@agent-team-foundation/first-tree-hub 0.11.0 → 0.11.1

package/dist/dist-BLY7Bu-l.mjs

@@ -0,0 +1,430 @@
+import { i as __require, t as __commonJSMin } from "./chunk-BSw8zbkd.mjs";
+import { t as require_src } from "./src-DNBS5Yjj.mjs";
+//#region ../../node_modules/.pnpm/agent-base@7.1.4/node_modules/agent-base/dist/helpers.js
+var require_helpers = /* @__PURE__ */ __commonJSMin(((exports) => {
+	var __createBinding = exports && exports.__createBinding || (Object.create ? (function(o, m, k, k2) {
+		if (k2 === void 0) k2 = k;
+		var desc = Object.getOwnPropertyDescriptor(m, k);
+		if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) desc = {
+			enumerable: true,
+			get: function() {
+				return m[k];
+			}
+		};
+		Object.defineProperty(o, k2, desc);
+	}) : (function(o, m, k, k2) {
+		if (k2 === void 0) k2 = k;
+		o[k2] = m[k];
+	}));
+	var __setModuleDefault = exports && exports.__setModuleDefault || (Object.create ? (function(o, v) {
+		Object.defineProperty(o, "default", {
+			enumerable: true,
+			value: v
+		});
+	}) : function(o, v) {
+		o["default"] = v;
+	});
+	var __importStar = exports && exports.__importStar || function(mod) {
+		if (mod && mod.__esModule) return mod;
+		var result = {};
+		if (mod != null) {
+			for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+		}
+		__setModuleDefault(result, mod);
+		return result;
+	};
+	Object.defineProperty(exports, "__esModule", { value: true });
+	exports.req = exports.json = exports.toBuffer = void 0;
+	const http$1 = __importStar(__require("http"));
+	const https = __importStar(__require("https"));
+	async function toBuffer(stream) {
+		let length = 0;
+		const chunks = [];
+		for await (const chunk of stream) {
+			length += chunk.length;
+			chunks.push(chunk);
+		}
+		return Buffer.concat(chunks, length);
+	}
+	exports.toBuffer = toBuffer;
+	async function json(stream) {
+		const str = (await toBuffer(stream)).toString("utf8");
+		try {
+			return JSON.parse(str);
+		} catch (_err) {
+			const err = _err;
+			err.message += ` (input: ${str})`;
+			throw err;
+		}
+	}
+	exports.json = json;
+	function req(url, opts = {}) {
+		const req = ((typeof url === "string" ? url : url.href).startsWith("https:") ? https : http$1).request(url, opts);
+		const promise = new Promise((resolve, reject) => {
+			req.once("response", resolve).once("error", reject).end();
+		});
+		req.then = promise.then.bind(promise);
+		return req;
+	}
+	exports.req = req;
+}));
+//#endregion
+//#region ../../node_modules/.pnpm/agent-base@7.1.4/node_modules/agent-base/dist/index.js
+var require_dist$1 = /* @__PURE__ */ __commonJSMin(((exports) => {
+	var __createBinding = exports && exports.__createBinding || (Object.create ? (function(o, m, k, k2) {
+		if (k2 === void 0) k2 = k;
+		var desc = Object.getOwnPropertyDescriptor(m, k);
+		if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) desc = {
+			enumerable: true,
+			get: function() {
+				return m[k];
+			}
+		};
+		Object.defineProperty(o, k2, desc);
+	}) : (function(o, m, k, k2) {
+		if (k2 === void 0) k2 = k;
+		o[k2] = m[k];
+	}));
+	var __setModuleDefault = exports && exports.__setModuleDefault || (Object.create ? (function(o, v) {
+		Object.defineProperty(o, "default", {
+			enumerable: true,
+			value: v
+		});
+	}) : function(o, v) {
+		o["default"] = v;
+	});
+	var __importStar = exports && exports.__importStar || function(mod) {
+		if (mod && mod.__esModule) return mod;
+		var result = {};
+		if (mod != null) {
+			for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+		}
+		__setModuleDefault(result, mod);
+		return result;
+	};
+	var __exportStar = exports && exports.__exportStar || function(m, exports$1) {
+		for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports$1, p)) __createBinding(exports$1, m, p);
+	};
+	Object.defineProperty(exports, "__esModule", { value: true });
+	exports.Agent = void 0;
+	const net$1 = __importStar(__require("net"));
+	const http = __importStar(__require("http"));
+	const https_1 = __require("https");
+	__exportStar(require_helpers(), exports);
+	const INTERNAL = Symbol("AgentBaseInternalState");
+	var Agent = class extends http.Agent {
+		constructor(opts) {
+			super(opts);
+			this[INTERNAL] = {};
+		}
+		/**
+		* Determine whether this is an `http` or `https` request.
+		*/
+		isSecureEndpoint(options) {
+			if (options) {
+				if (typeof options.secureEndpoint === "boolean") return options.secureEndpoint;
+				if (typeof options.protocol === "string") return options.protocol === "https:";
+			}
+			const { stack } = /* @__PURE__ */ new Error();
+			if (typeof stack !== "string") return false;
+			return stack.split("\n").some((l) => l.indexOf("(https.js:") !== -1 || l.indexOf("node:https:") !== -1);
+		}
+		incrementSockets(name) {
+			if (this.maxSockets === Infinity && this.maxTotalSockets === Infinity) return null;
+			if (!this.sockets[name]) this.sockets[name] = [];
+			const fakeSocket = new net$1.Socket({ writable: false });
+			this.sockets[name].push(fakeSocket);
+			this.totalSocketCount++;
+			return fakeSocket;
+		}
+		decrementSockets(name, socket) {
+			if (!this.sockets[name] || socket === null) return;
+			const sockets = this.sockets[name];
+			const index = sockets.indexOf(socket);
+			if (index !== -1) {
+				sockets.splice(index, 1);
+				this.totalSocketCount--;
+				if (sockets.length === 0) delete this.sockets[name];
+			}
+		}
+		getName(options) {
+			if (this.isSecureEndpoint(options)) return https_1.Agent.prototype.getName.call(this, options);
+			return super.getName(options);
+		}
+		createSocket(req, options, cb) {
+			const connectOpts = {
+				...options,
+				secureEndpoint: this.isSecureEndpoint(options)
+			};
+			const name = this.getName(connectOpts);
+			const fakeSocket = this.incrementSockets(name);
+			Promise.resolve().then(() => this.connect(req, connectOpts)).then((socket) => {
+				this.decrementSockets(name, fakeSocket);
+				if (socket instanceof http.Agent) try {
+					return socket.addRequest(req, connectOpts);
+				} catch (err) {
+					return cb(err);
+				}
+				this[INTERNAL].currentSocket = socket;
+				super.createSocket(req, options, cb);
+			}, (err) => {
+				this.decrementSockets(name, fakeSocket);
+				cb(err);
+			});
+		}
+		createConnection() {
+			const socket = this[INTERNAL].currentSocket;
+			this[INTERNAL].currentSocket = void 0;
+			if (!socket) throw new Error("No socket was returned in the `connect()` function");
+			return socket;
+		}
+		get defaultPort() {
+			return this[INTERNAL].defaultPort ?? (this.protocol === "https:" ? 443 : 80);
+		}
+		set defaultPort(v) {
+			if (this[INTERNAL]) this[INTERNAL].defaultPort = v;
+		}
+		get protocol() {
+			return this[INTERNAL].protocol ?? (this.isSecureEndpoint() ? "https:" : "http:");
+		}
+		set protocol(v) {
+			if (this[INTERNAL]) this[INTERNAL].protocol = v;
+		}
+	};
+	exports.Agent = Agent;
+}));
+//#endregion
+//#region ../../node_modules/.pnpm/https-proxy-agent@7.0.6/node_modules/https-proxy-agent/dist/parse-proxy-response.js
+var require_parse_proxy_response = /* @__PURE__ */ __commonJSMin(((exports) => {
+	var __importDefault = exports && exports.__importDefault || function(mod) {
+		return mod && mod.__esModule ? mod : { "default": mod };
+	};
+	Object.defineProperty(exports, "__esModule", { value: true });
+	exports.parseProxyResponse = void 0;
+	const debug = (0, __importDefault(require_src()).default)("https-proxy-agent:parse-proxy-response");
+	function parseProxyResponse(socket) {
+		return new Promise((resolve, reject) => {
+			let buffersLength = 0;
+			const buffers = [];
+			function read() {
+				const b = socket.read();
+				if (b) ondata(b);
+				else socket.once("readable", read);
+			}
+			function cleanup() {
+				socket.removeListener("end", onend);
+				socket.removeListener("error", onerror);
+				socket.removeListener("readable", read);
+			}
+			function onend() {
+				cleanup();
+				debug("onend");
+				reject(/* @__PURE__ */ new Error("Proxy connection ended before receiving CONNECT response"));
+			}
+			function onerror(err) {
+				cleanup();
+				debug("onerror %o", err);
+				reject(err);
+			}
+			function ondata(b) {
+				buffers.push(b);
+				buffersLength += b.length;
+				const buffered = Buffer.concat(buffers, buffersLength);
+				const endOfHeaders = buffered.indexOf("\r\n\r\n");
+				if (endOfHeaders === -1) {
+					debug("have not received end of HTTP headers yet...");
+					read();
+					return;
+				}
+				const headerParts = buffered.slice(0, endOfHeaders).toString("ascii").split("\r\n");
+				const firstLine = headerParts.shift();
+				if (!firstLine) {
+					socket.destroy();
+					return reject(/* @__PURE__ */ new Error("No header received from proxy CONNECT response"));
+				}
+				const firstLineParts = firstLine.split(" ");
+				const statusCode = +firstLineParts[1];
+				const statusText = firstLineParts.slice(2).join(" ");
+				const headers = {};
+				for (const header of headerParts) {
+					if (!header) continue;
+					const firstColon = header.indexOf(":");
+					if (firstColon === -1) {
+						socket.destroy();
+						return reject(/* @__PURE__ */ new Error(`Invalid header from proxy CONNECT response: "${header}"`));
+					}
+					const key = header.slice(0, firstColon).toLowerCase();
+					const value = header.slice(firstColon + 1).trimStart();
+					const current = headers[key];
+					if (typeof current === "string") headers[key] = [current, value];
+					else if (Array.isArray(current)) current.push(value);
+					else headers[key] = value;
+				}
+				debug("got proxy server response: %o %o", firstLine, headers);
+				cleanup();
+				resolve({
+					connect: {
+						statusCode,
+						statusText,
+						headers
+					},
+					buffered
+				});
+			}
+			socket.on("error", onerror);
+			socket.on("end", onend);
+			read();
+		});
+	}
+	exports.parseProxyResponse = parseProxyResponse;
+}));
+//#endregion
+//#region ../../node_modules/.pnpm/https-proxy-agent@7.0.6/node_modules/https-proxy-agent/dist/index.js
+var require_dist = /* @__PURE__ */ __commonJSMin(((exports) => {
+	var __createBinding = exports && exports.__createBinding || (Object.create ? (function(o, m, k, k2) {
+		if (k2 === void 0) k2 = k;
+		var desc = Object.getOwnPropertyDescriptor(m, k);
+		if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) desc = {
+			enumerable: true,
+			get: function() {
+				return m[k];
+			}
+		};
+		Object.defineProperty(o, k2, desc);
+	}) : (function(o, m, k, k2) {
+		if (k2 === void 0) k2 = k;
+		o[k2] = m[k];
+	}));
+	var __setModuleDefault = exports && exports.__setModuleDefault || (Object.create ? (function(o, v) {
+		Object.defineProperty(o, "default", {
+			enumerable: true,
+			value: v
+		});
+	}) : function(o, v) {
+		o["default"] = v;
+	});
+	var __importStar = exports && exports.__importStar || function(mod) {
+		if (mod && mod.__esModule) return mod;
+		var result = {};
+		if (mod != null) {
+			for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+		}
+		__setModuleDefault(result, mod);
+		return result;
+	};
+	var __importDefault = exports && exports.__importDefault || function(mod) {
+		return mod && mod.__esModule ? mod : { "default": mod };
+	};
+	Object.defineProperty(exports, "__esModule", { value: true });
+	exports.HttpsProxyAgent = void 0;
+	const net = __importStar(__require("net"));
+	const tls = __importStar(__require("tls"));
+	const assert_1 = __importDefault(__require("assert"));
+	const debug_1 = __importDefault(require_src());
+	const agent_base_1 = require_dist$1();
+	const url_1 = __require("url");
+	const parse_proxy_response_1 = require_parse_proxy_response();
+	const debug = (0, debug_1.default)("https-proxy-agent");
+	const setServernameFromNonIpHost = (options) => {
+		if (options.servername === void 0 && options.host && !net.isIP(options.host)) return {
+			...options,
+			servername: options.host
+		};
+		return options;
+	};
+	/**
+	* The `HttpsProxyAgent` implements an HTTP Agent subclass that connects to
+	* the specified "HTTP(s) proxy server" in order to proxy HTTPS requests.
+	*
+	* Outgoing HTTP requests are first tunneled through the proxy server using the
+	* `CONNECT` HTTP request method to establish a connection to the proxy server,
+	* and then the proxy server connects to the destination target and issues the
+	* HTTP request from the proxy server.
+	*
+	* `https:` requests have their socket connection upgraded to TLS once
+	* the connection to the proxy server has been established.
+	*/
+	var HttpsProxyAgent = class extends agent_base_1.Agent {
+		constructor(proxy, opts) {
+			super(opts);
+			this.options = { path: void 0 };
+			this.proxy = typeof proxy === "string" ? new url_1.URL(proxy) : proxy;
+			this.proxyHeaders = opts?.headers ?? {};
+			debug("Creating new HttpsProxyAgent instance: %o", this.proxy.href);
+			const host = (this.proxy.hostname || this.proxy.host).replace(/^\[|\]$/g, "");
+			const port = this.proxy.port ? parseInt(this.proxy.port, 10) : this.proxy.protocol === "https:" ? 443 : 80;
+			this.connectOpts = {
+				ALPNProtocols: ["http/1.1"],
+				...opts ? omit(opts, "headers") : null,
+				host,
+				port
+			};
+		}
+		/**
+		* Called when the node-core HTTP client library is creating a
+		* new HTTP request.
+		*/
+		async connect(req, opts) {
+			const { proxy } = this;
+			if (!opts.host) throw new TypeError("No \"host\" provided");
+			let socket;
+			if (proxy.protocol === "https:") {
+				debug("Creating `tls.Socket`: %o", this.connectOpts);
+				socket = tls.connect(setServernameFromNonIpHost(this.connectOpts));
+			} else {
+				debug("Creating `net.Socket`: %o", this.connectOpts);
+				socket = net.connect(this.connectOpts);
+			}
+			const headers = typeof this.proxyHeaders === "function" ? this.proxyHeaders() : { ...this.proxyHeaders };
+			const host = net.isIPv6(opts.host) ? `[${opts.host}]` : opts.host;
+			let payload = `CONNECT ${host}:${opts.port} HTTP/1.1\r\n`;
+			if (proxy.username || proxy.password) {
+				const auth = `${decodeURIComponent(proxy.username)}:${decodeURIComponent(proxy.password)}`;
+				headers["Proxy-Authorization"] = `Basic ${Buffer.from(auth).toString("base64")}`;
+			}
+			headers.Host = `${host}:${opts.port}`;
+			if (!headers["Proxy-Connection"]) headers["Proxy-Connection"] = this.keepAlive ? "Keep-Alive" : "close";
+			for (const name of Object.keys(headers)) payload += `${name}: ${headers[name]}\r\n`;
+			const proxyResponsePromise = (0, parse_proxy_response_1.parseProxyResponse)(socket);
+			socket.write(`${payload}\r\n`);
+			const { connect, buffered } = await proxyResponsePromise;
+			req.emit("proxyConnect", connect);
+			this.emit("proxyConnect", connect, req);
+			if (connect.statusCode === 200) {
+				req.once("socket", resume);
+				if (opts.secureEndpoint) {
+					debug("Upgrading socket connection to TLS");
+					return tls.connect({
+						...omit(setServernameFromNonIpHost(opts), "host", "path", "port"),
+						socket
+					});
+				}
+				return socket;
+			}
+			socket.destroy();
+			const fakeSocket = new net.Socket({ writable: false });
+			fakeSocket.readable = true;
+			req.once("socket", (s) => {
+				debug("Replaying proxy buffer for failed request");
+				(0, assert_1.default)(s.listenerCount("data") > 0);
+				s.push(buffered);
+				s.push(null);
+			});
+			return fakeSocket;
+		}
+	};
+	HttpsProxyAgent.protocols = ["http", "https"];
+	exports.HttpsProxyAgent = HttpsProxyAgent;
+	function resume(socket) {
+		socket.resume();
+	}
+	function omit(obj, ...keys) {
+		const ret = {};
+		let key;
+		for (key in obj) if (!keys.includes(key)) ret[key] = obj[key];
+		return ret;
+	}
+}));
+//#endregion
+export default require_dist();
+export {};

package/dist/{dist-BoHl9HwW.mjs → dist-BkvrONSQ.mjs}

@@ -956,8 +956,6 @@ const createOrgFromMeSchema = z.object({
 	name: z.string().min(2).max(50).regex(/^[a-z0-9][a-z0-9-]*$/),
 	displayName: z.string().min(1).max(200)
 });
-/** Body for `POST /auth/switch-org`. */
-const switchOrgSchema = z.object({ organizationId: z.string().min(1) });
 z.object({
 	id: z.string(),
 	organizationId: z.string(),
@@ -1045,7 +1043,7 @@ const githubDevCallbackQuerySchema = z.object({
 	next: z.string().max(256).optional()
 });
 const UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-const createOrganizationSchema = z.object({
+z.object({
 	name: z.string().min(2).max(50).regex(/^[a-z0-9][a-z0-9-]*$/, "Must start with a letter or digit and contain only lowercase alphanumeric and hyphens").refine((v) => !UUID_PATTERN.test(v), "Name must not be a UUID format"),
 	displayName: z.string().min(1).max(200),
 	maxAgents: z.number().int().min(0).default(0),
@@ -1200,24 +1198,6 @@ z.object({
 	totalMessages: z.number(),
 	byOrganization: z.array(orgStatsSchema)
 });
-z.object({
-	key: z.string(),
-	value: z.unknown(),
-	updatedAt: z.string()
-});
-const updateSystemConfigSchema = z.record(z.string(), z.unknown());
-const SYSTEM_CONFIG_KEYS = {
-	INBOX_TIMEOUT_SECONDS: "inbox_timeout_seconds",
-	MAX_RETRY_COUNT: "max_retry_count",
-	POLLING_INTERVAL_SECONDS: "polling_interval_seconds",
-	PRESENCE_CLEANUP_SECONDS: "presence_cleanup_seconds"
-};
-const SYSTEM_CONFIG_DEFAULTS = {
-	[SYSTEM_CONFIG_KEYS.INBOX_TIMEOUT_SECONDS]: 300,
-	[SYSTEM_CONFIG_KEYS.MAX_RETRY_COUNT]: 3,
-	[SYSTEM_CONFIG_KEYS.POLLING_INTERVAL_SECONDS]: 5,
-	[SYSTEM_CONFIG_KEYS.PRESENCE_CLEANUP_SECONDS]: 60
-};
 /** Fixed 5-state machine. No custom statuses. */
 const TASK_STATUSES = {
 	PENDING: "pending",
@@ -1389,4 +1369,4 @@ z.object({
 	capabilities: serverCapabilitiesSchema.optional()
 }).passthrough();
 //#endregion
-export { messageSourceSchema as $, createChatSchema as A, githubCallbackQuerySchema as B, agentTypeSchema as C, updateMemberSchema as Ct, createAdapterConfigSchema as D, wsAuthFrameSchema as Dt, connectTokenExchangeSchema as E, updateTaskStatusSchema as Et, createTaskSchema as F, inboxDeliverFrameSchema as G, githubStartQuerySchema as H, defaultRuntimeConfigPayload as I, isReservedAgentName as J, inboxPollQuerySchema as K, delegateFeishuUserSchema as L, createMemberSchema as M, createOrgFromMeSchema as N, createAdapterMappingSchema as O, createOrganizationSchema as P, loginSchema as Q, dryRunAgentRuntimeConfigSchema as R, agentRuntimeConfigPayloadSchema as S, updateClientCapabilitiesSchema as St, clientRegisterSchema as T, updateSystemConfigSchema as Tt, imageInlineContentSchema as U, githubDevCallbackQuerySchema as V, inboxAckFrameSchema as W, linkTaskChatSchema as X, joinByInvitationSchema as Y, listMeChatsQuerySchema as Z, addParticipantSchema as _, taskListQuerySchema as _t, AGENT_STATUSES as a, safeRedirectPath as at, agentBindRequestSchema as b, updateAgentSchema as bt, DEFAULT_RUNTIME_PROVIDER as c, sendMessageSchema as ct, TASK_CREATOR_TYPES as d, sessionEventMessageSchema as dt, notificationQuerySchema as et, TASK_HEALTH_SIGNALS as f, sessionEventSchema as ft, addMeChatParticipantsSchema as g, switchOrgSchema as gt, WS_AUTH_FRAME_TIMEOUT_MS as h, stripCode as ht, AGENT_SOURCES as i, runtimeStateMessageSchema as it, createMeChatSchema as j, createAgentSchema as k, MENTION_REGEX as l, sendToAgentSchema as lt, TASK_TERMINAL_STATUSES as m, sessionStateMessageSchema as mt, AGENT_NAME_REGEX as n, rebindAgentSchema as nt, AGENT_TYPES as o, scanMentionTokens as ot, TASK_STATUSES as p, sessionReconcileRequestSchema as pt, isRedactedEnvValue as q, AGENT_SELECTOR_HEADER as r, refreshTokenSchema as rt, AGENT_VISIBILITY as s, selfServiceFeishuBotSchema as st, AGENT_BIND_REJECT_REASONS as t, paginationQuerySchema as tt, SYSTEM_CONFIG_DEFAULTS as u, sessionCompletionMessageSchema as ut, adminCreateTaskSchema as v, updateAdapterConfigSchema as vt, clientCapabilitiesSchema as w, updateOrganizationSchema as wt, agentPinnedMessageSchema as x, updateChatSchema as xt, adminUpdateTaskSchema as y, updateAgentRuntimeConfigSchema as yt, extractMentions as z };
+export { paginationQuerySchema as $, createMeChatSchema as A, githubStartQuerySchema as B, clientCapabilitiesSchema as C, wsAuthFrameSchema as Ct, createAdapterMappingSchema as D, createAdapterConfigSchema as E, delegateFeishuUserSchema as F, isRedactedEnvValue as G, inboxAckFrameSchema as H, dryRunAgentRuntimeConfigSchema as I, linkTaskChatSchema as J, isReservedAgentName as K, extractMentions as L, createOrgFromMeSchema as M, createTaskSchema as N, createAgentSchema as O, defaultRuntimeConfigPayload as P, notificationQuerySchema as Q, githubCallbackQuerySchema as R, agentTypeSchema as S, updateTaskStatusSchema as St, connectTokenExchangeSchema as T, inboxDeliverFrameSchema as U, imageInlineContentSchema as V, inboxPollQuerySchema as W, loginSchema as X, listMeChatsQuerySchema as Y, messageSourceSchema as Z, adminCreateTaskSchema as _, updateAgentSchema as _t, AGENT_STATUSES as a, selfServiceFeishuBotSchema as at, agentPinnedMessageSchema as b, updateMemberSchema as bt, DEFAULT_RUNTIME_PROVIDER as c, sessionCompletionMessageSchema as ct, TASK_HEALTH_SIGNALS as d, sessionReconcileRequestSchema as dt, rebindAgentSchema as et, TASK_STATUSES as f, sessionStateMessageSchema as ft, addParticipantSchema as g, updateAgentRuntimeConfigSchema as gt, addMeChatParticipantsSchema as h, updateAdapterConfigSchema as ht, AGENT_SOURCES as i, scanMentionTokens as it, createMemberSchema as j, createChatSchema as k, MENTION_REGEX as l, sessionEventMessageSchema as lt, WS_AUTH_FRAME_TIMEOUT_MS as m, taskListQuerySchema as mt, AGENT_NAME_REGEX as n, runtimeStateMessageSchema as nt, AGENT_TYPES as o, sendMessageSchema as ot, TASK_TERMINAL_STATUSES as p, stripCode as pt, joinByInvitationSchema as q, AGENT_SELECTOR_HEADER as r, safeRedirectPath as rt, AGENT_VISIBILITY as s, sendToAgentSchema as st, AGENT_BIND_REJECT_REASONS as t, refreshTokenSchema as tt, TASK_CREATOR_TYPES as u, sessionEventSchema as ut, adminUpdateTaskSchema as v, updateChatSchema as vt, clientRegisterSchema as w, agentRuntimeConfigPayloadSchema as x, updateOrganizationSchema as xt, agentBindRequestSchema as y, updateClientCapabilitiesSchema as yt, githubDevCallbackQuerySchema as z };

package/dist/drizzle/0031_drop_system_configs.sql

@@ -0,0 +1,11 @@
+-- Drop the `system_configs` table — replaced by deployment-level env
+-- vars (FIRST_TREE_HUB_INBOX_TIMEOUT_SECONDS, FIRST_TREE_HUB_MAX_RETRY_COUNT,
+-- FIRST_TREE_HUB_POLLING_INTERVAL_SECONDS, FIRST_TREE_HUB_PRESENCE_CLEANUP_SECONDS,
+-- FIRST_TREE_HUB_NOTIFICATION_WEBHOOK_URL).
+--
+-- See proposals/hub-strip-jwt-ambient-scope.20260508.md §3.5 + §6.3.
+-- The table held tunables that were never customer-configurable; promoting
+-- them to env vars closes the multi-tenant security gap where any org admin
+-- could mutate cross-org runtime behavior.
+
+DROP TABLE IF EXISTS "system_configs";

package/dist/drizzle/meta/_journal.json

@@ -218,6 +218,13 @@
       "when": 1777852800000,
       "tag": "0030_chat_first_workspace",
       "breakpoints": true
+    },
+    {
+      "idx": 31,
+      "version": "7",
+      "when": 1777939200000,
+      "tag": "0031_drop_system_configs",
+      "breakpoints": true
     }
   ]
 }

package/dist/errors-BmyRwN0Y-CIZZ_sDc.mjs

@@ -0,0 +1,92 @@
+import { integer, jsonb, pgTable, text, timestamp } from "drizzle-orm/pg-core";
+//#region ../server/dist/errors-BmyRwN0Y.mjs
+/** Organization entity. Agents and chats belong to exactly one organization. */
+const organizations = pgTable("organizations", {
+	id: text("id").primaryKey(),
+	name: text("name").unique().notNull(),
+	displayName: text("display_name").notNull(),
+	maxAgents: integer("max_agents").notNull().default(0),
+	maxMessagesPerMinute: integer("max_messages_per_minute").notNull().default(0),
+	features: jsonb("features").$type().notNull().default({}),
+	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
+	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow()
+});
+/** User accounts. Passwords are stored as bcrypt hashes. */
+const users = pgTable("users", {
+	id: text("id").primaryKey(),
+	username: text("username").unique().notNull(),
+	passwordHash: text("password_hash").notNull(),
+	displayName: text("display_name").notNull(),
+	avatarUrl: text("avatar_url"),
+	status: text("status").notNull().default("active"),
+	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
+	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow()
+});
+var AppError = class extends Error {
+	constructor(statusCode, message, attrs) {
+		super(message);
+		this.statusCode = statusCode;
+		this.attrs = attrs;
+		this.name = "AppError";
+	}
+};
+var NotFoundError = class extends AppError {
+	constructor(message = "Not found", attrs) {
+		super(404, message, attrs);
+		this.name = "NotFoundError";
+	}
+};
+var UnauthorizedError = class extends AppError {
+	constructor(message = "Unauthorized", attrs) {
+		super(401, message, attrs);
+		this.name = "UnauthorizedError";
+	}
+};
+var ForbiddenError = class extends AppError {
+	constructor(message = "Forbidden", attrs) {
+		super(403, message, attrs);
+		this.name = "ForbiddenError";
+	}
+};
+var ConflictError = class extends AppError {
+	constructor(message = "Conflict", attrs) {
+		super(409, message, attrs);
+		this.name = "ConflictError";
+	}
+};
+var BadRequestError = class extends AppError {
+	constructor(message = "Bad request", attrs) {
+		super(400, message, attrs);
+		this.name = "BadRequestError";
+	}
+};
+/**
+* Thrown when an operation targets a client whose organization does not match
+* the caller's authenticated organization. Retained for wire compatibility:
+* the read paths that produced this error were retired in
+* decouple-client-from-identity §4.1, so the server itself no longer raises
+* it. SDK consumers may still pattern-match the `code` field on legacy
+* payloads.
+*/
+var ClientOrgMismatchError = class extends AppError {
+	code = "CLIENT_ORG_MISMATCH";
+	constructor(message = "Client belongs to a different organization", attrs) {
+		super(403, message, attrs);
+		this.name = "ClientOrgMismatchError";
+	}
+};
+/**
+* Thrown when a client.yaml is presented with a JWT whose user_id does not
+* match the row's owner. The CLI responds by guiding the operator through
+* `first-tree-hub client claim --confirm` to take over ownership, which
+* unpins the previous owner's agents from this machine.
+*/
+var ClientUserMismatchError = class extends AppError {
+	code = "CLIENT_USER_MISMATCH";
+	constructor(message = "Client belongs to a different user", attrs) {
+		super(403, message, attrs);
+		this.name = "ClientUserMismatchError";
+	}
+};
+//#endregion
+export { ConflictError as a, UnauthorizedError as c, ClientUserMismatchError as i, organizations as l, BadRequestError as n, ForbiddenError as o, ClientOrgMismatchError as r, NotFoundError as s, AppError as t, users as u };

package/dist/{esm-CYu4tXXn.mjs → esm-iadMkGbV.mjs}

@@ -1,39 +1,4 @@
-import { createRequire } from "node:module";
-//#region \0rolldown/runtime.js
-var __create = Object.create;
-var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __esmMin = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
-var __commonJSMin = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
-var __exportAll = (all, no_symbols) => {
-	let target = {};
-	for (var name in all) __defProp(target, name, {
-		get: all[name],
-		enumerable: true
-	});
-	if (!no_symbols) __defProp(target, Symbol.toStringTag, { value: "Module" });
-	return target;
-};
-var __copyProps = (to, from, except, desc) => {
-	if (from && typeof from === "object" || typeof from === "function") for (var keys = __getOwnPropNames(from), i = 0, n = keys.length, key; i < n; i++) {
-		key = keys[i];
-		if (!__hasOwnProp.call(to, key) && key !== except) __defProp(to, key, {
-			get: ((k) => from[k]).bind(null, key),
-			enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable
-		});
-	}
-	return to;
-};
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", {
-	value: mod,
-	enumerable: true
-}) : target, mod));
-var __toCommonJS = (mod) => __hasOwnProp.call(mod, "module.exports") ? mod["module.exports"] : __copyProps(__defProp({}, "__esModule", { value: true }), mod);
-var __require = /* @__PURE__ */ createRequire(import.meta.url);
-//#endregion
+import { n as __esmMin, r as __exportAll } from "./chunk-BSw8zbkd.mjs";
 //#region ../../node_modules/.pnpm/@opentelemetry+api@1.9.1/node_modules/@opentelemetry/api/build/esm/version.js
 var VERSION;
 var init_version = __esmMin((() => {
@@ -1548,4 +1513,4 @@ var init_esm = __esmMin((() => {
 	};
 }));
 //#endregion
-export { diag as a, SpanKind as c, __exportAll as d, __require as f, propagation as i, __commonJSMin as l, __toESM as m, init_esm as n, context as o, __toCommonJS as p, trace as r, SpanStatusCode as s, esm_exports as t, __esmMin as u };
+export { metrics as a, SpanStatusCode as c, createContextKey as d, DiagLogLevel as f, propagation as i, SpanKind as l, init_esm as n, diag as o, trace as r, context as s, esm_exports as t, DiagConsoleLogger as u };

package/dist/execAsync-CCyouKZM.mjs

@@ -0,0 +1,10 @@
+import { i as __require, t as __commonJSMin } from "./chunk-BSw8zbkd.mjs";
+//#region ../../node_modules/.pnpm/@opentelemetry+resources@2.7.1_@opentelemetry+api@1.9.1/node_modules/@opentelemetry/resources/build/src/detectors/platform/node/machine-id/execAsync.js
+var require_execAsync = /* @__PURE__ */ __commonJSMin(((exports) => {
+	Object.defineProperty(exports, "__esModule", { value: true });
+	exports.execAsync = void 0;
+	const child_process = __require("child_process");
+	exports.execAsync = __require("util").promisify(child_process.exec);
+}));
+//#endregion
+export { require_execAsync as t };

package/dist/{execAsync-XMc-nFn-.mjs → execAsync-pImxPKN5.mjs}

@@ -1,4 +1,4 @@
-import { f as __require, l as __commonJSMin } from "./esm-CYu4tXXn.mjs";
+import { i as __require, t as __commonJSMin } from "./chunk-BSw8zbkd.mjs";
 //#region ../../node_modules/.pnpm/@opentelemetry+resources@2.7.0_@opentelemetry+api@1.9.1/node_modules/@opentelemetry/resources/build/src/detectors/platform/node/machine-id/execAsync.js
 var require_execAsync = /* @__PURE__ */ __commonJSMin(((exports) => {
 	Object.defineProperty(exports, "__esModule", { value: true });

package/dist/{feishu-Dxk6ArOK.mjs → feishu-AEMHwT6L.mjs}

@@ -1,5 +1,5 @@
-import { d as __exportAll } from "./esm-CYu4tXXn.mjs";
-import { r as AGENT_SELECTOR_HEADER } from "./dist-BoHl9HwW.mjs";
+import { r as __exportAll } from "./chunk-BSw8zbkd.mjs";
+import { r as AGENT_SELECTOR_HEADER } from "./dist-BkvrONSQ.mjs";
 //#region src/core/feishu.ts
 var feishu_exports = /* @__PURE__ */ __exportAll({
 	bindFeishuBot: () => bindFeishuBot,