@agent-team-foundation/first-tree-hub 0.6.2 → 0.7.0

package/dist/{core-RXUUKkCO.mjs → core-4nvleGlC.mjs}

@@ -1,5 +1,5 @@
-import { C as setConfigValue, S as serverConfigSchema, _ as loadAgents, d as DEFAULT_HOME_DIR$1, f as agentConfigSchema, g as initConfig, i as loadCredentials, l as DEFAULT_CONFIG_DIR, m as collectMissingPrompts, n as ensureFreshAccessToken, o as resolveServerUrl, p as clientConfigSchema, s as saveAgentConfig, u as DEFAULT_DATA_DIR$1, x as resolveConfigReadonly } from "./bootstrap-DW7aIpmE.mjs";
-import { $ as updateOrganizationSchema, A as createOrganizationSchema, B as paginationQuerySchema, C as clientRegisterSchema, D as createAgentSchema, E as createAdapterMappingSchema, F as isRedactedEnvValue, G as sendToAgentSchema, H as runtimeStateMessageSchema, I as linkTaskChatSchema, J as taskListQuerySchema, K as sessionOutputMessageSchema, L as loginSchema, M as delegateFeishuUserSchema, N as dryRunAgentRuntimeConfigSchema, O as createChatSchema, P as inboxPollQuerySchema, Q as updateMemberSchema, R as messageSourceSchema$1, S as agentTypeSchema$1, T as createAdapterConfigSchema, U as selfServiceFeishuBotSchema, V as refreshTokenSchema, W as sendMessageSchema, X as updateAgentRuntimeConfigSchema, Y as updateAdapterConfigSchema, Z as updateAgentSchema, _ as addParticipantSchema, a as AGENT_SELECTOR_HEADER$1, b as agentBindRequestSchema, c as AGENT_TYPES, d as SYSTEM_CONFIG_DEFAULTS, et as updateSystemConfigSchema, f as TASK_CREATOR_TYPES, g as WS_AUTH_FRAME_TIMEOUT_MS, h as TASK_TERMINAL_STATUSES, i as AGENT_BIND_REJECT_REASONS, j as createTaskSchema, k as createMemberSchema, l as AGENT_VISIBILITY, m as TASK_STATUSES, nt as wsAuthFrameSchema, o as AGENT_SOURCES, p as TASK_HEALTH_SIGNALS, q as sessionStateMessageSchema, s as AGENT_STATUSES, tt as updateTaskStatusSchema, u as DEFAULT_AGENT_RUNTIME_CONFIG_PAYLOAD, v as adminCreateTaskSchema, w as connectTokenExchangeSchema, x as agentRuntimeConfigPayloadSchema$1, y as adminUpdateTaskSchema, z as notificationQuerySchema } from "./feishu-BZ8pnMrQ.mjs";
+import { C as setConfigValue, S as serverConfigSchema, _ as loadAgents, d as DEFAULT_HOME_DIR$1, f as agentConfigSchema, g as initConfig, i as loadCredentials, l as DEFAULT_CONFIG_DIR, m as collectMissingPrompts, n as ensureFreshAccessToken, o as resolveServerUrl, p as clientConfigSchema, s as saveAgentConfig, u as DEFAULT_DATA_DIR$1, x as resolveConfigReadonly } from "./bootstrap-CRDR6NwE.mjs";
+import { $ as updateAgentSchema, A as createOrganizationSchema, B as paginationQuerySchema, C as clientRegisterSchema, D as createAgentSchema, E as createAdapterMappingSchema, F as isRedactedEnvValue, G as sendToAgentSchema, H as runtimeStateMessageSchema, I as linkTaskChatSchema, J as sessionEventSchema$1, K as sessionCompletionMessageSchema, L as loginSchema, M as delegateFeishuUserSchema, N as dryRunAgentRuntimeConfigSchema, O as createChatSchema, P as inboxPollQuerySchema, Q as updateAgentRuntimeConfigSchema, R as messageSourceSchema$1, S as agentTypeSchema$1, T as createAdapterConfigSchema, U as selfServiceFeishuBotSchema, V as refreshTokenSchema, W as sendMessageSchema, X as taskListQuerySchema, Y as sessionStateMessageSchema, Z as updateAdapterConfigSchema, _ as addParticipantSchema, a as AGENT_SELECTOR_HEADER$1, b as agentBindRequestSchema, c as AGENT_TYPES, d as SYSTEM_CONFIG_DEFAULTS, et as updateMemberSchema, f as TASK_CREATOR_TYPES, g as WS_AUTH_FRAME_TIMEOUT_MS, h as TASK_TERMINAL_STATUSES, i as AGENT_BIND_REJECT_REASONS, it as wsAuthFrameSchema, j as createTaskSchema, k as createMemberSchema, l as AGENT_VISIBILITY, m as TASK_STATUSES, nt as updateSystemConfigSchema, o as AGENT_SOURCES, p as TASK_HEALTH_SIGNALS, q as sessionEventMessageSchema, rt as updateTaskStatusSchema, s as AGENT_STATUSES, tt as updateOrganizationSchema, u as DEFAULT_AGENT_RUNTIME_CONFIG_PAYLOAD, v as adminCreateTaskSchema, w as connectTokenExchangeSchema, x as agentRuntimeConfigPayloadSchema$1, y as adminUpdateTaskSchema, z as notificationQuerySchema } from "./feishu-CJ08ntOD.mjs";
 import { copyFileSync, existsSync, mkdirSync, readFileSync, readdirSync, renameSync, rmSync, statSync, watch, writeFileSync } from "node:fs";
 import { dirname, join, resolve } from "node:path";
 import { ZodError, z } from "zod";
@@ -11,7 +11,7 @@ import WebSocket from "ws";
 import { query } from "@anthropic-ai/claude-agent-sdk";
 import { execFileSync, execSync, spawn } from "node:child_process";
 import bcrypt from "bcrypt";
-import { and, asc, count, desc, eq, gt, inArray, isNotNull, lt, ne, or, sql } from "drizzle-orm";
+import { and, asc, count, desc, eq, gt, inArray, isNotNull, isNull, lt, ne, or, sql } from "drizzle-orm";
 import { drizzle } from "drizzle-orm/postgres-js";
 import postgres from "postgres";
 import { fileURLToPath } from "node:url";
@@ -22,7 +22,7 @@ import rateLimit from "@fastify/rate-limit";
 import fastifyStatic from "@fastify/static";
 import websocket from "@fastify/websocket";
 import Fastify from "fastify";
-import { bigserial, boolean, index, integer, jsonb, pgTable, primaryKey, serial, text, timestamp, unique } from "drizzle-orm/pg-core";
+import { bigserial, boolean, index, integer, jsonb, pgTable, primaryKey, serial, text, timestamp, unique, uniqueIndex } from "drizzle-orm/pg-core";
 import { SignJWT, jwtVerify } from "jose";
 import { Client, EventDispatcher, LoggerLevel, WSClient } from "@larksuiteoapi/node-sdk";
 //#region ../client/dist/index.mjs
@@ -172,7 +172,7 @@ z.object({
 	visibility: agentVisibilitySchema.optional(),
 	metadata: z.record(z.string(), z.unknown()).optional(),
 	managerId: z.string().nullable().optional(),
-	clientId: z.string().optional()
+	clientId: z.string().min(1).max(100).nullable().optional()
 });
 z.object({
 	uuid: z.string(),
@@ -559,17 +559,60 @@ z.object({
 	createdAt: z.string(),
 	updatedAt: z.string()
 });
+const pulseBucketSchema = z.object({
+	workingCount: z.number().int().nonnegative(),
+	errorMask: z.boolean()
+});
+z.object({
+	type: z.literal("pulse:tick"),
+	organizationId: z.string(),
+	agents: z.record(z.string(), z.array(pulseBucketSchema).length(32))
+});
+const sessionEventKind = z.enum(["tool_call", "error"]);
+const toolCallEventPayload = z.object({
+	toolUseId: z.string(),
+	name: z.string(),
+	args: z.unknown(),
+	status: z.enum([
+		"pending",
+		"ok",
+		"error"
+	]),
+	durationMs: z.number().int().nonnegative().optional(),
+	resultPreview: z.string().max(400).optional()
+});
+const errorEventPayload = z.object({
+	source: z.enum([
+		"sdk",
+		"runtime",
+		"tool"
+	]),
+	message: z.string().max(2e3)
+});
+const sessionEventSchema = z.discriminatedUnion("kind", [z.object({
+	kind: z.literal("tool_call"),
+	payload: toolCallEventPayload
+}), z.object({
+	kind: z.literal("error"),
+	payload: errorEventPayload
+})]);
 z.object({
 	id: z.string(),
 	agentId: z.string(),
 	chatId: z.string(),
-	content: z.string(),
-	updatedAt: z.string()
+	seq: z.number().int().positive(),
+	kind: sessionEventKind,
+	payload: z.union([toolCallEventPayload, errorEventPayload]),
+	createdAt: z.string()
 });
 z.object({
 	agentId: z.string(),
 	chatId: z.string(),
-	content: z.string().max(5e4)
+	event: sessionEventSchema
+});
+z.object({
+	agentId: z.string(),
+	chatId: z.string()
 });
 const orgStatsSchema = z.object({
 	organizationId: z.string(),
@@ -941,13 +984,21 @@ var ClientConnection = class extends EventEmitter {
 			runtimeState
 		}));
 	}
-	reportSessionOutput(agentId, chatId, content) {
+	reportSessionEvent(agentId, chatId, event) {
 		if (!this.ws || this.ws.readyState !== WebSocket.OPEN) return;
 		this.ws.send(JSON.stringify({
-			type: "session:output",
+			type: "session:event",
 			agentId,
 			chatId,
-			content
+			event
+		}));
+	}
+	reportSessionCompletion(agentId, chatId) {
+		if (!this.ws || this.ws.readyState !== WebSocket.OPEN) return;
+		this.ws.send(JSON.stringify({
+			type: "session:completion",
+			agentId,
+			chatId
 		}));
 	}
 	async disconnect() {
@@ -1277,6 +1328,10 @@ defineConfig({
 			default: "http://localhost:8000"
 		}
 	}) },
+	client: { id: field(z.string().regex(/^client_[a-f0-9]{8}$/), {
+		auto: "client-id",
+		env: "FIRST_TREE_HUB_CLIENT_ID"
+	}) },
 	logLevel: field(z.enum([
 		"debug",
 		"info",
@@ -1534,6 +1589,95 @@ function cleanWorkspaces(workspaceRoot, activeChatIds, ttlMs = DEFAULT_WORKSPACE
 	return removed;
 }
 const MAX_RETRIES = 2;
+const TOOL_RESULT_PREVIEW_LIMIT = 400;
+function extractContentBlocks(message) {
+	if (!message || typeof message !== "object") return [];
+	const inner = message.message;
+	if (!inner || typeof inner !== "object") return [];
+	const content = inner.content;
+	return Array.isArray(content) ? content : [];
+}
+function isToolUseBlock(block) {
+	if (!block || typeof block !== "object") return false;
+	const b = block;
+	return b.type === "tool_use" && typeof b.id === "string" && typeof b.name === "string";
+}
+function isToolResultBlock(block) {
+	if (!block || typeof block !== "object") return false;
+	const b = block;
+	return b.type === "tool_result" && typeof b.tool_use_id === "string";
+}
+function isResultMessage(message) {
+	if (!message || typeof message !== "object") return false;
+	const m = message;
+	return m.type === "result" && typeof m.subtype === "string";
+}
+function extractToolResultText(content) {
+	if (typeof content === "string") return content;
+	if (!Array.isArray(content)) return "";
+	const parts = [];
+	for (const part of content) {
+		if (!part || typeof part !== "object") continue;
+		const p = part;
+		if (p.type === "text" && typeof p.text === "string") parts.push(p.text);
+	}
+	return parts.join("\n");
+}
+function createToolCallProcessor(emit) {
+	const pending = /* @__PURE__ */ new Map();
+	function pairResult(block) {
+		const entry = pending.get(block.tool_use_id);
+		if (!entry) return;
+		const status = block.is_error === true ? "error" : "ok";
+		const durationMs = Date.now() - entry.startedAt;
+		const previewRaw = extractToolResultText(block.content);
+		const resultPreview = previewRaw.length > 0 ? previewRaw.slice(0, TOOL_RESULT_PREVIEW_LIMIT) : void 0;
+		emit({
+			kind: "tool_call",
+			payload: {
+				toolUseId: entry.toolUseId,
+				name: entry.name,
+				args: entry.args,
+				status,
+				durationMs,
+				...resultPreview !== void 0 ? { resultPreview } : {}
+			}
+		});
+		pending.delete(block.tool_use_id);
+	}
+	return {
+		onMessage(message) {
+			if (!message || typeof message !== "object") return;
+			const type = message.type;
+			if (type === "assistant") for (const block of extractContentBlocks(message)) {
+				if (!isToolUseBlock(block)) continue;
+				pending.set(block.id, {
+					toolUseId: block.id,
+					name: block.name,
+					args: block.input,
+					startedAt: Date.now()
+				});
+			}
+			else if (type === "user") {
+				for (const block of extractContentBlocks(message)) if (isToolResultBlock(block)) pairResult(block);
+			}
+		},
+		flush() {
+			if (pending.size === 0) return;
+			for (const entry of pending.values()) emit({
+				kind: "tool_call",
+				payload: {
+					toolUseId: entry.toolUseId,
+					name: entry.name,
+					args: entry.args,
+					status: "pending",
+					durationMs: Date.now() - entry.startedAt
+				}
+			});
+			pending.clear();
+		}
+	};
+}
 /**
 * Map a payload's MCP server list to the SDK's record type. Handles all three
 * transports (stdio/http/sse) defined in the M1 schema.
@@ -1721,57 +1865,84 @@ const createClaudeCodeHandler = (config) => {
 		return true;
 	}
 	async function consumeOutput(sessionCtx) {
-		while (true) {
-			if (!currentQuery) return;
-			try {
-				sessionCtx.setRuntimeState("working");
-				for await (const message of currentQuery) {
-					sessionCtx.touch();
-					if (message.type === "result") {
-						const result = message;
-						if (result.subtype === "success") {
-							retryCount = 0;
-							if (result.result && sessionCtx.chatId) {
-								sessionCtx.appendOutput(result.result);
-								sessionCtx.sdk.sendMessage(sessionCtx.chatId, {
-									format: "text",
-									content: result.result
-								}).then(() => sessionCtx.log("Result forwarded to chat")).catch((err) => sessionCtx.log(`Failed to forward result: ${err instanceof Error ? err.message : String(err)}`));
+		const toolCallProcessor = createToolCallProcessor((event) => sessionCtx.emitEvent(event));
+		try {
+			while (true) {
+				if (!currentQuery) return;
+				try {
+					sessionCtx.setRuntimeState("working");
+					for await (const message of currentQuery) {
+						sessionCtx.touch();
+						toolCallProcessor.onMessage(message);
+						if (isResultMessage(message)) {
+							if (message.subtype === "success") {
+								retryCount = 0;
+								if (message.result && sessionCtx.chatId) {
+									const resultText = message.result;
+									sessionCtx.sdk.sendMessage(sessionCtx.chatId, {
+										format: "text",
+										content: resultText
+									}).then(() => {
+										sessionCtx.log("Result forwarded to chat");
+										sessionCtx.reportSessionCompletion();
+									}).catch((err) => {
+										const reason = err instanceof Error ? err.message : String(err);
+										sessionCtx.log(`Failed to forward result: ${reason}`);
+										const message = `Result forward failed: ${reason}\n---\n${resultText.slice(0, 1500)}`.slice(0, 2e3);
+										sessionCtx.emitEvent({
+											kind: "error",
+											payload: {
+												source: "runtime",
+												message
+											}
+										});
+									});
+								}
+							} else {
+								const errors = message.errors ? message.errors.join("; ") : message.subtype;
+								const errorLog = `Query result error: ${errors} (subtype=${message.subtype}, turns=${message.num_turns ?? "?"}, duration=${message.duration_ms ?? "?"}ms)`;
+								sessionCtx.log(errorLog);
+								sessionCtx.emitEvent({
+									kind: "error",
+									payload: {
+										source: "sdk",
+										message: errors
+									}
+								});
 							}
-						} else {
-							const errorLog = `Query result error: ${result.errors ? result.errors.join("; ") : result.subtype} (subtype=${result.subtype}, turns=${result.num_turns ?? "?"}, duration=${result.duration_ms ?? "?"}ms)`;
-							sessionCtx.log(errorLog);
-							sessionCtx.appendOutput(`[ERROR] ${errorLog}`);
+							sessionCtx.setRuntimeState("idle");
 						}
-						sessionCtx.setRuntimeState("idle");
 					}
-				}
-				sessionCtx.setRuntimeState("idle");
-				return;
-			} catch (err) {
-				const errMsg = err instanceof Error ? err.message : String(err);
-				sessionCtx.log(`Query error: ${errMsg}`);
-				if (err instanceof Error) {
-					if (err.cause) sessionCtx.log(`  cause: ${err.cause instanceof Error ? err.cause.message : String(err.cause)}`);
-					if ("exitCode" in err) sessionCtx.log(`  exitCode: ${err.exitCode}`);
-					if ("stderr" in err) sessionCtx.log(`  stderr: ${err.stderr}`);
-					if ("code" in err) sessionCtx.log(`  code: ${err.code}`);
-					if (err.stack) sessionCtx.log(`  stack: ${err.stack.split("\n").slice(1, 4).join(" | ")}`);
-				}
-				if (retryCount >= MAX_RETRIES || !claudeSessionId) {
-					sessionCtx.log("Exhausted retries, session will be suspended");
-					sessionCtx.setRuntimeState("error");
-					return;
-				}
-				retryCount++;
-				sessionCtx.log(`Attempting auto-resume (retry ${retryCount}/${MAX_RETRIES})`);
-				try {
-					respawnQuery(claudeSessionId, sessionCtx);
-				} catch (resumeErr) {
-					sessionCtx.log(`Auto-resume failed: ${resumeErr instanceof Error ? resumeErr.message : String(resumeErr)}`);
+					sessionCtx.setRuntimeState("idle");
 					return;
+				} catch (err) {
+					const errMsg = err instanceof Error ? err.message : String(err);
+					sessionCtx.log(`Query error: ${errMsg}`);
+					if (err instanceof Error) {
+						if (err.cause) sessionCtx.log(`  cause: ${err.cause instanceof Error ? err.cause.message : String(err.cause)}`);
+						if ("exitCode" in err) sessionCtx.log(`  exitCode: ${err.exitCode}`);
+						if ("stderr" in err) sessionCtx.log(`  stderr: ${err.stderr}`);
+						if ("code" in err) sessionCtx.log(`  code: ${err.code}`);
+						if (err.stack) sessionCtx.log(`  stack: ${err.stack.split("\n").slice(1, 4).join(" | ")}`);
+					}
+					if (retryCount >= MAX_RETRIES || !claudeSessionId) {
+						sessionCtx.log("Exhausted retries, session will be suspended");
+						sessionCtx.setRuntimeState("error");
+						return;
+					}
+					toolCallProcessor.flush();
+					retryCount++;
+					sessionCtx.log(`Attempting auto-resume (retry ${retryCount}/${MAX_RETRIES})`);
+					try {
+						respawnQuery(claudeSessionId, sessionCtx);
+					} catch (resumeErr) {
+						sessionCtx.log(`Auto-resume failed: ${resumeErr instanceof Error ? resumeErr.message : String(resumeErr)}`);
+						return;
+					}
 				}
 			}
+		} finally {
+			toolCallProcessor.flush();
 		}
 	}
 	const contextTreePath = config.contextTreePath ?? null;
@@ -2701,8 +2872,11 @@ var SessionManager = class {
 			setRuntimeState: (state) => {
 				this.setSessionRuntimeState(chatId, state);
 			},
-			appendOutput: (content) => {
-				this.config.onSessionOutput?.(chatId, content);
+			emitEvent: (event) => {
+				this.config.onSessionEvent?.(chatId, event);
+			},
+			reportSessionCompletion: () => {
+				this.config.onSessionCompletion?.(chatId);
 			}
 		};
 	}
@@ -2846,7 +3020,8 @@ var AgentSlot = class {
 			agentConfigCache: this.agentConfigCache,
 			onStateChange: (chatId, state) => this.reportSessionState(chatId, state),
 			onRuntimeStateChange: (state) => this.reportRuntimeState(state),
-			onSessionOutput: (chatId, content) => this.reportSessionOutput(chatId, content)
+			onSessionEvent: (chatId, event) => this.reportSessionEvent(chatId, event),
+			onSessionCompletion: (chatId) => this.reportSessionCompletion(chatId)
 		});
 		const onCommand = (cmd) => {
 			if (cmd.agentId === this.config.agentId && this.sessionManager) this.sessionManager.handleCommand(cmd.chatId, cmd.type).catch((err) => {
@@ -2880,8 +3055,11 @@ var AgentSlot = class {
 	reportRuntimeState(state) {
 		this.clientConnection.reportRuntimeState(this.config.agentId, state);
 	}
-	reportSessionOutput(chatId, content) {
-		this.clientConnection.reportSessionOutput(this.config.agentId, chatId, content);
+	reportSessionEvent(chatId, event) {
+		this.clientConnection.reportSessionEvent(this.config.agentId, chatId, event);
+	}
+	reportSessionCompletion(chatId) {
+		this.clientConnection.reportSessionCompletion(this.config.agentId, chatId);
 	}
 	fullStateSync() {
 		if (!this.sessionManager) return;
@@ -3036,10 +3214,11 @@ var ClientRuntime = class {
 	agentNames = /* @__PURE__ */ new Set();
 	watcher = null;
 	debounceTimer = null;
-	constructor(serverUrl) {
+	constructor(serverUrl, clientId) {
 		this.serverUrl = serverUrl;
 		this.connection = new ClientConnection({
 			serverUrl,
+			clientId,
 			getAccessToken: () => ensureFreshAccessToken()
 		});
 		registerBuiltinHandlers();
@@ -3655,7 +3834,7 @@ async function onboardCheck(args) {
 		key: "connect",
 		label: "Signed in",
 		status: "missing_required",
-		hint: "Run `first-tree-hub connect <server-url>` first"
+		hint: "Run `first-tree-hub client connect <server-url>` first"
 	});
 	try {
 		const serverUrl = resolveServerUrl(args.server);
@@ -3713,11 +3892,17 @@ async function onboardCheck(args) {
 		status: "missing_required",
 		hint: "Provide via --type"
 	});
-	if (args.type && args.type !== "human" && !args.clientId) items.push({
+	if (args.type && args.type !== "human") if (args.clientId) items.push({
 		key: "client",
 		label: "Target client",
-		status: "missing_required",
-		hint: "Non-human agents must pin a client via --client-id <id>"
+		status: "ok",
+		value: args.clientId
+	});
+	else items.push({
+		key: "client",
+		label: "Target client",
+		status: "ok",
+		value: "(unbound — claimed on first WS connect)"
 	});
 	return items;
 }
@@ -3788,7 +3973,7 @@ async function onboardCreate(args) {
 	}
 	const runtimeAgent = args.type === "human" ? args.assistant : args.id;
 	if (args.feishuBotAppId && args.feishuBotAppSecret) {
-		const { bindFeishuBot } = await import("./feishu-BZ8pnMrQ.mjs").then((n) => n.r);
+		const { bindFeishuBot } = await import("./feishu-CJ08ntOD.mjs").then((n) => n.r);
 		const targetAgentUuid = args.type === "human" ? assistantUuid : primary.uuid;
 		if (!targetAgentUuid) process.stderr.write(`Warning: Cannot bind Feishu bot — no runtime agent available for "${args.id}".\n`);
 		else {
@@ -3929,7 +4114,7 @@ function setNestedByDot(obj, dotPath, value) {
 	if (lastKey !== void 0) current[lastKey] = value;
 }
 //#endregion
-//#region ../server/dist/app-C7MR8S4r.mjs
+//#region ../server/dist/app-nJ9jSQtv.mjs
 var __defProp = Object.defineProperty;
 var __exportAll = (all, no_symbols) => {
 	let target = {};
@@ -4852,18 +5037,20 @@ function defaultVisibility(type) {
 /**
 * Resolve + validate the client that will own the new agent.
 *
-* Rule (unified-user-token M1):
-*   - Non-human agents MUST pin a client at creation time. The pinned client
-*     must belong to the manager's user (Rule R-RUN upstream).
-*   - Human agents represent the member themselves and have no runtime, so a
-*     missing `clientId` is allowed and the column stays NULL.
+* Rule (unified-user-token, post-first-bind relaxation):
+*   - Human agents represent the member themselves and have no runtime; a
+*     missing `clientId` is required and the column stays NULL.
+*   - Non-human agents MAY omit `clientId` at creation; the row stays NULL
+*     and is claimed on the first WS bind (see `api/agent/ws-client.ts`).
+*   - When a non-human agent IS created with a `clientId`, the pinned client
+*     must already be owned by the manager's user (Rule R-RUN).
 */
 async function resolveAgentClient(db, data) {
 	if (data.type === "human") {
 		if (data.clientId) throw new BadRequestError("Human agents cannot be pinned to a client");
 		return null;
 	}
-	if (!data.clientId) throw new BadRequestError("clientId is required — every non-human agent must be pinned to a client at creation time. Run `first-tree-hub connect` on the target machine first.");
+	if (!data.clientId) return null;
 	const [manager] = await db.select({ userId: members.userId }).from(members).where(eq(members.id, data.managerId)).limit(1);
 	if (!manager) throw new BadRequestError(`Manager "${data.managerId}" not found`);
 	const [client] = await db.select({
@@ -4871,7 +5058,7 @@ async function resolveAgentClient(db, data) {
 		userId: clients.userId
 	}).from(clients).where(eq(clients.id, data.clientId)).limit(1);
 	if (!client) throw new BadRequestError(`Client "${data.clientId}" not found`);
-	if (!client.userId) throw new BadRequestError(`Client "${data.clientId}" has not been claimed by a user yet. Have the operator run \`first-tree-hub connect\` on that machine before pinning an agent to it.`);
+	if (!client.userId) throw new BadRequestError(`Client "${data.clientId}" has not been claimed by a user yet. Have the operator run \`first-tree-hub client connect\` on that machine before pinning an agent to it.`);
 	if (client.userId !== manager.userId) throw new ForbiddenError(`Client "${data.clientId}" is not owned by the manager's user — pick a client belonging to that user.`);
 	return client.id;
 }
@@ -4973,8 +5160,11 @@ async function listAgentsForMember(db, scope, limit, cursor, type) {
 	};
 }
 async function updateAgent(db, uuid, data) {
-	if (data.clientId !== void 0) throw new BadRequestError("clientId is immutable in this milestone — delete and re-create the agent on the target client to move it");
 	const agent = await getAgent(db, uuid);
+	if (data.clientId !== void 0) {
+		if (data.clientId === null) throw new BadRequestError("clientId cannot be cleared — once bound, an agent stays bound to its client");
+		if (agent.clientId !== null && agent.clientId !== data.clientId) throw new BadRequestError("clientId is immutable once set — delete and re-create the agent on the target client to move it");
+	}
 	const updates = { updatedAt: /* @__PURE__ */ new Date() };
 	if (data.type !== void 0) updates.type = data.type;
 	if (data.displayName !== void 0) updates.displayName = data.displayName;
@@ -4991,6 +5181,14 @@ async function updateAgent(db, uuid, data) {
 		if (manager.organizationId !== agent.organizationId) throw new BadRequestError("Manager must belong to the same organization as the agent");
 		updates.managerId = data.managerId;
 	}
+	if (data.clientId !== void 0 && data.clientId !== null && agent.clientId === null) {
+		const resolvedClientId = await resolveAgentClient(db, {
+			clientId: data.clientId,
+			managerId: updates.managerId ?? agent.managerId,
+			type: agent.type
+		});
+		if (resolvedClientId !== null) updates.clientId = resolvedClientId;
+	}
 	const [updated] = await db.update(agents).set(updates).where(eq(agents.uuid, agent.uuid)).returning();
 	if (!updated) throw new Error("Unexpected: UPDATE RETURNING produced no row");
 	return updated;
@@ -5354,14 +5552,20 @@ async function unbindAgent(db, agentId) {
 		...runtimeFieldsReset(now)
 	}).where(eq(agentPresence.agentId, agentId));
 }
-/** Set runtime state directly from client-reported value. */
-async function setRuntimeState(db, agentId, runtimeState) {
+/** Set runtime state directly from client-reported value.
+*
+* When an org-scoped notifier is provided, emit a PG NOTIFY on the
+* `runtime_state_changes` channel so the pulse aggregator (and any future
+* admin-side consumers) can observe the transition. Fire-and-forget to match
+* notifier semantics elsewhere in this module. */
+async function setRuntimeState(db, agentId, runtimeState, options) {
 	const now = /* @__PURE__ */ new Date();
 	await db.update(agentPresence).set({
 		runtimeState,
 		runtimeUpdatedAt: now,
 		lastSeenAt: now
 	}).where(eq(agentPresence.agentId, agentId));
+	if (options?.notifier && options.organizationId) options.notifier.notifyRuntimeStateChange(agentId, runtimeState, options.organizationId).catch(() => {});
 }
 /** Touch agent last_seen_at on heartbeat (per-agent liveness). */
 async function touchAgent(db, agentId) {
@@ -5487,9 +5691,7 @@ async function getClient(db, clientId) {
 	return row ?? null;
 }
 async function listClients(db, userId) {
-	const conditions = [eq(clients.status, "connected")];
-	if (userId) conditions.push(eq(clients.userId, userId));
-	const rows = await db.select().from(clients).where(conditions.length === 1 ? conditions[0] : and(...conditions));
+	const rows = await db.select().from(clients).where(eq(clients.userId, userId));
 	const counts = await db.select({
 		clientId: agents.clientId,
 		count: sql`count(*)::int`
@@ -5754,13 +5956,16 @@ async function listMessages(db, chatId, limit, cursor) {
 const INBOX_CHANNEL = "inbox_notifications";
 const CONFIG_CHANNEL = "config_changes";
 const SESSION_STATE_CHANNEL = "session_state_changes";
+const RUNTIME_STATE_CHANNEL = "runtime_state_changes";
 function createNotifier(listenClient) {
 	const subscriptions = /* @__PURE__ */ new Map();
 	const configChangeHandlers = [];
 	const sessionStateChangeHandlers = [];
+	const runtimeStateChangeHandlers = [];
 	let unlistenInboxFn = null;
 	let unlistenConfigFn = null;
 	let unlistenSessionStateFn = null;
+	let unlistenRuntimeStateFn = null;
 	function handleNotification(payload) {
 		const sepIdx = payload.indexOf(":");
 		if (sepIdx === -1) return;
@@ -5801,9 +6006,14 @@ function createNotifier(listenClient) {
 				await listenClient`SELECT pg_notify(${CONFIG_CHANNEL}, ${configType})`;
 			} catch {}
 		},
-		async notifySessionStateChange(agentId, chatId, state) {
+		async notifySessionStateChange(agentId, chatId, state, organizationId) {
+			try {
+				await listenClient`SELECT pg_notify(${SESSION_STATE_CHANNEL}, ${`${agentId}:${chatId}:${state}:${organizationId}`})`;
+			} catch {}
+		},
+		async notifyRuntimeStateChange(agentId, state, organizationId) {
 			try {
-				await listenClient`SELECT pg_notify(${SESSION_STATE_CHANNEL}, ${`${agentId}:${chatId}:${state}`})`;
+				await listenClient`SELECT pg_notify(${RUNTIME_STATE_CHANNEL}, ${`${agentId}:${state}:${organizationId}`})`;
 			} catch {}
 		},
 		onConfigChange(handler) {
@@ -5812,6 +6022,9 @@ function createNotifier(listenClient) {
 		onSessionStateChange(handler) {
 			sessionStateChangeHandlers.push(handler);
 		},
+		onRuntimeStateChange(handler) {
+			runtimeStateChangeHandlers.push(handler);
+		},
 		async start() {
 			unlistenInboxFn = (await listenClient.listen(INBOX_CHANNEL, (payload) => {
 				if (payload) handleNotification(payload);
@@ -5823,14 +6036,33 @@ function createNotifier(listenClient) {
 				if (payload) {
 					const firstSep = payload.indexOf(":");
 					const secondSep = payload.indexOf(":", firstSep + 1);
-					if (firstSep > 0 && secondSep > firstSep) {
+					const thirdSep = payload.indexOf(":", secondSep + 1);
+					if (firstSep > 0 && secondSep > firstSep && thirdSep > secondSep) {
 						const agentId = payload.slice(0, firstSep);
 						const chatId = payload.slice(firstSep + 1, secondSep);
-						const state = payload.slice(secondSep + 1);
+						const state = payload.slice(secondSep + 1, thirdSep);
+						const organizationId = payload.slice(thirdSep + 1);
 						for (const handler of sessionStateChangeHandlers) handler({
 							agentId,
 							chatId,
-							state
+							state,
+							organizationId
+						});
+					}
+				}
+			})).unlisten;
+			unlistenRuntimeStateFn = (await listenClient.listen(RUNTIME_STATE_CHANNEL, (payload) => {
+				if (payload) {
+					const firstSep = payload.indexOf(":");
+					const secondSep = payload.indexOf(":", firstSep + 1);
+					if (firstSep > 0 && secondSep > firstSep) {
+						const agentId = payload.slice(0, firstSep);
+						const state = payload.slice(firstSep + 1, secondSep);
+						const organizationId = payload.slice(secondSep + 1);
+						for (const handler of runtimeStateChangeHandlers) handler({
+							agentId,
+							state,
+							organizationId
 						});
 					}
 				}
@@ -5849,6 +6081,10 @@ function createNotifier(listenClient) {
 				await unlistenSessionStateFn();
 				unlistenSessionStateFn = null;
 			}
+			if (unlistenRuntimeStateFn) {
+				await unlistenRuntimeStateFn();
+				unlistenRuntimeStateFn = null;
+			}
 		}
 	};
 }
@@ -5982,7 +6218,7 @@ async function adminAgentRoutes(app) {
 		};
 		if (health === "disconnected") return reply.status(200).send({
 			status: "offline",
-			message: "Agent is not connected. Start the client with: first-tree-hub connect <server-url>",
+			message: "Agent is not connected. Start the client with: first-tree-hub client connect <server-url>",
 			connection
 		});
 		if (health === "stale") return reply.status(200).send({
@@ -6280,8 +6516,8 @@ const agentChatSessions = pgTable("agent_chat_sessions", {
 	state: text("state").notNull(),
 	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow()
 }, (table) => [primaryKey({ columns: [table.agentId, table.chatId] })]);
-/** Upsert a session state and update materialized aggregates on agent_presence. */
-async function upsertSessionState(db, agentId, chatId, state, notifier) {
+/** Upsert a session state, refresh materialized aggregates on agent_presence, and emit org-scoped NOTIFY. */
+async function upsertSessionState(db, agentId, chatId, state, organizationId, notifier) {
 	const now = /* @__PURE__ */ new Date();
 	await db.transaction(async (tx) => {
 		await tx.insert(agentChatSessions).values({
@@ -6308,7 +6544,7 @@ async function upsertSessionState(db, agentId, chatId, state, notifier) {
 			lastSeenAt: now
 		}).where(eq(agentPresence.agentId, agentId));
 	});
-	if (notifier) notifier.notifySessionStateChange(agentId, chatId, state).catch(() => {});
+	if (notifier) notifier.notifySessionStateChange(agentId, chatId, state, organizationId).catch(() => {});
 }
 async function resetActivity(db, agentId) {
 	const now = /* @__PURE__ */ new Date();
@@ -6357,7 +6593,8 @@ async function listAgentsWithRuntime(db, scope) {
 		runtimeState: agentPresence.runtimeState,
 		activeSessions: agentPresence.activeSessions,
 		totalSessions: agentPresence.totalSessions,
-		runtimeUpdatedAt: agentPresence.runtimeUpdatedAt
+		runtimeUpdatedAt: agentPresence.runtimeUpdatedAt,
+		type: agents.type
 	}).from(agentPresence).innerJoin(agents, eq(agentPresence.agentId, agents.uuid)).where(and(isNotNull(agentPresence.runtimeState), agentVisibilityCondition(scope)));
 }
 /**
@@ -6446,7 +6683,8 @@ async function adminActivityRoutes(app) {
 				runtimeState: a.runtimeState,
 				activeSessions: a.activeSessions,
 				totalSessions: a.totalSessions,
-				runtimeUpdatedAt: a.runtimeUpdatedAt?.toISOString() ?? null
+				runtimeUpdatedAt: a.runtimeUpdatedAt?.toISOString() ?? null,
+				type: "type" in a ? a.type : null
 			}))
 		};
 	});
@@ -6475,6 +6713,16 @@ const notifications = pgTable("notifications", {
 	index("idx_notifications_agent").on(table.agentId),
 	index("idx_notifications_org_read").on(table.organizationId, table.read)
 ]);
+let registered = null;
+function registerAdminBroadcaster(fn) {
+	registered = fn;
+}
+function broadcastToAdmins(payload) {
+	if (!registered) return;
+	try {
+		registered(payload);
+	} catch {}
+}
 /** Runtime system configuration (key-value JSONB). Dynamically modifiable via Admin API; controls inbox timeout, retry count, etc. */
 const systemConfigs = pgTable("system_configs", {
 	key: text("key").primaryKey(),
@@ -6507,15 +6755,6 @@ async function updateConfigs(db, updates) {
 	});
 	return getAllConfigs(db);
 }
-/**
-* Push channels: Admin WS, Webhook, Feishu.
-* Set at app startup via `setAdminWsBroadcast` and reloaded from system_configs.
-*/
-let adminWsBroadcast = null;
-/** Register the admin WS broadcast function (called once at app startup). */
-function setAdminWsBroadcast(fn) {
-	adminWsBroadcast = fn;
-}
 /** Create a notification, persist it, and fire-and-forget push to all channels. */
 async function createNotification(db, data) {
 	const id = uuidv7();
@@ -6599,13 +6838,11 @@ async function notifyAgentEvent(db, agentId, type, severity, message, chatId) {
 	} catch {}
 }
 function pushToAdminWs(notification) {
-	if (!adminWsBroadcast) return;
-	try {
-		adminWsBroadcast({
-			type: "notification",
-			data: notification
-		});
-	} catch {}
+	broadcastToAdmins({
+		type: "notification",
+		organizationId: notification.organizationId,
+		data: notification
+	});
 }
 async function pushToWebhook(db, notification) {
 	const webhookUrl = await getConfig(db, "notification_webhook_url");
@@ -6807,46 +7044,97 @@ async function filterSessionsByParticipant(db, sessions, participantAgentId) {
 	return sessions.filter((s) => allowedChatIds.has(s.chatId));
 }
 /**
-* Session outputs — aggregated text output from agent sessions.
-* One row per (agent, chat) session. Content is appended as the agent works.
-* Cleaned up when the session is evicted.
+* Session events — structured event stream per (agent, chat) session.
+* `kind` is 'tool_call' | 'error'; the payload shape is enforced by the
+* service layer via Zod (no FK / CHECK on this table per project rule).
+*
+* `seq` is monotonic per (agent_id, chat_id). The single-writer invariant
+* in the client-side session-manager guarantees ordering; the service wraps
+* the insert in a MAX(seq)+1 retry loop to recover from restart-overlap
+* windows.
+*
+* Cleanup: rows are dropped when the session is evicted or terminated —
+* see sessionEventService.clearEvents.
 */
-const sessionOutputs = pgTable("session_outputs", {
+const sessionEvents = pgTable("session_events", {
 	id: text("id").primaryKey(),
 	agentId: text("agent_id").notNull(),
 	chatId: text("chat_id").notNull(),
-	content: text("content").notNull().default(""),
-	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow()
-}, (table) => [unique("uq_session_outputs_agent_chat").on(table.agentId, table.chatId), index("idx_session_outputs_agent_chat").on(table.agentId, table.chatId)]);
-/** Append text content to a session's output buffer. Upserts atomically via ON CONFLICT. */
-async function appendOutput(db, agentId, chatId, content) {
-	const now = /* @__PURE__ */ new Date();
-	await db.insert(sessionOutputs).values({
-		id: uuidv7(),
-		agentId,
-		chatId,
-		content,
-		updatedAt: now
-	}).onConflictDoUpdate({
-		target: [sessionOutputs.agentId, sessionOutputs.chatId],
-		set: {
-			content: sql`${sessionOutputs.content} || ${content}`,
-			updatedAt: now
-		}
-	});
+	seq: integer("seq").notNull(),
+	kind: text("kind").notNull(),
+	payload: jsonb("payload").notNull(),
+	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow()
+}, (table) => [uniqueIndex("uq_session_events_chat_seq").on(table.agentId, table.chatId, table.seq), index("idx_session_events_chat_created").on(table.agentId, table.chatId, table.createdAt.desc())]);
+const DEFAULT_LIMIT = 200;
+const MAX_LIMIT = 1e3;
+const MAX_SEQ_RETRIES = 3;
+function rowToEvent(row) {
+	return {
+		id: row.id,
+		agentId: row.agentId,
+		chatId: row.chatId,
+		seq: row.seq,
+		kind: row.kind,
+		payload: row.payload,
+		createdAt: row.createdAt.toISOString()
+	};
 }
-/** Get session output for a specific (agent, chat) pair. Returns null if no output. */
-async function getOutput(db, agentId, chatId) {
-	const [row] = await db.select({
-		content: sessionOutputs.content,
-		updatedAt: sessionOutputs.updatedAt
-	}).from(sessionOutputs).where(and(eq(sessionOutputs.agentId, agentId), eq(sessionOutputs.chatId, chatId))).limit(1);
-	if (!row) return null;
+/** Append one event; throws after MAX_SEQ_RETRIES on persistent seq contention. */
+async function appendEvent(db, agentId, chatId, event) {
+	const validated = sessionEventSchema$1.parse(event);
+	for (let attempt = 0; attempt < MAX_SEQ_RETRIES; attempt++) {
+		const id = uuidv7();
+		const payloadJson = JSON.stringify(validated.payload);
+		const row = (await db.execute(sql`
+      INSERT INTO session_events (id, agent_id, chat_id, seq, kind, payload)
+      SELECT ${id}, ${agentId}, ${chatId},
+             COALESCE(MAX(seq), 0) + 1, ${validated.kind}, ${payloadJson}::jsonb
+        FROM session_events
+       WHERE agent_id = ${agentId} AND chat_id = ${chatId}
+      ON CONFLICT (agent_id, chat_id, seq) DO NOTHING
+      RETURNING id, agent_id, chat_id, seq, kind, payload, created_at
+    `))[0];
+		if (row) return rowToEvent({
+			id: row.id,
+			agentId: row.agent_id,
+			chatId: row.chat_id,
+			seq: row.seq,
+			kind: row.kind,
+			payload: row.payload,
+			createdAt: row.created_at instanceof Date ? row.created_at : new Date(row.created_at)
+		});
+	}
+	throw new Error(`session_events seq contention on ${agentId}/${chatId}`);
+}
+/**
+* List events for a session in `seq asc` order with cursor pagination.
+* `cursor` is the last seen `seq`; pass it as-is on the next page.
+*/
+async function listEvents(db, agentId, chatId, options) {
+	const limit = Math.min(Math.max(options?.limit ?? DEFAULT_LIMIT, 1), MAX_LIMIT);
+	const conditions = [eq(sessionEvents.agentId, agentId), eq(sessionEvents.chatId, chatId)];
+	if (options?.cursor !== void 0) conditions.push(gt(sessionEvents.seq, options.cursor));
+	const rows = await db.select({
+		id: sessionEvents.id,
+		agentId: sessionEvents.agentId,
+		chatId: sessionEvents.chatId,
+		seq: sessionEvents.seq,
+		kind: sessionEvents.kind,
+		payload: sessionEvents.payload,
+		createdAt: sessionEvents.createdAt
+	}).from(sessionEvents).where(and(...conditions)).orderBy(asc(sessionEvents.seq)).limit(limit + 1);
+	const hasMore = rows.length > limit;
+	const items = (hasMore ? rows.slice(0, limit) : rows).map(rowToEvent);
+	const last = items[items.length - 1];
 	return {
-		content: row.content,
-		updatedAt: row.updatedAt.toISOString()
+		items,
+		nextCursor: hasMore && last ? last.seq : null
 	};
 }
+/** Delete all events for a session — called on eviction / termination. */
+async function clearEvents(db, agentId, chatId) {
+	await db.delete(sessionEvents).where(and(eq(sessionEvents.agentId, agentId), eq(sessionEvents.chatId, chatId)));
+}
 const sessionFilterSchema = z.object({
 	state: z.enum([
 		"active",
@@ -6892,16 +7180,22 @@ async function adminSessionRoutes(app) {
 	});
 	/** GET /admin/sessions/agents/:agentId/:chatId — single session detail */
 	app.get("/agents/:agentId/:chatId", async (request) => {
-		await assertAgentVisible(app.db, memberScope(request), request.params.agentId);
+		const scope = memberScope(request);
+		await assertAgentVisible(app.db, scope, request.params.agentId);
+		await assertChatAccess(app.db, scope, request.params.chatId);
 		return getSession(app.db, request.params.agentId, request.params.chatId);
 	});
-	/** GET /admin/sessions/agents/:agentId/:chatId/output — session output text */
-	app.get("/agents/:agentId/:chatId/output", async (request) => {
-		await assertAgentVisible(app.db, memberScope(request), request.params.agentId);
-		return await getOutput(app.db, request.params.agentId, request.params.chatId) ?? {
-			content: "",
-			updatedAt: null
-		};
+	/** GET /admin/sessions/agents/:agentId/:chatId/events — session event stream, paged by `seq` */
+	app.get("/agents/:agentId/:chatId/events", async (request) => {
+		const scope = memberScope(request);
+		await assertAgentVisible(app.db, scope, request.params.agentId);
+		await assertChatAccess(app.db, scope, request.params.chatId);
+		const limit = request.query.limit !== void 0 ? Number.parseInt(request.query.limit, 10) : void 0;
+		const cursor = request.query.cursor !== void 0 ? Number.parseInt(request.query.cursor, 10) : void 0;
+		return listEvents(app.db, request.params.agentId, request.params.chatId, {
+			limit: Number.isFinite(limit) ? limit : void 0,
+			cursor: Number.isFinite(cursor) ? cursor : void 0
+		});
 	});
 	/** POST /admin/sessions/agents/:agentId/:chatId/suspend — suspend a session */
 	app.post("/agents/:agentId/:chatId/suspend", async (request, reply) => {
@@ -7508,30 +7802,40 @@ async function adminTaskRoutes(app) {
 		return getTaskHealth(app.db, request.params.taskId);
 	});
 }
-/**
-* Admin WebSocket: real-time push channel for Dashboard, scoped by organization.
-*
-* Protocol:
-*   1. Client connects with JWT token via query param `?token=<jwt>`
-*   2. Server validates JWT, extracts organizationId, and registers the connection
-*   3. Server pushes notifications and session state changes filtered by org
-*   4. No client→server messages expected (read-only channel)
-*/
+async function loadVisibleAgentIds(db, organizationId, memberId) {
+	const rows = await db.select({ id: agents.uuid }).from(agents).where(and(eq(agents.organizationId, organizationId), ne(agents.status, AGENT_STATUSES.DELETED), or(eq(agents.visibility, AGENT_VISIBILITY.ORGANIZATION), eq(agents.managerId, memberId))));
+	return new Set(rows.map((r) => r.id));
+}
+function filterPulseAgents(agentsMap, visible) {
+	const out = {};
+	for (const [agentId, buckets] of Object.entries(agentsMap)) if (visible.has(agentId)) out[agentId] = buckets;
+	return out;
+}
 function adminWsRoutes(notifier, jwtSecret) {
 	const adminSockets = /* @__PURE__ */ new Map();
 	const secret = new TextEncoder().encode(jwtSecret);
-	setAdminWsBroadcast((payload) => {
+	function broadcastOrgScoped(payload) {
 		const orgId = payload.organizationId;
-		const data = JSON.stringify(payload);
-		for (const [ws, meta] of adminSockets) if (ws.readyState === 1 && (!orgId || meta.organizationId === orgId)) ws.send(data);
-	});
+		if (typeof orgId !== "string" || orgId.length === 0) return;
+		const isPulseTick = payload.type === "pulse:tick" && typeof payload.agents === "object" && payload.agents !== null;
+		const sharedData = isPulseTick ? null : JSON.stringify(payload);
+		for (const [ws, meta] of adminSockets) {
+			if (ws.readyState !== 1 || meta.organizationId !== orgId) continue;
+			if (isPulseTick) {
+				const filtered = filterPulseAgents(payload.agents, meta.visibleAgentIds);
+				ws.send(JSON.stringify({
+					...payload,
+					agents: filtered
+				}));
+			} else ws.send(sharedData);
+		}
+	}
+	registerAdminBroadcaster(broadcastOrgScoped);
 	notifier.onSessionStateChange((payload) => {
-		const data = JSON.stringify({
+		broadcastOrgScoped({
 			type: "session:state",
 			...payload
 		});
-		const orgId = payload.organizationId;
-		for (const [ws, meta] of adminSockets) if (ws.readyState === 1 && (!orgId || meta.organizationId === orgId)) ws.send(data);
 	});
 	return async (app) => {
 		app.get("/admin", { websocket: true }, async (socket, request) => {
@@ -7545,9 +7849,10 @@ function adminWsRoutes(notifier, jwtSecret) {
 				return;
 			}
 			let organizationId;
+			let memberId;
 			try {
 				const { payload } = await jwtVerify(token, secret);
-				if (payload.type !== "access" || !payload.sub || !payload.organizationId) {
+				if (payload.type !== "access" || !payload.sub || typeof payload.organizationId !== "string" || typeof payload.memberId !== "string") {
 					socket.send(JSON.stringify({
 						type: "error",
 						message: "Invalid token type"
@@ -7556,6 +7861,7 @@ function adminWsRoutes(notifier, jwtSecret) {
 					return;
 				}
 				organizationId = payload.organizationId;
+				memberId = payload.memberId;
 			} catch {
 				socket.send(JSON.stringify({
 					type: "error",
@@ -7564,7 +7870,12 @@ function adminWsRoutes(notifier, jwtSecret) {
 				socket.close(4001, "Auth failed");
 				return;
 			}
-			adminSockets.set(socket, { organizationId });
+			const visibleAgentIds = await loadVisibleAgentIds(app.db, organizationId, memberId);
+			adminSockets.set(socket, {
+				organizationId,
+				memberId,
+				visibleAgentIds
+			});
 			socket.send(JSON.stringify({ type: "admin:connected" }));
 			socket.on("close", () => {
 				adminSockets.delete(socket);
@@ -8048,7 +8359,7 @@ const wsMessageSchema = z.object({
 *      Failure ⇒ server sends `auth:rejected` and closes (code 4401).
 *   2. `client:register` — bind the client_id to the authenticated user.
 *   3. `agent:bind` — run Rule R-RUN (no token); populate presence.
-*   4. `session:state` / `runtime:state` / `session:output` / `heartbeat`.
+*   4. `session:state` / `runtime:state` / `session:event` / `session:completion` / `heartbeat`.
 *   5. `agent:unbind` — stop multiplexing for a specific agent.
 *
 * When the JWT is about to expire the server sends `auth:expired` so the
@@ -8083,6 +8394,15 @@ function clientWsRoutes(notifier, instanceId) {
 			let clientId = null;
 			let authExpiryTimer = null;
 			const boundAgents = /* @__PURE__ */ new Map();
+			const sessionOpQueues = /* @__PURE__ */ new Map();
+			function chainSessionOp(agentId, chatId, op) {
+				const key = `${agentId}:${chatId}`;
+				const next = (sessionOpQueues.get(key) ?? Promise.resolve()).then(op, op);
+				sessionOpQueues.set(key, next.finally(() => {
+					if (sessionOpQueues.get(key) === next) sessionOpQueues.delete(key);
+				}));
+				return next;
+			}
 			const authTimeout = setTimeout(() => {
 				if (!session) {
 					try {
@@ -8226,8 +8546,9 @@ function clientWsRoutes(notifier, instanceId) {
 							inboxId: agents.inboxId,
 							status: agents.status,
 							clientId: agents.clientId,
-							clientUserId: clients.userId
-						}).from(agents).leftJoin(clients, eq(agents.clientId, clients.id)).where(and(eq(agents.uuid, bindRequest.agentId))).limit(1);
+							clientUserId: clients.userId,
+							managerUserId: members.userId
+						}).from(agents).leftJoin(clients, eq(agents.clientId, clients.id)).leftJoin(members, eq(agents.managerId, members.id)).where(and(eq(agents.uuid, bindRequest.agentId))).limit(1);
 						if (!agent) {
 							sendRejected(socket, ref, AGENT_BIND_REJECT_REASONS.UNKNOWN_AGENT);
 							return;
@@ -8240,11 +8561,22 @@ function clientWsRoutes(notifier, instanceId) {
 							sendRejected(socket, ref, AGENT_BIND_REJECT_REASONS.AGENT_SUSPENDED);
 							return;
 						}
-						if (!agent.clientId || agent.clientId !== clientId) {
+						if (agent.clientId === null) {
+							if (!agent.managerUserId || agent.managerUserId !== session.userId) {
+								sendRejected(socket, ref, AGENT_BIND_REJECT_REASONS.NOT_OWNED);
+								return;
+							}
+							if ((await app.db.update(agents).set({
+								clientId,
+								updatedAt: /* @__PURE__ */ new Date()
+							}).where(and(eq(agents.uuid, agent.id), isNull(agents.clientId))).returning({ uuid: agents.uuid })).length === 0) {
+								sendRejected(socket, ref, AGENT_BIND_REJECT_REASONS.WRONG_CLIENT);
+								return;
+							}
+						} else if (agent.clientId !== clientId) {
 							sendRejected(socket, ref, AGENT_BIND_REJECT_REASONS.WRONG_CLIENT);
 							return;
-						}
-						if (!agent.clientUserId || agent.clientUserId !== session.userId) {
+						} else if (!agent.clientUserId || agent.clientUserId !== session.userId) {
 							sendRejected(socket, ref, AGENT_BIND_REJECT_REASONS.NOT_OWNED);
 							return;
 						}
@@ -8295,7 +8627,8 @@ function clientWsRoutes(notifier, instanceId) {
 							return;
 						}
 						const payload = sessionStateMessageSchema.parse(msg);
-						await upsertSessionState(app.db, agentId, payload.chatId, payload.state, notifier);
+						if (payload.state === "evicted") chainSessionOp(agentId, payload.chatId, () => clearEvents(app.db, agentId, payload.chatId).catch(() => {}));
+						await upsertSessionState(app.db, agentId, payload.chatId, payload.state, session.organizationId, notifier);
 					} else if (type === "runtime:state") {
 						const agentId = parsed.data.agentId;
 						if (!agentId || !boundAgents.has(agentId)) {
@@ -8306,10 +8639,33 @@ function clientWsRoutes(notifier, instanceId) {
 							return;
 						}
 						const payload = runtimeStateMessageSchema.parse(msg);
-						await setRuntimeState(app.db, agentId, payload.runtimeState);
+						await setRuntimeState(app.db, agentId, payload.runtimeState, {
+							organizationId: session.organizationId,
+							notifier
+						});
 						if (payload.runtimeState === "error" && shouldNotify(agentId, "agent_error")) notifyAgentEvent(app.db, agentId, "agent_error", "high", `Agent ${agentId} entered error state`).catch(() => {});
 						else if (payload.runtimeState === "blocked" && shouldNotify(agentId, "agent_blocked")) notifyAgentEvent(app.db, agentId, "agent_blocked", "medium", `Agent ${agentId} is blocked`).catch(() => {});
-					} else if (type === "session:output") {
+					} else if (type === "session:event") {
+						const agentId = parsed.data.agentId;
+						if (!agentId || !boundAgents.has(agentId)) {
+							socket.send(JSON.stringify({
+								type: "error",
+								message: "Agent not bound"
+							}));
+							return;
+						}
+						const payload = sessionEventMessageSchema.parse(msg);
+						chainSessionOp(agentId, payload.chatId, async () => {
+							try {
+								await appendEvent(app.db, agentId, payload.chatId, payload.event);
+							} catch (err) {
+								socket.send(JSON.stringify({
+									type: "error",
+									message: `Failed to persist session event: ${err instanceof Error ? err.message : String(err)}`
+								}));
+							}
+						});
+					} else if (type === "session:completion") {
 						const agentId = parsed.data.agentId;
 						if (!agentId || !boundAgents.has(agentId)) {
 							socket.send(JSON.stringify({
@@ -8318,8 +8674,7 @@ function clientWsRoutes(notifier, instanceId) {
 							}));
 							return;
 						}
-						const payload = sessionOutputMessageSchema.parse(msg);
-						appendOutput(app.db, agentId, payload.chatId, payload.content).catch(() => {});
+						const payload = sessionCompletionMessageSchema.parse(msg);
 						if (shouldNotify(agentId, `session_completed:${payload.chatId}`)) notifyAgentEvent(app.db, agentId, "session_completed", "low", `Agent ${agentId} completed a task`, payload.chatId).catch(() => {});
 					} else if (type === "heartbeat") {
 						if (clientId) {
@@ -8601,7 +8956,7 @@ async function meRoutes(app) {
 		return {
 			token,
 			expiresIn,
-			command: `first-tree-hub connect ${`${request.headers["x-forwarded-proto"] ?? request.protocol}://${request.headers["x-forwarded-host"] ?? request.headers.host ?? request.hostname}`} --token ${token}`
+			command: `first-tree-hub client connect ${`${request.headers["x-forwarded-proto"] ?? request.protocol}://${request.headers["x-forwarded-host"] ?? request.headers.host ?? request.hostname}`} --token ${token}`
 		};
 	});
 }
@@ -9231,7 +9586,7 @@ var schema_exports = /* @__PURE__ */ __exportAll({
 	notifications: () => notifications,
 	organizations: () => organizations,
 	serverInstances: () => serverInstances,
-	sessionOutputs: () => sessionOutputs,
+	sessionEvents: () => sessionEvents,
 	systemConfigs: () => systemConfigs,
 	taskChats: () => taskChats,
 	tasks: () => tasks,
@@ -10319,6 +10674,90 @@ async function nackEntry(db, entryId) {
     WHERE id = ${entryId}
   `);
 }
+const DEFAULT_INTERVAL_MS = 5e3;
+const DEFAULT_BUCKET_COUNT = 32;
+function createPulseAggregator(options) {
+	const intervalMs = options.intervalMs ?? DEFAULT_INTERVAL_MS;
+	const bucketCount = options.bucketCount ?? DEFAULT_BUCKET_COUNT;
+	const state = /* @__PURE__ */ new Map();
+	let currentIdx = 0;
+	let running = false;
+	let intervalHandle = null;
+	function emptyBucket() {
+		return {
+			workingCount: 0,
+			errorMask: false
+		};
+	}
+	function initBuckets() {
+		return Array.from({ length: bucketCount }, emptyBucket);
+	}
+	function ensureAgent(organizationId, agentId) {
+		let orgMap = state.get(organizationId);
+		if (!orgMap) {
+			orgMap = /* @__PURE__ */ new Map();
+			state.set(organizationId, orgMap);
+		}
+		let buckets = orgMap.get(agentId);
+		if (!buckets) {
+			buckets = initBuckets();
+			orgMap.set(agentId, buckets);
+		}
+		return buckets;
+	}
+	const ingest = (payload) => {
+		if (!running) return;
+		if (!payload.organizationId || !payload.agentId) return;
+		const bucket = ensureAgent(payload.organizationId, payload.agentId)[currentIdx];
+		if (!bucket) return;
+		if (payload.state === "working") bucket.workingCount += 1;
+		else if (payload.state === "error") bucket.errorMask = true;
+	};
+	function snapshotBuckets(buckets) {
+		const out = [];
+		for (let i = 0; i < bucketCount; i++) {
+			const src = buckets[(currentIdx + 1 + i) % bucketCount] ?? emptyBucket();
+			out.push({
+				workingCount: src.workingCount,
+				errorMask: src.errorMask
+			});
+		}
+		return out;
+	}
+	function broadcastTick() {
+		for (const [organizationId, orgMap] of state) {
+			const agents = {};
+			for (const [agentId, buckets] of orgMap) agents[agentId] = snapshotBuckets(buckets);
+			options.broadcast({
+				type: "pulse:tick",
+				organizationId,
+				agents
+			});
+		}
+	}
+	function advance() {
+		broadcastTick();
+		currentIdx = (currentIdx + 1) % bucketCount;
+		for (const orgMap of state.values()) for (const buckets of orgMap.values()) buckets[currentIdx] = emptyBucket();
+	}
+	return {
+		start() {
+			if (running) return;
+			running = true;
+			options.notifier.onRuntimeStateChange(ingest);
+			intervalHandle = setInterval(advance, intervalMs);
+		},
+		stop() {
+			if (!running) return;
+			running = false;
+			if (intervalHandle) {
+				clearInterval(intervalHandle);
+				intervalHandle = null;
+			}
+		},
+		ingest
+	};
+}
 async function buildApp(config) {
 	const app = Fastify({ logger: config.logger ?? true });
 	const db = connectDatabase(config.database.url);
@@ -10408,7 +10847,7 @@ async function buildApp(config) {
 		await api.register(async (adminApp) => {
 			adminApp.addHook("onRequest", memberAuth);
 			await adminApp.register(adminClientRoutes);
-		}, { prefix: "/admin/clients" });
+		}, { prefix: "/clients" });
 		await api.register(async (adminApp) => {
 			adminApp.addHook("onRequest", memberAuth);
 			await adminApp.register(adminActivityRoutes);
@@ -10477,6 +10916,10 @@ async function buildApp(config) {
 	const contextTreeDir = join(DEFAULT_DATA_DIR$1, "context-tree");
 	const kaelRuntime = config.kael?.endpoint ? createKaelRuntime(db, config.secrets.encryptionKey, config.kael.endpoint, config.kael.apiKey, config.kael.hubPublicUrl, app.log, contextTreeDir) : void 0;
 	const backgroundTasks = createBackgroundTasks(app, config.instanceId, adapterManager, kaelRuntime);
+	const pulseAggregator = createPulseAggregator({
+		notifier,
+		broadcast: broadcastToAdmins
+	});
 	notifier.onConfigChange((configType) => {
 		if (configType === "adapter_configs") {
 			adapterManager.reload().catch((err) => app.log.error(err, "Adapter hot-reload failed (PG NOTIFY)"));
@@ -10487,10 +10930,12 @@ async function buildApp(config) {
 		await ensureDefaultOrganization(db);
 		await notifier.start();
 		backgroundTasks.start();
+		pulseAggregator.start();
 		await adapterManager.reload();
 		await kaelRuntime?.reload();
 	});
 	app.addHook("onClose", async () => {
+		pulseAggregator.stop();
 		backgroundTasks.stop();
 		adapterManager.shutdown();
 		kaelRuntime?.shutdown();