@growthub/cli 0.13.2 → 0.13.5

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/metadata-graph/route.js

@@ -0,0 +1,184 @@
+/**
+ * GET /api/workspace/metadata-graph
+ *
+ * Growthub Workspace Metadata Graph V1 — read-only projection.
+ *
+ * Combines the governed workspace config and the live source-record sidecar
+ * into a typed metadata store and a node/edge graph. Consumers (the UI
+ * inspector, the workspace helper agent, and external operators) use this
+ * envelope to ask dependency questions without re-deriving widget/workflow
+ * contracts inside every component.
+ *
+ * Optional query parameters:
+ *   - staleKind: "object" | "field" | "sourceRecord" | "workflow" | "agentHost" | "widget"
+ *   - staleId:   the corresponding metadata id (for `field`, use
+ *                "<objectId>::<fieldId>")
+ *
+ *   When both are provided the response `stale.groups` and `stale.reasons`
+ *   reflect `selectStaleMetadataGroups({ kind, id })`. When omitted the
+ *   stale section returns the empty baseline.
+ *
+ * Authority invariants:
+ *   - GET only. PATCH / POST / PUT / DELETE are not exposed. Writes still
+ *     flow through the existing governed routes
+ *     (`PATCH /api/workspace`, `POST /api/workspace/refresh-sources`,
+ *     `POST /api/workspace/sandbox-run`).
+ *   - growthub.config.json remains the authoritative artifact.
+ *   - No secrets are returned. Field metadata derived from secret-shaped
+ *     column names is marked `isSecret: true` but no value is echoed.
+ *   - Failures during read OR projection fall back to an empty store with
+ *     warnings — this route never throws.
+ */
+
+import { NextResponse } from "next/server";
+import { readWorkspaceConfig, readWorkspaceSourceRecords } from "@/lib/workspace-config";
+import { buildWorkspaceMetadataStore } from "@/lib/workspace-metadata-store";
+import { buildWorkspaceMetadataGraph } from "@/lib/workspace-metadata-graph";
+import { selectStaleMetadataGroups } from "@/lib/workspace-metadata-selectors";
+
+const ENVELOPE_KIND = "growthub-workspace-metadata-graph-v1";
+const ENVELOPE_VERSION = 1;
+
+function emptyMetadataStore() {
+  return {
+    kind: "growthub-workspace-metadata-store-v1",
+    version: 1,
+    objects: [],
+    fields: [],
+    views: [],
+    filters: [],
+    sorts: [],
+    widgets: [],
+    dashboards: [],
+    workflows: [],
+    workflowNodes: [],
+    workflowActions: [],
+    runInputs: [],
+    agentHosts: [],
+    sandboxes: [],
+    integrations: [],
+    integrationEntities: [],
+    sourceRecords: [],
+    runs: [],
+    outputArtifacts: [],
+    workerKits: [],
+    pipelineHealth: [],
+    warnings: []
+  };
+}
+
+async function GET(request) {
+  const warnings = [];
+
+  let workspaceConfig = null;
+  try {
+    workspaceConfig = await readWorkspaceConfig();
+  } catch (error) {
+    warnings.push(`Failed to read workspace config: ${error?.message || "unknown error"}`);
+  }
+
+  let workspaceSourceRecords = {};
+  try {
+    workspaceSourceRecords = (await readWorkspaceSourceRecords()) || {};
+  } catch (error) {
+    warnings.push(`Failed to read source records sidecar: ${error?.message || "unknown error"}`);
+  }
+
+  // Defensive: helpers are designed to never throw on partial/unknown input,
+  // but the route must remain HTTP-200 even if an unexpected exception bubbles
+  // up (so the UI inspector and agents always get a typed envelope).
+  let metadataStore;
+  try {
+    metadataStore = buildWorkspaceMetadataStore({
+      workspaceConfig: workspaceConfig || {},
+      workspaceSourceRecords
+    });
+    warnings.push(...metadataStore.warnings);
+  } catch (error) {
+    warnings.push(`Failed to build metadata store: ${error?.message || "unknown error"}`);
+    metadataStore = emptyMetadataStore();
+  }
+
+  let graph;
+  try {
+    graph = buildWorkspaceMetadataGraph(metadataStore);
+    warnings.push(...graph.warnings);
+  } catch (error) {
+    warnings.push(`Failed to build metadata graph: ${error?.message || "unknown error"}`);
+    graph = { kind: "growthub-workspace-metadata-graph-v1", version: 1, nodes: [], edges: [], warnings: [] };
+  }
+
+  // Optional stale-group selector via query params.
+  let staleGroups = [];
+  let staleReasons = [];
+  try {
+    const url = request && request.url ? new URL(request.url) : null;
+    const staleKind = url ? (url.searchParams.get("staleKind") || "").trim() : "";
+    const staleId = url ? (url.searchParams.get("staleId") || "").trim() : "";
+    if (staleKind && staleId) {
+      const result = selectStaleMetadataGroups(metadataStore, { kind: staleKind, id: staleId });
+      staleGroups = Array.isArray(result?.groups) ? result.groups : [];
+      staleReasons = Array.isArray(result?.reasons) ? result.reasons : [];
+    }
+  } catch (error) {
+    warnings.push(`Failed to compute stale groups: ${error?.message || "unknown error"}`);
+  }
+
+  return NextResponse.json({
+    kind: ENVELOPE_KIND,
+    version: ENVELOPE_VERSION,
+    authority: {
+      config: "growthub.config.json",
+      sourceRecords: "growthub.source-records.json",
+      readOnlyProjection: true
+    },
+    metadata: {
+      objects: metadataStore.objects,
+      fields: metadataStore.fields,
+      views: metadataStore.views,
+      filters: metadataStore.filters,
+      sorts: metadataStore.sorts,
+      widgets: metadataStore.widgets,
+      dashboards: metadataStore.dashboards,
+      workflows: metadataStore.workflows,
+      workflowNodes: metadataStore.workflowNodes,
+      workflowActions: metadataStore.workflowActions,
+      runInputs: metadataStore.runInputs,
+      agentHosts: metadataStore.agentHosts,
+      sandboxes: metadataStore.sandboxes,
+      integrations: metadataStore.integrations,
+      integrationEntities: metadataStore.integrationEntities,
+      sourceRecords: metadataStore.sourceRecords,
+      runs: metadataStore.runs,
+      outputArtifacts: metadataStore.outputArtifacts,
+      workerKits: metadataStore.workerKits,
+      pipelineHealth: metadataStore.pipelineHealth
+    },
+    graph: {
+      nodes: graph.nodes,
+      edges: graph.edges
+    },
+    stale: {
+      groups: staleGroups,
+      reasons: staleReasons
+    },
+    warnings,
+    selectors: {
+      // Manifest of selectors the route honours. Only `selectStaleMetadataGroups`
+      // is wired through HTTP (via `?staleKind=&staleId=`). The remaining
+      // selectors are exposed as importable helpers for server-side consumers
+      // and the read-only inspector; they are NOT toggled through query
+      // params in V1.
+      httpEnabled: ["selectStaleMetadataGroups"],
+      helperOnly: [
+        "selectWidgetRequiredFields",
+        "selectWorkflowNodeInputSchema",
+        "selectObjectFilterableFields",
+        "selectObjectSortableFields",
+        "selectRunLineage"
+      ]
+    }
+  });
+}
+
+export { GET };

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/refresh-sources/route.js

@@ -119,8 +119,30 @@ async function POST(request) {
       ) || null;
       const records = await resolver.fetchRecords(adapterConfig, connection, binding);
       const fetchedAt = new Date().toISOString();
-      await writeWorkspaceSourceRecords(sourceId, records, { integrationId, fetchedAt });
-      refreshed.push({ sourceId, integrationId, recordCount: records.length, fetchedAt });
+      // Persist the records under the object's `id` (canonical sidecar key).
+      // We also include `objectId`, `objectSourceId`, and `bindingSourceId`
+      // metadata so reader-side hydration in `lib/workspace-data-model.js`
+      // can fall back across the three places that may legitimately store
+      // the same key (object.id, object.sourceId, object.binding.sourceId)
+      // without having to re-parse the object.
+      const objectSourceId = typeof obj.sourceId === "string" && obj.sourceId.trim() ? obj.sourceId.trim() : null;
+      const bindingSourceId = typeof binding.sourceId === "string" && binding.sourceId.trim() ? binding.sourceId.trim() : null;
+      await writeWorkspaceSourceRecords(sourceId, records, {
+        integrationId,
+        fetchedAt,
+        objectId: sourceId,
+        objectSourceId,
+        bindingSourceId
+      });
+      refreshed.push({
+        sourceId,
+        integrationId,
+        recordCount: records.length,
+        fetchedAt,
+        objectId: sourceId,
+        objectSourceId,
+        bindingSourceId
+      });
     } catch (err) {
       skipped.push(sourceId);
       skippedDetail.push({

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/route.js

@@ -9,9 +9,14 @@ import { buildPortalWorkspace, portalCapabilities } from "@/lib/domain/portal";
 import {
   describePersistenceMode,
   readWorkspaceConfig,
+  readWorkspaceSourceRecords,
   writeWorkspaceConfig
 } from "@/lib/workspace-config";
 
+// Workspace Config Contract V1 — PATCH is permanently restricted to these
+// four fields. Sidecar source records (`workspaceSourceRecords`) are exposed
+// on GET for runtime hydration only; they are deliberately NOT in this set.
+// Sidecar writes flow through POST /api/workspace/refresh-sources.
 const ALLOWED_PATCH_FIELDS = new Set(["dashboards", "widgetTypes", "canvas", "dataModel"]);
 
 async function GET() {
@@ -27,6 +32,14 @@ async function GET() {
     integrations: groupIntegrationsByLane(integrations)
   };
   const workspaceConfig = await readWorkspaceConfig();
+  // Source records hydrate live-backed Data Model objects at runtime.
+  // Missing or unreadable sidecar returns `{}` — never throws.
+  let workspaceSourceRecords = {};
+  try {
+    workspaceSourceRecords = (await readWorkspaceSourceRecords()) || {};
+  } catch {
+    workspaceSourceRecords = {};
+  }
   const persistence = describePersistenceMode();
   return NextResponse.json({
     config,
@@ -35,6 +48,7 @@ async function GET() {
     settings,
     workspace: buildPortalWorkspace({ config, adapters, integrations: settings.integrations }),
     workspaceConfig,
+    workspaceSourceRecords,
     workspaceConfigPersistence: persistence
   });
 }

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/sandbox-agent-auth/login/route.js

@@ -0,0 +1,74 @@
+/**
+ * POST /api/workspace/sandbox-agent-auth/login
+ *
+ * Spawns the catalog-declared login subcommand for a sandbox row whose
+ * adapter is `local-agent-host`. The actual subcommand (e.g.
+ * `claude auth login`) is read from `lib/sandbox-agent-host-catalog.js` —
+ * this route is host-agnostic.
+ *
+ * Hosts without a documented login subcommand return 400 with
+ * `code: "SANDBOX_AGENT_AUTH_LOGIN_UNSUPPORTED"` so the UI can render the
+ * host's `notes` string ("sign in via the host CLI directly").
+ *
+ * Captures stdout, stderr, login URL (if printed), exit code. Token-shaped
+ * output is redacted before crossing the response boundary. Raw tokens are
+ * NEVER written to `growthub.config.json`.
+ *
+ * Request body:
+ *   { objectId: string, name: string }
+ *
+ * Response:
+ *   {
+ *     ok: boolean,
+ *     status: "active" | "reachable" | "stale" | "missing" | "unknown",
+ *     provider: string,
+ *     label: string,
+ *     binary: string,
+ *     cwd: string,
+ *     exitCode: number | null,
+ *     timedOut: boolean,
+ *     durationMs: number,
+ *     stdout: string,
+ *     stderr: string,
+ *     loginUrl: string | null,
+ *     message: string,
+ *     checkedAt: string
+ *   }
+ */
+
+import { NextResponse } from "next/server";
+import { runAgentLogin } from "@/lib/sandbox-agent-auth";
+
+async function POST(request) {
+  let body;
+  try {
+    body = await request.json();
+  } catch {
+    return NextResponse.json({ ok: false, error: "invalid JSON body" }, { status: 400 });
+  }
+
+  const objectId = typeof body?.objectId === "string" ? body.objectId.trim() : "";
+  const name = typeof body?.name === "string" ? body.name.trim() : "";
+  if (!objectId || !name) {
+    return NextResponse.json(
+      { ok: false, error: "objectId and name are required" },
+      { status: 400 }
+    );
+  }
+
+  try {
+    const result = await runAgentLogin({ objectId, name });
+    return NextResponse.json(result);
+  } catch (error) {
+    return NextResponse.json(
+      {
+        ok: false,
+        error: error?.message || "Agent login failed",
+        code: error?.code || null
+      },
+      { status: error?.code === "SANDBOX_AGENT_AUTH_NOT_FOUND" ? 404 : 400 }
+    );
+  }
+}
+
+export { POST };

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/sandbox-agent-auth/logout/route.js

@@ -0,0 +1,67 @@
+/**
+ * POST /api/workspace/sandbox-agent-auth/logout
+ *
+ * Spawns the catalog-declared logout subcommand for a sandbox row whose
+ * adapter is `local-agent-host`. Host-agnostic; the actual subcommand is
+ * read from `lib/sandbox-agent-host-catalog.js`.
+ *
+ * Hosts without a documented logout subcommand return 400 with
+ * `code: "SANDBOX_AGENT_AUTH_LOGOUT_UNSUPPORTED"` so the UI can render the
+ * host's `notes` string.
+ *
+ * Request body:
+ *   { objectId: string, name: string }
+ *
+ * Response:
+ *   {
+ *     ok: boolean,
+ *     status: "stale" | "missing" | "unknown",
+ *     provider: string,
+ *     label: string,
+ *     binary: string,
+ *     cwd: string,
+ *     exitCode: number | null,
+ *     durationMs: number,
+ *     stdout: string,
+ *     stderr: string,
+ *     message: string,
+ *     checkedAt: string
+ *   }
+ */
+
+import { NextResponse } from "next/server";
+import { runAgentLogout } from "@/lib/sandbox-agent-auth";
+
+async function POST(request) {
+  let body;
+  try {
+    body = await request.json();
+  } catch {
+    return NextResponse.json({ ok: false, error: "invalid JSON body" }, { status: 400 });
+  }
+
+  const objectId = typeof body?.objectId === "string" ? body.objectId.trim() : "";
+  const name = typeof body?.name === "string" ? body.name.trim() : "";
+  if (!objectId || !name) {
+    return NextResponse.json(
+      { ok: false, error: "objectId and name are required" },
+      { status: 400 }
+    );
+  }
+
+  try {
+    const result = await runAgentLogout({ objectId, name });
+    return NextResponse.json(result);
+  } catch (error) {
+    return NextResponse.json(
+      {
+        ok: false,
+        error: error?.message || "Agent logout failed",
+        code: error?.code || null
+      },
+      { status: error?.code === "SANDBOX_AGENT_AUTH_NOT_FOUND" ? 404 : 400 }
+    );
+  }
+}
+
+export { POST };

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/sandbox-agent-auth/status/route.js

@@ -0,0 +1,77 @@
+/**
+ * POST /api/workspace/sandbox-agent-auth/status
+ *
+ * Probes the local agent CLI for a sandbox row whose adapter is
+ * `local-agent-host`. The probe is host-agnostic — each host's reachability
+ * + auth-status subcommand lives in `lib/sandbox-agent-host-catalog.js`.
+ *
+ * Status semantics (uniform across every host):
+ *   - "active"    a real auth probe confirmed authentication
+ *   - "reachable" CLI is callable but auth NOT yet confirmed
+ *   - "stale"    CLI reachable but auth-shaped failure detected
+ *   - "missing"  binary not on PATH
+ *   - "unknown"  indeterminate
+ *
+ * A `--version` (or equivalent) probe NEVER promotes to "active" — the
+ * next sandbox-run is the source of truth for session readiness.
+ *
+ * Side effect: stamps `agentAuthStatus` + sibling fields onto the row so
+ * the Data Model record drawer surfaces the result without a follow-up
+ * load.
+ *
+ * Request body:
+ *   { objectId: string, name: string }
+ *
+ * Response (success):
+ *   {
+ *     ok: boolean,
+ *     status: "active" | "reachable" | "stale" | "missing" | "unknown",
+ *     provider: string,
+ *     label: string,
+ *     binary: string,
+ *     cwd: string,
+ *     exitCode: number | null,
+ *     probe: "auth-status" | "version",
+ *     stdout: string,
+ *     stderr: string,
+ *     message: string,
+ *     checkedAt: string
+ *   }
+ */
+
+import { NextResponse } from "next/server";
+import { checkAgentStatus } from "@/lib/sandbox-agent-auth";
+
+async function POST(request) {
+  let body;
+  try {
+    body = await request.json();
+  } catch {
+    return NextResponse.json({ ok: false, error: "invalid JSON body" }, { status: 400 });
+  }
+
+  const objectId = typeof body?.objectId === "string" ? body.objectId.trim() : "";
+  const name = typeof body?.name === "string" ? body.name.trim() : "";
+  if (!objectId || !name) {
+    return NextResponse.json(
+      { ok: false, error: "objectId and name are required" },
+      { status: 400 }
+    );
+  }
+
+  try {
+    const result = await checkAgentStatus({ objectId, name });
+    return NextResponse.json(result);
+  } catch (error) {
+    return NextResponse.json(
+      {
+        ok: false,
+        error: error?.message || "Agent auth status check failed",
+        code: error?.code || null
+      },
+      { status: error?.code === "SANDBOX_AGENT_AUTH_NOT_FOUND" ? 404 : 400 }
+    );
+  }
+}
+
+export { POST };

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/sandbox-run/route.js

@@ -77,6 +77,12 @@ import {
 } from "@/lib/adapters/sandboxes";
 import { runOrchestrationGraphIfPresent } from "@/lib/orchestration-graph-runner";
 import { parseOrchestrationGraph } from "@/lib/orchestration-graph";
+import {
+  discoverRunInputSchema,
+  normalizeRunInputsEnvelope,
+  validateRunInputsEnvelope,
+  summarizeRunInputs
+} from "@/lib/orchestration-run-inputs";
 
 function envKeyCandidates(ref) {
   const token = String(ref || "")
@@ -347,7 +353,8 @@ function buildRunResponse({
   allowList,
   result,
   timeoutMs,
-  row
+  row,
+  runInputs
 }) {
   const base = {
     runId,
@@ -380,6 +387,21 @@ function buildRunResponse({
       executionLane: row.executionLane ? String(row.executionLane) : null
     };
   }
+  if (runInputs && typeof runInputs === "object") {
+    base.input = runInputs;
+    base.runInputs = runInputs;
+    base.inputSummary = summarizeRunInputs(runInputs);
+  }
+  if (result && typeof result === "object" && result.swarm && typeof result.swarm === "object") {
+    base.swarm = result.swarm;
+  }
+  if (result && typeof result === "object" && Array.isArray(result.logTree)) {
+    base.logTree = result.logTree;
+  }
+  base.exports = {
+    available: ["download-json", "copy-output", "download-stdout", "download-stderr", "download-log-node"],
+    external: []
+  };
   return base;
 }
 
@@ -448,6 +470,29 @@ async function POST(request) {
     ? { ...row, orchestrationGraph: draftGraph, orchestrationConfig: draftGraph }
     : row;
 
+  const inputSchema = discoverRunInputSchema(rowForRun.orchestrationGraph || rowForRun.orchestrationConfig);
+  let normalizedRunInputs = null;
+  if (body?.runInputs != null) {
+    const validation = validateRunInputsEnvelope(body.runInputs, inputSchema);
+    if (validation.error) {
+      return NextResponse.json({ ok: false, error: validation.error }, { status: 400 });
+    }
+    if (inputSchema.requiresInput && validation.missing.length > 0) {
+      return NextResponse.json({
+        ok: false,
+        error: `Missing required run input fields: ${validation.missing.join(", ")}`,
+        missingFields: validation.missing
+      }, { status: 400 });
+    }
+    normalizedRunInputs = normalizeRunInputsEnvelope(body.runInputs, inputSchema);
+  } else if (inputSchema.requiresInput) {
+    return NextResponse.json({
+      ok: false,
+      error: "runInputs is required for this workflow",
+      missingFields: (inputSchema.fields || []).filter((f) => f.required).map((f) => f.id)
+    }, { status: 400 });
+  }
+
   const runLocality = normalizeRunLocality(rowForRun);
   const runtime = KNOWN_SANDBOX_RUNTIMES.includes(rowForRun.runtime) ? rowForRun.runtime : "node";
   let adapterId = (typeof rowForRun.adapter === "string" && rowForRun.adapter.trim()) ? rowForRun.adapter.trim() : DEFAULT_SANDBOX_ADAPTER;
@@ -515,10 +560,32 @@ async function POST(request) {
 
   const hasNativeGraph = Boolean(parseOrchestrationGraph(rowForRun.orchestrationGraph || rowForRun.orchestrationConfig));
   if (hasNativeGraph && runLocality !== "serverless") {
-    const graphResult = await runOrchestrationGraphIfPresent({ workspaceConfig, row: rowForRun, timeoutMs });
+    const graphResult = await runOrchestrationGraphIfPresent({
+      workspaceConfig,
+      row: rowForRun,
+      timeoutMs,
+      runInputs: normalizedRunInputs,
+      executionContext: {
+        runId,
+        ranAt,
+        runtime,
+        agentHost,
+        adapterId,
+        env,
+        envRefSlugs,
+        envRefsMissing,
+        envRefsResolved,
+        networkAllow,
+        allowList,
+        instructions,
+        command,
+        timeoutMs,
+        sandboxName: rowForRun.Name || name
+      }
+    });
     if (graphResult !== null) {
       result = graphResult;
-      effectiveAdapterId = "orchestration-graph";
+      effectiveAdapterId = String(graphResult?.adapterMeta?.adapter || "").trim() || "orchestration-graph";
     }
   }
 
@@ -613,7 +680,8 @@ async function POST(request) {
     allowList,
     result,
     timeoutMs,
-    row: rowForRun
+    row: rowForRun,
+    runInputs: normalizedRunInputs
   });
 
   const sourceId = sandboxRunSourceId(objectId, row.Name || name);