- Add validateWebSocketSecurity() to warn when using ws:// in production
- Add connect_error event handler to capture connection failures
- Expose connectionError state to consumers via hook and provider
- Add comprehensive tests for WSS enforcement and error handling
Refs #338
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add error logging for auth check failures in development mode
- Distinguish network/backend errors from normal unauthenticated state
- Expose authError state to UI (network | backend | null)
- Add comprehensive tests for error handling scenarios
Refs #338
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create ComingSoon component for production placeholders
- Federation connections page shows Coming Soon in production
- Workspaces settings page shows Coming Soon in production
- Teams page shows Coming Soon in production
- Add comprehensive tests for environment-based rendering
Refs #338
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace raw fetch() with apiPost/apiPatch/apiDelete in:
- ImportExportActions.tsx: POST for file imports
- KanbanBoard.tsx: PATCH for task status updates
- ActiveProjectsWidget.tsx: POST for widget data fetches
- useLayouts.ts: POST/PATCH/DELETE for layout management
- Add apiPostFormData() method to API client for FormData uploads
- Ensures CSRF token is included in all state-changing requests
- Update tests to mock CSRF token fetch for API client usage
Refs #338
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add federation.config.ts with UUID v4 validation for DEFAULT_WORKSPACE_ID
- Validate at module initialization (fail fast if misconfigured)
- Replace hardcoded "default" fallback with proper validation
- Add 18 tests covering valid UUIDs, invalid formats, and missing values
- Clear error messages with expected UUID format
Refs #338
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Apply restrictive rate limits (10 req/min) to prevent brute-force attacks
- Log requests with path and client IP for monitoring and debugging
- Extract client IP handling for proxy setups (X-Forwarded-For)
- Add comprehensive tests for rate limiting and logging behavior
Refs #338
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace workspace ownership check with explicit SYSTEM_ADMIN_IDS env var
- System admin access is now explicit and configurable via environment
- Workspace owners no longer automatically get system admin privileges
- Add 15 unit tests verifying security separation
- Add SYSTEM_ADMIN_IDS documentation to .env.example
Refs #338
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New package providing CLI tools that work with both Gitea and GitHub:
Commands:
- mosaic-issue-{create,list,view,assign,edit,close,reopen,comment}
- mosaic-pr-{create,list,view,merge,review,close}
- mosaic-milestone-{create,list,close}
Features:
- Auto-detects platform (Gitea vs GitHub) from git remote
- Unified interface regardless of platform
- Available via `pnpm exec mosaic-*` in monorepo context
Updated docs/claude/orchestrator.md:
- Added CLI Tools section with usage examples
- Updated issue creation to use package commands
This makes Mosaic Stack fully self-contained for orchestration tooling.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Log at ERROR level when falling back to in-memory storage
- Track and expose degraded mode status for health checks
- Add isUsingFallback() method to check fallback state
- Add getHealthStatus() method for health check endpoints
- Add comprehensive tests for fallback behavior and health status
Refs #338
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Token now includes HMAC binding to session ID
- Validates session binding on verification
- Adds CSRF_SECRET configuration requirement
- Requires authentication for CSRF token endpoint
- 51 new tests covering session binding security
Security: CSRF tokens are now cryptographically tied to user sessions,
preventing token reuse across sessions and mitigating session fixation
attacks.
Token format: {random_part}:{hmac(random_part + user_id, secret)}
Refs #338
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace console.error with NestJS Logger
- Include entry ID and workspace ID in error context
- Easier to track and debug embedding issues
Refs #338
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Skip client initialization when OPENAI_API_KEY not configured
- Set openai property to null instead of creating with dummy key
- Methods return gracefully when embeddings not available
- Updated tests to verify client is not instantiated without key
Refs #338
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Verify tasks.service includes workspaceId in all queries
- Verify knowledge.service includes workspaceId in all queries
- Verify projects.service includes workspaceId in all queries
- Verify events.service includes workspaceId in all queries
- Add 39 tests covering create, findAll, findOne, update, remove operations
- Document security concern: findAll accepts empty query without workspaceId
- Ensures tenant isolation is maintained at query level
Refs #337
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
QA automation reports in docs/reports/qa-automation/ are ephemeral and
should not be committed. They are cleaned up by the orchestrator after
task completion.
- Nullish coalescing (??) doesn't work with booleans as expected
- When readOnly=false, ?? never evaluates right side (!selectedNode)
- Changed to logical OR (||) for correct disabled state calculation
- Added comprehensive tests verifying the fix:
* readOnly=false with no selection: editing disabled
* readOnly=false with selection: editing enabled
* readOnly=true: editing always disabled
- Removed unused eslint-disable directive
Refs #337
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use OIDC_ISSUER and OIDC_CLIENT_ID from environment for JWT validation
- Federation OIDC properly configured from environment variables
- Fail fast with clear error when OIDC config is missing
- Handle trailing slash normalization for issuer URL
- Add tests verifying env var usage and missing config error handling
Refs #337
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Validate error against allowlist of OAuth error codes
- Unknown errors map to generic message
- Encode all URL parameters
Refs #337
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Created Zod schemas for TaskState, AgentState, and OrchestratorEvent
- Added ValkeyValidationError class for detailed error context
- Validate task and agent state data after JSON.parse
- Validate events in subscribeToEvents handler
- Corrupted/tampered data now rejected with clear errors including:
- Key name for context
- Data snippet (truncated to 100 chars)
- Underlying Zod validation error
- Prevents silent propagation of invalid data (SEC-ORCH-6)
- Added 20 new tests for validation scenarios
Refs #337
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use SCAN with cursor for non-blocking iteration
- Prevents Redis DoS under high key counts
- Same API, safer implementation
Refs #337
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add COORDINATOR_API_KEY config option to orchestrator.config.ts
- Include X-API-Key header in coordinator requests when configured
- Log security warning if COORDINATOR_API_KEY not configured in production
- Log security warning if coordinator URL uses HTTP in production
- Add tests verifying API key inclusion in requests and warning behavior
Refs #337
- Sandbox now enabled by default for security
- Logs prominent warning when explicitly disabled
- Agents run in containers unless SANDBOX_ENABLED=false
Refs #337
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add OIDC_ENABLED environment variable to control OIDC authentication
- Validate required OIDC env vars (OIDC_ISSUER, OIDC_CLIENT_ID, OIDC_CLIENT_SECRET)
are present when OIDC is enabled
- Validate OIDC_ISSUER ends with trailing slash for correct discovery URL
- Throw descriptive error at startup if configuration is invalid
- Skip OIDC plugin registration when OIDC is disabled
- Add comprehensive tests for validation logic (17 test cases)
Refs #337
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
SEC-API-2: WorkspaceGuard now propagates database errors as 500s instead of
returning "access denied". Only Prisma P2025 (record not found) is treated
as "user not a member".
SEC-API-3: PermissionGuard now propagates database errors as 500s instead of
returning null role (which caused permission denied). Only Prisma P2025 is
treated as "not a member".
This prevents connection timeouts, pool exhaustion, and other infrastructure
errors from being misreported to users as authorization failures.
Refs #337
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add scanError field and scannedSuccessfully flag to SecretScanResult
- File read errors no longer falsely report as "clean"
- Callers can distinguish clean files from scan failures
- Update getScanSummary to track filesWithErrors count
- SecretsDetectedError now reports files that couldn't be scanned
- Add tests verifying error handling behavior for file access issues
Refs #337
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add OrchestratorApiKeyGuard to protect agent management endpoints (spawn,
kill, kill-all, status) from unauthorized access. Uses X-API-Key header
with constant-time comparison to prevent timing attacks.
- Create apps/orchestrator/src/common/guards/api-key.guard.ts
- Add comprehensive tests for all guard scenarios
- Apply guard to AgentsController (controller-level protection)
- Document ORCHESTRATOR_API_KEY in .env.example files
- Health endpoints remain unauthenticated for monitoring
Security: Prevents unauthorized users from draining API credits or
killing all agents via unprotected endpoints.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update CLAUDE.md to point to universal orchestrator guide
- Add docs/tasks.md with 28 tasks across 4 phases:
- Phase 1: Critical Security (MS-SEC-001 to MS-SEC-010)
- Phase 2: High Security (MS-HIGH-001 to MS-HIGH-006)
- Phase 3: Code Quality (MS-CQ-001 to MS-CQ-007)
- Phase 4: Test Coverage (MS-TEST-001 to MS-TEST-005)
- Add project-specific task-tracking.md reference
Based on comprehensive codebase review (124 findings).
- Fix CRITICAL: Correct 5 environment variable names to match actual config
(VALKEY_HOST not ORCHESTRATOR_VALKEY_HOST, CLAUDE_API_KEY not ORCHESTRATOR_CLAUDE_API_KEY, etc.)
- Fix CRITICAL: Correct quality gate profiles table to match actual gate-config service
(minimal = tests only, not typecheck+lint; add agent type defaults)
- Fix IMPORTANT: Add missing gateProfile optional field to spawn request docs
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix CRITICAL: Increase single-spawn threshold from 10ms to 50ms (CI flakiness)
- Fix CRITICAL: Replace no-op validation test with real backoff scale tests
- Fix IMPORTANT: Add warmup iterations before all timed measurements
- Fix IMPORTANT: Increase scan position ratio tolerance to 10x for sub-ms noise
- Refactored queue perf tests to use actual service methods (calculateBackoffDelay)
- Helper function to reduce spawn request duplication
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
