@aion0/forge 0.10.39 → 0.10.41

package/components/Dashboard.tsx

@@ -26,6 +26,7 @@ const SettingsModal = lazy(() => import('./SettingsModal'));
 const MonitorPanel = lazy(() => import('./MonitorPanel'));
 const LoginStatusPanel = lazy(() => import('./LoginStatusPanel'));
 const ActivityPanel = lazy(() => import('./ActivityPanel'));
+const EnterpriseBadge = lazy(() => import('./EnterpriseBadge'));
 const WorkspaceView = lazy(() => import('./WorkspaceView'));
 // WorkspaceTree moved into ProjectDetail — no longer needed at Dashboard level
 import { OnboardingBanner, OnboardingDrawer } from './OnboardingWizard';
@@ -136,12 +137,27 @@ export default function Dashboard({ user }: { user: any }) {
   const [showSettings, setShowSettings] = useState(false);
   const [needsOnboarding, setNeedsOnboarding] = useState(false);
   const [showOnboarding, setShowOnboarding] = useState(false);
+  // E4: when EnterpriseBadge fires forge:open-onboarding after a fresh
+  // key add, the source id rides along so the wizard scopes to that
+  // new tenant immediately instead of resolving the priority chain.
+  const [onboardingSourceId, setOnboardingSourceId] = useState<string | null>(null);
+  useEffect(() => {
+    const handler = (e: Event) => {
+      const detail = (e as CustomEvent).detail || {};
+      setOnboardingSourceId(detail.source_id || null);
+      setShowOnboarding(true);
+    };
+    window.addEventListener('forge:open-onboarding', handler);
+    return () => window.removeEventListener('forge:open-onboarding', handler);
+  }, []);
   useEffect(() => {
     fetch('/api/onboarding').then(r => r.json()).then(j => {
       const need = !!(j?.ok && !j.onboardingCompleted);
       setNeedsOnboarding(need);
-      // Auto-open the drawer when setup is needed — saves the user a click.
-      // They can still click "Skip" inside the drawer to dismiss.
+      // Auto-open the drawer when setup is needed — saves the user a
+      // click. When there's no enterprise yet, the wizard's first page
+      // is a splash asking "Add enterprise key, or continue with
+      // public?" so opt-out is one click away.
       if (need) setShowOnboarding(true);
     }).catch(() => {});
   }, []);
@@ -161,6 +177,7 @@ export default function Dashboard({ user }: { user: any }) {
   const [showUserMenu, setShowUserMenu] = useState(false);
   const [theme, setTheme] = useState<'dark' | 'light'>('dark');
   const [displayName, setDisplayName] = useState(user?.name || 'Forge');
+  const [profileDept, setProfileDept] = useState('');
   const terminalRef = useRef<WebTerminalHandle>(null);
 
   // Theme: load from localStorage + apply
@@ -182,7 +199,10 @@ export default function Dashboard({ user }: { user: any }) {
   // Fetch display name from settings
   const refreshDisplayName = useCallback(() => {
     fetch('/api/settings').then(r => r.json())
-      .then((s: any) => { if (s.displayName) setDisplayName(s.displayName); })
+      .then((s: any) => {
+        if (s.displayName) setDisplayName(s.displayName);
+        if (typeof s.dept === 'string') setProfileDept(s.dept);
+      })
       .catch(() => {});
   }, []);
   useEffect(() => { refreshDisplayName(); }, [refreshDisplayName]);
@@ -228,17 +248,24 @@ export default function Dashboard({ user }: { user: any }) {
     return () => clearInterval(id);
   }, []);
 
-  // Login status badge — load cached results on mount so the user
-  // dropdown shows the red dot count without forcing a check.
+  // Login status badge — poll cached results on a 10s interval so the
+  // red-dot count picks up changes from the Test button / wizard apply /
+  // Reinstall without forcing the user to open + close the full panel.
+  // GET is cheap (reads JSON file, no probe), so this is fine.
   useEffect(() => {
-    fetch('/api/login-status')
-      .then((r) => r.json())
-      .then((j) => {
-        const rows = (j.rows || []) as Array<{ result: { ok: boolean } | null }>;
-        const broken = rows.filter((r) => r.result && !r.result.ok).length;
-        setLoginBadge({ broken, total: rows.length });
-      })
-      .catch(() => {});
+    const refresh = () => {
+      fetch('/api/login-status')
+        .then((r) => r.json())
+        .then((j) => {
+          const rows = (j.rows || []) as Array<{ result: { ok: boolean } | null }>;
+          const broken = rows.filter((r) => r.result && !r.result.ok).length;
+          setLoginBadge({ broken, total: rows.length });
+        })
+        .catch(() => {});
+    };
+    refresh();
+    const id = setInterval(refresh, 10_000);
+    return () => clearInterval(id);
   }, []);
 
   // Notifications: poll unread count at 30s, full fetch when panel opens
@@ -312,9 +339,11 @@ export default function Dashboard({ user }: { user: any }) {
       )}
       {showOnboarding && (
         <OnboardingDrawer
-          onClose={() => setShowOnboarding(false)}
+          initialSourceId={onboardingSourceId}
+          onClose={() => { setShowOnboarding(false); setOnboardingSourceId(null); }}
           onComplete={() => {
             setShowOnboarding(false);
+            setOnboardingSourceId(null);
             setNeedsOnboarding(false);
             // Reload settings so chat picks up new API profile etc.
             fetchData();
@@ -353,9 +382,13 @@ export default function Dashboard({ user }: { user: any }) {
       <header className="h-12 border-b-2 border-[var(--border)] flex items-center justify-between px-4 shrink-0 bg-[var(--bg-secondary)]">
         <div className="flex items-center gap-4">
           <img src="/icon.png" alt="Forge" width={28} height={28} className="rounded" />
-          <span className="text-sm font-bold text-[var(--accent)]">
-            Forge{displayName && displayName !== 'Forge' ? ` · ${displayName}` : ''}
-          </span>
+          <span className="text-sm font-bold text-[var(--accent)]">Forge</span>
+          {/* Enterprise sources — popover with per-tenant Re-sync / Reinstall /
+              Remove rows + inline Add tenant. Sits where the displayName used
+              to be so it's the first signal you see on cold open. */}
+          <Suspense fallback={null}>
+            <EnterpriseBadge onOpenSettings={() => setShowSettings(true)} />
+          </Suspense>
           {versionInfo && (
             <span className="flex items-center gap-1.5">
               <span className="text-[10px] text-[var(--text-secondary)]">v{versionInfo.current}</span>
@@ -638,6 +671,11 @@ export default function Dashboard({ user }: { user: any }) {
               onClick={() => { setShowUserMenu(v => !v); setShowNotifications(false); }}
               className="text-[10px] text-[var(--text-secondary)] hover:text-[var(--text-primary)] flex items-center gap-1 px-1"
             >
+              {profileDept && (
+                <span className="text-[9px] px-1 py-[1px] rounded bg-emerald-500/15 text-emerald-500 border border-emerald-500/30 mr-1" title="Active department">
+                  {profileDept}
+                </span>
+              )}
               {displayName} <span className="text-[8px]">▾</span>
             </button>
             {showUserMenu && (

package/components/DocTerminal.tsx

@@ -30,11 +30,17 @@ export default function DocTerminal({ docRoot, agent }: { docRoot: string; agent
     fetch('/api/settings').then(r => r.json())
       .then((s: any) => { if (s.skipPermissions) skipPermRef.current = true; })
       .catch(() => {});
+    // Resolve via ?resolve= so derived agents (forti-k2 base: claude
+    // with no own path) inherit the base's absolute path. The plain
+    // /api/agents list returns the row's literal `path`, which is
+    // empty for derived agents and gives a useless fallback.
     fetch('/api/agents').then(r => r.json())
-      .then(data => {
+      .then(async (data: any) => {
         const targetId = agent || data.defaultAgent || 'claude';
-        const found = (data.agents || []).find((a: any) => a.id === targetId);
-        if (found?.path) agentCmdRef.current = found.path;
+        try {
+          const info = await fetch(`/api/agents?resolve=${encodeURIComponent(targetId)}`).then(r => r.ok ? r.json() : null);
+          if (info?.cliCmd) agentCmdRef.current = info.cliCmd;
+        } catch {}
       })
       .catch(() => {});
   }, []);
@@ -97,7 +103,7 @@ export default function DocTerminal({ docRoot, agent }: { docRoot: string; agent
               setTimeout(() => {
                 if (socket.readyState === WebSocket.OPEN) {
                   const sf = skipPermRef.current ? ' --dangerously-skip-permissions' : '';
-                  socket.send(JSON.stringify({ type: 'input', data: `cd "${docRootRef.current}" && ${agentCmdRef.current} -c${sf}\n` }));
+                  socket.send(JSON.stringify({ type: 'input', data: `cd "${docRootRef.current}" && "${agentCmdRef.current}" -c${sf}\n` }));
                 }
               }, 300);
             }
@@ -166,13 +172,13 @@ export default function DocTerminal({ docRoot, agent }: { docRoot: string; agent
         </span>
         <div className="ml-auto flex items-center gap-1">
           <button
-            onClick={() => { const sf = skipPermRef.current ? ' --dangerously-skip-permissions' : ''; runCommand(`cd "${docRoot}" && ${agentCmdRef.current}${sf}`); }}
+            onClick={() => { const sf = skipPermRef.current ? ' --dangerously-skip-permissions' : ''; runCommand(`cd "${docRoot}" && "${agentCmdRef.current}"${sf}`); }}
             className="text-[10px] px-2 py-0.5 text-[var(--accent)] hover:bg-[#2a2a4a] rounded"
           >
             New
           </button>
           <button
-            onClick={() => { const sf = skipPermRef.current ? ' --dangerously-skip-permissions' : ''; runCommand(`cd "${docRoot}" && ${agentCmdRef.current} -c${sf}`); }}
+            onClick={() => { const sf = skipPermRef.current ? ' --dangerously-skip-permissions' : ''; runCommand(`cd "${docRoot}" && "${agentCmdRef.current}" -c${sf}`); }}
             className="text-[10px] px-2 py-0.5 text-gray-400 hover:text-white hover:bg-[#2a2a4a] rounded"
           >
             Resume

package/components/EnterpriseBadge.tsx

@@ -0,0 +1,420 @@
+/**
+ * Dashboard top-nav chip listing active enterprise marketplace sources.
+ *
+ *   - No keys configured → renders a single dim '+ Enterprise' button
+ *     that opens the Add-tenant form. Most non-enterprise users won't
+ *     even notice it.
+ *   - 1+ keys           → '🔒 Fortinet' (single) or '🔒 Fortinet +1'
+ *     (collapsed badge). Click opens a popover with the full list,
+ *     per-tenant Re-sync / Reinstall / Remove buttons, sync status,
+ *     and an inline 'Add another tenant' input.
+ *
+ * Replaces the old behaviour of jumping into Settings — most enterprise
+ * lifecycle actions (resync, reinstall, add, remove, see status) now
+ * live in this single popover, which is where users instinctively look
+ * once they've spotted the 🔒 chip.
+ */
+
+import { useEffect, useRef, useState } from 'react';
+
+interface SourceView {
+  tenant_id: string;
+  display_name: string;
+  repo_url: string;
+  priority: number;
+  pat_preview: string;
+  last_sync?: { ok: boolean; error?: string; fetched_at: string } | null;
+  departments?: Array<{ id: string; display_name: string; has_template?: boolean }>;
+  active_dept?: string | null;
+}
+
+export default function EnterpriseBadge({ onOpenSettings: _onOpenSettings }: { onOpenSettings: () => void }) {
+  const [sources, setSources] = useState<SourceView[]>([]);
+  const [open, setOpen] = useState(false);
+  const [busy, setBusy] = useState<'resync' | 'reinstall' | string | null>(null);
+  const [status, setStatus] = useState('');
+  const [error, setError] = useState('');
+  const [showAddInline, setShowAddInline] = useState(false);
+  const [newKey, setNewKey] = useState('');
+  // Edit-key flow: `editTenant` is the tenant_id currently being edited
+  // (null when not editing). `editKey` is the new PAT/long-form key the
+  // user is typing. Kept separate from add-flow state so the row's
+  // pencil button doesn't collide with the bottom + Add tenant input.
+  const [editTenant, setEditTenant] = useState<string | null>(null);
+  const [editKey, setEditKey] = useState('');
+  const popoverRef = useRef<HTMLDivElement>(null);
+
+  const load = async () => {
+    try {
+      const r = await fetch('/api/enterprise-keys');
+      if (!r.ok) return;
+      const data = await r.json();
+      setSources((data?.sources || []) as SourceView[]);
+    } catch {
+      // Network blip — leave previous state.
+    }
+  };
+
+  useEffect(() => {
+    load();
+    const onFocus = () => { load(); };
+    window.addEventListener('focus', onFocus);
+    return () => window.removeEventListener('focus', onFocus);
+  }, []);
+
+  // Close popover on outside click.
+  useEffect(() => {
+    if (!open) return;
+    const onClick = (e: MouseEvent) => {
+      if (popoverRef.current && !popoverRef.current.contains(e.target as Node)) {
+        setOpen(false);
+      }
+    };
+    window.addEventListener('mousedown', onClick);
+    return () => window.removeEventListener('mousedown', onClick);
+  }, [open]);
+
+  const reset = () => { setStatus(''); setError(''); };
+
+  // Single Re-sync: pulls registry.json AND re-fetches installed
+  // connector manifests when their version changes. The old
+  // "Reinstall all" button (force-overwrite regardless of version)
+  // was removed — too many footguns; rare cases can re-run the wizard
+  // or use the per-row ↻ in the connectors panel.
+  const handleResync = async () => {
+    reset();
+    setBusy('resync');
+    try {
+      const r = await fetch('/api/enterprise-keys', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ action: 'resync', refreshInstalled: true }),
+      });
+      const data = await r.json();
+      if (!data.ok) { setError(data.error || 'resync failed'); }
+      else {
+        const result = data.result || {};
+        const okN = (result.sources || []).filter((s: any) => s.ok).length;
+        const total = (result.sources || []).length;
+        const refreshed = result.manifests_refreshed || 0;
+        setStatus(`✓ Re-synced ${okN}/${total} sources${refreshed ? ` · refreshed ${refreshed} manifests` : ''}`);
+      }
+      await load();
+    } catch (e) {
+      setError(e instanceof Error ? e.message : String(e));
+    } finally {
+      setBusy(null);
+    }
+  };
+
+  const handleEdit = async (tenant_id: string, display_name: string) => {
+    const key = editKey.trim();
+    if (!key) return;
+    reset();
+    setBusy(`edit:${tenant_id}`);
+    try {
+      const r = await fetch(`/api/enterprise-keys?tenant_id=${encodeURIComponent(tenant_id)}`, {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ key }),
+      });
+      const data = await r.json();
+      if (!data.ok) setError(data.error || 'edit failed');
+      else {
+        setStatus(`✓ Updated ${display_name} — key rotated`);
+        setEditTenant(null);
+        setEditKey('');
+      }
+      await load();
+    } catch (e) {
+      setError(e instanceof Error ? e.message : String(e));
+    } finally {
+      setBusy(null);
+    }
+  };
+
+  const handleRemove = async (tenant_id: string, display_name: string) => {
+    if (!confirm(`Remove enterprise source "${display_name}"?\n\nInstalled connectors stay on disk; they just stop receiving updates.`)) return;
+    reset();
+    setBusy(`remove:${tenant_id}`);
+    try {
+      const r = await fetch(`/api/enterprise-keys?tenant_id=${encodeURIComponent(tenant_id)}`, { method: 'DELETE' });
+      const data = await r.json();
+      if (!data.ok) setError(data.error || 'remove failed');
+      else setStatus(`✓ Removed ${display_name}`);
+      await load();
+    } catch (e) {
+      setError(e instanceof Error ? e.message : String(e));
+    } finally {
+      setBusy(null);
+    }
+  };
+
+  const handleAdd = async () => {
+    const key = newKey.trim();
+    if (!key) return;
+    reset();
+    setBusy('add');
+    try {
+      const r = await fetch('/api/enterprise-keys', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ key }),
+      });
+      const data = await r.json();
+      if (!data.ok) setError(data.error || 'failed to add key');
+      else {
+        setNewKey('');
+        setShowAddInline(false);
+        // E4: when the new tenant landed a wizard template on disk, hand
+        // off to the onboarding wizard scoped to this source so the user
+        // can apply its defaults right away. Dispatched via the existing
+        // forge:open-onboarding event so SettingsModal isn't a required
+        // intermediate. Falls back to the status pill when no template
+        // is available (public-only tenant).
+        if (data.has_wizard_template && data.source_id) {
+          setStatus(`✓ Added ${data.tenant_id} — opening wizard…`);
+          window.dispatchEvent(new CustomEvent('forge:open-onboarding', {
+            detail: { source_id: data.source_id },
+          }));
+          setOpen(false);
+        } else {
+          setStatus(`✓ Added ${data.tenant_id} — marketplace synced`);
+        }
+      }
+      await load();
+    } catch (e) {
+      setError(e instanceof Error ? e.message : String(e));
+    } finally {
+      setBusy(null);
+    }
+  };
+
+  // When there are no keys, render a compact "+ Enterprise" chip so the
+  // entry point still exists for power users. Non-enterprise people can
+  // ignore it.
+  if (sources.length === 0) {
+    return (
+      <div className="relative" ref={popoverRef}>
+        <button
+          onClick={() => { setOpen(v => !v); setShowAddInline(true); }}
+          title="Add a private enterprise marketplace key"
+          className="text-[10px] px-2 py-0.5 rounded border border-dashed border-[var(--text-secondary)]/30 text-[var(--text-secondary)] hover:border-[var(--text-primary)]/40 hover:text-[var(--text-primary)] transition-colors"
+        >
+          + Enterprise
+        </button>
+        {open && <AddTenantPopover newKey={newKey} setNewKey={setNewKey} onSubmit={handleAdd} onCancel={() => setOpen(false)} busy={busy === 'add'} error={error} status={status} />}
+      </div>
+    );
+  }
+
+  const first = sources[0];
+  const extra = sources.length - 1;
+
+  return (
+    <div className="relative" ref={popoverRef}>
+      <button
+        onClick={() => setOpen(v => !v)}
+        title="Click for enterprise actions (re-sync, reinstall, add tenant)"
+        className="text-[10px] px-2 py-0.5 rounded bg-amber-500/15 text-amber-400 hover:bg-amber-500/25 transition-colors flex items-center gap-1"
+      >
+        <span>🔒</span>
+        <span className="font-medium">{first.display_name}</span>
+        {extra > 0 && <span className="opacity-70">+{extra}</span>}
+        <span className="opacity-60 text-[9px]">▾</span>
+      </button>
+      {open && (
+        <div className="absolute left-0 top-full mt-1 w-[360px] z-50 bg-[var(--bg-secondary)] border border-[var(--border)] rounded shadow-lg p-2 space-y-2">
+          <div className="text-[10px] text-[var(--text-secondary)] uppercase tracking-wider px-1">
+            Enterprise tenants ({sources.length})
+          </div>
+
+          {/* Per-tenant rows */}
+          <div className="space-y-1">
+            {sources.map(s => {
+              const sync = s.last_sync;
+              const ok = sync?.ok;
+              const failed = sync && !sync.ok;
+              return (
+                <div key={s.tenant_id} className="border border-[var(--border)] rounded px-2 py-1.5 space-y-1">
+                  <div className="flex items-center gap-1.5">
+                    <span className="text-[10px] px-1.5 py-0.5 rounded bg-amber-500/15 text-amber-400 shrink-0">
+                      🔒 {s.display_name}
+                    </span>
+                    <span className="text-[9px] text-[var(--text-secondary)] ml-auto">
+                      priority {s.priority}
+                    </span>
+                  </div>
+                  <div className="text-[9px] font-mono text-[var(--text-secondary)] truncate" title={s.repo_url}>
+                    {s.repo_url}
+                  </div>
+                  <div className="text-[9px] text-[var(--text-secondary)] flex items-center gap-2">
+                    <span>PAT {s.pat_preview}</span>
+                    {ok && <span className="text-emerald-500">● synced</span>}
+                    {failed && <span className="text-red-400">✗ failed</span>}
+                    {!sync && <span className="italic">(not yet)</span>}
+                  </div>
+                  {/* Dept lives in Settings → Identity (profile field).
+                      No longer shown on the tenant row. */}
+                  {failed && sync?.error && (
+                    <div className="text-[9px] text-red-300 border border-red-500/30 bg-red-500/5 rounded px-1.5 py-1 leading-snug whitespace-pre-wrap break-words">
+                      {sync.error}
+                    </div>
+                  )}
+                  {editTenant === s.tenant_id ? (
+                    <div className="space-y-1 pt-1 border-t border-[var(--border)]">
+                      <input
+                        type="password"
+                        value={editKey}
+                        onChange={(e) => setEditKey(e.target.value)}
+                        placeholder="new PAT or full <pat>@<repo>"
+                        className="w-full text-[10px] px-1.5 py-1 rounded border border-[var(--border)] bg-[var(--bg-tertiary)] text-[var(--text-primary)]"
+                        autoFocus
+                      />
+                      <div className="flex gap-1 justify-end">
+                        <button
+                          onClick={() => { setEditTenant(null); setEditKey(''); }}
+                          className="text-[9px] px-1.5 py-0.5 rounded text-[var(--text-secondary)] hover:text-[var(--text-primary)]"
+                        >
+                          Cancel
+                        </button>
+                        <button
+                          onClick={() => handleEdit(s.tenant_id, s.display_name)}
+                          disabled={!editKey.trim() || busy === `edit:${s.tenant_id}`}
+                          className="text-[9px] px-1.5 py-0.5 rounded border border-[var(--accent)]/40 text-[var(--accent)] hover:bg-[var(--accent)]/10 disabled:opacity-40"
+                        >
+                          {busy === `edit:${s.tenant_id}` ? 'Saving…' : 'Save'}
+                        </button>
+                      </div>
+                    </div>
+                  ) : (
+                    <div className="flex justify-end gap-1">
+                      <button
+                        onClick={() => { setEditTenant(s.tenant_id); setEditKey(''); reset(); }}
+                        className="text-[9px] px-1.5 py-0.5 rounded border border-[var(--border)] text-[var(--text-secondary)] hover:text-[var(--text-primary)]"
+                        title="Rotate the PAT for this tenant in place"
+                      >
+                        ✎ Edit
+                      </button>
+                      <button
+                        onClick={() => handleRemove(s.tenant_id, s.display_name)}
+                        disabled={busy === `remove:${s.tenant_id}`}
+                        className="text-[9px] px-1.5 py-0.5 rounded border border-red-500/30 text-red-400 hover:bg-red-500/10 disabled:opacity-40"
+                      >
+                        Remove
+                      </button>
+                    </div>
+                  )}
+                </div>
+              );
+            })}
+          </div>
+
+          {/* Actions (apply to ALL tenants) */}
+          <div className="flex gap-1.5 pt-1 border-t border-[var(--border)]">
+            <button
+              onClick={() => handleResync()}
+              disabled={!!busy}
+              className="text-[10px] px-2 py-1 rounded border border-[var(--border)] text-[var(--text-primary)] hover:bg-[var(--bg-tertiary)] disabled:opacity-40"
+              title="Re-fetch registry.json from every source AND re-pull installed connector manifests when their version changed."
+            >
+              {busy === 'resync' ? 'Syncing…' : '↻ Re-sync'}
+            </button>
+            {!showAddInline && (
+              <button
+                onClick={() => setShowAddInline(true)}
+                className="text-[10px] px-2 py-1 rounded text-[var(--text-secondary)] hover:text-[var(--text-primary)] ml-auto"
+              >
+                + Add tenant
+              </button>
+            )}
+          </div>
+
+          {/* Inline add */}
+          {showAddInline && (
+            <div className="border-t border-[var(--border)] pt-2 space-y-1.5">
+              <label className="text-[9px] text-[var(--text-secondary)] block">
+                Add another enterprise tenant
+              </label>
+              <input
+                type="text"
+                placeholder="acme:github_pat_xxx"
+                value={newKey}
+                onChange={(e) => setNewKey(e.target.value)}
+                onKeyDown={(e) => { if (e.key === 'Enter' && !busy) handleAdd(); }}
+                className="w-full text-[10px] font-mono px-2 py-1 rounded bg-[var(--bg-primary)] border border-[var(--border)] text-[var(--text-primary)] placeholder:text-[var(--text-secondary)]/50"
+              />
+              <div className="flex gap-1.5">
+                <button
+                  onClick={handleAdd}
+                  disabled={busy === 'add' || !newKey.trim()}
+                  className="text-[10px] px-2 py-1 rounded bg-[var(--accent)] text-white hover:opacity-90 disabled:opacity-40"
+                >
+                  {busy === 'add' ? 'Adding…' : 'Add'}
+                </button>
+                <button
+                  onClick={() => { setShowAddInline(false); setNewKey(''); }}
+                  className="text-[10px] px-2 py-1 text-[var(--text-secondary)] hover:text-[var(--text-primary)]"
+                >
+                  Cancel
+                </button>
+              </div>
+            </div>
+          )}
+
+          {/* Status / error */}
+          {error && (
+            <div className="text-[9px] text-red-400 border border-red-500/30 bg-red-500/5 rounded px-1.5 py-1">
+              {error}
+            </div>
+          )}
+          {status && !error && (
+            <div className="text-[9px] text-emerald-400">{status}</div>
+          )}
+        </div>
+      )}
+    </div>
+  );
+}
+
+function AddTenantPopover({
+  newKey, setNewKey, onSubmit, onCancel, busy, error, status,
+}: {
+  newKey: string;
+  setNewKey: (s: string) => void;
+  onSubmit: () => void;
+  onCancel: () => void;
+  busy: boolean;
+  error: string;
+  status: string;
+}) {
+  return (
+    <div className="absolute left-0 top-full mt-1 w-[320px] z-50 bg-[var(--bg-secondary)] border border-[var(--border)] rounded shadow-lg p-2 space-y-1.5">
+      <div className="text-[10px] text-[var(--text-secondary)]">
+        Add a private enterprise marketplace key. Forge will sync immediately after.
+      </div>
+      <input
+        type="text"
+        placeholder="fortinet:github_pat_xxx"
+        value={newKey}
+        onChange={(e) => setNewKey(e.target.value)}
+        onKeyDown={(e) => { if (e.key === 'Enter' && !busy) onSubmit(); }}
+        className="w-full text-[10px] font-mono px-2 py-1 rounded bg-[var(--bg-primary)] border border-[var(--border)] text-[var(--text-primary)] placeholder:text-[var(--text-secondary)]/50"
+      />
+      <div className="flex gap-1.5">
+        <button
+          onClick={onSubmit}
+          disabled={busy || !newKey.trim()}
+          className="text-[10px] px-2 py-1 rounded bg-[var(--accent)] text-white hover:opacity-90 disabled:opacity-40"
+        >
+          {busy ? 'Adding…' : 'Add'}
+        </button>
+        <button onClick={onCancel} className="text-[10px] px-2 py-1 text-[var(--text-secondary)] hover:text-[var(--text-primary)]">
+          Cancel
+        </button>
+      </div>
+      {error && <div className="text-[9px] text-red-400">{error}</div>}
+      {status && !error && <div className="text-[9px] text-emerald-400">{status}</div>}
+    </div>
+  );
+}

package/components/LoginStatusPanel.tsx

@@ -57,7 +57,21 @@ export default function LoginStatusPanel({ onClose }: { onClose: () => void }) {
       .catch(() => {});
   }, []);
 
-  useEffect(() => { loadCached(); }, [loadCached]);
+  // On mount: force a fresh probe (POST) so the panel never shows a stale
+  // cached 401 after the user fixed the token in another tab. After that,
+  // poll the cache (GET) every 5s — refresh-via-curl actions update the
+  // cache and we pick them up without re-probing every poll cycle.
+  useEffect(() => {
+    (async () => {
+      try {
+        const r = await fetch('/api/login-status', { method: 'POST' });
+        const j = await r.json();
+        setRows(j.rows || []);
+      } catch { loadCached(); }
+    })();
+    const t = setInterval(loadCached, 5000);
+    return () => clearInterval(t);
+  }, [loadCached]);
 
   const checkAll = async () => {
     setBusyAll(true);