feat: join request claim secrets, onboarding API, and company branding

Add secure claim secret flow for agent join requests with timing-safe
comparison, expiry, and one-time use. Expose machine-readable onboarding
manifests and skill index API endpoints. Add company brand color with
hex validation, pattern icon generation, and settings page integration.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

packages/shared/src/index.ts

@@ -181,6 +181,7 @@ export {
   createCompanyInviteSchema,
   acceptInviteSchema,
   listJoinRequestsQuerySchema,
+  claimJoinRequestApiKeySchema,
   updateMemberPermissionsSchema,
   updateUserCompanyAccessSchema,
   type CreateCostEvent,
@@ -189,6 +190,7 @@ export {
   type CreateCompanyInvite,
   type AcceptInvite,
   type ListJoinRequestsQuery,
+  type ClaimJoinRequestApiKey,
   type UpdateMemberPermissions,
   type UpdateUserCompanyAccess,
 } from "./validators/index.js";

packages/shared/src/types/access.ts

@@ -1,4 +1,5 @@
 import type {
+  AgentAdapterType,
   InstanceUserRole,
   InviteJoinType,
   InviteType,
@@ -57,9 +58,11 @@ export interface JoinRequest {
   requestingUserId: string | null;
   requestEmailSnapshot: string | null;
   agentName: string | null;
-  adapterType: string | null;
+  adapterType: AgentAdapterType | null;
   capabilities: string | null;
   agentDefaultsPayload: Record<string, unknown> | null;
+  claimSecretExpiresAt: Date | null;
+  claimSecretConsumedAt: Date | null;
   createdAgentId: string | null;
   approvedByUserId: string | null;
   approvedAt: Date | null;

packages/shared/src/types/company.ts

@@ -10,6 +10,7 @@ export interface Company {
   budgetMonthlyCents: number;
   spentMonthlyCents: number;
   requireBoardApprovalForNewAgents: boolean;
+  brandColor: string | null;
   createdAt: Date;
   updatedAt: Date;
 }

packages/shared/src/validators/access.ts

@@ -1,5 +1,6 @@
 import { z } from "zod";
 import {
+  AGENT_ADAPTER_TYPES,
   INVITE_JOIN_TYPES,
   JOIN_REQUEST_STATUSES,
   JOIN_REQUEST_TYPES,
@@ -17,7 +18,7 @@ export type CreateCompanyInvite = z.infer<typeof createCompanyInviteSchema>;
 export const acceptInviteSchema = z.object({
   requestType: z.enum(JOIN_REQUEST_TYPES),
   agentName: z.string().min(1).max(120).optional(),
-  adapterType: z.string().min(1).max(120).optional(),
+  adapterType: z.enum(AGENT_ADAPTER_TYPES).optional(),
   capabilities: z.string().max(4000).optional().nullable(),
   agentDefaultsPayload: z.record(z.string(), z.unknown()).optional().nullable(),
 });
@@ -31,6 +32,12 @@ export const listJoinRequestsQuerySchema = z.object({
 
 export type ListJoinRequestsQuery = z.infer<typeof listJoinRequestsQuerySchema>;
 
+export const claimJoinRequestApiKeySchema = z.object({
+  claimSecret: z.string().min(16).max(256),
+});
+
+export type ClaimJoinRequestApiKey = z.infer<typeof claimJoinRequestApiKeySchema>;
+
 export const updateMemberPermissionsSchema = z.object({
   grants: z.array(
     z.object({

packages/shared/src/validators/company.ts

@@ -15,6 +15,7 @@ export const updateCompanySchema = createCompanySchema
     status: z.enum(COMPANY_STATUSES).optional(),
     spentMonthlyCents: z.number().int().nonnegative().optional(),
     requireBoardApprovalForNewAgents: z.boolean().optional(),
+    brandColor: z.string().regex(/^#[0-9a-fA-F]{6}$/).nullable().optional(),
   });
 
 export type UpdateCompany = z.infer<typeof updateCompanySchema>;

packages/shared/src/validators/index.ts

@@ -102,11 +102,13 @@ export {
   createCompanyInviteSchema,
   acceptInviteSchema,
   listJoinRequestsQuerySchema,
+  claimJoinRequestApiKeySchema,
   updateMemberPermissionsSchema,
   updateUserCompanyAccessSchema,
   type CreateCompanyInvite,
   type AcceptInvite,
   type ListJoinRequestsQuery,
+  type ClaimJoinRequestApiKey,
   type UpdateMemberPermissions,
   type UpdateUserCompanyAccess,
 } from "./access.js";