@aion0/forge 0.8.4 → 0.8.6

package/lib/pipeline.ts

@@ -252,615 +252,6 @@ nodes:
     outputs:
       - name: result
         extract: stdout
-`,
-  'mantis-bug-fix-and-mr': `
-name: mantis-bug-fix-and-mr
-description: "Fetch Mantis bug context → worktree → fix code via headless Claude → push branch → open GitLab MR via glab CLI → notify assignee + reporter on Teams."
-input:
-  bug_id: "Mantis bug id (number)"
-  project: "Forge project name"
-  base_branch: "Target branch the MR will be opened against (e.g. release/25.4). Required — set in the Job's input_template from the bug's product_version or target_branch field."
-  summary: "Bug summary (one line)"
-  description: "Full bug description (free text)"
-  priority: "Bug priority (optional)"
-  category: "Bug category (optional)"
-  reporter: "Mantis reporter username — used to notify them on Teams"
-  assignee: "Mantis assignee username — used to notify them on Teams"
-  extra_context: "Extra hints for Claude (optional)"
-  mr_title_template: "MR title template. Vars: {bug_id} {summary}. Default: 'Fix Mantis #{bug_id}: {summary}'"
-  mr_body_template: "MR body. Vars: {bug_id} {summary} {description} {claude_summary}. Default closes-reference + Claude summary."
-  teams_message_template: "Teams DM template. Vars: {bug_id} {summary} {mr_url} {role}. Default: '🤖 Mantis #{bug_id} fixed — review MR: {mr_url}'"
-nodes:
-  resolve:
-    mode: shell
-    project: "{{input.project}}"
-    worktree: false
-    prompt: |
-      set -e
-      cd "$(git rev-parse --show-toplevel)"
-      command -v glab >/dev/null || { echo "ERROR: glab CLI not installed. brew install glab && glab auth login" >&2; exit 1; }
-      BUG_ID="{{input.bug_id}}"
-      BASE="{{input.base_branch}}"
-      [ -z "$BUG_ID" ] && { echo "ERROR: bug_id is required" >&2; exit 1; }
-      [ -z "$BASE" ] && { echo "ERROR: base_branch is required (set via Job input_template)" >&2; exit 1; }
-      REMOTE=$(git remote get-url origin)
-      RAW=$(echo "$REMOTE" | sed -E 's#^(https?://[^/]+/|git@[^:]+:)##; s#\\.git$##')
-      HOST=$(echo "$REMOTE" | sed -E 's#^https?://##; s#git@##; s#[:/].*##')
-      PROJECT_PATH="$RAW"
-      echo "HOST=$HOST"
-      echo "PROJECT_PATH=$PROJECT_PATH"
-      echo "BUG_ID=$BUG_ID"
-      echo "BASE=$BASE"
-      git fetch origin "$BASE" --quiet 2>/dev/null || true
-    outputs:
-      - name: info
-        extract: stdout
-  worktree-setup:
-    mode: shell
-    project: "{{input.project}}"
-    worktree: false
-    depends_on: [resolve]
-    prompt: |
-      set -e
-      INFO=$'{{nodes.resolve.outputs.info}}'
-      eval "$(echo "$INFO" | grep -E '^[A-Za-z_][A-Za-z0-9_]*=' | sed 's/^/export /')"
-      # worktree: false above keeps us in the project root, so this is fine.
-      # Falls back to FORGE_PROJECT_ROOT just in case auto-worktree gets
-      # re-enabled in the future.
-      ROOT="\${FORGE_PROJECT_ROOT:-$(git rev-parse --show-toplevel)}"
-      cd "$ROOT"
-      WORKTREE_DIR="$ROOT/.forge/worktrees/mantis-$BUG_ID"
-      BRANCH="fix/mantis-\${BUG_ID}"
-
-      # ALL the noisy git operations route to stderr — downstream nodes
-      # consume \`wt\` via \`eval "$(echo … | grep -E '^[A-Za-z_][A-Za-z0-9_]*=' | sed 's/^/export /')"\` inside
-      # \`$'…'\` quoting. ANY apostrophe / paren / space-ID-paren in the
-      # captured stdout (e.g. "Deleted branch fix/X (was abc1234).",
-      # "Preparing worktree (resetting branch 'X')") breaks bash with
-      # "syntax error near unexpected token '('".
-      {
-        # 1. Remove the on-disk worktree for THIS bug (idempotent).
-        if [ -d "$WORKTREE_DIR" ]; then
-          git worktree remove --force "$WORKTREE_DIR" 2>/dev/null || rm -rf "$WORKTREE_DIR"
-        fi
-        # 2. Drop stale worktree registrations + any other worktree pinning
-        #    our branch. Without (3), "fatal: <branch> already used by
-        #    worktree at <path>" can fire on the next add.
-        git worktree prune
-        git worktree list --porcelain | awk -v b="refs/heads/$BRANCH" '
-          /^worktree /{w=$2}
-          $0=="branch "b{print w}
-        ' | while read w; do
-          [ -n "$w" ] && git worktree remove --force "$w" 2>/dev/null || true
-        done
-        git branch -D "$BRANCH" 2>/dev/null || true
-        mkdir -p "$ROOT/.forge/worktrees"
-        # -B (capital) = create-or-reset; --force lets us reuse an existing dir.
-        git worktree add --force -B "$BRANCH" "$WORKTREE_DIR" "origin/$BASE"
-      } 1>&2
-
-      # IMPORTANT: emit ONLY the worktree path on stdout — nothing else.
-      # fix-code uses \`workdir: {{nodes.worktree-setup.outputs.wt}}\` and the
-      # task runner needs a clean path. If we echo'd "WORKTREE=…\\nBRANCH=…"
-      # the multi-line string became an invalid workdir → Claude silently
-      # ran in the pipeline's parent worktree, made its changes there, and
-      # nothing showed up in the inner branch when push-and-mr cd'd in.
-      # Downstream nodes get the branch by asking git from inside the
-      # worktree (git symbolic-ref --short HEAD) — no out-of-band passing.
-      echo "$WORKTREE_DIR"
-    outputs:
-      - name: wt
-        extract: stdout
-  fetch-bug-details:
-    mode: shell
-    project: "{{input.project}}"
-    worktree: false
-    depends_on: [resolve]
-    prompt: |
-      # Pull the FULL mantis bug — summary, description, additional_information,
-      # reproducibility, all notes with author/date, history — via Forge's
-      # loopback connector-tool endpoint. search_bugs (when used as the Job
-      # source) only returns list-page columns; this node fills the gap so
-      # fix-code has every field it could possibly want.
-      set -e
-      INFO=$'{{nodes.resolve.outputs.info}}'
-      eval "$(echo "$INFO" | grep -E '^[A-Za-z_][A-Za-z0-9_]*=' | sed 's/^/export /')"
-      PAYLOAD="{\\"plugin_id\\":\\"mantis\\",\\"tool\\":\\"get_bug\\",\\"input\\":{\\"id\\":$BUG_ID}}"
-      RESP=$(curl -sS -X POST http://127.0.0.1:8403/api/connector-tool \\
-        -H 'content-type: application/json' --data "$PAYLOAD")
-      IS_ERR=$(echo "$RESP" | jq -r '.is_error // false')
-      if [ "$IS_ERR" = "true" ]; then
-        echo "WARN: mantis.get_bug failed: $(echo "$RESP" | jq -r '.content // .error // "(unknown)"' | head -c 300)" >&2
-        echo "BUG_ID=$BUG_ID"
-        echo "BUG_JSON_B64="
-        echo "SUMMARY="
-        echo "CATEGORY="
-        echo "DESCRIPTION_B64="
-        echo "ADDITIONAL_INFO_B64="
-        echo "NOTES_B64="
-        exit 0
-      fi
-      # .content is itself a JSON string (the bug object); decode once.
-      BUG=$(echo "$RESP" | jq -r '.content' | jq -c '.')
-
-      # Whole bug as base64 — gives fix-code an escape hatch to read any
-      # field we didn't bother to enumerate (history, _fields_raw, etc).
-      BUG_JSON_B64=$(echo -n "$BUG" | base64 | tr -d '\\n')
-
-      # Convenience extracts. Multi-line fields (description, notes,
-      # additional_information) → base64'd so newlines / quotes / shell
-      # metachars survive transport. Single-line stays plain for the
-      # KEY=value eval pattern downstream nodes already use.
-      SUMMARY=$(echo "$BUG" | jq -r '.summary // ""' | head -c 500 | tr -d '\\n')
-      CAT=$(echo "$BUG" | jq -r '.category // ""' | tr -d '\\n')
-      REPRO=$(echo "$BUG" | jq -r '.reproducibility // ""' | tr -d '\\n')
-      DESC_B64=$(echo "$BUG" | jq -r '.description // ""' | base64 | tr -d '\\n')
-      ADDL_B64=$(echo "$BUG" | jq -r '.additional_information // ""' | base64 | tr -d '\\n')
-      # Notes with author + date + body, separated by ─── for readability.
-      NOTES_B64=$(echo "$BUG" | jq -r '[.notes[]? | "[\\(.author // "?") @ \\(.date // "?")]\\n\\(.body // "")"] | join("\\n\\n─────────────\\n\\n")' 2>/dev/null | base64 | tr -d '\\n')
-
-      echo "BUG_ID=$BUG_ID"
-      echo "SUMMARY=$SUMMARY"
-      echo "CATEGORY=$CAT"
-      echo "REPRODUCIBILITY=$REPRO"
-      echo "DESCRIPTION_B64=$DESC_B64"
-      echo "ADDITIONAL_INFO_B64=$ADDL_B64"
-      echo "NOTES_B64=$NOTES_B64"
-      echo "BUG_JSON_B64=$BUG_JSON_B64"
-
-      # ── Human-readable preview to stderr ──
-      # Goes into the task log so the user can see what we actually got
-      # from Mantis without having to manually base64 -d. Truncated at
-      # 800 chars per field to keep the log tractable. Stdout above keeps
-      # the clean KEY=value pairs downstream nodes parse.
-      DESC_PLAIN=$(echo "$BUG" | jq -r '.description // ""')
-      ADDL_PLAIN=$(echo "$BUG" | jq -r '.additional_information // ""')
-      NOTES_COUNT=$(echo "$BUG" | jq -r '.notes | length // 0')
-      NOTES_FIRST=$(echo "$BUG" | jq -r '.notes[0]? | "[\\(.author // "?") @ \\(.date // "?")] \\(.body // "")"' 2>/dev/null | head -c 400)
-      NOTES_LAST=$(echo "$BUG" | jq -r '.notes[-1]? | "[\\(.author // "?") @ \\(.date // "?")] \\(.body // "")"' 2>/dev/null | head -c 400)
-      DESC_LEN=$(printf %s "$DESC_PLAIN" | wc -c | tr -d ' ')
-      ADDL_LEN=$(printf %s "$ADDL_PLAIN" | wc -c | tr -d ' ')
-      {
-        echo ""
-        echo "─── fetch-bug-details — what we got from Mantis #$BUG_ID ───"
-        echo "Summary:        $SUMMARY"
-        echo "Category:       $CAT"
-        echo "Reproducibility:$REPRO"
-        echo ""
-        echo "Description (\${DESC_LEN} chars, showing first 800):"
-        printf %s "$DESC_PLAIN" | head -c 800
-        [ "$DESC_LEN" -gt 800 ] && echo "… [truncated]"
-        echo ""
-        echo ""
-        echo "Additional Information (\${ADDL_LEN} chars, showing first 800):"
-        printf %s "$ADDL_PLAIN" | head -c 800
-        [ "$ADDL_LEN" -gt 800 ] && echo "… [truncated]"
-        echo ""
-        echo ""
-        echo "Notes: $NOTES_COUNT total"
-        if [ "$NOTES_COUNT" -gt 0 ]; then
-          echo "  First: $NOTES_FIRST"
-          [ "$NOTES_COUNT" -gt 1 ] && echo "  Last:  $NOTES_LAST"
-        fi
-        echo "──────────────────────────────────────────────────────"
-      } >&2
-    outputs:
-      - name: details
-        extract: stdout
-  download-attachments:
-    mode: shell
-    project: "{{input.project}}"
-    worktree: false
-    depends_on: [resolve, worktree-setup]
-    prompt: |
-      # Download all Attached Files from the Mantis bug into the worktree's
-      # .attachments/ directory so fix-code (Claude with vision) can read
-      # screenshots, logs, and any other supporting material. Skips files
-      # larger than 5 MB (see download_attachment's max_size_bytes default).
-      set -e
-      INFO=$'{{nodes.resolve.outputs.info}}'
-      eval "$(echo "$INFO" | grep -E '^[A-Za-z_][A-Za-z0-9_]*=' | sed 's/^/export /')"
-      WORKTREE_DIR=$'{{nodes.worktree-setup.outputs.wt}}'
-      WORKTREE_DIR=$(echo "$WORKTREE_DIR" | head -1 | tr -d '[:space:]')
-      ATTACH_DIR="$WORKTREE_DIR/.attachments"
-      mkdir -p "$ATTACH_DIR"
-
-      # 1. List attachments.
-      LIST=$(curl -sS -X POST http://127.0.0.1:8403/api/connector-tool \\
-        -H 'content-type: application/json' \\
-        --data "{\\"plugin_id\\":\\"mantis\\",\\"tool\\":\\"list_attachments\\",\\"input\\":{\\"id\\":$BUG_ID,\\"bug_id\\":$BUG_ID}}" )
-      IS_ERR=$(echo "$LIST" | jq -r '.is_error // false')
-      if [ "$IS_ERR" = "true" ]; then
-        echo "ATTACH_COUNT=0"
-        echo "ATTACH_DIR=$ATTACH_DIR"
-        echo "WARN: list_attachments failed: $(echo "$LIST" | jq -r '.content' | head -c 200)" >&2
-        exit 0
-      fi
-      ATTACHMENTS=$(echo "$LIST" | jq -r '.content' | jq -c '.attachments // []')
-      TOTAL=$(echo "$ATTACHMENTS" | jq 'length')
-      echo "Found $TOTAL attachment(s) on bug $BUG_ID"
-
-      COUNT=0
-      SKIPPED=0
-      # 2. Iterate + download each. jq stream the ids/filenames.
-      echo "$ATTACHMENTS" | jq -c '.[]' | while read -r ATT; do
-        FID=$(echo "$ATT" | jq -r '.file_id')
-        FN=$(echo "$ATT" | jq -r '.filename')
-        SZ=$(echo "$ATT" | jq -r '.size')
-        # Sanitize filename to avoid path traversal.
-        SAFE=$(echo "$FN" | tr -d '\\\\/:*?"<>|' | head -c 200)
-        [ -z "$SAFE" ] && SAFE="file-$FID"
-        echo "  → $SAFE ($SZ bytes)"
-        RESP=$(curl -sS -X POST http://127.0.0.1:8403/api/connector-tool \\
-          -H 'content-type: application/json' \\
-          --data "{\\"plugin_id\\":\\"mantis\\",\\"tool\\":\\"download_attachment\\",\\"input\\":{\\"file_id\\":$FID}}")
-        if [ "$(echo "$RESP" | jq -r '.is_error // false')" = "true" ]; then
-          echo "    WARN: download failed for $SAFE" >&2
-          continue
-        fi
-        BODY=$(echo "$RESP" | jq -r '.content')
-        SKIP=$(echo "$BODY" | jq -r '.skipped // false')
-        if [ "$SKIP" = "true" ]; then
-          REASON=$(echo "$BODY" | jq -r '.reason // ""')
-          echo "    SKIPPED $SAFE — $REASON" >&2
-          SKIPPED=$((SKIPPED+1))
-          continue
-        fi
-        B64=$(echo "$BODY" | jq -r '.content_b64')
-        [ -z "$B64" ] && { echo "    WARN: empty content_b64 for $SAFE" >&2; continue; }
-        echo "$B64" | base64 -d > "$ATTACH_DIR/$SAFE"
-        COUNT=$((COUNT+1))
-      done
-
-      echo "ATTACH_COUNT=$COUNT"
-      echo "ATTACH_SKIPPED=$SKIPPED"
-      echo "ATTACH_DIR=$ATTACH_DIR"
-
-      # Human-readable directory listing into stderr so the log shows
-      # what's actually on disk for the next node.
-      {
-        echo ""
-        echo "─── download-attachments — files in $ATTACH_DIR ───"
-        if [ -d "$ATTACH_DIR" ] && [ -n "$(ls -A "$ATTACH_DIR" 2>/dev/null)" ]; then
-          ls -lhS "$ATTACH_DIR" 2>/dev/null | tail -n +2
-        else
-          echo "(no files)"
-        fi
-        echo "──────────────────────────────────────────────────────"
-      } >&2
-    outputs:
-      - name: attach
-        extract: stdout
-  fix-code:
-    project: "{{input.project}}"
-    worktree: false
-    depends_on: [worktree-setup, fetch-bug-details, download-attachments]
-    workdir: "{{nodes.worktree-setup.outputs.wt}}"
-    prompt: |
-      A Mantis bug needs to be fixed in this worktree (already checked out
-      from the target base branch). You are running headless — make the fix
-      yourself, stage + commit.
-
-      ## Bug
-      ID: {{input.bug_id}}
-      Priority: {{input.priority}}
-      Category (from get_bug, full): see DETAILS below
-      Assignee: {{input.assignee}}
-      Reporter: {{input.reporter}}
-
-      ## Summary
-      {{input.summary}}
-
-      ## Full bug details (fetched via mantis.get_bug)
-      The fetch-bug-details node ran \`mantis.get_bug\` and exported these
-      key=value lines. _B64 fields are base64-encoded multi-line strings:
-
-      {{nodes.fetch-bug-details.outputs.details}}
-
-      Decode any _B64 field with:
-        \`echo "<value>" | base64 -d\`
-
-      Available fields (READ ALL of them before deciding on a fix):
-        SUMMARY               one-line title (plain)
-        CATEGORY              Mantis category (plain)
-        REPRODUCIBILITY       always / sometimes / random / N/A (plain)
-        DESCRIPTION_B64       full bug description (base64; often the most
-                              important field — repro steps live here)
-        ADDITIONAL_INFO_B64   "Additional Information" custom field —
-                              often holds stack traces, env details, log
-                              snippets. Decode + read.
-        NOTES_B64             all comments concatenated, with author + date
-                              headers ([author @ date]). Use to see what
-                              QA + reporter already discussed.
-        BUG_JSON_B64          escape hatch — the whole bug object as JSON
-                              (decoded, this has every field including
-                              history[] and _fields_raw if you need it).
-
-      ## Description (search_bugs-supplied, may be empty)
-      {{input.description}}
-
-      ## Attached Files
-      {{nodes.download-attachments.outputs.attach}}
-
-      Files (if any) were saved under \`.attachments/\` in this worktree.
-      List them with \`ls -la .attachments/\`. For images, USE THE READ
-      TOOL on the file — your vision can analyze screenshots / error
-      dialogs / network diagrams directly. For text-like attachments
-      (log snippets, .txt, .json, small .pcap text exports) just open
-      them. Files larger than 5 MB were skipped — if a critical one is
-      missing, mention it in your fix notes; don't try to re-fetch.
-
-      ## Extra context
-      {{input.extra_context}}
-
-      ## HARD RULES — read before tool use
-      - **Never call mcp__* tools.** Pipeline tasks do not have interactive
-        auth; any MCP call that needs SSO/TOTP (mantis_auth, gitlab, pmdb,
-        …) will hang and fail the pipeline. The bug context above is the
-        only Mantis data you get.
-      - If a field above is empty or truncated, **work with what is given**.
-        Do NOT try to fetch more from Mantis. The pipeline owns Mantis access
-        upstream — re-running mantis lookup here is wasted effort and breaks
-        the design contract (Job → Pipeline data flow).
-      - If you ABSOLUTELY need supplemental data from another Forge connector
-        (rare), use the Forge HTTP API instead of MCP. POST
-        http://127.0.0.1:8403/api/connector-tool with JSON body
-        {"plugin_id":"<plugin>","tool":"<tool>","input":{...}}
-
-      ## Steps
-      1. Read the bug carefully — identify the affected component.
-      2. Find the relevant file(s) via git grep + reading the code.
-      3. Implement a minimal fix.
-      4. Add tests if the codebase has a test suite.
-      5. Stage + commit with message: 'Fix Mantis #{{input.bug_id}}: <one-line>'.
-         **DO NOT add a "Co-Authored-By: Claude …" or "Generated with Claude
-         Code" trailer.** Plain commit message only — the MR is going into a
-         corporate repo and the AI co-authorship attribution is not wanted.
-
-      Do NOT push — the next pipeline node handles push + MR.
-    outputs:
-      - name: summary
-        extract: result
-      - name: diff
-        extract: git_diff
-  push-and-mr:
-    mode: shell
-    project: "{{input.project}}"
-    worktree: false
-    workdir: "{{nodes.worktree-setup.outputs.wt}}"
-    depends_on: [fix-code]
-    prompt: |
-      set -e
-      INFO=$'{{nodes.resolve.outputs.info}}'
-      eval "$(echo "$INFO" | grep -E '^[A-Za-z_][A-Za-z0-9_]*=' | sed 's/^/export /')"
-      # workdir already cd'd us into the mantis worktree. Derive BRANCH.
-      BRANCH=$(git symbolic-ref --short HEAD)
-      # Bail if Claude didn't actually commit anything
-      AHEAD=$(git rev-list --count "origin/$BASE..HEAD" 2>/dev/null || echo 0)
-      if [ "$AHEAD" -lt 1 ]; then
-        echo "NO_CHANGES — Claude did not commit; aborting MR creation"
-        echo "MR_URL="
-        exit 0
-      fi
-      git push -u origin "$BRANCH" --force-with-lease 2>&1
-      # Heredoc keeps Claude's summary intact (apostrophes, parens, $, …).
-      SUMMARY=$(cat <<'FORGE_SUMMARY_EOF'
-      {{nodes.fix-code.outputs.summary}}
-      FORGE_SUMMARY_EOF
-      )
-      # ALL pipeline-templated values must enter via \`$'…'\` ANSI-C quoting,
-      # NOT plain "…". The pipeline engine ANSI-C-escapes substituted values
-      # (\\n / \\t / \\' etc.); inside "…" bash treats those as literal text
-      # and the MR description ends up showing "\\n" instead of real
-      # newlines, breaking the markdown.
-      TITLE_TPL=$'{{input.mr_title_template}}'
-      [ -z "$TITLE_TPL" ] && TITLE_TPL="Fix Mantis #{bug_id}: {summary}"
-      BODY_TPL=$'{{input.mr_body_template}}'
-      [ -z "$BODY_TPL" ] && BODY_TPL="Auto-fix for Mantis bug #{bug_id}.
-
-      ## Summary
-      {summary}
-
-      ## Original description
-      {description}
-
-      ## Claude's fix notes
-      {claude_summary}
-
-      ## Files changed
-      {diff_stat}
-
-      _Opened by Forge mantis-bug-fix-and-mr pipeline._"
-      BUG_ID_VAR=$'{{input.bug_id}}'
-      SUMMARY_VAR=$'{{input.summary}}'
-      DESCRIPTION_VAR=$'{{input.description}}'
-      # Compact list of files touched. --stat gives "N files changed, X+/Y-"
-      # which is small but tells the reviewer what's in the MR at a glance.
-      DIFF_STAT=$(git diff --stat "origin/$BASE..HEAD" 2>/dev/null || echo "")
-      MR_TITLE=$(python3 - "$TITLE_TPL" "$BUG_ID_VAR" "$SUMMARY_VAR" <<'PY'
-      import sys
-      tpl, bug_id, summary = sys.argv[1], sys.argv[2], sys.argv[3]
-      print(tpl.replace('{bug_id}', bug_id).replace('{summary}', summary))
-      PY
-      )
-      MR_BODY=$(python3 - "$BODY_TPL" "$BUG_ID_VAR" "$SUMMARY_VAR" "$DESCRIPTION_VAR" "$SUMMARY" "$DIFF_STAT" <<'PY'
-      import sys
-      tpl, bug_id, summary, description, claude, diff_stat = sys.argv[1:7]
-      out = (tpl.replace('{bug_id}', bug_id)
-                .replace('{summary}', summary)
-                .replace('{description}', description)
-                .replace('{claude_summary}', claude)
-                .replace('{diff_stat}', diff_stat))
-      print(out)
-      PY
-      )
-      # Force glab to use the Forge-managed GitLab PAT. Forge injects
-      # GITLAB_TOKEN from the gitlab connector's config; without
-      # rewriting it here, glab can stick to its stale per-host token
-      # in ~/.config/glab-cli/config.yml and 401 with "Token was
-      # revoked" — even when the env is set. glab auth login --token
-      # is idempotent and writes the right host config in 100 ms.
-      if [ -n "$GITLAB_TOKEN" ]; then
-        REMOTE_HOST_FOR_AUTH=$(git -C "$PROJECT_PATH" config --get remote.origin.url 2>/dev/null \\
-          | sed -E 's#^(https?://)?(git@)?([^:/]+).*#\\3#')
-        if [ -n "$REMOTE_HOST_FOR_AUTH" ]; then
-          echo "Refreshing glab auth for $REMOTE_HOST_FOR_AUTH from Forge connector token"
-          echo "$GITLAB_TOKEN" | glab auth login --hostname "$REMOTE_HOST_FOR_AUTH" --token-stdin >/dev/null 2>&1 || \\
-            echo "(glab auth login refresh failed — falling through; will likely 401)" >&2
-        fi
-      fi
-
-      # Bug assignee → MR reviewer. Mantis assignee comes as "Jane Doe (jdoe)";
-      # extract the (username) and pass to glab. If parens absent or empty,
-      # skip the flag — glab errors on --reviewer "" .
-      ASSIGNEE_RAW=$'{{input.assignee}}'
-      REVIEWER_USERNAME=$(echo "$ASSIGNEE_RAW" | grep -oE '\\(([a-zA-Z0-9._-]+)\\)' | tail -1 | tr -d '()')
-      REVIEWER_FLAGS=()
-      if [ -n "$REVIEWER_USERNAME" ]; then
-        REVIEWER_FLAGS+=(--reviewer "$REVIEWER_USERNAME")
-        echo "Setting MR reviewer: $REVIEWER_USERNAME (from assignee '$ASSIGNEE_RAW')"
-      else
-        echo "No (username) found in assignee '$ASSIGNEE_RAW' — skipping --reviewer"
-      fi
-      # Capture glab output AND exit code so we can debug failures. Old
-      # pipeline that just grep'd for the URL ate everything if the
-      # regex didn't match — leaving MR_URL empty with no clue why
-      # (auth refresh needed, reviewer username wrong, MR already exists
-      # at a non-canonical URL, etc).
-      set +e
-      GLAB_OUT=$(glab mr create -R "$PROJECT_PATH" --target-branch "$BASE" --source-branch "$BRANCH" \\
-        --title "$MR_TITLE" --description "$MR_BODY" \\
-        "\${REVIEWER_FLAGS[@]}" \\
-        --yes 2>&1)
-      GLAB_RC=$?
-      set -e
-      # Surface glab's output to the task log (truncated) so a failed
-      # retry doesn't disappear into the void.
-      echo "--- glab mr create (rc=$GLAB_RC) ---"
-      echo "$GLAB_OUT" | head -50
-      echo "--- end glab output ---"
-
-      # Common, very actionable failure: corp GitLab revoked the
-      # token. Forge already pushes the connector PAT here via
-      # GITLAB_TOKEN + a glab auth login --token-stdin refresh
-      # earlier in this step, so the only way to land here is if the
-      # connector PAT itself is wrong/revoked. Point the user at
-      # Settings, not at glab auth login.
-      if echo "$GLAB_OUT" | grep -qE '401|invalid_token|Token was revoked|unauthorized'; then
-        REMOTE_HOST=$(git config --get remote.origin.url 2>/dev/null | sed -E 's#^(https?://)?(git@)?([^:/]+).*#\\3#')
-        echo "ERROR: GitLab rejected the token for \${REMOTE_HOST:-this GitLab server}." >&2
-        echo "Fix: open Forge → Settings → Skills → Connectors tab → GitLab, paste a fresh Personal Access Token, click Save + Test." >&2
-        echo "Then retry this node from the pipeline UI — Forge will push the new token to glab automatically." >&2
-      fi
-
-      MR_URL=$(echo "$GLAB_OUT" | grep -oE 'https://[^[:space:]]+/-/merge_requests/[0-9]+' | head -1)
-
-      # If glab succeeded but we didn't parse a URL (output format
-      # variant), OR if the MR already existed (glab errors on conflict),
-      # fall back to looking up the MR by source branch.
-      if [ -z "$MR_URL" ]; then
-        echo "Fallback: looking up existing MR for branch $BRANCH"
-        MR_URL=$(glab mr view "$BRANCH" -R "$PROJECT_PATH" --output json 2>/dev/null | jq -r '.web_url // empty')
-        if [ -z "$MR_URL" ]; then
-          # Last resort: glab mr list with our source branch.
-          MR_URL=$(glab mr list -R "$PROJECT_PATH" --source-branch "$BRANCH" --output json 2>/dev/null \\
-            | jq -r '.[0].web_url // empty')
-        fi
-      fi
-
-      if [ -z "$MR_URL" ]; then
-        echo "ERROR: could not create OR find MR for $BRANCH. See glab output above." >&2
-        # Don't fail the node hard — push succeeded, the user can create
-        # the MR manually via the GitLab "create MR" hint in the push
-        # output. notify-teams will see empty MR_URL and skip.
-      fi
-
-      echo "MR_URL=$MR_URL"
-      echo "REVIEWER=$REVIEWER_USERNAME"
-    outputs:
-      - name: mr
-        extract: stdout
-  notify-teams:
-    mode: shell
-    project: "{{input.project}}"
-    worktree: false
-    depends_on: [push-and-mr]
-    prompt: |
-      set -e
-      MR_OUT=$'{{nodes.push-and-mr.outputs.mr}}'
-      eval "$(echo "$MR_OUT" | grep -E '^[A-Za-z_][A-Za-z0-9_]*=' | sed 's/^/export /')"
-      if [ -z "$MR_URL" ]; then
-        echo "SKIP — no MR URL (Claude likely made no changes)"
-        exit 0
-      fi
-      MSG_TPL="{{input.teams_message_template}}"
-      [ -z "$MSG_TPL" ] && MSG_TPL="🤖 Mantis #{bug_id} fixed — please review MR: {mr_url}"$'\\n'"Bug: {summary}"
-      # Forge exposes /api/connector-tool on loopback (no auth) — pipelines
-      # call connector tools through it. teams.send_message takes name (fuzzy
-      # match against any chat the user is in) + text.
-      send_to() {
-        local who="$1"
-        local role="$2"
-        if [ -z "$who" ]; then echo "SKIP — no $role name"; return 0; fi
-        # Render template + build JSON payload in one Python invocation so we
-        # never have to worry about shell quoting of summary / description /
-        # MR URL when they contain |, $, backticks, etc.
-        local payload
-        payload=$(python3 - "$MSG_TPL" "{{input.bug_id}}" "{{input.summary}}" "$role" "$MR_URL" "$who" <<'PY'
-      import json, sys
-      tpl, bug_id, summary, role, mr_url, who = sys.argv[1:7]
-      text = (tpl.replace('{bug_id}', bug_id)
-                 .replace('{summary}', summary)
-                 .replace('{role}', role)
-                 .replace('{mr_url}', mr_url))
-      print(json.dumps({'plugin_id': 'teams', 'tool': 'send_message',
-                        'input': {'name': who, 'text': text}}))
-      PY
-      )
-        echo "Sending to Teams chat '$who' ($role)…"
-        curl -sS -X POST http://127.0.0.1:8403/api/connector-tool \\
-          -H 'content-type: application/json' \\
-          --data-binary "$payload" \\
-          | jq .
-      }
-      send_to "{{input.assignee}}" "assignee"
-      send_to "{{input.reporter}}"  "reporter"
-      echo "DONE — MR: $MR_URL"
-    outputs:
-      - name: result
-        extract: stdout
-  cleanup:
-    mode: shell
-    project: "{{input.project}}"
-    worktree: false
-    depends_on: [notify-teams]
-    prompt: |
-      # Best-effort cleanup so the project working tree doesn't pile up
-      # one full checkout per fixed bug. Runs only after notify-teams
-      # succeeded — if anything upstream failed, the worktree is kept
-      # for inspection. The remote branch + MR still live on GitLab.
-      set +e
-      WORKTREE_DIR=$'{{nodes.worktree-setup.outputs.wt}}'
-      WORKTREE_DIR=$(echo "$WORKTREE_DIR" | head -1 | tr -d '[:space:]')
-      # Derive BRANCH from inside the worktree before we delete it.
-      BRANCH=$(git -C "$WORKTREE_DIR" symbolic-ref --short HEAD 2>/dev/null)
-      cd "$(git rev-parse --show-toplevel 2>/dev/null || echo .)"
-      ROOT=$(git rev-parse --show-toplevel 2>/dev/null)
-      [ -z "$ROOT" ] && { echo "SKIP — not in a git repo"; exit 0; }
-      # Paranoia — only clean under our .forge/worktrees/.
-      case "$WORKTREE_DIR" in
-        "$ROOT/.forge/worktrees/"*) : ;;
-        *) echo "SKIP — WORKTREE_DIR=$WORKTREE_DIR not under .forge/worktrees/"; exit 0 ;;
-      esac
-      echo "removing worktree $WORKTREE_DIR …"
-      git worktree remove --force "$WORKTREE_DIR" 2>&1 || rm -rf "$WORKTREE_DIR"
-      git worktree prune
-      # Drop the local branch too — remote copy is on GitLab + the MR.
-      [ -n "$BRANCH" ] && git branch -D "$BRANCH" 2>/dev/null && echo "deleted local branch $BRANCH"
-      echo "cleanup done"
-    outputs:
-      - name: result
-        extract: stdout
 `,
   'multi-agent-collaboration': `
 name: multi-agent-collaboration
@@ -2070,7 +1461,11 @@ async function scheduleReadyNodes(pipeline: Pipeline, workflow: Workflow) {
     // Shell steps receive env vars: FORGE_WORKTREE, FORGE_WORKTREE_BRANCH, FORGE_PROJECT_ROOT.
     // Set worktree: false on a node to skip (e.g. read-only gh commands that don't need isolation).
     let effectivePath = projectInfo.path;
-    const useWorktree = nodeDef.worktree !== false;
+    // `workdir:` always wins (sets effectivePath at the bottom). If it's
+    // declared, skip the auto-worktree creation entirely — otherwise we
+    // produce dead `.forge/worktrees/pipeline-<id>` directories that
+    // nothing ever uses but pile up on disk per pipeline run.
+    const useWorktree = nodeDef.worktree !== false && !nodeDef.workdir;
     const branchName = nodeDef.branch ? resolveTemplate(nodeDef.branch, ctx) : `pipeline/${pipeline.id.slice(0, 8)}`;
     if (useWorktree) try {
       const { execSync } = require('node:child_process');

package/lib/settings.ts

@@ -71,6 +71,11 @@ export interface Settings {
    * (offline only). Default: `aiwatching/forge-connectors`.
    */
   connectorsRepoUrl: string;
+  /**
+   * Remote registry for workflow templates (recipes + pipelines). Same
+   * shape as connectorsRepoUrl. Default: `aiwatching/forge-workflow`.
+   */
+  workflowRepoUrl: string;
   displayName: string;
   displayEmail: string;
   favoriteProjects: string[];
@@ -126,6 +131,7 @@ const defaults: Settings = {
   notificationRetentionDays: 30,
   skillsRepoUrl: 'https://raw.githubusercontent.com/aiwatching/forge-skills/main',
   connectorsRepoUrl: 'https://raw.githubusercontent.com/aiwatching/forge-connectors/main',
+  workflowRepoUrl: 'https://raw.githubusercontent.com/aiwatching/forge-workflow/main',
   displayName: 'Forge',
   displayEmail: '',
   favoriteProjects: [],