Added bullmq@^5.67.2 and @nestjs/bullmq@^11.0.4 to support job queue
management for the M4.2 Infrastructure milestone. BullMQ provides job
progress tracking, automatic retry, rate limiting, and job dependencies
over plain Valkey, complementing the existing ioredis setup.
Verified:
- pnpm install succeeds with no conflicts
- pnpm build completes successfully
- All packages resolve correctly in pnpm-lock.yaml
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Updated pnpm version from 10.19.0 to 10.27.0 to fix HIGH severity
vulnerabilities (CVE-2025-69262, CVE-2025-69263, CVE-2025-6926).
Changes:
- apps/api/Dockerfile: line 8
- apps/web/Dockerfile: lines 8 and 81
Fixes#180
Implement session rotation that spawns fresh agents when context reaches
95% threshold.
TDD Process:
1. RED: Write comprehensive tests (all initially fail)
2. GREEN: Implement trigger_rotation method (all tests pass)
Changes:
- Add SessionRotation dataclass to track rotation metrics
- Implement trigger_rotation method in ContextMonitor
- Add 6 new unit tests covering all acceptance criteria
Rotation process:
1. Get current context usage metrics
2. Close current agent session
3. Spawn new agent with same type
4. Transfer next issue to new agent
5. Log rotation event with metrics
Test Results:
- All 47 tests pass (34 context_monitor + 13 context_compaction)
- 97% coverage on context_monitor.py (exceeds 85% requirement)
- 97% coverage on context_compaction.py (exceeds 85% requirement)
Prevents context exhaustion by starting fresh when compaction is insufficient.
Acceptance Criteria (All Met):
✓ Rotation triggered at 95% context threshold
✓ Current session closed cleanly
✓ New agent spawned with same type
✓ Next issue transferred to new agent
✓ Rotation logged with session IDs and context metrics
✓ Unit tests with 85%+ coverage
Fixes#152
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add comprehensive tests for context compaction functionality:
- Request summary from agent of completed work
- Replace conversation history with summary
- Measure context reduction achieved
- Integration with ContextMonitor
Tests cover:
- Summary generation and prompt validation
- Conversation history replacement
- Context reduction metrics (target: 40-50%)
- Error handling and failure cases
- Integration with context monitoring
Coverage: 100% for context_compaction module
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement the main orchestration loop that coordinates all components:
- Queue processing with priority sorting (issues by number)
- Integration with ContextMonitor for tracking agent context usage
- Integration with QualityOrchestrator for running quality gates
- Integration with ForcedContinuationService for rejection prompts
- Metrics tracking (processed_count, success_count, rejection_count)
- Graceful start/stop with proper lifecycle management
- Error handling at all levels (spawn, context, quality, continuation)
The OrchestrationLoop flow:
1. Read issue queue (priority sorted by issue number)
2. Mark issue as in progress
3. Spawn agent (stub implementation for Phase 0)
4. Check context usage via ContextMonitor
5. Run quality gates via QualityOrchestrator
6. On approval: mark complete, increment success count
7. On rejection: generate continuation prompt, increment rejection count
99% test coverage for coordinator.py (183 statements, 2 missed).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add comprehensive test suite for OrchestrationLoop class that integrates:
- Queue processing with priority sorting
- Agent assignment (50% rule)
- Quality gate verification on completion claims
- Rejection handling with forced continuation prompts
- Context monitoring during agent execution
- Lifecycle management (start/stop)
- Error handling for all edge cases
- Metrics tracking (processed, success, rejection counts)
33 new tests covering all acceptance criteria.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fixed code review findings:
- Removed unused imports (AsyncMock, MagicMock)
- Fixed line length violation in test_forced_continuation.py
All 15 tests still passing after fixes.
Implement comprehensive test suite for four core quality gates:
- BuildGate: Tests mypy type checking enforcement
- LintGate: Tests ruff linting with warnings as failures
- TestGate: Tests pytest execution requiring 100% pass rate
- CoverageGate: Tests coverage enforcement with 85% minimum
All tests follow TDD methodology - written before implementation.
Total: 36 tests covering success, failure, and edge cases.
Related to #147
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Add comprehensive cost optimization test scenarios and validation report.
Test Scenarios Added (10 new tests):
- Low difficulty assigns to MiniMax/GLM (free agents)
- Medium difficulty assigns to GLM when within capacity
- High difficulty assigns to Opus (only capable agent)
- Oversized issues rejected with actionable error
- Boundary conditions at capacity limits
- Aggregate cost optimization across all scenarios
Results:
- All 33 tests passing (23 existing + 10 new)
- 100% coverage of agent_assignment.py (36/36 statements)
- Cost savings validation: 50%+ in aggregate scenarios
- Real-world projection: 70%+ savings with typical workload
Documentation:
- Created cost-optimization-validation.md with detailed analysis
- Documents cost savings for each scenario
- Validates all acceptance criteria from COORD-006
Completes Phase 2 (M4.1-Coordinator) testing requirements.
Fixes#146
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Implements the Coordinator class with main orchestration loop:
- Async loop architecture with configurable poll interval
- process_queue() method gets next ready issue and spawns agent (stub)
- Graceful shutdown handling with stop() method
- Error handling that allows loop to continue after failures
- Logging for all actions (start, stop, processing, errors)
- Integration with QueueManager from #159
- Active agent tracking for future agent management
Configuration settings added:
- COORDINATOR_POLL_INTERVAL (default: 5.0s)
- COORDINATOR_MAX_CONCURRENT_AGENTS (default: 10)
- COORDINATOR_ENABLED (default: true)
Tests: 27 new tests covering all acceptance criteria
Coverage: 92% overall (100% for coordinator.py)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Capability enum (HIGH, MEDIUM, LOW) for agent difficulty levels
- Add AgentName enum for all 5 agents (opus, sonnet, haiku, glm, minimax)
- Implement AgentProfile data structure with validation
- context_limit: max tokens for context window
- cost_per_mtok: cost per million tokens (0 for self-hosted)
- capabilities: list of difficulty levels the agent handles
- best_for: description of optimal use cases
- Define profiles for all 5 agents with specifications:
- Anthropic models (opus, sonnet, haiku): 200K context, various costs
- Self-hosted models (glm, minimax): 128K context, free
- Implement get_agent_profile() function for profile lookup
- Add comprehensive test suite (37 tests, 100% coverage)
- Profile data structure validation
- All 5 predefined profiles exist and are correct
- Capability enum and AgentName enum tests
- Best_for validation and capability matching
- Consistency checks across profiles
Fixes#144
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Implements ContextMonitor class with real-time token usage tracking:
- COMPACT_THRESHOLD at 0.80 (80% triggers compaction)
- ROTATE_THRESHOLD at 0.95 (95% triggers rotation)
- Poll Claude API for context usage
- Return appropriate ContextAction based on thresholds
- Background monitoring loop (10-second polling)
- Log usage over time
- Error handling and recovery
Added ContextUsage model for tracking agent token consumption.
Tests:
- 25 test cases covering all functionality
- 100% coverage for context_monitor.py and models.py
- Mocked API responses for different usage levels
- Background monitoring and threshold detection
- Error handling verification
Quality gates:
- Type checking: PASS (mypy)
- Linting: PASS (ruff)
- Tests: PASS (25/25)
- Coverage: 100% for new files, 95.43% overall
Fixes#155
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
- Add .dockerignore to exclude node_modules, dist, and build artifacts
- Add pre/post build directory listings to diagnose dist not found issue
- Disable turbo cache temporarily with --force flag
- Add --verbosity=2 for more detailed turbo output
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Docker COPY replaces directory contents, so copying source code
after node_modules was wiping the deps. Reordered to:
1. Copy source code first
2. Copy node_modules second (won't be overwritten)
Fixes API build failure: "dist not found"
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Modules using AuthGuard in their controllers need to import AuthModule
to make AuthService available for dependency injection.
Fixed:
- ActivityModule
- WorkspaceSettingsModule
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Issues fixed:
1. Module not found: Added missing copy of apps/{api,web}/node_modules
which contains pnpm symlinks to the root node_modules
2. Healthcheck syntax: Fixed broken quoting from prettier reformatting
Changed to CMD-SHELL with proper escaping
3. Removed obsolete version: "3.9" from docker-compose.yml
The apps need their own node_modules directories because pnpm uses
symlinks that point from apps/*/node_modules to node_modules/.pnpm/*
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fixed the mismatch between environment variables:
- docker-compose now passes PORT (what NestJS/Next.js read) instead of API_PORT
- API_PORT/WEB_PORT control host mapping, PORT controls container
Changes:
- docker-compose: Pass PORT=${API_PORT} and PORT=${WEB_PORT} to containers
- docker-compose: Dynamic port mapping on both host and container sides
- docker-compose: Traefik labels use ${API_PORT}/${WEB_PORT} variables
- docker-compose: Healthchecks use PORT env var
- Dockerfiles: Removed hardcoded port values
- Dockerfiles: Healthchecks read PORT at runtime
This allows changing ports via API_PORT/WEB_PORT environment variables
and have all components (app, healthcheck, Traefik) use the correct port.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Added cache mounts for:
- pnpm store: Caches downloaded packages between builds
- TurboRepo: Caches build outputs between builds
This significantly speeds up subsequent builds:
- First build: Full download and compile
- Subsequent builds: Only changed packages are re-downloaded/rebuilt
Requires Docker BuildKit (default in Docker 23+).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The production stage was failing because it tried to copy the public
directory which doesn't exist in the source. Added mkdir -p to ensure
the directory exists (even if empty) before the production stage
tries to copy it.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
pnpm stores the Prisma client in the content-addressable store at
node_modules/.pnpm/.../.prisma, not at apps/api/node_modules/.prisma.
The production stage was trying to copy from the wrong location.
Additionally, running `pnpm install --prod` in production failed because:
1. The husky prepare script runs but husky is a devDependency
2. The Prisma client postinstall can't run without the prisma CLI
Fixed by copying the full node_modules from the builder stage, which
already has all dependencies properly installed and the Prisma client
generated in the correct pnpm store location.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The Docker builds were failing because they ran `pnpm build` directly
in the app directories without first building workspace dependencies
(@mosaic/shared, @mosaic/ui). CI passed because it runs TurboRepo
from the root which respects the dependency graph.
Changed both Dockerfiles to use `pnpm turbo build --filter=@mosaic/{app}`
which ensures dependencies are built in the correct order:
- Web: @mosaic/config → @mosaic/shared → @mosaic/ui → @mosaic/web
- API: @mosaic/config → @mosaic/shared → prisma:generate → @mosaic/api
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add genericOAuth plugin to auth.config.ts with Authentik provider
- Fix LoginButton to use /auth/signin/authentik (not /auth/callback/)
- Add production URLs to trustedOrigins
- Update .env.example with correct redirect URI documentation
Redirect URI for Authentik: https://api.mosaicstack.dev/auth/callback/authentik
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add input sanitization to prevent LLM prompt injection
(escapes quotes, backslashes, replaces newlines)
- Add MaxLength(500) validation to DTO to prevent DoS
- Add entity validation to filter malicious LLM responses
- Add confidence validation to clamp values to 0.0-1.0
- Make LLM model configurable via INTENT_CLASSIFICATION_MODEL env var
- Add 12 new security tests (total: 72 tests, from 60)
Security fixes identified by code review:
- CVE-mitigated: Prompt injection via unescaped user input
- CVE-mitigated: Unvalidated entity data from LLM response
- CVE-mitigated: Missing input length validation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement REST API endpoints for managing LLM provider instances.
Changes:
- Created DTOs for provider CRUD operations (CreateLlmProviderDto, UpdateLlmProviderDto, LlmProviderResponseDto)
- Implemented LlmProviderAdminController with full CRUD endpoints:
- GET /llm/admin/providers - List all providers
- GET /llm/admin/providers/:id - Get provider details
- POST /llm/admin/providers - Create new provider
- PATCH /llm/admin/providers/:id - Update provider
- DELETE /llm/admin/providers/:id - Delete provider
- POST /llm/admin/providers/:id/test - Test connection
- POST /llm/admin/reload - Reload from database
- Updated llm-manager.service.ts to support OpenAI and Claude providers
- Added comprehensive test suite with 97.95% coverage
- Proper validation, error handling, and type safety
All tests pass. Pre-commit hooks pass.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement Anthropic Claude provider for Claude Opus, Sonnet, and Haiku models.
Implementation details:
- Created ClaudeProvider class implementing LlmProviderInterface
- Added @anthropic-ai/sdk npm package integration
- Implemented chat completion with streaming support
- Claude-specific message format (system prompt separate from messages)
- Static model list (Claude API doesn't provide list models endpoint)
- Embeddings throw error as Claude doesn't support native embeddings
- Added OpenTelemetry tracing with @TraceLlmCall decorator
- 100% statement, function, and line coverage (79% branch coverage)
Tests:
- Created comprehensive test suite with 20 tests
- All tests follow TDD pattern (written before implementation)
- Tests cover initialization, health checks, chat, streaming, and error handling
- Mocked Anthropic SDK client for isolated unit testing
Quality checks:
- All tests pass (1131 total tests across project)
- ESLint passes with no errors
- TypeScript type checking passes
- Follows existing code patterns from OpenAI and Ollama providers
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement OpenAI provider for GPT-4, GPT-3.5, and other OpenAI models.
Implementation includes:
- OpenAI SDK integration with API key authentication
- Chat completion with streaming support
- Embeddings generation
- Health checks and model listing
- OpenTelemetry tracing
- Comprehensive test suite with 97% coverage
Follows TDD methodology:
- Written tests first (RED phase)
- Implemented minimal code to pass tests (GREEN phase)
- Code passes typecheck, linter, and all quality gates
Test coverage: 97.18% statements, 97.05% lines
All 22 tests passing
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add database-backed quality gate configuration for workspaces with
full CRUD operations and default gate seeding.
Schema:
- Add QualityGate model with workspace relation
- Support for custom commands and regex patterns
- Enable/disable and ordering support
Service:
- CRUD operations for quality gates
- findEnabled: Get ordered, enabled gates
- reorder: Bulk reorder with transaction
- seedDefaults: Seed 4 default gates
- toOrchestratorFormat: Convert to orchestrator interface
Endpoints:
- GET /workspaces/:id/quality-gates - List
- GET /workspaces/:id/quality-gates/:gateId - Get one
- POST /workspaces/:id/quality-gates - Create
- PATCH /workspaces/:id/quality-gates/:gateId - Update
- DELETE /workspaces/:id/quality-gates/:gateId - Delete
- POST /workspaces/:id/quality-gates/reorder
- POST /workspaces/:id/quality-gates/seed-defaults
Default gates: Build, Lint, Test, Coverage (85%)
Tests: 25 passing with 95.16% coverage
Fixes#135
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement MCP Phase 1 infrastructure for agent tool integration with
central hub, tool registry, and STDIO transport layers.
Components:
- McpHubService: Central registry for MCP server lifecycle
- StdioTransport: STDIO process communication with JSON-RPC 2.0
- ToolRegistryService: Tool catalog management
- McpController: REST API for MCP management
Endpoints:
- GET/POST /mcp/servers - List/register servers
- POST /mcp/servers/:id/start|stop - Lifecycle control
- DELETE /mcp/servers/:id - Unregister
- GET /mcp/tools - List tools
- POST /mcp/tools/:name/invoke - Invoke tool
Features:
- Full JSON-RPC 2.0 protocol support
- Process lifecycle management
- Buffered message parsing
- Type-safe with no explicit any types
- Proper cleanup on shutdown
Tests: 85 passing with 90.9% coverage
Fixes#132
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
