@agent-team-foundation/first-tree-hub 0.14.2 → 0.14.4

package/dist/{saas-connect-DgCSZ8Yk.mjs → saas-connect-Da55XxRX.mjs}

@@ -1,11 +1,11 @@
 import { a as __toCommonJS, o as __toESM, t as __commonJSMin } from "./chunk-BSw8zbkd.mjs";
 import { A as FIRST_TREE_HUB_ATTR, C as stampOrgScope, D as untrustedAttrs, E as startWsConnectionSpan, M as require_pino, O as withSpan, S as stampChatResource, _ as rootLogger$1, a as buildRateLimitError, c as currentTraceId, g as reportErrorToRoot, i as bodyCaptureOnSendHook, j as redactUrl, k as withWsMessageSpan, l as decodeJwtForTrace, m as observabilityPlugin, n as applyLoggerConfig, o as classifyJoseError, r as attachRequestContext, s as createLogger$1, t as adapterAttrs, u as endWsConnectionSpan, x as stampAgentResource, y as setWsConnectionAttrs } from "./observability-BAScT_5S-BcW9HgkG.mjs";
-import { C as resetConfigMeta, E as setConfigValue, S as resetConfig, T as serverConfigSchema, b as migrateLegacyHome, c as resolveServerUrl, d as DEFAULT_CONFIG_DIR, f as DEFAULT_DATA_DIR$1, g as collectMissingPrompts, h as clientConfigSchema, i as ensureFreshAccessToken, l as saveAgentConfig, m as agentConfigSchema, o as loadCredentials, p as DEFAULT_HOME_DIR$1, u as saveCredentials, v as initConfig, w as resolveConfigReadonly, y as loadAgents } from "./bootstrap-C15ZBOCC.mjs";
+import { C as resetConfigMeta, E as setConfigValue, S as resetConfig, T as serverConfigSchema, b as migrateLegacyHome, c as resolveServerUrl, d as DEFAULT_CONFIG_DIR, f as DEFAULT_DATA_DIR$1, g as collectMissingPrompts, h as clientConfigSchema, i as ensureFreshAccessToken, l as saveAgentConfig, m as agentConfigSchema, o as loadCredentials, p as DEFAULT_HOME_DIR$1, u as saveCredentials, v as initConfig, w as resolveConfigReadonly, y as loadAgents } from "./bootstrap-CQQGgIx1.mjs";
 import { a as print, i as blank, n as CLI_USER_AGENT, r as COMMAND_VERSION, s as status, t as cliFetch } from "./cli-fetch--tiwKm5S.mjs";
-import { $ as listMeChatSourceCountsQuerySchema, A as createMeChatSchema, At as updateOrganizationSchema, B as githubAppInstallationClaimBodySchema, C as clientRegisterSchema, Ct as submitQuestionAnswerSchema, D as createAdapterMappingSchema, Dt as updateChatSchema, E as createAdapterConfigSchema, Et as updateAgentSchema, F as delegateFeishuUserSchema, G as imageInlineContentSchema, H as githubCallbackQuerySchema, I as dryRunAgentRuntimeConfigSchema, J as inboxPollQuerySchema, K as inboxAckFrameSchema, M as createOrgFromMeSchema, O as createAgentSchema, Ot as updateClientCapabilitiesSchema, Q as joinByInvitationSchema, R as getMeDocResponseSchema, T as contextTreeSnapshotSchema, Tt as updateAgentRuntimeConfigSchema, U as githubDevCallbackQuerySchema, V as githubAppInstallationPermissionsSchema$1, W as githubStartQuerySchema, X as isRedactedEnvValue, Y as isOrgSettingNamespace, _ as agentBindRequestSchema, _t as sendToAgentSchema, at as paginationQuerySchema, b as agentTypeSchema$1, bt as sessionReconcileRequestSchema, dt as refreshTokenSchema, et as listMeChatsQuerySchema, f as NOTIFICATION_TYPES, ft as runtimeStateMessageSchema, g as addParticipantSchema, gt as sendMessageSchema, h as addMeChatParticipantsSchema, ht as selfServiceFeishuBotSchema, i as AGENT_STATUSES, it as onboardingEventSchema, j as createMemberSchema, jt as wsAuthFrameSchema, k as createChatSchema, kt as updateMemberSchema, m as WS_AUTH_FRAME_TIMEOUT_MS, o as AGENT_VISIBILITY, ot as patchChatEngagementSchema, p as ORG_SETTINGS_NAMESPACES$1, pt as safeRedirectPath, q as inboxDeliverFrameSchema$1, r as AGENT_SELECTOR_HEADER$1, rt as notificationQuerySchema, s as CHAT_ENGAGEMENT_STATUSES, st as patchOnboardingSchema, t as AGENT_BIND_REJECT_REASONS, tt as loginSchema, ut as rebindAgentSchema, v as agentPinnedMessageSchema$1, vt as sessionEventMessageSchema, w as connectTokenExchangeSchema, wt as updateAdapterConfigSchema, x as chatMetadataSchema$1, xt as sessionStateMessageSchema, y as agentRuntimeConfigPayloadSchema$1, yt as sessionEventSchema$1, z as getMeDocSchema } from "./dist-DmYxT5Kb.mjs";
+import { $ as listMeChatSourceCountsQuerySchema, A as createMeChatSchema, At as updateOrganizationSchema, B as githubAppInstallationClaimBodySchema, C as clientRegisterSchema, Ct as submitQuestionAnswerSchema, D as createAdapterMappingSchema, Dt as updateChatSchema, E as createAdapterConfigSchema, Et as updateAgentSchema, F as delegateFeishuUserSchema, G as imageInlineContentSchema, H as githubCallbackQuerySchema, I as dryRunAgentRuntimeConfigSchema, J as inboxPollQuerySchema, K as inboxAckFrameSchema, M as createOrgFromMeSchema, O as createAgentSchema, Ot as updateClientCapabilitiesSchema, Q as joinByInvitationSchema, R as getMeDocResponseSchema, T as contextTreeSnapshotSchema, Tt as updateAgentRuntimeConfigSchema, U as githubDevCallbackQuerySchema, V as githubAppInstallationPermissionsSchema$1, W as githubStartQuerySchema, X as isRedactedEnvValue, Y as isOrgSettingNamespace, _ as agentBindRequestSchema, _t as sendToAgentSchema, at as paginationQuerySchema, b as agentTypeSchema$1, bt as sessionReconcileRequestSchema, dt as refreshTokenSchema, et as listMeChatsQuerySchema, f as NOTIFICATION_TYPES, ft as runtimeStateMessageSchema, g as addParticipantSchema, gt as sendMessageSchema, h as addMeChatParticipantsSchema, ht as selfServiceFeishuBotSchema, i as AGENT_STATUSES, it as onboardingEventSchema, j as createMemberSchema, jt as wsAuthFrameSchema, k as createChatSchema, kt as updateMemberSchema, m as WS_AUTH_FRAME_TIMEOUT_MS, o as AGENT_VISIBILITY, ot as patchChatEngagementSchema, p as ORG_SETTINGS_NAMESPACES$1, pt as safeRedirectPath, q as inboxDeliverFrameSchema$1, r as AGENT_SELECTOR_HEADER$1, rt as notificationQuerySchema, s as CHAT_ENGAGEMENT_STATUSES, st as patchOnboardingSchema, t as AGENT_BIND_REJECT_REASONS, tt as loginSchema, ut as rebindAgentSchema, v as agentPinnedMessageSchema$1, vt as sessionEventMessageSchema, w as connectTokenExchangeSchema, wt as updateAdapterConfigSchema, x as chatMetadataSchema$1, xt as sessionStateMessageSchema, y as agentRuntimeConfigPayloadSchema$1, yt as sessionEventSchema$1, z as getMeDocSchema } from "./dist-CrdnqZjv.mjs";
 import { a as ClientUserMismatchError$1, c as NotFoundError, d as users, f as uuidv7, i as ClientOrgMismatchError$1, l as UnauthorizedError, n as AppError, o as ConflictError, r as BadRequestError, s as ForbiddenError, u as organizations } from "./uuid-DbS_4vFh-iFghv4zA.mjs";
 import { n as init_esm, r as trace, t as esm_exports } from "./esm-iadMkGbV.mjs";
-import { $ as getSession, $t as suspendSession, A as createAgent, At as pollInbox, B as extractSummary, Bt as resetTimedOutEntries, C as claimAndBuildForPush, Ct as markMeChatRead, D as cleanupStalePresence, Dt as messages, E as cleanupStaleClients, Et as members, F as deriveAuthState, Ft as registerChatMessageDispatcher, G as getAgentAvatarImage, Gt as sendToAgent$1, H as findOrCreateDirectChat, Ht as resolveDefaultOrgId$1, I as disconnectClient, It as registerClient, J as getChatDetail, Jt as setChatEngagement, K as getCachedAudience, Kt as serverInstances, L as editMessage, Lt as removeParticipant, M as createMeChat, Mt as reactivateAgent, N as createNotifier, Nt as rebindAgent, O as clearAgentAvatarImage, Ot as notifyRecipients, P as deleteAgent, Pt as recomputeWatchersForMember, Q as getPresence, Qt as suspendAgent, R as ensureDefaultOrganization, Rt as renewEntry, S as checkAgentNameAvailability, T as claimClient, Tt as markStaleAgents, U as getActivityOverview, Ut as retireClient, V as filterSessionsByParticipant, Vt as resolveChatTitle, W as getAgent, Wt as sendMessage, X as getOnlineCount, Xt as setRuntimeState, Y as getClient, Yt as setOffline, Z as getOrganization, Zt as submitAnswer, _ as assertParticipant, _t as listClients, a as adapterAgentMappings, an as upsertSessionState, at as leaveChat, b as chatUserState, bt as listMeChats, c as addMeChatParticipants, ct as listAgentSessions, d as agentChatSessions, dt as listAgentsManagedByUser, en as touchAgent, et as heartbeatClient, f as agentConfigs, ft as listAgentsWithRuntime, g as assertClientOwner, gt as listChatsForMember, h as archiveSession, ht as listChats, i as ackEntryByIdForBoundAgents, in as updateOrganization, it as joinMeChat, j as createChat, jt as pruneStaleSilentEntries, k as clients, kt as pendingQuestions, l as addParticipant, lt as listAgentsForAdmin, m as agents, mt as listChatParticipantsWithNames, n as SUPPORTED_AVATAR_IMAGE_MIMES, nn as updateAgent, nt as inboxEntries, o as adapterConfigs, ot as leaveMeChat, p as agentPresence, pt as listAllSessions, q as getCallerEngagement, qt as setAgentAvatarImage, r as ackEntry$2, rn as updateClientCapabilities, rt as joinChat, s as addChatParticipants, st as listActiveAgentsPinnedToClient, t as MAX_AVATAR_IMAGE_BYTES, tn as unbindAgent, tt as heartbeatInstance, u as agentAvatarImageUrl, ut as listAgentsForMember, v as bindAgent, vt as listClientsForOrgAdmin, w as claimBacklogForPush, wt as markMeChatUnread, x as chats, xt as listMessages, y as chatMembership, yt as listMeChatSourceCounts, z as ensureParticipant, zt as resetActivity } from "./client-CZ_VnbEc-CBF46cJd.mjs";
+import { $ as getSession, $t as suspendSession, A as createChat, At as pollInbox, B as fetchUserAvatarForHumanAgent, Bt as resolveAvatarImageUrl, C as claimBacklogForPush, Ct as markMeChatRead, D as clearAgentAvatarImage, Dt as messages, E as cleanupStalePresence, Et as members, F as disconnectClient, Ft as registerChatMessageDispatcher, G as getAgentAvatarImage, Gt as sendToAgent$1, H as findOrCreateDirectChat, Ht as resolveDefaultOrgId$1, I as editMessage, It as registerClient, J as getChatDetail, Jt as setChatEngagement, K as getCachedAudience, Kt as serverInstances, L as ensureDefaultOrganization, Lt as removeParticipant, M as createNotifier, Mt as reactivateAgent, N as deleteAgent, Nt as rebindAgent, O as clients, Ot as notifyRecipients, P as deriveAuthState, Pt as recomputeWatchersForMember, Q as getPresence, Qt as suspendAgent, R as ensureParticipant, Rt as resetActivity, S as claimAndBuildForPush, T as cleanupStaleClients, Tt as markStaleAgents, U as getActivityOverview, Ut as retireClient, V as filterSessionsByParticipant, Vt as resolveChatTitle, W as getAgent, Wt as sendMessage, X as getOnlineCount, Xt as setRuntimeState, Y as getClient, Yt as setOffline, Z as getOrganization, Zt as submitAnswer, _ as bindAgent, _t as listClients, a as adapterConfigs, an as upsertSessionState, at as leaveChat, b as chats, bt as listMeChats, c as addParticipant, ct as listAgentSessions, d as agentConfigs, dt as listAgentsManagedByUser, en as touchAgent, et as heartbeatClient, f as agentPresence, ft as listAgentsWithRuntime, g as assertParticipant, gt as listChatsForMember, h as assertClientOwner, ht as listChats, i as adapterAgentMappings, in as updateOrganization, it as joinMeChat, j as createMeChat, jt as pruneStaleSilentEntries, k as createAgent, kt as pendingQuestions, l as agentAvatarImageUrl, lt as listAgentsForAdmin, m as archiveSession, mt as listChatParticipantsWithNames, n as SUPPORTED_AVATAR_IMAGE_MIMES, nn as updateAgent, nt as inboxEntries, o as addChatParticipants, ot as leaveMeChat, p as agents, pt as listAllSessions, q as getCallerEngagement, qt as setAgentAvatarImage, r as ackEntryByIdForBoundAgents, rn as updateClientCapabilities, rt as joinChat, s as addMeChatParticipants, st as listActiveAgentsPinnedToClient, t as MAX_AVATAR_IMAGE_BYTES, tn as unbindAgent, tt as heartbeatInstance, u as agentChatSessions, ut as listAgentsForMember, v as chatMembership, vt as listClientsForOrgAdmin, w as claimClient, wt as markMeChatUnread, x as checkAgentNameAvailability, xt as listMessages, y as chatUserState, yt as listMeChatSourceCounts, z as extractSummary, zt as resetTimedOutEntries } from "./client-BPRIfrOT-CoV_2o7e.mjs";
 import { a as invitationRedemptions, c as recordRedemption, i as getActiveInvitation, l as rotateInvitation, n as ensureActiveInvitation, o as invitations, r as findActiveByToken, t as buildInviteUrl } from "./invitation-D_ENPHyj-5ETiae5r.mjs";
 import { createRequire } from "node:module";
 import { ZodError, z } from "zod";
@@ -850,7 +850,8 @@ z.object({
 	participants: z.array(chatParticipantDetailSchema),
 	title: z.string(),
 	firstMessagePreview: z.string().nullable(),
-	engagementStatus: chatEngagementStatusSchema
+	engagementStatus: chatEngagementStatusSchema,
+	viewerMembershipKind: z.enum(["participant", "watching"]).nullable()
 });
 z.object({ topic: z.string().trim().max(500).nullable() });
 z.object({ agentId: z.string().min(1) });
@@ -887,9 +888,13 @@ z.object({
 * Optional opt-in flags the client carries on `client:register` to advertise
 * which negotiable wire-protocol features it implements. Distinct from
 * `clientCapabilitiesSchema` (per-runtime-provider availability — different
-* concept). Older clients omit the field; the server treats every unset flag
-* as `false` and falls back to the legacy path. See proposal
-* hub-inbox-ws-data-plane §3.6.
+* concept).
+*
+* 0.10.4 ~ 0.14.2 clients still send this block (with `wsInboxDeliver: true`
+* hard-coded). The 0.14.3+ runtime omits it. The schema is retained so that
+* middle-version `client:register` frames still parse, even though the
+* server no longer reads any of these fields — the WS inbox data plane is
+* mandatory on this server build.
 */
 const clientWireCapabilitiesSchema = z.object({ wsInboxDeliver: z.boolean().default(false) }).partial();
 z.object({
@@ -1114,8 +1119,8 @@ z.object({
 });
 /**
 * Server → client WS frame carrying the full image bytes for an image
-* message. Pushed before the corresponding `new_message` notification so
-* the client has the file on disk by the time it polls the message.
+* message. Pushed before the corresponding `inbox:deliver` frame so the
+* client has the file on disk by the time it renders the message.
 *
 * Best-effort: if the target client WS lives on a different server
 * instance (or is offline), the frame is lost and the reference message
@@ -1276,14 +1281,11 @@ z.object({
 }).extend({ message: clientMessageSchema });
 z.object({ limit: z.coerce.number().int().min(1).max(50).default(10) });
 /**
-* server → client: a single inbox entry pushed over the active WS connection,
-* replacing the legacy `new_message` doorbell + HTTP `/inbox` poll round-trip.
+* server → client: a single inbox entry pushed over the active WS connection.
 *
 * `entryId` is the server-side `inbox_entries.id` the client must echo back
-* in `inbox:ack`. `message` is exactly what the legacy poll path returned —
-* `clientMessageSchema` already carries `precedingMessages`, so the client-
-* side dispatch logic is reused verbatim (see proposal
-* hub-inbox-ws-data-plane §3.1).
+* in `inbox:ack`. `clientMessageSchema` carries `precedingMessages`, so the
+* client-side dispatch logic handles the silent-context bundle uniformly.
 *
 * `.passthrough()` so a forward-rolling server may extend the frame without
 * breaking older clients that validate strictly. Older clients drop unknown
@@ -2015,8 +2017,13 @@ z.object({
 /**
 * Negotiable wire-protocol features the server advertises in its `welcome`
 * frame. Older clients drop the `capabilities` field silently because the
-* frame is `.passthrough()`. New clients gate optional code paths on it —
-* absent ⇒ feature off, never assumed.
+* frame is `.passthrough()`.
+*
+* Required by clients in the 0.10.4 ~ 0.14.2 range: those builds read
+* `wsInboxDeliver` here to decide whether to skip the local HTTP poll loop
+* and rely on `inbox:deliver` push frames. The 0.14.3+ runtime ignores the
+* field (push is the only path) but the server still emits it so middle-
+* version clients keep working.
 */
 const serverCapabilitiesSchema = z.object({ wsInboxDeliver: z.boolean().default(false) }).partial();
 /**
@@ -2145,13 +2152,6 @@ defineConfig({
 		refreshTokenExpiry: field(z.string().default("30d"), { env: "FIRST_TREE_HUB_AUTH_REFRESH_TOKEN_EXPIRY" }),
 		connectTokenExpiry: field(z.string().default("10m"), { env: "FIRST_TREE_HUB_AUTH_CONNECT_TOKEN_EXPIRY" })
 	},
-	contextTreeSync: optional({
-		githubToken: field(z.string(), {
-			env: "FIRST_TREE_HUB_CONTEXT_TREE_GITHUB_TOKEN",
-			secret: true
-		}),
-		githubTokenRepos: field(z.string().optional(), { env: "FIRST_TREE_HUB_CONTEXT_TREE_GITHUB_TOKEN_REPOS" })
-	}),
 	oauth: optional({ githubApp: optional({
 		appId: field(z.string().min(1), { env: "FIRST_TREE_HUB_GITHUB_APP_ID" }),
 		clientId: field(z.string().min(1), { env: "FIRST_TREE_HUB_GITHUB_APP_CLIENT_ID" }),
@@ -2407,15 +2407,6 @@ var FirstTreeHubSDK = class {
 			return false;
 		}
 	}
-	async pull(limit = 10) {
-		return { entries: await this.requestJson(`/api/v1/agent/inbox?limit=${limit}`) };
-	}
-	async ack(entryId) {
-		await this.requestVoid(`/api/v1/agent/inbox/${entryId}/ack`, { method: "POST" });
-	}
-	async renew(entryId) {
-		await this.requestVoid(`/api/v1/agent/inbox/${entryId}/renew`, { method: "POST" });
-	}
 	async sendMessage(chatId, data) {
 		return this.requestJson(`/api/v1/agent/chats/${chatId}/messages`, {
 			method: "POST",
@@ -2583,17 +2574,6 @@ const RECONNECT_MAX_MS = 3e4;
 const WS_CONNECT_TIMEOUT_MS = 1e4;
 const HEARTBEAT_INTERVAL_MS = 3e4;
 /**
-* Client-side opt-in for the WS inbox data plane. Gates BOTH the
-* `wireCapabilities.wsInboxDeliver` flag we declare on `client:register`
-* AND how we interpret the server's welcome capability — without this AND,
-* a future client kill-switch could land in a half-state where we tell the
-* server "no thanks" but still treat welcome's `wsInboxDeliver:true` as
-* authoritative and stop the 5s HTTP poll, leaving messages stuck if a
-* NOTIFY ever drops. Hard-coded `true` for now; flip to a config knob if
-* you need a runtime kill-switch.
-*/
-const WS_INBOX_DELIVER_OPT_IN = true;
-/**
 * Unified-user-token C5: reconnect PROACTIVELY this many ms before the JWT's
 * `exp` claim so the client rotates to a fresh JWT without ever hitting the
 * server-side `auth:expired` push. The provider's next `getAccessToken()` call
@@ -2653,15 +2633,6 @@ var ClientConnection = class extends EventEmitter {
 	/** Count of `server:welcome` frames received; drives `isReconnect` flag. */
 	welcomeFramesReceived = 0;
 	/**
-	* Whether the most recent `server:welcome` frame advertised
-	* `capabilities.wsInboxDeliver`. The runtime (AgentSlot) reads this
-	* (via {@link supportsWsInboxDeliver}) to decide whether to keep the
-	* legacy 5s HTTP poll or rely entirely on `inbox:deliver` push frames.
-	* Re-evaluated on every reconnect — the welcome frame is the source of
-	* truth, never assumed sticky across connections.
-	*/
-	wsInboxDeliverActive = false;
-	/**
 	* Last handshake error, stashed for the `close` handler to surface a typed
 	* reason (e.g. {@link ClientOrgMismatchError}) instead of a generic
 	* "closed before ready" when `connect()` is pending.
@@ -2674,11 +2645,11 @@ var ClientConnection = class extends EventEmitter {
 	desiredBindings = /* @__PURE__ */ new Map();
 	pendingBinds = /* @__PURE__ */ new Map();
 	/**
-	* In-flight image writes from recent `image_payload` frames. The server
-	* pushes `image_payload` immediately before firing the `new_message`
-	* notification, but WS message handlers run through EventEmitter (sync
-	* dispatch, no await), so the disk write can still race the HTTP poll
-	* that follows. Defer `new_message` emission until these settle.
+	* In-flight image writes from recent `image_payload` frames. `image_payload`
+	* arrives on the WS just before `inbox:deliver` for the same message, but
+	* the EventEmitter dispatch is sync — so without gating, the deliver
+	* handler can fire before the image bytes hit disk. Block `inbox:deliver`
+	* emission until these settle.
 	*/
 	pendingImageWrites = /* @__PURE__ */ new Set();
 	constructor(config) {
@@ -2699,24 +2670,21 @@ var ClientConnection = class extends EventEmitter {
 		return this.boundAgents;
 	}
 	/**
-	* True when the current connection's `server:welcome` advertised
-	* `capabilities.wsInboxDeliver` — meaning the server will push
-	* `inbox:deliver` frames and accept `inbox:ack` frames over this WS.
-	* Resets to false on every reconnect until the new welcome arrives.
-	*/
-	get supportsWsInboxDeliver() {
-		return this.wsInboxDeliverActive;
-	}
-	/**
-	* Ack a delivered inbox entry over the WS data plane. Replaces the legacy
-	* `sdk.ack()` HTTP call when the connection has negotiated
-	* `wsInboxDeliver`. Safe to call when the WS is closed — the frame is
-	* dropped silently and the entry will time out and re-deliver on
-	* reconnect, mirroring how the legacy timeout reaper handles HTTP
-	* ack-loss.
+	* Ack a delivered inbox entry over the WS data plane. Safe to call when the
+	* WS is closed — the frame is dropped (logged) and the entry will time out
+	* server-side and re-deliver on reconnect. The handler has by then already
+	* started processing, so reaper-driven redelivery surfaces as a duplicate
+	* dispatch on the next connect; SessionManager's dedupe key
+	* `(chatId, messageId)` collapses it.
 	*/
 	sendInboxAck(entryId) {
-		if (!this.ws || this.ws.readyState !== WebSocket.OPEN) return;
+		if (!this.ws || this.ws.readyState !== WebSocket.OPEN) {
+			this.wsLogger.warn({
+				entryId,
+				readyState: this.ws?.readyState
+			}, "inbox:ack dropped — socket not OPEN");
+			return;
+		}
 		this.ws.send(JSON.stringify({
 			type: "inbox:ack",
 			entryId
@@ -2873,7 +2841,6 @@ var ClientConnection = class extends EventEmitter {
 				this.clearAuthRefreshTimer();
 				const wasRegistered = this.registered;
 				this.registered = false;
-				this.wsInboxDeliverActive = false;
 				this.rejectAllPendingBinds("WebSocket closed");
 				if (!settled) {
 					this.wsLogger.warn({ code }, "closed before ready");
@@ -2909,8 +2876,7 @@ var ClientConnection = class extends EventEmitter {
 				clientId: this.clientId,
 				hostname: hostname(),
 				os: platform(),
-				sdkVersion: this.sdkVersion,
-				wireCapabilities: { wsInboxDeliver: WS_INBOX_DELIVER_OPT_IN }
+				sdkVersion: this.sdkVersion
 			}));
 			return;
 		}
@@ -2920,7 +2886,6 @@ var ClientConnection = class extends EventEmitter {
 				this.wsLogger.warn({ issues: parsed.error.issues.map((i) => i.message) }, "ignoring malformed server:welcome frame");
 				return;
 			}
-			this.wsInboxDeliverActive = parsed.data.capabilities?.wsInboxDeliver === true && WS_INBOX_DELIVER_OPT_IN;
 			const isReconnect = this.welcomeFramesReceived > 0;
 			this.welcomeFramesReceived++;
 			this.emit("server:welcome", {
@@ -3058,15 +3023,6 @@ var ClientConnection = class extends EventEmitter {
 			write.finally(() => this.pendingImageWrites.delete(write));
 			return;
 		}
-		if (type === "new_message") {
-			const inboxId = msg.inboxId;
-			if (!inboxId) return;
-			if (this.pendingImageWrites.size > 0) Promise.all([...this.pendingImageWrites]).finally(() => {
-				this.emit("agent:message", inboxId, msg);
-			});
-			else this.emit("agent:message", inboxId, msg);
-			return;
-		}
 		if (type === "inbox:deliver") {
 			const parsed = inboxDeliverFrameSchema.safeParse(msg);
 			if (!parsed.success) {
@@ -6812,18 +6768,13 @@ var SessionManager = class {
 		this.config.onStateChange(chatId, state);
 	}
 	/**
-	* ACK an inbox entry — delayed until handler starts processing.
-	*
-	* Routes through `config.ackEntry` when set (WS push path) or falls back to
-	* `sdk.ack` (HTTP poll path). One ack per entry, one channel per slot —
-	* mixing channels in one slot would leak the server's per-agent in-flight
-	* counter (proposal hub-inbox-ws-data-plane §3.5).
+	* ACK an inbox entry — delayed until handler starts processing. Routes
+	* through `config.ackEntry`, which is wired to the WS data plane.
 	*/
 	async ackEntry(entryId, chatId) {
 		if (entryId === void 0) return;
 		try {
-			if (this.config.ackEntry) await this.config.ackEntry(entryId);
-			else await this.config.sdk.ack(entryId);
+			await this.config.ackEntry(entryId);
 		} catch {
 			this.config.log.warn({
 				chatId,
@@ -6976,9 +6927,7 @@ var AgentSlot = class {
 	sessionManager = null;
 	config;
 	logger;
-	sdk = null;
 	agentConfigCache = null;
-	pollingTimer = null;
 	reconcileTimer = null;
 	listeners = [];
 	/**
@@ -7016,7 +6965,6 @@ var AgentSlot = class {
 	}
 	async start(contextTreeBinding) {
 		const sdk = (await this.clientConnection.bindAgent(this.config.agentId, this.config.runtimeType ?? this.config.type, this.config.runtimeVersion)).sdk;
-		this.sdk = sdk;
 		const agent = await sdk.register();
 		this.logger.info({ displayName: agent.displayName }, "agent bound");
 		if (agent.type === "human") {
@@ -7036,9 +6984,6 @@ var AgentSlot = class {
 			throw new Error(`Hub unreachable while loading agent config: ${msg}`);
 		}
 		this.inboxId = agent.inboxId;
-		const onMessage = (agentId) => {
-			if (agentId === this.config.agentId) this.pullAndDispatch();
-		};
 		const onInboxDeliver = (inboxId, frame) => {
 			if (inboxId !== this.inboxId) return;
 			this.dispatchPushedFrame(frame).catch((err) => {
@@ -7057,14 +7002,10 @@ var AgentSlot = class {
 		const onReconcileResult = (result) => {
 			if (result.agentId === this.config.agentId && this.sessionManager) this.sessionManager.applyStaleChatIds(result.staleChatIds);
 		};
-		this.clientConnection.on("agent:message", onMessage);
 		this.clientConnection.on("inbox:deliver", onInboxDeliver);
 		this.clientConnection.on("agent:bound", onBound);
 		this.clientConnection.on("session:reconcile:result", onReconcileResult);
 		this.listeners.push({
-			event: "agent:message",
-			fn: onMessage
-		}, {
 			event: "inbox:deliver",
 			fn: onInboxDeliver
 		}, {
@@ -7082,10 +7023,10 @@ var AgentSlot = class {
 				agentId: this.config.agentId
 			})
 		});
-		const ackEntry = this.clientConnection.supportsWsInboxDeliver ? (entryId) => {
+		const ackEntry = (entryId) => {
 			this.clientConnection.sendInboxAck(entryId);
 			return Promise.resolve();
-		} : void 0;
+		};
 		this.sessionManager = new SessionManager({
 			session: this.config.session,
 			concurrency: this.config.concurrency,
@@ -7128,24 +7069,15 @@ var AgentSlot = class {
 			event: "session:command",
 			fn: onCommand
 		});
-		this.startPolling();
 		this.startReconcileLoop();
 		return agent;
 	}
 	async stop() {
-		if (this.pollingTimer) {
-			clearInterval(this.pollingTimer);
-			this.pollingTimer = null;
-		}
 		if (this.reconcileTimer) {
 			clearInterval(this.reconcileTimer);
 			this.reconcileTimer = null;
 		}
-		for (const entry of this.listeners) if (entry.event === "agent:message") this.clientConnection.off(entry.event, entry.fn);
-		else if (entry.event === "inbox:deliver") this.clientConnection.off(entry.event, entry.fn);
-		else if (entry.event === "agent:bound") this.clientConnection.off(entry.event, entry.fn);
-		else if (entry.event === "session:reconcile:result") this.clientConnection.off(entry.event, entry.fn);
-		else this.clientConnection.off(entry.event, entry.fn);
+		for (const entry of this.listeners) this.clientConnection.off(entry.event, entry.fn);
 		this.listeners = [];
 		await this.clientConnection.unbindAgent(this.config.agentId);
 		await this.sessionManager?.shutdown();
@@ -7166,31 +7098,18 @@ var AgentSlot = class {
 		const runtimeState = this.sessionManager.getAggregateRuntimeState();
 		if (runtimeState) this.clientConnection.reportRuntimeState(this.config.agentId, runtimeState);
 	}
-	startPolling() {
-		if (this.clientConnection.supportsWsInboxDeliver) {
-			this.logger.info("WS inbox data plane active — skipping 5s HTTP poll");
-			return;
-		}
-		this.pollingTimer = setInterval(() => {
-			this.pullAndDispatch();
-		}, 5e3);
-		this.pullAndDispatch();
-	}
 	/**
 	* Translate an `inbox:deliver` push frame into the {@link InboxEntryWithMessage}
 	* shape `SessionManager.dispatch` expects, then dispatch.
 	*
 	* Ack happens INSIDE `dispatch` via the `ackEntry` callback we pinned at
-	* construction time — for push slots that's `clientConnection.sendInboxAck`,
-	* for poll slots it stays the legacy `sdk.ack`. Sending an additional ack
-	* here would double-ack: HTTP first (`delivered → acked`) followed by a
-	* WS frame the server can no longer match against any `delivered` row,
-	* which leaks the server's per-agent in-flight counter and stalls push
-	* after `inboxMaxInFlightPerAgent` messages.
+	* construction time — `clientConnection.sendInboxAck`. Sending an additional
+	* ack here would double-ack: a WS frame the server cannot match against any
+	* `delivered` row, which leaks the server's per-agent in-flight counter and
+	* stalls push after `inboxMaxInFlightPerAgent` messages.
 	*
 	* Dispatch errors propagate up; the entry stays `delivered` server-side
-	* and the 300s timeout reaper rolls it back to `pending` for replay
-	* (proposal §3.7).
+	* and the 300s timeout reaper rolls it back to `pending` for replay.
 	*/
 	async dispatchPushedFrame(frame) {
 		if (!this.sessionManager) return;
@@ -7218,15 +7137,6 @@ var AgentSlot = class {
 		if (chatIds.length === 0) return;
 		this.clientConnection.sendSessionReconcile(this.config.agentId, chatIds);
 	}
-	async pullAndDispatch() {
-		if (!this.sdk || !this.sessionManager) return;
-		try {
-			const { entries } = await this.sdk.pull(10);
-			for (const entry of entries) await this.sessionManager.dispatch(entry);
-		} catch (err) {
-			this.logger.warn({ err }, "poll error");
-		}
-	}
 };
 /**
 * Top-level marker file Claude Code writes after a successful OAuth login.
@@ -9853,7 +9763,7 @@ async function onboardCreate(args) {
 	}
 	const runtimeAgent = args.type === "human" ? args.assistant : args.id;
 	if (args.feishuBotAppId && args.feishuBotAppSecret) {
-		const { bindFeishuBot } = await import("./feishu-CCWd-JE4.mjs").then((n) => n.r);
+		const { bindFeishuBot } = await import("./feishu-DNoBroKK.mjs").then((n) => n.r);
 		const targetAgentUuid = args.type === "human" ? assistantUuid : primary.uuid;
 		if (!targetAgentUuid) print.line(`Warning: Cannot bind Feishu bot — no runtime agent available for "${args.id}".\n`);
 		else {
@@ -11066,7 +10976,7 @@ function createFeedbackHandler(config) {
 	return { handle };
 }
 //#endregion
-//#region ../server/dist/app-Cv337jed.mjs
+//#region ../server/dist/app-D4mz6WSP.mjs
 var import_fastify_opentelemetry = /* @__PURE__ */ __toESM(require_fastify_opentelemetry(), 1);
 init_esm();
 var __defProp = Object.defineProperty;
@@ -11844,18 +11754,6 @@ async function agentInboxRoutes(app) {
 		const query = inboxPollQuerySchema.parse(request.query);
 		return await pollInbox(app.db, identity.inboxId, query.limit);
 	});
-	app.post("/:entryId/ack", async (request, reply) => {
-		const identity = requireAgent(request);
-		const entryId = Number(request.params.entryId);
-		await ackEntry$2(app.db, entryId, identity.inboxId);
-		return reply.status(204).send();
-	});
-	app.post("/:entryId/renew", async (request, reply) => {
-		const identity = requireAgent(request);
-		const entryId = Number(request.params.entryId);
-		await renewEntry(app.db, entryId, identity.inboxId);
-		return reply.status(204).send();
-	});
 }
 async function agentMeRoutes(app) {
 	app.get("/me", async (request) => {
@@ -11887,11 +11785,11 @@ async function agentMeRoutes(app) {
 *      {imageId, mimeType, filename, size}
 *
 * The push is fire-and-forget: `ws.send()` queues the frame into the socket's
-* send buffer synchronously, which is the only ordering guarantee we need
-* — the subsequent `new_message` notification travels a strictly slower PG
-* NOTIFY round trip, so the image lands first on the wire. Awaiting the TCP
-* flush here would put a slow subscriber's backpressure on the sender's
-* HTTP response for a feature that is already best-effort.
+* send buffer synchronously, which is the only ordering guarantee we need —
+* the subsequent `inbox:deliver` frame is driven by a PG NOTIFY round trip,
+* so the image lands first on the wire. Awaiting the TCP flush here would
+* put a slow subscriber's backpressure on the sender's HTTP response for a
+* feature that is already best-effort.
 *
 * Non-image messages are returned unchanged. Missing-subscriber / wrong-
 * instance cases are acceptable loss per the image-out-of-messages design
@@ -12588,8 +12486,7 @@ async function summarizeContextTreeUsage(db, organizationId, windowDays) {
 /**
 * Default per-agent in-flight cap when `server.inbox.maxInFlightPerAgent` is
 * unset. Mirrors the schema default so a hub running without an explicit
-* `inbox` block still gets reasonable backpressure once `wsDataPlane` is
-* flipped on. See proposal hub-inbox-ws-data-plane §3.5.
+* `inbox` block still gets reasonable backpressure.
 */
 const DEFAULT_INBOX_MAX_IN_FLIGHT_PER_AGENT = 32;
 /**
@@ -12634,23 +12531,12 @@ function clientWsRoutes(notifier, instanceId) {
 			let authExpiryTimer = null;
 			const boundAgents = /* @__PURE__ */ new Map();
 			/**
-			* Whether the connected client opted into the WS inbox data plane via
-			* `client:register.wireCapabilities.wsInboxDeliver`. Set per-socket
-			* because client SDKs are upgraded independently — an old client
-			* connecting to a new server must keep receiving the legacy
-			* `new_message` doorbell + HTTP poll path (proposal §3.6).
-			*/
-			let clientWantsWsInboxDeliver = false;
-			/**
 			* Per-agent in-flight `inbox:deliver` counter for backpressure. Lives on
 			* the socket — when the WS closes it goes with it; that's intentional,
 			* because re-counting on a fresh connection would bias the cap against
-			* a healthy reconnect (proposal §3.5).
+			* a healthy reconnect.
 			*/
 			const inboxInFlight = /* @__PURE__ */ new Map();
-			function pushUseWsDataPlane() {
-				return clientWantsWsInboxDeliver;
-			}
 			/**
 			* Returns `false` when the socket has already moved out of `OPEN` —
 			* the only failure mode the caller can observe synchronously.
@@ -12893,7 +12779,6 @@ function clientWsRoutes(notifier, instanceId) {
 					try {
 						if (type === "client:register") {
 							const data = clientRegisterSchema.parse(msg);
-							clientWantsWsInboxDeliver = data.wireCapabilities?.wsInboxDeliver === true;
 							let placeholderOrgId = jwtDefaultOrgId;
 							if (!placeholderOrgId) {
 								const [m] = await app.db.select({ organizationId: members.organizationId }).from(members).where(and(eq(members.userId, session.userId), eq(members.status, "active"))).orderBy(desc(members.createdAt), desc(members.id)).limit(1);
@@ -13031,9 +12916,7 @@ function clientWsRoutes(notifier, instanceId) {
 								inboxId: agent.inboxId,
 								organizationId: agent.organizationId
 							});
-							const wsPushActive = pushUseWsDataPlane();
-							if (wsPushActive) notifier.subscribe(agent.inboxId, socket, makeInboxPushHandler(agent.id, agent.inboxId));
-							else notifier.subscribe(agent.inboxId, socket);
+							notifier.subscribe(agent.inboxId, socket, makeInboxPushHandler(agent.id, agent.inboxId));
 							socket.send(JSON.stringify({
 								type: "agent:bound",
 								ref,
@@ -13041,7 +12924,7 @@ function clientWsRoutes(notifier, instanceId) {
 								displayName: agent.displayName,
 								agentType: agent.type
 							}));
-							if (wsPushActive) drainBacklogForAgent(agent.id, agent.inboxId).catch((err) => {
+							drainBacklogForAgent(agent.id, agent.inboxId).catch((err) => {
 								app.log.error({
 									err,
 									agentId: agent.id
@@ -13162,6 +13045,14 @@ function clientWsRoutes(notifier, instanceId) {
 						} else if (type === "inbox:ack") {
 							const payloadResult = inboxAckFrameSchema.safeParse(msg);
 							if (!payloadResult.success) {
+								app.log.warn({
+									clientId,
+									issues: payloadResult.error.issues.map((i) => ({
+										path: i.path.join("."),
+										code: i.code,
+										message: i.message
+									}))
+								}, "malformed inbox:ack frame — replying error");
 								socket.send(JSON.stringify({
 									type: "error",
 									message: "Malformed inbox:ack frame"
@@ -13171,7 +13062,14 @@ function clientWsRoutes(notifier, instanceId) {
 							const { entryId } = payloadResult.data;
 							try {
 								const ackedEntry = await ackEntryByIdForBoundAgents(app.db, entryId, [...boundAgents.values()].map((a) => a.inboxId));
-								if (!ackedEntry) return;
+								if (!ackedEntry) {
+									app.log.debug({
+										clientId,
+										entryId,
+										boundInboxes: boundAgents.size
+									}, "inbox:ack matched no row — stale ack or reaper race");
+									return;
+								}
 								const owner = [...boundAgents.values()].find((a) => a.inboxId === ackedEntry.inboxId);
 								if (owner) {
 									inboxInFlight.set(owner.agentId, Math.max(0, (inboxInFlight.get(owner.agentId) ?? 1) - 1));
@@ -13237,17 +13135,23 @@ async function agentActivityRoutes(app) {
 /**
 * Project a DB agent row into its wire shape. Strips the inline image
 * `avatarImageData` (large bytea, only meant for the image-serve route)
-* and synthesises the public `avatarImageUrl` from the upload timestamp.
-* `createdAt`/`updatedAt` are coerced to ISO strings so the response is
-* pure JSON.
+* and synthesises the public `avatarImageUrl` via {@link resolveAvatarImageUrl}
+* so human agents fall back to the backing user's external avatar URL
+* (e.g. GitHub) when no upload exists. `createdAt`/`updatedAt` are
+* coerced to ISO strings so the response is pure JSON.
 */
-function serializeAgent(agent) {
+function serializeAgent(agent, userAvatarUrl) {
 	const { avatarImageData: _data, avatarImageMime: _mime, avatarImageUpdatedAt, createdAt, updatedAt, ...rest } = agent;
 	return {
 		...rest,
 		createdAt: createdAt.toISOString(),
 		updatedAt: updatedAt.toISOString(),
-		avatarImageUrl: agentAvatarImageUrl(agent.uuid, avatarImageUpdatedAt ?? null)
+		avatarImageUrl: resolveAvatarImageUrl({
+			uuid: agent.uuid,
+			type: agent.type,
+			avatarImageUpdatedAt,
+			userAvatarUrl
+		})
 	};
 }
 /**
@@ -13279,7 +13183,7 @@ async function agentRoutes(app) {
 	}
 	app.get("/:uuid", async (request) => {
 		const { agent } = await requireAgentAccess(request, app.db, "visible");
-		return serializeAgent(agent);
+		return serializeAgent(agent, await fetchUserAvatarForHumanAgent(app.db, agent));
 	});
 	app.patch("/:uuid", { config: { otelRecordBody: true } }, async (request) => {
 		const { scope } = await requireAgentAccess(request, app.db, "manage");
@@ -13288,14 +13192,14 @@ async function agentRoutes(app) {
 		const before = body.clientId !== void 0 ? await getAgent(app.db, request.params.uuid) : null;
 		const agent = await updateAgent(app.db, request.params.uuid, body);
 		if (before && before.clientId === null && agent.clientId !== null) notifyClientAgentPinned(agent);
-		return serializeAgent(agent);
+		return serializeAgent(agent, await fetchUserAvatarForHumanAgent(app.db, agent));
 	});
 	app.patch("/:uuid/rebind", { config: { otelRecordBody: true } }, async (request) => {
 		await requireAgentAccess(request, app.db, "manage");
 		const body = rebindAgentSchema.parse(request.body);
 		const agent = await rebindAgent(app.db, request.params.uuid, body);
 		notifyClientAgentPinned(agent);
-		return serializeAgent(agent);
+		return serializeAgent(agent, await fetchUserAvatarForHumanAgent(app.db, agent));
 	});
 	app.post("/:uuid/disconnect", async (request, reply) => {
 		await requireAgentAccess(request, app.db, "manage");
@@ -13305,11 +13209,13 @@ async function agentRoutes(app) {
 	});
 	app.post("/:uuid/suspend", async (request) => {
 		await requireAgentAccess(request, app.db, "manage");
-		return serializeAgent(await suspendAgent(app.db, request.params.uuid));
+		const agent = await suspendAgent(app.db, request.params.uuid);
+		return serializeAgent(agent, await fetchUserAvatarForHumanAgent(app.db, agent));
 	});
 	app.post("/:uuid/reactivate", async (request) => {
 		await requireAgentAccess(request, app.db, "manage");
-		return serializeAgent(await reactivateAgent(app.db, request.params.uuid));
+		const agent = await reactivateAgent(app.db, request.params.uuid);
+		return serializeAgent(agent, await fetchUserAvatarForHumanAgent(app.db, agent));
 	});
 	app.delete("/:uuid", async (request, reply) => {
 		await requireAgentAccess(request, app.db, "manage");
@@ -13859,6 +13765,7 @@ const APP_JWT_EXPIRY = "9m";
 * caller's side; the docs recommend 60 seconds. We mirror that.
 */
 const APP_JWT_IAT_SKEW_SECONDS = 60;
+const APP_INSTALLATION_TOKEN_URL = (id) => `https://api.github.com/app/installations/${id}/access_tokens`;
 const APP_INSTALLATION_URL = (id) => `https://api.github.com/app/installations/${id}`;
 const OAUTH_TOKEN_URL = "https://github.com/login/oauth/access_token";
 const OAUTH_AUTHORIZE_URL = "https://github.com/login/oauth/authorize";
@@ -13963,6 +13870,39 @@ async function listUserAccessibleInstallationIds(userAccessToken, opts = {}) {
 	return out;
 }
 /**
+* Mint a per-installation token (server-to-server). The token is cheap
+* (one signature + one HTTP round-trip) and the upstream TTL is ~1h, so
+* the recommended caller pattern is "mint per request" rather than caching
+* — caching forces the caller to also track expiry, suspended state, and
+* GitHub-side permission churn, which the design explicitly punts to Phase
+* 4. We give callers a typed result and let them cache if profiling shows
+* the round-trip is hot.
+*
+* Throws `GithubAppApiError` on non-2xx. 401 means the App JWT is bad or
+* the App's key has been rotated upstream; 404 means the installation
+* was uninstalled. Callers SHOULD persist the suspension state when 403
+* comes back with `suspended` (the design tracks this as `suspended_at`
+* on `github_app_installations`).
+*/
+async function mintInstallationToken(appJwt, installationId, opts = {}) {
+	const res = await (opts.fetcher ?? fetch)(APP_INSTALLATION_TOKEN_URL(installationId), {
+		method: "POST",
+		headers: {
+			Authorization: `Bearer ${appJwt}`,
+			Accept: "application/vnd.github+json",
+			"X-GitHub-Api-Version": "2022-11-28"
+		}
+	});
+	if (!res.ok) throw new GithubAppApiError(res.status, `GitHub App installation-token request failed (${res.status})`);
+	const body = await res.json();
+	return {
+		token: body.token,
+		expiresAt: body.expires_at,
+		permissions: body.permissions ?? {},
+		repositorySelection: body.repository_selection ?? "all"
+	};
+}
+/**
 * Trade an expiring user-to-server access token for a fresh pair using
 * its refresh token. Thrown on:
 *   - Network / 5xx           — `GithubAppApiError(status, …)`
@@ -15068,11 +15008,14 @@ async function chatRoutes(app) {
 		}));
 		const title = resolveChatTitle(chat.topic, firstMessagePreview, participantsForTitle, scope.humanAgentId);
 		const engagementStatus = await getCallerEngagement(app.db, chat.id, scope.humanAgentId);
+		const [callerMembership] = await app.db.select({ accessMode: chatMembership.accessMode }).from(chatMembership).where(and(eq(chatMembership.chatId, chat.id), eq(chatMembership.agentId, scope.humanAgentId))).limit(1);
+		const viewerMembershipKind = callerMembership ? callerMembership.accessMode === "speaker" ? "participant" : "watching" : null;
 		return {
 			...chat,
 			title,
 			firstMessagePreview,
 			engagementStatus,
+			viewerMembershipKind,
 			createdAt: chat.createdAt.toISOString(),
 			updatedAt: chat.updatedAt.toISOString(),
 			participants: participants.map((p) => ({
@@ -15695,6 +15638,26 @@ function normalizeRemoteRepoUrl(value) {
 	if (/^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+(?:\.git)?$/.test(value)) return `https://github.com/${value}`;
 	return value;
 }
+/**
+* Whether this binding actually drives a GitHub-hosted remote fetch — the
+* only case where minting a GitHub App installation token is meaningful.
+*
+* Returns false when:
+*  - `localPath` is set (sync code short-circuits to the local checkout
+*    before ever looking at `repo`)
+*  - `repo` is missing
+*  - `repo` is a file:// URL, a non-GitHub HTTPS URL, or otherwise
+*    unparseable
+*
+* Used by the snapshot routes to gate the "install the GitHub App"
+* guidance — without this gate, every unavailable snapshot (missing repo,
+* bad branch, …) gets a misleading App-install hint appended.
+*/
+function isGithubRemoteBinding(binding) {
+	if (binding.localPath && binding.localPath.trim().length > 0) return false;
+	if (!binding.repo) return false;
+	return isGithubHttpsRepo(normalizeRemoteRepoUrl(binding.repo));
+}
 function managedContextTreeCacheRoot() {
 	return join(DEFAULT_DATA_DIR$1, "context-tree-repos");
 }
@@ -15868,7 +15831,7 @@ function errorMessage(error) {
 	return redactSecret(error.message.trim().split("\n")[0] ?? "");
 }
 function redactSecret(message) {
-	return message.replace(/(https?:\/\/)[^/@\s]+@/g, "$1[redacted]@").replace(/\bghp_[A-Za-z0-9_]+/g, "[redacted]").replace(/\bgithub_pat_[A-Za-z0-9_]+/g, "[redacted]");
+	return message.replace(/(https?:\/\/)[^/@\s]+@/g, "$1[redacted]@").replace(/\b(?:ghp|ghs|ghu|gho|ghr)_[A-Za-z0-9_]+/g, "[redacted]").replace(/\bgithub_pat_[A-Za-z0-9_]+/g, "[redacted]");
 }
 function unavailableSnapshot(repo, branch, detail) {
 	return {
@@ -16448,6 +16411,80 @@ function ghostNodeId(path) {
 function toPosix(path) {
 	return sep === "/" ? path : path.split(sep).join("/");
 }
+/**
+* Mint a short-lived GitHub App installation token for the given installation.
+* Returns `ok: false` (with a precise reason) when the org has no App
+* configured, no installation row, the installation is suspended, or GitHub
+* rejects the mint — callers fall back to unauthenticated git fetch (public
+* repos still resolve; private repos surface as an unavailable snapshot
+* with a remediation message).
+*
+* Takes the `installation` row directly so the helper has no DB dependency
+* — route handlers do the `findInstallationByOrg` lookup themselves. Keeps
+* this module a pure transform that's trivial to unit-test.
+*
+* Credentials use the narrow `GithubAppCredentials` shape so the helper
+* isn't coupled to the broader OAuth config surface; callers pass
+* `config.oauth?.githubApp`, which structurally satisfies it.
+*/
+async function mintContextTreeInstallationToken(installation, appCredentials, options = {}) {
+	if (!appCredentials) return {
+		ok: false,
+		reason: "no-app-config"
+	};
+	if (!installation) return {
+		ok: false,
+		reason: "no-installation"
+	};
+	if (installation.suspendedAt) return {
+		ok: false,
+		reason: "suspended"
+	};
+	try {
+		return {
+			ok: true,
+			token: (await mintInstallationToken(await createAppJwt({
+				appId: appCredentials.appId,
+				privateKeyPem: appCredentials.privateKeyPem
+			}), installation.installationId, { fetcher: options.fetcher })).token
+		};
+	} catch (error) {
+		return {
+			ok: false,
+			reason: "mint-failed",
+			detail: error instanceof GithubAppApiError ? `GitHub returned ${error.status} when minting an installation token.` : "Hub could not mint a GitHub App installation token."
+		};
+	}
+}
+/**
+* Append a remediation hint to an unavailable snapshot's `contextStatus.detail`
+* when the underlying cause is a missing / suspended / failed GitHub App token
+* mint. Public-repo snapshots (mint reason `no-app-config`) are left untouched
+* — the deployment may legitimately have no App configured.
+*
+* Gated on `isGithubRemoteBinding(binding)` so unrelated unavailable
+* reasons (no repo configured, localPath missing, illegal branch name,
+* public-repo fetch error) don't get a misleading "install the GitHub
+* App" hint appended.
+*
+* Lives next to `mintContextTreeInstallationToken` so the two routes that
+* call mint share one shaping function; the snapshot service itself stays
+* token-agnostic.
+*/
+function decorateSnapshotWithMintGuidance(snapshot, binding, mintResult) {
+	if (mintResult.ok) return snapshot;
+	if (snapshot.snapshotStatus !== "unavailable") return snapshot;
+	if (mintResult.reason === "no-app-config") return snapshot;
+	if (!isGithubRemoteBinding(binding)) return snapshot;
+	const guidance = mintResult.reason === "no-installation" ? "Install the First Tree GitHub App from Team Settings and grant it access to this repo." : mintResult.reason === "suspended" ? "The GitHub App installation is suspended — unsuspend it from your GitHub account settings." : `Hub could not mint a GitHub App installation token.${mintResult.detail ? ` ${mintResult.detail}` : ""}`;
+	return {
+		...snapshot,
+		contextStatus: {
+			...snapshot.contextStatus,
+			detail: `${snapshot.contextStatus.detail} ${guidance}`
+		}
+	};
+}
 const querySchema$1 = z.object({ window: z.enum([
 	"1d",
 	"7d",
@@ -16463,12 +16500,15 @@ async function contextTreeSnapshotRoutes(app) {
 		const { userId } = requireUser(request);
 		const orgId = await resolveUserPrimaryOrgId(app.db, userId);
 		const binding = orgId ? await getOrgContextTree(app.db, orgId) : {};
-		const githubToken = contextTreeGithubTokenForRepo(binding.repo, app.config.contextTreeSync);
+		let mintResult = null;
+		if (orgId && isGithubRemoteBinding(binding)) mintResult = await mintContextTreeInstallationToken(await findInstallationByOrg(app.db, orgId), app.config.oauth?.githubApp);
+		const githubToken = mintResult?.ok ? mintResult.token : void 0;
 		const window = query.window ?? "7d";
-		const snapshot = await getContextTreeSnapshot({
+		const rawSnapshot = await getContextTreeSnapshot({
 			...binding,
 			githubToken
 		}, window);
+		const snapshot = mintResult ? decorateSnapshotWithMintGuidance(rawSnapshot, binding, mintResult) : rawSnapshot;
 		const usage = orgId ? await summarizeContextTreeUsage(app.db, orgId, contextTreeSnapshotWindowDays(window)) : snapshot.usage;
 		return contextTreeSnapshotSchema.parse({
 			...snapshot,
@@ -16476,31 +16516,6 @@ async function contextTreeSnapshotRoutes(app) {
 		});
 	});
 }
-function contextTreeGithubTokenForRepo(repo, syncConfig) {
-	if (!repo || !syncConfig?.githubToken) return void 0;
-	const repoKey = githubRepoKey(repo);
-	if (!repoKey) return void 0;
-	return new Set((syncConfig.githubTokenRepos ?? "").split(",").map((entry) => normalizeGithubRepoKey(entry)).filter((entry) => entry !== null)).has(repoKey) ? syncConfig.githubToken : void 0;
-}
-function githubRepoKey(value) {
-	const shorthand = normalizeGithubRepoKey(value);
-	if (shorthand) return shorthand;
-	let url;
-	try {
-		url = new URL(value);
-	} catch {
-		return null;
-	}
-	if (url.protocol !== "https:" || url.hostname.toLowerCase() !== "github.com") return null;
-	if (url.username || url.password) return null;
-	return normalizeGithubRepoKey(url.pathname.replace(/^\/+/, ""));
-}
-function normalizeGithubRepoKey(value) {
-	const trimmed = value.trim().replace(/^\/+/, "").replace(/\.git$/i, "");
-	const match = /^([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+)$/.exec(trimmed);
-	if (!match) return null;
-	return `${match[1]?.toLowerCase()}/${match[2]?.toLowerCase()}`;
-}
 /**
 * Resolve the client IP for rate-limit attribution.
 *
@@ -16602,7 +16617,7 @@ async function healthzRoutes(app) {
 * `api/orgs/invitations.ts` (Class B, admin-gated).
 */
 async function publicInvitationRoutes(app) {
-	const { previewInvitation } = await import("./invitation-C9m2gQx4-CkwWteA3.mjs");
+	const { previewInvitation } = await import("./invitation-C9m2gQx4-C_4f5VTs.mjs");
 	app.get("/:token/preview", async (request, reply) => {
 		if (!request.params.token) throw new UnauthorizedError("Token required");
 		const preview = await previewInvitation(app.db, request.params.token);
@@ -16881,7 +16896,13 @@ async function meRoutes(app) {
 			inboxId: r.inboxId,
 			visibility: r.visibility,
 			runtimeProvider: r.runtimeProvider,
-			clientId: r.clientId
+			clientId: r.clientId,
+			avatarImageUrl: resolveAvatarImageUrl({
+				uuid: r.uuid,
+				type: r.type,
+				avatarImageUpdatedAt: r.avatarImageUpdatedAt,
+				userAvatarUrl: r.userAvatarUrl
+			})
 		}));
 	});
 	/**
@@ -16891,7 +16912,7 @@ async function meRoutes(app) {
 	*/
 	app.get("/me/pinned-agents", async (request) => {
 		const { userId } = requireUser(request);
-		const { listMyPinnedAgents } = await import("./client-CDw0f-kN-BPzOVd8L.mjs");
+		const { listMyPinnedAgents } = await import("./client-CEdYVnoj-BGiGcJbH.mjs");
 		return listMyPinnedAgents(app.db, { userId });
 	});
 	/**
@@ -17275,7 +17296,7 @@ async function orgAgentRoutes(app) {
 		const { type } = listAgentsFilterSchema.parse(request.query);
 		const result = await listAgentsForMember(app.db, scope, query.limit, query.cursor, type);
 		return {
-			items: result.items.map(({ avatarImageUpdatedAt, ...a }) => ({
+			items: result.items.map(({ avatarImageUpdatedAt, userAvatarUrl, ...a }) => ({
 				...a,
 				managerId: a.managerId ?? null,
 				presenceStatus: a.presenceStatus ?? "offline",
@@ -17285,7 +17306,12 @@ async function orgAgentRoutes(app) {
 				runtimeType: a.runtimeType ?? null,
 				runtimeState: a.runtimeState ?? null,
 				activeSessions: a.activeSessions ?? null,
-				avatarImageUrl: agentAvatarImageUrl(a.uuid, avatarImageUpdatedAt)
+				avatarImageUrl: resolveAvatarImageUrl({
+					uuid: a.uuid,
+					type: a.type,
+					avatarImageUpdatedAt,
+					userAvatarUrl
+				})
 			})),
 			nextCursor: result.nextCursor
 		};
@@ -17301,7 +17327,7 @@ async function orgAgentRoutes(app) {
 		const query = paginationQuerySchema.parse(request.query);
 		const result = await listAgentsForAdmin(app.db, scope, query.limit, query.cursor);
 		return {
-			items: result.items.map(({ avatarImageUpdatedAt, ...a }) => ({
+			items: result.items.map(({ avatarImageUpdatedAt, userAvatarUrl, ...a }) => ({
 				...a,
 				managerId: a.managerId ?? null,
 				presenceStatus: a.presenceStatus ?? "offline",
@@ -17311,7 +17337,12 @@ async function orgAgentRoutes(app) {
 				runtimeType: a.runtimeType ?? null,
 				runtimeState: a.runtimeState ?? null,
 				activeSessions: a.activeSessions ?? null,
-				avatarImageUrl: agentAvatarImageUrl(a.uuid, avatarImageUpdatedAt)
+				avatarImageUrl: resolveAvatarImageUrl({
+					uuid: a.uuid,
+					type: a.type,
+					avatarImageUpdatedAt,
+					userAvatarUrl
+				})
 			})),
 			nextCursor: result.nextCursor
 		};
@@ -17467,12 +17498,15 @@ async function orgContextTreeSnapshotRoutes(app) {
 		const query = querySchema.parse(request.query);
 		const scope = await requireOrgMembership(request, app.db);
 		const binding = await getOrgContextTree(app.db, scope.organizationId);
-		const githubToken = contextTreeGithubTokenForRepo(binding.repo, app.config.contextTreeSync);
+		let mintResult = null;
+		if (isGithubRemoteBinding(binding)) mintResult = await mintContextTreeInstallationToken(await findInstallationByOrg(app.db, scope.organizationId), app.config.oauth?.githubApp);
+		const githubToken = mintResult?.ok ? mintResult.token : void 0;
 		const window = query.window ?? "7d";
-		const snapshot = await getContextTreeSnapshot({
+		const rawSnapshot = await getContextTreeSnapshot({
 			...binding,
 			githubToken
 		}, window);
+		const snapshot = mintResult ? decorateSnapshotWithMintGuidance(rawSnapshot, binding, mintResult) : rawSnapshot;
 		const usage = await summarizeContextTreeUsage(app.db, scope.organizationId, contextTreeSnapshotWindowDays(window));
 		return contextTreeSnapshotSchema.parse({
 			...snapshot,
@@ -21226,7 +21260,7 @@ function detectInstallMode(argv1 = process.argv[1] ?? "") {
 		resolvedArgv1 = argv1;
 	}
 	const start = dirname(resolve(resolvedArgv1));
-	{
+	if (!/(?:^|[\\/])node_modules[\\/]/.test(resolvedArgv1)) {
 		let dir = start;
 		for (let i = 0; i < 10; i++) {
 			if (existsSync(resolve(dir, ".git"))) return "source";