feat(ui): populate agent env from connection envMappings on grant

When a user grants a connection (e.g. Google Drive) in the Configure
Agent dialog, any envMappings OneCLI declared for that app get appended
to the agent's editable env list. The user can then edit or remove the
entries like any other custom env var. On ungrant, entries that are
still untouched (name + value match the declared mapping) and not
required by any other still-granted app are removed automatically.

Requires OneCLI 0.0.20+ which adds `envMappings` as a first-class field
on the app registry and returns it on `GET /api/connections`
(kagenti/onecli#16).

Why this over storing envs on the connection itself: envs belong with
the agent (that's the K8s resource that consumes them), and users may
reasonably want to tweak the env name or remove a mapping for a
specific agent without losing the grant. Humr has zero provider
knowledge — the env-injection contract lives in OneCLI next to the
OAuth config for each app.

- api-server-api: `AppConnectionView.envMappings?` for UI consumption
- api-server: passes through OneCLI's joined envMappings verbatim on
  `connections.list`; tests use a fictional provider fixture so they
  don't couple to any specific provider
- ui: `EditAgentSecretsDialog.toggleApp` appends new app's envMappings
  to the agent env list on first grant (dedupe by env name — user-set
  wins); on ungrant removes entries only if they match the declared
  mapping and no other still-granted app declares the same envName
- ui: `ConnectorsView` displays env names on each connection row so
  users can see what a grant will contribute
- deploy: bump OneCLI image to 0.0.20
- docs: google-workspace README describes the new grant-time flow

Signed-off-by: Matous Havlena <havlenma@gmail.com>

Author: matoushavlena

deploy/helm/humr/values.yaml

@@ -40,7 +40,7 @@ postgres:
 # -- OneCLI (credential proxy — gateway + web run in a single container)
 onecli:
   # Single Docker image containing both Rust gateway and Node.js web app
-  image: ghcr.io/kagenti/onecli:0.0.19
+  image: ghcr.io/kagenti/onecli:0.0.20
   replicas: 1
 
   # -- Override the external hostname for OneCLI (empty = onecli.{{ domain }}).

packages/agents/google-workspace/README.md

@@ -42,13 +42,13 @@ A Humr agent template with the [Google Workspace CLI (`gws`)](https://github.com
 
 The agent authenticates to Google APIs through Humr's credential injection:
 
-1. The agent template sets `GOOGLE_WORKSPACE_CLI_TOKEN=humr:sentinel` in the pod environment
+1. When you grant a `gmail` or `google-drive` connection in the agent's Configure dialog, Humr auto-populates `GOOGLE_WORKSPACE_CLI_TOKEN=humr:sentinel` into the agent's editable env list. You can edit or remove it like any custom env var.
 2. When `gws` makes a request to `*.googleapis.com`, it sends `Authorization: Bearer humr:sentinel`
 3. The request goes through OneCLI's MITM proxy (`HTTPS_PROXY`)
 4. OneCLI recognizes the sentinel and replaces it with the real Bearer token
 5. Google receives a valid access token
 
-The agent never sees your real Google credentials.
+The agent never sees your real Google credentials. OneCLI's app registry declares which env var each provider needs; Humr reads it and populates the agent env on grant.
 
 ## Token Lifecycle
 

packages/api-server-api/src/modules/connections/types.ts

@@ -1,3 +1,5 @@
+import type { EnvMapping } from "../secrets/types.js";
+
 export type AppConnectionStatus =
   | "connected"
   | "expired"
@@ -12,6 +14,12 @@ export interface AppConnectionView {
   identity?: string;
   scopes?: string[];
   connectedAt?: string;
+  /**
+   * Pod envs contributed by this connection. Declared by OneCLI's app
+   * registry (see the matching `AppDefinition.envMappings` field) and
+   * returned verbatim on `GET /api/connections` — Humr never writes this.
+   */
+  envMappings?: EnvMapping[];
 }
 
 export interface AgentAppConnections {

packages/api-server/src/__tests__/unit/connections-service.test.ts

@@ -73,40 +73,64 @@ describe("extractIdentity", () => {
 });
 
 describe("ConnectionsService.list", () => {
+  // Fixture uses a fictional provider — this service is provider-agnostic and
+  // just passes OneCLI's joined fields through to the view shape.
   const conn: OnecliAppConnection = {
     id: "c-1",
-    provider: "gmail",
-    providerName: "Gmail",
+    provider: "acme-app",
+    providerName: "Acme App",
     label: "user@example.com",
     status: "connected",
-    scopes: ["openid"],
+    scopes: ["read"],
     metadata: { email: "user@example.com" },
     connectedAt: "2026-04-17T00:00:00Z",
+    envMappings: [{ envName: "ACME_TOKEN", placeholder: "test-placeholder" }],
   };
 
-  it("uses OneCLI's providerName as the label, with identity as subtitle", async () => {
+  it("uses OneCLI's providerName as the label, with identity as subtitle, and passes through envMappings", async () => {
     const svc = createConnectionsService({
       port: makePort({ listAppConnections: async () => [conn] }),
     });
     const rows = await svc.list();
     expect(rows).toEqual([
       {
         id: "c-1",
-        provider: "gmail",
-        label: "Gmail",
+        provider: "acme-app",
+        label: "Acme App",
         status: "connected",
         identity: "user@example.com",
-        scopes: ["openid"],
+        scopes: ["read"],
         connectedAt: "2026-04-17T00:00:00Z",
+        envMappings: [{ envName: "ACME_TOKEN", placeholder: "test-placeholder" }],
       },
     ]);
   });
 
+  it("omits envMappings when the OneCLI response has none (provider lacks declared envs)", async () => {
+    const svc = createConnectionsService({
+      port: makePort({
+        listAppConnections: async () => [{ ...conn, envMappings: null }],
+      }),
+    });
+    const rows = await svc.list();
+    expect(rows[0]).not.toHaveProperty("envMappings");
+  });
+
+  it("omits envMappings when the array is empty", async () => {
+    const svc = createConnectionsService({
+      port: makePort({
+        listAppConnections: async () => [{ ...conn, envMappings: [] }],
+      }),
+    });
+    const rows = await svc.list();
+    expect(rows[0]).not.toHaveProperty("envMappings");
+  });
+
   it("falls back to OneCLI label then provider id when providerName is missing", async () => {
     const svc = createConnectionsService({
       port: makePort({
         listAppConnections: async () => [
-          // older OneCLI (<0.0.14) — providerName absent entirely
+          // older OneCLI — providerName absent entirely
           { ...conn, providerName: undefined, label: "user@example.com" },
           // registry orphan — providerName explicitly null
           { ...conn, id: "c-2", providerName: null, label: null },
@@ -117,8 +141,8 @@ describe("ConnectionsService.list", () => {
     });
     const rows = await svc.list();
     expect(rows[0].label).toBe("user@example.com");
-    expect(rows[1].label).toBe("gmail");
-    expect(rows[2].label).toBe("gmail");
+    expect(rows[1].label).toBe("acme-app");
+    expect(rows[2].label).toBe("acme-app");
   });
 
   it("omits optional scopes and connectedAt when absent", async () => {

packages/api-server/src/modules/connections/infrastructure/onecli-connections-port.ts

@@ -1,10 +1,11 @@
+import type { EnvMapping } from "api-server-api";
 import type { OnecliClient } from "../../../onecli.js";
 
 /**
- * Row shape of OneCLI's `GET /api/connections` (>= onecli 0.0.14). Optional
- * fields are not narrowed — the service layer normalizes. `providerName` is
- * the app's display name from the registry (e.g. "Google Drive"); `label` is
- * the user's *identity* (email/username from metadata).
+ * Row shape of OneCLI's `GET /api/connections`. Optional fields are not
+ * narrowed — the service layer normalizes. `providerName` and `envMappings`
+ * are both joined server-side from OneCLI's app registry (display name +
+ * pod-env contract); the consumer never writes them.
  */
 export interface OnecliAppConnection {
   id: string;
@@ -15,6 +16,7 @@ export interface OnecliAppConnection {
   scopes?: string[] | null;
   connectedAt?: string | null;
   metadata?: Record<string, unknown> | null;
+  envMappings?: EnvMapping[] | null;
 }
 
 export interface OnecliAgent {

packages/api-server/src/modules/connections/services/connections-service.ts

@@ -42,9 +42,8 @@ export function createConnectionsService(deps: {
 }): ConnectionsService {
   return {
     async list() {
-      // OneCLI >= 0.0.14 returns `providerName` populated from the app
-      // registry (e.g. "Google Drive"). `label` is the user's identity
-      // (email/username) — correct as a subtitle, wrong as a title.
+      // OneCLI returns `providerName` and `envMappings` joined from the app
+      // registry — provider-specific knowledge lives there, not here.
       const raw = await deps.port.listAppConnections();
       return raw
         .filter((c) => typeof c.id === "string" && typeof c.provider === "string")
@@ -56,6 +55,9 @@ export function createConnectionsService(deps: {
           identity: extractIdentity(c.metadata) || c.label?.trim() || undefined,
           ...(c.scopes ? { scopes: c.scopes } : {}),
           ...(c.connectedAt ? { connectedAt: c.connectedAt } : {}),
+          ...(c.envMappings && c.envMappings.length > 0
+            ? { envMappings: c.envMappings }
+            : {}),
         }));
     },
 

packages/ui/src/dialogs/edit-agent-secrets-dialog.tsx

@@ -90,7 +90,50 @@ export function EditAgentSecretsDialog({
   const toggleApp = (id: string) =>
     setAssignedAppIds((p) => {
       const n = new Set(p);
-      n.has(id) ? n.delete(id) : n.add(id);
+      const app = apps.find((a) => a.id === id);
+      if (n.has(id)) {
+        n.delete(id);
+        // On ungrant, remove envs this app contributed *only if* they're still
+        // untouched (name + value match the declared mapping) AND no other
+        // still-granted app declares the same envName. Either condition failing
+        // means we must keep the entry: edited values are user intent; shared
+        // envs (e.g. Gmail + Drive both want GOOGLE_WORKSPACE_CLI_TOKEN) are
+        // still needed by the remaining grant.
+        const mappings = app?.envMappings ?? [];
+        if (mappings.length > 0) {
+          const stillNeededNames = new Set(
+            apps
+              .filter((a) => n.has(a.id))
+              .flatMap((a) => a.envMappings ?? [])
+              .map((m) => m.envName),
+          );
+          const removable = new Map(
+            mappings
+              .filter((m) => !stillNeededNames.has(m.envName))
+              .map((m) => [m.envName, m.placeholder] as const),
+          );
+          if (removable.size > 0) {
+            setEnvVars((prev) =>
+              prev.filter(
+                (e) => !(removable.has(e.name) && removable.get(e.name) === e.value),
+              ),
+            );
+          }
+        }
+      } else {
+        n.add(id);
+        // On first grant, copy the app's declared envMappings into the editable
+        // env list so the user can see what's being injected and adjust if
+        // needed. Skip entries whose name is already present (user-set wins).
+        const existing = new Set(envVars.map((e) => e.name));
+        const toAdd = (app?.envMappings ?? []).filter((m) => !existing.has(m.envName));
+        if (toAdd.length > 0) {
+          setEnvVars((prev) => [
+            ...prev,
+            ...toAdd.map((m) => ({ name: m.envName, value: m.placeholder })),
+          ]);
+        }
+      }
       return n;
     });
 

packages/ui/src/views/connections-view.tsx

@@ -223,6 +223,14 @@ export function ConnectionsView() {
                         : c.connectedAt
                           ? `Connected ${new Date(c.connectedAt).toLocaleDateString()}`
                           : c.provider}
+                      {c.envMappings && c.envMappings.length > 0 && (
+                        <>
+                          {" · "}
+                          <span className="text-accent">
+                            {c.envMappings.map((m) => m.envName).join(", ")}
+                          </span>
+                        </>
+                      )}
                     </div>
                   </div>
                   <AppStatusPill status={c.status} size="md" />