@agent-team-foundation/first-tree-hub 0.6.0 → 0.6.1

package/dist/{core-B9bH7EjM.mjs → core-Dt3yNBTm.mjs}

@@ -1,4 +1,4 @@
-import { E as setConfigValue, T as serverConfigSchema, _ as collectMissingPrompts, b as loadAgents, f as DEFAULT_CONFIG_DIR, g as clientConfigSchema, h as agentConfigSchema, l as resolveServerUrl, m as DEFAULT_HOME_DIR$1, o as getGitHubUsername, p as DEFAULT_DATA_DIR$1, t as bootstrapToken$1, u as saveAgentConfig, w as resolveConfigReadonly, y as initConfig } from "./bootstrap-BnlTKa0H.mjs";
+import { D as setConfigValue, E as serverConfigSchema, T as resolveConfigReadonly, _ as clientConfigSchema, b as initConfig, d as saveAgentConfig, g as agentConfigSchema, h as DEFAULT_HOME_DIR$1, m as DEFAULT_DATA_DIR$1, o as getGitHubUsername, p as DEFAULT_CONFIG_DIR, t as bootstrapToken$1, u as resolveServerUrl, v as collectMissingPrompts, x as loadAgents } from "./bootstrap-Dq_k_6ZD.mjs";
 import { copyFileSync, existsSync, mkdirSync, readFileSync, readdirSync, renameSync, rmSync, statSync, watch, writeFileSync } from "node:fs";
 import { dirname, join, resolve } from "node:path";
 import { ZodError, z } from "zod";
@@ -10,7 +10,7 @@ import WebSocket from "ws";
 import { query } from "@anthropic-ai/claude-agent-sdk";
 import { execFileSync, execSync } from "node:child_process";
 import bcrypt from "bcrypt";
-import { and, count, desc, eq, gt, inArray, isNotNull, isNull, lt, ne, sql } from "drizzle-orm";
+import { and, count, desc, eq, gt, inArray, isNotNull, isNull, lt, ne, or, sql } from "drizzle-orm";
 import { drizzle } from "drizzle-orm/postgres-js";
 import postgres from "postgres";
 import { fileURLToPath } from "node:url";
@@ -816,7 +816,7 @@ You are running inside **Agent Hub**, a messaging platform for agent teams.
 - Each message includes a \`[From: sender-id]\` header so you know who sent it
 - **Your final text response is automatically delivered** to the chat — just respond normally
 - For **proactive communication** (sending to other agents, other chats, or structured data),
-  use the curl API endpoints below
+  use the \`first-tree-hub\` CLI below
 - **Use your judgment about when to respond.** Not every message requires a reply.
   Your role and responsibilities (defined in your profile above) guide your behavior
 
@@ -831,23 +831,30 @@ These are injected automatically when the agent process starts:
 | \`FIRST_TREE_HUB_CHAT_ID\` | Current chat context ID |
 | \`FIRST_TREE_HUB_AGENT_ID\` | Your agent ID |
 
+The \`first-tree-hub\` CLI reads these automatically — no extra setup needed.
+
 ## Sending Messages
 
-Use curl or any HTTP client with the bearer token:
+Use the \`first-tree-hub agent send\` CLI:
 
 \`\`\`bash
-# Reply in current chat
-curl -X POST "$FIRST_TREE_HUB_SERVER_URL/api/v1/agent/chats/$FIRST_TREE_HUB_CHAT_ID/messages" \\
-  -H "Authorization: Bearer $FIRST_TREE_HUB_AGENT_TOKEN" \\
-  -H "Content-Type: application/json" \\
-  -d '{"format": "text", "content": "your message"}'
+# Send to another agent (target = agent ID)
+first-tree-hub agent send <agentId> "your message"
+
+# Send to a chat (target = chat ID)
+first-tree-hub agent send --chat <chatId> "your message"
+
+# Send markdown (default format is text)
+first-tree-hub agent send <agentId> -f markdown "**bold** message"
 
-# Send to another agent directly
-curl -X POST "$FIRST_TREE_HUB_SERVER_URL/api/v1/agent/agents/{agentId}/messages" \\
-  -H "Authorization: Bearer $FIRST_TREE_HUB_AGENT_TOKEN" \\
-  -H "Content-Type: application/json" \\
-  -d '{"format": "text", "content": "your message"}'
+# Reply to a specific message
+first-tree-hub agent send <agentId> --reply-to <messageId> "reply content"
+
+# Pipe long content via stdin (recommended for special characters)
+echo "long message body" | first-tree-hub agent send <agentId>
 \`\`\`
+
+For content with quotes, \`$\`, backticks, or newlines, prefer stdin to avoid shell escaping issues.
 `;
 }
 /**
@@ -2710,7 +2717,7 @@ async function onboardCheck(args) {
 			key: "server",
 			label: "Server URL",
 			status: "missing_required",
-			hint: "Provide via --server, FIRST_TREE_HUB_SERVER, or config"
+			hint: "Provide via --server, FIRST_TREE_HUB_SERVER_URL, or config"
 		});
 	}
 	if (args.id) items.push({
@@ -3052,6 +3059,11 @@ const agentTypeSchema = z.enum([
 	"personal_assistant",
 	"autonomous_agent"
 ]);
+const AGENT_VISIBILITY = {
+	PRIVATE: "private",
+	ORGANIZATION: "organization"
+};
+const agentVisibilitySchema = z.enum(["private", "organization"]);
 const AGENT_STATUSES = {
 	ACTIVE: "active",
 	SUSPENDED: "suspended",
@@ -3076,7 +3088,7 @@ const createAgentSchema = z.object({
 	profile: z.string().optional(),
 	organizationId: z.string().max(100).optional(),
 	source: agentSourceSchema.optional(),
-	public: z.boolean().default(false).optional(),
+	visibility: agentVisibilitySchema.optional(),
 	metadata: z.record(z.string(), z.unknown()).optional(),
 	managerId: z.string().optional()
 });
@@ -3085,6 +3097,7 @@ const updateAgentSchema = z.object({
 	displayName: z.string().max(200).nullable().optional(),
 	delegateMention: z.string().max(100).nullable().optional(),
 	profile: z.string().nullable().optional(),
+	visibility: agentVisibilitySchema.optional(),
 	metadata: z.record(z.string(), z.unknown()).optional()
 });
 z.object({
@@ -3099,7 +3112,7 @@ z.object({
 	status: z.string(),
 	source: z.string().nullable().optional(),
 	cloudUserId: z.string().nullable().optional(),
-	public: z.boolean().optional(),
+	visibility: agentVisibilitySchema,
 	metadata: z.record(z.string(), z.unknown()),
 	managerId: z.string().nullable(),
 	presenceStatus: presenceStatusSchema.optional(),
@@ -3536,7 +3549,7 @@ z.object({
 	password: z.string().min(8).max(200).optional()
 });
 //#endregion
-//#region ../server/dist/app-BiwJFSON.mjs
+//#region ../server/dist/app-DjL7uA1H.mjs
 var __defProp = Object.defineProperty;
 var __exportAll = (all, no_symbols) => {
 	let target = {};
@@ -3571,7 +3584,7 @@ const agents = pgTable("agents", {
 	status: text("status").notNull().default("active"),
 	source: text("source"),
 	cloudUserId: text("cloud_user_id"),
-	public: boolean("public").notNull().default(false),
+	visibility: text("visibility").notNull().default("private"),
 	metadata: jsonb("metadata").$type().notNull().default({}),
 	managerId: text("manager_id"),
 	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
@@ -3579,6 +3592,7 @@ const agents = pgTable("agents", {
 }, (table) => [
 	index("idx_agents_org").on(table.organizationId),
 	index("idx_agents_manager").on(table.managerId),
+	index("idx_agents_visibility_org").on(table.organizationId, table.visibility),
 	unique("uq_agents_org_name").on(table.organizationId, table.name)
 ]);
 /** Maps external user identities to internal Agents. */
@@ -3649,6 +3663,96 @@ const chatParticipants = pgTable("chat_participants", {
 	mode: text("mode").notNull().default("full"),
 	joinedAt: timestamp("joined_at", { withTimezone: true }).notNull().defaultNow()
 }, (table) => [primaryKey({ columns: [table.chatId, table.agentId] }), index("idx_participants_agent").on(table.agentId)]);
+function requireAgent(request) {
+	const agent = request.agent;
+	if (!agent) throw new UnauthorizedError("Agent authentication required");
+	return agent;
+}
+function requireMember(request) {
+	const member = request.member;
+	if (!member) throw new UnauthorizedError("Member authentication required");
+	return member;
+}
+/**
+* Centralized access control for member-facing APIs.
+*
+* Three independent decisions:
+*   1. assertAgentVisible  — can this member see this agent?
+*   2. assertChatAccess    — can this member access this chat?
+*   3. assertCanManage     — can this member manage (configure/delete) this agent?
+*
+* Plus a SQL condition builder for list queries:
+*   agentVisibilityCondition — WHERE clause for "agents visible to this member"
+*
+* Rules:
+*   - Visibility is role-independent: admin sees the same agents as member.
+*     Admin privilege is expressed through manageability, not visibility.
+*     This means an admin cannot see private agents they don't manage —
+*     this is intentional and matches the design principle
+*     "roster is transparent, workspace is private".
+*   - Manageability distinguishes roles: admin can manage all, member only their own.
+*   - All conditions include organizationId scoping to prevent cross-org access.
+*/
+/** Extract MemberScope from an authenticated request. Single definition, used by all routes. */
+function memberScope(request) {
+	const m = requireMember(request);
+	return {
+		memberId: m.memberId,
+		humanAgentId: m.agentId,
+		organizationId: m.organizationId,
+		role: m.role
+	};
+}
+/**
+* SQL WHERE conditions for agents visible to a member.
+* Visibility is the same for all roles:
+*   same org + not deleted + (organization-visible OR managerId = self)
+*/
+function agentVisibilityCondition(scope) {
+	return and(eq(agents.organizationId, scope.organizationId), ne(agents.status, AGENT_STATUSES.DELETED), or(eq(agents.visibility, AGENT_VISIBILITY.ORGANIZATION), eq(agents.managerId, scope.memberId)));
+}
+/**
+* Assert a single agent is visible to the member.
+* Single query — returns 404 for both "not found" and "not visible"
+* to prevent UUID enumeration.
+*/
+async function assertAgentVisible(db, scope, agentUuid) {
+	const [row] = await db.select({ uuid: agents.uuid }).from(agents).where(and(eq(agents.uuid, agentUuid), agentVisibilityCondition(scope))).limit(1);
+	if (!row) throw new NotFoundError(`Agent "${agentUuid}" not found`);
+}
+/**
+* Assert the member can access a chat (read detail, read messages).
+* Verifies chat exists (404 if not), then checks:
+*   - The member's human agent is a participant, OR
+*   - Any agent managed by this member is a participant (supervision)
+* Returns 404 for inaccessible chats to prevent enumeration.
+*/
+async function assertChatAccess(db, scope, chatId) {
+	const [chat] = await db.select({ id: chats.id }).from(chats).where(eq(chats.id, chatId)).limit(1);
+	if (!chat) throw new NotFoundError(`Chat "${chatId}" not found`);
+	const [direct] = await db.select({ chatId: chatParticipants.chatId }).from(chatParticipants).where(and(eq(chatParticipants.chatId, chatId), eq(chatParticipants.agentId, scope.humanAgentId))).limit(1);
+	if (direct) return;
+	const participantRows = await db.select({ agentId: chatParticipants.agentId }).from(chatParticipants).where(eq(chatParticipants.chatId, chatId));
+	if (participantRows.length === 0) throw new NotFoundError(`Chat "${chatId}" not found`);
+	const participantIds = participantRows.map((p) => p.agentId);
+	const [managed] = await db.select({ uuid: agents.uuid }).from(agents).where(and(inArray(agents.uuid, participantIds), eq(agents.managerId, scope.memberId))).limit(1);
+	if (!managed) throw new NotFoundError(`Chat "${chatId}" not found`);
+}
+/**
+* Assert the member can manage (update/delete/token/suspend) an agent.
+* Admin can manage all agents in their org. Non-admin can only manage agents where managerId = self.
+* Always verifies the agent exists and belongs to the same org (throws 404 if not).
+*/
+async function assertCanManage(db, scope, agentUuid) {
+	const [agent] = await db.select({
+		uuid: agents.uuid,
+		managerId: agents.managerId,
+		organizationId: agents.organizationId
+	}).from(agents).where(and(eq(agents.uuid, agentUuid), ne(agents.status, AGENT_STATUSES.DELETED))).limit(1);
+	if (!agent || agent.organizationId !== scope.organizationId) throw new NotFoundError(`Agent "${agentUuid}" not found`);
+	if (scope.role === "admin") return;
+	if (agent.managerId !== scope.memberId) throw new NotFoundError(`Agent "${agentUuid}" not found`);
+}
 /**
 * Maps internal Chats to external IM platform channels.
 * NOTE: The unique constraint uses COALESCE(thread_id, '') which cannot be
@@ -3960,6 +4064,8 @@ async function adminAdapterMappingRoutes(app) {
 	});
 	app.post("/", async (request, reply) => {
 		const body = createAdapterMappingSchema.parse(request.body);
+		const scope = memberScope(request);
+		await assertCanManage(app.db, scope, body.agentId);
 		const [agent] = await app.db.select({
 			id: agents.uuid,
 			type: agents.type,
@@ -3986,8 +4092,11 @@ async function adminAdapterMappingRoutes(app) {
 	});
 	app.delete("/:id", async (request, reply) => {
 		const id = parseId$1(request.params.id);
-		const [row] = await app.db.delete(adapterAgentMappings).where(eq(adapterAgentMappings.id, id)).returning();
-		if (!row) throw new NotFoundError(`Adapter mapping "${id}" not found`);
+		const [existing] = await app.db.select().from(adapterAgentMappings).where(eq(adapterAgentMappings.id, id)).limit(1);
+		if (!existing) throw new NotFoundError(`Adapter mapping "${id}" not found`);
+		const scope = memberScope(request);
+		await assertCanManage(app.db, scope, existing.agentId);
+		await app.db.delete(adapterAgentMappings).where(eq(adapterAgentMappings.id, id));
 		return reply.status(204).send();
 	});
 }
@@ -4139,6 +4248,8 @@ async function adminAdapterRoutes(app) {
 	});
 	app.post("/", async (request, reply) => {
 		const body = createAdapterConfigSchema.parse(request.body);
+		const scope = memberScope(request);
+		await assertCanManage(app.db, scope, body.agentId);
 		const config = await createAdapterConfig(app.db, body, app.config.secrets.encryptionKey);
 		app.adapterManager.reload().catch((err) => app.log.error(err, "Adapter reload failed after create"));
 		app.notifier.notifyConfigChange("adapter_configs").catch(() => {});
@@ -4160,6 +4271,9 @@ async function adminAdapterRoutes(app) {
 	app.patch("/:id", async (request) => {
 		const body = updateAdapterConfigSchema.parse(request.body);
 		const id = parseId(request.params.id);
+		const scope = memberScope(request);
+		const existing = await getAdapterConfig(app.db, id);
+		await assertCanManage(app.db, scope, existing.agentId);
 		const config = await updateAdapterConfig(app.db, id, body, app.config.secrets.encryptionKey);
 		app.adapterManager.reload().catch((err) => app.log.error(err, "Adapter reload failed after update"));
 		app.notifier.notifyConfigChange("adapter_configs").catch(() => {});
@@ -4171,22 +4285,15 @@ async function adminAdapterRoutes(app) {
 	});
 	app.delete("/:id", async (request, reply) => {
 		const id = parseId(request.params.id);
+		const scope = memberScope(request);
+		const existing = await getAdapterConfig(app.db, id);
+		await assertCanManage(app.db, scope, existing.agentId);
 		await deleteAdapterConfig(app.db, id);
 		app.adapterManager.reload().catch((err) => app.log.error(err, "Adapter reload failed after delete"));
 		app.notifier.notifyConfigChange("adapter_configs").catch(() => {});
 		return reply.status(204).send();
 	});
 }
-function requireAgent(request) {
-	const agent = request.agent;
-	if (!agent) throw new UnauthorizedError("Agent authentication required");
-	return agent;
-}
-function requireMember(request) {
-	const member = request.member;
-	if (!member) throw new UnauthorizedError("Member authentication required");
-	return member;
-}
 /** Client connections. A client is a single SDK process (AgentRuntime) that may host multiple agents. */
 const clients = pgTable("clients", {
 	id: text("id").primaryKey(),
@@ -4240,6 +4347,15 @@ function serializeDate(d) {
 * real account.
 */
 const RESERVED_AGENT_NAME_PREFIX = "__";
+/** Default visibility per agent type. */
+function defaultVisibility(type) {
+	switch (type) {
+		case "human":
+		case "autonomous_agent": return AGENT_VISIBILITY.ORGANIZATION;
+		case "personal_assistant": return AGENT_VISIBILITY.PRIVATE;
+		default: return AGENT_VISIBILITY.PRIVATE;
+	}
+}
 async function createAgent(db, data) {
 	const uuid = uuidv7();
 	const name = data.name ?? null;
@@ -4261,7 +4377,7 @@ async function createAgent(db, data) {
 			profile: data.profile ?? null,
 			inboxId,
 			source: data.source ?? null,
-			public: data.public ?? false,
+			visibility: data.visibility ?? defaultVisibility(data.type),
 			metadata: data.metadata ?? {},
 			managerId: data.managerId ?? null
 		}).returning();
@@ -4282,8 +4398,12 @@ async function getAgentByName(db, orgId, name) {
 	if (!agent) throw new NotFoundError(`Agent "${name}" not found in organization "${orgId}"`);
 	return agent;
 }
-async function listAgents(db, orgId, limit, cursor, type) {
-	const conditions = [ne(agents.status, AGENT_STATUSES.DELETED), eq(agents.organizationId, orgId)];
+/**
+* List agents visible to a specific member.
+* Uses agentVisibilityCondition from access-control (same rules for all roles).
+*/
+async function listAgentsForMember(db, scope, limit, cursor, type) {
+	const conditions = [agentVisibilityCondition(scope)];
 	if (cursor) conditions.push(lt(agents.createdAt, new Date(cursor)));
 	if (type) conditions.push(eq(agents.type, type));
 	const where = and(...conditions);
@@ -4298,7 +4418,7 @@ async function listAgents(db, orgId, limit, cursor, type) {
 		inboxId: agents.inboxId,
 		status: agents.status,
 		cloudUserId: agents.cloudUserId,
-		public: agents.public,
+		visibility: agents.visibility,
 		metadata: agents.metadata,
 		managerId: agents.managerId,
 		createdAt: agents.createdAt,
@@ -4324,6 +4444,7 @@ async function updateAgent(db, uuid, data) {
 	if (data.displayName !== void 0) updates.displayName = data.displayName;
 	if (data.delegateMention !== void 0) updates.delegateMention = data.delegateMention;
 	if (data.profile !== void 0) updates.profile = data.profile;
+	if (data.visibility !== void 0) updates.visibility = data.visibility;
 	if (data.metadata !== void 0) updates.metadata = data.metadata;
 	const [updated] = await db.update(agents).set(updates).where(eq(agents.uuid, agent.uuid)).returning();
 	if (!updated) throw new Error("Unexpected: UPDATE RETURNING produced no row");
@@ -4563,6 +4684,111 @@ async function removeParticipant(db, chatId, requesterId, targetAgentId) {
 	if (!removed) throw new NotFoundError(`Agent "${targetAgentId}" is not a participant of this chat`);
 	return db.select().from(chatParticipants).where(eq(chatParticipants.chatId, chatId));
 }
+/**
+* List chats visible to a member, grouped by agent.
+* A member sees chats where:
+*   1. Their human agent is a participant, OR
+*   2. Any agent they manage (managerId = memberId) is a participant (supervision)
+*/
+async function listChatsForMember(db, memberId, humanAgentId) {
+	const managedAgents = await db.select({
+		uuid: agents.uuid,
+		name: agents.name,
+		type: agents.type,
+		displayName: agents.displayName
+	}).from(agents).where(eq(agents.managerId, memberId));
+	const agentMap = /* @__PURE__ */ new Map();
+	for (const a of managedAgents) agentMap.set(a.uuid, a);
+	if (!agentMap.has(humanAgentId)) {
+		const [ha] = await db.select({
+			uuid: agents.uuid,
+			name: agents.name,
+			type: agents.type,
+			displayName: agents.displayName
+		}).from(agents).where(eq(agents.uuid, humanAgentId)).limit(1);
+		if (ha) agentMap.set(ha.uuid, ha);
+	}
+	const agentIds = [...agentMap.keys()];
+	if (agentIds.length === 0) return [];
+	const participations = await db.select({
+		chatId: chatParticipants.chatId,
+		agentId: chatParticipants.agentId,
+		role: chatParticipants.role,
+		mode: chatParticipants.mode
+	}).from(chatParticipants).where(inArray(chatParticipants.agentId, agentIds));
+	if (participations.length === 0) return [];
+	const chatIds = [...new Set(participations.map((p) => p.chatId))];
+	const agentChatMap = /* @__PURE__ */ new Map();
+	for (const p of participations) {
+		const list = agentChatMap.get(p.agentId) ?? [];
+		list.push(p.chatId);
+		agentChatMap.set(p.agentId, list);
+	}
+	const chatRows = await db.select({
+		id: chats.id,
+		type: chats.type,
+		topic: chats.topic,
+		metadata: chats.metadata,
+		createdAt: chats.createdAt,
+		updatedAt: chats.updatedAt,
+		participantCount: sql`(SELECT count(*)::int FROM chat_participants WHERE chat_id = ${chats.id})`
+	}).from(chats).where(inArray(chats.id, chatIds)).orderBy(desc(chats.updatedAt));
+	const chatMap = new Map(chatRows.map((c) => [c.id, c]));
+	const humanParticipantChatIds = new Set(participations.filter((p) => p.agentId === humanAgentId).map((p) => p.chatId));
+	const result = [];
+	for (const [agentId, agentChatIds] of agentChatMap) {
+		const agentInfo = agentMap.get(agentId);
+		if (!agentInfo) continue;
+		const agentChats = agentChatIds.map((chatId) => {
+			const chat = chatMap.get(chatId);
+			if (!chat) return null;
+			const isSupervisionOnly = agentId !== humanAgentId && !humanParticipantChatIds.has(chatId);
+			return {
+				id: chat.id,
+				type: chat.type,
+				topic: chat.topic,
+				participantCount: chat.participantCount,
+				isSupervisionOnly,
+				createdAt: chat.createdAt.toISOString(),
+				updatedAt: chat.updatedAt.toISOString()
+			};
+		}).filter((c) => c !== null);
+		if (agentChats.length > 0) result.push({
+			agent: agentInfo,
+			chats: agentChats
+		});
+	}
+	return result;
+}
+/**
+* Manager joins a chat. Adds their human agent as a participant.
+* Requires the member to have supervision rights (manages at least one existing participant).
+*/
+async function joinChat(db, chatId, memberId, humanAgentId) {
+	const chat = await getChat(db, chatId);
+	const participantAgentIds = (await db.select().from(chatParticipants).where(eq(chatParticipants.chatId, chatId))).map((p) => p.agentId);
+	if (participantAgentIds.length === 0) throw new NotFoundError("Chat has no participants");
+	if (participantAgentIds.includes(humanAgentId)) throw new ConflictError("Already a participant in this chat");
+	if ((await db.select({ uuid: agents.uuid }).from(agents).where(and(inArray(agents.uuid, participantAgentIds), eq(agents.managerId, memberId)))).length === 0) throw new ForbiddenError("You can only join chats where you manage at least one participant");
+	const [humanAgent] = await db.select({ organizationId: agents.organizationId }).from(agents).where(eq(agents.uuid, humanAgentId)).limit(1);
+	if (!humanAgent || humanAgent.organizationId !== chat.organizationId) throw new BadRequestError("Agent does not belong to the same organization as the chat");
+	await db.insert(chatParticipants).values({
+		chatId,
+		agentId: humanAgentId,
+		role: "member",
+		mode: "full"
+	});
+	return db.select().from(chatParticipants).where(eq(chatParticipants.chatId, chatId));
+}
+/**
+* Manager leaves a chat. Removes their human agent from participants.
+* Only allowed if the human agent is a participant.
+*/
+async function leaveChat(db, chatId, humanAgentId) {
+	const [removed] = await db.delete(chatParticipants).where(and(eq(chatParticipants.chatId, chatId), eq(chatParticipants.agentId, humanAgentId))).returning();
+	if (!removed) throw new NotFoundError("Not a participant of this chat");
+	return db.select().from(chatParticipants).where(eq(chatParticipants.chatId, chatId));
+}
 async function findOrCreateDirectChat(db, agentAId, agentBId) {
 	const aChats = await db.select({ chatId: chatParticipants.chatId }).from(chatParticipants).where(eq(chatParticipants.agentId, agentAId));
 	const bChats = await db.select({ chatId: chatParticipants.chatId }).from(chatParticipants).where(eq(chatParticipants.agentId, agentBId));
@@ -5154,11 +5380,8 @@ async function adminAgentRoutes(app) {
 	app.get("/", async (request) => {
 		const query = paginationQuerySchema.parse(request.query);
 		const { type } = listAgentsFilterSchema.parse(request.query);
-		const orgParam = request.query.org;
-		let org;
-		if (orgParam) org = (await resolveOrganization(app.db, orgParam)).id;
-		else org = await resolveDefaultOrgId(app.db);
-		const result = await listAgents(app.db, org, query.limit, query.cursor, type);
+		const scope = memberScope(request);
+		const result = await listAgentsForMember(app.db, scope, query.limit, query.cursor, type);
 		return {
 			items: result.items.map((a) => ({
 				...a,
@@ -5175,8 +5398,9 @@ async function adminAgentRoutes(app) {
 		};
 	});
 	app.post("/", async (request, reply) => {
+		const scope = memberScope(request);
 		const body = createAgentSchema.parse(request.body);
-		const managerId = request.member?.role === "admin" ? body.managerId ?? request.member.memberId : request.member?.memberId;
+		const managerId = scope.role === "admin" ? body.managerId ?? scope.memberId : scope.memberId;
 		const agent = await createAgent(app.db, {
 			...body,
 			source: body.source ?? "admin-api",
@@ -5189,6 +5413,8 @@ async function adminAgentRoutes(app) {
 		});
 	});
 	app.patch("/:uuid", async (request) => {
+		const scope = memberScope(request);
+		await assertCanManage(app.db, scope, request.params.uuid);
 		const body = updateAgentSchema.parse(request.body);
 		const agent = await updateAgent(app.db, request.params.uuid, body);
 		return {
@@ -5198,6 +5424,8 @@ async function adminAgentRoutes(app) {
 		};
 	});
 	app.get("/:uuid", async (request) => {
+		const scope = memberScope(request);
+		await assertAgentVisible(app.db, scope, request.params.uuid);
 		const agent = await getAgent(app.db, request.params.uuid);
 		return {
 			...agent,
@@ -5206,6 +5434,8 @@ async function adminAgentRoutes(app) {
 		};
 	});
 	app.post("/:uuid/tokens", async (request, reply) => {
+		const scope = memberScope(request);
+		await assertCanManage(app.db, scope, request.params.uuid);
 		const body = createAgentTokenSchema.parse(request.body);
 		const result = await createToken(app.db, request.params.uuid, body);
 		return reply.status(201).send({
@@ -5217,6 +5447,8 @@ async function adminAgentRoutes(app) {
 		});
 	});
 	app.get("/:uuid/tokens", async (request) => {
+		const scope = memberScope(request);
+		await assertCanManage(app.db, scope, request.params.uuid);
 		return (await listTokens(app.db, request.params.uuid)).map((t) => ({
 			...t,
 			expiresAt: serializeDate(t.expiresAt),
@@ -5226,22 +5458,25 @@ async function adminAgentRoutes(app) {
 		}));
 	});
 	app.delete("/:uuid/tokens/:tokenId", async (request, reply) => {
+		const scope = memberScope(request);
+		await assertCanManage(app.db, scope, request.params.uuid);
 		await revokeToken(app.db, request.params.uuid, request.params.tokenId);
 		return reply.status(204).send();
 	});
 	app.post("/:uuid/disconnect", async (request, reply) => {
 		const { uuid } = request.params;
-		await getAgent(app.db, uuid);
+		const scope = memberScope(request);
+		await assertCanManage(app.db, scope, uuid);
 		const wasConnected = forceDisconnect(uuid);
 		await setOffline(app.db, uuid);
 		return reply.status(200).send({ disconnected: wasConnected });
 	});
 	app.post("/:uuid/provision", async (request, reply) => {
 		const { uuid } = request.params;
-		const member = requireMember(request);
+		const scope = memberScope(request);
+		await assertCanManage(app.db, scope, uuid);
 		const body = z.object({ clientId: z.string().min(1) }).parse(request.body);
 		const agent = await getAgent(app.db, uuid);
-		if (agent.organizationId !== member.organizationId) throw new ForbiddenError("Agent does not belong to your organization");
 		if (!hasClientConnection(body.clientId)) return reply.status(409).send({ error: "Client is not connected" });
 		const tokenResult = await createToken(app.db, uuid, { name: "provision" });
 		if (!sendToClient(body.clientId, {
@@ -5256,6 +5491,8 @@ async function adminAgentRoutes(app) {
 		});
 	});
 	app.post("/:uuid/suspend", async (request) => {
+		const scope = memberScope(request);
+		await assertCanManage(app.db, scope, request.params.uuid);
 		const agent = await suspendAgent(app.db, request.params.uuid);
 		return {
 			...agent,
@@ -5264,6 +5501,8 @@ async function adminAgentRoutes(app) {
 		};
 	});
 	app.post("/:uuid/reactivate", async (request) => {
+		const scope = memberScope(request);
+		await assertCanManage(app.db, scope, request.params.uuid);
 		const agent = await reactivateAgent(app.db, request.params.uuid);
 		return {
 			...agent,
@@ -5272,12 +5511,16 @@ async function adminAgentRoutes(app) {
 		};
 	});
 	app.delete("/:uuid", async (request, reply) => {
+		const scope = memberScope(request);
+		await assertCanManage(app.db, scope, request.params.uuid);
 		await deleteAgent(app.db, request.params.uuid);
 		return reply.status(204).send();
 	});
 	app.post("/:uuid/test", async (request, reply) => {
 		const { uuid } = request.params;
-		const [, presence] = await Promise.all([getAgent(app.db, uuid), getPresence(app.db, uuid)]);
+		const scope = memberScope(request);
+		await assertCanManage(app.db, scope, uuid);
+		const presence = await getPresence(app.db, uuid);
 		const wsConnected = hasActiveConnection(uuid);
 		const clientId = getAgentClientId(uuid) ?? presence?.clientId ?? null;
 		const STALE_THRESHOLD_MS = 6e4;
@@ -5359,8 +5602,9 @@ async function adminAgentRoutes(app) {
 	/** POST /admin/agents/:uuid/chats — create a new workspace chat with the target agent */
 	app.post("/:uuid/chats", async (request, reply) => {
 		const { uuid: targetAgentId } = request.params;
+		const scope = memberScope(request);
+		await assertAgentVisible(app.db, scope, targetAgentId);
 		const member = requireMember(request);
-		if ((await getAgent(app.db, targetAgentId)).organizationId !== member.organizationId) throw new ForbiddenError("Agent does not belong to your organization");
 		const result = await createChat(app.db, member.agentId, {
 			type: "direct",
 			participantIds: [targetAgentId]
@@ -5379,9 +5623,74 @@ async function adminAgentRoutes(app) {
 		});
 	});
 }
+/** User accounts. Passwords are stored as bcrypt hashes. */
+const users = pgTable("users", {
+	id: text("id").primaryKey(),
+	username: text("username").unique().notNull(),
+	passwordHash: text("password_hash").notNull(),
+	displayName: text("display_name").notNull(),
+	avatarUrl: text("avatar_url"),
+	status: text("status").notNull().default("active"),
+	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
+	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow()
+});
+/** Organization membership. Links a user to an org with a role and a 1:1 human agent. */
+const members = pgTable("members", {
+	id: text("id").primaryKey(),
+	userId: text("user_id").notNull().references(() => users.id),
+	organizationId: text("organization_id").notNull().references(() => organizations.id),
+	agentId: text("agent_id").unique().notNull().references(() => agents.uuid),
+	role: text("role").notNull(),
+	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow()
+}, (table) => [
+	unique("uq_members_user_org").on(table.userId, table.organizationId),
+	index("idx_members_user").on(table.userId),
+	index("idx_members_org").on(table.organizationId)
+]);
+function memberAuthHook(db, jwtSecret) {
+	const secret = new TextEncoder().encode(jwtSecret);
+	return async (request, _reply) => {
+		const header = request.headers.authorization;
+		if (!header?.startsWith("Bearer ")) throw new UnauthorizedError("Missing or invalid Authorization header");
+		const token = header.slice(7);
+		let payload;
+		try {
+			const { payload: p } = await jwtVerify(token, secret);
+			payload = p;
+		} catch {
+			throw new UnauthorizedError("Invalid or expired token");
+		}
+		if (payload.type !== "access" || !payload.sub || !payload.memberId) throw new UnauthorizedError("Invalid token type");
+		const [user] = await db.select({
+			id: users.id,
+			status: users.status
+		}).from(users).where(eq(users.id, payload.sub)).limit(1);
+		if (!user || user.status !== "active") throw new UnauthorizedError("User not found or suspended");
+		const [member] = await db.select({
+			id: members.id,
+			organizationId: members.organizationId,
+			role: members.role,
+			agentId: members.agentId
+		}).from(members).where(eq(members.id, payload.memberId)).limit(1);
+		if (!member) throw new UnauthorizedError("Membership not found");
+		request.member = {
+			userId: user.id,
+			memberId: member.id,
+			organizationId: member.organizationId,
+			role: member.role,
+			agentId: member.agentId
+		};
+	};
+}
+/** Additional hook that requires admin role. Use after memberAuthHook. */
+function requireAdminRoleHook() {
+	return async (request, _reply) => {
+		if (request.member?.role !== "admin") throw new ForbiddenError("Admin role required");
+	};
+}
 async function adminChatRoutes(app) {
-	/** List chats with participant count */
-	app.get("/", async (request) => {
+	/** List all chats in org (admin-only, for audit). Members should use GET /mine. */
+	app.get("/", { preHandler: requireAdminRoleHook() }, async (request) => {
 		const query = paginationQuerySchema.parse(request.query);
 		const orgParam = request.query.org;
 		let orgId;
@@ -5422,11 +5731,13 @@ async function adminChatRoutes(app) {
 			nextCursor
 		};
 	});
-	/** Get chat detail with participants */
+	/** Get chat detail with participants (requires participation or supervision) */
 	app.get("/:chatId", async (request) => {
 		const { chatId } = request.params;
+		const scope = memberScope(request);
+		await assertChatAccess(app.db, scope, chatId);
 		const [chat] = await app.db.select().from(chats).where(eq(chats.id, chatId)).limit(1);
-		if (!chat) throw new BadRequestError(`Chat "${chatId}" not found`);
+		if (!chat) throw new Error("Unexpected: chat missing after access check");
 		const participants = await app.db.select().from(chatParticipants).where(eq(chatParticipants.chatId, chatId));
 		return {
 			...chat,
@@ -5440,9 +5751,11 @@ async function adminChatRoutes(app) {
 			}))
 		};
 	});
-	/** List messages in a chat with delivery status (for admin audit + read receipts) */
+	/** List messages in a chat with delivery status (requires participation or supervision) */
 	app.get("/:chatId/messages", async (request) => {
 		const { chatId } = request.params;
+		const scope = memberScope(request);
+		await assertChatAccess(app.db, scope, chatId);
 		const query = paginationQuerySchema.parse(request.query);
 		const where = query.cursor ? and(eq(messages.chatId, chatId), lt(messages.createdAt, new Date(query.cursor))) : eq(messages.chatId, chatId);
 		const rows = await app.db.select({
@@ -5488,12 +5801,51 @@ async function adminChatRoutes(app) {
 			nextCursor
 		};
 	});
-	/** POST /admin/chats/:chatId/messages — admin sends a message as their linked human agent */
+	/**
+	* GET /admin/chats/mine — member-scoped chat listing grouped by agent.
+	* Returns only chats where the member's agents participate or are supervised.
+	*/
+	app.get("/mine", async (request) => {
+		const member = requireMember(request);
+		return listChatsForMember(app.db, member.memberId, member.agentId);
+	});
+	/** POST /admin/chats/:chatId/join — manager joins a chat (adds human agent as participant) */
+	app.post("/:chatId/join", async (request, reply) => {
+		const { chatId } = request.params;
+		const member = requireMember(request);
+		const participants = await joinChat(app.db, chatId, member.memberId, member.agentId);
+		return reply.status(200).send({
+			chatId,
+			participants: participants.map((p) => ({
+				agentId: p.agentId,
+				role: p.role,
+				mode: p.mode,
+				joinedAt: p.joinedAt.toISOString()
+			}))
+		});
+	});
+	/** POST /admin/chats/:chatId/leave — manager leaves a chat (removes human agent from participants) */
+	app.post("/:chatId/leave", async (request, reply) => {
+		const { chatId } = request.params;
+		const member = requireMember(request);
+		const participants = await leaveChat(app.db, chatId, member.agentId);
+		return reply.status(200).send({
+			chatId,
+			participants: participants.map((p) => ({
+				agentId: p.agentId,
+				role: p.role,
+				mode: p.mode,
+				joinedAt: p.joinedAt.toISOString()
+			}))
+		});
+	});
+	/** POST /admin/chats/:chatId/messages — member sends a message as their linked human agent */
 	app.post("/:chatId/messages", async (request, reply) => {
 		const { chatId } = request.params;
-		const member = request.member;
-		if (!member) throw new BadRequestError("Member identity not available");
+		const scope = memberScope(request);
+		const member = requireMember(request);
 		const body = sendMessageSchema.parse(request.body);
+		await assertChatAccess(app.db, scope, chatId);
 		await ensureParticipant(app.db, chatId, member.agentId);
 		const result = await sendMessage(app.db, chatId, member.agentId, {
 			...body,
@@ -5577,8 +5929,26 @@ async function getActivityOverview(db) {
 		clients: clientCounts?.count ?? 0
 	};
 }
-async function listAgentsWithRuntime(db) {
-	return db.select().from(agentPresence).where(isNotNull(agentPresence.runtimeState));
+/**
+* List agents with active runtime state.
+* When scope is provided, filters to agents visible to the member.
+*/
+async function listAgentsWithRuntime(db, scope) {
+	if (!scope) return db.select().from(agentPresence).where(isNotNull(agentPresence.runtimeState));
+	return db.select({
+		agentId: agentPresence.agentId,
+		status: agentPresence.status,
+		instanceId: agentPresence.instanceId,
+		connectedAt: agentPresence.connectedAt,
+		lastSeenAt: agentPresence.lastSeenAt,
+		clientId: agentPresence.clientId,
+		runtimeType: agentPresence.runtimeType,
+		runtimeVersion: agentPresence.runtimeVersion,
+		runtimeState: agentPresence.runtimeState,
+		activeSessions: agentPresence.activeSessions,
+		totalSessions: agentPresence.totalSessions,
+		runtimeUpdatedAt: agentPresence.runtimeUpdatedAt
+	}).from(agentPresence).innerJoin(agents, eq(agentPresence.agentId, agents.uuid)).where(and(isNotNull(agentPresence.runtimeState), agentVisibilityCondition(scope)));
 }
 /**
 * Clean up stale session rows from agent_chat_sessions.
@@ -5634,9 +6004,10 @@ async function adminClientRoutes(app) {
 	});
 }
 async function adminActivityRoutes(app) {
-	app.get("/", async () => {
+	app.get("/", async (request) => {
+		const scope = memberScope(request);
 		const overview = await getActivityOverview(app.db);
-		const runningAgents = await listAgentsWithRuntime(app.db);
+		const runningAgents = await listAgentsWithRuntime(app.db, scope);
 		return {
 			...overview,
 			agents: runningAgents.map((a) => ({
@@ -5995,6 +6366,18 @@ async function listAllSessions(db, limit, cursor, filters) {
 	};
 }
 /**
+* Filter sessions to only those where the given agent is also a participant in the chat.
+* Used when a non-manager views sessions of an org-visible agent — they should only see
+* sessions for chats they participate in.
+*/
+async function filterSessionsByParticipant(db, sessions, participantAgentId) {
+	if (sessions.length === 0) return [];
+	const chatIds = sessions.map((s) => s.chatId);
+	const participantRows = await db.select({ chatId: chatParticipants.chatId }).from(chatParticipants).where(and(inArray(chatParticipants.chatId, chatIds), eq(chatParticipants.agentId, participantAgentId)));
+	const allowedChatIds = new Set(participantRows.map((r) => r.chatId));
+	return sessions.filter((s) => allowedChatIds.has(s.chatId));
+}
+/**
 * Session outputs — aggregated text output from agent sessions.
 * One row per (agent, chat) session. Content is appended as the agent works.
 * Cleaned up when the session is evicted.
@@ -6056,11 +6439,6 @@ const globalSessionFilterSchema = paginationQuerySchema.extend({
 	]).optional(),
 	agentId: z.string().optional()
 });
-/** Verify the agent belongs to the caller's organization. */
-async function assertAgentInOrg(app, request, agentId) {
-	const member = requireMember(request);
-	if ((await getAgent(app.db, agentId)).organizationId !== member.organizationId) throw new ForbiddenError("Agent does not belong to your organization");
-}
 async function adminSessionRoutes(app) {
 	/** GET /admin/sessions — global session list, scoped to caller's org */
 	app.get("/", async (request) => {
@@ -6072,20 +6450,25 @@ async function adminSessionRoutes(app) {
 			organizationId: member.organizationId
 		});
 	});
-	/** GET /admin/sessions/agents/:agentId — sessions for a specific agent */
+	/** GET /admin/sessions/agents/:agentId — sessions for a specific agent.
+	*  Manager sees all sessions. Non-manager sees only sessions where their human agent is also a participant. */
 	app.get("/agents/:agentId", async (request) => {
-		await assertAgentInOrg(app, request, request.params.agentId);
+		const scope = memberScope(request);
+		await assertAgentVisible(app.db, scope, request.params.agentId);
 		const filters = sessionFilterSchema.parse(request.query);
-		return listAgentSessions(app.db, request.params.agentId, filters);
+		const isManager = (await getAgent(app.db, request.params.agentId)).managerId === scope.memberId;
+		const sessions = await listAgentSessions(app.db, request.params.agentId, filters);
+		if (isManager) return sessions;
+		return filterSessionsByParticipant(app.db, sessions, scope.humanAgentId);
 	});
 	/** GET /admin/sessions/agents/:agentId/:chatId — single session detail */
 	app.get("/agents/:agentId/:chatId", async (request) => {
-		await assertAgentInOrg(app, request, request.params.agentId);
+		await assertAgentVisible(app.db, memberScope(request), request.params.agentId);
 		return getSession(app.db, request.params.agentId, request.params.chatId);
 	});
 	/** GET /admin/sessions/agents/:agentId/:chatId/output — session output text */
 	app.get("/agents/:agentId/:chatId/output", async (request) => {
-		await assertAgentInOrg(app, request, request.params.agentId);
+		await assertAgentVisible(app.db, memberScope(request), request.params.agentId);
 		return await getOutput(app.db, request.params.agentId, request.params.chatId) ?? {
 			content: "",
 			updatedAt: null
@@ -6094,7 +6477,7 @@ async function adminSessionRoutes(app) {
 	/** POST /admin/sessions/agents/:agentId/:chatId/suspend — suspend a session */
 	app.post("/agents/:agentId/:chatId/suspend", async (request, reply) => {
 		const { agentId, chatId } = request.params;
-		await assertAgentInOrg(app, request, agentId);
+		await assertCanManage(app.db, memberScope(request), agentId);
 		if (!sendToAgent$1(agentId, {
 			type: "session:suspend",
 			chatId
@@ -6109,7 +6492,7 @@ async function adminSessionRoutes(app) {
 	/** POST /admin/sessions/agents/:agentId/:chatId/resume — resume a session */
 	app.post("/agents/:agentId/:chatId/resume", async (request, reply) => {
 		const { agentId, chatId } = request.params;
-		await assertAgentInOrg(app, request, agentId);
+		await assertCanManage(app.db, memberScope(request), agentId);
 		if (!sendToAgent$1(agentId, {
 			type: "session:resume",
 			chatId
@@ -6124,7 +6507,7 @@ async function adminSessionRoutes(app) {
 	/** POST /admin/sessions/agents/:agentId/:chatId/terminate — terminate a session */
 	app.post("/agents/:agentId/:chatId/terminate", async (request, reply) => {
 		const { agentId, chatId } = request.params;
-		await assertAgentInOrg(app, request, agentId);
+		await assertCanManage(app.db, memberScope(request), agentId);
 		if (!sendToAgent$1(agentId, {
 			type: "session:terminate",
 			chatId
@@ -7408,30 +7791,6 @@ function clientWsRoutes(notifier, instanceId) {
 		});
 	};
 }
-/** User accounts. Passwords are stored as bcrypt hashes. */
-const users = pgTable("users", {
-	id: text("id").primaryKey(),
-	username: text("username").unique().notNull(),
-	passwordHash: text("password_hash").notNull(),
-	displayName: text("display_name").notNull(),
-	avatarUrl: text("avatar_url"),
-	status: text("status").notNull().default("active"),
-	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
-	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow()
-});
-/** Organization membership. Links a user to an org with a role and a 1:1 human agent. */
-const members = pgTable("members", {
-	id: text("id").primaryKey(),
-	userId: text("user_id").notNull().references(() => users.id),
-	organizationId: text("organization_id").notNull().references(() => organizations.id),
-	agentId: text("agent_id").unique().notNull().references(() => agents.uuid),
-	role: text("role").notNull(),
-	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow()
-}, (table) => [
-	unique("uq_members_user_org").on(table.userId, table.organizationId),
-	index("idx_members_user").on(table.userId),
-	index("idx_members_org").on(table.organizationId)
-]);
 const ACCESS_TOKEN_EXPIRY = "30m";
 const REFRESH_TOKEN_EXPIRY = "7d";
 const CONNECT_TOKEN_EXPIRY = "10m";
@@ -7876,36 +8235,6 @@ async function memberRoutes(app) {
 		return reply.status(204).send();
 	});
 }
-/** Public agent discovery — returns only agents with public=true. No auth required. */
-async function publicAgentRoutes(app) {
-	app.get("/", async (request) => {
-		const query = paginationQuerySchema.parse(request.query);
-		const orgParam = request.query.org;
-		const conditions = [eq(agents.public, true), eq(agents.status, "active")];
-		if (orgParam) {
-			const resolved = await resolveOrganization(app.db, orgParam);
-			conditions.push(eq(agents.organizationId, resolved.id));
-		}
-		if (query.cursor) conditions.push(lt(agents.createdAt, new Date(query.cursor)));
-		const where = and(...conditions);
-		const rows = await app.db.select({
-			uuid: agents.uuid,
-			name: agents.name,
-			organizationId: agents.organizationId,
-			type: agents.type,
-			displayName: agents.displayName,
-			profile: agents.profile,
-			createdAt: agents.createdAt
-		}).from(agents).where(where).orderBy(desc(agents.createdAt)).limit(query.limit + 1);
-		const hasMore = rows.length > query.limit;
-		const items = hasMore ? rows.slice(0, query.limit) : rows;
-		const last = items[items.length - 1];
-		return {
-			items,
-			nextCursor: hasMore && last ? last.createdAt.toISOString() : null
-		};
-	});
-}
 const GITHUB_ADAPTER_ID = "github-adapter";
 function verifySignature(secret, rawBody, signatureHeader) {
 	const expected = `sha256=${createHmac("sha256", secret).update(rawBody).digest("hex")}`;
@@ -8450,47 +8779,6 @@ function githubAuthHook() {
 		request.githubUser = { username: data.login };
 	};
 }
-function memberAuthHook(db, jwtSecret) {
-	const secret = new TextEncoder().encode(jwtSecret);
-	return async (request, _reply) => {
-		const header = request.headers.authorization;
-		if (!header?.startsWith("Bearer ")) throw new UnauthorizedError("Missing or invalid Authorization header");
-		const token = header.slice(7);
-		let payload;
-		try {
-			const { payload: p } = await jwtVerify(token, secret);
-			payload = p;
-		} catch {
-			throw new UnauthorizedError("Invalid or expired token");
-		}
-		if (payload.type !== "access" || !payload.sub || !payload.memberId) throw new UnauthorizedError("Invalid token type");
-		const [user] = await db.select({
-			id: users.id,
-			status: users.status
-		}).from(users).where(eq(users.id, payload.sub)).limit(1);
-		if (!user || user.status !== "active") throw new UnauthorizedError("User not found or suspended");
-		const [member] = await db.select({
-			id: members.id,
-			organizationId: members.organizationId,
-			role: members.role,
-			agentId: members.agentId
-		}).from(members).where(eq(members.id, payload.memberId)).limit(1);
-		if (!member) throw new UnauthorizedError("Membership not found");
-		request.member = {
-			userId: user.id,
-			memberId: member.id,
-			organizationId: member.organizationId,
-			role: member.role,
-			agentId: member.agentId
-		};
-	};
-}
-/** Additional hook that requires admin role. Use after memberAuthHook. */
-function requireAdminRoleHook() {
-	return async (request, _reply) => {
-		if (request.member?.role !== "admin") throw new ForbiddenError("Admin role required");
-	};
-}
 const PROXY_ENV_KEYS = [
 	"HTTP_PROXY",
 	"HTTPS_PROXY",
@@ -9384,7 +9672,6 @@ async function buildApp(config) {
 			adminApp.addHook("onRequest", memberAuth);
 			await adminApp.register(adminNotificationRoutes);
 		}, { prefix: "/admin/notifications" });
-		await api.register(publicAgentRoutes, { prefix: "/public/agents" });
 		await api.register(async (agentApp) => {
 			agentApp.addHook("onRequest", agentAuth);
 			await agentApp.register(agentMeRoutes);