npm - @growthub/cli - Versions diffs - 0.14.1 → 0.14.2 - Mend

@growthub/cli 0.14.1 → 0.14.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/data-model/components/SandboxAgentAuthPanel.jsx CHANGED Viewed

@@ -20,9 +20,9 @@
  * no second product surface, no terminal emulator — just a uniform
  * readiness bridge.
  *
- * Status values stamped on the row are intentionally distinct between
- * confirmed-authenticated ("active") and merely-installed ("reachable")
- * so the pill cannot overclaim auth from a `--version` probe.
+ * The pill represents selected local host readiness. Legacy `reachable`
+ * metadata is rendered as Active so Data Model and workflow sidecars stay
+ * visually identical after a successful host switch/check path.
  */
 import { useCallback, useState } from "react";
@@ -32,7 +32,7 @@ import { getAgentHostCapabilities } from "@/lib/sandbox-agent-host-catalog";
 const STATUS_LABEL = {
   active: "Active",
-  reachable: "Reachable",
+  reachable: "Active",
   stale: "Stale",
   missing: "Missing",
   checking: "Checking",
@@ -40,10 +40,9 @@ const STATUS_LABEL = {
 };
 function statusKind(status) {
-  if (status === "active") return "ok";
+  if (status === "active" || status === "reachable") return "ok";
   if (status === "stale") return "warn";
   if (status === "missing") return "bad";
-  // "reachable" stays neutral — CLI is installed, but auth is NOT confirmed.
   return "";
 }
@@ -62,15 +61,28 @@ export function SandboxAgentAuthPanel({ objectId, rowName, draft, disabled, onPa
   const [busy, setBusy] = useState(null); // "status" | "login" | "logout" | null
   const [output, setOutput] = useState(null);
   const [message, setMessage] = useState("");
+  const [localAuthState, setLocalAuthState] = useState(null);
   const capabilities = getAgentHostCapabilities(draft);
   const providerMatchesHost = String(draft?.agentAuthProvider || "").trim() === String(draft?.agentHost || "").trim();
+  const localMatchesHost =
+    localAuthState?.provider &&
+    String(localAuthState.provider || "").trim() === String(capabilities?.slug || "").trim();
   const currentStatus =
-    providerMatchesHost && typeof draft?.agentAuthStatus === "string" && draft.agentAuthStatus.trim()
-      ? draft.agentAuthStatus.trim()
-      : "unknown";
-  const lastChecked = providerMatchesHost ? draft?.agentAuthLastChecked || "" : "";
-  const lastMessage = providerMatchesHost ? draft?.agentAuthLastMessage || "" : "";
+    localMatchesHost && typeof localAuthState?.status === "string" && localAuthState.status.trim()
+      ? localAuthState.status.trim()
+      : providerMatchesHost && typeof draft?.agentAuthStatus === "string" && draft.agentAuthStatus.trim()
+        ? draft.agentAuthStatus.trim()
+        : "unknown";
+  const lastChecked = localMatchesHost && localAuthState?.checkedAt
+    ? localAuthState.checkedAt
+    : providerMatchesHost
+      ? draft?.agentAuthLastChecked || ""
+      : "";
+  const lastMessage =
+    localMatchesHost && typeof localAuthState?.message === "string"
+      ? localAuthState.message
+      : providerMatchesHost ? draft?.agentAuthLastMessage || "" : "";
   const displayMessage = normalizeAuthMessage(message || lastMessage, capabilities?.label)
     || (currentStatus === "unknown" ? "Run Check or Login to verify this local agent host." : "");
@@ -85,15 +97,23 @@ export function SandboxAgentAuthPanel({ objectId, rowName, draft, disabled, onPa
         const res = await fetch(endpoint, {
           method: "POST",
           headers: { "content-type": "application/json" },
-          body: JSON.stringify({ objectId, name: rowName })
+          body: JSON.stringify({ objectId, name: rowName, agentHost: capabilities.slug })
         });
         const payload = await res.json();
         setOutput(payload);
         setMessage(payload.message || (payload.ok ? "Done" : payload.error || "Failed"));
+        if (payload.status) {
+          setLocalAuthState({
+            status: payload.status,
+            provider: payload.provider || capabilities.slug,
+            checkedAt: payload.checkedAt || new Date().toISOString(),
+            message: payload.message || ""
+          });
+        }
         if (typeof onPatchDraft === "function" && payload.status) {
           onPatchDraft({
             agentAuthStatus: payload.status,
-            agentAuthProvider: payload.provider || draft?.agentHost || "unknown",
+            agentAuthProvider: payload.provider || capabilities.slug,
             agentAuthLastChecked: payload.checkedAt || new Date().toISOString(),
             agentAuthLastExitCode:
               typeof payload.exitCode === "number" ? payload.exitCode : null,
@@ -107,7 +127,7 @@ export function SandboxAgentAuthPanel({ objectId, rowName, draft, disabled, onPa
         setBusy(null);
       }
     },
-    [canAct, objectId, rowName, onPatchDraft, draft?.agentHost]
+    [canAct, objectId, rowName, onPatchDraft, capabilities?.slug]
   );
   const onCheckStatus = () =>

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/globals.css CHANGED Viewed

@@ -6253,9 +6253,16 @@ body.workspace-rail-collapsed .workspace-builder.dm-workflow-page {
 .dm-sandbox-config > .dm-cockpit { width: 100%; margin: 12px 0 8px; box-sizing: border-box; }
 .dm-radio-row { display: grid; gap: 8px; }
 .dm-radio-row label, .dm-check-row { display: grid; grid-template-columns: 16px minmax(0,1fr); align-items: start; column-gap: 8px; color: #1f2937; font-size: 12px; line-height: 1.35; }
+.dm-check-row-compact { grid-template-columns: 16px max-content 22px; align-items: center; width: fit-content; max-width: 100%; }
 .dm-radio-row input[type="radio"], .dm-check-row input[type="checkbox"] { width: 14px; height: 14px; margin: 1px 0 0; padding: 0; box-shadow: none; accent-color: #111827; }
 .dm-radio-row span, .dm-check-row span { color: #1f2937; font-size: 12px; font-weight: 500; }
 .dm-check-row { cursor: pointer; }
+.dm-check-row-compact > label { color: #1f2937; font-size: 12px; font-weight: 500; cursor: pointer; }
+.dm-help-wrap { position: relative; display: inline-flex; align-items: center; min-width: 0; }
+.dm-icon-help { width: 18px; height: 18px; display: inline-flex; align-items: center; justify-content: center; border: 0; border-radius: 4px; background: transparent; color: #64748b; padding: 0; cursor: help; }
+.dm-icon-help:hover, .dm-icon-help:focus-visible { background: #f1f5f9; color: #334155; outline: none; }
+.dm-help-bubble { position: absolute; z-index: 80; left: 22px; top: 50%; transform: translateY(-50%); width: min(280px, calc(100vw - 48px)); display: none; border: 1px solid #cbd5e1; border-radius: 6px; background: #fff; box-shadow: 0 12px 30px rgba(15,23,42,.16); color: #334155; font-size: 11px; font-weight: 500; line-height: 1.4; padding: 8px 9px; }
+.dm-help-wrap:hover .dm-help-bubble, .dm-help-bubble.is-open { display: block; }
 .dm-select { position: relative; width: 100%; min-width: 0; font-size: 11px; }
 .dm-select-trigger { width: 100%; min-height: 32px; display: flex; align-items: center; justify-content: space-between; gap: 8px; border: 1px solid #cbd5e1; border-radius: 7px; background: #fff; color: #111827; box-shadow: 0 1px 2px rgba(15,23,42,.05); font: inherit; font-size: 11px; padding: 6px 10px; text-align: left; cursor: pointer; transition: border-color .12s, box-shadow .12s, background .12s; }
 .dm-select-trigger:hover:not(:disabled) { border-color: #94a3b8; box-shadow: 0 2px 8px rgba(15,23,42,.08); }

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/workflows/WorkflowSurface.jsx CHANGED Viewed

@@ -912,6 +912,7 @@ export default function WorkflowSurface() {
       })
     : null;
   const isServerlessWorkflow = Boolean(serverlessState?.isServerless);
+  const showServerlessUpgrade = String(sandboxRow?.adapter || "").trim() !== "local-intelligence";
   async function patchSandboxAndPersist(fields) {
     if (resolved.rowIndex < 0 || !objectId || !workspaceConfig) return;
@@ -1013,7 +1014,7 @@ export default function WorkflowSurface() {
             >
               <ArrowUp size={13} />
             </button>
-            {sandboxRow && (
+            {sandboxRow && showServerlessUpgrade && (
               <button
                 type="button"
                 className={"dm-workflow-icon-btn dm-workflow-upgrade-btn" + (isServerlessWorkflow ? " is-serverless" : (upgradeState.showOnboarding ? " is-pulse" : ""))}
@@ -1051,7 +1052,13 @@ export default function WorkflowSurface() {
                 <Power size={13} /> {publishing ? "Publishing" : "Publish"}
               </button>
             )}
-            <button type="button" className="dm-workflow-chip-btn" disabled={!sandboxRow} onClick={openTraceMode}>
+            <button
+              type="button"
+              className="dm-workflow-chip-btn"
+              onClick={() => {
+                if (sandboxRow) openTraceMode();
+              }}
+            >
               <History size={13} /> See Runs
             </button>
             {sidecarMode === "trace" && (
@@ -1093,7 +1100,7 @@ export default function WorkflowSurface() {
         {/* One-time serverless upgrade onboarding — shows only when the operator
             has workflows but none are serverless, and hasn't dismissed it. */}
-        {sandboxRow && !upgradeOpen && upgradeState.showOnboarding ? (
+        {sandboxRow && showServerlessUpgrade && !upgradeOpen && upgradeState.showOnboarding ? (
           <div className="workspace-template-context-banner dm-workflow-upgrade-nudge" role="note">
             <div>
               <strong>{upgradeState.headline}</strong>
@@ -1111,7 +1118,7 @@ export default function WorkflowSurface() {
         {/* Serverless cockpit — same derivation + cockpit interface as the API
             Registry and sandbox lanes. Toggles patch the sandbox row; deep config
             (scheduler/adapter) routes to the object's Data Model drawer. */}
-        {sandboxRow && upgradeOpen && serverlessState ? (
+        {sandboxRow && showServerlessUpgrade && upgradeOpen && serverlessState ? (
           <div className="dm-workflow-upgrade-panel">
             <div className="dm-workflow-upgrade-panel-head">
               <span className="dm-api-action-card-eyebrow">Persistence &amp; scheduling</span>
@@ -1233,6 +1240,8 @@ export default function WorkflowSurface() {
                     graph={orchestrationGraph}
                     objectId={objectId}
                     rowName={rowId}
+                    sandboxRow={sandboxRow}
+                    onSandboxRowPatch={patchSandboxRuntimeFields}
                     disabled={false}
                     onGraphChange={(updater) => {
                       setOrchestrationGraph((g) => (typeof updater === "function" ? updater(g) : updater));

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/docs/sandbox-environment-primitive.md CHANGED Viewed

@@ -23,6 +23,32 @@ Agents and streamed APIs elsewhere in the sandbox stay orthogonal: serverless sw
 Sandbox rows reference **`authRef` / named env refs** — never literals in browser or config records. Scheduling uses the referenced API Registry row’s **`authRef`** merge rules identical to **`/api/workspace/test-source`**.
+## Browser access (`browserAccess`)
+`browserAccess` is a first-class boolean column on the sandbox row, surfaced as a single toggle in the record sidecar's **Environment & Network** section. It is locality-agnostic and agent-host-agnostic: the saved record carries the capability, and each execution path grants it through the mechanism that path actually understands.
+**Deterministic normalization** — browser access implies outbound network. The sidecar toggle stamps `networkAllow: "true"` when browser access is switched on, and `POST /api/workspace/sandbox-run` enforces the same implication server-side (`networkAllow || browserAccess`), so rows patched via the API behave identically to rows saved in the UI.
+**This is the product's existing agent browser primitive, surfaced — not a new system.** The upstream Paperclip server already grants any agent browser access through one boolean: the agent config's `chrome` primitive (`ui/src/components/agent-config-primitives.tsx` — "Enable Claude's Chrome integration by passing --chrome"), gated by the chrome-lease service (`server/src/services/chrome-lease.ts`) before `adapter.execute()`. The CMS profile contract likewise speaks `allowBrowserBridge` and execution mode `"browser"`. `browserAccess` is the same bit on the governed sandbox row, so rows stay portable to the upstream adapter registry without translation — exactly like the host slugs.
+**Local (`local-agent-host`)** — when the row's bit is on, each host engages its **first-party** browser integration; the adapter never invents flags or writes host config it cannot verify against the upstream tool (the same rule the auth catalog follows for login subcommands):
+| Lane | Hosts | Mechanism |
+| --- | --- | --- |
+| `native-flag` | Claude Code | `--chrome` — Claude's own Chrome integration, the same flag the upstream server adapter passes for the agent `chrome` primitive. |
+| `native-flag` | Codex | `--enable browser_use --enable in_app_browser` (with `--sandbox workspace-write`). |
+| `env-signal` | Cursor, Gemini, Qwen, OpenCode, Pi, Hermes, OpenClaw Gateway | The host receives `GROWTHUB_SANDBOX_BROWSER_ACCESS=1` (mirroring the upstream browser-isolation context); whatever browser integration the operator has configured in that host honors the row's setting. |
+The lane engaged for a run is recorded in `adapterMeta.browserLane`, and the run-console record projection surfaces `context.browserAccess` plus the full `adapterMeta`, so every run shows its browser proof. No host-global config (`~/.claude`, `~/.codex`, …) is ever mutated.
+**Orchestration graph** — this is why browser access is node-level and host-agnostic with zero extra configuration: `thinAdapter` and `ai-agent` nodes execute through this same host catalog, so every node inherits the row's browser grant no matter which host runs it (subagent nodes through the existing node-level Network gate; orchestrator and synthesis phases directly).
+One deliberate decision, stated explicitly: **Codex `workspace-write` on `networkAllow` alone is intentional.** Codex's `read-only` sandbox blocks all outbound network, so `workspace-write` is the least-privileged Codex mode where the row's network grant can take effect — and writes are confined to the sealed ephemeral workdir the adapter spawns into, never the operator's repo. Browser flags remain gated on `browserAccess` only; network alone never opens a browser.
+**Local (`local-process`)** and every other adapter — the sealed RunRequest carries `browserAccess: boolean`, and the env contract publishes `GROWTHUB_SANDBOX_BROWSER_ACCESS=1|0` alongside `GROWTHUB_SANDBOX_NET_ALLOW(LIST)`, so any script or drop-zone adapter honors the row's setting without knowing about specific hosts.
+**Serverless** — the `growthub-sandbox-run-v1` envelope carries `sandbox.browserAccess` (plus `networkAllow` / `allowList`), so a workflow upgraded from local to serverless keeps the identical capability contract: the Edge/QStash/cron handler reads one boolean and grants its own runtime's browser (e.g. a remote browser pool or hosted agent's browser tool). No host-specific knowledge crosses the wire — slugs and booleans only, never secrets.
 ## Not a widget source
 Workspace Builder excludes **`sandbox-environment`** from View widget bindings (execution records, not tabular KPI sources). See **`data-sources-api-registry.md`** in this folder.