fix(#411): complete auth/frontend remediation and review hardening #421

Merged
jason.woltje merged 8 commits from fix/auth-frontend-remediation into develop 2026-02-17 21:24:14 +00:00
Owner

Summary

  • complete the 2026-02-17 remediation sweep across code review, security, and QA findings (REV-2026-001..REV-2026-008), including RLS boundary enforcement in TasksService, orchestrator agent BFF proxying in web, test hermeticity fixes, and deterministic frontend test cleanup
  • harden production dependency tree with patched transitive overrides (request -> @cypress/request, qs, tough-cookie, ajv) and refresh lockfile to clear audit findings
  • apply orchestrator/runtime hardening and repo rails alignment (sandbox default network none, session lifecycle hooks, standards path normalization) plus Node 24 baseline updates included on this branch

Verification

  • pnpm lint
  • pnpm typecheck
  • pnpm test
  • pnpm audit --prod --json

All commands pass on this branch.

jason.woltje added 5 commits 2026-02-17 20:23:46 +00:00
chore: upgrade Node.js runtime to v24 across codebase
All checks were successful
ci/woodpecker/push/orchestrator Pipeline was successful
ci/woodpecker/push/api Pipeline was successful
ci/woodpecker/push/web Pipeline was successful
8961f5b18c
- Update .woodpecker/codex-review.yml: node:22-slim → node:24-slim
- Update packages/cli-tools engines: >=18 → >=24.0.0
- Update README.md, CONTRIBUTING.md, prerequisites docs to reference Node 24+
- Rename eslint.config.js → eslint.config.mjs to eliminate Node 24
  MODULE_TYPELESS_PACKAGE_JSON warnings (ESM detection overhead)
- Add .nvmrc targeting Node 24
- Fix pre-existing no-unsafe-return lint error in matrix-room.service.ts
- Add Campsite Rule to CLAUDE.md
- Regenerate Prisma client for Node 24 compatibility

All Dockerfiles and main CI pipelines already used node:24. This commit
aligns the remaining stragglers (codex-review CI, cli-tools engines,
documentation) and resolves Node 24 ESM module detection warnings.

Quality gates: lint, typecheck, tests (6 pre-existing API failures)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Apply RLS context at task service boundaries, harden orchestrator/web integration and session startup behavior, re-enable targeted frontend tests, and lock vulnerable transitive dependencies so QA and security gates pass cleanly.
docs(#411): normalize AGENTS standards paths
Some checks failed
ci/woodpecker/push/orchestrator Pipeline failed
ci/woodpecker/push/api Pipeline failed
ci/woodpecker/push/web Pipeline failed
ad428598a9
jason.woltje added the api, api, auth, orchestrator, security, testing, web labels 2026-02-17 20:24:29 +00:00
jason.woltje self-assigned this 2026-02-17 20:24:30 +00:00
jason.woltje added this to the MVP-Migration (0.1.0 MVP) milestone 2026-02-17 20:24:30 +00:00
jason.woltje added 1 commit 2026-02-17 20:29:07 +00:00
fix(#411): resolve CI lint crash from ajv override
All checks were successful
ci/woodpecker/push/orchestrator Pipeline was successful
ci/woodpecker/push/web Pipeline was successful
ci/woodpecker/push/api Pipeline was successful
57d0f5d2a3
Drop the global ajv override that forced ESLint onto an incompatible major, then move @mosaic/config lint tooling deps to devDependencies so production audit stays clean without impacting runtime deps.
jason.woltje added 1 commit 2026-02-17 20:36:02 +00:00
Merge branch 'develop' into fix/auth-frontend-remediation
Some checks failed
ci/woodpecker/push/infra Pipeline was successful
ci/woodpecker/push/orchestrator Pipeline was successful
ci/woodpecker/push/coordinator Pipeline was successful
ci/woodpecker/push/web Pipeline failed
ci/woodpecker/push/api Pipeline was successful
af113707d9
jason.woltje added 1 commit 2026-02-17 21:17:11 +00:00
fix(web-tests): stabilize async auth and usage page assertions
All checks were successful
ci/woodpecker/push/web Pipeline was successful
758b2a839b
jason.woltje merged commit 35dd623ab5 into develop 2026-02-17 21:24:14 +00:00
jason.woltje deleted branch fix/auth-frontend-remediation 2026-02-17 21:24:14 +00:00