@agent-team-foundation/first-tree-hub 0.11.1 → 0.11.3

package/dist/{saas-connect-Bd0g0v_b.mjs → saas-connect-gcT6Q10z.mjs}

@@ -1,24 +1,25 @@
 import { a as __toCommonJS, o as __toESM, t as __commonJSMin } from "./chunk-BSw8zbkd.mjs";
-import { C as withSpan, D as require_pino, E as redactUrl, S as startWsConnectionSpan, T as FIRST_TREE_HUB_ATTR, a as createLogger$1, b as stampOrgScope, d as observabilityPlugin, g as setWsConnectionAttrs, i as bodyCaptureOnSendHook, l as messageAttrs, m as rootLogger$1, n as applyLoggerConfig, o as currentTraceId, p as reportErrorToRoot, r as attachRequestContext, s as endWsConnectionSpan, t as adapterAttrs, v as stampAgentResource, w as withWsMessageSpan, y as stampChatResource } from "./observability-C3nY6Jcz-Dpsi3eFk.mjs";
-import { C as resetConfigMeta, E as setConfigValue, S as resetConfig, T as serverConfigSchema, b as migrateLegacyHome, c as resolveServerUrl, d as DEFAULT_CONFIG_DIR, f as DEFAULT_DATA_DIR$1, g as collectMissingPrompts, h as clientConfigSchema, i as ensureFreshAccessToken, l as saveAgentConfig, m as agentConfigSchema, o as loadCredentials, p as DEFAULT_HOME_DIR$1, u as saveCredentials, v as initConfig, w as resolveConfigReadonly, y as loadAgents } from "./bootstrap-TJRy0B9m.mjs";
-import { $ as paginationQuerySchema, A as createMeChatSchema, B as githubStartQuerySchema, Ct as wsAuthFrameSchema, D as createAdapterMappingSchema, E as createAdapterConfigSchema, F as delegateFeishuUserSchema, G as isRedactedEnvValue, H as inboxAckFrameSchema, I as dryRunAgentRuntimeConfigSchema, J as linkTaskChatSchema, K as isReservedAgentName$1, L as extractMentions, M as createOrgFromMeSchema, N as createTaskSchema, O as createAgentSchema, P as defaultRuntimeConfigPayload, Q as notificationQuerySchema, R as githubCallbackQuerySchema, S as agentTypeSchema$1, St as updateTaskStatusSchema, T as connectTokenExchangeSchema, U as inboxDeliverFrameSchema$1, V as imageInlineContentSchema, W as inboxPollQuerySchema, X as loginSchema, Y as listMeChatsQuerySchema, Z as messageSourceSchema$1, _ as adminCreateTaskSchema, _t as updateAgentSchema, a as AGENT_STATUSES, at as selfServiceFeishuBotSchema, b as agentPinnedMessageSchema$1, bt as updateMemberSchema, ct as sessionCompletionMessageSchema, d as TASK_HEALTH_SIGNALS, dt as sessionReconcileRequestSchema, et as rebindAgentSchema, f as TASK_STATUSES, ft as sessionStateMessageSchema, g as addParticipantSchema, gt as updateAgentRuntimeConfigSchema, h as addMeChatParticipantsSchema, ht as updateAdapterConfigSchema, i as AGENT_SOURCES, it as scanMentionTokens, j as createMemberSchema, k as createChatSchema, l as MENTION_REGEX, lt as sessionEventMessageSchema, m as WS_AUTH_FRAME_TIMEOUT_MS, mt as taskListQuerySchema, n as AGENT_NAME_REGEX$1, nt as runtimeStateMessageSchema, o as AGENT_TYPES, ot as sendMessageSchema, p as TASK_TERMINAL_STATUSES, pt as stripCode, q as joinByInvitationSchema, r as AGENT_SELECTOR_HEADER$1, rt as safeRedirectPath, s as AGENT_VISIBILITY, st as sendToAgentSchema, t as AGENT_BIND_REJECT_REASONS, tt as refreshTokenSchema, u as TASK_CREATOR_TYPES, ut as sessionEventSchema$1, v as adminUpdateTaskSchema, vt as updateChatSchema, w as clientRegisterSchema, x as agentRuntimeConfigPayloadSchema$1, xt as updateOrganizationSchema, y as agentBindRequestSchema, yt as updateClientCapabilitiesSchema, z as githubDevCallbackQuerySchema } from "./dist-BkvrONSQ.mjs";
-import { a as ConflictError, c as UnauthorizedError, i as ClientUserMismatchError$1, l as organizations, n as BadRequestError, o as ForbiddenError, r as ClientOrgMismatchError$1, s as NotFoundError, t as AppError, u as users } from "./errors-BmyRwN0Y-CIZZ_sDc.mjs";
-import { C as serverInstances, D as unbindAgent, E as touchAgent, O as updateClientCapabilities, S as retireClient, T as setRuntimeState, _ as listClientsForOrgAdmin, a as claimClient, b as members, c as clients, d as getClient, f as getOnlineCount, g as listActiveAgentsPinnedToClient, h as heartbeatInstance, i as bindAgent, l as deriveAuthState, m as heartbeatClient, n as agents, o as cleanupStaleClients, p as getPresence, r as assertClientOwner, s as cleanupStalePresence, t as agentPresence, u as disconnectClient, w as setOffline, x as registerClient, y as markStaleAgents } from "./client-BCaK653p-CZjDNcdM.mjs";
-import { n as init_esm, r as trace, t as esm_exports } from "./esm-iadMkGbV.mjs";
-import { a as invitationRedemptions, c as recordRedemption, i as getActiveInvitation, l as rotateInvitation, n as ensureActiveInvitation, o as invitations, r as findActiveByToken, t as buildInviteUrl, u as uuidv7 } from "./invitation-Dnn5gGGX-Ce7zbZpn.mjs";
+import { A as FIRST_TREE_HUB_ATTR, C as stampOrgScope, D as untrustedAttrs, E as startWsConnectionSpan, M as require_pino, O as withSpan, S as stampChatResource, _ as rootLogger$1, a as buildRateLimitError, c as currentTraceId, f as messageAttrs, g as reportErrorToRoot, i as bodyCaptureOnSendHook, j as redactUrl, k as withWsMessageSpan, l as decodeJwtForTrace, m as observabilityPlugin, n as applyLoggerConfig, o as classifyJoseError, r as attachRequestContext, s as createLogger$1, t as adapterAttrs, u as endWsConnectionSpan, x as stampAgentResource, y as setWsConnectionAttrs } from "./observability-BAScT_5S-gw1ODB_o.mjs";
+import { C as resetConfigMeta, E as setConfigValue, S as resetConfig, T as serverConfigSchema, b as migrateLegacyHome, c as resolveServerUrl, d as DEFAULT_CONFIG_DIR, f as DEFAULT_DATA_DIR$1, g as collectMissingPrompts, h as clientConfigSchema, i as ensureFreshAccessToken, l as saveAgentConfig, m as agentConfigSchema, o as loadCredentials, p as DEFAULT_HOME_DIR$1, u as saveCredentials, v as initConfig, w as resolveConfigReadonly, y as loadAgents } from "./bootstrap-D4rdqM2F.mjs";
+import { a as print, i as blank, n as CLI_USER_AGENT, r as COMMAND_VERSION, s as status, t as cliFetch } from "./cli-fetch--tiwKm5S.mjs";
+import { $ as notificationQuerySchema, A as createChatSchema, B as githubDevCallbackQuerySchema, Ct as updateTaskStatusSchema, D as createAdapterConfigSchema, E as contextTreeSnapshotSchema, F as defaultRuntimeConfigPayload, G as inboxPollQuerySchema, H as imageInlineContentSchema, I as delegateFeishuUserSchema, J as joinByInvitationSchema, K as isRedactedEnvValue, L as dryRunAgentRuntimeConfigSchema, M as createMemberSchema, N as createOrgFromMeSchema, O as createAdapterMappingSchema, P as createTaskSchema, Q as messageSourceSchema$1, R as extractMentions, S as agentTypeSchema$1, St as updateOrganizationSchema, T as connectTokenExchangeSchema, U as inboxAckFrameSchema, V as githubStartQuerySchema, W as inboxDeliverFrameSchema$1, X as listMeChatsQuerySchema, Y as linkTaskChatSchema, Z as loginSchema, _ as adminCreateTaskSchema, _t as updateAgentRuntimeConfigSchema, a as AGENT_STATUSES, at as scanMentionTokens, b as agentPinnedMessageSchema$1, bt as updateClientCapabilitiesSchema, ct as sendToAgentSchema, d as TASK_HEALTH_SIGNALS, dt as sessionEventSchema$1, et as paginationQuerySchema, f as TASK_STATUSES, ft as sessionReconcileRequestSchema, g as addParticipantSchema, gt as updateAdapterConfigSchema, h as addMeChatParticipantsSchema, ht as taskListQuerySchema, i as AGENT_SOURCES, it as safeRedirectPath, j as createMeChatSchema, k as createAgentSchema, l as MENTION_REGEX, lt as sessionCompletionMessageSchema, m as WS_AUTH_FRAME_TIMEOUT_MS, mt as stripCode, n as AGENT_NAME_REGEX$1, nt as refreshTokenSchema, o as AGENT_TYPES, ot as selfServiceFeishuBotSchema, p as TASK_TERMINAL_STATUSES, pt as sessionStateMessageSchema, q as isReservedAgentName$1, r as AGENT_SELECTOR_HEADER$1, rt as runtimeStateMessageSchema, s as AGENT_VISIBILITY, st as sendMessageSchema, t as AGENT_BIND_REJECT_REASONS, tt as rebindAgentSchema, u as TASK_CREATOR_TYPES, ut as sessionEventMessageSchema, v as adminUpdateTaskSchema, vt as updateAgentSchema, w as clientRegisterSchema, wt as wsAuthFrameSchema, x as agentRuntimeConfigPayloadSchema$1, xt as updateMemberSchema, y as agentBindRequestSchema, yt as updateChatSchema, z as githubCallbackQuerySchema } from "./dist-BAqGZkco.mjs";
+import { a as ConflictError, c as UnauthorizedError, i as ClientUserMismatchError$1, l as organizations, n as BadRequestError, o as ForbiddenError, r as ClientOrgMismatchError$1, s as NotFoundError, t as AppError, u as users } from "./errors-BmyRwN0Y-Dad3eV8F.mjs";
+import { C as retireClient, D as touchAgent, E as setRuntimeState, O as unbindAgent, S as registerClient, T as setOffline, _ as listClients, a as claimClient, b as markStaleAgents, c as clients, d as getClient, f as getOnlineCount, g as listActiveAgentsPinnedToClient, h as heartbeatInstance, i as bindAgent, k as updateClientCapabilities, l as deriveAuthState, m as heartbeatClient, n as agents, o as cleanupStaleClients, p as getPresence, r as assertClientOwner, s as cleanupStalePresence, t as agentPresence, u as disconnectClient, v as listClientsForOrgAdmin, w as serverInstances, x as members } from "./client-CLdRbuml-BRtalKpQ.mjs";
+import { n as init_esm, r as trace, t as esm_exports } from "./esm-Ci8E1Gtj.mjs";
+import { a as invitationRedemptions, c as recordRedemption, i as getActiveInvitation, l as rotateInvitation, n as ensureActiveInvitation, o as invitations, r as findActiveByToken, t as buildInviteUrl, u as uuidv7 } from "./invitation-Dnn5gGGX-DXryyvRG.mjs";
 import { createRequire } from "node:module";
 import { ZodError, z } from "zod";
-import { basename, delimiter, dirname, isAbsolute, join, resolve } from "node:path";
+import { basename, delimiter, dirname, extname, isAbsolute, join, normalize, relative, resolve, sep } from "node:path";
 import { Writable } from "node:stream";
 import { homedir, hostname, platform, tmpdir, userInfo } from "node:os";
 import { EventEmitter } from "node:events";
 import { closeSync, copyFileSync, existsSync, mkdirSync, openSync, readFileSync, readdirSync, realpathSync, renameSync, rmSync, statSync, unlinkSync, watch, writeFileSync, writeSync } from "node:fs";
 import { createCipheriv, createDecipheriv, createHash, createHmac, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
 import WebSocket from "ws";
-import { mkdir, writeFile } from "node:fs/promises";
+import { mkdir, readFile, readdir, stat, writeFile } from "node:fs/promises";
 import { parse, stringify } from "yaml";
 import { query } from "@anthropic-ai/claude-agent-sdk";
-import { execFileSync, execSync, spawn, spawnSync } from "node:child_process";
+import { execFile, execFileSync, execSync, spawn, spawnSync } from "node:child_process";
 import { Codex } from "@openai/codex-sdk";
 import { fileURLToPath } from "node:url";
 import * as semver from "semver";
@@ -29,12 +30,14 @@ import { drizzle } from "drizzle-orm/postgres-js";
 import postgres from "postgres";
 import { migrate } from "drizzle-orm/postgres-js/migrator";
 import { bigserial, boolean, index, integer, jsonb, pgTable, primaryKey, serial, text, timestamp, unique, uniqueIndex } from "drizzle-orm/pg-core";
+import { SignJWT, jwtVerify } from "jose";
 import cors from "@fastify/cors";
 import rateLimit from "@fastify/rate-limit";
 import fastifyStatic from "@fastify/static";
 import websocket from "@fastify/websocket";
 import Fastify from "fastify";
-import { SignJWT, jwtVerify } from "jose";
+import { promisify } from "node:util";
+import matter from "gray-matter";
 import { Client, EventDispatcher, LoggerLevel, WSClient } from "@larksuiteoapi/node-sdk";
 //#region ../client/dist/observability-B4kO005X.mjs
 var import_pino = /* @__PURE__ */ __toESM(require_pino(), 1);
@@ -832,6 +835,104 @@ z.object({
 	limit: z.coerce.number().int().min(1).max(100).default(20),
 	cursor: z.string().optional()
 });
+const contextTreeSnapshotStatusSchema = z.enum([
+	"active",
+	"stale",
+	"unavailable"
+]);
+const contextTreeStatusSeveritySchema = z.enum([
+	"ok",
+	"warning",
+	"error"
+]);
+const contextTreeStatusSchema = z.object({
+	label: z.string(),
+	detail: z.string().nullable(),
+	severity: contextTreeStatusSeveritySchema
+});
+const contextTreeNodeKindSchema = z.enum([
+	"root",
+	"domain",
+	"subdomain",
+	"leaf"
+]);
+const contextTreeChangeTypeSchema = z.enum([
+	"added",
+	"edited",
+	"removed"
+]);
+const contextTreeEdgeKindSchema = z.enum([
+	"parent",
+	"soft_link",
+	"markdown_link"
+]);
+const contextTreeRiskLevelSchema = z.enum([
+	"low",
+	"medium",
+	"high"
+]);
+const contextTreeNodeSchema = z.object({
+	id: z.string(),
+	path: z.string(),
+	sourcePath: z.string().nullable(),
+	title: z.string(),
+	kind: contextTreeNodeKindSchema,
+	owners: z.array(z.string()),
+	parentId: z.string().nullable(),
+	preview: z.string().nullable(),
+	relatedNodeIds: z.array(z.string()),
+	affectedContextArea: z.string(),
+	changeType: contextTreeChangeTypeSchema.nullable(),
+	changedAtCommit: z.string().nullable()
+});
+const contextTreeEdgeSchema = z.object({
+	source: z.string(),
+	target: z.string(),
+	kind: contextTreeEdgeKindSchema
+});
+const contextTreeChangeSchema = z.object({
+	path: z.string(),
+	nodeId: z.string().nullable(),
+	type: contextTreeChangeTypeSchema,
+	commit: z.string().nullable(),
+	changedAt: z.string().nullable(),
+	changedBy: z.string().nullable(),
+	summary: z.string().nullable()
+});
+const contextTreeUpdateSchema = z.object({
+	id: z.string(),
+	nodeId: z.string().nullable(),
+	path: z.string(),
+	title: z.string(),
+	changeType: contextTreeChangeTypeSchema,
+	affectedContextArea: z.string(),
+	reason: z.string(),
+	summary: z.string(),
+	changedBy: z.string().nullable(),
+	owners: z.array(z.string()),
+	relatedNodeIds: z.array(z.string()),
+	sourceCommit: z.string().nullable(),
+	riskLevel: contextTreeRiskLevelSchema
+});
+const contextTreeSummarySchema = z.object({
+	addedCount: z.number().int().nonnegative(),
+	editedCount: z.number().int().nonnegative(),
+	removedCount: z.number().int().nonnegative(),
+	changedNodeCount: z.number().int().nonnegative()
+});
+z.object({
+	repo: z.string().nullable(),
+	branch: z.string().nullable(),
+	headCommit: z.string().nullable(),
+	syncedAt: z.string().nullable(),
+	snapshotStatus: contextTreeSnapshotStatusSchema,
+	contextStatus: contextTreeStatusSchema,
+	summary: contextTreeSummarySchema,
+	updates: z.array(contextTreeUpdateSchema),
+	nodes: z.array(contextTreeNodeSchema),
+	edges: z.array(contextTreeEdgeSchema),
+	changes: z.array(contextTreeChangeSchema)
+});
 /**
 * MIME types the web + client image paths recognise. Kept in sync with
 * Claude's vision API (see packages/client/src/handlers/claude-code.ts).
@@ -1584,10 +1685,11 @@ defineConfig({
 		connectTokenExpiry: field(z.string().default("10m"), { env: "FIRST_TREE_HUB_AUTH_CONNECT_TOKEN_EXPIRY" })
 	},
 	contextTree: optional({
-		repo: field(z.string(), {
+		repo: field(z.string().optional(), {
 			env: "FIRST_TREE_HUB_CONTEXT_TREE_REPO",
 			prompt: { message: "Context Tree repo URL (e.g. https://github.com/org/first-tree):" }
 		}),
+		localPath: field(z.string().optional(), { env: "FIRST_TREE_HUB_CONTEXT_TREE_PATH" }),
 		branch: field(z.string().default("main"))
 	}),
 	github: {
@@ -1610,6 +1712,7 @@ defineConfig({
 		max: field(z.number().default(100), { env: "FIRST_TREE_HUB_RATE_LIMIT_MAX" }),
 		loginMax: field(z.number().default(5), { env: "FIRST_TREE_HUB_RATE_LIMIT_LOGIN_MAX" }),
 		webhookMax: field(z.number().default(60), { env: "FIRST_TREE_HUB_RATE_LIMIT_WEBHOOK_MAX" }),
+		contextTreeSnapshotMax: field(z.number().default(6), { env: "FIRST_TREE_HUB_RATE_LIMIT_CONTEXT_TREE_SNAPSHOT_MAX" }),
 		agentMessageMax: field(z.number().default(30), { env: "FIRST_TREE_HUB_RATE_LIMIT_AGENT_MESSAGE_MAX" })
 	}),
 	ws: optional({ maxPayload: field(z.number().int().min(1024).default(262144), { env: "FIRST_TREE_HUB_WS_MAX_PAYLOAD" }) }),
@@ -1706,10 +1809,12 @@ var FirstTreeHubSDK = class {
 	_baseUrl;
 	getAccessToken;
 	_agentId;
+	_userAgent;
 	constructor(config) {
 		this._baseUrl = config.serverUrl.replace(/\/+$/, "");
 		this.getAccessToken = config.getAccessToken;
 		this._agentId = config.agentId;
+		this._userAgent = config.userAgent;
 	}
 	/** Server base URL (without trailing slash). */
 	get serverUrl() {
@@ -1761,7 +1866,12 @@ var FirstTreeHubSDK = class {
 	async isHubReachable(timeoutMs = 3e3) {
 		try {
 			const url = `${this._baseUrl}/api/v1/health`;
-			return (await fetch(url, { signal: AbortSignal.timeout(timeoutMs) })).ok;
+			const headers = {};
+			if (this._userAgent) headers["User-Agent"] = this._userAgent;
+			return (await fetch(url, {
+				signal: AbortSignal.timeout(timeoutMs),
+				headers
+			})).ok;
 		} catch {
 			return false;
 		}
@@ -1820,6 +1930,7 @@ var FirstTreeHubSDK = class {
 		const url = `${this._baseUrl}${path}`;
 		const headers = { Authorization: `Bearer ${await this.getAccessToken()}` };
 		if (this._agentId) headers[AGENT_SELECTOR_HEADER] = this._agentId;
+		if (this._userAgent) headers["User-Agent"] = this._userAgent;
 		if (init?.body) headers["Content-Type"] = "application/json";
 		const timeout = AbortSignal.timeout(FETCH_TIMEOUT_MS);
 		const signal = init?.signal ? AbortSignal.any([init.signal, timeout]) : timeout;
@@ -1929,6 +2040,7 @@ var ClientConnection = class extends EventEmitter {
 	clientId;
 	serverUrl;
 	sdkVersion;
+	userAgent;
 	getAccessToken;
 	ws = null;
 	wsConnectTimer = null;
@@ -1982,6 +2094,7 @@ var ClientConnection = class extends EventEmitter {
 		this.clientId = config.clientId ?? process.env.FIRST_TREE_HUB_CLIENT_ID ?? `client_${randomUUID().slice(0, 8)}`;
 		this.serverUrl = config.serverUrl.replace(/\/+$/, "");
 		this.sdkVersion = config.sdkVersion;
+		this.userAgent = config.userAgent;
 		this.getAccessToken = config.getAccessToken;
 		this.wsLogger = createLogger("ws").child({ clientId: this.clientId });
 		this.authLogger = createLogger("auth").child({ clientId: this.clientId });
@@ -2123,7 +2236,7 @@ var ClientConnection = class extends EventEmitter {
 		return new Promise((resolve, reject) => {
 			const wsUrl = `${this.serverUrl.replace(/^http/, "ws")}/api/v1/agent/ws/client`;
 			this.wsLogger.info({ url: wsUrl }, "connecting");
-			const ws = new WebSocket(wsUrl);
+			const ws = new WebSocket(wsUrl, this.userAgent ? { headers: { "User-Agent": this.userAgent } } : void 0);
 			let settled = false;
 			const settle = (fn, value) => {
 				if (settled) return;
@@ -2274,7 +2387,8 @@ var ClientConnection = class extends EventEmitter {
 				const sdk = new FirstTreeHubSDK({
 					serverUrl: this.serverUrl,
 					getAccessToken: this.getAccessToken,
-					agentId
+					agentId,
+					userAgent: this.userAgent
 				});
 				const agent = {
 					agentId,
@@ -5960,71 +6074,6 @@ function sleep(ms) {
 	return new Promise((resolve) => setTimeout(resolve, ms));
 }
 //#endregion
-//#region src/core/output.ts
-/**
-* Print layer — the only place CLI code should write to stdout/stderr.
-*
-* Contract:
-* - `print.result(data)` / `print.fail(...)` emit machine-readable JSON on
-*   stdout / stderr respectively. Scripts pipe into `jq` and expect a clean
-*   envelope, so nothing else may touch stdout.
-* - `print.status` / `print.check` / `print.blank` / `print.line` are
-*   human-friendly and go to stderr so they never pollute a redirected stdout.
-*   In `--json` mode they are silenced — scripted consumers only care about
-*   the envelope.
-*/
-let jsonMode = false;
-function setJsonMode(enabled) {
-	jsonMode = enabled;
-}
-function result(data) {
-	process.stdout.write(`${JSON.stringify({
-		ok: true,
-		data
-	})}\n`);
-}
-function fail$1(code, message, exitCode = 1) {
-	process.stderr.write(`${JSON.stringify({
-		ok: false,
-		error: {
-			code,
-			message
-		}
-	})}\n`);
-	process.exit(exitCode);
-}
-function status(label, message) {
-	if (jsonMode) return;
-	process.stderr.write(`  ${label.padEnd(20)} ${message}\n`);
-}
-function check(pass, label, detail = "") {
-	if (jsonMode) return;
-	const icon = pass ? "✓" : "✗";
-	const tail = detail ? ` ${detail}` : "";
-	process.stderr.write(`  ${icon} ${label.padEnd(22)}${tail}\n`);
-}
-function blank() {
-	if (jsonMode) return;
-	process.stderr.write("\n");
-}
-/**
-* Generic stderr writer for pre-formatted human text (multi-line tables,
-* interactive prompts). Prefer `status` / `check` when the text fits; this
-* exists so the `--json` mode gate can silence arbitrary human chatter.
-*/
-function line(text) {
-	if (jsonMode) return;
-	process.stderr.write(text);
-}
-const print = {
-	result,
-	fail: fail$1,
-	status,
-	check,
-	blank,
-	line
-};
-//#endregion
 //#region src/cli/output.ts
 /**
 * CLI output re-exports. The underlying implementation lives in
@@ -6389,6 +6438,7 @@ var ClientRuntime = class {
 			serverUrl,
 			clientId,
 			sdkVersion: options.currentVersion,
+			userAgent: CLI_USER_AGENT,
 			getAccessToken: (opts) => ensureFreshAccessToken(opts)
 		});
 		registerBuiltinHandlers();
@@ -7543,7 +7593,7 @@ async function checkServerHealth() {
 	const port = get(config, "server.port") ?? 8e3;
 	const url = `http://${host}:${port}/healthz`;
 	try {
-		const res = await fetch(url, { signal: AbortSignal.timeout(3e3) });
+		const res = await cliFetch(url, { signal: AbortSignal.timeout(3e3) });
 		if (res.ok) return {
 			label: "Server Health",
 			ok: true,
@@ -7594,7 +7644,7 @@ async function checkServerReachable() {
 		detail: "not configured (FIRST_TREE_HUB_SERVER_URL or config file)"
 	};
 	try {
-		const res = await fetch(`${serverUrl}/healthz`, { signal: AbortSignal.timeout(5e3) });
+		const res = await cliFetch(`${serverUrl}/healthz`, { signal: AbortSignal.timeout(5e3) });
 		if (res.ok) return {
 			label: "Server URL",
 			ok: true,
@@ -7739,7 +7789,7 @@ async function checkWebSocket() {
 	};
 	const wsUrl = serverUrl.replace(/^http/, "ws");
 	try {
-		if ((await fetch(`${serverUrl}/healthz`, { signal: AbortSignal.timeout(3e3) })).ok) return {
+		if ((await cliFetch(`${serverUrl}/healthz`, { signal: AbortSignal.timeout(3e3) })).ok) return {
 			label: "WebSocket",
 			ok: true,
 			detail: `${wsUrl} (server reachable)`
@@ -7829,7 +7879,7 @@ function createApiNameResolver(serverUrl, getAccessToken) {
 		if (cache) return cache;
 		const token = await getAccessToken();
 		const map = /* @__PURE__ */ new Map();
-		const res = await fetch(`${serverUrl}/api/v1/me/managed-agents`, {
+		const res = await cliFetch(`${serverUrl}/api/v1/me/managed-agents`, {
 			method: "GET",
 			headers: { Authorization: `Bearer ${token}` },
 			signal: AbortSignal.timeout(1e4)
@@ -8061,7 +8111,7 @@ async function onboardCheck(args) {
 			value: serverUrl
 		});
 		try {
-			const res = await fetch(`${serverUrl}/api/v1/health`);
+			const res = await cliFetch(`${serverUrl}/api/v1/health`);
 			items.push({
 				key: "server_reachable",
 				label: "Server reachable",
@@ -8133,7 +8183,7 @@ function formatCheckReport(items) {
 	return lines.join("\n");
 }
 async function resolveDefaultOrgId$1(serverUrl, accessToken) {
-	const res = await fetch(`${serverUrl}/api/v1/me`, {
+	const res = await cliFetch(`${serverUrl}/api/v1/me`, {
 		headers: { Authorization: `Bearer ${accessToken}` },
 		signal: AbortSignal.timeout(1e4)
 	});
@@ -8145,7 +8195,7 @@ async function resolveDefaultOrgId$1(serverUrl, accessToken) {
 	throw new Error("Multiple organizations — pass --org explicitly to onboard");
 }
 async function createAgentViaAdmin(serverUrl, accessToken, orgId, body) {
-	const res = await fetch(`${serverUrl}/api/v1/orgs/${encodeURIComponent(orgId)}/agents`, {
+	const res = await cliFetch(`${serverUrl}/api/v1/orgs/${encodeURIComponent(orgId)}/agents`, {
 		method: "POST",
 		headers: {
 			Authorization: `Bearer ${accessToken}`,
@@ -8204,7 +8254,7 @@ async function onboardCreate(args) {
 	}
 	const runtimeAgent = args.type === "human" ? args.assistant : args.id;
 	if (args.feishuBotAppId && args.feishuBotAppSecret) {
-		const { bindFeishuBot } = await import("./feishu-AEMHwT6L.mjs").then((n) => n.r);
+		const { bindFeishuBot } = await import("./feishu-Th_-ivJ7.mjs").then((n) => n.r);
 		const targetAgentUuid = args.type === "human" ? assistantUuid : primary.uuid;
 		if (!targetAgentUuid) print.line(`Warning: Cannot bind Feishu bot — no runtime agent available for "${args.id}".\n`);
 		else {
@@ -8304,7 +8354,7 @@ async function promptAddAgent(opts = {}) {
 		validate: (v) => v.length > 0 ? true : "Agent UUID is required"
 	});
 	const token = await ensureFreshAccessToken();
-	const res = await fetch(`${serverUrl}/api/v1/agents/${encodeURIComponent(agentId)}`, {
+	const res = await cliFetch(`${serverUrl}/api/v1/agents/${encodeURIComponent(agentId)}`, {
 		headers: { Authorization: `Bearer ${token}` },
 		signal: AbortSignal.timeout(1e4)
 	});
@@ -8376,7 +8426,7 @@ function setNestedByDot(obj, dotPath, value) {
 * value (the in-band repair path catches any remaining drift on first bind).
 */
 async function reconcileLocalRuntimeProviders(opts) {
-	const res = await fetch(`${opts.serverUrl}/api/v1/me/pinned-agents`, { headers: { Authorization: `Bearer ${opts.accessToken}` } });
+	const res = await cliFetch(`${opts.serverUrl}/api/v1/me/pinned-agents`, { headers: { Authorization: `Bearer ${opts.accessToken}` } });
 	if (!res.ok) throw new Error(`hub returned ${res.status} on /clients/me/agents`);
 	const items = await res.json();
 	const byAgentId = new Map(items.map((it) => [it.agentId, it]));
@@ -8416,7 +8466,7 @@ async function reconcileLocalRuntimeProviders(opts) {
 * client startup since capabilities only matter for UI / admin checks.
 */
 async function uploadClientCapabilities(opts) {
-	const res = await fetch(`${opts.serverUrl}/api/v1/clients/${encodeURIComponent(opts.clientId)}/capabilities`, {
+	const res = await cliFetch(`${opts.serverUrl}/api/v1/clients/${encodeURIComponent(opts.clientId)}/capabilities`, {
 		method: "PATCH",
 		headers: {
 			Authorization: `Bearer ${opts.accessToken}`,
@@ -8960,7 +9010,7 @@ function formatErrorTraces(traces) {
 	].join("\n");
 }
 const SUBSCRIBERS_PATH = "subscribers.json";
-function normalize(email) {
+function normalize$1(email) {
 	return email.toLowerCase().trim();
 }
 async function readSubscribers(config, branch) {
@@ -8993,7 +9043,7 @@ async function writeSubscribers(config, branch, data, sha, message) {
 */
 async function addSubscriber(config, issueNumber, email, options = {}) {
 	const branch = options.branch ?? "hearback-data";
-	const normalized = normalize(email);
+	const normalized = normalize$1(email);
 	const key = String(issueNumber);
 	await ensureBranch(config, branch);
 	for (let attempt = 0; attempt < 2; attempt++) {
@@ -9417,7 +9467,7 @@ function createFeedbackHandler(config) {
 	return { handle };
 }
 //#endregion
-//#region ../server/dist/app-CsaZ6IX8.mjs
+//#region ../server/dist/app-EvpSNDM6.mjs
 var import_fastify_opentelemetry = /* @__PURE__ */ __toESM(require_fastify_opentelemetry(), 1);
 init_esm();
 var __defProp = Object.defineProperty;
@@ -13551,8 +13601,12 @@ function clientWsRoutes(notifier, instanceId) {
 	return async (app) => {
 		const jwtSecretBytes = new TextEncoder().encode(app.config.secrets.jwtSecret);
 		const inboxMaxInFlightPerAgent = app.config.inbox?.maxInFlightPerAgent ?? DEFAULT_INBOX_MAX_IN_FLIGHT_PER_AGENT;
-		app.get("/client", { websocket: true }, async (socket) => {
-			startWsConnectionSpan(socket);
+		app.get("/client", { websocket: true }, async (socket, request) => {
+			const ua = request.headers["user-agent"];
+			startWsConnectionSpan(socket, {
+				remoteIp: request.ip,
+				userAgent: typeof ua === "string" ? ua.slice(0, 200) : void 0
+			});
 			let session = null;
 			let jwtDefaultOrgId = null;
 			let clientId = null;
@@ -14464,8 +14518,12 @@ async function refreshAccessToken(db, refreshToken, jwtSecretKey, expiries) {
 	try {
 		const { payload: p } = await jwtVerify(refreshToken, secret);
 		payload = p;
-	} catch {
-		throw new UnauthorizedError("Invalid or expired refresh token", { "auth.refresh.reason": "jwt_verify_failed" });
+	} catch (err) {
+		const untrusted = decodeJwtForTrace(refreshToken);
+		throw new UnauthorizedError("Invalid or expired refresh token", {
+			"auth.refresh.reason": classifyJoseError(err),
+			...untrustedAttrs("auth.refresh", untrusted)
+		});
 	}
 	if (payload.type !== "refresh" || !payload.sub) throw new UnauthorizedError("Invalid token type", {
 		"auth.refresh.reason": "wrong_token_type",
@@ -14516,10 +14574,17 @@ async function exchangeConnectToken(db, connectToken, jwtSecretKey, expiries) {
 	try {
 		const { payload: p } = await jwtVerify(connectToken, secret);
 		payload = p;
-	} catch {
-		throw new UnauthorizedError("Invalid or expired connect token");
+	} catch (err) {
+		const untrusted = decodeJwtForTrace(connectToken);
+		throw new UnauthorizedError("Invalid or expired connect token", {
+			"auth.connect.reason": classifyJoseError(err),
+			...untrustedAttrs("auth.connect", untrusted)
+		});
 	}
-	if (payload.type !== "connect" || !payload.sub) throw new UnauthorizedError("Invalid token type — expected connect token");
+	if (payload.type !== "connect" || !payload.sub) throw new UnauthorizedError("Invalid token type — expected connect token", {
+		"auth.connect.reason": "wrong_token_type",
+		"auth.connect.actual_type": String(payload.type ?? "<missing>")
+	});
 	const jti = payload.jti;
 	if (jti) {
 		if (consumedConnectJtis.has(jti)) throw new UnauthorizedError("Connect token has already been used");
@@ -15934,6 +15999,707 @@ async function contextTreeInfoRoutes(app) {
 		};
 	});
 }
+const execFileAsync = promisify(execFile);
+const ROOT_NODE_ID = "root";
+const NODE_FILE = "NODE.md";
+const EMPTY_TREE_COMMIT = "4b825dc642cb6eb9a060e54bf8d69288fbee4904";
+const MAX_DIFF_ENTRIES = 200;
+const MAX_MARKDOWN_FILES = 1e3;
+const MAX_MARKDOWN_FILE_BYTES = 512 * 1024;
+const SNAPSHOT_CACHE_TTL_MS = 3e4;
+const GIT_TIMEOUT_MS = 5e3;
+const GIT_MAX_BUFFER = 10 * 1024 * 1024;
+const GIT_LOG_RECORD_SEPARATOR = "";
+const CONTEXT_TREE_SNAPSHOT_WINDOWS = {
+	ONE_DAY: "1d",
+	SEVEN_DAYS: "7d",
+	THIRTY_DAYS: "30d"
+};
+const WINDOW_DAYS = {
+	"1d": 1,
+	"7d": 7,
+	"30d": 30
+};
+const snapshotCache = /* @__PURE__ */ new Map();
+async function getContextTreeSnapshot(config, window = CONTEXT_TREE_SNAPSHOT_WINDOWS.SEVEN_DAYS) {
+	const repo = config.contextTree?.repo ?? null;
+	const branch = config.contextTree?.branch ?? null;
+	const resolved = resolveContextTreeRoot(repo, config.contextTree?.localPath);
+	if (!resolved.root) return unavailableSnapshot(repo, branch, resolved.reason);
+	const now = (/* @__PURE__ */ new Date()).toISOString();
+	try {
+		const headCommit = await gitOutput(resolved.root, ["rev-parse", "HEAD"]);
+		const actualBranch = await safeGitOutput(resolved.root, [
+			"rev-parse",
+			"--abbrev-ref",
+			"HEAD"
+		]);
+		if (branch && actualBranch && actualBranch !== branch) return unavailableSnapshot(repo, actualBranch, `Context Tree checkout is on branch "${actualBranch}", but server config expects "${branch}".`);
+		const comparisonBaseCommit = await comparisonBaseForWindow(resolved.root, window);
+		const cacheKey = snapshotCacheKey(resolved.root, actualBranch ?? branch, headCommit, comparisonBaseCommit, window);
+		const cached = snapshotCache.get(cacheKey);
+		if (cached && cached.expiresAt > Date.now()) return {
+			...cached.snapshot,
+			syncedAt: now
+		};
+		const tree = buildTree(await readMarkdownFiles(resolved.root));
+		const diffResult = comparisonBaseCommit ? await readDiffEntries(resolved.root, comparisonBaseCommit, headCommit) : {
+			entries: [],
+			truncated: false
+		};
+		const changes = buildChanges(diffResult.entries, tree);
+		const nodesWithGhosts = addRemovedGhostNodes(applyChangesToNodes(tree.nodes, changes), changes);
+		const summary = summarizeChanges(changes);
+		const updates = buildUpdates(changes, nodesWithGhosts);
+		const statusWarning = contextStatusWarning(diffResult.truncated);
+		const snapshot = {
+			repo,
+			branch: actualBranch ?? branch,
+			headCommit,
+			syncedAt: now,
+			snapshotStatus: "active",
+			contextStatus: {
+				label: statusWarning ? "Team context needs attention" : "Team context is current",
+				detail: statusWarning ?? "Agents have a synced team context snapshot available.",
+				severity: statusWarning ? "warning" : "ok"
+			},
+			summary,
+			updates,
+			nodes: nodesWithGhosts,
+			edges: tree.edges,
+			changes
+		};
+		snapshotCache.set(cacheKey, {
+			expiresAt: Date.now() + SNAPSHOT_CACHE_TTL_MS,
+			snapshot
+		});
+		return snapshot;
+	} catch (error) {
+		return unavailableSnapshot(repo, branch, error instanceof Error ? error.message : "Unable to read Context Tree snapshot");
+	}
+}
+function snapshotCacheKey(root, branch, headCommit, comparisonBase, window) {
+	return [
+		root,
+		branch ?? "unknown",
+		headCommit,
+		comparisonBase ?? "none",
+		window
+	].join(":");
+}
+function contextStatusWarning(truncated) {
+	if (truncated) return `Showing the first ${MAX_DIFF_ENTRIES} changed files.`;
+	return null;
+}
+function resolveContextTreeRoot(repo, localPath) {
+	const candidate = localPath && localPath.trim().length > 0 ? localPath : repo;
+	if (!candidate) return {
+		root: null,
+		reason: "Context Tree is not configured."
+	};
+	const normalized = candidate.startsWith("file://") ? candidate.slice(7) : candidate;
+	const root = isAbsolute(normalized) ? normalize(normalized) : resolve(process.cwd(), normalized);
+	if (existsSync(root)) return {
+		root,
+		reason: "ok"
+	};
+	if (/^https?:\/\//.test(normalized) || /^[^/]+\/[^/]+$/.test(normalized)) return {
+		root: null,
+		reason: "Context Tree repo is configured as a remote URL. Set FIRST_TREE_HUB_CONTEXT_TREE_PATH to a readable local checkout for this version."
+	};
+	return {
+		root: null,
+		reason: `Context Tree checkout not found at ${root}.`
+	};
+}
+function unavailableSnapshot(repo, branch, detail) {
+	return {
+		repo,
+		branch,
+		headCommit: null,
+		syncedAt: null,
+		snapshotStatus: "unavailable",
+		contextStatus: {
+			label: "Team context unavailable",
+			detail,
+			severity: "error"
+		},
+		summary: {
+			addedCount: 0,
+			editedCount: 0,
+			removedCount: 0,
+			changedNodeCount: 0
+		},
+		updates: [],
+		nodes: [],
+		edges: [],
+		changes: []
+	};
+}
+async function gitOutput(cwd, args) {
+	const { stdout } = await execFileAsync("git", args, {
+		cwd,
+		timeout: GIT_TIMEOUT_MS,
+		maxBuffer: GIT_MAX_BUFFER
+	});
+	return stdout.trim();
+}
+async function safeGitOutput(cwd, args) {
+	try {
+		return await gitOutput(cwd, args);
+	} catch {
+		return null;
+	}
+}
+async function readMarkdownFiles(root) {
+	const paths = (await walkMarkdown(root, root)).slice(0, MAX_MARKDOWN_FILES);
+	return (await Promise.all(paths.map(async (path) => {
+		const absolutePath = join(root, path);
+		if ((await stat(absolutePath)).size > MAX_MARKDOWN_FILE_BYTES) return null;
+		return {
+			relativePath: path,
+			parsed: parseMarkdown(await readFile(absolutePath, "utf8"))
+		};
+	}))).filter((file) => file !== null);
+}
+function parseMarkdown(raw) {
+	try {
+		const parsed = matter(raw);
+		return {
+			content: parsed.content,
+			data: parsed.data
+		};
+	} catch {
+		return parseMarkdownFallback(raw);
+	}
+}
+function parseMarkdownFallback(raw) {
+	const match = /^---\r?\n([\s\S]*?)\r?\n---\r?\n?/.exec(raw);
+	if (!match) return {
+		content: raw,
+		data: {}
+	};
+	const frontmatter = match[1] ?? "";
+	const data = {};
+	for (const line of frontmatter.split(/\r?\n/)) {
+		const field = /^([A-Za-z0-9_-]+):\s*(.*)$/.exec(line.trim());
+		if (!field) continue;
+		const key = field[1];
+		const value = field[2] ?? "";
+		if (key === "title") {
+			data.title = value.replace(/^["']|["']$/g, "");
+			continue;
+		}
+		if (key === "owners" || key === "soft_links") data[key] = parseInlineStringList(value);
+	}
+	return {
+		content: raw.slice(match[0].length),
+		data
+	};
+}
+function parseInlineStringList(value) {
+	const trimmed = value.trim();
+	if (!trimmed.startsWith("[") || !trimmed.endsWith("]")) return [];
+	return trimmed.slice(1, -1).split(",").map((item) => item.trim().replace(/^["']|["']$/g, "")).filter((item) => item.length > 0);
+}
+async function walkMarkdown(root, current) {
+	const entries = await readdir(current, { withFileTypes: true });
+	const paths = [];
+	for (const entry of entries) {
+		if (entry.name === ".git" || entry.name === "node_modules") continue;
+		const absolute = join(current, entry.name);
+		if (entry.isDirectory()) {
+			paths.push(...await walkMarkdown(root, absolute));
+			continue;
+		}
+		if (entry.isFile() && extname(entry.name).toLowerCase() === ".md") paths.push(toPosix(relative(root, absolute)));
+	}
+	paths.sort((a, b) => a.localeCompare(b));
+	return paths;
+}
+function buildTree(files) {
+	const nodeBySourcePath = /* @__PURE__ */ new Map();
+	const nodeByTreePath = /* @__PURE__ */ new Map();
+	const dirNodeContent = /* @__PURE__ */ new Map();
+	const leafFiles = [];
+	const directories = new Set([""]);
+	for (const file of files) {
+		const dir = sourceDir(file.relativePath);
+		addDirectoryAncestors(directories, dir);
+		if (file.relativePath.endsWith(`/${NODE_FILE}`) || file.relativePath === NODE_FILE) dirNodeContent.set(dir, file);
+		else leafFiles.push(file);
+	}
+	const rootNode = {
+		id: ROOT_NODE_ID,
+		path: "",
+		sourcePath: NODE_FILE,
+		title: titleFromFile(dirNodeContent.get("")?.parsed.data, "Context Tree"),
+		kind: "root",
+		owners: ownersFromFile(dirNodeContent.get("")?.parsed.data),
+		parentId: null,
+		preview: previewFromContent(dirNodeContent.get("")?.parsed.content ?? ""),
+		relatedNodeIds: [],
+		affectedContextArea: "root",
+		changeType: null,
+		changedAtCommit: null
+	};
+	const nodes = [rootNode];
+	nodeByTreePath.set("", rootNode);
+	if (dirNodeContent.has("")) nodeBySourcePath.set(NODE_FILE, rootNode);
+	const sortedDirs = [...directories].filter((dir) => dir.length > 0).sort((a, b) => a.localeCompare(b));
+	for (const dir of sortedDirs) {
+		const source = dirNodeContent.get(dir);
+		const node = {
+			id: dirNodeId(dir),
+			path: dir,
+			sourcePath: source?.relativePath ?? null,
+			title: titleFromFile(source?.parsed.data, titleFromPath(dir)),
+			kind: kindForDirectory(dir),
+			owners: ownersFromFile(source?.parsed.data),
+			parentId: parentDir(dir) ? dirNodeId(parentDir(dir)) : ROOT_NODE_ID,
+			preview: previewFromContent(source?.parsed.content ?? ""),
+			relatedNodeIds: [],
+			affectedContextArea: contextAreaFromPath(dir),
+			changeType: null,
+			changedAtCommit: null
+		};
+		nodes.push(node);
+		nodeByTreePath.set(dir, node);
+		if (source) nodeBySourcePath.set(source.relativePath, node);
+	}
+	for (const file of leafFiles) {
+		const treePath = stripMarkdownExtension(file.relativePath);
+		const dir = sourceDir(file.relativePath);
+		const node = {
+			id: fileNodeId(file.relativePath),
+			path: treePath,
+			sourcePath: file.relativePath,
+			title: titleFromFile(file.parsed.data, titleFromPath(treePath)),
+			kind: "leaf",
+			owners: ownersFromFile(file.parsed.data),
+			parentId: dir ? dirNodeId(dir) : ROOT_NODE_ID,
+			preview: previewFromContent(file.parsed.content),
+			relatedNodeIds: [],
+			affectedContextArea: contextAreaFromPath(treePath),
+			changeType: null,
+			changedAtCommit: null
+		};
+		nodes.push(node);
+		nodeByTreePath.set(treePath, node);
+		nodeBySourcePath.set(file.relativePath, node);
+	}
+	const edges = parentEdges(nodes);
+	const relatedEdges = relatedEdgesForFiles(files, nodeByTreePath, nodeBySourcePath);
+	const relatedByNode = /* @__PURE__ */ new Map();
+	for (const edge of relatedEdges) {
+		if (!relatedByNode.has(edge.source)) relatedByNode.set(edge.source, /* @__PURE__ */ new Set());
+		relatedByNode.get(edge.source)?.add(edge.target);
+	}
+	return {
+		nodes: nodes.map((node) => ({
+			...node,
+			relatedNodeIds: [...relatedByNode.get(node.id) ?? /* @__PURE__ */ new Set()]
+		})),
+		edges: [...edges, ...relatedEdges],
+		nodeBySourcePath,
+		nodeByTreePath
+	};
+}
+function parentEdges(nodes) {
+	return nodes.filter((node) => node.parentId).map((node) => ({
+		source: node.parentId ?? ROOT_NODE_ID,
+		target: node.id,
+		kind: "parent"
+	}));
+}
+function relatedEdgesForFiles(files, nodeByTreePath, nodeBySourcePath) {
+	const edges = [];
+	const seen = /* @__PURE__ */ new Set();
+	for (const file of files) {
+		const sourceNode = nodeBySourcePath.get(file.relativePath);
+		if (!sourceNode) continue;
+		const softLinks = stringArrayField(file.parsed.data, "soft_links");
+		for (const link of softLinks) {
+			const target = resolveLinkedNode(link, file.relativePath, nodeByTreePath);
+			if (!target) continue;
+			const key = `${sourceNode.id}:soft_link:${target.id}`;
+			if (seen.has(key)) continue;
+			seen.add(key);
+			edges.push({
+				source: sourceNode.id,
+				target: target.id,
+				kind: "soft_link"
+			});
+		}
+		for (const link of markdownLinks(file.parsed.content)) {
+			const target = resolveLinkedNode(link, file.relativePath, nodeByTreePath);
+			if (!target) continue;
+			const key = `${sourceNode.id}:markdown_link:${target.id}`;
+			if (seen.has(key)) continue;
+			seen.add(key);
+			edges.push({
+				source: sourceNode.id,
+				target: target.id,
+				kind: "markdown_link"
+			});
+		}
+	}
+	return edges;
+}
+async function comparisonBaseForWindow(root, window) {
+	const commitBeforeWindow = await safeGitOutput(root, [
+		"rev-list",
+		"-1",
+		`--before=${(/* @__PURE__ */ new Date(Date.now() - WINDOW_DAYS[window] * 24 * 60 * 60 * 1e3)).toISOString()}`,
+		"HEAD"
+	]);
+	return commitBeforeWindow && commitBeforeWindow.length > 0 ? commitBeforeWindow : EMPTY_TREE_COMMIT;
+}
+async function readDiffEntries(root, comparisonBase, headCommit) {
+	if (!isSafeCommit(comparisonBase) || !isSafeCommit(headCommit)) return {
+		entries: [],
+		truncated: false
+	};
+	try {
+		const output = await gitOutput(root, [
+			"diff",
+			"--name-status",
+			"-M",
+			comparisonBase,
+			"HEAD",
+			"--",
+			"*.md"
+		]);
+		if (!output) return {
+			entries: [],
+			truncated: false
+		};
+		const pendingEntries = [];
+		for (const line of output.split("\n")) {
+			if (pendingEntries.length >= MAX_DIFF_ENTRIES) break;
+			const parts = line.split("	").filter(Boolean);
+			const status = parts[0];
+			if (!status) continue;
+			if (status.startsWith("R")) {
+				const oldPath = parts[1];
+				const newPath = parts[2];
+				if (oldPath) pendingEntries.push({
+					type: "removed",
+					path: toPosix(oldPath)
+				});
+				if (pendingEntries.length >= MAX_DIFF_ENTRIES) break;
+				if (newPath) pendingEntries.push({
+					type: "added",
+					path: toPosix(newPath)
+				});
+				continue;
+			}
+			const path = parts[1];
+			if (!path) continue;
+			if (status === "A") pendingEntries.push({
+				type: "added",
+				path: toPosix(path)
+			});
+			if (status === "M") pendingEntries.push({
+				type: "edited",
+				path: toPosix(path)
+			});
+			if (status === "D") pendingEntries.push({
+				type: "removed",
+				path: toPosix(path)
+			});
+		}
+		const metadataByPath = await readChangeMetadataByPath(root, comparisonBase, headCommit, pendingEntries.map((entry) => entry.path));
+		const entries = pendingEntries.map((entry) => ({
+			...entry,
+			...metadataByPath.get(entry.path) ?? fallbackChangeMetadata(headCommit)
+		}));
+		return {
+			entries,
+			truncated: output.split("\n").filter(Boolean).length > entries.length
+		};
+	} catch {
+		return {
+			entries: [],
+			truncated: false
+		};
+	}
+}
+async function readChangeMetadataByPath(root, comparisonBase, headCommit, paths) {
+	const uniquePaths = [...new Set(paths)];
+	const metadataByPath = /* @__PURE__ */ new Map();
+	if (uniquePaths.length === 0) return metadataByPath;
+	const output = await safeGitOutput(root, [
+		"log",
+		"--name-only",
+		`--format=${GIT_LOG_RECORD_SEPARATOR}%H%x00%cI%x00%an%x00%s`,
+		`${comparisonBase}..HEAD`,
+		"--",
+		...uniquePaths
+	]);
+	if (!output) return metadataByPath;
+	for (const rawRecord of output.split(GIT_LOG_RECORD_SEPARATOR)) {
+		const record = rawRecord.trim();
+		if (!record) continue;
+		const newlineIndex = record.indexOf("\n");
+		const header = newlineIndex === -1 ? record : record.slice(0, newlineIndex);
+		const changedPaths = newlineIndex === -1 ? [] : record.slice(newlineIndex + 1).split("\n").map((path) => toPosix(path.trim())).filter((path) => path.length > 0);
+		const fields = header.split("\0");
+		const commit = fields[0];
+		if (!commit || !isSafeCommit(commit)) continue;
+		const metadata = {
+			commit,
+			changedAt: fields[1] && fields[1].length > 0 ? fields[1] : null,
+			changedBy: fields[2] && fields[2].length > 0 ? fields[2] : null,
+			summary: cleanCommitSubject(fields[3] ?? null)
+		};
+		for (const changedPath of changedPaths) if (!metadataByPath.has(changedPath)) metadataByPath.set(changedPath, metadata);
+	}
+	for (const path of uniquePaths) if (!metadataByPath.has(path)) metadataByPath.set(path, fallbackChangeMetadata(headCommit));
+	return metadataByPath;
+}
+function fallbackChangeMetadata(headCommit) {
+	return {
+		commit: headCommit,
+		changedAt: null,
+		changedBy: null,
+		summary: null
+	};
+}
+function isSafeCommit(value) {
+	return /^[0-9a-f]{40}$/i.test(value);
+}
+function cleanCommitSubject(subject) {
+	if (!subject) return null;
+	const cleaned = subject.trim().replace(/^(feat|fix|docs|chore|refactor|test|style|perf|ci|build)(\([^)]+\))?:\s*/i, "").replace(/\s+/g, " ");
+	if (cleaned.length < 12) return null;
+	if (cleaned.length > 140) return `${cleaned.slice(0, 137)}...`;
+	if (/^(merge|wip|update|updated|change|changes)$/i.test(cleaned)) return null;
+	return cleaned;
+}
+function buildChanges(entries, tree) {
+	return entries.map((entry) => {
+		const node = tree.nodeBySourcePath.get(entry.path) ?? tree.nodeByTreePath.get(stripMarkdownExtension(entry.path));
+		return {
+			path: entry.path,
+			nodeId: node?.id ?? ghostNodeId(entry.path),
+			type: entry.type,
+			commit: entry.commit,
+			changedAt: entry.changedAt,
+			changedBy: entry.changedBy,
+			summary: entry.summary
+		};
+	});
+}
+function applyChangesToNodes(nodes, changes) {
+	const changeByNode = /* @__PURE__ */ new Map();
+	for (const change of changes) if (change.nodeId) changeByNode.set(change.nodeId, change);
+	return nodes.map((node) => {
+		const change = changeByNode.get(node.id);
+		if (!change) return node;
+		return {
+			...node,
+			changeType: change.type,
+			changedAtCommit: change.commit
+		};
+	});
+}
+function addRemovedGhostNodes(nodes, changes) {
+	const nodeIds = new Set(nodes.map((node) => node.id));
+	const ghosts = [];
+	for (const change of changes) {
+		if (change.type !== "removed" || !change.nodeId || nodeIds.has(change.nodeId)) continue;
+		const treePath = stripMarkdownExtension(change.path);
+		const dir = sourceDir(change.path);
+		const parentNodeId = dir ? dirNodeId(dir) : ROOT_NODE_ID;
+		ghosts.push({
+			id: change.nodeId,
+			path: treePath,
+			sourcePath: change.path,
+			title: titleFromPath(treePath),
+			kind: "leaf",
+			owners: [],
+			parentId: nodeIds.has(parentNodeId) ? parentNodeId : ROOT_NODE_ID,
+			preview: null,
+			relatedNodeIds: [],
+			affectedContextArea: contextAreaFromPath(treePath),
+			changeType: "removed",
+			changedAtCommit: change.commit
+		});
+	}
+	return [...nodes, ...ghosts];
+}
+function summarizeChanges(changes) {
+	let addedCount = 0;
+	let editedCount = 0;
+	let removedCount = 0;
+	for (const change of changes) {
+		if (change.type === "added") addedCount += 1;
+		if (change.type === "edited") editedCount += 1;
+		if (change.type === "removed") removedCount += 1;
+	}
+	return {
+		addedCount,
+		editedCount,
+		removedCount,
+		changedNodeCount: changes.length
+	};
+}
+function buildUpdates(changes, nodes) {
+	const nodeById = new Map(nodes.map((node) => [node.id, node]));
+	const updates = changes.map((change) => {
+		const node = change.nodeId ? nodeById.get(change.nodeId) : void 0;
+		const path = node?.path ?? stripMarkdownExtension(change.path);
+		const title = node?.title ?? titleFromPath(path);
+		const affectedContextArea = node?.affectedContextArea ?? contextAreaFromPath(path);
+		return {
+			id: `update:${change.type}:${change.path}`,
+			nodeId: change.nodeId,
+			path,
+			title,
+			changeType: change.type,
+			affectedContextArea,
+			reason: reasonForUpdate(change.type, affectedContextArea),
+			summary: changeSummaryForUpdate(change, node),
+			changedBy: change.changedBy,
+			owners: node?.owners ?? [],
+			relatedNodeIds: node?.relatedNodeIds ?? [],
+			sourceCommit: change.commit,
+			riskLevel: riskLevelForChange(change.type, node?.kind)
+		};
+	});
+	updates.sort((a, b) => updateRank(a) - updateRank(b) || a.path.localeCompare(b.path));
+	return updates;
+}
+function changeSummaryForUpdate(change, node) {
+	if (change.summary) return change.summary;
+	if (change.type === "added") return "added this team knowledge";
+	if (change.type === "removed") return "removed this team knowledge";
+	return node ? `updated ${node.title}` : "updated this team knowledge";
+}
+function updateRank(update) {
+	const depth = update.path.split("/").filter(Boolean).length;
+	const specificityRank = depth >= 2 ? 0 : depth === 1 ? 1 : 2;
+	const typeRank = update.changeType === "removed" ? 0 : update.changeType === "added" ? 1 : 2;
+	return specificityRank * 10 + typeRank;
+}
+function riskLevelForChange(changeType, kind) {
+	if (changeType === "removed") return "high";
+	if (kind === "root" || kind === "domain" || kind === "subdomain") return "medium";
+	return "low";
+}
+function reasonForUpdate(changeType, affectedContextArea) {
+	if (changeType === "added") return `Agents can use new team knowledge when working on ${affectedContextArea}.`;
+	if (changeType === "removed") return `Agents should stop using the old team knowledge for ${affectedContextArea}.`;
+	return `Agents can use updated team knowledge when working on ${affectedContextArea}.`;
+}
+function titleFromFile(data, fallback) {
+	return stringField(data, "title") ?? fallback;
+}
+function ownersFromFile(data) {
+	return stringArrayField(data, "owners");
+}
+function stringField(data, key) {
+	if (!isRecord$1(data)) return null;
+	const value = data[key];
+	return typeof value === "string" && value.trim().length > 0 ? value.trim() : null;
+}
+function stringArrayField(data, key) {
+	if (!isRecord$1(data)) return [];
+	const value = data[key];
+	if (!Array.isArray(value)) return [];
+	return value.filter((item) => typeof item === "string" && item.trim().length > 0);
+}
+function isRecord$1(value) {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function previewFromContent(content) {
+	const normalized = content.split("\n").map((line) => line.trim()).filter((line) => line.length > 0 && !line.startsWith("#")).join(" ");
+	if (!normalized) return null;
+	return normalized.length > 240 ? `${normalized.slice(0, 237)}...` : normalized;
+}
+function markdownLinks(content) {
+	const links = [];
+	const re = /\[[^\]]+\]\(([^)]+)\)/g;
+	let match = re.exec(content);
+	while (match) {
+		const target = match[1];
+		if (target && !/^https?:\/\//.test(target) && !target.startsWith("#")) links.push(target.split("#")[0] ?? target);
+		match = re.exec(content);
+	}
+	return links;
+}
+function resolveLinkedNode(link, fromSourcePath, nodeByTreePath) {
+	const withoutAnchor = link.split("#")[0] ?? link;
+	if (!withoutAnchor) return null;
+	const baseDir = sourceDir(fromSourcePath);
+	const cleaned = (withoutAnchor.startsWith("/") ? withoutAnchor.slice(1) : toPosix(normalize(join(baseDir, withoutAnchor)))).replace(/^\.\//, "");
+	const candidates = [
+		stripMarkdownExtension(cleaned),
+		stripMarkdownExtension(cleaned.replace(/\/NODE\.md$/i, "")),
+		cleaned.replace(/\/$/g, "")
+	].filter((candidate) => candidate.length > 0);
+	for (const candidate of candidates) {
+		const node = nodeByTreePath.get(candidate);
+		if (node) return node;
+	}
+	return null;
+}
+function addDirectoryAncestors(directories, dir) {
+	if (!dir) return;
+	const parts = dir.split("/");
+	for (let i = 1; i <= parts.length; i += 1) directories.add(parts.slice(0, i).join("/"));
+}
+function kindForDirectory(dir) {
+	return dir.includes("/") ? "subdomain" : "domain";
+}
+function sourceDir(path) {
+	const dir = toPosix(dirname(path));
+	return dir === "." ? "" : dir;
+}
+function parentDir(dir) {
+	const parent = toPosix(dirname(dir));
+	return parent === "." ? "" : parent;
+}
+function stripMarkdownExtension(path) {
+	return path.replace(/\/NODE\.md$/i, "").replace(/\.md$/i, "");
+}
+function titleFromPath(path) {
+	return (path.split("/").filter(Boolean).at(-1) ?? "Context Tree").replace(/[-_]+/g, " ").replace(/\b\w/g, (char) => char.toUpperCase()).trim();
+}
+function contextAreaFromPath(path) {
+	const parts = path.split("/").filter(Boolean);
+	if (parts.length === 0) return "root";
+	return parts.map((part) => part.replace(/[-_]+/g, " ")).join(" / ");
+}
+function dirNodeId(dir) {
+	return dir ? `dir:${dir}` : ROOT_NODE_ID;
+}
+function fileNodeId(path) {
+	return `file:${path}`;
+}
+function ghostNodeId(path) {
+	return `removed:${path}`;
+}
+function toPosix(path) {
+	return sep === "/" ? path : path.split(sep).join("/");
+}
+const querySchema = z.object({ window: z.enum([
+	"1d",
+	"7d",
+	"30d"
+]).optional() }).strict();
+async function contextTreeSnapshotRoutes(app) {
+	app.get("/snapshot", { config: { rateLimit: {
+		max: app.config.rateLimit?.contextTreeSnapshotMax ?? 6,
+		timeWindow: "1 minute",
+		keyGenerator: (request) => request.user?.userId ?? request.ip
+	} } }, async (request) => {
+		const query = querySchema.parse(request.query);
+		const snapshot = await getContextTreeSnapshot(app.config, query.window ?? "7d");
+		return contextTreeSnapshotSchema.parse(snapshot);
+	});
+}
 /**
 * Resolve the client IP for rate-limit attribution.
 *
@@ -16035,7 +16801,7 @@ async function healthzRoutes(app) {
 * `api/orgs/invitations.ts` (Class B, admin-gated).
 */
 async function publicInvitationRoutes(app) {
-	const { previewInvitation } = await import("./invitation-DWlyNb8x-DZTW9I26.mjs");
+	const { previewInvitation } = await import("./invitation-DWlyNb8x-D3zjZSwI.mjs");
 	app.get("/:token/preview", async (request, reply) => {
 		if (!request.params.token) throw new UnauthorizedError("Token required");
 		const preview = await previewInvitation(app.db, request.params.token);
@@ -16132,9 +16898,35 @@ async function meRoutes(app) {
 	*/
 	app.get("/me/pinned-agents", async (request) => {
 		const { userId } = requireUser(request);
-		const { listMyPinnedAgents } = await import("./client-m1OM4Iag-HKWgB3Yk.mjs");
+		const { listMyPinnedAgents } = await import("./client-By1K4VVT-C5K7WZo6.mjs");
 		return listMyPinnedAgents(app.db, { userId });
 	});
+	/**
+	* GET /me/clients — cross-org list of every client owned by the caller.
+	* A client is owned by exactly one user (clients.user_id) and the same
+	* machine can carry agents from any org the user belongs to, so this
+	* surface is org-agnostic — Class A by the decision tree in
+	* `docs/http-path-conventions.md`. Powers Settings → Computers in the
+	* web UI; the org-admin audit view (`/orgs/:orgId/clients`) stays for
+	* a future "team device audit" surface.
+	*/
+	app.get("/me/clients", async (request) => {
+		const { userId } = requireUser(request);
+		const list = await listClients(app.db, { userId });
+		const refreshExpirySeconds = expiryToSeconds(app.config.auth.refreshTokenExpiry);
+		return list.map((c) => ({
+			id: c.id,
+			userId: c.userId,
+			status: c.status,
+			authState: deriveAuthState(c, refreshExpirySeconds),
+			sdkVersion: c.sdkVersion,
+			hostname: c.hostname,
+			os: c.os,
+			agentCount: c.agentCount,
+			connectedAt: serializeDate(c.connectedAt),
+			lastSeenAt: c.lastSeenAt.toISOString()
+		}));
+	});
 	app.get("/me/organizations", async (request) => {
 		const { userId } = requireUser(request);
 		return (await listActiveMemberships(app.db, userId)).map((r) => ({
@@ -16931,7 +17723,11 @@ function orgWsRoutes(notifier, jwtSecret) {
 	}
 	return async (app) => {
 		app.get("/", { websocket: true }, async (socket, request) => {
-			startWsConnectionSpan(socket, { remoteIp: request.ip });
+			const ua = request.headers["user-agent"];
+			startWsConnectionSpan(socket, {
+				remoteIp: request.ip,
+				userAgent: typeof ua === "string" ? ua.slice(0, 200) : void 0
+			});
 			const orgIdFromPath = request.params.orgId;
 			const token = request.query.token;
 			if (!token || !orgIdFromPath) {
@@ -17702,8 +18498,12 @@ function userAuthHook(db, jwtSecret) {
 		try {
 			const { payload: p } = await jwtVerify(token, secret);
 			payload = p;
-		} catch {
-			throw new UnauthorizedError("Invalid or expired token", { "auth.failure_reason": "jwt_verify_failed" });
+		} catch (err) {
+			const untrusted = decodeJwtForTrace(token);
+			throw new UnauthorizedError("Invalid or expired token", {
+				"auth.failure_reason": classifyJoseError(err),
+				...untrustedAttrs("auth", untrusted)
+			});
 		}
 		if (payload.type !== "access" || !payload.sub) throw new UnauthorizedError("Invalid token type", {
 			"auth.failure_reason": "wrong_token_type",
@@ -18907,7 +19707,7 @@ function createPulseAggregator(options) {
 * Returning a string (rather than undefined) keeps the welcome frame well-
 * formed — the client treats the value advisorily.
 */
-function resolveCommandVersion$1(injected) {
+function resolveCommandVersion(injected) {
 	if (injected && injected.trim().length > 0) return injected;
 	try {
 		const pkg = createRequire(import.meta.url)("../package.json");
@@ -18999,7 +19799,7 @@ async function buildApp(config) {
 	const db = connectDatabase(config.database.url);
 	app.decorate("db", db);
 	app.decorate("config", config);
-	const commandVersion = resolveCommandVersion$1(config.commandVersion);
+	const commandVersion = resolveCommandVersion(config.commandVersion);
 	app.decorate("commandVersion", commandVersion);
 	app.log.info({ commandVersion }, "Hub server advertising command version");
 	const listenClient = postgres(config.database.url, { max: 1 });
@@ -19014,7 +19814,8 @@ async function buildApp(config) {
 	await app.register(rateLimit, {
 		max: config.rateLimit?.max ?? 100,
 		timeWindow: "1 minute",
-		hook: "preHandler"
+		hook: "preHandler",
+		errorResponseBuilder: buildRateLimitError
 	});
 	app.addHook("onSend", bodyCaptureOnSendHook);
 	const userAuth = userAuthHook(db, config.secrets.jwtSecret);
@@ -19088,6 +19889,9 @@ async function buildApp(config) {
 		await api.register(publicInvitationRoutes, { prefix: "/invitations" });
 		await api.register(contextTreeInfoRoutes, { prefix: "/context-tree" });
 		await api.register(bootstrapConfigRoutes, { prefix: "/bootstrap" });
+		await api.register(userScope("contextTreeScope", async (scope) => {
+			await scope.register(contextTreeSnapshotRoutes);
+		}), { prefix: "/context-tree" });
 		await api.register(userScope("meRoutesScope", async (scope) => {
 			await scope.register(meRoutes);
 		}), { prefix: "" });
@@ -19151,12 +19955,11 @@ async function buildApp(config) {
 	if (webDistPath) {
 		const webRoot = resolve(webDistPath);
 		if (existsSync(webRoot)) {
-			await app.register(fastifyStatic, {
-				root: webRoot,
-				wildcard: false
-			});
+			await app.register(fastifyStatic, { root: webRoot });
 			app.setNotFoundHandler((request, reply) => {
 				if (request.url.startsWith("/api/")) return reply.status(404).send({ error: "Not found" });
+				const requestPath = request.url.split("?")[0] ?? request.url;
+				if (requestPath.startsWith("/assets/") || extname(requestPath).length > 0) return reply.status(404).send({ error: "Not found" });
 				return reply.sendFile("index.html");
 			});
 		}
@@ -19211,58 +20014,6 @@ async function buildApp(config) {
 	return app;
 }
 //#endregion
-//#region src/core/version.ts
-/**
-* Version of the consumer-facing `@agent-team-foundation/first-tree-hub`
-* package. Read once at module load so the CLI, client runtime, and server
-* bootstrap all quote the same string.
-*
-* Path-based lookups (`require("../../package.json")`) do not survive the
-* tsdown bundle: the source lives at `src/core/version.ts` but every
-* emitted chunk lands in `dist/` — shifting the relative depth by one and
-* pointing at `packages/package.json` instead of our own manifest (the
-* v0.9.1 "Cannot find module ../../package.json" crash). Walk up from this
-* module's URL and accept the first `package.json` whose `name` matches, so
-* dev runs (`tsx src/cli/index.ts`) and the published bundle
-* (`dist/cli/index.mjs`) both resolve the same file.
-*/
-const PACKAGE_NAME$1 = "@agent-team-foundation/first-tree-hub";
-/**
-* Sentinel returned when the walker exhausts every parent directory without
-* finding our manifest. Deliberately NOT valid SemVer so the client-side
-* `UpdateManager` drops into its `semver.valid(current) === false` warn-and-
-* skip branch instead of treating it as `< target` and triggering a spurious
-* self-update loop (the scenario where the startup crash this module fixes
-* would otherwise quietly reincarnate as repeated `npm install -g @latest`).
-*/
-const UNRESOLVED_VERSION = "unknown";
-/**
-* Exported for tests. Walks up from `moduleUrl`'s directory looking for a
-* `package.json` whose `name` field equals {@link PACKAGE_NAME}. Returns
-* {@link UNRESOLVED_VERSION} as a last-resort fallback so the CLI never
-* crashes on a missing manifest.
-*/
-function resolveCommandVersion(moduleUrl = import.meta.url) {
-	let dir = dirname(fileURLToPath(moduleUrl));
-	for (let i = 0; i < 10; i++) {
-		try {
-			const pkg = JSON.parse(readFileSync(resolve(dir, "package.json"), "utf8"));
-			if (pkg.name === PACKAGE_NAME$1 && typeof pkg.version === "string" && pkg.version.length > 0) return pkg.version;
-		} catch (err) {
-			const code = err.code;
-			if (code !== "ENOENT" && code !== "ENOTDIR") {
-				const message = err instanceof Error ? err.message : String(err);
-				print.line(`[first-tree-hub] warning: could not read ${dir}/package.json: ${message}\n`);
-			}
-		}
-		const parent = dirname(dir);
-		if (parent === dir) break;
-		dir = parent;
-	}
-	return UNRESOLVED_VERSION;
-}
-const COMMAND_VERSION = resolveCommandVersion();
-//#endregion
 //#region src/core/server.ts
 /**
 * Full server start orchestration:
@@ -19317,7 +20068,7 @@ async function startServer(options) {
 		instanceId: `srv_${randomUUID().slice(0, 8)}`,
 		commandVersion: COMMAND_VERSION
 	};
-	const { initTelemetry, shutdownTelemetry } = await import("./observability-Co8OO0og.mjs");
+	const { initTelemetry, shutdownTelemetry } = await import("./observability-CYsdAcoF.mjs");
 	await initTelemetry(serverConfig.observability.tracing, config.instanceId);
 	const app = await buildApp(config);
 	const SHUTDOWN_FORCE_EXIT_MS = 8e3;
@@ -19678,7 +20429,7 @@ async function promptReplaceOrCancel(newMemberId) {
 	}) === "replace" ? "proceed" : "cancel";
 }
 async function exchangeToken(url, token) {
-	const res = await fetch(`${url}/api/v1/auth/connect-token`, {
+	const res = await cliFetch(`${url}/api/v1/auth/connect-token`, {
 		method: "POST",
 		headers: { "Content-Type": "application/json" },
 		body: JSON.stringify({ token }),
@@ -19790,4 +20541,4 @@ function registerSaaSConnectCommand(program) {
 	});
 }
 //#endregion
-export { findStaleAliases as $, checkDatabase as A, installClientService as B, runHomeMigration as C, checkAgentConfigs as D, runMigrations as E, checkServerReachable as F, stopClientService as G, resolveCliInvocation as H, checkWebSocket as I, isDockerAvailable as J, uninstallClientService as K, printResults as L, checkNodeVersion as M, checkServerConfig as N, checkBackgroundService as O, checkServerHealth as P, rotateClientIdWithBackup as Q, reconcileAgentConfigs as R, saveOnboardState as S, migrateLocalAgentDirs as T, restartClientService as U, isServiceSupported as V, startClientService as W, ClientRuntime as X, stopPostgres as Y, handleClientOrgMismatch as Z, promptMissingFields as _, probeCapabilities as _t, declineUpdate as a, fail as at, onboardCheck as b, detectInstallMode as c, print as ct, startServer as d, ClientOrgMismatchError as dt, formatStaleReason as et, COMMAND_VERSION as f, ClientUserMismatchError as ft, promptAddAgent as g, cleanWorkspaces as gt, isInteractive as h, SessionRegistry as ht, createExecuteUpdate as i, resolveReplyToFromEnv as it, checkDocker as j, checkClientConfig as k, fetchLatestVersion as l, setJsonMode as lt, uploadClientCapabilities as m, SdkError as mt, deriveHubUrlFromToken as n, createOwner as nt, promptUpdate as o, success as ot, reconcileLocalRuntimeProviders as p, FirstTreeHubSDK as pt, ensurePostgres as q, registerSaaSConnectCommand as r, hasUser as rt, PACKAGE_NAME as s, blank as st, HubUrlDerivationError as t, removeLocalAgent as tt, installGlobalLatest as u, status as ut, formatCheckReport as v, applyClientLoggerConfig as vt, createApiNameResolver as w, onboardCreate as x, loadOnboardState as y, configureClientLoggerForService as yt, getClientServiceStatus as z };
+export { formatStaleReason as $, checkDocker as A, isServiceSupported as B, createApiNameResolver as C, checkBackgroundService as D, checkAgentConfigs as E, checkWebSocket as F, uninstallClientService as G, restartClientService as H, printResults as I, stopPostgres as J, ensurePostgres as K, reconcileAgentConfigs as L, checkServerConfig as M, checkServerHealth as N, checkClientConfig as O, checkServerReachable as P, findStaleAliases as Q, getClientServiceStatus as R, runHomeMigration as S, runMigrations as T, startClientService as U, resolveCliInvocation as V, stopClientService as W, handleClientOrgMismatch as X, ClientRuntime as Y, rotateClientIdWithBackup as Z, formatCheckReport as _, declineUpdate as a, success as at, onboardCreate as b, detectInstallMode as c, FirstTreeHubSDK as ct, startServer as d, cleanWorkspaces as dt, removeLocalAgent as et, reconcileLocalRuntimeProviders as f, probeCapabilities as ft, promptMissingFields as g, promptAddAgent as h, createExecuteUpdate as i, fail as it, checkNodeVersion as j, checkDatabase as k, fetchLatestVersion as l, SdkError as lt, isInteractive as m, configureClientLoggerForService as mt, deriveHubUrlFromToken as n, hasUser as nt, promptUpdate as o, ClientOrgMismatchError as ot, uploadClientCapabilities as p, applyClientLoggerConfig as pt, isDockerAvailable as q, registerSaaSConnectCommand as r, resolveReplyToFromEnv as rt, PACKAGE_NAME as s, ClientUserMismatchError as st, HubUrlDerivationError as t, createOwner as tt, installGlobalLatest as u, SessionRegistry as ut, loadOnboardState as v, migrateLocalAgentDirs as w, saveOnboardState as x, onboardCheck as y, installClientService as z };