mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases 2 Wiki Activity

Compare commits

base: mosaic:HEAD
Branches Tags
mosaic:main mosaic:feat/ms-gate-001-gatekeeper mosaic:chore/ms24-ver-done mosaic:chore/ms24-tasks-correction mosaic:feat/ms24-ci-webhook mosaic:chore/ms24-api-002-task mosaic:chore/ms24-tasks-done mosaic:feat/ms24-queue-ui mosaic:feat/ms24-queue-api mosaic:fix/mission-control-proxy mosaic:fix/mission-control-proxy-routes mosaic:fix/compose-network-alias-consistency mosaic:fix/deploy-missing-env-and-networks mosaic:fix/mission-control-query-provider mosaic:fix/audit-drawer-format mosaic:fix/mission-control-ratelimit mosaic:fix/orchestrator-guard-import mosaic:chore/ms23-v0.0.23-release mosaic:chore/ms23-p4-qa mosaic:test/ms23-p3 mosaic:feat/ms23-p3-openclaw-bridge mosaic:feat/ms23-p3-config-ui mosaic:feat/ms23-p3-openclaw-provider mosaic:test/ms23-p2 mosaic:fix/ms23-p2-main mosaic:feat/ms23-p2-grid mosaic:feat/ms23-p2-audit mosaic:feat/ms23-p2-controls mosaic:feat/ms23-p2-barge mosaic:feat/ms23-p2-killall mosaic:feat/ms23-p2-roster mosaic:feat/ms23-p2-panel mosaic:feat/ms23-p2-page mosaic:test/ms23-p1 mosaic:feat/ms23-p1-proxy mosaic:feat/ms23-p1-provider-api mosaic:feat/ms23-p1-registry mosaic:feat/ms23-p1-internal-provider mosaic:feat/ms23-p1-interface mosaic:chore/ms23-tasks-p0-complete mosaic:test/ms23-p0 mosaic:chore/ms23-tasks-p005-006 mosaic:feat/ms23-p0-tree mosaic:chore/ms23-tasks-p004-005 mosaic:feat/ms23-p0-controls mosaic:chore/ms23-tasks-p0-002-004 mosaic:feat/ms23-p0-stream mosaic:fix/ms23-prisma-rm-symlink mosaic:fix/ms23-prisma-kaniko-symlink mosaic:fix/ms23-prisma-script-path mosaic:fix/ms23-prisma-docker-vs-ci mosaic:fix/ms23-prisma-schema-local mosaic:fix/ms23-prisma-api-pkg mosaic:fix/ms23-prisma-cli mosaic:fix/ms23-orchestrator-prisma-generate mosaic:feat/ms23-p0-ingestion mosaic:chore/tasks-p0-001-done mosaic:feat/ms23-p0-schema mosaic:chore/ms23-bootstrap mosaic:fix/user-agent-auth-module mosaic:fix/agent-template-auth-module mosaic:feat/ms22-p2-discord-router mosaic:test/ms22-p2-agent-tests mosaic:chore/ms22-p2-docs-update mosaic:feat/ms22-p2-agent-ui mosaic:feat/ms22-p2-agent-routing mosaic:chore/ms22-p2-update-docs mosaic:feat/ms22-p2-user-agents mosaic:feat/ms22-p2-agent-crud mosaic:fix/security-audit-multer mosaic:ci/portainer-v2 mosaic:fix/chat-complete mosaic:ci/portainer-deploy mosaic:fix/chat-configmodule mosaic:feature/chat-guest-mode mosaic:fix/ms21-missing-user-auth-migration mosaic:infra/fix-mosaic-db-init-extensions mosaic:infra/migrate-to-openbrain-db mosaic:fix/flaky-queue-test mosaic:fix/deploy-service-names mosaic:fix/deploy-service-update mosaic:fix/deploy-user-v2 mosaic:fix/deploy-user mosaic:feat/ci-auto-deploy mosaic:fix/orchestrator-widget-endpoints mosaic:fix/dashboard-widget-mock-data mosaic:fix/ci-glibc-image mosaic:fix/dockerfile-npmrc mosaic:fix/matrix-native-binary mosaic:fix/kaniko-cache mosaic:fix/base-image-kaniko-v2 mosaic:fix/base-image-kaniko mosaic:feat/custom-base-image mosaic:ci/pnpm-cache mosaic:fix/interceptor-tests mosaic:fix/kanban-tests mosaic:feat/wire-chat mosaic:feat/usage-widget mosaic:fix/security-hardening mosaic:fix/project-domain-v2 mosaic:feat/kanban-add-task mosaic:fix/project-domain-attach mosaic:fix/logs-page-clean mosaic:fix/workspace-members mosaic:fix/ci-lint-632 mosaic:fix/file-manager-tags mosaic:fix/csrf-debug-log mosaic:fix/controller-type-imports mosaic:fix/system-admin-env mosaic:fix/gateway-cors-trusted-origins mosaic:feat/project-detail-page mosaic:fix/fleet-provider-form-dto-v2 mosaic:fix/ms22-audit mosaic:fix/orchestrator-widgets mosaic:fix/fleet-provider-form-dto mosaic:fix/csrf-bearer-bypass mosaic:fix/ms22-missing-authmodule-imports mosaic:fix/container-lifecycle-config-module mosaic:fix/swarm-compose-ms22-vars mosaic:chore/ms22-p1-complete mosaic:feat/ms22-p1h-settings-ui mosaic:feat/ms22-p1f-onboarding-ui mosaic:feat/ms22-p1i-chat-proxy mosaic:feat/ms22-p1k-idle-reaper mosaic:feat/ms22-p1j-docker mosaic:feat/ms22-p1e-onboarding-api mosaic:feat/ms22-p1g-settings-api mosaic:feat/ms22-p1d-container-mgr mosaic:feat/ms22-p1c-config-api mosaic:chore/ms22-prd-tracking mosaic:feat/ms22-p1a-schema mosaic:feat/ms22-p1b-crypto mosaic:chore/ms22-p1-tasks mosaic:docs/ms22-architecture mosaic:feat/ms22-openclaw-docker mosaic:feat/ms22-openclaw-gateway-module mosaic:chore/ms21-complete mosaic:chore/ms21-final-tasks-done mosaic:fix/ms21-ui-001-qa mosaic:test/ms21-ui-tests mosaic:chore/ms21-tasks-sync mosaic:chore/ms22-phase0-complete mosaic:feat/ms22-ingest-clean mosaic:feat/ms21-ui-users-members mosaic:feat/ms22-task-agent mosaic:chore/tasks-final mosaic:chore/tasks-update mosaic:feat/ms21-session-invalidation mosaic:feat/ms21-rbac-settings mosaic:feat/ms21-teams-page mosaic:feat/ms21-users-page mosaic:feat/ms19-terminal-persistence
mosaic:v0.0.24 mosaic:v0.0.23 mosaic:v0.0.22-ms22-p2 mosaic:v0.0.21 mosaic:v0.20.0 mosaic:v0.0.15 mosaic:v0.0.2
..
compare: mosaic:test/ms23-p2
Branches Tags
mosaic:main mosaic:feat/ms-gate-001-gatekeeper mosaic:chore/ms24-ver-done mosaic:chore/ms24-tasks-correction mosaic:feat/ms24-ci-webhook mosaic:chore/ms24-api-002-task mosaic:chore/ms24-tasks-done mosaic:feat/ms24-queue-ui mosaic:feat/ms24-queue-api mosaic:fix/mission-control-proxy mosaic:fix/mission-control-proxy-routes mosaic:fix/compose-network-alias-consistency mosaic:fix/deploy-missing-env-and-networks mosaic:fix/mission-control-query-provider mosaic:fix/audit-drawer-format mosaic:fix/mission-control-ratelimit mosaic:fix/orchestrator-guard-import mosaic:chore/ms23-v0.0.23-release mosaic:chore/ms23-p4-qa mosaic:test/ms23-p3 mosaic:feat/ms23-p3-openclaw-bridge mosaic:feat/ms23-p3-config-ui mosaic:feat/ms23-p3-openclaw-provider mosaic:test/ms23-p2 mosaic:fix/ms23-p2-main mosaic:feat/ms23-p2-grid mosaic:feat/ms23-p2-audit mosaic:feat/ms23-p2-controls mosaic:feat/ms23-p2-barge mosaic:feat/ms23-p2-killall mosaic:feat/ms23-p2-roster mosaic:feat/ms23-p2-panel mosaic:feat/ms23-p2-page mosaic:test/ms23-p1 mosaic:feat/ms23-p1-proxy mosaic:feat/ms23-p1-provider-api mosaic:feat/ms23-p1-registry mosaic:feat/ms23-p1-internal-provider mosaic:feat/ms23-p1-interface mosaic:chore/ms23-tasks-p0-complete mosaic:test/ms23-p0 mosaic:chore/ms23-tasks-p005-006 mosaic:feat/ms23-p0-tree mosaic:chore/ms23-tasks-p004-005 mosaic:feat/ms23-p0-controls mosaic:chore/ms23-tasks-p0-002-004 mosaic:feat/ms23-p0-stream mosaic:fix/ms23-prisma-rm-symlink mosaic:fix/ms23-prisma-kaniko-symlink mosaic:fix/ms23-prisma-script-path mosaic:fix/ms23-prisma-docker-vs-ci mosaic:fix/ms23-prisma-schema-local mosaic:fix/ms23-prisma-api-pkg mosaic:fix/ms23-prisma-cli mosaic:fix/ms23-orchestrator-prisma-generate mosaic:feat/ms23-p0-ingestion mosaic:chore/tasks-p0-001-done mosaic:feat/ms23-p0-schema mosaic:chore/ms23-bootstrap mosaic:fix/user-agent-auth-module mosaic:fix/agent-template-auth-module mosaic:feat/ms22-p2-discord-router mosaic:test/ms22-p2-agent-tests mosaic:chore/ms22-p2-docs-update mosaic:feat/ms22-p2-agent-ui mosaic:feat/ms22-p2-agent-routing mosaic:chore/ms22-p2-update-docs mosaic:feat/ms22-p2-user-agents mosaic:feat/ms22-p2-agent-crud mosaic:fix/security-audit-multer mosaic:ci/portainer-v2 mosaic:fix/chat-complete mosaic:ci/portainer-deploy mosaic:fix/chat-configmodule mosaic:feature/chat-guest-mode mosaic:fix/ms21-missing-user-auth-migration mosaic:infra/fix-mosaic-db-init-extensions mosaic:infra/migrate-to-openbrain-db mosaic:fix/flaky-queue-test mosaic:fix/deploy-service-names mosaic:fix/deploy-service-update mosaic:fix/deploy-user-v2 mosaic:fix/deploy-user mosaic:feat/ci-auto-deploy mosaic:fix/orchestrator-widget-endpoints mosaic:fix/dashboard-widget-mock-data mosaic:fix/ci-glibc-image mosaic:fix/dockerfile-npmrc mosaic:fix/matrix-native-binary mosaic:fix/kaniko-cache mosaic:fix/base-image-kaniko-v2 mosaic:fix/base-image-kaniko mosaic:feat/custom-base-image mosaic:ci/pnpm-cache mosaic:fix/interceptor-tests mosaic:fix/kanban-tests mosaic:feat/wire-chat mosaic:feat/usage-widget mosaic:fix/security-hardening mosaic:fix/project-domain-v2 mosaic:feat/kanban-add-task mosaic:fix/project-domain-attach mosaic:fix/logs-page-clean mosaic:fix/workspace-members mosaic:fix/ci-lint-632 mosaic:fix/file-manager-tags mosaic:fix/csrf-debug-log mosaic:fix/controller-type-imports mosaic:fix/system-admin-env mosaic:fix/gateway-cors-trusted-origins mosaic:feat/project-detail-page mosaic:fix/fleet-provider-form-dto-v2 mosaic:fix/ms22-audit mosaic:fix/orchestrator-widgets mosaic:fix/fleet-provider-form-dto mosaic:fix/csrf-bearer-bypass mosaic:fix/ms22-missing-authmodule-imports mosaic:fix/container-lifecycle-config-module mosaic:fix/swarm-compose-ms22-vars mosaic:chore/ms22-p1-complete mosaic:feat/ms22-p1h-settings-ui mosaic:feat/ms22-p1f-onboarding-ui mosaic:feat/ms22-p1i-chat-proxy mosaic:feat/ms22-p1k-idle-reaper mosaic:feat/ms22-p1j-docker mosaic:feat/ms22-p1e-onboarding-api mosaic:feat/ms22-p1g-settings-api mosaic:feat/ms22-p1d-container-mgr mosaic:feat/ms22-p1c-config-api mosaic:chore/ms22-prd-tracking mosaic:feat/ms22-p1a-schema mosaic:feat/ms22-p1b-crypto mosaic:chore/ms22-p1-tasks mosaic:docs/ms22-architecture mosaic:feat/ms22-openclaw-docker mosaic:feat/ms22-openclaw-gateway-module mosaic:chore/ms21-complete mosaic:chore/ms21-final-tasks-done mosaic:fix/ms21-ui-001-qa mosaic:test/ms21-ui-tests mosaic:chore/ms21-tasks-sync mosaic:chore/ms22-phase0-complete mosaic:feat/ms22-ingest-clean mosaic:feat/ms21-ui-users-members mosaic:feat/ms22-task-agent mosaic:chore/tasks-final mosaic:chore/tasks-update mosaic:feat/ms21-session-invalidation mosaic:feat/ms21-rbac-settings mosaic:feat/ms21-teams-page mosaic:feat/ms21-users-page mosaic:feat/ms19-terminal-persistence
mosaic:v0.0.24 mosaic:v0.0.23 mosaic:v0.0.22-ms22-p2 mosaic:v0.0.21 mosaic:v0.20.0 mosaic:v0.0.15 mosaic:v0.0.2

1 Commits
HEAD ... test/ms23-

Author SHA1 Message Date
Jason Woltje
762277585d test(web): add Mission Control phase 2 test suite
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
2026-03-07 15:38:55 -06:00
87 changed files with 571 additions and 6577 deletions
Expand all files Collapse all files

5
.env.example
View File

@@ -292,11 +292,6 @@ GITEA_REPO_NAME=stack
# Configure in Gitea: Repository Settings → Webhooks → Add Webhook # Configure in Gitea: Repository Settings → Webhooks → Add Webhook
GITEA_WEBHOOK_SECRET=REPLACE_WITH_RANDOM_WEBHOOK_SECRET GITEA_WEBHOOK_SECRET=REPLACE_WITH_RANDOM_WEBHOOK_SECRET
# Gatekeeper merge automation
# Uses the same Gitea host to validate PR webhooks and to merge approved PRs after green CI.
GITEA_API_TOKEN=REPLACE_WITH_GATEKEEPER_GITEA_API_TOKEN
GATEKEEPER_ENABLED=true
# Coordinator API Key (service-to-service authentication) # Coordinator API Key (service-to-service authentication)
# CRITICAL: Generate a random API key with at least 32 characters # CRITICAL: Generate a random API key with at least 32 characters
# Example: openssl rand -base64 32 # Example: openssl rand -base64 32

20
.woodpecker/ci.yml
View File

@@ -271,26 +271,6 @@ steps:
depends_on: depends_on:
- docker-build-orchestrator - docker-build-orchestrator
notify-webhook:
image: curlimages/curl:8.6.0
environment:
MOSAIC_WEBHOOK_URL:
from_secret: mosaic_webhook_url
WOODPECKER_WEBHOOK_SECRET:
from_secret: woodpecker_webhook_secret
commands:
- |
BODY="{\"branch\":\"${CI_COMMIT_BRANCH}\",\"status\":\"${CI_PIPELINE_STATUS}\",\"buildUrl\":\"${CI_PIPELINE_LINK}\",\"repo\":\"${CI_REPO}\",\"prNumber\":${CI_COMMIT_PULL_REQUEST:-null},\"headSha\":\"${CI_COMMIT_SHA}\"}"
SIG=$(echo -n "$BODY" | openssl dgst -sha256 -hmac "$WOODPECKER_WEBHOOK_SECRET" | awk '{print $2}')
curl -s -o /dev/null -w "%{http_code}" -X POST "${MOSAIC_WEBHOOK_URL}/api/webhooks/woodpecker" \
-H "Content-Type: application/json" \
-H "X-Woodpecker-Signature: ${SIG}" \
-d "$BODY" || true
when:
- status: [success, failure]
depends_on:
- build
security-trivy-web: security-trivy-web:
image: aquasec/trivy:latest image: aquasec/trivy:latest
environment: environment:

5
apps/api/.env.example
View File

@@ -24,11 +24,6 @@ ENCRYPTION_KEY=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
# In development, a random key is generated if not set # In development, a random key is generated if not set
CSRF_SECRET=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210 CSRF_SECRET=fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
# Gatekeeper merge automation
GITEA_WEBHOOK_SECRET=replace-with-gitea-webhook-secret
GITEA_API_TOKEN=replace-with-gitea-api-token
GATEKEEPER_ENABLED=true
# OpenTelemetry Configuration # OpenTelemetry Configuration
# Enable/disable OpenTelemetry tracing (default: true) # Enable/disable OpenTelemetry tracing (default: true)
OTEL_ENABLED=true OTEL_ENABLED=true

3
apps/api/package.json
View File

@@ -12,7 +12,7 @@
"lint:fix": "eslint \"src/**/*.ts\" --fix", "lint:fix": "eslint \"src/**/*.ts\" --fix",
"typecheck": "tsc --noEmit", "typecheck": "tsc --noEmit",
"clean": "rm -rf dist", "clean": "rm -rf dist",
"test": "node scripts/vitest-runner.mjs", "test": "vitest run",
"test:watch": "vitest", "test:watch": "vitest",
"test:coverage": "vitest run --coverage", "test:coverage": "vitest run --coverage",
"test:e2e": "vitest run --config ./vitest.e2e.config.ts", "test:e2e": "vitest run --config ./vitest.e2e.config.ts",
@@ -56,7 +56,6 @@
"bcryptjs": "^3.0.3", "bcryptjs": "^3.0.3",
"better-auth": "^1.4.17", "better-auth": "^1.4.17",
"bullmq": "^5.67.2", "bullmq": "^5.67.2",
"chokidar": "^4.0.3",
"class-transformer": "^0.5.1", "class-transformer": "^0.5.1",
"class-validator": "^0.14.3", "class-validator": "^0.14.3",
"cookie-parser": "^1.4.7", "cookie-parser": "^1.4.7",

14
apps/api/prisma/migrations/20260310120000_AddPendingMerges/migration.sql
View File

@@ -1,14 +0,0 @@
CREATE TABLE "pending_merges" (
"id" UUID PRIMARY KEY DEFAULT gen_random_uuid(),
"repo" TEXT NOT NULL,
"pr_number" INTEGER NOT NULL,
"head_sha" TEXT NOT NULL,
"state" TEXT NOT NULL DEFAULT 'pending',
"review_result" JSONB,
"ci_status" TEXT,
"requester" TEXT,
"gitea_merge_url" TEXT,
"created_at" TIMESTAMPTZ NOT NULL DEFAULT NOW(),
"updated_at" TIMESTAMPTZ NOT NULL DEFAULT NOW(),
CONSTRAINT "pending_merges_repo_pr_sha_key" UNIQUE ("repo", "pr_number", "head_sha")
);

17
apps/api/prisma/schema.prisma
View File

@@ -261,23 +261,6 @@ model User {
@@map("users") @@map("users")
} }
model PendingMerge {
id String @id @default(dbgenerated("gen_random_uuid()")) @db.Uuid
repo String
prNumber Int @map("pr_number")
headSha String @map("head_sha")
state String @default("pending")
reviewResult Json? @map("review_result")
ciStatus String? @map("ci_status")
requester String?
giteaMergeUrl String? @map("gitea_merge_url")
createdAt DateTime @default(now()) @map("created_at") @db.Timestamptz
updatedAt DateTime @updatedAt @map("updated_at") @db.Timestamptz
@@unique([repo, prNumber, headSha])
@@map("pending_merges")
}
model UserPreference { model UserPreference {
id String @id @default(uuid()) @db.Uuid id String @id @default(uuid()) @db.Uuid
userId String @unique @map("user_id") @db.Uuid userId String @unique @map("user_id") @db.Uuid

36
apps/api/scripts/vitest-runner.mjs
View File

@@ -1,36 +0,0 @@
import { spawnSync } from "node:child_process";
import { join } from "node:path";
const rawArgs = process.argv.slice(2);
const passthroughArgs = [];
for (let index = 0; index < rawArgs.length; index += 1) {
const arg = rawArgs[index];
if (arg === "--testPathPattern") {
const value = rawArgs[index + 1];
if (value) {
passthroughArgs.push(value);
index += 1;
}
continue;
}
if (arg.startsWith("--testPathPattern=")) {
passthroughArgs.push(arg.slice("--testPathPattern=".length));
continue;
}
passthroughArgs.push(arg);
}
const vitestBin = join(process.cwd(), "node_modules", ".bin", "vitest");
const result = spawnSync(vitestBin, ["run", ...passthroughArgs], {
stdio: "inherit",
});
if (result.error) {
throw result.error;
}
process.exit(result.status ?? 1);

4
apps/api/src/admin/admin.service.spec.ts
View File

@@ -346,9 +346,7 @@ describe("AdminService", () => {
data: { deactivatedAt: expect.any(Date) }, data: { deactivatedAt: expect.any(Date) },
}) })
); );
expect(mockPrismaService.session.deleteMany).toHaveBeenCalledWith({ expect(mockPrismaService.session.deleteMany).toHaveBeenCalledWith({ where: { userId: mockUserId } });
where: { userId: mockUserId },
});
}); });
it("should throw NotFoundException if user does not exist", async () => { it("should throw NotFoundException if user does not exist", async () => {

6
apps/api/src/app.module.ts
View File

@@ -60,10 +60,7 @@ import { ContainerReaperModule } from "./container-reaper/container-reaper.modul
import { FleetSettingsModule } from "./fleet-settings/fleet-settings.module"; import { FleetSettingsModule } from "./fleet-settings/fleet-settings.module";
import { OnboardingModule } from "./onboarding/onboarding.module"; import { OnboardingModule } from "./onboarding/onboarding.module";
import { ChatProxyModule } from "./chat-proxy/chat-proxy.module"; import { ChatProxyModule } from "./chat-proxy/chat-proxy.module";
import { MissionControlProxyModule } from "./mission-control-proxy/mission-control-proxy.module";
import { OrchestratorModule } from "./orchestrator/orchestrator.module"; import { OrchestratorModule } from "./orchestrator/orchestrator.module";
import { QueueNotificationsModule } from "./queue-notifications/queue-notifications.module";
import { GatekeeperModule } from "./gatekeeper/gatekeeper.module";
@Module({ @Module({
imports: [ imports: [
@@ -145,10 +142,7 @@ import { GatekeeperModule } from "./gatekeeper/gatekeeper.module";
FleetSettingsModule, FleetSettingsModule,
OnboardingModule, OnboardingModule,
ChatProxyModule, ChatProxyModule,
MissionControlProxyModule,
OrchestratorModule, OrchestratorModule,
GatekeeperModule,
QueueNotificationsModule,
], ],
controllers: [AppController, CsrfController], controllers: [AppController, CsrfController],
providers: [ providers: [

20
apps/api/src/auth/guards/auth.guard.spec.ts
View File

@@ -211,7 +211,9 @@ describe("AuthGuard", () => {
}); });
await expect(guard.canActivate(context)).rejects.toThrow(UnauthorizedException); await expect(guard.canActivate(context)).rejects.toThrow(UnauthorizedException);
await expect(guard.canActivate(context)).rejects.toThrow("Invalid user data in session"); await expect(guard.canActivate(context)).rejects.toThrow(
"Invalid user data in session"
);
}); });
it("should throw UnauthorizedException when user is missing email", async () => { it("should throw UnauthorizedException when user is missing email", async () => {
@@ -225,7 +227,9 @@ describe("AuthGuard", () => {
}); });
await expect(guard.canActivate(context)).rejects.toThrow(UnauthorizedException); await expect(guard.canActivate(context)).rejects.toThrow(UnauthorizedException);
await expect(guard.canActivate(context)).rejects.toThrow("Invalid user data in session"); await expect(guard.canActivate(context)).rejects.toThrow(
"Invalid user data in session"
);
}); });
it("should throw UnauthorizedException when user is missing name", async () => { it("should throw UnauthorizedException when user is missing name", async () => {
@@ -239,7 +243,9 @@ describe("AuthGuard", () => {
}); });
await expect(guard.canActivate(context)).rejects.toThrow(UnauthorizedException); await expect(guard.canActivate(context)).rejects.toThrow(UnauthorizedException);
await expect(guard.canActivate(context)).rejects.toThrow("Invalid user data in session"); await expect(guard.canActivate(context)).rejects.toThrow(
"Invalid user data in session"
);
}); });
it("should throw UnauthorizedException when user is a string", async () => { it("should throw UnauthorizedException when user is a string", async () => {
@@ -253,7 +259,9 @@ describe("AuthGuard", () => {
}); });
await expect(guard.canActivate(context)).rejects.toThrow(UnauthorizedException); await expect(guard.canActivate(context)).rejects.toThrow(UnauthorizedException);
await expect(guard.canActivate(context)).rejects.toThrow("Invalid user data in session"); await expect(guard.canActivate(context)).rejects.toThrow(
"Invalid user data in session"
);
}); });
it("should reject when user is null (typeof null === 'object' causes TypeError on 'in' operator)", async () => { it("should reject when user is null (typeof null === 'object' causes TypeError on 'in' operator)", async () => {
@@ -269,7 +277,9 @@ describe("AuthGuard", () => {
}); });
await expect(guard.canActivate(context)).rejects.toThrow(TypeError); await expect(guard.canActivate(context)).rejects.toThrow(TypeError);
await expect(guard.canActivate(context)).rejects.not.toBeInstanceOf(UnauthorizedException); await expect(guard.canActivate(context)).rejects.not.toBeInstanceOf(
UnauthorizedException
);
}); });
}); });

16
apps/api/src/coordinator-integration/coordinator-integration.service.spec.ts
View File

@@ -154,7 +154,9 @@ describe("CoordinatorIntegrationService", () => {
// Mock transaction that passes through the callback // Mock transaction that passes through the callback
mockPrismaService.$transaction.mockImplementation(async (callback) => { mockPrismaService.$transaction.mockImplementation(async (callback) => {
const mockTx = { const mockTx = {
$queryRaw: vi.fn().mockResolvedValue([ $queryRaw: vi
.fn()
.mockResolvedValue([
{ {
id: mockJob.id, id: mockJob.id,
status: mockJob.status, status: mockJob.status,
@@ -202,7 +204,9 @@ describe("CoordinatorIntegrationService", () => {
// Mock transaction with completed job // Mock transaction with completed job
mockPrismaService.$transaction.mockImplementation(async (callback) => { mockPrismaService.$transaction.mockImplementation(async (callback) => {
const mockTx = { const mockTx = {
$queryRaw: vi.fn().mockResolvedValue([ $queryRaw: vi
.fn()
.mockResolvedValue([
{ {
id: mockJob.id, id: mockJob.id,
status: RunnerJobStatus.COMPLETED, status: RunnerJobStatus.COMPLETED,
@@ -267,7 +271,9 @@ describe("CoordinatorIntegrationService", () => {
// Mock transaction with running job // Mock transaction with running job
mockPrismaService.$transaction.mockImplementation(async (callback) => { mockPrismaService.$transaction.mockImplementation(async (callback) => {
const mockTx = { const mockTx = {
$queryRaw: vi.fn().mockResolvedValue([ $queryRaw: vi
.fn()
.mockResolvedValue([
{ {
id: mockJob.id, id: mockJob.id,
status: RunnerJobStatus.RUNNING, status: RunnerJobStatus.RUNNING,
@@ -309,7 +315,9 @@ describe("CoordinatorIntegrationService", () => {
// Mock transaction with running job // Mock transaction with running job
mockPrismaService.$transaction.mockImplementation(async (callback) => { mockPrismaService.$transaction.mockImplementation(async (callback) => {
const mockTx = { const mockTx = {
$queryRaw: vi.fn().mockResolvedValue([ $queryRaw: vi
.fn()
.mockResolvedValue([
{ {
id: mockJob.id, id: mockJob.id,
status: RunnerJobStatus.RUNNING, status: RunnerJobStatus.RUNNING,

113
apps/api/src/gatekeeper/dto/gitea-pr-webhook.dto.ts
View File

@@ -1,113 +0,0 @@
import {
IsArray,
IsIn,
IsInt,
IsObject,
IsOptional,
IsString,
MaxLength,
Min,
MinLength,
ValidateNested,
} from "class-validator";
import { Type } from "class-transformer";
class GiteaLabelDto {
@IsString()
@MinLength(1)
@MaxLength(255)
name!: string;
}
class GiteaRepoDto {
@IsString()
@MinLength(1)
@MaxLength(512)
full_name!: string;
}
class GiteaBranchRefDto {
@IsString()
@MinLength(1)
@MaxLength(255)
ref!: string;
}
class GiteaHeadDto {
@IsString()
@MinLength(7)
@MaxLength(128)
sha!: string;
}
class GiteaPullRequestDto {
@IsInt()
@Min(1)
number!: number;
@IsOptional()
@IsString()
body?: string;
@ValidateNested()
@Type(() => GiteaBranchRefDto)
base!: GiteaBranchRefDto;
@ValidateNested()
@Type(() => GiteaHeadDto)
head!: GiteaHeadDto;
@IsArray()
@ValidateNested({ each: true })
@Type(() => GiteaLabelDto)
labels!: GiteaLabelDto[];
@IsOptional()
@IsString()
html_url?: string;
@IsOptional()
@IsString()
url?: string;
}
class GiteaSenderDto {
@IsString()
@MinLength(1)
@MaxLength(255)
login!: string;
}
export class GiteaPrWebhookDto {
@IsString()
@IsIn(["pull_request"])
@MaxLength(64)
type!: string;
@IsString()
@IsIn(["opened", "labeled", "synchronize"])
@MaxLength(64)
action!: "opened" | "labeled" | "synchronize";
@ValidateNested()
@Type(() => GiteaRepoDto)
repository!: GiteaRepoDto;
@ValidateNested()
@Type(() => GiteaPullRequestDto)
pull_request!: GiteaPullRequestDto;
@IsOptional()
@ValidateNested()
@Type(() => GiteaLabelDto)
label?: GiteaLabelDto;
@IsOptional()
@ValidateNested()
@Type(() => GiteaSenderDto)
sender?: GiteaSenderDto;
@IsOptional()
@IsObject()
review_result?: Record<string, unknown>;
}

98
apps/api/src/gatekeeper/gatekeeper.controller.spec.ts
View File

@@ -1,98 +0,0 @@
import { createHmac } from "node:crypto";
import { Logger } from "@nestjs/common";
import { ConfigService } from "@nestjs/config";
import { Test, type TestingModule } from "@nestjs/testing";
import type { Request } from "express";
import { beforeEach, describe, expect, it, vi } from "vitest";
import { GatekeeperController } from "./gatekeeper.controller";
import { GatekeeperService } from "./gatekeeper.service";
describe("GatekeeperController", () => {
let controller: GatekeeperController;
const gatekeeperService = {
handlePrEvent: vi.fn(),
};
const configService = {
get: vi.fn(),
};
const payload = {
type: "pull_request",
action: "labeled",
label: { name: "auto-merge" },
repository: { full_name: "mosaic/stack" },
sender: { login: "jason" },
pull_request: {
number: 7,
body: "ready",
base: { ref: "main" },
head: { sha: "abcdef1234567890" },
labels: [{ name: "auto-merge" }],
},
};
beforeEach(async () => {
vi.clearAllMocks();
configService.get.mockImplementation((key: string) => {
if (key === "GITEA_WEBHOOK_SECRET") {
return "secret";
}
return undefined;
});
gatekeeperService.handlePrEvent.mockResolvedValue(undefined);
const module: TestingModule = await Test.createTestingModule({
controllers: [GatekeeperController],
providers: [
{ provide: GatekeeperService, useValue: gatekeeperService },
{ provide: ConfigService, useValue: configService },
],
}).compile();
controller = module.get(GatekeeperController);
});
it("accepts a valid signature and schedules processing", async () => {
const signature = createHmac("sha256", "secret").update(JSON.stringify(payload)).digest("hex");
await expect(
controller.handleWebhook(
{ rawBody: Buffer.from(JSON.stringify(payload)) } as Request,
payload,
signature
)
).resolves.toEqual({ ok: true });
expect(gatekeeperService.handlePrEvent).toHaveBeenCalledWith(payload);
});
it("ignores invalid signatures", async () => {
const warnSpy = vi.spyOn(Logger.prototype, "warn").mockImplementation(() => undefined);
await expect(controller.handleWebhook({} as Request, payload, "bad")).resolves.toEqual({
ok: true,
});
expect(gatekeeperService.handlePrEvent).not.toHaveBeenCalled();
expect(warnSpy).toHaveBeenCalledWith(
expect.stringContaining("invalid Gitea webhook signature")
);
});
it("accepts requests without validation when no secret is configured", async () => {
const warnSpy = vi.spyOn(Logger.prototype, "warn").mockImplementation(() => undefined);
configService.get.mockReturnValue(undefined);
await expect(controller.handleWebhook({} as Request, payload, "")).resolves.toEqual({
ok: true,
});
expect(gatekeeperService.handlePrEvent).toHaveBeenCalledWith(payload);
expect(warnSpy).toHaveBeenCalledWith(
expect.stringContaining("GITEA_WEBHOOK_SECRET is not configured")
);
});
});

67
apps/api/src/gatekeeper/gatekeeper.controller.ts
View File

@@ -1,67 +0,0 @@
import { Body, Controller, Headers, Logger, Post, Req, type RawBodyRequest } from "@nestjs/common";
import { ConfigService } from "@nestjs/config";
import { createHmac, timingSafeEqual } from "node:crypto";
import type { Request } from "express";
import { SkipCsrf } from "../common/decorators/skip-csrf.decorator";
import { GiteaPrWebhookDto } from "./dto/gitea-pr-webhook.dto";
import { GatekeeperService } from "./gatekeeper.service";
@Controller("gatekeeper/webhook")
export class GatekeeperController {
private readonly logger = new Logger(GatekeeperController.name);
constructor(
private readonly gatekeeperService: GatekeeperService,
private readonly configService: ConfigService
) {}
@SkipCsrf()
@Post("gitea")
handleWebhook(
@Req() req: RawBodyRequest<Request>,
@Body() body: GiteaPrWebhookDto,
@Headers("x-gitea-signature") signature: string | undefined
): Promise<{ ok: boolean }> {
const secret = this.configService.get<string>("GITEA_WEBHOOK_SECRET");
if (secret && !this.isValidSignature(this.getRequestBody(req, body), signature, secret)) {
this.logger.warn("Received invalid Gitea webhook signature");
return Promise.resolve({ ok: true });
}
if (!secret) {
this.logger.warn("GITEA_WEBHOOK_SECRET is not configured; accepting Gitea webhook");
}
void this.gatekeeperService.handlePrEvent(body).catch((error: unknown) => {
const message = error instanceof Error ? error.message : String(error);
this.logger.error(`Failed to process Gitea PR webhook: ${message}`);
});
return Promise.resolve({ ok: true });
}
private getRequestBody(req: RawBodyRequest<Request>, body: GiteaPrWebhookDto): Buffer {
if (Buffer.isBuffer(req.rawBody)) {
return req.rawBody;
}
return Buffer.from(JSON.stringify(body));
}
private isValidSignature(body: Buffer, signature: string | undefined, secret: string): boolean {
if (!signature) {
return false;
}
const expected = createHmac("sha256", secret).update(body).digest("hex");
const actual = Buffer.from(signature);
const expectedBuffer = Buffer.from(expected);
if (actual.length !== expectedBuffer.length) {
return false;
}
return timingSafeEqual(actual, expectedBuffer);
}
}

12
apps/api/src/gatekeeper/gatekeeper.module.ts
View File

@@ -1,12 +0,0 @@
import { Module } from "@nestjs/common";
import { ConfigModule } from "@nestjs/config";
import { GatekeeperController } from "./gatekeeper.controller";
import { GatekeeperService } from "./gatekeeper.service";
@Module({
imports: [ConfigModule],
controllers: [GatekeeperController],
providers: [GatekeeperService],
exports: [GatekeeperService],
})
export class GatekeeperModule {}

199
apps/api/src/gatekeeper/gatekeeper.service.spec.ts
View File

@@ -1,199 +0,0 @@
import { Logger } from "@nestjs/common";
import { ConfigService } from "@nestjs/config";
import { Test, type TestingModule } from "@nestjs/testing";
import { describe, beforeEach, expect, it, vi } from "vitest";
import { PrismaService } from "../prisma/prisma.service";
import type { GiteaPrWebhookDto } from "./dto/gitea-pr-webhook.dto";
import { GatekeeperService } from "./gatekeeper.service";
describe("GatekeeperService", () => {
let service: GatekeeperService;
const prisma = {
pendingMerge: {
upsert: vi.fn(),
update: vi.fn(),
findFirst: vi.fn(),
findUnique: vi.fn(),
},
};
const config = {
get: vi.fn(),
};
const basePayload: GiteaPrWebhookDto = {
type: "pull_request",
action: "labeled",
repository: { full_name: "mosaic/stack" },
label: { name: "auto-merge" },
sender: { login: "jason" },
pull_request: {
number: 42,
body: "Implements Gatekeeper",
base: { ref: "main" },
head: { sha: "abcdef1234567890" },
labels: [{ name: "auto-merge" }],
url: "https://git.mosaicstack.dev/api/v1/repos/mosaic/stack/pulls/42",
html_url: "https://git.mosaicstack.dev/mosaic/stack/pulls/42",
},
};
beforeEach(async () => {
vi.clearAllMocks();
config.get.mockImplementation((key: string) => {
switch (key) {
case "GATEKEEPER_ENABLED":
return "true";
case "GITEA_API_TOKEN":
return "token";
default:
return undefined;
}
});
const module: TestingModule = await Test.createTestingModule({
providers: [
GatekeeperService,
{ provide: PrismaService, useValue: prisma },
{ provide: ConfigService, useValue: config },
],
}).compile();
service = module.get(GatekeeperService);
});
it("moves labeled auto-merge PRs into awaiting_ci when review passes", async () => {
prisma.pendingMerge.upsert.mockResolvedValue({ id: "merge-1" });
prisma.pendingMerge.update.mockResolvedValue({});
await service.handlePrEvent(basePayload);
expect(prisma.pendingMerge.upsert).toHaveBeenCalledWith(
expect.objectContaining({
where: {
repo_prNumber_headSha: {
repo: "mosaic/stack",
prNumber: 42,
headSha: "abcdef1234567890",
},
},
})
);
expect(prisma.pendingMerge.update).toHaveBeenNthCalledWith(
1,
expect.objectContaining({ data: expect.objectContaining({ state: "reviewing" }) })
);
expect(prisma.pendingMerge.update).toHaveBeenNthCalledWith(
2,
expect.objectContaining({
data: expect.objectContaining({
state: "awaiting_ci",
reviewResult: { passed: true, issues: [] },
}),
})
);
});
it("rejects review failures and records the reason", async () => {
prisma.pendingMerge.upsert.mockResolvedValue({ id: "merge-2" });
prisma.pendingMerge.findUnique.mockResolvedValue({
id: "merge-2",
repo: "mosaic/stack",
prNumber: 42,
headSha: "abcdef1234567890",
});
prisma.pendingMerge.update.mockResolvedValue({});
const commentSpy = vi
.spyOn(
service as unknown as {
postPullRequestComment: (repo: string, prNumber: number, body: string) => Promise<void>;
},
"postPullRequestComment"
)
.mockResolvedValue();
await service.handlePrEvent({
...basePayload,
pull_request: {
...basePayload.pull_request,
body: "",
},
});
expect(prisma.pendingMerge.update).toHaveBeenCalledWith(
expect.objectContaining({
where: { id: "merge-2" },
data: {
state: "rejected",
reviewResult: {
passed: false,
issues: ["PR description must not be empty"],
},
},
})
);
expect(commentSpy).toHaveBeenCalledWith(
"mosaic/stack",
42,
expect.stringContaining("PR description must not be empty")
);
});
it("attempts merge on green CI for awaiting_ci records", async () => {
prisma.pendingMerge.findFirst.mockResolvedValue({
id: "merge-3",
repo: "mosaic/stack",
prNumber: 42,
headSha: "abcdef1234567890",
state: "awaiting_ci",
giteaMergeUrl: "https://git.mosaicstack.dev/api/v1/repos/mosaic/stack/pulls/42",
});
prisma.pendingMerge.update.mockResolvedValue({});
const mergeSpy = vi.spyOn(service, "attemptMerge").mockResolvedValue();
await service.handleCiEvent("mosaic/stack", 42, "abcdef1234567890", "success");
expect(prisma.pendingMerge.update).toHaveBeenCalledWith(
expect.objectContaining({
where: { id: "merge-3" },
data: expect.objectContaining({ ciStatus: "success" }),
})
);
expect(mergeSpy).toHaveBeenCalledWith("merge-3");
});
it("rejects failed CI results", async () => {
prisma.pendingMerge.findFirst.mockResolvedValue({
id: "merge-4",
repo: "mosaic/stack",
prNumber: 42,
headSha: "abcdef1234567890",
state: "awaiting_ci",
});
prisma.pendingMerge.update.mockResolvedValue({});
const rejectSpy = vi.spyOn(service, "rejectMerge").mockResolvedValue();
await service.handleCiEvent("mosaic/stack", 42, "abcdef1234567890", "failure");
expect(rejectSpy).toHaveBeenCalledWith("merge-4", "CI reported failure");
});
it("skips all work when Gatekeeper is disabled", async () => {
const warnSpy = vi.spyOn(Logger.prototype, "warn").mockImplementation(() => undefined);
config.get.mockImplementation((key: string) => {
if (key === "GATEKEEPER_ENABLED") {
return "false";
}
return undefined;
});
await service.handlePrEvent(basePayload);
await service.handleCiEvent("mosaic/stack", 42, "abcdef1234567890", "success");
expect(prisma.pendingMerge.upsert).not.toHaveBeenCalled();
expect(prisma.pendingMerge.findFirst).not.toHaveBeenCalled();
expect(warnSpy).toHaveBeenCalledWith(expect.stringContaining("Gatekeeper is disabled"));
});
});

311
apps/api/src/gatekeeper/gatekeeper.service.ts
View File

@@ -1,311 +0,0 @@
import { Injectable, Logger } from "@nestjs/common";
import { ConfigService } from "@nestjs/config";
import { Prisma } from "@prisma/client";
import { PrismaService } from "../prisma/prisma.service";
import type { GiteaPrWebhookDto } from "./dto/gitea-pr-webhook.dto";
export interface ReviewResult {
passed: boolean;
issues: string[];
}
@Injectable()
export class GatekeeperService {
private readonly logger = new Logger(GatekeeperService.name);
private get giteaApiBaseUrl(): string {
return `${this.configService.getOrThrow<string>("GITEA_URL")}/api/v1`;
}
constructor(
private readonly prisma: PrismaService,
private readonly configService: ConfigService
) {}
async handlePrEvent(payload: GiteaPrWebhookDto): Promise<void> {
if (!this.isEnabled()) {
return;
}
if (payload.type !== "pull_request") {
return;
}
const action = payload.action;
const hasAutoMergeLabel = this.hasAutoMergeLabel(payload);
if (!["opened", "labeled", "synchronize"].includes(action)) {
return;
}
if (action === "labeled" && payload.label?.name !== "auto-merge") {
return;
}
const merge = await this.prisma.pendingMerge.upsert({
where: {
repo_prNumber_headSha: {
repo: payload.repository.full_name,
prNumber: payload.pull_request.number,
headSha: payload.pull_request.head.sha,
},
},
create: {
repo: payload.repository.full_name,
prNumber: payload.pull_request.number,
headSha: payload.pull_request.head.sha,
...(payload.sender?.login ? { requester: payload.sender.login } : {}),
giteaMergeUrl:
payload.pull_request.url ??
`${this.giteaApiBaseUrl}/repos/${payload.repository.full_name}/pulls/${String(payload.pull_request.number)}`,
},
update: {
headSha: payload.pull_request.head.sha,
...(payload.sender?.login ? { requester: payload.sender.login } : {}),
giteaMergeUrl:
payload.pull_request.url ??
`${this.giteaApiBaseUrl}/repos/${payload.repository.full_name}/pulls/${String(payload.pull_request.number)}`,
},
});
if (action === "synchronize") {
await this.prisma.pendingMerge.update({
where: { id: merge.id },
data: {
state: hasAutoMergeLabel ? "pending" : "rejected",
ciStatus: null,
reviewResult: Prisma.DbNull,
},
});
if (hasAutoMergeLabel) {
await this.runReview(merge.id, payload);
}
return;
}
if (hasAutoMergeLabel) {
await this.runReview(merge.id, payload);
}
}
async handleCiEvent(
repo: string,
prNumber: number,
headSha: string,
status: "success" | "failure"
): Promise<void> {
if (!this.isEnabled()) {
return;
}
const merge = await this.prisma.pendingMerge.findFirst({
where: {
repo,
prNumber,
headSha,
},
orderBy: {
createdAt: "desc",
},
});
if (!merge) {
this.logger.debug(`No pending merge found for ${repo}#${String(prNumber)} @ ${headSha}`);
return;
}
await this.prisma.pendingMerge.update({
where: { id: merge.id },
data: {
ciStatus: status,
},
});
if (status === "failure") {
await this.rejectMerge(merge.id, "CI reported failure");
return;
}
if (merge.state === "awaiting_ci") {
await this.attemptMerge(merge.id);
}
}
reviewPr(payload: GiteaPrWebhookDto): Promise<ReviewResult> {
const issues: string[] = [];
if (!this.hasAutoMergeLabel(payload)) {
issues.push("PR must have the auto-merge label");
}
if (!payload.pull_request.body?.trim()) {
issues.push("PR description must not be empty");
}
if (payload.pull_request.base.ref !== "main") {
issues.push("PR base branch must be main");
}
if (!/^[0-9a-f]{7,128}$/i.test(payload.pull_request.head.sha)) {
issues.push("PR head SHA must be a valid git commit hash");
}
return Promise.resolve({
passed: issues.length === 0,
issues,
});
}
async attemptMerge(mergeId: string): Promise<void> {
const merge = await this.prisma.pendingMerge.findUnique({
where: { id: mergeId },
});
if (!merge) {
return;
}
const token = this.configService.get<string>("GITEA_API_TOKEN");
if (!token) {
await this.rejectMerge(merge.id, "GITEA_API_TOKEN is not configured");
return;
}
await this.prisma.pendingMerge.update({
where: { id: merge.id },
data: { state: "merging" },
});
const mergeUrl =
merge.giteaMergeUrl ??
`${this.giteaApiBaseUrl}/repos/${merge.repo}/pulls/${String(merge.prNumber)}`;
const response = await fetch(`${mergeUrl}/merge`, {
method: "POST",
headers: {
"Content-Type": "application/json",
Authorization: `token ${token}`,
},
body: JSON.stringify({
Do: "merge",
force_merge: true,
merge_message_field: "Auto-merged by Gatekeeper",
}),
});
if (!response.ok) {
const reason = await response.text();
await this.rejectMerge(
merge.id,
`Gitea merge API rejected the request: ${String(response.status)} ${reason}`
);
return;
}
await this.prisma.pendingMerge.update({
where: { id: merge.id },
data: { state: "merged" },
});
}
async rejectMerge(mergeId: string, reason: string): Promise<void> {
const merge = await this.prisma.pendingMerge.findUnique({
where: { id: mergeId },
});
if (!merge) {
return;
}
await this.prisma.pendingMerge.update({
where: { id: merge.id },
data: {
state: "rejected",
reviewResult: {
passed: false,
issues: [reason],
},
},
});
await this.postPullRequestComment(
merge.repo,
merge.prNumber,
`Gatekeeper rejected auto-merge for \`${merge.headSha}\`: ${reason}`
);
}
private async runReview(mergeId: string, payload: GiteaPrWebhookDto): Promise<void> {
await this.prisma.pendingMerge.update({
where: { id: mergeId },
data: { state: "reviewing" },
});
const result = await this.reviewPr(payload);
if (!result.passed) {
await this.rejectMerge(mergeId, result.issues.join("; "));
return;
}
const reviewResult: Prisma.InputJsonValue = {
passed: result.passed,
issues: result.issues,
};
await this.prisma.pendingMerge.update({
where: { id: mergeId },
data: {
state: "awaiting_ci",
reviewResult,
},
});
}
private hasAutoMergeLabel(payload: GiteaPrWebhookDto): boolean {
return payload.pull_request.labels.some((label) => label.name === "auto-merge");
}
private async postPullRequestComment(
repo: string,
prNumber: number,
body: string
): Promise<void> {
const token = this.configService.get<string>("GITEA_API_TOKEN");
if (!token) {
this.logger.warn(
`Skipping PR comment for ${repo}#${String(prNumber)}; GITEA_API_TOKEN is missing`
);
return;
}
const response = await fetch(
`${this.giteaApiBaseUrl}/repos/${repo}/issues/${String(prNumber)}/comments`,
{
method: "POST",
headers: {
"Content-Type": "application/json",
Authorization: `token ${token}`,
},
body: JSON.stringify({ body }),
}
);
if (!response.ok) {
this.logger.warn(
`Failed to post Gatekeeper PR comment for ${repo}#${String(prNumber)}: ${String(response.status)}`
);
}
}
private isEnabled(): boolean {
const raw = this.configService.get<string>("GATEKEEPER_ENABLED");
const enabled = raw !== "false";
if (!enabled) {
this.logger.warn("Gatekeeper is disabled via GATEKEEPER_ENABLED");
}
return enabled;
}
}

286
apps/api/src/mission-control-proxy/mission-control-proxy.controller.ts
View File

@@ -1,286 +0,0 @@
import {
Body,
Controller,
Get,
Logger,
Param,
Post,
Req,
Res,
ServiceUnavailableException,
UseGuards,
} from "@nestjs/common";
import type { Request, Response } from "express";
import { AuthGuard } from "../auth/guards/auth.guard";
const ORCHESTRATOR_URL_KEY = "ORCHESTRATOR_URL";
const ORCHESTRATOR_API_KEY = "ORCHESTRATOR_API_KEY";
@Controller("mission-control")
@UseGuards(AuthGuard)
export class MissionControlProxyController {
private readonly logger = new Logger(MissionControlProxyController.name);
private readonly orchestratorUrl: string;
private readonly orchestratorApiKey: string;
constructor() {
this.orchestratorUrl = this.requireEnv(ORCHESTRATOR_URL_KEY);
this.orchestratorApiKey = this.requireEnv(ORCHESTRATOR_API_KEY);
}
@Get("sessions")
proxySessions(@Req() req: Request, @Res() res: Response): Promise<void> {
return this.proxyRequest("GET", "sessions", req, res);
}
@Get("sessions/:sessionId")
proxySession(
@Param("sessionId") sessionId: string,
@Req() req: Request,
@Res() res: Response
): Promise<void> {
return this.proxyRequest("GET", `sessions/${sessionId}`, req, res);
}
@Get("sessions/:sessionId/messages")
proxyMessages(
@Param("sessionId") sessionId: string,
@Req() req: Request,
@Res() res: Response
): Promise<void> {
return this.proxyRequest("GET", `sessions/${sessionId}/messages`, req, res);
}
@Get("audit-log")
proxyAuditLog(@Req() req: Request, @Res() res: Response): Promise<void> {
return this.proxyRequest("GET", "audit-log", req, res);
}
@Post("sessions/:sessionId/inject")
proxyInject(
@Param("sessionId") sessionId: string,
@Body() body: unknown,
@Req() req: Request,
@Res() res: Response
): Promise<void> {
return this.proxyRequest("POST", `sessions/${sessionId}/inject`, req, res, body);
}
@Post("sessions/:sessionId/pause")
proxyPause(
@Param("sessionId") sessionId: string,
@Req() req: Request,
@Res() res: Response
): Promise<void> {
return this.proxyRequest("POST", `sessions/${sessionId}/pause`, req, res);
}
@Post("sessions/:sessionId/resume")
proxyResume(
@Param("sessionId") sessionId: string,
@Req() req: Request,
@Res() res: Response
): Promise<void> {
return this.proxyRequest("POST", `sessions/${sessionId}/resume`, req, res);
}
@Post("sessions/:sessionId/kill")
proxyKill(
@Param("sessionId") sessionId: string,
@Body() body: unknown,
@Req() req: Request,
@Res() res: Response
): Promise<void> {
return this.proxyRequest("POST", `sessions/${sessionId}/kill`, req, res, body);
}
@Get("sessions/:sessionId/stream")
async proxySessionStream(
@Param("sessionId") sessionId: string,
@Req() req: Request,
@Res() res: Response
): Promise<void> {
const abortController = new AbortController();
req.once("close", () => {
abortController.abort();
});
try {
const upstream = await this.fetchUpstream(
"GET",
`sessions/${sessionId}/stream`,
req.query,
undefined,
abortController.signal
);
if (!upstream.ok || !upstream.body) {
await this.sendStandardResponse(upstream, res);
return;
}
res.status(upstream.status);
this.copyHeaderIfPresent(upstream, res, "content-type");
this.copyHeaderIfPresent(upstream, res, "cache-control");
this.copyHeaderIfPresent(upstream, res, "connection");
res.setHeader("X-Accel-Buffering", "no");
if (typeof res.flushHeaders === "function") {
res.flushHeaders();
}
for await (const chunk of upstream.body as unknown as AsyncIterable<Uint8Array>) {
if (res.writableEnded || res.destroyed) {
break;
}
res.write(Buffer.from(chunk));
}
if (!res.writableEnded && !res.destroyed) {
res.end();
}
} catch (error: unknown) {
if (this.isAbortError(error)) {
return;
}
const message = error instanceof Error ? error.message : String(error);
this.logger.warn(`Mission Control stream proxy request failed: ${message}`);
if (!res.headersSent) {
res.status(503).json({ message: "Failed to proxy Mission Control request" });
} else if (!res.writableEnded && !res.destroyed) {
res.end();
}
}
}
private async proxyRequest(
method: "GET" | "POST",
path: string,
req: Request,
res: Response,
body?: unknown
): Promise<void> {
const abortController = new AbortController();
req.once("close", () => {
abortController.abort();
});
try {
const upstream = await this.fetchUpstream(
method,
path,
req.query,
body,
abortController.signal
);
await this.sendStandardResponse(upstream, res);
} catch (error: unknown) {
if (this.isAbortError(error)) {
return;
}
this.handleProxyError(error);
}
}
private async fetchUpstream(
method: "GET" | "POST",
path: string,
query: Request["query"],
body: unknown,
signal: AbortSignal
): Promise<globalThis.Response> {
const url = new URL(`/api/mission-control/${path}`, this.orchestratorUrl);
this.appendQueryParams(url.searchParams, query);
const headers: Record<string, string> = {
"X-API-Key": this.orchestratorApiKey,
};
const requestInit: RequestInit = {
method,
headers,
signal,
};
if (method === "POST" && body !== undefined) {
headers["Content-Type"] = "application/json";
requestInit.body = JSON.stringify(body);
}
return fetch(url.toString(), requestInit);
}
private appendQueryParams(searchParams: URLSearchParams, query: Request["query"]): void {
for (const [key, value] of Object.entries(query)) {
this.appendQueryValue(searchParams, key, value);
}
}
private appendQueryValue(searchParams: URLSearchParams, key: string, value: unknown): void {
if (value === undefined || value === null) {
return;
}
if (Array.isArray(value)) {
for (const item of value) {
this.appendQueryValue(searchParams, key, item);
}
return;
}
if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
searchParams.append(key, String(value));
}
}
private async sendStandardResponse(upstream: globalThis.Response, res: Response): Promise<void> {
res.status(upstream.status);
this.copyHeaderIfPresent(upstream, res, "content-type");
this.copyHeaderIfPresent(upstream, res, "cache-control");
this.copyHeaderIfPresent(upstream, res, "location");
const responseText = await upstream.text();
if (responseText.length === 0) {
res.end();
return;
}
res.send(responseText);
}
private copyHeaderIfPresent(
upstream: globalThis.Response,
res: Response,
headerName: string
): void {
const value = upstream.headers.get(headerName);
if (value) {
res.setHeader(headerName, value);
}
}
private handleProxyError(error: unknown): never {
const message = error instanceof Error ? error.message : String(error);
this.logger.warn(`Mission Control proxy request failed: ${message}`);
throw new ServiceUnavailableException("Failed to proxy Mission Control request");
}
private isAbortError(error: unknown): boolean {
return error instanceof Error && error.name === "AbortError";
}
private requireEnv(key: string): string {
const value = process.env[key];
if (typeof value !== "string" || value.trim().length === 0) {
throw new Error(`@mosaic/api: ${key} is required. Set it in your config or via ${key}.`);
}
return value;
}
}

9
apps/api/src/mission-control-proxy/mission-control-proxy.module.ts
View File

@@ -1,9 +0,0 @@
import { Module } from "@nestjs/common";
import { AuthModule } from "../auth/auth.module";
import { MissionControlProxyController } from "./mission-control-proxy.controller";
@Module({
imports: [AuthModule],
controllers: [MissionControlProxyController],
})
export class MissionControlProxyModule {}

120
apps/api/src/queue-notifications/queue-notifications.controller.spec.ts
View File

@@ -1,120 +0,0 @@
import { beforeEach, describe, expect, it, vi } from "vitest";
import { NotFoundException } from "@nestjs/common";
import type { Response } from "express";
import { ConfigService } from "@nestjs/config";
import { Test, type TestingModule } from "@nestjs/testing";
import { QueueNotificationsController } from "./queue-notifications.controller";
import { QueueNotificationsService } from "./queue-notifications.service";
import { ApiKeyGuard } from "../common/guards/api-key.guard";
describe("QueueNotificationsController", () => {
let controller: QueueNotificationsController;
const mockService = {
listNotifications: vi.fn(),
streamNotifications: vi.fn(),
ackNotification: vi.fn(),
listTasks: vi.fn(),
};
const mockConfigService = {
get: vi.fn().mockReturnValue("coordinator-api-key"),
};
beforeEach(async () => {
vi.clearAllMocks();
const module: TestingModule = await Test.createTestingModule({
controllers: [QueueNotificationsController],
providers: [
{ provide: QueueNotificationsService, useValue: mockService },
{ provide: ConfigService, useValue: mockConfigService },
],
})
.overrideGuard(ApiKeyGuard)
.useValue({ canActivate: () => true })
.compile();
controller = module.get<QueueNotificationsController>(QueueNotificationsController);
});
it("returns notification objects", async () => {
mockService.listNotifications.mockResolvedValue([
{
id: "notif-1",
agent: "mosaic",
filename: "notif-1.json",
payload: { type: "task.ready" },
createdAt: new Date("2026-03-08T22:00:00.000Z"),
},
]);
await expect(controller.getNotifications()).resolves.toEqual([
expect.objectContaining({
id: "notif-1",
agent: "mosaic",
filename: "notif-1.json",
payload: { type: "task.ready" },
}),
]);
});
it("streams notifications through the response object", async () => {
const res = {
setHeader: vi.fn(),
flushHeaders: vi.fn(),
write: vi.fn(),
on: vi.fn(),
end: vi.fn(),
} as unknown as Response;
mockService.streamNotifications.mockResolvedValue(undefined);
await controller.streamNotifications(res);
expect(mockService.streamNotifications).toHaveBeenCalledWith(res);
});
it("acks a notification by id", async () => {
mockService.ackNotification.mockResolvedValue({ success: true, id: "notif-2" });
await expect(controller.ackNotification("notif-2")).resolves.toEqual({
success: true,
id: "notif-2",
});
});
it("surfaces ack errors", async () => {
mockService.ackNotification.mockRejectedValue(new NotFoundException("missing"));
await expect(controller.ackNotification("missing")).rejects.toThrow(NotFoundException);
});
it("returns parsed queue tasks", async () => {
mockService.listTasks.mockResolvedValue([
{
id: "task-1",
project: "mosaic-stack",
taskId: "MS24-API-001",
status: "pending",
description: "Build queue notifications module",
},
]);
await expect(controller.getTasks()).resolves.toEqual([
{
id: "task-1",
project: "mosaic-stack",
taskId: "MS24-API-001",
status: "pending",
description: "Build queue notifications module",
},
]);
});
it("uses ApiKeyGuard at the controller level", () => {
const guards = Reflect.getMetadata("__guards__", QueueNotificationsController) as unknown[];
expect(guards).toContain(ApiKeyGuard);
});
});

36
apps/api/src/queue-notifications/queue-notifications.controller.ts
View File

@@ -1,36 +0,0 @@
import { Controller, Get, Param, Post, Res, UseGuards } from "@nestjs/common";
import type { Response } from "express";
import { SkipCsrf } from "../common/decorators/skip-csrf.decorator";
import { ApiKeyGuard } from "../common/guards/api-key.guard";
import {
QueueNotificationsService,
type QueueNotification,
type QueueTask,
} from "./queue-notifications.service";
@Controller("queue")
@UseGuards(ApiKeyGuard)
export class QueueNotificationsController {
constructor(private readonly queueNotificationsService: QueueNotificationsService) {}
@Get("notifications")
async getNotifications(): Promise<QueueNotification[]> {
return this.queueNotificationsService.listNotifications();
}
@Get("notifications/stream")
async streamNotifications(@Res() res: Response): Promise<void> {
await this.queueNotificationsService.streamNotifications(res);
}
@SkipCsrf()
@Post("notifications/:id/ack")
async ackNotification(@Param("id") id: string): Promise<{ success: true; id: string }> {
return this.queueNotificationsService.ackNotification(id);
}
@Get("tasks")
async getTasks(): Promise<QueueTask[]> {
return this.queueNotificationsService.listTasks();
}
}

16
apps/api/src/queue-notifications/queue-notifications.module.ts
View File

@@ -1,16 +0,0 @@
import { Module } from "@nestjs/common";
import { ConfigModule } from "@nestjs/config";
import { AuthModule } from "../auth/auth.module";
import { ApiKeyGuard } from "../common/guards/api-key.guard";
import { GatekeeperModule } from "../gatekeeper/gatekeeper.module";
import { QueueNotificationsController } from "./queue-notifications.controller";
import { QueueNotificationsService } from "./queue-notifications.service";
import { WoodpeckerWebhookController } from "./woodpecker-webhook.controller";
@Module({
imports: [ConfigModule, AuthModule, GatekeeperModule],
controllers: [QueueNotificationsController, WoodpeckerWebhookController],
providers: [QueueNotificationsService, ApiKeyGuard],
exports: [QueueNotificationsService],
})
export class QueueNotificationsModule {}

268
apps/api/src/queue-notifications/queue-notifications.service.spec.ts
View File

@@ -1,268 +0,0 @@
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { ConfigService } from "@nestjs/config";
import { Logger, NotFoundException } from "@nestjs/common";
import { mkdtemp, mkdir, readFile, readdir, rm, writeFile } from "node:fs/promises";
import { tmpdir } from "node:os";
import { join } from "node:path";
import { execFile } from "node:child_process";
import { QueueNotificationsService } from "./queue-notifications.service";
vi.mock("node:child_process", () => ({
execFile: vi.fn(),
}));
describe("QueueNotificationsService", () => {
let service: QueueNotificationsService;
let inboxDir: string;
let agentStateDir: string;
let configService: ConfigService;
beforeEach(async () => {
vi.clearAllMocks();
inboxDir = await mkdtemp(join(tmpdir(), "queue-notifications-"));
agentStateDir = await mkdtemp(join(tmpdir(), "agent-state-"));
configService = {
get: vi.fn((key: string) => {
if (key === "MOSAIC_QUEUE_INBOX_DIR") {
return inboxDir;
}
if (key === "MOSAIC_AGENT_STATE_DIR") {
return agentStateDir;
}
if (key === "MOSAIC_QUEUE_CLI") {
return "/tmp/mosaic-queue-cli.js";
}
return undefined;
}),
} as unknown as ConfigService;
service = new QueueNotificationsService(configService);
});
afterEach(async () => {
vi.restoreAllMocks();
await rm(inboxDir, { recursive: true, force: true });
await rm(agentStateDir, { recursive: true, force: true });
});
describe("onModuleInit", () => {
it("logs a warning when the inbox directory does not exist", async () => {
await rm(inboxDir, { recursive: true, force: true });
const warnSpy = vi.spyOn(Logger.prototype, "warn").mockImplementation(() => undefined);
await service.onModuleInit();
expect(warnSpy).toHaveBeenCalledWith(
expect.stringContaining("Queue notifications inbox directory does not exist")
);
});
});
describe("listNotifications", () => {
it("returns parsed notifications from agent inbox directories", async () => {
await mkdir(join(inboxDir, "mosaic"), { recursive: true });
await mkdir(join(inboxDir, "mosaic", "_acked"), { recursive: true });
await mkdir(join(inboxDir, "sage"), { recursive: true });
await writeFile(
join(inboxDir, "mosaic", "notif-1.json"),
JSON.stringify({ type: "task.ready", taskId: "MS24-API-001" })
);
await writeFile(
join(inboxDir, "mosaic", "_acked", "notif-ignored.json"),
JSON.stringify({ ignored: true })
);
await writeFile(join(inboxDir, "sage", "notif-2.json"), JSON.stringify({ type: "done" }));
const notifications = await service.listNotifications();
expect(notifications).toHaveLength(2);
expect(notifications).toEqual(
expect.arrayContaining([
expect.objectContaining({
id: "notif-1",
agent: "mosaic",
filename: "notif-1.json",
payload: { type: "task.ready", taskId: "MS24-API-001" },
}),
expect.objectContaining({
id: "notif-2",
agent: "sage",
filename: "notif-2.json",
payload: { type: "done" },
}),
])
);
});
it("returns an empty array when the inbox directory is missing", async () => {
await rm(inboxDir, { recursive: true, force: true });
await expect(service.listNotifications()).resolves.toEqual([]);
});
});
describe("ackNotification", () => {
it("executes the queue CLI with node and ack args", async () => {
await mkdir(join(inboxDir, "mosaic"), { recursive: true });
await writeFile(join(inboxDir, "mosaic", "notif-3.json"), JSON.stringify({ ok: true }));
vi.mocked(execFile).mockImplementation(
(
_command: string,
_args: readonly string[],
callback: (error: Error | null, stdout: string, stderr: string) => void
) => callback(null, "acked", "")
);
await expect(service.ackNotification("notif-3")).resolves.toEqual({
success: true,
id: "notif-3",
});
expect(execFile).toHaveBeenCalledWith(
"node",
["/tmp/mosaic-queue-cli.js", "ack", "notif-3"],
expect.any(Function)
);
});
it("throws NotFoundException when the notification does not exist", async () => {
await expect(service.ackNotification("missing")).rejects.toThrow(NotFoundException);
expect(execFile).not.toHaveBeenCalled();
});
});
describe("listTasks", () => {
it("parses tab-separated CLI output", async () => {
vi.mocked(execFile).mockImplementation(
(
_command: string,
_args: readonly string[],
callback: (error: Error | null, stdout: string, stderr: string) => void
) =>
callback(
null,
[
"task-1\tmosaic-stack/MS24-API-001\t[pending]\tBuild queue notifications module",
"task-2\tmosaic-stack/MS24-API-002\t[done]\tWrite tests",
].join("\n"),
""
)
);
await expect(service.listTasks()).resolves.toEqual([
{
id: "task-1",
project: "mosaic-stack",
taskId: "MS24-API-001",
status: "pending",
description: "Build queue notifications module",
},
{
id: "task-2",
project: "mosaic-stack",
taskId: "MS24-API-002",
status: "done",
description: "Write tests",
},
]);
expect(execFile).toHaveBeenCalledWith(
"node",
["/tmp/mosaic-queue-cli.js", "list", "mosaic-stack"],
expect.any(Function)
);
});
});
describe("notifyAgentCiResult", () => {
it("writes one notification per active agent-state record matching the branch", async () => {
await mkdir(join(agentStateDir, "active"), { recursive: true });
await writeFile(
join(agentStateDir, "active", "sage-landing-page.json"),
JSON.stringify({
taskId: "sage-landing-page",
status: "spawned",
startedAt: "2026-03-08T22:47:20Z",
lastUpdated: "2026-03-08T23:15:11.726Z",
agent: "sage",
branch: "feature/landing-page",
description: "Create apps/landing marketing site",
})
);
await writeFile(
join(agentStateDir, "active", "pixels-other.json"),
JSON.stringify({
taskId: "pixels-other",
status: "spawned",
startedAt: "2026-03-08T22:47:20Z",
lastUpdated: "2026-03-08T23:15:11.726Z",
agent: "pixels",
branch: "feature/something-else",
description: "Unrelated",
})
);
await expect(
service.notifyAgentCiResult({
branch: "feature/landing-page",
status: "success",
buildUrl: "https://ci.example/build/123",
repo: "mosaic/stack",
})
).resolves.toEqual({ notified: 1 });
const inboxFiles = await readdir(join(inboxDir, "sage"));
expect(inboxFiles).toHaveLength(1);
const notification = JSON.parse(
await readFile(join(inboxDir, "sage", inboxFiles[0]!), "utf8")
) as Record<string, unknown>;
expect(notification).toMatchObject({
taskId: "sage-landing-page",
event: "completed",
targetAgent: "sage",
fromAgent: "mosaic-api",
retries: 0,
maxRetries: 3,
ttlSeconds: 600,
payload: {
branch: "feature/landing-page",
buildUrl: "https://ci.example/build/123",
repo: "mosaic/stack",
ciStatus: "success",
},
});
expect(typeof notification.id).toBe("string");
expect(typeof notification.createdAt).toBe("string");
});
it("returns zero when no active agent-state branch matches the webhook payload", async () => {
await mkdir(join(agentStateDir, "active"), { recursive: true });
await writeFile(
join(agentStateDir, "active", "mosaic-task.json"),
JSON.stringify({
taskId: "mosaic-task",
status: "spawned",
startedAt: "2026-03-08T22:47:20Z",
lastUpdated: "2026-03-08T23:15:11.726Z",
agent: "mosaic",
branch: "feature/not-this-one",
description: "Unrelated",
})
);
await expect(
service.notifyAgentCiResult({
branch: "feature/landing-page",
status: "failure",
buildUrl: "https://ci.example/build/456",
repo: "mosaic/stack",
})
).resolves.toEqual({ notified: 0 });
});
});
});

341
apps/api/src/queue-notifications/queue-notifications.service.ts
View File

@@ -1,341 +0,0 @@
import {
Injectable,
InternalServerErrorException,
Logger,
NotFoundException,
OnModuleInit,
} from "@nestjs/common";
import { ConfigService } from "@nestjs/config";
import { randomUUID } from "node:crypto";
import { execFile } from "node:child_process";
import { access, mkdir, readdir, readFile, stat, writeFile } from "node:fs/promises";
import { homedir } from "node:os";
import { basename, join } from "node:path";
import type { Response } from "express";
import chokidar from "chokidar";
export interface QueueNotification {
id: string;
agent: string;
filename: string;
payload: unknown;
createdAt: Date;
}
export interface QueueTask {
id: string;
project: string;
taskId: string;
status: string;
description: string;
}
interface AgentStateRecord {
taskId: string;
agent: string;
branch: string;
}
interface AgentCiNotification {
id: string;
taskId: string;
event: "completed" | "failed";
targetAgent: string;
fromAgent: string;
payload: {
branch: string;
buildUrl: string;
repo: string;
ciStatus: "success" | "failure";
};
createdAt: string;
retries: number;
maxRetries: number;
ttlSeconds: number;
}
@Injectable()
export class QueueNotificationsService implements OnModuleInit {
private readonly logger = new Logger(QueueNotificationsService.name);
constructor(private readonly configService: ConfigService) {}
async onModuleInit(): Promise<void> {
if (!(await this.inboxDirExists())) {
this.logger.warn(`Queue notifications inbox directory does not exist: ${this.getInboxDir()}`);
}
}
async listNotifications(): Promise<QueueNotification[]> {
const inboxDir = this.getInboxDir();
if (!(await this.inboxDirExists())) {
return [];
}
// Paths come from controlled config plus directory entries under the inbox root.
// eslint-disable-next-line security/detect-non-literal-fs-filename
const agentEntries = await readdir(inboxDir, { withFileTypes: true });
const notifications: QueueNotification[] = [];
for (const agentEntry of agentEntries) {
if (!agentEntry.isDirectory() || this.isIgnoredDirectory(agentEntry.name)) {
continue;
}
const agentDir = join(inboxDir, agentEntry.name);
// eslint-disable-next-line security/detect-non-literal-fs-filename
const files = await readdir(agentDir, { withFileTypes: true });
for (const fileEntry of files) {
if (!fileEntry.isFile() || !fileEntry.name.endsWith(".json")) {
continue;
}
const filePath = join(agentDir, fileEntry.name);
const [rawPayload, fileStats] = await Promise.all([
// eslint-disable-next-line security/detect-non-literal-fs-filename
readFile(filePath, "utf8"),
// eslint-disable-next-line security/detect-non-literal-fs-filename
stat(filePath),
]);
notifications.push({
id: basename(fileEntry.name, ".json"),
agent: agentEntry.name,
filename: fileEntry.name,
payload: JSON.parse(rawPayload) as unknown,
createdAt: fileStats.birthtime,
});
}
}
return notifications.sort(
(left, right) => right.createdAt.getTime() - left.createdAt.getTime()
);
}
async streamNotifications(res: Response): Promise<void> {
res.setHeader("Content-Type", "text/event-stream");
res.setHeader("Cache-Control", "no-cache");
res.setHeader("Connection", "keep-alive");
res.setHeader("X-Accel-Buffering", "no");
if (typeof res.flushHeaders === "function") {
res.flushHeaders();
}
const emitNotifications = async (): Promise<void> => {
try {
const notifications = await this.listNotifications();
res.write(`data: ${JSON.stringify(notifications)}\n\n`);
} catch (error: unknown) {
const message = error instanceof Error ? error.message : String(error);
res.write(`event: error\n`);
res.write(`data: ${JSON.stringify({ error: message })}\n\n`);
}
};
await emitNotifications();
const watcher = chokidar.watch(this.getInboxDir(), {
ignoreInitial: true,
persistent: true,
ignored: (watchedPath: string) => {
return watchedPath.includes("/_acked/") || watchedPath.includes("/_dead-letter/");
},
});
watcher.on("add", () => {
void emitNotifications();
});
watcher.on("unlink", () => {
void emitNotifications();
});
res.on("close", () => {
void watcher.close();
res.end();
});
}
async ackNotification(id: string): Promise<{ success: true; id: string }> {
const notification = (await this.listNotifications()).find((entry) => entry.id === id);
if (!notification) {
throw new NotFoundException(`Queue notification ${id} not found`);
}
await this.execQueueCli(["ack", notification.id]);
return {
success: true,
id: notification.id,
};
}
async listTasks(): Promise<QueueTask[]> {
const stdout = await this.execQueueCli(["list", "mosaic-stack"]);
return stdout
.split(/\r?\n/)
.map((line) => line.trim())
.filter((line) => line.length > 0)
.map((line) => {
const [rawId = "", projectTaskId = "", rawStatus = "", description = ""] = line.split("\t");
const [project = "", taskId = ""] = projectTaskId.split("/");
return {
id: rawId,
project,
taskId,
status: rawStatus.replace(/^\[/, "").replace(/\]$/, ""),
description,
};
});
}
async notifyAgentCiResult(opts: {
branch: string;
status: "success" | "failure";
buildUrl: string;
repo: string;
}): Promise<{ notified: number }> {
const activeRecords = await this.listActiveAgentStateRecords();
const matches = activeRecords.filter((record) => record.branch === opts.branch);
await Promise.all(
matches.map(async (record) => {
const notification: AgentCiNotification = {
id: randomUUID(),
taskId: record.taskId,
event: opts.status === "success" ? "completed" : "failed",
targetAgent: record.agent,
fromAgent: "mosaic-api",
payload: {
branch: opts.branch,
buildUrl: opts.buildUrl,
repo: opts.repo,
ciStatus: opts.status,
},
createdAt: new Date().toISOString(),
retries: 0,
maxRetries: 3,
ttlSeconds: 600,
};
const agentDir = join(this.getInboxDir(), record.agent);
// Path is built from the configured inbox root plus validated agent-state entries.
// eslint-disable-next-line security/detect-non-literal-fs-filename
await mkdir(agentDir, { recursive: true });
// Path is built from the configured inbox root plus validated agent-state entries.
// eslint-disable-next-line security/detect-non-literal-fs-filename
await writeFile(
join(agentDir, `${notification.id}.json`),
JSON.stringify(notification, null, 2),
"utf8"
);
})
);
return { notified: matches.length };
}
private async execQueueCli(args: string[]): Promise<string> {
const cliPath = this.getQueueCliPath();
return new Promise<string>((resolve, reject) => {
execFile("node", [cliPath, ...args], (error, stdout, stderr) => {
if (error) {
this.logger.error(
`Queue CLI command failed: node ${cliPath} ${args.join(" ")} | ${stderr || error.message}`
);
reject(
new InternalServerErrorException(`Queue CLI command failed: ${stderr || error.message}`)
);
return;
}
resolve(stdout);
});
});
}
private getInboxDir(): string {
return this.expandHomePath(
this.configService.get<string>("MOSAIC_QUEUE_INBOX_DIR") ??
"~/.openclaw/workspace/agent-inbox"
);
}
private getAgentStateDir(): string {
return this.expandHomePath(
this.configService.get<string>("MOSAIC_AGENT_STATE_DIR") ?? "~/.openclaw/workspace/agents"
);
}
private getQueueCliPath(): string {
return this.expandHomePath(
this.configService.get<string>("MOSAIC_QUEUE_CLI") ?? "~/src/mosaic-queue/dist/cli.js"
);
}
private expandHomePath(value: string): string {
if (value === "~") {
return homedir();
}
if (value.startsWith("~/")) {
return join(homedir(), value.slice(2));
}
return value;
}
private async inboxDirExists(): Promise<boolean> {
try {
await access(this.getInboxDir());
return true;
} catch {
return false;
}
}
private isIgnoredDirectory(name: string): boolean {
return name === "_acked" || name === "_dead-letter";
}
private async listActiveAgentStateRecords(): Promise<AgentStateRecord[]> {
const activeDir = join(this.getAgentStateDir(), "active");
try {
// Path comes from controlled config and a fixed "active" subdirectory.
// eslint-disable-next-line security/detect-non-literal-fs-filename
const entries = await readdir(activeDir, { withFileTypes: true });
const records = await Promise.all(
entries
.filter((entry) => entry.isFile() && entry.name.endsWith(".json"))
.map(async (entry) => {
const filePath = join(activeDir, entry.name);
// Path comes from controlled config plus directory entries under the active root.
// eslint-disable-next-line security/detect-non-literal-fs-filename
const rawRecord = await readFile(filePath, "utf8");
return JSON.parse(rawRecord) as AgentStateRecord;
})
);
return records.filter((record) => {
return (
typeof record.taskId === "string" &&
typeof record.agent === "string" &&
typeof record.branch === "string"
);
});
} catch (error: unknown) {
const message = error instanceof Error ? error.message : String(error);
this.logger.warn(`Unable to read active agent-state records from ${activeDir}: ${message}`);
return [];
}
}
}

163
apps/api/src/queue-notifications/woodpecker-webhook.controller.spec.ts
View File

@@ -1,163 +0,0 @@
import { createHmac } from "node:crypto";
import { Logger } from "@nestjs/common";
import { ConfigService } from "@nestjs/config";
import { Test, type TestingModule } from "@nestjs/testing";
import type { Request } from "express";
import { describe, beforeEach, expect, it, vi } from "vitest";
import { GatekeeperService } from "../gatekeeper/gatekeeper.service";
import { QueueNotificationsService } from "./queue-notifications.service";
import {
type WoodpeckerWebhookPayload,
WoodpeckerWebhookController,
} from "./woodpecker-webhook.controller";
function signPayload(payload: WoodpeckerWebhookPayload, secret: string): string {
return createHmac("sha256", secret).update(JSON.stringify(payload)).digest("hex");
}
describe("WoodpeckerWebhookController", () => {
let controller: WoodpeckerWebhookController;
const mockService = {
notifyAgentCiResult: vi.fn(),
};
const mockGatekeeperService = {
handleCiEvent: vi.fn(),
};
const mockConfigService = {
get: vi.fn(),
};
beforeEach(async () => {
vi.clearAllMocks();
mockConfigService.get.mockImplementation((key: string) => {
if (key === "WOODPECKER_WEBHOOK_SECRET") {
return "test-secret";
}
return undefined;
});
const module: TestingModule = await Test.createTestingModule({
controllers: [WoodpeckerWebhookController],
providers: [
{ provide: QueueNotificationsService, useValue: mockService },
{ provide: GatekeeperService, useValue: mockGatekeeperService },
{ provide: ConfigService, useValue: mockConfigService },
],
}).compile();
controller = module.get<WoodpeckerWebhookController>(WoodpeckerWebhookController);
});
it("accepts a valid signature and forwards the payload to the service", async () => {
const payload: WoodpeckerWebhookPayload = {
branch: "feat/ms24-ci-webhook",
status: "success",
buildUrl: "https://ci.example/build/123",
repo: "mosaic/stack",
prNumber: 42,
headSha: "abcdef1234567890",
};
const signature = signPayload(payload, "test-secret");
mockService.notifyAgentCiResult.mockResolvedValue({ notified: 2 });
await expect(
controller.handleWebhook(
{ rawBody: Buffer.from(JSON.stringify(payload)) } as Request,
payload,
signature
)
).resolves.toEqual({ ok: true, notified: 2 });
expect(mockService.notifyAgentCiResult).toHaveBeenCalledWith(payload);
expect(mockGatekeeperService.handleCiEvent).toHaveBeenCalledWith(
"mosaic/stack",
42,
"abcdef1234567890",
"success"
);
});
it("returns ok without notifying when the signature is invalid", async () => {
const warnSpy = vi.spyOn(Logger.prototype, "warn").mockImplementation(() => undefined);
const payload: WoodpeckerWebhookPayload = {
branch: "feat/ms24-ci-webhook",
status: "failure",
buildUrl: "https://ci.example/build/123",
repo: "mosaic/stack",
};
await expect(
controller.handleWebhook(
{ rawBody: Buffer.from(JSON.stringify(payload)) } as Request,
payload,
"bad-signature"
)
).resolves.toEqual({ ok: true, notified: 0 });
expect(mockService.notifyAgentCiResult).not.toHaveBeenCalled();
expect(warnSpy).toHaveBeenCalledWith(
expect.stringContaining("invalid Woodpecker webhook signature")
);
});
it("accepts the payload when the webhook secret is missing", async () => {
const warnSpy = vi.spyOn(Logger.prototype, "warn").mockImplementation(() => undefined);
const payload: WoodpeckerWebhookPayload = {
branch: "feat/ms24-ci-webhook",
status: "success",
buildUrl: "https://ci.example/build/123",
repo: "mosaic/stack",
};
mockConfigService.get.mockReturnValue(undefined);
mockService.notifyAgentCiResult.mockResolvedValue({ notified: 1 });
await expect(controller.handleWebhook({} as Request, payload, "")).resolves.toEqual({
ok: true,
notified: 1,
});
expect(mockService.notifyAgentCiResult).toHaveBeenCalledWith(payload);
expect(warnSpy).toHaveBeenCalledWith(
expect.stringContaining("WOODPECKER_WEBHOOK_SECRET is not configured")
);
});
it("returns zero notifications when no active branch matches", async () => {
const payload: WoodpeckerWebhookPayload = {
branch: "feat/ms24-ci-webhook",
status: "success",
buildUrl: "https://ci.example/build/999",
repo: "mosaic/stack",
};
mockService.notifyAgentCiResult.mockResolvedValue({ notified: 0 });
await expect(
controller.handleWebhook(
{ rawBody: Buffer.from(JSON.stringify(payload)) } as Request,
payload,
signPayload(payload, "test-secret")
)
).resolves.toEqual({ ok: true, notified: 0 });
});
it("does not call Gatekeeper when the PR metadata is missing", async () => {
const payload: WoodpeckerWebhookPayload = {
branch: "feat/ms24-ci-webhook",
status: "success",
buildUrl: "https://ci.example/build/555",
repo: "mosaic/stack",
};
mockService.notifyAgentCiResult.mockResolvedValue({ notified: 1 });
await controller.handleWebhook(
{ rawBody: Buffer.from(JSON.stringify(payload)) } as Request,
payload,
signPayload(payload, "test-secret")
);
expect(mockGatekeeperService.handleCiEvent).not.toHaveBeenCalled();
});
});

90
apps/api/src/queue-notifications/woodpecker-webhook.controller.ts
View File

@@ -1,90 +0,0 @@
import { Body, Controller, Headers, Logger, Post, Req, type RawBodyRequest } from "@nestjs/common";
import { ConfigService } from "@nestjs/config";
import { createHmac, timingSafeEqual } from "node:crypto";
import type { Request } from "express";
import { SkipCsrf } from "../common/decorators/skip-csrf.decorator";
import { GatekeeperService } from "../gatekeeper/gatekeeper.service";
import { QueueNotificationsService } from "./queue-notifications.service";
export interface WoodpeckerWebhookPayload {
branch: string;
status: "success" | "failure";
buildUrl: string;
repo: string;
prNumber?: number;
headSha?: string;
}
@Controller("webhooks")
export class WoodpeckerWebhookController {
private readonly logger = new Logger(WoodpeckerWebhookController.name);
constructor(
private readonly queueService: QueueNotificationsService,
private readonly gatekeeperService: GatekeeperService,
private readonly configService: ConfigService
) {}
@SkipCsrf()
@Post("woodpecker")
async handleWebhook(
@Req() req: RawBodyRequest<Request>,
@Body() body: WoodpeckerWebhookPayload,
@Headers("x-woodpecker-signature") signature: string
): Promise<{ ok: boolean; notified: number }> {
const secret = this.configService.get<string>("WOODPECKER_WEBHOOK_SECRET");
if (!secret) {
this.logger.warn("WOODPECKER_WEBHOOK_SECRET is not configured; accepting Woodpecker webhook");
const result = await this.queueService.notifyAgentCiResult(body);
await this.forwardCiStatusToGatekeeper(body);
return { ok: true, notified: result.notified };
}
if (!this.isValidSignature(this.getRequestBody(req, body), signature, secret)) {
this.logger.warn("Received invalid Woodpecker webhook signature");
return { ok: true, notified: 0 };
}
const result = await this.queueService.notifyAgentCiResult(body);
await this.forwardCiStatusToGatekeeper(body);
return { ok: true, notified: result.notified };
}
private async forwardCiStatusToGatekeeper(body: WoodpeckerWebhookPayload): Promise<void> {
if (typeof body.prNumber === "number" && typeof body.headSha === "string") {
await this.gatekeeperService.handleCiEvent(
body.repo,
body.prNumber,
body.headSha,
body.status
);
}
}
private getRequestBody(req: RawBodyRequest<Request>, body: WoodpeckerWebhookPayload): Buffer {
const rawBody = req.rawBody;
if (Buffer.isBuffer(rawBody)) {
return rawBody;
}
return Buffer.from(JSON.stringify(body));
}
private isValidSignature(body: Buffer, signature: string | undefined, secret: string): boolean {
if (!signature) {
return false;
}
const expected = createHmac("sha256", secret).update(body).digest("hex");
const signatureBuffer = Buffer.from(signature);
const expectedBuffer = Buffer.from(expected);
if (signatureBuffer.length !== expectedBuffer.length) {
return false;
}
return timingSafeEqual(signatureBuffer, expectedBuffer);
}
}

5
apps/orchestrator/package.json
View File

@@ -1,6 +1,6 @@
{ {
"name": "@mosaic/orchestrator", "name": "@mosaic/orchestrator",
"version": "0.0.23", "version": "0.0.20",
"private": true, "private": true,
"scripts": { "scripts": {
"build": "nest build", "build": "nest build",
@@ -22,7 +22,6 @@
"@anthropic-ai/sdk": "^0.72.1", "@anthropic-ai/sdk": "^0.72.1",
"@mosaic/config": "workspace:*", "@mosaic/config": "workspace:*",
"@mosaic/shared": "workspace:*", "@mosaic/shared": "workspace:*",
"@nestjs/axios": "^4.0.1",
"@nestjs/bullmq": "^11.0.4", "@nestjs/bullmq": "^11.0.4",
"@nestjs/common": "^11.1.12", "@nestjs/common": "^11.1.12",
"@nestjs/config": "^4.0.2", "@nestjs/config": "^4.0.2",
@@ -37,7 +36,7 @@
"ioredis": "^5.9.2", "ioredis": "^5.9.2",
"reflect-metadata": "^0.2.2", "reflect-metadata": "^0.2.2",
"rxjs": "^7.8.1", "rxjs": "^7.8.1",
"simple-git": "^3.32.3", "simple-git": "^3.27.0",
"zod": "^3.24.1" "zod": "^3.24.1"
}, },
"devDependencies": { "devDependencies": {

3
apps/orchestrator/src/api/agent-providers/agent-providers.module.ts
View File

@@ -1,13 +1,12 @@
import { Module } from "@nestjs/common"; import { Module } from "@nestjs/common";
import { PrismaModule } from "../../prisma/prisma.module"; import { PrismaModule } from "../../prisma/prisma.module";
import { OrchestratorApiKeyGuard } from "../../common/guards/api-key.guard"; import { OrchestratorApiKeyGuard } from "../../common/guards/api-key.guard";
import { EncryptionService } from "../../security/encryption.service";
import { AgentProvidersController } from "./agent-providers.controller"; import { AgentProvidersController } from "./agent-providers.controller";
import { AgentProvidersService } from "./agent-providers.service"; import { AgentProvidersService } from "./agent-providers.service";
@Module({ @Module({
imports: [PrismaModule], imports: [PrismaModule],
controllers: [AgentProvidersController], controllers: [AgentProvidersController],
providers: [OrchestratorApiKeyGuard, EncryptionService, AgentProvidersService], providers: [OrchestratorApiKeyGuard, AgentProvidersService],
}) })
export class AgentProvidersModule {} export class AgentProvidersModule {}

90
apps/orchestrator/src/api/agent-providers/agent-providers.service.spec.ts
View File

@@ -1,6 +1,5 @@
import { beforeEach, describe, expect, it, vi } from "vitest"; import { beforeEach, describe, expect, it, vi } from "vitest";
import { NotFoundException } from "@nestjs/common"; import { NotFoundException } from "@nestjs/common";
import { EncryptionService } from "../../security/encryption.service";
import { AgentProvidersService } from "./agent-providers.service"; import { AgentProvidersService } from "./agent-providers.service";
import { PrismaService } from "../../prisma/prisma.service"; import { PrismaService } from "../../prisma/prisma.service";
@@ -15,9 +14,6 @@ describe("AgentProvidersService", () => {
delete: ReturnType<typeof vi.fn>; delete: ReturnType<typeof vi.fn>;
}; };
}; };
let encryptionService: {
encryptIfNeeded: ReturnType<typeof vi.fn>;
};
beforeEach(() => { beforeEach(() => {
prisma = { prisma = {
@@ -30,14 +26,7 @@ describe("AgentProvidersService", () => {
}, },
}; };
encryptionService = { service = new AgentProvidersService(prisma as unknown as PrismaService);
encryptIfNeeded: vi.fn((value: string) => `enc:${value}`),
};
service = new AgentProvidersService(
prisma as unknown as PrismaService,
encryptionService as unknown as EncryptionService
);
}); });
it("lists all provider configs", async () => { it("lists all provider configs", async () => {
@@ -122,42 +111,6 @@ describe("AgentProvidersService", () => {
credentials: {}, credentials: {},
}, },
}); });
expect(encryptionService.encryptIfNeeded).not.toHaveBeenCalled();
expect(result).toEqual(created);
});
it("encrypts openclaw token credentials when creating provider config", async () => {
const created = {
id: "cfg-openclaw",
workspaceId: "8bcd7eda-a122-4d6c-adfd-b152f6f75369",
name: "OpenClaw",
provider: "openclaw",
gatewayUrl: "https://openclaw.example.com",
credentials: { apiToken: "enc:top-secret" },
isActive: true,
createdAt: new Date("2026-03-07T18:00:00.000Z"),
updatedAt: new Date("2026-03-07T18:00:00.000Z"),
};
prisma.agentProviderConfig.create.mockResolvedValue(created);
const result = await service.create({
workspaceId: "8bcd7eda-a122-4d6c-adfd-b152f6f75369",
name: "OpenClaw",
provider: "openclaw",
gatewayUrl: "https://openclaw.example.com",
credentials: { apiToken: "top-secret" },
});
expect(encryptionService.encryptIfNeeded).toHaveBeenCalledWith("top-secret");
expect(prisma.agentProviderConfig.create).toHaveBeenCalledWith({
data: {
workspaceId: "8bcd7eda-a122-4d6c-adfd-b152f6f75369",
name: "OpenClaw",
provider: "openclaw",
gatewayUrl: "https://openclaw.example.com",
credentials: { apiToken: "enc:top-secret" },
},
});
expect(result).toEqual(created); expect(result).toEqual(created);
}); });
@@ -203,47 +156,6 @@ describe("AgentProvidersService", () => {
isActive: false, isActive: false,
}, },
}); });
expect(encryptionService.encryptIfNeeded).not.toHaveBeenCalled();
expect(result).toEqual(updated);
});
it("encrypts openclaw token credentials when updating provider config", async () => {
prisma.agentProviderConfig.findUnique.mockResolvedValue({
id: "cfg-openclaw",
workspaceId: "8bcd7eda-a122-4d6c-adfd-b152f6f75369",
name: "OpenClaw",
provider: "openclaw",
gatewayUrl: "https://openclaw.example.com",
credentials: { apiToken: "enc:existing" },
isActive: true,
createdAt: new Date("2026-03-07T18:00:00.000Z"),
updatedAt: new Date("2026-03-07T18:00:00.000Z"),
});
const updated = {
id: "cfg-openclaw",
workspaceId: "8bcd7eda-a122-4d6c-adfd-b152f6f75369",
name: "OpenClaw",
provider: "openclaw",
gatewayUrl: "https://openclaw.example.com",
credentials: { apiToken: "enc:rotated-token" },
isActive: true,
createdAt: new Date("2026-03-07T18:00:00.000Z"),
updatedAt: new Date("2026-03-07T19:00:00.000Z"),
};
prisma.agentProviderConfig.update.mockResolvedValue(updated);
const result = await service.update("cfg-openclaw", {
credentials: { apiToken: "rotated-token" },
});
expect(encryptionService.encryptIfNeeded).toHaveBeenCalledWith("rotated-token");
expect(prisma.agentProviderConfig.update).toHaveBeenCalledWith({
where: { id: "cfg-openclaw" },
data: {
credentials: { apiToken: "enc:rotated-token" },
},
});
expect(result).toEqual(updated); expect(result).toEqual(updated);
}); });

39
apps/orchestrator/src/api/agent-providers/agent-providers.service.ts
View File

@@ -1,19 +1,12 @@
import { Injectable, NotFoundException } from "@nestjs/common"; import { Injectable, NotFoundException } from "@nestjs/common";
import type { AgentProviderConfig, Prisma } from "@prisma/client"; import type { AgentProviderConfig, Prisma } from "@prisma/client";
import { EncryptionService } from "../../security/encryption.service";
import { PrismaService } from "../../prisma/prisma.service"; import { PrismaService } from "../../prisma/prisma.service";
import { CreateAgentProviderDto } from "./dto/create-agent-provider.dto"; import { CreateAgentProviderDto } from "./dto/create-agent-provider.dto";
import { UpdateAgentProviderDto } from "./dto/update-agent-provider.dto"; import { UpdateAgentProviderDto } from "./dto/update-agent-provider.dto";
const OPENCLAW_PROVIDER_TYPE = "openclaw";
const OPENCLAW_TOKEN_KEYS = ["apiToken", "token", "bearerToken"] as const;
@Injectable() @Injectable()
export class AgentProvidersService { export class AgentProvidersService {
constructor( constructor(private readonly prisma: PrismaService) {}
private readonly prisma: PrismaService,
private readonly encryptionService: EncryptionService
) {}
async list(): Promise<AgentProviderConfig[]> { async list(): Promise<AgentProviderConfig[]> {
return this.prisma.agentProviderConfig.findMany({ return this.prisma.agentProviderConfig.findMany({
@@ -34,23 +27,20 @@ export class AgentProvidersService {
} }
async create(dto: CreateAgentProviderDto): Promise<AgentProviderConfig> { async create(dto: CreateAgentProviderDto): Promise<AgentProviderConfig> {
const credentials = this.sanitizeCredentials(dto.provider, dto.credentials ?? {});
return this.prisma.agentProviderConfig.create({ return this.prisma.agentProviderConfig.create({
data: { data: {
workspaceId: dto.workspaceId, workspaceId: dto.workspaceId,
name: dto.name, name: dto.name,
provider: dto.provider, provider: dto.provider,
gatewayUrl: dto.gatewayUrl, gatewayUrl: dto.gatewayUrl,
credentials: this.toJsonValue(credentials), credentials: this.toJsonValue(dto.credentials ?? {}),
...(dto.isActive !== undefined ? { isActive: dto.isActive } : {}), ...(dto.isActive !== undefined ? { isActive: dto.isActive } : {}),
}, },
}); });
} }
async update(id: string, dto: UpdateAgentProviderDto): Promise<AgentProviderConfig> { async update(id: string, dto: UpdateAgentProviderDto): Promise<AgentProviderConfig> {
const existingConfig = await this.getById(id); await this.getById(id);
const provider = dto.provider ?? existingConfig.provider;
const data: Prisma.AgentProviderConfigUpdateInput = { const data: Prisma.AgentProviderConfigUpdateInput = {
...(dto.workspaceId !== undefined ? { workspaceId: dto.workspaceId } : {}), ...(dto.workspaceId !== undefined ? { workspaceId: dto.workspaceId } : {}),
@@ -58,9 +48,7 @@ export class AgentProvidersService {
...(dto.provider !== undefined ? { provider: dto.provider } : {}), ...(dto.provider !== undefined ? { provider: dto.provider } : {}),
...(dto.gatewayUrl !== undefined ? { gatewayUrl: dto.gatewayUrl } : {}), ...(dto.gatewayUrl !== undefined ? { gatewayUrl: dto.gatewayUrl } : {}),
...(dto.isActive !== undefined ? { isActive: dto.isActive } : {}), ...(dto.isActive !== undefined ? { isActive: dto.isActive } : {}),
...(dto.credentials !== undefined ...(dto.credentials !== undefined ? { credentials: this.toJsonValue(dto.credentials) } : {}),
? { credentials: this.toJsonValue(this.sanitizeCredentials(provider, dto.credentials)) }
: {}),
}; };
return this.prisma.agentProviderConfig.update({ return this.prisma.agentProviderConfig.update({
@@ -77,25 +65,6 @@ export class AgentProvidersService {
}); });
} }
private sanitizeCredentials(
provider: string,
credentials: Record<string, unknown>
): Record<string, unknown> {
if (provider.toLowerCase() !== OPENCLAW_PROVIDER_TYPE) {
return credentials;
}
const nextCredentials: Record<string, unknown> = { ...credentials };
for (const key of OPENCLAW_TOKEN_KEYS) {
const tokenValue = nextCredentials[key];
if (typeof tokenValue === "string" && tokenValue.length > 0) {
nextCredentials[key] = this.encryptionService.encryptIfNeeded(tokenValue);
}
}
return nextCredentials;
}
private toJsonValue(value: Record<string, unknown>): Prisma.InputJsonValue { private toJsonValue(value: Record<string, unknown>): Prisma.InputJsonValue {
return value as Prisma.InputJsonValue; return value as Prisma.InputJsonValue;
} }

2
apps/orchestrator/src/api/agents/agents.controller.ts
View File

@@ -146,7 +146,7 @@ export class AgentsController {
* Return recent orchestrator events for non-streaming consumers. * Return recent orchestrator events for non-streaming consumers.
*/ */
@Get("events/recent") @Get("events/recent")
@Throttle({ default: { limit: 1000, ttl: 60000 } }) @Throttle({ status: { limit: 200, ttl: 60000 } })
getRecentEvents(@Query("limit") limit?: string): { getRecentEvents(@Query("limit") limit?: string): {
events: ReturnType<AgentEventsService["getRecentEvents"]>; events: ReturnType<AgentEventsService["getRecentEvents"]>;
} { } {

145
apps/orchestrator/src/api/providers/openclaw/openclaw-sse.bridge.spec.ts
View File

@@ -1,145 +0,0 @@
import type { HttpService } from "@nestjs/axios";
import type { AgentMessage } from "@mosaic/shared";
import { Readable } from "node:stream";
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { OpenClawSseBridge } from "./openclaw-sse.bridge";
describe("OpenClawSseBridge", () => {
let bridge: OpenClawSseBridge;
let httpService: {
axiosRef: {
get: ReturnType<typeof vi.fn>;
};
};
beforeEach(() => {
httpService = {
axiosRef: {
get: vi.fn(),
},
};
bridge = new OpenClawSseBridge(httpService as unknown as HttpService);
});
afterEach(() => {
vi.useRealTimers();
});
it("maps message and status events, and skips heartbeats", async () => {
httpService.axiosRef.get.mockResolvedValue({
data: Readable.from([
'event: message\ndata: {"id":"msg-1","role":"assistant","content":"hello","timestamp":"2026-03-07T16:00:00.000Z"}\n\n',
"event: heartbeat\ndata: {}\n\n",
'event: status\ndata: {"status":"paused","timestamp":"2026-03-07T16:00:01.000Z"}\n\n',
"data: [DONE]\n\n",
]),
});
const messages = await collectMessages(
bridge.streamSession("https://gateway.example.com/", "session-1", {
Authorization: "Bearer test-token",
})
);
expect(httpService.axiosRef.get).toHaveBeenCalledWith(
"https://gateway.example.com/api/sessions/session-1/stream",
{
headers: {
Authorization: "Bearer test-token",
Accept: "text/event-stream",
},
responseType: "stream",
}
);
expect(messages).toHaveLength(2);
expect(messages[0]).toEqual({
id: "msg-1",
sessionId: "session-1",
role: "assistant",
content: "hello",
timestamp: new Date("2026-03-07T16:00:00.000Z"),
});
expect(messages[1]).toEqual({
id: expect.any(String),
sessionId: "session-1",
role: "system",
content: "Session status changed to paused",
timestamp: new Date("2026-03-07T16:00:01.000Z"),
metadata: {
status: "paused",
timestamp: "2026-03-07T16:00:01.000Z",
},
});
});
it("retries after disconnect and resumes streaming", async () => {
vi.useFakeTimers();
httpService.axiosRef.get
.mockResolvedValueOnce({
data: Readable.from([
'event: message\ndata: {"id":"msg-1","content":"first","timestamp":"2026-03-07T16:10:00.000Z"}\n\n',
]),
})
.mockResolvedValueOnce({
data: Readable.from(["data: [DONE]\n\n"]),
});
const consumePromise = collectMessages(
bridge.streamSession("https://gateway.example.com", "session-1", {
Authorization: "Bearer test-token",
})
);
await vi.advanceTimersByTimeAsync(2000);
const messages = await consumePromise;
expect(httpService.axiosRef.get).toHaveBeenCalledTimes(2);
expect(messages).toEqual([
{
id: "msg-1",
sessionId: "session-1",
role: "user",
content: "first",
timestamp: new Date("2026-03-07T16:10:00.000Z"),
},
]);
});
it("throws after exhausting reconnect retries", async () => {
vi.useFakeTimers();
httpService.axiosRef.get.mockRejectedValue(new Error("socket closed"));
const consumePromise = collectMessages(
bridge.streamSession("https://gateway.example.com", "session-1", {
Authorization: "Bearer test-token",
})
);
const rejection = expect(consumePromise).rejects.toThrow(
"Failed to reconnect OpenClaw stream for session session-1 after 5 retries: socket closed"
);
for (let attempt = 0; attempt < 5; attempt += 1) {
await vi.advanceTimersByTimeAsync(2000);
}
await rejection;
expect(httpService.axiosRef.get).toHaveBeenCalledTimes(6);
});
});
async function collectMessages(stream: AsyncIterable<AgentMessage>): Promise<AgentMessage[]> {
const messages: AgentMessage[] = [];
for await (const message of stream) {
messages.push(message);
}
return messages;
}

420
apps/orchestrator/src/api/providers/openclaw/openclaw-sse.bridge.ts
View File

@@ -1,420 +0,0 @@
import { HttpService } from "@nestjs/axios";
import { Injectable } from "@nestjs/common";
import type { AgentMessage, AgentMessageRole } from "@mosaic/shared";
import { randomUUID } from "node:crypto";
const STREAM_RETRY_DELAY_MS = 2000;
const STREAM_MAX_RETRIES = 5;
type JsonRecord = Record<string, unknown>;
type AsyncChunkStream = AsyncIterable<string | Uint8Array | Buffer>;
type ParsedStreamEvent =
| {
type: "message";
message: AgentMessage;
}
| {
type: "done";
};
@Injectable()
export class OpenClawSseBridge {
constructor(private readonly httpService: HttpService) {}
async *streamSession(
baseUrl: string,
sessionId: string,
headers: Record<string, string>
): AsyncIterable<AgentMessage> {
let retryCount = 0;
let lastError: unknown = new Error("OpenClaw stream disconnected");
while (retryCount <= STREAM_MAX_RETRIES) {
try {
const response = await this.httpService.axiosRef.get(
this.buildStreamUrl(baseUrl, sessionId),
{
headers: {
...headers,
Accept: "text/event-stream",
},
responseType: "stream",
}
);
const stream = this.asAsyncChunkStream(response.data);
if (stream === null) {
throw new Error("OpenClaw stream response is not readable");
}
retryCount = 0;
let streamCompleted = false;
for await (const event of this.parseStream(stream, sessionId)) {
if (event.type === "done") {
streamCompleted = true;
break;
}
yield event.message;
}
if (streamCompleted) {
return;
}
lastError = new Error("OpenClaw stream disconnected");
} catch (error) {
lastError = error;
}
if (retryCount >= STREAM_MAX_RETRIES) {
throw new Error(
`Failed to reconnect OpenClaw stream for session ${sessionId} after ${String(STREAM_MAX_RETRIES)} retries: ${this.toErrorMessage(lastError)}`
);
}
retryCount += 1;
await this.delay(STREAM_RETRY_DELAY_MS);
}
}
private async *parseStream(
stream: AsyncChunkStream,
sessionId: string
): AsyncGenerator<ParsedStreamEvent> {
const decoder = new TextDecoder();
let buffer = "";
for await (const chunk of stream) {
const textChunk = typeof chunk === "string" ? chunk : decoder.decode(chunk, { stream: true });
buffer += textChunk.replace(/\r\n/gu, "\n");
const rawEvents = buffer.split("\n\n");
buffer = rawEvents.pop() ?? "";
for (const rawEvent of rawEvents) {
const parsedEvent = this.parseRawEvent(rawEvent);
if (parsedEvent === null) {
continue;
}
if (parsedEvent.data === "[DONE]") {
yield {
type: "done",
};
return;
}
const payload = this.tryParseJson(parsedEvent.data) ?? parsedEvent.data;
const message = this.mapEventToMessage(parsedEvent.type, payload, sessionId);
if (message !== null) {
yield {
type: "message",
message,
};
}
}
}
buffer += decoder.decode();
const trailingEvent = this.parseRawEvent(buffer.trim());
if (trailingEvent === null) {
return;
}
if (trailingEvent.data === "[DONE]") {
yield {
type: "done",
};
return;
}
const payload = this.tryParseJson(trailingEvent.data) ?? trailingEvent.data;
const message = this.mapEventToMessage(trailingEvent.type, payload, sessionId);
if (message !== null) {
yield {
type: "message",
message,
};
}
}
private parseRawEvent(rawEvent: string): { type: string; data: string } | null {
if (rawEvent.trim().length === 0) {
return null;
}
let type = "message";
const dataLines: string[] = [];
for (const line of rawEvent.split("\n")) {
const trimmedLine = line.trimEnd();
if (trimmedLine.length === 0 || trimmedLine.startsWith(":")) {
continue;
}
if (trimmedLine.startsWith("event:")) {
type = trimmedLine.slice(6).trim().toLowerCase();
continue;
}
if (trimmedLine.startsWith("data:")) {
dataLines.push(trimmedLine.slice(5).trimStart());
}
}
if (dataLines.length > 0) {
return {
type,
data: dataLines.join("\n").trim(),
};
}
const trimmedEvent = rawEvent.trim();
if (trimmedEvent.startsWith("{") || trimmedEvent.startsWith("[")) {
return {
type,
data: trimmedEvent,
};
}
return null;
}
private mapEventToMessage(
eventType: string,
payload: unknown,
fallbackSessionId: string
): AgentMessage | null {
switch (eventType) {
case "heartbeat":
return null;
case "status":
return this.toStatusMessage(payload, fallbackSessionId);
case "message":
default:
return this.toAgentMessage(payload, fallbackSessionId);
}
}
private toStatusMessage(value: unknown, sessionId: string): AgentMessage | null {
if (typeof value === "string") {
const status = value.trim();
if (status.length === 0) {
return null;
}
return {
id: randomUUID(),
sessionId,
role: "system",
content: `Session status changed to ${status}`,
timestamp: new Date(),
metadata: {
status,
},
};
}
if (!this.isRecord(value)) {
return null;
}
const status = this.readString(value.status);
if (!status) {
return null;
}
return {
id: randomUUID(),
sessionId,
role: "system",
content: `Session status changed to ${status}`,
timestamp: this.parseDate(value.timestamp ?? value.updatedAt),
metadata: value,
};
}
private toAgentMessage(value: unknown, fallbackSessionId: string): AgentMessage | null {
if (typeof value === "string") {
const content = value.trim();
if (content.length === 0) {
return null;
}
return {
id: randomUUID(),
sessionId: fallbackSessionId,
role: "assistant",
content,
timestamp: new Date(),
};
}
let candidate: JsonRecord | null = null;
if (this.isRecord(value) && this.isRecord(value.message)) {
candidate = value.message;
} else if (this.isRecord(value)) {
candidate = value;
}
if (candidate === null) {
return null;
}
const sessionId = this.readString(candidate.sessionId) ?? fallbackSessionId;
if (!sessionId) {
return null;
}
const content = this.extractMessageContent(
candidate.content ?? candidate.text ?? candidate.message
);
if (content.length === 0) {
return null;
}
const metadata = this.toMetadata(candidate.metadata);
return {
id: this.readString(candidate.id) ?? this.readString(candidate.messageId) ?? randomUUID(),
sessionId,
role: this.toMessageRole(this.readString(candidate.role) ?? this.readString(candidate.type)),
content,
timestamp: this.parseDate(candidate.timestamp ?? candidate.createdAt),
...(metadata !== undefined ? { metadata } : {}),
};
}
private extractMessageContent(content: unknown): string {
if (typeof content === "string") {
return content.trim();
}
if (Array.isArray(content)) {
const parts: string[] = [];
for (const part of content) {
if (typeof part === "string") {
const trimmed = part.trim();
if (trimmed.length > 0) {
parts.push(trimmed);
}
continue;
}
if (!this.isRecord(part)) {
continue;
}
const text = this.readString(part.text) ?? this.readString(part.content);
if (text !== undefined && text.trim().length > 0) {
parts.push(text.trim());
}
}
return parts.join("\n\n").trim();
}
if (this.isRecord(content)) {
const text = this.readString(content.text) ?? this.readString(content.content);
return text?.trim() ?? "";
}
return "";
}
private toMessageRole(role?: string): AgentMessageRole {
switch (role?.toLowerCase()) {
case "assistant":
case "agent":
return "assistant";
case "system":
return "system";
case "tool":
return "tool";
case "operator":
case "user":
default:
return "user";
}
}
private parseDate(value: unknown, fallback = new Date()): Date {
if (value instanceof Date) {
return value;
}
if (typeof value === "string" || typeof value === "number") {
const parsed = new Date(value);
if (!Number.isNaN(parsed.getTime())) {
return parsed;
}
}
return fallback;
}
private toMetadata(value: unknown): Record<string, unknown> | undefined {
if (this.isRecord(value)) {
return value;
}
return undefined;
}
private buildStreamUrl(baseUrl: string, sessionId: string): string {
const normalizedBaseUrl = baseUrl.replace(/\/$/u, "");
return new URL(
`/api/sessions/${encodeURIComponent(sessionId)}/stream`,
`${normalizedBaseUrl}/`
).toString();
}
private tryParseJson(value: string): unknown {
try {
return JSON.parse(value) as unknown;
} catch {
return null;
}
}
private asAsyncChunkStream(value: unknown): AsyncChunkStream | null {
if (value !== null && typeof value === "object" && Symbol.asyncIterator in value) {
return value as AsyncChunkStream;
}
return null;
}
private isRecord(value: unknown): value is JsonRecord {
return typeof value === "object" && value !== null && !Array.isArray(value);
}
private readString(value: unknown): string | undefined {
if (typeof value !== "string") {
return undefined;
}
const trimmed = value.trim();
return trimmed.length > 0 ? trimmed : undefined;
}
private async delay(ms: number): Promise<void> {
await new Promise((resolve) => {
setTimeout(resolve, ms);
});
}
private toErrorMessage(error: unknown): string {
if (error instanceof Error) {
return error.message;
}
return String(error);
}
}

24
apps/orchestrator/src/api/providers/openclaw/openclaw.provider-factory.ts
View File

@@ -1,24 +0,0 @@
import { HttpService } from "@nestjs/axios";
import { Injectable } from "@nestjs/common";
import type { AgentProviderConfig } from "@prisma/client";
import { EncryptionService } from "../../../security/encryption.service";
import { OpenClawSseBridge } from "./openclaw-sse.bridge";
import { OpenClawProvider } from "./openclaw.provider";
@Injectable()
export class OpenClawProviderFactory {
constructor(
private readonly encryptionService: EncryptionService,
private readonly httpService: HttpService,
private readonly openClawSseBridge: OpenClawSseBridge
) {}
createProvider(config: AgentProviderConfig): OpenClawProvider {
return new OpenClawProvider(
config,
this.encryptionService,
this.httpService,
this.openClawSseBridge
);
}
}

183
apps/orchestrator/src/api/providers/openclaw/openclaw.provider.integration.spec.ts
View File

@@ -1,183 +0,0 @@
import type { HttpService } from "@nestjs/axios";
import { ServiceUnavailableException } from "@nestjs/common";
import type { AgentMessage } from "@mosaic/shared";
import type { AgentProviderConfig } from "@prisma/client";
import { Readable } from "node:stream";
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { EncryptionService } from "../../../security/encryption.service";
import { OpenClawSseBridge } from "./openclaw-sse.bridge";
import { OpenClawProvider } from "./openclaw.provider";
describe("Phase 3 gate: OpenClaw provider config registered in DB → provider loaded on boot → sessions returned from /api/mission-control/sessions → inject/pause/kill proxied to gateway", () => {
let provider: OpenClawProvider;
let httpService: {
axiosRef: {
get: ReturnType<typeof vi.fn>;
post: ReturnType<typeof vi.fn>;
};
};
let encryptionService: {
decryptIfNeeded: ReturnType<typeof vi.fn>;
};
const config: AgentProviderConfig = {
id: "cfg-openclaw-1",
workspaceId: "workspace-1",
name: "openclaw-home",
provider: "openclaw",
gatewayUrl: "https://gateway.example.com",
credentials: {
apiToken: "enc:token",
},
isActive: true,
createdAt: new Date("2026-03-07T15:00:00.000Z"),
updatedAt: new Date("2026-03-07T15:00:00.000Z"),
};
beforeEach(() => {
httpService = {
axiosRef: {
get: vi.fn(),
post: vi.fn(),
},
};
encryptionService = {
decryptIfNeeded: vi.fn().mockReturnValue("plain-token"),
};
provider = new OpenClawProvider(
config,
encryptionService as unknown as EncryptionService,
httpService as unknown as HttpService,
new OpenClawSseBridge(httpService as unknown as HttpService)
);
});
afterEach(() => {
vi.useRealTimers();
});
it("maps listSessions from mocked OpenClaw gateway HTTP responses", async () => {
httpService.axiosRef.get.mockResolvedValue({
data: {
sessions: [
{
id: "session-1",
status: "running",
createdAt: "2026-03-07T15:01:00.000Z",
updatedAt: "2026-03-07T15:02:00.000Z",
},
],
total: 1,
},
});
await expect(provider.listSessions()).resolves.toEqual({
sessions: [
{
id: "session-1",
providerId: "openclaw-home",
providerType: "openclaw",
status: "active",
createdAt: new Date("2026-03-07T15:01:00.000Z"),
updatedAt: new Date("2026-03-07T15:02:00.000Z"),
},
],
total: 1,
});
expect(httpService.axiosRef.get).toHaveBeenCalledWith(
"https://gateway.example.com/api/sessions",
{
headers: {
Authorization: "Bearer plain-token",
},
params: {
limit: 50,
},
}
);
});
it("maps streamMessages from mock SSE events into AgentMessage output", async () => {
httpService.axiosRef.get.mockResolvedValue({
data: Readable.from([
'event: message\ndata: {"id":"msg-1","role":"assistant","content":"hello from stream","timestamp":"2026-03-07T15:03:00.000Z"}\n\n',
'event: status\ndata: {"status":"paused","timestamp":"2026-03-07T15:04:00.000Z"}\n\n',
"data: [DONE]\n\n",
]),
});
const messages = await collectMessages(provider.streamMessages("session-1"));
expect(messages).toEqual([
{
id: "msg-1",
sessionId: "session-1",
role: "assistant",
content: "hello from stream",
timestamp: new Date("2026-03-07T15:03:00.000Z"),
},
{
id: expect.any(String),
sessionId: "session-1",
role: "system",
content: "Session status changed to paused",
timestamp: new Date("2026-03-07T15:04:00.000Z"),
metadata: {
status: "paused",
timestamp: "2026-03-07T15:04:00.000Z",
},
},
]);
});
it("handles unavailable gateway errors", async () => {
httpService.axiosRef.get.mockRejectedValue(new Error("gateway unavailable"));
await expect(provider.listSessions()).rejects.toBeInstanceOf(ServiceUnavailableException);
await expect(provider.listSessions()).rejects.toThrow("gateway unavailable");
});
it("handles bad token decryption errors", async () => {
encryptionService.decryptIfNeeded.mockImplementation(() => {
throw new Error("bad token");
});
await expect(provider.listSessions()).rejects.toBeInstanceOf(ServiceUnavailableException);
await expect(provider.listSessions()).rejects.toThrow("Failed to decrypt API token");
});
it("handles malformed SSE stream responses", async () => {
vi.useFakeTimers();
httpService.axiosRef.get.mockResolvedValue({
data: {
malformed: true,
},
});
const streamPromise = collectMessages(provider.streamMessages("session-malformed"));
const rejection = expect(streamPromise).rejects.toThrow(
"OpenClaw provider openclaw-home failed to stream messages for session session-malformed"
);
for (let attempt = 0; attempt < 5; attempt += 1) {
await vi.advanceTimersByTimeAsync(2000);
}
await rejection;
expect(httpService.axiosRef.get).toHaveBeenCalledTimes(6);
});
});
async function collectMessages(stream: AsyncIterable<AgentMessage>): Promise<AgentMessage[]> {
const messages: AgentMessage[] = [];
for await (const message of stream) {
messages.push(message);
}
return messages;
}

271
apps/orchestrator/src/api/providers/openclaw/openclaw.provider.spec.ts
View File

@@ -1,271 +0,0 @@
import type { HttpService } from "@nestjs/axios";
import { ServiceUnavailableException } from "@nestjs/common";
import type { AgentProviderConfig } from "@prisma/client";
import { beforeEach, describe, expect, it, vi } from "vitest";
import { EncryptionService } from "../../../security/encryption.service";
import { OpenClawSseBridge } from "./openclaw-sse.bridge";
import { OpenClawProvider } from "./openclaw.provider";
describe("OpenClawProvider", () => {
let provider: OpenClawProvider;
let httpService: {
axiosRef: {
get: ReturnType<typeof vi.fn>;
post: ReturnType<typeof vi.fn>;
};
};
let encryptionService: {
decryptIfNeeded: ReturnType<typeof vi.fn>;
};
let sseBridge: {
streamSession: ReturnType<typeof vi.fn>;
};
const config: AgentProviderConfig = {
id: "cfg-openclaw-1",
workspaceId: "workspace-1",
name: "openclaw-home",
provider: "openclaw",
gatewayUrl: "https://gateway.example.com/",
credentials: {
apiToken: "enc:token-value",
displayName: "Home OpenClaw",
},
isActive: true,
createdAt: new Date("2026-03-07T15:00:00.000Z"),
updatedAt: new Date("2026-03-07T15:00:00.000Z"),
};
beforeEach(() => {
httpService = {
axiosRef: {
get: vi.fn(),
post: vi.fn(),
},
};
encryptionService = {
decryptIfNeeded: vi.fn().mockReturnValue("plain-token"),
};
sseBridge = {
streamSession: vi.fn(),
};
provider = new OpenClawProvider(
config,
encryptionService as unknown as EncryptionService,
httpService as unknown as HttpService,
sseBridge as unknown as OpenClawSseBridge
);
});
it("maps listSessions from OpenClaw API", async () => {
httpService.axiosRef.get.mockResolvedValue({
data: {
sessions: [
{
id: "session-1",
status: "running",
createdAt: "2026-03-07T15:01:00.000Z",
updatedAt: "2026-03-07T15:02:00.000Z",
},
],
total: 1,
cursor: "next-cursor",
},
});
const result = await provider.listSessions("cursor-1", 25);
expect(httpService.axiosRef.get).toHaveBeenCalledWith(
"https://gateway.example.com/api/sessions",
{
headers: {
Authorization: "Bearer plain-token",
},
params: {
cursor: "cursor-1",
limit: 25,
},
}
);
expect(result).toEqual({
sessions: [
{
id: "session-1",
providerId: "openclaw-home",
providerType: "openclaw",
status: "active",
createdAt: new Date("2026-03-07T15:01:00.000Z"),
updatedAt: new Date("2026-03-07T15:02:00.000Z"),
},
],
total: 1,
cursor: "next-cursor",
});
expect(encryptionService.decryptIfNeeded).toHaveBeenCalledWith("enc:token-value");
});
it("returns null from getSession when OpenClaw returns 404", async () => {
httpService.axiosRef.get.mockRejectedValue({
response: {
status: 404,
},
});
await expect(provider.getSession("missing-session")).resolves.toBeNull();
});
it("maps getMessages response", async () => {
httpService.axiosRef.get.mockResolvedValue({
data: {
messages: [
{
id: "message-1",
sessionId: "session-1",
role: "agent",
content: "hello",
timestamp: "2026-03-07T15:03:00.000Z",
metadata: {
tokens: 128,
},
},
],
},
});
const result = await provider.getMessages("session-1", 20, "before-cursor");
expect(httpService.axiosRef.get).toHaveBeenCalledWith(
"https://gateway.example.com/api/messages",
{
headers: {
Authorization: "Bearer plain-token",
},
params: {
sessionId: "session-1",
limit: 20,
before: "before-cursor",
},
}
);
expect(result).toEqual([
{
id: "message-1",
sessionId: "session-1",
role: "assistant",
content: "hello",
timestamp: new Date("2026-03-07T15:03:00.000Z"),
metadata: {
tokens: 128,
},
},
]);
});
it("maps inject and control endpoints", async () => {
httpService.axiosRef.post
.mockResolvedValueOnce({
data: {
accepted: true,
messageId: "message-2",
},
})
.mockResolvedValueOnce({ data: {} })
.mockResolvedValueOnce({ data: {} })
.mockResolvedValueOnce({ data: {} });
await expect(provider.injectMessage("session-1", "barge in")).resolves.toEqual({
accepted: true,
messageId: "message-2",
});
await provider.pauseSession("session-1");
await provider.resumeSession("session-1");
await provider.killSession("session-1", false);
expect(httpService.axiosRef.post).toHaveBeenNthCalledWith(
1,
"https://gateway.example.com/api/sessions/session-1/inject",
{ content: "barge in" },
{
headers: {
Authorization: "Bearer plain-token",
},
}
);
expect(httpService.axiosRef.post).toHaveBeenNthCalledWith(
2,
"https://gateway.example.com/api/sessions/session-1/pause",
{},
{
headers: {
Authorization: "Bearer plain-token",
},
}
);
expect(httpService.axiosRef.post).toHaveBeenNthCalledWith(
3,
"https://gateway.example.com/api/sessions/session-1/resume",
{},
{
headers: {
Authorization: "Bearer plain-token",
},
}
);
expect(httpService.axiosRef.post).toHaveBeenNthCalledWith(
4,
"https://gateway.example.com/api/sessions/session-1/kill",
{ force: false },
{
headers: {
Authorization: "Bearer plain-token",
},
}
);
});
it("delegates streaming to OpenClawSseBridge", async () => {
const streamedMessage = {
id: "message-stream",
sessionId: "session-stream",
role: "assistant",
content: "stream hello",
timestamp: new Date("2026-03-07T16:00:00.000Z"),
};
sseBridge.streamSession.mockReturnValue(
(async function* () {
yield streamedMessage;
})()
);
const messages: Array<unknown> = [];
for await (const message of provider.streamMessages("session-stream")) {
messages.push(message);
}
expect(sseBridge.streamSession).toHaveBeenCalledWith(
"https://gateway.example.com",
"session-stream",
{
Authorization: "Bearer plain-token",
}
);
expect(messages).toEqual([streamedMessage]);
});
it("throws ServiceUnavailableException for request failures", async () => {
httpService.axiosRef.get.mockRejectedValue(new Error("gateway unreachable"));
await expect(provider.listSessions()).rejects.toBeInstanceOf(ServiceUnavailableException);
});
it("returns false from isAvailable when gateway check fails", async () => {
httpService.axiosRef.get.mockRejectedValue(new Error("gateway unreachable"));
await expect(provider.isAvailable()).resolves.toBe(false);
});
});

613
apps/orchestrator/src/api/providers/openclaw/openclaw.provider.ts
View File

@@ -1,613 +0,0 @@
import { HttpService } from "@nestjs/axios";
import { Injectable, ServiceUnavailableException } from "@nestjs/common";
import type {
AgentMessage,
AgentMessageRole,
AgentSession,
AgentSessionList,
AgentSessionStatus,
IAgentProvider,
InjectResult,
} from "@mosaic/shared";
import type { AgentProviderConfig } from "@prisma/client";
import { randomUUID } from "node:crypto";
import { EncryptionService } from "../../../security/encryption.service";
import { OpenClawSseBridge } from "./openclaw-sse.bridge";
const DEFAULT_SESSION_LIMIT = 50;
const DEFAULT_MESSAGE_LIMIT = 50;
const MAX_MESSAGE_LIMIT = 200;
const OPENCLAW_PROVIDER_TYPE = "openclaw";
const API_TOKEN_KEYS = ["apiToken", "token", "bearerToken"] as const;
const DISPLAY_NAME_KEYS = ["displayName", "label"] as const;
type JsonRecord = Record<string, unknown>;
interface HttpErrorWithResponse {
response?: {
status?: number;
};
}
@Injectable()
export class OpenClawProvider implements IAgentProvider {
readonly providerId: string;
readonly providerType = OPENCLAW_PROVIDER_TYPE;
readonly displayName: string;
constructor(
private readonly config: AgentProviderConfig,
private readonly encryptionService: EncryptionService,
private readonly httpService: HttpService,
private readonly sseBridge: OpenClawSseBridge
) {
this.providerId = this.config.name;
this.displayName = this.resolveDisplayName();
}
validateBaseUrl(): void {
void this.resolveBaseUrl();
}
validateToken(): void {
void this.resolveApiToken();
}
async listSessions(cursor?: string, limit = DEFAULT_SESSION_LIMIT): Promise<AgentSessionList> {
const safeLimit = this.normalizeLimit(limit, DEFAULT_SESSION_LIMIT);
const params: Record<string, number | string> = { limit: safeLimit };
if (typeof cursor === "string" && cursor.length > 0) {
params.cursor = cursor;
}
try {
const response = await this.httpService.axiosRef.get(this.buildUrl("/api/sessions"), {
headers: this.authHeaders(),
params,
});
const page = this.extractSessionPage(response.data);
const sessions = page.records
.map((record) => this.toAgentSession(record))
.filter((session): session is AgentSession => session !== null);
return {
sessions,
total: page.total ?? sessions.length,
...(page.cursor !== undefined ? { cursor: page.cursor } : {}),
};
} catch (error) {
throw this.toServiceUnavailable("list sessions", error);
}
}
async getSession(sessionId: string): Promise<AgentSession | null> {
try {
const response = await this.httpService.axiosRef.get(
this.buildUrl(`/api/sessions/${encodeURIComponent(sessionId)}`),
{
headers: this.authHeaders(),
}
);
const payload = this.unwrapContainer(response.data, ["session", "data"]);
return this.toAgentSession(payload);
} catch (error) {
if (this.getHttpStatus(error) === 404) {
return null;
}
throw this.toServiceUnavailable(`get session ${sessionId}`, error);
}
}
async getMessages(
sessionId: string,
limit = DEFAULT_MESSAGE_LIMIT,
before?: string
): Promise<AgentMessage[]> {
const safeLimit = this.normalizeLimit(limit, DEFAULT_MESSAGE_LIMIT);
const params: Record<string, number | string> = {
sessionId,
limit: safeLimit,
};
if (typeof before === "string" && before.length > 0) {
params.before = before;
}
try {
const response = await this.httpService.axiosRef.get(this.buildUrl("/api/messages"), {
headers: this.authHeaders(),
params,
});
return this.extractMessageRecords(response.data)
.map((record) => this.toAgentMessage(record, sessionId))
.filter((message): message is AgentMessage => message !== null);
} catch (error) {
throw this.toServiceUnavailable(`get messages for session ${sessionId}`, error);
}
}
async injectMessage(sessionId: string, content: string): Promise<InjectResult> {
try {
const response = await this.httpService.axiosRef.post(
this.buildUrl(`/api/sessions/${encodeURIComponent(sessionId)}/inject`),
{ content },
{
headers: this.authHeaders(),
}
);
const payload = this.isRecord(response.data) ? response.data : {};
return {
accepted: typeof payload.accepted === "boolean" ? payload.accepted : true,
...(this.readString(payload.messageId) !== undefined
? { messageId: this.readString(payload.messageId) }
: {}),
};
} catch (error) {
throw this.toServiceUnavailable(`inject message into session ${sessionId}`, error);
}
}
async pauseSession(sessionId: string): Promise<void> {
try {
await this.httpService.axiosRef.post(
this.buildUrl(`/api/sessions/${encodeURIComponent(sessionId)}/pause`),
{},
{
headers: this.authHeaders(),
}
);
} catch (error) {
throw this.toServiceUnavailable(`pause session ${sessionId}`, error);
}
}
async resumeSession(sessionId: string): Promise<void> {
try {
await this.httpService.axiosRef.post(
this.buildUrl(`/api/sessions/${encodeURIComponent(sessionId)}/resume`),
{},
{
headers: this.authHeaders(),
}
);
} catch (error) {
throw this.toServiceUnavailable(`resume session ${sessionId}`, error);
}
}
async killSession(sessionId: string, force = true): Promise<void> {
try {
await this.httpService.axiosRef.post(
this.buildUrl(`/api/sessions/${encodeURIComponent(sessionId)}/kill`),
{ force },
{
headers: this.authHeaders(),
}
);
} catch (error) {
throw this.toServiceUnavailable(`kill session ${sessionId}`, error);
}
}
async *streamMessages(sessionId: string): AsyncIterable<AgentMessage> {
try {
yield* this.sseBridge.streamSession(this.resolveBaseUrl(), sessionId, this.authHeaders());
} catch (error) {
throw this.toServiceUnavailable(`stream messages for session ${sessionId}`, error);
}
}
async isAvailable(): Promise<boolean> {
try {
this.validateBaseUrl();
this.validateToken();
await this.httpService.axiosRef.get(this.buildUrl("/api/sessions"), {
headers: this.authHeaders(),
params: { limit: 1 },
});
return true;
} catch {
return false;
}
}
private extractSessionPage(payload: unknown): {
records: unknown[];
total?: number;
cursor?: string;
} {
if (Array.isArray(payload)) {
return {
records: payload,
total: payload.length,
};
}
if (!this.isRecord(payload)) {
return {
records: [],
};
}
let records: unknown[] = [];
if (Array.isArray(payload.sessions)) {
records = payload.sessions;
} else if (Array.isArray(payload.items)) {
records = payload.items;
} else if (Array.isArray(payload.data)) {
records = payload.data;
}
const total = typeof payload.total === "number" ? payload.total : undefined;
const cursor = this.readString(payload.cursor) ?? this.readString(payload.nextCursor);
return {
records,
total,
...(cursor !== undefined ? { cursor } : {}),
};
}
private extractMessageRecords(payload: unknown): unknown[] {
if (Array.isArray(payload)) {
return payload;
}
if (!this.isRecord(payload)) {
return [];
}
if (Array.isArray(payload.messages)) {
return payload.messages;
}
if (Array.isArray(payload.items)) {
return payload.items;
}
if (Array.isArray(payload.data)) {
return payload.data;
}
return [];
}
private unwrapContainer(payload: unknown, keys: string[]): unknown {
if (!this.isRecord(payload)) {
return payload;
}
for (const key of keys) {
if (key in payload) {
return payload[key];
}
}
return payload;
}
private toAgentSession(record: unknown): AgentSession | null {
if (!this.isRecord(record)) {
return null;
}
const id =
this.readString(record.id) ??
this.readString(record.sessionId) ??
this.readString(record.key);
if (!id) {
return null;
}
const createdAt = this.parseDate(record.createdAt ?? record.spawnedAt ?? record.startedAt);
const updatedAt = this.parseDate(
record.updatedAt ?? record.completedAt ?? record.lastActivityAt ?? record.endedAt,
createdAt
);
const label =
this.readString(record.label) ??
this.readString(record.title) ??
this.readString(record.name) ??
undefined;
const parentSessionId = this.readString(record.parentSessionId) ?? undefined;
const metadata = this.toMetadata(record.metadata);
return {
id,
providerId: this.providerId,
providerType: this.providerType,
...(label !== undefined ? { label } : {}),
status: this.toSessionStatus(this.readString(record.status)),
...(parentSessionId !== undefined ? { parentSessionId } : {}),
createdAt,
updatedAt,
...(metadata !== undefined ? { metadata } : {}),
};
}
private toAgentMessage(value: unknown, fallbackSessionId?: string): AgentMessage | null {
if (typeof value === "string") {
const content = value.trim();
if (content.length === 0 || fallbackSessionId === undefined) {
return null;
}
return {
id: randomUUID(),
sessionId: fallbackSessionId,
role: "assistant",
content,
timestamp: new Date(),
};
}
let candidate: JsonRecord | null = null;
if (this.isRecord(value) && this.isRecord(value.message)) {
candidate = value.message;
} else if (this.isRecord(value)) {
candidate = value;
}
if (candidate === null) {
return null;
}
const sessionId = this.readString(candidate.sessionId) ?? fallbackSessionId;
if (!sessionId) {
return null;
}
const content = this.extractMessageContent(
candidate.content ?? candidate.text ?? candidate.message
);
if (content.length === 0) {
return null;
}
const metadata = this.toMetadata(candidate.metadata);
return {
id: this.readString(candidate.id) ?? this.readString(candidate.messageId) ?? randomUUID(),
sessionId,
role: this.toMessageRole(this.readString(candidate.role) ?? this.readString(candidate.type)),
content,
timestamp: this.parseDate(candidate.timestamp ?? candidate.createdAt),
...(metadata !== undefined ? { metadata } : {}),
};
}
private extractMessageContent(content: unknown): string {
if (typeof content === "string") {
return content.trim();
}
if (Array.isArray(content)) {
const parts: string[] = [];
for (const part of content) {
if (typeof part === "string") {
const trimmed = part.trim();
if (trimmed.length > 0) {
parts.push(trimmed);
}
continue;
}
if (!this.isRecord(part)) {
continue;
}
const text = this.readString(part.text) ?? this.readString(part.content);
if (text !== undefined && text.trim().length > 0) {
parts.push(text.trim());
}
}
return parts.join("\n\n").trim();
}
if (this.isRecord(content)) {
const text = this.readString(content.text) ?? this.readString(content.content);
return text?.trim() ?? "";
}
return "";
}
private toSessionStatus(status?: string): AgentSessionStatus {
switch (status?.toLowerCase()) {
case "active":
case "running":
return "active";
case "paused":
return "paused";
case "completed":
case "done":
case "succeeded":
return "completed";
case "failed":
case "error":
case "killed":
case "terminated":
case "cancelled":
return "failed";
case "idle":
case "pending":
case "queued":
default:
return "idle";
}
}
private toMessageRole(role?: string): AgentMessageRole {
switch (role?.toLowerCase()) {
case "assistant":
case "agent":
return "assistant";
case "system":
return "system";
case "tool":
return "tool";
case "operator":
case "user":
default:
return "user";
}
}
private normalizeLimit(value: number, fallback: number): number {
const normalized = Number.isFinite(value) ? Math.trunc(value) : fallback;
if (normalized < 1) {
return 1;
}
return Math.min(normalized, MAX_MESSAGE_LIMIT);
}
private parseDate(value: unknown, fallback = new Date()): Date {
if (value instanceof Date) {
return value;
}
if (typeof value === "string" || typeof value === "number") {
const parsed = new Date(value);
if (!Number.isNaN(parsed.getTime())) {
return parsed;
}
}
return fallback;
}
private toMetadata(value: unknown): Record<string, unknown> | undefined {
if (this.isRecord(value)) {
return value;
}
return undefined;
}
private resolveDisplayName(): string {
const credentials = this.readCredentials();
for (const key of DISPLAY_NAME_KEYS) {
const value = this.readString(credentials[key]);
if (value !== undefined) {
return value;
}
}
return this.config.name;
}
private resolveBaseUrl(): string {
const configRecord = this.config as unknown as JsonRecord;
const rawBaseUrl =
this.readString(this.config.gatewayUrl) ?? this.readString(configRecord.baseUrl);
if (rawBaseUrl === undefined) {
throw new Error(`OpenClaw provider ${this.providerId} is missing gateway URL`);
}
try {
const parsed = new URL(rawBaseUrl);
return parsed.toString().replace(/\/$/u, "");
} catch {
throw new Error(`OpenClaw provider ${this.providerId} has invalid gateway URL`);
}
}
private resolveApiToken(): string {
const configRecord = this.config as unknown as JsonRecord;
const credentials = this.readCredentials();
const rawToken =
this.readString(configRecord.apiToken) ??
this.readString(configRecord.token) ??
this.readString(configRecord.bearerToken) ??
this.findFirstString(credentials, API_TOKEN_KEYS);
if (rawToken === undefined) {
throw new Error(`OpenClaw provider ${this.providerId} is missing apiToken credentials`);
}
try {
return this.encryptionService.decryptIfNeeded(rawToken);
} catch (error) {
throw new Error(`Failed to decrypt API token: ${this.toErrorMessage(error)}`);
}
}
private readCredentials(): JsonRecord {
return this.isRecord(this.config.credentials) ? this.config.credentials : {};
}
private findFirstString(record: JsonRecord, keys: readonly string[]): string | undefined {
for (const key of keys) {
const value = this.readString(record[key]);
if (value !== undefined) {
return value;
}
}
return undefined;
}
private authHeaders(extraHeaders: Record<string, string> = {}): Record<string, string> {
return {
Authorization: `Bearer ${this.resolveApiToken()}`,
...extraHeaders,
};
}
private buildUrl(path: string): string {
return new URL(path, `${this.resolveBaseUrl()}/`).toString();
}
private isRecord(value: unknown): value is JsonRecord {
return typeof value === "object" && value !== null && !Array.isArray(value);
}
private readString(value: unknown): string | undefined {
if (typeof value !== "string") {
return undefined;
}
const trimmed = value.trim();
return trimmed.length > 0 ? trimmed : undefined;
}
private getHttpStatus(error: unknown): number | undefined {
if (typeof error !== "object" || error === null || !("response" in error)) {
return undefined;
}
const response = (error as HttpErrorWithResponse).response;
return typeof response?.status === "number" ? response.status : undefined;
}
private toServiceUnavailable(operation: string, error: unknown): ServiceUnavailableException {
return new ServiceUnavailableException(
`OpenClaw provider ${this.providerId} failed to ${operation}: ${this.toErrorMessage(error)}`
);
}
private toErrorMessage(error: unknown): string {
if (error instanceof Error) {
return error.message;
}
return String(error);
}
}

131
apps/orchestrator/src/api/providers/providers.module.spec.ts
View File

@@ -1,131 +0,0 @@
import { Logger } from "@nestjs/common";
import type { AgentProviderConfig } from "@prisma/client";
import { beforeEach, describe, expect, it, vi } from "vitest";
import { PrismaService } from "../../prisma/prisma.service";
import { AgentProviderRegistry } from "../agents/agent-provider.registry";
import { OpenClawProviderFactory } from "./openclaw/openclaw.provider-factory";
import { ProvidersModule } from "./providers.module";
type MockOpenClawProvider = {
providerId: string;
validateBaseUrl: ReturnType<typeof vi.fn>;
validateToken: ReturnType<typeof vi.fn>;
isAvailable: ReturnType<typeof vi.fn>;
};
describe("ProvidersModule", () => {
let moduleRef: ProvidersModule;
let prisma: {
agentProviderConfig: {
findMany: ReturnType<typeof vi.fn>;
};
};
let registry: {
registerProvider: ReturnType<typeof vi.fn>;
};
let factory: {
createProvider: ReturnType<typeof vi.fn>;
};
const config: AgentProviderConfig = {
id: "cfg-openclaw-1",
workspaceId: "workspace-1",
name: "openclaw-home",
provider: "openclaw",
gatewayUrl: "https://gateway.example.com",
credentials: { apiToken: "enc:token-value" },
isActive: true,
createdAt: new Date("2026-03-07T15:00:00.000Z"),
updatedAt: new Date("2026-03-07T15:00:00.000Z"),
};
beforeEach(() => {
prisma = {
agentProviderConfig: {
findMany: vi.fn(),
},
};
registry = {
registerProvider: vi.fn(),
};
factory = {
createProvider: vi.fn(),
};
moduleRef = new ProvidersModule(
prisma as unknown as PrismaService,
registry as unknown as AgentProviderRegistry,
factory as unknown as OpenClawProviderFactory
);
});
it("registers reachable OpenClaw providers", async () => {
const provider: MockOpenClawProvider = {
providerId: "openclaw-home",
validateBaseUrl: vi.fn(),
validateToken: vi.fn(),
isAvailable: vi.fn().mockResolvedValue(true),
};
prisma.agentProviderConfig.findMany.mockResolvedValue([config]);
factory.createProvider.mockReturnValue(provider);
await moduleRef.onModuleInit();
expect(prisma.agentProviderConfig.findMany).toHaveBeenCalledWith({
where: {
provider: "openclaw",
isActive: true,
},
orderBy: [{ createdAt: "asc" }, { id: "asc" }],
});
expect(factory.createProvider).toHaveBeenCalledWith(config);
expect(provider.validateBaseUrl).toHaveBeenCalledTimes(1);
expect(provider.validateToken).toHaveBeenCalledTimes(1);
expect(provider.isAvailable).toHaveBeenCalledTimes(1);
expect(registry.registerProvider).toHaveBeenCalledWith(provider);
});
it("skips provider registration when gateway is unreachable", async () => {
const warnSpy = vi.spyOn(Logger.prototype, "warn").mockImplementation(() => undefined);
const provider: MockOpenClawProvider = {
providerId: "openclaw-home",
validateBaseUrl: vi.fn(),
validateToken: vi.fn(),
isAvailable: vi.fn().mockResolvedValue(false),
};
prisma.agentProviderConfig.findMany.mockResolvedValue([config]);
factory.createProvider.mockReturnValue(provider);
await moduleRef.onModuleInit();
expect(registry.registerProvider).not.toHaveBeenCalled();
expect(warnSpy).toHaveBeenCalledWith(
expect.stringContaining("Skipping OpenClaw provider openclaw-home")
);
});
it("skips provider registration when token decryption fails", async () => {
const errorSpy = vi.spyOn(Logger.prototype, "error").mockImplementation(() => undefined);
const provider: MockOpenClawProvider = {
providerId: "openclaw-home",
validateBaseUrl: vi.fn(),
validateToken: vi.fn().mockImplementation(() => {
throw new Error("Failed to decrypt API token");
}),
isAvailable: vi.fn().mockResolvedValue(true),
};
prisma.agentProviderConfig.findMany.mockResolvedValue([config]);
factory.createProvider.mockReturnValue(provider);
await moduleRef.onModuleInit();
expect(registry.registerProvider).not.toHaveBeenCalled();
expect(errorSpy).toHaveBeenCalledWith(expect.stringContaining("token decryption failed"));
expect(provider.isAvailable).not.toHaveBeenCalled();
});
});

95
apps/orchestrator/src/api/providers/providers.module.ts
View File

@@ -1,95 +0,0 @@
import { HttpModule } from "@nestjs/axios";
import { Logger, Module, OnModuleInit } from "@nestjs/common";
import type { AgentProviderConfig } from "@prisma/client";
import { PrismaModule } from "../../prisma/prisma.module";
import { PrismaService } from "../../prisma/prisma.service";
import { EncryptionService } from "../../security/encryption.service";
import { AgentProviderRegistry } from "../agents/agent-provider.registry";
import { AgentsModule } from "../agents/agents.module";
import { OpenClawProviderFactory } from "./openclaw/openclaw.provider-factory";
import { OpenClawSseBridge } from "./openclaw/openclaw-sse.bridge";
const OPENCLAW_PROVIDER_TYPE = "openclaw";
@Module({
imports: [
AgentsModule,
PrismaModule,
HttpModule.register({
timeout: 10000,
maxRedirects: 5,
}),
],
providers: [EncryptionService, OpenClawSseBridge, OpenClawProviderFactory],
})
export class ProvidersModule implements OnModuleInit {
private readonly logger = new Logger(ProvidersModule.name);
constructor(
private readonly prisma: PrismaService,
private readonly registry: AgentProviderRegistry,
private readonly openClawProviderFactory: OpenClawProviderFactory
) {}
async onModuleInit(): Promise<void> {
const configs = await this.prisma.agentProviderConfig.findMany({
where: {
provider: OPENCLAW_PROVIDER_TYPE,
isActive: true,
},
orderBy: [{ createdAt: "asc" }, { id: "asc" }],
});
for (const config of configs) {
await this.registerProvider(config);
}
}
private async registerProvider(config: AgentProviderConfig): Promise<void> {
const provider = this.openClawProviderFactory.createProvider(config);
try {
provider.validateBaseUrl();
} catch (error) {
this.logger.warn(
`Skipping OpenClaw provider ${config.name}: invalid configuration (${this.toErrorMessage(error)})`
);
return;
}
try {
provider.validateToken();
} catch (error) {
this.logger.error(
`Skipping OpenClaw provider ${config.name}: token decryption failed (${this.toErrorMessage(error)})`
);
return;
}
try {
const available = await provider.isAvailable();
if (!available) {
this.logger.warn(
`Skipping OpenClaw provider ${config.name}: gateway ${config.gatewayUrl} is unreachable`
);
return;
}
} catch (error) {
this.logger.warn(
`Skipping OpenClaw provider ${config.name}: gateway ${config.gatewayUrl} is unreachable (${this.toErrorMessage(error)})`
);
return;
}
this.registry.registerProvider(provider);
this.logger.log(`Registered OpenClaw provider ${provider.providerId}`);
}
private toErrorMessage(error: unknown): string {
if (error instanceof Error) {
return error.message;
}
return String(error);
}
}

2
apps/orchestrator/src/app.module.ts
View File

@@ -7,7 +7,6 @@ import { AgentsModule } from "./api/agents/agents.module";
import { MissionControlModule } from "./api/mission-control/mission-control.module"; import { MissionControlModule } from "./api/mission-control/mission-control.module";
import { QueueApiModule } from "./api/queue/queue-api.module"; import { QueueApiModule } from "./api/queue/queue-api.module";
import { AgentProvidersModule } from "./api/agent-providers/agent-providers.module"; import { AgentProvidersModule } from "./api/agent-providers/agent-providers.module";
import { ProvidersModule } from "./api/providers/providers.module";
import { CoordinatorModule } from "./coordinator/coordinator.module"; import { CoordinatorModule } from "./coordinator/coordinator.module";
import { BudgetModule } from "./budget/budget.module"; import { BudgetModule } from "./budget/budget.module";
import { CIModule } from "./ci"; import { CIModule } from "./ci";
@@ -55,7 +54,6 @@ import { orchestratorConfig } from "./config/orchestrator.config";
HealthModule, HealthModule,
AgentsModule, AgentsModule,
AgentProvidersModule, AgentProvidersModule,
ProvidersModule,
MissionControlModule, MissionControlModule,
QueueApiModule, QueueApiModule,
CoordinatorModule, CoordinatorModule,

2
apps/orchestrator/src/auth/auth.module.ts
View File

@@ -4,6 +4,6 @@ import { AuthGuard } from "./guards/auth.guard";
@Module({ @Module({
providers: [OrchestratorApiKeyGuard, AuthGuard], providers: [OrchestratorApiKeyGuard, AuthGuard],
exports: [OrchestratorApiKeyGuard, AuthGuard], exports: [AuthGuard],
}) })
export class AuthModule {} export class AuthModule {}

106
apps/orchestrator/src/security/encryption.service.ts
View File

@@ -1,106 +0,0 @@
import { Injectable } from "@nestjs/common";
import { ConfigService } from "@nestjs/config";
import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from "node:crypto";
const ALGORITHM = "aes-256-gcm";
const ENCRYPTED_PREFIX = "enc:";
const IV_LENGTH = 12;
const AUTH_TAG_LENGTH = 16;
const DERIVED_KEY_LENGTH = 32;
const HKDF_SALT = "mosaic.crypto.v1";
const HKDF_INFO = "mosaic-db-secret-encryption";
@Injectable()
export class EncryptionService {
private key: Buffer | null = null;
constructor(private readonly configService: ConfigService) {}
encryptIfNeeded(value: string): string {
if (this.isEncrypted(value)) {
return value;
}
return this.encrypt(value);
}
encrypt(plaintext: string): string {
try {
const iv = randomBytes(IV_LENGTH);
const cipher = createCipheriv(ALGORITHM, this.getOrCreateKey(), iv);
const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
const authTag = cipher.getAuthTag();
const payload = Buffer.concat([iv, ciphertext, authTag]);
return `${ENCRYPTED_PREFIX}${payload.toString("base64")}`;
} catch {
throw new Error("Failed to encrypt value");
}
}
decryptIfNeeded(value: string): string {
if (!this.isEncrypted(value)) {
return value;
}
return this.decrypt(value);
}
decrypt(encrypted: string): string {
if (!this.isEncrypted(encrypted)) {
throw new Error("Value is not encrypted");
}
const payloadBase64 = encrypted.slice(ENCRYPTED_PREFIX.length);
try {
const payload = Buffer.from(payloadBase64, "base64");
if (payload.length < IV_LENGTH + AUTH_TAG_LENGTH) {
throw new Error("Encrypted payload is too short");
}
const iv = payload.subarray(0, IV_LENGTH);
const authTag = payload.subarray(payload.length - AUTH_TAG_LENGTH);
const ciphertext = payload.subarray(IV_LENGTH, payload.length - AUTH_TAG_LENGTH);
const decipher = createDecipheriv(ALGORITHM, this.getOrCreateKey(), iv);
decipher.setAuthTag(authTag);
return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
} catch {
throw new Error("Failed to decrypt value");
}
}
isEncrypted(value: string): boolean {
return value.startsWith(ENCRYPTED_PREFIX);
}
private getOrCreateKey(): Buffer {
if (this.key !== null) {
return this.key;
}
const secret = this.configService.get<string>("MOSAIC_SECRET_KEY");
if (!secret) {
throw new Error(
"orchestrator: MOSAIC_SECRET_KEY is required. Set it in your config or via MOSAIC_SECRET_KEY."
);
}
if (secret.length < 32) {
throw new Error("MOSAIC_SECRET_KEY must be at least 32 characters");
}
this.key = Buffer.from(
hkdfSync(
"sha256",
Buffer.from(secret, "utf8"),
Buffer.from(HKDF_SALT, "utf8"),
Buffer.from(HKDF_INFO, "utf8"),
DERIVED_KEY_LENGTH
)
);
return this.key;
}
}

315
apps/orchestrator/tests/integration/ms23-p3-gate.spec.ts
View File

@@ -1,315 +0,0 @@
import type { HttpService } from "@nestjs/axios";
import type {
AgentMessage,
AgentSession,
AgentSessionList,
IAgentProvider,
InjectResult,
} from "@mosaic/shared";
import type { AgentProviderConfig } from "@prisma/client";
import { beforeEach, describe, expect, it, vi } from "vitest";
import type { InternalAgentProvider } from "../../src/api/agents/internal-agent.provider";
import { AgentProviderRegistry } from "../../src/api/agents/agent-provider.registry";
import { MissionControlController } from "../../src/api/mission-control/mission-control.controller";
import { MissionControlService } from "../../src/api/mission-control/mission-control.service";
import { OpenClawProviderFactory } from "../../src/api/providers/openclaw/openclaw.provider-factory";
import { OpenClawSseBridge } from "../../src/api/providers/openclaw/openclaw-sse.bridge";
import { ProvidersModule } from "../../src/api/providers/providers.module";
import type { PrismaService } from "../../src/prisma/prisma.service";
import type { EncryptionService } from "../../src/security/encryption.service";
type MockProvider = IAgentProvider & {
listSessions: ReturnType<typeof vi.fn>;
getSession: ReturnType<typeof vi.fn>;
injectMessage: ReturnType<typeof vi.fn>;
pauseSession: ReturnType<typeof vi.fn>;
killSession: ReturnType<typeof vi.fn>;
};
type MockPrisma = {
agentProviderConfig: {
create: ReturnType<typeof vi.fn>;
findMany: ReturnType<typeof vi.fn>;
};
operatorAuditLog: {
create: ReturnType<typeof vi.fn>;
};
};
const emptyMessageStream = async function* (): AsyncIterable<AgentMessage> {
return;
};
describe("MS23-P3-004 API integration", () => {
let controller: MissionControlController;
let providersModule: ProvidersModule;
let registry: AgentProviderRegistry;
let prisma: MockPrisma;
let httpService: {
axiosRef: {
get: ReturnType<typeof vi.fn>;
post: ReturnType<typeof vi.fn>;
};
};
const gatewayUrl = "https://openclaw-gateway.example.com";
const internalSession: AgentSession = {
id: "session-internal-1",
providerId: "internal",
providerType: "internal",
status: "active",
createdAt: new Date("2026-03-07T16:00:00.000Z"),
updatedAt: new Date("2026-03-07T16:02:00.000Z"),
};
const openClawGatewaySession = {
id: "session-openclaw-1",
status: "running",
createdAt: "2026-03-07T16:01:00.000Z",
updatedAt: "2026-03-07T16:03:00.000Z",
};
const createInternalProvider = (session: AgentSession): MockProvider => ({
providerId: "internal",
providerType: "internal",
displayName: "Internal",
listSessions: vi.fn().mockResolvedValue({ sessions: [session], total: 1 } as AgentSessionList),
getSession: vi.fn().mockImplementation(async (sessionId: string) => {
return sessionId === session.id ? session : null;
}),
getMessages: vi.fn().mockResolvedValue([]),
injectMessage: vi.fn().mockResolvedValue({ accepted: true } as InjectResult),
pauseSession: vi.fn().mockResolvedValue(undefined),
resumeSession: vi.fn().mockResolvedValue(undefined),
killSession: vi.fn().mockResolvedValue(undefined),
streamMessages: vi.fn().mockReturnValue(emptyMessageStream()),
isAvailable: vi.fn().mockResolvedValue(true),
});
beforeEach(() => {
const providerConfigs: AgentProviderConfig[] = [];
prisma = {
agentProviderConfig: {
create: vi.fn().mockImplementation(async (args: { data: Record<string, unknown> }) => {
const now = new Date("2026-03-07T15:00:00.000Z");
const record: AgentProviderConfig = {
id: `cfg-${String(providerConfigs.length + 1)}`,
workspaceId: String(args.data.workspaceId),
name: String(args.data.name),
provider: String(args.data.provider),
gatewayUrl: String(args.data.gatewayUrl),
credentials: (args.data.credentials ?? {}) as AgentProviderConfig["credentials"],
isActive: args.data.isActive !== false,
createdAt: now,
updatedAt: now,
};
providerConfigs.push(record);
return record;
}),
findMany: vi
.fn()
.mockImplementation(
async (args: { where?: { provider?: string; isActive?: boolean } }) => {
const where = args.where ?? {};
return providerConfigs.filter((config) => {
if (where.provider !== undefined && config.provider !== where.provider) {
return false;
}
if (where.isActive !== undefined && config.isActive !== where.isActive) {
return false;
}
return true;
});
}
),
},
operatorAuditLog: {
create: vi.fn().mockResolvedValue(undefined),
},
};
httpService = {
axiosRef: {
get: vi.fn().mockImplementation(async (url: string) => {
if (url === `${gatewayUrl}/api/sessions`) {
return {
data: {
sessions: [openClawGatewaySession],
total: 1,
},
};
}
if (url === `${gatewayUrl}/api/sessions/${openClawGatewaySession.id}`) {
return {
data: {
session: openClawGatewaySession,
},
};
}
throw new Error(`Unexpected GET ${url}`);
}),
post: vi.fn().mockImplementation(async (url: string) => {
if (url.endsWith("/inject")) {
return { data: { accepted: true, messageId: "msg-inject-1" } };
}
if (url.endsWith("/pause") || url.endsWith("/kill")) {
return { data: {} };
}
throw new Error(`Unexpected POST ${url}`);
}),
},
};
const internalProvider = createInternalProvider(internalSession);
registry = new AgentProviderRegistry(internalProvider as unknown as InternalAgentProvider);
registry.onModuleInit();
const encryptionService = {
decryptIfNeeded: vi.fn().mockReturnValue("plain-openclaw-token"),
};
const sseBridge = new OpenClawSseBridge(httpService as unknown as HttpService);
const openClawProviderFactory = new OpenClawProviderFactory(
encryptionService as unknown as EncryptionService,
httpService as unknown as HttpService,
sseBridge
);
providersModule = new ProvidersModule(
prisma as unknown as PrismaService,
registry,
openClawProviderFactory
);
const missionControlService = new MissionControlService(
registry,
prisma as unknown as PrismaService
);
controller = new MissionControlController(missionControlService);
});
it("Phase 3 gate: OpenClaw provider config registered in DB → provider loaded on boot → sessions returned from /api/mission-control/sessions → inject/pause/kill proxied to gateway", async () => {
await prisma.agentProviderConfig.create({
data: {
workspaceId: "workspace-ms23",
name: "openclaw-home",
provider: "openclaw",
gatewayUrl,
credentials: {
apiToken: "enc:test-openclaw-token",
},
isActive: true,
},
});
await providersModule.onModuleInit();
// Equivalent to GET /api/mission-control/sessions
const sessionsResponse = await controller.listSessions();
expect(sessionsResponse.sessions.map((session) => session.id)).toEqual([
"session-openclaw-1",
"session-internal-1",
]);
expect(sessionsResponse.sessions).toEqual(
expect.arrayContaining([
expect.objectContaining({
id: "session-internal-1",
providerId: "internal",
}),
expect.objectContaining({
id: "session-openclaw-1",
providerId: "openclaw-home",
providerType: "openclaw",
}),
])
);
const operatorRequest = {
user: {
id: "operator-ms23",
},
};
await expect(
controller.injectMessage(
"session-openclaw-1",
{
message: "Ship it",
},
operatorRequest
)
).resolves.toEqual({ accepted: true, messageId: "msg-inject-1" });
await expect(controller.pauseSession("session-openclaw-1", operatorRequest)).resolves.toEqual({
message: "Session session-openclaw-1 paused",
});
await expect(
controller.killSession(
"session-openclaw-1",
{
force: false,
},
operatorRequest
)
).resolves.toEqual({ message: "Session session-openclaw-1 killed" });
expect(httpService.axiosRef.post).toHaveBeenNthCalledWith(
1,
`${gatewayUrl}/api/sessions/session-openclaw-1/inject`,
{ content: "Ship it" },
{
headers: {
Authorization: "Bearer plain-openclaw-token",
},
}
);
expect(httpService.axiosRef.post).toHaveBeenNthCalledWith(
2,
`${gatewayUrl}/api/sessions/session-openclaw-1/pause`,
{},
{
headers: {
Authorization: "Bearer plain-openclaw-token",
},
}
);
expect(httpService.axiosRef.post).toHaveBeenNthCalledWith(
3,
`${gatewayUrl}/api/sessions/session-openclaw-1/kill`,
{ force: false },
{
headers: {
Authorization: "Bearer plain-openclaw-token",
},
}
);
expect(prisma.operatorAuditLog.create).toHaveBeenNthCalledWith(1, {
data: {
sessionId: "session-openclaw-1",
userId: "operator-ms23",
provider: "openclaw-home",
action: "inject",
content: "Ship it",
metadata: {
payload: {
message: "Ship it",
},
},
},
});
});
});

2
apps/orchestrator/tests/integration/vitest.config.ts
View File

@@ -4,7 +4,7 @@ export default defineConfig({
test: { test: {
globals: true, globals: true,
environment: "node", environment: "node",
include: ["tests/integration/**/*.e2e-spec.ts", "tests/integration/**/*.spec.ts"], include: ["**/*.e2e-spec.ts"],
testTimeout: 30000, testTimeout: 30000,
}, },
}); });

2
apps/web/package.json
View File

@@ -1,6 +1,6 @@
{ {
"name": "@mosaic/web", "name": "@mosaic/web",
"version": "0.0.23", "version": "0.0.20",
"private": true, "private": true,
"scripts": { "scripts": {
"build": "next build", "build": "next build",

528
apps/web/src/app/(authenticated)/settings/agent-providers/page.tsx
View File

@@ -1,528 +0,0 @@
"use client";
import {
useCallback,
useEffect,
useState,
type ChangeEvent,
type ReactElement,
type SyntheticEvent,
} from "react";
import { Pencil, Trash2 } from "lucide-react";
import { FleetSettingsNav } from "@/components/settings/FleetSettingsNav";
import {
createAgentProvider,
deleteAgentProvider,
fetchAgentProviders,
updateAgentProvider,
type AgentProviderConfig,
type CreateAgentProviderRequest,
type UpdateAgentProviderRequest,
} from "@/lib/api/agent-providers";
import {
AlertDialog,
AlertDialogAction,
AlertDialogCancel,
AlertDialogContent,
AlertDialogDescription,
AlertDialogFooter,
AlertDialogHeader,
AlertDialogTitle,
} from "@/components/ui/alert-dialog";
import { Badge } from "@/components/ui/badge";
import { Button } from "@/components/ui/button";
import { Card, CardContent, CardDescription, CardHeader, CardTitle } from "@/components/ui/card";
import {
Dialog,
DialogContent,
DialogDescription,
DialogFooter,
DialogHeader,
DialogTitle,
} from "@/components/ui/dialog";
import { Input } from "@/components/ui/input";
import { Label } from "@/components/ui/label";
import {
Select,
SelectContent,
SelectItem,
SelectTrigger,
SelectValue,
} from "@/components/ui/select";
import { Switch } from "@/components/ui/switch";
interface ProviderFormData {
name: string;
provider: "openclaw";
gatewayUrl: string;
apiToken: string;
isActive: boolean;
}
const NAME_PATTERN = /^[a-zA-Z0-9-]+$/;
const INITIAL_FORM: ProviderFormData = {
name: "",
provider: "openclaw",
gatewayUrl: "",
apiToken: "",
isActive: true,
};
function getErrorMessage(error: unknown, fallback: string): string {
if (error instanceof Error && error.message.trim().length > 0) {
return error.message;
}
return fallback;
}
function isValidHttpsUrl(value: string): boolean {
try {
const parsed = new URL(value);
return parsed.protocol === "https:";
} catch {
return false;
}
}
function formatCreatedDate(value: string): string {
const parsed = new Date(value);
if (Number.isNaN(parsed.getTime())) {
return "Unknown";
}
return new Intl.DateTimeFormat(undefined, {
year: "numeric",
month: "short",
day: "numeric",
}).format(parsed);
}
function validateForm(form: ProviderFormData, isEditing: boolean): string | null {
const name = form.name.trim();
if (name.length === 0) {
return "Name is required.";
}
if (!NAME_PATTERN.test(name)) {
return "Name must contain only letters, numbers, and hyphens.";
}
const gatewayUrl = form.gatewayUrl.trim();
if (gatewayUrl.length === 0) {
return "Gateway URL is required.";
}
if (!isValidHttpsUrl(gatewayUrl)) {
return "Gateway URL must be a valid https:// URL.";
}
if (!isEditing && form.apiToken.trim().length === 0) {
return "API token is required when creating a provider.";
}
return null;
}
export default function AgentProvidersSettingsPage(): ReactElement {
const [providers, setProviders] = useState<AgentProviderConfig[]>([]);
const [isLoading, setIsLoading] = useState<boolean>(true);
const [isRefreshing, setIsRefreshing] = useState<boolean>(false);
const [error, setError] = useState<string | null>(null);
const [successMessage, setSuccessMessage] = useState<string | null>(null);
const [isDialogOpen, setIsDialogOpen] = useState<boolean>(false);
const [editingProvider, setEditingProvider] = useState<AgentProviderConfig | null>(null);
const [form, setForm] = useState<ProviderFormData>(INITIAL_FORM);
const [formError, setFormError] = useState<string | null>(null);
const [isSaving, setIsSaving] = useState<boolean>(false);
const [deleteTarget, setDeleteTarget] = useState<AgentProviderConfig | null>(null);
const [isDeleting, setIsDeleting] = useState<boolean>(false);
const loadProviders = useCallback(async (showLoadingState: boolean): Promise<void> => {
if (showLoadingState) {
setIsLoading(true);
} else {
setIsRefreshing(true);
}
try {
const data = await fetchAgentProviders();
setProviders(data);
setError(null);
} catch (loadError: unknown) {
setError(getErrorMessage(loadError, "Failed to load agent providers."));
} finally {
setIsLoading(false);
setIsRefreshing(false);
}
}, []);
useEffect(() => {
void loadProviders(true);
}, [loadProviders]);
function openCreateDialog(): void {
setEditingProvider(null);
setForm(INITIAL_FORM);
setFormError(null);
setIsDialogOpen(true);
}
function openEditDialog(provider: AgentProviderConfig): void {
setEditingProvider(provider);
setForm({
name: provider.name,
provider: "openclaw",
gatewayUrl: provider.gatewayUrl,
apiToken: "",
isActive: provider.isActive,
});
setFormError(null);
setIsDialogOpen(true);
}
function closeDialog(): void {
if (isSaving) {
return;
}
setIsDialogOpen(false);
setEditingProvider(null);
setForm(INITIAL_FORM);
setFormError(null);
}
async function handleSubmit(event: SyntheticEvent): Promise<void> {
event.preventDefault();
setFormError(null);
setSuccessMessage(null);
const validationError = validateForm(form, editingProvider !== null);
if (validationError !== null) {
setFormError(validationError);
return;
}
const name = form.name.trim();
const gatewayUrl = form.gatewayUrl.trim();
const apiToken = form.apiToken.trim();
try {
setIsSaving(true);
if (editingProvider) {
const updatePayload: UpdateAgentProviderRequest = {
name,
provider: form.provider,
gatewayUrl,
isActive: form.isActive,
};
if (apiToken.length > 0) {
updatePayload.credentials = { apiToken };
}
await updateAgentProvider(editingProvider.id, updatePayload);
setSuccessMessage(`Updated provider "${name}".`);
} else {
const createPayload: CreateAgentProviderRequest = {
name,
provider: form.provider,
gatewayUrl,
credentials: { apiToken },
isActive: form.isActive,
};
await createAgentProvider(createPayload);
setSuccessMessage(`Added provider "${name}".`);
}
setIsDialogOpen(false);
setEditingProvider(null);
setForm(INITIAL_FORM);
await loadProviders(false);
} catch (saveError: unknown) {
setFormError(getErrorMessage(saveError, "Unable to save agent provider."));
} finally {
setIsSaving(false);
}
}
async function handleDeleteProvider(): Promise<void> {
if (!deleteTarget) {
return;
}
try {
setIsDeleting(true);
await deleteAgentProvider(deleteTarget.id);
setSuccessMessage(`Deleted provider "${deleteTarget.name}".`);
setDeleteTarget(null);
await loadProviders(false);
} catch (deleteError: unknown) {
setError(getErrorMessage(deleteError, "Failed to delete agent provider."));
} finally {
setIsDeleting(false);
}
}
return (
<div className="max-w-6xl mx-auto p-6 space-y-6">
<div className="space-y-4">
<div>
<h1 className="text-3xl font-bold">Agent Providers</h1>
<p className="text-muted-foreground mt-1">
Register OpenClaw gateways and API tokens used for external agent sessions.
</p>
</div>
<FleetSettingsNav />
</div>
<Card>
<CardHeader className="flex flex-col gap-3 sm:flex-row sm:items-center sm:justify-between">
<div>
<CardTitle>OpenClaw Gateways</CardTitle>
<CardDescription>
Add one or more OpenClaw gateway endpoints and control which ones are active.
</CardDescription>
</div>
<div className="flex items-center gap-2">
<Button
variant="outline"
onClick={() => {
void loadProviders(false);
}}
disabled={isLoading || isRefreshing}
>
{isRefreshing ? "Refreshing..." : "Refresh"}
</Button>
<Button onClick={openCreateDialog}>Add Provider</Button>
</div>
</CardHeader>
<CardContent className="space-y-3">
{error ? (
<p className="text-sm text-destructive" role="alert">
{error}
</p>
) : null}
{successMessage ? <p className="text-sm text-emerald-600">{successMessage}</p> : null}
{isLoading ? (
<p className="text-sm text-muted-foreground">Loading agent providers...</p>
) : providers.length === 0 ? (
<p className="text-sm text-muted-foreground">
No agent providers configured yet. Add one to register an OpenClaw gateway.
</p>
) : (
providers.map((provider) => (
<div
key={provider.id}
className="rounded-lg border p-4 flex flex-col gap-4 md:flex-row md:items-start md:justify-between"
>
<div className="space-y-2 min-w-0">
<div className="flex items-center gap-2 flex-wrap">
<p className="font-semibold truncate">{provider.name}</p>
<Badge variant={provider.isActive ? "default" : "secondary"}>
{provider.isActive ? "Active" : "Inactive"}
</Badge>
<Badge variant="outline">{provider.provider}</Badge>
</div>
<p className="text-sm text-muted-foreground break-all">
Gateway URL: {provider.gatewayUrl}
</p>
<p className="text-sm text-muted-foreground">
Created: {formatCreatedDate(provider.createdAt)}
</p>
</div>
<div className="flex items-center gap-2">
<Button
variant="outline"
size="sm"
onClick={() => {
openEditDialog(provider);
}}
>
<Pencil className="h-4 w-4 mr-2" />
Edit
</Button>
<Button
variant="destructive"
size="sm"
onClick={() => {
setDeleteTarget(provider);
}}
>
<Trash2 className="h-4 w-4 mr-2" />
Delete
</Button>
</div>
</div>
))
)}
</CardContent>
</Card>
<Dialog
open={isDialogOpen}
onOpenChange={(nextOpen) => {
if (!nextOpen) {
closeDialog();
return;
}
setIsDialogOpen(true);
}}
>
<DialogContent>
<DialogHeader>
<DialogTitle>
{editingProvider ? "Edit Agent Provider" : "Add Agent Provider"}
</DialogTitle>
<DialogDescription>
Configure an OpenClaw gateway URL and API token for agent provider registration.
</DialogDescription>
</DialogHeader>
<form onSubmit={(event) => void handleSubmit(event)} className="space-y-4">
<div className="space-y-2">
<Label htmlFor="agent-provider-name">Name</Label>
<Input
id="agent-provider-name"
value={form.name}
onChange={(event: ChangeEvent<HTMLInputElement>) => {
setForm((previous) => ({ ...previous, name: event.target.value }));
}}
placeholder="openclaw-primary"
maxLength={100}
disabled={isSaving}
required
/>
<p className="text-xs text-muted-foreground">
Use letters, numbers, and hyphens only.
</p>
</div>
<div className="space-y-2">
<Label htmlFor="agent-provider-type">Provider Type</Label>
<Select
value={form.provider}
onValueChange={(value) => {
if (value === "openclaw") {
setForm((previous) => ({ ...previous, provider: value }));
}
}}
disabled={isSaving}
>
<SelectTrigger id="agent-provider-type">
<SelectValue placeholder="Select provider type" />
</SelectTrigger>
<SelectContent>
<SelectItem value="openclaw">openclaw</SelectItem>
</SelectContent>
</Select>
</div>
<div className="space-y-2">
<Label htmlFor="agent-provider-gateway-url">Gateway URL</Label>
<Input
id="agent-provider-gateway-url"
value={form.gatewayUrl}
onChange={(event: ChangeEvent<HTMLInputElement>) => {
setForm((previous) => ({ ...previous, gatewayUrl: event.target.value }));
}}
placeholder="https://my-openclaw.example.com"
disabled={isSaving}
required
/>
</div>
<div className="space-y-2">
<Label htmlFor="agent-provider-api-token">API Token</Label>
<Input
id="agent-provider-api-token"
type="password"
value={form.apiToken}
onChange={(event: ChangeEvent<HTMLInputElement>) => {
setForm((previous) => ({ ...previous, apiToken: event.target.value }));
}}
placeholder={
editingProvider ? "Leave blank to keep existing token" : "Enter API token"
}
autoComplete="new-password"
disabled={isSaving}
/>
<p className="text-xs text-muted-foreground">
{editingProvider
? "Leave blank to keep the currently stored token."
: "Required when creating a provider."}
</p>
</div>
<div className="flex items-center justify-between rounded-md border px-3 py-2">
<div>
<Label htmlFor="agent-provider-active">Provider Status</Label>
<p className="text-xs text-muted-foreground">
Inactive providers remain saved but are excluded from routing.
</p>
</div>
<Switch
id="agent-provider-active"
checked={form.isActive}
onCheckedChange={(checked) => {
setForm((previous) => ({ ...previous, isActive: checked }));
}}
disabled={isSaving}
/>
</div>
{formError ? (
<p className="text-sm text-destructive" role="alert">
{formError}
</p>
) : null}
<DialogFooter>
<Button type="button" variant="outline" onClick={closeDialog} disabled={isSaving}>
Cancel
</Button>
<Button type="submit" disabled={isSaving}>
{isSaving ? "Saving..." : editingProvider ? "Save Changes" : "Create Provider"}
</Button>
</DialogFooter>
</form>
</DialogContent>
</Dialog>
<AlertDialog
open={deleteTarget !== null}
onOpenChange={(open) => {
if (!open && !isDeleting) {
setDeleteTarget(null);
}
}}
>
<AlertDialogContent>
<AlertDialogHeader>
<AlertDialogTitle>Delete Agent Provider</AlertDialogTitle>
<AlertDialogDescription>
Delete provider "{deleteTarget?.name}"? This permanently removes its gateway and token
configuration.
</AlertDialogDescription>
</AlertDialogHeader>
<AlertDialogFooter>
<AlertDialogCancel disabled={isDeleting}>Cancel</AlertDialogCancel>
<AlertDialogAction onClick={handleDeleteProvider} disabled={isDeleting}>
{isDeleting ? "Deleting..." : "Delete Provider"}
</AlertDialogAction>
</AlertDialogFooter>
</AlertDialogContent>
</AlertDialog>
</div>
);
}

27
apps/web/src/app/(authenticated)/settings/page.tsx
View File

@@ -227,33 +227,6 @@ const categories: CategoryConfig[] = [
</svg> </svg>
), ),
}, },
{
title: "Agent Providers",
description:
"Register OpenClaw gateway URLs and API tokens for external agent provider routing.",
href: "/settings/agent-providers",
accent: "var(--ms-blue-400)",
iconBg: "rgba(47, 128, 255, 0.12)",
icon: (
<svg
width="20"
height="20"
viewBox="0 0 20 20"
fill="none"
stroke="currentColor"
strokeWidth="1.5"
strokeLinecap="round"
strokeLinejoin="round"
aria-hidden="true"
>
<path d="M4 6.5h12" />
<path d="M6.5 10h7" />
<path d="M4 13.5h12" />
<circle cx="5.5" cy="10" r="1.5" />
<circle cx="14.5" cy="10" r="1.5" />
</svg>
),
},
{ {
title: "Agent Config", title: "Agent Config",
description: "Choose primary and fallback models, plus optional personality/SOUL instructions.", description: "Choose primary and fallback models, plus optional personality/SOUL instructions.",

93
apps/web/src/app/api/orchestrator/[...path]/route.ts
View File

@@ -1,93 +0,0 @@
import { type NextRequest, NextResponse } from "next/server";
const DEFAULT_ORCHESTRATOR_URL = "http://localhost:3001";
function getOrchestratorUrl(): string {
return (
process.env.ORCHESTRATOR_URL ??
process.env.NEXT_PUBLIC_ORCHESTRATOR_URL ??
process.env.NEXT_PUBLIC_API_URL ??
DEFAULT_ORCHESTRATOR_URL
);
}
/**
* Generic catch-all proxy for orchestrator API routes.
*
* Forwards any request to /api/orchestrator/<path> → ORCHESTRATOR_URL/<path>
* with the ORCHESTRATOR_API_KEY injected server-side so it never reaches the browser.
*
* Supports GET, POST, PATCH, DELETE, PUT.
*
* Example:
* GET /api/orchestrator/mission-control/sessions
* → GET ORCHESTRATOR_URL/api/mission-control/sessions
* POST /api/orchestrator/mission-control/sessions/abc/kill
* → POST ORCHESTRATOR_URL/api/mission-control/sessions/abc/kill
*/
async function proxyToOrchestrator(
request: NextRequest,
context: { params: Promise<{ path: string[] }> }
): Promise<NextResponse> {
const orchestratorApiKey = process.env.ORCHESTRATOR_API_KEY;
if (!orchestratorApiKey) {
return NextResponse.json(
{ error: "ORCHESTRATOR_API_KEY is not configured on the web server." },
{ status: 503 }
);
}
const { path } = await context.params;
const upstreamPath = `/${path.join("/")}`;
const search = request.nextUrl.search;
const upstreamUrl = `${getOrchestratorUrl()}${upstreamPath}${search}`;
const controller = new AbortController();
const timeout = setTimeout(() => {
controller.abort();
}, 30_000);
try {
const headers: Record<string, string> = {
"X-API-Key": orchestratorApiKey,
};
const contentType = request.headers.get("Content-Type");
if (contentType) {
headers["Content-Type"] = contentType;
}
const hasBody = request.method !== "GET" && request.method !== "HEAD";
const body = hasBody ? await request.text() : null;
const upstream = await fetch(upstreamUrl, {
method: request.method,
headers,
...(body !== null ? { body } : {}),
cache: "no-store",
signal: controller.signal,
});
const responseText = await upstream.text();
return new NextResponse(responseText, {
status: upstream.status,
headers: {
"Content-Type": upstream.headers.get("Content-Type") ?? "application/json",
},
});
} catch (error) {
const message =
error instanceof Error && error.name === "AbortError"
? "Orchestrator request timed out."
: "Unable to reach orchestrator.";
return NextResponse.json({ error: message }, { status: 502 });
} finally {
clearTimeout(timeout);
}
}
export const GET = proxyToOrchestrator;
export const POST = proxyToOrchestrator;
export const PATCH = proxyToOrchestrator;
export const PUT = proxyToOrchestrator;
export const DELETE = proxyToOrchestrator;

57
apps/web/src/app/api/orchestrator/queue/notifications/stream/route.ts
View File

@@ -1,57 +0,0 @@
import { NextResponse } from "next/server";
const DEFAULT_ORCHESTRATOR_URL = "http://localhost:3001";
function getOrchestratorUrl(): string {
return (
process.env.ORCHESTRATOR_URL ??
process.env.NEXT_PUBLIC_ORCHESTRATOR_URL ??
process.env.NEXT_PUBLIC_API_URL ??
DEFAULT_ORCHESTRATOR_URL
);
}
export const dynamic = "force-dynamic";
export async function GET(): Promise<NextResponse> {
const orchestratorApiKey = process.env.ORCHESTRATOR_API_KEY;
if (!orchestratorApiKey) {
return NextResponse.json(
{ error: "ORCHESTRATOR_API_KEY is not configured on the web server." },
{ status: 503 }
);
}
try {
const upstream = await fetch(`${getOrchestratorUrl()}/api/queue/notifications/stream`, {
method: "GET",
headers: {
"X-API-Key": orchestratorApiKey,
Accept: "text/event-stream",
},
cache: "no-store",
});
if (!upstream.ok || upstream.body === null) {
const message = await upstream.text();
return new NextResponse(message || "Failed to connect to queue notifications stream", {
status: upstream.status || 502,
headers: {
"Content-Type": upstream.headers.get("Content-Type") ?? "text/plain; charset=utf-8",
},
});
}
return new NextResponse(upstream.body, {
status: upstream.status,
headers: {
"Content-Type": "text/event-stream",
"Cache-Control": "no-cache, no-transform",
Connection: "keep-alive",
"X-Accel-Buffering": "no",
},
});
} catch {
return NextResponse.json({ error: "Unable to reach orchestrator." }, { status: 502 });
}
}

3
apps/web/src/app/layout.tsx
View File

@@ -4,7 +4,6 @@ import { Outfit, Fira_Code } from "next/font/google";
import { AuthProvider } from "@/lib/auth/auth-context"; import { AuthProvider } from "@/lib/auth/auth-context";
import { ErrorBoundary } from "@/components/error-boundary"; import { ErrorBoundary } from "@/components/error-boundary";
import { ThemeProvider } from "@/providers/ThemeProvider"; import { ThemeProvider } from "@/providers/ThemeProvider";
import { ReactQueryProvider } from "@/providers/ReactQueryProvider";
import "./globals.css"; import "./globals.css";
export const dynamic = "force-dynamic"; export const dynamic = "force-dynamic";
@@ -57,11 +56,9 @@ export default function RootLayout({ children }: { children: ReactNode }): React
</head> </head>
<body> <body>
<ThemeProvider> <ThemeProvider>
<ReactQueryProvider>
<ErrorBoundary> <ErrorBoundary>
<AuthProvider>{children}</AuthProvider> <AuthProvider>{children}</AuthProvider>
</ErrorBoundary> </ErrorBoundary>
</ReactQueryProvider>
</ThemeProvider> </ThemeProvider>
</body> </body>
</html> </html>

74
apps/web/src/components/layout/AppSidebar.tsx
View File

@@ -1,6 +1,6 @@
"use client"; "use client";
import { useEffect, useMemo, useState } from "react"; import { useEffect, useState } from "react";
import Link from "next/link"; import Link from "next/link";
import { usePathname } from "next/navigation"; import { usePathname } from "next/navigation";
import Image from "next/image"; import Image from "next/image";
@@ -29,10 +29,6 @@ interface NavGroup {
items: NavItemConfig[]; items: NavItemConfig[];
} }
interface QueueNotification {
id: string;
}
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
// SVG Icons (16x16 viewBox, stroke="currentColor", strokeWidth="1.5") // SVG Icons (16x16 viewBox, stroke="currentColor", strokeWidth="1.5")
// --------------------------------------------------------------------------- // ---------------------------------------------------------------------------
@@ -689,72 +685,6 @@ function CollapseToggle({ collapsed, onToggle }: CollapseToggleProps): React.JSX
export function AppSidebar(): React.JSX.Element { export function AppSidebar(): React.JSX.Element {
const pathname = usePathname(); const pathname = usePathname();
const { collapsed, toggleCollapsed, mobileOpen, setMobileOpen, isMobile } = useSidebar(); const { collapsed, toggleCollapsed, mobileOpen, setMobileOpen, isMobile } = useSidebar();
const [missionControlBadgeCount, setMissionControlBadgeCount] = useState<number>(0);
useEffect(() => {
let isActive = true;
const loadNotificationCount = async (): Promise<void> => {
try {
const response = await fetch("/api/orchestrator/api/queue/notifications", {
method: "GET",
});
if (!response.ok) {
return;
}
const payload = (await response.json()) as QueueNotification[];
if (isActive) {
setMissionControlBadgeCount(Array.isArray(payload) ? payload.length : 0);
}
} catch {
// Ignore badge failures in the nav.
}
};
void loadNotificationCount();
if (typeof EventSource === "undefined") {
return (): void => {
isActive = false;
};
}
const source = new EventSource("/api/orchestrator/queue/notifications/stream");
source.onmessage = (event: MessageEvent<string>): void => {
try {
const payload = JSON.parse(event.data) as QueueNotification[];
if (isActive) {
setMissionControlBadgeCount(Array.isArray(payload) ? payload.length : 0);
}
} catch {
// Ignore malformed badge updates.
}
};
return (): void => {
isActive = false;
source.close();
};
}, []);
const navGroups = useMemo(
() =>
NAV_GROUPS.map((group) => ({
...group,
items: group.items.map((item) =>
item.href === "/mission-control" && missionControlBadgeCount > 0
? {
...item,
badge: { label: String(missionControlBadgeCount) },
}
: item
),
})),
[missionControlBadgeCount]
);
return ( return (
<> <>
@@ -792,7 +722,7 @@ export function AppSidebar(): React.JSX.Element {
}} }}
aria-label="Main navigation" aria-label="Main navigation"
> >
{navGroups.map((group) => ( {NAV_GROUPS.map((group) => (
<div key={group.label} style={{ marginBottom: "18px" }}> <div key={group.label} style={{ marginBottom: "18px" }}>
{/* Group label — hidden when collapsed */} {/* Group label — hidden when collapsed */}
{!collapsed && ( {!collapsed && (

43
apps/web/src/components/mission-control/AuditLogDrawer.tsx
View File

@@ -44,25 +44,6 @@ interface AuditLogResponse {
total: number; total: number;
page: number; page: number;
pages: number; pages: number;
notice?: string;
}
function createEmptyAuditLogResponse(page: number, notice?: string): AuditLogResponse {
return {
items: [],
total: 0,
page,
pages: 0,
...(notice !== undefined ? { notice } : {}),
};
}
function isRateLimitError(error: unknown): boolean {
if (!(error instanceof Error)) {
return false;
}
return /429|rate limit|too many requests/i.test(error.message);
} }
function isRecord(value: unknown): value is Record<string, unknown> { function isRecord(value: unknown): value is Record<string, unknown> {
@@ -157,17 +138,7 @@ async function fetchAuditLog(
params.set("sessionId", normalizedSessionId); params.set("sessionId", normalizedSessionId);
} }
try { return apiGet<AuditLogResponse>(`/api/mission-control/audit-log?${params.toString()}`);
return await apiGet<AuditLogResponse>(
`/api/orchestrator/api/mission-control/audit-log?${params.toString()}`
);
} catch (error) {
if (isRateLimitError(error)) {
return createEmptyAuditLogResponse(page, "Rate limited - retrying...");
}
return createEmptyAuditLogResponse(page);
}
} }
export function AuditLogDrawer({ sessionId, trigger }: AuditLogDrawerProps): React.JSX.Element { export function AuditLogDrawer({ sessionId, trigger }: AuditLogDrawerProps): React.JSX.Element {
@@ -209,10 +180,11 @@ export function AuditLogDrawer({ sessionId, trigger }: AuditLogDrawerProps): Rea
const totalItems = auditLogQuery.data?.total ?? 0; const totalItems = auditLogQuery.data?.total ?? 0;
const totalPages = auditLogQuery.data?.pages ?? 0; const totalPages = auditLogQuery.data?.pages ?? 0;
const items = auditLogQuery.data?.items ?? []; const items = auditLogQuery.data?.items ?? [];
const notice = auditLogQuery.data?.notice;
const canGoPrevious = page > 1; const canGoPrevious = page > 1;
const canGoNext = totalPages > 0 && page < totalPages; const canGoNext = totalPages > 0 && page < totalPages;
const errorMessage =
auditLogQuery.error instanceof Error ? auditLogQuery.error.message : "Failed to load audit log";
return ( return (
<Sheet open={open} onOpenChange={setOpen}> <Sheet open={open} onOpenChange={setOpen}>
@@ -265,13 +237,10 @@ export function AuditLogDrawer({ sessionId, trigger }: AuditLogDrawerProps): Rea
Loading audit log... Loading audit log...
</td> </td>
</tr> </tr>
) : notice ? ( ) : auditLogQuery.error ? (
<tr> <tr>
<td <td colSpan={5} className="px-3 py-6 text-center text-sm text-red-500">
colSpan={5} {errorMessage}
className="px-3 py-6 text-center text-sm text-muted-foreground"
>
{notice}
</td> </td>
</tr> </tr>
) : items.length === 0 ? ( ) : items.length === 0 ? (

26
apps/web/src/components/mission-control/BargeInInput.test.tsx
View File

@@ -59,12 +59,9 @@ describe("BargeInInput", (): void => {
await user.click(screen.getByRole("button", { name: "Send" })); await user.click(screen.getByRole("button", { name: "Send" }));
await waitFor((): void => { await waitFor((): void => {
expect(mockApiPost).toHaveBeenCalledWith( expect(mockApiPost).toHaveBeenCalledWith("/api/mission-control/sessions/session-1/inject", {
"/api/orchestrator/api/mission-control/sessions/session-1/inject",
{
content: "execute plan", content: "execute plan",
} });
);
}); });
expect(onSent).toHaveBeenCalledTimes(1); expect(onSent).toHaveBeenCalledTimes(1);
@@ -86,18 +83,12 @@ describe("BargeInInput", (): void => {
const calls = mockApiPost.mock.calls as [string, unknown?][]; const calls = mockApiPost.mock.calls as [string, unknown?][];
expect(calls[0]).toEqual([ expect(calls[0]).toEqual(["/api/mission-control/sessions/session-2/pause", undefined]);
"/api/orchestrator/api/mission-control/sessions/session-2/pause",
undefined,
]);
expect(calls[1]).toEqual([ expect(calls[1]).toEqual([
"/api/orchestrator/api/mission-control/sessions/session-2/inject", "/api/mission-control/sessions/session-2/inject",
{ content: "hello world" }, { content: "hello world" },
]); ]);
expect(calls[2]).toEqual([ expect(calls[2]).toEqual(["/api/mission-control/sessions/session-2/resume", undefined]);
"/api/orchestrator/api/mission-control/sessions/session-2/resume",
undefined,
]);
}); });
it("submits with Enter and does not submit on Shift+Enter", async (): Promise<void> => { it("submits with Enter and does not submit on Shift+Enter", async (): Promise<void> => {
@@ -114,12 +105,9 @@ describe("BargeInInput", (): void => {
fireEvent.keyDown(textarea, { key: "Enter", code: "Enter", shiftKey: false }); fireEvent.keyDown(textarea, { key: "Enter", code: "Enter", shiftKey: false });
await waitFor((): void => { await waitFor((): void => {
expect(mockApiPost).toHaveBeenCalledWith( expect(mockApiPost).toHaveBeenCalledWith("/api/mission-control/sessions/session-3/inject", {
"/api/orchestrator/api/mission-control/sessions/session-3/inject",
{
content: "first", content: "first",
} });
);
}); });
}); });

2
apps/web/src/components/mission-control/BargeInInput.tsx
View File

@@ -39,7 +39,7 @@ export function BargeInInput({ sessionId, onSent }: BargeInInputProps): React.JS
} }
const encodedSessionId = encodeURIComponent(sessionId); const encodedSessionId = encodeURIComponent(sessionId);
const baseEndpoint = `/api/orchestrator/api/mission-control/sessions/${encodedSessionId}`; const baseEndpoint = `/api/mission-control/sessions/${encodedSessionId}`;
let didPause = false; let didPause = false;
let didInject = false; let didInject = false;

7
apps/web/src/components/mission-control/GlobalAgentRoster.test.tsx
View File

@@ -177,12 +177,9 @@ describe("GlobalAgentRoster", (): void => {
fireEvent.click(screen.getByRole("button", { name: "Kill session killme12" })); fireEvent.click(screen.getByRole("button", { name: "Kill session killme12" }));
await waitFor((): void => { await waitFor((): void => {
expect(mockApiPost).toHaveBeenCalledWith( expect(mockApiPost).toHaveBeenCalledWith("/api/mission-control/sessions/killme123456/kill", {
"/api/orchestrator/api/mission-control/sessions/killme123456/kill",
{
force: false, force: false,
} });
);
}); });
}); });

9
apps/web/src/components/mission-control/GlobalAgentRoster.tsx
View File

@@ -83,7 +83,7 @@ function groupByProvider(sessions: MissionControlSession[]): ProviderSessionGrou
async function fetchSessions(): Promise<MissionControlSession[]> { async function fetchSessions(): Promise<MissionControlSession[]> {
const payload = await apiGet<MissionControlSession[] | SessionsPayload>( const payload = await apiGet<MissionControlSession[] | SessionsPayload>(
"/api/orchestrator/api/mission-control/sessions" "/api/mission-control/sessions"
); );
return Array.isArray(payload) ? payload : payload.sessions; return Array.isArray(payload) ? payload : payload.sessions;
} }
@@ -118,12 +118,9 @@ export function GlobalAgentRoster({
const killMutation = useMutation({ const killMutation = useMutation({
mutationFn: async (sessionId: string): Promise<string> => { mutationFn: async (sessionId: string): Promise<string> => {
await apiPost<{ message: string }>( await apiPost<{ message: string }>(`/api/mission-control/sessions/${sessionId}/kill`, {
`/api/orchestrator/api/mission-control/sessions/${sessionId}/kill`,
{
force: false, force: false,
} });
);
return sessionId; return sessionId;
}, },
onSuccess: (): void => { onSuccess: (): void => {

28
apps/web/src/components/mission-control/KillAllDialog.test.tsx
View File

@@ -112,20 +112,14 @@ describe("KillAllDialog", (): void => {
await user.click(screen.getByRole("button", { name: "Kill All Agents" })); await user.click(screen.getByRole("button", { name: "Kill All Agents" }));
await waitFor((): void => { await waitFor((): void => {
expect(mockApiPost).toHaveBeenCalledWith( expect(mockApiPost).toHaveBeenCalledWith("/api/mission-control/sessions/internal-1/kill", {
"/api/orchestrator/api/mission-control/sessions/internal-1/kill",
{
force: true, force: true,
} });
);
}); });
expect(mockApiPost).not.toHaveBeenCalledWith( expect(mockApiPost).not.toHaveBeenCalledWith("/api/mission-control/sessions/external-1/kill", {
"/api/orchestrator/api/mission-control/sessions/external-1/kill",
{
force: true, force: true,
} });
);
expect(onComplete).toHaveBeenCalledTimes(1); expect(onComplete).toHaveBeenCalledTimes(1);
}); });
@@ -147,18 +141,12 @@ describe("KillAllDialog", (): void => {
await user.click(screen.getByRole("button", { name: "Kill All Agents" })); await user.click(screen.getByRole("button", { name: "Kill All Agents" }));
await waitFor((): void => { await waitFor((): void => {
expect(mockApiPost).toHaveBeenCalledWith( expect(mockApiPost).toHaveBeenCalledWith("/api/mission-control/sessions/internal-2/kill", {
"/api/orchestrator/api/mission-control/sessions/internal-2/kill",
{
force: true, force: true,
} });
); expect(mockApiPost).toHaveBeenCalledWith("/api/mission-control/sessions/external-2/kill", {
expect(mockApiPost).toHaveBeenCalledWith(
"/api/orchestrator/api/mission-control/sessions/external-2/kill",
{
force: true, force: true,
} });
);
}); });
}); });

7
apps/web/src/components/mission-control/KillAllDialog.tsx
View File

@@ -96,12 +96,9 @@ export function KillAllDialog({ sessions, onComplete }: KillAllDialogProps): Rea
const killRequests = targetSessions.map(async (session) => { const killRequests = targetSessions.map(async (session) => {
try { try {
await apiPost<{ message: string }>( await apiPost<{ message: string }>(`/api/mission-control/sessions/${session.id}/kill`, {
`/api/orchestrator/api/mission-control/sessions/${session.id}/kill`,
{
force: true, force: true,
} });
);
return true; return true;
} catch { } catch {
return false; return false;

9
apps/web/src/components/mission-control/MissionControlLayout.test.tsx
View File

@@ -8,7 +8,6 @@ interface MockButtonProps extends ButtonHTMLAttributes<HTMLButtonElement> {
const mockGlobalAgentRoster = vi.fn(); const mockGlobalAgentRoster = vi.fn();
const mockMissionControlPanel = vi.fn(); const mockMissionControlPanel = vi.fn();
const mockQueueNotificationFeed = vi.fn();
vi.mock("@/components/mission-control/AuditLogDrawer", () => ({ vi.mock("@/components/mission-control/AuditLogDrawer", () => ({
AuditLogDrawer: ({ trigger }: { trigger: ReactNode }): React.JSX.Element => ( AuditLogDrawer: ({ trigger }: { trigger: ReactNode }): React.JSX.Element => (
@@ -32,13 +31,6 @@ vi.mock("@/components/mission-control/MissionControlPanel", () => ({
MIN_PANEL_COUNT: 1, MIN_PANEL_COUNT: 1,
})); }));
vi.mock("@/components/mission-control/QueueNotificationFeed", () => ({
QueueNotificationFeed: (props: unknown): React.JSX.Element => {
mockQueueNotificationFeed(props);
return <div data-testid="queue-notification-feed" />;
},
}));
vi.mock("@/components/ui/button", () => ({ vi.mock("@/components/ui/button", () => ({
Button: ({ children, ...props }: MockButtonProps): React.JSX.Element => ( Button: ({ children, ...props }: MockButtonProps): React.JSX.Element => (
<button {...props}>{children}</button> <button {...props}>{children}</button>
@@ -74,6 +66,5 @@ describe("MissionControlLayout", (): void => {
expect(region.querySelector("main")).toBeInTheDocument(); expect(region.querySelector("main")).toBeInTheDocument();
expect(screen.getByTestId("global-agent-roster")).toBeInTheDocument(); expect(screen.getByTestId("global-agent-roster")).toBeInTheDocument();
expect(screen.getByTestId("mission-control-panel")).toBeInTheDocument(); expect(screen.getByTestId("mission-control-panel")).toBeInTheDocument();
expect(screen.getByTestId("queue-notification-feed")).toBeInTheDocument();
}); });
}); });

6
apps/web/src/components/mission-control/MissionControlLayout.tsx
View File

@@ -9,7 +9,6 @@ import {
MissionControlPanel, MissionControlPanel,
type PanelConfig, type PanelConfig,
} from "@/components/mission-control/MissionControlPanel"; } from "@/components/mission-control/MissionControlPanel";
import { QueueNotificationFeed } from "@/components/mission-control/QueueNotificationFeed";
import { Button } from "@/components/ui/button"; import { Button } from "@/components/ui/button";
const INITIAL_PANELS: PanelConfig[] = [{}]; const INITIAL_PANELS: PanelConfig[] = [{}];
@@ -95,7 +94,7 @@ export function MissionControlLayout(): React.JSX.Element {
/> />
</header> </header>
<div className="grid min-h-0 flex-1 gap-4 xl:grid-cols-[280px_minmax(0,1fr)_320px]"> <div className="grid min-h-0 flex-1 gap-4 xl:grid-cols-[280px_minmax(0,1fr)]">
<aside className="h-full min-h-0"> <aside className="h-full min-h-0">
<GlobalAgentRoster <GlobalAgentRoster
onSelectSession={handleSelectSession} onSelectSession={handleSelectSession}
@@ -110,9 +109,6 @@ export function MissionControlLayout(): React.JSX.Element {
onExpandPanel={handleExpandPanel} onExpandPanel={handleExpandPanel}
/> />
</main> </main>
<aside className="h-full min-h-0">
<QueueNotificationFeed />
</aside>
</div> </div>
</section> </section>
); );

16
apps/web/src/components/mission-control/PanelControls.test.tsx
View File

@@ -89,7 +89,7 @@ describe("PanelControls", (): void => {
await waitFor((): void => { await waitFor((): void => {
expect(mockApiPost).toHaveBeenCalledWith( expect(mockApiPost).toHaveBeenCalledWith(
"/api/orchestrator/api/mission-control/sessions/session%20with%20space/pause", "/api/mission-control/sessions/session%20with%20space/pause",
undefined undefined
); );
}); });
@@ -114,12 +114,9 @@ describe("PanelControls", (): void => {
await user.click(screen.getByRole("button", { name: "Confirm" })); await user.click(screen.getByRole("button", { name: "Confirm" }));
await waitFor((): void => { await waitFor((): void => {
expect(mockApiPost).toHaveBeenCalledWith( expect(mockApiPost).toHaveBeenCalledWith("/api/mission-control/sessions/session-4/kill", {
"/api/orchestrator/api/mission-control/sessions/session-4/kill",
{
force: false, force: false,
} });
);
}); });
expect(onStatusChange).toHaveBeenCalledWith("killed"); expect(onStatusChange).toHaveBeenCalledWith("killed");
@@ -140,12 +137,9 @@ describe("PanelControls", (): void => {
await user.click(screen.getByRole("button", { name: "Confirm" })); await user.click(screen.getByRole("button", { name: "Confirm" }));
await waitFor((): void => { await waitFor((): void => {
expect(mockApiPost).toHaveBeenCalledWith( expect(mockApiPost).toHaveBeenCalledWith("/api/mission-control/sessions/session-5/kill", {
"/api/orchestrator/api/mission-control/sessions/session-5/kill",
{
force: true, force: true,
} });
);
}); });
expect(onStatusChange).toHaveBeenCalledWith("killed"); expect(onStatusChange).toHaveBeenCalledWith("killed");

8
apps/web/src/components/mission-control/PanelControls.tsx
View File

@@ -50,23 +50,23 @@ export function PanelControls({
switch (action) { switch (action) {
case "pause": case "pause":
await apiPost<{ message: string }>( await apiPost<{ message: string }>(
`/api/orchestrator/api/mission-control/sessions/${encodeURIComponent(sessionId)}/pause` `/api/mission-control/sessions/${encodeURIComponent(sessionId)}/pause`
); );
return { nextStatus: "paused" }; return { nextStatus: "paused" };
case "resume": case "resume":
await apiPost<{ message: string }>( await apiPost<{ message: string }>(
`/api/orchestrator/api/mission-control/sessions/${encodeURIComponent(sessionId)}/resume` `/api/mission-control/sessions/${encodeURIComponent(sessionId)}/resume`
); );
return { nextStatus: "active" }; return { nextStatus: "active" };
case "graceful-kill": case "graceful-kill":
await apiPost<{ message: string }>( await apiPost<{ message: string }>(
`/api/orchestrator/api/mission-control/sessions/${encodeURIComponent(sessionId)}/kill`, `/api/mission-control/sessions/${encodeURIComponent(sessionId)}/kill`,
{ force: false } { force: false }
); );
return { nextStatus: "killed" }; return { nextStatus: "killed" };
case "force-kill": case "force-kill":
await apiPost<{ message: string }>( await apiPost<{ message: string }>(
`/api/orchestrator/api/mission-control/sessions/${encodeURIComponent(sessionId)}/kill`, `/api/mission-control/sessions/${encodeURIComponent(sessionId)}/kill`,
{ force: true } { force: true }
); );
return { nextStatus: "killed" }; return { nextStatus: "killed" };

225
apps/web/src/components/mission-control/QueueNotificationFeed.test.tsx
View File

@@ -1,225 +0,0 @@
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { act, render, screen, waitFor } from "@testing-library/react";
import userEvent from "@testing-library/user-event";
import type { ButtonHTMLAttributes, HTMLAttributes, ReactNode } from "react";
vi.mock("date-fns", () => ({
formatDistanceToNow: (): string => "5 minutes ago",
}));
interface MockButtonProps extends ButtonHTMLAttributes<HTMLButtonElement> {
children: ReactNode;
}
interface MockContainerProps extends HTMLAttributes<HTMLElement> {
children: ReactNode;
}
interface MockEventSourceInstance {
url: string;
onerror: ((event: Event) => void) | null;
onmessage: ((event: MessageEvent<string>) => void) | null;
close: ReturnType<typeof vi.fn>;
emitMessage: (payload: unknown) => void;
}
interface QueueNotification {
id: string;
agent: string;
filename: string;
payload: unknown;
createdAt: string;
}
const mockApiGet = vi.fn<(endpoint: string) => Promise<QueueNotification[]>>();
const mockApiPost = vi.fn<(endpoint: string) => Promise<{ success: true; id: string }>>();
const mockShowToast = vi.fn<(message: string, variant?: string) => void>();
let mockEventSourceInstances: MockEventSourceInstance[] = [];
const MockEventSource = vi.fn(function (this: MockEventSourceInstance, url: string): void {
this.url = url;
this.onerror = null;
this.onmessage = null;
this.close = vi.fn();
this.emitMessage = (payload: unknown): void => {
this.onmessage?.(new MessageEvent("message", { data: JSON.stringify(payload) }));
};
mockEventSourceInstances.push(this);
});
vi.mock("@/lib/api/client", () => ({
apiGet: (endpoint: string): Promise<QueueNotification[]> => mockApiGet(endpoint),
apiPost: (endpoint: string): Promise<{ success: true; id: string }> => mockApiPost(endpoint),
}));
vi.mock("@mosaic/ui", () => ({
useToast: (): { showToast: typeof mockShowToast; removeToast: ReturnType<typeof vi.fn> } => ({
showToast: mockShowToast,
removeToast: vi.fn(),
}),
}));
vi.mock("@/components/ui/button", () => ({
Button: ({ children, ...props }: MockButtonProps): React.JSX.Element => (
<button {...props}>{children}</button>
),
}));
vi.mock("@/components/ui/badge", () => ({
Badge: ({ children, ...props }: MockContainerProps): React.JSX.Element => (
<span {...props}>{children}</span>
),
}));
vi.mock("@/components/ui/card", () => ({
Card: ({ children, ...props }: MockContainerProps): React.JSX.Element => (
<section {...props}>{children}</section>
),
CardHeader: ({ children, ...props }: MockContainerProps): React.JSX.Element => (
<header {...props}>{children}</header>
),
CardContent: ({ children, ...props }: MockContainerProps): React.JSX.Element => (
<div {...props}>{children}</div>
),
CardTitle: ({ children, ...props }: MockContainerProps): React.JSX.Element => (
<h2 {...props}>{children}</h2>
),
}));
vi.mock("@/components/ui/collapsible", () => ({
Collapsible: ({ children }: MockContainerProps): React.JSX.Element => <div>{children}</div>,
}));
vi.mock("@/components/ui/scroll-area", () => ({
ScrollArea: ({ children, ...props }: MockContainerProps): React.JSX.Element => (
<div {...props}>{children}</div>
),
}));
vi.mock("@/components/ui/skeleton", () => ({
Skeleton: (props: HTMLAttributes<HTMLDivElement>): React.JSX.Element => <div {...props} />,
}));
import { QueueNotificationFeed } from "./QueueNotificationFeed";
function latestEventSource(): MockEventSourceInstance {
const instance = mockEventSourceInstances[mockEventSourceInstances.length - 1];
if (!instance) {
throw new Error("Expected an EventSource instance");
}
return instance;
}
function makeNotification(overrides: Partial<QueueNotification>): QueueNotification {
return {
id: "notif-1",
agent: "mosaic",
filename: "notif-1.json",
payload: {
taskId: "MS24-WEB-001",
eventType: "task.ready",
},
createdAt: "2026-03-08T23:00:00.000Z",
...overrides,
};
}
describe("QueueNotificationFeed", (): void => {
beforeEach((): void => {
vi.clearAllMocks();
vi.stubGlobal("EventSource", MockEventSource);
vi.stubGlobal("fetch", vi.fn());
mockEventSourceInstances = [];
mockApiGet.mockResolvedValue([]);
mockApiPost.mockResolvedValue({ success: true, id: "notif-1" });
});
afterEach((): void => {
vi.unstubAllGlobals();
});
it("loads and renders notifications grouped by agent", async (): Promise<void> => {
mockApiGet.mockResolvedValue([
makeNotification({ id: "notif-1", agent: "mosaic" }),
makeNotification({
id: "notif-2",
agent: "dyor",
payload: { taskId: "MS24-WEB-002", eventType: "task.blocked" },
}),
]);
render(<QueueNotificationFeed />);
await waitFor((): void => {
expect(mockApiGet).toHaveBeenCalledWith("/api/orchestrator/api/queue/notifications");
});
expect(screen.getByText("mosaic")).toBeInTheDocument();
expect(screen.getByText("dyor")).toBeInTheDocument();
expect(screen.getByText("MS24-WEB-001")).toBeInTheDocument();
expect(screen.getByText("task.ready")).toBeInTheDocument();
expect(screen.getAllByText("5 minutes ago")).toHaveLength(2);
expect(MockEventSource).toHaveBeenCalledWith("/api/orchestrator/queue/notifications/stream");
});
it("acknowledges a notification and removes it from the list", async (): Promise<void> => {
const user = userEvent.setup();
mockApiGet.mockResolvedValue([makeNotification({ id: "notif-ack" })]);
render(<QueueNotificationFeed />);
await waitFor((): void => {
expect(screen.getByText("MS24-WEB-001")).toBeInTheDocument();
});
await user.click(screen.getByRole("button", { name: "ACK notification MS24-WEB-001" }));
await waitFor((): void => {
expect(mockApiPost).toHaveBeenCalledWith(
"/api/orchestrator/api/queue/notifications/notif-ack/ack"
);
});
await waitFor((): void => {
expect(screen.getByText("No pending notifications")).toBeInTheDocument();
});
});
it("renders the empty state when there are no notifications", async (): Promise<void> => {
mockApiGet.mockResolvedValue([]);
render(<QueueNotificationFeed />);
await waitFor((): void => {
expect(screen.getByText("No pending notifications")).toBeInTheDocument();
});
});
it("refreshes the list when an SSE message arrives", async (): Promise<void> => {
mockApiGet.mockResolvedValue([makeNotification({ id: "notif-before" })]);
render(<QueueNotificationFeed />);
await waitFor((): void => {
expect(screen.getByText("MS24-WEB-001")).toBeInTheDocument();
});
act(() => {
latestEventSource().emitMessage([
makeNotification({
id: "notif-after",
agent: "sage",
payload: { taskId: "MS24-WEB-003", eventType: "task.failed" },
}),
]);
});
await waitFor((): void => {
expect(screen.getByText("sage")).toBeInTheDocument();
expect(screen.getByText("MS24-WEB-003")).toBeInTheDocument();
expect(screen.getByText("task.failed")).toBeInTheDocument();
});
});
});

332
apps/web/src/components/mission-control/QueueNotificationFeed.tsx
View File

@@ -1,332 +0,0 @@
"use client";
import { useCallback, useEffect, useMemo, useState } from "react";
import { formatDistanceToNow } from "date-fns";
import { BellOff, ChevronLeft, ChevronRight, Loader2 } from "lucide-react";
import { useToast } from "@mosaic/ui";
import { Badge } from "@/components/ui/badge";
import { Button } from "@/components/ui/button";
import { Card, CardContent, CardHeader, CardTitle } from "@/components/ui/card";
import { Collapsible } from "@/components/ui/collapsible";
import { ScrollArea } from "@/components/ui/scroll-area";
import { Skeleton } from "@/components/ui/skeleton";
import { apiGet, apiPost } from "@/lib/api/client";
export interface QueueNotificationFeedProps {
className?: string;
}
interface QueueNotification {
id: string;
agent: string;
filename: string;
payload: unknown;
createdAt: string;
}
interface QueuePayloadRecord {
taskId?: unknown;
type?: unknown;
eventType?: unknown;
event?: unknown;
}
interface NotificationGroup {
agent: string;
notifications: QueueNotification[];
}
const NOTIFICATIONS_ENDPOINT = "/api/orchestrator/api/queue/notifications";
const NOTIFICATIONS_STREAM_ENDPOINT = "/api/orchestrator/queue/notifications/stream";
function joinClasses(...classes: (string | undefined)[]): string {
return classes.filter((value) => typeof value === "string" && value.length > 0).join(" ");
}
function asPayloadRecord(payload: unknown): QueuePayloadRecord | null {
if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
return null;
}
return payload as QueuePayloadRecord;
}
function getNotificationTaskId(notification: QueueNotification): string {
const payload = asPayloadRecord(notification.payload);
return typeof payload?.taskId === "string" && payload.taskId.trim().length > 0
? payload.taskId
: notification.id;
}
function getNotificationEventType(notification: QueueNotification): string {
const payload = asPayloadRecord(notification.payload);
const candidates = [payload?.eventType, payload?.type, payload?.event];
for (const candidate of candidates) {
if (typeof candidate === "string" && candidate.trim().length > 0) {
return candidate;
}
}
return "notification";
}
function formatNotificationAge(createdAt: string): string {
const parsedDate = new Date(createdAt);
if (Number.isNaN(parsedDate.getTime())) {
return "just now";
}
return formatDistanceToNow(parsedDate, { addSuffix: true });
}
function groupNotificationsByAgent(notifications: QueueNotification[]): NotificationGroup[] {
const grouped = new Map<string, QueueNotification[]>();
for (const notification of notifications) {
const current = grouped.get(notification.agent) ?? [];
current.push(notification);
grouped.set(notification.agent, current);
}
return Array.from(grouped.entries())
.sort(([leftAgent], [rightAgent]) => leftAgent.localeCompare(rightAgent))
.map(([agent, items]) => ({
agent,
notifications: [...items].sort(
(left, right) => new Date(right.createdAt).getTime() - new Date(left.createdAt).getTime()
),
}));
}
export function QueueNotificationFeed({
className,
}: QueueNotificationFeedProps): React.JSX.Element {
const { showToast } = useToast();
const [notifications, setNotifications] = useState<QueueNotification[]>([]);
const [isLoading, setIsLoading] = useState(true);
const [errorMessage, setErrorMessage] = useState<string | null>(null);
const [acknowledgingIds, setAcknowledgingIds] = useState<Record<string, boolean>>({});
const [isCollapsed, setIsCollapsed] = useState(false);
const [now, setNow] = useState(Date.now());
const refreshNotifications = useCallback(async (): Promise<void> => {
try {
const payload = await apiGet<QueueNotification[]>(NOTIFICATIONS_ENDPOINT);
setNotifications(payload);
setErrorMessage(null);
} catch (error) {
const message =
error instanceof Error && error.message.trim().length > 0
? error.message
: "Failed to load queue notifications.";
setErrorMessage(message);
} finally {
setIsLoading(false);
}
}, []);
useEffect(() => {
void refreshNotifications();
}, [refreshNotifications]);
useEffect(() => {
if (typeof EventSource === "undefined") {
return undefined;
}
const source = new EventSource(NOTIFICATIONS_STREAM_ENDPOINT);
source.onmessage = (event: MessageEvent<string>): void => {
try {
const payload = JSON.parse(event.data) as QueueNotification[];
setNotifications(payload);
setErrorMessage(null);
setIsLoading(false);
} catch {
setErrorMessage("Received an invalid notification stream payload.");
}
};
source.onerror = (): void => {
setErrorMessage((current) => current ?? "Queue notification stream disconnected.");
};
return (): void => {
source.close();
};
}, []);
useEffect(() => {
const intervalId = window.setInterval(() => {
setNow(Date.now());
}, 60_000);
return (): void => {
window.clearInterval(intervalId);
};
}, []);
const groupedNotifications = useMemo(
() => groupNotificationsByAgent(notifications),
[notifications]
);
const pendingCount = notifications.length;
const handleAck = useCallback(
async (notificationId: string): Promise<void> => {
setAcknowledgingIds((current) => ({
...current,
[notificationId]: true,
}));
try {
await apiPost<{ success: true; id: string }>(
`/api/orchestrator/api/queue/notifications/${encodeURIComponent(notificationId)}/ack`
);
setNotifications((current) => current.filter((item) => item.id !== notificationId));
} catch (error) {
const message =
error instanceof Error && error.message.trim().length > 0
? error.message
: "Failed to acknowledge notification.";
showToast(message, "error");
} finally {
setAcknowledgingIds((current) => {
const { [notificationId]: _omitted, ...remaining } = current;
return remaining;
});
}
},
[showToast]
);
return (
<Card className={joinClasses("flex h-full min-h-0 flex-col", className)}>
<CardHeader className="pb-2">
<div className="flex items-start justify-between gap-2">
<div className="flex min-w-0 items-center gap-2">
<CardTitle className="text-base">Queue Notifications</CardTitle>
<Badge variant={pendingCount > 0 ? "status-info" : "secondary"}>{pendingCount}</Badge>
</div>
<Button
type="button"
variant="ghost"
size="icon"
className="h-7 w-7"
onClick={() => {
setIsCollapsed((current) => !current);
}}
aria-label={isCollapsed ? "Expand queue notifications" : "Collapse queue notifications"}
title={isCollapsed ? "Expand queue notifications" : "Collapse queue notifications"}
>
{isCollapsed ? (
<ChevronLeft className="h-4 w-4" aria-hidden="true" />
) : (
<ChevronRight className="h-4 w-4" aria-hidden="true" />
)}
</Button>
</div>
</CardHeader>
<Collapsible open={!isCollapsed} className="min-h-0 flex-1">
{!isCollapsed ? (
<CardContent className="min-h-0 flex-1 px-3 pb-3">
{isLoading ? (
<ScrollArea className="h-full">
<div className="space-y-2 pr-1">
{Array.from({ length: 6 }).map((_, index) => (
<Skeleton
key={`queue-notification-skeleton-${String(index)}`}
className="h-14 w-full"
/>
))}
</div>
</ScrollArea>
) : errorMessage && notifications.length === 0 ? (
<div className="flex h-full items-center justify-center px-4 text-center text-sm text-red-500">
{errorMessage}
</div>
) : groupedNotifications.length === 0 ? (
<div className="flex h-full flex-col items-center justify-center gap-2 text-center text-sm text-muted-foreground">
<BellOff className="h-5 w-5" aria-hidden="true" />
<span>No pending notifications</span>
</div>
) : (
<ScrollArea className="h-full">
<div className="space-y-4 pr-1">
{groupedNotifications.map((group) => (
<section key={group.agent} className="space-y-2">
<div className="flex items-center justify-between gap-2">
<h3 className="text-sm font-semibold text-foreground">{group.agent}</h3>
<span className="text-xs text-muted-foreground">
{group.notifications.length}
</span>
</div>
<div className="space-y-2">
{group.notifications.map((notification) => {
const taskId = getNotificationTaskId(notification);
const eventType = getNotificationEventType(notification);
const isAcknowledging = acknowledgingIds[notification.id] ?? false;
return (
<article
key={notification.id}
className="rounded-lg border border-border/70 bg-card px-3 py-2"
>
<div className="flex items-start justify-between gap-3">
<div className="min-w-0 space-y-1">
<div className="flex flex-wrap items-center gap-2">
<span className="font-mono text-xs text-foreground">
{taskId}
</span>
<Badge variant="secondary">{eventType}</Badge>
</div>
<time
className="block text-xs text-muted-foreground"
dateTime={notification.createdAt}
>
{formatNotificationAge(notification.createdAt)}
</time>
</div>
<Button
type="button"
variant="outline"
size="sm"
disabled={isAcknowledging}
onClick={() => {
void handleAck(notification.id);
}}
aria-label={`ACK notification ${taskId}`}
>
{isAcknowledging ? (
<span className="flex items-center gap-2">
<Loader2
className="h-4 w-4 animate-spin"
aria-hidden="true"
/>
ACK
</span>
) : (
"ACK"
)}
</Button>
</div>
</article>
);
})}
</div>
</section>
))}
</div>
</ScrollArea>
)}
</CardContent>
) : null}
</Collapsible>
<span className="sr-only" aria-live="polite">
{pendingCount} pending notifications, refreshed at {new Date(now).toISOString()}
</span>
</Card>
);
}

133
apps/web/src/components/mission-control/__tests__/GlobalAgentRoster.test.tsx Normal file
View File

@@ -0,0 +1,133 @@
import type { ReactElement } from "react";
import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
import { render, screen, waitFor } from "@testing-library/react";
import userEvent from "@testing-library/user-event";
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { GlobalAgentRoster } from "../GlobalAgentRoster";
const { mockApiGet, mockApiPost } = vi.hoisted(() => ({
mockApiGet: vi.fn(),
mockApiPost: vi.fn(),
}));
vi.mock("@/lib/api/client", () => ({
apiGet: mockApiGet,
apiPost: mockApiPost,
}));
function renderWithQueryClient(ui: ReactElement): void {
const queryClient = new QueryClient({
defaultOptions: {
queries: { retry: false, gcTime: 0 },
mutations: { retry: false },
},
});
render(<QueryClientProvider client={queryClient}>{ui}</QueryClientProvider>);
}
describe("GlobalAgentRoster (__tests__)", () => {
beforeEach(() => {
vi.clearAllMocks();
vi.stubGlobal("fetch", vi.fn());
mockApiGet.mockReset();
mockApiPost.mockReset();
});
afterEach(() => {
vi.unstubAllGlobals();
});
it("renders empty state when no sessions", async () => {
mockApiGet.mockResolvedValueOnce([]);
renderWithQueryClient(<GlobalAgentRoster />);
expect(await screen.findByText("No active agents")).toBeInTheDocument();
});
it("renders session rows grouped by provider", async () => {
mockApiGet.mockResolvedValueOnce([
{
id: "sess-int-123456",
providerId: "internal",
providerType: "internal",
status: "active",
createdAt: "2026-03-07T19:00:00.000Z",
updatedAt: "2026-03-07T19:00:00.000Z",
},
{
id: "sess-rem-654321",
providerId: "remote-a",
providerType: "remote",
status: "paused",
createdAt: "2026-03-07T19:00:00.000Z",
updatedAt: "2026-03-07T19:00:00.000Z",
},
]);
renderWithQueryClient(<GlobalAgentRoster />);
expect(await screen.findByText("internal")).toBeInTheDocument();
expect(screen.getByText("remote-a (remote)")).toBeInTheDocument();
expect(screen.getByText("sess-int")).toBeInTheDocument();
expect(screen.getByText("sess-rem")).toBeInTheDocument();
});
it("kill button per row calls the API", async () => {
const user = userEvent.setup();
mockApiGet.mockResolvedValueOnce([
{
id: "killme123456",
providerId: "internal",
providerType: "internal",
status: "active",
createdAt: "2026-03-07T19:00:00.000Z",
updatedAt: "2026-03-07T19:00:00.000Z",
},
]);
mockApiPost.mockResolvedValue({ message: "ok" });
renderWithQueryClient(<GlobalAgentRoster />);
const killButton = await screen.findByRole("button", { name: "Kill session killme12" });
await user.click(killButton);
await waitFor(() => {
expect(mockApiPost).toHaveBeenCalledWith("/api/mission-control/sessions/killme123456/kill", {
force: false,
});
});
});
it("onSelectSession callback fires on row click", async () => {
const user = userEvent.setup();
const onSelectSession = vi.fn();
mockApiGet.mockResolvedValueOnce([
{
id: "selectme123456",
providerId: "internal",
providerType: "internal",
status: "active",
createdAt: "2026-03-07T19:00:00.000Z",
updatedAt: "2026-03-07T19:00:00.000Z",
},
]);
renderWithQueryClient(<GlobalAgentRoster onSelectSession={onSelectSession} />);
const sessionLabel = await screen.findByText("selectme");
const row = sessionLabel.closest('[role="button"]');
if (!row) {
throw new Error("Expected session row for selectme123456");
}
await user.click(row);
expect(onSelectSession).toHaveBeenCalledWith("selectme123456");
});
});

96
apps/web/src/components/mission-control/__tests__/KillAllDialog.test.tsx Normal file
View File

@@ -0,0 +1,96 @@
import { render, screen, waitFor } from "@testing-library/react";
import userEvent from "@testing-library/user-event";
import { beforeEach, describe, expect, it, vi } from "vitest";
import type { AgentSession } from "@mosaic/shared";
import { KillAllDialog } from "../KillAllDialog";
import * as apiClient from "@/lib/api/client";
vi.mock("@/lib/api/client", () => ({
apiPost: vi.fn(),
}));
const mockApiPost = vi.mocked(apiClient.apiPost);
const baseDate = new Date("2026-03-07T14:00:00.000Z");
const sessions: AgentSession[] = [
{
id: "session-internal-1",
providerId: "provider-internal-1",
providerType: "internal",
status: "active",
createdAt: baseDate,
updatedAt: baseDate,
},
{
id: "session-internal-2",
providerId: "provider-internal-2",
providerType: "internal",
status: "paused",
createdAt: baseDate,
updatedAt: baseDate,
},
{
id: "session-external-1",
providerId: "provider-openclaw-1",
providerType: "openclaw",
status: "active",
createdAt: baseDate,
updatedAt: baseDate,
},
];
describe("KillAllDialog (__tests__)", () => {
beforeEach(() => {
vi.clearAllMocks();
vi.stubGlobal("fetch", vi.fn());
mockApiPost.mockResolvedValue({ message: "killed" } as never);
});
it('Confirm button disabled until "KILL ALL" typed exactly', async () => {
const user = userEvent.setup();
render(<KillAllDialog sessions={sessions} />);
await user.click(screen.getByRole("button", { name: "Kill All" }));
const input = screen.getByLabelText("Type KILL ALL to confirm");
const confirmButton = screen.getByRole("button", { name: "Kill All Agents" });
expect(confirmButton).toBeDisabled();
await user.type(input, "kill all");
expect(confirmButton).toBeDisabled();
await user.clear(input);
await user.type(input, "KILL ALL");
expect(confirmButton).toBeEnabled();
});
it("fires kill API for each session on confirm", async () => {
const user = userEvent.setup();
render(<KillAllDialog sessions={sessions} />);
await user.click(screen.getByRole("button", { name: "Kill All" }));
await user.click(screen.getByLabelText("All providers (3)"));
await user.type(screen.getByLabelText("Type KILL ALL to confirm"), "KILL ALL");
await user.click(screen.getByRole("button", { name: "Kill All Agents" }));
await waitFor(() => {
expect(mockApiPost).toHaveBeenCalledTimes(3);
});
expect(mockApiPost).toHaveBeenCalledWith(
"/api/mission-control/sessions/session-internal-1/kill",
{ force: true }
);
expect(mockApiPost).toHaveBeenCalledWith(
"/api/mission-control/sessions/session-internal-2/kill",
{ force: true }
);
expect(mockApiPost).toHaveBeenCalledWith(
"/api/mission-control/sessions/session-external-1/kill",
{ force: true }
);
});
});

93
apps/web/src/components/mission-control/__tests__/OrchestratorPanel.test.tsx Normal file
View File

@@ -0,0 +1,93 @@
import { render, screen } from "@testing-library/react";
import { beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
import { OrchestratorPanel } from "../OrchestratorPanel";
import * as missionControlHooks from "@/hooks/useMissionControl";
vi.mock("@/hooks/useMissionControl", () => ({
useSessionStream: vi.fn(),
useSessions: vi.fn(),
}));
vi.mock("@/components/mission-control/PanelControls", () => ({
PanelControls: (): React.JSX.Element => <div data-testid="panel-controls" />,
}));
vi.mock("@/components/mission-control/BargeInInput", () => ({
BargeInInput: ({ sessionId }: { sessionId: string }): React.JSX.Element => (
<div data-testid="barge-in-input">barge-in:{sessionId}</div>
),
}));
vi.mock("date-fns", () => ({
formatDistanceToNow: (): string => "moments ago",
}));
const mockUseSessionStream = vi.mocked(missionControlHooks.useSessionStream);
const mockUseSessions = vi.mocked(missionControlHooks.useSessions);
beforeAll(() => {
Object.defineProperty(window.HTMLElement.prototype, "scrollIntoView", {
configurable: true,
value: vi.fn(),
});
});
describe("OrchestratorPanel (__tests__)", () => {
beforeEach(() => {
vi.clearAllMocks();
mockUseSessionStream.mockReturnValue({
messages: [],
status: "connected",
error: null,
});
mockUseSessions.mockReturnValue({
sessions: [],
loading: false,
error: null,
});
});
it("renders empty state when no sessionId", () => {
render(<OrchestratorPanel />);
expect(screen.getByText("Select an agent to view its stream")).toBeInTheDocument();
});
it("renders connection indicator", () => {
const { container } = render(<OrchestratorPanel sessionId="session-1" />);
expect(screen.getByText("Connected")).toBeInTheDocument();
expect(container.querySelector(".bg-emerald-500")).toBeInTheDocument();
});
it("renders message list when messages are present", () => {
mockUseSessionStream.mockReturnValue({
messages: [
{
id: "msg-1",
sessionId: "session-1",
role: "assistant",
content: "Mission update one",
timestamp: "2026-03-07T21:00:00.000Z",
},
{
id: "msg-2",
sessionId: "session-1",
role: "tool",
content: "Mission update two",
timestamp: "2026-03-07T21:00:01.000Z",
},
],
status: "connected",
error: null,
});
render(<OrchestratorPanel sessionId="session-1" />);
expect(screen.getByText("Mission update one")).toBeInTheDocument();
expect(screen.getByText("Mission update two")).toBeInTheDocument();
expect(screen.queryByText("Waiting for messages...")).not.toBeInTheDocument();
});
});

70
apps/web/src/components/mission-control/__tests__/PanelControls.test.tsx Normal file
View File

@@ -0,0 +1,70 @@
import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
import { render, screen, waitFor } from "@testing-library/react";
import userEvent from "@testing-library/user-event";
import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
import { PanelControls } from "../PanelControls";
import * as apiClient from "@/lib/api/client";
vi.mock("@/lib/api/client", () => ({
apiPost: vi.fn(),
}));
const mockApiPost = vi.mocked(apiClient.apiPost);
function renderPanelControls(status: string): void {
const queryClient = new QueryClient({
defaultOptions: {
queries: { retry: false },
mutations: { retry: false },
},
});
render(
<QueryClientProvider client={queryClient}>
<PanelControls sessionId="session-1" status={status} />
</QueryClientProvider>
);
}
describe("PanelControls (__tests__)", () => {
beforeEach(() => {
vi.clearAllMocks();
vi.stubGlobal("fetch", vi.fn());
mockApiPost.mockResolvedValue({ message: "ok" } as never);
});
afterEach(() => {
vi.unstubAllGlobals();
});
it("Pause button disabled when status=paused", () => {
renderPanelControls("paused");
expect(screen.getByRole("button", { name: "Pause session" })).toBeDisabled();
});
it("Resume button disabled when status=active", () => {
renderPanelControls("active");
expect(screen.getByRole("button", { name: "Resume session" })).toBeDisabled();
});
it("Kill buttons disabled when status=killed", () => {
renderPanelControls("killed");
expect(screen.getByRole("button", { name: "Gracefully kill session" })).toBeDisabled();
expect(screen.getByRole("button", { name: "Force kill session" })).toBeDisabled();
});
it("clicking pause calls the API", async () => {
const user = userEvent.setup();
renderPanelControls("active");
await user.click(screen.getByRole("button", { name: "Pause session" }));
await waitFor(() => {
expect(mockApiPost).toHaveBeenCalledWith("/api/mission-control/sessions/session-1/pause");
});
});
});

34
apps/web/src/components/mission-control/__tests__/mission-control-phase2.gate.test.tsx Normal file
View File

@@ -0,0 +1,34 @@
import type { ReactNode } from "react";
import { render, screen } from "@testing-library/react";
import { describe, expect, it, vi } from "vitest";
import { MissionControlLayout } from "../MissionControlLayout";
vi.mock("@/components/mission-control/AuditLogDrawer", () => ({
AuditLogDrawer: ({ trigger }: { trigger: ReactNode }): React.JSX.Element => (
<div data-testid="audit-log-drawer">{trigger}</div>
),
}));
vi.mock("@/components/mission-control/GlobalAgentRoster", () => ({
GlobalAgentRoster: (): React.JSX.Element => <div data-testid="global-agent-roster" />,
}));
vi.mock("@/components/mission-control/MissionControlPanel", () => ({
MissionControlPanel: (): React.JSX.Element => <div data-testid="mission-control-panel" />,
MIN_PANEL_COUNT: 1,
MAX_PANEL_COUNT: 6,
}));
describe("Mission Control Phase 2 Gate", () => {
it("Phase 2 gate: MissionControlLayout renders with all components present", () => {
const consoleErrorSpy = vi.spyOn(console, "error").mockImplementation((..._args) => undefined);
render(<MissionControlLayout />);
expect(screen.getByTestId("global-agent-roster")).toBeInTheDocument();
expect(screen.getByTestId("mission-control-panel")).toBeInTheDocument();
expect(consoleErrorSpy).not.toHaveBeenCalled();
consoleErrorSpy.mockRestore();
});
});

1
apps/web/src/components/settings/FleetSettingsNav.tsx
View File

@@ -11,7 +11,6 @@ interface FleetSettingsLink {
const FLEET_SETTINGS_LINKS: FleetSettingsLink[] = [ const FLEET_SETTINGS_LINKS: FleetSettingsLink[] = [
{ href: "/settings/providers", label: "Providers" }, { href: "/settings/providers", label: "Providers" },
{ href: "/settings/agent-providers", label: "Agent Providers" },
{ href: "/settings/agent-config", label: "Agent Config" }, { href: "/settings/agent-config", label: "Agent Config" },
{ href: "/settings/auth", label: "Authentication" }, { href: "/settings/auth", label: "Authentication" },
]; ];

79
apps/web/src/lib/api/agent-providers.test.ts
View File

@@ -1,79 +0,0 @@
import { beforeEach, describe, expect, it, vi } from "vitest";
import * as client from "./client";
import {
createAgentProvider,
deleteAgentProvider,
fetchAgentProviders,
updateAgentProvider,
} from "./agent-providers";
vi.mock("./client");
beforeEach((): void => {
vi.clearAllMocks();
});
describe("fetchAgentProviders", (): void => {
it("calls provider list endpoint", async (): Promise<void> => {
vi.mocked(client.apiGet).mockResolvedValueOnce([] as never);
await fetchAgentProviders();
expect(client.apiGet).toHaveBeenCalledWith("/api/agent-providers");
});
});
describe("createAgentProvider", (): void => {
it("posts create payload", async (): Promise<void> => {
vi.mocked(client.apiPost).mockResolvedValueOnce({ id: "provider-1" } as never);
await createAgentProvider({
name: "openclaw-primary",
provider: "openclaw",
gatewayUrl: "https://openclaw.example.com",
credentials: {
apiToken: "top-secret",
},
isActive: true,
});
expect(client.apiPost).toHaveBeenCalledWith("/api/agent-providers", {
name: "openclaw-primary",
provider: "openclaw",
gatewayUrl: "https://openclaw.example.com",
credentials: {
apiToken: "top-secret",
},
isActive: true,
});
});
});
describe("updateAgentProvider", (): void => {
it("sends PUT request with update payload", async (): Promise<void> => {
vi.mocked(client.apiRequest).mockResolvedValueOnce({ id: "provider-1" } as never);
await updateAgentProvider("provider-1", {
gatewayUrl: "https://new-openclaw.example.com",
isActive: false,
});
expect(client.apiRequest).toHaveBeenCalledWith("/api/agent-providers/provider-1", {
method: "PUT",
body: JSON.stringify({
gatewayUrl: "https://new-openclaw.example.com",
isActive: false,
}),
});
});
});
describe("deleteAgentProvider", (): void => {
it("calls delete endpoint", async (): Promise<void> => {
vi.mocked(client.apiDelete).mockResolvedValueOnce(undefined as never);
await deleteAgentProvider("provider-1");
expect(client.apiDelete).toHaveBeenCalledWith("/api/agent-providers/provider-1");
});
});

61
apps/web/src/lib/api/agent-providers.ts
View File

@@ -1,61 +0,0 @@
import { apiDelete, apiGet, apiPost, apiRequest } from "./client";
export type AgentProviderType = "openclaw";
export interface AgentProviderCredentials {
apiToken?: string;
}
export interface AgentProviderConfig {
id: string;
workspaceId: string;
name: string;
provider: AgentProviderType;
gatewayUrl: string;
credentials: AgentProviderCredentials | null;
isActive: boolean;
createdAt: string;
updatedAt: string;
}
export interface CreateAgentProviderRequest {
name: string;
provider: AgentProviderType;
gatewayUrl: string;
credentials: {
apiToken: string;
};
isActive: boolean;
}
export interface UpdateAgentProviderRequest {
name?: string;
provider?: AgentProviderType;
gatewayUrl?: string;
credentials?: AgentProviderCredentials;
isActive?: boolean;
}
export async function fetchAgentProviders(): Promise<AgentProviderConfig[]> {
return apiGet<AgentProviderConfig[]>("/api/agent-providers");
}
export async function createAgentProvider(
data: CreateAgentProviderRequest
): Promise<AgentProviderConfig> {
return apiPost<AgentProviderConfig>("/api/agent-providers", data);
}
export async function updateAgentProvider(
providerId: string,
data: UpdateAgentProviderRequest
): Promise<AgentProviderConfig> {
return apiRequest<AgentProviderConfig>(`/api/agent-providers/${providerId}`, {
method: "PUT",
body: JSON.stringify(data),
});
}
export async function deleteAgentProvider(providerId: string): Promise<void> {
await apiDelete<unknown>(`/api/agent-providers/${providerId}`);
}

1
apps/web/src/lib/api/index.ts
View File

@@ -18,5 +18,4 @@ export * from "./projects";
export * from "./workspaces"; export * from "./workspaces";
export * from "./admin"; export * from "./admin";
export * from "./fleet-settings"; export * from "./fleet-settings";
export * from "./agent-providers";
export * from "./activity"; export * from "./activity";

28
apps/web/src/providers/ReactQueryProvider.tsx
View File

@@ -1,28 +0,0 @@
"use client";
import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
import { useState, type ReactNode } from "react";
interface ReactQueryProviderProps {
children: ReactNode;
}
export function ReactQueryProvider({ children }: ReactQueryProviderProps): React.JSX.Element {
// Create a stable QueryClient per component mount (one per app session)
const [queryClient] = useState(
() =>
new QueryClient({
defaultOptions: {
queries: {
// Don't refetch on window focus in a dashboard context
refetchOnWindowFocus: false,
// Stale time of 30s — short enough for live data, avoids hammering
staleTime: 30_000,
retry: 1,
},
},
})
);
return <QueryClientProvider client={queryClient}>{children}</QueryClientProvider>;
}

4
docker-compose.swarm.portainer.yml
View File

@@ -316,8 +316,6 @@ services:
SANDBOX_ENABLED: "true" SANDBOX_ENABLED: "true"
# API key for authenticating requests from the web proxy # API key for authenticating requests from the web proxy
ORCHESTRATOR_API_KEY: ${ORCHESTRATOR_API_KEY} ORCHESTRATOR_API_KEY: ${ORCHESTRATOR_API_KEY}
# Prisma database connection (uses the shared openbrain postgres)
DATABASE_URL: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@openbrain_brain-db:5432/${POSTGRES_DB:-mosaic}
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro - /var/run/docker.sock:/var/run/docker.sock:ro
- orchestrator_workspace:/workspace - orchestrator_workspace:/workspace
@@ -333,7 +331,6 @@ services:
start_period: 40s start_period: 40s
networks: networks:
- internal - internal
- openbrain-brain-internal
cap_drop: cap_drop:
- ALL - ALL
cap_add: cap_add:
@@ -406,7 +403,6 @@ services:
networks: networks:
- internal - internal
- traefik-public - traefik-public
- openbrain-brain-internal
deploy: deploy:
restart_policy: restart_policy:
condition: on-failure condition: on-failure

3
docker-compose.yml
View File

@@ -385,9 +385,6 @@ services:
NEXT_PUBLIC_APP_URL: ${NEXT_PUBLIC_APP_URL:-http://localhost:3000} NEXT_PUBLIC_APP_URL: ${NEXT_PUBLIC_APP_URL:-http://localhost:3000}
NEXT_PUBLIC_API_URL: ${NEXT_PUBLIC_API_URL:-http://localhost:3001} NEXT_PUBLIC_API_URL: ${NEXT_PUBLIC_API_URL:-http://localhost:3001}
TRUSTED_ORIGINS: ${TRUSTED_ORIGINS:-} TRUSTED_ORIGINS: ${TRUSTED_ORIGINS:-}
GITEA_WEBHOOK_SECRET: ${GITEA_WEBHOOK_SECRET:-}
GITEA_API_TOKEN: ${GITEA_API_TOKEN:-}
GATEKEEPER_ENABLED: ${GATEKEEPER_ENABLED:-true}
volumes: volumes:
- openbao_init:/openbao/init:ro - openbao_init:/openbao/init:ro
ports: ports:

15
docs/1-getting-started/3-configuration/1-environment.md
View File

@@ -94,21 +94,6 @@ OIDC_REDIRECT_URI=http://localhost:3001/auth/oauth2/callback/authentik
See [Authentik Setup](2-authentik.md) for complete OIDC configuration. See [Authentik Setup](2-authentik.md) for complete OIDC configuration.
## Webhooks and Merge Automation
```bash
# Gitea webhook validation secret for /api/gatekeeper/webhook/gitea
GITEA_WEBHOOK_SECRET=your-random-webhook-secret
# Personal access token used by Gatekeeper to comment on and merge PRs
GITEA_API_TOKEN=your-gitea-api-token
# Master switch for the Gatekeeper auto-merge workflow
GATEKEEPER_ENABLED=true
```
Use a dedicated Gitea token with the minimum repository scope needed to comment on pull requests and perform merges.
## Cache and Storage ## Cache and Storage
### Valkey (Redis-compatible) ### Valkey (Redis-compatible)

36
docs/CHANGELOG.md
View File

@@ -62,39 +62,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Updated Makefile with Traefik deployment shortcuts - Updated Makefile with Traefik deployment shortcuts
- Enhanced docker-compose.override.yml.example with Traefik examples - Enhanced docker-compose.override.yml.example with Traefik examples
## [0.0.23] - 2026-03-07
### Added
- **Mission Control Dashboard** — real-time agent orchestration UI at `/mission-control`
- Live SSE message streams per agent (`OrchestratorPanel`)
- Barge-in input with optional pause-before-send
- Pause / Resume / Graceful Kill / Force Kill controls per agent panel
- Global agent roster sidebar with tree view and per-agent kill
- KillAllDialog with scope selector (requires typing `KILL ALL` to confirm)
- AuditLogDrawer with paginated operator action history
- Responsive panel grid: up to 6 panels, add/remove, full-screen expand
- **Agent Provider Interface** — extensible `IAgentProvider` plugin system
- `InternalAgentProvider` wrapping existing orchestrator services
- `AgentProviderRegistry` aggregating sessions across providers
- `AgentProviderConfig` CRUD API (`/api/agent-providers`)
- Mission Control proxy API (`/api/mission-control/*`) with SSE proxying and audit log
- **OpenClaw Provider Adapter** — connect external OpenClaw instances
- `OpenClawProvider` implementing `IAgentProvider` against OpenClaw REST API
- Dedicated `OpenClawSseBridge` with retry logic (5 retries, 2s backoff)
- Provider config UI in Settings for registering OpenClaw gateways
- Tokens encrypted at rest via `EncryptionService` (AES-256-GCM)
- **OperatorAuditLog** — every inject/pause/resume/kill persisted to DB
### Changed
- Orchestrator app: extended with `AgentsModule` exports for provider registry
- Settings navigation: added "Agent Providers" section
### Fixed
- Flaky web tests: async query timing in Kanban and OnboardingWizard tests
## [0.0.1] - 2026-01-28 ## [0.0.1] - 2026-01-28
### Added ### Added
@@ -112,6 +79,5 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Documentation structure (Bookstack-compatible hierarchy) - Documentation structure (Bookstack-compatible hierarchy)
- Development workflow and coding standards - Development workflow and coding standards
[Unreleased]: https://git.mosaicstack.dev/mosaic/stack/compare/v0.0.23...HEAD [Unreleased]: https://git.mosaicstack.dev/mosaic/stack/compare/v0.0.1...HEAD
[0.0.23]: https://git.mosaicstack.dev/mosaic/stack/releases/tag/v0.0.23
[0.0.1]: https://git.mosaicstack.dev/mosaic/stack/releases/tag/v0.0.1 [0.0.1]: https://git.mosaicstack.dev/mosaic/stack/releases/tag/v0.0.1

16
docs/ROADMAP.md
View File

@@ -1,6 +1,6 @@
# Mosaic Stack Roadmap # Mosaic Stack Roadmap
**Last Updated:** 2026-03-07 **Last Updated:** 2026-01-29
**Authoritative Source:** [Issues & Milestones](https://git.mosaicstack.dev/mosaic/stack/issues) **Authoritative Source:** [Issues & Milestones](https://git.mosaicstack.dev/mosaic/stack/issues)
## Versioning Policy ## Versioning Policy
@@ -12,20 +12,6 @@
| `0.x.y` | Pre-stable iteration, API may change with notice | | `0.x.y` | Pre-stable iteration, API may change with notice |
| `1.0.0` | Stable release, public API contract | | `1.0.0` | Stable release, public API contract |
## Release Track (Current)
### ✅ v0.0.23 — Mission Control Dashboard (Complete)
- Mission Control dashboard shipped at `/mission-control`
- Agent provider plugin system and Mission Control proxy API shipped
- OpenClaw provider adapter shipped with encrypted token storage
- Operator audit logging persisted for inject/pause/resume/kill actions
### 📋 v0.0.24 — Placeholder
- Scope TBD (to be defined after v0.0.23 production deployment)
- Initial release notes and roadmap breakdown pending
--- ---
## Milestone Overview ## Milestone Overview

28
docs/TASKS.md
View File

@@ -120,7 +120,7 @@ Target version: `v0.0.23`
### Phase 0 — Backend Core (Foundation) ### Phase 0 — Backend Core (Foundation)
| id | status | milestone | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | notes | | id | status | milestone | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | notes |
| ----------- | ------ | ------------- | ------------------------------------------------------------------------------------------------ | ----- | ------------ | ---------------------- | ----------------------------------------------- | ----------------------------------------------------------- | ----- | ---------- | ------------ | -------- | ---- | --------------------------------------------- | | ----------- | ----------- | ------------- | ------------------------------------------------------------------------------------------------ | ----- | ------------ | ---------------------- | ----------------------------------------------- | ----------------------------------------------------------- | ----- | ---------- | ------------ | -------- | ---- | --------------------------------------------- |
| MS23-P0-001 | done | p0-foundation | Prisma schema: AgentConversationMessage, AgentSessionTree, AgentProviderConfig, OperatorAuditLog | #693 | api | feat/ms23-p0-schema | — | MS23-P0-002,MS23-P0-003,MS23-P0-004,MS23-P0-005,MS23-P1-001 | codex | 2026-03-06 | 2026-03-06 | 15K | — | taskSource field per mosaic-queue note in PRD | | MS23-P0-001 | done | p0-foundation | Prisma schema: AgentConversationMessage, AgentSessionTree, AgentProviderConfig, OperatorAuditLog | #693 | api | feat/ms23-p0-schema | — | MS23-P0-002,MS23-P0-003,MS23-P0-004,MS23-P0-005,MS23-P1-001 | codex | 2026-03-06 | 2026-03-06 | 15K | — | taskSource field per mosaic-queue note in PRD |
| MS23-P0-002 | done | p0-foundation | Agent message ingestion: wire spawner/lifecycle to write messages to DB | #693 | orchestrator | feat/ms23-p0-ingestion | MS23-P0-001 | MS23-P0-006 | codex | 2026-03-06 | 2026-03-07 | 20K | — | | | MS23-P0-002 | done | p0-foundation | Agent message ingestion: wire spawner/lifecycle to write messages to DB | #693 | orchestrator | feat/ms23-p0-ingestion | MS23-P0-001 | MS23-P0-006 | codex | 2026-03-06 | 2026-03-07 | 20K | — | |
| MS23-P0-003 | done | p0-foundation | Orchestrator API: GET /agents/:id/messages + SSE stream endpoint | #693 | orchestrator | feat/ms23-p0-stream | MS23-P0-001 | MS23-P0-006 | codex | 2026-03-06 | 2026-03-07 | 20K | — | | | MS23-P0-003 | done | p0-foundation | Orchestrator API: GET /agents/:id/messages + SSE stream endpoint | #693 | orchestrator | feat/ms23-p0-stream | MS23-P0-001 | MS23-P0-006 | codex | 2026-03-06 | 2026-03-07 | 20K | — | |
@@ -183,29 +183,3 @@ Target version: `v0.0.23`
| **Total** | **29** | **~478K** | | **Total** | **29** | **~478K** |
Recommended dispatch: Codex for Phase 2 UI + routine API tasks; Sonnet for complex streaming logic (P0-003, P1-005, P3-002). Recommended dispatch: Codex for Phase 2 UI + routine API tasks; Sonnet for complex streaming logic (P0-003, P1-005, P3-002).
---
## MS24 — Queue Integration in Mission Control
PRD: Issue #749
Milestone: `0.0.24`
Target version: `v0.0.24`
> Single-writer: orchestrator (Jarvis/OpenClaw) only. Workers read but never modify.
| id | status | milestone | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | notes |
| ------------ | ------ | --------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- | ----- | -------------------- | ------------ | ------------ | ----- | ---------- | ------------ | -------- | ---- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| MS24-API-001 | done | p0-api | QueueNotificationsModule: GET /notifications, GET /notifications/stream (SSE), POST /notifications/:id/ack, GET /tasks. Auth: ApiKeyGuard. Unit tests included. | #749 | api | feat/ms24-queue-api | — | MS24-WEB-001 | — | — | — | 25K | — | Guard: ApiKeyGuard from src/common/guards/api-key.guard.ts (COORDINATOR_API_KEY). SSE via raw express Response + chokidar. Fail-soft if inbox dir missing. |
| MS24-API-002 | done | p0-api | Woodpecker CI webhook → agent notification: POST /api/webhooks/woodpecker, HMAC-SHA256 verify, scan agent-state active dir, fire mosaic-queue notification to matched agent | #749 | api | feat/ms24-ci-webhook | MS24-API-001 | MS24-VER-001 | codex | 2026-03-08 | — | 15K | — | event: completed/failed. @SkipCsrf, no auth guard. Also adds notify-webhook step to .woodpecker/ci.yml |
| MS24-WEB-001 | done | p0-ui | QueueNotificationFeed component + MissionControlLayout wiring (right sidebar panel, badge count) | #749 | web | feat/ms24-queue-ui | MS24-API-001 | MS24-VER-001 | — | — | — | 20K | — | SSE to /api/queue/notifications/stream. ACK button. Collapsible panel in MissionControlLayout.tsx. |
| MS24-VER-001 | done | p0-verify | CI green, no regressions, deploy to prod, tag v0.0.24 | #749 | stack | — | MS24-WEB-001 | — | — | — | — | 5K | — | |
### MS24 Budget Summary
| Phase | Tasks | Estimate |
| --------- | ----- | -------- |
| API | 1 | ~25K |
| UI | 1 | ~20K |
| Verify | 1 | ~5K |
| **Total** | **3** | **~50K** |

2
docs/harbor-tag-retention-policy.md
View File

@@ -14,7 +14,7 @@ Images are tagged based on branch and event type:
### Tag Meanings ### Tag Meanings
| Tag | Purpose | Stability | | Tag | Purpose | Stability |
| -------------------------- | -------------------------------- | --------- | | -------------------------- | ---------------------------------- | --------- |
| `latest` | Current build from `main` | Latest | | `latest` | Current build from `main` | Latest |
| `v*` (e.g., `v1.0.0`) | Versioned release | Immutable | | `v*` (e.g., `v1.0.0`) | Versioned release | Immutable |
| `{sha}` (e.g., `658ec077`) | Specific commit for traceability | Immutable | | `{sha}` (e.g., `658ec077`) | Specific commit for traceability | Immutable |

18
docs/scratchpads/272-rate-limiting.md
View File

@@ -3,7 +3,6 @@
## Objective ## Objective
Implement rate limiting on all federation endpoints to prevent denial-of-service (DoS) attacks. Federation endpoints currently have no rate limiting, allowing attackers to: Implement rate limiting on all federation endpoints to prevent denial-of-service (DoS) attacks. Federation endpoints currently have no rate limiting, allowing attackers to:
- Overwhelm the server with connection requests - Overwhelm the server with connection requests
- Flood token validation endpoints - Flood token validation endpoints
- Exhaust system resources - Exhaust system resources
@@ -13,7 +12,6 @@ Implement rate limiting on all federation endpoints to prevent denial-of-service
**Severity:** P0 (Critical) - Blocks production deployment **Severity:** P0 (Critical) - Blocks production deployment
**Attack Vector:** Unauthenticated public endpoints allow unlimited requests **Attack Vector:** Unauthenticated public endpoints allow unlimited requests
**Risk:** System can be brought down by flooding requests to: **Risk:** System can be brought down by flooding requests to:
1. `POST /api/v1/federation/incoming/connect` (Public, no auth) 1. `POST /api/v1/federation/incoming/connect` (Public, no auth)
2. `POST /api/v1/federation/auth/validate` (Public, no auth) 2. `POST /api/v1/federation/auth/validate` (Public, no auth)
3. All other endpoints (authenticated, but can be abused) 3. All other endpoints (authenticated, but can be abused)
@@ -21,19 +19,15 @@ Implement rate limiting on all federation endpoints to prevent denial-of-service
## Approach ## Approach
### 1. Install @nestjs/throttler ### 1. Install @nestjs/throttler
Use NestJS's official rate limiting package which integrates with the framework's guard system. Use NestJS's official rate limiting package which integrates with the framework's guard system.
### 2. Configure Rate Limits ### 2. Configure Rate Limits
Tiered rate limiting strategy: Tiered rate limiting strategy:
- **Public endpoints:** Strict limits (5 req/min per IP) - **Public endpoints:** Strict limits (5 req/min per IP)
- **Authenticated endpoints:** Moderate limits (20 req/min per user) - **Authenticated endpoints:** Moderate limits (20 req/min per user)
- **Admin endpoints:** Higher limits (50 req/min per user) - **Admin endpoints:** Higher limits (50 req/min per user)
### 3. Implementation Strategy ### 3. Implementation Strategy
1. Add `@nestjs/throttler` dependency 1. Add `@nestjs/throttler` dependency
2. Configure ThrottlerModule globally 2. Configure ThrottlerModule globally
3. Apply custom rate limits per endpoint using decorators 3. Apply custom rate limits per endpoint using decorators
@@ -59,7 +53,6 @@ Tiered rate limiting strategy:
**COMPLETE** - Rate limiting successfully implemented on all federation endpoints. **COMPLETE** - Rate limiting successfully implemented on all federation endpoints.
**Security Impact:** MITIGATED **Security Impact:** MITIGATED
- DoS vulnerability eliminated via rate limiting - DoS vulnerability eliminated via rate limiting
- Public endpoints protected with strict limits (3 req/sec) - Public endpoints protected with strict limits (3 req/sec)
- Authenticated endpoints have moderate limits (20 req/min) - Authenticated endpoints have moderate limits (20 req/min)
@@ -68,7 +61,6 @@ Tiered rate limiting strategy:
## Baseline Quality Status ## Baseline Quality Status
**Pre-existing Technical Debt** (NOT introduced by this fix): **Pre-existing Technical Debt** (NOT introduced by this fix):
- 29 TypeScript errors in apps/api (federation + runner-jobs) - 29 TypeScript errors in apps/api (federation + runner-jobs)
- Federation: Missing Prisma schema types (`FederationConnectionStatus`, `Instance`, `federatedIdentity`) - Federation: Missing Prisma schema types (`FederationConnectionStatus`, `Instance`, `federatedIdentity`)
- Runner Jobs: Missing `version` field in schema - Runner Jobs: Missing `version` field in schema
@@ -76,7 +68,6 @@ Tiered rate limiting strategy:
- **My changes introduced 0 new errors** - **My changes introduced 0 new errors**
**Quality Assessment:** **Quality Assessment:**
- ✅ Tier 1 (Baseline): No regression (error count unchanged) - ✅ Tier 1 (Baseline): No regression (error count unchanged)
- ✅ Tier 2 (Modified Files): 0 new errors in files I touched - ✅ Tier 2 (Modified Files): 0 new errors in files I touched
- ✅ Tier 3 (New Code): Rate limiting configuration is syntactically correct - ✅ Tier 3 (New Code): Rate limiting configuration is syntactically correct
@@ -84,7 +75,6 @@ Tiered rate limiting strategy:
## Testing Status ## Testing Status
**Blocked:** Federation module tests cannot run until Prisma schema is added. Pre-existing error: **Blocked:** Federation module tests cannot run until Prisma schema is added. Pre-existing error:
``` ```
TypeError: Cannot read properties of undefined (reading 'PENDING') TypeError: Cannot read properties of undefined (reading 'PENDING')
FederationConnectionStatus is undefined FederationConnectionStatus is undefined
@@ -93,7 +83,6 @@ FederationConnectionStatus is undefined
This is NOT caused by my changes - it's pre-existing technical debt from incomplete M7 federation implementation. This is NOT caused by my changes - it's pre-existing technical debt from incomplete M7 federation implementation.
**Manual Verification:** **Manual Verification:**
- TypeScript compilation: No new errors introduced - TypeScript compilation: No new errors introduced
- Rate limiting decorators: Correctly applied to all endpoints - Rate limiting decorators: Correctly applied to all endpoints
- ThrottlerModule: Properly configured with 3 tiers - ThrottlerModule: Properly configured with 3 tiers
@@ -102,7 +91,6 @@ This is NOT caused by my changes - it's pre-existing technical debt from incompl
## Testing ## Testing
### Rate Limit Tests ### Rate Limit Tests
1. Public endpoint exceeds limit → 429 Too Many Requests 1. Public endpoint exceeds limit → 429 Too Many Requests
2. Authenticated endpoint exceeds limit → 429 Too Many Requests 2. Authenticated endpoint exceeds limit → 429 Too Many Requests
3. Within limits → 200 OK 3. Within limits → 200 OK
@@ -111,7 +99,6 @@ This is NOT caused by my changes - it's pre-existing technical debt from incompl
6. Different users have independent limits 6. Different users have independent limits
### Security Tests ### Security Tests
1. Cannot bypass rate limit with different user agents 1. Cannot bypass rate limit with different user agents
2. Cannot bypass rate limit with different headers 2. Cannot bypass rate limit with different headers
3. Rate limit counter resets after time window 3. Rate limit counter resets after time window
@@ -120,7 +107,6 @@ This is NOT caused by my changes - it's pre-existing technical debt from incompl
## Federation Endpoints Requiring Rate Limiting ## Federation Endpoints Requiring Rate Limiting
### FederationController (`/api/v1/federation`) ### FederationController (`/api/v1/federation`)
- `GET /instance` - Public (5 req/min per IP) - `GET /instance` - Public (5 req/min per IP)
- `POST /instance/regenerate-keys` - Admin (10 req/min per user) - `POST /instance/regenerate-keys` - Admin (10 req/min per user)
- `POST /connections/initiate` - Auth (10 req/min per user) - `POST /connections/initiate` - Auth (10 req/min per user)
@@ -132,7 +118,6 @@ This is NOT caused by my changes - it's pre-existing technical debt from incompl
- `POST /incoming/connect` - **Public (3 req/min per IP)** ← CRITICAL - `POST /incoming/connect` - **Public (3 req/min per IP)** ← CRITICAL
### FederationAuthController (`/api/v1/federation/auth`) ### FederationAuthController (`/api/v1/federation/auth`)
- `POST /initiate` - Auth (10 req/min per user) - `POST /initiate` - Auth (10 req/min per user)
- `POST /link` - Auth (5 req/min per user) - `POST /link` - Auth (5 req/min per user)
- `GET /identities` - Auth (30 req/min per user) - `GET /identities` - Auth (30 req/min per user)
@@ -142,21 +127,18 @@ This is NOT caused by my changes - it's pre-existing technical debt from incompl
## Notes ## Notes
### Design Decisions ### Design Decisions
- Use IP-based rate limiting for public endpoints - Use IP-based rate limiting for public endpoints
- Use user-based rate limiting for authenticated endpoints - Use user-based rate limiting for authenticated endpoints
- Store rate limit state in Valkey (Redis-compatible) for scalability - Store rate limit state in Valkey (Redis-compatible) for scalability
- Include rate limit headers in responses (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset) - Include rate limit headers in responses (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset)
### Attack Vectors Mitigated ### Attack Vectors Mitigated
1. **Connection Request Flooding:** Attacker sends unlimited connection requests to `/incoming/connect` 1. **Connection Request Flooding:** Attacker sends unlimited connection requests to `/incoming/connect`
2. **Token Validation Abuse:** Attacker floods `/auth/validate` to exhaust resources 2. **Token Validation Abuse:** Attacker floods `/auth/validate` to exhaust resources
3. **Authenticated User Abuse:** Compromised credentials used to flood authenticated endpoints 3. **Authenticated User Abuse:** Compromised credentials used to flood authenticated endpoints
4. **Resource Exhaustion:** Prevents CPU/memory exhaustion from processing excessive requests 4. **Resource Exhaustion:** Prevents CPU/memory exhaustion from processing excessive requests
### Future Enhancements (Not in Scope) ### Future Enhancements (Not in Scope)
- Circuit breaker pattern for failing instances - Circuit breaker pattern for failing instances
- Geographic rate limiting - Geographic rate limiting
- Adaptive rate limiting based on system load - Adaptive rate limiting based on system load

9
docs/scratchpads/86-authentik-oidc-integration-security-fixes.md
View File

@@ -7,13 +7,11 @@ The initial implementation (commit 6878d57) was high quality but included placeh
## Security-Critical Issues ## Security-Critical Issues
### 1. JWT Token Validation (CRITICAL) ### 1. JWT Token Validation (CRITICAL)
**Problem**: `validateToken()` always returns `valid: false` **Problem**: `validateToken()` always returns `valid: false`
**Risk**: Cannot verify authenticity of federated tokens **Risk**: Cannot verify authenticity of federated tokens
**Solution**: Implement proper JWT validation with signature verification **Solution**: Implement proper JWT validation with signature verification
### 2. OIDC Discovery (CRITICAL) ### 2. OIDC Discovery (CRITICAL)
**Problem**: `generateAuthUrl()` returns hardcoded placeholder URL **Problem**: `generateAuthUrl()` returns hardcoded placeholder URL
**Risk**: Cannot initiate real federated authentication flows **Risk**: Cannot initiate real federated authentication flows
**Solution**: Implement OIDC discovery and proper authorization URL generation **Solution**: Implement OIDC discovery and proper authorization URL generation
@@ -21,11 +19,9 @@ The initial implementation (commit 6878d57) was high quality but included placeh
## Implementation Plan ## Implementation Plan
### 1. Add Dependencies ### 1. Add Dependencies
- [x] Add `jose` library for JWT handling (industry-standard, secure) - [x] Add `jose` library for JWT handling (industry-standard, secure)
### 2. Implement JWT Validation ### 2. Implement JWT Validation
- [ ] Fetch OIDC discovery metadata from issuer - [ ] Fetch OIDC discovery metadata from issuer
- [ ] Cache JWKS (JSON Web Key Set) for performance - [ ] Cache JWKS (JSON Web Key Set) for performance
- [ ] Verify JWT signature using remote public key - [ ] Verify JWT signature using remote public key
@@ -35,7 +31,6 @@ The initial implementation (commit 6878d57) was high quality but included placeh
- [ ] Return proper validation results - [ ] Return proper validation results
### 3. Implement OIDC Discovery ### 3. Implement OIDC Discovery
- [ ] Fetch `.well-known/openid-configuration` from remote instance - [ ] Fetch `.well-known/openid-configuration` from remote instance
- [ ] Cache discovery metadata - [ ] Cache discovery metadata
- [ ] Generate proper OAuth2 authorization URL - [ ] Generate proper OAuth2 authorization URL
@@ -44,7 +39,6 @@ The initial implementation (commit 6878d57) was high quality but included placeh
- [ ] Support standard OIDC scopes (openid, profile, email) - [ ] Support standard OIDC scopes (openid, profile, email)
### 4. Update Tests ### 4. Update Tests
- [ ] Replace mock-based tests with real behavior tests - [ ] Replace mock-based tests with real behavior tests
- [ ] Test valid JWT validation - [ ] Test valid JWT validation
- [ ] Test expired/invalid token rejection - [ ] Test expired/invalid token rejection
@@ -53,7 +47,6 @@ The initial implementation (commit 6878d57) was high quality but included placeh
- [ ] Maintain 85%+ test coverage - [ ] Maintain 85%+ test coverage
### 5. Security Considerations ### 5. Security Considerations
- Cache JWKS to avoid excessive network calls - Cache JWKS to avoid excessive network calls
- Validate token expiration strictly - Validate token expiration strictly
- Use PKCE to prevent authorization code interception - Use PKCE to prevent authorization code interception
@@ -64,7 +57,6 @@ The initial implementation (commit 6878d57) was high quality but included placeh
## Implementation Notes ## Implementation Notes
**PKCE Flow**: **PKCE Flow**:
1. Generate random code_verifier (base64url-encoded random bytes) 1. Generate random code_verifier (base64url-encoded random bytes)
2. Generate code_challenge = base64url(SHA256(code_verifier)) 2. Generate code_challenge = base64url(SHA256(code_verifier))
3. Store code_verifier in session/database 3. Store code_verifier in session/database
@@ -72,7 +64,6 @@ The initial implementation (commit 6878d57) was high quality but included placeh
5. Send code_verifier in token exchange 5. Send code_verifier in token exchange
**JWT Validation Flow**: **JWT Validation Flow**:
1. Parse JWT without verification to get header 1. Parse JWT without verification to get header
2. Fetch JWKS from issuer (cache for 1 hour) 2. Fetch JWKS from issuer (cache for 1 hour)
3. Find matching key by kid (key ID) 3. Find matching key by kid (key ID)

31
docs/scratchpads/90-event-subscriptions-summary.md
View File

@@ -12,7 +12,6 @@ Successfully implemented EVENT message type for federation, enabling pub/sub eve
## What Was Implemented ## What Was Implemented
### Database Schema ### Database Schema
- **FederationEventSubscription Model**: New table for storing event subscriptions - **FederationEventSubscription Model**: New table for storing event subscriptions
- Fields: id, workspaceId, connectionId, eventType, metadata, isActive, timestamps - Fields: id, workspaceId, connectionId, eventType, metadata, isActive, timestamps
- Unique constraint on (workspaceId, connectionId, eventType) - Unique constraint on (workspaceId, connectionId, eventType)
@@ -22,7 +21,6 @@ Successfully implemented EVENT message type for federation, enabling pub/sub eve
### Core Services ### Core Services
**EventService** (`event.service.ts`) **EventService** (`event.service.ts`)
- `subscribeToEventType()`: Subscribe to events from remote instance - `subscribeToEventType()`: Subscribe to events from remote instance
- `unsubscribeFromEventType()`: Remove event subscription - `unsubscribeFromEventType()`: Remove event subscription
- `publishEvent()`: Publish events to all subscribed connections - `publishEvent()`: Publish events to all subscribed connections
@@ -37,7 +35,6 @@ Successfully implemented EVENT message type for federation, enabling pub/sub eve
**EventController** (`event.controller.ts`) **EventController** (`event.controller.ts`)
**Authenticated Endpoints (require AuthGuard):** **Authenticated Endpoints (require AuthGuard):**
- `POST /api/v1/federation/events/subscribe` - Subscribe to event type - `POST /api/v1/federation/events/subscribe` - Subscribe to event type
- `POST /api/v1/federation/events/unsubscribe` - Unsubscribe from event type - `POST /api/v1/federation/events/unsubscribe` - Unsubscribe from event type
- `POST /api/v1/federation/events/publish` - Publish event to subscribers - `POST /api/v1/federation/events/publish` - Publish event to subscribers
@@ -46,14 +43,12 @@ Successfully implemented EVENT message type for federation, enabling pub/sub eve
- `GET /api/v1/federation/events/messages/:id` - Get single event message - `GET /api/v1/federation/events/messages/:id` - Get single event message
**Public Endpoints (signature-verified):** **Public Endpoints (signature-verified):**
- `POST /api/v1/federation/incoming/event` - Receive event from remote instance - `POST /api/v1/federation/incoming/event` - Receive event from remote instance
- `POST /api/v1/federation/incoming/event/ack` - Receive event acknowledgment - `POST /api/v1/federation/incoming/event/ack` - Receive event acknowledgment
### Type Definitions ### Type Definitions
**Added to `message.types.ts`:** **Added to `message.types.ts`:**
- `EventMessage`: Outgoing event structure - `EventMessage`: Outgoing event structure
- `EventAck`: Event acknowledgment structure - `EventAck`: Event acknowledgment structure
- `EventMessageDetails`: Event message response type - `EventMessageDetails`: Event message response type
@@ -62,7 +57,6 @@ Successfully implemented EVENT message type for federation, enabling pub/sub eve
### Data Transfer Objects ### Data Transfer Objects
**event.dto.ts:** **event.dto.ts:**
- `SubscribeToEventDto`: Subscribe request - `SubscribeToEventDto`: Subscribe request
- `UnsubscribeFromEventDto`: Unsubscribe request - `UnsubscribeFromEventDto`: Unsubscribe request
- `PublishEventDto`: Publish event request - `PublishEventDto`: Publish event request
@@ -72,14 +66,12 @@ Successfully implemented EVENT message type for federation, enabling pub/sub eve
## Testing ## Testing
### Test Coverage ### Test Coverage
- **EventService**: 18 unit tests, **89.09% coverage** - **EventService**: 18 unit tests, **89.09% coverage**
- **EventController**: 11 unit tests, **83.87% coverage** - **EventController**: 11 unit tests, **83.87% coverage**
- **Total**: 29 tests, all passing - **Total**: 29 tests, all passing
- **Coverage**: Exceeds 85% minimum requirement - **Coverage**: Exceeds 85% minimum requirement
### Test Scenarios Covered ### Test Scenarios Covered
- Subscription creation and deletion - Subscription creation and deletion
- Event publishing to multiple subscribers - Event publishing to multiple subscribers
- Failed delivery handling - Failed delivery handling
@@ -92,21 +84,17 @@ Successfully implemented EVENT message type for federation, enabling pub/sub eve
## Design Patterns ## Design Patterns
### Consistency with Existing Code ### Consistency with Existing Code
- Follows patterns from `QueryService` and `CommandService` - Follows patterns from `QueryService` and `CommandService`
- Reuses existing `SignatureService` for message verification - Reuses existing `SignatureService` for message verification
- Reuses existing `FederationService` for instance identity - Reuses existing `FederationService` for instance identity
- Uses existing `FederationMessage` model with new `eventType` field - Uses existing `FederationMessage` model with new `eventType` field
### Event Type Naming Convention ### Event Type Naming Convention
Hierarchical dot-notation: Hierarchical dot-notation:
- `entity.action` (e.g., "task.created", "user.updated") - `entity.action` (e.g., "task.created", "user.updated")
- `entity.action.detail` (e.g., "task.status.changed") - `entity.action.detail` (e.g., "task.status.changed")
### Security Features ### Security Features
- All events signature-verified (RSA) - All events signature-verified (RSA)
- Timestamp validation (prevents replay attacks) - Timestamp validation (prevents replay attacks)
- Connection status validation (only active connections) - Connection status validation (only active connections)
@@ -115,18 +103,14 @@ Hierarchical dot-notation:
## Technical Details ## Technical Details
### Database Migration ### Database Migration
File: `20260203_add_federation_event_subscriptions/migration.sql` File: `20260203_add_federation_event_subscriptions/migration.sql`
- Adds `eventType` column to `federation_messages` - Adds `eventType` column to `federation_messages`
- Creates `federation_event_subscriptions` table - Creates `federation_event_subscriptions` table
- Adds appropriate indexes for performance - Adds appropriate indexes for performance
- Establishes foreign key relationships - Establishes foreign key relationships
### Integration ### Integration
Updated `federation.module.ts`: Updated `federation.module.ts`:
- Added `EventService` to providers - Added `EventService` to providers
- Added `EventController` to controllers - Added `EventController` to controllers
- Exported `EventService` for use by other modules - Exported `EventService` for use by other modules
@@ -142,7 +126,6 @@ Updated `federation.module.ts`:
## Files Created/Modified ## Files Created/Modified
### New Files (7) ### New Files (7)
- `apps/api/src/federation/event.service.ts` (470 lines) - `apps/api/src/federation/event.service.ts` (470 lines)
- `apps/api/src/federation/event.service.spec.ts` (1,088 lines) - `apps/api/src/federation/event.service.spec.ts` (1,088 lines)
- `apps/api/src/federation/event.controller.ts` (199 lines) - `apps/api/src/federation/event.controller.ts` (199 lines)
@@ -152,13 +135,11 @@ Updated `federation.module.ts`:
- `docs/scratchpads/90-event-subscriptions.md` (185 lines) - `docs/scratchpads/90-event-subscriptions.md` (185 lines)
### Modified Files (3) ### Modified Files (3)
- `apps/api/src/federation/types/message.types.ts` (+118 lines) - `apps/api/src/federation/types/message.types.ts` (+118 lines)
- `apps/api/src/federation/federation.module.ts` (+3 lines) - `apps/api/src/federation/federation.module.ts` (+3 lines)
- `apps/api/prisma/schema.prisma` (+27 lines) - `apps/api/prisma/schema.prisma` (+27 lines)
### Total Changes ### Total Changes
- **2,395 lines added** - **2,395 lines added**
- **5 lines removed** - **5 lines removed**
- **10 files changed** - **10 files changed**
@@ -166,25 +147,20 @@ Updated `federation.module.ts`:
## Key Features ## Key Features
### Server-Side Event Filtering ### Server-Side Event Filtering
Events are only sent to instances with active subscriptions for that event type. This prevents unnecessary network traffic and processing. Events are only sent to instances with active subscriptions for that event type. This prevents unnecessary network traffic and processing.
### Acknowledgment Protocol ### Acknowledgment Protocol
Simple ACK pattern confirms event delivery: Simple ACK pattern confirms event delivery:
1. Publisher sends event 1. Publisher sends event
2. Receiver processes and returns ACK 2. Receiver processes and returns ACK
3. Publisher updates delivery status 3. Publisher updates delivery status
### Error Handling ### Error Handling
- Failed deliveries marked as FAILED with error message - Failed deliveries marked as FAILED with error message
- Connection errors logged but don't crash the system - Connection errors logged but don't crash the system
- Invalid signatures rejected immediately - Invalid signatures rejected immediately
### Subscription Management ### Subscription Management
- Subscriptions persist in database - Subscriptions persist in database
- Can be activated/deactivated without deletion - Can be activated/deactivated without deletion
- Support for metadata (extensibility) - Support for metadata (extensibility)
@@ -192,7 +168,6 @@ Simple ACK pattern confirms event delivery:
## Future Enhancements (Not Implemented) ## Future Enhancements (Not Implemented)
These were considered but deferred to future issues: These were considered but deferred to future issues:
- Event replay/history - Event replay/history
- Event filtering by payload fields - Event filtering by payload fields
- Webhook support for event delivery - Webhook support for event delivery
@@ -204,13 +179,11 @@ These were considered but deferred to future issues:
## Performance Considerations ## Performance Considerations
### Scalability ### Scalability
- Database indexes on eventType, connectionId, workspaceId - Database indexes on eventType, connectionId, workspaceId
- Efficient queries with proper WHERE clauses - Efficient queries with proper WHERE clauses
- Server-side filtering reduces network overhead - Server-side filtering reduces network overhead
### Monitoring ### Monitoring
- All operations logged with appropriate level - All operations logged with appropriate level
- Failed deliveries tracked in database - Failed deliveries tracked in database
- Delivery timestamps recorded for analytics - Delivery timestamps recorded for analytics
@@ -218,14 +191,12 @@ These were considered but deferred to future issues:
## Documentation ## Documentation
### Inline Documentation ### Inline Documentation
- JSDoc comments on all public methods - JSDoc comments on all public methods
- Clear parameter descriptions - Clear parameter descriptions
- Return type documentation - Return type documentation
- Usage examples in comments - Usage examples in comments
### Scratchpad Documentation ### Scratchpad Documentation
- Complete implementation plan - Complete implementation plan
- Design decisions documented - Design decisions documented
- Testing strategy outlined - Testing strategy outlined
@@ -234,7 +205,6 @@ These were considered but deferred to future issues:
## Integration Testing Recommendations ## Integration Testing Recommendations
While unit tests are comprehensive, recommend integration testing: While unit tests are comprehensive, recommend integration testing:
1. Set up two federated instances 1. Set up two federated instances
2. Subscribe from Instance A to Instance B events 2. Subscribe from Instance A to Instance B events
3. Publish event from Instance B 3. Publish event from Instance B
@@ -244,7 +214,6 @@ While unit tests are comprehensive, recommend integration testing:
## Conclusion ## Conclusion
FED-007 (EVENT Subscriptions) is **complete and ready for code review**. The implementation: FED-007 (EVENT Subscriptions) is **complete and ready for code review**. The implementation:
- ✅ Follows TDD principles - ✅ Follows TDD principles
- ✅ Meets 85%+ code coverage requirement - ✅ Meets 85%+ code coverage requirement
- ✅ Passes all quality gates (lint, typecheck, tests) - ✅ Passes all quality gates (lint, typecheck, tests)

40
docs/scratchpads/ms-gate-001-gatekeeper.md
View File

@@ -1,40 +0,0 @@
# MS-GATE-001 Scratchpad
## Objective
Build the API Gatekeeper module for PR auto-merge orchestration using Gitea PR webhooks, Woodpecker CI webhooks, and a `pending_merges` Prisma model.
## Constraints
- Work in `/home/jwoltje/src/mosaic-stack-worktrees/gate-001`
- Do not merge or deploy
- Must pass:
- `pnpm format:check`
- `SKIP_ENV_VALIDATION=true pnpm turbo typecheck`
- `SKIP_ENV_VALIDATION=true pnpm turbo lint`
- `SKIP_ENV_VALIDATION=true pnpm turbo test --filter=@mosaic/api -- --testPathPattern="gatekeeper"`
## ASSUMPTION
- Woodpecker PR pipelines expose `CI_COMMIT_PULL_REQUEST` and `CI_COMMIT_SHA`, so the webhook notifier can send `prNumber` and `headSha`.
- Rationale: Gatekeeper needs an exact PR/head tuple to safely match CI back to `pending_merges`.
## Plan
1. Add Prisma model + SQL migration for `pending_merges`
2. Add Gatekeeper NestJS module/controller/service/DTO/tests
3. Wire Woodpecker webhook -> Gatekeeper CI handler
4. Add env/config documentation and compose variables
5. Run quality gates, review, remediate, push, open PR
## Progress
- [x] Context loaded
- [ ] Tests added first
- [ ] Implementation complete
- [ ] Quality gates green
- [ ] Push + PR opened
## Verification
- Pending

2
package.json
View File

@@ -1,6 +1,6 @@
{ {
"name": "mosaic-stack", "name": "mosaic-stack",
"version": "0.0.23", "version": "0.0.20",
"private": true, "private": true,
"type": "module", "type": "module",
"packageManager": "pnpm@10.19.0", "packageManager": "pnpm@10.19.0",

17
pnpm-lock.yaml generated
View File

@@ -162,9 +162,6 @@ importers:
bullmq: bullmq:
specifier: ^5.67.2 specifier: ^5.67.2
version: 5.67.2 version: 5.67.2
chokidar:
specifier: ^4.0.3
version: 4.0.3
class-transformer: class-transformer:
specifier: ^0.5.1 specifier: ^0.5.1
version: 0.5.1 version: 0.5.1
@@ -322,9 +319,6 @@ importers:
'@mosaic/shared': '@mosaic/shared':
specifier: workspace:* specifier: workspace:*
version: link:../../packages/shared version: link:../../packages/shared
'@nestjs/axios':
specifier: ^4.0.1
version: 4.0.1(@nestjs/common@11.1.12(class-transformer@0.5.1)(class-validator@0.14.3)(reflect-metadata@0.2.2)(rxjs@7.8.2))(axios@1.13.5)(rxjs@7.8.2)
'@nestjs/bullmq': '@nestjs/bullmq':
specifier: ^11.0.4 specifier: ^11.0.4
version: 11.0.4(@nestjs/common@11.1.12(class-transformer@0.5.1)(class-validator@0.14.3)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.12)(bullmq@5.67.2) version: 11.0.4(@nestjs/common@11.1.12(class-transformer@0.5.1)(class-validator@0.14.3)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@11.1.12)(bullmq@5.67.2)
@@ -368,8 +362,8 @@ importers:
specifier: ^7.8.1 specifier: ^7.8.1
version: 7.8.2 version: 7.8.2
simple-git: simple-git:
specifier: ^3.32.3 specifier: ^3.27.0
version: 3.33.0 version: 3.30.0
zod: zod:
specifier: ^3.24.1 specifier: ^3.24.1
version: 3.25.76 version: 3.25.76
@@ -5179,7 +5173,6 @@ packages:
glob@10.5.0: glob@10.5.0:
resolution: {integrity: sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg==} resolution: {integrity: sha512-DfXN8DfhJ7NH3Oe7cFmu3NCu1wKbkReJ8TorzSAFbSKrlNaQSKfIzqYqVY8zlbs2NLBbWpRiU52GX2PbaBVNkg==}
deprecated: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
hasBin: true hasBin: true
glob@13.0.0: glob@13.0.0:
@@ -6795,8 +6788,8 @@ packages:
simple-get@4.0.1: simple-get@4.0.1:
resolution: {integrity: sha512-brv7p5WgH0jmQJr1ZDDfKDOSeWWg+OVypG99A/5vYGPqJ6pxiaHLy8nxtFjBA7oMa01ebA9gfh1uMCFqOuXxvA==} resolution: {integrity: sha512-brv7p5WgH0jmQJr1ZDDfKDOSeWWg+OVypG99A/5vYGPqJ6pxiaHLy8nxtFjBA7oMa01ebA9gfh1uMCFqOuXxvA==}
simple-git@3.33.0: simple-git@3.30.0:
resolution: {integrity: sha512-D4V/tGC2sjsoNhoMybKyGoE+v8A60hRawKQ1iFRA1zwuDgGZCBJ4ByOzZ5J8joBbi4Oam0qiPH+GhzmSBwbJng==} resolution: {integrity: sha512-q6lxyDsCmEal/MEGhP1aVyQ3oxnagGlBDOVSIB4XUVLl1iZh0Pah6ebC9V4xBap/RfgP2WlI8EKs0WS0rMEJHg==}
sisteransi@1.0.5: sisteransi@1.0.5:
resolution: {integrity: sha512-bLGGlR1QxBcynn2d5YmDX4MGjlZvy2MRBDRNHLJ8VI6l6+9FUiyTFNJ0IveOSP0bcXgVDPRcfGqA0pjaqUpfVg==} resolution: {integrity: sha512-bLGGlR1QxBcynn2d5YmDX4MGjlZvy2MRBDRNHLJ8VI6l6+9FUiyTFNJ0IveOSP0bcXgVDPRcfGqA0pjaqUpfVg==}
@@ -14530,7 +14523,7 @@ snapshots:
once: 1.4.0 once: 1.4.0
simple-concat: 1.0.1 simple-concat: 1.0.1
simple-git@3.33.0: simple-git@3.30.0:
dependencies: dependencies:
'@kwsites/file-exists': 1.1.1 '@kwsites/file-exists': 1.1.1
'@kwsites/promise-deferred': 1.1.1 '@kwsites/promise-deferred': 1.1.1