The Swarm deployment uses docker-compose.swarm.portainer.yml, not the
root docker-compose.yml. Add NEXT_PUBLIC_APP_URL, NEXT_PUBLIC_API_URL,
and TRUSTED_ORIGINS to the API service environment. Also log trusted
origins at startup for easier CORS debugging.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Kaniko fundamentally cannot run apt-get update on bookworm (Debian 12)
due to GPG signature verification failures during filesystem snapshots.
Neither --snapshot-mode=redo nor clearing /var/lib/apt/lists/* resolves
this.
Changes:
- Replace apt-get install dumb-init with ADD from GitHub releases
(static x86_64 binary) in api, web, and orchestrator Dockerfiles
- Switch coordinator builder from python:3.11-slim to python:3.11
(full image includes build tools, avoids 336MB build-essential)
- Replace wget healthcheck with node-based check in orchestrator
(wget no longer installed)
- Exclude telemetry lifecycle integration tests in CI (fail due to
runner disk pressure on PostgreSQL, not code issues)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add MOSAIC_TELEMETRY_* variables to .env.example with descriptions
- Pass telemetry env vars to api service in production compose
- Pass telemetry env vars to coordinator service in dev and swarm composes
- Swarm composes default to production URL (https://tel-api.mosaicstack.dev)
- Dev compose includes commented-out telemetry-api service placeholder
- All compose files default MOSAIC_TELEMETRY_ENABLED to false for safety
Refs #374
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Added CSRF_SECRET to docker-compose.swarm.portainer.yml (the active
Portainer deployment) and both example compose files. Also added
ENCRYPTION_KEY to the example files where it was missing.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
BullMQ requires noeviction to prevent silent job data loss. With
allkeys-lru, Valkey could evict keys BullMQ depends on for job tracking.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Pass BETTER_AUTH_SECRET through all 6 docker-compose files to API container
- Fix BullModule to parse VALKEY_URL instead of VALKEY_HOST/VALKEY_PORT,
matching all other Redis consumers in the codebase
- Migrate Prisma encryption from removed $use() middleware to $extends()
client extensions (Prisma 6.x compatibility), keeping extends PrismaClient
pattern with only account and llmProviderInstance getters overridden
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The gosu 1.19 binary bundled in the postgres base image was compiled
with Go 1.24.6, which contains CVE-2025-68121 (CRITICAL) and 5 HIGH
severity Go stdlib vulnerabilities. Since upstream gosu has not released
a version built with patched Go (1.24.13+ / 1.25.7+), this adds a
multi-stage Docker build that recompiles gosu from source using Go 1.26.
Changes:
- Pin postgres base image to 17.7-alpine3.22 for reproducibility
- Add golang:1.26-alpine3.22 builder stage to compile gosu v1.19
- Replace bundled gosu binary with freshly built version
- Pin all postgres:17-alpine references across compose files and CI
CVEs fixed:
- CVE-2025-68121 (CRITICAL): Go crypto/tls vulnerability
- CVE-2025-58183 (HIGH): Go archive/tar unbounded allocation
- CVE-2025-61726 (HIGH): Go net/url memory exhaustion
- CVE-2025-61728 (HIGH): Go archive/zip CPU exhaustion
- CVE-2025-61729 (HIGH): Go crypto/x509 DoS
- CVE-2025-61730 (HIGH): Go TLS 1.3 handshake vulnerability
Fixes#363
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add coordinator service to docker-compose.swarm.portainer.yml and
docker-compose.swarm.yml with full environment config and healthcheck
- Add ANTHROPIC_API_KEY and coordinator settings to .env.swarm.example
- Move docker-compose.override.yml.example and docker-compose.prod.yml
into docker/ directory
- Add *.bak to .gitignore
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
