@agent-team-foundation/first-tree-hub 0.11.2 → 0.11.3

package/dist/{saas-connect-Df2CVAGp.mjs → saas-connect-gcT6Q10z.mjs}

@@ -1,11 +1,12 @@
 import { a as __toCommonJS, o as __toESM, t as __commonJSMin } from "./chunk-BSw8zbkd.mjs";
-import { C as withSpan, D as require_pino, E as redactUrl, S as startWsConnectionSpan, T as FIRST_TREE_HUB_ATTR, a as createLogger$1, b as stampOrgScope, d as observabilityPlugin, g as setWsConnectionAttrs, i as bodyCaptureOnSendHook, l as messageAttrs, m as rootLogger$1, n as applyLoggerConfig, o as currentTraceId, p as reportErrorToRoot, r as attachRequestContext, s as endWsConnectionSpan, t as adapterAttrs, v as stampAgentResource, w as withWsMessageSpan, y as stampChatResource } from "./observability-C3nY6Jcz-Bk7FX689.mjs";
-import { C as resetConfigMeta, E as setConfigValue, S as resetConfig, T as serverConfigSchema, b as migrateLegacyHome, c as resolveServerUrl, d as DEFAULT_CONFIG_DIR, f as DEFAULT_DATA_DIR$1, g as collectMissingPrompts, h as clientConfigSchema, i as ensureFreshAccessToken, l as saveAgentConfig, m as agentConfigSchema, o as loadCredentials, p as DEFAULT_HOME_DIR$1, u as saveCredentials, v as initConfig, w as resolveConfigReadonly, y as loadAgents } from "./bootstrap-B-FRMuvL.mjs";
-import { $ as notificationQuerySchema, A as createChatSchema, B as githubDevCallbackQuerySchema, Ct as updateTaskStatusSchema, D as createAdapterConfigSchema, E as contextTreeSnapshotSchema, F as defaultRuntimeConfigPayload, G as inboxPollQuerySchema, H as imageInlineContentSchema, I as delegateFeishuUserSchema, J as joinByInvitationSchema, K as isRedactedEnvValue, L as dryRunAgentRuntimeConfigSchema, M as createMemberSchema, N as createOrgFromMeSchema, O as createAdapterMappingSchema, P as createTaskSchema, Q as messageSourceSchema$1, R as extractMentions, S as agentTypeSchema$1, St as updateOrganizationSchema, T as connectTokenExchangeSchema, U as inboxAckFrameSchema, V as githubStartQuerySchema, W as inboxDeliverFrameSchema$1, X as listMeChatsQuerySchema, Y as linkTaskChatSchema, Z as loginSchema, _ as adminCreateTaskSchema, _t as updateAgentRuntimeConfigSchema, a as AGENT_STATUSES, at as scanMentionTokens, b as agentPinnedMessageSchema$1, bt as updateClientCapabilitiesSchema, ct as sendToAgentSchema, d as TASK_HEALTH_SIGNALS, dt as sessionEventSchema$1, et as paginationQuerySchema, f as TASK_STATUSES, ft as sessionReconcileRequestSchema, g as addParticipantSchema, gt as updateAdapterConfigSchema, h as addMeChatParticipantsSchema, ht as taskListQuerySchema, i as AGENT_SOURCES, it as safeRedirectPath, j as createMeChatSchema, k as createAgentSchema, l as MENTION_REGEX, lt as sessionCompletionMessageSchema, m as WS_AUTH_FRAME_TIMEOUT_MS, mt as stripCode, n as AGENT_NAME_REGEX$1, nt as refreshTokenSchema, o as AGENT_TYPES, ot as selfServiceFeishuBotSchema, p as TASK_TERMINAL_STATUSES, pt as sessionStateMessageSchema, q as isReservedAgentName$1, r as AGENT_SELECTOR_HEADER$1, rt as runtimeStateMessageSchema, s as AGENT_VISIBILITY, st as sendMessageSchema, t as AGENT_BIND_REJECT_REASONS, tt as rebindAgentSchema, u as TASK_CREATOR_TYPES, ut as sessionEventMessageSchema, v as adminUpdateTaskSchema, vt as updateAgentSchema, w as clientRegisterSchema, wt as wsAuthFrameSchema, x as agentRuntimeConfigPayloadSchema$1, xt as updateMemberSchema, y as agentBindRequestSchema, yt as updateChatSchema, z as githubCallbackQuerySchema } from "./dist-FuUBFTEB.mjs";
-import { a as ConflictError, c as UnauthorizedError, i as ClientUserMismatchError$1, l as organizations, n as BadRequestError, o as ForbiddenError, r as ClientOrgMismatchError$1, s as NotFoundError, t as AppError, u as users } from "./errors-BmyRwN0Y-CIZZ_sDc.mjs";
-import { C as retireClient, D as touchAgent, E as setRuntimeState, O as unbindAgent, S as registerClient, T as setOffline, _ as listClients, a as claimClient, b as markStaleAgents, c as clients, d as getClient, f as getOnlineCount, g as listActiveAgentsPinnedToClient, h as heartbeatInstance, i as bindAgent, k as updateClientCapabilities, l as deriveAuthState, m as heartbeatClient, n as agents, o as cleanupStaleClients, p as getPresence, r as assertClientOwner, s as cleanupStalePresence, t as agentPresence, u as disconnectClient, v as listClientsForOrgAdmin, w as serverInstances, x as members } from "./client-CLdRbuml-B416INrm.mjs";
-import { n as init_esm, r as trace, t as esm_exports } from "./esm-iadMkGbV.mjs";
-import { a as invitationRedemptions, c as recordRedemption, i as getActiveInvitation, l as rotateInvitation, n as ensureActiveInvitation, o as invitations, r as findActiveByToken, t as buildInviteUrl, u as uuidv7 } from "./invitation-Dnn5gGGX-Ce7zbZpn.mjs";
+import { A as FIRST_TREE_HUB_ATTR, C as stampOrgScope, D as untrustedAttrs, E as startWsConnectionSpan, M as require_pino, O as withSpan, S as stampChatResource, _ as rootLogger$1, a as buildRateLimitError, c as currentTraceId, f as messageAttrs, g as reportErrorToRoot, i as bodyCaptureOnSendHook, j as redactUrl, k as withWsMessageSpan, l as decodeJwtForTrace, m as observabilityPlugin, n as applyLoggerConfig, o as classifyJoseError, r as attachRequestContext, s as createLogger$1, t as adapterAttrs, u as endWsConnectionSpan, x as stampAgentResource, y as setWsConnectionAttrs } from "./observability-BAScT_5S-gw1ODB_o.mjs";
+import { C as resetConfigMeta, E as setConfigValue, S as resetConfig, T as serverConfigSchema, b as migrateLegacyHome, c as resolveServerUrl, d as DEFAULT_CONFIG_DIR, f as DEFAULT_DATA_DIR$1, g as collectMissingPrompts, h as clientConfigSchema, i as ensureFreshAccessToken, l as saveAgentConfig, m as agentConfigSchema, o as loadCredentials, p as DEFAULT_HOME_DIR$1, u as saveCredentials, v as initConfig, w as resolveConfigReadonly, y as loadAgents } from "./bootstrap-D4rdqM2F.mjs";
+import { a as print, i as blank, n as CLI_USER_AGENT, r as COMMAND_VERSION, s as status, t as cliFetch } from "./cli-fetch--tiwKm5S.mjs";
+import { $ as notificationQuerySchema, A as createChatSchema, B as githubDevCallbackQuerySchema, Ct as updateTaskStatusSchema, D as createAdapterConfigSchema, E as contextTreeSnapshotSchema, F as defaultRuntimeConfigPayload, G as inboxPollQuerySchema, H as imageInlineContentSchema, I as delegateFeishuUserSchema, J as joinByInvitationSchema, K as isRedactedEnvValue, L as dryRunAgentRuntimeConfigSchema, M as createMemberSchema, N as createOrgFromMeSchema, O as createAdapterMappingSchema, P as createTaskSchema, Q as messageSourceSchema$1, R as extractMentions, S as agentTypeSchema$1, St as updateOrganizationSchema, T as connectTokenExchangeSchema, U as inboxAckFrameSchema, V as githubStartQuerySchema, W as inboxDeliverFrameSchema$1, X as listMeChatsQuerySchema, Y as linkTaskChatSchema, Z as loginSchema, _ as adminCreateTaskSchema, _t as updateAgentRuntimeConfigSchema, a as AGENT_STATUSES, at as scanMentionTokens, b as agentPinnedMessageSchema$1, bt as updateClientCapabilitiesSchema, ct as sendToAgentSchema, d as TASK_HEALTH_SIGNALS, dt as sessionEventSchema$1, et as paginationQuerySchema, f as TASK_STATUSES, ft as sessionReconcileRequestSchema, g as addParticipantSchema, gt as updateAdapterConfigSchema, h as addMeChatParticipantsSchema, ht as taskListQuerySchema, i as AGENT_SOURCES, it as safeRedirectPath, j as createMeChatSchema, k as createAgentSchema, l as MENTION_REGEX, lt as sessionCompletionMessageSchema, m as WS_AUTH_FRAME_TIMEOUT_MS, mt as stripCode, n as AGENT_NAME_REGEX$1, nt as refreshTokenSchema, o as AGENT_TYPES, ot as selfServiceFeishuBotSchema, p as TASK_TERMINAL_STATUSES, pt as sessionStateMessageSchema, q as isReservedAgentName$1, r as AGENT_SELECTOR_HEADER$1, rt as runtimeStateMessageSchema, s as AGENT_VISIBILITY, st as sendMessageSchema, t as AGENT_BIND_REJECT_REASONS, tt as rebindAgentSchema, u as TASK_CREATOR_TYPES, ut as sessionEventMessageSchema, v as adminUpdateTaskSchema, vt as updateAgentSchema, w as clientRegisterSchema, wt as wsAuthFrameSchema, x as agentRuntimeConfigPayloadSchema$1, xt as updateMemberSchema, y as agentBindRequestSchema, yt as updateChatSchema, z as githubCallbackQuerySchema } from "./dist-BAqGZkco.mjs";
+import { a as ConflictError, c as UnauthorizedError, i as ClientUserMismatchError$1, l as organizations, n as BadRequestError, o as ForbiddenError, r as ClientOrgMismatchError$1, s as NotFoundError, t as AppError, u as users } from "./errors-BmyRwN0Y-Dad3eV8F.mjs";
+import { C as retireClient, D as touchAgent, E as setRuntimeState, O as unbindAgent, S as registerClient, T as setOffline, _ as listClients, a as claimClient, b as markStaleAgents, c as clients, d as getClient, f as getOnlineCount, g as listActiveAgentsPinnedToClient, h as heartbeatInstance, i as bindAgent, k as updateClientCapabilities, l as deriveAuthState, m as heartbeatClient, n as agents, o as cleanupStaleClients, p as getPresence, r as assertClientOwner, s as cleanupStalePresence, t as agentPresence, u as disconnectClient, v as listClientsForOrgAdmin, w as serverInstances, x as members } from "./client-CLdRbuml-BRtalKpQ.mjs";
+import { n as init_esm, r as trace, t as esm_exports } from "./esm-Ci8E1Gtj.mjs";
+import { a as invitationRedemptions, c as recordRedemption, i as getActiveInvitation, l as rotateInvitation, n as ensureActiveInvitation, o as invitations, r as findActiveByToken, t as buildInviteUrl, u as uuidv7 } from "./invitation-Dnn5gGGX-DXryyvRG.mjs";
 import { createRequire } from "node:module";
 import { ZodError, z } from "zod";
 import { basename, delimiter, dirname, extname, isAbsolute, join, normalize, relative, resolve, sep } from "node:path";
@@ -29,12 +30,12 @@ import { drizzle } from "drizzle-orm/postgres-js";
 import postgres from "postgres";
 import { migrate } from "drizzle-orm/postgres-js/migrator";
 import { bigserial, boolean, index, integer, jsonb, pgTable, primaryKey, serial, text, timestamp, unique, uniqueIndex } from "drizzle-orm/pg-core";
+import { SignJWT, jwtVerify } from "jose";
 import cors from "@fastify/cors";
 import rateLimit from "@fastify/rate-limit";
 import fastifyStatic from "@fastify/static";
 import websocket from "@fastify/websocket";
 import Fastify from "fastify";
-import { SignJWT, jwtVerify } from "jose";
 import { promisify } from "node:util";
 import matter from "gray-matter";
 import { Client, EventDispatcher, LoggerLevel, WSClient } from "@larksuiteoapi/node-sdk";
@@ -1808,10 +1809,12 @@ var FirstTreeHubSDK = class {
 	_baseUrl;
 	getAccessToken;
 	_agentId;
+	_userAgent;
 	constructor(config) {
 		this._baseUrl = config.serverUrl.replace(/\/+$/, "");
 		this.getAccessToken = config.getAccessToken;
 		this._agentId = config.agentId;
+		this._userAgent = config.userAgent;
 	}
 	/** Server base URL (without trailing slash). */
 	get serverUrl() {
@@ -1863,7 +1866,12 @@ var FirstTreeHubSDK = class {
 	async isHubReachable(timeoutMs = 3e3) {
 		try {
 			const url = `${this._baseUrl}/api/v1/health`;
-			return (await fetch(url, { signal: AbortSignal.timeout(timeoutMs) })).ok;
+			const headers = {};
+			if (this._userAgent) headers["User-Agent"] = this._userAgent;
+			return (await fetch(url, {
+				signal: AbortSignal.timeout(timeoutMs),
+				headers
+			})).ok;
 		} catch {
 			return false;
 		}
@@ -1922,6 +1930,7 @@ var FirstTreeHubSDK = class {
 		const url = `${this._baseUrl}${path}`;
 		const headers = { Authorization: `Bearer ${await this.getAccessToken()}` };
 		if (this._agentId) headers[AGENT_SELECTOR_HEADER] = this._agentId;
+		if (this._userAgent) headers["User-Agent"] = this._userAgent;
 		if (init?.body) headers["Content-Type"] = "application/json";
 		const timeout = AbortSignal.timeout(FETCH_TIMEOUT_MS);
 		const signal = init?.signal ? AbortSignal.any([init.signal, timeout]) : timeout;
@@ -2031,6 +2040,7 @@ var ClientConnection = class extends EventEmitter {
 	clientId;
 	serverUrl;
 	sdkVersion;
+	userAgent;
 	getAccessToken;
 	ws = null;
 	wsConnectTimer = null;
@@ -2084,6 +2094,7 @@ var ClientConnection = class extends EventEmitter {
 		this.clientId = config.clientId ?? process.env.FIRST_TREE_HUB_CLIENT_ID ?? `client_${randomUUID().slice(0, 8)}`;
 		this.serverUrl = config.serverUrl.replace(/\/+$/, "");
 		this.sdkVersion = config.sdkVersion;
+		this.userAgent = config.userAgent;
 		this.getAccessToken = config.getAccessToken;
 		this.wsLogger = createLogger("ws").child({ clientId: this.clientId });
 		this.authLogger = createLogger("auth").child({ clientId: this.clientId });
@@ -2225,7 +2236,7 @@ var ClientConnection = class extends EventEmitter {
 		return new Promise((resolve, reject) => {
 			const wsUrl = `${this.serverUrl.replace(/^http/, "ws")}/api/v1/agent/ws/client`;
 			this.wsLogger.info({ url: wsUrl }, "connecting");
-			const ws = new WebSocket(wsUrl);
+			const ws = new WebSocket(wsUrl, this.userAgent ? { headers: { "User-Agent": this.userAgent } } : void 0);
 			let settled = false;
 			const settle = (fn, value) => {
 				if (settled) return;
@@ -2376,7 +2387,8 @@ var ClientConnection = class extends EventEmitter {
 				const sdk = new FirstTreeHubSDK({
 					serverUrl: this.serverUrl,
 					getAccessToken: this.getAccessToken,
-					agentId
+					agentId,
+					userAgent: this.userAgent
 				});
 				const agent = {
 					agentId,
@@ -6062,71 +6074,6 @@ function sleep(ms) {
 	return new Promise((resolve) => setTimeout(resolve, ms));
 }
 //#endregion
-//#region src/core/output.ts
-/**
-* Print layer — the only place CLI code should write to stdout/stderr.
-*
-* Contract:
-* - `print.result(data)` / `print.fail(...)` emit machine-readable JSON on
-*   stdout / stderr respectively. Scripts pipe into `jq` and expect a clean
-*   envelope, so nothing else may touch stdout.
-* - `print.status` / `print.check` / `print.blank` / `print.line` are
-*   human-friendly and go to stderr so they never pollute a redirected stdout.
-*   In `--json` mode they are silenced — scripted consumers only care about
-*   the envelope.
-*/
-let jsonMode = false;
-function setJsonMode(enabled) {
-	jsonMode = enabled;
-}
-function result(data) {
-	process.stdout.write(`${JSON.stringify({
-		ok: true,
-		data
-	})}\n`);
-}
-function fail$1(code, message, exitCode = 1) {
-	process.stderr.write(`${JSON.stringify({
-		ok: false,
-		error: {
-			code,
-			message
-		}
-	})}\n`);
-	process.exit(exitCode);
-}
-function status(label, message) {
-	if (jsonMode) return;
-	process.stderr.write(`  ${label.padEnd(20)} ${message}\n`);
-}
-function check(pass, label, detail = "") {
-	if (jsonMode) return;
-	const icon = pass ? "✓" : "✗";
-	const tail = detail ? ` ${detail}` : "";
-	process.stderr.write(`  ${icon} ${label.padEnd(22)}${tail}\n`);
-}
-function blank() {
-	if (jsonMode) return;
-	process.stderr.write("\n");
-}
-/**
-* Generic stderr writer for pre-formatted human text (multi-line tables,
-* interactive prompts). Prefer `status` / `check` when the text fits; this
-* exists so the `--json` mode gate can silence arbitrary human chatter.
-*/
-function line(text) {
-	if (jsonMode) return;
-	process.stderr.write(text);
-}
-const print = {
-	result,
-	fail: fail$1,
-	status,
-	check,
-	blank,
-	line
-};
-//#endregion
 //#region src/cli/output.ts
 /**
 * CLI output re-exports. The underlying implementation lives in
@@ -6491,6 +6438,7 @@ var ClientRuntime = class {
 			serverUrl,
 			clientId,
 			sdkVersion: options.currentVersion,
+			userAgent: CLI_USER_AGENT,
 			getAccessToken: (opts) => ensureFreshAccessToken(opts)
 		});
 		registerBuiltinHandlers();
@@ -7645,7 +7593,7 @@ async function checkServerHealth() {
 	const port = get(config, "server.port") ?? 8e3;
 	const url = `http://${host}:${port}/healthz`;
 	try {
-		const res = await fetch(url, { signal: AbortSignal.timeout(3e3) });
+		const res = await cliFetch(url, { signal: AbortSignal.timeout(3e3) });
 		if (res.ok) return {
 			label: "Server Health",
 			ok: true,
@@ -7696,7 +7644,7 @@ async function checkServerReachable() {
 		detail: "not configured (FIRST_TREE_HUB_SERVER_URL or config file)"
 	};
 	try {
-		const res = await fetch(`${serverUrl}/healthz`, { signal: AbortSignal.timeout(5e3) });
+		const res = await cliFetch(`${serverUrl}/healthz`, { signal: AbortSignal.timeout(5e3) });
 		if (res.ok) return {
 			label: "Server URL",
 			ok: true,
@@ -7841,7 +7789,7 @@ async function checkWebSocket() {
 	};
 	const wsUrl = serverUrl.replace(/^http/, "ws");
 	try {
-		if ((await fetch(`${serverUrl}/healthz`, { signal: AbortSignal.timeout(3e3) })).ok) return {
+		if ((await cliFetch(`${serverUrl}/healthz`, { signal: AbortSignal.timeout(3e3) })).ok) return {
 			label: "WebSocket",
 			ok: true,
 			detail: `${wsUrl} (server reachable)`
@@ -7931,7 +7879,7 @@ function createApiNameResolver(serverUrl, getAccessToken) {
 		if (cache) return cache;
 		const token = await getAccessToken();
 		const map = /* @__PURE__ */ new Map();
-		const res = await fetch(`${serverUrl}/api/v1/me/managed-agents`, {
+		const res = await cliFetch(`${serverUrl}/api/v1/me/managed-agents`, {
 			method: "GET",
 			headers: { Authorization: `Bearer ${token}` },
 			signal: AbortSignal.timeout(1e4)
@@ -8163,7 +8111,7 @@ async function onboardCheck(args) {
 			value: serverUrl
 		});
 		try {
-			const res = await fetch(`${serverUrl}/api/v1/health`);
+			const res = await cliFetch(`${serverUrl}/api/v1/health`);
 			items.push({
 				key: "server_reachable",
 				label: "Server reachable",
@@ -8235,7 +8183,7 @@ function formatCheckReport(items) {
 	return lines.join("\n");
 }
 async function resolveDefaultOrgId$1(serverUrl, accessToken) {
-	const res = await fetch(`${serverUrl}/api/v1/me`, {
+	const res = await cliFetch(`${serverUrl}/api/v1/me`, {
 		headers: { Authorization: `Bearer ${accessToken}` },
 		signal: AbortSignal.timeout(1e4)
 	});
@@ -8247,7 +8195,7 @@ async function resolveDefaultOrgId$1(serverUrl, accessToken) {
 	throw new Error("Multiple organizations — pass --org explicitly to onboard");
 }
 async function createAgentViaAdmin(serverUrl, accessToken, orgId, body) {
-	const res = await fetch(`${serverUrl}/api/v1/orgs/${encodeURIComponent(orgId)}/agents`, {
+	const res = await cliFetch(`${serverUrl}/api/v1/orgs/${encodeURIComponent(orgId)}/agents`, {
 		method: "POST",
 		headers: {
 			Authorization: `Bearer ${accessToken}`,
@@ -8306,7 +8254,7 @@ async function onboardCreate(args) {
 	}
 	const runtimeAgent = args.type === "human" ? args.assistant : args.id;
 	if (args.feishuBotAppId && args.feishuBotAppSecret) {
-		const { bindFeishuBot } = await import("./feishu-GvFABWW5.mjs").then((n) => n.r);
+		const { bindFeishuBot } = await import("./feishu-Th_-ivJ7.mjs").then((n) => n.r);
 		const targetAgentUuid = args.type === "human" ? assistantUuid : primary.uuid;
 		if (!targetAgentUuid) print.line(`Warning: Cannot bind Feishu bot — no runtime agent available for "${args.id}".\n`);
 		else {
@@ -8406,7 +8354,7 @@ async function promptAddAgent(opts = {}) {
 		validate: (v) => v.length > 0 ? true : "Agent UUID is required"
 	});
 	const token = await ensureFreshAccessToken();
-	const res = await fetch(`${serverUrl}/api/v1/agents/${encodeURIComponent(agentId)}`, {
+	const res = await cliFetch(`${serverUrl}/api/v1/agents/${encodeURIComponent(agentId)}`, {
 		headers: { Authorization: `Bearer ${token}` },
 		signal: AbortSignal.timeout(1e4)
 	});
@@ -8478,7 +8426,7 @@ function setNestedByDot(obj, dotPath, value) {
 * value (the in-band repair path catches any remaining drift on first bind).
 */
 async function reconcileLocalRuntimeProviders(opts) {
-	const res = await fetch(`${opts.serverUrl}/api/v1/me/pinned-agents`, { headers: { Authorization: `Bearer ${opts.accessToken}` } });
+	const res = await cliFetch(`${opts.serverUrl}/api/v1/me/pinned-agents`, { headers: { Authorization: `Bearer ${opts.accessToken}` } });
 	if (!res.ok) throw new Error(`hub returned ${res.status} on /clients/me/agents`);
 	const items = await res.json();
 	const byAgentId = new Map(items.map((it) => [it.agentId, it]));
@@ -8518,7 +8466,7 @@ async function reconcileLocalRuntimeProviders(opts) {
 * client startup since capabilities only matter for UI / admin checks.
 */
 async function uploadClientCapabilities(opts) {
-	const res = await fetch(`${opts.serverUrl}/api/v1/clients/${encodeURIComponent(opts.clientId)}/capabilities`, {
+	const res = await cliFetch(`${opts.serverUrl}/api/v1/clients/${encodeURIComponent(opts.clientId)}/capabilities`, {
 		method: "PATCH",
 		headers: {
 			Authorization: `Bearer ${opts.accessToken}`,
@@ -9519,7 +9467,7 @@ function createFeedbackHandler(config) {
 	return { handle };
 }
 //#endregion
-//#region ../server/dist/app-Cbgqlj0e.mjs
+//#region ../server/dist/app-EvpSNDM6.mjs
 var import_fastify_opentelemetry = /* @__PURE__ */ __toESM(require_fastify_opentelemetry(), 1);
 init_esm();
 var __defProp = Object.defineProperty;
@@ -13653,8 +13601,12 @@ function clientWsRoutes(notifier, instanceId) {
 	return async (app) => {
 		const jwtSecretBytes = new TextEncoder().encode(app.config.secrets.jwtSecret);
 		const inboxMaxInFlightPerAgent = app.config.inbox?.maxInFlightPerAgent ?? DEFAULT_INBOX_MAX_IN_FLIGHT_PER_AGENT;
-		app.get("/client", { websocket: true }, async (socket) => {
-			startWsConnectionSpan(socket);
+		app.get("/client", { websocket: true }, async (socket, request) => {
+			const ua = request.headers["user-agent"];
+			startWsConnectionSpan(socket, {
+				remoteIp: request.ip,
+				userAgent: typeof ua === "string" ? ua.slice(0, 200) : void 0
+			});
 			let session = null;
 			let jwtDefaultOrgId = null;
 			let clientId = null;
@@ -14566,8 +14518,12 @@ async function refreshAccessToken(db, refreshToken, jwtSecretKey, expiries) {
 	try {
 		const { payload: p } = await jwtVerify(refreshToken, secret);
 		payload = p;
-	} catch {
-		throw new UnauthorizedError("Invalid or expired refresh token", { "auth.refresh.reason": "jwt_verify_failed" });
+	} catch (err) {
+		const untrusted = decodeJwtForTrace(refreshToken);
+		throw new UnauthorizedError("Invalid or expired refresh token", {
+			"auth.refresh.reason": classifyJoseError(err),
+			...untrustedAttrs("auth.refresh", untrusted)
+		});
 	}
 	if (payload.type !== "refresh" || !payload.sub) throw new UnauthorizedError("Invalid token type", {
 		"auth.refresh.reason": "wrong_token_type",
@@ -14618,10 +14574,17 @@ async function exchangeConnectToken(db, connectToken, jwtSecretKey, expiries) {
 	try {
 		const { payload: p } = await jwtVerify(connectToken, secret);
 		payload = p;
-	} catch {
-		throw new UnauthorizedError("Invalid or expired connect token");
+	} catch (err) {
+		const untrusted = decodeJwtForTrace(connectToken);
+		throw new UnauthorizedError("Invalid or expired connect token", {
+			"auth.connect.reason": classifyJoseError(err),
+			...untrustedAttrs("auth.connect", untrusted)
+		});
 	}
-	if (payload.type !== "connect" || !payload.sub) throw new UnauthorizedError("Invalid token type — expected connect token");
+	if (payload.type !== "connect" || !payload.sub) throw new UnauthorizedError("Invalid token type — expected connect token", {
+		"auth.connect.reason": "wrong_token_type",
+		"auth.connect.actual_type": String(payload.type ?? "<missing>")
+	});
 	const jti = payload.jti;
 	if (jti) {
 		if (consumedConnectJtis.has(jti)) throw new UnauthorizedError("Connect token has already been used");
@@ -16838,7 +16801,7 @@ async function healthzRoutes(app) {
 * `api/orgs/invitations.ts` (Class B, admin-gated).
 */
 async function publicInvitationRoutes(app) {
-	const { previewInvitation } = await import("./invitation-DWlyNb8x-BEgoZ9k1.mjs");
+	const { previewInvitation } = await import("./invitation-DWlyNb8x-D3zjZSwI.mjs");
 	app.get("/:token/preview", async (request, reply) => {
 		if (!request.params.token) throw new UnauthorizedError("Token required");
 		const preview = await previewInvitation(app.db, request.params.token);
@@ -16935,7 +16898,7 @@ async function meRoutes(app) {
 	*/
 	app.get("/me/pinned-agents", async (request) => {
 		const { userId } = requireUser(request);
-		const { listMyPinnedAgents } = await import("./client-By1K4VVT-nVOhsXBy.mjs");
+		const { listMyPinnedAgents } = await import("./client-By1K4VVT-C5K7WZo6.mjs");
 		return listMyPinnedAgents(app.db, { userId });
 	});
 	/**
@@ -17760,7 +17723,11 @@ function orgWsRoutes(notifier, jwtSecret) {
 	}
 	return async (app) => {
 		app.get("/", { websocket: true }, async (socket, request) => {
-			startWsConnectionSpan(socket, { remoteIp: request.ip });
+			const ua = request.headers["user-agent"];
+			startWsConnectionSpan(socket, {
+				remoteIp: request.ip,
+				userAgent: typeof ua === "string" ? ua.slice(0, 200) : void 0
+			});
 			const orgIdFromPath = request.params.orgId;
 			const token = request.query.token;
 			if (!token || !orgIdFromPath) {
@@ -18531,8 +18498,12 @@ function userAuthHook(db, jwtSecret) {
 		try {
 			const { payload: p } = await jwtVerify(token, secret);
 			payload = p;
-		} catch {
-			throw new UnauthorizedError("Invalid or expired token", { "auth.failure_reason": "jwt_verify_failed" });
+		} catch (err) {
+			const untrusted = decodeJwtForTrace(token);
+			throw new UnauthorizedError("Invalid or expired token", {
+				"auth.failure_reason": classifyJoseError(err),
+				...untrustedAttrs("auth", untrusted)
+			});
 		}
 		if (payload.type !== "access" || !payload.sub) throw new UnauthorizedError("Invalid token type", {
 			"auth.failure_reason": "wrong_token_type",
@@ -19736,7 +19707,7 @@ function createPulseAggregator(options) {
 * Returning a string (rather than undefined) keeps the welcome frame well-
 * formed — the client treats the value advisorily.
 */
-function resolveCommandVersion$1(injected) {
+function resolveCommandVersion(injected) {
 	if (injected && injected.trim().length > 0) return injected;
 	try {
 		const pkg = createRequire(import.meta.url)("../package.json");
@@ -19828,7 +19799,7 @@ async function buildApp(config) {
 	const db = connectDatabase(config.database.url);
 	app.decorate("db", db);
 	app.decorate("config", config);
-	const commandVersion = resolveCommandVersion$1(config.commandVersion);
+	const commandVersion = resolveCommandVersion(config.commandVersion);
 	app.decorate("commandVersion", commandVersion);
 	app.log.info({ commandVersion }, "Hub server advertising command version");
 	const listenClient = postgres(config.database.url, { max: 1 });
@@ -19843,7 +19814,8 @@ async function buildApp(config) {
 	await app.register(rateLimit, {
 		max: config.rateLimit?.max ?? 100,
 		timeWindow: "1 minute",
-		hook: "preHandler"
+		hook: "preHandler",
+		errorResponseBuilder: buildRateLimitError
 	});
 	app.addHook("onSend", bodyCaptureOnSendHook);
 	const userAuth = userAuthHook(db, config.secrets.jwtSecret);
@@ -20042,58 +20014,6 @@ async function buildApp(config) {
 	return app;
 }
 //#endregion
-//#region src/core/version.ts
-/**
-* Version of the consumer-facing `@agent-team-foundation/first-tree-hub`
-* package. Read once at module load so the CLI, client runtime, and server
-* bootstrap all quote the same string.
-*
-* Path-based lookups (`require("../../package.json")`) do not survive the
-* tsdown bundle: the source lives at `src/core/version.ts` but every
-* emitted chunk lands in `dist/` — shifting the relative depth by one and
-* pointing at `packages/package.json` instead of our own manifest (the
-* v0.9.1 "Cannot find module ../../package.json" crash). Walk up from this
-* module's URL and accept the first `package.json` whose `name` matches, so
-* dev runs (`tsx src/cli/index.ts`) and the published bundle
-* (`dist/cli/index.mjs`) both resolve the same file.
-*/
-const PACKAGE_NAME$1 = "@agent-team-foundation/first-tree-hub";
-/**
-* Sentinel returned when the walker exhausts every parent directory without
-* finding our manifest. Deliberately NOT valid SemVer so the client-side
-* `UpdateManager` drops into its `semver.valid(current) === false` warn-and-
-* skip branch instead of treating it as `< target` and triggering a spurious
-* self-update loop (the scenario where the startup crash this module fixes
-* would otherwise quietly reincarnate as repeated `npm install -g @latest`).
-*/
-const UNRESOLVED_VERSION = "unknown";
-/**
-* Exported for tests. Walks up from `moduleUrl`'s directory looking for a
-* `package.json` whose `name` field equals {@link PACKAGE_NAME}. Returns
-* {@link UNRESOLVED_VERSION} as a last-resort fallback so the CLI never
-* crashes on a missing manifest.
-*/
-function resolveCommandVersion(moduleUrl = import.meta.url) {
-	let dir = dirname(fileURLToPath(moduleUrl));
-	for (let i = 0; i < 10; i++) {
-		try {
-			const pkg = JSON.parse(readFileSync(resolve(dir, "package.json"), "utf8"));
-			if (pkg.name === PACKAGE_NAME$1 && typeof pkg.version === "string" && pkg.version.length > 0) return pkg.version;
-		} catch (err) {
-			const code = err.code;
-			if (code !== "ENOENT" && code !== "ENOTDIR") {
-				const message = err instanceof Error ? err.message : String(err);
-				print.line(`[first-tree-hub] warning: could not read ${dir}/package.json: ${message}\n`);
-			}
-		}
-		const parent = dirname(dir);
-		if (parent === dir) break;
-		dir = parent;
-	}
-	return UNRESOLVED_VERSION;
-}
-const COMMAND_VERSION = resolveCommandVersion();
-//#endregion
 //#region src/core/server.ts
 /**
 * Full server start orchestration:
@@ -20148,7 +20068,7 @@ async function startServer(options) {
 		instanceId: `srv_${randomUUID().slice(0, 8)}`,
 		commandVersion: COMMAND_VERSION
 	};
-	const { initTelemetry, shutdownTelemetry } = await import("./observability-DttujCqj.mjs");
+	const { initTelemetry, shutdownTelemetry } = await import("./observability-CYsdAcoF.mjs");
 	await initTelemetry(serverConfig.observability.tracing, config.instanceId);
 	const app = await buildApp(config);
 	const SHUTDOWN_FORCE_EXIT_MS = 8e3;
@@ -20509,7 +20429,7 @@ async function promptReplaceOrCancel(newMemberId) {
 	}) === "replace" ? "proceed" : "cancel";
 }
 async function exchangeToken(url, token) {
-	const res = await fetch(`${url}/api/v1/auth/connect-token`, {
+	const res = await cliFetch(`${url}/api/v1/auth/connect-token`, {
 		method: "POST",
 		headers: { "Content-Type": "application/json" },
 		body: JSON.stringify({ token }),
@@ -20621,4 +20541,4 @@ function registerSaaSConnectCommand(program) {
 	});
 }
 //#endregion
-export { findStaleAliases as $, checkDatabase as A, installClientService as B, runHomeMigration as C, checkAgentConfigs as D, runMigrations as E, checkServerReachable as F, stopClientService as G, resolveCliInvocation as H, checkWebSocket as I, isDockerAvailable as J, uninstallClientService as K, printResults as L, checkNodeVersion as M, checkServerConfig as N, checkBackgroundService as O, checkServerHealth as P, rotateClientIdWithBackup as Q, reconcileAgentConfigs as R, saveOnboardState as S, migrateLocalAgentDirs as T, restartClientService as U, isServiceSupported as V, startClientService as W, ClientRuntime as X, stopPostgres as Y, handleClientOrgMismatch as Z, promptMissingFields as _, probeCapabilities as _t, declineUpdate as a, fail as at, onboardCheck as b, detectInstallMode as c, print as ct, startServer as d, ClientOrgMismatchError as dt, formatStaleReason as et, COMMAND_VERSION as f, ClientUserMismatchError as ft, promptAddAgent as g, cleanWorkspaces as gt, isInteractive as h, SessionRegistry as ht, createExecuteUpdate as i, resolveReplyToFromEnv as it, checkDocker as j, checkClientConfig as k, fetchLatestVersion as l, setJsonMode as lt, uploadClientCapabilities as m, SdkError as mt, deriveHubUrlFromToken as n, createOwner as nt, promptUpdate as o, success as ot, reconcileLocalRuntimeProviders as p, FirstTreeHubSDK as pt, ensurePostgres as q, registerSaaSConnectCommand as r, hasUser as rt, PACKAGE_NAME as s, blank as st, HubUrlDerivationError as t, removeLocalAgent as tt, installGlobalLatest as u, status as ut, formatCheckReport as v, applyClientLoggerConfig as vt, createApiNameResolver as w, onboardCreate as x, loadOnboardState as y, configureClientLoggerForService as yt, getClientServiceStatus as z };
+export { formatStaleReason as $, checkDocker as A, isServiceSupported as B, createApiNameResolver as C, checkBackgroundService as D, checkAgentConfigs as E, checkWebSocket as F, uninstallClientService as G, restartClientService as H, printResults as I, stopPostgres as J, ensurePostgres as K, reconcileAgentConfigs as L, checkServerConfig as M, checkServerHealth as N, checkClientConfig as O, checkServerReachable as P, findStaleAliases as Q, getClientServiceStatus as R, runHomeMigration as S, runMigrations as T, startClientService as U, resolveCliInvocation as V, stopClientService as W, handleClientOrgMismatch as X, ClientRuntime as Y, rotateClientIdWithBackup as Z, formatCheckReport as _, declineUpdate as a, success as at, onboardCreate as b, detectInstallMode as c, FirstTreeHubSDK as ct, startServer as d, cleanWorkspaces as dt, removeLocalAgent as et, reconcileLocalRuntimeProviders as f, probeCapabilities as ft, promptMissingFields as g, promptAddAgent as h, createExecuteUpdate as i, fail as it, checkNodeVersion as j, checkDatabase as k, fetchLatestVersion as l, SdkError as lt, isInteractive as m, configureClientLoggerForService as mt, deriveHubUrlFromToken as n, hasUser as nt, promptUpdate as o, ClientOrgMismatchError as ot, uploadClientCapabilities as p, applyClientLoggerConfig as pt, isDockerAvailable as q, registerSaaSConnectCommand as r, resolveReplyToFromEnv as rt, PACKAGE_NAME as s, ClientUserMismatchError as st, HubUrlDerivationError as t, createOwner as tt, installGlobalLatest as u, SessionRegistry as ut, loadOnboardState as v, migrateLocalAgentDirs as w, saveOnboardState as x, onboardCheck as y, installClientService as z };

package/dist/{src-CzQ5KF6D.mjs → src-DFlbpJfU.mjs}

@@ -1,5 +1,5 @@
 import { n as __esmMin } from "./chunk-BSw8zbkd.mjs";
-import { i as init_esm_min, n as FormData, o as Blob, r as formDataToBlob, s as init_fetch_blob, t as init_from } from "./from-CaD373S1.mjs";
+import { i as init_esm_min, n as FormData, o as Blob, r as formDataToBlob, s as init_fetch_blob, t as init_from } from "./from-DQ7eNRwu.mjs";
 import Stream, { PassThrough, pipeline } from "node:stream";
 import { format } from "node:url";
 import { deprecate, promisify, types } from "node:util";
@@ -209,7 +209,7 @@ var init_body = __esmMin((() => {
 				for (const [name, value] of parameters) formData.append(name, value);
 				return formData;
 			}
-			const { toFormData } = await import("./multipart-parser-BIksYTkk.mjs");
+			const { toFormData } = await import("./multipart-parser-QRu3OKK4.mjs");
 			return toFormData(this.body, ct);
 		}
 		/**

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agent-team-foundation/first-tree-hub",
-  "version": "0.11.2",
+  "version": "0.11.3",
   "type": "module",
   "description": "First Tree Hub — unified CLI for server, client, and agent management",
   "exports": {

package/dist/client-By1K4VVT-nVOhsXBy.mjs

@@ -1,4 +0,0 @@
-import "./dist-FuUBFTEB.mjs";
-import "./errors-BmyRwN0Y-CIZZ_sDc.mjs";
-import { y as listMyPinnedAgents } from "./client-CLdRbuml-B416INrm.mjs";
-export { listMyPinnedAgents };

package/dist/invitation-DWlyNb8x-BEgoZ9k1.mjs

@@ -1,4 +0,0 @@
-import "./dist-FuUBFTEB.mjs";
-import "./errors-BmyRwN0Y-CIZZ_sDc.mjs";
-import { s as previewInvitation } from "./invitation-Dnn5gGGX-Ce7zbZpn.mjs";
-export { previewInvitation };

package/dist/observability-DttujCqj.mjs

@@ -1,5 +0,0 @@
-import { _ as shutdownTelemetry, c as initTelemetry } from "./observability-C3nY6Jcz-Bk7FX689.mjs";
-import "./logger-core-BTmvdflj-DjW8FM4T.mjs";
-import "./esm-iadMkGbV.mjs";
-import "./src-DNBS5Yjj.mjs";
-export { initTelemetry, shutdownTelemetry };