@growthub/cli 0.14.9 → 0.14.11

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/add-ons/upstash/sync/route.js

@@ -0,0 +1,197 @@
+import { NextResponse } from "next/server";
+import { readWorkspaceConfig, writeWorkspaceConfig } from "@/lib/workspace-config";
+import {
+  getUpstashProduct,
+  listUpstashProductReadiness,
+  UPSTASH_REGION_OPTIONS,
+  withUpstashProductRegistry
+} from "@/lib/workspace-add-ons";
+import { appendOutcomeReceipt } from "@/lib/workspace-outcome-receipts";
+import { readEnvVar, resolveRequiredEnv } from "@/lib/server-secrets";
+
+const PROBE_TIMEOUT_MS = 8000;
+
+function jsonError(message, status = 400, extra = {}) {
+  return NextResponse.json({ error: message, ...extra }, { status });
+}
+
+function clean(value) {
+  return String(value == null ? "" : value).trim();
+}
+
+// Canonical concrete-key read — same contract as readiness + schedule runtime.
+function envValue(key) {
+  return clean(readEnvVar(key, process.env)?.value || "");
+}
+
+function selectedQstashRegion(region) {
+  return UPSTASH_REGION_OPTIONS.find((option) => option.id === region) || UPSTASH_REGION_OPTIONS[0];
+}
+
+async function fetchWithTimeout(url, init = {}) {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), PROBE_TIMEOUT_MS);
+  try {
+    return await fetch(url, { ...init, signal: controller.signal, cache: "no-store" });
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+
+async function readProbeText(response) {
+  try {
+    return clean(await response.text()).slice(0, 240);
+  } catch {
+    return "";
+  }
+}
+
+function safeUrl(baseUrl, path) {
+  const base = clean(baseUrl).replace(/\/+$/, "");
+  const suffix = clean(path).startsWith("/") ? clean(path) : `/${clean(path)}`;
+  return `${base}${suffix}`;
+}
+
+async function probeJsonPaths({ baseUrl, token, paths, label }) {
+  let last = null;
+  for (const path of paths) {
+    const url = safeUrl(baseUrl, path);
+    const response = await fetchWithTimeout(url, {
+      method: "GET",
+      headers: { authorization: `Bearer ${token}` },
+    });
+    const text = await readProbeText(response);
+    last = { status: response.status, path, text };
+    if (response.ok) {
+      return {
+        ok: true,
+        baseUrl,
+        testedAt: new Date().toISOString(),
+        proof: `${label} probe ${path} returned HTTP ${response.status}`,
+        summary: `${label} sync verified with a read-only REST probe (${path}).`,
+      };
+    }
+  }
+  const details = last ? `${last.path} returned HTTP ${last.status}` : "no endpoint returned";
+  return {
+    ok: false,
+    baseUrl,
+    testedAt: new Date().toISOString(),
+    proof: `${label} probe failed: ${details}`,
+    summary: `${label} REST probe failed: ${details}.`,
+  };
+}
+
+async function probeUpstashProduct(productId, region) {
+  const product = getUpstashProduct(productId);
+  if (!product) {
+    return { ok: false, status: 400, error: "unknown Upstash product" };
+  }
+  const readiness = listUpstashProductReadiness(process.env).find((item) => item.productId === product.productId);
+  const requiredEnv = resolveRequiredEnv(product.requiredEnv, process.env);
+  if (!readiness?.configured || !requiredEnv.ok) {
+    return {
+      ok: false,
+      status: 422,
+      error: `${product.label} provider credentials are not connected`,
+      missingEnv: requiredEnv.missing.length ? requiredEnv.missing : (readiness?.missingEnv || product.requiredEnv),
+      resolvedEnv: requiredEnv.resolvedKeys,
+      summary: `${product.label} provider credentials are not connected. Complete provider setup, then sync again.`,
+    };
+  }
+
+  const probe = product.probe || {};
+  if (!probe.baseUrlEnv || !probe.tokenEnv || !Array.isArray(probe.paths) || !probe.paths.length) {
+    return { ok: false, status: 400, error: "unsupported Upstash product probe" };
+  }
+  const regionOption = selectedQstashRegion(region);
+  const configuredUrl = envValue(probe.baseUrlEnv) || (probe.fallbackRegionBaseUrl ? regionOption.baseUrl : "");
+  const result = await probeJsonPaths({
+    baseUrl: configuredUrl,
+    token: envValue(probe.tokenEnv),
+    paths: probe.paths,
+    label: product.label,
+  });
+  return {
+    ...result,
+    resolvedEnv: requiredEnv.resolvedKeys,
+  };
+}
+
+async function POST(request) {
+  let body = {};
+  try {
+    body = await request.json();
+  } catch {
+    return jsonError("invalid json body", 400);
+  }
+
+  const productId = clean(body.productId || "upstash-qstash");
+  const region = clean(body.region || "us-east-1");
+  const plan = clean(body.plan || "free");
+  const product = getUpstashProduct(productId);
+  if (!product) return jsonError("unknown Upstash product", 400, { productId });
+
+  const syncResult = await probeUpstashProduct(product.productId, region);
+  if (!syncResult.ok) {
+    await appendOutcomeReceipt({
+      kind: "workspace-add-on-sync",
+      lane: "server-authoritative",
+      outcomeStatus: "blocked",
+      actor: "workspace-marketplace",
+      objectRefs: [{ objectId: "api-registry", objectType: "api-registry", rowName: product.label }],
+      summary: syncResult.summary || syncResult.error || `${product.label} sync failed`,
+      policyVerdict: { ok: false, violationCodes: syncResult.missingEnv?.length ? ["provider_product_not_connected"] : ["provider_probe_failed"] },
+      nextActions: syncResult.missingEnv?.length
+        ? [`Complete ${product.label} setup from the provider marketplace flow, then sync again.`]
+        : [`Open the ${product.label} provider console, verify the product connection, then retry sync.`]
+    });
+    return jsonError(syncResult.error || syncResult.summary || "Upstash sync failed", syncResult.status || 502, {
+      productId: product.productId,
+      missingEnv: syncResult.missingEnv || [],
+      sync: {
+        ok: false,
+        proof: syncResult.proof || "",
+        summary: syncResult.summary || "",
+      }
+    });
+  }
+
+  const currentConfig = await readWorkspaceConfig();
+  const nextConfig = withUpstashProductRegistry(currentConfig, {
+    productId: product.productId,
+    region,
+    plan,
+    syncResult,
+  });
+  const persisted = await writeWorkspaceConfig({ dataModel: nextConfig.dataModel });
+  const { receipt } = await appendOutcomeReceipt({
+    kind: "workspace-add-on-sync",
+    lane: "server-authoritative",
+    outcomeStatus: "published",
+    actor: "workspace-marketplace",
+    objectRefs: [{ objectId: "api-registry", objectType: "api-registry", rowName: product.label }],
+    changedFields: ["dataModel.api-registry"],
+    policyVerdict: { ok: true },
+    schemaVerdict: { ok: true },
+    summary: `${product.label} installed after provider sync probe.`,
+    nextActions: product.productId === "upstash-qstash"
+      ? ["Workflow Canvas can now bind QStash/Workflow from the installed product card."]
+      : ["Use this workspace add-on from the relevant data/retrieval surfaces."]
+  });
+
+  return NextResponse.json({
+    ok: true,
+    productId: product.productId,
+    workspaceConfig: persisted,
+    sync: {
+      ok: true,
+      proof: syncResult.proof,
+      summary: syncResult.summary,
+      testedAt: syncResult.testedAt,
+    },
+    receiptId: receipt.receiptId,
+  });
+}
+
+export { POST };

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/apps/route.js

@@ -68,7 +68,7 @@ function safeRuntime(warnings) {
 
 // Mirrors the CLI probe (cli/src/commands/workspace-surface.ts) so detection
 // lives inside the artifact too — the bridge roadmap Item 4 called for.
-const KNOWN_APP_DIRS = ["apps/workspace"];
+const KNOWN_APP_DIRS = ["apps/workspace", "apps/agency-portal", "apps/portal", "studio", "app", "src"];
 
 function detectFramework(absPath) {
   try {

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/patch/preflight/route.js

@@ -35,6 +35,38 @@ import {
 } from "@/lib/workspace-patch-policy";
 import { evaluateAppScope, requireAppScope } from "@/lib/workspace-app-registry";
 import { appendOutcomeReceipt } from "@/lib/workspace-outcome-receipts";
+import { readWorkspaceSourceRecords } from "@/lib/workspace-config";
+import { buildWorkspaceMetadataStore } from "@/lib/workspace-metadata-store";
+import { buildWorkspaceMetadataGraph } from "@/lib/workspace-metadata-graph";
+import { derivePatchImpact } from "@/lib/workspace-patch-impact";
+
+/**
+ * Report the blast radius of a proposed patch BEFORE the write — the S1
+ * spine's intended preflight consumption. Builds the metadata graph from the
+ * MERGED config (what the workspace becomes if this patch lands), maps the
+ * patched dataModel objects / dashboards to their graph node ids, and runs the
+ * pure `deriveStaleSurfaces` seed path over them. Pure, additive, never
+ * throws — on any failure the preflight verdict is unaffected and `impact`
+ * is simply omitted.
+ */
+async function computePatchImpact(currentConfig, mergedConfig, patch) {
+  try {
+    if (!patch || typeof patch !== "object" || Array.isArray(patch)) return null;
+    let sourceRecords = {};
+    try { sourceRecords = (await readWorkspaceSourceRecords()) || {}; } catch { sourceRecords = {}; }
+    // Build BOTH graphs so the impact deriver can report not just added/modified
+    // (on the merged graph) but also REMOVED objects/dashboards (whose downstream
+    // lived in the current graph). One shared, unit-tested deriver does the diff.
+    const buildGraph = (cfg) => buildWorkspaceMetadataGraph(buildWorkspaceMetadataStore({ workspaceConfig: cfg || {}, workspaceSourceRecords: sourceRecords }));
+    const currentGraph = buildGraph(currentConfig);
+    const mergedGraph = buildGraph(mergedConfig);
+    const impact = derivePatchImpact(currentGraph, mergedGraph, currentConfig || {}, mergedConfig || {});
+    if (!impact.total && !impact.removed.length) return null;
+    return impact;
+  } catch {
+    return null;
+  }
+}
 
 async function POST(request) {
   let patch;
@@ -66,12 +98,14 @@ async function POST(request) {
   // PATCH about the merged result. Skipped when the body is not a plain
   // object (policy already reports that).
   let schema = { ok: true, errors: [] };
+  let mergedConfig = null;
   if (patch && typeof patch === "object" && !Array.isArray(patch)) {
     const sanitized = {};
     for (const key of WORKSPACE_PATCH_ALLOWED_FIELDS) {
       if (Object.prototype.hasOwnProperty.call(patch, key)) sanitized[key] = patch[key];
     }
     const merged = applyWorkspaceConfigPatch(currentConfig || {}, sanitized);
+    mergedConfig = merged;
     try {
       validateWorkspaceConfig({
         dashboards: merged.dashboards,
@@ -103,6 +137,9 @@ async function POST(request) {
     }
   }
 
+  // Blast radius of this patch BEFORE the write (additive; never blocks).
+  const impact = await computePatchImpact(currentConfig, mergedConfig, patch);
+
   const persistence = describePersistenceMode();
   const ok = policy.ok && schema.ok && (appScopeVerdict ? appScopeVerdict.allowed : true);
   const repairPlan = repairPlanForViolations(policy.violations);
@@ -140,6 +177,7 @@ async function POST(request) {
     schema,
     repairPlan,
     ...(appScopeVerdict ? { appScopeVerdict } : {}),
+    ...(impact ? { impact } : {}),
     ...(safeNextStep ? { safeNextStep } : {}),
     persistence: {
       mode: persistence.mode,

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/sandbox-run/route.js

@@ -88,26 +88,9 @@ import {
   validateRunInputsEnvelope,
   summarizeRunInputs
 } from "@/lib/orchestration-run-inputs";
-
-function envKeyCandidates(ref) {
-  const token = String(ref || "")
-    .trim()
-    .replace(/[^a-z0-9]+/gi, "_")
-    .replace(/^_+|_+$/g, "")
-    .toUpperCase();
-  return Array.from(new Set([
-    token,
-    token ? `${token}_API_KEY` : "",
-    token ? `${token}_TOKEN` : ""
-  ].filter(Boolean)));
-}
-
-function readServerSecret(authRef) {
-  for (const key of envKeyCandidates(authRef)) {
-    if (process.env[key]) return { key, value: process.env[key] };
-  }
-  return null;
-}
+// Single canonical secret resolver — shared with the serverless add-on lane so
+// both run lanes resolve stored env tokens identically (no copy-pasted logic).
+import { readServerSecret } from "@/lib/server-secrets";
 
 function coerceBoolean(value) {
   if (value === true || value === false) return value;

package/assets/worker-kits/growthub-custom-workspace-starter-v1/apps/workspace/app/api/workspace/test-api-record/route.js

@@ -1,5 +1,6 @@
 import { NextResponse } from "next/server";
 import { readWorkspaceConfig } from "@/lib/workspace-config";
+import { readServerSecret } from "@/lib/server-secrets";
 
 const DEFAULT_TIMEOUT_MS = 15000;
 
@@ -18,25 +19,7 @@ function buildUrl(record) {
   return `${baseUrl.replace(/\/+$/, "")}/${endpoint.replace(/^\/+/, "")}`;
 }
 
-function envKeyCandidates(ref) {
-  const token = String(ref || "")
-    .trim()
-    .replace(/[^a-z0-9]+/gi, "_")
-    .replace(/^_+|_+$/g, "")
-    .toUpperCase();
-  return Array.from(new Set([
-    token,
-    token ? `${token}_API_KEY` : "",
-    token ? `${token}_TOKEN` : "",
-  ].filter(Boolean)));
-}
-
-function readServerSecret(authRef) {
-  for (const key of envKeyCandidates(authRef)) {
-    if (process.env[key]) return process.env[key];
-  }
-  return "";
-}
+// Secret resolution uses the single canonical resolver from lib/server-secrets.js.
 
 function findRegistryRecord(workspaceConfig, registryId) {
   const id = String(registryId || "").trim();
@@ -86,7 +69,7 @@ async function POST(request) {
 
   const method = normalizeMethod(record.method);
   const authRef = record.authRef || record.integrationId || dataSourceRecord?.registryId;
-  const secret = readServerSecret(authRef);
+  const secret = readServerSecret(authRef)?.value || "";
   const controller = new AbortController();
   const timeout = setTimeout(() => controller.abort(), DEFAULT_TIMEOUT_MS);