@growthub/cli 0.14.1 → 0.14.3

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/sandbox-agent-auth.js

@@ -34,15 +34,14 @@
  * on-disk auth state; this module only records *readiness*, not secrets.
  *
  * The status semantics are deliberately conservative:
- *   - "active"    a real auth probe confirmed authentication (auth-status
- *                 exit 0 with auth-shaped output, or a clean login exit)
- *   - "reachable" the binary is callable (version probe exit 0) — but
- *                 authentication is NOT yet confirmed
+ *   - "active"    the selected pinned host CLI is callable and ready for the
+ *                 local agent-host bridge, or a clean login exit completed
+ *   - "reachable" legacy metadata value treated as active by the UI
  *   - "stale"    the binary printed auth-shaped failure output
  *   - "missing"  binary not found on PATH
  *
- * A `--version` probe NEVER promotes to "active". The next sandbox-run is
- * the final source of truth for session readiness.
+ * A successful host probe promotes to "active" because the sidecar represents
+ * selected local host readiness, not provider-account auth semantics.
  */
 
 import { spawn } from "node:child_process";
@@ -132,6 +131,38 @@ function assertAgentHostEligible(row, { requireLogin = false, requireLogout = fa
   return { spec, agentHost };
 }
 
+function normalizeAgentHostOverride(agentHost) {
+  const nextAgentHost = String(agentHost || "").trim();
+  if (!nextAgentHost) return "";
+  if (!getHostAuthSpec(nextAgentHost)) {
+    const error = new Error(
+      `Agent auth setup is not registered for agentHost "${nextAgentHost}"`
+    );
+    error.code = "SANDBOX_AGENT_AUTH_HOST_UNSUPPORTED";
+    throw error;
+  }
+  return nextAgentHost;
+}
+
+function applyAgentHostOverride(row, agentHost) {
+  if (!agentHost) return row;
+  return {
+    ...row,
+    runLocality: "local",
+    adapter: "local-agent-host",
+    agentHost
+  };
+}
+
+function buildAgentHostSelectionPatch(agentHost) {
+  if (!agentHost) return {};
+  return {
+    runLocality: "local",
+    adapter: "local-agent-host",
+    agentHost
+  };
+}
+
 function resolveHostBinary(row, spec) {
   const candidates = [row?.agentCommand, row?.claudeCommand];
   for (const candidate of candidates) {
@@ -205,9 +236,24 @@ function hasAny(patterns, text) {
   return patterns.some((p) => p.test(text));
 }
 
+function deriveStatusFromAuthStatusJson(text) {
+  if (!text || typeof text !== "string") return null;
+  const trimmed = text.trim();
+  if (!trimmed.startsWith("{")) return null;
+  try {
+    const parsed = JSON.parse(trimmed);
+    if (parsed && typeof parsed === "object" && typeof parsed.loggedIn === "boolean") {
+      return parsed.loggedIn ? "active" : "stale";
+    }
+  } catch {}
+  return null;
+}
+
 function deriveStatusFromAuthStatusProbe({ exitCode, stdout = "", stderr = "", spawnError }) {
   if (spawnError) return spawnError.notFound ? "missing" : null;
   const combined = `${stdout}\n${stderr}`;
+  const jsonStatus = deriveStatusFromAuthStatusJson(stdout) || deriveStatusFromAuthStatusJson(stderr);
+  if (jsonStatus) return jsonStatus;
   if (hasAny(UNKNOWN_SUBCOMMAND_PATTERNS, combined)) return null; // fall back
   if (hasAny(STALE_AUTH_PATTERNS, combined)) return "stale";
   if (exitCode === 0) return "active";
@@ -219,7 +265,7 @@ function deriveStatusFromAuthStatusProbe({ exitCode, stdout = "", stderr = "", s
 
 function deriveStatusFromVersionProbe({ exitCode, stderr, spawnError }) {
   if (spawnError) return spawnError.notFound ? "missing" : "unknown";
-  if (typeof exitCode === "number" && exitCode === 0) return "reachable";
+  if (typeof exitCode === "number" && exitCode === 0) return "active";
   const text = String(stderr || "");
   if (hasAny(STALE_AUTH_PATTERNS, text)) return "stale";
   return "unknown";
@@ -237,8 +283,8 @@ function deriveLoginStatus({ exitCode, stderr, stdout, timedOut, spawnError }) {
 function shortMessage({ status, label, exitCode, error, loginUrl }) {
   const name = label || "Local agent CLI";
   if (error) return `${name}: ${redactSecrets(String(error))}`;
-  if (status === "active") return loginUrl ? "Login completed." : "Authenticated.";
-  if (status === "reachable") return "CLI reachable. Run Login to verify authentication.";
+  if (status === "active") return loginUrl ? "Login completed." : "Active.";
+  if (status === "reachable") return "Active.";
   if (status === "stale") return "Authentication needs setup. Run Login, then run the sandbox again.";
   if (status === "missing") return `${name} not found. Install it and try again.`;
   if (status === "checking") return `Checking ${name}…`;
@@ -329,16 +375,18 @@ function runCommand({ binary, args, cwd, timeoutMs, stdin }) {
 // Public API — login / logout / status
 // ──────────────────────────────────────────────────────────────────────────
 
-async function runAgentLogin({ objectId, name }) {
+async function runAgentLogin({ objectId, name, agentHost }) {
   const workspaceConfig = await readWorkspaceConfig();
   const { object, row, rowIndex } = findSandboxRow(workspaceConfig, objectId, name);
   if (!object) throw notFoundError(`no sandbox-environment object with id ${objectId}`);
   if (!row) throw notFoundError(`no sandbox row named ${name} in object ${objectId}`);
 
-  const { spec, agentHost } = assertAgentHostEligible(row, { requireLogin: true });
+  const selectedAgentHost = normalizeAgentHostOverride(agentHost);
+  const effectiveRow = applyAgentHostOverride(row, selectedAgentHost);
+  const { spec, agentHost: effectiveAgentHost } = assertAgentHostEligible(effectiveRow, { requireLogin: true });
 
-  const binary = resolveHostBinary(row, spec);
-  const cwd = resolveCwd(row);
+  const binary = resolveHostBinary(effectiveRow, spec);
+  const cwd = resolveCwd(effectiveRow);
   const startedAt = Date.now();
 
   const result = await runCommand({
@@ -356,20 +404,21 @@ async function runAgentLogin({ objectId, name }) {
 
   const patch = buildRowPatch({
     status,
-    provider: agentHost,
+    provider: effectiveAgentHost,
     checkedAt,
     exitCode: result.exitCode,
     loginUrl,
     label: spec.label,
     spawnError: result.spawnError
   });
+  Object.assign(patch, buildAgentHostSelectionPatch(selectedAgentHost));
 
   await applyRowPatch({ workspaceConfig, object, rowIndex, patch });
 
   return {
     ok: status === "active",
     status,
-    provider: agentHost,
+    provider: effectiveAgentHost,
     label: spec.label,
     binary,
     cwd,
@@ -384,16 +433,18 @@ async function runAgentLogin({ objectId, name }) {
   };
 }
 
-async function runAgentLogout({ objectId, name }) {
+async function runAgentLogout({ objectId, name, agentHost }) {
   const workspaceConfig = await readWorkspaceConfig();
   const { object, row, rowIndex } = findSandboxRow(workspaceConfig, objectId, name);
   if (!object) throw notFoundError(`no sandbox-environment object with id ${objectId}`);
   if (!row) throw notFoundError(`no sandbox row named ${name} in object ${objectId}`);
 
-  const { spec, agentHost } = assertAgentHostEligible(row, { requireLogout: true });
+  const selectedAgentHost = normalizeAgentHostOverride(agentHost);
+  const effectiveRow = applyAgentHostOverride(row, selectedAgentHost);
+  const { spec, agentHost: effectiveAgentHost } = assertAgentHostEligible(effectiveRow, { requireLogout: true });
 
-  const binary = resolveHostBinary(row, spec);
-  const cwd = resolveCwd(row);
+  const binary = resolveHostBinary(effectiveRow, spec);
+  const cwd = resolveCwd(effectiveRow);
   const startedAt = Date.now();
 
   let exitCode = null;
@@ -422,7 +473,7 @@ async function runAgentLogout({ objectId, name }) {
 
   const patch = buildRowPatch({
     status,
-    provider: agentHost,
+    provider: effectiveAgentHost,
     checkedAt,
     exitCode,
     loginUrl: null,
@@ -432,13 +483,14 @@ async function runAgentLogout({ objectId, name }) {
   patch.agentAuthLastMessage = spawnError?.notFound
     ? shortMessage({ status: "missing", label: spec.label })
     : `${spec.label} logged out — auth will be required before next run.`;
+  Object.assign(patch, buildAgentHostSelectionPatch(selectedAgentHost));
 
   await applyRowPatch({ workspaceConfig, object, rowIndex, patch });
 
   return {
     ok: !spawnError,
     status,
-    provider: agentHost,
+    provider: effectiveAgentHost,
     label: spec.label,
     binary,
     cwd,
@@ -451,16 +503,18 @@ async function runAgentLogout({ objectId, name }) {
   };
 }
 
-async function checkAgentStatus({ objectId, name }) {
+async function checkAgentStatus({ objectId, name, agentHost }) {
   const workspaceConfig = await readWorkspaceConfig();
   const { object, row, rowIndex } = findSandboxRow(workspaceConfig, objectId, name);
   if (!object) throw notFoundError(`no sandbox-environment object with id ${objectId}`);
   if (!row) throw notFoundError(`no sandbox row named ${name} in object ${objectId}`);
 
-  const { spec, agentHost } = assertAgentHostEligible(row);
+  const selectedAgentHost = normalizeAgentHostOverride(agentHost);
+  const effectiveRow = applyAgentHostOverride(row, selectedAgentHost);
+  const { spec, agentHost: effectiveAgentHost } = assertAgentHostEligible(effectiveRow);
 
-  const binary = resolveHostBinary(row, spec);
-  const cwd = resolveCwd(row);
+  const binary = resolveHostBinary(effectiveRow, spec);
+  const cwd = resolveCwd(effectiveRow);
 
   // Two-phase probe:
   //   1. If the catalog declares an auth-status subcommand, try it first.
@@ -503,20 +557,21 @@ async function checkAgentStatus({ objectId, name }) {
 
   const patch = buildRowPatch({
     status,
-    provider: agentHost,
+    provider: effectiveAgentHost,
     checkedAt,
     exitCode: usedResult.exitCode,
     loginUrl: null,
     label: spec.label,
     spawnError: usedResult.spawnError
   });
+  Object.assign(patch, buildAgentHostSelectionPatch(selectedAgentHost));
 
   await applyRowPatch({ workspaceConfig, object, rowIndex, patch });
 
   return {
     ok: status === "active",
     status,
-    provider: agentHost,
+    provider: effectiveAgentHost,
     label: spec.label,
     binary,
     cwd,

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/sandbox-serverless-flow.js

@@ -70,6 +70,7 @@ function deriveSandboxServerlessState(input = {}) {
 
   const locality = clean(row.runLocality).toLowerCase() === "serverless" ? "serverless" : "local";
   const isServerless = locality === "serverless";
+  const browserAccess = ["true", "1", "on", "yes"].includes(clean(row.browserAccess).toLowerCase());
   const adapterId = clean(row.adapter);
   const adapterChosen = Boolean(adapterId);
 
@@ -162,8 +163,8 @@ function deriveSandboxServerlessState(input = {}) {
     label: isServerless ? "Run on the scheduler" : "Run locally",
     status: "optional",
     description: isServerless
-      ? "Once the scheduler, auth, and store are ready, run delegates to the serverless scheduler."
-      : "Run this workflow in-process.",
+      ? `Once the scheduler, auth, and store are ready, run delegates to the serverless scheduler.${browserAccess ? " Browser access travels with the run in the growthub-sandbox-run-v1 envelope (sandbox.browserAccess), so the remote handler grants the same capability as a local run." : ""}`
+      : `Run this workflow in-process.${browserAccess ? (adapterId === "local-intelligence" ? " Browser access is executed by the local-intelligence browser bridge." : " Browser access is engaged through the selected agent host's first-party browser integration.") : ""}`,
     action: inline({ id: "run-sandbox", label: "Run" }),
   });
 
@@ -192,6 +193,7 @@ function deriveSandboxServerlessState(input = {}) {
     version: 1,
     locality,
     isServerless,
+    browserAccess,
     adapterChosen,
     schedulerLinked,
     schedulerHealthy,

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/lib/workspace-activation.js

@@ -27,6 +27,10 @@
  *   - Backwards-compatible: a workspace with no `provenance` block still
  *     produces a valid (generic) activation state.
  *
+ * Sole import: lib/workspace-app-registry.js — the equally pure,
+ * dependency-free App Registry derivation module the Fleet lens reads
+ * (roadmap Item 4's runtime surface-metadata source).
+ *
  * The output shape:
  *
  *   {
@@ -54,6 +58,13 @@
  *   }
  */
 
+import {
+  APP_REGISTRY_OBJECT_ID,
+  deriveAppHealth,
+  deriveAppNextAction,
+  listAppSurfaceRows
+} from "./workspace-app-registry.js";
+
 const ACTIVATION_KIND = "growthub-workspace-activation-state-v1";
 const ACTIVATION_VERSION = 1;
 
@@ -1217,16 +1228,85 @@ function deriveAppBuildLensState(input = {}) {
   };
 }
 
+/**
+ * Fleet lens (roadmap Item 4 — now un-staged). The precondition named in
+ * docs/ROADMAP_IMPACT_ITEMS_V1.md is satisfied: the runtime surface-metadata
+ * source is the governed `workspace-app-registry` Data Model object
+ * (lib/workspace-app-registry.js). Each registered application derives one
+ * step: status from its health rollup (linked workflows/APIs/data sources +
+ * persistence/deploy flags), description from its computed next action, href
+ * into the real surface that unblocks it. Pure, no secrets, never throws.
+ */
+function deriveFleetLensState(input = {}) {
+  const cfg = isPlainObject(input?.workspaceConfig) ? input.workspaceConfig : {};
+  const records = isPlainObject(input?.workspaceSourceRecords) ? input.workspaceSourceRecords : {};
+  const dur = deriveRuntimeDurability(input?.metadataGraph);
+  const runtimeFlags = {
+    durable: dur.durable,
+    readOnly: dur.readOnly,
+    deployReady: deriveDeployLensState(input).complete
+  };
+
+  const rows = listAppSurfaceRows(cfg);
+  const steps = [];
+  if (rows.length === 0) {
+    steps.push({
+      id: "register-first-app",
+      label: "Register your first application surface",
+      description: `Create the ${APP_REGISTRY_OBJECT_ID} object (objectType "app-surface") and add one row per app — name, surfacePath, and refs to its dashboards/workflows/data sources/APIs.`,
+      status: "pending",
+      href: "/data-model",
+      cta: "Open Data Model",
+    });
+  }
+  for (const row of rows) {
+    const health = deriveAppHealth(cfg, records, row, runtimeFlags);
+    const next = deriveAppNextAction(row, health);
+    const appId = safeString(row.appId).trim() || safeString(row.Name).trim();
+    steps.push({
+      id: `app-${appId}`,
+      label: safeString(row.Name).trim(),
+      description: health.status === "ready"
+        ? `Healthy — ${health.linkedCount} linked object(s).`
+        : next.label,
+      status: health.status === "ready" ? "complete" : health.status === "blocked" ? "blocked" : "pending",
+      href: next.href,
+      hint: health.status === "blocked" ? health.blockers[0] : "",
+      cta: health.status === "ready" ? "Open app" : "Unblock app",
+    });
+  }
+  for (const step of steps) {
+    if (!step.hint) delete step.hint;
+  }
+
+  const { totalCount, completedCount, complete, nextStepId } = scoreLensSteps(steps);
+  const headline = rows.length === 0
+    ? "Register the applications this workspace operates."
+    : complete
+      ? `All ${rows.length} application(s) are healthy.`
+      : `Operating ${rows.length} application(s) — ${completedCount} healthy.`;
+  const nextStep = steps.find((s) => s.id === nextStepId);
+  return {
+    kind: LENS_STATE_KIND,
+    lensId: "fleet",
+    title: "Application fleet",
+    headline,
+    subheadline: complete
+      ? "Assign the next capability to an agent, or register another app."
+      : (nextStep ? `Next: ${nextStep.label}.` : "Resolve each app's blockers."),
+    complete,
+    completedCount,
+    totalCount,
+    nextStepId,
+    steps,
+  };
+}
+
 /**
  * The lens registry. The activation deriver is the `primary` lens (it keeps
  * its own v1 state kind for backwards compatibility); every other entry is a
  * secondary lens that plugs into the same panel and the same swarm packet.
  * Adding a roadmap item is "register a deriver" — no new surface.
- *
- * NB: a Fleet / multi-app lens (roadmap Item 4) is intentionally NOT registered
- * — the exported workspace runtime exposes no in-artifact multi-app surface
- * registry to derive from. See docs/ROADMAP_IMPACT_ITEMS_V1.md (it stays staged
- * until a runtime surface-metadata source exists).
  */
 const WORKSPACE_LENS_REGISTRY = [
   { id: "activation", title: "Activation", primary: true, derive: deriveWorkspaceActivationState },
@@ -1235,6 +1315,7 @@ const WORKSPACE_LENS_REGISTRY = [
   { id: "deploy", title: "Deploy readiness", primary: false, derive: deriveDeployLensState },
   { id: "tasks", title: "Task management", primary: false, derive: deriveTaskLensState },
   { id: "app-build", title: "Application buildout", primary: false, derive: deriveAppBuildLensState },
+  { id: "fleet", title: "Application fleet", primary: false, derive: deriveFleetLensState },
 ];
 
 function getLensEntry(lensId) {
@@ -1559,6 +1640,9 @@ export {
   deriveDeployLensState,
   deriveTaskLensState,
   deriveAppBuildLensState,
+  // Fleet / multi-app lens (roadmap Item 4 — derives from the governed
+  // workspace-app-registry object, lib/workspace-app-registry.js)
+  deriveFleetLensState,
   // Swarm-assignable condition packet (roadmap Item 8)
   deriveSwarmConditionPacket,
   // Workspace contribution graph (daily-ritual visualization)