@growthub/cli 0.14.10 → 0.14.11

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/add-ons/upstash/sync/route.js

@@ -0,0 +1,197 @@
+import { NextResponse } from "next/server";
+import { readWorkspaceConfig, writeWorkspaceConfig } from "@/lib/workspace-config";
+import {
+  getUpstashProduct,
+  listUpstashProductReadiness,
+  UPSTASH_REGION_OPTIONS,
+  withUpstashProductRegistry
+} from "@/lib/workspace-add-ons";
+import { appendOutcomeReceipt } from "@/lib/workspace-outcome-receipts";
+import { readEnvVar, resolveRequiredEnv } from "@/lib/server-secrets";
+
+const PROBE_TIMEOUT_MS = 8000;
+
+function jsonError(message, status = 400, extra = {}) {
+  return NextResponse.json({ error: message, ...extra }, { status });
+}
+
+function clean(value) {
+  return String(value == null ? "" : value).trim();
+}
+
+// Canonical concrete-key read — same contract as readiness + schedule runtime.
+function envValue(key) {
+  return clean(readEnvVar(key, process.env)?.value || "");
+}
+
+function selectedQstashRegion(region) {
+  return UPSTASH_REGION_OPTIONS.find((option) => option.id === region) || UPSTASH_REGION_OPTIONS[0];
+}
+
+async function fetchWithTimeout(url, init = {}) {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), PROBE_TIMEOUT_MS);
+  try {
+    return await fetch(url, { ...init, signal: controller.signal, cache: "no-store" });
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+
+async function readProbeText(response) {
+  try {
+    return clean(await response.text()).slice(0, 240);
+  } catch {
+    return "";
+  }
+}
+
+function safeUrl(baseUrl, path) {
+  const base = clean(baseUrl).replace(/\/+$/, "");
+  const suffix = clean(path).startsWith("/") ? clean(path) : `/${clean(path)}`;
+  return `${base}${suffix}`;
+}
+
+async function probeJsonPaths({ baseUrl, token, paths, label }) {
+  let last = null;
+  for (const path of paths) {
+    const url = safeUrl(baseUrl, path);
+    const response = await fetchWithTimeout(url, {
+      method: "GET",
+      headers: { authorization: `Bearer ${token}` },
+    });
+    const text = await readProbeText(response);
+    last = { status: response.status, path, text };
+    if (response.ok) {
+      return {
+        ok: true,
+        baseUrl,
+        testedAt: new Date().toISOString(),
+        proof: `${label} probe ${path} returned HTTP ${response.status}`,
+        summary: `${label} sync verified with a read-only REST probe (${path}).`,
+      };
+    }
+  }
+  const details = last ? `${last.path} returned HTTP ${last.status}` : "no endpoint returned";
+  return {
+    ok: false,
+    baseUrl,
+    testedAt: new Date().toISOString(),
+    proof: `${label} probe failed: ${details}`,
+    summary: `${label} REST probe failed: ${details}.`,
+  };
+}
+
+async function probeUpstashProduct(productId, region) {
+  const product = getUpstashProduct(productId);
+  if (!product) {
+    return { ok: false, status: 400, error: "unknown Upstash product" };
+  }
+  const readiness = listUpstashProductReadiness(process.env).find((item) => item.productId === product.productId);
+  const requiredEnv = resolveRequiredEnv(product.requiredEnv, process.env);
+  if (!readiness?.configured || !requiredEnv.ok) {
+    return {
+      ok: false,
+      status: 422,
+      error: `${product.label} provider credentials are not connected`,
+      missingEnv: requiredEnv.missing.length ? requiredEnv.missing : (readiness?.missingEnv || product.requiredEnv),
+      resolvedEnv: requiredEnv.resolvedKeys,
+      summary: `${product.label} provider credentials are not connected. Complete provider setup, then sync again.`,
+    };
+  }
+
+  const probe = product.probe || {};
+  if (!probe.baseUrlEnv || !probe.tokenEnv || !Array.isArray(probe.paths) || !probe.paths.length) {
+    return { ok: false, status: 400, error: "unsupported Upstash product probe" };
+  }
+  const regionOption = selectedQstashRegion(region);
+  const configuredUrl = envValue(probe.baseUrlEnv) || (probe.fallbackRegionBaseUrl ? regionOption.baseUrl : "");
+  const result = await probeJsonPaths({
+    baseUrl: configuredUrl,
+    token: envValue(probe.tokenEnv),
+    paths: probe.paths,
+    label: product.label,
+  });
+  return {
+    ...result,
+    resolvedEnv: requiredEnv.resolvedKeys,
+  };
+}
+
+async function POST(request) {
+  let body = {};
+  try {
+    body = await request.json();
+  } catch {
+    return jsonError("invalid json body", 400);
+  }
+
+  const productId = clean(body.productId || "upstash-qstash");
+  const region = clean(body.region || "us-east-1");
+  const plan = clean(body.plan || "free");
+  const product = getUpstashProduct(productId);
+  if (!product) return jsonError("unknown Upstash product", 400, { productId });
+
+  const syncResult = await probeUpstashProduct(product.productId, region);
+  if (!syncResult.ok) {
+    await appendOutcomeReceipt({
+      kind: "workspace-add-on-sync",
+      lane: "server-authoritative",
+      outcomeStatus: "blocked",
+      actor: "workspace-marketplace",
+      objectRefs: [{ objectId: "api-registry", objectType: "api-registry", rowName: product.label }],
+      summary: syncResult.summary || syncResult.error || `${product.label} sync failed`,
+      policyVerdict: { ok: false, violationCodes: syncResult.missingEnv?.length ? ["provider_product_not_connected"] : ["provider_probe_failed"] },
+      nextActions: syncResult.missingEnv?.length
+        ? [`Complete ${product.label} setup from the provider marketplace flow, then sync again.`]
+        : [`Open the ${product.label} provider console, verify the product connection, then retry sync.`]
+    });
+    return jsonError(syncResult.error || syncResult.summary || "Upstash sync failed", syncResult.status || 502, {
+      productId: product.productId,
+      missingEnv: syncResult.missingEnv || [],
+      sync: {
+        ok: false,
+        proof: syncResult.proof || "",
+        summary: syncResult.summary || "",
+      }
+    });
+  }
+
+  const currentConfig = await readWorkspaceConfig();
+  const nextConfig = withUpstashProductRegistry(currentConfig, {
+    productId: product.productId,
+    region,
+    plan,
+    syncResult,
+  });
+  const persisted = await writeWorkspaceConfig({ dataModel: nextConfig.dataModel });
+  const { receipt } = await appendOutcomeReceipt({
+    kind: "workspace-add-on-sync",
+    lane: "server-authoritative",
+    outcomeStatus: "published",
+    actor: "workspace-marketplace",
+    objectRefs: [{ objectId: "api-registry", objectType: "api-registry", rowName: product.label }],
+    changedFields: ["dataModel.api-registry"],
+    policyVerdict: { ok: true },
+    schemaVerdict: { ok: true },
+    summary: `${product.label} installed after provider sync probe.`,
+    nextActions: product.productId === "upstash-qstash"
+      ? ["Workflow Canvas can now bind QStash/Workflow from the installed product card."]
+      : ["Use this workspace add-on from the relevant data/retrieval surfaces."]
+  });
+
+  return NextResponse.json({
+    ok: true,
+    productId: product.productId,
+    workspaceConfig: persisted,
+    sync: {
+      ok: true,
+      proof: syncResult.proof,
+      summary: syncResult.summary,
+      testedAt: syncResult.testedAt,
+    },
+    receiptId: receipt.receiptId,
+  });
+}
+
+export { POST };

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/apps/route.js

@@ -68,7 +68,7 @@ function safeRuntime(warnings) {
 
 // Mirrors the CLI probe (cli/src/commands/workspace-surface.ts) so detection
 // lives inside the artifact too — the bridge roadmap Item 4 called for.
-const KNOWN_APP_DIRS = ["apps/workspace"];
+const KNOWN_APP_DIRS = ["apps/workspace", "apps/agency-portal", "apps/portal", "studio", "app", "src"];
 
 function detectFramework(absPath) {
   try {

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/metadata-graph/route.js

@@ -35,11 +35,6 @@ import { readWorkspaceConfig, readWorkspaceSourceRecords } from "@/lib/workspace
 import { buildWorkspaceMetadataStore } from "@/lib/workspace-metadata-store";
 import { buildWorkspaceMetadataGraph } from "@/lib/workspace-metadata-graph";
 import { selectStaleMetadataGroups } from "@/lib/workspace-metadata-selectors";
-import { deriveBlastRadius } from "@/lib/workspace-metadata-impact";
-import { deriveStaleSurfaces } from "@/lib/workspace-stale-surfaces";
-import { deriveWorkflowImpact } from "@/lib/workspace-workflow-impact";
-import { deriveProvenanceLineage } from "@/lib/workspace-provenance-lineage";
-import { deriveAppReadiness } from "@/lib/workspace-app-readiness";
 
 const ENVELOPE_KIND = "growthub-workspace-metadata-graph-v1";
 const ENVELOPE_VERSION = 1;
@@ -116,17 +111,10 @@ async function GET(request) {
   // Optional stale-group selector via query params.
   let staleGroups = [];
   let staleReasons = [];
-  // Parse all causal query params from one URL read.
-  let impactId = "";
-  let lineageId = "";
-  let lineageDirection = "both";
   try {
     const url = request && request.url ? new URL(request.url) : null;
     const staleKind = url ? (url.searchParams.get("staleKind") || "").trim() : "";
     const staleId = url ? (url.searchParams.get("staleId") || "").trim() : "";
-    impactId = url ? (url.searchParams.get("impactId") || "").trim() : "";
-    lineageId = url ? (url.searchParams.get("lineageId") || "").trim() : "";
-    lineageDirection = url ? (url.searchParams.get("lineageDirection") || "both").trim() : "both";
     if (staleKind && staleId) {
       const result = selectStaleMetadataGroups(metadataStore, { kind: staleKind, id: staleId });
       staleGroups = Array.isArray(result?.groups) ? result.groups : [];
@@ -136,30 +124,6 @@ async function GET(request) {
     warnings.push(`Failed to compute stale groups: ${error?.message || "unknown error"}`);
   }
 
-  // Causal derivations over the same read-only graph (Mutation → Law →
-  // Intelligence). All pure, all bounded, all secret-free. `staleSurfaces` is
-  // the unconditional freshness baseline (timestamps already in the graph);
-  // `impact` and `lineage` are computed on demand for one node.
-  let staleSurfaces = null;
-  let readiness = null;
-  let impact = null;
-  let lineage = null;
-  try {
-    staleSurfaces = deriveStaleSurfaces(graph);
-    readiness = deriveAppReadiness(graph);
-    if (impactId) {
-      impact = {
-        blastRadius: deriveBlastRadius(graph, impactId),
-        workflowImpact: deriveWorkflowImpact(graph, impactId)
-      };
-    }
-    if (lineageId) {
-      lineage = deriveProvenanceLineage(graph, lineageId, { direction: lineageDirection });
-    }
-  } catch (error) {
-    warnings.push(`Failed to compute causal derivations: ${error?.message || "unknown error"}`);
-  }
-
   return NextResponse.json({
     kind: ENVELOPE_KIND,
     version: ENVELOPE_VERSION,
@@ -199,11 +163,6 @@ async function GET(request) {
       groups: staleGroups,
       reasons: staleReasons
     },
-    // Causal intelligence layer — read-only derivations over `graph` above.
-    staleSurfaces,
-    readiness,
-    ...(impact ? { impact } : {}),
-    ...(lineage ? { lineage } : {}),
     warnings,
     selectors: {
       // Manifest of selectors the route honours. Only `selectStaleMetadataGroups`
@@ -211,14 +170,7 @@ async function GET(request) {
       // selectors are exposed as importable helpers for server-side consumers
       // and the read-only inspector; they are NOT toggled through query
       // params in V1.
-      httpEnabled: [
-        "selectStaleMetadataGroups",
-        "deriveStaleSurfaces",
-        "deriveBlastRadius",
-        "deriveWorkflowImpact",
-        "deriveProvenanceLineage",
-        "deriveAppReadiness"
-      ],
+      httpEnabled: ["selectStaleMetadataGroups"],
       helperOnly: [
         "selectWidgetRequiredFields",
         "selectWorkflowNodeInputSchema",

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/sandbox-run/route.js

@@ -88,26 +88,9 @@ import {
   validateRunInputsEnvelope,
   summarizeRunInputs
 } from "@/lib/orchestration-run-inputs";
-
-function envKeyCandidates(ref) {
-  const token = String(ref || "")
-    .trim()
-    .replace(/[^a-z0-9]+/gi, "_")
-    .replace(/^_+|_+$/g, "")
-    .toUpperCase();
-  return Array.from(new Set([
-    token,
-    token ? `${token}_API_KEY` : "",
-    token ? `${token}_TOKEN` : ""
-  ].filter(Boolean)));
-}
-
-function readServerSecret(authRef) {
-  for (const key of envKeyCandidates(authRef)) {
-    if (process.env[key]) return { key, value: process.env[key] };
-  }
-  return null;
-}
+// Single canonical secret resolver — shared with the serverless add-on lane so
+// both run lanes resolve stored env tokens identically (no copy-pasted logic).
+import { readServerSecret } from "@/lib/server-secrets";
 
 function coerceBoolean(value) {
   if (value === true || value === false) return value;

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/test-api-record/route.js

@@ -1,5 +1,6 @@
 import { NextResponse } from "next/server";
 import { readWorkspaceConfig } from "@/lib/workspace-config";
+import { readServerSecret } from "@/lib/server-secrets";
 
 const DEFAULT_TIMEOUT_MS = 15000;
 
@@ -18,25 +19,7 @@ function buildUrl(record) {
   return `${baseUrl.replace(/\/+$/, "")}/${endpoint.replace(/^\/+/, "")}`;
 }
 
-function envKeyCandidates(ref) {
-  const token = String(ref || "")
-    .trim()
-    .replace(/[^a-z0-9]+/gi, "_")
-    .replace(/^_+|_+$/g, "")
-    .toUpperCase();
-  return Array.from(new Set([
-    token,
-    token ? `${token}_API_KEY` : "",
-    token ? `${token}_TOKEN` : "",
-  ].filter(Boolean)));
-}
-
-function readServerSecret(authRef) {
-  for (const key of envKeyCandidates(authRef)) {
-    if (process.env[key]) return process.env[key];
-  }
-  return "";
-}
+// Secret resolution uses the single canonical resolver from lib/server-secrets.js.
 
 function findRegistryRecord(workspaceConfig, registryId) {
   const id = String(registryId || "").trim();
@@ -86,7 +69,7 @@ async function POST(request) {
 
   const method = normalizeMethod(record.method);
   const authRef = record.authRef || record.integrationId || dataSourceRecord?.registryId;
-  const secret = readServerSecret(authRef);
+  const secret = readServerSecret(authRef)?.value || "";
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), DEFAULT_TIMEOUT_MS);