mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases 2 Wiki Activity

feat(api): GET /api/workspaces/:id/stats endpoint

Browse Source
This commit is contained in:
Jason Woltje
2026-03-01 15:35:02 -06:00
commit fe87122179
41 changed files with 8471 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
workers/ms22-audit-prompt.txt Normal file
View File

@@ -0,0 +1,57 @@
You are performing a mandatory code review and security audit of MS22 Phase 1 modules in ~/src/mosaic-stack.
## Objective
Audit all MS22 modules for correctness, missing dependencies, and security issues. Produce a written report regardless of findings. If nothing needs fixing, that is itself a valid result — document it.
## MS22 Modules to Audit
- apps/api/src/container-lifecycle/
- apps/api/src/crypto/
- apps/api/src/agent-config/
- apps/api/src/onboarding/
- apps/api/src/fleet-settings/
- apps/api/src/chat-proxy/
## What to Check
### 1. NestJS Module Dependency Audit
For each *.module.ts file:
- Does it import every module whose services/guards are used in its controllers/services?
- Are all providers listed that are used?
- Are exports correct?
### 2. Security Review
- fleet-settings: are admin-only routes properly guarded? Can a non-admin access provider secrets?
- agent-config: is the bearer token guard timing-safe? Is the internal route isolated?
- onboarding: can onboarding be re-run after completion?
- crypto: is AES-256-GCM implemented correctly? IV uniqueness, auth tag verification?
- chat-proxy: can a user proxy to another user's container?
### 3. Input Validation
- Are DTOs using class-validator decorators?
- Any unvalidated inputs?
### 4. Error Handling
- Are errors leaking sensitive data?
- Are Prisma errors caught before reaching HTTP layer?
## Process — MANDATORY, follow exactly
1. git checkout main && git pull --ff-only origin main
2. Read each module file carefully
3. Create branch: fix/ms22-audit
4. Write a report file at docs/audits/ms22-phase1-audit.md documenting:
- Each module reviewed
- Findings (or "no issues found") per module
- Security assessment
- Changes made (if any)
5. If you found issues: fix them, include fixes in the same commit
6. If no issues found: still commit the report file
7. Run quality gates: pnpm turbo lint typecheck --filter=@mosaic/api
8. Commit: "fix(api): MS22 Phase 1 audit report and fixes"
9. Push: git push origin fix/ms22-audit
10. Create PR: ~/.config/mosaic/tools/git/pr-create.sh -t "fix(api): MS22 Phase 1 post-coding audit" -b "Mandatory post-coding audit of all MS22 Phase 1 modules. Report at docs/audits/ms22-phase1-audit.md."
DO NOT exit without pushing and creating a PR. The audit report is required even if all modules are clean.
When completely finished:
openclaw system event --text "Done: MS22 audit PR ready — check docs/audits/ms22-phase1-audit.md" --mode now