npm - @agent-team-foundation/first-tree-hub - Versions diffs - 0.10.13 → 0.10.15 - Mend

@agent-team-foundation/first-tree-hub 0.10.13 → 0.10.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/dist/{saas-connect-DLVGb8OH.mjs → saas-connect-CebXWFF-.mjs} RENAMED Viewed

@@ -1,7 +1,7 @@
 import { m as __toESM } from "./esm-CYu4tXXn.mjs";
 import { _ as withSpan, a as endWsConnectionSpan, b as require_pino, c as messageAttrs, d as rootLogger$1, g as startWsConnectionSpan, i as currentTraceId, n as applyLoggerConfig, o as getFastifyOtelPlugin, p as setWsConnectionAttrs, r as createLogger$1, t as adapterAttrs, u as observabilityPlugin, v as withWsMessageSpan, y as FIRST_TREE_HUB_ATTR } from "./observability-DPyf745N-BSc8QNcR.mjs";
-import { C as serverConfigSchema, S as resolveConfigReadonly, _ as loadAgents, b as resetConfig, c as saveCredentials, d as DEFAULT_HOME_DIR$1, f as agentConfigSchema, g as initConfig, i as loadCredentials, l as DEFAULT_CONFIG_DIR, m as collectMissingPrompts, n as ensureFreshAccessToken, o as resolveServerUrl, p as clientConfigSchema, s as saveAgentConfig, u as DEFAULT_DATA_DIR$1, v as migrateLegacyHome, w as setConfigValue, x as resetConfigMeta } from "./bootstrap-CDeXqhkQ.mjs";
-import { $ as refreshTokenSchema, A as createOrgFromMeSchema, B as imageInlineContentSchema, C as clientRegisterSchema, D as createAgentSchema, E as createAdapterMappingSchema, F as dryRunAgentRuntimeConfigSchema, G as isReservedAgentName$1, H as inboxDeliverFrameSchema$1, I as extractMentions, J as loginSchema, K as joinByInvitationSchema, L as githubCallbackQuerySchema, M as createTaskSchema, N as defaultRuntimeConfigPayload, O as createChatSchema, P as delegateFeishuUserSchema, Q as rebindAgentSchema, R as githubDevCallbackQuerySchema, S as clientCapabilitiesSchema$1, St as wsAuthFrameSchema, T as createAdapterConfigSchema, U as inboxPollQuerySchema, V as inboxAckFrameSchema, W as isRedactedEnvValue, X as notificationQuerySchema, Y as messageSourceSchema$1, Z as paginationQuerySchema, _ as adminUpdateTaskSchema, _t as updateClientCapabilitiesSchema, a as AGENT_STATUSES, at as sendToAgentSchema, b as agentRuntimeConfigPayloadSchema$1, bt as updateSystemConfigSchema, ct as sessionEventSchema$1, d as TASK_HEALTH_SIGNALS, dt as switchOrgSchema, et as runtimeStateMessageSchema, f as TASK_STATUSES, ft as taskListQuerySchema, g as adminCreateTaskSchema, gt as updateChatSchema, h as addParticipantSchema, ht as updateAgentSchema, i as AGENT_SOURCES, it as sendMessageSchema, j as createOrganizationSchema, k as createMemberSchema, l as SYSTEM_CONFIG_DEFAULTS, lt as sessionReconcileRequestSchema, m as WS_AUTH_FRAME_TIMEOUT_MS, mt as updateAgentRuntimeConfigSchema, n as AGENT_NAME_REGEX$1, nt as scanMentionTokens, o as AGENT_TYPES, ot as sessionCompletionMessageSchema, p as TASK_TERMINAL_STATUSES, pt as updateAdapterConfigSchema, q as linkTaskChatSchema, r as AGENT_SELECTOR_HEADER$1, rt as selfServiceFeishuBotSchema, s as AGENT_VISIBILITY, st as sessionEventMessageSchema, t as AGENT_BIND_REJECT_REASONS, tt as safeRedirectPath, u as TASK_CREATOR_TYPES, ut as sessionStateMessageSchema, v as agentBindRequestSchema, vt as updateMemberSchema, w as connectTokenExchangeSchema, x as agentTypeSchema$1, xt as updateTaskStatusSchema, y as agentPinnedMessageSchema$1, yt as updateOrganizationSchema, z as githubStartQuerySchema } from "./dist-DwbhZyGi.mjs";
+import { C as resetConfigMeta, E as setConfigValue, S as resetConfig, T as serverConfigSchema, b as migrateLegacyHome, c as resolveServerUrl, d as DEFAULT_CONFIG_DIR, f as DEFAULT_DATA_DIR$1, g as collectMissingPrompts, h as clientConfigSchema, i as ensureFreshAccessToken, l as saveAgentConfig, m as agentConfigSchema, o as loadCredentials, p as DEFAULT_HOME_DIR$1, u as saveCredentials, v as initConfig, w as resolveConfigReadonly, y as loadAgents } from "./bootstrap-DUeYbwm-.mjs";
+import { $ as refreshTokenSchema, A as createOrgFromMeSchema, B as imageInlineContentSchema, C as clientRegisterSchema, D as createAgentSchema, E as createAdapterMappingSchema, F as dryRunAgentRuntimeConfigSchema, G as isReservedAgentName$1, H as inboxDeliverFrameSchema$1, I as extractMentions, J as loginSchema, K as joinByInvitationSchema, L as githubCallbackQuerySchema, M as createTaskSchema, N as defaultRuntimeConfigPayload, O as createChatSchema, P as delegateFeishuUserSchema, Q as rebindAgentSchema, R as githubDevCallbackQuerySchema, S as clientCapabilitiesSchema$1, St as wsAuthFrameSchema, T as createAdapterConfigSchema, U as inboxPollQuerySchema, V as inboxAckFrameSchema, W as isRedactedEnvValue, X as notificationQuerySchema, Y as messageSourceSchema$1, Z as paginationQuerySchema, _ as adminUpdateTaskSchema, _t as updateClientCapabilitiesSchema, a as AGENT_STATUSES, at as sendToAgentSchema, b as agentRuntimeConfigPayloadSchema$1, bt as updateSystemConfigSchema, ct as sessionEventSchema$1, d as TASK_HEALTH_SIGNALS, dt as switchOrgSchema, et as runtimeStateMessageSchema, f as TASK_STATUSES, ft as taskListQuerySchema, g as adminCreateTaskSchema, gt as updateChatSchema, h as addParticipantSchema, ht as updateAgentSchema, i as AGENT_SOURCES, it as sendMessageSchema, j as createOrganizationSchema, k as createMemberSchema, l as SYSTEM_CONFIG_DEFAULTS, lt as sessionReconcileRequestSchema, m as WS_AUTH_FRAME_TIMEOUT_MS, mt as updateAgentRuntimeConfigSchema, n as AGENT_NAME_REGEX$1, nt as scanMentionTokens, o as AGENT_TYPES, ot as sessionCompletionMessageSchema, p as TASK_TERMINAL_STATUSES, pt as updateAdapterConfigSchema, q as linkTaskChatSchema, r as AGENT_SELECTOR_HEADER$1, rt as selfServiceFeishuBotSchema, s as AGENT_VISIBILITY, st as sessionEventMessageSchema, t as AGENT_BIND_REJECT_REASONS, tt as safeRedirectPath, u as TASK_CREATOR_TYPES, ut as sessionStateMessageSchema, v as agentBindRequestSchema, vt as updateMemberSchema, w as connectTokenExchangeSchema, x as agentTypeSchema$1, xt as updateTaskStatusSchema, y as agentPinnedMessageSchema$1, yt as updateOrganizationSchema, z as githubStartQuerySchema } from "./dist-D6AOiyNg.mjs";
 import { _ as recordRedemption, a as ConflictError, b as uuidv7, c as UnauthorizedError, d as findActiveByToken, f as getActiveInvitation, h as organizations, i as ClientUserMismatchError$1, l as buildInviteUrl, m as invitations, n as BadRequestError, o as ForbiddenError, p as invitationRedemptions, r as ClientOrgMismatchError$1, s as NotFoundError, t as AppError, u as ensureActiveInvitation, y as users } from "./invitation-B1pjAyOz-BaCA9PII.mjs";
 import { createRequire } from "node:module";
 import { ZodError, z } from "zod";
@@ -21,7 +21,7 @@ import { fileURLToPath } from "node:url";
 import * as semver from "semver";
 import { confirm, input, password, select } from "@inquirer/prompts";
 import bcrypt from "bcrypt";
-import { and, asc, count, desc, eq, gt, inArray, isNotNull, isNull, lt, ne, or, sql } from "drizzle-orm";
+import { and, asc, count, desc, eq, gt, gte, inArray, isNotNull, isNull, lt, ne, or, sql } from "drizzle-orm";
 import { drizzle } from "drizzle-orm/postgres-js";
 import postgres from "postgres";
 import { migrate } from "drizzle-orm/postgres-js/migrator";
@@ -742,10 +742,25 @@ z.object({
 });
 z.object({ agentId: z.string().min(1) });
 const clientStatusSchema = z.enum(["connected", "disconnected"]);
+/**
+* Auth health channel surfaced to the Web admin dashboard. Computed
+* server-side per request from the row's offline duration vs the
+* configured refresh-token TTL — there is no DB column. See
+* `deriveAuthState` server-side.
+*
+*   - `ok`      — online, or recently offline (cached refresh token can
+*                 plausibly still mint access tokens).
+*   - `expired` — offline longer than the refresh-token TTL; the client
+*                 cannot recover on its own. The operator mints a fresh
+*                 connect token via the Web "+ New Connection" button
+*                 (or the inline Reconnect button on the row).
+*/
+const clientAuthStateSchema = z.enum(["ok", "expired"]);
 z.object({
 	id: z.string(),
 	userId: z.string().nullable(),
 	status: clientStatusSchema,
+	authState: clientAuthStateSchema,
 	sdkVersion: z.string().max(50).nullable(),
 	hostname: z.string().max(100).nullable(),
 	os: z.string().max(50).nullable(),
@@ -1517,6 +1532,11 @@ defineConfig({
 			secret: true
 		})
 	},
+	auth: {
+		accessTokenExpiry: field(z.string().default("30m"), { env: "FIRST_TREE_HUB_AUTH_ACCESS_TOKEN_EXPIRY" }),
+		refreshTokenExpiry: field(z.string().default("30d"), { env: "FIRST_TREE_HUB_AUTH_REFRESH_TOKEN_EXPIRY" }),
+		connectTokenExpiry: field(z.string().default("10m"), { env: "FIRST_TREE_HUB_AUTH_CONNECT_TOKEN_EXPIRY" })
+	},
 	contextTree: optional({
 		repo: field(z.string(), {
 			env: "FIRST_TREE_HUB_CONTEXT_TREE_REPO",
@@ -1863,6 +1883,13 @@ var ClientConnection = class extends EventEmitter {
 	/** Fires ~60s before JWT exp so we reconnect with a fresh token first. */
 	authRefreshTimer = null;
 	reconnectAttempt = 0;
+	/**
+	* If the most recent refresh attempt was rate-limited (HTTP 429), the
+	* server-suggested wait in ms — consumed by the next `scheduleReconnect`
+	* to floor its delay so we don't keep retrying inside the same 60s
+	* limiter window. Cleared after one use.
+	*/
+	nextReconnectMinDelayMs = 0;
 	closing = false;
 	registered = false;
 	/** Count of `server:welcome` frames received; drives `isReconnect` flag. */
@@ -2061,7 +2088,6 @@ var ClientConnection = class extends EventEmitter {
 			}, WS_CONNECT_TIMEOUT_MS);
 			ws.on("open", async () => {
 				this.ws = ws;
-				this.reconnectAttempt = 0;
 				this.wsLogger.debug("socket opened, sending auth");
 				try {
 					const token = await this.getAccessToken({ minValidityMs: AUTH_REFRESH_LEAD_MS + 5e3 });
@@ -2072,7 +2098,16 @@ var ClientConnection = class extends EventEmitter {
 					this.scheduleProactiveAuthRefresh(token);
 				} catch (err) {
 					this.authLogger.error({ err }, "failed to obtain access token");
-					settle(reject, err instanceof Error ? err : new Error(String(err)));
+					const e = err instanceof Error ? err : new Error(String(err));
+					if (e.name === "AuthRefreshFailedError") {
+						this.closing = true;
+						this.emit("auth:fatal", e);
+					} else if (e.name === "AuthRefreshRateLimitedError") {
+						const retryAfterMs = e.retryAfterMs ?? 3e4;
+						this.nextReconnectMinDelayMs = Math.max(this.nextReconnectMinDelayMs, retryAfterMs);
+						this.authLogger.warn({ retryAfterMs }, "refresh rate-limited; deferring reconnect");
+					}
+					settle(reject, e);
 					ws.close();
 				}
 			});
@@ -2168,6 +2203,7 @@ var ClientConnection = class extends EventEmitter {
 		if (type === "client:registered") {
 			const isReconnect = this.boundAgents.size > 0 || this.desiredBindings.size > 0;
 			this.registered = true;
+			this.reconnectAttempt = 0;
 			this.startHeartbeat();
 			this.wsLogger.info({ isReconnect }, "registered");
 			this.emit("connected");
@@ -2320,12 +2356,21 @@ var ClientConnection = class extends EventEmitter {
 		});
 	}
 	scheduleReconnect() {
+		if (this.closing) return;
 		this.reconnectAttempt++;
 		this.emit("reconnecting", this.reconnectAttempt);
-		const delay = Math.min(RECONNECT_BASE_MS * 2 ** (this.reconnectAttempt - 1), RECONNECT_MAX_MS);
+		const exponential = Math.min(RECONNECT_BASE_MS * 2 ** (this.reconnectAttempt - 1), RECONNECT_MAX_MS);
+		const floor = this.nextReconnectMinDelayMs;
+		this.nextReconnectMinDelayMs = 0;
+		let delay = Math.max(exponential, floor);
+		if (floor > 0) {
+			const jitter = delay * .2 * (Math.random() * 2 - 1);
+			delay = Math.max(0, Math.round(delay + jitter));
+		}
 		this.wsLogger.debug({
 			attempt: this.reconnectAttempt,
-			delayMs: delay
+			delayMs: delay,
+			floorMs: floor || void 0
 		}, "scheduling reconnect");
 		this.reconnectTimer = setTimeout(() => {
 			this.reconnectTimer = null;
@@ -2375,6 +2420,18 @@ var ClientConnection = class extends EventEmitter {
 	* before the server's scheduleAuthExpiry timer fires. Short-lived tokens
 	* (exp <= lead window) skip the proactive reconnect entirely — we let the
 	* server push `auth:expired` and handle that path.
+	*
+	* Order is "refresh-then-close", not "close-then-let-reconnect-refresh".
+	* The earlier shape relied on the new connection's open handler to do the
+	* `/auth/refresh` HTTP, which forced ≥1s of WS downtime per cycle even on
+	* the happy path (one base reconnect delay + the refresh round-trip) and
+	* compounded badly under 429: every retry attempt also closed/reopened the
+	* WS, holding the agent offline for 15-20s while the limiter cooled down.
+	* Refreshing first lets us swap the new token onto a still-open WS with no
+	* observable disconnect when the refresh succeeds; the original close-and-
+	* reconnect flow only runs on failure as a last-ditch fallback (it'll hit
+	* the same 429 on its next retry, but at least the Retry-After floor is
+	* now wired up so we don't pile attempts inside the same window).
 	*/
 	scheduleProactiveAuthRefresh(token) {
 		this.clearAuthRefreshTimer();
@@ -2384,12 +2441,29 @@ var ClientConnection = class extends EventEmitter {
 		if (delay <= 0) return;
 		this.authLogger.debug({ delayMs: delay }, "scheduled proactive auth refresh");
 		this.authRefreshTimer = setTimeout(() => {
-			this.authRefreshTimer = null;
-			if (this.closing) return;
-			this.authLogger.info("triggering proactive auth refresh");
-			this.ws?.close(1e3, "proactive auth refresh");
+			this.runProactiveAuthRefresh();
 		}, delay);
 	}
+	async runProactiveAuthRefresh() {
+		this.authRefreshTimer = null;
+		if (this.closing) return;
+		this.authLogger.info("triggering proactive auth refresh");
+		try {
+			await this.getAccessToken({ minValidityMs: AUTH_REFRESH_LEAD_MS + 5e3 });
+		} catch (err) {
+			const e = err instanceof Error ? err : new Error(String(err));
+			if (e.name === "AuthRefreshRateLimitedError") {
+				const retryAfterMs = e.retryAfterMs ?? 3e4;
+				this.nextReconnectMinDelayMs = Math.max(this.nextReconnectMinDelayMs, retryAfterMs);
+				this.authLogger.warn({ retryAfterMs }, "proactive refresh rate-limited; deferring reconnect");
+			} else if (e.name === "AuthRefreshFailedError") {
+				this.closing = true;
+				this.emit("auth:fatal", e);
+				return;
+			} else this.authLogger.warn({ err: e }, "proactive refresh failed; falling back to reconnect path");
+		}
+		this.ws?.close(1e3, "proactive auth refresh");
+	}
 };
 /** Built-in handler registry. Populated by handler modules. */
 const HANDLER_REGISTRY = /* @__PURE__ */ new Map();
@@ -6267,6 +6341,14 @@ var ClientRuntime = class {
 		this.connection.on("auth:expired", () => {
 			print.status("⚠️", "access token expired — reconnecting after refresh...");
 		});
+		this.connection.on("auth:fatal", (err) => {
+			print.blank();
+			print.status("✗", "auth expired — service is shutting down to break the reconnect loop.");
+			print.status("", err.message);
+			print.status("", "Recovery: get a new connect token from your Hub's Web admin");
+			print.status("", "          (Computers → + New Connection), then re-run the command shown.");
+			process.exit(75);
+		});
 		this.connection.on("error", (err) => {
 			print.status("⚠️", `client connection error: ${err.message}`);
 		});
@@ -8064,7 +8146,7 @@ async function onboardCreate(args) {
 	}
 	const runtimeAgent = args.type === "human" ? args.assistant : args.id;
 	if (args.feishuBotAppId && args.feishuBotAppSecret) {
-		const { bindFeishuBot } = await import("./feishu-viiZmwcn.mjs").then((n) => n.r);
+		const { bindFeishuBot } = await import("./feishu-DQ1l18Ah.mjs").then((n) => n.r);
 		const targetAgentUuid = args.type === "human" ? assistantUuid : primary.uuid;
 		if (!targetAgentUuid) print.line(`Warning: Cannot bind Feishu bot — no runtime agent available for "${args.id}".\n`);
 		else {
@@ -9044,7 +9126,7 @@ function createFeedbackHandler(config) {
 	return { handle };
 }
 //#endregion
-//#region ../server/dist/app-O9kCTpaF.mjs
+//#region ../server/dist/app-DFDhctwC.mjs
 var __defProp = Object.defineProperty;
 var __exportAll = (all, no_symbols) => {
 	let target = {};
@@ -9183,7 +9265,32 @@ function requireMember(request) {
 *   - Manageability distinguishes roles: admin can manage all, member only their own.
 *   - All conditions include organizationId scoping to prevent cross-org access.
 */
-/** Extract MemberScope from an authenticated request. Single definition, used by all routes. */
+/**
+* Extract MemberScope from an authenticated request. Single definition, used by all routes.
+*
+* **Org-scoped admin routes must NOT use the result of this directly for
+* data filtering.** The returned scope is keyed to the JWT default member,
+* which is whatever org `auth.login` happened to pick at issuance time —
+* not the org the user has selected in the dropdown (`localStorage.
+* selectedOrganizationId`). Pair every `memberScope(request)` in
+* `packages/server/src/api/admin/*.ts` with one of:
+*
+*   - `resolveAdminScope(db, request, baseScope, request.query.organizationId)`
+*     for routes that accept `?organizationId=` and want a uniformly rotated
+*     scope (every field keyed to the target org).
+*   - `requireMemberInOrg(db, request, orgId)` when only the membership
+*     `(memberId, role, agentId)` is needed for a specific org (e.g. the
+*     creator HUMAN in chat-create).
+*   - `assertCanManage(db, scope, agentUuid)` / `assertAgentVisible(db, scope, agentUuid)`
+*     for routes operating on a single agent — both already rebind authority
+*     to the agent's own org.
+*
+* `__tests__/admin-routes-org-scope-invariant.test.ts` pins this rule via a
+* grep over the admin route directory. If you intentionally land an admin
+* read/write route that targets only the JWT default org (no
+* cross-org switch awareness), update the whitelist there with a comment
+* explaining why.
+*/
 function memberScope(request) {
 	const m = requireMember(request);
 	return {
@@ -9300,12 +9407,14 @@ async function requireMemberInOrg(db, request, orgId) {
 	const m = requireMember(request);
 	const [row] = await db.select({
 		id: members.id,
-		role: members.role
+		role: members.role,
+		agentId: members.agentId
 	}).from(members).where(and(eq(members.userId, m.userId), eq(members.organizationId, orgId), eq(members.status, "active"))).limit(1);
 	if (!row) throw new ForbiddenError("Not an active member of the target organization");
 	return {
 		memberId: row.id,
-		role: row.role
+		role: row.role,
+		agentId: row.agentId
 	};
 }
 /**
@@ -9330,6 +9439,7 @@ async function resolveAdminScope(db, request, scope, requestedOrganizationId) {
 	return {
 		...scope,
 		memberId: probe.memberId,
+		humanAgentId: probe.agentId,
 		organizationId: requestedOrganizationId,
 		role: probe.role
 	};
@@ -11087,6 +11197,29 @@ async function listClientsForOrgAdmin(db, orgId) {
 		metadata: clients.metadata
 	}).from(clients).innerJoin(members, eq(members.userId, clients.userId)).where(and(eq(members.organizationId, orgId), eq(members.status, "active"))));
 }
+/**
+* Infer whether the client's locally-cached refresh token can plausibly
+* still mint access tokens. Used by the Web admin dashboard to render an
+* "AUTH EXPIRED" pill on rows whose offline duration has exceeded the
+* server's configured refresh-token TTL.
+*
+* Uses `lastSeenAt` (not `connectedAt`) because a healthy long-lived
+* client slides the refresh token continuously, so the absolute connect
+* time is no proxy for liveness. `lastSeenAt` is updated on register,
+* heartbeat, and the final disconnect — it lower-bounds the issue time
+* of the refresh token the client most likely still holds.
+*
+* Pure function, no DB access; the column-less design means there's no
+* server-side revocation path yet — every "expired" decision is purely
+* time-based. If we ever want admin-driven revocation, add a column
+* back and OR its value into this function.
+*/
+function deriveAuthState(row, refreshTokenExpirySeconds) {
+	if (row.status === "disconnected") {
+		if (Date.now() - row.lastSeenAt.getTime() > refreshTokenExpirySeconds * 1e3) return "expired";
+	}
+	return "ok";
+}
 async function attachAgentCounts(db, rows) {
 	const counts = await db.select({
 		clientId: agents.clientId,
@@ -11231,6 +11364,22 @@ function removeClientConnection(clientId, ws) {
 	clientConnections.delete(clientId);
 	return agentIds;
 }
+/**
+* Was `ws` the socket currently registered as `clientId`'s active connection
+* at the time of the call? Used by ws-client.ts's `socket.on("close")` to
+* decide whether to write `clients.status='disconnected'` to the DB — when a
+* fast reconnect happens, the new socket has already swapped itself in via
+* `setClientConnection`, so the old socket's late-arriving onClose must NOT
+* stamp the row back to disconnected.
+*
+* The check is "this socket equals the registered ws", not "this socket is
+* still OPEN" — the close handler runs precisely when the socket is no
+* longer OPEN, but the in-memory entry might still legitimately point at
+* us if no new connection has taken over yet.
+*/
+function isActiveClientConnection(clientId, ws) {
+	return clientConnections.get(clientId)?.ws === ws;
+}
 /** Send a message to a client's WebSocket. Returns true if delivered. */
 function sendToClient(clientId, message) {
 	const entry = clientConnections.get(clientId);
@@ -12025,13 +12174,23 @@ async function adminAgentRoutes(app) {
 			connection
 		});
 	});
-	/** POST /admin/agents/:uuid/chats — create a new workspace chat with the target agent */
+	/** POST /admin/agents/:uuid/chats — create a new workspace chat with the target agent.
+	*
+	* The chat creator is the user's HUMAN agent in the *target agent's* org,
+	* not in the JWT default org. Otherwise a multi-org user creating a chat
+	* with an agent outside their JWT default org gets `createChat`'s
+	* cross-organization guard ("Cross-organization chat not allowed: …"),
+	* even though the human is a member of the target agent's org.
+	* Symptom hit by the inline onboarding flow when the user creates a new
+	* agent in a non-default org and the auto-chat step fires.
+	*/
 	app.post("/:uuid/chats", async (request, reply) => {
 		const { uuid: targetAgentId } = request.params;
 		const scope = memberScope(request);
 		await assertAgentVisible(app.db, scope, targetAgentId);
-		const member = requireMember(request);
-		const result = await createChat(app.db, member.agentId, {
+		const targetAgent = await getAgent(app.db, targetAgentId);
+		const probe = await requireMemberInOrg(app.db, request, targetAgent.organizationId);
+		const result = await createChat(app.db, probe.agentId, {
 			type: "direct",
 			participantIds: [targetAgentId]
 		});
@@ -12353,6 +12512,167 @@ async function adminChatRoutes(app) {
 		});
 	});
 }
+/** In-memory set of consumed connect token JTIs. Entries auto-expire after 10 minutes. */
+const consumedConnectJtis = /* @__PURE__ */ new Map();
+const CONNECT_JTI_TTL_MS = 6e5;
+async function signToken(secret, payload, expiry) {
+	return new SignJWT({ ...payload }).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setJti(randomUUID()).setExpirationTime(expiry).sign(secret);
+}
+/**
+* Convert an `ms`-style expiry string (e.g. `"30m"`, `"30d"`, `"1w"`) to
+* seconds. Used to surface the connect token's `expiresIn` in the API
+* response. Mirrors the subset of `jose.setExpirationTime` we use; falls
+* through with a clear error on malformed config so a typo in the env var
+* surfaces at boot, not days later when the first token expires.
+*/
+function expiryToSeconds(expiry) {
+	const m = /^(\d+)\s*(s|m|h|d|w)$/.exec(expiry.trim());
+	if (!m) throw new Error(`Invalid expiry "${expiry}" — expected forms like "30s", "10m", "2h", "30d", "1w".`);
+	return Number(m[1]) * {
+		s: 1,
+		m: 60,
+		h: 3600,
+		d: 86400,
+		w: 604800
+	}[m[2]];
+}
+/**
+* Sign an `(access, refresh)` pair for the given member. Used by both the
+* legacy username/password login path and the SaaS GitHub OAuth callback,
+* so the issuance shape stays in one place.
+*/
+async function signTokensForMember(jwtSecretKey, member, expiries) {
+	const secret = new TextEncoder().encode(jwtSecretKey);
+	const tokenBase = {
+		sub: member.userId,
+		memberId: member.memberId,
+		organizationId: member.organizationId,
+		role: member.role
+	};
+	return {
+		accessToken: await signToken(secret, {
+			...tokenBase,
+			type: "access"
+		}, expiries.accessTokenExpiry),
+		refreshToken: await signToken(secret, {
+			...tokenBase,
+			type: "refresh"
+		}, expiries.refreshTokenExpiry)
+	};
+}
+async function login(db, username, password, jwtSecretKey, expiries) {
+	const [user] = await db.select().from(users).where(eq(users.username, username)).limit(1);
+	if (!user || user.status !== "active") throw new UnauthorizedError("Invalid username or password");
+	if (!await bcrypt.compare(password, user.passwordHash)) throw new UnauthorizedError("Invalid username or password");
+	const [member] = await db.select().from(members).where(and(eq(members.userId, user.id), eq(members.status, "active"))).orderBy(desc(members.createdAt), desc(members.id)).limit(1);
+	if (!member) throw new UnauthorizedError("No organization membership found");
+	const tokens = await signTokensForMember(jwtSecretKey, {
+		userId: user.id,
+		memberId: member.id,
+		organizationId: member.organizationId,
+		role: member.role
+	}, expiries);
+	await db.update(users).set({ updatedAt: /* @__PURE__ */ new Date() }).where(eq(users.id, user.id));
+	return tokens;
+}
+/**
+* Refresh an access token. Sliding-window: the response also carries a
+* fresh refresh token whose lifetime restarts from now, so an actively-used
+* client never hits the absolute `refreshTokenExpiry`. The previously
+* issued refresh token remains valid until its own `exp` — we deliberately
+* do **not** maintain a server-side jti revocation set. Same-process
+* concurrent refreshes therefore both succeed; the surviving refresh token
+* is whichever one the client persists last. The alternative (server-side
+* invalidation) is more defensive against token theft but introduces races
+* across systemd-supervised restarts and reconnect storms — a tradeoff
+* we're not paying for here.
+*/
+async function refreshAccessToken(db, refreshToken, jwtSecretKey, expiries) {
+	const secret = new TextEncoder().encode(jwtSecretKey);
+	let payload;
+	try {
+		const { payload: p } = await jwtVerify(refreshToken, secret);
+		payload = p;
+	} catch {
+		throw new UnauthorizedError("Invalid or expired refresh token");
+	}
+	if (payload.type !== "refresh" || !payload.sub) throw new UnauthorizedError("Invalid token type");
+	const [user] = await db.select({
+		id: users.id,
+		status: users.status
+	}).from(users).where(eq(users.id, payload.sub)).limit(1);
+	if (!user || user.status !== "active") throw new UnauthorizedError("User not found or suspended");
+	const [member] = await db.select().from(members).where(and(eq(members.id, payload.memberId), eq(members.status, "active"))).limit(1);
+	if (!member) throw new UnauthorizedError("Membership not found");
+	return signTokensForMember(jwtSecretKey, {
+		userId: user.id,
+		memberId: member.id,
+		organizationId: member.organizationId,
+		role: member.role
+	}, expiries);
+}
+/**
+* Generate a short-lived connect token for CLI authentication.
+* The connect token carries the member's identity and can be exchanged
+* for full access+refresh tokens via exchangeConnectToken().
+*
+* `iss` (when supplied) is stamped into the JWT so the CLI can derive
+* the hub URL with no additional argument. Production servers must
+* always pass it; dev callers may omit and the CLI will require an
+* explicit `--server-url` (legacy form).
+*/
+async function generateConnectToken(member, jwtSecretKey, expiries, iss) {
+	const secret = new TextEncoder().encode(jwtSecretKey);
+	const jti = randomUUID();
+	const builder = new SignJWT({
+		sub: member.userId,
+		memberId: member.memberId,
+		organizationId: member.organizationId,
+		role: member.role,
+		type: "connect"
+	}).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setJti(jti).setExpirationTime(expiries.connectTokenExpiry);
+	if (iss) builder.setIssuer(iss);
+	return {
+		token: await builder.sign(secret),
+		expiresIn: expiryToSeconds(expiries.connectTokenExpiry)
+	};
+}
+/**
+* Exchange a connect token for full access+refresh tokens.
+* Validates the connect token, verifies the user is still active,
+* and issues a fresh token pair.
+*/
+async function exchangeConnectToken(db, connectToken, jwtSecretKey, expiries) {
+	const secret = new TextEncoder().encode(jwtSecretKey);
+	let payload;
+	try {
+		const { payload: p } = await jwtVerify(connectToken, secret);
+		payload = p;
+	} catch {
+		throw new UnauthorizedError("Invalid or expired connect token");
+	}
+	if (payload.type !== "connect" || !payload.sub || !payload.memberId) throw new UnauthorizedError("Invalid token type — expected connect token");
+	const jti = payload.jti;
+	if (jti) {
+		if (consumedConnectJtis.has(jti)) throw new UnauthorizedError("Connect token has already been used");
+		consumedConnectJtis.set(jti, Date.now());
+		const cutoff = Date.now() - CONNECT_JTI_TTL_MS;
+		for (const [k, ts] of consumedConnectJtis) if (ts < cutoff) consumedConnectJtis.delete(k);
+	}
+	const [user] = await db.select({
+		id: users.id,
+		status: users.status
+	}).from(users).where(eq(users.id, payload.sub)).limit(1);
+	if (!user || user.status !== "active") throw new UnauthorizedError("User not found or suspended");
+	const [member] = await db.select().from(members).where(and(eq(members.id, payload.memberId), eq(members.status, "active"))).limit(1);
+	if (!member) throw new UnauthorizedError("Membership not found");
+	return signTokensForMember(jwtSecretKey, {
+		userId: user.id,
+		memberId: member.id,
+		organizationId: member.organizationId,
+		role: member.role
+	}, expiries);
+}
 /** Serialize a Date to ISO string, or null. */
 function serializeDate(d) {
 	return d ? d.toISOString() : null;
@@ -12362,13 +12682,16 @@ async function adminClientRoutes(app) {
 	app.get("/", async (request) => {
 		const scope = memberScope(request);
 		const { organizationId } = listClientsQuerySchema.parse(request.query);
-		return (organizationId ? await (async () => {
+		const clients = organizationId ? await (async () => {
 			if ((await requireMemberInOrg(app.db, request, organizationId)).role !== "admin") throw new ForbiddenError("Admin role required");
 			return listClientsForOrgAdmin(app.db, organizationId);
-		})() : await listClients(app.db, { userId: scope.userId })).map((c) => ({
+		})() : await listClients(app.db, { userId: scope.userId });
+		const refreshExpirySeconds = expiryToSeconds(app.config.auth.refreshTokenExpiry);
+		return clients.map((c) => ({
 			id: c.id,
 			userId: c.userId,
 			status: c.status,
+			authState: deriveAuthState(c, refreshExpirySeconds),
 			sdkVersion: c.sdkVersion,
 			hostname: c.hostname,
 			os: c.os,
@@ -12395,10 +12718,12 @@ async function adminClientRoutes(app) {
 		if (!client) throw new Error("unreachable: client missing after owner check");
 		const metadata = client.metadata ?? {};
 		const capabilities = metadata.capabilities && typeof metadata.capabilities === "object" ? metadata.capabilities : {};
+		const refreshExpirySeconds = expiryToSeconds(app.config.auth.refreshTokenExpiry);
 		return {
 			id: client.id,
 			userId: client.userId,
 			status: client.status,
+			authState: deriveAuthState(client, refreshExpirySeconds),
 			sdkVersion: client.sdkVersion,
 			hostname: client.hostname,
 			os: client.os,
@@ -12428,9 +12753,12 @@ async function adminClientRoutes(app) {
 		return reply.status(204).send();
 	});
 }
+const activityQuerySchema = z.object({ organizationId: z.string().min(1).optional() });
 async function adminActivityRoutes(app) {
 	app.get("/", async (request) => {
-		const scope = memberScope(request);
+		const baseScope = memberScope(request);
+		const { organizationId } = activityQuerySchema.parse(request.query);
+		const scope = await resolveAdminScope(app.db, request, baseScope, organizationId);
 		const overview = await getActivityOverview(app.db);
 		const runningAgents = await listAgentsWithRuntime(app.db, scope);
 		return {
@@ -14142,18 +14470,11 @@ async function pollInbox(db, inboxId, limit) {
 }
 async function pollInboxInner(db, inboxId, limit) {
 	return db.transaction(async (tx) => {
-		return bundleDeliveryWithSilentContext(tx, inboxId, await tx.execute(sql`
-      UPDATE inbox_entries
-      SET status = 'delivered', delivered_at = NOW()
-      WHERE id IN (
-        SELECT id FROM inbox_entries
-        WHERE inbox_id = ${inboxId} AND status = 'pending' AND notify = true
-        ORDER BY created_at
-        LIMIT ${limit}
-        FOR UPDATE SKIP LOCKED
-      )
-      RETURNING *
-    `));
+		const targetIds = tx.select({ id: inboxEntries.id }).from(inboxEntries).where(and(eq(inboxEntries.inboxId, inboxId), eq(inboxEntries.status, "pending"), eq(inboxEntries.notify, true))).orderBy(asc(inboxEntries.createdAt)).limit(limit).for("update", { skipLocked: true });
+		return bundleDeliveryWithSilentContext(tx, inboxId, await tx.update(inboxEntries).set({
+			status: "delivered",
+			deliveredAt: /* @__PURE__ */ new Date()
+		}).where(inArray(inboxEntries.id, targetIds)).returning());
 	});
 }
 /**
@@ -14166,7 +14487,7 @@ async function pollInboxInner(db, inboxId, limit) {
 * hub-inbox-ws-data-plane §3.2 risk #1).
 *
 * Steps:
-*   1. Sort by `created_at` ASC (PG `RETURNING` does not guarantee order).
+*   1. Sort by `createdAt` ASC (PG `RETURNING` does not guarantee order).
 *   2. For each trigger, collect silent context & bulk-ack stale silent rows.
 *   3. Fetch the trigger messages.
 *   4. Build wire payloads via the single dispatcher.
@@ -14175,16 +14496,16 @@ async function pollInboxInner(db, inboxId, limit) {
 */
 async function bundleDeliveryWithSilentContext(tx, inboxId, claimed) {
 	if (claimed.length === 0) return [];
-	claimed.sort((a, b) => a.created_at.localeCompare(b.created_at));
+	claimed.sort((a, b) => a.createdAt.getTime() - b.createdAt.getTime());
 	const precedingByEntryId = await collectPrecedingContext(tx, inboxId, claimed);
-	const messageIds = claimed.map((e) => e.message_id);
+	const messageIds = claimed.map((e) => e.messageId);
 	const msgs = await tx.select().from(messages).where(inArray(messages.id, messageIds));
 	const msgMap = new Map(msgs.map((m) => [m.id, m]));
 	const payloads = await buildClientMessagePayloadsForInbox(tx, inboxId, claimed.map((entry) => {
-		const msg = msgMap.get(entry.message_id);
-		if (!msg) throw new Error(`Unexpected: message ${entry.message_id} not found`);
+		const msg = msgMap.get(entry.messageId);
+		if (!msg) throw new Error(`Unexpected: message ${entry.messageId} not found`);
 		return {
-			entryChatId: entry.chat_id,
+			entryChatId: entry.chatId,
 			precedingMessages: precedingByEntryId.get(entry.id) ?? [],
 			message: {
 				id: msg.id,
@@ -14205,15 +14526,15 @@ async function bundleDeliveryWithSilentContext(tx, inboxId, claimed) {
 		const payload = payloads[idx];
 		if (!payload) throw new Error(`Unexpected: payload for entry ${entry.id} not built`);
 		return {
-			id: Number(entry.id),
-			inboxId: entry.inbox_id,
-			messageId: entry.message_id,
-			chatId: entry.chat_id,
+			id: entry.id,
+			inboxId: entry.inboxId,
+			messageId: entry.messageId,
+			chatId: entry.chatId,
 			status: entry.status,
-			retryCount: entry.retry_count,
-			createdAt: entry.created_at,
-			deliveredAt: entry.delivered_at ?? null,
-			ackedAt: entry.acked_at ?? null,
+			retryCount: entry.retryCount,
+			createdAt: entry.createdAt.toISOString(),
+			deliveredAt: entry.deliveredAt?.toISOString() ?? null,
+			ackedAt: entry.ackedAt?.toISOString() ?? null,
 			message: payload
 		};
 	});
@@ -14248,21 +14569,11 @@ async function claimAndBuildForPush(db, inboxId, messageId) {
 		"inbox.id": inboxId,
 		"message.id": messageId
 	}, () => db.transaction(async (tx) => {
-		return bundleDeliveryWithSilentContext(tx, inboxId, await tx.execute(sql`
-          UPDATE inbox_entries
-          SET status = 'delivered', delivered_at = NOW()
-          WHERE id IN (
-            SELECT id FROM inbox_entries
-            WHERE inbox_id = ${inboxId}
-              AND message_id = ${messageId}
-              AND status = 'pending'
-              AND notify = true
-            ORDER BY created_at
-            LIMIT ${PUSH_CLAIM_BATCH_LIMIT}
-            FOR UPDATE SKIP LOCKED
-          )
-          RETURNING *
-        `));
+		const targetIds = tx.select({ id: inboxEntries.id }).from(inboxEntries).where(and(eq(inboxEntries.inboxId, inboxId), eq(inboxEntries.messageId, messageId), eq(inboxEntries.status, "pending"), eq(inboxEntries.notify, true))).orderBy(asc(inboxEntries.createdAt)).limit(PUSH_CLAIM_BATCH_LIMIT).for("update", { skipLocked: true });
+		return bundleDeliveryWithSilentContext(tx, inboxId, await tx.update(inboxEntries).set({
+			status: "delivered",
+			deliveredAt: /* @__PURE__ */ new Date()
+		}).where(inArray(inboxEntries.id, targetIds)).returning());
 	}));
 }
 /**
@@ -14285,7 +14596,7 @@ async function claimBacklogForPush(db, inboxId, limit) {
 * `PRECEDING_CONTEXT_WINDOW_SECONDS`. Returned messages are oldest-first.
 *
 * Side effect: bulk-ack ALL silent pending rows in each chat with
-* created_at < latest_trigger.created_at — including ones that fell outside
+* createdAt < latest_trigger.createdAt — including ones that fell outside
 * the window/cap. Otherwise stale silent rows would accumulate and re-load
 * on every poll.
 */
@@ -14293,51 +14604,41 @@ async function collectPrecedingContext(tx, inboxId, triggers) {
 	const result = /* @__PURE__ */ new Map();
 	const byChat = /* @__PURE__ */ new Map();
 	for (const t of triggers) {
-		if (t.chat_id === null) continue;
-		const list = byChat.get(t.chat_id) ?? [];
+		if (t.chatId === null) continue;
+		const list = byChat.get(t.chatId) ?? [];
 		list.push(t);
-		byChat.set(t.chat_id, list);
+		byChat.set(t.chatId, list);
 	}
 	for (const [chatId, chatTriggers] of byChat) {
-		chatTriggers.sort((a, b) => a.created_at.localeCompare(b.created_at));
+		chatTriggers.sort((a, b) => a.createdAt.getTime() - b.createdAt.getTime());
 		let prevCreatedAt = null;
 		for (const trigger of chatTriggers) {
-			const preceding = (await tx.execute(sql`
-        SELECT ie.id, m.id AS message_id, m.sender_id, m.format, m.content, m.metadata,
-               m.created_at
-        FROM inbox_entries ie
-        JOIN messages m ON m.id = ie.message_id
-        WHERE ie.inbox_id = ${inboxId}
-          AND ie.chat_id = ${chatId}
-          AND ie.status = 'pending'
-          AND ie.notify = false
-          AND ie.created_at < ${trigger.created_at}
-          ${prevCreatedAt === null ? sql`` : sql`AND ie.created_at > ${prevCreatedAt}`}
-          AND ie.created_at > NOW() - make_interval(secs => ${PRECEDING_CONTEXT_WINDOW_SECONDS})
-        ORDER BY ie.created_at DESC
-        LIMIT ${50}
-        FOR UPDATE OF ie SKIP LOCKED
-      `)).map((r) => ({
-				id: r.message_id,
-				senderId: r.sender_id,
+			const preceding = (await tx.select({
+				messageId: messages.id,
+				senderId: messages.senderId,
+				format: messages.format,
+				content: messages.content,
+				metadata: messages.metadata,
+				createdAt: messages.createdAt
+			}).from(inboxEntries).innerJoin(messages, eq(messages.id, inboxEntries.messageId)).where(and(eq(inboxEntries.inboxId, inboxId), eq(inboxEntries.chatId, chatId), eq(inboxEntries.status, "pending"), eq(inboxEntries.notify, false), lt(inboxEntries.createdAt, trigger.createdAt), prevCreatedAt === null ? void 0 : gt(inboxEntries.createdAt, prevCreatedAt), sql`${inboxEntries.createdAt} > NOW() - make_interval(secs => ${PRECEDING_CONTEXT_WINDOW_SECONDS})`)).orderBy(desc(inboxEntries.createdAt)).limit(50).for("update", {
+				of: inboxEntries,
+				skipLocked: true
+			})).map((r) => ({
+				id: r.messageId,
+				senderId: r.senderId,
 				format: r.format,
 				content: r.content,
 				metadata: r.metadata ?? {},
-				createdAt: r.created_at
+				createdAt: r.createdAt.toISOString()
 			})).reverse();
 			result.set(trigger.id, preceding);
-			prevCreatedAt = trigger.created_at;
+			prevCreatedAt = trigger.createdAt;
 		}
 		const latestTrigger = chatTriggers[chatTriggers.length - 1];
-		if (latestTrigger) await tx.execute(sql`
-        UPDATE inbox_entries
-        SET status = 'acked', acked_at = NOW()
-        WHERE inbox_id = ${inboxId}
-          AND chat_id = ${chatId}
-          AND status = 'pending'
-          AND notify = false
-          AND created_at < ${latestTrigger.created_at}
-      `);
+		if (latestTrigger) await tx.update(inboxEntries).set({
+			status: "acked",
+			ackedAt: /* @__PURE__ */ new Date()
+		}).where(and(eq(inboxEntries.inboxId, inboxId), eq(inboxEntries.chatId, chatId), eq(inboxEntries.status, "pending"), eq(inboxEntries.notify, false), lt(inboxEntries.createdAt, latestTrigger.createdAt)));
 	}
 	return result;
 }
@@ -14380,23 +14681,14 @@ async function renewEntry(db, entryId, inboxId) {
 	return entry;
 }
 async function resetTimedOutEntries(db, timeoutSeconds = DEFAULT_INBOX_TIMEOUT_SECONDS, maxRetries = DEFAULT_MAX_RETRY_COUNT) {
-	const resetResult = await db.execute(sql`
-    UPDATE inbox_entries SET status = 'pending', retry_count = retry_count + 1
-    WHERE status = 'delivered'
-      AND delivered_at < NOW() - make_interval(secs => ${timeoutSeconds})
-      AND retry_count < ${maxRetries}
-    RETURNING id
-  `);
-	const failedResult = await db.execute(sql`
-    UPDATE inbox_entries SET status = 'failed'
-    WHERE status = 'delivered'
-      AND delivered_at < NOW() - make_interval(secs => ${timeoutSeconds})
-      AND retry_count >= ${maxRetries}
-    RETURNING id
-  `);
+	const reset = await db.update(inboxEntries).set({
+		status: "pending",
+		retryCount: sql`${inboxEntries.retryCount} + 1`
+	}).where(and(eq(inboxEntries.status, "delivered"), sql`${inboxEntries.deliveredAt} < NOW() - make_interval(secs => ${timeoutSeconds})`, lt(inboxEntries.retryCount, maxRetries))).returning({ id: inboxEntries.id });
+	const failed = await db.update(inboxEntries).set({ status: "failed" }).where(and(eq(inboxEntries.status, "delivered"), sql`${inboxEntries.deliveredAt} < NOW() - make_interval(secs => ${timeoutSeconds})`, gte(inboxEntries.retryCount, maxRetries))).returning({ id: inboxEntries.id });
 	return {
-		reset: resetResult.length,
-		failed: failedResult.length
+		reset: reset.length,
+		failed: failed.length
 	};
 }
 /** Default age (30 days) past which silent rows that no notify-true delivery
@@ -14415,7 +14707,7 @@ const SILENT_ROW_GC_MAX_AGE_SECONDS = 720 * 60 * 60;
 *      `(inbox_id, message_id, chat_id)` means leaving them around blocks
 *      legitimate retries with the same key.
 *
-*   2. `notify=false AND status='pending' AND created_at < NOW() - maxAge` —
+*   2. `notify=false AND status='pending' AND createdAt < NOW() - maxAge` —
 *      stale silent rows that no trigger ever caught up with. After 30
 *      days they're useless as preceding context (the @mention almost
 *      certainly already happened or the chat went dormant).
@@ -14424,22 +14716,11 @@ const SILENT_ROW_GC_MAX_AGE_SECONDS = 720 * 60 * 60;
 * can log meaningful counts.
 */
 async function pruneStaleSilentEntries(db, maxAgeSeconds = SILENT_ROW_GC_MAX_AGE_SECONDS) {
-	const ackedResult = await db.execute(sql`
-    DELETE FROM inbox_entries
-    WHERE notify = false
-      AND status = 'acked'
-    RETURNING id
-  `);
-	const staleResult = await db.execute(sql`
-    DELETE FROM inbox_entries
-    WHERE notify = false
-      AND status = 'pending'
-      AND created_at < NOW() - make_interval(secs => ${maxAgeSeconds})
-    RETURNING id
-  `);
+	const ackedDeleted = await db.delete(inboxEntries).where(and(eq(inboxEntries.notify, false), eq(inboxEntries.status, "acked"))).returning({ id: inboxEntries.id });
+	const stalePendingDeleted = await db.delete(inboxEntries).where(and(eq(inboxEntries.notify, false), eq(inboxEntries.status, "pending"), sql`${inboxEntries.createdAt} < NOW() - make_interval(secs => ${maxAgeSeconds})`)).returning({ id: inboxEntries.id });
 	return {
-		ackedDeleted: ackedResult.length,
-		stalePendingDeleted: staleResult.length
+		ackedDeleted: ackedDeleted.length,
+		stalePendingDeleted: stalePendingDeleted.length
 	};
 }
 async function agentInboxRoutes(app) {
@@ -15317,8 +15598,9 @@ function clientWsRoutes(notifier, instanceId) {
 				}
 				boundAgents.clear();
 				if (clientId) {
+					const stillActive = isActiveClientConnection(clientId, socket);
 					removeClientConnection(clientId, socket);
-					try {
+					if (stillActive) try {
 						await disconnectClient(app.db, clientId);
 					} catch {}
 				}
@@ -15326,141 +15608,6 @@ function clientWsRoutes(notifier, instanceId) {
 		});
 	};
 }
-const ACCESS_TOKEN_EXPIRY = "30m";
-const REFRESH_TOKEN_EXPIRY = "7d";
-const CONNECT_TOKEN_EXPIRY = "10m";
-/** In-memory set of consumed connect token JTIs. Entries auto-expire after 10 minutes. */
-const consumedConnectJtis = /* @__PURE__ */ new Map();
-const CONNECT_JTI_TTL_MS = 6e5;
-async function signToken(secret, payload, expiry) {
-	return new SignJWT({ ...payload }).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime(expiry).sign(secret);
-}
-/**
-* Sign an `(access, refresh)` pair for the given member. Used by both the
-* legacy username/password login path and the SaaS GitHub OAuth callback,
-* so the issuance shape stays in one place.
-*/
-async function signTokensForMember(jwtSecretKey, member) {
-	const secret = new TextEncoder().encode(jwtSecretKey);
-	const tokenBase = {
-		sub: member.userId,
-		memberId: member.memberId,
-		organizationId: member.organizationId,
-		role: member.role
-	};
-	return {
-		accessToken: await signToken(secret, {
-			...tokenBase,
-			type: "access"
-		}, ACCESS_TOKEN_EXPIRY),
-		refreshToken: await signToken(secret, {
-			...tokenBase,
-			type: "refresh"
-		}, REFRESH_TOKEN_EXPIRY)
-	};
-}
-async function login(db, username, password, jwtSecretKey) {
-	const [user] = await db.select().from(users).where(eq(users.username, username)).limit(1);
-	if (!user || user.status !== "active") throw new UnauthorizedError("Invalid username or password");
-	if (!await bcrypt.compare(password, user.passwordHash)) throw new UnauthorizedError("Invalid username or password");
-	const [member] = await db.select().from(members).where(and(eq(members.userId, user.id), eq(members.status, "active"))).orderBy(desc(members.createdAt), desc(members.id)).limit(1);
-	if (!member) throw new UnauthorizedError("No organization membership found");
-	const tokens = await signTokensForMember(jwtSecretKey, {
-		userId: user.id,
-		memberId: member.id,
-		organizationId: member.organizationId,
-		role: member.role
-	});
-	await db.update(users).set({ updatedAt: /* @__PURE__ */ new Date() }).where(eq(users.id, user.id));
-	return tokens;
-}
-async function refreshAccessToken(db, refreshToken, jwtSecretKey) {
-	const secret = new TextEncoder().encode(jwtSecretKey);
-	let payload;
-	try {
-		const { payload: p } = await jwtVerify(refreshToken, secret);
-		payload = p;
-	} catch {
-		throw new UnauthorizedError("Invalid or expired refresh token");
-	}
-	if (payload.type !== "refresh" || !payload.sub) throw new UnauthorizedError("Invalid token type");
-	const [user] = await db.select({
-		id: users.id,
-		status: users.status
-	}).from(users).where(eq(users.id, payload.sub)).limit(1);
-	if (!user || user.status !== "active") throw new UnauthorizedError("User not found or suspended");
-	const [member] = await db.select().from(members).where(and(eq(members.id, payload.memberId), eq(members.status, "active"))).limit(1);
-	if (!member) throw new UnauthorizedError("Membership not found");
-	return { accessToken: await signToken(secret, {
-		sub: user.id,
-		memberId: member.id,
-		organizationId: member.organizationId,
-		role: member.role,
-		type: "access"
-	}, ACCESS_TOKEN_EXPIRY) };
-}
-/**
-* Generate a short-lived connect token for CLI authentication.
-* The connect token carries the member's identity and can be exchanged
-* for full access+refresh tokens via exchangeConnectToken().
-*
-* `iss` (when supplied) is stamped into the JWT so the CLI can derive
-* the hub URL with no additional argument. Production servers must
-* always pass it; dev callers may omit and the CLI will require an
-* explicit `--server-url` (legacy form).
-*/
-async function generateConnectToken(member, jwtSecretKey, iss) {
-	const secret = new TextEncoder().encode(jwtSecretKey);
-	const jti = randomUUID();
-	const builder = new SignJWT({
-		sub: member.userId,
-		memberId: member.memberId,
-		organizationId: member.organizationId,
-		role: member.role,
-		type: "connect"
-	}).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setJti(jti).setExpirationTime(CONNECT_TOKEN_EXPIRY);
-	if (iss) builder.setIssuer(iss);
-	return {
-		token: await builder.sign(secret),
-		expiresIn: 600
-	};
-}
-/**
-* Exchange a connect token for full access+refresh tokens.
-* Validates the connect token, verifies the user is still active,
-* and issues a fresh token pair.
-*/
-async function exchangeConnectToken(db, connectToken, jwtSecretKey) {
-	const secret = new TextEncoder().encode(jwtSecretKey);
-	let payload;
-	try {
-		const { payload: p } = await jwtVerify(connectToken, secret);
-		payload = p;
-	} catch {
-		throw new UnauthorizedError("Invalid or expired connect token");
-	}
-	if (payload.type !== "connect" || !payload.sub || !payload.memberId) throw new UnauthorizedError("Invalid token type — expected connect token");
-	const jti = payload.jti;
-	if (jti) {
-		if (consumedConnectJtis.has(jti)) throw new UnauthorizedError("Connect token has already been used");
-		consumedConnectJtis.set(jti, Date.now());
-		const cutoff = Date.now() - CONNECT_JTI_TTL_MS;
-		for (const [k, ts] of consumedConnectJtis) if (ts < cutoff) consumedConnectJtis.delete(k);
-	}
-	const [user] = await db.select({
-		id: users.id,
-		status: users.status
-	}).from(users).where(eq(users.id, payload.sub)).limit(1);
-	if (!user || user.status !== "active") throw new UnauthorizedError("User not found or suspended");
-	const [member] = await db.select().from(members).where(and(eq(members.id, payload.memberId), eq(members.status, "active"))).limit(1);
-	if (!member) throw new UnauthorizedError("Membership not found");
-	return signTokensForMember(jwtSecretKey, {
-		userId: user.id,
-		memberId: member.id,
-		organizationId: member.organizationId,
-		role: member.role
-	});
-}
 /**
 * Third-party / local auth identities for a user. Models "how does this user
 * prove they are who they say they are". A single user MAY have multiple
@@ -16045,7 +16192,7 @@ async function completeOauthFlow(app, request, reply, profile, next) {
 		memberId: memberInfo.memberId,
 		organizationId: memberInfo.organizationId,
 		role: memberInfo.role
-	});
+	}, app.config.auth);
 	const fragment = new URLSearchParams({
 		access: tokens.accessToken,
 		refresh: tokens.refreshToken,
@@ -16061,7 +16208,7 @@ async function authRoutes(app) {
 		timeWindow: "1 minute"
 	} } }, async (request, reply) => {
 		const body = loginSchema.parse(request.body);
-		const result = await login(app.db, body.username, body.password, app.config.secrets.jwtSecret);
+		const result = await login(app.db, body.username, body.password, app.config.secrets.jwtSecret, app.config.auth);
 		return reply.send(result);
 	});
 	app.post("/refresh", { config: { rateLimit: {
@@ -16069,7 +16216,7 @@ async function authRoutes(app) {
 		timeWindow: "1 minute"
 	} } }, async (request, reply) => {
 		const body = refreshTokenSchema.parse(request.body);
-		const result = await refreshAccessToken(app.db, body.refreshToken, app.config.secrets.jwtSecret);
+		const result = await refreshAccessToken(app.db, body.refreshToken, app.config.secrets.jwtSecret, app.config.auth);
 		return reply.send(result);
 	});
 	app.post("/connect-token", { config: { rateLimit: {
@@ -16077,7 +16224,7 @@ async function authRoutes(app) {
 		timeWindow: "1 minute"
 	} } }, async (request, reply) => {
 		const body = connectTokenExchangeSchema.parse(request.body);
-		const result = await exchangeConnectToken(app.db, body.token, app.config.secrets.jwtSecret);
+		const result = await exchangeConnectToken(app.db, body.token, app.config.secrets.jwtSecret, app.config.auth);
 		return reply.send(result);
 	});
 }
@@ -16288,7 +16435,7 @@ async function meRoutes(app) {
 			memberId: m.memberId,
 			organizationId: m.organizationId,
 			role: m.role
-		}, app.config.secrets.jwtSecret, issuer);
+		}, app.config.secrets.jwtSecret, app.config.auth, issuer);
 		return {
 			token,
 			expiresIn,
@@ -16338,7 +16485,7 @@ async function meRoutes(app) {
 			memberId: created.memberId,
 			organizationId: created.organizationId,
 			role: "admin"
-		});
+		}, app.config.auth);
 		return reply.status(201).send({
 			organization: {
 				id: created.organizationId,
@@ -16380,7 +16527,7 @@ async function meRoutes(app) {
 			memberId: member.id,
 			organizationId: member.organizationId,
 			role: member.role
-		});
+		}, app.config.auth);
 		return reply.status(200).send({
 			organizationId: member.organizationId,
 			memberId: member.id,
@@ -16426,7 +16573,7 @@ async function inferWizardStep(app, m) {
 * landing page.
 */
 async function publicInvitePreviewRoute(app) {
-	const { previewInvitation } = await import("./invitation-CBnQyB7o-DLQyW5ek.mjs");
+	const { previewInvitation } = await import("./invitation-CBnQyB7o-Bulf3Sl7.mjs");
 	app.get("/:token/preview", async (request, reply) => {
 		if (!request.params.token) throw new UnauthorizedError("Token required");
 		const preview = await previewInvitation(app.db, request.params.token);
@@ -16456,7 +16603,7 @@ async function adminInvitationRoutes(app) {
 		const m = requireMember(request);
 		if (m.role !== "admin") throw new ForbiddenError("Admin role required");
 		if (request.params.id !== m.organizationId) throw new ForbiddenError("Cannot rotate invitations for another organization");
-		const { rotateInvitation } = await import("./invitation-CBnQyB7o-DLQyW5ek.mjs");
+		const { rotateInvitation } = await import("./invitation-CBnQyB7o-Bulf3Sl7.mjs");
 		const inv = await rotateInvitation(app.db, m.organizationId, m.userId);
 		return {
 			id: inv.id,
@@ -18331,6 +18478,14 @@ function resolveCommandVersion$1(injected) {
 	return "0.0.0";
 }
 async function buildApp(config) {
+	try {
+		expiryToSeconds(config.auth.accessTokenExpiry);
+		expiryToSeconds(config.auth.refreshTokenExpiry);
+		expiryToSeconds(config.auth.connectTokenExpiry);
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		throw new Error(`${msg} — check FIRST_TREE_HUB_AUTH_*_EXPIRY env vars (got access=${config.auth.accessTokenExpiry}, refresh=${config.auth.refreshTokenExpiry}, connect=${config.auth.connectTokenExpiry}).`);
+	}
 	applyLoggerConfig({
 		level: config.observability.logging.level,
 		format: config.observability.logging.format,