@rigkit/provider-freestyle 0.2.10 → 0.2.11

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Rigkit contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/package.json

@@ -1,6 +1,7 @@
 {
   "name": "@rigkit/provider-freestyle",
-  "version": "0.2.10",
+  "version": "0.2.11",
+  "license": "MIT",
   "type": "module",
   "repository": {
     "type": "git",
@@ -17,9 +18,9 @@
   ],
   "dependencies": {
     "zod": "^4",
-    "@rigkit/sdk": "0.2.10",
-    "@rigkit/engine": "0.2.10",
-    "@rigkit/provider-cmux": "0.2.10"
+    "@rigkit/sdk": "0.2.11",
+    "@rigkit/engine": "0.2.11",
+    "@rigkit/provider-cmux": "0.2.11"
   },
   "peerDependencies": {
     "freestyle": "^0.1.52"

package/src/host-auth.test.ts

@@ -1,6 +1,7 @@
 import { afterEach, describe, expect, test } from "bun:test";
 import type {
   JsonValue,
+  ProviderCheckContext,
   ProviderRuntimeContext,
   ProviderStorage,
   ProviderStorageRecord,
@@ -92,8 +93,8 @@ describe("Freestyle provider host auth", () => {
       });
 
       expect(projectStorage.entries()).toEqual([]);
-      expect(hostStorage.entries("identity:")).toHaveLength(1);
-      expect(requests).toHaveLength(2);
+      expect(hostStorage.entries("identity:")).toHaveLength(0);
+      expect(requests).toHaveLength(0);
 
       const runtime = await (controller as WorkflowProviderController<FreestyleRuntime>).runtime(providerContext([]));
 
@@ -174,6 +175,8 @@ describe("Freestyle provider host auth", () => {
         },
       });
 
+      await controller.checks?.(providerCheckContext("require"));
+
       expect(opened).toEqual([
         "https://dash.freestyle.sh/handler/cli-auth-confirm?login_code=login-code",
       ]);
@@ -222,6 +225,147 @@ describe("Freestyle provider host auth", () => {
     }
   });
 
+  test("reports a required browser auth check during plan without starting OAuth", async () => {
+    delete process.env.FREESTYLE_API_KEY;
+    delete process.env.FREESTYLE_TEAM_ID;
+
+    const projectStorage = new MemoryProviderStorage(FREESTYLE_PROVIDER_ID);
+    const hostStorage = new MemoryProviderStorage(FREESTYLE_PROVIDER_ID);
+    const previousFetch = globalThis.fetch;
+    globalThis.fetch = testFetch(async () =>
+      Response.json({ error: "plan should not fetch" }, { status: 500 })
+    );
+
+    try {
+      const controller = await freestyleProviderPlugin.createProvider({
+        provider: {
+          providerId: FREESTYLE_PROVIDER_ID,
+          config: {},
+        },
+        storage: projectStorage,
+        hostStorage,
+        local: { open: async () => {} },
+      });
+
+      expect(await controller.checks?.(providerCheckContext("plan"))).toEqual([{
+        id: "auth",
+        label: "Freestyle auth",
+        status: "required",
+        value: "login required",
+        message: "Run rig apply, rig create, or rig run to authenticate with Freestyle.",
+        fingerprint: "browser:default:auth:missing",
+      }]);
+      expect(hostStorage.entries()).toEqual([]);
+    } finally {
+      globalThis.fetch = previousFetch;
+    }
+  });
+
+  test("prompts for and persists a Freestyle team when browser auth has multiple teams", async () => {
+    delete process.env.FREESTYLE_API_KEY;
+    delete process.env.FREESTYLE_TEAM_ID;
+
+    const projectStorage = new MemoryProviderStorage(FREESTYLE_PROVIDER_ID);
+    const hostStorage = new MemoryProviderStorage(FREESTYLE_PROVIDER_ID);
+    const selectPrompts: unknown[] = [];
+    const proxyRequests: unknown[] = [];
+    const previousFetch = globalThis.fetch;
+    globalThis.fetch = testFetch(async (resource, init) => {
+      const url = resourceUrl(resource);
+      if (url.href === "https://api.stack-auth.com/api/v1/auth/cli") {
+        return Response.json({ polling_code: "poll-code", login_code: "login-code" });
+      }
+      if (url.href === "https://api.stack-auth.com/api/v1/auth/cli/poll") {
+        return Response.json({ status: "completed", refresh_token: "refresh-token" });
+      }
+      if (url.href === "https://api.stack-auth.com/api/v1/auth/sessions/current/refresh") {
+        return Response.json({ access_token: "stack-access-token", refresh_token: "refresh-token" });
+      }
+      if (url.href === "https://dash.freestyle.sh/api/cli/teams") {
+        return Response.json([
+          { id: "team_alpha", displayName: "Alpha" },
+          { id: "team_beta", displayName: "Beta", sandboxAccountId: "sandbox-beta" },
+        ]);
+      }
+      if (url.href === "https://dash.freestyle.sh/api/proxy/request") {
+        const body = JSON.parse(String(init?.body));
+        proxyRequests.push(body);
+        if (body.data.path === "identity/v1/identities") {
+          return Response.json({ id: "identity-browser" });
+        }
+        if (body.data.path === "identity/v1/identities/identity-browser/tokens") {
+          return Response.json({ id: "token-id-browser", token: "ssh-token-browser" });
+        }
+      }
+      return Response.json({ error: "unexpected request", url: url.href }, { status: 500 });
+    });
+
+    try {
+      const controller = await freestyleProviderPlugin.createProvider({
+        provider: {
+          providerId: FREESTYLE_PROVIDER_ID,
+          config: {},
+        },
+        storage: projectStorage,
+        hostStorage,
+        local: {
+          open: async () => {},
+          prompt: {
+            message: async () => {},
+            text: async () => "",
+            confirm: async () => true,
+            select: async (prompt) => {
+              selectPrompts.push(prompt);
+              return "team_beta";
+            },
+          },
+        },
+      });
+      const checks = await controller.checks?.(providerCheckContext("require"));
+
+      expect(selectPrompts).toEqual([{
+        message: "Choose Freestyle team",
+        options: [
+          { value: "team_alpha", label: "Alpha (team_alpha)", description: undefined },
+          { value: "team_beta", label: "Beta (team_beta)", description: "sandbox sandbox-beta" },
+        ],
+      }]);
+      expect(hostStorage.entries("stack-auth:")[0]?.value).toMatchObject({
+        refreshToken: "refresh-token",
+        accessToken: "stack-access-token",
+        defaultTeamId: "team_beta",
+        defaultTeamName: "Beta",
+      });
+      expect(proxyRequests).toEqual([
+        expect.objectContaining({
+          data: expect.objectContaining({
+            teamId: "team_beta",
+            path: "identity/v1/identities",
+          }),
+        }),
+        expect.objectContaining({
+          data: expect.objectContaining({
+            teamId: "team_beta",
+            path: "identity/v1/identities/identity-browser/tokens",
+          }),
+        }),
+      ]);
+      expect(checks).toContainEqual(expect.objectContaining({
+        id: "team",
+        label: "Freestyle team",
+        status: "ok",
+        value: "Beta (team_beta)",
+        detail: "team_beta",
+        metadata: {
+          teamId: "team_beta",
+          teamName: "Beta",
+        },
+      }));
+    } finally {
+      globalThis.fetch = previousFetch;
+    }
+  });
+
   test("ignores ambient FREESTYLE_API_KEY unless API-key auth is configured", async () => {
     process.env.FREESTYLE_API_KEY = "stale-api-key";
     delete process.env.FREESTYLE_TEAM_ID;
@@ -265,7 +409,7 @@ describe("Freestyle provider host auth", () => {
     });
 
     try {
-      await freestyleProviderPlugin.createProvider({
+      const controller = await freestyleProviderPlugin.createProvider({
         provider: {
           providerId: FREESTYLE_PROVIDER_ID,
           config: {},
@@ -278,6 +422,7 @@ describe("Freestyle provider host auth", () => {
           },
         },
       });
+      await controller.checks?.(providerCheckContext("require"));
 
       expect(opened).toEqual([
         "https://dash.freestyle.sh/handler/cli-auth-confirm?login_code=login-code",
@@ -560,6 +705,14 @@ function providerContext(
   };
 }
 
+function providerCheckContext(mode: "plan" | "require"): ProviderCheckContext {
+  return {
+    mode,
+    workflow: "workflow",
+    local: providerContext([]).local,
+  };
+}
+
 function testFetch(
   handler: (
     resource: Parameters<typeof fetch>[0],

package/src/host-auth.ts

@@ -1,6 +1,6 @@
 import { createHash } from "node:crypto";
 import { Freestyle } from "freestyle";
-import type { LocalWorkspaceRuntime, ProviderStorage } from "@rigkit/engine";
+import type { LocalWorkspaceRuntime, ProviderStorage, WorkflowProviderCheckResult } from "@rigkit/engine";
 import type { JsonValue } from "@rigkit/sdk";
 import { freestyleIdentityId, freestyleToken, freestyleTokenId } from "./auth.ts";
 import { createFreestyleStore } from "./store.ts";
@@ -29,6 +29,7 @@ export type FreestyleAuthenticatedClient = {
   identityId: ReturnType<typeof freestyleIdentityId>;
   tokenId: ReturnType<typeof freestyleTokenId>;
   token: ReturnType<typeof freestyleToken>;
+  team?: FreestyleResolvedTeam;
 };
 
 type CreateFreestyleAuthenticatedClientInput = {
@@ -43,6 +44,7 @@ type CreateFreestyleAuthenticatedClientInput = {
 type ResolvedClientAuth = {
   client: Freestyle;
   identityKey: string;
+  team?: FreestyleResolvedTeam;
 };
 
 type StackAuthConfig = {
@@ -58,6 +60,7 @@ type StackAuthState = {
   refreshToken: string;
   updatedAt: number;
   defaultTeamId?: string;
+  defaultTeamName?: string;
   accessToken?: string;
   accessTokenUpdatedAt?: number;
 };
@@ -73,6 +76,11 @@ type FreestyleTeam = {
   sandboxAccountId?: string | null;
 };
 
+export type FreestyleResolvedTeam = {
+  id: string;
+  displayName?: string;
+};
+
 export async function createFreestyleAuthenticatedClient(
   input: CreateFreestyleAuthenticatedClientInput,
 ): Promise<FreestyleAuthenticatedClient> {
@@ -85,6 +93,7 @@ export async function createFreestyleAuthenticatedClient(
       identityId: savedIdentity.identityId,
       tokenId: savedIdentity.tokenId,
       token: savedIdentity.token,
+      team: auth.team,
     };
   }
 
@@ -102,9 +111,103 @@ export async function createFreestyleAuthenticatedClient(
     identityId: createdIdentity.identityId,
     tokenId: createdIdentity.tokenId,
     token: createdIdentity.token,
+    team: auth.team,
   };
 }
 
+export function checkFreestyleProviderAuth(input: {
+  config?: FreestyleProviderConfig;
+  hostStorage: ProviderStorage;
+}): WorkflowProviderCheckResult[] {
+  const apiKey = nonEmpty(input.config?.apiKey);
+  const apiUrl = nonEmpty(input.config?.apiUrl) ?? nonEmpty(process.env.FREESTYLE_API_URL);
+  const store = createFreestyleStore(input.hostStorage);
+
+  if (apiKey) {
+    const identityKey = apiKeyIdentityKey({ apiUrl, apiKey });
+    return [{
+      id: "auth",
+      label: "Freestyle auth",
+      status: "ok",
+      value: "API key",
+      fingerprint: providerIdentityFingerprint(identityKey, store.getIdentity(identityKey)),
+    }];
+  }
+
+  const stack = resolveStackAuthConfig(input.config);
+  const stored = readStackAuthState(input.hostStorage.get(stackAuthStateKey(stack))?.value);
+  const configuredTeamId = nonEmpty(input.config?.teamId) ?? nonEmpty(process.env.FREESTYLE_TEAM_ID);
+
+  if (!stored?.refreshToken) {
+    return [{
+      id: "auth",
+      label: "Freestyle auth",
+      status: "required",
+      value: "login required",
+      message: "Run rig apply, rig create, or rig run to authenticate with Freestyle.",
+      fingerprint: `browser:${stack.profile}:auth:missing`,
+    }];
+  }
+
+  const teamId = configuredTeamId ?? stored.defaultTeamId;
+  if (!teamId) {
+    return [{
+      id: "team",
+      label: "Freestyle team",
+      status: "required",
+      value: "team selection required",
+      message: "Run rig apply, rig create, or rig run to choose a Freestyle team.",
+      fingerprint: `browser:${stack.profile}:team:missing`,
+    }];
+  }
+
+  const identityKey = browserIdentityKey({
+    apiUrl,
+    dashboardUrl: stack.dashboardUrl,
+    profile: stack.profile,
+    teamId,
+  });
+  const storedTeamName = teamId === stored.defaultTeamId ? stored.defaultTeamName : undefined;
+  return [{
+    id: "team",
+    label: "Freestyle team",
+    status: "ok",
+    value: formatFreestyleTeam({ id: teamId, displayName: storedTeamName }),
+    detail: teamId,
+    fingerprint: providerIdentityFingerprint(identityKey, store.getIdentity(identityKey)),
+    metadata: {
+      teamId,
+      ...(storedTeamName ? { teamName: storedTeamName } : {}),
+    },
+  }];
+}
+
+export function freestyleProviderChecksFromAuthenticated(
+  auth: FreestyleAuthenticatedClient,
+): WorkflowProviderCheckResult[] {
+  if (auth.team) {
+    return [{
+      id: "team",
+      label: "Freestyle team",
+      status: "ok",
+      value: formatFreestyleTeam(auth.team),
+      detail: auth.team.id,
+      fingerprint: `identity:${auth.identityId}`,
+      metadata: {
+        teamId: auth.team.id,
+        ...(auth.team.displayName ? { teamName: auth.team.displayName } : {}),
+      },
+    }];
+  }
+  return [{
+    id: "auth",
+    label: "Freestyle auth",
+    status: "ok",
+    value: "API key",
+    fingerprint: `identity:${auth.identityId}`,
+  }];
+}
+
 export function createFreestyleProxyFetch(input: {
   dashboardUrl: string;
   accessToken: string;
@@ -213,7 +316,7 @@ async function resolveClientAuth(input: CreateFreestyleAuthenticatedClientInput)
         ...(apiUrl ? { baseUrl: apiUrl } : {}),
         fetch: createFreestyleSdkFetch(fetchFn),
       }),
-      identityKey: `api-key:${fingerprint({ apiUrl: apiUrl ?? "default", apiKey })}`,
+      identityKey: apiKeyIdentityKey({ apiUrl, apiKey }),
     };
   }
 
@@ -230,7 +333,7 @@ async function resolveClientAuth(input: CreateFreestyleAuthenticatedClientInput)
     timeoutMs: input.timeoutMs ?? DEFAULT_CLI_AUTH_TIMEOUT_MILLIS,
     pollIntervalMs: input.pollIntervalMs ?? DEFAULT_POLL_INTERVAL_MILLIS,
   });
-  const teamId = await resolveTeamId({
+  const team = await resolveTeam({
     configuredTeamId: input.config?.teamId,
     stored: readStackAuthState(input.hostStorage.get(stackStateKey)?.value) ?? stored,
     accessToken: refreshed.accessToken,
@@ -238,6 +341,7 @@ async function resolveClientAuth(input: CreateFreestyleAuthenticatedClientInput)
     storage: input.hostStorage,
     storageKey: stackStateKey,
     fetch: fetchFn,
+    local: input.local,
   });
   const client = new Freestyle({
     apiKey: "rigkit-browser-auth",
@@ -245,19 +349,20 @@ async function resolveClientAuth(input: CreateFreestyleAuthenticatedClientInput)
     fetch: createFreestyleProxyFetch({
       dashboardUrl: stack.dashboardUrl,
       accessToken: refreshed.accessToken,
-      teamId,
+      teamId: team.id,
       fetch: fetchFn,
     }),
   });
 
   return {
     client,
-    identityKey: `browser:${fingerprint({
-      apiUrl: apiUrl ?? "default",
+    identityKey: browserIdentityKey({
+      apiUrl,
       dashboardUrl: stack.dashboardUrl,
       profile: stack.profile,
-      teamId,
-    })}`,
+      teamId: team.id,
+    }),
+    team,
   };
 }
 
@@ -470,6 +575,7 @@ async function resolveStackAccessToken(input: {
     saveStackAuthState(input.storage, input.storageKey, {
       refreshToken,
       defaultTeamId: input.stored?.defaultTeamId,
+      defaultTeamName: input.stored?.defaultTeamName,
       updatedAt: Date.now(),
     });
   }
@@ -481,6 +587,7 @@ async function resolveStackAccessToken(input: {
     saveStackAuthState(input.storage, input.storageKey, {
       refreshToken,
       defaultTeamId: input.stored?.defaultTeamId,
+      defaultTeamName: input.stored?.defaultTeamName,
       updatedAt: Date.now(),
     });
     refreshed = await refreshStackAccessToken(input.config, refreshToken, input.fetch);
@@ -494,6 +601,7 @@ async function resolveStackAccessToken(input: {
   saveStackAuthState(input.storage, input.storageKey, {
     refreshToken: nextRefreshToken,
     defaultTeamId: input.stored?.defaultTeamId,
+    defaultTeamName: input.stored?.defaultTeamName,
     accessToken: refreshed.accessToken,
     accessTokenUpdatedAt: Date.now(),
     updatedAt: Date.now(),
@@ -589,7 +697,7 @@ async function refreshStackAccessToken(
   };
 }
 
-async function resolveTeamId(input: {
+async function resolveTeam(input: {
   configuredTeamId: string | undefined;
   stored: StackAuthState | undefined;
   accessToken: string;
@@ -597,19 +705,27 @@ async function resolveTeamId(input: {
   storage: ProviderStorage;
   storageKey: string;
   fetch: typeof fetch;
-}): Promise<string> {
+  local: LocalWorkspaceRuntime;
+}): Promise<FreestyleResolvedTeam> {
   const teamId =
     nonEmpty(input.configuredTeamId) ??
       nonEmpty(process.env.FREESTYLE_TEAM_ID) ??
       nonEmpty(input.stored?.defaultTeamId);
   if (teamId) {
+    const storedTeamName = teamId === input.stored?.defaultTeamId
+      ? input.stored?.defaultTeamName
+      : undefined;
     saveStackAuthState(input.storage, input.storageKey, {
       ...input.stored,
       refreshToken: input.stored?.refreshToken ?? "",
       defaultTeamId: teamId,
+      defaultTeamName: storedTeamName,
       updatedAt: Date.now(),
     });
-    return teamId;
+    return {
+      id: teamId,
+      ...(storedTeamName ? { displayName: storedTeamName } : {}),
+    };
   }
 
   const teams = await listTeams(input.config, input.accessToken, input.fetch);
@@ -619,19 +735,68 @@ async function resolveTeamId(input: {
       ...input.stored,
       refreshToken: input.stored?.refreshToken ?? "",
       defaultTeamId: onlyTeam.id,
+      defaultTeamName: nonEmpty(onlyTeam.displayName),
       updatedAt: Date.now(),
     });
-    return onlyTeam.id;
+    return freestyleResolvedTeam(onlyTeam);
   }
 
   if (teams.length === 0) {
     throw new Error("Freestyle authentication succeeded, but no teams were available for this account.");
   }
 
-  const choices = teams.map((team) => `${team.displayName ?? team.id} (${team.id})`).join(", ");
-  throw new Error(
-    `Freestyle authentication found multiple teams. Set freestyle.provider({ teamId }) or FREESTYLE_TEAM_ID. Teams: ${choices}`,
-  );
+  const selectedTeamId = await selectFreestyleTeam(input.local, teams);
+  const selectedTeam = teams.find((team) => team.id === selectedTeamId);
+  if (!selectedTeam) {
+    throw new Error(`Freestyle team selection returned unknown team ${selectedTeamId}.`);
+  }
+  saveStackAuthState(input.storage, input.storageKey, {
+    ...input.stored,
+    refreshToken: input.stored?.refreshToken ?? "",
+    defaultTeamId: selectedTeam.id,
+    defaultTeamName: nonEmpty(selectedTeam.displayName),
+    updatedAt: Date.now(),
+  });
+  return freestyleResolvedTeam(selectedTeam);
+}
+
+async function selectFreestyleTeam(
+  local: LocalWorkspaceRuntime,
+  teams: FreestyleTeam[],
+): Promise<string> {
+  if (!local.prompt?.select) {
+    const choices = teams.map((team) => `${team.displayName ?? team.id} (${team.id})`).join(", ");
+    throw new Error(
+      `Freestyle authentication found multiple teams. Set freestyle.provider({ teamId }) or FREESTYLE_TEAM_ID. Teams: ${choices}`,
+    );
+  }
+  return await local.prompt.select({
+    message: "Choose Freestyle team",
+    options: teams.map((team) => ({
+      value: team.id,
+      label: team.displayName ? `${team.displayName} (${team.id})` : team.id,
+      description: team.sandboxAccountId ? `sandbox ${team.sandboxAccountId}` : undefined,
+    })),
+  });
+}
+
+function freestyleResolvedTeam(team: FreestyleTeam): FreestyleResolvedTeam {
+  const displayName = nonEmpty(team.displayName);
+  return {
+    id: team.id,
+    ...(displayName ? { displayName } : {}),
+  };
+}
+
+function formatFreestyleTeam(team: FreestyleResolvedTeam): string {
+  return team.displayName ? `${team.displayName} (${team.id})` : team.id;
+}
+
+function providerIdentityFingerprint(
+  identityKey: string,
+  identity: { identityId: string } | undefined,
+): string {
+  return `${identityKey}:${identity?.identityId ?? "missing-identity"}`;
 }
 
 async function listTeams(config: StackAuthConfig, accessToken: string, fetchFn: typeof fetch): Promise<FreestyleTeam[]> {
@@ -672,6 +837,24 @@ function stackAuthStateKey(config: StackAuthConfig): string {
   })}`;
 }
 
+function apiKeyIdentityKey(input: { apiUrl: string | undefined; apiKey: string }): string {
+  return `api-key:${fingerprint({ apiUrl: input.apiUrl ?? "default", apiKey: input.apiKey })}`;
+}
+
+function browserIdentityKey(input: {
+  apiUrl: string | undefined;
+  dashboardUrl: string;
+  profile: string;
+  teamId: string;
+}): string {
+  return `browser:${fingerprint({
+    apiUrl: input.apiUrl ?? "default",
+    dashboardUrl: input.dashboardUrl,
+    profile: input.profile,
+    teamId: input.teamId,
+  })}`;
+}
+
 function readStackAuthState(value: JsonValue | undefined): StackAuthState | undefined {
   if (!isRecord(value)) return undefined;
   const refreshToken = typeof value.refreshToken === "string" ? value.refreshToken : undefined;
@@ -680,6 +863,7 @@ function readStackAuthState(value: JsonValue | undefined): StackAuthState | unde
     refreshToken,
     updatedAt: typeof value.updatedAt === "number" ? value.updatedAt : Date.now(),
     defaultTeamId: typeof value.defaultTeamId === "string" ? value.defaultTeamId : undefined,
+    defaultTeamName: typeof value.defaultTeamName === "string" ? value.defaultTeamName : undefined,
     accessToken: typeof value.accessToken === "string" ? value.accessToken : undefined,
     accessTokenUpdatedAt: typeof value.accessTokenUpdatedAt === "number" ? value.accessTokenUpdatedAt : undefined,
   };
@@ -691,6 +875,7 @@ function saveStackAuthState(storage: ProviderStorage, key: string, state: StackA
     refreshToken: state.refreshToken,
     updatedAt: state.updatedAt,
     ...(state.defaultTeamId ? { defaultTeamId: state.defaultTeamId } : {}),
+    ...(state.defaultTeamName ? { defaultTeamName: state.defaultTeamName } : {}),
     ...(state.accessToken ? { accessToken: state.accessToken } : {}),
     ...(state.accessTokenUpdatedAt ? { accessTokenUpdatedAt: state.accessTokenUpdatedAt } : {}),
   });

package/src/index.ts

@@ -6,13 +6,16 @@ import type { BaseProviderPlugin } from "@rigkit/engine";
 import * as z from "zod/v4-mini";
 import { freestyleIdentityId, freestyleToken, freestyleTokenId } from "./auth.ts";
 import {
+  checkFreestyleProviderAuth,
   createFreestyleAuthenticatedClient,
   createFreestyleProxyFetch,
+  freestyleProviderChecksFromAuthenticated,
   type FreestyleProviderConfig,
 } from "./host-auth.ts";
 import {
   FREESTYLE_PROVIDER_ID,
   FREESTYLE_TERMINAL_PROVIDER_ID,
+  createLazyFreestyleWorkflowController,
   createFreestyleTerminalController,
   createFreestyleWorkflowProvider,
 } from "./provider.ts";
@@ -65,15 +68,20 @@ export const freestyleProviderPlugin: BaseProviderPlugin = {
   providerId: FREESTYLE_PROVIDER_ID,
   async createProvider({ provider, hostStorage, local }) {
     const config = parseFreestyleProviderConfig(provider.config);
-    const authenticated = await createFreestyleAuthenticatedClient({
+    let authenticated: ReturnType<typeof createFreestyleAuthenticatedClient> | undefined;
+    const authenticate = () => authenticated ??= createFreestyleAuthenticatedClient({
       config,
       hostStorage,
       local,
     });
-    return createFreestyleWorkflowProvider({
-      client: authenticated.client,
-      identityId: authenticated.identityId,
-      token: authenticated.token,
+    return createLazyFreestyleWorkflowController({
+      authenticate,
+      checks: async ({ mode }) => {
+        if (mode === "require") {
+          return freestyleProviderChecksFromAuthenticated(await authenticate());
+        }
+        return checkFreestyleProviderAuth({ config, hostStorage });
+      },
     });
   },
 };
@@ -86,9 +94,11 @@ export const freestyleTerminalPlugin: BaseProviderPlugin = {
 };
 
 export {
+  checkFreestyleProviderAuth,
   createFreestyleAuthenticatedClient,
   createFreestyleProxyFetch,
   createFreestyleSdkFetch,
+  freestyleProviderChecksFromAuthenticated,
 } from "./host-auth.ts";
 export {
   freestyleIdentityId,
@@ -102,6 +112,7 @@ export {
   FREESTYLE_PROVIDER_ID,
   FREESTYLE_TERMINAL_PROVIDER_ID,
   createFreestyleTerminalController,
+  createLazyFreestyleWorkflowController,
   createFreestyleWorkflowController,
   createFreestyleWorkflowProvider,
 } from "./provider.ts";
@@ -120,6 +131,7 @@ export type {
   FreestyleVscodeUrlOptions,
 } from "./provider.ts";
 export type { FreestyleGitRelationship, FreestyleIdentity } from "./store.ts";
+export type { FreestyleResolvedTeam } from "./host-auth.ts";
 
 function parseFreestyleProviderConfig(value: unknown): FreestyleProviderConfig {
   const result = z.safeParse(freestyleProviderConfigSchema, normalizeFreestyleProviderOptions(value));

package/src/provider.ts

@@ -2,10 +2,12 @@ import { Freestyle } from "freestyle";
 import type {
   SshConnection,
   SshOptions,
+  WorkflowProviderCheckResult,
   WorkflowProviderController,
 } from "@rigkit/engine";
 import type { CmuxOpenSshInput } from "@rigkit/provider-cmux";
 import type { FreestyleIdentityId, FreestyleToken } from "./auth.ts";
+import type { FreestyleResolvedTeam } from "./host-auth.ts";
 import { createFreestyleTerminalSession } from "./terminal-session.ts";
 
 export const FREESTYLE_PROVIDER_ID = "freestyle";
@@ -55,6 +57,7 @@ export function createFreestyleWorkflowProvider(input: {
   client: Freestyle;
   identityId: FreestyleIdentityId;
   token: FreestyleToken;
+  team?: FreestyleResolvedTeam;
 }): WorkflowProviderController<FreestyleRuntime> {
   return createFreestyleWorkflowController(input);
 }
@@ -63,15 +66,50 @@ export function createFreestyleWorkflowController(input: {
   client: Freestyle;
   identityId: FreestyleIdentityId;
   token: FreestyleToken;
+  team?: FreestyleResolvedTeam;
 }): WorkflowProviderController<FreestyleRuntime> {
   return {
     providerId: FREESTYLE_PROVIDER_ID,
+    checks() {
+      if (!input.team) return undefined;
+      return {
+        id: "team",
+        label: "Freestyle team",
+        status: "ok",
+        value: formatFreestyleTeam(input.team),
+        detail: input.team.id,
+        fingerprint: `identity:${input.identityId}`,
+        metadata: {
+          teamId: input.team.id,
+          ...(input.team.displayName ? { teamName: input.team.displayName } : {}),
+        },
+      };
+    },
     runtime() {
       return createFreestyleRuntime(input);
     },
   };
 }
 
+export function createLazyFreestyleWorkflowController(input: {
+  authenticate(): Promise<{
+    client: Freestyle;
+    identityId: FreestyleIdentityId;
+    token: FreestyleToken;
+    team?: FreestyleResolvedTeam;
+  }>;
+  checks(context: { mode: "plan" | "require" }): Promise<WorkflowProviderCheckResult[]>;
+}): WorkflowProviderController<FreestyleRuntime> {
+  return {
+    providerId: FREESTYLE_PROVIDER_ID,
+    checks: input.checks,
+    async runtime() {
+      const authenticated = await input.authenticate();
+      return createFreestyleRuntime(authenticated);
+    },
+  };
+}
+
 export function createFreestyleTerminalController(): WorkflowProviderController<FreestyleTerminalRuntime> {
   return {
     providerId: FREESTYLE_TERMINAL_PROVIDER_ID,
@@ -140,6 +178,10 @@ function createFreestyleRuntime(input: {
 
 const defaultFreestyleVmUser = "root";
 
+function formatFreestyleTeam(team: FreestyleResolvedTeam): string {
+  return team.displayName ? `${team.displayName} (${team.id})` : team.id;
+}
+
 function freestyleSshConnection(vmId: string, token: FreestyleToken, user: string | undefined): SshConnection {
   const userPart = `+${user ?? defaultFreestyleVmUser}`;
   const username = `${vmId}${userPart}`;

package/src/version.ts

@@ -1 +1 @@
-export const RIGKIT_PROVIDER_FREESTYLE_VERSION = "0.2.10";
+export const RIGKIT_PROVIDER_FREESTYLE_VERSION = "0.2.11";