@growthub/cli 0.13.9 → 0.14.0

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/env-status.js

@@ -0,0 +1,100 @@
+/**
+ * Env Status V1 — the honest, secret-safe "which referenced env keys actually
+ * resolve right now" signal.
+ *
+ * The creation cockpit (api-registry drawer) cannot read process.env in the
+ * browser, so auth readiness must come from a server signal. This module is the
+ * pure core of `GET /api/workspace/env-status`: given the governed config and
+ * the runtime environment it returns the set of *referenced* auth/env ref slugs
+ * whose candidate keys resolve to a value — slugs only, never a value.
+ *
+ * Pure + env-injectable so it is deterministically testable.
+ */
+
+import { describePostgresAdapter } from "./adapters/persistence/postgres.js";
+import { describeQstashKvAdapter } from "./adapters/persistence/qstash-kv.js";
+import { describeProviderManagedAdapter } from "./adapters/persistence/provider-managed.js";
+
+function clean(value) {
+  return String(value == null ? "" : value).trim();
+}
+
+/** Canonical UPPER_SNAKE candidate expansion for a logical ref. */
+function envKeyCandidates(ref) {
+  const token = clean(ref).replace(/[^a-z0-9]+/gi, "_").replace(/^_+|_+$/g, "").toUpperCase();
+  if (!token) return [];
+  return Array.from(new Set([token, `${token}_API_KEY`, `${token}_TOKEN`]));
+}
+
+/**
+ * Collect every auth/env ref slug referenced by the governed config:
+ *   - api-registry rows: authRef
+ *   - data-source rows:  authRef
+ *   - sandbox-environment rows: envRefs (comma-separated)
+ * Returns the original ref strings (deduped), preserving the operator's casing
+ * so the cockpit can match them against a registry row's authRef.
+ */
+function collectReferencedRefs(workspaceConfig) {
+  const objects = Array.isArray(workspaceConfig?.dataModel?.objects) ? workspaceConfig.dataModel.objects : [];
+  const refs = new Set();
+  for (const object of objects) {
+    const rows = Array.isArray(object?.rows) ? object.rows : [];
+    if (object?.objectType === "api-registry" || object?.objectType === "data-source") {
+      for (const row of rows) {
+        const ref = clean(row?.authRef);
+        if (ref) refs.add(ref);
+      }
+    }
+    if (object?.objectType === "sandbox-environment") {
+      for (const row of rows) {
+        for (const part of clean(row?.envRefs).split(",")) {
+          const ref = clean(part);
+          if (ref) refs.add(ref);
+        }
+      }
+    }
+  }
+  return Array.from(refs);
+}
+
+/**
+ * Return the referenced refs whose candidate keys resolve in `env`.
+ * `env` is injectable (defaults to process.env). Never returns a value.
+ */
+function computeConfiguredEnvRefs(workspaceConfig, env = process.env) {
+  const source = env && typeof env === "object" ? env : {};
+  const resolves = (ref) => envKeyCandidates(ref).some((key) => Boolean(source[key]));
+  return collectReferencedRefs(workspaceConfig).filter(resolves);
+}
+
+/**
+ * Persistence/serverless adapter env-readiness — single-sourced from the real
+ * thin-adapter descriptors (postgres / qstash-kv / provider-managed). These are
+ * the durable-runtime layers a serverless workflow needs; the cockpit surfaces
+ * exactly which are env-ready so "make this workflow persistent + scheduled"
+ * has an honest, actionable signal. Slugs/booleans only — never a value.
+ */
+function listPersistenceAdapterReadiness(env = process.env) {
+  const source = env && typeof env === "object" ? env : {};
+  const descriptors = [describePostgresAdapter(), describeQstashKvAdapter(), describeProviderManagedAdapter()];
+  return descriptors.map((d) => {
+    const requiredEnv = Array.isArray(d.requiredEnv) ? d.requiredEnv : [];
+    const missingEnv = requiredEnv.filter((k) => !source[k]);
+    return {
+      id: d.id,
+      label: d.label,
+      mode: d.mode,
+      requiredEnv,
+      // provider-managed needs no env (the deploy provider owns persistence).
+      configured: requiredEnv.length === 0 ? true : missingEnv.length === 0,
+      missingEnv,
+    };
+  });
+}
+
+export {
+  envKeyCandidates,
+  collectReferencedRefs,
+  computeConfiguredEnvRefs,
+  listPersistenceAdapterReadiness,
+};

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/orchestration-graph.js

@@ -364,6 +364,67 @@ function buildSandboxRowFromApiRegistry(workspaceConfig, registryRow, options =
   };
 }
 
+/**
+ * Find existing data-source rows that already resolve through a given API
+ * Registry integration (by `registryId`). Mirrors findSandboxRowsForRegistry so
+ * the drawer can refuse to create a duplicate Data Source for the same API.
+ */
+function findDataSourceRowsForRegistry(workspaceConfig, integrationId) {
+  const id = String(integrationId || "").trim();
+  if (!id) return [];
+  const objects = Array.isArray(workspaceConfig?.dataModel?.objects) ? workspaceConfig.dataModel.objects : [];
+  const rows = [];
+  for (const object of objects) {
+    if (object?.objectType !== "data-source") continue;
+    for (const row of Array.isArray(object.rows) ? object.rows : []) {
+      if (String(row?.registryId || "").trim() === id) rows.push(row);
+    }
+  }
+  return rows;
+}
+
+/**
+ * Build a governed Data Source row from a tested API Registry row. The Data
+ * Source references the registry entry by `registryId` (the existing
+ * resolver-binding relation) and keeps auth as an `authRef` slug only — the
+ * secret never lands on the row. Shape matches the OBJECT_TYPE_PRESETS
+ * "data-source" columns so it slots straight into the data-source table.
+ */
+function buildDataSourceRowFromApiRegistry(workspaceConfig, registryRow, options = {}) {
+  const integrationId = String(registryRow?.integrationId || "").trim();
+  const baseName = String(options.name || registryRow?.Name || integrationId || "Data Source").trim();
+  const name = baseName.endsWith(" Source") ? baseName : `${baseName} Source`;
+  const entityType = String(
+    options.entityType || registryRow?.entityTypes || "records"
+  ).split(",")[0].trim() || "records";
+  const sourceId = String(
+    options.sourceId || slugifyName(`${integrationId || baseName}-${entityType}`) || slugifyName(baseName)
+  ).trim();
+  const sourceStorage = String(options.sourceStorage || "workspace-source-records").trim();
+  return {
+    Name: name,
+    slug: options.slug || slugifyName(name) || slugifyName(integrationId),
+    objectType: "data-source",
+    registryId: integrationId,
+    endpoint: String(registryRow?.endpoint || "").trim(),
+    authRef: String(options.authRef || registryRow?.authRef || integrationId).trim(),
+    baseUrl: String(registryRow?.baseUrl || "").trim(),
+    method: String(registryRow?.method || "GET").trim().toUpperCase(),
+    status: "draft",
+    lastTested: "",
+    lastResponse: "",
+    entityType,
+    sourceId,
+    sourceStorage,
+    resolverTemplateId: String(options.resolverTemplateId || registryRow?.resolverTemplateId || "").trim(),
+    description: String(
+      options.description
+        || registryRow?.description
+        || `Data Source for ${integrationId || baseName} — resolves ${entityType} through the API Registry resolver. authRef ${String(options.authRef || registryRow?.authRef || integrationId).trim()} only; secrets resolve server-side.`
+    ).trim()
+  };
+}
+
 function extractNodeByType(graph, type) {
   const parsed = parseOrchestrationGraph(graph) || graph;
   if (!parsed?.nodes) return null;
@@ -918,6 +979,8 @@ export {
   getNextCanonicalNodeId,
   addCanonicalNodeToGraph,
   buildSandboxRowFromApiRegistry,
+  buildDataSourceRowFromApiRegistry,
+  findDataSourceRowsForRegistry,
   extractApiRegistryCallNode,
   extractInputNode,
   extractTransformConfig,

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/sandbox-serverless-flow.js

@@ -0,0 +1,215 @@
+/**
+ * Sandbox Serverless Flow V1 — the governed persistence + scheduling journey for
+ * one sandbox-environment workflow row, expressed in the EXACT same step shape
+ * as the API Registry creation cockpit (lib/api-registry-creation-flow.js) so it
+ * renders through the same cockpit interface and mental model.
+ *
+ * It connects the dots that already exist:
+ *   - runLocality local|serverless toggle (sandbox row)
+ *   - execution adapter (sandbox-adapter-registry)
+ *   - schedulerRegistryId reference field → an API Registry row that delegates
+ *     the serverless run (sandbox-run's registry-delegation mode)
+ *   - the scheduler row's authRef → resolved via env-status configuredEnvRefs
+ *   - durable persistence via the real thin adapters (postgres / qstash-kv /
+ *     provider-managed) surfaced by env-status persistenceAdapters
+ *
+ * Pure + deterministic; never reads process.env, never throws. Secret-safe
+ * (slugs/ids/booleans only).
+ */
+
+function isPlainObject(value) {
+  return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+
+function clean(value) {
+  return String(value == null ? "" : value).trim();
+}
+
+/** Exact env keys a ref resolves through (runtime/.env.local), surfaced so the
+ *  config loop is concrete — same model as the NANGO_SECRET_KEY activation step. */
+function envCandidates(ref) {
+  const token = clean(ref).replace(/[^a-z0-9]+/gi, "_").replace(/^_+|_+$/g, "").toUpperCase();
+  if (!token) return [];
+  return Array.from(new Set([token, `${token}_API_KEY`, `${token}_TOKEN`]));
+}
+
+const SCHEDULER_OK_STATUSES = new Set(["connected", "approved", "ok", "success", "live", "tested"]);
+const STATE_KIND = "growthub-sandbox-serverless-state-v1";
+
+function findApiRegistryRow(workspaceConfig, integrationId) {
+  const id = clean(integrationId);
+  if (!id) return null;
+  const objects = Array.isArray(workspaceConfig?.dataModel?.objects) ? workspaceConfig.dataModel.objects : [];
+  for (const object of objects) {
+    if (object?.objectType !== "api-registry") continue;
+    const match = (object.rows || []).find((r) => clean(r?.integrationId) === id);
+    if (match) return match;
+  }
+  return null;
+}
+
+/**
+ * Derive the serverless/scheduling/persistence journey for a sandbox row.
+ *
+ * @param {object} input
+ * @param {object} input.sandboxRow          the row being edited (drawer draft)
+ * @param {object} [input.workspaceConfig]   for scheduler row lookup
+ * @param {string[]} [input.configuredEnvRefs] auth/env slugs that resolve (env-status)
+ * @param {object[]} [input.persistenceAdapters] [{id,label,mode,configured,missingEnv}]
+ */
+function deriveSandboxServerlessState(input = {}) {
+  const row = isPlainObject(input.sandboxRow) ? input.sandboxRow : {};
+  const workspaceConfig = isPlainObject(input.workspaceConfig) ? input.workspaceConfig : {};
+  const configuredRefs = new Set((Array.isArray(input.configuredEnvRefs) ? input.configuredEnvRefs : []).map((s) => clean(s).toUpperCase()));
+  const adapters = Array.isArray(input.persistenceAdapters) ? input.persistenceAdapters : [];
+  // When the cockpit is rendered above the drawer's own editable fields
+  // (locality toggle, adapter picker, scheduler reference dropdown), those steps
+  // show status only — the inline field is the editor (no duplicate button).
+  const inlineEditing = input.inlineEditing === true;
+  const inline = (action) => (inlineEditing ? null : action);
+
+  const locality = clean(row.runLocality).toLowerCase() === "serverless" ? "serverless" : "local";
+  const isServerless = locality === "serverless";
+  const adapterId = clean(row.adapter);
+  const adapterChosen = Boolean(adapterId);
+
+  const schedulerId = clean(row.schedulerRegistryId);
+  const schedulerRow = isServerless ? findApiRegistryRow(workspaceConfig, schedulerId) : null;
+  const schedulerLinked = isServerless ? Boolean(schedulerId) : true;
+  const schedulerHealthy = Boolean(schedulerRow) && SCHEDULER_OK_STATUSES.has(clean(schedulerRow.status).toLowerCase());
+  const schedulerAuthRef = clean(schedulerRow?.authRef).toUpperCase();
+  const schedulerAuthConfigured = !schedulerAuthRef || configuredRefs.has(schedulerAuthRef);
+
+  // Durable persistence: any real adapter that is env-ready. provider-managed is
+  // always "ready" (the deploy provider owns persistence). qstash-kv/postgres
+  // require their env keys — surfaced honestly with the missing keys.
+  const durableAdapters = adapters.filter((a) => a && a.configured);
+  const durableReady = durableAdapters.length > 0;
+  const envBackedAdapter = durableAdapters.find((a) => Array.isArray(a.requiredEnv) && a.requiredEnv.length > 0) || durableAdapters[0] || null;
+
+  const steps = [];
+
+  steps.push({
+    id: "locality",
+    label: "Choose run locality",
+    status: isServerless ? "complete" : "active",
+    description: isServerless
+      ? "Serverless — runs are delegated to a scheduler and persist across redeploy."
+      : "Local — runs execute in-process on this machine.",
+    action: inline({ id: "toggle-locality", label: isServerless ? "Switch to local" : "Switch to serverless" }),
+  });
+
+  steps.push({
+    id: "adapter",
+    label: "Pick an execution adapter",
+    status: adapterChosen ? "complete" : "active",
+    description: adapterChosen
+      ? `Adapter "${adapterId}".`
+      : "Select the execution adapter for this workflow.",
+    action: adapterChosen ? null : inline({ id: "edit-adapter", label: "Choose adapter" }),
+  });
+
+  if (isServerless) {
+    steps.push({
+      id: "scheduler",
+      label: "Link a scheduler",
+      status: schedulerLinked ? (schedulerHealthy ? "complete" : "pending") : "active",
+      description: !schedulerLinked
+        ? "Set schedulerRegistryId to an API Registry row that delegates the serverless run."
+        : schedulerHealthy
+          ? `Scheduler "${schedulerId}" is connected.`
+          : `Scheduler "${schedulerId}" is linked but not connected yet — test that API Registry row.`,
+      hint: schedulerLinked && !schedulerRow ? "The referenced API Registry row was not found." : undefined,
+      action: inline({ id: "link-scheduler", label: schedulerLinked ? "Review scheduler" : "Link scheduler" }),
+    });
+
+    steps.push({
+      id: "scheduler-auth",
+      label: "Scheduler auth resolves",
+      status: !schedulerAuthRef
+        ? "complete"
+        : schedulerAuthConfigured
+          ? "complete"
+          : (schedulerLinked ? "pending" : "blocked"),
+      description: !schedulerAuthRef
+        ? "The scheduler needs no secret."
+        : schedulerAuthConfigured
+          ? `Scheduler secret ${schedulerAuthRef} resolves in this runtime.`
+          : `Set one of ${envCandidates(schedulerAuthRef).join(" / ")} in .env.local (or your hosted runtime), then reopen.`,
+      action: schedulerAuthRef && !schedulerAuthConfigured ? { id: "open-settings", label: "Manage in Settings", href: "/settings/apis-webhooks" } : null,
+    });
+
+    steps.push({
+      id: "persistence",
+      label: "Enable durable persistence",
+      status: durableReady ? "complete" : "active",
+      description: durableReady
+        ? `Durable store ready (${(envBackedAdapter || durableAdapters[0]).label}).`
+        : "Set a durable store's env keys in .env.local (or your hosted runtime) so serverless runs survive redeploy.",
+      // Fully surface every thin adapter + its exact env keys + readiness, so no
+      // adapter is assumed server-side without being shown to the operator.
+      hint: durableReady
+        ? undefined
+        : adapters.length
+          ? adapters.map((a) => `${a.label}: ${(a.requiredEnv || []).length ? a.requiredEnv.join(", ") : "no env"}${a.configured ? " ✓" : ""}`).join(" · ")
+          : "No persistence adapter signal yet — open env-status.",
+      action: durableReady ? null : { id: "open-settings", label: "Manage in Settings", href: "/settings" },
+    });
+  }
+
+  steps.push({
+    id: "run",
+    label: isServerless ? "Run on the scheduler" : "Run locally",
+    status: "optional",
+    description: isServerless
+      ? "Once the scheduler, auth, and store are ready, run delegates to the serverless scheduler."
+      : "Run this workflow in-process.",
+    action: inline({ id: "run-sandbox", label: "Run" }),
+  });
+
+  for (const s of steps) { if (!s.hint) delete s.hint; }
+
+  const required = steps.filter((s) => s.status !== "optional");
+  const completedCount = required.filter((s) => s.status === "complete").length;
+  const totalCount = required.length;
+  const complete = completedCount >= totalCount;
+  const nextStep = steps.find((s) => s.status === "active")
+    || steps.find((s) => s.status === "pending")
+    || steps.find((s) => s.status === "blocked")
+    || null;
+
+  // Milestone score tied to evidence.
+  let score = isServerless ? 10 : 40;
+  if (adapterChosen) score = Math.max(score, isServerless ? 25 : 70);
+  if (isServerless && schedulerLinked) score = Math.max(score, 45);
+  if (isServerless && schedulerHealthy) score = Math.max(score, 60);
+  if (isServerless && schedulerAuthConfigured && schedulerLinked) score = Math.max(score, 75);
+  if (isServerless && durableReady) score = Math.max(score, 90);
+  if (complete) score = 100;
+
+  return {
+    kind: STATE_KIND,
+    version: 1,
+    locality,
+    isServerless,
+    adapterChosen,
+    schedulerLinked,
+    schedulerHealthy,
+    schedulerAuthConfigured,
+    durableReady,
+    completedCount,
+    totalCount,
+    complete,
+    score,
+    nextStepId: nextStep ? nextStep.id : null,
+    nextAction: nextStep && nextStep.action ? { stepId: nextStep.id, ...nextStep.action } : null,
+    headline: !isServerless
+      ? "This workflow runs locally."
+      : complete
+        ? "This workflow is scheduled and durable."
+        : "Make this workflow persistent and scheduled.",
+    steps,
+  };
+}
+
+export { STATE_KIND, deriveSandboxServerlessState };

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/server-resolver-write.js

@@ -0,0 +1,67 @@
+/**
+ * Server Resolver Write V1 — the single, confined, gated fs write for resolver
+ * files. Used by the helper apply route's resolver.create lane (and available
+ * to register-resolver). Server-only.
+ *
+ * AWaC topology: writes only in filesystem mode; read-only runtimes throw a
+ * coded error with guidance (the same 409 contract the rest of the workspace
+ * uses). Path is confined to lib/adapters/integrations/resolvers — never
+ * escapes. Never logs file contents.
+ */
+
+import { promises as fs } from "node:fs";
+import path from "node:path";
+import { describePersistenceMode } from "@/lib/workspace-config";
+import { resolveResolverFilePath } from "@/lib/workspace-resolver-proposal";
+
+const MAX_RESOLVER_SIZE = 256 * 1024;
+
+/**
+ * Write a resolver file from a validated proposal. Returns
+ * { saved:true, path, filename } or throws a coded error:
+ *   - WORKSPACE_PERSISTENCE_READ_ONLY (read-only runtime; carries guidance)
+ *   - INVALID_RESOLVER_WRITE (bad path / code)
+ *   - WORKSPACE_PERSISTENCE_PATH_REFUSED (escaped the resolver dir)
+ */
+async function writeResolverProposalFile(proposal) {
+  const persistence = describePersistenceMode();
+  if (!persistence.canSave) {
+    const error = new Error(persistence.reason || "resolver write requires a writable filesystem runtime");
+    error.code = "WORKSPACE_PERSISTENCE_READ_ONLY";
+    error.guidance = persistence.guidance || "Set WORKSPACE_CONFIG_ALLOW_FS_WRITE=true or use local development mode.";
+    throw error;
+  }
+  const target = (proposal?.target && proposal.target.ok)
+    ? proposal.target
+    : resolveResolverFilePath(proposal?.payload?.integrationId);
+  if (!target || !target.ok) {
+    const error = new Error(target?.error || "invalid resolver target path");
+    error.code = "INVALID_RESOLVER_WRITE";
+    throw error;
+  }
+  const code = String(proposal?.code || "");
+  if (!code.includes("registerSourceResolver")) {
+    const error = new Error("resolver code must call registerSourceResolver()");
+    error.code = "INVALID_RESOLVER_WRITE";
+    throw error;
+  }
+  if (Buffer.byteLength(code, "utf8") > MAX_RESOLVER_SIZE) {
+    const error = new Error(`resolver file must be smaller than ${MAX_RESOLVER_SIZE / 1024} KB`);
+    error.code = "INVALID_RESOLVER_WRITE";
+    throw error;
+  }
+
+  const resolversDir = path.resolve(/*turbopackIgnore: true*/ process.cwd(), target.dir);
+  const outPath = path.join(resolversDir, target.filename);
+  if (path.dirname(outPath) !== resolversDir) {
+    const error = new Error("invalid filename — path traversal not allowed");
+    error.code = "WORKSPACE_PERSISTENCE_PATH_REFUSED";
+    throw error;
+  }
+
+  await fs.mkdir(resolversDir, { recursive: true });
+  await fs.writeFile(outPath, code, "utf8");
+  return { saved: true, path: target.path, filename: target.filename };
+}
+
+export { writeResolverProposalFile };

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/serverless-upgrade.js

@@ -0,0 +1,89 @@
+/**
+ * Serverless Upgrade Onboarding V1 — derives the one-time "upgrade your
+ * localhost workflow to a persistent, scheduled serverless workflow" nudge from
+ * the workspace configuration state, following the same one-time onboarding
+ * pattern as the lens walkthrough (workspace-ui-cache dismiss flag).
+ *
+ * It reads only the existing model: sandbox-environment rows and their
+ * `runLocality` field (already part of the governed schema). When the operator
+ * has workflows but none are serverless — and hasn't dismissed the nudge — the
+ * upgrade path shows once.
+ *
+ * Pure + deterministic; never throws. The dismiss flag is read by the caller
+ * from the governed workspace-ui-cache row and passed in.
+ */
+
+const SERVERLESS_UPGRADE_DISMISS_FLAG = "serverlessUpgradeDismissed";
+const UPGRADE_STATE_KIND = "growthub-serverless-upgrade-state-v1";
+
+function isPlainObject(value) {
+  return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+
+function clean(value) {
+  return String(value == null ? "" : value).trim();
+}
+
+/** Is a sandbox row configured to run serverless? */
+function rowIsServerless(row) {
+  return isPlainObject(row) && clean(row.runLocality).toLowerCase() === "serverless";
+}
+
+/** Collect every sandbox-environment (workflow) row across the data model. */
+function collectWorkflowRows(workspaceConfig) {
+  const objects = Array.isArray(workspaceConfig?.dataModel?.objects) ? workspaceConfig.dataModel.objects : [];
+  const rows = [];
+  for (const object of objects) {
+    if (object?.objectType !== "sandbox-environment") continue;
+    for (const row of Array.isArray(object.rows) ? object.rows : []) {
+      if (isPlainObject(row)) rows.push(row);
+    }
+  }
+  return rows;
+}
+
+/**
+ * Derive the serverless-upgrade onboarding state.
+ *
+ * @param {object} workspaceConfig
+ * @param {object} [options]
+ * @param {boolean} [options.dismissed] dismiss flag from workspace-ui-cache
+ */
+function deriveServerlessUpgradeState(workspaceConfig, options = {}) {
+  const opts = isPlainObject(options) ? options : {};
+  const rows = collectWorkflowRows(workspaceConfig);
+  const serverlessCount = rows.filter(rowIsServerless).length;
+  const localCount = rows.length - serverlessCount;
+  const hasWorkflows = rows.length > 0;
+  const dismissed = opts.dismissed === true || String(opts.dismissed || "") === "true";
+  // Show the one-time path only when the operator has built workflows but none
+  // are serverless yet — the moment the upgrade mental model is most useful.
+  const showOnboarding = hasWorkflows && serverlessCount === 0 && !dismissed;
+  return {
+    kind: UPGRADE_STATE_KIND,
+    version: 1,
+    hasWorkflows,
+    workflowCount: rows.length,
+    serverlessCount,
+    localCount,
+    allLocal: hasWorkflows && serverlessCount === 0,
+    dismissed,
+    showOnboarding,
+    headline: showOnboarding
+      ? "Upgrade a workflow to serverless"
+      : serverlessCount > 0
+        ? "Serverless workflows are active"
+        : "Workflows run locally",
+    subheadline: showOnboarding
+      ? "Make it persistent and scheduled — it runs on invocation through your configured adapter, not just on this machine."
+      : "",
+  };
+}
+
+export {
+  SERVERLESS_UPGRADE_DISMISS_FLAG,
+  UPGRADE_STATE_KIND,
+  rowIsServerless,
+  collectWorkflowRows,
+  deriveServerlessUpgradeState,
+};

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/workspace-activation.js

@@ -405,9 +405,15 @@ function deriveBlankWorkspaceActivationState({ workspaceConfig, workspaceSourceR
   }, 0);
   const widgetAdded = widgetCount > 0;
 
-  const workflowMatch = findWorkflowRow(workspaceConfig, () => true);
+  const workflowMatch = findWorkflowRow(workspaceConfig, (_row, object) => safeString(object?.id).trim() !== "workspace-helper-sandbox");
   const workflowCreated = Boolean(workflowMatch?.row);
   const workflowRun = deriveLatestRunStatus(workflowMatch?.row);
+  const workflowObjectId = safeString(workflowMatch?.object?.id).trim();
+  const workflowRowName = safeString(workflowMatch?.row?.Name || workflowMatch?.row?.name || workflowMatch?.row?.slug || workflowMatch?.row?.id).trim();
+  const workflowField = workflowMatch?.row?.orchestrationConfig !== undefined ? "orchestrationConfig" : "orchestrationGraph";
+  const workflowHref = workflowObjectId && workflowRowName
+    ? `/workflows?object=${encodeURIComponent(workflowObjectId)}&row=${encodeURIComponent(workflowRowName)}&field=${encodeURIComponent(workflowField)}`
+    : "";
 
   const steps = [
     {
@@ -449,8 +455,9 @@ function deriveBlankWorkspaceActivationState({ workspaceConfig, workspaceSourceR
         ? "Sandbox workflow scaffolded."
         : "Open Workflows to assemble your first automation.",
       status: workflowCreated ? "complete" : "pending",
-      href: "/workflows",
-      cta: workflowCreated ? "Open Workflows" : "New workflow",
+      href: workflowCreated ? workflowHref : "",
+      action: workflowCreated ? "" : "create-workflow",
+      cta: workflowCreated ? "Open workflow" : "New workflow",
     },
     {
       id: "run-workflow",
@@ -461,7 +468,7 @@ function deriveBlankWorkspaceActivationState({ workspaceConfig, workspaceSourceR
           ? "Last run failed — open the trace and fix the failing node."
           : "Click Test inside the workflow to do a first run.",
       status: workflowRun.ok ? "complete" : (workflowCreated ? "pending" : "blocked"),
-      href: "/workflows",
+      href: workflowCreated ? workflowHref : "",
       hint: workflowRun.ok || workflowCreated ? "" : "Create a workflow first.",
       cta: workflowRun.ok ? "View runs" : "Open workflow",
     },

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/workspace-data-model.js

@@ -937,6 +937,13 @@ function createTypedBusinessObject(workspaceConfig, { name, objectType = "custom
       ? workspaceConfig.dataModel
       : {};
   const id = uniqueObjectId(workspaceConfig, label);
+  const relations = preset.relations
+    ? preset.relations.map((relation) => {
+        const next = { ...relation };
+        if (next.statusAllowlist == null) delete next.statusAllowlist;
+        return next;
+      })
+    : [];
   const object = {
     id,
     label,
@@ -946,7 +953,7 @@ function createTypedBusinessObject(workspaceConfig, { name, objectType = "custom
     columns,
     rows: [],
     binding: { mode: "manual", source: "Data Model" },
-    relations: preset.relations ? preset.relations.map((r) => ({ ...r })) : [],
+    relations,
     fieldSettings: normalizeFieldSettings({}, columns)
   };
   return {

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/workspace-helper.js

@@ -37,6 +37,9 @@ const WORKSPACE_HELPER_PROPOSAL_TYPES = [
   "dataModel.row.add",
   "repair.binding",
   "explain.object",
+  // Server-file lane (AWaC: NOT a config PATCH field). Routed in helper/apply to
+  // the confined, gated resolver write — never through writeWorkspaceConfig.
+  "resolver.create",
 ];
 
 const PROPOSAL_TYPE_TO_PATCH_FIELD = {
@@ -50,6 +53,9 @@ const PROPOSAL_TYPE_TO_PATCH_FIELD = {
   "dataModel.row.add": "dataModel",
   "repair.binding": "dataModel",
   "explain.object": "dataModel",
+  // Sentinel — resolver.create writes a server file, not a config field. It is
+  // explicitly excluded from the PATCH allowlist and handled by its own lane.
+  "resolver.create": "server-file",
 };
 
 const KNOWN_WIDGET_KINDS = ["chart", "view", "iframe", "rich-text"];
@@ -62,7 +68,7 @@ const INTENT_DESCRIPTIONS = {
   create_widget:
     "Suggest which widgetTypes belong on the workspace based on the object schema and target KPIs. Propose widgetType entries and canvas widget placements.",
   register_api:
-    "Draft API Registry rows (dataModel object of objectType api-registry) including integration labels, credential prompts, base URL, endpoint, auth header, and method.",
+    "Draft API Registry rows (dataModel object of objectType api-registry) including integration labels, credential prompts, base URL, endpoint, auth header, and method. When the user wants the response shaped into governed rows (a Data Source) or describes a nested/paginated response, also recommend a resolver in the `summary` and propose the matching data-source object (objectType data-source) that references the registry row by registryId — guiding them into the resolver / Data Source lane. Credentials are runtime env keys (REF / REF_API_KEY / REF_TOKEN in .env.local), never stored in config.",
   create_object:
     "Translate the user's domain language into a new dataModel object: objectType, label, columns, starter rows, and field settings that make sense for their business.",
   edit_view: