release: merge develop into main for v0.32.3

Author: DavidsonGomes

CHANGELOG.md

@@ -5,6 +5,25 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.32.3] - 2026-04-25
+
+Patch release fixing a long-standing Workspace UI bug where folders refused to open and the dev console flooded with `400 Path is a directory` requests, plus a small UX win on the file share dialog (reuse existing share links instead of generating a new token every time). Also includes the upstream PR #51 (private-repo plugin update flow + ClickUp webhook compat + DetachedInstanceError).
+
+### Fixed
+
+- **`dashboard/frontend/src/App.tsx`** — section-stable `routeKey` for the `SectionBoundary`. Previously every `navigate({replace:true})` inside `/workspace/*`, `/agents/:name`, `/tickets/:id`, `/skills/:name` and `/docs` produced a new `location.key`, which changed the boundary's React `key` and remounted the entire page. In the Workspace this wiped `selectedPath`, `expanded` state in `TreeItem`, and refs on every folder click — folders never stayed open and the URL→state effect re-fired the file probe (`GET /api/workspace/file?path=workspace/development` → 400) on every mount. Now subpaths within the same section share one stable key; the boundary still resets between sections.
+- **`dashboard/frontend/src/components/workspace/FileTree.tsx`** — split the toggle in `TreeItem.handleClick` into explicit open / close branches. The previous `setExpanded(prev => !prev)` toggle was vulnerable to any re-trigger flipping a freshly-opened folder back closed.
+- **`dashboard/frontend/src/pages/Workspace.tsx`** — added `knownDirsRef` so the URL→`selectedPath` deep-link effect can skip the redundant `GET /api/workspace/file?path=…` probe when the path is already known to be a directory (e.g. user just clicked it). The probe used to 400 on every directory navigation, polluting server logs and racing with `setSelectedPath` re-renders.
+
+### Changed
+
+- **`dashboard/backend/routes/shares.py`** — new `GET /api/shares/by-path?path=X` endpoint returning the most recent **active** (enabled + non-expired) share for a path, or 404. Same permission gate (`workspace.manage`) and folder-access check as `POST /api/shares`.
+- **`dashboard/frontend/src/components/workspace/ShareDialog.tsx`** — on open, probe `by-path` and reuse any existing active share instead of always minting a new token. The dialog now shows the existing link with formatted expiry, view counter, and a destructive **Revoke and regenerate** action when you actually want to rotate the link. New share creation only happens when there isn't one already.
+
+### Included from PR #51
+
+- **Plugins + triggers** — private-repo update flow, ClickUp webhook compatibility, and a `DetachedInstanceError` fix landed via PR #51 ahead of this patch.
+
 ## [0.32.2] - 2026-04-24
 
 Patch release working around a bug in `@anthropic-ai/claude-agent-sdk` (v0.2.104+) where Linux auto-discovery tries the `-musl` platform package before glibc regardless of the host's actual libc. On glibc VPS installs (Ubuntu / Debian) with both platform packages present in `node_modules`, the SDK spawned the musl binary and failed with `Claude Code native binary not found` because the musl dynamic loader was absent — breaking every chat session on the affected VPS with no local repro. See upstream [issue #296](https://github.com/anthropics/claude-agent-sdk-typescript/issues/296).

cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@evoapi/evo-nexus",
-  "version": "0.32.2",
+  "version": "0.32.3",
   "description": "Unofficial open source toolkit for Claude Code — AI-powered business operating system",
   "keywords": [
     "claude-code",

dashboard/backend/app.py

@@ -834,6 +834,7 @@ def auth_middleware():
 from routes.mempalace import bp as mempalace_bp
 from routes.tasks import bp as tasks_bp
 from routes.triggers import bp as triggers_bp
+from routes.terminal_proxy import bp as terminal_proxy_bp, register_websocket_proxy as _register_terminal_ws
 from routes.backups import bp as backups_bp
 from routes.providers import bp as providers_bp
 from routes.settings import bp as settings_bp
@@ -887,6 +888,25 @@ def auth_middleware():
 app.register_blueprint(mempalace_bp)
 app.register_blueprint(tasks_bp)
 app.register_blueprint(triggers_bp)
+app.register_blueprint(terminal_proxy_bp)
+
+# Mount the terminal-server WebSocket proxy on the same Sock instance the
+# rest of the app uses. Done after the blueprint is registered so route
+# names are unique. Without this, browsers connecting from a host other
+# than the one running the Node terminal-server (LAN, Tailscale Funnel,
+# SSH tunnel without the dynamic port forwarded) cannot reach it directly
+# due to CORS preflight + private-network-access policies.
+try:
+    from flask_sock import Sock as _Sock
+    _terminal_sock = _Sock(app)
+    _register_terminal_ws(_terminal_sock)
+except Exception as _exc:
+    import logging as _logging
+    _logging.getLogger(__name__).warning(
+        "terminal_proxy: failed to mount WebSocket proxy: %s — terminal "
+        "interactions will require direct access to the terminal-server port.",
+        _exc,
+    )
 app.register_blueprint(backups_bp)
 app.register_blueprint(providers_bp)
 app.register_blueprint(settings_bp)

dashboard/backend/plugin_loader.py

@@ -290,10 +290,23 @@ def resolve_source(source_url: str, auth_token: str | None = None) -> Path:
             staging_slug = f"{owner}-{repo}-{ref}".replace("/", "-")
             try:
                 return PluginInstaller.fetch_from_tarball(tar_url, staging_slug, auth_token=auth_token)
-            except RuntimeError:
-                # fallback: try as tag ref
+            except RuntimeError as branch_err:
+                # fallback: try as tag ref. If that also fails, surface a
+                # unified error so the caller knows both branch and tag
+                # namespaces were tried — otherwise the bare
+                # "refs/tags/<ref>: 404" message is misleading when the ref
+                # was actually a branch name.
                 tar_url_tag = f"https://codeload.github.com/{owner}/{repo}/tar.gz/refs/tags/{ref}"
-                return PluginInstaller.fetch_from_tarball(tar_url_tag, staging_slug, auth_token=auth_token)
+                try:
+                    return PluginInstaller.fetch_from_tarball(
+                        tar_url_tag, staging_slug, auth_token=auth_token
+                    )
+                except RuntimeError as tag_err:
+                    raise RuntimeError(
+                        f"ref '{ref}' not found in {owner}/{repo} "
+                        f"(tried branches and tags). "
+                        f"Branch: {branch_err}. Tag: {tag_err}."
+                    ) from tag_err
 
         if s.startswith("https://"):
             # Use a safe staging slug derived from the URL
@@ -477,12 +490,23 @@ def resolve_source_with_sha(
                     tar_url, staging_slug, auth_token=auth_token
                 )
                 return path, sha
-            except RuntimeError:
+            except RuntimeError as branch_err:
                 tar_url_tag = f"https://codeload.github.com/{owner}/{repo}/tar.gz/refs/tags/{ref}"
-                path, sha = PluginInstaller.fetch_from_tarball_with_sha(
-                    tar_url_tag, staging_slug, auth_token=auth_token
-                )
-                return path, sha
+                try:
+                    path, sha = PluginInstaller.fetch_from_tarball_with_sha(
+                        tar_url_tag, staging_slug, auth_token=auth_token
+                    )
+                    return path, sha
+                except RuntimeError as tag_err:
+                    # Both branch and tag namespaces exhausted — raise a
+                    # unified error rather than the bare tag 404 so callers
+                    # can distinguish ref-not-found from private-repo auth
+                    # failures. Kept in sync with ``resolve_source`` above.
+                    raise RuntimeError(
+                        f"ref '{ref}' not found in {owner}/{repo} "
+                        f"(tried branches and tags). "
+                        f"Branch: {branch_err}. Tag: {tag_err}."
+                    ) from tag_err
 
         # Plain https:// tarball
         staging_slug = re.sub(r"[^a-zA-Z0-9_-]+", "-", s)[-80:]

dashboard/backend/routes/plugins.py

@@ -2158,7 +2158,10 @@ def serve_widget(slug: str, subpath: str):
 # ---------------------------------------------------------------------------
 
 # Module-level preview cache: key=(slug, source_url), value=(fetched_at_float, result_dict)
-_PREVIEW_CACHE: dict[tuple[str, str], tuple[float, dict]] = {}
+# Cache key: (slug, source_url, has_auth_token). has_auth_token flag prevents
+# leaking private-repo previews to unauthenticated callers — the value of the
+# token is deliberately not part of the key (no secrets in memory indices).
+_PREVIEW_CACHE: dict[tuple[str, str, bool], tuple[float, dict]] = {}
 _PREVIEW_CACHE_LOCK = threading.Lock()
 _PREVIEW_CACHE_TTL = 300  # seconds
 
@@ -2264,7 +2267,9 @@ def _extract_ids_and_entries(manifest: dict) -> dict[str, dict[str, Any]]:
     return added, removed, modified
 
 
-def _compute_preview(slug: str, source_url: str) -> dict:
+def _compute_preview(
+    slug: str, source_url: str, auth_token: str | None = None
+) -> dict:
     """Fetch candidate manifest and compute diff against installed manifest.
 
     Pure read-only: no DB writes, no file writes to plugins/{slug}/.
@@ -2273,6 +2278,12 @@ def _compute_preview(slug: str, source_url: str) -> dict:
     tarball_sha7 derivation: SHA256 of sorted manifest.files SHAs concatenated.
     If manifest.files is empty, falls back to SHA256 of serialized manifest JSON.
     First 7 chars of the hex digest are returned (deterministic, no re-download needed).
+
+    Args:
+        slug: Installed plugin slug.
+        source_url: Candidate source (github:..., https://...).
+        auth_token: Optional GitHub PAT — required for private repos. Sent as
+            ``Authorization: token <pat>`` header by ``resolve_source``.
     """
     from plugin_schema import load_plugin_manifest
     from plugin_loader import PluginInstaller, _parse_version
@@ -2316,7 +2327,7 @@ def _compute_preview(slug: str, source_url: str) -> dict:
 
     # Resolve candidate source (may hit network / tmp — outside the lock)
     try:
-        new_plugin_dir = PluginInstaller.resolve_source(source_url)
+        new_plugin_dir = PluginInstaller.resolve_source(source_url, auth_token=auth_token)
     except ValueError as exc:
         raise ValueError(f"invalid_source: {exc}") from exc
     except RuntimeError as exc:
@@ -2422,6 +2433,11 @@ def preview_plugin_update(slug: str):
     """Read-only diff preview before applying an update.
 
     Query param: ?source=<url>  (defaults to installed source_url when omitted)
+    Optional header ``X-Plugin-Auth-Token``: GitHub PAT required to fetch
+    candidate from a private repository (same semantics as ``auth_token`` on
+    ``POST /api/plugins/preview``). Kept out of the query string so it does
+    not leak into access logs.
+
     Returns 200 with diff JSON (or up_to_date: true).
     Never writes to disk or DB.
     """
@@ -2440,7 +2456,12 @@ def preview_plugin_update(slug: str):
     if not source_url:
         return jsonify({"error": "invalid_source", "message": "No source URL provided and none stored"}), 400
 
-    cache_key = (slug, source_url)
+    # Optional GitHub PAT for private repos (header only — never logged)
+    auth_token = request.headers.get("X-Plugin-Auth-Token") or None
+
+    # Cache key includes auth_token presence (not value) to avoid sharing
+    # private-repo results across unauthenticated requests.
+    cache_key = (slug, source_url, bool(auth_token))
 
     # Cache read — lock only around dict access, not network I/O
     with _PREVIEW_CACHE_LOCK:
@@ -2452,7 +2473,7 @@ def preview_plugin_update(slug: str):
 
     # Cache miss — compute outside lock
     try:
-        result = _compute_preview(slug, source_url)
+        result = _compute_preview(slug, source_url, auth_token=auth_token)
     except ValueError as exc:
         msg = str(exc)
         if msg.startswith("invalid_source:"):
@@ -2543,10 +2564,21 @@ def update_plugin(slug: str):
         data = request.get_json(force=True, silent=True) or {}
         source_url = data.get("source_url", installed_source)
 
+        # Optional GitHub PAT for private repos. Mirrors /api/plugins/install —
+        # body field first, falling back to ``X-Plugin-Auth-Token`` header for
+        # callers that reuse the same header they sent to update/preview.
+        auth_token = (
+            data.get("auth_token")
+            or request.headers.get("X-Plugin-Auth-Token")
+            or None
+        )
+
         # 3. Resolve new plugin source (accepts local path, github:..., https://...)
         from plugin_loader import PluginInstaller
         try:
-            new_plugin_dir = PluginInstaller.resolve_source(source_url)
+            new_plugin_dir = PluginInstaller.resolve_source(
+                source_url, auth_token=auth_token
+            )
         except ValueError as exc:
             return jsonify({"error": "invalid_source", "message": str(exc)}), 400
         except RuntimeError as exc:

dashboard/backend/routes/shares.py

@@ -130,6 +130,41 @@ def list_shares():
     return jsonify({"shares": [s.to_dict() for s in shares]})
 
 
+@bp.route("/api/shares/by-path", methods=["GET"])
+@login_required
+@require_permission("workspace", "manage")
+def get_active_share_by_path():
+    """Return the most recent ACTIVE (enabled + not expired) share for a path,
+    so the UI can reuse it instead of generating a new token every time."""
+    path = (request.args.get("path") or "").strip()
+    if not path:
+        return jsonify({"error": "path is required", "code": "bad_path"}), 400
+
+    if not has_workspace_folder_access(current_user.role, path):
+        return jsonify({"error": "Access to this workspace folder is restricted", "code": "forbidden"}), 403
+
+    now = datetime.now(timezone.utc)
+    candidates = (
+        FileShare.query
+        .filter_by(path=path, enabled=True)
+        .order_by(FileShare.created_at.desc())
+        .all()
+    )
+    for share in candidates:
+        if share.expires_at is not None:
+            expires = share.expires_at
+            if expires.tzinfo is None:
+                expires = expires.replace(tzinfo=timezone.utc)
+            if now > expires:
+                continue
+        base_url = request.host_url.rstrip("/")
+        return jsonify({
+            **share.to_dict(),
+            "url": f"{base_url}/share/{share.token}",
+        })
+    return jsonify({"error": "No active share for this path", "code": "not_found"}), 404
+
+
 @bp.route("/api/shares/<token>", methods=["DELETE"])
 @login_required
 @require_permission("workspace", "manage")