@aion0/forge 0.10.49 → 0.10.50

package/RELEASE_NOTES.md

@@ -1,11 +1,8 @@
-# Forge v0.10.49
+# Forge v0.10.50
 
 Released: 2026-06-09
 
-## Changes since v0.10.48
+## Changes since v0.10.49
 
-### Other
-- fix(idp-login): pick a failing SP as the SAML trigger, not the first one
 
-
-**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.48...v0.10.49
+**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.49...v0.10.50

package/app/api/web-sessions/route.ts

@@ -0,0 +1,38 @@
+/**
+ * GET  /api/web-sessions  → IdP-consolidated rows + cached statuses
+ * POST /api/web-sessions  → re-probe every IdP in parallel
+ *
+ * Distinct from /api/login-status (per-connector): this endpoint is used
+ * by the Enterprise badge "Web sessions" section, which wants one row
+ * per IdP block rather than one row per SAML SP.
+ */
+
+import { NextResponse } from 'next/server';
+import { listIdpSources, listIdpStatus, checkSource } from '@/lib/auth/login-status';
+
+export async function GET() {
+  return NextResponse.json({ rows: listIdpStatus() });
+}
+
+export async function POST() {
+  const sources = listIdpSources();
+  const results = await Promise.all(
+    sources.map(async (s) => {
+      try {
+        const r = await checkSource(s);
+        return { source: s, result: r };
+      } catch (e) {
+        return {
+          source: s,
+          result: {
+            ok: false,
+            message: `check error: ${(e as Error).message}`,
+            checked_at: Date.now(),
+            duration_ms: 0,
+          },
+        };
+      }
+    }),
+  );
+  return NextResponse.json({ rows: results });
+}

package/components/EnterpriseBadge.tsx

@@ -143,7 +143,7 @@ export default function EnterpriseBadge({ onOpenSettings: _onOpenSettings }: { o
 
   const loadWebSessions = async () => {
     try {
-      const r = await fetch('/api/login-status');
+      const r = await fetch('/api/web-sessions');
       if (!r.ok) return;
       const data = await r.json();
       ingestLoginRows((data?.rows || []) as LoginRow[]);
@@ -154,7 +154,7 @@ export default function EnterpriseBadge({ onOpenSettings: _onOpenSettings }: { o
     if (webBusy) return;
     setWebBusy(true); setWebErr('');
     try {
-      const r = await fetch('/api/login-status', { method: 'POST' });
+      const r = await fetch('/api/web-sessions', { method: 'POST' });
       const data = await r.json();
       if (!r.ok || data?.error) {
         setWebErr(data?.error || `HTTP ${r.status}`);

package/lib/agents/index.ts

@@ -15,11 +15,17 @@ function resolveAbsoluteBin(cmd: string): string {
   if (cached !== undefined) return cached;
   try {
     const out = execSync(`which ${cmd}`, { encoding: 'utf-8', timeout: 3000, stdio: ['pipe', 'pipe', 'pipe'] }).trim();
-    const resolved = out || cmd;
-    _whichCache.set(cmd, resolved);
-    return resolved;
-  } catch {
-    _whichCache.set(cmd, cmd);
+    if (out) {
+      _whichCache.set(cmd, out);
+      return out;
+    }
+    // `which` exited 0 but printed nothing — don't poison cache, retry next call.
+    return cmd;
+  } catch (e) {
+    // Restart-window contention can blow past the 3s timeout. Caching the
+    // failure here would pin bare `cmd` for the rest of the process — let
+    // the next call retry instead.
+    console.warn(`[agents] which ${cmd} failed:`, (e as Error).message);
     return cmd;
   }
 }
@@ -225,6 +231,10 @@ export function getAgent(id?: AgentId): AgentAdapter {
 /** Clear adapter cache (call after settings change) */
 export function clearAgentCache(): void {
   adapterCache.clear();
+  // Also drop the `which <bin>` resolution cache. Without this, a failed
+  // resolution during the restart window stayed in cache and every later
+  // terminal-launch returned bare `claude`.
+  _whichCache.clear();
 }
 
 /** Auto-detect all available agents (called on startup) */

package/lib/auth/idp-login.ts

@@ -47,8 +47,15 @@ export interface IdpLoginResult {
   error?: string;
 }
 
-interface IdpTemplateBlock {
+export interface IdpTemplateBlock {
   host?: string;
+  /** Optional display name override for the Login Status panel.
+   *  Falls back to `host` when missing. */
+  display_name?: string;
+  /** Optional explicit URL the Login Status probe opens. Defaults to
+   *  `https://<host>/`. Override when the IdP's logged-in landing page
+   *  is at a specific path (e.g. `/saml-idp/portal/` for FAC). */
+  probe_url?: string;
   /** Optional alt hostnames the IdP also uses (e.g. regional SAML servers). */
   alt_hosts?: string[];
   saml_sps?: string[];
@@ -83,7 +90,7 @@ interface IdpTemplateBlock {
  * (legacy) or an array of objects (multi-IdP). Returns normalized
  * array of valid blocks.
  */
-function readIdpBlocks(): IdpTemplateBlock[] {
+export function readIdpBlocks(): IdpTemplateBlock[] {
   const tryRead = (sourceId?: string): IdpTemplateBlock[] | null => {
     const t = resolveWizardTemplate(sourceId);
     const raw = (t?.template as { _idp?: IdpTemplateBlock | IdpTemplateBlock[] } | undefined)?._idp;
@@ -109,13 +116,8 @@ function readIdpBlocks(): IdpTemplateBlock[] {
  *   1. A SP whose login-status cache currently shows ✗ — opening it forces
  *      a SAML redirect to the IdP, which is exactly what we want when the
  *      IdP cookie has expired even though some sibling SPs still have a
- *      valid session cookie (Mantis can be ✓ while pmdb/tp are ✗ because
- *      per-SP cookies are independent of the IdP SSO state).
- *   2. Otherwise first installed SP with a base_url (legacy fallback).
- *
- *  Without (1) the IdP login flow would open Mantis (first in saml_sps),
- *  see the cookie still good, declare "no form needed", and exit — leaving
- *  the broken siblings unrefreshed.
+ *      valid session cookie.
+ *   2. Otherwise first installed SP with a base_url.
  */
 function pickTriggerUrl(saml_sps: string[]): string | null {
   // eslint-disable-next-line @typescript-eslint/no-require-imports

package/lib/auth/login-status.ts

@@ -20,10 +20,10 @@
 import { existsSync, readFileSync, writeFileSync } from 'node:fs';
 import { join } from 'node:path';
 import { getDataDir } from '../dirs';
+import { runConnectorTest, runBrowserUrlProbe } from '../connectors/test-runner';
 import { listConnectorIds, getConnector, getInstalledConnector } from '../connectors/registry';
-import { runConnectorTest } from '../connectors/test-runner';
 import { expandSettingsTokens } from '../plugins/templates';
-import type { ConnectorDefinition } from '../connectors/types';
+import { readIdpBlocks, type IdpTemplateBlock } from './idp-login';
 
 export type LoginCategory = 'browser' | 'token' | 'external';
 
@@ -112,20 +112,14 @@ export function invalidateCachedResult(sourceId: string): void {
 // ─── Source enumeration ─────────────────────────────────────────────
 
 /**
- * Build the canonical list of LoginSources. Browser/HTTP sources come
- * from connector manifests; external sources are hardcoded here.
- *
- * Connector-derived rows are filtered to those with `test:` declared —
- * connectors without a test block (e.g. `nac` which uses per-call SSH
- * password) are intentionally omitted.
+ * Build the canonical list of LoginSources from connector manifests.
+ * Connector-derived rows are filtered to those with `test:` declared and
+ * actually installed (so an uninstalled connector with empty creds
+ * doesn't pollute the panel with permanent 401s).
  */
 export function listSources(): LoginSource[] {
   const out: LoginSource[] = [];
 
-  // 1. Connector-derived — skip any connector the user hasn't installed
-  //    (no entry in connector-configs.json). An un-installed connector
-  //    would just probe with default/empty settings and always fail,
-  //    polluting the panel.
   for (const id of listConnectorIds()) {
     const def = getConnector(id);
     if (!def || !def.test) continue;
@@ -133,25 +127,17 @@ export function listSources(): LoginSource[] {
     const probe = def.test.probe || 'http';
     const category: LoginCategory = probe === 'browser' ? 'browser' : 'token';
 
-    // Refresh hint per category
     let refresh: RefreshHint;
     if (probe === 'browser') {
-      // For browser sources, host_match (e.g. "{base_url}/*") needs
-      // settings tokens expanded — the user-saved {base_url} lives in
-      // the connector's installed config, not in plain settings.
       const rawHm = def.host_match || def.connectors?.[0]?.host_match || '';
       const inst = getInstalledConnector(id);
       const expanded = inst ? expandSettingsTokens(rawHm, inst.config as any) : rawHm;
-      // Strip Chrome match-pattern suffix like `/*`
       const url = expanded.replace(/\/\*$/, '/');
-      // Heuristic: if expansion left literal `{...}` tokens behind,
-      // settings are incomplete — fall back to opening Settings.
       const stillUnresolved = /\{[^}]+\}/.test(url) || !/^https?:\/\//.test(url);
       refresh = stillUnresolved
         ? { kind: 'open-settings', section: 'connectors' }
         : { kind: 'open-url', url, description: 'Open in a new tab to log in' };
     } else {
-      // HTTP/token — fix by editing connector settings (PAT, API token)
       refresh = { kind: 'open-settings', section: 'connectors' };
     }
 
@@ -164,12 +150,6 @@ export function listSources(): LoginSource[] {
     });
   }
 
-  // GitLab 2FA used to be an external row here, but `2fa_verify` is
-  // interactive auth (not a probe) and bare SSH greet doesn't catch
-  // expiry. Removed in favour of a static hint on the GitLab
-  // connector itself — user copies the command when they actually
-  // hit a 2FA expiry instead of being nagged proactively.
-
   return out;
 }
 
@@ -185,6 +165,8 @@ export async function checkSource(source: LoginSource): Promise<LoginCheckResult
 
   if (source.id.startsWith('connector:')) {
     r = await checkConnector(source.id.slice('connector:'.length));
+  } else if (source.id.startsWith('idp:')) {
+    r = await checkIdp(source.id.slice('idp:'.length));
   } else {
     r = { ok: false, message: `unknown source ${source.id}` };
   }
@@ -201,8 +183,6 @@ export async function checkSource(source: LoginSource): Promise<LoginCheckResult
 async function checkConnector(
   connectorId: string,
 ): Promise<Omit<LoginCheckResult, 'checked_at' | 'duration_ms'>> {
-  // Direct lib call — self-fetching the route hits the auth middleware
-  // (no session cookie) and would return "unauthorized" for every probe.
   try {
     const r = await runConnectorTest(connectorId);
     return {
@@ -215,6 +195,57 @@ async function checkConnector(
   }
 }
 
+// ─── IdP-consolidated sources (Enterprise badge "Web sessions") ────
+// The right-side panel iterates per-connector via listSources(); the
+// Enterprise badge wants a coarser view that asks "is the IdP cookie
+// still alive?" — one row per _idp block, not one per SP.
+
+function idpProbeUrl(block: IdpTemplateBlock): string {
+  return (block.probe_url && block.probe_url.trim()) || `https://${block.host}/`;
+}
+
+export function listIdpSources(): LoginSource[] {
+  const out: LoginSource[] = [];
+  for (const block of readIdpBlocks()) {
+    if (!block.host) continue;
+    out.push({
+      id: `idp:${block.host}`,
+      label: block.display_name || block.host,
+      category: 'browser',
+      detail: block.saml_sps?.length
+        ? `IdP for: ${block.saml_sps.join(', ')}`
+        : 'Identity provider',
+      refresh: {
+        kind: 'open-url',
+        url: idpProbeUrl(block),
+        description: 'Open IdP portal to re-authenticate',
+      },
+    });
+  }
+  return out;
+}
+
+export function listIdpStatus(): LoginStatusRow[] {
+  return listIdpSources().map((source) => ({ source, result: getCachedResult(source.id) }));
+}
+
+async function checkIdp(
+  host: string,
+): Promise<Omit<LoginCheckResult, 'checked_at' | 'duration_ms'>> {
+  const block = readIdpBlocks().find((b) => b.host === host);
+  const probe_url = block ? idpProbeUrl(block) : `https://${host}/`;
+  try {
+    const r = await runBrowserUrlProbe({ id: `idp:${host}`, host, probe_url });
+    return {
+      ok: !!r.ok,
+      message: r.ok ? (r.message || 'ok') : (r.error || `HTTP ${r.status || '?'}`),
+      landed_url: r.url,
+    };
+  } catch (e) {
+    return { ok: false, message: `probe error: ${(e as Error).message}` };
+  }
+}
+
 // ─── Bulk view ──────────────────────────────────────────────────────
 
 export function listStatus(): LoginStatusRow[] {

package/lib/connectors/test-runner.ts

@@ -270,6 +270,54 @@ async function runBrowserProbe(
   };
 }
 
+/**
+ * Run a browser probe against an ad-hoc URL — used by the Login Status
+ * panel's IdP rows (no connector backing them). Reuses the same
+ * `connector.probe` bridge RPC as runBrowserProbe — the extension
+ * opens host_match in a tab, waits for navigation, returns landed URL.
+ * If the landed URL host matches `expected_host`, the user is still
+ * signed in. If it redirected to a login page (different host or path),
+ * not signed in.
+ */
+export async function runBrowserUrlProbe(opts: {
+  id: string;            // identifier for telemetry, e.g. 'idp:fac.corp.fortinet.com'
+  host: string;          // expected host (e.g. 'fac.corp.fortinet.com')
+  probe_url: string;     // URL to navigate to (e.g. 'https://fac.corp.fortinet.com/saml-idp/portal/')
+  timeout_ms?: number;
+}): Promise<TestResult> {
+  const t0 = Date.now();
+  let value: unknown;
+  try {
+    value = await bridgeRpc('connector.probe', {
+      pluginId: opts.id,
+      host_match: opts.probe_url,    // extension navigates to this URL directly
+      runner: 'main',
+      timeout_ms: opts.timeout_ms || 15_000,
+    });
+  } catch (e) {
+    return { ok: false, error: (e as Error).message || 'probe error', duration_ms: Date.now() - t0 };
+  }
+  const r = (value || {}) as { ok?: boolean; url?: string; error?: string };
+  const landed = r.url || '';
+  const failedNetwork = !landed || landed.startsWith('chrome-error://') || landed.startsWith('about:');
+  // Pass if landed host matches expected. A redirect to a different host
+  // (e.g. fac.corp.fortinet.com → ms-login.fortinet.com when SSO expired)
+  // means the user needs to re-authenticate.
+  let onExpected = false;
+  try { onExpected = !failedNetwork && new URL(landed).hostname.toLowerCase() === opts.host.toLowerCase(); } catch { /* bad url */ }
+  return {
+    ok: onExpected,
+    message: onExpected ? `Session active · ${landed}` : undefined,
+    error: onExpected
+      ? undefined
+      : (failedNetwork
+        ? `Network unreachable — ${landed || '(no url)'}. VPN / hostname / firewall?`
+        : `Not signed in — redirected to ${landed}`),
+    url: landed,
+    duration_ms: Date.now() - t0,
+  };
+}
+
 /**
  * Run a connector's `test:` probe. Returns a structured result. The HTTP
  * route + Login Status panel both call this — they share the same

package/lib/workspace-standalone.ts

@@ -306,7 +306,11 @@ async function handleAgentsPost(id: string, body: any, res: ServerResponse): Pro
           const { resolveTerminalLaunch, clearAgentCache } = await import('./agents/index.js');
           clearAgentCache(); // ensure fresh settings are read
           launchInfo = resolveTerminalLaunch(agentConfig.agentId);
-        } catch {}
+        } catch (e) {
+          // Silent fallback used to leak bare `claude` to the UI on restart.
+          // Log loudly so future regressions surface in forge.log.
+          console.warn(`[workspace] open_terminal: resolveTerminalLaunch failed, falling back to bare 'claude':`, (e as Error).message);
+        }
 
         // resolveOnly: return launch info + current session ID (no side effects)
         if (body.resolveOnly) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aion0/forge",
-  "version": "0.10.49",
+  "version": "0.10.50",
   "description": "Unified AI workflow platform — multi-model task orchestration, persistent sessions, web terminal, remote access",
   "type": "module",
   "scripts": {