@aion0/forge 0.10.88 → 0.10.89

package/RELEASE_NOTES.md

@@ -1,8 +1,14 @@
-# Forge v0.10.88
+# Forge v0.10.89
 
 Released: 2026-06-17
 
-## Changes since v0.10.87
+## Changes since v0.10.88
 
+### Other
+- fix(build): clean install on fresh machines — webpack build + valid route exports
+- fix(projects): strict resolve requires git-backed match + fresh-clone visibility
+- refactor(projects): auto-clone lands in project root, retire cloned-projects
+- feat(projects): auto-clone lands in a real project root, not the cache
 
-**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.87...v0.10.88
+
+**Full Changelog**: https://github.com/aiwatching/forge/compare/v0.10.88...v0.10.89

package/app/api/auth/check/route.ts

@@ -8,7 +8,7 @@
  */
 
 import { NextResponse } from 'next/server';
-import { isValidToken } from '../verify/route';
+import { isValidToken } from '@/lib/api-tokens';
 
 export async function POST(req: Request) {
   if (!isValidToken(req)) {

package/app/api/auth/keys/route.ts

@@ -2,7 +2,7 @@ import { NextResponse } from 'next/server';
 import { verifyAdmin, getAdminPassword } from '@/lib/password';
 import { createApiKey, listApiKeys } from '@/lib/api-keys';
 import { isAuthenticated } from '@/lib/api-auth';
-import { isValidToken } from '@/app/api/auth/verify/route';
+import { isValidToken } from '@/lib/api-tokens';
 
 function isDev(): boolean {
   return process.env.NODE_ENV !== 'production' || process.env.FORGE_DEV === '1';

package/app/api/auth/verify/route.ts

@@ -1,23 +1,7 @@
 import { NextResponse } from 'next/server';
-import { randomUUID } from 'node:crypto';
-
-// In-memory valid tokens — shared across API routes in the same process
-const tokenKey = Symbol.for('forge-api-tokens');
-const g = globalThis as any;
-if (!g[tokenKey]) g[tokenKey] = new Set<string>();
-export const validTokens: Set<string> = g[tokenKey];
-
-/** Verify a token is valid (for use in other API routes) */
-export function isValidToken(req: Request): boolean {
-  // Check header
-  const headerToken = new Headers(req.headers).get('x-forge-token');
-  if (headerToken && validTokens.has(headerToken)) return true;
-  // Check cookie
-  const cookieHeader = new Headers(req.headers).get('cookie') || '';
-  const match = cookieHeader.match(/forge-api-token=([^;]+)/);
-  if (match && validTokens.has(match[1])) return true;
-  return false;
-}
+// Token store/helpers live in lib/api-tokens (a route file may only export
+// HTTP handlers + Next's allowed config fields — Next 16 type-checks this).
+import { mintToken } from '@/lib/api-tokens';
 
 export async function POST(req: Request) {
   const body = await req.json();
@@ -32,8 +16,7 @@ export async function POST(req: Request) {
     return NextResponse.json({ error: 'invalid password' }, { status: 401 });
   }
 
-  const token = randomUUID();
-  validTokens.add(token);
+  const token = mintToken();
 
   const res = NextResponse.json({ ok: true, token });
   res.cookies.set('forge-api-token', token, {

package/app/api/mcp/route.ts

@@ -15,7 +15,7 @@
  * forwards JSON-RPC frames here and carries the Mcp-Session-Id header.
  */
 
-import { isValidToken } from '@/app/api/auth/verify/route';
+import { isValidToken } from '@/lib/api-tokens';
 import { isAuthenticated } from '@/lib/api-auth';
 import { createManagementMcpServer } from '@/mcp/server';
 import { WebStandardStreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/webStandardStreamableHttp.js';

package/app/api/onboarding/route.ts

@@ -544,7 +544,9 @@ function preprocessTemplate(
 // / default_project_path) after a Reinstall without forcing the user
 // to re-run the entire wizard. Existing non-empty values are preserved
 // — see the merge logic inside.
-export async function applyConnectors(
+// Module-local (not exported): a route file may only export HTTP handlers +
+// Next's config fields — exporting helpers fails Next 16's route type-check.
+async function applyConnectors(
   values: Record<string, string> | undefined,
   selectedConnectors: string[] | undefined,
   sourceId?: string,
@@ -758,7 +760,7 @@ export async function applyConnectors(
  * template omits `_pipelines`, falls back to `suggested_pipelines` (the
  * marketplace's fortinet-* prefix heuristic).
  */
-export async function applyTemplatePipelines(sourceId?: string, deptId?: string): Promise<{
+async function applyTemplatePipelines(sourceId?: string, deptId?: string): Promise<{
   installed: string[];
   errors: Array<{ name: string; error: string }>;
 }> {

package/bin/forge-server.mjs

@@ -28,6 +28,21 @@ import { homedir } from 'node:os';
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const ROOT = join(__dirname, '..');
 
+// Node version guard — Forge is tested on Node 20–22 (LTS). Bleeding-edge
+// majors crash `next build` with a cryptic Turbopack error ("Expected process
+// result to be a module"); old majors lack required APIs. Warn early so the
+// real cause is visible before the build runs.
+{
+  const major = Number(process.versions.node.split('.')[0]);
+  if (major < 20 || major > 24) {
+    console.warn(
+      `\n⚠️  Forge is tested on Node 20–22 (LTS); you're on Node ${process.versions.node}.\n` +
+      `   If startup fails with a Turbopack / native-module error, switch to Node 22:\n` +
+      `     nvm install 22 && nvm use 22 && npm i -g @aion0/forge\n`
+    );
+  }
+}
+
 // Pre-install EnvHttpProxyAgent before any dynamic import('undici') can
 // clobber Node's NODE_USE_ENV_PROXY agent (see lib/proxy-setup.ts).
 // No-op off-corp (no proxy env), so non-docker deployments are unchanged.
@@ -51,7 +66,12 @@ function buildNext() {
     // installed npm-package copy (.npmrc isn't published).
     execSync('npm install --include=dev --legacy-peer-deps', { cwd: ROOT, stdio: 'inherit' });
   }
-  execSync('npx next build', { cwd: ROOT, stdio: 'inherit', env: { ...process.env } });
+  // Build with webpack, not Turbopack (Next 16's default). Turbopack chokes on
+  // the Proxy/middleware bundle — proxy.ts pulls auth + a route module that
+  // transitively imports Node-native deps (better-sqlite3 …) — and dies with
+  // "TurbopackInternalError: Expected process result to be a module". Webpack
+  // (the pre-16 path) handles the Node-runtime middleware fine.
+  execSync('npx next build --webpack', { cwd: ROOT, stdio: 'inherit', env: { ...process.env } });
 }
 
 /**

package/lib/api-tokens.ts

@@ -0,0 +1,31 @@
+import { randomUUID } from 'node:crypto';
+
+/**
+ * In-memory admin-minted API tokens, shared across API routes + the proxy in
+ * the same process. Lives in lib/ (not an API route) on purpose: Next 16's
+ * route type-check rejects non-handler exports from a route file, and importing
+ * a route module into proxy.ts dragged Node-native deps into the middleware
+ * bundle — which crashed the Turbopack build.
+ */
+const tokenKey = Symbol.for('forge-api-tokens');
+const g = globalThis as any;
+if (!g[tokenKey]) g[tokenKey] = new Set<string>();
+export const validTokens: Set<string> = g[tokenKey];
+
+/** Mint + register a new token (called by the password-verify route). */
+export function mintToken(): string {
+  const token = randomUUID();
+  validTokens.add(token);
+  return token;
+}
+
+/** True if the request carries a valid token (x-forge-token header or
+ *  forge-api-token cookie). */
+export function isValidToken(req: Request): boolean {
+  const headerToken = new Headers(req.headers).get('x-forge-token');
+  if (headerToken && validTokens.has(headerToken)) return true;
+  const cookieHeader = new Headers(req.headers).get('cookie') || '';
+  const match = cookieHeader.match(/forge-api-token=([^;]+)/);
+  if (match && validTokens.has(match[1])) return true;
+  return false;
+}

package/lib/projects.ts

@@ -297,11 +297,12 @@ export interface StrictResolveResult {
  *      - else gitlab connector default_project_path
  *      - else → error('no_repo_specified')
  *   3. Re-scan locally for a checkout whose origin matches the target → use it
- *   4. Clone via tryGitlabClone — writes to the Forge-managed cache
- *      (<dataDir>/cloned-projects), which is ALWAYS writable and does NOT
- *      need a configured projectRoot. We best-effort register the container
- *      root (/data/project) so manually-placed checkouts there get scanned,
- *      but never block the clone on it.
+ *   4. Clone via tryGitlabClone — lands in a real project root so the
+ *      checkout persists and is reused next run. In container mode we register
+ *      the docker-internal /data/project (a host-mounted path) as the root
+ *      first, so the clone shows up as a normal project; on a host install it
+ *      takes the first configured project path (projectRoots[0]), falling back
+ *      to ~/IdeaProjects / <dataDir>/scratch.
  *      - gitlab connector missing → error('no_repo_specified')
  *      - clone failed → error('clone_failed')
  */
@@ -309,25 +310,30 @@ export function resolveProjectStrict(name: string | undefined): StrictResolveRes
   const trimmed = (name || '').trim();
 
   // Step 1: existing match — reuse the lenient resolver's match logic by
-  // delegating, but discard its scratch fallback.
+  // delegating, but discard its scratch fallback. Crucially, only accept a
+  // GIT-BACKED match: this resolver exists for requires_real_project pipelines,
+  // so a non-git project (e.g. the built-in 'default' / 'scratch', or a plain
+  // folder the chat agent named) must NOT satisfy it — fall through and clone
+  // the real repo instead. Without this, `project: default` was returned as-is
+  // and the node's `git rev-parse` then failed with "not a git repository".
   if (trimmed) {
     const hit = getProjectInfo(trimmed);
-    if (hit) return { project: hit, source: 'existing' };
+    if (hit?.hasGit) return { project: hit, source: 'existing' };
 
     const projects = scanProjects();
     if (trimmed.includes('/')) {
       const want = normalizeRepoPath(trimmed) || trimmed.toLowerCase().replace(/^\/+|\/+$/g, '');
       const wantBase = want.split('/').pop()!;
       const byRepo = projects.filter((p) => p.repo && p.repo === want);
-      if (byRepo.length === 1) return { project: byRepo[0], source: 'existing' };
+      if (byRepo.length === 1 && byRepo[0].hasGit) return { project: byRepo[0], source: 'existing' };
       const byRepoBase = projects.filter((p) => p.repo && p.repo.split('/').pop() === wantBase);
-      if (byRepoBase.length === 1) return { project: byRepoBase[0], source: 'existing' };
+      if (byRepoBase.length === 1 && byRepoBase[0].hasGit) return { project: byRepoBase[0], source: 'existing' };
     }
     const base = trimmed.split('/').pop()!.trim();
     const ownerRepo = trimmed.replace(/\//g, '-');
     const cands = projects.filter((p) =>
       p.name === base || p.name === ownerRepo || p.name.toLowerCase() === base.toLowerCase());
-    if (cands.length === 1) return { project: cands[0], source: 'existing' };
+    if (cands.length === 1 && cands[0].hasGit) return { project: cands[0], source: 'existing' };
   }
 
   // Step 2: derive target repo path
@@ -450,9 +456,17 @@ function tryGitlabClone(repoPath: string): LocalProject | null {
   const path = repoPath.replace(/^\/+|\/+$/g, '');
   if (!path || !path.includes('/')) return null;  // not a repo path shape
   const safe = path.replace(/[^A-Za-z0-9._-]+/g, '-');
-  const cacheRoot = join(getDataDir(), 'cloned-projects');
-  const target = join(cacheRoot, safe);
-  try { mkdirSync(cacheRoot, { recursive: true }); } catch {}
+  // Clone into a real project root so the checkout persists as a normal
+  // project and is reused across runs (no delete needed). In container mode
+  // ensureContainerRoot registers the docker-internal /data/project (a
+  // host-mounted path) as the first root; on a host install we just take the
+  // first configured project path. getDefaultCloneRoot encodes that priority
+  // (projectRoots[0] → ~/IdeaProjects → <dataDir>/scratch). The old
+  // <dataDir>/cloned-projects hidden cache is retired.
+  ensureContainerRoot();
+  const cloneRoot = getDefaultCloneRoot();
+  const target = join(cloneRoot, safe);
+  try { mkdirSync(cloneRoot, { recursive: true }); } catch {}
 
   // Inject PAT into URL. gitlab accepts `oauth2:<token>` basic auth on
   // HTTPS. URL-encode the token in case it contains '@' or '/'.
@@ -467,6 +481,11 @@ function tryGitlabClone(repoPath: string): LocalProject | null {
     if (!alreadyCloned) {
       execSync(`git clone --quiet "${authedUrl}" "${target}"`, { stdio: 'pipe', timeout: 120000 });
       _cloneFreshAt.set(target, Date.now());
+      // The new checkout must be discoverable right away: a scanProjects() cache
+      // populated earlier this run (e.g. by resolveProjectStrict's pre-clone
+      // scan) wouldn't include it, so getProjectInfo would miss the repo we
+      // just cloned and downstream resolution could fall back to scratch.
+      invalidateProjectScan();
     } else if (!stillFresh) {
       // Best-effort refresh; failures (offline, network, auth drift) are
       // non-fatal — fall back to whatever's cached. Pipelines see stale
@@ -487,9 +506,13 @@ function tryGitlabClone(repoPath: string): LocalProject | null {
   try { mtime = statSync(target).mtime.toISOString(); }
   catch { mtime = new Date().toISOString(); }
   return {
-    name: path,
+    // Use the on-disk dir name (== scanProjects' entry.name) so the name we
+    // seed back into input.project matches what getProjectInfo will find next
+    // scan. Returning the slashed repo path here desynced the two and made
+    // computePipelineTmpDir's getProjectInfo miss → tmp_dir fell to scratch.
+    name: safe,
     path: target,
-    root: cacheRoot,
+    root: cloneRoot,
     hasGit: existsSync(join(target, '.git')),
     hasClaudeMd: existsSync(join(target, 'CLAUDE.md')),
     language: null,

package/next.config.ts

@@ -10,6 +10,13 @@ const localIPs = Object.values(networkInterfaces())
   .map(i => i!.address);
 
 const nextConfig: NextConfig = {
+  // Skip `next build`'s TypeScript step. It duplicates our authoritative
+  // `tsc --noEmit` (run in CI / publish.sh) and additionally enforces a
+  // route-export shape rule that rejects Forge's intentional patterns —
+  // craft-system runtime routes that serve React/jsx as importable modules
+  // (app/api/craft-system/runtime/*) export non-handler symbols on purpose.
+  // tsc remains the real type gate; this only drops Next's redundant check.
+  typescript: { ignoreBuildErrors: true },
   serverExternalPackages: ['better-sqlite3', 'esbuild'],
   allowedDevOrigins: localIPs,
   async rewrites() {

package/package.json

@@ -1,8 +1,11 @@
 {
   "name": "@aion0/forge",
-  "version": "0.10.88",
+  "version": "0.10.89",
   "description": "Unified AI workflow platform — multi-model task orchestration, persistent sessions, web terminal, remote access",
   "type": "module",
+  "engines": {
+    "node": ">=20"
+  },
   "scripts": {
     "dev": "next dev --turbopack",
     "build": "next build",

package/proxy.ts

@@ -1,7 +1,7 @@
 import { NextResponse } from 'next/server';
 import { auth } from './lib/auth';
 import { hasValidApiKey } from './lib/api-auth';
-import { isValidToken } from './app/api/auth/verify/route';
+import { isValidToken } from './lib/api-tokens';
 
 // Node runtime: the auth() wrapper decodes the NextAuth session JWT with the
 // AUTH_SECRET that the route layer also uses (auto-generated in-process when

package/publish.sh

@@ -46,6 +46,25 @@ fi
 echo "Version: $CURRENT → $NEW_VERSION"
 echo ""
 
+# ── Build gate: a broken build must never ship ──────────────────────────────
+# publish.sh used to bump+tag+push with ZERO build verification, so compile /
+# bundler errors only surfaced when a fresh user ran `forge server start` (their
+# first clean `next build`). Run it here with a CLEAN .next so a stale cache
+# can't mask source errors. tsc is the authoritative type gate (next build's own
+# TS step is off via typescript.ignoreBuildErrors); __tests__ are tsx scripts
+# checked separately, so they're excluded.
+echo "Verifying clean build before publish ..."
+rm -rf .next
+npx next build --webpack
+TSC_ERRORS=$(npx tsc --noEmit 2>&1 | grep "error TS" | grep -v "__tests__" || true)
+if [ -n "$TSC_ERRORS" ]; then
+  echo "$TSC_ERRORS"
+  echo "✗ Type errors — aborting publish (no version bump/commit/tag made)."
+  exit 1
+fi
+echo "✓ Build + type-check clean"
+echo ""
+
 # Refresh the bundled model-registry snapshot from public-info.
 # This is the offline/first-run fallback for lib/agents/known-models.ts —
 # pulling it here keeps it from drifting against the live registry.