@growthub/cli 0.14.3 → 0.14.5

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/resolvers/[integrationId]/route.js

@@ -0,0 +1,157 @@
+/**
+ * GET /api/resolvers/[integrationId]
+ *
+ * CMS SDK v1.5.1 — the governed, addressable endpoint every registered resolver
+ * is exposed at. A resolver is the workspace's provider-agnostic "API → governed
+ * rows" abstraction; this makes it a real, hittable Next.js route inside the
+ * monorepo, so other apps and external callers consume governed records by
+ * integrationId. One dynamic route serves every resolver (a projection of the
+ * unified registry) — runtime-agnostic and drift-free by construction.
+ *
+ * Identity: the path segment is matched canonically. The governed record keeps
+ * its human integrationId; the resolver registers under either the raw id
+ * (config-driven/Nango) or the slug (generated), so lookup tries the raw value
+ * then the slug — `/api/resolvers/my-crm` and `/api/resolvers/asana` both resolve.
+ *
+ * Same-level governance as every mutation/execution route (Governed Application
+ * Control Plane V1): `x-growthub-app-scope` is runtime-enforced, scope rejections
+ * emit a canonical outcome receipt, and under a scope the 404 body does NOT leak
+ * the list of other registered integrations. Secret-safe: tokens never leave the
+ * server, and error messages are redacted.
+ *
+ * Response — success: { ok, integrationId, resolverId, recordRef, connectorKind, recordCount, records }
+ * Response — no resolver: 404 { ok:false, reason:"no-resolver", registeredResolvers? }
+ * Response — scope violation: 422 AppScopeViolation
+ * Response — resolver error: 502 { ok:false, reason:"fetch-error", error }
+ */
+
+import { NextResponse } from "next/server";
+import { requireAppScope, checkScopedRegistryAccess } from "@/lib/workspace-app-registry";
+import { readWorkspaceConfig } from "@/lib/workspace-config";
+import { appendOutcomeReceipt } from "@/lib/workspace-outcome-receipts";
+import { readAdapterConfig } from "@/lib/adapters/env";
+import { listGovernedWorkspaceIntegrations } from "@/lib/adapters/integrations";
+import { loadAllResolvers } from "@/lib/adapters/integrations/resolver-loader";
+import { getSourceResolver, listRegisteredResolvers } from "@/lib/adapters/integrations/source-resolver-registry";
+import { slugifyIntegrationId } from "@/lib/unified-resolver-registry";
+
+const MAX_LIMIT = 200;
+const DEFAULT_LIMIT = 50;
+
+/** Strip anything secret-shaped from an error string before it leaves the server. */
+function redact(message) {
+  return String(message || "")
+    .replace(/(authorization|bearer|api[_-]?key|token|secret|password)\s*[:=]\s*\S+/gi, "$1 [redacted]")
+    .replace(/\bBearer\s+[A-Za-z0-9._-]+/gi, "Bearer [redacted]")
+    .slice(0, 300);
+}
+
+/** Find the governed api-registry row backing an integrationId (raw or slug). */
+function findRecordRef(workspaceConfig, integrationId) {
+  const objects = Array.isArray(workspaceConfig?.dataModel?.objects) ? workspaceConfig.dataModel.objects : [];
+  const wantSlug = slugifyIntegrationId(integrationId, "");
+  for (const object of objects) {
+    if (object?.objectType !== "api-registry") continue;
+    for (const row of Array.isArray(object.rows) ? object.rows : []) {
+      const id = String(row?.integrationId || "").trim();
+      if (!id) continue;
+      if (id === integrationId || slugifyIntegrationId(id, "") === wantSlug) {
+        return { objectId: String(object.id || ""), rowName: String(row.Name || id), integrationId: id };
+      }
+    }
+  }
+  return null;
+}
+
+async function GET(request, context) {
+  const params = await context?.params;
+  const rawId = String(params?.integrationId || "").trim();
+  if (!rawId) {
+    return NextResponse.json({ ok: false, reason: "bad-request", error: "integrationId is required" }, { status: 400 });
+  }
+  const slugId = slugifyIntegrationId(rawId, "");
+
+  const workspaceConfig = await readWorkspaceConfig().catch(() => ({}));
+
+  // App-scope gate — data-plane isolation. Checked against both forms so a scoped
+  // agent cannot dodge scope by varying slug/raw. The 404 path below is also
+  // scope-aware so it never leaks the registered-integration list under a scope.
+  const scope = requireAppScope(request, workspaceConfig);
+  if (scope.scoped) {
+    const violation =
+      scope.violation ||
+      checkScopedRegistryAccess(scope.context, rawId) && checkScopedRegistryAccess(scope.context, slugId);
+    if (violation) {
+      await appendOutcomeReceipt({
+        kind: "agent-outcome",
+        lane: "untrusted-direct",
+        outcomeStatus: "blocked",
+        appId: violation.appScope || scope.appId,
+        summary: `resolver endpoint rejected (422 app scope): ${violation.violationType}`,
+        nextActions: violation.repairPlan,
+      });
+      return NextResponse.json(violation, { status: 422 });
+    }
+  }
+
+  await loadAllResolvers();
+  const resolver = getSourceResolver(rawId) || (slugId ? getSourceResolver(slugId) : null);
+  if (!resolver) {
+    const body = { ok: false, reason: "no-resolver", integrationId: rawId, resolverId: slugId };
+    // Only an UNSCOPED caller gets the discovery aid — under a scope this would
+    // leak other apps' integration ids.
+    if (!scope.scoped) {
+      body.registeredResolvers = listRegisteredResolvers();
+      if (slugId && slugId !== rawId && body.registeredResolvers.includes(slugId)) {
+        body.hint = `No resolver for "${rawId}". Did you mean the canonical id "${slugId}"?`;
+      } else {
+        body.hint = "Register this API in the Data Model API Registry cockpit and construct its resolver, then re-call this endpoint.";
+      }
+    }
+    return NextResponse.json(body, { status: 404 });
+  }
+
+  const { searchParams } = new URL(request.url);
+  const limitRaw = Number(searchParams.get("limit"));
+  const limit = Number.isFinite(limitRaw) && limitRaw > 0 ? Math.min(limitRaw, MAX_LIMIT) : DEFAULT_LIMIT;
+
+  const adapterConfig = readAdapterConfig();
+  let connection = null;
+  try {
+    const integrations = await listGovernedWorkspaceIntegrations();
+    connection = integrations.find((i) => i.provider === rawId || i.id === rawId || i.provider === slugId) || null;
+  } catch {
+    // Non-fatal — resolver falls back to env-only auth.
+  }
+
+  let records;
+  try {
+    records = await resolver.fetchRecords(adapterConfig, connection, {});
+  } catch (err) {
+    return NextResponse.json(
+      { ok: false, reason: "fetch-error", integrationId: rawId, error: redact(err?.message) || "resolver.fetchRecords threw" },
+      { status: 502 },
+    );
+  }
+
+  if (!Array.isArray(records)) {
+    return NextResponse.json(
+      { ok: false, reason: "bad-resolver-response", integrationId: rawId, error: "resolver.fetchRecords must return an array" },
+      { status: 502 },
+    );
+  }
+
+  return NextResponse.json({
+    ok: true,
+    integrationId: rawId,
+    resolverId: slugId,
+    // Downstream apps/agents know exactly which governed row they consumed.
+    recordRef: findRecordRef(workspaceConfig, rawId),
+    source: "resolver-endpoint",
+    connectorKind: typeof resolver.connectorKind === "string" ? resolver.connectorKind : null,
+    recordCount: records.length,
+    records: records.slice(0, limit),
+  });
+}
+
+export { GET };

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/env-status/route.js

@@ -9,7 +9,7 @@
  */
 
 import { NextResponse } from "next/server";
-import { readWorkspaceConfig } from "@/lib/workspace-config";
+import { readWorkspaceConfig, describePersistenceMode } from "@/lib/workspace-config";
 import { computeConfiguredEnvRefs, listPersistenceAdapterReadiness } from "@/lib/env-status";
 
 async function GET() {
@@ -21,10 +21,14 @@ async function GET() {
   }
   const configuredEnvRefs = computeConfiguredEnvRefs(workspaceConfig, process.env);
   const persistenceAdapters = listPersistenceAdapterReadiness(process.env);
+  // Persistence mode + canSave so the scheduler provisioning cockpit can honestly
+  // gate the "set it up for me" action (server-file writes need a writable runtime).
+  const persistence = describePersistenceMode();
   return NextResponse.json({
     kind: "growthub-env-status-v1",
     configuredEnvRefs,
     persistenceAdapters,
+    persistence: { mode: persistence.mode, canSave: persistence.canSave === true },
   });
 }
 

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/helper/apply/route.js

@@ -56,6 +56,10 @@ import {
   findSwarmRunRows,
   summarizeSwarmRunProposal,
 } from "@/lib/workspace-swarm-proposal";
+import {
+  CEO_BOOTSTRAP_COMPLETE_PROPOSAL_TYPE,
+  buildCeoBootstrapCompletion,
+} from "@/lib/ceo-bootstrap-console";
 
 const HELPER_APPLY_SOURCE_KEY = "helper:apply:receipts";
 
@@ -267,8 +271,14 @@ async function POST(request) {
   );
   const resolverProposals = normalizedProposals.filter((p) => p?.type === RESOLVER_PROPOSAL_TYPE);
   const swarmProposals = normalizedProposals.filter((p) => SWARM_PROPOSAL_TYPES.includes(p?.type));
+  const ceoBootstrapProposals = normalizedProposals.filter(
+    (p) => p?.type === CEO_BOOTSTRAP_COMPLETE_PROPOSAL_TYPE
+  );
   const configProposals = normalizedProposals.filter(
-    (p) => p?.type !== RESOLVER_PROPOSAL_TYPE && !SWARM_PROPOSAL_TYPES.includes(p?.type)
+    (p) =>
+      p?.type !== RESOLVER_PROPOSAL_TYPE &&
+      !SWARM_PROPOSAL_TYPES.includes(p?.type) &&
+      p?.type !== CEO_BOOTSTRAP_COMPLETE_PROPOSAL_TYPE
   );
 
   for (const proposal of resolverProposals) {
@@ -310,6 +320,28 @@ async function POST(request) {
     });
   }
 
+  // CEO bootstrap lane — stamps the "CEO setup complete" marker onto the
+  // well-known workspace-helper sandbox row in the EXISTING dataModel patch
+  // field. The builder refuses unless the loop is config-provably done (a
+  // ready swarm with a completed run), so completion is evidence, not a
+  // client assertion. No new object, no execution.
+  for (const proposal of ceoBootstrapProposals) {
+    const result = buildCeoBootstrapCompletion({
+      workspaceConfig: workingConfig,
+      completedAt: appliedAt,
+      completedBy: reviewedBy || "user",
+    });
+    if (!result.ok) {
+      skipped.push({ proposal, reason: result.error || "CEO bootstrap not ready to complete" });
+      continue;
+    }
+    workingConfig = result.config;
+    applied.push({
+      ...buildApplyReceipt({ ...proposal, affectedField: "dataModel" }, appliedAt, reviewedBy, sessionId),
+      summary: "CEO setup marked complete",
+    });
+  }
+
   for (const proposal of configProposals) {
     if (
       !proposal ||

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/resolvers/route.js

@@ -6,6 +6,13 @@
  * Used by the generic resolver management panel and ResolverControlPanel in the
  * widget inspector. No provider names appear in the response shape.
  *
+ * CMS SDK v1.5.1 — additionally returns `registry`: the Unified API Resolver
+ * Registry index that correlates every governed `api-registry` record to its
+ * resolver (provenance, file, registered/tested state, response shape, score,
+ * next action, governed endpoint). The legacy fields are preserved verbatim.
+ * When the runtime is writable, the externalized index + endpoint manifest
+ * artifacts are written through so agents can read one file out of band.
+ *
  * Response:
  *   {
  *     files:         string[],
@@ -16,25 +23,100 @@
  *       hasListEntities: boolean,
  *       configSchema:    SchemaField[] | null
  *     }[],
- *     canUpload: boolean
+ *     canUpload: boolean,
+ *     registry:  ResolverRegistryIndex   // @growthub/api-contract/resolver-registry
  *   }
  */
 
 import { NextResponse } from "next/server";
 import { loadAllResolvers, listResolverFiles } from "@/lib/adapters/integrations/resolver-loader";
 import { describeRegisteredResolvers } from "@/lib/adapters/integrations/source-resolver-registry";
-import { describePersistenceMode } from "@/lib/workspace-config";
+import { describePersistenceMode, readWorkspaceConfig, readWorkspaceSourceRecords } from "@/lib/workspace-config";
+import { appendOutcomeReceipt } from "@/lib/workspace-outcome-receipts";
+import { computeConfiguredEnvRefs } from "@/lib/env-status";
+import { deriveResolverRegistry } from "@/lib/unified-resolver-registry";
+import { readResolverFileMeta, persistResolverRegistryArtifacts } from "@/lib/server-resolver-registry";
 
 async function GET() {
   await loadAllResolvers();
   const files = await listResolverFiles();
   const resolvers = describeRegisteredResolvers();
   const persistence = describePersistenceMode();
+  const registeredIds = resolvers.map((r) => r.integrationId);
+
+  // Unified registry derivation — correlate every governed record to its
+  // resolver. All IO happens here; the deriver stays pure. Derivation failure is
+  // NEVER silently hidden: the response carries an explicit `registryStatus` so
+  // an agent/client can distinguish "no entries" from "registry failed", and a
+  // writable runtime's artifact-write outcome is reported, not swallowed.
+  let registry = null;
+  let registryStatus = "ok";
+  let registryError = null;
+  let artifactWritten = false;
+  let artifactReason = null;
+  try {
+    const [workspaceConfig, sourceRecords, fileMeta] = await Promise.all([
+      readWorkspaceConfig().catch(() => ({})),
+      readWorkspaceSourceRecords().then((r) => r || {}).catch(() => ({})),
+      readResolverFileMeta().catch(() => ({})),
+    ]);
+    let configuredEnvRefs = [];
+    try {
+      configuredEnvRefs = computeConfiguredEnvRefs(workspaceConfig) || [];
+    } catch {
+      configuredEnvRefs = [];
+    }
+    registry = deriveResolverRegistry({
+      workspaceConfig,
+      files,
+      registeredIds,
+      fileMeta,
+      sourceRecords,
+      runtime: { configuredEnvRefs },
+    });
+    // Write-through the externalized artifacts when writable. On a writable
+    // runtime a failed write is a real problem (stale projections) — surface it
+    // and emit a governance receipt; on read-only it is expected (live-only).
+    if (persistence.canSave) {
+      const result = await persistResolverRegistryArtifacts(registry).catch((err) => ({
+        written: false,
+        reason: err?.message || "artifact write threw",
+      }));
+      artifactWritten = Boolean(result?.written);
+      artifactReason = result?.reason || null;
+      if (!artifactWritten) {
+        await appendOutcomeReceipt({
+          kind: "agent-outcome",
+          lane: "server-authoritative",
+          outcomeStatus: "failed",
+          summary: `resolver registry artifact write failed: ${artifactReason || "unknown"}`,
+        }).catch(() => {});
+      }
+    } else {
+      artifactReason = persistence.reason || "read-only runtime — registry is live-only";
+    }
+  } catch (err) {
+    registry = null;
+    registryStatus = "degraded";
+    registryError = { reason: "derivation-failed", message: String(err?.message || err).slice(0, 300) };
+    await appendOutcomeReceipt({
+      kind: "agent-outcome",
+      lane: "server-authoritative",
+      outcomeStatus: "failed",
+      summary: `resolver registry derivation failed: ${registryError.message}`,
+    }).catch(() => {});
+  }
+
   return NextResponse.json({
     files,
-    registeredIds: resolvers.map((r) => r.integrationId),
+    registeredIds,
     resolvers,
-    canUpload: persistence.canSave
+    canUpload: persistence.canSave,
+    registry,
+    registryStatus,
+    registryError,
+    artifactWritten,
+    artifactReason,
   });
 }
 

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/data-model/components/ApiRegistryCreationCockpit.jsx

@@ -56,14 +56,17 @@ export function ApiRegistryCreationCockpit({
   onCollapsedChange,
 }) {
   const [collapsed, setCollapsed] = useState(defaultCollapsed);
+  const hasVisibleAction = Array.isArray(state?.steps) && state.steps.some((step) => step?.action);
+  const shouldHide = Boolean(hideWhenComplete && state?.complete && !hasVisibleAction);
   useEffect(() => {
-    setCollapsed(defaultCollapsed || Boolean(hideWhenComplete && state?.complete));
-  }, [defaultCollapsed, hideWhenComplete, state?.complete, state?.integrationId]);
+    setCollapsed(defaultCollapsed || Boolean(hideWhenComplete && state?.complete && !hasVisibleAction));
+  }, [defaultCollapsed, hideWhenComplete, state?.complete, state?.integrationId, hasVisibleAction]);
   if (!state || !Array.isArray(state.steps)) return null;
-  if (hideWhenComplete && state.complete) return null;
+  if (shouldHide) return null;
   const candidates = profile?.candidates || {};
   const candidateEntries = Object.entries(candidates).filter(([, v]) => v);
   const previewRow = dataSourcePreview?.row || null;
+  const workflowAction = state?.workflowAction || null;
   const toggleCollapsed = () => {
     const next = !collapsed;
     setCollapsed(next);
@@ -77,6 +80,28 @@ export function ApiRegistryCreationCockpit({
     onAction?.(action);
   };
 
+  if (hideWhenComplete && state.complete && workflowAction) {
+    return (
+      <section className="dm-api-action-card dm-api-action-card-workflow" aria-label="Workflow canvas">
+        <div className="dm-api-action-card-body">
+          <p className="dm-api-action-card-eyebrow">Workflow canvas</p>
+          <h3>Use this API in a workflow</h3>
+          <p>{workflowAction.description}</p>
+        </div>
+        <div className="dm-api-action-card-actions">
+          <button
+            type="button"
+            className="dm-btn-outline dm-api-action-card-cta"
+            disabled={disabled || Boolean(busyAction)}
+            onClick={() => runAction(workflowAction)}
+          >
+            {busyAction === `workflow:${workflowAction.id}` ? "Opening…" : workflowAction.label}
+          </button>
+        </div>
+      </section>
+    );
+  }
+
   return (
     <section className={`dm-api-action-card dm-cockpit${collapsed ? " is-collapsed" : ""}`} aria-label="API creation journey">
       <button
@@ -180,11 +205,11 @@ export function ApiRegistryCreationCockpit({
         </div>
       ) : null}
 
-      {!collapsed && Array.isArray(receipts) && receipts.length ? (
+      {!collapsed && Array.isArray(receipts) && receipts.some((r) => r.ok) ? (
         <div className="dm-cockpit-receipts">
           <p className="dm-api-action-card-eyebrow">Receipts</p>
           <ul>
-            {receipts.slice(0, 6).map((r, i) => (
+            {receipts.filter((r) => r.ok).slice(0, 6).map((r, i) => (
               <li key={`${r.at}-${i}`} className="dm-cockpit-receipt">
                 <StatusChip mod={r.ok ? "ok" : "bad"} className="dm-cockpit-receipt-chip">{r.kind}</StatusChip>
                 <span className="dm-cockpit-receipt-text">{r.detail}</span>

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/data-model/components/ApiRegistryReviewModal.jsx

@@ -4,7 +4,7 @@ import { CheckCircle2, X } from "lucide-react";
 
 /**
  * Read-only summary of a successfully tested API Registry row.
- * Shown at the top of the sandbox-tool draft flow (not a blocking modal).
+ * Shown at the top of the workflow draft flow (not a blocking modal).
  */
 export function ApiRegistryReviewModal({ registryRow, onClose = null }) {
   if (!registryRow) return null;
@@ -22,7 +22,7 @@ export function ApiRegistryReviewModal({ registryRow, onClose = null }) {
         <p className="dm-api-review-banner-eyebrow">Connected API</p>
         <h3>{registryRow.Name || integrationId}</h3>
         <p>
-          This endpoint returned a valid response. You can now turn it into a sandbox tool.
+          This endpoint returned a valid response. You can now use it in a workflow canvas.
         </p>
         <code className="dm-api-review-banner-route">
           {method} {baseUrl && endpoint ? `${baseUrl.replace(/\/+$/, "")}/${endpoint.replace(/^\/+/, "")}` : endpoint || baseUrl}