@aion0/forge 0.10.26 → 0.10.27

package/RELEASE_NOTES.md

@@ -1,19 +1,14 @@
-# Forge v0.10.26
+# Forge v0.10.27
 
 Released: 2026-06-02
 
-## Changes since v0.10.25
+## Changes since v0.10.26
 
 ### Other
-- feat(http-auth): bearer-token-exchange — 2-step API token → cached JWT
-- fix(login-status): 2FA probe = passive SSH greet, not interactive 2fa_verify
-- fix(login-status): derive 2FA host from gitlab connector + skip uninstalled sources
-- fix(login-status): expand host_match settings tokens for open-login URL
-- fix(login-status): probe via lib, not self-fetch — fixes all-401 results
-- feat(login-status): central panel for all expirable auth credentials
-- feat(http): capture_response_headers + chrome-mcp.sh helper
-- fix(http): use undici.fetch for verify_tls path (v8 Agent incompatible with Node 22 bundled fetch)
-- feat(http): connector-level http.verify_tls knob for self-signed appliances
+- fix(chat): atomic tool_use+tool_result cap + raise budget 8k→32k
+- fix(http): scope slash-collapse to pathname only (don't touch query/fragment)
+- fix(http): collapse double-slash in URLs (base_url trailing-slash bug)
+- fix(connector-test): wrap applyAuth + route handler so errors come back as JSON
 
 
-**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.25...v0.10.26
+**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.26...v0.10.27

package/app/api/connectors/[id]/test/route.ts

@@ -11,7 +11,16 @@ import { runConnectorTest } from '@/lib/connectors/test-runner';
 
 export async function POST(_req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params;
-  const r = await runConnectorTest(id);
-  const { code, ...body } = r;
-  return NextResponse.json(body, code ? { status: code } : undefined);
+  try {
+    const r = await runConnectorTest(id);
+    const { code, ...body } = r;
+    return NextResponse.json(body, code ? { status: code } : undefined);
+  } catch (e) {
+    // Belt-and-suspenders: never let an uncaught exception bubble to
+    // Next's HTML 500 page — the browser would then choke on JSON parse.
+    return NextResponse.json(
+      { ok: false, error: `internal error: ${(e as Error).message}` },
+      { status: 500 },
+    );
+  }
 }

package/lib/chat/agent-loop.ts

@@ -48,7 +48,10 @@ const MAX_TOKENS = 16000;
 // raw is summarized by the memory-standalone Temper Summary sub-task
 // and recalled via buildMemoryContext as compact blocks instead.
 const HISTORY_MSG_BUDGET = 60;
-const HISTORY_TOKEN_BUDGET = 8000;
+// Bumped 8000 → 32000 — modern models all ≥ 200k context; 8000 was
+// stripping single oversized tool results (e.g. mantis.search_bugs
+// returning 20k chars), leaving history empty after orphan-trim.
+const HISTORY_TOKEN_BUDGET = 32000;
 // Hard cap on a single tool_result stored into the conversation (chars).
 // A giant result (e.g. a connector returning a full test tree) would
 // otherwise blow the whole HISTORY_TOKEN_BUDGET, push its paired

package/lib/chat/protocols/http.ts

@@ -122,13 +122,33 @@ function expandUrlPath(
   return out;
 }
 
+/**
+ * Collapse consecutive slashes in the URL's pathname only — fixes the
+ * `https://host//api/...` artifact when settings.base_url has a trailing
+ * slash AND the manifest path starts with `/`. Query string and fragment
+ * are NOT touched (a query value like `?url=//foo` is left alone).
+ *
+ * If `url` doesn't parse, returns it unchanged.
+ */
+function collapsePathSlashes(url: string): string {
+  try {
+    const u = new URL(url);
+    u.pathname = u.pathname.replace(/\/{2,}/g, '/');
+    return u.toString();
+  } catch {
+    return url;
+  }
+}
+
 function buildUrl(
   spec: HttpRequestSpec,
   settings: Record<string, any>,
   args: Record<string, any>,
   paramSchemas?: Record<string, ConnectorFieldSchema>,
 ): string {
-  const base = expandUrlPath(spec.url, settings, args, paramSchemas);
+  const base = collapsePathSlashes(
+    expandUrlPath(spec.url, settings, args, paramSchemas),
+  );
   if (!spec.query) return base;
   const url = new URL(base);
   for (const [k, raw] of Object.entries(spec.query)) {
@@ -175,7 +195,9 @@ async function exchangeBearerToken(
   const exp = (s: string | undefined) =>
     s == null ? '' : expandAllTokens(String(s), settings, args);
   const apiToken = exp(auth.api_token);
-  const exchangeUrl = exp(auth.exchange_url);
+  // Same pathname-only collapse as buildUrl — guards against trailing
+  // slash on settings.base_url producing `host//api/...`.
+  const exchangeUrl = collapsePathSlashes(exp(auth.exchange_url));
   if (!apiToken) throw new Error('bearer-token-exchange: api_token is empty');
   if (!exchangeUrl) throw new Error('bearer-token-exchange: exchange_url is empty');
   const key = `${apiToken}|${exchangeUrl}`;

package/lib/chat/session-store.ts

@@ -299,19 +299,42 @@ export function listMessagesCapped(
     SELECT * FROM chat_messages WHERE session_id = ?
     ORDER BY ts DESC LIMIT ?
   `).all(session_id, cap) as MessageRow[];
-  const newestFirst = rows.map(rowToMessage);
+  const chrono = rows.map(rowToMessage).reverse();
 
-  // Now apply tokenBudget walking newest → oldest. Always keep at
-  // least one (so an oversized last message doesn't strand the loop).
-  const kept: Message[] = [];
+  // Group messages so that an assistant `tool_use` message and its
+  // paired user `tool_result` reply are an indivisible unit. Without
+  // this, the token-budget walk can keep the oversized tool_result
+  // but drop the tool_use that produced it — leading to the
+  // tool_result being treated as an orphan and stripped, leaving an
+  // empty history. Each group is chronological.
+  const groups: Message[][] = [];
+  for (let i = 0; i < chrono.length; i++) {
+    const m = chrono[i];
+    const hasToolUse = m.role === 'assistant' && m.blocks.some((b) => b.type === 'tool_use');
+    const next = chrono[i + 1];
+    const nextHasToolResult =
+      next && next.role === 'user' && next.blocks.some((b) => b.type === 'tool_result');
+    if (hasToolUse && nextHasToolResult) {
+      groups.push([m, next]);
+      i++; // skip the partner — we just consumed it
+    } else {
+      groups.push([m]);
+    }
+  }
+
+  // Walk groups newest-first, applying the token budget. Always keep
+  // at least one group so an oversized last group doesn't strand the
+  // loop (provider will see a single message — still valid).
+  const keptGroups: Message[][] = [];
   let used = 0;
-  for (const m of newestFirst) {
-    const cost = estimateTokens(m);
-    if (kept.length > 0 && used + cost > tokenBudget) break;
-    kept.push(m);
+  for (let i = groups.length - 1; i >= 0; i--) {
+    const g = groups[i];
+    const cost = g.reduce((s, m) => s + estimateTokens(m), 0);
+    if (keptGroups.length > 0 && used + cost > tokenBudget) break;
+    keptGroups.unshift(g);
     used += cost;
   }
-  return kept.reverse();
+  return keptGroups.flat();
 }
 
 export function deleteMessage(id: string): boolean {

package/lib/connectors/test-runner.ts

@@ -116,7 +116,11 @@ async function runHttpProbe(
   if (body != null && contentType && !headers.has('content-type')) {
     headers.set('content-type', contentType);
   }
-  url = await applyAuth(url, headers, def.auth, effectiveSettings);
+  try {
+    url = await applyAuth(url, headers, def.auth, effectiveSettings);
+  } catch (e) {
+    return { ok: false, error: `auth setup failed: ${(e as Error).message}` };
+  }
 
   const timeoutMs = test.timeout_ms || DEFAULT_TIMEOUT_MS;
   const okStatus = test.ok_status?.length ? test.ok_status : [200];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aion0/forge",
-  "version": "0.10.26",
+  "version": "0.10.27",
   "description": "Unified AI workflow platform — multi-model task orchestration, persistent sessions, web terminal, remote access",
   "type": "module",
   "scripts": {