@aion0/forge 0.10.26 → 0.10.28

package/RELEASE_NOTES.md

@@ -1,19 +1,11 @@
-# Forge v0.10.26
+# Forge v0.10.28
 
 Released: 2026-06-02
 
-## Changes since v0.10.25
+## Changes since v0.10.27
 
 ### Other
-- feat(http-auth): bearer-token-exchange — 2-step API token → cached JWT
-- fix(login-status): 2FA probe = passive SSH greet, not interactive 2fa_verify
-- fix(login-status): derive 2FA host from gitlab connector + skip uninstalled sources
-- fix(login-status): expand host_match settings tokens for open-login URL
-- fix(login-status): probe via lib, not self-fetch — fixes all-401 results
-- feat(login-status): central panel for all expirable auth credentials
-- feat(http): capture_response_headers + chrome-mcp.sh helper
-- fix(http): use undici.fetch for verify_tls path (v8 Agent incompatible with Node 22 bundled fetch)
-- feat(http): connector-level http.verify_tls knob for self-signed appliances
+- fix(login-status): remove GitLab 2FA row — 2fa_verify is interactive, can't probe
 
 
-**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.25...v0.10.26
+**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.27...v0.10.28

package/app/api/connectors/[id]/test/route.ts

@@ -11,7 +11,16 @@ import { runConnectorTest } from '@/lib/connectors/test-runner';
 
 export async function POST(_req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params;
-  const r = await runConnectorTest(id);
-  const { code, ...body } = r;
-  return NextResponse.json(body, code ? { status: code } : undefined);
+  try {
+    const r = await runConnectorTest(id);
+    const { code, ...body } = r;
+    return NextResponse.json(body, code ? { status: code } : undefined);
+  } catch (e) {
+    // Belt-and-suspenders: never let an uncaught exception bubble to
+    // Next's HTML 500 page — the browser would then choke on JSON parse.
+    return NextResponse.json(
+      { ok: false, error: `internal error: ${(e as Error).message}` },
+      { status: 500 },
+    );
+  }
 }

package/lib/auth/login-status.ts

@@ -19,7 +19,6 @@
 
 import { existsSync, readFileSync, writeFileSync } from 'node:fs';
 import { join } from 'node:path';
-import { spawn } from 'node:child_process';
 import { getDataDir } from '../dirs';
 import { listConnectorIds, getConnector, getInstalledConnector } from '../connectors/registry';
 import { runConnectorTest } from '../connectors/test-runner';
@@ -151,40 +150,15 @@ export function listSources(): LoginSource[] {
     });
   }
 
-  // 2. External: GitLab 2FA — derive SSH host from the gitlab
-  //    connector. Only surface this row if gitlab connector is
-  //    installed; otherwise it's noise.
-  const gitlabHost = getGitLabHost();
-  if (gitlabHost) {
-    out.push({
-      id: 'ext:gitlab-2fa',
-      label: 'GitLab 2FA',
-      category: 'external',
-      detail: `ssh git@${gitlabHost} 2fa_verify (BatchMode)`,
-      refresh: {
-        kind: 'show-command',
-        command: `ssh git@${gitlabHost} 2fa_verify`,
-        description:
-          'Run in a terminal — it will prompt for your 2FA token. Once accepted, future git fetch/push work for a while.',
-      },
-    });
-  }
+  // GitLab 2FA used to be an external row here, but `2fa_verify` is
+  // interactive auth (not a probe) and bare SSH greet doesn't catch
+  // expiry. Removed in favour of a static hint on the GitLab
+  // connector itself — user copies the command when they actually
+  // hit a 2FA expiry instead of being nagged proactively.
 
   return out;
 }
 
-/** Pull the gitlab connector's host from its installed base_url, if any. */
-function getGitLabHost(): string | null {
-  try {
-    const inst = getInstalledConnector('gitlab');
-    const baseUrl = (inst?.config as any)?.base_url as string | undefined;
-    if (!baseUrl) return null;
-    return new URL(baseUrl).hostname || null;
-  } catch {
-    return null;
-  }
-}
-
 // ─── Checks ─────────────────────────────────────────────────────────
 
 /**
@@ -197,8 +171,6 @@ export async function checkSource(source: LoginSource): Promise<LoginCheckResult
 
   if (source.id.startsWith('connector:')) {
     r = await checkConnector(source.id.slice('connector:'.length));
-  } else if (source.id === 'ext:gitlab-2fa') {
-    r = await checkGitLab2fa();
   } else {
     r = { ok: false, message: `unknown source ${source.id}` };
   }
@@ -229,58 +201,6 @@ async function checkConnector(
   }
 }
 
-async function checkGitLab2fa(): Promise<Omit<LoginCheckResult, 'checked_at' | 'duration_ms'>> {
-  const host = getGitLabHost();
-  if (!host) {
-    return {
-      ok: false,
-      message: 'gitlab connector not installed or base_url empty',
-    };
-  }
-  // Passive probe: SSH to the host with NO command. gitlab-shell prints
-  // "Welcome to GitLab, @user!" then closes — only triggers SSH key auth,
-  // never the interactive 2fa_verify push. Used here purely to confirm
-  // the SSH path + key + server are all reachable; if your setup gates
-  // git operations behind a separate 2FA window, this won't catch that
-  // (no known passive 2FA-status command).
-  return new Promise((resolve) => {
-    const proc = spawn(
-      'ssh',
-      ['-o', 'BatchMode=yes', '-o', 'ConnectTimeout=30', `git@${host}`],
-      { stdio: ['ignore', 'pipe', 'pipe'] },
-    );
-    let stdout = '';
-    let stderr = '';
-    const timer = setTimeout(() => {
-      try { proc.kill('SIGTERM'); } catch {}
-      resolve({ ok: false, message: 'timeout after 35s — host unreachable' });
-    }, 35_000);
-    proc.stdout?.on('data', (b) => { stdout += b.toString('utf-8'); });
-    proc.stderr?.on('data', (b) => { stderr += b.toString('utf-8'); });
-    proc.on('close', (code) => {
-      clearTimeout(timer);
-      const combined = (stdout + '\n' + stderr).trim().replace(/\s+/g, ' ');
-      // gitlab-shell exits 0 on greeting; "Welcome to GitLab" is the
-      // success marker regardless of exit code (some setups exit 1 with
-      // PTY warnings on stderr but still authenticate).
-      const welcomed = /Welcome to GitLab/i.test(combined);
-      if (welcomed) {
-        const m = combined.match(/Welcome to GitLab,?\s*@?[\w.-]+!?/i);
-        resolve({ ok: true, message: m ? m[0] : 'gitlab-shell greeted ok' });
-      } else {
-        resolve({
-          ok: false,
-          message: `exit ${code}: ${combined.slice(0, 400) || '(no output)'}`,
-        });
-      }
-    });
-    proc.on('error', (e) => {
-      clearTimeout(timer);
-      resolve({ ok: false, message: e.message });
-    });
-  });
-}
-
 // ─── Bulk view ──────────────────────────────────────────────────────
 
 export function listStatus(): LoginStatusRow[] {

package/lib/chat/agent-loop.ts

@@ -48,7 +48,10 @@ const MAX_TOKENS = 16000;
 // raw is summarized by the memory-standalone Temper Summary sub-task
 // and recalled via buildMemoryContext as compact blocks instead.
 const HISTORY_MSG_BUDGET = 60;
-const HISTORY_TOKEN_BUDGET = 8000;
+// Bumped 8000 → 32000 — modern models all ≥ 200k context; 8000 was
+// stripping single oversized tool results (e.g. mantis.search_bugs
+// returning 20k chars), leaving history empty after orphan-trim.
+const HISTORY_TOKEN_BUDGET = 32000;
 // Hard cap on a single tool_result stored into the conversation (chars).
 // A giant result (e.g. a connector returning a full test tree) would
 // otherwise blow the whole HISTORY_TOKEN_BUDGET, push its paired

package/lib/chat/protocols/http.ts

@@ -122,13 +122,33 @@ function expandUrlPath(
   return out;
 }
 
+/**
+ * Collapse consecutive slashes in the URL's pathname only — fixes the
+ * `https://host//api/...` artifact when settings.base_url has a trailing
+ * slash AND the manifest path starts with `/`. Query string and fragment
+ * are NOT touched (a query value like `?url=//foo` is left alone).
+ *
+ * If `url` doesn't parse, returns it unchanged.
+ */
+function collapsePathSlashes(url: string): string {
+  try {
+    const u = new URL(url);
+    u.pathname = u.pathname.replace(/\/{2,}/g, '/');
+    return u.toString();
+  } catch {
+    return url;
+  }
+}
+
 function buildUrl(
   spec: HttpRequestSpec,
   settings: Record<string, any>,
   args: Record<string, any>,
   paramSchemas?: Record<string, ConnectorFieldSchema>,
 ): string {
-  const base = expandUrlPath(spec.url, settings, args, paramSchemas);
+  const base = collapsePathSlashes(
+    expandUrlPath(spec.url, settings, args, paramSchemas),
+  );
   if (!spec.query) return base;
   const url = new URL(base);
   for (const [k, raw] of Object.entries(spec.query)) {
@@ -175,7 +195,9 @@ async function exchangeBearerToken(
   const exp = (s: string | undefined) =>
     s == null ? '' : expandAllTokens(String(s), settings, args);
   const apiToken = exp(auth.api_token);
-  const exchangeUrl = exp(auth.exchange_url);
+  // Same pathname-only collapse as buildUrl — guards against trailing
+  // slash on settings.base_url producing `host//api/...`.
+  const exchangeUrl = collapsePathSlashes(exp(auth.exchange_url));
   if (!apiToken) throw new Error('bearer-token-exchange: api_token is empty');
   if (!exchangeUrl) throw new Error('bearer-token-exchange: exchange_url is empty');
   const key = `${apiToken}|${exchangeUrl}`;

package/lib/chat/session-store.ts

@@ -299,19 +299,42 @@ export function listMessagesCapped(
     SELECT * FROM chat_messages WHERE session_id = ?
     ORDER BY ts DESC LIMIT ?
   `).all(session_id, cap) as MessageRow[];
-  const newestFirst = rows.map(rowToMessage);
+  const chrono = rows.map(rowToMessage).reverse();
 
-  // Now apply tokenBudget walking newest → oldest. Always keep at
-  // least one (so an oversized last message doesn't strand the loop).
-  const kept: Message[] = [];
+  // Group messages so that an assistant `tool_use` message and its
+  // paired user `tool_result` reply are an indivisible unit. Without
+  // this, the token-budget walk can keep the oversized tool_result
+  // but drop the tool_use that produced it — leading to the
+  // tool_result being treated as an orphan and stripped, leaving an
+  // empty history. Each group is chronological.
+  const groups: Message[][] = [];
+  for (let i = 0; i < chrono.length; i++) {
+    const m = chrono[i];
+    const hasToolUse = m.role === 'assistant' && m.blocks.some((b) => b.type === 'tool_use');
+    const next = chrono[i + 1];
+    const nextHasToolResult =
+      next && next.role === 'user' && next.blocks.some((b) => b.type === 'tool_result');
+    if (hasToolUse && nextHasToolResult) {
+      groups.push([m, next]);
+      i++; // skip the partner — we just consumed it
+    } else {
+      groups.push([m]);
+    }
+  }
+
+  // Walk groups newest-first, applying the token budget. Always keep
+  // at least one group so an oversized last group doesn't strand the
+  // loop (provider will see a single message — still valid).
+  const keptGroups: Message[][] = [];
   let used = 0;
-  for (const m of newestFirst) {
-    const cost = estimateTokens(m);
-    if (kept.length > 0 && used + cost > tokenBudget) break;
-    kept.push(m);
+  for (let i = groups.length - 1; i >= 0; i--) {
+    const g = groups[i];
+    const cost = g.reduce((s, m) => s + estimateTokens(m), 0);
+    if (keptGroups.length > 0 && used + cost > tokenBudget) break;
+    keptGroups.unshift(g);
     used += cost;
   }
-  return kept.reverse();
+  return keptGroups.flat();
 }
 
 export function deleteMessage(id: string): boolean {

package/lib/connectors/test-runner.ts

@@ -116,7 +116,11 @@ async function runHttpProbe(
   if (body != null && contentType && !headers.has('content-type')) {
     headers.set('content-type', contentType);
   }
-  url = await applyAuth(url, headers, def.auth, effectiveSettings);
+  try {
+    url = await applyAuth(url, headers, def.auth, effectiveSettings);
+  } catch (e) {
+    return { ok: false, error: `auth setup failed: ${(e as Error).message}` };
+  }
 
   const timeoutMs = test.timeout_ms || DEFAULT_TIMEOUT_MS;
   const okStatus = test.ok_status?.length ? test.ok_status : [200];

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aion0/forge",
-  "version": "0.10.26",
+  "version": "0.10.28",
   "description": "Unified AI workflow platform — multi-model task orchestration, persistent sessions, web terminal, remote access",
   "type": "module",
   "scripts": {