npm - @agent-team-foundation/first-tree-hub - Versions diffs - 0.3.0 → 0.3.1 - Mend

@agent-team-foundation/first-tree-hub 0.3.0 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/bootstrap-B9JsJR3Z.mjs +583 -0
package/dist/cli/index.mjs +191 -1
package/dist/{core-uG-Hkr9K.mjs → core-D-c9r7D6.mjs} +854 -488
package/dist/feishu-Y4m2zFc3.mjs +51 -0
package/dist/index.mjs +4 -2
package/dist/rolldown-runtime-twds-ZHy.mjs +14 -0
package/dist/web/assets/{index-B8NgnD3u.js → index-B1dQmYGJ.js} +23 -23
package/dist/web/index.html +1 -1
package/package.json +1 -1

package/dist/{core-uG-Hkr9K.mjs → core-D-c9r7D6.mjs} RENAMED Viewed

@@ -1,13 +1,15 @@
+import { a as getGitHubUsername, b as serverConfigSchema, c as DEFAULT_CONFIG_DIR, d as clientConfigSchema, f as collectMissingPrompts, h as loadAgents, m as initConfig, r as checkBootstrapStatus, s as resolveServerUrl, t as bootstrapToken$1, u as agentConfigSchema, x as setConfigValue, y as resolveConfigReadonly } from "./bootstrap-B9JsJR3Z.mjs";
 import { ZodError, z } from "zod";
 import { copyFileSync, existsSync, mkdirSync, readFileSync, readdirSync, renameSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { dirname, join, resolve } from "node:path";
-import { parse, stringify } from "yaml";
+import { parse } from "yaml";
 import { createCipheriv, createDecipheriv, createHash, createHmac, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
 import { homedir } from "node:os";
 import bcrypt from "bcrypt";
 import { and, desc, eq, gt, inArray, isNotNull, isNull, lt, ne, sql } from "drizzle-orm";
 import { drizzle } from "drizzle-orm/postgres-js";
 import postgres from "postgres";
+import { execFileSync, execSync } from "node:child_process";
 import { EventEmitter } from "node:events";
 import WebSocket$1 from "ws";
 import { dirname as dirname$1, join as join$1 } from "path";
@@ -22,7 +24,6 @@ import { cwd } from "process";
 import * as r from "fs";
 import { realpathSync } from "fs";
 import { promisify } from "util";
-import { execFileSync, execSync } from "node:child_process";
 import { fileURLToPath as fileURLToPath$1 } from "node:url";
 import { migrate } from "drizzle-orm/postgres-js/migrator";
 import { input, password, select } from "@inquirer/prompts";
@@ -34,463 +35,6 @@ import Fastify from "fastify";
 import { bigserial, index, integer, jsonb, pgTable, primaryKey, serial, text, timestamp, unique } from "drizzle-orm/pg-core";
 import { SignJWT, jwtVerify } from "jose";
 import { Client, EventDispatcher, LoggerLevel, WSClient } from "@larksuiteoapi/node-sdk";
-//#region ../shared/dist/config/index.mjs
-/** Declare a config field with a Zod schema and optional metadata. */
-function field$1(schema, options) {
-	return {
-		_tag: "field",
-		_type: void 0,
-		schema,
-		options: options ?? {}
-	};
-}
-/** Mark a config group as optional — present only when at least one field has an explicit value. */
-function optional$1(shape) {
-	return {
-		_tag: "optional",
-		shape
-	};
-}
-/** Define a config shape. Identity function used for type inference. */
-function defineConfig$1(shape) {
-	return shape;
-}
-const agentConfigSchema = defineConfig$1({
-	token: field$1(z.string(), { secret: true }),
-	type: field$1(z.string().default("claude-code")),
-	concurrency: field$1(z.number().int().positive().default(5)),
-	session: {
-		idle_timeout: field$1(z.number().int().positive().default(300)),
-		max_sessions: field$1(z.number().int().positive().default(10))
-	}
-});
-/** Store the resolved config as a singleton. Called by initConfig(). */
-function setConfig(config) {}
-/** Reset the config singleton. For testing only. */
-function resetConfig() {}
-const clientConfigSchema = defineConfig$1({
-	server: { url: field$1(z.string(), {
-		env: "FIRST_TREE_HUB_SERVER_URL",
-		prompt: {
-			message: "Server URL:",
-			default: "http://localhost:8000"
-		}
-	}) },
-	logLevel: field$1(z.enum([
-		"debug",
-		"info",
-		"warn",
-		"error"
-	]).default("info"), { env: "FIRST_TREE_HUB_LOG_LEVEL" })
-});
-const DEFAULT_HOME_DIR$1 = join(homedir(), ".first-tree-hub");
-const DEFAULT_CONFIG_DIR = join(DEFAULT_HOME_DIR$1, "config");
-const DEFAULT_DATA_DIR$1 = join(DEFAULT_HOME_DIR$1, "data");
-function isFieldDef(value) {
-	return typeof value === "object" && value !== null && "_tag" in value && value._tag === "field";
-}
-function isOptionalGroup(value) {
-	return typeof value === "object" && value !== null && "_tag" in value && value._tag === "optional";
-}
-function getByPath(obj, path) {
-	let current = obj;
-	for (const key of path) {
-		if (current === null || current === void 0 || typeof current !== "object") return;
-		current = current[key];
-	}
-	return current;
-}
-function setByPath(obj, path, value) {
-	let current = obj;
-	for (let i = 0; i < path.length - 1; i++) {
-		const key = path[i];
-		if (key === void 0) continue;
-		if (!(key in current) || typeof current[key] !== "object" || current[key] === null) current[key] = {};
-		current = current[key];
-	}
-	const lastKey = path.at(-1);
-	if (lastKey !== void 0) current[lastKey] = value;
-}
-/** Unwrap ZodDefault / ZodOptional to get the inner type for coercion. */
-function unwrapZodType(schema) {
-	if (schema instanceof z.ZodDefault) return unwrapZodType(schema._def.innerType);
-	if (schema instanceof z.ZodOptional) return unwrapZodType(schema._def.innerType);
-	return schema;
-}
-/** Coerce a string env var to the JS type expected by the Zod schema. */
-function coerceEnvValue(value, schema) {
-	const inner = unwrapZodType(schema);
-	if (inner instanceof z.ZodNumber) {
-		const num = Number(value);
-		return Number.isNaN(num) ? value : num;
-	}
-	if (inner instanceof z.ZodBoolean) {
-		if (value === "true" || value === "1") return true;
-		if (value === "false" || value === "0") return false;
-		return value;
-	}
-	return value;
-}
-function builtinAutoGenerate(strategy) {
-	const match = /^random:(\w+):(\d+)$/.exec(strategy);
-	if (!match) throw new Error(`Unknown auto-generation strategy: ${strategy}`);
-	const encoding = match[1];
-	const bytes = Number(match[2]);
-	if (!encoding) throw new Error(`Invalid auto-generation strategy: ${strategy}`);
-	if (encoding === "base64url") return randomBytes(bytes).toString("base64url");
-	if (encoding === "hex") return randomBytes(bytes).toString("hex");
-	throw new Error(`Unknown random encoding: ${encoding}`);
-}
-function ensureDir(dir) {
-	if (!existsSync(dir)) mkdirSync(dir, {
-		recursive: true,
-		mode: 448
-	});
-}
-function deepMerge(target, source) {
-	const result = { ...target };
-	for (const [key, value] of Object.entries(source)) if (typeof value === "object" && value !== null && !Array.isArray(value) && typeof result[key] === "object" && result[key] !== null && !Array.isArray(result[key])) result[key] = deepMerge(result[key], value);
-	else result[key] = value;
-	return result;
-}
-function deepFreeze(obj) {
-	if (typeof obj !== "object" || obj === null) return obj;
-	Object.freeze(obj);
-	for (const value of Object.values(obj)) deepFreeze(value);
-	return obj;
-}
-function collectFields(shape, path = [], optionalGroupPath = null) {
-	const fields = [];
-	for (const [key, value] of Object.entries(shape)) {
-		const currentPath = [...path, key];
-		if (isFieldDef(value)) fields.push({
-			path: currentPath,
-			fieldDef: value,
-			optionalGroupPath
-		});
-		else if (isOptionalGroup(value)) fields.push(...collectFields(value.shape, currentPath, currentPath));
-		else if (typeof value === "object" && value !== null) fields.push(...collectFields(value, currentPath, optionalGroupPath));
-	}
-	return fields;
-}
-/** Build a Zod object schema from the config shape for validation. */
-function buildZodSchema(shape) {
-	const zodShape = {};
-	for (const [key, value] of Object.entries(shape)) if (isFieldDef(value)) zodShape[key] = value.schema;
-	else if (isOptionalGroup(value)) zodShape[key] = buildZodSchema(value.shape).optional();
-	else if (typeof value === "object" && value !== null) zodShape[key] = buildZodSchema(value).default({});
-	return z.object(zodShape);
-}
-function resetConfigMeta() {}
-const CONFIG_HEADER = "# Generated by first-tree-hub. Edit as needed.\n# https://github.com/agent-team-foundation/first-tree-hub\n\n";
-/**
-* Initialize config from the priority chain:
-*   CLI args > env vars > YAML file > auto-generated > Zod defaults
-*
-* Auto-generated values are written back to the YAML file.
-* Result is frozen and stored as a singleton accessible via getConfig().
-*/
-async function initConfig(options) {
-	const { schema, role, cliArgs = {}, autoGenerators = {} } = options;
-	const configPath = join(options.configDir ?? DEFAULT_CONFIG_DIR, `${role}.yaml`);
-	let fileValues = {};
-	if (existsSync(configPath)) {
-		const raw = parse(readFileSync(configPath, "utf-8"));
-		if (typeof raw === "object" && raw !== null) fileValues = raw;
-	}
-	const fields = collectFields(schema);
-	const resolved = {};
-	const meta = /* @__PURE__ */ new Map();
-	const autoGenerated = {};
-	const activeOptionalGroups = /* @__PURE__ */ new Set();
-	for (const { path, fieldDef, optionalGroupPath } of fields) {
-		if (!optionalGroupPath) continue;
-		const groupKey = optionalGroupPath.join(".");
-		if (activeOptionalGroups.has(groupKey)) continue;
-		if (getByPath(cliArgs, path) !== void 0) {
-			activeOptionalGroups.add(groupKey);
-			continue;
-		}
-		if (fieldDef.options.env) {
-			const envValue = process.env[fieldDef.options.env];
-			if (envValue !== void 0 && envValue !== "") {
-				activeOptionalGroups.add(groupKey);
-				continue;
-			}
-		}
-		if (getByPath(fileValues, path) !== void 0) activeOptionalGroups.add(groupKey);
-	}
-	for (const { path, fieldDef, optionalGroupPath } of fields) {
-		const dotPath = path.join(".");
-		if (optionalGroupPath && !activeOptionalGroups.has(optionalGroupPath.join("."))) continue;
-		const cliValue = getByPath(cliArgs, path);
-		if (cliValue !== void 0) {
-			setByPath(resolved, path, cliValue);
-			meta.set(dotPath, {
-				value: cliValue,
-				source: "cli",
-				secret: fieldDef.options.secret ?? false
-			});
-			continue;
-		}
-		if (fieldDef.options.env) {
-			const envValue = process.env[fieldDef.options.env];
-			if (envValue !== void 0 && envValue !== "") {
-				const coerced = coerceEnvValue(envValue, fieldDef.schema);
-				setByPath(resolved, path, coerced);
-				meta.set(dotPath, {
-					value: coerced,
-					source: "env",
-					secret: fieldDef.options.secret ?? false
-				});
-				continue;
-			}
-		}
-		const fileValue = getByPath(fileValues, path);
-		if (fileValue !== void 0) {
-			setByPath(resolved, path, fileValue);
-			meta.set(dotPath, {
-				value: fileValue,
-				source: "file",
-				secret: fieldDef.options.secret ?? false
-			});
-			continue;
-		}
-		if (fieldDef.options.auto) {
-			const strategy = fieldDef.options.auto;
-			const customGen = autoGenerators[strategy];
-			let generated;
-			if (customGen) generated = await customGen();
-			else generated = builtinAutoGenerate(strategy);
-			setByPath(resolved, path, generated);
-			setByPath(autoGenerated, path, generated);
-			meta.set(dotPath, {
-				value: generated,
-				source: "auto",
-				secret: fieldDef.options.secret ?? false
-			});
-			continue;
-		}
-		meta.set(dotPath, {
-			value: void 0,
-			source: "default",
-			secret: fieldDef.options.secret ?? false
-		});
-	}
-	const result = buildZodSchema(schema).safeParse(resolved);
-	if (!result.success) {
-		const issues = result.error.issues.map((i) => `  ${i.path.join(".")}: ${i.message}`).join("\n");
-		throw new Error(`Configuration validation failed:\n${issues}`);
-	}
-	const config = result.data;
-	for (const { path, fieldDef } of fields) {
-		const dotPath = path.join(".");
-		if (meta.get(dotPath)?.value === void 0) {
-			const val = getByPath(config, path);
-			if (val !== void 0) meta.set(dotPath, {
-				value: val,
-				source: "default",
-				secret: fieldDef.options.secret ?? false
-			});
-		}
-	}
-	if (Object.keys(autoGenerated).length > 0) {
-		const merged = deepMerge(fileValues, autoGenerated);
-		ensureDir(dirname(configPath));
-		writeFileSync(configPath, CONFIG_HEADER + stringify(merged), { mode: 384 });
-	}
-	const frozen = deepFreeze(config);
-	setConfig(frozen);
-	return frozen;
-}
-/** Set a value in a YAML config file by dot-path. */
-function setConfigValue(configPath, dotPath, value) {
-	let fileValues = {};
-	if (existsSync(configPath)) {
-		const raw = parse(readFileSync(configPath, "utf-8"));
-		if (typeof raw === "object" && raw !== null) fileValues = raw;
-	}
-	setByPath(fileValues, dotPath.split("."), value);
-	ensureDir(dirname(configPath));
-	writeFileSync(configPath, CONFIG_HEADER + stringify(fileValues), { mode: 384 });
-}
-/** Get a value from a YAML config file by dot-path. */
-function getConfigValue(configPath, dotPath) {
-	if (!existsSync(configPath)) return void 0;
-	const raw = parse(readFileSync(configPath, "utf-8"));
-	if (typeof raw !== "object" || raw === null) return void 0;
-	return getByPath(raw, dotPath.split("."));
-}
-/** Read all values from a YAML config file. */
-function readConfigFile(configPath) {
-	if (!existsSync(configPath)) return {};
-	const raw = parse(readFileSync(configPath, "utf-8"));
-	if (typeof raw !== "object" || raw === null) return {};
-	return raw;
-}
-/**
-* Scan a config schema and return fields that:
-* 1. Have a `prompt` definition
-* 2. Don't have a value from CLI args, env vars, or the config file
-* 3. Don't have an `auto` strategy (auto-gen fields don't need prompting)
-*
-* Used by CLI to show interactive prompts before calling initConfig().
-*/
-function collectMissingPrompts(options) {
-	const { schema, role, cliArgs = {} } = options;
-	const configPath = join(options.configDir ?? DEFAULT_CONFIG_DIR, `${role}.yaml`);
-	let fileValues = {};
-	if (existsSync(configPath)) {
-		const raw = parse(readFileSync(configPath, "utf-8"));
-		if (typeof raw === "object" && raw !== null) fileValues = raw;
-	}
-	const fields = collectFields(schema);
-	const missing = [];
-	for (const { path, fieldDef, optionalGroupPath } of fields) {
-		if (optionalGroupPath) continue;
-		if (!fieldDef.options.prompt) continue;
-		if (getByPath(cliArgs, path) !== void 0) continue;
-		if (fieldDef.options.env) {
-			const envValue = process.env[fieldDef.options.env];
-			if (envValue !== void 0 && envValue !== "") continue;
-		}
-		if (getByPath(fileValues, path) !== void 0) continue;
-		missing.push({
-			dotPath: path.join("."),
-			prompt: fieldDef.options.prompt
-		});
-	}
-	return missing;
-}
-/**
-* Resolve config values through the same priority chain as initConfig()
-* (env vars > YAML file > Zod defaults), but **without side effects**:
-* - No auto-generation
-* - No file writes
-* - No singleton mutation
-* - Partial results (unresolvable fields are omitted, no validation error)
-*
-* Returns the best-effort resolved config as a plain object.
-*/
-function resolveConfigReadonly(options) {
-	const { schema, role } = options;
-	const configPath = join(options.configDir ?? DEFAULT_CONFIG_DIR, `${role}.yaml`);
-	let fileValues = {};
-	if (existsSync(configPath)) {
-		const raw = parse(readFileSync(configPath, "utf-8"));
-		if (typeof raw === "object" && raw !== null) fileValues = raw;
-	}
-	const fields = collectFields(schema);
-	const resolved = {};
-	for (const { path, fieldDef } of fields) {
-		if (fieldDef.options.env) {
-			const envValue = process.env[fieldDef.options.env];
-			if (envValue !== void 0 && envValue !== "") {
-				setByPath(resolved, path, coerceEnvValue(envValue, fieldDef.schema));
-				continue;
-			}
-		}
-		const fileValue = getByPath(fileValues, path);
-		if (fileValue !== void 0) {
-			setByPath(resolved, path, fileValue);
-			continue;
-		}
-		const defaultResult = fieldDef.schema.safeParse(void 0);
-		if (defaultResult.success && defaultResult.data !== void 0) setByPath(resolved, path, defaultResult.data);
-	}
-	return resolved;
-}
-/**
-* Scan an agents directory and load each agent's config.
-*
-* Expected structure:
-*   {agentsDir}/
-*     code-reviewer/agent.yaml
-*     scheduler/agent.yaml
-*
-* Returns a Map keyed by directory name (agent name).
-*/
-function loadAgents(options) {
-	const { schema, agentsDir } = options;
-	const result = /* @__PURE__ */ new Map();
-	if (!existsSync(agentsDir)) return result;
-	const zodSchema = buildZodSchema(schema);
-	for (const entry of readdirSync(agentsDir)) {
-		const agentDir = join(agentsDir, entry);
-		if (!statSync(agentDir).isDirectory()) continue;
-		const configPath = join(agentDir, "agent.yaml");
-		if (!existsSync(configPath)) continue;
-		const raw = parse(readFileSync(configPath, "utf-8"));
-		const parsed = zodSchema.parse(raw);
-		result.set(entry, parsed);
-	}
-	return result;
-}
-const serverConfigSchema = defineConfig$1({
-	database: {
-		url: field$1(z.string(), {
-			env: "FIRST_TREE_HUB_DATABASE_URL",
-			auto: "docker-pg",
-			prompt: {
-				message: "PostgreSQL:",
-				type: "select",
-				choices: [{
-					name: "Auto-provision via Docker",
-					value: "__auto__"
-				}, {
-					name: "Provide connection URL",
-					value: "__input__"
-				}]
-			}
-		}),
-		provider: field$1(z.enum(["docker", "external"]).default("docker"))
-	},
-	server: {
-		port: field$1(z.number().default(8e3), { env: "FIRST_TREE_HUB_PORT" }),
-		host: field$1(z.string().default("127.0.0.1"), { env: "FIRST_TREE_HUB_HOST" })
-	},
-	secrets: {
-		jwtSecret: field$1(z.string(), {
-			env: "FIRST_TREE_HUB_JWT_SECRET",
-			auto: "random:base64url:32",
-			secret: true
-		}),
-		encryptionKey: field$1(z.string(), {
-			env: "FIRST_TREE_HUB_ENCRYPTION_KEY",
-			auto: "random:hex:32",
-			secret: true
-		})
-	},
-	contextTree: {
-		repo: field$1(z.string(), {
-			env: "FIRST_TREE_HUB_CONTEXT_TREE_REPO",
-			prompt: { message: "Context Tree repo URL (e.g. https://github.com/org/first-tree):" }
-		}),
-		branch: field$1(z.string().default("main")),
-		syncInterval: field$1(z.number().default(60))
-	},
-	github: {
-		token: field$1(z.string(), {
-			env: "FIRST_TREE_HUB_GITHUB_TOKEN",
-			secret: true,
-			prompt: {
-				message: "GitHub token (create at https://github.com/settings/tokens → repo scope):",
-				type: "password"
-			}
-		}),
-		webhookSecret: field$1(z.string().optional(), {
-			env: "FIRST_TREE_HUB_GITHUB_WEBHOOK_SECRET",
-			secret: true
-		})
-	},
-	cors: optional$1({ origin: field$1(z.string(), { env: "FIRST_TREE_HUB_CORS_ORIGIN" }) }),
-	rateLimit: optional$1({
-		max: field$1(z.number().default(100), { env: "FIRST_TREE_HUB_RATE_LIMIT_MAX" }),
-		loginMax: field$1(z.number().default(5), { env: "FIRST_TREE_HUB_RATE_LIMIT_LOGIN_MAX" }),
-		webhookMax: field$1(z.number().default(60), { env: "FIRST_TREE_HUB_RATE_LIMIT_WEBHOOK_MAX" })
-	})
-});
-//#endregion
 //#region src/core/admin.ts
 /**
 * Check if any admin user exists.
@@ -23284,7 +22828,7 @@ defineConfig({
 		webhookMax: field(z.number().default(60), { env: "FIRST_TREE_HUB_RATE_LIMIT_WEBHOOK_MAX" })
 	})
 });
-const CONTEXT_TREE_DIR = join(DEFAULT_DATA_DIR, "context-tree");
+const CONTEXT_TREE_DIR$1 = join(DEFAULT_DATA_DIR, "context-tree");
 /**
 * Sync the shared Context Tree git clone.
 *
@@ -23312,77 +22856,77 @@ async function syncContextTree(serverUrl, token, log) {
 		return null;
 	}
 	try {
-		if (existsSync(join(CONTEXT_TREE_DIR, ".git"))) {
+		if (existsSync(join(CONTEXT_TREE_DIR$1, ".git"))) {
 			if (execFileSync("git", [
 				"rev-parse",
 				"--abbrev-ref",
 				"HEAD"
 			], {
-				cwd: CONTEXT_TREE_DIR,
+				cwd: CONTEXT_TREE_DIR$1,
 				encoding: "utf-8",
 				timeout: 5e3
 			}).trim() !== branch) {
 				execFileSync("git", ["checkout", branch], {
-					cwd: CONTEXT_TREE_DIR,
+					cwd: CONTEXT_TREE_DIR$1,
 					stdio: "pipe",
 					timeout: 1e4
 				});
 				log(`Context Tree switched to branch ${branch}`);
 			}
 			execFileSync("git", ["pull", "--ff-only"], {
-				cwd: CONTEXT_TREE_DIR,
+				cwd: CONTEXT_TREE_DIR$1,
 				stdio: "pipe",
 				timeout: 3e4
 			});
 			log(`Context Tree updated (pull)`);
 		} else {
-			mkdirSync(CONTEXT_TREE_DIR, { recursive: true });
+			mkdirSync(CONTEXT_TREE_DIR$1, { recursive: true });
 			execFileSync("git", [
 				"clone",
 				"--branch",
 				branch,
 				"--single-branch",
 				repo,
-				CONTEXT_TREE_DIR
+				CONTEXT_TREE_DIR$1
 			], {
 				stdio: "pipe",
 				timeout: 6e4
 			});
 			log(`Context Tree cloned from ${repo} (branch: ${branch})`);
 		}
-		return CONTEXT_TREE_DIR;
+		return CONTEXT_TREE_DIR$1;
 	} catch (err) {
 		const msg = err instanceof Error ? err.message : String(err);
 		log(`Context Tree sync failed: ${msg}`);
 		log("Check that git credentials (SSH key or credential helper) are configured for this repo");
-		if ((msg.includes("cannot fast-forward") || msg.includes("not possible to fast-forward") || msg.includes("CONFLICT")) && existsSync(join(CONTEXT_TREE_DIR, ".git"))) {
+		if ((msg.includes("cannot fast-forward") || msg.includes("not possible to fast-forward") || msg.includes("CONFLICT")) && existsSync(join(CONTEXT_TREE_DIR$1, ".git"))) {
 			log("Diverged history detected, attempting fresh clone...");
 			try {
-				rmSync(CONTEXT_TREE_DIR, {
+				rmSync(CONTEXT_TREE_DIR$1, {
 					recursive: true,
 					force: true
 				});
-				mkdirSync(CONTEXT_TREE_DIR, { recursive: true });
+				mkdirSync(CONTEXT_TREE_DIR$1, { recursive: true });
 				execFileSync("git", [
 					"clone",
 					"--branch",
 					branch,
 					"--single-branch",
 					repo,
-					CONTEXT_TREE_DIR
+					CONTEXT_TREE_DIR$1
 				], {
 					stdio: "pipe",
 					timeout: 6e4
 				});
 				log("Context Tree re-cloned successfully");
-				return CONTEXT_TREE_DIR;
+				return CONTEXT_TREE_DIR$1;
 			} catch {
 				log("Context Tree re-clone also failed, continuing without context");
 			}
 		}
-		if (existsSync(join(CONTEXT_TREE_DIR, ".git"))) {
+		if (existsSync(join(CONTEXT_TREE_DIR$1, ".git"))) {
 			log("Using existing Context Tree clone despite sync failure");
-			return CONTEXT_TREE_DIR;
+			return CONTEXT_TREE_DIR$1;
 		}
 		return null;
 	}
@@ -24974,6 +24518,517 @@ async function runMigrations(databaseUrl) {
 	}
 }
 //#endregion
+//#region src/core/onboard.ts
+const STATE_FILE = join(homedir(), ".first-tree-hub", ".onboard-state.json");
+/** Save current onboard args to state file for resume. */
+function saveOnboardState(args) {
+	mkdirSync(join(homedir(), ".first-tree-hub"), { recursive: true });
+	writeFileSync(STATE_FILE, JSON.stringify({ args }, null, 2));
+}
+/** Load saved onboard args from state file. */
+function loadOnboardState() {
+	try {
+		return JSON.parse(readFileSync(STATE_FILE, "utf-8")).args;
+	} catch {
+		return null;
+	}
+}
+async function onboardCheck(args) {
+	const items = [];
+	let ghUsername = null;
+	try {
+		ghUsername = getGitHubUsername();
+		items.push({
+			key: "github_cli",
+			label: "GitHub CLI",
+			status: "ok",
+			value: `authenticated as ${ghUsername}`
+		});
+	} catch {
+		items.push({
+			key: "github_cli",
+			label: "GitHub CLI",
+			status: "missing_required",
+			hint: "Install and authenticate: gh auth login"
+		});
+	}
+	try {
+		const serverUrl = resolveServerUrl(args.server);
+		items.push({
+			key: "server",
+			label: "Server URL",
+			status: "ok",
+			value: serverUrl
+		});
+		try {
+			const res = await fetch(`${serverUrl}/api/v1/health`);
+			items.push({
+				key: "server_reachable",
+				label: "Server reachable",
+				status: res.ok ? "ok" : "error",
+				value: res.ok ? "yes" : `HTTP ${res.status}`
+			});
+		} catch {
+			items.push({
+				key: "server_reachable",
+				label: "Server reachable",
+				status: "error",
+				value: "no"
+			});
+		}
+	} catch {
+		items.push({
+			key: "server",
+			label: "Server URL",
+			status: "missing_required",
+			hint: "--server <url> or FIRST_TREE_HUB_SERVER"
+		});
+	}
+	const repoPath = await resolveContextTreeRepo(args.server);
+	if (repoPath) items.push({
+		key: "repo",
+		label: "Context Tree repo",
+		status: "ok",
+		value: repoPath
+	});
+	else {
+		const serverAvailable = items.some((i) => i.key === "server" && i.status === "ok");
+		items.push({
+			key: "repo",
+			label: "Context Tree repo",
+			status: "missing_required",
+			hint: serverAvailable ? "auto-clone failed (check server Context Tree config and gh auth)" : "configure --server first (repo will be auto-cloned from server)"
+		});
+	}
+	items.push(args.id ? {
+		key: "id",
+		label: "id",
+		status: "ok",
+		value: args.id
+	} : {
+		key: "id",
+		label: "id",
+		status: "missing_required",
+		hint: "Member directory name"
+	});
+	items.push(args.type ? {
+		key: "type",
+		label: "type",
+		status: "ok",
+		value: args.type
+	} : {
+		key: "type",
+		label: "type",
+		status: "missing_required",
+		hint: "human | personal_assistant | autonomous_agent"
+	});
+	items.push(args.role ? {
+		key: "role",
+		label: "role",
+		status: "ok",
+		value: args.role
+	} : {
+		key: "role",
+		label: "role",
+		status: "missing_required",
+		hint: "e.g. \"Engineer\""
+	});
+	items.push(args.domains ? {
+		key: "domains",
+		label: "domains",
+		status: "ok",
+		value: args.domains
+	} : {
+		key: "domains",
+		label: "domains",
+		status: "missing_required",
+		hint: "Comma-separated, e.g. \"backend,infra\""
+	});
+	items.push(args.displayName ? {
+		key: "display_name",
+		label: "display-name",
+		status: "ok",
+		value: args.displayName
+	} : {
+		key: "display_name",
+		label: "display-name",
+		status: "missing_optional",
+		hint: `defaults to "${args.id ?? ""}"`
+	});
+	items.push(args.assistant ? {
+		key: "assistant",
+		label: "assistant",
+		status: "ok",
+		value: args.assistant
+	} : {
+		key: "assistant",
+		label: "assistant",
+		status: "missing_optional",
+		hint: "Also create a personal_assistant"
+	});
+	items.push(args.feishuBotAppId ? {
+		key: "feishu_bot",
+		label: "feishu-bot-app-id",
+		status: "ok",
+		value: args.feishuBotAppId
+	} : {
+		key: "feishu_bot",
+		label: "feishu-bot-app-id",
+		status: "missing_optional",
+		hint: "Feishu bot App ID for assistant"
+	});
+	if (args.id && repoPath) if (existsSync(join(repoPath, "members", args.id))) try {
+		execSync(`git ls-files --error-unmatch members/${args.id}/NODE.md`, {
+			cwd: repoPath,
+			stdio: "pipe"
+		});
+		items.push({
+			key: "conflict",
+			label: `ID "${args.id}" availability`,
+			status: "warning",
+			value: "already exists (will overwrite)"
+		});
+	} catch {
+		items.push({
+			key: "conflict",
+			label: `ID "${args.id}" availability`,
+			status: "ok",
+			value: "resuming (local files from previous run)"
+		});
+	}
+	else items.push({
+		key: "conflict",
+		label: `ID "${args.id}" availability`,
+		status: "ok",
+		value: "available"
+	});
+	return items;
+}
+function formatCheckReport(items) {
+	const lines = [];
+	for (const item of items) {
+		const icon = item.status === "ok" ? "✅" : item.status === "missing_required" ? "❌" : item.status === "error" ? "❌" : item.status === "warning" ? "⚠️" : "⬜";
+		const valueStr = item.value ? `  ${item.value}` : "";
+		const hintStr = item.hint ? `  (${item.hint})` : "";
+		lines.push(`  ${icon} ${item.label.padEnd(20)}${valueStr}${hintStr}`);
+	}
+	return lines.join("\n");
+}
+async function onboardCreate(args) {
+	const repoPath = await resolveContextTreeRepo(args.server);
+	if (!repoPath) throw new Error("Context Tree repo not available. Ensure --server is configured and the server is running.");
+	const ghUsername = getGitHubUsername();
+	const githubField = args.type === "human" ? ghUsername : null;
+	const humanNodePath = join(repoPath, "members", args.id, "NODE.md");
+	if (existsSync(humanNodePath) && isTrackedByGit(repoPath, join("members", args.id, "NODE.md"))) {
+		process.stderr.write(`Member "${args.id}" already exists, skipping NODE.md creation.\n`);
+		if (args.assistant) {
+			const existingContent = readFileSync(humanNodePath, "utf-8");
+			if (!existingContent.includes("delegate_mention")) {
+				writeFileSync(humanNodePath, existingContent.replace(/^(---\n[\s\S]*?)(---)/m, `$1delegate_mention: ${args.assistant}\n$2`));
+				process.stderr.write(`Updated delegate_mention → ${args.assistant}\n`);
+			}
+		}
+	} else createMemberNodeMd(repoPath, {
+		id: args.id,
+		type: args.type,
+		displayName: args.displayName ?? args.id,
+		role: args.role,
+		domains: args.domains.split(",").map((d) => d.trim()),
+		owner: ghUsername,
+		github: githubField,
+		delegateMention: args.assistant ?? args.delegateMention ?? null
+	});
+	if (args.assistant) if (existsSync(join(repoPath, "members", args.id, args.assistant, "NODE.md")) && isTrackedByGit(repoPath, join("members", args.id, args.assistant, "NODE.md"))) process.stderr.write(`Assistant "${args.assistant}" already exists, skipping.\n`);
+	else createMemberNodeMd(repoPath, {
+		parentPath: join("members", args.id),
+		id: args.assistant,
+		type: "personal_assistant",
+		displayName: args.assistant,
+		role: `Personal Assistant to ${args.id}`,
+		domains: ["message triage", "task coordination"],
+		owner: ghUsername,
+		github: null,
+		delegateMention: null
+	});
+	try {
+		execSync("npx -y first-tree verify", {
+			cwd: repoPath,
+			stdio: "pipe"
+		});
+	} catch (err) {
+		const stderr = err instanceof Error && "stderr" in err ? err.stderr.toString() : "";
+		const stdout = err instanceof Error && "stdout" in err ? err.stdout.toString() : "";
+		const output = stderr || stdout || String(err);
+		if (output.includes("VERSION") || output.includes("AGENT.md") || output.includes("Root NODE.md")) throw new Error("Context Tree repo is not properly initialized.\nRun 'context-tree init' in the repo first, or see:\n  https://github.com/agent-team-foundation/first-tree\n\n" + output);
+		throw new Error(`Verification failed:\n${output}`);
+	}
+	const baseBranch = `onboard/${args.id}`;
+	let branch = baseBranch;
+	const branchExists = (name) => {
+		try {
+			execSync(`git rev-parse --verify ${name}`, {
+				cwd: repoPath,
+				stdio: "pipe"
+			});
+			return true;
+		} catch {
+			return false;
+		}
+	};
+	if (branchExists(branch)) branch = `${baseBranch}-${Date.now().toString(36)}`;
+	try {
+		execSync("git checkout main", {
+			cwd: repoPath,
+			stdio: "pipe"
+		});
+	} catch {
+		try {
+			execSync("git checkout master", {
+				cwd: repoPath,
+				stdio: "pipe"
+			});
+		} catch {}
+	}
+	execSync(`git checkout -b ${branch}`, {
+		cwd: repoPath,
+		stdio: "pipe"
+	});
+	execSync(`git add members/${args.id}`, {
+		cwd: repoPath,
+		stdio: "pipe"
+	});
+	execFileSync("git", [
+		"commit",
+		"-m",
+		args.assistant ? `feat: onboard ${args.id} + ${args.assistant}` : `feat: onboard ${args.id}`
+	], {
+		cwd: repoPath,
+		stdio: "pipe"
+	});
+	const pushToken = execSync("gh auth token", {
+		encoding: "utf-8",
+		stdio: "pipe"
+	}).trim();
+	const cleanRemote = execSync("git remote get-url origin", {
+		cwd: repoPath,
+		encoding: "utf-8",
+		stdio: "pipe"
+	}).trim();
+	execSync(`git remote set-url origin "${cleanRemote.replace("https://github.com/", `https://x-access-token:${pushToken}@github.com/`)}"`, {
+		cwd: repoPath,
+		stdio: "pipe"
+	});
+	try {
+		execSync(`git push -u origin ${branch}`, {
+			cwd: repoPath,
+			stdio: "pipe"
+		});
+	} finally {
+		execSync(`git remote set-url origin "${cleanRemote}"`, {
+			cwd: repoPath,
+			stdio: "pipe"
+		});
+	}
+	const prOutput = execSync(`gh pr create --title "${args.assistant ? `Onboard ${args.id} + assistant` : `Onboard ${args.id}`}" --body "Automated onboard via first-tree-hub CLI"`, {
+		cwd: repoPath,
+		encoding: "utf-8"
+	}).trim();
+	const state = {
+		args,
+		branch,
+		prUrl: prOutput
+	};
+	mkdirSync(join(homedir(), ".first-tree-hub"), { recursive: true });
+	writeFileSync(STATE_FILE, JSON.stringify(state, null, 2));
+	return { prUrl: prOutput };
+}
+async function onboardContinue(args) {
+	let state = null;
+	try {
+		state = JSON.parse(readFileSync(STATE_FILE, "utf-8"));
+	} catch {}
+	if (!state && !args.id) throw new Error("No onboard in progress. Run 'first-tree-hub onboard' first to start a new onboard.");
+	const mergedArgs = {
+		...state?.args,
+		...stripUndefined(args)
+	};
+	const serverUrl = resolveServerUrl(mergedArgs.server).replace(/\/+$/, "");
+	const agentToBootstrap = mergedArgs.assistant ?? mergedArgs.id;
+	if (!agentToBootstrap) throw new Error("Cannot determine which agent to bootstrap. Provide --id or run onboard first.");
+	if (!mergedArgs.id) throw new Error("Cannot determine member ID. Provide --id or run onboard first.");
+	process.stderr.write(`Waiting for agent "${agentToBootstrap}" to be synced...\n`);
+	let synced = false;
+	for (let i = 0; i < 30; i++) {
+		try {
+			const status = await checkBootstrapStatus(serverUrl, agentToBootstrap);
+			if (status.exists && status.status === "active") {
+				synced = true;
+				break;
+			}
+		} catch (err) {
+			if (i === 0) process.stderr.write(`  (check failed: ${err instanceof Error ? err.message : String(err)})\n`);
+		}
+		await sleep(2e3);
+	}
+	if (!synced) throw new Error(`Agent "${agentToBootstrap}" not found after 60s. Trigger sync manually or wait for auto-sync.`);
+	process.stderr.write(`Bootstrapping token for "${agentToBootstrap}"...\n`);
+	let token;
+	try {
+		token = (await bootstrapToken$1(serverUrl, agentToBootstrap, { saveTo: "agent" })).token;
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		if (msg.includes("already has") || msg.includes("409")) throw new Error(`Agent "${agentToBootstrap}" already has an active token.\nAsk an admin to revoke the existing token in the Web UI, then re-run:
+  first-tree-hub onboard --continue`);
+		throw err;
+	}
+	process.stderr.write(`Token saved to ~/.first-tree-hub/agents/${agentToBootstrap}/agent.yaml\n`);
+	if (mergedArgs.feishuBotAppId && mergedArgs.feishuBotAppSecret) {
+		const { bindFeishuBot } = await import("./feishu-Y4m2zFc3.mjs").then((n) => n.r);
+		process.stderr.write("Binding Feishu bot...\n");
+		await bindFeishuBot(serverUrl, token, mergedArgs.feishuBotAppId, mergedArgs.feishuBotAppSecret);
+		process.stderr.write("Feishu bot bound.\n");
+	}
+	try {
+		const { unlinkSync } = await import("node:fs");
+		unlinkSync(STATE_FILE);
+	} catch {}
+	process.stderr.write("\n✅ Onboard complete!\n\n");
+	process.stderr.write(`  Human:     ${mergedArgs.id}\n`);
+	if (mergedArgs.assistant) process.stderr.write(`  Assistant: ${mergedArgs.assistant}\n`);
+	process.stderr.write(`  Token:     ~/.first-tree-hub/agents/${agentToBootstrap}/agent.yaml\n`);
+	if (mergedArgs.feishuBotAppId) process.stderr.write(`  Feishu:    bot bound (${mergedArgs.feishuBotAppId})\n`);
+	if (mergedArgs.type === "human") {
+		process.stderr.write("\n  Next step — bind your Feishu account:\n");
+		process.stderr.write(`    Send this message to the bot in Feishu:  /bind ${mergedArgs.id}\n`);
+		if (!mergedArgs.feishuBotAppId) process.stderr.write("    (requires a Feishu bot to be configured in the system)\n");
+	}
+	process.stderr.write("\n");
+}
+function createMemberNodeMd(repoPath, data) {
+	const memberDir = join(repoPath, data.parentPath ?? "members", data.id);
+	mkdirSync(memberDir, { recursive: true });
+	const domainsList = data.domains.map((d) => `  - "${d}"`).join("\n");
+	const githubLine = data.github ? `\ngithub: ${data.github}` : "";
+	const delegateLine = data.delegateMention ? `\ndelegate_mention: ${data.delegateMention}` : "";
+	const content = `---
+title: "${data.displayName}"
+owners: [${data.owner}]
+type: ${data.type}
+role: "${data.role}"
+domains:
+${domainsList}${githubLine}${delegateLine}
+---
+# ${data.displayName}
+## About
+## Current Focus
+`;
+	writeFileSync(join(memberDir, "NODE.md"), content);
+}
+function isTrackedByGit(repoPath, filePath) {
+	try {
+		execSync(`git ls-files --error-unmatch ${filePath}`, {
+			cwd: repoPath,
+			stdio: "pipe"
+		});
+		return true;
+	} catch {
+		return false;
+	}
+}
+const CONTEXT_TREE_DIR = join(homedir(), ".first-tree-hub", "context-tree");
+/**
+* Resolve Context Tree to a **local path** at ~/.first-tree-hub/context-tree/.
+*
+* Repo URL is obtained from the Hub server. The local clone is always
+* managed in the standard location — no custom paths allowed.
+*/
+async function resolveContextTreeRepo(serverUrl) {
+	const repoUrl = await fetchRepoUrlFromServer(serverUrl);
+	if (!repoUrl) return null;
+	let ghToken;
+	try {
+		ghToken = execSync("gh auth token", {
+			encoding: "utf-8",
+			stdio: "pipe"
+		}).trim();
+	} catch {
+		return null;
+	}
+	const gitEnv = {
+		...process.env,
+		GIT_ASKPASS: "echo",
+		GIT_TERMINAL_PROMPT: "0",
+		GH_TOKEN: ghToken,
+		GITHUB_TOKEN: ghToken
+	};
+	const gitConfigArgs = `-c url."https://x-access-token:${ghToken}@github.com/".insteadOf="https://github.com/"`;
+	if (existsSync(join(CONTEXT_TREE_DIR, ".git"))) {
+		try {
+			if (execSync("git remote get-url origin", {
+				cwd: CONTEXT_TREE_DIR,
+				encoding: "utf-8",
+				stdio: "pipe"
+			}).trim().includes(repoUrl.replace(/^https?:\/\/github\.com\//, "").replace(/\.git$/, ""))) {
+				process.stderr.write("Updating Context Tree...\n");
+				execSync("git checkout main 2>/dev/null || git checkout master", {
+					cwd: CONTEXT_TREE_DIR,
+					stdio: "pipe"
+				});
+				try {
+					execSync(`git ${gitConfigArgs} pull --ff-only`, {
+						cwd: CONTEXT_TREE_DIR,
+						stdio: "pipe",
+						env: gitEnv
+					});
+				} catch {}
+				return CONTEXT_TREE_DIR;
+			}
+		} catch {}
+		const safePrefix = join(homedir(), ".first-tree-hub");
+		if (!CONTEXT_TREE_DIR.startsWith(safePrefix) || CONTEXT_TREE_DIR === safePrefix) throw new Error(`Refusing to delete unsafe path: ${CONTEXT_TREE_DIR}`);
+		execSync(`rm -rf ${CONTEXT_TREE_DIR}`);
+	}
+	try {
+		process.stderr.write(`Cloning Context Tree to ${CONTEXT_TREE_DIR}...\n`);
+		mkdirSync(join(homedir(), ".first-tree-hub"), { recursive: true });
+		execSync(`git ${gitConfigArgs} clone ${repoUrl} ${CONTEXT_TREE_DIR}`, {
+			stdio: "pipe",
+			env: gitEnv
+		});
+		return CONTEXT_TREE_DIR;
+	} catch {
+		return null;
+	}
+}
+/** Query server for Context Tree repo URL. */
+async function fetchRepoUrlFromServer(serverUrl) {
+	if (!serverUrl) try {
+		serverUrl = resolveServerUrl();
+	} catch {
+		return null;
+	}
+	try {
+		const url = `${serverUrl.replace(/\/+$/, "")}/api/v1/context-tree/info`;
+		const res = await fetch(url, { signal: AbortSignal.timeout(5e3) });
+		if (!res.ok) return null;
+		return (await res.json()).repo ?? null;
+	} catch {
+		return null;
+	}
+}
+function sleep(ms) {
+	return new Promise((resolve) => setTimeout(resolve, ms));
+}
+function stripUndefined(obj) {
+	const result = {};
+	for (const [key, value] of Object.entries(obj)) if (value !== void 0) result[key] = value;
+	return result;
+}
+//#endregion
 //#region src/core/prompt.ts
 /**
 * Check if interactive mode is available.
@@ -25113,6 +25168,10 @@ const adapterBindMethodSchema = z.enum([
 	"oauth",
 	"manual"
 ]);
+const selfServiceFeishuBotSchema = z.object({
+	appId: z.string().min(1),
+	appSecret: z.string().min(1)
+});
 const createAdapterMappingSchema = z.object({
 	platform: adapterPlatformSchema,
 	externalUserId: z.string().min(1),
@@ -25129,6 +25188,10 @@ z.object({
 	displayName: z.string().nullable(),
 	createdAt: z.string()
 });
+const delegateFeishuUserSchema = z.object({
+	feishuUserId: z.string().min(1),
+	displayName: z.string().max(200).optional()
+});
 z.object({
 	configId: z.number(),
 	platform: z.string(),
@@ -25220,6 +25283,16 @@ z.object({
 	createdAt: z.string(),
 	updatedAt: z.string()
 });
+const bootstrapTokenRequestSchema = z.object({ name: z.string().max(100).optional() });
+z.object({
+	exists: z.boolean(),
+	status: z.enum(["active", "suspended"]).nullable()
+});
+z.object({
+	repo: z.string(),
+	branch: z.string(),
+	lastSync: z.string().nullable()
+});
 const createAgentTokenSchema = z.object({
 	name: z.string().max(100).optional(),
 	expiresAt: z.string().datetime().optional()
@@ -25340,7 +25413,7 @@ const SYSTEM_CONFIG_DEFAULTS = {
 	[SYSTEM_CONFIG_KEYS.PRESENCE_CLEANUP_SECONDS]: 60
 };
 //#endregion
-//#region ../server/dist/app-DtKgrri9.mjs
+//#region ../server/dist/app-BVTDWxJE.mjs
 var __defProp = Object.defineProperty;
 var __exportAll = (all, no_symbols) => {
 	let target = {};
@@ -25493,6 +25566,11 @@ async function findAgentByExternalUser(db, platform, externalUserId) {
 	}).from(adapterAgentMappings).where(and(eq(adapterAgentMappings.platform, platform), eq(adapterAgentMappings.externalUserId, externalUserId))).limit(1);
 	return row ?? null;
 }
+/** Look up the external user ID for an internal agent. */
+async function findExternalUserByAgent(db, platform, agentId) {
+	const [row] = await db.select({ externalUserId: adapterAgentMappings.externalUserId }).from(adapterAgentMappings).where(and(eq(adapterAgentMappings.platform, platform), eq(adapterAgentMappings.agentId, agentId))).limit(1);
+	return row ?? null;
+}
 /** Create an agent mapping. */
 async function createAgentMapping(db, data) {
 	const [row] = await db.insert(adapterAgentMappings).values({
@@ -25993,17 +26071,27 @@ function parseNodeMetadata(content) {
 	if (!match) return {
 		type: "autonomous_agent",
 		displayName: null,
-		delegateMention: null
+		delegateMention: null,
+		owners: [],
+		github: null
 	};
 	const frontmatter = match[1] ?? "";
 	const getValue = (key) => {
 		const lineMatch = new RegExp(`^${key}:\\s*(.+)$`, "m").exec(frontmatter);
 		return lineMatch ? lineMatch[1]?.trim().replace(/^["']|["']$/g, "") ?? null : null;
 	};
+	const ownersRaw = getValue("owners");
+	let owners = [];
+	if (ownersRaw) {
+		const listMatch = /^\[([^\]]*)\]$/.exec(ownersRaw);
+		if (listMatch?.[1]) owners = listMatch[1].split(",").map((s) => s.trim().replace(/^["']|["']$/g, "")).filter(Boolean);
+	}
 	return {
 		type: getValue("type") ?? "autonomous_agent",
 		displayName: getValue("display_name") ?? getValue("title") ?? getValue("name"),
-		delegateMention: getValue("delegate_mention")
+		delegateMention: getValue("delegate_mention"),
+		owners,
+		github: getValue("github")
 	};
 }
 /** Stored for the /status endpoint */
@@ -26037,26 +26125,38 @@ async function syncFromGitHub(db, repo, branch, githubToken) {
 		const meta = member.nodeContent ? parseNodeMetadata(member.nodeContent) : {
 			type: "autonomous_agent",
 			displayName: null,
-			delegateMention: null
+			delegateMention: null,
+			owners: [],
+			github: null
 		};
-		const existing = await db.execute(sql`SELECT id, status, type, display_name, delegate_mention, tree_path FROM agents WHERE id = ${member.name}`);
+		const metadataJson = JSON.stringify({
+			owners: meta.owners,
+			github: meta.github
+		});
+		const existing = await db.execute(sql`SELECT id, status, type, display_name, delegate_mention, tree_path, metadata FROM agents WHERE id = ${member.name}`);
 		if (existing.length === 0) {
 			await db.execute(sql`
-          INSERT INTO agents (id, type, display_name, delegate_mention, tree_path, status, inbox_id)
-          VALUES (${member.name}, ${meta.type}, ${meta.displayName}, ${meta.delegateMention}, ${member.treePath}, 'active', ${`inbox_${member.name}`})
+          INSERT INTO agents (id, type, display_name, delegate_mention, tree_path, status, inbox_id, metadata)
+          VALUES (${member.name}, ${meta.type}, ${meta.displayName}, ${meta.delegateMention}, ${member.treePath}, 'active', ${`inbox_${member.name}`}, ${metadataJson}::jsonb)
         `);
 			result.created++;
 		} else {
 			const agent = existing[0];
-			if (agent.status === "suspended") {
+			const existingMeta = agent.metadata ?? {};
+			const mergedMeta = JSON.stringify({
+				...existingMeta,
+				owners: meta.owners,
+				github: meta.github
+			});
+			if (agent.status === "suspended" || agent.status === "deleted") {
 				await db.execute(sql`
-            UPDATE agents SET status = 'active', type = ${meta.type}, display_name = ${meta.displayName}, delegate_mention = ${meta.delegateMention}, tree_path = ${member.treePath}
+            UPDATE agents SET status = 'active', type = ${meta.type}, display_name = ${meta.displayName}, delegate_mention = ${meta.delegateMention}, tree_path = ${member.treePath}, metadata = ${mergedMeta}::jsonb
             WHERE id = ${member.name}
           `);
 				result.reactivated++;
-			} else if (agent.type !== meta.type || agent.display_name !== meta.displayName || agent.delegate_mention !== meta.delegateMention || agent.tree_path !== member.treePath) {
+			} else if (agent.type !== meta.type || agent.display_name !== meta.displayName || agent.delegate_mention !== meta.delegateMention || agent.tree_path !== member.treePath || JSON.stringify(existingMeta.owners) !== JSON.stringify(meta.owners) || (existingMeta.github ?? null) !== (meta.github ?? null)) {
 				await db.execute(sql`
-            UPDATE agents SET type = ${meta.type}, display_name = ${meta.displayName}, delegate_mention = ${meta.delegateMention}, tree_path = ${member.treePath}
+            UPDATE agents SET type = ${meta.type}, display_name = ${meta.displayName}, delegate_mention = ${meta.delegateMention}, tree_path = ${member.treePath}, metadata = ${mergedMeta}::jsonb
             WHERE id = ${member.name}
           `);
 				result.updated++;
@@ -26203,6 +26303,17 @@ async function deleteAgent(db, id) {
 	if (!agent) throw new Error("Unexpected: UPDATE RETURNING produced no row");
 	return agent;
 }
+/**
+* Bootstrap a token for an agent using GitHub identity.
+* Only works when the agent has no active (non-revoked, non-expired) tokens.
+*/
+async function bootstrapToken(db, agentId, githubUsername, tokenName) {
+	const agent = await getAgent(db, agentId);
+	if (!(Array.isArray(agent.metadata?.owners) ? agent.metadata.owners : []).includes(githubUsername)) throw new ForbiddenError(`GitHub user "${githubUsername}" is not in the owners list for agent "${agentId}"`);
+	const activeTokens = await db.select({ id: agentTokens.id }).from(agentTokens).where(and(eq(agentTokens.agentId, agentId), isNull(agentTokens.revokedAt)));
+	if (activeTokens.length > 0) throw new ConflictError(`Agent "${agentId}" already has ${activeTokens.length} active token(s). Revoke all tokens first to re-bootstrap.`);
+	return createToken(db, agentId, { name: tokenName ?? "bootstrap" });
+}
 async function createToken(db, agentId, data) {
 	await getAgent(db, agentId);
 	const raw = `aghub_${randomBytes(32).toString("hex")}`;
@@ -27095,6 +27206,96 @@ async function agentContextTreeRoutes(app) {
 		});
 	});
 }
+async function agentFeishuBotRoutes(app) {
+	/**
+	* PUT /agent/me/feishu-bot
+	* Self-service: agent binds its own Feishu bot (upsert).
+	*/
+	app.put("/me/feishu-bot", async (request, reply) => {
+		const identity = requireAgent(request);
+		const body = selfServiceFeishuBotSchema.parse(request.body);
+		if ((await getAgent(app.db, identity.id)).type === "human") throw new BadRequestError("Human agents cannot bind Feishu bots. Use bind-user instead.");
+		const current = (await listAdapterConfigs(app.db)).find((c) => c.agentId === identity.id && c.platform === "feishu");
+		let config;
+		if (current) config = await updateAdapterConfig(app.db, current.id, {
+			credentials: {
+				app_id: body.appId,
+				app_secret: body.appSecret
+			},
+			status: "active"
+		}, app.config.secrets.encryptionKey);
+		else config = await createAdapterConfig(app.db, {
+			platform: "feishu",
+			agentId: identity.id,
+			credentials: {
+				app_id: body.appId,
+				app_secret: body.appSecret
+			},
+			status: "active"
+		}, app.config.secrets.encryptionKey);
+		app.adapterManager.reload().catch((err) => app.log.error(err, "Adapter reload failed after self-service bind"));
+		app.notifier.notifyConfigChange("adapter_configs").catch(() => {});
+		return reply.status(current ? 200 : 201).send({
+			...config,
+			createdAt: config.createdAt.toISOString(),
+			updatedAt: config.updatedAt.toISOString()
+		});
+	});
+	/**
+	* DELETE /agent/me/feishu-bot
+	* Self-service: agent unbinds its own Feishu bot.
+	*/
+	app.delete("/me/feishu-bot", async (request, reply) => {
+		const identity = requireAgent(request);
+		const current = (await listAdapterConfigs(app.db)).find((c) => c.agentId === identity.id && c.platform === "feishu");
+		if (!current) return reply.status(204).send();
+		await deleteAdapterConfig(app.db, current.id);
+		app.adapterManager.reload().catch((err) => app.log.error(err, "Adapter reload failed after self-service unbind"));
+		app.notifier.notifyConfigChange("adapter_configs").catch(() => {});
+		return reply.status(204).send();
+	});
+}
+async function agentFeishuUserRoutes(app) {
+	/**
+	* POST /agent/delegated/:humanAgentId/feishu-user
+	* Assistant binds its owner's Feishu user ID via delegate_mention authorization.
+	*/
+	app.post("/:humanAgentId/feishu-user", async (request, reply) => {
+		const identity = requireAgent(request);
+		const { humanAgentId } = request.params;
+		const body = delegateFeishuUserSchema.parse(request.body);
+		const humanAgent = await getAgent(app.db, humanAgentId);
+		if (humanAgent.type !== "human") throw new BadRequestError(`Agent "${humanAgentId}" is not a human agent`);
+		if (humanAgent.delegateMention !== identity.id) throw new ForbiddenError(`Agent "${identity.id}" is not the delegate of "${humanAgentId}". Expected delegate_mention="${identity.id}" but found "${humanAgent.delegateMention ?? "(none)"}".`);
+		const mapping = await createAgentMapping(app.db, {
+			platform: "feishu",
+			externalUserId: body.feishuUserId,
+			agentId: humanAgentId,
+			boundVia: "delegate",
+			displayName: body.displayName
+		});
+		return reply.status(201).send({
+			id: mapping.id,
+			platform: mapping.platform,
+			externalUserId: mapping.externalUserId,
+			agentId: mapping.agentId,
+			boundVia: mapping.boundVia,
+			displayName: mapping.displayName,
+			createdAt: mapping.createdAt.toISOString()
+		});
+	});
+	/**
+	* DELETE /agent/delegated/:humanAgentId/feishu-user
+	* Assistant unbinds its owner's Feishu user ID.
+	*/
+	app.delete("/:humanAgentId/feishu-user", async (request, reply) => {
+		const identity = requireAgent(request);
+		const { humanAgentId } = request.params;
+		if ((await getAgent(app.db, humanAgentId)).delegateMention !== identity.id) throw new ForbiddenError(`Agent "${identity.id}" is not the delegate of "${humanAgentId}"`);
+		await app.db.delete(adapterAgentMappings).where(and(eq(adapterAgentMappings.platform, "feishu"), eq(adapterAgentMappings.agentId, humanAgentId)));
+		return reply.status(204).send();
+	});
+}
 const DEFAULT_INBOX_TIMEOUT_SECONDS = 300;
 const DEFAULT_MAX_RETRY_COUNT = 3;
 async function pollInbox(db, inboxId, limit) {
@@ -27288,6 +27489,62 @@ function agentWsRoutes(notifier, instanceId) {
 		});
 	};
 }
+async function bootstrapRoutes(app) {
+	/**
+	* POST /bootstrap/:agentId/token
+	* GitHub identity → Agent token.
+	* Only works when the agent has no active tokens.
+	*/
+	app.post("/:agentId/token", async (request, reply) => {
+		const { agentId } = request.params;
+		const githubUser = request.githubUser;
+		if (!githubUser) throw new ForbiddenError("GitHub authentication required");
+		const body = bootstrapTokenRequestSchema.parse(request.body ?? {});
+		const result = await bootstrapToken(app.db, agentId, githubUser.username, body.name);
+		return reply.status(201).send({
+			id: result.id,
+			agentId: result.agentId,
+			name: result.name,
+			token: result.token,
+			expiresAt: result.expiresAt?.toISOString() ?? null,
+			createdAt: result.createdAt.toISOString()
+		});
+	});
+	/**
+	* GET /bootstrap/:agentId/status
+	* Check if an agent exists and its status (for polling after PR merge + sync).
+	*/
+	app.get("/:agentId/status", async (request) => {
+		const { agentId } = request.params;
+		const githubUser = request.githubUser;
+		if (!githubUser) throw new ForbiddenError("GitHub authentication required");
+		try {
+			const agent = await getAgent(app.db, agentId);
+			if (!(Array.isArray(agent.metadata?.owners) ? agent.metadata.owners : []).includes(githubUser.username)) throw new ForbiddenError(`GitHub user "${githubUser.username}" is not in the owners list for agent "${agentId}"`);
+			return {
+				exists: true,
+				status: agent.status
+			};
+		} catch (err) {
+			if (err instanceof NotFoundError) return {
+				exists: false,
+				status: null
+			};
+			throw err;
+		}
+	});
+}
+async function contextTreeInfoRoutes(app) {
+	/** Public endpoint — returns Context Tree repo metadata for CLI auto-discovery. */
+	app.get("/info", async () => {
+		const { repo, branch } = app.config.contextTree;
+		return {
+			repo,
+			branch,
+			lastSync: null
+		};
+	});
+}
 async function healthRoutes(app) {
 	app.get("/health", async () => {
 		try {
@@ -27855,6 +28112,25 @@ function agentAuthHook(db) {
 		request.agent = agent;
 	};
 }
+const GITHUB_API_URL = "https://api.github.com/user";
+/**
+* Middleware that validates a GitHub token from the `X-GitHub-Token` header.
+* On success, sets `request.githubUser = { username }`.
+*/
+function githubAuthHook() {
+	return async (request, _reply) => {
+		const token = request.headers["x-github-token"];
+		if (!token || typeof token !== "string") throw new UnauthorizedError("Missing X-GitHub-Token header");
+		const res = await fetch(GITHUB_API_URL, { headers: {
+			Authorization: `Bearer ${token}`,
+			Accept: "application/vnd.github+json"
+		} });
+		if (!res.ok) throw new UnauthorizedError("Invalid GitHub token");
+		const data = await res.json();
+		if (!data.login) throw new ForbiddenError("Could not determine GitHub username from token");
+		request.githubUser = { username: data.login };
+	};
+}
 const PROXY_ENV_KEYS = [
 	"HTTP_PROXY",
 	"HTTPS_PROXY",
@@ -28088,6 +28364,12 @@ function parseEventData(appId, data) {
 	};
 }
 async function processInboundMessage(db, event, bot, log, inboxNotifier) {
+	const messageText = extractTextContent(event);
+	const bindMatch = /^\/bind\s+(\S+)/.exec(messageText);
+	if (bindMatch?.[1]) {
+		await handleBindCommand(db, bot, event, bindMatch[1], log);
+		return;
+	}
 	const agentMapping = await findAgentByExternalUser(db, "feishu", event.senderId);
 	if (!agentMapping) {
 		await replyUnknownUser(bot, event, log);
@@ -28130,8 +28412,9 @@ async function processInboundMessage(db, event, bot, log, inboxNotifier) {
 async function replyUnknownUser(bot, event, log) {
 	const text = [
 		"Your account is not linked to First Tree Hub yet.",
-		"Please contact your admin to set up the binding.",
-		`Your user ID: ${event.senderId}`
+		"To bind, send:  /bind <your-agent-id>",
+		"",
+		"Example:  /bind alice"
 	].join("\n");
 	try {
 		await botApiCall(bot, () => bot.client.im.v1.message.create({
@@ -28149,6 +28432,81 @@ async function replyUnknownUser(bot, event, log) {
 		}, "Failed to send unknown-user reply");
 	}
 }
+/** Extract plain text from a Feishu message event. */
+function extractTextContent(event) {
+	if (typeof event.content === "object" && event.content !== null && "text" in event.content) return (event.content.text ?? "").trim();
+	return "";
+}
+/**
+* Handle `/bind <agentId>` command from Feishu.
+* Binds the sender's Feishu user ID to the specified human agent.
+*/
+async function handleBindCommand(db, bot, event, agentId, log) {
+	const reply = async (text) => {
+		try {
+			await botApiCall(bot, () => bot.client.im.v1.message.create({
+				params: { receive_id_type: "chat_id" },
+				data: {
+					receive_id: event.externalChannelId,
+					msg_type: "text",
+					content: JSON.stringify({ text })
+				}
+			}));
+		} catch (err) {
+			log.warn({ err }, "Failed to send /bind reply");
+		}
+	};
+	const existingMapping = await findAgentByExternalUser(db, "feishu", event.senderId);
+	if (existingMapping) {
+		await reply(`You are already bound to agent "${existingMapping.agentId}". Unbind first if you want to rebind.`);
+		return;
+	}
+	const [agent] = await db.select({
+		id: agents.id,
+		type: agents.type,
+		status: agents.status
+	}).from(agents).where(eq(agents.id, agentId)).limit(1);
+	if (!agent) {
+		await reply(`Agent "${agentId}" not found. Check the ID and try again.`);
+		return;
+	}
+	if (agent.status !== "active") {
+		await reply(`Agent "${agentId}" is ${agent.status}. Only active agents can be bound.`);
+		return;
+	}
+	if (agent.type !== "human") {
+		await reply(`Agent "${agentId}" is not a human agent (type: ${agent.type}). Only human agents can bind Feishu users.`);
+		return;
+	}
+	const existingAgentBinding = await findExternalUserByAgent(db, "feishu", agentId);
+	if (existingAgentBinding) {
+		await reply(`Agent "${agentId}" is already bound to Feishu user ${existingAgentBinding.externalUserId}. Unbind first if you want to rebind.`);
+		return;
+	}
+	try {
+		await createAgentMapping(db, {
+			platform: "feishu",
+			externalUserId: event.senderId,
+			agentId,
+			boundVia: "command",
+			displayName: void 0
+		});
+	} catch (err) {
+		log.error({
+			err,
+			agentId,
+			senderId: event.senderId
+		}, "/bind: failed to create mapping");
+		await reply("Binding failed due to an internal error. Please try again or contact your admin.");
+		return;
+	}
+	await reply(`Binding successful! Your Feishu account is now linked to "${agentId}".`);
+	log.info({
+		agentId,
+		senderId: event.senderId,
+		appId: bot.appId
+	}, "/bind: Feishu user bound via command");
+}
 /**
 * Process outbound messages for all feishu-bound human agents.
 * Consumes pending inbox entries for human agents that have feishu platform bindings,
@@ -28343,6 +28701,7 @@ async function buildApp(config) {
 	});
 	const agentAuth = agentAuthHook(db);
 	const adminAuth = adminAuthHook(db, config.secrets.jwtSecret);
+	const githubAuth = githubAuthHook();
 	app.setErrorHandler((error, _request, reply) => {
 		if (error instanceof AppError) return reply.status(error.statusCode).send({ error: error.message });
 		if (error instanceof ZodError) return reply.status(400).send({
@@ -28357,6 +28716,11 @@ async function buildApp(config) {
 		await api.register(healthRoutes);
 		await api.register(githubWebhookRoutes, { prefix: "/webhooks" });
 		await api.register(adminAuthRoutes, { prefix: "/admin/auth" });
+		await api.register(contextTreeInfoRoutes, { prefix: "/context-tree" });
+		await api.register(async (bootstrapApp) => {
+			bootstrapApp.addHook("onRequest", githubAuth);
+			await bootstrapApp.register(bootstrapRoutes);
+		}, { prefix: "/bootstrap" });
 		await api.register(async (adminApp) => {
 			adminApp.addHook("onRequest", adminAuth);
 			await adminApp.register(adminAgentRoutes);
@@ -28401,6 +28765,8 @@ async function buildApp(config) {
 			await agentApp.register(agentSendToAgentRoutes, { prefix: "/agents" });
 			await agentApp.register(agentInboxRoutes, { prefix: "/inbox" });
 			await agentApp.register(agentContextTreeRoutes, { prefix: "/context-tree" });
+			await agentApp.register(agentFeishuBotRoutes);
+			await agentApp.register(agentFeishuUserRoutes, { prefix: "/delegated" });
 			await agentApp.register(agentWsRoutes(notifier, config.instanceId), { prefix: "/ws" });
 		}, { prefix: "/agent" });
 	}, { prefix: "/api/v1" });
@@ -28560,4 +28926,4 @@ function resolveWebDist() {
 	} catch {}
 }
 //#endregion
-export { SessionRegistry as A, clientConfigSchema as B, stopPostgres as C, DEFAULT_WORKSPACE_TTL_MS as D, AgentSlot as E, createAdminUser$1 as F, resetConfig as G, initConfig as H, hasAdminUser as I, setConfigValue as J, resetConfigMeta as K, DEFAULT_CONFIG_DIR as L, getHandlerFactory as M, loadRuntimeConfig as N, FirstTreeHubSDK as O, registerBuiltinHandlers as P, DEFAULT_DATA_DIR$1 as R, isDockerAvailable as S, AgentRuntime as T, loadAgents as U, getConfigValue as V, readConfigFile as W, checkWebSocket as _, runMigrations as a, status as b, checkClientConfig as c, checkDocker as d, checkGitHubToken as f, checkServerReachable as g, checkServerHealth as h, promptMissingFields as i, cleanWorkspaces as j, SdkError as k, checkContextTreeRepo as l, checkServerConfig as m, isInteractive as n, checkAgentConfigs as o, checkNodeVersion as p, serverConfigSchema as q, promptAddAgent as r, checkAgentTokens as s, startServer as t, checkDatabase as u, printResults as v, ClientRuntime as w, ensurePostgres as x, blank as y, agentConfigSchema as z };
+export { ClientRuntime as A, registerBuiltinHandlers as B, checkWebSocket as C, ensurePostgres as D, status as E, SdkError as F, hasAdminUser as H, SessionRegistry as I, cleanWorkspaces as L, AgentSlot as M, DEFAULT_WORKSPACE_TTL_MS as N, isDockerAvailable as O, FirstTreeHubSDK as P, getHandlerFactory as R, checkServerReachable as S, blank as T, createAdminUser$1 as V, checkDocker as _, formatCheckReport as a, checkServerConfig as b, onboardContinue as c, runMigrations as d, checkAgentConfigs as f, checkDatabase as g, checkContextTreeRepo as h, promptMissingFields as i, AgentRuntime as j, stopPostgres as k, onboardCreate as l, checkClientConfig as m, isInteractive as n, loadOnboardState as o, checkAgentTokens as p, promptAddAgent as r, onboardCheck as s, startServer as t, saveOnboardState as u, checkGitHubToken as v, printResults as w, checkServerHealth as x, checkNodeVersion as y, loadRuntimeConfig as z };