npm - @agent-team-foundation/first-tree-hub - Versions diffs - 0.11.3 → 0.11.4 - Mend

@agent-team-foundation/first-tree-hub 0.11.3 → 0.11.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/dist/{saas-connect-gcT6Q10z.mjs → saas-connect-CVoRK0Ex.mjs} RENAMED Viewed

@@ -1,10 +1,10 @@
 import { a as __toCommonJS, o as __toESM, t as __commonJSMin } from "./chunk-BSw8zbkd.mjs";
 import { A as FIRST_TREE_HUB_ATTR, C as stampOrgScope, D as untrustedAttrs, E as startWsConnectionSpan, M as require_pino, O as withSpan, S as stampChatResource, _ as rootLogger$1, a as buildRateLimitError, c as currentTraceId, f as messageAttrs, g as reportErrorToRoot, i as bodyCaptureOnSendHook, j as redactUrl, k as withWsMessageSpan, l as decodeJwtForTrace, m as observabilityPlugin, n as applyLoggerConfig, o as classifyJoseError, r as attachRequestContext, s as createLogger$1, t as adapterAttrs, u as endWsConnectionSpan, x as stampAgentResource, y as setWsConnectionAttrs } from "./observability-BAScT_5S-gw1ODB_o.mjs";
-import { C as resetConfigMeta, E as setConfigValue, S as resetConfig, T as serverConfigSchema, b as migrateLegacyHome, c as resolveServerUrl, d as DEFAULT_CONFIG_DIR, f as DEFAULT_DATA_DIR$1, g as collectMissingPrompts, h as clientConfigSchema, i as ensureFreshAccessToken, l as saveAgentConfig, m as agentConfigSchema, o as loadCredentials, p as DEFAULT_HOME_DIR$1, u as saveCredentials, v as initConfig, w as resolveConfigReadonly, y as loadAgents } from "./bootstrap-D4rdqM2F.mjs";
+import { C as resetConfigMeta, E as setConfigValue, S as resetConfig, T as serverConfigSchema, b as migrateLegacyHome, c as resolveServerUrl, d as DEFAULT_CONFIG_DIR, f as DEFAULT_DATA_DIR$1, g as collectMissingPrompts, h as clientConfigSchema, i as ensureFreshAccessToken, l as saveAgentConfig, m as agentConfigSchema, o as loadCredentials, p as DEFAULT_HOME_DIR$1, u as saveCredentials, v as initConfig, w as resolveConfigReadonly, y as loadAgents } from "./bootstrap-D-Yf8yOc.mjs";
 import { a as print, i as blank, n as CLI_USER_AGENT, r as COMMAND_VERSION, s as status, t as cliFetch } from "./cli-fetch--tiwKm5S.mjs";
-import { $ as notificationQuerySchema, A as createChatSchema, B as githubDevCallbackQuerySchema, Ct as updateTaskStatusSchema, D as createAdapterConfigSchema, E as contextTreeSnapshotSchema, F as defaultRuntimeConfigPayload, G as inboxPollQuerySchema, H as imageInlineContentSchema, I as delegateFeishuUserSchema, J as joinByInvitationSchema, K as isRedactedEnvValue, L as dryRunAgentRuntimeConfigSchema, M as createMemberSchema, N as createOrgFromMeSchema, O as createAdapterMappingSchema, P as createTaskSchema, Q as messageSourceSchema$1, R as extractMentions, S as agentTypeSchema$1, St as updateOrganizationSchema, T as connectTokenExchangeSchema, U as inboxAckFrameSchema, V as githubStartQuerySchema, W as inboxDeliverFrameSchema$1, X as listMeChatsQuerySchema, Y as linkTaskChatSchema, Z as loginSchema, _ as adminCreateTaskSchema, _t as updateAgentRuntimeConfigSchema, a as AGENT_STATUSES, at as scanMentionTokens, b as agentPinnedMessageSchema$1, bt as updateClientCapabilitiesSchema, ct as sendToAgentSchema, d as TASK_HEALTH_SIGNALS, dt as sessionEventSchema$1, et as paginationQuerySchema, f as TASK_STATUSES, ft as sessionReconcileRequestSchema, g as addParticipantSchema, gt as updateAdapterConfigSchema, h as addMeChatParticipantsSchema, ht as taskListQuerySchema, i as AGENT_SOURCES, it as safeRedirectPath, j as createMeChatSchema, k as createAgentSchema, l as MENTION_REGEX, lt as sessionCompletionMessageSchema, m as WS_AUTH_FRAME_TIMEOUT_MS, mt as stripCode, n as AGENT_NAME_REGEX$1, nt as refreshTokenSchema, o as AGENT_TYPES, ot as selfServiceFeishuBotSchema, p as TASK_TERMINAL_STATUSES, pt as sessionStateMessageSchema, q as isReservedAgentName$1, r as AGENT_SELECTOR_HEADER$1, rt as runtimeStateMessageSchema, s as AGENT_VISIBILITY, st as sendMessageSchema, t as AGENT_BIND_REJECT_REASONS, tt as rebindAgentSchema, u as TASK_CREATOR_TYPES, ut as sessionEventMessageSchema, v as adminUpdateTaskSchema, vt as updateAgentSchema, w as clientRegisterSchema, wt as wsAuthFrameSchema, x as agentRuntimeConfigPayloadSchema$1, xt as updateMemberSchema, y as agentBindRequestSchema, yt as updateChatSchema, z as githubCallbackQuerySchema } from "./dist-BAqGZkco.mjs";
+import { $ as loginSchema, A as createAgentSchema, B as githubCallbackQuerySchema, C as agentTypeSchema$1, Ct as updateMemberSchema, D as contextTreeSnapshotSchema, E as connectTokenExchangeSchema, Et as wsAuthFrameSchema, F as createTaskSchema, G as inboxDeliverFrameSchema$1, H as githubStartQuerySchema, I as defaultRuntimeConfigPayload, J as isRedactedEnvValue, K as inboxPollQuerySchema, L as delegateFeishuUserSchema, M as createMeChatSchema, N as createMemberSchema, O as createAdapterConfigSchema, P as createOrgFromMeSchema, Q as listMeChatsQuerySchema, R as dryRunAgentRuntimeConfigSchema, S as agentRuntimeConfigPayloadSchema$1, St as updateClientCapabilitiesSchema, T as clientRegisterSchema, Tt as updateTaskStatusSchema, U as imageInlineContentSchema, V as githubDevCallbackQuerySchema, W as inboxAckFrameSchema, X as joinByInvitationSchema, Y as isReservedAgentName$1, Z as linkTaskChatSchema, _ as addParticipantSchema, _t as taskListQuerySchema, a as AGENT_STATUSES, at as runtimeStateMessageSchema, b as agentBindRequestSchema, bt as updateAgentSchema, ct as selfServiceFeishuBotSchema, d as TASK_CREATOR_TYPES, dt as sessionCompletionMessageSchema, et as messageSourceSchema$1, f as TASK_HEALTH_SIGNALS, ft as sessionEventMessageSchema, g as addMeChatParticipantsSchema, gt as stripCode, h as WS_AUTH_FRAME_TIMEOUT_MS, ht as sessionStateMessageSchema, i as AGENT_SOURCES, it as refreshTokenSchema, j as createChatSchema, k as createAdapterMappingSchema, l as MENTION_REGEX, lt as sendMessageSchema, m as TASK_TERMINAL_STATUSES, mt as sessionReconcileRequestSchema, n as AGENT_NAME_REGEX$1, nt as paginationQuerySchema, o as AGENT_TYPES, ot as safeRedirectPath, p as TASK_STATUSES, pt as sessionEventSchema$1, q as isOrgSettingNamespace, r as AGENT_SELECTOR_HEADER$1, rt as rebindAgentSchema, s as AGENT_VISIBILITY, st as scanMentionTokens, t as AGENT_BIND_REJECT_REASONS, tt as notificationQuerySchema, u as ORG_SETTINGS_NAMESPACES$1, ut as sendToAgentSchema, v as adminCreateTaskSchema, vt as updateAdapterConfigSchema, wt as updateOrganizationSchema, x as agentPinnedMessageSchema$1, xt as updateChatSchema, y as adminUpdateTaskSchema, yt as updateAgentRuntimeConfigSchema, z as extractMentions } from "./dist-ClFs4WMj.mjs";
 import { a as ConflictError, c as UnauthorizedError, i as ClientUserMismatchError$1, l as organizations, n as BadRequestError, o as ForbiddenError, r as ClientOrgMismatchError$1, s as NotFoundError, t as AppError, u as users } from "./errors-BmyRwN0Y-Dad3eV8F.mjs";
-import { C as retireClient, D as touchAgent, E as setRuntimeState, O as unbindAgent, S as registerClient, T as setOffline, _ as listClients, a as claimClient, b as markStaleAgents, c as clients, d as getClient, f as getOnlineCount, g as listActiveAgentsPinnedToClient, h as heartbeatInstance, i as bindAgent, k as updateClientCapabilities, l as deriveAuthState, m as heartbeatClient, n as agents, o as cleanupStaleClients, p as getPresence, r as assertClientOwner, s as cleanupStalePresence, t as agentPresence, u as disconnectClient, v as listClientsForOrgAdmin, w as serverInstances, x as members } from "./client-CLdRbuml-BRtalKpQ.mjs";
+import { C as retireClient, D as touchAgent, E as setRuntimeState, O as unbindAgent, S as registerClient, T as setOffline, _ as listClients, a as claimClient, b as markStaleAgents, c as clients, d as getClient, f as getOnlineCount, g as listActiveAgentsPinnedToClient, h as heartbeatInstance, i as bindAgent, k as updateClientCapabilities, l as deriveAuthState, m as heartbeatClient, n as agents, o as cleanupStaleClients, p as getPresence, r as assertClientOwner, s as cleanupStalePresence, t as agentPresence, u as disconnectClient, v as listClientsForOrgAdmin, w as serverInstances, x as members } from "./client-CLdRbuml-svTO0Eat.mjs";
 import { n as init_esm, r as trace, t as esm_exports } from "./esm-Ci8E1Gtj.mjs";
 import { a as invitationRedemptions, c as recordRedemption, i as getActiveInvitation, l as rotateInvitation, n as ensureActiveInvitation, o as invitations, r as findActiveByToken, t as buildInviteUrl, u as uuidv7 } from "./invitation-Dnn5gGGX-DXryyvRG.mjs";
 import { createRequire } from "node:module";
@@ -1292,6 +1292,57 @@ z.object({
 	displayName: z.string().optional(),
 	next: z.string().max(256).optional()
 });
+/**
+* Per-organization settings — schemas, namespaces, and the registry that
+* dispatches `(orgId, namespace)` lookups to the right validator.
+*
+* Each namespace has three schemas:
+*   - `storage` — what is persisted in `organization_settings.value`. For
+*     namespaces with secrets, the storage schema names the *cipher* field
+*     (e.g. `webhookSecretCipher`); plaintext never touches the row.
+*   - `input`   — what the admin API accepts in PUT bodies. For namespaces
+*     with secrets, `webhookSecret` is plaintext; the service layer
+*     encrypts it before merging into storage.
+*   - `output`  — what GET returns. Secrets are replaced by a boolean
+*     `…Configured` flag — plaintext is never echoed.
+*
+* Adding a new per-org config group:
+*   1. Define three schemas (storage / input / output).
+*   2. Add a key to `ORG_SETTINGS_NAMESPACES`.
+*   3. Done. No DB migration, no new API route.
+*/
+const orgContextTreeStorageSchema = z.object({
+	repo: z.string().url().optional(),
+	branch: z.string().default("main")
+});
+const orgContextTreeInputSchema = z.object({
+	repo: z.string().url().min(1).nullish(),
+	branch: z.string().min(1).nullish()
+});
+const orgContextTreeOutputSchema = z.object({
+	repo: z.string().optional(),
+	branch: z.string().optional()
+});
+const orgGithubIntegrationStorageSchema = z.object({ webhookSecretCipher: z.string().optional() });
+const orgGithubIntegrationInputSchema = z.object({ webhookSecret: z.string().min(1).nullish() });
+const orgGithubIntegrationOutputSchema = z.object({
+	webhookSecretConfigured: z.boolean(),
+	webhookUrl: z.string()
+});
+const ORG_SETTINGS_NAMESPACES = {
+	context_tree: {
+		storage: orgContextTreeStorageSchema,
+		input: orgContextTreeInputSchema,
+		output: orgContextTreeOutputSchema
+	},
+	github_integration: {
+		storage: orgGithubIntegrationStorageSchema,
+		input: orgGithubIntegrationInputSchema,
+		output: orgGithubIntegrationOutputSchema
+	}
+};
+const ORG_SETTINGS_NAMESPACE_KEYS = Object.keys(ORG_SETTINGS_NAMESPACES);
+z.enum(ORG_SETTINGS_NAMESPACE_KEYS);
 const UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 z.object({
 	name: z.string().min(2).max(50).regex(/^[a-z0-9][a-z0-9-]*$/, "Must start with a letter or digit and contain only lowercase alphanumeric and hyphens").refine((v) => !UUID_PATTERN.test(v), "Name must not be a UUID format"),
@@ -1684,21 +1735,6 @@ defineConfig({
 		refreshTokenExpiry: field(z.string().default("30d"), { env: "FIRST_TREE_HUB_AUTH_REFRESH_TOKEN_EXPIRY" }),
 		connectTokenExpiry: field(z.string().default("10m"), { env: "FIRST_TREE_HUB_AUTH_CONNECT_TOKEN_EXPIRY" })
 	},
-	contextTree: optional({
-		repo: field(z.string().optional(), {
-			env: "FIRST_TREE_HUB_CONTEXT_TREE_REPO",
-			prompt: { message: "Context Tree repo URL (e.g. https://github.com/org/first-tree):" }
-		}),
-		localPath: field(z.string().optional(), { env: "FIRST_TREE_HUB_CONTEXT_TREE_PATH" }),
-		branch: field(z.string().default("main"))
-	}),
-	github: {
-		webhookSecret: field(z.string().optional(), {
-			env: "FIRST_TREE_HUB_GITHUB_WEBHOOK_SECRET",
-			secret: true
-		}),
-		allowedOrg: field(z.string().optional(), { env: "FIRST_TREE_HUB_GITHUB_ALLOWED_ORG" })
-	},
 	oauth: optional({ github: optional({
 		clientId: field(z.string(), { env: "FIRST_TREE_HUB_GITHUB_OAUTH_CLIENT_ID" }),
 		clientSecret: field(z.string(), {
@@ -7820,6 +7856,12 @@ function printResults(results) {
 }
 //#endregion
 //#region src/core/migrate.ts
+function sslOptions$1(url) {
+	try {
+		if (new URL(url).hostname.endsWith(".rds.amazonaws.com")) return { ssl: { rejectUnauthorized: false } };
+	} catch {}
+	return {};
+}
 /**
 * Resolve the drizzle migrations directory.
 * 1. npm install: embedded at dist/drizzle/ (relative to the built CLI)
@@ -7853,14 +7895,21 @@ function validateJournalOrder(migrationsFolder) {
 async function runMigrations(databaseUrl) {
 	const migrationsFolder = resolveMigrationsFolder();
 	validateJournalOrder(migrationsFolder);
-	const client = postgres(databaseUrl, { max: 1 });
+	const ssl = sslOptions$1(databaseUrl);
+	const client = postgres(databaseUrl, {
+		max: 1,
+		...ssl
+	});
 	const db = drizzle(client);
 	try {
 		await migrate(db, { migrationsFolder });
 	} finally {
 		await client.end();
 	}
-	const countClient = postgres(databaseUrl, { max: 1 });
+	const countClient = postgres(databaseUrl, {
+		max: 1,
+		...ssl
+	});
 	try {
 		return (await countClient`
       SELECT count(*)::int AS count
@@ -8254,7 +8303,7 @@ async function onboardCreate(args) {
 	}
 	const runtimeAgent = args.type === "human" ? args.assistant : args.id;
 	if (args.feishuBotAppId && args.feishuBotAppSecret) {
-		const { bindFeishuBot } = await import("./feishu-Th_-ivJ7.mjs").then((n) => n.r);
+		const { bindFeishuBot } = await import("./feishu-AI3pwmqN.mjs").then((n) => n.r);
 		const targetAgentUuid = args.type === "human" ? assistantUuid : primary.uuid;
 		if (!targetAgentUuid) print.line(`Warning: Cannot bind Feishu bot — no runtime agent available for "${args.id}".\n`);
 		else {
@@ -9467,7 +9516,7 @@ function createFeedbackHandler(config) {
 	return { handle };
 }
 //#endregion
-//#region ../server/dist/app-EvpSNDM6.mjs
+//#region ../server/dist/app-B8Ncyl76.mjs
 var import_fastify_opentelemetry = /* @__PURE__ */ __toESM(require_fastify_opentelemetry(), 1);
 init_esm();
 var __defProp = Object.defineProperty;
@@ -15218,10 +15267,18 @@ async function authRoutes(app) {
 		return reply.send(result);
 	});
 }
-async function bootstrapConfigRoutes(app) {
-	/** Public endpoint — returns bootstrap prerequisites for CLI auto-discovery. */
-	app.get("/config", async () => {
-		return { allowedOrg: app.config.github.allowedOrg ?? null };
+async function bootstrapConfigRoutes(_app) {
+	/**
+	* Public endpoint — returns bootstrap prerequisites for CLI auto-discovery.
+	*
+	* `allowedOrg` used to surface here from the global `github.allowedOrg`
+	* config; it is now a per-org setting (see issue #255). A public bootstrap
+	* endpoint can't resolve an org without a caller, so the field is
+	* surfaced as `null` and consumers should fetch the per-org value via
+	* `/api/v1/orgs/:orgId/settings/github_integration` after auth.
+	*/
+	_app.get("/config", async () => {
+		return { allowedOrg: null };
 	});
 }
 /** Extract a plain-text summary from a message's JSONB content field.
@@ -15990,12 +16047,212 @@ async function clientRoutes(app) {
 		});
 	});
 }
+/**
+* Per-organization settings, keyed by `(organization_id, namespace)`.
+*
+* One row holds an entire group of related config as a JSONB blob — schema
+* for each namespace lives in `@agent-team-foundation/first-tree-hub-shared`
+* (`ORG_SETTINGS_NAMESPACES`) and is enforced by the service layer on every
+* read/write. Adding a new config group means registering a new namespace +
+* Zod schema in shared; the DB does not change.
+*
+* `version` is reserved for future optimistic locking (PUT with If-Match)
+* and is currently set unconditionally. We keep it on the table from day
+* one so tightening to compare-and-swap later is a code-only change.
+*
+* Sensitive fields inside `value` (e.g. `github_integration.webhookSecret`)
+* are AES-256-GCM-encrypted at the service layer using `crypto.ts`'s
+* `encryptValue` / `decryptValue` — same pattern as `adapter_configs`.
+*/
+const organizationSettings = pgTable("organization_settings", {
+	organizationId: text("organization_id").notNull().references(() => organizations.id, { onDelete: "cascade" }),
+	namespace: text("namespace").notNull(),
+	value: jsonb("value").$type().notNull().default({}),
+	version: integer("version").notNull().default(0),
+	updatedBy: text("updated_by").references(() => users.id, { onDelete: "set null" }),
+	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow()
+}, (table) => [primaryKey({ columns: [table.organizationId, table.namespace] }), index("idx_org_settings_namespace").on(table.namespace)]);
+/**
+* Per-organization settings, keyed by `(organizationId, namespace)`. The
+* registry of valid namespaces and their storage / input / output schemas
+* lives in `@agent-team-foundation/first-tree-hub-shared`.
+*
+* Read path:  storage row → decrypt secrets → output (mask)
+* Write path: input → validate → encrypt secrets → merge with current storage → upsert (in tx)
+*
+* The generic getter returns the masked output. Callers needing plaintext
+* for a specific secret use a purpose-built helper (e.g.
+* `getDecryptedGithubWebhookSecret`) rather than the generic storage shape
+* — this avoids a `…Cipher` field name silently holding plaintext at
+* call-sites and limits secret exposure to one explicit code path per
+* secret. (#4)
+*/
+function assertNamespace(ns) {
+	if (!isOrgSettingNamespace(ns)) throw new BadRequestError(`Unknown organization-settings namespace: "${ns}"`);
+}
+async function fetchStorageRow(db, orgId, namespace) {
+	const [row] = await db.select({ value: organizationSettings.value }).from(organizationSettings).where(and(eq(organizationSettings.organizationId, orgId), eq(organizationSettings.namespace, namespace))).limit(1);
+	if (!row) return null;
+	return ORG_SETTINGS_NAMESPACES$1[namespace].storage.parse(row.value);
+}
+function emptyStorage(namespace) {
+	return ORG_SETTINGS_NAMESPACES$1[namespace].storage.parse({});
+}
+function ensureEncrypted(value, encryptionKey) {
+	return isEncryptedValue(value) ? value : encryptValue(value, encryptionKey);
+}
+/**
+* Merge a validated input into the current storage row for a namespace.
+* Secret fields are encrypted here.
+*
+* Input semantics per nullish field:
+*   `undefined` → unchanged
+*   `null`      → cleared
+*   value       → set / replace (already validated as non-empty by the input schema)
+*/
+function applyInputDelta(namespace, current, input, encryptionKey) {
+	if (namespace === "context_tree") {
+		const cur = current;
+		const inp = input;
+		return {
+			repo: inp.repo === void 0 ? cur.repo : inp.repo ?? void 0,
+			branch: inp.branch === void 0 ? cur.branch : inp.branch ?? "main"
+		};
+	}
+	if (namespace === "github_integration") {
+		const cur = current;
+		const inp = input;
+		return { webhookSecretCipher: inp.webhookSecret === void 0 ? cur.webhookSecretCipher : inp.webhookSecret === null ? void 0 : ensureEncrypted(inp.webhookSecret, encryptionKey) };
+	}
+	return namespace;
+}
+/**
+* Project the storage row into the API output for a namespace, masking
+* any secret fields. `webhookUrl` for `github_integration` is left as an
+* empty string here — the route layer enriches it with the resolved
+* `server.publicUrl` (the service stays config-agnostic).
+*/
+function toOutput(namespace, storage) {
+	if (namespace === "context_tree") {
+		const s = storage;
+		return {
+			repo: s.repo,
+			branch: s.branch
+		};
+	}
+	if (namespace === "github_integration") {
+		const s = storage;
+		return {
+			webhookSecretConfigured: typeof s.webhookSecretCipher === "string" && s.webhookSecretCipher.length > 0,
+			webhookUrl: ""
+		};
+	}
+	return namespace;
+}
+/**
+* Read a setting masked for the API. Missing rows → namespace defaults
+* (parse `{}` against the storage schema).
+*/
+async function getOrgSetting(db, orgId, namespace) {
+	assertNamespace(namespace);
+	return toOutput(namespace, await fetchStorageRow(db, orgId, namespace) ?? emptyStorage(namespace));
+}
+/**
+* Read the per-org Context Tree binding for server-internal consumers
+* (`/context-tree/info`, snapshot service). No secrets in this namespace,
+* so the storage shape is safe to expose directly. Missing row → defaults.
+*/
+async function getOrgContextTree(db, orgId) {
+	return await fetchStorageRow(db, orgId, "context_tree") ?? emptyStorage("context_tree");
+}
+/**
+* Decrypt and return the plaintext GitHub webhook secret for an org.
+* Returns `null` when the org has not configured one. The only intended
+* caller is the webhook route's signature verifier — the result must
+* never leak through HTTP responses or logs. (#4)
+*/
+async function getDecryptedGithubWebhookSecret(db, orgId, encryptionKey) {
+	const cipher = (await fetchStorageRow(db, orgId, "github_integration"))?.webhookSecretCipher;
+	if (!cipher) return null;
+	return isEncryptedValue(cipher) ? decryptValue(cipher, encryptionKey) : cipher;
+}
+/**
+* Upsert a setting. Returns the masked output of the resulting row.
+*
+* The fetch + merge + upsert sequence runs inside a single transaction so
+* two concurrent admin writes can't both base their delta on the same
+* pre-image and silently lose each other's fields. Optimistic locking
+* (the `version` column) remains reserved for a future If-Match flip.
+* (#6)
+*/
+async function putOrgSetting(db, orgId, namespace, rawInput, options) {
+	assertNamespace(namespace);
+	const input = ORG_SETTINGS_NAMESPACES$1[namespace].input.parse(rawInput);
+	return db.transaction(async (tx) => {
+		const txDb = tx;
+		const [org] = await txDb.select({ id: organizations.id }).from(organizations).where(eq(organizations.id, orgId)).limit(1);
+		if (!org) throw new NotFoundError(`Organization "${orgId}" not found`);
+		const merged = applyInputDelta(namespace, await fetchStorageRow(txDb, orgId, namespace) ?? emptyStorage(namespace), input, options.encryptionKey);
+		const validated = ORG_SETTINGS_NAMESPACES$1[namespace].storage.parse(merged);
+		await tx.insert(organizationSettings).values({
+			organizationId: orgId,
+			namespace,
+			value: validated,
+			version: 1,
+			updatedBy: options.updatedBy,
+			updatedAt: /* @__PURE__ */ new Date()
+		}).onConflictDoUpdate({
+			target: [organizationSettings.organizationId, organizationSettings.namespace],
+			set: {
+				value: validated,
+				version: sql`${organizationSettings.version} + 1`,
+				updatedBy: options.updatedBy,
+				updatedAt: /* @__PURE__ */ new Date()
+			}
+		});
+		return toOutput(namespace, validated);
+	});
+}
+/**
+* Delete a namespace row; subsequent GETs return defaults.
+*/
+async function deleteOrgSetting(db, orgId, namespace) {
+	assertNamespace(namespace);
+	await db.delete(organizationSettings).where(and(eq(organizationSettings.organizationId, orgId), eq(organizationSettings.namespace, namespace)));
+}
+/**
+* Resolve the caller's "primary org" — the earliest-joined active
+* membership for the given user. Used by user-scoped routes that
+* historically didn't take an `:orgId` (e.g. `/context-tree/info`) so
+* the SDK call shape doesn't have to change while the per-tenant lookup
+* still happens correctly.
+*
+* Returns `null` for users with no active membership. Tightening to
+* "explicit org selector" is a future change-once-multi-org-clients-arrive
+* concern. (#7)
+*/
+async function resolveUserPrimaryOrgId(db, userId) {
+	const [row] = await db.select({ organizationId: members.organizationId }).from(members).where(and(eq(members.userId, userId), eq(members.status, "active"))).orderBy(asc(members.createdAt)).limit(1);
+	return row?.organizationId ?? null;
+}
 async function contextTreeInfoRoutes(app) {
-	/** Public endpoint — returns Context Tree repo metadata for CLI auto-discovery. */
-	app.get("/info", async () => {
+	/**
+	* Class A — `/api/v1/context-tree/info`. Returns the caller's
+	* organization-scoped Context Tree binding for CLI auto-discovery.
+	* Responds with `{ repo: null, branch: null }` when the user is not in
+	* any org or the org hasn't configured a tree yet.
+	*/
+	app.get("/info", async (request) => {
+		const { userId } = requireUser(request);
+		const orgId = await resolveUserPrimaryOrgId(app.db, userId);
+		if (!orgId) return {
+			repo: null,
+			branch: null
+		};
+		const tree = await getOrgContextTree(app.db, orgId);
 		return {
-			repo: app.config.contextTree?.repo ?? null,
-			branch: app.config.contextTree?.branch ?? null
+			repo: tree.repo ?? null,
+			branch: tree.branch ?? null
 		};
 	});
 }
@@ -16021,10 +16278,10 @@ const WINDOW_DAYS = {
 	"30d": 30
 };
 const snapshotCache = /* @__PURE__ */ new Map();
-async function getContextTreeSnapshot(config, window = CONTEXT_TREE_SNAPSHOT_WINDOWS.SEVEN_DAYS) {
-	const repo = config.contextTree?.repo ?? null;
-	const branch = config.contextTree?.branch ?? null;
-	const resolved = resolveContextTreeRoot(repo, config.contextTree?.localPath);
+async function getContextTreeSnapshot(binding, window = CONTEXT_TREE_SNAPSHOT_WINDOWS.SEVEN_DAYS) {
+	const repo = binding.repo ?? null;
+	const branch = binding.branch ?? null;
+	const resolved = resolveContextTreeRoot(repo, binding.localPath);
 	if (!resolved.root) return unavailableSnapshot(repo, branch, resolved.reason);
 	const now = (/* @__PURE__ */ new Date()).toISOString();
 	try {
@@ -16696,7 +16953,9 @@ async function contextTreeSnapshotRoutes(app) {
 		keyGenerator: (request) => request.user?.userId ?? request.ip
 	} } }, async (request) => {
 		const query = querySchema.parse(request.query);
-		const snapshot = await getContextTreeSnapshot(app.config, query.window ?? "7d");
+		const { userId } = requireUser(request);
+		const orgId = await resolveUserPrimaryOrgId(app.db, userId);
+		const snapshot = await getContextTreeSnapshot(orgId ? await getOrgContextTree(app.db, orgId) : {}, query.window ?? "7d");
 		return contextTreeSnapshotSchema.parse(snapshot);
 	});
 }
@@ -16801,7 +17060,7 @@ async function healthzRoutes(app) {
 * `api/orgs/invitations.ts` (Class B, admin-gated).
 */
 async function publicInvitationRoutes(app) {
-	const { previewInvitation } = await import("./invitation-DWlyNb8x-D3zjZSwI.mjs");
+	const { previewInvitation } = await import("./invitation-DWlyNb8x-BvXubk24.mjs");
 	app.get("/:token/preview", async (request, reply) => {
 		if (!request.params.token) throw new UnauthorizedError("Token required");
 		const preview = await previewInvitation(app.db, request.params.token);
@@ -16898,7 +17157,7 @@ async function meRoutes(app) {
 	*/
 	app.get("/me/pinned-agents", async (request) => {
 		const { userId } = requireUser(request);
-		const { listMyPinnedAgents } = await import("./client-By1K4VVT-C5K7WZo6.mjs");
+		const { listMyPinnedAgents } = await import("./client-By1K4VVT-DuI6EnSh.mjs");
 		return listMyPinnedAgents(app.db, { userId });
 	});
 	/**
@@ -17621,6 +17880,64 @@ async function orgSessionRoutes(app) {
 		});
 	});
 }
+/**
+* Class B — `/api/v1/orgs/:orgId/settings/:namespace`.
+*
+* Generic per-org settings surface. The `:namespace` URL parameter is
+* dispatched against `ORG_SETTINGS_NAMESPACES` (in the shared package);
+* adding a new config group only requires registering it there — no new
+* route file.
+*
+* All three verbs are admin-only. Even GET, because the masked output
+* still leaks "configured / not-configured" booleans for secret fields,
+* which we don't want to expose to non-admin members.
+*/
+async function orgSettingsRoutes(app) {
+	app.get("/:namespace", async (request) => {
+		const scope = await requireOrgAdmin(request, app.db);
+		const namespace = parseNamespace(request.params.namespace);
+		return enrichOutput(namespace, await getOrgSetting(app.db, scope.organizationId, namespace), scope.organizationId, app.config.server.publicUrl);
+	});
+	app.put("/:namespace", { config: { otelRecordBody: true } }, async (request) => {
+		const scope = await requireOrgAdmin(request, app.db);
+		const namespace = parseNamespace(request.params.namespace);
+		return enrichOutput(namespace, await putOrgSetting(app.db, scope.organizationId, namespace, request.body, {
+			updatedBy: scope.userId,
+			encryptionKey: app.config.secrets.encryptionKey
+		}), scope.organizationId, app.config.server.publicUrl);
+	});
+	app.delete("/:namespace", async (request, reply) => {
+		const scope = await requireOrgAdmin(request, app.db);
+		const namespace = parseNamespace(request.params.namespace);
+		await deleteOrgSetting(app.db, scope.organizationId, namespace);
+		reply.status(204).send();
+	});
+}
+function parseNamespace(raw) {
+	if (!isOrgSettingNamespace(raw)) throw new BadRequestError(`Unknown organization-settings namespace: "${raw}"`);
+	return raw;
+}
+/**
+* Resolve namespace-specific server-config-derived fields. The service
+* layer stays config-agnostic — namespace knowledge that needs `app.config`
+* lives here. Currently only `github_integration.webhookUrl` qualifies.
+*
+* If `server.publicUrl` is unset on the Hub, `webhookUrl` is left as `""`
+* so the UI can render a "contact your site administrator" notice rather
+* than fall back to `window.location.origin` (which is wrong behind a
+* reverse proxy). (#12)
+*/
+function enrichOutput(namespace, out, orgId, publicUrl) {
+	if (namespace === "github_integration") {
+		const o = out;
+		const webhookUrl = publicUrl ? `${publicUrl.replace(/\/+$/, "")}/api/v1/webhooks/github/${orgId}` : "";
+		return {
+			...o,
+			webhookUrl
+		};
+	}
+	return out;
+}
 function dispatch$1(notifier, result) {
 	if (!result) return;
 	notifyRecipients(notifier, result.recipients, result.message.id);
@@ -17920,16 +18237,15 @@ function verifySignature(secret, rawBody, signatureHeader) {
 	const receivedBuf = Buffer.from(signatureHeader, "utf8");
 	if (expectedBuf.length !== receivedBuf.length || !timingSafeEqual(expectedBuf, receivedBuf)) throw new UnauthorizedError("Invalid webhook signature");
 }
-async function ensureGitHubAdapterAgent(db) {
-	const defaultOrgId = await resolveDefaultOrgId(db);
-	const [existing] = await db.select({ uuid: agents.uuid }).from(agents).where(and(eq(agents.organizationId, defaultOrgId), eq(agents.name, GITHUB_ADAPTER_ID))).limit(1);
+async function ensureGitHubAdapterAgent(db, organizationId) {
+	const [existing] = await db.select({ uuid: agents.uuid }).from(agents).where(and(eq(agents.organizationId, organizationId), eq(agents.name, GITHUB_ADAPTER_ID))).limit(1);
 	if (existing) return existing.uuid;
 	try {
 		return (await createAgent(db, {
 			name: GITHUB_ADAPTER_ID,
 			type: "autonomous_agent",
 			displayName: "GitHub Adapter",
-			organizationId: defaultOrgId,
+			organizationId,
 			metadata: {
 				source: "github",
 				managed: true
@@ -17937,19 +18253,19 @@ async function ensureGitHubAdapterAgent(db) {
 		})).uuid;
 	} catch (err) {
 		if (err instanceof ConflictError) {
-			const [created] = await db.select({ uuid: agents.uuid }).from(agents).where(and(eq(agents.organizationId, defaultOrgId), eq(agents.name, GITHUB_ADAPTER_ID))).limit(1);
+			const [created] = await db.select({ uuid: agents.uuid }).from(agents).where(and(eq(agents.organizationId, organizationId), eq(agents.name, GITHUB_ADAPTER_ID))).limit(1);
 			if (created) return created.uuid;
 		}
 		throw err;
 	}
 }
-async function findTargetAgent(db, repoFullName) {
+async function findTargetAgent(db, organizationId, repoFullName) {
 	const allAgents = await db.select({
 		id: agents.uuid,
 		name: agents.name,
 		metadata: agents.metadata,
 		type: agents.type
-	}).from(agents).where(eq(agents.status, "active"));
+	}).from(agents).where(and(eq(agents.organizationId, organizationId), eq(agents.status, "active")));
 	for (const agent of allAgents) {
 		if (agent.name === GITHUB_ADAPTER_ID) continue;
 		const meta = agent.metadata;
@@ -17983,14 +18299,14 @@ function extractMentions$1(text) {
 * For each mentioned user who has delegate_mention configured,
 * send a card message from the mentioned user to their delegate.
 */
-async function routeMentionDelegations(app, mentionedNames, ctx) {
+async function routeMentionDelegations(app, organizationId, mentionedNames, ctx) {
 	if (mentionedNames.length === 0) return 0;
 	const delegates = await app.db.select({
 		id: agents.uuid,
 		name: agents.name,
 		delegateMention: agents.delegateMention,
 		status: agents.status
-	}).from(agents).where(and(inArray(agents.name, mentionedNames), isNotNull(agents.delegateMention)));
+	}).from(agents).where(and(eq(agents.organizationId, organizationId), inArray(agents.name, mentionedNames), isNotNull(agents.delegateMention)));
 	let routed = 0;
 	for (const agent of delegates) {
 		if (agent.status !== "active" || !agent.delegateMention) continue;
@@ -18078,13 +18394,14 @@ async function githubWebhookRoutes(app) {
 	app.addContentTypeParser("application/json", { parseAs: "buffer" }, (_request, body, done) => {
 		done(null, body);
 	});
-	const webhookSecret = app.config.github.webhookSecret;
 	const webhookMax = app.config.rateLimit?.webhookMax ?? 60;
-	app.post("/github", { config: { rateLimit: {
+	app.post("/github/:orgId", { config: { rateLimit: {
 		max: webhookMax,
 		timeWindow: "1 minute"
 	} } }, async (request, reply) => {
-		if (!webhookSecret) return reply.status(501).send({ error: "GitHub webhook is not configured. Set FIRST_TREE_HUB_GITHUB_WEBHOOK_SECRET to enable." });
+		const { orgId } = request.params;
+		const webhookSecret = await getDecryptedGithubWebhookSecret(app.db, orgId, app.config.secrets.encryptionKey);
+		if (!webhookSecret) return reply.status(501).send({ error: "GitHub webhook is not configured for this organization. An admin must set the webhook secret in Team settings." });
 		const rawBody = request.body;
 		if (!Buffer.isBuffer(rawBody)) throw new BadRequestError("Expected raw body buffer");
 		const signatureHeader = request.headers["x-hub-signature-256"];
@@ -18102,12 +18419,12 @@ async function githubWebhookRoutes(app) {
 			ok: true,
 			event: "ping"
 		});
-		if (eventType === "issues") return handleIssuesEvent(app, eventType, payload, reply);
-		if (eventType === "issue_comment") return handleIssueCommentEvent(app, eventType, payload, reply);
+		if (eventType === "issues") return handleIssuesEvent(app, orgId, eventType, payload, reply);
+		if (eventType === "issue_comment") return handleIssueCommentEvent(app, orgId, eventType, payload, reply);
 		let mentionsRouted = 0;
 		const allowedActions = MENTION_ACTIONS[eventType];
 		const action = isRecord(payload) && typeof payload.action === "string" ? payload.action : void 0;
-		if (allowedActions && action && allowedActions.includes(action)) mentionsRouted = await handleMentionDelegation(app, eventType, payload);
+		if (allowedActions && action && allowedActions.includes(action)) mentionsRouted = await handleMentionDelegation(app, orgId, eventType, payload);
 		return reply.status(200).send({
 			ok: true,
 			event: eventType,
@@ -18261,10 +18578,10 @@ function extractEventContext(eventType, payload) {
 * Run mention delegation for a given event type and payload.
 * Only called after action gating confirms this is a "new content" event.
 */
-async function handleMentionDelegation(app, eventType, payload) {
+async function handleMentionDelegation(app, organizationId, eventType, payload) {
 	const mentions = extractMentions$1(extractEventText(eventType, payload));
 	const mentionCtx = extractEventContext(eventType, payload);
-	if (mentions.length > 0 && mentionCtx) return routeMentionDelegations(app, mentions, mentionCtx);
+	if (mentions.length > 0 && mentionCtx) return routeMentionDelegations(app, organizationId, mentions, mentionCtx);
 	return 0;
 }
 /** Actions that represent new/changed content (worth scanning for @mentions). */
@@ -18278,9 +18595,9 @@ const MENTION_ACTIONS = {
 	discussion_comment: ["created"],
 	commit_comment: ["created"]
 };
-async function handleIssuesEvent(app, eventType, payload, reply) {
+async function handleIssuesEvent(app, organizationId, eventType, payload, reply) {
 	const data = parseIssuesPayload(payload);
-	if (MENTION_ACTIONS.issues?.includes(data.action)) await handleMentionDelegation(app, eventType, payload);
+	if (MENTION_ACTIONS.issues?.includes(data.action)) await handleMentionDelegation(app, organizationId, eventType, payload);
 	if (![
 		"opened",
 		"edited",
@@ -18291,7 +18608,7 @@ async function handleIssuesEvent(app, eventType, payload, reply) {
 		action: data.action,
 		handled: false
 	});
-	const [senderId, targetAgentId] = await Promise.all([ensureGitHubAdapterAgent(app.db), findTargetAgent(app.db, data.repository.full_name)]);
+	const [senderId, targetAgentId] = await Promise.all([ensureGitHubAdapterAgent(app.db, organizationId), findTargetAgent(app.db, organizationId, data.repository.full_name)]);
 	if (!targetAgentId) {
 		log$1.warn({
 			repo: data.repository.full_name,
@@ -18337,16 +18654,16 @@ async function handleIssuesEvent(app, eventType, payload, reply) {
 		routed: true
 	});
 }
-async function handleIssueCommentEvent(app, eventType, payload, reply) {
+async function handleIssueCommentEvent(app, organizationId, eventType, payload, reply) {
 	const data = parseIssueCommentPayload(payload);
-	if (MENTION_ACTIONS.issue_comment?.includes(data.action)) await handleMentionDelegation(app, eventType, payload);
+	if (MENTION_ACTIONS.issue_comment?.includes(data.action)) await handleMentionDelegation(app, organizationId, eventType, payload);
 	if (data.action !== "created") return reply.status(200).send({
 		ok: true,
 		event: "issue_comment",
 		action: data.action,
 		handled: false
 	});
-	const [senderId, targetAgentId] = await Promise.all([ensureGitHubAdapterAgent(app.db), findTargetAgent(app.db, data.repository.full_name)]);
+	const [senderId, targetAgentId] = await Promise.all([ensureGitHubAdapterAgent(app.db, organizationId), findTargetAgent(app.db, organizationId, data.repository.full_name)]);
 	if (!targetAgentId) {
 		log$1.warn({
 			repo: data.repository.full_name,
@@ -18416,6 +18733,7 @@ var schema_exports = /* @__PURE__ */ __exportAll({
 	members: () => members,
 	messages: () => messages,
 	notifications: () => notifications,
+	organizationSettings: () => organizationSettings,
 	organizations: () => organizations,
 	serverInstances: () => serverInstances,
 	sessionEvents: () => sessionEvents,
@@ -18424,10 +18742,16 @@ var schema_exports = /* @__PURE__ */ __exportAll({
 	users: () => users
 });
 function connectDatabase(url) {
-	const client = postgres(url);
+	const client = postgres(url, sslOptions(url));
 	const db = drizzle(client, { schema: schema_exports });
 	return Object.assign(db, { end: () => client.end() });
 }
+function sslOptions(url) {
+	try {
+		if (new URL(url).hostname.endsWith(".rds.amazonaws.com")) return { ssl: { rejectUnauthorized: false } };
+	} catch {}
+	return {};
+}
 /**
 * Agent-scoped HTTP authentication hook. Must run **after** userAuthHook
 * so `request.user` is populated.
@@ -19802,7 +20126,10 @@ async function buildApp(config) {
 	const commandVersion = resolveCommandVersion(config.commandVersion);
 	app.decorate("commandVersion", commandVersion);
 	app.log.info({ commandVersion }, "Hub server advertising command version");
-	const listenClient = postgres(config.database.url, { max: 1 });
+	const listenClient = postgres(config.database.url, {
+		max: 1,
+		...sslOptions(config.database.url)
+	});
 	const notifier = createNotifier(listenClient);
 	await app.register(websocket, { options: { maxPayload: config.ws?.maxPayload ?? 65536 } });
 	const corsOrigin = config.cors?.origin;
@@ -19887,9 +20214,9 @@ async function buildApp(config) {
 		await api.register(authRoutes, { prefix: "/auth" });
 		await api.register(githubOauthRoutes, { prefix: "/auth/github" });
 		await api.register(publicInvitationRoutes, { prefix: "/invitations" });
-		await api.register(contextTreeInfoRoutes, { prefix: "/context-tree" });
 		await api.register(bootstrapConfigRoutes, { prefix: "/bootstrap" });
 		await api.register(userScope("contextTreeScope", async (scope) => {
+			await scope.register(contextTreeInfoRoutes);
 			await scope.register(contextTreeSnapshotRoutes);
 		}), { prefix: "/context-tree" });
 		await api.register(userScope("meRoutesScope", async (scope) => {
@@ -19910,6 +20237,7 @@ async function buildApp(config) {
 			await scope.register(orgClientRoutes, { prefix: "/clients" });
 			await scope.register(orgInvitationRoutes, { prefix: "/invitations" });
 			await scope.register(orgMemberRoutes, { prefix: "/members" });
+			await scope.register(orgSettingsRoutes, { prefix: "/settings" });
 		}), { prefix: "/orgs/:orgId" });
 		await api.register(orgWsRoutes(notifier, config.secrets.jwtSecret), { prefix: "/orgs/:orgId/ws" });
 		await api.register(userScope("resourcesScope", async (scope) => {