docker:dind requires privileged mode and a running daemon.
Kaniko builds containers without needing Docker daemon:
- Runs unprivileged
- Reads credentials from /kaniko/.docker/config.json
- Designed for CI environments like Woodpecker
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The buildx plugin's credential handling doesn't work properly with
Harbor. The docker-auth-test step proved that standard docker login
works, so we switch to:
- docker:dind image
- Manual docker login before build
- Standard docker build and docker push
This bypasses buildx's separate credential store issue.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Added a docker-auth-test step that:
- Shows credential lengths (for debugging)
- Tests docker login directly with Harbor
This will help identify if the issue is with secrets injection
or with how buildx handles authentication.
Reverted to woodpeckerci/plugin-docker-buildx since plugins/docker
requires server-side WOODPECKER_PLUGINS_PRIVILEGED config.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The repo setting should NOT include the registry prefix - the
registry setting handles that separately.
Changed repo: reg.mosaicstack.dev/mosaic/api -> repo: mosaic/api
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
The woodpeckerci/plugin-docker-buildx plugin was failing with
"insufficient_scope: authorization failed" when pushing to Harbor,
even though the same credentials worked locally.
Switched to the standard plugins/docker which uses traditional
docker login authentication that may work better with Harbor.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Add .dockerignore to exclude node_modules, dist, and build artifacts
- Add pre/post build directory listings to diagnose dist not found issue
- Disable turbo cache temporarily with --force flag
- Add --verbosity=2 for more detailed turbo output
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The docker-buildx plugin automatically prepends registry to repo,
so having the full URL caused doubled paths:
reg.mosaicstack.dev/reg.mosaicstack.dev/mosaic/api
Changed from: repo: reg.mosaicstack.dev/mosaic/api
Changed to: repo: mosaic/api
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Docker COPY replaces directory contents, so copying source code
after node_modules was wiping the deps. Reordered to:
1. Copy source code first
2. Copy node_modules second (won't be overwritten)
Fixes API build failure: "dist not found"
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add docker-build-api, docker-build-web, docker-build-postgres steps
- Images pushed to reg.diversecanvas.com/mosaic/* on main/develop
- Create docker-compose.prod.yml for production deployments
- Add .env.prod.example with production configuration
Requires Harbor secrets in Woodpecker:
- harbor_username
- harbor_password
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Modules using AuthGuard in their controllers need to import AuthModule
to make AuthService available for dependency injection.
Fixed:
- ActivityModule
- WorkspaceSettingsModule
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Issues fixed:
1. Module not found: Added missing copy of apps/{api,web}/node_modules
which contains pnpm symlinks to the root node_modules
2. Healthcheck syntax: Fixed broken quoting from prettier reformatting
Changed to CMD-SHELL with proper escaping
3. Removed obsolete version: "3.9" from docker-compose.yml
The apps need their own node_modules directories because pnpm uses
symlinks that point from apps/*/node_modules to node_modules/.pnpm/*
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fixed the mismatch between environment variables:
- docker-compose now passes PORT (what NestJS/Next.js read) instead of API_PORT
- API_PORT/WEB_PORT control host mapping, PORT controls container
Changes:
- docker-compose: Pass PORT=${API_PORT} and PORT=${WEB_PORT} to containers
- docker-compose: Dynamic port mapping on both host and container sides
- docker-compose: Traefik labels use ${API_PORT}/${WEB_PORT} variables
- docker-compose: Healthchecks use PORT env var
- Dockerfiles: Removed hardcoded port values
- Dockerfiles: Healthchecks read PORT at runtime
This allows changing ports via API_PORT/WEB_PORT environment variables
and have all components (app, healthcheck, Traefik) use the correct port.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Added cache mounts for:
- pnpm store: Caches downloaded packages between builds
- TurboRepo: Caches build outputs between builds
This significantly speeds up subsequent builds:
- First build: Full download and compile
- Subsequent builds: Only changed packages are re-downloaded/rebuilt
Requires Docker BuildKit (default in Docker 23+).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The production stage was failing because it tried to copy the public
directory which doesn't exist in the source. Added mkdir -p to ensure
the directory exists (even if empty) before the production stage
tries to copy it.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When detecting existing configuration, the setup script now shows a
detailed breakdown instead of just "Current base URL: ...":
Mode: Traefik reverse proxy
Web URL: https://app.mosaicstack.dev
API URL: https://api.mosaicstack.dev
Auth: https://auth.mosaicstack.dev
This makes it clear:
- What access mode is configured (localhost/IP/domain/Traefik)
- What each URL is used for (Web UI, API, Authentication)
- Whether to change the configuration
Added helper functions:
- detect_access_mode(): Determines mode from existing .env values
- display_access_config(): Formats the URL breakdown display
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
pnpm stores the Prisma client in the content-addressable store at
node_modules/.pnpm/.../.prisma, not at apps/api/node_modules/.prisma.
The production stage was trying to copy from the wrong location.
Additionally, running `pnpm install --prod` in production failed because:
1. The husky prepare script runs but husky is a devDependency
2. The Prisma client postinstall can't run without the prisma CLI
Fixed by copying the full node_modules from the builder stage, which
already has all dependencies properly installed and the Prisma client
generated in the correct pnpm store location.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The Docker builds were failing because they ran `pnpm build` directly
in the app directories without first building workspace dependencies
(@mosaic/shared, @mosaic/ui). CI passed because it runs TurboRepo
from the root which respects the dependency graph.
Changed both Dockerfiles to use `pnpm turbo build --filter=@mosaic/{app}`
which ensures dependencies are built in the correct order:
- Web: @mosaic/config → @mosaic/shared → @mosaic/ui → @mosaic/web
- API: @mosaic/config → @mosaic/shared → prisma:generate → @mosaic/api
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The husky prepare script was failing during Docker production builds
because husky is a devDependency and isn't available when running
`pnpm install --prod --frozen-lockfile`.
Changed from `husky install` (deprecated in v9+) to `husky || true`
which gracefully handles the case when husky isn't installed.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use index() instead of regex capture groups for key extraction
- More portable across different awk implementations
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add genericOAuth plugin to auth.config.ts with Authentik provider
- Fix LoginButton to use /auth/signin/authentik (not /auth/callback/)
- Add production URLs to trustedOrigins
- Update .env.example with correct redirect URI documentation
Redirect URI for Authentik: https://api.mosaicstack.dev/auth/callback/authentik
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add input sanitization to prevent LLM prompt injection
(escapes quotes, backslashes, replaces newlines)
- Add MaxLength(500) validation to DTO to prevent DoS
- Add entity validation to filter malicious LLM responses
- Add confidence validation to clamp values to 0.0-1.0
- Make LLM model configurable via INTENT_CLASSIFICATION_MODEL env var
- Add 12 new security tests (total: 72 tests, from 60)
Security fixes identified by code review:
- CVE-mitigated: Prompt injection via unescaped user input
- CVE-mitigated: Unvalidated entity data from LLM response
- CVE-mitigated: Missing input length validation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement REST API endpoints for managing LLM provider instances.
Changes:
- Created DTOs for provider CRUD operations (CreateLlmProviderDto, UpdateLlmProviderDto, LlmProviderResponseDto)
- Implemented LlmProviderAdminController with full CRUD endpoints:
- GET /llm/admin/providers - List all providers
- GET /llm/admin/providers/:id - Get provider details
- POST /llm/admin/providers - Create new provider
- PATCH /llm/admin/providers/:id - Update provider
- DELETE /llm/admin/providers/:id - Delete provider
- POST /llm/admin/providers/:id/test - Test connection
- POST /llm/admin/reload - Reload from database
- Updated llm-manager.service.ts to support OpenAI and Claude providers
- Added comprehensive test suite with 97.95% coverage
- Proper validation, error handling, and type safety
All tests pass. Pre-commit hooks pass.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement Anthropic Claude provider for Claude Opus, Sonnet, and Haiku models.
Implementation details:
- Created ClaudeProvider class implementing LlmProviderInterface
- Added @anthropic-ai/sdk npm package integration
- Implemented chat completion with streaming support
- Claude-specific message format (system prompt separate from messages)
- Static model list (Claude API doesn't provide list models endpoint)
- Embeddings throw error as Claude doesn't support native embeddings
- Added OpenTelemetry tracing with @TraceLlmCall decorator
- 100% statement, function, and line coverage (79% branch coverage)
Tests:
- Created comprehensive test suite with 20 tests
- All tests follow TDD pattern (written before implementation)
- Tests cover initialization, health checks, chat, streaming, and error handling
- Mocked Anthropic SDK client for isolated unit testing
Quality checks:
- All tests pass (1131 total tests across project)
- ESLint passes with no errors
- TypeScript type checking passes
- Follows existing code patterns from OpenAI and Ollama providers
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement OpenAI provider for GPT-4, GPT-3.5, and other OpenAI models.
Implementation includes:
- OpenAI SDK integration with API key authentication
- Chat completion with streaming support
- Embeddings generation
- Health checks and model listing
- OpenTelemetry tracing
- Comprehensive test suite with 97% coverage
Follows TDD methodology:
- Written tests first (RED phase)
- Implemented minimal code to pass tests (GREEN phase)
- Code passes typecheck, linter, and all quality gates
Test coverage: 97.18% statements, 97.05% lines
All 22 tests passing
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add database-backed quality gate configuration for workspaces with
full CRUD operations and default gate seeding.
Schema:
- Add QualityGate model with workspace relation
- Support for custom commands and regex patterns
- Enable/disable and ordering support
Service:
- CRUD operations for quality gates
- findEnabled: Get ordered, enabled gates
- reorder: Bulk reorder with transaction
- seedDefaults: Seed 4 default gates
- toOrchestratorFormat: Convert to orchestrator interface
Endpoints:
- GET /workspaces/:id/quality-gates - List
- GET /workspaces/:id/quality-gates/:gateId - Get one
- POST /workspaces/:id/quality-gates - Create
- PATCH /workspaces/:id/quality-gates/:gateId - Update
- DELETE /workspaces/:id/quality-gates/:gateId - Delete
- POST /workspaces/:id/quality-gates/reorder
- POST /workspaces/:id/quality-gates/seed-defaults
Default gates: Build, Lint, Test, Coverage (85%)
Tests: 25 passing with 95.16% coverage
Fixes#135
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
