@cat-factory/app 0.26.6 → 0.27.0

package/app/components/board/AgentFailureCard.vue

@@ -12,7 +12,6 @@ const props = withDefaults(
 )
 
 const agentRuns = useAgentRunsStore()
-const toast = useToast()
 
 const compact = computed(() => props.variant === 'compact')
 const failure = computed(() => props.run.failure)
@@ -26,13 +25,9 @@ async function retry() {
   if (retrying.value) return
   retrying.value = true
   try {
+    // The store surfaces any failure as an actionable toast (incl. the no-provider 409),
+    // so we only need to clear the in-flight guard here.
     await agentRuns.retry(props.run.runId)
-  } catch (e) {
-    toast.add({
-      title: 'Retry failed',
-      description: e instanceof Error ? e.message : String(e),
-      color: 'error',
-    })
   } finally {
     retrying.value = false
   }

package/app/components/board/nodes/TaskCard.vue

@@ -77,21 +77,11 @@ async function run() {
     return
   }
   starting.value = true
-  try {
-    // false ⇒ the user cancelled the personal-password prompt; revert quietly (the run
-    // never started). On success the button unmounts once the stream pushes in_progress.
-    const started = await execution.start(props.taskId, pipeline)
-    if (!started) starting.value = false
-  } catch (e) {
-    // Real confirmation came back as a failure — revert the optimistic state.
-    starting.value = false
-    toast.add({
-      title: 'Failed to start',
-      description: e instanceof Error ? e.message : String(e),
-      color: 'error',
-      icon: 'i-lucide-alert-triangle',
-    })
-  }
+  // false ⇒ the run never started (the user cancelled the personal-password prompt, or
+  // the start was refused — the store surfaces the actionable toast itself). Revert the
+  // optimistic state; on success the button unmounts once the stream pushes in_progress.
+  const started = await execution.start(props.taskId, pipeline)
+  if (!started) starting.value = false
 }
 
 function review() {

package/app/components/layout/AccountDeploymentSettings.vue

@@ -0,0 +1,236 @@
+<script setup lang="ts">
+import { computed, onMounted, reactive, ref } from 'vue'
+
+// Deployment integration secrets for an account (admin only): the Slack app OAuth
+// credentials and the container web-search upstream keys — both moved out of env into
+// the per-account settings store, sealed at rest. Secrets are write-only: the panel only
+// ever shows whether each integration is configured (the `summary`), never the values;
+// blank inputs leave a configured secret unchanged. Hidden when the settings store isn't
+// wired (no ENCRYPTION_KEY).
+const props = defineProps<{ accountId: string }>()
+
+const store = useAccountSettingsStore()
+const toast = useToast()
+
+const slack = reactive({ clientId: '', clientSecret: '', redirectUrl: '' })
+const web = reactive({ braveApiKey: '', searxngUrl: '', searxngApiKey: '' })
+const savingSlack = ref(false)
+const savingWeb = ref(false)
+
+const summary = computed(() => store.view?.summary ?? null)
+
+onMounted(async () => {
+  try {
+    await store.load(props.accountId)
+  } catch (e) {
+    toast.add({
+      title: 'Could not load deployment settings',
+      description: e instanceof Error ? e.message : String(e),
+      icon: 'i-lucide-triangle-alert',
+      color: 'error',
+    })
+  }
+})
+
+async function saveSlack() {
+  if (!slack.clientId.trim() || !slack.clientSecret.trim() || !slack.redirectUrl.trim()) {
+    toast.add({ title: 'Enter the client id, secret and redirect URL', color: 'error' })
+    return
+  }
+  savingSlack.value = true
+  try {
+    await store.save(props.accountId, {
+      secrets: {
+        slackOAuth: {
+          clientId: slack.clientId.trim(),
+          clientSecret: slack.clientSecret.trim(),
+          redirectUrl: slack.redirectUrl.trim(),
+        },
+      },
+    })
+    slack.clientId = ''
+    slack.clientSecret = ''
+    slack.redirectUrl = ''
+    toast.add({ title: 'Slack OAuth saved', icon: 'i-lucide-check', color: 'success' })
+  } catch (e) {
+    toast.add({
+      title: 'Could not save Slack OAuth',
+      description: e instanceof Error ? e.message : String(e),
+      color: 'error',
+    })
+  } finally {
+    savingSlack.value = false
+  }
+}
+
+async function clearSlack() {
+  savingSlack.value = true
+  try {
+    await store.save(props.accountId, { secrets: { slackOAuth: null } })
+    toast.add({ title: 'Slack OAuth cleared', icon: 'i-lucide-check', color: 'success' })
+  } catch (e) {
+    toast.add({
+      title: 'Could not clear Slack OAuth',
+      description: e instanceof Error ? e.message : String(e),
+      color: 'error',
+    })
+  } finally {
+    savingSlack.value = false
+  }
+}
+
+async function saveWeb() {
+  const brave = web.braveApiKey.trim()
+  const searxng = web.searxngUrl.trim()
+  if (!brave && !searxng) {
+    toast.add({ title: 'Enter a Brave key or a SearXNG URL', color: 'error' })
+    return
+  }
+  savingWeb.value = true
+  try {
+    await store.save(props.accountId, {
+      secrets: {
+        webSearch: {
+          ...(brave ? { braveApiKey: brave } : {}),
+          ...(searxng ? { searxngUrl: searxng } : {}),
+          ...(web.searxngApiKey.trim() ? { searxngApiKey: web.searxngApiKey.trim() } : {}),
+        },
+      },
+    })
+    web.braveApiKey = ''
+    web.searxngUrl = ''
+    web.searxngApiKey = ''
+    toast.add({ title: 'Web search keys saved', icon: 'i-lucide-check', color: 'success' })
+  } catch (e) {
+    toast.add({
+      title: 'Could not save web search keys',
+      description: e instanceof Error ? e.message : String(e),
+      color: 'error',
+    })
+  } finally {
+    savingWeb.value = false
+  }
+}
+
+async function clearWeb() {
+  savingWeb.value = true
+  try {
+    await store.save(props.accountId, { secrets: { webSearch: null } })
+    toast.add({ title: 'Web search keys cleared', icon: 'i-lucide-check', color: 'success' })
+  } catch (e) {
+    toast.add({
+      title: 'Could not clear web search keys',
+      description: e instanceof Error ? e.message : String(e),
+      color: 'error',
+    })
+  } finally {
+    savingWeb.value = false
+  }
+}
+</script>
+
+<template>
+  <div v-if="store.available !== false" class="space-y-6">
+    <div>
+      <h3 class="mb-1 font-semibold text-white">Deployment integrations</h3>
+      <p class="text-[11px] text-slate-400">
+        Credentials shared by every workspace in this account, sealed at rest. Values are never
+        shown after saving; leave a field blank to keep the stored secret.
+      </p>
+    </div>
+
+    <!-- Slack app OAuth -->
+    <section class="space-y-2">
+      <div class="flex items-center gap-2">
+        <h4 class="text-sm font-semibold text-slate-200">Slack app (OAuth)</h4>
+        <UBadge
+          :color="summary?.slackOAuthConfigured ? 'success' : 'neutral'"
+          variant="subtle"
+          size="xs"
+        >
+          {{ summary?.slackOAuthConfigured ? 'Configured' : 'Not set' }}
+        </UBadge>
+      </div>
+      <p class="text-[11px] text-slate-400">
+        Enables the "Add to Slack" OAuth flow. Without it, workspaces can still connect Slack by
+        pasting a bot token.
+      </p>
+      <div class="grid grid-cols-1 gap-2 sm:grid-cols-3">
+        <UInput v-model="slack.clientId" placeholder="Client ID" size="sm" />
+        <UInput
+          v-model="slack.clientSecret"
+          type="password"
+          placeholder="Client secret"
+          size="sm"
+        />
+        <UInput v-model="slack.redirectUrl" placeholder="Redirect URL" size="sm" />
+      </div>
+      <div class="flex gap-2">
+        <UButton
+          color="primary"
+          size="xs"
+          icon="i-lucide-save"
+          :loading="savingSlack"
+          @click="saveSlack"
+        >
+          Save
+        </UButton>
+        <UButton
+          v-if="summary?.slackOAuthConfigured"
+          color="neutral"
+          variant="ghost"
+          size="xs"
+          :loading="savingSlack"
+          @click="clearSlack"
+        >
+          Clear
+        </UButton>
+      </div>
+    </section>
+
+    <!-- Web search keys -->
+    <section class="space-y-2 border-t border-slate-800 pt-6">
+      <div class="flex items-center gap-2">
+        <h4 class="text-sm font-semibold text-slate-200">Container web search</h4>
+        <UBadge :color="summary?.webSearch ? 'success' : 'neutral'" variant="subtle" size="xs">
+          {{ summary?.webSearch ? `Configured (${summary.webSearch})` : 'Not set' }}
+        </UBadge>
+      </div>
+      <p class="text-[11px] text-slate-400">
+        The search upstream container agents reach through the backend proxy. Set a Brave key
+        (recommended), or a self-hosted SearXNG URL (with an optional bearer key).
+      </p>
+      <div class="grid grid-cols-1 gap-2 sm:grid-cols-3">
+        <UInput v-model="web.braveApiKey" type="password" placeholder="Brave API key" size="sm" />
+        <UInput v-model="web.searxngUrl" placeholder="SearXNG URL" size="sm" />
+        <UInput
+          v-model="web.searxngApiKey"
+          type="password"
+          placeholder="SearXNG key (optional)"
+          size="sm"
+        />
+      </div>
+      <div class="flex gap-2">
+        <UButton
+          color="primary"
+          size="xs"
+          icon="i-lucide-save"
+          :loading="savingWeb"
+          @click="saveWeb"
+        >
+          Save
+        </UButton>
+        <UButton
+          v-if="summary?.webSearch"
+          color="neutral"
+          variant="ghost"
+          size="xs"
+          :loading="savingWeb"
+          @click="clearWeb"
+        >
+          Clear
+        </UButton>
+      </div>
+    </section>
+  </div>
+</template>

package/app/components/layout/AccountTeamSettings.vue

@@ -1,6 +1,7 @@
 <script setup lang="ts">
 import { computed, onMounted, ref } from 'vue'
 import type { AccountRole } from '~/types/domain'
+import AccountDeploymentSettings from '~/components/layout/AccountDeploymentSettings.vue'
 
 // Team settings for an org account: the member roster (with combinable admin /
 // developer / product roles), pending email invitations, and the per-account
@@ -236,5 +237,10 @@ async function disconnectEmail() {
         <ProvidersApiKeysSection :account-id="accountId" category="proxy" />
       </div>
     </section>
+
+    <!-- deployment integration secrets (admin-only): Slack OAuth app + web-search keys -->
+    <section v-if="isAdmin">
+      <AccountDeploymentSettings :account-id="accountId" />
+    </section>
   </div>
 </template>

package/app/components/settings/ObservabilityConnectionPanel.vue

@@ -25,6 +25,12 @@ const provider = ref<ObservabilityProviderKind>('datadog')
 const datadog = reactive({ site: 'datadoghq.com', apiKey: '', appKey: '' })
 const busy = ref(false)
 
+// Incident enrichment (PagerDuty + incident.io) — write-only secrets; blank leaves the
+// stored value unchanged. Paired with observability since it acts on the same regression.
+const pagerDuty = reactive({ apiToken: '', fromEmail: '' })
+const incidentIo = reactive({ apiKey: '' })
+const incidentBusy = ref(false)
+
 function notifyError(title: string, e: unknown) {
   toast.add({
     title,
@@ -41,11 +47,50 @@ watch(open, async (isOpen) => {
     if (store.connection.provider) provider.value = store.connection.provider
     const site = store.connection.summary?.site
     if (site) datadog.site = site
+    await store.loadIncident()
   } catch (e) {
     notifyError('Could not load observability settings', e)
   }
 })
 
+async function saveIncident() {
+  incidentBusy.value = true
+  try {
+    const input: Parameters<typeof store.saveIncident>[0] = {}
+    if (pagerDuty.apiToken.trim() && pagerDuty.fromEmail.trim()) {
+      input.pagerDuty = {
+        apiToken: pagerDuty.apiToken.trim(),
+        fromEmail: pagerDuty.fromEmail.trim(),
+      }
+    }
+    if (incidentIo.apiKey.trim()) input.incidentIo = { apiKey: incidentIo.apiKey.trim() }
+    if (!input.pagerDuty && !input.incidentIo) {
+      toast.add({ title: 'Enter PagerDuty or incident.io credentials', color: 'error' })
+      return
+    }
+    await store.saveIncident(input)
+    pagerDuty.apiToken = ''
+    pagerDuty.fromEmail = ''
+    incidentIo.apiKey = ''
+    toast.add({ title: 'Incident enrichment saved', icon: 'i-lucide-check', color: 'success' })
+  } catch (e) {
+    notifyError('Could not save incident enrichment', e)
+  } finally {
+    incidentBusy.value = false
+  }
+}
+
+async function disconnectIncident() {
+  incidentBusy.value = true
+  try {
+    await store.removeIncident()
+  } catch (e) {
+    notifyError('Could not disconnect incident enrichment', e)
+  } finally {
+    incidentBusy.value = false
+  }
+}
+
 async function saveConnection() {
   busy.value = true
   try {
@@ -145,6 +190,53 @@ const connectedLabel = computed(() => {
             </UButton>
           </div>
         </section>
+
+        <!-- Incident enrichment (optional): annotate an incident PagerDuty / incident.io
+             already opened from the same monitors/SLOs. -->
+        <section
+          v-if="store.incidentAvailable !== false"
+          class="space-y-3 rounded-lg border border-slate-700 p-3"
+        >
+          <div class="flex items-center justify-between">
+            <h3 class="text-sm font-semibold">Incident enrichment</h3>
+            <UBadge :color="store.incident.connected ? 'success' : 'neutral'" variant="soft">
+              {{ store.incident.connected ? 'Configured' : 'Not set' }}
+            </UBadge>
+          </div>
+          <p class="text-[11px] text-slate-400">
+            Optional. On a regression, the on-call investigation is posted onto an incident these
+            systems ALREADY opened from the same signals (annotate, never re-alert). Secrets are
+            write-only — blank leaves a stored value unchanged.
+          </p>
+
+          <UFormField label="PagerDuty API token">
+            <UInput v-model="pagerDuty.apiToken" type="password" class="w-full" />
+          </UFormField>
+          <UFormField label="PagerDuty From email">
+            <UInput
+              v-model="pagerDuty.fromEmail"
+              type="email"
+              placeholder="oncall@example.com"
+              class="w-full"
+            />
+          </UFormField>
+          <UFormField label="incident.io API key">
+            <UInput v-model="incidentIo.apiKey" type="password" class="w-full" />
+          </UFormField>
+
+          <div class="flex gap-2">
+            <UButton :loading="incidentBusy" @click="saveIncident">Save</UButton>
+            <UButton
+              v-if="store.incident.connected"
+              color="error"
+              variant="soft"
+              :loading="incidentBusy"
+              @click="disconnectIncident"
+            >
+              Clear
+            </UButton>
+          </div>
+        </section>
       </div>
     </template>
   </UModal>

package/app/components/settings/WorkspaceSettingsPanel.vue

@@ -8,7 +8,7 @@
 // The latter three are body-only section components rendered in tabs here (no longer
 // standalone modals).
 import { reactive, ref, watch } from 'vue'
-import type { CreateTaskType, TaskLimitMode } from '~/types/domain'
+import type { CreateTaskType, TaskLimitMode, WorkspaceSettings } from '~/types/domain'
 import MergeThresholdsPanel from '~/components/settings/MergeThresholdsPanel.vue'
 import IssueTrackerPanel from '~/components/settings/IssueTrackerPanel.vue'
 import ServiceFragmentDefaultsPanel from '~/components/settings/ServiceFragmentDefaultsPanel.vue'
@@ -36,6 +36,7 @@ const tabs = [
     icon: 'i-lucide-sliders-horizontal',
     slot: 'workspace',
   },
+  { value: 'budget', label: 'Budget', icon: 'i-lucide-wallet', slot: 'budget' },
   { value: 'merge', label: 'Merge thresholds', icon: 'i-lucide-git-merge', slot: 'merge' },
   {
     value: 'tracker',
@@ -64,6 +65,10 @@ const draft = reactive({
   taskLimitMode: 'off' as TaskLimitMode,
   taskLimitShared: 5 as number,
   perType: {} as Record<CreateTaskType, number>,
+  // Budget: empty string ⇒ "use the built-in default" (null on the wire).
+  spendCurrency: '',
+  spendMonthlyLimit: '',
+  spendModelPrices: '',
 })
 
 function hydrate() {
@@ -73,6 +78,9 @@ function hydrate() {
   draft.taskLimitShared = s.taskLimitShared ?? 5
   const pt = s.taskLimitPerType ?? {}
   for (const t of TASK_TYPES) draft.perType[t] = pt[t] ?? 3
+  draft.spendCurrency = s.spendCurrency ?? ''
+  draft.spendMonthlyLimit = s.spendMonthlyLimit == null ? '' : String(s.spendMonthlyLimit)
+  draft.spendModelPrices = s.spendModelPrices ? JSON.stringify(s.spendModelPrices, null, 2) : ''
 }
 
 watch(() => store.settings, hydrate, { immediate: true, deep: true })
@@ -109,6 +117,45 @@ async function save() {
     saving.value = false
   }
 }
+
+const savingBudget = ref(false)
+
+async function saveBudget() {
+  // Parse the optional per-model price overrides JSON (blank ⇒ no overrides).
+  let prices: WorkspaceSettings['spendModelPrices'] = null
+  const raw = draft.spendModelPrices.trim()
+  if (raw) {
+    try {
+      prices = JSON.parse(raw)
+    } catch {
+      toast.add({
+        title: 'Per-model prices must be valid JSON',
+        icon: 'i-lucide-triangle-alert',
+        color: 'error',
+      })
+      return
+    }
+  }
+  savingBudget.value = true
+  try {
+    await store.update({
+      spendCurrency: draft.spendCurrency.trim() ? draft.spendCurrency.trim().toUpperCase() : null,
+      spendMonthlyLimit:
+        draft.spendMonthlyLimit.trim() === '' ? null : Number(draft.spendMonthlyLimit),
+      spendModelPrices: prices,
+    })
+    toast.add({ title: 'Budget saved', icon: 'i-lucide-check', color: 'success' })
+  } catch (e) {
+    toast.add({
+      title: 'Could not save budget',
+      description: e instanceof Error ? e.message : String(e),
+      icon: 'i-lucide-triangle-alert',
+      color: 'error',
+    })
+  } finally {
+    savingBudget.value = false
+  }
+}
 </script>
 
 <template>
@@ -195,6 +242,74 @@ async function save() {
           </div>
         </template>
 
+        <!-- Budget -->
+        <template #budget>
+          <div class="space-y-6">
+            <section class="space-y-2">
+              <h3 class="text-sm font-semibold text-slate-200">Monthly spend budget</h3>
+              <p class="text-[11px] text-slate-400">
+                Token usage is metered per LLM call, priced, and gated by this budget — when
+                reached, runs in this workspace pause and the board shows a warning. Leave blank to
+                inherit the built-in default (~100&nbsp;EUR/month).
+              </p>
+              <div class="grid grid-cols-2 gap-3">
+                <label class="block">
+                  <span class="mb-1 block text-[10px] uppercase tracking-wide text-slate-500">
+                    Monthly limit
+                  </span>
+                  <UInput
+                    v-model="draft.spendMonthlyLimit"
+                    type="number"
+                    :min="0"
+                    placeholder="Default"
+                    size="sm"
+                  />
+                </label>
+                <label class="block">
+                  <span class="mb-1 block text-[10px] uppercase tracking-wide text-slate-500">
+                    Currency (ISO 4217)
+                  </span>
+                  <UInput
+                    v-model="draft.spendCurrency"
+                    placeholder="EUR"
+                    maxlength="3"
+                    size="sm"
+                    class="uppercase"
+                  />
+                </label>
+              </div>
+            </section>
+
+            <section class="space-y-2">
+              <h3 class="text-sm font-semibold text-slate-200">Per-model price overrides</h3>
+              <p class="text-[11px] text-slate-400">
+                Optional. JSON object of <code>"provider:model"</code> (or a bare
+                <code>"provider"</code>) → <code>{ inputPerMillion, outputPerMillion }</code>,
+                overlaid on the built-in price table. Leave blank to use the defaults.
+              </p>
+              <UTextarea
+                v-model="draft.spendModelPrices"
+                :rows="6"
+                size="sm"
+                class="w-full font-mono text-[11px]"
+                placeholder='{"openai:gpt-4o":{"inputPerMillion":2.3,"outputPerMillion":9.2}}'
+              />
+            </section>
+
+            <div class="flex justify-end">
+              <UButton
+                color="primary"
+                icon="i-lucide-save"
+                size="sm"
+                :loading="savingBudget"
+                @click="saveBudget"
+              >
+                Save budget
+              </UButton>
+            </div>
+          </div>
+        </template>
+
         <!-- Merge thresholds -->
         <template #merge>
           <MergeThresholdsPanel />

package/app/composables/api/accounts.ts

@@ -7,6 +7,7 @@ import type {
   EmailConnection,
   UpdateAccountInput,
 } from '~/types/domain'
+import type { AccountSettingsView, UpdateAccountSettingsInput } from '~/types/accountSettings'
 import type { ApiContext } from './context'
 
 /** Account (tenancy) management: orgs, members, invitations + the email sender. */
@@ -77,5 +78,16 @@ export function accountsApi({ http }: ApiContext) {
         method: 'POST',
         body: { to },
       }),
+
+    // Per-account deployment settings (admin only): integration secrets (Slack OAuth +
+    // web-search keys), sealed at rest. Read returns config + non-secret summary only.
+    getAccountSettings: (accountId: string) =>
+      http<AccountSettingsView>(`/accounts/${encodeURIComponent(accountId)}/settings`),
+
+    updateAccountSettings: (accountId: string, body: UpdateAccountSettingsInput) =>
+      http<AccountSettingsView>(`/accounts/${encodeURIComponent(accountId)}/settings`, {
+        method: 'PUT',
+        body,
+      }),
   }
 }

package/app/composables/api/releaseHealth.ts

@@ -4,6 +4,10 @@ import type {
   UpsertObservabilityConnectionInput,
   UpsertReleaseHealthConfigInput,
 } from '~/types/releaseHealth'
+import type {
+  IncidentEnrichmentView,
+  UpsertIncidentEnrichmentInput,
+} from '~/types/incidentEnrichment'
 import type { ApiContext } from './context'
 
 /** Post-release-health: the observability connection + per-block monitor/SLO mapping. */
@@ -40,5 +44,18 @@ export function releaseHealthApi({ http, ws }: ApiContext) {
       http(`${ws(workspaceId)}/release-health-configs/${encodeURIComponent(blockId)}`, {
         method: 'DELETE',
       }),
+
+    // ---- Incident enrichment (PagerDuty + incident.io, write-only secrets) --
+    getIncidentEnrichment: (workspaceId: string) =>
+      http<IncidentEnrichmentView>(`${ws(workspaceId)}/incident-enrichment`),
+
+    setIncidentEnrichment: (workspaceId: string, body: UpsertIncidentEnrichmentInput) =>
+      http<IncidentEnrichmentView>(`${ws(workspaceId)}/incident-enrichment`, {
+        method: 'PUT',
+        body,
+      }),
+
+    deleteIncidentEnrichment: (workspaceId: string) =>
+      http(`${ws(workspaceId)}/incident-enrichment`, { method: 'DELETE' }),
   }
 }

package/app/composables/usePipelineErrorToast.ts

@@ -0,0 +1,100 @@
+/**
+ * Turn a failed run-control API call (start / restart / retry / merge) into an actionable
+ * toast. The backend tags every 409 conflict with a distinct, machine-readable
+ * `error.details.reason` (kernel `ConflictReason`), so we can word each case precisely
+ * instead of dumping the raw message — and, for `providers_unconfigured`, surface the
+ * SAME guidance + "Configure AI" jump as the no-AI-provider startup banner.
+ */
+
+/** The parsed shape of a backend conflict (`{ error: { code: 'conflict', details } }`). */
+interface ConflictDetails {
+  reason?: string
+  models?: string[]
+  [key: string]: unknown
+}
+
+/** Pull a 409 conflict's `{ reason, message, details }` out of a thrown fetch error, else null. */
+export function parseConflict(
+  error: unknown,
+): { reason?: string; message: string; details: ConflictDetails } | null {
+  const body = (
+    error as { data?: { error?: { code?: string; message?: string; details?: ConflictDetails } } }
+  )?.data?.error
+  if (body?.code !== 'conflict') return null
+  const details = body.details ?? {}
+  return {
+    reason: typeof details.reason === 'string' ? details.reason : undefined,
+    message: body.message ?? 'This action conflicts with the current state.',
+    details,
+  }
+}
+
+/** Per-reason toast titles for conflicts that don't get bespoke handling below. */
+const CONFLICT_TITLES: Record<string, string> = {
+  dependencies_unmet: 'Blocked by dependencies',
+  task_limit_reached: 'Concurrency limit reached',
+  tester_infra_unsupported: 'Test infrastructure not configured',
+  run_not_retryable: 'Run can’t be retried',
+  no_pr_to_merge: 'No PR to merge',
+  github_not_connected: 'GitHub not connected',
+  bootstrap_not_retryable: 'Bootstrap can’t be retried',
+  bootstrap_reference_missing: 'Reference architecture is gone',
+}
+
+export function usePipelineErrorToast() {
+  const toast = useToast()
+  const ui = useUiStore()
+
+  /**
+   * Present `error` as a toast. `fallbackTitle` is used for non-conflict failures and any
+   * conflict reason without a dedicated title.
+   */
+  function present(error: unknown, fallbackTitle = 'Action failed'): void {
+    const conflict = parseConflict(error)
+
+    // The headline case: a pipeline step's model has no usable provider. Name the
+    // offending model(s), explain no provider is available, and offer the one-click jump
+    // to the AI setup — the same remedy the startup "No AI model configured" banner gives.
+    if (conflict?.reason === 'providers_unconfigured') {
+      const models = Array.isArray(conflict.details.models) ? conflict.details.models : []
+      const list = models.join(', ')
+      toast.add({
+        title: 'No AI provider for this model',
+        description: list
+          ? `No provider is configured for ${list}. Add a provider key, connect a subscription, ` +
+            'or enable Cloudflare AI to run it.'
+          : conflict.message,
+        color: 'error',
+        icon: 'i-lucide-cpu',
+        actions: [
+          {
+            label: 'Configure AI',
+            icon: 'i-lucide-settings',
+            onClick: () => ui.openAiProviderSetup(),
+          },
+        ],
+      })
+      return
+    }
+
+    if (conflict) {
+      toast.add({
+        title: CONFLICT_TITLES[conflict.reason ?? ''] ?? fallbackTitle,
+        description: conflict.message,
+        color: 'warning',
+        icon: 'i-lucide-triangle-alert',
+      })
+      return
+    }
+
+    // Not a conflict (a 4xx/5xx or a network fault) — surface its message plainly.
+    toast.add({
+      title: fallbackTitle,
+      description: error instanceof Error ? error.message : String(error),
+      color: 'error',
+      icon: 'i-lucide-triangle-alert',
+    })
+  }
+
+  return { present }
+}

package/app/stores/accountSettings.ts

@@ -0,0 +1,49 @@
+import { defineStore } from 'pinia'
+import { ref } from 'vue'
+import type { AccountSettingsView, UpdateAccountSettingsInput } from '~/types/accountSettings'
+
+/**
+ * Per-account deployment settings (admin only): the integration secrets — Slack app OAuth
+ * credentials + the web-search upstream keys — sealed at rest in the DB. Secrets are
+ * write-only: this store only ever holds the non-secret `summary` (which integrations are
+ * configured), never the values. `available` mirrors the backend opt-in: a 503 (no
+ * ENCRYPTION_KEY) hides the panel. Loaded on demand from the account-settings panel.
+ */
+export const useAccountSettingsStore = defineStore('accountSettings', () => {
+  const api = useApi()
+
+  const view = ref<AccountSettingsView | null>(null)
+  const loading = ref(false)
+  const available = ref<boolean | null>(null)
+
+  async function load(accountId: string) {
+    loading.value = true
+    try {
+      view.value = await api.getAccountSettings(accountId)
+      available.value = true
+    } catch (e) {
+      // 503 ⇒ the settings store isn't wired (no ENCRYPTION_KEY) ⇒ hide the panel.
+      if (
+        e &&
+        typeof e === 'object' &&
+        'statusCode' in e &&
+        (e as { statusCode?: number }).statusCode === 503
+      ) {
+        available.value = false
+        view.value = null
+      } else {
+        throw e
+      }
+    } finally {
+      loading.value = false
+    }
+  }
+
+  async function save(accountId: string, input: UpdateAccountSettingsInput) {
+    view.value = await api.updateAccountSettings(accountId, input)
+    available.value = true
+    return view.value
+  }
+
+  return { view, loading, available, load, save }
+})

package/app/stores/agentRuns.ts

@@ -37,6 +37,10 @@ export interface AgentRunSummary {
 export const useAgentRunsStore = defineStore('agentRuns', () => {
   const api = useApi()
   const execution = useExecutionStore()
+  // Same actionable-toast handling as the execution store: a retry refused with a tagged
+  // 409 (e.g. the run is no longer in a retryable state, or the model has no provider) is
+  // surfaced here so every retry surface (board card, inspector, task panel) is identical.
+  const runErrors = usePipelineErrorToast()
 
   /** Bootstrap runs for this workspace, newest-first. */
   const bootstrapJobs = ref<BootstrapJob[]>([])
@@ -99,10 +103,14 @@ export const useAgentRunsStore = defineStore('agentRuns', () => {
     const personal = usePersonalSubscriptionsStore()
     // A failed run on a Claude-pinned block needs the retrying user's personal password;
     // supplied from cache and prompted (then retried) on a 428, exactly like start.
-    await personal.withCredential(async (password) => {
-      await api.retryAgentRun(ws.requireId(), runId, password)
-      await ws.refresh()
-    })
+    try {
+      await personal.withCredential(async (password) => {
+        await api.retryAgentRun(ws.requireId(), runId, password)
+        await ws.refresh()
+      })
+    } catch (e) {
+      runErrors.present(e, 'Retry failed')
+    }
   }
 
   /**

package/app/stores/execution.ts

@@ -18,6 +18,11 @@ import { useWorkspaceStore } from '~/stores/workspace'
  */
 export const useExecutionStore = defineStore('execution', () => {
   const api = useApi()
+  // Centralised actionable toasts for run-control failures: a 409 with no configured
+  // provider opens the AI setup; the other tagged conflicts get worded titles. Living
+  // in the store means every caller (board card, drag-drop, menus, restart controls)
+  // gets identical handling, including the fire-and-forget ones that never caught.
+  const runErrors = usePipelineErrorToast()
   const instances = ref<ExecutionInstance[]>([])
 
   /** Replace the cached executions with a server snapshot. */
@@ -109,12 +114,18 @@ export const useExecutionStore = defineStore('execution', () => {
   async function start(blockId: string, pipeline: Pipeline): Promise<boolean> {
     const ws = useWorkspaceStore()
     const personal = usePersonalSubscriptionsStore()
-    // Returns false when the user cancels the personal-password prompt (the run never
-    // started), so an optimistic caller can revert its "Starting…" state.
-    return personal.withCredential(async (password) => {
-      await api.startExecution(ws.requireId(), blockId, { pipelineId: pipeline.id }, password)
-      await ws.refresh()
-    })
+    // Returns false when the user cancels the personal-password prompt OR the start was
+    // refused (a 409 conflict, surfaced as an actionable toast here), so an optimistic
+    // caller can revert its "Starting…" state without its own error handling.
+    try {
+      return await personal.withCredential(async (password) => {
+        await api.startExecution(ws.requireId(), blockId, { pipelineId: pipeline.id }, password)
+        await ws.refresh()
+      })
+    } catch (e) {
+      runErrors.present(e, 'Failed to start')
+      return false
+    }
   }
 
   // Interacting with a running individual-usage run (resolve/approve/request-changes) rides
@@ -207,8 +218,12 @@ export const useExecutionStore = defineStore('execution', () => {
   /** Merge an open PR (a task in `pr_ready`) — the server completes the task. */
   async function mergePr(blockId: string) {
     const ws = useWorkspaceStore()
-    await api.mergeBlock(ws.requireId(), blockId)
-    await ws.refresh()
+    try {
+      await api.mergeBlock(ws.requireId(), blockId)
+      await ws.refresh()
+    } catch (e) {
+      runErrors.present(e, 'Failed to merge')
+    }
   }
 
   /**
@@ -222,10 +237,15 @@ export const useExecutionStore = defineStore('execution', () => {
   async function restartFromStep(instanceId: string, stepIndex: number): Promise<boolean> {
     const ws = useWorkspaceStore()
     const personal = usePersonalSubscriptionsStore()
-    return personal.withCredential(async (password) => {
-      await api.restartFromStep(ws.requireId(), instanceId, stepIndex, password)
-      await ws.refresh()
-    })
+    try {
+      return await personal.withCredential(async (password) => {
+        await api.restartFromStep(ws.requireId(), instanceId, stepIndex, password)
+        await ws.refresh()
+      })
+    } catch (e) {
+      runErrors.present(e, 'Failed to restart')
+      return false
+    }
   }
 
   /** Cancel the execution running against a block and reset it to planned. */

package/app/stores/releaseHealth.ts

@@ -6,6 +6,10 @@ import type {
   UpsertObservabilityConnectionInput,
   UpsertReleaseHealthConfigInput,
 } from '~/types/releaseHealth'
+import type {
+  IncidentEnrichmentView,
+  UpsertIncidentEnrichmentInput,
+} from '~/types/incidentEnrichment'
 import { useWorkspaceStore } from '~/stores/workspace'
 
 /**
@@ -23,6 +27,10 @@ export const useReleaseHealthStore = defineStore('releaseHealth', () => {
     summary: null,
   })
   const configs = ref<ReleaseHealthConfig[]>([])
+  // Incident-enrichment (PagerDuty + incident.io) connection — write-only secrets, the
+  // store only ever holds the presence summary. Wired alongside observability.
+  const incident = ref<IncidentEnrichmentView>({ connected: false, summary: null })
+  const incidentAvailable = ref<boolean | null>(null)
   const loading = ref(false)
   // Mirrors the backend's opt-in gate (`OBSERVABILITY_ENABLED`): `null` until first
   // probed, then `true`/`false`. The hub + inspector hide their observability entry
@@ -95,9 +103,35 @@ export const useReleaseHealthStore = defineStore('releaseHealth', () => {
     configs.value = configs.value.filter((c) => c.blockId !== blockId)
   }
 
+  /** Load the incident-enrichment connection (separate opt-in gate from observability). */
+  async function loadIncident() {
+    const ws = useWorkspaceStore()
+    try {
+      incident.value = await api.getIncidentEnrichment(ws.requireId())
+      incidentAvailable.value = true
+    } catch {
+      incidentAvailable.value = false
+      incident.value = { connected: false, summary: null }
+    }
+  }
+
+  async function saveIncident(input: UpsertIncidentEnrichmentInput) {
+    const ws = useWorkspaceStore()
+    incident.value = await api.setIncidentEnrichment(ws.requireId(), input)
+    incidentAvailable.value = true
+  }
+
+  async function removeIncident() {
+    const ws = useWorkspaceStore()
+    await api.deleteIncidentEnrichment(ws.requireId())
+    incident.value = { connected: false, summary: null }
+  }
+
   return {
     connection,
     configs,
+    incident,
+    incidentAvailable,
     loading,
     available,
     load,
@@ -107,5 +141,8 @@ export const useReleaseHealthStore = defineStore('releaseHealth', () => {
     configForBlock,
     saveConfig,
     removeConfig,
+    loadIncident,
+    saveIncident,
+    removeIncident,
   }
 })

package/app/stores/workspaceSettings.ts

@@ -9,6 +9,9 @@ const DEFAULTS: WorkspaceSettings = {
   taskLimitMode: 'off',
   taskLimitShared: null,
   taskLimitPerType: null,
+  spendCurrency: null,
+  spendMonthlyLimit: null,
+  spendModelPrices: null,
 }
 
 /**

package/app/types/accountSettings.ts

@@ -0,0 +1,39 @@
+// Per-account (deployment-wide) integration settings. Mirrors
+// `@cat-factory/contracts` accountSettings. Secrets are write-only — the read view
+// returns only `config` + a non-secret presence `summary`.
+
+export interface SlackOAuthSecret {
+  clientId: string
+  clientSecret: string
+  redirectUrl: string
+}
+
+export interface WebSearchSecret {
+  braveApiKey?: string
+  searxngUrl?: string
+  searxngApiKey?: string
+}
+
+/** Non-secret per-account config (empty today; reserved for forward-compatible tuning). */
+export type AccountSettingsConfig = Record<string, never>
+
+export interface AccountSettingsSummary {
+  slackOAuthConfigured: boolean
+  webSearch: 'brave' | 'searxng' | null
+}
+
+export interface AccountSettingsView {
+  config: AccountSettingsConfig
+  summary: AccountSettingsSummary
+}
+
+/**
+ * Admin write. Each secrets group: omit ⇒ leave unchanged, `null` ⇒ clear, value ⇒ set.
+ */
+export interface UpdateAccountSettingsInput {
+  config?: AccountSettingsConfig
+  secrets?: {
+    slackOAuth?: SlackOAuthSecret | null
+    webSearch?: WebSearchSecret | null
+  }
+}

package/app/types/domain.ts

@@ -493,6 +493,12 @@ export interface WorkspaceSettings {
   taskLimitShared: number | null
   /** The per-type caps, when `taskLimitMode` is `per_type` (type → cap). */
   taskLimitPerType: Partial<Record<CreateTaskType, number>> | null
+  /** Spend budget currency (ISO 4217). Null ⇒ the built-in default (`EUR`). */
+  spendCurrency: string | null
+  /** Monthly spend budget in `spendCurrency`. Null ⇒ the built-in default. */
+  spendMonthlyLimit: number | null
+  /** Per-model price overrides (`provider:model` → per-1M rates). Null ⇒ none. */
+  spendModelPrices: Record<string, { inputPerMillion: number; outputPerMillion: number }> | null
 }
 
 /** Patch a workspace's settings (only the supplied fields change). */
@@ -501,6 +507,9 @@ export interface UpdateWorkspaceSettingsInput {
   taskLimitMode?: TaskLimitMode
   taskLimitShared?: number | null
   taskLimitPerType?: Partial<Record<CreateTaskType, number>> | null
+  spendCurrency?: string | null
+  spendMonthlyLimit?: number | null
+  spendModelPrices?: Record<string, { inputPerMillion: number; outputPerMillion: number }> | null
 }
 
 /**

package/app/types/incidentEnrichment.ts

@@ -0,0 +1,28 @@
+// Per-workspace incident-enrichment connection (PagerDuty + incident.io). Mirrors
+// `@cat-factory/contracts` incident-enrichment. Credentials are write-only — the view
+// returns only a presence `summary`.
+
+export interface PagerDutyCredentials {
+  apiToken: string
+  fromEmail: string
+}
+
+export interface IncidentIoCredentials {
+  apiKey: string
+}
+
+/** Write input — set one or both providers; an omitted group is left unchanged. */
+export interface UpsertIncidentEnrichmentInput {
+  pagerDuty?: PagerDutyCredentials
+  incidentIo?: IncidentIoCredentials
+}
+
+export interface IncidentEnrichmentSummary {
+  pagerDuty: boolean
+  incidentIo: boolean
+}
+
+export interface IncidentEnrichmentView {
+  connected: boolean
+  summary: IncidentEnrichmentSummary | null
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cat-factory/app",
-  "version": "0.26.6",
+  "version": "0.27.0",
   "description": "Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an example.",
   "repository": {
     "type": "git",