mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity
613 Commits 68 Branches 4 Tags
2ab795a95db7208848a26847dc51f3f2ba626fcd
Commit Graph

5 Commits

Author SHA1 Message Date
Jason Woltje
dce975bf4e fix(#363): Update OpenBao image to fix CRITICAL CVE-2025-68121 + 4 HIGH CVEs 
Pin OpenBao base image from unpinned :2 tag to :2.5.0 (latest stable,
released 2026-02-04) in both the Dockerfile and the dev docker-compose.

CVEs resolved:
- CVE-2025-68121 (CRITICAL): Go stdlib crypto/tls session resumption
- CVE-2024-8185 (HIGH): DoS via Raft join requests
- CVE-2024-9180 (HIGH): Root namespace privilege escalation
- CVE-2025-59043 (HIGH): DoS via malicious JSON
- CVE-2025-64761 (HIGH): Identity group root escalation

All fixed in OpenBao >= 2.4.4; v2.5.0 includes all patches plus new
features (horizontal read scalability, OCI plugin distribution).

Files changed:
- docker/openbao/Dockerfile: FROM tag 2 -> 2.5.0
- docker/docker-compose.yml: openbao + openbao-init image tags 2 -> 2.5.0

The production/swarm compose files use the custom-built
git.mosaicstack.dev/mosaic/stack-openbao image which is built FROM
this Dockerfile, so they inherit the fix on next CI build.

Fixes #363
 2026-02-12 12:36:08 -06:00
Jason Woltje
b3c0f51dc9 fix(devops): enable OpenBao in Swarm and fix healthchecks 
- Enable OpenBao + init sidecar in Swarm compose (was commented out)
- Fix healthcheck to accept uninitialized/sealed vault states
  (add ?uninitcode=200&sealedcode=200 to /v1/sys/health)
- Replace nc-based healthcheck with wget in dev compose
- Add ORCHESTRATOR_URL env var to API service in Swarm compose
- Uncomment OpenBao volumes in Swarm compose

The healthcheck was returning HTTP 501 for uninitialized vault,
causing Swarm to restart OpenBao before init sidecar could run.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-11 19:38:34 -06:00
Jason Woltje
d4d1e59885 feat(#357): Add OpenBao to Docker Compose with turnkey setup
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details 
Implements secure credential storage using OpenBao Transit encryption.

Features:
- Auto-initialization on first run (1-of-1 Shamir key for dev)
- Auto-unseal on container restart with verification and retry logic
- Transit secrets engine with 4 named encryption keys
- AppRole authentication with Transit-only policy
- Localhost-only API binding for security
- Comprehensive integration test suite (22 tests, all passing)

Security:
- API bound to 127.0.0.1 (localhost only, no external access)
- Unseal verification with 3-attempt retry logic
- Sanitized error messages in tests (no secret leakage)
- Volume-based secret reading (doesn't require running container)

Files:
- docker/openbao/config.hcl: Server configuration
- docker/openbao/init.sh: Auto-init/unseal script
- docker/docker-compose.yml: OpenBao and init services
- tests/integration/openbao.test.ts: Full test coverage
- .env.example: OpenBao configuration variables

Closes #357

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-07 15:40:24 -06:00
Jason Woltje
e23c09f1f2 feat(#157): Set up webhook receiver endpoint 
Implement FastAPI webhook receiver for Gitea issue assignment events
with HMAC SHA256 signature verification and event routing.

Implementation details:
- FastAPI application with /webhook/gitea POST endpoint
- HMAC SHA256 signature verification in security.py
- Event routing for assigned, unassigned, closed actions
- Comprehensive logging for all webhook events
- Health check endpoint at /health
- Docker containerization with health checks
- 91% test coverage (exceeds 85% requirement)

TDD workflow followed:
- Wrote 16 tests first (RED phase)
- Implemented features to pass tests (GREEN phase)
- All tests passing with 91% coverage
- Type checking with mypy: success
- Linting with ruff: success

Files created:
- apps/coordinator/src/main.py - FastAPI application
- apps/coordinator/src/webhook.py - Webhook handlers
- apps/coordinator/src/security.py - HMAC verification
- apps/coordinator/src/config.py - Configuration management
- apps/coordinator/tests/ - Comprehensive test suite
- apps/coordinator/Dockerfile - Production container
- apps/coordinator/pyproject.toml - Python project config

Configuration:
- Updated .env.example with GITEA_WEBHOOK_SECRET
- Updated docker-compose.yml with coordinator service

Testing:
- 16 unit and integration tests
- Security tests for signature verification
- Event handler tests for all supported actions
- Health check endpoint tests
- All tests passing with 91% coverage

This unblocks issue #158 (issue parser).

Fixes #157

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-02-01 17:41:46 -06:00
Jason Woltje
99afde4f99 feat(#2): Implement PostgreSQL 17 + pgvector database schema 
Establishes multi-tenant database layer with vector similarity search for AI-powered memory features. Includes Docker infrastructure, Prisma ORM integration, NestJS services, and shared types across the monorepo.

Key changes:
- Docker: PostgreSQL 17 + pgvector v0.7.4, Valkey cache
- Schema: 8 models (User, Workspace, Task, Event, Project, ActivityLog, MemoryEmbedding) with RLS preparation
- NestJS: PrismaModule, DatabaseModule, EmbeddingsService
- Shared: Type-safe enums, constants, and database types

Fixes #2

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-01-28 16:06:34 -06:00