mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix(#180): Update pnpm to 10.27.0 in Dockerfiles

Browse Source 
Updated pnpm version from 10.19.0 to 10.27.0 to fix HIGH severity
vulnerabilities (CVE-2025-69262, CVE-2025-69263, CVE-2025-6926).

Changes:
- apps/api/Dockerfile: line 8
- apps/web/Dockerfile: lines 8 and 81

Fixes #180
This commit is contained in:
Jason Woltje
2026-02-01 20:52:43 -06:00
parent 6c065a79e6
commit a5416e4a66
15 changed files with 7175 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

186
docs/reports/m4.2-implementation-plan.md Normal file
View File

@@ -0,0 +1,186 @@
# M4.2-Infrastructure Implementation Plan
**Milestone:** M4.2-Infrastructure (0.0.4)
**Date:** 2026-02-01
**Orchestrator:** Claude Opus 4.5
## Issue Summary
| Issue | Title | Phase | Priority | Depends On | Est. Tokens | Model |
| ----- | ------------------------------------------------- | ----- | -------- | ---------- | ----------- | ------ |
| #162 | [EPIC] Mosaic Component Architecture | - | - | All | 0 | manual |
| #163 | [INFRA-001] Add BullMQ dependencies | 1 | p0 | none | 15,000 | haiku |
| #164 | [INFRA-002] Database schema for job tracking | 1 | p0 | none | 40,000 | sonnet |
| #165 | [INFRA-003] BullMQ module setup | 1 | p0 | #163 | 45,000 | sonnet |
| #166 | [INFRA-004] Stitcher module structure | 2 | p0 | #165 | 50,000 | sonnet |
| #167 | [INFRA-005] Runner jobs CRUD and queue submission | 2 | p0 | #164, #165 | 55,000 | sonnet |
| #168 | [INFRA-006] Job steps tracking | 2 | p0 | #164, #167 | 45,000 | sonnet |
| #169 | [INFRA-007] Job events and audit logging | 2 | p0 | #164, #167 | 55,000 | sonnet |
| #170 | [INFRA-008] mosaic-bridge module for Discord | 3 | p1 | #166 | 55,000 | sonnet |
| #171 | [INFRA-009] Chat command parsing | 3 | p1 | #170 | 40,000 | sonnet |
| #172 | [INFRA-010] Herald status updates | 3 | p1 | #169, #170 | 50,000 | sonnet |
| #173 | [INFRA-011] WebSocket gateway for job events | 4 | p1 | #169 | 45,000 | sonnet |
| #174 | [INFRA-012] SSE endpoint for CLI consumers | 4 | p1 | #169 | 40,000 | sonnet |
| #175 | [INFRA-013] End-to-end test harness | 5 | p0 | Phase 1-4 | 65,000 | sonnet |
| #176 | [INFRA-014] Integration with M4.1 coordinator | 5 | p0 | All M4.2 | 75,000 | opus |
| #179 | fix(security): Update Node.js dependencies | - | HIGH | none | 12,000 | haiku |
| #180 | fix(security): Update pnpm in Dockerfiles | - | HIGH | none | 10,000 | haiku |
| #181 | fix(security): Update Go stdlib in postgres | - | HIGH | none | 15,000 | haiku |
**Total Estimated Tokens:** ~712,000
## Dependency Graph
```
Phase 1: Core Infrastructure (Foundation)
┌───────────────────────────────────────────────────────────────┐
│ │
│ #163 BullMQ deps ──────┬──► #165 BullMQ module │
│ │ │
│ #164 Database schema ──┼──────────────────────────────────►│
│ │ │
│ #179,#180,#181 ◄───────┴─── Security (parallel anytime) │
│ │
└───────────────────────────────────────────────────────────────┘
Phase 2: Stitcher Service
┌───────────────────────────────────────────────────────────────┐
│ │
│ #165 ──► #166 Stitcher module ──────────────────────────► │
│ │
│ #164,#165 ──► #167 Runner jobs CRUD ──┬──► #168 Job steps │
│ │ │
│ └──► #169 Job events │
│ │
└───────────────────────────────────────────────────────────────┘
Phase 3: Chat Integration Phase 4: Real-time Status
┌──────────────────────────┐ ┌────────────────────────────┐
│ │ │ │
│ #166 ──► #170 Bridge │ │ #169 ──► #173 WebSocket │
│ │ │ │ │ │
│ ▼ │ │ └──► #174 SSE │
│ #171 Parser │ │ │
│ │ │ │ │
│ └──┬──► #172 │ │ │
│ #169 ─────┘ Herald │ │ │
│ │ │ │
└──────────────────────────┘ └────────────────────────────┘
Phase 5: Integration
┌───────────────────────────────────────────────────────────────┐
│ │
│ All Phase 1-4 ──► #175 E2E test harness │
│ │
│ All M4.2 ──► #176 Integration with M4.1 coordinator │
│ │
│ All complete ──► #162 EPIC (close) │
│ │
└───────────────────────────────────────────────────────────────┘
```
## Execution Plan (2 Parallel Agents Max)
### Wave 0: Security (Can run first, independent)
| Agent A | Agent B |
| ----------------- | --------------------- |
| #179 Node.js deps | #180 pnpm Dockerfiles |
| #181 Go stdlib | - |
### Wave 1: Foundation (Phase 1)
| Agent A | Agent B |
| ------------------ | -------------------- |
| #163 BullMQ deps | #164 Database schema |
| #165 BullMQ module | (wait for #163) |
### Wave 2: Stitcher Core (Phase 2, Part 1)
| Agent A | Agent B |
| -------------------- | --------------------- |
| #166 Stitcher module | #167 Runner jobs CRUD |
### Wave 3: Stitcher Events (Phase 2, Part 2)
| Agent A | Agent B |
| -------------- | --------------- |
| #168 Job steps | #169 Job events |
### Wave 4: Chat + Real-time (Phase 3 + 4)
| Agent A | Agent B |
| ------------------- | ---------------------- |
| #170 Bridge module | #173 WebSocket gateway |
| #171 Command parser | #174 SSE endpoint |
### Wave 5: Herald + E2E Setup
| Agent A | Agent B |
| ------------------- | ----------------------------- |
| #172 Herald updates | #175 E2E test harness (start) |
### Wave 6: Integration (Phase 5)
| Agent A | Agent B |
| ----------------- | --------------------- |
| #175 E2E complete | #176 M4.1 integration |
### Wave 7: Closure
| Agent A | Agent B |
| --------------- | ------------------ |
| Close #162 EPIC | Final verification |
## Quality Gates (Mandatory - Cannot Be Bypassed)
Every issue must pass:
1. **Unit Tests** - TDD required, minimum 85% coverage
2. **Type Check** - `pnpm typecheck` must pass
3. **Lint** - `pnpm lint` must pass
4. **Build** - `pnpm build` must pass
5. **Code Review** - Independent agent review before merge
6. **QA Verification** - Functional testing by separate agent
## Agent Protocol
1. **Before starting:** Read issue details, check dependencies are complete
2. **Create scratchpad:** `docs/scratchpads/{issue#}-{short-name}.md`
3. **Follow TDD:** Write tests first (RED), implement (GREEN), refactor
4. **Commit format:** `<type>(#{issue}): description`
5. **Quality gates:** Run all gates before marking complete
6. **Code review:** Request independent review
7. **Close issue:** Add completion comment with summary
## Orchestrator Checkpoints
- [ ] Wave 0 complete (security)
- [ ] Wave 1 complete (foundation)
- [ ] Wave 2 complete (stitcher core)
- [ ] Wave 3 complete (stitcher events)
- [ ] Wave 4 complete (chat + real-time)
- [ ] Wave 5 complete (herald + E2E setup)
- [ ] Wave 6 complete (integration)
- [ ] Wave 7 complete (closure)
- [ ] All issues closed
- [ ] EPIC #162 closed
- [ ] Token tracking report finalized
## Risk Mitigation
1. **Dependency conflicts:** BullMQ + existing ioredis - Agent must verify compatibility
2. **Schema migrations:** Test on dev database before production
3. **Discord API rate limits:** Implement proper throttling in bridge module
4. **WebSocket scaling:** Design for horizontal scaling from start
5. **Integration complexity:** Phase 5 may require opus-level reasoning
## Notes
- Maximum 2 parallel agents to prevent merge conflicts
- All agents must pull latest before starting work
- Coordinate via git commits, not direct communication
- Security issues are HIGH priority but don't block feature work

316
docs/reports/m4.2-token-tracking.md Normal file
View File

@@ -0,0 +1,316 @@
# M4.2-Infrastructure Token Usage Tracking
**Milestone:** M4.2-Infrastructure (0.0.4)
**Total Issues:** 18 (1 EPIC, 3 security, 14 implementation)
**Total Estimated Budget:** ~712,000 tokens
## Individual Issue Tracking
### Issue 162 - [EPIC] Mosaic Component Architecture
- **Estimate:** 0 tokens (tracker only)
- **Actual:** N/A
- **Variance:** N/A
- **Agent ID:** manual
- **Status:** pending (closes when all child issues complete)
- **Notes:** Parent issue tracking all INFRA issues
---
### Issue 163 - [INFRA-001] Add BullMQ dependencies
- **Estimate:** 15,000 tokens (haiku)
- **Actual:** _pending_
- **Variance:** _pending_
- **Agent ID:** _pending_
- **Status:** pending
- **Dependencies:** none
- **Notes:** Simple dependency addition, verify compatibility with ioredis/Valkey
---
### Issue 164 - [INFRA-002] Database schema for job tracking
- **Estimate:** 40,000 tokens (sonnet)
- **Actual:** _pending_
- **Variance:** _pending_
- **Agent ID:** _pending_
- **Status:** pending
- **Dependencies:** none
- **Notes:** Prisma schema for runner_jobs, job_steps, job_events
---
### Issue 165 - [INFRA-003] BullMQ module setup
- **Estimate:** 45,000 tokens (sonnet)
- **Actual:** _pending_
- **Variance:** _pending_
- **Agent ID:** _pending_
- **Status:** pending
- **Dependencies:** #163
- **Notes:** Configure BullMQ to use VALKEY_URL, create queue definitions
---
### Issue 166 - [INFRA-004] Stitcher module structure
- **Estimate:** 50,000 tokens (sonnet)
- **Actual:** _pending_
- **Variance:** _pending_
- **Agent ID:** _pending_
- **Status:** pending
- **Dependencies:** #165
- **Notes:** Workflow orchestration wrapper for OpenClaw
---
### Issue 167 - [INFRA-005] Runner jobs CRUD and queue submission
- **Estimate:** 55,000 tokens (sonnet)
- **Actual:** _pending_
- **Variance:** _pending_
- **Agent ID:** _pending_
- **Status:** pending
- **Dependencies:** #164, #165
- **Notes:** Job lifecycle management, BullMQ queue submission
---
### Issue 168 - [INFRA-006] Job steps tracking
- **Estimate:** 45,000 tokens (sonnet)
- **Actual:** _pending_
- **Variance:** _pending_
- **Agent ID:** _pending_
- **Status:** pending
- **Dependencies:** #164, #167
- **Notes:** Granular step tracking within jobs (SETUP, EXECUTION, VALIDATION, CLEANUP)
---
### Issue 169 - [INFRA-007] Job events and audit logging
- **Estimate:** 55,000 tokens (sonnet)
- **Actual:** _pending_
- **Variance:** _pending_
- **Agent ID:** _pending_
- **Status:** pending
- **Dependencies:** #164, #167
- **Notes:** Event sourcing pattern, PostgreSQL + Valkey Streams + Pub/Sub
---
### Issue 170 - [INFRA-008] mosaic-bridge module for Discord
- **Estimate:** 55,000 tokens (sonnet)
- **Actual:** _pending_
- **Variance:** _pending_
- **Agent ID:** _pending_
- **Status:** pending
- **Dependencies:** #166
- **Notes:** Discord.js bot connection, command forwarding, thread management
---
### Issue 171 - [INFRA-009] Chat command parsing
- **Estimate:** 40,000 tokens (sonnet)
- **Actual:** _pending_
- **Variance:** _pending_
- **Agent ID:** _pending_
- **Status:** pending
- **Dependencies:** #170
- **Notes:** Command grammar parsing, shared across Discord/Mattermost/Slack
---
### Issue 172 - [INFRA-010] Herald status updates
- **Estimate:** 50,000 tokens (sonnet)
- **Actual:** _pending_
- **Variance:** _pending_
- **Agent ID:** _pending_
- **Status:** pending
- **Dependencies:** #169, #170
- **Notes:** Status reporting via bridge to chat channels, PR comments
---
### Issue 173 - [INFRA-011] WebSocket gateway for job events
- **Estimate:** 45,000 tokens (sonnet)
- **Actual:** _pending_
- **Variance:** _pending_
- **Agent ID:** _pending_
- **Status:** pending
- **Dependencies:** #169
- **Notes:** Extend existing WebSocket gateway, subscription management
---
### Issue 174 - [INFRA-012] SSE endpoint for CLI consumers
- **Estimate:** 40,000 tokens (sonnet)
- **Actual:** _pending_
- **Variance:** _pending_
- **Agent ID:** _pending_
- **Status:** pending
- **Dependencies:** #169
- **Notes:** Server-Sent Events for CLI, Valkey Pub/Sub integration
---
### Issue 175 - [INFRA-013] End-to-end test harness
- **Estimate:** 65,000 tokens (sonnet)
- **Actual:** _pending_
- **Variance:** _pending_
- **Agent ID:** _pending_
- **Status:** pending
- **Dependencies:** All Phase 1-4
- **Notes:** Happy path, error handling, chat integration tests
---
### Issue 176 - [INFRA-014] Integration with M4.1 coordinator
- **Estimate:** 75,000 tokens (opus)
- **Actual:** _pending_
- **Variance:** _pending_
- **Agent ID:** _pending_
- **Status:** pending
- **Dependencies:** All M4.2 issues
- **Notes:** Complex integration requiring opus-level reasoning
---
### Issue 179 - fix(security): Update Node.js dependencies
- **Estimate:** 12,000 tokens (haiku)
- **Actual:** _pending_
- **Variance:** _pending_
- **Agent ID:** _pending_
- **Status:** pending
- **Dependencies:** none
- **Notes:** cross-spawn, glob, tar vulnerabilities (HIGH)
---
### Issue 180 - fix(security): Update pnpm in Dockerfiles
- **Estimate:** 10,000 tokens (haiku)
- **Actual:** _pending_
- **Variance:** _pending_
- **Agent ID:** _pending_
- **Status:** pending
- **Dependencies:** none
- **Notes:** pnpm 10.19.0 -> 10.27.0 (HIGH)
---
### Issue 181 - fix(security): Update Go stdlib in postgres image
- **Estimate:** 15,000 tokens (haiku)
- **Actual:** _pending_
- **Variance:** _pending_
- **Agent ID:** _pending_
- **Status:** pending
- **Dependencies:** none
- **Notes:** Go stdlib vulnerabilities, may require investigation
---
## Phase Summaries
### Security Issues (Wave 0)
- **Estimated:** 37,000 tokens
- **Actual:** _pending_
- **Variance:** _pending_
- **Issues:** #179, #180, #181
### Phase 1: Core Infrastructure
- **Estimated:** 100,000 tokens
- **Actual:** _pending_
- **Variance:** _pending_
- **Issues:** #163, #164, #165
### Phase 2: Stitcher Service
- **Estimated:** 205,000 tokens
- **Actual:** _pending_
- **Variance:** _pending_
- **Issues:** #166, #167, #168, #169
### Phase 3: Chat Integration
- **Estimated:** 145,000 tokens
- **Actual:** _pending_
- **Variance:** _pending_
- **Issues:** #170, #171, #172
### Phase 4: Real-time Status
- **Estimated:** 85,000 tokens
- **Actual:** _pending_
- **Variance:** _pending_
- **Issues:** #173, #174
### Phase 5: Integration
- **Estimated:** 140,000 tokens
- **Actual:** _pending_
- **Variance:** _pending_
- **Issues:** #175, #176
### EPIC Tracker
- **Estimated:** 0 tokens (manual)
- **Actual:** N/A
- **Variance:** N/A
- **Issues:** #162
## Overall Summary
- **Total Estimated:** 712,000 tokens
- **Total Actual:** _pending_
- **Overall Variance:** _pending_
- **Estimation Accuracy:** _pending_
## Code Review & QA Tracking
| Issue | Code Review Agent | QA Agent | Review Status | QA Status |
| ----- | ----------------- | --------- | ------------- | --------- |
| #163 | _pending_ | _pending_ | _pending_ | _pending_ |
| #164 | _pending_ | _pending_ | _pending_ | _pending_ |
| #165 | _pending_ | _pending_ | _pending_ | _pending_ |
| #166 | _pending_ | _pending_ | _pending_ | _pending_ |
| #167 | _pending_ | _pending_ | _pending_ | _pending_ |
| #168 | _pending_ | _pending_ | _pending_ | _pending_ |
| #169 | _pending_ | _pending_ | _pending_ | _pending_ |
| #170 | _pending_ | _pending_ | _pending_ | _pending_ |
| #171 | _pending_ | _pending_ | _pending_ | _pending_ |
| #172 | _pending_ | _pending_ | _pending_ | _pending_ |
| #173 | _pending_ | _pending_ | _pending_ | _pending_ |
| #174 | _pending_ | _pending_ | _pending_ | _pending_ |
| #175 | _pending_ | _pending_ | _pending_ | _pending_ |
| #176 | _pending_ | _pending_ | _pending_ | _pending_ |
| #179 | _pending_ | _pending_ | _pending_ | _pending_ |
| #180 | _pending_ | _pending_ | _pending_ | _pending_ |
| #181 | _pending_ | _pending_ | _pending_ | _pending_ |
## Execution Log
_Execution events will be logged here as work progresses._
```
[2026-02-01 HH:MM] Orchestrator initialized
[2026-02-01 HH:MM] Implementation plan created
[2026-02-01 HH:MM] Token tracking initialized
```
## Notes
_Observations and learnings will be recorded here._

20
docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-activity-activity.module.ts_20260201-0147_1_remediation_needed.md Normal file
View File

@@ -0,0 +1,20 @@
# QA Remediation Report
**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/activity/activity.module.ts
**Tool Used:** Edit
**Epic:** general
**Iteration:** 1
**Generated:** 2026-02-01 01:47:10
## Status
Pending QA validation
## Next Steps
This report was created by the QA automation hook.
To process this report, run:
```bash
claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-activity-activity.module.ts_20260201-0147_1_remediation_needed.md"
```

20
docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-workspace-settings-workspace-settings.module.ts_20260201-0147_1_remediation_needed.md Normal file
View File

@@ -0,0 +1,20 @@
# QA Remediation Report
**File:** /home/jwoltje/src/mosaic-stack/apps/api/src/workspace-settings/workspace-settings.module.ts
**Tool Used:** Edit
**Epic:** general
**Iteration:** 1
**Generated:** 2026-02-01 01:47:41
## Status
Pending QA validation
## Next Steps
This report was created by the QA automation hook.
To process this report, run:
```bash
claude -p "Use Task tool to launch universal-qa-agent for report: /home/jwoltje/src/mosaic-stack/docs/reports/qa-automation/pending/home-jwoltje-src-mosaic-stack-apps-api-src-workspace-settings-workspace-settings.module.ts_20260201-0147_1_remediation_needed.md"
```