@agent-team-foundation/first-tree-hub 0.12.0 → 0.12.2

package/dist/{saas-connect-Drn9g6cR.mjs → saas-connect-_2M4kfPR.mjs}

@@ -2,10 +2,10 @@ import { a as __toCommonJS, o as __toESM, t as __commonJSMin } from "./chunk-BSw
 import { A as FIRST_TREE_HUB_ATTR, C as stampOrgScope, D as untrustedAttrs, E as startWsConnectionSpan, M as require_pino, O as withSpan, S as stampChatResource, _ as rootLogger$1, a as buildRateLimitError, c as currentTraceId, g as reportErrorToRoot, i as bodyCaptureOnSendHook, j as redactUrl, k as withWsMessageSpan, l as decodeJwtForTrace, m as observabilityPlugin, n as applyLoggerConfig, o as classifyJoseError, r as attachRequestContext, s as createLogger$1, t as adapterAttrs, u as endWsConnectionSpan, x as stampAgentResource, y as setWsConnectionAttrs } from "./observability-BAScT_5S-BcW9HgkG.mjs";
 import { C as resetConfigMeta, E as setConfigValue, S as resetConfig, T as serverConfigSchema, b as migrateLegacyHome, c as resolveServerUrl, d as DEFAULT_CONFIG_DIR, f as DEFAULT_DATA_DIR$1, g as collectMissingPrompts, h as clientConfigSchema, i as ensureFreshAccessToken, l as saveAgentConfig, m as agentConfigSchema, o as loadCredentials, p as DEFAULT_HOME_DIR$1, u as saveCredentials, v as initConfig, w as resolveConfigReadonly, y as loadAgents } from "./bootstrap-C_K2CKXC.mjs";
 import { a as print, i as blank, n as CLI_USER_AGENT, r as COMMAND_VERSION, s as status, t as cliFetch } from "./cli-fetch--tiwKm5S.mjs";
-import { $ as loginSchema, A as createAgentSchema, At as updateTaskStatusSchema, B as githubCallbackQuerySchema, C as agentTypeSchema$1, Ct as updateAdapterConfigSchema, D as contextTreeSnapshotSchema, Dt as updateClientCapabilitiesSchema, E as connectTokenExchangeSchema, Et as updateChatSchema, F as createTaskSchema, G as inboxDeliverFrameSchema$1, H as githubStartQuerySchema, I as defaultRuntimeConfigPayload, J as isRedactedEnvValue, K as inboxPollQuerySchema, L as delegateFeishuUserSchema, M as createMeChatSchema, N as createMemberSchema, O as createAdapterConfigSchema, Ot as updateMemberSchema, P as createOrgFromMeSchema, Q as listMeChatsQuerySchema, R as dryRunAgentRuntimeConfigSchema, S as agentRuntimeConfigPayloadSchema$1, St as taskListQuerySchema, T as clientRegisterSchema, Tt as updateAgentSchema, U as imageInlineContentSchema, V as githubDevCallbackQuerySchema, W as inboxAckFrameSchema, X as joinByInvitationSchema, Y as isReservedAgentName$1, Z as linkTaskChatSchema, _ as addParticipantSchema, _t as sessionEventSchema$1, a as AGENT_STATUSES, b as agentBindRequestSchema, bt as stripCode, ct as refreshTokenSchema, d as TASK_CREATOR_TYPES, et as messageSourceSchema$1, f as TASK_HEALTH_SIGNALS, ft as selfServiceFeishuBotSchema, g as addMeChatParticipantsSchema, gt as sessionEventMessageSchema, h as WS_AUTH_FRAME_TIMEOUT_MS, ht as sessionCompletionMessageSchema, i as AGENT_SOURCES, it as patchOnboardingSchema, j as createChatSchema, jt as wsAuthFrameSchema, k as createAdapterMappingSchema, kt as updateOrganizationSchema, l as MENTION_REGEX, lt as runtimeStateMessageSchema, m as TASK_TERMINAL_STATUSES, mt as sendToAgentSchema, n as AGENT_NAME_REGEX$1, nt as onboardingEventSchema, o as AGENT_TYPES, p as TASK_STATUSES, pt as sendMessageSchema, q as isOrgSettingNamespace, r as AGENT_SELECTOR_HEADER$1, rt as paginationQuerySchema, s as AGENT_VISIBILITY, st as rebindAgentSchema, t as AGENT_BIND_REJECT_REASONS, tt as notificationQuerySchema, u as ORG_SETTINGS_NAMESPACES$1, ut as safeRedirectPath, v as adminCreateTaskSchema, vt as sessionReconcileRequestSchema, wt as updateAgentRuntimeConfigSchema, x as agentPinnedMessageSchema$1, xt as submitQuestionAnswerSchema, y as adminUpdateTaskSchema, yt as sessionStateMessageSchema } from "./dist-UOZ6vMUW.mjs";
+import { $ as loginSchema, A as createAgentSchema, At as updateTaskStatusSchema, B as githubCallbackQuerySchema, C as agentTypeSchema$1, Ct as updateAdapterConfigSchema, D as contextTreeSnapshotSchema, Dt as updateClientCapabilitiesSchema, E as connectTokenExchangeSchema, Et as updateChatSchema, F as createTaskSchema, G as inboxDeliverFrameSchema$1, H as githubStartQuerySchema, I as defaultRuntimeConfigPayload, J as isRedactedEnvValue, K as inboxPollQuerySchema, L as delegateFeishuUserSchema, M as createMeChatSchema, N as createMemberSchema, O as createAdapterConfigSchema, Ot as updateMemberSchema, P as createOrgFromMeSchema, Q as listMeChatsQuerySchema, R as dryRunAgentRuntimeConfigSchema, S as agentRuntimeConfigPayloadSchema$1, St as taskListQuerySchema, T as clientRegisterSchema, Tt as updateAgentSchema, U as imageInlineContentSchema, V as githubDevCallbackQuerySchema, W as inboxAckFrameSchema, X as joinByInvitationSchema, Y as isReservedAgentName$1, Z as linkTaskChatSchema, _ as addParticipantSchema, _t as sessionEventSchema$1, a as AGENT_STATUSES, b as agentBindRequestSchema, bt as stripCode, ct as refreshTokenSchema, d as TASK_CREATOR_TYPES, et as messageSourceSchema$1, f as TASK_HEALTH_SIGNALS, ft as selfServiceFeishuBotSchema, g as addMeChatParticipantsSchema, gt as sessionEventMessageSchema, h as WS_AUTH_FRAME_TIMEOUT_MS, ht as sessionCompletionMessageSchema, i as AGENT_SOURCES, it as patchOnboardingSchema, j as createChatSchema, jt as wsAuthFrameSchema, k as createAdapterMappingSchema, kt as updateOrganizationSchema, l as MENTION_REGEX, lt as runtimeStateMessageSchema, m as TASK_TERMINAL_STATUSES, mt as sendToAgentSchema, n as AGENT_NAME_REGEX$1, nt as onboardingEventSchema, o as AGENT_TYPES, p as TASK_STATUSES, pt as sendMessageSchema, q as isOrgSettingNamespace, r as AGENT_SELECTOR_HEADER$1, rt as paginationQuerySchema, s as AGENT_VISIBILITY, st as rebindAgentSchema, t as AGENT_BIND_REJECT_REASONS, tt as notificationQuerySchema, u as ORG_SETTINGS_NAMESPACES$1, ut as safeRedirectPath, v as adminCreateTaskSchema, vt as sessionReconcileRequestSchema, wt as updateAgentRuntimeConfigSchema, x as agentPinnedMessageSchema$1, xt as submitQuestionAnswerSchema, y as adminUpdateTaskSchema, yt as sessionStateMessageSchema } from "./dist-DHHd2dar.mjs";
 import { a as ConflictError, c as UnauthorizedError, i as ClientUserMismatchError$1, l as organizations, n as BadRequestError, o as ForbiddenError, r as ClientOrgMismatchError$1, s as NotFoundError, t as AppError, u as users } from "./errors-CF5evtJt-B0NTIVPt.mjs";
 import { n as init_esm, r as trace, t as esm_exports } from "./esm-iadMkGbV.mjs";
-import { $ as pendingQuestions, A as heartbeatClient, B as listAgentsWithRuntime, C as findOrCreateDirectChat, D as getClient, E as getChatDetail, F as joinChat, G as listClientsForOrgAdmin, H as listChats, I as leaveAsParticipant, J as markStaleAgents, K as listMessages, L as leaveChat, M as inboxEntries, N as invalidateChatAudience, O as getOnlineCount, P as joinAsParticipant, Q as notifyRecipients, R as listActiveAgentsPinnedToClient, S as ensureParticipant$1, T as getCachedAudience, U as listChatsForMember, V as listChatParticipantsWithNames, W as listClients, X as members, Y as markSupersededByChat, Z as messages, _ as createNotifier, _t as updateClientCapabilities, a as agents, at as removeParticipant, b as editMessage, c as bindAgent, ct as retireClient, d as chats, dt as serverInstances, et as recomputeChatWatchers, f as claimClient, ft as setOffline, g as createChat, gt as unbindAgent, h as clients, ht as touchAgent, i as agentVisibilityCondition, it as registerClient, j as heartbeatInstance, k as getPresence, l as chatParticipants, lt as sendMessage, m as cleanupStalePresence, mt as submitAnswer, n as agentChatSessions, nt as recomputeWatchersForMember, o as assertClientOwner, ot as resetActivity, p as cleanupStaleClients, pt as setRuntimeState, r as agentPresence, rt as registerChatMessageDispatcher, s as assertParticipant, st as resolveChatMembership, t as addParticipant, tt as recomputeWatchersForAgent, u as chatSubscriptions, ut as sendToAgent$1, v as deriveAuthState, vt as upsertSessionState, w as getActivityOverview, x as ensureCanJoin, y as disconnectClient, z as listAgentsManagedByUser } from "./client-BPUdUaZT-CyCrpCTP.mjs";
+import { $ as pendingQuestions, A as heartbeatClient, B as listAgentsWithRuntime, C as findOrCreateDirectChat, D as getClient, E as getChatDetail, F as joinChat, G as listClientsForOrgAdmin, H as listChats, I as leaveAsParticipant, J as markStaleAgents, K as listMessages, L as leaveChat, M as inboxEntries, N as invalidateChatAudience, O as getOnlineCount, P as joinAsParticipant, Q as notifyRecipients, R as listActiveAgentsPinnedToClient, S as ensureParticipant$1, T as getCachedAudience, U as listChatsForMember, V as listChatParticipantsWithNames, W as listClients, X as members, Y as markSupersededByChat, Z as messages, _ as createNotifier, _t as updateClientCapabilities, a as agents, at as removeParticipant, b as editMessage, c as bindAgent, ct as retireClient, d as chats, dt as serverInstances, et as recomputeChatWatchers, f as claimClient, ft as setOffline, g as createChat, gt as unbindAgent, h as clients, ht as touchAgent, i as agentVisibilityCondition, it as registerClient, j as heartbeatInstance, k as getPresence, l as chatParticipants, lt as sendMessage, m as cleanupStalePresence, mt as submitAnswer, n as agentChatSessions, nt as recomputeWatchersForMember, o as assertClientOwner, ot as resetActivity, p as cleanupStaleClients, pt as setRuntimeState, r as agentPresence, rt as registerChatMessageDispatcher, s as assertParticipant, st as resolveChatMembership, t as addParticipant, tt as recomputeWatchersForAgent, u as chatSubscriptions, ut as sendToAgent$1, v as deriveAuthState, vt as upsertSessionState, w as getActivityOverview, x as ensureCanJoin, y as disconnectClient, z as listAgentsManagedByUser } from "./client-DHCSQ8kg-DjlSmE9q.mjs";
 import { a as invitationRedemptions, c as recordRedemption, i as getActiveInvitation, l as rotateInvitation, n as ensureActiveInvitation, o as invitations, r as findActiveByToken, t as buildInviteUrl, u as uuidv7 } from "./invitation-Bg0TRiyx-BsZH4GCS.mjs";
 import { createRequire } from "node:module";
 import { ZodError, z } from "zod";
@@ -1365,26 +1365,51 @@ z.object({
 *   2. Add a key to `ORG_SETTINGS_NAMESPACES`.
 *   3. Done. No DB migration, no new API route.
 */
-const httpsRepoUrlSchema = z.string().url().refine((value) => {
+const SCP_LIKE_SSH_RE = /^(?:[A-Za-z0-9_.-]+@)?[A-Za-z0-9.-]+:(?!\d+(?:\/|$))[^/:@\s][^:@\s]*$/;
+function isScpLikeSshUrl(value) {
+	if (value.includes("://")) return false;
+	return SCP_LIKE_SSH_RE.test(value);
+}
+const repoUrlSchema = z.string().min(1).superRefine((value, ctx) => {
+	if (isScpLikeSshUrl(value)) return;
+	let url;
 	try {
-		return new URL(value).protocol === "https:";
+		url = new URL(value);
 	} catch {
-		return false;
+		ctx.addIssue({
+			code: z.ZodIssueCode.custom,
+			message: "Repo URL must be HTTPS, SSH (ssh://...), or scp-like (git@host:path)."
+		});
+		return;
 	}
-}, { message: "Repo URL must use HTTPS." }).refine((value) => {
-	try {
-		const url = new URL(value);
-		return url.username.length === 0 && url.password.length === 0;
-	} catch {
-		return false;
+	if (url.protocol !== "https:" && url.protocol !== "ssh:") {
+		ctx.addIssue({
+			code: z.ZodIssueCode.custom,
+			message: "Repo URL must use HTTPS or SSH."
+		});
+		return;
+	}
+	if (url.password.length > 0) {
+		ctx.addIssue({
+			code: z.ZodIssueCode.custom,
+			message: "Repo URL must not include credentials."
+		});
+		return;
+	}
+	if (url.protocol === "https:" && url.username.length > 0) {
+		ctx.addIssue({
+			code: z.ZodIssueCode.custom,
+			message: "Repo URL must not include credentials."
+		});
+		return;
 	}
-}, { message: "Repo URL must not include credentials." });
+});
 const orgContextTreeStorageSchema = z.object({
-	repo: httpsRepoUrlSchema.optional(),
+	repo: repoUrlSchema.optional(),
 	branch: z.string().default("main")
 });
 const orgContextTreeInputSchema = z.object({
-	repo: httpsRepoUrlSchema.nullish(),
+	repo: repoUrlSchema.nullish(),
 	branch: z.string().min(1).nullish()
 });
 const orgContextTreeOutputSchema = z.object({
@@ -1398,11 +1423,11 @@ const orgGithubIntegrationOutputSchema = z.object({
 	webhookUrl: z.string()
 });
 const orgSourceReposStorageSchema = z.object({ repos: z.array(z.object({
-	url: httpsRepoUrlSchema,
+	url: repoUrlSchema,
 	defaultBranch: z.string().optional()
 })).default([]) });
 const orgSourceReposInputSchema = z.object({ repos: z.array(z.object({
-	url: httpsRepoUrlSchema,
+	url: repoUrlSchema,
 	defaultBranch: z.string().min(1).optional()
 })).optional() });
 const orgSourceReposOutputSchema = z.object({ repos: z.array(z.object({
@@ -3029,8 +3054,65 @@ For content with quotes, \`$\`, backticks, or newlines, prefer stdin to avoid sh
 const DEFAULT_CLONE_TIMEOUT_MS = 300 * 1e3;
 const FETCH_REFSPEC = "+refs/heads/*:refs/remotes/origin/*";
 const SESSION_BRANCH_PREFIX = "hub-session";
+/**
+* Hash a repo URL into the mirror directory name.
+*
+* The hash is computed over a *canonical* form (host + path, lowercased
+* host, no `.git` suffix, no leading/trailing slash, no protocol, no
+* `user@` prefix), so the same upstream repo addressed via any of the
+* accepted forms (HTTPS, `ssh://`, or scp-like) all land in the same
+* mirror dir. That matters because:
+*   - admins may write any of those three forms into `source_repos[].url`
+*     (the schema accepts all of them)
+*   - the `fetchOrigin` fallback below transparently swaps protocols when
+*     credentials are missing — without canonical hashing, the fallback
+*     would silently maintain a second mirror dir
+*
+* Migration cost: pre-existing mirrors created before this change use the
+* raw-URL hash and will be orphaned after the upgrade. `gcMirrors` removes
+* them on the next run; the next fetch repopulates the canonical-keyed
+* mirror. No data loss — mirror is a cache, not state.
+*/
 function hashUrl(url) {
-	return createHash("sha256").update(url).digest("hex").slice(0, 32);
+	return createHash("sha256").update(canonicalizeRepoUrl(url)).digest("hex").slice(0, 32);
+}
+/**
+* Reduce a repo URL to `<host[:port]>/<path-without-.git>`. Used as the
+* input to the mirror dir hash and exposed for unit testing.
+*
+*   `https://github.com/foo/bar.git`         → `github.com/foo/bar`
+*   `git@github.com:foo/bar.git`             → `github.com/foo/bar`
+*   `ssh://git@github.com/foo/bar.git`       → `github.com/foo/bar`
+*   `ssh://git@gitlab.example.com:2222/x/y`  → `gitlab.example.com:2222/x/y`
+*
+* Falls back to the raw input for un-parseable strings — better to keep
+* a stable mirror than to throw mid-bootstrap.
+*/
+function canonicalizeRepoUrl(url) {
+	if (!url.includes("://")) {
+		const m = url.match(/^(?:[A-Za-z0-9_.-]+@)?([A-Za-z0-9.-]+):([^/@:\s][^@:\s]*)$/);
+		const host = m?.[1];
+		const rawPath = m?.[2];
+		if (host && rawPath && !/^\d+(?:\/|$)/.test(rawPath)) {
+			const path = normalizePath(rawPath);
+			return `${host.toLowerCase()}/${path}`;
+		}
+	}
+	try {
+		const parsed = new URL(url);
+		const host = parsed.hostname.toLowerCase();
+		return `${parsed.port === "" || parsed.protocol === "https:" && parsed.port === "443" || parsed.protocol === "ssh:" && parsed.port === "22" ? host : `${host}:${parsed.port}`}/${normalizePath(parsed.pathname)}`;
+	} catch {
+		return url;
+	}
+}
+/**
+* Strip leading slashes, trailing slashes, and a trailing `.git`. Used by
+* `canonicalizeRepoUrl` so that `…/foo/bar`, `…/foo/bar/`, and `…/foo/bar.git`
+* all collapse to the same canonical path (and therefore the same mirror dir).
+*/
+function normalizePath(rawPath) {
+	return rawPath.replace(/^\/+/, "").replace(/\/+$/, "").replace(/\.git$/i, "");
 }
 function shortHash(input) {
 	return createHash("sha256").update(input).digest("hex").slice(0, 8);
@@ -3067,10 +3149,14 @@ function createGitMirrorManager(opts) {
 	}
 	async function git(args, cwd, timeoutMs, env) {
 		const start = Date.now();
+		const finalEnv = {
+			GIT_TERMINAL_PROMPT: "0",
+			...env ?? process.env
+		};
 		return await new Promise((resolveExec, rejectExec) => {
 			const proc = spawn("git", args, {
 				cwd: cwd ?? void 0,
-				env: env ?? process.env,
+				env: finalEnv,
 				stdio: [
 					"ignore",
 					"pipe",
@@ -3114,6 +3200,116 @@ function createGitMirrorManager(opts) {
 		}
 	}
 	/**
+	* `git fetch --prune origin` with one-shot bidirectional protocol fallback.
+	*
+	* Decides direction from `originUrl`'s protocol:
+	*   - HTTPS origin → on credential-shaped failure, retry as SSH
+	*   - SSH   origin → on credential-shaped failure, retry as HTTPS
+	* The fallback fires only when **all** hold:
+	*   1. The first attempt failed with a credential-shaped error in the
+	*      direction-appropriate sense (`isLikelyHttpsAuthFailure` /
+	*      `isLikelySshAuthFailure`). Network failures, missing-ref errors,
+	*      and TLS/host-key surprises propagate as-is — those won't be cured
+	*      by switching transports and silently retrying would mask real bugs.
+	*   2. The origin URL maps to a usable peer-protocol form
+	*      (see `httpsToSshBaseRewrite` / `sshToHttpsBaseRewrite`). Custom
+	*      ports beyond the protocol default disable the rewrite — there's no
+	*      universal mapping between `https://host:8443` and an SSH peer.
+	*
+	* Implementation: the retry uses `git -c url.<peer-base>.insteadOf=<origin-base>`
+	* — git resolves origin's URL through that rewrite for the duration of
+	* one subprocess and never persists anything to disk. The mirror's
+	* `remote.origin.url` stays as configured, so the next fetch starts back
+	* at the original protocol unless this fallback fires again.
+	*/
+	/**
+	* `remote set-head --auto` is a remote-talking op too — under the same
+	* credential rules as `fetch`. If we don't apply the same fallback,
+	* mirrors whose HTTPS creds are missing end up with `refs/remotes/origin/HEAD`
+	* unset, which then breaks `resolveBase()` for callers without an explicit
+	* `ref` (the default-branch lookup throws).
+	*
+	* Strategy mirrors `fetchOrigin`: try the configured protocol first, fall
+	* back to the peer protocol once via `-c url.<peer>.insteadOf=<origin>`.
+	* Returns true on either success, false if both attempts failed (which
+	* mirrors the historical `gitOk` semantics — non-fatal). No `GitMirrorAuthError`
+	* here: callers that need origin/HEAD already get a clear
+	* `GitMirrorError("Cannot resolve default branch …")` if both attempts fail.
+	*/
+	async function setHeadAuto(mirrorPath, originUrl) {
+		if (await gitOk([
+			"remote",
+			"set-head",
+			"origin",
+			"--auto"
+		], mirrorPath, 3e4)) return true;
+		const direction = pickFallbackDirection(originUrl);
+		if (!direction) return false;
+		return await gitOk([
+			"-c",
+			`url.${direction.peerBase}.insteadOf=${direction.originBase}`,
+			"remote",
+			"set-head",
+			"origin",
+			"--auto"
+		], mirrorPath, 3e4);
+	}
+	async function readOriginUrl(mirrorPath) {
+		try {
+			const { stdout } = await git([
+				"config",
+				"--get",
+				"remote.origin.url"
+			], mirrorPath, 1e4);
+			return stdout.trim() || null;
+		} catch {
+			return null;
+		}
+	}
+	async function fetchOrigin(mirrorPath, originUrl) {
+		const direction = pickFallbackDirection(originUrl);
+		try {
+			const { elapsedMs } = await git([
+				"fetch",
+				"--prune",
+				"origin"
+			], mirrorPath, cloneTimeoutMs);
+			return {
+				elapsedMs,
+				usedFallback: false
+			};
+		} catch (primaryErr) {
+			const primaryMessage = primaryErr instanceof Error ? primaryErr.message : String(primaryErr);
+			if (!direction || !direction.shouldRetry(primaryMessage)) throw primaryErr;
+			log?.info({
+				gitUrl: originUrl,
+				fromProtocol: direction.fromProtocol,
+				toProtocol: direction.toProtocol,
+				peerBase: direction.peerBase
+			}, "fetch failed with credential-shaped error; retrying with peer-protocol insteadOf rewrite");
+			try {
+				const { elapsedMs } = await git([
+					"-c",
+					`url.${direction.peerBase}.insteadOf=${direction.originBase}`,
+					"fetch",
+					"--prune",
+					"origin"
+				], mirrorPath, cloneTimeoutMs);
+				log?.info({
+					gitUrl: originUrl,
+					toProtocol: direction.toProtocol
+				}, "protocol-fallback fetch succeeded");
+				return {
+					elapsedMs,
+					usedFallback: true
+				};
+			} catch (peerErr) {
+				const peerMessage = peerErr instanceof Error ? peerErr.message : String(peerErr);
+				throw new GitMirrorAuthError(`Could not fetch ${originUrl} over ${direction.fromProtocol.toUpperCase()} or ${direction.toProtocol.toUpperCase()}. ${direction.fromProtocol.toUpperCase()} attempt failed: ${truncate(primaryMessage)} ${direction.toProtocol.toUpperCase()} retry (${direction.peerBase}) failed: ${truncate(peerMessage)}`);
+			}
+		}
+	}
+	/**
 	* Bring the mirror's config to the invariant expected by this module:
 	* fetch refspec = `+refs/heads/*:refs/remotes/origin/*`, `remote.origin.mirror`
 	* absent, `refs/remotes/origin/HEAD` resolvable.
@@ -3181,17 +3377,8 @@ function createGitMirrorManager(opts) {
 			migrated = true;
 		}
 		if (migrated) {
-			await git([
-				"fetch",
-				"--prune",
-				"origin"
-			], mirrorPath, cloneTimeoutMs);
-			await gitOk([
-				"remote",
-				"set-head",
-				"origin",
-				"--auto"
-			], mirrorPath, 3e4);
+			await fetchOrigin(mirrorPath, url);
+			await setHeadAuto(mirrorPath, url);
 			log?.info({ gitUrl: url }, "mirror config migrated");
 		}
 		return { migrated };
@@ -3221,17 +3408,8 @@ function createGitMirrorManager(opts) {
 			"remote.origin.fetch",
 			FETCH_REFSPEC
 		], mirrorPath, 1e4);
-		await git([
-			"fetch",
-			"--prune",
-			"origin"
-		], mirrorPath, cloneTimeoutMs);
-		await gitOk([
-			"remote",
-			"set-head",
-			"origin",
-			"--auto"
-		], mirrorPath, 3e4);
+		await fetchOrigin(mirrorPath, url);
+		await setHeadAuto(mirrorPath, url);
 	}
 	async function branchExists(mirrorPath, branchName) {
 		return await gitOk([
@@ -3257,6 +3435,21 @@ function createGitMirrorManager(opts) {
 				"--quiet",
 				"refs/remotes/origin/HEAD"
 			], mirrorPath, 1e4)) return "refs/remotes/origin/HEAD";
+			const url = await readOriginUrl(mirrorPath);
+			if (url && await setHeadAuto(mirrorPath, url)) {
+				if (await gitOk([
+					"rev-parse",
+					"--verify",
+					"--quiet",
+					"refs/remotes/origin/HEAD"
+				], mirrorPath, 1e4)) {
+					log?.info({
+						mirrorPath,
+						gitUrl: url
+					}, "origin/HEAD self-healed via setHeadAuto");
+					return "refs/remotes/origin/HEAD";
+				}
+			}
 			throw new GitMirrorError("Cannot resolve default branch: refs/remotes/origin/HEAD is missing. Re-run with an explicit `ref`.");
 		}
 		if (looksLikeCommitSha(ref)) {
@@ -3325,16 +3518,12 @@ function createGitMirrorManager(opts) {
 				const path = mirrorDir(url);
 				if (!existsSync(join(path, "HEAD"))) throw new GitMirrorError(`Cannot fetch — no mirror exists for "${url}"`);
 				try {
-					const { elapsedMs } = await git([
-						"fetch",
-						"--prune",
-						"origin"
-					], path, cloneTimeoutMs);
+					const { elapsedMs } = await fetchOrigin(path, url);
 					return { elapsedMs };
 				} catch (err) {
 					log?.warn({
 						gitUrl: url,
-						errorCode: err instanceof GitMirrorError ? "git-failed" : "unknown",
+						errorCode: err instanceof GitMirrorAuthError ? "auth-failed" : err instanceof GitMirrorTimeoutError ? "timeout" : err instanceof GitMirrorError ? "git-failed" : "unknown",
 						stderr: err instanceof Error ? err.message.slice(0, 1024) : String(err).slice(0, 1024)
 					}, "mirror fetch failed");
 					throw err;
@@ -3472,6 +3661,166 @@ var GitMirrorWorktreeConflictError = class extends GitMirrorError {
 	}
 };
 /**
+* Thrown when both the HTTPS fetch and the SSH fallback fail. The message
+* carries trimmed stderr from both attempts so the operator can see whether
+* the host's HTTPS credentials are missing, the SSH key is missing, or both.
+*/
+var GitMirrorAuthError = class extends GitMirrorError {
+	constructor(message) {
+		super(message);
+		this.name = "GitMirrorAuthError";
+	}
+};
+/**
+* Heuristic for HTTPS-side credential failures. Matches the indicators git
+* itself emits over libcurl / git-credential helpers, regardless of platform.
+*
+* Negative space (intentionally NOT matched): network errors
+* (`Could not resolve host`, `connection refused`), repo errors
+* (`Repository not found`, `couldn't find remote ref`), TLS errors
+* (`SSL certificate problem`). Those won't be cured by switching transports
+* and silently retrying would mask the real bug.
+*
+* Exported for unit testing.
+*/
+function isLikelyHttpsAuthFailure(message) {
+	if (!message) return false;
+	return /could not read Username/i.test(message) || /could not read Password/i.test(message) || /Authentication failed/i.test(message) || /terminal prompts disabled/i.test(message) || /HTTP\s*(?:Basic:\s*)?Access denied/i.test(message) || /\bHTTP[/ ]?(1\.[01]|2|2\.0)?\s*40[13]\b/i.test(message) || /\bfatal:\s*unable to access\b.*\b(401|403)\b/i.test(message) || /\bremote: Invalid username or password\b/i.test(message);
+}
+/**
+* Heuristic for SSH-side credential failures (no key on disk, key not
+* accepted by remote, agent has nothing usable, host key mismatch).
+*
+* Negative space (intentionally NOT matched): SSH-level network errors
+* (`Could not resolve hostname`, `Connection refused`, `Connection timed out`).
+* Those are network reachability issues — switching to HTTPS won't help
+* unless the network policy specifically blocks port 22, which is rare
+* enough that we'd rather surface the original error than guess.
+*
+* Exported for unit testing.
+*/
+function isLikelySshAuthFailure(message) {
+	if (!message) return false;
+	return /Permission denied\s*(?:\(|,)/i.test(message) || /Could not read from remote repository/i.test(message) || /Host key verification failed/i.test(message) || /no matching host key type/i.test(message) || /no mutual signature algorithm/i.test(message);
+}
+/**
+* Map an HTTPS git URL to the `insteadOf` rewrite needed to make git resolve
+* it through SSH. Returns *base* strings (suitable for
+* `git -c url.<sshBase>.insteadOf=<httpsBase>`) — git's `insteadOf` is a
+* prefix match, so we only need the host segment.
+*
+*   `https://github.com/owner/repo.git` → `git@github.com:` / `https://github.com/`
+*
+* Returns `null` for inputs that should NOT trigger fallback:
+*   - non-HTTPS URLs (already SSH, `git://`, `file://`, etc.)
+*   - URLs with embedded credentials (schema rejects these on input;
+*     belt-and-braces — never silently downgrade auth strength)
+*   - HTTPS URLs with a non-default port — there is no portable mapping to
+*     an SSH port (HTTPS:8443 ↔ SSH:???), so we refuse to guess
+*   - URLs that fail to parse
+*
+* Exported for unit testing.
+*/
+function httpsToSshBaseRewrite(url) {
+	if (!url || !/^https:\/\//i.test(url)) return null;
+	let parsed;
+	try {
+		parsed = new URL(url);
+	} catch {
+		return null;
+	}
+	if (parsed.protocol !== "https:") return null;
+	if (parsed.username.length > 0 || parsed.password.length > 0) return null;
+	if (!parsed.hostname) return null;
+	if (parsed.port && parsed.port !== "443") return null;
+	return {
+		httpsBase: `https://${parsed.hostname}/`,
+		sshBase: `git@${parsed.hostname}:`
+	};
+}
+/**
+* Map an SSH git URL (either `ssh://` or scp-like `[user@]host:path`) to the
+* `insteadOf` rewrite for resolving via HTTPS. Mirror of
+* `httpsToSshBaseRewrite`.
+*
+*   `git@github.com:owner/repo.git`           → `git@github.com:` / `https://github.com/`
+*   `ssh://git@github.com/owner/repo.git`     → `ssh://git@github.com/` / `https://github.com/`
+*   `ssh://git@gitlab.example.com:22/x/y.git` → `ssh://git@gitlab.example.com:22/` / `https://gitlab.example.com/`
+*
+* Returns `null` when:
+*   - URL is not SSH-shaped
+*   - URL has an embedded password (`user:pass@`)
+*   - SSH URL has a non-default port (≠ 22) — no portable mapping to HTTPS
+*
+* Exported for unit testing.
+*/
+function sshToHttpsBaseRewrite(url) {
+	if (!url) return null;
+	if (!url.includes("://")) {
+		const m = url.match(/^((?:[A-Za-z0-9_.-]+@)?)([A-Za-z0-9.-]+):([^/@:\s][^@:\s]*)$/);
+		const userAt = m?.[1];
+		const host = m?.[2];
+		const path = m?.[3];
+		if (userAt === void 0 || !host || !path) return null;
+		if (/^\d+(?:\/|$)/.test(path)) return null;
+		return {
+			sshBase: `${userAt}${host}:`,
+			httpsBase: `https://${host}/`
+		};
+	}
+	let parsed;
+	try {
+		parsed = new URL(url);
+	} catch {
+		return null;
+	}
+	if (parsed.protocol !== "ssh:") return null;
+	if (parsed.password.length > 0) return null;
+	if (!parsed.hostname) return null;
+	if (parsed.port && parsed.port !== "22") return null;
+	const userAt = parsed.username.length > 0 ? `${parsed.username}@` : "";
+	return {
+		sshBase: parsed.port ? `ssh://${userAt}${parsed.hostname}:${parsed.port}/` : `ssh://${userAt}${parsed.hostname}/`,
+		httpsBase: `https://${parsed.hostname}/`
+	};
+}
+/**
+* Same shape as `SCP_LIKE_SSH_RE` in the shared schema — kept in sync so
+* what the schema accepts is exactly what we route through the SSH-side
+* fallback. Single source of truth would be ideal, but cross-package import
+* for a regex isn't worth the build coupling.
+*/
+const SCP_LIKE_RE = /^(?:[A-Za-z0-9_.-]+@)?[A-Za-z0-9.-]+:(?!\d+(?:\/|$))[^/:@\s][^:@\s]*$/;
+function pickFallbackDirection(originUrl) {
+	if (/^https:\/\//i.test(originUrl)) {
+		const r = httpsToSshBaseRewrite(originUrl);
+		if (!r) return null;
+		return {
+			fromProtocol: "https",
+			toProtocol: "ssh",
+			originBase: r.httpsBase,
+			peerBase: r.sshBase,
+			shouldRetry: isLikelyHttpsAuthFailure
+		};
+	}
+	if (/^ssh:\/\//i.test(originUrl) || SCP_LIKE_RE.test(originUrl)) {
+		const r = sshToHttpsBaseRewrite(originUrl);
+		if (!r) return null;
+		return {
+			fromProtocol: "ssh",
+			toProtocol: "https",
+			originBase: r.sshBase,
+			peerBase: r.httpsBase,
+			shouldRetry: isLikelySshAuthFailure
+		};
+	}
+	return null;
+}
+function truncate(text, max = 512) {
+	if (text.length <= max) return text;
+	return `${text.slice(0, max)}…[truncated]`;
+}
+/**
 * InputController — push-based async iterable bridge.
 *
 * Bridges imperative `push()` calls to the `AsyncIterable` that
@@ -8680,7 +9029,7 @@ async function onboardCreate(args) {
 	}
 	const runtimeAgent = args.type === "human" ? args.assistant : args.id;
 	if (args.feishuBotAppId && args.feishuBotAppSecret) {
-		const { bindFeishuBot } = await import("./feishu-C6qlhju2.mjs").then((n) => n.r);
+		const { bindFeishuBot } = await import("./feishu-fLnwqCOs.mjs").then((n) => n.r);
 		const targetAgentUuid = args.type === "human" ? assistantUuid : primary.uuid;
 		if (!targetAgentUuid) print.line(`Warning: Cannot bind Feishu bot — no runtime agent available for "${args.id}".\n`);
 		else {
@@ -9893,7 +10242,7 @@ function createFeedbackHandler(config) {
 	return { handle };
 }
 //#endregion
-//#region ../server/dist/app-CVe_gn9M.mjs
+//#region ../server/dist/app-CkYiQS_D.mjs
 var import_fastify_opentelemetry = /* @__PURE__ */ __toESM(require_fastify_opentelemetry(), 1);
 init_esm();
 var __defProp = Object.defineProperty;
@@ -15388,19 +15737,26 @@ async function deleteOrgSetting(db, orgId, namespace) {
 	await db.delete(organizationSettings).where(and(eq(organizationSettings.organizationId, orgId), eq(organizationSettings.namespace, namespace)));
 }
 /**
-* Resolve the caller's "primary org" — the earliest-joined active
-* membership for the given user. Used by user-scoped routes that
-* historically didn't take an `:orgId` (e.g. `/context-tree/info`) so
-* the SDK call shape doesn't have to change while the per-tenant lookup
-* still happens correctly.
+* Resolve the caller's "primary org" for user-scoped routes that
+* historically didn't take an `:orgId` (e.g. `/context-tree/info`,
+* `/context-tree/snapshot`).
+*
+* Uses the same `pickDefaultMembership` helper that `/me` uses to compute
+* `defaultOrganizationId` (most-recently-active membership, id desc tie-break).
+* That guarantees the org `/me` reports as the default is the same org these
+* server-internal lookups read from — earlier the two sides used opposite
+* orderings (`/me` desc, this fn asc), so multi-org users saw `/info`
+* resolve to a different (often unconfigured) org than the one Team Settings
+* was edited for.
 *
-* Returns `null` for users with no active membership. Tightening to
-* "explicit org selector" is a future change-once-multi-org-clients-arrive
-* concern. (#7)
+* Returns `null` for users with no active membership.
 */
 async function resolveUserPrimaryOrgId(db, userId) {
-	const [row] = await db.select({ organizationId: members.organizationId }).from(members).where(and(eq(members.userId, userId), eq(members.status, "active"))).orderBy(asc(members.createdAt)).limit(1);
-	return row?.organizationId ?? null;
+	return pickDefaultMembership(await db.select({
+		id: members.id,
+		organizationId: members.organizationId,
+		createdAt: members.createdAt
+	}).from(members).where(and(eq(members.userId, userId), eq(members.status, "active"))))?.organizationId ?? null;
 }
 async function contextTreeInfoRoutes(app) {
 	/**
@@ -16333,7 +16689,7 @@ function ghostNodeId(path) {
 function toPosix(path) {
 	return sep === "/" ? path : path.split(sep).join("/");
 }
-const querySchema = z.object({ window: z.enum([
+const querySchema$1 = z.object({ window: z.enum([
 	"1d",
 	"7d",
 	"30d"
@@ -16344,7 +16700,7 @@ async function contextTreeSnapshotRoutes(app) {
 		timeWindow: "1 minute",
 		keyGenerator: (request) => request.user?.userId ?? request.ip
 	} } }, async (request) => {
-		const query = querySchema.parse(request.query);
+		const query = querySchema$1.parse(request.query);
 		const { userId } = requireUser(request);
 		const orgId = await resolveUserPrimaryOrgId(app.db, userId);
 		const binding = orgId ? await getOrgContextTree(app.db, orgId) : {};
@@ -16482,7 +16838,7 @@ async function healthzRoutes(app) {
 * `api/orgs/invitations.ts` (Class B, admin-gated).
 */
 async function publicInvitationRoutes(app) {
-	const { previewInvitation } = await import("./invitation-C299fxkP-KyCNax4T.mjs");
+	const { previewInvitation } = await import("./invitation-C299fxkP-B89eqDos.mjs");
 	app.get("/:token/preview", async (request, reply) => {
 		if (!request.params.token) throw new UnauthorizedError("Token required");
 		const preview = await previewInvitation(app.db, request.params.token);
@@ -16662,7 +17018,7 @@ async function meRoutes(app) {
 	*/
 	app.get("/me/pinned-agents", async (request) => {
 		const { userId } = requireUser(request);
-		const { listMyPinnedAgents } = await import("./client-BhCtO2df-BGOu-rRN.mjs");
+		const { listMyPinnedAgents } = await import("./client-WubcgX-W-B2bOvgJ1.mjs");
 		return listMyPinnedAgents(app.db, { userId });
 	});
 	/**
@@ -17136,6 +17492,34 @@ async function orgClientRoutes(app) {
 		}));
 	});
 }
+const querySchema = z.object({ window: z.enum([
+	"1d",
+	"7d",
+	"30d"
+]).optional() }).strict();
+async function orgContextTreeSnapshotRoutes(app) {
+	app.get("/snapshot", { config: { rateLimit: {
+		max: app.config.rateLimit?.contextTreeSnapshotMax ?? 6,
+		timeWindow: "1 minute",
+		keyGenerator: (request) => `${request.user?.userId ?? request.ip}:${orgIdParam(request.params) ?? "unknown-org"}`
+	} } }, async (request) => {
+		const query = querySchema.parse(request.query);
+		const scope = await requireOrgMembership(request, app.db);
+		const binding = await getOrgContextTree(app.db, scope.organizationId);
+		const githubToken = contextTreeGithubTokenForRepo(binding.repo, app.config.contextTreeSync);
+		const snapshot = await getContextTreeSnapshot({
+			...binding,
+			githubToken
+		}, query.window ?? "7d");
+		return contextTreeSnapshotSchema.parse(snapshot);
+	});
+}
+function orgIdParam(params) {
+	if (!params || typeof params !== "object") return null;
+	if (!("orgId" in params)) return null;
+	const orgId = params.orgId;
+	return typeof orgId === "string" ? orgId : null;
+}
 /**
 * Class B — `/api/v1/orgs/:orgId` itself: read & rename the org row.
 * Replaces the deleted `/admin/organizations/:id` GET/PATCH pair.
@@ -17928,18 +18312,43 @@ async function githubWebhookRoutes(app) {
 			ok: true,
 			event: "ping"
 		});
-		if (eventType === "issues") return handleIssuesEvent(app, orgId, eventType, payload, reply);
-		if (eventType === "issue_comment") return handleIssueCommentEvent(app, orgId, eventType, payload, reply);
-		let mentionsRouted = 0;
-		const allowedActions = MENTION_ACTIONS[eventType];
-		const action = isRecord(payload) && typeof payload.action === "string" ? payload.action : void 0;
-		if (allowedActions && action && allowedActions.includes(action)) mentionsRouted = await handleMentionDelegation(app, orgId, eventType, payload);
-		return reply.status(200).send({
-			ok: true,
-			event: eventType,
-			handled: mentionsRouted > 0,
-			mentionsRouted
-		});
+		const deliveryHeader = request.headers["x-github-delivery"];
+		const deliveryId = typeof deliveryHeader === "string" && deliveryHeader.length > 0 ? deliveryHeader : null;
+		if (deliveryId) {
+			if (!await claimEvent(app.db, deliveryId, "github")) {
+				log$1.info({
+					deliveryId,
+					eventType
+				}, "duplicate GitHub delivery, skipping");
+				return reply.status(200).send({
+					ok: true,
+					event: eventType,
+					deduped: true
+				});
+			}
+		}
+		try {
+			if (eventType === "issues") return await handleIssuesEvent(app, orgId, eventType, payload, reply);
+			if (eventType === "issue_comment") return await handleIssueCommentEvent(app, orgId, eventType, payload, reply);
+			let mentionsRouted = 0;
+			const allowedActions = MENTION_ACTIONS[eventType];
+			const action = isRecord(payload) && typeof payload.action === "string" ? payload.action : void 0;
+			if (allowedActions && action && allowedActions.includes(action)) mentionsRouted = await handleMentionDelegation(app, orgId, eventType, payload);
+			return reply.status(200).send({
+				ok: true,
+				event: eventType,
+				handled: mentionsRouted > 0,
+				mentionsRouted
+			});
+		} catch (err) {
+			if (deliveryId) await unclaimEvent(app.db, deliveryId, "github").catch((unclaimErr) => {
+				log$1.error({
+					err: unclaimErr,
+					deliveryId
+				}, "failed to unclaim GitHub delivery after handler error");
+			});
+			throw err;
+		}
 	});
 }
 /** Extract text body from any GitHub webhook event for @mention scanning. */
@@ -19748,6 +20157,7 @@ async function buildApp(config) {
 			await scope.register(orgInvitationRoutes, { prefix: "/invitations" });
 			await scope.register(orgMemberRoutes, { prefix: "/members" });
 			await scope.register(orgSettingsRoutes, { prefix: "/settings" });
+			await scope.register(orgContextTreeSnapshotRoutes, { prefix: "/context-tree" });
 		}), { prefix: "/orgs/:orgId" });
 		await api.register(orgWsRoutes(notifier, config.secrets.jwtSecret), { prefix: "/orgs/:orgId/ws" });
 		await api.register(userScope("resourcesScope", async (scope) => {