@aion0/forge 0.10.40 → 0.10.41

package/app/api/projects/clone/route.ts

@@ -0,0 +1,51 @@
+/**
+ * POST /api/projects/clone
+ *
+ *   Body: { name?: string }
+ *
+ * Trigger the same auto-clone path the pipeline orchestrator uses: tries to
+ * clone the GitLab connector's default_project_path under projectRoots[0]
+ * (or ~/IdeaProjects), refreshes projectRoots, and returns the resolved
+ * project. Used by the onboarding wizard's empty-state banner and by the
+ * chat UI when a pipeline fails with "Project not found".
+ */
+
+import { NextResponse } from 'next/server';
+import { resolveOrCloneProject, getDefaultCloneRoot } from '@/lib/projects';
+import { getInstalledConnector } from '@/lib/connectors/registry';
+
+export async function POST(req: Request) {
+  let body: any = {};
+  try { body = await req.json(); } catch { /* empty body is fine */ }
+  const name = typeof body?.name === 'string' ? body.name.trim() : '';
+
+  const r = resolveOrCloneProject(name);
+  // Scratch fallback isn't really a "success" for the caller — they asked for
+  // a real clone. Surface why we couldn't do it so the UI can prompt the user
+  // to fix the underlying gap (e.g. set gitlab default_project_path).
+  if (r.source === 'scratch') {
+    const gl = getInstalledConnector('gitlab');
+    const path = String(gl?.config?.default_project_path || '').trim();
+    const base = String(gl?.config?.base_url || '').trim();
+    const reason = !gl ? 'gitlab_connector_missing'
+      : !path ? 'gitlab_default_project_path_missing'
+      : !base ? 'gitlab_base_url_missing'
+      : 'clone_failed';
+    return NextResponse.json({
+      ok: false,
+      reason,
+      fallback_project: { name: r.project.name, path: r.project.path },
+      target_root: getDefaultCloneRoot(),
+      hint: reason === 'clone_failed'
+        ? 'git clone failed — see server log. Pipelines will still run inside <dataDir>/scratch as a fallback.'
+        : 'set gitlab default_project_path under Settings → Connectors → gitlab; meanwhile pipelines run inside <dataDir>/scratch.',
+    }, { status: 200 });
+  }
+
+  return NextResponse.json({
+    ok: true,
+    project: { name: r.project.name, path: r.project.path },
+    source: r.source,
+    clone_url: r.clone_url,
+  });
+}

package/app/api/settings/route.ts

@@ -24,8 +24,17 @@ export async function PUT(req: Request) {
       return NextResponse.json({ ok: false, error: 'Invalid field' }, { status: 400 });
     }
 
-    // Verify admin password
-    if (!verifyAdmin(adminPassword)) {
+    // First-time admin-password set bypass: when the user is setting the
+    // admin password itself AND no existing password is stored, accept
+    // without verifyAdmin (there's nothing to verify against). After the
+    // initial set, normal "verify current password" flow applies.
+    const existingSettings = loadSettings();
+    const isFirstAdminSet =
+      field === 'telegramTunnelPassword'
+      && !existingSettings.telegramTunnelPassword
+      && !!newValue;
+
+    if (!isFirstAdminSet && !verifyAdmin(adminPassword)) {
       return NextResponse.json({ ok: false, error: 'Wrong password' }, { status: 403 });
     }
 

package/bin/forge-server.mjs

@@ -93,6 +93,28 @@ const isRestart = process.argv.includes('--restart');
 const isRebuild = process.argv.includes('--rebuild');
 const resetTerminal = process.argv.includes('--reset-terminal');
 const resetPassword = process.argv.includes('--reset-password');
+const addEnterpriseKeyOnly = process.argv.includes('--add-enterprise-key');
+
+// ── Enterprise keys (--enterprise-key=…) ──
+//
+// Collected here so they're seen at startup and (when --add-enterprise-key
+// is also passed) we can persist + exit without spinning up the server.
+// Supports both `--enterprise-key=foo` and `--enterprise-key foo` forms;
+// repeat for multiple keys.
+function collectEnterpriseKeys() {
+  const keys = [];
+  for (let i = 0; i < process.argv.length; i++) {
+    const arg = process.argv[i];
+    if (arg.startsWith('--enterprise-key=')) {
+      keys.push(arg.slice('--enterprise-key='.length));
+    } else if (arg === '--enterprise-key' && i + 1 < process.argv.length) {
+      keys.push(process.argv[i + 1]);
+      i += 1;
+    }
+  }
+  return keys.map((k) => k.trim()).filter(Boolean);
+}
+const enterpriseKeysFromArgv = collectEnterpriseKeys();
 
 const webPort = parseInt(getArg('--port')) || 8403;
 const terminalPort = parseInt(getArg('--terminal-port')) || (webPort + 1);
@@ -221,7 +243,9 @@ process.env.WORKSPACE_PORT = String(workspacePort);
 process.env.FORGE_DATA_DIR = DATA_DIR;
 
 // ── Password setup (first run or --reset-password) ──
-if (!isStop) {
+// Skipped in --add-enterprise-key persist-and-exit mode: registering a
+// key from install.sh must not block on an interactive prompt.
+if (!isStop && !addEnterpriseKeyOnly) {
   const YAML = await import('yaml');
   const settingsFile = join(DATA_DIR, 'settings.yaml');
   let settings = {};
@@ -289,6 +313,79 @@ if (!isStop) {
   }
 }
 
+// ── Enterprise keys (--enterprise-key=…) ──
+//
+// Each key is encrypted with AES-256-GCM via the same `.encrypt-key`
+// file the password uses, then appended to `<dataDir>/.enterprise-keys.json`
+// as `{ v: 1, keys: ["enc:…"] }`. lib/enterprise.ts reads + decrypts on
+// the runtime side. Duplicate-by-tenant dedup happens lazily on first
+// listEnterpriseSources(); this layer just appends.
+if (!isStop && (enterpriseKeysFromArgv.length > 0 || addEnterpriseKeyOnly)) {
+  if (addEnterpriseKeyOnly && enterpriseKeysFromArgv.length === 0) {
+    console.error('[forge] --add-enterprise-key requires at least one --enterprise-key=<value>');
+    process.exit(1);
+  }
+  const crypto = await import('node:crypto');
+  const ENC_KEY_FILE = join(DATA_DIR, '.encrypt-key');
+  const KEYS_FILE = join(DATA_DIR, '.enterprise-keys.json');
+  let encKey;
+  if (existsSync(ENC_KEY_FILE)) {
+    encKey = Buffer.from(readFileSync(ENC_KEY_FILE, 'utf-8').trim(), 'hex');
+  } else {
+    encKey = crypto.randomBytes(32);
+    if (!existsSync(DATA_DIR)) mkdirSync(DATA_DIR, { recursive: true });
+    writeFileSync(ENC_KEY_FILE, encKey.toString('hex'), { mode: 0o600 });
+  }
+  const encryptOne = (plain) => {
+    const iv = crypto.randomBytes(12);
+    const cipher = crypto.createCipheriv('aes-256-gcm', encKey, iv);
+    const enc = Buffer.concat([cipher.update(plain, 'utf-8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return `enc:${iv.toString('base64')}.${tag.toString('base64')}.${enc.toString('base64')}`;
+  };
+  const decryptOne = (blob) => {
+    if (!blob.startsWith('enc:')) return blob;
+    try {
+      const [ivB64, tagB64, dataB64] = blob.slice(4).split('.');
+      const iv = Buffer.from(ivB64, 'base64');
+      const tag = Buffer.from(tagB64, 'base64');
+      const data = Buffer.from(dataB64, 'base64');
+      const d = crypto.createDecipheriv('aes-256-gcm', encKey, iv);
+      d.setAuthTag(tag);
+      return Buffer.concat([d.update(data), d.final()]).toString('utf-8');
+    } catch { return ''; }
+  };
+  let existing = { v: 1, keys: [] };
+  if (existsSync(KEYS_FILE)) {
+    try {
+      const parsed = JSON.parse(readFileSync(KEYS_FILE, 'utf-8'));
+      if (parsed && Array.isArray(parsed.keys)) existing = { v: 1, keys: parsed.keys };
+    } catch {
+      // Corrupt — start fresh; runtime will surface its own diagnostics if
+      // anything was meaningful there.
+    }
+  }
+  // Dedup against existing plaintexts so a second run of
+  //   ./dev-test.sh --enterprise-key=…
+  // doesn't quietly append a duplicate and grow the file forever.
+  const existingPlaintexts = new Set(existing.keys.map(decryptOne).filter(Boolean));
+  let added = 0;
+  for (const k of enterpriseKeysFromArgv) {
+    if (existingPlaintexts.has(k)) continue;
+    existing.keys.push(encryptOne(k));
+    existingPlaintexts.add(k);
+    added += 1;
+  }
+  if (!existsSync(DATA_DIR)) mkdirSync(DATA_DIR, { recursive: true });
+  writeFileSync(KEYS_FILE, JSON.stringify(existing, null, 2), { mode: 0o600 });
+  const skipped = enterpriseKeysFromArgv.length - added;
+  console.log(`[forge] Persisted ${added} new enterprise key(s)${skipped ? `, skipped ${skipped} duplicate` : ''} → ${KEYS_FILE}`);
+
+  if (addEnterpriseKeyOnly) {
+    process.exit(0);
+  }
+}
+
 // ── Find pids listening on a TCP port (portable) ──
 // macOS ships lsof; minimal Linux containers (RHEL/CentOS/Alpine) often
 // don't. Try lsof → ss (iproute2, ~universal on modern Linux) → fuser

package/cli/mw.mjs

@@ -741,6 +741,7 @@ __export(dirs_exports, {
   getClaudeDir: () => getClaudeDir,
   getConfigDir: () => getConfigDir,
   getDataDir: () => getDataDir,
+  getEnterpriseKeysPath: () => getEnterpriseKeysPath,
   migrateDataDir: () => migrateDataDir
 });
 import { homedir as homedir2 } from "node:os";
@@ -796,6 +797,9 @@ function migrateDataDir() {
   }
   console.log("[forge] Migration complete. Old files kept as backup.");
 }
+function getEnterpriseKeysPath() {
+  return join3(getDataDir(), ".enterprise-keys.json");
+}
 function getClaudeDir() {
   return process.env.CLAUDE_HOME || join3(homedir2(), ".claude");
 }
@@ -874,16 +878,22 @@ async function main() {
     process.exit(0);
   }
   if (cmd === "--reset-password") {
-    const { execSync: execSync2 } = await import("node:child_process");
+    const { spawnSync: spawnSync2 } = await import("node:child_process");
     const { join: join4, dirname } = await import("node:path");
     const { fileURLToPath } = await import("node:url");
     const serverScript = join4(dirname(fileURLToPath(import.meta.url)), "..", "bin", "forge-server.mjs");
-    try {
-      execSync2(`node ${serverScript} --reset-password`, { stdio: "inherit" });
-    } catch {
-    }
+    const passthru = process.argv.slice(3);
+    spawnSync2("node", [serverScript, "--reset-password", ...passthru], { stdio: "inherit" });
     process.exit(0);
   }
+  if (cmd === "--add-enterprise-key") {
+    const { spawnSync: spawnSync2 } = await import("node:child_process");
+    const { join: join4, dirname } = await import("node:path");
+    const { fileURLToPath } = await import("node:url");
+    const serverScript = join4(dirname(fileURLToPath(import.meta.url)), "..", "bin", "forge-server.mjs");
+    const r = spawnSync2("node", [serverScript, "--add-enterprise-key", ...args], { stdio: "inherit" });
+    process.exit(r.status ?? 1);
+  }
   switch (cmd) {
     case "chat":
     case "c": {
@@ -1418,7 +1428,7 @@ Options for 'forge server start':
 Shortcuts: c=chat, j=jobs, wt=worktree, t=task, ls=tasks, w=watch, s=status, l=log, f=flows, p=projects, pw=password`);
   }
 }
-var skipUpdateCheck = ["upgrade", "uninstall", "--version", "-v", "--reset-password"];
+var skipUpdateCheck = ["upgrade", "uninstall", "--version", "-v", "--reset-password", "--add-enterprise-key"];
 main().then(() => {
   if (!skipUpdateCheck.includes(cmd)) return checkForUpdate();
 }).catch((err) => {

package/cli/mw.ts

@@ -74,17 +74,30 @@ async function main() {
   }
 
   if (cmd === '--reset-password') {
-    // Shortcut: delegate to forge-server.mjs --reset-password
-    const { execSync } = await import('node:child_process');
+    // Shortcut: delegate to forge-server.mjs --reset-password.
+    // Forward any trailing args so `--dir <path>` targets a specific
+    // instance — e.g. `forge --reset-password --dir ~/.forge-test`.
+    const { spawnSync } = await import('node:child_process');
     const { join, dirname } = await import('node:path');
     const { fileURLToPath } = await import('node:url');
     const serverScript = join(dirname(fileURLToPath(import.meta.url)), '..', 'bin', 'forge-server.mjs');
-    try {
-      execSync(`node ${serverScript} --reset-password`, { stdio: 'inherit' });
-    } catch {}
+    const passthru = process.argv.slice(3);
+    spawnSync('node', [serverScript, '--reset-password', ...passthru], { stdio: 'inherit' });
     process.exit(0);
   }
 
+  if (cmd === '--add-enterprise-key') {
+    // Shortcut: delegate persist-and-exit to forge-server.mjs. Caller is
+    // expected to also pass one or more `--enterprise-key=<value>`
+    //   forge --add-enterprise-key --enterprise-key=fortinet:github_pat_xxx
+    const { spawnSync } = await import('node:child_process');
+    const { join, dirname } = await import('node:path');
+    const { fileURLToPath } = await import('node:url');
+    const serverScript = join(dirname(fileURLToPath(import.meta.url)), '..', 'bin', 'forge-server.mjs');
+    const r = spawnSync('node', [serverScript, '--add-enterprise-key', ...args], { stdio: 'inherit' });
+    process.exit(r.status ?? 1);
+  }
+
   switch (cmd) {
     case 'chat':
     case 'c': {
@@ -624,7 +637,7 @@ Shortcuts: c=chat, j=jobs, wt=worktree, t=task, ls=tasks, w=watch, s=status, l=l
   }
 }
 
-const skipUpdateCheck = ['upgrade', 'uninstall', '--version', '-v', '--reset-password'];
+const skipUpdateCheck = ['upgrade', 'uninstall', '--version', '-v', '--reset-password', '--add-enterprise-key'];
 main().then(() => { if (!skipUpdateCheck.includes(cmd)) return checkForUpdate(); }).catch(err => {
   console.error(err.message);
   process.exit(1);

package/components/ConnectorsPanel.tsx

@@ -27,8 +27,36 @@ interface MarketEntry {
   author?: string;
   installed_version?: string;
   update_available?: boolean;
+  /** Source that publishes the proposed update — may differ from
+   *  source_id (the installed origin). E.g. public is installed, then
+   *  the user adds an enterprise source that publishes a higher version. */
+  update_source_id?: string;
   compatible: boolean;
   source: 'registry' | 'local';
+  /** Which marketplace source provided the winning entry:
+   *  `public` | `enterprise-<tenant>` | undefined for local-only. */
+  source_id?: string;
+  /** Lower-priority sources that also list this id but were outranked. */
+  hidden_sources?: { source_id: string; display_name: string; version: string }[];
+}
+
+/** Compact badge describing a source. `enterprise-…` → 🔒 + name; `public` → 🌐;
+ *  install-local (no registry source) → 📦 local. Tooltip carries full id. */
+function SourceBadge({ entry, size = 'sm' }: { entry: Pick<MarketEntry, 'source' | 'source_id' | 'hidden_sources'>; size?: 'xs' | 'sm' }) {
+  const px = size === 'xs' ? 'text-[8px] px-1 py-0.5' : 'text-[9px] px-1.5 py-0.5';
+  if (entry.source === 'local' || !entry.source_id) {
+    return <span className={`${px} rounded bg-[var(--accent)]/15 text-[var(--accent)]`} title="Installed locally, not from any registry">📦 local</span>;
+  }
+  if (entry.source_id === 'public') {
+    return <span className={`${px} rounded bg-[var(--bg-tertiary)] text-[var(--text-secondary)]`} title="Public marketplace">🌐 public</span>;
+  }
+  // enterprise-<tenant>
+  const tenant = entry.source_id.replace(/^enterprise-/, '');
+  const hiddenCount = entry.hidden_sources?.length || 0;
+  const title = hiddenCount > 0
+    ? `Enterprise source: ${tenant} (overrides ${hiddenCount} lower-priority source${hiddenCount > 1 ? 's' : ''})`
+    : `Enterprise source: ${tenant}`;
+  return <span className={`${px} rounded bg-amber-500/15 text-amber-400`} title={title}>🔒 {tenant}</span>;
 }
 
 interface MarketState {
@@ -499,13 +527,9 @@ export default function ConnectorsPanel() {
         >
           {uploading ? 'Installing…' : '+ Upload'}
         </button>
-        <button
-          onClick={sync}
-          disabled={syncing}
-          className="text-[10px] px-2.5 py-0.5 border border-[var(--accent)] text-[var(--accent)] rounded hover:bg-[var(--accent)] hover:text-white transition-colors disabled:opacity-40"
-        >
-          {syncing ? 'Syncing…' : 'Refresh'}
-        </button>
+        {/* Per-tab Sync removed — use Marketplace top → "↻ Sync all"
+            which covers every type (connectors + workflows + skills)
+            from every source (public + enterprise) in one trip. */}
       </div>
 
       {dragOver && (
@@ -550,9 +574,7 @@ export default function ConnectorsPanel() {
                         {update && (
                           <span className="text-[8px] px-1 py-0.5 rounded bg-yellow-500/10 text-yellow-400">update</span>
                         )}
-                        {e.source === 'local' && (
-                          <span className="text-[8px] px-1 py-0.5 rounded bg-[var(--accent)]/15 text-[var(--accent)]">local</span>
-                        )}
+                        <SourceBadge entry={e} size="xs" />
                       </div>
                       <div className="flex items-center gap-1.5 mt-0.5">
                         <span className="text-[9px] text-[var(--text-secondary)]">
@@ -601,9 +623,15 @@ export default function ConnectorsPanel() {
                           update available · v{me.installed_version} → v{me.version}
                         </span>
                       )}
-                      {me.source === 'local' && (
-                        <span className="text-[9px] px-1.5 py-0.5 rounded bg-[var(--accent)]/15 text-[var(--accent)]">
-                          local · not in registry
+                      <SourceBadge entry={me} />
+                      {installed && me.update_source_id && me.update_source_id !== me.source_id && (
+                        <span
+                          className="text-[9px] px-1.5 py-0.5 rounded bg-amber-500/10 text-amber-400"
+                          title={`Installed manifest comes from ${me.source_id}, but ${me.update_source_id} also publishes this connector at a higher priority. Reinstall to switch.`}
+                        >
+                          ↻ also in {me.update_source_id === 'public'
+                            ? 'public'
+                            : me.update_source_id.replace(/^enterprise-/, '')}
                         </span>
                       )}
                     </div>
@@ -630,6 +658,16 @@ export default function ConnectorsPanel() {
                         {busyId === me.id ? '…' : 'Update'}
                       </button>
                     )}
+                    {installed && !update && (
+                      <button
+                        onClick={() => act('update', me.id)}
+                        disabled={busyId === me.id}
+                        title="Re-pull this connector's manifest from the highest-priority source (force, even if version matches). Use this when you bumped the manifest version but the marketplace top-level Sync doesn't seem to have picked it up."
+                        className="text-[10px] px-2 py-1 rounded border border-[var(--border)] text-[var(--text-secondary)] hover:border-[var(--text-primary)] hover:text-[var(--text-primary)] transition-colors disabled:opacity-40"
+                      >
+                        {busyId === me.id ? '…' : '↻'}
+                      </button>
+                    )}
                     {installed && (
                       <button
                         onClick={() => act('uninstall', me.id)}
@@ -642,6 +680,40 @@ export default function ConnectorsPanel() {
                   </div>
                 </div>
 
+                {/* Sources — surface enterprise winner + outranked rows so
+                    the user can see "this mantis comes from fortinet, public
+                    has one too but it's hidden". Hide entirely for the boring
+                    case (public winner with no overlap). */}
+                {(() => {
+                  const isEnterpriseWinner = me.source_id && me.source_id !== 'public' && me.source !== 'local';
+                  const hasHidden = !!me.hidden_sources?.length;
+                  if (!isEnterpriseWinner && !hasHidden) return null;
+                  return (
+                    <div>
+                      <h3 className="text-[11px] font-semibold text-[var(--text-primary)] mb-1.5">
+                        Sources <span className="text-[9px] text-[var(--text-secondary)] font-normal">· higher priority first</span>
+                      </h3>
+                      <div className="rounded border border-[var(--border)] divide-y divide-[var(--border)] bg-[var(--bg-tertiary)]">
+                        <div className="px-2.5 py-1.5 flex items-center gap-2">
+                          <SourceBadge entry={me} size="xs" />
+                          <span className="text-[10px] font-mono text-[var(--text-primary)]">v{me.version}</span>
+                          <span className="text-[9px] text-green-400 ml-auto">in use</span>
+                        </div>
+                        {me.hidden_sources?.map((hs) => (
+                          <div key={hs.source_id} className="px-2.5 py-1.5 flex items-center gap-2 opacity-60">
+                            <SourceBadge
+                              entry={{ source: 'registry', source_id: hs.source_id }}
+                              size="xs"
+                            />
+                            <span className="text-[10px] font-mono text-[var(--text-secondary)]">v{hs.version}</span>
+                            <span className="text-[9px] text-[var(--text-secondary)] ml-auto">hidden</span>
+                          </div>
+                        ))}
+                      </div>
+                    </div>
+                  );
+                })()}
+
                 {/* Tools — only when manifest is on disk */}
                 {installed && detail && (
                   <div>

package/components/CraftTerminal.tsx

@@ -139,7 +139,7 @@ export default function CraftTerminal({
               ws.send(JSON.stringify({ type: 'create', sessionName: activeSessionRef.current, cols: term.cols, rows: term.rows }));
               // After creation, cd into craft dir and start the chosen agent
               // Wait until agents fetch settles so we can pick the right CLI + resume flag
-              const tryLaunch = (attempt = 0) => {
+              const tryLaunch = async (attempt = 0) => {
                 if (ws.readyState !== WebSocket.OPEN) return;
                 const list = agentsRef.current;
                 const id = agentIdRef.current;
@@ -148,11 +148,20 @@ export default function CraftTerminal({
                   return;
                 }
                 const a = list.find(x => x.id === id) || list[0];
-                const cli = a?.path || a?.id || 'claude';
+                // Resolve cliCmd via the API so derived agents (e.g.
+                // forti-k2 base: claude) inherit the base's absolute
+                // path instead of falling back to bare a.id / 'claude'.
+                let cli = a?.path || 'claude';
+                const targetId = a?.id || 'claude';
+                try {
+                  const info = await fetch(`/api/agents?resolve=${encodeURIComponent(targetId)}`).then(r => r.ok ? r.json() : null);
+                  if (info?.cliCmd) cli = info.cliCmd;
+                } catch {}
+                const quotedCli = `"${cli}"`;
                 const isClaude = (a?.id === 'claude') || (a as any)?.cliType === 'claude-code';
                 const sf = (isClaude && skipPermRef.current) ? ' --dangerously-skip-permissions' : '';
                 const resume = resumeIdRef.current && isClaude ? ` --resume ${resumeIdRef.current}` : '';
-                ws.send(JSON.stringify({ type: 'input', data: `cd "${craftDir}" && ${cli}${sf}${resume}\n` }));
+                ws.send(JSON.stringify({ type: 'input', data: `cd "${craftDir}" && ${quotedCli}${sf}${resume}\n` }));
               };
               setTimeout(() => tryLaunch(), 500);
             }

package/components/Dashboard.tsx

@@ -26,6 +26,7 @@ const SettingsModal = lazy(() => import('./SettingsModal'));
 const MonitorPanel = lazy(() => import('./MonitorPanel'));
 const LoginStatusPanel = lazy(() => import('./LoginStatusPanel'));
 const ActivityPanel = lazy(() => import('./ActivityPanel'));
+const EnterpriseBadge = lazy(() => import('./EnterpriseBadge'));
 const WorkspaceView = lazy(() => import('./WorkspaceView'));
 // WorkspaceTree moved into ProjectDetail — no longer needed at Dashboard level
 import { OnboardingBanner, OnboardingDrawer } from './OnboardingWizard';
@@ -136,12 +137,27 @@ export default function Dashboard({ user }: { user: any }) {
   const [showSettings, setShowSettings] = useState(false);
   const [needsOnboarding, setNeedsOnboarding] = useState(false);
   const [showOnboarding, setShowOnboarding] = useState(false);
+  // E4: when EnterpriseBadge fires forge:open-onboarding after a fresh
+  // key add, the source id rides along so the wizard scopes to that
+  // new tenant immediately instead of resolving the priority chain.
+  const [onboardingSourceId, setOnboardingSourceId] = useState<string | null>(null);
+  useEffect(() => {
+    const handler = (e: Event) => {
+      const detail = (e as CustomEvent).detail || {};
+      setOnboardingSourceId(detail.source_id || null);
+      setShowOnboarding(true);
+    };
+    window.addEventListener('forge:open-onboarding', handler);
+    return () => window.removeEventListener('forge:open-onboarding', handler);
+  }, []);
   useEffect(() => {
     fetch('/api/onboarding').then(r => r.json()).then(j => {
       const need = !!(j?.ok && !j.onboardingCompleted);
       setNeedsOnboarding(need);
-      // Auto-open the drawer when setup is needed — saves the user a click.
-      // They can still click "Skip" inside the drawer to dismiss.
+      // Auto-open the drawer when setup is needed — saves the user a
+      // click. When there's no enterprise yet, the wizard's first page
+      // is a splash asking "Add enterprise key, or continue with
+      // public?" so opt-out is one click away.
       if (need) setShowOnboarding(true);
     }).catch(() => {});
   }, []);
@@ -161,6 +177,7 @@ export default function Dashboard({ user }: { user: any }) {
   const [showUserMenu, setShowUserMenu] = useState(false);
   const [theme, setTheme] = useState<'dark' | 'light'>('dark');
   const [displayName, setDisplayName] = useState(user?.name || 'Forge');
+  const [profileDept, setProfileDept] = useState('');
   const terminalRef = useRef<WebTerminalHandle>(null);
 
   // Theme: load from localStorage + apply
@@ -182,7 +199,10 @@ export default function Dashboard({ user }: { user: any }) {
   // Fetch display name from settings
   const refreshDisplayName = useCallback(() => {
     fetch('/api/settings').then(r => r.json())
-      .then((s: any) => { if (s.displayName) setDisplayName(s.displayName); })
+      .then((s: any) => {
+        if (s.displayName) setDisplayName(s.displayName);
+        if (typeof s.dept === 'string') setProfileDept(s.dept);
+      })
       .catch(() => {});
   }, []);
   useEffect(() => { refreshDisplayName(); }, [refreshDisplayName]);
@@ -228,17 +248,24 @@ export default function Dashboard({ user }: { user: any }) {
     return () => clearInterval(id);
   }, []);
 
-  // Login status badge — load cached results on mount so the user
-  // dropdown shows the red dot count without forcing a check.
+  // Login status badge — poll cached results on a 10s interval so the
+  // red-dot count picks up changes from the Test button / wizard apply /
+  // Reinstall without forcing the user to open + close the full panel.
+  // GET is cheap (reads JSON file, no probe), so this is fine.
   useEffect(() => {
-    fetch('/api/login-status')
-      .then((r) => r.json())
-      .then((j) => {
-        const rows = (j.rows || []) as Array<{ result: { ok: boolean } | null }>;
-        const broken = rows.filter((r) => r.result && !r.result.ok).length;
-        setLoginBadge({ broken, total: rows.length });
-      })
-      .catch(() => {});
+    const refresh = () => {
+      fetch('/api/login-status')
+        .then((r) => r.json())
+        .then((j) => {
+          const rows = (j.rows || []) as Array<{ result: { ok: boolean } | null }>;
+          const broken = rows.filter((r) => r.result && !r.result.ok).length;
+          setLoginBadge({ broken, total: rows.length });
+        })
+        .catch(() => {});
+    };
+    refresh();
+    const id = setInterval(refresh, 10_000);
+    return () => clearInterval(id);
   }, []);
 
   // Notifications: poll unread count at 30s, full fetch when panel opens
@@ -312,9 +339,11 @@ export default function Dashboard({ user }: { user: any }) {
       )}
       {showOnboarding && (
         <OnboardingDrawer
-          onClose={() => setShowOnboarding(false)}
+          initialSourceId={onboardingSourceId}
+          onClose={() => { setShowOnboarding(false); setOnboardingSourceId(null); }}
           onComplete={() => {
             setShowOnboarding(false);
+            setOnboardingSourceId(null);
             setNeedsOnboarding(false);
             // Reload settings so chat picks up new API profile etc.
             fetchData();
@@ -353,9 +382,13 @@ export default function Dashboard({ user }: { user: any }) {
       <header className="h-12 border-b-2 border-[var(--border)] flex items-center justify-between px-4 shrink-0 bg-[var(--bg-secondary)]">
         <div className="flex items-center gap-4">
           <img src="/icon.png" alt="Forge" width={28} height={28} className="rounded" />
-          <span className="text-sm font-bold text-[var(--accent)]">
-            Forge{displayName && displayName !== 'Forge' ? ` · ${displayName}` : ''}
-          </span>
+          <span className="text-sm font-bold text-[var(--accent)]">Forge</span>
+          {/* Enterprise sources — popover with per-tenant Re-sync / Reinstall /
+              Remove rows + inline Add tenant. Sits where the displayName used
+              to be so it's the first signal you see on cold open. */}
+          <Suspense fallback={null}>
+            <EnterpriseBadge onOpenSettings={() => setShowSettings(true)} />
+          </Suspense>
           {versionInfo && (
             <span className="flex items-center gap-1.5">
               <span className="text-[10px] text-[var(--text-secondary)]">v{versionInfo.current}</span>
@@ -638,6 +671,11 @@ export default function Dashboard({ user }: { user: any }) {
               onClick={() => { setShowUserMenu(v => !v); setShowNotifications(false); }}
               className="text-[10px] text-[var(--text-secondary)] hover:text-[var(--text-primary)] flex items-center gap-1 px-1"
             >
+              {profileDept && (
+                <span className="text-[9px] px-1 py-[1px] rounded bg-emerald-500/15 text-emerald-500 border border-emerald-500/30 mr-1" title="Active department">
+                  {profileDept}
+                </span>
+              )}
               {displayName} <span className="text-[8px]">▾</span>
             </button>
             {showUserMenu && (

package/components/DocTerminal.tsx

@@ -30,11 +30,17 @@ export default function DocTerminal({ docRoot, agent }: { docRoot: string; agent
     fetch('/api/settings').then(r => r.json())
       .then((s: any) => { if (s.skipPermissions) skipPermRef.current = true; })
       .catch(() => {});
+    // Resolve via ?resolve= so derived agents (forti-k2 base: claude
+    // with no own path) inherit the base's absolute path. The plain
+    // /api/agents list returns the row's literal `path`, which is
+    // empty for derived agents and gives a useless fallback.
     fetch('/api/agents').then(r => r.json())
-      .then(data => {
+      .then(async (data: any) => {
         const targetId = agent || data.defaultAgent || 'claude';
-        const found = (data.agents || []).find((a: any) => a.id === targetId);
-        if (found?.path) agentCmdRef.current = found.path;
+        try {
+          const info = await fetch(`/api/agents?resolve=${encodeURIComponent(targetId)}`).then(r => r.ok ? r.json() : null);
+          if (info?.cliCmd) agentCmdRef.current = info.cliCmd;
+        } catch {}
       })
       .catch(() => {});
   }, []);
@@ -97,7 +103,7 @@ export default function DocTerminal({ docRoot, agent }: { docRoot: string; agent
               setTimeout(() => {
                 if (socket.readyState === WebSocket.OPEN) {
                   const sf = skipPermRef.current ? ' --dangerously-skip-permissions' : '';
-                  socket.send(JSON.stringify({ type: 'input', data: `cd "${docRootRef.current}" && ${agentCmdRef.current} -c${sf}\n` }));
+                  socket.send(JSON.stringify({ type: 'input', data: `cd "${docRootRef.current}" && "${agentCmdRef.current}" -c${sf}\n` }));
                 }
               }, 300);
             }
@@ -166,13 +172,13 @@ export default function DocTerminal({ docRoot, agent }: { docRoot: string; agent
         </span>
         <div className="ml-auto flex items-center gap-1">
           <button
-            onClick={() => { const sf = skipPermRef.current ? ' --dangerously-skip-permissions' : ''; runCommand(`cd "${docRoot}" && ${agentCmdRef.current}${sf}`); }}
+            onClick={() => { const sf = skipPermRef.current ? ' --dangerously-skip-permissions' : ''; runCommand(`cd "${docRoot}" && "${agentCmdRef.current}"${sf}`); }}
             className="text-[10px] px-2 py-0.5 text-[var(--accent)] hover:bg-[#2a2a4a] rounded"
           >
             New
           </button>
           <button
-            onClick={() => { const sf = skipPermRef.current ? ' --dangerously-skip-permissions' : ''; runCommand(`cd "${docRoot}" && ${agentCmdRef.current} -c${sf}`); }}
+            onClick={() => { const sf = skipPermRef.current ? ' --dangerously-skip-permissions' : ''; runCommand(`cd "${docRoot}" && "${agentCmdRef.current}" -c${sf}`); }}
             className="text-[10px] px-2 py-0.5 text-gray-400 hover:text-white hover:bg-[#2a2a4a] rounded"
           >
             Resume