@aion0/forge 0.10.39 → 0.10.41

package/app/api/projects/clone/route.ts

@@ -0,0 +1,51 @@
+/**
+ * POST /api/projects/clone
+ *
+ *   Body: { name?: string }
+ *
+ * Trigger the same auto-clone path the pipeline orchestrator uses: tries to
+ * clone the GitLab connector's default_project_path under projectRoots[0]
+ * (or ~/IdeaProjects), refreshes projectRoots, and returns the resolved
+ * project. Used by the onboarding wizard's empty-state banner and by the
+ * chat UI when a pipeline fails with "Project not found".
+ */
+
+import { NextResponse } from 'next/server';
+import { resolveOrCloneProject, getDefaultCloneRoot } from '@/lib/projects';
+import { getInstalledConnector } from '@/lib/connectors/registry';
+
+export async function POST(req: Request) {
+  let body: any = {};
+  try { body = await req.json(); } catch { /* empty body is fine */ }
+  const name = typeof body?.name === 'string' ? body.name.trim() : '';
+
+  const r = resolveOrCloneProject(name);
+  // Scratch fallback isn't really a "success" for the caller — they asked for
+  // a real clone. Surface why we couldn't do it so the UI can prompt the user
+  // to fix the underlying gap (e.g. set gitlab default_project_path).
+  if (r.source === 'scratch') {
+    const gl = getInstalledConnector('gitlab');
+    const path = String(gl?.config?.default_project_path || '').trim();
+    const base = String(gl?.config?.base_url || '').trim();
+    const reason = !gl ? 'gitlab_connector_missing'
+      : !path ? 'gitlab_default_project_path_missing'
+      : !base ? 'gitlab_base_url_missing'
+      : 'clone_failed';
+    return NextResponse.json({
+      ok: false,
+      reason,
+      fallback_project: { name: r.project.name, path: r.project.path },
+      target_root: getDefaultCloneRoot(),
+      hint: reason === 'clone_failed'
+        ? 'git clone failed — see server log. Pipelines will still run inside <dataDir>/scratch as a fallback.'
+        : 'set gitlab default_project_path under Settings → Connectors → gitlab; meanwhile pipelines run inside <dataDir>/scratch.',
+    }, { status: 200 });
+  }
+
+  return NextResponse.json({
+    ok: true,
+    project: { name: r.project.name, path: r.project.path },
+    source: r.source,
+    clone_url: r.clone_url,
+  });
+}

package/app/api/settings/route.ts

@@ -24,8 +24,17 @@ export async function PUT(req: Request) {
       return NextResponse.json({ ok: false, error: 'Invalid field' }, { status: 400 });
     }
 
-    // Verify admin password
-    if (!verifyAdmin(adminPassword)) {
+    // First-time admin-password set bypass: when the user is setting the
+    // admin password itself AND no existing password is stored, accept
+    // without verifyAdmin (there's nothing to verify against). After the
+    // initial set, normal "verify current password" flow applies.
+    const existingSettings = loadSettings();
+    const isFirstAdminSet =
+      field === 'telegramTunnelPassword'
+      && !existingSettings.telegramTunnelPassword
+      && !!newValue;
+
+    if (!isFirstAdminSet && !verifyAdmin(adminPassword)) {
       return NextResponse.json({ ok: false, error: 'Wrong password' }, { status: 403 });
     }
 

package/bin/forge-server.mjs

@@ -93,6 +93,28 @@ const isRestart = process.argv.includes('--restart');
 const isRebuild = process.argv.includes('--rebuild');
 const resetTerminal = process.argv.includes('--reset-terminal');
 const resetPassword = process.argv.includes('--reset-password');
+const addEnterpriseKeyOnly = process.argv.includes('--add-enterprise-key');
+
+// ── Enterprise keys (--enterprise-key=…) ──
+//
+// Collected here so they're seen at startup and (when --add-enterprise-key
+// is also passed) we can persist + exit without spinning up the server.
+// Supports both `--enterprise-key=foo` and `--enterprise-key foo` forms;
+// repeat for multiple keys.
+function collectEnterpriseKeys() {
+  const keys = [];
+  for (let i = 0; i < process.argv.length; i++) {
+    const arg = process.argv[i];
+    if (arg.startsWith('--enterprise-key=')) {
+      keys.push(arg.slice('--enterprise-key='.length));
+    } else if (arg === '--enterprise-key' && i + 1 < process.argv.length) {
+      keys.push(process.argv[i + 1]);
+      i += 1;
+    }
+  }
+  return keys.map((k) => k.trim()).filter(Boolean);
+}
+const enterpriseKeysFromArgv = collectEnterpriseKeys();
 
 const webPort = parseInt(getArg('--port')) || 8403;
 const terminalPort = parseInt(getArg('--terminal-port')) || (webPort + 1);
@@ -221,7 +243,9 @@ process.env.WORKSPACE_PORT = String(workspacePort);
 process.env.FORGE_DATA_DIR = DATA_DIR;
 
 // ── Password setup (first run or --reset-password) ──
-if (!isStop) {
+// Skipped in --add-enterprise-key persist-and-exit mode: registering a
+// key from install.sh must not block on an interactive prompt.
+if (!isStop && !addEnterpriseKeyOnly) {
   const YAML = await import('yaml');
   const settingsFile = join(DATA_DIR, 'settings.yaml');
   let settings = {};
@@ -289,17 +313,132 @@ if (!isStop) {
   }
 }
 
+// ── Enterprise keys (--enterprise-key=…) ──
+//
+// Each key is encrypted with AES-256-GCM via the same `.encrypt-key`
+// file the password uses, then appended to `<dataDir>/.enterprise-keys.json`
+// as `{ v: 1, keys: ["enc:…"] }`. lib/enterprise.ts reads + decrypts on
+// the runtime side. Duplicate-by-tenant dedup happens lazily on first
+// listEnterpriseSources(); this layer just appends.
+if (!isStop && (enterpriseKeysFromArgv.length > 0 || addEnterpriseKeyOnly)) {
+  if (addEnterpriseKeyOnly && enterpriseKeysFromArgv.length === 0) {
+    console.error('[forge] --add-enterprise-key requires at least one --enterprise-key=<value>');
+    process.exit(1);
+  }
+  const crypto = await import('node:crypto');
+  const ENC_KEY_FILE = join(DATA_DIR, '.encrypt-key');
+  const KEYS_FILE = join(DATA_DIR, '.enterprise-keys.json');
+  let encKey;
+  if (existsSync(ENC_KEY_FILE)) {
+    encKey = Buffer.from(readFileSync(ENC_KEY_FILE, 'utf-8').trim(), 'hex');
+  } else {
+    encKey = crypto.randomBytes(32);
+    if (!existsSync(DATA_DIR)) mkdirSync(DATA_DIR, { recursive: true });
+    writeFileSync(ENC_KEY_FILE, encKey.toString('hex'), { mode: 0o600 });
+  }
+  const encryptOne = (plain) => {
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv('aes-256-gcm', encKey, iv);
+    const enc = Buffer.concat([cipher.update(plain, 'utf-8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return `enc:${iv.toString('base64')}.${tag.toString('base64')}.${enc.toString('base64')}`;
+  };
+  const decryptOne = (blob) => {
+    if (!blob.startsWith('enc:')) return blob;
+    try {
+      const [ivB64, tagB64, dataB64] = blob.slice(4).split('.');
+      const iv = Buffer.from(ivB64, 'base64');
+      const tag = Buffer.from(tagB64, 'base64');
+      const data = Buffer.from(dataB64, 'base64');
+      const d = crypto.createDecipheriv('aes-256-gcm', encKey, iv);
+      d.setAuthTag(tag);
+      return Buffer.concat([d.update(data), d.final()]).toString('utf-8');
+    } catch { return ''; }
+  };
+  let existing = { v: 1, keys: [] };
+  if (existsSync(KEYS_FILE)) {
+    try {
+      const parsed = JSON.parse(readFileSync(KEYS_FILE, 'utf-8'));
+      if (parsed && Array.isArray(parsed.keys)) existing = { v: 1, keys: parsed.keys };
+    } catch {
+      // Corrupt — start fresh; runtime will surface its own diagnostics if
+      // anything was meaningful there.
+    }
+  }
+  // Dedup against existing plaintexts so a second run of
+  //   ./dev-test.sh --enterprise-key=…
+  // doesn't quietly append a duplicate and grow the file forever.
+  const existingPlaintexts = new Set(existing.keys.map(decryptOne).filter(Boolean));
+  let added = 0;
+  for (const k of enterpriseKeysFromArgv) {
+    if (existingPlaintexts.has(k)) continue;
+    existing.keys.push(encryptOne(k));
+    existingPlaintexts.add(k);
+    added += 1;
+  }
+  if (!existsSync(DATA_DIR)) mkdirSync(DATA_DIR, { recursive: true });
+  writeFileSync(KEYS_FILE, JSON.stringify(existing, null, 2), { mode: 0o600 });
+  const skipped = enterpriseKeysFromArgv.length - added;
+  console.log(`[forge] Persisted ${added} new enterprise key(s)${skipped ? `, skipped ${skipped} duplicate` : ''} → ${KEYS_FILE}`);
+
+  if (addEnterpriseKeyOnly) {
+    process.exit(0);
+  }
+}
+
+// ── Find pids listening on a TCP port (portable) ──
+// macOS ships lsof; minimal Linux containers (RHEL/CentOS/Alpine) often
+// don't. Try lsof → ss (iproute2, ~universal on modern Linux) → fuser
+// (psmisc) in order. Empty result means no listener, period.
+//
+// Without this, `forge server stop` on Linux silently leaked next-server
+// because `lsof -ti:8403` threw ENOENT and the whole stop path was
+// wrapped in try/catch — the port lookup just disappeared.
+function findPortPids(port) {
+  // 1) lsof
+  try {
+    const out = execSync(`lsof -ti:${port}`, {
+      encoding: 'utf-8', timeout: 3000, stdio: ['pipe', 'pipe', 'pipe'],
+    }).trim();
+    if (out) return [...new Set(out.split('\n').map(s => s.trim()).filter(Boolean))];
+  } catch { /* fall through */ }
+  // 2) ss -tlnp — line looks like:
+  //    LISTEN 0 511 *:8403 ... users:(("next-server",pid=903438,fd=14))
+  try {
+    const out = execSync(`ss -tlnp 2>/dev/null`, {
+      encoding: 'utf-8', timeout: 3000, stdio: ['pipe', 'pipe', 'pipe'],
+    });
+    const pids = new Set();
+    for (const line of out.split('\n')) {
+      // Match port at end of local-address field, before either whitespace
+      // (IPv4 `*:8403 `) or end-of-field (IPv6 `[::]:8403 `).
+      if (!new RegExp(`:${port}\\b`).test(line)) continue;
+      for (const m of line.matchAll(/pid=(\d+)/g)) pids.add(m[1]);
+    }
+    if (pids.size) return [...pids];
+  } catch { /* fall through */ }
+  // 3) fuser
+  try {
+    const out = execSync(`fuser ${port}/tcp 2>/dev/null`, {
+      encoding: 'utf-8', timeout: 3000, stdio: ['pipe', 'pipe', 'pipe'],
+    });
+    const pids = out.trim().split(/\s+/).filter(p => /^\d+$/.test(p));
+    if (pids.length) return [...new Set(pids)];
+  } catch { /* nothing more */ }
+  return [];
+}
+
 // ── Reset terminal server (kill port + tmux sessions) ──
 if (resetTerminal) {
   console.log(`[forge] Resetting terminal server (port ${terminalPort})...`);
-  try {
-    const pids = execSync(`lsof -ti:${terminalPort}`, { encoding: 'utf-8' }).trim();
-    for (const pid of pids.split('\n').filter(Boolean)) {
-      try { execSync(`kill ${pid.trim()}`); } catch {}
+  const pids = findPortPids(terminalPort);
+  if (pids.length === 0) {
+    console.log(`[forge] No process on port ${terminalPort}`);
+  } else {
+    for (const pid of pids) {
+      try { process.kill(parseInt(pid), 'SIGTERM'); } catch {}
     }
     console.log(`[forge] Killed terminal server on port ${terminalPort}`);
-  } catch {
-    console.log(`[forge] No process on port ${terminalPort}`);
   }
 }
 
@@ -338,14 +477,10 @@ function cleanupOrphans() {
   try {
     // Kill processes on our ports
     for (const port of [webPort, terminalPort]) {
-      try {
-        const pids = execSync(`lsof -ti:${port}`, { encoding: 'utf-8', timeout: 5000, stdio: ['pipe', 'pipe', 'pipe'] }).trim();
-        for (const pid of pids.split('\n').filter(Boolean)) {
-          const p = pid.trim();
-          if (p === myPid || protectedPids.has(p)) continue;
-          try { process.kill(parseInt(p), 'SIGTERM'); } catch {}
-        }
-      } catch {}
+      for (const p of findPortPids(port)) {
+        if (p === myPid || protectedPids.has(p)) continue;
+        try { process.kill(parseInt(p), 'SIGTERM'); } catch {}
+      }
     }
     // Kill standalone processes: our instance's + orphans without any tag
     try {
@@ -365,11 +500,25 @@ function cleanupOrphans() {
     // imported lib/task-manager (directly or via lib/pipeline) starts its
     // own setInterval task runner that never exits — those run in parallel
     // with the real runner and silently steal tasks. Detect via lsof on
-    // workflow.db, exclude our own next-server + standalones.
+    // workflow.db (Mac), with a fuser fallback for lsof-less Linux.
     try {
       const dbPath = join(DATA_DIR, 'workflow.db');
-      const lsofOut = execSync(`lsof -t "${dbPath}"`, { encoding: 'utf-8', timeout: 5000, stdio: ['pipe', 'pipe', 'pipe'] }).trim();
-      for (const pid of lsofOut.split('\n').map(s => s.trim()).filter(Boolean)) {
+      let holders = [];
+      try {
+        const out = execSync(`lsof -t "${dbPath}"`, {
+          encoding: 'utf-8', timeout: 5000, stdio: ['pipe', 'pipe', 'pipe'],
+        }).trim();
+        holders = out.split('\n').map(s => s.trim()).filter(Boolean);
+      } catch {
+        try {
+          // `fuser <file>` writes pids to stderr, not stdout. Merge streams.
+          const out = execSync(`fuser "${dbPath}" 2>&1`, {
+            encoding: 'utf-8', timeout: 5000, stdio: ['pipe', 'pipe', 'pipe'],
+          });
+          holders = out.replace(/^.*?:/, '').trim().split(/\s+/).filter(p => /^\d+$/.test(p));
+        } catch { /* both unavailable — zombie scan disabled */ }
+      }
+      for (const pid of holders) {
         if (pid === myPid || protectedPids.has(pid)) continue;
         let cmd = '';
         try {
@@ -458,25 +607,35 @@ async function stopServer() {
   } catch {}
   try { unlinkSync(PID_FILE); } catch {}
 
-  // Also kill by port (in case PID file is stale)
-  const portPids = [];
-  try {
-    const pids = execSync(`lsof -ti:${webPort}`, { encoding: 'utf-8', timeout: 3000 }).trim();
-    for (const p of pids.split('\n').filter(Boolean)) {
-      const pid = parseInt(p.trim());
-      try { process.kill(pid, 'SIGTERM'); stopped = true; portPids.push(pid); } catch {}
-    }
-    if (pids) console.log(`[forge] Killed processes on port ${webPort}`);
-  } catch {}
+  // Also kill by port (in case PID file is stale). Use findPortPids
+  // so Linux-without-lsof still works.
+  const portPids = findPortPids(webPort);
+  for (const p of portPids) {
+    const pid = parseInt(p);
+    try { process.kill(pid, 'SIGTERM'); stopped = true; } catch {}
+  }
+  if (portPids.length > 0) console.log(`[forge] Killed processes on port ${webPort}`);
 
-  // Force kill after 2 seconds if SIGTERM didn't work
+  // Force kill survivors after 2 seconds.
   if (portPids.length > 0) {
     await new Promise(r => setTimeout(r, 2000));
     for (const pid of portPids) {
-      try { process.kill(pid, 'SIGKILL'); } catch {}
+      try { process.kill(parseInt(pid), 'SIGKILL'); } catch {}
     }
   }
 
+  // Final verify — if anything still listens on the port (e.g. a child
+  // re-bound, or our SIGKILL hit EPERM), surface it loudly. Silent leak
+  // is exactly the bug we're fixing.
+  const survivors = findPortPids(webPort);
+  if (survivors.length > 0) {
+    console.warn(
+      `[forge] WARNING: port ${webPort} still bound by pid(s) ${survivors.join(', ')} after stop. ` +
+      `Likely a different user / cron-launched / sudo'd instance. ` +
+      `Run: kill ${survivors.join(' ')}  (or with sudo) to free it.`,
+    );
+  }
+
   if (!stopped) {
     console.log('[forge] No running server found');
   }

package/cli/mw.mjs

@@ -741,6 +741,7 @@ __export(dirs_exports, {
   getClaudeDir: () => getClaudeDir,
   getConfigDir: () => getConfigDir,
   getDataDir: () => getDataDir,
+  getEnterpriseKeysPath: () => getEnterpriseKeysPath,
   migrateDataDir: () => migrateDataDir
 });
 import { homedir as homedir2 } from "node:os";
@@ -796,6 +797,9 @@ function migrateDataDir() {
   }
   console.log("[forge] Migration complete. Old files kept as backup.");
 }
+function getEnterpriseKeysPath() {
+  return join3(getDataDir(), ".enterprise-keys.json");
+}
 function getClaudeDir() {
   return process.env.CLAUDE_HOME || join3(homedir2(), ".claude");
 }
@@ -874,16 +878,22 @@ async function main() {
     process.exit(0);
   }
   if (cmd === "--reset-password") {
-    const { execSync: execSync2 } = await import("node:child_process");
+    const { spawnSync: spawnSync2 } = await import("node:child_process");
     const { join: join4, dirname } = await import("node:path");
     const { fileURLToPath } = await import("node:url");
     const serverScript = join4(dirname(fileURLToPath(import.meta.url)), "..", "bin", "forge-server.mjs");
-    try {
-      execSync2(`node ${serverScript} --reset-password`, { stdio: "inherit" });
-    } catch {
-    }
+    const passthru = process.argv.slice(3);
+    spawnSync2("node", [serverScript, "--reset-password", ...passthru], { stdio: "inherit" });
     process.exit(0);
   }
+  if (cmd === "--add-enterprise-key") {
+    const { spawnSync: spawnSync2 } = await import("node:child_process");
+    const { join: join4, dirname } = await import("node:path");
+    const { fileURLToPath } = await import("node:url");
+    const serverScript = join4(dirname(fileURLToPath(import.meta.url)), "..", "bin", "forge-server.mjs");
+    const r = spawnSync2("node", [serverScript, "--add-enterprise-key", ...args], { stdio: "inherit" });
+    process.exit(r.status ?? 1);
+  }
   switch (cmd) {
     case "chat":
     case "c": {
@@ -1418,7 +1428,7 @@ Options for 'forge server start':
 Shortcuts: c=chat, j=jobs, wt=worktree, t=task, ls=tasks, w=watch, s=status, l=log, f=flows, p=projects, pw=password`);
   }
 }
-var skipUpdateCheck = ["upgrade", "uninstall", "--version", "-v", "--reset-password"];
+var skipUpdateCheck = ["upgrade", "uninstall", "--version", "-v", "--reset-password", "--add-enterprise-key"];
 main().then(() => {
   if (!skipUpdateCheck.includes(cmd)) return checkForUpdate();
 }).catch((err) => {

package/cli/mw.ts

@@ -74,17 +74,30 @@ async function main() {
   }
 
   if (cmd === '--reset-password') {
-    // Shortcut: delegate to forge-server.mjs --reset-password
-    const { execSync } = await import('node:child_process');
+    // Shortcut: delegate to forge-server.mjs --reset-password.
+    // Forward any trailing args so `--dir <path>` targets a specific
+    // instance — e.g. `forge --reset-password --dir ~/.forge-test`.
+    const { spawnSync } = await import('node:child_process');
     const { join, dirname } = await import('node:path');
     const { fileURLToPath } = await import('node:url');
     const serverScript = join(dirname(fileURLToPath(import.meta.url)), '..', 'bin', 'forge-server.mjs');
-    try {
-      execSync(`node ${serverScript} --reset-password`, { stdio: 'inherit' });
-    } catch {}
+    const passthru = process.argv.slice(3);
+    spawnSync('node', [serverScript, '--reset-password', ...passthru], { stdio: 'inherit' });
     process.exit(0);
   }
 
+  if (cmd === '--add-enterprise-key') {
+    // Shortcut: delegate persist-and-exit to forge-server.mjs. Caller is
+    // expected to also pass one or more `--enterprise-key=<value>`
+    //   forge --add-enterprise-key --enterprise-key=fortinet:github_pat_xxx
+    const { spawnSync } = await import('node:child_process');
+    const { join, dirname } = await import('node:path');
+    const { fileURLToPath } = await import('node:url');
+    const serverScript = join(dirname(fileURLToPath(import.meta.url)), '..', 'bin', 'forge-server.mjs');
+    const r = spawnSync('node', [serverScript, '--add-enterprise-key', ...args], { stdio: 'inherit' });
+    process.exit(r.status ?? 1);
+  }
+
   switch (cmd) {
     case 'chat':
     case 'c': {
@@ -624,7 +637,7 @@ Shortcuts: c=chat, j=jobs, wt=worktree, t=task, ls=tasks, w=watch, s=status, l=l
   }
 }
 
-const skipUpdateCheck = ['upgrade', 'uninstall', '--version', '-v', '--reset-password'];
+const skipUpdateCheck = ['upgrade', 'uninstall', '--version', '-v', '--reset-password', '--add-enterprise-key'];
 main().then(() => { if (!skipUpdateCheck.includes(cmd)) return checkForUpdate(); }).catch(err => {
   console.error(err.message);
   process.exit(1);

package/components/ConnectorsPanel.tsx

@@ -27,8 +27,36 @@ interface MarketEntry {
   author?: string;
   installed_version?: string;
   update_available?: boolean;
+  /** Source that publishes the proposed update — may differ from
+   *  source_id (the installed origin). E.g. public is installed, then
+   *  the user adds an enterprise source that publishes a higher version. */
+  update_source_id?: string;
   compatible: boolean;
   source: 'registry' | 'local';
+  /** Which marketplace source provided the winning entry:
+   *  `public` | `enterprise-<tenant>` | undefined for local-only. */
+  source_id?: string;
+  /** Lower-priority sources that also list this id but were outranked. */
+  hidden_sources?: { source_id: string; display_name: string; version: string }[];
+}
+
+/** Compact badge describing a source. `enterprise-…` → 🔒 + name; `public` → 🌐;
+ *  install-local (no registry source) → 📦 local. Tooltip carries full id. */
+function SourceBadge({ entry, size = 'sm' }: { entry: Pick<MarketEntry, 'source' | 'source_id' | 'hidden_sources'>; size?: 'xs' | 'sm' }) {
+  const px = size === 'xs' ? 'text-[8px] px-1 py-0.5' : 'text-[9px] px-1.5 py-0.5';
+  if (entry.source === 'local' || !entry.source_id) {
+    return <span className={`${px} rounded bg-[var(--accent)]/15 text-[var(--accent)]`} title="Installed locally, not from any registry">📦 local</span>;
+  }
+  if (entry.source_id === 'public') {
+    return <span className={`${px} rounded bg-[var(--bg-tertiary)] text-[var(--text-secondary)]`} title="Public marketplace">🌐 public</span>;
+  }
+  // enterprise-<tenant>
+  const tenant = entry.source_id.replace(/^enterprise-/, '');
+  const hiddenCount = entry.hidden_sources?.length || 0;
+  const title = hiddenCount > 0
+    ? `Enterprise source: ${tenant} (overrides ${hiddenCount} lower-priority source${hiddenCount > 1 ? 's' : ''})`
+    : `Enterprise source: ${tenant}`;
+  return <span className={`${px} rounded bg-amber-500/15 text-amber-400`} title={title}>🔒 {tenant}</span>;
 }
 
 interface MarketState {
@@ -499,13 +527,9 @@ export default function ConnectorsPanel() {
         >
           {uploading ? 'Installing…' : '+ Upload'}
         </button>
-        <button
-          onClick={sync}
-          disabled={syncing}
-          className="text-[10px] px-2.5 py-0.5 border border-[var(--accent)] text-[var(--accent)] rounded hover:bg-[var(--accent)] hover:text-white transition-colors disabled:opacity-40"
-        >
-          {syncing ? 'Syncing…' : 'Refresh'}
-        </button>
+        {/* Per-tab Sync removed — use Marketplace top → "↻ Sync all"
+            which covers every type (connectors + workflows + skills)
+            from every source (public + enterprise) in one trip. */}
       </div>
 
       {dragOver && (
@@ -550,9 +574,7 @@ export default function ConnectorsPanel() {
                         {update && (
                           <span className="text-[8px] px-1 py-0.5 rounded bg-yellow-500/10 text-yellow-400">update</span>
                         )}
-                        {e.source === 'local' && (
-                          <span className="text-[8px] px-1 py-0.5 rounded bg-[var(--accent)]/15 text-[var(--accent)]">local</span>
-                        )}
+                        <SourceBadge entry={e} size="xs" />
                       </div>
                       <div className="flex items-center gap-1.5 mt-0.5">
                         <span className="text-[9px] text-[var(--text-secondary)]">
@@ -601,9 +623,15 @@ export default function ConnectorsPanel() {
                           update available · v{me.installed_version} → v{me.version}
                         </span>
                       )}
-                      {me.source === 'local' && (
-                        <span className="text-[9px] px-1.5 py-0.5 rounded bg-[var(--accent)]/15 text-[var(--accent)]">
-                          local · not in registry
+                      <SourceBadge entry={me} />
+                      {installed && me.update_source_id && me.update_source_id !== me.source_id && (
+                        <span
+                          className="text-[9px] px-1.5 py-0.5 rounded bg-amber-500/10 text-amber-400"
+                          title={`Installed manifest comes from ${me.source_id}, but ${me.update_source_id} also publishes this connector at a higher priority. Reinstall to switch.`}
+                        >
+                          ↻ also in {me.update_source_id === 'public'
+                            ? 'public'
+                            : me.update_source_id.replace(/^enterprise-/, '')}
                         </span>
                       )}
                     </div>
@@ -630,6 +658,16 @@ export default function ConnectorsPanel() {
                         {busyId === me.id ? '…' : 'Update'}
                       </button>
                     )}
+                    {installed && !update && (
+                      <button
+                        onClick={() => act('update', me.id)}
+                        disabled={busyId === me.id}
+                        title="Re-pull this connector's manifest from the highest-priority source (force, even if version matches). Use this when you bumped the manifest version but the marketplace top-level Sync doesn't seem to have picked it up."
+                        className="text-[10px] px-2 py-1 rounded border border-[var(--border)] text-[var(--text-secondary)] hover:border-[var(--text-primary)] hover:text-[var(--text-primary)] transition-colors disabled:opacity-40"
+                      >
+                        {busyId === me.id ? '…' : '↻'}
+                      </button>
+                    )}
                     {installed && (
                       <button
                         onClick={() => act('uninstall', me.id)}
@@ -642,6 +680,40 @@ export default function ConnectorsPanel() {
                   </div>
                 </div>
 
+                {/* Sources — surface enterprise winner + outranked rows so
+                    the user can see "this mantis comes from fortinet, public
+                    has one too but it's hidden". Hide entirely for the boring
+                    case (public winner with no overlap). */}
+                {(() => {
+                  const isEnterpriseWinner = me.source_id && me.source_id !== 'public' && me.source !== 'local';
+                  const hasHidden = !!me.hidden_sources?.length;
+                  if (!isEnterpriseWinner && !hasHidden) return null;
+                  return (
+                    <div>
+                      <h3 className="text-[11px] font-semibold text-[var(--text-primary)] mb-1.5">
+                        Sources <span className="text-[9px] text-[var(--text-secondary)] font-normal">· higher priority first</span>
+                      </h3>
+                      <div className="rounded border border-[var(--border)] divide-y divide-[var(--border)] bg-[var(--bg-tertiary)]">
+                        <div className="px-2.5 py-1.5 flex items-center gap-2">
+                          <SourceBadge entry={me} size="xs" />
+                          <span className="text-[10px] font-mono text-[var(--text-primary)]">v{me.version}</span>
+                          <span className="text-[9px] text-green-400 ml-auto">in use</span>
+                        </div>
+                        {me.hidden_sources?.map((hs) => (
+                          <div key={hs.source_id} className="px-2.5 py-1.5 flex items-center gap-2 opacity-60">
+                            <SourceBadge
+                              entry={{ source: 'registry', source_id: hs.source_id }}
+                              size="xs"
+                            />
+                            <span className="text-[10px] font-mono text-[var(--text-secondary)]">v{hs.version}</span>
+                            <span className="text-[9px] text-[var(--text-secondary)] ml-auto">hidden</span>
+                          </div>
+                        ))}
+                      </div>
+                    </div>
+                  );
+                })()}
+
                 {/* Tools — only when manifest is on disk */}
                 {installed && detail && (
                   <div>

package/components/CraftTerminal.tsx

@@ -139,7 +139,7 @@ export default function CraftTerminal({
               ws.send(JSON.stringify({ type: 'create', sessionName: activeSessionRef.current, cols: term.cols, rows: term.rows }));
               // After creation, cd into craft dir and start the chosen agent
               // Wait until agents fetch settles so we can pick the right CLI + resume flag
-              const tryLaunch = (attempt = 0) => {
+              const tryLaunch = async (attempt = 0) => {
                 if (ws.readyState !== WebSocket.OPEN) return;
                 const list = agentsRef.current;
                 const id = agentIdRef.current;
@@ -148,11 +148,20 @@ export default function CraftTerminal({
                   return;
                 }
                 const a = list.find(x => x.id === id) || list[0];
-                const cli = a?.path || a?.id || 'claude';
+                // Resolve cliCmd via the API so derived agents (e.g.
+                // forti-k2 base: claude) inherit the base's absolute
+                // path instead of falling back to bare a.id / 'claude'.
+                let cli = a?.path || 'claude';
+                const targetId = a?.id || 'claude';
+                try {
+                  const info = await fetch(`/api/agents?resolve=${encodeURIComponent(targetId)}`).then(r => r.ok ? r.json() : null);
+                  if (info?.cliCmd) cli = info.cliCmd;
+                } catch {}
+                const quotedCli = `"${cli}"`;
                 const isClaude = (a?.id === 'claude') || (a as any)?.cliType === 'claude-code';
                 const sf = (isClaude && skipPermRef.current) ? ' --dangerously-skip-permissions' : '';
                 const resume = resumeIdRef.current && isClaude ? ` --resume ${resumeIdRef.current}` : '';
-                ws.send(JSON.stringify({ type: 'input', data: `cd "${craftDir}" && ${cli}${sf}${resume}\n` }));
+                ws.send(JSON.stringify({ type: 'input', data: `cd "${craftDir}" && ${quotedCli}${sf}${resume}\n` }));
               };
               setTimeout(() => tryLaunch(), 500);
             }