@growthub/cli 0.14.1 → 0.14.3

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/workflows/WorkflowSurface.jsx

@@ -44,6 +44,11 @@ import {
   validateOrchestrationGraph
 } from "@/lib/orchestration-graph";
 import { resolveConnectorAction } from "@/lib/orchestration-sidecar-routing";
+import {
+  nodeSandboxRecordRef,
+  patchSandboxRowInConfig,
+  withGraphSandboxRecordRefs
+} from "@/lib/orchestration-publish";
 import { OrchestrationGraphCanvas } from "../data-model/components/OrchestrationGraphCanvas.jsx";
 import { OrchestrationGraphEmptyCanvas } from "../data-model/components/OrchestrationGraphEmptyCanvas.jsx";
 import { OrchestrationNodeConfigPanel } from "../data-model/components/OrchestrationNodeConfigPanel.jsx";
@@ -117,47 +122,6 @@ function resolveRegistryRefForSandbox(workspaceConfig, sandboxRow) {
   return firstRegistryRow ? { object: firstRegistryObject, row: firstRegistryRow } : null;
 }
 
-function patchSandboxRowInConfig(workspaceConfig, objectId, rowIndex, fields) {
-  const objects = Array.isArray(workspaceConfig?.dataModel?.objects) ? workspaceConfig.dataModel.objects : [];
-  return {
-    ...workspaceConfig,
-    dataModel: {
-      ...workspaceConfig.dataModel,
-      objects: objects.map((object) => {
-        if (object?.id !== objectId) return object;
-        const rows = Array.isArray(object.rows) ? object.rows : [];
-        return {
-          ...object,
-          rows: rows.map((row, index) => (index === rowIndex ? { ...row, ...fields } : row)),
-        };
-      }),
-    },
-  };
-}
-
-function nodeSandboxRecordRef(objectId, rowName, nodeId) {
-  return {
-    objectId: String(objectId || "").trim(),
-    rowName: String(rowName || "").trim(),
-    nodeId: String(nodeId || "").trim()
-  };
-}
-
-function withGraphSandboxRecordRefs(graph, objectId, rowName) {
-  const parsed = parseOrchestrationGraph(graph) || graph;
-  if (!parsed || typeof parsed !== "object") return parsed;
-  return {
-    ...parsed,
-    nodes: (Array.isArray(parsed.nodes) ? parsed.nodes : []).map((node) => ({
-      ...node,
-      config: {
-        ...(node?.config || {}),
-        sandboxRecordRef: nodeSandboxRecordRef(objectId, rowName, node?.id)
-      }
-    }))
-  };
-}
-
 const WORKFLOW_ACTION_GROUPS = [
   {
     label: "Data",
@@ -201,90 +165,6 @@ function getWorkspaceObjectOptions(workspaceConfig) {
     }));
 }
 
-function normalizeDeltaTags(tags) {
-  return Array.from(new Set((Array.isArray(tags) ? tags : [])
-    .map((tag) => String(tag || "").trim().toLowerCase())
-    .filter(Boolean)));
-}
-
-function inferDeltaTagsForWorkflowNode(node, config) {
-  const tags = [];
-  const type = String(node?.type || "").trim();
-  const action = String(config?.action || node?.id || "").trim();
-  if (type === "thinAdapter") tags.push("model", "prompt", "routing");
-  if (type === "ai-agent") tags.push("model", "prompt", "output");
-  if (type === "data-action" || type === "data-trigger") tags.push("input", "output");
-  if (type === "flow-control") tags.push("routing");
-  if (type === "core-action") tags.push("runtime");
-  if (type === "human-input") tags.push("input");
-  if (action.includes("search") || action.includes("filter")) tags.push("evaluation", "guardrail");
-  if (action.includes("delete") || config?.confirmationRequired) tags.push("guardrail");
-  if (action.includes("http") || config?.url || config?.method) tags.push("routing", "input", "output");
-  if (action.includes("email")) tags.push("input", "output");
-  if (action.includes("delay") || config?.duration || config?.unit) tags.push("runtime");
-  if (config?.objectId || config?.fieldMap || config?.filters) tags.push("input", "output");
-  if (config?.model || config?.prompt) tags.push("model", "prompt");
-  return normalizeDeltaTags(tags);
-}
-
-function getNodeDeltaRecords(previousGraph, nextGraph) {
-  const previousNodes = new Map(
-    (Array.isArray(previousGraph?.nodes) ? previousGraph.nodes : [])
-      .map((node) => [String(node?.id || ""), node])
-      .filter(([id]) => id)
-  );
-
-  return (Array.isArray(nextGraph?.nodes) ? nextGraph.nodes : [])
-    .map((node) => {
-      const nodeId = String(node?.id || "").trim();
-      if (!nodeId) return null;
-      const previous = previousNodes.get(nodeId);
-      const config = node?.config && typeof node.config === "object" && !Array.isArray(node.config) ? node.config : {};
-      const previousConfig = previous?.config && typeof previous.config === "object" && !Array.isArray(previous.config)
-        ? previous.config
-        : {};
-      const currentComparable = JSON.stringify({
-        type: node?.type || "",
-        sandbox: node?.sandbox || "",
-        label: node?.label || "",
-        subtitle: node?.subtitle || "",
-        config
-      });
-      const previousComparable = JSON.stringify({
-        type: previous?.type || "",
-        sandbox: previous?.sandbox || "",
-        label: previous?.label || "",
-        subtitle: previous?.subtitle || "",
-        config: previousConfig
-      });
-      const explicitTags = normalizeDeltaTags(config.deltaTags);
-      const deltaTags = explicitTags.length > 0 ? explicitTags : inferDeltaTagsForWorkflowNode(node, config);
-      const changeReason = String(config.changeReason || "").trim();
-      const changed = currentComparable !== previousComparable;
-      if (!changed && !changeReason && deltaTags.length === 0) return null;
-      return {
-        nodeId,
-        nodeType: String(node?.type || ""),
-        label: String(node?.label || node?.sandbox || nodeId),
-        sandboxRecordRef: config.sandboxRecordRef || null,
-        changeReason,
-        deltaTags,
-        requiresRetest: config.requiresRetest !== false,
-        previous: previous ? {
-          type: String(previous.type || ""),
-          sandbox: String(previous.sandbox || ""),
-          label: String(previous.label || "")
-        } : null,
-        next: {
-          type: String(node.type || ""),
-          sandbox: String(node.sandbox || ""),
-          label: String(node.label || "")
-        }
-      };
-    })
-    .filter(Boolean);
-}
-
 function makeWorkflowNode(action, workspaceConfig, graph) {
   const baseId = String(action.id || action.type || "step").replace(/[^a-zA-Z0-9_-]+/g, "-");
   const existingIds = new Set((Array.isArray(graph?.nodes) ? graph.nodes : []).map((node) => String(node.id)));
@@ -606,54 +486,31 @@ export default function WorkflowSurface() {
 
   async function publishGraph() {
     if (resolved.rowIndex < 0 || !objectId) return;
+    // Publish is server-authoritative: POST /api/workspace/workflow/publish
+    // verifies the saved draft + passing test against the persisted row and
+    // owns the version bump, delta record, and draft → live promotion.
+    // Direct PATCH of live workflow fields is rejected by the runtime policy.
     const serialized = serializeCurrentGraph();
-    const draftPassed = sandboxRow?.orchestrationDraftTestPassed === true || String(sandboxRow?.orchestrationDraftTestPassed || "") === "true";
-    const testedConfig = String(sandboxRow?.orchestrationDraftTestedConfig || "");
-    if (!draftPassed || testedConfig !== serialized) {
-      setSaveMessage("Publish blocked. Save and test this exact draft successfully before publishing.");
+    const savedDraft = String(sandboxRow?.[draftFieldName] || "");
+    if (dirty || serialized !== savedDraft) {
+      setSaveMessage("Publish blocked. Save this draft first — publish promotes the saved, tested draft.");
       return;
     }
     setPublishing(true);
     setSaveMessage("");
     try {
-      const currentVersion = Number(sandboxRow?.version || 1);
-      const nextVersion = Number.isFinite(currentVersion) ? String(currentVersion + 1) : "1";
-      const previousDeltas = Array.isArray(sandboxRow?.orchestrationDeltas) ? sandboxRow.orchestrationDeltas : [];
-      const previousPublishedGraph = parseOrchestrationGraph(sandboxRow?.[effectiveFieldName]);
-      const graphWithRefs = withGraphSandboxRecordRefs(orchestrationGraph, objectId, rowId);
-      const nodeDeltas = getNodeDeltaRecords(previousPublishedGraph, graphWithRefs);
-      const deltaTags = normalizeDeltaTags(nodeDeltas.flatMap((delta) => delta.deltaTags));
-      const changeReason = nodeDeltas.map((delta) => delta.changeReason).filter(Boolean).join("\n");
-      const next = patchSandboxRowInConfig(workspaceConfig, objectId, resolved.rowIndex, {
-        [effectiveFieldName]: serialized,
-        [draftFieldName]: "",
-        version: nextVersion,
-        lifecycleStatus: "live",
-        orchestrationDraftStatus: "published",
-        orchestrationDraftTestPassed: false,
-        orchestrationDraftTestedConfig: "",
-        orchestrationPublishedAt: new Date().toISOString(),
-        orchestrationDeltas: [
-          ...previousDeltas,
-          {
-            at: new Date().toISOString(),
-            version: nextVersion,
-            field: effectiveFieldName,
-            action: "publish",
-            previousVersion: String(sandboxRow?.version || "1"),
-            draftTestedAt: sandboxRow?.orchestrationDraftLastTested || "",
-            draftRunId: sandboxRow?.orchestrationDraftLastRunId || "",
-            changeReason,
-            deltaTags,
-            nodeDeltas,
-            nodeCount: Array.isArray(orchestrationGraph?.nodes) ? orchestrationGraph.nodes.length : 0,
-            edgeCount: Array.isArray(orchestrationGraph?.edges) ? orchestrationGraph.edges.length : 0
-          }
-        ]
+      const res = await fetch("/api/workspace/workflow/publish", {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ objectId, name: rowId, field: effectiveFieldName }),
       });
-      await persistWorkspace(next);
+      const payload = await res.json();
+      if (!res.ok || !payload.ok) {
+        throw new Error(payload.error || "Publish failed");
+      }
+      setWorkspaceConfig(payload.workspaceConfig || workspaceConfig);
       setDirty(false);
-      setSaveMessage(`Published orchestration config v${nextVersion}.`);
+      setSaveMessage(`Published orchestration config v${payload.version}.`);
     } catch (err) {
       setSaveMessage(err.message || "Publish failed");
     } finally {
@@ -912,6 +769,7 @@ export default function WorkflowSurface() {
       })
     : null;
   const isServerlessWorkflow = Boolean(serverlessState?.isServerless);
+  const showServerlessUpgrade = String(sandboxRow?.adapter || "").trim() !== "local-intelligence";
 
   async function patchSandboxAndPersist(fields) {
     if (resolved.rowIndex < 0 || !objectId || !workspaceConfig) return;
@@ -1013,7 +871,7 @@ export default function WorkflowSurface() {
             >
               <ArrowUp size={13} />
             </button>
-            {sandboxRow && (
+            {sandboxRow && showServerlessUpgrade && (
               <button
                 type="button"
                 className={"dm-workflow-icon-btn dm-workflow-upgrade-btn" + (isServerlessWorkflow ? " is-serverless" : (upgradeState.showOnboarding ? " is-pulse" : ""))}
@@ -1051,7 +909,13 @@ export default function WorkflowSurface() {
                 <Power size={13} /> {publishing ? "Publishing" : "Publish"}
               </button>
             )}
-            <button type="button" className="dm-workflow-chip-btn" disabled={!sandboxRow} onClick={openTraceMode}>
+            <button
+              type="button"
+              className="dm-workflow-chip-btn"
+              onClick={() => {
+                if (sandboxRow) openTraceMode();
+              }}
+            >
               <History size={13} /> See Runs
             </button>
             {sidecarMode === "trace" && (
@@ -1093,7 +957,7 @@ export default function WorkflowSurface() {
 
         {/* One-time serverless upgrade onboarding — shows only when the operator
             has workflows but none are serverless, and hasn't dismissed it. */}
-        {sandboxRow && !upgradeOpen && upgradeState.showOnboarding ? (
+        {sandboxRow && showServerlessUpgrade && !upgradeOpen && upgradeState.showOnboarding ? (
           <div className="workspace-template-context-banner dm-workflow-upgrade-nudge" role="note">
             <div>
               <strong>{upgradeState.headline}</strong>
@@ -1111,7 +975,7 @@ export default function WorkflowSurface() {
         {/* Serverless cockpit — same derivation + cockpit interface as the API
             Registry and sandbox lanes. Toggles patch the sandbox row; deep config
             (scheduler/adapter) routes to the object's Data Model drawer. */}
-        {sandboxRow && upgradeOpen && serverlessState ? (
+        {sandboxRow && showServerlessUpgrade && upgradeOpen && serverlessState ? (
           <div className="dm-workflow-upgrade-panel">
             <div className="dm-workflow-upgrade-panel-head">
               <span className="dm-api-action-card-eyebrow">Persistence &amp; scheduling</span>
@@ -1233,6 +1097,8 @@ export default function WorkflowSurface() {
                     graph={orchestrationGraph}
                     objectId={objectId}
                     rowName={rowId}
+                    sandboxRow={sandboxRow}
+                    onSandboxRowPatch={patchSandboxRuntimeFields}
                     disabled={false}
                     onGraphChange={(updater) => {
                       setOrchestrationGraph((g) => (typeof updater === "function" ? updater(g) : updater));

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/docs/sandbox-environment-primitive.md

@@ -23,6 +23,32 @@ Agents and streamed APIs elsewhere in the sandbox stay orthogonal: serverless sw
 
 Sandbox rows reference **`authRef` / named env refs** — never literals in browser or config records. Scheduling uses the referenced API Registry row’s **`authRef`** merge rules identical to **`/api/workspace/test-source`**.
 
+## Browser access (`browserAccess`)
+
+`browserAccess` is a first-class boolean column on the sandbox row, surfaced as a single toggle in the record sidecar's **Environment & Network** section. It is locality-agnostic and agent-host-agnostic: the saved record carries the capability, and each execution path grants it through the mechanism that path actually understands.
+
+**Deterministic normalization** — browser access implies outbound network. The sidecar toggle stamps `networkAllow: "true"` when browser access is switched on, and `POST /api/workspace/sandbox-run` enforces the same implication server-side (`networkAllow || browserAccess`), so rows patched via the API behave identically to rows saved in the UI.
+
+**This is the product's existing agent browser primitive, surfaced — not a new system.** The upstream Paperclip server already grants any agent browser access through one boolean: the agent config's `chrome` primitive (`ui/src/components/agent-config-primitives.tsx` — "Enable Claude's Chrome integration by passing --chrome"), gated by the chrome-lease service (`server/src/services/chrome-lease.ts`) before `adapter.execute()`. The CMS profile contract likewise speaks `allowBrowserBridge` and execution mode `"browser"`. `browserAccess` is the same bit on the governed sandbox row, so rows stay portable to the upstream adapter registry without translation — exactly like the host slugs.
+
+**Local (`local-agent-host`)** — when the row's bit is on, each host engages its **first-party** browser integration; the adapter never invents flags or writes host config it cannot verify against the upstream tool (the same rule the auth catalog follows for login subcommands):
+
+| Lane | Hosts | Mechanism |
+| --- | --- | --- |
+| `native-flag` | Claude Code | `--chrome` — Claude's own Chrome integration, the same flag the upstream server adapter passes for the agent `chrome` primitive. |
+| `native-flag` | Codex | `--enable browser_use --enable in_app_browser` (with `--sandbox workspace-write`). |
+| `env-signal` | Cursor, Gemini, Qwen, OpenCode, Pi, Hermes, OpenClaw Gateway | The host receives `GROWTHUB_SANDBOX_BROWSER_ACCESS=1` (mirroring the upstream browser-isolation context); whatever browser integration the operator has configured in that host honors the row's setting. |
+
+The lane engaged for a run is recorded in `adapterMeta.browserLane`, and the run-console record projection surfaces `context.browserAccess` plus the full `adapterMeta`, so every run shows its browser proof. No host-global config (`~/.claude`, `~/.codex`, …) is ever mutated.
+
+**Orchestration graph** — this is why browser access is node-level and host-agnostic with zero extra configuration: `thinAdapter` and `ai-agent` nodes execute through this same host catalog, so every node inherits the row's browser grant no matter which host runs it (subagent nodes through the existing node-level Network gate; orchestrator and synthesis phases directly).
+
+One deliberate decision, stated explicitly: **Codex `workspace-write` on `networkAllow` alone is intentional.** Codex's `read-only` sandbox blocks all outbound network, so `workspace-write` is the least-privileged Codex mode where the row's network grant can take effect — and writes are confined to the sealed ephemeral workdir the adapter spawns into, never the operator's repo. Browser flags remain gated on `browserAccess` only; network alone never opens a browser.
+
+**Local (`local-process`)** and every other adapter — the sealed RunRequest carries `browserAccess: boolean`, and the env contract publishes `GROWTHUB_SANDBOX_BROWSER_ACCESS=1|0` alongside `GROWTHUB_SANDBOX_NET_ALLOW(LIST)`, so any script or drop-zone adapter honors the row's setting without knowing about specific hosts.
+
+**Serverless** — the `growthub-sandbox-run-v1` envelope carries `sandbox.browserAccess` (plus `networkAllow` / `allowList`), so a workflow upgraded from local to serverless keeps the identical capability contract: the Edge/QStash/cron handler reads one boolean and grants its own runtime's browser (e.g. a remote browser pool or hosted agent's browser tool). No host-specific knowledge crosses the wire — slugs and booleans only, never secrets.
+
 ## Not a widget source
 
 Workspace Builder excludes **`sandbox-environment`** from View widget bindings (execution records, not tabular KPI sources). See **`data-sources-api-registry.md`** in this folder.