@agent-team-foundation/first-tree-hub 0.10.2 → 0.10.3

package/dist/{bootstrap-Ca5Fiqz6.mjs → bootstrap-CBAVWQUT.mjs}

@@ -582,8 +582,7 @@ const serverConfigSchema = defineConfig({
 		clientSecret: field(z.string(), {
 			env: "FIRST_TREE_HUB_GITHUB_OAUTH_CLIENT_SECRET",
 			secret: true
-		}),
-		devCallbackEnabled: field(z.boolean().default(false), { env: "FIRST_TREE_HUB_GITHUB_OAUTH_DEV_CALLBACK" })
+		})
 	}) }),
 	cors: optional({ origin: field(z.string(), { env: "FIRST_TREE_HUB_CORS_ORIGIN" }) }),
 	rateLimit: optional({

package/dist/cli/index.mjs

@@ -1,10 +1,10 @@
 #!/usr/bin/env node
 import "../observability-DPyf745N-BSc8QNcR.mjs";
-import { $ as FirstTreeHubSDK, A as checkWebSocket, B as ClientRuntime, C as checkClientConfig, D as checkServerConfig, E as checkNodeVersion, G as resolveReplyToFromEnv, K as fail, M as getClientServiceStatus, N as installClientService, O as checkServerHealth, P as isServiceSupported, Q as ClientOrgMismatchError, S as checkBackgroundService, T as checkDocker, U as createOwner, V as handleClientOrgMismatch, X as setJsonMode, Y as print, _ as runHomeMigration, a as declineUpdate, b as runMigrations, c as COMMAND_VERSION, d as promptMissingFields, et as SdkError, f as formatCheckReport, g as saveOnboardState, h as onboardCreate, i as createExecuteUpdate, it as configureClientLoggerForService, j as printResults, k as checkServerReachable, l as isInteractive, m as onboardCheck, nt as cleanWorkspaces, o as promptUpdate, p as loadOnboardState, q as success, r as registerSaaSConnectCommand, rt as applyClientLoggerConfig, s as startServer, tt as SessionRegistry, u as promptAddAgent, v as createApiNameResolver, w as checkDatabase, x as checkAgentConfigs, y as migrateLocalAgentDirs, z as stopPostgres } from "../saas-connect-idjpoPTk.mjs";
+import { A as checkServerHealth, C as checkAgentConfigs, D as checkDocker, E as checkDatabase, F as installClientService, G as createOwner, H as ClientRuntime, I as isServiceSupported, J as fail, M as checkWebSocket, N as printResults, O as checkNodeVersion, P as getClientServiceStatus, Q as setJsonMode, S as runMigrations, T as checkClientConfig, U as handleClientOrgMismatch, V as stopPostgres, Y as success, Z as print, _ as onboardCreate, a as declineUpdate, at as probeCapabilities, b as createApiNameResolver, c as COMMAND_VERSION, d as isInteractive, et as ClientOrgMismatchError, f as promptAddAgent, g as onboardCheck, h as loadOnboardState, i as createExecuteUpdate, it as cleanWorkspaces, j as checkServerReachable, k as checkServerConfig, l as reconcileLocalRuntimeProviders, m as formatCheckReport, nt as SdkError, o as promptUpdate, ot as applyClientLoggerConfig, p as promptMissingFields, q as resolveReplyToFromEnv, r as registerSaaSConnectCommand, rt as SessionRegistry, s as startServer, st as configureClientLoggerForService, tt as FirstTreeHubSDK, u as uploadClientCapabilities, v as saveOnboardState, w as checkBackgroundService, x as migrateLocalAgentDirs, y as runHomeMigration } from "../saas-connect-3p-vBkuY.mjs";
 import "../logger-core-BTmvdflj-DjW8FM4T.mjs";
-import { C as serverConfigSchema, _ as loadAgents, b as resetConfig, c as saveCredentials, d as DEFAULT_HOME_DIR, f as agentConfigSchema, g as initConfig, h as getConfigValue, i as loadCredentials, l as DEFAULT_CONFIG_DIR, n as ensureFreshAccessToken, o as resolveServerUrl, p as clientConfigSchema, r as ensureFreshAdminToken, s as saveAgentConfig, u as DEFAULT_DATA_DIR, w as setConfigValue, x as resetConfigMeta, y as readConfigFile } from "../bootstrap-Ca5Fiqz6.mjs";
-import "../dist-CLiN7cVS.mjs";
-import { n as bindFeishuUser, t as bindFeishuBot } from "../feishu-FTWnoOsc.mjs";
+import { C as serverConfigSchema, _ as loadAgents, b as resetConfig, c as saveCredentials, d as DEFAULT_HOME_DIR, f as agentConfigSchema, g as initConfig, h as getConfigValue, i as loadCredentials, l as DEFAULT_CONFIG_DIR, n as ensureFreshAccessToken, o as resolveServerUrl, p as clientConfigSchema, r as ensureFreshAdminToken, s as saveAgentConfig, u as DEFAULT_DATA_DIR, w as setConfigValue, x as resetConfigMeta, y as readConfigFile } from "../bootstrap-CBAVWQUT.mjs";
+import "../dist-DUCelK3Z.mjs";
+import { n as bindFeishuUser, t as bindFeishuBot } from "../feishu-Boy3n8CT.mjs";
 import "../invitation-C_zAhB8x-8Khychlu.mjs";
 import { join } from "node:path";
 import { existsSync, mkdirSync, readFileSync, readdirSync, rmSync } from "node:fs";
@@ -349,7 +349,8 @@ function registerAgentCommands(program) {
 			const createBody = {
 				name,
 				type: options.type,
-				clientId: options.clientId
+				clientId: options.clientId,
+				runtimeProvider: options.runtime
 			};
 			if (options.displayName) createBody.displayName = options.displayName;
 			const createRes = await fetch(`${serverUrl}/api/v1/admin/agents`, {
@@ -916,6 +917,20 @@ function registerConnectCommand(parent) {
 				const msg = err instanceof Error ? err.message : String(err);
 				print.status("⚠️", `agent-dir migration skipped: ${msg}`);
 			}
+			let probedCapabilities = null;
+			try {
+				const accessToken = await ensureFreshAccessToken();
+				probedCapabilities = await probeCapabilities();
+				await reconcileLocalRuntimeProviders({
+					serverUrl: config.server.url,
+					accessToken,
+					agentsDir,
+					log: (level, msg) => print.status(level === "warn" ? "⚠️" : "•", msg)
+				});
+			} catch (err) {
+				const msg = err instanceof Error ? err.message : String(err);
+				print.status("⚠️", `runtime-provider reconcile skipped: ${msg}`);
+			}
 			const agents = loadAgents({
 				schema: agentConfigSchema,
 				agentsDir
@@ -930,6 +945,18 @@ function registerConnectCommand(parent) {
 			});
 			for (const [name, agentConfig] of agents) runtime.addAgent(name, agentConfig);
 			await runtime.start();
+			if (probedCapabilities) try {
+				const accessToken = await ensureFreshAccessToken();
+				await uploadClientCapabilities({
+					serverUrl: config.server.url,
+					accessToken,
+					clientId: config.client.id,
+					capabilities: probedCapabilities
+				});
+			} catch (err) {
+				const msg = err instanceof Error ? err.message : String(err);
+				print.status("⚠️", `capabilities upload skipped: ${msg}`);
+			}
 			runtime.watchAgentsDir(agentsDir);
 			const shutdown = async () => {
 				print.line("\n  Shutting down...\n");
@@ -989,6 +1016,20 @@ function registerClientCommands(program) {
 				const msg = err instanceof Error ? err.message : String(err);
 				print.status("⚠️", `agent-dir migration skipped: ${msg}`);
 			}
+			let probedCapabilities = null;
+			try {
+				const accessToken = await ensureFreshAccessToken();
+				probedCapabilities = await probeCapabilities();
+				await reconcileLocalRuntimeProviders({
+					serverUrl: config.server.url,
+					accessToken,
+					agentsDir,
+					log: (level, msg) => print.status(level === "warn" ? "⚠️" : "•", msg)
+				});
+			} catch (err) {
+				const msg = err instanceof Error ? err.message : String(err);
+				print.status("⚠️", `runtime-provider reconcile skipped: ${msg}`);
+			}
 			const agents = loadAgents({
 				schema: agentConfigSchema,
 				agentsDir
@@ -1005,6 +1046,18 @@ function registerClientCommands(program) {
 			});
 			for (const [name, agentConfig] of agents) runtime.addAgent(name, agentConfig);
 			await runtime.start();
+			if (probedCapabilities) try {
+				const accessToken = await ensureFreshAccessToken();
+				await uploadClientCapabilities({
+					serverUrl: config.server.url,
+					accessToken,
+					clientId: config.client.id,
+					capabilities: probedCapabilities
+				});
+			} catch (err) {
+				const msg = err instanceof Error ? err.message : String(err);
+				print.status("⚠️", `capabilities upload skipped: ${msg}`);
+			}
 			runtime.watchAgentsDir(agentsDir);
 			const shutdown = async () => {
 				print.line("\n  Shutting down...\n");
@@ -1212,13 +1265,13 @@ function isSecretField(schema, dotPath) {
 //#region src/commands/onboard.ts
 async function promptMissing(args) {
 	if (!args.server) try {
-		const { resolveServerUrl } = await import("../bootstrap-Ca5Fiqz6.mjs").then((n) => n.t);
+		const { resolveServerUrl } = await import("../bootstrap-CBAVWQUT.mjs").then((n) => n.t);
 		resolveServerUrl();
 	} catch {
 		args.server = await input({ message: "Hub server URL:" });
 		saveOnboardState(args);
 	}
-	const { loadCredentials } = await import("../bootstrap-Ca5Fiqz6.mjs").then((n) => n.t);
+	const { loadCredentials } = await import("../bootstrap-CBAVWQUT.mjs").then((n) => n.t);
 	if (!loadCredentials()) throw new Error("No saved credentials. Run `first-tree-hub client connect <server-url>` before onboarding.");
 	if (!args.id) {
 		args.id = await input({ message: "Agent ID:" });

package/dist/{dist-CLiN7cVS.mjs → dist-DUCelK3Z.mjs}

@@ -160,14 +160,16 @@ const AGENT_BIND_REJECT_REASONS = {
 	NOT_OWNED: "not_owned",
 	AGENT_SUSPENDED: "agent_suspended",
 	WRONG_ORG: "wrong_org",
-	UNKNOWN_AGENT: "unknown_agent"
+	UNKNOWN_AGENT: "unknown_agent",
+	RUNTIME_PROVIDER_MISMATCH: "runtime_provider_mismatch"
 };
 z.enum([
 	"wrong_client",
 	"not_owned",
 	"agent_suspended",
 	"wrong_org",
-	"unknown_agent"
+	"unknown_agent",
+	"runtime_provider_mismatch"
 ]);
 /** Header used on agent-scoped HTTP calls to select which managed agent the JWT acts as. */
 const AGENT_SELECTOR_HEADER = "x-agent-id";
@@ -195,6 +197,8 @@ z.object({
 	}),
 	clients: z.number().int()
 });
+const runtimeProviderSchema = z.enum(["claude-code", "codex"]);
+const DEFAULT_RUNTIME_PROVIDER = "claude-code";
 const AGENT_TYPES = {
 	HUMAN: "human",
 	PERSONAL_ASSISTANT: "personal_assistant",
@@ -254,7 +258,8 @@ const createAgentSchema = z.object({
 	visibility: agentVisibilitySchema.optional(),
 	metadata: z.record(z.string(), z.unknown()).optional(),
 	managerId: z.string().optional(),
-	clientId: z.string().min(1).max(100).optional()
+	clientId: z.string().min(1).max(100).optional(),
+	runtimeProvider: runtimeProviderSchema.optional()
 });
 const updateAgentSchema = z.object({
 	type: agentTypeSchema.optional(),
@@ -265,6 +270,18 @@ const updateAgentSchema = z.object({
 	managerId: z.string().nullable().optional(),
 	clientId: z.string().min(1).max(100).nullable().optional()
 });
+/**
+* Service-level rebind input. Admin / owner re-binds an agent to a new
+* client and/or a new runtime provider in one atomic operation.
+*
+* `force` bypasses the capability-match check (e.g. when the client is
+* offline and capabilities are stale).
+*/
+const rebindAgentSchema = z.object({
+	clientId: z.string().min(1).max(100),
+	runtimeProvider: runtimeProviderSchema,
+	force: z.boolean().optional()
+});
 z.object({
 	uuid: z.string(),
 	name: z.string().nullable(),
@@ -279,6 +296,7 @@ z.object({
 	metadata: z.record(z.string(), z.unknown()),
 	managerId: z.string().nullable(),
 	clientId: z.string().nullable(),
+	runtimeProvider: runtimeProviderSchema,
 	presenceStatus: presenceStatusSchema.optional(),
 	createdAt: z.string(),
 	updatedAt: z.string()
@@ -298,14 +316,16 @@ const agentPinnedMessageSchema = z.object({
 	agentId: z.string(),
 	name: z.string().nullable(),
 	displayName: z.string(),
-	agentType: agentTypeSchema
+	agentType: agentTypeSchema,
+	runtimeProvider: runtimeProviderSchema
 });
 /**
-* Agent runtime configuration — M1 (Claude Code only).
+* Agent runtime configuration.
 *
 * Defines the 5 user-tunable field groups that the Hub centrally manages
 * and pushes down to the client runtime: prompt append, model, MCP servers,
-* env vars, and Git repos.
+* env vars, and Git repos. Tagged by `kind` (a runtime provider) so future
+* provider-specific fields can land on a dedicated variant.
 *
 * NOTE: do not co-locate with `packages/shared/src/config/` — that namespace
 * is reserved for the local YAML config (`agent.yaml` / server / client) and
@@ -349,9 +369,11 @@ const gitRepoSchema = z.object({
 	localPath: z.string().min(1).optional()
 });
 /**
-* Base shape (no refinements) — used for `.partial()` derivations such as the
-* PATCH payload schema. Zod 4 forbids `.partial()` on a refined object, so we
-* keep refinements on a separate full schema below.
+* Untagged base shape — 5 user-tunable fields, no `kind` discriminator.
+* Used for `.partial()` derivations on the PATCH side, where `kind` is
+* pinned to `agents.runtime_provider` and never changes via config PATCH.
+* Zod 4 forbids `.partial()` on a refined object, so we keep refinements
+* on the tagged schema below.
 */
 const agentRuntimeConfigPayloadShape = z.object({
 	prompt: promptConfigSchema.default({ append: "" }),
@@ -360,6 +382,17 @@ const agentRuntimeConfigPayloadShape = z.object({
 	env: z.array(envEntrySchema).default([]),
 	gitRepos: z.array(gitRepoSchema).default([])
 });
+/**
+* Tagged variants — read-side, full payload including `kind`. Adding a new
+* provider means adding a variant here, plus a handler factory and a
+* capability probe module on the client side.
+*
+* Provider-specific fields (e.g. codex `sandboxMode`) belong on the
+* matching variant, not on the base shape.
+*/
+const claudeRuntimeConfigPayloadShape = agentRuntimeConfigPayloadShape.extend({ kind: z.literal("claude-code") });
+const codexRuntimeConfigPayloadShape = agentRuntimeConfigPayloadShape.extend({ kind: z.literal("codex") });
+const taggedPayloadUnion = z.discriminatedUnion("kind", [claudeRuntimeConfigPayloadShape, codexRuntimeConfigPayloadShape]);
 const payloadDuplicatesRefinement = (payload, ctx) => {
 	const seenMcp = /* @__PURE__ */ new Set();
 	payload.mcpServers.forEach((server, idx) => {
@@ -404,15 +437,54 @@ const payloadDuplicatesRefinement = (payload, ctx) => {
 		seenPaths.add(path);
 	});
 };
-const agentRuntimeConfigPayloadSchema = agentRuntimeConfigPayloadShape.superRefine(payloadDuplicatesRefinement);
-/** Default payload used when creating a fresh agent. */
+/**
+* Read-side full payload schema. Rows persisted before 0026 do not carry
+* `kind`; `z.preprocess` injects `"claude-code"` so they parse cleanly into
+* the claude variant. The service layer separately enforces
+* `payload.kind === agents.runtime_provider` on writes.
+*/
+const agentRuntimeConfigPayloadSchema = z.preprocess((input) => {
+	if (input && typeof input === "object" && !Array.isArray(input) && !("kind" in input)) return {
+		...input,
+		kind: "claude-code"
+	};
+	return input;
+}, taggedPayloadUnion).superRefine((payload, ctx) => {
+	payloadDuplicatesRefinement(payload, ctx);
+});
+/** Default payload used when creating a fresh claude-code agent. */
 const DEFAULT_AGENT_RUNTIME_CONFIG_PAYLOAD = {
+	kind: "claude-code",
 	prompt: { append: "" },
 	model: "opus",
 	mcpServers: [],
 	env: [],
 	gitRepos: []
 };
+/**
+* Default payload for a fresh codex agent. Same 5 fields as claude-code.
+* `model` is left empty by default so the Codex CLI picks one matching the
+* user's auth mode — `gpt-5-codex` is rejected by ChatGPT-account auth, while
+* an empty string lets the SDK fall through to its built-in default.
+*/
+const DEFAULT_CODEX_RUNTIME_CONFIG_PAYLOAD = {
+	kind: "codex",
+	prompt: { append: "" },
+	model: "",
+	mcpServers: [],
+	env: [],
+	gitRepos: []
+};
+/**
+* Default payload selector by runtime provider.
+*/
+function defaultRuntimeConfigPayload(provider) {
+	switch (provider) {
+		case "codex": return { ...DEFAULT_CODEX_RUNTIME_CONFIG_PAYLOAD };
+		case "claude-code": return { ...DEFAULT_AGENT_RUNTIME_CONFIG_PAYLOAD };
+		default: return { ...DEFAULT_AGENT_RUNTIME_CONFIG_PAYLOAD };
+	}
+}
 const agentRuntimeConfigSchema = z.object({
 	agentId: z.string(),
 	version: z.number().int().positive(),
@@ -531,6 +603,37 @@ const clientRegisterSchema = z.object({
 	os: z.string().max(50).optional(),
 	sdkVersion: z.string().max(50).optional()
 });
+const capabilityStateSchema = z.enum([
+	"ok",
+	"missing",
+	"unauthenticated",
+	"error"
+]);
+const capabilityAuthMethodSchema = z.enum([
+	"api_key",
+	"oauth",
+	"auth_json",
+	"none"
+]);
+const capabilityEntrySchema = z.object({
+	state: capabilityStateSchema,
+	available: z.boolean(),
+	authenticated: z.boolean(),
+	sdkVersion: z.string().nullable().optional(),
+	authMethod: capabilityAuthMethodSchema,
+	error: z.string().nullable().optional(),
+	detectedAt: z.string()
+});
+/**
+* Capabilities snapshot keyed by runtime provider name. Recorded as a plain
+* `Record<string, CapabilityEntry>` — every entry is optional (a client may
+* report only the runtimes it actually probed) and the key set evolves
+* naturally as new providers ship without a schema migration. Service-layer
+* lookups (`agents.runtime_provider ∈ keys(capabilities)`) treat the keys
+* as `RuntimeProvider` strings.
+*/
+const clientCapabilitiesSchema = z.record(z.string(), capabilityEntrySchema);
+const updateClientCapabilitiesSchema = z.object({ capabilities: clientCapabilitiesSchema });
 const paginationQuerySchema = z.object({
 	limit: z.coerce.number().int().min(1).max(100).default(20),
 	cursor: z.string().optional()
@@ -801,7 +904,7 @@ const githubCallbackQuerySchema = z.object({
 });
 /**
 * Dev-only callback to bypass the GitHub round-trip — sign in as a stub
-* Github user. Gated by NODE_ENV !== 'production' AND `oauth.github.devCallbackEnabled`.
+* Github user. Gated by NODE_ENV !== 'production'; production always 404s.
 */
 const githubDevCallbackQuerySchema = z.object({
 	githubId: z.string().min(1),
@@ -1147,4 +1250,4 @@ z.object({
 	serverTimeMs: z.number().int().nonnegative()
 }).passthrough();
 //#endregion
-export { sendMessageSchema as $, createOrganizationSchema as A, isRedactedEnvValue as B, connectTokenExchangeSchema as C, createChatSchema as D, createAgentSchema as E, githubCallbackQuerySchema as F, messageSourceSchema as G, joinByInvitationSchema as H, githubDevCallbackQuerySchema as I, refreshTokenSchema as J, notificationQuerySchema as K, githubStartQuerySchema as L, delegateFeishuUserSchema as M, dryRunAgentRuntimeConfigSchema as N, createMemberSchema as O, extractMentions as P, selfServiceFeishuBotSchema as Q, imageInlineContentSchema as R, clientRegisterSchema as S, createAdapterMappingSchema as T, linkTaskChatSchema as U, isReservedAgentName as V, loginSchema as W, safeRedirectPath as X, runtimeStateMessageSchema as Y, scanMentionTokens as Z, adminUpdateTaskSchema as _, AGENT_STATUSES as a, sessionStateMessageSchema as at, agentRuntimeConfigPayloadSchema as b, DEFAULT_AGENT_RUNTIME_CONFIG_PAYLOAD as c, updateAdapterConfigSchema as ct, TASK_HEALTH_SIGNALS as d, updateChatSchema as dt, sendToAgentSchema as et, TASK_STATUSES as f, updateMemberSchema as ft, adminCreateTaskSchema as g, wsAuthFrameSchema as gt, addParticipantSchema as h, updateTaskStatusSchema as ht, AGENT_SOURCES as i, sessionReconcileRequestSchema as it, createTaskSchema as j, createOrgFromMeSchema as k, SYSTEM_CONFIG_DEFAULTS as l, updateAgentRuntimeConfigSchema as lt, WS_AUTH_FRAME_TIMEOUT_MS as m, updateSystemConfigSchema as mt, AGENT_NAME_REGEX as n, sessionEventMessageSchema as nt, AGENT_TYPES as o, switchOrgSchema as ot, TASK_TERMINAL_STATUSES as p, updateOrganizationSchema as pt, paginationQuerySchema as q, AGENT_SELECTOR_HEADER as r, sessionEventSchema as rt, AGENT_VISIBILITY as s, taskListQuerySchema as st, AGENT_BIND_REJECT_REASONS as t, sessionCompletionMessageSchema as tt, TASK_CREATOR_TYPES as u, updateAgentSchema as ut, agentBindRequestSchema as v, createAdapterConfigSchema as w, agentTypeSchema as x, agentPinnedMessageSchema as y, inboxPollQuerySchema as z };
+export { safeRedirectPath as $, createOrgFromMeSchema as A, imageInlineContentSchema as B, clientRegisterSchema as C, createAgentSchema as D, createAdapterMappingSchema as E, dryRunAgentRuntimeConfigSchema as F, linkTaskChatSchema as G, isRedactedEnvValue as H, extractMentions as I, notificationQuerySchema as J, loginSchema as K, githubCallbackQuerySchema as L, createTaskSchema as M, defaultRuntimeConfigPayload as N, createChatSchema as O, delegateFeishuUserSchema as P, runtimeStateMessageSchema as Q, githubDevCallbackQuerySchema as R, clientCapabilitiesSchema as S, createAdapterConfigSchema as T, isReservedAgentName as U, inboxPollQuerySchema as V, joinByInvitationSchema as W, rebindAgentSchema as X, paginationQuerySchema as Y, refreshTokenSchema as Z, adminUpdateTaskSchema as _, updateOrganizationSchema as _t, AGENT_STATUSES as a, sessionEventMessageSchema as at, agentRuntimeConfigPayloadSchema as b, wsAuthFrameSchema as bt, DEFAULT_RUNTIME_PROVIDER as c, sessionStateMessageSchema as ct, TASK_HEALTH_SIGNALS as d, updateAdapterConfigSchema as dt, scanMentionTokens as et, TASK_STATUSES as f, updateAgentRuntimeConfigSchema as ft, adminCreateTaskSchema as g, updateMemberSchema as gt, addParticipantSchema as h, updateClientCapabilitiesSchema as ht, AGENT_SOURCES as i, sessionCompletionMessageSchema as it, createOrganizationSchema as j, createMemberSchema as k, SYSTEM_CONFIG_DEFAULTS as l, switchOrgSchema as lt, WS_AUTH_FRAME_TIMEOUT_MS as m, updateChatSchema as mt, AGENT_NAME_REGEX as n, sendMessageSchema as nt, AGENT_TYPES as o, sessionEventSchema as ot, TASK_TERMINAL_STATUSES as p, updateAgentSchema as pt, messageSourceSchema as q, AGENT_SELECTOR_HEADER as r, sendToAgentSchema as rt, AGENT_VISIBILITY as s, sessionReconcileRequestSchema as st, AGENT_BIND_REJECT_REASONS as t, selfServiceFeishuBotSchema as tt, TASK_CREATOR_TYPES as u, taskListQuerySchema as ut, agentBindRequestSchema as v, updateSystemConfigSchema as vt, connectTokenExchangeSchema as w, agentTypeSchema as x, agentPinnedMessageSchema as y, updateTaskStatusSchema as yt, githubStartQuerySchema as z };

package/dist/drizzle/0027_runtime_provider.sql

@@ -0,0 +1,10 @@
+-- Add runtime_provider to agents.
+--
+-- Tags each agent with the runtime that drives it (e.g. "claude-code", "codex").
+-- DEFAULT 'claude-code' backfills every existing row so the NOT NULL constraint
+-- is safe to land in a single step. Hub deploys are stop-migrate-restart, not
+-- rolling, so we don't need a two-phase add (nullable → backfill → not null).
+--
+-- Capabilities reporting reuses the existing `clients.metadata` jsonb column
+-- under the `capabilities` subkey (Option C); no SQL change for clients.
+ALTER TABLE "agents" ADD COLUMN "runtime_provider" text DEFAULT 'claude-code' NOT NULL;

package/dist/drizzle/0028_auth_identity_user_github_unique.sql

@@ -0,0 +1,12 @@
+-- Partial unique index: each user can hold at most one github identity.
+--
+-- Defense-in-depth. The (provider, identifier) UNIQUE catches duplicates
+-- of the SAME githubId, but does not stop a single user from collecting
+-- multiple DIFFERENT githubIds (e.g. a future "merge accounts" or
+-- "rebind" flow that misfires, or a one-off SQL migration that errs).
+-- This index makes any such double-bind fail atomically with a
+-- unique-violation at the storage layer.
+
+CREATE UNIQUE INDEX IF NOT EXISTS "uq_auth_identities_user_github"
+  ON "auth_identities" ("user_id")
+  WHERE "provider" = 'github';

package/dist/drizzle/meta/_journal.json

@@ -190,6 +190,20 @@
       "when": 1777507200000,
       "tag": "0026_saas_onboarding",
       "breakpoints": true
+    },
+    {
+      "idx": 27,
+      "version": "7",
+      "when": 1777593600000,
+      "tag": "0027_runtime_provider",
+      "breakpoints": true
+    },
+    {
+      "idx": 28,
+      "version": "7",
+      "when": 1777680000000,
+      "tag": "0028_auth_identity_user_github_unique",
+      "breakpoints": true
     }
   ]
 }

package/dist/{feishu-FTWnoOsc.mjs → feishu-Boy3n8CT.mjs}

@@ -1,5 +1,5 @@
 import { d as __exportAll } from "./esm-CYu4tXXn.mjs";
-import { r as AGENT_SELECTOR_HEADER } from "./dist-CLiN7cVS.mjs";
+import { r as AGENT_SELECTOR_HEADER } from "./dist-DUCelK3Z.mjs";
 //#region src/core/feishu.ts
 var feishu_exports = /* @__PURE__ */ __exportAll({
 	bindFeishuBot: () => bindFeishuBot,

package/dist/index.mjs

@@ -1,8 +1,8 @@
 import "./observability-DPyf745N-BSc8QNcR.mjs";
-import { $ as FirstTreeHubSDK, A as checkWebSocket, B as ClientRuntime, C as checkClientConfig, D as checkServerConfig, E as checkNodeVersion, F as resolveCliInvocation, H as rotateClientIdWithBackup, I as uninstallClientService, J as blank, L as ensurePostgres, M as getClientServiceStatus, N as installClientService, O as checkServerHealth, P as isServiceSupported, R as isDockerAvailable, T as checkDocker, U as createOwner, V as handleClientOrgMismatch, W as hasUser, Z as status, _ as runHomeMigration, b as runMigrations, d as promptMissingFields, et as SdkError, f as formatCheckReport, h as onboardCreate, j as printResults, k as checkServerReachable, l as isInteractive, m as onboardCheck, n as deriveHubUrlFromToken, s as startServer, t as HubUrlDerivationError, u as promptAddAgent, w as checkDatabase, x as checkAgentConfigs, z as stopPostgres } from "./saas-connect-idjpoPTk.mjs";
+import { $ as status, A as checkServerHealth, B as isDockerAvailable, C as checkAgentConfigs, D as checkDocker, E as checkDatabase, F as installClientService, G as createOwner, H as ClientRuntime, I as isServiceSupported, K as hasUser, L as resolveCliInvocation, M as checkWebSocket, N as printResults, O as checkNodeVersion, P as getClientServiceStatus, R as uninstallClientService, S as runMigrations, T as checkClientConfig, U as handleClientOrgMismatch, V as stopPostgres, W as rotateClientIdWithBackup, X as blank, _ as onboardCreate, d as isInteractive, f as promptAddAgent, g as onboardCheck, j as checkServerReachable, k as checkServerConfig, m as formatCheckReport, n as deriveHubUrlFromToken, nt as SdkError, p as promptMissingFields, s as startServer, t as HubUrlDerivationError, tt as FirstTreeHubSDK, y as runHomeMigration, z as ensurePostgres } from "./saas-connect-3p-vBkuY.mjs";
 import "./logger-core-BTmvdflj-DjW8FM4T.mjs";
-import { a as resolveAccessToken, n as ensureFreshAccessToken, o as resolveServerUrl, r as ensureFreshAdminToken } from "./bootstrap-Ca5Fiqz6.mjs";
-import "./dist-CLiN7cVS.mjs";
-import { n as bindFeishuUser, t as bindFeishuBot } from "./feishu-FTWnoOsc.mjs";
+import { a as resolveAccessToken, n as ensureFreshAccessToken, o as resolveServerUrl, r as ensureFreshAdminToken } from "./bootstrap-CBAVWQUT.mjs";
+import "./dist-DUCelK3Z.mjs";
+import { n as bindFeishuUser, t as bindFeishuBot } from "./feishu-Boy3n8CT.mjs";
 import "./invitation-C_zAhB8x-8Khychlu.mjs";
 export { ClientRuntime, FirstTreeHubSDK, HubUrlDerivationError, SdkError, bindFeishuBot, bindFeishuUser, blank, checkAgentConfigs, checkClientConfig, checkDatabase, checkDocker, checkNodeVersion, checkServerConfig, checkServerHealth, checkServerReachable, checkWebSocket, createOwner, deriveHubUrlFromToken, ensureFreshAccessToken, ensureFreshAdminToken, ensurePostgres, formatCheckReport, getClientServiceStatus, handleClientOrgMismatch, hasUser, installClientService, isDockerAvailable, isInteractive, isServiceSupported, onboardCheck, onboardCreate, printResults, promptAddAgent, promptMissingFields, resolveAccessToken, resolveCliInvocation, resolveServerUrl, rotateClientIdWithBackup, runHomeMigration, runMigrations, startServer, status, stopPostgres, uninstallClientService };

package/dist/{invitation-BTlGMy0o-dIoR8JRj.mjs → invitation-BTlGMy0o-Coj07kYi.mjs}

@@ -1,3 +1,3 @@
-import "./dist-CLiN7cVS.mjs";
+import "./dist-DUCelK3Z.mjs";
 import { _ as rotateInvitation, h as previewInvitation } from "./invitation-C_zAhB8x-8Khychlu.mjs";
 export { previewInvitation, rotateInvitation };