mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity
636 Commits 67 Branches 4 Tags
6e4236b359b8bbb1b68fe12fc4bcc4eb48cb4faa
Commit Graph

5 Commits

Author SHA1 Message Date
Jason Woltje
dfe89b7a3b fix(devops): add CSRF_SECRET to all compose files
All checks were successful
ci/woodpecker/push/infra Pipeline was successful
Details 
Added CSRF_SECRET to docker-compose.swarm.portainer.yml (the active
Portainer deployment) and both example compose files. Also added
ENCRYPTION_KEY to the example files where it was missing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-15 01:44:45 -06:00
Jason Woltje
899faba7e2 fix(devops): set Valkey maxmemory-policy to noeviction for BullMQ
Some checks failed
ci/woodpecker/push/infra Pipeline was successful
Details
ci/woodpecker/manual/infra Pipeline was successful
Details
ci/woodpecker/manual/coordinator Pipeline failed
Details
ci/woodpecker/manual/web Pipeline failed
Details
ci/woodpecker/manual/orchestrator Pipeline failed
Details
ci/woodpecker/manual/api Pipeline failed
Details 
BullMQ requires noeviction to prevent silent job data loss. With
allkeys-lru, Valkey could evict keys BullMQ depends on for job tracking.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-14 16:51:42 -06:00
Jason Woltje
0ca3945061 fix(api): resolve Docker startup failures (secrets, Redis, Prisma) 
- Pass BETTER_AUTH_SECRET through all 6 docker-compose files to API container
- Fix BullModule to parse VALKEY_URL instead of VALKEY_HOST/VALKEY_PORT,
  matching all other Redis consumers in the codebase
- Migrate Prisma encryption from removed $use() middleware to $extends()
  client extensions (Prisma 6.x compatibility), keeping extends PrismaClient
  pattern with only account and llmProviderInstance getters overridden

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-14 11:04:04 -06:00
Jason Woltje
429cf85f87 fix(#363): rebuild gosu from source with Go 1.26 to fix CRITICAL CVEs 
The gosu 1.19 binary bundled in the postgres base image was compiled
with Go 1.24.6, which contains CVE-2025-68121 (CRITICAL) and 5 HIGH
severity Go stdlib vulnerabilities. Since upstream gosu has not released
a version built with patched Go (1.24.13+ / 1.25.7+), this adds a
multi-stage Docker build that recompiles gosu from source using Go 1.26.

Changes:
- Pin postgres base image to 17.7-alpine3.22 for reproducibility
- Add golang:1.26-alpine3.22 builder stage to compile gosu v1.19
- Replace bundled gosu binary with freshly built version
- Pin all postgres:17-alpine references across compose files and CI

CVEs fixed:
- CVE-2025-68121 (CRITICAL): Go crypto/tls vulnerability
- CVE-2025-58183 (HIGH): Go archive/tar unbounded allocation
- CVE-2025-61726 (HIGH): Go net/url memory exhaustion
- CVE-2025-61728 (HIGH): Go archive/zip CPU exhaustion
- CVE-2025-61729 (HIGH): Go crypto/x509 DoS
- CVE-2025-61730 (HIGH): Go TLS 1.3 handshake vulnerability

Fixes #363

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-12 12:38:33 -06:00
Jason Woltje
f3694592cc feat(swarm): add coordinator service and reorganize compose files 
- Add coordinator service to docker-compose.swarm.portainer.yml and
  docker-compose.swarm.yml with full environment config and healthcheck
- Add ANTHROPIC_API_KEY and coordinator settings to .env.swarm.example
- Move docker-compose.override.yml.example and docker-compose.prod.yml
  into docker/ directory
- Add *.bak to .gitignore

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-09 22:04:55 -06:00