@agent-team-foundation/first-tree-hub 0.12.3 → 0.12.5

package/dist/{saas-connect-_lNV0Liy.mjs → saas-connect-DYjvx5yr.mjs}

@@ -2,10 +2,10 @@ import { a as __toCommonJS, o as __toESM, t as __commonJSMin } from "./chunk-BSw
 import { A as FIRST_TREE_HUB_ATTR, C as stampOrgScope, D as untrustedAttrs, E as startWsConnectionSpan, M as require_pino, O as withSpan, S as stampChatResource, _ as rootLogger$1, a as buildRateLimitError, c as currentTraceId, g as reportErrorToRoot, i as bodyCaptureOnSendHook, j as redactUrl, k as withWsMessageSpan, l as decodeJwtForTrace, m as observabilityPlugin, n as applyLoggerConfig, o as classifyJoseError, r as attachRequestContext, s as createLogger$1, t as adapterAttrs, u as endWsConnectionSpan, x as stampAgentResource, y as setWsConnectionAttrs } from "./observability-BAScT_5S-BcW9HgkG.mjs";
 import { C as resetConfigMeta, E as setConfigValue, S as resetConfig, T as serverConfigSchema, b as migrateLegacyHome, c as resolveServerUrl, d as DEFAULT_CONFIG_DIR, f as DEFAULT_DATA_DIR$1, g as collectMissingPrompts, h as clientConfigSchema, i as ensureFreshAccessToken, l as saveAgentConfig, m as agentConfigSchema, o as loadCredentials, p as DEFAULT_HOME_DIR$1, u as saveCredentials, v as initConfig, w as resolveConfigReadonly, y as loadAgents } from "./bootstrap-C_K2CKXC.mjs";
 import { a as print, i as blank, n as CLI_USER_AGENT, r as COMMAND_VERSION, s as status, t as cliFetch } from "./cli-fetch--tiwKm5S.mjs";
-import { $ as loginSchema, A as createAgentSchema, At as updateTaskStatusSchema, B as githubCallbackQuerySchema, C as agentTypeSchema$1, Ct as updateAdapterConfigSchema, D as contextTreeSnapshotSchema, Dt as updateClientCapabilitiesSchema, E as connectTokenExchangeSchema, Et as updateChatSchema, F as createTaskSchema, G as inboxDeliverFrameSchema$1, H as githubStartQuerySchema, I as defaultRuntimeConfigPayload, J as isRedactedEnvValue, K as inboxPollQuerySchema, L as delegateFeishuUserSchema, M as createMeChatSchema, N as createMemberSchema, O as createAdapterConfigSchema, Ot as updateMemberSchema, P as createOrgFromMeSchema, Q as listMeChatsQuerySchema, R as dryRunAgentRuntimeConfigSchema, S as agentRuntimeConfigPayloadSchema$1, St as taskListQuerySchema, T as clientRegisterSchema, Tt as updateAgentSchema, U as imageInlineContentSchema, V as githubDevCallbackQuerySchema, W as inboxAckFrameSchema, X as joinByInvitationSchema, Y as isReservedAgentName$1, Z as linkTaskChatSchema, _ as addParticipantSchema, _t as sessionEventSchema$1, a as AGENT_STATUSES, b as agentBindRequestSchema, bt as stripCode, ct as refreshTokenSchema, d as TASK_CREATOR_TYPES, et as messageSourceSchema$1, f as TASK_HEALTH_SIGNALS, ft as selfServiceFeishuBotSchema, g as addMeChatParticipantsSchema, gt as sessionEventMessageSchema, h as WS_AUTH_FRAME_TIMEOUT_MS, ht as sessionCompletionMessageSchema, i as AGENT_SOURCES, it as patchOnboardingSchema, j as createChatSchema, jt as wsAuthFrameSchema, k as createAdapterMappingSchema, kt as updateOrganizationSchema, l as MENTION_REGEX, lt as runtimeStateMessageSchema, m as TASK_TERMINAL_STATUSES, mt as sendToAgentSchema, n as AGENT_NAME_REGEX$1, nt as onboardingEventSchema, o as AGENT_TYPES, p as TASK_STATUSES, pt as sendMessageSchema, q as isOrgSettingNamespace, r as AGENT_SELECTOR_HEADER$1, rt as paginationQuerySchema, s as AGENT_VISIBILITY, st as rebindAgentSchema, t as AGENT_BIND_REJECT_REASONS, tt as notificationQuerySchema, u as ORG_SETTINGS_NAMESPACES$1, ut as safeRedirectPath, v as adminCreateTaskSchema, vt as sessionReconcileRequestSchema, wt as updateAgentRuntimeConfigSchema, x as agentPinnedMessageSchema$1, xt as submitQuestionAnswerSchema, y as adminUpdateTaskSchema, yt as sessionStateMessageSchema } from "./dist-DHHd2dar.mjs";
+import { $ as refreshTokenSchema, A as dryRunAgentRuntimeConfigSchema, B as isRedactedEnvValue, C as createAgentSchema, D as createOrgFromMeSchema, E as createMemberSchema, F as imageInlineContentSchema, G as messageSourceSchema$1, H as joinByInvitationSchema, I as inboxAckFrameSchema, J as paginationQuerySchema, K as notificationQuerySchema, L as inboxDeliverFrameSchema$1, M as githubCallbackQuerySchema, N as githubDevCallbackQuerySchema, O as defaultRuntimeConfigPayload, P as githubStartQuerySchema, Q as rebindAgentSchema, R as inboxPollQuerySchema, S as createAdapterMappingSchema, T as createMeChatSchema, U as listMeChatsQuerySchema, V as isReservedAgentName$1, W as loginSchema, Y as patchOnboardingSchema, _t as updateClientCapabilitiesSchema, a as AGENT_VISIBILITY, at as sendToAgentSchema, b as contextTreeSnapshotSchema, bt as wsAuthFrameSchema, c as ORG_SETTINGS_NAMESPACES$1, ct as sessionEventSchema$1, d as addParticipantSchema, dt as stripCode, et as runtimeStateMessageSchema, f as agentBindRequestSchema, ft as submitQuestionAnswerSchema, g as chatMetadataSchema$1, gt as updateChatSchema, h as agentTypeSchema$1, ht as updateAgentSchema, i as AGENT_STATUSES, it as sendMessageSchema, k as delegateFeishuUserSchema, l as WS_AUTH_FRAME_TIMEOUT_MS, lt as sessionReconcileRequestSchema, m as agentRuntimeConfigPayloadSchema$1, mt as updateAgentRuntimeConfigSchema, n as AGENT_NAME_REGEX$1, ot as sessionCompletionMessageSchema, p as agentPinnedMessageSchema$1, pt as updateAdapterConfigSchema, q as onboardingEventSchema, r as AGENT_SELECTOR_HEADER$1, rt as selfServiceFeishuBotSchema, s as MENTION_REGEX, st as sessionEventMessageSchema, t as AGENT_BIND_REJECT_REASONS, tt as safeRedirectPath, u as addMeChatParticipantsSchema, ut as sessionStateMessageSchema, v as clientRegisterSchema, vt as updateMemberSchema, w as createChatSchema, x as createAdapterConfigSchema, y as connectTokenExchangeSchema, yt as updateOrganizationSchema, z as isOrgSettingNamespace } from "./dist-BwPlBZWi.mjs";
 import { a as ConflictError, c as UnauthorizedError, i as ClientUserMismatchError$1, l as organizations, n as BadRequestError, o as ForbiddenError, r as ClientOrgMismatchError$1, s as NotFoundError, t as AppError, u as users } from "./errors-CF5evtJt-B0NTIVPt.mjs";
 import { n as init_esm, r as trace, t as esm_exports } from "./esm-iadMkGbV.mjs";
-import { $ as pendingQuestions, A as heartbeatClient, B as listAgentsWithRuntime, C as findOrCreateDirectChat, D as getClient, E as getChatDetail, F as joinChat, G as listClientsForOrgAdmin, H as listChats, I as leaveAsParticipant, J as markStaleAgents, K as listMessages, L as leaveChat, M as inboxEntries, N as invalidateChatAudience, O as getOnlineCount, P as joinAsParticipant, Q as notifyRecipients, R as listActiveAgentsPinnedToClient, S as ensureParticipant$1, T as getCachedAudience, U as listChatsForMember, V as listChatParticipantsWithNames, W as listClients, X as members, Y as markSupersededByChat, Z as messages, _ as createNotifier, _t as updateClientCapabilities, a as agents, at as removeParticipant, b as editMessage, c as bindAgent, ct as retireClient, d as chats, dt as serverInstances, et as recomputeChatWatchers, f as claimClient, ft as setOffline, g as createChat, gt as unbindAgent, h as clients, ht as touchAgent, i as agentVisibilityCondition, it as registerClient, j as heartbeatInstance, k as getPresence, l as chatParticipants, lt as sendMessage, m as cleanupStalePresence, mt as submitAnswer, n as agentChatSessions, nt as recomputeWatchersForMember, o as assertClientOwner, ot as resetActivity, p as cleanupStaleClients, pt as setRuntimeState, r as agentPresence, rt as registerChatMessageDispatcher, s as assertParticipant, st as resolveChatMembership, t as addParticipant, tt as recomputeWatchersForAgent, u as chatSubscriptions, ut as sendToAgent$1, v as deriveAuthState, vt as upsertSessionState, w as getActivityOverview, x as ensureCanJoin, y as disconnectClient, z as listAgentsManagedByUser } from "./client-D1TDiik_-gxtXN9bj.mjs";
+import { $ as pendingQuestions, A as heartbeatClient, B as listAgentsWithRuntime, C as findOrCreateDirectChat, D as getClient, E as getChatDetail, F as joinChat, G as listClientsForOrgAdmin, H as listChats, I as leaveAsParticipant, J as markStaleAgents, K as listMessages, L as leaveChat, M as inboxEntries, N as invalidateChatAudience, O as getOnlineCount, P as joinAsParticipant, Q as notifyRecipients, R as listActiveAgentsPinnedToClient, S as ensureParticipant$1, T as getCachedAudience, U as listChatsForMember, V as listChatParticipantsWithNames, W as listClients, X as members, Y as markSupersededByChat, Z as messages, _ as createNotifier, _t as updateClientCapabilities, a as agents, at as removeParticipant, b as editMessage, c as bindAgent, ct as retireClient, d as chats, dt as serverInstances, et as recomputeChatWatchers, f as claimClient, ft as setOffline, g as createChat, gt as unbindAgent, h as clients, ht as touchAgent, i as agentVisibilityCondition, it as registerClient, j as heartbeatInstance, k as getPresence, l as chatParticipants, lt as sendMessage, m as cleanupStalePresence, mt as submitAnswer, n as agentChatSessions, nt as recomputeWatchersForMember, o as assertClientOwner, ot as resetActivity, p as cleanupStaleClients, pt as setRuntimeState, r as agentPresence, rt as registerChatMessageDispatcher, s as assertParticipant, st as resolveChatMembership, t as addParticipant, tt as recomputeWatchersForAgent, u as chatSubscriptions, ut as sendToAgent$1, v as deriveAuthState, vt as upsertSessionState, w as getActivityOverview, x as ensureCanJoin, y as disconnectClient, z as listAgentsManagedByUser } from "./client-DL5vHhvQ-CnYGq2x-.mjs";
 import { a as invitationRedemptions, c as recordRedemption, i as getActiveInvitation, l as rotateInvitation, n as ensureActiveInvitation, o as invitations, r as findActiveByToken, t as buildInviteUrl, u as uuidv7 } from "./invitation-Bg0TRiyx-BsZH4GCS.mjs";
 import { createRequire } from "node:module";
 import { ZodError, z } from "zod";
@@ -730,6 +730,30 @@ z.object({
 	expiresIn: z.number(),
 	command: z.string()
 });
+const githubEntityTypeSchema = z.enum([
+	"issue",
+	"pull_request",
+	"discussion",
+	"commit"
+]);
+const githubChatMetadataSchema = z.object({
+	source: z.literal("github"),
+	entityType: githubEntityTypeSchema,
+	entityKey: z.string().min(1),
+	entityUrl: z.string().url().optional()
+});
+const feishuChatMetadataSchema = z.object({
+	source: z.literal("feishu"),
+	externalChannelId: z.string().min(1)
+});
+const chatMetadataSchema = z.discriminatedUnion("source", [githubChatMetadataSchema, feishuChatMetadataSchema]);
+/**
+* `createChat` callers may not set metadata at all (admin-created group chats,
+* me-chats, …), so the input schema accepts either an empty object or one of
+* the typed variants. The empty `{}` arm is `.strict()` so a caller cannot
+* sneak through `{ source: "github" }` without the required fields.
+*/
+const optionalChatMetadataSchema = z.union([z.object({}).strict(), chatMetadataSchema]);
 const chatTypeSchema = z.enum([
 	"direct",
 	"group",
@@ -739,7 +763,7 @@ z.object({
 	type: chatTypeSchema,
 	topic: z.string().max(500).optional(),
 	participantIds: z.array(z.string()).min(1),
-	metadata: z.record(z.string(), z.unknown()).optional()
+	metadata: optionalChatMetadataSchema.optional()
 });
 const chatParticipantSchema = z.object({
 	agentId: z.string(),
@@ -1015,7 +1039,6 @@ const messageFormatSchema = z.enum([
 	"card",
 	"reference",
 	"file",
-	"task",
 	"question",
 	"question_answer"
 ]);
@@ -1199,9 +1222,7 @@ const meChatRowSchema = z.object({
 	lastMessageAt: z.string().nullable(),
 	lastMessagePreview: z.string().nullable(),
 	unreadMentionCount: z.number().int(),
-	canReply: z.boolean(),
-	taskId: z.string().nullable(),
-	taskStatus: z.string().nullable()
+	canReply: z.boolean()
 });
 z.object({
 	rows: z.array(meChatRowSchema),
@@ -1677,94 +1698,6 @@ z.object({
 	totalMessages: z.number(),
 	byOrganization: z.array(orgStatsSchema)
 });
-const taskStatusSchema = z.enum([
-	"pending",
-	"assigned",
-	"working",
-	"completed",
-	"failed",
-	"cancelled"
-]);
-const taskCreatorTypeSchema = z.enum(["agent", "admin"]);
-const taskMessageEventSchema = z.enum([
-	"assigned",
-	"status_changed",
-	"cancelled"
-]);
-z.object({
-	taskId: z.string(),
-	event: taskMessageEventSchema,
-	title: z.string(),
-	body: z.string().default(""),
-	status: taskStatusSchema,
-	fromStatus: taskStatusSchema.optional(),
-	originRef: z.string().nullable().optional()
-});
-z.object({
-	title: z.string().min(1).max(500),
-	body: z.string().optional(),
-	assigneeAgentId: z.string().optional(),
-	originRef: z.string().max(500).optional(),
-	metadata: z.record(z.string(), z.unknown()).optional()
-}).extend({ organizationId: z.string().optional() });
-z.object({
-	status: z.enum([
-		"working",
-		"completed",
-		"failed"
-	]),
-	result: z.string().optional()
-});
-z.object({
-	assigneeAgentId: z.string().nullable().optional(),
-	status: taskStatusSchema.optional(),
-	result: z.string().optional()
-});
-z.object({ chatId: z.string().min(1) });
-const taskSchema = z.object({
-	id: z.string(),
-	organizationId: z.string(),
-	title: z.string(),
-	body: z.string(),
-	status: taskStatusSchema,
-	assigneeAgentId: z.string().nullable(),
-	createdByType: taskCreatorTypeSchema,
-	createdById: z.string(),
-	originRef: z.string().nullable(),
-	result: z.string().nullable(),
-	metadata: z.record(z.string(), z.unknown()),
-	createdAt: z.string(),
-	updatedAt: z.string(),
-	cancelledAt: z.string().nullable(),
-	cancelledByType: taskCreatorTypeSchema.nullable(),
-	cancelledById: z.string().nullable()
-});
-const taskChatLinkSchema = z.object({
-	taskId: z.string(),
-	chatId: z.string(),
-	linkedByAgentId: z.string().nullable(),
-	linkedAt: z.string()
-});
-taskSchema.extend({ chats: z.array(taskChatLinkSchema) });
-z.object({
-	status: taskStatusSchema.optional(),
-	assigneeAgentId: z.string().optional(),
-	originRef: z.string().optional(),
-	limit: z.coerce.number().int().min(1).max(100).default(20),
-	cursor: z.string().optional()
-});
-const taskHealthSignalSchema = z.enum([
-	"normal",
-	"idle_island",
-	"awaiting_reply",
-	"no_chat",
-	"not_applicable"
-]);
-z.object({
-	taskId: z.string(),
-	signal: taskHealthSignalSchema,
-	reason: z.string()
-});
 const userStatusSchema = z.enum(["active", "suspended"]);
 z.object({
 	id: z.string(),
@@ -2876,7 +2809,126 @@ function getHandlerFactory(type) {
 	}
 	return factory;
 }
-join(DEFAULT_DATA_DIR, "context-tree");
+const CONTEXT_TREE_DIR = join(DEFAULT_DATA_DIR, "context-tree");
+/**
+* Sync the shared Context Tree git clone.
+*
+* Clones on first run, pulls on subsequent runs.
+* Returns the binding on success, null on failure (graceful degradation).
+*/
+async function syncContextTree(serverUrl, getAccessToken, log, userAgent) {
+	try {
+		execFileSync("git", ["--version"], { stdio: "ignore" });
+	} catch {
+		log("Context Tree sync skipped: git is not installed");
+		return null;
+	}
+	let repo;
+	let branch;
+	try {
+		const config = await new FirstTreeHubSDK({
+			serverUrl,
+			getAccessToken,
+			userAgent
+		}).getContextTreeConfig();
+		if (!config.repo) {
+			log("Context Tree sync skipped: not configured on server");
+			return null;
+		}
+		repo = config.repo;
+		branch = config.branch ?? "main";
+	} catch (err) {
+		log(`Context Tree sync skipped: failed to fetch config from server (${err instanceof Error ? err.message : String(err)})`);
+		return null;
+	}
+	try {
+		if (existsSync(join(CONTEXT_TREE_DIR, ".git"))) {
+			if (execFileSync("git", [
+				"rev-parse",
+				"--abbrev-ref",
+				"HEAD"
+			], {
+				cwd: CONTEXT_TREE_DIR,
+				encoding: "utf-8",
+				timeout: 5e3
+			}).trim() !== branch) {
+				execFileSync("git", ["checkout", branch], {
+					cwd: CONTEXT_TREE_DIR,
+					stdio: "pipe",
+					timeout: 1e4
+				});
+				log(`Context Tree switched to branch ${branch}`);
+			}
+			execFileSync("git", ["pull", "--ff-only"], {
+				cwd: CONTEXT_TREE_DIR,
+				stdio: "pipe",
+				timeout: 3e4
+			});
+			log(`Context Tree updated (pull)`);
+		} else {
+			mkdirSync(CONTEXT_TREE_DIR, { recursive: true });
+			execFileSync("git", [
+				"clone",
+				"--branch",
+				branch,
+				"--single-branch",
+				repo,
+				CONTEXT_TREE_DIR
+			], {
+				stdio: "pipe",
+				timeout: 6e4
+			});
+			log(`Context Tree cloned from ${repo} (branch: ${branch})`);
+		}
+		return {
+			path: CONTEXT_TREE_DIR,
+			repoUrl: repo,
+			branch
+		};
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		log(`Context Tree sync failed: ${msg}`);
+		log("Check that git credentials (SSH key or credential helper) are configured for this repo");
+		if ((msg.includes("cannot fast-forward") || msg.includes("not possible to fast-forward") || msg.includes("CONFLICT")) && existsSync(join(CONTEXT_TREE_DIR, ".git"))) {
+			log("Diverged history detected, attempting fresh clone...");
+			try {
+				rmSync(CONTEXT_TREE_DIR, {
+					recursive: true,
+					force: true
+				});
+				mkdirSync(CONTEXT_TREE_DIR, { recursive: true });
+				execFileSync("git", [
+					"clone",
+					"--branch",
+					branch,
+					"--single-branch",
+					repo,
+					CONTEXT_TREE_DIR
+				], {
+					stdio: "pipe",
+					timeout: 6e4
+				});
+				log("Context Tree re-cloned successfully");
+				return {
+					path: CONTEXT_TREE_DIR,
+					repoUrl: repo,
+					branch
+				};
+			} catch {
+				log("Context Tree re-clone also failed, continuing without context");
+			}
+		}
+		if (existsSync(join(CONTEXT_TREE_DIR, ".git"))) {
+			log("Using existing Context Tree clone despite sync failure");
+			return {
+				path: CONTEXT_TREE_DIR,
+				repoUrl: repo,
+				branch
+			};
+		}
+		return null;
+	}
+}
 /**
 * Marker file written into every workspace so the Codex CLI's project-root
 * detection (configured via `project_root_markers: ["first-tree-workspace"]`)
@@ -3003,7 +3055,8 @@ function generateToolsDoc() {
 You are running inside **Agent Hub**, a messaging platform for agent teams.
 
 - Messages from other team members arrive as your prompt input
-- Each message includes a \`[From: sender-id]\` header so you know who sent it
+- Each message includes a \`[From: <agent-name>]\` header — that name is also
+  what you pass back to \`agent send\` to reply to or address that agent
 - **Your final text response is automatically delivered** to the chat — just respond normally
 - For **proactive communication** (sending to other agents, other chats, or structured data),
   use the \`first-tree-hub\` CLI below
@@ -3018,8 +3071,8 @@ These are injected automatically when the agent process starts:
 |----------|-------------|
 | \`FIRST_TREE_HUB_SERVER_URL\` | Server address for API calls |
 | \`FIRST_TREE_HUB_ACCESS_TOKEN\` | User member access JWT (short-lived) |
-| \`FIRST_TREE_HUB_AGENT_ID\` | Your agent UUID — send as \`X-Agent-Id\` |
-| \`FIRST_TREE_HUB_CHAT_ID\` | Current chat context ID |
+| \`FIRST_TREE_HUB_AGENT_ID\` | YOUR own agent UUID. The CLI reads it to identify you as the sender — never pass it as a \`send\` target. |
+| \`FIRST_TREE_HUB_CHAT_ID\` | The chat this session is currently bound to. The CLI uses it to route messages — you don't need to pass it manually. |
 
 The \`first-tree-hub\` CLI reads these automatically — no extra setup needed.
 
@@ -3029,13 +3082,18 @@ Use the \`first-tree-hub agent send\` CLI — it reads the env vars above and
 attaches the \`Authorization\` + \`X-Agent-Id\` headers automatically:
 
 \`\`\`bash
-# Send to another agent — target is the agent NAME, NOT a uuid.
-# Names are stable (set on creation, immutable, unique in the org).
+# Send to another agent — first positional argument is the recipient's NAME
+# (NOT a uuid; uuids in chat history / participant lists are not accepted).
 # Run \`first-tree-hub agent list\` to see available names.
+#
+# Routing: if the recipient is a participant of your current chat (typically
+# the case in a group chat where someone @-mentioned you to talk to them),
+# the message stays in that chat. Otherwise it falls back to a direct chat
+# between you and the recipient. You don't need to think about which.
 first-tree-hub agent send <agentName> "your message"
 
-# Send to a chat (target is a chat UUID; use this when replying into a
-# specific chat, e.g. a group where you were mentioned)
+# Send into a specific chat by id — use this only when you explicitly want
+# to address a chat your current session is NOT bound to.
 first-tree-hub agent send --chat <chatId> "your message"
 
 # Send markdown (default format is text)
@@ -6894,6 +6952,36 @@ function resolveReplyToFromEnv(env, override) {
 		replyToChat: override.replyToChat ?? (envComplete ? envChatId : void 0)
 	};
 }
+function resolveSenderName(input) {
+	const { override, envAgentId, agents } = input;
+	if (agents.size === 0) return { kind: "none" };
+	if (override) return {
+		kind: "ok",
+		name: override
+	};
+	if (envAgentId) {
+		for (const [name, cfg] of agents) if (cfg.agentId === envAgentId) return {
+			kind: "ok",
+			name
+		};
+		return {
+			kind: "envMismatch",
+			envAgentId,
+			available: [...agents.keys()]
+		};
+	}
+	if (agents.size === 1) {
+		const [only] = [...agents.keys()];
+		if (only) return {
+			kind: "ok",
+			name: only
+		};
+	}
+	return {
+		kind: "ambiguous",
+		available: [...agents.keys()]
+	};
+}
 //#endregion
 //#region src/core/admin.ts
 /**
@@ -7213,6 +7301,14 @@ var ClientRuntime = class {
 	watcher = null;
 	debounceTimer = null;
 	/**
+	* Per-org Context Tree binding resolved at `start()`. Threaded through every
+	* `slot.start()` so handlers can copy `AGENT.md` / root `NODE.md` into the
+	* agent workspace's `.agent/context/` and install the first-tree skill.
+	* `null` when the user has no primary org, the org has no tree configured,
+	* or git sync failed — handlers degrade gracefully (empty context dir).
+	*/
+	contextTreeBinding = null;
+	/**
 	* Directory we write auto-registered agent configs into (same path that
 	* `first-tree-hub agent add` uses). Set by `watchAgentsDir` so the
 	* `agent:pinned` handler knows where to materialise new configs.
@@ -7272,6 +7368,7 @@ var ClientRuntime = class {
 		this.agentIds.add(config.agentId);
 	}
 	async start() {
+		this.contextTreeBinding = await syncContextTree(this.serverUrl, (opts) => ensureFreshAccessToken(opts), (msg) => print.status("[context-tree]", msg), CLI_USER_AGENT);
 		if (this.options.currentVersion && this.options.update) this.updateManager = UpdateManager.attach(this.connection, {
 			currentVersion: this.options.currentVersion,
 			...this.options.update,
@@ -7290,7 +7387,7 @@ var ClientRuntime = class {
 		}
 		await Promise.allSettled(this.agents.map(async (agent) => {
 			try {
-				const identity = await agent.slot.start();
+				const identity = await agent.slot.start(this.contextTreeBinding);
 				print.check(true, `${agent.name}: connected`, `agent: ${identity.displayName ?? identity.agentId}`);
 			} catch (error) {
 				const msg = error instanceof Error ? error.message : String(error);
@@ -7417,7 +7514,7 @@ var ClientRuntime = class {
 	startAgent(name) {
 		const entry = this.agents.find((a) => a.name === name);
 		if (!entry) return;
-		entry.slot.start().then((identity) => {
+		entry.slot.start(this.contextTreeBinding).then((identity) => {
 			print.check(true, `${name}: connected`, `agent: ${identity.displayName ?? identity.agentId}`);
 		}).catch((err) => {
 			const msg = err instanceof Error ? err.message : String(err);
@@ -9054,7 +9151,7 @@ async function onboardCreate(args) {
 	}
 	const runtimeAgent = args.type === "human" ? args.assistant : args.id;
 	if (args.feishuBotAppId && args.feishuBotAppSecret) {
-		const { bindFeishuBot } = await import("./feishu-fLnwqCOs.mjs").then((n) => n.r);
+		const { bindFeishuBot } = await import("./feishu-CKGzIamp.mjs").then((n) => n.r);
 		const targetAgentUuid = args.type === "human" ? assistantUuid : primary.uuid;
 		if (!targetAgentUuid) print.line(`Warning: Cannot bind Feishu bot — no runtime agent available for "${args.id}".\n`);
 		else {
@@ -10267,7 +10364,7 @@ function createFeedbackHandler(config) {
 	return { handle };
 }
 //#endregion
-//#region ../server/dist/app-BXdU2BzM.mjs
+//#region ../server/dist/app-kJNM9Cf1.mjs
 var import_fastify_opentelemetry = /* @__PURE__ */ __toESM(require_fastify_opentelemetry(), 1);
 init_esm();
 var __defProp = Object.defineProperty;
@@ -10292,50 +10389,6 @@ const adapterAgentMappings = pgTable("adapter_agent_mappings", {
 	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow()
 }, (table) => [unique("uq_adapter_agent_mapping").on(table.platform, table.externalUserId)]);
 /**
-* Tasks — lightweight work units. Process descriptors, not tickets.
-* Immutable status state machine: pending → assigned → working → (completed | failed | cancelled).
-* Sub-tasks (parent_task_id) are deferred to a later phase.
-*
-* Referential integrity (org / assignee / chat) is enforced at the service layer,
-* not via DB foreign keys — see `services/task.ts`.
-*/
-const tasks = pgTable("tasks", {
-	id: text("id").primaryKey(),
-	organizationId: text("organization_id").notNull(),
-	title: text("title").notNull(),
-	body: text("body").notNull().default(""),
-	status: text("status").$type().notNull(),
-	assigneeAgentId: text("assignee_agent_id"),
-	createdByType: text("created_by_type").$type().notNull(),
-	createdById: text("created_by_id").notNull(),
-	originRef: text("origin_ref"),
-	result: text("result"),
-	metadata: jsonb("metadata").$type().notNull().default({}),
-	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
-	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow(),
-	cancelledAt: timestamp("cancelled_at", { withTimezone: true }),
-	cancelledByType: text("cancelled_by_type").$type(),
-	cancelledById: text("cancelled_by_id")
-}, (table) => [
-	index("idx_tasks_org_status").on(table.organizationId, table.status),
-	index("idx_tasks_assignee_status").on(table.assigneeAgentId, table.status),
-	index("idx_tasks_origin_ref").on(table.originRef),
-	index("idx_tasks_org_created_at").on(table.organizationId, table.createdAt)
-]);
-/**
-* Task ↔ Chat association (M:N). A task may be executed across multiple chats;
-* a chat may host work for multiple tasks over its lifetime.
-*
-* No FK constraints — when a task or chat is deleted, the service layer is
-* responsible for deleting linked rows here first.
-*/
-const taskChats = pgTable("task_chats", {
-	taskId: text("task_id").notNull(),
-	chatId: text("chat_id").notNull(),
-	linkedByAgentId: text("linked_by_agent_id"),
-	linkedAt: timestamp("linked_at", { withTimezone: true }).notNull().defaultNow()
-}, (table) => [primaryKey({ columns: [table.taskId, table.chatId] }), index("idx_task_chats_chat").on(table.chatId)]);
-/**
 * Pull the JWT-verified `UserScope` off the request. The `userAuthHook`
 * middleware populates `request.user` synchronously before any handler
 * runs; this helper just narrows the optional and throws a clean 401 if
@@ -10470,31 +10523,6 @@ async function assertAgentManageableByUser(db, userId, agentUuid) {
 	return scope;
 }
 /**
-* Gate access to a task. Allowed for any active member of the task's org —
-* mirrors the original inline gate in `api/tasks.ts` that this helper
-* replaces. Returns both the task's org row and the caller's resolved
-* `OrgScope`, so handlers can read `scope.memberId` for audit fields.
-*/
-async function requireTaskAccess(request, db) {
-	const { userId } = requireUser(request);
-	const { taskId } = request.params;
-	const [task] = await db.select({ organizationId: tasks.organizationId }).from(tasks).where(eq(tasks.id, taskId)).limit(1);
-	if (!task) throw new NotFoundError(`Task "${taskId}" not found`);
-	const caller = await resolveCallerInOrg(db, userId, task.organizationId);
-	const scope = {
-		userId,
-		organizationId: task.organizationId,
-		memberId: caller.memberId,
-		role: caller.role,
-		humanAgentId: caller.humanAgentId
-	};
-	stampOrgScope(request, scope);
-	return {
-		task,
-		scope
-	};
-}
-/**
 * Assert every agent in `agentIds` is visible to `scope` and lives in
 * `scope.organizationId`. Used by chat-create to keep visibility rules out of
 * the service layer's signature.
@@ -10930,10 +10958,9 @@ async function ensureDefaultOrganization(db) {
 	return org ?? existing;
 }
 /**
-* Names beginning with `__` are reserved for Hub-internal pseudo agents
-* (e.g. the task notifier). User-facing creation must not be able to
-* squat on them, otherwise internal traffic could be routed through a
-* real account.
+* Names beginning with `__` are reserved for Hub-internal pseudo agents.
+* User-facing creation must not be able to squat on them, otherwise
+* internal traffic could be routed through a real account.
 */
 const RESERVED_AGENT_NAME_PREFIX = "__";
 /**
@@ -11503,16 +11530,17 @@ async function findOrCreateChatForChannel(db, data) {
 	return db.transaction(async (tx) => {
 		const [botAgent] = await tx.select({ organizationId: agents.organizationId }).from(agents).where(eq(agents.uuid, data.botAgentId)).limit(1);
 		const orgId = botAgent?.organizationId ?? await resolveDefaultOrgId(db);
+		const metadata = chatMetadataSchema$1.parse({
+			source: data.platform,
+			externalChannelId: data.externalChannelId
+		});
 		await tx.insert(chats).values({
 			id: chatId,
 			organizationId: orgId,
 			type: internalType,
 			topic: data.topic ?? null,
 			lifecyclePolicy: "adapter_managed",
-			metadata: {
-				source: data.platform,
-				externalChannelId: data.externalChannelId
-			}
+			metadata
 		});
 		const participants = data.botAgentId === data.senderAgentId ? [{
 			chatId,
@@ -12143,462 +12171,6 @@ async function agentSendToAgentRoutes(app) {
 		});
 	});
 }
-/** Legal status transitions. Service enforces; API maps violations to 400. */
-const STATUS_TRANSITIONS = {
-	pending: ["assigned", "cancelled"],
-	assigned: ["working", "cancelled"],
-	working: [
-		"completed",
-		"failed",
-		"cancelled"
-	],
-	completed: [],
-	failed: [],
-	cancelled: []
-};
-function isLegalTransition(from, to) {
-	return STATUS_TRANSITIONS[from]?.includes(to) ?? false;
-}
-function isTerminal(status) {
-	return TASK_TERMINAL_STATUSES.includes(status);
-}
-/**
-* Reserved name for the hub-owned task notifier pseudo agent. The `__` prefix
-* is rejected by `createAgent`, so real users cannot squat on this identity.
-*/
-const SYSTEM_TASKS_AGENT_NAME = "__hub_system_tasks";
-/**
-* Ensure a task-notifier pseudo agent exists in the given organization and
-* return its UUID. Used as the sender for task notification messages so they
-* flow through the normal chat/inbox pipeline. Idempotent under concurrent
-* creation via the unique `(organization_id, name)` constraint.
-*/
-async function ensureSystemTasksAgent(db, organizationId) {
-	const [existing] = await db.select({ uuid: agents.uuid }).from(agents).where(and(eq(agents.organizationId, organizationId), eq(agents.name, SYSTEM_TASKS_AGENT_NAME), ne(agents.status, AGENT_STATUSES.DELETED))).limit(1);
-	if (existing) return existing.uuid;
-	const uuid = uuidv7();
-	const inboxId = `inbox_${uuid}`;
-	const [adminMember] = await db.select({ id: members.id }).from(members).where(and(eq(members.organizationId, organizationId), eq(members.role, "admin"))).orderBy(asc(members.createdAt)).limit(1);
-	if (!adminMember) throw new ConflictError(`Cannot create system tasks agent in organization "${organizationId}" — no admin member exists.`);
-	try {
-		const [created] = await db.insert(agents).values({
-			uuid,
-			name: SYSTEM_TASKS_AGENT_NAME,
-			organizationId,
-			type: AGENT_TYPES.AUTONOMOUS_AGENT,
-			displayName: "System · Tasks",
-			inboxId,
-			status: AGENT_STATUSES.ACTIVE,
-			source: AGENT_SOURCES.ADMIN_API,
-			metadata: {
-				system: true,
-				role: "task-notifier"
-			},
-			managerId: adminMember.id
-		}).returning({ uuid: agents.uuid });
-		if (created) return created.uuid;
-	} catch (err) {
-		if ((err?.code ?? err?.cause?.code ?? "") !== "23505") throw err;
-	}
-	const [row] = await db.select({ uuid: agents.uuid }).from(agents).where(and(eq(agents.organizationId, organizationId), eq(agents.name, SYSTEM_TASKS_AGENT_NAME))).limit(1);
-	if (!row) throw new Error("ensureSystemTasksAgent: agent missing after conflict");
-	return row.uuid;
-}
-function resolveCreator(actor) {
-	if (actor.type === "agent") return {
-		type: TASK_CREATOR_TYPES.AGENT,
-		id: actor.agentId
-	};
-	return {
-		type: TASK_CREATOR_TYPES.ADMIN,
-		id: actor.adminId
-	};
-}
-/**
-* Assert the task allows the given agent actor to mutate its chat associations.
-* Only the creator or assignee (for agents) or any admin may do so.
-*/
-function assertCanMutateTaskChats(task, actor) {
-	if (actor.type === "admin") return;
-	const isAssignee = task.assigneeAgentId === actor.agentId;
-	const isCreator = task.createdByType === TASK_CREATOR_TYPES.AGENT && task.createdById === actor.agentId;
-	if (!isAssignee && !isCreator) throw new ForbiddenError("Only the task creator or assignee may modify its chat associations");
-}
-async function loadAssigneeOrThrow(db, assigneeAgentId, expectedOrgId) {
-	const [assignee] = await db.select({
-		uuid: agents.uuid,
-		organizationId: agents.organizationId,
-		status: agents.status
-	}).from(agents).where(eq(agents.uuid, assigneeAgentId)).limit(1);
-	if (!assignee || assignee.status === AGENT_STATUSES.DELETED) throw new BadRequestError(`Assignee agent "${assigneeAgentId}" not found`);
-	if (assignee.organizationId !== expectedOrgId) throw new BadRequestError("Assignee agent belongs to a different organization");
-	if (assignee.status === AGENT_STATUSES.SUSPENDED) throw new BadRequestError(`Assignee agent "${assigneeAgentId}" is suspended`);
-	return assignee;
-}
-/**
-* Create a task.
-*
-* Initial status is determined by assignee:
-*   - no assignee → "pending"
-*   - assignee is an agent and equals the creator → "working" (work-first; no notification)
-*   - assignee set and differs from creator → "assigned" (task-first; notification dispatched)
-*
-* Task-first notifications go through the regular message+inbox pipeline via a per-org
-* task-notifier pseudo agent. The caller is responsible for triggering notifier fan-out
-* using the returned notification recipients.
-*/
-async function createTask(db, actor, input) {
-	const [org] = await db.select({ id: organizations.id }).from(organizations).where(eq(organizations.id, input.organizationId)).limit(1);
-	if (!org) throw new NotFoundError(`Organization "${input.organizationId}" not found`);
-	if (input.assigneeAgentId) await loadAssigneeOrThrow(db, input.assigneeAgentId, input.organizationId);
-	if (actor.type === "agent" && actor.organizationId !== input.organizationId) throw new ForbiddenError("Cannot create tasks in a different organization");
-	const creator = resolveCreator(actor);
-	const selfAssigned = input.assigneeAgentId !== void 0 && actor.type === "agent" && input.assigneeAgentId === actor.agentId;
-	let initialStatus;
-	if (!input.assigneeAgentId) initialStatus = TASK_STATUSES.PENDING;
-	else if (selfAssigned) initialStatus = TASK_STATUSES.WORKING;
-	else initialStatus = TASK_STATUSES.ASSIGNED;
-	const taskId = uuidv7();
-	const [task] = await db.insert(tasks).values({
-		id: taskId,
-		organizationId: input.organizationId,
-		title: input.title,
-		body: input.body ?? "",
-		status: initialStatus,
-		assigneeAgentId: input.assigneeAgentId ?? null,
-		createdByType: creator.type,
-		createdById: creator.id,
-		originRef: input.originRef ?? null,
-		metadata: input.metadata ?? {}
-	}).returning();
-	if (!task) throw new Error("Unexpected: INSERT RETURNING produced no row");
-	let notification;
-	if (initialStatus === TASK_STATUSES.ASSIGNED && task.assigneeAgentId) notification = await dispatchTaskSystemMessage(db, task, "assigned");
-	return {
-		task,
-		notification
-	};
-}
-/** Compose and send a system message describing a task state change to the assignee's chat. */
-async function dispatchTaskSystemMessage(db, task, event, fromStatus) {
-	if (!task.assigneeAgentId) return void 0;
-	const systemAgentId = await ensureSystemTasksAgent(db, task.organizationId);
-	if (systemAgentId === task.assigneeAgentId) return void 0;
-	const chat = await findOrCreateDirectChat(db, systemAgentId, task.assigneeAgentId);
-	const content = {
-		taskId: task.id,
-		event,
-		title: task.title,
-		body: task.body,
-		status: task.status,
-		...fromStatus ? { fromStatus } : {},
-		originRef: task.originRef
-	};
-	return sendMessage(db, chat.id, systemAgentId, {
-		format: "task",
-		content,
-		metadata: {
-			taskId: task.id,
-			event,
-			mentions: [task.assigneeAgentId]
-		}
-	});
-}
-/**
-* Fetch a task, optionally asserting it belongs to `expectedOrgId`. Cross-org
-* access is reported as NotFound so we don't leak existence across tenants.
-*/
-async function getTask(db, taskId, expectedOrgId) {
-	const [task] = await db.select().from(tasks).where(eq(tasks.id, taskId)).limit(1);
-	if (!task) throw new NotFoundError(`Task "${taskId}" not found`);
-	if (expectedOrgId !== void 0 && task.organizationId !== expectedOrgId) throw new NotFoundError(`Task "${taskId}" not found`);
-	return task;
-}
-async function getTaskDetail(db, taskId, expectedOrgId) {
-	const task = await getTask(db, taskId, expectedOrgId);
-	const links = await db.select().from(taskChats).where(eq(taskChats.taskId, taskId));
-	return {
-		...task,
-		chats: links.map((c) => ({
-			taskId: c.taskId,
-			chatId: c.chatId,
-			linkedByAgentId: c.linkedByAgentId,
-			linkedAt: c.linkedAt.toISOString()
-		}))
-	};
-}
-async function listTasks(db, organizationId, query) {
-	const conditions = [eq(tasks.organizationId, organizationId)];
-	if (query.status) conditions.push(eq(tasks.status, query.status));
-	if (query.assigneeAgentId) conditions.push(eq(tasks.assigneeAgentId, query.assigneeAgentId));
-	if (query.originRef) conditions.push(eq(tasks.originRef, query.originRef));
-	if (query.cursor) conditions.push(lt(tasks.createdAt, new Date(query.cursor)));
-	const rows = await db.select().from(tasks).where(and(...conditions)).orderBy(desc(tasks.createdAt)).limit(query.limit + 1);
-	const hasMore = rows.length > query.limit;
-	const items = hasMore ? rows.slice(0, query.limit) : rows;
-	const last = items[items.length - 1];
-	return {
-		items,
-		nextCursor: hasMore && last ? last.createdAt.toISOString() : null
-	};
-}
-/** Agent self-report: working / completed / failed. */
-async function updateTaskStatus(db, taskId, actor, data) {
-	const existing = await getTask(db, taskId);
-	if (actor.type !== "agent") throw new ForbiddenError("updateTaskStatus is for agent self-report; use adminUpdateTask for admin actions");
-	if (existing.assigneeAgentId !== actor.agentId) throw new ForbiddenError("Only the assignee may update this task");
-	const from = existing.status;
-	const to = data.status;
-	if (!isLegalTransition(from, to)) throw new BadRequestError(`Illegal status transition: ${from} → ${to}`);
-	if (to === TASK_STATUSES.COMPLETED && data.result === void 0) throw new BadRequestError("Completion requires a result (may be an empty string)");
-	const updates = {
-		status: to,
-		updatedAt: /* @__PURE__ */ new Date()
-	};
-	if (data.result !== void 0) updates.result = data.result;
-	const [updated] = await db.update(tasks).set(updates).where(eq(tasks.id, taskId)).returning();
-	if (!updated) throw new Error("Unexpected: UPDATE RETURNING produced no row");
-	return { task: updated };
-}
-/** Admin-facing update: may re-assign while pending, or force a status transition (still gated by state machine). */
-async function adminUpdateTask(db, taskId, actor, data) {
-	if (actor.type !== "admin") throw new ForbiddenError("adminUpdateTask requires admin actor");
-	const existing = await getTask(db, taskId);
-	if (data.status === TASK_STATUSES.CANCELLED) {
-		if (isTerminal(existing.status)) throw new ConflictError(`Task is already in terminal state "${existing.status}"`);
-		return cancelTask(db, taskId, actor);
-	}
-	const updates = { updatedAt: /* @__PURE__ */ new Date() };
-	let notify = false;
-	if (data.assigneeAgentId !== void 0) {
-		if (existing.status !== TASK_STATUSES.PENDING && data.assigneeAgentId !== existing.assigneeAgentId) throw new BadRequestError("Cannot reassign a task that is not pending");
-		if (data.assigneeAgentId !== null) {
-			await loadAssigneeOrThrow(db, data.assigneeAgentId, existing.organizationId);
-			updates.assigneeAgentId = data.assigneeAgentId;
-			updates.status = TASK_STATUSES.ASSIGNED;
-			notify = true;
-		} else {
-			updates.assigneeAgentId = null;
-			updates.status = TASK_STATUSES.PENDING;
-		}
-	}
-	if (data.status !== void 0 && data.status !== existing.status) {
-		const from = updates.status ?? existing.status;
-		if (!isLegalTransition(from, data.status)) throw new BadRequestError(`Illegal status transition: ${from} → ${data.status}`);
-		updates.status = data.status;
-	}
-	if (data.result !== void 0) updates.result = data.result;
-	const resolvedStatus = updates.status ?? existing.status;
-	const resolvedAssignee = updates.assigneeAgentId === void 0 ? existing.assigneeAgentId : updates.assigneeAgentId;
-	if (resolvedStatus === TASK_STATUSES.ASSIGNED && !resolvedAssignee) throw new BadRequestError("Cannot set status to \"assigned\" without an assignee");
-	const [updated] = await db.update(tasks).set(updates).where(eq(tasks.id, taskId)).returning();
-	if (!updated) throw new Error("Unexpected: UPDATE RETURNING produced no row");
-	let notification;
-	if (notify && updated.assigneeAgentId) notification = await dispatchTaskSystemMessage(db, updated, "assigned");
-	return {
-		task: updated,
-		notification
-	};
-}
-async function cancelTask(db, taskId, actor) {
-	const existing = await getTask(db, taskId);
-	if (isTerminal(existing.status)) throw new ConflictError(`Task is already in terminal state "${existing.status}"`);
-	if (actor.type === "agent") {
-		const isAssignee = existing.assigneeAgentId === actor.agentId;
-		const isCreator = existing.createdByType === TASK_CREATOR_TYPES.AGENT && existing.createdById === actor.agentId;
-		if (!isAssignee && !isCreator) throw new ForbiddenError("Only the assignee or creator may cancel this task");
-	}
-	const now = /* @__PURE__ */ new Date();
-	const { type: cancelType, id: cancelId } = resolveCreator(actor);
-	const [updated] = await db.update(tasks).set({
-		status: TASK_STATUSES.CANCELLED,
-		cancelledAt: now,
-		cancelledByType: cancelType,
-		cancelledById: cancelId,
-		updatedAt: now
-	}).where(eq(tasks.id, taskId)).returning();
-	if (!updated) throw new Error("Unexpected: UPDATE RETURNING produced no row");
-	let notification;
-	if (updated.assigneeAgentId && !(actor.type === "agent" && actor.agentId === updated.assigneeAgentId)) notification = await dispatchTaskSystemMessage(db, updated, "cancelled", existing.status);
-	return {
-		task: updated,
-		notification
-	};
-}
-async function linkChatToTask(db, taskId, chatId, actor) {
-	const task = await getTask(db, taskId);
-	if (actor.type === "agent" && task.organizationId !== actor.organizationId) throw new NotFoundError(`Task "${taskId}" not found`);
-	assertCanMutateTaskChats(task, actor);
-	const [chat] = await db.select({ organizationId: chats.organizationId }).from(chats).where(eq(chats.id, chatId)).limit(1);
-	if (!chat) throw new NotFoundError(`Chat "${chatId}" not found`);
-	if (chat.organizationId !== task.organizationId) throw new BadRequestError("Chat belongs to a different organization");
-	if (actor.type === "agent") await assertParticipant(db, chatId, actor.agentId);
-	const linkedBy = actor.type === "agent" ? actor.agentId : null;
-	await db.insert(taskChats).values({
-		taskId,
-		chatId,
-		linkedByAgentId: linkedBy
-	}).onConflictDoNothing();
-}
-async function unlinkChatFromTask(db, taskId, chatId, actor) {
-	const task = await getTask(db, taskId);
-	if (actor.type === "agent" && task.organizationId !== actor.organizationId) throw new NotFoundError(`Task "${taskId}" not found`);
-	assertCanMutateTaskChats(task, actor);
-	if ((await db.delete(taskChats).where(and(eq(taskChats.taskId, taskId), eq(taskChats.chatId, chatId))).returning({ chatId: taskChats.chatId })).length === 0) throw new NotFoundError(`Chat "${chatId}" is not linked to task "${taskId}"`);
-}
-/**
-* Derive a health signal for a task. Only meaningful for `working` tasks.
-* See hub-task-design Section 9 for the rules this implements.
-*
-* Algorithm (per linked chat for the assignee):
-*   1. No session row OR state != 'active' → idle_island candidate
-*   2. Session active, last message from assignee → awaiting_reply candidate
-*   3. Session active, last message from other → normal candidate
-* Across all linked chats, normal wins over awaiting_reply, which wins over idle_island.
-*/
-async function getTaskHealth(db, taskId, expectedOrgId) {
-	const task = await getTask(db, taskId, expectedOrgId);
-	if (task.status !== TASK_STATUSES.WORKING) return {
-		taskId,
-		signal: TASK_HEALTH_SIGNALS.NOT_APPLICABLE,
-		reason: `Task status is "${task.status}" — health is only computed for working tasks`
-	};
-	if (!task.assigneeAgentId) return {
-		taskId,
-		signal: TASK_HEALTH_SIGNALS.NO_CHAT,
-		reason: "Task has no assignee"
-	};
-	const linked = await db.select({
-		chatId: taskChats.chatId,
-		sessionState: agentChatSessions.state
-	}).from(taskChats).leftJoin(agentChatSessions, and(eq(agentChatSessions.chatId, taskChats.chatId), eq(agentChatSessions.agentId, task.assigneeAgentId))).where(eq(taskChats.taskId, taskId));
-	if (linked.length === 0) return {
-		taskId,
-		signal: TASK_HEALTH_SIGNALS.NO_CHAT,
-		reason: "Task has no linked chats"
-	};
-	const chatSignals = [];
-	for (const row of linked) {
-		if (row.sessionState !== "active") {
-			chatSignals.push(TASK_HEALTH_SIGNALS.IDLE_ISLAND);
-			continue;
-		}
-		const [last] = await db.select({ senderId: messages.senderId }).from(messages).where(eq(messages.chatId, row.chatId)).orderBy(desc(messages.createdAt)).limit(1);
-		if (!last) {
-			chatSignals.push(TASK_HEALTH_SIGNALS.IDLE_ISLAND);
-			continue;
-		}
-		if (last.senderId === task.assigneeAgentId) chatSignals.push(TASK_HEALTH_SIGNALS.AWAITING_REPLY);
-		else chatSignals.push(TASK_HEALTH_SIGNALS.NORMAL);
-	}
-	if (chatSignals.includes(TASK_HEALTH_SIGNALS.NORMAL)) return {
-		taskId,
-		signal: TASK_HEALTH_SIGNALS.NORMAL,
-		reason: "At least one linked chat is actively progressing"
-	};
-	if (chatSignals.includes(TASK_HEALTH_SIGNALS.AWAITING_REPLY)) return {
-		taskId,
-		signal: TASK_HEALTH_SIGNALS.AWAITING_REPLY,
-		reason: "Assignee sent the last message and is waiting for a reply"
-	};
-	return {
-		taskId,
-		signal: TASK_HEALTH_SIGNALS.IDLE_ISLAND,
-		reason: "No active session found for the assignee in any linked chat"
-	};
-}
-/** Serialize a task row for API output. */
-function serializeTask(task) {
-	return {
-		...task,
-		createdAt: task.createdAt.toISOString(),
-		updatedAt: task.updatedAt.toISOString(),
-		cancelledAt: task.cancelledAt ? task.cancelledAt.toISOString() : null
-	};
-}
-function dispatch$2(notifier, result) {
-	if (!result) return;
-	notifyRecipients(notifier, result.recipients, result.message.id);
-}
-async function agentTaskRoutes(app) {
-	/** Create a task. Agent creator; assignee defaults to self (work-first) if omitted. */
-	app.post("/", async (request, reply) => {
-		const identity = requireAgent(request);
-		const body = createTaskSchema.parse(request.body);
-		const { task, notification } = await createTask(app.db, {
-			type: "agent",
-			agentId: identity.uuid,
-			organizationId: identity.organizationId
-		}, {
-			...body,
-			organizationId: identity.organizationId
-		});
-		dispatch$2(app.notifier, notification);
-		return reply.status(201).send(serializeTask(task));
-	});
-	app.get("/", async (request) => {
-		const identity = requireAgent(request);
-		const query = taskListQuerySchema.parse(request.query);
-		const result = await listTasks(app.db, identity.organizationId, query);
-		return {
-			items: result.items.map((t) => serializeTask(t)),
-			nextCursor: result.nextCursor
-		};
-	});
-	app.get("/:taskId", async (request) => {
-		const identity = requireAgent(request);
-		const detail = await getTaskDetail(app.db, request.params.taskId, identity.organizationId);
-		return {
-			...serializeTask(detail),
-			chats: detail.chats
-		};
-	});
-	/** Agent self-report: working / completed / failed. */
-	app.patch("/:taskId", async (request) => {
-		const identity = requireAgent(request);
-		const body = updateTaskStatusSchema.parse(request.body);
-		const { task } = await updateTaskStatus(app.db, request.params.taskId, {
-			type: "agent",
-			agentId: identity.uuid,
-			organizationId: identity.organizationId
-		}, body);
-		return serializeTask(task);
-	});
-	app.post("/:taskId/cancel", async (request) => {
-		const identity = requireAgent(request);
-		const { task, notification } = await cancelTask(app.db, request.params.taskId, {
-			type: "agent",
-			agentId: identity.uuid,
-			organizationId: identity.organizationId
-		});
-		dispatch$2(app.notifier, notification);
-		return serializeTask(task);
-	});
-	app.post("/:taskId/chats", async (request, reply) => {
-		const identity = requireAgent(request);
-		const body = linkTaskChatSchema.parse(request.body);
-		await linkChatToTask(app.db, request.params.taskId, body.chatId, {
-			type: "agent",
-			agentId: identity.uuid,
-			organizationId: identity.organizationId
-		});
-		return reply.status(204).send();
-	});
-	app.delete("/:taskId/chats/:chatId", async (request, reply) => {
-		const identity = requireAgent(request);
-		await unlinkChatFromTask(app.db, request.params.taskId, request.params.chatId, {
-			type: "agent",
-			agentId: identity.uuid,
-			organizationId: identity.organizationId
-		});
-		return reply.status(204).send();
-	});
-	/** Task health signal — only meaningful while task.status === "working". */
-	app.get("/:taskId/health", async (request) => {
-		const identity = requireAgent(request);
-		return getTaskHealth(app.db, request.params.taskId, identity.organizationId);
-	});
-}
 /** WS close code: agent already connected from another client. */
 const WS_CLOSE_ALREADY_CONNECTED = 4009;
 /** Track active WS connections per agentId. At most one entry per agent. */
@@ -15174,9 +14746,7 @@ async function listMeChats(db, humanAgentId, organizationId, query) {
 				lastMessageAt: toDate(r.last_message_at)?.toISOString() ?? null,
 				lastMessagePreview: r.last_message_preview,
 				unreadMentionCount: r.unread_mention_count,
-				canReply: r.membership_kind === "participant",
-				taskId: null,
-				taskStatus: null
+				canReply: r.membership_kind === "participant"
 			};
 		}),
 		nextCursor
@@ -16894,7 +16464,7 @@ async function healthzRoutes(app) {
 * `api/orgs/invitations.ts` (Class B, admin-gated).
 */
 async function publicInvitationRoutes(app) {
-	const { previewInvitation } = await import("./invitation-C299fxkP-B89eqDos.mjs");
+	const { previewInvitation } = await import("./invitation-C299fxkP-Dts66QTU.mjs");
 	app.get("/:token/preview", async (request, reply) => {
 		if (!request.params.token) throw new UnauthorizedError("Token required");
 		const preview = await previewInvitation(app.db, request.params.token);
@@ -17074,7 +16644,7 @@ async function meRoutes(app) {
 	*/
 	app.get("/me/pinned-agents", async (request) => {
 		const { userId } = requireUser(request);
-		const { listMyPinnedAgents } = await import("./client-0RrgrMjR-DPyuu6Ls.mjs");
+		const { listMyPinnedAgents } = await import("./client-DSM_opoz-BH5eegXb.mjs");
 		return listMyPinnedAgents(app.db, { userId });
 	});
 	/**
@@ -17887,39 +17457,6 @@ function enrichOutput(namespace, out, orgId, publicUrl) {
 	}
 	return out;
 }
-function dispatch$1(notifier, result) {
-	if (!result) return;
-	notifyRecipients(notifier, result.recipients, result.message.id);
-}
-/** Class B — `/api/v1/orgs/:orgId/tasks`. Per-task ops live in api/tasks.ts. */
-async function orgTaskRoutes(app) {
-	app.get("/", async (request) => {
-		const scope = await requireOrgMembership(request, app.db);
-		const query = taskListQuerySchema.parse(request.query);
-		const result = await listTasks(app.db, scope.organizationId, query);
-		return {
-			items: result.items.map((t) => serializeTask(t)),
-			nextCursor: result.nextCursor
-		};
-	});
-	app.post("/", async (request, reply) => {
-		const scope = await requireOrgMembership(request, app.db);
-		const body = adminCreateTaskSchema.parse(request.body);
-		const { task, notification } = await createTask(app.db, {
-			type: "admin",
-			adminId: scope.memberId
-		}, {
-			title: body.title,
-			body: body.body,
-			...body.assigneeAgentId !== void 0 ? { assigneeAgentId: body.assigneeAgentId } : {},
-			...body.originRef !== void 0 ? { originRef: body.originRef } : {},
-			...body.metadata !== void 0 ? { metadata: body.metadata } : {},
-			organizationId: scope.organizationId
-		});
-		dispatch$1(app.notifier, notification);
-		return reply.status(201).send(serializeTask(task));
-	});
-}
 async function loadVisibleAgentIds(db, organizationId, memberId) {
 	const rows = await db.select({ id: agents.uuid }).from(agents).where(and(eq(agents.organizationId, organizationId), ne(agents.status, AGENT_STATUSES.DELETED), or(eq(agents.visibility, AGENT_VISIBILITY.ORGANIZATION), eq(agents.managerId, memberId))));
 	return new Set(rows.map((r) => r.id));
@@ -18140,97 +17677,380 @@ async function sessionRoutes(app) {
 		});
 	});
 }
-function dispatch(notifier, result) {
-	if (!result) return;
-	notifyRecipients(notifier, result.recipients, result.message.id);
+function isRecord(value) {
+	return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+/** Pull `repository.full_name` ("owner/repo") from a webhook payload, or null. */
+function repoFullName(payload) {
+	if (!isRecord(payload)) return null;
+	const repo = isRecord(payload.repository) ? payload.repository : null;
+	return typeof repo?.full_name === "string" && repo.full_name.length > 0 ? repo.full_name : null;
+}
+function readNumber(value) {
+	return typeof value === "number" && Number.isFinite(value) ? value : null;
+}
+function readString(value) {
+	return typeof value === "string" && value.length > 0 ? value : null;
+}
+/**
+* Resolve the entity that a GitHub webhook event belongs to.
+*
+* Returns `null` when the event isn't a clustering candidate (event type
+* outside the §4.1 "core" list, malformed payload). Caller is expected to
+* skip such events.
+*
+* Notes
+* - `commit_comment` falls back to a `commit` entity keyed on `<repo>@<sha>`
+*   when no associated PR is in the payload — the design hedges on "optionally
+*   resolve to a PR", but doing so requires an extra GitHub API call which we
+*   defer to Phase 1+.
+*/
+function extractEventEntity(eventType, payload) {
+	if (!isRecord(payload)) return null;
+	const repo = repoFullName(payload);
+	if (!repo) return null;
+	switch (eventType) {
+		case "issues":
+		case "issue_comment": {
+			const issue = isRecord(payload.issue) ? payload.issue : null;
+			const number = readNumber(issue?.number);
+			if (number === null) return null;
+			return {
+				type: "issue",
+				key: `${repo}#${number}`,
+				title: readString(issue?.title) ?? void 0,
+				url: readString(issue?.html_url) ?? void 0
+			};
+		}
+		case "pull_request":
+		case "pull_request_review":
+		case "pull_request_review_comment": {
+			const pr = isRecord(payload.pull_request) ? payload.pull_request : null;
+			const number = readNumber(pr?.number);
+			if (number === null) return null;
+			return {
+				type: "pull_request",
+				key: `${repo}#${number}`,
+				title: readString(pr?.title) ?? void 0,
+				url: readString(pr?.html_url) ?? void 0
+			};
+		}
+		case "discussion":
+		case "discussion_comment": {
+			const disc = isRecord(payload.discussion) ? payload.discussion : null;
+			const number = readNumber(disc?.number);
+			if (number === null) return null;
+			return {
+				type: "discussion",
+				key: `${repo}#discussion-${number}`,
+				title: readString(disc?.title) ?? void 0,
+				url: readString(disc?.html_url) ?? void 0
+			};
+		}
+		case "commit_comment": {
+			const comment = isRecord(payload.comment) ? payload.comment : null;
+			const sha = readString(comment?.commit_id);
+			if (!sha) return null;
+			return {
+				type: "commit",
+				key: `${repo}@${sha}`,
+				url: readString(comment?.html_url) ?? void 0
+			};
+		}
+		default: return null;
+	}
+}
+/**
+* Closing-keyword regex from
+* https://docs.github.com/en/issues/tracking-your-work-with-issues/using-issues/linking-a-pull-request-to-an-issue
+* — `close[sd]? | fix(es|ed)? | resolve[sd]?`. Cross-repo `org/repo#N` is
+* deliberately excluded (out of scope for Phase 0; see §4.5).
+*/
+const FIXES_KEYWORDS_RE = /\b(?:close[sd]?|fix(?:es|ed)?|resolve[sd]?)\s+#(\d+)\b/gi;
+/**
+* Parse `Fixes #N` / `Closes #N` / `Resolves #N` references out of a PR body.
+* Returns ordered, deduplicated entity references for issues in the same repo
+* (cross-repo refs ignored per §4.5).
+*
+* Caller is expected to pass `repoFullName` so we can build the entity key.
+*/
+function parseFixesRefs(text, repoFullName) {
+	if (!text) return [];
+	const seen = /* @__PURE__ */ new Set();
+	const out = [];
+	for (const match of text.matchAll(FIXES_KEYWORDS_RE)) {
+		const num = match[1];
+		if (!num) continue;
+		const key = `${repoFullName}#${num}`;
+		if (seen.has(key)) continue;
+		seen.add(key);
+		out.push({
+			type: "issue",
+			key
+		});
+	}
+	return out;
+}
+/**
+* Pick a chat-title prefix from (entity, eventType, action).
+*
+* PR review-flow events (`pull_request.review_requested`,
+* `pull_request_review.*`, `pull_request_review_comment.*`) collapse into a
+* single "PR Review" prefix so a chat first-touched by a review event is
+* visibly distinct from one first-touched by `pull_request.opened`. Everything
+* else just renders the entity type.
+*
+* Note: chat titles are written once at chat creation (see
+* `github-entity-chat.ts::createEntityChat`) — subsequent events for the same
+* entity reuse the existing title even if their (event, action) maps to a
+* different prefix. This matches the "entity is the container" semantic.
+*/
+function entityTitlePrefix(entity, eventType, action) {
+	if (eventType === "pull_request" && action === "review_requested") return "PR Review";
+	if (eventType === "pull_request_review") return "PR Review";
+	if (eventType === "pull_request_review_comment") return "PR Review";
+	switch (entity.type) {
+		case "issue": return "Issue";
+		case "pull_request": return "PR";
+		case "discussion": return "Discussion";
+		case "commit": return "Commit";
+	}
+}
+/**
+* Strip the leading `owner/` segment from an entity key so the chat title
+* stays compact. `owner/repo#42` → `repo#42`; `owner/repo@abc1234` →
+* `repo@abc1234`. The full `owner/repo#N` form is still used as the
+* clustering primary key (`github_entity_chat_mappings.entity_key`); only the
+* display string is shortened.
+*/
+function shortEntityKey(key) {
+	const slash = key.indexOf("/");
+	return slash === -1 ? key : key.slice(slash + 1);
+}
+/**
+* Render a chat topic from an entity. Used as the chat title; kept short so
+* the chat-list row doesn't truncate aggressively.
+*
+*   formatEntityTitle({ type: "pull_request", key: "owner/repo#307", title: "Improve overview" }, "pull_request", "opened")
+*     → "PR repo#307: Improve overview"
+*   formatEntityTitle(<same>, "pull_request", "review_requested")
+*     → "PR Review repo#307: Improve overview"
+*/
+function formatEntityTitle(entity, eventType, action) {
+	const head = `${entityTitlePrefix(entity, eventType, action)} ${shortEntityKey(entity.key)}`;
+	if (entity.title && entity.title.length > 0) return `${head}: ${entity.title}`;
+	return head;
+}
+const SILENT_EVENT_TYPES = new Set([
+	"workflow_run",
+	"workflow_job",
+	"check_run",
+	"check_suite",
+	"status",
+	"push",
+	"create",
+	"delete",
+	"fork",
+	"watch",
+	"release",
+	"label",
+	"label_created",
+	"label_deleted",
+	"reaction",
+	"member",
+	"membership",
+	"team",
+	"team_add",
+	"organization",
+	"org_block",
+	"project",
+	"project_card",
+	"project_column"
+]);
+/**
+* Per-event-type action-level filters. Frequent low-signal actions that would
+* otherwise spam an entity chat. `synchronize` (PR branch push) is the most
+* common offender — it fires on every commit push to a PR branch and never
+* carries new conversation.
+*/
+const SILENT_ACTIONS = {
+	issues: new Set([
+		"labeled",
+		"unlabeled",
+		"milestoned",
+		"demilestoned",
+		"pinned",
+		"unpinned"
+	]),
+	pull_request: new Set([
+		"labeled",
+		"unlabeled",
+		"auto_merge_enabled",
+		"auto_merge_disabled",
+		"synchronize"
+	])
+};
+/** True iff the event should be silently 200-OKed without further routing. */
+function shouldSilent(eventType, payload) {
+	if (SILENT_EVENT_TYPES.has(eventType)) return true;
+	if (!isRecord(payload)) return false;
+	if (readString((isRecord(payload.sender) ? payload.sender : null)?.type) === "Bot") return true;
+	const action = readString(payload.action);
+	if (!action) return false;
+	return SILENT_ACTIONS[eventType]?.has(action) ?? false;
 }
-/** Class C — `/api/v1/tasks/:taskId`. The task's `organizationId` locates the org. */
-async function taskRoutes(app) {
-	app.get("/:taskId", async (request) => {
-		await requireTaskAccess(request, app.db);
-		const detail = await getTaskDetail(app.db, request.params.taskId);
+/**
+* GitHub-specific webhook entity → chat clustering (Phase 0).
+*
+* Each `(organization, human_agent, delegate_agent, entity)` tuple resolves to
+* exactly one chat. Future external sources (Linear, Slack, …) get their own
+* tables — their entity models differ enough that a generic table would slip
+* back into untyped jsonb.
+*
+* `bound_via` distinguishes the first-touch row (`direct`) from a row written
+* by the `Fixes #N` linker (`fixes_link`). Routing logic ignores the
+* distinction; it exists for audit and future strategy tweaks.
+*/
+const githubEntityChatMappings = pgTable("github_entity_chat_mappings", {
+	organizationId: text("organization_id").notNull().references(() => organizations.id),
+	humanAgentId: text("human_agent_id").notNull().references(() => agents.uuid, { onDelete: "cascade" }),
+	delegateAgentId: text("delegate_agent_id").notNull().references(() => agents.uuid, { onDelete: "cascade" }),
+	entityType: text("entity_type").notNull(),
+	entityKey: text("entity_key").notNull(),
+	chatId: text("chat_id").notNull().references(() => chats.id, { onDelete: "cascade" }),
+	boundAt: timestamp("bound_at", { withTimezone: true }).notNull().defaultNow(),
+	boundVia: text("bound_via").notNull()
+}, (table) => [primaryKey({ columns: [
+	table.organizationId,
+	table.humanAgentId,
+	table.delegateAgentId,
+	table.entityType,
+	table.entityKey
+] }), index("idx_github_entity_chat_mappings_chat").on(table.chatId)]);
+/**
+* Resolve which chat a GitHub event for (human, delegate, entity) belongs to.
+*
+* Three-step strategy from docs/webhook-routing-design.md §4.4:
+*   a. Direct hit — entity already bound; reuse that chat.
+*   b. Fixes-link — any related entity (parsed from `Fixes #N` in a PR body)
+*      already bound; write a `fixes_link` row for this entity pointing at
+*      the same chat, return it.
+*   c. Miss — create a fresh chat via the canonical `createChat` entrypoint
+*      and write a `direct` mapping row.
+*
+* Concurrent webhook deliveries for a never-before-seen entity race on (c);
+* the composite primary key + ON CONFLICT DO NOTHING ensures only one row
+* survives. The losing caller falls back to a re-read so the chat stays
+* unique.
+*/
+async function resolveTargetChat(db, params) {
+	const { organizationId, humanAgentId, delegateAgentId, entity, relatedEntities, eventType, action } = params;
+	const direct = await lookupMapping(db, organizationId, humanAgentId, delegateAgentId, entity);
+	if (direct) return {
+		chatId: direct.chatId,
+		created: false,
+		boundVia: direct.boundVia
+	};
+	for (const ref of relatedEntities) {
+		const linked = await lookupMapping(db, organizationId, humanAgentId, delegateAgentId, ref);
+		if (!linked) continue;
+		const inserted = await insertMappingIfAbsent(db, {
+			organizationId,
+			humanAgentId,
+			delegateAgentId,
+			entity,
+			chatId: linked.chatId,
+			boundVia: "fixes_link"
+		});
 		return {
-			...serializeTask(detail),
-			chats: detail.chats
+			chatId: inserted.chatId,
+			created: false,
+			boundVia: inserted.boundVia
 		};
+	}
+	const chat = await createEntityChat(db, humanAgentId, delegateAgentId, entity, eventType, action);
+	const inserted = await insertMappingIfAbsent(db, {
+		organizationId,
+		humanAgentId,
+		delegateAgentId,
+		entity,
+		chatId: chat.id,
+		boundVia: "direct"
 	});
-	app.patch("/:taskId", async (request) => {
-		const { scope } = await requireTaskAccess(request, app.db);
-		const body = adminUpdateTaskSchema.parse(request.body);
-		const { task, notification } = await adminUpdateTask(app.db, request.params.taskId, {
-			type: "admin",
-			adminId: scope.memberId
-		}, body);
-		dispatch(app.notifier, notification);
-		return serializeTask(task);
-	});
-	app.post("/:taskId/cancel", async (request) => {
-		const { scope } = await requireTaskAccess(request, app.db);
-		const { task, notification } = await cancelTask(app.db, request.params.taskId, {
-			type: "admin",
-			adminId: scope.memberId
-		});
-		dispatch(app.notifier, notification);
-		return serializeTask(task);
+	return {
+		chatId: inserted.chatId,
+		created: inserted.chatId === chat.id,
+		boundVia: inserted.boundVia
+	};
+}
+async function lookupMapping(db, organizationId, humanAgentId, delegateAgentId, entity) {
+	const [row] = await db.select({
+		chatId: githubEntityChatMappings.chatId,
+		boundVia: githubEntityChatMappings.boundVia
+	}).from(githubEntityChatMappings).where(and(eq(githubEntityChatMappings.organizationId, organizationId), eq(githubEntityChatMappings.humanAgentId, humanAgentId), eq(githubEntityChatMappings.delegateAgentId, delegateAgentId), eq(githubEntityChatMappings.entityType, entity.type), eq(githubEntityChatMappings.entityKey, entity.key))).limit(1);
+	if (!row) return null;
+	return {
+		chatId: row.chatId,
+		boundVia: row.boundVia === "fixes_link" ? "fixes_link" : "direct"
+	};
+}
+async function insertMappingIfAbsent(db, params) {
+	const [inserted] = await db.insert(githubEntityChatMappings).values({
+		organizationId: params.organizationId,
+		humanAgentId: params.humanAgentId,
+		delegateAgentId: params.delegateAgentId,
+		entityType: params.entity.type,
+		entityKey: params.entity.key,
+		chatId: params.chatId,
+		boundVia: params.boundVia
+	}).onConflictDoNothing({ target: [
+		githubEntityChatMappings.organizationId,
+		githubEntityChatMappings.humanAgentId,
+		githubEntityChatMappings.delegateAgentId,
+		githubEntityChatMappings.entityType,
+		githubEntityChatMappings.entityKey
+	] }).returning({
+		chatId: githubEntityChatMappings.chatId,
+		boundVia: githubEntityChatMappings.boundVia
 	});
-	app.get("/:taskId/health", async (request) => {
-		await requireTaskAccess(request, app.db);
-		return getTaskHealth(app.db, request.params.taskId);
+	if (inserted) return {
+		chatId: inserted.chatId,
+		boundVia: inserted.boundVia === "fixes_link" ? "fixes_link" : "direct"
+	};
+	const winner = await lookupMapping(db, params.organizationId, params.humanAgentId, params.delegateAgentId, params.entity);
+	if (!winner) throw new Error("Unexpected: mapping insert conflicted but row not visible on re-read");
+	return winner;
+}
+/**
+* Create a fresh chat for a (human, delegate, entity) tuple. Goes through the
+* canonical `createChat` so:
+*   - cross-org participants are rejected (BadRequestError)
+*   - direct agent-only chats automatically get `mode=mention_only`
+*   - watcher rows are recomputed
+*   - a future addParticipant call would upgrade the chat to `group` via
+*     `maybeUpgradeDirectToGroup` instead of raw INSERT shortcuts
+*/
+async function createEntityChat(db, humanAgentId, delegateAgentId, entity, eventType, action) {
+	const metadata = chatMetadataSchema$1.parse({
+		source: "github",
+		entityType: entity.type,
+		entityKey: entity.key,
+		...entity.url ? { entityUrl: entity.url } : {}
 	});
+	return { id: (await createChat(db, humanAgentId, {
+		type: "direct",
+		participantIds: [delegateAgentId],
+		topic: formatEntityTitle(entity, eventType, action),
+		metadata
+	})).id };
 }
 const log$1 = createLogger$1("GithubWebhook");
-const GITHUB_ADAPTER_ID = "github-adapter";
 function verifySignature(secret, rawBody, signatureHeader) {
 	const expected = `sha256=${createHmac("sha256", secret).update(rawBody).digest("hex")}`;
 	const expectedBuf = Buffer.from(expected, "utf8");
 	const receivedBuf = Buffer.from(signatureHeader, "utf8");
 	if (expectedBuf.length !== receivedBuf.length || !timingSafeEqual(expectedBuf, receivedBuf)) throw new UnauthorizedError("Invalid webhook signature");
 }
-async function ensureGitHubAdapterAgent(db, organizationId) {
-	const [existing] = await db.select({ uuid: agents.uuid }).from(agents).where(and(eq(agents.organizationId, organizationId), eq(agents.name, GITHUB_ADAPTER_ID))).limit(1);
-	if (existing) return existing.uuid;
-	try {
-		return (await createAgent(db, {
-			name: GITHUB_ADAPTER_ID,
-			type: "autonomous_agent",
-			displayName: "GitHub Adapter",
-			organizationId,
-			metadata: {
-				source: "github",
-				managed: true
-			}
-		})).uuid;
-	} catch (err) {
-		if (err instanceof ConflictError) {
-			const [created] = await db.select({ uuid: agents.uuid }).from(agents).where(and(eq(agents.organizationId, organizationId), eq(agents.name, GITHUB_ADAPTER_ID))).limit(1);
-			if (created) return created.uuid;
-		}
-		throw err;
-	}
-}
-async function findTargetAgent(db, organizationId, repoFullName) {
-	const allAgents = await db.select({
-		id: agents.uuid,
-		name: agents.name,
-		metadata: agents.metadata,
-		type: agents.type
-	}).from(agents).where(and(eq(agents.organizationId, organizationId), eq(agents.status, "active")));
-	for (const agent of allAgents) {
-		if (agent.name === GITHUB_ADAPTER_ID) continue;
-		const meta = agent.metadata;
-		if (meta && typeof meta === "object" && "github" in meta) {
-			const github = meta.github;
-			if (isRecord(github) && "repos" in github) {
-				const repos = github.repos;
-				if (Array.isArray(repos) && repos.includes(repoFullName)) return agent.id;
-			}
-		}
-	}
-	return null;
-}
-function isRecord(value) {
-	return typeof value === "object" && value !== null && !Array.isArray(value);
-}
 /** Extract unique @mentions from text. Returns lowercase usernames.
 * Excludes email patterns (user@example.com) and team mentions (@org/team). */
 function extractMentions$1(text) {
@@ -18270,10 +18090,18 @@ function evaluateDelegateTarget(target, sourceOrgId) {
 }
 /**
 * Route @mentions to delegate agents.
-* For each mentioned user who has delegate_mention configured,
-* send a card message from the mentioned user to their delegate.
+*
+* For each mentioned GitHub user who maps to an agent with `delegate_mention`
+* configured, resolve which chat the event belongs to (via §4.4's
+* entity-clustering rules) and post a card from the human-bound agent to its
+* delegate.
+*
+* The entity argument is the §4.2 entity for the current event; `relatedRefs`
+* is the parsed `Fixes #N` list (empty for non-PR events). Both are
+* pre-computed by the caller so the heavy parsing doesn't run once per
+* mention.
 */
-async function routeMentionDelegations(app, organizationId, mentionedNames, ctx) {
+async function routeMentionDelegations(app, organizationId, mentionedNames, ctx, entity, relatedRefs) {
 	if (mentionedNames.length === 0) return 0;
 	const delegates = await app.db.select({
 		id: agents.uuid,
@@ -18302,8 +18130,24 @@ async function routeMentionDelegations(app, organizationId, mentionedNames, ctx)
 			continue;
 		}
 		try {
-			const chat = await findOrCreateDirectChat(app.db, agent.id, agent.delegateMention);
-			const { message: msg, recipients } = await sendMessage(app.db, chat.id, agent.id, {
+			const resolved = await resolveTargetChat(app.db, {
+				organizationId,
+				humanAgentId: agent.id,
+				delegateAgentId: agent.delegateMention,
+				entity,
+				relatedEntities: relatedRefs,
+				eventType: ctx.event,
+				action: ctx.action ?? ""
+			});
+			log$1.info({
+				chatId: resolved.chatId,
+				entityType: entity.type,
+				entityKey: entity.key,
+				boundVia: resolved.boundVia,
+				created: resolved.created,
+				humanAgent: agent.name
+			}, "resolved entity chat");
+			const { message: msg, recipients } = await sendMessage(app.db, resolved.chatId, agent.id, {
 				format: "card",
 				content: {
 					type: "github_mention",
@@ -18314,13 +18158,20 @@ async function routeMentionDelegations(app, organizationId, mentionedNames, ctx)
 					sender: ctx.sender,
 					title: ctx.title,
 					body: ctx.body,
-					url: ctx.url
+					url: ctx.url,
+					entity: {
+						type: entity.type,
+						key: entity.key,
+						url: entity.url ?? null
+					}
 				},
 				metadata: {
 					source: "github",
 					event: "mention_delegation",
 					mentionedUser: agent.name,
-					action: ctx.action
+					action: ctx.action,
+					entityType: entity.type,
+					entityKey: entity.key
 				}
 			});
 			notifyRecipients(app.notifier, recipients, msg.id);
@@ -18335,43 +18186,6 @@ async function routeMentionDelegations(app, organizationId, mentionedNames, ctx)
 	}
 	return routed;
 }
-function parseIssuesPayload(body) {
-	if (!isRecord(body)) throw new BadRequestError("Invalid payload: expected object");
-	if (typeof body.action !== "string") throw new BadRequestError("Invalid payload: missing action");
-	if (!isRecord(body.issue)) throw new BadRequestError("Invalid payload: missing issue");
-	if (!isRecord(body.repository)) throw new BadRequestError("Invalid payload: missing repository");
-	if (!isRecord(body.sender)) throw new BadRequestError("Invalid payload: missing sender");
-	const issue = body.issue;
-	const labels = Array.isArray(issue.labels) ? issue.labels.filter((l) => isRecord(l) && typeof l.name === "string") : [];
-	return {
-		action: body.action,
-		issue: {
-			number: typeof issue.number === "number" ? issue.number : 0,
-			title: typeof issue.title === "string" ? issue.title : "",
-			body: typeof issue.body === "string" ? issue.body : null,
-			html_url: typeof issue.html_url === "string" ? issue.html_url : "",
-			labels,
-			state: typeof issue.state === "string" ? issue.state : "open"
-		},
-		repository: { full_name: typeof body.repository.full_name === "string" ? body.repository.full_name : "" },
-		sender: { login: typeof body.sender.login === "string" ? body.sender.login : "" }
-	};
-}
-function parseIssueCommentPayload(body) {
-	const base = parseIssuesPayload(body);
-	if (!isRecord(body)) throw new BadRequestError("Invalid payload: expected object");
-	if (!isRecord(body.comment)) throw new BadRequestError("Invalid payload: missing comment");
-	const comment = body.comment;
-	const commentUser = isRecord(comment.user) ? comment.user : { login: "" };
-	return {
-		...base,
-		comment: {
-			body: typeof comment.body === "string" ? comment.body : "",
-			html_url: typeof comment.html_url === "string" ? comment.html_url : "",
-			user: { login: typeof commentUser.login === "string" ? commentUser.login : "" }
-		}
-	};
-}
 async function githubWebhookRoutes(app) {
 	app.addContentTypeParser("application/json", { parseAs: "buffer" }, (_request, body, done) => {
 		done(null, body);
@@ -18401,6 +18215,11 @@ async function githubWebhookRoutes(app) {
 			ok: true,
 			event: "ping"
 		});
+		if (shouldSilent(eventType, payload)) return reply.status(200).send({
+			ok: true,
+			event: eventType,
+			silent: true
+		});
 		const deliveryHeader = request.headers["x-github-delivery"];
 		const deliveryId = typeof deliveryHeader === "string" && deliveryHeader.length > 0 ? deliveryHeader : null;
 		if (deliveryId) {
@@ -18417,16 +18236,17 @@ async function githubWebhookRoutes(app) {
 			}
 		}
 		try {
-			if (eventType === "issues") return await handleIssuesEvent(app, orgId, eventType, payload, reply);
-			if (eventType === "issue_comment") return await handleIssueCommentEvent(app, orgId, eventType, payload, reply);
-			let mentionsRouted = 0;
-			const allowedActions = MENTION_ACTIONS[eventType];
 			const action = isRecord(payload) && typeof payload.action === "string" ? payload.action : void 0;
-			if (allowedActions && action && allowedActions.includes(action)) mentionsRouted = await handleMentionDelegation(app, orgId, eventType, payload);
+			const allowedActions = MENTION_ACTIONS[eventType];
+			if (!allowedActions || !action || !allowedActions.includes(action)) return reply.status(200).send({
+				ok: true,
+				event: eventType,
+				handled: false
+			});
+			const mentionsRouted = await handleMentionDelegation(app, orgId, eventType, payload);
 			return reply.status(200).send({
 				ok: true,
 				event: eventType,
-				handled: mentionsRouted > 0,
 				mentionsRouted
 			});
 		} catch (err) {
@@ -18598,9 +18418,15 @@ async function handleMentionDelegation(app, organizationId, eventType, payload)
 	const textMentions = extractMentions$1(extractEventText(eventType, payload));
 	const structuralMentions = extractStructuralMentions(eventType, payload);
 	const mentions = [...new Set([...textMentions, ...structuralMentions])];
-	const mentionCtx = extractEventContext(eventType, payload);
-	if (mentions.length > 0 && mentionCtx) return routeMentionDelegations(app, organizationId, mentions, mentionCtx);
-	return 0;
+	if (mentions.length === 0) return 0;
+	const ctx = extractEventContext(eventType, payload);
+	if (!ctx) return 0;
+	const entity = extractEventEntity(eventType, payload);
+	if (!entity) {
+		log$1.warn({ eventType }, "mention extracted but no entity resolvable; skipping fan-out");
+		return 0;
+	}
+	return routeMentionDelegations(app, organizationId, mentions, ctx, entity, eventType === "pull_request" && ctx.repository.length > 0 ? parseFixesRefs(ctx.body, ctx.repository) : []);
 }
 /** Actions that represent new/changed content (worth scanning for @mentions).
 * Note: `pull_request.review_requested` doesn't carry an @mention in any
@@ -18621,124 +18447,6 @@ const MENTION_ACTIONS = {
 	discussion_comment: ["created"],
 	commit_comment: ["created"]
 };
-async function handleIssuesEvent(app, organizationId, eventType, payload, reply) {
-	const data = parseIssuesPayload(payload);
-	if (MENTION_ACTIONS.issues?.includes(data.action)) await handleMentionDelegation(app, organizationId, eventType, payload);
-	if (![
-		"opened",
-		"edited",
-		"labeled"
-	].includes(data.action)) return reply.status(200).send({
-		ok: true,
-		event: "issues",
-		action: data.action,
-		handled: false
-	});
-	const [senderId, targetAgentId] = await Promise.all([ensureGitHubAdapterAgent(app.db, organizationId), findTargetAgent(app.db, organizationId, data.repository.full_name)]);
-	if (!targetAgentId) {
-		log$1.warn({
-			repo: data.repository.full_name,
-			event: "issue"
-		}, "no target agent found for GitHub event");
-		return reply.status(200).send({
-			ok: true,
-			event: "issues",
-			action: data.action,
-			routed: false
-		});
-	}
-	const content = {
-		type: "github_issue",
-		action: data.action,
-		issue: {
-			number: data.issue.number,
-			title: data.issue.title,
-			body: data.issue.body,
-			url: data.issue.html_url,
-			labels: data.issue.labels.map((l) => l.name),
-			state: data.issue.state
-		},
-		repository: data.repository.full_name,
-		sender: data.sender.login
-	};
-	const metadata = {
-		source: "github",
-		event: "issues",
-		action: data.action
-	};
-	const chat = await findOrCreateDirectChat(app.db, senderId, targetAgentId);
-	const { message: msg, recipients } = await sendMessage(app.db, chat.id, senderId, {
-		format: "card",
-		content,
-		metadata
-	});
-	notifyRecipients(app.notifier, recipients, msg.id);
-	return reply.status(200).send({
-		ok: true,
-		event: "issues",
-		action: data.action,
-		routed: true
-	});
-}
-async function handleIssueCommentEvent(app, organizationId, eventType, payload, reply) {
-	const data = parseIssueCommentPayload(payload);
-	if (MENTION_ACTIONS.issue_comment?.includes(data.action)) await handleMentionDelegation(app, organizationId, eventType, payload);
-	if (data.action !== "created") return reply.status(200).send({
-		ok: true,
-		event: "issue_comment",
-		action: data.action,
-		handled: false
-	});
-	const [senderId, targetAgentId] = await Promise.all([ensureGitHubAdapterAgent(app.db, organizationId), findTargetAgent(app.db, organizationId, data.repository.full_name)]);
-	if (!targetAgentId) {
-		log$1.warn({
-			repo: data.repository.full_name,
-			event: "issue_comment"
-		}, "no target agent found for GitHub event");
-		return reply.status(200).send({
-			ok: true,
-			event: "issue_comment",
-			action: data.action,
-			routed: false
-		});
-	}
-	const content = {
-		type: "github_issue_comment",
-		action: data.action,
-		issue: {
-			number: data.issue.number,
-			title: data.issue.title,
-			url: data.issue.html_url,
-			labels: data.issue.labels.map((l) => l.name),
-			state: data.issue.state
-		},
-		comment: {
-			body: data.comment.body,
-			url: data.comment.html_url,
-			author: data.comment.user.login
-		},
-		repository: data.repository.full_name,
-		sender: data.sender.login
-	};
-	const metadata = {
-		source: "github",
-		event: "issue_comment",
-		action: data.action
-	};
-	const chat = await findOrCreateDirectChat(app.db, senderId, targetAgentId);
-	const { message: msg, recipients } = await sendMessage(app.db, chat.id, senderId, {
-		format: "card",
-		content,
-		metadata
-	});
-	notifyRecipients(app.notifier, recipients, msg.id);
-	return reply.status(200).send({
-		ok: true,
-		event: "issue_comment",
-		action: data.action,
-		routed: true
-	});
-}
 var schema_exports = /* @__PURE__ */ __exportAll({
 	adapterAgentMappings: () => adapterAgentMappings,
 	adapterChatMappings: () => adapterChatMappings,
@@ -18753,6 +18461,7 @@ var schema_exports = /* @__PURE__ */ __exportAll({
 	chatSubscriptions: () => chatSubscriptions,
 	chats: () => chats,
 	clients: () => clients,
+	githubEntityChatMappings: () => githubEntityChatMappings,
 	inboxEntries: () => inboxEntries,
 	invitationRedemptions: () => invitationRedemptions,
 	invitations: () => invitations,
@@ -18764,8 +18473,6 @@ var schema_exports = /* @__PURE__ */ __exportAll({
 	pendingQuestions: () => pendingQuestions,
 	serverInstances: () => serverInstances,
 	sessionEvents: () => sessionEvents,
-	taskChats: () => taskChats,
-	tasks: () => tasks,
 	users: () => users
 });
 function connectDatabase(url) {
@@ -20258,7 +19965,6 @@ async function buildApp(config) {
 			await scope.register(orgAdapterStatusRoutes, { prefix: "/adapters/status" });
 			await scope.register(orgOverviewRoutes, { prefix: "/overview" });
 			await scope.register(orgActivityRoutes, { prefix: "/activity" });
-			await scope.register(orgTaskRoutes, { prefix: "/tasks" });
 			await scope.register(orgSessionRoutes, { prefix: "/sessions" });
 			await scope.register(orgNotificationRoutes, { prefix: "/notifications" });
 			await scope.register(orgClientRoutes, { prefix: "/clients" });
@@ -20274,7 +19980,6 @@ async function buildApp(config) {
 			await scope.register(agentActivityRoutes, { prefix: "/agents" });
 			await scope.register(sessionRoutes, { prefix: "/agents" });
 			await scope.register(chatRoutes, { prefix: "/chats" });
-			await scope.register(taskRoutes, { prefix: "/tasks" });
 			await scope.register(adapterRoutes, { prefix: "/adapters" });
 			await scope.register(adapterMappingRoutes, { prefix: "/adapter-mappings" });
 			await scope.register(clientRoutes, { prefix: "/clients" });
@@ -20286,7 +19991,6 @@ async function buildApp(config) {
 			await scope.register(agentSendToAgentRoutes, { prefix: "/agents" });
 			await scope.register(agentInboxRoutes, { prefix: "/inbox" });
 			await scope.register(agentConfigRoutes$1);
-			await scope.register(agentTaskRoutes, { prefix: "/tasks" });
 			await scope.register(agentFeishuBotRoutes);
 			await scope.register(agentFeishuUserRoutes, { prefix: "/delegated" });
 		}), { prefix: "/agent" });
@@ -20897,4 +20601,4 @@ function registerSaaSConnectCommand(program) {
 	});
 }
 //#endregion
-export { formatStaleReason as $, checkDocker as A, isServiceSupported as B, createApiNameResolver as C, checkBackgroundService as D, checkAgentConfigs as E, checkWebSocket as F, uninstallClientService as G, restartClientService as H, printResults as I, stopPostgres as J, ensurePostgres as K, reconcileAgentConfigs as L, checkServerConfig as M, checkServerHealth as N, checkClientConfig as O, checkServerReachable as P, findStaleAliases as Q, getClientServiceStatus as R, runHomeMigration as S, runMigrations as T, startClientService as U, resolveCliInvocation as V, stopClientService as W, handleClientOrgMismatch as X, ClientRuntime as Y, rotateClientIdWithBackup as Z, formatCheckReport as _, declineUpdate as a, success as at, onboardCreate as b, detectInstallMode as c, FirstTreeHubSDK as ct, startServer as d, cleanWorkspaces as dt, removeLocalAgent as et, reconcileLocalRuntimeProviders as f, probeCapabilities as ft, promptMissingFields as g, promptAddAgent as h, createExecuteUpdate as i, fail as it, checkNodeVersion as j, checkDatabase as k, fetchLatestVersion as l, SdkError as lt, isInteractive as m, configureClientLoggerForService as mt, deriveHubUrlFromToken as n, hasUser as nt, promptUpdate as o, ClientOrgMismatchError as ot, uploadClientCapabilities as p, applyClientLoggerConfig as pt, isDockerAvailable as q, registerSaaSConnectCommand as r, resolveReplyToFromEnv as rt, PACKAGE_NAME as s, ClientUserMismatchError as st, HubUrlDerivationError as t, createOwner as tt, installGlobalLatest as u, SessionRegistry as ut, loadOnboardState as v, migrateLocalAgentDirs as w, saveOnboardState as x, onboardCheck as y, installClientService as z };
+export { formatStaleReason as $, checkDocker as A, isServiceSupported as B, createApiNameResolver as C, checkBackgroundService as D, checkAgentConfigs as E, checkWebSocket as F, uninstallClientService as G, restartClientService as H, printResults as I, stopPostgres as J, ensurePostgres as K, reconcileAgentConfigs as L, checkServerConfig as M, checkServerHealth as N, checkClientConfig as O, checkServerReachable as P, findStaleAliases as Q, getClientServiceStatus as R, runHomeMigration as S, runMigrations as T, startClientService as U, resolveCliInvocation as V, stopClientService as W, handleClientOrgMismatch as X, ClientRuntime as Y, rotateClientIdWithBackup as Z, formatCheckReport as _, declineUpdate as a, fail as at, onboardCreate as b, detectInstallMode as c, ClientUserMismatchError as ct, startServer as d, SessionRegistry as dt, removeLocalAgent as et, reconcileLocalRuntimeProviders as f, cleanWorkspaces as ft, promptMissingFields as g, promptAddAgent as h, configureClientLoggerForService as ht, createExecuteUpdate as i, resolveSenderName as it, checkNodeVersion as j, checkDatabase as k, fetchLatestVersion as l, FirstTreeHubSDK as lt, isInteractive as m, applyClientLoggerConfig as mt, deriveHubUrlFromToken as n, hasUser as nt, promptUpdate as o, success as ot, uploadClientCapabilities as p, probeCapabilities as pt, isDockerAvailable as q, registerSaaSConnectCommand as r, resolveReplyToFromEnv as rt, PACKAGE_NAME as s, ClientOrgMismatchError as st, HubUrlDerivationError as t, createOwner as tt, installGlobalLatest as u, SdkError as ut, loadOnboardState as v, migrateLocalAgentDirs as w, saveOnboardState as x, onboardCheck as y, installClientService as z };