agor-live 0.21.2 → 0.22.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (431) hide show
  1. package/dist/cli/commands/branch/env/restart.js +1 -1
  2. package/dist/cli/commands/branch/env/start.js +1 -1
  3. package/dist/cli/commands/branch/env/stop.js +1 -1
  4. package/dist/core/api/index.cjs +5 -1
  5. package/dist/core/api/index.d.ts +6 -1
  6. package/dist/core/api/index.d.ts.map +1 -1
  7. package/dist/core/api/index.js +5 -1
  8. package/dist/core/claude/index.cjs +162 -14
  9. package/dist/core/claude/index.js +166 -18
  10. package/dist/core/client/index.cjs +43 -3
  11. package/dist/core/client/index.js +37 -3
  12. package/dist/core/config/browser.cjs +2 -2
  13. package/dist/core/config/browser.js +2 -2
  14. package/dist/core/config/config-manager.d.ts.map +1 -1
  15. package/dist/core/config/constants.d.ts +1 -1
  16. package/dist/core/config/index.cjs +174 -20
  17. package/dist/core/config/index.js +178 -24
  18. package/dist/core/config/types.d.ts +8 -0
  19. package/dist/core/config/types.d.ts.map +1 -1
  20. package/dist/core/db/index.cjs +495 -86
  21. package/dist/core/db/index.js +482 -75
  22. package/dist/core/db/repositories/artifacts.d.ts.map +1 -1
  23. package/dist/core/db/repositories/branches.d.ts +13 -1
  24. package/dist/core/db/repositories/branches.d.ts.map +1 -1
  25. package/dist/core/db/repositories/gateway-channels.d.ts.map +1 -1
  26. package/dist/core/db/repositories/index.d.ts +1 -0
  27. package/dist/core/db/repositories/index.d.ts.map +1 -1
  28. package/dist/core/db/repositories/session-relationships.d.ts +30 -0
  29. package/dist/core/db/repositories/session-relationships.d.ts.map +1 -0
  30. package/dist/core/db/repositories/users.d.ts +11 -0
  31. package/dist/core/db/repositories/users.d.ts.map +1 -1
  32. package/dist/core/db/schema.d.ts +421 -4
  33. package/dist/core/db/schema.d.ts.map +1 -1
  34. package/dist/core/db/schema.postgres.d.ts +226 -2
  35. package/dist/core/db/schema.postgres.d.ts.map +1 -1
  36. package/dist/core/db/schema.sqlite.d.ts +228 -2
  37. package/dist/core/db/schema.sqlite.d.ts.map +1 -1
  38. package/dist/core/drizzle/postgres/0050_artifact_source_session.sql +3 -0
  39. package/dist/core/drizzle/postgres/0051_session_relationships.sql +26 -0
  40. package/dist/core/drizzle/postgres/meta/_journal.json +14 -0
  41. package/dist/core/drizzle/sqlite/0059_artifact_source_session.sql +2 -0
  42. package/dist/core/drizzle/sqlite/0060_session_relationships.sql +23 -0
  43. package/dist/core/drizzle/sqlite/meta/_journal.json +14 -0
  44. package/dist/core/gateway/connector-registry.d.ts.map +1 -1
  45. package/dist/core/gateway/connector.d.ts +22 -0
  46. package/dist/core/gateway/connector.d.ts.map +1 -1
  47. package/dist/core/gateway/connectors/slack.d.ts +35 -3
  48. package/dist/core/gateway/connectors/slack.d.ts.map +1 -1
  49. package/dist/core/gateway/connectors/teams.d.ts +107 -0
  50. package/dist/core/gateway/connectors/teams.d.ts.map +1 -0
  51. package/dist/core/gateway/context.d.ts.map +1 -1
  52. package/dist/core/gateway/index.cjs +552 -52
  53. package/dist/core/gateway/index.d.ts +3 -2
  54. package/dist/core/gateway/index.d.ts.map +1 -1
  55. package/dist/core/gateway/index.js +544 -52
  56. package/dist/core/gateway/system-message.d.ts +21 -0
  57. package/dist/core/gateway/system-message.d.ts.map +1 -1
  58. package/dist/core/index.cjs +616 -127
  59. package/dist/core/index.js +597 -116
  60. package/dist/core/mcp/index.cjs +146 -9
  61. package/dist/core/mcp/index.js +146 -9
  62. package/dist/core/mcp/template-resolver.d.ts.map +1 -1
  63. package/dist/core/seed/index.cjs +375 -59
  64. package/dist/core/seed/index.js +378 -62
  65. package/dist/core/sessions/index.cjs +19 -0
  66. package/dist/core/sessions/index.js +19 -0
  67. package/dist/core/templates/agor-system-prompt.md +21 -53
  68. package/dist/core/templates/session-context.cjs +2 -73
  69. package/dist/core/templates/session-context.d.ts +9 -53
  70. package/dist/core/templates/session-context.d.ts.map +1 -1
  71. package/dist/core/templates/session-context.js +2 -72
  72. package/dist/core/tools/mcp/jwt-auth.cjs +2 -20
  73. package/dist/core/tools/mcp/jwt-auth.d.ts.map +1 -1
  74. package/dist/core/tools/mcp/jwt-auth.js +2 -20
  75. package/dist/core/tools/mcp/oauth-mcp-transport.cjs +2 -15
  76. package/dist/core/tools/mcp/oauth-mcp-transport.d.ts.map +1 -1
  77. package/dist/core/tools/mcp/oauth-mcp-transport.js +2 -15
  78. package/dist/core/tools/mcp/oauth-refresh.cjs +167 -19
  79. package/dist/core/tools/mcp/oauth-refresh.js +167 -19
  80. package/dist/core/types/artifact.d.ts +5 -1
  81. package/dist/core/types/artifact.d.ts.map +1 -1
  82. package/dist/core/types/branch.d.ts +14 -0
  83. package/dist/core/types/branch.d.ts.map +1 -1
  84. package/dist/core/types/gateway.d.ts +1 -1
  85. package/dist/core/types/gateway.d.ts.map +1 -1
  86. package/dist/core/types/id.d.ts +1 -0
  87. package/dist/core/types/id.d.ts.map +1 -1
  88. package/dist/core/types/index.cjs +36 -0
  89. package/dist/core/types/index.js +30 -0
  90. package/dist/core/types/session.d.ts +65 -1
  91. package/dist/core/types/session.d.ts.map +1 -1
  92. package/dist/core/types/task.d.ts +9 -0
  93. package/dist/core/types/task.d.ts.map +1 -1
  94. package/dist/core/unix/index.cjs +371 -55
  95. package/dist/core/unix/index.js +374 -58
  96. package/dist/core/unix/unix-integration-service.d.ts +10 -7
  97. package/dist/core/unix/unix-integration-service.d.ts.map +1 -1
  98. package/dist/core/utils/permission-mode-mapper.cjs +19 -0
  99. package/dist/core/utils/permission-mode-mapper.js +19 -0
  100. package/dist/daemon/declarations.d.ts +7 -0
  101. package/dist/daemon/declarations.d.ts.map +1 -1
  102. package/dist/daemon/hooks/gateway-route.d.ts.map +1 -1
  103. package/dist/daemon/hooks/gateway-route.js +53 -1
  104. package/dist/daemon/index.js +3760 -2107
  105. package/dist/daemon/main.js +3760 -2107
  106. package/dist/daemon/mcp/server.js +155 -17
  107. package/dist/daemon/mcp/tools/analytics.js +6 -7
  108. package/dist/daemon/mcp/tools/artifacts.d.ts.map +1 -1
  109. package/dist/daemon/mcp/tools/artifacts.js +7 -7
  110. package/dist/daemon/mcp/tools/boards.js +6 -7
  111. package/dist/daemon/mcp/tools/branches.js +6 -7
  112. package/dist/daemon/mcp/tools/card-types.js +6 -7
  113. package/dist/daemon/mcp/tools/cards.js +6 -7
  114. package/dist/daemon/mcp/tools/environment.d.ts.map +1 -1
  115. package/dist/daemon/mcp/tools/environment.js +19 -12
  116. package/dist/daemon/mcp/tools/knowledge.js +6 -7
  117. package/dist/daemon/mcp/tools/mcp-servers.js +6 -7
  118. package/dist/daemon/mcp/tools/messages.js +6 -7
  119. package/dist/daemon/mcp/tools/proxies.js +6 -7
  120. package/dist/daemon/mcp/tools/repos.js +6 -7
  121. package/dist/daemon/mcp/tools/schedules.js +6 -7
  122. package/dist/daemon/mcp/tools/search.js +6 -7
  123. package/dist/daemon/mcp/tools/sessions.d.ts.map +1 -1
  124. package/dist/daemon/mcp/tools/sessions.js +140 -11
  125. package/dist/daemon/mcp/tools/tasks.js +6 -7
  126. package/dist/daemon/mcp/tools/users.js +6 -7
  127. package/dist/daemon/mcp/tools/widgets.js +7 -8
  128. package/dist/daemon/register-hooks.d.ts +5 -1
  129. package/dist/daemon/register-hooks.d.ts.map +1 -1
  130. package/dist/daemon/register-hooks.js +404 -179
  131. package/dist/daemon/register-routes.d.ts.map +1 -1
  132. package/dist/daemon/register-routes.js +360 -162
  133. package/dist/daemon/register-services.d.ts.map +1 -1
  134. package/dist/daemon/register-services.js +1928 -671
  135. package/dist/daemon/services/artifacts.d.ts +10 -1
  136. package/dist/daemon/services/artifacts.d.ts.map +1 -1
  137. package/dist/daemon/services/artifacts.js +25 -1
  138. package/dist/daemon/services/branches.d.ts +11 -1
  139. package/dist/daemon/services/branches.d.ts.map +1 -1
  140. package/dist/daemon/services/branches.js +470 -184
  141. package/dist/daemon/services/claude-models.js +879 -339
  142. package/dist/daemon/services/gateway.d.ts +58 -2
  143. package/dist/daemon/services/gateway.d.ts.map +1 -1
  144. package/dist/daemon/services/gateway.js +590 -47
  145. package/dist/daemon/services/groups.d.ts +2 -0
  146. package/dist/daemon/services/groups.d.ts.map +1 -1
  147. package/dist/daemon/services/groups.js +56 -0
  148. package/dist/daemon/services/mcp-servers.d.ts.map +1 -1
  149. package/dist/daemon/services/mcp-servers.js +0 -6
  150. package/dist/daemon/services/scheduler.d.ts.map +1 -1
  151. package/dist/daemon/services/scheduler.js +6 -2
  152. package/dist/daemon/services/sessions.d.ts +11 -3
  153. package/dist/daemon/services/sessions.d.ts.map +1 -1
  154. package/dist/daemon/services/sessions.js +68 -7
  155. package/dist/daemon/services/tasks.d.ts +13 -2
  156. package/dist/daemon/services/tasks.d.ts.map +1 -1
  157. package/dist/daemon/services/tasks.js +42 -26
  158. package/dist/daemon/startup.js +6 -2
  159. package/dist/daemon/utils/session-stop.d.ts +43 -0
  160. package/dist/daemon/utils/session-stop.d.ts.map +1 -0
  161. package/dist/daemon/utils/session-stop.js +102 -0
  162. package/dist/daemon/utils/session-task-state.d.ts +7 -2
  163. package/dist/daemon/utils/session-task-state.d.ts.map +1 -1
  164. package/dist/daemon/utils/session-task-state.js +9 -3
  165. package/dist/daemon/utils/session-tasks.d.ts +4 -4
  166. package/dist/daemon/utils/session-tasks.d.ts.map +1 -1
  167. package/dist/daemon/utils/session-tasks.js +4 -8
  168. package/dist/executor/commands/environment.d.ts +13 -0
  169. package/dist/executor/commands/environment.d.ts.map +1 -0
  170. package/dist/executor/commands/environment.js +287 -0
  171. package/dist/executor/commands/index.d.ts.map +1 -1
  172. package/dist/executor/commands/index.js +5 -1
  173. package/dist/executor/commands/unix.d.ts +8 -1
  174. package/dist/executor/commands/unix.d.ts.map +1 -1
  175. package/dist/executor/commands/unix.js +157 -2
  176. package/dist/executor/payload-types.d.ts +201 -5
  177. package/dist/executor/payload-types.d.ts.map +1 -1
  178. package/dist/executor/payload-types.js +98 -0
  179. package/dist/executor/sdk-handlers/base/mcp-scoping.d.ts.map +1 -1
  180. package/dist/executor/sdk-handlers/base/mcp-scoping.js +14 -0
  181. package/dist/executor/sdk-handlers/claude/message-processor.d.ts.map +1 -1
  182. package/dist/executor/sdk-handlers/claude/message-processor.js +0 -1
  183. package/dist/executor/sdk-handlers/claude/query-builder.d.ts +1 -0
  184. package/dist/executor/sdk-handlers/claude/query-builder.d.ts.map +1 -1
  185. package/dist/executor/sdk-handlers/claude/query-builder.js +91 -39
  186. package/dist/executor/sdk-handlers/codex/prompt-service.d.ts +12 -5
  187. package/dist/executor/sdk-handlers/codex/prompt-service.d.ts.map +1 -1
  188. package/dist/executor/sdk-handlers/codex/prompt-service.js +72 -30
  189. package/dist/executor/sdk-handlers/copilot/prompt-service.d.ts +2 -4
  190. package/dist/executor/sdk-handlers/copilot/prompt-service.d.ts.map +1 -1
  191. package/dist/executor/sdk-handlers/copilot/prompt-service.js +4 -13
  192. package/dist/executor/sdk-handlers/gemini/prompt-service.d.ts +2 -4
  193. package/dist/executor/sdk-handlers/gemini/prompt-service.d.ts.map +1 -1
  194. package/dist/executor/sdk-handlers/gemini/prompt-service.js +4 -13
  195. package/dist/ui/assets/App-DcEY8Ota.js +3 -0
  196. package/dist/ui/assets/App-DcEY8Ota.js.gz +0 -0
  197. package/dist/ui/assets/{ArtifactConsentModal-ParNk5kW.js → ArtifactConsentModal-CiCbK9iv.js} +1 -1
  198. package/dist/ui/assets/ArtifactConsentModal-CiCbK9iv.js.gz +0 -0
  199. package/dist/ui/assets/ArtifactFullscreenPage-CfsTEGKd.js +9 -0
  200. package/dist/ui/assets/ArtifactFullscreenPage-CfsTEGKd.js.gz +0 -0
  201. package/dist/ui/assets/AutocompleteTextarea-BAFFH_5e.js +18 -0
  202. package/dist/ui/assets/AutocompleteTextarea-BAFFH_5e.js.gz +0 -0
  203. package/dist/ui/assets/BoardObjectNodes-D-O6bZIG.js +34 -0
  204. package/dist/ui/assets/BoardObjectNodes-D-O6bZIG.js.gz +0 -0
  205. package/dist/ui/assets/{CodeEditor.inner-D51Z_CLQ.js → CodeEditor.inner-DBgsP4tn.js} +2 -2
  206. package/dist/ui/assets/CodeEditor.inner-DBgsP4tn.js.gz +0 -0
  207. package/dist/ui/assets/ConversationView-CUWR0gR6.js +1 -0
  208. package/dist/ui/assets/ConversationView-CUWR0gR6.js.gz +0 -0
  209. package/dist/ui/assets/KnowledgePage-B2bzlXfn.js +24 -0
  210. package/dist/ui/assets/KnowledgePage-B2bzlXfn.js.gz +0 -0
  211. package/dist/ui/assets/MarketingScreenshotPage-9Qd7eZsm.css +1 -0
  212. package/dist/ui/assets/MarketingScreenshotPage-zv5RUCuV.js +143 -0
  213. package/dist/ui/assets/MarketingScreenshotPage-zv5RUCuV.js.gz +0 -0
  214. package/dist/ui/assets/MobileApp-VgVnsnsN.js +1 -0
  215. package/dist/ui/assets/MobileApp-VgVnsnsN.js.gz +0 -0
  216. package/dist/ui/assets/SessionCanvas-f1-1Gbcw.js +20 -0
  217. package/dist/ui/assets/SessionCanvas-f1-1Gbcw.js.gz +0 -0
  218. package/dist/ui/assets/{App-BAdBsEnV.css → SessionCanvas-mEmYGZhC.css} +1 -1
  219. package/dist/ui/assets/SessionCanvas-mEmYGZhC.css.gz +0 -0
  220. package/dist/ui/assets/{StreamdownDemoPage-B9wbgp2s.js → StreamdownDemoPage-wzWaqWwr.js} +1 -1
  221. package/dist/ui/assets/StreamdownDemoPage-wzWaqWwr.js.gz +0 -0
  222. package/dist/ui/assets/{ThemeSwitcher-ubn6IOz9.js → ThemeSwitcher-Dly2y9pi.js} +1 -1
  223. package/dist/ui/assets/ThemeSwitcher-Dly2y9pi.js.gz +0 -0
  224. package/dist/ui/assets/antd-CfbbHJOz.js +401 -0
  225. package/dist/ui/assets/antd-CfbbHJOz.js.gz +0 -0
  226. package/dist/ui/assets/architecture-U656AL7Q-CykGFbQU.js +1 -0
  227. package/dist/ui/assets/{architectureDiagram-VXUJARFQ-ChmZt3zk.js → architectureDiagram-VXUJARFQ-C8HXAenz.js} +1 -1
  228. package/dist/ui/assets/architectureDiagram-VXUJARFQ-C8HXAenz.js.gz +0 -0
  229. package/dist/ui/assets/{blockDiagram-VD42YOAC-CzGHAHao.js → blockDiagram-VD42YOAC-BhZaEN19.js} +1 -1
  230. package/dist/ui/assets/blockDiagram-VD42YOAC-BhZaEN19.js.gz +0 -0
  231. package/dist/ui/assets/{c4Diagram-YG6GDRKO-DscJyaWN.js → c4Diagram-YG6GDRKO-Dk_UH-sY.js} +1 -1
  232. package/dist/ui/assets/c4Diagram-YG6GDRKO-Dk_UH-sY.js.gz +0 -0
  233. package/dist/ui/assets/channel-D6_nUWlW.js +1 -0
  234. package/dist/ui/assets/{chunk-4BX2VUAB-DoWpTvP8.js → chunk-4BX2VUAB-XprbG2TG.js} +1 -1
  235. package/dist/ui/assets/chunk-55IACEB6-ByzqIgSb.js +1 -0
  236. package/dist/ui/assets/{chunk-ABZYJK2D-RzDCrjE6.js → chunk-ABZYJK2D-BJcrryHK.js} +1 -1
  237. package/dist/ui/assets/chunk-ABZYJK2D-BJcrryHK.js.gz +0 -0
  238. package/dist/ui/assets/{chunk-AGHRB4JF-jidCS5Of.js → chunk-AGHRB4JF-DvxmfbM0.js} +1 -1
  239. package/dist/ui/assets/chunk-AGHRB4JF-DvxmfbM0.js.gz +0 -0
  240. package/dist/ui/assets/{chunk-ATLVNIR6-BEIIfJtC.js → chunk-ATLVNIR6-DbeJ0OrR.js} +1 -1
  241. package/dist/ui/assets/chunk-ATLVNIR6-DbeJ0OrR.js.gz +0 -0
  242. package/dist/ui/assets/{chunk-B4BG7PRW-B8b6dQQ2.js → chunk-B4BG7PRW-C53q2ggf.js} +1 -1
  243. package/dist/ui/assets/chunk-B4BG7PRW-C53q2ggf.js.gz +0 -0
  244. package/dist/ui/assets/{chunk-CVBHYZKI-D-mQAfrk.js → chunk-CVBHYZKI-B3EBSlb3.js} +1 -1
  245. package/dist/ui/assets/{chunk-DI55MBZ5-BfATX3V8.js → chunk-DI55MBZ5-vIyNEQN-.js} +1 -1
  246. package/dist/ui/assets/chunk-DI55MBZ5-vIyNEQN-.js.gz +0 -0
  247. package/dist/ui/assets/chunk-EXTU4WIE-B3ObkuOm.js +1 -0
  248. package/dist/ui/assets/{chunk-FMBD7UC4-fqXscNvc.js → chunk-FMBD7UC4-rddmfK-Z.js} +1 -1
  249. package/dist/ui/assets/{chunk-HN2XXSSU-BCHvD80g.js → chunk-HN2XXSSU-Dttqcg3b.js} +1 -1
  250. package/dist/ui/assets/chunk-HN2XXSSU-Dttqcg3b.js.gz +0 -0
  251. package/dist/ui/assets/{chunk-JA3XYJ7Z-Cp6dqHnY.js → chunk-JA3XYJ7Z-DbNDev3D.js} +1 -1
  252. package/dist/ui/assets/chunk-JA3XYJ7Z-DbNDev3D.js.gz +0 -0
  253. package/dist/ui/assets/{chunk-JZLCHNYA-cKMooY3y.js → chunk-JZLCHNYA-EUmx2y4H.js} +1 -1
  254. package/dist/ui/assets/chunk-JZLCHNYA-EUmx2y4H.js.gz +0 -0
  255. package/dist/ui/assets/{chunk-MI3HLSF2-BlzO5wOE.js → chunk-MI3HLSF2-65n9Mkyc.js} +1 -1
  256. package/dist/ui/assets/chunk-MI3HLSF2-65n9Mkyc.js.gz +0 -0
  257. package/dist/ui/assets/chunk-N4CR4FBY-mv5koXqW.js +2 -0
  258. package/dist/ui/assets/chunk-N4CR4FBY-mv5koXqW.js.gz +0 -0
  259. package/dist/ui/assets/{chunk-QN33PNHL-DIHGQ_pd.js → chunk-QN33PNHL-DsRKK6NR.js} +1 -1
  260. package/dist/ui/assets/{chunk-QXUST7PY-C9l0muI0.js → chunk-QXUST7PY-BCYnMiS3.js} +1 -1
  261. package/dist/ui/assets/chunk-QXUST7PY-BCYnMiS3.js.gz +0 -0
  262. package/dist/ui/assets/chunk-QZHKN3VN-HucAw4xW.js +1 -0
  263. package/dist/ui/assets/{chunk-S3R3BYOJ-VJiLzt2o.js → chunk-S3R3BYOJ-CWMEa9Dc.js} +1 -1
  264. package/dist/ui/assets/chunk-S3R3BYOJ-CWMEa9Dc.js.gz +0 -0
  265. package/dist/ui/assets/{chunk-TZMSLE5B-DZwI0C_2.js → chunk-TZMSLE5B-BuQUQcTr.js} +1 -1
  266. package/dist/ui/assets/chunk-TZMSLE5B-BuQUQcTr.js.gz +0 -0
  267. package/dist/ui/assets/classDiagram-2ON5EDUG-CUT3rPTB.js +1 -0
  268. package/dist/ui/assets/classDiagram-v2-WZHVMYZB-CUT3rPTB.js +1 -0
  269. package/dist/ui/assets/{cose-bilkent-S5V4N54A-Ipik-oSD.js → cose-bilkent-S5V4N54A-CnPB3ARO.js} +1 -1
  270. package/dist/ui/assets/cose-bilkent-S5V4N54A-CnPB3ARO.js.gz +0 -0
  271. package/dist/ui/assets/cursor-QEb7m-rN.png +0 -0
  272. package/dist/ui/assets/{dagre-6UL2VRFP-BDpyWQnh.js → dagre-6UL2VRFP-DhS-k_Se.js} +1 -1
  273. package/dist/ui/assets/dagre-6UL2VRFP-DhS-k_Se.js.gz +0 -0
  274. package/dist/ui/assets/{dagre-CgA4KhUX.js → dagre-KgLoHEuy.js} +1 -1
  275. package/dist/ui/assets/dagre-KgLoHEuy.js.gz +0 -0
  276. package/dist/ui/assets/{diagram-PSM6KHXK-B4GRzxLJ.js → diagram-PSM6KHXK-BZg3MJmb.js} +1 -1
  277. package/dist/ui/assets/diagram-PSM6KHXK-BZg3MJmb.js.gz +0 -0
  278. package/dist/ui/assets/{diagram-QEK2KX5R-BWPW28XI.js → diagram-QEK2KX5R-BPCitvbo.js} +1 -1
  279. package/dist/ui/assets/diagram-QEK2KX5R-BPCitvbo.js.gz +0 -0
  280. package/dist/ui/assets/{diagram-S2PKOQOG-BIHhcGoV.js → diagram-S2PKOQOG-NW4uK6sx.js} +1 -1
  281. package/dist/ui/assets/diagram-S2PKOQOG-NW4uK6sx.js.gz +0 -0
  282. package/dist/ui/assets/{editor-C-HJ7Yw0.js → editor-CzFWIUw2.js} +1 -1
  283. package/dist/ui/assets/editor-CzFWIUw2.js.gz +0 -0
  284. package/dist/ui/assets/{emoji-D8F6B62m.js → emoji-Dkz4Zzv_.js} +1 -1
  285. package/dist/ui/assets/emoji-Dkz4Zzv_.js.gz +0 -0
  286. package/dist/ui/assets/{erDiagram-Q2GNP2WA-ubTaAFcK.js → erDiagram-Q2GNP2WA-me1fboaf.js} +1 -1
  287. package/dist/ui/assets/erDiagram-Q2GNP2WA-me1fboaf.js.gz +0 -0
  288. package/dist/ui/assets/{flowDiagram-NV44I4VS-BHLCTYjI.js → flowDiagram-NV44I4VS-DzE8dGsh.js} +1 -1
  289. package/dist/ui/assets/flowDiagram-NV44I4VS-DzE8dGsh.js.gz +0 -0
  290. package/dist/ui/assets/{ganttDiagram-LVOFAZNH-ClC3pay1.js → ganttDiagram-LVOFAZNH-CFQD09Mi.js} +2 -2
  291. package/dist/ui/assets/ganttDiagram-LVOFAZNH-CFQD09Mi.js.gz +0 -0
  292. package/dist/ui/assets/{gitGraph-F6HP7TQM-DghoobE6.js → gitGraph-F6HP7TQM-CfFE_uAC.js} +1 -1
  293. package/dist/ui/assets/{gitGraphDiagram-NY62KEGX-Clqpiswu.js → gitGraphDiagram-NY62KEGX-CaVoxU4C.js} +1 -1
  294. package/dist/ui/assets/gitGraphDiagram-NY62KEGX-CaVoxU4C.js.gz +0 -0
  295. package/dist/ui/assets/index-BN5_Qq7R.js +324 -0
  296. package/dist/ui/assets/index-BN5_Qq7R.js.gz +0 -0
  297. package/dist/ui/assets/index-DxuPq13l.css +1 -0
  298. package/dist/ui/assets/index-DxuPq13l.css.gz +0 -0
  299. package/dist/ui/assets/{info-NVLQJR56-0ZldEXPQ.js → info-NVLQJR56-i_xHYg3f.js} +1 -1
  300. package/dist/ui/assets/{infoDiagram-ER5ION4S-DMmPX-il.js → infoDiagram-ER5ION4S-2NL93b78.js} +1 -1
  301. package/dist/ui/assets/{journeyDiagram-XKPGCS4Q-CrVickA2.js → journeyDiagram-XKPGCS4Q-CZF-2DHU.js} +1 -1
  302. package/dist/ui/assets/journeyDiagram-XKPGCS4Q-CZF-2DHU.js.gz +0 -0
  303. package/dist/ui/assets/{kanban-definition-3W4ZIXB7-C_BsdHYL.js → kanban-definition-3W4ZIXB7-CfvJIOny.js} +1 -1
  304. package/dist/ui/assets/kanban-definition-3W4ZIXB7-CfvJIOny.js.gz +0 -0
  305. package/dist/ui/assets/{line-CfBP7Yic.js → line-DDv8kOJk.js} +1 -1
  306. package/dist/ui/assets/{linear-BsjageUB.js → linear-Daef-l29.js} +1 -1
  307. package/dist/ui/assets/linear-Daef-l29.js.gz +0 -0
  308. package/dist/ui/assets/{mermaid-parser.core-DZdP-NFq.js → mermaid-parser.core-CdK9QgYV.js} +2 -2
  309. package/dist/ui/assets/mermaid-parser.core-CdK9QgYV.js.gz +0 -0
  310. package/dist/ui/assets/{mermaid.core-TNrI0pHG.js → mermaid.core-D6GS9mU-.js} +3 -3
  311. package/dist/ui/assets/mermaid.core-D6GS9mU-.js.gz +0 -0
  312. package/dist/ui/assets/message-SqLqNYcv.js +36 -0
  313. package/dist/ui/assets/message-SqLqNYcv.js.gz +0 -0
  314. package/dist/ui/assets/{mindmap-definition-VGOIOE7T-BbmaUjMY.js → mindmap-definition-VGOIOE7T-Cb3QMflX.js} +1 -1
  315. package/dist/ui/assets/mindmap-definition-VGOIOE7T-Cb3QMflX.js.gz +0 -0
  316. package/dist/ui/assets/{packet-BFZMPI3H-D_ZhkXuT.js → packet-BFZMPI3H-Bm2uwz4i.js} +1 -1
  317. package/dist/ui/assets/{particles-Dv28pjOd.js → particles-DsJFOarW.js} +1 -1
  318. package/dist/ui/assets/particles-DsJFOarW.js.gz +0 -0
  319. package/dist/ui/assets/{pie-7BOR55EZ-Dn0Q3qNx.js → pie-7BOR55EZ-5i17tVnF.js} +1 -1
  320. package/dist/ui/assets/{pieDiagram-ADFJNKIX-BbyjfYu8.js → pieDiagram-ADFJNKIX-BxIwQWvw.js} +1 -1
  321. package/dist/ui/assets/pieDiagram-ADFJNKIX-BxIwQWvw.js.gz +0 -0
  322. package/dist/ui/assets/{quadrantDiagram-AYHSOK5B-Bc3GqMKz.js → quadrantDiagram-AYHSOK5B-B5HPe4ga.js} +1 -1
  323. package/dist/ui/assets/quadrantDiagram-AYHSOK5B-B5HPe4ga.js.gz +0 -0
  324. package/dist/ui/assets/{radar-NHE76QYJ-BHwoAy1q.js → radar-NHE76QYJ-BTn-tq0k.js} +1 -1
  325. package/dist/ui/assets/{reactflow-BVYPxNhc.js → reactflow-Bf74ngoo.js} +2 -2
  326. package/dist/ui/assets/reactflow-Bf74ngoo.js.gz +0 -0
  327. package/dist/ui/assets/{requirementDiagram-UZGBJVZJ-BQaKKL09.js → requirementDiagram-UZGBJVZJ-YfI6llkX.js} +1 -1
  328. package/dist/ui/assets/requirementDiagram-UZGBJVZJ-YfI6llkX.js.gz +0 -0
  329. package/dist/ui/assets/{sandpack-BQW_FQ7G.js → sandpack-D7koO5op.js} +1 -1
  330. package/dist/ui/assets/sandpack-D7koO5op.js.gz +0 -0
  331. package/dist/ui/assets/{sankeyDiagram-TZEHDZUN-DiJvDvhb.js → sankeyDiagram-TZEHDZUN-DOk_B10B.js} +1 -1
  332. package/dist/ui/assets/sankeyDiagram-TZEHDZUN-DOk_B10B.js.gz +0 -0
  333. package/dist/ui/assets/{sequenceDiagram-WL72ISMW-Dw32824o.js → sequenceDiagram-WL72ISMW-DAe4Um17.js} +1 -1
  334. package/dist/ui/assets/sequenceDiagram-WL72ISMW-DAe4Um17.js.gz +0 -0
  335. package/dist/ui/assets/{stateDiagram-FKZM4ZOC-BCOpNdHV.js → stateDiagram-FKZM4ZOC-CCesDu_C.js} +1 -1
  336. package/dist/ui/assets/stateDiagram-FKZM4ZOC-CCesDu_C.js.gz +0 -0
  337. package/dist/ui/assets/stateDiagram-v2-4FDKWEC3-CMlIrsoO.js +1 -0
  338. package/dist/ui/assets/{syntax-VJrU5BEu.js → syntax-C-M-8jOU.js} +1 -1
  339. package/dist/ui/assets/syntax-C-M-8jOU.js.gz +0 -0
  340. package/dist/ui/assets/{theme-DZtFA8b4.js → theme-BQZdiqwv.js} +1 -1
  341. package/dist/ui/assets/{timeline-definition-IT6M3QCI-Jh_WZzXv.js → timeline-definition-IT6M3QCI-D6P5txjT.js} +1 -1
  342. package/dist/ui/assets/timeline-definition-IT6M3QCI-D6P5txjT.js.gz +0 -0
  343. package/dist/ui/assets/{treemap-KMMF4GRG-CPYIgjxE.js → treemap-KMMF4GRG-Bitm3gy4.js} +1 -1
  344. package/dist/ui/assets/{knowledgeRoutes-CivaUqha.js → useUserLocalStorage-Ckb8HsIw.js} +1 -1
  345. package/dist/ui/assets/useUserLocalStorage-Ckb8HsIw.js.gz +0 -0
  346. package/dist/ui/assets/{xychartDiagram-PRI3JC2R-CERc7Rdb.js → xychartDiagram-PRI3JC2R-CsybjUbd.js} +1 -1
  347. package/dist/ui/assets/xychartDiagram-PRI3JC2R-CsybjUbd.js.gz +0 -0
  348. package/dist/ui/index.html +13 -11
  349. package/dist/ui/index.html.gz +0 -0
  350. package/package.json +10 -9
  351. package/dist/ui/assets/App-9s2WHM6S.js +0 -22
  352. package/dist/ui/assets/App-9s2WHM6S.js.gz +0 -0
  353. package/dist/ui/assets/App-BAdBsEnV.css.gz +0 -0
  354. package/dist/ui/assets/ArtifactConsentModal-ParNk5kW.js.gz +0 -0
  355. package/dist/ui/assets/ArtifactFullscreenPage-VQxLMCiN.js +0 -9
  356. package/dist/ui/assets/ArtifactFullscreenPage-VQxLMCiN.js.gz +0 -0
  357. package/dist/ui/assets/AutocompleteTextarea-3RchrIgk.js +0 -18
  358. package/dist/ui/assets/AutocompleteTextarea-3RchrIgk.js.gz +0 -0
  359. package/dist/ui/assets/CodeEditor.inner-D51Z_CLQ.js.gz +0 -0
  360. package/dist/ui/assets/ConversationView-Dyddw2b1.js +0 -34
  361. package/dist/ui/assets/ConversationView-Dyddw2b1.js.gz +0 -0
  362. package/dist/ui/assets/KnowledgePage-CdftslnF.js +0 -24
  363. package/dist/ui/assets/KnowledgePage-CdftslnF.js.gz +0 -0
  364. package/dist/ui/assets/MobileApp-BdBMpnJ1.js +0 -1
  365. package/dist/ui/assets/MobileApp-BdBMpnJ1.js.gz +0 -0
  366. package/dist/ui/assets/StreamdownDemoPage-B9wbgp2s.js.gz +0 -0
  367. package/dist/ui/assets/ThemeSwitcher-ubn6IOz9.js.gz +0 -0
  368. package/dist/ui/assets/antd-C-HfEC4E.js +0 -400
  369. package/dist/ui/assets/antd-C-HfEC4E.js.gz +0 -0
  370. package/dist/ui/assets/architecture-U656AL7Q-dkBewUpN.js +0 -1
  371. package/dist/ui/assets/architectureDiagram-VXUJARFQ-ChmZt3zk.js.gz +0 -0
  372. package/dist/ui/assets/blockDiagram-VD42YOAC-CzGHAHao.js.gz +0 -0
  373. package/dist/ui/assets/c4Diagram-YG6GDRKO-DscJyaWN.js.gz +0 -0
  374. package/dist/ui/assets/channel-DvRQqEqC.js +0 -1
  375. package/dist/ui/assets/chunk-55IACEB6-DojF2pZN.js +0 -1
  376. package/dist/ui/assets/chunk-ABZYJK2D-RzDCrjE6.js.gz +0 -0
  377. package/dist/ui/assets/chunk-AGHRB4JF-jidCS5Of.js.gz +0 -0
  378. package/dist/ui/assets/chunk-ATLVNIR6-BEIIfJtC.js.gz +0 -0
  379. package/dist/ui/assets/chunk-B4BG7PRW-B8b6dQQ2.js.gz +0 -0
  380. package/dist/ui/assets/chunk-DI55MBZ5-BfATX3V8.js.gz +0 -0
  381. package/dist/ui/assets/chunk-EXTU4WIE-BKt6lPJM.js +0 -1
  382. package/dist/ui/assets/chunk-HN2XXSSU-BCHvD80g.js.gz +0 -0
  383. package/dist/ui/assets/chunk-JA3XYJ7Z-Cp6dqHnY.js.gz +0 -0
  384. package/dist/ui/assets/chunk-JZLCHNYA-cKMooY3y.js.gz +0 -0
  385. package/dist/ui/assets/chunk-MI3HLSF2-BlzO5wOE.js.gz +0 -0
  386. package/dist/ui/assets/chunk-N4CR4FBY-pASDorUx.js +0 -2
  387. package/dist/ui/assets/chunk-N4CR4FBY-pASDorUx.js.gz +0 -0
  388. package/dist/ui/assets/chunk-QXUST7PY-C9l0muI0.js.gz +0 -0
  389. package/dist/ui/assets/chunk-QZHKN3VN-CZskCFCf.js +0 -1
  390. package/dist/ui/assets/chunk-S3R3BYOJ-VJiLzt2o.js.gz +0 -0
  391. package/dist/ui/assets/chunk-TZMSLE5B-DZwI0C_2.js.gz +0 -0
  392. package/dist/ui/assets/classDiagram-2ON5EDUG-BFASUbmZ.js +0 -1
  393. package/dist/ui/assets/classDiagram-v2-WZHVMYZB-BFASUbmZ.js +0 -1
  394. package/dist/ui/assets/cose-bilkent-S5V4N54A-Ipik-oSD.js.gz +0 -0
  395. package/dist/ui/assets/dagre-6UL2VRFP-BDpyWQnh.js.gz +0 -0
  396. package/dist/ui/assets/dagre-CgA4KhUX.js.gz +0 -0
  397. package/dist/ui/assets/diagram-PSM6KHXK-B4GRzxLJ.js.gz +0 -0
  398. package/dist/ui/assets/diagram-QEK2KX5R-BWPW28XI.js.gz +0 -0
  399. package/dist/ui/assets/diagram-S2PKOQOG-BIHhcGoV.js.gz +0 -0
  400. package/dist/ui/assets/editor-C-HJ7Yw0.js.gz +0 -0
  401. package/dist/ui/assets/emoji-D8F6B62m.js.gz +0 -0
  402. package/dist/ui/assets/erDiagram-Q2GNP2WA-ubTaAFcK.js.gz +0 -0
  403. package/dist/ui/assets/flowDiagram-NV44I4VS-BHLCTYjI.js.gz +0 -0
  404. package/dist/ui/assets/ganttDiagram-LVOFAZNH-ClC3pay1.js.gz +0 -0
  405. package/dist/ui/assets/gitGraphDiagram-NY62KEGX-Clqpiswu.js.gz +0 -0
  406. package/dist/ui/assets/index-D9OElx9A.css +0 -1
  407. package/dist/ui/assets/index-D9OElx9A.css.gz +0 -0
  408. package/dist/ui/assets/index-DxPuzG7E.js +0 -350
  409. package/dist/ui/assets/index-DxPuzG7E.js.gz +0 -0
  410. package/dist/ui/assets/journeyDiagram-XKPGCS4Q-CrVickA2.js.gz +0 -0
  411. package/dist/ui/assets/kanban-definition-3W4ZIXB7-C_BsdHYL.js.gz +0 -0
  412. package/dist/ui/assets/knowledgeRoutes-CivaUqha.js.gz +0 -0
  413. package/dist/ui/assets/linear-BsjageUB.js.gz +0 -0
  414. package/dist/ui/assets/mermaid-parser.core-DZdP-NFq.js.gz +0 -0
  415. package/dist/ui/assets/mermaid.core-TNrI0pHG.js.gz +0 -0
  416. package/dist/ui/assets/message-BtWWJ9Af.js +0 -36
  417. package/dist/ui/assets/message-BtWWJ9Af.js.gz +0 -0
  418. package/dist/ui/assets/mindmap-definition-VGOIOE7T-BbmaUjMY.js.gz +0 -0
  419. package/dist/ui/assets/particles-Dv28pjOd.js.gz +0 -0
  420. package/dist/ui/assets/pieDiagram-ADFJNKIX-BbyjfYu8.js.gz +0 -0
  421. package/dist/ui/assets/quadrantDiagram-AYHSOK5B-Bc3GqMKz.js.gz +0 -0
  422. package/dist/ui/assets/reactflow-BVYPxNhc.js.gz +0 -0
  423. package/dist/ui/assets/requirementDiagram-UZGBJVZJ-BQaKKL09.js.gz +0 -0
  424. package/dist/ui/assets/sandpack-BQW_FQ7G.js.gz +0 -0
  425. package/dist/ui/assets/sankeyDiagram-TZEHDZUN-DiJvDvhb.js.gz +0 -0
  426. package/dist/ui/assets/sequenceDiagram-WL72ISMW-Dw32824o.js.gz +0 -0
  427. package/dist/ui/assets/stateDiagram-FKZM4ZOC-BCOpNdHV.js.gz +0 -0
  428. package/dist/ui/assets/stateDiagram-v2-4FDKWEC3-Cuqwvgfg.js +0 -1
  429. package/dist/ui/assets/syntax-VJrU5BEu.js.gz +0 -0
  430. package/dist/ui/assets/timeline-definition-IT6M3QCI-Jh_WZzXv.js.gz +0 -0
  431. package/dist/ui/assets/xychartDiagram-PRI3JC2R-CERc7Rdb.js.gz +0 -0
@@ -8,6 +8,14 @@ var __export = (target, all) => {
8
8
  __defProp(target, name, { get: all[name], enumerable: true });
9
9
  };
10
10
 
11
+ // src/adapters/drizzle.ts
12
+ import { NotFoundError } from "@agor/core/utils/errors";
13
+ var init_drizzle = __esm({
14
+ "src/adapters/drizzle.ts"() {
15
+ "use strict";
16
+ }
17
+ });
18
+
11
19
  // src/auth/runtime-tokens.ts
12
20
  import jwt from "jsonwebtoken";
13
21
  function issueRuntimeToken(payload, jwtSecret, expiresIn, options = {}) {
@@ -592,12 +600,12 @@ var init_spawn_executor = __esm({
592
600
  });
593
601
 
594
602
  // src/utils/mcp-token-authorization.ts
595
- import { hasMinimumRole as hasMinimumRole5, ROLES as ROLES5 } from "@agor/core/types";
603
+ import { hasMinimumRole as hasMinimumRole5, ROLES as ROLES6 } from "@agor/core/types";
596
604
  function canReceiveMcpTokenForSession(params) {
597
605
  const { callerUserId, callerRole, sessionCreatedBy } = params;
598
- const isSuperadmin = hasMinimumRole5(callerRole, ROLES5.SUPERADMIN);
606
+ const isSuperadmin = hasMinimumRole5(callerRole, ROLES6.SUPERADMIN);
599
607
  const isServiceExecutor = callerRole === "service";
600
- const isCreatorMember = !!callerUserId && callerUserId === sessionCreatedBy && hasMinimumRole5(callerRole, ROLES5.MEMBER);
608
+ const isCreatorMember = !!callerUserId && callerUserId === sessionCreatedBy && hasMinimumRole5(callerRole, ROLES6.MEMBER);
601
609
  return isCreatorMember || isSuperadmin || isServiceExecutor;
602
610
  }
603
611
  var init_mcp_token_authorization = __esm({
@@ -618,7 +626,7 @@ __export(tokens_exports, {
618
626
  validateSessionToken: () => validateSessionToken
619
627
  });
620
628
  import { MCP_TOKEN } from "@agor/core/config";
621
- import { generateId as generateId2, SessionRepository, shortId as shortId3 } from "@agor/core/db";
629
+ import { generateId as generateId2, SessionRepository as SessionRepository2, shortId as shortId3 } from "@agor/core/db";
622
630
  import {
623
631
  MCP_TOKEN_AUDIENCE,
624
632
  MCP_TOKEN_ISSUER
@@ -642,7 +650,7 @@ function initMcpTokens(options) {
642
650
  const expirationMs = options.expirationMs ?? MCP_TOKEN.DEFAULT_EXPIRATION_MS;
643
651
  const now = options.now ?? (() => Date.now());
644
652
  _state = {
645
- sessionRepo: new SessionRepository(options.db),
653
+ sessionRepo: new SessionRepository2(options.db),
646
654
  expirationMs,
647
655
  now,
648
656
  tokenCache: /* @__PURE__ */ new Map(),
@@ -753,14 +761,6 @@ var init_tokens = __esm({
753
761
  }
754
762
  });
755
763
 
756
- // src/adapters/drizzle.ts
757
- import { NotFoundError } from "@agor/core/utils/errors";
758
- var init_drizzle = __esm({
759
- "src/adapters/drizzle.ts"() {
760
- "use strict";
761
- }
762
- });
763
-
764
764
  // src/utils/build-initial-user-message.ts
765
765
  import { generateId as generateId3 } from "@agor/core/db";
766
766
  import { MessageRole } from "@agor/core/types";
@@ -1197,13 +1197,13 @@ import {
1197
1197
  } from "@agor/core/claude-cli";
1198
1198
  import {
1199
1199
  generateId as generateId4,
1200
- SessionRepository as SessionRepository2,
1200
+ SessionRepository as SessionRepository3,
1201
1201
  shortId as shortId4,
1202
1202
  TaskRepository
1203
1203
  } from "@agor/core/db";
1204
1204
  import {
1205
- SessionStatus,
1206
- TaskStatus
1205
+ SessionStatus as SessionStatus3,
1206
+ TaskStatus as TaskStatus2
1207
1207
  } from "@agor/core/types";
1208
1208
  import {
1209
1209
  getHomedirFromUsername,
@@ -1217,7 +1217,7 @@ function getDb(app) {
1217
1217
  async function persistActiveTurnSnapshot(app, sessionId, turn) {
1218
1218
  const db = getDb(app);
1219
1219
  if (!db) return;
1220
- const repo = new SessionRepository2(db);
1220
+ const repo = new SessionRepository3(db);
1221
1221
  const row = await repo.findById(sessionId);
1222
1222
  if (!row) {
1223
1223
  throw new Error(`persistActiveTurnSnapshot: session not found: ${shortId4(sessionId)}`);
@@ -1238,7 +1238,7 @@ async function clearActiveTurnSnapshot(app, sessionId) {
1238
1238
  const db = getDb(app);
1239
1239
  if (!db) return;
1240
1240
  try {
1241
- const repo = new SessionRepository2(db);
1241
+ const repo = new SessionRepository3(db);
1242
1242
  const patch = {
1243
1243
  cli_state: { active_turn: null }
1244
1244
  };
@@ -1320,7 +1320,7 @@ function buildCliPersister(app) {
1320
1320
  async saveOffset(sessionId, update2) {
1321
1321
  const db = getDb(app);
1322
1322
  if (!db) return;
1323
- const repo = new SessionRepository2(db);
1323
+ const repo = new SessionRepository3(db);
1324
1324
  const row = await repo.findById(sessionId).catch(() => null);
1325
1325
  if (!row) return;
1326
1326
  const existing = row.cli_state ?? {};
@@ -1353,7 +1353,7 @@ function buildCliEventSink(app) {
1353
1353
  indexBySession.set(sessionId, 1);
1354
1354
  return 0;
1355
1355
  }
1356
- const repo = new SessionRepository2(db);
1356
+ const repo = new SessionRepository3(db);
1357
1357
  const count = await repo.countMessages(sessionId).catch(() => 0) ?? 0;
1358
1358
  indexBySession.set(sessionId, count + 1);
1359
1359
  return count;
@@ -1375,7 +1375,7 @@ function buildCliEventSink(app) {
1375
1375
  const db = getDb(app);
1376
1376
  if (!db) return null;
1377
1377
  try {
1378
- const sessionRepo = new SessionRepository2(db);
1378
+ const sessionRepo = new SessionRepository3(db);
1379
1379
  const session = await sessionRepo.findById(sessionId).catch(() => null);
1380
1380
  if (!session) return null;
1381
1381
  const taskRepo = new TaskRepository(db);
@@ -1383,7 +1383,7 @@ function buildCliEventSink(app) {
1383
1383
  session_id: sessionId,
1384
1384
  created_by: session.created_by,
1385
1385
  full_prompt: prompt,
1386
- status: TaskStatus.RUNNING,
1386
+ status: TaskStatus2.RUNNING,
1387
1387
  started_at: timestamp,
1388
1388
  message_range: {
1389
1389
  start_index: userMessageIndex,
@@ -1400,7 +1400,7 @@ function buildCliEventSink(app) {
1400
1400
  });
1401
1401
  app.service("tasks").emit("created", task);
1402
1402
  await app.service("sessions").patch(sessionId, {
1403
- status: SessionStatus.RUNNING,
1403
+ status: SessionStatus3.RUNNING,
1404
1404
  ready_for_prompt: false,
1405
1405
  tasks: [...session.tasks, task.task_id]
1406
1406
  }).catch((err) => {
@@ -1654,7 +1654,7 @@ function buildCliEventSink(app) {
1654
1654
  const computedContextWindow = lastTurn?.usage ? (lastTurn.usage.input_tokens ?? 0) + (lastTurn.usage.cache_creation_input_tokens ?? 0) + (lastTurn.usage.cache_read_input_tokens ?? 0) : void 0;
1655
1655
  try {
1656
1656
  await app.service("tasks").patch(active.taskId, {
1657
- status: TaskStatus.COMPLETED,
1657
+ status: TaskStatus2.COMPLETED,
1658
1658
  completed_at: ts,
1659
1659
  message_range: {
1660
1660
  start_index: active.userMessageIndex,
@@ -1677,7 +1677,7 @@ function buildCliEventSink(app) {
1677
1677
  }
1678
1678
  try {
1679
1679
  const patch = {
1680
- status: SessionStatus.IDLE,
1680
+ status: SessionStatus3.IDLE,
1681
1681
  ready_for_prompt: true
1682
1682
  };
1683
1683
  if (computedContextWindow !== void 0) {
@@ -1918,7 +1918,7 @@ async function onCliSessionCreated(app, session, branchCwd) {
1918
1918
  try {
1919
1919
  const db = getDb(app);
1920
1920
  if (db) {
1921
- const repo = new SessionRepository2(db);
1921
+ const repo = new SessionRepository3(db);
1922
1922
  const row = await repo.findById(session.session_id).catch(() => null);
1923
1923
  if (row) {
1924
1924
  const patch = {
@@ -1978,7 +1978,7 @@ async function onCliSessionEnded(app, sessionId) {
1978
1978
  async function rehydrateCliWatchers(app, branchCwdLookup) {
1979
1979
  const db = getDb(app);
1980
1980
  if (!db) return;
1981
- const repo = new SessionRepository2(db);
1981
+ const repo = new SessionRepository3(db);
1982
1982
  const all = await repo.findAll().catch(() => []);
1983
1983
  const reg = getCliWatcherRegistry(app);
1984
1984
  let rehydrated = 0;
@@ -2050,7 +2050,7 @@ import {
2050
2050
  validateRenderedManagedEnvUrlFields,
2051
2051
  validateRepoEnvironmentLifecyclePolicy
2052
2052
  } from "@agor/core/environment/webhook";
2053
- import { BadRequest as BadRequest3, Forbidden as Forbidden7, NotAuthenticated as NotAuthenticated7 } from "@agor/core/feathers";
2053
+ import { BadRequest as BadRequest3, Forbidden as Forbidden8, NotAuthenticated as NotAuthenticated7 } from "@agor/core/feathers";
2054
2054
  import {
2055
2055
  boardCommentQueryValidator,
2056
2056
  boardObjectQueryValidator,
@@ -2063,7 +2063,7 @@ import {
2063
2063
  typedValidateQuery,
2064
2064
  userQueryValidator
2065
2065
  } from "@agor/core/lib/feathers-validation";
2066
- import { hasMinimumRole as hasMinimumRole8, ROLES as ROLES8 } from "@agor/core/types";
2066
+ import { hasMinimumRole as hasMinimumRole8, ROLES as ROLES9 } from "@agor/core/types";
2067
2067
 
2068
2068
  // src/auth/executor-runtime-scope.ts
2069
2069
  import { Forbidden } from "@agor/core/feathers";
@@ -2318,11 +2318,64 @@ function extractText(content) {
2318
2318
  }
2319
2319
  return "";
2320
2320
  }
2321
+ function isGatewayThinkingPlaceholder(text) {
2322
+ return /^thinking\s*\.{3}$/i.test(text.trim());
2323
+ }
2324
+ function extractLatestToolUse(content) {
2325
+ if (!Array.isArray(content)) return null;
2326
+ for (let i = content.length - 1; i >= 0; i--) {
2327
+ const block = content[i];
2328
+ if (block.type !== "tool_use") continue;
2329
+ if (typeof block.name !== "string") continue;
2330
+ const input = block.input && typeof block.input === "object" && !Array.isArray(block.input) ? block.input : {};
2331
+ return { name: block.name, input };
2332
+ }
2333
+ return null;
2334
+ }
2335
+ function extractLatestToolUseFromMessage(message) {
2336
+ const fromContent = extractLatestToolUse(message.content);
2337
+ if (fromContent) return fromContent;
2338
+ const toolUses = message.tool_uses;
2339
+ if (!Array.isArray(toolUses) || toolUses.length === 0) return null;
2340
+ const latest = toolUses[toolUses.length - 1];
2341
+ if (!latest || typeof latest.name !== "string") return null;
2342
+ return {
2343
+ name: latest.name,
2344
+ input: latest.input && typeof latest.input === "object" && !Array.isArray(latest.input) ? latest.input : {}
2345
+ };
2346
+ }
2321
2347
  var gatewayRouteHook = async (context) => {
2322
2348
  const message = context.result;
2349
+ const gatewayService = context.app.service("gateway");
2323
2350
  let shouldRoute = false;
2324
2351
  let messageText = extractText(message.content);
2352
+ const latestToolUse = extractLatestToolUseFromMessage(message);
2353
+ if (latestToolUse) {
2354
+ try {
2355
+ void gatewayService.updateProgress({
2356
+ session_id: message.session_id,
2357
+ state: "working",
2358
+ task_id: message.task_id,
2359
+ tool_name: latestToolUse.name,
2360
+ tool_input: latestToolUse.input
2361
+ });
2362
+ } catch (error) {
2363
+ console.warn("[gateway-route] Failed to route tool progress:", error);
2364
+ }
2365
+ if (!messageText) {
2366
+ return context;
2367
+ }
2368
+ }
2369
+ if (!messageText && message.role === "assistant" && typeof message.content_preview === "string") {
2370
+ messageText = message.content_preview;
2371
+ }
2372
+ if (message.role === "assistant" && messageText && isGatewayThinkingPlaceholder(messageText)) {
2373
+ return context;
2374
+ }
2325
2375
  if (message.role === "assistant") {
2376
+ if (gatewayService.wasMessageStreamedToSlack?.(message.message_id) || gatewayService.wasTaskStreamedToSlack?.(message.task_id)) {
2377
+ return context;
2378
+ }
2326
2379
  shouldRoute = true;
2327
2380
  } else if (message.role === "user") {
2328
2381
  const source = message.metadata?.source;
@@ -2350,7 +2403,6 @@ var gatewayRouteHook = async (context) => {
2350
2403
  return context;
2351
2404
  }
2352
2405
  try {
2353
- const gatewayService = context.app.service("gateway");
2354
2406
  gatewayService.routeMessage({
2355
2407
  session_id: message.session_id,
2356
2408
  message: messageText
@@ -3119,6 +3171,30 @@ var groupMembershipsHooks = {
3119
3171
  }
3120
3172
  };
3121
3173
 
3174
+ // src/services/sessions.ts
3175
+ init_drizzle();
3176
+ import { PAGINATION } from "@agor/core/config";
3177
+ import {
3178
+ BranchRepository,
3179
+ SessionEnvSelectionRepository,
3180
+ SessionMCPServerRepository,
3181
+ SessionRelationshipRepository,
3182
+ SessionRepository,
3183
+ UsersRepository
3184
+ } from "@agor/core/db";
3185
+ import { Forbidden as Forbidden4 } from "@agor/core/feathers";
3186
+ import { formatModelToolMismatchWarning, lintModelToolMatch } from "@agor/core/models";
3187
+ import { resolveChildSessionConfig } from "@agor/core/sessions";
3188
+ import { ROLES as ROLES3, SessionStatus } from "@agor/core/types";
3189
+ var remoteRelationshipsEnrichedResults = /* @__PURE__ */ new WeakSet();
3190
+ function markRemoteRelationshipsEnrichedResult(result) {
3191
+ remoteRelationshipsEnrichedResults.add(result);
3192
+ return result;
3193
+ }
3194
+ function isRemoteRelationshipsEnrichedResult(result) {
3195
+ return typeof result === "object" && result !== null && remoteRelationshipsEnrichedResults.has(result);
3196
+ }
3197
+
3122
3198
  // src/services/users.ts
3123
3199
  import { generateId } from "@agor/core";
3124
3200
  import {
@@ -3141,13 +3217,13 @@ import {
3141
3217
  update,
3142
3218
  users
3143
3219
  } from "@agor/core/db";
3144
- import { Forbidden as Forbidden4, NotAuthenticated as NotAuthenticated3 } from "@agor/core/feathers";
3220
+ import { Forbidden as Forbidden5, NotAuthenticated as NotAuthenticated3 } from "@agor/core/feathers";
3145
3221
  import { isLikelyGitToken } from "@agor/core/git";
3146
3222
  import {
3147
3223
  extractAgenticToolsPublicValues,
3148
3224
  hasMinimumRole as hasMinimumRole3,
3149
3225
  normalizeRole,
3150
- ROLES as ROLES3,
3226
+ ROLES as ROLES4,
3151
3227
  toAgenticToolsStatus
3152
3228
  } from "@agor/core/types";
3153
3229
  var LOCAL_AUTH_LOOKUP_PARAM = Symbol("agor.users.local-auth-lookup");
@@ -3222,8 +3298,8 @@ function applySessionConfigDefaults(opts = {}) {
3222
3298
  }
3223
3299
 
3224
3300
  // src/utils/authorization.ts
3225
- import { Forbidden as Forbidden5, NotAuthenticated as NotAuthenticated4 } from "@agor/core/feathers";
3226
- import { hasMinimumRole as hasMinimumRole4, ROLES as ROLES4 } from "@agor/core/types";
3301
+ import { Forbidden as Forbidden6, NotAuthenticated as NotAuthenticated4 } from "@agor/core/feathers";
3302
+ import { hasMinimumRole as hasMinimumRole4, ROLES as ROLES5 } from "@agor/core/types";
3227
3303
  function ensureMinimumRole(params, minimumRole, action = "perform this action") {
3228
3304
  if (!params?.provider) {
3229
3305
  return;
@@ -3235,7 +3311,7 @@ function ensureMinimumRole(params, minimumRole, action = "perform this action")
3235
3311
  return;
3236
3312
  }
3237
3313
  if (!hasMinimumRole4(params.user.role, minimumRole)) {
3238
- throw new Forbidden5(`You need ${minimumRole} access to ${action}`);
3314
+ throw new Forbidden6(`You need ${minimumRole} access to ${action}`);
3239
3315
  }
3240
3316
  }
3241
3317
  function requireMinimumRole(minimumRole, action) {
@@ -3244,7 +3320,7 @@ function requireMinimumRole(minimumRole, action) {
3244
3320
  return context;
3245
3321
  };
3246
3322
  }
3247
- var DEFAULT_MANAGED_ENVS_MINIMUM_ROLE = ROLES4.MEMBER;
3323
+ var DEFAULT_MANAGED_ENVS_MINIMUM_ROLE = ROLES5.MEMBER;
3248
3324
  var ENV_COMMAND_FIELDS = [
3249
3325
  "environment",
3250
3326
  // Repo-level: v2 named variants (source of truth)
@@ -3272,7 +3348,7 @@ function requireAdminForEnvConfig() {
3272
3348
  }
3273
3349
  ensureMinimumRole(
3274
3350
  context.params,
3275
- ROLES4.ADMIN,
3351
+ ROLES5.ADMIN,
3276
3352
  "modify environment commands (up_command, down_command, etc.)"
3277
3353
  );
3278
3354
  return context;
@@ -3325,7 +3401,7 @@ async function inspectBranchViaExecutor(app, branchId, options = {}) {
3325
3401
 
3326
3402
  // src/utils/executor-read-impersonation.ts
3327
3403
  import { loadConfigSync as loadConfigSync2 } from "@agor/core/config";
3328
- import { UsersRepository } from "@agor/core/db";
3404
+ import { UsersRepository as UsersRepository2 } from "@agor/core/db";
3329
3405
  async function resolveExecutorReadAsUser(db, userOrId) {
3330
3406
  const config = loadConfigSync2();
3331
3407
  const unixMode = config.execution?.unix_user_mode ?? "simple";
@@ -3334,7 +3410,7 @@ async function resolveExecutorReadAsUser(db, userOrId) {
3334
3410
  }
3335
3411
  let user;
3336
3412
  if (typeof userOrId === "string") {
3337
- user = await new UsersRepository(db).findById(userOrId);
3413
+ user = await new UsersRepository2(db).findById(userOrId);
3338
3414
  } else {
3339
3415
  user = userOrId;
3340
3416
  }
@@ -3533,7 +3609,7 @@ var RealtimeAccessCache = class {
3533
3609
 
3534
3610
  // src/utils/realtime-publish.ts
3535
3611
  import { shortId as shortId2 } from "@agor/core/db";
3536
- import { hasMinimumRole as hasMinimumRole6, ROLES as ROLES6 } from "@agor/core/types";
3612
+ import { hasMinimumRole as hasMinimumRole6, ROLES as ROLES7 } from "@agor/core/types";
3537
3613
  var DEBUG_REALTIME_PUBLISH = process.env.AGOR_DEBUG_REALTIME_PUBLISH === "1" || process.env.DEBUG?.includes("realtime-publish");
3538
3614
  function realtimePublishDebug(...args) {
3539
3615
  if (DEBUG_REALTIME_PUBLISH) {
@@ -3600,7 +3676,7 @@ function isServiceConnection(connection) {
3600
3676
  }
3601
3677
  function isAdminConnection(connection, allowSuperadmin) {
3602
3678
  const user = userFromConnection(connection);
3603
- if (!user?._isServiceAccount && user?.role && hasMinimumRole6(user.role, ROLES6.ADMIN)) {
3679
+ if (!user?._isServiceAccount && user?.role && hasMinimumRole6(user.role, ROLES7.ADMIN)) {
3604
3680
  return true;
3605
3681
  }
3606
3682
  return isSuperAdmin(user?.role, allowSuperadmin);
@@ -3757,8 +3833,8 @@ function configureRealtimePublish(options) {
3757
3833
  }
3758
3834
 
3759
3835
  // src/utils/schedule-hooks.ts
3760
- import { BadRequest as BadRequest2, Forbidden as Forbidden6, NotAuthenticated as NotAuthenticated6 } from "@agor/core/feathers";
3761
- import { hasMinimumRole as hasMinimumRole7, ROLES as ROLES7 } from "@agor/core/types";
3836
+ import { BadRequest as BadRequest2, Forbidden as Forbidden7, NotAuthenticated as NotAuthenticated6 } from "@agor/core/feathers";
3837
+ import { hasMinimumRole as hasMinimumRole7, ROLES as ROLES8 } from "@agor/core/types";
3762
3838
  function ensureCurrentScheduleLoaded(scheduleRepo) {
3763
3839
  return async (context) => {
3764
3840
  if (context.method !== "patch") return context;
@@ -3813,14 +3889,14 @@ function ensureScheduleRunsAsCaller(options) {
3813
3889
  }
3814
3890
  const data = context.data;
3815
3891
  if (data?.created_by !== void 0 && data.created_by !== schedule.created_by) {
3816
- throw new Forbidden6("Cannot change the user a schedule runs as.");
3892
+ throw new Forbidden7("Cannot change the user a schedule runs as.");
3817
3893
  }
3818
3894
  const allowSuperadmin = options?.allowSuperadmin ?? true;
3819
- if (allowSuperadmin && hasMinimumRole7(user.role, ROLES7.SUPERADMIN)) {
3895
+ if (allowSuperadmin && hasMinimumRole7(user.role, ROLES8.SUPERADMIN)) {
3820
3896
  return context;
3821
3897
  }
3822
3898
  if (schedule.created_by !== user.user_id) {
3823
- throw new Forbidden6(
3899
+ throw new Forbidden7(
3824
3900
  "Schedules run as the user who created them. You can only modify or run schedules you created."
3825
3901
  );
3826
3902
  }
@@ -3857,6 +3933,17 @@ function recomputeNextRunAt() {
3857
3933
  };
3858
3934
  }
3859
3935
 
3936
+ // src/utils/session-task-state.ts
3937
+ import {
3938
+ isTerminalTaskStatus,
3939
+ SessionStatus as SessionStatus2,
3940
+ sessionCanStartTask,
3941
+ TaskStatus
3942
+ } from "@agor/core/types";
3943
+ function isTerminalQueueProcessingSuppressed(params) {
3944
+ return params?.suppressTerminalQueueProcessing === true;
3945
+ }
3946
+
3860
3947
  // src/register-hooks.ts
3861
3948
  init_spawn_executor();
3862
3949
  var DEBUG_MCP_TOKENS2 = process.env.AGOR_DEBUG_MCP_TOKENS === "1" || process.env.DEBUG?.includes("mcp-tokens");
@@ -3876,6 +3963,9 @@ var BRANCH_ENV_FIELDS = [
3876
3963
  function itemHasAnyField(item, fields) {
3877
3964
  return fields.some((field) => Object.hasOwn(item, field));
3878
3965
  }
3966
+ function shouldValidateRepoEnvironmentPayload(value) {
3967
+ return value !== void 0 && value !== null;
3968
+ }
3879
3969
  async function getManagedEnvExecutionMode() {
3880
3970
  const config = await loadConfig();
3881
3971
  return config.execution?.managed_envs_execution_mode ?? MANAGED_ENV_EXECUTION_MODE_DEFAULT;
@@ -3885,7 +3975,7 @@ function validateRepoEnvPolicyHook() {
3885
3975
  const mode = await getManagedEnvExecutionMode();
3886
3976
  const items = Array.isArray(context.data) ? context.data : [context.data];
3887
3977
  for (const item of items) {
3888
- if (Object.hasOwn(item, "environment") && item.environment !== null) {
3978
+ if (Object.hasOwn(item, "environment") && shouldValidateRepoEnvironmentPayload(item.environment)) {
3889
3979
  try {
3890
3980
  const env = validateRepoEnvironment(item.environment);
3891
3981
  validateRepoEnvironmentLifecyclePolicy(env, mode);
@@ -3893,7 +3983,7 @@ function validateRepoEnvPolicyHook() {
3893
3983
  throw new BadRequest3(error instanceof Error ? error.message : "Invalid repo environment");
3894
3984
  }
3895
3985
  }
3896
- if (Object.hasOwn(item, "environment_config") && item.environment_config !== null) {
3986
+ if (Object.hasOwn(item, "environment_config") && shouldValidateRepoEnvironmentPayload(item.environment_config)) {
3897
3987
  try {
3898
3988
  const env = wrapV1AsV2(item.environment_config);
3899
3989
  if (env) validateRepoEnvironmentLifecyclePolicy(env, mode, "legacy repo environment");
@@ -3961,6 +4051,24 @@ function isPromptFlowPatchOnly(data) {
3961
4051
  if (keys.length === 0) return false;
3962
4052
  return keys.every((key) => PROMPT_FLOW_PATCH_FIELDS.includes(key));
3963
4053
  }
4054
+ function shouldRunSessionPostTurnHooks(session) {
4055
+ return sessionCanStartTask(session.status, session.ready_for_prompt);
4056
+ }
4057
+ function shouldDrainQueueAfterSessionPostTurnPatch(session, params) {
4058
+ return shouldRunSessionPostTurnHooks(session) && session.ready_for_prompt === true && !isTerminalQueueProcessingSuppressed(params);
4059
+ }
4060
+ async function enrichSessionFindResultWithRemoteRelationships(result, sessionsService) {
4061
+ if (isRemoteRelationshipsEnrichedResult(result)) return result;
4062
+ if (Array.isArray(result)) {
4063
+ return markRemoteRelationshipsEnrichedResult(
4064
+ await sessionsService.enrichRemoteRelationships(result)
4065
+ );
4066
+ }
4067
+ return markRemoteRelationshipsEnrichedResult({
4068
+ ...result,
4069
+ data: await sessionsService.enrichRemoteRelationships(result.data)
4070
+ });
4071
+ }
3964
4072
  function registerHooks(ctx) {
3965
4073
  const {
3966
4074
  db,
@@ -4006,6 +4114,65 @@ function registerHooks(ctx) {
4006
4114
  await invalidateRealtimeBranchAccess(context.params.route?.id);
4007
4115
  return context;
4008
4116
  };
4117
+ const syncBranchUnixAccess = (branchId, logPrefix) => {
4118
+ if (!jwtSecret) return;
4119
+ const serviceToken = createServiceToken(jwtSecret, void 0, {
4120
+ branch_id: branchId,
4121
+ command: "unix.sync-branch"
4122
+ });
4123
+ spawnExecutorFireAndForget(
4124
+ {
4125
+ command: "unix.sync-branch",
4126
+ sessionToken: serviceToken,
4127
+ daemonUrl: getDaemonUrl(),
4128
+ params: {
4129
+ branchId,
4130
+ daemonUser: config.daemon?.unix_user
4131
+ }
4132
+ },
4133
+ { logPrefix }
4134
+ );
4135
+ };
4136
+ const syncUnixAccessForBoardAlignedBranches = async (boardId, logPrefix) => {
4137
+ if (!jwtSecret || typeof boardId !== "string" || boardId.length === 0) return;
4138
+ const alignedBranches = await branchRepository.findBoardAlignedBranches(boardId);
4139
+ if (alignedBranches.length === 0) return;
4140
+ console.log(
4141
+ `[Unix Integration] Queueing board permission sync for ${alignedBranches.length} board-aligned branch(es) on board ${shortId5(boardId)}`
4142
+ );
4143
+ for (const branch of alignedBranches) {
4144
+ await invalidateRealtimeBranchAccess(branch.branch_id);
4145
+ }
4146
+ const serviceToken = createServiceToken(jwtSecret, void 0, {
4147
+ board_id: boardId,
4148
+ command: "unix.sync-board"
4149
+ });
4150
+ spawnExecutorFireAndForget(
4151
+ {
4152
+ command: "unix.sync-board",
4153
+ sessionToken: serviceToken,
4154
+ daemonUrl: getDaemonUrl(),
4155
+ params: {
4156
+ boardId,
4157
+ daemonUser: config.daemon?.unix_user
4158
+ }
4159
+ },
4160
+ { logPrefix }
4161
+ );
4162
+ };
4163
+ const syncUnixAccessForBoardFromRoute = async (context, logPrefix) => {
4164
+ await syncUnixAccessForBoardAlignedBranches(context.params.route?.id, logPrefix);
4165
+ return context;
4166
+ };
4167
+ const syncUnixAccessForAllBranches = async (context, logPrefix) => {
4168
+ if (!jwtSecret) return context;
4169
+ const branches = await branchRepository.findAll({ includeArchived: false });
4170
+ for (const branch of branches) {
4171
+ syncBranchUnixAccess(branch.branch_id, logPrefix);
4172
+ await invalidateRealtimeBranchAccess(branch.branch_id);
4173
+ }
4174
+ return context;
4175
+ };
4009
4176
  const clearRealtimeBranchVisibility = (context) => {
4010
4177
  realtimeAccessCache.clearVisibility();
4011
4178
  return context;
@@ -4030,7 +4197,7 @@ function registerHooks(ctx) {
4030
4197
  ] : []
4031
4198
  ],
4032
4199
  create: [
4033
- requireMinimumRole(ROLES8.MEMBER, "create messages"),
4200
+ requireMinimumRole(ROLES9.MEMBER, "create messages"),
4034
4201
  ...branchRbacEnabled ? [
4035
4202
  resolveSessionContext(),
4036
4203
  loadSession(sessionsService),
@@ -4042,7 +4209,7 @@ function registerHooks(ctx) {
4042
4209
  ] : []
4043
4210
  ],
4044
4211
  patch: [
4045
- requireMinimumRole(ROLES8.MEMBER, "update messages"),
4212
+ requireMinimumRole(ROLES9.MEMBER, "update messages"),
4046
4213
  ...branchRbacEnabled ? [
4047
4214
  resolveSessionContext(),
4048
4215
  loadSession(sessionsService),
@@ -4052,7 +4219,7 @@ function registerHooks(ctx) {
4052
4219
  ] : []
4053
4220
  ],
4054
4221
  remove: [
4055
- requireMinimumRole(ROLES8.MEMBER, "delete messages"),
4222
+ requireMinimumRole(ROLES9.MEMBER, "delete messages"),
4056
4223
  ...branchRbacEnabled ? [
4057
4224
  resolveSessionContext(),
4058
4225
  loadSession(sessionsService),
@@ -4092,7 +4259,7 @@ function registerHooks(ctx) {
4092
4259
  all: [
4093
4260
  typedValidateQuery(boardObjectQueryValidator),
4094
4261
  requireAuth,
4095
- requireMinimumRole(ROLES8.MEMBER, "manage board objects")
4262
+ requireMinimumRole(ROLES9.MEMBER, "manage board objects")
4096
4263
  ],
4097
4264
  // NOTE: We deliberately do NOT add the generic scopeFindToAccessibleBranches here.
4098
4265
  // Board-objects may reference `branch_id` (branch cards) OR `card_id`
@@ -4193,17 +4360,17 @@ function registerHooks(ctx) {
4193
4360
  safeService("card-types")?.hooks({
4194
4361
  before: {
4195
4362
  all: [requireAuth],
4196
- create: [requireMinimumRole(ROLES8.MEMBER, "create card types")],
4197
- patch: [requireMinimumRole(ROLES8.MEMBER, "update card types")],
4198
- remove: [requireMinimumRole(ROLES8.MEMBER, "delete card types")]
4363
+ create: [requireMinimumRole(ROLES9.MEMBER, "create card types")],
4364
+ patch: [requireMinimumRole(ROLES9.MEMBER, "update card types")],
4365
+ remove: [requireMinimumRole(ROLES9.MEMBER, "delete card types")]
4199
4366
  }
4200
4367
  });
4201
4368
  safeService("cards")?.hooks({
4202
4369
  before: {
4203
4370
  all: [requireAuth],
4204
- create: [requireMinimumRole(ROLES8.MEMBER, "create cards"), injectCreatedBy()],
4205
- patch: [requireMinimumRole(ROLES8.MEMBER, "update cards")],
4206
- remove: [requireMinimumRole(ROLES8.MEMBER, "delete cards")]
4371
+ create: [requireMinimumRole(ROLES9.MEMBER, "create cards"), injectCreatedBy()],
4372
+ patch: [requireMinimumRole(ROLES9.MEMBER, "update cards")],
4373
+ remove: [requireMinimumRole(ROLES9.MEMBER, "delete cards")]
4207
4374
  }
4208
4375
  });
4209
4376
  const ensureArtifactOwnerOrAdmin = () => async (context) => {
@@ -4211,16 +4378,16 @@ function registerHooks(ctx) {
4211
4378
  const user = context.params?.user;
4212
4379
  if (!user) throw new NotAuthenticated7("Authentication required");
4213
4380
  if (user._isServiceAccount) return context;
4214
- if (hasMinimumRole8(user.role, ROLES8.ADMIN)) return context;
4381
+ if (hasMinimumRole8(user.role, ROLES9.ADMIN)) return context;
4215
4382
  const artifactId = context.id;
4216
4383
  if (artifactId === void 0 || artifactId === null) return context;
4217
4384
  const artifactRepo = new ArtifactRepository(db);
4218
4385
  const artifact = await artifactRepo.findById(String(artifactId));
4219
4386
  if (!artifact) {
4220
- throw new Forbidden7(`Artifact ${artifactId} not found or not accessible`);
4387
+ throw new Forbidden8(`Artifact ${artifactId} not found or not accessible`);
4221
4388
  }
4222
4389
  if (artifact.created_by && artifact.created_by === user.user_id) return context;
4223
- throw new Forbidden7(
4390
+ throw new Forbidden8(
4224
4391
  "Only the artifact's creator or an admin may modify it. Use agor_artifacts_publish to create your own copy."
4225
4392
  );
4226
4393
  };
@@ -4235,9 +4402,9 @@ function registerHooks(ctx) {
4235
4402
  // board-scoped queries.
4236
4403
  ...branchRbacEnabled ? [scopeFindToAccessibleBranches(branchRepository, superadminOpts)] : []
4237
4404
  ],
4238
- create: [requireMinimumRole(ROLES8.MEMBER, "create artifacts"), injectCreatedBy()],
4239
- patch: [requireMinimumRole(ROLES8.MEMBER, "update artifacts"), ensureArtifactOwnerOrAdmin()],
4240
- remove: [requireMinimumRole(ROLES8.MEMBER, "delete artifacts"), ensureArtifactOwnerOrAdmin()]
4405
+ create: [requireMinimumRole(ROLES9.MEMBER, "create artifacts"), injectCreatedBy()],
4406
+ patch: [requireMinimumRole(ROLES9.MEMBER, "update artifacts"), ensureArtifactOwnerOrAdmin()],
4407
+ remove: [requireMinimumRole(ROLES9.MEMBER, "delete artifacts"), ensureArtifactOwnerOrAdmin()]
4241
4408
  }
4242
4409
  });
4243
4410
  if (svcEnabled("artifacts")) {
@@ -4252,7 +4419,7 @@ function registerHooks(ctx) {
4252
4419
  return artifactsService.getPayload(artifactId, _params.user?.user_id);
4253
4420
  }
4254
4421
  },
4255
- { find: { role: ROLES8.VIEWER, action: "get artifact payload" } },
4422
+ { find: { role: ROLES9.VIEWER, action: "get artifact payload" } },
4256
4423
  requireAuth
4257
4424
  );
4258
4425
  registerAuthenticatedRoute(
@@ -4279,7 +4446,7 @@ function registerHooks(ctx) {
4279
4446
  }
4280
4447
  },
4281
4448
  {
4282
- create: { role: ROLES8.MEMBER, action: "post artifact console logs" }
4449
+ create: { role: ROLES9.MEMBER, action: "post artifact console logs" }
4283
4450
  },
4284
4451
  requireAuth
4285
4452
  );
@@ -4308,7 +4475,7 @@ function registerHooks(ctx) {
4308
4475
  }
4309
4476
  },
4310
4477
  {
4311
- create: { role: ROLES8.MEMBER, action: "post artifact sandpack error" }
4478
+ create: { role: ROLES9.MEMBER, action: "post artifact sandpack error" }
4312
4479
  },
4313
4480
  requireAuth
4314
4481
  );
@@ -4349,7 +4516,7 @@ function registerHooks(ctx) {
4349
4516
  }
4350
4517
  },
4351
4518
  {
4352
- create: { role: ROLES8.MEMBER, action: "post artifact runtime response" }
4519
+ create: { role: ROLES9.MEMBER, action: "post artifact runtime response" }
4353
4520
  },
4354
4521
  requireAuth
4355
4522
  );
@@ -4371,7 +4538,7 @@ function registerHooks(ctx) {
4371
4538
  }
4372
4539
  },
4373
4540
  {
4374
- create: { role: ROLES8.MEMBER, action: "create artifact trust grant" }
4541
+ create: { role: ROLES9.MEMBER, action: "create artifact trust grant" }
4375
4542
  },
4376
4543
  requireAuth
4377
4544
  );
@@ -4395,8 +4562,8 @@ function registerHooks(ctx) {
4395
4562
  }
4396
4563
  },
4397
4564
  {
4398
- find: { role: ROLES8.VIEWER, action: "list artifact trust grants" },
4399
- remove: { role: ROLES8.MEMBER, action: "revoke artifact trust grant" }
4565
+ find: { role: ROLES9.VIEWER, action: "list artifact trust grants" },
4566
+ remove: { role: ROLES9.MEMBER, action: "revoke artifact trust grant" }
4400
4567
  },
4401
4568
  requireAuth
4402
4569
  );
@@ -4404,9 +4571,9 @@ function registerHooks(ctx) {
4404
4571
  safeService("board-comments")?.hooks({
4405
4572
  before: {
4406
4573
  all: [typedValidateQuery(boardCommentQueryValidator), requireAuth],
4407
- create: [requireMinimumRole(ROLES8.MEMBER, "create board comments"), injectCreatedBy()],
4408
- patch: [requireMinimumRole(ROLES8.MEMBER, "update board comments")],
4409
- remove: [requireMinimumRole(ROLES8.MEMBER, "delete board comments")]
4574
+ create: [requireMinimumRole(ROLES9.MEMBER, "create board comments"), injectCreatedBy()],
4575
+ patch: [requireMinimumRole(ROLES9.MEMBER, "update board comments")],
4576
+ remove: [requireMinimumRole(ROLES9.MEMBER, "delete board comments")]
4410
4577
  }
4411
4578
  });
4412
4579
  app.service("repos").hooks({
@@ -4414,24 +4581,24 @@ function registerHooks(ctx) {
4414
4581
  all: [
4415
4582
  typedValidateQuery(repoQueryValidator),
4416
4583
  requireAuth,
4417
- requireMinimumRole(ROLES8.MEMBER, "access repositories")
4584
+ requireMinimumRole(ROLES9.MEMBER, "access repositories")
4418
4585
  ],
4419
4586
  create: [
4420
- requireMinimumRole(ROLES8.MEMBER, "create repositories"),
4587
+ requireMinimumRole(ROLES9.MEMBER, "create repositories"),
4421
4588
  requireAdminForEnvConfig(),
4422
4589
  validateRepoEnvPolicyHook()
4423
4590
  ],
4424
4591
  update: [
4425
- requireMinimumRole(ROLES8.MEMBER, "update repositories"),
4592
+ requireMinimumRole(ROLES9.MEMBER, "update repositories"),
4426
4593
  requireAdminForEnvConfig(),
4427
4594
  validateRepoEnvPolicyHook()
4428
4595
  ],
4429
4596
  patch: [
4430
- requireMinimumRole(ROLES8.MEMBER, "update repositories"),
4597
+ requireMinimumRole(ROLES9.MEMBER, "update repositories"),
4431
4598
  requireAdminForEnvConfig(),
4432
4599
  validateRepoEnvPolicyHook()
4433
4600
  ],
4434
- remove: [requireMinimumRole(ROLES8.MEMBER, "delete repositories")]
4601
+ remove: [requireMinimumRole(ROLES9.MEMBER, "delete repositories")]
4435
4602
  },
4436
4603
  after: {
4437
4604
  patch: [realignRepoOriginAfterPatchHook()]
@@ -4443,7 +4610,7 @@ function registerHooks(ctx) {
4443
4610
  typedValidateQuery(branchQueryValidator),
4444
4611
  requireAuth,
4445
4612
  executorRuntimeScopeGuard(),
4446
- requireMinimumRole(ROLES8.MEMBER, "access branches")
4613
+ requireMinimumRole(ROLES9.MEMBER, "access branches")
4447
4614
  ],
4448
4615
  find: [
4449
4616
  // RBAC: compose an accessible branch_id filter and let BranchesService.find()
@@ -4458,13 +4625,13 @@ function registerHooks(ctx) {
4458
4625
  ] : []
4459
4626
  ],
4460
4627
  create: [
4461
- requireMinimumRole(ROLES8.MEMBER, "create branches"),
4628
+ requireMinimumRole(ROLES9.MEMBER, "create branches"),
4462
4629
  requireAdminForEnvConfig(),
4463
4630
  validateBranchEnvPolicyHook(),
4464
4631
  injectCreatedBy()
4465
4632
  ],
4466
4633
  update: [
4467
- requireMinimumRole(ROLES8.MEMBER, "update branches"),
4634
+ requireMinimumRole(ROLES9.MEMBER, "update branches"),
4468
4635
  requireAdminForEnvConfig(),
4469
4636
  validateBranchEnvPolicyHook()
4470
4637
  ],
@@ -4600,28 +4767,28 @@ function registerHooks(ctx) {
4600
4767
  safeService("kb/namespaces")?.hooks({
4601
4768
  before: {
4602
4769
  all: [requireAuth],
4603
- create: [requireMinimumRole(ROLES8.MEMBER, "create knowledge namespaces")],
4604
- patch: [requireMinimumRole(ROLES8.MEMBER, "update knowledge namespaces")],
4605
- update: [requireMinimumRole(ROLES8.MEMBER, "update knowledge namespaces")],
4606
- remove: [requireMinimumRole(ROLES8.MEMBER, "delete knowledge namespaces")],
4607
- saveWithAcl: [requireMinimumRole(ROLES8.MEMBER, "save knowledge namespace permissions")],
4608
- listAcl: [requireMinimumRole(ROLES8.MEMBER, "manage knowledge namespace permissions")],
4609
- setAcl: [requireMinimumRole(ROLES8.MEMBER, "manage knowledge namespace permissions")],
4610
- removeAcl: [requireMinimumRole(ROLES8.MEMBER, "manage knowledge namespace permissions")]
4770
+ create: [requireMinimumRole(ROLES9.MEMBER, "create knowledge namespaces")],
4771
+ patch: [requireMinimumRole(ROLES9.MEMBER, "update knowledge namespaces")],
4772
+ update: [requireMinimumRole(ROLES9.MEMBER, "update knowledge namespaces")],
4773
+ remove: [requireMinimumRole(ROLES9.MEMBER, "delete knowledge namespaces")],
4774
+ saveWithAcl: [requireMinimumRole(ROLES9.MEMBER, "save knowledge namespace permissions")],
4775
+ listAcl: [requireMinimumRole(ROLES9.MEMBER, "manage knowledge namespace permissions")],
4776
+ setAcl: [requireMinimumRole(ROLES9.MEMBER, "manage knowledge namespace permissions")],
4777
+ removeAcl: [requireMinimumRole(ROLES9.MEMBER, "manage knowledge namespace permissions")]
4611
4778
  }
4612
4779
  });
4613
4780
  safeService("kb/documents")?.hooks({
4614
4781
  before: {
4615
4782
  all: [requireAuth],
4616
- create: [requireMinimumRole(ROLES8.MEMBER, "create knowledge documents")],
4617
- patch: [requireMinimumRole(ROLES8.MEMBER, "update knowledge documents")],
4618
- update: [requireMinimumRole(ROLES8.MEMBER, "update knowledge documents")],
4619
- remove: [requireMinimumRole(ROLES8.MEMBER, "delete knowledge documents")]
4783
+ create: [requireMinimumRole(ROLES9.MEMBER, "create knowledge documents")],
4784
+ patch: [requireMinimumRole(ROLES9.MEMBER, "update knowledge documents")],
4785
+ update: [requireMinimumRole(ROLES9.MEMBER, "update knowledge documents")],
4786
+ remove: [requireMinimumRole(ROLES9.MEMBER, "delete knowledge documents")]
4620
4787
  }
4621
4788
  });
4622
4789
  safeService("kb/document-edits")?.hooks({
4623
4790
  before: {
4624
- all: [requireAuth, requireMinimumRole(ROLES8.MEMBER, "edit knowledge documents")]
4791
+ all: [requireAuth, requireMinimumRole(ROLES9.MEMBER, "edit knowledge documents")]
4625
4792
  }
4626
4793
  });
4627
4794
  safeService("kb/versions")?.hooks({
@@ -4636,35 +4803,30 @@ function registerHooks(ctx) {
4636
4803
  });
4637
4804
  safeService("kb/settings")?.hooks({
4638
4805
  before: {
4639
- all: [requireAuth, requireMinimumRole(ROLES8.ADMIN, "configure Knowledge semantic search")]
4806
+ all: [requireAuth, requireMinimumRole(ROLES9.ADMIN, "configure Knowledge semantic search")]
4640
4807
  }
4641
4808
  });
4642
4809
  safeService("kb/indexing/status")?.hooks({
4643
4810
  before: {
4644
- all: [requireAuth, requireMinimumRole(ROLES8.ADMIN, "view Knowledge indexing status")]
4811
+ all: [requireAuth, requireMinimumRole(ROLES9.ADMIN, "view Knowledge indexing status")]
4645
4812
  }
4646
4813
  });
4647
4814
  safeService("kb/indexing/reindex")?.hooks({
4648
4815
  before: {
4649
- all: [requireAuth, requireMinimumRole(ROLES8.ADMIN, "reindex Knowledge embeddings")]
4816
+ all: [requireAuth, requireMinimumRole(ROLES9.ADMIN, "reindex Knowledge embeddings")]
4650
4817
  }
4651
4818
  });
4652
4819
  safeService("kb/graph")?.hooks?.({
4653
4820
  before: {
4654
4821
  all: [requireAuth],
4655
- create: [requireMinimumRole(ROLES8.MEMBER, "link knowledge graph nodes")],
4656
- link: [requireMinimumRole(ROLES8.MEMBER, "link knowledge graph nodes")]
4822
+ create: [requireMinimumRole(ROLES9.MEMBER, "link knowledge graph nodes")],
4823
+ link: [requireMinimumRole(ROLES9.MEMBER, "link knowledge graph nodes")]
4657
4824
  }
4658
4825
  });
4659
4826
  const injectPerUserOAuthTokens = async (context) => {
4660
4827
  const queryForUserId = context.params?.query?.forUserId;
4661
4828
  const userId = context.params?.user?.user_id || queryForUserId;
4662
- const source = context.params?.user?.user_id ? "socket-auth" : queryForUserId ? "query-param" : "none";
4663
- console.log(
4664
- `[MCP OAuth] injectPerUserOAuthTokens called - userId: ${userId || "NONE"}, source: ${source}, provider: ${context.params?.provider || "internal"}, method: ${context.method}, resultCount: ${Array.isArray(context.result) ? context.result.length : 1}`
4665
- );
4666
4829
  if (!userId) {
4667
- console.log("[MCP OAuth] No user ID - skipping token injection");
4668
4830
  return context;
4669
4831
  }
4670
4832
  const injectToken = async (server) => {
@@ -4677,9 +4839,6 @@ function registerHooks(ctx) {
4677
4839
  const userTokenRepo = new UserMCPOAuthTokenRepository(db);
4678
4840
  const row = await userTokenRepo.getToken(tokenUserId, server.mcp_server_id);
4679
4841
  if (!row) {
4680
- console.log(
4681
- `[MCP OAuth] No token row for user=${tokenUserId ?? "<shared>"} server=${server.name}`
4682
- );
4683
4842
  return server;
4684
4843
  }
4685
4844
  let accessToken = row.oauth_access_token;
@@ -4749,9 +4908,9 @@ function registerHooks(ctx) {
4749
4908
  safeService("mcp-servers")?.hooks({
4750
4909
  before: {
4751
4910
  all: [typedValidateQuery(mcpServerQueryValidator), requireAuth],
4752
- create: [requireMinimumRole(ROLES8.ADMIN, "create MCP servers")],
4753
- patch: [requireMinimumRole(ROLES8.ADMIN, "update MCP servers")],
4754
- remove: [requireMinimumRole(ROLES8.ADMIN, "delete MCP servers")]
4911
+ create: [requireMinimumRole(ROLES9.ADMIN, "create MCP servers")],
4912
+ patch: [requireMinimumRole(ROLES9.ADMIN, "update MCP servers")],
4913
+ remove: [requireMinimumRole(ROLES9.ADMIN, "delete MCP servers")]
4755
4914
  },
4756
4915
  after: {
4757
4916
  find: [injectPerUserOAuthTokens, redactMCPServerSecretFields],
@@ -4765,7 +4924,7 @@ function registerHooks(ctx) {
4765
4924
  before: {
4766
4925
  all: [requireAuth],
4767
4926
  find: [
4768
- requireMinimumRole(ROLES8.MEMBER, "list session MCP servers"),
4927
+ requireMinimumRole(ROLES9.MEMBER, "list session MCP servers"),
4769
4928
  // RBAC: Scope to sessions the caller can access.
4770
4929
  ...branchRbacEnabled ? [scopeFindToAccessibleSessions(sessionsRepository, superadminOpts)] : []
4771
4930
  ]
@@ -4778,7 +4937,7 @@ function registerHooks(ctx) {
4778
4937
  before: {
4779
4938
  all: [requireAuth],
4780
4939
  find: [
4781
- requireMinimumRole(ROLES8.MEMBER, "list session env selections"),
4940
+ requireMinimumRole(ROLES9.MEMBER, "list session env selections"),
4782
4941
  // RBAC: Scope to sessions the caller can access.
4783
4942
  ...branchRbacEnabled ? [scopeFindToAccessibleSessions(sessionsRepository, superadminOpts)] : []
4784
4943
  ]
@@ -4811,7 +4970,7 @@ function registerHooks(ctx) {
4811
4970
  before: {
4812
4971
  all: [requireAuth],
4813
4972
  create: [
4814
- requireMinimumRole(ROLES8.ADMIN, "create gateway channels"),
4973
+ requireMinimumRole(ROLES9.ADMIN, "create gateway channels"),
4815
4974
  injectCreatedBy(),
4816
4975
  // Encrypt env var values at rest (same pattern as user env vars / API keys)
4817
4976
  async (context) => {
@@ -4829,7 +4988,7 @@ function registerHooks(ctx) {
4829
4988
  }
4830
4989
  ],
4831
4990
  patch: [
4832
- requireMinimumRole(ROLES8.ADMIN, "update gateway channels"),
4991
+ requireMinimumRole(ROLES9.ADMIN, "update gateway channels"),
4833
4992
  // Resolve redacted env var sentinel values ('••••••••') back to real
4834
4993
  // values from the database. Uses the repository directly to bypass
4835
4994
  // the after-hook redaction that the service layer applies.
@@ -4894,7 +5053,7 @@ function registerHooks(ctx) {
4894
5053
  return context;
4895
5054
  }
4896
5055
  ],
4897
- remove: [requireMinimumRole(ROLES8.ADMIN, "delete gateway channels")]
5056
+ remove: [requireMinimumRole(ROLES9.ADMIN, "delete gateway channels")]
4898
5057
  },
4899
5058
  after: {
4900
5059
  all: [
@@ -4944,9 +5103,9 @@ function registerHooks(ctx) {
4944
5103
  app.service("config").hooks({
4945
5104
  before: {
4946
5105
  all: [requireAuth],
4947
- find: [requireMinimumRole(ROLES8.ADMIN, "view configuration")],
4948
- get: [requireMinimumRole(ROLES8.ADMIN, "view configuration")],
4949
- patch: [requireMinimumRole(ROLES8.ADMIN, "update configuration")]
5106
+ find: [requireMinimumRole(ROLES9.ADMIN, "view configuration")],
5107
+ get: [requireMinimumRole(ROLES9.ADMIN, "view configuration")],
5108
+ patch: [requireMinimumRole(ROLES9.ADMIN, "update configuration")]
4950
5109
  }
4951
5110
  });
4952
5111
  safeService("context")?.hooks({
@@ -4958,7 +5117,7 @@ function registerHooks(ctx) {
4958
5117
  before: {
4959
5118
  all: [
4960
5119
  requireAuth,
4961
- requireMinimumRole(ROLES8.MEMBER, "search files"),
5120
+ requireMinimumRole(ROLES9.MEMBER, "search files"),
4962
5121
  // RBAC: files service takes a sessionId query param and returns files
4963
5122
  // from that session's branch. Verify the caller can at least 'view'
4964
5123
  // that branch before running git ls-files. If sessionId is missing
@@ -4985,7 +5144,7 @@ function registerHooks(ctx) {
4985
5144
  before: {
4986
5145
  all: [
4987
5146
  requireAuth,
4988
- requireMinimumRole(ROLES8.MEMBER, "read files"),
5147
+ requireMinimumRole(ROLES9.MEMBER, "read files"),
4989
5148
  ...branchRbacEnabled ? [loadBranch(branchRepository, "branch_id"), ensureCanView(superadminOpts)] : []
4990
5149
  ]
4991
5150
  }
@@ -4997,13 +5156,13 @@ function registerHooks(ctx) {
4997
5156
  requireAuth,
4998
5157
  (context) => {
4999
5158
  if (!webTerminalEnabled) {
5000
- throw new Forbidden7(
5159
+ throw new Forbidden8(
5001
5160
  "Web terminal is disabled on this instance. Ask an administrator to unset or enable execution.allow_web_terminal in the daemon config."
5002
5161
  );
5003
5162
  }
5004
5163
  return context;
5005
5164
  },
5006
- requireMinimumRole(ROLES8.MEMBER, "access terminals")
5165
+ requireMinimumRole(ROLES9.MEMBER, "access terminals")
5007
5166
  ]
5008
5167
  }
5009
5168
  });
@@ -5017,8 +5176,14 @@ function registerHooks(ctx) {
5017
5176
  safeService("group-memberships")?.hooks(groupMembershipsHooks);
5018
5177
  safeService("group-memberships")?.hooks({
5019
5178
  after: {
5020
- create: [clearRealtimeBranchVisibility],
5021
- remove: [clearRealtimeBranchVisibility]
5179
+ create: [
5180
+ clearRealtimeBranchVisibility,
5181
+ (context) => syncUnixAccessForAllBranches(context, "[Executor/group-memberships.create]")
5182
+ ],
5183
+ remove: [
5184
+ clearRealtimeBranchVisibility,
5185
+ (context) => syncUnixAccessForAllBranches(context, "[Executor/group-memberships.remove]")
5186
+ ]
5022
5187
  }
5023
5188
  });
5024
5189
  safeService("branches/:id/owners")?.hooks({
@@ -5029,22 +5194,64 @@ function registerHooks(ctx) {
5029
5194
  });
5030
5195
  safeService("branches/:id/group-grants")?.hooks({
5031
5196
  after: {
5032
- create: [invalidateRealtimeBranchFromRoute],
5033
- patch: [invalidateRealtimeBranchFromRoute],
5034
- remove: [invalidateRealtimeBranchFromRoute]
5197
+ create: [
5198
+ invalidateRealtimeBranchFromRoute,
5199
+ (context) => {
5200
+ const branchId = context.params.route?.id;
5201
+ if (typeof branchId === "string") {
5202
+ syncBranchUnixAccess(branchId, "[Executor/branch-group-grants.create]");
5203
+ }
5204
+ return context;
5205
+ }
5206
+ ],
5207
+ patch: [
5208
+ invalidateRealtimeBranchFromRoute,
5209
+ (context) => {
5210
+ const branchId = context.params.route?.id;
5211
+ if (typeof branchId === "string") {
5212
+ syncBranchUnixAccess(branchId, "[Executor/branch-group-grants.patch]");
5213
+ }
5214
+ return context;
5215
+ }
5216
+ ],
5217
+ remove: [
5218
+ invalidateRealtimeBranchFromRoute,
5219
+ (context) => {
5220
+ const branchId = context.params.route?.id;
5221
+ if (typeof branchId === "string") {
5222
+ syncBranchUnixAccess(branchId, "[Executor/branch-group-grants.remove]");
5223
+ }
5224
+ return context;
5225
+ }
5226
+ ]
5035
5227
  }
5036
5228
  });
5037
5229
  safeService("boards/:id/owners")?.hooks({
5038
5230
  after: {
5039
- create: [clearRealtimeBranchVisibility],
5040
- remove: [clearRealtimeBranchVisibility]
5231
+ create: [
5232
+ clearRealtimeBranchVisibility,
5233
+ (context) => syncUnixAccessForBoardFromRoute(context, "[Executor/board-owners.create]")
5234
+ ],
5235
+ remove: [
5236
+ clearRealtimeBranchVisibility,
5237
+ (context) => syncUnixAccessForBoardFromRoute(context, "[Executor/board-owners.remove]")
5238
+ ]
5041
5239
  }
5042
5240
  });
5043
5241
  safeService("boards/:id/group-grants")?.hooks({
5044
5242
  after: {
5045
- create: [clearRealtimeBranchVisibility],
5046
- patch: [clearRealtimeBranchVisibility],
5047
- remove: [clearRealtimeBranchVisibility]
5243
+ create: [
5244
+ clearRealtimeBranchVisibility,
5245
+ (context) => syncUnixAccessForBoardFromRoute(context, "[Executor/board-group-grants.create]")
5246
+ ],
5247
+ patch: [
5248
+ clearRealtimeBranchVisibility,
5249
+ (context) => syncUnixAccessForBoardFromRoute(context, "[Executor/board-group-grants.patch]")
5250
+ ],
5251
+ remove: [
5252
+ clearRealtimeBranchVisibility,
5253
+ (context) => syncUnixAccessForBoardFromRoute(context, "[Executor/board-group-grants.remove]")
5254
+ ]
5048
5255
  }
5049
5256
  });
5050
5257
  app.service("users").hooks({
@@ -5057,7 +5264,7 @@ function registerHooks(ctx) {
5057
5264
  return context;
5058
5265
  }
5059
5266
  if (params.user) {
5060
- ensureMinimumRole(params, ROLES8.MEMBER, "list users");
5267
+ ensureMinimumRole(params, ROLES9.MEMBER, "list users");
5061
5268
  return context;
5062
5269
  }
5063
5270
  const query = params.query || {};
@@ -5070,7 +5277,7 @@ function registerHooks(ctx) {
5070
5277
  ],
5071
5278
  get: [
5072
5279
  (context) => {
5073
- ensureMinimumRole(context.params, ROLES8.MEMBER, "view users");
5280
+ ensureMinimumRole(context.params, ROLES9.MEMBER, "view users");
5074
5281
  return context;
5075
5282
  }
5076
5283
  ],
@@ -5082,13 +5289,13 @@ function registerHooks(ctx) {
5082
5289
  }
5083
5290
  const existing = await usersService.find({ query: { $limit: 1 } });
5084
5291
  if (existing.total > 0) {
5085
- ensureMinimumRole(params, ROLES8.ADMIN, "create users");
5292
+ ensureMinimumRole(params, ROLES9.ADMIN, "create users");
5086
5293
  }
5087
5294
  const data = context.data;
5088
- if (hasMinimumRole8(data?.role, ROLES8.SUPERADMIN)) {
5295
+ if (hasMinimumRole8(data?.role, ROLES9.SUPERADMIN)) {
5089
5296
  const callerRole = params.user?.role;
5090
- if (!hasMinimumRole8(callerRole, ROLES8.SUPERADMIN)) {
5091
- throw new Forbidden7("Only superadmins can create superadmin users");
5297
+ if (!hasMinimumRole8(callerRole, ROLES9.SUPERADMIN)) {
5298
+ throw new Forbidden8("Only superadmins can create superadmin users");
5092
5299
  }
5093
5300
  }
5094
5301
  return context;
@@ -5099,28 +5306,28 @@ function registerHooks(ctx) {
5099
5306
  const params = context.params;
5100
5307
  const userId = context.id;
5101
5308
  const callerRole = params.user?.role;
5102
- const callerIsAdmin = hasMinimumRole8(callerRole, ROLES8.ADMIN);
5309
+ const callerIsAdmin = hasMinimumRole8(callerRole, ROLES9.ADMIN);
5103
5310
  if (!Array.isArray(context.data)) {
5104
5311
  if (context.data?.unix_username !== void 0) {
5105
5312
  if (!callerIsAdmin) {
5106
- throw new Forbidden7("Only admins can modify unix_username");
5313
+ throw new Forbidden8("Only admins can modify unix_username");
5107
5314
  }
5108
5315
  }
5109
5316
  if (context.data?.role !== void 0) {
5110
5317
  if (!callerIsAdmin) {
5111
- throw new Forbidden7("Only admins can modify user roles");
5318
+ throw new Forbidden8("Only admins can modify user roles");
5112
5319
  }
5113
- if (hasMinimumRole8(context.data.role, ROLES8.SUPERADMIN) && !hasMinimumRole8(callerRole, ROLES8.SUPERADMIN)) {
5320
+ if (hasMinimumRole8(context.data.role, ROLES9.SUPERADMIN) && !hasMinimumRole8(callerRole, ROLES9.SUPERADMIN)) {
5114
5321
  const allUsers = await usersService.find({});
5115
- const hasSuperadmin = allUsers.data.some((u) => u.role === ROLES8.SUPERADMIN);
5322
+ const hasSuperadmin = allUsers.data.some((u) => u.role === ROLES9.SUPERADMIN);
5116
5323
  if (hasSuperadmin) {
5117
- throw new Forbidden7("Only superadmins can assign the superadmin role");
5324
+ throw new Forbidden8("Only superadmins can assign the superadmin role");
5118
5325
  }
5119
5326
  }
5120
5327
  }
5121
5328
  if (context.data?.must_change_password !== void 0) {
5122
5329
  if (!callerIsAdmin) {
5123
- throw new Forbidden7("Only admins can force password changes");
5330
+ throw new Forbidden8("Only admins can force password changes");
5124
5331
  }
5125
5332
  }
5126
5333
  }
@@ -5133,16 +5340,16 @@ function registerHooks(ctx) {
5133
5340
  if (!context.params.provider && params.trustedEnvVarWrite === true) {
5134
5341
  const keys = Object.keys(context.data ?? {});
5135
5342
  if (!keys.every((k) => k === "env_vars" || k === "env_var_scopes")) {
5136
- throw new Forbidden7(
5343
+ throw new Forbidden8(
5137
5344
  "trustedEnvVarWrite only permits env_vars and env_var_scopes updates"
5138
5345
  );
5139
5346
  }
5140
5347
  return context;
5141
5348
  }
5142
- throw new Forbidden7("You can only update your own profile");
5349
+ throw new Forbidden8("You can only update your own profile");
5143
5350
  }
5144
5351
  ],
5145
- remove: [requireMinimumRole(ROLES8.ADMIN, "delete users")]
5352
+ remove: [requireMinimumRole(ROLES9.ADMIN, "delete users")]
5146
5353
  },
5147
5354
  after: {
5148
5355
  // After user create/patch: optionally ensure Unix user exists and sync password
@@ -5249,7 +5456,7 @@ function registerHooks(ctx) {
5249
5456
  ] : []
5250
5457
  ],
5251
5458
  create: [
5252
- requireMinimumRole(ROLES8.MEMBER, "create sessions"),
5459
+ requireMinimumRole(ROLES9.MEMBER, "create sessions"),
5253
5460
  ...branchRbacEnabled ? [
5254
5461
  setSessionUnixUsername(usersRepository),
5255
5462
  // Stamp session with creator's unix_username (MUST run first)
@@ -5260,7 +5467,7 @@ function registerHooks(ctx) {
5260
5467
  try {
5261
5468
  const branch = await branchRepository.findById(data.branch_id);
5262
5469
  if (!branch) {
5263
- throw new Forbidden7(`Branch not found: ${data.branch_id}`);
5470
+ throw new Forbidden8(`Branch not found: ${data.branch_id}`);
5264
5471
  }
5265
5472
  await cacheBranchAccess(context.params, branchRepository, branch);
5266
5473
  } catch (error) {
@@ -5318,7 +5525,8 @@ function registerHooks(ctx) {
5318
5525
  `\u2705 Auto-populated git_state from branch: ref=${currentRef}, sha=${currentSha.substring(0, 8)}`
5319
5526
  );
5320
5527
  } catch (gitError) {
5321
- console.warn("Failed to auto-populate git_state from branch:", gitError);
5528
+ const message = gitError instanceof Error ? gitError.message : String(gitError);
5529
+ console.warn(`Failed to auto-populate git_state from branch: ${message}`);
5322
5530
  }
5323
5531
  }
5324
5532
  }
@@ -5392,6 +5600,15 @@ function registerHooks(ctx) {
5392
5600
  ]
5393
5601
  },
5394
5602
  after: {
5603
+ find: [
5604
+ async (context) => {
5605
+ context.result = await enrichSessionFindResultWithRemoteRelationships(
5606
+ context.result,
5607
+ sessionsService
5608
+ );
5609
+ return context;
5610
+ }
5611
+ ],
5395
5612
  get: [
5396
5613
  async (context) => {
5397
5614
  if (config.daemon?.mcpEnabled === false) {
@@ -5459,7 +5676,7 @@ function registerHooks(ctx) {
5459
5676
  return context;
5460
5677
  }
5461
5678
  const callerRole = context.params.user?.role;
5462
- if (!hasMinimumRole8(callerRole, ROLES8.MEMBER)) {
5679
+ if (!hasMinimumRole8(callerRole, ROLES9.MEMBER)) {
5463
5680
  return context;
5464
5681
  }
5465
5682
  const { generateSessionToken: generateSessionToken3 } = await Promise.resolve().then(() => (init_tokens(), tokens_exports));
@@ -5535,23 +5752,27 @@ function registerHooks(ctx) {
5535
5752
  patch: [
5536
5753
  async (context) => {
5537
5754
  const session = Array.isArray(context.result) ? context.result[0] : context.result;
5538
- if (session && session.status === "idle") {
5755
+ if (session && shouldRunSessionPostTurnHooks(session)) {
5539
5756
  setImmediate(async () => {
5540
5757
  try {
5541
5758
  const gatewayService = context.app.service("gateway");
5542
5759
  await gatewayService.flushGitHubBuffer(session.session_id);
5760
+ await gatewayService.updateProgress({
5761
+ session_id: session.session_id,
5762
+ state: "done"
5763
+ });
5543
5764
  } catch (error) {
5544
5765
  console.warn(
5545
- `[gateway] Failed to flush GitHub buffer for session ${shortId5(session.session_id)}:`,
5766
+ `[gateway] Failed to flush gateway buffers/status for session ${shortId5(session.session_id)}:`,
5546
5767
  error
5547
5768
  );
5548
5769
  }
5549
5770
  });
5550
- if (session.ready_for_prompt) {
5771
+ if (shouldDrainQueueAfterSessionPostTurnPatch(session, context.params)) {
5551
5772
  setImmediate(async () => {
5552
5773
  try {
5553
5774
  console.log(
5554
- `\u{1F504} [SessionsService.after.patch] Session ${shortId5(session.session_id)} became IDLE, checking for queued tasks...`
5775
+ `\u{1F504} [SessionsService.after.patch] Session ${shortId5(session.session_id)} became promptable (${session.status}), checking for queued tasks...`
5555
5776
  );
5556
5777
  await sessionsService.triggerQueueProcessing(session.session_id, context.params);
5557
5778
  } catch (error) {
@@ -5589,14 +5810,14 @@ function registerHooks(ctx) {
5589
5810
  ] : []
5590
5811
  ],
5591
5812
  create: [
5592
- requireMinimumRole(ROLES8.MEMBER, "create schedules"),
5813
+ requireMinimumRole(ROLES9.MEMBER, "create schedules"),
5593
5814
  ...branchRbacEnabled ? [loadBranch(branchRepository, "branch_id"), ensureCanCreateSession(superadminOpts)] : [],
5594
5815
  injectCreatedBy(),
5595
5816
  validateScheduleConfig(),
5596
5817
  recomputeNextRunAt()
5597
5818
  ],
5598
5819
  patch: [
5599
- requireMinimumRole(ROLES8.MEMBER, "update schedules"),
5820
+ requireMinimumRole(ROLES9.MEMBER, "update schedules"),
5600
5821
  ...branchRbacEnabled ? [
5601
5822
  loadScheduleAndBranch(scheduleRepository, branchRepository),
5602
5823
  ensureCanModifySchedule(superadminOpts)
@@ -5611,7 +5832,7 @@ function registerHooks(ctx) {
5611
5832
  recomputeNextRunAt()
5612
5833
  ],
5613
5834
  remove: [
5614
- requireMinimumRole(ROLES8.MEMBER, "delete schedules"),
5835
+ requireMinimumRole(ROLES9.MEMBER, "delete schedules"),
5615
5836
  ...branchRbacEnabled ? [
5616
5837
  loadScheduleAndBranch(scheduleRepository, branchRepository),
5617
5838
  ensureBranchPermission("all", "delete schedule", superadminOpts)
@@ -5636,7 +5857,7 @@ function registerHooks(ctx) {
5636
5857
  ] : []
5637
5858
  ],
5638
5859
  create: [
5639
- requireMinimumRole(ROLES8.MEMBER, "create tasks"),
5860
+ requireMinimumRole(ROLES9.MEMBER, "create tasks"),
5640
5861
  ...branchRbacEnabled ? [
5641
5862
  resolveSessionContext(),
5642
5863
  loadSession(sessionsService),
@@ -5658,7 +5879,7 @@ function registerHooks(ctx) {
5658
5879
  ] : []
5659
5880
  ],
5660
5881
  remove: [
5661
- requireMinimumRole(ROLES8.MEMBER, "delete tasks"),
5882
+ requireMinimumRole(ROLES9.MEMBER, "delete tasks"),
5662
5883
  // RBAC: deleting a task requires 'all' permission on the branch
5663
5884
  // (mirrors sessions.remove). Without this, any member with 'session'
5664
5885
  // access could delete tasks owned by other users on shared branches.
@@ -5679,7 +5900,7 @@ function registerHooks(ctx) {
5679
5900
  if (!user) throw new NotAuthenticated7("Authentication required");
5680
5901
  if (user._isServiceAccount) return context;
5681
5902
  const allowSuperadmin = superadminOpts?.allowSuperadmin ?? true;
5682
- if (user.role === ROLES8.ADMIN || allowSuperadmin && user.role === ROLES8.SUPERADMIN) {
5903
+ if (user.role === ROLES9.ADMIN || allowSuperadmin && user.role === ROLES9.SUPERADMIN) {
5683
5904
  return context;
5684
5905
  }
5685
5906
  const args = context.arguments;
@@ -5687,10 +5908,10 @@ function registerHooks(ctx) {
5687
5908
  const id = typeof context.id === "string" ? context.id : typeof context.params.route?.id === "string" ? context.params.route.id : typeof firstArg === "string" ? firstArg : firstArg && typeof firstArg === "object" ? firstArg.boardId ?? firstArg.id ?? firstArg.slug : void 0;
5688
5909
  if (!id) throw new BadRequest3("Board ID is required");
5689
5910
  const board = await boardRepository.findBySlugOrId(id);
5690
- if (!board) throw new Forbidden7(`Board not found: ${id}`);
5911
+ if (!board) throw new Forbidden8(`Board not found: ${id}`);
5691
5912
  const allowed = mode === "view" ? await boardRepository.canView(board.board_id, user.user_id) : await boardRepository.canMutate(board.board_id, user.user_id);
5692
5913
  if (!allowed) {
5693
- throw new Forbidden7(
5914
+ throw new Forbidden8(
5694
5915
  mode === "view" ? `You need board access to ${action}` : `You need board owner or board group 'all' access to ${action}`
5695
5916
  );
5696
5917
  }
@@ -5711,9 +5932,9 @@ function registerHooks(ctx) {
5711
5932
  get: [ensureCanViewBoard("view this board")],
5712
5933
  findBySlug: [ensureCanViewBoard("view this board")],
5713
5934
  findBySlugOrId: [ensureCanViewBoard("view this board")],
5714
- create: [requireMinimumRole(ROLES8.MEMBER, "create boards"), injectCreatedBy()],
5935
+ create: [requireMinimumRole(ROLES9.MEMBER, "create boards"), injectCreatedBy()],
5715
5936
  patch: [
5716
- requireMinimumRole(ROLES8.MEMBER, "update boards"),
5937
+ requireMinimumRole(ROLES9.MEMBER, "update boards"),
5717
5938
  ensureCanMutateBoard("update this board"),
5718
5939
  async (context) => {
5719
5940
  const contextData = context.data || {};
@@ -5780,30 +6001,30 @@ function registerHooks(ctx) {
5780
6001
  }
5781
6002
  ],
5782
6003
  remove: [
5783
- requireMinimumRole(ROLES8.MEMBER, "delete boards"),
6004
+ requireMinimumRole(ROLES9.MEMBER, "delete boards"),
5784
6005
  ensureCanMutateBoard("delete this board")
5785
6006
  ],
5786
6007
  toBlob: [
5787
- requireMinimumRole(ROLES8.MEMBER, "export boards"),
6008
+ requireMinimumRole(ROLES9.MEMBER, "export boards"),
5788
6009
  ensureCanViewBoard("export boards")
5789
6010
  ],
5790
6011
  toYaml: [
5791
- requireMinimumRole(ROLES8.MEMBER, "export boards"),
6012
+ requireMinimumRole(ROLES9.MEMBER, "export boards"),
5792
6013
  ensureCanViewBoard("export boards")
5793
6014
  ],
5794
- fromBlob: [requireMinimumRole(ROLES8.MEMBER, "import boards")],
5795
- fromYaml: [requireMinimumRole(ROLES8.MEMBER, "import boards")],
5796
- clone: [requireMinimumRole(ROLES8.MEMBER, "clone boards"), ensureCanViewBoard("clone boards")],
6015
+ fromBlob: [requireMinimumRole(ROLES9.MEMBER, "import boards")],
6016
+ fromYaml: [requireMinimumRole(ROLES9.MEMBER, "import boards")],
6017
+ clone: [requireMinimumRole(ROLES9.MEMBER, "clone boards"), ensureCanViewBoard("clone boards")],
5797
6018
  setPrimaryAssistant: [
5798
- requireMinimumRole(ROLES8.MEMBER, "set primary assistant"),
6019
+ requireMinimumRole(ROLES9.MEMBER, "set primary assistant"),
5799
6020
  ensureCanMutateBoard("set primary assistant")
5800
6021
  ],
5801
6022
  clearPrimaryAssistant: [
5802
- requireMinimumRole(ROLES8.MEMBER, "clear primary assistant"),
6023
+ requireMinimumRole(ROLES9.MEMBER, "clear primary assistant"),
5803
6024
  ensureCanMutateBoard("clear primary assistant")
5804
6025
  ],
5805
6026
  ensureAssistantWelcomeNote: [
5806
- requireMinimumRole(ROLES8.MEMBER, "create assistant welcome note"),
6027
+ requireMinimumRole(ROLES9.MEMBER, "create assistant welcome note"),
5807
6028
  ensureCanMutateBoard("create assistant welcome note")
5808
6029
  ]
5809
6030
  },
@@ -5944,7 +6165,7 @@ function registerHooks(ctx) {
5944
6165
  before: {
5945
6166
  create: [
5946
6167
  requireAuth,
5947
- requireMinimumRole(ROLES8.MEMBER, "archive boards"),
6168
+ requireMinimumRole(ROLES9.MEMBER, "archive boards"),
5948
6169
  ensureCanMutateBoard("archive this board")
5949
6170
  ]
5950
6171
  },
@@ -5961,7 +6182,7 @@ function registerHooks(ctx) {
5961
6182
  before: {
5962
6183
  create: [
5963
6184
  requireAuth,
5964
- requireMinimumRole(ROLES8.MEMBER, "unarchive boards"),
6185
+ requireMinimumRole(ROLES9.MEMBER, "unarchive boards"),
5965
6186
  ensureCanMutateBoard("unarchive this board")
5966
6187
  ]
5967
6188
  },
@@ -5971,6 +6192,10 @@ function registerHooks(ctx) {
5971
6192
  }
5972
6193
  export {
5973
6194
  PROMPT_FLOW_PATCH_FIELDS,
6195
+ enrichSessionFindResultWithRemoteRelationships,
5974
6196
  isPromptFlowPatchOnly,
5975
- registerHooks
6197
+ registerHooks,
6198
+ shouldDrainQueueAfterSessionPostTurnPatch,
6199
+ shouldRunSessionPostTurnHooks,
6200
+ shouldValidateRepoEnvironmentPayload
5976
6201
  };