51ce32cc76
docs( #346 ): Add credential security architecture design document
...
Comprehensive design document for M7-CredentialSecurity milestone covering
hybrid OpenBao Transit + PostgreSQL encryption approach, threat model,
UserCredential data model, API design, RLS enforcement strategy, turnkey
OpenBao Docker integration, and 5-phase implementation plan.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com >
2026-02-07 11:15:58 -06:00
bed440dc36
docs(m6): Add Usage Budget Management section
...
ci/woodpecker/push/woodpecker Pipeline failed
Add comprehensive usage budget management design to M6
orchestration architecture.
FEATURES:
- Real-time usage tracking across agents
- Budget allocation per task/milestone/project
- Usage projection and burn rate calculation
- Throttling decisions to prevent budget exhaustion
- Model tier optimization (Haiku/Sonnet/Opus)
- Pre-commit usage validation
DATA MODEL:
- usage_budgets table (allocated/consumed/remaining)
- agent_usage_logs table (per-agent tracking)
- Valkey keys for real-time state
BUDGET CHECKPOINTS:
1. Task assignment - can afford this task?
2. Agent spawn - verify budget headroom
3. Checkpoint intervals - periodic compliance
4. Pre-commit validation - usage efficiency
PRIORITY: MVP (M6 Phase 3) for basic tracking, Phase 5 for
advanced projection and optimization.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com >
2026-02-07 09:55:21 -06:00
Jason Woltje
12abdfe81d
feat( #93 ): implement agent spawn via federation
...
Implements FED-010: Agent Spawn via Federation feature that enables
spawning and managing Claude agents on remote federated Mosaic Stack
instances via COMMAND message type.
Features:
- Federation agent command types (spawn, status, kill)
- FederationAgentService for handling agent operations
- Integration with orchestrator's agent spawner/lifecycle services
- API endpoints for spawning, querying status, and killing agents
- Full command routing through federation COMMAND infrastructure
- Comprehensive test coverage (12/12 tests passing)
Architecture:
- Hub → Spoke: Spawn agents on remote instances
- Command flow: FederationController → FederationAgentService →
CommandService → Remote Orchestrator
- Response handling: Remote orchestrator returns agent status/results
- Security: Connection validation, signature verification
Files created:
- apps/api/src/federation/types/federation-agent.types.ts
- apps/api/src/federation/federation-agent.service.ts
- apps/api/src/federation/federation-agent.service.spec.ts
Files modified:
- apps/api/src/federation/command.service.ts (agent command routing)
- apps/api/src/federation/federation.controller.ts (agent endpoints)
- apps/api/src/federation/federation.module.ts (service registration)
- apps/orchestrator/src/api/agents/agents.controller.ts (status endpoint)
- apps/orchestrator/src/api/agents/agents.module.ts (lifecycle integration)
Testing:
- 12/12 tests passing for FederationAgentService
- All command service tests passing
- TypeScript compilation successful
- Linting passed
Refs #93
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com >
2026-02-03 14:37:06 -06:00
Jason Woltje
82a09373e0
docs: add Federation Architecture design document
...
Captures:
- Peer-to-peer federation model (master/spoke)
- Agent Federation Protocol (CONNECT, QUERY, COMMAND, EVENT, DISCONNECT)
- Authentik integration for enterprise SSO and RBAC
- Data sovereignty principles (query, don't replicate)
- RBAC model with workspace/team hierarchy
- Implementation phases targeting 0.1.0 MVP
- Versioning policy (0.0.x dev, 0.1.0 MVP, 1.0.0 stable)
2026-01-29 17:25:57 -06:00
Jason Woltje
4729f964f1
docs: add M2 database layer completion report
2026-01-29 16:14:20 -06:00
Jason Woltje
f07f04404d
feat(knowledge): add tag management API (KNOW-003)
...
- Add Tag DTOs (CreateTagDto, UpdateTagDto) with validation
- Implement TagsService with CRUD operations
- Add TagsController with authenticated endpoints
- Support automatic slug generation from tag names
- Add workspace isolation for tags
- Include entry count in tag responses
- Add findOrCreateTags method for entry creation/update
- Implement comprehensive test coverage (29 tests passing)
Endpoints:
- GET /api/knowledge/tags - List workspace tags
- POST /api/knowledge/tags - Create tag
- GET /api/knowledge/tags/:slug - Get tag by slug
- PUT /api/knowledge/tags/:slug - Update tag
- DELETE /api/knowledge/tags/:slug - Delete tag
- GET /api/knowledge/tags/:slug/entries - List entries with tag
Related: KNOW-003
2026-01-29 16:13:40 -06:00
Jason Woltje
244e50c806
feat(multi-tenant): add Team model and RLS policies
...
Implements #9 , #10
- Team model with workspace membership
- TeamMember model with role-based access (OWNER, ADMIN, MEMBER)
- Row-Level Security policies for tenant isolation on 19 tables
- Helper functions: current_user_id(), is_workspace_member(), is_workspace_admin()
- Developer utilities in src/lib/db-context.ts for easy RLS integration
- Comprehensive documentation in docs/design/multi-tenant-rls.md
Database migrations:
- 20260129220941_add_team_model: Adds Team and TeamMember tables
- 20260129221004_add_rls_policies: Enables RLS and creates policies
Security features:
- Complete database-level tenant isolation
- Automatic query filtering based on workspace membership
- Defense-in-depth security with application and database layers
- Performance-optimized with indexes on workspace_id
2026-01-29 16:13:09 -06:00
Jason Woltje
9b7e1f926f
docs(adr): add ADR-001 API-first agent-agnostic design
...
Key decision: Mosaic Stack exposes APIs first, agent skills are thin wrappers.
Platform works standalone, agent layer is swappable.
2026-01-29 16:05:09 -06:00
Jason Woltje
91399f597f
docs(design): add Knowledge Module design and implementation plan
...
- Full design document with architecture, data model, API specs
- 28 implementation issues across 5 phases (~127h total)
- Wiki-link syntax, semantic search, graph visualization
- Integration points for agent access
Ref: memory/2025-01-29-agent-orchestration.md
2026-01-29 15:38:50 -06:00
