@aion0/forge 0.10.25 → 0.10.27

package/lib/connectors/test-runner.ts

@@ -0,0 +1,243 @@
+/**
+ * Connector test runner — extracted from the /api/connectors/:id/test
+ * route so both that HTTP endpoint AND server-side callers (e.g. the
+ * Login Status panel) can run probes without a self-fetch dance.
+ *
+ * Self-fetching the route from inside the server hits the auth
+ * middleware (no session cookie → 401), making every probe look
+ * "unauthorized" regardless of the real connector state. Direct
+ * function calls bypass that.
+ */
+
+import {
+  getConnector,
+  getConnectorEntries,
+  getInstalledConnector,
+} from './registry';
+import { expandSettingsTokens, expandAllTokens } from '../plugins/templates';
+import { bridgeRpc } from '../chat/bridge-client';
+import { applyAuth } from '../chat/protocols/http';
+import type { ConnectorDefinition, ConnectorTest, HttpRequestSpec } from './types';
+
+const DEFAULT_TIMEOUT_MS = 15_000;
+const MAX_BODY_PREVIEW = 1024;
+
+export interface TestResult {
+  ok: boolean;
+  status?: number;
+  message?: string;
+  error?: string;
+  duration_ms?: number;
+  body_preview?: string;
+  /** Final landed URL for browser probes — helps diagnose redirects. */
+  url?: string;
+}
+
+function expandString(s: string, settings: Record<string, unknown>): string {
+  return expandAllTokens(s, settings as Record<string, any>, {});
+}
+
+function buildUrl(spec: HttpRequestSpec, settings: Record<string, unknown>): string {
+  let url = expandString(spec.url, settings);
+  if (spec.query) {
+    const u = new URL(url);
+    for (const [k, raw] of Object.entries(spec.query)) {
+      u.searchParams.set(k, expandString(String(raw), settings));
+    }
+    url = u.toString();
+  }
+  return url;
+}
+
+function buildHeaders(spec: HttpRequestSpec, settings: Record<string, unknown>): Headers {
+  const h = new Headers();
+  if (spec.headers) {
+    for (const [k, raw] of Object.entries(spec.headers)) {
+      h.set(k, expandString(String(raw), settings));
+    }
+  }
+  return h;
+}
+
+function buildBody(
+  spec: HttpRequestSpec,
+  settings: Record<string, unknown>,
+): { body?: string; contentType?: string } {
+  if (spec.body == null) return {};
+  if (typeof spec.body === 'string') {
+    return { body: expandString(spec.body, settings) };
+  }
+  const out: Record<string, unknown> = {};
+  for (const [k, v] of Object.entries(spec.body)) {
+    out[k] = typeof v === 'string' ? expandString(v, settings) : v;
+  }
+  return { body: JSON.stringify(out), contentType: 'application/json' };
+}
+
+function renderTemplate(template: string, body: unknown): string {
+  return template.replace(/\{\{([^{}]+)\}\}/g, (_match, expr) => {
+    const path = String(expr).trim().split('.').filter(Boolean);
+    let cur: any = body;
+    for (const p of path) {
+      if (cur && typeof cur === 'object' && p in cur) cur = cur[p];
+      else return '?';
+    }
+    if (cur == null) return '?';
+    return typeof cur === 'string' ? cur : JSON.stringify(cur);
+  });
+}
+
+async function runHttpProbe(
+  test: ConnectorTest,
+  settings: Record<string, unknown>,
+  def: ConnectorDefinition,
+): Promise<TestResult> {
+  const spec = test.request;
+  if (!spec?.url) return { ok: false, error: 'test.request.url is required for http probe' };
+
+  // Multi-instance overlay: first instance only (matches tool-dispatcher).
+  let effectiveSettings = settings as Record<string, any>;
+  let instances = effectiveSettings?.instances;
+  if (typeof instances === 'string') {
+    try { instances = JSON.parse(instances); } catch { instances = null; }
+  }
+  if (
+    Array.isArray(instances) &&
+    instances.length > 0 &&
+    instances.every((i: any) => i && typeof i === 'object' && typeof i.name === 'string')
+  ) {
+    effectiveSettings = { ...effectiveSettings, ...instances[0] };
+  }
+
+  const method = (spec.method || 'GET').toUpperCase();
+  let url = buildUrl(spec, effectiveSettings);
+  const headers = buildHeaders(spec, effectiveSettings);
+  const { body, contentType } = buildBody(spec, effectiveSettings);
+  if (body != null && contentType && !headers.has('content-type')) {
+    headers.set('content-type', contentType);
+  }
+  try {
+    url = await applyAuth(url, headers, def.auth, effectiveSettings);
+  } catch (e) {
+    return { ok: false, error: `auth setup failed: ${(e as Error).message}` };
+  }
+
+  const timeoutMs = test.timeout_ms || DEFAULT_TIMEOUT_MS;
+  const okStatus = test.ok_status?.length ? test.ok_status : [200];
+
+  const ctrl = new AbortController();
+  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
+  const t0 = Date.now();
+  let res: Response;
+  try {
+    res = await fetch(url, { method, headers, body, signal: ctrl.signal });
+  } catch (e) {
+    clearTimeout(timer);
+    const err = e as Error & { cause?: unknown };
+    const cause = err.cause instanceof Error ? `: ${err.cause.message}` : '';
+    return {
+      ok: false,
+      error: `request failed: ${err.message}${cause}`,
+      duration_ms: Date.now() - t0,
+    };
+  }
+  clearTimeout(timer);
+
+  const duration = Date.now() - t0;
+  const text = await res.text().catch(() => '');
+  const preview = text.length > MAX_BODY_PREVIEW ? text.slice(0, MAX_BODY_PREVIEW) + '…' : text;
+
+  if (!okStatus.includes(res.status)) {
+    let errMsg = `HTTP ${res.status} ${res.statusText}`;
+    try {
+      const j = JSON.parse(text);
+      if (typeof j?.error === 'string') errMsg += `: ${j.error}`;
+      else if (typeof j?.message === 'string') errMsg += `: ${j.message}`;
+      else if (typeof j?.error_description === 'string') errMsg += `: ${j.error_description}`;
+    } catch {}
+    return {
+      ok: false,
+      status: res.status,
+      error: errMsg,
+      duration_ms: duration,
+      body_preview: preview,
+    };
+  }
+
+  let parsedBody: unknown = null;
+  try { parsedBody = JSON.parse(text); } catch {}
+  const message = test.ok_template
+    ? renderTemplate(test.ok_template, parsedBody)
+    : `OK (HTTP ${res.status})`;
+  return { ok: true, status: res.status, message, duration_ms: duration };
+}
+
+async function runBrowserProbe(
+  def: ConnectorDefinition,
+  settings: Record<string, unknown>,
+): Promise<TestResult> {
+  const entries = getConnectorEntries(def);
+  const entry = entries[0];
+  const hostMatch = def.host_match || entry?.host_match;
+  const loginRedirect = def.login_redirect || entry?.login_redirect;
+  if (!hostMatch) {
+    return { ok: false, error: 'browser probe requires host_match on the manifest' };
+  }
+  const expandedHost = expandSettingsTokens(hostMatch, settings as any);
+  const expandedLoginRedirect = loginRedirect
+    ? expandSettingsTokens(loginRedirect, settings as any)
+    : undefined;
+
+  const t0 = Date.now();
+  let value: unknown;
+  try {
+    value = await bridgeRpc('connector.probe', {
+      pluginId: def.id,
+      host_match: expandedHost,
+      login_redirect: expandedLoginRedirect,
+      runner: def.runner || entry?.runner || 'main',
+      timeout_ms: def.test?.timeout_ms || 30_000,
+    });
+  } catch (e) {
+    const raw = (e as Error).message || String(e);
+    let friendly = raw;
+    if (raw.includes('unknown method: connector.probe')) {
+      friendly =
+        'Your Forge browser extension is out of date — it doesn\'t know how to run browser probes yet. ' +
+        'Rebuild the extension (pnpm ext in forge-browser-extension), then chrome://extensions → Reload, and try Test again.';
+    } else if (raw.includes('bridge') && raw.includes('unreachable')) {
+      friendly =
+        'Forge browser bridge is unreachable on port 8407. Restart Forge (forge server restart) or check that the browser-bridge standalone is running.';
+    } else if (raw.includes('no paired extensions') || raw.includes('no connected')) {
+      friendly =
+        'Forge browser extension not connected. Install the extension from forge-browser-extension/dist, pin it, and sign in with your Forge URL + admin password.';
+    }
+    return { ok: false, error: friendly, duration_ms: Date.now() - t0 };
+  }
+  const r = (value || {}) as { ok?: boolean; url?: string; error?: string };
+  return {
+    ok: !!r.ok,
+    message: r.ok ? `Session active${r.url ? ` · ${r.url}` : ''}` : undefined,
+    error: r.ok ? undefined : (r.error || 'login required'),
+    url: r.url,
+    duration_ms: Date.now() - t0,
+  };
+}
+
+/**
+ * Run a connector's `test:` probe. Returns a structured result. The HTTP
+ * route + Login Status panel both call this — they share the same
+ * semantics for free.
+ */
+export async function runConnectorTest(id: string): Promise<TestResult & { code?: number }> {
+  const def = getConnector(id);
+  if (!def) return { ok: false, error: 'connector not found', code: 404 };
+  if (!def.test) return { ok: false, error: 'connector has no test block', code: 400 };
+  const inst = getInstalledConnector(id);
+  if (!inst) return { ok: false, error: 'connector not installed', code: 400 };
+
+  const probe = def.test.probe || 'http';
+  return probe === 'browser'
+    ? await runBrowserProbe(def, inst.config)
+    : await runHttpProbe(def.test, inst.config, def);
+}

package/lib/connectors/types.ts

@@ -159,7 +159,36 @@ export type ConnectorAuth =
   | { type: 'basic'; username: string; password: string }
   | { type: 'bearer'; token: string }
   | { type: 'header'; name: string; value: string }
-  | { type: 'query'; name: string; value: string };
+  | { type: 'query'; name: string; value: string }
+  /**
+   * Two-step bearer-token exchange, e.g. Black Duck:
+   *   POST {exchange_url}  Authorization: {exchange_auth_header}
+   *     → { bearerToken, expiresInMilliseconds }
+   *   ...then every subsequent request gets `Authorization: Bearer <jwt>`.
+   * Forge caches the bearer in-memory keyed by (api_token, exchange_url)
+   * and refreshes when within 60s of expiry. Tool calls stay fast — only
+   * the first call per ~2h pays the exchange round-trip.
+   */
+  | {
+      type: 'bearer-token-exchange';
+      /** Long-lived API token sent to the exchange endpoint. Templated. */
+      api_token: string;
+      /** Exchange URL. Templated — usually `{base_url}/api/tokens/authenticate`. */
+      exchange_url: string;
+      /** HTTP method for the exchange. Default POST. */
+      exchange_method?: 'POST' | 'GET';
+      /**
+       * Authorization header VALUE sent to the exchange endpoint.
+       * Default `token {api_token}` (Black Duck style). Templated.
+       */
+      exchange_auth_header?: string;
+      /** Extra headers (Accept etc.) for the exchange. Values templated. */
+      exchange_headers?: Record<string, string>;
+      /** JSON path to the bearer in the exchange response. Default `bearerToken`. */
+      bearer_path?: string;
+      /** JSON path to expiry ms in the exchange response. Default `expiresInMilliseconds`. */
+      expires_path?: string;
+    };
 
 /**
  * Server-side HTTP request shape, used by `protocol: http` tools.
@@ -205,6 +234,21 @@ export interface HttpRequestSpec {
    * rather than baking them into the manifest.
    */
   body_form_inject_from?: string;
+  /**
+   * Names (case-insensitive) of response headers to surface in the
+   * truncated preamble. Default empty. Use when the connector needs
+   * a value the upstream returns via headers — typically `set-cookie`
+   * for session bootstrap, `location` for create-redirect APIs, or
+   * `x-ratelimit-remaining` for backoff logic.
+   *
+   * Headers appear between the status line and the blank line that
+   * separates preamble from body, one per line as `name: value`.
+   * Pipeline scripts can grep them with sed/awk before the body parse:
+   *   JS=$(echo "$RESP" | jq -r '.content' | sed -n 's/^set-cookie: //p' | …)
+   *
+   * Ignored when `noTruncation: true` (raw-body mode for Jobs scheduler).
+   */
+  capture_response_headers?: string[];
 }
 
 /**
@@ -432,6 +476,19 @@ export interface ConnectorDefinition {
    */
   auth?: ConnectorAuth;
 
+  /**
+   * Connector-level HTTP runtime knobs. Apply to every `protocol: http`
+   * tool in this connector unless overridden per-tool.
+   *
+   * `verify_tls: false` disables TLS cert verification — necessary for
+   * appliances that ship self-signed certs (FortiNAC, ESXi, internal
+   * services). Set this ONLY for hosts you trust by IP; turning it off
+   * means an attacker on-path could impersonate the server.
+   */
+  http?: {
+    verify_tls?: boolean;
+  };
+
   // ─── 1:N suite — list of sibling entries sharing auth ──
   connectors?: ConnectorEntry[];
 

package/lib/help-docs/18-chrome-mcp.md

@@ -25,29 +25,44 @@ chrome-devtools-mcp  ──CDP──▶  Chrome (user's real instance)
 
 ### 1. Start Chrome with remote debugging enabled
 
-Quit all Chrome windows first (so the new instance can take the debug
-port).
+**Easiest path — use the bundled script:**
+```bash
+./scripts/chrome-mcp.sh restart    # stop + start with debug port 9222
+./scripts/chrome-mcp.sh status     # check whether port is up
+```
+Subcommands: `start`, `stop`, `restart`, `status`. Use `-p PORT` to override.
+
+**Manual path** — quit all Chrome windows first (so the new instance
+can take the debug port), then:
 
 **macOS:**
 ```bash
 /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome \
   --remote-debugging-port=9222 \
-  --user-data-dir="$HOME/Library/Application Support/Google/Chrome"
+  --user-data-dir="$HOME/.chrome-mcp-profile"
 ```
 
-The `--user-data-dir` argument keeps your normal profile (and all your
-logins) — drop it only if you want a fresh profile.
+**IMPORTANT — non-default profile required.** Chrome refuses to open
+the remote debug port on the default user-data-dir (security guard, so
+localhost code can't hijack your real Chrome with all its logins). The
+error message reads: `DevTools remote debugging requires a non-default
+data directory`.
+
+Use a separate path like `$HOME/.chrome-mcp-profile`. **One-time cost:**
+this profile starts empty, so you log in to NAC / Mantis / GitLab once
+inside it. Cookies persist across restarts — wipe with
+`rm -rf "$HOME/.chrome-mcp-profile"` if you want a fresh start.
 
 **Linux:**
 ```bash
-google-chrome --remote-debugging-port=9222 --user-data-dir="$HOME/.config/google-chrome"
+google-chrome --remote-debugging-port=9222 --user-data-dir="$HOME/.chrome-mcp-profile"
 ```
 
 **Windows:**
 ```powershell
 "C:\Program Files\Google\Chrome\Application\chrome.exe" `
   --remote-debugging-port=9222 `
-  --user-data-dir="$env:LOCALAPPDATA\Google\Chrome\User Data"
+  --user-data-dir="$env:USERPROFILE\.chrome-mcp-profile"
 ```
 
 Verify it worked: open `http://localhost:9222/json/version` in the new

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aion0/forge",
-  "version": "0.10.25",
+  "version": "0.10.27",
   "description": "Unified AI workflow platform — multi-model task orchestration, persistent sessions, web terminal, remote access",
   "type": "module",
   "scripts": {
@@ -55,6 +55,7 @@
     "react-dom": "^19.2.4",
     "react-markdown": "^10.1.0",
     "remark-gfm": "^4.0.1",
+    "undici": "^8.3.0",
     "ws": "^8.19.0",
     "yaml": "^2.8.2",
     "zod": "^4.3.6"