@agent-team-foundation/first-tree-hub 0.11.2 → 0.11.4

package/dist/{bootstrap-B-FRMuvL.mjs → bootstrap-D-Yf8yOc.mjs}

@@ -1,5 +1,6 @@
 import { r as __exportAll } from "./chunk-BSw8zbkd.mjs";
 import { o as logFormatSchema, s as logLevelSchema } from "./logger-core-BTmvdflj-DjW8FM4T.mjs";
+import { t as cliFetch } from "./cli-fetch--tiwKm5S.mjs";
 import { z } from "zod";
 import { dirname, join } from "node:path";
 import { homedir } from "node:os";
@@ -568,21 +569,6 @@ const serverConfigSchema = defineConfig({
 		refreshTokenExpiry: field(z.string().default("30d"), { env: "FIRST_TREE_HUB_AUTH_REFRESH_TOKEN_EXPIRY" }),
 		connectTokenExpiry: field(z.string().default("10m"), { env: "FIRST_TREE_HUB_AUTH_CONNECT_TOKEN_EXPIRY" })
 	},
-	contextTree: optional({
-		repo: field(z.string().optional(), {
-			env: "FIRST_TREE_HUB_CONTEXT_TREE_REPO",
-			prompt: { message: "Context Tree repo URL (e.g. https://github.com/org/first-tree):" }
-		}),
-		localPath: field(z.string().optional(), { env: "FIRST_TREE_HUB_CONTEXT_TREE_PATH" }),
-		branch: field(z.string().default("main"))
-	}),
-	github: {
-		webhookSecret: field(z.string().optional(), {
-			env: "FIRST_TREE_HUB_GITHUB_WEBHOOK_SECRET",
-			secret: true
-		}),
-		allowedOrg: field(z.string().optional(), { env: "FIRST_TREE_HUB_GITHUB_ALLOWED_ORG" })
-	},
 	oauth: optional({ github: optional({
 		clientId: field(z.string(), { env: "FIRST_TREE_HUB_GITHUB_OAUTH_CLIENT_ID" }),
 		clientSecret: field(z.string(), {
@@ -784,7 +770,7 @@ async function ensureFreshAccessToken(opts) {
 	if (!isTokenStale(creds.accessToken, minValidityMs)) return creds.accessToken;
 	if (inflightRefresh) return inflightRefresh;
 	inflightRefresh = (async () => {
-		const res = await fetch(`${creds.serverUrl}/api/v1/auth/refresh`, {
+		const res = await cliFetch(`${creds.serverUrl}/api/v1/auth/refresh`, {
 			method: "POST",
 			headers: { "Content-Type": "application/json" },
 			body: JSON.stringify({ refreshToken: creds.refreshToken }),

package/dist/cli/index.mjs

@@ -1,14 +1,15 @@
 #!/usr/bin/env node
-import "../observability-C3nY6Jcz-Bk7FX689.mjs";
-import { $ as findStaleAliases, A as checkDatabase, B as installClientService, C as runHomeMigration, D as checkAgentConfigs, E as runMigrations, F as checkServerReachable, G as stopClientService, I as checkWebSocket, L as printResults, M as checkNodeVersion, N as checkServerConfig, O as checkBackgroundService, P as checkServerHealth, R as reconcileAgentConfigs, S as saveOnboardState, T as migrateLocalAgentDirs, U as restartClientService, V as isServiceSupported, W as startClientService, X as ClientRuntime, Y as stopPostgres, Z as handleClientOrgMismatch, _ as promptMissingFields, _t as probeCapabilities, a as declineUpdate, at as fail, b as onboardCheck, c as detectInstallMode, ct as print, d as startServer, dt as ClientOrgMismatchError, et as formatStaleReason, f as COMMAND_VERSION, ft as ClientUserMismatchError, g as promptAddAgent, gt as cleanWorkspaces, h as isInteractive, ht as SessionRegistry, i as createExecuteUpdate, it as resolveReplyToFromEnv, j as checkDocker, k as checkClientConfig, l as fetchLatestVersion, lt as setJsonMode, m as uploadClientCapabilities, mt as SdkError, nt as createOwner, o as promptUpdate, ot as success, p as reconcileLocalRuntimeProviders, pt as FirstTreeHubSDK, r as registerSaaSConnectCommand, s as PACKAGE_NAME, tt as removeLocalAgent, u as installGlobalLatest, v as formatCheckReport, vt as applyClientLoggerConfig, w as createApiNameResolver, x as onboardCreate, y as loadOnboardState, yt as configureClientLoggerForService, z as getClientServiceStatus } from "../saas-connect-Df2CVAGp.mjs";
+import "../observability-BAScT_5S-gw1ODB_o.mjs";
+import { $ as formatStaleReason, A as checkDocker, B as isServiceSupported, C as createApiNameResolver, D as checkBackgroundService, E as checkAgentConfigs, F as checkWebSocket, H as restartClientService, I as printResults, J as stopPostgres, L as reconcileAgentConfigs, M as checkServerConfig, N as checkServerHealth, O as checkClientConfig, P as checkServerReachable, Q as findStaleAliases, R as getClientServiceStatus, S as runHomeMigration, T as runMigrations, U as startClientService, W as stopClientService, X as handleClientOrgMismatch, Y as ClientRuntime, _ as formatCheckReport, a as declineUpdate, at as success, b as onboardCreate, c as detectInstallMode, ct as FirstTreeHubSDK, d as startServer, dt as cleanWorkspaces, et as removeLocalAgent, f as reconcileLocalRuntimeProviders, ft as probeCapabilities, g as promptMissingFields, h as promptAddAgent, i as createExecuteUpdate, it as fail, j as checkNodeVersion, k as checkDatabase, l as fetchLatestVersion, lt as SdkError, m as isInteractive, mt as configureClientLoggerForService, o as promptUpdate, ot as ClientOrgMismatchError, p as uploadClientCapabilities, pt as applyClientLoggerConfig, r as registerSaaSConnectCommand, rt as resolveReplyToFromEnv, s as PACKAGE_NAME, st as ClientUserMismatchError, tt as createOwner, u as installGlobalLatest, ut as SessionRegistry, v as loadOnboardState, w as migrateLocalAgentDirs, x as saveOnboardState, y as onboardCheck, z as installClientService } from "../saas-connect-CVoRK0Ex.mjs";
 import "../logger-core-BTmvdflj-DjW8FM4T.mjs";
-import { C as resetConfigMeta, E as setConfigValue, S as resetConfig, T as serverConfigSchema, _ as getConfigValue, a as ensureFreshAdminToken, c as resolveServerUrl, d as DEFAULT_CONFIG_DIR, f as DEFAULT_DATA_DIR, h as clientConfigSchema, i as ensureFreshAccessToken, l as saveAgentConfig, m as agentConfigSchema, o as loadCredentials, p as DEFAULT_HOME_DIR, u as saveCredentials, v as initConfig, w as resolveConfigReadonly, x as readConfigFile, y as loadAgents } from "../bootstrap-B-FRMuvL.mjs";
-import "../dist-FuUBFTEB.mjs";
-import { n as bindFeishuUser, t as bindFeishuBot } from "../feishu-GvFABWW5.mjs";
-import "../errors-BmyRwN0Y-CIZZ_sDc.mjs";
-import "../client-CLdRbuml-B416INrm.mjs";
-import "../src-DNBS5Yjj.mjs";
-import "../invitation-Dnn5gGGX-Ce7zbZpn.mjs";
+import { C as resetConfigMeta, E as setConfigValue, S as resetConfig, T as serverConfigSchema, _ as getConfigValue, a as ensureFreshAdminToken, c as resolveServerUrl, d as DEFAULT_CONFIG_DIR, f as DEFAULT_DATA_DIR, h as clientConfigSchema, i as ensureFreshAccessToken, l as saveAgentConfig, m as agentConfigSchema, o as loadCredentials, p as DEFAULT_HOME_DIR, u as saveCredentials, v as initConfig, w as resolveConfigReadonly, x as readConfigFile, y as loadAgents } from "../bootstrap-D-Yf8yOc.mjs";
+import { a as print, n as CLI_USER_AGENT, o as setJsonMode, r as COMMAND_VERSION, t as cliFetch } from "../cli-fetch--tiwKm5S.mjs";
+import "../dist-ClFs4WMj.mjs";
+import { n as bindFeishuUser, t as bindFeishuBot } from "../feishu-AI3pwmqN.mjs";
+import "../errors-BmyRwN0Y-Dad3eV8F.mjs";
+import "../client-CLdRbuml-svTO0Eat.mjs";
+import "../src-aJMV60mR.mjs";
+import "../invitation-Dnn5gGGX-DXryyvRG.mjs";
 import { join } from "node:path";
 import { existsSync, mkdirSync, readFileSync, readdirSync } from "node:fs";
 import * as semver from "semver";
@@ -16,7 +17,7 @@ import { Command } from "commander";
 import { confirm, input, password, select } from "@inquirer/prompts";
 //#region src/commands/agent-config.ts
 async function resolveAgentRecord(serverUrl, adminToken, agentName) {
-	const res = await fetch(`${serverUrl}/api/v1/me/managed-agents`, {
+	const res = await cliFetch(`${serverUrl}/api/v1/me/managed-agents`, {
 		headers: { Authorization: `Bearer ${adminToken}` },
 		signal: AbortSignal.timeout(1e4)
 	});
@@ -27,7 +28,7 @@ async function resolveAgentRecord(serverUrl, adminToken, agentName) {
 }
 async function adminFetch(url, init) {
 	const { adminToken, headers, ...rest } = init;
-	const res = await fetch(url, {
+	const res = await cliFetch(url, {
 		...rest,
 		headers: {
 			Authorization: `Bearer ${adminToken}`,
@@ -240,7 +241,8 @@ function createSdk(agentName) {
 	return new FirstTreeHubSDK({
 		serverUrl,
 		getAccessToken: (opts) => ensureFreshAccessToken(opts),
-		agentId
+		agentId,
+		userAgent: CLI_USER_AGENT
 	});
 }
 function handleSdkError(error) {
@@ -276,7 +278,7 @@ function readStdin() {
 	});
 }
 async function resolveAgent(serverUrl, adminToken, agentName) {
-	const res = await fetch(`${serverUrl}/api/v1/me/managed-agents`, {
+	const res = await cliFetch(`${serverUrl}/api/v1/me/managed-agents`, {
 		headers: { Authorization: `Bearer ${adminToken}` },
 		signal: AbortSignal.timeout(1e4)
 	});
@@ -339,7 +341,8 @@ function registerAgentCommands(program) {
 			const clientId = readClientId();
 			const sdk = new FirstTreeHubSDK({
 				serverUrl,
-				getAccessToken: (opts) => ensureFreshAccessToken(opts)
+				getAccessToken: (opts) => ensureFreshAccessToken(opts),
+				userAgent: CLI_USER_AGENT
 			});
 			const stale = await findStaleAliases({
 				clientId,
@@ -406,7 +409,7 @@ function registerAgentCommands(program) {
 		try {
 			const serverUrl = resolveServerUrl(options.server);
 			const token = await ensureFreshAccessToken();
-			const res = await fetch(`${serverUrl}/api/v1/me/managed-agents`, {
+			const res = await cliFetch(`${serverUrl}/api/v1/me/managed-agents`, {
 				headers: { Authorization: `Bearer ${token}` },
 				signal: AbortSignal.timeout(1e4)
 			});
@@ -433,7 +436,7 @@ function registerAgentCommands(program) {
 				Authorization: `Bearer ${adminToken}`,
 				"Content-Type": "application/json"
 			};
-			const meRes = await fetch(`${serverUrl}/api/v1/me`, {
+			const meRes = await cliFetch(`${serverUrl}/api/v1/me`, {
 				headers: { Authorization: `Bearer ${adminToken}` },
 				signal: AbortSignal.timeout(1e4)
 			});
@@ -456,7 +459,7 @@ function registerAgentCommands(program) {
 				runtimeProvider: options.runtime
 			};
 			if (options.displayName) createBody.displayName = options.displayName;
-			const createRes = await fetch(`${serverUrl}/api/v1/orgs/${encodeURIComponent(orgId)}/agents`, {
+			const createRes = await cliFetch(`${serverUrl}/api/v1/orgs/${encodeURIComponent(orgId)}/agents`, {
 				method: "POST",
 				headers,
 				body: JSON.stringify(createBody),
@@ -476,14 +479,14 @@ function registerAgentCommands(program) {
 		try {
 			const serverUrl = resolveServerUrl(options.server);
 			const accessToken = await ensureFreshAccessToken();
-			const meRes = await fetch(`${serverUrl}/api/v1/me`, {
+			const meRes = await cliFetch(`${serverUrl}/api/v1/me`, {
 				headers: { Authorization: `Bearer ${accessToken}` },
 				signal: AbortSignal.timeout(1e4)
 			});
 			if (!meRes.ok) fail("ME_ERROR", `Failed to fetch current member (HTTP ${meRes.status})`, 1);
 			const me = await meRes.json();
 			const target = await resolveAgent(serverUrl, accessToken, agentName);
-			const patchRes = await fetch(`${serverUrl}/api/v1/agents/${target.uuid}`, {
+			const patchRes = await cliFetch(`${serverUrl}/api/v1/agents/${target.uuid}`, {
 				method: "PATCH",
 				headers: {
 					Authorization: `Bearer ${accessToken}`,
@@ -526,7 +529,7 @@ function registerAgentCommands(program) {
 			const serverUrl = resolveServerUrl(options.server);
 			const accessToken = await ensureFreshAccessToken();
 			const target = await resolveAgent(serverUrl, accessToken, agentName);
-			const patchRes = await fetch(`${serverUrl}/api/v1/agents/${target.uuid}`, {
+			const patchRes = await cliFetch(`${serverUrl}/api/v1/agents/${target.uuid}`, {
 				method: "PATCH",
 				headers: {
 					Authorization: `Bearer ${accessToken}`,
@@ -636,7 +639,7 @@ function registerAgentCommands(program) {
 		try {
 			const serverUrl = resolveServerUrl(options?.server);
 			const accessToken = await ensureFreshAccessToken();
-			const meRes = await fetch(`${serverUrl}/api/v1/me`, {
+			const meRes = await cliFetch(`${serverUrl}/api/v1/me`, {
 				headers: { Authorization: `Bearer ${accessToken}` },
 				signal: AbortSignal.timeout(1e4)
 			});
@@ -655,7 +658,7 @@ function registerAgentCommands(program) {
 				agents: []
 			};
 			for (const m of me.memberships) {
-				const r = await fetch(`${serverUrl}/api/v1/orgs/${encodeURIComponent(m.organizationId)}/activity`, {
+				const r = await cliFetch(`${serverUrl}/api/v1/orgs/${encodeURIComponent(m.organizationId)}/activity`, {
 					headers: { Authorization: `Bearer ${accessToken}` },
 					signal: AbortSignal.timeout(1e4)
 				});
@@ -704,8 +707,7 @@ function registerAgentCommands(program) {
 	});
 	agent.command("reset <name>").description("Reset agent error state to idle").option("--server <url>", "Hub server URL").action(async (name, options) => {
 		try {
-			const serverUrl = resolveServerUrl(options.server);
-			const response = await fetch(`${serverUrl}/api/v1/agents/${name}/reset-activity`, {
+			const response = await cliFetch(`${resolveServerUrl(options.server)}/api/v1/agents/${name}/reset-activity`, {
 				method: "POST",
 				headers: { Authorization: `Bearer ${await ensureFreshAccessToken()}` },
 				signal: AbortSignal.timeout(1e4)
@@ -721,8 +723,7 @@ function registerAgentCommands(program) {
 			const serverUrl = resolveServerUrl(options.server);
 			const adminToken = await ensureFreshAccessToken();
 			const agentId = (await resolveAgent(serverUrl, adminToken, agentName)).uuid;
-			const qs = options.state ? `?state=${options.state}` : "";
-			const response = await fetch(`${serverUrl}/api/v1/agents/${agentId}/sessions${qs}`, {
+			const response = await cliFetch(`${serverUrl}/api/v1/agents/${agentId}/sessions${options.state ? `?state=${options.state}` : ""}`, {
 				headers: { Authorization: `Bearer ${adminToken}` },
 				signal: AbortSignal.timeout(1e4)
 			});
@@ -751,7 +752,7 @@ function registerAgentCommands(program) {
 			const serverUrl = resolveServerUrl(options.server);
 			const adminToken = await ensureFreshAccessToken();
 			const agentId = (await resolveAgent(serverUrl, adminToken, agentName)).uuid;
-			const response = await fetch(`${serverUrl}/api/v1/agents/${agentId}/sessions/${chatId}/${cmd}`, {
+			const response = await cliFetch(`${serverUrl}/api/v1/agents/${agentId}/sessions/${chatId}/${cmd}`, {
 				method: "POST",
 				headers: { Authorization: `Bearer ${adminToken}` },
 				signal: AbortSignal.timeout(1e4)
@@ -774,7 +775,7 @@ function registerAgentCommands(program) {
 				"Content-Type": "application/json"
 			};
 			const targetAgent = await resolveAgent(serverUrl, adminToken, agentName);
-			const dmRes = await fetch(`${serverUrl}/api/v1/agents/${targetAgent.uuid}/chats`, {
+			const dmRes = await cliFetch(`${serverUrl}/api/v1/agents/${targetAgent.uuid}/chats`, {
 				method: "POST",
 				headers,
 				signal: AbortSignal.timeout(1e4)
@@ -796,7 +797,7 @@ function registerAgentCommands(program) {
 			const pollMessages = async () => {
 				try {
 					const qs = lastSeenAt ? `?limit=50` : `?limit=10`;
-					const msgRes = await fetch(`${serverUrl}/api/v1/chats/${dm.id}/messages${qs}`, {
+					const msgRes = await cliFetch(`${serverUrl}/api/v1/chats/${dm.id}/messages${qs}`, {
 						headers,
 						signal: AbortSignal.timeout(1e4)
 					});
@@ -827,7 +828,7 @@ function registerAgentCommands(program) {
 					return;
 				}
 				try {
-					const sendRes = await fetch(`${serverUrl}/api/v1/chats/${dm.id}/messages`, {
+					const sendRes = await cliFetch(`${serverUrl}/api/v1/chats/${dm.id}/messages`, {
 						method: "POST",
 						headers,
 						body: JSON.stringify({
@@ -963,7 +964,7 @@ function printIsolationGuide(newServerUrl) {
 * Authenticate via connect token — exchange for full JWT credentials.
 */
 async function authenticateWithToken(url, token) {
-	const res = await fetch(`${url}/api/v1/auth/connect-token`, {
+	const res = await cliFetch(`${url}/api/v1/auth/connect-token`, {
 		method: "POST",
 		headers: { "Content-Type": "application/json" },
 		body: JSON.stringify({ token }),
@@ -979,7 +980,7 @@ async function authenticateInteractive(url) {
 	print.line("\n  Log in to Hub:\n");
 	const username = await input({ message: "  Username:" });
 	const pw = await password({ message: "  Password:" });
-	const loginRes = await fetch(`${url}/api/v1/auth/login`, {
+	const loginRes = await cliFetch(`${url}/api/v1/auth/login`, {
 		method: "POST",
 		headers: { "Content-Type": "application/json" },
 		body: JSON.stringify({
@@ -1270,7 +1271,8 @@ function registerClientCommands(program) {
 			});
 			const sdk = new FirstTreeHubSDK({
 				serverUrl,
-				getAccessToken: (opts) => ensureFreshAccessToken(opts)
+				getAccessToken: (opts) => ensureFreshAccessToken(opts),
+				userAgent: CLI_USER_AGENT
 			});
 			agentCheck = await reconcileAgentConfigs({
 				clientId: cfg.client.id,
@@ -1396,7 +1398,7 @@ function registerClientCommands(program) {
 		try {
 			const serverUrl = resolveServerUrl(options.server);
 			const token = await ensureFreshAccessToken();
-			const meRes = await fetch(`${serverUrl}/api/v1/me`, {
+			const meRes = await cliFetch(`${serverUrl}/api/v1/me`, {
 				headers: { Authorization: `Bearer ${token}` },
 				signal: AbortSignal.timeout(1e4)
 			});
@@ -1404,7 +1406,7 @@ function registerClientCommands(program) {
 			const adminOrgs = (await meRes.json()).memberships.filter((m) => m.role === "admin");
 			const clients = [];
 			for (const m of adminOrgs) {
-				const r = await fetch(`${serverUrl}/api/v1/orgs/${encodeURIComponent(m.organizationId)}/clients`, {
+				const r = await cliFetch(`${serverUrl}/api/v1/orgs/${encodeURIComponent(m.organizationId)}/clients`, {
 					headers: { Authorization: `Bearer ${token}` },
 					signal: AbortSignal.timeout(1e4)
 				});
@@ -1453,7 +1455,7 @@ function registerClientCommands(program) {
 				}
 			}
 			const token = await ensureFreshAccessToken();
-			const response = await fetch(`${serverUrl}/api/v1/clients/${encodeURIComponent(clientId)}/claim`, {
+			const response = await cliFetch(`${serverUrl}/api/v1/clients/${encodeURIComponent(clientId)}/claim`, {
 				method: "POST",
 				headers: {
 					Authorization: `Bearer ${token}`,
@@ -1471,7 +1473,8 @@ function registerClientCommands(program) {
 			try {
 				const sdk = new FirstTreeHubSDK({
 					serverUrl,
-					getAccessToken: (opts) => ensureFreshAccessToken(opts)
+					getAccessToken: (opts) => ensureFreshAccessToken(opts),
+					userAgent: CLI_USER_AGENT
 				});
 				const stale = await findStaleAliases({
 					clientId,
@@ -1520,7 +1523,7 @@ function registerClientCommands(program) {
 		try {
 			const serverUrl = resolveServerUrl(options.server);
 			const token = await ensureFreshAccessToken();
-			const response = await fetch(`${serverUrl}/api/v1/clients/${encodeURIComponent(clientId)}/disconnect`, {
+			const response = await cliFetch(`${serverUrl}/api/v1/clients/${encodeURIComponent(clientId)}/disconnect`, {
 				method: "POST",
 				headers: { Authorization: `Bearer ${token}` },
 				signal: AbortSignal.timeout(1e4)
@@ -1667,13 +1670,13 @@ function isSecretField(schema, dotPath) {
 //#region src/commands/onboard.ts
 async function promptMissing(args) {
 	if (!args.server) try {
-		const { resolveServerUrl } = await import("../bootstrap-B-FRMuvL.mjs").then((n) => n.r);
+		const { resolveServerUrl } = await import("../bootstrap-D-Yf8yOc.mjs").then((n) => n.r);
 		resolveServerUrl();
 	} catch {
 		args.server = await input({ message: "Hub server URL:" });
 		saveOnboardState(args);
 	}
-	const { loadCredentials } = await import("../bootstrap-B-FRMuvL.mjs").then((n) => n.r);
+	const { loadCredentials } = await import("../bootstrap-D-Yf8yOc.mjs").then((n) => n.r);
 	if (!loadCredentials()) throw new Error("No saved credentials. Run `first-tree-hub client connect <server-url>` before onboarding.");
 	if (!args.id) {
 		args.id = await input({ message: "Agent ID:" });
@@ -1833,7 +1836,7 @@ function registerServerCommands(program) {
 	server.command("status").description("Show server health and status").action(async () => {
 		const url = process.env.FIRST_TREE_HUB_SERVER_URL ?? "http://localhost:8000";
 		try {
-			const res = await fetch(`${url}/api/v1/health`);
+			const res = await cliFetch(`${url}/api/v1/health`);
 			if (res.ok) {
 				const data = await res.json();
 				process.stdout.write(`${JSON.stringify(data, null, 2)}\n`);

package/dist/cli-fetch--tiwKm5S.mjs

@@ -0,0 +1,167 @@
+import { dirname, resolve } from "node:path";
+import { readFileSync } from "node:fs";
+import { fileURLToPath } from "node:url";
+//#region src/core/output.ts
+/**
+* Print layer — the only place CLI code should write to stdout/stderr.
+*
+* Contract:
+* - `print.result(data)` / `print.fail(...)` emit machine-readable JSON on
+*   stdout / stderr respectively. Scripts pipe into `jq` and expect a clean
+*   envelope, so nothing else may touch stdout.
+* - `print.status` / `print.check` / `print.blank` / `print.line` are
+*   human-friendly and go to stderr so they never pollute a redirected stdout.
+*   In `--json` mode they are silenced — scripted consumers only care about
+*   the envelope.
+*/
+let jsonMode = false;
+function setJsonMode(enabled) {
+	jsonMode = enabled;
+}
+function result(data) {
+	process.stdout.write(`${JSON.stringify({
+		ok: true,
+		data
+	})}\n`);
+}
+function fail(code, message, exitCode = 1) {
+	process.stderr.write(`${JSON.stringify({
+		ok: false,
+		error: {
+			code,
+			message
+		}
+	})}\n`);
+	process.exit(exitCode);
+}
+function status(label, message) {
+	if (jsonMode) return;
+	process.stderr.write(`  ${label.padEnd(20)} ${message}\n`);
+}
+function check(pass, label, detail = "") {
+	if (jsonMode) return;
+	const icon = pass ? "✓" : "✗";
+	const tail = detail ? ` ${detail}` : "";
+	process.stderr.write(`  ${icon} ${label.padEnd(22)}${tail}\n`);
+}
+function blank() {
+	if (jsonMode) return;
+	process.stderr.write("\n");
+}
+/**
+* Generic stderr writer for pre-formatted human text (multi-line tables,
+* interactive prompts). Prefer `status` / `check` when the text fits; this
+* exists so the `--json` mode gate can silence arbitrary human chatter.
+*/
+function line(text) {
+	if (jsonMode) return;
+	process.stderr.write(text);
+}
+const print = {
+	result,
+	fail,
+	status,
+	check,
+	blank,
+	line
+};
+//#endregion
+//#region src/core/version.ts
+/**
+* Version of the consumer-facing `@agent-team-foundation/first-tree-hub`
+* package. Read once at module load so the CLI, client runtime, and server
+* bootstrap all quote the same string.
+*
+* Path-based lookups (`require("../../package.json")`) do not survive the
+* tsdown bundle: the source lives at `src/core/version.ts` but every
+* emitted chunk lands in `dist/` — shifting the relative depth by one and
+* pointing at `packages/package.json` instead of our own manifest (the
+* v0.9.1 "Cannot find module ../../package.json" crash). Walk up from this
+* module's URL and accept the first `package.json` whose `name` matches, so
+* dev runs (`tsx src/cli/index.ts`) and the published bundle
+* (`dist/cli/index.mjs`) both resolve the same file.
+*/
+const PACKAGE_NAME = "@agent-team-foundation/first-tree-hub";
+/**
+* Sentinel returned when the walker exhausts every parent directory without
+* finding our manifest. Deliberately NOT valid SemVer so the client-side
+* `UpdateManager` drops into its `semver.valid(current) === false` warn-and-
+* skip branch instead of treating it as `< target` and triggering a spurious
+* self-update loop (the scenario where the startup crash this module fixes
+* would otherwise quietly reincarnate as repeated `npm install -g @latest`).
+*/
+const UNRESOLVED_VERSION = "unknown";
+/**
+* Exported for tests. Walks up from `moduleUrl`'s directory looking for a
+* `package.json` whose `name` field equals {@link PACKAGE_NAME}. Returns
+* {@link UNRESOLVED_VERSION} as a last-resort fallback so the CLI never
+* crashes on a missing manifest.
+*/
+function resolveCommandVersion(moduleUrl = import.meta.url) {
+	let dir = dirname(fileURLToPath(moduleUrl));
+	for (let i = 0; i < 10; i++) {
+		try {
+			const pkg = JSON.parse(readFileSync(resolve(dir, "package.json"), "utf8"));
+			if (pkg.name === PACKAGE_NAME && typeof pkg.version === "string" && pkg.version.length > 0) return pkg.version;
+		} catch (err) {
+			const code = err.code;
+			if (code !== "ENOENT" && code !== "ENOTDIR") {
+				const message = err instanceof Error ? err.message : String(err);
+				print.line(`[first-tree-hub] warning: could not read ${dir}/package.json: ${message}\n`);
+			}
+		}
+		const parent = dirname(dir);
+		if (parent === dir) break;
+		dir = parent;
+	}
+	return UNRESOLVED_VERSION;
+}
+const COMMAND_VERSION = resolveCommandVersion();
+/**
+* `User-Agent` string sent on every CLI-originated HTTP request (SDK fetches,
+* `/auth/refresh`, etc.). Without this Node defaults to `User-Agent: node`,
+* which hides install / version / platform context from server-side trace
+* backends — see issue #246. The format follows RFC 7231 §5.5.3 conventions
+* (`product/version (comment)`).
+*/
+const CLI_USER_AGENT = `first-tree-hub-cli/${COMMAND_VERSION} (${process.platform} ${process.arch})`;
+//#endregion
+//#region src/core/cli-fetch.ts
+/**
+* Drop-in `fetch` wrapper that stamps `User-Agent: first-tree-hub-cli/<version> (<platform> <arch>)`
+* on every request.
+*
+* Issue #246: every CLI-originated HTTP request must carry a stable
+* `User-Agent` so trace backends can group failures (401 / 429 / 5xx) by
+* install. Plain `globalThis.fetch` defaults to `User-Agent: node`, which
+* collapses every install into a single bucket. Centralising the header
+* here means new direct-fetch sites pick the right UA up automatically —
+* no need to remember at each call site.
+*
+* SDK-routed requests stamp UA via {@link FirstTreeHubSDK} (see
+* `packages/client/src/sdk.ts`). This helper is for the
+* direct-`fetch` paths the SDK doesn't cover (auth bootstrap,
+* doctor probes, raw admin calls).
+*
+* Header precedence: caller-provided `User-Agent` in `init.headers` wins,
+* so callers can override (e.g. tests injecting a deterministic UA).
+*/
+function cliFetch(input, init) {
+	const merged = mergeHeaders(init?.headers);
+	return fetch(input, {
+		...init,
+		headers: merged
+	});
+}
+function mergeHeaders(provided) {
+	const out = {};
+	if (provided) if (provided instanceof Headers) provided.forEach((v, k) => {
+		out[k] = v;
+	});
+	else if (Array.isArray(provided)) for (const [k, v] of provided) out[k] = v;
+	else Object.assign(out, provided);
+	if (!Object.keys(out).some((k) => k.toLowerCase() === "user-agent")) out["User-Agent"] = CLI_USER_AGENT;
+	return out;
+}
+//#endregion
+export { print as a, blank as i, CLI_USER_AGENT as n, setJsonMode as o, COMMAND_VERSION as r, status as s, cliFetch as t };

package/dist/client-By1K4VVT-DuI6EnSh.mjs

@@ -0,0 +1,4 @@
+import "./dist-ClFs4WMj.mjs";
+import "./errors-BmyRwN0Y-Dad3eV8F.mjs";
+import { y as listMyPinnedAgents } from "./client-CLdRbuml-svTO0Eat.mjs";
+export { listMyPinnedAgents };

package/dist/{client-CLdRbuml-B416INrm.mjs → client-CLdRbuml-svTO0Eat.mjs}

@@ -1,5 +1,5 @@
-import { C as clientCapabilitiesSchema } from "./dist-FuUBFTEB.mjs";
-import { a as ConflictError, i as ClientUserMismatchError, l as organizations, n as BadRequestError, s as NotFoundError, u as users } from "./errors-BmyRwN0Y-CIZZ_sDc.mjs";
+import { w as clientCapabilitiesSchema } from "./dist-ClFs4WMj.mjs";
+import { a as ConflictError, i as ClientUserMismatchError, l as organizations, n as BadRequestError, s as NotFoundError, u as users } from "./errors-BmyRwN0Y-Dad3eV8F.mjs";
 import { and, eq, inArray, ne, sql } from "drizzle-orm";
 import { index, integer, jsonb, pgTable, text, timestamp, unique } from "drizzle-orm/pg-core";
 //#region ../server/dist/client-CLdRbuml.mjs

package/dist/{dist-BLY7Bu-l.mjs → dist-BQtAQNRD.mjs}

@@ -1,5 +1,5 @@
 import { i as __require, t as __commonJSMin } from "./chunk-BSw8zbkd.mjs";
-import { t as require_src } from "./src-DNBS5Yjj.mjs";
+import { t as require_src } from "./src-aJMV60mR.mjs";
 //#region ../../node_modules/.pnpm/agent-base@7.1.4/node_modules/agent-base/dist/helpers.js
 var require_helpers = /* @__PURE__ */ __commonJSMin(((exports) => {
 	var __createBinding = exports && exports.__createBinding || (Object.create ? (function(o, m, k, k2) {

package/dist/{dist-FuUBFTEB.mjs → dist-ClFs4WMj.mjs}

@@ -1140,6 +1140,60 @@ const githubDevCallbackQuerySchema = z.object({
 	displayName: z.string().optional(),
 	next: z.string().max(256).optional()
 });
+/**
+* Per-organization settings — schemas, namespaces, and the registry that
+* dispatches `(orgId, namespace)` lookups to the right validator.
+*
+* Each namespace has three schemas:
+*   - `storage` — what is persisted in `organization_settings.value`. For
+*     namespaces with secrets, the storage schema names the *cipher* field
+*     (e.g. `webhookSecretCipher`); plaintext never touches the row.
+*   - `input`   — what the admin API accepts in PUT bodies. For namespaces
+*     with secrets, `webhookSecret` is plaintext; the service layer
+*     encrypts it before merging into storage.
+*   - `output`  — what GET returns. Secrets are replaced by a boolean
+*     `…Configured` flag — plaintext is never echoed.
+*
+* Adding a new per-org config group:
+*   1. Define three schemas (storage / input / output).
+*   2. Add a key to `ORG_SETTINGS_NAMESPACES`.
+*   3. Done. No DB migration, no new API route.
+*/
+const orgContextTreeStorageSchema = z.object({
+	repo: z.string().url().optional(),
+	branch: z.string().default("main")
+});
+const orgContextTreeInputSchema = z.object({
+	repo: z.string().url().min(1).nullish(),
+	branch: z.string().min(1).nullish()
+});
+const orgContextTreeOutputSchema = z.object({
+	repo: z.string().optional(),
+	branch: z.string().optional()
+});
+const orgGithubIntegrationStorageSchema = z.object({ webhookSecretCipher: z.string().optional() });
+const orgGithubIntegrationInputSchema = z.object({ webhookSecret: z.string().min(1).nullish() });
+const orgGithubIntegrationOutputSchema = z.object({
+	webhookSecretConfigured: z.boolean(),
+	webhookUrl: z.string()
+});
+const ORG_SETTINGS_NAMESPACES = {
+	context_tree: {
+		storage: orgContextTreeStorageSchema,
+		input: orgContextTreeInputSchema,
+		output: orgContextTreeOutputSchema
+	},
+	github_integration: {
+		storage: orgGithubIntegrationStorageSchema,
+		input: orgGithubIntegrationInputSchema,
+		output: orgGithubIntegrationOutputSchema
+	}
+};
+const ORG_SETTINGS_NAMESPACE_KEYS = Object.keys(ORG_SETTINGS_NAMESPACES);
+z.enum(ORG_SETTINGS_NAMESPACE_KEYS);
+function isOrgSettingNamespace(value) {
+	return typeof value === "string" && ORG_SETTINGS_NAMESPACE_KEYS.includes(value);
+}
 const UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 z.object({
 	name: z.string().min(2).max(50).regex(/^[a-z0-9][a-z0-9-]*$/, "Must start with a letter or digit and contain only lowercase alphanumeric and hyphens").refine((v) => !UUID_PATTERN.test(v), "Name must not be a UUID format"),
@@ -1467,4 +1521,4 @@ z.object({
 	capabilities: serverCapabilitiesSchema.optional()
 }).passthrough();
 //#endregion
-export { notificationQuerySchema as $, createChatSchema as A, githubDevCallbackQuerySchema as B, clientCapabilitiesSchema as C, updateTaskStatusSchema as Ct, createAdapterConfigSchema as D, contextTreeSnapshotSchema as E, defaultRuntimeConfigPayload as F, inboxPollQuerySchema as G, imageInlineContentSchema as H, delegateFeishuUserSchema as I, joinByInvitationSchema as J, isRedactedEnvValue as K, dryRunAgentRuntimeConfigSchema as L, createMemberSchema as M, createOrgFromMeSchema as N, createAdapterMappingSchema as O, createTaskSchema as P, messageSourceSchema as Q, extractMentions as R, agentTypeSchema as S, updateOrganizationSchema as St, connectTokenExchangeSchema as T, inboxAckFrameSchema as U, githubStartQuerySchema as V, inboxDeliverFrameSchema as W, listMeChatsQuerySchema as X, linkTaskChatSchema as Y, loginSchema as Z, adminCreateTaskSchema as _, updateAgentRuntimeConfigSchema as _t, AGENT_STATUSES as a, scanMentionTokens as at, agentPinnedMessageSchema as b, updateClientCapabilitiesSchema as bt, DEFAULT_RUNTIME_PROVIDER as c, sendToAgentSchema as ct, TASK_HEALTH_SIGNALS as d, sessionEventSchema as dt, paginationQuerySchema as et, TASK_STATUSES as f, sessionReconcileRequestSchema as ft, addParticipantSchema as g, updateAdapterConfigSchema as gt, addMeChatParticipantsSchema as h, taskListQuerySchema as ht, AGENT_SOURCES as i, safeRedirectPath as it, createMeChatSchema as j, createAgentSchema as k, MENTION_REGEX as l, sessionCompletionMessageSchema as lt, WS_AUTH_FRAME_TIMEOUT_MS as m, stripCode as mt, AGENT_NAME_REGEX as n, refreshTokenSchema as nt, AGENT_TYPES as o, selfServiceFeishuBotSchema as ot, TASK_TERMINAL_STATUSES as p, sessionStateMessageSchema as pt, isReservedAgentName as q, AGENT_SELECTOR_HEADER as r, runtimeStateMessageSchema as rt, AGENT_VISIBILITY as s, sendMessageSchema as st, AGENT_BIND_REJECT_REASONS as t, rebindAgentSchema as tt, TASK_CREATOR_TYPES as u, sessionEventMessageSchema as ut, adminUpdateTaskSchema as v, updateAgentSchema as vt, clientRegisterSchema as w, wsAuthFrameSchema as wt, agentRuntimeConfigPayloadSchema as x, updateMemberSchema as xt, agentBindRequestSchema as y, updateChatSchema as yt, githubCallbackQuerySchema as z };
+export { loginSchema as $, createAgentSchema as A, githubCallbackQuerySchema as B, agentTypeSchema as C, updateMemberSchema as Ct, contextTreeSnapshotSchema as D, connectTokenExchangeSchema as E, wsAuthFrameSchema as Et, createTaskSchema as F, inboxDeliverFrameSchema as G, githubStartQuerySchema as H, defaultRuntimeConfigPayload as I, isRedactedEnvValue as J, inboxPollQuerySchema as K, delegateFeishuUserSchema as L, createMeChatSchema as M, createMemberSchema as N, createAdapterConfigSchema as O, createOrgFromMeSchema as P, listMeChatsQuerySchema as Q, dryRunAgentRuntimeConfigSchema as R, agentRuntimeConfigPayloadSchema as S, updateClientCapabilitiesSchema as St, clientRegisterSchema as T, updateTaskStatusSchema as Tt, imageInlineContentSchema as U, githubDevCallbackQuerySchema as V, inboxAckFrameSchema as W, joinByInvitationSchema as X, isReservedAgentName as Y, linkTaskChatSchema as Z, addParticipantSchema as _, taskListQuerySchema as _t, AGENT_STATUSES as a, runtimeStateMessageSchema as at, agentBindRequestSchema as b, updateAgentSchema as bt, DEFAULT_RUNTIME_PROVIDER as c, selfServiceFeishuBotSchema as ct, TASK_CREATOR_TYPES as d, sessionCompletionMessageSchema as dt, messageSourceSchema as et, TASK_HEALTH_SIGNALS as f, sessionEventMessageSchema as ft, addMeChatParticipantsSchema as g, stripCode as gt, WS_AUTH_FRAME_TIMEOUT_MS as h, sessionStateMessageSchema as ht, AGENT_SOURCES as i, refreshTokenSchema as it, createChatSchema as j, createAdapterMappingSchema as k, MENTION_REGEX as l, sendMessageSchema as lt, TASK_TERMINAL_STATUSES as m, sessionReconcileRequestSchema as mt, AGENT_NAME_REGEX as n, paginationQuerySchema as nt, AGENT_TYPES as o, safeRedirectPath as ot, TASK_STATUSES as p, sessionEventSchema as pt, isOrgSettingNamespace as q, AGENT_SELECTOR_HEADER as r, rebindAgentSchema as rt, AGENT_VISIBILITY as s, scanMentionTokens as st, AGENT_BIND_REJECT_REASONS as t, notificationQuerySchema as tt, ORG_SETTINGS_NAMESPACES as u, sendToAgentSchema as ut, adminCreateTaskSchema as v, updateAdapterConfigSchema as vt, clientCapabilitiesSchema as w, updateOrganizationSchema as wt, agentPinnedMessageSchema as x, updateChatSchema as xt, adminUpdateTaskSchema as y, updateAgentRuntimeConfigSchema as yt, extractMentions as z };

package/dist/drizzle/0032_organization_settings.sql

@@ -0,0 +1,36 @@
+-- Per-organization settings, keyed by (organization_id, namespace).
+--
+-- Each row holds an entire group of related config as a JSONB blob; the
+-- schema for each namespace lives in @agent-team-foundation/first-tree-hub-shared
+-- (ORG_SETTINGS_NAMESPACES) and is enforced by the service layer on every
+-- read/write. Adding a new config group means registering a new namespace +
+-- Zod schema in shared — the DB does not change.
+--
+-- `version` is reserved for future optimistic locking (PUT with If-Match).
+-- We keep the column from day one so tightening to compare-and-swap later
+-- is a code-only change with no migration.
+--
+-- Sensitive fields inside `value` (e.g. github_integration.webhookSecret)
+-- are AES-256-GCM-encrypted at the service layer using crypto.ts's
+-- encryptValue / decryptValue — same pattern as adapter_configs.
+--
+-- ON DELETE CASCADE on organization_id: settings have no independent
+-- lifecycle, deleting an org must drop them. updated_by is SET NULL so a
+-- user deletion does not cascade-clobber unrelated config rows.
+
+CREATE TABLE IF NOT EXISTS "organization_settings" (
+  "organization_id" text NOT NULL,
+  "namespace"       text NOT NULL,
+  "value"           jsonb NOT NULL DEFAULT '{}'::jsonb,
+  "version"         integer NOT NULL DEFAULT 0,
+  "updated_by"      text,
+  "updated_at"      timestamp with time zone NOT NULL DEFAULT now(),
+  CONSTRAINT "organization_settings_pkey" PRIMARY KEY ("organization_id", "namespace"),
+  CONSTRAINT "organization_settings_organization_id_organizations_id_fk"
+    FOREIGN KEY ("organization_id") REFERENCES "organizations"("id") ON DELETE CASCADE,
+  CONSTRAINT "organization_settings_updated_by_users_id_fk"
+    FOREIGN KEY ("updated_by") REFERENCES "users"("id") ON DELETE SET NULL
+);
+
+CREATE INDEX IF NOT EXISTS "idx_org_settings_namespace"
+  ON "organization_settings" ("namespace");

package/dist/drizzle/meta/_journal.json

@@ -225,6 +225,13 @@
       "when": 1777939200000,
       "tag": "0031_drop_system_configs",
       "breakpoints": true
+    },
+    {
+      "idx": 32,
+      "version": "7",
+      "when": 1778198400000,
+      "tag": "0032_organization_settings",
+      "breakpoints": true
     }
   ]
-}
+}