@agent-team-foundation/first-tree-hub 0.4.0 → 0.6.0

package/dist/{bootstrap-uyPaaI05.mjs → bootstrap-BnlTKa0H.mjs}

@@ -1,11 +1,11 @@
 import { t as __exportAll } from "./rolldown-runtime-twds-ZHy.mjs";
 import { chmodSync, existsSync, mkdirSync, readFileSync, readdirSync, statSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";
-import { randomBytes } from "node:crypto";
-import { execSync } from "node:child_process";
 import { z } from "zod";
 import { parse, stringify } from "yaml";
+import { randomBytes } from "node:crypto";
 import { homedir } from "node:os";
+import { execSync } from "node:child_process";
 //#region ../shared/dist/config/index.mjs
 /** Declare a config field with a Zod schema and optional metadata. */
 function field(schema, options) {
@@ -29,7 +29,7 @@ function defineConfig(shape) {
 }
 const agentConfigSchema = defineConfig({
 	token: field(z.string(), { secret: true }),
-	type: field(z.string().default("claude-code")),
+	runtime: field(z.string().default("claude-code")),
 	concurrency: field(z.number().int().positive().default(5)),
 	session: {
 		idle_timeout: field(z.number().int().positive().default(300)),
@@ -458,10 +458,6 @@ const serverConfigSchema = defineConfig({
 		branch: field(z.string().default("main"))
 	}),
 	github: {
-		token: field(z.string().optional(), {
-			env: "FIRST_TREE_HUB_GITHUB_TOKEN",
-			secret: true
-		}),
 		webhookSecret: field(z.string().optional(), {
 			env: "FIRST_TREE_HUB_GITHUB_WEBHOOK_SECRET",
 			secret: true
@@ -488,11 +484,17 @@ const serverConfigSchema = defineConfig({
 var bootstrap_exports = /* @__PURE__ */ __exportAll({
 	bootstrapToken: () => bootstrapToken,
 	checkBootstrapStatus: () => checkBootstrapStatus,
+	ensureFreshAdminToken: () => ensureFreshAdminToken,
 	getGitHubToken: () => getGitHubToken,
 	getGitHubUsername: () => getGitHubUsername,
+	loadCredentials: () => loadCredentials,
+	maskToken: () => maskToken,
 	resolveAgentToken: () => resolveAgentToken,
-	resolveServerUrl: () => resolveServerUrl
+	resolveServerUrl: () => resolveServerUrl,
+	saveAgentConfig: () => saveAgentConfig,
+	saveCredentials: () => saveCredentials
 });
+const CREDENTIALS_PATH = join(DEFAULT_CONFIG_DIR, "credentials.json");
 /**
 * Get the current GitHub username from `gh auth status`.
 */
@@ -532,7 +534,7 @@ function resolveServerUrl(flagValue) {
 /**
 * Bootstrap a token for an agent using GitHub identity.
 */
-async function bootstrapToken(serverUrl, agentId, options = {}) {
+async function bootstrapToken(serverUrl, agentName, options = {}) {
 	const githubToken = getGitHubToken();
 	const body = { name: "bootstrap" };
 	if (options.type) body.type = options.type;
@@ -540,7 +542,7 @@ async function bootstrapToken(serverUrl, agentId, options = {}) {
 	if (options.delegateMention) body.delegateMention = options.delegateMention;
 	if (options.profile) body.profile = options.profile;
 	if (options.metadata) body.metadata = options.metadata;
-	const res = await fetch(`${serverUrl}/api/v1/bootstrap/${encodeURIComponent(agentId)}/token`, {
+	const res = await fetch(`${serverUrl}/api/v1/bootstrap/${encodeURIComponent(agentName)}/token`, {
 		method: "POST",
 		headers: {
 			"X-GitHub-Token": githubToken,
@@ -550,19 +552,20 @@ async function bootstrapToken(serverUrl, agentId, options = {}) {
 	});
 	if (!res.ok) {
 		const msg = (await res.json().catch(() => ({}))).error ?? `HTTP ${res.status}`;
-		throw new Error(`Bootstrap failed for "${agentId}": ${msg}`);
+		throw new Error(`Bootstrap failed for "${agentName}": ${msg}`);
 	}
 	const data = await res.json();
-	if (options.saveTo === "agent" || !options.saveTo) {
-		const configDir = join(DEFAULT_CONFIG_DIR, "agents", agentId);
+	const isHuman = options.type === "human";
+	if ((options.saveTo === "agent" || !options.saveTo) && !isHuman) {
+		const configDir = join(DEFAULT_CONFIG_DIR, "agents", agentName);
 		const configPath = `${configDir}/agent.yaml`;
 		mkdirSync(configDir, {
 			recursive: true,
 			mode: 448
 		});
-		writeFileSync(configPath, `token: "${data.token}"\ntype: claude-code\n`, { mode: 384 });
+		writeFileSync(configPath, `token: "${data.token}"\nruntime: claude-code\n`, { mode: 384 });
 		chmodSync(configDir, 448);
-	} else if (options.saveTo) {
+	} else if (options.saveTo && options.saveTo !== "agent") {
 		mkdirSync(dirname(options.saveTo), { recursive: true });
 		writeFileSync(options.saveTo, data.token, { mode: 384 });
 	}
@@ -578,16 +581,89 @@ function resolveAgentToken() {
 	return token;
 }
 /**
+* Ensure the persisted access token is fresh. Call before any admin API request
+* when using persisted credentials. Returns the (possibly refreshed) access token.
+*/
+async function ensureFreshAdminToken() {
+	const envToken = process.env.FIRST_TREE_HUB_ADMIN_TOKEN;
+	if (envToken) return envToken;
+	const creds = loadCredentials();
+	if (!creds) throw new Error("No credentials found.\n  Run: first-tree-hub connect <server-url>\n  Or set FIRST_TREE_HUB_ADMIN_TOKEN environment variable.");
+	if (!isTokenExpired(creds.accessToken)) return creds.accessToken;
+	const res = await fetch(`${creds.serverUrl}/api/v1/auth/refresh`, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify({ refreshToken: creds.refreshToken }),
+		signal: AbortSignal.timeout(1e4)
+	});
+	if (!res.ok) throw new Error("Access token expired and refresh failed.\n  Run: first-tree-hub connect <server-url>");
+	const data = await res.json();
+	saveCredentials({
+		...creds,
+		accessToken: data.accessToken
+	});
+	return data.accessToken;
+}
+/** Check if a JWT access token is expired (with 30s margin). */
+function isTokenExpired(token) {
+	try {
+		const parts = token.split(".");
+		if (parts.length !== 3 || !parts[1]) return true;
+		const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
+		if (!payload.exp) return false;
+		return payload.exp * 1e3 < Date.now() - 3e4;
+	} catch {
+		return true;
+	}
+}
+/** Persist credentials to disk. */
+function saveCredentials(creds) {
+	mkdirSync(dirname(CREDENTIALS_PATH), {
+		recursive: true,
+		mode: 448
+	});
+	writeFileSync(CREDENTIALS_PATH, JSON.stringify(creds, null, 2), { mode: 384 });
+}
+/**
+* Load persisted credentials saved by `connect` command.
+*/
+function loadCredentials() {
+	try {
+		const data = JSON.parse(readFileSync(CREDENTIALS_PATH, "utf-8"));
+		if (data.accessToken && data.refreshToken && data.serverUrl) return data;
+		return null;
+	} catch {
+		return null;
+	}
+}
+/**
 * Check if an agent exists and is synced.
 */
-async function checkBootstrapStatus(serverUrl, agentId) {
+async function checkBootstrapStatus(serverUrl, agentName) {
 	const githubToken = getGitHubToken();
-	const res = await fetch(`${serverUrl}/api/v1/bootstrap/${encodeURIComponent(agentId)}/status`, { headers: { "X-GitHub-Token": githubToken } });
+	const res = await fetch(`${serverUrl}/api/v1/bootstrap/${encodeURIComponent(agentName)}/status`, { headers: { "X-GitHub-Token": githubToken } });
 	if (!res.ok) {
 		const body = await res.json().catch(() => ({}));
 		throw new Error(body.error ?? `HTTP ${res.status}`);
 	}
 	return await res.json();
 }
+/**
+* Write agent config (token + runtime) to disk.
+* Used by `agent create`, `agent add`, bootstrap, and server-pushed provisioning.
+*/
+function saveAgentConfig(agentName, token, runtime) {
+	const agentDir = join(DEFAULT_CONFIG_DIR, "agents", agentName);
+	mkdirSync(agentDir, {
+		recursive: true,
+		mode: 448
+	});
+	writeFileSync(join(agentDir, "agent.yaml"), `token: "${token}"\nruntime: ${runtime}\n`, { mode: 384 });
+	return agentDir;
+}
+/** Mask a token for display: show first 6 + last 2 chars. */
+function maskToken(token) {
+	return token.length > 8 ? `${token.slice(0, 6)}***${token.slice(-2)}` : "***";
+}
 //#endregion
-export { setConfigValue as S, readConfigFile as _, getGitHubUsername as a, resolveConfigReadonly as b, DEFAULT_CONFIG_DIR as c, agentConfigSchema as d, clientConfigSchema as f, loadAgents as g, initConfig as h, getGitHubToken as i, DEFAULT_DATA_DIR as l, getConfigValue as m, bootstrap_exports as n, resolveAgentToken as o, collectMissingPrompts as p, checkBootstrapStatus as r, resolveServerUrl as s, bootstrapToken as t, DEFAULT_HOME_DIR as u, resetConfig as v, serverConfigSchema as x, resetConfigMeta as y };
+export { resetConfigMeta as C, setConfigValue as E, resetConfig as S, serverConfigSchema as T, collectMissingPrompts as _, getGitHubToken as a, loadAgents as b, resolveAgentToken as c, saveCredentials as d, DEFAULT_CONFIG_DIR as f, clientConfigSchema as g, agentConfigSchema as h, ensureFreshAdminToken as i, resolveServerUrl as l, DEFAULT_HOME_DIR as m, bootstrap_exports as n, getGitHubUsername as o, DEFAULT_DATA_DIR as p, checkBootstrapStatus as r, maskToken as s, bootstrapToken as t, saveAgentConfig as u, getConfigValue as v, resolveConfigReadonly as w, readConfigFile as x, initConfig as y };