npm - @agent-team-foundation/first-tree-hub - Versions diffs - 0.10.13 → 0.10.14 - Mend

@agent-team-foundation/first-tree-hub 0.10.13 → 0.10.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/{saas-connect-DLVGb8OH.mjs → saas-connect-DWcxHtjX.mjs} RENAMED Viewed

@@ -1,7 +1,7 @@
 import { m as __toESM } from "./esm-CYu4tXXn.mjs";
 import { _ as withSpan, a as endWsConnectionSpan, b as require_pino, c as messageAttrs, d as rootLogger$1, g as startWsConnectionSpan, i as currentTraceId, n as applyLoggerConfig, o as getFastifyOtelPlugin, p as setWsConnectionAttrs, r as createLogger$1, t as adapterAttrs, u as observabilityPlugin, v as withWsMessageSpan, y as FIRST_TREE_HUB_ATTR } from "./observability-DPyf745N-BSc8QNcR.mjs";
-import { C as serverConfigSchema, S as resolveConfigReadonly, _ as loadAgents, b as resetConfig, c as saveCredentials, d as DEFAULT_HOME_DIR$1, f as agentConfigSchema, g as initConfig, i as loadCredentials, l as DEFAULT_CONFIG_DIR, m as collectMissingPrompts, n as ensureFreshAccessToken, o as resolveServerUrl, p as clientConfigSchema, s as saveAgentConfig, u as DEFAULT_DATA_DIR$1, v as migrateLegacyHome, w as setConfigValue, x as resetConfigMeta } from "./bootstrap-CDeXqhkQ.mjs";
-import { $ as refreshTokenSchema, A as createOrgFromMeSchema, B as imageInlineContentSchema, C as clientRegisterSchema, D as createAgentSchema, E as createAdapterMappingSchema, F as dryRunAgentRuntimeConfigSchema, G as isReservedAgentName$1, H as inboxDeliverFrameSchema$1, I as extractMentions, J as loginSchema, K as joinByInvitationSchema, L as githubCallbackQuerySchema, M as createTaskSchema, N as defaultRuntimeConfigPayload, O as createChatSchema, P as delegateFeishuUserSchema, Q as rebindAgentSchema, R as githubDevCallbackQuerySchema, S as clientCapabilitiesSchema$1, St as wsAuthFrameSchema, T as createAdapterConfigSchema, U as inboxPollQuerySchema, V as inboxAckFrameSchema, W as isRedactedEnvValue, X as notificationQuerySchema, Y as messageSourceSchema$1, Z as paginationQuerySchema, _ as adminUpdateTaskSchema, _t as updateClientCapabilitiesSchema, a as AGENT_STATUSES, at as sendToAgentSchema, b as agentRuntimeConfigPayloadSchema$1, bt as updateSystemConfigSchema, ct as sessionEventSchema$1, d as TASK_HEALTH_SIGNALS, dt as switchOrgSchema, et as runtimeStateMessageSchema, f as TASK_STATUSES, ft as taskListQuerySchema, g as adminCreateTaskSchema, gt as updateChatSchema, h as addParticipantSchema, ht as updateAgentSchema, i as AGENT_SOURCES, it as sendMessageSchema, j as createOrganizationSchema, k as createMemberSchema, l as SYSTEM_CONFIG_DEFAULTS, lt as sessionReconcileRequestSchema, m as WS_AUTH_FRAME_TIMEOUT_MS, mt as updateAgentRuntimeConfigSchema, n as AGENT_NAME_REGEX$1, nt as scanMentionTokens, o as AGENT_TYPES, ot as sessionCompletionMessageSchema, p as TASK_TERMINAL_STATUSES, pt as updateAdapterConfigSchema, q as linkTaskChatSchema, r as AGENT_SELECTOR_HEADER$1, rt as selfServiceFeishuBotSchema, s as AGENT_VISIBILITY, st as sessionEventMessageSchema, t as AGENT_BIND_REJECT_REASONS, tt as safeRedirectPath, u as TASK_CREATOR_TYPES, ut as sessionStateMessageSchema, v as agentBindRequestSchema, vt as updateMemberSchema, w as connectTokenExchangeSchema, x as agentTypeSchema$1, xt as updateTaskStatusSchema, y as agentPinnedMessageSchema$1, yt as updateOrganizationSchema, z as githubStartQuerySchema } from "./dist-DwbhZyGi.mjs";
+import { C as resolveConfigReadonly, S as resetConfigMeta, T as setConfigValue, _ as initConfig, a as loadCredentials, c as saveAgentConfig, d as DEFAULT_DATA_DIR$1, f as DEFAULT_HOME_DIR$1, h as collectMissingPrompts, l as saveCredentials, m as clientConfigSchema, p as agentConfigSchema, r as ensureFreshAccessToken, s as resolveServerUrl, u as DEFAULT_CONFIG_DIR, v as loadAgents, w as serverConfigSchema, x as resetConfig, y as migrateLegacyHome } from "./bootstrap-B2x4TTyJ.mjs";
+import { $ as refreshTokenSchema, A as createOrgFromMeSchema, B as imageInlineContentSchema, C as clientRegisterSchema, D as createAgentSchema, E as createAdapterMappingSchema, F as dryRunAgentRuntimeConfigSchema, G as isReservedAgentName$1, H as inboxDeliverFrameSchema$1, I as extractMentions, J as loginSchema, K as joinByInvitationSchema, L as githubCallbackQuerySchema, M as createTaskSchema, N as defaultRuntimeConfigPayload, O as createChatSchema, P as delegateFeishuUserSchema, Q as rebindAgentSchema, R as githubDevCallbackQuerySchema, S as clientCapabilitiesSchema$1, St as wsAuthFrameSchema, T as createAdapterConfigSchema, U as inboxPollQuerySchema, V as inboxAckFrameSchema, W as isRedactedEnvValue, X as notificationQuerySchema, Y as messageSourceSchema$1, Z as paginationQuerySchema, _ as adminUpdateTaskSchema, _t as updateClientCapabilitiesSchema, a as AGENT_STATUSES, at as sendToAgentSchema, b as agentRuntimeConfigPayloadSchema$1, bt as updateSystemConfigSchema, ct as sessionEventSchema$1, d as TASK_HEALTH_SIGNALS, dt as switchOrgSchema, et as runtimeStateMessageSchema, f as TASK_STATUSES, ft as taskListQuerySchema, g as adminCreateTaskSchema, gt as updateChatSchema, h as addParticipantSchema, ht as updateAgentSchema, i as AGENT_SOURCES, it as sendMessageSchema, j as createOrganizationSchema, k as createMemberSchema, l as SYSTEM_CONFIG_DEFAULTS, lt as sessionReconcileRequestSchema, m as WS_AUTH_FRAME_TIMEOUT_MS, mt as updateAgentRuntimeConfigSchema, n as AGENT_NAME_REGEX$1, nt as scanMentionTokens, o as AGENT_TYPES, ot as sessionCompletionMessageSchema, p as TASK_TERMINAL_STATUSES, pt as updateAdapterConfigSchema, q as linkTaskChatSchema, r as AGENT_SELECTOR_HEADER$1, rt as selfServiceFeishuBotSchema, s as AGENT_VISIBILITY, st as sessionEventMessageSchema, t as AGENT_BIND_REJECT_REASONS, tt as safeRedirectPath, u as TASK_CREATOR_TYPES, ut as sessionStateMessageSchema, v as agentBindRequestSchema, vt as updateMemberSchema, w as connectTokenExchangeSchema, x as agentTypeSchema$1, xt as updateTaskStatusSchema, y as agentPinnedMessageSchema$1, yt as updateOrganizationSchema, z as githubStartQuerySchema } from "./dist-D6AOiyNg.mjs";
 import { _ as recordRedemption, a as ConflictError, b as uuidv7, c as UnauthorizedError, d as findActiveByToken, f as getActiveInvitation, h as organizations, i as ClientUserMismatchError$1, l as buildInviteUrl, m as invitations, n as BadRequestError, o as ForbiddenError, p as invitationRedemptions, r as ClientOrgMismatchError$1, s as NotFoundError, t as AppError, u as ensureActiveInvitation, y as users } from "./invitation-B1pjAyOz-BaCA9PII.mjs";
 import { createRequire } from "node:module";
 import { ZodError, z } from "zod";
@@ -742,10 +742,25 @@ z.object({
 });
 z.object({ agentId: z.string().min(1) });
 const clientStatusSchema = z.enum(["connected", "disconnected"]);
+/**
+* Auth health channel surfaced to the Web admin dashboard. Computed
+* server-side per request from the row's offline duration vs the
+* configured refresh-token TTL — there is no DB column. See
+* `deriveAuthState` server-side.
+*
+*   - `ok`      — online, or recently offline (cached refresh token can
+*                 plausibly still mint access tokens).
+*   - `expired` — offline longer than the refresh-token TTL; the client
+*                 cannot recover on its own. The operator mints a fresh
+*                 connect token via the Web "+ New Connection" button
+*                 (or the inline Reconnect button on the row).
+*/
+const clientAuthStateSchema = z.enum(["ok", "expired"]);
 z.object({
 	id: z.string(),
 	userId: z.string().nullable(),
 	status: clientStatusSchema,
+	authState: clientAuthStateSchema,
 	sdkVersion: z.string().max(50).nullable(),
 	hostname: z.string().max(100).nullable(),
 	os: z.string().max(50).nullable(),
@@ -1517,6 +1532,11 @@ defineConfig({
 			secret: true
 		})
 	},
+	auth: {
+		accessTokenExpiry: field(z.string().default("30m"), { env: "FIRST_TREE_HUB_AUTH_ACCESS_TOKEN_EXPIRY" }),
+		refreshTokenExpiry: field(z.string().default("30d"), { env: "FIRST_TREE_HUB_AUTH_REFRESH_TOKEN_EXPIRY" }),
+		connectTokenExpiry: field(z.string().default("10m"), { env: "FIRST_TREE_HUB_AUTH_CONNECT_TOKEN_EXPIRY" })
+	},
 	contextTree: optional({
 		repo: field(z.string(), {
 			env: "FIRST_TREE_HUB_CONTEXT_TREE_REPO",
@@ -2061,7 +2081,6 @@ var ClientConnection = class extends EventEmitter {
 			}, WS_CONNECT_TIMEOUT_MS);
 			ws.on("open", async () => {
 				this.ws = ws;
-				this.reconnectAttempt = 0;
 				this.wsLogger.debug("socket opened, sending auth");
 				try {
 					const token = await this.getAccessToken({ minValidityMs: AUTH_REFRESH_LEAD_MS + 5e3 });
@@ -2072,7 +2091,12 @@ var ClientConnection = class extends EventEmitter {
 					this.scheduleProactiveAuthRefresh(token);
 				} catch (err) {
 					this.authLogger.error({ err }, "failed to obtain access token");
-					settle(reject, err instanceof Error ? err : new Error(String(err)));
+					const e = err instanceof Error ? err : new Error(String(err));
+					if (e.name === "AuthRefreshFailedError") {
+						this.closing = true;
+						this.emit("auth:fatal", e);
+					}
+					settle(reject, e);
 					ws.close();
 				}
 			});
@@ -2168,6 +2192,7 @@ var ClientConnection = class extends EventEmitter {
 		if (type === "client:registered") {
 			const isReconnect = this.boundAgents.size > 0 || this.desiredBindings.size > 0;
 			this.registered = true;
+			this.reconnectAttempt = 0;
 			this.startHeartbeat();
 			this.wsLogger.info({ isReconnect }, "registered");
 			this.emit("connected");
@@ -2320,6 +2345,7 @@ var ClientConnection = class extends EventEmitter {
 		});
 	}
 	scheduleReconnect() {
+		if (this.closing) return;
 		this.reconnectAttempt++;
 		this.emit("reconnecting", this.reconnectAttempt);
 		const delay = Math.min(RECONNECT_BASE_MS * 2 ** (this.reconnectAttempt - 1), RECONNECT_MAX_MS);
@@ -6267,6 +6293,14 @@ var ClientRuntime = class {
 		this.connection.on("auth:expired", () => {
 			print.status("⚠️", "access token expired — reconnecting after refresh...");
 		});
+		this.connection.on("auth:fatal", (err) => {
+			print.blank();
+			print.status("✗", "auth expired — service is shutting down to break the reconnect loop.");
+			print.status("", err.message);
+			print.status("", "Recovery: get a new connect token from your Hub's Web admin");
+			print.status("", "          (Computers → + New Connection), then re-run the command shown.");
+			process.exit(75);
+		});
 		this.connection.on("error", (err) => {
 			print.status("⚠️", `client connection error: ${err.message}`);
 		});
@@ -8064,7 +8098,7 @@ async function onboardCreate(args) {
 	}
 	const runtimeAgent = args.type === "human" ? args.assistant : args.id;
 	if (args.feishuBotAppId && args.feishuBotAppSecret) {
-		const { bindFeishuBot } = await import("./feishu-viiZmwcn.mjs").then((n) => n.r);
+		const { bindFeishuBot } = await import("./feishu-DQ1l18Ah.mjs").then((n) => n.r);
 		const targetAgentUuid = args.type === "human" ? assistantUuid : primary.uuid;
 		if (!targetAgentUuid) print.line(`Warning: Cannot bind Feishu bot — no runtime agent available for "${args.id}".\n`);
 		else {
@@ -9044,7 +9078,7 @@ function createFeedbackHandler(config) {
 	return { handle };
 }
 //#endregion
-//#region ../server/dist/app-O9kCTpaF.mjs
+//#region ../server/dist/app-Le92-WQA.mjs
 var __defProp = Object.defineProperty;
 var __exportAll = (all, no_symbols) => {
 	let target = {};
@@ -9183,7 +9217,32 @@ function requireMember(request) {
 *   - Manageability distinguishes roles: admin can manage all, member only their own.
 *   - All conditions include organizationId scoping to prevent cross-org access.
 */
-/** Extract MemberScope from an authenticated request. Single definition, used by all routes. */
+/**
+* Extract MemberScope from an authenticated request. Single definition, used by all routes.
+*
+* **Org-scoped admin routes must NOT use the result of this directly for
+* data filtering.** The returned scope is keyed to the JWT default member,
+* which is whatever org `auth.login` happened to pick at issuance time —
+* not the org the user has selected in the dropdown (`localStorage.
+* selectedOrganizationId`). Pair every `memberScope(request)` in
+* `packages/server/src/api/admin/*.ts` with one of:
+*
+*   - `resolveAdminScope(db, request, baseScope, request.query.organizationId)`
+*     for routes that accept `?organizationId=` and want a uniformly rotated
+*     scope (every field keyed to the target org).
+*   - `requireMemberInOrg(db, request, orgId)` when only the membership
+*     `(memberId, role, agentId)` is needed for a specific org (e.g. the
+*     creator HUMAN in chat-create).
+*   - `assertCanManage(db, scope, agentUuid)` / `assertAgentVisible(db, scope, agentUuid)`
+*     for routes operating on a single agent — both already rebind authority
+*     to the agent's own org.
+*
+* `__tests__/admin-routes-org-scope-invariant.test.ts` pins this rule via a
+* grep over the admin route directory. If you intentionally land an admin
+* read/write route that targets only the JWT default org (no
+* cross-org switch awareness), update the whitelist there with a comment
+* explaining why.
+*/
 function memberScope(request) {
 	const m = requireMember(request);
 	return {
@@ -9300,12 +9359,14 @@ async function requireMemberInOrg(db, request, orgId) {
 	const m = requireMember(request);
 	const [row] = await db.select({
 		id: members.id,
-		role: members.role
+		role: members.role,
+		agentId: members.agentId
 	}).from(members).where(and(eq(members.userId, m.userId), eq(members.organizationId, orgId), eq(members.status, "active"))).limit(1);
 	if (!row) throw new ForbiddenError("Not an active member of the target organization");
 	return {
 		memberId: row.id,
-		role: row.role
+		role: row.role,
+		agentId: row.agentId
 	};
 }
 /**
@@ -9330,6 +9391,7 @@ async function resolveAdminScope(db, request, scope, requestedOrganizationId) {
 	return {
 		...scope,
 		memberId: probe.memberId,
+		humanAgentId: probe.agentId,
 		organizationId: requestedOrganizationId,
 		role: probe.role
 	};
@@ -11087,6 +11149,29 @@ async function listClientsForOrgAdmin(db, orgId) {
 		metadata: clients.metadata
 	}).from(clients).innerJoin(members, eq(members.userId, clients.userId)).where(and(eq(members.organizationId, orgId), eq(members.status, "active"))));
 }
+/**
+* Infer whether the client's locally-cached refresh token can plausibly
+* still mint access tokens. Used by the Web admin dashboard to render an
+* "AUTH EXPIRED" pill on rows whose offline duration has exceeded the
+* server's configured refresh-token TTL.
+*
+* Uses `lastSeenAt` (not `connectedAt`) because a healthy long-lived
+* client slides the refresh token continuously, so the absolute connect
+* time is no proxy for liveness. `lastSeenAt` is updated on register,
+* heartbeat, and the final disconnect — it lower-bounds the issue time
+* of the refresh token the client most likely still holds.
+*
+* Pure function, no DB access; the column-less design means there's no
+* server-side revocation path yet — every "expired" decision is purely
+* time-based. If we ever want admin-driven revocation, add a column
+* back and OR its value into this function.
+*/
+function deriveAuthState(row, refreshTokenExpirySeconds) {
+	if (row.status === "disconnected") {
+		if (Date.now() - row.lastSeenAt.getTime() > refreshTokenExpirySeconds * 1e3) return "expired";
+	}
+	return "ok";
+}
 async function attachAgentCounts(db, rows) {
 	const counts = await db.select({
 		clientId: agents.clientId,
@@ -12025,13 +12110,23 @@ async function adminAgentRoutes(app) {
 			connection
 		});
 	});
-	/** POST /admin/agents/:uuid/chats — create a new workspace chat with the target agent */
+	/** POST /admin/agents/:uuid/chats — create a new workspace chat with the target agent.
+	*
+	* The chat creator is the user's HUMAN agent in the *target agent's* org,
+	* not in the JWT default org. Otherwise a multi-org user creating a chat
+	* with an agent outside their JWT default org gets `createChat`'s
+	* cross-organization guard ("Cross-organization chat not allowed: …"),
+	* even though the human is a member of the target agent's org.
+	* Symptom hit by the inline onboarding flow when the user creates a new
+	* agent in a non-default org and the auto-chat step fires.
+	*/
 	app.post("/:uuid/chats", async (request, reply) => {
 		const { uuid: targetAgentId } = request.params;
 		const scope = memberScope(request);
 		await assertAgentVisible(app.db, scope, targetAgentId);
-		const member = requireMember(request);
-		const result = await createChat(app.db, member.agentId, {
+		const targetAgent = await getAgent(app.db, targetAgentId);
+		const probe = await requireMemberInOrg(app.db, request, targetAgent.organizationId);
+		const result = await createChat(app.db, probe.agentId, {
 			type: "direct",
 			participantIds: [targetAgentId]
 		});
@@ -12353,6 +12448,167 @@ async function adminChatRoutes(app) {
 		});
 	});
 }
+/** In-memory set of consumed connect token JTIs. Entries auto-expire after 10 minutes. */
+const consumedConnectJtis = /* @__PURE__ */ new Map();
+const CONNECT_JTI_TTL_MS = 6e5;
+async function signToken(secret, payload, expiry) {
+	return new SignJWT({ ...payload }).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setJti(randomUUID()).setExpirationTime(expiry).sign(secret);
+}
+/**
+* Convert an `ms`-style expiry string (e.g. `"30m"`, `"30d"`, `"1w"`) to
+* seconds. Used to surface the connect token's `expiresIn` in the API
+* response. Mirrors the subset of `jose.setExpirationTime` we use; falls
+* through with a clear error on malformed config so a typo in the env var
+* surfaces at boot, not days later when the first token expires.
+*/
+function expiryToSeconds(expiry) {
+	const m = /^(\d+)\s*(s|m|h|d|w)$/.exec(expiry.trim());
+	if (!m) throw new Error(`Invalid expiry "${expiry}" — expected forms like "30s", "10m", "2h", "30d", "1w".`);
+	return Number(m[1]) * {
+		s: 1,
+		m: 60,
+		h: 3600,
+		d: 86400,
+		w: 604800
+	}[m[2]];
+}
+/**
+* Sign an `(access, refresh)` pair for the given member. Used by both the
+* legacy username/password login path and the SaaS GitHub OAuth callback,
+* so the issuance shape stays in one place.
+*/
+async function signTokensForMember(jwtSecretKey, member, expiries) {
+	const secret = new TextEncoder().encode(jwtSecretKey);
+	const tokenBase = {
+		sub: member.userId,
+		memberId: member.memberId,
+		organizationId: member.organizationId,
+		role: member.role
+	};
+	return {
+		accessToken: await signToken(secret, {
+			...tokenBase,
+			type: "access"
+		}, expiries.accessTokenExpiry),
+		refreshToken: await signToken(secret, {
+			...tokenBase,
+			type: "refresh"
+		}, expiries.refreshTokenExpiry)
+	};
+}
+async function login(db, username, password, jwtSecretKey, expiries) {
+	const [user] = await db.select().from(users).where(eq(users.username, username)).limit(1);
+	if (!user || user.status !== "active") throw new UnauthorizedError("Invalid username or password");
+	if (!await bcrypt.compare(password, user.passwordHash)) throw new UnauthorizedError("Invalid username or password");
+	const [member] = await db.select().from(members).where(and(eq(members.userId, user.id), eq(members.status, "active"))).orderBy(desc(members.createdAt), desc(members.id)).limit(1);
+	if (!member) throw new UnauthorizedError("No organization membership found");
+	const tokens = await signTokensForMember(jwtSecretKey, {
+		userId: user.id,
+		memberId: member.id,
+		organizationId: member.organizationId,
+		role: member.role
+	}, expiries);
+	await db.update(users).set({ updatedAt: /* @__PURE__ */ new Date() }).where(eq(users.id, user.id));
+	return tokens;
+}
+/**
+* Refresh an access token. Sliding-window: the response also carries a
+* fresh refresh token whose lifetime restarts from now, so an actively-used
+* client never hits the absolute `refreshTokenExpiry`. The previously
+* issued refresh token remains valid until its own `exp` — we deliberately
+* do **not** maintain a server-side jti revocation set. Same-process
+* concurrent refreshes therefore both succeed; the surviving refresh token
+* is whichever one the client persists last. The alternative (server-side
+* invalidation) is more defensive against token theft but introduces races
+* across systemd-supervised restarts and reconnect storms — a tradeoff
+* we're not paying for here.
+*/
+async function refreshAccessToken(db, refreshToken, jwtSecretKey, expiries) {
+	const secret = new TextEncoder().encode(jwtSecretKey);
+	let payload;
+	try {
+		const { payload: p } = await jwtVerify(refreshToken, secret);
+		payload = p;
+	} catch {
+		throw new UnauthorizedError("Invalid or expired refresh token");
+	}
+	if (payload.type !== "refresh" || !payload.sub) throw new UnauthorizedError("Invalid token type");
+	const [user] = await db.select({
+		id: users.id,
+		status: users.status
+	}).from(users).where(eq(users.id, payload.sub)).limit(1);
+	if (!user || user.status !== "active") throw new UnauthorizedError("User not found or suspended");
+	const [member] = await db.select().from(members).where(and(eq(members.id, payload.memberId), eq(members.status, "active"))).limit(1);
+	if (!member) throw new UnauthorizedError("Membership not found");
+	return signTokensForMember(jwtSecretKey, {
+		userId: user.id,
+		memberId: member.id,
+		organizationId: member.organizationId,
+		role: member.role
+	}, expiries);
+}
+/**
+* Generate a short-lived connect token for CLI authentication.
+* The connect token carries the member's identity and can be exchanged
+* for full access+refresh tokens via exchangeConnectToken().
+*
+* `iss` (when supplied) is stamped into the JWT so the CLI can derive
+* the hub URL with no additional argument. Production servers must
+* always pass it; dev callers may omit and the CLI will require an
+* explicit `--server-url` (legacy form).
+*/
+async function generateConnectToken(member, jwtSecretKey, expiries, iss) {
+	const secret = new TextEncoder().encode(jwtSecretKey);
+	const jti = randomUUID();
+	const builder = new SignJWT({
+		sub: member.userId,
+		memberId: member.memberId,
+		organizationId: member.organizationId,
+		role: member.role,
+		type: "connect"
+	}).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setJti(jti).setExpirationTime(expiries.connectTokenExpiry);
+	if (iss) builder.setIssuer(iss);
+	return {
+		token: await builder.sign(secret),
+		expiresIn: expiryToSeconds(expiries.connectTokenExpiry)
+	};
+}
+/**
+* Exchange a connect token for full access+refresh tokens.
+* Validates the connect token, verifies the user is still active,
+* and issues a fresh token pair.
+*/
+async function exchangeConnectToken(db, connectToken, jwtSecretKey, expiries) {
+	const secret = new TextEncoder().encode(jwtSecretKey);
+	let payload;
+	try {
+		const { payload: p } = await jwtVerify(connectToken, secret);
+		payload = p;
+	} catch {
+		throw new UnauthorizedError("Invalid or expired connect token");
+	}
+	if (payload.type !== "connect" || !payload.sub || !payload.memberId) throw new UnauthorizedError("Invalid token type — expected connect token");
+	const jti = payload.jti;
+	if (jti) {
+		if (consumedConnectJtis.has(jti)) throw new UnauthorizedError("Connect token has already been used");
+		consumedConnectJtis.set(jti, Date.now());
+		const cutoff = Date.now() - CONNECT_JTI_TTL_MS;
+		for (const [k, ts] of consumedConnectJtis) if (ts < cutoff) consumedConnectJtis.delete(k);
+	}
+	const [user] = await db.select({
+		id: users.id,
+		status: users.status
+	}).from(users).where(eq(users.id, payload.sub)).limit(1);
+	if (!user || user.status !== "active") throw new UnauthorizedError("User not found or suspended");
+	const [member] = await db.select().from(members).where(and(eq(members.id, payload.memberId), eq(members.status, "active"))).limit(1);
+	if (!member) throw new UnauthorizedError("Membership not found");
+	return signTokensForMember(jwtSecretKey, {
+		userId: user.id,
+		memberId: member.id,
+		organizationId: member.organizationId,
+		role: member.role
+	}, expiries);
+}
 /** Serialize a Date to ISO string, or null. */
 function serializeDate(d) {
 	return d ? d.toISOString() : null;
@@ -12362,13 +12618,16 @@ async function adminClientRoutes(app) {
 	app.get("/", async (request) => {
 		const scope = memberScope(request);
 		const { organizationId } = listClientsQuerySchema.parse(request.query);
-		return (organizationId ? await (async () => {
+		const clients = organizationId ? await (async () => {
 			if ((await requireMemberInOrg(app.db, request, organizationId)).role !== "admin") throw new ForbiddenError("Admin role required");
 			return listClientsForOrgAdmin(app.db, organizationId);
-		})() : await listClients(app.db, { userId: scope.userId })).map((c) => ({
+		})() : await listClients(app.db, { userId: scope.userId });
+		const refreshExpirySeconds = expiryToSeconds(app.config.auth.refreshTokenExpiry);
+		return clients.map((c) => ({
 			id: c.id,
 			userId: c.userId,
 			status: c.status,
+			authState: deriveAuthState(c, refreshExpirySeconds),
 			sdkVersion: c.sdkVersion,
 			hostname: c.hostname,
 			os: c.os,
@@ -12395,10 +12654,12 @@ async function adminClientRoutes(app) {
 		if (!client) throw new Error("unreachable: client missing after owner check");
 		const metadata = client.metadata ?? {};
 		const capabilities = metadata.capabilities && typeof metadata.capabilities === "object" ? metadata.capabilities : {};
+		const refreshExpirySeconds = expiryToSeconds(app.config.auth.refreshTokenExpiry);
 		return {
 			id: client.id,
 			userId: client.userId,
 			status: client.status,
+			authState: deriveAuthState(client, refreshExpirySeconds),
 			sdkVersion: client.sdkVersion,
 			hostname: client.hostname,
 			os: client.os,
@@ -12428,9 +12689,12 @@ async function adminClientRoutes(app) {
 		return reply.status(204).send();
 	});
 }
+const activityQuerySchema = z.object({ organizationId: z.string().min(1).optional() });
 async function adminActivityRoutes(app) {
 	app.get("/", async (request) => {
-		const scope = memberScope(request);
+		const baseScope = memberScope(request);
+		const { organizationId } = activityQuerySchema.parse(request.query);
+		const scope = await resolveAdminScope(app.db, request, baseScope, organizationId);
 		const overview = await getActivityOverview(app.db);
 		const runningAgents = await listAgentsWithRuntime(app.db, scope);
 		return {
@@ -15326,141 +15590,6 @@ function clientWsRoutes(notifier, instanceId) {
 		});
 	};
 }
-const ACCESS_TOKEN_EXPIRY = "30m";
-const REFRESH_TOKEN_EXPIRY = "7d";
-const CONNECT_TOKEN_EXPIRY = "10m";
-/** In-memory set of consumed connect token JTIs. Entries auto-expire after 10 minutes. */
-const consumedConnectJtis = /* @__PURE__ */ new Map();
-const CONNECT_JTI_TTL_MS = 6e5;
-async function signToken(secret, payload, expiry) {
-	return new SignJWT({ ...payload }).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime(expiry).sign(secret);
-}
-/**
-* Sign an `(access, refresh)` pair for the given member. Used by both the
-* legacy username/password login path and the SaaS GitHub OAuth callback,
-* so the issuance shape stays in one place.
-*/
-async function signTokensForMember(jwtSecretKey, member) {
-	const secret = new TextEncoder().encode(jwtSecretKey);
-	const tokenBase = {
-		sub: member.userId,
-		memberId: member.memberId,
-		organizationId: member.organizationId,
-		role: member.role
-	};
-	return {
-		accessToken: await signToken(secret, {
-			...tokenBase,
-			type: "access"
-		}, ACCESS_TOKEN_EXPIRY),
-		refreshToken: await signToken(secret, {
-			...tokenBase,
-			type: "refresh"
-		}, REFRESH_TOKEN_EXPIRY)
-	};
-}
-async function login(db, username, password, jwtSecretKey) {
-	const [user] = await db.select().from(users).where(eq(users.username, username)).limit(1);
-	if (!user || user.status !== "active") throw new UnauthorizedError("Invalid username or password");
-	if (!await bcrypt.compare(password, user.passwordHash)) throw new UnauthorizedError("Invalid username or password");
-	const [member] = await db.select().from(members).where(and(eq(members.userId, user.id), eq(members.status, "active"))).orderBy(desc(members.createdAt), desc(members.id)).limit(1);
-	if (!member) throw new UnauthorizedError("No organization membership found");
-	const tokens = await signTokensForMember(jwtSecretKey, {
-		userId: user.id,
-		memberId: member.id,
-		organizationId: member.organizationId,
-		role: member.role
-	});
-	await db.update(users).set({ updatedAt: /* @__PURE__ */ new Date() }).where(eq(users.id, user.id));
-	return tokens;
-}
-async function refreshAccessToken(db, refreshToken, jwtSecretKey) {
-	const secret = new TextEncoder().encode(jwtSecretKey);
-	let payload;
-	try {
-		const { payload: p } = await jwtVerify(refreshToken, secret);
-		payload = p;
-	} catch {
-		throw new UnauthorizedError("Invalid or expired refresh token");
-	}
-	if (payload.type !== "refresh" || !payload.sub) throw new UnauthorizedError("Invalid token type");
-	const [user] = await db.select({
-		id: users.id,
-		status: users.status
-	}).from(users).where(eq(users.id, payload.sub)).limit(1);
-	if (!user || user.status !== "active") throw new UnauthorizedError("User not found or suspended");
-	const [member] = await db.select().from(members).where(and(eq(members.id, payload.memberId), eq(members.status, "active"))).limit(1);
-	if (!member) throw new UnauthorizedError("Membership not found");
-	return { accessToken: await signToken(secret, {
-		sub: user.id,
-		memberId: member.id,
-		organizationId: member.organizationId,
-		role: member.role,
-		type: "access"
-	}, ACCESS_TOKEN_EXPIRY) };
-}
-/**
-* Generate a short-lived connect token for CLI authentication.
-* The connect token carries the member's identity and can be exchanged
-* for full access+refresh tokens via exchangeConnectToken().
-*
-* `iss` (when supplied) is stamped into the JWT so the CLI can derive
-* the hub URL with no additional argument. Production servers must
-* always pass it; dev callers may omit and the CLI will require an
-* explicit `--server-url` (legacy form).
-*/
-async function generateConnectToken(member, jwtSecretKey, iss) {
-	const secret = new TextEncoder().encode(jwtSecretKey);
-	const jti = randomUUID();
-	const builder = new SignJWT({
-		sub: member.userId,
-		memberId: member.memberId,
-		organizationId: member.organizationId,
-		role: member.role,
-		type: "connect"
-	}).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setJti(jti).setExpirationTime(CONNECT_TOKEN_EXPIRY);
-	if (iss) builder.setIssuer(iss);
-	return {
-		token: await builder.sign(secret),
-		expiresIn: 600
-	};
-}
-/**
-* Exchange a connect token for full access+refresh tokens.
-* Validates the connect token, verifies the user is still active,
-* and issues a fresh token pair.
-*/
-async function exchangeConnectToken(db, connectToken, jwtSecretKey) {
-	const secret = new TextEncoder().encode(jwtSecretKey);
-	let payload;
-	try {
-		const { payload: p } = await jwtVerify(connectToken, secret);
-		payload = p;
-	} catch {
-		throw new UnauthorizedError("Invalid or expired connect token");
-	}
-	if (payload.type !== "connect" || !payload.sub || !payload.memberId) throw new UnauthorizedError("Invalid token type — expected connect token");
-	const jti = payload.jti;
-	if (jti) {
-		if (consumedConnectJtis.has(jti)) throw new UnauthorizedError("Connect token has already been used");
-		consumedConnectJtis.set(jti, Date.now());
-		const cutoff = Date.now() - CONNECT_JTI_TTL_MS;
-		for (const [k, ts] of consumedConnectJtis) if (ts < cutoff) consumedConnectJtis.delete(k);
-	}
-	const [user] = await db.select({
-		id: users.id,
-		status: users.status
-	}).from(users).where(eq(users.id, payload.sub)).limit(1);
-	if (!user || user.status !== "active") throw new UnauthorizedError("User not found or suspended");
-	const [member] = await db.select().from(members).where(and(eq(members.id, payload.memberId), eq(members.status, "active"))).limit(1);
-	if (!member) throw new UnauthorizedError("Membership not found");
-	return signTokensForMember(jwtSecretKey, {
-		userId: user.id,
-		memberId: member.id,
-		organizationId: member.organizationId,
-		role: member.role
-	});
-}
 /**
 * Third-party / local auth identities for a user. Models "how does this user
 * prove they are who they say they are". A single user MAY have multiple
@@ -16045,7 +16174,7 @@ async function completeOauthFlow(app, request, reply, profile, next) {
 		memberId: memberInfo.memberId,
 		organizationId: memberInfo.organizationId,
 		role: memberInfo.role
-	});
+	}, app.config.auth);
 	const fragment = new URLSearchParams({
 		access: tokens.accessToken,
 		refresh: tokens.refreshToken,
@@ -16061,7 +16190,7 @@ async function authRoutes(app) {
 		timeWindow: "1 minute"
 	} } }, async (request, reply) => {
 		const body = loginSchema.parse(request.body);
-		const result = await login(app.db, body.username, body.password, app.config.secrets.jwtSecret);
+		const result = await login(app.db, body.username, body.password, app.config.secrets.jwtSecret, app.config.auth);
 		return reply.send(result);
 	});
 	app.post("/refresh", { config: { rateLimit: {
@@ -16069,7 +16198,7 @@ async function authRoutes(app) {
 		timeWindow: "1 minute"
 	} } }, async (request, reply) => {
 		const body = refreshTokenSchema.parse(request.body);
-		const result = await refreshAccessToken(app.db, body.refreshToken, app.config.secrets.jwtSecret);
+		const result = await refreshAccessToken(app.db, body.refreshToken, app.config.secrets.jwtSecret, app.config.auth);
 		return reply.send(result);
 	});
 	app.post("/connect-token", { config: { rateLimit: {
@@ -16077,7 +16206,7 @@ async function authRoutes(app) {
 		timeWindow: "1 minute"
 	} } }, async (request, reply) => {
 		const body = connectTokenExchangeSchema.parse(request.body);
-		const result = await exchangeConnectToken(app.db, body.token, app.config.secrets.jwtSecret);
+		const result = await exchangeConnectToken(app.db, body.token, app.config.secrets.jwtSecret, app.config.auth);
 		return reply.send(result);
 	});
 }
@@ -16288,7 +16417,7 @@ async function meRoutes(app) {
 			memberId: m.memberId,
 			organizationId: m.organizationId,
 			role: m.role
-		}, app.config.secrets.jwtSecret, issuer);
+		}, app.config.secrets.jwtSecret, app.config.auth, issuer);
 		return {
 			token,
 			expiresIn,
@@ -16338,7 +16467,7 @@ async function meRoutes(app) {
 			memberId: created.memberId,
 			organizationId: created.organizationId,
 			role: "admin"
-		});
+		}, app.config.auth);
 		return reply.status(201).send({
 			organization: {
 				id: created.organizationId,
@@ -16380,7 +16509,7 @@ async function meRoutes(app) {
 			memberId: member.id,
 			organizationId: member.organizationId,
 			role: member.role
-		});
+		}, app.config.auth);
 		return reply.status(200).send({
 			organizationId: member.organizationId,
 			memberId: member.id,
@@ -16426,7 +16555,7 @@ async function inferWizardStep(app, m) {
 * landing page.
 */
 async function publicInvitePreviewRoute(app) {
-	const { previewInvitation } = await import("./invitation-CBnQyB7o-DLQyW5ek.mjs");
+	const { previewInvitation } = await import("./invitation-CBnQyB7o-Bulf3Sl7.mjs");
 	app.get("/:token/preview", async (request, reply) => {
 		if (!request.params.token) throw new UnauthorizedError("Token required");
 		const preview = await previewInvitation(app.db, request.params.token);
@@ -16456,7 +16585,7 @@ async function adminInvitationRoutes(app) {
 		const m = requireMember(request);
 		if (m.role !== "admin") throw new ForbiddenError("Admin role required");
 		if (request.params.id !== m.organizationId) throw new ForbiddenError("Cannot rotate invitations for another organization");
-		const { rotateInvitation } = await import("./invitation-CBnQyB7o-DLQyW5ek.mjs");
+		const { rotateInvitation } = await import("./invitation-CBnQyB7o-Bulf3Sl7.mjs");
 		const inv = await rotateInvitation(app.db, m.organizationId, m.userId);
 		return {
 			id: inv.id,
@@ -18331,6 +18460,14 @@ function resolveCommandVersion$1(injected) {
 	return "0.0.0";
 }
 async function buildApp(config) {
+	try {
+		expiryToSeconds(config.auth.accessTokenExpiry);
+		expiryToSeconds(config.auth.refreshTokenExpiry);
+		expiryToSeconds(config.auth.connectTokenExpiry);
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		throw new Error(`${msg} — check FIRST_TREE_HUB_AUTH_*_EXPIRY env vars (got access=${config.auth.accessTokenExpiry}, refresh=${config.auth.refreshTokenExpiry}, connect=${config.auth.connectTokenExpiry}).`);
+	}
 	applyLoggerConfig({
 		level: config.observability.logging.level,
 		format: config.observability.logging.format,