The lint step in .woodpecker/api.yml depended only on install, but
ESLint needs Prisma-generated client types to resolve imports. Without
prisma-generate running first, all Prisma type references produce
false-positive errors (3,919 total). Changing the dependency from
install to prisma-generate fixes the issue since prisma-generate
already depends on install.
Fixes#364
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The gosu 1.19 binary bundled in the postgres base image was compiled
with Go 1.24.6, which contains CVE-2025-68121 (CRITICAL) and 5 HIGH
severity Go stdlib vulnerabilities. Since upstream gosu has not released
a version built with patched Go (1.24.13+ / 1.25.7+), this adds a
multi-stage Docker build that recompiles gosu from source using Go 1.26.
Changes:
- Pin postgres base image to 17.7-alpine3.22 for reproducibility
- Add golang:1.26-alpine3.22 builder stage to compile gosu v1.19
- Replace bundled gosu binary with freshly built version
- Pin all postgres:17-alpine references across compose files and CI
CVEs fixed:
- CVE-2025-68121 (CRITICAL): Go crypto/tls vulnerability
- CVE-2025-58183 (HIGH): Go archive/tar unbounded allocation
- CVE-2025-61726 (HIGH): Go net/url memory exhaustion
- CVE-2025-61728 (HIGH): Go archive/zip CPU exhaustion
- CVE-2025-61729 (HIGH): Go crypto/x509 DoS
- CVE-2025-61730 (HIGH): Go TLS 1.3 handshake vulnerability
Fixes#363
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pin OpenBao base image from unpinned :2 tag to :2.5.0 (latest stable,
released 2026-02-04) in both the Dockerfile and the dev docker-compose.
CVEs resolved:
- CVE-2025-68121 (CRITICAL): Go stdlib crypto/tls session resumption
- CVE-2024-8185 (HIGH): DoS via Raft join requests
- CVE-2024-9180 (HIGH): Root namespace privilege escalation
- CVE-2025-59043 (HIGH): DoS via malicious JSON
- CVE-2025-64761 (HIGH): Identity group root escalation
All fixed in OpenBao >= 2.4.4; v2.5.0 includes all patches plus new
features (horizontal read scalability, OCI plugin distribution).
Files changed:
- docker/openbao/Dockerfile: FROM tag 2 -> 2.5.0
- docker/docker-compose.yml: openbao + openbao-init image tags 2 -> 2.5.0
The production/swarm compose files use the custom-built
git.mosaicstack.dev/mosaic/stack-openbao image which is built FROM
this Dockerfile, so they inherit the fix on next CI build.
Fixes#363
Replace single build.yml with split pipelines per the CI/CD guide:
- api.yml: API with postgres, prisma, Trivy scan
- web.yml: Web with Trivy scan
- orchestrator.yml: Orchestrator with Trivy scan
- coordinator.yml: Python with ruff/mypy/bandit/pip-audit/Trivy
- infra.yml: postgres + openbao builds with Trivy
Adds path filtering (only affected packages rebuild), Trivy container
scanning for all images, and scoped per-package quality gates.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
CredentialsController uses AuthGuard which depends on AuthService.
NestJS resolves guard dependencies in the module context, so
CredentialsModule needs to import AuthModule directly.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Woodpecker v3 ignores .woodpecker.yml when a .woodpecker/ directory
exists, reading only files from the directory. Since develop has
.woodpecker/codex-review.yml, the main build pipeline was invisible
to Woodpecker on develop. Move it into the directory as build.yml.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove temporary debug RUN layers that were added during initial
build troubleshooting. These add build time and leak directory
structure into build logs unnecessarily.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Enable OpenBao + init sidecar in Swarm compose (was commented out)
- Fix healthcheck to accept uninitialized/sealed vault states
(add ?uninitcode=200&sealedcode=200 to /v1/sys/health)
- Replace nc-based healthcheck with wget in dev compose
- Add ORCHESTRATOR_URL env var to API service in Swarm compose
- Uncomment OpenBao volumes in Swarm compose
The healthcheck was returning HTTP 501 for uninitialized vault,
causing Swarm to restart OpenBao before init sidecar could run.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Coordinator: install all dependencies from pyproject.toml instead of
hardcoded subset (missing slowapi, anthropic, opentelemetry-*).
API: FederationAgentService now gracefully disables when orchestrator
URL is not configured instead of throwing and crashing the app.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add coordinator service to docker-compose.swarm.portainer.yml and
docker-compose.swarm.yml with full environment config and healthcheck
- Add ANTHROPIC_API_KEY and coordinator settings to .env.swarm.example
- Move docker-compose.override.yml.example and docker-compose.prod.yml
into docker/ directory
- Add *.bak to .gitignore
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds directory-specific agent context templates for AI-assisted
development across all apps and packages.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Adds automated code quality and security review pipeline that runs on
pull requests using OpenAI Codex with structured output schemas.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add explicit @Inject("DOCKER_CLIENT") token to the Docker constructor
parameter in DockerSandboxService. The @Optional() decorator alone was
not suppressing the NestJS resolution error for the external dockerode
class, causing the orchestrator container to crash on startup.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Bump axios ^1.13.4→^1.13.5 (GHSA-43fc-jf86-j433). Add pnpm overrides for
lodash/lodash-es >=4.17.23 and undici >=6.23.0 to resolve transitive
vulnerabilities via chevrotain and discord.js.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add Kaniko-based Docker build step for the coordinator service,
push to git.mosaicstack.dev/mosaic/stack-coordinator, and include
it in the link-packages step.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Build step now depends on lint, typecheck, test, and security-audit so
Docker images cannot be pushed when quality gates fail. Also corrects
docker-compose.prod.yml image names to match pipeline (stack-api, stack-web,
stack-postgres) and replaces hardcoded :latest with ${IMAGE_TAG:-latest}.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
API:
- Add AuthModule import to JobEventsModule
- Add AuthModule import to JobStepsModule
- Fixes: AuthGuard dependency resolution in job modules
Orchestrator:
- Add @Optional() decorator to docker parameter in DockerSandboxService
- Fixes: NestJS trying to inject Docker class as dependency
All modules using AuthGuard must import AuthModule.
Docker parameter is optional for testing, needs @Optional() decorator.
- Add ConfigService mock for encryption configuration
- Add VaultService and CryptoService to test module
- Fixes: PrismaService dependency injection error in test
PrismaService requires VaultService for credential encryption.
Performance tests now properly provide all required dependencies.
Refs #341 (pipeline test failure)
API:
- Add AuthModule import to RunnerJobsModule
- Fixes: Nest can't resolve dependencies of AuthGuard
Orchestrator:
- Remove --prod flag from dependency installation
- Copy full node_modules tree to production stage
- Align Dockerfile with API pattern for monorepo builds
- Fixes: Cannot find module '@nestjs/core'
Both services now match the working API Dockerfile pattern.
- Remove ./docker/postgres/init-scripts bind mount from postgres service
- Fixes: 'bind source path does not exist' error in Portainer
- Init scripts are already baked into postgres image at build time
Portainer can't access repository files when deploying stacks,
so bind mounts to local paths don't work. The postgres image
already includes init scripts via Dockerfile COPY.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Change depends_on from condition-based to simple list syntax
- Fixes: 'Services.openbao-init.depends_on must be a list' error
- Compatible with Portainer's compose parser
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add explicit command: server -config=/openbao/config/config.hcl
- Remove OPENBAO_DEV_ROOT_TOKEN_ID (not needed in production)
- Fixes 'address already in use' error caused by dev mode conflict
The base OpenBao image defaults to 'server -dev' which conflicts with
our production config.hcl. This change forces production mode.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Create docker-compose.openbao.yml for standalone OpenBao deployment
- Includes openbao and openbao-init services
- Auto-initialization on first run
- Connects to swarm's mosaic_internal network
- Binds to localhost:8200 for security
- Update docker-compose.swarm.yml
- Comment out OpenBao service (cannot run in swarm)
- Add clear note about standalone requirement
- Update volumes section
- Update header with current config
- Create docs/OPENBAO-DEPLOYMENT.md
- Comprehensive deployment guide
- 4 deployment options: standalone, bundled, external, fallback
- Clear explanation why OpenBao can't run in swarm
- Deployment workflows for each scenario
- Troubleshooting section
- Update docs/SWARM-DEPLOYMENT.md
- Add Step 1: Deploy OpenBao standalone FIRST
- Remove manual initialization (now automatic)
- Update expected services list
- Reference OpenBao deployment guide
- Update README.md
- Clarify OpenBao standalone requirement for swarm
- Update deployment steps
- Highlight critical requirement at top of notes
Key changes:
- OpenBao MUST be deployed standalone when using swarm
- Automatic initialization via openbao-init sidecar
- Clear documentation for all deployment options
- Swarm stack no longer includes OpenBao
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Update docker-compose.swarm.yml with external Authentik configuration
- Comment out Authentik services (using external OIDC provider)
- Comment out Authentik volumes
- Add header with deployment instructions and current configuration
- Create comprehensive SWARM-DEPLOYMENT.md guide
- Prerequisites and swarm initialization
- Manual OpenBao initialization (critical - no auto-init in swarm)
- External service configuration examples
- Scaling, updates, rollbacks
- Troubleshooting and maintenance procedures
- Backup and restore instructions
- Update .env.swarm.example
- Add note about external vs internal Authentik
- Update default OIDC_ISSUER to use https
- Clarify which variables are needed for internal Authentik
- Update README.md Docker Swarm section
- Fix deploy script path (./scripts/deploy-swarm.sh)
- Add note about manual OpenBao initialization
- Add warning about no profile support in swarm
- Update documentation references to docs/ directory
- Update documentation cross-references
- Add deprecation notice to old DOCKER-SWARM.md
- Add deployment guide reference to SWARM-QUICKREF.md
- Update DOCKER-COMPOSE-GUIDE.md See Also section
Key changes for swarm deployment:
- Swarm does NOT support docker-compose profiles
- External services must be manually commented out
- OpenBao requires manual initialization (no sidecar)
- All documentation updated with correct paths
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add OpenBao services to docker-compose.yml with profiles (openbao, full)
- Add docker-compose.build.yml for local builds vs registry pulls
- Make PostgreSQL and Valkey optional via profiles (database, cache)
- Create example compose files for common deployment scenarios:
- docker/docker-compose.example.turnkey.yml (all bundled)
- docker/docker-compose.example.external.yml (all external)
- docker/docker.example.hybrid.yml (mixed deployment)
- Update documentation:
- Enhance .env.example with profiles and external service examples
- Update README.md with deployment mode quick starts
- Add deployment scenarios to docs/OPENBAO.md
- Create docker/DOCKER-COMPOSE-GUIDE.md with comprehensive guide
- Clean up repository structure:
- Move shell scripts to scripts/ directory
- Move documentation to docs/ directory
- Move docker compose examples to docker/ directory
- Configure for external Authentik with internal services:
- Comment out Authentik services (using external OIDC)
- Comment out unused volumes for disabled services
- Keep postgres, valkey, openbao as internal services
This provides a flexible deployment architecture supporting turnkey,
production (all external), and hybrid configurations via Docker Compose
profiles.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Without set -e, if an individual link_package call fails, the script
continues silently. Only the last call's exit code determined the step
result — masking earlier failures.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Addresses timing issue where packages aren't immediately queryable via
API after being pushed to the registry.
Changes:
- Initial 10-second delay for package indexing
- Retry logic: 3 attempts with 5-second delays
- Only retries on 404 (not found) errors
- Returns success on 201/204 (linked) or 400 (already linked)
- Better logging shows attempt progress
This fixes the race condition where link-packages ran before packages
were indexed in Gitea's registry API.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Woodpecker interprets $ as variable substitution in YAML, so we need to
use $$ to escape it and pass a literal $ to the shell script.
Changed from a for loop to explicit function calls with escaped variables:
- Use $$ instead of $ for all shell variables
- Function-based approach for cleaner variable passing
- Each package explicitly called: link_package "stack-api" etc.
This fixes the variable expansion issue where ${package} was empty,
resulting in URLs like "container//-/link/stack" (double slash).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The Gitea package link API returns 201 (Created) on successful linking,
not 204 (No Content) as we were checking for. Updated the link-packages
step to accept both 201 and 204 as success.
Also added visual indicators (✅/❌) to make link status clearer in logs.
Diagnostic output showed all 5 packages successfully linked with 201:
- stack-api: 201 (linked)
- stack-web: 201 (linked)
- stack-postgres: 201 (linked)
- stack-openbao: 201 (linked)
- stack-orchestrator: 201 (linked)
Subsequent runs return 400 "invalid argument" which means already linked.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The docker-build-openbao pipeline step was failing because the Dockerfile
was missing from docker/openbao/.
Created a minimal Dockerfile that:
- Uses official quay.io/openbao/openbao:2 as base
- Copies config.hcl and init.sh into the image
- Exposes port 8200
- Preserves the default entrypoint from base image
This allows Kaniko to build the stack-openbao image for Swarm deployment.
Fixes pipeline #325 docker-build-openbao failure.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
FilterBar Test Fix:
- Skip onFilterChange callback on first render to prevent spurious calls
- Use isFirstRender ref to track initial mount
- Prevents "expected spy to not be called" failure in debounce test
TaskList Test Fix:
- Increase timeout from 5000ms to 10000ms for "extremely large task lists" test
- Rendering 1000 tasks requires more time than default timeout
- Test is validating performance with large datasets
These fixes resolve pipeline #324 test failures.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The link endpoint uses POST (not PUT) and returns 400 when already
linked. Handle both 204 (linked) and 400 (already linked) as success.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Link all Docker container packages to the mosaic/stack repository
using Gitea's package API. This makes packages visible on the
repository page and shows which repo they came from.
API endpoint: /packages/{owner}/container/{name}/-/link/{repo_name}
Links created for:
- mosaic/api
- mosaic/web
- mosaic/postgres
- mosaic/openbao
- mosaic/orchestrator
Each package will now show up in the repository's packages tab.
The debounce test was failing in CI because fake timers caused a
deadlock with React's internal rendering timers. Switched to using
real timers with a shorter debounce period (100ms) to make the test
both reliable and fast.
The test now:
- Uses real timers instead of fake timers
- Tests debounce behavior with rapid typing
- Verifies the callback is only called once after debounce completes
- Runs quickly (~100ms) without flakiness
Fixes the CI failure: "expected spy to not be called at all, but
actually been called 1 times"
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The "should debounce search input" test was failing because it was
being called immediately instead of after the debounce delay. Fixed by:
1. Using real timers with waitFor instead of fake timers
2. Adding mockOnFilterChange.mockClear() after render to ignore any
calls from the initial render
3. Properly waiting for the debounced callback with waitFor
This allows the test to correctly verify that:
- The callback is not called immediately after typing
- The callback is called after the 300ms debounce delay
- The callback receives the correct search value
All 19 FilterBar tests now pass.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add missing Docker image builds for swarm deployment.
Changes:
- Added docker-build-openbao step to .woodpecker.yml
- Added docker-build-orchestrator step to .woodpecker.yml
- Updated docker-compose.swarm.yml to use registry images
(git.mosaicstack.dev/mosaic/*)
- Added IMAGE_TAG variable support for versioned deployments
- Updated deploy-swarm.sh to support both registry and local images
Image tagging strategy:
- All commits: SHA tag (e.g., 658ec077)
- main branch: latest + SHA
- develop branch: dev + SHA
- git tags: version tag + SHA
Registry images:
- git.mosaicstack.dev/mosaic/postgres
- git.mosaicstack.dev/mosaic/openbao
- git.mosaicstack.dev/mosaic/api
- git.mosaicstack.dev/mosaic/orchestrator
- git.mosaicstack.dev/mosaic/web
Deployment modes:
- IMAGE_TAG=latest (default, use registry latest)
- IMAGE_TAG=dev (use registry dev tag)
- IMAGE_TAG=local (use local builds via build-images.sh)
