@agent-team-foundation/first-tree-hub 0.3.5 → 0.4.0

package/dist/{core-CHL_dgzu.mjs → core-CMeOAZmx.mjs}

@@ -1,4 +1,4 @@
-import { S as setConfigValue, a as getGitHubUsername, b as resolveConfigReadonly, c as DEFAULT_CONFIG_DIR, d as agentConfigSchema, f as clientConfigSchema, g as loadAgents, h as initConfig, p as collectMissingPrompts, r as checkBootstrapStatus, s as resolveServerUrl, t as bootstrapToken$1, u as DEFAULT_HOME_DIR$1, x as serverConfigSchema } from "./bootstrap-mhkpeOEc.mjs";
+import { S as setConfigValue, a as getGitHubUsername, b as resolveConfigReadonly, c as DEFAULT_CONFIG_DIR, d as agentConfigSchema, f as clientConfigSchema, g as loadAgents, h as initConfig, p as collectMissingPrompts, s as resolveServerUrl, t as bootstrapToken$1, u as DEFAULT_HOME_DIR$1, x as serverConfigSchema } from "./bootstrap-uyPaaI05.mjs";
 import { copyFileSync, existsSync, mkdirSync, readFileSync, readdirSync, renameSync, rmSync, statSync, writeFileSync } from "node:fs";
 import { dirname, join, resolve } from "node:path";
 import { EventEmitter } from "node:events";
@@ -51,12 +51,13 @@ var FirstTreeHubSDK = class {
 			displayName: agent.displayName,
 			type: agent.type,
 			delegateMention: agent.delegateMention ?? null,
+			profile: agent.profile ?? null,
 			metadata: agent.metadata ?? {}
 		};
 	}
-	/** Fetch Context Tree configuration from the server. */
+	/** Fetch Context Tree configuration from the server (public endpoint). */
 	async getContextTreeConfig() {
-		return this.requestJson("/api/v1/agent/context-tree");
+		return this.requestJson("/api/v1/context-tree/info");
 	}
 	/** Fetch pending inbox entries. */
 	async pull(limit = 10) {
@@ -433,27 +434,23 @@ defineConfig({
 			secret: true
 		})
 	},
-	contextTree: {
+	contextTree: optional({
 		repo: field(z.string(), {
 			env: "FIRST_TREE_HUB_CONTEXT_TREE_REPO",
 			prompt: { message: "Context Tree repo URL (e.g. https://github.com/org/first-tree):" }
 		}),
-		branch: field(z.string().default("main")),
-		syncInterval: field(z.number().default(60))
-	},
+		branch: field(z.string().default("main"))
+	}),
 	github: {
-		token: field(z.string(), {
+		token: field(z.string().optional(), {
 			env: "FIRST_TREE_HUB_GITHUB_TOKEN",
-			secret: true,
-			prompt: {
-				message: "GitHub token (create at https://github.com/settings/tokens → repo scope):",
-				type: "password"
-			}
+			secret: true
 		}),
 		webhookSecret: field(z.string().optional(), {
 			env: "FIRST_TREE_HUB_GITHUB_WEBHOOK_SECRET",
 			secret: true
-		})
+		}),
+		allowedOrg: field(z.string().optional(), { env: "FIRST_TREE_HUB_GITHUB_ALLOWED_ORG" })
 	},
 	cors: optional({ origin: field(z.string(), { env: "FIRST_TREE_HUB_CORS_ORIGIN" }) }),
 	rateLimit: optional({
@@ -497,14 +494,13 @@ function bootstrapWorkspace(options) {
 		contextTreePath
 	};
 	writeFileSync(join(agentDir, "identity.json"), JSON.stringify(identityData, null, 2), "utf-8");
+	if (identity.profile) writeFileSync(join(contextDir, "self.md"), identity.profile, "utf-8");
 	if (contextTreePath) {
-		const selfNodePath = join(contextTreePath, "members", identity.agentId, "NODE.md");
-		if (existsSync(selfNodePath)) copyFileSync(selfNodePath, join(contextDir, "self.md"));
 		const agentMdPath = join(contextTreePath, "AGENT.md");
 		if (existsSync(agentMdPath)) copyFileSync(agentMdPath, join(contextDir, "agent-instructions.md"));
 		const rootNodePath = join(contextTreePath, "NODE.md");
 		if (existsSync(rootNodePath)) copyFileSync(rootNodePath, join(contextDir, "domain-map.md"));
-	} else writeFileSync(join(contextDir, "degraded.md"), "Context Tree is not available for this session.\nOrganizational context, domain structure, and ownership information are not loaded.\n", "utf-8");
+	}
 	writeFileSync(join(agentDir, "tools.md"), generateToolsDoc(), "utf-8");
 }
 function generateToolsDoc() {
@@ -842,10 +838,9 @@ const createClaudeCodeHandler = (config) => {
 /**
 * Generate a CLAUDE.md file from .agent/ bootstrap data.
 *
-* Layered Bootstrap:
-*   Layer 1 (always): Agent identity + member profile + AGENT.md operating instructions
-*   Layer 2 (if available): Organization domain map from root NODE.md
-*   Layer 3 (on-demand): Agent reads specific domain nodes via contextTreePath
+* Layer 1 (always): Agent identity + profile (from Hub)
+* Layer 2 (if Context Tree configured): Operating instructions + domain map
+* Layer 3 (if Context Tree configured): Context Tree location for on-demand reading
 */
 function generateClaudeMd(workspacePath, identity, contextTreePath) {
 	const sections = [];
@@ -857,25 +852,18 @@ function generateClaudeMd(workspacePath, identity, contextTreePath) {
 	if (existsSync(selfMdPath)) {
 		const selfContent = readFileSync(selfMdPath, "utf-8");
 		sections.push(`## Your Profile\n\n${selfContent}\n`);
-	} else sections.push("## Your Profile\n\nNo member profile available. Your responsibilities are not loaded from the Context Tree.\n");
+	}
 	const agentInstructionsPath = join(contextDir, "agent-instructions.md");
 	if (existsSync(agentInstructionsPath)) {
 		const instructions = readFileSync(agentInstructionsPath, "utf-8");
-		sections.push(`## Context Tree Operating Instructions\n\n${instructions}\n`);
-	} else sections.push("## Context Tree Operating Instructions\n\nContext Tree instructions unavailable. Organizational context is not loaded for this session.\n");
+		sections.push(`## Operating Instructions\n\n${instructions}\n`);
+	}
 	const domainMapPath = join(contextDir, "domain-map.md");
 	if (existsSync(domainMapPath)) {
 		const domainMap = readFileSync(domainMapPath, "utf-8");
 		sections.push(`## Organization Domain Map\n\n${domainMap}\n`);
 	}
 	if (contextTreePath) sections.push(`## Context Tree Location\n\nThe full Context Tree is available at: \`${contextTreePath}\`\n\nRead specific domain nodes as needed following the operating instructions above.\n`);
-	else {
-		const degradedPath = join(contextDir, "degraded.md");
-		if (existsSync(degradedPath)) {
-			const degradedMsg = readFileSync(degradedPath, "utf-8");
-			sections.push(`## Context Tree Location\n\nWARNING: ${degradedMsg}\nYou can still use the SDK tools below, but you lack organizational context for decisions.\n`);
-		}
-	}
 	const toolsPath = join(workspacePath, ".agent", "tools.md");
 	if (existsSync(toolsPath)) {
 		const toolsContent = readFileSync(toolsPath, "utf-8");
@@ -1299,6 +1287,7 @@ var AgentSlot = class {
 				displayName: agent.displayName,
 				type: agent.type,
 				delegateMention: agent.delegateMention,
+				profile: agent.profile,
 				metadata: agent.metadata
 			},
 			sdk: this.connection.sdk,
@@ -2058,14 +2047,32 @@ async function onboardCheck(args) {
 				key: "server_reachable",
 				label: "Server reachable",
 				status: res.ok ? "ok" : "error",
-				value: res.ok ? "yes" : `HTTP ${res.status}`
+				value: res.ok ? "healthy" : `HTTP ${res.status}`
 			});
+			if (res.ok) try {
+				const configRes = await fetch(`${serverUrl}/api/v1/bootstrap/config`);
+				if (configRes.ok) {
+					const config = await configRes.json();
+					if (config.allowedOrg) items.push({
+						key: "allowed_org",
+						label: "GitHub org",
+						status: "ok",
+						value: config.allowedOrg
+					});
+					else items.push({
+						key: "allowed_org",
+						label: "GitHub org",
+						status: "error",
+						hint: "FIRST_TREE_HUB_GITHUB_ALLOWED_ORG not configured on server"
+					});
+				}
+			} catch {}
 		} catch {
 			items.push({
 				key: "server_reachable",
 				label: "Server reachable",
 				status: "error",
-				value: "no"
+				hint: "Cannot connect to server"
 			});
 		}
 	} catch {
@@ -2073,126 +2080,32 @@ async function onboardCheck(args) {
 			key: "server",
 			label: "Server URL",
 			status: "missing_required",
-			hint: "--server <url> or FIRST_TREE_HUB_SERVER"
-		});
-	}
-	const repoPath = await resolveContextTreeRepo(args.server);
-	if (repoPath) items.push({
-		key: "repo",
-		label: "Context Tree repo",
-		status: "ok",
-		value: repoPath
-	});
-	else {
-		const serverAvailable = items.some((i) => i.key === "server" && i.status === "ok");
-		items.push({
-			key: "repo",
-			label: "Context Tree repo",
-			status: "missing_required",
-			hint: serverAvailable ? "auto-clone failed (check server Context Tree config and gh auth)" : "configure --server first (repo will be auto-cloned from server)"
+			hint: "Provide via --server, FIRST_TREE_HUB_SERVER, or config"
 		});
 	}
-	items.push(args.id ? {
+	if (args.id) items.push({
 		key: "id",
-		label: "id",
+		label: "Agent ID",
 		status: "ok",
 		value: args.id
-	} : {
+	});
+	else items.push({
 		key: "id",
-		label: "id",
+		label: "Agent ID",
 		status: "missing_required",
-		hint: "Member directory name"
+		hint: "Provide via --id"
 	});
-	items.push(args.type ? {
+	if (args.type) items.push({
 		key: "type",
-		label: "type",
+		label: "Agent type",
 		status: "ok",
 		value: args.type
-	} : {
-		key: "type",
-		label: "type",
-		status: "missing_required",
-		hint: "human | personal_assistant | autonomous_agent"
-	});
-	items.push(args.role ? {
-		key: "role",
-		label: "role",
-		status: "ok",
-		value: args.role
-	} : {
-		key: "role",
-		label: "role",
-		status: "missing_required",
-		hint: "e.g. \"Engineer\""
-	});
-	items.push(args.domains ? {
-		key: "domains",
-		label: "domains",
-		status: "ok",
-		value: args.domains
-	} : {
-		key: "domains",
-		label: "domains",
-		status: "missing_required",
-		hint: "Comma-separated, e.g. \"backend,infra\""
-	});
-	items.push(args.displayName ? {
-		key: "display_name",
-		label: "display-name",
-		status: "ok",
-		value: args.displayName
-	} : {
-		key: "display_name",
-		label: "display-name",
-		status: "missing_optional",
-		hint: `defaults to "${args.id ?? ""}"`
-	});
-	if (args.type === "human") items.push(args.assistant ? {
-		key: "assistant",
-		label: "assistant",
-		status: "ok",
-		value: args.assistant
-	} : {
-		key: "assistant",
-		label: "assistant",
-		status: "missing_optional",
-		hint: "Also create a personal_assistant"
 	});
-	if (args.type !== "human" || args.assistant) items.push(args.feishuBotAppId ? {
-		key: "feishu_bot",
-		label: "feishu-bot-app-id",
-		status: "ok",
-		value: args.feishuBotAppId
-	} : {
-		key: "feishu_bot",
-		label: "feishu-bot-app-id",
-		status: "missing_optional",
-		hint: "Feishu bot App ID"
-	});
-	if (args.id && repoPath) if (existsSync(join(repoPath, "members", args.id))) try {
-		execSync(`git ls-files --error-unmatch members/${args.id}/NODE.md`, {
-			cwd: repoPath,
-			stdio: "pipe"
-		});
-		items.push({
-			key: "conflict",
-			label: `ID "${args.id}" availability`,
-			status: "warning",
-			value: "already exists (will overwrite)"
-		});
-	} catch {
-		items.push({
-			key: "conflict",
-			label: `ID "${args.id}" availability`,
-			status: "ok",
-			value: "resuming (local files from previous run)"
-		});
-	}
 	else items.push({
-		key: "conflict",
-		label: `ID "${args.id}" availability`,
-		status: "ok",
-		value: "available"
+		key: "type",
+		label: "Agent type",
+		status: "missing_required",
+		hint: "Provide via --type"
 	});
 	return items;
 }
@@ -2207,330 +2120,74 @@ function formatCheckReport(items) {
 	return lines.join("\n");
 }
 async function onboardCreate(args) {
-	const repoPath = await resolveContextTreeRepo(args.server);
-	if (!repoPath) throw new Error("Context Tree repo not available. Ensure --server is configured and the server is running.");
-	if (args.assistant && args.type !== "human") throw new Error(`--assistant is only valid for human agents, not ${args.type}`);
-	const ghUsername = getGitHubUsername();
-	const githubField = args.type === "human" ? ghUsername : null;
-	const humanNodePath = join(repoPath, "members", args.id, "NODE.md");
-	if (existsSync(humanNodePath) && isTrackedByGit(repoPath, join("members", args.id, "NODE.md"))) {
-		process.stderr.write(`Member "${args.id}" already exists, skipping NODE.md creation.\n`);
-		if (args.assistant) {
-			const existingContent = readFileSync(humanNodePath, "utf-8");
-			if (!existingContent.includes("delegate_mention")) {
-				writeFileSync(humanNodePath, existingContent.replace(/^(---\n[\s\S]*?)(---)/m, `$1delegate_mention: ${args.assistant}\n$2`));
-				process.stderr.write(`Updated delegate_mention → ${args.assistant}\n`);
-			}
-		}
-	} else createMemberNodeMd(repoPath, {
-		id: args.id,
-		type: args.type,
-		displayName: args.displayName ?? args.id,
-		role: args.role,
-		domains: args.domains.split(",").map((d) => d.trim()),
-		owner: ghUsername,
-		github: githubField,
-		delegateMention: args.assistant ?? args.delegateMention ?? null
-	});
-	if (args.assistant) if (existsSync(join(repoPath, "members", args.id, args.assistant, "NODE.md")) && isTrackedByGit(repoPath, join("members", args.id, args.assistant, "NODE.md"))) process.stderr.write(`Assistant "${args.assistant}" already exists, skipping.\n`);
-	else createMemberNodeMd(repoPath, {
-		parentPath: join("members", args.id),
-		id: args.assistant,
-		type: "personal_assistant",
-		displayName: args.assistant,
-		role: `Personal Assistant to ${args.id}`,
-		domains: ["message triage", "task coordination"],
-		owner: ghUsername,
-		github: null,
-		delegateMention: null
-	});
+	const serverUrl = resolveServerUrl(args.server).replace(/\/+$/, "");
+	getGitHubUsername();
+	process.stderr.write(`Bootstrapping agent "${args.id}"...\n`);
+	const metadata = {};
+	if (args.role) metadata.role = args.role;
+	if (args.domains) metadata.domains = args.domains.split(",").map((d) => d.trim());
+	let token;
 	try {
-		execSync("npx -y first-tree verify", {
-			cwd: repoPath,
-			stdio: "pipe"
-		});
+		token = (await bootstrapToken$1(serverUrl, args.id, {
+			saveTo: "agent",
+			type: args.type,
+			displayName: args.displayName ?? args.id,
+			profile: args.profile,
+			delegateMention: args.assistant ?? args.delegateMention,
+			metadata: Object.keys(metadata).length > 0 ? metadata : void 0
+		})).token;
 	} catch (err) {
-		const stderr = err instanceof Error && "stderr" in err ? err.stderr.toString() : "";
-		const stdout = err instanceof Error && "stdout" in err ? err.stdout.toString() : "";
-		const output = stderr || stdout || String(err);
-		if (output.includes("VERSION") || output.includes("AGENT.md") || output.includes("Root NODE.md")) throw new Error("Context Tree repo is not properly initialized.\nRun 'context-tree init' in the repo first, or see:\n  https://github.com/agent-team-foundation/first-tree\n\n" + output);
-		throw new Error(`Verification failed:\n${output}`);
-	}
-	const baseBranch = `onboard/${args.id}`;
-	let branch = baseBranch;
-	const branchExists = (name) => {
-		try {
-			execSync(`git rev-parse --verify ${name}`, {
-				cwd: repoPath,
-				stdio: "pipe"
-			});
-			return true;
-		} catch {
-			return false;
-		}
-	};
-	if (branchExists(branch)) branch = `${baseBranch}-${Date.now().toString(36)}`;
-	try {
-		execSync("git checkout main", {
-			cwd: repoPath,
-			stdio: "pipe"
-		});
-	} catch {
-		try {
-			execSync("git checkout master", {
-				cwd: repoPath,
-				stdio: "pipe"
-			});
-		} catch {}
-	}
-	execSync(`git checkout -b ${branch}`, {
-		cwd: repoPath,
-		stdio: "pipe"
-	});
-	execSync(`git add members/${args.id}`, {
-		cwd: repoPath,
-		stdio: "pipe"
-	});
-	execFileSync("git", [
-		"commit",
-		"-m",
-		args.assistant ? `feat: onboard ${args.id} + ${args.assistant}` : `feat: onboard ${args.id}`
-	], {
-		cwd: repoPath,
-		stdio: "pipe"
-	});
-	const pushToken = execSync("gh auth token", {
-		encoding: "utf-8",
-		stdio: "pipe"
-	}).trim();
-	const cleanRemote = execSync("git remote get-url origin", {
-		cwd: repoPath,
-		encoding: "utf-8",
-		stdio: "pipe"
-	}).trim();
-	execSync(`git remote set-url origin "${cleanRemote.replace("https://github.com/", `https://x-access-token:${pushToken}@github.com/`)}"`, {
-		cwd: repoPath,
-		stdio: "pipe"
-	});
-	try {
-		execSync(`git push -u origin ${branch}`, {
-			cwd: repoPath,
-			stdio: "pipe"
-		});
-	} finally {
-		execSync(`git remote set-url origin "${cleanRemote}"`, {
-			cwd: repoPath,
-			stdio: "pipe"
-		});
+		const msg = err instanceof Error ? err.message : String(err);
+		if (msg.includes("already has") || msg.includes("409")) throw new Error(`Agent "${args.id}" already has an active token.\nAsk an admin to revoke the existing token in the Web UI, then re-run onboard.`);
+		throw err;
 	}
-	const prOutput = execSync(`gh pr create --title "${args.assistant ? `Onboard ${args.id} + assistant` : `Onboard ${args.id}`}" --body "Automated onboard via first-tree-hub CLI"`, {
-		cwd: repoPath,
-		encoding: "utf-8"
-	}).trim();
-	const state = {
-		args,
-		branch,
-		prUrl: prOutput
-	};
-	mkdirSync(DEFAULT_HOME_DIR$1, { recursive: true });
-	writeFileSync(STATE_FILE, JSON.stringify(state, null, 2));
-	return { prUrl: prOutput };
-}
-async function onboardContinue(args) {
-	let state = null;
-	try {
-		state = JSON.parse(readFileSync(STATE_FILE, "utf-8"));
-	} catch {}
-	if (!state && !args.id) throw new Error("No onboard in progress. Run 'first-tree-hub onboard' first to start a new onboard.");
-	const mergedArgs = {
-		...state?.args,
-		...stripUndefined(args)
-	};
-	const serverUrl = resolveServerUrl(mergedArgs.server).replace(/\/+$/, "");
-	const agentToBootstrap = mergedArgs.assistant ?? mergedArgs.id;
-	if (!agentToBootstrap) throw new Error("Cannot determine which agent to bootstrap. Provide --id or run onboard first.");
-	if (!mergedArgs.id) throw new Error("Cannot determine member ID. Provide --id or run onboard first.");
-	process.stderr.write(`Waiting for agent "${agentToBootstrap}" to be synced...\n`);
-	let synced = false;
-	for (let i = 0; i < 30; i++) {
+	process.stderr.write(`Agent "${args.id}" ready.\n`);
+	if (args.assistant) {
+		process.stderr.write(`Bootstrapping assistant "${args.assistant}"...\n`);
 		try {
-			const status = await checkBootstrapStatus(serverUrl, agentToBootstrap);
-			if (status.exists && status.status === "active") {
-				synced = true;
-				break;
-			}
+			token = (await bootstrapToken$1(serverUrl, args.assistant, {
+				saveTo: "agent",
+				type: "personal_assistant",
+				displayName: args.assistant,
+				metadata: {
+					role: `Personal Assistant to ${args.id}`,
+					domains: ["message triage", "task coordination"]
+				}
+			})).token;
+			process.stderr.write(`Assistant "${args.assistant}" ready.\n`);
 		} catch (err) {
-			if (i === 0) process.stderr.write(`  (check failed: ${err instanceof Error ? err.message : String(err)})\n`);
+			const msg = err instanceof Error ? err.message : String(err);
+			process.stderr.write(`Warning: Failed to bootstrap assistant "${args.assistant}": ${msg}\n`);
 		}
-		await sleep(2e3);
-	}
-	if (!synced) throw new Error(`Agent "${agentToBootstrap}" not found after 60s. Trigger sync manually or wait for auto-sync.`);
-	process.stderr.write(`Bootstrapping token for "${agentToBootstrap}"...\n`);
-	let token;
-	try {
-		token = (await bootstrapToken$1(serverUrl, agentToBootstrap, { saveTo: "agent" })).token;
-	} catch (err) {
-		const msg = err instanceof Error ? err.message : String(err);
-		if (msg.includes("already has") || msg.includes("409")) throw new Error(`Agent "${agentToBootstrap}" already has an active token.\nAsk an admin to revoke the existing token in the Web UI, then re-run:
-  first-tree-hub onboard --continue`);
-		throw err;
 	}
+	const agentToBootstrap = args.assistant ?? args.id;
 	process.stderr.write(`Token saved to ${DEFAULT_HOME_DIR$1}/config/agents/${agentToBootstrap}/agent.yaml\n`);
-	if (mergedArgs.feishuBotAppId && mergedArgs.feishuBotAppSecret) {
+	if (args.feishuBotAppId && args.feishuBotAppSecret) {
 		const { bindFeishuBot } = await import("./feishu-Y4m2zFc3.mjs").then((n) => n.r);
 		process.stderr.write("Binding Feishu bot...\n");
-		await bindFeishuBot(serverUrl, token, mergedArgs.feishuBotAppId, mergedArgs.feishuBotAppSecret);
+		await bindFeishuBot(serverUrl, token, args.feishuBotAppId, args.feishuBotAppSecret);
 		process.stderr.write("Feishu bot bound.\n");
 	}
+	setConfigValue(join(DEFAULT_CONFIG_DIR, "client.yaml"), "server.url", serverUrl);
 	try {
 		const { unlinkSync } = await import("node:fs");
 		unlinkSync(STATE_FILE);
 	} catch {}
-	const typeLabel = mergedArgs.type === "human" ? "Human" : mergedArgs.type === "autonomous_agent" ? "Agent" : "Assistant";
+	const typeLabel = args.type === "human" ? "Human" : args.type === "autonomous_agent" ? "Agent" : "Assistant";
 	process.stderr.write("\n✅ Onboard complete!\n\n");
-	process.stderr.write(`  ${typeLabel}:${" ".repeat(Math.max(1, 10 - typeLabel.length))}${mergedArgs.id}\n`);
-	if (mergedArgs.assistant) process.stderr.write(`  Assistant: ${mergedArgs.assistant}\n`);
+	process.stderr.write(`  ${typeLabel}:${" ".repeat(Math.max(1, 10 - typeLabel.length))}${args.id}\n`);
+	if (args.assistant) process.stderr.write(`  Assistant: ${args.assistant}\n`);
 	process.stderr.write(`  Token:     ${DEFAULT_HOME_DIR$1}/config/agents/${agentToBootstrap}/agent.yaml\n`);
-	if (mergedArgs.feishuBotAppId) process.stderr.write(`  Feishu:    bot bound (${mergedArgs.feishuBotAppId})\n`);
-	setConfigValue(join(DEFAULT_CONFIG_DIR, "client.yaml"), "server.url", serverUrl);
-	if (mergedArgs.type === "human") {
+	if (args.feishuBotAppId) process.stderr.write(`  Feishu:    bot bound (${args.feishuBotAppId})\n`);
+	if (args.type === "human") {
 		process.stderr.write("\n  Next step — bind your Feishu account:\n");
-		process.stderr.write(`    Send this message to the bot in Feishu:  /bind ${mergedArgs.id}\n`);
-		if (!mergedArgs.feishuBotAppId) process.stderr.write("    (requires a Feishu bot to be configured in the system)\n");
+		process.stderr.write(`    Send this message to the bot in Feishu:  /bind ${args.id}\n`);
+		if (!args.feishuBotAppId) process.stderr.write("    (requires a Feishu bot to be configured in the system)\n");
 	}
 	process.stderr.write("\n  Start the agent:\n");
 	process.stderr.write("    first-tree-hub client start\n");
 	process.stderr.write("\n");
 }
-function createMemberNodeMd(repoPath, data) {
-	const memberDir = join(repoPath, data.parentPath ?? "members", data.id);
-	mkdirSync(memberDir, { recursive: true });
-	const domainsList = data.domains.map((d) => `  - "${d}"`).join("\n");
-	const githubLine = data.github ? `\ngithub: ${data.github}` : "";
-	const delegateLine = data.delegateMention && data.type === "human" ? `\ndelegate_mention: ${data.delegateMention}` : "";
-	const bodySections = data.type === "autonomous_agent" ? `## About
-
-## Capabilities
-
-## Current Focus
-` : `## About
-
-## Current Focus
-`;
-	const content = `---
-title: "${data.displayName}"
-owners: [${data.owner}]
-type: ${data.type}
-role: "${data.role}"
-domains:
-${domainsList}${githubLine}${delegateLine}
----
-
-# ${data.displayName}
-
-${bodySections}`;
-	writeFileSync(join(memberDir, "NODE.md"), content);
-}
-function isTrackedByGit(repoPath, filePath) {
-	try {
-		execSync(`git ls-files --error-unmatch ${filePath}`, {
-			cwd: repoPath,
-			stdio: "pipe"
-		});
-		return true;
-	} catch {
-		return false;
-	}
-}
-const CONTEXT_TREE_DIR = join(DEFAULT_HOME_DIR$1, "context-tree");
-/**
-* Resolve Context Tree to a **local path** at $FIRST_TREE_HUB_HOME/context-tree/.
-*
-* Repo URL is obtained from the Hub server. The local clone is always
-* managed in the standard location — no custom paths allowed.
-*/
-async function resolveContextTreeRepo(serverUrl) {
-	const repoUrl = await fetchRepoUrlFromServer(serverUrl);
-	if (!repoUrl) return null;
-	let ghToken;
-	try {
-		ghToken = execSync("gh auth token", {
-			encoding: "utf-8",
-			stdio: "pipe"
-		}).trim();
-	} catch {
-		return null;
-	}
-	const gitEnv = {
-		...process.env,
-		GIT_ASKPASS: "echo",
-		GIT_TERMINAL_PROMPT: "0",
-		GH_TOKEN: ghToken,
-		GITHUB_TOKEN: ghToken
-	};
-	const gitConfigArgs = `-c url."https://x-access-token:${ghToken}@github.com/".insteadOf="https://github.com/"`;
-	if (existsSync(join(CONTEXT_TREE_DIR, ".git"))) {
-		try {
-			if (execSync("git remote get-url origin", {
-				cwd: CONTEXT_TREE_DIR,
-				encoding: "utf-8",
-				stdio: "pipe"
-			}).trim().includes(repoUrl.replace(/^https?:\/\/github\.com\//, "").replace(/\.git$/, ""))) {
-				process.stderr.write("Updating Context Tree...\n");
-				execSync("git checkout main 2>/dev/null || git checkout master", {
-					cwd: CONTEXT_TREE_DIR,
-					stdio: "pipe"
-				});
-				try {
-					execSync(`git ${gitConfigArgs} pull --ff-only`, {
-						cwd: CONTEXT_TREE_DIR,
-						stdio: "pipe",
-						env: gitEnv
-					});
-				} catch {}
-				return CONTEXT_TREE_DIR;
-			}
-		} catch {}
-		const safePrefix = DEFAULT_HOME_DIR$1;
-		if (!CONTEXT_TREE_DIR.startsWith(safePrefix) || CONTEXT_TREE_DIR === safePrefix) throw new Error(`Refusing to delete unsafe path: ${CONTEXT_TREE_DIR}`);
-		execSync(`rm -rf ${CONTEXT_TREE_DIR}`);
-	}
-	try {
-		process.stderr.write(`Cloning Context Tree to ${CONTEXT_TREE_DIR}...\n`);
-		mkdirSync(DEFAULT_HOME_DIR$1, { recursive: true });
-		execSync(`git ${gitConfigArgs} clone ${repoUrl} ${CONTEXT_TREE_DIR}`, {
-			stdio: "pipe",
-			env: gitEnv
-		});
-		return CONTEXT_TREE_DIR;
-	} catch {
-		return null;
-	}
-}
-/** Query server for Context Tree repo URL. */
-async function fetchRepoUrlFromServer(serverUrl) {
-	if (!serverUrl) try {
-		serverUrl = resolveServerUrl();
-	} catch {
-		return null;
-	}
-	try {
-		const url = `${serverUrl.replace(/\/+$/, "")}/api/v1/context-tree/info`;
-		const res = await fetch(url, { signal: AbortSignal.timeout(5e3) });
-		if (!res.ok) return null;
-		return (await res.json()).repo ?? null;
-	} catch {
-		return null;
-	}
-}
-function sleep(ms) {
-	return new Promise((resolve) => setTimeout(resolve, ms));
-}
-function stripUndefined(obj) {
-	const result = {};
-	for (const [key, value] of Object.entries(obj)) if (value !== void 0) result[key] = value;
-	return result;
-}
 //#endregion
 //#region src/core/prompt.ts
 /**
@@ -2750,30 +2407,21 @@ const AGENT_STATUSES = {
 	DELETED: "deleted"
 };
 z.enum(["active", "suspended"]);
-z.object({
+const createAgentSchema = z.object({
 	id: z.string().min(1).max(100).regex(/^[a-z0-9_-]+$/, "Only lowercase alphanumeric, hyphens, and underscores").optional(),
 	type: agentTypeSchema,
 	displayName: z.string().max(200).optional(),
+	delegateMention: z.string().max(100).optional(),
+	profile: z.string().optional(),
 	organizationId: z.string().max(100).optional(),
 	metadata: z.record(z.string(), z.unknown()).optional()
 });
-z.object({
-	syncedAt: z.string(),
-	treePath: z.string(),
-	summary: z.object({
-		created: z.number(),
-		updated: z.number(),
-		suspended: z.number(),
-		unchanged: z.number(),
-		errors: z.number()
-	}),
-	created: z.array(z.string()),
-	updated: z.array(z.string()),
-	suspended: z.array(z.string()),
-	errors: z.array(z.object({
-		memberId: z.string(),
-		error: z.string()
-	}))
+const updateAgentSchema = z.object({
+	type: agentTypeSchema.optional(),
+	displayName: z.string().max(200).nullable().optional(),
+	delegateMention: z.string().max(100).nullable().optional(),
+	profile: z.string().nullable().optional(),
+	metadata: z.record(z.string(), z.unknown()).optional()
 });
 z.object({
 	id: z.string(),
@@ -2781,7 +2429,7 @@ z.object({
 	type: agentTypeSchema,
 	displayName: z.string().nullable(),
 	delegateMention: z.string().nullable(),
-	treePath: z.string().nullable(),
+	profile: z.string().nullable(),
 	inboxId: z.string(),
 	status: z.string(),
 	metadata: z.record(z.string(), z.unknown()),
@@ -2789,15 +2437,21 @@ z.object({
 	createdAt: z.string(),
 	updatedAt: z.string()
 });
-const bootstrapTokenRequestSchema = z.object({ name: z.string().max(100).optional() });
+const bootstrapTokenRequestSchema = z.object({
+	name: z.string().max(100).optional(),
+	type: agentTypeSchema.optional(),
+	displayName: z.string().max(200).optional(),
+	delegateMention: z.string().max(100).optional(),
+	profile: z.string().optional(),
+	metadata: z.record(z.string(), z.unknown()).optional()
+});
 z.object({
 	exists: z.boolean(),
 	status: z.enum(["active", "suspended"]).nullable()
 });
 z.object({
-	repo: z.string(),
-	branch: z.string(),
-	lastSync: z.string().nullable()
+	repo: z.string().nullable(),
+	branch: z.string().nullable()
 });
 const createAgentTokenSchema = z.object({
 	name: z.string().max(100).optional(),
@@ -2919,7 +2573,7 @@ const SYSTEM_CONFIG_DEFAULTS = {
 	[SYSTEM_CONFIG_KEYS.PRESENCE_CLEANUP_SECONDS]: 60
 };
 //#endregion
-//#region ../server/dist/app-CurdzcN2.mjs
+//#region ../server/dist/app-41WnR_ri.mjs
 var __defProp = Object.defineProperty;
 var __exportAll = (all, no_symbols) => {
 	let target = {};
@@ -2937,7 +2591,7 @@ const agents = pgTable("agents", {
 	type: text("type").notNull(),
 	displayName: text("display_name"),
 	delegateMention: text("delegate_mention"),
-	treePath: text("tree_path"),
+	profile: text("profile"),
 	inboxId: text("inbox_id").unique().notNull(),
 	status: text("status").notNull().default("active"),
 	metadata: jsonb("metadata").$type().notNull().default({}),
@@ -3423,289 +3077,6 @@ async function adminAdapterRoutes(app) {
 		return reply.status(204).send();
 	});
 }
-const GRAPHQL_URL = "https://api.github.com/graphql";
-const REST_API_URL = "https://api.github.com";
-/** Parse "owner/repo" or "https://github.com/owner/repo" into { owner, name }. */
-function parseRepo(input) {
-	const urlMatch = /github\.com\/([^/]+)\/([^/.]+)/.exec(input);
-	if (urlMatch) return {
-		owner: urlMatch[1] ?? "",
-		name: urlMatch[2] ?? ""
-	};
-	const parts = input.split("/");
-	return {
-		owner: parts[0] ?? "",
-		name: parts[1] ?? ""
-	};
-}
-/** Step 1: Get the tree OID of the members/ directory via GraphQL. */
-async function fetchMembersTreeOid(owner, name, branch, token) {
-	const query = `
-    query($owner: String!, $name: String!, $expr: String!) {
-      repository(owner: $owner, name: $name) {
-        object(expression: $expr) {
-          ... on Tree { oid }
-        }
-      }
-    }
-  `;
-	const res = await fetch(GRAPHQL_URL, {
-		method: "POST",
-		headers: {
-			Authorization: `Bearer ${token}`,
-			"Content-Type": "application/json"
-		},
-		body: JSON.stringify({
-			query,
-			variables: {
-				owner,
-				name,
-				expr: `${branch}:members`
-			}
-		})
-	});
-	if (!res.ok) throw new Error(`GitHub API returned ${res.status}: ${await res.text()}`);
-	const json = await res.json();
-	if (json.errors) throw new Error(`GitHub GraphQL errors: ${json.errors.map((e) => e.message).join(", ")}`);
-	return json.data?.repository?.object?.oid ?? null;
-}
-/** Step 2: Recursively list all entries under the members/ tree via REST API. */
-async function fetchRecursiveTree(owner, name, treeSha, token) {
-	const url = `${REST_API_URL}/repos/${owner}/${name}/git/trees/${treeSha}?recursive=1`;
-	const res = await fetch(url, { headers: {
-		Authorization: `Bearer ${token}`,
-		Accept: "application/vnd.github+json"
-	} });
-	if (!res.ok) throw new Error(`GitHub REST API returned ${res.status}: ${await res.text()}`);
-	const json = await res.json();
-	if (json.truncated) throw new Error("[context-tree-sync] GitHub REST tree API returned truncated response — members/ subtree is too large. Sync aborted to prevent incorrect agent suspension from partial data.");
-	return json.tree;
-}
-/**
-* Step 3: Batch-fetch NODE.md content for all member directories via GraphQL aliases.
-* Each alias fetches one NODE.md file by expression.
-*/
-async function batchFetchNodeMd(owner, name, branch, memberPaths, token) {
-	if (memberPaths.length === 0) return /* @__PURE__ */ new Map();
-	const query = `
-    query($owner: String!, $name: String!) {
-      repository(owner: $owner, name: $name) {
-        ${memberPaths.map((p, i) => {
-		const expr = `${branch}:members/${p}/NODE.md`;
-		return `m${i}: object(expression: ${JSON.stringify(expr)}) { ... on Blob { text } }`;
-	}).join("\n        ")}
-      }
-    }
-  `;
-	const res = await fetch(GRAPHQL_URL, {
-		method: "POST",
-		headers: {
-			Authorization: `Bearer ${token}`,
-			"Content-Type": "application/json"
-		},
-		body: JSON.stringify({
-			query,
-			variables: {
-				owner,
-				name
-			}
-		})
-	});
-	if (!res.ok) throw new Error(`GitHub API returned ${res.status}: ${await res.text()}`);
-	const json = await res.json();
-	if (json.errors) throw new Error(`GitHub GraphQL errors: ${json.errors.map((e) => e.message).join(", ")}`);
-	const repo = json.data?.repository ?? {};
-	const result = /* @__PURE__ */ new Map();
-	for (let i = 0; i < memberPaths.length; i++) {
-		const blob = repo[`m${i}`];
-		const path = memberPaths[i];
-		if (blob?.text && path) result.set(path, blob.text);
-	}
-	return result;
-}
-/**
-* Extract member directory paths from a recursive tree listing.
-* A directory is a member if it contains a NODE.md blob.
-*/
-function extractMemberDirs(treeEntries) {
-	const nodeMdPaths = /* @__PURE__ */ new Set();
-	for (const entry of treeEntries) if (entry.type === "blob" && entry.path.endsWith("/NODE.md")) nodeMdPaths.add(entry.path);
-	const memberDirs = [];
-	for (const entry of treeEntries) {
-		if (entry.type !== "tree") continue;
-		if (nodeMdPaths.has(`${entry.path}/NODE.md`)) memberDirs.push(entry.path);
-	}
-	return memberDirs.sort();
-}
-/**
-* Fetch all members from a Context Tree repo via GitHub API.
-* Uses 3 API calls:
-*   1. GraphQL: get members/ tree OID
-*   2. REST: recursive tree listing (scoped to members/ only)
-*   3. GraphQL: batch-fetch all NODE.md contents via aliases
-*/
-async function fetchMembers(repo, branch, token) {
-	const { owner, name } = parseRepo(repo);
-	if (!owner || !name) throw new Error(`Invalid repo format: "${repo}" — expected "owner/repo" or a GitHub URL`);
-	const treeOid = await fetchMembersTreeOid(owner, name, branch, token);
-	if (!treeOid) {
-		console.warn("[context-tree-sync] members/ directory not found in repo");
-		return [];
-	}
-	const memberDirs = extractMemberDirs(await fetchRecursiveTree(owner, name, treeOid, token));
-	if (memberDirs.length === 0) {
-		console.warn("[context-tree-sync] No member directories with NODE.md found");
-		return [];
-	}
-	const nameMap = /* @__PURE__ */ new Map();
-	for (const dir of memberDirs) {
-		const dirName = dir.split("/").pop() ?? dir;
-		const existing = nameMap.get(dirName);
-		if (existing) throw new Error(`[context-tree-sync] Duplicate member directory name '${dirName}' found at 'members/${existing}' and 'members/${dir}' — directory names must be unique across all levels under members/. Fix this in the Context Tree repo.`);
-		nameMap.set(dirName, dir);
-	}
-	const nodeContents = await batchFetchNodeMd(owner, name, branch, memberDirs, token);
-	return memberDirs.map((dir) => ({
-		name: dir.split("/").pop() ?? dir,
-		treePath: dir,
-		nodeContent: nodeContents.get(dir) ?? null
-	}));
-}
-/** Parse NODE.md frontmatter for agent metadata. */
-function parseNodeMetadata(content) {
-	const match = /^---\n([\s\S]*?)\n---/.exec(content);
-	if (!match) return {
-		type: "autonomous_agent",
-		displayName: null,
-		delegateMention: null,
-		owners: [],
-		github: null
-	};
-	const frontmatter = match[1] ?? "";
-	const getValue = (key) => {
-		const lineMatch = new RegExp(`^${key}:\\s*(.+)$`, "m").exec(frontmatter);
-		return lineMatch ? lineMatch[1]?.trim().replace(/^["']|["']$/g, "") ?? null : null;
-	};
-	const ownersRaw = getValue("owners");
-	let owners = [];
-	if (ownersRaw) {
-		const listMatch = /^\[([^\]]*)\]$/.exec(ownersRaw);
-		if (listMatch?.[1]) owners = listMatch[1].split(",").map((s) => s.trim().replace(/^["']|["']$/g, "")).filter(Boolean);
-	}
-	return {
-		type: getValue("type") ?? "autonomous_agent",
-		displayName: getValue("display_name") ?? getValue("title") ?? getValue("name"),
-		delegateMention: getValue("delegate_mention"),
-		owners,
-		github: getValue("github")
-	};
-}
-/** Stored for the /status endpoint */
-let _lastSyncResult;
-function getLastGraphQLSyncResult() {
-	return _lastSyncResult;
-}
-/**
-* Sync agents from a GitHub Context Tree repo via GraphQL.
-*
-* Lifecycle semantics:
-* - Member in tree, not in DB → create (active)
-* - Member in tree, in DB as active, fields changed → update
-* - Member in tree, in DB as active, fields unchanged → unchanged
-* - Member in tree, in DB as suspended → reactivate (set active)
-* - Agent in DB as active, NOT in tree → suspend
-*/
-async function syncFromGitHub(db, repo, branch, githubToken) {
-	const members = await fetchMembers(repo, branch, githubToken);
-	const memberNames = new Set(members.map((m) => m.name));
-	const result = {
-		created: 0,
-		updated: 0,
-		suspended: 0,
-		reactivated: 0,
-		unchanged: 0,
-		errors: 0,
-		syncedAt: (/* @__PURE__ */ new Date()).toISOString()
-	};
-	for (const member of members) try {
-		const meta = member.nodeContent ? parseNodeMetadata(member.nodeContent) : {
-			type: "autonomous_agent",
-			displayName: null,
-			delegateMention: null,
-			owners: [],
-			github: null
-		};
-		const metadataJson = JSON.stringify({
-			owners: meta.owners,
-			github: meta.github
-		});
-		const existing = await db.execute(sql`SELECT id, status, type, display_name, delegate_mention, tree_path, metadata FROM agents WHERE id = ${member.name}`);
-		if (existing.length === 0) {
-			await db.execute(sql`
-          INSERT INTO agents (id, type, display_name, delegate_mention, tree_path, status, inbox_id, metadata)
-          VALUES (${member.name}, ${meta.type}, ${meta.displayName}, ${meta.delegateMention}, ${member.treePath}, 'active', ${`inbox_${member.name}`}, ${metadataJson}::jsonb)
-        `);
-			result.created++;
-		} else {
-			const agent = existing[0];
-			const existingMeta = agent.metadata ?? {};
-			const mergedMeta = JSON.stringify({
-				...existingMeta,
-				owners: meta.owners,
-				github: meta.github
-			});
-			if (agent.status === "suspended" || agent.status === "deleted") {
-				await db.execute(sql`
-            UPDATE agents SET status = 'active', type = ${meta.type}, display_name = ${meta.displayName}, delegate_mention = ${meta.delegateMention}, tree_path = ${member.treePath}, metadata = ${mergedMeta}::jsonb
-            WHERE id = ${member.name}
-          `);
-				result.reactivated++;
-			} else if (agent.type !== meta.type || agent.display_name !== meta.displayName || agent.delegate_mention !== meta.delegateMention || agent.tree_path !== member.treePath || JSON.stringify(existingMeta.owners) !== JSON.stringify(meta.owners) || (existingMeta.github ?? null) !== (meta.github ?? null)) {
-				await db.execute(sql`
-            UPDATE agents SET type = ${meta.type}, display_name = ${meta.displayName}, delegate_mention = ${meta.delegateMention}, tree_path = ${member.treePath}, metadata = ${mergedMeta}::jsonb
-            WHERE id = ${member.name}
-          `);
-				result.updated++;
-			} else result.unchanged++;
-		}
-	} catch (err) {
-		console.error(`[context-tree-sync] Failed to sync member "${member.name}" (path: members/${member.treePath}):`, err);
-		result.errors++;
-	}
-	try {
-		const activeAgents = await db.execute(sql`SELECT id FROM agents WHERE status = 'active' AND (metadata->>'managed')::boolean IS NOT TRUE`);
-		for (const row of activeAgents) {
-			const agent = row;
-			if (!memberNames.has(agent.id)) {
-				await db.execute(sql`UPDATE agents SET status = 'suspended' WHERE id = ${agent.id}`);
-				result.suspended++;
-			}
-		}
-	} catch (err) {
-		console.error("[context-tree-sync] Failed to suspend removed agents:", err);
-		result.errors++;
-	}
-	_lastSyncResult = result;
-	return result;
-}
-async function adminAgentSyncRoutes(app) {
-	app.post("/", async (_request, reply) => {
-		const { repo, branch } = app.config.contextTree;
-		const { token } = app.config.github;
-		try {
-			const result = await syncFromGitHub(app.db, repo, branch, token);
-			return reply.send({ summary: result });
-		} catch (error) {
-			const msg = error instanceof Error ? error.message : String(error);
-			app.log.error(error, "Context Tree sync failed");
-			return reply.status(502).send({ error: msg });
-		}
-	});
-	app.get("/status", async (_request, reply) => {
-		const lastSync = getLastGraphQLSyncResult();
-		return reply.send({ lastSync: lastSync ?? null });
-	});
-}
 /** Agent online status. Tracked via WebSocket connections; stale entries are cleaned up using server_instances heartbeat. */
 const agentPresence = pgTable("agent_presence", {
 	agentId: text("agent_id").primaryKey().references(() => agents.id, { onDelete: "cascade" }),
@@ -3741,6 +3112,8 @@ async function createAgent(db, data) {
 			organizationId: data.organizationId ?? "default",
 			type: data.type,
 			displayName: data.displayName ?? null,
+			delegateMention: data.delegateMention ?? null,
+			profile: data.profile ?? null,
 			status: "active",
 			metadata: data.metadata ?? {},
 			updatedAt: /* @__PURE__ */ new Date()
@@ -3753,6 +3126,8 @@ async function createAgent(db, data) {
 		organizationId: data.organizationId ?? "default",
 		type: data.type,
 		displayName: data.displayName ?? null,
+		delegateMention: data.delegateMention ?? null,
+		profile: data.profile ?? null,
 		inboxId,
 		metadata: data.metadata ?? {}
 	}).returning();
@@ -3764,16 +3139,18 @@ async function getAgent(db, id) {
 	if (!agent) throw new NotFoundError(`Agent "${id}" not found`);
 	return agent;
 }
-async function listAgents(db, limit, cursor) {
-	const notDeleted = ne(agents.status, AGENT_STATUSES.DELETED);
-	const where = cursor ? and(notDeleted, lt(agents.createdAt, new Date(cursor))) : notDeleted;
+async function listAgents(db, limit, cursor, type) {
+	const conditions = [ne(agents.status, AGENT_STATUSES.DELETED)];
+	if (cursor) conditions.push(lt(agents.createdAt, new Date(cursor)));
+	if (type) conditions.push(eq(agents.type, type));
+	const where = and(...conditions);
 	const rows = await db.select({
 		id: agents.id,
 		organizationId: agents.organizationId,
 		type: agents.type,
 		displayName: agents.displayName,
 		delegateMention: agents.delegateMention,
-		treePath: agents.treePath,
+		profile: agents.profile,
 		inboxId: agents.inboxId,
 		status: agents.status,
 		metadata: agents.metadata,
@@ -3789,8 +3166,50 @@ async function listAgents(db, limit, cursor) {
 		nextCursor: hasMore && last ? last.createdAt.toISOString() : null
 	};
 }
+async function updateAgent(db, id, data) {
+	const agent = await getAgent(db, id);
+	const updates = { updatedAt: /* @__PURE__ */ new Date() };
+	if (data.type !== void 0) updates.type = data.type;
+	if (data.displayName !== void 0) updates.displayName = data.displayName;
+	if (data.delegateMention !== void 0) updates.delegateMention = data.delegateMention;
+	if (data.profile !== void 0) updates.profile = data.profile;
+	if (data.metadata !== void 0) updates.metadata = data.metadata;
+	const [updated] = await db.update(agents).set(updates).where(eq(agents.id, agent.id)).returning();
+	if (!updated) throw new Error("Unexpected: UPDATE RETURNING produced no row");
+	return updated;
+}
+/**
+* Reactivate a suspended agent.
+*/
+async function reactivateAgent(db, id) {
+	const [existing] = await db.select({
+		id: agents.id,
+		status: agents.status
+	}).from(agents).where(eq(agents.id, id)).limit(1);
+	if (!existing || existing.status === AGENT_STATUSES.DELETED) throw new NotFoundError(`Agent "${id}" not found`);
+	if (existing.status !== AGENT_STATUSES.SUSPENDED) throw new BadRequestError("Only suspended agents can be reactivated.");
+	const [agent] = await db.update(agents).set({
+		status: AGENT_STATUSES.ACTIVE,
+		updatedAt: /* @__PURE__ */ new Date()
+	}).where(eq(agents.id, id)).returning();
+	if (!agent) throw new Error("Unexpected: UPDATE RETURNING produced no row");
+	return agent;
+}
+/**
+* Suspend an agent. Revokes all active tokens so the agent can no longer authenticate.
+*/
+async function suspendAgent(db, id) {
+	const [agent] = await db.update(agents).set({
+		status: AGENT_STATUSES.SUSPENDED,
+		updatedAt: /* @__PURE__ */ new Date()
+	}).where(and(eq(agents.id, id), ne(agents.status, AGENT_STATUSES.DELETED))).returning();
+	if (!agent) throw new NotFoundError(`Agent "${id}" not found`);
+	await db.update(agentTokens).set({ revokedAt: /* @__PURE__ */ new Date() }).where(and(eq(agentTokens.agentId, id), isNull(agentTokens.revokedAt)));
+	return agent;
+}
 /**
-* Delete an agent. Only allowed when status is "suspended" (removed from tree).
+* Delete an agent. Only allowed when status is "suspended".
+* Suspend the agent first to revoke tokens, then delete.
 */
 async function deleteAgent(db, id) {
 	const [existing] = await db.select({
@@ -3798,7 +3217,7 @@ async function deleteAgent(db, id) {
 		status: agents.status
 	}).from(agents).where(eq(agents.id, id)).limit(1);
 	if (!existing || existing.status === AGENT_STATUSES.DELETED) throw new NotFoundError(`Agent "${id}" not found`);
-	if (existing.status !== AGENT_STATUSES.SUSPENDED) throw new BadRequestError("Only suspended agents can be deleted. Active agents are managed by Context Tree.");
+	if (existing.status !== AGENT_STATUSES.SUSPENDED) throw new BadRequestError("Only suspended agents can be deleted. Suspend the agent first.");
 	const [agent] = await db.update(agents).set({
 		status: AGENT_STATUSES.DELETED,
 		updatedAt: /* @__PURE__ */ new Date()
@@ -3809,16 +3228,41 @@ async function deleteAgent(db, id) {
 	if (!agent) throw new Error("Unexpected: UPDATE RETURNING produced no row");
 	return agent;
 }
-/**
-* Bootstrap a token for an agent using GitHub identity.
-* Only works when the agent has no active (non-revoked, non-expired) tokens.
-*/
-async function bootstrapToken(db, agentId, githubUsername, tokenName) {
-	const agent = await getAgent(db, agentId);
+async function bootstrapToken(db, agentId, githubUsername, options) {
+	let agent;
+	try {
+		agent = await getAgent(db, agentId);
+	} catch (err) {
+		if (err instanceof NotFoundError) {
+			const metadata = {
+				...options?.metadata,
+				owners: [githubUsername]
+			};
+			agent = await createAgent(db, {
+				id: agentId,
+				type: options?.type ?? "autonomous_agent",
+				displayName: options?.displayName ?? agentId,
+				delegateMention: options?.delegateMention,
+				profile: options?.profile,
+				metadata
+			});
+		} else throw err;
+	}
 	if (!(Array.isArray(agent.metadata?.owners) ? agent.metadata.owners : []).includes(githubUsername)) throw new ForbiddenError(`GitHub user "${githubUsername}" is not in the owners list for agent "${agentId}"`);
 	const activeTokens = await db.select({ id: agentTokens.id }).from(agentTokens).where(and(eq(agentTokens.agentId, agentId), isNull(agentTokens.revokedAt)));
 	if (activeTokens.length > 0) throw new ConflictError(`Agent "${agentId}" already has ${activeTokens.length} active token(s). Revoke all tokens first to re-bootstrap.`);
-	return createToken(db, agentId, { name: tokenName ?? "bootstrap" });
+	return createToken(db, agentId, { name: options?.tokenName ?? "bootstrap" });
+}
+/**
+* Check if a GitHub user belongs to a specific organization.
+*/
+async function checkGitHubOrgMembership(githubToken, org) {
+	const res = await fetch(`https://api.github.com/user/orgs`, { headers: {
+		Authorization: `Bearer ${githubToken}`,
+		Accept: "application/vnd.github+json"
+	} });
+	if (!res.ok) return false;
+	return (await res.json()).some((o) => o.login.toLowerCase() === org.toLowerCase());
 }
 async function createToken(db, agentId, data) {
 	await getAgent(db, agentId);
@@ -4255,9 +3699,11 @@ function serializeDate$1(d) {
 	return d ? d.toISOString() : null;
 }
 async function adminAgentRoutes(app) {
+	const listAgentsFilterSchema = z.object({ type: agentTypeSchema.optional() });
 	app.get("/", async (request) => {
 		const query = paginationQuerySchema.parse(request.query);
-		const result = await listAgents(app.db, query.limit, query.cursor);
+		const { type } = listAgentsFilterSchema.parse(request.query);
+		const result = await listAgents(app.db, query.limit, query.cursor, type);
 		return {
 			items: result.items.map((a) => ({
 				...a,
@@ -4268,6 +3714,24 @@ async function adminAgentRoutes(app) {
 			nextCursor: result.nextCursor
 		};
 	});
+	app.post("/", async (request, reply) => {
+		const body = createAgentSchema.parse(request.body);
+		const agent = await createAgent(app.db, body);
+		return reply.status(201).send({
+			...agent,
+			createdAt: agent.createdAt.toISOString(),
+			updatedAt: agent.updatedAt.toISOString()
+		});
+	});
+	app.patch("/:agentId", async (request) => {
+		const body = updateAgentSchema.parse(request.body);
+		const agent = await updateAgent(app.db, request.params.agentId, body);
+		return {
+			...agent,
+			createdAt: agent.createdAt.toISOString(),
+			updatedAt: agent.updatedAt.toISOString()
+		};
+	});
 	app.get("/:agentId", async (request) => {
 		const agent = await getAgent(app.db, request.params.agentId);
 		return {
@@ -4307,6 +3771,22 @@ async function adminAgentRoutes(app) {
 		await setOffline(app.db, agentId);
 		return reply.status(200).send({ disconnected: wasConnected });
 	});
+	app.post("/:agentId/suspend", async (request) => {
+		const agent = await suspendAgent(app.db, request.params.agentId);
+		return {
+			...agent,
+			createdAt: agent.createdAt.toISOString(),
+			updatedAt: agent.updatedAt.toISOString()
+		};
+	});
+	app.post("/:agentId/reactivate", async (request) => {
+		const agent = await reactivateAgent(app.db, request.params.agentId);
+		return {
+			...agent,
+			createdAt: agent.createdAt.toISOString(),
+			updatedAt: agent.updatedAt.toISOString()
+		};
+	});
 	app.delete("/:agentId", async (request, reply) => {
 		await deleteAgent(app.db, request.params.agentId);
 		return reply.status(204).send();
@@ -4702,16 +4182,6 @@ async function agentChatRoutes(app) {
 		return reply.status(204).send();
 	});
 }
-async function agentContextTreeRoutes(app) {
-	app.get("/", async (_request, reply) => {
-		const { repo, branch } = app.config.contextTree;
-		if (!repo) return reply.status(404).send({ error: "Context Tree not configured" });
-		return reply.send({
-			repo,
-			branch
-		});
-	});
-}
 async function agentFeishuBotRoutes(app) {
 	/**
 	* PUT /agent/me/feishu-bot
@@ -4995,18 +4465,37 @@ function agentWsRoutes(notifier, instanceId) {
 		});
 	};
 }
+async function bootstrapConfigRoutes(app) {
+	/** Public endpoint — returns bootstrap prerequisites for CLI auto-discovery. */
+	app.get("/config", async () => {
+		return { allowedOrg: app.config.github.allowedOrg ?? null };
+	});
+}
 async function bootstrapRoutes(app) {
 	/**
 	* POST /bootstrap/:agentId/token
 	* GitHub identity → Agent token.
+	* Auto-creates the agent if it does not exist.
 	* Only works when the agent has no active tokens.
 	*/
 	app.post("/:agentId/token", async (request, reply) => {
 		const { agentId } = request.params;
 		const githubUser = request.githubUser;
 		if (!githubUser) throw new ForbiddenError("GitHub authentication required");
+		const allowedOrg = app.config.github.allowedOrg;
+		if (!allowedOrg) throw new ForbiddenError("FIRST_TREE_HUB_GITHUB_ALLOWED_ORG is not configured. Agent registration is disabled.");
+		const githubToken = request.headers["x-github-token"];
+		if (!githubToken || typeof githubToken !== "string") throw new ForbiddenError("Missing GitHub token for org membership check");
+		if (!await checkGitHubOrgMembership(githubToken, allowedOrg)) throw new ForbiddenError(`GitHub user "${githubUser.username}" is not a member of organization "${allowedOrg}"`);
 		const body = bootstrapTokenRequestSchema.parse(request.body ?? {});
-		const result = await bootstrapToken(app.db, agentId, githubUser.username, body.name);
+		const result = await bootstrapToken(app.db, agentId, githubUser.username, {
+			tokenName: body.name,
+			type: body.type,
+			displayName: body.displayName,
+			delegateMention: body.delegateMention,
+			profile: body.profile,
+			metadata: body.metadata
+		});
 		return reply.status(201).send({
 			id: result.id,
 			agentId: result.agentId,
@@ -5018,7 +4507,7 @@ async function bootstrapRoutes(app) {
 	});
 	/**
 	* GET /bootstrap/:agentId/status
-	* Check if an agent exists and its status (for polling after PR merge + sync).
+	* Check if an agent exists and its status (for polling).
 	*/
 	app.get("/:agentId/status", async (request) => {
 		const { agentId } = request.params;
@@ -5043,11 +4532,9 @@ async function bootstrapRoutes(app) {
 async function contextTreeInfoRoutes(app) {
 	/** Public endpoint — returns Context Tree repo metadata for CLI auto-discovery. */
 	app.get("/info", async () => {
-		const { repo, branch } = app.config.contextTree;
 		return {
-			repo,
-			branch,
-			lastSync: null
+			repo: app.config.contextTree?.repo ?? null,
+			branch: app.config.contextTree?.branch ?? null
 		};
 	});
 }
@@ -6420,6 +5907,7 @@ async function buildApp(config) {
 		await api.register(githubWebhookRoutes, { prefix: "/webhooks" });
 		await api.register(adminAuthRoutes, { prefix: "/admin/auth" });
 		await api.register(contextTreeInfoRoutes, { prefix: "/context-tree" });
+		await api.register(bootstrapConfigRoutes, { prefix: "/bootstrap" });
 		await api.register(async (bootstrapApp) => {
 			bootstrapApp.addHook("onRequest", githubAuth);
 			await bootstrapApp.register(bootstrapRoutes);
@@ -6428,10 +5916,6 @@ async function buildApp(config) {
 			adminApp.addHook("onRequest", adminAuth);
 			await adminApp.register(adminAgentRoutes);
 		}, { prefix: "/admin/agents" });
-		await api.register(async (adminApp) => {
-			adminApp.addHook("onRequest", adminAuth);
-			await adminApp.register(adminAgentSyncRoutes);
-		}, { prefix: "/admin/agents/sync" });
 		await api.register(async (adminApp) => {
 			adminApp.addHook("onRequest", adminAuth);
 			await adminApp.register(adminSystemConfigRoutes);
@@ -6467,7 +5951,6 @@ async function buildApp(config) {
 			await agentApp.register(agentMessageRoutes, { prefix: "/chats" });
 			await agentApp.register(agentSendToAgentRoutes, { prefix: "/agents" });
 			await agentApp.register(agentInboxRoutes, { prefix: "/inbox" });
-			await agentApp.register(agentContextTreeRoutes, { prefix: "/context-tree" });
 			await agentApp.register(agentFeishuBotRoutes);
 			await agentApp.register(agentFeishuUserRoutes, { prefix: "/delegated" });
 			await agentApp.register(agentWsRoutes(notifier, config.instanceId), { prefix: "/ws" });
@@ -6503,19 +5986,6 @@ async function buildApp(config) {
 		backgroundTasks.start();
 		await adapterManager.reload();
 		await kaelRuntime?.reload();
-		const { repo: ctRepo, branch: ctBranch, syncInterval } = config.contextTree;
-		const { token: ghToken } = config.github;
-		try {
-			const report = await syncFromGitHub(db, ctRepo, ctBranch, ghToken);
-			app.log.info(`Context Tree sync: created=${report.created} updated=${report.updated} unchanged=${report.unchanged} errors=${report.errors}`);
-		} catch (err) {
-			app.log.error(err, "Initial Context Tree sync failed");
-		}
-		const intervalMs = syncInterval * 1e3;
-		const timer = setInterval(() => {
-			syncFromGitHub(db, ctRepo, ctBranch, ghToken).catch((err) => app.log.error(err, "Periodic Context Tree sync failed"));
-		}, intervalMs);
-		app.addHook("onClose", async () => clearInterval(timer));
 	});
 	app.addHook("onClose", async () => {
 		backgroundTasks.stop();
@@ -6635,4 +6105,4 @@ function resolveWebDist() {
 	} catch {}
 }
 //#endregion
-export { ClientRuntime as A, checkWebSocket as C, ensurePostgres as D, status as E, SessionRegistry as F, cleanWorkspaces as I, hasAdminUser as M, FirstTreeHubSDK as N, isDockerAvailable as O, SdkError as P, checkServerReachable as S, blank as T, checkDocker as _, formatCheckReport as a, checkServerConfig as b, onboardContinue as c, runMigrations as d, checkAgentConfigs as f, checkDatabase as g, checkContextTreeRepo as h, promptMissingFields as i, createAdminUser$1 as j, stopPostgres as k, onboardCreate as l, checkClientConfig as m, isInteractive as n, loadOnboardState as o, checkAgentTokens as p, promptAddAgent as r, onboardCheck as s, startServer as t, saveOnboardState as u, checkGitHubToken as v, printResults as w, checkServerHealth as x, checkNodeVersion as y };
+export { createAdminUser$1 as A, printResults as C, isDockerAvailable as D, ensurePostgres as E, cleanWorkspaces as F, FirstTreeHubSDK as M, SdkError as N, stopPostgres as O, SessionRegistry as P, checkWebSocket as S, status as T, checkGitHubToken as _, formatCheckReport as a, checkServerHealth as b, onboardCreate as c, checkAgentConfigs as d, checkAgentTokens as f, checkDocker as g, checkDatabase as h, promptMissingFields as i, hasAdminUser as j, ClientRuntime as k, saveOnboardState as l, checkContextTreeRepo as m, isInteractive as n, loadOnboardState as o, checkClientConfig as p, promptAddAgent as r, onboardCheck as s, startServer as t, runMigrations as u, checkNodeVersion as v, blank as w, checkServerReachable as x, checkServerConfig as y };