@agent-team-foundation/first-tree-hub 0.11.2 → 0.11.3

package/dist/index.mjs

@@ -1,11 +1,12 @@
-import "./observability-C3nY6Jcz-Bk7FX689.mjs";
-import { A as checkDatabase, B as installClientService, C as runHomeMigration, D as checkAgentConfigs, E as runMigrations, F as checkServerReachable, G as stopClientService, H as resolveCliInvocation, I as checkWebSocket, J as isDockerAvailable, K as uninstallClientService, L as printResults, M as checkNodeVersion, N as checkServerConfig, P as checkServerHealth, Q as rotateClientIdWithBackup, U as restartClientService, V as isServiceSupported, W as startClientService, X as ClientRuntime, Y as stopPostgres, Z as handleClientOrgMismatch, _ as promptMissingFields, b as onboardCheck, d as startServer, g as promptAddAgent, h as isInteractive, j as checkDocker, k as checkClientConfig, mt as SdkError, n as deriveHubUrlFromToken, nt as createOwner, pt as FirstTreeHubSDK, q as ensurePostgres, rt as hasUser, st as blank, t as HubUrlDerivationError, ut as status, v as formatCheckReport, x as onboardCreate, z as getClientServiceStatus } from "./saas-connect-Df2CVAGp.mjs";
+import "./observability-BAScT_5S-gw1ODB_o.mjs";
+import { A as checkDocker, B as isServiceSupported, E as checkAgentConfigs, F as checkWebSocket, G as uninstallClientService, H as restartClientService, I as printResults, J as stopPostgres, K as ensurePostgres, M as checkServerConfig, N as checkServerHealth, O as checkClientConfig, P as checkServerReachable, R as getClientServiceStatus, S as runHomeMigration, T as runMigrations, U as startClientService, V as resolveCliInvocation, W as stopClientService, X as handleClientOrgMismatch, Y as ClientRuntime, Z as rotateClientIdWithBackup, _ as formatCheckReport, b as onboardCreate, ct as FirstTreeHubSDK, d as startServer, g as promptMissingFields, h as promptAddAgent, j as checkNodeVersion, k as checkDatabase, lt as SdkError, m as isInteractive, n as deriveHubUrlFromToken, nt as hasUser, q as isDockerAvailable, t as HubUrlDerivationError, tt as createOwner, y as onboardCheck, z as installClientService } from "./saas-connect-gcT6Q10z.mjs";
 import "./logger-core-BTmvdflj-DjW8FM4T.mjs";
-import { a as ensureFreshAdminToken, c as resolveServerUrl, i as ensureFreshAccessToken, n as AuthRefreshRateLimitedError, s as resolveAccessToken, t as AuthRefreshFailedError } from "./bootstrap-B-FRMuvL.mjs";
-import "./dist-FuUBFTEB.mjs";
-import { n as bindFeishuUser, t as bindFeishuBot } from "./feishu-GvFABWW5.mjs";
-import "./errors-BmyRwN0Y-CIZZ_sDc.mjs";
-import "./client-CLdRbuml-B416INrm.mjs";
-import "./src-DNBS5Yjj.mjs";
-import "./invitation-Dnn5gGGX-Ce7zbZpn.mjs";
+import { a as ensureFreshAdminToken, c as resolveServerUrl, i as ensureFreshAccessToken, n as AuthRefreshRateLimitedError, s as resolveAccessToken, t as AuthRefreshFailedError } from "./bootstrap-D4rdqM2F.mjs";
+import { i as blank, s as status } from "./cli-fetch--tiwKm5S.mjs";
+import "./dist-BAqGZkco.mjs";
+import { n as bindFeishuUser, t as bindFeishuBot } from "./feishu-Th_-ivJ7.mjs";
+import "./errors-BmyRwN0Y-Dad3eV8F.mjs";
+import "./client-CLdRbuml-BRtalKpQ.mjs";
+import "./src-aJMV60mR.mjs";
+import "./invitation-Dnn5gGGX-DXryyvRG.mjs";
 export { AuthRefreshFailedError, AuthRefreshRateLimitedError, ClientRuntime, FirstTreeHubSDK, HubUrlDerivationError, SdkError, bindFeishuBot, bindFeishuUser, blank, checkAgentConfigs, checkClientConfig, checkDatabase, checkDocker, checkNodeVersion, checkServerConfig, checkServerHealth, checkServerReachable, checkWebSocket, createOwner, deriveHubUrlFromToken, ensureFreshAccessToken, ensureFreshAdminToken, ensurePostgres, formatCheckReport, getClientServiceStatus, handleClientOrgMismatch, hasUser, installClientService, isDockerAvailable, isInteractive, isServiceSupported, onboardCheck, onboardCreate, printResults, promptAddAgent, promptMissingFields, resolveAccessToken, resolveCliInvocation, resolveServerUrl, restartClientService, rotateClientIdWithBackup, runHomeMigration, runMigrations, startClientService, startServer, status, stopClientService, stopPostgres, uninstallClientService };

package/dist/invitation-DWlyNb8x-D3zjZSwI.mjs

@@ -0,0 +1,4 @@
+import "./dist-BAqGZkco.mjs";
+import "./errors-BmyRwN0Y-Dad3eV8F.mjs";
+import { s as previewInvitation } from "./invitation-Dnn5gGGX-DXryyvRG.mjs";
+export { previewInvitation };

package/dist/{invitation-Dnn5gGGX-Ce7zbZpn.mjs → invitation-Dnn5gGGX-DXryyvRG.mjs}

@@ -1,4 +1,4 @@
-import { l as organizations, s as NotFoundError, u as users } from "./errors-BmyRwN0Y-CIZZ_sDc.mjs";
+import { l as organizations, s as NotFoundError, u as users } from "./errors-BmyRwN0Y-Dad3eV8F.mjs";
 import { randomBytes } from "node:crypto";
 import { and, desc, eq, gt, isNull, or } from "drizzle-orm";
 import { index, pgTable, text, timestamp } from "drizzle-orm/pg-core";

package/dist/{multipart-parser-BIksYTkk.mjs → multipart-parser-QRu3OKK4.mjs}

@@ -1,5 +1,5 @@
 import { n as __esmMin } from "./chunk-BSw8zbkd.mjs";
-import { a as File, i as init_esm_min, n as FormData, t as init_from } from "./from-CaD373S1.mjs";
+import { a as File, i as init_esm_min, n as FormData, t as init_from } from "./from-DQ7eNRwu.mjs";
 //#region ../../node_modules/.pnpm/node-fetch@3.3.2/node_modules/node-fetch/src/utils/multipart-parser.js
 function _fileName(headerValue) {
 	const m = headerValue.match(/\bfilename=("(.*?)"|([^()<>@,;:\\"/[\]?={}\s\t]+))($|;\s)/i);

package/dist/{observability-C3nY6Jcz-Bk7FX689.mjs → observability-BAScT_5S-gw1ODB_o.mjs}

@@ -1,11 +1,12 @@
 import { a as __toCommonJS, i as __require, n as __esmMin, o as __toESM, r as __exportAll, t as __commonJSMin } from "./chunk-BSw8zbkd.mjs";
 import { a as formatLocalTime, c as parseLogLevel, i as createLoggerOutputStream, n as LOG_REDACT_PATHS, r as SKIP_KEYS, t as LOG_REDACT_CENSOR } from "./logger-core-BTmvdflj-DjW8FM4T.mjs";
-import { a as metrics, c as SpanStatusCode, d as createContextKey, f as DiagLogLevel, n as init_esm$2, o as diag, r as trace, s as context, t as esm_exports$2, u as DiagConsoleLogger } from "./esm-iadMkGbV.mjs";
-import { t as require_src$85 } from "./src-DNBS5Yjj.mjs";
+import { a as metrics, c as SpanStatusCode, d as createContextKey, f as DiagLogLevel, n as init_esm$2, o as diag, r as trace, s as context, t as esm_exports$2, u as DiagConsoleLogger } from "./esm-Ci8E1Gtj.mjs";
+import { t as require_src$85 } from "./src-aJMV60mR.mjs";
 import { z } from "zod";
 import { Writable } from "node:stream";
 import * as fs$5 from "fs";
 import * as path$2 from "path";
+import { decodeJwt } from "jose";
 import { Readable } from "stream";
 import * as zlib$2 from "zlib";
 //#region ../../node_modules/.pnpm/pino-std-serializers@7.1.0/node_modules/pino-std-serializers/lib/err-helpers.js
@@ -8162,19 +8163,19 @@ var require_getMachineId$1 = /* @__PURE__ */ __commonJSMin(((exports) => {
 	async function getMachineId() {
 		if (!getMachineIdImpl) switch (process$3.platform) {
 			case "darwin":
-				getMachineIdImpl = (await import("./getMachineId-darwin-B6WCAhc4.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
+				getMachineIdImpl = (await import("./getMachineId-darwin-DKgI8b1d.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
 				break;
 			case "linux":
-				getMachineIdImpl = (await import("./getMachineId-linux-BeWHG1gK.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
+				getMachineIdImpl = (await import("./getMachineId-linux-cT7EbP10.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
 				break;
 			case "freebsd":
-				getMachineIdImpl = (await import("./getMachineId-bsd-DjLgZlll.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
+				getMachineIdImpl = (await import("./getMachineId-bsd-DyySs8xz.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
 				break;
 			case "win32":
-				getMachineIdImpl = (await import("./getMachineId-win-CdgcrzCW.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
+				getMachineIdImpl = (await import("./getMachineId-win-Chl03TYe.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
 				break;
 			default:
-				getMachineIdImpl = (await import("./getMachineId-unsupported-BMJQItvF.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
+				getMachineIdImpl = (await import("./getMachineId-unsupported-CkX-YOG1.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
 				break;
 		}
 		return getMachineIdImpl();
@@ -33763,12 +33764,12 @@ var require_gaxios = /* @__PURE__ */ __commonJSMin(((exports) => {
 		* @returns A proxy agent
 		*/
 		static async #getProxyAgent() {
-			this.#proxyAgent ||= (await import("./dist-BLY7Bu-l.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).HttpsProxyAgent;
+			this.#proxyAgent ||= (await import("./dist-BQtAQNRD.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).HttpsProxyAgent;
 			return this.#proxyAgent;
 		}
 		static async #getFetch() {
 			const hasWindow = typeof window !== "undefined" && !!window;
-			this.#fetch ||= hasWindow ? window.fetch : (await import("./src-CzQ5KF6D.mjs")).default;
+			this.#fetch ||= hasWindow ? window.fetch : (await import("./src-DFlbpJfU.mjs")).default;
 			return this.#fetch;
 		}
 		/**
@@ -41932,19 +41933,19 @@ var require_getMachineId = /* @__PURE__ */ __commonJSMin(((exports) => {
 	async function getMachineId() {
 		if (!getMachineIdImpl) switch (process$1.platform) {
 			case "darwin":
-				getMachineIdImpl = (await import("./getMachineId-darwin-CaD2juTg.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
+				getMachineIdImpl = (await import("./getMachineId-darwin-Cl7TSzgO.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
 				break;
 			case "linux":
-				getMachineIdImpl = (await import("./getMachineId-linux-Dk3gWdQK.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
+				getMachineIdImpl = (await import("./getMachineId-linux-1OIMWfdh.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
 				break;
 			case "freebsd":
-				getMachineIdImpl = (await import("./getMachineId-bsd-DR4-Dysy.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
+				getMachineIdImpl = (await import("./getMachineId-bsd-c2VImogj.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
 				break;
 			case "win32":
-				getMachineIdImpl = (await import("./getMachineId-win-vJ6VfDRI.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
+				getMachineIdImpl = (await import("./getMachineId-win-C2cM60YT.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
 				break;
 			default:
-				getMachineIdImpl = (await import("./getMachineId-unsupported-Bgz_Je1J.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
+				getMachineIdImpl = (await import("./getMachineId-unsupported-CmVlhzIo.mjs").then((m) => /* @__PURE__ */ __toESM(m.default))).getMachineId;
 				break;
 		}
 		return getMachineIdImpl();
@@ -95375,7 +95376,7 @@ const vr = {
 	warning: Ne$2
 };
 //#endregion
-//#region ../server/dist/observability-C3nY6Jcz.mjs
+//#region ../server/dist/observability-BAScT_5S.mjs
 init_esm$2();
 var import_pino = /* @__PURE__ */ __toESM(require_pino(), 1);
 const initialLevel = parseLogLevel(process.env.FIRST_TREE_HUB_LOG_LEVEL);
@@ -95764,6 +95765,70 @@ const observabilityPlugin = async (app) => {
 	});
 };
 /**
+* Map a thrown jose error to a stable failure-reason bucket. Unknown shapes
+* fall through to `jwt_verify_failed` so the span attribute always has a
+* value (callers can then refine the mapping without coordinating a deploy
+* with the trace backend).
+*/
+function classifyJoseError(err) {
+	if (typeof err !== "object" || err === null) return "jwt_verify_failed";
+	const code = err.code;
+	if (typeof code !== "string") return "jwt_verify_failed";
+	switch (code) {
+		case "ERR_JWT_EXPIRED": return "jwt_expired";
+		case "ERR_JWS_SIGNATURE_VERIFICATION_FAILED": return "jwt_signature_invalid";
+		case "ERR_JWT_INVALID":
+		case "ERR_JWS_INVALID":
+		case "ERR_JWT_CLAIM_VALIDATION_FAILED": return "jwt_malformed";
+		default: return "jwt_verify_failed";
+	}
+}
+/**
+* Best-effort decode of a JWT *without* signature verification, for the sole
+* purpose of stamping its `sub` / `jti` / `exp` onto a failure trace.
+*
+* Returns `null` when the token is malformed enough that even base64 decode
+* fails — callers should treat absence as "no untrusted claims to record"
+* and continue without trace decoration.
+*
+* **Do not call from any code path that grants access.**
+*/
+function decodeJwtForTrace(token) {
+	try {
+		const claims = decodeJwt(token);
+		const out = {};
+		if (typeof claims.sub === "string") out.sub = claims.sub;
+		if (typeof claims.exp === "number") out.exp = claims.exp;
+		if (typeof claims.iat === "number") out.iat = claims.iat;
+		if (typeof claims.jti === "string") out.jti = claims.jti;
+		if (typeof claims.type === "string") out.type = claims.type;
+		return out;
+	} catch {
+		return null;
+	}
+}
+/**
+* Spread-helper that turns untrusted claims into the `<prefix>.untrusted.*`
+* attribute keys used on auth failure spans. Keeps the call sites short:
+*
+*   throw new UnauthorizedError("...", {
+*     "auth.refresh.reason": reason,
+*     ...untrustedAttrs("auth.refresh", untrusted),
+*   });
+*
+* Returns `{}` when `claims` is null so callers don't have to branch.
+*/
+function untrustedAttrs(prefix, claims) {
+	if (!claims) return {};
+	const out = {};
+	if (claims.sub !== void 0) out[`${prefix}.untrusted.sub`] = claims.sub;
+	if (claims.exp !== void 0) out[`${prefix}.untrusted.exp`] = claims.exp;
+	if (claims.iat !== void 0) out[`${prefix}.untrusted.iat`] = claims.iat;
+	if (claims.jti !== void 0) out[`${prefix}.untrusted.jti`] = claims.jti;
+	if (claims.type !== void 0) out[`${prefix}.untrusted.type`] = claims.type;
+	return out;
+}
+/**
 * Logfire / OpenTelemetry bootstrap.
 *
 * This module replaces a previous hand-rolled `NodeTracerProvider` +
@@ -95891,6 +95956,63 @@ async function shutdownTelemetry() {
 	_enabled = false;
 }
 /**
+* Routes whose request body contains a JWT in `refreshToken` / `token`.
+* Used to gate the body-sniff in {@link buildRateLimitError} so unrelated
+* routes that happen to add a `token` field in the future won't get their
+* 429 trace polluted with bogus untrusted-decode attempts.
+*/
+const TOKEN_BODY_ROUTES = new Set(["/api/v1/auth/refresh", "/api/v1/auth/connect-token"]);
+/**
+* Constructs the `Error` instance that `@fastify/rate-limit` will throw on
+* a 429. Two side effects happen here that aren't trivial to express via
+* the limiter's default builder:
+*
+*   1. Stamp `rate_limit.{max,ttl_ms}` onto the active root span. The
+*      limiter short-circuits before our handler runs, so without this
+*      the 429 trace has no rate-limit metadata at all (issue #246).
+*   2. For `/auth/refresh` and `/auth/connect-token` only, opportunistically
+*      decode the JWT in the request body (without verifying signature)
+*      and stamp `auth.untrusted.sub` onto the same span — gives operators
+*      the same `sub` pivot they get on a matching 401, so 429 storms can
+*      be answered "1 looping client or N independent clients?".
+*
+* The returned value MUST be an `Error` instance — `@fastify/rate-limit`
+* throws it, and our `setErrorHandler` only honours the `statusCode`
+* branch when `error instanceof Error`. A plain object falls through to
+* the 500 generic branch.
+*
+* `exception.type` / `exception.message` are NOT stamped here: when our
+* `setErrorHandler` catches this, `reportErrorToRoot` calls
+* `span.recordException(err)` which sets those (OTel SDK convention)
+* using `error.name` / `error.message`. Stamping them here too would be
+* either redundant (same value) or overwritten (different value).
+*/
+function buildRateLimitError(request, context) {
+	const span = request.openTelemetry().activeSpan;
+	if (span) stampRateLimitAttrs(span, request, context);
+	const message = `Rate limit exceeded, retry in ${Math.ceil(context.ttl / 1e3)} seconds`;
+	const err = new Error(message);
+	err.name = "RateLimitError";
+	Object.assign(err, { statusCode: 429 });
+	return err;
+}
+/**
+* Exported for unit testing. Pure side-effect function on `span` —
+* everything observable is the set of `setAttribute` calls.
+*/
+function stampRateLimitAttrs(span, request, context) {
+	span.setAttribute("rate_limit.max", context.max);
+	span.setAttribute("rate_limit.ttl_ms", context.ttl);
+	const route = request.routeOptions?.url;
+	if (!route || !TOKEN_BODY_ROUTES.has(route)) return;
+	const body = request.body;
+	if (!body || typeof body !== "object") return;
+	const candidate = "refreshToken" in body && typeof body.refreshToken === "string" ? body.refreshToken : "token" in body && typeof body.token === "string" ? body.token : null;
+	if (!candidate) return;
+	const untrusted = decodeJwtForTrace(candidate);
+	for (const [k, v] of Object.entries(untrustedAttrs("auth", untrusted))) span.setAttribute(k, v);
+}
+/**
 * Helpers that turn domain objects (messages, inbox entries, chats, agents,
 * adapters) into a consistent set of span attribute records.
 *
@@ -95943,7 +96065,8 @@ function startWsConnectionSpan(socket, attrs = {}) {
 	const span = startTrackedSpan("ws.connection", {
 		[FIRST_TREE_HUB_ATTR.CLIENT_ID]: attrs.clientId,
 		[FIRST_TREE_HUB_ATTR.ORGANIZATION_ID]: attrs.organizationId,
-		[FIRST_TREE_HUB_ATTR.WS_REMOTE_IP]: attrs.remoteIp
+		[FIRST_TREE_HUB_ATTR.WS_REMOTE_IP]: attrs.remoteIp,
+		[FIRST_TREE_HUB_ATTR.HTTP_USER_AGENT]: attrs.userAgent
 	});
 	if (!span) return;
 	const ctx = trace.setSpan(context.active(), span);
@@ -96003,4 +96126,4 @@ async function withWsMessageSpan(socket, type, attrs, fn) {
 	}));
 }
 //#endregion
-export { withSpan as C, require_pino as D, redactUrl as E, startWsConnectionSpan as S, FIRST_TREE_HUB_ATTR as T, shutdownTelemetry as _, createLogger as a, stampOrgScope as b, initTelemetry as c, observabilityPlugin as d, parseHeaderString as f, setWsConnectionAttrs as g, setErrorSink as h, bodyCaptureOnSendHook as i, messageAttrs as l, rootLogger as m, applyLoggerConfig as n, currentTraceId as o, reportErrorToRoot as p, attachRequestContext as r, endWsConnectionSpan as s, adapterAttrs as t, normalizeAttrs as u, stampAgentResource as v, withWsMessageSpan as w, startTrackedSpan as x, stampChatResource as y };
+export { FIRST_TREE_HUB_ATTR as A, stampOrgScope as C, untrustedAttrs as D, startWsConnectionSpan as E, require_pino as M, withSpan as O, stampChatResource as S, startTrackedSpan as T, rootLogger as _, buildRateLimitError as a, shutdownTelemetry as b, currentTraceId as c, initTelemetry as d, messageAttrs as f, reportErrorToRoot as g, parseHeaderString as h, bodyCaptureOnSendHook as i, redactUrl as j, withWsMessageSpan as k, decodeJwtForTrace as l, observabilityPlugin as m, applyLoggerConfig as n, classifyJoseError as o, normalizeAttrs as p, attachRequestContext as r, createLogger as s, adapterAttrs as t, endWsConnectionSpan as u, setErrorSink as v, stampRateLimitAttrs as w, stampAgentResource as x, setWsConnectionAttrs as y };

package/dist/observability-CYsdAcoF.mjs

@@ -0,0 +1,5 @@
+import { b as shutdownTelemetry, d as initTelemetry } from "./observability-BAScT_5S-gw1ODB_o.mjs";
+import "./logger-core-BTmvdflj-DjW8FM4T.mjs";
+import "./esm-Ci8E1Gtj.mjs";
+import "./src-aJMV60mR.mjs";
+export { initTelemetry, shutdownTelemetry };