@floless/app 0.7.0 → 0.8.0

package/dist/floless-server.cjs

@@ -51392,6 +51392,49 @@ function parseRunHandle(stdout) {
 function traceLogPath(id, instance, runId, logsRoot = LOGS_DIR) {
   return (0, import_node_path3.join)(logsRoot, id, instance, `${runId}.jsonl`);
 }
+function latestTracePath(id, logsRoot = LOGS_DIR) {
+  const appDir2 = (0, import_node_path3.join)(logsRoot, id);
+  if (!(0, import_node_fs4.existsSync)(appDir2)) return null;
+  let best = null;
+  let instances;
+  try {
+    instances = (0, import_node_fs4.readdirSync)(appDir2);
+  } catch {
+    return null;
+  }
+  for (const instance of instances) {
+    const instDir = (0, import_node_path3.join)(appDir2, instance);
+    let entries;
+    try {
+      if (!(0, import_node_fs4.statSync)(instDir).isDirectory()) continue;
+      entries = (0, import_node_fs4.readdirSync)(instDir);
+    } catch {
+      continue;
+    }
+    for (const f of entries) {
+      if (!f.endsWith(".jsonl")) continue;
+      const p = (0, import_node_path3.join)(instDir, f);
+      try {
+        const m = (0, import_node_fs4.statSync)(p).mtimeMs;
+        if (!best || m > best.mtimeMs) best = { path: p, mtimeMs: m };
+      } catch {
+      }
+    }
+  }
+  return best ? best.path : null;
+}
+function readLatestTrace(id, logsRoot = LOGS_DIR) {
+  const p = latestTracePath(id, logsRoot);
+  if (!p) return null;
+  let text;
+  try {
+    text = (0, import_node_fs4.readFileSync)(p, "utf8");
+  } catch {
+    return null;
+  }
+  const runId = p.split(/[\\/]/).pop()?.replace(/\.jsonl$/, "") ?? "";
+  return { runId, path: p, text };
+}
 function startTrigger(id, opts = {}) {
   assertId(id);
   const invoker = currentInvoker();
@@ -52053,6 +52096,9 @@ function signInUrl() {
 function updateApiBase() {
   return `${env().apiBase}/updates/releases`;
 }
+function apiBaseUrl() {
+  return env().apiBase;
+}
 async function accessToken() {
   return ensureFreshToken();
 }
@@ -52308,7 +52354,7 @@ function appVersion() {
   return resolveVersion({
     isSea: isSea2(),
     sqVersionXml: readSqVersionXml(),
-    define: true ? "0.7.0" : void 0,
+    define: true ? "0.8.0" : void 0,
     pkgVersion: readPkgVersion()
   });
 }
@@ -52318,7 +52364,7 @@ function resolveChannel(s) {
   return "dev";
 }
 function appChannel() {
-  return resolveChannel({ isSea: isSea2(), define: true ? "0.7.0" : void 0 });
+  return resolveChannel({ isSea: isSea2(), define: true ? "0.8.0" : void 0 });
 }
 
 // oauth-presets.ts
@@ -53844,6 +53890,69 @@ async function applyUpdate(check, opts) {
   return { applied: true, message: `updating to v${check.targetVersion}\u2026 the app will relaunch` };
 }
 
+// report-relay.ts
+var REPORT_TIMEOUT_MS = 15e3;
+async function reportIssue(input) {
+  let token;
+  try {
+    token = await accessToken();
+  } catch {
+    return { ok: false, error: "offline" };
+  }
+  if (!token) return { ok: false, error: "signed_out" };
+  const url = `${apiBaseUrl()}/issues`;
+  let res;
+  try {
+    res = await authedFetch(url, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(input),
+      signal: AbortSignal.timeout(REPORT_TIMEOUT_MS)
+    });
+  } catch {
+    return { ok: false, error: "offline" };
+  }
+  if (res.status === 401) return { ok: false, error: "signed_out" };
+  if (res.status === 429) return { ok: false, error: "rate_limited" };
+  if (!res.ok) return { ok: false, error: "offline" };
+  let ref = "";
+  try {
+    const b = await res.json();
+    if (typeof b.ref === "string") ref = b.ref;
+  } catch {
+  }
+  return { ok: true, ref };
+}
+
+// run-summary.ts
+var clampMsg = (s) => {
+  const t = s.trim();
+  return t.length > 1e3 ? t.slice(0, 1e3) : t;
+};
+function summarizeRun(events) {
+  const runEnd = [...events].reverse().find((e) => e.kind === "run-end");
+  const status = runEnd && typeof runEnd.status === "string" ? runEnd.status : events.length ? "unknown" : "none";
+  let errorNodeId = null;
+  let errorMessage = null;
+  for (const e of events) {
+    if (e.kind === "node-error" && typeof e.node === "string") {
+      errorNodeId = e.node;
+      const err = e.error;
+      errorMessage = typeof err === "string" && err.trim() ? clampMsg(err) : null;
+      break;
+    }
+    const data = e.data;
+    const result = data?.result ?? data;
+    if (result && result.ok === false && typeof e.node === "string") {
+      errorNodeId = e.node;
+      const err = result.error;
+      errorMessage = typeof err === "string" && err.trim() ? clampMsg(err) : null;
+      break;
+    }
+  }
+  return { status, errorNodeId, errorMessage };
+}
+
 // launch.mjs
 var import_node_child_process5 = require("node:child_process");
 var import_node_path14 = require("node:path");
@@ -54321,13 +54430,15 @@ var import_yaml5 = __toESM(require_dist6(), 1);
 // build/ship-skills.mjs
 var PRODUCT_SKILLS = [
   "floless-app-bridge",
-  //     drive the floless.app CLI / desktop bridge from the user's AI
+  //        drive the floless.app CLI / desktop bridge from the user's AI
   "floless-app-onboarding",
-  // guided, re-runnable tour of AWARE + floless.app for new users
+  //    guided, re-runnable tour of AWARE + floless.app for new users
+  "floless-app-report-issue",
+  //  file a diagnosed bug/idea/question to the private log via the floless.io relay
   "floless-app-routines",
-  //   author event-driven ("on trigger") routines
+  //      author event-driven ("on trigger") routines
   "floless-app-workflows"
-  //  author/run .flo workflows
+  //     author/run .flo workflows
 ];
 function selectShippedSkillNames(names) {
   const present = new Set(names);
@@ -56318,7 +56429,10 @@ async function startServer() {
   });
   app.addHook("onRequest", async (req, reply) => {
     if (!req.url.startsWith("/api/")) return;
-    if (req.url.startsWith("/api/health") || req.url.startsWith("/api/license/") || req.url.startsWith("/api/bootstrap/") || req.url.startsWith("/api/autostart") || req.url.startsWith("/api/update") || req.url.startsWith("/api/aware/update")) return;
+    if (req.url.startsWith("/api/health") || req.url.startsWith("/api/license/") || req.url.startsWith("/api/bootstrap/") || req.url.startsWith("/api/autostart") || // Report-an-issue is a support lifeline: a user whose subscription lapsed must still be
+    // able to report "I got locked out". It touches no workspace data and the relay still
+    // requires a valid SESSION token (so it's not open abuse — see report-relay.ts).
+    req.url.startsWith("/api/report-issue") || req.url.startsWith("/api/update") || req.url.startsWith("/api/aware/update")) return;
     const { state: state2, signInUrl: signInUrl2 } = await getLicenseStatus();
     if (state2 !== "valid" && state2 !== "offline-grace") {
       return reply.status(402).send({ ok: false, error: "subscription required", state: state2, signInUrl: signInUrl2 });
@@ -56355,6 +56469,24 @@ async function startServer() {
     logout();
     return { ok: true };
   });
+  app.post(
+    "/api/report-issue",
+    async (req, reply) => {
+      const b = req.body ?? {};
+      const category = b.category === "idea" || b.category === "question" ? b.category : "bug";
+      const title = typeof b.title === "string" ? b.title.trim() : "";
+      const body = typeof b.body === "string" ? b.body.trim() : "";
+      if (!title || !body) {
+        return reply.status(400).send({ ok: false, error: "title and body are required" });
+      }
+      const clamp = (s, n) => s.length > n ? s.slice(0, n) : s;
+      const context = b.context && typeof b.context === "object" && !Array.isArray(b.context) && JSON.stringify(b.context).length <= 16e3 ? b.context : void 0;
+      const result = await reportIssue({ category, title: clamp(title, 200), body: clamp(body, 12e3), context });
+      if (result.ok) return { ok: true, ref: result.ref };
+      const status = result.error === "signed_out" ? 401 : result.error === "rate_limited" ? 429 : 503;
+      return reply.status(status).send({ ok: false, error: result.error });
+    }
+  );
   app.get("/api/autostart", async () => {
     const supported = autostartSupported();
     return { ok: true, supported, enabled: supported ? autostartPresent() : false };
@@ -56614,6 +56746,30 @@ async function startServer() {
     broadcast({ type: "grafted", id: stage.agentId });
     return { ok: true, agentId: stage.agentId };
   });
+  async function detectCredentialIssue(id) {
+    try {
+      const app2 = readApp(id);
+      const agents = new Set(app2.nodes.map((n) => n.agent).filter((a) => !!a));
+      if (!agents.size) return null;
+      const live = await aware.connectList();
+      for (const c of live) {
+        if (agents.has(c.integration) && c.status !== "valid") {
+          return { id: c.integration, label: friendlyIntegrationName(c.integration) };
+        }
+      }
+    } catch {
+    }
+    return null;
+  }
+  function hasAuthFailure(events) {
+    for (const ev of events) {
+      const data = ev.data;
+      const result = data?.result ?? data;
+      const status = result && typeof result.status === "number" ? result.status : null;
+      if (status === 401 || status === 403) return true;
+    }
+    return false;
+  }
   app.post(
     "/api/run",
     async (req, reply) => {
@@ -56633,7 +56789,8 @@ async function startServer() {
           }
           const stderr = detail && typeof detail.stderr === "string" ? detail.stderr.trim() : "";
           app.log.warn({ detail: err.detail }, err.message);
-          return reply.send({ ok: false, error: err.message, reason: stderr || null, simulate: !!simulate });
+          const credentialIssue2 = simulate ? null : await detectCredentialIssue(id);
+          return reply.send({ ok: false, error: err.message, reason: stderr || null, simulate: !!simulate, credentialIssue: credentialIssue2 });
         }
         throw err;
       }
@@ -56642,13 +56799,26 @@ async function startServer() {
       for (const ev of events) broadcast({ type: "trace", id, event: ev });
       broadcast({ type: "run-ended", id, runId: result.runId });
       const report = extractReportHtml(events);
-      return { ok: true, runId: result.runId, tracePath: result.tracePath, events, report };
+      const credentialIssue = !simulate && hasAuthFailure(events) ? await detectCredentialIssue(id) : null;
+      return { ok: true, runId: result.runId, tracePath: result.tracePath, events, report, credentialIssue };
     }
   );
   app.post("/api/run/stop", async () => {
     const running = cancelActiveRun();
     return { ok: true, running };
   });
+  app.get("/api/latest-run/:id", async (req, reply) => {
+    const id = req.params.id;
+    if (!/^[A-Za-z0-9._-]+$/.test(id)) {
+      return reply.status(400).send({ ok: false, error: "invalid app id" });
+    }
+    const latest = readLatestTrace(id);
+    if (!latest) {
+      return { ok: true, id, runId: null, status: "none", errorNodeId: null, errorMessage: null, events: [] };
+    }
+    const events = parseTrace(latest.text);
+    return { ok: true, id, runId: latest.runId, ...summarizeRun(events), events };
+  });
   function resolveArgs(configArgs, inputs) {
     const out = {};
     for (const [k, v] of Object.entries(configArgs)) {

package/dist/skills/floless-app-report-issue/SKILL.md

@@ -0,0 +1,127 @@
+---
+name: floless-app-report-issue
+description: File a diagnosed bug / idea / question from floless.app into the PRIVATE product log via the floless.io relay. Use when the user invokes /floless-app-report-issue, clicks "Report an issue" in the floless.app UI (a queued report or a copied prompt), or says "report this", "file a bug", "something broke in floless", "send feedback / a feature idea". It READS the live run evidence first (latest run trace, failing node + error, the .flo, exec code), offers a workaround when one exists, then composes a maintainer-ready report and sends it — always showing the exact text and confirming first. Read-only: it never re-runs a workflow node.
+metadata:
+  version: 0.1.0
+---
+
+# floless.app — report an issue
+
+You are not a feedback form. You are the **on-device incident responder**: a capable AI already
+running on the user's machine, with its hands on the exact thing that broke — the workflow, the
+run trace, the `.flo`, the exec code. A report you file should arrive **diagnosed, not described**.
+
+The destination is floless.app's **private** product log. End users can't file there directly
+(it's a private repo), so the local server **relays** the report to floless.io, which files it
+on their behalf under the signed-in session. You compose + send; you never touch GitHub directly.
+
+## Preconditions
+
+- The local server is up: `curl -s http://127.0.0.1:4317/api/health` → `{"ok":true,…}` (fixed port
+  4317; override `$PORT`). It returns `appVersion`, `awareVersion`, and `license`. If it's down,
+  the user starts it from the repo (`cd server && npm run dev`).
+- A signed-in session is required to file (the relay authenticates with it). If a send returns
+  `signed_out`, tell the user to sign in (menu → the license state in the footer) and retry — do
+  not try to work around it.
+
+## Safety contract — READ-ONLY (non-negotiable)
+
+Diagnosing must never change the user's model or data.
+
+- **Never re-run an individual exec node.** Exec nodes run Roslyn C# against a **live Tekla/Trimble
+  host** and can mutate the model. There is no "re-run just this node" — don't invent one.
+- **Only** offer a *full-workflow* re-run when **all** hold: the user explicitly asks, the app is
+  `runnable`, and the latest trace shows the previous run was **non-mutating** (read-only nodes).
+  Otherwise diagnose from the evidence already on disk.
+- Everything below (`/api/health`, `/api/latest-run/:id`, `/api/app/:id`, reading the `.flo`/exec
+  source) is read-only. Stay there.
+
+## Discriminator + routing — keep the trackers clean
+
+Everything from a user funnels into the **one private floless log**; the maintainer triages and
+escalates from there. The user never has to decide "is this AWARE or floless?".
+
+- File here for: anything in the floless.app experience — the UI, a workflow/app behaving wrong, a
+  confusing result, a feature idea, a question.
+- The one exception (maintainers only): if it is *plainly* an AWARE **runtime** defect (a compiler
+  panic, a CLI bug) **and** you're operating with repo access, prefer `/aware-log-issue`
+  (→ `aware-aeco`). For an ordinary user, still file here — the maintainer escalates.
+
+## Workflow — read, diagnose, confirm, send
+
+```dot
+digraph { "health + identify app" -> "read evidence (READ-ONLY)" -> "root-cause hypothesis" ->
+  "offer workaround" -> "compose report" -> "privacy scrub + SHOW + confirm" ->
+  "POST /api/report-issue" -> "report the ref" }
+```
+
+1. **Health + identify the app.** `GET /api/health` for versions + license. Establish which app/
+   workflow the report is about (ask if unclear, or take it from a queued UI request).
+2. **Read the evidence (the killer step — READ-ONLY):**
+   - `GET /api/latest-run/<appId>` → structured trace: `runId`, `status`, `errorNodeId`,
+     `errorMessage`, `events`. This is the spine of the diagnosis.
+   - `GET /api/app/<appId>` → the normalized topology + `.flo` source + each node's `config`
+     (incl. exec `code`). Read the failing node's code; pin `file:line`.
+   - Form a concrete **root-cause hypothesis** — not "it failed", but *why*.
+3. **Offer a fix/workaround in the moment** when the evidence supports one. The user often leaves
+   already unstuck — that's the point.
+4. **Compose** the report from the template below: a diagnosed body, problem-first title.
+5. **Privacy scrub + confirm (ALWAYS).** The private log is still real: include versions + a
+   sanitized summary by default. **Ask before** attaching the `.flo`, raw logs, a screenshot, or
+   any model/company names. **Show the user the exact title + body**, then wait for an explicit
+   yes. Nothing sends without it.
+6. **Send** via the local relay:
+   ```bash
+   curl -s -X POST http://127.0.0.1:4317/api/report-issue \
+     -H 'Content-Type: application/json' \
+     -d '{"category":"bug","title":"…","body":"…","context":{ "appId":"…","appVersion":"…","awareVersion":"…","runId":"…","errorNodeId":"…" }}'
+   ```
+   → `{ "ok": true, "ref": "#123" }`. Errors: `signed_out` (sign in), `rate_limited` (wait), or
+   `offline` (check connection) — relay them plainly; the user's text is not lost.
+7. **Report** the `ref` to the user, plus any workaround you already gave. Because the repo is
+   private, there is no link to open — say so; the maintainer follows up.
+
+### Local API
+
+| Call | Purpose |
+|---|---|
+| `GET /api/health` | versions + license state |
+| `GET /api/latest-run/:id` | **read-only** structured trace of the app's most recent run |
+| `GET /api/app/:id` | normalized topology + `.flo` source + node config/exec code |
+| `POST /api/report-issue` | send the composed report through the relay → `{ ok, ref }` |
+
+## Report body template
+
+```
+**Summary** — <one line, problem-first>
+
+**Observed** (with evidence)
+- <what happened> — node `<errorNodeId>` · `<errorMessage>`
+- <file:line in the exec code, quoted, when relevant>
+
+**Root-cause hypothesis**
+- <why it happened — your diagnosis, marked as hypothesis if unconfirmed>
+
+**Repro**
+- app `<appId>` (FloLess v<appVersion>, AWARE v<awareVersion>), run `<runId>`
+- <steps / inputs>  ← attach the .flo only with consent
+
+**Expected**
+- <what AWARE/floless should have done>
+
+**Workaround given** (if any)
+- <what you told the user to do right now>
+```
+
+The local route stamps category → label and the relay adds `user-report` + the reporter id.
+
+## Guardrails
+
+- **Read-only.** Diagnose from evidence on disk; never re-run a node (live-host mutation risk).
+- **Relay only.** This skill never calls `gh` — the user has no access to the private repo; the
+  relay files on their behalf. (The maintainer `gh` runbook is the separate `floless-app-log-issue`.)
+- **Always confirm** the exact text before sending; default to versions + sanitized summary, and
+  ask before attaching anything richer.
+- **Don't invent** node ids, errors, or a fix you can't support from the evidence. A wrong-but-
+  confident diagnosis is worse than an honest "couldn't reproduce — here's what I see."
+- **One report per concern.** Don't bundle a bug and a feature idea into one.

package/dist/web/app.css

@@ -987,6 +987,9 @@
     background: var(--accent-bright);
     box-shadow: 0 0 14px var(--accent-glow);
   }
+  /* A disabled action reads as inert — never a primary that looks clickable but isn't. */
+  .modal-actions button:disabled { opacity: 0.5; cursor: default; }
+  .modal-actions button.primary:disabled:hover { background: var(--accent); box-shadow: none; }
   .modal.library {
     width: 720px;
     max-height: 82vh;
@@ -2065,6 +2068,42 @@ body {
 }
 .report-overlay .overlay-stop:disabled { opacity: 0.6; cursor: default; }
 
+/* Credential-failure reconnect card — shown in .report-overlay when a run hits a
+   rejected OAuth token. Amber-topped (recoverable, needs attention); the Reconnect
+   action keeps primary-blue (the one critical next step), Open Integrations is ghost. */
+.cred-fail-card {
+  background: var(--surface); border: 1px solid var(--border-strong); border-top: 3px solid var(--warn);
+  border-radius: 8px; padding: 22px 24px; max-width: 380px; width: 100%;
+  display: flex; flex-direction: column; gap: 14px; text-align: left;
+}
+.cred-fail-status {
+  display: flex; align-items: center; gap: 8px;
+  font-size: 10px; text-transform: uppercase; letter-spacing: 0.14em; color: var(--text-dim);
+}
+.cred-fail-icon { color: var(--warn); font-size: 16px; line-height: 1; }
+.cred-fail-headline { font-size: 15px; font-weight: 600; color: var(--text); }
+.cred-fail-body { font-size: 13px; color: var(--text-muted); line-height: 1.55; }
+.cred-fail-err { font-size: 12px; color: var(--err); }
+.cred-fail-ok { font-size: 13px; color: var(--ok); font-weight: 600; }
+.cred-fail-actions { display: flex; align-items: center; gap: 8px; margin-top: 4px; }
+.cred-fail-actions button { font-family: var(--ui); font-size: 13px; line-height: 1.2; border-radius: 4px; cursor: pointer; }
+.cred-fail-actions .cred-reconnect {
+  padding: 7px 16px; background: var(--accent); color: white; border: 1px solid var(--accent); font-weight: 600;
+}
+.cred-fail-actions .cred-reconnect:hover:not(:disabled) {
+  background: var(--accent-bright); box-shadow: 0 0 14px var(--accent-glow);
+}
+.cred-fail-actions .cred-reconnect:disabled { opacity: 0.7; cursor: default; }
+.cred-fail-actions .cred-open-integrations {
+  padding: 7px 12px; background: transparent; border: 1px solid var(--border-strong); color: var(--text-muted);
+}
+.cred-fail-actions .cred-open-integrations:hover { color: var(--text); border-color: var(--accent-dim); }
+.cred-reconnect-spinner {
+  display: inline-block; width: 12px; height: 12px; vertical-align: -2px; margin-right: 6px;
+  border: 2px solid rgba(255, 255, 255, 0.3); border-top-color: #fff; border-radius: 50%;
+  animation: spin 0.8s linear infinite;
+}
+
 /* Report + input nodes on the canvas carry a first-class action button
    ("View report ▸" / "Set inputs ▸"). Double-click still works as a shortcut. */
 .agent-card.report-node,

package/dist/web/app.js

@@ -972,6 +972,7 @@ function handleMenuAction(action) {
     case 'find':         openFind(); break;
     case 'integrations': openIntegrations(); break;
     case 'routines': openRoutines(); break;
+    case 'report-issue': openReportIssue(); break;
   }
 }
 

package/dist/web/aware.js

@@ -106,7 +106,11 @@
       ...opts,
     });
     const body = await res.json().catch(() => ({ ok: false, error: `HTTP ${res.status}` }));
-    if (!res.ok || body.ok === false) throw new Error(body.error || `HTTP ${res.status}`);
+    if (!res.ok || body.ok === false) {
+      const err = new Error(body.error || `HTTP ${res.status}`);
+      err.body = body; // preserve the in-band payload (e.g. credentialIssue) for callers
+      throw err;
+    }
     return body;
   }
 
@@ -959,6 +963,9 @@
         : await api('/api/run', { method: 'POST', body: JSON.stringify({ id: currentId, simulate: false, inputs }) });
       // Reflect the run in the Execution tab too.
       if (Array.isArray(res.events)) { liveTrace.length = 0; res.events.forEach(pushTrace); state.hasRun = true; if (state.currentTab === 'execution') renderInspect(); }
+      // A run can "succeed" yet carry a rejected token (the report would be an error
+      // body, not real data) — prompt reconnect instead of rendering the noise.
+      if (res.credentialIssue) { surfaceCredentialIssue(res.credentialIssue); return; }
       const html = res.report && res.report.html;
       if (!html) {
         $reportOverlay.innerHTML = `<div>Run completed but <code>${escapeHtml(nodeId)}</code> returned no <code>html</code>. Check the Execution tab.</div>`;
@@ -977,17 +984,115 @@
         $reportOverlay.innerHTML = `<div>Run cancelled. A node already running on the host may still finish there; click <strong>▶ Run workflow</strong> to run again.</div>`;
         showToast('Run cancelled', 'info');
       } else {
-        // Expected, recoverable failure (host not attached, stale lock, …): show it
-        // in the viewer overlay + a toast. No console.error — the server returns the
-        // failure in-band, so a failed run isn't a console-worthy fault.
-        $reportOverlay.innerHTML = `<div>Run failed: ${escapeHtml(msg)}. Check the host is attached and the lock is fresh.</div>`;
-        showToast('Run failed: ' + msg, 'warn');
+        // Expected, recoverable failure. If it was a rejected token, prompt the
+        // user to reconnect that integration (not the misleading host hint).
+        const cred = e.body && e.body.credentialIssue;
+        if (cred) {
+          surfaceCredentialIssue(cred);
+        } else {
+          // Other recoverable failures (host not attached, stale lock, …): show it
+          // in the viewer overlay + a toast. No console.error — the server returns the
+          // failure in-band, so a failed run isn't a console-worthy fault.
+          $reportOverlay.innerHTML = `<div>Run failed: ${escapeHtml(msg)}. Check the host is attached and the lock is fresh.</div>`;
+          showToast('Run failed: ' + msg, 'warn');
+        }
       }
     } finally {
       reportRunning = false;
     }
   }
 
+  // ── Credential-reconnect card ──────────────────────────────────────────────
+  // When a real run fails (or "succeeds" with a 401 body) because an integration's
+  // OAuth token was rejected, the server returns `credentialIssue: {id,label}`. We
+  // replace the misleading "check the host" message with a focused prompt to
+  // reconnect that integration — generic across Trimble, M365, any OAuth provider.
+  // Built with DOM nodes + textContent (no innerHTML) so the integration label can
+  // never inject markup.
+  let credReconnect = null; // { id, onSuccess, onFail } — latched while a card reconnect runs
+
+  function mkEl(tag, cls, text) {
+    const n = document.createElement(tag);
+    if (cls) n.className = cls;
+    if (text != null) n.textContent = text;
+    return n;
+  }
+
+  const CRED_BODY_IDLE = 'Sign in again and then run the workflow — it takes about 30 seconds.';
+
+  function showCredentialReconnect(cred) {
+    $reportFrame.srcdoc = '';
+    $reportOverlay.hidden = false;
+    $reportOverlay.replaceChildren();
+
+    const card = mkEl('div', 'cred-fail-card');
+    card.setAttribute('role', 'status');
+
+    const status = mkEl('div', 'cred-fail-status');
+    const icon = mkEl('span', 'cred-fail-icon', iconFor(cred.id));
+    icon.setAttribute('aria-hidden', 'true');
+    status.append(icon, document.createTextNode('SESSION EXPIRED'));
+
+    const headline = mkEl('div', 'cred-fail-headline', `Your ${cred.label} session expired`);
+    const body = mkEl('div', 'cred-fail-body', CRED_BODY_IDLE);
+
+    const actions = mkEl('div', 'cred-fail-actions');
+    const reconnect = mkEl('button', 'primary cred-reconnect', 'Reconnect');
+    reconnect.type = 'button';
+    const openInt = mkEl('button', 'cred-open-integrations', 'Open Integrations');
+    openInt.type = 'button';
+    actions.append(reconnect, openInt);
+
+    card.append(status, headline, body, actions);
+    $reportOverlay.append(card);
+    showModal($reportModal);
+
+    openInt.onclick = () => { hideModal($reportModal); openIntegrations(); };
+    reconnect.onclick = () => credReconnectStart(cred, card, reconnect, body);
+    reconnect.focus();
+  }
+
+  function credReconnectStart(cred, card, btn, body) {
+    const reset = (errMsg) => {
+      credReconnect = null;
+      btn.disabled = false; btn.textContent = 'Reconnect';
+      body.textContent = CRED_BODY_IDLE;
+      let e = card.querySelector('.cred-fail-err');
+      if (!e) { e = mkEl('div', 'cred-fail-err'); body.after(e); }
+      e.textContent = errMsg;
+    };
+    const oldErr = card.querySelector('.cred-fail-err'); if (oldErr) oldErr.remove();
+    btn.disabled = true;
+    btn.textContent = '';
+    const sp = mkEl('span', 'cred-reconnect-spinner'); sp.setAttribute('aria-hidden', 'true');
+    btn.append(sp, document.createTextNode('Signing in…'));
+    body.textContent = 'Opening your browser to sign in — complete it there and this will update.';
+
+    credReconnect = {
+      id: cred.id,
+      onSuccess: () => {
+        credReconnect = null;
+        const actions = card.querySelector('.cred-fail-actions'); if (actions) actions.remove();
+        body.replaceChildren(mkEl('span', 'cred-fail-ok', 'Connected — click ▶ Run workflow to continue.'));
+        setTimeout(() => {
+          if ($reportOverlay.querySelector('.cred-fail-card')) { $reportOverlay.hidden = true; $reportOverlay.replaceChildren(); }
+        }, 2000);
+      },
+      onFail: () => reset('Sign-in failed — try again, or use the device code flow in Integrations.'),
+    };
+    api(`/api/connect/${encodeURIComponent(cred.id)}`, { method: 'POST', body: '{}' })
+      .then((res) => { if (res && res.started === false) reset('Couldn’t start sign-in — open Integrations to retry.'); })
+      .catch(() => reset('Sign-in failed — try again, or use the device code flow in Integrations.'));
+  }
+
+  // Shared by both run paths: when the server flags a credential issue, show the
+  // reconnect card + a quiet toast/narration instead of the generic failure copy.
+  function surfaceCredentialIssue(cred) {
+    showCredentialReconnect(cred);
+    showToast(`Session expired — reconnect ${cred.label} to continue.`, 'warn');
+    appendNarration(`Run stopped — your <strong>${escapeHtml(cred.label)}</strong> session expired. Reconnect and run again.`);
+  }
+
   function showModal(el) { el.classList.add('show'); }
   function hideModal(el) { el.classList.remove('show'); }
 
@@ -1622,6 +1727,8 @@
       const res = await api('/api/run', { method: 'POST', body: JSON.stringify({ id: currentId, simulate, inputs: currentInputs() }) });
       // SSE usually fills liveTrace first; backfill from the response if it didn't.
       if (liveTrace.length === 0 && Array.isArray(res.events)) res.events.forEach(pushTrace);
+      // A "succeeded" run carrying a rejected token → prompt reconnect, not a result.
+      if (res.credentialIssue) { surfaceCredentialIssue(res.credentialIssue); return; }
       switchToExecution();
       const steps = liveTrace.filter((r) => r.kind === 'node-start').length;
       appendNarration(simulate
@@ -1634,12 +1741,18 @@
         showToast('Run cancelled', 'info');
         appendNarration('Run cancelled. Click <strong>▶ Run workflow</strong> to run again.');
       } else {
-        // A failed run is an expected, recoverable outcome (the server returns it
-        // in-band) — surface it as a toast + narration, not a console error.
-        showToast((simulate ? 'Simulate failed' : 'Run failed') + ': ' + msg, 'warn');
-        appendNarration(simulate
-          ? `Simulate couldn't validate <code>${escapeHtml(currentId)}</code> — it stubs each node from its output-schema, but exec nodes have none, so the cross-node templates render undefined. Use <strong>▶ Run workflow</strong> for a live run against the host.`
-          : `Run failed: ${escapeHtml(msg)}. Check the host is attached and the lock is fresh.`);
+        const cred = e.body && e.body.credentialIssue;
+        if (cred) {
+          // A rejected token — prompt reconnect for that integration, not the host hint.
+          surfaceCredentialIssue(cred);
+        } else {
+          // A failed run is an expected, recoverable outcome (the server returns it
+          // in-band) — surface it as a toast + narration, not a console error.
+          showToast((simulate ? 'Simulate failed' : 'Run failed') + ': ' + msg, 'warn');
+          appendNarration(simulate
+            ? `Simulate couldn't validate <code>${escapeHtml(currentId)}</code> — it stubs each node from its output-schema, but exec nodes have none, so the cross-node templates render undefined. Use <strong>▶ Run workflow</strong> for a live run against the host.`
+            : `Run failed: ${escapeHtml(msg)}. Check the host is attached and the lock is fresh.`);
+        }
       }
     } finally {
       state.running = false;
@@ -2215,6 +2328,12 @@
       } else if (m.type === 'trigger-session-changed') {
         applyTriggerSnapshot(m.id, m.snapshot);
       } else if (m.type === 'connect-result') {
+        // A run's credential-reconnect card may be waiting on this integration —
+        // drive its success/fail state from the same SSE result.
+        if (credReconnect && credReconnect.id === m.id) {
+          if (m.status === 'connected') credReconnect.onSuccess();
+          else credReconnect.onFail(m.error);
+        }
         // The device-code sign-in resolved. On success, refresh so the card flips
         // to Connected; otherwise surface the outcome in the integration's slot.
         connecting.delete(m.id);
@@ -3147,6 +3266,188 @@
     else if ($routinesModal.classList.contains('show')) hideModal($routinesModal);
   });
 
+  // ── Report an issue ──────────────────────────────────────────────────────────
+  // The hamburger "Report an issue" item files into the PRIVATE product log via
+  // POST /api/report-issue (the floless.io relay; report-relay.ts). The user gets a
+  // confirmation ref, not a public link (private repo). The /floless-app-report-issue
+  // skill is the richer terminal path (it reads run traces + the .flo to file a
+  // diagnosed report). Modal elements are static in index.html, present when this runs.
+  const $riModal = document.getElementById('report-issue-modal');
+  const $riForm = document.getElementById('ri-form');
+  const $riState = document.getElementById('ri-state');
+  const $riTitle = document.getElementById('ri-title');
+  const $riDesc = document.getElementById('ri-desc');
+  const $riContext = document.getElementById('ri-context');
+  const $riSend = document.getElementById('ri-send');
+  const $riCancel = document.getElementById('ri-cancel');
+  let riCategory = 'bug';
+  let riSubmitting = false;
+  let riAppVersion = ''; // captured from /api/health on open so the report actually carries
+  let riAwareVersion = ''; // the versions the modal promises ("sent automatically: …")
+
+  const riSyncSend = () => { $riSend.disabled = !($riTitle.value.trim() && $riDesc.value.trim()); };
+  const riClose = () => { if (!riSubmitting) hideModal($riModal); };
+  const riSetCategory = (cat) => {
+    riCategory = cat;
+    $riModal.querySelectorAll('#ri-category .rtn-mode-btn').forEach((b) => {
+      const on = b.dataset.cat === cat;
+      b.classList.toggle('active', on);
+      b.setAttribute('aria-pressed', String(on));
+    });
+  };
+  // Build the post-submit states with safe DOM methods (textContent, not innerHTML).
+  const riButton = (id, label, primary, onclick) => {
+    const b = document.createElement('button');
+    b.id = id;
+    if (primary) b.className = 'primary';
+    b.textContent = label;
+    b.onclick = onclick;
+    return b;
+  };
+  // A Lucide-style circle-check (stroke SVG, matching the menu icons) for the success state —
+  // it actually means "received/done", vs an ad-hoc glyph. Inherits var(--ok) via currentColor.
+  const riCheckIcon = () => {
+    const NS = 'http://www.w3.org/2000/svg';
+    const svg = document.createElementNS(NS, 'svg');
+    svg.setAttribute('viewBox', '0 0 24 24');
+    svg.setAttribute('width', '34');
+    svg.setAttribute('height', '34');
+    svg.setAttribute('fill', 'none');
+    svg.setAttribute('stroke', 'currentColor');
+    svg.setAttribute('stroke-width', '1.75');
+    svg.setAttribute('stroke-linecap', 'round');
+    svg.setAttribute('stroke-linejoin', 'round');
+    svg.style.display = 'block';
+    svg.style.margin = '0 auto';
+    const circle = document.createElementNS(NS, 'circle');
+    circle.setAttribute('cx', '12');
+    circle.setAttribute('cy', '12');
+    circle.setAttribute('r', '10');
+    const check = document.createElementNS(NS, 'path');
+    check.setAttribute('d', 'm9 12 2 2 4-4');
+    svg.append(circle, check);
+    return svg;
+  };
+  const riShowState = (...nodes) => {
+    while ($riState.firstChild) $riState.removeChild($riState.firstChild);
+    for (const n of nodes) $riState.appendChild(n);
+    $riState.hidden = false;
+    $riForm.hidden = true;
+  };
+
+  openReportIssue = function openReportIssueReal() {
+    riSubmitting = false;
+    $riForm.hidden = false;
+    $riState.hidden = true;
+    while ($riState.firstChild) $riState.removeChild($riState.firstChild);
+    $riTitle.value = '';
+    $riDesc.value = '';
+    riSetCategory('bug');
+    riAppVersion = '';
+    riAwareVersion = '';
+    $riSend.disabled = true;
+    $riSend.textContent = 'Send report';
+    // Auto-attached diagnostics line — versions + the open workflow, read fresh from health.
+    $riContext.textContent = 'Also sent automatically: app + AWARE version, and the open workflow.';
+    api('/api/health').then((h) => {
+      riAppVersion = h.appVersion || '';
+      riAwareVersion = h.awareVersion || '';
+      const app = currentId && apps.get(currentId);
+      const wf = app ? ` · workflow "${app.displayName || currentId}"` : '';
+      $riContext.textContent = `Also sent automatically: FloLess v${h.appVersion || '?'}, AWARE v${h.awareVersion || '?'}${wf}`;
+    }).catch(() => { /* keep the generic line on a health blip */ });
+    showModal($riModal);
+    setTimeout(() => $riTitle.focus(), 0);
+  };
+
+  function riRenderSuccess(ref) {
+    const wrap = document.createElement('div');
+    wrap.className = 'graft-success';
+    const icon = document.createElement('div');
+    icon.className = 'gs-icon';
+    icon.setAttribute('aria-hidden', 'true');
+    icon.appendChild(riCheckIcon());
+    const msg = document.createElement('div');
+    msg.className = 'gs-msg';
+    msg.textContent = ref
+      ? `Received — logged as ${ref} · We'll follow up privately.`
+      : "Received · We'll follow up privately.";
+    wrap.append(icon, msg);
+    const actions = document.createElement('div');
+    actions.className = 'modal-actions';
+    const done = riButton('ri-done', 'Done', true, () => hideModal($riModal));
+    actions.append(done);
+    riShowState(wrap, actions);
+    done.focus();
+  }
+
+  function riRenderSignIn() {
+    const sub = document.createElement('div');
+    sub.className = 'modal-sub';
+    sub.textContent = 'Sign in to send a report — your session has expired.';
+    const actions = document.createElement('div');
+    actions.className = 'modal-actions';
+    const close = riButton('ri-signin-close', 'Close', false, () => hideModal($riModal));
+    const signin = riButton('ri-signin-btn', 'Sign in', true, async () => {
+      try { await api('/api/license/start', { method: 'POST' }); } catch { /* surfaced via license polling */ }
+      hideModal($riModal);
+    });
+    actions.append(close, signin);
+    riShowState(sub, actions);
+  }
+
+  async function riSubmit() {
+    if (riSubmitting) return;
+    const title = $riTitle.value.trim();
+    const body = $riDesc.value.trim();
+    if (!title || !body) return;
+    riSubmitting = true;
+    $riSend.disabled = true;
+    $riSend.textContent = 'Sending…';
+    // Versions are filled by the health fetch on open; if a fast submit beat it, fetch them
+    // now so the report carries the versions the modal promised ("sent automatically: …").
+    if (!riAppVersion || !riAwareVersion) {
+      try {
+        const h = await api('/api/health');
+        riAppVersion = riAppVersion || h.appVersion || '';
+        riAwareVersion = riAwareVersion || h.awareVersion || '';
+      } catch { /* best-effort — send with whatever we have */ }
+    }
+    const app = currentId && apps.get(currentId);
+    const context = {
+      source: 'web',
+      appId: currentId || null,
+      workflow: app ? (app.displayName || currentId) : null,
+      appVersion: riAppVersion || null,
+      awareVersion: riAwareVersion || null,
+    };
+    try {
+      const r = await api('/api/report-issue', { method: 'POST', body: JSON.stringify({ category: riCategory, title, body, context }) });
+      riSubmitting = false; // response in hand — Done / Escape / backdrop may close
+      riRenderSuccess(r.ref || '');
+    } catch (e) {
+      riSubmitting = false;
+      const err = (e && e.body && e.body.error) || '';
+      if (err === 'signed_out') {
+        riRenderSignIn(); // the action isn't possible until signed in — hide the form, don't grey it out
+      } else if (err === 'rate_limited') {
+        showToast('Too many reports just now — please wait a moment and try again', 'warn');
+        $riSend.disabled = false; $riSend.textContent = 'Send report';
+      } else {
+        showToast("Couldn't send — check your connection and try again", 'err');
+        $riSend.disabled = false; $riSend.textContent = 'Send report';
+      }
+    }
+  }
+
+  $riTitle.addEventListener('input', riSyncSend);
+  $riDesc.addEventListener('input', riSyncSend);
+  $riSend.onclick = () => riSubmit();
+  $riCancel.onclick = () => riClose();
+  $riModal.onclick = (e) => { if (e.target === $riModal) riClose(); };
+  $riModal.querySelectorAll('#ri-category .rtn-mode-btn').forEach((b) => { b.onclick = () => riSetCategory(b.dataset.cat); });
+  document.addEventListener('keydown', (e) => { if (e.key === 'Escape' && $riModal.classList.contains('show')) riClose(); });
+
   // ── init (after app.js bootstrap) ────────────────────────────────────────────
   // app.js already stored the ORIGINAL functions as .onclick/.oninput before we
   // reassigned the globals; rebind via arrows so they resolve our versions at

package/dist/web/index.html

@@ -191,6 +191,11 @@
       <span class="menu-icon" aria-hidden="true"><svg viewBox="0 0 24 24"><line x1="10" x2="14" y1="2" y2="2"/><line x1="12" x2="15" y1="14" y2="11"/><circle cx="12" cy="14" r="8"/></svg></span>
       <span class="menu-label">Routines</span>
     </button>
+    <div class="menu-divider"></div>
+    <button class="menu-item" data-action="report-issue" role="menuitem">
+      <span class="menu-icon" aria-hidden="true"><svg viewBox="0 0 24 24"><path d="M4 15s1-1 4-1 5 2 8 2 4-1 4-1V3s-1 1-4 1-5-2-8-2-4 1-4 1z"/><line x1="4" x2="4" y1="22" y2="15"/></svg></span>
+      <span class="menu-label">Report an issue</span>
+    </button>
     <!-- Start-on-login + Theme are sibling machine preferences (no divider between
          them — UX review 2026-05-31). Start-on-login toggles the per-user logon
          Scheduled Task that keeps the local server alive across logins; hidden unless
@@ -428,6 +433,40 @@
     </div>
   </div>
 
+  <!-- Report an issue — files into the PRIVATE product log via POST /api/report-issue
+       (the floless.io relay; report-relay.ts). The user gets a confirmation ref, not a
+       public link (the repo is private). JS swaps #ri-form for #ri-state (success / sign-in). -->
+  <div class="modal-backdrop" id="report-issue-modal">
+    <div class="modal report-issue">
+      <div class="modal-title">Report an issue</div>
+      <div class="modal-sub">Reports go to a private log — you won't get a public link to track it. We'll follow up with you if we need more details.</div>
+      <div id="ri-form">
+        <div class="modal-field">
+          <label>Category</label>
+          <div class="rtn-mode" id="ri-category" role="group" aria-label="Report category">
+            <button type="button" class="rtn-mode-btn active" data-cat="bug" aria-pressed="true">Bug</button>
+            <button type="button" class="rtn-mode-btn" data-cat="idea" aria-pressed="false">Idea</button>
+            <button type="button" class="rtn-mode-btn" data-cat="question" aria-pressed="false">Question</button>
+          </div>
+        </div>
+        <div class="modal-field">
+          <label for="ri-title">Title</label>
+          <input id="ri-title" type="text" placeholder="Summarise the issue in a few words" autocomplete="off">
+        </div>
+        <div class="modal-field">
+          <label for="ri-desc">Description</label>
+          <textarea id="ri-desc" placeholder="What happened? What did you expect? Steps to reproduce if it's a bug."></textarea>
+        </div>
+        <div class="integrations-hint" id="ri-context"></div>
+        <div class="modal-actions">
+          <button id="ri-cancel">Cancel</button>
+          <button id="ri-send" class="primary" disabled>Send report</button>
+        </div>
+      </div>
+      <div id="ri-state" hidden></div>
+    </div>
+  </div>
+
   <!-- Routine delete confirmation — destructive, so Cancel holds focus (Enter cancels)
        and the Delete button is danger-on-hover, never the accent primary. -->
   <div class="modal-backdrop" id="rtn-delete-modal">

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@floless/app",
-  "version": "0.7.0",
+  "version": "0.8.0",
   "type": "module",
   "description": "Thin localhost host for floless.app — serves web/ and shells the aware CLI. No engine, no LLM.",
   "bin": {