@aion0/forge 0.10.39 → 0.10.41

package/components/SkillsPanel.tsx

@@ -142,7 +142,7 @@ export default function SkillsPanel({ projectFilter }: { projectFilter?: string
   const [syncing, setSyncing] = useState(false);
   const [loading, setLoading] = useState(true);
   const [installTarget, setInstallTarget] = useState<{ skill: string; show: boolean }>({ skill: '', show: false });
-  const [typeFilter, setTypeFilter] = useState<'all' | 'skill' | 'command' | 'local' | 'rules' | 'plugins' | 'connectors' | 'crafts' | 'recipes' | 'pipelines'>('pipelines');
+  const [typeFilter, setTypeFilter] = useState<'all' | 'skill' | 'command' | 'local' | 'rules' | 'plugins' | 'connectors' | 'crafts' | 'recipes' | 'pipelines'>('connectors');
   const [localItems, setLocalItems] = useState<{ name: string; type: string; scope: string; fileCount: number; projectPath?: string }[]>([]);
   // Rules (CLAUDE.md templates)
   const [rulesTemplates, setRulesTemplates] = useState<{ id: string; name: string; description: string; tags: string[]; builtin: boolean; isDefault: boolean; content: string }[]>([]);
@@ -246,6 +246,8 @@ export default function SkillsPanel({ projectFilter }: { projectFilter?: string
   };
 
   const [syncProgress, setSyncProgress] = useState('');
+  const [syncingGroup, setSyncingGroup] = useState<string>('');
+  const [templatesSyncTick, setTemplatesSyncTick] = useState(0);
   const [uploading, setUploading] = useState(false);
   const skillUploadRef = useRef<HTMLInputElement | null>(null);
 
@@ -278,31 +280,24 @@ export default function SkillsPanel({ projectFilter }: { projectFilter?: string
     } finally { setUploading(false); }
   }
 
+  // Unified marketplace sync — replaces the old skills-only loop. Covers
+  // every kind from every source (public + each enterprise tenant):
+  //   - connectors (registry + manifests + wizard templates)
+  //   - workflows (pipelines + recipes)
+  //   - skills
+  // The old per-tab Sync buttons were confusing — users couldn't tell
+  // whether they covered enterprise sources or just public. One button,
+  // one trip to the server.
   const sync = async () => {
     setSyncing(true);
     setSyncProgress('');
     try {
-      let enrichedTotal = 0;
-      let total = 0;
-      // Loop: each call enriches a batch of info.json, continue until all done
-      for (let round = 0; round < 20; round++) { // safety limit
-        setSyncProgress(total > 0 ? `${Math.min(enrichedTotal, total)}/${total}` : '');
-        const res = await fetch('/api/skills', {
-          method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
-          body: JSON.stringify({ action: 'sync' }),
-        });
-        const data = await res.json();
-        if (data.error) {
-          alert(`Sync error: ${data.error}`);
-          break;
-        }
-        total = data.total || 0;
-        enrichedTotal += data.enriched || 0;
-        await fetchSkills();
-        // If remaining is 0 or enriched nothing, we're done
-        if (!data.remaining || data.enriched === 0) break;
+      const res = await fetch('/api/marketplace/sync-all', { method: 'POST' });
+      const data = await res.json();
+      if (!data.ok && data.error) {
+        alert(`Sync failed: ${data.error}`);
       }
+      await fetchSkills();
     } catch (err: any) {
       alert(`Sync failed: ${err.message || 'Network error'}`);
     } finally {
@@ -311,6 +306,37 @@ export default function SkillsPanel({ projectFilter }: { projectFilter?: string
     }
   };
 
+  // Per-group sync — hits only the relevant endpoint, faster + clearer
+  // than the catch-all sync-all when the user is staring at one category.
+  // Each endpoint already walks every enterprise source for that kind.
+  const syncGroup = async (group: 'extensions' | 'catalog' | 'templates') => {
+    setSyncingGroup(group);
+    try {
+      const url = group === 'extensions'
+        ? '/api/connectors/marketplace'
+        : group === 'catalog'
+          ? '/api/skills'
+          : '/api/workflows/marketplace';
+      const res = await fetch(url, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ action: 'sync' }),
+      });
+      const data = await res.json().catch(() => ({}));
+      if (res.ok && data.ok === false && data.error) {
+        alert(`Sync failed: ${data.error}`);
+      } else if (!res.ok) {
+        alert(`Sync failed: HTTP ${res.status}`);
+      }
+      await fetchSkills();
+      if (group === 'templates') setTemplatesSyncTick(t => t + 1);
+    } catch (err: any) {
+      alert(`Sync failed: ${err.message || 'Network error'}`);
+    } finally {
+      setSyncingGroup('');
+    }
+  };
+
   const install = async (name: string, target: string) => {
     await fetch('/api/skills', {
       method: 'POST',
@@ -421,55 +447,73 @@ export default function SkillsPanel({ projectFilter }: { projectFilter?: string
               group label as a placeholder. Picking from any sets the
               single global typeFilter. */}
           {(() => {
-            const groups: Array<{ label: string; opts: Array<{ value: typeof typeFilter; label: string }> }> = [
-              { label: 'Templates', opts: [
-                { value: 'pipelines',  label: 'Pipelines' },
-              ]},
-              { label: 'Extensions', opts: [
-                { value: 'connectors', label: 'Connectors' },
-                { value: 'plugins',    label: 'Plugins' },
-                { value: 'crafts',     label: 'Crafts' },
-              ]},
-              { label: 'Catalog', opts: [
-                { value: 'all',     label: `All (${skills.length})` },
-                { value: 'skill',   label: `Skills (${skillCount})` },
-                { value: 'command', label: `Commands (${commandCount})` },
-                { value: 'local',   label: `Local (${localCount})` },
-                { value: 'rules',   label: 'Rules' },
-              ]},
+            // Display order: Extensions (Connectors) → Catalog (Skills) →
+            // Templates (Pipelines). Each group is an independent
+            // switcher with its OWN sync button — the syncs cover
+            // disjoint endpoints so users don't have to wait for the
+            // catch-all sync-all to refresh just one category.
+            const groups: Array<{
+              key: 'extensions' | 'catalog' | 'templates';
+              label: string;
+              syncTitle: string;
+              opts: Array<{ value: typeof typeFilter; label: string }>;
+            }> = [
+              { key: 'extensions', label: 'Extensions', syncTitle: 'Sync connectors (manifests + registry) from every source',
+                opts: [
+                  { value: 'connectors', label: 'Connectors' },
+                  { value: 'plugins',    label: 'Plugins' },
+                  { value: 'crafts',     label: 'Crafts' },
+                ]},
+              { key: 'catalog', label: 'Catalog', syncTitle: 'Sync skills & commands from every source',
+                opts: [
+                  { value: 'all',     label: `All (${skills.length})` },
+                  { value: 'skill',   label: `Skills (${skillCount})` },
+                  { value: 'command', label: `Commands (${commandCount})` },
+                  { value: 'local',   label: `Local (${localCount})` },
+                  { value: 'rules',   label: 'Rules' },
+                ]},
+              { key: 'templates', label: 'Templates', syncTitle: 'Sync pipelines & recipes from every source',
+                opts: [
+                  { value: 'pipelines',  label: 'Pipelines' },
+                ]},
             ];
             return groups.map((g) => {
               const isActive = g.opts.some((o) => o.value === typeFilter);
-              if (g.opts.length === 1) {
-                const only = g.opts[0];
-                return (
-                  <button
-                    key={g.label}
-                    onClick={() => setTypeFilter(only.value)}
-                    className={`text-[10px] px-2 py-1 rounded border ${
-                      isActive
-                        ? 'border-[var(--accent)] text-[var(--accent)] bg-[var(--accent)]/10'
-                        : 'border-[var(--border)] text-[var(--text-primary)] bg-[var(--bg-tertiary)] hover:border-[var(--text-secondary)]'
-                    }`}
-                  >{only.label}</button>
-                );
-              }
+              const groupSyncing = syncingGroup === g.key;
               return (
-                <select
-                  key={g.label}
-                  value={isActive ? (typeFilter as string) : ''}
-                  onChange={(e) => { if (e.target.value) setTypeFilter(e.target.value as typeof typeFilter); }}
-                  className={`text-[10px] px-2 py-1 rounded bg-[var(--bg-tertiary)] border focus:outline-none ${
-                    isActive
-                      ? 'border-[var(--accent)] text-[var(--accent)]'
-                      : 'border-[var(--border)] text-[var(--text-primary)] focus:border-[var(--accent)]'
-                  }`}
-                >
-                  <option value="" disabled hidden>{g.label}</option>
-                  {g.opts.map((o) => (
-                    <option key={o.value} value={o.value as string}>{o.label}</option>
-                  ))}
-                </select>
+                <div key={g.key} className="flex items-center gap-0.5">
+                  {g.opts.length === 1 ? (
+                    <button
+                      onClick={() => setTypeFilter(g.opts[0].value)}
+                      className={`text-[10px] px-2 py-1 rounded border ${
+                        isActive
+                          ? 'border-[var(--accent)] text-[var(--accent)] bg-[var(--accent)]/10'
+                          : 'border-[var(--border)] text-[var(--text-primary)] bg-[var(--bg-tertiary)] hover:border-[var(--text-secondary)]'
+                      }`}
+                    >{g.opts[0].label}</button>
+                  ) : (
+                    <select
+                      value={isActive ? (typeFilter as string) : ''}
+                      onChange={(e) => { if (e.target.value) setTypeFilter(e.target.value as typeof typeFilter); }}
+                      className={`text-[10px] px-2 py-1 rounded bg-[var(--bg-tertiary)] border focus:outline-none ${
+                        isActive
+                          ? 'border-[var(--accent)] text-[var(--accent)]'
+                          : 'border-[var(--border)] text-[var(--text-primary)] focus:border-[var(--accent)]'
+                      }`}
+                    >
+                      <option value="" disabled hidden>{g.label}</option>
+                      {g.opts.map((o) => (
+                        <option key={o.value} value={o.value as string}>{o.label}</option>
+                      ))}
+                    </select>
+                  )}
+                  <button
+                    onClick={() => void syncGroup(g.key)}
+                    disabled={groupSyncing || syncing}
+                    title={g.syncTitle}
+                    className="text-[10px] px-1.5 py-1 rounded border border-[var(--border)] text-[var(--text-secondary)] hover:border-[var(--text-primary)] hover:text-[var(--text-primary)] transition-colors disabled:opacity-40"
+                  >{groupSyncing ? '…' : '↻'}</button>
+                </div>
               );
             });
           })()}
@@ -498,9 +542,10 @@ export default function SkillsPanel({ projectFilter }: { projectFilter?: string
         <button
           onClick={sync}
           disabled={syncing}
+          title="Sync EVERYTHING from every source (public + each enterprise tenant): connectors + workflows + skills + wizard templates."
           className="text-[9px] text-[var(--text-secondary)] hover:text-[var(--text-primary)] disabled:opacity-50"
         >
-          {syncing ? `Syncing${syncProgress ? ` ${syncProgress}` : '...'}` : 'Sync'}
+          {syncing ? 'Syncing…' : '↻ Sync all'}
         </button>
       </div>
       {/* Search — hide on rules tab */}
@@ -1114,7 +1159,7 @@ export default function SkillsPanel({ projectFilter }: { projectFilter?: string
           local copy / instantiate" action. This page exists for
           discovery only. */}
       {(typeFilter === 'recipes' || typeFilter === 'pipelines') && (
-        <WorkflowMarketplaceBrowser kind={typeFilter === 'recipes' ? 'recipe' : 'pipeline'} searchQuery={searchQuery} />
+        <WorkflowMarketplaceBrowser kind={typeFilter === 'recipes' ? 'recipe' : 'pipeline'} searchQuery={searchQuery} reloadTick={templatesSyncTick} />
       )}
     </div>
   );
@@ -1139,9 +1184,8 @@ interface MarketRow {
   has_update?: boolean;
 }
 
-function WorkflowMarketplaceBrowser({ kind, searchQuery }: { kind: 'recipe' | 'pipeline'; searchQuery: string }) {
+function WorkflowMarketplaceBrowser({ kind, searchQuery, reloadTick = 0 }: { kind: 'recipe' | 'pipeline'; searchQuery: string; reloadTick?: number }) {
   const [rows, setRows] = useState<MarketRow[] | null>(null);
-  const [busy, setBusy] = useState(false);
   const [err, setErr] = useState<string>('');
 
   const useInLocation = kind === 'recipe' ? 'Jobs tab' : 'Pipelines tab';
@@ -1157,22 +1201,7 @@ function WorkflowMarketplaceBrowser({ kind, searchQuery }: { kind: 'recipe' | 'p
     }
   };
 
-  const sync = async () => {
-    setBusy(true);
-    setErr('');
-    try {
-      const res = await fetch('/api/workflows/marketplace', {
-        method: 'POST', headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ action: 'sync' }),
-      });
-      const data = await res.json();
-      if (!data.ok) setErr(data.error || 'sync failed');
-      await load();
-    } catch (e) { setErr(e instanceof Error ? e.message : String(e)); }
-    finally { setBusy(false); }
-  };
-
-  useEffect(() => { void load(); }, [kind]);
+  useEffect(() => { void load(); }, [kind, reloadTick]);
 
   const q = searchQuery.toLowerCase();
   const filtered = (rows || []).filter(r => !q
@@ -1187,12 +1216,8 @@ function WorkflowMarketplaceBrowser({ kind, searchQuery }: { kind: 'recipe' | 'p
         <span className="text-[10px] text-[var(--text-secondary)] flex-1">
           {kind === 'recipe' ? 'Job recipes' : 'Pipeline templates'} from <code className="font-mono">aiwatching/forge-workflow</code>
           {' · '}use them from the {useInLocation}
+          {' · '}sync via the ↻ next to Pipelines above
         </span>
-        <button
-          onClick={() => void sync()}
-          disabled={busy}
-          className="text-[9px] px-2 py-1 border border-[var(--border)] text-[var(--text-secondary)] rounded hover:text-[var(--text-primary)] disabled:opacity-50"
-        >{busy ? 'Syncing…' : 'Sync'}</button>
       </div>
       {err && (
         <div className="px-4 py-2 text-[10px] text-[var(--red)] border-b border-[var(--border)]">{err}</div>

package/components/WebTerminal.tsx

@@ -369,11 +369,17 @@ const WebTerminal = forwardRef<WebTerminalHandle, WebTerminalProps>(function Web
       const sf = skipPermissions ? ' --dangerously-skip-permissions' : '';
       let mcpFlag = '';
       try { const { getMcpFlag } = await import('@/lib/session-utils'); mcpFlag = await getMcpFlag(projectPath); } catch {}
-      // Use the cached default-agent cliCmd. Pre-fetched on mount above;
-      // if still 'claude' (fetch slow / pending), we use bare claude — old
-      // behavior, wrong if conda-base shadows the real one, but at least
-      // doesn't block the command from appearing.
-      const agentCmd = defaultAgentCmdRef.current;
+      // Default-agent cliCmd: prefer the on-mount pre-fetch, but if the
+      // race lost (ref still 'claude') await one explicit resolve here
+      // — bare `claude` on a tmux pane PATH with conda-base or stale
+      // homebrew install crashes on resume.
+      if (defaultAgentCmdRef.current === 'claude') {
+        try {
+          const info = await fetch('/api/agents?resolve=').then(r => r.ok ? r.json() : null);
+          if (info?.cliCmd) defaultAgentCmdRef.current = info.cliCmd;
+        } catch {}
+      }
+      const agentCmd = `"${defaultAgentCmdRef.current}"`;
       const cmd = `cd "${projectPath}" && ${agentCmd} --resume ${sessionId}${sf}${mcpFlag}\n`;
       pendingCommands.set(paneId, cmd);
       const projectName = projectPath.split('/').pop() || 'Terminal';
@@ -442,18 +448,25 @@ const WebTerminal = forwardRef<WebTerminalHandle, WebTerminalProps>(function Web
         : '';
       const envPrefix = envExports ? envExports + ' && ' : '';
 
-      // Skip-permissions flag
+      // Skip-permissions flag. agent === 'claude' means the agent ID is
+      // the base claude — not the resolved path. The check must compare
+      // ID, not cliCmd (which is an absolute path).
       let sf = '';
       if (skipPermissions) {
-        sf = agentSkipFlag ? ` ${agentSkipFlag}` : (agentCmd === 'claude' ? ' --dangerously-skip-permissions' : '');
+        sf = agentSkipFlag ? ` ${agentSkipFlag}` : (agent === 'claude' ? ' --dangerously-skip-permissions' : '');
       }
 
-      // MCP config for claude-code agents
+      // MCP config for claude-code agents — gate on agent ID / derived
+      // from claude, not on agentCmd which is an absolute path.
       let mcpFlag = '';
-      if (agentCmd === 'claude' && projectPath) {
+      const isClaudeCode = agent === 'claude' || agentCmd.endsWith('/claude') || agentCmd.endsWith('\\claude');
+      if (isClaudeCode && projectPath) {
         try { const { getMcpFlag } = await import('@/lib/session-utils'); mcpFlag = await getMcpFlag(projectPath); } catch {}
       }
 
+      // Quote the resolved path — defensive for paths with spaces.
+      const quotedCmd = `"${agentCmd}"`;
+
       let targetTabId: number | null = null;
 
       setTabs(prev => {
@@ -465,10 +478,10 @@ const WebTerminal = forwardRef<WebTerminalHandle, WebTerminalProps>(function Web
         }
         const tree = makeTerminal(undefined, projectPath);
         const paneId = firstTerminalId(tree);
-        pendingCommands.set(paneId, `${envPrefix}cd "${projectPath}" && ${agentCmd}${resumeFlag}${modelFlag}${sf}${mcpFlag}\n`);
+        pendingCommands.set(paneId, `${envPrefix}cd "${projectPath}" && ${quotedCmd}${resumeFlag}${modelFlag}${sf}${mcpFlag}\n`);
         const newTab: TabState = {
           id: nextId++,
-          label: agent !== 'claude' ? `${projectName} (${agentCmd})` : projectName,
+          label: agent !== 'claude' ? `${projectName} (${agent})` : projectName,
           tree,
           ratios: {},
           activeId: paneId,
@@ -1560,12 +1573,22 @@ const MemoTerminalPane = memo(function TerminalPane({
               isNewlyCreated = false;
               const pp = projectPathRef.current;
               import('@/lib/session-utils').then(({ resolveFixedSession, buildResumeFlag, getMcpFlag }) => {
-                Promise.all([resolveFixedSession(pp), getMcpFlag(pp)]).then(([fixedId, mcpFlag]) => {
+                // Resolve the agent's absolute claude path — bare
+                // `claude` rides on the tmux pane PATH, which on a
+                // fresh-install machine still points at the user's
+                // stale global @anthropic-ai/claude-code (e.g.
+                // /opt/homebrew/...) and crashes on resume.
+                Promise.all([
+                  resolveFixedSession(pp),
+                  getMcpFlag(pp),
+                  fetch('/api/agents?resolve=').then(r => r.ok ? r.json() : null).catch(() => null),
+                ]).then(([fixedId, mcpFlag, agentInfo]) => {
                   const resumeFlag = buildResumeFlag(fixedId, true);
                   const skipFlag = skipPermRef.current ? ' --dangerously-skip-permissions' : '';
+                  const claudeCmd = `"${agentInfo?.cliCmd || 'claude'}"`;
                   setTimeout(() => {
                     if (!disposed && ws?.readyState === WebSocket.OPEN) {
-                      ws.send(JSON.stringify({ type: 'input', data: `cd "${pp}" && claude${resumeFlag}${skipFlag}${mcpFlag}\n` }));
+                      ws.send(JSON.stringify({ type: 'input', data: `cd "${pp}" && ${claudeCmd}${resumeFlag}${skipFlag}${mcpFlag}\n` }));
                     }
                   }, 300);
                 });

package/dev-test.sh

@@ -1,5 +1,38 @@
 #!/bin/bash
 # dev-test.sh — Start Forge test instance (port 4000, data ~/.forge-test)
+#
+# Usage:
+#   ./dev-test.sh                                            # plain start
+#   ./dev-test.sh --enterprise-key=fortinet:github_pat_xxx       # + persist enterprise key(s)
+#   ./dev-test.sh --enterprise-key=fortinet:p1 --enterprise-key=acme:p2
+
+set -e
 
 mkdir -p ~/.forge-test
-PORT=4000 TERMINAL_PORT=4001 FORGE_DATA_DIR=~/.forge-test FORGE_EXTERNAL_SERVICES=0 npx next dev --turbopack -p 4000
+
+# Persist any --enterprise-key=... args BEFORE next dev starts so the
+# server boots with sources already wired. forge-server.mjs's
+# --add-enterprise-key mode is a one-shot persist + exit.
+ENT_KEYS=()
+for arg in "$@"; do
+  case "$arg" in
+    --enterprise-key=*) ENT_KEYS+=("$arg") ;;
+  esac
+done
+
+if [ ${#ENT_KEYS[@]} -gt 0 ]; then
+  echo "[dev-test] Registering ${#ENT_KEYS[@]} enterprise key(s) → ~/.forge-test/.enterprise-keys.json"
+  node bin/forge-server.mjs --add-enterprise-key "${ENT_KEYS[@]}" --dir ~/.forge-test
+fi
+
+# All standalones default to 84xx ports (matching production). dev-test
+# overrides every one so it can coexist with a real Forge on 8403.
+PORT=4000 \
+  TERMINAL_PORT=4001 \
+  WORKSPACE_PORT=4005 \
+  BRIDGE_PORT=4007 \
+  CHAT_PORT=4008 \
+  MEMORY_PORT=4009 \
+  FORGE_DATA_DIR=~/.forge-test \
+  FORGE_EXTERNAL_SERVICES=0 \
+  npx next dev --turbopack -p 4000

package/install.sh

@@ -2,11 +2,28 @@
 # install.sh — Install Forge globally, ready to run
 #
 # Usage:
-#   ./install.sh          # from npm
-#   ./install.sh local    # from local source
+#   ./install.sh                                                # from npm
+#   ./install.sh local                                          # from local source
+#   ./install.sh --enterprise-key=fortinet:github_pat_xxx           # + persist one enterprise key
+#   ./install.sh --enterprise-key=fortinet:pat --enterprise-key=…   # multiple keys
+#
+# Enterprise keys are encrypted with AES-256-GCM and stored in
+# `<dataDir>/.enterprise-keys.json` — see Phase 1 of
+# forge-enterprise-improvements design doc for the marketplace model.
 
 set -e
 
+# Collect enterprise keys + leave non-key args in $@ for downstream parsing.
+ENTERPRISE_KEY_ARGS=()
+NEW_ARGS=()
+for arg in "$@"; do
+  case "$arg" in
+    --enterprise-key=*) ENTERPRISE_KEY_ARGS+=("$arg") ;;
+    *) NEW_ARGS+=("$arg") ;;
+  esac
+done
+set -- "${NEW_ARGS[@]:-}"
+
 # tmux is required for browser terminals — warn early if missing
 if ! command -v tmux >/dev/null 2>&1; then
   echo "[forge] ⚠️  tmux not found — Forge terminals won't work without it."
@@ -106,6 +123,16 @@ else
 fi
 
 echo ""
+
+# Persist any enterprise keys collected from CLI args (encrypted on disk;
+# server doesn't need to be running for this).
+if [ ${#ENTERPRISE_KEY_ARGS[@]} -gt 0 ]; then
+  echo "[forge] Registering ${#ENTERPRISE_KEY_ARGS[@]} enterprise key(s)..."
+  forge --add-enterprise-key "${ENTERPRISE_KEY_ARGS[@]}" || \
+    echo "[forge] ⚠️  Enterprise-key registration failed — you can retry later via Settings → Marketplace Providers."
+  echo ""
+fi
+
 echo "[forge] Done."
 forge --version
 echo "Run: forge server start"

package/lib/agents/claude-adapter.ts

@@ -83,11 +83,18 @@ export function createClaudeAdapter(config: AgentConfig): AgentAdapter {
     buildTerminalCommand(opts) {
       const flag = config.skipPermissionsFlag || '--dangerously-skip-permissions';
       const skipFlag = opts.skipPermissions && flag ? ` ${flag}` : '';
+      // MUST use the agent-configured path, not the literal "claude" on
+      // $PATH — Forge ships its own pinned binary at <dataDir>/local-bin/claude,
+      // and tmux PATH on a first-install machine often still points at a
+      // stale global @anthropic-ai/claude-code (e.g. /opt/homebrew/...).
+      // Bare "claude" would silently fall through to that older version
+      // and throw on resume. Quote in case the path has spaces.
+      const claudeCmd = `"${config.path}"`;
       if (opts.sessionId) {
-        return `cd "${opts.projectPath}" && claude --resume ${opts.sessionId}${skipFlag}\n`;
+        return `cd "${opts.projectPath}" && ${claudeCmd} --resume ${opts.sessionId}${skipFlag}\n`;
       }
       const resumeFlag = opts.resume ? ' -c' : '';
-      return `cd "${opts.projectPath}" && claude${resumeFlag}${skipFlag}\n`;
+      return `cd "${opts.projectPath}" && ${claudeCmd}${resumeFlag}${skipFlag}\n`;
     },
   };
 }
@@ -97,11 +104,18 @@ export function detectClaude(customPath?: string): AgentConfig | null {
   const paths = customPath ? [customPath] : ['claude'];
   for (const p of paths) {
     try {
-      execSync(`which ${p}`, { encoding: 'utf-8', timeout: 3000, stdio: ['pipe', 'pipe', 'pipe'] });
+      // Resolve to absolute path — storing the literal `'claude'` is
+      // useless: every terminal launch then becomes a bare `claude` on
+      // tmux pane PATH, which on first-install machines silently
+      // resolves to a stale global @anthropic-ai/claude-code (e.g.
+      // /opt/homebrew/lib/node_modules/...) and crashes on resume.
+      // If the user passed an absolute path already, keep it as-is.
+      const which = execSync(`which ${p}`, { encoding: 'utf-8', timeout: 3000, stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+      const resolved = (p.startsWith('/') || !which) ? p : which;
       return {
         id: 'claude',
         name: 'Claude Code',
-        path: p,
+        path: resolved,
         enabled: true,
         type: 'claude-code',
         capabilities: CAPABILITIES,

package/lib/agents/index.ts

@@ -3,8 +3,26 @@
  * Agents coexist (not mutually exclusive). Each entry point can select any agent.
  */
 
-import { execFileSync } from 'node:child_process';
+import { execFileSync, execSync } from 'node:child_process';
 import { loadSettings } from '../settings';
+
+// Cache absolute-path resolution per command — `which <cmd>` is cheap
+// but resolveTerminalLaunch is on the hot path for every chat tool call.
+const _whichCache = new Map<string, string>();
+function resolveAbsoluteBin(cmd: string): string {
+  if (!cmd || cmd.startsWith('/')) return cmd;
+  const cached = _whichCache.get(cmd);
+  if (cached !== undefined) return cached;
+  try {
+    const out = execSync(`which ${cmd}`, { encoding: 'utf-8', timeout: 3000, stdio: ['pipe', 'pipe', 'pipe'] }).trim();
+    const resolved = out || cmd;
+    _whichCache.set(cmd, resolved);
+    return resolved;
+  } catch {
+    _whichCache.set(cmd, cmd);
+    return cmd;
+  }
+}
 import type { AgentAdapter, AgentConfig, AgentId } from './types';
 import { createClaudeAdapter, detectClaude } from './claude-adapter';
 import { createGenericAdapter, detectAgent } from './generic-adapter';
@@ -243,8 +261,12 @@ export interface TerminalLaunchInfo {
 export function resolveTerminalLaunch(agentId?: string, scene: 'terminal' | 'task' | 'telegram' | 'help' | 'mobile' = 'terminal'): TerminalLaunchInfo {
   const settings = loadSettings();
   const agentCfg = settings.agents?.[agentId || 'claude'] || {};
-  // Resolve cliType: own cliType → base agent's cliType → base agent name guessing → agentId name guessing
-  const baseId = agentCfg.base;
+  // Resolve cliType: own cliType → base agent's cliType → base agent name guessing → agentId name guessing.
+  // Wizard-generated agents use `tool: claude` instead of `base: claude` —
+  // listAgents handles both, but the old resolveTerminalLaunch only looked
+  // at `base`, so wizard-installed forti-k2 / forti-coder were missing the
+  // inherited path and falling back to bare `claude`.
+  const baseId = agentCfg.base || (agentCfg.tool && agentCfg.tool !== agentId ? agentCfg.tool : undefined);
   const baseCfg = baseId ? (settings.agents?.[baseId] || {}) : {};
   const cliType = agentCfg.cliType || baseCfg.cliType
     || (baseId === 'codex' ? 'codex' : baseId === 'aider' ? 'aider' : undefined)
@@ -286,7 +308,14 @@ export function resolveTerminalLaunch(agentId?: string, scene: 'terminal' | 'tas
     // + forge-server's inherited PATH can pick a different/older install than
     // the user's interactive shell, and an old claude crashes resuming a
     // session a newer claude wrote. An absolute path bypasses PATH entirely.
-    cliCmd: agentCfg.path || cli.cmd,
+    // Derived agents (base: 'claude' with no own path — e.g. forti-k2) must
+    // inherit the base agent's resolved path, otherwise launching them falls
+    // back to bare `claude` even though the base IS configured.
+    // If the result is still a bare command name (e.g. legacy settings have
+    // `path: 'claude'` because old detectClaude stored the input literally),
+    // resolve to an absolute path via `which` so tmux pane PATH can't shadow
+    // it with a stale global install.
+    cliCmd: resolveAbsoluteBin(agentCfg.path || baseCfg.path || cli.cmd),
     cliType,
     supportsSession: cli.session,
     resumeFlag: agentCfg.resumeFlag || cli.resume,

package/lib/auth/login-status.ts

@@ -95,6 +95,20 @@ export function setCachedResult(sourceId: string, r: LoginCheckResult): void {
   persistCache();
 }
 
+/**
+ * Drop the cached probe result for a single source. Called by
+ * `setConnectorConfig` so the panel auto-re-probes after the user
+ * (or a wizard apply) just rewrote creds — otherwise a stale 401
+ * from the no-token state lingers until the user clicks Refresh.
+ */
+export function invalidateCachedResult(sourceId: string): void {
+  const c = loadCache();
+  if (sourceId in c) {
+    delete c[sourceId];
+    persistCache();
+  }
+}
+
 // ─── Source enumeration ─────────────────────────────────────────────
 
 /**

package/lib/chat/agent-loop.ts

@@ -334,6 +334,27 @@ function buildConnectorCatalog(openSet: Set<string>): string[] {
       const sample = sampleNames.join(', ');
       lines.push(`▸ ${def.id}${status}: ${toolCount} tools (e.g. ${sample}${toolCount > 5 ? ', …' : ''})`);
     }
+    // User defaults — surface so the LLM doesn't ask "which project?" /
+    // "which job?" when the wizard already baked one. Looks at both the
+    // connector root and the first row of any `instances` array (Jenkins).
+    const defaultEntries: string[] = [];
+    const seen = new Set<string>();
+    const collect = (obj: any) => {
+      if (!obj || typeof obj !== 'object') return;
+      for (const [k, v] of Object.entries(obj)) {
+        if (!k.startsWith('default_')) continue;
+        if (typeof v !== 'string' || !v.trim()) continue;
+        if (seen.has(k)) continue;
+        seen.add(k);
+        defaultEntries.push(`${k.slice('default_'.length)}=${v}`);
+      }
+    };
+    collect(inst.config);
+    const instances = (inst.config as any)?.instances;
+    if (Array.isArray(instances)) for (const row of instances) collect(row);
+    if (defaultEntries.length > 0) {
+      lines.push(`    defaults: ${defaultEntries.join(', ')} — use when the user omits the matching arg`);
+    }
   }
   return lines;
 }
@@ -369,13 +390,14 @@ function buildSystemPrompt(
     '  Don\'t explain how to do something manually before trying the tool. The connector tools run inside the user\'s actual logged-in browser session — they CAN do things you might think only the user can do manually.',
     '- For Teams in particular: send_message can target any chat by name; if the chat doesn\'t exist yet, the tool will return a specific error and THEN you can advise. Don\'t pre-judge.',
     '- If a tool call fails, read its error carefully — it usually tells you what to fix (wrong arg, missing setting, login required). Retry with the fix. Only give up after the tool explicitly says it cannot do the task.',
-    '- For trigger_pipeline / dispatch_task: when the user names a "project" (e.g. "FortiNAC"), pass it as input.project verbatim. The names in the "Forge projects" list below ARE the valid values. Call list_forge_context only if you need paths / agents / skills.',
+    '- For trigger_pipeline / dispatch_task: `input.project` refers to a FORGE project — names from the "Forge projects" list below (typically just `scratch` unless the user added directories). It is NOT a GitLab / Mantis project name. When in doubt OMIT `input.project` entirely — Forge defaults to `scratch` (an internal scratch dir Forge fully manages). Pass repo coordinates via workflow-specific fields like `mr_url` / `project_path` / `bug_id`.',
     '',
     'trigger_pipeline specifics — these are easy to get wrong, READ CAREFULLY:',
     '- FIRST call this session: call trigger_pipeline() with NO arguments. The response lists every workflow + which input fields are required (*) vs have defaults. Field names are EXACT, snake_case (e.g. bug_id), declared by the workflow yaml. They are NOT the same as bash variable names inside pipeline scripts (BUG_ID / BASE / PROJECT_PATH are wrong). DO NOT pass uppercase / made-up names.',
     '- For optional fields with defaults (mr_body_template / user_prompt / teams_message_template / etc.), OMIT them — let the default apply. NEVER pass empty strings or invented placeholder values.',
     '- If the response says "Unknown input fields", "Missing required", or "0 iterations" — the pipeline did NOT do what the user asked. Fix the input and retry. Optionally save a pinned memory rule via memory_remember_block({pinned: true, ...}) so the lesson sticks for future sessions.',
     '- DO NOT trust earlier assistant messages in this conversation that claim a pipeline "already ran" — those may be wrong. If the user re-asks, fire fresh; verify only by re-checking the actual target system (e.g. mantis.get_bug for status).',
+    '- AMBIGUOUS IDs (e.g. user says "review mr 14904" or "fix bug 1234567" — just an iid/number, no project / no URL): DO NOT silently fill in a project from the gitlab connector\'s `default_project_path` or guess. An enterprise tenant typically has many repos and the iid is only unique within one repo. Either (a) ask the user "which project? — fortinac/FortiNAC? fortios? something else?", or (b) state the assumption explicitly in your reply ("Assuming fortinac/FortiNAC since that\'s your gitlab default — say otherwise to redirect.") BEFORE calling trigger_pipeline. The wrong choice fires a doomed run that the user then has to cancel + retry.',
     '',
     '- Reply without tools ONLY when no system + no time question is involved.',
     '',