477d0c8fdf
feat(api): idle container reaper (MS22-P1k) (#614)
...
ci/woodpecker/push/ci Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-03-01 15:50:34 +00:00
dc7e0c805c
feat(api): onboarding API (MS22-P1e) (#612)
...
ci/woodpecker/push/ci Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-03-01 15:43:43 +00:00
2b010fadda
feat(api): fleet settings API (MS22-P1g) (#611)
...
ci/woodpecker/push/ci Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-03-01 15:37:04 +00:00
c25e753f35
feat(api): ContainerLifecycleService (MS22-P1d) (#610)
...
ci/woodpecker/push/ci Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-03-01 15:24:42 +00:00
d3c8b8cadd
feat(api): internal agent config endpoint (MS22-P1c) (#609)
...
ci/woodpecker/push/ci Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-03-01 15:14:06 +00:00
3688f89c37
feat(api): add CryptoService for secret encryption (MS22-P1b)
ci/woodpecker/push/ci Pipeline was successful
2026-03-01 08:41:28 -06:00
0e74b03d9c
test(api): integration tests for MS22 knowledge layer modules (MS22-TEST-001) (#594)
...
ci/woodpecker/push/ci Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-03-01 04:54:23 +00:00
1df20f0e13
feat(api): add assigned_agent to Task model (MS22-DB-003, MS22-API-003) (#591)
...
ci/woodpecker/push/ci Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-03-01 03:54:28 +00:00
d07a840f25
feat(api): add conversation archive with vector search (MS22-DB-004, MS22-API-004) (#587)
...
ci/woodpecker/push/api Pipeline failed
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-03-01 02:20:56 +00:00
4b2e48af9c
feat(api): add agent memory module (MS22-DB-002, MS22-API-002) (#586)
...
ci/woodpecker/push/api Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-03-01 02:20:15 +00:00
7b390d8be2
feat(api): add findings module with vector search (MS22-DB-001, MS22-API-001) (#585)
...
ci/woodpecker/push/orchestrator Pipeline was successful
ci/woodpecker/push/web Pipeline was successful
ci/woodpecker/push/api Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-03-01 02:10:02 +00:00
af68f84dcd
feat(api): invalidate sessions on user deactivation (MS21-AUTH-004) (#582)
...
ci/woodpecker/push/api Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-28 23:41:11 +00:00
f99107fbfc
feat(api): add admin bulk import endpoints (MS21-MIG-004) (#567)
...
ci/woodpecker/push/api Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-28 19:55:01 +00:00
0e6734bdae
feat(api): add team management module with CRUD endpoints (#564)
...
ci/woodpecker/push/api Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-28 18:24:09 +00:00
5bcaaeddd9
fix(api): increase flaky test timeouts for CI (#562)
...
ci/woodpecker/push/api Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-28 18:20:39 +00:00
ac16d6ed88
feat(api): add break-glass local authentication module (#559)
...
ci/woodpecker/push/orchestrator Pipeline failed
ci/woodpecker/push/api Pipeline failed
ci/woodpecker/push/web Pipeline failed
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-28 18:05:19 +00:00
8388d49786
feat(api): add workspace member management endpoints (#556)
...
ci/woodpecker/push/api Pipeline is running
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-28 18:01:05 +00:00
20f914ea85
feat(api): add AdminModule with user and workspace management endpoints (#555)
...
ci/woodpecker/push/api Pipeline failed
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-28 17:56:54 +00:00
128431ba58
fix(api,web): separate workspace context from auth session (#551)
...
ci/woodpecker/push/orchestrator Pipeline was successful
ci/woodpecker/push/web Pipeline was successful
ci/woodpecker/push/api Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-28 15:14:29 +00:00
78b643a945
fix(api): use getTrustedOrigins() for WebSocket CORS (#549)
...
ci/woodpecker/push/api Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-27 12:07:51 +00:00
c0e679ab7c
fix(web,api): fix WebSocket authentication for chat real-time connection (#547)
...
ci/woodpecker/push/web Pipeline failed
ci/woodpecker/push/api Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-27 11:30:44 +00:00
833662a64f
feat(api): implement /users/me/preferences endpoint
...
ci/woodpecker/push/web Pipeline was successful
ci/woodpecker/push/api Pipeline was successful
Implements GET/PATCH/PUT /users/me/preferences. Fixes profile page 'Preferences unavailable' error by correcting the /api prefix in frontend calls and adding PATCH handler to controller.
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-27 10:51:28 +00:00
78b71a0ecc
feat(api): implement personalities CRUD API (#537)
...
ci/woodpecker/push/api Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-27 10:42:50 +00:00
11f22a7e96
fix(api): add sort, search, visibility to knowledge entry query DTO (#533)
...
ci/woodpecker/push/api Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-27 05:16:30 +00:00
edcff6a0e0
fix(api,web): add workspace context to widgets and auto-detect workspace ID (#532)
...
ci/woodpecker/push/web Pipeline was successful
ci/woodpecker/push/api Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-27 04:53:07 +00:00
e3cba37e8c
fix(api,web): resolve RLS context SQL error, workspace guard crash, and projects response unwrapping (#531)
...
ci/woodpecker/push/web Pipeline was successful
ci/woodpecker/push/api Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-27 04:18:35 +00:00
ad99cb9a03
fix(api): lazy-load node-pty to prevent API crash on missing native binary (#525)
...
ci/woodpecker/push/api Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-26 13:46:26 +00:00
8128eb7fbe
feat(api): add terminal session persistence with Prisma model and CRUD (#517)
...
ci/woodpecker/push/api Pipeline failed
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-26 02:49:32 +00:00
6290fc3d53
feat(api): add terminal WebSocket gateway with PTY session management (#515)
...
ci/woodpecker/push/web Pipeline failed
ci/woodpecker/push/orchestrator Pipeline failed
ci/woodpecker/push/api Pipeline failed
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-26 02:27:29 +00:00
9f4de1682f
fix(api): resolve CSRF guard ordering with global AuthGuard (#514)
...
ci/woodpecker/push/api Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-26 02:26:02 +00:00
72c64d2eeb
fix(api): add global /api prefix to resolve frontend route mismatch (#507)
...
ci/woodpecker/push/orchestrator Pipeline was successful
ci/woodpecker/push/api Pipeline was successful
ci/woodpecker/push/web Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-26 01:13:48 +00:00
5f6c520a98
fix(auth): prevent login page freeze on OAuth sign-in failure (#506)
...
ci/woodpecker/push/api Pipeline was successful
ci/woodpecker/push/web Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-25 01:59:36 +00:00
458cac7cdd
Phase 3: Agent Cycle Visibility (#461) (#462)
...
ci/woodpecker/push/api Pipeline was successful
ci/woodpecker/push/web Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-23 01:07:29 +00:00
7581d26567
Phase 2: Task Ingestion Pipeline (#459) (#460)
...
ci/woodpecker/push/api Pipeline was successful
ci/woodpecker/push/web Pipeline was successful
Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>
2026-02-23 00:54:55 +00:00
8424a28faa
fix(auth): use set_config for transaction-scoped RLS context
ci/woodpecker/push/api Pipeline was successful
2026-02-18 23:23:15 -06:00
d2cec04cba
fix(auth): preserve raw BetterAuth cookie token for session lookup
ci/woodpecker/push/api Pipeline was successful
2026-02-18 23:06:37 -06:00
0c2a6b14cf
fix(auth): verify BetterAuth sessions via cookie headers
2026-02-18 22:39:54 -06:00
af299abdaf
debug(auth): log session cookie source
ci/woodpecker/push/infra Pipeline was successful
ci/woodpecker/push/orchestrator Pipeline was successful
ci/woodpecker/push/api Pipeline was successful
ci/woodpecker/push/web Pipeline was successful
2026-02-18 21:36:01 -06:00
f219dd71a0
fix(auth): use UUID id generation for BetterAuth DB models
ci/woodpecker/push/api Pipeline failed
2026-02-18 18:49:16 -06:00
dedc1af080
fix(auth): restore BetterAuth OIDC flow across api/web/compose
ci/woodpecker/push/infra Pipeline was successful
ci/woodpecker/push/web Pipeline was successful
ci/woodpecker/push/api Pipeline was successful
2026-02-17 23:37:49 -06:00
af113707d9
Merge branch 'develop' into fix/auth-frontend-remediation
ci/woodpecker/push/infra Pipeline was successful
ci/woodpecker/push/orchestrator Pipeline was successful
ci/woodpecker/push/coordinator Pipeline was successful
ci/woodpecker/push/web Pipeline failed
ci/woodpecker/push/api Pipeline was successful
2026-02-17 20:35:59 +00:00
Jason Woltje
cab8d690ab
fix(#411): complete 2026-02-17 remediation sweep
...
Apply RLS context at task service boundaries, harden orchestrator/web integration and session startup behavior, re-enable targeted frontend tests, and lock vulnerable transitive dependencies so QA and security gates pass cleanly.
2026-02-17 14:19:15 -06:00
027fee1afa
fix: use UUID for Better Auth ID generation to match Prisma schema
...
ci/woodpecker/manual/infra Pipeline was successful
ci/woodpecker/manual/coordinator Pipeline was successful
ci/woodpecker/manual/orchestrator Pipeline was successful
ci/woodpecker/manual/web Pipeline was successful
ci/woodpecker/manual/api Pipeline was successful
ci/woodpecker/push/api Pipeline was successful
Better Auth generates nanoid-style IDs by default, but our Prisma
schema uses @db.Uuid columns for all auth tables. This caused
P2023 errors when Better Auth tried to insert non-UUID IDs into
the verification table during OAuth sign-in.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 22:48:17 -06:00
abe57621cd
fix: add CORS env vars to Swarm/Portainer compose and log trusted origins
...
The Swarm deployment uses docker-compose.swarm.portainer.yml, not the
root docker-compose.yml. Add NEXT_PUBLIC_APP_URL, NEXT_PUBLIC_API_URL,
and TRUSTED_ORIGINS to the API service environment. Also log trusted
origins at startup for easier CORS debugging.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 22:31:29 -06:00
Jason Woltje
8961f5b18c
chore: upgrade Node.js runtime to v24 across codebase
...
ci/woodpecker/push/orchestrator Pipeline was successful
ci/woodpecker/push/api Pipeline was successful
ci/woodpecker/push/web Pipeline was successful
- Update .woodpecker/codex-review.yml: node:22-slim → node:24-slim
- Update packages/cli-tools engines: >=18 → >=24.0.0
- Update README.md, CONTRIBUTING.md, prerequisites docs to reference Node 24+
- Rename eslint.config.js → eslint.config.mjs to eliminate Node 24
MODULE_TYPELESS_PACKAGE_JSON warnings (ESM detection overhead)
- Add .nvmrc targeting Node 24
- Fix pre-existing no-unsafe-return lint error in matrix-room.service.ts
- Add Campsite Rule to CLAUDE.md
- Regenerate Prisma client for Node 24 compatibility
All Dockerfiles and main CI pipelines already used node:24. This commit
aligns the remaining stragglers (codex-review CI, cli-tools engines,
documentation) and resolves Node 24 ESM module detection warnings.
Quality gates: lint ✅ typecheck ✅ tests ✅ (6 pre-existing API failures)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 17:33:26 -06:00
Jason Woltje
9d3a673e6c
fix(#411): resolve CI lint errors — prettier, unused directives, no-base-to-string
...
ci/woodpecker/push/web Pipeline failed
ci/woodpecker/push/api Pipeline was successful
- auth.config.ts: collapse multiline template literal to single line
- auth.controller.ts: add eslint-disable for intentional no-unnecessary-condition
- auth.service.ts: remove 5 unused eslint-disable directives (Node 24 resolves
BetterAuth types), fix prettier formatting, fix no-base-to-string
- login/page.tsx: remove unnecessary String() wrapper
- auth-context.test.tsx: fix prettier line length
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 17:00:01 -06:00
Jason Woltje
76756ad695
test(#411): add AuthGuard user validation branch tests — malformed/missing/null user data
...
Add 5 new tests in a "user data validation" describe block covering:
- User missing id → UnauthorizedException
- User missing email → UnauthorizedException
- User missing name → UnauthorizedException
- User is a string → UnauthorizedException
- User is null → TypeError (typeof null === "object" causes 'in' operator to throw)
Also fixes pre-existing broken DI mock setup: replaced NestJS TestingModule
with direct constructor injection so all 15 tests (10 existing + 5 new) pass.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 15:48:53 -06:00
Jason Woltje
05ee6303c2
fix(#411): sanitize Bearer tokens in verifySession logs + warn on non-Error thrown values
...
- Redact Bearer tokens from error stacks/messages before logging to
prevent session token leakage into server logs
- Add logger.warn for non-Error thrown values in verifySession catch
block for observability
- Add tests for token redaction and non-Error warn logging
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 15:48:10 -06:00
Jason Woltje
4d9b75994f
fix(#411): add runtime null checks in auth controller — defense-in-depth for AuthenticatedRequest
...
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 15:44:31 -06:00
Jason Woltje
399d5a31c8
fix(#411): narrow verifySession allowlist — prevent false-positive infra error classification
...
Replace broad "expired" and "unauthorized" substring matches with specific
patterns to prevent infrastructure errors from being misclassified as auth
errors:
- "expired" -> "token expired", "session expired", or exact match "expired"
- "unauthorized" -> exact match "unauthorized" only
This prevents TLS errors like "certificate has expired" and DB auth errors
like "Unauthorized: Access denied for user" from being silently swallowed
as 401 responses.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 15:42:10 -06:00
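
The allowlist narrowing described in commit 399d5a31c8, as an added TypeScript illustration that is not the repository's code. The function names, the case-insensitive comparison and the sample messages are assumptions; only the patterns and the two infrastructure error strings come from the commit message.

```typescript
// Added illustration, not the project's verifySession implementation.
// classifyBroad / classifyNarrow are hypothetical names; lower-casing and
// trimming before comparison is an assumption.
type Classification = "auth" | "infra";

// Patterns listed in the commit message.
const EXACT_AUTH = new Set(["expired", "unauthorized"]);
const PHRASE_AUTH = ["token expired", "session expired"];

// Before: any message containing the substring is treated as an auth error,
// so it would be answered with a 401 instead of surfacing as a server fault.
function classifyBroad(message: string): Classification {
  const m = message.toLowerCase();
  return m.includes("expired") || m.includes("unauthorized") ? "auth" : "infra";
}

// After: "expired" and "unauthorized" must be the whole message; only the
// specific phrases may match as substrings.
function classifyNarrow(message: string): Classification {
  const m = message.trim().toLowerCase();
  if (EXACT_AUTH.has(m)) return "auth";
  return PHRASE_AUTH.some((p) => m.includes(p)) ? "auth" : "infra";
}

// Constructed sample messages; the first two are quoted in the commit message.
const SAMPLES: string[] = [
  "certificate has expired",
  "Unauthorized: Access denied for user",
  "Session expired",
  "unauthorized",
  "JWT token expired at 12:00",
];

// Messages the broad matcher swallowed as auth errors that the narrow
// matcher now reports as infrastructure errors.
function reclassified(samples: string[] = SAMPLES): string[] {
  return samples.filter(
    (s) => classifyBroad(s) === "auth" && classifyNarrow(s) === "infra",
  );
}

console.log(reclassified());
```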