Provision default OpenWork Marketplace#2086
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
2 issues found across 7 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="ee/apps/den-api/src/routes/org/plugin-system/store.ts">
<violation number="1" location="ee/apps/den-api/src/routes/org/plugin-system/store.ts:1682">
P2: Lazy provisioning is racy: concurrent `listMarketplaces` calls can create duplicate default marketplace/plugins due to non-atomic check-then-insert and no unique org+name constraint.</violation>
<violation number="2" location="ee/apps/den-api/src/routes/org/plugin-system/store.ts:1694">
P1: Provisioning selects built-ins by `PluginTable.name`, which can hijack same-named custom plugins into the system marketplace and access policy.</violation>
</file>
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
| .from(PluginTable) | ||
| .where(and( | ||
| eq(PluginTable.organizationId, organizationId), | ||
| eq(PluginTable.name, manifest.name), |
There was a problem hiding this comment.
P1: Provisioning selects built-ins by PluginTable.name, which can hijack same-named custom plugins into the system marketplace and access policy.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At ee/apps/den-api/src/routes/org/plugin-system/store.ts, line 1694:
<comment>Provisioning selects built-ins by `PluginTable.name`, which can hijack same-named custom plugins into the system marketplace and access policy.</comment>
<file context>
@@ -1522,6 +1652,163 @@ export async function listMarketplaces(input: { context: PluginArchActorContext;
+ .from(PluginTable)
+ .where(and(
+ eq(PluginTable.organizationId, organizationId),
+ eq(PluginTable.name, manifest.name),
+ isNull(PluginTable.deletedAt),
+ ))
</file context>
| status: "active" as const, | ||
| updatedAt: now, | ||
| } | ||
| await db.insert(MarketplaceTable).values(marketplaceRow) |
There was a problem hiding this comment.
P2: Lazy provisioning is racy: concurrent listMarketplaces calls can create duplicate default marketplace/plugins due to non-atomic check-then-insert and no unique org+name constraint.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At ee/apps/den-api/src/routes/org/plugin-system/store.ts, line 1682:
<comment>Lazy provisioning is racy: concurrent `listMarketplaces` calls can create duplicate default marketplace/plugins due to non-atomic check-then-insert and no unique org+name constraint.</comment>
<file context>
@@ -1522,6 +1652,163 @@ export async function listMarketplaces(input: { context: PluginArchActorContext;
+ status: "active" as const,
+ updatedAt: now,
+ }
+ await db.insert(MarketplaceTable).values(marketplaceRow)
+ marketplace = marketplaceRow
+ }
</file context>
There was a problem hiding this comment.
1 issue found across 4 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="ee/apps/den-web/app/(den)/_providers/den-flow-provider.tsx">
<violation number="1" location="ee/apps/den-web/app/(den)/_providers/den-flow-provider.tsx:182">
P1: `sessionHydrated` is initialized to `true`, so auth-gated routing can execute before async session refresh completes, causing premature redirects for valid sessions.</violation>
</file>
Reply with feedback, questions, or to request a fix.
Re-trigger cubic
| return token; | ||
| }); | ||
| const [sessionHydrated, setSessionHydrated] = useState(false); | ||
| const [sessionHydrated, setSessionHydrated] = useState(true); |
There was a problem hiding this comment.
P1: sessionHydrated is initialized to true, so auth-gated routing can execute before async session refresh completes, causing premature redirects for valid sessions.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At ee/apps/den-web/app/(den)/_providers/den-flow-provider.tsx, line 182:
<comment>`sessionHydrated` is initialized to `true`, so auth-gated routing can execute before async session refresh completes, causing premature redirects for valid sessions.</comment>
<file context>
@@ -179,7 +179,7 @@ export function DenFlowProvider({ children }: { children: ReactNode }) {
return token;
});
- const [sessionHydrated, setSessionHydrated] = useState(false);
+ const [sessionHydrated, setSessionHydrated] = useState(true);
const [desktopAuthRequested, setDesktopAuthRequested] = useState(false);
const [desktopAuthScheme, setDesktopAuthScheme] = useState("openwork");
</file context>
| const [sessionHydrated, setSessionHydrated] = useState(true); | |
| const [sessionHydrated, setSessionHydrated] = useState(false); |
|
Update after latest docs commit ( Fresh founder-flow artifact URL while the Daytona artifact sandbox is running: Added to
Current caveats remain unchanged:
|
There was a problem hiding this comment.
1 issue found across 4 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".opencode/skills/daytona-flow-validator/SKILL.md">
<violation number="1" location=".opencode/skills/daytona-flow-validator/SKILL.md:157">
P2: The "fail fast" screenshot command does not actually stop on picker detection because `;` allows execution to continue after a failed grep check.</violation>
</file>
Tip: Review your code locally with the cubic CLI to iterate faster.
Re-trigger cubic
| if a picker is present: | ||
|
|
||
| ```bash | ||
| daytona exec "$SANDBOX" -- 'bash -lc '\''DISPLAY=:99 wmctrl -l | tee /tmp/windows-before-shot.txt; ! grep -q "Authorize folder" /tmp/windows-before-shot.txt; DISPLAY=:99 .devcontainer/capture-daytona-screenshot.sh --output /daytona-artifacts/screenshots/<flow>/<step>.png'\''' |
There was a problem hiding this comment.
P2: The "fail fast" screenshot command does not actually stop on picker detection because ; allows execution to continue after a failed grep check.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .opencode/skills/daytona-flow-validator/SKILL.md, line 157:
<comment>The "fail fast" screenshot command does not actually stop on picker detection because `;` allows execution to continue after a failed grep check.</comment>
<file context>
@@ -144,6 +150,18 @@ new screenshot, inspect the new image, and only then share it. If bad evidence
+if a picker is present:
+
+```bash
+daytona exec "$SANDBOX" -- 'bash -lc '\''DISPLAY=:99 wmctrl -l | tee /tmp/windows-before-shot.txt; ! grep -q "Authorize folder" /tmp/windows-before-shot.txt; DISPLAY=:99 .devcontainer/capture-daytona-screenshot.sh --output /daytona-artifacts/screenshots/<flow>/<step>.png'\'''
+```
+
</file context>
| daytona exec "$SANDBOX" -- 'bash -lc '\''DISPLAY=:99 wmctrl -l | tee /tmp/windows-before-shot.txt; ! grep -q "Authorize folder" /tmp/windows-before-shot.txt; DISPLAY=:99 .devcontainer/capture-daytona-screenshot.sh --output /daytona-artifacts/screenshots/<flow>/<step>.png'\''' | |
| daytona exec "$SANDBOX" -- 'bash -lc '\''DISPLAY=:99 wmctrl -l | tee /tmp/windows-before-shot.txt && ! grep -q "Authorize folder" /tmp/windows-before-shot.txt && DISPLAY=:99 .devcontainer/capture-daytona-screenshot.sh --output /daytona-artifacts/screenshots/<flow>/<step>.png'\''' |
|
Latest validation update: the end-to-end Marketplace extension-use path now passes in Daytona. After Den onboarding and desktop Marketplace sync, I created and installed the live |
There was a problem hiding this comment.
2 issues found across 4 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="evals/den-marketplace-guided-onboarding-flow.md">
<violation number="1" location="evals/den-marketplace-guided-onboarding-flow.md:24">
P2: This guidance contradicts the repo eval convention and encourages less reliable interaction methods, which can make recordings/evals flakier.</violation>
</file>
<file name="evals/default-openwork-marketplace-onboarding-flow.md">
<violation number="1" location="evals/default-openwork-marketplace-onboarding-flow.md:33">
P2: The added instruction conflicts with existing eval conventions by preferring UID-based interactions for normal actions, which is less reliable on dynamic React screens.</violation>
</file>
Tip: Review your code locally with the cubic CLI to iterate faster.
Re-trigger cubic
| ## Demo Standard | ||
|
|
||
| - The primary eval artifact must be a full human-visible recording, not a final-state clip. | ||
| - Drive Den Web through Chrome CDP and desktop through Electron CDP using `browser_snapshot`, `browser_click`, and `browser_fill` wherever possible. |
There was a problem hiding this comment.
P2: This guidance contradicts the repo eval convention and encourages less reliable interaction methods, which can make recordings/evals flakier.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At evals/den-marketplace-guided-onboarding-flow.md, line 24:
<comment>This guidance contradicts the repo eval convention and encourages less reliable interaction methods, which can make recordings/evals flakier.</comment>
<file context>
@@ -18,6 +18,15 @@ marketplaces from the app.
+## Demo Standard
+
+- The primary eval artifact must be a full human-visible recording, not a final-state clip.
+- Drive Den Web through Chrome CDP and desktop through Electron CDP using `browser_snapshot`, `browser_click`, and `browser_fill` wherever possible.
+- Show the journey click by click: sign-up, org creation, onboarding, marketplace explanation, desktop handoff, desktop sign-in, Marketplace sync, plugin install, and chat response.
+- Use API calls only for setup that the product UI cannot perform yet, such as creating a deterministic test plugin. Immediately show the resulting plugin in the desktop UI.
</file context>
| ## Demo Standard | ||
|
|
||
| - The primary demo should be a full click-by-click recording through Chrome and Electron, not a recording of the final state after hidden setup. | ||
| - Use `browser_snapshot` UIDs with `browser_click` and `browser_fill` for normal user actions. |
There was a problem hiding this comment.
P2: The added instruction conflicts with existing eval conventions by preferring UID-based interactions for normal actions, which is less reliable on dynamic React screens.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At evals/default-openwork-marketplace-onboarding-flow.md, line 33:
<comment>The added instruction conflicts with existing eval conventions by preferring UID-based interactions for normal actions, which is less reliable on dynamic React screens.</comment>
<file context>
@@ -27,6 +27,15 @@ Marketplace containing built-in OpenWork extension capabilities.
+## Demo Standard
+
+- The primary demo should be a full click-by-click recording through Chrome and Electron, not a recording of the final state after hidden setup.
+- Use `browser_snapshot` UIDs with `browser_click` and `browser_fill` for normal user actions.
+- Use `browser_eval`, direct APIs, localStorage writes, direct URLs, or filesystem checks only when the UI cannot perform the step yet.
+- When a shortcut is used, label it as setup or a product gap and return to a visible UI state before continuing the recording.
</file context>
|
Fresh human-visible Daytona validation completed after runtime fix.\n\nEvidence:\n- Recording: https://8090-d4qz5adl3ytukpri.daytonaproxy01.net/recordings/marketplace-visible-end-to-end-demo.mp4\n- Den sign-up, org creation, guided onboarding, and default Marketplaces shown visibly.\n- Desktop visible folder path created workspace /workspace/visible-demo-workspace.\n- Desktop sign-in completed through the visible paste-link fallback, then org resources showed 2 Marketplaces.\n- Marketplace built-ins rendered as Built-in.\n- Live test plugin Visible Runtime Probe was created via Den API setup, appeared in desktop Marketplace, and installed visibly.\n- Installed skill materialized at /workspace/visible-demo-workspace/.opencode/skills/visible-runtime-probe-plugin/visible-runtime-probe-skill/SKILL.md.\n- Desktop chat runtime responded with VISIBLE_RUNTIME_PROBE_OK.\n\nFix included in this push:\n- 706f2bc fix: start local runtime during onboarding\n\nVerification run:\n- pnpm --filter @openwork/app typecheck: passed |
1 participant
Summary
OpenWork Marketplaceper org with built-in OpenWork extension entriesBuilt-inwithout install/remove actionsValidation
pnpm --filter @openwork-ee/den-api buildpnpm --filter @openwork/app typecheckpnpm --filter @openwork-ee/landing buildpnpm --filter @openwork-ee/den-web buildpnpm --filter @openwork/app exec bun test ./tests/den-extension-projection.test.tsDaytona Evidence
Clean replacement video, verified with no
Authorize foldernative picker windows present before each screenshot:Note: chat send remains blocked in this Daytona sandbox by
OpenCode request failed/ missing opencode runtime wiring. Marketplace sync, built-in display, plugin import, My Extensions state, and workspace file materialization are validated.Founder Journey E2E Recording
Final Daytona recording for the Den-to-desktop Marketplace journey. Verified no native
Authorize folderpicker before screenshots.Caveat: in Daytona, Den Web form submit/deep-link handoff is affected by proxy origin behavior, so the recording uses the validated direct Den API token to bridge from visible Den sign-in to desktop connected state. The desktop Marketplace sync, built-in rendering, live plugin install state, My Extensions state, and materialized workspace file are validated end-to-end.