feat(manager): gate Agentic Studio access #917

Open
lumberman wants to merge 3 commits into feat/116-agentic-subtitle-enrichment-workflow from feat/manager-agentic-studio

@lumberman
Collaborator

Summary

Adds Manager-gated access to Agentic Studio without exposing the Studio service as a public app. Manager now owns /dashboard/agentic-studio and /api/agentic-studio/[[...path]], verifies Manager sessions, requires the Manager role, strips browser auth/forwarding headers, injects AGENTIC_OPERATOR_API_KEY server-side, and fails closed when Studio proxy config is missing.

The proxy also hardens the embedded Studio path: private production origins are restricted to agentic-studio.railway.internal, HTML/JSON/JS responses are rewritten away from internal/public Agentic origins, upstream redirects are safely rewritten, upstream cookies are dropped, authenticated responses are private, no-store, and Studio frame subrequests use a short-lived signed frame token instead of exposing the operator key.

What changed

  • Added the Manager Studio dashboard iframe and shell navigation entry.
  • Added the Agentic Studio reverse proxy route and proxy helper.
  • Added Manager env vars for AGENTIC_STUDIO_ORIGIN and AGENTIC_OPERATOR_API_KEY.
  • Documented the private Railway agentic-studio service and no-public-domain deployment model.
  • Added roadmap/plan coverage, including the required Red/Green TDD and user smoke-test expectations.
  • Added follow-up feat-121 for deeper browser-enforced Studio frame isolation hardening.

Validation

  • pnpm --filter @forge/manager test -- src/config/env.test.ts src/lib/agentic-studio-proxy.test.ts src/lib/agentic-automation-dry-run.test.ts src/lib/agentic-subtitle-enrichment.test.ts 'src/app/api/agentic-studio/[[...path]]/route.test.ts' src/app/dashboard/agentic-studio/page.test.ts
  • pnpm --filter @forge/manager typecheck
  • pnpm --filter @forge/manager lint
  • pnpm --filter @forge/manager build
  • pnpm --filter @forge/agentic test
  • pnpm --filter @forge/agentic typecheck
  • pnpm --filter @forge/agentic lint
  • pnpm --filter @forge/agentic build
  • git diff --check

Browser smoke

Using agent-browser against local Manager mock mode and a fake private Studio upstream:

  • Logged-out /dashboard/agentic-studio redirected to /login.
  • Logged-in Manager reached /dashboard/agentic-studio.
  • The embedded Studio loaded through /api/agentic-studio.
  • Studio iframe GET and POST requests both reached the private Studio upstream through the Manager proxy.
  • The browser DOM did not contain AGENTIC_OPERATOR_API_KEY.

Local screenshot evidence: output/playwright/manager-agentic-studio-smoke.png.

🤖 Generated with Compound Engineering
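
The request-side checks the summary describes (session and role gate, fail-closed config, private-origin restriction, header stripping, server-side key injection), as an added example that is not code from this PR. The function and type names, the stripped-header list, the status codes, the `manager` role string and the `Bearer` scheme are assumptions; the env var names and the private host come from the description.

```typescript
// Added example, not the PR's code. Helper names, strip list, status codes, role
// string and Bearer scheme are assumptions; host and env var names are from the PR.
type ProxyEnv = { AGENTIC_STUDIO_ORIGIN?: string; AGENTIC_OPERATOR_API_KEY?: string; NODE_ENV?: string };
type Session = { role: string } | null;
type Plan =
  | { ok: true; url: string; headers: Record<string, string> }
  | { ok: false; status: number };

const PRIVATE_HOST = "agentic-studio.railway.internal";
// Browser credentials and client-controlled routing headers never go upstream.
const STRIP = new Set(["authorization", "cookie", "x-api-key", "forwarded", "host"]);

function planUpstreamRequest(
  env: ProxyEnv, session: Session, path: string, incoming: Record<string, string>
): Plan {
  // 1. Authenticate and authorize before touching any proxy configuration.
  if (!session) return { ok: false, status: 401 };
  if (session.role !== "manager") return { ok: false, status: 403 };

  // 2. Fail closed: missing or malformed config is an error, never a default.
  if (!env.AGENTIC_STUDIO_ORIGIN || !env.AGENTIC_OPERATOR_API_KEY) return { ok: false, status: 503 };
  let origin: URL;
  try { origin = new URL(env.AGENTIC_STUDIO_ORIGIN); } catch (_err) { return { ok: false, status: 503 }; }
  if (env.NODE_ENV === "production" && origin.hostname !== PRIVATE_HOST) {
    return { ok: false, status: 503 };
  }

  // 3. Resolve the catch-all path and confirm it did not change the origin
  //    (URL parsing treats "\" like "/", so "/\host" is scheme-relative).
  const target = new URL("/" + path.replace(/^\/+/, ""), origin);
  if (target.origin !== origin.origin) return { ok: false, status: 400 };

  // 4. Copy only safe headers, then inject the operator key server-side.
  const headers: Record<string, string> = {};
  for (const name of Object.keys(incoming)) {
    const lower = name.toLowerCase();
    if (STRIP.has(lower) || lower.startsWith("x-forwarded-")) continue;
    headers[lower] = incoming[name];
  }
  headers["authorization"] = `Bearer ${env.AGENTIC_OPERATOR_API_KEY}`;
  return { ok: true, url: target.href, headers };
}
```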

@railway-app

railway-app Bot commented May 8, 2026

🚅 Deployed to the forge-pr-917 environment in forge

| Service | Status | Web | Updated (UTC) |
| --- | --- | --- | --- |
| @forge/manager | ✅ Success (View Logs) | | May 8, 2026 at 9:28 pm |
| @forge/roadmap | ✅ Success (View Logs) | | May 8, 2026 at 9:27 pm |
| @forge/cms | ✅ Success (View Logs) | | May 8, 2026 at 9:23 pm |

5 services not affected by this PR
  • @forge/admin/redis
  • @forge/admin/db
  • @forge/web
  • @forge/admin
  • @forge/agentic
