@aion0/forge 0.10.44 → 0.10.46

package/RELEASE_NOTES.md

@@ -1,11 +1,49 @@
-# Forge v0.10.44
+# Forge v0.10.46
 
 Released: 2026-06-08
 
-## Changes since v0.10.43
+## Changes since v0.10.45
 
-### Bug Fixes
-- fix: mantis bug link uses bug_view_page.php?bug_id=N
+### Features
+- feat: unified-auth Phase 2 — Web Sessions sweep in EnterpriseBadge
+- feat: unified-auth Phase 1 — GitLab SSH 2FA verify from EnterpriseBadge
 
+### Other
+- feat(ui): move Browser + Help into user dropdown menu
+- feat(scratch): auto-cleanup files older than scratchRetentionDays (default 7)
+- feat(chat): save_scratch_file builtin tool — direct file write + download link
+- fix(chat): listMessages returns the LAST N, not the first N
+- fix(chat-standalone): bump default session GET limit 500 -> 2000
+- fix(server): spawn next with --use-system-ca for corp SSL inspection
+- feat(migration): one-shot disk rename for renamed connector setting keys
+- feat(chat): autolink scratch/<file> paths to /api/scratch download endpoint
+- diag(dispatch): drop temp default-fill logs
+- diag(dispatch): log default keys + arg state to forge.log (TEMP)
+- fix(connector alias): mantis default_project rename — drop legacy key
+- fix(install.sh --local): wipe .next + Turbopack cache before pnpm build
+- fix(dispatcher): two-pass default fill + per-connector legacy aliases
+- feat(idp-login): opt-in encrypted credential save
+- feat(idp-login): show/hide toggle on password input
+- feat(idp-login): per-entry selectors / username override / timeout; UI prefills username from email
+- feat(idp-login): surface trigger URL on per-IdP failure for manual login
+- feat(idp-login): trigger_url override + transcript-based failure detection
+- feat(idp-login): show manual command line when terminal-keystroke fails
+- feat(idp-login): multi-IdP support — _idp accepts array
+- ui: remove standalone GitLab 2FA section from EnterpriseBadge
+- feat(unified-auth): template-driven post_login_terminal commands
+- fix(gitlab-2fa keystroke): split OK/FAIL into separate atomic markers
+- fix(gitlab-2fa keystroke): only match prompt in NEW Terminal output
+- fix(gitlab-2fa keystroke): clipboard+paste instead of keystroke-char-by-char
+- simplify(gitlab-2fa): bare ssh, drop noisy options
+- fix(gitlab-2fa keystroke): wait for OTP prompt before typing OTP
+- feat(gitlab-2fa): keystroke fallback via macOS Terminal + System Events
+- feat(unified-auth): read IdP host + SAML SPs from wizard template _idp
+- fix(unified-auth): only use SAML SPs as IdP trigger (drop gitlab/teams)
+- feat(unified-auth): Phase 3 — one-shot SAML IdP login
+- feat(gitlab-2fa): manual fallback for FortiClient per-process VPN block
+- fix(gitlab-2fa): bump ConnectTimeout 8s→30s, outer 15s→60s
+- fix(gitlab-2fa): catch 'Operation timed out' (macOS ssh) + strip echoed OTP from error
+- fix(gitlab-2fa): aggressive OTP send + surface ssh transcript on failure
 
-**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.43...v0.10.44
+
+**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.45...v0.10.46

package/app/api/auth/gitlab-2fa/route.ts

@@ -0,0 +1,98 @@
+/**
+ * GitLab SSH 2FA verify API.
+ *
+ *   GET  /api/auth/gitlab-2fa
+ *     → { host, verifiedAt: string | null, seconds_left: number }
+ *
+ *   POST /api/auth/gitlab-2fa
+ *     body: { otp: "123456" }
+ *     → { ok: true, verifiedAt, seconds_left, host } |
+ *       { ok: false, error, transcript? }
+ *
+ * verifiedAt is persisted in settings.gitlab2fa so dropdown survives a
+ * page refresh.
+ */
+
+import { NextResponse } from 'next/server';
+import { loadSettings, saveSettings } from '@/lib/settings';
+import {
+  verifyGitlab2FA,
+  verifyGitlab2FAViaKeystroke,
+  getGitlabSshHost,
+  secondsLeft,
+  GITLAB_2FA_VALID_MS,
+} from '@/lib/auth/gitlab-2fa';
+
+export async function GET() {
+  const settings = loadSettings();
+  const host = getGitlabSshHost();
+  const recorded = settings.gitlab2fa;
+  // Drop the stamp if host changed (user pointed gitlab elsewhere)
+  const valid = recorded && (!host || recorded.host === host);
+  const verifiedAt = valid ? recorded?.verifiedAt ?? null : null;
+  return NextResponse.json({
+    host,
+    verifiedAt,
+    seconds_left: secondsLeft(verifiedAt ?? undefined),
+    validity_seconds: Math.floor(GITLAB_2FA_VALID_MS / 1000),
+  });
+}
+
+export async function POST(req: Request) {
+  let body: any = {};
+  try { body = await req.json(); } catch {}
+
+  // Manual mode: caller already ran `ssh git@host 2fa_verify` in their
+  // own terminal (necessary when corp VPN like FortiClient does per-
+  // process tunnel filtering — node-spawned ssh can't reach the host).
+  // Forge just stamps verifiedAt so the 55-minute clock starts.
+  if (body?.manual === true) {
+    const host = getGitlabSshHost();
+    if (!host) {
+      return NextResponse.json({ ok: false, error: 'GitLab connector not configured' }, { status: 400 });
+    }
+    const verifiedAt = new Date().toISOString();
+    const settings = loadSettings();
+    settings.gitlab2fa = { verifiedAt, host };
+    saveSettings(settings);
+    return NextResponse.json({
+      ok: true,
+      verifiedAt,
+      host,
+      seconds_left: Math.floor(GITLAB_2FA_VALID_MS / 1000),
+      mode: 'manual',
+    });
+  }
+
+  const otp = String(body?.otp || '').trim();
+  if (!otp) {
+    return NextResponse.json({ ok: false, error: 'otp is required' }, { status: 400 });
+  }
+
+  // Mode selector: 'keystroke' uses osascript+System Events to type
+  // into the user's frontmost Terminal — required in environments
+  // where the corp VPN blocks Forge-spawned ssh (FortiClient).
+  // Default is the direct node-pty path (works for non-filtered envs).
+  const mode = String(body?.mode || 'direct');
+  const r = mode === 'keystroke'
+    ? await verifyGitlab2FAViaKeystroke(otp)
+    : await verifyGitlab2FA(otp);
+  if (!r.ok) {
+    return NextResponse.json(
+      { ok: false, error: r.error || 'verify failed', transcript: r.transcript },
+      { status: 400 },
+    );
+  }
+
+  // Persist for the dropdown's "X min left" rendering.
+  const settings = loadSettings();
+  settings.gitlab2fa = { verifiedAt: r.verifiedAt!, host: r.host! };
+  saveSettings(settings);
+
+  return NextResponse.json({
+    ok: true,
+    verifiedAt: r.verifiedAt,
+    host: r.host,
+    seconds_left: Math.floor(GITLAB_2FA_VALID_MS / 1000),
+  });
+}

package/app/api/auth/idp-credentials/route.ts

@@ -0,0 +1,41 @@
+/**
+ * GET    /api/auth/idp-credentials → { username, password }   (decrypted)
+ * POST   /api/auth/idp-credentials   body: { username, password }
+ * DELETE /api/auth/idp-credentials
+ *
+ * Read/write the EnterpriseBadge's saved unified-login credentials.
+ * Password lives in SECRET_FIELDS so it's AES-256-GCM encrypted at rest;
+ * this endpoint hands it back in plaintext for the local UI to prefill
+ * (Forge is single-user, runs on localhost — equivalent threat surface
+ * to the user's own keychain). OTP is never persisted — it's TOTP.
+ */
+
+import { NextResponse } from 'next/server';
+import { loadSettings, saveSettings } from '@/lib/settings';
+
+export async function GET() {
+  const s = loadSettings() as unknown as Record<string, unknown>;
+  return NextResponse.json({
+    username: (s.idpSavedUsername as string) || '',
+    password: (s.idpSavedPassword as string) || '',
+  });
+}
+
+export async function POST(req: Request) {
+  let body: { username?: string; password?: string } = {};
+  try { body = await req.json(); } catch { /* empty body */ }
+  const username = String(body.username || '').trim();
+  const password = String(body.password || '');
+  if (!username || !password) {
+    return NextResponse.json({ ok: false, error: 'username and password are required' }, { status: 400 });
+  }
+  const current = loadSettings() as unknown as Record<string, unknown>;
+  saveSettings({ ...current, idpSavedUsername: username, idpSavedPassword: password } as never);
+  return NextResponse.json({ ok: true });
+}
+
+export async function DELETE() {
+  const current = loadSettings() as unknown as Record<string, unknown>;
+  saveSettings({ ...current, idpSavedUsername: '', idpSavedPassword: '' } as never);
+  return NextResponse.json({ ok: true });
+}

package/app/api/auth/idp-login/route.ts

@@ -0,0 +1,22 @@
+/**
+ * POST /api/auth/idp-login
+ *   body: { username, password, otp }
+ *   → { ok, idp_logins: [{idp_host, ok, steps_completed?, final_url?, error?, post_login_terminal?}], error? }
+ *
+ * Drives one or more SAML IdP logins (template `_idp` may be array) via
+ * the extension. Secrets stay in this request — never persisted.
+ */
+
+import { NextResponse } from 'next/server';
+import { performIdpLogin } from '@/lib/auth/idp-login';
+
+export async function POST(req: Request) {
+  let body: any = {};
+  try { body = await req.json(); } catch {}
+  const r = await performIdpLogin({
+    username: String(body?.username || '').trim(),
+    password: String(body?.password || ''),
+    otp: String(body?.otp || '').trim(),
+  });
+  return NextResponse.json(r, { status: r.ok ? 200 : 400 });
+}

package/app/api/enterprise-keys/route.ts

@@ -28,7 +28,7 @@ import {
   removeEnterpriseKey,
   updateEnterpriseKey,
 } from '@/lib/enterprise';
-import { syncRegistry, getLastSync } from '@/lib/connectors/sync';
+import { syncRegistry, getLastSync, probeEnterpriseKey } from '@/lib/connectors/sync';
 import { syncMarketplace as syncWorkflows } from '@/lib/workflow-marketplace';
 import { syncSkills } from '@/lib/skills';
 
@@ -121,6 +121,13 @@ export async function POST(req: Request) {
   const key = String(body?.key || '').trim();
   if (!key) return NextResponse.json({ ok: false, error: 'key is required' }, { status: 400 });
 
+  // Probe BEFORE persisting — a key whose PAT is wrong / expired or whose
+  // repo we can't reach should never land on disk. Surfaces the real
+  // 401/403/404/network error to the user instead of silently failing
+  // later inside the best-effort sync.
+  const probe = await probeEnterpriseKey(key);
+  if (!probe.ok) return NextResponse.json({ ok: false, error: probe.error }, { status: 400 });
+
   const r = addEnterpriseKey(key);
   if (!r.ok) return NextResponse.json(r, { status: 400 });
 
@@ -176,6 +183,9 @@ export async function PATCH(req: Request) {
   const key = String(body?.key || '').trim();
   if (!key) return NextResponse.json({ ok: false, error: 'key is required' }, { status: 400 });
 
+  const probe = await probeEnterpriseKey(key);
+  if (!probe.ok) return NextResponse.json({ ok: false, error: probe.error }, { status: 400 });
+
   const r = updateEnterpriseKey(tenant_id, key);
   if (!r.ok) return NextResponse.json(r, { status: 400 });
 

package/app/api/scratch/[...path]/route.ts

@@ -0,0 +1,78 @@
+/**
+ * GET /api/scratch/<path...>
+ *   ?download=1   → force Content-Disposition: attachment
+ *
+ * Serves files from `<dataDir>/scratch/` so chat-emitted paths like
+ * `scratch/report-2026-06-08.md` can be clicked open from the chat UI.
+ * Path-traversal protected: any segment containing `..` or any resolved
+ * path escaping the scratch root is rejected.
+ *
+ * Auth-gated by Forge's proxy middleware just like every other /api/*.
+ */
+
+import { NextResponse } from 'next/server';
+import { existsSync, readFileSync, statSync } from 'node:fs';
+import { join, resolve, extname } from 'node:path';
+import { getDataDir } from '@/lib/dirs';
+
+const MIME: Record<string, string> = {
+  '.md': 'text/markdown; charset=utf-8',
+  '.txt': 'text/plain; charset=utf-8',
+  '.json': 'application/json; charset=utf-8',
+  '.yaml': 'application/yaml; charset=utf-8',
+  '.yml': 'application/yaml; charset=utf-8',
+  '.csv': 'text/csv; charset=utf-8',
+  '.log': 'text/plain; charset=utf-8',
+  '.html': 'text/html; charset=utf-8',
+  '.pdf': 'application/pdf',
+  '.png': 'image/png',
+  '.jpg': 'image/jpeg',
+  '.jpeg': 'image/jpeg',
+  '.gif': 'image/gif',
+  '.svg': 'image/svg+xml',
+};
+
+export async function GET(
+  req: Request,
+  ctx: { params: Promise<{ path: string[] }> },
+) {
+  const { path: parts } = await ctx.params;
+  if (!parts || parts.length === 0) {
+    return NextResponse.json({ ok: false, error: 'missing path' }, { status: 400 });
+  }
+  // Reject explicit traversal attempts before path construction.
+  for (const seg of parts) {
+    if (seg === '..' || seg.startsWith('..')) {
+      return NextResponse.json({ ok: false, error: 'path traversal rejected' }, { status: 400 });
+    }
+  }
+  const scratchRoot = resolve(join(getDataDir(), 'scratch'));
+  const target = resolve(join(scratchRoot, ...parts));
+  // Verify the resolved path stays under scratchRoot — handles symlink
+  // tricks the segment check above can't catch.
+  if (!target.startsWith(scratchRoot + '/') && target !== scratchRoot) {
+    return NextResponse.json({ ok: false, error: 'path traversal rejected' }, { status: 400 });
+  }
+  if (!existsSync(target)) {
+    return NextResponse.json({ ok: false, error: 'not found' }, { status: 404 });
+  }
+  const st = statSync(target);
+  if (!st.isFile()) {
+    return NextResponse.json({ ok: false, error: 'not a file' }, { status: 400 });
+  }
+  const url = new URL(req.url);
+  const download = url.searchParams.get('download') === '1';
+  const ext = extname(target).toLowerCase();
+  const mime = MIME[ext] || 'application/octet-stream';
+  const data = readFileSync(target);
+  const filename = parts[parts.length - 1];
+  return new NextResponse(new Uint8Array(data), {
+    status: 200,
+    headers: {
+      'Content-Type': mime,
+      'Content-Length': String(st.size),
+      'Content-Disposition': `${download ? 'attachment' : 'inline'}; filename="${filename.replace(/"/g, '\\"')}"`,
+      'Cache-Control': 'private, max-age=0, must-revalidate',
+    },
+  });
+}

package/bin/forge-server.mjs

@@ -656,7 +656,16 @@ function startBackground() {
   const child = spawn(nextBin, ['start', '-p', String(webPort)], {
     cwd: ROOT,
     stdio: ['ignore', logFd, logFd],
-    env: { ...process.env, FORGE_EXTERNAL_SERVICES: '1' },
+    env: {
+      ...process.env,
+      FORGE_EXTERNAL_SERVICES: '1',
+      // --use-system-ca lets Node 22+ trust the OS keychain in addition
+      // to its baked-in CA bundle. Corp networks (FortiClient SSL
+      // inspection, Zscaler, etc.) install a custom root via MDM; Node
+      // doesn't see it without this flag, so marketplace sync fails with
+      // 'self-signed certificate in certificate chain' on api.github.com.
+      NODE_OPTIONS: [process.env.NODE_OPTIONS, '--use-system-ca'].filter(Boolean).join(' '),
+    },
     detached: true,
   });
 
@@ -738,7 +747,16 @@ if (isDev) {
   const child = spawn('npx', ['next', 'dev', '--turbopack', '-p', String(webPort)], {
     cwd: ROOT,
     stdio: 'inherit',
-    env: { ...process.env, FORGE_EXTERNAL_SERVICES: '1' },
+    env: {
+      ...process.env,
+      FORGE_EXTERNAL_SERVICES: '1',
+      // --use-system-ca lets Node 22+ trust the OS keychain in addition
+      // to its baked-in CA bundle. Corp networks (FortiClient SSL
+      // inspection, Zscaler, etc.) install a custom root via MDM; Node
+      // doesn't see it without this flag, so marketplace sync fails with
+      // 'self-signed certificate in certificate chain' on api.github.com.
+      NODE_OPTIONS: [process.env.NODE_OPTIONS, '--use-system-ca'].filter(Boolean).join(' '),
+    },
   });
   child.on('exit', (code) => { stopServices(); process.exit(code || 0); });
 } else {
@@ -748,7 +766,16 @@ if (isDev) {
   const child = spawn('npx', ['next', 'start', '-p', String(webPort)], {
     cwd: ROOT,
     stdio: 'inherit',
-    env: { ...process.env, FORGE_EXTERNAL_SERVICES: '1' },
+    env: {
+      ...process.env,
+      FORGE_EXTERNAL_SERVICES: '1',
+      // --use-system-ca lets Node 22+ trust the OS keychain in addition
+      // to its baked-in CA bundle. Corp networks (FortiClient SSL
+      // inspection, Zscaler, etc.) install a custom root via MDM; Node
+      // doesn't see it without this flag, so marketplace sync fails with
+      // 'self-signed certificate in certificate chain' on api.github.com.
+      NODE_OPTIONS: [process.env.NODE_OPTIONS, '--use-system-ca'].filter(Boolean).join(' '),
+    },
   });
   child.on('exit', (code) => { stopServices(); process.exit(code || 0); });
 }

package/components/Dashboard.tsx

@@ -481,56 +481,7 @@ export default function Dashboard({ user }: { user: any }) {
         </div>
         <div className="flex items-center gap-2.5">
           {/* (Automation context actions moved to the secondary toolbar row below) */}
-          {/* Help */}
-          <button
-            onClick={() => setShowHelp(v => !v)}
-            className={`text-[10px] px-2 py-0.5 border rounded transition-colors ${
-              showHelp
-                ? 'border-[var(--accent)] text-[var(--accent)]'
-                : 'border-[var(--border)] text-[var(--text-secondary)] hover:text-[var(--text-primary)] hover:border-[var(--text-secondary)]'
-            }`}
-          >?</button>
-          <div className="relative">
-            <button
-              onClick={() => setShowBrowserMenu(v => !v)}
-              className={`text-[10px] px-2 py-0.5 border rounded transition-colors ${
-                browserMode !== 'none'
-                  ? 'border-blue-500 text-blue-400'
-                  : 'border-[var(--border)] text-[var(--text-secondary)] hover:text-[var(--text-primary)] hover:border-[var(--text-secondary)]'
-              }`}
-            >
-              Browser
-            </button>
-            {showBrowserMenu && (
-              <>
-              <div className="fixed inset-0 z-40" onClick={() => setShowBrowserMenu(false)} />
-              <div className="absolute top-full right-0 mt-1 z-50 bg-[var(--bg-secondary)] border border-[var(--border)] rounded shadow-lg py-1 min-w-[140px]">
-                {browserMode !== 'none' && (
-                  <button onClick={() => { setBrowserMode('none'); setShowBrowserMenu(false); }} className="w-full text-left px-3 py-1.5 text-[10px] text-red-400 hover:bg-[var(--bg-tertiary)]">
-                    Close Browser
-                  </button>
-                )}
-                <button onClick={() => { setBrowserMode('float'); setShowBrowserMenu(false); }} className={`w-full text-left px-3 py-1.5 text-[10px] hover:bg-[var(--bg-tertiary)] ${browserMode === 'float' ? 'text-[var(--accent)]' : 'text-[var(--text-primary)]'}`}>
-                  Floating Window
-                </button>
-                <button onClick={() => { setBrowserMode('right'); setShowBrowserMenu(false); }} className={`w-full text-left px-3 py-1.5 text-[10px] hover:bg-[var(--bg-tertiary)] ${browserMode === 'right' ? 'text-[var(--accent)]' : 'text-[var(--text-primary)]'}`}>
-                  Right Side
-                </button>
-                <button onClick={() => { setBrowserMode('left'); setShowBrowserMenu(false); }} className={`w-full text-left px-3 py-1.5 text-[10px] hover:bg-[var(--bg-tertiary)] ${browserMode === 'left' ? 'text-[var(--accent)]' : 'text-[var(--text-primary)]'}`}>
-                  Left Side
-                </button>
-                <button onClick={() => {
-                  const url = localStorage.getItem('forge-browser-url');
-                  if (url) window.open(url, '_blank');
-                  else { const u = prompt('Enter URL to open:'); if (u) window.open(u.trim(), '_blank'); }
-                  setShowBrowserMenu(false);
-                }} className="w-full text-left px-3 py-1.5 text-[10px] text-[var(--text-primary)] hover:bg-[var(--bg-tertiary)]">
-                  New Tab
-                </button>
-              </div>
-              </>
-            )}
-          </div>
+          {/* Help / Browser moved into the user dropdown — see below. */}
           <Suspense fallback={null}><TunnelToggle /></Suspense>
           {onlineCount.total > 0 && (
             <span className="text-[10px] text-[var(--text-secondary)] flex items-center gap-1" title={`${onlineCount.total} online${onlineCount.remote > 0 ? `, ${onlineCount.remote} remote` : ''}`}>
@@ -742,7 +693,49 @@ export default function Dashboard({ user }: { user: any }) {
                     <span className="flex-1">Mobile View</span>
                     <span className="text-[9px] text-[var(--text-secondary)]">↗</span>
                   </a>
+                  {/* Browser — toggling reveals the layout options inline so the
+                      sub-menu lives inside the user dropdown (no nested popup). */}
+                  <button
+                    onClick={() => setShowBrowserMenu(v => !v)}
+                    className="w-full text-left text-[11px] px-3 py-1.5 text-[var(--text-secondary)] hover:text-[var(--text-primary)] hover:bg-[var(--bg-tertiary)] flex items-center gap-2"
+                  >
+                    <span className="w-3 text-center">🌐</span>
+                    <span className="flex-1">Browser{browserMode !== 'none' ? ` · ${browserMode}` : ''}</span>
+                    <span className="text-[9px] text-[var(--text-secondary)]">{showBrowserMenu ? '▾' : '▸'}</span>
+                  </button>
+                  {showBrowserMenu && (
+                    <div className="pl-6 pr-1 py-0.5 border-l border-[var(--border)] ml-3 mb-1">
+                      <button onClick={() => { setBrowserMode('float'); setShowBrowserMenu(false); setShowUserMenu(false); }} className={`w-full text-left px-2 py-1 text-[10px] hover:bg-[var(--bg-tertiary)] ${browserMode === 'float' ? 'text-[var(--accent)]' : 'text-[var(--text-primary)]'}`}>
+                        Floating Window
+                      </button>
+                      <button onClick={() => { setBrowserMode('right'); setShowBrowserMenu(false); setShowUserMenu(false); }} className={`w-full text-left px-2 py-1 text-[10px] hover:bg-[var(--bg-tertiary)] ${browserMode === 'right' ? 'text-[var(--accent)]' : 'text-[var(--text-primary)]'}`}>
+                        Right Side
+                      </button>
+                      <button onClick={() => { setBrowserMode('left'); setShowBrowserMenu(false); setShowUserMenu(false); }} className={`w-full text-left px-2 py-1 text-[10px] hover:bg-[var(--bg-tertiary)] ${browserMode === 'left' ? 'text-[var(--accent)]' : 'text-[var(--text-primary)]'}`}>
+                        Left Side
+                      </button>
+                      <button onClick={() => {
+                        const url = localStorage.getItem('forge-browser-url');
+                        if (url) window.open(url, '_blank');
+                        else { const u = prompt('Enter URL to open:'); if (u) window.open(u.trim(), '_blank'); }
+                        setShowBrowserMenu(false); setShowUserMenu(false);
+                      }} className="w-full text-left px-2 py-1 text-[10px] text-[var(--text-primary)] hover:bg-[var(--bg-tertiary)]">
+                        New Tab
+                      </button>
+                      {browserMode !== 'none' && (
+                        <button onClick={() => { setBrowserMode('none'); setShowBrowserMenu(false); setShowUserMenu(false); }} className="w-full text-left px-2 py-1 text-[10px] text-red-400 hover:bg-[var(--bg-tertiary)]">
+                          Close Browser
+                        </button>
+                      )}
+                    </div>
+                  )}
                   <div className="border-t border-[var(--border)] my-1" />
+                  <button
+                    onClick={() => { setShowHelp(v => !v); setShowUserMenu(false); }}
+                    className="w-full text-left text-[11px] px-3 py-1.5 text-[var(--text-secondary)] hover:text-[var(--text-primary)] hover:bg-[var(--bg-tertiary)] flex items-center gap-2"
+                  >
+                    <span className="w-3 text-center">?</span><span>Help</span>
+                  </button>
                   <button
                     onClick={() => signOut({ callbackUrl: '/login' })}
                     className="w-full text-left text-[11px] px-3 py-1.5 text-[var(--text-secondary)] hover:text-[var(--red)] hover:bg-[var(--bg-tertiary)] flex items-center gap-2"