Adds automated code quality and security review pipeline that runs on
pull requests using OpenAI Codex with structured output schemas.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add explicit @Inject("DOCKER_CLIENT") token to the Docker constructor
parameter in DockerSandboxService. The @Optional() decorator alone was
not suppressing the NestJS resolution error for the external dockerode
class, causing the orchestrator container to crash on startup.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Bump axios ^1.13.4→^1.13.5 (GHSA-43fc-jf86-j433). Add pnpm overrides for
lodash/lodash-es >=4.17.23 and undici >=6.23.0 to resolve transitive
vulnerabilities via chevrotain and discord.js.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add Kaniko-based Docker build step for the coordinator service,
push to git.mosaicstack.dev/mosaic/stack-coordinator, and include
it in the link-packages step.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Build step now depends on lint, typecheck, test, and security-audit so
Docker images cannot be pushed when quality gates fail. Also corrects
docker-compose.prod.yml image names to match pipeline (stack-api, stack-web,
stack-postgres) and replaces hardcoded :latest with ${IMAGE_TAG:-latest}.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
API:
- Add AuthModule import to JobEventsModule
- Add AuthModule import to JobStepsModule
- Fixes: AuthGuard dependency resolution in job modules
Orchestrator:
- Add @Optional() decorator to docker parameter in DockerSandboxService
- Fixes: NestJS trying to inject Docker class as dependency
All modules using AuthGuard must import AuthModule.
Docker parameter is optional for testing, needs @Optional() decorator.
- Add ConfigService mock for encryption configuration
- Add VaultService and CryptoService to test module
- Fixes: PrismaService dependency injection error in test
PrismaService requires VaultService for credential encryption.
Performance tests now properly provide all required dependencies.
Refs #341 (pipeline test failure)
API:
- Add AuthModule import to RunnerJobsModule
- Fixes: Nest can't resolve dependencies of AuthGuard
Orchestrator:
- Remove --prod flag from dependency installation
- Copy full node_modules tree to production stage
- Align Dockerfile with API pattern for monorepo builds
- Fixes: Cannot find module '@nestjs/core'
Both services now match the working API Dockerfile pattern.
- Remove ./docker/postgres/init-scripts bind mount from postgres service
- Fixes: 'bind source path does not exist' error in Portainer
- Init scripts are already baked into postgres image at build time
Portainer can't access repository files when deploying stacks,
so bind mounts to local paths don't work. The postgres image
already includes init scripts via Dockerfile COPY.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Change depends_on from condition-based to simple list syntax
- Fixes: 'Services.openbao-init.depends_on must be a list' error
- Compatible with Portainer's compose parser
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add explicit command: server -config=/openbao/config/config.hcl
- Remove OPENBAO_DEV_ROOT_TOKEN_ID (not needed in production)
- Fixes 'address already in use' error caused by dev mode conflict
The base OpenBao image defaults to 'server -dev' which conflicts with
our production config.hcl. This change forces production mode.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Create docker-compose.openbao.yml for standalone OpenBao deployment
- Includes openbao and openbao-init services
- Auto-initialization on first run
- Connects to swarm's mosaic_internal network
- Binds to localhost:8200 for security
- Update docker-compose.swarm.yml
- Comment out OpenBao service (cannot run in swarm)
- Add clear note about standalone requirement
- Update volumes section
- Update header with current config
- Create docs/OPENBAO-DEPLOYMENT.md
- Comprehensive deployment guide
- 4 deployment options: standalone, bundled, external, fallback
- Clear explanation why OpenBao can't run in swarm
- Deployment workflows for each scenario
- Troubleshooting section
- Update docs/SWARM-DEPLOYMENT.md
- Add Step 1: Deploy OpenBao standalone FIRST
- Remove manual initialization (now automatic)
- Update expected services list
- Reference OpenBao deployment guide
- Update README.md
- Clarify OpenBao standalone requirement for swarm
- Update deployment steps
- Highlight critical requirement at top of notes
Key changes:
- OpenBao MUST be deployed standalone when using swarm
- Automatic initialization via openbao-init sidecar
- Clear documentation for all deployment options
- Swarm stack no longer includes OpenBao
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Update docker-compose.swarm.yml with external Authentik configuration
- Comment out Authentik services (using external OIDC provider)
- Comment out Authentik volumes
- Add header with deployment instructions and current configuration
- Create comprehensive SWARM-DEPLOYMENT.md guide
- Prerequisites and swarm initialization
- Manual OpenBao initialization (critical - no auto-init in swarm)
- External service configuration examples
- Scaling, updates, rollbacks
- Troubleshooting and maintenance procedures
- Backup and restore instructions
- Update .env.swarm.example
- Add note about external vs internal Authentik
- Update default OIDC_ISSUER to use https
- Clarify which variables are needed for internal Authentik
- Update README.md Docker Swarm section
- Fix deploy script path (./scripts/deploy-swarm.sh)
- Add note about manual OpenBao initialization
- Add warning about no profile support in swarm
- Update documentation references to docs/ directory
- Update documentation cross-references
- Add deprecation notice to old DOCKER-SWARM.md
- Add deployment guide reference to SWARM-QUICKREF.md
- Update DOCKER-COMPOSE-GUIDE.md See Also section
Key changes for swarm deployment:
- Swarm does NOT support docker-compose profiles
- External services must be manually commented out
- OpenBao requires manual initialization (no sidecar)
- All documentation updated with correct paths
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add OpenBao services to docker-compose.yml with profiles (openbao, full)
- Add docker-compose.build.yml for local builds vs registry pulls
- Make PostgreSQL and Valkey optional via profiles (database, cache)
- Create example compose files for common deployment scenarios:
- docker/docker-compose.example.turnkey.yml (all bundled)
- docker/docker-compose.example.external.yml (all external)
- docker/docker.example.hybrid.yml (mixed deployment)
- Update documentation:
- Enhance .env.example with profiles and external service examples
- Update README.md with deployment mode quick starts
- Add deployment scenarios to docs/OPENBAO.md
- Create docker/DOCKER-COMPOSE-GUIDE.md with comprehensive guide
- Clean up repository structure:
- Move shell scripts to scripts/ directory
- Move documentation to docs/ directory
- Move docker compose examples to docker/ directory
- Configure for external Authentik with internal services:
- Comment out Authentik services (using external OIDC)
- Comment out unused volumes for disabled services
- Keep postgres, valkey, openbao as internal services
This provides a flexible deployment architecture supporting turnkey,
production (all external), and hybrid configurations via Docker Compose
profiles.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Without set -e, if an individual link_package call fails, the script
continues silently. Only the last call's exit code determined the step
result — masking earlier failures.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Addresses timing issue where packages aren't immediately queryable via
API after being pushed to the registry.
Changes:
- Initial 10-second delay for package indexing
- Retry logic: 3 attempts with 5-second delays
- Only retries on 404 (not found) errors
- Returns success on 201/204 (linked) or 400 (already linked)
- Better logging shows attempt progress
This fixes the race condition where link-packages ran before packages
were indexed in Gitea's registry API.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Woodpecker interprets $ as variable substitution in YAML, so we need to
use $$ to escape it and pass a literal $ to the shell script.
Changed from a for loop to explicit function calls with escaped variables:
- Use $$ instead of $ for all shell variables
- Function-based approach for cleaner variable passing
- Each package explicitly called: link_package "stack-api" etc.
This fixes the variable expansion issue where ${package} was empty,
resulting in URLs like "container//-/link/stack" (double slash).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The Gitea package link API returns 201 (Created) on successful linking,
not 204 (No Content) as we were checking for. Updated the link-packages
step to accept both 201 and 204 as success.
Also added visual indicators (✅/❌) to make link status clearer in logs.
Diagnostic output showed all 5 packages successfully linked with 201:
- stack-api: 201 (linked)
- stack-web: 201 (linked)
- stack-postgres: 201 (linked)
- stack-openbao: 201 (linked)
- stack-orchestrator: 201 (linked)
Subsequent runs return 400 "invalid argument" which means already linked.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The docker-build-openbao pipeline step was failing because the Dockerfile
was missing from docker/openbao/.
Created a minimal Dockerfile that:
- Uses official quay.io/openbao/openbao:2 as base
- Copies config.hcl and init.sh into the image
- Exposes port 8200
- Preserves the default entrypoint from base image
This allows Kaniko to build the stack-openbao image for Swarm deployment.
Fixes pipeline #325 docker-build-openbao failure.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
FilterBar Test Fix:
- Skip onFilterChange callback on first render to prevent spurious calls
- Use isFirstRender ref to track initial mount
- Prevents "expected spy to not be called" failure in debounce test
TaskList Test Fix:
- Increase timeout from 5000ms to 10000ms for "extremely large task lists" test
- Rendering 1000 tasks requires more time than default timeout
- Test is validating performance with large datasets
These fixes resolve pipeline #324 test failures.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The link endpoint uses POST (not PUT) and returns 400 when already
linked. Handle both 204 (linked) and 400 (already linked) as success.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Link all Docker container packages to the mosaic/stack repository
using Gitea's package API. This makes packages visible on the
repository page and shows which repo they came from.
API endpoint: /packages/{owner}/container/{name}/-/link/{repo_name}
Links created for:
- mosaic/api
- mosaic/web
- mosaic/postgres
- mosaic/openbao
- mosaic/orchestrator
Each package will now show up in the repository's packages tab.
The debounce test was failing in CI because fake timers caused a
deadlock with React's internal rendering timers. Switched to using
real timers with a shorter debounce period (100ms) to make the test
both reliable and fast.
The test now:
- Uses real timers instead of fake timers
- Tests debounce behavior with rapid typing
- Verifies the callback is only called once after debounce completes
- Runs quickly (~100ms) without flakiness
Fixes the CI failure: "expected spy to not be called at all, but
actually been called 1 times"
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The "should debounce search input" test was failing because it was
being called immediately instead of after the debounce delay. Fixed by:
1. Using real timers with waitFor instead of fake timers
2. Adding mockOnFilterChange.mockClear() after render to ignore any
calls from the initial render
3. Properly waiting for the debounced callback with waitFor
This allows the test to correctly verify that:
- The callback is not called immediately after typing
- The callback is called after the 300ms debounce delay
- The callback receives the correct search value
All 19 FilterBar tests now pass.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add missing Docker image builds for swarm deployment.
Changes:
- Added docker-build-openbao step to .woodpecker.yml
- Added docker-build-orchestrator step to .woodpecker.yml
- Updated docker-compose.swarm.yml to use registry images
(git.mosaicstack.dev/mosaic/*)
- Added IMAGE_TAG variable support for versioned deployments
- Updated deploy-swarm.sh to support both registry and local images
Image tagging strategy:
- All commits: SHA tag (e.g., 658ec077)
- main branch: latest + SHA
- develop branch: dev + SHA
- git tags: version tag + SHA
Registry images:
- git.mosaicstack.dev/mosaic/postgres
- git.mosaicstack.dev/mosaic/openbao
- git.mosaicstack.dev/mosaic/api
- git.mosaicstack.dev/mosaic/orchestrator
- git.mosaicstack.dev/mosaic/web
Deployment modes:
- IMAGE_TAG=latest (default, use registry latest)
- IMAGE_TAG=dev (use registry dev tag)
- IMAGE_TAG=local (use local builds via build-images.sh)
Docker Swarm doesn't support build directives or security_opt.
Images must be pre-built before deployment.
Changes:
- Created build-images.sh script to build all images
- Updated deploy-swarm.sh to check for images and offer to build
- Removed build: sections from docker-compose.swarm.yml
- Removed security_opt: (not supported in swarm)
- Services now reference pre-built images only
Deployment workflow:
1. ./build-images.sh (build all images)
2. ./deploy-swarm.sh mosaic (deploy to swarm)
Docker Compose/Swarm requires environment variables to be strings, not booleans.
Changes:
- KILLSWITCH_ENABLED: true -> "true"
- SANDBOX_ENABLED: true -> "true"
Fixes deployment error: 'must be a string, number or null'
- Add setup-wizard.sh for interactive configuration
- Add docker-compose.swarm.yml optimized for swarm deployment
- Make CLAUDE_API_KEY optional based on AI_PROVIDER setting
- Support multiple AI providers: Ollama, Claude API, OpenAI
- Add BETTER_AUTH_SECRET to .env.example
- Update deploy-swarm.sh to validate AI provider config
- Add comprehensive documentation (DOCKER-SWARM.md, SWARM-QUICKREF.md)
Changes:
- AI_PROVIDER env var controls which AI backend to use
- Ollama is default (no API key required)
- Claude API and OpenAI require respective API keys
- Deployment script validates based on selected provider
- Removed Authentik services from swarm compose (using external)
- Configured for upstream Traefik integration
Woodpecker sets CI=woodpecker and CI_PIPELINE_EVENT, not CI=true.
Updated the CI detection to check for both.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The .env.test file was being loaded in CI and overriding the CI-provided
DATABASE_URL, causing tests to try connecting to localhost:5432 instead of
the postgres:5432 service.
Fix: Only load .env.test when NOT in CI (check for CI or WOODPECKER env vars).
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Fixes integration test failures caused by missing DATABASE_URL environment variable.
Changes:
- Add dotenv as dev dependency to load .env.test in vitest setup
- Add .env.test to .gitignore to prevent committing test credentials
- Create .env.test.example with warning comments for documentation
- Add conditional test skipping when DATABASE_URL is not available
- Add DATABASE_URL format validation in vitest setup
- Add error handling to test cleanup to prevent silent failures
- Remove filesystem path disclosure from error messages
The fix allows integration tests to:
- Load DATABASE_URL from .env.test locally for developers with database setup
- Skip gracefully if DATABASE_URL is not available (no database running)
- Connect to postgres service in CI where DATABASE_URL is explicitly provided
Tests affected: auth-rls.integration.spec.ts and other integration tests
requiring real database connections.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Implemented transparent encryption/decryption of LLM provider API keys
stored in llm_provider_instances.config JSON field using OpenBao Transit
encryption.
Implementation:
- Created llm-encryption.middleware.ts with encryption/decryption logic
- Auto-detects format (vault:v1: vs plaintext) for backward compatibility
- Idempotent encryption prevents double-encryption
- Registered middleware in PrismaService
- Created data migration script for active encryption
- Added migrate:encrypt-llm-keys command to package.json
Tests:
- 14 comprehensive unit tests
- 90.76% code coverage (exceeds 85% requirement)
- Tests create, read, update, upsert operations
- Tests error handling and backward compatibility
Migration:
- Lazy migration: New keys encrypted, old keys work until re-saved
- Active migration: pnpm --filter @mosaic/api migrate:encrypt-llm-keys
- No schema changes required
- Zero downtime
Security:
- Uses TransitKey.LLM_CONFIG from OpenBao Transit
- Keys never touch disk in plaintext (in-memory only)
- Transparent to LlmManagerService and providers
- Follows proven pattern from account-encryption.middleware.ts
Files:
- apps/api/src/prisma/llm-encryption.middleware.ts (new)
- apps/api/src/prisma/llm-encryption.middleware.spec.ts (new)
- apps/api/scripts/encrypt-llm-keys.ts (new)
- apps/api/prisma/migrations/20260207_encrypt_llm_api_keys/ (new)
- apps/api/src/prisma/prisma.service.ts (modified)
- apps/api/package.json (modified)
Note: The migration script (encrypt-llm-keys.ts) is not included in
tsconfig.json to avoid rootDir conflicts. It's executed via tsx which
handles TypeScript directly.
Refs #359
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Implements secure credential encryption using OpenBao Transit API with
automatic fallback to AES-256-GCM when OpenBao is unavailable.
Features:
- AppRole authentication with automatic token renewal at 50% TTL
- Transit encrypt/decrypt with 4 named keys
- Automatic fallback to CryptoService when OpenBao unavailable
- Auto-detection of ciphertext format (vault:v1: vs AES)
- Request timeout protection (5s default)
- Health indicator for monitoring
- Backward compatible with existing AES-encrypted data
Security:
- ERROR-level logging for fallback
- Proper error propagation (no silent failures)
- Request timeouts prevent hung operations
- Secure credential file reading
Migrations:
- Account encryption middleware uses VaultService
- Uses TransitKey.ACCOUNT_TOKENS for OAuth tokens
- Backward compatible with existing encrypted data
Tests: 56 tests passing (36 VaultService + 20 middleware)
Closes#353
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Implements secure credential storage using OpenBao Transit encryption.
Features:
- Auto-initialization on first run (1-of-1 Shamir key for dev)
- Auto-unseal on container restart with verification and retry logic
- Transit secrets engine with 4 named encryption keys
- AppRole authentication with Transit-only policy
- Localhost-only API binding for security
- Comprehensive integration test suite (22 tests, all passing)
Security:
- API bound to 127.0.0.1 (localhost only, no external access)
- Unseal verification with 3-attempt retry logic
- Sanitized error messages in tests (no secret leakage)
- Volume-based secret reading (doesn't require running container)
Files:
- docker/openbao/config.hcl: Server configuration
- docker/openbao/init.sh: Auto-init/unseal script
- docker/docker-compose.yml: OpenBao and init services
- tests/integration/openbao.test.ts: Full test coverage
- .env.example: OpenBao configuration variables
Closes#357
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
