@aion0/forge 0.8.0 → 0.8.2

package/lib/pipeline.ts

@@ -9,7 +9,7 @@ import { randomUUID } from 'node:crypto';
 import { existsSync, readdirSync, readFileSync, writeFileSync, mkdirSync, statSync } from 'node:fs';
 import { join } from 'node:path';
 import YAML from 'yaml';
-import { createTask, getTask, onTaskEvent, taskModelOverrides } from './task-manager';
+import { createTask, getTask, onTaskEvent, taskModelOverrides, taskAppendSystemPromptOverrides } from './task-manager';
 import { getProjectInfo } from './projects';
 import { loadSettings } from './settings';
 import { getAgent, listAgents } from './agents';
@@ -114,6 +114,13 @@ export interface Pipeline {
   nodeOrder: string[];  // for UI display
   createdAt: string;
   completedAt?: string;
+  /**
+   * Skill names from the forge-skills registry to make available to
+   * every task this pipeline spawns. Composed into the task's
+   * --append-system-prompt. Carried in pipeline state so retries +
+   * recovery use the same set as the original run.
+   */
+  skills?: string[];
   // Conversation mode state
   conversation?: {
     config: ConversationConfig;
@@ -687,6 +694,22 @@ nodes:
       print(out)
       PY
       )
+      # Force glab to use the Forge-managed GitLab PAT. Forge injects
+      # GITLAB_TOKEN from the gitlab connector's config; without
+      # rewriting it here, glab can stick to its stale per-host token
+      # in ~/.config/glab-cli/config.yml and 401 with "Token was
+      # revoked" — even when the env is set. glab auth login --token
+      # is idempotent and writes the right host config in 100 ms.
+      if [ -n "$GITLAB_TOKEN" ]; then
+        REMOTE_HOST_FOR_AUTH=$(git -C "$PROJECT_PATH" config --get remote.origin.url 2>/dev/null \\
+          | sed -E 's#^(https?://)?(git@)?([^:/]+).*#\\3#')
+        if [ -n "$REMOTE_HOST_FOR_AUTH" ]; then
+          echo "Refreshing glab auth for $REMOTE_HOST_FOR_AUTH from Forge connector token"
+          echo "$GITLAB_TOKEN" | glab auth login --hostname "$REMOTE_HOST_FOR_AUTH" --token-stdin >/dev/null 2>&1 || \\
+            echo "(glab auth login refresh failed — falling through; will likely 401)" >&2
+        fi
+      fi
+
       # Bug assignee → MR reviewer. Mantis assignee comes as "Jane Doe (jdoe)";
       # extract the (username) and pass to glab. If parens absent or empty,
       # skip the flag — glab errors on --reviewer "" .
@@ -717,15 +740,17 @@ nodes:
       echo "$GLAB_OUT" | head -50
       echo "--- end glab output ---"
 
-      # Common, very actionable failure: corp GitLab revoked the glab
-      # token. Detect + give the exact command to fix instead of making
-      # the user dig through stack-trace-like output.
+      # Common, very actionable failure: corp GitLab revoked the
+      # token. Forge already pushes the connector PAT here via
+      # GITLAB_TOKEN + a glab auth login --token-stdin refresh
+      # earlier in this step, so the only way to land here is if the
+      # connector PAT itself is wrong/revoked. Point the user at
+      # Settings, not at glab auth login.
       if echo "$GLAB_OUT" | grep -qE '401|invalid_token|Token was revoked|unauthorized'; then
-        HOST=$(echo "$PROJECT_PATH" | sed -E 's#^.+@?##; s#:.*##' || true)
         REMOTE_HOST=$(git config --get remote.origin.url 2>/dev/null | sed -E 's#^(https?://)?(git@)?([^:/]+).*#\\3#')
-        echo "ERROR: glab token revoked / expired for \${REMOTE_HOST:-this GitLab server}." >&2
-        echo "Fix: glab auth login --hostname \${REMOTE_HOST:-<gitlab-host>}" >&2
-        echo "Then retry this node from the pipeline UI." >&2
+        echo "ERROR: GitLab rejected the token for \${REMOTE_HOST:-this GitLab server}." >&2
+        echo "Fix: open Forge → Settings → Skills → Connectors tab → GitLab, paste a fresh Personal Access Token, click Save + Test." >&2
+        echo "Then retry this node from the pipeline UI — Forge will push the new token to glab automatically." >&2
       fi
 
       MR_URL=$(echo "$GLAB_OUT" | grep -oE 'https://[^[:space:]]+/-/merge_requests/[0-9]+' | head -1)
@@ -1273,7 +1298,25 @@ function releaseProjectLock(projectPath: string, pipelineId: string) {
 
 // ─── Pipeline Execution ───────────────────────────────────
 
-export function startPipeline(workflowName: string, input: Record<string, string>): Pipeline {
+/**
+ * Render the skills list into an --append-system-prompt block. Empty
+ * input → empty string (caller passes undefined to skip the flag).
+ */
+function renderSkillsAppendPrompt(skills: string[] | undefined): string {
+  if (!skills || skills.length === 0) return '';
+  const lines = skills.map((s) => `  /${s}`).join('\n');
+  return [
+    'For this task, the following Forge skills are available and should be used as appropriate:',
+    lines,
+    "Read each skill's SKILL.md before invoking. Prefer invoking these skills (with /<name>) over reimplementing their workflows inline.",
+  ].join('\n');
+}
+
+export function startPipeline(
+  workflowName: string,
+  input: Record<string, string>,
+  opts: { skills?: string[] } = {},
+): Pipeline {
   const workflow = getWorkflow(workflowName);
   if (!workflow) throw new Error(`Workflow not found: ${workflowName}`);
 
@@ -1303,6 +1346,7 @@ export function startPipeline(workflowName: string, input: Record<string, string
     nodes,
     nodeOrder,
     createdAt: new Date().toISOString(),
+    skills: opts.skills && opts.skills.length ? [...opts.skills] : undefined,
   };
 
   savePipeline(pipeline);
@@ -1407,6 +1451,10 @@ function scheduleNextConversationTurn(pipeline: Pipeline, contextForAgent: strin
     conversationId: '', // fresh session — no resume for conversation mode
   });
   pipelineTaskIds.add(task.id);
+  {
+    const skillsAppend = renderSkillsAppendPrompt(pipeline.skills);
+    if (skillsAppend) taskAppendSystemPromptOverrides.set(task.id, skillsAppend);
+  }
 
   // Add pending message
   const names = agentNames || resolveAgentNames(config.agents);
@@ -1803,10 +1851,60 @@ function recoverStuckPipelines() {
   }
 }
 
+/**
+ * One-shot at startup: cancel tasks that pipeline nodes think are
+ * still running. When forge dies (crash, restart, kill -9) the task
+ * row in SQLite is left as `running` even though the child process
+ * is long gone, so the existing periodic recoverStuckPipelines just
+ * sees `task.status === 'running'` and waits forever. This pass
+ * marks those tasks as cancelled, letting the next recovery tick
+ * transition the node to `failed` — at which point the user can
+ * hit Retry from the pipeline UI.
+ *
+ * Safe because by definition any forge child task from before the
+ * boot is dead: when the parent went down, the OS reaped its
+ * subtree. No race with legitimately-running tasks — the very first
+ * forge worker boot is the only moment this needs to fire.
+ */
+let reapedOrphans = false;
+function reapOrphanedPipelineTasks() {
+  if (reapedOrphans) return;
+  reapedOrphans = true;
+  try {
+    const pipelines = listPipelines().filter(p => p.status === 'running');
+    let reaped = 0;
+    for (const pipeline of pipelines) {
+      for (const node of Object.values(pipeline.nodes)) {
+        if (node.status === 'running' && node.taskId) {
+          const t = getTask(node.taskId);
+          if (t && t.status === 'running') {
+            try {
+              const { cancelTask } = require('./task-manager');
+              cancelTask(node.taskId);
+              reaped += 1;
+            } catch (err) {
+              console.warn(`[pipeline] reap orphan: cancelTask(${node.taskId}) threw:`, err);
+            }
+          }
+        }
+      }
+    }
+    if (reaped > 0) {
+      console.log(`[pipeline] reaped ${reaped} orphaned task(s) left running from a previous boot`);
+    }
+  } catch (err) {
+    console.warn('[pipeline] reapOrphanedPipelineTasks failed:', err);
+  }
+}
+
+// One-shot orphan reap on boot, then standard recovery loop.
+setTimeout(() => {
+  reapOrphanedPipelineTasks();
+  recoverStuckPipelines();
+}, 5000);
+
 // Run recovery every 30 seconds
 setInterval(recoverStuckPipelines, 30_000);
-// Also run once on load
-setTimeout(recoverStuckPipelines, 5000);
 
 /**
  * Retry a single failed node. Cascades-reset to any downstream nodes that
@@ -1828,8 +1926,23 @@ export async function retryNode(pipelineId: string, nodeId: string): Promise<{ o
 
   const nodeState = pipeline.nodes[nodeId];
   if (!nodeState) return { ok: false, error: `node '${nodeId}' is not in this pipeline` };
-  if (nodeState.status !== 'failed') {
-    return { ok: false, error: `node is in status '${nodeState.status}' — only failed nodes can be retried` };
+  // Allow retry on 'failed' OR 'running'. Running covers the
+  // forge-restart-orphaned case: the node thinks it's executing but
+  // the underlying task is dead. Anything else (pending/done/skipped)
+  // is a misclick.
+  if (nodeState.status !== 'failed' && nodeState.status !== 'running') {
+    return { ok: false, error: `node is in status '${nodeState.status}' — only failed or running nodes can be retried` };
+  }
+
+  // If the node is "running", best-effort terminate the underlying task
+  // so it doesn't keep occupying the project lock / project slot.
+  if (nodeState.status === 'running' && nodeState.taskId) {
+    try {
+      const { cancelTask } = require('./task-manager');
+      cancelTask(nodeState.taskId);
+    } catch (err) {
+      console.warn(`[pipeline] retryNode: cancelTask(${nodeState.taskId}) threw:`, err);
+    }
   }
 
   const workflow = getWorkflow(pipeline.workflowName);
@@ -2088,6 +2201,15 @@ async function scheduleReadyNodes(pipeline: Pipeline, workflow: Workflow) {
       conversationId: '',
     });
     pipelineTaskIds.add(task.id);
+
+    // Skills from the pipeline (forwarded from a job's `skills`) become
+    // an --append-system-prompt on the task's claude invocation. We
+    // attach the override BEFORE the task runner picks the task up so
+    // the first attempt sees it.
+    const skillsAppend = renderSkillsAppendPrompt(pipeline.skills);
+    if (skillsAppend) {
+      taskAppendSystemPromptOverrides.set(task.id, skillsAppend);
+    }
     // Pipeline tasks use the same model selection as normal tasks:
     // agent model > global taskModel. No separate pipelineModel override.
 

package/lib/plugins/registry.ts

@@ -14,7 +14,7 @@ import { join, dirname } from 'node:path';
 import { homedir } from 'node:os';
 import { fileURLToPath } from 'node:url';
 import YAML from 'yaml';
-import type { PluginDefinition, InstalledPlugin, PluginSource, Connector } from './types';
+import type { PluginDefinition, InstalledPlugin, PluginSource } from './types';
 import { encryptSecret, decryptSecret, isEncrypted } from '../crypto';
 
 const _filename = typeof __filename !== 'undefined' ? __filename : fileURLToPath(import.meta.url);
@@ -33,62 +33,29 @@ function loadPluginYaml(filePath: string): PluginDefinition | null {
     const raw = readFileSync(filePath, 'utf-8');
     const def = YAML.parse(raw) as PluginDefinition;
     if (!def.id || !def.name) return null;
-    // Connector plugins don't need `actions` (tools execute in the extension).
-    // Everything else must declare at least one action.
-    const isConnector = def.category === 'connector';
-    if (!isConnector && !def.actions) return null;
-    if (isConnector && !def.tools && !def.connectors?.length) return null;
-    // Defaults
+    if (!def.actions) return null;
     if (!def.config) def.config = {};
     if (!def.params) def.params = {};
-    if (!def.actions) def.actions = {};
     if (!def.icon) def.icon = '🔌';
     if (!def.version) def.version = '0.0.1';
-    if (!def.category) def.category = isConnectorByShape(def) ? 'connector' : 'pipeline-node';
-    if (!def.mode) def.mode = def.category === 'connector' ? 'browser-side' : 'server-side';
+    if (!def.category) def.category = 'pipeline-node';
+    if (!def.mode) def.mode = 'server-side';
     return def;
   } catch {
     return null;
   }
 }
 
-/** Heuristic: shape-detect a connector even if `category` is omitted. */
-function isConnectorByShape(def: PluginDefinition): boolean {
-  return Boolean(def.tools || def.connectors?.length);
-}
-
-/**
- * Normalize a plugin to its connector list.
- * - 1:1 shape (top-level `tools`) → synthesizes a single Connector with id === plugin id.
- * - 1:N shape (`connectors[]`) → returned as-is.
- * - Non-connector plugins → returns [].
- */
-export function getConnectorsForPlugin(def: PluginDefinition): Connector[] {
-  if (def.connectors?.length) return def.connectors;
-  if (def.tools) {
-    return [{
-      id: def.id,
-      host_permissions: def.host_permissions,
-      tools: def.tools,
-      settings: def.settings,
-      host_match: def.host_match,
-      login_redirect: def.login_redirect,
-      runner: def.runner,
-    }];
-  }
-  return [];
-}
-
 // ─── Config Storage ──────────────────────────────────────
 
 /**
- * Return field names declared as `type: secret` (or legacy `password`)
- * for the given plugin definition's top-level settings. Used to decide
- * which config fields are encrypted on disk.
+ * Return field names declared as `type: secret` on the plugin's
+ * top-level `config` schema. Used to decide which fields are
+ * encrypted on disk.
  */
 export function getSecretFieldNames(def: PluginDefinition | null): string[] {
-  if (!def?.settings) return [];
-  return Object.entries(def.settings)
+  if (!def?.config) return [];
+  return Object.entries(def.config)
     .filter(([, schema]) => {
       const t = String((schema as any)?.type || '');
       return t === 'secret' || t === 'password';

package/lib/plugins/types.ts

@@ -9,18 +9,12 @@
 /** Plugin action execution type */
 export type PluginActionType = 'http' | 'poll' | 'shell' | 'script';
 
-/** What kind of plugin this is — drives marketplace filtering + extension surfacing */
-export type PluginCategory = 'connector' | 'pipeline-node' | 'mcp-server' | 'tool' | 'other';
+/** What kind of plugin this is — drives marketplace filtering. */
+export type PluginCategory = 'pipeline-node' | 'mcp-server' | 'tool' | 'other';
 
 /** Where a plugin's tools execute. Default is server-side (Forge node process). */
 export type PluginMode = 'server-side' | 'browser-side' | 'hybrid';
 
-/**
- * Which execution context the Forge browser extension uses to run a
- * connector's scripts. See PluginDefinition.runner for the full rationale.
- */
-export type PluginRunner = 'main' | 'isolated';
-
 /** Schema field definition for config/params */
 export interface PluginFieldSchema {
   type: 'string' | 'number' | 'boolean' | 'secret' | 'json' | 'select';
@@ -59,106 +53,6 @@ export interface PluginAction {
   output?: Record<string, string>;  // { fieldName: "$.json.path" or "$body" or "$stdout" }
 }
 
-/**
- * Where the extension's generic runner should land the active tab before
- * executing a tool's script.
- */
-export interface ConnectorPage {
-  /** Template URL; supports {base_url}, {settings.*}, {args.*}. */
-  url: string;
-  /**
-   * Substring; if the current tab URL already contains it, skip navigation.
-   * Templated values are expanded the same way as `url` (settings server-side,
-   * args at runtime). Omit to always navigate.
-   */
-  on_target?: string;
-}
-
-/**
- * A tool a browser-side connector exposes to the extension's LLM.
- *
- * The script body runs in the user's tab via chrome.scripting.executeScript
- * (page context, has document/fetch/etc, no chrome.* APIs). The extension is
- * a generic runner — it doesn't know about Mantis or GitLab specifically.
- * Adding a new connector means dropping a manifest with `page` + `script`
- * per tool; no extension rebuild required.
- *
- * See docs/Connector-DeclarativeExtract-Spec.md.
- */
-export interface ConnectorTool {
-  description: string;
-  parameters?: Record<string, PluginFieldSchema>;
-  /** Requires user confirmation before invoking (e.g. add_comment, close_issue). */
-  destructive?: boolean;
-  /** Free-form description of the return shape — surfaced to the LLM. */
-  returns?: string;
-  /** Where to navigate before running the script. */
-  page?: ConnectorPage;
-  /**
-   * JavaScript function body. Receives `args` (the LLM's parsed parameters).
-   * Returns a JSON-serializable value. Runs in the user's tab — must be
-   * self-contained (no closures over Forge/extension code).
-   */
-  script?: string;
-
-  // ─── Phase 3: multi-protocol tools (server-side execution) ──
-  /**
-   * Where the tool runs. Default 'browser' (extension runner via bridge).
-   *   'browser' — page DOM script via chrome.scripting (legacy default)
-   *   'http'    — Forge issues an HTTP request server-side
-   *   'shell'   — Forge spawns a process (arg array, no shell:true)
-   */
-  protocol?: 'browser' | 'http' | 'shell';
-  /** http protocol: request shape. Templates {base_url}, {settings.*}, {args.*}. */
-  request?: HttpRequestSpec;
-  /** shell protocol: command + args (each templated independently — no shell injection). */
-  command?: string[];
-  /** shell protocol: working directory (templated). */
-  cwd?: string;
-  /** shell protocol: extra env vars (values templated). */
-  env?: Record<string, string>;
-  /** shell/http: timeout in milliseconds. Default 30000, max 300000. */
-  timeout_ms?: number;
-}
-
-export interface HttpRequestSpec {
-  method?: 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE' | 'HEAD';
-  /** Full URL. Templated. */
-  url: string;
-  /** Header values are templated. */
-  headers?: Record<string, string>;
-  /** Query params. Values templated. Appended after any existing ? on url. */
-  query?: Record<string, string>;
-  /** Body. If string: sent as-is (after templating). If object: JSON.stringify'd; values templated where strings. */
-  body?: string | Record<string, unknown>;
-}
-
-/**
- * One connector inside a plugin. Most plugins are 1:1 with a single connector
- * declared via top-level `tools`/`host_permissions`/`settings` fields on
- * PluginDefinition. Use `connectors[]` only when one auth covers multiple
- * sibling adapters (Atlassian, Google Workspace, M365).
- */
-export interface Connector {
-  id: string;
-  host_permissions?: string[];
-  tools: Record<string, ConnectorTool>;
-  /** Per-user settings (host URL, default project, etc.) — rendered as a form by the extension. */
-  settings?: Record<string, PluginFieldSchema>;
-  /**
-   * Chrome match pattern. Runner uses this to find/open authenticated tabs
-   * for this connector. Supports {base_url}, {settings.*}.
-   */
-  host_match?: string;
-  /**
-   * Substring. If the tab URL contains this after a navigation, treat as
-   * "user not logged in" and abort with loginRequired: true.
-   */
-  login_redirect?: string;
-  /** See PluginDefinition.runner. */
-  runner?: PluginRunner;
-}
-
 /** Plugin definition (loaded from plugin.yaml) */
 export interface PluginDefinition {
   id: string;
@@ -168,21 +62,12 @@ export interface PluginDefinition {
   author?: string;
   description?: string;
 
-  /** Classifies the plugin for marketplace + extension filtering. */
+  /** Classifies the plugin for marketplace filtering. */
   category?: PluginCategory;
 
-  /** Where this plugin's tools execute. Connector plugins are usually `browser-side`. */
+  /** Where this plugin's tools execute. */
   mode?: PluginMode;
 
-  /**
-   * Which extension execution context runs this connector's scripts.
-   * Default `main` for back-compat (Mantis, GitLab — permissive-CSP sites).
-   * Use `isolated` for sites with strict CSP that blocks `unsafe-eval`
-   * (Teams, github.com, banks). Per-plugin, not per-tool — a host has
-   * one CSP profile.
-   */
-  runner?: PluginRunner;
-
   /** Global config — set once when installing the plugin */
   config: Record<string, PluginFieldSchema>;
 
@@ -194,16 +79,6 @@ export interface PluginDefinition {
 
   /** Default action to run if none specified */
   defaultAction?: string;
-
-  // ─── Connector fields (category === 'connector') ─────────────────────────
-  /** 1:1 sugar — when present, treated as a single connector with id === plugin id. */
-  host_permissions?: string[];
-  tools?: Record<string, ConnectorTool>;
-  settings?: Record<string, PluginFieldSchema>;
-  host_match?: string;
-  login_redirect?: string;
-  /** 1:N escape hatch — only for same-vendor suites with shared auth. */
-  connectors?: Connector[];
 }
 
 /** Installed plugin instance (definition + user config values) */

package/lib/settings.ts

@@ -65,6 +65,12 @@ export interface Settings {
   manageClaudeConfig: boolean;
   notificationRetentionDays: number;
   skillsRepoUrl: string;
+  /**
+   * Remote registry for connector manifests. Points to the raw-content
+   * URL of a forge-connectors-style repo. Setting empty disables sync
+   * (offline only). Default: `aiwatching/forge-connectors`.
+   */
+  connectorsRepoUrl: string;
   displayName: string;
   displayEmail: string;
   favoriteProjects: string[];
@@ -119,6 +125,7 @@ const defaults: Settings = {
   manageClaudeConfig: true,
   notificationRetentionDays: 30,
   skillsRepoUrl: 'https://raw.githubusercontent.com/aiwatching/forge-skills/main',
+  connectorsRepoUrl: 'https://raw.githubusercontent.com/aiwatching/forge-connectors/main',
   displayName: 'Forge',
   displayEmail: '',
   favoriteProjects: [],

package/lib/skills.ts

@@ -27,6 +27,8 @@ interface SkillItem {
   installedVersion: string;
   hasUpdate: boolean;
   deletedRemotely: boolean;
+  /** 'registry' (synced from forge-skills) or 'local' (uploaded). */
+  source: 'registry' | 'local';
 }
 
 function db() {
@@ -118,9 +120,13 @@ export async function syncSkills(): Promise<{ synced: number; enriched: number;
     tx();
 
     // Step 3: Handle items no longer in registry
+    // Skip 'local'-source rows entirely — they were uploaded by the
+    // user via /api/skills/install-local and have no upstream
+    // counterpart, so absence from registry.json is expected.
     const registryNames = new Set(rawItems.map((s: any) => s.name));
-    const dbItems = db().prepare('SELECT name, installed_global, installed_projects FROM skills').all() as any[];
+    const dbItems = db().prepare('SELECT name, installed_global, installed_projects, source FROM skills').all() as any[];
     for (const row of dbItems) {
+      if (row.source === 'local') continue;
       if (!registryNames.has(row.name)) {
         const hasLocal = !!row.installed_global || JSON.parse(row.installed_projects || '[]').length > 0;
         if (hasLocal) {
@@ -218,6 +224,7 @@ export function listSkills(): SkillItem[] {
       installedVersion,
       hasUpdate: isInstalled && !!registryVersion && !!installedVersion && compareVersions(registryVersion, installedVersion) > 0,
       deletedRemotely: !!r.deleted_remotely,
+      source: r.source === 'local' ? 'local' : 'registry',
     };
   });
 }
@@ -299,6 +306,25 @@ export async function installGlobal(name: string): Promise<void> {
     .run(skill.version || '', name);
 }
 
+/**
+ * Idempotent: if the skill is already installed for projectPath (or
+ * globally) and the on-disk version matches the registry, do nothing.
+ * Otherwise pull a fresh copy into the project. Used by job dispatch
+ * to guarantee that any skill named in `job.skills` is reachable to
+ * the spawned task — no friction "install this first" prompt.
+ */
+export async function ensureInstalledInProject(name: string, projectPath: string): Promise<{ installed: boolean; reason: string }> {
+  const skill = db().prepare('SELECT * FROM skills WHERE name = ?').get(name) as any;
+  if (!skill) return { installed: false, reason: 'skill not found in registry' };
+  const existing = (() => { try { return JSON.parse(skill.installed_projects || '[]') as string[]; } catch { return [] as string[]; } })();
+  const upToDate = (skill.installed_version || '') === (skill.version || '');
+  if (existing.includes(projectPath) && upToDate) {
+    return { installed: true, reason: 'already installed at version ' + skill.version };
+  }
+  await installProject(name, projectPath);
+  return { installed: true, reason: existing.includes(projectPath) ? 'updated to ' + skill.version : 'installed' };
+}
+
 export async function installProject(name: string, projectPath: string): Promise<void> {
   const skill = db().prepare('SELECT * FROM skills WHERE name = ?').get(name) as any;
   if (!skill) throw new Error(`Skill "${name}" not found`);

package/lib/task-manager.ts

@@ -44,6 +44,14 @@ function db() {
 // Per-task model overrides (used by pipeline to set pipelineModel)
 export const taskModelOverrides = new Map<string, string>();
 
+/**
+ * Per-task append-system-prompt overrides. Used by Forge job/pipeline
+ * to point the agent at specific skills for this run. Keyed by task
+ * id; lives in-process (re-applied via the pipeline state on restart
+ * since we re-create the task there).
+ */
+export const taskAppendSystemPromptOverrides = new Map<string, string>();
+
 // ─── CRUD ────────────────────────────────────────────────────
 
 export function createTask(opts: {
@@ -351,6 +359,50 @@ async function processNextTask() {
   }
 }
 
+/**
+ * Surface installed-connector PATs as env vars to shell tasks. Lets
+ * pipeline shell steps (push-and-mr, gh-issue-fix, ...) use the same
+ * credential the user typed into Settings → Connectors instead of
+ * relying on `glab auth login` / `gh auth login` having been run
+ * separately (and not revoked).
+ *
+ * Only well-known connectors map to env vars. Token never leaves the
+ * server — the bash child inherits the env directly.
+ */
+function connectorEnv(): Record<string, string> {
+  try {
+    const { getInstalledConnector } = require('./connectors/registry');
+    const out: Record<string, string> = {};
+    const gitlab = getInstalledConnector('gitlab');
+    if (gitlab?.enabled) {
+      const tok = typeof gitlab.config?.token === 'string' ? gitlab.config.token.trim() : '';
+      if (tok) {
+        // glab CLI honours GITLAB_TOKEN; HTTP libs honour CI_JOB_TOKEN-style names too,
+        // but GITLAB_TOKEN covers glab + most curl-based scripts in our pipelines.
+        out.GITLAB_TOKEN = tok;
+        if (typeof gitlab.config?.base_url === 'string' && gitlab.config.base_url) {
+          // glab uses GITLAB_URI for the API host on self-hosted instances.
+          try {
+            const u = new URL(String(gitlab.config.base_url));
+            out.GITLAB_URI = u.origin;
+          } catch {}
+        }
+      }
+    }
+    const gh = getInstalledConnector('github-api');
+    if (gh?.enabled) {
+      const tok = typeof gh.config?.token === 'string' ? gh.config.token.trim() : '';
+      if (tok) {
+        out.GITHUB_TOKEN = tok;
+        out.GH_TOKEN = tok; // gh CLI honours either; set both for safety.
+      }
+    }
+    return out;
+  } catch {
+    return {};
+  }
+}
+
 function executeShellTask(task: Task): Promise<void> {
   return new Promise((resolve) => {
     updateTaskStatus(task.id, 'running');
@@ -365,7 +417,11 @@ function executeShellTask(task: Task): Promise<void> {
     const shell = process.env.SHELL && process.env.SHELL.endsWith('bash') ? process.env.SHELL : '/bin/bash';
     const child = spawn(shell, ['-c', task.prompt], {
       cwd: task.projectPath,
-      env: { ...process.env, PATH: process.env.PATH || '/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin' },
+      env: {
+        ...process.env,
+        PATH: process.env.PATH || '/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin',
+        ...connectorEnv(),
+      },
       stdio: ['ignore', 'pipe', 'pipe'],
     });
 
@@ -433,9 +489,13 @@ function executeTask(task: Task): Promise<void> {
       conversationId: task.conversationId || undefined,
       skipPermissions: true,
       outputFormat: adapter.config.capabilities?.supportsStreamJson ? 'stream-json' : undefined,
+      appendSystemPrompt: taskAppendSystemPromptOverrides.get(task.id),
     });
 
-    const env = { ...process.env, ...(spawnOpts.env || {}) };
+    // Surface connector PATs (GITLAB_TOKEN, GITHUB_TOKEN, …) so the
+    // child's Bash invocations (claude's Bash tool, gh/glab shells)
+    // pick them up automatically. Same logic as executeShellTask.
+    const env = { ...process.env, ...connectorEnv(), ...(spawnOpts.env || {}) };
     delete env.CLAUDECODE;
 
     updateTaskStatus(task.id, 'running');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@aion0/forge",
-  "version": "0.8.0",
+  "version": "0.8.2",
   "description": "Unified AI workflow platform — multi-model task orchestration, persistent sessions, web terminal, remote access",
   "type": "module",
   "scripts": {
@@ -34,12 +34,14 @@
     "@anthropic-ai/sdk": "^0.96.0",
     "@auth/core": "^0.34.3",
     "@modelcontextprotocol/sdk": "^1.28.0",
+    "@types/adm-zip": "^0.5.8",
     "@xterm/addon-fit": "^0.11.0",
     "@xterm/addon-search": "^0.16.0",
     "@xterm/addon-unicode11": "^0.9.0",
     "@xterm/addon-webgl": "^0.19.0",
     "@xterm/xterm": "^6.0.0",
     "@xyflow/react": "^12.10.1",
+    "adm-zip": "^0.5.17",
     "ai": "^6.0.116",
     "better-sqlite3": "^12.6.2",
     "esbuild": "^0.27.3",