@aion0/forge 0.6.1 → 0.8.0

package/lib/pipeline.ts

@@ -6,7 +6,7 @@
  */
 
 import { randomUUID } from 'node:crypto';
-import { existsSync, readdirSync, readFileSync, writeFileSync, mkdirSync } from 'node:fs';
+import { existsSync, readdirSync, readFileSync, writeFileSync, mkdirSync, statSync } from 'node:fs';
 import { join } from 'node:path';
 import YAML from 'yaml';
 import { createTask, getTask, onTaskEvent, taskModelOverrides } from './task-manager';
@@ -35,6 +35,9 @@ export interface WorkflowNode {
   agent?: string;              // agent ID (default: from settings)
   branch?: string;             // auto checkout this branch before running (supports templates)
   worktree?: boolean;          // default: true. Set false to skip worktree isolation (run in project dir directly)
+  workdir?: string;            // explicit cwd override (template). Wins over auto-worktree. Use when one node
+                               // produces a worktree path that a later node needs to execute inside —
+                               // e.g. worktree-setup → fix-code via `workdir: "{{nodes.worktree-setup.outputs.wt}}"`.
   // Plugin mode fields
   plugin?: string;             // plugin ID (e.g., 'jenkins', 'docker')
   pluginAction?: string;       // action name (e.g., 'trigger', 'build'), defaults to plugin's defaultAction
@@ -242,6 +245,597 @@ nodes:
     outputs:
       - name: result
         extract: stdout
+`,
+  'mantis-bug-fix-and-mr': `
+name: mantis-bug-fix-and-mr
+description: "Fetch Mantis bug context → worktree → fix code via headless Claude → push branch → open GitLab MR via glab CLI → notify assignee + reporter on Teams."
+input:
+  bug_id: "Mantis bug id (number)"
+  project: "Forge project name"
+  base_branch: "Target branch the MR will be opened against (e.g. release/25.4). Required — set in the Job's input_template from the bug's product_version or target_branch field."
+  summary: "Bug summary (one line)"
+  description: "Full bug description (free text)"
+  priority: "Bug priority (optional)"
+  category: "Bug category (optional)"
+  reporter: "Mantis reporter username — used to notify them on Teams"
+  assignee: "Mantis assignee username — used to notify them on Teams"
+  extra_context: "Extra hints for Claude (optional)"
+  mr_title_template: "MR title template. Vars: {bug_id} {summary}. Default: 'Fix Mantis #{bug_id}: {summary}'"
+  mr_body_template: "MR body. Vars: {bug_id} {summary} {description} {claude_summary}. Default closes-reference + Claude summary."
+  teams_message_template: "Teams DM template. Vars: {bug_id} {summary} {mr_url} {role}. Default: '🤖 Mantis #{bug_id} fixed — review MR: {mr_url}'"
+nodes:
+  resolve:
+    mode: shell
+    project: "{{input.project}}"
+    worktree: false
+    prompt: |
+      set -e
+      cd "$(git rev-parse --show-toplevel)"
+      command -v glab >/dev/null || { echo "ERROR: glab CLI not installed. brew install glab && glab auth login" >&2; exit 1; }
+      BUG_ID="{{input.bug_id}}"
+      BASE="{{input.base_branch}}"
+      [ -z "$BUG_ID" ] && { echo "ERROR: bug_id is required" >&2; exit 1; }
+      [ -z "$BASE" ] && { echo "ERROR: base_branch is required (set via Job input_template)" >&2; exit 1; }
+      REMOTE=$(git remote get-url origin)
+      RAW=$(echo "$REMOTE" | sed -E 's#^(https?://[^/]+/|git@[^:]+:)##; s#\\.git$##')
+      HOST=$(echo "$REMOTE" | sed -E 's#^https?://##; s#git@##; s#[:/].*##')
+      PROJECT_PATH="$RAW"
+      echo "HOST=$HOST"
+      echo "PROJECT_PATH=$PROJECT_PATH"
+      echo "BUG_ID=$BUG_ID"
+      echo "BASE=$BASE"
+      git fetch origin "$BASE" --quiet 2>/dev/null || true
+    outputs:
+      - name: info
+        extract: stdout
+  worktree-setup:
+    mode: shell
+    project: "{{input.project}}"
+    worktree: false
+    depends_on: [resolve]
+    prompt: |
+      set -e
+      INFO=$'{{nodes.resolve.outputs.info}}'
+      eval "$(echo "$INFO" | grep -E '^[A-Za-z_][A-Za-z0-9_]*=' | sed 's/^/export /')"
+      # worktree: false above keeps us in the project root, so this is fine.
+      # Falls back to FORGE_PROJECT_ROOT just in case auto-worktree gets
+      # re-enabled in the future.
+      ROOT="\${FORGE_PROJECT_ROOT:-$(git rev-parse --show-toplevel)}"
+      cd "$ROOT"
+      WORKTREE_DIR="$ROOT/.forge/worktrees/mantis-$BUG_ID"
+      BRANCH="fix/mantis-\${BUG_ID}"
+
+      # ALL the noisy git operations route to stderr — downstream nodes
+      # consume \`wt\` via \`eval "$(echo … | grep -E '^[A-Za-z_][A-Za-z0-9_]*=' | sed 's/^/export /')"\` inside
+      # \`$'…'\` quoting. ANY apostrophe / paren / space-ID-paren in the
+      # captured stdout (e.g. "Deleted branch fix/X (was abc1234).",
+      # "Preparing worktree (resetting branch 'X')") breaks bash with
+      # "syntax error near unexpected token '('".
+      {
+        # 1. Remove the on-disk worktree for THIS bug (idempotent).
+        if [ -d "$WORKTREE_DIR" ]; then
+          git worktree remove --force "$WORKTREE_DIR" 2>/dev/null || rm -rf "$WORKTREE_DIR"
+        fi
+        # 2. Drop stale worktree registrations + any other worktree pinning
+        #    our branch. Without (3), "fatal: <branch> already used by
+        #    worktree at <path>" can fire on the next add.
+        git worktree prune
+        git worktree list --porcelain | awk -v b="refs/heads/$BRANCH" '
+          /^worktree /{w=$2}
+          $0=="branch "b{print w}
+        ' | while read w; do
+          [ -n "$w" ] && git worktree remove --force "$w" 2>/dev/null || true
+        done
+        git branch -D "$BRANCH" 2>/dev/null || true
+        mkdir -p "$ROOT/.forge/worktrees"
+        # -B (capital) = create-or-reset; --force lets us reuse an existing dir.
+        git worktree add --force -B "$BRANCH" "$WORKTREE_DIR" "origin/$BASE"
+      } 1>&2
+
+      # IMPORTANT: emit ONLY the worktree path on stdout — nothing else.
+      # fix-code uses \`workdir: {{nodes.worktree-setup.outputs.wt}}\` and the
+      # task runner needs a clean path. If we echo'd "WORKTREE=…\\nBRANCH=…"
+      # the multi-line string became an invalid workdir → Claude silently
+      # ran in the pipeline's parent worktree, made its changes there, and
+      # nothing showed up in the inner branch when push-and-mr cd'd in.
+      # Downstream nodes get the branch by asking git from inside the
+      # worktree (git symbolic-ref --short HEAD) — no out-of-band passing.
+      echo "$WORKTREE_DIR"
+    outputs:
+      - name: wt
+        extract: stdout
+  fetch-bug-details:
+    mode: shell
+    project: "{{input.project}}"
+    worktree: false
+    depends_on: [resolve]
+    prompt: |
+      # Pull the FULL mantis bug — summary, description, additional_information,
+      # reproducibility, all notes with author/date, history — via Forge's
+      # loopback connector-tool endpoint. search_bugs (when used as the Job
+      # source) only returns list-page columns; this node fills the gap so
+      # fix-code has every field it could possibly want.
+      set -e
+      INFO=$'{{nodes.resolve.outputs.info}}'
+      eval "$(echo "$INFO" | grep -E '^[A-Za-z_][A-Za-z0-9_]*=' | sed 's/^/export /')"
+      PAYLOAD="{\\"plugin_id\\":\\"mantis\\",\\"tool\\":\\"get_bug\\",\\"input\\":{\\"id\\":$BUG_ID}}"
+      RESP=$(curl -sS -X POST http://127.0.0.1:8403/api/connector-tool \\
+        -H 'content-type: application/json' --data "$PAYLOAD")
+      IS_ERR=$(echo "$RESP" | jq -r '.is_error // false')
+      if [ "$IS_ERR" = "true" ]; then
+        echo "WARN: mantis.get_bug failed: $(echo "$RESP" | jq -r '.content // .error // "(unknown)"' | head -c 300)" >&2
+        echo "BUG_ID=$BUG_ID"
+        echo "BUG_JSON_B64="
+        echo "SUMMARY="
+        echo "CATEGORY="
+        echo "DESCRIPTION_B64="
+        echo "ADDITIONAL_INFO_B64="
+        echo "NOTES_B64="
+        exit 0
+      fi
+      # .content is itself a JSON string (the bug object); decode once.
+      BUG=$(echo "$RESP" | jq -r '.content' | jq -c '.')
+
+      # Whole bug as base64 — gives fix-code an escape hatch to read any
+      # field we didn't bother to enumerate (history, _fields_raw, etc).
+      BUG_JSON_B64=$(echo -n "$BUG" | base64 | tr -d '\\n')
+
+      # Convenience extracts. Multi-line fields (description, notes,
+      # additional_information) → base64'd so newlines / quotes / shell
+      # metachars survive transport. Single-line stays plain for the
+      # KEY=value eval pattern downstream nodes already use.
+      SUMMARY=$(echo "$BUG" | jq -r '.summary // ""' | head -c 500 | tr -d '\\n')
+      CAT=$(echo "$BUG" | jq -r '.category // ""' | tr -d '\\n')
+      REPRO=$(echo "$BUG" | jq -r '.reproducibility // ""' | tr -d '\\n')
+      DESC_B64=$(echo "$BUG" | jq -r '.description // ""' | base64 | tr -d '\\n')
+      ADDL_B64=$(echo "$BUG" | jq -r '.additional_information // ""' | base64 | tr -d '\\n')
+      # Notes with author + date + body, separated by ─── for readability.
+      NOTES_B64=$(echo "$BUG" | jq -r '[.notes[]? | "[\\(.author // "?") @ \\(.date // "?")]\\n\\(.body // "")"] | join("\\n\\n─────────────\\n\\n")' 2>/dev/null | base64 | tr -d '\\n')
+
+      echo "BUG_ID=$BUG_ID"
+      echo "SUMMARY=$SUMMARY"
+      echo "CATEGORY=$CAT"
+      echo "REPRODUCIBILITY=$REPRO"
+      echo "DESCRIPTION_B64=$DESC_B64"
+      echo "ADDITIONAL_INFO_B64=$ADDL_B64"
+      echo "NOTES_B64=$NOTES_B64"
+      echo "BUG_JSON_B64=$BUG_JSON_B64"
+
+      # ── Human-readable preview to stderr ──
+      # Goes into the task log so the user can see what we actually got
+      # from Mantis without having to manually base64 -d. Truncated at
+      # 800 chars per field to keep the log tractable. Stdout above keeps
+      # the clean KEY=value pairs downstream nodes parse.
+      DESC_PLAIN=$(echo "$BUG" | jq -r '.description // ""')
+      ADDL_PLAIN=$(echo "$BUG" | jq -r '.additional_information // ""')
+      NOTES_COUNT=$(echo "$BUG" | jq -r '.notes | length // 0')
+      NOTES_FIRST=$(echo "$BUG" | jq -r '.notes[0]? | "[\\(.author // "?") @ \\(.date // "?")] \\(.body // "")"' 2>/dev/null | head -c 400)
+      NOTES_LAST=$(echo "$BUG" | jq -r '.notes[-1]? | "[\\(.author // "?") @ \\(.date // "?")] \\(.body // "")"' 2>/dev/null | head -c 400)
+      DESC_LEN=$(printf %s "$DESC_PLAIN" | wc -c | tr -d ' ')
+      ADDL_LEN=$(printf %s "$ADDL_PLAIN" | wc -c | tr -d ' ')
+      {
+        echo ""
+        echo "─── fetch-bug-details — what we got from Mantis #$BUG_ID ───"
+        echo "Summary:        $SUMMARY"
+        echo "Category:       $CAT"
+        echo "Reproducibility:$REPRO"
+        echo ""
+        echo "Description (\${DESC_LEN} chars, showing first 800):"
+        printf %s "$DESC_PLAIN" | head -c 800
+        [ "$DESC_LEN" -gt 800 ] && echo "… [truncated]"
+        echo ""
+        echo ""
+        echo "Additional Information (\${ADDL_LEN} chars, showing first 800):"
+        printf %s "$ADDL_PLAIN" | head -c 800
+        [ "$ADDL_LEN" -gt 800 ] && echo "… [truncated]"
+        echo ""
+        echo ""
+        echo "Notes: $NOTES_COUNT total"
+        if [ "$NOTES_COUNT" -gt 0 ]; then
+          echo "  First: $NOTES_FIRST"
+          [ "$NOTES_COUNT" -gt 1 ] && echo "  Last:  $NOTES_LAST"
+        fi
+        echo "──────────────────────────────────────────────────────"
+      } >&2
+    outputs:
+      - name: details
+        extract: stdout
+  download-attachments:
+    mode: shell
+    project: "{{input.project}}"
+    worktree: false
+    depends_on: [resolve, worktree-setup]
+    prompt: |
+      # Download all Attached Files from the Mantis bug into the worktree's
+      # .attachments/ directory so fix-code (Claude with vision) can read
+      # screenshots, logs, and any other supporting material. Skips files
+      # larger than 5 MB (see download_attachment's max_size_bytes default).
+      set -e
+      INFO=$'{{nodes.resolve.outputs.info}}'
+      eval "$(echo "$INFO" | grep -E '^[A-Za-z_][A-Za-z0-9_]*=' | sed 's/^/export /')"
+      WORKTREE_DIR=$'{{nodes.worktree-setup.outputs.wt}}'
+      WORKTREE_DIR=$(echo "$WORKTREE_DIR" | head -1 | tr -d '[:space:]')
+      ATTACH_DIR="$WORKTREE_DIR/.attachments"
+      mkdir -p "$ATTACH_DIR"
+
+      # 1. List attachments.
+      LIST=$(curl -sS -X POST http://127.0.0.1:8403/api/connector-tool \\
+        -H 'content-type: application/json' \\
+        --data "{\\"plugin_id\\":\\"mantis\\",\\"tool\\":\\"list_attachments\\",\\"input\\":{\\"id\\":$BUG_ID,\\"bug_id\\":$BUG_ID}}" )
+      IS_ERR=$(echo "$LIST" | jq -r '.is_error // false')
+      if [ "$IS_ERR" = "true" ]; then
+        echo "ATTACH_COUNT=0"
+        echo "ATTACH_DIR=$ATTACH_DIR"
+        echo "WARN: list_attachments failed: $(echo "$LIST" | jq -r '.content' | head -c 200)" >&2
+        exit 0
+      fi
+      ATTACHMENTS=$(echo "$LIST" | jq -r '.content' | jq -c '.attachments // []')
+      TOTAL=$(echo "$ATTACHMENTS" | jq 'length')
+      echo "Found $TOTAL attachment(s) on bug $BUG_ID"
+
+      COUNT=0
+      SKIPPED=0
+      # 2. Iterate + download each. jq stream the ids/filenames.
+      echo "$ATTACHMENTS" | jq -c '.[]' | while read -r ATT; do
+        FID=$(echo "$ATT" | jq -r '.file_id')
+        FN=$(echo "$ATT" | jq -r '.filename')
+        SZ=$(echo "$ATT" | jq -r '.size')
+        # Sanitize filename to avoid path traversal.
+        SAFE=$(echo "$FN" | tr -d '\\\\/:*?"<>|' | head -c 200)
+        [ -z "$SAFE" ] && SAFE="file-$FID"
+        echo "  → $SAFE ($SZ bytes)"
+        RESP=$(curl -sS -X POST http://127.0.0.1:8403/api/connector-tool \\
+          -H 'content-type: application/json' \\
+          --data "{\\"plugin_id\\":\\"mantis\\",\\"tool\\":\\"download_attachment\\",\\"input\\":{\\"file_id\\":$FID}}")
+        if [ "$(echo "$RESP" | jq -r '.is_error // false')" = "true" ]; then
+          echo "    WARN: download failed for $SAFE" >&2
+          continue
+        fi
+        BODY=$(echo "$RESP" | jq -r '.content')
+        SKIP=$(echo "$BODY" | jq -r '.skipped // false')
+        if [ "$SKIP" = "true" ]; then
+          REASON=$(echo "$BODY" | jq -r '.reason // ""')
+          echo "    SKIPPED $SAFE — $REASON" >&2
+          SKIPPED=$((SKIPPED+1))
+          continue
+        fi
+        B64=$(echo "$BODY" | jq -r '.content_b64')
+        [ -z "$B64" ] && { echo "    WARN: empty content_b64 for $SAFE" >&2; continue; }
+        echo "$B64" | base64 -d > "$ATTACH_DIR/$SAFE"
+        COUNT=$((COUNT+1))
+      done
+
+      echo "ATTACH_COUNT=$COUNT"
+      echo "ATTACH_SKIPPED=$SKIPPED"
+      echo "ATTACH_DIR=$ATTACH_DIR"
+
+      # Human-readable directory listing into stderr so the log shows
+      # what's actually on disk for the next node.
+      {
+        echo ""
+        echo "─── download-attachments — files in $ATTACH_DIR ───"
+        if [ -d "$ATTACH_DIR" ] && [ -n "$(ls -A "$ATTACH_DIR" 2>/dev/null)" ]; then
+          ls -lhS "$ATTACH_DIR" 2>/dev/null | tail -n +2
+        else
+          echo "(no files)"
+        fi
+        echo "──────────────────────────────────────────────────────"
+      } >&2
+    outputs:
+      - name: attach
+        extract: stdout
+  fix-code:
+    project: "{{input.project}}"
+    worktree: false
+    depends_on: [worktree-setup, fetch-bug-details, download-attachments]
+    workdir: "{{nodes.worktree-setup.outputs.wt}}"
+    prompt: |
+      A Mantis bug needs to be fixed in this worktree (already checked out
+      from the target base branch). You are running headless — make the fix
+      yourself, stage + commit.
+
+      ## Bug
+      ID: {{input.bug_id}}
+      Priority: {{input.priority}}
+      Category (from get_bug, full): see DETAILS below
+      Assignee: {{input.assignee}}
+      Reporter: {{input.reporter}}
+
+      ## Summary
+      {{input.summary}}
+
+      ## Full bug details (fetched via mantis.get_bug)
+      The fetch-bug-details node ran \`mantis.get_bug\` and exported these
+      key=value lines. _B64 fields are base64-encoded multi-line strings:
+
+      {{nodes.fetch-bug-details.outputs.details}}
+
+      Decode any _B64 field with:
+        \`echo "<value>" | base64 -d\`
+
+      Available fields (READ ALL of them before deciding on a fix):
+        SUMMARY               one-line title (plain)
+        CATEGORY              Mantis category (plain)
+        REPRODUCIBILITY       always / sometimes / random / N/A (plain)
+        DESCRIPTION_B64       full bug description (base64; often the most
+                              important field — repro steps live here)
+        ADDITIONAL_INFO_B64   "Additional Information" custom field —
+                              FortiNAC bug reports usually put stack traces,
+                              env details, log snippets here. Decode + read.
+        NOTES_B64             all comments concatenated, with author + date
+                              headers ([author @ date]). Use to see what
+                              QA + reporter already discussed.
+        BUG_JSON_B64          escape hatch — the whole bug object as JSON
+                              (decoded, this has every field including
+                              history[] and _fields_raw if you need it).
+
+      ## Description (search_bugs-supplied, may be empty)
+      {{input.description}}
+
+      ## Attached Files
+      {{nodes.download-attachments.outputs.attach}}
+
+      Files (if any) were saved under \`.attachments/\` in this worktree.
+      List them with \`ls -la .attachments/\`. For images, USE THE READ
+      TOOL on the file — your vision can analyze screenshots / error
+      dialogs / network diagrams directly. For text-like attachments
+      (log snippets, .txt, .json, small .pcap text exports) just open
+      them. Files larger than 5 MB were skipped — if a critical one is
+      missing, mention it in your fix notes; don't try to re-fetch.
+
+      ## Extra context
+      {{input.extra_context}}
+
+      ## HARD RULES — read before tool use
+      - **Never call mcp__* tools.** Pipeline tasks do not have interactive
+        auth; any MCP call that needs SSO/TOTP (mantis_auth, gitlab, pmdb,
+        …) will hang and fail the pipeline. The bug context above is the
+        only Mantis data you get.
+      - If a field above is empty or truncated, **work with what is given**.
+        Do NOT try to fetch more from Mantis. The pipeline owns Mantis access
+        upstream — re-running mantis lookup here is wasted effort and breaks
+        the design contract (Job → Pipeline data flow).
+      - If you ABSOLUTELY need supplemental data from another Forge connector
+        (rare), use the Forge HTTP API instead of MCP. POST
+        http://127.0.0.1:8403/api/connector-tool with JSON body
+        {"plugin_id":"<plugin>","tool":"<tool>","input":{...}}
+
+      ## Steps
+      1. Read the bug carefully — identify the affected component.
+      2. Find the relevant file(s) via git grep + reading the code.
+      3. Implement a minimal fix.
+      4. Add tests if the codebase has a test suite.
+      5. Stage + commit with message: 'Fix Mantis #{{input.bug_id}}: <one-line>'.
+         **DO NOT add a "Co-Authored-By: Claude …" or "Generated with Claude
+         Code" trailer.** Plain commit message only — the MR is going into a
+         corporate repo and the AI co-authorship attribution is not wanted.
+
+      Do NOT push — the next pipeline node handles push + MR.
+    outputs:
+      - name: summary
+        extract: result
+      - name: diff
+        extract: git_diff
+  push-and-mr:
+    mode: shell
+    project: "{{input.project}}"
+    worktree: false
+    workdir: "{{nodes.worktree-setup.outputs.wt}}"
+    depends_on: [fix-code]
+    prompt: |
+      set -e
+      INFO=$'{{nodes.resolve.outputs.info}}'
+      eval "$(echo "$INFO" | grep -E '^[A-Za-z_][A-Za-z0-9_]*=' | sed 's/^/export /')"
+      # workdir already cd'd us into the mantis worktree. Derive BRANCH.
+      BRANCH=$(git symbolic-ref --short HEAD)
+      # Bail if Claude didn't actually commit anything
+      AHEAD=$(git rev-list --count "origin/$BASE..HEAD" 2>/dev/null || echo 0)
+      if [ "$AHEAD" -lt 1 ]; then
+        echo "NO_CHANGES — Claude did not commit; aborting MR creation"
+        echo "MR_URL="
+        exit 0
+      fi
+      git push -u origin "$BRANCH" --force-with-lease 2>&1
+      # Heredoc keeps Claude's summary intact (apostrophes, parens, $, …).
+      SUMMARY=$(cat <<'FORGE_SUMMARY_EOF'
+      {{nodes.fix-code.outputs.summary}}
+      FORGE_SUMMARY_EOF
+      )
+      # ALL pipeline-templated values must enter via \`$'…'\` ANSI-C quoting,
+      # NOT plain "…". The pipeline engine ANSI-C-escapes substituted values
+      # (\\n / \\t / \\' etc.); inside "…" bash treats those as literal text
+      # and the MR description ends up showing "\\n" instead of real
+      # newlines, breaking the markdown.
+      TITLE_TPL=$'{{input.mr_title_template}}'
+      [ -z "$TITLE_TPL" ] && TITLE_TPL="Fix Mantis #{bug_id}: {summary}"
+      BODY_TPL=$'{{input.mr_body_template}}'
+      [ -z "$BODY_TPL" ] && BODY_TPL="Auto-fix for Mantis bug #{bug_id}.
+
+      ## Summary
+      {summary}
+
+      ## Original description
+      {description}
+
+      ## Claude's fix notes
+      {claude_summary}
+
+      ## Files changed
+      {diff_stat}
+
+      _Opened by Forge mantis-bug-fix-and-mr pipeline._"
+      BUG_ID_VAR=$'{{input.bug_id}}'
+      SUMMARY_VAR=$'{{input.summary}}'
+      DESCRIPTION_VAR=$'{{input.description}}'
+      # Compact list of files touched. --stat gives "N files changed, X+/Y-"
+      # which is small but tells the reviewer what's in the MR at a glance.
+      DIFF_STAT=$(git diff --stat "origin/$BASE..HEAD" 2>/dev/null || echo "")
+      MR_TITLE=$(python3 - "$TITLE_TPL" "$BUG_ID_VAR" "$SUMMARY_VAR" <<'PY'
+      import sys
+      tpl, bug_id, summary = sys.argv[1], sys.argv[2], sys.argv[3]
+      print(tpl.replace('{bug_id}', bug_id).replace('{summary}', summary))
+      PY
+      )
+      MR_BODY=$(python3 - "$BODY_TPL" "$BUG_ID_VAR" "$SUMMARY_VAR" "$DESCRIPTION_VAR" "$SUMMARY" "$DIFF_STAT" <<'PY'
+      import sys
+      tpl, bug_id, summary, description, claude, diff_stat = sys.argv[1:7]
+      out = (tpl.replace('{bug_id}', bug_id)
+                .replace('{summary}', summary)
+                .replace('{description}', description)
+                .replace('{claude_summary}', claude)
+                .replace('{diff_stat}', diff_stat))
+      print(out)
+      PY
+      )
+      # Bug assignee → MR reviewer. Mantis assignee comes as "Jane Doe (jdoe)";
+      # extract the (username) and pass to glab. If parens absent or empty,
+      # skip the flag — glab errors on --reviewer "" .
+      ASSIGNEE_RAW=$'{{input.assignee}}'
+      REVIEWER_USERNAME=$(echo "$ASSIGNEE_RAW" | grep -oE '\\(([a-zA-Z0-9._-]+)\\)' | tail -1 | tr -d '()')
+      REVIEWER_FLAGS=()
+      if [ -n "$REVIEWER_USERNAME" ]; then
+        REVIEWER_FLAGS+=(--reviewer "$REVIEWER_USERNAME")
+        echo "Setting MR reviewer: $REVIEWER_USERNAME (from assignee '$ASSIGNEE_RAW')"
+      else
+        echo "No (username) found in assignee '$ASSIGNEE_RAW' — skipping --reviewer"
+      fi
+      # Capture glab output AND exit code so we can debug failures. Old
+      # pipeline that just grep'd for the URL ate everything if the
+      # regex didn't match — leaving MR_URL empty with no clue why
+      # (auth refresh needed, reviewer username wrong, MR already exists
+      # at a non-canonical URL, etc).
+      set +e
+      GLAB_OUT=$(glab mr create -R "$PROJECT_PATH" --target-branch "$BASE" --source-branch "$BRANCH" \\
+        --title "$MR_TITLE" --description "$MR_BODY" \\
+        "\${REVIEWER_FLAGS[@]}" \\
+        --yes 2>&1)
+      GLAB_RC=$?
+      set -e
+      # Surface glab's output to the task log (truncated) so a failed
+      # retry doesn't disappear into the void.
+      echo "--- glab mr create (rc=$GLAB_RC) ---"
+      echo "$GLAB_OUT" | head -50
+      echo "--- end glab output ---"
+
+      # Common, very actionable failure: corp GitLab revoked the glab
+      # token. Detect + give the exact command to fix instead of making
+      # the user dig through stack-trace-like output.
+      if echo "$GLAB_OUT" | grep -qE '401|invalid_token|Token was revoked|unauthorized'; then
+        HOST=$(echo "$PROJECT_PATH" | sed -E 's#^.+@?##; s#:.*##' || true)
+        REMOTE_HOST=$(git config --get remote.origin.url 2>/dev/null | sed -E 's#^(https?://)?(git@)?([^:/]+).*#\\3#')
+        echo "ERROR: glab token revoked / expired for \${REMOTE_HOST:-this GitLab server}." >&2
+        echo "Fix: glab auth login --hostname \${REMOTE_HOST:-<gitlab-host>}" >&2
+        echo "Then retry this node from the pipeline UI." >&2
+      fi
+
+      MR_URL=$(echo "$GLAB_OUT" | grep -oE 'https://[^[:space:]]+/-/merge_requests/[0-9]+' | head -1)
+
+      # If glab succeeded but we didn't parse a URL (output format
+      # variant), OR if the MR already existed (glab errors on conflict),
+      # fall back to looking up the MR by source branch.
+      if [ -z "$MR_URL" ]; then
+        echo "Fallback: looking up existing MR for branch $BRANCH"
+        MR_URL=$(glab mr view "$BRANCH" -R "$PROJECT_PATH" --output json 2>/dev/null | jq -r '.web_url // empty')
+        if [ -z "$MR_URL" ]; then
+          # Last resort: glab mr list with our source branch.
+          MR_URL=$(glab mr list -R "$PROJECT_PATH" --source-branch "$BRANCH" --output json 2>/dev/null \\
+            | jq -r '.[0].web_url // empty')
+        fi
+      fi
+
+      if [ -z "$MR_URL" ]; then
+        echo "ERROR: could not create OR find MR for $BRANCH. See glab output above." >&2
+        # Don't fail the node hard — push succeeded, the user can create
+        # the MR manually via the GitLab "create MR" hint in the push
+        # output. notify-teams will see empty MR_URL and skip.
+      fi
+
+      echo "MR_URL=$MR_URL"
+      echo "REVIEWER=$REVIEWER_USERNAME"
+    outputs:
+      - name: mr
+        extract: stdout
+  notify-teams:
+    mode: shell
+    project: "{{input.project}}"
+    worktree: false
+    depends_on: [push-and-mr]
+    prompt: |
+      set -e
+      MR_OUT=$'{{nodes.push-and-mr.outputs.mr}}'
+      eval "$(echo "$MR_OUT" | grep -E '^[A-Za-z_][A-Za-z0-9_]*=' | sed 's/^/export /')"
+      if [ -z "$MR_URL" ]; then
+        echo "SKIP — no MR URL (Claude likely made no changes)"
+        exit 0
+      fi
+      MSG_TPL="{{input.teams_message_template}}"
+      [ -z "$MSG_TPL" ] && MSG_TPL="🤖 Mantis #{bug_id} fixed — please review MR: {mr_url}"$'\\n'"Bug: {summary}"
+      # Forge exposes /api/connector-tool on loopback (no auth) — pipelines
+      # call connector tools through it. teams.send_message takes name (fuzzy
+      # match against any chat the user is in) + text.
+      send_to() {
+        local who="$1"
+        local role="$2"
+        if [ -z "$who" ]; then echo "SKIP — no $role name"; return 0; fi
+        # Render template + build JSON payload in one Python invocation so we
+        # never have to worry about shell quoting of summary / description /
+        # MR URL when they contain |, $, backticks, etc.
+        local payload
+        payload=$(python3 - "$MSG_TPL" "{{input.bug_id}}" "{{input.summary}}" "$role" "$MR_URL" "$who" <<'PY'
+      import json, sys
+      tpl, bug_id, summary, role, mr_url, who = sys.argv[1:7]
+      text = (tpl.replace('{bug_id}', bug_id)
+                 .replace('{summary}', summary)
+                 .replace('{role}', role)
+                 .replace('{mr_url}', mr_url))
+      print(json.dumps({'plugin_id': 'teams', 'tool': 'send_message',
+                        'input': {'name': who, 'text': text}}))
+      PY
+      )
+        echo "Sending to Teams chat '$who' ($role)…"
+        curl -sS -X POST http://127.0.0.1:8403/api/connector-tool \\
+          -H 'content-type: application/json' \\
+          --data-binary "$payload" \\
+          | jq .
+      }
+      send_to "{{input.assignee}}" "assignee"
+      send_to "{{input.reporter}}"  "reporter"
+      echo "DONE — MR: $MR_URL"
+    outputs:
+      - name: result
+        extract: stdout
+  cleanup:
+    mode: shell
+    project: "{{input.project}}"
+    worktree: false
+    depends_on: [notify-teams]
+    prompt: |
+      # Best-effort cleanup so the project working tree doesn't pile up
+      # one full checkout per fixed bug. Runs only after notify-teams
+      # succeeded — if anything upstream failed, the worktree is kept
+      # for inspection. The remote branch + MR still live on GitLab.
+      set +e
+      WORKTREE_DIR=$'{{nodes.worktree-setup.outputs.wt}}'
+      WORKTREE_DIR=$(echo "$WORKTREE_DIR" | head -1 | tr -d '[:space:]')
+      # Derive BRANCH from inside the worktree before we delete it.
+      BRANCH=$(git -C "$WORKTREE_DIR" symbolic-ref --short HEAD 2>/dev/null)
+      cd "$(git rev-parse --show-toplevel 2>/dev/null || echo .)"
+      ROOT=$(git rev-parse --show-toplevel 2>/dev/null)
+      [ -z "$ROOT" ] && { echo "SKIP — not in a git repo"; exit 0; }
+      # Paranoia — only clean under our .forge/worktrees/.
+      case "$WORKTREE_DIR" in
+        "$ROOT/.forge/worktrees/"*) : ;;
+        *) echo "SKIP — WORKTREE_DIR=$WORKTREE_DIR not under .forge/worktrees/"; exit 0 ;;
+      esac
+      echo "removing worktree $WORKTREE_DIR …"
+      git worktree remove --force "$WORKTREE_DIR" 2>&1 || rm -rf "$WORKTREE_DIR"
+      git worktree prune
+      # Drop the local branch too — remote copy is on GitLab + the MR.
+      [ -n "$BRANCH" ] && git branch -D "$BRANCH" 2>/dev/null && echo "deleted local branch $BRANCH"
+      echo "cleanup done"
+    outputs:
+      - name: result
+        extract: stdout
 `,
   'multi-agent-collaboration': `
 name: multi-agent-collaboration
@@ -439,6 +1033,7 @@ function parseWorkflow(raw: string): Workflow {
       agent: n.agent || undefined,
       branch: n.branch || undefined,
       worktree: n.worktree !== undefined ? n.worktree : undefined,
+      workdir: n.workdir || undefined,
       plugin: n.plugin || undefined,
       pluginAction: n.plugin_action || n.pluginAction || undefined,
       pluginParams: n.plugin_params || n.pluginParams || n.params || undefined,
@@ -511,24 +1106,102 @@ export function deletePipeline(id: string): boolean {
     if (existsSync(filePath)) {
       const { unlinkSync } = require('node:fs');
       unlinkSync(filePath);
+      __pipelineCache.delete(filePath);
       return true;
     }
   } catch {}
   return false;
 }
 
+// Parsed-pipeline cache keyed by absolute path → { mtime, pipeline }.
+// Pipeline files only change when a pipeline run advances (savePipeline) —
+// re-reading + JSON.parse on every list call was burning 1-3s with 200
+// runs accumulated (largest file 136KB, conversation history + node
+// outputs blow up). With this cache, subsequent listPipelines() calls
+// only re-parse files whose mtime changed since the last read.
+const __pipelineCache = new Map<string, { mtimeMs: number; pipeline: Pipeline }>();
+
 export function listPipelines(): Pipeline[] {
   ensureDir();
-  return readdirSync(PIPELINES_DIR)
-    .filter(f => f.endsWith('.json'))
-    .map(f => {
-      try {
-        return JSON.parse(readFileSync(join(PIPELINES_DIR, f), 'utf-8')) as Pipeline;
-      } catch {
-        return null;
+  const files = readdirSync(PIPELINES_DIR).filter(f => f.endsWith('.json'));
+  const out: Pipeline[] = [];
+  for (const f of files) {
+    const path = join(PIPELINES_DIR, f);
+    try {
+      const stat = statSync(path);
+      const cached = __pipelineCache.get(path);
+      if (cached && cached.mtimeMs === stat.mtimeMs) {
+        out.push(cached.pipeline);
+        continue;
       }
-    })
-    .filter(Boolean) as Pipeline[];
+      const pipeline = JSON.parse(readFileSync(path, 'utf-8')) as Pipeline;
+      __pipelineCache.set(path, { mtimeMs: stat.mtimeMs, pipeline });
+      out.push(pipeline);
+    } catch { /* skip unreadable */ }
+  }
+  return out;
+}
+
+/**
+ * Light summary for the pipeline LIST UI — strips the heavy fields
+ * (node outputs, conversation message bodies, errors). The full pipeline
+ * is fetched via GET /api/pipelines/:id when the user opens a specific
+ * run. Cuts /api/pipelines payload from ~1.6MB to <50KB with 200 runs.
+ */
+export interface PipelineSummary {
+  id: string;
+  workflowName: string;
+  status: Pipeline['status'];
+  type?: Pipeline['type'];
+  createdAt: string;
+  completedAt?: string;
+  nodeOrder: string[];
+  nodes: Record<string, { status: PipelineNodeState['status']; iterations?: number }>;
+  conversation?: { currentRound?: number; config?: { maxRounds?: number } };
+  input?: Record<string, string>;
+}
+
+export interface ListPipelinesOptions {
+  /** Newest-first limit. Defaults to 100. Hard ceiling 500 (the heavy
+   *  pipeline detail view fetches one run at a time anyway, so a
+   *  five-hundred-deep list covers every practical workflow grouping). */
+  limit?: number;
+  /** Filter to a single workflow. Combine with a higher limit when the
+   *  user expands one workflow and wants its full history. */
+  workflow?: string;
+  /** Cursor for "Load more" — return runs with createdAt < before. */
+  before?: string;
+}
+
+export function listPipelinesSummary(opts: ListPipelinesOptions = {}): PipelineSummary[] {
+  const limit = Math.min(Math.max(1, opts.limit ?? 100), 500);
+  // listPipelines already builds parsed objects (cached). Sort by
+  // createdAt desc, optionally filter, then slice. Avoids serializing the
+  // hundreds of older runs the UI never shows.
+  let all = listPipelines();
+  if (opts.workflow) {
+    const target = opts.workflow;
+    all = all.filter(p => p.workflowName === target);
+  }
+  all.sort((a, b) => b.createdAt.localeCompare(a.createdAt));
+  if (opts.before) all = all.filter(p => p.createdAt < opts.before!);
+  const slice = all.slice(0, limit);
+  return slice.map(p => ({
+    id: p.id,
+    workflowName: p.workflowName,
+    status: p.status,
+    type: p.type,
+    createdAt: p.createdAt,
+    completedAt: p.completedAt,
+    nodeOrder: p.nodeOrder,
+    nodes: Object.fromEntries(
+      Object.entries(p.nodes).map(([k, v]) => [k, { status: v.status, iterations: v.iterations }]),
+    ),
+    conversation: p.conversation
+      ? { currentRound: p.conversation.currentRound, config: { maxRounds: p.conversation.config?.maxRounds } }
+      : undefined,
+    input: p.input,
+  }));
 }
 
 // ─── Template Resolution ──────────────────────────────────
@@ -1135,6 +1808,80 @@ setInterval(recoverStuckPipelines, 30_000);
 // Also run once on load
 setTimeout(recoverStuckPipelines, 5000);
 
+/**
+ * Retry a single failed node. Cascades-reset to any downstream nodes that
+ * got marked 'skipped' (because this one failed) so they re-run too. The
+ * pipeline flips back to 'running' if it had completed as failed.
+ *
+ * Use case: pipeline failed at push-and-mr because of a shell quoting bug;
+ * fix-code already produced a valid commit in the worktree. Retry push-and-mr
+ * without re-running the 15-minute fix-code.
+ *
+ * Returns { ok, error? }. Validation:
+ *   - node must exist + be in failed status
+ *   - all of the node's *dependencies* must be 'done' (we don't retry into
+ *     a broken upstream — fix the upstream first)
+ */
+export async function retryNode(pipelineId: string, nodeId: string): Promise<{ ok: boolean; error?: string }> {
+  const pipeline = getPipeline(pipelineId);
+  if (!pipeline) return { ok: false, error: 'pipeline not found' };
+
+  const nodeState = pipeline.nodes[nodeId];
+  if (!nodeState) return { ok: false, error: `node '${nodeId}' is not in this pipeline` };
+  if (nodeState.status !== 'failed') {
+    return { ok: false, error: `node is in status '${nodeState.status}' — only failed nodes can be retried` };
+  }
+
+  const workflow = getWorkflow(pipeline.workflowName);
+  if (!workflow) return { ok: false, error: `workflow '${pipeline.workflowName}' not found` };
+
+  const nodeDef = workflow.nodes[nodeId];
+  if (!nodeDef) return { ok: false, error: `node '${nodeId}' is not in workflow definition` };
+
+  for (const dep of nodeDef.dependsOn) {
+    const depState = pipeline.nodes[dep];
+    if (!depState || depState.status !== 'done') {
+      return { ok: false, error: `dependency '${dep}' is in status '${depState?.status || 'missing'}' — retry upstream first` };
+    }
+  }
+
+  // BFS downstream — any node whose chain of dependencies reaches `nodeId`
+  // needs to be reset too (it likely got marked 'skipped' when this failed).
+  const toReset = new Set<string>([nodeId]);
+  let added = true;
+  while (added) {
+    added = false;
+    for (const [otherId, otherDef] of Object.entries(workflow.nodes)) {
+      if (toReset.has(otherId)) continue;
+      if (otherDef.dependsOn.some(d => toReset.has(d))) {
+        toReset.add(otherId);
+        added = true;
+      }
+    }
+  }
+
+  for (const rid of toReset) {
+    const s = pipeline.nodes[rid];
+    if (!s) continue;
+    s.status = 'pending';
+    s.error = undefined;
+    s.taskId = undefined;
+    s.startedAt = undefined;
+    s.completedAt = undefined;
+    s.outputs = {};
+    // Don't reset s.iterations — keep monotonic so retries show up in history.
+  }
+
+  if (pipeline.status === 'failed' || pipeline.status === 'done') {
+    pipeline.status = 'running';
+    pipeline.completedAt = undefined;
+  }
+
+  savePipeline(pipeline);
+  await scheduleReadyNodes(pipeline, workflow);
+  return { ok: true };
+}
+
 export function cancelPipeline(id: string): boolean {
   const pipeline = getPipeline(id);
   if (!pipeline || pipeline.status !== 'running') return false;
@@ -1243,6 +1990,32 @@ async function scheduleReadyNodes(pipeline: Pipeline, workflow: Workflow) {
       console.warn(`[pipeline] Worktree creation failed, falling back to project dir: ${e.message}`);
     }
 
+    // Explicit workdir override — wins over auto-worktree. Use case:
+    // worktree-setup emits a path on stdout; downstream nodes (fix-code,
+    // push-and-mr) declare workdir: "{{nodes.worktree-setup.outputs.wt}}"
+    // to actually execute inside that worktree instead of the auto one.
+    // Before this support existed, the YAML's workdir was silently ignored
+    // and Claude wrote its changes into the wrong tree.
+    if (nodeDef.workdir) {
+      const resolved = resolveTemplate(nodeDef.workdir, ctx).trim();
+      // Reject empties + multi-line strings — those are signs of malformed
+      // upstream output (e.g. accidentally including KEY=value lines).
+      if (resolved && !resolved.includes('\n')) {
+        try {
+          const { statSync } = require('node:fs');
+          if (statSync(resolved).isDirectory()) {
+            effectivePath = resolved;
+          } else {
+            console.warn(`[pipeline] workdir resolved to non-directory '${resolved}', keeping ${effectivePath}`);
+          }
+        } catch (e: any) {
+          console.warn(`[pipeline] workdir '${resolved}' not accessible (${e.code || e.message}), keeping ${effectivePath}`);
+        }
+      } else if (resolved) {
+        console.warn(`[pipeline] workdir resolved to a multi-line value — ignoring (upstream likely emitted KEY=value pairs instead of a clean path)`);
+      }
+    }
+
     // ── Plugin mode: execute plugin action directly ──
     if (nodeDef.mode === 'plugin' && nodeDef.plugin) {
       nodeState.status = 'running';
@@ -1306,6 +2079,13 @@ async function scheduleReadyNodes(pipeline: Pipeline, workflow: Workflow) {
       prompt: effectivePrompt,
       mode: taskMode as any,
       agent: nodeDef.agent || undefined,
+      // Pipeline nodes always start a fresh Claude session. Without this,
+      // createTask falls back to getProjectConversationId() which returns
+      // the project's last interactive session id — but pipeline nodes
+      // often run in a per-node worktree where that session file doesn't
+      // exist, producing 'No conversation found with session ID ...' on
+      // first execution.
+      conversationId: '',
     });
     pipelineTaskIds.add(task.id);
     // Pipeline tasks use the same model selection as normal tasks: