@cat-factory/app 0.37.3 → 0.39.0

package/app/components/auth/AuthGate.vue

@@ -1,10 +1,16 @@
 <script setup lang="ts">
+import { computed } from 'vue'
 import LoginScreen from '~/components/auth/LoginScreen.vue'
 
 // Resolves auth state once on mount, then either renders the app (auth off, or
 // on with a signed-in user) or the login screen. The board's own bootstrap runs
 // inside the default slot, so it only fires once the user is allowed in.
 const auth = useAuthStore()
+const route = useRoute()
+
+// The password-reset page is public: a recipient of an emailed reset link is signed
+// out, so it must render even when auth is required and there's no user.
+const isPublicRoute = computed(() => route.path === '/reset-password')
 
 onMounted(() => auth.bootstrap())
 </script>
@@ -18,6 +24,8 @@ onMounted(() => auth.bootstrap())
     <span class="text-sm">Loading…</span>
   </div>
 
+  <slot v-else-if="isPublicRoute" />
+
   <LoginScreen v-else-if="auth.required && !auth.user" />
 
   <slot v-else />

package/app/components/auth/LoginScreen.vue

@@ -12,13 +12,17 @@ const invite = computed(() => {
 })
 
 // Password form: signup creates a new user (invite or allowed-email-domain gated),
-// login authenticates an existing one. Default to login; flip to signup when invited.
-const mode = ref<'login' | 'signup'>(invite.value ? 'signup' : 'login')
+// login authenticates an existing one, forgot requests a reset link. Default to login;
+// flip to signup when invited.
+const mode = ref<'login' | 'signup' | 'forgot'>(invite.value ? 'signup' : 'login')
 const email = ref('')
 const password = ref('')
 const name = ref('')
 const error = ref<string | null>(null)
 const busy = ref(false)
+// Set once a reset link has been requested, so we can show a generic confirmation
+// (we never reveal whether the email is registered).
+const forgotSent = ref(false)
 
 async function submitPassword() {
   error.value = null
@@ -44,6 +48,27 @@ async function submitPassword() {
   }
 }
 
+async function submitForgot() {
+  error.value = null
+  busy.value = true
+  try {
+    await auth.forgotPassword(email.value)
+    forgotSent.value = true
+  } catch {
+    // The request endpoint is generic by design; only an infra error lands here.
+    error.value = 'Something went wrong. Please try again.'
+  } finally {
+    busy.value = false
+  }
+}
+
+/** Switch modes, clearing any transient form state. */
+function setMode(next: 'login' | 'signup' | 'forgot') {
+  mode.value = next
+  error.value = null
+  forgotSent.value = false
+}
+
 const showOAuthDivider = computed(
   () => auth.providers.password && (auth.providers.github || auth.providers.google),
 )
@@ -58,12 +83,15 @@ const showOAuthDivider = computed(
         <UIcon name="i-lucide-layout-dashboard" class="mx-auto mb-3 h-10 w-10 text-indigo-400" />
         <h1 class="mb-1 text-lg font-semibold text-white">Architecture Board</h1>
         <p class="text-sm text-slate-400">
-          {{ invite ? 'Accept your invitation to continue.' : 'Sign in to continue.' }}
+          <template v-if="mode === 'forgot'">Reset your password.</template>
+          <template v-else>{{
+            invite ? 'Accept your invitation to continue.' : 'Sign in to continue.'
+          }}</template>
         </p>
       </div>
 
       <!-- OAuth providers -->
-      <div class="space-y-2">
+      <div v-if="mode !== 'forgot'" class="space-y-2">
         <UButton
           v-if="auth.providers.github"
           block
@@ -87,12 +115,19 @@ const showOAuthDivider = computed(
         </UButton>
       </div>
 
-      <div v-if="showOAuthDivider" class="my-4 flex items-center gap-3 text-xs text-slate-500">
+      <div
+        v-if="showOAuthDivider && mode !== 'forgot'"
+        class="my-4 flex items-center gap-3 text-xs text-slate-500"
+      >
         <span class="h-px flex-1 bg-slate-800" /> or <span class="h-px flex-1 bg-slate-800" />
       </div>
 
       <!-- Email / password -->
-      <form v-if="auth.providers.password" class="space-y-3" @submit.prevent="submitPassword">
+      <form
+        v-if="auth.providers.password && mode !== 'forgot'"
+        class="space-y-3"
+        @submit.prevent="submitPassword"
+      >
         <UInput
           v-if="mode === 'signup'"
           v-model="name"
@@ -126,17 +161,60 @@ const showOAuthDivider = computed(
         <p class="text-center text-xs text-slate-400">
           <template v-if="mode === 'login'">
             Need an account?
-            <button type="button" class="text-indigo-400 hover:underline" @click="mode = 'signup'">
+            <button
+              type="button"
+              class="text-indigo-400 hover:underline"
+              @click="setMode('signup')"
+            >
               Sign up
             </button>
           </template>
           <template v-else>
             Already have an account?
-            <button type="button" class="text-indigo-400 hover:underline" @click="mode = 'login'">
+            <button type="button" class="text-indigo-400 hover:underline" @click="setMode('login')">
               Sign in
             </button>
           </template>
         </p>
+        <p v-if="mode === 'login'" class="text-center text-xs text-slate-400">
+          <button type="button" class="text-indigo-400 hover:underline" @click="setMode('forgot')">
+            Forgot password?
+          </button>
+        </p>
+      </form>
+
+      <!-- Forgot password: request a reset link by email -->
+      <form
+        v-if="auth.providers.password && mode === 'forgot'"
+        class="space-y-3"
+        @submit.prevent="submitForgot"
+      >
+        <template v-if="forgotSent">
+          <p class="text-sm text-slate-300">
+            If an account exists for that email, a password reset link is on its way. Check your
+            inbox.
+          </p>
+        </template>
+        <template v-else>
+          <UInput
+            v-model="email"
+            type="email"
+            required
+            placeholder="Email"
+            icon="i-lucide-at-sign"
+            size="lg"
+            class="w-full"
+          />
+          <p v-if="error" class="text-sm text-rose-400">{{ error }}</p>
+          <UButton block size="lg" color="primary" type="submit" :loading="busy">
+            Send reset link
+          </UButton>
+        </template>
+        <p class="text-center text-xs text-slate-400">
+          <button type="button" class="text-indigo-400 hover:underline" @click="setMode('login')">
+            Back to sign in
+          </button>
+        </p>
       </form>
     </div>
   </div>

package/app/components/auth/ResetPasswordScreen.vue

@@ -0,0 +1,106 @@
+<script setup lang="ts">
+import { computed, ref } from 'vue'
+
+// Standalone full-screen reset form reached from the emailed link
+// (`/reset-password?token=…`). It is a public route (see AuthGate), so a recipient who
+// is signed out can still set a new password. On success we send them to the login.
+const auth = useAuthStore()
+
+const token = computed(() => {
+  if (typeof window === 'undefined') return ''
+  return new URLSearchParams(window.location.search).get('token') || ''
+})
+
+const password = ref('')
+const confirm = ref('')
+const error = ref<string | null>(null)
+const busy = ref(false)
+const done = ref(false)
+
+async function submit() {
+  error.value = null
+  if (password.value.length < 8) {
+    error.value = 'Password must be at least 8 characters.'
+    return
+  }
+  if (password.value !== confirm.value) {
+    error.value = 'Passwords do not match.'
+    return
+  }
+  busy.value = true
+  try {
+    await auth.resetPassword(token.value, password.value)
+    done.value = true
+  } catch (e) {
+    error.value =
+      (e as { data?: { error?: { message?: string } } })?.data?.error?.message ??
+      'This password reset link is invalid or has expired.'
+  } finally {
+    busy.value = false
+  }
+}
+
+function goToLogin() {
+  if (typeof window !== 'undefined') window.location.assign('/')
+}
+</script>
+
+<template>
+  <div class="flex h-screen w-screen items-center justify-center bg-slate-950 text-slate-100">
+    <div
+      class="w-full max-w-sm rounded-xl border border-slate-800 bg-slate-900/80 p-8 backdrop-blur"
+    >
+      <div class="mb-6 text-center">
+        <UIcon name="i-lucide-key-round" class="mx-auto mb-3 h-10 w-10 text-indigo-400" />
+        <h1 class="mb-1 text-lg font-semibold text-white">Reset password</h1>
+        <p class="text-sm text-slate-400">Choose a new password for your account.</p>
+      </div>
+
+      <template v-if="done">
+        <p class="mb-4 text-sm text-slate-300">
+          Your password has been reset. You can now sign in with your new password.
+        </p>
+        <UButton block size="lg" color="primary" @click="goToLogin">Go to sign in</UButton>
+      </template>
+
+      <template v-else-if="!token">
+        <p class="mb-4 text-sm text-rose-400">
+          This reset link is missing its token. Request a new link from the sign-in screen.
+        </p>
+        <UButton block size="lg" color="neutral" variant="subtle" @click="goToLogin">
+          Back to sign in
+        </UButton>
+      </template>
+
+      <form v-else class="space-y-3" @submit.prevent="submit">
+        <UInput
+          v-model="password"
+          type="password"
+          required
+          placeholder="New password"
+          icon="i-lucide-lock"
+          size="lg"
+          class="w-full"
+        />
+        <UInput
+          v-model="confirm"
+          type="password"
+          required
+          placeholder="Confirm new password"
+          icon="i-lucide-lock"
+          size="lg"
+          class="w-full"
+        />
+        <p v-if="error" class="text-sm text-rose-400">{{ error }}</p>
+        <UButton block size="lg" color="primary" type="submit" :loading="busy">
+          Reset password
+        </UButton>
+        <p class="text-center text-xs text-slate-400">
+          <button type="button" class="text-indigo-400 hover:underline" @click="goToLogin">
+            Back to sign in
+          </button>
+        </p>
+      </form>
+    </div>
+  </div>
+</template>

package/app/components/pipeline/PipelineHealthModal.vue

@@ -0,0 +1,201 @@
+<script setup lang="ts">
+// Startup advisory for unhealthy pipelines. Opened once per session from the board page when
+// `usePipelineHealth` reports any issue. Lists:
+//   • invalid pipelines (unknown agent kind / bad shape) — DELETE a custom one, RESEED a built-in;
+//   • outdated built-ins (a newer catalog definition is available) — RESEED to adopt it.
+// Detection is client-side (see usePipelineHealth); the actions hit the pipelines store.
+const ui = useUiStore()
+const pipelines = usePipelinesStore()
+const { invalid, outdated, hasIssues } = usePipelineHealth()
+const toast = useToast()
+
+const open = computed({
+  get: () => ui.pipelineHealthOpen,
+  set: (v: boolean) => {
+    if (!v) ui.closePipelineHealth()
+  },
+})
+
+// Per-pipeline in-flight ids, so each row's button shows its own spinner.
+const busy = ref<Set<string>>(new Set())
+const isBusy = (id: string) => busy.value.has(id)
+const anyBusy = computed(() => busy.value.size > 0)
+
+async function run(id: string, action: () => Promise<unknown>, failTitle: string) {
+  busy.value = new Set(busy.value).add(id)
+  try {
+    await action()
+  } catch (e) {
+    toast.add({
+      title: failTitle,
+      description: e instanceof Error ? e.message : String(e),
+      icon: 'i-lucide-triangle-alert',
+      color: 'error',
+    })
+  } finally {
+    const next = new Set(busy.value)
+    next.delete(id)
+    busy.value = next
+  }
+}
+
+const reseed = (id: string) => run(id, () => pipelines.reseed(id), 'Could not reseed pipeline')
+const remove = (id: string) =>
+  run(id, () => pipelines.removePipeline(id), 'Could not delete pipeline')
+
+/** Reseed every reseedable pipeline (outdated built-ins + invalid built-ins) in one go. */
+async function reseedAll() {
+  const ids = [...invalid.value.filter((h) => h.pipeline.builtin), ...outdated.value].map(
+    (h) => h.pipeline.id,
+  )
+  for (const id of new Set(ids)) await reseed(id)
+}
+
+const reseedableCount = computed(
+  () =>
+    new Set([
+      ...invalid.value.filter((h) => h.pipeline.builtin).map((h) => h.pipeline.id),
+      ...outdated.value.map((h) => h.pipeline.id),
+    ]).size,
+)
+</script>
+
+<template>
+  <UModal v-model:open="open" title="Pipeline health" :ui="{ content: 'max-w-2xl' }">
+    <template #body>
+      <div v-if="!hasIssues" class="py-6 text-center text-sm text-slate-400">
+        <UIcon name="i-lucide-check-circle-2" class="mx-auto mb-2 h-8 w-8 text-emerald-400" />
+        All pipelines are valid and up to date.
+      </div>
+
+      <div v-else class="space-y-5">
+        <!-- Invalid: unknown agent kinds or a broken shape. -->
+        <section v-if="invalid.length" class="space-y-2">
+          <div class="flex items-center gap-2">
+            <UIcon name="i-lucide-triangle-alert" class="h-4 w-4 text-rose-400" />
+            <h3 class="text-sm font-semibold text-slate-200">Invalid pipelines</h3>
+          </div>
+          <p class="text-[11px] text-slate-500">
+            These reference a missing agent or are misconfigured, so they would fail (or misrun) at
+            start. Delete a custom pipeline, or reseed a built-in to restore its catalog definition.
+          </p>
+          <ul class="space-y-2">
+            <li
+              v-for="h in invalid"
+              :key="h.pipeline.id"
+              class="rounded-lg border border-slate-800 bg-slate-900/40 p-3"
+            >
+              <div class="flex items-start justify-between gap-3">
+                <div class="min-w-0">
+                  <div class="flex items-center gap-2">
+                    <span class="truncate text-sm font-medium text-slate-100">
+                      {{ h.pipeline.name }}
+                    </span>
+                    <UBadge v-if="h.pipeline.builtin" color="neutral" variant="subtle" size="xs">
+                      built-in
+                    </UBadge>
+                  </div>
+                  <ul class="mt-1 space-y-0.5">
+                    <li
+                      v-for="(p, i) in h.problems"
+                      :key="i"
+                      class="text-[11px]"
+                      :class="p.type === 'outdated' ? 'text-amber-400/80' : 'text-rose-400/90'"
+                    >
+                      {{ p.message }}
+                    </li>
+                  </ul>
+                </div>
+                <UButton
+                  v-if="h.pipeline.builtin"
+                  size="xs"
+                  color="primary"
+                  variant="subtle"
+                  icon="i-lucide-rotate-ccw"
+                  :loading="isBusy(h.pipeline.id)"
+                  :disabled="anyBusy"
+                  @click="reseed(h.pipeline.id)"
+                >
+                  Reseed
+                </UButton>
+                <UButton
+                  v-else
+                  size="xs"
+                  color="error"
+                  variant="subtle"
+                  icon="i-lucide-trash-2"
+                  :loading="isBusy(h.pipeline.id)"
+                  :disabled="anyBusy"
+                  @click="remove(h.pipeline.id)"
+                >
+                  Delete
+                </UButton>
+              </div>
+            </li>
+          </ul>
+        </section>
+
+        <!-- Outdated built-ins: a newer catalog version is available. -->
+        <section v-if="outdated.length" class="space-y-2">
+          <div class="flex items-center gap-2">
+            <UIcon name="i-lucide-arrow-up-circle" class="h-4 w-4 text-amber-400" />
+            <h3 class="text-sm font-semibold text-slate-200">Updates available</h3>
+          </div>
+          <p class="text-[11px] text-slate-500">
+            A newer version of these built-in pipelines has shipped. Reseed to adopt it (your labels
+            and archive state are kept).
+          </p>
+          <ul class="space-y-2">
+            <li
+              v-for="h in outdated"
+              :key="h.pipeline.id"
+              class="flex items-center justify-between gap-3 rounded-lg border border-slate-800 bg-slate-900/40 p-3"
+            >
+              <div class="min-w-0">
+                <span class="truncate text-sm font-medium text-slate-100">{{
+                  h.pipeline.name
+                }}</span>
+                <p class="text-[11px] text-amber-400/80">{{ h.problems[0]?.message }}</p>
+              </div>
+              <UButton
+                size="xs"
+                color="primary"
+                variant="subtle"
+                icon="i-lucide-rotate-ccw"
+                :loading="isBusy(h.pipeline.id)"
+                :disabled="anyBusy"
+                @click="reseed(h.pipeline.id)"
+              >
+                Reseed
+              </UButton>
+            </li>
+          </ul>
+        </section>
+      </div>
+    </template>
+
+    <template #footer>
+      <div class="flex w-full items-center justify-between gap-2">
+        <UButton
+          v-if="reseedableCount > 1"
+          color="primary"
+          variant="ghost"
+          icon="i-lucide-rotate-ccw"
+          :loading="anyBusy"
+          @click="reseedAll"
+        >
+          Reseed all ({{ reseedableCount }})
+        </UButton>
+        <span v-else />
+        <UButton
+          color="neutral"
+          variant="ghost"
+          :disabled="anyBusy"
+          @click="ui.closePipelineHealth()"
+        >
+          {{ hasIssues ? 'Dismiss' : 'Done' }}
+        </UButton>
+      </div>
+    </template>
+  </UModal>
+</template>

package/app/composables/api/auth.ts

@@ -1,10 +1,12 @@
 import {
   acceptInvitationContract,
   authConfigContract,
+  forgotPasswordContract,
   logoutContract,
   meContract,
   passwordLoginContract,
   peekInvitationContract,
+  resetPasswordContract,
   signupContract,
 } from '@cat-factory/contracts'
 import type { ApiContext } from './context'
@@ -25,6 +27,15 @@ export function authApi({ http, send, ws }: ApiContext) {
     passwordLogin: (body: { email: string; password: string }) =>
       send(passwordLoginContract, { pathPrefix: '/auth', body }),
 
+    // Request a reset link. Always succeeds (204) regardless of whether the email is
+    // registered, so the response can't be used to enumerate accounts.
+    forgotPassword: (body: { email: string }) =>
+      send(forgotPasswordContract, { pathPrefix: '/auth', body }),
+
+    // Redeem a reset token + set a new password (throws 400 on an invalid/expired token).
+    resetPassword: (body: { token: string; password: string }) =>
+      send(resetPasswordContract, { pathPrefix: '/auth', body }),
+
     peekInvite: (token: string) =>
       send(peekInvitationContract, { pathPrefix: '/auth', pathParams: { token } }),
 

package/app/composables/api/board.ts

@@ -13,6 +13,7 @@ import {
   organizePipelineContract,
   removeBlockContract,
   reparentBlockContract,
+  reseedPipelineContract,
   toggleDependencyContract,
   updateBlockContract,
   updatePipelineContract,
@@ -129,5 +130,10 @@ export function boardApi({ send, ws }: ApiContext) {
 
     removePipeline: (workspaceId: string, pipelineId: string) =>
       send(deletePipelineContract, { pathPrefix: ws(workspaceId), pathParams: { pipelineId } }),
+
+    // Restore a built-in pipeline to its current catalog definition (adopt an improved
+    // built-in, or repair a drifted/invalid one). Custom pipelines reject this.
+    reseedPipeline: (workspaceId: string, pipelineId: string) =>
+      send(reseedPipelineContract, { pathPrefix: ws(workspaceId), pathParams: { pipelineId } }),
   }
 }

package/app/composables/usePipelineHealth.spec.ts

@@ -0,0 +1,143 @@
+import { describe, it, expect } from 'vitest'
+import type { Pipeline } from '~/types/domain'
+import { isKnownAgentKind } from '~/utils/catalog'
+import { usePipelinesStore } from '~/stores/pipelines'
+import { usePipelineHealth } from '~/composables/usePipelineHealth'
+
+/**
+ * Guards the startup pipeline-health advisory against the failure that bit the first cut: a
+ * legitimate built-in agent kind missing from the frontend catalog made `isKnownAgentKind`
+ * return false, so a stock seeded pipeline (`pl_tech_debt`, which uses `analysis` + `tracker`)
+ * was reported "invalid" in every workspace with a Reseed action that could never fix it.
+ *
+ * The kind lists below mirror the canonical built-ins in
+ * `backend/packages/kernel/src/domain/seed.ts`; keep them in step when a seed pipeline gains a
+ * new kind. The `every built-in seed kind is known` test then fails loudly if the catalog drifts.
+ */
+
+let nextId = 0
+function builtin(agentKinds: string[], over: Partial<Pipeline> = {}): Pipeline {
+  return {
+    id: `pl_test_${nextId++}`,
+    name: 'Test',
+    agentKinds,
+    builtin: true,
+    version: 1,
+    ...over,
+  }
+}
+
+/** Seed the store with pipelines + their current catalog versions, then scan. */
+function scan(pipelines: Pipeline[], versions: Record<string, number> = {}) {
+  const store = usePipelinesStore()
+  const catalogVersions = {
+    ...Object.fromEntries(pipelines.filter((p) => p.builtin).map((p) => [p.id, p.version ?? 0])),
+    ...versions,
+  }
+  store.hydrate(pipelines, catalogVersions)
+  return usePipelineHealth()
+}
+
+// Every agent kind any built-in catalog pipeline references (mirror of seed.ts). The advisory's
+// validity oracle (`isKnownAgentKind`) must recognise all of them, or a stock pipeline is
+// falsely flagged. `analysis`/`tracker` are the two that originally regressed.
+const BUILTIN_SEED_KINDS = [
+  'requirements-review',
+  'spec-writer',
+  'architect',
+  'coder',
+  'reviewer',
+  'blueprints',
+  'mocker',
+  'tester',
+  'conflicts',
+  'ci',
+  'merger',
+  'integrator',
+  'documenter',
+  'analysis',
+  'tracker',
+  'human-test',
+  'human-review',
+]
+
+describe('isKnownAgentKind', () => {
+  it('recognises every agent kind used by the built-in seed catalog', () => {
+    const unknown = BUILTIN_SEED_KINDS.filter((k) => !isKnownAgentKind(k))
+    expect(unknown).toEqual([])
+  })
+
+  it('specifically recognises analysis + tracker (the kinds that regressed)', () => {
+    expect(isKnownAgentKind('analysis')).toBe(true)
+    expect(isKnownAgentKind('tracker')).toBe(true)
+  })
+
+  it('returns false for a genuinely unknown kind', () => {
+    expect(isKnownAgentKind('totally-made-up-kind')).toBe(false)
+  })
+})
+
+describe('usePipelineHealth', () => {
+  it('does not flag the stock tech-debt built-in (analysis + tracker) as invalid', () => {
+    const techDebt = builtin(
+      [
+        'analysis',
+        'tracker',
+        'coder',
+        'reviewer',
+        'blueprints',
+        'tester',
+        'conflicts',
+        'ci',
+        'merger',
+      ],
+      { id: 'pl_tech_debt', name: 'Tech debt' },
+    )
+    const { hasIssues, invalid, outdated } = scan([techDebt])
+    expect(hasIssues.value).toBe(false)
+    expect(invalid.value).toHaveLength(0)
+    expect(outdated.value).toHaveLength(0)
+  })
+
+  it('flags a pipeline that references an unknown agent kind', () => {
+    const broken = builtin(['coder', 'bogus-kind'])
+    const { invalid } = scan([broken])
+    expect(invalid.value).toHaveLength(1)
+    expect(invalid.value[0]!.problems.some((p) => p.type === 'unknown-kind')).toBe(true)
+  })
+
+  it('accepts a valid producer + companion chain', () => {
+    const { hasIssues } = scan([builtin(['coder', 'reviewer'])])
+    expect(hasIssues.value).toBe(false)
+  })
+
+  it('flags a companion with no preceding producer it can review (shape)', () => {
+    const { invalid } = scan([builtin(['reviewer'])])
+    expect(invalid.value).toHaveLength(1)
+    expect(invalid.value[0]!.problems.some((p) => p.type === 'shape')).toBe(true)
+  })
+
+  it('flags an estimate-gated companion with no task-estimator before it (shape)', () => {
+    const gated = builtin(['coder', 'reviewer'], {
+      gating: [null, { enabled: true, minComplexity: 0.5, onMissingEstimate: 'run' }],
+    })
+    const { invalid } = scan([gated])
+    expect(invalid.value).toHaveLength(1)
+    expect(invalid.value[0]!.problems.some((p) => p.type === 'shape')).toBe(true)
+  })
+
+  it('reports a built-in whose catalog version moved ahead as outdated (not invalid)', () => {
+    const stale = builtin(['coder', 'reviewer'], { id: 'pl_stale', version: 1 })
+    const { invalid, outdated } = scan([stale], { pl_stale: 2 })
+    expect(invalid.value).toHaveLength(0)
+    expect(outdated.value).toHaveLength(1)
+    expect(outdated.value[0]!.problems[0]!.type).toBe('outdated')
+  })
+
+  it('keeps an invalid + outdated built-in out of the outdated list (one fix, not two)', () => {
+    const both = builtin(['coder', 'bogus-kind'], { id: 'pl_both', version: 1 })
+    const { invalid, outdated } = scan([both], { pl_both: 2 })
+    expect(invalid.value).toHaveLength(1)
+    expect(outdated.value).toHaveLength(0)
+  })
+})

package/app/composables/usePipelineHealth.ts

@@ -0,0 +1,140 @@
+import { computed } from 'vue'
+import type { Pipeline } from '~/types/domain'
+import type { StepGating } from '~/types/consensus'
+import { COMPANION_FOR_PRODUCER, isKnownAgentKind, isProducerCompanion } from '~/utils/catalog'
+import { usePipelinesStore } from '~/stores/pipelines'
+
+/** Estimate-gating consults a `task-estimator` step (mirrors the backend constant). */
+const TASK_ESTIMATOR_KIND = 'task-estimator'
+
+export type PipelineProblemType = 'unknown-kind' | 'shape' | 'outdated'
+
+export interface PipelineProblem {
+  type: PipelineProblemType
+  message: string
+}
+
+export interface PipelineHealth {
+  pipeline: Pipeline
+  problems: PipelineProblem[]
+  /** Structural / unknown-kind problems — delete (custom) or reseed (built-in) to fix. */
+  invalid: boolean
+  /** A built-in whose catalog definition is newer than the stored copy — reseed to update. */
+  outdated: boolean
+}
+
+/** Producers a companion kind is allowed to review (inverse of {@link COMPANION_FOR_PRODUCER}). */
+function companionTargets(companion: string): string[] {
+  return Object.entries(COMPANION_FOR_PRODUCER)
+    .filter(([, c]) => c === companion)
+    .map(([producer]) => producer)
+}
+
+const isEnabledAt = (p: Pipeline, i: number) => p.enabled?.[i] !== false
+
+/**
+ * Client-side mirror of the backend `validatePipelineShape` (companion adjacency + estimate
+ * gating, over the ENABLED subset), collecting the first problem instead of throwing. Returns a
+ * human message, or null when the shape is valid. Kept in step with
+ * `backend/packages/orchestration/src/modules/pipelines/pipelineShape.ts`.
+ */
+function shapeProblem(p: Pipeline): string | null {
+  const kinds = p.agentKinds
+  // No enabled steps ⇒ nothing would run.
+  if (kinds.length === 0 || !kinds.some((_, i) => isEnabledAt(p, i))) {
+    return 'No enabled steps — the pipeline has nothing to run.'
+  }
+  // Companion adjacency: an enabled companion's nearest preceding enabled step must be a
+  // producer it can review.
+  for (let i = 0; i < kinds.length; i++) {
+    const kind = kinds[i]
+    if (!kind || !isProducerCompanion(kind) || !isEnabledAt(p, i)) continue
+    const targets = companionTargets(kind)
+    let predecessor: string | undefined
+    for (let j = i - 1; j >= 0; j--) {
+      if (isEnabledAt(p, j)) {
+        predecessor = kinds[j]
+        break
+      }
+    }
+    if (predecessor === undefined || !targets.includes(predecessor)) {
+      return `Companion '${kind}' must run immediately after an enabled step it can review (${targets.join(', ')}).`
+    }
+  }
+  // Estimate gating: an enabled gated step must be a companion, set ≥1 threshold, and have an
+  // enabled task-estimator earlier in the chain.
+  const gating = p.gating
+  if (gating) {
+    for (let i = 0; i < kinds.length; i++) {
+      const g = gating[i] as StepGating | null | undefined
+      if (!g?.enabled || !isEnabledAt(p, i)) continue
+      const kind = kinds[i]
+      if (!kind || !isProducerCompanion(kind)) {
+        return `Step '${kind}' cannot be estimate-gated — only companion steps may be skipped on the estimate.`
+      }
+      if (g.minComplexity === undefined && g.minRisk === undefined && g.minImpact === undefined) {
+        return `Step '${kind}' is estimate-gated but sets no threshold (complexity / risk / impact).`
+      }
+      const hasEstimator = kinds
+        .slice(0, i)
+        .some((k, j) => k === TASK_ESTIMATOR_KIND && isEnabledAt(p, j))
+      if (!hasEstimator) {
+        return `Step '${kind}' is gated on the estimate but no enabled '${TASK_ESTIMATOR_KIND}' runs before it.`
+      }
+    }
+  }
+  return null
+}
+
+/**
+ * Detect pipelines in an unhealthy state for the startup advisory: those referencing an unknown
+ * agent kind or with an invalid shape (offer to delete a custom one / reseed a built-in), and
+ * built-ins whose seeded definition has moved ahead of the stored copy (offer to reseed). Reads
+ * the pipeline library + the snapshot's catalog versions from the pipelines store. Detection runs
+ * entirely client-side because the canonical agent-kind catalog lives here (`AGENT_BY_KIND` +
+ * `SYSTEM_AGENT_META` + registered custom kinds); the version comparison uses the catalog
+ * versions the snapshot ships.
+ */
+export function usePipelineHealth() {
+  const store = usePipelinesStore()
+
+  const health = computed<PipelineHealth[]>(() => {
+    const out: PipelineHealth[] = []
+    for (const pipeline of store.pipelines) {
+      const problems: PipelineProblem[] = []
+
+      const unknown = [...new Set(pipeline.agentKinds.filter((k) => !isKnownAgentKind(k)))]
+      if (unknown.length) {
+        problems.push({
+          type: 'unknown-kind',
+          message: `References unknown agent ${unknown.length > 1 ? 'kinds' : 'kind'}: ${unknown.join(', ')}.`,
+        })
+      }
+
+      const shape = shapeProblem(pipeline)
+      if (shape) problems.push({ type: 'shape', message: shape })
+
+      const catalogVersion = pipeline.builtin ? store.catalogVersions[pipeline.id] : undefined
+      const outdated = catalogVersion !== undefined && catalogVersion > (pipeline.version ?? 0)
+      if (outdated) {
+        problems.push({
+          type: 'outdated',
+          message: `A newer version of this built-in pipeline is available (v${pipeline.version ?? 0} → v${catalogVersion}).`,
+        })
+      }
+
+      if (problems.length) {
+        out.push({ pipeline, problems, invalid: unknown.length > 0 || shape !== null, outdated })
+      }
+    }
+    return out
+  })
+
+  // An invalid built-in is reseeded (not deleted) and that also clears any "outdated" flag, so
+  // exclude it from the outdated list to avoid offering the same fix twice.
+  const invalid = computed(() => health.value.filter((h) => h.invalid))
+  const outdated = computed(() => health.value.filter((h) => h.outdated && !h.invalid))
+  const hasIssues = computed(() => health.value.length > 0)
+
+  return { health, invalid, outdated, hasIssues }
+}

package/app/pages/index.vue

@@ -49,6 +49,11 @@ const SlackPanel = defineAsyncComponent(() => import('~/components/slack/SlackPa
 const FragmentLibraryPanel = defineAsyncComponent(
   () => import('~/components/fragments/FragmentLibraryPanel.vue'),
 )
+// Startup advisory for invalid / outdated pipelines — only mounted while open (auto-opened
+// at most once per session by the watcher below), so it stays out of the initial bundle.
+const PipelineHealthModal = defineAsyncComponent(
+  () => import('~/components/pipeline/PipelineHealthModal.vue'),
+)
 const IntegrationsHub = defineAsyncComponent(
   () => import('~/components/layout/IntegrationsHub.vue'),
 )
@@ -122,11 +127,25 @@ watch(
       autoOpenedSetup.value = false
       autoOpenedPreset.value = false
       ui.resetAiOnboarding()
+      // A different board has its own pipeline library, so re-arm the once-per-session advisory.
+      ui.pipelineHealthSeen = false
     }
   },
   { immediate: true },
 )
 
+// Pipeline-health advisory: once a board is loaded, surface any invalid / outdated pipelines in
+// a startup modal (auto-opened at most once per session per board — later opens are user-driven).
+// Detection is reactive, so this fires as soon as the snapshot hydrates.
+const { hasIssues: pipelineIssues } = usePipelineHealth()
+watch(
+  () => [workspace.ready, pipelineIssues.value],
+  () => {
+    if (workspace.ready && pipelineIssues.value) ui.maybeOpenPipelineHealth()
+  },
+  { immediate: true },
+)
+
 // Auto-open the right AI-onboarding dialog once per session: the no-source prompt takes
 // precedence over the preset-mismatch prompt. Honour the per-session dismissed flags so a
 // user who closed the banner isn't re-interrupted, and only auto-open once each (later opens
@@ -242,6 +261,7 @@ watch(
       <GitHubPanel v-if="ui.githubOpen" />
       <SlackPanel v-if="ui.slackOpen" />
       <FragmentLibraryPanel v-if="ui.fragmentLibraryOpen" />
+      <PipelineHealthModal v-if="ui.pipelineHealthOpen" />
       <IntegrationsHub v-if="ui.integrationsOpen" />
       <PersonalSetupModal v-if="ui.personalSetupOpen" />
       <WorkspaceSettingsPanel v-if="ui.workspaceSettingsOpen" />

package/app/pages/reset-password.vue

@@ -0,0 +1,7 @@
+<script setup lang="ts">
+import ResetPasswordScreen from '~/components/auth/ResetPasswordScreen.vue'
+</script>
+
+<template>
+  <ResetPasswordScreen />
+</template>

package/app/stores/auth.ts

@@ -133,6 +133,16 @@ export const useAuthStore = defineStore(
       applySession(await api.passwordLogin(body))
     }
 
+    /** Request a password-reset link by email (always resolves; never reveals existence). */
+    async function forgotPassword(email: string) {
+      await api.forgotPassword({ email })
+    }
+
+    /** Redeem a reset token and set a new password. Throws on an invalid/expired token. */
+    async function resetPassword(token: string, password: string) {
+      await api.resetPassword({ token, password })
+    }
+
     /** Drop the local session (sessions are stateless server-side). */
     function logout() {
       api.logout().catch(() => {})
@@ -159,6 +169,8 @@ export const useAuthStore = defineStore(
       loginWithGoogle,
       signup,
       passwordLogin,
+      forgotPassword,
+      resetPassword,
       logout,
       handleUnauthorized,
     }

package/app/stores/pipelines.ts

@@ -31,6 +31,12 @@ function defaultConsensusConfig(): ConsensusStepConfig {
 export const usePipelinesStore = defineStore('pipelines', () => {
   const api = useApi()
   const pipelines = ref<Pipeline[]>([])
+  /**
+   * Current built-in catalog versions (`seedPipelines()`), keyed by pipeline id, from the
+   * workspace snapshot. A built-in whose stored `version` is below its catalog value here has
+   * a newer definition available (see `usePipelineHealth`).
+   */
+  const catalogVersions = ref<Record<string, number>>({})
 
   /** The chain currently being assembled in the builder. */
   const draft = ref<AgentKind[]>([])
@@ -59,9 +65,10 @@ export const usePipelinesStore = defineStore('pipelines', () => {
   /** The id of the pipeline being edited, or null when assembling a brand-new one. */
   const editingId = ref<string | null>(null)
 
-  /** Replace the cached pipelines with a server snapshot. */
-  function hydrate(next: Pipeline[]) {
+  /** Replace the cached pipelines (and the current built-in catalog versions) from a snapshot. */
+  function hydrate(next: Pipeline[], versions?: Record<string, number>) {
     pipelines.value = next
+    if (versions) catalogVersions.value = versions
   }
 
   function getPipeline(id: string) {
@@ -300,6 +307,19 @@ export const usePipelinesStore = defineStore('pipelines', () => {
     if (editingId.value === id) clearDraft()
   }
 
+  /**
+   * Reseed a built-in pipeline from the backend's current catalog definition: restores its
+   * canonical structure + version (adopting an update, or repairing a drifted/invalid copy)
+   * while preserving its labels/archive state. Replaces the pipeline in the cache.
+   */
+  async function reseed(id: string): Promise<Pipeline> {
+    const updated = await api.reseedPipeline(useWorkspaceStore().requireId(), id)
+    const i = pipelines.value.findIndex((p) => p.id === updated.id)
+    if (i >= 0) pipelines.value[i] = updated
+    if (editingId.value === id) clearDraft()
+    return updated
+  }
+
   /** Set a pipeline's organizational metadata (labels / archive). Works on built-ins too. */
   async function organize(id: string, body: { labels?: string[]; archived?: boolean }) {
     const updated = await api.organizePipeline(useWorkspaceStore().requireId(), id, body)
@@ -314,6 +334,7 @@ export const usePipelinesStore = defineStore('pipelines', () => {
 
   return {
     pipelines,
+    catalogVersions,
     draft,
     draftGates,
     draftEnabled,
@@ -344,6 +365,7 @@ export const usePipelinesStore = defineStore('pipelines', () => {
     saveDraft,
     clonePipeline,
     removePipeline,
+    reseed,
     organize,
     archive,
     unarchive,

package/app/stores/ui.ts

@@ -19,6 +19,11 @@ export const useUiStore = defineStore('ui', () => {
   const selectedBlockId = ref<string | null>(null)
   const focusBlockId = ref<string | null>(null)
   const builderOpen = ref(false)
+  // Pipeline-health startup advisory: lists invalid pipelines (delete / reseed) + built-ins
+  // with a newer catalog version (reseed). `pipelineHealthSeen` gates auto-open to once per
+  // session so it does not re-pop on every snapshot re-hydration.
+  const pipelineHealthOpen = ref(false)
+  const pipelineHealthSeen = ref(false)
   const decisionContext = ref<{ instanceId: string; decisionId: string } | null>(null)
 
   // Document-source integration modals, keyed by source. `documentImport` and
@@ -217,6 +222,22 @@ export const useUiStore = defineStore('ui', () => {
     builderOpen.value = true
   }
 
+  /** Auto-open the pipeline-health advisory once per session (no-op after it's been shown). */
+  function maybeOpenPipelineHealth() {
+    if (pipelineHealthSeen.value) return
+    pipelineHealthSeen.value = true
+    pipelineHealthOpen.value = true
+  }
+
+  function openPipelineHealth() {
+    pipelineHealthSeen.value = true
+    pipelineHealthOpen.value = true
+  }
+
+  function closePipelineHealth() {
+    pipelineHealthOpen.value = false
+  }
+
   function openDecision(instanceId: string, decisionId: string) {
     decisionContext.value = { instanceId, decisionId }
   }
@@ -600,6 +621,8 @@ export const useUiStore = defineStore('ui', () => {
     selectedBlockId,
     focusBlockId,
     builderOpen,
+    pipelineHealthOpen,
+    pipelineHealthSeen,
     decisionContext,
     documentConnect,
     documentImport,
@@ -651,6 +674,9 @@ export const useUiStore = defineStore('ui', () => {
     select,
     focus,
     openBuilder,
+    maybeOpenPipelineHealth,
+    openPipelineHealth,
+    closePipelineHealth,
     openDecision,
     closeDecision,
     openApprovalDetail,

package/app/stores/workspace.ts

@@ -82,7 +82,7 @@ export const useWorkspaceStore = defineStore(
       if (i >= 0) workspaces.value[i] = snapshot.workspace
       else workspaces.value.unshift(snapshot.workspace)
       useBoardStore().hydrate(snapshot.blocks)
-      usePipelinesStore().hydrate(snapshot.pipelines)
+      usePipelinesStore().hydrate(snapshot.pipelines, snapshot.pipelineCatalogVersions)
       useExecutionStore().hydrate(snapshot.executions)
       useAgentRunsStore().hydrate(snapshot.bootstrapJobs ?? [])
       useNotificationsStore().hydrate(snapshot.notifications ?? [])

package/app/utils/catalog.ts

@@ -303,6 +303,28 @@ export const SYSTEM_AGENT_META: Record<string, AgentArchetype> = {
     color: '#22d3ee',
     description: 'Maps the repository into the service → modules blueprint.',
   },
+  // A read-only repository audit that emits a prioritized findings report. Not a palette
+  // archetype (it is only seeded into the recurring tech-debt pipeline), so it lives here
+  // for run-timeline / saved-pipeline display rather than in AGENT_ARCHETYPES.
+  analysis: {
+    kind: 'analysis',
+    label: 'Analyst',
+    icon: 'i-lucide-search-code',
+    color: '#818cf8',
+    description:
+      'Audits the repository read-only and emits a prioritized findings report (drives the tech-debt pipeline).',
+  },
+  // A one-shot engine step that files a tracker ticket (GitHub issue / Jira) from the
+  // preceding analysis before implementation. Runs no model itself; seeded only into the
+  // tech-debt pipeline, so it is a display-metadata system kind, not a palette archetype.
+  tracker: {
+    kind: 'tracker',
+    label: 'Issue Tracker',
+    icon: 'i-lucide-ticket',
+    color: '#fb923c',
+    description:
+      'Files a tracker ticket (GitHub issue / Jira) from the analysis before work starts.',
+  },
   conflicts: {
     kind: 'conflicts',
     label: 'Conflicts Gate',
@@ -447,6 +469,18 @@ export function agentKindMeta(kind: string): AgentArchetype {
   )
 }
 
+/**
+ * Whether an agent kind is actually known to this build — a palette archetype or companion
+ * ({@link AGENT_BY_KIND}, which deployment custom kinds are merged into via
+ * `useAgentsStore().registerCustomKinds`), or an engine system/gate kind
+ * ({@link SYSTEM_AGENT_META}). Unlike {@link agentKindMeta} (which always returns a usable
+ * fallback so renderers never crash), this returns `false` for an unknown kind — used to flag
+ * a pipeline that references a nonexistent agent. Call AFTER custom kinds are registered.
+ */
+export function isKnownAgentKind(kind: string): boolean {
+  return kind in AGENT_BY_KIND || kind in SYSTEM_AGENT_META
+}
+
 type BlockTypeMeta = { label: string; icon: string; accent: string }
 
 /** Visual metadata for each architecture block type. */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cat-factory/app",
-  "version": "0.37.3",
+  "version": "0.39.0",
   "description": "Reusable Nuxt layer for the Agent Architecture Board SPA (components, stores, composables, pages). Consume it from a thin deployment app via `extends: ['@cat-factory/app']` and point it at your backend with NUXT_PUBLIC_API_BASE. See deploy/frontend for an example.",
   "repository": {
     "type": "git",
@@ -32,7 +32,7 @@
     "pinia-plugin-persistedstate": "^4.7.1",
     "vue": "^3.5.38",
     "wretch": "^3.0.9",
-    "@cat-factory/contracts": "0.36.0"
+    "@cat-factory/contracts": "0.38.0"
   },
   "devDependencies": {
     "@toad-contracts/testing": "0.3.1",