@agent-team-foundation/first-tree-hub 0.11.3 → 0.11.5

package/dist/{dist-BAqGZkco.mjs → dist-CfvCT4E0.mjs}

@@ -137,195 +137,6 @@ z.object({
 	connected: z.boolean(),
 	lastActiveAt: z.string().nullable()
 });
-const presenceStatusSchema = z.enum(["online", "offline"]);
-const runtimeStateSchema = z.enum([
-	"idle",
-	"working",
-	"blocked",
-	"error"
-]);
-z.enum([
-	"active",
-	"suspended",
-	"evicted"
-]);
-/** Wire-level states a client may report. `evicted` from a stale client is rejected. */
-const clientSessionStateSchema = z.enum(["active", "suspended"]);
-const sessionStateMessageSchema = z.object({
-	chatId: z.string().min(1),
-	state: clientSessionStateSchema
-});
-/** Client-reported runtime state override (client → server, per-agent). */
-const runtimeStateMessageSchema = z.object({ runtimeState: runtimeStateSchema });
-const agentBindRequestSchema = z.object({
-	agentId: z.string().min(1),
-	runtimeType: z.string().max(50),
-	runtimeVersion: z.string().max(50).optional()
-});
-const AGENT_BIND_REJECT_REASONS = {
-	WRONG_CLIENT: "wrong_client",
-	NOT_OWNED: "not_owned",
-	AGENT_SUSPENDED: "agent_suspended",
-	WRONG_ORG: "wrong_org",
-	UNKNOWN_AGENT: "unknown_agent",
-	RUNTIME_PROVIDER_MISMATCH: "runtime_provider_mismatch"
-};
-z.enum([
-	"wrong_client",
-	"not_owned",
-	"agent_suspended",
-	"wrong_org",
-	"unknown_agent",
-	"runtime_provider_mismatch"
-]);
-/** Header used on agent-scoped HTTP calls to select which managed agent the JWT acts as. */
-const AGENT_SELECTOR_HEADER = "x-agent-id";
-z.object({
-	agentId: z.string(),
-	status: presenceStatusSchema,
-	connectedAt: z.string().nullable(),
-	lastSeenAt: z.string(),
-	clientId: z.string().nullable().optional(),
-	runtimeType: z.string().nullable().optional(),
-	runtimeVersion: z.string().nullable().optional(),
-	runtimeState: runtimeStateSchema.nullable().optional(),
-	activeSessions: z.number().int().nullable().optional(),
-	totalSessions: z.number().int().nullable().optional(),
-	runtimeUpdatedAt: z.string().nullable().optional()
-});
-z.object({
-	total: z.number().int(),
-	running: z.number().int(),
-	byState: z.object({
-		idle: z.number().int(),
-		working: z.number().int(),
-		blocked: z.number().int(),
-		error: z.number().int()
-	}),
-	clients: z.number().int()
-});
-const runtimeProviderSchema = z.enum(["claude-code", "codex"]);
-const DEFAULT_RUNTIME_PROVIDER = "claude-code";
-const AGENT_TYPES = {
-	HUMAN: "human",
-	PERSONAL_ASSISTANT: "personal_assistant",
-	AUTONOMOUS_AGENT: "autonomous_agent"
-};
-const agentTypeSchema = z.enum([
-	"human",
-	"personal_assistant",
-	"autonomous_agent"
-]);
-const AGENT_VISIBILITY = {
-	PRIVATE: "private",
-	ORGANIZATION: "organization"
-};
-const agentVisibilitySchema = z.enum(["private", "organization"]);
-const AGENT_STATUSES = {
-	ACTIVE: "active",
-	SUSPENDED: "suspended",
-	DELETED: "deleted"
-};
-const AGENT_SOURCES = {
-	ADMIN_API: "admin-api",
-	PORTAL: "portal"
-};
-const agentSourceSchema = z.enum(["admin-api", "portal"]);
-z.enum(["active", "suspended"]);
-/**
-* Agent-name rules (see docs/agent-naming-design.md §3.1):
-*   - Lowercase ASCII slug, hyphens + underscores allowed.
-*   - Must start with alphanumeric: `-` / `_` as first char collide with
-*     CLI flag parsing and markdown list syntax.
-*   - 1–64 chars — aligned with `MENTION_REGEX` so any valid name can be
-*     @-mentioned in chat. Older rows created under the previous 1–100
-*     regex are grandfathered; the tight rule only gates new creates.
-*/
-const AGENT_NAME_REGEX = /^[a-z0-9][a-z0-9_-]{0,63}$/;
-const RESERVED_AGENT_NAMES_SET = new Set([
-	"admin",
-	"agent",
-	"first-tree",
-	"hub",
-	"me",
-	"null",
-	"system",
-	"undefined"
-]);
-function isReservedAgentName(name) {
-	return RESERVED_AGENT_NAMES_SET.has(name);
-}
-const createAgentSchema = z.object({
-	name: z.string().min(1).max(64).regex(AGENT_NAME_REGEX, "Must start with a letter or digit and contain only lowercase letters, digits, hyphens (-), and underscores (_). Max 64 chars.").refine((n) => !isReservedAgentName(n), { message: "That agent name is reserved — pick a different one." }).optional(),
-	type: agentTypeSchema,
-	displayName: z.string().min(1).max(200).optional(),
-	delegateMention: z.string().max(100).optional(),
-	organizationId: z.string().min(1).max(100).optional(),
-	source: agentSourceSchema.optional(),
-	visibility: agentVisibilitySchema.optional(),
-	metadata: z.record(z.string(), z.unknown()).optional(),
-	managerId: z.string().optional(),
-	clientId: z.string().min(1).max(100).optional(),
-	runtimeProvider: runtimeProviderSchema.optional()
-});
-const updateAgentSchema = z.object({
-	type: agentTypeSchema.optional(),
-	displayName: z.string().min(1).max(200).optional(),
-	delegateMention: z.string().max(100).nullable().optional(),
-	visibility: agentVisibilitySchema.optional(),
-	metadata: z.record(z.string(), z.unknown()).optional(),
-	managerId: z.string().nullable().optional(),
-	clientId: z.string().min(1).max(100).nullable().optional()
-});
-/**
-* Service-level rebind input. Admin / owner re-binds an agent to a new
-* client and/or a new runtime provider in one atomic operation.
-*
-* `force` bypasses the capability-match check (e.g. when the client is
-* offline and capabilities are stale).
-*/
-const rebindAgentSchema = z.object({
-	clientId: z.string().min(1).max(100),
-	runtimeProvider: runtimeProviderSchema,
-	force: z.boolean().optional()
-});
-z.object({
-	uuid: z.string(),
-	name: z.string().nullable(),
-	organizationId: z.string(),
-	type: agentTypeSchema,
-	displayName: z.string(),
-	delegateMention: z.string().nullable(),
-	inboxId: z.string(),
-	status: z.string(),
-	source: z.string().nullable().optional(),
-	visibility: agentVisibilitySchema,
-	metadata: z.record(z.string(), z.unknown()),
-	managerId: z.string().nullable(),
-	clientId: z.string().nullable(),
-	runtimeProvider: runtimeProviderSchema,
-	presenceStatus: presenceStatusSchema.optional(),
-	createdAt: z.string(),
-	updatedAt: z.string()
-});
-z.object({
-	repo: z.string().nullable(),
-	branch: z.string().nullable()
-});
-/**
-* Server → client WebSocket frame announcing that an agent has just been
-* pinned to the connected client (either created with `clientId` or bound via
-* PATCH NULL → ID). The client can auto-register a local config from this so
-* the operator doesn't have to run `first-tree-hub agent add` manually.
-*/
-const agentPinnedMessageSchema = z.object({
-	type: z.literal("agent:pinned"),
-	agentId: z.string(),
-	name: z.string().nullable(),
-	displayName: z.string(),
-	agentType: agentTypeSchema,
-	runtimeProvider: runtimeProviderSchema
-});
 /**
 * Agent runtime configuration.
 *
@@ -500,6 +311,26 @@ const agentRuntimeConfigSchema = z.object({
 	updatedBy: z.string()
 });
 /**
+* Write-side shape with no `.default()` per field.
+*
+* `agentRuntimeConfigPayloadShape` carries `.default()` on every field for the
+* read path (so legacy DB rows parse cleanly). On the PATCH side those defaults
+* are actively harmful: Zod 4's `.partial()` makes a field optional but keeps
+* the inner `ZodDefault`, so a body like `{ mcpServers: [...] }` parses to a
+* fully-populated patch where the omitted fields are filled with their
+* defaults — the service layer's `patch.x ?? current.x` then sees a truthy
+* default and *replaces* the user's saved value with empty. Mirroring the 5
+* fields here without defaults keeps "field absent" → `undefined` in the
+* parsed patch, which is what the merge logic expects.
+*/
+const agentRuntimeConfigPatchShape = z.object({
+	prompt: promptConfigSchema,
+	model: z.string(),
+	mcpServers: z.array(mcpServerSchema),
+	env: z.array(envEntrySchema),
+	gitRepos: z.array(gitRepoSchema)
+}).partial();
+/**
 * Patch payload for PATCH /api/v1/admin/agents/:uuid/config.
 *
 * - `expectedVersion` enforces optimistic locking; mismatch → 409.
@@ -507,9 +338,9 @@ const agentRuntimeConfigSchema = z.object({
 */
 const updateAgentRuntimeConfigSchema = z.object({
 	expectedVersion: z.number().int().positive(),
-	payload: agentRuntimeConfigPayloadShape.partial()
+	payload: agentRuntimeConfigPatchShape
 });
-const dryRunAgentRuntimeConfigSchema = z.object({ payload: agentRuntimeConfigPayloadShape.partial() });
+const dryRunAgentRuntimeConfigSchema = z.object({ payload: agentRuntimeConfigPatchShape });
 z.object({
 	current: agentRuntimeConfigSchema,
 	next: agentRuntimeConfigPayloadSchema,
@@ -538,6 +369,196 @@ function deriveRepoLocalPath(url) {
 	if (!trimmed) return "";
 	return ((trimmed.split(/[?#]/)[0] ?? "").split(/[/:]/).filter(Boolean).pop() ?? "").replace(/\.git$/i, "");
 }
+const presenceStatusSchema = z.enum(["online", "offline"]);
+const runtimeStateSchema = z.enum([
+	"idle",
+	"working",
+	"blocked",
+	"error"
+]);
+z.enum([
+	"active",
+	"suspended",
+	"evicted"
+]);
+/** Wire-level states a client may report. `evicted` from a stale client is rejected. */
+const clientSessionStateSchema = z.enum(["active", "suspended"]);
+const sessionStateMessageSchema = z.object({
+	chatId: z.string().min(1),
+	state: clientSessionStateSchema
+});
+/** Client-reported runtime state override (client → server, per-agent). */
+const runtimeStateMessageSchema = z.object({ runtimeState: runtimeStateSchema });
+const agentBindRequestSchema = z.object({
+	agentId: z.string().min(1),
+	runtimeType: z.string().max(50),
+	runtimeVersion: z.string().max(50).optional()
+});
+const AGENT_BIND_REJECT_REASONS = {
+	WRONG_CLIENT: "wrong_client",
+	NOT_OWNED: "not_owned",
+	AGENT_SUSPENDED: "agent_suspended",
+	WRONG_ORG: "wrong_org",
+	UNKNOWN_AGENT: "unknown_agent",
+	RUNTIME_PROVIDER_MISMATCH: "runtime_provider_mismatch"
+};
+z.enum([
+	"wrong_client",
+	"not_owned",
+	"agent_suspended",
+	"wrong_org",
+	"unknown_agent",
+	"runtime_provider_mismatch"
+]);
+/** Header used on agent-scoped HTTP calls to select which managed agent the JWT acts as. */
+const AGENT_SELECTOR_HEADER = "x-agent-id";
+z.object({
+	agentId: z.string(),
+	status: presenceStatusSchema,
+	connectedAt: z.string().nullable(),
+	lastSeenAt: z.string(),
+	clientId: z.string().nullable().optional(),
+	runtimeType: z.string().nullable().optional(),
+	runtimeVersion: z.string().nullable().optional(),
+	runtimeState: runtimeStateSchema.nullable().optional(),
+	activeSessions: z.number().int().nullable().optional(),
+	totalSessions: z.number().int().nullable().optional(),
+	runtimeUpdatedAt: z.string().nullable().optional()
+});
+z.object({
+	total: z.number().int(),
+	running: z.number().int(),
+	byState: z.object({
+		idle: z.number().int(),
+		working: z.number().int(),
+		blocked: z.number().int(),
+		error: z.number().int()
+	}),
+	clients: z.number().int()
+});
+const runtimeProviderSchema = z.enum(["claude-code", "codex"]);
+const DEFAULT_RUNTIME_PROVIDER = "claude-code";
+const AGENT_TYPES = {
+	HUMAN: "human",
+	PERSONAL_ASSISTANT: "personal_assistant",
+	AUTONOMOUS_AGENT: "autonomous_agent"
+};
+const agentTypeSchema = z.enum([
+	"human",
+	"personal_assistant",
+	"autonomous_agent"
+]);
+const AGENT_VISIBILITY = {
+	PRIVATE: "private",
+	ORGANIZATION: "organization"
+};
+const agentVisibilitySchema = z.enum(["private", "organization"]);
+const AGENT_STATUSES = {
+	ACTIVE: "active",
+	SUSPENDED: "suspended",
+	DELETED: "deleted"
+};
+const AGENT_SOURCES = {
+	ADMIN_API: "admin-api",
+	PORTAL: "portal"
+};
+const agentSourceSchema = z.enum(["admin-api", "portal"]);
+z.enum(["active", "suspended"]);
+/**
+* Agent-name rules (see docs/agent-naming-design.md §3.1):
+*   - Lowercase ASCII slug, hyphens + underscores allowed.
+*   - Must start with alphanumeric: `-` / `_` as first char collide with
+*     CLI flag parsing and markdown list syntax.
+*   - 1–64 chars — aligned with `MENTION_REGEX` so any valid name can be
+*     @-mentioned in chat. Older rows created under the previous 1–100
+*     regex are grandfathered; the tight rule only gates new creates.
+*/
+const AGENT_NAME_REGEX = /^[a-z0-9][a-z0-9_-]{0,63}$/;
+const RESERVED_AGENT_NAMES_SET = new Set([
+	"admin",
+	"agent",
+	"first-tree",
+	"hub",
+	"me",
+	"null",
+	"system",
+	"undefined"
+]);
+function isReservedAgentName(name) {
+	return RESERVED_AGENT_NAMES_SET.has(name);
+}
+const createAgentSchema = z.object({
+	name: z.string().min(1).max(64).regex(AGENT_NAME_REGEX, "Must start with a letter or digit and contain only lowercase letters, digits, hyphens (-), and underscores (_). Max 64 chars.").refine((n) => !isReservedAgentName(n), { message: "That agent name is reserved — pick a different one." }).optional(),
+	type: agentTypeSchema,
+	displayName: z.string().min(1).max(200).optional(),
+	delegateMention: z.string().max(100).optional(),
+	organizationId: z.string().min(1).max(100).optional(),
+	source: agentSourceSchema.optional(),
+	visibility: agentVisibilitySchema.optional(),
+	metadata: z.record(z.string(), z.unknown()).optional(),
+	managerId: z.string().optional(),
+	clientId: z.string().min(1).max(100).optional(),
+	runtimeProvider: runtimeProviderSchema.optional(),
+	gitRepos: z.array(gitRepoSchema).optional()
+});
+const updateAgentSchema = z.object({
+	type: agentTypeSchema.optional(),
+	displayName: z.string().min(1).max(200).optional(),
+	delegateMention: z.string().max(100).nullable().optional(),
+	visibility: agentVisibilitySchema.optional(),
+	metadata: z.record(z.string(), z.unknown()).optional(),
+	managerId: z.string().nullable().optional(),
+	clientId: z.string().min(1).max(100).nullable().optional()
+});
+/**
+* Service-level rebind input. Admin / owner re-binds an agent to a new
+* client and/or a new runtime provider in one atomic operation.
+*
+* `force` bypasses the capability-match check (e.g. when the client is
+* offline and capabilities are stale).
+*/
+const rebindAgentSchema = z.object({
+	clientId: z.string().min(1).max(100),
+	runtimeProvider: runtimeProviderSchema,
+	force: z.boolean().optional()
+});
+z.object({
+	uuid: z.string(),
+	name: z.string().nullable(),
+	organizationId: z.string(),
+	type: agentTypeSchema,
+	displayName: z.string(),
+	delegateMention: z.string().nullable(),
+	inboxId: z.string(),
+	status: z.string(),
+	source: z.string().nullable().optional(),
+	visibility: agentVisibilitySchema,
+	metadata: z.record(z.string(), z.unknown()),
+	managerId: z.string().nullable(),
+	clientId: z.string().nullable(),
+	runtimeProvider: runtimeProviderSchema,
+	presenceStatus: presenceStatusSchema.optional(),
+	createdAt: z.string(),
+	updatedAt: z.string()
+});
+z.object({
+	repo: z.string().nullable(),
+	branch: z.string().nullable()
+});
+/**
+* Server → client WebSocket frame announcing that an agent has just been
+* pinned to the connected client (either created with `clientId` or bound via
+* PATCH NULL → ID). The client can auto-register a local config from this so
+* the operator doesn't have to run `first-tree-hub agent add` manually.
+*/
+const agentPinnedMessageSchema = z.object({
+	type: z.literal("agent:pinned"),
+	agentId: z.string(),
+	name: z.string().nullable(),
+	displayName: z.string(),
+	agentType: agentTypeSchema,
+	runtimeProvider: runtimeProviderSchema
+});
 const loginSchema = z.object({
 	username: z.string().min(1),
 	password: z.string().min(1)
@@ -1054,6 +1075,43 @@ const createOrgFromMeSchema = z.object({
 	name: z.string().min(2).max(50).regex(/^[a-z0-9][a-z0-9-]*$/),
 	displayName: z.string().min(1).max(200)
 });
+/**
+* Body for `PATCH /me/onboarding`. v1 only mutates `dismissed` — true to
+* hide the onboarding stepper (server stamps `users.onboarding_dismissed_at
+* = NOW()`), false to restore it. See docs/new-user-onboarding-design.md
+* §8.4.
+*/
+const patchOnboardingSchema = z.object({ dismissed: z.boolean().optional() });
+/**
+* Body for `POST /me/onboarding/events`. The web SPA reports key
+* milestones so the server can log them as a single funnel-trackable
+* stream alongside server-emitted events (`team_created`, `dismissed`).
+*
+* Server emits:
+*   - `team_created`           — at OAuth callback when joinPath === "solo"
+*   - `dismissed`              — when PATCH /me/onboarding flips dismissed
+*
+* Web reports:
+*   - `team_renamed`           — Step 1 user changed the auto-named team
+*   - `agent_created`          — Step 2 successfully created the agent
+*   - `tree_chat_started`      — Step 3 [Yes, set it up] succeeded
+*   - `tree_intro_dismissed`   — Step 3 [I'll do it later] clicked
+*/
+const onboardingEventNameSchema = z.enum([
+	"team_renamed",
+	"agent_created",
+	"tree_chat_started",
+	"tree_intro_dismissed"
+]);
+const onboardingEventSchema = z.object({
+	event: onboardingEventNameSchema,
+	attrs: z.record(z.string(), z.union([
+		z.string(),
+		z.number(),
+		z.boolean(),
+		z.null()
+	])).optional()
+});
 z.object({
 	id: z.string(),
 	organizationId: z.string(),
@@ -1140,6 +1198,74 @@ const githubDevCallbackQuerySchema = z.object({
 	displayName: z.string().optional(),
 	next: z.string().max(256).optional()
 });
+/**
+* Per-organization settings — schemas, namespaces, and the registry that
+* dispatches `(orgId, namespace)` lookups to the right validator.
+*
+* Each namespace has three schemas:
+*   - `storage` — what is persisted in `organization_settings.value`. For
+*     namespaces with secrets, the storage schema names the *cipher* field
+*     (e.g. `webhookSecretCipher`); plaintext never touches the row.
+*   - `input`   — what the admin API accepts in PUT bodies. For namespaces
+*     with secrets, `webhookSecret` is plaintext; the service layer
+*     encrypts it before merging into storage.
+*   - `output`  — what GET returns. Secrets are replaced by a boolean
+*     `…Configured` flag — plaintext is never echoed.
+*
+* Adding a new per-org config group:
+*   1. Define three schemas (storage / input / output).
+*   2. Add a key to `ORG_SETTINGS_NAMESPACES`.
+*   3. Done. No DB migration, no new API route.
+*/
+const orgContextTreeRepoUrlSchema = z.string().url().refine((value) => {
+	try {
+		return new URL(value).protocol === "https:";
+	} catch {
+		return false;
+	}
+}, { message: "Context Tree repo URL must use HTTPS." }).refine((value) => {
+	try {
+		const url = new URL(value);
+		return url.username.length === 0 && url.password.length === 0;
+	} catch {
+		return false;
+	}
+}, { message: "Context Tree repo URL must not include credentials." });
+const orgContextTreeStorageSchema = z.object({
+	repo: orgContextTreeRepoUrlSchema.optional(),
+	branch: z.string().default("main")
+});
+const orgContextTreeInputSchema = z.object({
+	repo: orgContextTreeRepoUrlSchema.nullish(),
+	branch: z.string().min(1).nullish()
+});
+const orgContextTreeOutputSchema = z.object({
+	repo: z.string().optional(),
+	branch: z.string().optional()
+});
+const orgGithubIntegrationStorageSchema = z.object({ webhookSecretCipher: z.string().optional() });
+const orgGithubIntegrationInputSchema = z.object({ webhookSecret: z.string().min(1).nullish() });
+const orgGithubIntegrationOutputSchema = z.object({
+	webhookSecretConfigured: z.boolean(),
+	webhookUrl: z.string()
+});
+const ORG_SETTINGS_NAMESPACES = {
+	context_tree: {
+		storage: orgContextTreeStorageSchema,
+		input: orgContextTreeInputSchema,
+		output: orgContextTreeOutputSchema
+	},
+	github_integration: {
+		storage: orgGithubIntegrationStorageSchema,
+		input: orgGithubIntegrationInputSchema,
+		output: orgGithubIntegrationOutputSchema
+	}
+};
+const ORG_SETTINGS_NAMESPACE_KEYS = Object.keys(ORG_SETTINGS_NAMESPACES);
+z.enum(ORG_SETTINGS_NAMESPACE_KEYS);
+function isOrgSettingNamespace(value) {
+	return typeof value === "string" && ORG_SETTINGS_NAMESPACE_KEYS.includes(value);
+}
 const UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
 z.object({
 	name: z.string().min(2).max(50).regex(/^[a-z0-9][a-z0-9-]*$/, "Must start with a letter or digit and contain only lowercase alphanumeric and hyphens").refine((v) => !UUID_PATTERN.test(v), "Name must not be a UUID format"),
@@ -1467,4 +1593,4 @@ z.object({
 	capabilities: serverCapabilitiesSchema.optional()
 }).passthrough();
 //#endregion
-export { notificationQuerySchema as $, createChatSchema as A, githubDevCallbackQuerySchema as B, clientCapabilitiesSchema as C, updateTaskStatusSchema as Ct, createAdapterConfigSchema as D, contextTreeSnapshotSchema as E, defaultRuntimeConfigPayload as F, inboxPollQuerySchema as G, imageInlineContentSchema as H, delegateFeishuUserSchema as I, joinByInvitationSchema as J, isRedactedEnvValue as K, dryRunAgentRuntimeConfigSchema as L, createMemberSchema as M, createOrgFromMeSchema as N, createAdapterMappingSchema as O, createTaskSchema as P, messageSourceSchema as Q, extractMentions as R, agentTypeSchema as S, updateOrganizationSchema as St, connectTokenExchangeSchema as T, inboxAckFrameSchema as U, githubStartQuerySchema as V, inboxDeliverFrameSchema as W, listMeChatsQuerySchema as X, linkTaskChatSchema as Y, loginSchema as Z, adminCreateTaskSchema as _, updateAgentRuntimeConfigSchema as _t, AGENT_STATUSES as a, scanMentionTokens as at, agentPinnedMessageSchema as b, updateClientCapabilitiesSchema as bt, DEFAULT_RUNTIME_PROVIDER as c, sendToAgentSchema as ct, TASK_HEALTH_SIGNALS as d, sessionEventSchema as dt, paginationQuerySchema as et, TASK_STATUSES as f, sessionReconcileRequestSchema as ft, addParticipantSchema as g, updateAdapterConfigSchema as gt, addMeChatParticipantsSchema as h, taskListQuerySchema as ht, AGENT_SOURCES as i, safeRedirectPath as it, createMeChatSchema as j, createAgentSchema as k, MENTION_REGEX as l, sessionCompletionMessageSchema as lt, WS_AUTH_FRAME_TIMEOUT_MS as m, stripCode as mt, AGENT_NAME_REGEX as n, refreshTokenSchema as nt, AGENT_TYPES as o, selfServiceFeishuBotSchema as ot, TASK_TERMINAL_STATUSES as p, sessionStateMessageSchema as pt, isReservedAgentName as q, AGENT_SELECTOR_HEADER as r, runtimeStateMessageSchema as rt, AGENT_VISIBILITY as s, sendMessageSchema as st, AGENT_BIND_REJECT_REASONS as t, rebindAgentSchema as tt, TASK_CREATOR_TYPES as u, sessionEventMessageSchema as ut, adminUpdateTaskSchema as v, updateAgentSchema as vt, clientRegisterSchema as w, wsAuthFrameSchema as wt, agentRuntimeConfigPayloadSchema as x, updateMemberSchema as xt, agentBindRequestSchema as y, updateChatSchema as yt, githubCallbackQuerySchema as z };
+export { loginSchema as $, createAgentSchema as A, githubCallbackQuerySchema as B, agentTypeSchema as C, updateChatSchema as Ct, contextTreeSnapshotSchema as D, updateTaskStatusSchema as Dt, connectTokenExchangeSchema as E, updateOrganizationSchema as Et, createTaskSchema as F, inboxDeliverFrameSchema as G, githubStartQuerySchema as H, defaultRuntimeConfigPayload as I, isRedactedEnvValue as J, inboxPollQuerySchema as K, delegateFeishuUserSchema as L, createMeChatSchema as M, createMemberSchema as N, createAdapterConfigSchema as O, wsAuthFrameSchema as Ot, createOrgFromMeSchema as P, listMeChatsQuerySchema as Q, dryRunAgentRuntimeConfigSchema as R, agentRuntimeConfigPayloadSchema as S, updateAgentSchema as St, clientRegisterSchema as T, updateMemberSchema as Tt, imageInlineContentSchema as U, githubDevCallbackQuerySchema as V, inboxAckFrameSchema as W, joinByInvitationSchema as X, isReservedAgentName as Y, linkTaskChatSchema as Z, addParticipantSchema as _, sessionStateMessageSchema as _t, AGENT_STATUSES as a, rebindAgentSchema as at, agentBindRequestSchema as b, updateAdapterConfigSchema as bt, DEFAULT_RUNTIME_PROVIDER as c, safeRedirectPath as ct, TASK_CREATOR_TYPES as d, sendMessageSchema as dt, messageSourceSchema as et, TASK_HEALTH_SIGNALS as f, sendToAgentSchema as ft, addMeChatParticipantsSchema as g, sessionReconcileRequestSchema as gt, WS_AUTH_FRAME_TIMEOUT_MS as h, sessionEventSchema as ht, AGENT_SOURCES as i, patchOnboardingSchema as it, createChatSchema as j, createAdapterMappingSchema as k, MENTION_REGEX as l, scanMentionTokens as lt, TASK_TERMINAL_STATUSES as m, sessionEventMessageSchema as mt, AGENT_NAME_REGEX as n, onboardingEventSchema as nt, AGENT_TYPES as o, refreshTokenSchema as ot, TASK_STATUSES as p, sessionCompletionMessageSchema as pt, isOrgSettingNamespace as q, AGENT_SELECTOR_HEADER as r, paginationQuerySchema as rt, AGENT_VISIBILITY as s, runtimeStateMessageSchema as st, AGENT_BIND_REJECT_REASONS as t, notificationQuerySchema as tt, ORG_SETTINGS_NAMESPACES as u, selfServiceFeishuBotSchema as ut, adminCreateTaskSchema as v, stripCode as vt, clientCapabilitiesSchema as w, updateClientCapabilitiesSchema as wt, agentPinnedMessageSchema as x, updateAgentRuntimeConfigSchema as xt, adminUpdateTaskSchema as y, taskListQuerySchema as yt, extractMentions as z };

package/dist/drizzle/0032_organization_settings.sql

@@ -0,0 +1,36 @@
+-- Per-organization settings, keyed by (organization_id, namespace).
+--
+-- Each row holds an entire group of related config as a JSONB blob; the
+-- schema for each namespace lives in @agent-team-foundation/first-tree-hub-shared
+-- (ORG_SETTINGS_NAMESPACES) and is enforced by the service layer on every
+-- read/write. Adding a new config group means registering a new namespace +
+-- Zod schema in shared — the DB does not change.
+--
+-- `version` is reserved for future optimistic locking (PUT with If-Match).
+-- We keep the column from day one so tightening to compare-and-swap later
+-- is a code-only change with no migration.
+--
+-- Sensitive fields inside `value` (e.g. github_integration.webhookSecret)
+-- are AES-256-GCM-encrypted at the service layer using crypto.ts's
+-- encryptValue / decryptValue — same pattern as adapter_configs.
+--
+-- ON DELETE CASCADE on organization_id: settings have no independent
+-- lifecycle, deleting an org must drop them. updated_by is SET NULL so a
+-- user deletion does not cascade-clobber unrelated config rows.
+
+CREATE TABLE IF NOT EXISTS "organization_settings" (
+  "organization_id" text NOT NULL,
+  "namespace"       text NOT NULL,
+  "value"           jsonb NOT NULL DEFAULT '{}'::jsonb,
+  "version"         integer NOT NULL DEFAULT 0,
+  "updated_by"      text,
+  "updated_at"      timestamp with time zone NOT NULL DEFAULT now(),
+  CONSTRAINT "organization_settings_pkey" PRIMARY KEY ("organization_id", "namespace"),
+  CONSTRAINT "organization_settings_organization_id_organizations_id_fk"
+    FOREIGN KEY ("organization_id") REFERENCES "organizations"("id") ON DELETE CASCADE,
+  CONSTRAINT "organization_settings_updated_by_users_id_fk"
+    FOREIGN KEY ("updated_by") REFERENCES "users"("id") ON DELETE SET NULL
+);
+
+CREATE INDEX IF NOT EXISTS "idx_org_settings_namespace"
+  ON "organization_settings" ("namespace");

package/dist/drizzle/0033_onboarding_dismissed_at.sql

@@ -0,0 +1,13 @@
+-- Onboarding stepper dismissal flag. Decoupled from the server-side
+-- `onboardingStep` enum so the stepper keeps rendering across all three
+-- UI steps (server-side onboardingStep flips to `completed` at the end of
+-- Step 2; Step 3 is purely client-driven and the stepper must keep
+-- showing during the tree-init chat).
+--
+-- See docs/new-user-onboarding-design.md §8.
+--
+-- NULL  → stepper renders
+-- value → user clicked the `✕`; stepper unmounts. Irreversible from UI v1.
+
+ALTER TABLE "users"
+  ADD COLUMN IF NOT EXISTS "onboarding_dismissed_at" timestamp with time zone;

package/dist/drizzle/meta/_journal.json

@@ -225,6 +225,20 @@
       "when": 1777939200000,
       "tag": "0031_drop_system_configs",
       "breakpoints": true
+    },
+    {
+      "idx": 32,
+      "version": "7",
+      "when": 1778198400000,
+      "tag": "0032_organization_settings",
+      "breakpoints": true
+    },
+    {
+      "idx": 33,
+      "version": "7",
+      "when": 1778284800000,
+      "tag": "0033_onboarding_dismissed_at",
+      "breakpoints": true
     }
   ]
-}
+}

package/dist/{errors-BmyRwN0Y-Dad3eV8F.mjs → errors-CF5evtJt-B0NTIVPt.mjs}

@@ -1,5 +1,5 @@
 import { integer, jsonb, pgTable, text, timestamp } from "drizzle-orm/pg-core";
-//#region ../server/dist/errors-BmyRwN0Y.mjs
+//#region ../server/dist/errors-CF5evtJt.mjs
 /** Organization entity. Agents and chats belong to exactly one organization. */
 const organizations = pgTable("organizations", {
 	id: text("id").primaryKey(),
@@ -19,6 +19,7 @@ const users = pgTable("users", {
 	displayName: text("display_name").notNull(),
 	avatarUrl: text("avatar_url"),
 	status: text("status").notNull().default("active"),
+	onboardingDismissedAt: timestamp("onboarding_dismissed_at", { withTimezone: true }),
 	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
 	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow()
 });

package/dist/{feishu-Th_-ivJ7.mjs → feishu-DbSvp9UH.mjs}

@@ -1,6 +1,6 @@
 import { r as __exportAll } from "./chunk-BSw8zbkd.mjs";
 import { t as cliFetch } from "./cli-fetch--tiwKm5S.mjs";
-import { r as AGENT_SELECTOR_HEADER } from "./dist-BAqGZkco.mjs";
+import { r as AGENT_SELECTOR_HEADER } from "./dist-CfvCT4E0.mjs";
 //#region src/core/feishu.ts
 var feishu_exports = /* @__PURE__ */ __exportAll({
 	bindFeishuBot: () => bindFeishuBot,