@aion0/forge 0.10.49 → 0.10.51

package/RELEASE_NOTES.md

@@ -1,11 +1,8 @@
-# Forge v0.10.49
+# Forge v0.10.51
 
 Released: 2026-06-09
 
-## Changes since v0.10.48
+## Changes since v0.10.50
 
-### Other
-- fix(idp-login): pick a failing SP as the SAML trigger, not the first one
 
-
-**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.48...v0.10.49
+**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.50...v0.10.51

package/app/api/cache/route.ts

@@ -0,0 +1,83 @@
+/**
+ * GET  /api/cache    → list cached cloned-project dirs + total size.
+ * DELETE /api/cache  → wipe the whole cloned-projects cache.
+ * DELETE /api/cache?name=<entry>  → wipe a single entry.
+ *
+ * Backs the "Cache" item in the user dropdown. Same data the CLI's
+ * `forge clean cache` shows, surfaced in the UI for users who don't
+ * touch the terminal.
+ */
+
+import { NextResponse } from 'next/server';
+import { existsSync, readdirSync, rmSync, statSync } from 'node:fs';
+import { join } from 'node:path';
+import { getDataDir } from '@/lib/dirs';
+
+function dirSizeBytes(p: string): number {
+  let total = 0;
+  try {
+    for (const ent of readdirSync(p, { withFileTypes: true })) {
+      const child = join(p, ent.name);
+      try {
+        if (ent.isDirectory()) total += dirSizeBytes(child);
+        else total += statSync(child).size;
+      } catch { /* skip unreadable */ }
+    }
+  } catch { /* skip unreadable */ }
+  return total;
+}
+
+function listCache(): { entries: { name: string; bytes: number }[]; total_bytes: number; root: string } {
+  const root = join(getDataDir(), 'cloned-projects');
+  if (!existsSync(root)) return { entries: [], total_bytes: 0, root };
+  const entries: { name: string; bytes: number }[] = [];
+  for (const ent of readdirSync(root, { withFileTypes: true })) {
+    if (!ent.isDirectory()) continue;
+    entries.push({ name: ent.name, bytes: dirSizeBytes(join(root, ent.name)) });
+  }
+  entries.sort((a, b) => b.bytes - a.bytes);
+  return { entries, total_bytes: entries.reduce((s, e) => s + e.bytes, 0), root };
+}
+
+export async function GET() {
+  return NextResponse.json(listCache());
+}
+
+export async function DELETE(req: Request) {
+  const url = new URL(req.url);
+  const name = url.searchParams.get('name');
+  const root = join(getDataDir(), 'cloned-projects');
+  if (!existsSync(root)) {
+    return NextResponse.json({ ok: true, deleted: 0, freed_bytes: 0 });
+  }
+  // Reject anything that escapes the cache root or contains separators —
+  // we accept ONLY a direct subdirectory name (e.g. "fortinet-fortinac-dev").
+  if (name && (name.includes('/') || name.includes('\\') || name.includes('..'))) {
+    return NextResponse.json({ ok: false, error: 'invalid name' }, { status: 400 });
+  }
+
+  const before = listCache();
+  if (name) {
+    const target = join(root, name);
+    if (!existsSync(target)) {
+      return NextResponse.json({ ok: false, error: 'not found' }, { status: 404 });
+    }
+    const hit = before.entries.find((e) => e.name === name);
+    try {
+      rmSync(target, { recursive: true, force: true });
+    } catch (e) {
+      return NextResponse.json({ ok: false, error: (e as Error).message }, { status: 500 });
+    }
+    return NextResponse.json({ ok: true, deleted: 1, freed_bytes: hit?.bytes || 0 });
+  }
+
+  // Wipe all
+  let deleted = 0;
+  for (const e of before.entries) {
+    try {
+      rmSync(join(root, e.name), { recursive: true, force: true });
+      deleted++;
+    } catch { /* skip individual failures, report partial */ }
+  }
+  return NextResponse.json({ ok: true, deleted, freed_bytes: before.total_bytes });
+}

package/app/api/web-sessions/route.ts

@@ -0,0 +1,38 @@
+/**
+ * GET  /api/web-sessions  → IdP-consolidated rows + cached statuses
+ * POST /api/web-sessions  → re-probe every IdP in parallel
+ *
+ * Distinct from /api/login-status (per-connector): this endpoint is used
+ * by the Enterprise badge "Web sessions" section, which wants one row
+ * per IdP block rather than one row per SAML SP.
+ */
+
+import { NextResponse } from 'next/server';
+import { listIdpSources, listIdpStatus, checkSource } from '@/lib/auth/login-status';
+
+export async function GET() {
+  return NextResponse.json({ rows: listIdpStatus() });
+}
+
+export async function POST() {
+  const sources = listIdpSources();
+  const results = await Promise.all(
+    sources.map(async (s) => {
+      try {
+        const r = await checkSource(s);
+        return { source: s, result: r };
+      } catch (e) {
+        return {
+          source: s,
+          result: {
+            ok: false,
+            message: `check error: ${(e as Error).message}`,
+            checked_at: Date.now(),
+            duration_ms: 0,
+          },
+        };
+      }
+    }),
+  );
+  return NextResponse.json({ rows: results });
+}

package/cli/clean.ts

@@ -0,0 +1,140 @@
+/**
+ * `forge clean` — wipe Forge's on-disk caches.
+ *
+ * Today: just `forge clean cache` which removes auto-cloned gitlab
+ * repos under `<dataDir>/cloned-projects/`. Pipelines that need them
+ * re-clone on the next dispatch (one-shot slowdown, no broken state).
+ *
+ * Add more cache targets here as they appear — keep one obvious entry
+ * point so users don't have to learn N subcommands.
+ */
+
+import { existsSync, readdirSync, rmSync, statSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+
+function dataDir(): string {
+  return process.env.FORGE_DATA_DIR || join(homedir(), '.forge', 'data');
+}
+
+function dirSizeBytes(p: string): number {
+  let total = 0;
+  try {
+    for (const ent of readdirSync(p, { withFileTypes: true })) {
+      const child = join(p, ent.name);
+      try {
+        if (ent.isDirectory()) total += dirSizeBytes(child);
+        else total += statSync(child).size;
+      } catch { /* skip unreadable */ }
+    }
+  } catch { /* skip unreadable */ }
+  return total;
+}
+
+function humanBytes(n: number): string {
+  if (n < 1024) return `${n} B`;
+  if (n < 1024 ** 2) return `${(n / 1024).toFixed(1)} KB`;
+  if (n < 1024 ** 3) return `${(n / 1024 ** 2).toFixed(1)} MB`;
+  return `${(n / 1024 ** 3).toFixed(1)} GB`;
+}
+
+function printHelp(): void {
+  console.log(`
+forge clean — wipe Forge caches.
+
+Subcommands:
+  forge clean cache               List cached items + sizes (dry-run).
+  forge clean cache --yes         Actually delete everything.
+  forge clean cache <name> --yes  Delete one entry (e.g. fortinet-fortinac-dev).
+
+Targets cleaned:
+  • <dataDir>/cloned-projects/    Auto-cloned gitlab repos (gitlab fallback).
+`);
+}
+
+async function cmdCache(args: string[]): Promise<void> {
+  const root = join(dataDir(), 'cloned-projects');
+  const yes = args.includes('--yes') || args.includes('-y');
+  const target = args.find((a) => !a.startsWith('-'));
+
+  if (!existsSync(root)) {
+    console.log(`Nothing to clean. ${root} does not exist.`);
+    return;
+  }
+
+  const entries: { name: string; path: string; size: number }[] = [];
+  for (const ent of readdirSync(root, { withFileTypes: true })) {
+    if (!ent.isDirectory()) continue;
+    const p = join(root, ent.name);
+    entries.push({ name: ent.name, path: p, size: dirSizeBytes(p) });
+  }
+  entries.sort((a, b) => b.size - a.size);
+
+  if (entries.length === 0) {
+    console.log(`Nothing to clean. ${root} is empty.`);
+    return;
+  }
+
+  const totalBytes = entries.reduce((s, e) => s + e.size, 0);
+
+  // Single-target mode
+  if (target) {
+    const hit = entries.find((e) => e.name === target);
+    if (!hit) {
+      console.error(`Not found: ${target}`);
+      console.error(`Available: ${entries.map(e => e.name).join(', ')}`);
+      process.exit(1);
+    }
+    console.log(`${hit.name}  ${humanBytes(hit.size)}  ${hit.path}`);
+    if (!yes) {
+      console.log('\nDry-run. Add --yes to actually delete.');
+      return;
+    }
+    try {
+      rmSync(hit.path, { recursive: true, force: true });
+      console.log(`✓ Deleted ${hit.name}`);
+    } catch (e) {
+      console.error(`Failed: ${(e as Error).message}`);
+      process.exit(1);
+    }
+    return;
+  }
+
+  // List / wipe-all mode
+  console.log(`Cached repos under ${root}:\n`);
+  for (const e of entries) {
+    console.log(`  ${e.name.padEnd(40)} ${humanBytes(e.size).padStart(10)}`);
+  }
+  console.log(`\nTotal: ${entries.length} entries, ${humanBytes(totalBytes)}`);
+
+  if (!yes) {
+    console.log('\nDry-run. Add --yes to delete everything.');
+    return;
+  }
+
+  let deleted = 0;
+  for (const e of entries) {
+    try {
+      rmSync(e.path, { recursive: true, force: true });
+      deleted++;
+    } catch (err) {
+      console.error(`Failed ${e.name}: ${(err as Error).message}`);
+    }
+  }
+  console.log(`\n✓ Deleted ${deleted} entries (${humanBytes(totalBytes)} freed).`);
+}
+
+export async function cleanCommand(args: string[]): Promise<void> {
+  const sub = args[0] || '';
+  switch (sub) {
+    case 'cache':
+      await cmdCache(args.slice(1));
+      break;
+    case '--help':
+    case '-h':
+    case '':
+    default:
+      printHelp();
+      break;
+  }
+}

package/cli/mw.mjs

@@ -758,15 +758,15 @@ function migrateDataDir() {
   migrated = true;
   if (process.env.FORGE_DATA_DIR) return;
   const configDir = getConfigDir();
-  const dataDir2 = join3(configDir, "data");
+  const dataDir3 = join3(configDir, "data");
   const oldSettings = join3(configDir, "settings.yaml");
-  const newSettings = join3(dataDir2, "settings.yaml");
+  const newSettings = join3(dataDir3, "settings.yaml");
   if (!existsSync3(oldSettings) || existsSync3(newSettings)) return;
   console.log("[forge] Migrating data from ~/.forge/ to ~/.forge/data/...");
-  if (!existsSync3(dataDir2)) mkdirSync2(dataDir2, { recursive: true });
+  if (!existsSync3(dataDir3)) mkdirSync2(dataDir3, { recursive: true });
   for (const file2 of MIGRATE_FILES) {
     const src = join3(configDir, file2);
-    const dest = join3(dataDir2, file2);
+    const dest = join3(dataDir3, file2);
     if (existsSync3(src) && !existsSync3(dest)) {
       try {
         copyFileSync(src, dest);
@@ -776,7 +776,7 @@ function migrateDataDir() {
     }
   }
   const oldDb = join3(configDir, "data.db");
-  const newDb = join3(dataDir2, "workflow.db");
+  const newDb = join3(dataDir3, "workflow.db");
   if (existsSync3(oldDb) && !existsSync3(newDb)) {
     try {
       copyFileSync(oldDb, newDb);
@@ -786,7 +786,7 @@ function migrateDataDir() {
   }
   for (const dir of MIGRATE_DIRS) {
     const src = join3(configDir, dir);
-    const dest = join3(dataDir2, dir);
+    const dest = join3(dataDir3, dir);
     if (existsSync3(src) && !existsSync3(dest)) {
       try {
         renameSync(src, dest);
@@ -1221,6 +1221,135 @@ var init_key = __esm({
   }
 });
 
+// cli/clean.ts
+var clean_exports = {};
+__export(clean_exports, {
+  cleanCommand: () => cleanCommand
+});
+import { existsSync as existsSync7, readdirSync as readdirSync2, rmSync as rmSync3, statSync as statSync3 } from "node:fs";
+import { join as join8 } from "node:path";
+import { homedir as homedir6 } from "node:os";
+function dataDir2() {
+  return process.env.FORGE_DATA_DIR || join8(homedir6(), ".forge", "data");
+}
+function dirSizeBytes2(p) {
+  let total = 0;
+  try {
+    for (const ent of readdirSync2(p, { withFileTypes: true })) {
+      const child = join8(p, ent.name);
+      try {
+        if (ent.isDirectory()) total += dirSizeBytes2(child);
+        else total += statSync3(child).size;
+      } catch {
+      }
+    }
+  } catch {
+  }
+  return total;
+}
+function humanBytes(n) {
+  if (n < 1024) return `${n} B`;
+  if (n < 1024 ** 2) return `${(n / 1024).toFixed(1)} KB`;
+  if (n < 1024 ** 3) return `${(n / 1024 ** 2).toFixed(1)} MB`;
+  return `${(n / 1024 ** 3).toFixed(1)} GB`;
+}
+function printHelp4() {
+  console.log(`
+forge clean \u2014 wipe Forge caches.
+
+Subcommands:
+  forge clean cache               List cached items + sizes (dry-run).
+  forge clean cache --yes         Actually delete everything.
+  forge clean cache <name> --yes  Delete one entry (e.g. fortinet-fortinac-dev).
+
+Targets cleaned:
+  \u2022 <dataDir>/cloned-projects/    Auto-cloned gitlab repos (gitlab fallback).
+`);
+}
+async function cmdCache(args2) {
+  const root = join8(dataDir2(), "cloned-projects");
+  const yes = args2.includes("--yes") || args2.includes("-y");
+  const target = args2.find((a) => !a.startsWith("-"));
+  if (!existsSync7(root)) {
+    console.log(`Nothing to clean. ${root} does not exist.`);
+    return;
+  }
+  const entries = [];
+  for (const ent of readdirSync2(root, { withFileTypes: true })) {
+    if (!ent.isDirectory()) continue;
+    const p = join8(root, ent.name);
+    entries.push({ name: ent.name, path: p, size: dirSizeBytes2(p) });
+  }
+  entries.sort((a, b) => b.size - a.size);
+  if (entries.length === 0) {
+    console.log(`Nothing to clean. ${root} is empty.`);
+    return;
+  }
+  const totalBytes = entries.reduce((s, e) => s + e.size, 0);
+  if (target) {
+    const hit = entries.find((e) => e.name === target);
+    if (!hit) {
+      console.error(`Not found: ${target}`);
+      console.error(`Available: ${entries.map((e) => e.name).join(", ")}`);
+      process.exit(1);
+    }
+    console.log(`${hit.name}  ${humanBytes(hit.size)}  ${hit.path}`);
+    if (!yes) {
+      console.log("\nDry-run. Add --yes to actually delete.");
+      return;
+    }
+    try {
+      rmSync3(hit.path, { recursive: true, force: true });
+      console.log(`\u2713 Deleted ${hit.name}`);
+    } catch (e) {
+      console.error(`Failed: ${e.message}`);
+      process.exit(1);
+    }
+    return;
+  }
+  console.log(`Cached repos under ${root}:
+`);
+  for (const e of entries) {
+    console.log(`  ${e.name.padEnd(40)} ${humanBytes(e.size).padStart(10)}`);
+  }
+  console.log(`
+Total: ${entries.length} entries, ${humanBytes(totalBytes)}`);
+  if (!yes) {
+    console.log("\nDry-run. Add --yes to delete everything.");
+    return;
+  }
+  let deleted = 0;
+  for (const e of entries) {
+    try {
+      rmSync3(e.path, { recursive: true, force: true });
+      deleted++;
+    } catch (err) {
+      console.error(`Failed ${e.name}: ${err.message}`);
+    }
+  }
+  console.log(`
+\u2713 Deleted ${deleted} entries (${humanBytes(totalBytes)} freed).`);
+}
+async function cleanCommand(args2) {
+  const sub = args2[0] || "";
+  switch (sub) {
+    case "cache":
+      await cmdCache(args2.slice(1));
+      break;
+    case "--help":
+    case "-h":
+    case "":
+    default:
+      printHelp4();
+      break;
+  }
+}
+var init_clean = __esm({
+  "cli/clean.ts"() {
+    "use strict";
+  }
+});
+
 // cli/mw.ts
 var _cliPort = process.argv.find((a, i) => i > 0 && process.argv[i - 1] === "--port");
 var BASE2 = process.env.MW_URL || `http://localhost:${_cliPort || "3000"}`;
@@ -1228,9 +1357,9 @@ var [, , cmd, ...args] = process.argv;
 async function checkForUpdate() {
   try {
     const { readFileSync: readFileSync5 } = await import("node:fs");
-    const { join: join8, dirname } = await import("node:path");
+    const { join: join9, dirname } = await import("node:path");
     const { fileURLToPath } = await import("node:url");
-    const pkg = JSON.parse(readFileSync5(join8(dirname(fileURLToPath(import.meta.url)), "..", "package.json"), "utf-8"));
+    const pkg = JSON.parse(readFileSync5(join9(dirname(fileURLToPath(import.meta.url)), "..", "package.json"), "utf-8"));
     const current = pkg.version;
     const controller = new AbortController();
     const timeout = setTimeout(() => controller.abort(), 3e3);
@@ -1265,10 +1394,10 @@ async function api3(path, opts) {
 async function main() {
   if (cmd === "--version" || cmd === "-v") {
     const { readFileSync: readFileSync5 } = await import("node:fs");
-    const { join: join8, dirname } = await import("node:path");
+    const { join: join9, dirname } = await import("node:path");
     const { fileURLToPath } = await import("node:url");
     try {
-      const pkg = JSON.parse(readFileSync5(join8(dirname(fileURLToPath(import.meta.url)), "..", "package.json"), "utf-8"));
+      const pkg = JSON.parse(readFileSync5(join9(dirname(fileURLToPath(import.meta.url)), "..", "package.json"), "utf-8"));
       console.log(`@aion0/forge v${pkg.version}`);
     } catch {
       console.log("forge (version unknown)");
@@ -1277,18 +1406,18 @@ async function main() {
   }
   if (cmd === "--reset-password") {
     const { spawnSync: spawnSync3 } = await import("node:child_process");
-    const { join: join8, dirname } = await import("node:path");
+    const { join: join9, dirname } = await import("node:path");
     const { fileURLToPath } = await import("node:url");
-    const serverScript = join8(dirname(fileURLToPath(import.meta.url)), "..", "bin", "forge-server.mjs");
+    const serverScript = join9(dirname(fileURLToPath(import.meta.url)), "..", "bin", "forge-server.mjs");
     const passthru = process.argv.slice(3);
     spawnSync3("node", [serverScript, "--reset-password", ...passthru], { stdio: "inherit" });
     process.exit(0);
   }
   if (cmd === "--add-enterprise-key") {
     const { spawnSync: spawnSync3 } = await import("node:child_process");
-    const { join: join8, dirname } = await import("node:path");
+    const { join: join9, dirname } = await import("node:path");
     const { fileURLToPath } = await import("node:url");
-    const serverScript = join8(dirname(fileURLToPath(import.meta.url)), "..", "bin", "forge-server.mjs");
+    const serverScript = join9(dirname(fileURLToPath(import.meta.url)), "..", "bin", "forge-server.mjs");
     const r = spawnSync3("node", [serverScript, "--add-enterprise-key", ...args], { stdio: "inherit" });
     process.exit(r.status ?? 1);
   }
@@ -1326,6 +1455,11 @@ async function main() {
       await keyCommand2(args);
       break;
     }
+    case "clean": {
+      const { cleanCommand: cleanCommand2 } = await Promise.resolve().then(() => (init_clean(), clean_exports));
+      await cleanCommand2(args);
+      break;
+    }
     case "task":
     case "t": {
       const newSession = args.includes("--new");
@@ -1606,13 +1740,13 @@ Resume in CLI:`);
     }
     case "tunnel_code":
     case "tcode": {
-      const { readFileSync: readFileSync5, existsSync: existsSync7 } = await import("node:fs");
-      const { join: join8 } = await import("node:path");
+      const { readFileSync: readFileSync5, existsSync: existsSync8 } = await import("node:fs");
+      const { join: join9 } = await import("node:path");
       const { getDataDir: _gdd } = await Promise.resolve().then(() => (init_dirs(), dirs_exports));
-      const dataDir2 = _gdd();
-      const codeFile = join8(dataDir2, "session-code.json");
+      const dataDir3 = _gdd();
+      const codeFile = join9(dataDir3, "session-code.json");
       try {
-        if (existsSync7(codeFile)) {
+        if (existsSync8(codeFile)) {
           const data = JSON.parse(readFileSync5(codeFile, "utf-8"));
           if (data.code) {
             console.log(`Session code: ${data.code}`);
@@ -1625,7 +1759,7 @@ Resume in CLI:`);
       } catch {
       }
       try {
-        const tunnelState = JSON.parse(readFileSync5(join8(dataDir2, "tunnel-state.json"), "utf-8"));
+        const tunnelState = JSON.parse(readFileSync5(join9(dataDir3, "tunnel-state.json"), "utf-8"));
         if (tunnelState.url) console.log(`Tunnel URL: ${tunnelState.url}`);
       } catch {
       }
@@ -1672,9 +1806,9 @@ ${projects.length} projects`);
     }
     case "server": {
       const { execSync: execSync2 } = await import("node:child_process");
-      const { join: join8, dirname } = await import("node:path");
+      const { join: join9, dirname } = await import("node:path");
       const { fileURLToPath } = await import("node:url");
-      const serverScript = join8(dirname(fileURLToPath(import.meta.url)), "..", "bin", "forge-server.mjs");
+      const serverScript = join9(dirname(fileURLToPath(import.meta.url)), "..", "bin", "forge-server.mjs");
       const sub = args[0] || "start";
       const serverArgs = args.slice(1);
       const flagMap = {
@@ -1747,31 +1881,31 @@ ${task.gitDiff.slice(0, 2e3)}`);
     case "upgrade": {
       const { execSync: execSync2 } = await import("node:child_process");
       const { lstatSync } = await import("node:fs");
-      const { join: join8, dirname } = await import("node:path");
+      const { join: join9, dirname } = await import("node:path");
       const { fileURLToPath } = await import("node:url");
       const cliDir = dirname(fileURLToPath(import.meta.url));
       let isLinked = false;
       try {
-        isLinked = lstatSync(join8(cliDir, "..")).isSymbolicLink();
+        isLinked = lstatSync(join9(cliDir, "..")).isSymbolicLink();
       } catch {
       }
       if (isLinked) {
         console.log("[forge] Installed via npm link (local source)");
         console.log("[forge] Pull latest and rebuild:");
-        console.log("  cd " + join8(cliDir, ".."));
+        console.log("  cd " + join9(cliDir, ".."));
         console.log("  git pull && pnpm install && pnpm build");
       } else {
         console.log("[forge] Upgrading from npm...");
         try {
-          const { homedir: homedir6 } = await import("node:os");
+          const { homedir: homedir7 } = await import("node:os");
           execSync2("npm install -g @aion0/forge@latest --prefer-online", {
             stdio: "inherit",
-            cwd: homedir6()
+            cwd: homedir7()
           });
           try {
             const { readFileSync: readFileSync5 } = await import("node:fs");
-            const globalRoot = execSync2("npm root -g", { encoding: "utf-8", cwd: homedir6() }).trim();
-            const pkg = JSON.parse(readFileSync5(join8(globalRoot, "@aion0", "forge", "package.json"), "utf-8"));
+            const globalRoot = execSync2("npm root -g", { encoding: "utf-8", cwd: homedir7() }).trim();
+            const pkg = JSON.parse(readFileSync5(join9(globalRoot, "@aion0", "forge", "package.json"), "utf-8"));
             console.log(`[forge] Upgraded to v${pkg.version}. Run: forge server restart`);
           } catch {
             console.log("[forge] Upgraded. Run: forge server restart");

package/cli/mw.ts

@@ -140,6 +140,13 @@ async function main() {
       break;
     }
 
+    case 'clean': {
+      // Wipe Forge on-disk caches (cloned gitlab repos, etc).
+      const { cleanCommand } = await import('./clean');
+      await cleanCommand(args);
+      break;
+    }
+
     case 'task':
     case 't': {
       // Parse --new flag to force a fresh session

package/components/Dashboard.tsx

@@ -176,10 +176,52 @@ export default function Dashboard({ user }: { user: any }) {
   const [expandedNotif, setExpandedNotif] = useState<string | null>(null);
   const [showUserMenu, setShowUserMenu] = useState(false);
   const [theme, setTheme] = useState<'dark' | 'light'>('dark');
+  const [cacheInfo, setCacheInfo] = useState<{ entries: { name: string; bytes: number }[]; total_bytes: number } | null>(null);
+  const [showCacheMenu, setShowCacheMenu] = useState(false);
+  const [cacheBusy, setCacheBusy] = useState(false);
   const [displayName, setDisplayName] = useState(user?.name || 'Forge');
   const [profileDept, setProfileDept] = useState('');
   const terminalRef = useRef<WebTerminalHandle>(null);
 
+  // Cache (forge-managed cloned-projects) load + clear helpers. Used by the
+  // user-menu "Cache" entry to show on-disk size and let the user wipe it
+  // without dropping to the terminal. Lazy — only fetched on menu open.
+  const loadCacheInfo = async () => {
+    try {
+      const r = await fetch('/api/cache');
+      if (!r.ok) return;
+      const data = await r.json();
+      setCacheInfo({ entries: data.entries || [], total_bytes: data.total_bytes || 0 });
+    } catch { /* leave previous */ }
+  };
+  const humanBytes = (n: number) => {
+    if (!n) return '0 B';
+    if (n < 1024) return `${n} B`;
+    if (n < 1024 ** 2) return `${(n / 1024).toFixed(1)} KB`;
+    if (n < 1024 ** 3) return `${(n / 1024 ** 2).toFixed(1)} MB`;
+    return `${(n / 1024 ** 3).toFixed(2)} GB`;
+  };
+  const clearCache = async (name?: string) => {
+    if (cacheBusy) return;
+    const ok = confirm(name ? `Delete cached repo "${name}"?` : 'Delete ALL cached repos? They will be re-cloned on next pipeline run.');
+    if (!ok) return;
+    setCacheBusy(true);
+    try {
+      const q = name ? `?name=${encodeURIComponent(name)}` : '';
+      const r = await fetch(`/api/cache${q}`, { method: 'DELETE' });
+      const data = await r.json();
+      if (data?.ok) {
+        await loadCacheInfo();
+      } else {
+        alert(`Cache clear failed: ${data?.error || `HTTP ${r.status}`}`);
+      }
+    } catch (e) {
+      alert(`Cache clear failed: ${(e as Error).message}`);
+    } finally {
+      setCacheBusy(false);
+    }
+  };
+
   // Theme: load from localStorage + apply
   useEffect(() => {
     const saved = localStorage.getItem('forge-theme') as 'dark' | 'light' | null;
@@ -621,7 +663,14 @@ export default function Dashboard({ user }: { user: any }) {
           {/* User menu */}
           <div className="relative">
             <button
-              onClick={() => { setShowUserMenu(v => !v); setShowNotifications(false); }}
+              onClick={() => {
+                const next = !showUserMenu;
+                setShowUserMenu(next);
+                setShowNotifications(false);
+                // Lazy-load cache size whenever the menu opens — keeps
+                // the cache row's "· N MB" current without polling.
+                if (next) loadCacheInfo();
+              }}
               className="text-[var(--text-secondary)] hover:text-[var(--text-primary)] flex items-center gap-1 px-1"
             >
               <span className="flex flex-col items-end leading-tight">
@@ -734,6 +783,52 @@ export default function Dashboard({ user }: { user: any }) {
                       )}
                     </div>
                   )}
+                  {/* Cache — show on-disk size of auto-cloned gitlab repos
+                      under <dataDir>/cloned-projects/, with a click-to-clear
+                      sub-menu listing each entry. Same backend as
+                      `forge clean cache` CLI. */}
+                  <button
+                    onClick={() => setShowCacheMenu(v => !v)}
+                    className="w-full text-left text-[11px] px-3 py-1.5 text-[var(--text-secondary)] hover:text-[var(--text-primary)] hover:bg-[var(--bg-tertiary)] flex items-center gap-2"
+                  >
+                    <span className="w-3 text-center">💾</span>
+                    <span className="flex-1">Cache</span>
+                    <span className="text-[9px] text-[var(--text-secondary)]">
+                      {cacheInfo ? humanBytes(cacheInfo.total_bytes) : '…'}
+                    </span>
+                    <span className="text-[9px] text-[var(--text-secondary)]">{showCacheMenu ? '▾' : '▸'}</span>
+                  </button>
+                  {showCacheMenu && (
+                    <div className="pl-6 pr-1 py-0.5 border-l border-[var(--border)] ml-3 mb-1 max-h-48 overflow-y-auto">
+                      {!cacheInfo && (
+                        <div className="text-[10px] text-[var(--text-secondary)] py-1 px-2">Loading…</div>
+                      )}
+                      {cacheInfo && cacheInfo.entries.length === 0 && (
+                        <div className="text-[10px] text-[var(--text-secondary)] py-1 px-2">Empty.</div>
+                      )}
+                      {cacheInfo?.entries.map((e) => (
+                        <button
+                          key={e.name}
+                          disabled={cacheBusy}
+                          onClick={() => clearCache(e.name)}
+                          className="w-full text-left px-2 py-1 text-[10px] text-[var(--text-primary)] hover:bg-[var(--bg-tertiary)] flex items-center gap-2 disabled:opacity-50"
+                          title={`Click to delete ${e.name}`}
+                        >
+                          <span className="flex-1 truncate">{e.name}</span>
+                          <span className="text-[9px] text-[var(--text-secondary)] flex-shrink-0">{humanBytes(e.bytes)}</span>
+                        </button>
+                      ))}
+                      {cacheInfo && cacheInfo.entries.length > 0 && (
+                        <button
+                          disabled={cacheBusy}
+                          onClick={() => clearCache()}
+                          className="w-full text-left px-2 py-1 mt-1 text-[10px] text-red-400 hover:bg-[var(--bg-tertiary)] disabled:opacity-50 border-t border-[var(--border)]"
+                        >
+                          Clear All ({humanBytes(cacheInfo.total_bytes)})
+                        </button>
+                      )}
+                    </div>
+                  )}
                   <div className="border-t border-[var(--border)] my-1" />
                   <button
                     onClick={() => { setShowHelp(v => !v); setShowUserMenu(false); }}

package/components/EnterpriseBadge.tsx

@@ -143,7 +143,7 @@ export default function EnterpriseBadge({ onOpenSettings: _onOpenSettings }: { o
 
   const loadWebSessions = async () => {
     try {
-      const r = await fetch('/api/login-status');
+      const r = await fetch('/api/web-sessions');
       if (!r.ok) return;
       const data = await r.json();
       ingestLoginRows((data?.rows || []) as LoginRow[]);
@@ -154,7 +154,7 @@ export default function EnterpriseBadge({ onOpenSettings: _onOpenSettings }: { o
     if (webBusy) return;
     setWebBusy(true); setWebErr('');
     try {
-      const r = await fetch('/api/login-status', { method: 'POST' });
+      const r = await fetch('/api/web-sessions', { method: 'POST' });
       const data = await r.json();
       if (!r.ok || data?.error) {
         setWebErr(data?.error || `HTTP ${r.status}`);

package/lib/agents/index.ts

@@ -15,11 +15,17 @@ function resolveAbsoluteBin(cmd: string): string {
   if (cached !== undefined) return cached;
   try {
     const out = execSync(`which ${cmd}`, { encoding: 'utf-8', timeout: 3000, stdio: ['pipe', 'pipe', 'pipe'] }).trim();
-    const resolved = out || cmd;
-    _whichCache.set(cmd, resolved);
-    return resolved;
-  } catch {
-    _whichCache.set(cmd, cmd);
+    if (out) {
+      _whichCache.set(cmd, out);
+      return out;
+    }
+    // `which` exited 0 but printed nothing — don't poison cache, retry next call.
+    return cmd;
+  } catch (e) {
+    // Restart-window contention can blow past the 3s timeout. Caching the
+    // failure here would pin bare `cmd` for the rest of the process — let
+    // the next call retry instead.
+    console.warn(`[agents] which ${cmd} failed:`, (e as Error).message);
     return cmd;
   }
 }
@@ -225,6 +231,10 @@ export function getAgent(id?: AgentId): AgentAdapter {
 /** Clear adapter cache (call after settings change) */
 export function clearAgentCache(): void {
   adapterCache.clear();
+  // Also drop the `which <bin>` resolution cache. Without this, a failed
+  // resolution during the restart window stayed in cache and every later
+  // terminal-launch returned bare `claude`.
+  _whichCache.clear();
 }
 
 /** Auto-detect all available agents (called on startup) */

package/lib/auth/idp-login.ts

@@ -47,8 +47,15 @@ export interface IdpLoginResult {
   error?: string;
 }
 
-interface IdpTemplateBlock {
+export interface IdpTemplateBlock {
   host?: string;
+  /** Optional display name override for the Login Status panel.
+   *  Falls back to `host` when missing. */
+  display_name?: string;
+  /** Optional explicit URL the Login Status probe opens. Defaults to
+   *  `https://<host>/`. Override when the IdP's logged-in landing page
+   *  is at a specific path (e.g. `/saml-idp/portal/` for FAC). */
+  probe_url?: string;
   /** Optional alt hostnames the IdP also uses (e.g. regional SAML servers). */
   alt_hosts?: string[];
   saml_sps?: string[];
@@ -83,7 +90,7 @@ interface IdpTemplateBlock {
  * (legacy) or an array of objects (multi-IdP). Returns normalized
  * array of valid blocks.
  */
-function readIdpBlocks(): IdpTemplateBlock[] {
+export function readIdpBlocks(): IdpTemplateBlock[] {
   const tryRead = (sourceId?: string): IdpTemplateBlock[] | null => {
     const t = resolveWizardTemplate(sourceId);
     const raw = (t?.template as { _idp?: IdpTemplateBlock | IdpTemplateBlock[] } | undefined)?._idp;
@@ -109,13 +116,8 @@ function readIdpBlocks(): IdpTemplateBlock[] {
  *   1. A SP whose login-status cache currently shows ✗ — opening it forces
  *      a SAML redirect to the IdP, which is exactly what we want when the
  *      IdP cookie has expired even though some sibling SPs still have a
- *      valid session cookie (Mantis can be ✓ while pmdb/tp are ✗ because
- *      per-SP cookies are independent of the IdP SSO state).
- *   2. Otherwise first installed SP with a base_url (legacy fallback).
- *
- *  Without (1) the IdP login flow would open Mantis (first in saml_sps),
- *  see the cookie still good, declare "no form needed", and exit — leaving
- *  the broken siblings unrefreshed.
+ *      valid session cookie.
+ *   2. Otherwise first installed SP with a base_url.
  */
 function pickTriggerUrl(saml_sps: string[]): string | null {
   // eslint-disable-next-line @typescript-eslint/no-require-imports

package/lib/auth/login-status.ts

@@ -20,10 +20,10 @@
 import { existsSync, readFileSync, writeFileSync } from 'node:fs';
 import { join } from 'node:path';
 import { getDataDir } from '../dirs';
+import { runConnectorTest, runBrowserUrlProbe } from '../connectors/test-runner';
 import { listConnectorIds, getConnector, getInstalledConnector } from '../connectors/registry';
-import { runConnectorTest } from '../connectors/test-runner';
 import { expandSettingsTokens } from '../plugins/templates';
-import type { ConnectorDefinition } from '../connectors/types';
+import { readIdpBlocks, type IdpTemplateBlock } from './idp-login';
 
 export type LoginCategory = 'browser' | 'token' | 'external';
 
@@ -112,20 +112,14 @@ export function invalidateCachedResult(sourceId: string): void {
 // ─── Source enumeration ─────────────────────────────────────────────
 
 /**
- * Build the canonical list of LoginSources. Browser/HTTP sources come
- * from connector manifests; external sources are hardcoded here.
- *
- * Connector-derived rows are filtered to those with `test:` declared —
- * connectors without a test block (e.g. `nac` which uses per-call SSH
- * password) are intentionally omitted.
+ * Build the canonical list of LoginSources from connector manifests.
+ * Connector-derived rows are filtered to those with `test:` declared and
+ * actually installed (so an uninstalled connector with empty creds
+ * doesn't pollute the panel with permanent 401s).
  */
 export function listSources(): LoginSource[] {
   const out: LoginSource[] = [];
 
-  // 1. Connector-derived — skip any connector the user hasn't installed
-  //    (no entry in connector-configs.json). An un-installed connector
-  //    would just probe with default/empty settings and always fail,
-  //    polluting the panel.
   for (const id of listConnectorIds()) {
     const def = getConnector(id);
     if (!def || !def.test) continue;
@@ -133,25 +127,17 @@ export function listSources(): LoginSource[] {
     const probe = def.test.probe || 'http';
     const category: LoginCategory = probe === 'browser' ? 'browser' : 'token';
 
-    // Refresh hint per category
     let refresh: RefreshHint;
     if (probe === 'browser') {
-      // For browser sources, host_match (e.g. "{base_url}/*") needs
-      // settings tokens expanded — the user-saved {base_url} lives in
-      // the connector's installed config, not in plain settings.
       const rawHm = def.host_match || def.connectors?.[0]?.host_match || '';
       const inst = getInstalledConnector(id);
       const expanded = inst ? expandSettingsTokens(rawHm, inst.config as any) : rawHm;
-      // Strip Chrome match-pattern suffix like `/*`
       const url = expanded.replace(/\/\*$/, '/');
-      // Heuristic: if expansion left literal `{...}` tokens behind,
-      // settings are incomplete — fall back to opening Settings.
       const stillUnresolved = /\{[^}]+\}/.test(url) || !/^https?:\/\//.test(url);
       refresh = stillUnresolved
         ? { kind: 'open-settings', section: 'connectors' }
         : { kind: 'open-url', url, description: 'Open in a new tab to log in' };
     } else {
-      // HTTP/token — fix by editing connector settings (PAT, API token)
       refresh = { kind: 'open-settings', section: 'connectors' };
     }
 
@@ -164,12 +150,6 @@ export function listSources(): LoginSource[] {
     });
   }
 
-  // GitLab 2FA used to be an external row here, but `2fa_verify` is
-  // interactive auth (not a probe) and bare SSH greet doesn't catch
-  // expiry. Removed in favour of a static hint on the GitLab
-  // connector itself — user copies the command when they actually
-  // hit a 2FA expiry instead of being nagged proactively.
-
   return out;
 }
 
@@ -185,6 +165,8 @@ export async function checkSource(source: LoginSource): Promise<LoginCheckResult
 
   if (source.id.startsWith('connector:')) {
     r = await checkConnector(source.id.slice('connector:'.length));
+  } else if (source.id.startsWith('idp:')) {
+    r = await checkIdp(source.id.slice('idp:'.length));
   } else {
     r = { ok: false, message: `unknown source ${source.id}` };
   }
@@ -201,8 +183,6 @@ export async function checkSource(source: LoginSource): Promise<LoginCheckResult
 async function checkConnector(
   connectorId: string,
 ): Promise<Omit<LoginCheckResult, 'checked_at' | 'duration_ms'>> {
-  // Direct lib call — self-fetching the route hits the auth middleware
-  // (no session cookie) and would return "unauthorized" for every probe.
   try {
     const r = await runConnectorTest(connectorId);
     return {
@@ -215,6 +195,57 @@ async function checkConnector(
   }
 }
 
+// ─── IdP-consolidated sources (Enterprise badge "Web sessions") ────
+// The right-side panel iterates per-connector via listSources(); the
+// Enterprise badge wants a coarser view that asks "is the IdP cookie
+// still alive?" — one row per _idp block, not one per SP.
+
+function idpProbeUrl(block: IdpTemplateBlock): string {
+  return (block.probe_url && block.probe_url.trim()) || `https://${block.host}/`;
+}
+
+export function listIdpSources(): LoginSource[] {
+  const out: LoginSource[] = [];
+  for (const block of readIdpBlocks()) {
+    if (!block.host) continue;
+    out.push({
+      id: `idp:${block.host}`,
+      label: block.display_name || block.host,
+      category: 'browser',
+      detail: block.saml_sps?.length
+        ? `IdP for: ${block.saml_sps.join(', ')}`
+        : 'Identity provider',
+      refresh: {
+        kind: 'open-url',
+        url: idpProbeUrl(block),
+        description: 'Open IdP portal to re-authenticate',
+      },
+    });
+  }
+  return out;
+}
+
+export function listIdpStatus(): LoginStatusRow[] {
+  return listIdpSources().map((source) => ({ source, result: getCachedResult(source.id) }));
+}
+
+async function checkIdp(
+  host: string,
+): Promise<Omit<LoginCheckResult, 'checked_at' | 'duration_ms'>> {
+  const block = readIdpBlocks().find((b) => b.host === host);
+  const probe_url = block ? idpProbeUrl(block) : `https://${host}/`;
+  try {
+    const r = await runBrowserUrlProbe({ id: `idp:${host}`, host, probe_url });
+    return {
+      ok: !!r.ok,
+      message: r.ok ? (r.message || 'ok') : (r.error || `HTTP ${r.status || '?'}`),
+      landed_url: r.url,
+    };
+  } catch (e) {
+    return { ok: false, message: `probe error: ${(e as Error).message}` };
+  }
+}
+
 // ─── Bulk view ──────────────────────────────────────────────────────
 
 export function listStatus(): LoginStatusRow[] {

package/lib/connectors/test-runner.ts

@@ -270,6 +270,54 @@ async function runBrowserProbe(
   };
 }
 
+/**
+ * Run a browser probe against an ad-hoc URL — used by the Login Status
+ * panel's IdP rows (no connector backing them). Reuses the same
+ * `connector.probe` bridge RPC as runBrowserProbe — the extension
+ * opens host_match in a tab, waits for navigation, returns landed URL.
+ * If the landed URL host matches `expected_host`, the user is still
+ * signed in. If it redirected to a login page (different host or path),
+ * not signed in.
+ */
+export async function runBrowserUrlProbe(opts: {
+  id: string;            // identifier for telemetry, e.g. 'idp:fac.corp.fortinet.com'
+  host: string;          // expected host (e.g. 'fac.corp.fortinet.com')
+  probe_url: string;     // URL to navigate to (e.g. 'https://fac.corp.fortinet.com/saml-idp/portal/')
+  timeout_ms?: number;
+}): Promise<TestResult> {
+  const t0 = Date.now();
+  let value: unknown;
+  try {
+    value = await bridgeRpc('connector.probe', {
+      pluginId: opts.id,
+      host_match: opts.probe_url,    // extension navigates to this URL directly
+      runner: 'main',
+      timeout_ms: opts.timeout_ms || 15_000,
+    });
+  } catch (e) {
+    return { ok: false, error: (e as Error).message || 'probe error', duration_ms: Date.now() - t0 };
+  }
+  const r = (value || {}) as { ok?: boolean; url?: string; error?: string };
+  const landed = r.url || '';
+  const failedNetwork = !landed || landed.startsWith('chrome-error://') || landed.startsWith('about:');
+  // Pass if landed host matches expected. A redirect to a different host
+  // (e.g. fac.corp.fortinet.com → ms-login.fortinet.com when SSO expired)
+  // means the user needs to re-authenticate.
+  let onExpected = false;
+  try { onExpected = !failedNetwork && new URL(landed).hostname.toLowerCase() === opts.host.toLowerCase(); } catch { /* bad url */ }
+  return {
+    ok: onExpected,
+    message: onExpected ? `Session active · ${landed}` : undefined,
+    error: onExpected
+      ? undefined
+      : (failedNetwork
+        ? `Network unreachable — ${landed || '(no url)'}. VPN / hostname / firewall?`
+        : `Not signed in — redirected to ${landed}`),
+    url: landed,
+    duration_ms: Date.now() - t0,
+  };
+}
+
 /**
  * Run a connector's `test:` probe. Returns a structured result. The HTTP
  * route + Login Status panel both call this — they share the same

package/lib/pipeline.ts

@@ -1792,7 +1792,13 @@ async function scheduleReadyNodes(pipeline: Pipeline, workflow: Workflow) {
     // declared, skip the auto-worktree creation entirely — otherwise we
     // produce dead `.forge/worktrees/pipeline-<id>` directories that
     // nothing ever uses but pile up on disk per pipeline run.
-    const useWorktree = nodeDef.worktree !== false && !nodeDef.workdir;
+    //
+    // Also skip on non-git projects (scratch, or any user project where
+    // `.git` is missing). Pipelines without a project bound default to
+    // the scratch project, which has hasGit:false — without this guard
+    // the worktree branch fired `git branch` / `git worktree add` on a
+    // non-repo and surfaced "fatal: not a git repository" in the run log.
+    const useWorktree = nodeDef.worktree !== false && !nodeDef.workdir && projectInfo.hasGit;
     const branchName = nodeDef.branch ? resolveTemplate(nodeDef.branch, ctx) : `pipeline/${pipeline.id.slice(0, 8)}`;
     if (useWorktree) try {
       const wtRoot = getProjectWorktreeRoot(projectInfo);

package/lib/projects.ts

@@ -1,4 +1,5 @@
 import { readdirSync, existsSync, statSync, readFileSync, mkdirSync, writeFileSync } from 'node:fs';
+import { execSync } from 'node:child_process';
 import { join, resolve, isAbsolute, parse } from 'node:path';
 import { homedir } from 'node:os';
 import { loadSettings, saveSettings } from './settings';
@@ -178,7 +179,7 @@ export function getProjectInfo(name: string): LocalProject | null {
  */
 export interface ResolveResult {
   project: LocalProject;
-  source: 'existing' | 'cloned' | 'scratch';
+  source: 'existing' | 'cloned' | 'gitlab-cloned' | 'scratch';
   clone_url?: string;
 }
 
@@ -206,6 +207,95 @@ export function getDefaultCloneRoot(): string {
   return join(getDataDir(), 'scratch');
 }
 
+/** Read the gitlab connector config without pulling in the connectors
+ *  module statically — projects.ts is imported very early by init/dirs;
+ *  going through a dynamic require keeps the dependency graph one-way.
+ *  Returns null when the connector isn't installed/configured. */
+function readGitlabConnector(): { base_url: string; token: string; default_project_path?: string } | null {
+  try {
+    // eslint-disable-next-line @typescript-eslint/no-require-imports
+    const { getInstalledConnector } = require('./connectors/registry') as typeof import('./connectors/registry');
+    const inst = getInstalledConnector('gitlab');
+    if (!inst) return null;
+    const cfg = (inst.config || {}) as { base_url?: string; token?: string; default_project_path?: string };
+    if (!cfg.base_url || !cfg.token) return null;
+    return {
+      base_url: String(cfg.base_url).replace(/\/+$/, ''),
+      token: String(cfg.token),
+      default_project_path: cfg.default_project_path,
+    };
+  } catch { return null; }
+}
+
+/** Per-process freshness cache for cloned repos. Within this window the
+ *  same repo path skips the `git fetch` step and reuses the on-disk
+ *  state. Pipelines call resolveOrCloneProject once per node per
+ *  for_each iteration — without this, a 5-node × 10-item run does 50
+ *  fetches (~50s of network) before any real work starts. */
+const CLONE_FRESH_WINDOW_MS = 5 * 60 * 1000;
+const _cloneFreshAt = new Map<string, number>();
+
+/** Try to clone (or fast-update) a gitlab project into a Forge-managed
+ *  cache dir. Returns the cached LocalProject on success, null when the
+ *  connector isn't configured or git fails. Used by resolveOrCloneProject
+ *  when no real local project matches the requested name.
+ *
+ *  Cache layout: <dataDir>/cloned-projects/<owner>-<repo>/
+ *  Within the per-process freshness window: skip network entirely.
+ *  Past it (or on first call): `git fetch` to refresh refs. */
+function tryGitlabClone(repoPath: string): LocalProject | null {
+  const gl = readGitlabConnector();
+  if (!gl) return null;
+  const path = repoPath.replace(/^\/+|\/+$/g, '');
+  if (!path || !path.includes('/')) return null;  // not a repo path shape
+  const safe = path.replace(/[^A-Za-z0-9._-]+/g, '-');
+  const cacheRoot = join(getDataDir(), 'cloned-projects');
+  const target = join(cacheRoot, safe);
+  try { mkdirSync(cacheRoot, { recursive: true }); } catch {}
+
+  // Inject PAT into URL. gitlab accepts `oauth2:<token>` basic auth on
+  // HTTPS. URL-encode the token in case it contains '@' or '/'.
+  const cloneUrl = `${gl.base_url}/${path}.git`;
+  const authedUrl = cloneUrl.replace(/^(https?:\/\/)/, `$1oauth2:${encodeURIComponent(gl.token)}@`);
+
+  const alreadyCloned = existsSync(join(target, '.git'));
+  const lastFreshAt = _cloneFreshAt.get(target) || 0;
+  const stillFresh = alreadyCloned && (Date.now() - lastFreshAt) < CLONE_FRESH_WINDOW_MS;
+
+  try {
+    if (!alreadyCloned) {
+      execSync(`git clone --quiet "${authedUrl}" "${target}"`, { stdio: 'pipe', timeout: 120000 });
+      _cloneFreshAt.set(target, Date.now());
+    } else if (!stillFresh) {
+      // Best-effort refresh; failures (offline, network, auth drift) are
+      // non-fatal — fall back to whatever's cached. Pipelines see stale
+      // code, not "fatal: not a git repo".
+      try {
+        execSync(`git -C "${target}" remote set-url origin "${authedUrl}"`, { stdio: 'pipe', timeout: 5000 });
+        execSync(`git -C "${target}" fetch --quiet origin`, { stdio: 'pipe', timeout: 30000 });
+      } catch { /* keep cached state */ }
+      _cloneFreshAt.set(target, Date.now());
+    }
+    // else: within freshness window — skip network entirely
+  } catch (e) {
+    console.warn(`[projects] gitlab clone of ${path} failed:`, (e as Error).message);
+    return null;
+  }
+
+  let mtime: string;
+  try { mtime = statSync(target).mtime.toISOString(); }
+  catch { mtime = new Date().toISOString(); }
+  return {
+    name: path,
+    path: target,
+    root: cacheRoot,
+    hasGit: existsSync(join(target, '.git')),
+    hasClaudeMd: existsSync(join(target, 'CLAUDE.md')),
+    language: null,
+    lastModified: mtime,
+  };
+}
+
 export function resolveOrCloneProject(name: string | undefined): ResolveResult {
   const trimmed = (name || '').trim();
   if (trimmed) {
@@ -213,14 +303,33 @@ export function resolveOrCloneProject(name: string | undefined): ResolveResult {
     if (hit) return { project: hit, source: 'existing' };
   }
 
-  // Default to scratch when the name doesn't match a real project root. The
-  // earlier behavior was to auto-clone from gitlab.default_project_path — but
-  // that ran a `git clone` in-band (slow, surprising, leaves dirs scattered
-  // under ~/IdeaProjects). Pipelines now always run inside Forge-managed
-  // `<dataDir>/scratch/worktrees/pipeline-<id>/` unless the user has
-  // explicitly added the named project under Settings → Project roots.
-  // Explicit clone is still available via `POST /api/projects/clone` for
-  // users who want it.
+  // Fallback to gitlab connector when no local match. Two cases worth
+  // honouring:
+  //   1. `name` itself looks like a gitlab repo path (e.g. "team/repo")
+  //      — caller meant that path literally.
+  //   2. `name` is empty / unknown — pull the gitlab connector's
+  //      `default_project_path` (e.g. "fortinet/fortinac-dev") and use
+  //      it as the fallback repo.
+  // Either way we clone into <dataDir>/cloned-projects/ and reuse on
+  // subsequent runs. The previous behaviour silently dropped to scratch
+  // and code-fix pipelines exploded with "fatal: not a git repository".
+  const gl = readGitlabConnector();
+  if (gl) {
+    const targetPath = trimmed && trimmed.includes('/')
+      ? trimmed
+      : (gl.default_project_path || '').trim();
+    if (targetPath) {
+      const cloned = tryGitlabClone(targetPath);
+      if (cloned) return { project: cloned, source: 'gitlab-cloned', clone_url: `${gl.base_url}/${targetPath.replace(/^\/+|\/+$/g, '')}.git` };
+    }
+  }
+
+  // Last resort: scratch project. Most non-code pipelines (chat
+  // dispatch, mantis-only, notifications) are fine here. Code-fix
+  // pipelines that try to run git will surface their own errors —
+  // pipeline.ts:1795 already skips framework auto-worktree, so the
+  // noise is limited to the pipeline's own shell nodes (which need
+  // a real project to make sense).
   return { project: scratchProject(), source: 'scratch' };
 }
 

package/lib/workspace-standalone.ts

@@ -306,7 +306,11 @@ async function handleAgentsPost(id: string, body: any, res: ServerResponse): Pro
           const { resolveTerminalLaunch, clearAgentCache } = await import('./agents/index.js');
           clearAgentCache(); // ensure fresh settings are read
           launchInfo = resolveTerminalLaunch(agentConfig.agentId);
-        } catch {}
+        } catch (e) {
+          // Silent fallback used to leak bare `claude` to the UI on restart.
+          // Log loudly so future regressions surface in forge.log.
+          console.warn(`[workspace] open_terminal: resolveTerminalLaunch failed, falling back to bare 'claude':`, (e as Error).message);
+        }
 
         // resolveOnly: return launch info + current session ID (no side effects)
         if (body.resolveOnly) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aion0/forge",
-  "version": "0.10.49",
+  "version": "0.10.51",
   "description": "Unified AI workflow platform — multi-model task orchestration, persistent sessions, web terminal, remote access",
   "type": "module",
   "scripts": {