@agent-team-foundation/first-tree-hub 0.5.0 → 0.6.1

package/dist/{bootstrap-BU_7B03u.mjs → bootstrap-Dq_k_6ZD.mjs}

@@ -1,11 +1,11 @@
 import { t as __exportAll } from "./rolldown-runtime-twds-ZHy.mjs";
 import { chmodSync, existsSync, mkdirSync, readFileSync, readdirSync, statSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";
-import { randomBytes } from "node:crypto";
-import { execSync } from "node:child_process";
 import { z } from "zod";
 import { parse, stringify } from "yaml";
+import { randomBytes } from "node:crypto";
 import { homedir } from "node:os";
+import { execSync } from "node:child_process";
 //#region ../shared/dist/config/index.mjs
 /** Declare a config field with a Zod schema and optional metadata. */
 function field(schema, options) {
@@ -29,7 +29,7 @@ function defineConfig(shape) {
 }
 const agentConfigSchema = defineConfig({
 	token: field(z.string(), { secret: true }),
-	type: field(z.string().default("claude-code")),
+	runtime: field(z.string().default("claude-code")),
 	concurrency: field(z.number().int().positive().default(5)),
 	session: {
 		idle_timeout: field(z.number().int().positive().default(300)),
@@ -458,10 +458,6 @@ const serverConfigSchema = defineConfig({
 		branch: field(z.string().default("main"))
 	}),
 	github: {
-		token: field(z.string().optional(), {
-			env: "FIRST_TREE_HUB_GITHUB_TOKEN",
-			secret: true
-		}),
 		webhookSecret: field(z.string().optional(), {
 			env: "FIRST_TREE_HUB_GITHUB_WEBHOOK_SECRET",
 			secret: true
@@ -488,11 +484,18 @@ const serverConfigSchema = defineConfig({
 var bootstrap_exports = /* @__PURE__ */ __exportAll({
 	bootstrapToken: () => bootstrapToken,
 	checkBootstrapStatus: () => checkBootstrapStatus,
+	ensureFreshAdminToken: () => ensureFreshAdminToken,
 	getGitHubToken: () => getGitHubToken,
 	getGitHubUsername: () => getGitHubUsername,
+	loadAgentTokenByName: () => loadAgentTokenByName,
+	loadCredentials: () => loadCredentials,
+	maskToken: () => maskToken,
 	resolveAgentToken: () => resolveAgentToken,
-	resolveServerUrl: () => resolveServerUrl
+	resolveServerUrl: () => resolveServerUrl,
+	saveAgentConfig: () => saveAgentConfig,
+	saveCredentials: () => saveCredentials
 });
+const CREDENTIALS_PATH = join(DEFAULT_CONFIG_DIR, "credentials.json");
 /**
 * Get the current GitHub username from `gh auth status`.
 */
@@ -522,12 +525,12 @@ function getGitHubToken() {
 */
 function resolveServerUrl(flagValue) {
 	if (flagValue) return flagValue;
-	if (process.env.FIRST_TREE_HUB_SERVER) return process.env.FIRST_TREE_HUB_SERVER;
+	if (process.env.FIRST_TREE_HUB_SERVER_URL) return process.env.FIRST_TREE_HUB_SERVER_URL;
 	try {
 		const config = getClientConfig();
 		if (config.server?.url) return config.server.url;
 	} catch {}
-	throw new Error("Server URL not configured.\n  Provide via: --server <url>, FIRST_TREE_HUB_SERVER env var, or\n  first-tree-hub config set -c server.url <url>");
+	throw new Error("Server URL not configured.\n  Provide via: --server <url>, FIRST_TREE_HUB_SERVER_URL env var, or\n  first-tree-hub config set -c server.url <url>");
 }
 /**
 * Bootstrap a token for an agent using GitHub identity.
@@ -553,29 +556,109 @@ async function bootstrapToken(serverUrl, agentName, options = {}) {
 		throw new Error(`Bootstrap failed for "${agentName}": ${msg}`);
 	}
 	const data = await res.json();
-	if (options.saveTo === "agent" || !options.saveTo) {
+	const isHuman = options.type === "human";
+	if ((options.saveTo === "agent" || !options.saveTo) && !isHuman) {
 		const configDir = join(DEFAULT_CONFIG_DIR, "agents", agentName);
 		const configPath = `${configDir}/agent.yaml`;
 		mkdirSync(configDir, {
 			recursive: true,
 			mode: 448
 		});
-		writeFileSync(configPath, `token: "${data.token}"\ntype: claude-code\n`, { mode: 384 });
+		writeFileSync(configPath, `token: "${data.token}"\nruntime: claude-code\n`, { mode: 384 });
 		chmodSync(configDir, 448);
-	} else if (options.saveTo) {
+	} else if (options.saveTo && options.saveTo !== "agent") {
 		mkdirSync(dirname(options.saveTo), { recursive: true });
 		writeFileSync(options.saveTo, data.token, { mode: 384 });
 	}
 	return data;
 }
 /**
-* Resolve agent token from FIRST_TREE_HUB_TOKEN env var.
-* Throws if not set.
+* Load an agent's token from `~/.first-tree-hub/agents/<agentName>/agent.yaml`.
+* Returns null if the file is missing or has no token.
+*/
+function loadAgentTokenByName(agentName) {
+	const configPath = join(DEFAULT_CONFIG_DIR, "agents", agentName, "agent.yaml");
+	if (!existsSync(configPath)) return null;
+	try {
+		const raw = parse(readFileSync(configPath, "utf-8"));
+		if (typeof raw.token === "string" && raw.token.length > 0) return raw.token;
+		return null;
+	} catch {
+		return null;
+	}
+}
+/**
+* Resolve agent token with the following precedence:
+*   1. FIRST_TREE_HUB_AGENT_TOKEN env var (explicit token; runtime or manual export)
+*   2. FIRST_TREE_HUB_AGENT env var → lookup in ~/.first-tree-hub/agents/<name>/agent.yaml
+* Throws if neither is configured or the named agent has no stored token.
 */
 function resolveAgentToken() {
-	const token = process.env.FIRST_TREE_HUB_TOKEN;
-	if (!token) throw new Error("FIRST_TREE_HUB_TOKEN environment variable is required.");
-	return token;
+	const token = process.env.FIRST_TREE_HUB_AGENT_TOKEN;
+	if (token) return token;
+	const agentName = process.env.FIRST_TREE_HUB_AGENT;
+	if (agentName) {
+		const loaded = loadAgentTokenByName(agentName);
+		if (loaded) return loaded;
+		throw new Error(`Agent "${agentName}" has no token in ${join(DEFAULT_CONFIG_DIR, "agents", agentName)}/agent.yaml.\n  Verify the agent exists locally or set FIRST_TREE_HUB_AGENT_TOKEN explicitly.`);
+	}
+	throw new Error("No agent token configured.\n  Set FIRST_TREE_HUB_AGENT_TOKEN directly, or\n  set FIRST_TREE_HUB_AGENT=<agentName> to use a stored agent config.");
+}
+/**
+* Ensure the persisted access token is fresh. Call before any admin API request
+* when using persisted credentials. Returns the (possibly refreshed) access token.
+*/
+async function ensureFreshAdminToken() {
+	const envToken = process.env.FIRST_TREE_HUB_ADMIN_TOKEN;
+	if (envToken) return envToken;
+	const creds = loadCredentials();
+	if (!creds) throw new Error("No credentials found.\n  Run: first-tree-hub connect <server-url>\n  Or set FIRST_TREE_HUB_ADMIN_TOKEN environment variable.");
+	if (!isTokenExpired(creds.accessToken)) return creds.accessToken;
+	const res = await fetch(`${creds.serverUrl}/api/v1/auth/refresh`, {
+		method: "POST",
+		headers: { "Content-Type": "application/json" },
+		body: JSON.stringify({ refreshToken: creds.refreshToken }),
+		signal: AbortSignal.timeout(1e4)
+	});
+	if (!res.ok) throw new Error("Access token expired and refresh failed.\n  Run: first-tree-hub connect <server-url>");
+	const data = await res.json();
+	saveCredentials({
+		...creds,
+		accessToken: data.accessToken
+	});
+	return data.accessToken;
+}
+/** Check if a JWT access token is expired (with 30s margin). */
+function isTokenExpired(token) {
+	try {
+		const parts = token.split(".");
+		if (parts.length !== 3 || !parts[1]) return true;
+		const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
+		if (!payload.exp) return false;
+		return payload.exp * 1e3 < Date.now() - 3e4;
+	} catch {
+		return true;
+	}
+}
+/** Persist credentials to disk. */
+function saveCredentials(creds) {
+	mkdirSync(dirname(CREDENTIALS_PATH), {
+		recursive: true,
+		mode: 448
+	});
+	writeFileSync(CREDENTIALS_PATH, JSON.stringify(creds, null, 2), { mode: 384 });
+}
+/**
+* Load persisted credentials saved by `connect` command.
+*/
+function loadCredentials() {
+	try {
+		const data = JSON.parse(readFileSync(CREDENTIALS_PATH, "utf-8"));
+		if (data.accessToken && data.refreshToken && data.serverUrl) return data;
+		return null;
+	} catch {
+		return null;
+	}
 }
 /**
 * Check if an agent exists and is synced.
@@ -589,5 +672,22 @@ async function checkBootstrapStatus(serverUrl, agentName) {
 	}
 	return await res.json();
 }
+/**
+* Write agent config (token + runtime) to disk.
+* Used by `agent create`, `agent add`, bootstrap, and server-pushed provisioning.
+*/
+function saveAgentConfig(agentName, token, runtime) {
+	const agentDir = join(DEFAULT_CONFIG_DIR, "agents", agentName);
+	mkdirSync(agentDir, {
+		recursive: true,
+		mode: 448
+	});
+	writeFileSync(join(agentDir, "agent.yaml"), `token: "${token}"\nruntime: ${runtime}\n`, { mode: 384 });
+	return agentDir;
+}
+/** Mask a token for display: show first 6 + last 2 chars. */
+function maskToken(token) {
+	return token.length > 8 ? `${token.slice(0, 6)}***${token.slice(-2)}` : "***";
+}
 //#endregion
-export { setConfigValue as S, readConfigFile as _, getGitHubUsername as a, resolveConfigReadonly as b, DEFAULT_CONFIG_DIR as c, agentConfigSchema as d, clientConfigSchema as f, loadAgents as g, initConfig as h, getGitHubToken as i, DEFAULT_DATA_DIR as l, getConfigValue as m, bootstrap_exports as n, resolveAgentToken as o, collectMissingPrompts as p, checkBootstrapStatus as r, resolveServerUrl as s, bootstrapToken as t, DEFAULT_HOME_DIR as u, resetConfig as v, serverConfigSchema as x, resetConfigMeta as y };
+export { resetConfig as C, setConfigValue as D, serverConfigSchema as E, readConfigFile as S, resolveConfigReadonly as T, clientConfigSchema as _, getGitHubToken as a, initConfig as b, maskToken as c, saveAgentConfig as d, saveCredentials as f, agentConfigSchema as g, DEFAULT_HOME_DIR as h, ensureFreshAdminToken as i, resolveAgentToken as l, DEFAULT_DATA_DIR as m, bootstrap_exports as n, getGitHubUsername as o, DEFAULT_CONFIG_DIR as p, checkBootstrapStatus as r, loadAgentTokenByName as s, bootstrapToken as t, resolveServerUrl as u, collectMissingPrompts as v, resetConfigMeta as w, loadAgents as x, getConfigValue as y };