@aion0/forge 0.10.40 → 0.10.42

package/components/OnboardingWizard.tsx

@@ -55,6 +55,10 @@ interface OnboardingState {
     default_enabled: boolean;
     has_prompts: boolean;
     already_installed: boolean;
+    /** Template-baked field values for this connector (excluding ${...}
+     *  prompts, which appear in section 3). Secrets are masked to
+     *  '••••••••'. Instances arrays are flattened to '<name>.<field>'. */
+    defaults?: Array<{ field: string; value: string; is_secret: boolean }>;
   }>;
   template_prompts: Record<string, PromptDef>;
   /** Per ${key} prompt: true = at least one target field already has a real value;
@@ -62,7 +66,51 @@ interface OnboardingState {
   prompt_values_set: Record<string, boolean>;
   /** Per ${key}: which connector.field references it (for UI hint). */
   prompt_targets: Record<string, Array<{ connector: string; field: string }>>;
+  /** Pre-baked CLI agents the template will install (from `_agents`). */
+  template_agents_preview?: Array<{ id: string; tool?: string; has_secret: boolean }>;
+  /** Pre-baked API profiles the template will install (from `_apiProfiles`). */
+  template_api_profiles_preview?: Array<{ id: string; provider?: string; model?: string; has_secret: boolean }>;
+  /** Keys the template auto-derives from other prompts (e.g. user_email_local). */
+  template_derive_keys?: string[];
+  /** Lowercased enterprise name when the template is enterprise-sourced. */
+  template_enterprise_name?: string;
+  /** Wizard layout knobs declared by template._wizard — controls how much of
+   *  the wizard's collapsing/hiding logic kicks in. Enterprise templates with
+   *  nearly-everything baked set minimal:true so the user only sees Identity
+   *  + required prompts + preview. */
+  template_wizard?: {
+    minimal: boolean;
+    hide_connectors: boolean;
+    hide_pipelines: boolean;
+    required_only: boolean;
+  };
+  /** When the template ships a `_temperAdmin: {url, token}` block (or the user
+   *  set temperAdminToken manually), Forge will auto-provision a Temper memory
+   *  account on Apply. `provisioned` reflects whether settings.temperKey is
+   *  already populated (= no re-provision will happen). */
+  memory_auto_provision?: {
+    url: string;
+    provisioned: boolean;
+  };
   suggested_pipelines: string[];
+  /** E2: list of source ids the wizard can switch between. Powers the
+   *  tenant selector at the top. `public` always present; user override
+   *  + each enterprise tenant appear when configured. */
+  available_sources?: Array<{ id: string; display_name: string; has_template: boolean }>;
+  /** Source id that actually fed the rendered template — null when none
+   *  cached (bundled fallback in use). */
+  resolved_source?: string | null;
+  /** The source_id the GET request asked for (null when none requested). */
+  requested_source_id?: string | null;
+  /** E3: dept picker — list of departments within the currently-scoped
+   *  source. Empty = single-template source, no picker shown. */
+  available_departments?: Array<{ id: string; display_name: string }>;
+  /** Dept id actually rendered (defaults to first dept when none requested). */
+  resolved_dept?: string | null;
+  requested_dept_id?: string | null;
+  /** Template's self-declared `_department_name`. Surfaced for the
+   *  breadcrumb so the user sees what {dept.name} resolves to. */
+  template_department_name?: string;
 }
 
 interface ApplyResultPhase {
@@ -111,6 +159,13 @@ export function OnboardingBanner({ onOpen }: { onOpen: () => void }) {
 
 const inputCls = 'w-full text-[11px] bg-[var(--bg-tertiary)] border border-[var(--border)] rounded px-2 py-1 text-[var(--text-primary)] focus:outline-none focus:border-[var(--accent)]';
 
+function buildOnboardingUrl(sourceId: string | null, deptId: string | null): string {
+  const q = new URLSearchParams();
+  if (sourceId) q.set('source_id', sourceId);
+  if (deptId) q.set('dept', deptId);
+  return q.size ? `/api/onboarding?${q.toString()}` : '/api/onboarding';
+}
+
 const PROVIDER_DEFAULTS: Record<string, { baseUrl: string; model: string }> = {
   anthropic: { baseUrl: 'https://api.anthropic.com', model: 'claude-sonnet-4-6' },
   deepseek: { baseUrl: 'https://api.deepseek.com', model: 'deepseek-chat' },
@@ -121,8 +176,19 @@ const PROVIDER_DEFAULTS: Record<string, { baseUrl: string; model: string }> = {
   litellm: { baseUrl: 'http://127.0.0.1:4000/v1', model: 'gpt-4o-mini' },
 };
 
-export function OnboardingDrawer({ onClose, onComplete }: { onClose: () => void; onComplete: () => void }) {
+export function OnboardingDrawer({ onClose, onComplete, initialSourceId }: { onClose: () => void; onComplete: () => void; initialSourceId?: string | null }) {
   const [state, setState] = useState<OnboardingState | null>(null);
+  // E2: which source's template is currently scoped to. null = use the
+  // default priority chain (server's resolveTemplate decides). Changing
+  // this triggers a refetch + re-render of the entire wizard so prompts
+  // and connector lists swap to the chosen tenant's template.
+  // E4: when EnterpriseBadge hands off after a fresh key add, the
+  // source id arrives via prop so the wizard renders scoped from the
+  // first mount.
+  const [currentSource, setCurrentSource] = useState<string | null>(initialSourceId ?? null);
+  // E3: which dept within `currentSource`. null = use the source's first
+  // dept. Changing this re-fetches the wizard state.
+  const [currentDept, setCurrentDept] = useState<string | null>(null);
 
   // Section 1: Identity
   const [displayName, setDisplayName] = useState('');
@@ -192,7 +258,15 @@ export function OnboardingDrawer({ onClose, onComplete }: { onClose: () => void;
   // backend monitor probes — so users see what's actually live before
   // we dismiss the wizard.
   type CheckState = { status: 'pending' | 'running' | 'ok' | 'fail' | 'skipped'; message?: string; detail?: any };
-  const [phase, setPhase] = useState<'form' | 'checks'>('form');
+  // 'splash' is the cold-boot choose-tenant gate: shown when there's no
+  // enterprise source yet so the user picks between adding an enterprise
+  // key or continuing with the public template. Skipped entirely when
+  // the wizard launches scoped to an existing source (e.g. handoff from
+  // EnterpriseBadge add) or when enterprise is already configured.
+  const [phase, setPhase] = useState<'splash' | 'form' | 'checks'>('form');
+  const [splashAddKey, setSplashAddKey] = useState('');
+  const [splashBusy, setSplashBusy] = useState(false);
+  const [splashError, setSplashError] = useState('');
   const [checks, setChecks] = useState<Record<string, CheckState>>({
     glabCli: { status: 'pending' },
     loginStatus: { status: 'pending' },
@@ -293,7 +367,8 @@ export function OnboardingDrawer({ onClose, onComplete }: { onClose: () => void;
         return;
       }
       // Pull fresh onboarding state (which re-computes suggested_pipelines).
-      const s = await fetch('/api/onboarding').then(x => x.json()) as OnboardingState;
+      const url = buildOnboardingUrl(currentSource, currentDept);
+      const s = await fetch(url).then(x => x.json()) as OnboardingState;
       setState(s);
       // Auto-select fortinet-* (existing user selections preserved).
       setSelectedPipelines(prev => {
@@ -312,13 +387,27 @@ export function OnboardingDrawer({ onClose, onComplete }: { onClose: () => void;
   // so the main state arrives instantly, CLI list fills in shortly
   // after. Avoids blocking the wizard mount on `which claude` etc.
   useEffect(() => {
+    // E2/E3: re-runs whenever `currentSource` or `currentDept` changes,
+    // so switching either dropdown pulls a fresh template + prompts.
+    // detect-cli is scope-agnostic, only re-fetch on mount.
+    const url = buildOnboardingUrl(currentSource, currentDept);
     Promise.all([
-      fetch('/api/onboarding').then(r => r.json()),
+      fetch(url).then(r => r.json()),
       fetch('/api/onboarding/detect-cli').then(r => r.json()).catch(() => ({ detected: [] })),
     ]).then(([s, d]: [OnboardingState, { detected: typeof s.detected_cli }]) => {
       // Merge probe results into state
       s.detected_cli = d.detected || [];
       setState(s);
+      // Cold-boot gate: no enterprise sources AND no explicit scope from
+      // the EnterpriseBadge handoff → show the choose-tenant splash.
+      // Once user picks (add enterprise OR continue with public), we
+      // flip to 'form' and the load effect re-runs with the choice
+      // baked in.
+      const hasEnterpriseSource = Array.isArray(s.available_sources)
+        && s.available_sources.some(src => src.id !== 'public' && src.id !== 'user' && src.has_template);
+      if (!hasEnterpriseSource && !currentSource && !initialSourceId) {
+        setPhase('splash');
+      }
       setDisplayName(s.current.displayName);
       setDisplayEmail(s.current.displayEmail);
       setSelectedPipelines(new Set(s.suggested_pipelines));
@@ -377,7 +466,7 @@ export function OnboardingDrawer({ onClose, onComplete }: { onClose: () => void;
       current: { displayName: '', displayEmail: '', apiProfileIds: [], apiProfile: null, chatAgent: '', defaultAgent: '', agents: [], projectRoots: [] },
       detected_cli: [], template_connectors: [], template_prompts: {}, prompt_values_set: {}, prompt_targets: {}, suggested_pipelines: [],
     }));
-  }, []);
+  }, [currentSource, currentDept]);
 
   // Quick provider preset switch
   function setProviderPreset(key: keyof typeof PROVIDER_DEFAULTS) {
@@ -388,6 +477,36 @@ export function OnboardingDrawer({ onClose, onComplete }: { onClose: () => void;
     setApiProvider(key === 'anthropic' ? 'anthropic' : 'openai-compatible');
   }
 
+  async function splashAddEnterprise() {
+    const key = splashAddKey.trim();
+    if (!key || splashBusy) return;
+    setSplashBusy(true); setSplashError('');
+    try {
+      const r = await fetch('/api/enterprise-keys', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ key }),
+      });
+      const data = await r.json();
+      if (!data.ok) { setSplashError(data.error || 'failed to add key'); return; }
+      // Hand off to the scoped wizard. Setting currentSource fires the
+      // load effect which re-fetches the rendered template, prompts,
+      // dept list etc. for the new tenant. `phase` flips to 'form' so
+      // the splash is gone on next render.
+      if (data.source_id) setCurrentSource(data.source_id);
+      setPhase('form');
+    } catch (e) {
+      setSplashError(e instanceof Error ? e.message : String(e));
+    } finally {
+      setSplashBusy(false);
+    }
+  }
+
+  function splashUsePublic() {
+    setCurrentSource(null);  // priority chain → public falls through
+    setPhase('form');
+  }
+
   async function apply() {
     if (applying) return;
     setApplying(true); setResult(null);
@@ -407,6 +526,11 @@ export function OnboardingDrawer({ onClose, onComplete }: { onClose: () => void;
         selectedConnectors: Array.from(selectedConnectors),
         pipelines: Array.from(selectedPipelines),
         projectRoots: projectInput.split(/[\n,]/).map(s => s.trim()).filter(Boolean),
+        // E2/E3: apply against the same template GET rendered. Use
+        // state.resolved_* as fallback so an untouched dropdown still
+        // sends what was rendered (server's default lookup matches).
+        ...(currentSource || state?.resolved_source ? { sourceId: currentSource || state?.resolved_source } : {}),
+        ...(currentDept || state?.resolved_dept ? { deptId: currentDept || state?.resolved_dept } : {}),
       };
       // Send apiProfile if a key was typed OR if we're re-confirming an
       // existing profile (apiKeyExisting=true and user changed any field).
@@ -477,6 +601,62 @@ export function OnboardingDrawer({ onClose, onComplete }: { onClose: () => void;
     if (!dirty || confirm('Close without saving? Your unsaved inputs will be lost.')) onClose();
   };
 
+  if (phase === 'splash') {
+    return (
+      <DrawerShell onClose={onClose}>
+        <div className="overflow-y-auto flex-1 p-5 space-y-4">
+          <h2 className="text-sm font-medium text-[var(--text-primary)]">Welcome to Forge</h2>
+          <p className="text-[11px] text-[var(--text-secondary)] leading-snug">
+            Start with an enterprise template (Fortinet, etc. — pre-baked
+            tokens, agents, and pipelines for your org), or continue with
+            the public template (you wire each connector by hand).
+          </p>
+
+          <div className="border border-[var(--accent)]/30 bg-[var(--accent)]/5 rounded p-3 space-y-2">
+            <div className="text-[11px] font-medium text-[var(--text-primary)]">🔒 Add enterprise key</div>
+            <div className="text-[10px] text-[var(--text-secondary)] leading-snug">
+              Paste a key like <code>fortinet:&lt;PAT&gt;</code> or the long form
+              <code> &lt;PAT&gt;@github.com/org/repo</code>. After validation the
+              wizard reloads scoped to that tenant.
+            </div>
+            <input
+              type="password"
+              value={splashAddKey}
+              onChange={(e) => setSplashAddKey(e.target.value)}
+              placeholder="enterprise key"
+              autoFocus
+              className={inputCls}
+              onKeyDown={(e) => { if (e.key === 'Enter') splashAddEnterprise(); }}
+            />
+            {splashError && (
+              <div className="text-[10px] text-red-400">{splashError}</div>
+            )}
+            <button
+              onClick={splashAddEnterprise}
+              disabled={splashBusy || !splashAddKey.trim()}
+              className="text-[11px] px-3 py-1 rounded bg-[var(--accent)] text-white hover:opacity-90 disabled:opacity-40"
+            >
+              {splashBusy ? 'Adding…' : 'Add + continue →'}
+            </button>
+          </div>
+
+          <div className="text-center text-[10px] text-[var(--text-secondary)]">or</div>
+
+          <button
+            onClick={splashUsePublic}
+            className="w-full text-[11px] px-3 py-2 rounded border border-[var(--border)] text-[var(--text-primary)] hover:bg-[var(--bg-tertiary)]"
+          >
+            Continue with public template →
+          </button>
+
+          <p className="text-[9px] text-[var(--text-secondary)] italic">
+            You can always add an enterprise key later from the badge in the top-left.
+          </p>
+        </div>
+      </DrawerShell>
+    );
+  }
+
   if (phase === 'checks') {
     return (
       <DrawerShell onClose={onClose}>
@@ -580,6 +760,12 @@ export function OnboardingDrawer({ onClose, onComplete }: { onClose: () => void;
     );
   }
 
+  // Section numbers are computed render-time so they stay sequential even
+  // when the template auto-installs API profile / agents (which hides sections
+  // 2 and 3) and minimal-mode pipelines stay visible.
+  let step = 0;
+  const stepN = () => ++step;
+
   return (
     <DrawerShell onClose={guardedClose}>
       <div className="overflow-y-auto flex-1 p-4 space-y-5">
@@ -587,19 +773,117 @@ export function OnboardingDrawer({ onClose, onComplete }: { onClose: () => void;
         <p className="text-[11px] text-[var(--text-secondary)] -mt-3">
           Fill in once. Re-runnable from Settings → "Re-run Onboarding".
         </p>
+        {/* E2: tenant selector — only renders when there's more than one
+            source to pick from (typical user has 1 enterprise + public).
+            `resolved_source` is highlighted with ✓; sources that haven't
+            cached a template yet show greyed out with "(not synced)". */}
+        {((state.available_sources && state.available_sources.filter(s => s.has_template).length > 1)
+          || (state.available_departments && state.available_departments.length > 1)) && (
+          <div className="flex items-center gap-2 text-[11px] -mt-2 flex-wrap">
+            <span className="text-[var(--text-secondary)]">Wizard for:</span>
+            {state.available_sources && state.available_sources.filter(s => s.has_template).length > 1 && (
+              <select
+                value={currentSource ?? (state.resolved_source ?? '')}
+                onChange={(e) => {
+                  // Source switch resets the dept choice — the new tenant's
+                  // depts are a different namespace, so let the server pick
+                  // the default again rather than mis-mapping the slug.
+                  setCurrentSource(e.target.value || null);
+                  setCurrentDept(null);
+                }}
+                className="text-[11px] bg-[var(--bg-tertiary)] border border-[var(--border)] rounded px-1.5 py-0.5 text-[var(--text-primary)] focus:outline-none focus:border-[var(--accent)]"
+              >
+                {state.available_sources.map(s => (
+                  <option key={s.id} value={s.id} disabled={!s.has_template}>
+                    {s.display_name}{!s.has_template ? ' (not synced)' : ''}{s.id === state.resolved_source ? ' ✓' : ''}
+                  </option>
+                ))}
+              </select>
+            )}
+            {state.available_departments && state.available_departments.length > 1 && (
+              <>
+                <span className="text-[var(--text-secondary)]">·</span>
+                <select
+                  value={currentDept ?? (state.resolved_dept ?? '')}
+                  onChange={(e) => setCurrentDept(e.target.value || null)}
+                  className="text-[11px] bg-[var(--bg-tertiary)] border border-[var(--border)] rounded px-1.5 py-0.5 text-[var(--text-primary)] focus:outline-none focus:border-[var(--accent)]"
+                >
+                  {state.available_departments.map(d => (
+                    <option key={d.id} value={d.id}>
+                      {d.display_name}{d.id === state.resolved_dept ? ' ✓' : ''}
+                    </option>
+                  ))}
+                </select>
+              </>
+            )}
+            {state.template_department_name && (
+              <span className="text-[10px] text-[var(--text-secondary)] italic">
+                {`{dept.name} = "${state.template_department_name}"`}
+              </span>
+            )}
+          </div>
+        )}
 
-        {/* ── 1. Identity ──────────────────────────────────────── */}
-        <Section title="1. Identity" hint="Used as your name in pipeline/connector contexts; referenceable later as {user.name} / {user.email}.">
+        {/* ── Identity ─────────────────────────────────────────── */}
+        <Section title={`${stepN()}. Identity`} hint="Used as your name in pipeline/connector contexts; referenceable later as {user.name} / {user.email}. Forge derives things like jenkins username from the email's local-part.">
           <Field label="Display name">
             <input className={inputCls} value={displayName} onChange={e => setDisplayName(e.target.value)} placeholder="Zhen Liu" />
           </Field>
           <Field label="Email">
             <input className={inputCls} value={displayEmail} onChange={e => setDisplayEmail(e.target.value)} placeholder="zliu@fortinet.com" />
           </Field>
+          {state.template_derive_keys?.length ? (
+            <p className="text-[9px] text-[var(--text-secondary)] italic">
+              Auto-derived from your email: {state.template_derive_keys.join(', ')}.
+            </p>
+          ) : null}
         </Section>
 
-        {/* ── 2. API Profile ───────────────────────────────────── */}
-        <Section title="2. Chat API key" hint="The LLM Forge's chat agent talks to. DeepSeek / Anthropic / OpenAI / Qwen / LiteLLM-compatible. Key encrypted at rest.">
+        {/* ── Template pre-baked items ─────────────────────────── */}
+        {(state.template_agents_preview?.length || state.template_api_profiles_preview?.length) && (
+          <Section
+            title={`${stepN()}. ${state.template_enterprise_name
+              ? `🔒 ${state.template_enterprise_name} — auto-installed`
+              : '🔒 Template — auto-installed'}`}
+            hint="The enterprise template pre-bakes these on your behalf. Tokens are encrypted in git and decrypted locally. You can edit / disable any of them in Settings after onboarding."
+          >
+            {state.template_agents_preview?.length ? (
+              <div>
+                <div className="text-[10px] uppercase tracking-wider text-[var(--text-secondary)] mb-1">CLI agents</div>
+                <ul className="space-y-0.5">
+                  {state.template_agents_preview.map((a) => (
+                    <li key={a.id} className="text-[11px] font-mono flex items-center gap-1.5">
+                      <span className="text-emerald-500">✓</span>
+                      <span className="text-[var(--text-primary)]">{a.id}</span>
+                      {a.tool && <span className="text-[9px] text-[var(--text-secondary)]">{a.tool}</span>}
+                      {a.has_secret && <span className="text-[9px] text-amber-500">🔐 secret</span>}
+                    </li>
+                  ))}
+                </ul>
+              </div>
+            ) : null}
+            {state.template_api_profiles_preview?.length ? (
+              <div className="mt-2">
+                <div className="text-[10px] uppercase tracking-wider text-[var(--text-secondary)] mb-1">Chat profiles</div>
+                <ul className="space-y-0.5">
+                  {state.template_api_profiles_preview.map((p) => (
+                    <li key={p.id} className="text-[11px] font-mono flex items-center gap-1.5">
+                      <span className="text-emerald-500">✓</span>
+                      <span className="text-[var(--text-primary)]">{p.id}</span>
+                      {p.provider && <span className="text-[9px] text-[var(--text-secondary)]">{p.provider}</span>}
+                      {p.model && <span className="text-[9px] text-[var(--text-secondary)]">{p.model}</span>}
+                      {p.has_secret && <span className="text-[9px] text-amber-500">🔐 secret</span>}
+                    </li>
+                  ))}
+                </ul>
+              </div>
+            ) : null}
+          </Section>
+        )}
+
+        {/* ── 2. API Profile (hidden when template provides one) ─ */}
+        {!state.template_api_profiles_preview?.length && (
+        <Section title={`${stepN()}. Chat API key`} hint="The LLM Forge's chat agent talks to. DeepSeek / Anthropic / OpenAI / Qwen / LiteLLM-compatible. Key encrypted at rest.">
           <div className="flex gap-1 mb-1 flex-wrap">
             {(['deepseek', 'anthropic', 'openai', 'qwen', 'litellm'] as const).map(p => (
               <button
@@ -631,9 +915,11 @@ export function OnboardingDrawer({ onClose, onComplete }: { onClose: () => void;
             Use this profile as the default chat agent
           </label>
         </Section>
+        )}
 
-        {/* ── 2.5. CLI Agent ──────────────────────────────────── */}
-        <Section title="3. CLI Agent" hint="The CLI tool Forge launches for terminal / task sessions (claude-code / codex / aider). Detected on PATH below.">
+        {/* ── 2.5. CLI Agent (hidden when template provides _agents) ─ */}
+        {!state.template_agents_preview?.length && (
+        <Section title={`${stepN()}. CLI Agent`} hint="The CLI tool Forge launches for terminal / task sessions (claude-code / codex / aider). Detected on PATH below.">
           {state.detected_cli.length === 0 && state.current.agents.length === 0 && (
             <p className="text-[10px] text-amber-500">
               No CLI agents detected on PATH. Install one (e.g. <code>npm i -g @anthropic-ai/claude-code</code>) and re-run onboarding.
@@ -682,20 +968,73 @@ export function OnboardingDrawer({ onClose, onComplete }: { onClose: () => void;
             </label>
           )}
         </Section>
+        )}
+
+        {/* ── 3. Connectors ──────────────────────────────────────
+            In minimal mode we drop the bulk selector AND filter the connector
+            list to ones that still need user input — anything fully baked or
+            already-set silently rides along on the pre-selected set. */}
+        {(() => {
+          const w = state.template_wizard;
+          const minimal = !!w?.minimal;
+          const hideConnectors = !!w?.hide_connectors;
+          const requiredOnly = !!w?.required_only;
+          const allConnectors = state.template_connectors || [];
+          const promptsByKey = state.template_prompts || {};
+          const valuesSet = state.prompt_values_set || {};
+
+          // Which prompts to show for a given connector under the current
+          // visibility rules. In `requiredOnly` mode: drop non-required ones,
+          // but ALWAYS keep required prompts visible (set or not) so the user
+          // can re-enter a password / rotate a token without leaving minimal
+          // mode. The "● currently set" badge plus "leave blank to keep"
+          // placeholder already communicates that they don't have to touch it.
+          const visiblePromptsFor = (connectorId: string): string[] => {
+            const keys = (promptGroups.find(([c]) => c === connectorId)?.[1]) || [];
+            if (!requiredOnly) return keys;
+            return keys.filter(k => promptsByKey[k]?.required);
+          };
 
-        {/* ── 3. Connectors ────────────────────────────────────── */}
-        <Section title="3. Connector tokens" hint="Pick which connectors to install. Default = team-recommended set. Shared keys (e.g. GitLab PAT also used by Jenkins) only asked once.">
-          {(state.template_connectors || []).length === 0 && (
+          // Show every connector that has SOMETHING to display — either
+          // user-visible prompts or template-baked defaults. Even in
+          // minimal mode we no longer hide connectors with no prompts:
+          // the user explicitly wants visibility into what the template
+          // installs (e.g. mantis base_url, pmdb base_url).
+          const visibleConnectors = hideConnectors
+            ? []
+            : (minimal
+              ? allConnectors.filter(({ id, has_prompts, defaults }) =>
+                  (has_prompts && visiblePromptsFor(id).length > 0)
+                  || (Array.isArray(defaults) && defaults.length > 0))
+              : allConnectors);
+          return (
+        <Section
+          title={`${stepN()}. Required tokens`}
+          hint={minimal
+            ? "Only fields you must fill in are shown. Everything else (defaults, presets) is auto-installed."
+            : "Pick which connectors to install. Default = team-recommended set. Shared keys (e.g. GitLab PAT also used by Jenkins) only asked once."}
+        >
+          {allConnectors.length === 0 && (
             <p className="text-[10px] text-amber-500">
               No template loaded. Make sure the marketplace has been synced (Settings → Connectors → Sync).
             </p>
           )}
-          {/* Bulk select/deselect */}
-          {(state.template_connectors || []).length > 0 && (
+          {hideConnectors && allConnectors.length > 0 && visibleConnectors.length === 0 && (
+            <p className="text-[10px] text-[var(--text-secondary)]">
+              ✓ All connectors are pre-configured by your template. Nothing to fill in here.
+            </p>
+          )}
+          {!hideConnectors && minimal && allConnectors.length > 0 && visibleConnectors.length === 0 && (
+            <p className="text-[10px] text-[var(--text-secondary)]">
+              ✓ All required tokens already set. You can re-enter values to overwrite them.
+            </p>
+          )}
+          {/* Bulk select/deselect — hidden in minimal mode (all pre-selected) */}
+          {!minimal && allConnectors.length > 0 && (
             <div className="flex items-center gap-1.5 text-[10px] text-[var(--text-secondary)]">
               <button
                 type="button"
-                onClick={() => setSelectedConnectors(new Set((state.template_connectors || []).map(c => c.id)))}
+                onClick={() => setSelectedConnectors(new Set(allConnectors.map(c => c.id)))}
                 className="px-1.5 py-0.5 border border-[var(--border)] rounded hover:border-[var(--text-primary)]"
               >Select all</button>
               <button
@@ -703,12 +1042,12 @@ export function OnboardingDrawer({ onClose, onComplete }: { onClose: () => void;
                 onClick={() => setSelectedConnectors(new Set())}
                 className="px-1.5 py-0.5 border border-[var(--border)] rounded hover:border-[var(--text-primary)]"
               >Deselect all</button>
-              <span className="ml-auto">{selectedConnectors.size}/{(state.template_connectors || []).length} selected</span>
+              <span className="ml-auto">{selectedConnectors.size}/{allConnectors.length} selected</span>
             </div>
           )}
-          {(state.template_connectors || []).map(({ id: connector, has_prompts, already_installed }) => {
+          {visibleConnectors.map(({ id: connector, has_prompts, already_installed, defaults }) => {
             const checked = selectedConnectors.has(connector);
-            const promptKeys = (promptGroups.find(([c]) => c === connector)?.[1]) || [];
+            const promptKeys = visiblePromptsFor(connector);
             const toggle = () => {
               setSelectedConnectors(prev => {
                 const next = new Set(prev);
@@ -759,13 +1098,41 @@ export function OnboardingDrawer({ onClose, onComplete }: { onClose: () => void;
                     </div>
                   );
                 })}
+                {/* Template-baked defaults — what lands on Apply for the
+                    fields the user doesn't fill in. Distinct from the
+                    italic gray hint text by being monospace + chip-style.
+                    Auto-collapsed; click to expand. */}
+                {checked && defaults && defaults.length > 0 && (
+                  <details className="ml-5">
+                    <summary className="text-[9px] text-[var(--text-secondary)] cursor-pointer hover:text-[var(--text-primary)]">
+                      Template defaults ({defaults.length})
+                    </summary>
+                    <div className="mt-1 space-y-0.5">
+                      {defaults.map(d => (
+                        <div key={d.field} className="flex items-baseline gap-1.5 text-[10px] font-mono leading-relaxed">
+                          <span className="text-[var(--text-secondary)] shrink-0">{d.field}</span>
+                          <span className="text-[var(--text-secondary)]">=</span>
+                          <span className={
+                            d.is_secret
+                              ? 'px-1 rounded bg-amber-500/10 text-amber-400 border border-amber-500/20 break-all'
+                              : 'px-1 rounded bg-[var(--bg-tertiary)] text-[var(--text-primary)] border border-[var(--border)] break-all'
+                          }>
+                            {d.value}
+                          </span>
+                        </div>
+                      ))}
+                    </div>
+                  </details>
+                )}
               </div>
             );
           })}
         </Section>
+          );
+        })()}
 
-        {/* ── 4. Pipelines ─────────────────────────────────────── */}
-        <Section title="4. Pipelines" hint="Installs from the workflow marketplace. fortinet-* default-selected.">
+        {/* ── Pipelines ───────────────────────────────────────── */}
+        <Section title={`${stepN()}. Pipelines`} hint="Installs from the workflow marketplace. fortinet-* default-selected.">
           <div className="flex items-center gap-2 mb-1">
             <button
               type="button"
@@ -798,12 +1165,16 @@ export function OnboardingDrawer({ onClose, onComplete }: { onClose: () => void;
           ))}
         </Section>
 
-        {/* ── 5. Projects ──────────────────────────────────────── */}
-        <Section title="5. Project roots (optional)" hint="Directories Forge can run agents in. Pick from filesystem or type/paste paths (one per line).">
-          {state.current.projectRoots.length > 0 && (
+        {/* ── Projects ────────────────────────────────────────── */}
+        <Section title={`${stepN()}. Project roots (optional)`} hint="Directories Forge can run agents in. Pick from filesystem or type/paste paths (one per line).">
+          {state.current.projectRoots.length > 0 ? (
             <p className="text-[10px] text-[var(--text-secondary)]">
               Existing: <span className="font-mono">{state.current.projectRoots.join(', ')}</span> (new entries appended)
             </p>
+          ) : (
+            <p className="text-[10px] text-amber-400/90">
+              No project roots yet. Pipelines first try to auto-clone the GitLab connector's <span className="font-mono">default_project_path</span>; if that's not set or clone fails, they fall back to <span className="font-mono">&lt;dataDir&gt;/scratch</span> so they still run (worktrees land inside scratch).
+            </p>
           )}
           <div className="flex items-center gap-2">
             <button
@@ -868,12 +1239,28 @@ export function OnboardingDrawer({ onClose, onComplete }: { onClose: () => void;
           )}
         </Section>
 
-        {/* ── 6. Memory (info only) ────────────────────────────── */}
-        <Section title="6. Memory">
-          <p className="text-[10px] text-[var(--text-secondary)]">
-            Defaults to local SQLite — no setup needed. Want team-shared memory?
-            Configure Temper later in Settings → Memory.
-          </p>
+        {/* ── Memory (info only) ──────────────────────────────── */}
+        <Section title={`${stepN()}. Memory`}>
+          {state.memory_auto_provision ? (
+            <div className="space-y-1">
+              <div className="text-[11px] px-2 py-1.5 rounded border border-emerald-500/40 bg-emerald-500/10 text-emerald-300">
+                <strong>Auto:</strong>{' '}
+                {state.memory_auto_provision.provisioned
+                  ? <>Temper account already provisioned — chat memory backed by <span className="font-mono">{state.memory_auto_provision.url}</span>.</>
+                  : <>On <strong>Apply</strong>, Forge will provision a Temper account at <span className="font-mono">{state.memory_auto_provision.url}</span> using your identity above and wire chat memory to it.</>
+                }
+              </div>
+              <p className="text-[10px] text-[var(--text-secondary)]">
+                Prefer local-only memory? Switch to <strong>Local</strong> in Settings → Memory after onboarding —
+                Forge falls back to a local SQLite store and your Temper credentials remain inert.
+              </p>
+            </div>
+          ) : (
+            <p className="text-[10px] text-[var(--text-secondary)]">
+              Defaults to local SQLite — no setup needed. Want team-shared memory?
+              Configure Temper later in Settings → Memory.
+            </p>
+          )}
         </Section>
       </div>