@aion0/forge 0.10.40 → 0.10.41

package/CLAUDE.md

@@ -70,7 +70,7 @@ Each forked service is spawned with a `--forge-port=<webPort>` instance tag. `fo
 ### Dev mode vs production mode
 - `FORGE_EXTERNAL_SERVICES=1` tells Next.js (`lib/init.ts`) **not** to spawn terminal/telegram/workspace — `forge-server.mjs` manages them. This is set automatically by `forge-server.mjs` in prod/background/dev.
 - Plain `pnpm dev` (or `./dev-test.sh`) sets it to `0` — `lib/init.ts` becomes the process supervisor and spawns the standalones itself. Use this when iterating on Next.js only.
-- `FORGE_DEV=1` (set by `./start.sh dev`) **bypasses login in `middleware.ts`** — never set in production.
+- `FORGE_DEV=1` (set by `./start.sh dev`) **bypasses login in `proxy.ts`** (Next.js 16+ convention; the file was `middleware.ts` pre-16) — never set in production.
 
 ### Data layout (`lib/dirs.ts`)
 - `getConfigDir()` → `~/.forge/` — shared across instances, holds `bin/` (cloudflared).

package/RELEASE_NOTES.md

@@ -1,11 +1,89 @@
-# Forge v0.10.40
+# Forge v0.10.41
 
-Released: 2026-06-05
+Released: 2026-06-07
 
-## Changes since v0.10.39
+## Changes since v0.10.40
+
+### Features
+- fix: agent path resolution + wizard writes self-contained settings
+- feat: pipelines auto-install on Reinstall + monitor self-detect
+
+### Bug Fixes
+- fix: agent path resolution + wizard writes self-contained settings
 
 ### Other
-- fix(server): portable port-pid lookup so Linux without lsof can stop (#33)
+- chat: guard against silent project guessing for ambiguous MR / bug ids
+- feat(marketplace): single unified Sync all — covers every type + every source
+- ui: restore Re-sync registry button in Enterprise section
+- ui: consolidate sync into Marketplace Connectors → Refresh
+- ui(settings): per-source ↻ Sync button on each enterprise row
+- ui(settings): re-run wizard moves next to Re-sync, shorter copy
+- fix(settings): remove "Reinstall all" button — too many footguns
+- fix(login-status,reinstall): badge polls, Reinstall force-overwrites instance fields
+- fix(login-status): panel re-probes on mount, drops stale-cache UX
+- fix(login-status): Test button writes result to login-status cache
+- feat(wizard,pipeline): temper auto-provision + scratch-first project resolution + login-status cache invalidate
+- fix(wizard): sequential section numbers + always show Pipelines
+- feat(wizard): show template-baked defaults under each connector
+- fix(wizard): profile-as-defaults — open with user's company+dept
+- revert(wizard): drop settings.company override on source default
+- fix(wizard): tenant selector defaults to settings.company
+- fix(wizard): revert force-apply complexity, dept default reads settings.dept
+- fix(wizard): re-run with different dept actually rotates defaults
+- ui(profile): dept edit just updates label, no template re-apply
+- feat(profile): company + dept as user-profile fields
+- ui(enterprise): dept chip is display-only, picker lives in wizard
+- feat(enterprise): dept chip becomes a one-click selector
+- feat(wizard): support template-less department entries
+- ui(enterprise): show single active dept, not the full list
+- feat(enterprise): highlight currently-active dept chip
+- feat(enterprise): surface dept list under each tenant
+- ui(settings): merge Onboarding into Enterprise section at top
+- fix(wizard): default dept picker to last-applied dept
+- fix(wizard): restore auto-open + add cold-boot tenant splash
+- fix(wizard): hasCache check accepts multi-dept index too
+- fix(wizard): priority chain reads multi-dept cache, not just legacy file
+- feat(wizard): add-key → wizard handoff + cold-boot auto-open gate (E4)
+- feat(wizard): multi-department templates per source (E3)
+- feat(wizard): tenant-scoped wizard via ?source_id (E2)
+- feat(enterprise): editable keys (E1 of wizard redesign)
+- feat(chat): surface connector defaults + stem-match arg fallback
+- fix(ui): anchor enterprise popover to left edge
+- fix(ui): drop displayName suffix from top-left title
+- feat(ui): enterprise badge popover next to Forge title + settings reorder
+- ui(settings): split 'Add tenant' from sync/reinstall actions
+- feat(marketplace): Reinstall also applies template defaults to connector configs
+- feat(dispatcher): auto-fill missing tool args from settings.default_<name>
+- fix(http): expand tokens in body_form_inject_from values + keys
+- fix(onboarding): fall back to displayName when email is empty for {user.login}
+- feat(api): /api/bridge-info — expose browser-bridge port for the extension
+- feat(auth): first-time admin password setup — no current-password required
+- cli: forge --reset-password forwards trailing args (so --dir picks target instance)
+- fix(onboarding): synchronously sync enterprise template on first launch
+- fix(db): silence expected 'no such table' on fresh DB init
+- onboarding: orphan instance rows drop unconditionally — template is canonical
+- fix(connectors): cross-ref regex must also accept single-token refs like {base_url}
+- fix(connectors): jenkins template — preserve cross-refs, refill empty, drop orphans
+- feat(chat): preflight required connector settings with wizard prompt URL
+- template: drop hardcoded default-jenkins from bundled fallback
+- fix(onboarding): bake {user.X} tokens into persisted connector config
+- marketplace: surface enterprise availability even when versions match
+- fix(marketplace): surface update_source_id so Update button shows where it pulls from
+- feat(marketplace): Reinstall-all button — force-flip installed connectors to enterprise
+- feat(connectors): {user.*} global identity tokens + instances merge by name
+- fix(wizard): minimal mode no longer hides required-prompt connector cards
+- feat(marketplace): per-source sync status + PAT-scope diagnostic
+- feat(onboarding): _wizard.minimal flag — hide non-required steps
+- fix(enterprise): dedupe sources, scope monitor, tighten browser probe, default chat agent
+- feat(wizard): data-driven UI — collapse hardcoded sections when template fills them
+- feat(templates): {connector:id.field} cross-ref + _derive in wizard apply
+- refactor(enterprise): unify ftnt → fortinet + dev-test passthrough + secret-scan guard
+- feat(enterprise): obfuscated secrets + _agents preset in wizard template
+- docs(help): enterprise marketplace + multi-source connector flow
+- feat(wizard): per-enterprise onboarding template via resolver chain
+- feat(enterprise): Dashboard badge + add_enterprise_key chat tool
+- feat(ui): enterprise sources in marketplace + Settings panel
+- feat(marketplace): multi-source connector + workflow registries (enterprise keys)
 
 
-**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.39...v0.10.40
+**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.40...v0.10.41

package/app/api/bridge-info/route.ts

@@ -0,0 +1,34 @@
+/**
+ * Bridge-info — exposes the browser-bridge port so the Forge extension
+ * can derive the right WebSocket URL when connecting to a non-default
+ * Forge instance.
+ *
+ * The default prod port is 8407, but dev-test (4007) or any custom
+ * deployment (--port + offset) lives on a different one. The extension
+ * used to hardcode 8407, which silently routed all WS traffic to a
+ * neighbouring Forge instance whenever the user pointed at port 4000.
+ *
+ * Public read endpoint — no auth required. The bridge port is not a
+ * secret; the bridge itself still requires a valid Forge token on the
+ * WS hello frame before serving traffic.
+ */
+
+import { NextResponse } from 'next/server';
+
+export const runtime = 'nodejs';
+export const dynamic = 'force-dynamic';
+
+export function GET(req: Request) {
+  const url = new URL(req.url);
+  const port = Number(process.env.BRIDGE_PORT) || 8407;
+  // Caller-visible host: prefer the host header so extensions get the
+  // right address whether they reached Forge via localhost, IP, or
+  // tunnel hostname. Strip the original port — the WS host stays the
+  // same, only the port changes.
+  const host = (req.headers.get('host') || url.host).split(':')[0];
+  const proto = url.protocol === 'https:' ? 'wss:' : 'ws:';
+  return NextResponse.json({
+    bridge_port: port,
+    ws_url: `${proto}//${host}:${port}/ws`,
+  });
+}

package/app/api/connectors/[id]/test/route.ts

@@ -8,12 +8,26 @@
 
 import { NextResponse } from 'next/server';
 import { runConnectorTest } from '@/lib/connectors/test-runner';
+import { setCachedResult } from '@/lib/auth/login-status';
 
 export async function POST(_req: Request, { params }: { params: Promise<{ id: string }> }) {
   const { id } = await params;
   try {
     const r = await runConnectorTest(id);
     const { code, ...body } = r;
+    // Mirror the fresh probe into the login-status cache so the panel
+    // doesn't keep showing a stale 401 after the user fixed the token.
+    // Test button = manual user-triggered probe of the same auth surface
+    // Login Status renders, so they should agree.
+    try {
+      setCachedResult(`connector:${id}`, {
+        ok: !!body.ok,
+        message: body.ok ? (body.message || 'ok') : (body.error || `HTTP ${body.status || '?'}`),
+        landed_url: body.url,
+        checked_at: Date.now(),
+        duration_ms: body.duration_ms ?? 0,
+      });
+    } catch { /* best-effort; cache write failure shouldn't fail the Test response */ }
     return NextResponse.json(body, code ? { status: code } : undefined);
   } catch (e) {
     // Belt-and-suspenders: never let an uncaught exception bubble to

package/app/api/connectors/import-config-template/route.ts

@@ -26,7 +26,6 @@
  */
 
 import { NextResponse } from 'next/server';
-import { existsSync, readFileSync } from 'node:fs';
 import { join } from 'node:path';
 import { getDataDir } from '@/lib/dirs';
 import { loadSettings } from '@/lib/settings';
@@ -37,22 +36,33 @@ import {
   setConnectorEnabled,
 } from '@/lib/connectors/registry';
 import { installFromRegistry } from '@/lib/connectors/sync';
+import { resolveWizardTemplate } from '@/lib/connectors/wizard-template';
+import { decryptDeep } from '@/lib/enterprise-secret';
+import type { AgentEntry } from '@/lib/settings';
+import { saveSettings } from '@/lib/settings';
 // Bundled fallback — shipped with Forge so the "Import Template" button
-// works out of the box without any extra setup. Users can override by
-// dropping their own at <dataDir>/config-template.json.
+// works out of the box without any extra setup. The shared resolver
+// handles the user-override + enterprise + public tiers; this stays as
+// the final safety net when none of those have a cached template.
 import bundledTemplate from '@/templates/connector-config-template.json';
 
 const LOCAL_TEMPLATE_FILE = 'config-template.json';
 
-/** Resolve template source: user override in dataDir wins, else bundled. */
-function resolveTemplate(): { source: 'local' | 'bundled'; template: any; path: string | null } {
-  const userPath = join(getDataDir(), LOCAL_TEMPLATE_FILE);
-  if (existsSync(userPath)) {
-    try {
-      return { source: 'local', template: JSON.parse(readFileSync(userPath, 'utf-8')), path: userPath };
-    } catch {
-      // Fall through to bundled if user file is malformed.
-    }
+/**
+ * Resolve template source through the cross-marketplace resolver, then
+ * fall back to the bundled JSON. The legacy `source` tag (`local | bundled`)
+ * is broadened to also surface `enterprise-<tenant>` / `public` so the
+ * UI can tell users which source provided the wizard.
+ */
+function resolveTemplate(): { source: string; template: any; path: string | null } {
+  const resolved = resolveWizardTemplate();
+  if (resolved) {
+    // Map the resolver's 'user' tag back to the legacy 'local' name so
+    // existing UI that switches on it keeps working. Enterprise / public
+    // pass through unchanged.
+    const sourceTag = resolved.source === 'user' ? 'local' : resolved.source;
+    const path = resolved.source === 'user' ? join(getDataDir(), LOCAL_TEMPLATE_FILE) : null;
+    return { source: sourceTag, template: resolved.template, path };
   }
   return { source: 'bundled', template: bundledTemplate, path: null };
 }
@@ -145,9 +155,20 @@ function analyze(template: any): {
   pending: PendingPrompt[];
   static_apply_targets: string[];
   missing_manifests: string[];
+  agents_preview?: Array<{ id: string; tool?: string; has_secret: boolean }>;
 } {
   const promptsDict: Record<string, PromptDef> = template._prompts || {};
 
+  // Agents preview — what the import will add to settings.agents
+  const agentsPreview: Array<{ id: string; tool?: string; has_secret: boolean }> = [];
+  if (template._agents && typeof template._agents === 'object') {
+    for (const [agentId, raw] of Object.entries(template._agents as Record<string, any>)) {
+      const env = (raw?.env ?? {}) as Record<string, unknown>;
+      const has_secret = Object.values(env).some((v) => typeof v === 'string' && v.startsWith('ent:'));
+      agentsPreview.push({ id: agentId, tool: raw?.tool, has_secret });
+    }
+  }
+
   // Map: placeholder_key → Set of "connector.field_path"
   const usage = new Map<string, Set<string>>();
   const staticTargets: string[] = [];
@@ -185,7 +206,7 @@ function analyze(template: any): {
     || a.label.localeCompare(b.label),
   );
 
-  return { pending, static_apply_targets: staticTargets, missing_manifests: missing };
+  return { pending, static_apply_targets: staticTargets, missing_manifests: missing, agents_preview: agentsPreview.length ? agentsPreview : undefined };
 }
 
 // ─── Apply ────────────────────────────────────────────────
@@ -197,6 +218,7 @@ async function apply(template: any, values: Record<string, string>): Promise<{
   skipped_missing_manifest: string[];
   fields_preserved: Array<{ connector: string; field: string; reason: string }>;
   fields_left_empty: Array<{ connector: string; field: string }>;
+  agents_applied?: string[];
 }> {
   // Auto-inject user identity from settings so connectors (e.g. tp.username)
   // can use {user_name} / {user_email} without prompting the user again.
@@ -208,6 +230,45 @@ async function apply(template: any, values: Record<string, string>): Promise<{
     ...values,
   };
 
+  // _derive — compute extra values from existing ones, so the template can
+  // reference them like any other ${placeholder}. Each entry maps:
+  //   "derived_key": "source_key"             → derive from values[source_key]
+  //   "derived_key": { from: "x", op: "email_local" } → fancier
+  //
+  // Built-in op: 'email_local' = split @, take first half. Default op
+  // (when value is a bare string) is also 'email_local' if the source
+  // contains '@', otherwise a verbatim copy. Keeps template authors
+  // honest — no full eval, just a couple of recipes.
+  const deriveDict = (template?._derive ?? {}) as Record<string, unknown>;
+  for (const [derivedKey, spec] of Object.entries(deriveDict)) {
+    if (values[derivedKey]) continue; // user already provided → respect it
+    let sourceKey: string;
+    let op = 'auto';
+    if (typeof spec === 'string') {
+      sourceKey = spec;
+    } else if (spec && typeof spec === 'object' && typeof (spec as any).from === 'string') {
+      sourceKey = (spec as any).from;
+      op = String((spec as any).op || 'auto');
+    } else {
+      continue;
+    }
+    const raw = values[sourceKey] ?? '';
+    if (!raw) continue;
+    let derived = raw;
+    if (op === 'email_local' || (op === 'auto' && raw.includes('@'))) {
+      derived = raw.split('@')[0];
+    }
+    values[derivedKey] = derived;
+  }
+
+  // Decrypt any `ent:…` blobs anywhere in the template up front. Enterprise
+  // templates declare their key name via `_enterprise_name` (e.g. "fortinet");
+  // anything below uses the plaintext as if it had been there all along.
+  const enterpriseName = (template?._enterprise_name as string | undefined) || '';
+  if (enterpriseName) {
+    template = decryptDeep(template, enterpriseName);
+  }
+
   const applied: string[] = [];
   const installedFromRegistry: string[] = [];
   const enabledChanged: string[] = [];
@@ -270,6 +331,34 @@ async function apply(template: any, values: Record<string, string>): Promise<{
     }
   }
 
+  // ─── _agents block — pre-baked CLI agent presets ───────────
+  //
+  // Enterprise templates can declare claude-code / codex / aider
+  // agent entries (with env vars, custom flags) that get merged into
+  // `settings.agents`. Existing entries with the same id are kept
+  // unless the template forces an overwrite by setting `_overwrite: true`
+  // on that agent — by default we preserve user customisation.
+  const agentsApplied: string[] = [];
+  const agentsDict = template._agents as Record<string, any> | undefined;
+  if (agentsDict && typeof agentsDict === 'object') {
+    const freshSettings = loadSettings();
+    const currentAgents = { ...(freshSettings.agents || {}) };
+    let changed = false;
+    for (const [agentId, raw] of Object.entries(agentsDict)) {
+      if (!raw || typeof raw !== 'object') continue;
+      const existing = currentAgents[agentId];
+      const overwrite = (raw as any)._overwrite === true;
+      if (existing && !overwrite) continue; // preserve user's tweaks
+      const { _overwrite, ...entry } = raw as Record<string, unknown>;
+      currentAgents[agentId] = entry as AgentEntry;
+      agentsApplied.push(agentId);
+      changed = true;
+    }
+    if (changed) {
+      saveSettings({ ...freshSettings, agents: currentAgents });
+    }
+  }
+
   return {
     applied,
     installed_from_registry: installedFromRegistry,
@@ -277,6 +366,7 @@ async function apply(template: any, values: Record<string, string>): Promise<{
     skipped_missing_manifest: missing,
     fields_preserved: preserved,
     fields_left_empty: leftEmpty,
+    agents_applied: agentsApplied,
   };
 }
 

package/app/api/enterprise-keys/route.ts

@@ -0,0 +1,204 @@
+/**
+ * Enterprise Keys API — manage marketplace source overlays.
+ *
+ *   GET  /api/enterprise-keys
+ *     → { sources: [{ tenant_id, display_name, repo_url, priority, pat_preview }] }
+ *     Read-only view. PATs are masked.
+ *
+ *   POST /api/enterprise-keys
+ *     body: { key: string }   ← short `<tenant>:<pat>` or long `<pat>@<repo>`
+ *     → { ok: true, tenant_id } or { ok: false, error }
+ *     Persists the new key and triggers a one-shot connector + workflow sync
+ *     so the marketplace immediately reflects the new source.
+ *
+ *   DELETE /api/enterprise-keys?tenant_id=<id>
+ *     → { ok: true } or { ok: false, error }
+ *     Removes the key. Installed connectors/workflows STAY on disk (with
+ *     their last-known manifests) — the user still has them, just no more
+ *     updates from this source.
+ *
+ * Auth handled by middleware. All operations are local; the key value is
+ * encrypted at rest with .encrypt-key. Never log raw keys.
+ */
+
+import { NextResponse } from 'next/server';
+import {
+  listEnterpriseSources,
+  addEnterpriseKey,
+  removeEnterpriseKey,
+  updateEnterpriseKey,
+} from '@/lib/enterprise';
+import { syncRegistry, getLastSync } from '@/lib/connectors/sync';
+import { syncMarketplace as syncWorkflows } from '@/lib/workflow-marketplace';
+import { syncSkills } from '@/lib/skills';
+
+function patPreview(pat: string): string {
+  if (!pat) return '';
+  if (pat.length <= 12) return pat.slice(0, 4) + '…';
+  return pat.slice(0, 7) + '…' + pat.slice(-4);
+}
+
+// Enterprise source id is `enterprise-<tenant_id>` per lib/enterprise.ts.
+// Keep this lookup in sync with that convention.
+function sourceIdFor(tenantId: string): string {
+  return `enterprise-${tenantId}`;
+}
+
+export async function GET() {
+  // E3: per-tenant dept list so the Settings UI can show
+  // "fortinet · FortiNAC, FortiADC" instead of just the tenant name.
+  // listSourceDepartments reads <sourceId>/wizards/_index.json which
+  // sync writes when the registry advertises wizard_templates.
+  const { listSourceDepartments } = await import('@/lib/connectors/wizard-template');
+  const { listInstalledConnectors } = await import('@/lib/connectors/registry');
+  // Active dept = the dept stamped on any connector installed from
+  // this tenant (setConnectorDept writes _department_name during
+  // applyConnectors). All connectors from one apply share the same
+  // dept; using the first hit per tenant is fine.
+  const installed = listInstalledConnectors();
+  const activeDeptByTenant: Record<string, string> = {};
+  for (const c of installed) {
+    if (!c.installed_source_id || !c.installed_dept) continue;
+    if (!activeDeptByTenant[c.installed_source_id]) {
+      activeDeptByTenant[c.installed_source_id] = c.installed_dept;
+    }
+  }
+  const sources = listEnterpriseSources().map((s) => {
+    const sourceId = sourceIdFor(s.tenant_id);
+    const last = getLastSync(sourceId);
+    const departments = listSourceDepartments(sourceId);
+    const activeDeptName = activeDeptByTenant[sourceId] || null;
+    const active_dept = activeDeptName
+      ? departments.find(d => d.display_name === activeDeptName || d.id === activeDeptName.toLowerCase())?.id ?? null
+      : null;
+    return {
+      tenant_id: s.tenant_id,
+      display_name: s.display_name,
+      repo_url: s.repo_url,
+      priority: s.priority,
+      pat_preview: patPreview(s.github_pat),
+      last_sync: last,
+      departments,
+      active_dept,
+    };
+  });
+  return NextResponse.json({ sources });
+}
+
+export async function POST(req: Request) {
+  let body: any = {};
+  try { body = await req.json(); } catch {}
+
+  // action=resync — re-run syncRegistry against all sources and return the
+  // per-source result so the panel can flag stuck sources without waiting
+  // for the next marketplace fetch.
+  if (body?.action === 'resync') {
+    // refreshInstalled=true → also re-pull each installed connector's
+    // manifest from the highest-priority source. force=true → re-pull
+    // even when the cached registry version matches the installed one
+    // (the only way to flip a connector from public→enterprise when
+    // both sources publish the same version string).
+    const refreshInstalled = !!body?.refreshInstalled;
+    const force = !!body?.force;
+    try {
+      // Re-sync covers ALL data kinds from every source so the user
+      // doesn't have to chase per-tab sync buttons:
+      //   - connectors: registry.json + (when refreshInstalled) manifests
+      //   - workflows: pipelines + recipes
+      //   - skills: registry + per-skill metadata
+      // syncWorkflows / syncSkills are best-effort — a flaky upstream
+      // shouldn't fail the whole resync.
+      const result = await syncRegistry({ refreshInstalled, force });
+      try { await syncWorkflows(); } catch (e) { console.warn('[enterprise-keys] workflows sync after resync failed:', e); }
+      try { await syncSkills(); } catch (e) { console.warn('[enterprise-keys] skills sync after resync failed:', e); }
+
+      return NextResponse.json({ ok: true, result });
+    } catch (e) {
+      return NextResponse.json({ ok: false, error: e instanceof Error ? e.message : String(e) }, { status: 500 });
+    }
+  }
+
+  const key = String(body?.key || '').trim();
+  if (!key) return NextResponse.json({ ok: false, error: 'key is required' }, { status: 400 });
+
+  const r = addEnterpriseKey(key);
+  if (!r.ok) return NextResponse.json(r, { status: 400 });
+
+  // Trigger sync so the newly-added source is reflected in the marketplace
+  // without the user having to click Refresh. Best-effort: ignore errors —
+  // a network blip shouldn't fail the key-add itself.
+  try {
+    await syncRegistry({ refreshInstalled: false });
+    await syncWorkflows();
+  } catch (e) {
+    console.warn('[enterprise-keys] post-add sync failed (best-effort):', e);
+  }
+
+  // E4: detect whether the newly-added source landed a wizard template
+  // on disk so the frontend can hand off to /onboarding scoped to this
+  // tenant. existsSync against both the legacy single-template file and
+  // the multi-dept index covers the E3 split.
+  const sourceId = `enterprise-${r.tenant_id}`;
+  let hasWizardTemplate = false;
+  try {
+    const { existsSync } = await import('node:fs');
+    const { join } = await import('node:path');
+    const { getDataDir } = await import('@/lib/dirs');
+    const base = join(getDataDir(), 'connectors', 'sources', sourceId);
+    hasWizardTemplate = existsSync(join(base, 'wizard-template.json'))
+      || existsSync(join(base, 'wizards', '_index.json'));
+  } catch {}
+
+  return NextResponse.json({
+    ok: true,
+    tenant_id: r.tenant_id,
+    source_id: sourceId,
+    has_wizard_template: hasWizardTemplate,
+  });
+}
+
+/**
+ *   PATCH /api/enterprise-keys?tenant_id=<id>
+ *     body: { key: string }
+ *     → { ok: true } or { ok: false, error }
+ *     Replaces the key for `tenant_id` in place (the new key's parsed
+ *     tenant_id must match). Useful for PAT rotation without losing
+ *     priority/order. Re-syncs after success so the new auth is used
+ *     immediately.
+ */
+export async function PATCH(req: Request) {
+  const url = new URL(req.url);
+  const tenant_id = (url.searchParams.get('tenant_id') || '').trim();
+  if (!tenant_id) return NextResponse.json({ ok: false, error: 'tenant_id is required' }, { status: 400 });
+
+  let body: any = {};
+  try { body = await req.json(); } catch {}
+  const key = String(body?.key || '').trim();
+  if (!key) return NextResponse.json({ ok: false, error: 'key is required' }, { status: 400 });
+
+  const r = updateEnterpriseKey(tenant_id, key);
+  if (!r.ok) return NextResponse.json(r, { status: 400 });
+
+  try {
+    await syncRegistry({ refreshInstalled: false });
+    await syncWorkflows();
+  } catch (e) {
+    console.warn('[enterprise-keys] post-update sync failed (best-effort):', e);
+  }
+
+  return NextResponse.json({ ok: true });
+}
+
+export async function DELETE(req: Request) {
+  const url = new URL(req.url);
+  const tenant_id = (url.searchParams.get('tenant_id') || '').trim();
+  if (!tenant_id) return NextResponse.json({ ok: false, error: 'tenant_id is required' }, { status: 400 });
+  const removed = removeEnterpriseKey(tenant_id);
+  if (!removed) return NextResponse.json({ ok: false, error: `no key for tenant '${tenant_id}'` }, { status: 404 });
+
+  // No re-sync on delete — installed manifests stay valid; UI's next refresh
+  // will repopulate the cache list. Skipping the network call keeps Remove
+  // snappy.
+
+  return NextResponse.json({ ok: true });
+}

package/app/api/marketplace/sync-all/route.ts

@@ -0,0 +1,28 @@
+/**
+ * POST /api/marketplace/sync-all
+ *
+ * Single entry point that refreshes every kind of marketplace data
+ * from every configured source (public + each enterprise tenant):
+ *   - connector registry + manifests + wizard templates
+ *   - workflows (pipelines + recipes)
+ *   - skills
+ *
+ * Replaces the per-tab Sync buttons that each only refreshed one type
+ * (and silently skipped enterprise sources for skills). Settings →
+ * Re-sync registry calls this same endpoint.
+ */
+
+import { NextResponse } from 'next/server';
+import { syncAll } from '@/lib/marketplace-sync';
+
+export async function POST() {
+  try {
+    const r = await syncAll();
+    return NextResponse.json(r, { status: r.ok ? 200 : 207 });
+  } catch (e) {
+    return NextResponse.json(
+      { ok: false, error: (e as Error).message },
+      { status: 500 },
+    );
+  }
+}

package/app/api/monitor/route.ts

@@ -7,25 +7,48 @@ function run(cmd: string): string {
   } catch { return ''; }
 }
 
+// Scope every ps grep to THIS instance — standalones spawned by init.ts
+// (or forge-server.mjs) carry `--forge-port=<webPort>` so dev-test on
+// port 4000 doesn't surface the production Forge processes from 8403
+// and vice versa.
+const INSTANCE_TAG = `--forge-port=${process.env.PORT || 8403}`;
+
 function countProcess(pattern: string): { count: number; pid: string; startedAt: string } {
-  const out = run(`ps aux | grep '${pattern}' | grep -v grep | head -1`);
+  // grep BOTH the binary pattern AND the per-instance tag. Excludes the
+  // grep processes themselves via `grep -v grep`.
+  const filter = `ps aux | grep '${pattern}' | grep -F -- '${INSTANCE_TAG}' | grep -v grep`;
+  const out = run(`${filter} | head -1`);
+  const pid = out ? out.split(/\s+/)[1] || '' : '';
+  const count = out ? run(`${filter} | wc -l`).trim() : '0';
+  const startedAt = pid ? run(`ps -o lstart= -p ${pid} 2>/dev/null`).trim() : '';
+  return { count: parseInt(count), pid, startedAt };
+}
+
+// Processes that don't carry --forge-port in their command line:
+//   - next-server: bare "next-server (vX.Y.Z)" — we ARE next-server when
+//     this handler runs, so reporting it as down would always be a lie.
+//   - cloudflared: third-party binary, no tag.
+// For these, fall back to a tag-less ps grep so the panel reflects reality.
+function countProcessUntagged(pattern: string): { count: number; pid: string; startedAt: string } {
+  const filter = `ps aux | grep '${pattern}' | grep -v grep`;
+  const out = run(`${filter} | head -1`);
   const pid = out ? out.split(/\s+/)[1] || '' : '';
-  const count = out ? run(`ps aux | grep '${pattern}' | grep -v grep | wc -l`).trim() : '0';
-  // Get start time from ps
+  const count = out ? run(`${filter} | wc -l`).trim() : '0';
   const startedAt = pid ? run(`ps -o lstart= -p ${pid} 2>/dev/null`).trim() : '';
   return { count: parseInt(count), pid, startedAt };
 }
 
 export async function GET() {
-  // Processes
-  const nextjs = countProcess('next-server');
+  // next-server: we ARE next-server when this runs — report self.
+  const nextjs = { count: 1, pid: String(process.pid), startedAt: '' };
   const terminal = countProcess('terminal-standalone');
   const telegram = countProcess('telegram-standalone');
   const workspace = countProcess('workspace-standalone');
   const chat = countProcess('chat-standalone');
   const browserBridge = countProcess('browser-bridge-standalone');
   const memoryWorker = countProcess('memory-standalone');
-  const tunnel = countProcess('cloudflared tunnel');
+  // cloudflared has no --forge-port tag — fall back to global grep.
+  const tunnel = countProcessUntagged('cloudflared tunnel');
 
   // Chat backend health (port 8408 — process can be alive but crashed)
   let chatStatus: { running: boolean; sessions: number; port: number } = {