@agent-team-foundation/first-tree-hub 0.6.1 → 0.6.3

package/dist/{bootstrap-Dq_k_6ZD.mjs → bootstrap-DNL1cEwv.mjs}

@@ -1,11 +1,10 @@
 import { t as __exportAll } from "./rolldown-runtime-twds-ZHy.mjs";
-import { chmodSync, existsSync, mkdirSync, readFileSync, readdirSync, statSync, writeFileSync } from "node:fs";
+import { existsSync, mkdirSync, readFileSync, readdirSync, statSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";
 import { z } from "zod";
 import { parse, stringify } from "yaml";
 import { randomBytes } from "node:crypto";
 import { homedir } from "node:os";
-import { execSync } from "node:child_process";
 //#region ../shared/dist/config/index.mjs
 /** Declare a config field with a Zod schema and optional metadata. */
 function field(schema, options) {
@@ -27,8 +26,17 @@ function optional(shape) {
 function defineConfig(shape) {
 	return shape;
 }
+/**
+* Agent config layout on disk: `~/.first-tree-hub/config/agents/<name>/agent.yaml`.
+*
+* After the unified-user-token milestone the local config no longer stores an
+* agent bearer; authentication comes from the user's member JWT in
+* `credentials.json`. The config just pins the agent UUID and its runtime so
+* the runtime knows which agent to act as (via `X-Agent-Id`) and which
+* handler to instantiate.
+*/
 const agentConfigSchema = defineConfig({
-	token: field(z.string(), { secret: true }),
+	agentId: field(z.string().min(1)),
 	runtime: field(z.string().default("claude-code")),
 	concurrency: field(z.number().int().positive().default(5)),
 	session: {
@@ -36,23 +44,10 @@ const agentConfigSchema = defineConfig({
 		max_sessions: field(z.number().int().positive().default(10))
 	}
 });
-let _config;
 /** Store the resolved config as a singleton. Called by initConfig(). */
-function setConfig(config) {
-	_config = config;
-}
-/**
-* Get the resolved config singleton.
-* Must be called after initConfig().
-*/
-function getConfig() {
-	if (_config === void 0) throw new Error("Config not initialized. Call initConfig() first.");
-	return _config;
-}
+function setConfig(config) {}
 /** Reset the config singleton. For testing only. */
-function resetConfig() {
-	_config = void 0;
-}
+function resetConfig() {}
 const clientConfigSchema = defineConfig({
 	server: { url: field(z.string(), {
 		env: "FIRST_TREE_HUB_SERVER_URL",
@@ -61,6 +56,10 @@ const clientConfigSchema = defineConfig({
 			default: "http://localhost:8000"
 		}
 	}) },
+	client: { id: field(z.string().regex(/^client_[a-f0-9]{8}$/), {
+		auto: "client-id",
+		env: "FIRST_TREE_HUB_CLIENT_ID"
+	}) },
 	logLevel: field(z.enum([
 		"debug",
 		"info",
@@ -68,10 +67,6 @@ const clientConfigSchema = defineConfig({
 		"error"
 	]).default("info"), { env: "FIRST_TREE_HUB_LOG_LEVEL" })
 });
-/** Typed accessor for client configuration singleton. */
-function getClientConfig() {
-	return getConfig();
-}
 const DEFAULT_HOME_DIR = process.env.FIRST_TREE_HUB_HOME ?? join(homedir(), ".first-tree-hub");
 const DEFAULT_CONFIG_DIR = join(DEFAULT_HOME_DIR, "config");
 const DEFAULT_DATA_DIR = join(DEFAULT_HOME_DIR, "data");
@@ -121,6 +116,7 @@ function coerceEnvValue(value, schema) {
 	return value;
 }
 function builtinAutoGenerate(strategy) {
+	if (strategy === "client-id") return `client_${randomBytes(4).toString("hex")}`;
 	const match = /^random:(\w+):(\d+)$/.exec(strategy);
 	if (!match) throw new Error(`Unknown auto-generation strategy: ${strategy}`);
 	const encoding = match[1];
@@ -482,137 +478,55 @@ const serverConfigSchema = defineConfig({
 //#endregion
 //#region src/core/bootstrap.ts
 var bootstrap_exports = /* @__PURE__ */ __exportAll({
-	bootstrapToken: () => bootstrapToken,
-	checkBootstrapStatus: () => checkBootstrapStatus,
+	ensureFreshAccessToken: () => ensureFreshAccessToken,
 	ensureFreshAdminToken: () => ensureFreshAdminToken,
-	getGitHubToken: () => getGitHubToken,
-	getGitHubUsername: () => getGitHubUsername,
-	loadAgentTokenByName: () => loadAgentTokenByName,
 	loadCredentials: () => loadCredentials,
-	maskToken: () => maskToken,
-	resolveAgentToken: () => resolveAgentToken,
+	resolveAccessToken: () => resolveAccessToken,
 	resolveServerUrl: () => resolveServerUrl,
 	saveAgentConfig: () => saveAgentConfig,
 	saveCredentials: () => saveCredentials
 });
 const CREDENTIALS_PATH = join(DEFAULT_CONFIG_DIR, "credentials.json");
 /**
-* Get the current GitHub username from `gh auth status`.
-*/
-function getGitHubUsername() {
-	try {
-		const output = execSync("gh api /user --jq .login", { encoding: "utf-8" }).trim();
-		if (!output) throw new Error("Empty response");
-		return output;
-	} catch {
-		throw new Error("Failed to get GitHub username. Ensure `gh` CLI is installed and authenticated:\n  gh auth login");
-	}
-}
-/**
-* Get the GitHub auth token from `gh auth token`.
-*/
-function getGitHubToken() {
-	try {
-		const output = execSync("gh auth token", { encoding: "utf-8" }).trim();
-		if (!output) throw new Error("Empty response");
-		return output;
-	} catch {
-		throw new Error("Failed to get GitHub token. Ensure `gh` CLI is installed and authenticated:\n  gh auth login");
-	}
-}
-/**
 * Resolve Hub server URL from flag, env, or config.
+*
+* Uses resolveConfigReadonly (not the singleton getClientConfig) so CLI entry
+* points don't have to remember to call initConfig() first.
 */
 function resolveServerUrl(flagValue) {
 	if (flagValue) return flagValue;
 	if (process.env.FIRST_TREE_HUB_SERVER_URL) return process.env.FIRST_TREE_HUB_SERVER_URL;
-	try {
-		const config = getClientConfig();
-		if (config.server?.url) return config.server.url;
-	} catch {}
-	throw new Error("Server URL not configured.\n  Provide via: --server <url>, FIRST_TREE_HUB_SERVER_URL env var, or\n  first-tree-hub config set -c server.url <url>");
-}
-/**
-* Bootstrap a token for an agent using GitHub identity.
-*/
-async function bootstrapToken(serverUrl, agentName, options = {}) {
-	const githubToken = getGitHubToken();
-	const body = { name: "bootstrap" };
-	if (options.type) body.type = options.type;
-	if (options.displayName) body.displayName = options.displayName;
-	if (options.delegateMention) body.delegateMention = options.delegateMention;
-	if (options.profile) body.profile = options.profile;
-	if (options.metadata) body.metadata = options.metadata;
-	const res = await fetch(`${serverUrl}/api/v1/bootstrap/${encodeURIComponent(agentName)}/token`, {
-		method: "POST",
-		headers: {
-			"X-GitHub-Token": githubToken,
-			"Content-Type": "application/json"
-		},
-		body: JSON.stringify(body)
-	});
-	if (!res.ok) {
-		const msg = (await res.json().catch(() => ({}))).error ?? `HTTP ${res.status}`;
-		throw new Error(`Bootstrap failed for "${agentName}": ${msg}`);
-	}
-	const data = await res.json();
-	const isHuman = options.type === "human";
-	if ((options.saveTo === "agent" || !options.saveTo) && !isHuman) {
-		const configDir = join(DEFAULT_CONFIG_DIR, "agents", agentName);
-		const configPath = `${configDir}/agent.yaml`;
-		mkdirSync(configDir, {
-			recursive: true,
-			mode: 448
-		});
-		writeFileSync(configPath, `token: "${data.token}"\nruntime: claude-code\n`, { mode: 384 });
-		chmodSync(configDir, 448);
-	} else if (options.saveTo && options.saveTo !== "agent") {
-		mkdirSync(dirname(options.saveTo), { recursive: true });
-		writeFileSync(options.saveTo, data.token, { mode: 384 });
-	}
-	return data;
-}
-/**
-* Load an agent's token from `~/.first-tree-hub/agents/<agentName>/agent.yaml`.
-* Returns null if the file is missing or has no token.
-*/
-function loadAgentTokenByName(agentName) {
-	const configPath = join(DEFAULT_CONFIG_DIR, "agents", agentName, "agent.yaml");
-	if (!existsSync(configPath)) return null;
-	try {
-		const raw = parse(readFileSync(configPath, "utf-8"));
-		if (typeof raw.token === "string" && raw.token.length > 0) return raw.token;
-		return null;
-	} catch {
-		return null;
+	const server = resolveConfigReadonly({
+		schema: clientConfigSchema,
+		role: "client"
+	}).server;
+	if (server !== null && typeof server === "object") {
+		const url = Reflect.get(server, "url");
+		if (typeof url === "string" && url.length > 0) return url;
 	}
+	throw new Error("Server URL not configured.\n  Provide via: --server <url>, FIRST_TREE_HUB_SERVER_URL env var, or\n  first-tree-hub config set -c server.url <url>");
 }
 /**
-* Resolve agent token with the following precedence:
-*   1. FIRST_TREE_HUB_AGENT_TOKEN env var (explicit token; runtime or manual export)
-*   2. FIRST_TREE_HUB_AGENT env var → lookup in ~/.first-tree-hub/agents/<name>/agent.yaml
-* Throws if neither is configured or the named agent has no stored token.
+* Resolve the current member access JWT from persisted credentials.
+*
+* Unified-user-token milestone: the CLI has a single credential store and a
+* single onboarding path (`first-tree-hub client connect`). The legacy
+* `FIRST_TREE_HUB_TOKEN` env var is no longer read — callers get a clear
+* error pointing at `client connect` instead.
 */
-function resolveAgentToken() {
-	const token = process.env.FIRST_TREE_HUB_AGENT_TOKEN;
-	if (token) return token;
-	const agentName = process.env.FIRST_TREE_HUB_AGENT;
-	if (agentName) {
-		const loaded = loadAgentTokenByName(agentName);
-		if (loaded) return loaded;
-		throw new Error(`Agent "${agentName}" has no token in ${join(DEFAULT_CONFIG_DIR, "agents", agentName)}/agent.yaml.\n  Verify the agent exists locally or set FIRST_TREE_HUB_AGENT_TOKEN explicitly.`);
-	}
-	throw new Error("No agent token configured.\n  Set FIRST_TREE_HUB_AGENT_TOKEN directly, or\n  set FIRST_TREE_HUB_AGENT=<agentName> to use a stored agent config.");
+function resolveAccessToken() {
+	const creds = loadCredentials();
+	if (!creds) throw new Error("No credentials found. Run `first-tree-hub client connect <server-url>` to sign in.");
+	return creds.accessToken;
 }
 /**
-* Ensure the persisted access token is fresh. Call before any admin API request
-* when using persisted credentials. Returns the (possibly refreshed) access token.
+* Ensure the persisted access token is fresh. Call before any API request
+* when using persisted credentials. Returns the (possibly refreshed) access
+* token. Service-user API keys are out of scope for this milestone.
 */
-async function ensureFreshAdminToken() {
-	const envToken = process.env.FIRST_TREE_HUB_ADMIN_TOKEN;
-	if (envToken) return envToken;
+async function ensureFreshAccessToken() {
 	const creds = loadCredentials();
-	if (!creds) throw new Error("No credentials found.\n  Run: first-tree-hub connect <server-url>\n  Or set FIRST_TREE_HUB_ADMIN_TOKEN environment variable.");
+	if (!creds) throw new Error("No credentials found. Run `first-tree-hub client connect <server-url>` to sign in.");
 	if (!isTokenExpired(creds.accessToken)) return creds.accessToken;
 	const res = await fetch(`${creds.serverUrl}/api/v1/auth/refresh`, {
 		method: "POST",
@@ -620,7 +534,7 @@ async function ensureFreshAdminToken() {
 		body: JSON.stringify({ refreshToken: creds.refreshToken }),
 		signal: AbortSignal.timeout(1e4)
 	});
-	if (!res.ok) throw new Error("Access token expired and refresh failed.\n  Run: first-tree-hub connect <server-url>");
+	if (!res.ok) throw new Error("Access token expired and refresh failed. Run `first-tree-hub client connect <server-url>`.");
 	const data = await res.json();
 	saveCredentials({
 		...creds,
@@ -628,7 +542,8 @@ async function ensureFreshAdminToken() {
 	});
 	return data.accessToken;
 }
-/** Check if a JWT access token is expired (with 30s margin). */
+/** Back-compat alias retained so existing call sites keep compiling. */
+const ensureFreshAdminToken = ensureFreshAccessToken;
 function isTokenExpired(token) {
 	try {
 		const parts = token.split(".");
@@ -649,7 +564,7 @@ function saveCredentials(creds) {
 	writeFileSync(CREDENTIALS_PATH, JSON.stringify(creds, null, 2), { mode: 384 });
 }
 /**
-* Load persisted credentials saved by `connect` command.
+* Load persisted credentials saved by the `connect` command.
 */
 function loadCredentials() {
 	try {
@@ -661,33 +576,16 @@ function loadCredentials() {
 	}
 }
 /**
-* Check if an agent exists and is synced.
-*/
-async function checkBootstrapStatus(serverUrl, agentName) {
-	const githubToken = getGitHubToken();
-	const res = await fetch(`${serverUrl}/api/v1/bootstrap/${encodeURIComponent(agentName)}/status`, { headers: { "X-GitHub-Token": githubToken } });
-	if (!res.ok) {
-		const body = await res.json().catch(() => ({}));
-		throw new Error(body.error ?? `HTTP ${res.status}`);
-	}
-	return await res.json();
-}
-/**
-* Write agent config (token + runtime) to disk.
-* Used by `agent create`, `agent add`, bootstrap, and server-pushed provisioning.
+* Write agent config (agentId + runtime) to disk.
 */
-function saveAgentConfig(agentName, token, runtime) {
+function saveAgentConfig(agentName, agentId, runtime) {
 	const agentDir = join(DEFAULT_CONFIG_DIR, "agents", agentName);
 	mkdirSync(agentDir, {
 		recursive: true,
 		mode: 448
 	});
-	writeFileSync(join(agentDir, "agent.yaml"), `token: "${token}"\nruntime: ${runtime}\n`, { mode: 384 });
+	writeFileSync(join(agentDir, "agent.yaml"), `agentId: "${agentId}"\nruntime: ${runtime}\n`, { mode: 384 });
 	return agentDir;
 }
-/** Mask a token for display: show first 6 + last 2 chars. */
-function maskToken(token) {
-	return token.length > 8 ? `${token.slice(0, 6)}***${token.slice(-2)}` : "***";
-}
 //#endregion
-export { resetConfig as C, setConfigValue as D, serverConfigSchema as E, readConfigFile as S, resolveConfigReadonly as T, clientConfigSchema as _, getGitHubToken as a, initConfig as b, maskToken as c, saveAgentConfig as d, saveCredentials as f, agentConfigSchema as g, DEFAULT_HOME_DIR as h, ensureFreshAdminToken as i, resolveAgentToken as l, DEFAULT_DATA_DIR as m, bootstrap_exports as n, getGitHubUsername as o, DEFAULT_CONFIG_DIR as p, checkBootstrapStatus as r, loadAgentTokenByName as s, bootstrapToken as t, resolveServerUrl as u, collectMissingPrompts as v, resetConfigMeta as w, loadAgents as x, getConfigValue as y };
+export { setConfigValue as C, serverConfigSchema as S, loadAgents as _, resolveAccessToken as a, resetConfigMeta as b, saveCredentials as c, DEFAULT_HOME_DIR as d, agentConfigSchema as f, initConfig as g, getConfigValue as h, loadCredentials as i, DEFAULT_CONFIG_DIR as l, collectMissingPrompts as m, ensureFreshAccessToken as n, resolveServerUrl as o, clientConfigSchema as p, ensureFreshAdminToken as r, saveAgentConfig as s, bootstrap_exports as t, DEFAULT_DATA_DIR as u, readConfigFile as v, resolveConfigReadonly as x, resetConfig as y };