From d1c9a747b9c89d139c792be29cb42f9da2d107d8 Mon Sep 17 00:00:00 2001
From: Jason Woltje <jason@diversecanvas.com>
Date: Tue, 3 Mar 2026 12:28:50 -0600
Subject: [PATCH 1/3] fix(chat): import ConfigModule in ChatProxyModule

---
 .woodpecker/ci.yml.new                       | 46 ++++++++++++++++++++
 apps/api/src/chat-proxy/chat-proxy.module.ts |  3 +-
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 .woodpecker/ci.yml.new

diff --git a/.woodpecker/ci.yml.new b/.woodpecker/ci.yml.new
new file mode 100644
index 0000000..b2a2c0f
--- /dev/null
+++ b/.woodpecker/ci.yml.new
@@ -0,0 +1,46 @@
+# Add this at the end of the file, replacing the deploy-swarm section
+
+  deploy-swarm:
+    image: alpine:3
+    environment:
+      SSH_PRIVATE_KEY:
+        from_secret: ssh_private_key
+      SSH_KNOWN_HOSTS:
+        from_secret: ssh_known_hosts
+      PORTAINER_URL:
+        from_secret: portainer_url
+      PORTAINER_API_KEY:
+        from_secret: portainer_api_key
+    commands:
+      - apk add --no-cache curl
+      - |
+        set -e
+        echo "🚀 Deploying via Portainer API..."
+        
+        # Redeploy mosaic-stack (ID 121)
+        curl -sk -X POST \
+          -H "X-API-Key: $PORTAINER_API_KEY" \
+          "$PORTAINER_URL/api/stacks/121/git/redeploy" \
+          -H "Content-Type: application/json" \
+          -d '{"prune": false}' || \
+        
+        # Fallback: Force service updates via SSH
+        echo "Trying SSH fallback..."
+        apk add --no-cache openssh-client
+        mkdir -p ~/.ssh
+        echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
+        chmod 600 ~/.ssh/known_hosts
+        echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
+        chmod 600 ~/.ssh/id_ed25519
+        
+        ssh -o StrictHostKeyChecking=no localadmin@10.1.1.45 \
+          "docker service update --force mosaic_api && \
+           docker service update --force mosaic_web && \
+           docker service update --force mosaic_orchestrator && \
+           docker service update --force mosaic_coordinator && \
+           echo '✅ Services updated'"
+    when:
+      - branch: [main]
+        event: [push, manual, tag]
+    depends_on:
+      - link-packages
diff --git a/apps/api/src/chat-proxy/chat-proxy.module.ts b/apps/api/src/chat-proxy/chat-proxy.module.ts
index 245a4eb..78c7938 100644
--- a/apps/api/src/chat-proxy/chat-proxy.module.ts
+++ b/apps/api/src/chat-proxy/chat-proxy.module.ts
@@ -1,4 +1,5 @@
 import { Module } from "@nestjs/common";
+import { ConfigModule } from "@nestjs/config";
 import { AuthModule } from "../auth/auth.module";
 import { AgentConfigModule } from "../agent-config/agent-config.module";
 import { ContainerLifecycleModule } from "../container-lifecycle/container-lifecycle.module";
@@ -7,7 +8,7 @@ import { ChatProxyController } from "./chat-proxy.controller";
 import { ChatProxyService } from "./chat-proxy.service";
 
 @Module({
-  imports: [AuthModule, PrismaModule, ContainerLifecycleModule, AgentConfigModule],
+  imports: [AuthModule, PrismaModule, ContainerLifecycleModule, AgentConfigModule, ConfigModule],
   controllers: [ChatProxyController],
   providers: [ChatProxyService],
   exports: [ChatProxyService],

From 5207d8c0c93a7b160d42e1097ef1994e6a80227b Mon Sep 17 00:00:00 2001
From: Jason Woltje <jason@diversecanvas.com>
Date: Tue, 3 Mar 2026 12:36:01 -0600
Subject: [PATCH 2/3] fix(chat): skip CSRF for guest endpoint

---
 apps/api/src/chat-proxy/chat-proxy.controller.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/apps/api/src/chat-proxy/chat-proxy.controller.ts b/apps/api/src/chat-proxy/chat-proxy.controller.ts
index 763e56d..ad38272 100644
--- a/apps/api/src/chat-proxy/chat-proxy.controller.ts
+++ b/apps/api/src/chat-proxy/chat-proxy.controller.ts
@@ -1,6 +1,7 @@
 import { Body, Controller, HttpException, Logger, Post, Req, Res, UseGuards } from "@nestjs/common";
 import type { Response } from "express";
 import { AuthGuard } from "../auth/guards/auth.guard";
+import { SkipCsrf } from "../common/decorators/skip-csrf.decorator";
 import type { MaybeAuthenticatedRequest } from "../auth/types/better-auth-request.interface";
 import { ChatStreamDto } from "./chat-proxy.dto";
 import { ChatProxyService } from "./chat-proxy.service";
@@ -14,6 +15,7 @@ export class ChatProxyController {
   // POST /api/chat/guest
   // Guest chat endpoint - no authentication required
   // Uses a shared LLM configuration for unauthenticated users
+  @SkipCsrf()
   @Post("guest")
   async guestChat(
     @Body() body: ChatStreamDto,

From 1f883c4c044b835ed5cd4c02a64d500384ce1208 Mon Sep 17 00:00:00 2001
From: Jason Woltje <jason@diversecanvas.com>
Date: Tue, 3 Mar 2026 12:58:00 -0600
Subject: [PATCH 3/3] chore: remove stray file

---
 .woodpecker/ci.yml.new | 46 ------------------------------------------
 1 file changed, 46 deletions(-)
 delete mode 100644 .woodpecker/ci.yml.new

diff --git a/.woodpecker/ci.yml.new b/.woodpecker/ci.yml.new
deleted file mode 100644
index b2a2c0f..0000000
--- a/.woodpecker/ci.yml.new
+++ /dev/null
@@ -1,46 +0,0 @@
-# Add this at the end of the file, replacing the deploy-swarm section
-
-  deploy-swarm:
-    image: alpine:3
-    environment:
-      SSH_PRIVATE_KEY:
-        from_secret: ssh_private_key
-      SSH_KNOWN_HOSTS:
-        from_secret: ssh_known_hosts
-      PORTAINER_URL:
-        from_secret: portainer_url
-      PORTAINER_API_KEY:
-        from_secret: portainer_api_key
-    commands:
-      - apk add --no-cache curl
-      - |
-        set -e
-        echo "🚀 Deploying via Portainer API..."
-        
-        # Redeploy mosaic-stack (ID 121)
-        curl -sk -X POST \
-          -H "X-API-Key: $PORTAINER_API_KEY" \
-          "$PORTAINER_URL/api/stacks/121/git/redeploy" \
-          -H "Content-Type: application/json" \
-          -d '{"prune": false}' || \
-        
-        # Fallback: Force service updates via SSH
-        echo "Trying SSH fallback..."
-        apk add --no-cache openssh-client
-        mkdir -p ~/.ssh
-        echo "$SSH_KNOWN_HOSTS" > ~/.ssh/known_hosts
-        chmod 600 ~/.ssh/known_hosts
-        echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
-        chmod 600 ~/.ssh/id_ed25519
-        
-        ssh -o StrictHostKeyChecking=no localadmin@10.1.1.45 \
-          "docker service update --force mosaic_api && \
-           docker service update --force mosaic_web && \
-           docker service update --force mosaic_orchestrator && \
-           docker service update --force mosaic_coordinator && \
-           echo '✅ Services updated'"
-    when:
-      - branch: [main]
-        event: [push, manual, tag]
-    depends_on:
-      - link-packages