@growthub/cli 0.14.1 → 0.14.3

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/data-model/components/AgentSwarmPanel.jsx

@@ -3,6 +3,17 @@
 import { useMemo } from "react";
 import { Check, Plus, Trash2 } from "lucide-react";
 import { HOST_AUTH_CATALOG } from "@/lib/sandbox-agent-host-catalog";
+import { SandboxAgentAuthPanel } from "./SandboxAgentAuthPanel.jsx";
+import { isSandboxLocalAgentHost } from "@/lib/sandbox-agent-auth-eligibility";
+
+const EMPTY_AGENT_AUTH_PATCH = {
+  agentAuthStatus: "",
+  agentAuthProvider: "",
+  agentAuthLastChecked: "",
+  agentAuthLastExitCode: "",
+  agentAuthLastMessage: "",
+  agentAuthLastLoginUrl: ""
+};
 
 function getHostOptions() {
   return Object.entries(HOST_AUTH_CATALOG || {}).map(([slug, host]) => ({
@@ -26,6 +37,17 @@ function withRecordRef(patch, objectId, rowName, nodeId) {
   };
 }
 
+function buildSubagentAuthDraft(sandboxRow, config) {
+  const agentHost = String(config?.agentHost || sandboxRow?.agentHost || "").trim();
+  if (!agentHost) return null;
+  return {
+    ...(sandboxRow || {}),
+    runLocality: "local",
+    adapter: "local-agent-host",
+    agentHost
+  };
+}
+
 function WorkflowCheckbox({ checked, disabled, onChange, children, title }) {
   return (
     <label className="dm-orchestration-config__field dm-orchestration-config__field-inline dm-workflow-check" title={title}>
@@ -139,7 +161,7 @@ function patchSwarmConfig(graph, patch) {
   return { ...graph, swarm: { ...base, ...patch } };
 }
 
-export function AgentSwarmPanel({ graph, objectId, rowName, onGraphChange, disabled }) {
+export function AgentSwarmPanel({ graph, objectId, rowName, sandboxRow, onSandboxRowPatch, onGraphChange, disabled }) {
   const hostOptions = useMemo(getHostOptions, []);
   if (!graph || typeof graph !== "object") return null;
 
@@ -154,6 +176,21 @@ export function AgentSwarmPanel({ graph, objectId, rowName, onGraphChange, disab
     onGraphChange?.(updater);
   }
 
+  function patchSubagentHost(nodeId, agentHost) {
+    const nextHost = String(agentHost || "").trim();
+    patchGraph((g) => patchSubagent(g, nodeId, {
+      agentHost: nextHost,
+      ...(nextHost ? { adapter: "local-agent-host" } : {})
+    }, objectId, rowName));
+    if (nextHost && typeof onSandboxRowPatch === "function") {
+      onSandboxRowPatch({
+        adapter: "local-agent-host",
+        agentHost: nextHost,
+        ...EMPTY_AGENT_AUTH_PATCH
+      });
+    }
+  }
+
   return (
     <div className="dm-orchestration-config dm-agent-swarm-panel">
       <div className="dm-orchestration-config__pane">
@@ -187,6 +224,7 @@ export function AgentSwarmPanel({ graph, objectId, rowName, onGraphChange, disab
           )}
           {subagents.map((node) => {
             const cfg = node.config || {};
+            const subagentAuthDraft = buildSubagentAuthDraft(sandboxRow, cfg);
             return (
               <div key={node.id} className="dm-agent-swarm-panel__subagent">
                 <div className="dm-agent-swarm-panel__row">
@@ -252,7 +290,7 @@ export function AgentSwarmPanel({ graph, objectId, rowName, onGraphChange, disab
                   <select
                     value={cfg.agentHost || ""}
                     disabled={disabled}
-                    onChange={(e) => patchGraph((g) => patchSubagent(g, node.id, { agentHost: e.target.value }, objectId, rowName))}
+                    onChange={(e) => patchSubagentHost(node.id, e.target.value)}
                   >
                     <option value="">Inherit</option>
                     {hostOptions.map((opt) => (
@@ -260,6 +298,15 @@ export function AgentSwarmPanel({ graph, objectId, rowName, onGraphChange, disab
                     ))}
                   </select>
                 </label>
+                {subagentAuthDraft && isSandboxLocalAgentHost(subagentAuthDraft) && (
+                  <SandboxAgentAuthPanel
+                    objectId={objectId}
+                    rowName={rowName}
+                    draft={subagentAuthDraft}
+                    disabled={disabled || typeof onSandboxRowPatch !== "function"}
+                    onPatchDraft={onSandboxRowPatch}
+                  />
+                )}
                 <WorkflowCheckbox
                   checked={cfg.required !== false}
                   disabled={disabled}

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/data-model/components/DataModelShell.jsx

@@ -647,6 +647,14 @@ function SandboxTraceFieldButton({ label, value, disabled, onOpen }) {
   );
 }
 
+// Human labels for the per-host browser lanes declared in the
+// local-agent-host catalog — surfaced so the operator's mental model matches
+// exactly what the adapter does under the hood when browserAccess is on.
+const BROWSER_LANE_LABELS = {
+  "native-flag": "browser enabled through the host CLI's first-party browser integration flags.",
+  "env-signal": "host receives GROWTHUB_SANDBOX_BROWSER_ACCESS=1 — its own configured browser integration honors this setting."
+};
+
 function SandboxRecordFields({
   draft,
   setDraft,
@@ -705,8 +713,21 @@ function SandboxRecordFields({
     return { ...fields, ...EMPTY_AGENT_AUTH_PATCH };
   }
 
+  function defaultSchedulerRegistryId() {
+    const objects = Array.isArray(workspaceConfig?.dataModel?.objects) ? workspaceConfig.dataModel.objects : [];
+    for (const object of objects) {
+      if (object?.objectType !== "api-registry") continue;
+      const row = (object.rows || []).find((r) => String(r?.integrationId || "").trim());
+      if (row) return String(row.integrationId || "").trim();
+    }
+    return "";
+  }
+
   function setRunLocality(next) {
     const fields = { runLocality: next };
+    if (next === "serverless") {
+      fields.schedulerRegistryId = String(draft.schedulerRegistryId || "").trim() || defaultSchedulerRegistryId();
+    }
     if (next === "serverless" && ["local-agent-host", "local-intelligence"].includes(String(draft.adapter || "").trim())) {
       fields.adapter = "local-process";
       fields.agentHost = "";
@@ -724,6 +745,8 @@ function SandboxRecordFields({
   }
 
   const netOn = ["true", "1", "on", "yes"].includes(String(draft.networkAllow || "").trim().toLowerCase());
+  const browserOn = ["true", "1", "on", "yes"].includes(String(draft.browserAccess || "").trim().toLowerCase());
+  const browserHostMeta = (selectedAdapterMeta?.hostCatalog || []).find((h) => h.slug === String(draft.agentHost || "").trim());
 
   // Same cockpit interface + mental model as the API Registry lane, driven by
   // the serverless/scheduling/persistence derivation. Steps are status-only
@@ -735,6 +758,7 @@ function SandboxRecordFields({
     persistenceAdapters: serverlessSignals.persistenceAdapters,
     inlineEditing: true,
   });
+  const showServerlessUpgrade = String(draft.adapter || "").trim() !== "local-intelligence";
   function handleServerlessAction(action) {
     if (!action) return;
     if (action.id === "toggle-locality") setRunLocality(serverlessState.isServerless ? "local" : "serverless");
@@ -743,12 +767,14 @@ function SandboxRecordFields({
 
   return (
     <div className="dm-sandbox-config">
-      <ApiRegistryCreationCockpit
-        state={serverlessState}
-        onAction={handleServerlessAction}
-        disabled={!table.mutable || saving}
-        eyebrow={serverlessState.isServerless ? "Serverless workflow" : "Workflow runtime"}
-      />
+      {showServerlessUpgrade && (
+        <ApiRegistryCreationCockpit
+          state={serverlessState}
+          onAction={handleServerlessAction}
+          disabled={!table.mutable || saving}
+          eyebrow={serverlessState.isServerless ? "Serverless workflow" : "Workflow runtime"}
+        />
+      )}
       <DrawerSection title="Identity & Mode">
         <label className="dm-record-field">
           <span>Name</span>
@@ -791,7 +817,7 @@ function SandboxRecordFields({
           onChange={setRunLocality}
         />
         <p className="dm-cell-empty" style={{ fontSize: 11, marginTop: 6 }}>
-          Local uses process sandbox or Paperclip agent host on this machine. Serverless delegates to an API Registry URL (no local agent CLI).
+          Choose local execution or a scheduled serverless run.
         </p>
 
         {locality === "serverless" && table.objectId && (
@@ -883,7 +909,7 @@ function SandboxRecordFields({
             </label>
 
             <p className="dm-cell-empty" style={{ fontSize: 11, marginTop: 0 }}>
-              Uses <strong>Instructions</strong> + <strong>Command</strong> as the task payload. Tool intents in the JSON response are proposals only and are not executed by the workspace.
+              Uses <strong>Instructions</strong> + <strong>Command</strong> as the task payload. With browser access off, tool intents stay proposals. With browser access on, browser tool intents execute through the local browser bridge before the final JSON response is returned.
             </p>
           </div>
         )}
@@ -921,10 +947,12 @@ function SandboxRecordFields({
         </div>
 
         <ToggleField
-          checked={netOn}
-          disabled={!table.mutable || saving}
+          checked={netOn || browserOn}
+          disabled={!table.mutable || saving || (browserOn && !netOn)}
           label="Network allow-list mode"
-          description="When enabled, local runs honor GROWTHUB_SANDBOX_NET_* and the allow list below."
+          description={browserOn && !netOn
+            ? "Network enabled by browser access — the run route grants it even though this row's networkAllow is off. Turn browser access off to control network independently."
+            : "When enabled, local runs honor GROWTHUB_SANDBOX_NET_* and the allow list below."}
           onChange={(on) => patchFields({ networkAllow: on ? "true" : "false" })}
         />
 
@@ -937,6 +965,21 @@ function SandboxRecordFields({
             onBlur={(event) => patchFields({ allowList: event.target.value })}
           />
         </label>
+
+        <ToggleField
+          checked={browserOn}
+          disabled={!table.mutable || saving}
+          label="Browser access"
+          description="Allows this sandbox to use a real browser. Also enables network. Local intelligence uses the Playwright browser bridge; Codex/Claude use their native browser modes."
+          onChange={(on) => patchFields(on
+            ? { browserAccess: "true", networkAllow: "true" }
+            : { browserAccess: "false" })}
+        />
+        {browserOn && String(draft.adapter || "").trim() === "local-agent-host" && browserHostMeta && (
+          <p className="dm-cell-empty" style={{ fontSize: 11, marginTop: 4 }}>
+            {browserHostMeta.label}: {BROWSER_LANE_LABELS[browserHostMeta.browserLane] || BROWSER_LANE_LABELS["env-signal"]}
+          </p>
+        )}
       </DrawerSection>
 
       <DrawerSection title="Prompt & Limits">

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/data-model/components/OrchestrationNodeConfigPanel.jsx

@@ -20,6 +20,12 @@ const LOCAL_AGENT_ADAPTERS = [
   { value: "local-agent-host", label: "Local agent host" },
   { value: "local-intelligence", label: "Local intelligence" }
 ];
+const LOCAL_INTELLIGENCE_MODE_OPTIONS = [
+  { value: "ollama", label: "ollama (OLLAMA_BASE_URL + /v1/chat/completions)" },
+  { value: "lmstudio", label: "lmstudio (LMSTUDIO_BASE_URL)" },
+  { value: "vllm", label: "vllm (VLLM_BASE_URL required)" },
+  { value: "custom-openai-compatible", label: "custom (use Chat completions URL above)" }
+];
 const EMPTY_AGENT_AUTH_PATCH = {
   agentAuthStatus: "",
   agentAuthProvider: "",
@@ -427,9 +433,9 @@ function LocalAgentHostControls({
   onSandboxRowPatch
 }) {
   const row = sandboxRow && typeof sandboxRow === "object" ? sandboxRow : {};
-  const runLocality = String(row.runLocality || "local").trim().toLowerCase() === "serverless" ? "serverless" : "local";
   const adapter = String(row.adapter || "local-process").trim() || "local-process";
   const agentHost = String(row.agentHost || "").trim();
+  const browserOn = ["true", "1", "on", "yes"].includes(String(row.browserAccess || "").trim().toLowerCase());
   const hostOptions = getAgentHostOptions();
   const canPatch = typeof onSandboxRowPatch === "function";
 
@@ -444,36 +450,9 @@ function LocalAgentHostControls({
   return (
     <div className="dm-orchestration-config__section dm-workflow-agent-runtime">
       <span>Local agent runtime</span>
-      <div className="dm-sandbox-locality-toggle" role="group" aria-label="Run locality">
-        {["local", "serverless"].map((mode) => (
-          <button
-            key={mode}
-            type="button"
-            className={runLocality === mode ? "is-active" : ""}
-            disabled={disabled || !canPatch}
-            onClick={() => {
-              const fields = { runLocality: mode };
-              if (mode === "serverless" && ["local-agent-host", "local-intelligence"].includes(adapter)) {
-                fields.adapter = "local-process";
-                fields.agentHost = "";
-                patchWithClearedAgentAuth(fields);
-                return;
-              }
-              patch(fields);
-            }}
-          >
-            {mode === "local" ? "Local" : "Serverless"}
-          </button>
-        ))}
-      </div>
       <p className="dm-orchestration-config__hint">
         Same runtime fields as the Data Model sandbox sidecar. Local agent host uses the Paperclip thin adapter on this machine.
       </p>
-      {runLocality === "serverless" && (
-        <p className="dm-orchestration-config__hint">
-          Serverless delegates execution to the configured scheduler/API Registry row; local CLI auth is not used.
-        </p>
-      )}
       <label className="dm-orchestration-config__field">
         <span>Execution adapter</span>
         <select
@@ -482,6 +461,7 @@ function LocalAgentHostControls({
           onChange={(event) => {
             const nextAdapter = event.target.value;
             patchWithClearedAgentAuth({
+              runLocality: "local",
               adapter: nextAdapter,
               agentHost: nextAdapter === "local-agent-host" ? (agentHost || "claude_local") : ""
             });
@@ -492,13 +472,17 @@ function LocalAgentHostControls({
           ))}
         </select>
       </label>
-      {runLocality === "local" && adapter === "local-agent-host" && (
+      {adapter === "local-agent-host" && (
         <label className="dm-orchestration-config__field">
           <span>Agent host (Paperclip)</span>
           <select
             value={agentHost}
             disabled={disabled || !canPatch}
-            onChange={(event) => patchWithClearedAgentAuth({ agentHost: event.target.value })}
+            onChange={(event) => patchWithClearedAgentAuth({
+              runLocality: "local",
+              adapter: "local-agent-host",
+              agentHost: event.target.value
+            })}
           >
             <option value="">Select host...</option>
             {hostOptions.map((item) => (
@@ -507,7 +491,7 @@ function LocalAgentHostControls({
           </select>
         </label>
       )}
-      {runLocality === "local" && adapter === "local-agent-host" && isSandboxLocalAgentHost(row) && (
+      {adapter === "local-agent-host" && isSandboxLocalAgentHost(row) && (
         <SandboxAgentAuthPanel
           objectId={objectId}
           rowName={rowName}
@@ -516,10 +500,63 @@ function LocalAgentHostControls({
           onPatchDraft={patch}
         />
       )}
+      {adapter === "local-intelligence" && (
+        <div className="dm-sandbox-local-intel">
+          <label className="dm-orchestration-config__field">
+            <span>Concrete model id</span>
+            <input
+              value={row.localModel || ""}
+              disabled={disabled || !canPatch}
+              placeholder="gemma3:4b"
+              onChange={(event) => patch({ runLocality: "local", localModel: event.target.value })}
+            />
+          </label>
+          <label className="dm-orchestration-config__field">
+            <span>Chat completions URL (optional)</span>
+            <input
+              value={row.localEndpoint || ""}
+              disabled={disabled || !canPatch}
+              placeholder="http://127.0.0.1:11434/v1/chat/completions"
+              onChange={(event) => patch({ runLocality: "local", localEndpoint: event.target.value })}
+            />
+          </label>
+          <label className="dm-orchestration-config__field">
+            <span>Resolver mode</span>
+            <select
+              value={String(row.intelligenceAdapterMode || "ollama").trim().toLowerCase()}
+              disabled={disabled || !canPatch}
+              onChange={(event) => patch({ runLocality: "local", intelligenceAdapterMode: event.target.value })}
+            >
+              {LOCAL_INTELLIGENCE_MODE_OPTIONS.map((item) => (
+                <option key={item.value} value={item.value}>{item.label}</option>
+              ))}
+            </select>
+          </label>
+          <p className="dm-orchestration-config__hint">
+            Uses Instructions + Command as the task payload. With sandbox browser access off, tool intents stay proposals. With browser access on, browser tool intents execute through the local browser bridge before the final JSON response is returned.
+          </p>
+          {browserOn && (
+            <p className="dm-orchestration-config__hint">
+              This workflow's AI-agent nodes inherit browser access only when their node-level Network permission is enabled.
+            </p>
+          )}
+        </div>
+      )}
     </div>
   );
 }
 
+function buildNodeAgentAuthDraft(sandboxRow, config) {
+  const agentHost = String(config?.agentHost || sandboxRow?.agentHost || "").trim();
+  if (!agentHost) return null;
+  return {
+    ...(sandboxRow || {}),
+    runLocality: "local",
+    adapter: "local-agent-host",
+    agentHost
+  };
+}
+
 export function OrchestrationNodeConfigPanel({
   node,
   onConfigChange,
@@ -577,6 +614,28 @@ export function OrchestrationNodeConfigPanel({
 
   const registryConnected = isApiRegistryTestSuccessful(registryRow);
   const responseMode = config.responseMode || config.mode || "json";
+  const nodeAgentAuthDraft = type === "ai-agent" ? buildNodeAgentAuthDraft(sandboxRow, config) : null;
+  const canPatchSandboxRow = typeof onSandboxRowPatch === "function";
+  const sandboxBrowserOn = ["true", "1", "on", "yes"].includes(String(sandboxRow?.browserAccess || "").trim().toLowerCase());
+  const sandboxAdapter = String(sandboxRow?.adapter || "").trim();
+  const nodeAdapter = String(config.adapter || "").trim() || sandboxAdapter;
+  const nodeUsesLocalIntelligence = nodeAdapter === "local-intelligence";
+
+  function patchNodeAgentHost(agentHost) {
+    const nextHost = String(agentHost || "").trim();
+    patchConfig({
+      agentHost: nextHost,
+      ...(nextHost ? { adapter: "local-agent-host" } : {})
+    });
+    if (nextHost && canPatchSandboxRow) {
+      onSandboxRowPatch({
+        runLocality: "local",
+        adapter: "local-agent-host",
+        agentHost: nextHost,
+        ...EMPTY_AGENT_AUTH_PATCH
+      });
+    }
+  }
 
   return (
     <div className="dm-orchestration-config">
@@ -964,7 +1023,7 @@ export function OrchestrationNodeConfigPanel({
             <select
               value={config.agentHost || ""}
               disabled={disabled}
-              onChange={(e) => patchConfig({ agentHost: e.target.value })}
+              onChange={(e) => patchNodeAgentHost(e.target.value)}
             >
               <option value="">Inherit</option>
               {Object.entries(HOST_AUTH_CATALOG || {}).map(([slug, host]) => (
@@ -972,6 +1031,15 @@ export function OrchestrationNodeConfigPanel({
               ))}
             </select>
           </label>
+          {nodeAgentAuthDraft && isSandboxLocalAgentHost(nodeAgentAuthDraft) && (
+            <SandboxAgentAuthPanel
+              objectId={objectId}
+              rowName={rowName}
+              draft={nodeAgentAuthDraft}
+              disabled={disabled || !canPatchSandboxRow}
+              onPatchDraft={onSandboxRowPatch}
+            />
+          )}
           <WorkflowCheckbox
             checked={config.required !== false}
             disabled={disabled}
@@ -982,10 +1050,12 @@ export function OrchestrationNodeConfigPanel({
           <WorkflowCheckbox
             checked={config.networkAccess === true}
             disabled={disabled}
-            title="Network is granted only when both this and the row's networkAllow are on."
+            title={sandboxBrowserOn && nodeUsesLocalIntelligence
+              ? "Network and browser are granted only when this node permission is on and the sandbox row has browser access on."
+              : "Network is granted only when both this and the row's networkAllow are on. The row's browser access inherits through the same gate."}
             onChange={(checked) => patchConfig({ networkAccess: checked })}
           >
-            Network
+            {sandboxBrowserOn && nodeUsesLocalIntelligence ? "Network + browser" : "Network"}
           </WorkflowCheckbox>
         </div>
       )}
@@ -1025,8 +1095,15 @@ export function OrchestrationNodeConfigPanel({
             <WorkflowCheckbox checked={config.canWriteDraft === true} disabled={disabled} onChange={(checked) => patchConfig({ canWriteDraft: checked })}>
               Write draft changes only
             </WorkflowCheckbox>
-            <WorkflowCheckbox checked={config.networkAccess === true} disabled={disabled} onChange={(checked) => patchConfig({ networkAccess: checked })}>
-              Allow network access
+            <WorkflowCheckbox
+              checked={config.networkAccess === true}
+              disabled={disabled}
+              title={sandboxBrowserOn && nodeUsesLocalIntelligence
+                ? "This node gets browser access only when this permission and the sandbox row Browser access toggle are both on."
+                : undefined}
+              onChange={(checked) => patchConfig({ networkAccess: checked })}
+            >
+              {sandboxBrowserOn && nodeUsesLocalIntelligence ? "Allow network + browser access" : "Allow network access"}
             </WorkflowCheckbox>
           </div>
           <KeyValueRows

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/data-model/components/SandboxAgentAuthPanel.jsx

@@ -20,9 +20,9 @@
  * no second product surface, no terminal emulator — just a uniform
  * readiness bridge.
  *
- * Status values stamped on the row are intentionally distinct between
- * confirmed-authenticated ("active") and merely-installed ("reachable")
- * so the pill cannot overclaim auth from a `--version` probe.
+ * The pill represents selected local host readiness. Legacy `reachable`
+ * metadata is rendered as Active so Data Model and workflow sidecars stay
+ * visually identical after a successful host switch/check path.
  */
 
 import { useCallback, useState } from "react";
@@ -32,7 +32,7 @@ import { getAgentHostCapabilities } from "@/lib/sandbox-agent-host-catalog";
 
 const STATUS_LABEL = {
   active: "Active",
-  reachable: "Reachable",
+  reachable: "Active",
   stale: "Stale",
   missing: "Missing",
   checking: "Checking",
@@ -40,10 +40,9 @@ const STATUS_LABEL = {
 };
 
 function statusKind(status) {
-  if (status === "active") return "ok";
+  if (status === "active" || status === "reachable") return "ok";
   if (status === "stale") return "warn";
   if (status === "missing") return "bad";
-  // "reachable" stays neutral — CLI is installed, but auth is NOT confirmed.
   return "";
 }
 
@@ -62,15 +61,28 @@ export function SandboxAgentAuthPanel({ objectId, rowName, draft, disabled, onPa
   const [busy, setBusy] = useState(null); // "status" | "login" | "logout" | null
   const [output, setOutput] = useState(null);
   const [message, setMessage] = useState("");
+  const [localAuthState, setLocalAuthState] = useState(null);
 
   const capabilities = getAgentHostCapabilities(draft);
   const providerMatchesHost = String(draft?.agentAuthProvider || "").trim() === String(draft?.agentHost || "").trim();
+  const localMatchesHost =
+    localAuthState?.provider &&
+    String(localAuthState.provider || "").trim() === String(capabilities?.slug || "").trim();
   const currentStatus =
-    providerMatchesHost && typeof draft?.agentAuthStatus === "string" && draft.agentAuthStatus.trim()
-      ? draft.agentAuthStatus.trim()
-      : "unknown";
-  const lastChecked = providerMatchesHost ? draft?.agentAuthLastChecked || "" : "";
-  const lastMessage = providerMatchesHost ? draft?.agentAuthLastMessage || "" : "";
+    localMatchesHost && typeof localAuthState?.status === "string" && localAuthState.status.trim()
+      ? localAuthState.status.trim()
+      : providerMatchesHost && typeof draft?.agentAuthStatus === "string" && draft.agentAuthStatus.trim()
+        ? draft.agentAuthStatus.trim()
+        : "unknown";
+  const lastChecked = localMatchesHost && localAuthState?.checkedAt
+    ? localAuthState.checkedAt
+    : providerMatchesHost
+      ? draft?.agentAuthLastChecked || ""
+      : "";
+  const lastMessage =
+    localMatchesHost && typeof localAuthState?.message === "string"
+      ? localAuthState.message
+      : providerMatchesHost ? draft?.agentAuthLastMessage || "" : "";
   const displayMessage = normalizeAuthMessage(message || lastMessage, capabilities?.label)
     || (currentStatus === "unknown" ? "Run Check or Login to verify this local agent host." : "");
 
@@ -85,15 +97,23 @@ export function SandboxAgentAuthPanel({ objectId, rowName, draft, disabled, onPa
         const res = await fetch(endpoint, {
           method: "POST",
           headers: { "content-type": "application/json" },
-          body: JSON.stringify({ objectId, name: rowName })
+          body: JSON.stringify({ objectId, name: rowName, agentHost: capabilities.slug })
         });
         const payload = await res.json();
         setOutput(payload);
         setMessage(payload.message || (payload.ok ? "Done" : payload.error || "Failed"));
+        if (payload.status) {
+          setLocalAuthState({
+            status: payload.status,
+            provider: payload.provider || capabilities.slug,
+            checkedAt: payload.checkedAt || new Date().toISOString(),
+            message: payload.message || ""
+          });
+        }
         if (typeof onPatchDraft === "function" && payload.status) {
           onPatchDraft({
             agentAuthStatus: payload.status,
-            agentAuthProvider: payload.provider || draft?.agentHost || "unknown",
+            agentAuthProvider: payload.provider || capabilities.slug,
             agentAuthLastChecked: payload.checkedAt || new Date().toISOString(),
             agentAuthLastExitCode:
               typeof payload.exitCode === "number" ? payload.exitCode : null,
@@ -107,7 +127,7 @@ export function SandboxAgentAuthPanel({ objectId, rowName, draft, disabled, onPa
         setBusy(null);
       }
     },
-    [canAct, objectId, rowName, onPatchDraft, draft?.agentHost]
+    [canAct, objectId, rowName, onPatchDraft, capabilities?.slug]
   );
 
   const onCheckStatus = () =>

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/globals.css

@@ -6253,9 +6253,16 @@ body.workspace-rail-collapsed .workspace-builder.dm-workflow-page {
 .dm-sandbox-config > .dm-cockpit { width: 100%; margin: 12px 0 8px; box-sizing: border-box; }
 .dm-radio-row { display: grid; gap: 8px; }
 .dm-radio-row label, .dm-check-row { display: grid; grid-template-columns: 16px minmax(0,1fr); align-items: start; column-gap: 8px; color: #1f2937; font-size: 12px; line-height: 1.35; }
+.dm-check-row-compact { grid-template-columns: 16px max-content 22px; align-items: center; width: fit-content; max-width: 100%; }
 .dm-radio-row input[type="radio"], .dm-check-row input[type="checkbox"] { width: 14px; height: 14px; margin: 1px 0 0; padding: 0; box-shadow: none; accent-color: #111827; }
 .dm-radio-row span, .dm-check-row span { color: #1f2937; font-size: 12px; font-weight: 500; }
 .dm-check-row { cursor: pointer; }
+.dm-check-row-compact > label { color: #1f2937; font-size: 12px; font-weight: 500; cursor: pointer; }
+.dm-help-wrap { position: relative; display: inline-flex; align-items: center; min-width: 0; }
+.dm-icon-help { width: 18px; height: 18px; display: inline-flex; align-items: center; justify-content: center; border: 0; border-radius: 4px; background: transparent; color: #64748b; padding: 0; cursor: help; }
+.dm-icon-help:hover, .dm-icon-help:focus-visible { background: #f1f5f9; color: #334155; outline: none; }
+.dm-help-bubble { position: absolute; z-index: 80; left: 22px; top: 50%; transform: translateY(-50%); width: min(280px, calc(100vw - 48px)); display: none; border: 1px solid #cbd5e1; border-radius: 6px; background: #fff; box-shadow: 0 12px 30px rgba(15,23,42,.16); color: #334155; font-size: 11px; font-weight: 500; line-height: 1.4; padding: 8px 9px; }
+.dm-help-wrap:hover .dm-help-bubble, .dm-help-bubble.is-open { display: block; }
 .dm-select { position: relative; width: 100%; min-width: 0; font-size: 11px; }
 .dm-select-trigger { width: 100%; min-height: 32px; display: flex; align-items: center; justify-content: space-between; gap: 8px; border: 1px solid #cbd5e1; border-radius: 7px; background: #fff; color: #111827; box-shadow: 0 1px 2px rgba(15,23,42,.05); font: inherit; font-size: 11px; padding: 6px 10px; text-align: left; cursor: pointer; transition: border-color .12s, box-shadow .12s, background .12s; }
 .dm-select-trigger:hover:not(:disabled) { border-color: #94a3b8; box-shadow: 0 2px 8px rgba(15,23,42,.08); }