npm - @growthub/cli - Versions diffs - 0.14.1 → 0.14.2 - Mend

@growthub/cli 0.14.1 → 0.14.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/sandbox-agent-auth/login/route.js CHANGED Viewed

@@ -15,7 +15,7 @@
  * NEVER written to `growthub.config.json`.
  *
  * Request body:
- *   { objectId: string, name: string }
+ *   { objectId: string, name: string, agentHost?: string }
  *
  * Response:
  *   {
@@ -49,6 +49,7 @@ async function POST(request) {
   const objectId = typeof body?.objectId === "string" ? body.objectId.trim() : "";
   const name = typeof body?.name === "string" ? body.name.trim() : "";
+  const agentHost = typeof body?.agentHost === "string" ? body.agentHost.trim() : "";
   if (!objectId || !name) {
     return NextResponse.json(
       { ok: false, error: "objectId and name are required" },
@@ -57,7 +58,7 @@ async function POST(request) {
   }
   try {
-    const result = await runAgentLogin({ objectId, name });
+    const result = await runAgentLogin({ objectId, name, agentHost });
     return NextResponse.json(result);
   } catch (error) {
     return NextResponse.json(

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/sandbox-agent-auth/logout/route.js CHANGED Viewed

@@ -10,7 +10,7 @@
  * host's `notes` string.
  *
  * Request body:
- *   { objectId: string, name: string }
+ *   { objectId: string, name: string, agentHost?: string }
  *
  * Response:
  *   {
@@ -42,6 +42,7 @@ async function POST(request) {
   const objectId = typeof body?.objectId === "string" ? body.objectId.trim() : "";
   const name = typeof body?.name === "string" ? body.name.trim() : "";
+  const agentHost = typeof body?.agentHost === "string" ? body.agentHost.trim() : "";
   if (!objectId || !name) {
     return NextResponse.json(
       { ok: false, error: "objectId and name are required" },
@@ -50,7 +51,7 @@ async function POST(request) {
   }
   try {
-    const result = await runAgentLogout({ objectId, name });
+    const result = await runAgentLogout({ objectId, name, agentHost });
     return NextResponse.json(result);
   } catch (error) {
     return NextResponse.json(

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/sandbox-agent-auth/status/route.js CHANGED Viewed

@@ -20,7 +20,7 @@
  * load.
  *
  * Request body:
- *   { objectId: string, name: string }
+ *   { objectId: string, name: string, agentHost?: string }
  *
  * Response (success):
  *   {
@@ -52,6 +52,7 @@ async function POST(request) {
   const objectId = typeof body?.objectId === "string" ? body.objectId.trim() : "";
   const name = typeof body?.name === "string" ? body.name.trim() : "";
+  const agentHost = typeof body?.agentHost === "string" ? body.agentHost.trim() : "";
   if (!objectId || !name) {
     return NextResponse.json(
       { ok: false, error: "objectId and name are required" },
@@ -60,7 +61,7 @@ async function POST(request) {
   }
   try {
-    const result = await checkAgentStatus({ objectId, name });
+    const result = await checkAgentStatus({ objectId, name, agentHost });
     return NextResponse.json(result);
   } catch (error) {
     return NextResponse.json(

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/sandbox-run/route.js CHANGED Viewed

@@ -43,6 +43,7 @@
  *       envRefsMissing:  string[],
  *       networkAllow:    boolean,
  *       allowList:       string[],
+ *       browserAccess:   boolean,                // first-class browser capability (implies networkAllow)
  *       adapterMeta?:    Record<string, unknown>
  *     }
  *   }
@@ -173,6 +174,7 @@ async function runServerlessScheduler({
   timeoutMs,
   networkAllow,
   allowList,
+  browserAccess,
   envRefSlugs,
   envRefsResolved,
   envRefsMissing
@@ -251,6 +253,7 @@ async function runServerlessScheduler({
       timeoutMs,
       networkAllow,
       allowList,
+      browserAccess,
       envRefSlugs,
       envRefsResolved,
       envRefsMissing
@@ -353,6 +356,7 @@ function buildRunResponse({
   envRefsMissing,
   networkAllow,
   allowList,
+  browserAccess,
   result,
   timeoutMs,
   row,
@@ -384,6 +388,7 @@ function buildRunResponse({
     envRefsMissing,
     networkAllow,
     allowList,
+    browserAccess,
     adapterMeta: result.adapterMeta || null
   };
   if (row && (row.resolverTemplateId || row.connectorKind || row.executionLane)) {
@@ -497,7 +502,11 @@ async function executeSandboxRun(body, { emit } = {}) {
   let adapterId = (typeof rowForRun.adapter === "string" && rowForRun.adapter.trim()) ? rowForRun.adapter.trim() : DEFAULT_SANDBOX_ADAPTER;
   const agentHost = typeof rowForRun.agentHost === "string" ? rowForRun.agentHost.trim() : "";
   const schedulerRegistryId = typeof rowForRun.schedulerRegistryId === "string" ? rowForRun.schedulerRegistryId.trim() : "";
-  const networkAllow = coerceBoolean(rowForRun.networkAllow);
+  const browserAccess = coerceBoolean(rowForRun.browserAccess);
+  // Browser access implies outbound network — the same deterministic
+  // normalization the sidecar toggle applies, enforced server-side so
+  // rows patched via the API behave identically to rows saved in the UI.
+  const networkAllow = coerceBoolean(rowForRun.networkAllow) || browserAccess;
   const allowList = parseSandboxAllowList(rowForRun.allowList);
   const envRefSlugs = parseSandboxEnvRefs(rowForRun.envRefs);
   const command = typeof rowForRun.command === "string" ? rowForRun.command : "";
@@ -576,6 +585,7 @@ async function executeSandboxRun(body, { emit } = {}) {
         envRefsResolved,
         networkAllow,
         allowList,
+        browserAccess,
         instructions,
         command,
         timeoutMs,
@@ -607,6 +617,7 @@ async function executeSandboxRun(body, { emit } = {}) {
       timeoutMs,
       networkAllow,
       allowList,
+      browserAccess,
       envRefSlugs,
       envRefsResolved,
       envRefsMissing
@@ -640,6 +651,7 @@ async function executeSandboxRun(body, { emit } = {}) {
         timeoutMs,
         networkAllow,
         allowList,
+        browserAccess,
         env,
         envRefSlugs,
         envRefsMissing,
@@ -680,6 +692,7 @@ async function executeSandboxRun(body, { emit } = {}) {
     envRefsMissing,
     networkAllow,
     allowList,
+    browserAccess,
     result,
     timeoutMs,
     row: rowForRun,

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/components/WorkspaceHelperSetupModal.jsx CHANGED Viewed

@@ -255,7 +255,7 @@ function WorkspaceHelperSetupModal({ workspaceConfig, open, onClose, onSaved })
                 />
                 serverless
               </label>
-              <small>Local uses process sandbox or Paperclip agent host on this machine. Serverless delegates to an API Registry URL.</small>
+              <small>Choose local execution or a scheduled serverless run.</small>
             </div>
             <div className="workspace-helper-setup-field-stack">
               <label>

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/data-model/components/AgentSwarmPanel.jsx CHANGED Viewed

@@ -3,6 +3,17 @@
 import { useMemo } from "react";
 import { Check, Plus, Trash2 } from "lucide-react";
 import { HOST_AUTH_CATALOG } from "@/lib/sandbox-agent-host-catalog";
+import { SandboxAgentAuthPanel } from "./SandboxAgentAuthPanel.jsx";
+import { isSandboxLocalAgentHost } from "@/lib/sandbox-agent-auth-eligibility";
+const EMPTY_AGENT_AUTH_PATCH = {
+  agentAuthStatus: "",
+  agentAuthProvider: "",
+  agentAuthLastChecked: "",
+  agentAuthLastExitCode: "",
+  agentAuthLastMessage: "",
+  agentAuthLastLoginUrl: ""
+};
 function getHostOptions() {
   return Object.entries(HOST_AUTH_CATALOG || {}).map(([slug, host]) => ({
@@ -26,6 +37,17 @@ function withRecordRef(patch, objectId, rowName, nodeId) {
   };
 }
+function buildSubagentAuthDraft(sandboxRow, config) {
+  const agentHost = String(config?.agentHost || sandboxRow?.agentHost || "").trim();
+  if (!agentHost) return null;
+  return {
+    ...(sandboxRow || {}),
+    runLocality: "local",
+    adapter: "local-agent-host",
+    agentHost
+  };
+}
 function WorkflowCheckbox({ checked, disabled, onChange, children, title }) {
   return (
     <label className="dm-orchestration-config__field dm-orchestration-config__field-inline dm-workflow-check" title={title}>
@@ -139,7 +161,7 @@ function patchSwarmConfig(graph, patch) {
   return { ...graph, swarm: { ...base, ...patch } };
 }
-export function AgentSwarmPanel({ graph, objectId, rowName, onGraphChange, disabled }) {
+export function AgentSwarmPanel({ graph, objectId, rowName, sandboxRow, onSandboxRowPatch, onGraphChange, disabled }) {
   const hostOptions = useMemo(getHostOptions, []);
   if (!graph || typeof graph !== "object") return null;
@@ -154,6 +176,21 @@ export function AgentSwarmPanel({ graph, objectId, rowName, onGraphChange, disab
     onGraphChange?.(updater);
   }
+  function patchSubagentHost(nodeId, agentHost) {
+    const nextHost = String(agentHost || "").trim();
+    patchGraph((g) => patchSubagent(g, nodeId, {
+      agentHost: nextHost,
+      ...(nextHost ? { adapter: "local-agent-host" } : {})
+    }, objectId, rowName));
+    if (nextHost && typeof onSandboxRowPatch === "function") {
+      onSandboxRowPatch({
+        adapter: "local-agent-host",
+        agentHost: nextHost,
+        ...EMPTY_AGENT_AUTH_PATCH
+      });
+    }
+  }
   return (
     <div className="dm-orchestration-config dm-agent-swarm-panel">
       <div className="dm-orchestration-config__pane">
@@ -187,6 +224,7 @@ export function AgentSwarmPanel({ graph, objectId, rowName, onGraphChange, disab
           )}
           {subagents.map((node) => {
             const cfg = node.config || {};
+            const subagentAuthDraft = buildSubagentAuthDraft(sandboxRow, cfg);
             return (
               <div key={node.id} className="dm-agent-swarm-panel__subagent">
                 <div className="dm-agent-swarm-panel__row">
@@ -252,7 +290,7 @@ export function AgentSwarmPanel({ graph, objectId, rowName, onGraphChange, disab
                   <select
                     value={cfg.agentHost || ""}
                     disabled={disabled}
-                    onChange={(e) => patchGraph((g) => patchSubagent(g, node.id, { agentHost: e.target.value }, objectId, rowName))}
+                    onChange={(e) => patchSubagentHost(node.id, e.target.value)}
                   >
                     <option value="">Inherit</option>
                     {hostOptions.map((opt) => (
@@ -260,6 +298,15 @@ export function AgentSwarmPanel({ graph, objectId, rowName, onGraphChange, disab
                     ))}
                   </select>
                 </label>
+                {subagentAuthDraft && isSandboxLocalAgentHost(subagentAuthDraft) && (
+                  <SandboxAgentAuthPanel
+                    objectId={objectId}
+                    rowName={rowName}
+                    draft={subagentAuthDraft}
+                    disabled={disabled || typeof onSandboxRowPatch !== "function"}
+                    onPatchDraft={onSandboxRowPatch}
+                  />
+                )}
                 <WorkflowCheckbox
                   checked={cfg.required !== false}
                   disabled={disabled}

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/data-model/components/DataModelShell.jsx CHANGED Viewed

@@ -647,6 +647,14 @@ function SandboxTraceFieldButton({ label, value, disabled, onOpen }) {
   );
 }
+// Human labels for the per-host browser lanes declared in the
+// local-agent-host catalog — surfaced so the operator's mental model matches
+// exactly what the adapter does under the hood when browserAccess is on.
+const BROWSER_LANE_LABELS = {
+  "native-flag": "browser enabled through the host CLI's first-party browser integration flags.",
+  "env-signal": "host receives GROWTHUB_SANDBOX_BROWSER_ACCESS=1 — its own configured browser integration honors this setting."
+};
 function SandboxRecordFields({
   draft,
   setDraft,
@@ -705,8 +713,21 @@ function SandboxRecordFields({
     return { ...fields, ...EMPTY_AGENT_AUTH_PATCH };
   }
+  function defaultSchedulerRegistryId() {
+    const objects = Array.isArray(workspaceConfig?.dataModel?.objects) ? workspaceConfig.dataModel.objects : [];
+    for (const object of objects) {
+      if (object?.objectType !== "api-registry") continue;
+      const row = (object.rows || []).find((r) => String(r?.integrationId || "").trim());
+      if (row) return String(row.integrationId || "").trim();
+    }
+    return "";
+  }
   function setRunLocality(next) {
     const fields = { runLocality: next };
+    if (next === "serverless") {
+      fields.schedulerRegistryId = String(draft.schedulerRegistryId || "").trim() || defaultSchedulerRegistryId();
+    }
     if (next === "serverless" && ["local-agent-host", "local-intelligence"].includes(String(draft.adapter || "").trim())) {
       fields.adapter = "local-process";
       fields.agentHost = "";
@@ -724,6 +745,8 @@ function SandboxRecordFields({
   }
   const netOn = ["true", "1", "on", "yes"].includes(String(draft.networkAllow || "").trim().toLowerCase());
+  const browserOn = ["true", "1", "on", "yes"].includes(String(draft.browserAccess || "").trim().toLowerCase());
+  const browserHostMeta = (selectedAdapterMeta?.hostCatalog || []).find((h) => h.slug === String(draft.agentHost || "").trim());
   // Same cockpit interface + mental model as the API Registry lane, driven by
   // the serverless/scheduling/persistence derivation. Steps are status-only
@@ -735,6 +758,7 @@ function SandboxRecordFields({
     persistenceAdapters: serverlessSignals.persistenceAdapters,
     inlineEditing: true,
   });
+  const showServerlessUpgrade = String(draft.adapter || "").trim() !== "local-intelligence";
   function handleServerlessAction(action) {
     if (!action) return;
     if (action.id === "toggle-locality") setRunLocality(serverlessState.isServerless ? "local" : "serverless");
@@ -743,12 +767,14 @@ function SandboxRecordFields({
   return (
     <div className="dm-sandbox-config">
-      <ApiRegistryCreationCockpit
-        state={serverlessState}
-        onAction={handleServerlessAction}
-        disabled={!table.mutable || saving}
-        eyebrow={serverlessState.isServerless ? "Serverless workflow" : "Workflow runtime"}
-      />
+      {showServerlessUpgrade && (
+        <ApiRegistryCreationCockpit
+          state={serverlessState}
+          onAction={handleServerlessAction}
+          disabled={!table.mutable || saving}
+          eyebrow={serverlessState.isServerless ? "Serverless workflow" : "Workflow runtime"}
+        />
+      )}
       <DrawerSection title="Identity & Mode">
         <label className="dm-record-field">
           <span>Name</span>
@@ -791,7 +817,7 @@ function SandboxRecordFields({
           onChange={setRunLocality}
         />
         <p className="dm-cell-empty" style={{ fontSize: 11, marginTop: 6 }}>
-          Local uses process sandbox or Paperclip agent host on this machine. Serverless delegates to an API Registry URL (no local agent CLI).
+          Choose local execution or a scheduled serverless run.
         </p>
         {locality === "serverless" && table.objectId && (
@@ -883,7 +909,7 @@ function SandboxRecordFields({
             </label>
             <p className="dm-cell-empty" style={{ fontSize: 11, marginTop: 0 }}>
-              Uses <strong>Instructions</strong> + <strong>Command</strong> as the task payload. Tool intents in the JSON response are proposals only and are not executed by the workspace.
+              Uses <strong>Instructions</strong> + <strong>Command</strong> as the task payload. With browser access off, tool intents stay proposals. With browser access on, browser tool intents execute through the local browser bridge before the final JSON response is returned.
             </p>
           </div>
         )}
@@ -921,10 +947,12 @@ function SandboxRecordFields({
         </div>
         <ToggleField
-          checked={netOn}
-          disabled={!table.mutable || saving}
+          checked={netOn || browserOn}
+          disabled={!table.mutable || saving || (browserOn && !netOn)}
           label="Network allow-list mode"
-          description="When enabled, local runs honor GROWTHUB_SANDBOX_NET_* and the allow list below."
+          description={browserOn && !netOn
+            ? "Network enabled by browser access — the run route grants it even though this row's networkAllow is off. Turn browser access off to control network independently."
+            : "When enabled, local runs honor GROWTHUB_SANDBOX_NET_* and the allow list below."}
           onChange={(on) => patchFields({ networkAllow: on ? "true" : "false" })}
         />
@@ -937,6 +965,21 @@ function SandboxRecordFields({
             onBlur={(event) => patchFields({ allowList: event.target.value })}
           />
         </label>
+        <ToggleField
+          checked={browserOn}
+          disabled={!table.mutable || saving}
+          label="Browser access"
+          description="Allows this sandbox to use a real browser. Also enables network. Local intelligence uses the Playwright browser bridge; Codex/Claude use their native browser modes."
+          onChange={(on) => patchFields(on
+            ? { browserAccess: "true", networkAllow: "true" }
+            : { browserAccess: "false" })}
+        />
+        {browserOn && String(draft.adapter || "").trim() === "local-agent-host" && browserHostMeta && (
+          <p className="dm-cell-empty" style={{ fontSize: 11, marginTop: 4 }}>
+            {browserHostMeta.label}: {BROWSER_LANE_LABELS[browserHostMeta.browserLane] || BROWSER_LANE_LABELS["env-signal"]}
+          </p>
+        )}
       </DrawerSection>
       <DrawerSection title="Prompt & Limits">

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/data-model/components/OrchestrationNodeConfigPanel.jsx CHANGED Viewed

@@ -20,6 +20,12 @@ const LOCAL_AGENT_ADAPTERS = [
   { value: "local-agent-host", label: "Local agent host" },
   { value: "local-intelligence", label: "Local intelligence" }
 ];
+const LOCAL_INTELLIGENCE_MODE_OPTIONS = [
+  { value: "ollama", label: "ollama (OLLAMA_BASE_URL + /v1/chat/completions)" },
+  { value: "lmstudio", label: "lmstudio (LMSTUDIO_BASE_URL)" },
+  { value: "vllm", label: "vllm (VLLM_BASE_URL required)" },
+  { value: "custom-openai-compatible", label: "custom (use Chat completions URL above)" }
+];
 const EMPTY_AGENT_AUTH_PATCH = {
   agentAuthStatus: "",
   agentAuthProvider: "",
@@ -427,9 +433,9 @@ function LocalAgentHostControls({
   onSandboxRowPatch
 }) {
   const row = sandboxRow && typeof sandboxRow === "object" ? sandboxRow : {};
-  const runLocality = String(row.runLocality || "local").trim().toLowerCase() === "serverless" ? "serverless" : "local";
   const adapter = String(row.adapter || "local-process").trim() || "local-process";
   const agentHost = String(row.agentHost || "").trim();
+  const browserOn = ["true", "1", "on", "yes"].includes(String(row.browserAccess || "").trim().toLowerCase());
   const hostOptions = getAgentHostOptions();
   const canPatch = typeof onSandboxRowPatch === "function";
@@ -444,36 +450,9 @@ function LocalAgentHostControls({
   return (
     <div className="dm-orchestration-config__section dm-workflow-agent-runtime">
       <span>Local agent runtime</span>
-      <div className="dm-sandbox-locality-toggle" role="group" aria-label="Run locality">
-        {["local", "serverless"].map((mode) => (
-          <button
-            key={mode}
-            type="button"
-            className={runLocality === mode ? "is-active" : ""}
-            disabled={disabled || !canPatch}
-            onClick={() => {
-              const fields = { runLocality: mode };
-              if (mode === "serverless" && ["local-agent-host", "local-intelligence"].includes(adapter)) {
-                fields.adapter = "local-process";
-                fields.agentHost = "";
-                patchWithClearedAgentAuth(fields);
-                return;
-              }
-              patch(fields);
-            }}
-          >
-            {mode === "local" ? "Local" : "Serverless"}
-          </button>
-        ))}
-      </div>
       <p className="dm-orchestration-config__hint">
         Same runtime fields as the Data Model sandbox sidecar. Local agent host uses the Paperclip thin adapter on this machine.
       </p>
-      {runLocality === "serverless" && (
-        <p className="dm-orchestration-config__hint">
-          Serverless delegates execution to the configured scheduler/API Registry row; local CLI auth is not used.
-        </p>
-      )}
       <label className="dm-orchestration-config__field">
         <span>Execution adapter</span>
         <select
@@ -482,6 +461,7 @@ function LocalAgentHostControls({
           onChange={(event) => {
             const nextAdapter = event.target.value;
             patchWithClearedAgentAuth({
+              runLocality: "local",
               adapter: nextAdapter,
               agentHost: nextAdapter === "local-agent-host" ? (agentHost || "claude_local") : ""
             });
@@ -492,13 +472,17 @@ function LocalAgentHostControls({
           ))}
         </select>
       </label>
-      {runLocality === "local" && adapter === "local-agent-host" && (
+      {adapter === "local-agent-host" && (
         <label className="dm-orchestration-config__field">
           <span>Agent host (Paperclip)</span>
           <select
             value={agentHost}
             disabled={disabled || !canPatch}
-            onChange={(event) => patchWithClearedAgentAuth({ agentHost: event.target.value })}
+            onChange={(event) => patchWithClearedAgentAuth({
+              runLocality: "local",
+              adapter: "local-agent-host",
+              agentHost: event.target.value
+            })}
           >
             <option value="">Select host...</option>
             {hostOptions.map((item) => (
@@ -507,7 +491,7 @@ function LocalAgentHostControls({
           </select>
         </label>
       )}
-      {runLocality === "local" && adapter === "local-agent-host" && isSandboxLocalAgentHost(row) && (
+      {adapter === "local-agent-host" && isSandboxLocalAgentHost(row) && (
         <SandboxAgentAuthPanel
           objectId={objectId}
           rowName={rowName}
@@ -516,10 +500,63 @@ function LocalAgentHostControls({
           onPatchDraft={patch}
         />
       )}
+      {adapter === "local-intelligence" && (
+        <div className="dm-sandbox-local-intel">
+          <label className="dm-orchestration-config__field">
+            <span>Concrete model id</span>
+            <input
+              value={row.localModel || ""}
+              disabled={disabled || !canPatch}
+              placeholder="gemma3:4b"
+              onChange={(event) => patch({ runLocality: "local", localModel: event.target.value })}
+            />
+          </label>
+          <label className="dm-orchestration-config__field">
+            <span>Chat completions URL (optional)</span>
+            <input
+              value={row.localEndpoint || ""}
+              disabled={disabled || !canPatch}
+              placeholder="http://127.0.0.1:11434/v1/chat/completions"
+              onChange={(event) => patch({ runLocality: "local", localEndpoint: event.target.value })}
+            />
+          </label>
+          <label className="dm-orchestration-config__field">
+            <span>Resolver mode</span>
+            <select
+              value={String(row.intelligenceAdapterMode || "ollama").trim().toLowerCase()}
+              disabled={disabled || !canPatch}
+              onChange={(event) => patch({ runLocality: "local", intelligenceAdapterMode: event.target.value })}
+            >
+              {LOCAL_INTELLIGENCE_MODE_OPTIONS.map((item) => (
+                <option key={item.value} value={item.value}>{item.label}</option>
+              ))}
+            </select>
+          </label>
+          <p className="dm-orchestration-config__hint">
+            Uses Instructions + Command as the task payload. With sandbox browser access off, tool intents stay proposals. With browser access on, browser tool intents execute through the local browser bridge before the final JSON response is returned.
+          </p>
+          {browserOn && (
+            <p className="dm-orchestration-config__hint">
+              This workflow's AI-agent nodes inherit browser access only when their node-level Network permission is enabled.
+            </p>
+          )}
+        </div>
+      )}
     </div>
   );
 }
+function buildNodeAgentAuthDraft(sandboxRow, config) {
+  const agentHost = String(config?.agentHost || sandboxRow?.agentHost || "").trim();
+  if (!agentHost) return null;
+  return {
+    ...(sandboxRow || {}),
+    runLocality: "local",
+    adapter: "local-agent-host",
+    agentHost
+  };
+}
 export function OrchestrationNodeConfigPanel({
   node,
   onConfigChange,
@@ -577,6 +614,28 @@ export function OrchestrationNodeConfigPanel({
   const registryConnected = isApiRegistryTestSuccessful(registryRow);
   const responseMode = config.responseMode || config.mode || "json";
+  const nodeAgentAuthDraft = type === "ai-agent" ? buildNodeAgentAuthDraft(sandboxRow, config) : null;
+  const canPatchSandboxRow = typeof onSandboxRowPatch === "function";
+  const sandboxBrowserOn = ["true", "1", "on", "yes"].includes(String(sandboxRow?.browserAccess || "").trim().toLowerCase());
+  const sandboxAdapter = String(sandboxRow?.adapter || "").trim();
+  const nodeAdapter = String(config.adapter || "").trim() || sandboxAdapter;
+  const nodeUsesLocalIntelligence = nodeAdapter === "local-intelligence";
+  function patchNodeAgentHost(agentHost) {
+    const nextHost = String(agentHost || "").trim();
+    patchConfig({
+      agentHost: nextHost,
+      ...(nextHost ? { adapter: "local-agent-host" } : {})
+    });
+    if (nextHost && canPatchSandboxRow) {
+      onSandboxRowPatch({
+        runLocality: "local",
+        adapter: "local-agent-host",
+        agentHost: nextHost,
+        ...EMPTY_AGENT_AUTH_PATCH
+      });
+    }
+  }
   return (
     <div className="dm-orchestration-config">
@@ -964,7 +1023,7 @@ export function OrchestrationNodeConfigPanel({
             <select
               value={config.agentHost || ""}
               disabled={disabled}
-              onChange={(e) => patchConfig({ agentHost: e.target.value })}
+              onChange={(e) => patchNodeAgentHost(e.target.value)}
             >
               <option value="">Inherit</option>
               {Object.entries(HOST_AUTH_CATALOG || {}).map(([slug, host]) => (
@@ -972,6 +1031,15 @@ export function OrchestrationNodeConfigPanel({
               ))}
             </select>
           </label>
+          {nodeAgentAuthDraft && isSandboxLocalAgentHost(nodeAgentAuthDraft) && (
+            <SandboxAgentAuthPanel
+              objectId={objectId}
+              rowName={rowName}
+              draft={nodeAgentAuthDraft}
+              disabled={disabled || !canPatchSandboxRow}
+              onPatchDraft={onSandboxRowPatch}
+            />
+          )}
           <WorkflowCheckbox
             checked={config.required !== false}
             disabled={disabled}
@@ -982,10 +1050,12 @@ export function OrchestrationNodeConfigPanel({
           <WorkflowCheckbox
             checked={config.networkAccess === true}
             disabled={disabled}
-            title="Network is granted only when both this and the row's networkAllow are on."
+            title={sandboxBrowserOn && nodeUsesLocalIntelligence
+              ? "Network and browser are granted only when this node permission is on and the sandbox row has browser access on."
+              : "Network is granted only when both this and the row's networkAllow are on. The row's browser access inherits through the same gate."}
             onChange={(checked) => patchConfig({ networkAccess: checked })}
           >
-            Network
+            {sandboxBrowserOn && nodeUsesLocalIntelligence ? "Network + browser" : "Network"}
           </WorkflowCheckbox>
         </div>
       )}
@@ -1025,8 +1095,15 @@ export function OrchestrationNodeConfigPanel({
             <WorkflowCheckbox checked={config.canWriteDraft === true} disabled={disabled} onChange={(checked) => patchConfig({ canWriteDraft: checked })}>
               Write draft changes only
             </WorkflowCheckbox>
-            <WorkflowCheckbox checked={config.networkAccess === true} disabled={disabled} onChange={(checked) => patchConfig({ networkAccess: checked })}>
-              Allow network access
+            <WorkflowCheckbox
+              checked={config.networkAccess === true}
+              disabled={disabled}
+              title={sandboxBrowserOn && nodeUsesLocalIntelligence
+                ? "This node gets browser access only when this permission and the sandbox row Browser access toggle are both on."
+                : undefined}
+              onChange={(checked) => patchConfig({ networkAccess: checked })}
+            >
+              {sandboxBrowserOn && nodeUsesLocalIntelligence ? "Allow network + browser access" : "Allow network access"}
             </WorkflowCheckbox>
           </div>
           <KeyValueRows