Teams feature + orchestrator availability UX

- Team-scoped data model and authorization: instances, shared folders, backup schedules, and LLM providers are now associated with teams; handlers enforce team membership on all relevant routes
- Frontend: TeamSelector + InstanceTeamPicker, Teams/Members/Providers settings tabs, team-aware queries across pages
- Backend unavailable handling: orchestrator watcher hook, OrchestratorDownToast, BackendUnavailablePage, and shared `utils/http` helper
- Browser image and agent Dockerfile updates (rename to `claworc/<browser>-browser`), helm chart and CI workflow tweaks
- Misc UI polish on Backups, SharedFolders, Skills, Login, Settings, Sidebar, Layout, and Usage pages

Author: Stan Misiurev

.github/workflows/control-plane.yml

@@ -7,6 +7,42 @@ on:
       - '.github/workflows/control-plane.yml'
 
 jobs:
+  migration-check:
+    name: Migration Drift Check
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # need history for the git-diff guard below
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: control-plane/go.mod
+          cache-dependency-path: control-plane/go.sum
+
+      - name: Run migrationcheck (verify migrations cover all models)
+        working-directory: control-plane
+        run: go run ./cmd/migrationcheck
+
+      - name: Guard against model changes without a new migration
+        if: github.event_name == 'pull_request' || github.event_name == 'push'
+        run: |
+          set -euo pipefail
+          # Compare against the merge base on PRs; against the previous commit on push.
+          if [ -n "${GITHUB_BASE_REF:-}" ]; then
+            base="origin/${GITHUB_BASE_REF}"
+            git fetch --no-tags --depth=1 origin "${GITHUB_BASE_REF}"
+          else
+            base="HEAD~1"
+          fi
+          changed_models=$(git diff --name-only "$base"...HEAD -- 'control-plane/internal/database/models/*.go' || true)
+          new_migrations=$(git diff --name-only --diff-filter=A "$base"...HEAD -- 'control-plane/internal/database/migrations/migration_*.go' || true)
+          if [ -n "$changed_models" ] && [ -z "$new_migrations" ]; then
+            echo "ERROR: models.go changed but no new migration_*.go was added."
+            echo "       Run 'make migration' from control-plane/ to author one."
+            exit 1
+          fi
+
   unit:
     name: Unit Tests
     runs-on: ubuntu-latest
@@ -112,7 +148,7 @@ jobs:
   push-manifest:
     name: Push Manifest
     if: github.ref == 'refs/heads/main'
-    needs: [unit, integration, build-amd64, build-arm64]
+    needs: [migration-check, unit, integration, build-amd64, build-arm64]
     runs-on: ubuntu-latest
     steps:
       - uses: docker/setup-buildx-action@v3

agent/browser/Dockerfile.base

@@ -8,15 +8,15 @@ ARG NOVNC_VERSION=1.4.0
 ARG WEBSOCKIFY_VERSION=0.12.0
 
 # Browser-only base image: Xvfb + TigerVNC + noVNC + openbox + stealth
-# extension + sshd. NO OpenClaw, NO cron — those live in glukw/claworc-agent.
+# extension + sshd. NO OpenClaw, NO cron — those live in claworc/openclaw.
 #
 # CDP listens on 127.0.0.1:9222 and noVNC on 127.0.0.1:3000 (loopback only —
 # Chromium 134+ silently refuses non-loopback DevTools binding). Externally,
 # the only reachable port is sshd on 22; the control plane SSHes in and uses
 # ssh.Client.Dial to reach 127.0.0.1:9222 / 127.0.0.1:3000.
 #
-# Published as glukw/claworc-browser-base:latest. The variant images
-# (glukw/claworc-browser-{chromium,chrome,brave}) FROM this and add the
+# Published as claworc/base-browser:latest. The variant images
+# (claworc/{chromium,chrome,brave}-browser) FROM this and add the
 # specific browser package.
 
 RUN useradd -m -u 1000 -s /bin/bash claworc

agent/browser/Dockerfile.brave

@@ -1,4 +1,4 @@
-ARG BASE_IMAGE=glukw/claworc-browser-base:latest
+ARG BASE_IMAGE=claworc/base-browser:latest
 FROM ${BASE_IMAGE}
 
 # brave-browser is amd64-only on Linux. Fail fast on other arches.

agent/browser/Dockerfile.chrome

@@ -1,4 +1,4 @@
-ARG BASE_IMAGE=glukw/claworc-browser-base:latest
+ARG BASE_IMAGE=claworc/base-browser:latest
 FROM ${BASE_IMAGE}
 
 # google-chrome-stable is amd64-only on Linux. Fail fast on other arches so

agent/browser/Dockerfile.chromium

@@ -1,4 +1,4 @@
-ARG BASE_IMAGE=glukw/claworc-browser-base:latest
+ARG BASE_IMAGE=claworc/base-browser:latest
 FROM ${BASE_IMAGE}
 
 RUN apt-get update && \

agent/instance/Dockerfile

@@ -6,11 +6,11 @@ ARG USE_CHINA_MIRRORS=false
 ARG OPENCLAW_VERSION=latest
 
 # Slim agent image: OpenClaw + sshd + cron only. The browser (Chromium /
-# Chrome / Brave) and the VNC stack live in glukw/claworc-browser-* images
+# Chrome / Brave) and the VNC stack live in claworc/<browser>-browser images
 # launched on demand by the control plane; this image has none of those
 # packages.
 #
-# Published as glukw/claworc-agent:latest. New instances created via the
+# Published as claworc/openclaw:latest. New instances created via the
 # control-plane API default to this image; legacy instances continue to pull
 # the old combined glukw/openclaw-vnc-* images already in the registry.
 

control-plane/frontend/src/App.tsx

@@ -5,6 +5,7 @@ import CreateInstancePage from "./pages/CreateInstancePage";
 import InstanceDetailPage from "./pages/InstanceDetailPage";
 import SettingsPage from "./pages/SettingsPage";
 import LoginPage from "./pages/LoginPage";
+import BackendUnavailablePage from "./pages/BackendUnavailablePage";
 import UsersPage from "./pages/UsersPage";
 import TeamsPage from "./pages/TeamsPage";
 import UsagePage from "./pages/UsagePage";
@@ -18,30 +19,40 @@ import KanbanPage from "./pages/KanbanPage";
 import { useAuth } from "./contexts/AuthContext";
 
 function ProtectedRoute({ children }: { children: React.ReactNode }) {
-  const { user, isLoading } = useAuth();
+  const { user, isLoading, isBackendUnavailable } = useAuth();
   if (isLoading) return null;
+  if (isBackendUnavailable) return <BackendUnavailablePage />;
   if (!user) return <Navigate to="/login" replace />;
   return <>{children}</>;
 }
 
 function AdminRoute({ children }: { children: React.ReactNode }) {
-  const { isAdmin, isLoading } = useAuth();
+  const { isAdmin, isLoading, isBackendUnavailable } = useAuth();
   if (isLoading) return null;
+  if (isBackendUnavailable) return <BackendUnavailablePage />;
   if (!isAdmin) return <Navigate to="/" replace />;
   return <>{children}</>;
 }
 
+function LoginRoute() {
+  const { isBackendUnavailable, isLoading } = useAuth();
+  if (isLoading) return null;
+  if (isBackendUnavailable) return <BackendUnavailablePage />;
+  return <LoginPage />;
+}
+
 function InstanceCreatorRoute({ children }: { children: React.ReactNode }) {
-  const { canCreateInstances, isLoading } = useAuth();
+  const { canCreateInstances, isLoading, isBackendUnavailable } = useAuth();
   if (isLoading) return null;
+  if (isBackendUnavailable) return <BackendUnavailablePage />;
   if (!canCreateInstances) return <Navigate to="/" replace />;
   return <>{children}</>;
 }
 
 export default function App() {
   return (
     <Routes>
-      <Route path="/login" element={<LoginPage />} />
+      <Route path="/login" element={<LoginRoute />} />
       <Route
         path="/instances/:id/vnc"
         element={
@@ -113,9 +124,9 @@ export default function App() {
         <Route
           path="/skills"
           element={
-            <AdminRoute>
+            <ProtectedRoute>
               <SkillsPage />
-            </AdminRoute>
+            </ProtectedRoute>
           }
         />
         <Route

control-plane/frontend/src/api/backups.ts

@@ -28,8 +28,17 @@ export async function fetchInstanceBackups(
   return data;
 }
 
-export async function fetchAllBackups(): Promise<Backup[]> {
-  const { data } = await client.get<Backup[]>("/backups");
+export interface BackupsPage {
+  backups: Backup[];
+  total: number;
+  limit: number;
+  offset: number;
+}
+
+export async function fetchAllBackups(
+  params: { limit: number; offset: number; instance?: string },
+): Promise<BackupsPage> {
+  const { data } = await client.get<BackupsPage>("/backups", { params });
   return data;
 }
 

control-plane/frontend/src/api/health.ts

@@ -1,9 +1,35 @@
 import axios from "axios";
 
-interface HealthResponse {
+export type OrchestratorReason =
+  | "daemon_unreachable"
+  | "client_error"
+  | "config_missing"
+  | "namespace_missing"
+  | "invalid_setting"
+  | "unavailable"
+  | "unknown"
+  | "";
+
+export interface BackendAttempt {
+  backend: string;
+  ok: boolean;
+  reason?: OrchestratorReason;
+  message?: string;
+  at: string;
+}
+
+export interface OrchestratorStatus {
+  backend: "kubernetes" | "docker" | "none";
+  available: boolean;
+  last_attempt: string;
+  attempts?: BackendAttempt[];
+}
+
+export interface HealthResponse {
   status: string;
   orchestrator: "connected" | "disconnected";
   orchestrator_backend: "kubernetes" | "docker" | "none";
+  orchestrator_status?: OrchestratorStatus;
   database: string;
   build_date?: string;
 }
@@ -12,3 +38,10 @@ export async function fetchHealth(): Promise<HealthResponse> {
   const { data } = await axios.get<HealthResponse>("/health");
   return data;
 }
+
+export async function reinitializeOrchestrator(): Promise<OrchestratorStatus> {
+  const { data } = await axios.post<OrchestratorStatus>(
+    "/api/v1/orchestrator/reinitialize",
+  );
+  return data;
+}

control-plane/frontend/src/api/sharedFolders.ts

@@ -6,6 +6,7 @@ export interface SharedFolder {
   mount_path: string;
   owner_id: number;
   instance_ids: number[];
+  team_ids: number[];
   created_at: string;
 }
 
@@ -29,7 +30,12 @@ export async function getSharedFolder(id: number): Promise<SharedFolder> {
 
 export async function updateSharedFolder(
   id: number,
-  data: { name?: string; mount_path?: string; instance_ids?: number[] },
+  data: {
+    name?: string;
+    mount_path?: string;
+    instance_ids?: number[];
+    team_ids?: number[];
+  },
 ): Promise<void> {
   await client.put(`/shared-folders/${id}`, data);
 }