@agent-team-foundation/first-tree-hub 0.8.4 → 0.8.5

package/dist/{core-VW2Qfs73.mjs → core-DoIprl2f.mjs}

@@ -1,7 +1,7 @@
 import { m as __toESM } from "./esm-CYu4tXXn.mjs";
 import { C as setConfigValue, S as serverConfigSchema, _ as loadAgents, d as DEFAULT_HOME_DIR$1, f as agentConfigSchema, g as initConfig, i as loadCredentials, l as DEFAULT_CONFIG_DIR, m as collectMissingPrompts, n as ensureFreshAccessToken, o as resolveServerUrl, p as clientConfigSchema, s as saveAgentConfig, u as DEFAULT_DATA_DIR$1, x as resolveConfigReadonly } from "./bootstrap-99vUYmLs.mjs";
 import { _ as withSpan, a as endWsConnectionSpan, b as require_pino, c as messageAttrs, d as rootLogger$1, g as startWsConnectionSpan, i as currentTraceId, n as applyLoggerConfig, o as getFastifyOtelPlugin, p as setWsConnectionAttrs, r as createLogger, t as adapterAttrs, u as observabilityPlugin, v as withWsMessageSpan, y as FIRST_TREE_HUB_ATTR } from "./observability-CJzDFY_G-CmvgUuzc.mjs";
-import { $ as updateAgentRuntimeConfigSchema, A as createMemberSchema, B as notificationQuerySchema, C as agentTypeSchema$1, D as createAdapterMappingSchema, E as createAdapterConfigSchema, F as inboxPollQuerySchema, G as sendMessageSchema, H as refreshTokenSchema, I as isRedactedEnvValue, J as sessionEventMessageSchema, K as sendToAgentSchema, L as linkTaskChatSchema, M as createTaskSchema, N as delegateFeishuUserSchema, O as createAgentSchema, P as dryRunAgentRuntimeConfigSchema, Q as updateAdapterConfigSchema, R as loginSchema, S as agentRuntimeConfigPayloadSchema$1, T as connectTokenExchangeSchema, U as runtimeStateMessageSchema, V as paginationQuerySchema, W as selfServiceFeishuBotSchema, X as sessionStateMessageSchema, Y as sessionEventSchema$1, Z as taskListQuerySchema, _ as addParticipantSchema, a as AGENT_SELECTOR_HEADER$1, at as wsAuthFrameSchema, b as agentBindRequestSchema, c as AGENT_TYPES, d as SYSTEM_CONFIG_DEFAULTS, et as updateAgentSchema, f as TASK_CREATOR_TYPES, g as WS_AUTH_FRAME_TIMEOUT_MS, h as TASK_TERMINAL_STATUSES, i as AGENT_BIND_REJECT_REASONS, it as updateTaskStatusSchema, j as createOrganizationSchema, k as createChatSchema, l as AGENT_VISIBILITY, m as TASK_STATUSES, nt as updateOrganizationSchema, o as AGENT_SOURCES, p as TASK_HEALTH_SIGNALS, q as sessionCompletionMessageSchema, rt as updateSystemConfigSchema, s as AGENT_STATUSES, tt as updateMemberSchema, u as DEFAULT_AGENT_RUNTIME_CONFIG_PAYLOAD, v as adminCreateTaskSchema, w as clientRegisterSchema, x as agentPinnedMessageSchema$1, y as adminUpdateTaskSchema, z as messageSourceSchema$1 } from "./feishu-OezhDY7x.mjs";
+import { $ as updateAdapterConfigSchema, A as createMemberSchema, B as notificationQuerySchema, C as agentTypeSchema$1, D as createAdapterMappingSchema, E as createAdapterConfigSchema, F as inboxPollQuerySchema, G as sendMessageSchema, H as refreshTokenSchema, I as isRedactedEnvValue, J as sessionEventMessageSchema, K as sendToAgentSchema, L as linkTaskChatSchema, M as createTaskSchema, N as delegateFeishuUserSchema, O as createAgentSchema, P as dryRunAgentRuntimeConfigSchema, Q as taskListQuerySchema, R as loginSchema, S as agentRuntimeConfigPayloadSchema$1, T as connectTokenExchangeSchema, U as runtimeStateMessageSchema, V as paginationQuerySchema, W as selfServiceFeishuBotSchema, X as sessionReconcileRequestSchema, Y as sessionEventSchema$1, Z as sessionStateMessageSchema, _ as addParticipantSchema, a as AGENT_SELECTOR_HEADER$1, at as updateSystemConfigSchema, b as agentBindRequestSchema, c as AGENT_TYPES, d as SYSTEM_CONFIG_DEFAULTS, et as updateAgentRuntimeConfigSchema, f as TASK_CREATOR_TYPES, g as WS_AUTH_FRAME_TIMEOUT_MS, h as TASK_TERMINAL_STATUSES, i as AGENT_BIND_REJECT_REASONS, it as updateOrganizationSchema, j as createOrganizationSchema, k as createChatSchema, l as AGENT_VISIBILITY, m as TASK_STATUSES, nt as updateChatSchema, o as AGENT_SOURCES, ot as updateTaskStatusSchema, p as TASK_HEALTH_SIGNALS, q as sessionCompletionMessageSchema, rt as updateMemberSchema, s as AGENT_STATUSES, st as wsAuthFrameSchema, tt as updateAgentSchema, u as DEFAULT_AGENT_RUNTIME_CONFIG_PAYLOAD, v as adminCreateTaskSchema, w as clientRegisterSchema, x as agentPinnedMessageSchema$1, y as adminUpdateTaskSchema, z as messageSourceSchema$1 } from "./feishu-n9Y2yGTT.mjs";
 import { copyFileSync, existsSync, mkdirSync, readFileSync, readdirSync, realpathSync, renameSync, rmSync, statSync, watch, writeFileSync } from "node:fs";
 import { dirname, isAbsolute, join, resolve } from "node:path";
 import { ZodError, z } from "zod";
@@ -230,14 +230,16 @@ const runtimeStateSchema = z.enum([
 	"blocked",
 	"error"
 ]);
-const sessionStateSchema = z.enum([
+z.enum([
 	"active",
 	"suspended",
 	"evicted"
 ]);
+/** Wire-level states a client may report. `evicted` from a stale client is rejected. */
+const clientSessionStateSchema = z.enum(["active", "suspended"]);
 z.object({
 	chatId: z.string().min(1),
-	state: sessionStateSchema
+	state: clientSessionStateSchema
 });
 z.object({ runtimeState: runtimeStateSchema });
 z.object({
@@ -526,6 +528,7 @@ z.object({
 	createdAt: z.string(),
 	updatedAt: z.string()
 }).extend({ participants: z.array(chatParticipantSchema) });
+z.object({ topic: z.string().trim().max(500).nullable() });
 z.object({
 	agentId: z.string().min(1),
 	mode: z.enum(["full", "mention_only"]).default("full")
@@ -641,7 +644,10 @@ z.object({
 	displayName: z.string().min(1).max(200),
 	role: memberRoleSchema.default("member")
 });
-z.object({ role: memberRoleSchema.optional() });
+z.object({
+	role: memberRoleSchema.optional(),
+	displayName: z.string().min(1).max(200).optional()
+});
 memberSchema.extend({
 	username: z.string(),
 	displayName: z.string(),
@@ -807,6 +813,16 @@ z.object({
 	agentId: z.string(),
 	chatId: z.string()
 });
+z.object({
+	type: z.literal("session:reconcile"),
+	agentId: z.string().min(1),
+	chatIds: z.array(z.string().min(1)).max(500)
+});
+z.object({
+	type: z.literal("session:reconcile:result"),
+	agentId: z.string().min(1),
+	staleChatIds: z.array(z.string().min(1))
+});
 const orgStatsSchema = z.object({
 	organizationId: z.string(),
 	agentCount: z.number(),
@@ -1195,6 +1211,15 @@ var ClientConnection = class extends EventEmitter {
 			chatId
 		}));
 	}
+	/** Ask the server which of the supplied chatIds the client should drop. */
+	sendSessionReconcile(agentId, chatIds) {
+		if (!this.ws || this.ws.readyState !== WebSocket.OPEN) return;
+		this.ws.send(JSON.stringify({
+			type: "session:reconcile",
+			agentId,
+			chatIds
+		}));
+	}
 	async disconnect() {
 		this.closing = true;
 		this.clearTimers();
@@ -1372,7 +1397,7 @@ var ClientConnection = class extends EventEmitter {
 			}
 			return;
 		}
-		if (type === "session:suspend" || type === "session:resume" || type === "session:terminate") {
+		if (type === "session:suspend" || type === "session:terminate") {
 			const agentId = msg.agentId;
 			const chatId = msg.chatId;
 			if (agentId && chatId) this.emit("session:command", {
@@ -1382,6 +1407,15 @@ var ClientConnection = class extends EventEmitter {
 			});
 			return;
 		}
+		if (type === "session:reconcile:result") {
+			const agentId = msg.agentId;
+			const staleChatIds = Array.isArray(msg.staleChatIds) ? msg.staleChatIds : null;
+			if (agentId && staleChatIds) this.emit("session:reconcile:result", {
+				agentId,
+				staleChatIds
+			});
+			return;
+		}
 		if (type === "new_message") {
 			const inboxId = msg.inboxId;
 			if (inboxId) this.emit("agent:message", inboxId, msg);
@@ -3134,39 +3168,49 @@ var SessionManager = class {
 		const message = this.extractMessage(entry);
 		await this.routeMessage(chatId, message, entry.id);
 	}
-	/** Handle a session command from the server (suspend/resume/terminate). */
+	/** Handle a server-issued session command. Terminate drops all local state without reporting back. */
 	async handleCommand(chatId, command) {
-		const session = this.sessions.get(chatId);
 		if (command === "session:suspend") {
+			const session = this.sessions.get(chatId);
 			if (session?.status === "active") {
 				this.config.log(`Session ${chatId}: suspend command received`);
 				this.suspendSession(session);
 			}
-		} else if (command === "session:resume") {
-			if (session?.status === "suspended") {
-				this.config.log(`Session ${chatId}: resume command received`);
-				await this.resumeSession(session, null);
-			}
-		} else if (command === "session:terminate") {
-			if (session) {
-				this.config.log(`Session ${chatId}: terminate command received`);
-				if (session.status === "active") {
-					this._activeCount--;
-					await session.handler.shutdown();
-				}
-				this.addEvictedMapping(chatId, {
-					claudeSessionId: session.claudeSessionId,
-					lastActivity: session.lastActivity
-				});
-				this.sessions.delete(chatId);
-				this.sessionRuntimeStates.delete(chatId);
-				this.recomputeRuntimeState();
-				this.notifySessionState(chatId, "evicted");
-				this.persistRegistry();
-				this.drainPendingQueue();
+			return;
+		}
+		if (command === "session:terminate") {
+			const session = this.sessions.get(chatId);
+			const hadMapping = this.evictedMappings.has(chatId);
+			if (!session && !hadMapping) return;
+			this.config.log(`Session ${chatId}: terminate command received`);
+			if (session?.status === "active") {
+				this._activeCount--;
+				await session.handler.shutdown().catch(() => {});
 			}
+			this.sessions.delete(chatId);
+			this.evictedMappings.delete(chatId);
+			this.sessionRuntimeStates.delete(chatId);
+			this.lastReportedStates.delete(chatId);
+			for (let i = this.pendingQueue.length - 1; i >= 0; i--) if (this.pendingQueue[i]?.chatId === chatId) this.pendingQueue.splice(i, 1);
+			this.recomputeRuntimeState();
+			this.persistRegistry();
+			this.drainPendingQueue();
 		}
 	}
+	/** Chat IDs this client still holds locally (sessions + evictedMappings). */
+	getHeldChatIds() {
+		const ids = /* @__PURE__ */ new Set();
+		for (const id of this.sessions.keys()) ids.add(id);
+		for (const id of this.evictedMappings.keys()) ids.add(id);
+		return [...ids];
+	}
+	/**
+	* Apply a server-declared stale list from `session:reconcile:result` — treat
+	* each chatId as if a `session:terminate` command had arrived.
+	*/
+	applyStaleChatIds(staleChatIds) {
+		for (const id of staleChatIds) this.handleCommand(id, "session:terminate");
+	}
 	/** Shut down all sessions gracefully. */
 	async shutdown() {
 		if (this.idleTimer) {
@@ -3367,8 +3411,6 @@ var SessionManager = class {
 				this._activeCount--;
 				candidate.session.handler.shutdown().catch(() => {});
 			}
-			candidate.session.status = "evicted";
-			this.notifySessionState(candidate.key, "evicted");
 			this.sessions.delete(candidate.key);
 			this.sessionRuntimeStates.delete(candidate.key);
 			this.recomputeRuntimeState();
@@ -3505,6 +3547,7 @@ var AgentSlot = class {
 	sdk = null;
 	agentConfigCache = null;
 	pollingTimer = null;
+	reconcileTimer = null;
 	listeners = [];
 	constructor(config) {
 		this.config = config;
@@ -3540,16 +3583,26 @@ var AgentSlot = class {
 			if (agentId === this.config.agentId) this.pullAndDispatch();
 		};
 		const onBound = (boundAgent) => {
-			if (boundAgent.agentId === this.config.agentId) this.fullStateSync();
+			if (boundAgent.agentId === this.config.agentId) {
+				this.fullStateSync();
+				setTimeout(() => this.reconcileNow(), 5e3);
+			}
+		};
+		const onReconcileResult = (result) => {
+			if (result.agentId === this.config.agentId && this.sessionManager) this.sessionManager.applyStaleChatIds(result.staleChatIds);
 		};
 		this.clientConnection.on("agent:message", onMessage);
 		this.clientConnection.on("agent:bound", onBound);
+		this.clientConnection.on("session:reconcile:result", onReconcileResult);
 		this.listeners.push({
 			event: "agent:message",
 			fn: onMessage
 		}, {
 			event: "agent:bound",
 			fn: onBound
+		}, {
+			event: "session:reconcile:result",
+			fn: onReconcileResult
 		});
 		const registryPath = join(DEFAULT_DATA_DIR, "sessions", `${this.config.name}.json`);
 		const gitMirrorManager = createGitMirrorManager({
@@ -3592,6 +3645,7 @@ var AgentSlot = class {
 			fn: onCommand
 		});
 		this.startPolling();
+		this.startReconcileLoop();
 		return agent;
 	}
 	async stop() {
@@ -3599,8 +3653,13 @@ var AgentSlot = class {
 			clearInterval(this.pollingTimer);
 			this.pollingTimer = null;
 		}
+		if (this.reconcileTimer) {
+			clearInterval(this.reconcileTimer);
+			this.reconcileTimer = null;
+		}
 		for (const entry of this.listeners) if (entry.event === "agent:message") this.clientConnection.off(entry.event, entry.fn);
 		else if (entry.event === "agent:bound") this.clientConnection.off(entry.event, entry.fn);
+		else if (entry.event === "session:reconcile:result") this.clientConnection.off(entry.event, entry.fn);
 		else this.clientConnection.off(entry.event, entry.fn);
 		this.listeners = [];
 		await this.clientConnection.unbindAgent(this.config.agentId);
@@ -3631,6 +3690,16 @@ var AgentSlot = class {
 		}, 5e3);
 		this.pullAndDispatch();
 	}
+	startReconcileLoop() {
+		const intervalSec = this.config.session.reconcile_interval_seconds ?? 300;
+		this.reconcileTimer = setInterval(() => this.reconcileNow(), intervalSec * 1e3);
+	}
+	reconcileNow() {
+		if (!this.sessionManager) return;
+		const chatIds = this.sessionManager.getHeldChatIds();
+		if (chatIds.length === 0) return;
+		this.clientConnection.sendSessionReconcile(this.config.agentId, chatIds);
+	}
 	async pullAndDispatch() {
 		if (!this.sdk || !this.sessionManager) return;
 		try {
@@ -3659,7 +3728,8 @@ z.object({
 }).passthrough();
 const sessionConfigSchema = z.object({
 	idle_timeout: z.number().int().positive().default(IDLE_TIMEOUT_MS / 1e3),
-	max_sessions: z.number().int().positive().default(50)
+	max_sessions: z.number().int().positive().default(50),
+	reconcile_interval_seconds: z.number().int().min(30).max(3600).default(300)
 }).passthrough();
 const agentSlotConfigSchema = z.object({
 	agentId: z.string().min(1),
@@ -3808,7 +3878,8 @@ var ClientRuntime = class {
 			handlerFactory,
 			session: {
 				idle_timeout: config.session.idle_timeout,
-				max_sessions: config.session.max_sessions
+				max_sessions: config.session.max_sessions,
+				reconcile_interval_seconds: 300
 			},
 			concurrency: config.concurrency,
 			clientConnection: this.connection
@@ -4602,7 +4673,7 @@ async function onboardCreate(args) {
 	}
 	const runtimeAgent = args.type === "human" ? args.assistant : args.id;
 	if (args.feishuBotAppId && args.feishuBotAppSecret) {
-		const { bindFeishuBot } = await import("./feishu-OezhDY7x.mjs").then((n) => n.r);
+		const { bindFeishuBot } = await import("./feishu-n9Y2yGTT.mjs").then((n) => n.r);
 		const targetAgentUuid = args.type === "human" ? assistantUuid : primary.uuid;
 		if (!targetAgentUuid) process.stderr.write(`Warning: Cannot bind Feishu bot — no runtime agent available for "${args.id}".\n`);
 		else {
@@ -4743,7 +4814,7 @@ function setNestedByDot(obj, dotPath, value) {
 	if (lastKey !== void 0) current[lastKey] = value;
 }
 //#endregion
-//#region ../server/dist/app-BGneEeZO.mjs
+//#region ../server/dist/app-C6y-ySN9.mjs
 var __defProp = Object.defineProperty;
 var __exportAll = (all, no_symbols) => {
 	let target = {};
@@ -5280,6 +5351,8 @@ function parseId$1(raw) {
 async function adminAdapterMappingRoutes(app) {
 	app.get("/", async (request) => {
 		const scope = memberScope(request);
+		const conditions = [eq(agents.organizationId, scope.organizationId)];
+		if (scope.role !== "admin") conditions.push(eq(agents.managerId, scope.memberId));
 		return (await app.db.select({
 			id: adapterAgentMappings.id,
 			platform: adapterAgentMappings.platform,
@@ -5288,7 +5361,7 @@ async function adminAdapterMappingRoutes(app) {
 			boundVia: adapterAgentMappings.boundVia,
 			displayName: adapterAgentMappings.displayName,
 			createdAt: adapterAgentMappings.createdAt
-		}).from(adapterAgentMappings).innerJoin(agents, eq(agents.uuid, adapterAgentMappings.agentId)).where(eq(agents.organizationId, scope.organizationId)).orderBy(desc(adapterAgentMappings.createdAt))).map((r) => ({
+		}).from(adapterAgentMappings).innerJoin(agents, eq(agents.uuid, adapterAgentMappings.agentId)).where(and(...conditions)).orderBy(desc(adapterAgentMappings.createdAt))).map((r) => ({
 			id: r.id,
 			platform: r.platform,
 			externalUserId: r.externalUserId,
@@ -5336,11 +5409,6 @@ async function adminAdapterMappingRoutes(app) {
 		return reply.status(204).send();
 	});
 }
-async function adminAdapterStatusRoutes(app) {
-	app.get("/", async () => {
-		return app.adapterManager.getBotStatuses();
-	});
-}
 /** Bot credentials for external platform adapters. Credentials are encrypted at application layer (AES-256-GCM). */
 const adapterConfigs = pgTable("adapter_configs", {
 	id: serial("id").primaryKey(),
@@ -5351,6 +5419,17 @@ const adapterConfigs = pgTable("adapter_configs", {
 	createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
 	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow()
 }, (t) => [unique("uq_adapter_configs_agent_platform").on(t.agentId, t.platform)]);
+async function adminAdapterStatusRoutes(app) {
+	app.get("/", async (request) => {
+		const scope = memberScope(request);
+		const conditions = [eq(agents.organizationId, scope.organizationId), ne(agents.status, "deleted")];
+		if (scope.role !== "admin") conditions.push(eq(agents.managerId, scope.memberId));
+		const visibleRows = await app.db.select({ id: adapterConfigs.id }).from(adapterConfigs).innerJoin(agents, eq(agents.uuid, adapterConfigs.agentId)).where(and(...conditions));
+		const visibleIds = new Set(visibleRows.map((r) => r.id));
+		if (visibleIds.size === 0) return [];
+		return app.adapterManager.getBotStatuses().filter((s) => visibleIds.has(s.configId));
+	});
+}
 const ALGORITHM = "aes-256-gcm";
 const IV_LENGTH = 12;
 const AUTH_TAG_LENGTH = 16;
@@ -5464,6 +5543,30 @@ function toResponse(row) {
 async function listAdapterConfigs(db) {
 	return (await db.select().from(adapterConfigs).orderBy(desc(adapterConfigs.createdAt))).map(toResponse);
 }
+/**
+* Scoped variant used by the member-facing admin route.
+*
+*   - admin: every adapter config whose agent belongs to the caller's org.
+*   - non-admin: only adapter configs bound to agents the caller manages
+*     (Rule: bindings follow manageability).
+*
+* Kept as a separate function so internal self-service callers
+* (`agent/feishu-bot.ts`) that only need a raw read don't accidentally pay
+* for the join.
+*/
+async function listAdapterConfigsForMember(db, scope) {
+	const conditions = [eq(agents.organizationId, scope.organizationId), ne(agents.status, "deleted")];
+	if (scope.role !== "admin") conditions.push(eq(agents.managerId, scope.memberId));
+	return (await db.select({
+		id: adapterConfigs.id,
+		platform: adapterConfigs.platform,
+		agentId: adapterConfigs.agentId,
+		credentials: adapterConfigs.credentials,
+		status: adapterConfigs.status,
+		createdAt: adapterConfigs.createdAt,
+		updatedAt: adapterConfigs.updatedAt
+	}).from(adapterConfigs).innerJoin(agents, eq(agents.uuid, adapterConfigs.agentId)).where(and(...conditions)).orderBy(desc(adapterConfigs.createdAt))).map(toResponse);
+}
 async function getAdapterConfig(db, id) {
 	const [row] = await db.select().from(adapterConfigs).where(eq(adapterConfigs.id, id)).limit(1);
 	if (!row) throw new NotFoundError(`Adapter config "${id}" not found`);
@@ -5513,8 +5616,9 @@ function parseId(raw) {
 	return id;
 }
 async function adminAdapterRoutes(app) {
-	app.get("/", async () => {
-		return (await listAdapterConfigs(app.db)).map((c) => ({
+	app.get("/", async (request) => {
+		const scope = memberScope(request);
+		return (await listAdapterConfigsForMember(app.db, scope)).map((c) => ({
 			...c,
 			createdAt: c.createdAt.toISOString(),
 			updatedAt: c.updatedAt.toISOString()
@@ -5776,6 +5880,47 @@ async function getAgent(db, uuid) {
 	return agent;
 }
 /**
+* Admin-only variant: return every non-deleted agent in the org, ignoring
+* the visibility filter. Used by the `/admin` "All Agents" view so a team
+* admin can see and act on private agents owned by other members. The
+* route layer is responsible for gating this to admin callers — the
+* service does not enforce role by itself, but it does enforce org scope
+* and the not-deleted predicate.
+*/
+async function listAgentsForAdmin(db, scope, limit, cursor) {
+	const conditions = [eq(agents.organizationId, scope.organizationId), ne(agents.status, AGENT_STATUSES.DELETED)];
+	if (cursor) conditions.push(lt(agents.createdAt, new Date(cursor)));
+	const where = and(...conditions);
+	const rows = await db.select({
+		uuid: agents.uuid,
+		name: agents.name,
+		organizationId: agents.organizationId,
+		type: agents.type,
+		displayName: agents.displayName,
+		delegateMention: agents.delegateMention,
+		inboxId: agents.inboxId,
+		status: agents.status,
+		cloudUserId: agents.cloudUserId,
+		visibility: agents.visibility,
+		metadata: agents.metadata,
+		managerId: agents.managerId,
+		clientId: agents.clientId,
+		createdAt: agents.createdAt,
+		updatedAt: agents.updatedAt,
+		presenceStatus: agentPresence.status,
+		runtimeType: agentPresence.runtimeType,
+		runtimeState: agentPresence.runtimeState,
+		activeSessions: agentPresence.activeSessions
+	}).from(agents).leftJoin(agentPresence, eq(agents.uuid, agentPresence.agentId)).where(where).orderBy(desc(agents.createdAt)).limit(limit + 1);
+	const hasMore = rows.length > limit;
+	const items = hasMore ? rows.slice(0, limit) : rows;
+	const last = items[items.length - 1];
+	return {
+		items,
+		nextCursor: hasMore && last ? last.createdAt.toISOString() : null
+	};
+}
+/**
 * List agents visible to a specific member.
 * Uses agentVisibilityCondition from access-control (same rules for all roles).
 */
@@ -6271,17 +6416,31 @@ async function cleanupStalePresence(db, staleSeconds = 60) {
   `)).length;
 }
 /**
-* Assert the caller's user owns this client. Throws 404 for both "not found"
+* Assert the caller can act on this client. Throws 404 for both "not found"
 * and "not yours" to prevent UUID enumeration across org/user boundaries.
-* Used by management routes (disconnect, retire, single GET) so a cross-org
-* admin cannot operate on another user's client.
+*
+*   - member: owner match (`row.user_id == scope.userId`).
+*   - admin: any client whose owner is a member of the admin's own org.
+*
+* Legacy unclaimed rows (`user_id IS NULL`) have no org association we can
+* verify — we explicitly refuse to grant admin access to them so a
+* cross-tenant admin can't operate on another org's orphan rows. These
+* orphans are surfaced for self-service re-registration only; the owning
+* operator must claim the row via `first-tree-hub connect` before any
+* admin action becomes available.
 */
-async function assertClientOwner(db, clientId, userId) {
+async function assertClientOwner(db, clientId, scope) {
 	const [row] = await db.select({
 		id: clients.id,
 		userId: clients.userId
 	}).from(clients).where(eq(clients.id, clientId)).limit(1);
-	if (!row || row.userId !== userId) throw new NotFoundError(`Client "${clientId}" not found`);
+	if (!row) throw new NotFoundError(`Client "${clientId}" not found`);
+	if (row.userId === scope.userId) return;
+	if (scope.role === "admin" && row.userId !== null) {
+		const [sibling] = await db.select({ id: members.id }).from(members).where(and(eq(members.userId, row.userId), eq(members.organizationId, scope.organizationId))).limit(1);
+		if (sibling) return;
+	}
+	throw new NotFoundError(`Client "${clientId}" not found`);
 }
 /**
 * Upsert the clients row for a given `client_id` under an authenticated user.
@@ -6361,8 +6520,32 @@ async function listActiveAgentsPinnedToClient(db, clientId) {
 		type: agents.type
 	}).from(agents).where(and(eq(agents.clientId, clientId), ne(agents.status, "deleted")));
 }
-async function listClients(db, userId) {
-	const rows = await db.select().from(clients).where(eq(clients.userId, userId));
+/**
+* Scope-aware client listing.
+*
+*   - member: only rows where `user_id = scope.userId`.
+*   - admin: every claimed row whose owner is a member of the caller's
+*     organization.
+*
+* Legacy unclaimed rows (`user_id IS NULL`) are intentionally hidden from
+* both roles — the `clients` table has no org column, so we cannot verify
+* which org an orphan belongs to. Exposing them to admin would leak
+* orphans across tenants. The owning operator reclaims the row via
+* `first-tree-hub connect`, after which it appears in their list.
+*/
+async function listClients(db, scope) {
+	const rows = scope.role === "admin" ? await db.selectDistinct({
+		id: clients.id,
+		userId: clients.userId,
+		status: clients.status,
+		sdkVersion: clients.sdkVersion,
+		hostname: clients.hostname,
+		os: clients.os,
+		instanceId: clients.instanceId,
+		connectedAt: clients.connectedAt,
+		lastSeenAt: clients.lastSeenAt,
+		metadata: clients.metadata
+	}).from(clients).innerJoin(members, eq(members.userId, clients.userId)).where(eq(members.organizationId, scope.organizationId)) : await db.select().from(clients).where(eq(clients.userId, scope.userId));
 	const counts = await db.select({
 		clientId: agents.clientId,
 		count: sql`count(*)::int`
@@ -6827,6 +7010,33 @@ async function adminAgentRoutes(app) {
 			nextCursor: result.nextCursor
 		};
 	});
+	/**
+	* Admin-only: every agent in the caller's org, skipping the visibility
+	* filter applied on the regular `/agents` list. Private agents owned by
+	* other members show up here so an admin can reassign or troubleshoot.
+	* Role gating is enforced here — the parent route group does NOT add
+	* adminOnly because the member-facing `GET /` is shared.
+	*/
+	app.get("/all", async (request) => {
+		const scope = memberScope(request);
+		if (scope.role !== "admin") throw new ForbiddenError("Admin role required");
+		const query = paginationQuerySchema.parse(request.query);
+		const result = await listAgentsForAdmin(app.db, scope, query.limit, query.cursor);
+		return {
+			items: result.items.map((a) => ({
+				...a,
+				managerId: a.managerId ?? null,
+				presenceStatus: a.presenceStatus ?? "offline",
+				createdAt: a.createdAt.toISOString(),
+				updatedAt: a.updatedAt.toISOString(),
+				clientId: a.clientId ?? null,
+				runtimeType: a.runtimeType ?? null,
+				runtimeState: a.runtimeState ?? null,
+				activeSessions: a.activeSessions ?? null
+			})),
+			nextCursor: result.nextCursor
+		};
+	});
 	app.post("/", async (request, reply) => {
 		const scope = memberScope(request);
 		const body = createAgentSchema.parse(request.body);
@@ -7113,6 +7323,24 @@ async function adminChatRoutes(app) {
 			}))
 		};
 	});
+	/** Rename (or clear) a chat's topic. Requires participation or supervision — same gate as reading it. */
+	app.patch("/:chatId", async (request) => {
+		const { chatId } = request.params;
+		const scope = memberScope(request);
+		await assertChatAccess(app.db, scope, chatId);
+		const body = updateChatSchema.parse(request.body);
+		const nextTopic = body.topic && body.topic.length > 0 ? body.topic : null;
+		const [updated] = await app.db.update(chats).set({
+			topic: nextTopic,
+			updatedAt: /* @__PURE__ */ new Date()
+		}).where(eq(chats.id, chatId)).returning();
+		if (!updated) throw new Error("Unexpected: chat missing after update");
+		return {
+			...updated,
+			createdAt: updated.createdAt.toISOString(),
+			updatedAt: updated.updatedAt.toISOString()
+		};
+	});
 	/** List messages in a chat with delivery status (requires participation or supervision) */
 	app.get("/:chatId/messages", async (request) => {
 		const { chatId } = request.params;
@@ -7232,10 +7460,18 @@ const agentChatSessions = pgTable("agent_chat_sessions", {
 	state: text("state").notNull(),
 	updatedAt: timestamp("updated_at", { withTimezone: true }).notNull().defaultNow()
 }, (table) => [primaryKey({ columns: [table.agentId, table.chatId] })]);
-/** Upsert a session state, refresh materialized aggregates on agent_presence, and emit org-scoped NOTIFY. */
+/**
+* Upsert session state + refresh presence aggregates + NOTIFY.
+*
+* Revival defense: an admin-terminated (`evicted`) row is immutable; a client
+* report for the same chatId is silently dropped after the FOR UPDATE check.
+*/
 async function upsertSessionState(db, agentId, chatId, state, organizationId, notifier) {
 	const now = /* @__PURE__ */ new Date();
+	let wrote = false;
 	await db.transaction(async (tx) => {
+		const [existing] = await tx.select({ state: agentChatSessions.state }).from(agentChatSessions).where(and(eq(agentChatSessions.agentId, agentId), eq(agentChatSessions.chatId, chatId))).for("update");
+		if (existing?.state === "evicted") return;
 		await tx.insert(agentChatSessions).values({
 			agentId,
 			chatId,
@@ -7259,8 +7495,9 @@ async function upsertSessionState(db, agentId, chatId, state, organizationId, no
 			totalSessions,
 			lastSeenAt: now
 		}).where(eq(agentPresence.agentId, agentId));
+		wrote = true;
 	});
-	if (notifier) notifier.notifySessionStateChange(agentId, chatId, state, organizationId).catch(() => {});
+	if (wrote && notifier) notifier.notifySessionStateChange(agentId, chatId, state, organizationId).catch(() => {});
 }
 async function resetActivity(db, agentId) {
 	const now = /* @__PURE__ */ new Date();
@@ -7313,22 +7550,6 @@ async function listAgentsWithRuntime(db, scope) {
 		type: agents.type
 	}).from(agentPresence).innerJoin(agents, eq(agentPresence.agentId, agents.uuid)).where(and(isNotNull(agentPresence.runtimeState), agentVisibilityCondition(scope)));
 }
-/**
-* Clean up stale session rows from agent_chat_sessions.
-* Removes evicted rows older than staleSeconds and suspended rows older than staleSeconds.
-* Returns the number of rows deleted.
-*/
-async function cleanupStaleSessions(db, staleSeconds = 604800) {
-	return (await db.execute(sql`
-    WITH deleted AS (
-      DELETE FROM agent_chat_sessions
-      WHERE state IN ('evicted', 'suspended')
-      AND updated_at < NOW() - make_interval(secs => ${staleSeconds})
-      RETURNING 1
-    )
-    SELECT count(*)::int AS cnt FROM deleted
-  `))[0]?.cnt ?? 0;
-}
 /** Serialize a Date to ISO string, or null. */
 function serializeDate(d) {
 	return d ? d.toISOString() : null;
@@ -7336,7 +7557,11 @@ function serializeDate(d) {
 async function adminClientRoutes(app) {
 	app.get("/", async (request) => {
 		const scope = memberScope(request);
-		return (await listClients(app.db, scope.userId)).map((c) => ({
+		return (await listClients(app.db, {
+			userId: scope.userId,
+			organizationId: scope.organizationId,
+			role: scope.role
+		})).map((c) => ({
 			id: c.id,
 			userId: c.userId,
 			status: c.status,
@@ -7350,7 +7575,7 @@ async function adminClientRoutes(app) {
 	});
 	app.get("/:clientId", async (request) => {
 		const scope = memberScope(request);
-		await assertClientOwner(app.db, request.params.clientId, scope.userId);
+		await assertClientOwner(app.db, request.params.clientId, scope);
 		const client = await getClient(app.db, request.params.clientId);
 		if (!client) throw new Error("unreachable: client missing after owner check");
 		return {
@@ -7367,7 +7592,7 @@ async function adminClientRoutes(app) {
 	app.post("/:clientId/disconnect", async (request) => {
 		const scope = memberScope(request);
 		const { clientId } = request.params;
-		await assertClientOwner(app.db, clientId, scope.userId);
+		await assertClientOwner(app.db, clientId, scope);
 		const agentIds = forceDisconnectClient(clientId);
 		await disconnectClient(app.db, clientId);
 		return {
@@ -7378,7 +7603,7 @@ async function adminClientRoutes(app) {
 	app.delete("/:clientId", async (request, reply) => {
 		const scope = memberScope(request);
 		const { clientId } = request.params;
-		await assertClientOwner(app.db, clientId, scope.userId);
+		await assertClientOwner(app.db, clientId, scope);
 		await retireClient(app.db, clientId);
 		forceDisconnectClient(clientId);
 		await disconnectClient(app.db, clientId);
@@ -7658,16 +7883,26 @@ async function adminOverviewRoutes(app) {
 		};
 	});
 }
+const SUMMARY_MAX_LENGTH = 50;
+/** Extract a plain-text summary from a message's JSONB content field. */
+function extractSummary(content, maxLen = SUMMARY_MAX_LENGTH) {
+	let text = "";
+	if (typeof content === "object" && content !== null && "text" in content) text = String(content.text ?? "");
+	else if (typeof content === "string") text = content;
+	return text ? text.slice(0, maxLen) : null;
+}
 /** List sessions for a specific agent, with optional state filters. */
 async function listAgentSessions(db, agentId, filters) {
 	const conditions = [eq(agentChatSessions.agentId, agentId)];
 	if (filters?.state) conditions.push(eq(agentChatSessions.state, filters.state));
+	else conditions.push(ne(agentChatSessions.state, "evicted"));
 	const rows = await db.select({
 		agentId: agentChatSessions.agentId,
 		chatId: agentChatSessions.chatId,
 		state: agentChatSessions.state,
 		updatedAt: agentChatSessions.updatedAt,
-		chatCreatedAt: chats.createdAt
+		chatCreatedAt: chats.createdAt,
+		chatTopic: chats.topic
 	}).from(agentChatSessions).innerJoin(chats, eq(agentChatSessions.chatId, chats.id)).where(and(...conditions)).orderBy(desc(agentChatSessions.updatedAt));
 	const [presence] = await db.select({ runtimeState: agentPresence.runtimeState }).from(agentPresence).where(eq(agentPresence.agentId, agentId)).limit(1);
 	const agentRuntimeState = presence?.runtimeState ?? null;
@@ -7678,6 +7913,15 @@ async function listAgentSessions(db, agentId, filters) {
 		count: sql`count(*)::int`
 	}).from(inboxEntries).where(and(eq(inboxEntries.inboxId, sql`(SELECT inbox_id FROM agents WHERE uuid = ${agentId})`), inArray(inboxEntries.chatId, chatIds))).groupBy(inboxEntries.chatId) : [];
 	const countMap = new Map(messageCounts.map((r) => [r.chatId, r.count]));
+	const firstMessages = chatIds.length > 0 ? await db.selectDistinctOn([messages.chatId], {
+		chatId: messages.chatId,
+		content: messages.content
+	}).from(messages).where(inArray(messages.chatId, chatIds)).orderBy(messages.chatId, messages.createdAt) : [];
+	const summaryMap = /* @__PURE__ */ new Map();
+	for (const row of firstMessages) {
+		const summary = extractSummary(row.content);
+		if (summary) summaryMap.set(row.chatId, summary);
+	}
 	return rows.map((r) => ({
 		agentId: r.agentId,
 		chatId: r.chatId,
@@ -7685,7 +7929,9 @@ async function listAgentSessions(db, agentId, filters) {
 		runtimeState: agentRuntimeState,
 		startedAt: r.chatCreatedAt.toISOString(),
 		lastActivityAt: r.updatedAt.toISOString(),
-		messageCount: countMap.get(r.chatId) ?? 0
+		messageCount: countMap.get(r.chatId) ?? 0,
+		summary: summaryMap.get(r.chatId) ?? null,
+		topic: r.chatTopic ?? null
 	}));
 }
 /** Get a single session's detail. */
@@ -7695,11 +7941,14 @@ async function getSession(db, agentId, chatId) {
 		chatId: agentChatSessions.chatId,
 		state: agentChatSessions.state,
 		updatedAt: agentChatSessions.updatedAt,
-		chatCreatedAt: chats.createdAt
+		chatCreatedAt: chats.createdAt,
+		chatTopic: chats.topic
 	}).from(agentChatSessions).innerJoin(chats, eq(agentChatSessions.chatId, chats.id)).where(and(eq(agentChatSessions.agentId, agentId), eq(agentChatSessions.chatId, chatId))).limit(1);
 	if (!row) throw new NotFoundError(`Session (${agentId}, ${chatId}) not found`);
 	const [presence] = await db.select({ runtimeState: agentPresence.runtimeState }).from(agentPresence).where(eq(agentPresence.agentId, agentId)).limit(1);
 	const [countRow] = await db.select({ count: sql`count(*)::int` }).from(inboxEntries).where(and(eq(inboxEntries.inboxId, sql`(SELECT inbox_id FROM agents WHERE uuid = ${agentId})`), eq(inboxEntries.chatId, chatId)));
+	const firstMsg = (await db.execute(sql`SELECT content FROM messages WHERE chat_id = ${chatId} ORDER BY created_at ASC LIMIT 1`))[0];
+	const summary = firstMsg ? extractSummary(firstMsg.content) : null;
 	return {
 		agentId: row.agentId,
 		chatId: row.chatId,
@@ -7707,13 +7956,16 @@ async function getSession(db, agentId, chatId) {
 		runtimeState: presence?.runtimeState ?? null,
 		startedAt: row.chatCreatedAt.toISOString(),
 		lastActivityAt: row.updatedAt.toISOString(),
-		messageCount: countRow?.count ?? 0
+		messageCount: countRow?.count ?? 0,
+		summary,
+		topic: row.chatTopic ?? null
 	};
 }
 /** List all sessions across all agents, with pagination. Scoped to organization. */
 async function listAllSessions(db, limit, cursor, filters) {
 	const conditions = [];
 	if (filters?.state) conditions.push(eq(agentChatSessions.state, filters.state));
+	else conditions.push(ne(agentChatSessions.state, "evicted"));
 	if (filters?.agentId) conditions.push(eq(agentChatSessions.agentId, filters.agentId));
 	if (filters?.organizationId) conditions.push(eq(agents.organizationId, filters.organizationId));
 	if (cursor) conditions.push(sql`${agentChatSessions.updatedAt} < ${new Date(cursor)}`);
@@ -7742,11 +7994,54 @@ async function listAllSessions(db, limit, cursor, filters) {
 			runtimeState: runtimeMap.get(r.agentId) ?? null,
 			startedAt: r.chatCreatedAt.toISOString(),
 			lastActivityAt: r.updatedAt.toISOString(),
-			messageCount: 0
+			messageCount: 0,
+			summary: null,
+			topic: null
 		})),
 		nextCursor
 	};
 }
+/** Commit `active → suspended`. No-op on suspended/evicted. Throws if row is missing. */
+async function suspendSession(db, agentId, chatId, organizationId, notifier) {
+	return transitionSessionState(db, agentId, chatId, "suspended", ["active"], organizationId, notifier);
+}
+/** Commit `suspended → evicted` (terminal — listings hide it, revival defense blocks resurrection). */
+async function archiveSession(db, agentId, chatId, organizationId, notifier) {
+	return transitionSessionState(db, agentId, chatId, "evicted", ["suspended"], organizationId, notifier);
+}
+async function transitionSessionState(db, agentId, chatId, target, from, organizationId, notifier) {
+	const now = /* @__PURE__ */ new Date();
+	let finalState = null;
+	let transitioned = false;
+	await db.transaction(async (tx) => {
+		const [existing] = await tx.select({ state: agentChatSessions.state }).from(agentChatSessions).where(and(eq(agentChatSessions.agentId, agentId), eq(agentChatSessions.chatId, chatId))).for("update");
+		if (!existing) return;
+		const current = existing.state;
+		finalState = current;
+		if (!from.includes(current)) return;
+		await tx.update(agentChatSessions).set({
+			state: target,
+			updatedAt: now
+		}).where(and(eq(agentChatSessions.agentId, agentId), eq(agentChatSessions.chatId, chatId)));
+		const [counts] = await tx.select({
+			active: sql`count(*) FILTER (WHERE ${agentChatSessions.state} = 'active')::int`,
+			total: sql`count(*) FILTER (WHERE ${agentChatSessions.state} != 'evicted')::int`
+		}).from(agentChatSessions).where(eq(agentChatSessions.agentId, agentId));
+		await tx.update(agentPresence).set({
+			activeSessions: counts?.active ?? 0,
+			totalSessions: counts?.total ?? 0,
+			lastSeenAt: now
+		}).where(eq(agentPresence.agentId, agentId));
+		finalState = target;
+		transitioned = true;
+	});
+	if (finalState === null) throw new NotFoundError(`Session (${agentId}, ${chatId}) not found`);
+	if (transitioned && notifier) notifier.notifySessionStateChange(agentId, chatId, target, organizationId).catch(() => {});
+	return {
+		state: finalState,
+		transitioned
+	};
+}
 /**
 * Filter sessions to only those where the given agent is also a participant in the chat.
 * Used when a non-manager views sessions of an org-visible agent — they should only see
@@ -7927,49 +8222,41 @@ async function adminSessionRoutes(app) {
 			direction
 		});
 	});
-	/** POST /admin/sessions/agents/:agentId/:chatId/suspend — suspend a session */
+	/** POST /admin/sessions/agents/:agentId/:chatId/suspend — commit first, WS-send best-effort. */
 	app.post("/agents/:agentId/:chatId/suspend", async (request, reply) => {
 		const { agentId, chatId } = request.params;
 		await assertCanManage(app.db, memberScope(request), agentId);
-		if (!sendToAgent$1(agentId, {
+		const member = requireMember(request);
+		const result = await suspendSession(app.db, agentId, chatId, member.organizationId, app.notifier);
+		if (result.transitioned) sendToAgent$1(agentId, {
 			type: "session:suspend",
 			chatId
-		})) throw new ConflictError("Agent is not connected — session command requires a live connection");
-		return reply.status(202).send({
-			status: "sent",
-			command: "suspend",
-			agentId,
-			chatId
 		});
-	});
-	/** POST /admin/sessions/agents/:agentId/:chatId/resume — resume a session */
-	app.post("/agents/:agentId/:chatId/resume", async (request, reply) => {
-		const { agentId, chatId } = request.params;
-		await assertCanManage(app.db, memberScope(request), agentId);
-		if (!sendToAgent$1(agentId, {
-			type: "session:resume",
-			chatId
-		})) throw new ConflictError("Agent is not connected — session command requires a live connection");
-		return reply.status(202).send({
-			status: "sent",
-			command: "resume",
+		return reply.status(200).send({
 			agentId,
-			chatId
+			chatId,
+			state: result.state,
+			transitioned: result.transitioned
 		});
 	});
-	/** POST /admin/sessions/agents/:agentId/:chatId/terminate — terminate a session */
+	/** POST /admin/sessions/agents/:agentId/:chatId/terminate — archive; clear events + best-effort WS. */
 	app.post("/agents/:agentId/:chatId/terminate", async (request, reply) => {
 		const { agentId, chatId } = request.params;
 		await assertCanManage(app.db, memberScope(request), agentId);
-		if (!sendToAgent$1(agentId, {
-			type: "session:terminate",
-			chatId
-		})) throw new ConflictError("Agent is not connected — session command requires a live connection");
-		return reply.status(202).send({
-			status: "sent",
-			command: "terminate",
+		const member = requireMember(request);
+		const result = await archiveSession(app.db, agentId, chatId, member.organizationId, app.notifier);
+		if (result.transitioned) {
+			clearEvents(app.db, agentId, chatId).catch(() => {});
+			sendToAgent$1(agentId, {
+				type: "session:terminate",
+				chatId
+			});
+		}
+		return reply.status(200).send({
 			agentId,
-			chatId
+			chatId,
+			state: result.state,
+			transitioned: result.transitioned
 		});
 	});
 }
@@ -9418,9 +9705,47 @@ function clientWsRoutes(notifier, instanceId) {
 								}));
 								return;
 							}
-							const payload = sessionStateMessageSchema.parse(msg);
-							if (payload.state === "evicted") chainSessionOp(agentId, payload.chatId, () => clearEvents(app.db, agentId, payload.chatId).catch(() => {}));
-							await upsertSessionState(app.db, agentId, payload.chatId, payload.state, session.organizationId, notifier);
+							const payloadResult = sessionStateMessageSchema.safeParse(msg);
+							if (!payloadResult.success) {
+								socket.send(JSON.stringify({
+									type: "error",
+									message: "Unsupported session state from client; client upgrade required"
+								}));
+								const rawState = msg.state;
+								app.log.warn({
+									clientId,
+									agentId,
+									rawState
+								}, "session:state rejected — stale client wire");
+								return;
+							}
+							await upsertSessionState(app.db, agentId, payloadResult.data.chatId, payloadResult.data.state, session.organizationId, notifier);
+						} else if (type === "session:reconcile") {
+							const agentId = parsed.data.agentId;
+							if (!agentId || !boundAgents.has(agentId)) {
+								socket.send(JSON.stringify({
+									type: "error",
+									message: "Agent not bound"
+								}));
+								return;
+							}
+							const payloadResult = sessionReconcileRequestSchema.safeParse(msg);
+							if (!payloadResult.success) {
+								socket.send(JSON.stringify({
+									type: "error",
+									message: "Malformed session:reconcile frame"
+								}));
+								return;
+							}
+							const { chatIds } = payloadResult.data;
+							const aliveRows = chatIds.length ? await app.db.select({ chatId: agentChatSessions.chatId }).from(agentChatSessions).where(and(eq(agentChatSessions.agentId, agentId), inArray(agentChatSessions.chatId, chatIds), ne(agentChatSessions.state, "evicted"))) : [];
+							const alive = new Set(aliveRows.map((r) => r.chatId));
+							const staleChatIds = chatIds.filter((id) => !alive.has(id));
+							socket.send(JSON.stringify({
+								type: "session:reconcile:result",
+								agentId,
+								staleChatIds
+							}));
 						} else if (type === "runtime:state") {
 							const agentId = parsed.data.agentId;
 							if (!agentId || !boundAgents.has(agentId)) {
@@ -9839,14 +10164,18 @@ async function getMember(db, id) {
 		createdAt: row.createdAt.toISOString()
 	};
 }
-async function updateMember(db, id, data) {
-	if (!data.role) return getMember(db, id);
-	if (data.role === "member") {
-		const member = await getMember(db, id);
-		if (member.role === "admin") await assertNotLastAdmin(db, member.organizationId, id);
-	}
-	const [row] = await db.update(members).set({ role: data.role }).where(eq(members.id, id)).returning();
-	if (!row) throw new NotFoundError(`Member "${id}" not found`);
+async function updateMember(db, id, data, callerOrgId) {
+	if (data.role === void 0 && data.displayName === void 0) return getMember(db, id);
+	const current = await getMember(db, id);
+	if (callerOrgId && current.organizationId !== callerOrgId) throw new NotFoundError(`Member "${id}" not found`);
+	if (data.role === "member" && current.role === "admin") await assertNotLastAdmin(db, current.organizationId, id);
+	await db.transaction(async (tx) => {
+		if (data.role !== void 0 && data.role !== current.role) await tx.update(members).set({ role: data.role }).where(eq(members.id, id));
+		if (data.displayName !== void 0 && data.displayName !== current.displayName) {
+			await tx.update(users).set({ displayName: data.displayName }).where(eq(users.id, current.userId));
+			await tx.update(agents).set({ displayName: data.displayName }).where(eq(agents.uuid, current.agentId));
+		}
+	});
 	return getMember(db, id);
 }
 async function deleteMember(db, id) {
@@ -9884,7 +10213,8 @@ async function memberRoutes(app) {
 	app.patch("/:id", async (request) => {
 		requireAdmin(request);
 		const body = updateMemberSchema.parse(request.body);
-		return updateMember(app.db, request.params.id, body);
+		const m = requireMember(request);
+		return updateMember(app.db, request.params.id, body, m.organizationId);
 	});
 	app.delete("/:id", async (request, reply) => {
 		requireAdmin(request);
@@ -10965,7 +11295,6 @@ function createBackgroundTasks(app, instanceId, adapterManager, kaelRuntime) {
 	let heartbeatTimer = null;
 	let adapterOutboundTimer = null;
 	let kaelOutboundTimer = null;
-	let sessionCleanupTimer = null;
 	return {
 		start() {
 			inboxTimer = setInterval(async () => {
@@ -11010,14 +11339,6 @@ function createBackgroundTasks(app, instanceId, adapterManager, kaelRuntime) {
 					log.error({ err }, "kael outbound processing failed");
 				}
 			}, 5e3);
-			sessionCleanupTimer = setInterval(async () => {
-				try {
-					const deleted = await cleanupStaleSessions(app.db);
-					if (deleted > 0) log.info({ count: deleted }, "cleaned up stale sessions");
-				} catch (err) {
-					log.error({ err }, "failed to clean up stale sessions");
-				}
-			}, 36e5);
 			heartbeatInstance(app.db, instanceId).catch((err) => {
 				log.error({ err }, "failed initial heartbeat");
 			});
@@ -11039,10 +11360,6 @@ function createBackgroundTasks(app, instanceId, adapterManager, kaelRuntime) {
 				clearInterval(kaelOutboundTimer);
 				kaelOutboundTimer = null;
 			}
-			if (sessionCleanupTimer) {
-				clearInterval(sessionCleanupTimer);
-				sessionCleanupTimer = null;
-			}
 		}
 	};
 }
@@ -11659,17 +11976,14 @@ async function buildApp(config) {
 		}, { prefix: "/admin/overview" });
 		await api.register(async (adminApp) => {
 			adminApp.addHook("onRequest", memberAuth);
-			adminApp.addHook("onRequest", adminOnly);
 			await adminApp.register(adminAdapterRoutes);
 		}, { prefix: "/admin/adapters" });
 		await api.register(async (adminApp) => {
 			adminApp.addHook("onRequest", memberAuth);
-			adminApp.addHook("onRequest", adminOnly);
 			await adminApp.register(adminAdapterMappingRoutes);
 		}, { prefix: "/admin/adapter-mappings" });
 		await api.register(async (adminApp) => {
 			adminApp.addHook("onRequest", memberAuth);
-			adminApp.addHook("onRequest", adminOnly);
 			await adminApp.register(adminAdapterStatusRoutes);
 		}, { prefix: "/admin/adapters/status" });
 		await api.register(async (memberApp) => {