npm - @growthub/cli - Versions diffs - 0.14.4 → 0.14.5 - Mend

@growthub/cli 0.14.4 → 0.14.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/resolvers/[integrationId]/route.js ADDED Viewed

@@ -0,0 +1,157 @@
+/**
+ * GET /api/resolvers/[integrationId]
+ *
+ * CMS SDK v1.5.1 — the governed, addressable endpoint every registered resolver
+ * is exposed at. A resolver is the workspace's provider-agnostic "API → governed
+ * rows" abstraction; this makes it a real, hittable Next.js route inside the
+ * monorepo, so other apps and external callers consume governed records by
+ * integrationId. One dynamic route serves every resolver (a projection of the
+ * unified registry) — runtime-agnostic and drift-free by construction.
+ *
+ * Identity: the path segment is matched canonically. The governed record keeps
+ * its human integrationId; the resolver registers under either the raw id
+ * (config-driven/Nango) or the slug (generated), so lookup tries the raw value
+ * then the slug — `/api/resolvers/my-crm` and `/api/resolvers/asana` both resolve.
+ *
+ * Same-level governance as every mutation/execution route (Governed Application
+ * Control Plane V1): `x-growthub-app-scope` is runtime-enforced, scope rejections
+ * emit a canonical outcome receipt, and under a scope the 404 body does NOT leak
+ * the list of other registered integrations. Secret-safe: tokens never leave the
+ * server, and error messages are redacted.
+ *
+ * Response — success: { ok, integrationId, resolverId, recordRef, connectorKind, recordCount, records }
+ * Response — no resolver: 404 { ok:false, reason:"no-resolver", registeredResolvers? }
+ * Response — scope violation: 422 AppScopeViolation
+ * Response — resolver error: 502 { ok:false, reason:"fetch-error", error }
+ */
+import { NextResponse } from "next/server";
+import { requireAppScope, checkScopedRegistryAccess } from "@/lib/workspace-app-registry";
+import { readWorkspaceConfig } from "@/lib/workspace-config";
+import { appendOutcomeReceipt } from "@/lib/workspace-outcome-receipts";
+import { readAdapterConfig } from "@/lib/adapters/env";
+import { listGovernedWorkspaceIntegrations } from "@/lib/adapters/integrations";
+import { loadAllResolvers } from "@/lib/adapters/integrations/resolver-loader";
+import { getSourceResolver, listRegisteredResolvers } from "@/lib/adapters/integrations/source-resolver-registry";
+import { slugifyIntegrationId } from "@/lib/unified-resolver-registry";
+const MAX_LIMIT = 200;
+const DEFAULT_LIMIT = 50;
+/** Strip anything secret-shaped from an error string before it leaves the server. */
+function redact(message) {
+  return String(message || "")
+    .replace(/(authorization|bearer|api[_-]?key|token|secret|password)\s*[:=]\s*\S+/gi, "$1 [redacted]")
+    .replace(/\bBearer\s+[A-Za-z0-9._-]+/gi, "Bearer [redacted]")
+    .slice(0, 300);
+}
+/** Find the governed api-registry row backing an integrationId (raw or slug). */
+function findRecordRef(workspaceConfig, integrationId) {
+  const objects = Array.isArray(workspaceConfig?.dataModel?.objects) ? workspaceConfig.dataModel.objects : [];
+  const wantSlug = slugifyIntegrationId(integrationId, "");
+  for (const object of objects) {
+    if (object?.objectType !== "api-registry") continue;
+    for (const row of Array.isArray(object.rows) ? object.rows : []) {
+      const id = String(row?.integrationId || "").trim();
+      if (!id) continue;
+      if (id === integrationId || slugifyIntegrationId(id, "") === wantSlug) {
+        return { objectId: String(object.id || ""), rowName: String(row.Name || id), integrationId: id };
+      }
+    }
+  }
+  return null;
+}
+async function GET(request, context) {
+  const params = await context?.params;
+  const rawId = String(params?.integrationId || "").trim();
+  if (!rawId) {
+    return NextResponse.json({ ok: false, reason: "bad-request", error: "integrationId is required" }, { status: 400 });
+  }
+  const slugId = slugifyIntegrationId(rawId, "");
+  const workspaceConfig = await readWorkspaceConfig().catch(() => ({}));
+  // App-scope gate — data-plane isolation. Checked against both forms so a scoped
+  // agent cannot dodge scope by varying slug/raw. The 404 path below is also
+  // scope-aware so it never leaks the registered-integration list under a scope.
+  const scope = requireAppScope(request, workspaceConfig);
+  if (scope.scoped) {
+    const violation =
+      scope.violation ||
+      checkScopedRegistryAccess(scope.context, rawId) && checkScopedRegistryAccess(scope.context, slugId);
+    if (violation) {
+      await appendOutcomeReceipt({
+        kind: "agent-outcome",
+        lane: "untrusted-direct",
+        outcomeStatus: "blocked",
+        appId: violation.appScope || scope.appId,
+        summary: `resolver endpoint rejected (422 app scope): ${violation.violationType}`,
+        nextActions: violation.repairPlan,
+      });
+      return NextResponse.json(violation, { status: 422 });
+    }
+  }
+  await loadAllResolvers();
+  const resolver = getSourceResolver(rawId) || (slugId ? getSourceResolver(slugId) : null);
+  if (!resolver) {
+    const body = { ok: false, reason: "no-resolver", integrationId: rawId, resolverId: slugId };
+    // Only an UNSCOPED caller gets the discovery aid — under a scope this would
+    // leak other apps' integration ids.
+    if (!scope.scoped) {
+      body.registeredResolvers = listRegisteredResolvers();
+      if (slugId && slugId !== rawId && body.registeredResolvers.includes(slugId)) {
+        body.hint = `No resolver for "${rawId}". Did you mean the canonical id "${slugId}"?`;
+      } else {
+        body.hint = "Register this API in the Data Model API Registry cockpit and construct its resolver, then re-call this endpoint.";
+      }
+    }
+    return NextResponse.json(body, { status: 404 });
+  }
+  const { searchParams } = new URL(request.url);
+  const limitRaw = Number(searchParams.get("limit"));
+  const limit = Number.isFinite(limitRaw) && limitRaw > 0 ? Math.min(limitRaw, MAX_LIMIT) : DEFAULT_LIMIT;
+  const adapterConfig = readAdapterConfig();
+  let connection = null;
+  try {
+    const integrations = await listGovernedWorkspaceIntegrations();
+    connection = integrations.find((i) => i.provider === rawId || i.id === rawId || i.provider === slugId) || null;
+  } catch {
+    // Non-fatal — resolver falls back to env-only auth.
+  }
+  let records;
+  try {
+    records = await resolver.fetchRecords(adapterConfig, connection, {});
+  } catch (err) {
+    return NextResponse.json(
+      { ok: false, reason: "fetch-error", integrationId: rawId, error: redact(err?.message) || "resolver.fetchRecords threw" },
+      { status: 502 },
+    );
+  }
+  if (!Array.isArray(records)) {
+    return NextResponse.json(
+      { ok: false, reason: "bad-resolver-response", integrationId: rawId, error: "resolver.fetchRecords must return an array" },
+      { status: 502 },
+    );
+  }
+  return NextResponse.json({
+    ok: true,
+    integrationId: rawId,
+    resolverId: slugId,
+    // Downstream apps/agents know exactly which governed row they consumed.
+    recordRef: findRecordRef(workspaceConfig, rawId),
+    source: "resolver-endpoint",
+    connectorKind: typeof resolver.connectorKind === "string" ? resolver.connectorKind : null,
+    recordCount: records.length,
+    records: records.slice(0, limit),
+  });
+}
+export { GET };

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/env-status/route.js CHANGED Viewed

@@ -9,7 +9,7 @@
  */
 import { NextResponse } from "next/server";
-import { readWorkspaceConfig } from "@/lib/workspace-config";
+import { readWorkspaceConfig, describePersistenceMode } from "@/lib/workspace-config";
 import { computeConfiguredEnvRefs, listPersistenceAdapterReadiness } from "@/lib/env-status";
 async function GET() {
@@ -21,10 +21,14 @@ async function GET() {
   }
   const configuredEnvRefs = computeConfiguredEnvRefs(workspaceConfig, process.env);
   const persistenceAdapters = listPersistenceAdapterReadiness(process.env);
+  // Persistence mode + canSave so the scheduler provisioning cockpit can honestly
+  // gate the "set it up for me" action (server-file writes need a writable runtime).
+  const persistence = describePersistenceMode();
   return NextResponse.json({
     kind: "growthub-env-status-v1",
     configuredEnvRefs,
     persistenceAdapters,
+    persistence: { mode: persistence.mode, canSave: persistence.canSave === true },
   });
 }

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/resolvers/route.js CHANGED Viewed

@@ -6,6 +6,13 @@
  * Used by the generic resolver management panel and ResolverControlPanel in the
  * widget inspector. No provider names appear in the response shape.
  *
+ * CMS SDK v1.5.1 — additionally returns `registry`: the Unified API Resolver
+ * Registry index that correlates every governed `api-registry` record to its
+ * resolver (provenance, file, registered/tested state, response shape, score,
+ * next action, governed endpoint). The legacy fields are preserved verbatim.
+ * When the runtime is writable, the externalized index + endpoint manifest
+ * artifacts are written through so agents can read one file out of band.
+ *
  * Response:
  *   {
  *     files:         string[],
@@ -16,25 +23,100 @@
  *       hasListEntities: boolean,
  *       configSchema:    SchemaField[] | null
  *     }[],
- *     canUpload: boolean
+ *     canUpload: boolean,
+ *     registry:  ResolverRegistryIndex   // @growthub/api-contract/resolver-registry
  *   }
  */
 import { NextResponse } from "next/server";
 import { loadAllResolvers, listResolverFiles } from "@/lib/adapters/integrations/resolver-loader";
 import { describeRegisteredResolvers } from "@/lib/adapters/integrations/source-resolver-registry";
-import { describePersistenceMode } from "@/lib/workspace-config";
+import { describePersistenceMode, readWorkspaceConfig, readWorkspaceSourceRecords } from "@/lib/workspace-config";
+import { appendOutcomeReceipt } from "@/lib/workspace-outcome-receipts";
+import { computeConfiguredEnvRefs } from "@/lib/env-status";
+import { deriveResolverRegistry } from "@/lib/unified-resolver-registry";
+import { readResolverFileMeta, persistResolverRegistryArtifacts } from "@/lib/server-resolver-registry";
 async function GET() {
   await loadAllResolvers();
   const files = await listResolverFiles();
   const resolvers = describeRegisteredResolvers();
   const persistence = describePersistenceMode();
+  const registeredIds = resolvers.map((r) => r.integrationId);
+  // Unified registry derivation — correlate every governed record to its
+  // resolver. All IO happens here; the deriver stays pure. Derivation failure is
+  // NEVER silently hidden: the response carries an explicit `registryStatus` so
+  // an agent/client can distinguish "no entries" from "registry failed", and a
+  // writable runtime's artifact-write outcome is reported, not swallowed.
+  let registry = null;
+  let registryStatus = "ok";
+  let registryError = null;
+  let artifactWritten = false;
+  let artifactReason = null;
+  try {
+    const [workspaceConfig, sourceRecords, fileMeta] = await Promise.all([
+      readWorkspaceConfig().catch(() => ({})),
+      readWorkspaceSourceRecords().then((r) => r || {}).catch(() => ({})),
+      readResolverFileMeta().catch(() => ({})),
+    ]);
+    let configuredEnvRefs = [];
+    try {
+      configuredEnvRefs = computeConfiguredEnvRefs(workspaceConfig) || [];
+    } catch {
+      configuredEnvRefs = [];
+    }
+    registry = deriveResolverRegistry({
+      workspaceConfig,
+      files,
+      registeredIds,
+      fileMeta,
+      sourceRecords,
+      runtime: { configuredEnvRefs },
+    });
+    // Write-through the externalized artifacts when writable. On a writable
+    // runtime a failed write is a real problem (stale projections) — surface it
+    // and emit a governance receipt; on read-only it is expected (live-only).
+    if (persistence.canSave) {
+      const result = await persistResolverRegistryArtifacts(registry).catch((err) => ({
+        written: false,
+        reason: err?.message || "artifact write threw",
+      }));
+      artifactWritten = Boolean(result?.written);
+      artifactReason = result?.reason || null;
+      if (!artifactWritten) {
+        await appendOutcomeReceipt({
+          kind: "agent-outcome",
+          lane: "server-authoritative",
+          outcomeStatus: "failed",
+          summary: `resolver registry artifact write failed: ${artifactReason || "unknown"}`,
+        }).catch(() => {});
+      }
+    } else {
+      artifactReason = persistence.reason || "read-only runtime — registry is live-only";
+    }
+  } catch (err) {
+    registry = null;
+    registryStatus = "degraded";
+    registryError = { reason: "derivation-failed", message: String(err?.message || err).slice(0, 300) };
+    await appendOutcomeReceipt({
+      kind: "agent-outcome",
+      lane: "server-authoritative",
+      outcomeStatus: "failed",
+      summary: `resolver registry derivation failed: ${registryError.message}`,
+    }).catch(() => {});
+  }
   return NextResponse.json({
     files,
-    registeredIds: resolvers.map((r) => r.integrationId),
+    registeredIds,
     resolvers,
-    canUpload: persistence.canSave
+    canUpload: persistence.canSave,
+    registry,
+    registryStatus,
+    registryError,
+    artifactWritten,
+    artifactReason,
   });
 }

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/data-model/components/ApiRegistryCreationCockpit.jsx CHANGED Viewed

@@ -56,14 +56,17 @@ export function ApiRegistryCreationCockpit({
   onCollapsedChange,
 }) {
   const [collapsed, setCollapsed] = useState(defaultCollapsed);
+  const hasVisibleAction = Array.isArray(state?.steps) && state.steps.some((step) => step?.action);
+  const shouldHide = Boolean(hideWhenComplete && state?.complete && !hasVisibleAction);
   useEffect(() => {
-    setCollapsed(defaultCollapsed || Boolean(hideWhenComplete && state?.complete));
-  }, [defaultCollapsed, hideWhenComplete, state?.complete, state?.integrationId]);
+    setCollapsed(defaultCollapsed || Boolean(hideWhenComplete && state?.complete && !hasVisibleAction));
+  }, [defaultCollapsed, hideWhenComplete, state?.complete, state?.integrationId, hasVisibleAction]);
   if (!state || !Array.isArray(state.steps)) return null;
-  if (hideWhenComplete && state.complete) return null;
+  if (shouldHide) return null;
   const candidates = profile?.candidates || {};
   const candidateEntries = Object.entries(candidates).filter(([, v]) => v);
   const previewRow = dataSourcePreview?.row || null;
+  const workflowAction = state?.workflowAction || null;
   const toggleCollapsed = () => {
     const next = !collapsed;
     setCollapsed(next);
@@ -77,6 +80,28 @@ export function ApiRegistryCreationCockpit({
     onAction?.(action);
   };
+  if (hideWhenComplete && state.complete && workflowAction) {
+    return (
+      <section className="dm-api-action-card dm-api-action-card-workflow" aria-label="Workflow canvas">
+        <div className="dm-api-action-card-body">
+          <p className="dm-api-action-card-eyebrow">Workflow canvas</p>
+          <h3>Use this API in a workflow</h3>
+          <p>{workflowAction.description}</p>
+        </div>
+        <div className="dm-api-action-card-actions">
+          <button
+            type="button"
+            className="dm-btn-outline dm-api-action-card-cta"
+            disabled={disabled || Boolean(busyAction)}
+            onClick={() => runAction(workflowAction)}
+          >
+            {busyAction === `workflow:${workflowAction.id}` ? "Opening…" : workflowAction.label}
+          </button>
+        </div>
+      </section>
+    );
+  }
   return (
     <section className={`dm-api-action-card dm-cockpit${collapsed ? " is-collapsed" : ""}`} aria-label="API creation journey">
       <button
@@ -180,11 +205,11 @@ export function ApiRegistryCreationCockpit({
         </div>
       ) : null}
-      {!collapsed && Array.isArray(receipts) && receipts.length ? (
+      {!collapsed && Array.isArray(receipts) && receipts.some((r) => r.ok) ? (
         <div className="dm-cockpit-receipts">
           <p className="dm-api-action-card-eyebrow">Receipts</p>
           <ul>
-            {receipts.slice(0, 6).map((r, i) => (
+            {receipts.filter((r) => r.ok).slice(0, 6).map((r, i) => (
               <li key={`${r.at}-${i}`} className="dm-cockpit-receipt">
                 <StatusChip mod={r.ok ? "ok" : "bad"} className="dm-cockpit-receipt-chip">{r.kind}</StatusChip>
                 <span className="dm-cockpit-receipt-text">{r.detail}</span>

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/data-model/components/ApiRegistryReviewModal.jsx CHANGED Viewed

@@ -4,7 +4,7 @@ import { CheckCircle2, X } from "lucide-react";
 /**
  * Read-only summary of a successfully tested API Registry row.
- * Shown at the top of the sandbox-tool draft flow (not a blocking modal).
+ * Shown at the top of the workflow draft flow (not a blocking modal).
  */
 export function ApiRegistryReviewModal({ registryRow, onClose = null }) {
   if (!registryRow) return null;
@@ -22,7 +22,7 @@ export function ApiRegistryReviewModal({ registryRow, onClose = null }) {
         <p className="dm-api-review-banner-eyebrow">Connected API</p>
         <h3>{registryRow.Name || integrationId}</h3>
         <p>
-          This endpoint returned a valid response. You can now turn it into a sandbox tool.
+          This endpoint returned a valid response. You can now use it in a workflow canvas.
         </p>
         <code className="dm-api-review-banner-route">
           {method} {baseUrl && endpoint ? `${baseUrl.replace(/\/+$/, "")}/${endpoint.replace(/^\/+/, "")}` : endpoint || baseUrl}