npm - @fideliosai/server - Versions diffs - 2026.331.0-canary.0 - Mend

@fideliosai/server 2026.331.0-canary.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (753) hide show

package/LICENSE +22 -0
package/dist/adapters/codex-models.d.ts +4 -0
package/dist/adapters/codex-models.d.ts.map +1 -0
package/dist/adapters/codex-models.js +98 -0
package/dist/adapters/codex-models.js.map +1 -0
package/dist/adapters/cursor-models.d.ts +13 -0
package/dist/adapters/cursor-models.d.ts.map +1 -0
package/dist/adapters/cursor-models.js +148 -0
package/dist/adapters/cursor-models.js.map +1 -0
package/dist/adapters/http/execute.d.ts +3 -0
package/dist/adapters/http/execute.d.ts.map +1 -0
package/dist/adapters/http/execute.js +39 -0
package/dist/adapters/http/execute.js.map +1 -0
package/dist/adapters/http/index.d.ts +3 -0
package/dist/adapters/http/index.d.ts.map +1 -0
package/dist/adapters/http/index.js +20 -0
package/dist/adapters/http/index.js.map +1 -0
package/dist/adapters/http/test.d.ts +3 -0
package/dist/adapters/http/test.d.ts.map +1 -0
package/dist/adapters/http/test.js +106 -0
package/dist/adapters/http/test.js.map +1 -0
package/dist/adapters/index.d.ts +4 -0
package/dist/adapters/index.d.ts.map +1 -0
package/dist/adapters/index.js +3 -0
package/dist/adapters/index.js.map +1 -0
package/dist/adapters/process/execute.d.ts +3 -0
package/dist/adapters/process/execute.d.ts.map +1 -0
package/dist/adapters/process/execute.js +63 -0
package/dist/adapters/process/execute.js.map +1 -0
package/dist/adapters/process/index.d.ts +3 -0
package/dist/adapters/process/index.d.ts.map +1 -0
package/dist/adapters/process/index.js +23 -0
package/dist/adapters/process/index.js.map +1 -0
package/dist/adapters/process/test.d.ts +3 -0
package/dist/adapters/process/test.d.ts.map +1 -0
package/dist/adapters/process/test.js +77 -0
package/dist/adapters/process/test.js.map +1 -0
package/dist/adapters/registry.d.ts +14 -0
package/dist/adapters/registry.d.ts.map +1 -0
package/dist/adapters/registry.js +164 -0
package/dist/adapters/registry.js.map +1 -0
package/dist/adapters/types.d.ts +2 -0
package/dist/adapters/types.d.ts.map +1 -0
package/dist/adapters/types.js +2 -0
package/dist/adapters/types.js.map +1 -0
package/dist/adapters/utils.d.ts +10 -0
package/dist/adapters/utils.d.ts.map +1 -0
package/dist/adapters/utils.js +14 -0
package/dist/adapters/utils.js.map +1 -0
package/dist/agent-auth-jwt.d.ts +14 -0
package/dist/agent-auth-jwt.d.ts.map +1 -0
package/dist/agent-auth-jwt.js +117 -0
package/dist/agent-auth-jwt.js.map +1 -0
package/dist/app.d.ts +25 -0
package/dist/app.d.ts.map +1 -0
package/dist/app.js +265 -0
package/dist/app.js.map +1 -0
package/dist/attachment-types.d.ts +33 -0
package/dist/attachment-types.d.ts.map +1 -0
package/dist/attachment-types.js +67 -0
package/dist/attachment-types.js.map +1 -0
package/dist/auth/better-auth.d.ts +24 -0
package/dist/auth/better-auth.d.ts.map +1 -0
package/dist/auth/better-auth.js +108 -0
package/dist/auth/better-auth.js.map +1 -0
package/dist/board-claim.d.ts +23 -0
package/dist/board-claim.d.ts.map +1 -0
package/dist/board-claim.js +115 -0
package/dist/board-claim.js.map +1 -0
package/dist/config-file.d.ts +3 -0
package/dist/config-file.d.ts.map +1 -0
package/dist/config-file.js +16 -0
package/dist/config-file.js.map +1 -0
package/dist/config.d.ts +45 -0
package/dist/config.d.ts.map +1 -0
package/dist/config.js +171 -0
package/dist/config.js.map +1 -0
package/dist/dev-server-status.d.ts +27 -0
package/dist/dev-server-status.d.ts.map +1 -0
package/dist/dev-server-status.js +70 -0
package/dist/dev-server-status.js.map +1 -0
package/dist/dev-watch-ignore.d.ts +2 -0
package/dist/dev-watch-ignore.d.ts.map +1 -0
package/dist/dev-watch-ignore.js +33 -0
package/dist/dev-watch-ignore.js.map +1 -0
package/dist/errors.d.ts +12 -0
package/dist/errors.d.ts.map +1 -0
package/dist/errors.js +28 -0
package/dist/errors.js.map +1 -0
package/dist/home-paths.d.ts +17 -0
package/dist/home-paths.d.ts.map +1 -0
package/dist/home-paths.js +75 -0
package/dist/home-paths.js.map +1 -0
package/dist/index.d.ts +10 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +642 -0
package/dist/index.js.map +1 -0
package/dist/log-redaction.d.ts +11 -0
package/dist/log-redaction.d.ts.map +1 -0
package/dist/log-redaction.js +118 -0
package/dist/log-redaction.js.map +1 -0
package/dist/middleware/auth.d.ts +12 -0
package/dist/middleware/auth.d.ts.map +1 -0
package/dist/middleware/auth.js +144 -0
package/dist/middleware/auth.js.map +1 -0
package/dist/middleware/board-mutation-guard.d.ts +3 -0
package/dist/middleware/board-mutation-guard.d.ts.map +1 -0
package/dist/middleware/board-mutation-guard.js +59 -0
package/dist/middleware/board-mutation-guard.js.map +1 -0
package/dist/middleware/error-handler.d.ts +17 -0
package/dist/middleware/error-handler.d.ts.map +1 -0
package/dist/middleware/error-handler.js +37 -0
package/dist/middleware/error-handler.js.map +1 -0
package/dist/middleware/index.d.ts +4 -0
package/dist/middleware/index.d.ts.map +1 -0
package/dist/middleware/index.js +4 -0
package/dist/middleware/index.js.map +1 -0
package/dist/middleware/logger.d.ts +4 -0
package/dist/middleware/logger.d.ts.map +1 -0
package/dist/middleware/logger.js +87 -0
package/dist/middleware/logger.js.map +1 -0
package/dist/middleware/private-hostname-guard.d.ts +11 -0
package/dist/middleware/private-hostname-guard.d.ts.map +1 -0
package/dist/middleware/private-hostname-guard.js +78 -0
package/dist/middleware/private-hostname-guard.js.map +1 -0
package/dist/middleware/validate.d.ts +4 -0
package/dist/middleware/validate.d.ts.map +1 -0
package/dist/middleware/validate.js +7 -0
package/dist/middleware/validate.js.map +1 -0
package/dist/onboarding-assets/ceo/AGENTS.md +54 -0
package/dist/onboarding-assets/ceo/HEARTBEAT.md +72 -0
package/dist/onboarding-assets/ceo/SOUL.md +33 -0
package/dist/onboarding-assets/ceo/TOOLS.md +3 -0
package/dist/onboarding-assets/default/AGENTS.md +3 -0
package/dist/paths.d.ts +3 -0
package/dist/paths.d.ts.map +1 -0
package/dist/paths.js +31 -0
package/dist/paths.js.map +1 -0
package/dist/realtime/live-events-ws.d.ts +28 -0
package/dist/realtime/live-events-ws.d.ts.map +1 -0
package/dist/realtime/live-events-ws.js +187 -0
package/dist/realtime/live-events-ws.js.map +1 -0
package/dist/redaction.d.ts +4 -0
package/dist/redaction.d.ts.map +1 -0
package/dist/redaction.js +63 -0
package/dist/redaction.js.map +1 -0
package/dist/routes/access.d.ts +61 -0
package/dist/routes/access.d.ts.map +1 -0
package/dist/routes/access.js +2265 -0
package/dist/routes/access.js.map +1 -0
package/dist/routes/activity.d.ts +3 -0
package/dist/routes/activity.d.ts.map +1 -0
package/dist/routes/activity.js +78 -0
package/dist/routes/activity.js.map +1 -0
package/dist/routes/agents.d.ts +3 -0
package/dist/routes/agents.d.ts.map +1 -0
package/dist/routes/agents.js +1828 -0
package/dist/routes/agents.js.map +1 -0
package/dist/routes/approvals.d.ts +3 -0
package/dist/routes/approvals.d.ts.map +1 -0
package/dist/routes/approvals.js +275 -0
package/dist/routes/approvals.js.map +1 -0
package/dist/routes/assets.d.ts +4 -0
package/dist/routes/assets.d.ts.map +1 -0
package/dist/routes/assets.js +309 -0
package/dist/routes/assets.js.map +1 -0
package/dist/routes/authz.d.ts +16 -0
package/dist/routes/authz.d.ts.map +1 -0
package/dist/routes/authz.js +47 -0
package/dist/routes/authz.js.map +1 -0
package/dist/routes/companies.d.ts +4 -0
package/dist/routes/companies.d.ts.map +1 -0
package/dist/routes/companies.js +303 -0
package/dist/routes/companies.js.map +1 -0
package/dist/routes/company-skills.d.ts +3 -0
package/dist/routes/company-skills.d.ts.map +1 -0
package/dist/routes/company-skills.js +228 -0
package/dist/routes/company-skills.js.map +1 -0
package/dist/routes/costs.d.ts +3 -0
package/dist/routes/costs.d.ts.map +1 -0
package/dist/routes/costs.js +268 -0
package/dist/routes/costs.js.map +1 -0
package/dist/routes/dashboard.d.ts +3 -0
package/dist/routes/dashboard.d.ts.map +1 -0
package/dist/routes/dashboard.js +15 -0
package/dist/routes/dashboard.js.map +1 -0
package/dist/routes/execution-workspaces.d.ts +3 -0
package/dist/routes/execution-workspaces.d.ts.map +1 -0
package/dist/routes/execution-workspaces.js +165 -0
package/dist/routes/execution-workspaces.js.map +1 -0
package/dist/routes/goals.d.ts +3 -0
package/dist/routes/goals.d.ts.map +1 -0
package/dist/routes/goals.js +95 -0
package/dist/routes/goals.js.map +1 -0
package/dist/routes/health.d.ts +9 -0
package/dist/routes/health.d.ts.map +1 -0
package/dist/routes/health.js +69 -0
package/dist/routes/health.js.map +1 -0
package/dist/routes/index.d.ts +18 -0
package/dist/routes/index.d.ts.map +1 -0
package/dist/routes/index.js +18 -0
package/dist/routes/index.js.map +1 -0
package/dist/routes/instance-settings.d.ts +3 -0
package/dist/routes/instance-settings.d.ts.map +1 -0
package/dist/routes/instance-settings.js +71 -0
package/dist/routes/instance-settings.js.map +1 -0
package/dist/routes/issues-checkout-wakeup.d.ts +9 -0
package/dist/routes/issues-checkout-wakeup.d.ts.map +1 -0
package/dist/routes/issues-checkout-wakeup.js +12 -0
package/dist/routes/issues-checkout-wakeup.js.map +1 -0
package/dist/routes/issues.d.ts +4 -0
package/dist/routes/issues.d.ts.map +1 -0
package/dist/routes/issues.js +1520 -0
package/dist/routes/issues.js.map +1 -0
package/dist/routes/llms.d.ts +3 -0
package/dist/routes/llms.d.ts.map +1 -0
package/dist/routes/llms.js +78 -0
package/dist/routes/llms.js.map +1 -0
package/dist/routes/org-chart-svg.d.ts +25 -0
package/dist/routes/org-chart-svg.d.ts.map +1 -0
package/dist/routes/org-chart-svg.js +657 -0
package/dist/routes/org-chart-svg.js.map +1 -0
package/dist/routes/plugin-ui-static.d.ts +69 -0
package/dist/routes/plugin-ui-static.d.ts.map +1 -0
package/dist/routes/plugin-ui-static.js +411 -0
package/dist/routes/plugin-ui-static.js.map +1 -0
package/dist/routes/plugins.d.ts +120 -0
package/dist/routes/plugins.d.ts.map +1 -0
package/dist/routes/plugins.js +1784 -0
package/dist/routes/plugins.js.map +1 -0
package/dist/routes/projects.d.ts +3 -0
package/dist/routes/projects.d.ts.map +1 -0
package/dist/routes/projects.js +257 -0
package/dist/routes/projects.js.map +1 -0
package/dist/routes/routines.d.ts +3 -0
package/dist/routes/routines.d.ts.map +1 -0
package/dist/routes/routines.js +277 -0
package/dist/routes/routines.js.map +1 -0
package/dist/routes/secrets.d.ts +3 -0
package/dist/routes/secrets.d.ts.map +1 -0
package/dist/routes/secrets.js +128 -0
package/dist/routes/secrets.js.map +1 -0
package/dist/routes/sidebar-badges.d.ts +3 -0
package/dist/routes/sidebar-badges.d.ts.map +1 -0
package/dist/routes/sidebar-badges.js +45 -0
package/dist/routes/sidebar-badges.js.map +1 -0
package/dist/secrets/external-stub-providers.d.ts +5 -0
package/dist/secrets/external-stub-providers.d.ts.map +1 -0
package/dist/secrets/external-stub-providers.js +21 -0
package/dist/secrets/external-stub-providers.js.map +1 -0
package/dist/secrets/local-encrypted-provider.d.ts +3 -0
package/dist/secrets/local-encrypted-provider.d.ts.map +1 -0
package/dist/secrets/local-encrypted-provider.js +116 -0
package/dist/secrets/local-encrypted-provider.js.map +1 -0
package/dist/secrets/provider-registry.d.ts +5 -0
package/dist/secrets/provider-registry.d.ts.map +1 -0
package/dist/secrets/provider-registry.js +20 -0
package/dist/secrets/provider-registry.js.map +1 -0
package/dist/secrets/types.d.ts +21 -0
package/dist/secrets/types.d.ts.map +1 -0
package/dist/secrets/types.js +2 -0
package/dist/secrets/types.js.map +1 -0
package/dist/services/access.d.ts +113 -0
package/dist/services/access.d.ts.map +1 -0
package/dist/services/access.js +247 -0
package/dist/services/access.js.map +1 -0
package/dist/services/activity-log.d.ts +17 -0
package/dist/services/activity-log.d.ts.map +1 -0
package/dist/services/activity-log.js +74 -0
package/dist/services/activity-log.js.map +1 -0
package/dist/services/activity.d.ts +764 -0
package/dist/services/activity.d.ts.map +1 -0
package/dist/services/activity.js +105 -0
package/dist/services/activity.js.map +1 -0
package/dist/services/agent-instructions.d.ts +91 -0
package/dist/services/agent-instructions.d.ts.map +1 -0
package/dist/services/agent-instructions.js +580 -0
package/dist/services/agent-instructions.js.map +1 -0
package/dist/services/agent-permissions.d.ts +6 -0
package/dist/services/agent-permissions.d.ts.map +1 -0
package/dist/services/agent-permissions.js +18 -0
package/dist/services/agent-permissions.js.map +1 -0
package/dist/services/agents.d.ts +1670 -0
package/dist/services/agents.d.ts.map +1 -0
package/dist/services/agents.js +566 -0
package/dist/services/agents.js.map +1 -0
package/dist/services/approvals.d.ts +546 -0
package/dist/services/approvals.d.ts.map +1 -0
package/dist/services/approvals.js +212 -0
package/dist/services/approvals.js.map +1 -0
package/dist/services/assets.d.ts +33 -0
package/dist/services/assets.d.ts.map +1 -0
package/dist/services/assets.js +17 -0
package/dist/services/assets.js.map +1 -0
package/dist/services/board-auth.d.ts +234 -0
package/dist/services/board-auth.d.ts.map +1 -0
package/dist/services/board-auth.js +295 -0
package/dist/services/board-auth.js.map +1 -0
package/dist/services/budgets.d.ts +38 -0
package/dist/services/budgets.d.ts.map +1 -0
package/dist/services/budgets.js +784 -0
package/dist/services/budgets.js.map +1 -0
package/dist/services/companies.d.ts +124 -0
package/dist/services/companies.d.ts.map +1 -0
package/dist/services/companies.js +256 -0
package/dist/services/companies.js.map +1 -0
package/dist/services/company-export-readme.d.ts +17 -0
package/dist/services/company-export-readme.d.ts.map +1 -0
package/dist/services/company-export-readme.js +148 -0
package/dist/services/company-export-readme.js.map +1 -0
package/dist/services/company-portability.d.ts +23 -0
package/dist/services/company-portability.d.ts.map +1 -0
package/dist/services/company-portability.js +3739 -0
package/dist/services/company-portability.js.map +1 -0
package/dist/services/company-skills.d.ts +77 -0
package/dist/services/company-skills.d.ts.map +1 -0
package/dist/services/company-skills.js +2042 -0
package/dist/services/company-skills.js.map +1 -0
package/dist/services/costs.d.ts +114 -0
package/dist/services/costs.d.ts.map +1 -0
package/dist/services/costs.js +294 -0
package/dist/services/costs.js.map +1 -0
package/dist/services/cron.d.ts +80 -0
package/dist/services/cron.d.ts.map +1 -0
package/dist/services/cron.js +300 -0
package/dist/services/cron.js.map +1 -0
package/dist/services/dashboard.d.ts +26 -0
package/dist/services/dashboard.d.ts.map +1 -0
package/dist/services/dashboard.js +98 -0
package/dist/services/dashboard.js.map +1 -0
package/dist/services/default-agent-instructions.d.ts +9 -0
package/dist/services/default-agent-instructions.d.ts.map +1 -0
package/dist/services/default-agent-instructions.js +20 -0
package/dist/services/default-agent-instructions.js.map +1 -0
package/dist/services/documents.d.ts +164 -0
package/dist/services/documents.d.ts.map +1 -0
package/dist/services/documents.js +382 -0
package/dist/services/documents.js.map +1 -0
package/dist/services/execution-workspace-policy.d.ts +21 -0
package/dist/services/execution-workspace-policy.d.ts.map +1 -0
package/dist/services/execution-workspace-policy.js +177 -0
package/dist/services/execution-workspace-policy.js.map +1 -0
package/dist/services/execution-workspaces.d.ts +19 -0
package/dist/services/execution-workspaces.d.ts.map +1 -0
package/dist/services/execution-workspaces.js +87 -0
package/dist/services/execution-workspaces.js.map +1 -0
package/dist/services/finance.d.ts +93 -0
package/dist/services/finance.d.ts.map +1 -0
package/dist/services/finance.js +120 -0
package/dist/services/finance.js.map +1 -0
package/dist/services/goals.d.ts +433 -0
package/dist/services/goals.d.ts.map +1 -0
package/dist/services/goals.js +54 -0
package/dist/services/goals.js.map +1 -0
package/dist/services/heartbeat-run-summary.d.ts +2 -0
package/dist/services/heartbeat-run-summary.d.ts.map +1 -0
package/dist/services/heartbeat-run-summary.js +30 -0
package/dist/services/heartbeat-run-summary.js.map +1 -0
package/dist/services/heartbeat.d.ts +812 -0
package/dist/services/heartbeat.d.ts.map +1 -0
package/dist/services/heartbeat.js +3156 -0
package/dist/services/heartbeat.js.map +1 -0
package/dist/services/hire-hook.d.ts +14 -0
package/dist/services/hire-hook.d.ts.map +1 -0
package/dist/services/hire-hook.js +85 -0
package/dist/services/hire-hook.js.map +1 -0
package/dist/services/index.d.ts +33 -0
package/dist/services/index.d.ts.map +1 -0
package/dist/services/index.js +33 -0
package/dist/services/index.js.map +1 -0
package/dist/services/instance-settings.d.ts +11 -0
package/dist/services/instance-settings.d.ts.map +1 -0
package/dist/services/instance-settings.js +116 -0
package/dist/services/instance-settings.js.map +1 -0
package/dist/services/issue-approvals.d.ts +56 -0
package/dist/services/issue-approvals.d.ts.map +1 -0
package/dist/services/issue-approvals.js +153 -0
package/dist/services/issue-approvals.js.map +1 -0
package/dist/services/issue-assignment-wakeup.d.ts +29 -0
package/dist/services/issue-assignment-wakeup.d.ts.map +1 -0
package/dist/services/issue-assignment-wakeup.js +22 -0
package/dist/services/issue-assignment-wakeup.js.map +1 -0
package/dist/services/issue-goal-fallback.d.ts +18 -0
package/dist/services/issue-goal-fallback.d.ts.map +1 -0
package/dist/services/issue-goal-fallback.js +33 -0
package/dist/services/issue-goal-fallback.js.map +1 -0
package/dist/services/issues.d.ts +560 -0
package/dist/services/issues.d.ts.map +1 -0
package/dist/services/issues.js +1478 -0
package/dist/services/issues.js.map +1 -0
package/dist/services/live-events.d.ts +17 -0
package/dist/services/live-events.d.ts.map +1 -0
package/dist/services/live-events.js +33 -0
package/dist/services/live-events.js.map +1 -0
package/dist/services/plugin-capability-validator.d.ts +108 -0
package/dist/services/plugin-capability-validator.d.ts.map +1 -0
package/dist/services/plugin-capability-validator.js +268 -0
package/dist/services/plugin-capability-validator.js.map +1 -0
package/dist/services/plugin-config-validator.d.ts +26 -0
package/dist/services/plugin-config-validator.d.ts.map +1 -0
package/dist/services/plugin-config-validator.js +41 -0
package/dist/services/plugin-config-validator.js.map +1 -0
package/dist/services/plugin-dev-watcher.d.ts +30 -0
package/dist/services/plugin-dev-watcher.d.ts.map +1 -0
package/dist/services/plugin-dev-watcher.js +241 -0
package/dist/services/plugin-dev-watcher.js.map +1 -0
package/dist/services/plugin-event-bus.d.ts +149 -0
package/dist/services/plugin-event-bus.d.ts.map +1 -0
package/dist/services/plugin-event-bus.js +258 -0
package/dist/services/plugin-event-bus.js.map +1 -0
package/dist/services/plugin-host-service-cleanup.d.ts +14 -0
package/dist/services/plugin-host-service-cleanup.d.ts.map +1 -0
package/dist/services/plugin-host-service-cleanup.js +37 -0
package/dist/services/plugin-host-service-cleanup.js.map +1 -0
package/dist/services/plugin-host-services.d.ts +13 -0
package/dist/services/plugin-host-services.d.ts.map +1 -0
package/dist/services/plugin-host-services.js +969 -0
package/dist/services/plugin-host-services.js.map +1 -0
package/dist/services/plugin-job-coordinator.d.ts +81 -0
package/dist/services/plugin-job-coordinator.d.ts.map +1 -0
package/dist/services/plugin-job-coordinator.js +172 -0
package/dist/services/plugin-job-coordinator.js.map +1 -0
package/dist/services/plugin-job-scheduler.d.ts +163 -0
package/dist/services/plugin-job-scheduler.d.ts.map +1 -0
package/dist/services/plugin-job-scheduler.js +454 -0
package/dist/services/plugin-job-scheduler.js.map +1 -0
package/dist/services/plugin-job-store.d.ts +208 -0
package/dist/services/plugin-job-store.d.ts.map +1 -0
package/dist/services/plugin-job-store.js +350 -0
package/dist/services/plugin-job-store.js.map +1 -0
package/dist/services/plugin-lifecycle.d.ts +203 -0
package/dist/services/plugin-lifecycle.d.ts.map +1 -0
package/dist/services/plugin-lifecycle.js +476 -0
package/dist/services/plugin-lifecycle.js.map +1 -0
package/dist/services/plugin-loader.d.ts +441 -0
package/dist/services/plugin-loader.d.ts.map +1 -0
package/dist/services/plugin-loader.js +1192 -0
package/dist/services/plugin-loader.js.map +1 -0
package/dist/services/plugin-log-retention.d.ts +20 -0
package/dist/services/plugin-log-retention.d.ts.map +1 -0
package/dist/services/plugin-log-retention.js +63 -0
package/dist/services/plugin-log-retention.js.map +1 -0
package/dist/services/plugin-manifest-validator.d.ts +79 -0
package/dist/services/plugin-manifest-validator.d.ts.map +1 -0
package/dist/services/plugin-manifest-validator.js +84 -0
package/dist/services/plugin-manifest-validator.js.map +1 -0
package/dist/services/plugin-registry.d.ts +2542 -0
package/dist/services/plugin-registry.d.ts.map +1 -0
package/dist/services/plugin-registry.js +539 -0
package/dist/services/plugin-registry.js.map +1 -0
package/dist/services/plugin-runtime-sandbox.d.ts +40 -0
package/dist/services/plugin-runtime-sandbox.d.ts.map +1 -0
package/dist/services/plugin-runtime-sandbox.js +154 -0
package/dist/services/plugin-runtime-sandbox.js.map +1 -0
package/dist/services/plugin-secrets-handler.d.ts +81 -0
package/dist/services/plugin-secrets-handler.d.ts.map +1 -0
package/dist/services/plugin-secrets-handler.js +275 -0
package/dist/services/plugin-secrets-handler.js.map +1 -0
package/dist/services/plugin-state-store.d.ts +92 -0
package/dist/services/plugin-state-store.d.ts.map +1 -0
package/dist/services/plugin-state-store.js +190 -0
package/dist/services/plugin-state-store.js.map +1 -0
package/dist/services/plugin-stream-bus.d.ts +29 -0
package/dist/services/plugin-stream-bus.d.ts.map +1 -0
package/dist/services/plugin-stream-bus.js +48 -0
package/dist/services/plugin-stream-bus.js.map +1 -0
package/dist/services/plugin-tool-dispatcher.d.ts +180 -0
package/dist/services/plugin-tool-dispatcher.d.ts.map +1 -0
package/dist/services/plugin-tool-dispatcher.js +224 -0
package/dist/services/plugin-tool-dispatcher.js.map +1 -0
package/dist/services/plugin-tool-registry.d.ts +192 -0
package/dist/services/plugin-tool-registry.d.ts.map +1 -0
package/dist/services/plugin-tool-registry.js +224 -0
package/dist/services/plugin-tool-registry.js.map +1 -0
package/dist/services/plugin-worker-manager.d.ts +260 -0
package/dist/services/plugin-worker-manager.d.ts.map +1 -0
package/dist/services/plugin-worker-manager.js +835 -0
package/dist/services/plugin-worker-manager.js.map +1 -0
package/dist/services/projects.d.ts +87 -0
package/dist/services/projects.d.ts.map +1 -0
package/dist/services/projects.js +656 -0
package/dist/services/projects.js.map +1 -0
package/dist/services/quota-windows.d.ts +9 -0
package/dist/services/quota-windows.d.ts.map +1 -0
package/dist/services/quota-windows.js +56 -0
package/dist/services/quota-windows.js.map +1 -0
package/dist/services/routines.d.ts +135 -0
package/dist/services/routines.d.ts.map +1 -0
package/dist/services/routines.js +1105 -0
package/dist/services/routines.js.map +1 -0
package/dist/services/run-log-store.d.ts +34 -0
package/dist/services/run-log-store.d.ts.map +1 -0
package/dist/services/run-log-store.js +109 -0
package/dist/services/run-log-store.js.map +1 -0
package/dist/services/secrets.d.ts +511 -0
package/dist/services/secrets.d.ts.map +1 -0
package/dist/services/secrets.js +289 -0
package/dist/services/secrets.js.map +1 -0
package/dist/services/sidebar-badges.d.ts +9 -0
package/dist/services/sidebar-badges.d.ts.map +1 -0
package/dist/services/sidebar-badges.js +33 -0
package/dist/services/sidebar-badges.js.map +1 -0
package/dist/services/work-products.d.ts +14 -0
package/dist/services/work-products.d.ts.map +1 -0
package/dist/services/work-products.js +100 -0
package/dist/services/work-products.js.map +1 -0
package/dist/services/workspace-operation-log-store.d.ts +33 -0
package/dist/services/workspace-operation-log-store.d.ts.map +1 -0
package/dist/services/workspace-operation-log-store.js +110 -0
package/dist/services/workspace-operation-log-store.js.map +1 -0
package/dist/services/workspace-operations.d.ts +44 -0
package/dist/services/workspace-operations.d.ts.map +1 -0
package/dist/services/workspace-operations.js +211 -0
package/dist/services/workspace-operations.js.map +1 -0
package/dist/services/workspace-runtime.d.ts +164 -0
package/dist/services/workspace-runtime.d.ts.map +1 -0
package/dist/services/workspace-runtime.js +1235 -0
package/dist/services/workspace-runtime.js.map +1 -0
package/dist/startup-banner.d.ts +31 -0
package/dist/startup-banner.d.ts.map +1 -0
package/dist/startup-banner.js +117 -0
package/dist/startup-banner.js.map +1 -0
package/dist/storage/index.d.ts +6 -0
package/dist/storage/index.d.ts.map +1 -0
package/dist/storage/index.js +29 -0
package/dist/storage/index.js.map +1 -0
package/dist/storage/local-disk-provider.d.ts +3 -0
package/dist/storage/local-disk-provider.d.ts.map +1 -0
package/dist/storage/local-disk-provider.js +79 -0
package/dist/storage/local-disk-provider.js.map +1 -0
package/dist/storage/provider-registry.d.ts +4 -0
package/dist/storage/provider-registry.d.ts.map +1 -0
package/dist/storage/provider-registry.js +15 -0
package/dist/storage/provider-registry.js.map +1 -0
package/dist/storage/s3-provider.d.ts +11 -0
package/dist/storage/s3-provider.d.ts.map +1 -0
package/dist/storage/s3-provider.js +123 -0
package/dist/storage/s3-provider.js.map +1 -0
package/dist/storage/service.d.ts +3 -0
package/dist/storage/service.d.ts.map +1 -0
package/dist/storage/service.js +120 -0
package/dist/storage/service.js.map +1 -0
package/dist/storage/types.d.ts +55 -0
package/dist/storage/types.d.ts.map +1 -0
package/dist/storage/types.js +2 -0
package/dist/storage/types.js.map +1 -0
package/dist/ui-branding.d.ts +13 -0
package/dist/ui-branding.d.ts.map +1 -0
package/dist/ui-branding.js +188 -0
package/dist/ui-branding.js.map +1 -0
package/dist/version.d.ts +2 -0
package/dist/version.d.ts.map +1 -0
package/dist/version.js +5 -0
package/dist/version.js.map +1 -0
package/dist/worktree-config.d.ts +19 -0
package/dist/worktree-config.d.ts.map +1 -0
package/dist/worktree-config.js +365 -0
package/dist/worktree-config.js.map +1 -0
package/package.json +90 -0
package/skills/fidelios/SKILL.md +365 -0
package/skills/fidelios/references/api-reference.md +647 -0
package/skills/fidelios/references/company-skills.md +193 -0
package/skills/fidelios-create-agent/SKILL.md +142 -0
package/skills/fidelios-create-agent/references/api-reference.md +105 -0
package/skills/fidelios-create-plugin/SKILL.md +101 -0
package/skills/para-memory-files/SKILL.md +104 -0
package/skills/para-memory-files/references/schemas.md +35 -0
package/ui-dist/android-chrome-192x192.png +0 -0
package/ui-dist/android-chrome-512x512.png +0 -0
package/ui-dist/apple-touch-icon.png +0 -0
package/ui-dist/assets/_basePickBy-DDS8rFE9.js +1 -0
package/ui-dist/assets/_baseUniq-BTIdqnfJ.js +1 -0
package/ui-dist/assets/apl-B4CMkyY2.js +1 -0
package/ui-dist/assets/arc-CER6ytAf.js +1 -0
package/ui-dist/assets/architectureDiagram-VXUJARFQ-CrJvVSPh.js +36 -0
package/ui-dist/assets/asciiarmor-Df11BRmG.js +1 -0
package/ui-dist/assets/asn1-EdZsLKOL.js +1 -0
package/ui-dist/assets/asterisk-B-8jnY81.js +1 -0
package/ui-dist/assets/blockDiagram-VD42YOAC-p-DB7nkA.js +122 -0
package/ui-dist/assets/brainfuck-C4LP7Hcl.js +1 -0
package/ui-dist/assets/c4Diagram-YG6GDRKO-D1K75fYz.js +10 -0
package/ui-dist/assets/channel-B1viE-VZ.js +1 -0
package/ui-dist/assets/chunk-4BX2VUAB-C1J-fCaK.js +1 -0
package/ui-dist/assets/chunk-55IACEB6-CjEOgVYA.js +1 -0
package/ui-dist/assets/chunk-B4BG7PRW-CGZwFaze.js +165 -0
package/ui-dist/assets/chunk-DI55MBZ5-Dp2ZahPN.js +220 -0
package/ui-dist/assets/chunk-FMBD7UC4-nXC1OkzD.js +15 -0
package/ui-dist/assets/chunk-QN33PNHL-D_uFCkMK.js +1 -0
package/ui-dist/assets/chunk-QZHKN3VN-CG3WK_AN.js +1 -0
package/ui-dist/assets/chunk-TZMSLE5B-COlBSWdP.js +1 -0
package/ui-dist/assets/classDiagram-2ON5EDUG-Cs4NEMXI.js +1 -0
package/ui-dist/assets/classDiagram-v2-WZHVMYZB-Cs4NEMXI.js +1 -0
package/ui-dist/assets/clike-B9uivgTg.js +1 -0
package/ui-dist/assets/clojure-BMjYHr_A.js +1 -0
package/ui-dist/assets/clone-CGwZV8ud.js +1 -0
package/ui-dist/assets/cmake-BQqOBYOt.js +1 -0
package/ui-dist/assets/cobol-CWcv1MsR.js +1 -0
package/ui-dist/assets/coffeescript-S37ZYGWr.js +1 -0
package/ui-dist/assets/commonlisp-DBKNyK5s.js +1 -0
package/ui-dist/assets/cose-bilkent-S5V4N54A-B9XYqCMb.js +1 -0
package/ui-dist/assets/crystal-SjHAIU92.js +1 -0
package/ui-dist/assets/css-BnMrqG3P.js +1 -0
package/ui-dist/assets/cypher-C_CwsFkJ.js +1 -0
package/ui-dist/assets/cytoscape.esm-BQaXIfA_.js +331 -0
package/ui-dist/assets/d-pRatUO7H.js +1 -0
package/ui-dist/assets/dagre-6UL2VRFP-DcCdBLC7.js +4 -0
package/ui-dist/assets/defaultLocale-DX6XiGOO.js +1 -0
package/ui-dist/assets/diagram-PSM6KHXK-np1kLquy.js +24 -0
package/ui-dist/assets/diagram-QEK2KX5R-C-b4qIN1.js +43 -0
package/ui-dist/assets/diagram-S2PKOQOG-Ba-173Ug.js +24 -0
package/ui-dist/assets/diff-DbItnlRl.js +1 -0
package/ui-dist/assets/dockerfile-BKs6k2Af.js +1 -0
package/ui-dist/assets/dtd-DF_7sFjM.js +1 -0
package/ui-dist/assets/dylan-DwRh75JA.js +1 -0
package/ui-dist/assets/ebnf-CDyGwa7X.js +1 -0
package/ui-dist/assets/ecl-Cabwm37j.js +1 -0
package/ui-dist/assets/eiffel-CnydiIhH.js +1 -0
package/ui-dist/assets/elm-vLlmbW-K.js +1 -0
package/ui-dist/assets/erDiagram-Q2GNP2WA-BBmkHiJP.js +60 -0
package/ui-dist/assets/erlang-BNw1qcRV.js +1 -0
package/ui-dist/assets/factor-kuTfRLto.js +1 -0
package/ui-dist/assets/fcl-Kvtd6kyn.js +1 -0
package/ui-dist/assets/flowDiagram-NV44I4VS-Dj_iTDkp.js +162 -0
package/ui-dist/assets/forth-Ffai-XNe.js +1 -0
package/ui-dist/assets/fortran-DYz_wnZ1.js +1 -0
package/ui-dist/assets/ganttDiagram-JELNMOA3-Bn1hanTg.js +267 -0
package/ui-dist/assets/gas-Bneqetm1.js +1 -0
package/ui-dist/assets/gherkin-heZmZLOM.js +1 -0
package/ui-dist/assets/gitGraphDiagram-V2S2FVAM-BjmRpty0.js +65 -0
package/ui-dist/assets/graph-CWBOAGTW.js +1 -0
package/ui-dist/assets/groovy-D9Dt4D0W.js +1 -0
package/ui-dist/assets/haskell-Cw1EW3IL.js +1 -0
package/ui-dist/assets/haxe-H-WmDvRZ.js +1 -0
package/ui-dist/assets/http-DBlCnlav.js +1 -0
package/ui-dist/assets/idl-BEugSyMb.js +1 -0
package/ui-dist/assets/index-B52MtqBm.js +1 -0
package/ui-dist/assets/index-BEBYIFOJ.js +1 -0
package/ui-dist/assets/index-BIvl9YFB.js +1 -0
package/ui-dist/assets/index-BNyP1gwD.js +1 -0
package/ui-dist/assets/index-BRW6bV_B.js +6 -0
package/ui-dist/assets/index-BcQTWaKH.js +1 -0
package/ui-dist/assets/index-BfKYbH5T.js +13 -0
package/ui-dist/assets/index-BhX49pA0.js +1 -0
package/ui-dist/assets/index-BoFaTgOC.js +2 -0
package/ui-dist/assets/index-C-Es83iE.js +7 -0
package/ui-dist/assets/index-C3LG8kvr.js +1 -0
package/ui-dist/assets/index-C5Z9j0rD.js +1 -0
package/ui-dist/assets/index-CFlEF-gp.js +1 -0
package/ui-dist/assets/index-Cjm12V39.js +1 -0
package/ui-dist/assets/index-Cp84QmJD.css +1 -0
package/ui-dist/assets/index-D2t01AH0.js +1 -0
package/ui-dist/assets/index-DEt1jkxJ.js +1 -0
package/ui-dist/assets/index-DeAKBJuz.js +3 -0
package/ui-dist/assets/index-Du65R_Zq.js +1 -0
package/ui-dist/assets/index-WUHteAuP.js +1 -0
package/ui-dist/assets/index-Y_jO6IK_.js +1180 -0
package/ui-dist/assets/index-ZQU9QA5y.js +1 -0
package/ui-dist/assets/index-f6wRGThx.js +1 -0
package/ui-dist/assets/index-hMuLlvYa.js +1 -0
package/ui-dist/assets/infoDiagram-HS3SLOUP-CVMKJlmV.js +2 -0
package/ui-dist/assets/init-Gi6I4Gst.js +1 -0
package/ui-dist/assets/javascript-iXu5QeM3.js +1 -0
package/ui-dist/assets/journeyDiagram-XKPGCS4Q-FrNTHHMi.js +139 -0
package/ui-dist/assets/julia-DuME0IfC.js +1 -0
package/ui-dist/assets/kanban-definition-3W4ZIXB7-BQYKwdVh.js +89 -0
package/ui-dist/assets/katex-O9d3_IXG.js +261 -0
package/ui-dist/assets/layout-BxccZ6zb.js +1 -0
package/ui-dist/assets/linear-Db-Yv5jO.js +1 -0
package/ui-dist/assets/livescript-BwQOo05w.js +1 -0
package/ui-dist/assets/lua-BgMRiT3U.js +1 -0
package/ui-dist/assets/mathematica-DTrFuWx2.js +1 -0
package/ui-dist/assets/mbox-CNhZ1qSd.js +1 -0
package/ui-dist/assets/mermaid.core-BCE9tDOe.js +256 -0
package/ui-dist/assets/mindmap-definition-VGOIOE7T-ZWLuqirD.js +68 -0
package/ui-dist/assets/mirc-CjQqDB4T.js +1 -0
package/ui-dist/assets/mllike-CXdrOF99.js +1 -0
package/ui-dist/assets/modelica-Dc1JOy9r.js +1 -0
package/ui-dist/assets/mscgen-BA5vi2Kp.js +1 -0
package/ui-dist/assets/mumps-BT43cFF4.js +1 -0
package/ui-dist/assets/nginx-DdIZxoE0.js +1 -0
package/ui-dist/assets/nsis-LdVXkNf5.js +1 -0
package/ui-dist/assets/ntriples-BfvgReVJ.js +1 -0
package/ui-dist/assets/octave-Ck1zUtKM.js +1 -0
package/ui-dist/assets/ordinal-Cboi1Yqb.js +1 -0
package/ui-dist/assets/oz-BzwKVEFT.js +1 -0
package/ui-dist/assets/pascal--L3eBynH.js +1 -0
package/ui-dist/assets/perl-CdXCOZ3F.js +1 -0
package/ui-dist/assets/pieDiagram-ADFJNKIX-D01HRHJF.js +30 -0
package/ui-dist/assets/pig-CevX1Tat.js +1 -0
package/ui-dist/assets/powershell-CFHJl5sT.js +1 -0
package/ui-dist/assets/properties-C78fOPTZ.js +1 -0
package/ui-dist/assets/protobuf-ChK-085T.js +1 -0
package/ui-dist/assets/pug-DeIclll2.js +1 -0
package/ui-dist/assets/puppet-DMA9R1ak.js +1 -0
package/ui-dist/assets/python-BuPzkPfP.js +1 -0
package/ui-dist/assets/q-pXgVlZs6.js +1 -0
package/ui-dist/assets/quadrantDiagram-AYHSOK5B-lAmOPnB4.js +7 -0
package/ui-dist/assets/r-B6wPVr8A.js +1 -0
package/ui-dist/assets/requirementDiagram-UZGBJVZJ-ByNWbh-O.js +64 -0
package/ui-dist/assets/rpm-CTu-6PCP.js +1 -0
package/ui-dist/assets/ruby-B2Rjki9n.js +1 -0
package/ui-dist/assets/sankeyDiagram-TZEHDZUN-Cf_Gq84u.js +10 -0
package/ui-dist/assets/sas-B4kiWyti.js +1 -0
package/ui-dist/assets/scheme-C41bIUwD.js +1 -0
package/ui-dist/assets/sequenceDiagram-WL72ISMW-Bx2VZbdr.js +145 -0
package/ui-dist/assets/shell-CjFT_Tl9.js +1 -0
package/ui-dist/assets/sieve-C3Gn_uJK.js +1 -0
package/ui-dist/assets/simple-mode-GW_nhZxv.js +1 -0
package/ui-dist/assets/smalltalk-CnHTOXQT.js +1 -0
package/ui-dist/assets/solr-DehyRSwq.js +1 -0
package/ui-dist/assets/sparql-DkYu6x3z.js +1 -0
package/ui-dist/assets/spreadsheet-BCZA_wO0.js +1 -0
package/ui-dist/assets/sql-D0XecflT.js +1 -0
package/ui-dist/assets/stateDiagram-FKZM4ZOC-vP7G7A65.js +1 -0
package/ui-dist/assets/stateDiagram-v2-4FDKWEC3-C2xpsAAO.js +1 -0
package/ui-dist/assets/stex-C3f8Ysf7.js +1 -0
package/ui-dist/assets/stylus-B533Al4x.js +1 -0
package/ui-dist/assets/swift-BzpIVaGY.js +1 -0
package/ui-dist/assets/tcl-DVfN8rqt.js +1 -0
package/ui-dist/assets/textile-CnDTJFAw.js +1 -0
package/ui-dist/assets/tiddlywiki-DO-Gjzrf.js +1 -0
package/ui-dist/assets/tiki-DGYXhP31.js +1 -0
package/ui-dist/assets/timeline-definition-IT6M3QCI-BJww-sEp.js +61 -0
package/ui-dist/assets/toml-Bm5Em-hy.js +1 -0
package/ui-dist/assets/treemap-GDKQZRPO-DUux14NY.js +162 -0
package/ui-dist/assets/troff-wAsdV37c.js +1 -0
package/ui-dist/assets/ttcn-CfJYG6tj.js +1 -0
package/ui-dist/assets/ttcn-cfg-B9xdYoR4.js +1 -0
package/ui-dist/assets/turtle-B1tBg_DP.js +1 -0
package/ui-dist/assets/vb-CmGdzxic.js +1 -0
package/ui-dist/assets/vbscript-BuJXcnF6.js +1 -0
package/ui-dist/assets/velocity-D8B20fx6.js +1 -0
package/ui-dist/assets/verilog-C6RDOZhf.js +1 -0
package/ui-dist/assets/vhdl-lSbBsy5d.js +1 -0
package/ui-dist/assets/webidl-ZXfAyPTL.js +1 -0
package/ui-dist/assets/xquery-DzFWVndE.js +1 -0
package/ui-dist/assets/xychartDiagram-PRI3JC2R-AU5ZOwAw.js +7 -0
package/ui-dist/assets/yacas-BJ4BC0dw.js +1 -0
package/ui-dist/assets/z80-Hz9HOZM7.js +1 -0
package/ui-dist/brands/opencode-logo-dark-square.svg +18 -0
package/ui-dist/brands/opencode-logo-light-square.svg +18 -0
package/ui-dist/favicon-16x16.png +0 -0
package/ui-dist/favicon-32x32.png +0 -0
package/ui-dist/favicon-96x96.png +0 -0
package/ui-dist/favicon.ico +0 -0
package/ui-dist/favicon.svg +3 -0
package/ui-dist/index.html +48 -0
package/ui-dist/site.webmanifest +21 -0
package/ui-dist/sw.js +42 -0
package/ui-dist/worktree-favicon-16x16.png +0 -0
package/ui-dist/worktree-favicon-32x32.png +0 -0
package/ui-dist/worktree-favicon.ico +0 -0
package/ui-dist/worktree-favicon.svg +3 -0

package/dist/routes/access.js ADDED Viewed

@@ -0,0 +1,2265 @@
+import { createHash, generateKeyPairSync, randomBytes, timingSafeEqual } from "node:crypto";
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+import { Router } from "express";
+import { and, eq, isNull, desc } from "drizzle-orm";
+import { agentApiKeys, authUsers, invites, joinRequests } from "@fideliosai/db";
+import { acceptInviteSchema, createCliAuthChallengeSchema, claimJoinRequestApiKeySchema, createCompanyInviteSchema, createOpenClawInvitePromptSchema, listJoinRequestsQuerySchema, resolveCliAuthChallengeSchema, updateMemberPermissionsSchema, updateUserCompanyAccessSchema, PERMISSION_KEYS } from "@fideliosai/shared";
+import { forbidden, conflict, notFound, unauthorized, badRequest } from "../errors.js";
+import { logger } from "../middleware/logger.js";
+import { validate } from "../middleware/validate.js";
+import { accessService, agentService, boardAuthService, deduplicateAgentName, logActivity, notifyHireApproved } from "../services/index.js";
+import { assertCompanyAccess } from "./authz.js";
+import { claimBoardOwnership, inspectBoardClaimChallenge } from "../board-claim.js";
+function hashToken(token) {
+    return createHash("sha256").update(token).digest("hex");
+}
+const INVITE_TOKEN_PREFIX = "pcp_invite_";
+const INVITE_TOKEN_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789";
+const INVITE_TOKEN_SUFFIX_LENGTH = 8;
+const INVITE_TOKEN_MAX_RETRIES = 5;
+const COMPANY_INVITE_TTL_MS = 10 * 60 * 1000;
+function createInviteToken() {
+    const bytes = randomBytes(INVITE_TOKEN_SUFFIX_LENGTH);
+    let suffix = "";
+    for (let idx = 0; idx < INVITE_TOKEN_SUFFIX_LENGTH; idx += 1) {
+        suffix += INVITE_TOKEN_ALPHABET[bytes[idx] % INVITE_TOKEN_ALPHABET.length];
+    }
+    return `${INVITE_TOKEN_PREFIX}${suffix}`;
+}
+function createClaimSecret() {
+    return `pcp_claim_${randomBytes(24).toString("hex")}`;
+}
+export function companyInviteExpiresAt(nowMs = Date.now()) {
+    return new Date(nowMs + COMPANY_INVITE_TTL_MS);
+}
+function tokenHashesMatch(left, right) {
+    const leftBytes = Buffer.from(left, "utf8");
+    const rightBytes = Buffer.from(right, "utf8");
+    return (leftBytes.length === rightBytes.length &&
+        timingSafeEqual(leftBytes, rightBytes));
+}
+function requestBaseUrl(req) {
+    const forwardedProto = req.header("x-forwarded-proto");
+    const proto = forwardedProto?.split(",")[0]?.trim() || req.protocol || "http";
+    const host = req.header("x-forwarded-host")?.split(",")[0]?.trim() || req.header("host");
+    if (!host)
+        return "";
+    return `${proto}://${host}`;
+}
+function buildCliAuthApprovalPath(challengeId, token) {
+    return `/cli-auth/${challengeId}?token=${encodeURIComponent(token)}`;
+}
+function readSkillMarkdown(skillName) {
+    const normalized = skillName.trim().toLowerCase();
+    if (normalized !== "fidelios" &&
+        normalized !== "fidelios-create-agent" &&
+        normalized !== "fidelios-create-plugin" &&
+        normalized !== "para-memory-files")
+        return null;
+    const moduleDir = path.dirname(fileURLToPath(import.meta.url));
+    const candidates = [
+        path.resolve(moduleDir, "../../skills", normalized, "SKILL.md"), // published: dist/routes/ -> <pkg>/skills/
+        path.resolve(process.cwd(), "skills", normalized, "SKILL.md"), // cwd (e.g. monorepo root)
+        path.resolve(moduleDir, "../../../skills", normalized, "SKILL.md") // dev: src/routes/ -> repo root/skills/
+    ];
+    for (const skillPath of candidates) {
+        try {
+            return fs.readFileSync(skillPath, "utf8");
+        }
+        catch {
+            // Continue to next candidate.
+        }
+    }
+    return null;
+}
+/** Resolve the FideliOS repo skills directory (built-in / managed skills). */
+function resolveFideliOSSkillsDir() {
+    const moduleDir = path.dirname(fileURLToPath(import.meta.url));
+    const candidates = [
+        path.resolve(moduleDir, "../../skills"), // published
+        path.resolve(process.cwd(), "skills"), // cwd (monorepo root)
+        path.resolve(moduleDir, "../../../skills"), // dev
+    ];
+    for (const candidate of candidates) {
+        try {
+            if (fs.statSync(candidate).isDirectory())
+                return candidate;
+        }
+        catch { /* skip */ }
+    }
+    return null;
+}
+/** Parse YAML frontmatter from a SKILL.md file to extract the description. */
+function parseSkillFrontmatter(markdown) {
+    const match = markdown.match(/^---\n([\s\S]*?)\n---/);
+    if (!match)
+        return { description: "" };
+    const yaml = match[1];
+    // Extract description — handles both single-line and multi-line YAML values
+    const descMatch = yaml.match(/^description:\s*(?:>\s*\n((?:\s{2,}[^\n]*\n?)+)|[|]\s*\n((?:\s{2,}[^\n]*\n?)+)|["']?(.*?)["']?\s*$)/m);
+    if (!descMatch)
+        return { description: "" };
+    const raw = descMatch[1] ?? descMatch[2] ?? descMatch[3] ?? "";
+    return {
+        description: raw
+            .split("\n")
+            .map((l) => l.trim())
+            .filter(Boolean)
+            .join(" ")
+            .trim(),
+    };
+}
+/** Discover all available Claude Code skills from ~/.claude/skills/. */
+function listAvailableSkills() {
+    const homeDir = process.env.HOME || process.env.USERPROFILE || "";
+    const claudeSkillsDir = path.join(homeDir, ".claude", "skills");
+    const fideliosSkillsDir = resolveFideliOSSkillsDir();
+    // Build set of FideliOS-managed skill names
+    const fideliosSkillNames = new Set();
+    if (fideliosSkillsDir) {
+        try {
+            for (const entry of fs.readdirSync(fideliosSkillsDir, { withFileTypes: true })) {
+                if (entry.isDirectory())
+                    fideliosSkillNames.add(entry.name);
+            }
+        }
+        catch { /* skip */ }
+    }
+    const skills = [];
+    try {
+        const entries = fs.readdirSync(claudeSkillsDir, { withFileTypes: true });
+        for (const entry of entries) {
+            if (!entry.isDirectory() && !entry.isSymbolicLink())
+                continue;
+            if (entry.name.startsWith("."))
+                continue;
+            const skillMdPath = path.join(claudeSkillsDir, entry.name, "SKILL.md");
+            let description = "";
+            try {
+                const md = fs.readFileSync(skillMdPath, "utf8");
+                description = parseSkillFrontmatter(md).description;
+            }
+            catch { /* no SKILL.md or unreadable */ }
+            skills.push({
+                name: entry.name,
+                description,
+                isFideliOSManaged: fideliosSkillNames.has(entry.name),
+            });
+        }
+    }
+    catch { /* ~/.claude/skills/ doesn't exist */ }
+    skills.sort((a, b) => a.name.localeCompare(b.name));
+    return skills;
+}
+function toJoinRequestResponse(row) {
+    const { claimSecretHash: _claimSecretHash, ...safe } = row;
+    return safe;
+}
+function isPlainObject(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isLoopbackHost(hostname) {
+    const value = hostname.trim().toLowerCase();
+    return value === "localhost" || value === "127.0.0.1" || value === "::1";
+}
+function normalizeHostname(value) {
+    if (!value)
+        return null;
+    const trimmed = value.trim();
+    if (!trimmed)
+        return null;
+    if (trimmed.startsWith("[")) {
+        const end = trimmed.indexOf("]");
+        return end > 1
+            ? trimmed.slice(1, end).toLowerCase()
+            : trimmed.toLowerCase();
+    }
+    const firstColon = trimmed.indexOf(":");
+    if (firstColon > -1)
+        return trimmed.slice(0, firstColon).toLowerCase();
+    return trimmed.toLowerCase();
+}
+function normalizeHeaderValue(value, depth = 0) {
+    const direct = nonEmptyTrimmedString(value);
+    if (direct)
+        return direct;
+    if (!isPlainObject(value) || depth >= 3)
+        return null;
+    const candidateKeys = [
+        "value",
+        "token",
+        "secret",
+        "apiKey",
+        "api_key",
+        "auth",
+        "authToken",
+        "auth_token",
+        "accessToken",
+        "access_token",
+        "authorization",
+        "bearer",
+        "header",
+        "raw",
+        "text",
+        "string"
+    ];
+    for (const key of candidateKeys) {
+        if (!Object.prototype.hasOwnProperty.call(value, key))
+            continue;
+        const normalized = normalizeHeaderValue(value[key], depth + 1);
+        if (normalized)
+            return normalized;
+    }
+    const entries = Object.entries(value);
+    if (entries.length === 1) {
+        const [singleKey, singleValue] = entries[0];
+        const normalizedKey = singleKey.trim().toLowerCase();
+        if (normalizedKey !== "type" &&
+            normalizedKey !== "version" &&
+            normalizedKey !== "secretid" &&
+            normalizedKey !== "secret_id") {
+            const normalized = normalizeHeaderValue(singleValue, depth + 1);
+            if (normalized)
+                return normalized;
+        }
+    }
+    return null;
+}
+function extractHeaderEntries(input) {
+    if (isPlainObject(input)) {
+        return Object.entries(input);
+    }
+    if (!Array.isArray(input)) {
+        return [];
+    }
+    const entries = [];
+    for (const item of input) {
+        if (Array.isArray(item)) {
+            const key = nonEmptyTrimmedString(item[0]);
+            if (!key)
+                continue;
+            entries.push([key, item[1]]);
+            continue;
+        }
+        if (!isPlainObject(item))
+            continue;
+        const mapped = item;
+        const explicitKey = nonEmptyTrimmedString(mapped.key) ??
+            nonEmptyTrimmedString(mapped.name) ??
+            nonEmptyTrimmedString(mapped.header);
+        if (explicitKey) {
+            const explicitValue = Object.prototype.hasOwnProperty.call(mapped, "value")
+                ? mapped.value
+                : Object.prototype.hasOwnProperty.call(mapped, "token")
+                    ? mapped.token
+                    : Object.prototype.hasOwnProperty.call(mapped, "secret")
+                        ? mapped.secret
+                        : mapped;
+            entries.push([explicitKey, explicitValue]);
+            continue;
+        }
+        const singleEntry = Object.entries(mapped);
+        if (singleEntry.length === 1) {
+            entries.push(singleEntry[0]);
+        }
+    }
+    return entries;
+}
+function normalizeHeaderMap(input) {
+    const entries = extractHeaderEntries(input);
+    if (entries.length === 0)
+        return undefined;
+    const out = {};
+    for (const [key, value] of entries) {
+        const normalizedValue = normalizeHeaderValue(value);
+        if (!normalizedValue)
+            continue;
+        const trimmedKey = key.trim();
+        const trimmedValue = normalizedValue.trim();
+        if (!trimmedKey || !trimmedValue)
+            continue;
+        out[trimmedKey] = trimmedValue;
+    }
+    return Object.keys(out).length > 0 ? out : undefined;
+}
+function nonEmptyTrimmedString(value) {
+    if (typeof value !== "string")
+        return null;
+    const trimmed = value.trim();
+    return trimmed.length > 0 ? trimmed : null;
+}
+function headerMapHasKeyIgnoreCase(headers, targetKey) {
+    const normalizedTarget = targetKey.trim().toLowerCase();
+    return Object.keys(headers).some((key) => key.trim().toLowerCase() === normalizedTarget);
+}
+function headerMapGetIgnoreCase(headers, targetKey) {
+    const normalizedTarget = targetKey.trim().toLowerCase();
+    const key = Object.keys(headers).find((candidate) => candidate.trim().toLowerCase() === normalizedTarget);
+    if (!key)
+        return null;
+    const value = headers[key];
+    return typeof value === "string" ? value : null;
+}
+function tokenFromAuthorizationHeader(rawHeader) {
+    const trimmed = nonEmptyTrimmedString(rawHeader);
+    if (!trimmed)
+        return null;
+    const bearerMatch = trimmed.match(/^bearer\s+(.+)$/i);
+    if (bearerMatch?.[1]) {
+        return nonEmptyTrimmedString(bearerMatch[1]);
+    }
+    return trimmed;
+}
+function parseBooleanLike(value) {
+    if (typeof value === "boolean")
+        return value;
+    if (typeof value !== "string")
+        return null;
+    const normalized = value.trim().toLowerCase();
+    if (normalized === "true" || normalized === "1")
+        return true;
+    if (normalized === "false" || normalized === "0")
+        return false;
+    return null;
+}
+function generateEd25519PrivateKeyPem() {
+    const generated = generateKeyPairSync("ed25519");
+    return generated.privateKey
+        .export({ type: "pkcs8", format: "pem" })
+        .toString();
+}
+export function buildJoinDefaultsPayloadForAccept(input) {
+    if (input.adapterType !== "openclaw_gateway") {
+        return input.defaultsPayload;
+    }
+    const merged = isPlainObject(input.defaultsPayload)
+        ? { ...input.defaultsPayload }
+        : {};
+    if (!nonEmptyTrimmedString(merged.fideliosApiUrl)) {
+        const legacyFideliOSApiUrl = nonEmptyTrimmedString(input.fideliosApiUrl);
+        if (legacyFideliOSApiUrl)
+            merged.fideliosApiUrl = legacyFideliOSApiUrl;
+    }
+    const mergedHeaders = normalizeHeaderMap(merged.headers) ?? {};
+    const inboundOpenClawAuthHeader = nonEmptyTrimmedString(input.inboundOpenClawAuthHeader);
+    const inboundOpenClawTokenHeader = nonEmptyTrimmedString(input.inboundOpenClawTokenHeader);
+    if (inboundOpenClawTokenHeader &&
+        !headerMapHasKeyIgnoreCase(mergedHeaders, "x-openclaw-token")) {
+        mergedHeaders["x-openclaw-token"] = inboundOpenClawTokenHeader;
+    }
+    if (inboundOpenClawAuthHeader &&
+        !headerMapHasKeyIgnoreCase(mergedHeaders, "x-openclaw-auth")) {
+        mergedHeaders["x-openclaw-auth"] = inboundOpenClawAuthHeader;
+    }
+    if (Object.keys(mergedHeaders).length > 0) {
+        merged.headers = mergedHeaders;
+    }
+    else {
+        delete merged.headers;
+    }
+    const discoveredToken = headerMapGetIgnoreCase(mergedHeaders, "x-openclaw-token") ??
+        headerMapGetIgnoreCase(mergedHeaders, "x-openclaw-auth") ??
+        tokenFromAuthorizationHeader(headerMapGetIgnoreCase(mergedHeaders, "authorization"));
+    if (discoveredToken &&
+        !headerMapHasKeyIgnoreCase(mergedHeaders, "x-openclaw-token")) {
+        mergedHeaders["x-openclaw-token"] = discoveredToken;
+    }
+    return Object.keys(merged).length > 0 ? merged : null;
+}
+export function mergeJoinDefaultsPayloadForReplay(existingDefaultsPayload, nextDefaultsPayload) {
+    if (!isPlainObject(existingDefaultsPayload) &&
+        !isPlainObject(nextDefaultsPayload)) {
+        return nextDefaultsPayload ?? existingDefaultsPayload;
+    }
+    if (!isPlainObject(existingDefaultsPayload)) {
+        return nextDefaultsPayload;
+    }
+    if (!isPlainObject(nextDefaultsPayload)) {
+        return existingDefaultsPayload;
+    }
+    const merged = {
+        ...existingDefaultsPayload,
+        ...nextDefaultsPayload
+    };
+    const existingHeaders = normalizeHeaderMap(existingDefaultsPayload.headers);
+    const nextHeaders = normalizeHeaderMap(nextDefaultsPayload.headers);
+    if (existingHeaders || nextHeaders) {
+        merged.headers = {
+            ...(existingHeaders ?? {}),
+            ...(nextHeaders ?? {})
+        };
+    }
+    else if (Object.prototype.hasOwnProperty.call(merged, "headers")) {
+        delete merged.headers;
+    }
+    return merged;
+}
+export function canReplayOpenClawGatewayInviteAccept(input) {
+    if (input.requestType !== "agent" ||
+        input.adapterType !== "openclaw_gateway") {
+        return false;
+    }
+    if (!input.existingJoinRequest) {
+        return false;
+    }
+    if (input.existingJoinRequest.requestType !== "agent" ||
+        input.existingJoinRequest.adapterType !== "openclaw_gateway") {
+        return false;
+    }
+    return (input.existingJoinRequest.status === "pending_approval" ||
+        input.existingJoinRequest.status === "approved");
+}
+function summarizeSecretForLog(value) {
+    const trimmed = nonEmptyTrimmedString(value);
+    if (!trimmed)
+        return null;
+    return {
+        present: true,
+        length: trimmed.length,
+        sha256Prefix: hashToken(trimmed).slice(0, 12)
+    };
+}
+function summarizeOpenClawGatewayDefaultsForLog(defaultsPayload) {
+    const defaults = isPlainObject(defaultsPayload)
+        ? defaultsPayload
+        : null;
+    const headers = defaults ? normalizeHeaderMap(defaults.headers) : undefined;
+    const gatewayTokenValue = headers
+        ? headerMapGetIgnoreCase(headers, "x-openclaw-token") ??
+            headerMapGetIgnoreCase(headers, "x-openclaw-auth") ??
+            tokenFromAuthorizationHeader(headerMapGetIgnoreCase(headers, "authorization"))
+        : null;
+    return {
+        present: Boolean(defaults),
+        keys: defaults ? Object.keys(defaults).sort() : [],
+        url: defaults ? nonEmptyTrimmedString(defaults.url) : null,
+        fideliosApiUrl: defaults
+            ? nonEmptyTrimmedString(defaults.fideliosApiUrl)
+            : null,
+        headerKeys: headers ? Object.keys(headers).sort() : [],
+        sessionKeyStrategy: defaults
+            ? nonEmptyTrimmedString(defaults.sessionKeyStrategy)
+            : null,
+        disableDeviceAuth: defaults
+            ? parseBooleanLike(defaults.disableDeviceAuth)
+            : null,
+        waitTimeoutMs: defaults && typeof defaults.waitTimeoutMs === "number"
+            ? defaults.waitTimeoutMs
+            : null,
+        devicePrivateKeyPem: defaults
+            ? summarizeSecretForLog(defaults.devicePrivateKeyPem)
+            : null,
+        gatewayToken: summarizeSecretForLog(gatewayTokenValue)
+    };
+}
+export function normalizeAgentDefaultsForJoin(input) {
+    const fatalErrors = [];
+    const diagnostics = [];
+    if (input.adapterType !== "openclaw_gateway") {
+        const normalized = isPlainObject(input.defaultsPayload)
+            ? input.defaultsPayload
+            : null;
+        return { normalized, diagnostics, fatalErrors };
+    }
+    if (!isPlainObject(input.defaultsPayload)) {
+        diagnostics.push({
+            code: "openclaw_gateway_defaults_missing",
+            level: "warn",
+            message: "No OpenClaw gateway config was provided in agentDefaultsPayload.",
+            hint: "Include agentDefaultsPayload.url and headers.x-openclaw-token for OpenClaw gateway joins."
+        });
+        fatalErrors.push("agentDefaultsPayload is required for adapterType=openclaw_gateway");
+        return {
+            normalized: null,
+            diagnostics,
+            fatalErrors
+        };
+    }
+    const defaults = input.defaultsPayload;
+    const normalized = {};
+    let gatewayUrl = null;
+    const rawGatewayUrl = nonEmptyTrimmedString(defaults.url);
+    if (!rawGatewayUrl) {
+        diagnostics.push({
+            code: "openclaw_gateway_url_missing",
+            level: "warn",
+            message: "OpenClaw gateway URL is missing.",
+            hint: "Set agentDefaultsPayload.url to ws:// or wss:// gateway URL."
+        });
+        fatalErrors.push("agentDefaultsPayload.url is required");
+    }
+    else {
+        try {
+            gatewayUrl = new URL(rawGatewayUrl);
+            if (gatewayUrl.protocol !== "ws:" && gatewayUrl.protocol !== "wss:") {
+                diagnostics.push({
+                    code: "openclaw_gateway_url_protocol",
+                    level: "warn",
+                    message: `OpenClaw gateway URL must use ws:// or wss:// (got ${gatewayUrl.protocol}).`
+                });
+                fatalErrors.push("agentDefaultsPayload.url must use ws:// or wss:// for openclaw_gateway");
+            }
+            else {
+                normalized.url = gatewayUrl.toString();
+                diagnostics.push({
+                    code: "openclaw_gateway_url_configured",
+                    level: "info",
+                    message: `Gateway endpoint set to ${gatewayUrl.toString()}`
+                });
+            }
+        }
+        catch {
+            diagnostics.push({
+                code: "openclaw_gateway_url_invalid",
+                level: "warn",
+                message: `Invalid OpenClaw gateway URL: ${rawGatewayUrl}`
+            });
+            fatalErrors.push("agentDefaultsPayload.url is not a valid URL");
+        }
+    }
+    const headers = normalizeHeaderMap(defaults.headers) ?? {};
+    const gatewayToken = headerMapGetIgnoreCase(headers, "x-openclaw-token") ??
+        headerMapGetIgnoreCase(headers, "x-openclaw-auth") ??
+        tokenFromAuthorizationHeader(headerMapGetIgnoreCase(headers, "authorization"));
+    if (gatewayToken && !headerMapHasKeyIgnoreCase(headers, "x-openclaw-token")) {
+        headers["x-openclaw-token"] = gatewayToken;
+    }
+    if (Object.keys(headers).length > 0) {
+        normalized.headers = headers;
+    }
+    if (!gatewayToken) {
+        diagnostics.push({
+            code: "openclaw_gateway_auth_header_missing",
+            level: "warn",
+            message: "Gateway auth token is missing from agent defaults.",
+            hint: "Set agentDefaultsPayload.headers.x-openclaw-token (or legacy x-openclaw-auth)."
+        });
+        fatalErrors.push("agentDefaultsPayload.headers.x-openclaw-token (or x-openclaw-auth) is required");
+    }
+    else if (gatewayToken.trim().length < 16) {
+        diagnostics.push({
+            code: "openclaw_gateway_auth_header_too_short",
+            level: "warn",
+            message: `Gateway auth token appears too short (${gatewayToken.trim().length} chars).`,
+            hint: "Use the full gateway auth token from ~/.openclaw/openclaw.json (typically long random string)."
+        });
+        fatalErrors.push("agentDefaultsPayload.headers.x-openclaw-token is too short; expected a full gateway token");
+    }
+    else {
+        diagnostics.push({
+            code: "openclaw_gateway_auth_header_configured",
+            level: "info",
+            message: "Gateway auth token configured."
+        });
+    }
+    if (isPlainObject(defaults.payloadTemplate)) {
+        normalized.payloadTemplate = defaults.payloadTemplate;
+    }
+    const parsedDisableDeviceAuth = parseBooleanLike(defaults.disableDeviceAuth);
+    const disableDeviceAuth = parsedDisableDeviceAuth === true;
+    if (parsedDisableDeviceAuth !== null) {
+        normalized.disableDeviceAuth = parsedDisableDeviceAuth;
+    }
+    const configuredDevicePrivateKeyPem = nonEmptyTrimmedString(defaults.devicePrivateKeyPem);
+    if (configuredDevicePrivateKeyPem) {
+        normalized.devicePrivateKeyPem = configuredDevicePrivateKeyPem;
+        diagnostics.push({
+            code: "openclaw_gateway_device_key_configured",
+            level: "info",
+            message: "Gateway device key configured. Pairing approvals should persist for this agent."
+        });
+    }
+    else if (!disableDeviceAuth) {
+        try {
+            normalized.devicePrivateKeyPem = generateEd25519PrivateKeyPem();
+            diagnostics.push({
+                code: "openclaw_gateway_device_key_generated",
+                level: "info",
+                message: "Generated persistent gateway device key for this join. Pairing approvals should persist for this agent."
+            });
+        }
+        catch (err) {
+            diagnostics.push({
+                code: "openclaw_gateway_device_key_generate_failed",
+                level: "warn",
+                message: `Failed to generate gateway device key: ${err instanceof Error ? err.message : String(err)}`,
+                hint: "Set agentDefaultsPayload.devicePrivateKeyPem explicitly or set disableDeviceAuth=true."
+            });
+            fatalErrors.push("Failed to generate gateway device key. Set devicePrivateKeyPem or disableDeviceAuth=true.");
+        }
+    }
+    const waitTimeoutMs = typeof defaults.waitTimeoutMs === "number" &&
+        Number.isFinite(defaults.waitTimeoutMs)
+        ? Math.floor(defaults.waitTimeoutMs)
+        : typeof defaults.waitTimeoutMs === "string"
+            ? Number.parseInt(defaults.waitTimeoutMs.trim(), 10)
+            : NaN;
+    if (Number.isFinite(waitTimeoutMs) && waitTimeoutMs > 0) {
+        normalized.waitTimeoutMs = waitTimeoutMs;
+    }
+    const timeoutSec = typeof defaults.timeoutSec === "number" && Number.isFinite(defaults.timeoutSec)
+        ? Math.floor(defaults.timeoutSec)
+        : typeof defaults.timeoutSec === "string"
+            ? Number.parseInt(defaults.timeoutSec.trim(), 10)
+            : NaN;
+    if (Number.isFinite(timeoutSec) && timeoutSec > 0) {
+        normalized.timeoutSec = timeoutSec;
+    }
+    const sessionKeyStrategy = nonEmptyTrimmedString(defaults.sessionKeyStrategy);
+    if (sessionKeyStrategy === "fixed" ||
+        sessionKeyStrategy === "issue" ||
+        sessionKeyStrategy === "run") {
+        normalized.sessionKeyStrategy = sessionKeyStrategy;
+    }
+    const sessionKey = nonEmptyTrimmedString(defaults.sessionKey);
+    if (sessionKey) {
+        normalized.sessionKey = sessionKey;
+    }
+    const role = nonEmptyTrimmedString(defaults.role);
+    if (role) {
+        normalized.role = role;
+    }
+    if (Array.isArray(defaults.scopes)) {
+        const scopes = defaults.scopes
+            .filter((entry) => typeof entry === "string")
+            .map((entry) => entry.trim())
+            .filter(Boolean);
+        if (scopes.length > 0) {
+            normalized.scopes = scopes;
+        }
+    }
+    const rawFideliOSApiUrl = typeof defaults.fideliosApiUrl === "string"
+        ? defaults.fideliosApiUrl.trim()
+        : "";
+    if (rawFideliOSApiUrl) {
+        try {
+            const parsedFideliOSApiUrl = new URL(rawFideliOSApiUrl);
+            if (parsedFideliOSApiUrl.protocol !== "http:" &&
+                parsedFideliOSApiUrl.protocol !== "https:") {
+                diagnostics.push({
+                    code: "openclaw_gateway_fidelios_api_url_protocol",
+                    level: "warn",
+                    message: `fideliosApiUrl must use http:// or https:// (got ${parsedFideliOSApiUrl.protocol}).`
+                });
+            }
+            else {
+                normalized.fideliosApiUrl = parsedFideliOSApiUrl.toString();
+                diagnostics.push({
+                    code: "openclaw_gateway_fidelios_api_url_configured",
+                    level: "info",
+                    message: `fideliosApiUrl set to ${parsedFideliOSApiUrl.toString()}`
+                });
+            }
+        }
+        catch {
+            diagnostics.push({
+                code: "openclaw_gateway_fidelios_api_url_invalid",
+                level: "warn",
+                message: `Invalid fideliosApiUrl: ${rawFideliOSApiUrl}`
+            });
+        }
+    }
+    return { normalized, diagnostics, fatalErrors };
+}
+function toInviteSummaryResponse(req, token, invite) {
+    const baseUrl = requestBaseUrl(req);
+    const onboardingPath = `/api/invites/${token}/onboarding`;
+    const onboardingTextPath = `/api/invites/${token}/onboarding.txt`;
+    const inviteMessage = extractInviteMessage(invite);
+    return {
+        id: invite.id,
+        companyId: invite.companyId,
+        inviteType: invite.inviteType,
+        allowedJoinTypes: invite.allowedJoinTypes,
+        expiresAt: invite.expiresAt,
+        onboardingPath,
+        onboardingUrl: baseUrl ? `${baseUrl}${onboardingPath}` : onboardingPath,
+        onboardingTextPath,
+        onboardingTextUrl: baseUrl
+            ? `${baseUrl}${onboardingTextPath}`
+            : onboardingTextPath,
+        skillIndexPath: "/api/skills/index",
+        skillIndexUrl: baseUrl
+            ? `${baseUrl}/api/skills/index`
+            : "/api/skills/index",
+        inviteMessage
+    };
+}
+function buildOnboardingDiscoveryDiagnostics(input) {
+    const diagnostics = [];
+    let apiHost = null;
+    if (input.apiBaseUrl) {
+        try {
+            apiHost = normalizeHostname(new URL(input.apiBaseUrl).hostname);
+        }
+        catch {
+            apiHost = null;
+        }
+    }
+    const bindHost = normalizeHostname(input.bindHost);
+    const allowSet = new Set(input.allowedHostnames
+        .map((entry) => normalizeHostname(entry))
+        .filter((entry) => Boolean(entry)));
+    if (apiHost && isLoopbackHost(apiHost)) {
+        diagnostics.push({
+            code: "openclaw_onboarding_api_loopback",
+            level: "warn",
+            message: "Onboarding URL resolves to loopback hostname. Remote OpenClaw agents cannot reach localhost on your FideliOS host.",
+            hint: "Use a reachable hostname/IP (for example Tailscale hostname, Docker host alias, or public domain)."
+        });
+    }
+    if (input.deploymentMode === "authenticated" &&
+        input.deploymentExposure === "private" &&
+        (!bindHost || isLoopbackHost(bindHost))) {
+        diagnostics.push({
+            code: "openclaw_onboarding_private_loopback_bind",
+            level: "warn",
+            message: "FideliOS is bound to loopback in authenticated/private mode.",
+            hint: "Run with a reachable bind host or use pnpm dev --tailscale-auth for private-network onboarding."
+        });
+    }
+    if (input.deploymentMode === "authenticated" &&
+        input.deploymentExposure === "private" &&
+        apiHost &&
+        !isLoopbackHost(apiHost) &&
+        allowSet.size > 0 &&
+        !allowSet.has(apiHost)) {
+        diagnostics.push({
+            code: "openclaw_onboarding_private_host_not_allowed",
+            level: "warn",
+            message: `Onboarding host "${apiHost}" is not in allowed hostnames for authenticated/private mode.`,
+            hint: `Run pnpm fidelios allowed-hostname ${apiHost}`
+        });
+    }
+    return diagnostics;
+}
+function buildOnboardingConnectionCandidates(input) {
+    let base = null;
+    try {
+        if (input.apiBaseUrl) {
+            base = new URL(input.apiBaseUrl);
+        }
+    }
+    catch {
+        base = null;
+    }
+    const protocol = base?.protocol ?? "http:";
+    const port = base?.port ? `:${base.port}` : "";
+    const candidates = new Set();
+    if (base) {
+        candidates.add(base.origin);
+    }
+    const bindHost = normalizeHostname(input.bindHost);
+    if (bindHost && !isLoopbackHost(bindHost)) {
+        candidates.add(`${protocol}//${bindHost}${port}`);
+    }
+    for (const rawHost of input.allowedHostnames) {
+        const host = normalizeHostname(rawHost);
+        if (!host)
+            continue;
+        candidates.add(`${protocol}//${host}${port}`);
+    }
+    if (base && isLoopbackHost(base.hostname)) {
+        candidates.add(`${protocol}//host.docker.internal${port}`);
+    }
+    return Array.from(candidates);
+}
+function buildInviteOnboardingManifest(req, token, invite, opts) {
+    const baseUrl = requestBaseUrl(req);
+    const skillPath = "/api/skills/fidelios";
+    const skillUrl = baseUrl ? `${baseUrl}${skillPath}` : skillPath;
+    const registrationEndpointPath = `/api/invites/${token}/accept`;
+    const registrationEndpointUrl = baseUrl
+        ? `${baseUrl}${registrationEndpointPath}`
+        : registrationEndpointPath;
+    const onboardingTextPath = `/api/invites/${token}/onboarding.txt`;
+    const onboardingTextUrl = baseUrl
+        ? `${baseUrl}${onboardingTextPath}`
+        : onboardingTextPath;
+    const discoveryDiagnostics = buildOnboardingDiscoveryDiagnostics({
+        apiBaseUrl: baseUrl,
+        deploymentMode: opts.deploymentMode,
+        deploymentExposure: opts.deploymentExposure,
+        bindHost: opts.bindHost,
+        allowedHostnames: opts.allowedHostnames
+    });
+    const connectionCandidates = buildOnboardingConnectionCandidates({
+        apiBaseUrl: baseUrl,
+        bindHost: opts.bindHost,
+        allowedHostnames: opts.allowedHostnames
+    });
+    return {
+        invite: toInviteSummaryResponse(req, token, invite),
+        onboarding: {
+            instructions: "Join as an OpenClaw Gateway agent, save your one-time claim secret, wait for board approval, then claim your API key. Save the claim response token to ~/.openclaw/workspace/fidelios-claimed-api-key.json and load FIDELIOS_API_KEY from that file before starting heartbeat loops. You MUST submit adapterType='openclaw_gateway', set agentDefaultsPayload.url to your ws:// or wss:// OpenClaw gateway endpoint, and include agentDefaultsPayload.headers.x-openclaw-token (or legacy x-openclaw-auth).",
+            inviteMessage: extractInviteMessage(invite),
+            recommendedAdapterType: "openclaw_gateway",
+            requiredFields: {
+                requestType: "agent",
+                agentName: "Display name for this agent",
+                adapterType: "Use 'openclaw_gateway' for OpenClaw Gateway agents",
+                capabilities: "Optional capability summary",
+                agentDefaultsPayload: "Adapter config for OpenClaw gateway. MUST include url (ws:// or wss://) and headers.x-openclaw-token (or legacy x-openclaw-auth). Optional fields: fideliosApiUrl, waitTimeoutMs, sessionKeyStrategy, sessionKey, role, scopes, disableDeviceAuth, devicePrivateKeyPem."
+            },
+            registrationEndpoint: {
+                method: "POST",
+                path: registrationEndpointPath,
+                url: registrationEndpointUrl
+            },
+            claimEndpointTemplate: {
+                method: "POST",
+                path: "/api/join-requests/{requestId}/claim-api-key",
+                body: {
+                    claimSecret: "one-time claim secret returned when the join request is created"
+                }
+            },
+            connectivity: {
+                deploymentMode: opts.deploymentMode,
+                deploymentExposure: opts.deploymentExposure,
+                bindHost: opts.bindHost,
+                allowedHostnames: opts.allowedHostnames,
+                connectionCandidates,
+                diagnostics: discoveryDiagnostics,
+                guidance: opts.deploymentMode === "authenticated" &&
+                    opts.deploymentExposure === "private"
+                    ? "If OpenClaw runs on another machine, ensure the FideliOS hostname is reachable and allowed via `pnpm fidelios allowed-hostname <host>`."
+                    : "Ensure OpenClaw can reach this FideliOS API base URL for invite, claim, and skill bootstrap calls."
+            },
+            textInstructions: {
+                path: onboardingTextPath,
+                url: onboardingTextUrl,
+                contentType: "text/plain"
+            },
+            skill: {
+                name: "fidelios",
+                path: skillPath,
+                url: skillUrl,
+                installPath: "~/.openclaw/skills/fidelios/SKILL.md"
+            }
+        }
+    };
+}
+export function buildInviteOnboardingTextDocument(req, token, invite, opts) {
+    const manifest = buildInviteOnboardingManifest(req, token, invite, opts);
+    const onboarding = manifest.onboarding;
+    const diagnostics = Array.isArray(onboarding.connectivity?.diagnostics)
+        ? onboarding.connectivity.diagnostics
+        : [];
+    const lines = [];
+    const appendBlock = (block) => {
+        const trimmed = block.replace(/^\n/, "").replace(/\n\s*$/, "");
+        const lineIndentation = trimmed
+            .split("\n")
+            .filter((line) => line.trim().length > 0)
+            .map((line) => line.match(/^(\s*)/)?.[0].length ?? 0);
+        const minIndent = lineIndentation.length > 0 ? Math.min(...lineIndentation) : 0;
+        for (const line of trimmed.split("\n")) {
+            lines.push(line.slice(minIndent));
+        }
+    };
+    appendBlock(`
+    # FideliOS OpenClaw Gateway Onboarding
+    This document is meant to be readable by both humans and agents.
+    ## Invite
+    - inviteType: ${invite.inviteType}
+    - allowedJoinTypes: ${invite.allowedJoinTypes}
+    - expiresAt: ${invite.expiresAt.toISOString()}
+  `);
+    if (onboarding.inviteMessage) {
+        appendBlock(`
+      ## Message from inviter
+      ${onboarding.inviteMessage}
+    `);
+    }
+    appendBlock(`
+    ## Step 0
+    Get the OpenClaw gateway auth token (THIS MUST BE SENT)
+    Token lives in:
+    ~/.openclaw/openclaw.json -> gateway.auth.token
+    Extract:
+    TOKEN="$(node -p 'require(process.env.HOME+\"/.openclaw/openclaw.json\").gateway.auth.token')"
+    test -n "$TOKEN" || (echo "Missing TOKEN" && exit 1)
+    test "\${#TOKEN}" -ge 16 || (echo "Gateway token unexpectedly short (\${#TOKEN})" && exit 1)
+    3) IMPORTANT: Don't accidentally drop the token when generating JSON
+    If you build JSON with Node, pass the token explicitly (argv), don't rely on an un-exported env var.
+    Safe payload build looks sort of like this (substitute where necessary):
+    BODY="$(node -e '
+      const token = process.argv[1];
+      if (!token) process.exit(2);
+      const body = {
+        requestType: "agent",
+        agentName: "OpenClaw",
+        adapterType: "openclaw_gateway",
+        capabilities: "OpenClaw agent adapter",
+        agentDefaultsPayload: {
+          url: "ws://127.0.0.1:18789",
+          fideliosApiUrl: "http://host.docker.internal:3100",
+          headers: { "x-openclaw-token": token },
+          waitTimeoutMs: 120000,
+          sessionKeyStrategy: "issue",
+          role: "operator",
+          scopes: ["operator.admin"]
+        }
+      };
+      process.stdout.write(JSON.stringify(body));
+    ' "$TOKEN")"
+    ## Step 1: Submit agent join request
+    ${onboarding.registrationEndpoint.method} ${onboarding.registrationEndpoint.url}
+    IMPORTANT: You MUST include agentDefaultsPayload.headers.x-openclaw-token with your gateway token.
+    Legacy x-openclaw-auth is also accepted, but x-openclaw-token is preferred.
+    Use adapterType "openclaw_gateway" and a ws:// or wss:// gateway URL.
+    Pairing mode requirement:
+    - Keep device auth enabled (recommended). If devicePrivateKeyPem is omitted, FideliOS generates and persists one during join so pairing approvals are stable.
+    - You may set disableDeviceAuth=true only for special environments that cannot support pairing.
+    - First run may return "pairing required" once; approve the pending pairing request in OpenClaw, then retry.
+    Do NOT use /v1/responses or /hooks/* in this gateway join flow.
+    Body (JSON):
+    {
+      "requestType": "agent",
+      "agentName": "My OpenClaw Agent",
+      "adapterType": "openclaw_gateway",
+      "capabilities": "Optional summary",
+      "agentDefaultsPayload": {
+        "url": "wss://your-openclaw-gateway.example",
+        "fideliosApiUrl": "https://fidelios-hostname-your-agent-can-reach:3100",
+        "headers": { "x-openclaw-token": "replace-me" },
+        "waitTimeoutMs": 120000,
+        "sessionKeyStrategy": "issue",
+        "role": "operator",
+        "scopes": ["operator.admin"]
+      }
+    }
+    Expected response includes:
+    - request id
+    - one-time claimSecret
+    - claimApiKeyPath
+    ## Step 2: Wait for board approval
+    The board approves the join request in FideliOS before key claim is allowed.
+    ## Step 3: Claim API key (one-time)
+    ${onboarding.claimEndpointTemplate.method} /api/join-requests/{requestId}/claim-api-key
+    Body (JSON):
+    {
+      "claimSecret": "<one-time-claim-secret>"
+    }
+    On successful claim, save the full JSON response to:
+    - ~/.openclaw/workspace/fidelios-claimed-api-key.json
+    chmod 600 ~/.openclaw/workspace/fidelios-claimed-api-key.json
+    And set the FIDELIOS_API_KEY and FIDELIOS_API_URL in your environment variables as specified here:
+    https://docs.openclaw.ai/help/environment
+    e.g.
+    {
+      env: {
+        FIDELIOS_API_KEY: "...",
+        FIDELIOS_API_URL: "...",
+      },
+    }
+    Then set FIDELIOS_API_KEY and FIDELIOS_API_URL from the saved token field for every heartbeat run.
+    Important:
+    - claim secrets expire
+    - claim secrets are single-use
+    - claim fails before board approval
+    ## Step 4: Install FideliOS skill in OpenClaw
+    GET ${onboarding.skill.url}
+    Install path: ${onboarding.skill.installPath}
+    Be sure to prepend your FIDELIOS_API_URL to the top of your skill and note the path to your FIDELIOS_API_URL
+    ## Text onboarding URL
+    ${onboarding.textInstructions.url}
+    ## Connectivity guidance
+    ${onboarding.connectivity?.guidance ??
+        "Ensure FideliOS is reachable from your OpenClaw runtime."}
+  `);
+    const connectionCandidates = Array.isArray(onboarding.connectivity?.connectionCandidates)
+        ? onboarding.connectivity.connectionCandidates.filter((entry) => Boolean(entry))
+        : [];
+    if (connectionCandidates.length > 0) {
+        lines.push("## Suggested FideliOS base URLs to try");
+        for (const candidate of connectionCandidates) {
+            lines.push(`- ${candidate}`);
+        }
+        appendBlock(`
+      Test each candidate with:
+      - GET <candidate>/api/health
+      - set the first reachable candidate as agentDefaultsPayload.fideliosApiUrl when submitting your join request
+      If none are reachable: ask your human operator for a reachable hostname/address and help them update network configuration.
+      For authenticated/private mode, they may need:
+      - pnpm fidelios allowed-hostname <host>
+      - then restart FideliOS and retry onboarding.
+    `);
+    }
+    if (diagnostics.length > 0) {
+        lines.push("## Connectivity diagnostics");
+        for (const diag of diagnostics) {
+            lines.push(`- [${diag.level}] ${diag.message}`);
+            if (diag.hint)
+                lines.push(`  hint: ${diag.hint}`);
+        }
+    }
+    appendBlock(`
+    ## Helpful endpoints
+    ${onboarding.registrationEndpoint.path}
+    ${onboarding.claimEndpointTemplate.path}
+    ${onboarding.skill.path}
+    ${manifest.invite.onboardingPath}
+  `);
+    return `${lines.join("\n")}\n`;
+}
+function extractInviteMessage(invite) {
+    const rawDefaults = invite.defaultsPayload;
+    if (!rawDefaults ||
+        typeof rawDefaults !== "object" ||
+        Array.isArray(rawDefaults)) {
+        return null;
+    }
+    const rawMessage = rawDefaults.agentMessage;
+    if (typeof rawMessage !== "string") {
+        return null;
+    }
+    const trimmed = rawMessage.trim();
+    return trimmed.length ? trimmed : null;
+}
+function mergeInviteDefaults(defaultsPayload, agentMessage) {
+    const merged = defaultsPayload && typeof defaultsPayload === "object"
+        ? { ...defaultsPayload }
+        : {};
+    if (agentMessage) {
+        merged.agentMessage = agentMessage;
+    }
+    return Object.keys(merged).length ? merged : null;
+}
+function requestIp(req) {
+    const forwarded = req.header("x-forwarded-for");
+    if (forwarded) {
+        const first = forwarded.split(",")[0]?.trim();
+        if (first)
+            return first;
+    }
+    return req.ip || "unknown";
+}
+function inviteExpired(invite) {
+    return invite.expiresAt.getTime() <= Date.now();
+}
+function isLocalImplicit(req) {
+    return req.actor.type === "board" && req.actor.source === "local_implicit";
+}
+async function resolveActorEmail(db, req) {
+    if (isLocalImplicit(req))
+        return "local@fidelios.local";
+    const userId = req.actor.userId;
+    if (!userId)
+        return null;
+    const user = await db
+        .select({ email: authUsers.email })
+        .from(authUsers)
+        .where(eq(authUsers.id, userId))
+        .then((rows) => rows[0] ?? null);
+    return user?.email ?? null;
+}
+function grantsFromDefaults(defaultsPayload, key) {
+    if (!defaultsPayload || typeof defaultsPayload !== "object")
+        return [];
+    const scoped = defaultsPayload[key];
+    if (!scoped || typeof scoped !== "object")
+        return [];
+    const grants = scoped.grants;
+    if (!Array.isArray(grants))
+        return [];
+    const validPermissionKeys = new Set(PERMISSION_KEYS);
+    const result = [];
+    for (const item of grants) {
+        if (!item || typeof item !== "object")
+            continue;
+        const record = item;
+        if (typeof record.permissionKey !== "string")
+            continue;
+        if (!validPermissionKeys.has(record.permissionKey))
+            continue;
+        result.push({
+            permissionKey: record.permissionKey,
+            scope: record.scope &&
+                typeof record.scope === "object" &&
+                !Array.isArray(record.scope)
+                ? record.scope
+                : null
+        });
+    }
+    return result;
+}
+export function agentJoinGrantsFromDefaults(defaultsPayload) {
+    const grants = grantsFromDefaults(defaultsPayload, "agent");
+    if (grants.some((grant) => grant.permissionKey === "tasks:assign")) {
+        return grants;
+    }
+    return [
+        ...grants,
+        {
+            permissionKey: "tasks:assign",
+            scope: null
+        }
+    ];
+}
+export function resolveJoinRequestAgentManagerId(candidates) {
+    const ceoCandidates = candidates.filter((candidate) => candidate.role === "ceo");
+    if (ceoCandidates.length === 0)
+        return null;
+    const rootCeo = ceoCandidates.find((candidate) => candidate.reportsTo === null);
+    return (rootCeo ?? ceoCandidates[0] ?? null)?.id ?? null;
+}
+function isInviteTokenHashCollisionError(error) {
+    const candidates = [
+        error,
+        error?.cause ?? null
+    ];
+    for (const candidate of candidates) {
+        if (!candidate || typeof candidate !== "object")
+            continue;
+        const code = "code" in candidate && typeof candidate.code === "string"
+            ? candidate.code
+            : null;
+        const message = "message" in candidate && typeof candidate.message === "string"
+            ? candidate.message
+            : "";
+        const constraint = "constraint" in candidate && typeof candidate.constraint === "string"
+            ? candidate.constraint
+            : null;
+        if (code !== "23505")
+            continue;
+        if (constraint === "invites_token_hash_unique_idx")
+            return true;
+        if (message.includes("invites_token_hash_unique_idx"))
+            return true;
+    }
+    return false;
+}
+function isAbortError(error) {
+    return error instanceof Error && error.name === "AbortError";
+}
+async function probeInviteResolutionTarget(url, timeoutMs) {
+    const startedAt = Date.now();
+    const controller = new AbortController();
+    const timeout = setTimeout(() => controller.abort(), timeoutMs);
+    try {
+        const response = await fetch(url, {
+            method: "HEAD",
+            redirect: "manual",
+            signal: controller.signal
+        });
+        const durationMs = Date.now() - startedAt;
+        if (response.ok ||
+            response.status === 401 ||
+            response.status === 403 ||
+            response.status === 404 ||
+            response.status === 405 ||
+            response.status === 422 ||
+            response.status === 500 ||
+            response.status === 501) {
+            return {
+                status: "reachable",
+                method: "HEAD",
+                durationMs,
+                httpStatus: response.status,
+                message: `Webhook endpoint responded to HEAD with HTTP ${response.status}.`
+            };
+        }
+        return {
+            status: "unreachable",
+            method: "HEAD",
+            durationMs,
+            httpStatus: response.status,
+            message: `Webhook endpoint probe returned HTTP ${response.status}.`
+        };
+    }
+    catch (error) {
+        const durationMs = Date.now() - startedAt;
+        if (isAbortError(error)) {
+            return {
+                status: "timeout",
+                method: "HEAD",
+                durationMs,
+                httpStatus: null,
+                message: `Webhook endpoint probe timed out after ${timeoutMs}ms.`
+            };
+        }
+        return {
+            status: "unreachable",
+            method: "HEAD",
+            durationMs,
+            httpStatus: null,
+            message: error instanceof Error
+                ? error.message
+                : "Webhook endpoint probe failed."
+        };
+    }
+    finally {
+        clearTimeout(timeout);
+    }
+}
+export function accessRoutes(db, opts) {
+    const router = Router();
+    const access = accessService(db);
+    const boardAuth = boardAuthService(db);
+    const agents = agentService(db);
+    async function assertInstanceAdmin(req) {
+        if (req.actor.type !== "board")
+            throw unauthorized();
+        if (isLocalImplicit(req))
+            return;
+        const allowed = await access.isInstanceAdmin(req.actor.userId);
+        if (!allowed)
+            throw forbidden("Instance admin required");
+    }
+    router.get("/board-claim/:token", async (req, res) => {
+        const token = req.params.token.trim();
+        const code = typeof req.query.code === "string" ? req.query.code.trim() : undefined;
+        if (!token)
+            throw notFound("Board claim challenge not found");
+        const challenge = inspectBoardClaimChallenge(token, code);
+        if (challenge.status === "invalid")
+            throw notFound("Board claim challenge not found");
+        res.json(challenge);
+    });
+    router.post("/board-claim/:token/claim", async (req, res) => {
+        const token = req.params.token.trim();
+        const code = typeof req.body?.code === "string" ? req.body.code.trim() : undefined;
+        if (!token)
+            throw notFound("Board claim challenge not found");
+        if (!code)
+            throw badRequest("Claim code is required");
+        if (req.actor.type !== "board" ||
+            req.actor.source !== "session" ||
+            !req.actor.userId) {
+            throw unauthorized("Sign in before claiming board ownership");
+        }
+        const claimed = await claimBoardOwnership(db, {
+            token,
+            code,
+            userId: req.actor.userId
+        });
+        if (claimed.status === "invalid")
+            throw notFound("Board claim challenge not found");
+        if (claimed.status === "expired")
+            throw conflict("Board claim challenge expired. Restart server to generate a new one.");
+        if (claimed.status === "claimed") {
+            res.json({
+                claimed: true,
+                userId: claimed.claimedByUserId ?? req.actor.userId
+            });
+            return;
+        }
+        throw conflict("Board claim challenge is no longer available");
+    });
+    router.post("/cli-auth/challenges", validate(createCliAuthChallengeSchema), async (req, res) => {
+        const created = await boardAuth.createCliAuthChallenge(req.body);
+        const approvalPath = buildCliAuthApprovalPath(created.challenge.id, created.challengeSecret);
+        const baseUrl = requestBaseUrl(req);
+        res.status(201).json({
+            id: created.challenge.id,
+            token: created.challengeSecret,
+            boardApiToken: created.pendingBoardToken,
+            approvalPath,
+            approvalUrl: baseUrl ? `${baseUrl}${approvalPath}` : null,
+            pollPath: `/cli-auth/challenges/${created.challenge.id}`,
+            expiresAt: created.challenge.expiresAt.toISOString(),
+            suggestedPollIntervalMs: 1000,
+        });
+    });
+    router.get("/cli-auth/challenges/:id", async (req, res) => {
+        const id = req.params.id.trim();
+        const token = typeof req.query.token === "string" ? req.query.token.trim() : "";
+        if (!id || !token)
+            throw notFound("CLI auth challenge not found");
+        const challenge = await boardAuth.describeCliAuthChallenge(id, token);
+        if (!challenge)
+            throw notFound("CLI auth challenge not found");
+        const isSignedInBoardUser = req.actor.type === "board" &&
+            (req.actor.source === "session" || isLocalImplicit(req)) &&
+            Boolean(req.actor.userId);
+        const canApprove = isSignedInBoardUser &&
+            (challenge.requestedAccess !== "instance_admin_required" ||
+                isLocalImplicit(req) ||
+                Boolean(req.actor.isInstanceAdmin));
+        res.json({
+            ...challenge,
+            requiresSignIn: !isSignedInBoardUser,
+            canApprove,
+            currentUserId: req.actor.type === "board" ? req.actor.userId ?? null : null,
+        });
+    });
+    router.post("/cli-auth/challenges/:id/approve", validate(resolveCliAuthChallengeSchema), async (req, res) => {
+        const id = req.params.id.trim();
+        if (req.actor.type !== "board" ||
+            (!req.actor.userId && !isLocalImplicit(req))) {
+            throw unauthorized("Sign in before approving CLI access");
+        }
+        const userId = req.actor.userId ?? "local-board";
+        const approved = await boardAuth.approveCliAuthChallenge(id, req.body.token, userId);
+        if (approved.status === "approved") {
+            const companyIds = await boardAuth.resolveBoardActivityCompanyIds({
+                userId,
+                requestedCompanyId: approved.challenge.requestedCompanyId,
+                boardApiKeyId: approved.challenge.boardApiKeyId,
+            });
+            for (const companyId of companyIds) {
+                await logActivity(db, {
+                    companyId,
+                    actorType: "user",
+                    actorId: userId,
+                    action: "board_api_key.created",
+                    entityType: "user",
+                    entityId: userId,
+                    details: {
+                        boardApiKeyId: approved.challenge.boardApiKeyId,
+                        requestedAccess: approved.challenge.requestedAccess,
+                        requestedCompanyId: approved.challenge.requestedCompanyId,
+                        challengeId: approved.challenge.id,
+                    },
+                });
+            }
+        }
+        res.json({
+            approved: approved.status === "approved",
+            status: approved.status,
+            userId,
+            keyId: approved.challenge.boardApiKeyId ?? null,
+            expiresAt: approved.challenge.expiresAt.toISOString(),
+        });
+    });
+    router.post("/cli-auth/challenges/:id/cancel", validate(resolveCliAuthChallengeSchema), async (req, res) => {
+        const id = req.params.id.trim();
+        const cancelled = await boardAuth.cancelCliAuthChallenge(id, req.body.token);
+        res.json({
+            status: cancelled.status,
+            cancelled: cancelled.status === "cancelled",
+        });
+    });
+    router.get("/cli-auth/me", async (req, res) => {
+        if (req.actor.type !== "board" || !req.actor.userId) {
+            throw unauthorized("Board authentication required");
+        }
+        const accessSnapshot = await boardAuth.resolveBoardAccess(req.actor.userId);
+        res.json({
+            user: accessSnapshot.user,
+            userId: req.actor.userId,
+            isInstanceAdmin: accessSnapshot.isInstanceAdmin,
+            companyIds: accessSnapshot.companyIds,
+            source: req.actor.source ?? "none",
+            keyId: req.actor.source === "board_key" ? req.actor.keyId ?? null : null,
+        });
+    });
+    router.post("/cli-auth/revoke-current", async (req, res) => {
+        if (req.actor.type !== "board" || req.actor.source !== "board_key") {
+            throw badRequest("Current board API key context is required");
+        }
+        const key = await boardAuth.assertCurrentBoardKey(req.actor.keyId, req.actor.userId);
+        await boardAuth.revokeBoardApiKey(key.id);
+        const companyIds = await boardAuth.resolveBoardActivityCompanyIds({
+            userId: key.userId,
+            boardApiKeyId: key.id,
+        });
+        for (const companyId of companyIds) {
+            await logActivity(db, {
+                companyId,
+                actorType: "user",
+                actorId: key.userId,
+                action: "board_api_key.revoked",
+                entityType: "user",
+                entityId: key.userId,
+                details: {
+                    boardApiKeyId: key.id,
+                    revokedVia: "cli_auth_logout",
+                },
+            });
+        }
+        res.json({ revoked: true, keyId: key.id });
+    });
+    async function assertCompanyPermission(req, companyId, permissionKey) {
+        assertCompanyAccess(req, companyId);
+        if (req.actor.type === "agent") {
+            if (!req.actor.agentId)
+                throw forbidden();
+            const allowed = await access.hasPermission(companyId, "agent", req.actor.agentId, permissionKey);
+            if (!allowed)
+                throw forbidden("Permission denied");
+            return;
+        }
+        if (req.actor.type !== "board")
+            throw unauthorized();
+        if (isLocalImplicit(req))
+            return;
+        const allowed = await access.canUser(companyId, req.actor.userId, permissionKey);
+        if (!allowed)
+            throw forbidden("Permission denied");
+    }
+    async function assertCanGenerateOpenClawInvitePrompt(req, companyId) {
+        assertCompanyAccess(req, companyId);
+        if (req.actor.type === "agent") {
+            if (!req.actor.agentId)
+                throw forbidden("Agent authentication required");
+            const actorAgent = await agents.getById(req.actor.agentId);
+            if (!actorAgent || actorAgent.companyId !== companyId) {
+                throw forbidden("Agent key cannot access another company");
+            }
+            if (actorAgent.role !== "ceo") {
+                throw forbidden("Only CEO agents can generate OpenClaw invite prompts");
+            }
+            return;
+        }
+        if (req.actor.type !== "board")
+            throw unauthorized();
+        if (isLocalImplicit(req))
+            return;
+        const allowed = await access.canUser(companyId, req.actor.userId, "users:invite");
+        if (!allowed)
+            throw forbidden("Permission denied");
+    }
+    async function createCompanyInviteForCompany(input) {
+        const normalizedAgentMessage = typeof input.agentMessage === "string"
+            ? input.agentMessage.trim() || null
+            : null;
+        const insertValues = {
+            companyId: input.companyId,
+            inviteType: "company_join",
+            allowedJoinTypes: input.allowedJoinTypes,
+            defaultsPayload: mergeInviteDefaults(input.defaultsPayload ?? null, normalizedAgentMessage),
+            expiresAt: companyInviteExpiresAt(),
+            invitedByUserId: input.req.actor.userId ?? null
+        };
+        let token = null;
+        let created = null;
+        for (let attempt = 0; attempt < INVITE_TOKEN_MAX_RETRIES; attempt += 1) {
+            const candidateToken = createInviteToken();
+            try {
+                const row = await db
+                    .insert(invites)
+                    .values({
+                    ...insertValues,
+                    tokenHash: hashToken(candidateToken)
+                })
+                    .returning()
+                    .then((rows) => rows[0]);
+                token = candidateToken;
+                created = row;
+                break;
+            }
+            catch (error) {
+                if (!isInviteTokenHashCollisionError(error)) {
+                    throw error;
+                }
+            }
+        }
+        if (!token || !created) {
+            throw conflict("Failed to generate a unique invite token. Please retry.");
+        }
+        return { token, created, normalizedAgentMessage };
+    }
+    router.get("/skills/available", (_req, res) => {
+        res.json({ skills: listAvailableSkills() });
+    });
+    router.get("/skills/index", (_req, res) => {
+        res.json({
+            skills: [
+                { name: "fidelios", path: "/api/skills/fidelios" },
+                {
+                    name: "para-memory-files",
+                    path: "/api/skills/para-memory-files"
+                },
+                {
+                    name: "fidelios-create-agent",
+                    path: "/api/skills/fidelios-create-agent"
+                }
+            ]
+        });
+    });
+    router.get("/skills/:skillName", (req, res) => {
+        const skillName = req.params.skillName.trim().toLowerCase();
+        const markdown = readSkillMarkdown(skillName);
+        if (!markdown)
+            throw notFound("Skill not found");
+        res.type("text/markdown").send(markdown);
+    });
+    router.post("/companies/:companyId/invites", validate(createCompanyInviteSchema), async (req, res) => {
+        const companyId = req.params.companyId;
+        await assertCompanyPermission(req, companyId, "users:invite");
+        const { token, created, normalizedAgentMessage } = await createCompanyInviteForCompany({
+            req,
+            companyId,
+            allowedJoinTypes: req.body.allowedJoinTypes,
+            defaultsPayload: req.body.defaultsPayload ?? null,
+            agentMessage: req.body.agentMessage ?? null
+        });
+        await logActivity(db, {
+            companyId,
+            actorType: req.actor.type === "agent" ? "agent" : "user",
+            actorId: req.actor.type === "agent"
+                ? req.actor.agentId ?? "unknown-agent"
+                : req.actor.userId ?? "board",
+            action: "invite.created",
+            entityType: "invite",
+            entityId: created.id,
+            details: {
+                inviteType: created.inviteType,
+                allowedJoinTypes: created.allowedJoinTypes,
+                expiresAt: created.expiresAt.toISOString(),
+                hasAgentMessage: Boolean(normalizedAgentMessage)
+            }
+        });
+        const inviteSummary = toInviteSummaryResponse(req, token, created);
+        res.status(201).json({
+            ...created,
+            token,
+            inviteUrl: `/invite/${token}`,
+            onboardingTextPath: inviteSummary.onboardingTextPath,
+            onboardingTextUrl: inviteSummary.onboardingTextUrl,
+            inviteMessage: inviteSummary.inviteMessage
+        });
+    });
+    router.post("/companies/:companyId/openclaw/invite-prompt", validate(createOpenClawInvitePromptSchema), async (req, res) => {
+        const companyId = req.params.companyId;
+        await assertCanGenerateOpenClawInvitePrompt(req, companyId);
+        const { token, created, normalizedAgentMessage } = await createCompanyInviteForCompany({
+            req,
+            companyId,
+            allowedJoinTypes: "agent",
+            defaultsPayload: null,
+            agentMessage: req.body.agentMessage ?? null
+        });
+        await logActivity(db, {
+            companyId,
+            actorType: req.actor.type === "agent" ? "agent" : "user",
+            actorId: req.actor.type === "agent"
+                ? req.actor.agentId ?? "unknown-agent"
+                : req.actor.userId ?? "board",
+            action: "invite.openclaw_prompt_created",
+            entityType: "invite",
+            entityId: created.id,
+            details: {
+                inviteType: created.inviteType,
+                allowedJoinTypes: created.allowedJoinTypes,
+                expiresAt: created.expiresAt.toISOString(),
+                hasAgentMessage: Boolean(normalizedAgentMessage)
+            }
+        });
+        const inviteSummary = toInviteSummaryResponse(req, token, created);
+        res.status(201).json({
+            ...created,
+            token,
+            inviteUrl: `/invite/${token}`,
+            onboardingTextPath: inviteSummary.onboardingTextPath,
+            onboardingTextUrl: inviteSummary.onboardingTextUrl,
+            inviteMessage: inviteSummary.inviteMessage
+        });
+    });
+    router.get("/invites/:token", async (req, res) => {
+        const token = req.params.token.trim();
+        if (!token)
+            throw notFound("Invite not found");
+        const invite = await db
+            .select()
+            .from(invites)
+            .where(eq(invites.tokenHash, hashToken(token)))
+            .then((rows) => rows[0] ?? null);
+        if (!invite ||
+            invite.revokedAt ||
+            invite.acceptedAt ||
+            inviteExpired(invite)) {
+            throw notFound("Invite not found");
+        }
+        res.json(toInviteSummaryResponse(req, token, invite));
+    });
+    router.get("/invites/:token/onboarding", async (req, res) => {
+        const token = req.params.token.trim();
+        if (!token)
+            throw notFound("Invite not found");
+        const invite = await db
+            .select()
+            .from(invites)
+            .where(eq(invites.tokenHash, hashToken(token)))
+            .then((rows) => rows[0] ?? null);
+        if (!invite || invite.revokedAt || inviteExpired(invite)) {
+            throw notFound("Invite not found");
+        }
+        res.json(buildInviteOnboardingManifest(req, token, invite, opts));
+    });
+    router.get("/invites/:token/onboarding.txt", async (req, res) => {
+        const token = req.params.token.trim();
+        if (!token)
+            throw notFound("Invite not found");
+        const invite = await db
+            .select()
+            .from(invites)
+            .where(eq(invites.tokenHash, hashToken(token)))
+            .then((rows) => rows[0] ?? null);
+        if (!invite || invite.revokedAt || inviteExpired(invite)) {
+            throw notFound("Invite not found");
+        }
+        res
+            .type("text/plain; charset=utf-8")
+            .send(buildInviteOnboardingTextDocument(req, token, invite, opts));
+    });
+    router.get("/invites/:token/test-resolution", async (req, res) => {
+        const token = req.params.token.trim();
+        if (!token)
+            throw notFound("Invite not found");
+        const invite = await db
+            .select()
+            .from(invites)
+            .where(eq(invites.tokenHash, hashToken(token)))
+            .then((rows) => rows[0] ?? null);
+        if (!invite || invite.revokedAt || inviteExpired(invite)) {
+            throw notFound("Invite not found");
+        }
+        const rawUrl = typeof req.query.url === "string" ? req.query.url.trim() : "";
+        if (!rawUrl)
+            throw badRequest("url query parameter is required");
+        let target;
+        try {
+            target = new URL(rawUrl);
+        }
+        catch {
+            throw badRequest("url must be an absolute http(s) URL");
+        }
+        if (target.protocol !== "http:" && target.protocol !== "https:") {
+            throw badRequest("url must use http or https");
+        }
+        const parsedTimeoutMs = typeof req.query.timeoutMs === "string"
+            ? Number(req.query.timeoutMs)
+            : NaN;
+        const timeoutMs = Number.isFinite(parsedTimeoutMs)
+            ? Math.max(1000, Math.min(15000, Math.floor(parsedTimeoutMs)))
+            : 5000;
+        const probe = await probeInviteResolutionTarget(target, timeoutMs);
+        res.json({
+            inviteId: invite.id,
+            testResolutionPath: `/api/invites/${token}/test-resolution`,
+            requestedUrl: target.toString(),
+            timeoutMs,
+            ...probe
+        });
+    });
+    router.post("/invites/:token/accept", validate(acceptInviteSchema), async (req, res) => {
+        const token = req.params.token.trim();
+        if (!token)
+            throw notFound("Invite not found");
+        const invite = await db
+            .select()
+            .from(invites)
+            .where(eq(invites.tokenHash, hashToken(token)))
+            .then((rows) => rows[0] ?? null);
+        if (!invite || invite.revokedAt || inviteExpired(invite)) {
+            throw notFound("Invite not found");
+        }
+        const inviteAlreadyAccepted = Boolean(invite.acceptedAt);
+        const existingJoinRequestForInvite = inviteAlreadyAccepted
+            ? await db
+                .select()
+                .from(joinRequests)
+                .where(eq(joinRequests.inviteId, invite.id))
+                .then((rows) => rows[0] ?? null)
+            : null;
+        if (invite.inviteType === "bootstrap_ceo") {
+            if (inviteAlreadyAccepted)
+                throw notFound("Invite not found");
+            if (req.body.requestType !== "human") {
+                throw badRequest("Bootstrap invite requires human request type");
+            }
+            if (req.actor.type !== "board" ||
+                (!req.actor.userId && !isLocalImplicit(req))) {
+                throw unauthorized("Authenticated user required for bootstrap acceptance");
+            }
+            const userId = req.actor.userId ?? "local-board";
+            const existingAdmin = await access.isInstanceAdmin(userId);
+            if (!existingAdmin) {
+                await access.promoteInstanceAdmin(userId);
+            }
+            const updatedInvite = await db
+                .update(invites)
+                .set({ acceptedAt: new Date(), updatedAt: new Date() })
+                .where(eq(invites.id, invite.id))
+                .returning()
+                .then((rows) => rows[0] ?? invite);
+            res.status(202).json({
+                inviteId: updatedInvite.id,
+                inviteType: updatedInvite.inviteType,
+                bootstrapAccepted: true,
+                userId
+            });
+            return;
+        }
+        const requestType = req.body.requestType;
+        const companyId = invite.companyId;
+        if (!companyId)
+            throw conflict("Invite is missing company scope");
+        if (invite.allowedJoinTypes !== "both" &&
+            invite.allowedJoinTypes !== requestType) {
+            throw badRequest(`Invite does not allow ${requestType} joins`);
+        }
+        if (requestType === "human" && req.actor.type !== "board") {
+            throw unauthorized("Human invite acceptance requires authenticated user");
+        }
+        if (requestType === "human" &&
+            !req.actor.userId &&
+            !isLocalImplicit(req)) {
+            throw unauthorized("Authenticated user is required");
+        }
+        if (requestType === "agent" && !req.body.agentName) {
+            if (!inviteAlreadyAccepted ||
+                !existingJoinRequestForInvite?.agentName) {
+                throw badRequest("agentName is required for agent join requests");
+            }
+        }
+        const adapterType = req.body.adapterType ?? null;
+        if (inviteAlreadyAccepted &&
+            !canReplayOpenClawGatewayInviteAccept({
+                requestType,
+                adapterType,
+                existingJoinRequest: existingJoinRequestForInvite
+            })) {
+            throw notFound("Invite not found");
+        }
+        const replayJoinRequestId = inviteAlreadyAccepted
+            ? existingJoinRequestForInvite?.id ?? null
+            : null;
+        if (inviteAlreadyAccepted && !replayJoinRequestId) {
+            throw conflict("Join request not found");
+        }
+        const replayMergedDefaults = inviteAlreadyAccepted
+            ? mergeJoinDefaultsPayloadForReplay(existingJoinRequestForInvite?.agentDefaultsPayload ?? null, req.body.agentDefaultsPayload ?? null)
+            : req.body.agentDefaultsPayload ?? null;
+        const gatewayDefaultsPayload = requestType === "agent"
+            ? buildJoinDefaultsPayloadForAccept({
+                adapterType,
+                defaultsPayload: replayMergedDefaults,
+                fideliosApiUrl: req.body.fideliosApiUrl ?? null,
+                inboundOpenClawAuthHeader: req.header("x-openclaw-auth") ?? null,
+                inboundOpenClawTokenHeader: req.header("x-openclaw-token") ?? null
+            })
+            : null;
+        const joinDefaults = requestType === "agent"
+            ? normalizeAgentDefaultsForJoin({
+                adapterType,
+                defaultsPayload: gatewayDefaultsPayload,
+                deploymentMode: opts.deploymentMode,
+                deploymentExposure: opts.deploymentExposure,
+                bindHost: opts.bindHost,
+                allowedHostnames: opts.allowedHostnames
+            })
+            : {
+                normalized: null,
+                diagnostics: [],
+                fatalErrors: []
+            };
+        if (requestType === "agent" && joinDefaults.fatalErrors.length > 0) {
+            throw badRequest(joinDefaults.fatalErrors.join("; "));
+        }
+        if (requestType === "agent" && adapterType === "openclaw_gateway") {
+            logger.info({
+                inviteId: invite.id,
+                joinRequestDiagnostics: joinDefaults.diagnostics.map((diag) => ({
+                    code: diag.code,
+                    level: diag.level
+                })),
+                normalizedAgentDefaults: summarizeOpenClawGatewayDefaultsForLog(joinDefaults.normalized)
+            }, "invite accept normalized OpenClaw gateway defaults");
+        }
+        const claimSecret = requestType === "agent" && !inviteAlreadyAccepted
+            ? createClaimSecret()
+            : null;
+        const claimSecretHash = claimSecret ? hashToken(claimSecret) : null;
+        const claimSecretExpiresAt = claimSecret
+            ? new Date(Date.now() + 7 * 24 * 60 * 60 * 1000)
+            : null;
+        const actorEmail = requestType === "human" ? await resolveActorEmail(db, req) : null;
+        const created = !inviteAlreadyAccepted
+            ? await db.transaction(async (tx) => {
+                await tx
+                    .update(invites)
+                    .set({ acceptedAt: new Date(), updatedAt: new Date() })
+                    .where(and(eq(invites.id, invite.id), isNull(invites.acceptedAt), isNull(invites.revokedAt)));
+                const row = await tx
+                    .insert(joinRequests)
+                    .values({
+                    inviteId: invite.id,
+                    companyId,
+                    requestType,
+                    status: "pending_approval",
+                    requestIp: requestIp(req),
+                    requestingUserId: requestType === "human"
+                        ? req.actor.userId ?? "local-board"
+                        : null,
+                    requestEmailSnapshot: requestType === "human" ? actorEmail : null,
+                    agentName: requestType === "agent" ? req.body.agentName : null,
+                    adapterType: requestType === "agent" ? adapterType : null,
+                    capabilities: requestType === "agent"
+                        ? req.body.capabilities ?? null
+                        : null,
+                    agentDefaultsPayload: requestType === "agent" ? joinDefaults.normalized : null,
+                    claimSecretHash,
+                    claimSecretExpiresAt
+                })
+                    .returning()
+                    .then((rows) => rows[0]);
+                return row;
+            })
+            : await db
+                .update(joinRequests)
+                .set({
+                requestIp: requestIp(req),
+                agentName: requestType === "agent"
+                    ? req.body.agentName ??
+                        existingJoinRequestForInvite?.agentName ??
+                        null
+                    : null,
+                capabilities: requestType === "agent"
+                    ? req.body.capabilities ??
+                        existingJoinRequestForInvite?.capabilities ??
+                        null
+                    : null,
+                adapterType: requestType === "agent" ? adapterType : null,
+                agentDefaultsPayload: requestType === "agent" ? joinDefaults.normalized : null,
+                updatedAt: new Date()
+            })
+                .where(eq(joinRequests.id, replayJoinRequestId))
+                .returning()
+                .then((rows) => rows[0]);
+        if (!created) {
+            throw conflict("Join request not found");
+        }
+        if (inviteAlreadyAccepted &&
+            requestType === "agent" &&
+            adapterType === "openclaw_gateway" &&
+            created.status === "approved" &&
+            created.createdAgentId) {
+            const existingAgent = await agents.getById(created.createdAgentId);
+            if (!existingAgent) {
+                throw conflict("Approved join request agent not found");
+            }
+            const existingAdapterConfig = isPlainObject(existingAgent.adapterConfig)
+                ? existingAgent.adapterConfig
+                : {};
+            const nextAdapterConfig = {
+                ...existingAdapterConfig,
+                ...(joinDefaults.normalized ?? {})
+            };
+            const updatedAgent = await agents.update(created.createdAgentId, {
+                adapterType,
+                adapterConfig: nextAdapterConfig
+            });
+            if (!updatedAgent) {
+                throw conflict("Approved join request agent not found");
+            }
+            await logActivity(db, {
+                companyId,
+                actorType: req.actor.type === "agent" ? "agent" : "user",
+                actorId: req.actor.type === "agent"
+                    ? req.actor.agentId ?? "invite-agent"
+                    : req.actor.userId ?? "board",
+                action: "agent.updated_from_join_replay",
+                entityType: "agent",
+                entityId: updatedAgent.id,
+                details: { inviteId: invite.id, joinRequestId: created.id }
+            });
+        }
+        if (requestType === "agent" && adapterType === "openclaw_gateway") {
+            const expectedDefaults = summarizeOpenClawGatewayDefaultsForLog(joinDefaults.normalized);
+            const persistedDefaults = summarizeOpenClawGatewayDefaultsForLog(created.agentDefaultsPayload);
+            const missingPersistedFields = [];
+            if (expectedDefaults.url && !persistedDefaults.url)
+                missingPersistedFields.push("url");
+            if (expectedDefaults.fideliosApiUrl &&
+                !persistedDefaults.fideliosApiUrl) {
+                missingPersistedFields.push("fideliosApiUrl");
+            }
+            if (expectedDefaults.gatewayToken && !persistedDefaults.gatewayToken) {
+                missingPersistedFields.push("headers.x-openclaw-token");
+            }
+            if (expectedDefaults.devicePrivateKeyPem &&
+                !persistedDefaults.devicePrivateKeyPem) {
+                missingPersistedFields.push("devicePrivateKeyPem");
+            }
+            if (expectedDefaults.headerKeys.length > 0 &&
+                persistedDefaults.headerKeys.length === 0) {
+                missingPersistedFields.push("headers");
+            }
+            logger.info({
+                inviteId: invite.id,
+                joinRequestId: created.id,
+                joinRequestStatus: created.status,
+                expectedDefaults,
+                persistedDefaults,
+                diagnostics: joinDefaults.diagnostics.map((diag) => ({
+                    code: diag.code,
+                    level: diag.level,
+                    message: diag.message,
+                    hint: diag.hint ?? null
+                }))
+            }, "invite accept persisted OpenClaw gateway join request");
+            if (missingPersistedFields.length > 0) {
+                logger.warn({
+                    inviteId: invite.id,
+                    joinRequestId: created.id,
+                    missingPersistedFields
+                }, "invite accept detected missing persisted OpenClaw gateway defaults");
+            }
+        }
+        await logActivity(db, {
+            companyId,
+            actorType: req.actor.type === "agent" ? "agent" : "user",
+            actorId: req.actor.type === "agent"
+                ? req.actor.agentId ?? "invite-agent"
+                : req.actor.userId ??
+                    (requestType === "agent" ? "invite-anon" : "board"),
+            action: inviteAlreadyAccepted
+                ? "join.request_replayed"
+                : "join.requested",
+            entityType: "join_request",
+            entityId: created.id,
+            details: {
+                requestType,
+                requestIp: created.requestIp,
+                inviteReplay: inviteAlreadyAccepted
+            }
+        });
+        const response = toJoinRequestResponse(created);
+        if (claimSecret) {
+            const onboardingManifest = buildInviteOnboardingManifest(req, token, invite, opts);
+            res.status(202).json({
+                ...response,
+                claimSecret,
+                claimApiKeyPath: `/api/join-requests/${created.id}/claim-api-key`,
+                onboarding: onboardingManifest.onboarding,
+                diagnostics: joinDefaults.diagnostics
+            });
+            return;
+        }
+        res.status(202).json({
+            ...response,
+            ...(joinDefaults.diagnostics.length > 0
+                ? { diagnostics: joinDefaults.diagnostics }
+                : {})
+        });
+    });
+    router.post("/invites/:inviteId/revoke", async (req, res) => {
+        const id = req.params.inviteId;
+        const invite = await db
+            .select()
+            .from(invites)
+            .where(eq(invites.id, id))
+            .then((rows) => rows[0] ?? null);
+        if (!invite)
+            throw notFound("Invite not found");
+        if (invite.inviteType === "bootstrap_ceo") {
+            await assertInstanceAdmin(req);
+        }
+        else {
+            if (!invite.companyId)
+                throw conflict("Invite is missing company scope");
+            await assertCompanyPermission(req, invite.companyId, "users:invite");
+        }
+        if (invite.acceptedAt)
+            throw conflict("Invite already consumed");
+        if (invite.revokedAt)
+            return res.json(invite);
+        const revoked = await db
+            .update(invites)
+            .set({ revokedAt: new Date(), updatedAt: new Date() })
+            .where(eq(invites.id, id))
+            .returning()
+            .then((rows) => rows[0]);
+        if (invite.companyId) {
+            await logActivity(db, {
+                companyId: invite.companyId,
+                actorType: req.actor.type === "agent" ? "agent" : "user",
+                actorId: req.actor.type === "agent"
+                    ? req.actor.agentId ?? "unknown-agent"
+                    : req.actor.userId ?? "board",
+                action: "invite.revoked",
+                entityType: "invite",
+                entityId: id
+            });
+        }
+        res.json(revoked);
+    });
+    router.get("/companies/:companyId/join-requests", async (req, res) => {
+        const companyId = req.params.companyId;
+        await assertCompanyPermission(req, companyId, "joins:approve");
+        const query = listJoinRequestsQuerySchema.parse(req.query);
+        const all = await db
+            .select()
+            .from(joinRequests)
+            .where(eq(joinRequests.companyId, companyId))
+            .orderBy(desc(joinRequests.createdAt));
+        const filtered = all.filter((row) => {
+            if (query.status && row.status !== query.status)
+                return false;
+            if (query.requestType && row.requestType !== query.requestType)
+                return false;
+            return true;
+        });
+        res.json(filtered.map(toJoinRequestResponse));
+    });
+    router.post("/companies/:companyId/join-requests/:requestId/approve", async (req, res) => {
+        const companyId = req.params.companyId;
+        const requestId = req.params.requestId;
+        await assertCompanyPermission(req, companyId, "joins:approve");
+        const existing = await db
+            .select()
+            .from(joinRequests)
+            .where(and(eq(joinRequests.companyId, companyId), eq(joinRequests.id, requestId)))
+            .then((rows) => rows[0] ?? null);
+        if (!existing)
+            throw notFound("Join request not found");
+        if (existing.status !== "pending_approval")
+            throw conflict("Join request is not pending");
+        const invite = await db
+            .select()
+            .from(invites)
+            .where(eq(invites.id, existing.inviteId))
+            .then((rows) => rows[0] ?? null);
+        if (!invite)
+            throw notFound("Invite not found");
+        let createdAgentId = existing.createdAgentId ?? null;
+        if (existing.requestType === "human") {
+            if (!existing.requestingUserId)
+                throw conflict("Join request missing user identity");
+            await access.ensureMembership(companyId, "user", existing.requestingUserId, "member", "active");
+            const grants = grantsFromDefaults(invite.defaultsPayload, "human");
+            await access.setPrincipalGrants(companyId, "user", existing.requestingUserId, grants, req.actor.userId ?? null);
+        }
+        else {
+            const existingAgents = await agents.list(companyId);
+            const managerId = resolveJoinRequestAgentManagerId(existingAgents);
+            if (!managerId) {
+                throw conflict("Join request cannot be approved because this company has no active CEO");
+            }
+            const agentName = deduplicateAgentName(existing.agentName ?? "New Agent", existingAgents.map((a) => ({
+                id: a.id,
+                name: a.name,
+                status: a.status
+            })));
+            const created = await agents.create(companyId, {
+                name: agentName,
+                role: "general",
+                title: null,
+                status: "idle",
+                reportsTo: managerId,
+                capabilities: existing.capabilities ?? null,
+                adapterType: existing.adapterType ?? "process",
+                adapterConfig: existing.agentDefaultsPayload &&
+                    typeof existing.agentDefaultsPayload === "object"
+                    ? existing.agentDefaultsPayload
+                    : {},
+                runtimeConfig: {},
+                budgetMonthlyCents: 0,
+                spentMonthlyCents: 0,
+                permissions: {},
+                lastHeartbeatAt: null,
+                metadata: null
+            });
+            createdAgentId = created.id;
+            await access.ensureMembership(companyId, "agent", created.id, "member", "active");
+            const grants = agentJoinGrantsFromDefaults(invite.defaultsPayload);
+            await access.setPrincipalGrants(companyId, "agent", created.id, grants, req.actor.userId ?? null);
+        }
+        const approved = await db
+            .update(joinRequests)
+            .set({
+            status: "approved",
+            approvedByUserId: req.actor.userId ?? (isLocalImplicit(req) ? "local-board" : null),
+            approvedAt: new Date(),
+            createdAgentId,
+            updatedAt: new Date()
+        })
+            .where(eq(joinRequests.id, requestId))
+            .returning()
+            .then((rows) => rows[0]);
+        await logActivity(db, {
+            companyId,
+            actorType: "user",
+            actorId: req.actor.userId ?? "board",
+            action: "join.approved",
+            entityType: "join_request",
+            entityId: requestId,
+            details: { requestType: existing.requestType, createdAgentId }
+        });
+        if (createdAgentId) {
+            void notifyHireApproved(db, {
+                companyId,
+                agentId: createdAgentId,
+                source: "join_request",
+                sourceId: requestId,
+                approvedAt: new Date()
+            }).catch(() => { });
+        }
+        res.json(toJoinRequestResponse(approved));
+    });
+    router.post("/companies/:companyId/join-requests/:requestId/reject", async (req, res) => {
+        const companyId = req.params.companyId;
+        const requestId = req.params.requestId;
+        await assertCompanyPermission(req, companyId, "joins:approve");
+        const existing = await db
+            .select()
+            .from(joinRequests)
+            .where(and(eq(joinRequests.companyId, companyId), eq(joinRequests.id, requestId)))
+            .then((rows) => rows[0] ?? null);
+        if (!existing)
+            throw notFound("Join request not found");
+        if (existing.status !== "pending_approval")
+            throw conflict("Join request is not pending");
+        const rejected = await db
+            .update(joinRequests)
+            .set({
+            status: "rejected",
+            rejectedByUserId: req.actor.userId ?? (isLocalImplicit(req) ? "local-board" : null),
+            rejectedAt: new Date(),
+            updatedAt: new Date()
+        })
+            .where(eq(joinRequests.id, requestId))
+            .returning()
+            .then((rows) => rows[0]);
+        await logActivity(db, {
+            companyId,
+            actorType: "user",
+            actorId: req.actor.userId ?? "board",
+            action: "join.rejected",
+            entityType: "join_request",
+            entityId: requestId,
+            details: { requestType: existing.requestType }
+        });
+        res.json(toJoinRequestResponse(rejected));
+    });
+    router.post("/join-requests/:requestId/claim-api-key", validate(claimJoinRequestApiKeySchema), async (req, res) => {
+        const requestId = req.params.requestId;
+        const presentedClaimSecretHash = hashToken(req.body.claimSecret);
+        const joinRequest = await db
+            .select()
+            .from(joinRequests)
+            .where(eq(joinRequests.id, requestId))
+            .then((rows) => rows[0] ?? null);
+        if (!joinRequest)
+            throw notFound("Join request not found");
+        if (joinRequest.requestType !== "agent")
+            throw badRequest("Only agent join requests can claim API keys");
+        if (joinRequest.status !== "approved")
+            throw conflict("Join request must be approved before key claim");
+        if (!joinRequest.createdAgentId)
+            throw conflict("Join request has no created agent");
+        if (!joinRequest.claimSecretHash)
+            throw conflict("Join request is missing claim secret metadata");
+        if (!tokenHashesMatch(joinRequest.claimSecretHash, presentedClaimSecretHash)) {
+            throw forbidden("Invalid claim secret");
+        }
+        if (joinRequest.claimSecretExpiresAt &&
+            joinRequest.claimSecretExpiresAt.getTime() <= Date.now()) {
+            throw conflict("Claim secret expired");
+        }
+        if (joinRequest.claimSecretConsumedAt)
+            throw conflict("Claim secret already used");
+        const existingKey = await db
+            .select({ id: agentApiKeys.id })
+            .from(agentApiKeys)
+            .where(eq(agentApiKeys.agentId, joinRequest.createdAgentId))
+            .then((rows) => rows[0] ?? null);
+        if (existingKey)
+            throw conflict("API key already claimed");
+        const consumed = await db
+            .update(joinRequests)
+            .set({ claimSecretConsumedAt: new Date(), updatedAt: new Date() })
+            .where(and(eq(joinRequests.id, requestId), isNull(joinRequests.claimSecretConsumedAt)))
+            .returning({ id: joinRequests.id })
+            .then((rows) => rows[0] ?? null);
+        if (!consumed)
+            throw conflict("Claim secret already used");
+        const created = await agents.createApiKey(joinRequest.createdAgentId, "initial-join-key");
+        await logActivity(db, {
+            companyId: joinRequest.companyId,
+            actorType: "system",
+            actorId: "join-claim",
+            action: "agent_api_key.claimed",
+            entityType: "agent_api_key",
+            entityId: created.id,
+            details: {
+                agentId: joinRequest.createdAgentId,
+                joinRequestId: requestId
+            }
+        });
+        res.status(201).json({
+            keyId: created.id,
+            token: created.token,
+            agentId: joinRequest.createdAgentId,
+            createdAt: created.createdAt
+        });
+    });
+    router.get("/companies/:companyId/members", async (req, res) => {
+        const companyId = req.params.companyId;
+        await assertCompanyPermission(req, companyId, "users:manage_permissions");
+        const members = await access.listMembers(companyId);
+        res.json(members);
+    });
+    router.patch("/companies/:companyId/members/:memberId/permissions", validate(updateMemberPermissionsSchema), async (req, res) => {
+        const companyId = req.params.companyId;
+        const memberId = req.params.memberId;
+        await assertCompanyPermission(req, companyId, "users:manage_permissions");
+        const updated = await access.setMemberPermissions(companyId, memberId, req.body.grants ?? [], req.actor.userId ?? null);
+        if (!updated)
+            throw notFound("Member not found");
+        res.json(updated);
+    });
+    router.post("/admin/users/:userId/promote-instance-admin", async (req, res) => {
+        await assertInstanceAdmin(req);
+        const userId = req.params.userId;
+        const result = await access.promoteInstanceAdmin(userId);
+        res.status(201).json(result);
+    });
+    router.post("/admin/users/:userId/demote-instance-admin", async (req, res) => {
+        await assertInstanceAdmin(req);
+        const userId = req.params.userId;
+        const removed = await access.demoteInstanceAdmin(userId);
+        if (!removed)
+            throw notFound("Instance admin role not found");
+        res.json(removed);
+    });
+    router.get("/admin/users/:userId/company-access", async (req, res) => {
+        await assertInstanceAdmin(req);
+        const userId = req.params.userId;
+        const memberships = await access.listUserCompanyAccess(userId);
+        res.json(memberships);
+    });
+    router.put("/admin/users/:userId/company-access", validate(updateUserCompanyAccessSchema), async (req, res) => {
+        await assertInstanceAdmin(req);
+        const userId = req.params.userId;
+        const memberships = await access.setUserCompanyAccess(userId, req.body.companyIds ?? []);
+        res.json(memberships);
+    });
+    return router;
+}
+//# sourceMappingURL=access.js.map