@aion0/forge 0.10.25 → 0.10.27

package/RELEASE_NOTES.md

@@ -1,11 +1,14 @@
-# Forge v0.10.25
+# Forge v0.10.27
 
-Released: 2026-06-01
+Released: 2026-06-02
 
-## Changes since v0.10.24
+## Changes since v0.10.26
 
 ### Other
-- refactor(settings): drop unused taskModel / pipelineModel / telegramModel
+- fix(chat): atomic tool_use+tool_result cap + raise budget 8k→32k
+- fix(http): scope slash-collapse to pathname only (don't touch query/fragment)
+- fix(http): collapse double-slash in URLs (base_url trailing-slash bug)
+- fix(connector-test): wrap applyAuth + route handler so errors come back as JSON
 
 
-**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.24...v0.10.25
+**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.26...v0.10.27

package/app/api/connectors/[id]/test/route.ts

@@ -1,283 +1,26 @@
 /**
  * POST /api/connectors/[id]/test
  *
- * Reachability probe for a connector. Runs the manifest's `test:`
- * block (an HTTP request) against the user's saved settings, returns
- * a structured result for the Settings → Connectors UI to render.
- *
- *   {
- *     ok: true,
- *     status: 200,
- *     message: "Authenticated as zliu (Zhen Liu)",
- *     duration_ms: 152
- *   }
- *
- * On failure:
- *
- *   {
- *     ok: false,
- *     status: 401,
- *     error: "Token was revoked. You have to re-authorize from the user.",
- *     body_preview: "{...}"
- *   }
- *
- * The probe is HTTP-only — connectors that need a different mechanism
- * (browser DOM, shell exec) simply omit `test:` and the UI hides the
- * button.
+ * Thin HTTP wrapper around lib/connectors/test-runner. All probe logic
+ * lives in the lib so server-side callers (Login Status) can use it
+ * without bouncing through this route (which would hit auth middleware).
  */
 
 import { NextResponse } from 'next/server';
-import {
-  getConnector,
-  getConnectorEntries,
-  getInstalledConnector,
-} from '@/lib/connectors/registry';
-import { expandSettingsTokens, expandAllTokens } from '@/lib/plugins/templates';
-import { bridgeRpc } from '@/lib/chat/bridge-client';
-import { applyAuth } from '@/lib/chat/protocols/http';
-import type { ConnectorDefinition, ConnectorTest, HttpRequestSpec } from '@/lib/connectors/types';
-
-const DEFAULT_TIMEOUT_MS = 15_000;
-const MAX_BODY_PREVIEW = 1024;
-
-function expandString(s: string, settings: Record<string, unknown>): string {
-  return expandAllTokens(s, settings as Record<string, any>, {});
-}
-
-function buildUrl(spec: HttpRequestSpec, settings: Record<string, unknown>): string {
-  let url = expandString(spec.url, settings);
-  if (spec.query) {
-    const u = new URL(url);
-    for (const [k, raw] of Object.entries(spec.query)) {
-      u.searchParams.set(k, expandString(String(raw), settings));
-    }
-    url = u.toString();
-  }
-  return url;
-}
-
-function buildHeaders(spec: HttpRequestSpec, settings: Record<string, unknown>): Headers {
-  const h = new Headers();
-  if (spec.headers) {
-    for (const [k, raw] of Object.entries(spec.headers)) {
-      h.set(k, expandString(String(raw), settings));
-    }
-  }
-  return h;
-}
+import { runConnectorTest } from '@/lib/connectors/test-runner';
 
-function buildBody(
-  spec: HttpRequestSpec,
-  settings: Record<string, unknown>,
-): { body?: string; contentType?: string } {
-  if (spec.body == null) return {};
-  if (typeof spec.body === 'string') {
-    return { body: expandString(spec.body, settings) };
-  }
-  const out: Record<string, unknown> = {};
-  for (const [k, v] of Object.entries(spec.body)) {
-    out[k] = typeof v === 'string' ? expandString(v, settings) : v;
-  }
-  return { body: JSON.stringify(out), contentType: 'application/json' };
-}
-
-/**
- * Render `{{path.to.value}}` placeholders against a parsed JSON body.
- * Missing paths render as "?", non-string scalars get stringified.
- */
-function renderTemplate(template: string, body: unknown): string {
-  return template.replace(/\{\{([^{}]+)\}\}/g, (_match, expr) => {
-    const path = String(expr).trim().split('.').filter(Boolean);
-    let cur: any = body;
-    for (const p of path) {
-      if (cur && typeof cur === 'object' && p in cur) cur = cur[p];
-      else return '?';
-    }
-    if (cur == null) return '?';
-    return typeof cur === 'string' ? cur : JSON.stringify(cur);
-  });
-}
-
-interface TestResult {
-  ok: boolean;
-  status?: number;
-  message?: string;
-  error?: string;
-  duration_ms?: number;
-  body_preview?: string;
-}
-
-async function runHttpProbe(test: ConnectorTest, settings: Record<string, unknown>, def: ConnectorDefinition): Promise<TestResult> {
-  const spec = test.request;
-  if (!spec?.url) return { ok: false, error: 'test.request.url is required for http probe' };
-
-  // Multi-instance overlay: test probe always uses the first instance
-  // (same guard as tool-dispatcher — only kicks in when instances is a
-  // well-formed array, so single-instance connectors are unaffected).
-  let effectiveSettings = settings as Record<string, any>;
-  let instances = effectiveSettings?.instances;
-  // type: json fields persist as strings — parse before checking.
-  if (typeof instances === 'string') {
-    try { instances = JSON.parse(instances); } catch { instances = null; }
-  }
-  if (
-    Array.isArray(instances) &&
-    instances.length > 0 &&
-    instances.every((i: any) => i && typeof i === 'object' && typeof i.name === 'string')
-  ) {
-    effectiveSettings = { ...effectiveSettings, ...instances[0] };
-  }
-
-  const method = (spec.method || 'GET').toUpperCase();
-  let url = buildUrl(spec, effectiveSettings);
-  const headers = buildHeaders(spec, effectiveSettings);
-  const { body, contentType } = buildBody(spec, effectiveSettings);
-  if (body != null && contentType && !headers.has('content-type')) {
-    headers.set('content-type', contentType);
-  }
-  // Apply connector-level auth so the test probe uses the same scheme
-  // as live tool calls (e.g. Basic auth for Jenkins). Manifests that
-  // hand-craft Authorization in test.request.headers still work — the
-  // auth scheme would just overwrite the header.
-  url = applyAuth(url, headers, def.auth, effectiveSettings);
-
-  const timeoutMs = test.timeout_ms || DEFAULT_TIMEOUT_MS;
-  const okStatus = test.ok_status?.length ? test.ok_status : [200];
-
-  const ctrl = new AbortController();
-  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
-  const t0 = Date.now();
-  let res: Response;
-  try {
-    res = await fetch(url, { method, headers, body, signal: ctrl.signal });
-  } catch (e) {
-    clearTimeout(timer);
-    const err = e as Error & { cause?: unknown };
-    const cause = err.cause instanceof Error ? `: ${err.cause.message}` : '';
-    return {
-      ok: false,
-      error: `request failed: ${err.message}${cause}`,
-      duration_ms: Date.now() - t0,
-    };
-  }
-  clearTimeout(timer);
-
-  const duration = Date.now() - t0;
-  const text = await res.text().catch(() => '');
-  const preview = text.length > MAX_BODY_PREVIEW ? text.slice(0, MAX_BODY_PREVIEW) + '…' : text;
-
-  if (!okStatus.includes(res.status)) {
-    let errMsg = `HTTP ${res.status} ${res.statusText}`;
-    try {
-      const j = JSON.parse(text);
-      if (typeof j?.error === 'string') errMsg += `: ${j.error}`;
-      else if (typeof j?.message === 'string') errMsg += `: ${j.message}`;
-      else if (typeof j?.error_description === 'string') errMsg += `: ${j.error_description}`;
-    } catch {}
-    return {
-      ok: false,
-      status: res.status,
-      error: errMsg,
-      duration_ms: duration,
-      body_preview: preview,
-    };
-  }
-
-  let parsedBody: unknown = null;
-  try { parsedBody = JSON.parse(text); } catch {}
-  const message = test.ok_template
-    ? renderTemplate(test.ok_template, parsedBody)
-    : `OK (HTTP ${res.status})`;
-  return {
-    ok: true,
-    status: res.status,
-    message,
-    duration_ms: duration,
-  };
-}
-
-/**
- * Browser probe: ask the paired extension to land on the connector's
- * host_match URL and report whether `login_redirect` was hit.
- *
- * The extension implements `connector.probe` (see
- * lib/help-docs/21-build-connector.md for the wire contract). On
- * sites the user is logged in to, it returns
- *   { ok: true, url: '<final tab URL>' }
- * On a redirect to the login page it returns
- *   { ok: false, error: 'login required', url: '<login url>' }
- * On extension absence we throw, caller surfaces it.
- */
-async function runBrowserProbe(
-  def: ConnectorDefinition,
-  settings: Record<string, unknown>,
-): Promise<TestResult> {
-  const entries = getConnectorEntries(def);
-  const entry = entries[0];
-  const hostMatch = def.host_match || entry?.host_match;
-  const loginRedirect = def.login_redirect || entry?.login_redirect;
-  if (!hostMatch) {
-    return { ok: false, error: 'browser probe requires host_match on the manifest' };
-  }
-  const expandedHost = expandSettingsTokens(hostMatch, settings as any);
-  const expandedLoginRedirect = loginRedirect
-    ? expandSettingsTokens(loginRedirect, settings as any)
-    : undefined;
-
-  const t0 = Date.now();
-  let value: unknown;
+export async function POST(_req: Request, { params }: { params: Promise<{ id: string }> }) {
+  const { id } = await params;
   try {
-    value = await bridgeRpc('connector.probe', {
-      pluginId: def.id,
-      host_match: expandedHost,
-      login_redirect: expandedLoginRedirect,
-      runner: def.runner || entry?.runner || 'main',
-      timeout_ms: def.test?.timeout_ms || 30_000,
-    });
+    const r = await runConnectorTest(id);
+    const { code, ...body } = r;
+    return NextResponse.json(body, code ? { status: code } : undefined);
   } catch (e) {
-    const raw = (e as Error).message || String(e);
-    let friendly = raw;
-    if (raw.includes('unknown method: connector.probe')) {
-      friendly =
-        'Your Forge browser extension is out of date — it doesn\'t know how to run browser probes yet. ' +
-        'Rebuild the extension (pnpm ext in forge-browser-extension), then chrome://extensions → Reload, and try Test again.';
-    } else if (raw.includes('bridge') && raw.includes('unreachable')) {
-      friendly =
-        'Forge browser bridge is unreachable on port 8407. Restart Forge (forge server restart) or check that the browser-bridge standalone is running.';
-    } else if (raw.includes('no paired extensions') || raw.includes('no connected')) {
-      friendly =
-        'Forge browser extension not connected. Install the extension from forge-browser-extension/dist, pin it, and sign in with your Forge URL + admin password.';
-    }
-    return {
-      ok: false,
-      error: friendly,
-      duration_ms: Date.now() - t0,
-    };
+    // Belt-and-suspenders: never let an uncaught exception bubble to
+    // Next's HTML 500 page — the browser would then choke on JSON parse.
+    return NextResponse.json(
+      { ok: false, error: `internal error: ${(e as Error).message}` },
+      { status: 500 },
+    );
   }
-  const r = (value || {}) as { ok?: boolean; url?: string; error?: string };
-  return {
-    ok: !!r.ok,
-    message: r.ok ? `Session active${r.url ? ` · ${r.url}` : ''}` : undefined,
-    error: r.ok ? undefined : (r.error || 'login required'),
-    duration_ms: Date.now() - t0,
-  };
-}
-
-export async function POST(req: Request, { params }: { params: Promise<{ id: string }> }) {
-  const { id } = await params;
-  const def = getConnector(id);
-  if (!def) return NextResponse.json({ ok: false, error: 'connector not found' }, { status: 404 });
-  if (!def.test) {
-    return NextResponse.json({ ok: false, error: 'connector has no test block' }, { status: 400 });
-  }
-  const inst = getInstalledConnector(id);
-  if (!inst) {
-    return NextResponse.json({ ok: false, error: 'connector not installed' }, { status: 400 });
-  }
-
-  const probe = def.test.probe || 'http';
-  const r = probe === 'browser'
-    ? await runBrowserProbe(def, inst.config)
-    : await runHttpProbe(def.test, inst.config, def);
-  return NextResponse.json(r);
 }

package/app/api/login-status/[id]/check/route.ts

@@ -0,0 +1,22 @@
+/**
+ * POST /api/login-status/[id]/check — run one source's check, update cache.
+ */
+import { NextResponse } from 'next/server';
+import { listSources, checkSource } from '@/lib/auth/login-status';
+
+export async function POST(_req: Request, { params }: { params: Promise<{ id: string }> }) {
+  const { id } = await params;
+  const source = listSources().find((s) => s.id === id);
+  if (!source) {
+    return NextResponse.json({ ok: false, error: `unknown source: ${id}` }, { status: 404 });
+  }
+  try {
+    const result = await checkSource(source);
+    return NextResponse.json({ source, result });
+  } catch (e) {
+    return NextResponse.json(
+      { ok: false, error: `check failed: ${(e as Error).message}` },
+      { status: 500 },
+    );
+  }
+}

package/app/api/login-status/route.ts

@@ -0,0 +1,36 @@
+/**
+ * GET  /api/login-status              → list all sources + their cached
+ *                                       last-check result
+ * POST /api/login-status              → run all checks in parallel,
+ *                                       return fresh results
+ */
+
+import { NextResponse } from 'next/server';
+import { listSources, listStatus, checkSource } from '@/lib/auth/login-status';
+
+export async function GET() {
+  return NextResponse.json({ rows: listStatus() });
+}
+
+export async function POST() {
+  const sources = listSources();
+  const results = await Promise.all(
+    sources.map(async (s) => {
+      try {
+        const r = await checkSource(s);
+        return { source: s, result: r };
+      } catch (e) {
+        return {
+          source: s,
+          result: {
+            ok: false,
+            message: `check error: ${(e as Error).message}`,
+            checked_at: Date.now(),
+            duration_ms: 0,
+          },
+        };
+      }
+    }),
+  );
+  return NextResponse.json({ rows: results });
+}

package/components/Dashboard.tsx

@@ -24,6 +24,7 @@ const SessionView = lazy(() => import('./SessionView'));
 const NewTaskModal = lazy(() => import('./NewTaskModal'));
 const SettingsModal = lazy(() => import('./SettingsModal'));
 const MonitorPanel = lazy(() => import('./MonitorPanel'));
+const LoginStatusPanel = lazy(() => import('./LoginStatusPanel'));
 const WorkspaceView = lazy(() => import('./WorkspaceView'));
 // WorkspaceTree moved into ProjectDetail — no longer needed at Dashboard level
 
@@ -132,6 +133,8 @@ export default function Dashboard({ user }: { user: any }) {
   const [showNewTask, setShowNewTask] = useState(false);
   const [showSettings, setShowSettings] = useState(false);
   const [showMonitor, setShowMonitor] = useState(false);
+  const [showLoginStatus, setShowLoginStatus] = useState(false);
+  const [loginBadge, setLoginBadge] = useState<{ broken: number; total: number } | null>(null);
   const [showHelp, setShowHelp] = useState(false);
   const [usage, setUsage] = useState<UsageSummary[]>([]);
   const [providers, setProviders] = useState<ProviderInfo[]>([]);
@@ -212,6 +215,19 @@ export default function Dashboard({ user }: { user: any }) {
     return () => clearInterval(id);
   }, []);
 
+  // Login status badge — load cached results on mount so the user
+  // dropdown shows the red dot count without forcing a check.
+  useEffect(() => {
+    fetch('/api/login-status')
+      .then((r) => r.json())
+      .then((j) => {
+        const rows = (j.rows || []) as Array<{ result: { ok: boolean } | null }>;
+        const broken = rows.filter((r) => r.result && !r.result.ok).length;
+        setLoginBadge({ broken, total: rows.length });
+      })
+      .catch(() => {});
+  }, []);
+
   // Notifications: poll unread count at 30s, full fetch when panel opens
   const fetchNotifications = useCallback(() => {
     fetch('/api/notifications').then(r => r.json()).then(data => {
@@ -609,6 +625,15 @@ export default function Dashboard({ user }: { user: any }) {
                   >
                     Monitor
                   </button>
+                  <button
+                    onClick={() => { setShowLoginStatus(true); setShowUserMenu(false); }}
+                    className="w-full text-left text-[11px] px-3 py-1.5 text-[var(--text-secondary)] hover:text-[var(--text-primary)] hover:bg-[var(--bg-tertiary)] flex items-center justify-between"
+                  >
+                    <span>Login Status</span>
+                    {loginBadge && loginBadge.broken > 0 && (
+                      <span className="text-[9px] text-red-400">🔴 {loginBadge.broken}/{loginBadge.total}</span>
+                    )}
+                  </button>
                   <button
                     onClick={() => { setShowSettings(true); setShowUserMenu(false); }}
                     className="w-full text-left text-[11px] px-3 py-1.5 text-[var(--text-secondary)] hover:text-[var(--text-primary)] hover:bg-[var(--bg-tertiary)]"
@@ -908,6 +933,7 @@ export default function Dashboard({ user }: { user: any }) {
       )}
 
       {showMonitor && <Suspense fallback={null}><MonitorPanel onClose={() => setShowMonitor(false)} /></Suspense>}
+      {showLoginStatus && <Suspense fallback={null}><LoginStatusPanel onClose={() => { setShowLoginStatus(false); /* refresh badge after panel actions */ fetch('/api/login-status').then(r => r.json()).then(j => { const rows = j.rows || []; const broken = rows.filter((r: any) => r.result && !r.result.ok).length; setLoginBadge({ broken, total: rows.length }); }).catch(() => {}); }} /></Suspense>}
 
       {showSettings && (
         <Suspense fallback={null}>

package/components/LoginStatusPanel.tsx

@@ -0,0 +1,223 @@
+'use client';
+
+import { useState, useEffect, useCallback } from 'react';
+
+type LoginCategory = 'browser' | 'token' | 'external';
+
+type RefreshHint =
+  | { kind: 'open-url'; url: string; description?: string }
+  | { kind: 'show-command'; command: string; description: string }
+  | { kind: 'open-settings'; section: string };
+
+interface LoginSource {
+  id: string;
+  label: string;
+  category: LoginCategory;
+  detail?: string;
+  refresh: RefreshHint;
+}
+
+interface LoginCheckResult {
+  ok: boolean;
+  message?: string;
+  landed_url?: string;
+  checked_at: number;
+  duration_ms: number;
+}
+
+interface Row {
+  source: LoginSource;
+  result: LoginCheckResult | null;
+}
+
+const CATEGORY_LABEL: Record<LoginCategory, string> = {
+  browser: 'Browser Sessions',
+  token: 'API Tokens',
+  external: 'External Auth',
+};
+
+function timeAgo(ts: number): string {
+  const s = Math.round((Date.now() - ts) / 1000);
+  if (s < 60) return `${s}s ago`;
+  if (s < 3600) return `${Math.round(s / 60)}m ago`;
+  if (s < 86400) return `${Math.round(s / 3600)}h ago`;
+  return `${Math.round(s / 86400)}d ago`;
+}
+
+export default function LoginStatusPanel({ onClose }: { onClose: () => void }) {
+  const [rows, setRows] = useState<Row[] | null>(null);
+  const [busyAll, setBusyAll] = useState(false);
+  const [busyIds, setBusyIds] = useState<Set<string>>(new Set());
+  const [showCmd, setShowCmd] = useState<{ command: string; description: string } | null>(null);
+
+  const loadCached = useCallback(() => {
+    fetch('/api/login-status')
+      .then((r) => r.json())
+      .then((j) => setRows(j.rows || []))
+      .catch(() => {});
+  }, []);
+
+  useEffect(() => { loadCached(); }, [loadCached]);
+
+  const checkAll = async () => {
+    setBusyAll(true);
+    try {
+      const r = await fetch('/api/login-status', { method: 'POST' });
+      const j = await r.json();
+      setRows(j.rows || []);
+    } finally {
+      setBusyAll(false);
+    }
+  };
+
+  const checkOne = async (id: string) => {
+    setBusyIds((s) => new Set(s).add(id));
+    try {
+      const r = await fetch(`/api/login-status/${encodeURIComponent(id)}/check`, { method: 'POST' });
+      const j = await r.json();
+      if (j.source && j.result) {
+        setRows((prev) =>
+          (prev || []).map((row) => (row.source.id === id ? { source: j.source, result: j.result } : row)),
+        );
+      }
+    } finally {
+      setBusyIds((s) => {
+        const next = new Set(s); next.delete(id); return next;
+      });
+    }
+  };
+
+  const refresh = (source: LoginSource) => {
+    const r = source.refresh;
+    if (r.kind === 'open-url') {
+      window.open(r.url, '_blank', 'noopener');
+    } else if (r.kind === 'show-command') {
+      setShowCmd({ command: r.command, description: r.description });
+    } else if (r.kind === 'open-settings') {
+      window.dispatchEvent(new CustomEvent('forge:open-settings', { detail: { section: r.section } }));
+      onClose();
+    }
+  };
+
+  const grouped: Record<LoginCategory, Row[]> = { browser: [], token: [], external: [] };
+  (rows || []).forEach((row) => grouped[row.source.category].push(row));
+
+  return (
+    <div className="fixed inset-0 z-50 flex items-center justify-center bg-black/50" onClick={onClose}>
+      <div
+        className="bg-[var(--bg-secondary)] border border-[var(--border)] rounded-lg w-[560px] max-h-[85vh] overflow-y-auto shadow-xl"
+        onClick={(e) => e.stopPropagation()}
+      >
+        <div className="px-4 py-3 border-b border-[var(--border)] flex items-center justify-between">
+          <h2 className="text-sm font-bold text-[var(--text-primary)]">Login Status</h2>
+          <div className="flex items-center gap-2">
+            <button
+              onClick={checkAll}
+              disabled={busyAll || rows === null}
+              className="text-[10px] px-2 py-0.5 rounded border border-[var(--border)] text-[var(--text-secondary)] hover:text-[var(--text-primary)] disabled:opacity-50"
+            >
+              {busyAll ? 'Checking…' : 'Check all'}
+            </button>
+            <button onClick={onClose} className="text-[10px] text-[var(--text-secondary)] hover:text-[var(--text-primary)]">
+              Close
+            </button>
+          </div>
+        </div>
+
+        {rows === null ? (
+          <div className="p-6 text-center text-xs text-[var(--text-secondary)]">Loading…</div>
+        ) : rows.length === 0 ? (
+          <div className="p-6 text-center text-xs text-[var(--text-secondary)]">
+            No login sources registered. Add a connector with a <code>test:</code> block or set <code>gitlab2faProbeRepo</code> in Settings.
+          </div>
+        ) : (
+          <div className="p-4 space-y-5">
+            {(['browser', 'token', 'external'] as LoginCategory[]).map((cat) => {
+              const items = grouped[cat];
+              if (!items.length) return null;
+              return (
+                <div key={cat}>
+                  <h3 className="text-[10px] font-semibold text-[var(--text-secondary)] uppercase mb-2">
+                    {CATEGORY_LABEL[cat]} ({items.length})
+                  </h3>
+                  <div className="space-y-1.5">
+                    {items.map(({ source, result }) => {
+                      const busy = busyIds.has(source.id);
+                      const dot = !result ? '⚪' : result.ok ? '🟢' : '🔴';
+                      return (
+                        <div key={source.id} className="flex items-start gap-2 text-xs">
+                          <span className="mt-0.5">{dot}</span>
+                          <div className="flex-1 min-w-0">
+                            <div className="flex items-center gap-2 flex-wrap">
+                              <span className="text-[var(--text-primary)] font-medium">{source.label}</span>
+                              {result ? (
+                                <span className="text-[10px] text-[var(--text-secondary)]">{timeAgo(result.checked_at)}</span>
+                              ) : (
+                                <span className="text-[10px] text-gray-500">not checked</span>
+                              )}
+                              <div className="flex items-center gap-1 ml-auto">
+                                <button
+                                  onClick={() => checkOne(source.id)}
+                                  disabled={busy || busyAll}
+                                  className="text-[10px] px-1.5 py-0.5 rounded border border-[var(--border)] text-[var(--text-secondary)] hover:text-[var(--text-primary)] disabled:opacity-50"
+                                >
+                                  {busy ? '…' : 'Check'}
+                                </button>
+                                <button
+                                  onClick={() => refresh(source)}
+                                  className="text-[10px] px-1.5 py-0.5 rounded border border-[var(--border)] text-[var(--text-secondary)] hover:text-[var(--text-primary)]"
+                                >
+                                  {source.refresh.kind === 'open-url' ? 'Open login' :
+                                   source.refresh.kind === 'show-command' ? 'Refresh' :
+                                   'Configure'}
+                                </button>
+                              </div>
+                            </div>
+                            {result?.message && (
+                              <div className={`text-[10px] mt-0.5 ${result.ok ? 'text-[var(--text-secondary)]' : 'text-red-400'}`}>
+                                {result.message}
+                              </div>
+                            )}
+                            {source.detail && !result?.message && (
+                              <div className="text-[10px] text-gray-500 mt-0.5">{source.detail}</div>
+                            )}
+                          </div>
+                        </div>
+                      );
+                    })}
+                  </div>
+                </div>
+              );
+            })}
+          </div>
+        )}
+
+        {showCmd && (
+          <div className="fixed inset-0 z-50 flex items-center justify-center bg-black/60" onClick={() => setShowCmd(null)}>
+            <div className="bg-[var(--bg-secondary)] border border-[var(--border)] rounded-lg p-4 w-[480px] shadow-xl" onClick={(e) => e.stopPropagation()}>
+              <h3 className="text-sm font-bold mb-2 text-[var(--text-primary)]">Run this in a terminal</h3>
+              <div className="text-[11px] text-[var(--text-secondary)] mb-2">{showCmd.description}</div>
+              <pre className="bg-[var(--bg-tertiary)] p-2 rounded text-xs text-[var(--text-primary)] font-mono whitespace-pre-wrap break-all">
+                {showCmd.command}
+              </pre>
+              <div className="mt-3 flex items-center justify-end gap-2">
+                <button
+                  onClick={() => { navigator.clipboard.writeText(showCmd.command); }}
+                  className="text-[10px] px-2 py-1 rounded border border-[var(--border)] text-[var(--text-secondary)] hover:text-[var(--text-primary)]"
+                >
+                  Copy
+                </button>
+                <button
+                  onClick={() => setShowCmd(null)}
+                  className="text-[10px] px-2 py-1 rounded border border-[var(--border)] text-[var(--text-secondary)] hover:text-[var(--text-primary)]"
+                >
+                  Close
+                </button>
+              </div>
+            </div>
+          </div>
+        )}
+      </div>
+    </div>
+  );
+}