@aion0/forge 0.10.41 → 0.10.43

package/RELEASE_NOTES.md

@@ -1,89 +1,11 @@
-# Forge v0.10.41
+# Forge v0.10.43
 
 Released: 2026-06-07
 
-## Changes since v0.10.40
-
-### Features
-- fix: agent path resolution + wizard writes self-contained settings
-- feat: pipelines auto-install on Reinstall + monitor self-detect
-
-### Bug Fixes
-- fix: agent path resolution + wizard writes self-contained settings
+## Changes since v0.10.42
 
 ### Other
-- chat: guard against silent project guessing for ambiguous MR / bug ids
-- feat(marketplace): single unified Sync all — covers every type + every source
-- ui: restore Re-sync registry button in Enterprise section
-- ui: consolidate sync into Marketplace Connectors → Refresh
-- ui(settings): per-source ↻ Sync button on each enterprise row
-- ui(settings): re-run wizard moves next to Re-sync, shorter copy
-- fix(settings): remove "Reinstall all" button — too many footguns
-- fix(login-status,reinstall): badge polls, Reinstall force-overwrites instance fields
-- fix(login-status): panel re-probes on mount, drops stale-cache UX
-- fix(login-status): Test button writes result to login-status cache
-- feat(wizard,pipeline): temper auto-provision + scratch-first project resolution + login-status cache invalidate
-- fix(wizard): sequential section numbers + always show Pipelines
-- feat(wizard): show template-baked defaults under each connector
-- fix(wizard): profile-as-defaults — open with user's company+dept
-- revert(wizard): drop settings.company override on source default
-- fix(wizard): tenant selector defaults to settings.company
-- fix(wizard): revert force-apply complexity, dept default reads settings.dept
-- fix(wizard): re-run with different dept actually rotates defaults
-- ui(profile): dept edit just updates label, no template re-apply
-- feat(profile): company + dept as user-profile fields
-- ui(enterprise): dept chip is display-only, picker lives in wizard
-- feat(enterprise): dept chip becomes a one-click selector
-- feat(wizard): support template-less department entries
-- ui(enterprise): show single active dept, not the full list
-- feat(enterprise): highlight currently-active dept chip
-- feat(enterprise): surface dept list under each tenant
-- ui(settings): merge Onboarding into Enterprise section at top
-- fix(wizard): default dept picker to last-applied dept
-- fix(wizard): restore auto-open + add cold-boot tenant splash
-- fix(wizard): hasCache check accepts multi-dept index too
-- fix(wizard): priority chain reads multi-dept cache, not just legacy file
-- feat(wizard): add-key → wizard handoff + cold-boot auto-open gate (E4)
-- feat(wizard): multi-department templates per source (E3)
-- feat(wizard): tenant-scoped wizard via ?source_id (E2)
-- feat(enterprise): editable keys (E1 of wizard redesign)
-- feat(chat): surface connector defaults + stem-match arg fallback
-- fix(ui): anchor enterprise popover to left edge
-- fix(ui): drop displayName suffix from top-left title
-- feat(ui): enterprise badge popover next to Forge title + settings reorder
-- ui(settings): split 'Add tenant' from sync/reinstall actions
-- feat(marketplace): Reinstall also applies template defaults to connector configs
-- feat(dispatcher): auto-fill missing tool args from settings.default_<name>
-- fix(http): expand tokens in body_form_inject_from values + keys
-- fix(onboarding): fall back to displayName when email is empty for {user.login}
-- feat(api): /api/bridge-info — expose browser-bridge port for the extension
-- feat(auth): first-time admin password setup — no current-password required
-- cli: forge --reset-password forwards trailing args (so --dir picks target instance)
-- fix(onboarding): synchronously sync enterprise template on first launch
-- fix(db): silence expected 'no such table' on fresh DB init
-- onboarding: orphan instance rows drop unconditionally — template is canonical
-- fix(connectors): cross-ref regex must also accept single-token refs like {base_url}
-- fix(connectors): jenkins template — preserve cross-refs, refill empty, drop orphans
-- feat(chat): preflight required connector settings with wizard prompt URL
-- template: drop hardcoded default-jenkins from bundled fallback
-- fix(onboarding): bake {user.X} tokens into persisted connector config
-- marketplace: surface enterprise availability even when versions match
-- fix(marketplace): surface update_source_id so Update button shows where it pulls from
-- feat(marketplace): Reinstall-all button — force-flip installed connectors to enterprise
-- feat(connectors): {user.*} global identity tokens + instances merge by name
-- fix(wizard): minimal mode no longer hides required-prompt connector cards
-- feat(marketplace): per-source sync status + PAT-scope diagnostic
-- feat(onboarding): _wizard.minimal flag — hide non-required steps
-- fix(enterprise): dedupe sources, scope monitor, tighten browser probe, default chat agent
-- feat(wizard): data-driven UI — collapse hardcoded sections when template fills them
-- feat(templates): {connector:id.field} cross-ref + _derive in wizard apply
-- refactor(enterprise): unify ftnt → fortinet + dev-test passthrough + secret-scan guard
-- feat(enterprise): obfuscated secrets + _agents preset in wizard template
-- docs(help): enterprise marketplace + multi-source connector flow
-- feat(wizard): per-enterprise onboarding template via resolver chain
-- feat(enterprise): Dashboard badge + add_enterprise_key chat tool
-- feat(ui): enterprise sources in marketplace + Settings panel
-- feat(marketplace): multi-source connector + workflow registries (enterprise keys)
+- wizard: required fields + email pattern + skip means skip + dedup
 
 
-**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.40...v0.10.41
+**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.42...v0.10.43

package/app/api/onboarding/route.ts

@@ -449,7 +449,15 @@ function preprocessTemplate(
     if (changed) saveSettings({ ...fresh, agents: current });
   }
 
-  // _apiProfiles — same shape rules
+  // _apiProfiles — same shape rules + dedup-by-backend.
+  //
+  // Dedup: if the user already has an apiProfile pointing at the same
+  // (baseUrl, model) tuple, skip the template entry even when the IDs
+  // differ. This handles wizard-template rename scenarios — e.g. the
+  // template changed `forti-k2-chat` (provider: anthropic) into
+  // `fortinac-qwen-chat` (provider: litellm). Without this check we'd
+  // add the renamed entry alongside the user's existing one, leaving
+  // two profiles for the same backend.
   const profilesApplied: string[] = [];
   const profilesDict = template._apiProfiles as Record<string, any> | undefined;
   if (profilesDict && typeof profilesDict === 'object') {
@@ -457,12 +465,27 @@ function preprocessTemplate(
     const current = { ...(fresh.apiProfiles || {}) };
     let changed = false;
     let defaultPick: string | undefined;
+    // Build (baseUrl|model) → existing id index for dedup lookup.
+    const backendKey = (p: any): string =>
+      `${String(p?.baseUrl || '').toLowerCase().replace(/\/+$/, '')}|${String(p?.model || '').toLowerCase()}`;
+    const existingByBackend = new Map<string, string>();
+    for (const [id, p] of Object.entries(current)) {
+      const k = backendKey(p);
+      if (k !== '|') existingByBackend.set(k, id);
+    }
     for (const [profileId, raw] of Object.entries(profilesDict)) {
       if (!raw || typeof raw !== 'object') continue;
       const overwrite = (raw as any)._overwrite === true;
       if (current[profileId] && !overwrite) continue;
+      // Skip if a different-id profile already targets the same (baseUrl, model).
+      const tplKey = backendKey(raw);
+      if (!overwrite && tplKey !== '|' && existingByBackend.has(tplKey)
+          && existingByBackend.get(tplKey) !== profileId) {
+        continue;
+      }
       const { _overwrite, _default, ...entry } = raw as Record<string, unknown>;
       current[profileId] = entry as unknown as ApiProfile;
+      existingByBackend.set(tplKey, profileId);
       profilesApplied.push(profileId);
       changed = true;
       // First entry flagged `_default: true` (or the first applied entry
@@ -1248,6 +1271,14 @@ export async function GET(req: Request) {
     // {dept.name} substitution and surfaced in the UI breadcrumb.
     template_department_name:
       typeof template._department_name === 'string' ? template._department_name : undefined,
+    // Per-template identity validation. Currently just an email regex —
+    // e.g. `_identity.email_pattern: "^[^@]+@fortinet(-[a-z]+)?\\.com$"`
+    // lets the fortinac template enforce @fortinet.com / @fortinet-us.com
+    // suffixes. Surfaced raw so the client can show the pattern in error
+    // messages.
+    template_identity: (template._identity && typeof template._identity === 'object')
+      ? template._identity as Record<string, unknown>
+      : undefined,
   });
 }
 
@@ -1265,6 +1296,19 @@ export async function POST(req: Request) {
     return NextResponse.json({ ok: true });
   }
 
+  // 'skip' — user closes the wizard without applying. Just flip the
+  // gate; do NOT run any of the apply phases (identity / template
+  // _agents / _apiProfiles / connectors / pipelines / temper). The old
+  // behaviour reused action=apply with payload={} which still ran the
+  // template-side writes (applyConnectors → applyTemplateAgentsAndProfiles),
+  // so Skip silently committed the template even though the user said no.
+  if (action === 'skip') {
+    const settings = loadSettings();
+    settings.onboardingCompleted = true;
+    saveSettings(settings);
+    return NextResponse.json({ ok: true, skipped: true });
+  }
+
   if (action !== 'apply') {
     return NextResponse.json({ ok: false, error: 'unknown action' }, { status: 400 });
   }
@@ -1272,6 +1316,32 @@ export async function POST(req: Request) {
   const payload = (body?.payload || {}) as OnboardingPayload;
   const phases: Array<{ phase: string; ok: boolean; error?: string; detail?: any }> = [];
 
+  // Server-side enforcement of template's identity rules. The wizard
+  // also blocks at the client, but a malformed POST (curl / older client /
+  // dev-tools edit) can bypass that. Reject before any phase runs — no
+  // partial writes.
+  try {
+    const tpl = resolveTemplate(payload.sourceId, payload.deptId);
+    const idCfg = (tpl && typeof tpl._identity === 'object') ? tpl._identity as any : null;
+    const patternStr = idCfg?.email_pattern as string | undefined;
+    const email = payload.identity?.displayEmail?.trim();
+    if (patternStr && email) {
+      let pat: RegExp | null = null;
+      try { pat = new RegExp(patternStr); } catch { pat = null; }
+      if (pat && !pat.test(email)) {
+        const hint = (idCfg.email_pattern_hint as string | undefined)
+          || `Must match: ${patternStr}`;
+        return NextResponse.json({
+          ok: false,
+          error: `email "${email}" does not match the template's required pattern. ${hint}`,
+        }, { status: 400 });
+      }
+    }
+  } catch {
+    // Template resolution failure → fall through; client validation
+    // already covers the happy path.
+  }
+
   try {
     const e1 = applyIdentity(payload.identity);
     phases.push({ phase: 'identity', ok: !e1, ...(e1 ? { error: e1 } : {}) });

package/app/chat/page.tsx

@@ -19,7 +19,7 @@
 
 'use client';
 
-import { useCallback, useEffect, useMemo, useRef, useState } from 'react';
+import { memo, useCallback, useEffect, useMemo, useRef, useState } from 'react';
 import MarkdownContent from '@/components/MarkdownContent';
 import WatchesPanel from '@/components/WatchesPanel';
 import type { ContentBlock, Message, Session } from '@/lib/chat/types';
@@ -497,7 +497,10 @@ function RoleBlock({ role, ts, children }: { role: 'user' | 'assistant'; ts?: nu
   );
 }
 
-function MessageView({ m }: { m: Message }) {
+// Memoized — keystroke in the composer re-renders the page, and without
+// memo every prior message re-runs its markdown parse → typing in a long
+// chat became visibly laggy.
+const MessageView = memo(function MessageView({ m }: { m: Message }) {
   return (
     <RoleBlock role={m.role} ts={m.ts}>
       {m.blocks.map((b, i) => (
@@ -510,9 +513,9 @@ function MessageView({ m }: { m: Message }) {
       )}
     </RoleBlock>
   );
-}
+});
 
-function BlockView({ b, role }: { b: ContentBlock; role?: 'user' | 'assistant' }) {
+const BlockView = memo(function BlockView({ b, role }: { b: ContentBlock; role?: 'user' | 'assistant' }) {
   if (b.type === 'text') {
     return <MarkdownContent content={b.text} linkify={role === 'assistant'} />;
   }
@@ -524,7 +527,7 @@ function BlockView({ b, role }: { b: ContentBlock; role?: 'user' | 'assistant' }
     return <ToolResultBlockView content={txt} isError={!!b.is_error} />;
   }
   return null;
-}
+});
 
 function ToolUseBlockView({ name, input }: { name: string; input: unknown }) {
   const [open, setOpen] = useState(false);

package/bin/forge-server.mjs

@@ -119,6 +119,10 @@ const enterpriseKeysFromArgv = collectEnterpriseKeys();
 const webPort = parseInt(getArg('--port')) || 8403;
 const terminalPort = parseInt(getArg('--terminal-port')) || (webPort + 1);
 const workspacePort = parseInt(getArg('--workspace-port')) || (webPort + 2);
+// MCP server (inside workspace-standalone) was hardcoded to 8406, so a
+// second instance (dev-test on a different webPort) collided with the
+// main instance. Offset from webPort like every other service.
+const mcpPort = parseInt(getArg('--mcp-port')) || (webPort + 3);
 const DATA_DIR = getArg('--dir')?.replace(/^~/, homedir()) || join(homedir(), '.forge', 'data');
 
 const PID_FILE = join(DATA_DIR, 'forge.pid');
@@ -240,6 +244,7 @@ if (existsSync(envFile)) {
 process.env.PORT = String(webPort);
 process.env.TERMINAL_PORT = String(terminalPort);
 process.env.WORKSPACE_PORT = String(workspacePort);
+process.env.MCP_PORT = String(mcpPort);
 process.env.FORGE_DATA_DIR = DATA_DIR;
 
 // ── Password setup (first run or --reset-password) ──

package/components/OnboardingWizard.tsx

@@ -111,6 +111,13 @@ interface OnboardingState {
   /** Template's self-declared `_department_name`. Surfaced for the
    *  breadcrumb so the user sees what {dept.name} resolves to. */
   template_department_name?: string;
+  /** Per-template identity validation. Currently supports
+   *  `email_pattern` (JS-compatible regex) — e.g. fortinet enforces
+   *  ^[^@]+@fortinet(-[a-z]+)?\.com$. Optional. */
+  template_identity?: {
+    email_pattern?: string;
+    email_pattern_hint?: string;
+  };
 }
 
 interface ApplyResultPhase {
@@ -509,6 +516,51 @@ export function OnboardingDrawer({ onClose, onComplete, initialSourceId }: { onC
 
   async function apply() {
     if (applying) return;
+    // Identity is required — display name + email are referenced via
+    // {user.name} / {user.email} all over the template (jenkins username,
+    // gitlab commit author, etc.). Empty values produce silently-broken
+    // configs that surface much later.
+    const missing: string[] = [];
+    if (!displayName.trim()) missing.push('Display name');
+    if (!displayEmail.trim()) missing.push('Email');
+    // Template-side email pattern (e.g. fortinet template restricts to
+    // @fortinet.com / @fortinet-us.com / @fortinet-*.com). Skip when no
+    // pattern is declared. Compile-on-demand — pattern is a string from
+    // JSON so an invalid regex falls back to "accept all" rather than
+    // crashing the user's Apply flow.
+    const emailPatternStr = state?.template_identity?.email_pattern;
+    if (displayEmail.trim() && emailPatternStr) {
+      let pat: RegExp | null = null;
+      try { pat = new RegExp(emailPatternStr); } catch { pat = null; }
+      if (pat && !pat.test(displayEmail.trim())) {
+        const hint = state?.template_identity?.email_pattern_hint;
+        alert(`Email "${displayEmail.trim()}" doesn't match the required pattern.\n\n${hint || `Must match: ${emailPatternStr}`}`);
+        return;
+      }
+    }
+    // Required connector prompts (e.g. gitlab_token_name, gitlab_pat).
+    // Only check when their owning connector is selected AND the value
+    // isn't already saved from a prior wizard run (prompt_values_set).
+    if (state) {
+      const prompts = state.template_prompts || {};
+      const valuesSet = state.prompt_values_set || {};
+      const targets = state.prompt_targets || {};
+      for (const [key, def] of Object.entries(prompts)) {
+        if (!def.required) continue;
+        if (valuesSet[key]) continue;                       // already saved
+        const owners = targets[key] || [];
+        const owningConnectorSelected = owners.length === 0
+          || owners.some(t => selectedConnectors.has(t.connector));
+        if (!owningConnectorSelected) continue;             // unrelated to selected connectors
+        if (!(connectorValues[key] || '').trim()) {
+          missing.push(def.label || key);
+        }
+      }
+    }
+    if (missing.length > 0) {
+      alert(`Required field${missing.length > 1 ? 's' : ''} missing:\n\n• ${missing.join('\n• ')}`);
+      return;
+    }
     setApplying(true); setResult(null);
     try {
       // Strip values whose target connector got unchecked — keeping them
@@ -826,11 +878,36 @@ export function OnboardingDrawer({ onClose, onComplete, initialSourceId }: { onC
 
         {/* ── Identity ─────────────────────────────────────────── */}
         <Section title={`${stepN()}. Identity`} hint="Used as your name in pipeline/connector contexts; referenceable later as {user.name} / {user.email}. Forge derives things like jenkins username from the email's local-part.">
-          <Field label="Display name">
-            <input className={inputCls} value={displayName} onChange={e => setDisplayName(e.target.value)} placeholder="Zhen Liu" />
+          <Field label={<><span>Display name</span> <span className="text-red-400 font-bold ml-0.5">*</span></>}>
+            <input
+              className={inputCls + (displayName.trim() ? '' : ' !border-red-500 !border-2 ring-1 ring-red-500/40 bg-red-500/5')}
+              value={displayName}
+              onChange={e => setDisplayName(e.target.value)}
+              placeholder="Zhen Liu (required)"
+              required
+            />
           </Field>
-          <Field label="Email">
-            <input className={inputCls} value={displayEmail} onChange={e => setDisplayEmail(e.target.value)} placeholder="zliu@fortinet.com" />
+          <Field label={<><span>Email</span> <span className="text-red-400 font-bold ml-0.5">*</span></>}>
+            <input
+              className={inputCls + (() => {
+                if (!displayEmail.trim()) return ' !border-red-500 !border-2 ring-1 ring-red-500/40 bg-red-500/5';
+                const pat = state.template_identity?.email_pattern;
+                if (pat) {
+                  try { if (!new RegExp(pat).test(displayEmail.trim())) return ' !border-red-500 !border-2 ring-1 ring-red-500/40 bg-red-500/5'; } catch {}
+                }
+                return '';
+              })()}
+              value={displayEmail}
+              onChange={e => setDisplayEmail(e.target.value)}
+              placeholder="zliu@fortinet.com (required)"
+              required
+            />
+            {state.template_identity?.email_pattern && (
+              <p className="text-[9px] text-[var(--text-secondary)] italic">
+                {state.template_identity.email_pattern_hint
+                  || `Must match: ${state.template_identity.email_pattern}`}
+              </p>
+            )}
           </Field>
           {state.template_derive_keys?.length ? (
             <p className="text-[9px] text-[var(--text-secondary)] italic">
@@ -839,13 +916,91 @@ export function OnboardingDrawer({ onClose, onComplete, initialSourceId }: { onC
           ) : null}
         </Section>
 
-        {/* ── Template pre-baked items ─────────────────────────── */}
+        {/* ── Project roots — moved up so users address it before
+            the template-installed sections (which most just glance at). */}
+        <Section title={`${stepN()}. Project roots`} hint="Directories Forge can run agents in. Pick from filesystem or type/paste paths (one per line). Optional — pipelines fall back to <dataDir>/scratch when none configured.">
+          {state.current.projectRoots.length > 0 ? (
+            <p className="text-[10px] text-[var(--text-secondary)]">
+              Existing: <span className="font-mono">{state.current.projectRoots.join(', ')}</span> (new entries appended)
+            </p>
+          ) : (
+            <p className="text-[10px] text-amber-400/90">
+              No project roots yet. Pipelines first try to auto-clone the GitLab connector's <span className="font-mono">default_project_path</span>; if that's not set or clone fails, they fall back to <span className="font-mono">&lt;dataDir&gt;/scratch</span> so they still run (worktrees land inside scratch).
+            </p>
+          )}
+          <div className="flex items-center gap-2">
+            <button
+              type="button"
+              onClick={() => openPicker()}
+              className="text-[10px] px-2 py-0.5 border border-[var(--accent)] text-[var(--accent)] rounded hover:bg-[var(--accent)] hover:text-white"
+            >
+              📁 Pick folder…
+            </button>
+            <span className="text-[9px] text-[var(--text-secondary)]">or type below</span>
+          </div>
+          <textarea
+            rows={2}
+            className={inputCls + ' font-mono'}
+            value={projectInput}
+            onChange={e => setProjectInput(e.target.value)}
+            placeholder="/Users/you/IdeaProjects"
+          />
+
+          {pickerOpen && (
+            <div className="border border-[var(--border)] rounded p-2 bg-[var(--bg-tertiary)] space-y-1">
+              <div className="flex items-center gap-1 text-[10px] font-mono text-[var(--text-secondary)] truncate">
+                {pickerParent && (
+                  <button onClick={() => openPicker(pickerParent!)} className="text-[var(--accent)] hover:underline">..</button>
+                )}
+                <span className="truncate">{pickerPath || '(loading)'}</span>
+                <button
+                  onClick={() => setPickerOpen(false)}
+                  className="ml-auto text-[var(--text-secondary)] hover:text-[var(--text-primary)]"
+                >✕</button>
+              </div>
+              <div className="max-h-40 overflow-y-auto space-y-0.5">
+                {pickerEntries.length === 0 && (
+                  <p className="text-[10px] text-[var(--text-secondary)] italic">no subdirectories</p>
+                )}
+                {pickerEntries.map(e => (
+                  <div key={e.path} className="flex items-center gap-1 text-[10px] font-mono">
+                    <button
+                      onClick={() => openPicker(e.path)}
+                      className="text-[var(--text-primary)] hover:text-[var(--accent)] flex-1 text-left truncate"
+                      title="Drill into this folder"
+                    >
+                      📁 {e.name}
+                    </button>
+                    <button
+                      onClick={() => addPickedPath(e.path)}
+                      className="text-[9px] text-[var(--accent)] hover:underline px-1"
+                      title="Add this folder to project roots"
+                    >+ pick</button>
+                  </div>
+                ))}
+              </div>
+              {pickerPath && (
+                <button
+                  onClick={() => addPickedPath(pickerPath)}
+                  className="text-[10px] px-2 py-0.5 bg-[var(--accent)] text-white rounded w-full"
+                >
+                  Use current folder: <span className="font-mono">{pickerPath}</span>
+                </button>
+              )}
+            </div>
+          )}
+        </Section>
+
+        {/* ── Template pre-baked items ─────────────────────────────
+            Collapsed by default — once the template's installed there's
+            nothing to do here, click to expand to inspect. */}
         {(state.template_agents_preview?.length || state.template_api_profiles_preview?.length) && (
           <Section
             title={`${stepN()}. ${state.template_enterprise_name
               ? `🔒 ${state.template_enterprise_name} — auto-installed`
               : '🔒 Template — auto-installed'}`}
             hint="The enterprise template pre-bakes these on your behalf. Tokens are encrypted in git and decrypted locally. You can edit / disable any of them in Settings after onboarding."
+            defaultCollapsed
           >
             {state.template_agents_preview?.length ? (
               <div>
@@ -881,9 +1036,14 @@ export function OnboardingDrawer({ onClose, onComplete, initialSourceId }: { onC
           </Section>
         )}
 
-        {/* ── 2. API Profile (hidden when template provides one) ─ */}
+        {/* ── 2. API Profile (hidden when template provides one) ─
+            Auto-collapse when user already has a chat profile configured. */}
         {!state.template_api_profiles_preview?.length && (
-        <Section title={`${stepN()}. Chat API key`} hint="The LLM Forge's chat agent talks to. DeepSeek / Anthropic / OpenAI / Qwen / LiteLLM-compatible. Key encrypted at rest.">
+        <Section
+          title={`${stepN()}. Chat API key`}
+          hint="The LLM Forge's chat agent talks to. DeepSeek / Anthropic / OpenAI / Qwen / LiteLLM-compatible. Key encrypted at rest."
+          defaultCollapsed={!!state.current.apiProfile || apiKeyExisting}
+        >
           <div className="flex gap-1 mb-1 flex-wrap">
             {(['deepseek', 'anthropic', 'openai', 'qwen', 'litellm'] as const).map(p => (
               <button
@@ -917,9 +1077,14 @@ export function OnboardingDrawer({ onClose, onComplete, initialSourceId }: { onC
         </Section>
         )}
 
-        {/* ── 2.5. CLI Agent (hidden when template provides _agents) ─ */}
+        {/* ── 2.5. CLI Agent (hidden when template provides _agents) ─
+            Auto-collapse when user already has CLI agents configured. */}
         {!state.template_agents_preview?.length && (
-        <Section title={`${stepN()}. CLI Agent`} hint="The CLI tool Forge launches for terminal / task sessions (claude-code / codex / aider). Detected on PATH below.">
+        <Section
+          title={`${stepN()}. CLI Agent`}
+          hint="The CLI tool Forge launches for terminal / task sessions (claude-code / codex / aider). Detected on PATH below."
+          defaultCollapsed={state.current.agents.length > 0}
+        >
           {state.detected_cli.length === 0 && state.current.agents.length === 0 && (
             <p className="text-[10px] text-amber-500">
               No CLI agents detected on PATH. Install one (e.g. <code>npm i -g @anthropic-ai/claude-code</code>) and re-run onboarding.
@@ -1090,7 +1255,11 @@ export function OnboardingDrawer({ onClose, onComplete, initialSourceId }: { onC
                       )}
                       <input
                         type={p.secret ? 'password' : 'text'}
-                        className={inputCls + ' font-mono'}
+                        className={inputCls + ' font-mono' + (
+                          p.required && !isSet && !v.trim()
+                            ? ' !border-red-500 !border-2 ring-1 ring-red-500/40 bg-red-500/5'
+                            : ''
+                        )}
                         value={v}
                         onChange={e => setConnectorValues({ ...connectorValues, [key]: e.target.value })}
                         placeholder={isSet ? '•••••••• (leave blank to keep current)' : (p.required ? 'required' : 'leave blank')}
@@ -1165,79 +1334,7 @@ export function OnboardingDrawer({ onClose, onComplete, initialSourceId }: { onC
           ))}
         </Section>
 
-        {/* ── Projects ────────────────────────────────────────── */}
-        <Section title={`${stepN()}. Project roots (optional)`} hint="Directories Forge can run agents in. Pick from filesystem or type/paste paths (one per line).">
-          {state.current.projectRoots.length > 0 ? (
-            <p className="text-[10px] text-[var(--text-secondary)]">
-              Existing: <span className="font-mono">{state.current.projectRoots.join(', ')}</span> (new entries appended)
-            </p>
-          ) : (
-            <p className="text-[10px] text-amber-400/90">
-              No project roots yet. Pipelines first try to auto-clone the GitLab connector's <span className="font-mono">default_project_path</span>; if that's not set or clone fails, they fall back to <span className="font-mono">&lt;dataDir&gt;/scratch</span> so they still run (worktrees land inside scratch).
-            </p>
-          )}
-          <div className="flex items-center gap-2">
-            <button
-              type="button"
-              onClick={() => openPicker()}
-              className="text-[10px] px-2 py-0.5 border border-[var(--accent)] text-[var(--accent)] rounded hover:bg-[var(--accent)] hover:text-white"
-            >
-              📁 Pick folder…
-            </button>
-            <span className="text-[9px] text-[var(--text-secondary)]">or type below</span>
-          </div>
-          <textarea
-            rows={2}
-            className={inputCls + ' font-mono'}
-            value={projectInput}
-            onChange={e => setProjectInput(e.target.value)}
-            placeholder="/Users/you/IdeaProjects"
-          />
-
-          {pickerOpen && (
-            <div className="border border-[var(--border)] rounded p-2 bg-[var(--bg-tertiary)] space-y-1">
-              <div className="flex items-center gap-1 text-[10px] font-mono text-[var(--text-secondary)] truncate">
-                {pickerParent && (
-                  <button onClick={() => openPicker(pickerParent!)} className="text-[var(--accent)] hover:underline">..</button>
-                )}
-                <span className="truncate">{pickerPath || '(loading)'}</span>
-                <button
-                  onClick={() => setPickerOpen(false)}
-                  className="ml-auto text-[var(--text-secondary)] hover:text-[var(--text-primary)]"
-                >✕</button>
-              </div>
-              <div className="max-h-40 overflow-y-auto space-y-0.5">
-                {pickerEntries.length === 0 && (
-                  <p className="text-[10px] text-[var(--text-secondary)] italic">no subdirectories</p>
-                )}
-                {pickerEntries.map(e => (
-                  <div key={e.path} className="flex items-center gap-1 text-[10px] font-mono">
-                    <button
-                      onClick={() => openPicker(e.path)}
-                      className="text-[var(--text-primary)] hover:text-[var(--accent)] flex-1 text-left truncate"
-                      title="Drill into this folder"
-                    >
-                      📁 {e.name}
-                    </button>
-                    <button
-                      onClick={() => addPickedPath(e.path)}
-                      className="text-[9px] text-[var(--accent)] hover:underline px-1"
-                      title="Add this folder to project roots"
-                    >+ pick</button>
-                  </div>
-                ))}
-              </div>
-              {pickerPath && (
-                <button
-                  onClick={() => addPickedPath(pickerPath)}
-                  className="text-[10px] px-2 py-0.5 bg-[var(--accent)] text-white rounded w-full"
-                >
-                  Use current folder: <span className="font-mono">{pickerPath}</span>
-                </button>
-              )}
-            </div>
-          )}
-        </Section>
+        {/* Project roots — moved up to step 2 (after Identity). */}
 
         {/* ── Memory (info only) ──────────────────────────────── */}
         <Section title={`${stepN()}. Memory`}>
@@ -1284,11 +1381,14 @@ export function OnboardingDrawer({ onClose, onComplete, initialSourceId }: { onC
         <button
           onClick={async () => {
             if (dirty && !confirm('Skip setup? Your unsaved inputs will be discarded. (Banner will not appear again.)')) return;
-            // Mark onboarding completed without applying anything — empty payload.
+            // action:'skip' — server only flips onboardingCompleted, does
+            // NOT run any apply phases. Previously this was action:'apply'
+            // with empty payload, which still wrote template _agents /
+            // _apiProfiles via the connectors phase.
             await fetch('/api/onboarding', {
               method: 'POST',
               headers: { 'Content-Type': 'application/json' },
-              body: JSON.stringify({ action: 'apply', payload: {} }),
+              body: JSON.stringify({ action: 'skip' }),
             });
             onComplete();
           }}
@@ -1324,12 +1424,29 @@ function DrawerShell({ onClose, children }: { onClose: () => void; children: Rea
   );
 }
 
-function Section({ title, hint, children }: { title: string; hint?: string; children: React.ReactNode }) {
+function Section({ title, hint, children, defaultCollapsed }: { title: string; hint?: string; children: React.ReactNode; defaultCollapsed?: boolean }) {
+  const [open, setOpen] = useState(!defaultCollapsed);
+  const collapsible = defaultCollapsed !== undefined;
   return (
     <div className="space-y-1.5 pb-3 border-b border-[var(--border)]/40">
-      <h3 className="text-[12px] font-medium text-[var(--text-primary)]">{title}</h3>
-      {hint && <p className="text-[10px] text-[var(--text-secondary)] leading-snug">{hint}</p>}
-      {children}
+      <h3 className="text-[12px] font-medium text-[var(--text-primary)] flex items-center gap-1">
+        {collapsible && (
+          <button
+            type="button"
+            onClick={() => setOpen(o => !o)}
+            className="text-[10px] text-[var(--text-secondary)] hover:text-[var(--text-primary)] w-3 inline-flex items-center justify-center"
+            title={open ? 'Collapse' : 'Expand'}
+          >
+            {open ? '▾' : '▸'}
+          </button>
+        )}
+        <span
+          onClick={collapsible ? () => setOpen(o => !o) : undefined}
+          className={collapsible ? 'cursor-pointer flex-1' : 'flex-1'}
+        >{title}</span>
+      </h3>
+      {open && hint && <p className="text-[10px] text-[var(--text-secondary)] leading-snug">{hint}</p>}
+      {open && children}
     </div>
   );
 }
@@ -1379,10 +1496,10 @@ function CheckRow({
   );
 }
 
-function Field({ label, children }: { label: string; children: React.ReactNode }) {
+function Field({ label, children }: { label: React.ReactNode; children: React.ReactNode }) {
   return (
     <div className="space-y-0.5">
-      <label className="text-[10px] text-[var(--text-secondary)]">{label}</label>
+      <label className="text-[10px] text-[var(--text-secondary)] inline-flex items-center">{label}</label>
       {children}
     </div>
   );

package/dev-test.sh

@@ -30,6 +30,7 @@ fi
 PORT=4000 \
   TERMINAL_PORT=4001 \
   WORKSPACE_PORT=4005 \
+  MCP_PORT=4006 \
   BRIDGE_PORT=4007 \
   CHAT_PORT=4008 \
   MEMORY_PORT=4009 \

package/lib/chat/llm/anthropic.ts

@@ -167,7 +167,12 @@ export const anthropicAdapter: LlmAdapter = {
     const content: ContentBlock[] = [];
     let textBuf = '';
     for await (const part of result.fullStream) {
-      if (part.type === 'text-delta') {
+      if (part.type === 'text-delta' || part.type === 'reasoning-delta') {
+        // Treat reasoning-delta the same as text-delta — Fortinet
+        // relay endpoints (forti-k2, forti-coder, etc.) return their
+        // entire response as reasoning blocks instead of regular text.
+        // Without this branch the model output silently disappears
+        // (assistant message saved with blocks=[]).
         textBuf += part.text;
         cb.onTextDelta(part.text);
       } else if (part.type === 'tool-call') {

package/next-env.d.ts

@@ -1,6 +1,6 @@
 /// <reference types="next" />
 /// <reference types="next/image-types/global" />
-import "./.next/types/routes.d.ts";
+import "./.next/dev/types/routes.d.ts";
 
 // NOTE: This file should not be edited
 // see https://nextjs.org/docs/app/api-reference/config/typescript for more information.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aion0/forge",
-  "version": "0.10.41",
+  "version": "0.10.43",
   "description": "Unified AI workflow platform — multi-model task orchestration, persistent sessions, web terminal, remote access",
   "type": "module",
   "scripts": {