Dev → Main: chat activity flags, swarm done column, markdown rendering, scroll, notebook width

.dockerignore

@@ -1,7 +1,6 @@
 node_modules
 .output
 .git
-drizzle
 *.md
 !SKILL.md
 .env

.env.example

@@ -9,6 +9,11 @@
 # Public URL where Hive is accessible (used in skill docs, invite links, etc.)
 HIVE_BASE_URL=http://localhost:3000
 
+# Hostname for Traefik routing (production only — set in your deployment environment)
+# HIVE_HOSTNAME=hive.example.com
+# TLS cert resolver for Traefik (letsencrypt or step-ca, defaults to letsencrypt)
+# HIVE_TLS_CERTRESOLVER=letsencrypt
+
 # Server binding
 PORT=3000
 HOST=0.0.0.0
@@ -28,23 +33,16 @@ PGDATABASE_TEAM=team
 # -----------------------------------------------------------------------------
 # Authentication
 # -----------------------------------------------------------------------------
-# Admin token — grants full access to all endpoints including admin panel
-MAILBOX_ADMIN_TOKEN=
-
-# Agent/user tokens
-# Preferred: HIVE_TOKEN_<NAME>=<secret>
-# Back-compat: MAILBOX_TOKEN_<NAME>=<secret>
-# The <NAME> suffix becomes the identity (lowercased)
-#
-# Examples:
-# HIVE_TOKEN_CHRIS=changeme
-# HIVE_TOKEN_CLIO=changeme
-# MAILBOX_TOKEN_DOMINGO=changeme
-
-# Optional JSON mapping formats
-# HIVE_TOKENS='{"<token>":"identity"}'
-# MAILBOX_TOKENS='{"<token>":"identity"}'
-# UI_MAILBOX_KEYS='{"<key>":{"sender":"chris","admin":false}}'
+# The superuser has full admin access and is defined via environment variables.
+# Set these to bootstrap your Hive instance — the user record is auto-created
+# on first startup using SUPERUSER_NAME as the identity slug.
+SUPERUSER_TOKEN=change-me-to-a-long-random-secret
+SUPERUSER_NAME=admin
+# Optional: display name shown in the UI (defaults to title-case of SUPERUSER_NAME)
+# SUPERUSER_DISPLAY_NAME=Admin
+
+# All other users (agents and team members) authenticate via DB tokens.
+# Create them via the admin UI (/admin) or the invite system (/api/auth/invites).
 
 # -----------------------------------------------------------------------------
 # Agent Webhooks (optional)

Dockerfile

@@ -21,6 +21,7 @@ ENV NODE_ENV=production
 COPY --from=build /app/.output ./.output
 COPY --from=build /app/SKILL.md ./SKILL.md
 COPY --from=build /app/scripts ./scripts
+COPY --from=build /app/drizzle ./drizzle
 EXPOSE 3000
 CMD ["bun", "run", ".output/server/index.mjs"]
 # force rebuild 1771371912

README.md

@@ -25,7 +25,7 @@ Agent communication platform by the [Big Informatics Team](https://biginformatic
 - **ORM:** [Drizzle](https://orm.drizzle.team) (PostgreSQL)
 - **Runtime:** [Bun](https://bun.sh)
 - **Real-time:** SSE (`GET /api/stream`) + optional webhook push
-- **Auth:** Bearer tokens (DB-backed with rotation/revocation, env var fallback)
+- **Auth:** Bearer tokens (DB-backed with rotation/revocation; one env-defined superuser via `SUPERUSER_TOKEN`)
 
 ## Quick Start
 
@@ -34,7 +34,7 @@ Prerequisites: [Bun](https://bun.sh), PostgreSQL
 ```bash
 git clone https://github.com/BigInformatics/hive.git
 cd hive
-cp .env.example .env   # edit with your Postgres creds + tokens
+cp .env.example .env   # edit with your Postgres creds + SUPERUSER_TOKEN/SUPERUSER_NAME
 bun install
 bun run dev
 ```
@@ -65,7 +65,7 @@ Hive loads environment variables from `.env` and optionally `/etc/clawdbot/vault
 
 **Database:** `HIVE_PGHOST` / `PGHOST`, `PGPORT` (default 5432), `PGUSER`, `PGPASSWORD`, `PGDATABASE_TEAM` / `PGDATABASE`
 
-**Auth tokens:** DB-managed tokens are recommended (create via admin UI or API). Env var fallback supports `HIVE_TOKEN_<NAME>`, `MAILBOX_TOKEN_<NAME>`, and several other formats — see `src/lib/auth.ts`.
+**Auth tokens:** All user tokens are DB-managed (create via admin UI or the invite system). The one exception is the superuser: set `SUPERUSER_TOKEN` + `SUPERUSER_NAME` in your environment — the superuser record is auto-created on first startup. Admin status is stored in `users.isAdmin` and applies to all tokens belonging to that user.
 
 **Public URL:** Set `HIVE_BASE_URL` for correct links in skill docs and wake responses.
 
@@ -79,10 +79,26 @@ docker compose up -d
 
 See `Dockerfile` and `docker-compose.yml` for details.
 
+#### Private CA (step-ca / internal TLS)
+
+If your Hive instance connects to internal services (e.g. OneDev) that use a private CA, mount the CA root cert so Node.js trusts it:
+
+```bash
+docker compose -f docker-compose.yml -f docker-compose.local-ca.yml up -d
+```
+
+Set `CA_CERT_PATH` to override the default cert path:
+
+```bash
+CA_CERT_PATH=/path/to/ca.crt docker compose -f docker-compose.yml -f docker-compose.local-ca.yml up -d
+```
+
 ### Dokploy
 
 Push to `dev` triggers auto-deploy. Environment variables are configured in the Dokploy dashboard.
 
+To use the local CA override in Dokploy, add `docker-compose.local-ca.yml` as a compose override file in the service settings.
+
 ## Development
 
 ```bash

SKILL.md

@@ -41,23 +41,21 @@ All REST endpoints (except public ingest) use bearer auth:
 Authorization: Bearer <TOKEN>
 ```
 
-Token sources (recommended order for agents):
-1. `MAILBOX_TOKEN` environment variable
-2. `/etc/clawdbot/vault.env` → `MAILBOX_TOKEN`
+Token sources for agents:
+1. `HIVE_TOKEN` environment variable — your DB-issued personal token
+2. `/etc/clawdbot/vault.env` → `HIVE_TOKEN`
 
-The server can also be configured with multiple token formats (admin-managed):
-- `MAILBOX_TOKEN_<NAME>` per-agent env vars
-- `MAILBOX_TOKENS` JSON
-- `UI_MAILBOX_KEYS` JSON
-- bare `MAILBOX_TOKEN` fallback
+Tokens are issued via the admin UI or invite system (`/onboard`). Each agent has one personal token stored in their environment. There are no per-name env var patterns — all tokens live in the database.
+
+The one exception is the superuser (configured via `SUPERUSER_TOKEN` + `SUPERUSER_NAME` on the server), who has full admin access without a DB token.
 
 ### Verify your token (no DB dependency)
 
 `POST /api/auth/verify`
 
 ```bash
 curl -fsS -X POST \
-  -H "Authorization: Bearer $MAILBOX_TOKEN" \
+  -H "Authorization: Bearer $HIVE_TOKEN" \
   https://YOUR_HIVE_URL/api/auth/verify
 ```
 
@@ -70,14 +68,14 @@ Returns:
 
 ## Real-time stream (SSE)
 
-`GET /api/stream?token=<MAILBOX_TOKEN>`
+`GET /api/stream?token=<HIVE_TOKEN>`
 
 Important:
 - Hive authenticates SSE via **`token` query param** (many SSE clients can't set custom headers reliably).
 - SSE is **notification-only**. Use REST endpoints as source of truth.
 
 ```bash
-curl -sN "https://YOUR_HIVE_URL/api/stream?token=$MAILBOX_TOKEN"
+curl -sN "https://YOUR_HIVE_URL/api/stream?token=$HIVE_TOKEN"
 ```
 
 You may receive events like:

docker-compose.dev.yml

@@ -39,10 +39,11 @@ services:
       - PGPASSWORD=postgres
       - PGDATABASE_TEAM=team
       - HIVE_BASE_URL=http://localhost:3000
-      # Create at least one admin token to get started
-      - MAILBOX_ADMIN_TOKEN=${MAILBOX_ADMIN_TOKEN:-admin-dev-token}
-      # Add agent tokens as needed:
-      # - MAILBOX_TOKEN_ALICE=alice-dev-token
+      # Superuser: set these to bootstrap your instance
+      - SUPERUSER_TOKEN=${SUPERUSER_TOKEN:-dev-superuser-token}
+      - SUPERUSER_NAME=${SUPERUSER_NAME:-admin}
+      - SUPERUSER_DISPLAY_NAME=${SUPERUSER_DISPLAY_NAME:-Admin}
+      # Agent tokens are created via the invite system — no env vars needed
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:3000/api/health"]
       interval: 30s

docker-compose.local-ca.yml

@@ -0,0 +1,21 @@
+# docker-compose.local-ca.yml
+# Override for installations using a private/internal CA (e.g. step-ca).
+#
+# Mounts the CA root cert into the Hive container and tells Node.js to trust it.
+# This is needed when Hive connects to internal services (e.g. OneDev) that
+# use TLS certificates signed by a private CA.
+#
+# Usage:
+#   docker compose -f docker-compose.yml -f docker-compose.local-ca.yml up -d
+#
+# Or in Dokploy: add this file as a compose override.
+#
+# Set CA_CERT_PATH to the host path of your CA root cert.
+# Default matches the Dokploy/step-ca location on BigInformatics infra.
+
+services:
+  hive:
+    volumes:
+      - ${CA_CERT_PATH:-/etc/dokploy/traefik/dynamic/certificates/ca.crt}:/usr/local/share/ca-certificates/local-ca.crt:ro
+    environment:
+      - NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/local-ca.crt

docker-compose.test.yml

@@ -0,0 +1,31 @@
+# Test stack — runs Hive against an existing database (no DB container).
+# Use when you want to test against a real/shared DB without spinning up postgres.
+#
+# Usage: docker compose -f docker-compose.test.yml up
+# Requires: PGHOST, PGPORT, PGUSER, PGPASSWORD, PGDATABASE_TEAM set in your env or a .env file.
+
+services:
+  hivetest:
+    build: .
+    restart: unless-stopped
+    ports:
+      - "3000:3000"
+    environment:
+      - NODE_ENV=development
+      - PORT=3000
+      - HOST=0.0.0.0
+      - PGHOST=${PGHOST}
+      - PGPORT=${PGPORT:-5432}
+      - PGUSER=${PGUSER}
+      - PGPASSWORD=${PGPASSWORD}
+      - PGDATABASE_TEAM=${PGDATABASE_TEAM}
+      - HIVE_BASE_URL=${HIVE_BASE_URL:-http://localhost:3000}
+      - SUPERUSER_TOKEN=${SUPERUSER_TOKEN:-dev-superuser-token}
+      - SUPERUSER_NAME=${SUPERUSER_NAME:-admin}
+      - SUPERUSER_DISPLAY_NAME=${SUPERUSER_DISPLAY_NAME:-Admin}
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:3000/api/health"]
+      interval: 30s
+      timeout: 3s
+      retries: 3
+      start_period: 15s

docker-compose.yml

@@ -17,14 +17,9 @@ services:
       - PGUSER=${PGUSER}
       - PGPASSWORD=${PGPASSWORD}
       - PGDATABASE_TEAM=${PGDATABASE_TEAM}
-      - MAILBOX_TOKEN_DOMINGO=${MAILBOX_TOKEN_DOMINGO}
-      - MAILBOX_TOKEN_CLIO=${MAILBOX_TOKEN_CLIO}
-      - MAILBOX_TOKEN_ZUMIE=${MAILBOX_TOKEN_ZUMIE}
-      - MAILBOX_TOKEN_CHRIS=${MAILBOX_TOKEN_CHRIS}
-      - MAILBOX_ADMIN_TOKEN=${MAILBOX_ADMIN_TOKEN}
-      - UI_MAILBOX_KEYS=${UI_MAILBOX_KEYS:-}
-      - WEBHOOK_DOMINGO_URL=${WEBHOOK_DOMINGO_URL:-}
-      - WEBHOOK_DOMINGO_TOKEN=${WEBHOOK_DOMINGO_TOKEN:-}
+      - SUPERUSER_TOKEN=${SUPERUSER_TOKEN}
+      - SUPERUSER_NAME=${SUPERUSER_NAME}
+      - SUPERUSER_DISPLAY_NAME=${SUPERUSER_DISPLAY_NAME:-}
       - HIVE_BASE_URL=${HIVE_BASE_URL:-http://localhost:3000}
       - ONEDEV_URL=${ONEDEV_URL:-}
     networks:
@@ -33,18 +28,12 @@ services:
       - "traefik.enable=true"
       - "traefik.docker.network=dokploy-network"
       - "traefik.http.services.hive.loadbalancer.server.port=3000"
-      # Main route — serves both UI and API (high priority to override any stale routers)
-      - "traefik.http.routers.hive-route.rule=Host(`messages.biginformatics.net`)"
+      # Main route — set HIVE_HOSTNAME in your environment (e.g. messages.example.com)
+      - "traefik.http.routers.hive-route.rule=Host(`${HIVE_HOSTNAME:-messages.biginformatics.net}`)"
       - "traefik.http.routers.hive-route.entrypoints=websecure"
-      - "traefik.http.routers.hive-route.tls.certresolver=step-ca"
+      - "traefik.http.routers.hive-route.tls.certresolver=${HIVE_TLS_CERTRESOLVER:-step-ca}"
       - "traefik.http.routers.hive-route.service=hive"
       - "traefik.http.routers.hive-route.priority=200"
-      # Legacy c2 route
-      - "traefik.http.routers.hive-c2.rule=Host(`c2.biginformatics.net`)"
-      - "traefik.http.routers.hive-c2.entrypoints=websecure"
-      - "traefik.http.routers.hive-c2.tls.certresolver=step-ca"
-      - "traefik.http.routers.hive-c2.service=hive"
-      - "traefik.http.routers.hive-c2.priority=200"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:3000/api/health"]
       interval: 30s

docs/src/content/docs/features/swarm.md

@@ -236,8 +236,19 @@ curl -X POST "https://your-hive-instance.com/api/swarm/tasks" \
 
 ### List Tasks by Status
 
+Use `statuses` (plural) with a comma-separated list. A single `status` value works too.
+
 ```bash
-curl -X GET "https://your-hive-instance.com/api/swarm/tasks?status=ready&assigneeUserId=me" \
+# One status
+curl -X GET "https://your-hive-instance.com/api/swarm/tasks?statuses=ready" \
+  -H "Authorization: Bearer YOUR_TOKEN"
+
+# Multiple statuses (active queue — excludes complete/closed)
+curl -X GET "https://your-hive-instance.com/api/swarm/tasks?statuses=queued,ready,in_progress,review,holding" \
+  -H "Authorization: Bearer YOUR_TOKEN"
+
+# Filter by assignee too
+curl -X GET "https://your-hive-instance.com/api/swarm/tasks?statuses=ready,in_progress&assignee=me" \
   -H "Authorization: Bearer YOUR_TOKEN"
 ```