@growthub/cli 0.13.1 → 0.13.4

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/workspace-data-model.js

@@ -265,10 +265,152 @@ function normalizeFieldSettings(fieldSettings, columns) {
   };
 }
 
-function deriveManualObjectTable(object) {
+/**
+ * Resolve a sidecar source-records entry for a live-backed Data Model object.
+ *
+ * The sidecar (`growthub.source-records.json`) is keyed by `sourceId` — the
+ * canonical workspace-source-records key — and the live-backed object can
+ * carry that key in three places. We try them in safe fallback order so
+ * older configs continue to hydrate without any migration:
+ *
+ *   1. `object.id`              ← refresh-sources writes use object.id as the key
+ *   2. `object.sourceId`        ← explicit column on the live-backed row
+ *   3. `object.binding.sourceId`← canonical binding-level reference
+ *
+ * Returns `null` when no records are available, so callers fall back to the
+ * config-owned `object.rows[]`.
+ */
+function findSourceRecordsForObject(object, sourceRecords) {
+  if (!sourceRecords || typeof sourceRecords !== "object" || Array.isArray(sourceRecords)) return null;
+  const candidates = [object?.id, object?.sourceId, object?.binding?.sourceId]
+    .map((value) => (typeof value === "string" ? value.trim() : ""))
+    .filter(Boolean);
+  for (const key of candidates) {
+    const entry = sourceRecords[key];
+    if (entry && Array.isArray(entry.records)) return { key, entry };
+  }
+  return null;
+}
+
+/**
+ * Infer a lightweight field type for a column from existing rows.
+ *
+ * This is a runtime projection — it does not persist anywhere and does not
+ * require a schema migration. The Chart Hydration Inspector and Twenty-style
+ * field-type-aware controls (date granularity, ratio mode, prefix/suffix)
+ * read it to decide which UI affordances to show.
+ *
+ * Returns one of: text | number | boolean | date | select | multi-value |
+ * relation-like | json.
+ *
+ * `existingTypeHints` is the per-table `fieldSettings.types` map — when
+ * present it wins over inference, so operators who have already declared a
+ * type on the Data Model object don't get overridden by the runtime guesser.
+ */
+function inferFieldType(column, rows, existingTypeHints) {
+  const hint = existingTypeHints && typeof existingTypeHints === "object" ? existingTypeHints[column] : "";
+  if (typeof hint === "string" && hint.trim()) return hint.trim();
+  if (!Array.isArray(rows) || rows.length === 0) return "text";
+
+  const lower = String(column || "").toLowerCase();
+  if (/(^|_)(id|_id)$/.test(lower) || lower.endsWith("ref") || lower === "registryid") return "relation-like";
+  if (lower.includes("date") || lower.includes("_at") || lower === "created" || lower === "updated" || lower.endsWith("at")) return "date";
+
+  let numeric = 0;
+  let boolean = 0;
+  let date = 0;
+  let multi = 0;
+  let json = 0;
+  let nonEmpty = 0;
+  const distinct = new Set();
+  for (const row of rows) {
+    const value = row?.[column];
+    if (value === undefined || value === null || value === "") continue;
+    nonEmpty += 1;
+    if (typeof value === "boolean") boolean += 1;
+    if (typeof value === "number" && Number.isFinite(value)) numeric += 1;
+    if (typeof value === "string") {
+      const trimmed = value.trim();
+      const asNumber = Number(trimmed.replace(/,/g, ""));
+      if (Number.isFinite(asNumber) && /^-?\d+(\.\d+)?$/.test(trimmed.replace(/,/g, ""))) numeric += 1;
+      if (trimmed === "true" || trimmed === "false") boolean += 1;
+      if (!Number.isNaN(Date.parse(trimmed)) && /\d{4}/.test(trimmed)) date += 1;
+      if (trimmed.includes(",") && trimmed.split(",").length > 1) multi += 1;
+      if ((trimmed.startsWith("{") && trimmed.endsWith("}")) || (trimmed.startsWith("[") && trimmed.endsWith("]"))) json += 1;
+      distinct.add(trimmed);
+    } else if (Array.isArray(value)) {
+      multi += 1;
+    } else if (typeof value === "object") {
+      json += 1;
+    }
+  }
+  if (!nonEmpty) return "text";
+  if (json / nonEmpty > 0.5) return "json";
+  if (date / nonEmpty > 0.6) return "date";
+  if (boolean / nonEmpty > 0.6) return "boolean";
+  if (numeric / nonEmpty > 0.6) return "number";
+  if (multi / nonEmpty > 0.5) return "multi-value";
+  // Low-cardinality string columns look like select fields.
+  if (nonEmpty >= 3 && distinct.size > 0 && distinct.size <= Math.max(2, Math.floor(nonEmpty / 2))) return "select";
+  return "text";
+}
+
+function buildFieldMetadata(columns, rows, existingTypeHints) {
+  return (Array.isArray(columns) ? columns : []).map((column) => {
+    const type = inferFieldType(column, rows, existingTypeHints);
+    return {
+      id: column,
+      label: column,
+      type,
+      isNumeric: type === "number",
+      isDate: type === "date",
+      isBoolean: type === "boolean",
+      isSelectLike: type === "select",
+      isMultiValue: type === "multi-value",
+      isRelationLike: type === "relation-like",
+      isJson: type === "json"
+    };
+  });
+}
+
+function deriveManualObjectTable(object, options = {}) {
   const columns = Array.isArray(object.columns) ? object.columns.filter(Boolean) : [];
-  const rows = Array.isArray(object.rows) ? object.rows.filter((row) => row && typeof row === "object" && !Array.isArray(row)) : [];
+  const configRows = Array.isArray(object.rows)
+    ? object.rows.filter((row) => row && typeof row === "object" && !Array.isArray(row))
+    : [];
   const source = object.source || object.label || object.name || "Manual object";
+
+  let hydratedRows = configRows;
+  let hydratedColumns = columns;
+  let liveSource = null;
+  const isLiveBacked = object?.binding?.sourceStorage === "workspace-source-records";
+  if (isLiveBacked) {
+    const sourceRecords = options?.sourceRecords;
+    const match = findSourceRecordsForObject(object, sourceRecords);
+    if (match) {
+      const records = match.entry.records.filter((row) => row && typeof row === "object" && !Array.isArray(row));
+      hydratedRows = records;
+      if (!columns.length && records.length) {
+        const inferred = new Set();
+        records.forEach((row) => Object.keys(row).forEach((key) => inferred.add(key)));
+        hydratedColumns = Array.from(inferred);
+      }
+      liveSource = {
+        sourceRecordKey: match.key,
+        fetchedAt: typeof match.entry.fetchedAt === "string" ? match.entry.fetchedAt : null,
+        recordCount: Number.isFinite(match.entry.recordCount) ? match.entry.recordCount : records.length,
+        integrationId: typeof match.entry.integrationId === "string" ? match.entry.integrationId : null
+      };
+    }
+  }
+
+  const fieldSettings = normalizeFieldSettings(object.fieldSettings, hydratedColumns);
+  const sourceBadge = (() => {
+    if (isLiveBacked) return "live";
+    if (object?.objectType === "data-source") return "api";
+    if (object?.objectType === "api-registry") return "api";
+    return "manual";
+  })();
   return {
     id: `manual-object:${object.id || source}`,
     label: object.label || object.name || source,
@@ -276,15 +418,18 @@ function deriveManualObjectTable(object) {
     objectType: object.objectType || "custom",
     icon: object.icon || null,
     pickerHidden: Boolean(object.pickerHidden),
-    columns,
-    rows,
+    columns: hydratedColumns,
+    rows: hydratedRows,
     binding: object.binding || { mode: "manual", source: "Data Model" },
     relations: Array.isArray(object.relations) ? object.relations : [],
     mutable: true,
     storage: "manual-object",
     objectId: object.id,
     widgetRefs: [],
-    fieldSettings: normalizeFieldSettings(object.fieldSettings, columns)
+    fieldSettings,
+    liveSource,
+    sourceBadge,
+    fieldMetadata: buildFieldMetadata(hydratedColumns, hydratedRows, fieldSettings?.types)
   };
 }
 
@@ -304,7 +449,19 @@ const HIDDEN_HELPER_OBJECT_IDS = new Set([
   "nav-folders",
 ]);
 
-function listWorkspaceDataModelTables(workspaceConfig) {
+/**
+ * List the workspace Data Model tables — the union of manual `dataModel.objects[]`
+ * and the widget-derived tables surfaced for the Data Model browser.
+ *
+ * @param {object} workspaceConfig — the persisted `growthub.config.json` shape.
+ * @param {object} [options]
+ * @param {object} [options.sourceRecords] — the sidecar map read from
+ *   `growthub.source-records.json`. Live-backed objects (binding.sourceStorage
+ *   === "workspace-source-records") use this to hydrate runtime rows without
+ *   mutating the persisted config. Pass `undefined` to disable hydration; the
+ *   config-owned `object.rows[]` is the fallback in either case.
+ */
+function listWorkspaceDataModelTables(workspaceConfig, options = {}) {
   const widgetEntries = listWidgetEntries(workspaceConfig);
   const refsByObjectId = widgetEntries.reduce((map, { widget, location }) => {
     const binding = widget?.config?.binding;
@@ -321,7 +478,7 @@ function listWorkspaceDataModelTables(workspaceConfig) {
   const manualObjects = normalizeManualObjects(workspaceConfig)
     .filter((object) => !HIDDEN_HELPER_OBJECT_IDS.has(object?.id))
     .map((object) => {
-      const table = deriveManualObjectTable(object);
+      const table = deriveManualObjectTable(object, options);
       return { ...table, widgetRefs: refsByObjectId.get(object.id) || [] };
     });
   const widgetTables = widgetEntries

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/workspace-helper.js

@@ -185,6 +185,17 @@ function buildStableSystemPrompt(intent) {
     `Known object types: ${KNOWN_OBJECT_TYPES.join(", ")}`,
     `PATCH allowlist (only these top-level keys can be mutated): ${PATCH_ALLOWLIST.join(", ")}`,
     "",
+    "## When configuring dashboard widgets",
+    "- Use Data Model objects as source authority.",
+    "- Bind widgets by objectId and source metadata.",
+    "- For charts, compute widget.config.values from rows.",
+    "- Never copy source rows into chart widget config.",
+    "- Never store secrets in widget config, Data Model rows, source records, browser state, localStorage, or exported templates.",
+    "- Use source records for live-backed data.",
+    "- Use filters, grouping, aggregation, style, and values projection as nested widget config only.",
+    "- Reset invalid axis, filter, group, and sort settings when source changes.",
+    "- Mark recomputed values as unsaved unless PATCH succeeds.",
+    "",
     "## Valid proposal types and their target patch field",
     WORKSPACE_HELPER_PROPOSAL_TYPES.map(
       (t) => `  ${t} → ${PROPOSAL_TYPE_TO_PATCH_FIELD[t]}`

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/workspace-schema.js

@@ -46,7 +46,25 @@ const KNOWN_CHART_TYPES = ["bar-vertical", "bar-horizontal", "line", "pie", "sum
 const KNOWN_FILTER_OPERATORS = ["eq", "ne", "contains", "gt", "lt", "isEmpty", "isNotEmpty"];
 const KNOWN_FILTER_CONJUNCTIONS = ["and", "or"];
 const KNOWN_SORT_DIRECTIONS = ["asc", "desc"];
-const KNOWN_AGGREGATIONS = ["sum", "avg", "count", "min", "max"];
+// Aggregation vocabulary kept in sync with `lib/workspace-chart-values.js`.
+// V1 charts use the first five; the Twenty-style row-presence operations
+// (countAll/countEmpty/countNotEmpty/countUnique, percentEmpty/percentNotEmpty)
+// are valid both as `yAxis.aggregation` (legacy key) and `yAxis.operation`
+// (preferred key going forward). The validator accepts both for back-compat.
+const KNOWN_AGGREGATIONS = [
+  "sum",
+  "avg",
+  "count",
+  "countAll",
+  "countEmpty",
+  "countNotEmpty",
+  "countUnique",
+  "percentEmpty",
+  "percentNotEmpty",
+  "min",
+  "max"
+];
+const KNOWN_DATE_GRANULARITIES = ["day", "week", "month", "quarter", "year"];
 const KNOWN_SANDBOX_RUNTIMES = ["python", "node", "bash"];
 /** Where execution is delegated: locally (process / agent-host CLI) or to a scheduler webhook (Supabase Edge, QStash, Vercel cron hitting your URL, etc.). */
 const KNOWN_SANDBOX_RUN_LOCALITY = ["local", "serverless"];
@@ -612,12 +630,26 @@ function validateChartAxis(axis, path, errors) {
   if (axis.aggregation !== undefined && !KNOWN_AGGREGATIONS.includes(axis.aggregation)) {
     errors.push(`${path}.aggregation must be one of ${KNOWN_AGGREGATIONS.join(", ")}`);
   }
+  // `operation` is the Twenty-style preferred key; accepted in addition to
+  // `aggregation` so older configs round-trip cleanly.
+  if (axis.operation !== undefined && !KNOWN_AGGREGATIONS.includes(axis.operation)) {
+    errors.push(`${path}.operation must be one of ${KNOWN_AGGREGATIONS.join(", ")}`);
+  }
   if (axis.groupBy !== undefined && typeof axis.groupBy !== "string") {
     errors.push(`${path}.groupBy must be a string`);
   }
   if (axis.omitZero !== undefined && typeof axis.omitZero !== "boolean") {
     errors.push(`${path}.omitZero must be a boolean`);
   }
+  if (axis.cumulative !== undefined && typeof axis.cumulative !== "boolean") {
+    errors.push(`${path}.cumulative must be a boolean`);
+  }
+  if (axis.splitMultiValueFields !== undefined && typeof axis.splitMultiValueFields !== "boolean") {
+    errors.push(`${path}.splitMultiValueFields must be a boolean`);
+  }
+  if (axis.dateGranularity !== undefined && !KNOWN_DATE_GRANULARITIES.includes(axis.dateGranularity)) {
+    errors.push(`${path}.dateGranularity must be one of ${KNOWN_DATE_GRANULARITIES.join(", ")}`);
+  }
   if (axis.min !== undefined && typeof axis.min !== "string" && typeof axis.min !== "number") {
     errors.push(`${path}.min must be a string or number`);
   }
@@ -635,12 +667,33 @@ function validateChartStyle(style, path, errors) {
   if (style.colors !== undefined && typeof style.colors !== "string") {
     errors.push(`${path}.colors must be a string`);
   }
+  if (style.manualColor !== undefined && typeof style.manualColor !== "string") {
+    errors.push(`${path}.manualColor must be a string`);
+  }
   if (style.axisName !== undefined && typeof style.axisName !== "string") {
     errors.push(`${path}.axisName must be a string`);
   }
   if (style.dataLabels !== undefined && typeof style.dataLabels !== "boolean") {
     errors.push(`${path}.dataLabels must be a boolean`);
   }
+  if (style.legend !== undefined && typeof style.legend !== "boolean") {
+    errors.push(`${path}.legend must be a boolean`);
+  }
+  if (style.stacked !== undefined && typeof style.stacked !== "boolean") {
+    errors.push(`${path}.stacked must be a boolean`);
+  }
+  if (style.compact !== undefined && typeof style.compact !== "boolean") {
+    errors.push(`${path}.compact must be a boolean`);
+  }
+  if (style.prefix !== undefined && typeof style.prefix !== "string") {
+    errors.push(`${path}.prefix must be a string`);
+  }
+  if (style.suffix !== undefined && typeof style.suffix !== "string") {
+    errors.push(`${path}.suffix must be a string`);
+  }
+  if (style.centerValue !== undefined && typeof style.centerValue !== "string") {
+    errors.push(`${path}.centerValue must be a string`);
+  }
 }
 
 function validateWidgetConfig(kind, config, path, errors) {
@@ -1003,6 +1056,63 @@ function validateSandboxEnvironmentRow(row, path, errors) {
       errors.push(`${path}.${traceField} must be a string when present`);
     }
   }
+  // Sandbox Local Agent Auth Onboarding V1 — governance for the safe auth
+  // metadata fields stamped by the auth helper / API routes.
+  const KNOWN_AGENT_AUTH_STATUSES_INLINE = [
+    "active",
+    "reachable",
+    "stale",
+    "missing",
+    "checking",
+    "unknown"
+  ];
+  if (row.agentAuthStatus !== undefined && row.agentAuthStatus !== "" && row.agentAuthStatus !== null) {
+    const authStatus = String(row.agentAuthStatus).trim().toLowerCase();
+    if (!KNOWN_AGENT_AUTH_STATUSES_INLINE.includes(authStatus)) {
+      errors.push(`${path}.agentAuthStatus must be one of ${KNOWN_AGENT_AUTH_STATUSES_INLINE.join(", ")}`);
+    }
+  }
+  for (const authField of [
+    "agentAuthProvider",
+    "agentAuthLastChecked",
+    "agentAuthLastMessage",
+    "agentAuthLastLoginUrl"
+  ]) {
+    const value = row[authField];
+    if (value !== undefined && value !== null && value !== "" && typeof value !== "string") {
+      errors.push(`${path}.${authField} must be a string when present`);
+    }
+  }
+  if (
+    row.agentAuthLastExitCode !== undefined
+    && row.agentAuthLastExitCode !== null
+    && row.agentAuthLastExitCode !== ""
+  ) {
+    const code = Number(row.agentAuthLastExitCode);
+    if (!Number.isFinite(code)) {
+      errors.push(`${path}.agentAuthLastExitCode must be a finite number when present`);
+    }
+  }
+  // Defensive: refuse to ever persist token-shaped field names on a sandbox
+  // row. The helper only writes the SAFE_ROW_PATCH_FIELDS whitelist, but
+  // this guard catches any out-of-band PATCH that tries to stash a secret.
+  const FORBIDDEN_AUTH_ROW_FIELDS = [
+    "token",
+    "apiKey",
+    "authToken",
+    "accessToken",
+    "refreshToken",
+    "bearer",
+    "password",
+    "secret",
+    "sessionKey",
+    "claudeToken"
+  ];
+  for (const forbidden of FORBIDDEN_AUTH_ROW_FIELDS) {
+    if (Object.prototype.hasOwnProperty.call(row, forbidden)) {
+      errors.push(`${path}.${forbidden} is not allowed on a sandbox row — auth secrets must stay in the local CLI's own store`);
+    }
+  }
 }
 
 const NAV_FOLDERS_OBJECT_ID = "nav-folders";

package/assets/worker-kits/growthub-custom-workspace-starter-v1/kit.json

@@ -88,9 +88,17 @@
     "apps/workspace/app/api/workspace/resolvers/route.js",
     "apps/workspace/app/api/workspace/sandbox-adapters/route.js",
     "apps/workspace/app/api/workspace/sandbox-run/route.js",
+    "apps/workspace/app/api/workspace/sandbox-agent-auth/status/route.js",
+    "apps/workspace/app/api/workspace/sandbox-agent-auth/login/route.js",
+    "apps/workspace/app/api/workspace/sandbox-agent-auth/logout/route.js",
     "apps/workspace/app/api/settings/integrations/route.js",
     "apps/workspace/lib/workspace-schema.js",
     "apps/workspace/lib/workspace-config.js",
+    "apps/workspace/lib/workspace-chart-values.js",
+    "apps/workspace/lib/sandbox-agent-auth.js",
+    "apps/workspace/lib/sandbox-agent-auth-eligibility.js",
+    "apps/workspace/lib/sandbox-agent-auth-redaction.js",
+    "apps/workspace/lib/sandbox-agent-host-catalog.js",
     "apps/workspace/lib/domain/portal.js",
     "apps/workspace/lib/domain/integrations.js",
     "apps/workspace/lib/adapters/env.js",
@@ -115,6 +123,7 @@
     "apps/workspace/app/data-model/page.jsx",
     "apps/workspace/app/data-model/components/DataModelShell.jsx",
     "apps/workspace/app/data-model/components/HelperSidecar.jsx",
+    "apps/workspace/app/data-model/components/SandboxAgentAuthPanel.jsx",
     "apps/workspace/app/views/[viewId]/page.jsx",
     "apps/workspace/lib/adapters/payments/index.js",
     "apps/workspace/lib/adapters/persistence/index.js",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@growthub/cli",
-  "version": "0.13.1",
+  "version": "0.13.4",
   "description": "CLI control plane for Growthub Local and Agent Workspace as Code: export, fork, inspect, operate, sync, and optionally activate governed AI workspaces.",
   "type": "module",
   "bin": {