opts) {
 	const minValidityMs = opts?.minValidityMs ?? DEFAULT_MIN_VALIDITY_MS;
@@ -718,11 +746,13 @@ async function ensureFreshAccessToken(opts) {
 			body: JSON.stringify({ refreshToken: creds.refreshToken }),
 			signal: AbortSignal.timeout(1e4)
 		});
-		if (!res.ok) throw new Error("Access token expired and refresh failed. Run `first-tree-hub client connect <server-url>`.");
+		if (res.status === 401) throw new AuthRefreshFailedError("Refresh token rejected by server. Re-run `first-tree-hub connect <token>` (get a fresh token from the Web Computers page → New Connection).");
+		if (!res.ok) throw new Error(`Refresh request failed with status ${res.status}.`);
 		const data = await res.json();
 		saveCredentials({
 			...creds,
-			accessToken: data.accessToken
+			accessToken: data.accessToken,
+			refreshToken: data.refreshToken ?? creds.refreshToken
 		});
 		return data.accessToken;
 	})();
@@ -778,4 +808,4 @@ function saveAgentConfig(agentName, agentId, runtime) {
 	return agentDir;
 }
 //#endregion
-export { serverConfigSchema as C, resolveConfigReadonly as S, loadAgents as _, resolveAccessToken as a, resetConfig as b, saveCredentials as c, DEFAULT_HOME_DIR as d, agentConfigSchema as f, initConfig as g, getConfigValue as h, loadCredentials as i, DEFAULT_CONFIG_DIR as l, collectMissingPrompts as m, ensureFreshAccessToken as n, resolveServerUrl as o, clientConfigSchema as p, ensureFreshAdminToken as r, saveAgentConfig as s, bootstrap_exports as t, DEFAULT_DATA_DIR as u, migrateLegacyHome as v, setConfigValue as w, resetConfigMeta as x, readConfigFile as y };
+export { resolveConfigReadonly as C, resetConfigMeta as S, setConfigValue as T, initConfig as _, loadCredentials as a, readConfigFile as b, saveAgentConfig as c, DEFAULT_DATA_DIR as d, DEFAULT_HOME_DIR as f, getConfigValue as g, collectMissingPrompts as h, ensureFreshAdminToken as i, saveCredentials as l, clientConfigSchema as m, bootstrap_exports as n, resolveAccessToken as o, agentConfigSchema as p, ensureFreshAccessToken as r, resolveServerUrl as s, AuthRefreshFailedError as t, DEFAULT_CONFIG_DIR as u, loadAgents as v, serverConfigSchema as w, resetConfig as x, migrateLegacyHome as y };

package/dist/cli/index.mjs

@@ -1,10 +1,10 @@
 #!/usr/bin/env node
 import "../observability-DPyf745N-BSc8QNcR.mjs";
-import { $ as findStaleAliases, A as checkDatabase, B as installClientService, C as runHomeMigration, D as checkAgentConfigs, E as runMigrations, F as checkServerReachable, G as stopClientService, I as checkWebSocket, L as printResults, M as checkNodeVersion, N as checkServerConfig, O as checkBackgroundService, P as checkServerHealth, R as reconcileAgentConfigs, S as saveOnboardState, T as migrateLocalAgentDirs, U as restartClientService, V as isServiceSupported, W as startClientService, X as ClientRuntime, Y as stopPostgres, Z as handleClientOrgMismatch, _ as promptMissingFields, _t as probeCapabilities, a as declineUpdate, at as fail, b as onboardCheck, c as detectInstallMode, ct as print, d as startServer, dt as ClientOrgMismatchError, et as formatStaleReason, f as COMMAND_VERSION, ft as ClientUserMismatchError, g as promptAddAgent, gt as cleanWorkspaces, h as isInteractive, ht as SessionRegistry, i as createExecuteUpdate, it as resolveReplyToFromEnv, j as checkDocker, k as checkClientConfig, l as fetchLatestVersion, lt as setJsonMode, m as uploadClientCapabilities, mt as SdkError, nt as createOwner, o as promptUpdate, ot as success, p as reconcileLocalRuntimeProviders, pt as FirstTreeHubSDK, r as registerSaaSConnectCommand, s as PACKAGE_NAME, tt as removeLocalAgent, u as installGlobalLatest, v as formatCheckReport, vt as applyClientLoggerConfig, w as createApiNameResolver, x as onboardCreate, y as loadOnboardState, yt as configureClientLoggerForService, z as getClientServiceStatus } from "../saas-connect-DLVGb8OH.mjs";
+import { $ as findStaleAliases, A as checkDatabase, B as installClientService, C as runHomeMigration, D as checkAgentConfigs, E as runMigrations, F as checkServerReachable, G as stopClientService, I as checkWebSocket, L as printResults, M as checkNodeVersion, N as checkServerConfig, O as checkBackgroundService, P as checkServerHealth, R as reconcileAgentConfigs, S as saveOnboardState, T as migrateLocalAgentDirs, U as restartClientService, V as isServiceSupported, W as startClientService, X as ClientRuntime, Y as stopPostgres, Z as handleClientOrgMismatch, _ as promptMissingFields, _t as probeCapabilities, a as declineUpdate, at as fail, b as onboardCheck, c as detectInstallMode, ct as print, d as startServer, dt as ClientOrgMismatchError, et as formatStaleReason, f as COMMAND_VERSION, ft as ClientUserMismatchError, g as promptAddAgent, gt as cleanWorkspaces, h as isInteractive, ht as SessionRegistry, i as createExecuteUpdate, it as resolveReplyToFromEnv, j as checkDocker, k as checkClientConfig, l as fetchLatestVersion, lt as setJsonMode, m as uploadClientCapabilities, mt as SdkError, nt as createOwner, o as promptUpdate, ot as success, p as reconcileLocalRuntimeProviders, pt as FirstTreeHubSDK, r as registerSaaSConnectCommand, s as PACKAGE_NAME, tt as removeLocalAgent, u as installGlobalLatest, v as formatCheckReport, vt as applyClientLoggerConfig, w as createApiNameResolver, x as onboardCreate, y as loadOnboardState, yt as configureClientLoggerForService, z as getClientServiceStatus } from "../saas-connect-DWcxHtjX.mjs";
 import "../logger-core-BTmvdflj-DjW8FM4T.mjs";
-import { C as serverConfigSchema, S as resolveConfigReadonly, _ as loadAgents, b as resetConfig, c as saveCredentials, d as DEFAULT_HOME_DIR, f as agentConfigSchema, g as initConfig, h as getConfigValue, i as loadCredentials, l as DEFAULT_CONFIG_DIR, n as ensureFreshAccessToken, o as resolveServerUrl, p as clientConfigSchema, r as ensureFreshAdminToken, s as saveAgentConfig, u as DEFAULT_DATA_DIR, w as setConfigValue, x as resetConfigMeta, y as readConfigFile } from "../bootstrap-CDeXqhkQ.mjs";
-import "../dist-DwbhZyGi.mjs";
-import { n as bindFeishuUser, t as bindFeishuBot } from "../feishu-viiZmwcn.mjs";
+import { C as resolveConfigReadonly, S as resetConfigMeta, T as setConfigValue, _ as initConfig, a as loadCredentials, b as readConfigFile, c as saveAgentConfig, d as DEFAULT_DATA_DIR, f as DEFAULT_HOME_DIR, g as getConfigValue, i as ensureFreshAdminToken, l as saveCredentials, m as clientConfigSchema, p as agentConfigSchema, r as ensureFreshAccessToken, s as resolveServerUrl, u as DEFAULT_CONFIG_DIR, v as loadAgents, w as serverConfigSchema, x as resetConfig } from "../bootstrap-B2x4TTyJ.mjs";
+import "../dist-D6AOiyNg.mjs";
+import { n as bindFeishuUser, t as bindFeishuBot } from "../feishu-DQ1l18Ah.mjs";
 import "../invitation-B1pjAyOz-BaCA9PII.mjs";
 import { join } from "node:path";
 import { existsSync, mkdirSync, readFileSync, readdirSync } from "node:fs";
@@ -1308,6 +1308,24 @@ function registerClientCommands(program) {
 			print.line(`  Hub:      (could not read ${clientYaml}: ${msg.slice(0, 60)})\n`);
 		}
 		else print.line("  Hub:      (not configured — run `first-tree-hub client connect <url>`)\n");
+		const creds = loadCredentials();
+		if (creds) {
+			const exp = decodeJwtExpSeconds(creds.refreshToken);
+			if (exp == null) print.line("  Auth:     ⚠ could not parse refresh token (corrupt credentials)\n");
+			else {
+				const remainingSec = exp - Math.floor(Date.now() / 1e3);
+				if (remainingSec <= 0) {
+					print.line("  Auth:     ✗ refresh token EXPIRED — re-run `first-tree-hub connect <token>`\n");
+					print.line("              (get a fresh token from your Hub's Web admin → Computers → New Connection)\n");
+				} else if (remainingSec < 2 * 86400) {
+					const hours = Math.floor(remainingSec / 3600);
+					print.line(`  Auth:     ⚠ refresh token expires in ~${hours}h — reclaim soon to stay online\n`);
+				} else {
+					const days = Math.floor(remainingSec / 86400);
+					print.line(`  Auth:     ✓ refresh token valid for ~${days}d\n`);
+				}
+			}
+		} else print.line("  Auth:     (no credentials — run `first-tree-hub client connect <url>`)\n");
 		const agentsDir = join(DEFAULT_CONFIG_DIR, "agents");
 		try {
 			const agents = loadAgents({
@@ -1474,6 +1492,25 @@ function getNested(obj, path) {
 	}
 	return typeof cur === "string" ? cur : null;
 }
+/**
+* Pull the `exp` claim (in seconds since epoch) out of a JWT without
+* verifying the signature — the `client status` auth-health line just
+* needs the wall-clock countdown, not a trust decision. Returns null
+* for malformed tokens so the caller can render a friendly fallback
+* instead of crashing.
+*/
+function decodeJwtExpSeconds(token) {
+	const parts = token.split(".");
+	if (parts.length < 2 || !parts[1]) return null;
+	try {
+		const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+		const pad = b64.length % 4 === 0 ? "" : "=".repeat(4 - b64.length % 4);
+		const payload = JSON.parse(Buffer.from(b64 + pad, "base64").toString("utf-8"));
+		return typeof payload.exp === "number" ? payload.exp : null;
+	} catch {
+		return null;
+	}
+}
 //#endregion
 //#region src/commands/config.ts
 function resolveConfigPath(flags) {
@@ -1571,13 +1608,13 @@ function isSecretField(schema, dotPath) {
 //#region src/commands/onboard.ts
 async function promptMissing(args) {
 	if (!args.server) try {
-		const { resolveServerUrl } = await import("../bootstrap-CDeXqhkQ.mjs").then((n) => n.t);
+		const { resolveServerUrl } = await import("../bootstrap-B2x4TTyJ.mjs").then((n) => n.n);
 		resolveServerUrl();
 	} catch {
 		args.server = await input({ message: "Hub server URL:" });
 		saveOnboardState(args);
 	}
-	const { loadCredentials } = await import("../bootstrap-CDeXqhkQ.mjs").then((n) => n.t);
+	const { loadCredentials } = await import("../bootstrap-B2x4TTyJ.mjs").then((n) => n.n);
 	if (!loadCredentials()) throw new Error("No saved credentials. Run `first-tree-hub client connect <server-url>` before onboarding.");
 	if (!args.id) {
 		args.id = await input({ message: "Agent ID:" });

package/dist/{dist-DwbhZyGi.mjs → dist-D6AOiyNg.mjs}

@@ -585,10 +585,25 @@ const addParticipantSchema = z.object({
 });
 z.object({ agentId: z.string().min(1) });
 const clientStatusSchema = z.enum(["connected", "disconnected"]);
+/**
+* Auth health channel surfaced to the Web admin dashboard. Computed
+* server-side per request from the row's offline duration vs the
+* configured refresh-token TTL — there is no DB column. See
+* `deriveAuthState` server-side.
+*
+*   - `ok`      — online, or recently offline (cached refresh token can
+*                 plausibly still mint access tokens).
+*   - `expired` — offline longer than the refresh-token TTL; the client
+*                 cannot recover on its own. The operator mints a fresh
+*                 connect token via the Web "+ New Connection" button
+*                 (or the inline Reconnect button on the row).
+*/
+const clientAuthStateSchema = z.enum(["ok", "expired"]);
 z.object({
 	id: z.string(),
 	userId: z.string().nullable(),
 	status: clientStatusSchema,
+	authState: clientAuthStateSchema,
 	sdkVersion: z.string().max(50).nullable(),
 	hostname: z.string().max(100).nullable(),
 	os: z.string().max(50).nullable(),

package/dist/{feishu-viiZmwcn.mjs → feishu-DQ1l18Ah.mjs}

@@ -1,5 +1,5 @@
 import { d as __exportAll } from "./esm-CYu4tXXn.mjs";
-import { r as AGENT_SELECTOR_HEADER } from "./dist-DwbhZyGi.mjs";
+import { r as AGENT_SELECTOR_HEADER } from "./dist-D6AOiyNg.mjs";
 //#region src/core/feishu.ts
 var feishu_exports = /* @__PURE__ */ __exportAll({
 	bindFeishuBot: () => bindFeishuBot,

package/dist/index.mjs

@@ -1,8 +1,8 @@
 import "./observability-DPyf745N-BSc8QNcR.mjs";
-import { A as checkDatabase, B as installClientService, C as runHomeMigration, D as checkAgentConfigs, E as runMigrations, F as checkServerReachable, G as stopClientService, H as resolveCliInvocation, I as checkWebSocket, J as isDockerAvailable, K as uninstallClientService, L as printResults, M as checkNodeVersion, N as checkServerConfig, P as checkServerHealth, Q as rotateClientIdWithBackup, U as restartClientService, V as isServiceSupported, W as startClientService, X as ClientRuntime, Y as stopPostgres, Z as handleClientOrgMismatch, _ as promptMissingFields, b as onboardCheck, d as startServer, g as promptAddAgent, h as isInteractive, j as checkDocker, k as checkClientConfig, mt as SdkError, n as deriveHubUrlFromToken, nt as createOwner, pt as FirstTreeHubSDK, q as ensurePostgres, rt as hasUser, st as blank, t as HubUrlDerivationError, ut as status, v as formatCheckReport, x as onboardCreate, z as getClientServiceStatus } from "./saas-connect-DLVGb8OH.mjs";
+import { A as checkDatabase, B as installClientService, C as runHomeMigration, D as checkAgentConfigs, E as runMigrations, F as checkServerReachable, G as stopClientService, H as resolveCliInvocation, I as checkWebSocket, J as isDockerAvailable, K as uninstallClientService, L as printResults, M as checkNodeVersion, N as checkServerConfig, P as checkServerHealth, Q as rotateClientIdWithBackup, U as restartClientService, V as isServiceSupported, W as startClientService, X as ClientRuntime, Y as stopPostgres, Z as handleClientOrgMismatch, _ as promptMissingFields, b as onboardCheck, d as startServer, g as promptAddAgent, h as isInteractive, j as checkDocker, k as checkClientConfig, mt as SdkError, n as deriveHubUrlFromToken, nt as createOwner, pt as FirstTreeHubSDK, q as ensurePostgres, rt as hasUser, st as blank, t as HubUrlDerivationError, ut as status, v as formatCheckReport, x as onboardCreate, z as getClientServiceStatus } from "./saas-connect-DWcxHtjX.mjs";
 import "./logger-core-BTmvdflj-DjW8FM4T.mjs";
-import { a as resolveAccessToken, n as ensureFreshAccessToken, o as resolveServerUrl, r as ensureFreshAdminToken } from "./bootstrap-CDeXqhkQ.mjs";
-import "./dist-DwbhZyGi.mjs";
-import { n as bindFeishuUser, t as bindFeishuBot } from "./feishu-viiZmwcn.mjs";
+import { i as ensureFreshAdminToken, o as resolveAccessToken, r as ensureFreshAccessToken, s as resolveServerUrl, t as AuthRefreshFailedError } from "./bootstrap-B2x4TTyJ.mjs";
+import "./dist-D6AOiyNg.mjs";
+import { n as bindFeishuUser, t as bindFeishuBot } from "./feishu-DQ1l18Ah.mjs";
 import "./invitation-B1pjAyOz-BaCA9PII.mjs";
-export { ClientRuntime, FirstTreeHubSDK, HubUrlDerivationError, SdkError, bindFeishuBot, bindFeishuUser, blank, checkAgentConfigs, checkClientConfig, checkDatabase, checkDocker, checkNodeVersion, checkServerConfig, checkServerHealth, checkServerReachable, checkWebSocket, createOwner, deriveHubUrlFromToken, ensureFreshAccessToken, ensureFreshAdminToken, ensurePostgres, formatCheckReport, getClientServiceStatus, handleClientOrgMismatch, hasUser, installClientService, isDockerAvailable, isInteractive, isServiceSupported, onboardCheck, onboardCreate, printResults, promptAddAgent, promptMissingFields, resolveAccessToken, resolveCliInvocation, resolveServerUrl, restartClientService, rotateClientIdWithBackup, runHomeMigration, runMigrations, startClientService, startServer, status, stopClientService, stopPostgres, uninstallClientService };
+export { AuthRefreshFailedError, ClientRuntime, FirstTreeHubSDK, HubUrlDerivationError, SdkError, bindFeishuBot, bindFeishuUser, blank, checkAgentConfigs, checkClientConfig, checkDatabase, checkDocker, checkNodeVersion, checkServerConfig, checkServerHealth, checkServerReachable, checkWebSocket, createOwner, deriveHubUrlFromToken, ensureFreshAccessToken, ensureFreshAdminToken, ensurePostgres, formatCheckReport, getClientServiceStatus, handleClientOrgMismatch, hasUser, installClientService, isDockerAvailable, isInteractive, isServiceSupported, onboardCheck, onboardCreate, printResults, promptAddAgent, promptMissingFields, resolveAccessToken, resolveCliInvocation, resolveServerUrl, restartClientService, rotateClientIdWithBackup, runHomeMigration, runMigrations, startClientService, startServer, status, stopClientService, stopPostgres, uninstallClientService };

package/dist/{invitation-CBnQyB7o-DLQyW5ek.mjs → invitation-CBnQyB7o-Bulf3Sl7.mjs}

@@ -1,3 +1,3 @@
-import "./dist-DwbhZyGi.mjs";
+import "./dist-D6AOiyNg.mjs";
 import { g as previewInvitation, v as rotateInvitation } from "./invitation-B1pjAyOz-BaCA9PII.mjs";
 export { previewInvitation, rotateInvitation };