@aion0/forge 0.10.67 → 0.10.69

package/RELEASE_NOTES.md

@@ -1,8 +1,13 @@
-# Forge v0.10.67
+# Forge v0.10.69
 
-Released: 2026-06-10
+Released: 2026-06-11
 
-## Changes since v0.10.66
+## Changes since v0.10.68
 
+### Other
+- fix(idp): decouple probe host from IdP login host (probe_host)
+- fix(terminal): resolve absolute claude binary on tab restore
+- feat(pipeline): git OTP/2FA preflight + auth-blocked alerts
 
-**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.66...v0.10.67
+
+**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.68...v0.10.69

package/components/EnterpriseBadge.tsx

@@ -98,7 +98,6 @@ export default function EnterpriseBadge({ onOpenSettings: _onOpenSettings }: { o
   // creds and prefill so the user only types OTP.
   const [idpSaveCreds, setIdpSaveCreds] = useState(false);
   const [idpHasSaved, setIdpHasSaved] = useState(false);
-  const [idpOtp, setIdpOtp] = useState('');
   const [idpBusy, setIdpBusy] = useState(false);
   const [idpErr, setIdpErr] = useState('');
   const [idpStatus, setIdpStatus] = useState('');
@@ -190,8 +189,8 @@ export default function EnterpriseBadge({ onOpenSettings: _onOpenSettings }: { o
 
   const handleIdpLogin = async () => {
     if (idpBusy) return;
-    if (!idpUser.trim() || !idpPass || !idpOtp.trim()) {
-      setIdpErr('Username, password, and OTP are all required');
+    if (!idpUser.trim() || !idpPass) {
+      setIdpErr('Username and password are required');
       return;
     }
     setIdpBusy(true); setIdpErr(''); setIdpStatus(''); setIdpManualCommands([]); setIdpManualUrls([]);
@@ -199,7 +198,10 @@ export default function EnterpriseBadge({ onOpenSettings: _onOpenSettings }: { o
       const r = await fetch('/api/auth/idp-login', {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
-        body: JSON.stringify({ username: idpUser.trim(), password: idpPass, otp: idpOtp.trim() }),
+        // No OTP field — FortiToken push: the IdP prompts the user's phone
+        // and the extension/terminal wait for the approval (or a manually
+        // typed code) instead of Forge pasting one.
+        body: JSON.stringify({ username: idpUser.trim(), password: idpPass }),
       });
       const data = await r.json();
       // Template may declare multiple IdPs (e.g. FAC for mantis/pmdb/tp +
@@ -253,9 +255,6 @@ export default function EnterpriseBadge({ onOpenSettings: _onOpenSettings }: { o
           setIdpHasSaved(true);
         } catch { /* non-fatal */ }
       }
-      // Only wipe OTP after success — keep password for follow-up Login
-      // All Sites within the same session (OTP is single-use anyway).
-      setIdpOtp('');
       if (!idpSaveCreds) setIdpPass('');
       setIdpStatus(`${parts.join(' · ')}. Re-probing sessions…`);
       await handleCheckAllWeb();
@@ -485,26 +484,16 @@ export default function EnterpriseBadge({ onOpenSettings: _onOpenSettings }: { o
                   </button>
                 </div>
               </div>
-              <div className="flex gap-1">
-                <input
-                  type="text"
-                  inputMode="numeric"
-                  pattern="\d*"
-                  autoComplete="one-time-code"
-                  maxLength={8}
-                  placeholder="6-digit OTP"
-                  value={idpOtp}
-                  onChange={(e) => setIdpOtp(e.target.value.replace(/\D/g, ''))}
-                  onKeyDown={(e) => { if (e.key === 'Enter') handleIdpLogin(); }}
-                  className="flex-1 text-xs px-2 py-1 bg-[var(--bg)] border border-[var(--border)] rounded font-mono tracking-wider"
-                  disabled={idpBusy}
-                />
+              <div className="flex items-center gap-1.5">
+                <span className="flex-1 text-[9px] text-[var(--text-secondary)]">
+                  OTP via phone push — approve on your FortiToken when prompted
+                </span>
                 <button
                   onClick={handleIdpLogin}
-                  disabled={idpBusy || !idpUser.trim() || !idpPass || !idpOtp.trim()}
+                  disabled={idpBusy || !idpUser.trim() || !idpPass}
                   className="text-[10px] px-2 py-1 rounded bg-amber-500/20 text-amber-400 hover:bg-amber-500/30 disabled:opacity-40 disabled:cursor-not-allowed"
                 >
-                  {idpBusy ? '…' : 'Login all sites'}
+                  {idpBusy ? 'Waiting for approval…' : 'Login all sites'}
                 </button>
               </div>
               <div className="flex items-center gap-2 text-[10px] text-[var(--text-secondary)]">

package/components/ScheduleCreateModal.tsx

@@ -148,6 +148,9 @@ export default function ScheduleCreateModal({ onClose, onCreated, existing }: Pr
       ? String(existing.action_config?.body_template ?? '{body_output}')
       : '{body_output}'
   );
+  const [emailTransport, setEmailTransport] = useState<'smtp' | 'owa'>(
+    existing?.action_kind === 'email' && existing.action_config?.transport === 'owa' ? 'owa' : 'smtp'
+  );
   const [telegramChatId, setTelegramChatId] = useState(
     existing?.action_kind === 'telegram' ? String(existing.action_config?.chat_id ?? '') : ''
   );
@@ -340,6 +343,7 @@ export default function ScheduleCreateModal({ onClose, onCreated, existing }: Pr
         action_config.to = to.length > 1 ? to : (to[0] || '');
         if (emailSubjectTpl) action_config.subject_template = emailSubjectTpl;
         if (emailBodyTpl) action_config.body_template = emailBodyTpl;
+        action_config.transport = emailTransport;
       } else if (actionKind === 'telegram') {
         if (telegramChatId.trim()) action_config.chat_id = telegramChatId.trim();
         if (telegramPrefix) action_config.prefix = telegramPrefix;
@@ -437,6 +441,7 @@ export default function ScheduleCreateModal({ onClose, onCreated, existing }: Pr
               emailTo={emailTo} onEmailTo={setEmailTo}
               emailSubjectTpl={emailSubjectTpl} onEmailSubjectTpl={setEmailSubjectTpl}
               emailBodyTpl={emailBodyTpl} onEmailBodyTpl={setEmailBodyTpl}
+              emailTransport={emailTransport} onEmailTransport={setEmailTransport}
               telegramChatId={telegramChatId} onTelegramChatId={setTelegramChatId}
               telegramPrefix={telegramPrefix} onTelegramPrefix={setTelegramPrefix}
             />
@@ -855,6 +860,7 @@ function Step3({
   emailTo, onEmailTo,
   emailSubjectTpl, onEmailSubjectTpl,
   emailBodyTpl, onEmailBodyTpl,
+  emailTransport, onEmailTransport,
   telegramChatId, onTelegramChatId,
   telegramPrefix, onTelegramPrefix,
 }: {
@@ -871,6 +877,7 @@ function Step3({
   emailTo: string; onEmailTo: (v: string) => void;
   emailSubjectTpl: string; onEmailSubjectTpl: (v: string) => void;
   emailBodyTpl: string; onEmailBodyTpl: (v: string) => void;
+  emailTransport: 'smtp' | 'owa'; onEmailTransport: (v: 'smtp' | 'owa') => void;
   telegramChatId: string; onTelegramChatId: (v: string) => void;
   telegramPrefix: string; onTelegramPrefix: (v: string) => void;
 }) {
@@ -962,7 +969,7 @@ function Step3({
         )}
         <label className="flex items-center gap-2 cursor-pointer">
           <input type="radio" name="action" checked={actionKind === 'email'} onChange={() => onActionKind('email')} />
-          <span className="text-[11px] w-44">Send Email (SMTP)</span>
+          <span className="text-[11px] w-44">Send Email</span>
           <input
             type="text"
             value={emailTo}
@@ -974,6 +981,20 @@ function Step3({
         </label>
         {actionKind === 'email' && (
           <>
+            <label className="flex items-center gap-2">
+              <span className="text-[11px] w-44 ml-6">transport</span>
+              <select
+                value={emailTransport}
+                onChange={(e) => onEmailTransport(e.target.value as 'smtp' | 'owa')}
+                className="text-[11px] px-2 py-0.5 border border-[var(--border)] rounded bg-[var(--bg-secondary)]"
+              >
+                <option value="smtp">SMTP (Settings → SMTP)</option>
+                <option value="owa">OWA connector (your mailbox, no SMTP)</option>
+              </select>
+              {emailTransport === 'owa' && (
+                <span className="text-[10px] text-[var(--text-secondary)]">needs the browser extension connected</span>
+              )}
+            </label>
             <label className="flex items-center gap-2">
               <span className="text-[11px] w-44 ml-6">subject template</span>
               <input

package/components/WebTerminal.tsx

@@ -1572,26 +1572,31 @@ const MemoTerminalPane = memo(function TerminalPane({
             if (isNewlyCreated && projectPathRef.current && !pendingCommands.has(id)) {
               isNewlyCreated = false;
               const pp = projectPathRef.current;
-              import('@/lib/session-utils').then(({ resolveFixedSession, buildResumeFlag, getMcpFlag }) => {
-                // Resolve the agent's absolute claude path — bare
-                // `claude` rides on the tmux pane PATH, which on a
-                // fresh-install machine still points at the user's
-                // stale global @anthropic-ai/claude-code (e.g.
-                // /opt/homebrew/...) and crashes on resume.
-                Promise.all([
-                  resolveFixedSession(pp),
-                  getMcpFlag(pp),
-                  fetch('/api/agents?resolve=').then(r => r.ok ? r.json() : null).catch(() => null),
-                ]).then(([fixedId, mcpFlag, agentInfo]) => {
-                  const resumeFlag = buildResumeFlag(fixedId, true);
-                  const skipFlag = skipPermRef.current ? ' --dangerously-skip-permissions' : '';
-                  const claudeCmd = `"${agentInfo?.cliCmd || 'claude'}"`;
-                  setTimeout(() => {
-                    if (!disposed && ws?.readyState === WebSocket.OPEN) {
-                      ws.send(JSON.stringify({ type: 'input', data: `cd "${pp}" && ${claudeCmd}${resumeFlag}${skipFlag}${mcpFlag}\n` }));
-                    }
-                  }, 300);
-                });
+              import('@/lib/session-utils').then(async ({ resolveFixedSession, buildResumeFlag, getMcpFlag }) => {
+                const [fixedId, mcpFlag] = await Promise.all([resolveFixedSession(pp), getMcpFlag(pp)]);
+                // Resolve the agent's ABSOLUTE claude binary. Bare `claude`
+                // rides the tmux pane PATH, which on this machine can hit a
+                // stale global @anthropic-ai/claude-code (e.g. /opt/homebrew,
+                // conda base) that fails on --resume. On restart the resolve
+                // can lose a race with worker boot, so retry a few times
+                // rather than launching bare claude — launching the wrong
+                // binary is the actual restart-failure bug.
+                let agentCmd = 'claude';
+                for (let i = 0; i < 3; i++) {
+                  try {
+                    const info = await fetch('/api/agents?resolve=').then(r => r.ok ? r.json() : null);
+                    if (info?.cliCmd) { agentCmd = info.cliCmd; break; }
+                  } catch {}
+                  await new Promise(res => setTimeout(res, 400));
+                }
+                const resumeFlag = buildResumeFlag(fixedId, true);
+                const skipFlag = skipPermRef.current ? ' --dangerously-skip-permissions' : '';
+                const claudeCmd = `"${agentCmd}"`;
+                setTimeout(() => {
+                  if (!disposed && ws?.readyState === WebSocket.OPEN) {
+                    ws.send(JSON.stringify({ type: 'input', data: `cd "${pp}" && ${claudeCmd}${resumeFlag}${skipFlag}${mcpFlag}\n` }));
+                  }
+                }, 300);
               });
             }
             isNewlyCreated = false;

package/lib/auth/idp-login.ts

@@ -56,6 +56,14 @@ export interface IdpTemplateBlock {
    *  `https://<host>/`. Override when the IdP's logged-in landing page
    *  is at a specific path (e.g. `/saml-idp/portal/` for FAC). */
   probe_url?: string;
+  /** Hostname the Login Status probe expects to land on when signed in.
+   *  Defaults to `host`. Set when login and logged-in detection live on
+   *  DIFFERENT hosts: e.g. the SCAP SP logs in via the sso.frval IdP form
+   *  (host = sso.frval, where the extension fills credentials) but a
+   *  signed-in probe of scap.fortinet.com lands back on scap
+   *  (probe_host = scap.fortinet.com). Without this the host-only probe
+   *  would mismatch and falsely report "not signed in". */
+  probe_host?: string;
   /** DOM selector present ONLY on the login page (e.g. 'input[type=password]').
    *  Required for IdPs that serve their login form on the SAME host as the
    *  logged-in page (sso.frval.fortinet-emea.com) — without it the host-only
@@ -223,8 +231,11 @@ async function runOneIdp(block: IdpTemplateBlock, req: IdpLoginRequest): Promise
 }
 
 export async function performIdpLogin(req: IdpLoginRequest): Promise<IdpLoginResult> {
-  if (!req.username || !req.password || !req.otp) {
-    return { ok: false, idp_logins: [], error: 'username, password, and otp are all required' };
+  // OTP is optional: when absent, the extension waits for the user to
+  // approve the FortiToken push (or type the code by hand) instead of
+  // Forge pasting one — see token_push_wait in the extension's idpLogin.
+  if (!req.username || !req.password) {
+    return { ok: false, idp_logins: [], error: 'username and password are required' };
   }
   const blocks = readIdpBlocks();
   if (blocks.length === 0) {

package/lib/auth/login-status.ts

@@ -234,8 +234,12 @@ async function checkIdp(
 ): Promise<Omit<LoginCheckResult, 'checked_at' | 'duration_ms'>> {
   const block = readIdpBlocks().find((b) => b.host === host);
   const probe_url = block ? idpProbeUrl(block) : `https://${host}/`;
+  // Host the signed-in probe should land on — defaults to the IdP host,
+  // but SP-fronted IdPs (login at host, logged-in lands on the SP) set
+  // probe_host to the SP so hostnameMatch doesn't falsely fail.
+  const expectHost = (block?.probe_host && block.probe_host.trim()) || host;
   try {
-    const r = await runBrowserUrlProbe({ id: `idp:${host}`, host, probe_url, auth_required_selector: block?.auth_required_selector });
+    const r = await runBrowserUrlProbe({ id: `idp:${host}`, host: expectHost, probe_url, auth_required_selector: block?.auth_required_selector });
     return {
       ok: !!r.ok,
       message: r.ok ? (r.message || 'ok') : (r.error || `HTTP ${r.status || '?'}`),

package/lib/auth/terminal-keystroke.ts

@@ -74,7 +74,13 @@ export async function runTerminalKeystroke(
   if (process.platform !== 'darwin') {
     return { name: spec.name, command: spec.command, ok: false, error: 'Keystroke mode is macOS-only.' };
   }
-  if (spec.needs_otp) {
+  // OTP is optional: absent on a needs_otp command → "push mode". We type
+  // the command and then WAIT for the human to finish it — approve the
+  // FortiToken push on their phone, or type the code into the Terminal
+  // themselves. Completion is still detected via the OK/FAIL echo markers,
+  // so it works regardless of how the prompt gets satisfied.
+  const pushMode = !!spec.needs_otp && !String(otp || '').trim();
+  if (spec.needs_otp && !pushMode) {
     const cleaned = String(otp || '').replace(/\s+/g, '');
     if (!/^\d{6,8}$/.test(cleaned)) {
       return { name: spec.name, command: spec.command, ok: false, error: 'OTP must be 6–8 digits' };
@@ -115,7 +121,7 @@ export async function runTerminalKeystroke(
     'end tell',
   ];
 
-  if (spec.needs_otp) {
+  if (spec.needs_otp && !pushMode) {
     lines.push(
       'set promptDeadline to (current date) + 20',
       'set sawPrompt to false',
@@ -153,12 +159,15 @@ export async function runTerminalKeystroke(
     );
   }
 
+  // Push mode waits for a human (phone approve / manual code entry), so
+  // give it minutes, not seconds. Normal mode keeps the snappy 30s cap.
+  const waitSecs = pushMode ? 180 : 30;
   lines.push(
     'set t0 to current date',
     'set verdict to "timeout"',
     'set tail to ""',
     'repeat',
-    '  if ((current date) - t0) > 30 then exit repeat',
+    `  if ((current date) - t0) > ${waitSecs} then exit repeat`,
     '  delay 0.4',
     '  try',
     '    tell application "Terminal"',
@@ -193,7 +202,7 @@ export async function runTerminalKeystroke(
     'return verdict & "|" & tail',
   );
 
-  const r = await runAppleScript(lines.join('\n'), 60_000);
+  const r = await runAppleScript(lines.join('\n'), (waitSecs + 40) * 1000);
   const out = (r.stdout || '').trim();
   if (r.code !== 0) {
     const err = (r.stderr || '').trim();
@@ -241,5 +250,12 @@ export async function runTerminalKeystroke(
   if (verdict === 'fail') return { name: spec.name, command: spec.command, ok: false, error: 'command exited non-zero', transcript: tail };
   if (verdict === 'noprompt') return { name: spec.name, command: spec.command, ok: false, error: tail || 'No prompt appeared' };
   if (verdict.startsWith('error:')) return { name: spec.name, command: spec.command, ok: false, error: verdict.slice(6) };
-  return { name: spec.name, command: spec.command, ok: false, error: 'timed out reading Terminal' };
+  return {
+    name: spec.name,
+    command: spec.command,
+    ok: false,
+    error: pushMode
+      ? `No completion after ${waitSecs}s — approve the push on your phone or type the code in the Terminal, then retry`
+      : 'timed out reading Terminal',
+  };
 }

package/lib/help-docs/05-pipelines.md

@@ -49,6 +49,48 @@ nodes:
     prompt: "Review the changes"
 ```
 
+## Git OTP / 2FA preflight (`git_push: true`)
+
+Pipelines that push to git (open MRs, push fixup commits) can declare a
+top-level `git_push: true`. When set, Forge runs a **preflight** at pipeline
+start — a lightweight `git ls-remote --heads origin` (no object transfer) on
+the resolved project's repo:
+
+```yaml
+name: my-fix-and-mr
+version: "1.0.0"
+git_push: true        # <-- enables the OTP/2FA preflight
+input: { ... }
+nodes: { ... }
+```
+
+- If the remote demands OTP/2FA (e.g. Fortinet's
+  `ssh git@<host> 2fa_verify`), the **entire run aborts immediately**, before
+  any code work — so a 2FA wall never wastes a full fix pass that can't push.
+- The pipeline is marked `failed` with the exact `2fa_verify` command in its
+  error, and an **auth alert** is fired (see below).
+- Scratch / non-git projects and unrelated remote errors (network, no origin)
+  are ignored — only a genuine OTP marker blocks. Those still surface at push
+  time as before.
+
+## Auth-required alerts (git OTP + expired connector logins)
+
+When a `git_push` pipeline hits the OTP wall, **or** any pipeline fails on an
+expired connector login (Mantis / Teams / OWA session lapsed), Forge fires one
+"auth required" alert across every channel it can, so you can fix it and re-run
+without digging through logs:
+
+1. **In-app notification** (always).
+2. **Telegram** — if `telegramBotToken` + `telegramChatId` are set (Settings →
+   Telegram).
+3. **Email to yourself** — sent to your own mailbox (your **`displayEmail`** from
+   Settings → Identity, i.e. `{user.email}`) via the OWA connector, if that's
+   configured. No SMTP or extra recipient setting needed.
+
+The connector-login case is detected heuristically from the failed node's
+error/output (login-page / "session expired" / "请登录" markers), one alert per
+pipeline.
+
 ## Node Options
 
 | Field | Description | Default |

package/lib/help-docs/07-projects.md

@@ -4,6 +4,37 @@
 
 Add project directories in Settings → **Project Roots** (e.g. `~/Projects`). Forge scans subdirectories automatically.
 
+## How a project is resolved (pipelines / MR review / bug fix)
+
+When a pipeline (or chat-dispatched MR review / bug fix) needs a project, Forge
+resolves the given name in this order — first hit wins:
+
+1. **Exact project name** — a scanned project whose directory name equals the
+   value passed in.
+2. **Git repo match** — when the value looks like an `owner/repo` path (e.g.
+   derived from a GitLab MR URL), Forge compares it against each project's
+   **git `origin` remote**, which it auto-detects from `.git/config` during the
+   scan (no subprocess). Full path first, then the repo basename. This is how
+   "review this MR" finds the right local checkout even when the directory is
+   named differently — you don't need to type the project. Only an
+   **unambiguous single match** is accepted; if two local clones share the same
+   origin, Forge skips this step rather than guess.
+3. **Fuzzy name** — basename / `owner-repo` variants of the value.
+4. **Auto-clone** — if a GitLab connector is configured, clone the repo into
+   `<dataDir>/cloned-projects/<owner>-<repo>/` and reuse it next time.
+5. **Scratch** — the always-writable `<dataDir>/scratch` fallback for flows
+   that don't need a real checkout.
+
+Notes:
+- The detected repo is internal (not shown in Settings) — it's derived live
+  from each project's git origin on every scan, so existing projects work with
+  no migration.
+- Override detection (rare: wrong/missing origin) via
+  `settings.projectRepos: { "<projectPath>": "owner/repo" }`.
+- Auto-cloned repos under `cloned-projects/` are swept after
+  `clonedProjectKeepDays` (default 30) of disuse, unless a running pipeline
+  still has a worktree there.
+
 ## Features
 
 ### Code Tab

package/lib/init.ts

@@ -220,7 +220,7 @@ export function ensureInitialized() {
   // expired (failed/cancelled past retention). Interval from settings,
   // clamped to >= 1h to avoid runaway IO. Runs in background only.
   try {
-    const { gcPipelineTmp } = require('./pipeline-gc');
+    const { gcPipelineTmp, gcClonedProjects } = require('./pipeline-gc');
     const { loadSettings: ls } = require('./settings');
     const hours = Math.max(1, Number(ls().pipelineTmpGcIntervalHours) || 6);
     setInterval(() => {
@@ -228,6 +228,11 @@ export function ensureInitialized() {
         const r = gcPipelineTmp();
         if (r.removed.length) console.log(`[pipeline-gc] swept ${r.removed.length}/${r.scanned} dir(s)`);
       } catch (e) { console.warn('[pipeline-gc] sweep failed:', (e as Error).message); }
+      // Also sweep the auto-clone cache (long retention; conservative).
+      try {
+        const c = gcClonedProjects();
+        if (c.removed.length) console.log(`[pipeline-gc] swept ${c.removed.length}/${c.scanned} cloned repo(s)`);
+      } catch (e) { console.warn('[pipeline-gc] cloned-projects sweep failed:', (e as Error).message); }
     }, hours * 60 * 60 * 1000);
   } catch (e) { console.warn('[pipeline-gc] setup failed:', (e as Error).message); }
 

package/lib/notify.ts

@@ -76,6 +76,59 @@ export async function notifyTaskFailed(task: Task) {
   );
 }
 
+/**
+ * Fan-out alert for a blocking auth wall (git OTP/2FA, expired connector
+ * login). "Notify as loudly as possible" — fires all three channels
+ * best-effort and independently; one failing never blocks the others:
+ *   1. in-app alert (always)
+ *   2. Telegram (if bot token + chat id configured)
+ *   3. email to the user's own mailbox via OWA (if idpSavedUsername set)
+ * The action line (e.g. the `ssh ... 2fa_verify` command) is carried so the
+ * user can resolve it from the notification alone.
+ */
+export async function notifyAuthBlocked(opts: {
+  title: string;
+  body: string;
+  /** Optional shell command the user can run to clear the block. */
+  action?: string;
+  refId?: string;
+}): Promise<void> {
+  const settings = loadSettings();
+  const fullBody = opts.action ? `${opts.body}\n\nRun: ${opts.action}` : opts.body;
+
+  try {
+    addNotification('auth_blocked', opts.title, fullBody, opts.refId);
+  } catch {}
+
+  await sendTelegram(
+    `🔐 *Auth Required*\n\n` +
+    `${esc(opts.title)}\n\n` +
+    `${esc(opts.body)}` +
+    (opts.action ? `\n\n\`${esc(opts.action)}\`` : '')
+  ).catch(() => {});
+
+  // Email to self via the logged-in OWA mailbox. Recipient is the user's
+  // own email from Settings → Identity (displayEmail / {user.email}) — read,
+  // not inferred. No SMTP config or extra notifyEmail setting needed.
+  const self = (settings.displayEmail || '').trim();
+  if (self && self.includes('@')) {
+    try {
+      const { dispatchTool } = await import('./chat/tool-dispatcher');
+      await dispatchTool({
+        id: `auth-blocked-${Date.now()}`,
+        name: 'owa.send_mail',
+        input: {
+          to: self,
+          subject: `[Forge] ${opts.title}`,
+          body: fullBody,
+        },
+      });
+    } catch (e) {
+      console.warn('[notify] auth-blocked email failed:', (e as Error).message);
+    }
+  }
+}
+
 async function sendTelegram(text: string) {
   const settings = loadSettings();
   const { telegramBotToken, telegramChatId } = settings;

package/lib/pipeline-gc.ts

@@ -24,6 +24,7 @@ import { scanProjects, getProjectWorktreeRoot } from './projects';
 import { join } from 'node:path';
 import { getPipeline } from './pipeline';
 import { loadSettings } from './settings';
+import { getDataDir } from './dirs';
 
 export interface GcResult {
   scanned: number;
@@ -106,3 +107,64 @@ export function gcPipelineTmp(opts: { dryRun?: boolean } = {}): GcResult {
 
   return { scanned, removed, kept };
 }
+
+/**
+ * GC the auto-cloned repo cache at <dataDir>/cloned-projects/<owner>-<repo>/.
+ * These are full git clones Forge makes when a pipeline runs without a local
+ * project (resolveOrCloneProject). They're reused across runs, so we keep
+ * them a long time and only sweep ones untouched for clonedProjectKeepDays
+ * (default 30). Conservative on purpose:
+ *   - default 30d, and 0/negative disables the sweep entirely;
+ *   - never deletes a clone that still has a worktree for a non-terminal
+ *     (running/started) pipeline under it.
+ * Uses the newest mtime across the repo dir + its .forge/worktrees so an
+ * actively-used clone (recent worktree) is never considered stale.
+ */
+export function gcClonedProjects(opts: { dryRun?: boolean } = {}): GcResult {
+  const settings = loadSettings();
+  const keepDays = (settings as { clonedProjectKeepDays?: number }).clonedProjectKeepDays ?? 30;
+  const removed: GcResult['removed'] = [];
+  const kept: GcResult['kept'] = [];
+  let scanned = 0;
+  if (!keepDays || keepDays <= 0) return { scanned, removed, kept }; // disabled
+
+  const keepMs = keepDays * 86400_000;
+  const now = Date.now();
+  const root = join(getDataDir(), 'cloned-projects');
+  let entries: string[];
+  try { entries = readdirSync(root); } catch { return { scanned, removed, kept }; }
+
+  for (const entry of entries) {
+    const repoDir = join(root, entry);
+    let st: ReturnType<typeof statSync>;
+    try { st = statSync(repoDir); } catch { continue; }
+    if (!st.isDirectory()) continue;
+    scanned++;
+
+    // Newest signal across the repo dir + its worktree root.
+    let newest = st.mtimeMs;
+    const wtRoot = join(repoDir, '.forge', 'worktrees');
+    let liveWorktree = false;
+    try {
+      for (const wt of readdirSync(wtRoot)) {
+        const wtPath = join(wtRoot, wt);
+        try { newest = Math.max(newest, statSync(wtPath).mtimeMs); } catch {}
+        if (wt.startsWith('pipeline-')) {
+          const p = getPipeline(wt.slice('pipeline-'.length));
+          if (p && p.status !== 'done' && p.status !== 'failed' && p.status !== 'cancelled') {
+            liveWorktree = true;
+          }
+        }
+      }
+    } catch { /* no worktrees dir */ }
+
+    if (liveWorktree) { kept.push({ path: repoDir, reason: 'in-use (running pipeline worktree)' }); continue; }
+    if (now - newest > keepMs) {
+      if (!opts.dryRun) { try { rmSync(repoDir, { recursive: true, force: true }); } catch {} }
+      removed.push({ path: repoDir, reason: `clone unused >${keepDays}d` });
+    } else {
+      kept.push({ path: repoDir, reason: 'fresh' });
+    }
+  }
+  return { scanned, removed, kept };
+}

package/lib/pipeline.ts

@@ -11,11 +11,12 @@ import { execSync } from 'node:child_process';
 import { join } from 'node:path';
 import YAML from 'yaml';
 import { createTask, getTask, onTaskEvent, taskModelOverrides, taskAppendSystemPromptOverrides, cancelTask } from './task-manager';
-import { getProjectInfo, resolveOrCloneProject, getProjectWorktreeRoot } from './projects';
+import { getProjectInfo, resolveOrCloneProject, getProjectWorktreeRoot, ensureScratchProject } from './projects';
 import { loadSettings } from './settings';
 import { getAgent, listAgents } from './agents';
 import type { Task } from '../src/types';
 import { getDataDir } from './dirs';
+import { notifyAuthBlocked } from './notify';
 
 const PIPELINES_DIR = join(getDataDir(), 'pipelines');
 const WORKFLOWS_DIR = join(getDataDir(), 'flows');
@@ -164,6 +165,9 @@ export interface Workflow {
   nodes: Record<string, WorkflowNode>;
   /** Loop over a list — each iteration runs the full DAG once. See ForEachSpec. */
   for_each?: ForEachSpec;
+  /** Declares the pipeline pushes to git. Enables an up-front OTP/2FA preflight
+   *  so a 2fa_verify wall aborts BEFORE any code work instead of at push time. */
+  git_push?: boolean;
   // Conversation mode fields (only when type === 'conversation')
   conversation?: ConversationConfig;
 }
@@ -233,6 +237,9 @@ export interface Pipeline {
   nodeOrder: string[];  // for UI display
   createdAt: string;
   completedAt?: string;
+  /** Pipeline-level failure reason (e.g. git OTP preflight abort) — distinct
+   *  from per-node errors. Set when the run is settled outside a node. */
+  error?: string;
   /**
    * Skill names from the forge-skills registry to make available to
    * every task this pipeline spawns. Composed into the task's
@@ -747,16 +754,22 @@ export function resolveTemplate(template: string, ctx: {
 // ─── Per-run scratch dir (`{{run.tmp_dir}}`) ────────────────
 
 /**
- * Compute the absolute scratch-dir path for a pipeline run. Returns
- * empty string if input.project doesn't resolve. Does NOT mkdir.
+ * Compute the absolute scratch-dir path for a pipeline run. Falls back to
+ * the scratch project's worktree root when input.project is missing or
+ * unresolvable — NEVER returns '' (an empty {{run.tmp_dir}} made YAML like
+ * `mkdir -p {{run.tmp_dir}}/mr-${IID}` resolve to `/mr-NNN`, i.e. the
+ * read-only filesystem root — that was the "mkdir: /mr-14949: Read-only
+ * file system" crash). Does NOT mkdir.
  */
 function computePipelineTmpDir(pipeline: Pipeline): string {
   const name = pipeline.input?.project;
-  if (!name) return '';
-  const proj = getProjectInfo(name);
-  if (!proj) return '';
-  // Worktree root differs for scratch vs real projects — see getProjectWorktreeRoot.
-  return join(getProjectWorktreeRoot(proj), `pipeline-${pipeline.id}`);
+  const proj = name ? getProjectInfo(name) : null;
+  if (proj) {
+    // Worktree root differs for scratch vs real projects — see getProjectWorktreeRoot.
+    return join(getProjectWorktreeRoot(proj), `pipeline-${pipeline.id}`);
+  }
+  // No / unresolved project → writable scratch base under <dataDir>/scratch.
+  return join(ensureScratchProject(), 'worktrees', `pipeline-${pipeline.id}`);
 }
 
 /**
@@ -764,6 +777,21 @@ function computePipelineTmpDir(pipeline: Pipeline): string {
  * non-fatal — `tmpDir` stays unset and `{{run.tmp_dir}}` renders empty.
  */
 function ensurePipelineTmpDir(pipeline: Pipeline): void {
+  // Align run.tmp_dir with the project the nodes will actually use. When no
+  // project was given, resolve it through the same three-tier path the nodes
+  // use (existing → gitlab clone → scratch) and write the concrete name back
+  // to input.project, so tmp_dir lands inside that (possibly cloned) repo and
+  // downstream resolveOrCloneProject finds it as 'existing' (no double clone).
+  // Every node already calls resolveOrCloneProject, so this adds no NEW clone
+  // — it just happens once up front. Never throws (falls back to scratch).
+  if (!pipeline.input?.project) {
+    try {
+      const r = resolveOrCloneProject('');
+      if (r?.project?.name) {
+        pipeline.input = { ...(pipeline.input || {}), project: r.project.name };
+      }
+    } catch { /* leave empty → computePipelineTmpDir's scratch fallback */ }
+  }
   const dir = computePipelineTmpDir(pipeline);
   if (!dir) return;
   try {
@@ -788,6 +816,83 @@ export function cleanupPipelineTmpDir(pipeline: Pipeline): void {
   }
 }
 
+// ─── git auth preflight ───────────────────────────────────
+
+/** Marker patterns in git's stderr that mean an OTP/2FA wall blocks pushes. */
+const GIT_OTP_MARKER = /2fa_verify|OTP verification is required|two-factor|2fa/i;
+
+/**
+ * For pipelines that declare `git_push: true`, probe remote access up front
+ * with a lightweight `git ls-remote` (no object transfer). If the remote
+ * demands OTP/2FA the probe fails with the marker text — we return the human
+ * message + the command to clear it, so startPipeline can abort the whole run
+ * before any expensive code work. Returns null when access is fine, the repo
+ * is scratch/unknown, or the probe itself errors for unrelated reasons (we do
+ * not block on ambiguous failures — those surface at push time as before).
+ */
+function preflightGitAuth(pipeline: Pipeline): { message: string; action?: string } | null {
+  let projectPath: string;
+  try {
+    const resolved = resolveOrCloneProject(pipeline.input?.project || '');
+    if (resolved.source === 'scratch') return null; // no real repo to push to
+    projectPath = resolved.project.path;
+  } catch {
+    return null;
+  }
+  if (!existsSync(join(projectPath, '.git'))) return null;
+
+  try {
+    execSync('git ls-remote --heads origin', {
+      cwd: projectPath,
+      stdio: 'pipe',
+      timeout: 15_000,
+      encoding: 'utf8',
+    });
+    return null; // remote reachable, no OTP wall
+  } catch (e) {
+    const err = e as { stderr?: Buffer | string; stdout?: Buffer | string; message?: string };
+    const out = `${err.stderr || ''}${err.stdout || ''}${err.message || ''}`;
+    const m = out.match(/ssh\s+git@\S+\s+2fa_verify/i);
+    if (GIT_OTP_MARKER.test(out)) {
+      return {
+        message: 'Git remote requires OTP/2FA verification before pushes are allowed. ' +
+          'Aborting before any code work to avoid wasted effort.',
+        action: m ? m[0] : 'ssh git@<git-host> 2fa_verify',
+      };
+    }
+    // Other failures (network, no origin, etc.) — don't block; let nodes handle.
+    return null;
+  }
+}
+
+/** Markers in a failed node's error/output that mean a connector hit an auth
+ *  wall (expired login, sign-in page) — e.g. Mantis/Teams/OWA session lapsed. */
+const CONNECTOR_AUTH_MARKER =
+  /not logged in|please (?:log|sign) ?in|sign[- ]?in (?:page|required)|login (?:page|required|expired)|session (?:expired|timed out)|authentication required|unauthor(?:ized|ised)|需要登录|未登录|登录(?:已)?(?:失效|过期)|请(?:重新)?登录/i;
+
+/**
+ * Scan a settled-failed pipeline for a connector auth wall. Heuristic text
+ * match over each failed node's error + its task output (the agent's report).
+ * Returns the matching node id + a snippet, or null. Used by finalizePipeline
+ * to fire one auth alert per pipeline so an expired Mantis/Teams/OWA login is
+ * surfaced loudly instead of buried in a generic "node failed".
+ */
+function detectConnectorAuthBlock(pipeline: Pipeline): { nodeId: string; snippet: string } | null {
+  for (const [nodeId, node] of Object.entries(pipeline.nodes)) {
+    if (node.status !== 'failed') continue;
+    let text = node.error || '';
+    if (node.taskId) {
+      const t = getTask(node.taskId);
+      if (t) text += `\n${t.error || ''}\n${t.resultSummary || ''}`;
+    }
+    if (CONNECTOR_AUTH_MARKER.test(text)) {
+      const m = text.match(CONNECTOR_AUTH_MARKER);
+      return { nodeId, snippet: (m ? text.slice(Math.max(0, (m.index ?? 0) - 40), (m.index ?? 0) + 120) : text).trim() };
+    }
+  }
+  return null;
+}
+
 // ─── for_each: source resolution ──────────────────────────
 
 /**
@@ -954,6 +1059,25 @@ export function startPipeline(
 
   ensurePipelineTmpDir(pipeline);
 
+  // Git OTP/2FA preflight — abort the whole run up front so a push wall never
+  // wastes a full code-fix pass. Only for pipelines that declare git_push.
+  if (workflow.git_push) {
+    const blocked = preflightGitAuth(pipeline);
+    if (blocked) {
+      pipeline.status = 'failed';
+      pipeline.error = `${blocked.message}${blocked.action ? `\nRun: ${blocked.action}` : ''}`;
+      pipeline.completedAt = new Date().toISOString();
+      savePipeline(pipeline);
+      void notifyAuthBlocked({
+        title: `Pipeline aborted — git auth required (${workflowName})`,
+        body: blocked.message,
+        action: blocked.action,
+        refId: pipeline.id,
+      });
+      return pipeline;
+    }
+  }
+
   // Empty for_each source → nothing to iterate; settle done immediately.
   // (E.g. user submitted `bug_ids: ""` or an empty array; not an error.)
   // Deferred (with `before:`) skips this — items get resolved post-setup.
@@ -2116,6 +2240,20 @@ function finalizePipeline(pipeline: Pipeline) {
 
   notifyPipelineComplete(pipeline);
 
+  // Connector auth wall (expired Mantis/Teams/OWA login etc.) — fire a loud
+  // auth alert once per failed pipeline so it's not buried in a generic error.
+  if (pipeline.status === 'failed') {
+    const authBlock = detectConnectorAuthBlock(pipeline);
+    if (authBlock) {
+      void notifyAuthBlocked({
+        title: `Pipeline failed — connector login required (${pipeline.workflowName})`,
+        body: `Node "${authBlock.nodeId}" hit an authentication wall — a connector session has expired. ` +
+          `Re-login to the affected service and re-run.\n\n${authBlock.snippet}`,
+        refId: pipeline.id,
+      });
+    }
+  }
+
   // Sync run status to project pipeline runs. Dynamic import avoids the
   // circular dep (pipeline-scheduler imports from pipeline.ts at its top).
   import('./pipeline-scheduler').then(({ syncRunStatus }) => {

package/lib/projects.ts

@@ -13,6 +13,46 @@ export interface LocalProject {
   hasClaudeMd: boolean;
   language: string | null;
   lastModified: string;
+  /** Normalized "owner/repo" derived from the git origin remote (or a
+   *  settings.projectRepos override). Lets MR/bug pipelines map a repo
+   *  path back to this local checkout. Undefined when not a git repo /
+   *  no origin. */
+  repo?: string;
+}
+
+/** Normalize a git remote URL to an "owner/repo" path (lowercased), so it
+ *  can be matched against a gitlab MR path. Handles ssh + https forms:
+ *    git@host:owner/repo.git        → owner/repo
+ *    https://host/owner/repo.git    → owner/repo
+ *    https://host/group/sub/repo    → group/sub/repo
+ *  Returns '' if it can't parse one. */
+function normalizeRepoPath(url: string): string {
+  let s = (url || '').trim();
+  if (!s) return '';
+  s = s.replace(/\.git$/i, '');
+  // scp-style: git@host:owner/repo
+  const scp = s.match(/^[^@]+@[^:]+:(.+)$/);
+  if (scp) return scp[1].replace(/^\/+|\/+$/g, '').toLowerCase();
+  // url-style: scheme://[user@]host/owner/repo
+  const m = s.match(/^[a-z][a-z0-9+.-]*:\/\/[^/]+\/(.+)$/i);
+  if (m) return m[1].replace(/^\/+|\/+$/g, '').toLowerCase();
+  return '';
+}
+
+/** Read a project's origin remote from .git/config WITHOUT spawning git
+ *  (scanProjects runs often; a subprocess per project would be costly).
+ *  Returns the normalized "owner/repo" or '' . */
+function readGitOriginRepo(projectPath: string): string {
+  try {
+    const cfg = readFileSync(join(projectPath, '.git', 'config'), 'utf-8');
+    // Find the [remote "origin"] section then its `url = ...` line.
+    const sec = cfg.match(/\[remote "origin"\]([\s\S]*?)(?:\n\[|$)/);
+    if (!sec) return '';
+    const u = sec[1].match(/^\s*url\s*=\s*(.+)\s*$/m);
+    return u ? normalizeRepoPath(u[1]) : '';
+  } catch {
+    return '';
+  }
 }
 
 /** Reserved name for the synthetic "scratch" project that lives under
@@ -112,6 +152,13 @@ export function scanProjects(): LocalProject[] {
         const language = detectLanguage(projectPath);
         const stat = statSync(projectPath);
 
+        // repo: manual settings.projectRepos override wins; else auto-detect
+        // from the git origin remote. Cheap (file read, no subprocess).
+        const repoOverride = (settings.projectRepos || {})[projectPath];
+        const repo = (typeof repoOverride === 'string' && repoOverride.trim())
+          ? normalizeRepoPath(repoOverride) || repoOverride.trim().toLowerCase()
+          : (hasGit ? readGitOriginRepo(projectPath) : '');
+
         projects.push({
           name: entry.name,
           path: projectPath,
@@ -120,6 +167,7 @@ export function scanProjects(): LocalProject[] {
           hasClaudeMd,
           language,
           lastModified: stat.mtime.toISOString(),
+          repo: repo || undefined,
         });
       } catch {
         // Skip inaccessible directories
@@ -301,6 +349,34 @@ export function resolveOrCloneProject(name: string | undefined): ResolveResult {
   if (trimmed) {
     const hit = getProjectInfo(trimmed);
     if (hit) return { project: hit, source: 'existing' };
+
+    const projects = scanProjects();
+
+    // Repo match (best signal): when the caller passes an "owner/repo" path
+    // (e.g. derived from an MR URL), match it against each project's git
+    // origin remote (LocalProject.repo, auto-detected in scanProjects).
+    // This is how "review this MR" finds the right local checkout without
+    // the user naming the project. Compares full path then basename; only
+    // an UNAMBIGUOUS single match wins.
+    if (trimmed.includes('/')) {
+      const want = normalizeRepoPath(trimmed) || trimmed.toLowerCase().replace(/^\/+|\/+$/g, '');
+      const wantBase = want.split('/').pop()!;
+      const byRepo = projects.filter((p) => p.repo && p.repo === want);
+      if (byRepo.length === 1) return { project: byRepo[0], source: 'existing' };
+      const byRepoBase = projects.filter((p) => p.repo && p.repo.split('/').pop() === wantBase);
+      if (byRepoBase.length === 1) return { project: byRepoBase[0], source: 'existing' };
+    }
+
+    // Fuzzy name match across the configured project roots before cloning:
+    // the caller may pass a gitlab path ("owner/repo") or the cloned-projects
+    // dir name ("owner-repo") while the local checkout is just "repo". Try
+    // the basename and the owner-repo form; only accept an UNAMBIGUOUS
+    // single match so we never silently pick the wrong repo.
+    const base = trimmed.split('/').pop()!.trim();
+    const ownerRepo = trimmed.replace(/\//g, '-');
+    const cands = projects.filter((p) =>
+      p.name === base || p.name === ownerRepo || p.name.toLowerCase() === base.toLowerCase());
+    if (cands.length === 1) return { project: cands[0], source: 'existing' };
   }
 
   // Fallback to gitlab connector when no local match. Two cases worth

package/lib/schedules/action-runner.ts

@@ -155,9 +155,6 @@ async function runChatAction(schedule: Schedule, run: ScheduleRun, output: strin
  */
 async function runEmailAction(schedule: Schedule, _run: ScheduleRun, output: string): Promise<void> {
   const settings = loadSettings();
-  if (!settings.smtpHost) {
-    throw new Error('SMTP not configured (Settings → SMTP)');
-  }
   const cfg = schedule.action_config || {};
   const toRaw = cfg.to;
   const to = Array.isArray(toRaw)
@@ -178,6 +175,30 @@ async function runEmailAction(schedule: Schedule, _run: ScheduleRun, output: str
   const bodyText = bodyTpl.replace('{date}', today).replace('{body_output}', output);
   const asHtml = !!cfg.html;
 
+  // Transport: 'smtp' (default, nodemailer) or 'owa' (send via the OWA
+  // browser connector through the extension bridge — no SMTP server needed,
+  // rides the user's logged-in mailbox; requires the extension connected,
+  // same as any browser connector in a scheduled run).
+  const emailTransport = String(cfg.transport || 'smtp').toLowerCase();
+  if (emailTransport === 'owa') {
+    const { dispatchTool } = await import('../chat/tool-dispatcher');
+    const r = await dispatchTool({
+      id: `sched-email-${Date.now()}`,
+      name: 'owa.send_mail',
+      input: { to: to.join(', '), subject, body: bodyText, body_html: asHtml },
+    });
+    let parsed: any = r.content;
+    try { parsed = JSON.parse(r.content); } catch { /* keep string */ }
+    if (r.is_error || (parsed && parsed.error)) {
+      throw new Error(`OWA send failed: ${(parsed && parsed.error) || r.content}`);
+    }
+    return;
+  }
+
+  if (!settings.smtpHost) {
+    throw new Error("SMTP not configured (Settings → SMTP). For mailbox send without SMTP, set action_config.transport='owa'.");
+  }
+
   // Lazy import keeps the SMTP client out of the main bundle until the
   // first email action actually fires.
   const nodemailer = (await import('nodemailer')).default;

package/lib/settings.ts

@@ -93,6 +93,11 @@ export interface McpServerConfig {
 
 export interface Settings {
   projectRoots: string[];
+  /** Optional per-project repo override: { <projectPath>: "owner/repo" }.
+   *  Normally the repo is auto-detected from the project's git origin remote
+   *  (see lib/projects.ts); this only overrides when detection is wrong or
+   *  the checkout has no origin. */
+  projectRepos?: Record<string, string>;
   docRoots: string[];
   claudePath: string;
   // claudeHome removed in 0.10.10 — was a never-UI-exposed override that

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aion0/forge",
-  "version": "0.10.67",
+  "version": "0.10.69",
   "description": "Unified AI workflow platform — multi-model task orchestration, persistent sessions, web terminal, remote access",
   "type": "module",
   "scripts": {