mosaic/stack
1
0
Fork 0
Code Issues 14 Pull Requests 2 Actions Packages Projects Releases 2 Wiki Activity

Compare commits

base: mosaic:chore/tasks-final
Branches Tags
mosaic:main mosaic:feat/ms23-p0-stream mosaic:fix/ms23-prisma-cli mosaic:fix/ms23-orchestrator-prisma-generate mosaic:feat/ms23-p0-ingestion mosaic:chore/tasks-p0-001-done mosaic:feat/ms23-p0-schema mosaic:chore/ms23-bootstrap mosaic:fix/user-agent-auth-module mosaic:fix/agent-template-auth-module mosaic:feat/ms22-p2-discord-router mosaic:test/ms22-p2-agent-tests mosaic:chore/ms22-p2-docs-update mosaic:feat/ms22-p2-agent-ui mosaic:feat/ms22-p2-agent-routing mosaic:chore/ms22-p2-update-docs mosaic:feat/ms22-p2-user-agents mosaic:feat/ms22-p2-agent-crud mosaic:fix/security-audit-multer mosaic:ci/portainer-v2 mosaic:fix/chat-complete mosaic:ci/portainer-deploy mosaic:fix/chat-configmodule mosaic:feature/chat-guest-mode mosaic:fix/ms21-missing-user-auth-migration mosaic:infra/fix-mosaic-db-init-extensions mosaic:infra/migrate-to-openbrain-db mosaic:fix/flaky-queue-test mosaic:fix/deploy-service-names mosaic:fix/deploy-service-update mosaic:fix/deploy-user-v2 mosaic:fix/deploy-user mosaic:feat/ci-auto-deploy mosaic:fix/orchestrator-widget-endpoints mosaic:fix/dashboard-widget-mock-data mosaic:fix/ci-glibc-image mosaic:fix/dockerfile-npmrc mosaic:fix/matrix-native-binary mosaic:fix/kaniko-cache mosaic:fix/base-image-kaniko-v2 mosaic:fix/base-image-kaniko mosaic:feat/custom-base-image mosaic:ci/pnpm-cache mosaic:fix/interceptor-tests mosaic:fix/kanban-tests mosaic:feat/wire-chat mosaic:feat/usage-widget mosaic:fix/security-hardening mosaic:fix/project-domain-v2 mosaic:feat/kanban-add-task mosaic:fix/project-domain-attach mosaic:fix/logs-page-clean mosaic:fix/workspace-members mosaic:fix/ci-lint-632 mosaic:fix/file-manager-tags mosaic:fix/csrf-debug-log mosaic:fix/controller-type-imports mosaic:fix/system-admin-env mosaic:fix/gateway-cors-trusted-origins mosaic:feat/project-detail-page mosaic:fix/fleet-provider-form-dto-v2 mosaic:fix/ms22-audit mosaic:fix/orchestrator-widgets mosaic:fix/fleet-provider-form-dto mosaic:fix/csrf-bearer-bypass mosaic:fix/ms22-missing-authmodule-imports mosaic:fix/container-lifecycle-config-module mosaic:fix/swarm-compose-ms22-vars mosaic:chore/ms22-p1-complete mosaic:feat/ms22-p1h-settings-ui mosaic:feat/ms22-p1f-onboarding-ui mosaic:feat/ms22-p1i-chat-proxy mosaic:feat/ms22-p1k-idle-reaper mosaic:feat/ms22-p1j-docker mosaic:feat/ms22-p1e-onboarding-api mosaic:feat/ms22-p1g-settings-api mosaic:feat/ms22-p1d-container-mgr mosaic:feat/ms22-p1c-config-api mosaic:chore/ms22-prd-tracking mosaic:feat/ms22-p1a-schema mosaic:feat/ms22-p1b-crypto mosaic:chore/ms22-p1-tasks mosaic:docs/ms22-architecture mosaic:feat/ms22-openclaw-docker mosaic:feat/ms22-openclaw-gateway-module mosaic:chore/ms21-complete mosaic:chore/ms21-final-tasks-done mosaic:fix/ms21-ui-001-qa mosaic:test/ms21-ui-tests mosaic:chore/ms21-tasks-sync mosaic:chore/ms22-phase0-complete mosaic:feat/ms22-ingest-clean mosaic:feat/ms21-ui-users-members mosaic:feat/ms22-task-agent mosaic:chore/tasks-final mosaic:chore/tasks-update mosaic:feat/ms21-session-invalidation mosaic:feat/ms21-rbac-settings mosaic:feat/ms21-teams-page mosaic:feat/ms21-users-page mosaic:feat/ms19-terminal-persistence
mosaic:v0.0.22-ms22-p2 mosaic:v0.0.21 mosaic:v0.20.0 mosaic:v0.0.15 mosaic:v0.0.2
..
compare: mosaic:8fbb8a387ed84ad3c98d386e97af9e532389bebb
Branches Tags
mosaic:feat/ms23-p0-stream mosaic:main mosaic:fix/ms23-prisma-cli mosaic:fix/ms23-orchestrator-prisma-generate mosaic:feat/ms23-p0-ingestion mosaic:chore/tasks-p0-001-done mosaic:feat/ms23-p0-schema mosaic:chore/ms23-bootstrap mosaic:fix/user-agent-auth-module mosaic:fix/agent-template-auth-module mosaic:feat/ms22-p2-discord-router mosaic:test/ms22-p2-agent-tests mosaic:chore/ms22-p2-docs-update mosaic:feat/ms22-p2-agent-ui mosaic:feat/ms22-p2-agent-routing mosaic:chore/ms22-p2-update-docs mosaic:feat/ms22-p2-user-agents mosaic:feat/ms22-p2-agent-crud mosaic:fix/security-audit-multer mosaic:ci/portainer-v2 mosaic:fix/chat-complete mosaic:ci/portainer-deploy mosaic:fix/chat-configmodule mosaic:feature/chat-guest-mode mosaic:fix/ms21-missing-user-auth-migration mosaic:infra/fix-mosaic-db-init-extensions mosaic:infra/migrate-to-openbrain-db mosaic:fix/flaky-queue-test mosaic:fix/deploy-service-names mosaic:fix/deploy-service-update mosaic:fix/deploy-user-v2 mosaic:fix/deploy-user mosaic:feat/ci-auto-deploy mosaic:fix/orchestrator-widget-endpoints mosaic:fix/dashboard-widget-mock-data mosaic:fix/ci-glibc-image mosaic:fix/dockerfile-npmrc mosaic:fix/matrix-native-binary mosaic:fix/kaniko-cache mosaic:fix/base-image-kaniko-v2 mosaic:fix/base-image-kaniko mosaic:feat/custom-base-image mosaic:ci/pnpm-cache mosaic:fix/interceptor-tests mosaic:fix/kanban-tests mosaic:feat/wire-chat mosaic:feat/usage-widget mosaic:fix/security-hardening mosaic:fix/project-domain-v2 mosaic:feat/kanban-add-task mosaic:fix/project-domain-attach mosaic:fix/logs-page-clean mosaic:fix/workspace-members mosaic:fix/ci-lint-632 mosaic:fix/file-manager-tags mosaic:fix/csrf-debug-log mosaic:fix/controller-type-imports mosaic:fix/system-admin-env mosaic:fix/gateway-cors-trusted-origins mosaic:feat/project-detail-page mosaic:fix/fleet-provider-form-dto-v2 mosaic:fix/ms22-audit mosaic:fix/orchestrator-widgets mosaic:fix/fleet-provider-form-dto mosaic:fix/csrf-bearer-bypass mosaic:fix/ms22-missing-authmodule-imports mosaic:fix/container-lifecycle-config-module mosaic:fix/swarm-compose-ms22-vars mosaic:chore/ms22-p1-complete mosaic:feat/ms22-p1h-settings-ui mosaic:feat/ms22-p1f-onboarding-ui mosaic:feat/ms22-p1i-chat-proxy mosaic:feat/ms22-p1k-idle-reaper mosaic:feat/ms22-p1j-docker mosaic:feat/ms22-p1e-onboarding-api mosaic:feat/ms22-p1g-settings-api mosaic:feat/ms22-p1d-container-mgr mosaic:feat/ms22-p1c-config-api mosaic:chore/ms22-prd-tracking mosaic:feat/ms22-p1a-schema mosaic:feat/ms22-p1b-crypto mosaic:chore/ms22-p1-tasks mosaic:docs/ms22-architecture mosaic:feat/ms22-openclaw-docker mosaic:feat/ms22-openclaw-gateway-module mosaic:chore/ms21-complete mosaic:chore/ms21-final-tasks-done mosaic:fix/ms21-ui-001-qa mosaic:test/ms21-ui-tests mosaic:chore/ms21-tasks-sync mosaic:chore/ms22-phase0-complete mosaic:feat/ms22-ingest-clean mosaic:feat/ms21-ui-users-members mosaic:feat/ms22-task-agent mosaic:chore/tasks-final mosaic:chore/tasks-update mosaic:feat/ms21-session-invalidation mosaic:feat/ms21-rbac-settings mosaic:feat/ms21-teams-page mosaic:feat/ms21-users-page mosaic:feat/ms19-terminal-persistence
mosaic:v0.0.22-ms22-p2 mosaic:v0.0.21 mosaic:v0.20.0 mosaic:v0.0.15 mosaic:v0.0.2

1 Commits
chore/task ... 8fbb8a387e

Author SHA1 Message Date
Jason Woltje
8fbb8a387e fix(ci): suppress Next.js bundled tar/minimatch CVEs in trivy scan 
Add CVE-2026-26960 (tar) and CVE-2026-26996 (minimatch) to .trivyignore.
These are embedded in next/dist/compiled/ and cannot be fixed via pnpm
overrides — requires upstream Next.js release with updated bundles.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-02-21 14:31:43 -06:00
437 changed files with 7172 additions and 46602 deletions
Expand all files Collapse all files

135
.env.example
View File

@@ -15,19 +15,11 @@ WEB_PORT=3000
# ====================== # ======================
NEXT_PUBLIC_APP_URL=http://localhost:3000 NEXT_PUBLIC_APP_URL=http://localhost:3000
NEXT_PUBLIC_API_URL=http://localhost:3001 NEXT_PUBLIC_API_URL=http://localhost:3001
# Frontend auth mode:
# - real: Normal auth/session flow
# - mock: Local-only seeded user for FE development (blocked outside NODE_ENV=development)
# Use `mock` locally to continue FE work when auth flow is unstable.
# If omitted, web runtime defaults:
# - development -> mock
# - production -> real
NEXT_PUBLIC_AUTH_MODE=real
# ====================== # ======================
# PostgreSQL Database # PostgreSQL Database
# ====================== # ======================
# Bundled PostgreSQL # Bundled PostgreSQL (when database profile enabled)
# SECURITY: Change POSTGRES_PASSWORD to a strong random password in production # SECURITY: Change POSTGRES_PASSWORD to a strong random password in production
DATABASE_URL=postgresql://mosaic:REPLACE_WITH_SECURE_PASSWORD@postgres:5432/mosaic DATABASE_URL=postgresql://mosaic:REPLACE_WITH_SECURE_PASSWORD@postgres:5432/mosaic
POSTGRES_USER=mosaic POSTGRES_USER=mosaic
@@ -36,7 +28,7 @@ POSTGRES_DB=mosaic
POSTGRES_PORT=5432 POSTGRES_PORT=5432
# External PostgreSQL (managed service) # External PostgreSQL (managed service)
# To use an external instance, update DATABASE_URL above # Disable 'database' profile and point DATABASE_URL to your external instance
# Example: DATABASE_URL=postgresql://user:pass@rds.amazonaws.com:5432/mosaic # Example: DATABASE_URL=postgresql://user:pass@rds.amazonaws.com:5432/mosaic
# PostgreSQL Performance Tuning (Optional) # PostgreSQL Performance Tuning (Optional)
@@ -47,7 +39,7 @@ POSTGRES_MAX_CONNECTIONS=100
# ====================== # ======================
# Valkey Cache (Redis-compatible) # Valkey Cache (Redis-compatible)
# ====================== # ======================
# Bundled Valkey # Bundled Valkey (when cache profile enabled)
VALKEY_URL=redis://valkey:6379 VALKEY_URL=redis://valkey:6379
VALKEY_HOST=valkey VALKEY_HOST=valkey
VALKEY_PORT=6379 VALKEY_PORT=6379
@@ -55,7 +47,7 @@ VALKEY_PORT=6379
VALKEY_MAXMEMORY=256mb VALKEY_MAXMEMORY=256mb
# External Redis/Valkey (managed service) # External Redis/Valkey (managed service)
# To use an external instance, update VALKEY_URL above # Disable 'cache' profile and point VALKEY_URL to your external instance
# Example: VALKEY_URL=redis://elasticache.amazonaws.com:6379 # Example: VALKEY_URL=redis://elasticache.amazonaws.com:6379
# Example with auth: VALKEY_URL=redis://:password@redis.example.com:6379 # Example with auth: VALKEY_URL=redis://:password@redis.example.com:6379
@@ -78,9 +70,9 @@ OIDC_ISSUER=https://auth.example.com/application/o/mosaic-stack/
OIDC_CLIENT_ID=your-client-id-here OIDC_CLIENT_ID=your-client-id-here
OIDC_CLIENT_SECRET=your-client-secret-here OIDC_CLIENT_SECRET=your-client-secret-here
# Redirect URI must match what's configured in Authentik # Redirect URI must match what's configured in Authentik
# Development: http://localhost:3001/auth/oauth2/callback/authentik # Development: http://localhost:3001/auth/callback/authentik
# Production: https://mosaic-api.woltje.com/auth/oauth2/callback/authentik # Production: https://api.mosaicstack.dev/auth/callback/authentik
OIDC_REDIRECT_URI=http://localhost:3001/auth/oauth2/callback/authentik OIDC_REDIRECT_URI=http://localhost:3001/auth/callback/authentik
# Authentik PostgreSQL Database # Authentik PostgreSQL Database
AUTHENTIK_POSTGRES_USER=authentik AUTHENTIK_POSTGRES_USER=authentik
@@ -124,9 +116,6 @@ JWT_EXPIRATION=24h
# This is used by BetterAuth for session management and CSRF protection # This is used by BetterAuth for session management and CSRF protection
# Example: openssl rand -base64 32 # Example: openssl rand -base64 32
BETTER_AUTH_SECRET=REPLACE_WITH_RANDOM_SECRET_MINIMUM_32_CHARS BETTER_AUTH_SECRET=REPLACE_WITH_RANDOM_SECRET_MINIMUM_32_CHARS
# Optional explicit BetterAuth origin for callback/error URL generation.
# When empty, backend falls back to NEXT_PUBLIC_API_URL.
BETTER_AUTH_URL=
# Trusted Origins (comma-separated list of additional trusted origins for CORS and auth) # Trusted Origins (comma-separated list of additional trusted origins for CORS and auth)
# These are added to NEXT_PUBLIC_APP_URL and NEXT_PUBLIC_API_URL automatically # These are added to NEXT_PUBLIC_APP_URL and NEXT_PUBLIC_API_URL automatically
@@ -215,9 +204,11 @@ NODE_ENV=development
# Used by docker-compose.yml (pulls images) and docker-swarm.yml # Used by docker-compose.yml (pulls images) and docker-swarm.yml
# For local builds, use docker-compose.build.yml instead # For local builds, use docker-compose.build.yml instead
# Options: # Options:
# - latest: Pull latest images from registry (default, built from main branch) # - dev: Pull development images from registry (default, built from develop branch)
# - latest: Pull latest stable images from registry (built from main branch)
# - <commit-sha>: Use specific commit SHA tag (e.g., 658ec077)
# - <version>: Use specific version tag (e.g., v1.0.0) # - <version>: Use specific version tag (e.g., v1.0.0)
IMAGE_TAG=latest IMAGE_TAG=dev
# ====================== # ======================
# Docker Compose Profiles # Docker Compose Profiles
@@ -253,16 +244,12 @@ MOSAIC_API_DOMAIN=api.mosaic.local
MOSAIC_WEB_DOMAIN=mosaic.local MOSAIC_WEB_DOMAIN=mosaic.local
MOSAIC_AUTH_DOMAIN=auth.mosaic.local MOSAIC_AUTH_DOMAIN=auth.mosaic.local
# External Traefik network name (for upstream mode and swarm) # External Traefik network name (for upstream mode)
# Must match the network name of your existing Traefik instance # Must match the network name of your existing Traefik instance
TRAEFIK_NETWORK=traefik-public TRAEFIK_NETWORK=traefik-public
TRAEFIK_DOCKER_NETWORK=traefik-public
# TLS/SSL Configuration # TLS/SSL Configuration
TRAEFIK_TLS_ENABLED=true TRAEFIK_TLS_ENABLED=true
TRAEFIK_ENTRYPOINT=websecure
# Cert resolver name (leave empty if TLS is handled externally or using self-signed certs)
TRAEFIK_CERTRESOLVER=
# For Let's Encrypt (production): # For Let's Encrypt (production):
TRAEFIK_ACME_EMAIL=admin@example.com TRAEFIK_ACME_EMAIL=admin@example.com
# For self-signed certificates (development), leave TRAEFIK_ACME_EMAIL empty # For self-signed certificates (development), leave TRAEFIK_ACME_EMAIL empty
@@ -298,15 +285,6 @@ GITEA_WEBHOOK_SECRET=REPLACE_WITH_RANDOM_WEBHOOK_SECRET
# The coordinator service uses this key to authenticate with the API # The coordinator service uses this key to authenticate with the API
COORDINATOR_API_KEY=REPLACE_WITH_RANDOM_API_KEY_MINIMUM_32_CHARS COORDINATOR_API_KEY=REPLACE_WITH_RANDOM_API_KEY_MINIMUM_32_CHARS
# Anthropic API Key (used by coordinator for issue parsing)
# Get your API key from: https://console.anthropic.com/
ANTHROPIC_API_KEY=REPLACE_WITH_ANTHROPIC_API_KEY
# Coordinator tuning
COORDINATOR_POLL_INTERVAL=5.0
COORDINATOR_MAX_CONCURRENT_AGENTS=10
COORDINATOR_ENABLED=true
# ====================== # ======================
# Rate Limiting # Rate Limiting
# ====================== # ======================
@@ -314,19 +292,17 @@ COORDINATOR_ENABLED=true
# TTL is in seconds, limits are per TTL window # TTL is in seconds, limits are per TTL window
# Global rate limit (applies to all endpoints unless overridden) # Global rate limit (applies to all endpoints unless overridden)
# Time window in seconds RATE_LIMIT_TTL=60 # Time window in seconds
RATE_LIMIT_TTL=60 RATE_LIMIT_GLOBAL_LIMIT=100 # Requests per window
# Requests per window
RATE_LIMIT_GLOBAL_LIMIT=100
# Webhook endpoints (/stitcher/webhook, /stitcher/dispatch) — requests per minute # Webhook endpoints (/stitcher/webhook, /stitcher/dispatch)
RATE_LIMIT_WEBHOOK_LIMIT=60 RATE_LIMIT_WEBHOOK_LIMIT=60 # Requests per minute
# Coordinator endpoints (/coordinator/*) — requests per minute # Coordinator endpoints (/coordinator/*)
RATE_LIMIT_COORDINATOR_LIMIT=100 RATE_LIMIT_COORDINATOR_LIMIT=100 # Requests per minute
# Health check endpoints (/coordinator/health) — requests per minute (higher for monitoring) # Health check endpoints (/coordinator/health)
RATE_LIMIT_HEALTH_LIMIT=300 RATE_LIMIT_HEALTH_LIMIT=300 # Requests per minute (higher for monitoring)
# Storage backend for rate limiting (redis or memory) # Storage backend for rate limiting (redis or memory)
# redis: Uses Valkey for distributed rate limiting (recommended for production) # redis: Uses Valkey for distributed rate limiting (recommended for production)
@@ -353,34 +329,16 @@ RATE_LIMIT_STORAGE=redis
# ====================== # ======================
# Matrix bot integration for chat-based control via Matrix protocol # Matrix bot integration for chat-based control via Matrix protocol
# Requires a Matrix account with an access token for the bot user # Requires a Matrix account with an access token for the bot user
# Set these AFTER deploying Synapse and creating the bot account. # MATRIX_HOMESERVER_URL=https://matrix.example.com
# MATRIX_ACCESS_TOKEN=
# MATRIX_BOT_USER_ID=@mosaic-bot:example.com
# MATRIX_CONTROL_ROOM_ID=!roomid:example.com
# MATRIX_WORKSPACE_ID=your-workspace-uuid
# #
# SECURITY: MATRIX_WORKSPACE_ID must be a valid workspace UUID from your database. # SECURITY: MATRIX_WORKSPACE_ID must be a valid workspace UUID from your database.
# All Matrix commands will execute within this workspace context for proper # All Matrix commands will execute within this workspace context for proper
# multi-tenant isolation. Each Matrix bot instance should be configured for # multi-tenant isolation. Each Matrix bot instance should be configured for
# a single workspace. # a single workspace.
MATRIX_HOMESERVER_URL=http://synapse:8008
MATRIX_ACCESS_TOKEN=
MATRIX_BOT_USER_ID=@mosaic-bot:matrix.woltje.com
MATRIX_SERVER_NAME=matrix.woltje.com
# MATRIX_CONTROL_ROOM_ID=!roomid:matrix.woltje.com
# MATRIX_WORKSPACE_ID=your-workspace-uuid
# ======================
# Matrix / Synapse Deployment
# ======================
# Domains for Traefik routing to Matrix services
MATRIX_DOMAIN=matrix.woltje.com
ELEMENT_DOMAIN=chat.woltje.com
# Synapse database (created automatically by synapse-db-init in the swarm compose)
SYNAPSE_POSTGRES_DB=synapse
SYNAPSE_POSTGRES_USER=synapse
SYNAPSE_POSTGRES_PASSWORD=REPLACE_WITH_SECURE_SYNAPSE_DB_PASSWORD
# Image tags for Matrix services
SYNAPSE_IMAGE_TAG=latest
ELEMENT_IMAGE_TAG=latest
# ====================== # ======================
# Orchestrator Configuration # Orchestrator Configuration
@@ -392,17 +350,6 @@ ELEMENT_IMAGE_TAG=latest
# Health endpoints (/health/*) remain unauthenticated # Health endpoints (/health/*) remain unauthenticated
ORCHESTRATOR_API_KEY=REPLACE_WITH_RANDOM_API_KEY_MINIMUM_32_CHARS ORCHESTRATOR_API_KEY=REPLACE_WITH_RANDOM_API_KEY_MINIMUM_32_CHARS
# Runtime safety defaults (recommended for low-memory hosts)
MAX_CONCURRENT_AGENTS=2
SESSION_CLEANUP_DELAY_MS=30000
ORCHESTRATOR_QUEUE_NAME=orchestrator-tasks
ORCHESTRATOR_QUEUE_CONCURRENCY=1
ORCHESTRATOR_QUEUE_MAX_RETRIES=3
ORCHESTRATOR_QUEUE_BASE_DELAY_MS=1000
ORCHESTRATOR_QUEUE_MAX_DELAY_MS=60000
SANDBOX_DEFAULT_MEMORY_MB=256
SANDBOX_DEFAULT_CPU_LIMIT=1.0
# ====================== # ======================
# AI Provider Configuration # AI Provider Configuration
# ====================== # ======================
@@ -416,10 +363,11 @@ AI_PROVIDER=ollama
# For remote Ollama: http://your-ollama-server:11434 # For remote Ollama: http://your-ollama-server:11434
OLLAMA_MODEL=llama3.1:latest OLLAMA_MODEL=llama3.1:latest
# Claude API Key # Claude API Configuration (when AI_PROVIDER=claude)
# Required only when AI_PROVIDER=claude. # OPTIONAL: Only required if AI_PROVIDER=claude
# Get your API key from: https://console.anthropic.com/ # Get your API key from: https://console.anthropic.com/
CLAUDE_API_KEY=REPLACE_WITH_CLAUDE_API_KEY # Note: Claude Max subscription users should use AI_PROVIDER=ollama instead
# CLAUDE_API_KEY=sk-ant-...
# OpenAI API Configuration (when AI_PROVIDER=openai) # OpenAI API Configuration (when AI_PROVIDER=openai)
# OPTIONAL: Only required if AI_PROVIDER=openai # OPTIONAL: Only required if AI_PROVIDER=openai
@@ -457,9 +405,6 @@ TTS_PREMIUM_URL=http://chatterbox-tts:8881/v1
TTS_FALLBACK_ENABLED=false TTS_FALLBACK_ENABLED=false
TTS_FALLBACK_URL=http://openedai-speech:8000/v1 TTS_FALLBACK_URL=http://openedai-speech:8000/v1
# Whisper model for Speaches STT engine
SPEACHES_WHISPER_MODEL=Systran/faster-whisper-large-v3-turbo
# Speech Service Limits # Speech Service Limits
# Maximum upload file size in bytes (default: 25MB) # Maximum upload file size in bytes (default: 25MB)
SPEECH_MAX_UPLOAD_SIZE=25000000 SPEECH_MAX_UPLOAD_SIZE=25000000
@@ -494,6 +439,28 @@ MOSAIC_TELEMETRY_INSTANCE_ID=your-instance-uuid-here
# Useful for development and debugging telemetry payloads # Useful for development and debugging telemetry payloads
MOSAIC_TELEMETRY_DRY_RUN=false MOSAIC_TELEMETRY_DRY_RUN=false
# ======================
# Matrix Dev Environment (docker-compose.matrix.yml overlay)
# ======================
# These variables configure the local Matrix dev environment.
# Only used when running: docker compose -f docker/docker-compose.yml -f docker/docker-compose.matrix.yml up
#
# Synapse homeserver
# SYNAPSE_CLIENT_PORT=8008
# SYNAPSE_FEDERATION_PORT=8448
# SYNAPSE_POSTGRES_DB=synapse
# SYNAPSE_POSTGRES_USER=synapse
# SYNAPSE_POSTGRES_PASSWORD=synapse_dev_password
#
# Element Web client
# ELEMENT_PORT=8501
#
# Matrix bridge connection (set after running docker/matrix/scripts/setup-bot.sh)
# MATRIX_HOMESERVER_URL=http://localhost:8008
# MATRIX_ACCESS_TOKEN=<obtained from setup-bot.sh>
# MATRIX_BOT_USER_ID=@mosaic-bot:localhost
# MATRIX_SERVER_NAME=localhost
# ====================== # ======================
# Logging & Debugging # Logging & Debugging
# ====================== # ======================

66
.env.prod.example Normal file
View File

@@ -0,0 +1,66 @@
# ==============================================
# Mosaic Stack Production Environment
# ==============================================
# Copy to .env and configure for production deployment
# ======================
# PostgreSQL Database
# ======================
# CRITICAL: Use a strong, unique password
POSTGRES_USER=mosaic
POSTGRES_PASSWORD=REPLACE_WITH_SECURE_PASSWORD
POSTGRES_DB=mosaic
POSTGRES_SHARED_BUFFERS=256MB
POSTGRES_EFFECTIVE_CACHE_SIZE=1GB
POSTGRES_MAX_CONNECTIONS=100
# ======================
# Valkey Cache
# ======================
VALKEY_MAXMEMORY=256mb
# ======================
# API Configuration
# ======================
API_PORT=3001
API_HOST=0.0.0.0
# ======================
# Web Configuration
# ======================
WEB_PORT=3000
NEXT_PUBLIC_API_URL=https://api.mosaicstack.dev
# ======================
# Authentication (Authentik OIDC)
# ======================
OIDC_ISSUER=https://auth.diversecanvas.com/application/o/mosaic-stack/
OIDC_CLIENT_ID=your-client-id
OIDC_CLIENT_SECRET=your-client-secret
OIDC_REDIRECT_URI=https://api.mosaicstack.dev/auth/callback/authentik
# ======================
# JWT Configuration
# ======================
# CRITICAL: Generate a random secret (openssl rand -base64 32)
JWT_SECRET=REPLACE_WITH_RANDOM_SECRET
JWT_EXPIRATION=24h
# ======================
# Traefik Integration
# ======================
# Set to true if using external Traefik
TRAEFIK_ENABLE=true
TRAEFIK_ENTRYPOINT=websecure
TRAEFIK_TLS_ENABLED=true
TRAEFIK_DOCKER_NETWORK=traefik-public
TRAEFIK_CERTRESOLVER=letsencrypt
# Domain configuration
MOSAIC_API_DOMAIN=api.mosaicstack.dev
MOSAIC_WEB_DOMAIN=app.mosaicstack.dev
# ======================
# Optional: Ollama
# ======================
# OLLAMA_ENDPOINT=http://ollama.diversecanvas.com:11434

161
.env.swarm.example Normal file
View File

@@ -0,0 +1,161 @@
# ==============================================
# Mosaic Stack - Docker Swarm Configuration
# ==============================================
# Copy this file to .env for Docker Swarm deployment
# ======================
# Application Ports (Internal)
# ======================
API_PORT=3001
API_HOST=0.0.0.0
WEB_PORT=3000
# ======================
# Domain Configuration (Traefik)
# ======================
# These domains must be configured in your DNS or /etc/hosts
MOSAIC_API_DOMAIN=api.mosaicstack.dev
MOSAIC_WEB_DOMAIN=mosaic.mosaicstack.dev
MOSAIC_AUTH_DOMAIN=auth.mosaicstack.dev
# ======================
# Web Configuration
# ======================
# Use the Traefik domain for the API URL
NEXT_PUBLIC_APP_URL=http://mosaic.mosaicstack.dev
NEXT_PUBLIC_API_URL=http://api.mosaicstack.dev
# ======================
# PostgreSQL Database
# ======================
DATABASE_URL=postgresql://mosaic:REPLACE_WITH_SECURE_PASSWORD@postgres:5432/mosaic
POSTGRES_USER=mosaic
POSTGRES_PASSWORD=REPLACE_WITH_SECURE_PASSWORD
POSTGRES_DB=mosaic
POSTGRES_PORT=5432
# PostgreSQL Performance Tuning
POSTGRES_SHARED_BUFFERS=256MB
POSTGRES_EFFECTIVE_CACHE_SIZE=1GB
POSTGRES_MAX_CONNECTIONS=100
# ======================
# Valkey Cache
# ======================
VALKEY_URL=redis://valkey:6379
VALKEY_HOST=valkey
VALKEY_PORT=6379
VALKEY_MAXMEMORY=256mb
# Knowledge Module Cache Configuration
KNOWLEDGE_CACHE_ENABLED=true
KNOWLEDGE_CACHE_TTL=300
# ======================
# Authentication (Authentik OIDC)
# ======================
# NOTE: Authentik services are COMMENTED OUT in docker-compose.swarm.yml by default
# Uncomment those services if you want to run Authentik internally
# Otherwise, use external Authentik by configuring OIDC_* variables below
# External Authentik Configuration (default)
OIDC_ENABLED=true
OIDC_ISSUER=https://auth.example.com/application/o/mosaic-stack/
OIDC_CLIENT_ID=your-client-id-here
OIDC_CLIENT_SECRET=your-client-secret-here
OIDC_REDIRECT_URI=https://api.mosaicstack.dev/auth/callback/authentik
# Internal Authentik Configuration (only needed if uncommenting Authentik services)
# Authentik PostgreSQL Database
AUTHENTIK_POSTGRES_USER=authentik
AUTHENTIK_POSTGRES_PASSWORD=REPLACE_WITH_SECURE_PASSWORD
AUTHENTIK_POSTGRES_DB=authentik
# Authentik Server Configuration
AUTHENTIK_SECRET_KEY=REPLACE_WITH_RANDOM_SECRET_MINIMUM_50_CHARS
AUTHENTIK_ERROR_REPORTING=false
AUTHENTIK_BOOTSTRAP_PASSWORD=REPLACE_WITH_SECURE_PASSWORD
AUTHENTIK_BOOTSTRAP_EMAIL=admin@mosaicstack.dev
AUTHENTIK_COOKIE_DOMAIN=.mosaicstack.dev
# ======================
# JWT Configuration
# ======================
JWT_SECRET=REPLACE_WITH_RANDOM_SECRET_MINIMUM_32_CHARS
JWT_EXPIRATION=24h
# ======================
# Encryption (Credential Security)
# ======================
# Generate with: openssl rand -hex 32
ENCRYPTION_KEY=REPLACE_WITH_64_CHAR_HEX_STRING_GENERATE_WITH_OPENSSL_RAND_HEX_32
# ======================
# OpenBao Secrets Management
# ======================
OPENBAO_ADDR=http://openbao:8200
OPENBAO_PORT=8200
# For development only - remove in production
OPENBAO_DEV_ROOT_TOKEN_ID=root
# ======================
# Ollama (Optional AI Service)
# ======================
OLLAMA_ENDPOINT=http://ollama:11434
OLLAMA_PORT=11434
OLLAMA_EMBEDDING_MODEL=mxbai-embed-large
# Semantic Search Configuration
SEMANTIC_SEARCH_SIMILARITY_THRESHOLD=0.5
# ======================
# OpenAI API (Optional)
# ======================
# OPENAI_API_KEY=sk-...
# ======================
# Application Environment
# ======================
NODE_ENV=production
# ======================
# Gitea Integration (Coordinator)
# ======================
GITEA_URL=https://git.mosaicstack.dev
GITEA_BOT_USERNAME=mosaic
GITEA_BOT_TOKEN=REPLACE_WITH_COORDINATOR_BOT_API_TOKEN
GITEA_BOT_PASSWORD=REPLACE_WITH_COORDINATOR_BOT_PASSWORD
GITEA_REPO_OWNER=mosaic
GITEA_REPO_NAME=stack
GITEA_WEBHOOK_SECRET=REPLACE_WITH_RANDOM_WEBHOOK_SECRET
COORDINATOR_API_KEY=REPLACE_WITH_RANDOM_API_KEY_MINIMUM_32_CHARS
# ======================
# Coordinator Service
# ======================
ANTHROPIC_API_KEY=REPLACE_WITH_ANTHROPIC_API_KEY
COORDINATOR_POLL_INTERVAL=5.0
COORDINATOR_MAX_CONCURRENT_AGENTS=10
COORDINATOR_ENABLED=true
# ======================
# Rate Limiting
# ======================
RATE_LIMIT_TTL=60
RATE_LIMIT_GLOBAL_LIMIT=100
RATE_LIMIT_WEBHOOK_LIMIT=60
RATE_LIMIT_COORDINATOR_LIMIT=100
RATE_LIMIT_HEALTH_LIMIT=300
RATE_LIMIT_STORAGE=redis
# ======================
# Orchestrator Configuration
# ======================
ORCHESTRATOR_API_KEY=REPLACE_WITH_RANDOM_API_KEY_MINIMUM_32_CHARS
CLAUDE_API_KEY=REPLACE_WITH_CLAUDE_API_KEY
# ======================
# Logging & Debugging
# ======================
LOG_LEVEL=info
DEBUG=false

10
.gitignore vendored
View File

@@ -59,13 +59,3 @@ yarn-error.log*
# Orchestrator reports (generated by QA automation, cleaned up after processing) # Orchestrator reports (generated by QA automation, cleaned up after processing)
docs/reports/qa-automation/ docs/reports/qa-automation/
# Repo-local orchestrator runtime artifacts
.mosaic/orchestrator/orchestrator.pid
.mosaic/orchestrator/state.json
.mosaic/orchestrator/tasks.json
.mosaic/orchestrator/matrix_state.json
.mosaic/orchestrator/logs/*.log
.mosaic/orchestrator/results/*
!.mosaic/orchestrator/logs/.gitkeep
!.mosaic/orchestrator/results/.gitkeep

4
.mosaic/README.md
View File

@@ -4,12 +4,12 @@ This repository is attached to the machine-wide Mosaic framework.
## Load Order for Agents ## Load Order for Agents
1. `~/.config/mosaic/STANDARDS.md` 1. `~/.mosaic/STANDARDS.md`
2. `AGENTS.md` (this repository) 2. `AGENTS.md` (this repository)
3. `.mosaic/repo-hooks.sh` (repo-specific automation hooks) 3. `.mosaic/repo-hooks.sh` (repo-specific automation hooks)
## Purpose ## Purpose
- Keep universal standards in `~/.config/mosaic` - Keep universal standards in `~/.mosaic`
- Keep repo-specific behavior in this repo - Keep repo-specific behavior in this repo
- Avoid copying large runtime configs into each project - Avoid copying large runtime configs into each project

18
.mosaic/orchestrator/config.json
View File

@@ -1,18 +0,0 @@
{
"enabled": true,
"transport": "matrix",
"matrix": {
"control_room_id": "",
"workspace_id": "",
"homeserver_url": "",
"access_token": "",
"bot_user_id": ""
},
"worker": {
"runtime": "codex",
"command_template": "bash scripts/agent/orchestrator-worker.sh {task_file}",
"timeout_seconds": 7200,
"max_attempts": 1
},
"quality_gates": ["pnpm lint", "pnpm typecheck", "pnpm test"]
}

1
.mosaic/orchestrator/logs/.gitkeep
View File

@@ -1 +0,0 @@

90
.mosaic/orchestrator/mission.json
View File

@@ -1,90 +0,0 @@
{
"schema_version": 1,
"mission_id": "ms21-multi-tenant-rbac-data-migration-20260228",
"name": "MS21 Multi-Tenant RBAC Data Migration",
"description": "Build multi-tenant user/workspace/team management, break-glass auth, RBAC UI enforcement, and migrate jarvis-brain data into Mosaic Stack",
"project_path": "/home/jwoltje/src/mosaic-stack",
"created_at": "2026-02-28T17:10:22Z",
"status": "active",
"task_prefix": "MS21",
"quality_gates": "pnpm lint && pnpm build && pnpm test",
"milestone_version": "0.0.21",
"milestones": [
{
"id": "phase-1",
"name": "Schema and Admin API",
"status": "pending",
"branch": "schema-and-admin-api",
"issue_ref": "",
"started_at": "",
"completed_at": ""
},
{
"id": "phase-2",
"name": "Break-Glass Authentication",
"status": "pending",
"branch": "break-glass-authentication",
"issue_ref": "",
"started_at": "",
"completed_at": ""
},
{
"id": "phase-3",
"name": "Data Migration",
"status": "pending",
"branch": "data-migration",
"issue_ref": "",
"started_at": "",
"completed_at": ""
},
{
"id": "phase-4",
"name": "Admin UI",
"status": "pending",
"branch": "admin-ui",
"issue_ref": "",
"started_at": "",
"completed_at": ""
},
{
"id": "phase-5",
"name": "RBAC UI Enforcement",
"status": "pending",
"branch": "rbac-ui-enforcement",
"issue_ref": "",
"started_at": "",
"completed_at": ""
},
{
"id": "phase-6",
"name": "Verification",
"status": "pending",
"branch": "verification",
"issue_ref": "",
"started_at": "",
"completed_at": ""
}
],
"sessions": [
{
"session_id": "sess-001",
"runtime": "unknown",
"started_at": "2026-02-28T17:48:51Z",
"ended_at": "",
"ended_reason": "",
"milestone_at_end": "",
"tasks_completed": [],
"last_task_id": ""
},
{
"session_id": "sess-002",
"runtime": "unknown",
"started_at": "2026-02-28T20:30:13Z",
"ended_at": "",
"ended_reason": "",
"milestone_at_end": "",
"tasks_completed": [],
"last_task_id": ""
}
]
}

1
.mosaic/orchestrator/results/.gitkeep
View File

@@ -1 +0,0 @@

8
.mosaic/orchestrator/session.lock
View File

@@ -1,8 +0,0 @@
{
"session_id": "sess-002",
"runtime": "unknown",
"pid": 3178395,
"started_at": "2026-02-28T20:30:13Z",
"project_path": "/tmp/ms21-ui-001",
"milestone_id": ""
}

10
.mosaic/quality-rails.yml
View File

@@ -1,10 +0,0 @@
enabled: false
template: ""
# Set enabled: true and choose one template:
# - typescript-node
# - typescript-nextjs
# - monorepo
#
# Apply manually:
# ~/.config/mosaic/bin/mosaic-quality-apply --template <template> --target <repo>

13
.woodpecker/README.md
View File

@@ -85,11 +85,12 @@ install -> [ruff-check, mypy, security-bandit, security-pip-audit, test]
## Image Tagging ## Image Tagging
| Condition | Tag | Purpose | | Condition | Tag | Purpose |
| ------------- | -------------------------- | -------------------------- | | ---------------- | -------------------------- | -------------------------- |
| Always | `${CI_COMMIT_SHA:0:8}` | Immutable commit reference | | Always | `${CI_COMMIT_SHA:0:8}` | Immutable commit reference |
| `main` branch | `latest` | Current latest build | | `main` branch | `latest` | Current production release |
| Git tag | tag value (e.g., `v1.0.0`) | Semantic version release | | `develop` branch | `dev` | Current development build |
| Git tag | tag value (e.g., `v1.0.0`) | Semantic version release |
## Required Secrets ## Required Secrets
@@ -137,5 +138,5 @@ Fails on blockers or critical/high severity security findings.
### Pipeline runs Docker builds on pull requests ### Pipeline runs Docker builds on pull requests
- Docker build steps have `when: branch: [main]` guards - Docker build steps have `when: branch: [main, develop]` guards
- PRs only run quality gates, not Docker builds - PRs only run quality gates, not Docker builds

45
.woodpecker/api.yml
View File

@@ -15,7 +15,6 @@ when:
- "turbo.json" - "turbo.json"
- "package.json" - "package.json"
- ".woodpecker/api.yml" - ".woodpecker/api.yml"
- ".trivyignore"
variables: variables:
- &node_image "node:24-alpine" - &node_image "node:24-alpine"
@@ -24,13 +23,6 @@ variables:
pnpm install --frozen-lockfile pnpm install --frozen-lockfile
- &use_deps | - &use_deps |
corepack enable corepack enable
- &turbo_env
TURBO_API:
from_secret: turbo_api
TURBO_TOKEN:
from_secret: turbo_token
TURBO_TEAM:
from_secret: turbo_team
- &kaniko_setup | - &kaniko_setup |
mkdir -p /kaniko/.docker mkdir -p /kaniko/.docker
echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$GITEA_USER\",\"password\":\"$GITEA_TOKEN\"}}}" > /kaniko/.docker/config.json echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$GITEA_USER\",\"password\":\"$GITEA_TOKEN\"}}}" > /kaniko/.docker/config.json
@@ -59,6 +51,17 @@ steps:
depends_on: depends_on:
- install - install
lint:
image: *node_image
environment:
SKIP_ENV_VALIDATION: "true"
commands:
- *use_deps
- pnpm --filter "@mosaic/api" lint
depends_on:
- prisma-generate
- build-shared
prisma-generate: prisma-generate:
image: *node_image image: *node_image
environment: environment:
@@ -69,27 +72,26 @@ steps:
depends_on: depends_on:
- install - install
lint: build-shared:
image: *node_image image: *node_image
environment: environment:
SKIP_ENV_VALIDATION: "true" SKIP_ENV_VALIDATION: "true"
<<: *turbo_env
commands: commands:
- *use_deps - *use_deps
- pnpm turbo lint --filter=@mosaic/api - pnpm --filter "@mosaic/shared" build
depends_on: depends_on:
- prisma-generate - install
typecheck: typecheck:
image: *node_image image: *node_image
environment: environment:
SKIP_ENV_VALIDATION: "true" SKIP_ENV_VALIDATION: "true"
<<: *turbo_env
commands: commands:
- *use_deps - *use_deps
- pnpm turbo typecheck --filter=@mosaic/api - pnpm --filter "@mosaic/api" typecheck
depends_on: depends_on:
- prisma-generate - prisma-generate
- build-shared
prisma-migrate: prisma-migrate:
image: *node_image image: *node_image
@@ -110,7 +112,7 @@ steps:
ENCRYPTION_KEY: "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" ENCRYPTION_KEY: "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
commands: commands:
- *use_deps - *use_deps
- pnpm --filter "@mosaic/api" exec vitest run --exclude 'src/auth/auth-rls.integration.spec.ts' --exclude 'src/credentials/user-credential.model.spec.ts' --exclude 'src/job-events/job-events.performance.spec.ts' --exclude 'src/knowledge/services/fulltext-search.spec.ts' --exclude 'src/mosaic-telemetry/mosaic-telemetry.module.spec.ts' - pnpm --filter "@mosaic/api" exec vitest run --exclude 'src/auth/auth-rls.integration.spec.ts' --exclude 'src/credentials/user-credential.model.spec.ts' --exclude 'src/job-events/job-events.performance.spec.ts' --exclude 'src/knowledge/services/fulltext-search.spec.ts'
depends_on: depends_on:
- prisma-migrate - prisma-migrate
@@ -121,7 +123,6 @@ steps:
environment: environment:
SKIP_ENV_VALIDATION: "true" SKIP_ENV_VALIDATION: "true"
NODE_ENV: "production" NODE_ENV: "production"
<<: *turbo_env
commands: commands:
- *use_deps - *use_deps
- pnpm turbo build --filter=@mosaic/api - pnpm turbo build --filter=@mosaic/api
@@ -150,10 +151,12 @@ steps:
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-api:$CI_COMMIT_TAG" DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-api:$CI_COMMIT_TAG"
elif [ "$CI_COMMIT_BRANCH" = "main" ]; then elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-api:latest" DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-api:latest"
elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-api:dev"
fi fi
/kaniko/executor --context . --dockerfile apps/api/Dockerfile --snapshot-mode=redo $DESTINATIONS /kaniko/executor --context . --dockerfile apps/api/Dockerfile $DESTINATIONS
when: when:
- branch: [main] - branch: [main, develop]
event: [push, manual, tag] event: [push, manual, tag]
depends_on: depends_on:
- build - build
@@ -176,7 +179,7 @@ steps:
elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
SCAN_TAG="latest" SCAN_TAG="latest"
else else
SCAN_TAG="latest" SCAN_TAG="dev"
fi fi
mkdir -p ~/.docker mkdir -p ~/.docker
echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -184,7 +187,7 @@ steps:
--ignorefile .trivyignore \ --ignorefile .trivyignore \
git.mosaicstack.dev/mosaic/stack-api:$$SCAN_TAG git.mosaicstack.dev/mosaic/stack-api:$$SCAN_TAG
when: when:
- branch: [main] - branch: [main, develop]
event: [push, manual, tag] event: [push, manual, tag]
depends_on: depends_on:
- docker-build-api - docker-build-api
@@ -226,7 +229,7 @@ steps:
} }
link_package "stack-api" link_package "stack-api"
when: when:
- branch: [main] - branch: [main, develop]
event: [push, manual, tag] event: [push, manual, tag]
depends_on: depends_on:
- security-trivy-api - security-trivy-api

12
.woodpecker/coordinator.yml
View File

@@ -92,10 +92,12 @@ steps:
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-coordinator:$CI_COMMIT_TAG" DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-coordinator:$CI_COMMIT_TAG"
elif [ "$CI_COMMIT_BRANCH" = "main" ]; then elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-coordinator:latest" DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-coordinator:latest"
elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-coordinator:dev"
fi fi
/kaniko/executor --context apps/coordinator --dockerfile apps/coordinator/Dockerfile --snapshot-mode=redo $DESTINATIONS /kaniko/executor --context apps/coordinator --dockerfile apps/coordinator/Dockerfile $DESTINATIONS
when: when:
- branch: [main] - branch: [main, develop]
event: [push, manual, tag] event: [push, manual, tag]
depends_on: depends_on:
- ruff-check - ruff-check
@@ -122,7 +124,7 @@ steps:
elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
SCAN_TAG="latest" SCAN_TAG="latest"
else else
SCAN_TAG="latest" SCAN_TAG="dev"
fi fi
mkdir -p ~/.docker mkdir -p ~/.docker
echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -130,7 +132,7 @@ steps:
--ignorefile .trivyignore \ --ignorefile .trivyignore \
git.mosaicstack.dev/mosaic/stack-coordinator:$$SCAN_TAG git.mosaicstack.dev/mosaic/stack-coordinator:$$SCAN_TAG
when: when:
- branch: [main] - branch: [main, develop]
event: [push, manual, tag] event: [push, manual, tag]
depends_on: depends_on:
- docker-build-coordinator - docker-build-coordinator
@@ -172,7 +174,7 @@ steps:
} }
link_package "stack-coordinator" link_package "stack-coordinator"
when: when:
- branch: [main] - branch: [main, develop]
event: [push, manual, tag] event: [push, manual, tag]
depends_on: depends_on:
- security-trivy-coordinator - security-trivy-coordinator

22
.woodpecker/infra.yml
View File

@@ -36,10 +36,12 @@ steps:
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-postgres:$CI_COMMIT_TAG" DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-postgres:$CI_COMMIT_TAG"
elif [ "$CI_COMMIT_BRANCH" = "main" ]; then elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-postgres:latest" DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-postgres:latest"
elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-postgres:dev"
fi fi
/kaniko/executor --context docker/postgres --dockerfile docker/postgres/Dockerfile --snapshot-mode=redo $DESTINATIONS /kaniko/executor --context docker/postgres --dockerfile docker/postgres/Dockerfile $DESTINATIONS
when: when:
- branch: [main] - branch: [main, develop]
event: [push, manual, tag] event: [push, manual, tag]
docker-build-openbao: docker-build-openbao:
@@ -59,10 +61,12 @@ steps:
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-openbao:$CI_COMMIT_TAG" DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-openbao:$CI_COMMIT_TAG"
elif [ "$CI_COMMIT_BRANCH" = "main" ]; then elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-openbao:latest" DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-openbao:latest"
elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-openbao:dev"
fi fi
/kaniko/executor --context docker/openbao --dockerfile docker/openbao/Dockerfile --snapshot-mode=redo $DESTINATIONS /kaniko/executor --context docker/openbao --dockerfile docker/openbao/Dockerfile $DESTINATIONS
when: when:
- branch: [main] - branch: [main, develop]
event: [push, manual, tag] event: [push, manual, tag]
# === Container Security Scans === # === Container Security Scans ===
@@ -83,7 +87,7 @@ steps:
elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
SCAN_TAG="latest" SCAN_TAG="latest"
else else
SCAN_TAG="latest" SCAN_TAG="dev"
fi fi
mkdir -p ~/.docker mkdir -p ~/.docker
echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -91,7 +95,7 @@ steps:
--ignorefile .trivyignore \ --ignorefile .trivyignore \
git.mosaicstack.dev/mosaic/stack-postgres:$$SCAN_TAG git.mosaicstack.dev/mosaic/stack-postgres:$$SCAN_TAG
when: when:
- branch: [main] - branch: [main, develop]
event: [push, manual, tag] event: [push, manual, tag]
depends_on: depends_on:
- docker-build-postgres - docker-build-postgres
@@ -112,7 +116,7 @@ steps:
elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
SCAN_TAG="latest" SCAN_TAG="latest"
else else
SCAN_TAG="latest" SCAN_TAG="dev"
fi fi
mkdir -p ~/.docker mkdir -p ~/.docker
echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -120,7 +124,7 @@ steps:
--ignorefile .trivyignore \ --ignorefile .trivyignore \
git.mosaicstack.dev/mosaic/stack-openbao:$$SCAN_TAG git.mosaicstack.dev/mosaic/stack-openbao:$$SCAN_TAG
when: when:
- branch: [main] - branch: [main, develop]
event: [push, manual, tag] event: [push, manual, tag]
depends_on: depends_on:
- docker-build-openbao - docker-build-openbao
@@ -163,7 +167,7 @@ steps:
link_package "stack-postgres" link_package "stack-postgres"
link_package "stack-openbao" link_package "stack-openbao"
when: when:
- branch: [main] - branch: [main, develop]
event: [push, manual, tag] event: [push, manual, tag]
depends_on: depends_on:
- security-trivy-postgres - security-trivy-postgres

30
.woodpecker/orchestrator.yml
View File

@@ -15,7 +15,6 @@ when:
- "turbo.json" - "turbo.json"
- "package.json" - "package.json"
- ".woodpecker/orchestrator.yml" - ".woodpecker/orchestrator.yml"
- ".trivyignore"
variables: variables:
- &node_image "node:24-alpine" - &node_image "node:24-alpine"
@@ -24,13 +23,6 @@ variables:
pnpm install --frozen-lockfile pnpm install --frozen-lockfile
- &use_deps | - &use_deps |
corepack enable corepack enable
- &turbo_env
TURBO_API:
from_secret: turbo_api
TURBO_TOKEN:
from_secret: turbo_token
TURBO_TEAM:
from_secret: turbo_team
- &kaniko_setup | - &kaniko_setup |
mkdir -p /kaniko/.docker mkdir -p /kaniko/.docker
echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$GITEA_USER\",\"password\":\"$GITEA_TOKEN\"}}}" > /kaniko/.docker/config.json echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$GITEA_USER\",\"password\":\"$GITEA_TOKEN\"}}}" > /kaniko/.docker/config.json
@@ -55,10 +47,9 @@ steps:
image: *node_image image: *node_image
environment: environment:
SKIP_ENV_VALIDATION: "true" SKIP_ENV_VALIDATION: "true"
<<: *turbo_env
commands: commands:
- *use_deps - *use_deps
- pnpm turbo lint --filter=@mosaic/orchestrator - pnpm --filter "@mosaic/orchestrator" lint
depends_on: depends_on:
- install - install
@@ -66,10 +57,9 @@ steps:
image: *node_image image: *node_image
environment: environment:
SKIP_ENV_VALIDATION: "true" SKIP_ENV_VALIDATION: "true"
<<: *turbo_env
commands: commands:
- *use_deps - *use_deps
- pnpm turbo typecheck --filter=@mosaic/orchestrator - pnpm --filter "@mosaic/orchestrator" typecheck
depends_on: depends_on:
- install - install
@@ -77,10 +67,9 @@ steps:
image: *node_image image: *node_image
environment: environment:
SKIP_ENV_VALIDATION: "true" SKIP_ENV_VALIDATION: "true"
<<: *turbo_env
commands: commands:
- *use_deps - *use_deps
- pnpm turbo test --filter=@mosaic/orchestrator - pnpm --filter "@mosaic/orchestrator" test
depends_on: depends_on:
- install - install
@@ -91,7 +80,6 @@ steps:
environment: environment:
SKIP_ENV_VALIDATION: "true" SKIP_ENV_VALIDATION: "true"
NODE_ENV: "production" NODE_ENV: "production"
<<: *turbo_env
commands: commands:
- *use_deps - *use_deps
- pnpm turbo build --filter=@mosaic/orchestrator - pnpm turbo build --filter=@mosaic/orchestrator
@@ -120,10 +108,12 @@ steps:
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-orchestrator:$CI_COMMIT_TAG" DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-orchestrator:$CI_COMMIT_TAG"
elif [ "$CI_COMMIT_BRANCH" = "main" ]; then elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-orchestrator:latest" DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-orchestrator:latest"
elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-orchestrator:dev"
fi fi
/kaniko/executor --context . --dockerfile apps/orchestrator/Dockerfile --snapshot-mode=redo $DESTINATIONS /kaniko/executor --context . --dockerfile apps/orchestrator/Dockerfile $DESTINATIONS
when: when:
- branch: [main] - branch: [main, develop]
event: [push, manual, tag] event: [push, manual, tag]
depends_on: depends_on:
- build - build
@@ -146,7 +136,7 @@ steps:
elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
SCAN_TAG="latest" SCAN_TAG="latest"
else else
SCAN_TAG="latest" SCAN_TAG="dev"
fi fi
mkdir -p ~/.docker mkdir -p ~/.docker
echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -154,7 +144,7 @@ steps:
--ignorefile .trivyignore \ --ignorefile .trivyignore \
git.mosaicstack.dev/mosaic/stack-orchestrator:$$SCAN_TAG git.mosaicstack.dev/mosaic/stack-orchestrator:$$SCAN_TAG
when: when:
- branch: [main] - branch: [main, develop]
event: [push, manual, tag] event: [push, manual, tag]
depends_on: depends_on:
- docker-build-orchestrator - docker-build-orchestrator
@@ -196,7 +186,7 @@ steps:
} }
link_package "stack-orchestrator" link_package "stack-orchestrator"
when: when:
- branch: [main] - branch: [main, develop]
event: [push, manual, tag] event: [push, manual, tag]
depends_on: depends_on:
- security-trivy-orchestrator - security-trivy-orchestrator

47
.woodpecker/web.yml
View File

@@ -15,7 +15,6 @@ when:
- "turbo.json" - "turbo.json"
- "package.json" - "package.json"
- ".woodpecker/web.yml" - ".woodpecker/web.yml"
- ".trivyignore"
variables: variables:
- &node_image "node:24-alpine" - &node_image "node:24-alpine"
@@ -24,13 +23,6 @@ variables:
pnpm install --frozen-lockfile pnpm install --frozen-lockfile
- &use_deps | - &use_deps |
corepack enable corepack enable
- &turbo_env
TURBO_API:
from_secret: turbo_api
TURBO_TOKEN:
from_secret: turbo_token
TURBO_TEAM:
from_secret: turbo_team
- &kaniko_setup | - &kaniko_setup |
mkdir -p /kaniko/.docker mkdir -p /kaniko/.docker
echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$GITEA_USER\",\"password\":\"$GITEA_TOKEN\"}}}" > /kaniko/.docker/config.json echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$GITEA_USER\",\"password\":\"$GITEA_TOKEN\"}}}" > /kaniko/.docker/config.json
@@ -51,38 +43,46 @@ steps:
depends_on: depends_on:
- install - install
build-shared:
image: *node_image
environment:
SKIP_ENV_VALIDATION: "true"
commands:
- *use_deps
- pnpm --filter "@mosaic/shared" build
- pnpm --filter "@mosaic/ui" build
depends_on:
- install
lint: lint:
image: *node_image image: *node_image
environment: environment:
SKIP_ENV_VALIDATION: "true" SKIP_ENV_VALIDATION: "true"
<<: *turbo_env
commands: commands:
- *use_deps - *use_deps
- pnpm turbo lint --filter=@mosaic/web - pnpm --filter "@mosaic/web" lint
depends_on: depends_on:
- install - build-shared
typecheck: typecheck:
image: *node_image image: *node_image
environment: environment:
SKIP_ENV_VALIDATION: "true" SKIP_ENV_VALIDATION: "true"
<<: *turbo_env
commands: commands:
- *use_deps - *use_deps
- pnpm turbo typecheck --filter=@mosaic/web - pnpm --filter "@mosaic/web" typecheck
depends_on: depends_on:
- install - build-shared
test: test:
image: *node_image image: *node_image
environment: environment:
SKIP_ENV_VALIDATION: "true" SKIP_ENV_VALIDATION: "true"
<<: *turbo_env
commands: commands:
- *use_deps - *use_deps
- pnpm turbo test --filter=@mosaic/web - pnpm --filter "@mosaic/web" test
depends_on: depends_on:
- install - build-shared
# === Build === # === Build ===
@@ -91,7 +91,6 @@ steps:
environment: environment:
SKIP_ENV_VALIDATION: "true" SKIP_ENV_VALIDATION: "true"
NODE_ENV: "production" NODE_ENV: "production"
<<: *turbo_env
commands: commands:
- *use_deps - *use_deps
- pnpm turbo build --filter=@mosaic/web - pnpm turbo build --filter=@mosaic/web
@@ -120,10 +119,12 @@ steps:
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-web:$CI_COMMIT_TAG" DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-web:$CI_COMMIT_TAG"
elif [ "$CI_COMMIT_BRANCH" = "main" ]; then elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-web:latest" DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-web:latest"
elif [ "$CI_COMMIT_BRANCH" = "develop" ]; then
DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-web:dev"
fi fi
/kaniko/executor --context . --dockerfile apps/web/Dockerfile --snapshot-mode=redo --build-arg NEXT_PUBLIC_API_URL=https://api.mosaicstack.dev $DESTINATIONS /kaniko/executor --context . --dockerfile apps/web/Dockerfile --build-arg NEXT_PUBLIC_API_URL=https://api.mosaicstack.dev $DESTINATIONS
when: when:
- branch: [main] - branch: [main, develop]
event: [push, manual, tag] event: [push, manual, tag]
depends_on: depends_on:
- build - build
@@ -146,7 +147,7 @@ steps:
elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then elif [ "$$CI_COMMIT_BRANCH" = "main" ]; then
SCAN_TAG="latest" SCAN_TAG="latest"
else else
SCAN_TAG="latest" SCAN_TAG="dev"
fi fi
mkdir -p ~/.docker mkdir -p ~/.docker
echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$$GITEA_USER\",\"password\":\"$$GITEA_TOKEN\"}}}" > ~/.docker/config.json
@@ -154,7 +155,7 @@ steps:
--ignorefile .trivyignore \ --ignorefile .trivyignore \
git.mosaicstack.dev/mosaic/stack-web:$$SCAN_TAG git.mosaicstack.dev/mosaic/stack-web:$$SCAN_TAG
when: when:
- branch: [main] - branch: [main, develop]
event: [push, manual, tag] event: [push, manual, tag]
depends_on: depends_on:
- docker-build-web - docker-build-web
@@ -196,7 +197,7 @@ steps:
} }
link_package "stack-web" link_package "stack-web"
when: when:
- branch: [main] - branch: [main, develop]
event: [push, manual, tag] event: [push, manual, tag]
depends_on: depends_on:
- security-trivy-web - security-trivy-web

21
AGENTS.md
View File

@@ -3,7 +3,7 @@
## Load Order ## Load Order
1. `SOUL.md` (repo identity + behavior invariants) 1. `SOUL.md` (repo identity + behavior invariants)
2. `~/.config/mosaic/STANDARDS.md` (machine-wide standards rails) 2. `~/.mosaic/STANDARDS.md` (machine-wide standards rails)
3. `AGENTS.md` (repo-specific overlay) 3. `AGENTS.md` (repo-specific overlay)
4. `.mosaic/repo-hooks.sh` (repo lifecycle hooks) 4. `.mosaic/repo-hooks.sh` (repo lifecycle hooks)
@@ -11,7 +11,7 @@
- This file is authoritative for repo-local operations. - This file is authoritative for repo-local operations.
- `CLAUDE.md` is a compatibility pointer to `AGENTS.md`. - `CLAUDE.md` is a compatibility pointer to `AGENTS.md`.
- Follow universal rails from `~/.config/mosaic/guides/` and `~/.config/mosaic/rails/`. - Follow universal rails from `~/.mosaic/guides/` and `~/.mosaic/rails/`.
## Session Lifecycle ## Session Lifecycle
@@ -25,8 +25,6 @@ Optional:
```bash ```bash
bash scripts/agent/log-limitation.sh "Short Name" bash scripts/agent/log-limitation.sh "Short Name"
bash scripts/agent/orchestrator-daemon.sh status
bash scripts/agent/orchestrator-events.sh recent --limit 50
``` ```
## Repo Context ## Repo Context
@@ -46,21 +44,6 @@ pnpm lint
pnpm build pnpm build
``` ```
## Versioning Protocol (HARD GATE)
**This project is ALPHA. All versions MUST be `0.0.x`.**
- The `0.1.0` release is FORBIDDEN until Jason explicitly authorizes it.
- Every milestone bump increments the patch: `0.0.20``0.0.21``0.0.22`, etc.
- ALL package.json files in the monorepo MUST stay in sync at the same version.
- Use `scripts/version-bump.sh <version>` to bump — it enforces the alpha constraint and updates all packages atomically.
- The script rejects any version >= `0.1.0`.
- When creating a release tag, the tag MUST match the package version: `v0.0.x`.
**Milestone-to-version mapping** is defined in the PRD (`docs/PRD.md`) under "Delivery/Milestone Intent". Agents MUST use the version from that table when tagging a milestone release.
**Violation of this protocol is a blocking error.** If an agent attempts to set a version >= `0.1.0`, stop and escalate.
## Standards and Quality ## Standards and Quality
- Enforce strict typing and no unsafe shortcuts. - Enforce strict typing and no unsafe shortcuts.

16
CLAUDE.md
View File

@@ -1,10 +1,14 @@
# CLAUDE Compatibility Pointer # Compatibility Pointer
This file exists so Claude Code sessions load Mosaic standards. This repository uses an agent-neutral Mosaic standards model.
## MANDATORY — Read Before Any Response Authoritative repo guidance is in `AGENTS.md`.
BEFORE responding to any user message, READ `~/.config/mosaic/AGENTS.md`. Load order for Claude sessions:
That file is the universal agent configuration. Do NOT respond until you have loaded it. 1. `SOUL.md`
Then read the project-local `AGENTS.md` in this repository for project-specific guidance. 2. `~/.mosaic/STANDARDS.md`
3. `AGENTS.md`
4. `.mosaic/repo-hooks.sh`
If you were started from `CLAUDE.md`, continue by reading `AGENTS.md` now.

11
README.md
View File

@@ -232,7 +232,7 @@ docker compose -f docker-compose.openbao.yml up -d
sleep 30 # Wait for auto-initialization sleep 30 # Wait for auto-initialization
# 5. Deploy swarm stack # 5. Deploy swarm stack
IMAGE_TAG=latest ./scripts/deploy-swarm.sh mosaic IMAGE_TAG=dev ./scripts/deploy-swarm.sh mosaic
# 6. Check deployment status # 6. Check deployment status
docker stack services mosaic docker stack services mosaic
@@ -526,9 +526,10 @@ KNOWLEDGE_CACHE_TTL=300 # 5 minutes
### Branch Strategy ### Branch Strategy
- `main`Trunk branch (all development merges here) - `main`Stable releases only
- `feature/*` — Feature branches from main - `develop` — Active development (default working branch)
- `fix/*`Bug fix branches from main - `feature/*`Feature branches from develop
- `fix/*` — Bug fix branches
### Running Locally ### Running Locally
@@ -738,7 +739,7 @@ See [Type Sharing Strategy](docs/2-development/3-type-sharing/1-strategy.md) for
4. Run tests: `pnpm test` 4. Run tests: `pnpm test`
5. Build: `pnpm build` 5. Build: `pnpm build`
6. Commit with conventional format: `feat(#issue): Description` 6. Commit with conventional format: `feat(#issue): Description`
7. Push and create a pull request to `main` 7. Push and create a pull request to `develop`
### Commit Format ### Commit Format

2
SOUL.md
View File

@@ -10,7 +10,7 @@ You are Jarvis for the Mosaic Stack repository, running on the current agent run
- Be calm and clear: keep responses concise, chunked, and PDA-friendly. - Be calm and clear: keep responses concise, chunked, and PDA-friendly.
- Respect canonical sources: - Respect canonical sources:
- Repo operations and conventions: `AGENTS.md` - Repo operations and conventions: `AGENTS.md`
- Machine-wide rails: `~/.config/mosaic/STANDARDS.md` - Machine-wide rails: `~/.mosaic/STANDARDS.md`
- Repo lifecycle hooks: `.mosaic/repo-hooks.sh` - Repo lifecycle hooks: `.mosaic/repo-hooks.sh`
## Guardrails ## Guardrails

37
apps/api/Dockerfile
View File

@@ -1,3 +1,6 @@
# syntax=docker/dockerfile:1
# Enable BuildKit features for cache mounts
# Base image for all stages # Base image for all stages
# Uses Debian slim (glibc) instead of Alpine (musl) because native Node.js addons # Uses Debian slim (glibc) instead of Alpine (musl) because native Node.js addons
# (matrix-sdk-crypto-nodejs, Prisma engines) require glibc-compatible binaries. # (matrix-sdk-crypto-nodejs, Prisma engines) require glibc-compatible binaries.
@@ -18,24 +21,15 @@ COPY turbo.json ./
# ====================== # ======================
FROM base AS deps FROM base AS deps
# Install build tools for native addons (node-pty requires node-gyp compilation)
# and OpenSSL for Prisma engine detection
RUN apt-get update && apt-get install -y --no-install-recommends \
python3 make g++ openssl \
&& rm -rf /var/lib/apt/lists/*
# Copy all package.json files for workspace resolution # Copy all package.json files for workspace resolution
COPY packages/shared/package.json ./packages/shared/ COPY packages/shared/package.json ./packages/shared/
COPY packages/ui/package.json ./packages/ui/ COPY packages/ui/package.json ./packages/ui/
COPY packages/config/package.json ./packages/config/ COPY packages/config/package.json ./packages/config/
COPY apps/api/package.json ./apps/api/ COPY apps/api/package.json ./apps/api/
# Install dependencies (no cache mount — Kaniko builds are ephemeral in CI) # Install dependencies with pnpm store cache
# Then explicitly rebuild node-pty from source since pnpm may skip postinstall RUN --mount=type=cache,id=pnpm-store,target=/root/.local/share/pnpm/store \
# scripts or fail to find prebuilt binaries for this Node.js version pnpm install --frozen-lockfile
RUN pnpm install --frozen-lockfile \
&& cd node_modules/.pnpm/node-pty@*/node_modules/node-pty \
&& npx node-gyp rebuild 2>&1 || true
# ====================== # ======================
# Builder stage # Builder stage
@@ -63,18 +57,15 @@ RUN pnpm turbo build --filter=@mosaic/api --force
# ====================== # ======================
FROM node:24-slim AS production FROM node:24-slim AS production
# Install dumb-init for proper signal handling (static binary from GitHub, # Remove npm (unused in production — we use pnpm) to reduce attack surface
# avoids apt-get which fails under Kaniko with bookworm GPG signature errors) RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
ADD https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x86_64 /usr/local/bin/dumb-init
# Single RUN to minimize Kaniko filesystem snapshots (each RUN = full snapshot) # Install dumb-init for proper signal handling
# - openssl: Prisma engine detection requires libssl RUN apt-get update && apt-get install -y --no-install-recommends dumb-init \
# - No build tools needed here — native addons are compiled in the deps stage && rm -rf /var/lib/apt/lists/*
RUN apt-get update && apt-get install -y --no-install-recommends openssl \
&& rm -rf /var/lib/apt/lists/* \ # Create non-root user
&& rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx \ RUN groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nestjs
&& chmod 755 /usr/local/bin/dumb-init \
&& groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nestjs
WORKDIR /app WORKDIR /app

5
apps/api/package.json
View File

@@ -1,6 +1,6 @@
{ {
"name": "@mosaic/api", "name": "@mosaic/api",
"version": "0.0.20", "version": "0.0.1",
"private": true, "private": true,
"scripts": { "scripts": {
"build": "nest build", "build": "nest build",
@@ -52,7 +52,6 @@
"adm-zip": "^0.5.16", "adm-zip": "^0.5.16",
"archiver": "^7.0.1", "archiver": "^7.0.1",
"axios": "^1.13.5", "axios": "^1.13.5",
"bcryptjs": "^3.0.3",
"better-auth": "^1.4.17", "better-auth": "^1.4.17",
"bullmq": "^5.67.2", "bullmq": "^5.67.2",
"class-transformer": "^0.5.1", "class-transformer": "^0.5.1",
@@ -67,7 +66,6 @@
"marked-gfm-heading-id": "^4.1.3", "marked-gfm-heading-id": "^4.1.3",
"marked-highlight": "^2.2.3", "marked-highlight": "^2.2.3",
"matrix-bot-sdk": "^0.8.0", "matrix-bot-sdk": "^0.8.0",
"node-pty": "^1.0.0",
"ollama": "^0.6.3", "ollama": "^0.6.3",
"openai": "^6.17.0", "openai": "^6.17.0",
"reflect-metadata": "^0.2.2", "reflect-metadata": "^0.2.2",
@@ -86,7 +84,6 @@
"@swc/core": "^1.10.18", "@swc/core": "^1.10.18",
"@types/adm-zip": "^0.5.7", "@types/adm-zip": "^0.5.7",
"@types/archiver": "^7.0.0", "@types/archiver": "^7.0.0",
"@types/bcryptjs": "^3.0.0",
"@types/cookie-parser": "^1.4.10", "@types/cookie-parser": "^1.4.10",
"@types/express": "^5.0.1", "@types/express": "^5.0.1",
"@types/highlight.js": "^10.1.0", "@types/highlight.js": "^10.1.0",

23
apps/api/prisma/migrations/20260225000000_add_terminal_sessions/migration.sql
View File

@@ -1,23 +0,0 @@
-- CreateEnum
CREATE TYPE "TerminalSessionStatus" AS ENUM ('ACTIVE', 'CLOSED');
-- CreateTable
CREATE TABLE "terminal_sessions" (
"id" UUID NOT NULL,
"workspace_id" UUID NOT NULL,
"name" TEXT NOT NULL DEFAULT 'Terminal',
"status" "TerminalSessionStatus" NOT NULL DEFAULT 'ACTIVE',
"created_at" TIMESTAMPTZ NOT NULL DEFAULT CURRENT_TIMESTAMP,
"closed_at" TIMESTAMPTZ,
CONSTRAINT "terminal_sessions_pkey" PRIMARY KEY ("id")
);
-- CreateIndex
CREATE INDEX "terminal_sessions_workspace_id_idx" ON "terminal_sessions"("workspace_id");
-- CreateIndex
CREATE INDEX "terminal_sessions_workspace_id_status_idx" ON "terminal_sessions"("workspace_id", "status");
-- AddForeignKey
ALTER TABLE "terminal_sessions" ADD CONSTRAINT "terminal_sessions_workspace_id_fkey" FOREIGN KEY ("workspace_id") REFERENCES "workspaces"("id") ON DELETE CASCADE ON UPDATE CASCADE;

3
apps/api/prisma/migrations/20260227000000_add_personality_tone_formality/migration.sql
View File

@@ -1,3 +0,0 @@
-- AlterTable: add tone and formality_level columns to personalities
ALTER TABLE "personalities" ADD COLUMN "tone" TEXT NOT NULL DEFAULT 'neutral';
ALTER TABLE "personalities" ADD COLUMN "formality_level" "FormalityLevel" NOT NULL DEFAULT 'NEUTRAL';

39
apps/api/prisma/schema.prisma
View File

@@ -3,7 +3,6 @@
generator client { generator client {
provider = "prisma-client-js" provider = "prisma-client-js"
binaryTargets = ["native", "debian-openssl-3.0.x"]
previewFeatures = ["postgresqlExtensions"] previewFeatures = ["postgresqlExtensions"]
} }
@@ -207,11 +206,6 @@ enum CredentialScope {
SYSTEM SYSTEM
} }
enum TerminalSessionStatus {
ACTIVE
CLOSED
}
// ============================================ // ============================================
// MODELS // MODELS
// ============================================ // ============================================
@@ -227,14 +221,6 @@ model User {
createdAt DateTime @default(now()) @map("created_at") @db.Timestamptz createdAt DateTime @default(now()) @map("created_at") @db.Timestamptz
updatedAt DateTime @updatedAt @map("updated_at") @db.Timestamptz updatedAt DateTime @updatedAt @map("updated_at") @db.Timestamptz
// MS21: Admin, local auth, and invitation fields
deactivatedAt DateTime? @map("deactivated_at") @db.Timestamptz
isLocalAuth Boolean @default(false) @map("is_local_auth")
passwordHash String? @map("password_hash")
invitedBy String? @map("invited_by") @db.Uuid
invitationToken String? @unique @map("invitation_token")
invitedAt DateTime? @map("invited_at") @db.Timestamptz
// Relations // Relations
ownedWorkspaces Workspace[] @relation("WorkspaceOwner") ownedWorkspaces Workspace[] @relation("WorkspaceOwner")
workspaceMemberships WorkspaceMember[] workspaceMemberships WorkspaceMember[]
@@ -311,7 +297,6 @@ model Workspace {
federationEventSubscriptions FederationEventSubscription[] federationEventSubscriptions FederationEventSubscription[]
llmUsageLogs LlmUsageLog[] llmUsageLogs LlmUsageLog[]
userCredentials UserCredential[] userCredentials UserCredential[]
terminalSessions TerminalSession[]
@@index([ownerId]) @@index([ownerId])
@@map("workspaces") @@map("workspaces")
@@ -1076,10 +1061,6 @@ model Personality {
displayName String @map("display_name") displayName String @map("display_name")
description String? @db.Text description String? @db.Text
// Tone and formality
tone String @default("neutral")
formalityLevel FormalityLevel @default(NEUTRAL) @map("formality_level")
// System prompt // System prompt
systemPrompt String @map("system_prompt") @db.Text systemPrompt String @map("system_prompt") @db.Text
@@ -1526,23 +1507,3 @@ model LlmUsageLog {
@@index([conversationId]) @@index([conversationId])
@@map("llm_usage_logs") @@map("llm_usage_logs")
} }
// ============================================
// TERMINAL MODULE
// ============================================
model TerminalSession {
id String @id @default(uuid()) @db.Uuid
workspaceId String @map("workspace_id") @db.Uuid
name String @default("Terminal")
status TerminalSessionStatus @default(ACTIVE)
createdAt DateTime @default(now()) @map("created_at") @db.Timestamptz
closedAt DateTime? @map("closed_at") @db.Timestamptz
// Relations
workspace Workspace @relation(fields: [workspaceId], references: [id], onDelete: Cascade)
@@index([workspaceId])
@@index([workspaceId, status])
@@map("terminal_sessions")
}

130
apps/api/prisma/seed.ts
View File

@@ -65,136 +65,6 @@ async function main() {
}, },
}); });
// ============================================
// WIDGET DEFINITIONS (global, not workspace-scoped)
// ============================================
const widgetDefs = [
{
name: "TasksWidget",
displayName: "Tasks",
description: "View and manage your tasks",
component: "TasksWidget",
defaultWidth: 2,
defaultHeight: 2,
minWidth: 1,
minHeight: 2,
maxWidth: 4,
maxHeight: null,
configSchema: {},
},
{
name: "CalendarWidget",
displayName: "Calendar",
description: "View upcoming events and schedule",
component: "CalendarWidget",
defaultWidth: 2,
defaultHeight: 2,
minWidth: 2,
minHeight: 2,
maxWidth: 4,
maxHeight: null,
configSchema: {},
},
{
name: "QuickCaptureWidget",
displayName: "Quick Capture",
description: "Quickly capture notes and tasks",
component: "QuickCaptureWidget",
defaultWidth: 2,
defaultHeight: 1,
minWidth: 2,
minHeight: 1,
maxWidth: 4,
maxHeight: 2,
configSchema: {},
},
{
name: "AgentStatusWidget",
displayName: "Agent Status",
description: "Monitor agent activity and status",
component: "AgentStatusWidget",
defaultWidth: 2,
defaultHeight: 2,
minWidth: 1,
minHeight: 2,
maxWidth: 3,
maxHeight: null,
configSchema: {},
},
{
name: "ActiveProjectsWidget",
displayName: "Active Projects & Agent Chains",
description: "View active projects and running agent sessions",
component: "ActiveProjectsWidget",
defaultWidth: 2,
defaultHeight: 3,
minWidth: 2,
minHeight: 2,
maxWidth: 4,
maxHeight: null,
configSchema: {},
},
{
name: "TaskProgressWidget",
displayName: "Task Progress",
description: "Live progress of orchestrator agent tasks",
component: "TaskProgressWidget",
defaultWidth: 2,
defaultHeight: 2,
minWidth: 1,
minHeight: 2,
maxWidth: 3,
maxHeight: null,
configSchema: {},
},
{
name: "OrchestratorEventsWidget",
displayName: "Orchestrator Events",
description: "Recent orchestration events with stream/Matrix visibility",
component: "OrchestratorEventsWidget",
defaultWidth: 2,
defaultHeight: 2,
minWidth: 1,
minHeight: 2,
maxWidth: 4,
maxHeight: null,
configSchema: {},
},
];
for (const wd of widgetDefs) {
await prisma.widgetDefinition.upsert({
where: { name: wd.name },
update: {
displayName: wd.displayName,
description: wd.description,
component: wd.component,
defaultWidth: wd.defaultWidth,
defaultHeight: wd.defaultHeight,
minWidth: wd.minWidth,
minHeight: wd.minHeight,
maxWidth: wd.maxWidth,
maxHeight: wd.maxHeight,
configSchema: wd.configSchema,
},
create: {
name: wd.name,
displayName: wd.displayName,
description: wd.description,
component: wd.component,
defaultWidth: wd.defaultWidth,
defaultHeight: wd.defaultHeight,
minWidth: wd.minWidth,
minHeight: wd.minHeight,
maxWidth: wd.maxWidth,
maxHeight: wd.maxHeight,
configSchema: wd.configSchema,
},
});
}
console.log(`Seeded ${widgetDefs.length} widget definitions`);
// Use transaction for atomic seed data reset and creation // Use transaction for atomic seed data reset and creation
await prisma.$transaction(async (tx) => { await prisma.$transaction(async (tx) => {
// Delete existing seed data for idempotency (avoids duplicates on re-run) // Delete existing seed data for idempotency (avoids duplicates on re-run)

258
apps/api/src/admin/admin.controller.spec.ts
View File

@@ -1,258 +0,0 @@
import { describe, it, expect, beforeEach, vi } from "vitest";
import { Test, TestingModule } from "@nestjs/testing";
import { AdminController } from "./admin.controller";
import { AdminService } from "./admin.service";
import { AuthGuard } from "../auth/guards/auth.guard";
import { AdminGuard } from "../auth/guards/admin.guard";
import { WorkspaceMemberRole } from "@prisma/client";
import type { ExecutionContext } from "@nestjs/common";
describe("AdminController", () => {
let controller: AdminController;
let service: AdminService;
const mockAdminService = {
listUsers: vi.fn(),
inviteUser: vi.fn(),
updateUser: vi.fn(),
deactivateUser: vi.fn(),
createWorkspace: vi.fn(),
updateWorkspace: vi.fn(),
};
const mockAuthGuard = {
canActivate: vi.fn((context: ExecutionContext) => {
const request = context.switchToHttp().getRequest();
request.user = {
id: "550e8400-e29b-41d4-a716-446655440001",
email: "admin@example.com",
name: "Admin User",
};
return true;
}),
};
const mockAdminGuard = {
canActivate: vi.fn(() => true),
};
const mockAdminId = "550e8400-e29b-41d4-a716-446655440001";
const mockUserId = "550e8400-e29b-41d4-a716-446655440002";
const mockWorkspaceId = "550e8400-e29b-41d4-a716-446655440003";
const mockAdminUser = {
id: mockAdminId,
email: "admin@example.com",
name: "Admin User",
};
const mockUserResponse = {
id: mockUserId,
name: "Test User",
email: "test@example.com",
emailVerified: false,
image: null,
createdAt: new Date("2026-01-01"),
deactivatedAt: null,
isLocalAuth: false,
invitedAt: null,
invitedBy: null,
workspaceMemberships: [],
};
const mockWorkspaceResponse = {
id: mockWorkspaceId,
name: "Test Workspace",
ownerId: mockAdminId,
settings: {},
createdAt: new Date("2026-01-01"),
updatedAt: new Date("2026-01-01"),
memberCount: 1,
};
beforeEach(async () => {
const module: TestingModule = await Test.createTestingModule({
controllers: [AdminController],
providers: [
{
provide: AdminService,
useValue: mockAdminService,
},
],
})
.overrideGuard(AuthGuard)
.useValue(mockAuthGuard)
.overrideGuard(AdminGuard)
.useValue(mockAdminGuard)
.compile();
controller = module.get<AdminController>(AdminController);
service = module.get<AdminService>(AdminService);
vi.clearAllMocks();
});
it("should be defined", () => {
expect(controller).toBeDefined();
});
describe("listUsers", () => {
it("should return paginated users", async () => {
const paginatedResult = {
data: [mockUserResponse],
meta: { total: 1, page: 1, limit: 50, totalPages: 1 },
};
mockAdminService.listUsers.mockResolvedValue(paginatedResult);
const result = await controller.listUsers({ page: 1, limit: 50 });
expect(result).toEqual(paginatedResult);
expect(service.listUsers).toHaveBeenCalledWith(1, 50);
});
it("should use default pagination", async () => {
const paginatedResult = {
data: [],
meta: { total: 0, page: 1, limit: 50, totalPages: 0 },
};
mockAdminService.listUsers.mockResolvedValue(paginatedResult);
await controller.listUsers({});
expect(service.listUsers).toHaveBeenCalledWith(undefined, undefined);
});
});
describe("inviteUser", () => {
it("should invite a user", async () => {
const inviteDto = { email: "new@example.com" };
const invitationResponse = {
userId: "new-id",
invitationToken: "token",
email: "new@example.com",
invitedAt: new Date(),
};
mockAdminService.inviteUser.mockResolvedValue(invitationResponse);
const result = await controller.inviteUser(inviteDto, mockAdminUser);
expect(result).toEqual(invitationResponse);
expect(service.inviteUser).toHaveBeenCalledWith(inviteDto, mockAdminId);
});
it("should invite a user with workspace and role", async () => {
const inviteDto = {
email: "new@example.com",
workspaceId: mockWorkspaceId,
role: WorkspaceMemberRole.ADMIN,
};
mockAdminService.inviteUser.mockResolvedValue({
userId: "new-id",
invitationToken: "token",
email: "new@example.com",
invitedAt: new Date(),
});
await controller.inviteUser(inviteDto, mockAdminUser);
expect(service.inviteUser).toHaveBeenCalledWith(inviteDto, mockAdminId);
});
});
describe("updateUser", () => {
it("should update a user", async () => {
const updateDto = { name: "Updated Name" };
mockAdminService.updateUser.mockResolvedValue({
...mockUserResponse,
name: "Updated Name",
});
const result = await controller.updateUser(mockUserId, updateDto);
expect(result.name).toBe("Updated Name");
expect(service.updateUser).toHaveBeenCalledWith(mockUserId, updateDto);
});
it("should deactivate a user via update", async () => {
const deactivatedAt = "2026-02-28T00:00:00.000Z";
const updateDto = { deactivatedAt };
mockAdminService.updateUser.mockResolvedValue({
...mockUserResponse,
deactivatedAt: new Date(deactivatedAt),
});
const result = await controller.updateUser(mockUserId, updateDto);
expect(result.deactivatedAt).toEqual(new Date(deactivatedAt));
});
});
describe("deactivateUser", () => {
it("should soft-delete a user", async () => {
mockAdminService.deactivateUser.mockResolvedValue({
...mockUserResponse,
deactivatedAt: new Date(),
});
const result = await controller.deactivateUser(mockUserId);
expect(result.deactivatedAt).toBeDefined();
expect(service.deactivateUser).toHaveBeenCalledWith(mockUserId);
});
});
describe("createWorkspace", () => {
it("should create a workspace", async () => {
const createDto = { name: "New Workspace", ownerId: mockAdminId };
mockAdminService.createWorkspace.mockResolvedValue(mockWorkspaceResponse);
const result = await controller.createWorkspace(createDto);
expect(result).toEqual(mockWorkspaceResponse);
expect(service.createWorkspace).toHaveBeenCalledWith(createDto);
});
it("should create workspace with settings", async () => {
const createDto = {
name: "New Workspace",
ownerId: mockAdminId,
settings: { feature: true },
};
mockAdminService.createWorkspace.mockResolvedValue({
...mockWorkspaceResponse,
settings: { feature: true },
});
const result = await controller.createWorkspace(createDto);
expect(result.settings).toEqual({ feature: true });
});
});
describe("updateWorkspace", () => {
it("should update a workspace", async () => {
const updateDto = { name: "Updated Workspace" };
mockAdminService.updateWorkspace.mockResolvedValue({
...mockWorkspaceResponse,
name: "Updated Workspace",
});
const result = await controller.updateWorkspace(mockWorkspaceId, updateDto);
expect(result.name).toBe("Updated Workspace");
expect(service.updateWorkspace).toHaveBeenCalledWith(mockWorkspaceId, updateDto);
});
it("should update workspace settings", async () => {
const updateDto = { settings: { notifications: false } };
mockAdminService.updateWorkspace.mockResolvedValue({
...mockWorkspaceResponse,
settings: { notifications: false },
});
const result = await controller.updateWorkspace(mockWorkspaceId, updateDto);
expect(result.settings).toEqual({ notifications: false });
});
});
});

64
apps/api/src/admin/admin.controller.ts
View File

@@ -1,64 +0,0 @@
import {
Controller,
Get,
Post,
Patch,
Delete,
Body,
Param,
Query,
UseGuards,
ParseUUIDPipe,
} from "@nestjs/common";
import { AdminService } from "./admin.service";
import { AuthGuard } from "../auth/guards/auth.guard";
import { AdminGuard } from "../auth/guards/admin.guard";
import { CurrentUser } from "../auth/decorators/current-user.decorator";
import type { AuthUser } from "@mosaic/shared";
import { InviteUserDto } from "./dto/invite-user.dto";
import { UpdateUserDto } from "./dto/update-user.dto";
import { CreateWorkspaceDto } from "./dto/create-workspace.dto";
import { UpdateWorkspaceDto } from "./dto/update-workspace.dto";
import { QueryUsersDto } from "./dto/query-users.dto";
@Controller("admin")
@UseGuards(AuthGuard, AdminGuard)
export class AdminController {
constructor(private readonly adminService: AdminService) {}
@Get("users")
async listUsers(@Query() query: QueryUsersDto) {
return this.adminService.listUsers(query.page, query.limit);
}
@Post("users/invite")
async inviteUser(@Body() dto: InviteUserDto, @CurrentUser() user: AuthUser) {
return this.adminService.inviteUser(dto, user.id);
}
@Patch("users/:id")
async updateUser(
@Param("id", new ParseUUIDPipe({ version: "4" })) id: string,
@Body() dto: UpdateUserDto
) {
return this.adminService.updateUser(id, dto);
}
@Delete("users/:id")
async deactivateUser(@Param("id", new ParseUUIDPipe({ version: "4" })) id: string) {
return this.adminService.deactivateUser(id);
}
@Post("workspaces")
async createWorkspace(@Body() dto: CreateWorkspaceDto) {
return this.adminService.createWorkspace(dto);
}
@Patch("workspaces/:id")
async updateWorkspace(
@Param("id", new ParseUUIDPipe({ version: "4" })) id: string,
@Body() dto: UpdateWorkspaceDto
) {
return this.adminService.updateWorkspace(id, dto);
}
}

13
apps/api/src/admin/admin.module.ts
View File

@@ -1,13 +0,0 @@
import { Module } from "@nestjs/common";
import { AdminController } from "./admin.controller";
import { AdminService } from "./admin.service";
import { PrismaModule } from "../prisma/prisma.module";
import { AuthModule } from "../auth/auth.module";
@Module({
imports: [PrismaModule, AuthModule],
controllers: [AdminController],
providers: [AdminService],
exports: [AdminService],
})
export class AdminModule {}

477
apps/api/src/admin/admin.service.spec.ts
View File

@@ -1,477 +0,0 @@
import { describe, it, expect, beforeEach, vi } from "vitest";
import { Test, TestingModule } from "@nestjs/testing";
import { AdminService } from "./admin.service";
import { PrismaService } from "../prisma/prisma.service";
import { BadRequestException, ConflictException, NotFoundException } from "@nestjs/common";
import { WorkspaceMemberRole } from "@prisma/client";
describe("AdminService", () => {
let service: AdminService;
const mockPrismaService = {
user: {
findMany: vi.fn(),
findUnique: vi.fn(),
count: vi.fn(),
create: vi.fn(),
update: vi.fn(),
},
workspace: {
findUnique: vi.fn(),
create: vi.fn(),
update: vi.fn(),
},
workspaceMember: {
create: vi.fn(),
},
session: {
deleteMany: vi.fn(),
},
$transaction: vi.fn(async (ops) => {
if (typeof ops === "function") {
return ops(mockPrismaService);
}
return Promise.all(ops);
}),
};
const mockAdminId = "550e8400-e29b-41d4-a716-446655440001";
const mockUserId = "550e8400-e29b-41d4-a716-446655440002";
const mockWorkspaceId = "550e8400-e29b-41d4-a716-446655440003";
const mockUser = {
id: mockUserId,
name: "Test User",
email: "test@example.com",
emailVerified: false,
image: null,
createdAt: new Date("2026-01-01"),
updatedAt: new Date("2026-01-01"),
deactivatedAt: null,
isLocalAuth: false,
passwordHash: null,
invitedBy: null,
invitationToken: null,
invitedAt: null,
authProviderId: null,
preferences: {},
workspaceMemberships: [
{
workspaceId: mockWorkspaceId,
userId: mockUserId,
role: WorkspaceMemberRole.MEMBER,
joinedAt: new Date("2026-01-01"),
workspace: { id: mockWorkspaceId, name: "Test Workspace" },
},
],
};
const mockWorkspace = {
id: mockWorkspaceId,
name: "Test Workspace",
ownerId: mockAdminId,
settings: {},
createdAt: new Date("2026-01-01"),
updatedAt: new Date("2026-01-01"),
matrixRoomId: null,
};
beforeEach(async () => {
const module: TestingModule = await Test.createTestingModule({
providers: [
AdminService,
{
provide: PrismaService,
useValue: mockPrismaService,
},
],
}).compile();
service = module.get<AdminService>(AdminService);
vi.clearAllMocks();
});
it("should be defined", () => {
expect(service).toBeDefined();
});
describe("listUsers", () => {
it("should return paginated users with memberships", async () => {
mockPrismaService.user.findMany.mockResolvedValue([mockUser]);
mockPrismaService.user.count.mockResolvedValue(1);
const result = await service.listUsers(1, 50);
expect(result.data).toHaveLength(1);
expect(result.data[0]?.id).toBe(mockUserId);
expect(result.data[0]?.workspaceMemberships).toHaveLength(1);
expect(result.meta).toEqual({
total: 1,
page: 1,
limit: 50,
totalPages: 1,
});
});
it("should use default pagination when not provided", async () => {
mockPrismaService.user.findMany.mockResolvedValue([]);
mockPrismaService.user.count.mockResolvedValue(0);
await service.listUsers();
expect(mockPrismaService.user.findMany).toHaveBeenCalledWith(
expect.objectContaining({
skip: 0,
take: 50,
})
);
});
it("should calculate pagination correctly", async () => {
mockPrismaService.user.findMany.mockResolvedValue([]);
mockPrismaService.user.count.mockResolvedValue(150);
const result = await service.listUsers(3, 25);
expect(mockPrismaService.user.findMany).toHaveBeenCalledWith(
expect.objectContaining({
skip: 50,
take: 25,
})
);
expect(result.meta.totalPages).toBe(6);
});
});
describe("inviteUser", () => {
it("should create a user with invitation token", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(null);
const createdUser = {
id: "new-user-id",
email: "new@example.com",
name: "new",
invitationToken: "some-token",
};
mockPrismaService.user.create.mockResolvedValue(createdUser);
const result = await service.inviteUser({ email: "new@example.com" }, mockAdminId);
expect(result.email).toBe("new@example.com");
expect(result.invitationToken).toBeDefined();
expect(result.userId).toBe("new-user-id");
expect(mockPrismaService.user.create).toHaveBeenCalledWith(
expect.objectContaining({
data: expect.objectContaining({
email: "new@example.com",
invitedBy: mockAdminId,
invitationToken: expect.any(String),
}),
})
);
});
it("should add user to workspace when workspaceId provided", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(null);
mockPrismaService.workspace.findUnique.mockResolvedValue(mockWorkspace);
const createdUser = { id: "new-user-id", email: "new@example.com", name: "new" };
mockPrismaService.user.create.mockResolvedValue(createdUser);
await service.inviteUser(
{
email: "new@example.com",
workspaceId: mockWorkspaceId,
role: WorkspaceMemberRole.ADMIN,
},
mockAdminId
);
expect(mockPrismaService.workspaceMember.create).toHaveBeenCalledWith({
data: {
workspaceId: mockWorkspaceId,
userId: "new-user-id",
role: WorkspaceMemberRole.ADMIN,
},
});
});
it("should throw ConflictException if email already exists", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
await expect(service.inviteUser({ email: "test@example.com" }, mockAdminId)).rejects.toThrow(
ConflictException
);
});
it("should throw NotFoundException if workspace does not exist", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(null);
mockPrismaService.workspace.findUnique.mockResolvedValue(null);
await expect(
service.inviteUser({ email: "new@example.com", workspaceId: "non-existent" }, mockAdminId)
).rejects.toThrow(NotFoundException);
});
it("should use email prefix as default name", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(null);
const createdUser = { id: "new-user-id", email: "jane.doe@example.com", name: "jane.doe" };
mockPrismaService.user.create.mockResolvedValue(createdUser);
await service.inviteUser({ email: "jane.doe@example.com" }, mockAdminId);
expect(mockPrismaService.user.create).toHaveBeenCalledWith(
expect.objectContaining({
data: expect.objectContaining({
name: "jane.doe",
}),
})
);
});
it("should use provided name when given", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(null);
const createdUser = { id: "new-user-id", email: "j@example.com", name: "Jane Doe" };
mockPrismaService.user.create.mockResolvedValue(createdUser);
await service.inviteUser({ email: "j@example.com", name: "Jane Doe" }, mockAdminId);
expect(mockPrismaService.user.create).toHaveBeenCalledWith(
expect.objectContaining({
data: expect.objectContaining({
name: "Jane Doe",
}),
})
);
});
});
describe("updateUser", () => {
it("should update user fields", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
mockPrismaService.user.update.mockResolvedValue({
...mockUser,
name: "Updated Name",
});
const result = await service.updateUser(mockUserId, { name: "Updated Name" });
expect(result.name).toBe("Updated Name");
expect(mockPrismaService.user.update).toHaveBeenCalledWith(
expect.objectContaining({
where: { id: mockUserId },
data: { name: "Updated Name" },
})
);
});
it("should set deactivatedAt when provided", async () => {
const deactivatedAt = "2026-02-28T00:00:00.000Z";
mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
mockPrismaService.user.update.mockResolvedValue({
...mockUser,
deactivatedAt: new Date(deactivatedAt),
});
const result = await service.updateUser(mockUserId, { deactivatedAt });
expect(result.deactivatedAt).toEqual(new Date(deactivatedAt));
});
it("should clear deactivatedAt when set to null", async () => {
const deactivatedUser = { ...mockUser, deactivatedAt: new Date() };
mockPrismaService.user.findUnique.mockResolvedValue(deactivatedUser);
mockPrismaService.user.update.mockResolvedValue({
...deactivatedUser,
deactivatedAt: null,
});
const result = await service.updateUser(mockUserId, { deactivatedAt: null });
expect(result.deactivatedAt).toBeNull();
});
it("should throw NotFoundException if user does not exist", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(null);
await expect(service.updateUser("non-existent", { name: "Test" })).rejects.toThrow(
NotFoundException
);
});
it("should update emailVerified", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
mockPrismaService.user.update.mockResolvedValue({
...mockUser,
emailVerified: true,
});
const result = await service.updateUser(mockUserId, { emailVerified: true });
expect(result.emailVerified).toBe(true);
});
it("should update preferences", async () => {
const prefs = { theme: "dark" };
mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
mockPrismaService.user.update.mockResolvedValue({
...mockUser,
preferences: prefs,
});
await service.updateUser(mockUserId, { preferences: prefs });
expect(mockPrismaService.user.update).toHaveBeenCalledWith(
expect.objectContaining({
data: expect.objectContaining({ preferences: prefs }),
})
);
});
});
describe("deactivateUser", () => {
it("should set deactivatedAt and invalidate sessions", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
mockPrismaService.user.update.mockResolvedValue({
...mockUser,
deactivatedAt: new Date(),
});
mockPrismaService.session.deleteMany.mockResolvedValue({ count: 3 });
const result = await service.deactivateUser(mockUserId);
expect(result.deactivatedAt).toBeDefined();
expect(mockPrismaService.user.update).toHaveBeenCalledWith(
expect.objectContaining({
where: { id: mockUserId },
data: { deactivatedAt: expect.any(Date) },
})
);
expect(mockPrismaService.session.deleteMany).toHaveBeenCalledWith({ where: { userId: mockUserId } });
});
it("should throw NotFoundException if user does not exist", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(null);
await expect(service.deactivateUser("non-existent")).rejects.toThrow(NotFoundException);
});
it("should throw BadRequestException if user is already deactivated", async () => {
mockPrismaService.user.findUnique.mockResolvedValue({
...mockUser,
deactivatedAt: new Date(),
});
await expect(service.deactivateUser(mockUserId)).rejects.toThrow(BadRequestException);
});
});
describe("createWorkspace", () => {
it("should create a workspace with owner membership", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
mockPrismaService.workspace.create.mockResolvedValue(mockWorkspace);
const result = await service.createWorkspace({
name: "New Workspace",
ownerId: mockAdminId,
});
expect(result.name).toBe("Test Workspace");
expect(result.memberCount).toBe(1);
expect(mockPrismaService.workspace.create).toHaveBeenCalled();
expect(mockPrismaService.workspaceMember.create).toHaveBeenCalledWith({
data: {
workspaceId: mockWorkspace.id,
userId: mockAdminId,
role: WorkspaceMemberRole.OWNER,
},
});
});
it("should throw NotFoundException if owner does not exist", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(null);
await expect(
service.createWorkspace({ name: "New Workspace", ownerId: "non-existent" })
).rejects.toThrow(NotFoundException);
});
it("should pass settings when provided", async () => {
const settings = { theme: "dark", features: ["chat"] };
mockPrismaService.user.findUnique.mockResolvedValue(mockUser);
mockPrismaService.workspace.create.mockResolvedValue({
...mockWorkspace,
settings,
});
await service.createWorkspace({
name: "New Workspace",
ownerId: mockAdminId,
settings,
});
expect(mockPrismaService.workspace.create).toHaveBeenCalledWith(
expect.objectContaining({
data: expect.objectContaining({ settings }),
})
);
});
});
describe("updateWorkspace", () => {
it("should update workspace name", async () => {
mockPrismaService.workspace.findUnique.mockResolvedValue(mockWorkspace);
mockPrismaService.workspace.update.mockResolvedValue({
...mockWorkspace,
name: "Updated Workspace",
_count: { members: 3 },
});
const result = await service.updateWorkspace(mockWorkspaceId, {
name: "Updated Workspace",
});
expect(result.name).toBe("Updated Workspace");
expect(result.memberCount).toBe(3);
});
it("should update workspace settings", async () => {
const newSettings = { notifications: true };
mockPrismaService.workspace.findUnique.mockResolvedValue(mockWorkspace);
mockPrismaService.workspace.update.mockResolvedValue({
...mockWorkspace,
settings: newSettings,
_count: { members: 1 },
});
const result = await service.updateWorkspace(mockWorkspaceId, {
settings: newSettings,
});
expect(result.settings).toEqual(newSettings);
});
it("should throw NotFoundException if workspace does not exist", async () => {
mockPrismaService.workspace.findUnique.mockResolvedValue(null);
await expect(service.updateWorkspace("non-existent", { name: "Test" })).rejects.toThrow(
NotFoundException
);
});
it("should only update provided fields", async () => {
mockPrismaService.workspace.findUnique.mockResolvedValue(mockWorkspace);
mockPrismaService.workspace.update.mockResolvedValue({
...mockWorkspace,
_count: { members: 1 },
});
await service.updateWorkspace(mockWorkspaceId, { name: "Only Name" });
expect(mockPrismaService.workspace.update).toHaveBeenCalledWith(
expect.objectContaining({
data: { name: "Only Name" },
})
);
});
});
});

309
apps/api/src/admin/admin.service.ts
View File

@@ -1,309 +0,0 @@
import {
BadRequestException,
ConflictException,
Injectable,
Logger,
NotFoundException,
} from "@nestjs/common";
import { Prisma, WorkspaceMemberRole } from "@prisma/client";
import { randomUUID } from "node:crypto";
import { PrismaService } from "../prisma/prisma.service";
import type { InviteUserDto } from "./dto/invite-user.dto";
import type { UpdateUserDto } from "./dto/update-user.dto";
import type { CreateWorkspaceDto } from "./dto/create-workspace.dto";
import type {
AdminUserResponse,
AdminWorkspaceResponse,
InvitationResponse,
PaginatedResponse,
} from "./types/admin.types";
@Injectable()
export class AdminService {
private readonly logger = new Logger(AdminService.name);
constructor(private readonly prisma: PrismaService) {}
async listUsers(page = 1, limit = 50): Promise<PaginatedResponse<AdminUserResponse>> {
const skip = (page - 1) * limit;
const [users, total] = await Promise.all([
this.prisma.user.findMany({
include: {
workspaceMemberships: {
include: {
workspace: { select: { id: true, name: true } },
},
},
},
orderBy: { createdAt: "desc" },
skip,
take: limit,
}),
this.prisma.user.count(),
]);
return {
data: users.map((user) => ({
id: user.id,
name: user.name,
email: user.email,
emailVerified: user.emailVerified,
image: user.image,
createdAt: user.createdAt,
deactivatedAt: user.deactivatedAt,
isLocalAuth: user.isLocalAuth,
invitedAt: user.invitedAt,
invitedBy: user.invitedBy,
workspaceMemberships: user.workspaceMemberships.map((m) => ({
workspaceId: m.workspaceId,
workspaceName: m.workspace.name,
role: m.role,
joinedAt: m.joinedAt,
})),
})),
meta: {
total,
page,
limit,
totalPages: Math.ceil(total / limit),
},
};
}
async inviteUser(dto: InviteUserDto, inviterId: string): Promise<InvitationResponse> {
const existing = await this.prisma.user.findUnique({
where: { email: dto.email },
});
if (existing) {
throw new ConflictException(`User with email ${dto.email} already exists`);
}
if (dto.workspaceId) {
const workspace = await this.prisma.workspace.findUnique({
where: { id: dto.workspaceId },
});
if (!workspace) {
throw new NotFoundException(`Workspace ${dto.workspaceId} not found`);
}
}
const invitationToken = randomUUID();
const now = new Date();
const user = await this.prisma.$transaction(async (tx) => {
const created = await tx.user.create({
data: {
email: dto.email,
name: dto.name ?? dto.email.split("@")[0] ?? dto.email,
emailVerified: false,
invitedBy: inviterId,
invitationToken,
invitedAt: now,
},
});
if (dto.workspaceId) {
await tx.workspaceMember.create({
data: {
workspaceId: dto.workspaceId,
userId: created.id,
role: dto.role ?? WorkspaceMemberRole.MEMBER,
},
});
}
return created;
});
this.logger.log(`User invited: ${user.email} by ${inviterId}`);
return {
userId: user.id,
invitationToken,
email: user.email,
invitedAt: now,
};
}
async updateUser(id: string, dto: UpdateUserDto): Promise<AdminUserResponse> {
const existing = await this.prisma.user.findUnique({ where: { id } });
if (!existing) {
throw new NotFoundException(`User ${id} not found`);
}
const data: Prisma.UserUpdateInput = {};
if (dto.name !== undefined) {
data.name = dto.name;
}
if (dto.emailVerified !== undefined) {
data.emailVerified = dto.emailVerified;
}
if (dto.preferences !== undefined) {
data.preferences = dto.preferences as Prisma.InputJsonValue;
}
if (dto.deactivatedAt !== undefined) {
data.deactivatedAt = dto.deactivatedAt ? new Date(dto.deactivatedAt) : null;
}
const user = await this.prisma.user.update({
where: { id },
data,
include: {
workspaceMemberships: {
include: {
workspace: { select: { id: true, name: true } },
},
},
},
});
this.logger.log(`User updated: ${id}`);
return {
id: user.id,
name: user.name,
email: user.email,
emailVerified: user.emailVerified,
image: user.image,
createdAt: user.createdAt,
deactivatedAt: user.deactivatedAt,
isLocalAuth: user.isLocalAuth,
invitedAt: user.invitedAt,
invitedBy: user.invitedBy,
workspaceMemberships: user.workspaceMemberships.map((m) => ({
workspaceId: m.workspaceId,
workspaceName: m.workspace.name,
role: m.role,
joinedAt: m.joinedAt,
})),
};
}
async deactivateUser(id: string): Promise<AdminUserResponse> {
const existing = await this.prisma.user.findUnique({ where: { id } });
if (!existing) {
throw new NotFoundException(`User ${id} not found`);
}
if (existing.deactivatedAt) {
throw new BadRequestException(`User ${id} is already deactivated`);
}
const [user] = await this.prisma.$transaction([
this.prisma.user.update({
where: { id },
data: { deactivatedAt: new Date() },
include: {
workspaceMemberships: {
include: {
workspace: { select: { id: true, name: true } },
},
},
},
}),
this.prisma.session.deleteMany({ where: { userId: id } }),
]);
this.logger.log(`User deactivated and sessions invalidated: ${id}`);
return {
id: user.id,
name: user.name,
email: user.email,
emailVerified: user.emailVerified,
image: user.image,
createdAt: user.createdAt,
deactivatedAt: user.deactivatedAt,
isLocalAuth: user.isLocalAuth,
invitedAt: user.invitedAt,
invitedBy: user.invitedBy,
workspaceMemberships: user.workspaceMemberships.map((m) => ({
workspaceId: m.workspaceId,
workspaceName: m.workspace.name,
role: m.role,
joinedAt: m.joinedAt,
})),
};
}
async createWorkspace(dto: CreateWorkspaceDto): Promise<AdminWorkspaceResponse> {
const owner = await this.prisma.user.findUnique({ where: { id: dto.ownerId } });
if (!owner) {
throw new NotFoundException(`User ${dto.ownerId} not found`);
}
const workspace = await this.prisma.$transaction(async (tx) => {
const created = await tx.workspace.create({
data: {
name: dto.name,
ownerId: dto.ownerId,
settings: dto.settings ? (dto.settings as Prisma.InputJsonValue) : {},
},
});
await tx.workspaceMember.create({
data: {
workspaceId: created.id,
userId: dto.ownerId,
role: WorkspaceMemberRole.OWNER,
},
});
return created;
});
this.logger.log(`Workspace created: ${workspace.id} with owner ${dto.ownerId}`);
return {
id: workspace.id,
name: workspace.name,
ownerId: workspace.ownerId,
settings: workspace.settings as Record<string, unknown>,
createdAt: workspace.createdAt,
updatedAt: workspace.updatedAt,
memberCount: 1,
};
}
async updateWorkspace(
id: string,
dto: { name?: string; settings?: Record<string, unknown> }
): Promise<AdminWorkspaceResponse> {
const existing = await this.prisma.workspace.findUnique({ where: { id } });
if (!existing) {
throw new NotFoundException(`Workspace ${id} not found`);
}
const data: Prisma.WorkspaceUpdateInput = {};
if (dto.name !== undefined) {
data.name = dto.name;
}
if (dto.settings !== undefined) {
data.settings = dto.settings as Prisma.InputJsonValue;
}
const workspace = await this.prisma.workspace.update({
where: { id },
data,
include: {
_count: { select: { members: true } },
},
});
this.logger.log(`Workspace updated: ${id}`);
return {
id: workspace.id,
name: workspace.name,
ownerId: workspace.ownerId,
settings: workspace.settings as Record<string, unknown>,
createdAt: workspace.createdAt,
updatedAt: workspace.updatedAt,
memberCount: workspace._count.members,
};
}
}

15
apps/api/src/admin/dto/create-workspace.dto.ts
View File

@@ -1,15 +0,0 @@
import { IsObject, IsOptional, IsString, IsUUID, MaxLength, MinLength } from "class-validator";
export class CreateWorkspaceDto {
@IsString({ message: "name must be a string" })
@MinLength(1, { message: "name must not be empty" })
@MaxLength(255, { message: "name must not exceed 255 characters" })
name!: string;
@IsUUID("4", { message: "ownerId must be a valid UUID" })
ownerId!: string;
@IsOptional()
@IsObject({ message: "settings must be an object" })
settings?: Record<string, unknown>;
}

20
apps/api/src/admin/dto/invite-user.dto.ts
View File

@@ -1,20 +0,0 @@
import { WorkspaceMemberRole } from "@prisma/client";
import { IsEmail, IsEnum, IsOptional, IsString, IsUUID, MaxLength } from "class-validator";
export class InviteUserDto {
@IsEmail({}, { message: "email must be a valid email address" })
email!: string;
@IsOptional()
@IsString({ message: "name must be a string" })
@MaxLength(255, { message: "name must not exceed 255 characters" })
name?: string;
@IsOptional()
@IsUUID("4", { message: "workspaceId must be a valid UUID" })
workspaceId?: string;
@IsOptional()
@IsEnum(WorkspaceMemberRole, { message: "role must be a valid WorkspaceMemberRole" })
role?: WorkspaceMemberRole;
}

15
apps/api/src/admin/dto/manage-member.dto.ts
View File

@@ -1,15 +0,0 @@
import { WorkspaceMemberRole } from "@prisma/client";
import { IsEnum, IsUUID } from "class-validator";
export class AddMemberDto {
@IsUUID("4", { message: "userId must be a valid UUID" })
userId!: string;
@IsEnum(WorkspaceMemberRole, { message: "role must be a valid WorkspaceMemberRole" })
role!: WorkspaceMemberRole;
}
export class UpdateMemberRoleDto {
@IsEnum(WorkspaceMemberRole, { message: "role must be a valid WorkspaceMemberRole" })
role!: WorkspaceMemberRole;
}

17
apps/api/src/admin/dto/query-users.dto.ts
View File

@@ -1,17 +0,0 @@
import { IsInt, IsOptional, Max, Min } from "class-validator";
import { Type } from "class-transformer";
export class QueryUsersDto {
@IsOptional()
@Type(() => Number)
@IsInt({ message: "page must be an integer" })
@Min(1, { message: "page must be at least 1" })
page?: number;
@IsOptional()
@Type(() => Number)
@IsInt({ message: "limit must be an integer" })
@Min(1, { message: "limit must be at least 1" })
@Max(100, { message: "limit must not exceed 100" })
limit?: number;
}

27
apps/api/src/admin/dto/update-user.dto.ts
View File

@@ -1,27 +0,0 @@
import {
IsBoolean,
IsDateString,
IsObject,
IsOptional,
IsString,
MaxLength,
} from "class-validator";
export class UpdateUserDto {
@IsOptional()
@IsString({ message: "name must be a string" })
@MaxLength(255, { message: "name must not exceed 255 characters" })
name?: string;
@IsOptional()
@IsDateString({}, { message: "deactivatedAt must be a valid ISO 8601 date string" })
deactivatedAt?: string | null;
@IsOptional()
@IsBoolean({ message: "emailVerified must be a boolean" })
emailVerified?: boolean;
@IsOptional()
@IsObject({ message: "preferences must be an object" })
preferences?: Record<string, unknown>;
}

13
apps/api/src/admin/dto/update-workspace.dto.ts
View File

@@ -1,13 +0,0 @@
import { IsObject, IsOptional, IsString, MaxLength, MinLength } from "class-validator";
export class UpdateWorkspaceDto {
@IsOptional()
@IsString({ message: "name must be a string" })
@MinLength(1, { message: "name must not be empty" })
@MaxLength(255, { message: "name must not exceed 255 characters" })
name?: string;
@IsOptional()
@IsObject({ message: "settings must be an object" })
settings?: Record<string, unknown>;
}

49
apps/api/src/admin/types/admin.types.ts
View File

@@ -1,49 +0,0 @@
import type { WorkspaceMemberRole } from "@prisma/client";
export interface AdminUserResponse {
id: string;
name: string;
email: string;
emailVerified: boolean;
image: string | null;
createdAt: Date;
deactivatedAt: Date | null;
isLocalAuth: boolean;
invitedAt: Date | null;
invitedBy: string | null;
workspaceMemberships: WorkspaceMembershipResponse[];
}
export interface WorkspaceMembershipResponse {
workspaceId: string;
workspaceName: string;
role: WorkspaceMemberRole;
joinedAt: Date;
}
export interface PaginatedResponse<T> {
data: T[];
meta: {
total: number;
page: number;
limit: number;
totalPages: number;
};
}
export interface InvitationResponse {
userId: string;
invitationToken: string;
email: string;
invitedAt: Date;
}
export interface AdminWorkspaceResponse {
id: string;
name: string;
ownerId: string;
settings: Record<string, unknown>;
createdAt: Date;
updatedAt: Date;
memberCount: number;
}

14
apps/api/src/app.module.ts
View File

@@ -39,13 +39,6 @@ import { FederationModule } from "./federation/federation.module";
import { CredentialsModule } from "./credentials/credentials.module"; import { CredentialsModule } from "./credentials/credentials.module";
import { MosaicTelemetryModule } from "./mosaic-telemetry"; import { MosaicTelemetryModule } from "./mosaic-telemetry";
import { SpeechModule } from "./speech/speech.module"; import { SpeechModule } from "./speech/speech.module";
import { DashboardModule } from "./dashboard/dashboard.module";
import { TerminalModule } from "./terminal/terminal.module";
import { PersonalitiesModule } from "./personalities/personalities.module";
import { WorkspacesModule } from "./workspaces/workspaces.module";
import { AdminModule } from "./admin/admin.module";
import { TeamsModule } from "./teams/teams.module";
import { ImportModule } from "./import/import.module";
import { RlsContextInterceptor } from "./common/interceptors/rls-context.interceptor"; import { RlsContextInterceptor } from "./common/interceptors/rls-context.interceptor";
@Module({ @Module({
@@ -108,13 +101,6 @@ import { RlsContextInterceptor } from "./common/interceptors/rls-context.interce
CredentialsModule, CredentialsModule,
MosaicTelemetryModule, MosaicTelemetryModule,
SpeechModule, SpeechModule,
DashboardModule,
TerminalModule,
PersonalitiesModule,
WorkspacesModule,
AdminModule,
TeamsModule,
ImportModule,
], ],
controllers: [AppController, CsrfController], controllers: [AppController, CsrfController],
providers: [ providers: [

9
apps/api/src/auth/auth-rls.integration.spec.ts
View File

@@ -12,10 +12,7 @@ import { PrismaClient, Prisma } from "@prisma/client";
import { randomUUID as uuid } from "crypto"; import { randomUUID as uuid } from "crypto";
import { runWithRlsClient, getRlsClient } from "../prisma/rls-context.provider"; import { runWithRlsClient, getRlsClient } from "../prisma/rls-context.provider";
const shouldRunDbIntegrationTests = describe.skipIf(!process.env.DATABASE_URL)(
process.env.RUN_DB_TESTS === "true" && Boolean(process.env.DATABASE_URL);
describe.skipIf(!shouldRunDbIntegrationTests)(
"Auth Tables RLS Policies (requires DATABASE_URL)", "Auth Tables RLS Policies (requires DATABASE_URL)",
() => { () => {
let prisma: PrismaClient; let prisma: PrismaClient;
@@ -31,7 +28,7 @@ describe.skipIf(!shouldRunDbIntegrationTests)(
beforeAll(async () => { beforeAll(async () => {
// Skip setup if DATABASE_URL is not available // Skip setup if DATABASE_URL is not available
if (!shouldRunDbIntegrationTests) { if (!process.env.DATABASE_URL) {
return; return;
} }
@@ -52,7 +49,7 @@ describe.skipIf(!shouldRunDbIntegrationTests)(
afterAll(async () => { afterAll(async () => {
// Skip cleanup if DATABASE_URL is not available or prisma not initialized // Skip cleanup if DATABASE_URL is not available or prisma not initialized
if (!shouldRunDbIntegrationTests || !prisma) { if (!process.env.DATABASE_URL || !prisma) {
return; return;
} }

139
apps/api/src/auth/auth.config.spec.ts
View File

@@ -18,13 +18,7 @@ vi.mock("better-auth/adapters/prisma", () => ({
prismaAdapter: (...args: unknown[]) => mockPrismaAdapter(...args), prismaAdapter: (...args: unknown[]) => mockPrismaAdapter(...args),
})); }));
import { import { isOidcEnabled, validateOidcConfig, createAuth, getTrustedOrigins } from "./auth.config";
isOidcEnabled,
validateOidcConfig,
createAuth,
getTrustedOrigins,
getBetterAuthBaseUrl,
} from "./auth.config";
describe("auth.config", () => { describe("auth.config", () => {
// Store original env vars to restore after each test // Store original env vars to restore after each test
@@ -38,7 +32,6 @@ describe("auth.config", () => {
delete process.env.OIDC_CLIENT_SECRET; delete process.env.OIDC_CLIENT_SECRET;
delete process.env.OIDC_REDIRECT_URI; delete process.env.OIDC_REDIRECT_URI;
delete process.env.NODE_ENV; delete process.env.NODE_ENV;
delete process.env.BETTER_AUTH_URL;
delete process.env.NEXT_PUBLIC_APP_URL; delete process.env.NEXT_PUBLIC_APP_URL;
delete process.env.NEXT_PUBLIC_API_URL; delete process.env.NEXT_PUBLIC_API_URL;
delete process.env.TRUSTED_ORIGINS; delete process.env.TRUSTED_ORIGINS;
@@ -102,7 +95,7 @@ describe("auth.config", () => {
it("should throw when OIDC_ISSUER is missing", () => { it("should throw when OIDC_ISSUER is missing", () => {
process.env.OIDC_CLIENT_ID = "test-client-id"; process.env.OIDC_CLIENT_ID = "test-client-id";
process.env.OIDC_CLIENT_SECRET = "test-client-secret"; process.env.OIDC_CLIENT_SECRET = "test-client-secret";
process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik"; process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
expect(() => validateOidcConfig()).toThrow("OIDC_ISSUER"); expect(() => validateOidcConfig()).toThrow("OIDC_ISSUER");
expect(() => validateOidcConfig()).toThrow("OIDC authentication is enabled"); expect(() => validateOidcConfig()).toThrow("OIDC authentication is enabled");
@@ -111,7 +104,7 @@ describe("auth.config", () => {
it("should throw when OIDC_CLIENT_ID is missing", () => { it("should throw when OIDC_CLIENT_ID is missing", () => {
process.env.OIDC_ISSUER = "https://auth.example.com/"; process.env.OIDC_ISSUER = "https://auth.example.com/";
process.env.OIDC_CLIENT_SECRET = "test-client-secret"; process.env.OIDC_CLIENT_SECRET = "test-client-secret";
process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik"; process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
expect(() => validateOidcConfig()).toThrow("OIDC_CLIENT_ID"); expect(() => validateOidcConfig()).toThrow("OIDC_CLIENT_ID");
}); });
@@ -119,7 +112,7 @@ describe("auth.config", () => {
it("should throw when OIDC_CLIENT_SECRET is missing", () => { it("should throw when OIDC_CLIENT_SECRET is missing", () => {
process.env.OIDC_ISSUER = "https://auth.example.com/"; process.env.OIDC_ISSUER = "https://auth.example.com/";
process.env.OIDC_CLIENT_ID = "test-client-id"; process.env.OIDC_CLIENT_ID = "test-client-id";
process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik"; process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
expect(() => validateOidcConfig()).toThrow("OIDC_CLIENT_SECRET"); expect(() => validateOidcConfig()).toThrow("OIDC_CLIENT_SECRET");
}); });
@@ -153,7 +146,7 @@ describe("auth.config", () => {
process.env.OIDC_ISSUER = " "; process.env.OIDC_ISSUER = " ";
process.env.OIDC_CLIENT_ID = "test-client-id"; process.env.OIDC_CLIENT_ID = "test-client-id";
process.env.OIDC_CLIENT_SECRET = "test-client-secret"; process.env.OIDC_CLIENT_SECRET = "test-client-secret";
process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik"; process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
expect(() => validateOidcConfig()).toThrow("OIDC_ISSUER"); expect(() => validateOidcConfig()).toThrow("OIDC_ISSUER");
}); });
@@ -162,7 +155,7 @@ describe("auth.config", () => {
process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic"; process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic";
process.env.OIDC_CLIENT_ID = "test-client-id"; process.env.OIDC_CLIENT_ID = "test-client-id";
process.env.OIDC_CLIENT_SECRET = "test-client-secret"; process.env.OIDC_CLIENT_SECRET = "test-client-secret";
process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik"; process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
expect(() => validateOidcConfig()).toThrow("OIDC_ISSUER must end with a trailing slash"); expect(() => validateOidcConfig()).toThrow("OIDC_ISSUER must end with a trailing slash");
expect(() => validateOidcConfig()).toThrow("https://auth.example.com/application/o/mosaic"); expect(() => validateOidcConfig()).toThrow("https://auth.example.com/application/o/mosaic");
@@ -172,7 +165,7 @@ describe("auth.config", () => {
process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic-stack/"; process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic-stack/";
process.env.OIDC_CLIENT_ID = "test-client-id"; process.env.OIDC_CLIENT_ID = "test-client-id";
process.env.OIDC_CLIENT_SECRET = "test-client-secret"; process.env.OIDC_CLIENT_SECRET = "test-client-secret";
process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik"; process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
expect(() => validateOidcConfig()).not.toThrow(); expect(() => validateOidcConfig()).not.toThrow();
}); });
@@ -196,30 +189,30 @@ describe("auth.config", () => {
expect(() => validateOidcConfig()).toThrow("Parse error:"); expect(() => validateOidcConfig()).toThrow("Parse error:");
}); });
it("should throw when OIDC_REDIRECT_URI path does not start with /auth/oauth2/callback", () => { it("should throw when OIDC_REDIRECT_URI path does not start with /auth/callback", () => {
process.env.OIDC_REDIRECT_URI = "https://app.example.com/oauth/callback"; process.env.OIDC_REDIRECT_URI = "https://app.example.com/oauth/callback";
expect(() => validateOidcConfig()).toThrow( expect(() => validateOidcConfig()).toThrow(
'OIDC_REDIRECT_URI path must start with "/auth/oauth2/callback"' 'OIDC_REDIRECT_URI path must start with "/auth/callback"'
); );
expect(() => validateOidcConfig()).toThrow("/oauth/callback"); expect(() => validateOidcConfig()).toThrow("/oauth/callback");
}); });
it("should accept a valid OIDC_REDIRECT_URI with /auth/oauth2/callback path", () => { it("should accept a valid OIDC_REDIRECT_URI with /auth/callback path", () => {
process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik"; process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
expect(() => validateOidcConfig()).not.toThrow(); expect(() => validateOidcConfig()).not.toThrow();
}); });
it("should accept OIDC_REDIRECT_URI with exactly /auth/oauth2/callback path", () => { it("should accept OIDC_REDIRECT_URI with exactly /auth/callback path", () => {
process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback"; process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback";
expect(() => validateOidcConfig()).not.toThrow(); expect(() => validateOidcConfig()).not.toThrow();
}); });
it("should warn but not throw when using localhost in production", () => { it("should warn but not throw when using localhost in production", () => {
process.env.NODE_ENV = "production"; process.env.NODE_ENV = "production";
process.env.OIDC_REDIRECT_URI = "http://localhost:3000/auth/oauth2/callback/authentik"; process.env.OIDC_REDIRECT_URI = "http://localhost:3000/auth/callback/authentik";
const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {}); const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
@@ -233,7 +226,7 @@ describe("auth.config", () => {
it("should warn but not throw when using 127.0.0.1 in production", () => { it("should warn but not throw when using 127.0.0.1 in production", () => {
process.env.NODE_ENV = "production"; process.env.NODE_ENV = "production";
process.env.OIDC_REDIRECT_URI = "http://127.0.0.1:3000/auth/oauth2/callback/authentik"; process.env.OIDC_REDIRECT_URI = "http://127.0.0.1:3000/auth/callback/authentik";
const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {}); const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
@@ -247,7 +240,7 @@ describe("auth.config", () => {
it("should not warn about localhost when not in production", () => { it("should not warn about localhost when not in production", () => {
process.env.NODE_ENV = "development"; process.env.NODE_ENV = "development";
process.env.OIDC_REDIRECT_URI = "http://localhost:3000/auth/oauth2/callback/authentik"; process.env.OIDC_REDIRECT_URI = "http://localhost:3000/auth/callback/authentik";
const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {}); const warnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
@@ -272,19 +265,16 @@ describe("auth.config", () => {
process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic-stack/"; process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic-stack/";
process.env.OIDC_CLIENT_ID = "test-client-id"; process.env.OIDC_CLIENT_ID = "test-client-id";
process.env.OIDC_CLIENT_SECRET = "test-client-secret"; process.env.OIDC_CLIENT_SECRET = "test-client-secret";
process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik"; process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
const mockPrisma = {} as PrismaClient; const mockPrisma = {} as PrismaClient;
createAuth(mockPrisma); createAuth(mockPrisma);
expect(mockGenericOAuth).toHaveBeenCalledOnce(); expect(mockGenericOAuth).toHaveBeenCalledOnce();
const callArgs = mockGenericOAuth.mock.calls[0][0] as { const callArgs = mockGenericOAuth.mock.calls[0][0] as {
config: Array<{ pkce?: boolean; redirectURI?: string }>; config: Array<{ pkce?: boolean }>;
}; };
expect(callArgs.config[0].pkce).toBe(true); expect(callArgs.config[0].pkce).toBe(true);
expect(callArgs.config[0].redirectURI).toBe(
"https://app.example.com/auth/oauth2/callback/authentik"
);
}); });
it("should not call genericOAuth when OIDC is disabled", () => { it("should not call genericOAuth when OIDC is disabled", () => {
@@ -300,7 +290,7 @@ describe("auth.config", () => {
process.env.OIDC_ENABLED = "true"; process.env.OIDC_ENABLED = "true";
process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic-stack/"; process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic-stack/";
process.env.OIDC_CLIENT_SECRET = "test-client-secret"; process.env.OIDC_CLIENT_SECRET = "test-client-secret";
process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik"; process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
// OIDC_CLIENT_ID deliberately not set // OIDC_CLIENT_ID deliberately not set
// validateOidcConfig will throw first, so we need to bypass it // validateOidcConfig will throw first, so we need to bypass it
@@ -317,7 +307,7 @@ describe("auth.config", () => {
process.env.OIDC_ENABLED = "true"; process.env.OIDC_ENABLED = "true";
process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic-stack/"; process.env.OIDC_ISSUER = "https://auth.example.com/application/o/mosaic-stack/";
process.env.OIDC_CLIENT_ID = "test-client-id"; process.env.OIDC_CLIENT_ID = "test-client-id";
process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik"; process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
// OIDC_CLIENT_SECRET deliberately not set // OIDC_CLIENT_SECRET deliberately not set
const mockPrisma = {} as PrismaClient; const mockPrisma = {} as PrismaClient;
@@ -328,7 +318,7 @@ describe("auth.config", () => {
process.env.OIDC_ENABLED = "true"; process.env.OIDC_ENABLED = "true";
process.env.OIDC_CLIENT_ID = "test-client-id"; process.env.OIDC_CLIENT_ID = "test-client-id";
process.env.OIDC_CLIENT_SECRET = "test-client-secret"; process.env.OIDC_CLIENT_SECRET = "test-client-secret";
process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/oauth2/callback/authentik"; process.env.OIDC_REDIRECT_URI = "https://app.example.com/auth/callback/authentik";
// OIDC_ISSUER deliberately not set // OIDC_ISSUER deliberately not set
const mockPrisma = {} as PrismaClient; const mockPrisma = {} as PrismaClient;
@@ -364,7 +354,8 @@ describe("auth.config", () => {
}); });
it("should parse TRUSTED_ORIGINS comma-separated values", () => { it("should parse TRUSTED_ORIGINS comma-separated values", () => {
process.env.TRUSTED_ORIGINS = "https://app.mosaicstack.dev,https://api.mosaicstack.dev"; process.env.TRUSTED_ORIGINS =
"https://app.mosaicstack.dev,https://api.mosaicstack.dev";
const origins = getTrustedOrigins(); const origins = getTrustedOrigins();
@@ -373,7 +364,8 @@ describe("auth.config", () => {
}); });
it("should trim whitespace from TRUSTED_ORIGINS entries", () => { it("should trim whitespace from TRUSTED_ORIGINS entries", () => {
process.env.TRUSTED_ORIGINS = " https://app.mosaicstack.dev , https://api.mosaicstack.dev "; process.env.TRUSTED_ORIGINS =
" https://app.mosaicstack.dev , https://api.mosaicstack.dev ";
const origins = getTrustedOrigins(); const origins = getTrustedOrigins();
@@ -524,21 +516,6 @@ describe("auth.config", () => {
expect(config.session.updateAge).toBe(7200); expect(config.session.updateAge).toBe(7200);
}); });
it("should configure BetterAuth database ID generation as UUID", () => {
const mockPrisma = {} as PrismaClient;
createAuth(mockPrisma);
expect(mockBetterAuth).toHaveBeenCalledOnce();
const config = mockBetterAuth.mock.calls[0][0] as {
advanced: {
database: {
generateId: string;
};
};
};
expect(config.advanced.database.generateId).toBe("uuid");
});
it("should set httpOnly cookie attribute to true", () => { it("should set httpOnly cookie attribute to true", () => {
const mockPrisma = {} as PrismaClient; const mockPrisma = {} as PrismaClient;
createAuth(mockPrisma); createAuth(mockPrisma);
@@ -575,7 +552,6 @@ describe("auth.config", () => {
it("should set secure cookie attribute to true in production", () => { it("should set secure cookie attribute to true in production", () => {
process.env.NODE_ENV = "production"; process.env.NODE_ENV = "production";
process.env.NEXT_PUBLIC_API_URL = "https://api.example.com";
const mockPrisma = {} as PrismaClient; const mockPrisma = {} as PrismaClient;
createAuth(mockPrisma); createAuth(mockPrisma);
@@ -648,69 +624,4 @@ describe("auth.config", () => {
expect(config.advanced.defaultCookieAttributes.domain).toBeUndefined(); expect(config.advanced.defaultCookieAttributes.domain).toBeUndefined();
}); });
}); });
describe("getBetterAuthBaseUrl", () => {
it("should prefer BETTER_AUTH_URL when set", () => {
process.env.BETTER_AUTH_URL = "https://auth-base.example.com";
process.env.NEXT_PUBLIC_API_URL = "https://api.example.com";
expect(getBetterAuthBaseUrl()).toBe("https://auth-base.example.com");
});
it("should fall back to NEXT_PUBLIC_API_URL when BETTER_AUTH_URL is not set", () => {
process.env.NEXT_PUBLIC_API_URL = "https://api.example.com";
expect(getBetterAuthBaseUrl()).toBe("https://api.example.com");
});
it("should throw when base URL is invalid", () => {
process.env.BETTER_AUTH_URL = "not-a-url";
expect(() => getBetterAuthBaseUrl()).toThrow("BetterAuth base URL must be a valid URL");
});
it("should throw when base URL is missing in production", () => {
process.env.NODE_ENV = "production";
expect(() => getBetterAuthBaseUrl()).toThrow("Missing BetterAuth base URL in production");
});
it("should throw when base URL is not https in production", () => {
process.env.NODE_ENV = "production";
process.env.BETTER_AUTH_URL = "http://api.example.com";
expect(() => getBetterAuthBaseUrl()).toThrow(
"BetterAuth base URL must use https in production"
);
});
});
describe("createAuth - baseURL wiring", () => {
beforeEach(() => {
mockBetterAuth.mockClear();
mockPrismaAdapter.mockClear();
});
it("should pass BETTER_AUTH_URL into BetterAuth config", () => {
process.env.BETTER_AUTH_URL = "https://api.mosaicstack.dev";
const mockPrisma = {} as PrismaClient;
createAuth(mockPrisma);
expect(mockBetterAuth).toHaveBeenCalledOnce();
const config = mockBetterAuth.mock.calls[0][0] as { baseURL?: string };
expect(config.baseURL).toBe("https://api.mosaicstack.dev");
});
it("should pass NEXT_PUBLIC_API_URL into BetterAuth config when BETTER_AUTH_URL is absent", () => {
process.env.NEXT_PUBLIC_API_URL = "https://api.fallback.dev";
const mockPrisma = {} as PrismaClient;
createAuth(mockPrisma);
expect(mockBetterAuth).toHaveBeenCalledOnce();
const config = mockBetterAuth.mock.calls[0][0] as { baseURL?: string };
expect(config.baseURL).toBe("https://api.fallback.dev");
});
});
}); });

65
apps/api/src/auth/auth.config.ts
View File

@@ -13,41 +13,6 @@ const REQUIRED_OIDC_ENV_VARS = [
"OIDC_REDIRECT_URI", "OIDC_REDIRECT_URI",
] as const; ] as const;
/**
* Resolve BetterAuth base URL from explicit auth URL or API URL.
* BetterAuth uses this to generate absolute callback/error URLs.
*/
export function getBetterAuthBaseUrl(): string | undefined {
const configured = process.env.BETTER_AUTH_URL ?? process.env.NEXT_PUBLIC_API_URL;
if (!configured || configured.trim() === "") {
if (process.env.NODE_ENV === "production") {
throw new Error(
"Missing BetterAuth base URL in production. Set BETTER_AUTH_URL (preferred) or NEXT_PUBLIC_API_URL."
);
}
return undefined;
}
let parsed: URL;
try {
parsed = new URL(configured);
} catch (urlError: unknown) {
const detail = urlError instanceof Error ? urlError.message : String(urlError);
throw new Error(
`BetterAuth base URL must be a valid URL. Current value: "${configured}". Parse error: ${detail}.`
);
}
if (process.env.NODE_ENV === "production" && parsed.protocol !== "https:") {
throw new Error(
`BetterAuth base URL must use https in production. Current value: "${configured}".`
);
}
return parsed.origin;
}
/** /**
* Check if OIDC authentication is enabled via environment variable * Check if OIDC authentication is enabled via environment variable
*/ */
@@ -93,17 +58,17 @@ export function validateOidcConfig(): void {
); );
} }
// Additional validation: OIDC_REDIRECT_URI must be a valid URL with /auth/oauth2/callback path // Additional validation: OIDC_REDIRECT_URI must be a valid URL with /auth/callback path
validateRedirectUri(); validateRedirectUri();
} }
/** /**
* Validates the OIDC_REDIRECT_URI environment variable. * Validates the OIDC_REDIRECT_URI environment variable.
* - Must be a parseable URL * - Must be a parseable URL
* - Path must start with /auth/oauth2/callback * - Path must start with /auth/callback
* - Warns (but does not throw) if using localhost in production * - Warns (but does not throw) if using localhost in production
* *
* @throws Error if URL is invalid or path does not start with /auth/oauth2/callback * @throws Error if URL is invalid or path does not start with /auth/callback
*/ */
function validateRedirectUri(): void { function validateRedirectUri(): void {
const redirectUri = process.env.OIDC_REDIRECT_URI; const redirectUri = process.env.OIDC_REDIRECT_URI;
@@ -120,14 +85,14 @@ function validateRedirectUri(): void {
throw new Error( throw new Error(
`OIDC_REDIRECT_URI must be a valid URL. Current value: "${redirectUri}". ` + `OIDC_REDIRECT_URI must be a valid URL. Current value: "${redirectUri}". ` +
`Parse error: ${detail}. ` + `Parse error: ${detail}. ` +
`Example: "https://api.example.com/auth/oauth2/callback/authentik".` `Example: "https://app.example.com/auth/callback/authentik".`
); );
} }
if (!parsed.pathname.startsWith("/auth/oauth2/callback")) { if (!parsed.pathname.startsWith("/auth/callback")) {
throw new Error( throw new Error(
`OIDC_REDIRECT_URI path must start with "/auth/oauth2/callback". Current path: "${parsed.pathname}". ` + `OIDC_REDIRECT_URI path must start with "/auth/callback". Current path: "${parsed.pathname}". ` +
`Example: "https://api.example.com/auth/oauth2/callback/authentik".` `Example: "https://app.example.com/auth/callback/authentik".`
); );
} }
@@ -154,7 +119,6 @@ function getOidcPlugins(): ReturnType<typeof genericOAuth>[] {
const clientId = process.env.OIDC_CLIENT_ID; const clientId = process.env.OIDC_CLIENT_ID;
const clientSecret = process.env.OIDC_CLIENT_SECRET; const clientSecret = process.env.OIDC_CLIENT_SECRET;
const issuer = process.env.OIDC_ISSUER; const issuer = process.env.OIDC_ISSUER;
const redirectUri = process.env.OIDC_REDIRECT_URI;
if (!clientId) { if (!clientId) {
throw new Error("OIDC_CLIENT_ID is required when OIDC is enabled but was not set."); throw new Error("OIDC_CLIENT_ID is required when OIDC is enabled but was not set.");
@@ -165,9 +129,6 @@ function getOidcPlugins(): ReturnType<typeof genericOAuth>[] {
if (!issuer) { if (!issuer) {
throw new Error("OIDC_ISSUER is required when OIDC is enabled but was not set."); throw new Error("OIDC_ISSUER is required when OIDC is enabled but was not set.");
} }
if (!redirectUri) {
throw new Error("OIDC_REDIRECT_URI is required when OIDC is enabled but was not set.");
}
return [ return [
genericOAuth({ genericOAuth({
@@ -177,7 +138,6 @@ function getOidcPlugins(): ReturnType<typeof genericOAuth>[] {
clientId, clientId,
clientSecret, clientSecret,
discoveryUrl: `${issuer}.well-known/openid-configuration`, discoveryUrl: `${issuer}.well-known/openid-configuration`,
redirectURI: redirectUri,
pkce: true, pkce: true,
scopes: ["openid", "profile", "email"], scopes: ["openid", "profile", "email"],
}, },
@@ -242,10 +202,7 @@ export function createAuth(prisma: PrismaClient) {
// Validate OIDC configuration at startup - fail fast if misconfigured // Validate OIDC configuration at startup - fail fast if misconfigured
validateOidcConfig(); validateOidcConfig();
const baseURL = getBetterAuthBaseUrl();
return betterAuth({ return betterAuth({
baseURL,
basePath: "/auth", basePath: "/auth",
database: prismaAdapter(prisma, { database: prismaAdapter(prisma, {
provider: "postgresql", provider: "postgresql",
@@ -254,19 +211,11 @@ export function createAuth(prisma: PrismaClient) {
enabled: true, enabled: true,
}, },
plugins: [...getOidcPlugins()], plugins: [...getOidcPlugins()],
logger: {
disabled: false,
level: "error",
},
session: { session: {
expiresIn: 60 * 60 * 24 * 7, // 7 days absolute max expiresIn: 60 * 60 * 24 * 7, // 7 days absolute max
updateAge: 60 * 60 * 2, // 2 hours — minimum session age before BetterAuth refreshes the expiry on next request updateAge: 60 * 60 * 2, // 2 hours — minimum session age before BetterAuth refreshes the expiry on next request
}, },
advanced: { advanced: {
database: {
// BetterAuth's default ID generator emits opaque strings; our auth tables use UUID PKs.
generateId: "uuid",
},
defaultCookieAttributes: { defaultCookieAttributes: {
httpOnly: true, httpOnly: true,
secure: process.env.NODE_ENV === "production", secure: process.env.NODE_ENV === "production",

100
apps/api/src/auth/auth.controller.spec.ts
View File

@@ -102,46 +102,11 @@ describe("AuthController", () => {
expect(err).toBeInstanceOf(HttpException); expect(err).toBeInstanceOf(HttpException);
expect((err as HttpException).getStatus()).toBe(HttpStatus.INTERNAL_SERVER_ERROR); expect((err as HttpException).getStatus()).toBe(HttpStatus.INTERNAL_SERVER_ERROR);
expect((err as HttpException).getResponse()).toBe( expect((err as HttpException).getResponse()).toBe(
"Unable to complete authentication. Please try again in a moment." "Unable to complete authentication. Please try again in a moment.",
); );
} }
}); });
it("should preserve better-call status and body for handler APIError", async () => {
const apiError = {
statusCode: HttpStatus.BAD_REQUEST,
message: "Invalid OAuth configuration",
body: {
message: "Invalid OAuth configuration",
code: "INVALID_OAUTH_CONFIGURATION",
},
};
mockNodeHandler.mockRejectedValueOnce(apiError);
const mockRequest = {
method: "POST",
url: "/auth/sign-in/oauth2",
headers: {},
ip: "192.168.1.10",
socket: { remoteAddress: "192.168.1.10" },
} as unknown as ExpressRequest;
const mockResponse = {
headersSent: false,
} as unknown as ExpressResponse;
try {
await controller.handleAuth(mockRequest, mockResponse);
expect.unreachable("Expected HttpException to be thrown");
} catch (err) {
expect(err).toBeInstanceOf(HttpException);
expect((err as HttpException).getStatus()).toBe(HttpStatus.BAD_REQUEST);
expect((err as HttpException).getResponse()).toMatchObject({
message: "Invalid OAuth configuration",
});
}
});
it("should log warning and not throw when handler throws after headers sent", async () => { it("should log warning and not throw when handler throws after headers sent", async () => {
const handlerError = new Error("Stream interrupted"); const handlerError = new Error("Stream interrupted");
mockNodeHandler.mockRejectedValueOnce(handlerError); mockNodeHandler.mockRejectedValueOnce(handlerError);
@@ -177,7 +142,9 @@ describe("AuthController", () => {
headersSent: false, headersSent: false,
} as unknown as ExpressResponse; } as unknown as ExpressResponse;
await expect(controller.handleAuth(mockRequest, mockResponse)).rejects.toThrow(HttpException); await expect(controller.handleAuth(mockRequest, mockResponse)).rejects.toThrow(
HttpException,
);
}); });
}); });
@@ -220,7 +187,7 @@ describe("AuthController", () => {
OIDC_CLIENT_SECRET: "test-client-secret", OIDC_CLIENT_SECRET: "test-client-secret",
OIDC_CLIENT_ID: "test-client-id", OIDC_CLIENT_ID: "test-client-id",
OIDC_ISSUER: "https://auth.test.com/", OIDC_ISSUER: "https://auth.test.com/",
OIDC_REDIRECT_URI: "https://app.test.com/auth/oauth2/callback/authentik", OIDC_REDIRECT_URI: "https://app.test.com/auth/callback/authentik",
BETTER_AUTH_SECRET: "test-better-auth-secret", BETTER_AUTH_SECRET: "test-better-auth-secret",
JWT_SECRET: "test-jwt-secret", JWT_SECRET: "test-jwt-secret",
CSRF_SECRET: "test-csrf-secret", CSRF_SECRET: "test-csrf-secret",
@@ -329,9 +296,11 @@ describe("AuthController", () => {
}, },
}; };
expect(() => controller.getSession(mockRequest as never)).toThrow(UnauthorizedException);
expect(() => controller.getSession(mockRequest as never)).toThrow( expect(() => controller.getSession(mockRequest as never)).toThrow(
"Missing authentication context" UnauthorizedException,
);
expect(() => controller.getSession(mockRequest as never)).toThrow(
"Missing authentication context",
); );
}); });
@@ -344,30 +313,37 @@ describe("AuthController", () => {
}, },
}; };
expect(() => controller.getSession(mockRequest as never)).toThrow(UnauthorizedException);
expect(() => controller.getSession(mockRequest as never)).toThrow( expect(() => controller.getSession(mockRequest as never)).toThrow(
"Missing authentication context" UnauthorizedException,
);
expect(() => controller.getSession(mockRequest as never)).toThrow(
"Missing authentication context",
); );
}); });
it("should throw UnauthorizedException when both req.user and req.session are undefined", () => { it("should throw UnauthorizedException when both req.user and req.session are undefined", () => {
const mockRequest = {}; const mockRequest = {};
expect(() => controller.getSession(mockRequest as never)).toThrow(UnauthorizedException);
expect(() => controller.getSession(mockRequest as never)).toThrow( expect(() => controller.getSession(mockRequest as never)).toThrow(
"Missing authentication context" UnauthorizedException,
);
expect(() => controller.getSession(mockRequest as never)).toThrow(
"Missing authentication context",
); );
}); });
}); });
describe("getProfile", () => { describe("getProfile", () => {
it("should return complete user profile with identity fields", () => { it("should return complete user profile with workspace fields", () => {
const mockUser: AuthUser = { const mockUser: AuthUser = {
id: "user-123", id: "user-123",
email: "test@example.com", email: "test@example.com",
name: "Test User", name: "Test User",
image: "https://example.com/avatar.jpg", image: "https://example.com/avatar.jpg",
emailVerified: true, emailVerified: true,
workspaceId: "workspace-123",
currentWorkspaceId: "workspace-456",
workspaceRole: "admin",
}; };
const result = controller.getProfile(mockUser); const result = controller.getProfile(mockUser);
@@ -378,10 +354,13 @@ describe("AuthController", () => {
name: mockUser.name, name: mockUser.name,
image: mockUser.image, image: mockUser.image,
emailVerified: mockUser.emailVerified, emailVerified: mockUser.emailVerified,
workspaceId: mockUser.workspaceId,
currentWorkspaceId: mockUser.currentWorkspaceId,
workspaceRole: mockUser.workspaceRole,
}); });
}); });
it("should return user profile with only required fields", () => { it("should return user profile with optional fields undefined", () => {
const mockUser: AuthUser = { const mockUser: AuthUser = {
id: "user-123", id: "user-123",
email: "test@example.com", email: "test@example.com",
@@ -394,11 +373,12 @@ describe("AuthController", () => {
id: mockUser.id, id: mockUser.id,
email: mockUser.email, email: mockUser.email,
name: mockUser.name, name: mockUser.name,
image: undefined,
emailVerified: undefined,
workspaceId: undefined,
currentWorkspaceId: undefined,
workspaceRole: undefined,
}); });
// Workspace fields are not included — served by GET /api/workspaces
expect(result).not.toHaveProperty("workspaceId");
expect(result).not.toHaveProperty("currentWorkspaceId");
expect(result).not.toHaveProperty("workspaceRole");
}); });
}); });
@@ -421,7 +401,9 @@ describe("AuthController", () => {
await controller.handleAuth(mockRequest, mockResponse); await controller.handleAuth(mockRequest, mockResponse);
expect(debugSpy).toHaveBeenCalledWith(expect.stringContaining("203.0.113.50")); expect(debugSpy).toHaveBeenCalledWith(
expect.stringContaining("203.0.113.50"),
);
}); });
it("should extract first IP from X-Forwarded-For with comma-separated IPs", async () => { it("should extract first IP from X-Forwarded-For with comma-separated IPs", async () => {
@@ -441,9 +423,13 @@ describe("AuthController", () => {
await controller.handleAuth(mockRequest, mockResponse); await controller.handleAuth(mockRequest, mockResponse);
expect(debugSpy).toHaveBeenCalledWith(expect.stringContaining("203.0.113.50")); expect(debugSpy).toHaveBeenCalledWith(
expect.stringContaining("203.0.113.50"),
);
// Ensure it does NOT contain the second IP in the extracted position // Ensure it does NOT contain the second IP in the extracted position
expect(debugSpy).toHaveBeenCalledWith(expect.not.stringContaining("70.41.3.18")); expect(debugSpy).toHaveBeenCalledWith(
expect.not.stringContaining("70.41.3.18"),
);
}); });
it("should extract first IP from X-Forwarded-For as array", async () => { it("should extract first IP from X-Forwarded-For as array", async () => {
@@ -463,7 +449,9 @@ describe("AuthController", () => {
await controller.handleAuth(mockRequest, mockResponse); await controller.handleAuth(mockRequest, mockResponse);
expect(debugSpy).toHaveBeenCalledWith(expect.stringContaining("203.0.113.50")); expect(debugSpy).toHaveBeenCalledWith(
expect.stringContaining("203.0.113.50"),
);
}); });
it("should fallback to req.ip when no X-Forwarded-For header", async () => { it("should fallback to req.ip when no X-Forwarded-For header", async () => {
@@ -483,7 +471,9 @@ describe("AuthController", () => {
await controller.handleAuth(mockRequest, mockResponse); await controller.handleAuth(mockRequest, mockResponse);
expect(debugSpy).toHaveBeenCalledWith(expect.stringContaining("192.168.1.100")); expect(debugSpy).toHaveBeenCalledWith(
expect.stringContaining("192.168.1.100"),
);
}); });
}); });
}); });

67
apps/api/src/auth/auth.controller.ts
View File

@@ -72,10 +72,15 @@ export class AuthController {
if (user.emailVerified !== undefined) { if (user.emailVerified !== undefined) {
profile.emailVerified = user.emailVerified; profile.emailVerified = user.emailVerified;
} }
if (user.workspaceId !== undefined) {
// Workspace context is served by GET /api/workspaces, not the auth profile. profile.workspaceId = user.workspaceId;
// The deprecated workspaceId/currentWorkspaceId/workspaceRole fields on }
// AuthUser are never populated by BetterAuth and are omitted here. if (user.currentWorkspaceId !== undefined) {
profile.currentWorkspaceId = user.currentWorkspaceId;
}
if (user.workspaceRole !== undefined) {
profile.workspaceRole = user.workspaceRole;
}
return profile; return profile;
} }
@@ -118,14 +123,6 @@ export class AuthController {
try { try {
await handler(req, res); await handler(req, res);
// BetterAuth writes responses directly — catch silent 500s that bypass NestJS error handling
if (res.statusCode >= 500) {
this.logger.error(
`BetterAuth returned ${String(res.statusCode)} for ${req.method} ${req.url} from ${clientIp}` +
` — check container stdout for '# SERVER_ERROR' details`
);
}
} catch (error: unknown) { } catch (error: unknown) {
const message = error instanceof Error ? error.message : String(error); const message = error instanceof Error ? error.message : String(error);
const stack = error instanceof Error ? error.stack : undefined; const stack = error instanceof Error ? error.stack : undefined;
@@ -136,11 +133,6 @@ export class AuthController {
); );
if (!res.headersSent) { if (!res.headersSent) {
const mappedError = this.mapToHttpException(error);
if (mappedError) {
throw mappedError;
}
throw new HttpException( throw new HttpException(
"Unable to complete authentication. Please try again in a moment.", "Unable to complete authentication. Please try again in a moment.",
HttpStatus.INTERNAL_SERVER_ERROR HttpStatus.INTERNAL_SERVER_ERROR
@@ -167,45 +159,4 @@ export class AuthController {
// Fall back to direct IP // Fall back to direct IP
return req.ip ?? req.socket.remoteAddress ?? "unknown"; return req.ip ?? req.socket.remoteAddress ?? "unknown";
} }
/**
* Preserve known HTTP errors from BetterAuth/better-call instead of converting
* every failure into a generic 500.
*/
private mapToHttpException(error: unknown): HttpException | null {
if (error instanceof HttpException) {
return error;
}
if (!error || typeof error !== "object") {
return null;
}
const statusCode = "statusCode" in error ? error.statusCode : undefined;
if (!this.isHttpStatus(statusCode)) {
return null;
}
const responseBody = "body" in error && error.body !== undefined ? error.body : undefined;
if (
responseBody !== undefined &&
responseBody !== null &&
(typeof responseBody === "string" || typeof responseBody === "object")
) {
return new HttpException(responseBody, statusCode);
}
const message =
"message" in error && typeof error.message === "string" && error.message.length > 0
? error.message
: "Authentication request failed";
return new HttpException(message, statusCode);
}
private isHttpStatus(value: unknown): value is number {
if (typeof value !== "number" || !Number.isInteger(value)) {
return false;
}
return value >= 400 && value <= 599;
}
} }

7
apps/api/src/auth/auth.module.ts
View File

@@ -3,14 +3,11 @@ import { PrismaModule } from "../prisma/prisma.module";
import { AuthService } from "./auth.service"; import { AuthService } from "./auth.service";
import { AuthController } from "./auth.controller"; import { AuthController } from "./auth.controller";
import { AuthGuard } from "./guards/auth.guard"; import { AuthGuard } from "./guards/auth.guard";
import { LocalAuthController } from "./local/local-auth.controller";
import { LocalAuthService } from "./local/local-auth.service";
import { LocalAuthEnabledGuard } from "./local/local-auth.guard";
@Module({ @Module({
imports: [PrismaModule], imports: [PrismaModule],
controllers: [AuthController, LocalAuthController], controllers: [AuthController],
providers: [AuthService, AuthGuard, LocalAuthService, LocalAuthEnabledGuard], providers: [AuthService, AuthGuard],
exports: [AuthService, AuthGuard], exports: [AuthService, AuthGuard],
}) })
export class AuthModule {} export class AuthModule {}

61
apps/api/src/auth/auth.service.spec.ts
View File

@@ -410,7 +410,7 @@ describe("AuthService", () => {
}, },
}; };
it("should validate session token using secure BetterAuth cookie header", async () => { it("should return session data for valid token", async () => {
const auth = service.getAuth(); const auth = service.getAuth();
const mockGetSession = vi.fn().mockResolvedValue(mockSessionData); const mockGetSession = vi.fn().mockResolvedValue(mockSessionData);
auth.api = { getSession: mockGetSession } as any; auth.api = { getSession: mockGetSession } as any;
@@ -418,58 +418,7 @@ describe("AuthService", () => {
const result = await service.verifySession("valid-token"); const result = await service.verifySession("valid-token");
expect(result).toEqual(mockSessionData); expect(result).toEqual(mockSessionData);
expect(mockGetSession).toHaveBeenCalledTimes(1);
expect(mockGetSession).toHaveBeenCalledWith({ expect(mockGetSession).toHaveBeenCalledWith({
headers: {
cookie: "__Secure-better-auth.session_token=valid-token",
},
});
});
it("should preserve raw cookie token value without URL re-encoding", async () => {
const auth = service.getAuth();
const mockGetSession = vi.fn().mockResolvedValue(mockSessionData);
auth.api = { getSession: mockGetSession } as any;
const result = await service.verifySession("tok/with+=chars=");
expect(result).toEqual(mockSessionData);
expect(mockGetSession).toHaveBeenCalledWith({
headers: {
cookie: "__Secure-better-auth.session_token=tok/with+=chars=",
},
});
});
it("should fall back to Authorization header when cookie-based lookups miss", async () => {
const auth = service.getAuth();
const mockGetSession = vi
.fn()
.mockResolvedValueOnce(null)
.mockResolvedValueOnce(null)
.mockResolvedValueOnce(null)
.mockResolvedValueOnce(mockSessionData);
auth.api = { getSession: mockGetSession } as any;
const result = await service.verifySession("valid-token");
expect(result).toEqual(mockSessionData);
expect(mockGetSession).toHaveBeenNthCalledWith(1, {
headers: {
cookie: "__Secure-better-auth.session_token=valid-token",
},
});
expect(mockGetSession).toHaveBeenNthCalledWith(2, {
headers: {
cookie: "better-auth.session_token=valid-token",
},
});
expect(mockGetSession).toHaveBeenNthCalledWith(3, {
headers: {
cookie: "__Host-better-auth.session_token=valid-token",
},
});
expect(mockGetSession).toHaveBeenNthCalledWith(4, {
headers: { headers: {
authorization: "Bearer valid-token", authorization: "Bearer valid-token",
}, },
@@ -568,10 +517,14 @@ describe("AuthService", () => {
it("should re-throw 'certificate has expired' as infrastructure error (not auth)", async () => { it("should re-throw 'certificate has expired' as infrastructure error (not auth)", async () => {
const auth = service.getAuth(); const auth = service.getAuth();
const mockGetSession = vi.fn().mockRejectedValue(new Error("certificate has expired")); const mockGetSession = vi
.fn()
.mockRejectedValue(new Error("certificate has expired"));
auth.api = { getSession: mockGetSession } as any; auth.api = { getSession: mockGetSession } as any;
await expect(service.verifySession("any-token")).rejects.toThrow("certificate has expired"); await expect(service.verifySession("any-token")).rejects.toThrow(
"certificate has expired"
);
}); });
it("should re-throw 'Unauthorized: Access denied for user' as infrastructure error (not auth)", async () => { it("should re-throw 'Unauthorized: Access denied for user' as infrastructure error (not auth)", async () => {

102
apps/api/src/auth/auth.service.ts
View File

@@ -21,10 +21,6 @@ interface VerifiedSession {
session: Record<string, unknown>; session: Record<string, unknown>;
} }
interface SessionHeaderCandidate {
headers: Record<string, string>;
}
@Injectable() @Injectable()
export class AuthService { export class AuthService {
private readonly logger = new Logger(AuthService.name); private readonly logger = new Logger(AuthService.name);
@@ -107,27 +103,36 @@ export class AuthService {
* Only known-safe auth errors return null; everything else propagates as 500. * Only known-safe auth errors return null; everything else propagates as 500.
*/ */
async verifySession(token: string): Promise<VerifiedSession | null> { async verifySession(token: string): Promise<VerifiedSession | null> {
let sawNonError = false; try {
// TODO(#411): BetterAuth getSession returns opaque types — replace when upstream exports typed interfaces
const session = await this.auth.api.getSession({
headers: {
authorization: `Bearer ${token}`,
},
});
for (const candidate of this.buildSessionHeaderCandidates(token)) { if (!session) {
try { return null;
// TODO(#411): BetterAuth getSession returns opaque types — replace when upstream exports typed interfaces }
const session = await this.auth.api.getSession(candidate);
if (!session) { return {
continue; user: session.user as Record<string, unknown>,
} session: session.session as Record<string, unknown>,
};
return { } catch (error: unknown) {
user: session.user as Record<string, unknown>, // Only known-safe auth errors return null
session: session.session as Record<string, unknown>, if (error instanceof Error) {
}; const msg = error.message.toLowerCase();
} catch (error: unknown) { const isExpectedAuthError =
if (error instanceof Error) { msg.includes("invalid token") ||
if (this.isExpectedAuthError(error.message)) { msg.includes("token expired") ||
continue; msg.includes("session expired") ||
} msg.includes("session not found") ||
msg.includes("invalid session") ||
msg === "unauthorized" ||
msg === "expired";
if (!isExpectedAuthError) {
// Infrastructure or unexpected — propagate as 500 // Infrastructure or unexpected — propagate as 500
const safeMessage = (error.stack ?? error.message).replace( const safeMessage = (error.stack ?? error.message).replace(
/Bearer\s+\S+/gi, /Bearer\s+\S+/gi,
@@ -136,55 +141,14 @@ export class AuthService {
this.logger.error("Session verification failed due to unexpected error", safeMessage); this.logger.error("Session verification failed due to unexpected error", safeMessage);
throw error; throw error;
} }
// Non-Error thrown values — log once for observability, treat as auth failure
if (!sawNonError) {
const errorDetail = typeof error === "string" ? error : JSON.stringify(error);
this.logger.warn("Session verification received non-Error thrown value", errorDetail);
sawNonError = true;
}
} }
// Non-Error thrown values — log for observability, treat as auth failure
if (!(error instanceof Error)) {
const errorDetail = typeof error === "string" ? error : JSON.stringify(error);
this.logger.warn("Session verification received non-Error thrown value", errorDetail);
}
return null;
} }
return null;
}
private buildSessionHeaderCandidates(token: string): SessionHeaderCandidate[] {
return [
{
headers: {
cookie: `__Secure-better-auth.session_token=${token}`,
},
},
{
headers: {
cookie: `better-auth.session_token=${token}`,
},
},
{
headers: {
cookie: `__Host-better-auth.session_token=${token}`,
},
},
{
headers: {
authorization: `Bearer ${token}`,
},
},
];
}
private isExpectedAuthError(message: string): boolean {
const normalized = message.toLowerCase();
return (
normalized.includes("invalid token") ||
normalized.includes("token expired") ||
normalized.includes("session expired") ||
normalized.includes("session not found") ||
normalized.includes("invalid session") ||
normalized === "unauthorized" ||
normalized === "expired"
);
} }
/** /**

32
apps/api/src/auth/guards/auth.guard.ts
View File

@@ -1,18 +1,10 @@
import { import { Injectable, CanActivate, ExecutionContext, UnauthorizedException } from "@nestjs/common";
Injectable,
CanActivate,
ExecutionContext,
UnauthorizedException,
Logger,
} from "@nestjs/common";
import { AuthService } from "../auth.service"; import { AuthService } from "../auth.service";
import type { AuthUser } from "@mosaic/shared"; import type { AuthUser } from "@mosaic/shared";
import type { MaybeAuthenticatedRequest } from "../types/better-auth-request.interface"; import type { MaybeAuthenticatedRequest } from "../types/better-auth-request.interface";
@Injectable() @Injectable()
export class AuthGuard implements CanActivate { export class AuthGuard implements CanActivate {
private readonly logger = new Logger(AuthGuard.name);
constructor(private readonly authService: AuthService) {} constructor(private readonly authService: AuthService) {}
async canActivate(context: ExecutionContext): Promise<boolean> { async canActivate(context: ExecutionContext): Promise<boolean> {
@@ -67,8 +59,7 @@ export class AuthGuard implements CanActivate {
} }
/** /**
* Extract token from cookie. * Extract token from cookie (BetterAuth stores session token in better-auth.session_token cookie)
* BetterAuth may prefix the cookie name with "__Secure-" when running on HTTPS.
*/ */
private extractTokenFromCookie(request: MaybeAuthenticatedRequest): string | undefined { private extractTokenFromCookie(request: MaybeAuthenticatedRequest): string | undefined {
// Express types `cookies` as `any`; cast to a known shape for type safety. // Express types `cookies` as `any`; cast to a known shape for type safety.
@@ -77,23 +68,8 @@ export class AuthGuard implements CanActivate {
return undefined; return undefined;
} }
// BetterAuth default cookie name is "better-auth.session_token" // BetterAuth uses 'better-auth.session_token' as the cookie name by default
// When Secure cookies are enabled, BetterAuth prefixes with "__Secure-". return cookies["better-auth.session_token"];
const candidates = [
"__Secure-better-auth.session_token",
"better-auth.session_token",
"__Host-better-auth.session_token",
] as const;
for (const name of candidates) {
const token = cookies[name];
if (token) {
this.logger.debug(`Session cookie found: ${name}`);
return token;
}
}
return undefined;
} }
/** /**

10
apps/api/src/auth/local/dto/local-login.dto.ts
View File

@@ -1,10 +0,0 @@
import { IsEmail, IsString, MinLength } from "class-validator";
export class LocalLoginDto {
@IsEmail({}, { message: "email must be a valid email address" })
email!: string;
@IsString({ message: "password must be a string" })
@MinLength(1, { message: "password must not be empty" })
password!: string;
}

20
apps/api/src/auth/local/dto/local-setup.dto.ts
View File

@@ -1,20 +0,0 @@
import { IsEmail, IsString, MinLength, MaxLength } from "class-validator";
export class LocalSetupDto {
@IsEmail({}, { message: "email must be a valid email address" })
email!: string;
@IsString({ message: "name must be a string" })
@MinLength(1, { message: "name must not be empty" })
@MaxLength(255, { message: "name must not exceed 255 characters" })
name!: string;
@IsString({ message: "password must be a string" })
@MinLength(12, { message: "password must be at least 12 characters" })
@MaxLength(128, { message: "password must not exceed 128 characters" })
password!: string;
@IsString({ message: "setupToken must be a string" })
@MinLength(1, { message: "setupToken must not be empty" })
setupToken!: string;
}

232
apps/api/src/auth/local/local-auth.controller.spec.ts
View File

@@ -1,232 +0,0 @@
import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
import { Test, TestingModule } from "@nestjs/testing";
import {
NotFoundException,
ForbiddenException,
UnauthorizedException,
ConflictException,
} from "@nestjs/common";
import { LocalAuthController } from "./local-auth.controller";
import { LocalAuthService } from "./local-auth.service";
import { LocalAuthEnabledGuard } from "./local-auth.guard";
describe("LocalAuthController", () => {
let controller: LocalAuthController;
let localAuthService: LocalAuthService;
const mockLocalAuthService = {
setup: vi.fn(),
login: vi.fn(),
};
const mockRequest = {
headers: { "user-agent": "TestAgent/1.0" },
ip: "127.0.0.1",
socket: { remoteAddress: "127.0.0.1" },
};
const originalEnv = {
ENABLE_LOCAL_AUTH: process.env.ENABLE_LOCAL_AUTH,
};
beforeEach(async () => {
process.env.ENABLE_LOCAL_AUTH = "true";
const module: TestingModule = await Test.createTestingModule({
controllers: [LocalAuthController],
providers: [
{
provide: LocalAuthService,
useValue: mockLocalAuthService,
},
],
})
.overrideGuard(LocalAuthEnabledGuard)
.useValue({ canActivate: () => true })
.compile();
controller = module.get<LocalAuthController>(LocalAuthController);
localAuthService = module.get<LocalAuthService>(LocalAuthService);
vi.clearAllMocks();
});
afterEach(() => {
vi.restoreAllMocks();
if (originalEnv.ENABLE_LOCAL_AUTH !== undefined) {
process.env.ENABLE_LOCAL_AUTH = originalEnv.ENABLE_LOCAL_AUTH;
} else {
delete process.env.ENABLE_LOCAL_AUTH;
}
});
describe("setup", () => {
const setupDto = {
email: "admin@example.com",
name: "Break Glass Admin",
password: "securePassword123!",
setupToken: "valid-token-123",
};
const mockSetupResult = {
user: {
id: "user-uuid-123",
email: "admin@example.com",
name: "Break Glass Admin",
isLocalAuth: true,
createdAt: new Date("2026-02-28T00:00:00Z"),
},
session: {
token: "session-token-abc",
expiresAt: new Date("2026-03-07T00:00:00Z"),
},
};
it("should create a break-glass user and return user data with session", async () => {
mockLocalAuthService.setup.mockResolvedValue(mockSetupResult);
const result = await controller.setup(setupDto, mockRequest as never);
expect(result).toEqual({
user: mockSetupResult.user,
session: mockSetupResult.session,
});
expect(mockLocalAuthService.setup).toHaveBeenCalledWith(
"admin@example.com",
"Break Glass Admin",
"securePassword123!",
"valid-token-123",
"127.0.0.1",
"TestAgent/1.0"
);
});
it("should extract client IP from x-forwarded-for header", async () => {
mockLocalAuthService.setup.mockResolvedValue(mockSetupResult);
const reqWithProxy = {
...mockRequest,
headers: {
...mockRequest.headers,
"x-forwarded-for": "203.0.113.50, 70.41.3.18",
},
};
await controller.setup(setupDto, reqWithProxy as never);
expect(mockLocalAuthService.setup).toHaveBeenCalledWith(
expect.any(String) as string,
expect.any(String) as string,
expect.any(String) as string,
expect.any(String) as string,
"203.0.113.50",
"TestAgent/1.0"
);
});
it("should propagate ForbiddenException from service", async () => {
mockLocalAuthService.setup.mockRejectedValue(new ForbiddenException("Invalid setup token"));
await expect(controller.setup(setupDto, mockRequest as never)).rejects.toThrow(
ForbiddenException
);
});
it("should propagate ConflictException from service", async () => {
mockLocalAuthService.setup.mockRejectedValue(
new ConflictException("A user with this email already exists")
);
await expect(controller.setup(setupDto, mockRequest as never)).rejects.toThrow(
ConflictException
);
});
});
describe("login", () => {
const loginDto = {
email: "admin@example.com",
password: "securePassword123!",
};
const mockLoginResult = {
user: {
id: "user-uuid-123",
email: "admin@example.com",
name: "Break Glass Admin",
},
session: {
token: "session-token-abc",
expiresAt: new Date("2026-03-07T00:00:00Z"),
},
};
it("should authenticate and return user data with session", async () => {
mockLocalAuthService.login.mockResolvedValue(mockLoginResult);
const result = await controller.login(loginDto, mockRequest as never);
expect(result).toEqual({
user: mockLoginResult.user,
session: mockLoginResult.session,
});
expect(mockLocalAuthService.login).toHaveBeenCalledWith(
"admin@example.com",
"securePassword123!",
"127.0.0.1",
"TestAgent/1.0"
);
});
it("should propagate UnauthorizedException from service", async () => {
mockLocalAuthService.login.mockRejectedValue(
new UnauthorizedException("Invalid email or password")
);
await expect(controller.login(loginDto, mockRequest as never)).rejects.toThrow(
UnauthorizedException
);
});
});
});
describe("LocalAuthEnabledGuard", () => {
let guard: LocalAuthEnabledGuard;
const originalEnv = process.env.ENABLE_LOCAL_AUTH;
beforeEach(() => {
guard = new LocalAuthEnabledGuard();
});
afterEach(() => {
if (originalEnv !== undefined) {
process.env.ENABLE_LOCAL_AUTH = originalEnv;
} else {
delete process.env.ENABLE_LOCAL_AUTH;
}
});
it("should allow access when ENABLE_LOCAL_AUTH is true", () => {
process.env.ENABLE_LOCAL_AUTH = "true";
expect(guard.canActivate()).toBe(true);
});
it("should throw NotFoundException when ENABLE_LOCAL_AUTH is not set", () => {
delete process.env.ENABLE_LOCAL_AUTH;
expect(() => guard.canActivate()).toThrow(NotFoundException);
});
it("should throw NotFoundException when ENABLE_LOCAL_AUTH is false", () => {
process.env.ENABLE_LOCAL_AUTH = "false";
expect(() => guard.canActivate()).toThrow(NotFoundException);
});
it("should throw NotFoundException when ENABLE_LOCAL_AUTH is empty", () => {
process.env.ENABLE_LOCAL_AUTH = "";
expect(() => guard.canActivate()).toThrow(NotFoundException);
});
});

81
apps/api/src/auth/local/local-auth.controller.ts
View File

@@ -1,81 +0,0 @@
import {
Controller,
Post,
Body,
UseGuards,
Req,
Logger,
HttpCode,
HttpStatus,
} from "@nestjs/common";
import { Throttle } from "@nestjs/throttler";
import type { Request as ExpressRequest } from "express";
import { SkipCsrf } from "../../common/decorators/skip-csrf.decorator";
import { LocalAuthService } from "./local-auth.service";
import { LocalAuthEnabledGuard } from "./local-auth.guard";
import { LocalLoginDto } from "./dto/local-login.dto";
import { LocalSetupDto } from "./dto/local-setup.dto";
@Controller("auth/local")
@UseGuards(LocalAuthEnabledGuard)
export class LocalAuthController {
private readonly logger = new Logger(LocalAuthController.name);
constructor(private readonly localAuthService: LocalAuthService) {}
/**
* First-time break-glass user creation.
* Requires BREAKGLASS_SETUP_TOKEN from environment.
*/
@Post("setup")
@SkipCsrf()
@Throttle({ strict: { limit: 5, ttl: 60000 } })
async setup(@Body() dto: LocalSetupDto, @Req() req: ExpressRequest) {
const ipAddress = this.getClientIp(req);
const userAgent = req.headers["user-agent"];
this.logger.log(`Break-glass setup attempt from ${ipAddress}`);
const result = await this.localAuthService.setup(
dto.email,
dto.name,
dto.password,
dto.setupToken,
ipAddress,
userAgent
);
return {
user: result.user,
session: result.session,
};
}
/**
* Break-glass login with email + password.
*/
@Post("login")
@SkipCsrf()
@HttpCode(HttpStatus.OK)
@Throttle({ strict: { limit: 10, ttl: 60000 } })
async login(@Body() dto: LocalLoginDto, @Req() req: ExpressRequest) {
const ipAddress = this.getClientIp(req);
const userAgent = req.headers["user-agent"];
const result = await this.localAuthService.login(dto.email, dto.password, ipAddress, userAgent);
return {
user: result.user,
session: result.session,
};
}
private getClientIp(req: ExpressRequest): string {
const forwardedFor = req.headers["x-forwarded-for"];
if (forwardedFor) {
const ips = Array.isArray(forwardedFor) ? forwardedFor[0] : forwardedFor;
return ips?.split(",")[0]?.trim() ?? "unknown";
}
return req.ip ?? req.socket.remoteAddress ?? "unknown";
}
}

15
apps/api/src/auth/local/local-auth.guard.ts
View File

@@ -1,15 +0,0 @@
import { Injectable, CanActivate, NotFoundException } from "@nestjs/common";
/**
* Guard that checks if local authentication is enabled via ENABLE_LOCAL_AUTH env var.
* Returns 404 when disabled so endpoints are invisible to callers.
*/
@Injectable()
export class LocalAuthEnabledGuard implements CanActivate {
canActivate(): boolean {
if (process.env.ENABLE_LOCAL_AUTH !== "true") {
throw new NotFoundException();
}
return true;
}
}

389
apps/api/src/auth/local/local-auth.service.spec.ts
View File

@@ -1,389 +0,0 @@
import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
import { Test, TestingModule } from "@nestjs/testing";
import {
ConflictException,
ForbiddenException,
InternalServerErrorException,
UnauthorizedException,
} from "@nestjs/common";
import { hash } from "bcryptjs";
import { LocalAuthService } from "./local-auth.service";
import { PrismaService } from "../../prisma/prisma.service";
describe("LocalAuthService", () => {
let service: LocalAuthService;
const mockTxSession = {
create: vi.fn(),
};
const mockTxWorkspace = {
findFirst: vi.fn(),
create: vi.fn(),
};
const mockTxWorkspaceMember = {
create: vi.fn(),
};
const mockTxUser = {
create: vi.fn(),
findUnique: vi.fn(),
};
const mockTx = {
user: mockTxUser,
workspace: mockTxWorkspace,
workspaceMember: mockTxWorkspaceMember,
session: mockTxSession,
};
const mockPrismaService = {
user: {
findUnique: vi.fn(),
},
session: {
create: vi.fn(),
},
$transaction: vi
.fn()
.mockImplementation((fn: (tx: typeof mockTx) => Promise<unknown>) => fn(mockTx)),
};
const originalEnv = {
BREAKGLASS_SETUP_TOKEN: process.env.BREAKGLASS_SETUP_TOKEN,
};
beforeEach(async () => {
const module: TestingModule = await Test.createTestingModule({
providers: [
LocalAuthService,
{
provide: PrismaService,
useValue: mockPrismaService,
},
],
}).compile();
service = module.get<LocalAuthService>(LocalAuthService);
vi.clearAllMocks();
});
afterEach(() => {
vi.restoreAllMocks();
if (originalEnv.BREAKGLASS_SETUP_TOKEN !== undefined) {
process.env.BREAKGLASS_SETUP_TOKEN = originalEnv.BREAKGLASS_SETUP_TOKEN;
} else {
delete process.env.BREAKGLASS_SETUP_TOKEN;
}
});
describe("setup", () => {
const validSetupArgs = {
email: "admin@example.com",
name: "Break Glass Admin",
password: "securePassword123!",
setupToken: "valid-token-123",
};
const mockCreatedUser = {
id: "user-uuid-123",
email: "admin@example.com",
name: "Break Glass Admin",
isLocalAuth: true,
createdAt: new Date("2026-02-28T00:00:00Z"),
};
const mockWorkspace = {
id: "workspace-uuid-123",
};
beforeEach(() => {
process.env.BREAKGLASS_SETUP_TOKEN = "valid-token-123";
mockPrismaService.user.findUnique.mockResolvedValue(null);
mockTxUser.create.mockResolvedValue(mockCreatedUser);
mockTxWorkspace.findFirst.mockResolvedValue(mockWorkspace);
mockTxWorkspaceMember.create.mockResolvedValue({});
mockTxSession.create.mockResolvedValue({});
});
it("should create a local auth user with hashed password", async () => {
const result = await service.setup(
validSetupArgs.email,
validSetupArgs.name,
validSetupArgs.password,
validSetupArgs.setupToken
);
expect(result.user).toEqual(mockCreatedUser);
expect(result.session.token).toBeDefined();
expect(result.session.token.length).toBeGreaterThan(0);
expect(result.session.expiresAt).toBeInstanceOf(Date);
expect(result.session.expiresAt.getTime()).toBeGreaterThan(Date.now());
expect(mockTxUser.create).toHaveBeenCalledWith({
data: expect.objectContaining({
email: "admin@example.com",
name: "Break Glass Admin",
isLocalAuth: true,
emailVerified: true,
passwordHash: expect.any(String) as string,
}),
select: {
id: true,
email: true,
name: true,
isLocalAuth: true,
createdAt: true,
},
});
});
it("should assign OWNER role on default workspace", async () => {
await service.setup(
validSetupArgs.email,
validSetupArgs.name,
validSetupArgs.password,
validSetupArgs.setupToken
);
expect(mockTxWorkspaceMember.create).toHaveBeenCalledWith({
data: {
workspaceId: "workspace-uuid-123",
userId: "user-uuid-123",
role: "OWNER",
},
});
});
it("should create a new workspace if none exists", async () => {
mockTxWorkspace.findFirst.mockResolvedValue(null);
mockTxWorkspace.create.mockResolvedValue({ id: "new-workspace-uuid" });
await service.setup(
validSetupArgs.email,
validSetupArgs.name,
validSetupArgs.password,
validSetupArgs.setupToken
);
expect(mockTxWorkspace.create).toHaveBeenCalledWith({
data: {
name: "Default Workspace",
ownerId: "user-uuid-123",
settings: {},
},
select: { id: true },
});
expect(mockTxWorkspaceMember.create).toHaveBeenCalledWith({
data: {
workspaceId: "new-workspace-uuid",
userId: "user-uuid-123",
role: "OWNER",
},
});
});
it("should create a BetterAuth-compatible session", async () => {
await service.setup(
validSetupArgs.email,
validSetupArgs.name,
validSetupArgs.password,
validSetupArgs.setupToken,
"192.168.1.1",
"TestAgent/1.0"
);
expect(mockTxSession.create).toHaveBeenCalledWith({
data: {
userId: "user-uuid-123",
token: expect.any(String) as string,
expiresAt: expect.any(Date) as Date,
ipAddress: "192.168.1.1",
userAgent: "TestAgent/1.0",
},
});
});
it("should reject when BREAKGLASS_SETUP_TOKEN is not set", async () => {
delete process.env.BREAKGLASS_SETUP_TOKEN;
await expect(
service.setup(
validSetupArgs.email,
validSetupArgs.name,
validSetupArgs.password,
validSetupArgs.setupToken
)
).rejects.toThrow(ForbiddenException);
});
it("should reject when BREAKGLASS_SETUP_TOKEN is empty", async () => {
process.env.BREAKGLASS_SETUP_TOKEN = "";
await expect(
service.setup(
validSetupArgs.email,
validSetupArgs.name,
validSetupArgs.password,
validSetupArgs.setupToken
)
).rejects.toThrow(ForbiddenException);
});
it("should reject when setup token does not match", async () => {
await expect(
service.setup(
validSetupArgs.email,
validSetupArgs.name,
validSetupArgs.password,
"wrong-token"
)
).rejects.toThrow(ForbiddenException);
});
it("should reject when email already exists", async () => {
mockPrismaService.user.findUnique.mockResolvedValue({
id: "existing-user",
email: "admin@example.com",
});
await expect(
service.setup(
validSetupArgs.email,
validSetupArgs.name,
validSetupArgs.password,
validSetupArgs.setupToken
)
).rejects.toThrow(ConflictException);
});
it("should return session token and expiry", async () => {
const result = await service.setup(
validSetupArgs.email,
validSetupArgs.name,
validSetupArgs.password,
validSetupArgs.setupToken
);
expect(typeof result.session.token).toBe("string");
expect(result.session.token.length).toBe(64); // 32 bytes hex
expect(result.session.expiresAt).toBeInstanceOf(Date);
});
});
describe("login", () => {
const validPasswordHash = "$2a$12$LJ3m4ys3Lz/YgP7xYz5k5uU6b5F6X1234567890abcdefghijkl";
beforeEach(async () => {
// Create a real bcrypt hash for testing
const realHash = await hash("securePassword123!", 4); // Low rounds for test speed
mockPrismaService.user.findUnique.mockResolvedValue({
id: "user-uuid-123",
email: "admin@example.com",
name: "Break Glass Admin",
isLocalAuth: true,
passwordHash: realHash,
deactivatedAt: null,
});
mockPrismaService.session.create.mockResolvedValue({});
});
it("should authenticate a valid local auth user", async () => {
const result = await service.login("admin@example.com", "securePassword123!");
expect(result.user).toEqual({
id: "user-uuid-123",
email: "admin@example.com",
name: "Break Glass Admin",
});
expect(result.session.token).toBeDefined();
expect(result.session.expiresAt).toBeInstanceOf(Date);
});
it("should create a session with ip and user agent", async () => {
await service.login("admin@example.com", "securePassword123!", "10.0.0.1", "Mozilla/5.0");
expect(mockPrismaService.session.create).toHaveBeenCalledWith({
data: {
userId: "user-uuid-123",
token: expect.any(String) as string,
expiresAt: expect.any(Date) as Date,
ipAddress: "10.0.0.1",
userAgent: "Mozilla/5.0",
},
});
});
it("should reject when user does not exist", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(null);
await expect(service.login("nonexistent@example.com", "password123456")).rejects.toThrow(
UnauthorizedException
);
});
it("should reject when user is not a local auth user", async () => {
mockPrismaService.user.findUnique.mockResolvedValue({
id: "user-uuid-123",
email: "admin@example.com",
name: "OIDC User",
isLocalAuth: false,
passwordHash: null,
deactivatedAt: null,
});
await expect(service.login("admin@example.com", "password123456")).rejects.toThrow(
UnauthorizedException
);
});
it("should reject when user is deactivated", async () => {
const realHash = await hash("securePassword123!", 4);
mockPrismaService.user.findUnique.mockResolvedValue({
id: "user-uuid-123",
email: "admin@example.com",
name: "Deactivated User",
isLocalAuth: true,
passwordHash: realHash,
deactivatedAt: new Date("2026-01-01"),
});
await expect(service.login("admin@example.com", "securePassword123!")).rejects.toThrow(
new UnauthorizedException("Account has been deactivated")
);
});
it("should reject when password is incorrect", async () => {
await expect(service.login("admin@example.com", "wrongPassword123!")).rejects.toThrow(
UnauthorizedException
);
});
it("should throw InternalServerError when local auth user has no password hash", async () => {
mockPrismaService.user.findUnique.mockResolvedValue({
id: "user-uuid-123",
email: "admin@example.com",
name: "Broken User",
isLocalAuth: true,
passwordHash: null,
deactivatedAt: null,
});
await expect(service.login("admin@example.com", "securePassword123!")).rejects.toThrow(
InternalServerErrorException
);
});
it("should not reveal whether email exists in error messages", async () => {
mockPrismaService.user.findUnique.mockResolvedValue(null);
try {
await service.login("nonexistent@example.com", "password123456");
} catch (error) {
expect(error).toBeInstanceOf(UnauthorizedException);
expect((error as UnauthorizedException).message).toBe("Invalid email or password");
}
});
});
});

230
apps/api/src/auth/local/local-auth.service.ts
View File

@@ -1,230 +0,0 @@
import {
Injectable,
Logger,
ForbiddenException,
UnauthorizedException,
ConflictException,
InternalServerErrorException,
} from "@nestjs/common";
import { WorkspaceMemberRole } from "@prisma/client";
import { hash, compare } from "bcryptjs";
import { randomBytes, timingSafeEqual } from "crypto";
import { PrismaService } from "../../prisma/prisma.service";
const BCRYPT_ROUNDS = 12;
/** Session expiry: 7 days (matches BetterAuth config in auth.config.ts) */
const SESSION_EXPIRY_MS = 7 * 24 * 60 * 60 * 1000;
interface SetupResult {
user: {
id: string;
email: string;
name: string;
isLocalAuth: boolean;
createdAt: Date;
};
session: {
token: string;
expiresAt: Date;
};
}
interface LoginResult {
user: {
id: string;
email: string;
name: string;
};
session: {
token: string;
expiresAt: Date;
};
}
@Injectable()
export class LocalAuthService {
private readonly logger = new Logger(LocalAuthService.name);
constructor(private readonly prisma: PrismaService) {}
/**
* First-time break-glass user creation.
* Validates the setup token, creates a local auth user with bcrypt-hashed password,
* and assigns OWNER role on the default workspace.
*/
async setup(
email: string,
name: string,
password: string,
setupToken: string,
ipAddress?: string,
userAgent?: string
): Promise<SetupResult> {
this.validateSetupToken(setupToken);
const existing = await this.prisma.user.findUnique({ where: { email } });
if (existing) {
throw new ConflictException("A user with this email already exists");
}
const passwordHash = await hash(password, BCRYPT_ROUNDS);
const result = await this.prisma.$transaction(async (tx) => {
const user = await tx.user.create({
data: {
email,
name,
isLocalAuth: true,
passwordHash,
emailVerified: true,
},
select: {
id: true,
email: true,
name: true,
isLocalAuth: true,
createdAt: true,
},
});
// Find or create a default workspace and assign OWNER role
await this.assignDefaultWorkspace(tx, user.id);
// Create a BetterAuth-compatible session
const session = await this.createSession(tx, user.id, ipAddress, userAgent);
return { user, session };
});
this.logger.log(`Break-glass user created: ${email}`);
return result;
}
/**
* Break-glass login: verify email + password against bcrypt hash.
* Only works for users with isLocalAuth=true.
*/
async login(
email: string,
password: string,
ipAddress?: string,
userAgent?: string
): Promise<LoginResult> {
const user = await this.prisma.user.findUnique({
where: { email },
select: {
id: true,
email: true,
name: true,
isLocalAuth: true,
passwordHash: true,
deactivatedAt: true,
},
});
if (!user?.isLocalAuth) {
throw new UnauthorizedException("Invalid email or password");
}
if (user.deactivatedAt) {
throw new UnauthorizedException("Account has been deactivated");
}
if (!user.passwordHash) {
this.logger.error(`Local auth user ${email} has no password hash`);
throw new InternalServerErrorException("Account configuration error");
}
const passwordValid = await compare(password, user.passwordHash);
if (!passwordValid) {
throw new UnauthorizedException("Invalid email or password");
}
const session = await this.createSession(this.prisma, user.id, ipAddress, userAgent);
this.logger.log(`Break-glass login: ${email}`);
return {
user: { id: user.id, email: user.email, name: user.name },
session,
};
}
/**
* Validate the setup token against the environment variable.
*/
private validateSetupToken(token: string): void {
const expectedToken = process.env.BREAKGLASS_SETUP_TOKEN;
if (!expectedToken || expectedToken.trim() === "") {
throw new ForbiddenException(
"Break-glass setup is not configured. Set BREAKGLASS_SETUP_TOKEN environment variable."
);
}
const tokenBuffer = Buffer.from(token);
const expectedBuffer = Buffer.from(expectedToken);
if (
tokenBuffer.length !== expectedBuffer.length ||
!timingSafeEqual(tokenBuffer, expectedBuffer)
) {
this.logger.warn("Invalid break-glass setup token attempt");
throw new ForbiddenException("Invalid setup token");
}
}
/**
* Find the first workspace or create a default one, then assign OWNER role.
*/
private async assignDefaultWorkspace(
tx: Parameters<Parameters<PrismaService["$transaction"]>[0]>[0],
userId: string
): Promise<void> {
let workspace = await tx.workspace.findFirst({
orderBy: { createdAt: "asc" },
select: { id: true },
});
workspace ??= await tx.workspace.create({
data: {
name: "Default Workspace",
ownerId: userId,
settings: {},
},
select: { id: true },
});
await tx.workspaceMember.create({
data: {
workspaceId: workspace.id,
userId,
role: WorkspaceMemberRole.OWNER,
},
});
}
/**
* Create a BetterAuth-compatible session record.
*/
private async createSession(
tx: { session: { create: typeof PrismaService.prototype.session.create } },
userId: string,
ipAddress?: string,
userAgent?: string
): Promise<{ token: string; expiresAt: Date }> {
const token = randomBytes(32).toString("hex");
const expiresAt = new Date(Date.now() + SESSION_EXPIRY_MS);
await tx.session.create({
data: {
userId,
token,
expiresAt,
ipAddress: ipAddress ?? null,
userAgent: userAgent ?? null,
},
});
return { token, expiresAt };
}
}

2
apps/api/src/common/controllers/csrf.controller.ts
View File

@@ -16,7 +16,7 @@ interface AuthenticatedRequest extends Request {
user?: AuthenticatedUser; user?: AuthenticatedUser;
} }
@Controller("v1/csrf") @Controller("api/v1/csrf")
export class CsrfController { export class CsrfController {
constructor(private readonly csrfService: CsrfService) {} constructor(private readonly csrfService: CsrfService) {}

10
apps/api/src/common/guards/csrf.guard.spec.ts
View File

@@ -174,19 +174,17 @@ describe("CsrfGuard", () => {
}); });
describe("Session binding validation", () => { describe("Session binding validation", () => {
it("should allow when user context is not yet available (global guard ordering)", () => { it("should reject when user is not authenticated", () => {
// CsrfGuard runs as APP_GUARD before per-controller AuthGuard,
// so request.user may not be populated. Double-submit cookie match
// is sufficient protection in this case.
const token = generateValidToken("user-123"); const token = generateValidToken("user-123");
const context = createContext( const context = createContext(
"POST", "POST",
{ "csrf-token": token }, { "csrf-token": token },
{ "x-csrf-token": token }, { "x-csrf-token": token },
false false
// No userId - AuthGuard hasn't run yet // No userId - unauthenticated
); );
expect(guard.canActivate(context)).toBe(true); expect(() => guard.canActivate(context)).toThrow(ForbiddenException);
expect(() => guard.canActivate(context)).toThrow("CSRF validation requires authentication");
}); });
it("should reject token from different session", () => { it("should reject token from different session", () => {

40
apps/api/src/common/guards/csrf.guard.ts
View File

@@ -89,30 +89,30 @@ export class CsrfGuard implements CanActivate {
throw new ForbiddenException("CSRF token mismatch"); throw new ForbiddenException("CSRF token mismatch");
} }
// Validate session binding via HMAC when user context is available. // Validate session binding via HMAC
// CsrfGuard is a global guard (APP_GUARD) that runs before per-controller
// AuthGuard, so request.user may not be populated yet. In that case, the
// double-submit cookie match above is sufficient CSRF protection.
const userId = request.user?.id; const userId = request.user?.id;
if (userId) { if (!userId) {
if (!this.csrfService.validateToken(cookieToken, userId)) { this.logger.warn({
this.logger.warn({ event: "CSRF_NO_USER_CONTEXT",
event: "CSRF_SESSION_BINDING_INVALID",
method: request.method,
path: request.path,
securityEvent: true,
timestamp: new Date().toISOString(),
});
throw new ForbiddenException("CSRF token not bound to session");
}
} else {
this.logger.debug({
event: "CSRF_SKIP_SESSION_BINDING",
method: request.method, method: request.method,
path: request.path, path: request.path,
reason: "User context not yet available (global guard runs before AuthGuard)", securityEvent: true,
timestamp: new Date().toISOString(),
}); });
throw new ForbiddenException("CSRF validation requires authentication");
}
if (!this.csrfService.validateToken(cookieToken, userId)) {
this.logger.warn({
event: "CSRF_SESSION_BINDING_INVALID",
method: request.method,
path: request.path,
securityEvent: true,
timestamp: new Date().toISOString(),
});
throw new ForbiddenException("CSRF token not bound to session");
} }
return true; return true;

8
apps/api/src/common/guards/workspace.guard.ts
View File

@@ -110,10 +110,10 @@ export class WorkspaceGuard implements CanActivate {
return paramWorkspaceId; return paramWorkspaceId;
} }
// 3. Check request body (body may be undefined for GET requests despite Express typings) // 3. Check request body
const body = request.body as Record<string, unknown> | undefined; const bodyWorkspaceId = request.body.workspaceId;
if (body && typeof body.workspaceId === "string") { if (typeof bodyWorkspaceId === "string") {
return body.workspaceId; return bodyWorkspaceId;
} }
// 4. Check query string (backward compatibility for existing clients) // 4. Check query string (backward compatibility for existing clients)

6
apps/api/src/common/interceptors/rls-context.integration.spec.ts
View File

@@ -137,13 +137,13 @@ describe("RLS Context Integration", () => {
queries: ["findMany"], queries: ["findMany"],
}); });
// Verify transaction-local set_config calls were made // Verify SET LOCAL was called
expect(mockTransactionClient.$executeRaw).toHaveBeenCalledWith( expect(mockTransactionClient.$executeRaw).toHaveBeenCalledWith(
expect.arrayContaining(["SELECT set_config('app.current_user_id', ", ", true)"]), expect.arrayContaining(["SET LOCAL app.current_user_id = ", ""]),
userId userId
); );
expect(mockTransactionClient.$executeRaw).toHaveBeenCalledWith( expect(mockTransactionClient.$executeRaw).toHaveBeenCalledWith(
expect.arrayContaining(["SELECT set_config('app.current_workspace_id', ", ", true)"]), expect.arrayContaining(["SET LOCAL app.current_workspace_id = ", ""]),
workspaceId workspaceId
); );
}); });

6
apps/api/src/common/interceptors/rls-context.interceptor.spec.ts
View File

@@ -80,7 +80,7 @@ describe("RlsContextInterceptor", () => {
expect(result).toEqual({ data: "test response" }); expect(result).toEqual({ data: "test response" });
expect(mockTransactionClient.$executeRaw).toHaveBeenCalledWith( expect(mockTransactionClient.$executeRaw).toHaveBeenCalledWith(
expect.arrayContaining(["SELECT set_config('app.current_user_id', ", ", true)"]), expect.arrayContaining(["SET LOCAL app.current_user_id = ", ""]),
userId userId
); );
}); });
@@ -111,13 +111,13 @@ describe("RlsContextInterceptor", () => {
// Check that user context was set // Check that user context was set
expect(mockTransactionClient.$executeRaw).toHaveBeenNthCalledWith( expect(mockTransactionClient.$executeRaw).toHaveBeenNthCalledWith(
1, 1,
expect.arrayContaining(["SELECT set_config('app.current_user_id', ", ", true)"]), expect.arrayContaining(["SET LOCAL app.current_user_id = ", ""]),
userId userId
); );
// Check that workspace context was set // Check that workspace context was set
expect(mockTransactionClient.$executeRaw).toHaveBeenNthCalledWith( expect(mockTransactionClient.$executeRaw).toHaveBeenNthCalledWith(
2, 2,
expect.arrayContaining(["SELECT set_config('app.current_workspace_id', ", ", true)"]), expect.arrayContaining(["SET LOCAL app.current_workspace_id = ", ""]),
workspaceId workspaceId
); );
}); });

8
apps/api/src/common/interceptors/rls-context.interceptor.ts
View File

@@ -100,12 +100,12 @@ export class RlsContextInterceptor implements NestInterceptor {
this.prisma this.prisma
.$transaction( .$transaction(
async (tx) => { async (tx) => {
// Use set_config(..., true) so values are transaction-local and parameterized safely. // Set user context (always present for authenticated requests)
// Direct SET LOCAL with bind parameters produces invalid SQL on PostgreSQL. await tx.$executeRaw`SET LOCAL app.current_user_id = ${userId}`;
await tx.$executeRaw`SELECT set_config('app.current_user_id', ${userId}, true)`;
// Set workspace context (if present)
if (workspaceId) { if (workspaceId) {
await tx.$executeRaw`SELECT set_config('app.current_workspace_id', ${workspaceId}, true)`; await tx.$executeRaw`SET LOCAL app.current_workspace_id = ${workspaceId}`;
} }
// Propagate the transaction client via AsyncLocalStorage // Propagate the transaction client via AsyncLocalStorage

2
apps/api/src/common/utils/log-sanitizer.spec.ts
View File

@@ -270,7 +270,7 @@ describe("sanitizeForLogging", () => {
const duration = Date.now() - start; const duration = Date.now() - start;
expect(result.password).toBe("[REDACTED]"); expect(result.password).toBe("[REDACTED]");
expect(duration).toBeLessThan(500); // Should complete in under 500ms expect(duration).toBeLessThan(100); // Should complete in under 100ms
}); });
}); });

2
apps/api/src/coordinator-integration/coordinator-integration.rate-limit.spec.ts
View File

@@ -245,7 +245,7 @@ describe("CoordinatorIntegrationController - Rate Limiting", () => {
.set("X-API-Key", "test-coordinator-key"); .set("X-API-Key", "test-coordinator-key");
expect(response.status).toBe(HttpStatus.TOO_MANY_REQUESTS); expect(response.status).toBe(HttpStatus.TOO_MANY_REQUESTS);
}, 30000); });
}); });
describe("Per-API-Key Rate Limiting", () => { describe("Per-API-Key Rate Limiting", () => {

11
apps/api/src/credentials/user-credential.model.spec.ts
View File

@@ -15,12 +15,7 @@
import { describe, it, expect, beforeAll, afterAll } from "vitest"; import { describe, it, expect, beforeAll, afterAll } from "vitest";
import { PrismaClient, CredentialType, CredentialScope } from "@prisma/client"; import { PrismaClient, CredentialType, CredentialScope } from "@prisma/client";
const shouldRunDbIntegrationTests = describe("UserCredential Model", () => {
process.env.RUN_DB_TESTS === "true" && Boolean(process.env.DATABASE_URL);
const describeFn = shouldRunDbIntegrationTests ? describe : describe.skip;
describeFn("UserCredential Model", () => {
let prisma: PrismaClient; let prisma: PrismaClient;
let testUserId: string; let testUserId: string;
let testWorkspaceId: string; let testWorkspaceId: string;
@@ -28,8 +23,8 @@ describeFn("UserCredential Model", () => {
beforeAll(async () => { beforeAll(async () => {
// Note: These tests require a running database // Note: These tests require a running database
// They will be skipped in CI if DATABASE_URL is not set // They will be skipped in CI if DATABASE_URL is not set
if (!shouldRunDbIntegrationTests) { if (!process.env.DATABASE_URL) {
console.warn("Skipping UserCredential model tests (set RUN_DB_TESTS=true and DATABASE_URL)"); console.warn("DATABASE_URL not set, skipping UserCredential model tests");
return; return;
} }

143
apps/api/src/dashboard/dashboard.controller.spec.ts
View File

@@ -1,143 +0,0 @@
import { describe, it, expect, beforeEach, vi } from "vitest";
import { Test, TestingModule } from "@nestjs/testing";
import { DashboardController } from "./dashboard.controller";
import { DashboardService } from "./dashboard.service";
import { AuthGuard } from "../auth/guards/auth.guard";
import { WorkspaceGuard } from "../common/guards/workspace.guard";
import { PermissionGuard } from "../common/guards/permission.guard";
import type { DashboardSummaryDto } from "./dto";
describe("DashboardController", () => {
let controller: DashboardController;
let service: DashboardService;
const mockWorkspaceId = "550e8400-e29b-41d4-a716-446655440001";
const mockSummary: DashboardSummaryDto = {
metrics: {
activeAgents: 3,
tasksCompleted: 12,
totalTasks: 25,
tasksInProgress: 5,
activeProjects: 4,
errorRate: 2.5,
},
recentActivity: [
{
id: "550e8400-e29b-41d4-a716-446655440010",
action: "CREATED",
entityType: "TASK",
entityId: "550e8400-e29b-41d4-a716-446655440011",
details: { title: "New task" },
userId: "550e8400-e29b-41d4-a716-446655440002",
createdAt: "2026-02-22T12:00:00.000Z",
},
],
activeJobs: [
{
id: "550e8400-e29b-41d4-a716-446655440020",
type: "code-task",
status: "RUNNING",
progressPercent: 45,
createdAt: "2026-02-22T11:00:00.000Z",
updatedAt: "2026-02-22T11:30:00.000Z",
steps: [
{
id: "550e8400-e29b-41d4-a716-446655440030",
name: "Setup",
status: "COMPLETED",
phase: "SETUP",
},
],
},
],
tokenBudget: [
{
model: "agent-1",
used: 5000,
limit: 10000,
},
],
};
const mockDashboardService = {
getSummary: vi.fn(),
};
const mockAuthGuard = {
canActivate: vi.fn(() => true),
};
const mockWorkspaceGuard = {
canActivate: vi.fn(() => true),
};
const mockPermissionGuard = {
canActivate: vi.fn(() => true),
};
beforeEach(async () => {
const module: TestingModule = await Test.createTestingModule({
controllers: [DashboardController],
providers: [
{
provide: DashboardService,
useValue: mockDashboardService,
},
],
})
.overrideGuard(AuthGuard)
.useValue(mockAuthGuard)
.overrideGuard(WorkspaceGuard)
.useValue(mockWorkspaceGuard)
.overrideGuard(PermissionGuard)
.useValue(mockPermissionGuard)
.compile();
controller = module.get<DashboardController>(DashboardController);
service = module.get<DashboardService>(DashboardService);
vi.clearAllMocks();
});
it("should be defined", () => {
expect(controller).toBeDefined();
});
describe("getSummary", () => {
it("should return dashboard summary for workspace", async () => {
mockDashboardService.getSummary.mockResolvedValue(mockSummary);
const result = await controller.getSummary(mockWorkspaceId);
expect(result).toEqual(mockSummary);
expect(service.getSummary).toHaveBeenCalledWith(mockWorkspaceId);
});
it("should return empty arrays when no data exists", async () => {
const emptySummary: DashboardSummaryDto = {
metrics: {
activeAgents: 0,
tasksCompleted: 0,
totalTasks: 0,
tasksInProgress: 0,
activeProjects: 0,
errorRate: 0,
},
recentActivity: [],
activeJobs: [],
tokenBudget: [],
};
mockDashboardService.getSummary.mockResolvedValue(emptySummary);
const result = await controller.getSummary(mockWorkspaceId);
expect(result).toEqual(emptySummary);
expect(result.metrics.errorRate).toBe(0);
expect(result.recentActivity).toHaveLength(0);
expect(result.activeJobs).toHaveLength(0);
expect(result.tokenBudget).toHaveLength(0);
});
});
});

35
apps/api/src/dashboard/dashboard.controller.ts
View File

@@ -1,35 +0,0 @@
import { Controller, Get, UseGuards, BadRequestException } from "@nestjs/common";
import { DashboardService } from "./dashboard.service";
import { AuthGuard } from "../auth/guards/auth.guard";
import { WorkspaceGuard, PermissionGuard } from "../common/guards";
import { Workspace, Permission, RequirePermission } from "../common/decorators";
import type { DashboardSummaryDto } from "./dto";
/**
* Controller for dashboard endpoints.
* Returns aggregated summary data for the workspace dashboard.
*
* Guards are applied in order:
* 1. AuthGuard - Verifies user authentication
* 2. WorkspaceGuard - Validates workspace access and sets RLS context
* 3. PermissionGuard - Checks role-based permissions
*/
@Controller("dashboard")
@UseGuards(AuthGuard, WorkspaceGuard, PermissionGuard)
export class DashboardController {
constructor(private readonly dashboardService: DashboardService) {}
/**
* GET /api/dashboard/summary
* Returns aggregated metrics, recent activity, active jobs, and token budgets
* Requires: Any workspace member (including GUEST)
*/
@Get("summary")
@RequirePermission(Permission.WORKSPACE_ANY)
async getSummary(@Workspace() workspaceId: string | undefined): Promise<DashboardSummaryDto> {
if (!workspaceId) {
throw new BadRequestException("Workspace context required");
}
return this.dashboardService.getSummary(workspaceId);
}
}

13
apps/api/src/dashboard/dashboard.module.ts
View File

@@ -1,13 +0,0 @@
import { Module } from "@nestjs/common";
import { DashboardController } from "./dashboard.controller";
import { DashboardService } from "./dashboard.service";
import { PrismaModule } from "../prisma/prisma.module";
import { AuthModule } from "../auth/auth.module";
@Module({
imports: [PrismaModule, AuthModule],
controllers: [DashboardController],
providers: [DashboardService],
exports: [DashboardService],
})
export class DashboardModule {}

187
apps/api/src/dashboard/dashboard.service.ts
View File

@@ -1,187 +0,0 @@
import { Injectable } from "@nestjs/common";
import { AgentStatus, ProjectStatus, RunnerJobStatus, TaskStatus } from "@prisma/client";
import { PrismaService } from "../prisma/prisma.service";
import type {
DashboardSummaryDto,
ActiveJobDto,
RecentActivityDto,
TokenBudgetEntryDto,
} from "./dto";
/**
* Service for aggregating dashboard summary data.
* Executes all queries in parallel to minimize latency.
*/
@Injectable()
export class DashboardService {
constructor(private readonly prisma: PrismaService) {}
/**
* Get aggregated dashboard summary for a workspace
*/
async getSummary(workspaceId: string): Promise<DashboardSummaryDto> {
const now = new Date();
const oneDayAgo = new Date(now.getTime() - 24 * 60 * 60 * 1000);
// Execute all queries in parallel
const [
activeAgents,
tasksCompleted,
totalTasks,
tasksInProgress,
activeProjects,
failedJobsLast24h,
totalJobsLast24h,
recentActivityRows,
activeJobRows,
tokenBudgetRows,
] = await Promise.all([
// Active agents: IDLE, WORKING, WAITING
this.prisma.agent.count({
where: {
workspaceId,
status: { in: [AgentStatus.IDLE, AgentStatus.WORKING, AgentStatus.WAITING] },
},
}),
// Tasks completed
this.prisma.task.count({
where: {
workspaceId,
status: TaskStatus.COMPLETED,
},
}),
// Total tasks
this.prisma.task.count({
where: { workspaceId },
}),
// Tasks in progress
this.prisma.task.count({
where: {
workspaceId,
status: TaskStatus.IN_PROGRESS,
},
}),
// Active projects
this.prisma.project.count({
where: {
workspaceId,
status: ProjectStatus.ACTIVE,
},
}),
// Failed jobs in last 24h (for error rate)
this.prisma.runnerJob.count({
where: {
workspaceId,
status: RunnerJobStatus.FAILED,
createdAt: { gte: oneDayAgo },
},
}),
// Total jobs in last 24h (for error rate)
this.prisma.runnerJob.count({
where: {
workspaceId,
createdAt: { gte: oneDayAgo },
},
}),
// Recent activity: last 10 entries
this.prisma.activityLog.findMany({
where: { workspaceId },
orderBy: { createdAt: "desc" },
take: 10,
}),
// Active jobs: PENDING, QUEUED, RUNNING with steps
this.prisma.runnerJob.findMany({
where: {
workspaceId,
status: {
in: [RunnerJobStatus.PENDING, RunnerJobStatus.QUEUED, RunnerJobStatus.RUNNING],
},
},
include: {
steps: {
select: {
id: true,
name: true,
status: true,
phase: true,
},
orderBy: { ordinal: "asc" },
},
},
orderBy: { createdAt: "desc" },
}),
// Token budgets for workspace (active, not yet completed)
this.prisma.tokenBudget.findMany({
where: {
workspaceId,
completedAt: null,
},
select: {
agentId: true,
totalTokensUsed: true,
allocatedTokens: true,
},
}),
]);
// Compute error rate
const errorRate = totalJobsLast24h > 0 ? (failedJobsLast24h / totalJobsLast24h) * 100 : 0;
// Map recent activity
const recentActivity: RecentActivityDto[] = recentActivityRows.map((row) => ({
id: row.id,
action: row.action,
entityType: row.entityType,
entityId: row.entityId,
details: row.details as Record<string, unknown> | null,
userId: row.userId,
createdAt: row.createdAt.toISOString(),
}));
// Map active jobs (RunnerJob lacks updatedAt; use startedAt or createdAt as proxy)
const activeJobs: ActiveJobDto[] = activeJobRows.map((row) => ({
id: row.id,
type: row.type,
status: row.status,
progressPercent: row.progressPercent,
createdAt: row.createdAt.toISOString(),
updatedAt: (row.startedAt ?? row.createdAt).toISOString(),
steps: row.steps.map((step) => ({
id: step.id,
name: step.name,
status: step.status,
phase: step.phase,
})),
}));
// Map token budget entries
const tokenBudget: TokenBudgetEntryDto[] = tokenBudgetRows.map((row) => ({
model: row.agentId,
used: row.totalTokensUsed,
limit: row.allocatedTokens,
}));
return {
metrics: {
activeAgents,
tasksCompleted,
totalTasks,
tasksInProgress,
activeProjects,
errorRate: Math.round(errorRate * 100) / 100,
},
recentActivity,
activeJobs,
tokenBudget,
};
}
}

53
apps/api/src/dashboard/dto/dashboard-summary.dto.ts
View File

@@ -1,53 +0,0 @@
/**
* Dashboard Summary DTO
* Defines the response shape for the dashboard summary endpoint.
*/
export class DashboardMetricsDto {
activeAgents!: number;
tasksCompleted!: number;
totalTasks!: number;
tasksInProgress!: number;
activeProjects!: number;
errorRate!: number;
}
export class RecentActivityDto {
id!: string;
action!: string;
entityType!: string;
entityId!: string;
details!: Record<string, unknown> | null;
userId!: string;
createdAt!: string;
}
export class ActiveJobStepDto {
id!: string;
name!: string;
status!: string;
phase!: string;
}
export class ActiveJobDto {
id!: string;
type!: string;
status!: string;
progressPercent!: number;
createdAt!: string;
updatedAt!: string;
steps!: ActiveJobStepDto[];
}
export class TokenBudgetEntryDto {
model!: string;
used!: number;
limit!: number;
}
export class DashboardSummaryDto {
metrics!: DashboardMetricsDto;
recentActivity!: RecentActivityDto[];
activeJobs!: ActiveJobDto[];
tokenBudget!: TokenBudgetEntryDto[];
}

1
apps/api/src/dashboard/dto/index.ts
View File

@@ -1 +0,0 @@
export * from "./dashboard-summary.dto";

2
apps/api/src/federation/command.controller.ts
View File

@@ -12,7 +12,7 @@ import type { AuthenticatedRequest } from "../common/types/user.types";
import type { CommandMessageDetails, CommandResponse } from "./types/message.types"; import type { CommandMessageDetails, CommandResponse } from "./types/message.types";
import type { FederationMessageStatus } from "@prisma/client"; import type { FederationMessageStatus } from "@prisma/client";
@Controller("v1/federation") @Controller("api/v1/federation")
export class CommandController { export class CommandController {
private readonly logger = new Logger(CommandController.name); private readonly logger = new Logger(CommandController.name);

2
apps/api/src/federation/event.controller.ts
View File

@@ -23,7 +23,7 @@ import {
IncomingEventAckDto, IncomingEventAckDto,
} from "./dto/event.dto"; } from "./dto/event.dto";
@Controller("v1/federation") @Controller("api/v1/federation")
export class EventController { export class EventController {
private readonly logger = new Logger(EventController.name); private readonly logger = new Logger(EventController.name);

2
apps/api/src/federation/federation-auth.controller.ts
View File

@@ -18,7 +18,7 @@ import {
ValidateFederatedTokenDto, ValidateFederatedTokenDto,
} from "./dto/federated-auth.dto"; } from "./dto/federated-auth.dto";
@Controller("v1/federation/auth") @Controller("api/v1/federation/auth")
export class FederationAuthController { export class FederationAuthController {
private readonly logger = new Logger(FederationAuthController.name); private readonly logger = new Logger(FederationAuthController.name);

2
apps/api/src/federation/federation.controller.ts
View File

@@ -27,7 +27,7 @@ import {
} from "./dto/connection.dto"; } from "./dto/connection.dto";
import { FederationConnectionStatus } from "@prisma/client"; import { FederationConnectionStatus } from "@prisma/client";
@Controller("v1/federation") @Controller("api/v1/federation")
export class FederationController { export class FederationController {
private readonly logger = new Logger(FederationController.name); private readonly logger = new Logger(FederationController.name);

2
apps/api/src/federation/query.controller.ts
View File

@@ -12,7 +12,7 @@ import type { AuthenticatedRequest } from "../common/types/user.types";
import type { QueryMessageDetails, QueryResponse } from "./types/message.types"; import type { QueryMessageDetails, QueryResponse } from "./types/message.types";
import type { FederationMessageStatus } from "@prisma/client"; import type { FederationMessageStatus } from "@prisma/client";
@Controller("v1/federation") @Controller("api/v1/federation")
export class QueryController { export class QueryController {
private readonly logger = new Logger(QueryController.name); private readonly logger = new Logger(QueryController.name);

89
apps/api/src/import/dto/import-project.dto.ts
View File

@@ -1,89 +0,0 @@
import { IsNumber, IsOptional, IsString, MaxLength, MinLength } from "class-validator";
/**
* DTO for a single jarvis-brain project record.
* This matches the project object shape consumed by scripts/migrate-brain.ts.
*/
export class ImportProjectDto {
@IsString({ message: "id must be a string" })
@MinLength(1, { message: "id must not be empty" })
@MaxLength(255, { message: "id must not exceed 255 characters" })
id!: string;
@IsString({ message: "name must be a string" })
@MinLength(1, { message: "name must not be empty" })
@MaxLength(255, { message: "name must not exceed 255 characters" })
name!: string;
@IsOptional()
@IsString({ message: "description must be a string" })
description?: string | null;
@IsOptional()
@IsString({ message: "domain must be a string" })
domain?: string | null;
@IsOptional()
@IsString({ message: "status must be a string" })
status?: string | null;
// jarvis-brain project priority can be a number, string, or null
@IsOptional()
priority?: number | string | null;
@IsOptional()
@IsNumber({}, { message: "progress must be a number" })
progress?: number | null;
@IsOptional()
@IsString({ message: "repo must be a string" })
repo?: string | null;
@IsOptional()
@IsString({ message: "branch must be a string" })
branch?: string | null;
@IsOptional()
@IsString({ message: "current_milestone must be a string" })
current_milestone?: string | null;
@IsOptional()
@IsString({ message: "next_milestone must be a string" })
next_milestone?: string | null;
@IsOptional()
@IsString({ message: "blocker must be a string" })
blocker?: string | null;
@IsOptional()
@IsString({ message: "owner must be a string" })
owner?: string | null;
@IsOptional()
@IsString({ message: "docs_path must be a string" })
docs_path?: string | null;
@IsOptional()
@IsString({ message: "created must be a string" })
created?: string | null;
@IsOptional()
@IsString({ message: "updated must be a string" })
updated?: string | null;
@IsOptional()
@IsString({ message: "target_date must be a string" })
target_date?: string | null;
@IsOptional()
@IsString({ message: "notes must be a string" })
notes?: string | null;
@IsOptional()
@IsString({ message: "notes_nontechnical must be a string" })
notes_nontechnical?: string | null;
@IsOptional()
@IsString({ message: "parent must be a string" })
parent?: string | null;
}

5
apps/api/src/import/dto/import-response.dto.ts
View File

@@ -1,5 +0,0 @@
export interface ImportResponseDto {
imported: number;
skipped: number;
errors: string[];
}

76
apps/api/src/import/dto/import-task.dto.ts
View File

@@ -1,76 +0,0 @@
import { IsArray, IsNumber, IsOptional, IsString, MaxLength, MinLength } from "class-validator";
/**
* DTO for a single jarvis-brain task record.
* This matches the task object shape consumed by scripts/migrate-brain.ts.
*/
export class ImportTaskDto {
@IsString({ message: "id must be a string" })
@MinLength(1, { message: "id must not be empty" })
@MaxLength(255, { message: "id must not exceed 255 characters" })
id!: string;
@IsString({ message: "title must be a string" })
@MinLength(1, { message: "title must not be empty" })
@MaxLength(255, { message: "title must not exceed 255 characters" })
title!: string;
@IsOptional()
@IsString({ message: "domain must be a string" })
domain?: string | null;
@IsOptional()
@IsString({ message: "project must be a string" })
project?: string | null;
@IsOptional()
@IsArray({ message: "related must be an array" })
@IsString({ each: true, message: "related items must be strings" })
related?: string[];
@IsOptional()
@IsString({ message: "priority must be a string" })
priority?: string | null;
@IsOptional()
@IsString({ message: "status must be a string" })
status?: string | null;
@IsOptional()
@IsNumber({}, { message: "progress must be a number" })
progress?: number | null;
@IsOptional()
@IsString({ message: "due must be a string" })
due?: string | null;
@IsOptional()
@IsArray({ message: "blocks must be an array" })
@IsString({ each: true, message: "blocks items must be strings" })
blocks?: string[];
@IsOptional()
@IsArray({ message: "blocked_by must be an array" })
@IsString({ each: true, message: "blocked_by items must be strings" })
blocked_by?: string[];
@IsOptional()
@IsString({ message: "assignee must be a string" })
assignee?: string | null;
@IsOptional()
@IsString({ message: "created must be a string" })
created?: string | null;
@IsOptional()
@IsString({ message: "updated must be a string" })
updated?: string | null;
@IsOptional()
@IsString({ message: "notes must be a string" })
notes?: string | null;
@IsOptional()
@IsString({ message: "notes_nontechnical must be a string" })
notes_nontechnical?: string | null;
}

3
apps/api/src/import/dto/index.ts
View File

@@ -1,3 +0,0 @@
export { ImportTaskDto } from "./import-task.dto";
export { ImportProjectDto } from "./import-project.dto";
export type { ImportResponseDto } from "./import-response.dto";

33
apps/api/src/import/import.controller.ts
View File

@@ -1,33 +0,0 @@
import { Body, Controller, ParseArrayPipe, Post, UseGuards } from "@nestjs/common";
import type { AuthUser } from "@mosaic/shared";
import { CurrentUser } from "../auth/decorators/current-user.decorator";
import { AdminGuard } from "../auth/guards/admin.guard";
import { AuthGuard } from "../auth/guards/auth.guard";
import { Workspace } from "../common/decorators";
import { WorkspaceGuard } from "../common/guards";
import { ImportProjectDto, type ImportResponseDto, ImportTaskDto } from "./dto";
import { ImportService } from "./import.service";
@Controller("import")
@UseGuards(AuthGuard, WorkspaceGuard, AdminGuard)
export class ImportController {
constructor(private readonly importService: ImportService) {}
@Post("tasks")
async importTasks(
@Body(new ParseArrayPipe({ items: ImportTaskDto })) taskPayload: ImportTaskDto[],
@Workspace() workspaceId: string,
@CurrentUser() user: AuthUser
): Promise<ImportResponseDto> {
return this.importService.importTasks(workspaceId, user.id, taskPayload);
}
@Post("projects")
async importProjects(
@Body(new ParseArrayPipe({ items: ImportProjectDto })) projectPayload: ImportProjectDto[],
@Workspace() workspaceId: string,
@CurrentUser() user: AuthUser
): Promise<ImportResponseDto> {
return this.importService.importProjects(workspaceId, user.id, projectPayload);
}
}

13
apps/api/src/import/import.module.ts
View File

@@ -1,13 +0,0 @@
import { Module } from "@nestjs/common";
import { AuthModule } from "../auth/auth.module";
import { PrismaModule } from "../prisma/prisma.module";
import { ImportController } from "./import.controller";
import { ImportService } from "./import.service";
@Module({
imports: [PrismaModule, AuthModule],
controllers: [ImportController],
providers: [ImportService],
exports: [ImportService],
})
export class ImportModule {}

251
apps/api/src/import/import.service.spec.ts
View File

@@ -1,251 +0,0 @@
import { beforeEach, describe, expect, it, vi } from "vitest";
import { Test, TestingModule } from "@nestjs/testing";
import { ProjectStatus, TaskPriority, TaskStatus } from "@prisma/client";
import { ImportService } from "./import.service";
import { PrismaService } from "../prisma/prisma.service";
describe("ImportService", () => {
let service: ImportService;
const mockPrismaService = {
withWorkspaceContext: vi.fn(),
domain: {
findUnique: vi.fn(),
create: vi.fn(),
},
project: {
findFirst: vi.fn(),
create: vi.fn(),
},
task: {
findFirst: vi.fn(),
create: vi.fn(),
},
};
const workspaceId = "550e8400-e29b-41d4-a716-446655440001";
const userId = "550e8400-e29b-41d4-a716-446655440002";
beforeEach(async () => {
const module: TestingModule = await Test.createTestingModule({
providers: [
ImportService,
{
provide: PrismaService,
useValue: mockPrismaService,
},
],
}).compile();
service = module.get<ImportService>(ImportService);
vi.clearAllMocks();
mockPrismaService.withWorkspaceContext.mockImplementation(
async (_userId: string, _workspaceId: string, fn: (client: unknown) => Promise<unknown>) => {
return fn(mockPrismaService);
}
);
});
it("should be defined", () => {
expect(service).toBeDefined();
});
describe("importTasks", () => {
it("maps status/priority/domain and imports a task", async () => {
mockPrismaService.task.findFirst.mockResolvedValue(null);
mockPrismaService.domain.findUnique.mockResolvedValue(null);
mockPrismaService.domain.create.mockResolvedValue({ id: "domain-id" });
mockPrismaService.project.findFirst.mockResolvedValue(null);
mockPrismaService.task.create.mockResolvedValue({ id: "task-id" });
const result = await service.importTasks(workspaceId, userId, [
{
id: "task-1",
title: "Import me",
domain: "Platform Ops",
status: "in-progress",
priority: "critical",
project: null,
related: [],
blocks: [],
blocked_by: [],
progress: 42,
due: "2026-03-15",
created: "2026-03-01T10:00:00.000Z",
updated: "2026-03-05T12:00:00.000Z",
assignee: null,
notes: "notes",
notes_nontechnical: "non technical",
},
]);
expect(result).toEqual({ imported: 1, skipped: 0, errors: [] });
expect(mockPrismaService.task.create).toHaveBeenCalledWith(
expect.objectContaining({
data: expect.objectContaining({
title: "Import me",
status: TaskStatus.IN_PROGRESS,
priority: TaskPriority.HIGH,
domainId: "domain-id",
}),
})
);
});
it("skips existing task by brainId", async () => {
mockPrismaService.task.findFirst.mockResolvedValue({ id: "existing-task-id" });
const result = await service.importTasks(workspaceId, userId, [
{
id: "task-1",
title: "Existing",
domain: null,
status: "pending",
priority: "medium",
project: null,
related: [],
blocks: [],
blocked_by: [],
progress: null,
due: null,
created: null,
updated: null,
assignee: null,
notes: null,
notes_nontechnical: null,
},
]);
expect(result.imported).toBe(0);
expect(result.skipped).toBe(1);
expect(mockPrismaService.task.create).not.toHaveBeenCalled();
});
it("collects mapping/missing-project errors while importing", async () => {
mockPrismaService.task.findFirst.mockResolvedValue(null);
mockPrismaService.project.findFirst.mockResolvedValue(null);
mockPrismaService.task.create.mockResolvedValue({ id: "task-id" });
const result = await service.importTasks(workspaceId, userId, [
{
id: "task-1",
title: "Needs project",
domain: null,
status: "mystery-status",
priority: "mystery-priority",
project: "brain-project-1",
related: [],
blocks: [],
blocked_by: [],
progress: null,
due: null,
created: null,
updated: null,
assignee: null,
notes: null,
notes_nontechnical: null,
},
]);
expect(result.imported).toBe(1);
expect(result.errors).toEqual(
expect.arrayContaining([
expect.stringContaining('Unknown task status "mystery-status"'),
expect.stringContaining('Unknown task priority "mystery-priority"'),
expect.stringContaining('referenced project "brain-project-1" not found'),
])
);
expect(mockPrismaService.task.create).toHaveBeenCalledWith(
expect.objectContaining({
data: expect.objectContaining({
status: TaskStatus.NOT_STARTED,
priority: TaskPriority.MEDIUM,
projectId: null,
}),
})
);
});
});
describe("importProjects", () => {
it("maps status/domain and imports a project", async () => {
mockPrismaService.project.findFirst.mockResolvedValue(null);
mockPrismaService.domain.findUnique.mockResolvedValue(null);
mockPrismaService.domain.create.mockResolvedValue({ id: "domain-id" });
mockPrismaService.project.create.mockResolvedValue({ id: "project-id" });
const result = await service.importProjects(workspaceId, userId, [
{
id: "project-1",
name: "Project One",
description: "desc",
domain: "Backend",
status: "in-progress",
priority: "high",
progress: 50,
repo: "git@example.com/repo",
branch: "main",
current_milestone: "MS21",
next_milestone: "MS22",
blocker: null,
owner: "owner",
docs_path: "docs/PRD.md",
created: "2026-03-01",
updated: "2026-03-05",
target_date: "2026-04-01",
notes: "notes",
notes_nontechnical: "non tech",
parent: null,
},
]);
expect(result).toEqual({ imported: 1, skipped: 0, errors: [] });
expect(mockPrismaService.project.create).toHaveBeenCalledWith(
expect.objectContaining({
data: expect.objectContaining({
name: "Project One",
status: ProjectStatus.ACTIVE,
domainId: "domain-id",
}),
})
);
});
it("captures create failures as errors", async () => {
mockPrismaService.project.findFirst.mockResolvedValue(null);
mockPrismaService.project.create.mockRejectedValue(new Error("db failed"));
const result = await service.importProjects(workspaceId, userId, [
{
id: "project-1",
name: "Project One",
description: null,
domain: null,
status: "planning",
priority: null,
progress: null,
repo: null,
branch: null,
current_milestone: null,
next_milestone: null,
blocker: null,
owner: null,
docs_path: null,
created: null,
updated: null,
target_date: null,
notes: null,
notes_nontechnical: null,
parent: null,
},
]);
expect(result.imported).toBe(0);
expect(result.skipped).toBe(1);
expect(result.errors).toEqual([
expect.stringContaining("project project-1: failed to import: db failed"),
]);
});
});
});

496
apps/api/src/import/import.service.ts
View File

@@ -1,496 +0,0 @@
import { Injectable } from "@nestjs/common";
import { Prisma, PrismaClient, ProjectStatus, TaskPriority, TaskStatus } from "@prisma/client";
import { PrismaService } from "../prisma/prisma.service";
import type { ImportProjectDto, ImportResponseDto, ImportTaskDto } from "./dto";
interface TaskStatusMapping {
status: TaskStatus;
issue: string | null;
}
interface TaskPriorityMapping {
priority: TaskPriority;
issue: string | null;
}
interface ProjectStatusMapping {
status: ProjectStatus;
issue: string | null;
}
@Injectable()
export class ImportService {
constructor(private readonly prisma: PrismaService) {}
async importTasks(
workspaceId: string,
userId: string,
taskPayload: ImportTaskDto[]
): Promise<ImportResponseDto> {
const errors: string[] = [];
let imported = 0;
let skipped = 0;
const importTimestamp = new Date().toISOString();
const seenBrainTaskIds = new Set<string>();
const domainIdBySlug = new Map<string, string>();
const projectIdByBrainId = new Map<string, string | null>();
await this.prisma.withWorkspaceContext(userId, workspaceId, async (tx: PrismaClient) => {
for (const [index, task] of taskPayload.entries()) {
const brainId = task.id.trim();
if (seenBrainTaskIds.has(brainId)) {
skipped += 1;
errors.push(`task ${brainId}: duplicate item in request body`);
continue;
}
seenBrainTaskIds.add(brainId);
try {
const existingTask = await tx.task.findFirst({
where: {
workspaceId,
metadata: {
path: ["brainId"],
equals: brainId,
},
},
select: { id: true },
});
if (existingTask) {
skipped += 1;
continue;
}
const mappedStatus = this.mapTaskStatus(task.status ?? null);
if (mappedStatus.issue) {
errors.push(`task ${brainId}: ${mappedStatus.issue}`);
}
const mappedPriority = this.mapTaskPriority(task.priority ?? null);
if (mappedPriority.issue) {
errors.push(`task ${brainId}: ${mappedPriority.issue}`);
}
const projectBrainId = task.project?.trim() ? task.project.trim() : null;
const projectId = await this.resolveProjectId(
tx,
workspaceId,
projectBrainId,
projectIdByBrainId,
brainId,
errors
);
const domainId = await this.resolveDomainId(
tx,
workspaceId,
task.domain ?? null,
importTimestamp,
domainIdBySlug
);
const createdAt =
this.normalizeDate(task.created ?? null, `task ${brainId}.created`, errors) ??
new Date();
const updatedAt =
this.normalizeDate(task.updated ?? null, `task ${brainId}.updated`, errors) ??
createdAt;
const dueDate = this.normalizeDate(task.due ?? null, `task ${brainId}.due`, errors);
const completedAt = mappedStatus.status === TaskStatus.COMPLETED ? updatedAt : null;
const metadata = this.asJsonValue({
source: "jarvis-brain",
brainId,
brainDomain: task.domain ?? null,
brainProjectId: projectBrainId,
rawStatus: task.status ?? null,
rawPriority: task.priority ?? null,
related: task.related ?? [],
blocks: task.blocks ?? [],
blockedBy: task.blocked_by ?? [],
assignee: task.assignee ?? null,
progress: task.progress ?? null,
notes: task.notes ?? null,
notesNonTechnical: task.notes_nontechnical ?? null,
importedAt: importTimestamp,
});
await tx.task.create({
data: {
workspaceId,
title: task.title,
description: task.notes ?? null,
status: mappedStatus.status,
priority: mappedPriority.priority,
dueDate,
creatorId: userId,
projectId,
domainId,
metadata,
createdAt,
updatedAt,
completedAt,
},
});
imported += 1;
} catch (error) {
skipped += 1;
errors.push(
`task ${brainId || `index-${String(index)}`}: failed to import: ${this.getErrorMessage(error)}`
);
}
}
});
return {
imported,
skipped,
errors,
};
}
async importProjects(
workspaceId: string,
userId: string,
projectPayload: ImportProjectDto[]
): Promise<ImportResponseDto> {
const errors: string[] = [];
let imported = 0;
let skipped = 0;
const importTimestamp = new Date().toISOString();
const seenBrainProjectIds = new Set<string>();
const domainIdBySlug = new Map<string, string>();
await this.prisma.withWorkspaceContext(userId, workspaceId, async (tx: PrismaClient) => {
for (const [index, project] of projectPayload.entries()) {
const brainId = project.id.trim();
if (seenBrainProjectIds.has(brainId)) {
skipped += 1;
errors.push(`project ${brainId}: duplicate item in request body`);
continue;
}
seenBrainProjectIds.add(brainId);
try {
const existingProject = await tx.project.findFirst({
where: {
workspaceId,
metadata: {
path: ["brainId"],
equals: brainId,
},
},
select: { id: true },
});
if (existingProject) {
skipped += 1;
continue;
}
const mappedStatus = this.mapProjectStatus(project.status ?? null);
if (mappedStatus.issue) {
errors.push(`project ${brainId}: ${mappedStatus.issue}`);
}
const domainId = await this.resolveDomainId(
tx,
workspaceId,
project.domain ?? null,
importTimestamp,
domainIdBySlug
);
const createdAt =
this.normalizeDate(project.created ?? null, `project ${brainId}.created`, errors) ??
new Date();
const updatedAt =
this.normalizeDate(project.updated ?? null, `project ${brainId}.updated`, errors) ??
createdAt;
const startDate = this.normalizeDate(
project.created ?? null,
`project ${brainId}.startDate`,
errors
);
const endDate = this.normalizeDate(
project.target_date ?? null,
`project ${brainId}.target_date`,
errors
);
const metadata = this.asJsonValue({
source: "jarvis-brain",
brainId,
brainDomain: project.domain ?? null,
rawStatus: project.status ?? null,
rawPriority: project.priority ?? null,
progress: project.progress ?? null,
repo: project.repo ?? null,
branch: project.branch ?? null,
currentMilestone: project.current_milestone ?? null,
nextMilestone: project.next_milestone ?? null,
blocker: project.blocker ?? null,
owner: project.owner ?? null,
docsPath: project.docs_path ?? null,
targetDate: project.target_date ?? null,
notes: project.notes ?? null,
notesNonTechnical: project.notes_nontechnical ?? null,
parent: project.parent ?? null,
importedAt: importTimestamp,
});
await tx.project.create({
data: {
workspaceId,
name: project.name,
description: project.description ?? null,
status: mappedStatus.status,
startDate,
endDate,
creatorId: userId,
domainId,
metadata,
createdAt,
updatedAt,
},
});
imported += 1;
} catch (error) {
skipped += 1;
errors.push(
`project ${brainId || `index-${String(index)}`}: failed to import: ${this.getErrorMessage(error)}`
);
}
}
});
return {
imported,
skipped,
errors,
};
}
private async resolveProjectId(
tx: PrismaClient,
workspaceId: string,
projectBrainId: string | null,
projectIdByBrainId: Map<string, string | null>,
taskBrainId: string,
errors: string[]
): Promise<string | null> {
if (!projectBrainId) {
return null;
}
if (projectIdByBrainId.has(projectBrainId)) {
return projectIdByBrainId.get(projectBrainId) ?? null;
}
const existingProject = await tx.project.findFirst({
where: {
workspaceId,
metadata: {
path: ["brainId"],
equals: projectBrainId,
},
},
select: { id: true },
});
if (!existingProject) {
projectIdByBrainId.set(projectBrainId, null);
errors.push(`task ${taskBrainId}: referenced project "${projectBrainId}" not found`);
return null;
}
projectIdByBrainId.set(projectBrainId, existingProject.id);
return existingProject.id;
}
private async resolveDomainId(
tx: PrismaClient,
workspaceId: string,
rawDomain: string | null,
importTimestamp: string,
domainIdBySlug: Map<string, string>
): Promise<string | null> {
const domainSlug = this.normalizeDomain(rawDomain);
if (!domainSlug) {
return null;
}
const cachedId = domainIdBySlug.get(domainSlug);
if (cachedId) {
return cachedId;
}
const existingDomain = await tx.domain.findUnique({
where: {
workspaceId_slug: {
workspaceId,
slug: domainSlug,
},
},
select: { id: true },
});
if (existingDomain) {
domainIdBySlug.set(domainSlug, existingDomain.id);
return existingDomain.id;
}
const trimmedDomainName = rawDomain?.trim();
const domainName =
trimmedDomainName && trimmedDomainName.length > 0 ? trimmedDomainName : domainSlug;
const createdDomain = await tx.domain.create({
data: {
workspaceId,
slug: domainSlug,
name: domainName,
metadata: this.asJsonValue({
source: "jarvis-brain",
brainId: domainName,
sourceValues: [domainName],
importedAt: importTimestamp,
}),
},
select: { id: true },
});
domainIdBySlug.set(domainSlug, createdDomain.id);
return createdDomain.id;
}
private normalizeKey(value: string | null | undefined): string {
return value?.trim().toLowerCase() ?? "";
}
private mapTaskStatus(rawStatus: string | null): TaskStatusMapping {
const statusKey = this.normalizeKey(rawStatus);
switch (statusKey) {
case "done":
return { status: TaskStatus.COMPLETED, issue: null };
case "in-progress":
return { status: TaskStatus.IN_PROGRESS, issue: null };
case "backlog":
case "pending":
case "scheduled":
case "not-started":
case "planned":
return { status: TaskStatus.NOT_STARTED, issue: null };
case "blocked":
case "on-hold":
return { status: TaskStatus.PAUSED, issue: null };
case "cancelled":
return { status: TaskStatus.ARCHIVED, issue: null };
default:
return {
status: TaskStatus.NOT_STARTED,
issue: `Unknown task status "${rawStatus ?? "null"}" mapped to NOT_STARTED`,
};
}
}
private mapTaskPriority(rawPriority: string | null): TaskPriorityMapping {
const priorityKey = this.normalizeKey(rawPriority);
switch (priorityKey) {
case "critical":
case "high":
return { priority: TaskPriority.HIGH, issue: null };
case "medium":
return { priority: TaskPriority.MEDIUM, issue: null };
case "low":
return { priority: TaskPriority.LOW, issue: null };
default:
return {
priority: TaskPriority.MEDIUM,
issue: `Unknown task priority "${rawPriority ?? "null"}" mapped to MEDIUM`,
};
}
}
private mapProjectStatus(rawStatus: string | null): ProjectStatusMapping {
const statusKey = this.normalizeKey(rawStatus);
switch (statusKey) {
case "active":
case "in-progress":
return { status: ProjectStatus.ACTIVE, issue: null };
case "backlog":
case "planning":
return { status: ProjectStatus.PLANNING, issue: null };
case "paused":
case "blocked":
return { status: ProjectStatus.PAUSED, issue: null };
case "archived":
case "maintenance":
return { status: ProjectStatus.ARCHIVED, issue: null };
default:
return {
status: ProjectStatus.PLANNING,
issue: `Unknown project status "${rawStatus ?? "null"}" mapped to PLANNING`,
};
}
}
private normalizeDomain(rawDomain: string | null | undefined): string | null {
if (!rawDomain) {
return null;
}
const trimmed = rawDomain.trim();
if (trimmed.length === 0) {
return null;
}
const slug = trimmed
.toLowerCase()
.replace(/[^a-z0-9]+/g, "-")
.replace(/^-+|-+$/g, "");
return slug.length > 0 ? slug : null;
}
private normalizeDate(rawValue: string | null, context: string, errors: string[]): Date | null {
if (!rawValue) {
return null;
}
const trimmed = rawValue.trim();
if (trimmed.length === 0) {
return null;
}
const value = /^\d{4}-\d{2}-\d{2}$/.test(trimmed) ? `${trimmed}T00:00:00.000Z` : trimmed;
const parsedDate = new Date(value);
if (Number.isNaN(parsedDate.getTime())) {
errors.push(`${context}: invalid date "${rawValue}"`);
return null;
}
return parsedDate;
}
private asJsonValue(value: Record<string, unknown>): Prisma.InputJsonValue {
return value as Prisma.InputJsonValue;
}
private getErrorMessage(error: unknown): string {
if (error instanceof Error) {
return error.message;
}
return String(error);
}
}

4
apps/api/src/job-events/job-events.performance.spec.ts
View File

@@ -16,9 +16,7 @@ import { JOB_CREATED, JOB_STARTED, STEP_STARTED } from "./event-types";
* NOTE: These tests require a real database connection with realistic data volume. * NOTE: These tests require a real database connection with realistic data volume.
* Run with: pnpm test:api -- job-events.performance.spec.ts * Run with: pnpm test:api -- job-events.performance.spec.ts
*/ */
const shouldRunDbIntegrationTests = const describeFn = process.env.DATABASE_URL ? describe : describe.skip;
process.env.RUN_DB_TESTS === "true" && Boolean(process.env.DATABASE_URL);
const describeFn = shouldRunDbIntegrationTests ? describe : describe.skip;
describeFn("JobEventsService Performance", () => { describeFn("JobEventsService Performance", () => {
let service: JobEventsService; let service: JobEventsService;

22
apps/api/src/knowledge/dto/entry-query.dto.ts
View File

@@ -1,6 +1,6 @@
import { IsOptional, IsEnum, IsString, IsInt, IsIn, Min, Max } from "class-validator"; import { IsOptional, IsEnum, IsString, IsInt, Min, Max } from "class-validator";
import { Type } from "class-transformer"; import { Type } from "class-transformer";
import { EntryStatus, Visibility } from "@prisma/client"; import { EntryStatus } from "@prisma/client";
/** /**
* DTO for querying knowledge entries (list endpoint) * DTO for querying knowledge entries (list endpoint)
@@ -10,28 +10,10 @@ export class EntryQueryDto {
@IsEnum(EntryStatus, { message: "status must be a valid EntryStatus" }) @IsEnum(EntryStatus, { message: "status must be a valid EntryStatus" })
status?: EntryStatus; status?: EntryStatus;
@IsOptional()
@IsEnum(Visibility, { message: "visibility must be a valid Visibility" })
visibility?: Visibility;
@IsOptional() @IsOptional()
@IsString({ message: "tag must be a string" }) @IsString({ message: "tag must be a string" })
tag?: string; tag?: string;
@IsOptional()
@IsString({ message: "search must be a string" })
search?: string;
@IsOptional()
@IsIn(["updatedAt", "createdAt", "title"], {
message: "sortBy must be updatedAt, createdAt, or title",
})
sortBy?: "updatedAt" | "createdAt" | "title";
@IsOptional()
@IsIn(["asc", "desc"], { message: "sortOrder must be asc or desc" })
sortOrder?: "asc" | "desc";
@IsOptional() @IsOptional()
@Type(() => Number) @Type(() => Number)
@IsInt({ message: "page must be an integer" }) @IsInt({ message: "page must be an integer" })

22
apps/api/src/knowledge/knowledge.service.ts
View File

@@ -48,10 +48,6 @@ export class KnowledgeService {
where.status = query.status; where.status = query.status;
} }
if (query.visibility) {
where.visibility = query.visibility;
}
if (query.tag) { if (query.tag) {
where.tags = { where.tags = {
some: { some: {
@@ -62,20 +58,6 @@ export class KnowledgeService {
}; };
} }
if (query.search) {
where.OR = [
{ title: { contains: query.search, mode: "insensitive" } },
{ content: { contains: query.search, mode: "insensitive" } },
];
}
// Build orderBy
const sortField = query.sortBy ?? "updatedAt";
const sortDirection = query.sortOrder ?? "desc";
const orderBy: Prisma.KnowledgeEntryOrderByWithRelationInput = {
[sortField]: sortDirection,
};
// Get total count // Get total count
const total = await this.prisma.knowledgeEntry.count({ where }); const total = await this.prisma.knowledgeEntry.count({ where });
@@ -89,7 +71,9 @@ export class KnowledgeService {
}, },
}, },
}, },
orderBy, orderBy: {
updatedAt: "desc",
},
skip, skip,
take: limit, take: limit,
}); });

4
apps/api/src/knowledge/services/fulltext-search.spec.ts
View File

@@ -27,9 +27,7 @@ async function isFulltextSearchConfigured(prisma: PrismaClient): Promise<boolean
* Skip when DATABASE_URL is not set. Tests that require the trigger/index * Skip when DATABASE_URL is not set. Tests that require the trigger/index
* will be skipped if the database migration hasn't been applied. * will be skipped if the database migration hasn't been applied.
*/ */
const shouldRunDbIntegrationTests = const describeFn = process.env.DATABASE_URL ? describe : describe.skip;
process.env.RUN_DB_TESTS === "true" && Boolean(process.env.DATABASE_URL);
const describeFn = shouldRunDbIntegrationTests ? describe : describe.skip;
describeFn("Full-Text Search Setup (Integration)", () => { describeFn("Full-Text Search Setup (Integration)", () => {
let prisma: PrismaClient; let prisma: PrismaClient;

16
apps/api/src/main.ts
View File

@@ -1,5 +1,5 @@
import { NestFactory } from "@nestjs/core"; import { NestFactory } from "@nestjs/core";
import { RequestMethod, ValidationPipe } from "@nestjs/common"; import { ValidationPipe } from "@nestjs/common";
import cookieParser from "cookie-parser"; import cookieParser from "cookie-parser";
import { AppModule } from "./app.module"; import { AppModule } from "./app.module";
import { getTrustedOrigins } from "./auth/auth.config"; import { getTrustedOrigins } from "./auth/auth.config";
@@ -47,22 +47,10 @@ async function bootstrap() {
app.useGlobalFilters(new GlobalExceptionFilter()); app.useGlobalFilters(new GlobalExceptionFilter());
// Set global API prefix — all routes get /api/* except auth and health
// Auth routes are excluded because BetterAuth expects /auth/* paths
// Health is excluded because Docker healthchecks hit /health directly
app.setGlobalPrefix("api", {
exclude: [
{ path: "health", method: RequestMethod.GET },
{ path: "auth/(.*)", method: RequestMethod.ALL },
],
});
// Configure CORS for cookie-based authentication // Configure CORS for cookie-based authentication
// Origin list is shared with BetterAuth trustedOrigins via getTrustedOrigins() // Origin list is shared with BetterAuth trustedOrigins via getTrustedOrigins()
const trustedOrigins = getTrustedOrigins();
console.log(`[CORS] Trusted origins: ${JSON.stringify(trustedOrigins)}`);
app.enableCors({ app.enableCors({
origin: trustedOrigins, origin: getTrustedOrigins(),
credentials: true, // Required for cookie-based authentication credentials: true, // Required for cookie-based authentication
methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"], methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
allowedHeaders: ["Content-Type", "Authorization", "Cookie", "X-CSRF-Token", "X-Workspace-Id"], allowedHeaders: ["Content-Type", "Authorization", "Cookie", "X-CSRF-Token", "X-Workspace-Id"],

143
apps/api/src/mosaic-telemetry/mosaic-telemetry.module.spec.ts
View File

@@ -3,7 +3,6 @@ import { Test, TestingModule } from "@nestjs/testing";
import { ConfigModule } from "@nestjs/config"; import { ConfigModule } from "@nestjs/config";
import { MosaicTelemetryModule } from "./mosaic-telemetry.module"; import { MosaicTelemetryModule } from "./mosaic-telemetry.module";
import { MosaicTelemetryService } from "./mosaic-telemetry.service"; import { MosaicTelemetryService } from "./mosaic-telemetry.service";
import { PrismaService } from "../prisma/prisma.service";
// Mock the telemetry client to avoid real HTTP calls // Mock the telemetry client to avoid real HTTP calls
vi.mock("@mosaicstack/telemetry-client", async (importOriginal) => { vi.mock("@mosaicstack/telemetry-client", async (importOriginal) => {
@@ -57,30 +56,6 @@ vi.mock("@mosaicstack/telemetry-client", async (importOriginal) => {
describe("MosaicTelemetryModule", () => { describe("MosaicTelemetryModule", () => {
let module: TestingModule; let module: TestingModule;
const sharedTestEnv = {
ENCRYPTION_KEY: "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
};
const mockPrismaService = {
onModuleInit: vi.fn(),
onModuleDestroy: vi.fn(),
$connect: vi.fn(),
$disconnect: vi.fn(),
};
const buildTestModule = async (env: Record<string, string>): Promise<TestingModule> =>
Test.createTestingModule({
imports: [
ConfigModule.forRoot({
isGlobal: true,
envFilePath: [],
load: [() => ({ ...env, ...sharedTestEnv })],
}),
MosaicTelemetryModule,
],
})
.overrideProvider(PrismaService)
.useValue(mockPrismaService)
.compile();
beforeEach(() => { beforeEach(() => {
vi.clearAllMocks(); vi.clearAllMocks();
@@ -88,18 +63,40 @@ describe("MosaicTelemetryModule", () => {
describe("module initialization", () => { describe("module initialization", () => {
it("should compile the module successfully", async () => { it("should compile the module successfully", async () => {
module = await buildTestModule({ module = await Test.createTestingModule({
MOSAIC_TELEMETRY_ENABLED: "false", imports: [
}); ConfigModule.forRoot({
isGlobal: true,
envFilePath: [],
load: [
() => ({
MOSAIC_TELEMETRY_ENABLED: "false",
}),
],
}),
MosaicTelemetryModule,
],
}).compile();
expect(module).toBeDefined(); expect(module).toBeDefined();
await module.close(); await module.close();
}); });
it("should provide MosaicTelemetryService", async () => { it("should provide MosaicTelemetryService", async () => {
module = await buildTestModule({ module = await Test.createTestingModule({
MOSAIC_TELEMETRY_ENABLED: "false", imports: [
}); ConfigModule.forRoot({
isGlobal: true,
envFilePath: [],
load: [
() => ({
MOSAIC_TELEMETRY_ENABLED: "false",
}),
],
}),
MosaicTelemetryModule,
],
}).compile();
const service = module.get<MosaicTelemetryService>(MosaicTelemetryService); const service = module.get<MosaicTelemetryService>(MosaicTelemetryService);
expect(service).toBeDefined(); expect(service).toBeDefined();
@@ -109,9 +106,20 @@ describe("MosaicTelemetryModule", () => {
}); });
it("should export MosaicTelemetryService for injection in other modules", async () => { it("should export MosaicTelemetryService for injection in other modules", async () => {
module = await buildTestModule({ module = await Test.createTestingModule({
MOSAIC_TELEMETRY_ENABLED: "false", imports: [
}); ConfigModule.forRoot({
isGlobal: true,
envFilePath: [],
load: [
() => ({
MOSAIC_TELEMETRY_ENABLED: "false",
}),
],
}),
MosaicTelemetryModule,
],
}).compile();
const service = module.get(MosaicTelemetryService); const service = module.get(MosaicTelemetryService);
expect(service).toBeDefined(); expect(service).toBeDefined();
@@ -122,13 +130,24 @@ describe("MosaicTelemetryModule", () => {
describe("lifecycle integration", () => { describe("lifecycle integration", () => {
it("should initialize service on module init when enabled", async () => { it("should initialize service on module init when enabled", async () => {
module = await buildTestModule({ module = await Test.createTestingModule({
MOSAIC_TELEMETRY_ENABLED: "true", imports: [
MOSAIC_TELEMETRY_SERVER_URL: "https://tel.test.local", ConfigModule.forRoot({
MOSAIC_TELEMETRY_API_KEY: "a".repeat(64), isGlobal: true,
MOSAIC_TELEMETRY_INSTANCE_ID: "550e8400-e29b-41d4-a716-446655440000", envFilePath: [],
MOSAIC_TELEMETRY_DRY_RUN: "false", load: [
}); () => ({
MOSAIC_TELEMETRY_ENABLED: "true",
MOSAIC_TELEMETRY_SERVER_URL: "https://tel.test.local",
MOSAIC_TELEMETRY_API_KEY: "a".repeat(64),
MOSAIC_TELEMETRY_INSTANCE_ID: "550e8400-e29b-41d4-a716-446655440000",
MOSAIC_TELEMETRY_DRY_RUN: "false",
}),
],
}),
MosaicTelemetryModule,
],
}).compile();
await module.init(); await module.init();
@@ -139,9 +158,20 @@ describe("MosaicTelemetryModule", () => {
}); });
it("should not start client when disabled via env", async () => { it("should not start client when disabled via env", async () => {
module = await buildTestModule({ module = await Test.createTestingModule({
MOSAIC_TELEMETRY_ENABLED: "false", imports: [
}); ConfigModule.forRoot({
isGlobal: true,
envFilePath: [],
load: [
() => ({
MOSAIC_TELEMETRY_ENABLED: "false",
}),
],
}),
MosaicTelemetryModule,
],
}).compile();
await module.init(); await module.init();
@@ -152,13 +182,24 @@ describe("MosaicTelemetryModule", () => {
}); });
it("should cleanly shut down on module destroy", async () => { it("should cleanly shut down on module destroy", async () => {
module = await buildTestModule({ module = await Test.createTestingModule({
MOSAIC_TELEMETRY_ENABLED: "true", imports: [
MOSAIC_TELEMETRY_SERVER_URL: "https://tel.test.local", ConfigModule.forRoot({
MOSAIC_TELEMETRY_API_KEY: "a".repeat(64), isGlobal: true,
MOSAIC_TELEMETRY_INSTANCE_ID: "550e8400-e29b-41d4-a716-446655440000", envFilePath: [],
MOSAIC_TELEMETRY_DRY_RUN: "false", load: [
}); () => ({
MOSAIC_TELEMETRY_ENABLED: "true",
MOSAIC_TELEMETRY_SERVER_URL: "https://tel.test.local",
MOSAIC_TELEMETRY_API_KEY: "a".repeat(64),
MOSAIC_TELEMETRY_INSTANCE_ID: "550e8400-e29b-41d4-a716-446655440000",
MOSAIC_TELEMETRY_DRY_RUN: "false",
}),
],
}),
MosaicTelemetryModule,
],
}).compile();
await module.init(); await module.init();

69
apps/api/src/personalities/dto/create-personality.dto.ts
View File

@@ -1,38 +1,59 @@
import { FormalityLevel } from "@prisma/client"; import {
import { IsString, IsEnum, IsOptional, IsBoolean, MinLength, MaxLength } from "class-validator"; IsString,
IsOptional,
IsBoolean,
IsNumber,
IsInt,
IsUUID,
MinLength,
MaxLength,
Min,
Max,
} from "class-validator";
/** /**
* DTO for creating a new personality * DTO for creating a new personality/assistant configuration
* Field names match the frontend API contract from @mosaic/shared Personality type.
*/ */
export class CreatePersonalityDto { export class CreatePersonalityDto {
@IsString({ message: "name must be a string" }) @IsString()
@MinLength(1, { message: "name must not be empty" }) @MinLength(1)
@MaxLength(255, { message: "name must not exceed 255 characters" }) @MaxLength(100)
name!: string; name!: string; // unique identifier slug
@IsString()
@MinLength(1)
@MaxLength(200)
displayName!: string; // human-readable name
@IsOptional() @IsOptional()
@IsString({ message: "description must be a string" }) @IsString()
@MaxLength(2000, { message: "description must not exceed 2000 characters" }) @MaxLength(1000)
description?: string; description?: string;
@IsString({ message: "tone must be a string" }) @IsString()
@MinLength(1, { message: "tone must not be empty" }) @MinLength(10)
@MaxLength(100, { message: "tone must not exceed 100 characters" }) systemPrompt!: string;
tone!: string;
@IsEnum(FormalityLevel, { message: "formalityLevel must be a valid FormalityLevel" })
formalityLevel!: FormalityLevel;
@IsString({ message: "systemPromptTemplate must be a string" })
@MinLength(1, { message: "systemPromptTemplate must not be empty" })
systemPromptTemplate!: string;
@IsOptional() @IsOptional()
@IsBoolean({ message: "isDefault must be a boolean" }) @IsNumber()
@Min(0)
@Max(2)
temperature?: number; // null = use provider default
@IsOptional()
@IsInt()
@Min(1)
maxTokens?: number; // null = use provider default
@IsOptional()
@IsUUID("4")
llmProviderInstanceId?: string; // FK to LlmProviderInstance
@IsOptional()
@IsBoolean()
isDefault?: boolean; isDefault?: boolean;
@IsOptional() @IsOptional()
@IsBoolean({ message: "isActive must be a boolean" }) @IsBoolean()
isActive?: boolean; isEnabled?: boolean;
} }

1
apps/api/src/personalities/dto/index.ts
View File

@@ -1,3 +1,2 @@
export * from "./create-personality.dto"; export * from "./create-personality.dto";
export * from "./update-personality.dto"; export * from "./update-personality.dto";
export * from "./personality-query.dto";

12
apps/api/src/personalities/dto/personality-query.dto.ts
View File

@@ -1,12 +0,0 @@
import { IsBoolean, IsOptional } from "class-validator";
import { Transform } from "class-transformer";
/**
* DTO for querying/filtering personalities
*/
export class PersonalityQueryDto {
@IsOptional()
@IsBoolean({ message: "isActive must be a boolean" })
@Transform(({ value }) => value === "true" || value === true)
isActive?: boolean;
}

64
apps/api/src/personalities/dto/update-personality.dto.ts
View File

@@ -1,42 +1,62 @@
import { FormalityLevel } from "@prisma/client"; import {
import { IsString, IsEnum, IsOptional, IsBoolean, MinLength, MaxLength } from "class-validator"; IsString,
IsOptional,
IsBoolean,
IsNumber,
IsInt,
IsUUID,
MinLength,
MaxLength,
Min,
Max,
} from "class-validator";
/** /**
* DTO for updating an existing personality * DTO for updating an existing personality/assistant configuration
* All fields are optional; only provided fields are updated.
*/ */
export class UpdatePersonalityDto { export class UpdatePersonalityDto {
@IsOptional() @IsOptional()
@IsString({ message: "name must be a string" }) @IsString()
@MinLength(1, { message: "name must not be empty" }) @MinLength(1)
@MaxLength(255, { message: "name must not exceed 255 characters" }) @MaxLength(100)
name?: string; name?: string; // unique identifier slug
@IsOptional() @IsOptional()
@IsString({ message: "description must be a string" }) @IsString()
@MaxLength(2000, { message: "description must not exceed 2000 characters" }) @MinLength(1)
@MaxLength(200)
displayName?: string; // human-readable name
@IsOptional()
@IsString()
@MaxLength(1000)
description?: string; description?: string;
@IsOptional() @IsOptional()
@IsString({ message: "tone must be a string" }) @IsString()
@MinLength(1, { message: "tone must not be empty" }) @MinLength(10)
@MaxLength(100, { message: "tone must not exceed 100 characters" }) systemPrompt?: string;
tone?: string;
@IsOptional() @IsOptional()
@IsEnum(FormalityLevel, { message: "formalityLevel must be a valid FormalityLevel" }) @IsNumber()
formalityLevel?: FormalityLevel; @Min(0)
@Max(2)
temperature?: number; // null = use provider default
@IsOptional() @IsOptional()
@IsString({ message: "systemPromptTemplate must be a string" }) @IsInt()
@MinLength(1, { message: "systemPromptTemplate must not be empty" }) @Min(1)
systemPromptTemplate?: string; maxTokens?: number; // null = use provider default
@IsOptional() @IsOptional()
@IsBoolean({ message: "isDefault must be a boolean" }) @IsUUID("4")
llmProviderInstanceId?: string; // FK to LlmProviderInstance
@IsOptional()
@IsBoolean()
isDefault?: boolean; isDefault?: boolean;
@IsOptional() @IsOptional()
@IsBoolean({ message: "isActive must be a boolean" }) @IsBoolean()
isActive?: boolean; isEnabled?: boolean;
} }

36
apps/api/src/personalities/entities/personality.entity.ts
View File

@@ -1,24 +1,20 @@
import type { FormalityLevel } from "@prisma/client"; import type { Personality as PrismaPersonality } from "@prisma/client";
/** /**
* Personality response entity * Personality entity representing an assistant configuration
* Maps Prisma Personality fields to the frontend API contract.
*
* Field mapping (Prisma -> API):
* systemPrompt -> systemPromptTemplate
* isEnabled -> isActive
* (tone, formalityLevel are identical in both)
*/ */
export interface PersonalityResponse { export class Personality implements PrismaPersonality {
id: string; id!: string;
workspaceId: string; workspaceId!: string;
name: string; name!: string; // unique identifier slug
description: string | null; displayName!: string; // human-readable name
tone: string; description!: string | null;
formalityLevel: FormalityLevel; systemPrompt!: string;
systemPromptTemplate: string; temperature!: number | null; // null = use provider default
isDefault: boolean; maxTokens!: number | null; // null = use provider default
isActive: boolean; llmProviderInstanceId!: string | null; // FK to LlmProviderInstance
createdAt: Date; isDefault!: boolean;
updatedAt: Date; isEnabled!: boolean;
createdAt!: Date;
updatedAt!: Date;
} }

131
apps/api/src/personalities/personalities.controller.spec.ts
View File

@@ -2,32 +2,36 @@ import { describe, it, expect, beforeEach, vi } from "vitest";
import { Test, TestingModule } from "@nestjs/testing"; import { Test, TestingModule } from "@nestjs/testing";
import { PersonalitiesController } from "./personalities.controller"; import { PersonalitiesController } from "./personalities.controller";
import { PersonalitiesService } from "./personalities.service"; import { PersonalitiesService } from "./personalities.service";
import type { CreatePersonalityDto } from "./dto/create-personality.dto"; import { CreatePersonalityDto, UpdatePersonalityDto } from "./dto";
import type { UpdatePersonalityDto } from "./dto/update-personality.dto";
import { AuthGuard } from "../auth/guards/auth.guard"; import { AuthGuard } from "../auth/guards/auth.guard";
import { WorkspaceGuard, PermissionGuard } from "../common/guards";
import { FormalityLevel } from "@prisma/client";
describe("PersonalitiesController", () => { describe("PersonalitiesController", () => {
let controller: PersonalitiesController; let controller: PersonalitiesController;
let service: PersonalitiesService; let service: PersonalitiesService;
const mockWorkspaceId = "workspace-123"; const mockWorkspaceId = "workspace-123";
const mockUserId = "user-123";
const mockPersonalityId = "personality-123"; const mockPersonalityId = "personality-123";
/** API response shape (frontend field names) */
const mockPersonality = { const mockPersonality = {
id: mockPersonalityId, id: mockPersonalityId,
workspaceId: mockWorkspaceId, workspaceId: mockWorkspaceId,
name: "professional-assistant", name: "professional-assistant",
displayName: "Professional Assistant",
description: "A professional communication assistant", description: "A professional communication assistant",
tone: "professional", systemPrompt: "You are a professional assistant who helps with tasks.",
formalityLevel: FormalityLevel.FORMAL, temperature: 0.7,
systemPromptTemplate: "You are a professional assistant who helps with tasks.", maxTokens: 2000,
llmProviderInstanceId: "provider-123",
isDefault: true, isDefault: true,
isActive: true, isEnabled: true,
createdAt: new Date("2026-01-01"), createdAt: new Date(),
updatedAt: new Date("2026-01-01"), updatedAt: new Date(),
};
const mockRequest = {
user: { id: mockUserId },
workspaceId: mockWorkspaceId,
}; };
const mockPersonalitiesService = { const mockPersonalitiesService = {
@@ -53,54 +57,24 @@ describe("PersonalitiesController", () => {
}) })
.overrideGuard(AuthGuard) .overrideGuard(AuthGuard)
.useValue({ canActivate: () => true }) .useValue({ canActivate: () => true })
.overrideGuard(WorkspaceGuard)
.useValue({
canActivate: (ctx: {
switchToHttp: () => { getRequest: () => { workspaceId: string } };
}) => {
const req = ctx.switchToHttp().getRequest();
req.workspaceId = mockWorkspaceId;
return true;
},
})
.overrideGuard(PermissionGuard)
.useValue({ canActivate: () => true })
.compile(); .compile();
controller = module.get<PersonalitiesController>(PersonalitiesController); controller = module.get<PersonalitiesController>(PersonalitiesController);
service = module.get<PersonalitiesService>(PersonalitiesService); service = module.get<PersonalitiesService>(PersonalitiesService);
// Reset mocks
vi.clearAllMocks(); vi.clearAllMocks();
}); });
describe("findAll", () => { describe("findAll", () => {
it("should return success response with personalities list", async () => { it("should return all personalities", async () => {
const mockList = [mockPersonality]; const mockPersonalities = [mockPersonality];
mockPersonalitiesService.findAll.mockResolvedValue(mockList); mockPersonalitiesService.findAll.mockResolvedValue(mockPersonalities);
const result = await controller.findAll(mockWorkspaceId, {}); const result = await controller.findAll(mockRequest);
expect(result).toEqual({ success: true, data: mockList }); expect(result).toEqual(mockPersonalities);
expect(service.findAll).toHaveBeenCalledWith(mockWorkspaceId, {}); expect(service.findAll).toHaveBeenCalledWith(mockWorkspaceId);
});
it("should pass isActive query filter to service", async () => {
mockPersonalitiesService.findAll.mockResolvedValue([mockPersonality]);
await controller.findAll(mockWorkspaceId, { isActive: true });
expect(service.findAll).toHaveBeenCalledWith(mockWorkspaceId, { isActive: true });
});
});
describe("findDefault", () => {
it("should return the default personality", async () => {
mockPersonalitiesService.findDefault.mockResolvedValue(mockPersonality);
const result = await controller.findDefault(mockWorkspaceId);
expect(result).toEqual(mockPersonality);
expect(service.findDefault).toHaveBeenCalledWith(mockWorkspaceId);
}); });
}); });
@@ -108,29 +82,54 @@ describe("PersonalitiesController", () => {
it("should return a personality by id", async () => { it("should return a personality by id", async () => {
mockPersonalitiesService.findOne.mockResolvedValue(mockPersonality); mockPersonalitiesService.findOne.mockResolvedValue(mockPersonality);
const result = await controller.findOne(mockWorkspaceId, mockPersonalityId); const result = await controller.findOne(mockRequest, mockPersonalityId);
expect(result).toEqual(mockPersonality); expect(result).toEqual(mockPersonality);
expect(service.findOne).toHaveBeenCalledWith(mockWorkspaceId, mockPersonalityId); expect(service.findOne).toHaveBeenCalledWith(mockWorkspaceId, mockPersonalityId);
}); });
}); });
describe("findByName", () => {
it("should return a personality by name", async () => {
mockPersonalitiesService.findByName.mockResolvedValue(mockPersonality);
const result = await controller.findByName(mockRequest, "professional-assistant");
expect(result).toEqual(mockPersonality);
expect(service.findByName).toHaveBeenCalledWith(mockWorkspaceId, "professional-assistant");
});
});
describe("findDefault", () => {
it("should return the default personality", async () => {
mockPersonalitiesService.findDefault.mockResolvedValue(mockPersonality);
const result = await controller.findDefault(mockRequest);
expect(result).toEqual(mockPersonality);
expect(service.findDefault).toHaveBeenCalledWith(mockWorkspaceId);
});
});
describe("create", () => { describe("create", () => {
it("should create a new personality", async () => { it("should create a new personality", async () => {
const createDto: CreatePersonalityDto = { const createDto: CreatePersonalityDto = {
name: "casual-helper", name: "casual-helper",
displayName: "Casual Helper",
description: "A casual helper", description: "A casual helper",
tone: "casual", systemPrompt: "You are a casual assistant.",
formalityLevel: FormalityLevel.CASUAL, temperature: 0.8,
systemPromptTemplate: "You are a casual assistant.", maxTokens: 1500,
}; };
const created = { ...mockPersonality, ...createDto, isActive: true, isDefault: false }; mockPersonalitiesService.create.mockResolvedValue({
mockPersonalitiesService.create.mockResolvedValue(created); ...mockPersonality,
...createDto,
});
const result = await controller.create(mockWorkspaceId, createDto); const result = await controller.create(mockRequest, createDto);
expect(result).toMatchObject({ name: createDto.name, tone: createDto.tone }); expect(result).toMatchObject(createDto);
expect(service.create).toHaveBeenCalledWith(mockWorkspaceId, createDto); expect(service.create).toHaveBeenCalledWith(mockWorkspaceId, createDto);
}); });
}); });
@@ -139,13 +138,15 @@ describe("PersonalitiesController", () => {
it("should update a personality", async () => { it("should update a personality", async () => {
const updateDto: UpdatePersonalityDto = { const updateDto: UpdatePersonalityDto = {
description: "Updated description", description: "Updated description",
tone: "enthusiastic", temperature: 0.9,
}; };
const updated = { ...mockPersonality, ...updateDto }; mockPersonalitiesService.update.mockResolvedValue({
mockPersonalitiesService.update.mockResolvedValue(updated); ...mockPersonality,
...updateDto,
});
const result = await controller.update(mockWorkspaceId, mockPersonalityId, updateDto); const result = await controller.update(mockRequest, mockPersonalityId, updateDto);
expect(result).toMatchObject(updateDto); expect(result).toMatchObject(updateDto);
expect(service.update).toHaveBeenCalledWith(mockWorkspaceId, mockPersonalityId, updateDto); expect(service.update).toHaveBeenCalledWith(mockWorkspaceId, mockPersonalityId, updateDto);
@@ -156,7 +157,7 @@ describe("PersonalitiesController", () => {
it("should delete a personality", async () => { it("should delete a personality", async () => {
mockPersonalitiesService.delete.mockResolvedValue(undefined); mockPersonalitiesService.delete.mockResolvedValue(undefined);
await controller.delete(mockWorkspaceId, mockPersonalityId); await controller.delete(mockRequest, mockPersonalityId);
expect(service.delete).toHaveBeenCalledWith(mockWorkspaceId, mockPersonalityId); expect(service.delete).toHaveBeenCalledWith(mockWorkspaceId, mockPersonalityId);
}); });
@@ -164,10 +165,12 @@ describe("PersonalitiesController", () => {
describe("setDefault", () => { describe("setDefault", () => {
it("should set a personality as default", async () => { it("should set a personality as default", async () => {
const updated = { ...mockPersonality, isDefault: true }; mockPersonalitiesService.setDefault.mockResolvedValue({
mockPersonalitiesService.setDefault.mockResolvedValue(updated); ...mockPersonality,
isDefault: true,
});
const result = await controller.setDefault(mockWorkspaceId, mockPersonalityId); const result = await controller.setDefault(mockRequest, mockPersonalityId);
expect(result).toMatchObject({ isDefault: true }); expect(result).toMatchObject({ isDefault: true });
expect(service.setDefault).toHaveBeenCalledWith(mockWorkspaceId, mockPersonalityId); expect(service.setDefault).toHaveBeenCalledWith(mockWorkspaceId, mockPersonalityId);

109
apps/api/src/personalities/personalities.controller.ts
View File

@@ -6,122 +6,105 @@ import {
Delete, Delete,
Body, Body,
Param, Param,
Query,
UseGuards, UseGuards,
Req,
HttpCode, HttpCode,
HttpStatus, HttpStatus,
} from "@nestjs/common"; } from "@nestjs/common";
import { AuthGuard } from "../auth/guards/auth.guard"; import { AuthGuard } from "../auth/guards/auth.guard";
import { WorkspaceGuard, PermissionGuard } from "../common/guards";
import { Workspace, Permission, RequirePermission } from "../common/decorators";
import { PersonalitiesService } from "./personalities.service"; import { PersonalitiesService } from "./personalities.service";
import { CreatePersonalityDto } from "./dto/create-personality.dto"; import { CreatePersonalityDto, UpdatePersonalityDto } from "./dto";
import { UpdatePersonalityDto } from "./dto/update-personality.dto"; import { Personality } from "./entities/personality.entity";
import { PersonalityQueryDto } from "./dto/personality-query.dto";
import type { PersonalityResponse } from "./entities/personality.entity"; interface AuthenticatedRequest {
user: { id: string };
workspaceId: string;
}
/** /**
* Controller for personality CRUD endpoints. * Controller for managing personality/assistant configurations
* Route: /api/personalities
*
* Guards applied in order:
* 1. AuthGuard - verifies the user is authenticated
* 2. WorkspaceGuard - validates workspace access
* 3. PermissionGuard - checks role-based permissions
*/ */
@Controller("personalities") @Controller("personality")
@UseGuards(AuthGuard, WorkspaceGuard, PermissionGuard) @UseGuards(AuthGuard)
export class PersonalitiesController { export class PersonalitiesController {
constructor(private readonly personalitiesService: PersonalitiesService) {} constructor(private readonly personalitiesService: PersonalitiesService) {}
/** /**
* GET /api/personalities * List all personalities for the workspace
* List all personalities for the workspace.
* Supports ?isActive=true|false filter.
*/ */
@Get() @Get()
@RequirePermission(Permission.WORKSPACE_ANY) async findAll(@Req() req: AuthenticatedRequest): Promise<Personality[]> {
async findAll( return this.personalitiesService.findAll(req.workspaceId);
@Workspace() workspaceId: string,
@Query() query: PersonalityQueryDto
): Promise<{ success: true; data: PersonalityResponse[] }> {
const data = await this.personalitiesService.findAll(workspaceId, query);
return { success: true, data };
} }
/** /**
* GET /api/personalities/default * Get the default personality for the workspace
* Get the default personality for the workspace.
* Must be declared before :id to avoid route conflicts.
*/ */
@Get("default") @Get("default")
@RequirePermission(Permission.WORKSPACE_ANY) async findDefault(@Req() req: AuthenticatedRequest): Promise<Personality> {
async findDefault(@Workspace() workspaceId: string): Promise<PersonalityResponse> { return this.personalitiesService.findDefault(req.workspaceId);
return this.personalitiesService.findDefault(workspaceId);
} }
/** /**
* GET /api/personalities/:id * Get a personality by its unique name
* Get a single personality by ID. */
@Get("by-name/:name")
async findByName(
@Req() req: AuthenticatedRequest,
@Param("name") name: string
): Promise<Personality> {
return this.personalitiesService.findByName(req.workspaceId, name);
}
/**
* Get a personality by ID
*/ */
@Get(":id") @Get(":id")
@RequirePermission(Permission.WORKSPACE_ANY) async findOne(@Req() req: AuthenticatedRequest, @Param("id") id: string): Promise<Personality> {
async findOne( return this.personalitiesService.findOne(req.workspaceId, id);
@Workspace() workspaceId: string,
@Param("id") id: string
): Promise<PersonalityResponse> {
return this.personalitiesService.findOne(workspaceId, id);
} }
/** /**
* POST /api/personalities * Create a new personality
* Create a new personality.
*/ */
@Post() @Post()
@HttpCode(HttpStatus.CREATED) @HttpCode(HttpStatus.CREATED)
@RequirePermission(Permission.WORKSPACE_MEMBER)
async create( async create(
@Workspace() workspaceId: string, @Req() req: AuthenticatedRequest,
@Body() dto: CreatePersonalityDto @Body() dto: CreatePersonalityDto
): Promise<PersonalityResponse> { ): Promise<Personality> {
return this.personalitiesService.create(workspaceId, dto); return this.personalitiesService.create(req.workspaceId, dto);
} }
/** /**
* PATCH /api/personalities/:id * Update a personality
* Update an existing personality.
*/ */
@Patch(":id") @Patch(":id")
@RequirePermission(Permission.WORKSPACE_MEMBER)
async update( async update(
@Workspace() workspaceId: string, @Req() req: AuthenticatedRequest,
@Param("id") id: string, @Param("id") id: string,
@Body() dto: UpdatePersonalityDto @Body() dto: UpdatePersonalityDto
): Promise<PersonalityResponse> { ): Promise<Personality> {
return this.personalitiesService.update(workspaceId, id, dto); return this.personalitiesService.update(req.workspaceId, id, dto);
} }
/** /**
* DELETE /api/personalities/:id * Delete a personality
* Delete a personality.
*/ */
@Delete(":id") @Delete(":id")
@HttpCode(HttpStatus.NO_CONTENT) @HttpCode(HttpStatus.NO_CONTENT)
@RequirePermission(Permission.WORKSPACE_MEMBER) async delete(@Req() req: AuthenticatedRequest, @Param("id") id: string): Promise<void> {
async delete(@Workspace() workspaceId: string, @Param("id") id: string): Promise<void> { return this.personalitiesService.delete(req.workspaceId, id);
return this.personalitiesService.delete(workspaceId, id);
} }
/** /**
* POST /api/personalities/:id/set-default * Set a personality as the default
* Convenience endpoint to set a personality as the default.
*/ */
@Post(":id/set-default") @Post(":id/set-default")
@RequirePermission(Permission.WORKSPACE_MEMBER)
async setDefault( async setDefault(
@Workspace() workspaceId: string, @Req() req: AuthenticatedRequest,
@Param("id") id: string @Param("id") id: string
): Promise<PersonalityResponse> { ): Promise<Personality> {
return this.personalitiesService.setDefault(workspaceId, id); return this.personalitiesService.setDefault(req.workspaceId, id);
} }
} }

246
apps/api/src/personalities/personalities.service.spec.ts
View File

@@ -2,10 +2,8 @@ import { describe, it, expect, beforeEach, vi } from "vitest";
import { Test, TestingModule } from "@nestjs/testing"; import { Test, TestingModule } from "@nestjs/testing";
import { PersonalitiesService } from "./personalities.service"; import { PersonalitiesService } from "./personalities.service";
import { PrismaService } from "../prisma/prisma.service"; import { PrismaService } from "../prisma/prisma.service";
import type { CreatePersonalityDto } from "./dto/create-personality.dto"; import { CreatePersonalityDto, UpdatePersonalityDto } from "./dto";
import type { UpdatePersonalityDto } from "./dto/update-personality.dto";
import { NotFoundException, ConflictException } from "@nestjs/common"; import { NotFoundException, ConflictException } from "@nestjs/common";
import { FormalityLevel } from "@prisma/client";
describe("PersonalitiesService", () => { describe("PersonalitiesService", () => {
let service: PersonalitiesService; let service: PersonalitiesService;
@@ -13,39 +11,22 @@ describe("PersonalitiesService", () => {
const mockWorkspaceId = "workspace-123"; const mockWorkspaceId = "workspace-123";
const mockPersonalityId = "personality-123"; const mockPersonalityId = "personality-123";
const mockProviderId = "provider-123";
/** Raw Prisma record shape (uses Prisma field names) */ const mockPersonality = {
const mockPrismaRecord = {
id: mockPersonalityId, id: mockPersonalityId,
workspaceId: mockWorkspaceId, workspaceId: mockWorkspaceId,
name: "professional-assistant", name: "professional-assistant",
displayName: "Professional Assistant", displayName: "Professional Assistant",
description: "A professional communication assistant", description: "A professional communication assistant",
tone: "professional",
formalityLevel: FormalityLevel.FORMAL,
systemPrompt: "You are a professional assistant who helps with tasks.", systemPrompt: "You are a professional assistant who helps with tasks.",
temperature: 0.7, temperature: 0.7,
maxTokens: 2000, maxTokens: 2000,
llmProviderInstanceId: "provider-123", llmProviderInstanceId: mockProviderId,
isDefault: true, isDefault: true,
isEnabled: true, isEnabled: true,
createdAt: new Date("2026-01-01"), createdAt: new Date(),
updatedAt: new Date("2026-01-01"), updatedAt: new Date(),
};
/** Expected API response shape (uses frontend field names) */
const mockResponse = {
id: mockPersonalityId,
workspaceId: mockWorkspaceId,
name: "professional-assistant",
description: "A professional communication assistant",
tone: "professional",
formalityLevel: FormalityLevel.FORMAL,
systemPromptTemplate: "You are a professional assistant who helps with tasks.",
isDefault: true,
isActive: true,
createdAt: new Date("2026-01-01"),
updatedAt: new Date("2026-01-01"),
}; };
const mockPrismaService = { const mockPrismaService = {
@@ -56,7 +37,9 @@ describe("PersonalitiesService", () => {
create: vi.fn(), create: vi.fn(),
update: vi.fn(), update: vi.fn(),
delete: vi.fn(), delete: vi.fn(),
count: vi.fn(),
}, },
$transaction: vi.fn((callback) => callback(mockPrismaService)),
}; };
beforeEach(async () => { beforeEach(async () => {
@@ -73,54 +56,44 @@ describe("PersonalitiesService", () => {
service = module.get<PersonalitiesService>(PersonalitiesService); service = module.get<PersonalitiesService>(PersonalitiesService);
prisma = module.get<PrismaService>(PrismaService); prisma = module.get<PrismaService>(PrismaService);
// Reset mocks
vi.clearAllMocks(); vi.clearAllMocks();
}); });
describe("create", () => { describe("create", () => {
const createDto: CreatePersonalityDto = { const createDto: CreatePersonalityDto = {
name: "casual-helper", name: "casual-helper",
displayName: "Casual Helper",
description: "A casual communication helper", description: "A casual communication helper",
tone: "casual", systemPrompt: "You are a casual assistant.",
formalityLevel: FormalityLevel.CASUAL, temperature: 0.8,
systemPromptTemplate: "You are a casual assistant.", maxTokens: 1500,
isDefault: false, llmProviderInstanceId: mockProviderId,
isActive: true,
}; };
const createdRecord = { it("should create a new personality", async () => {
...mockPrismaRecord,
name: createDto.name,
description: createDto.description,
tone: createDto.tone,
formalityLevel: createDto.formalityLevel,
systemPrompt: createDto.systemPromptTemplate,
isDefault: false,
isEnabled: true,
id: "new-personality-id",
};
it("should create a new personality and return API response shape", async () => {
mockPrismaService.personality.findFirst.mockResolvedValue(null); mockPrismaService.personality.findFirst.mockResolvedValue(null);
mockPrismaService.personality.create.mockResolvedValue(createdRecord); mockPrismaService.personality.create.mockResolvedValue({
...mockPersonality,
...createDto,
id: "new-personality-id",
isDefault: false,
isEnabled: true,
});
const result = await service.create(mockWorkspaceId, createDto); const result = await service.create(mockWorkspaceId, createDto);
expect(result.name).toBe(createDto.name); expect(result).toMatchObject(createDto);
expect(result.tone).toBe(createDto.tone);
expect(result.formalityLevel).toBe(createDto.formalityLevel);
expect(result.systemPromptTemplate).toBe(createDto.systemPromptTemplate);
expect(result.isActive).toBe(true);
expect(result.isDefault).toBe(false);
expect(prisma.personality.create).toHaveBeenCalledWith({ expect(prisma.personality.create).toHaveBeenCalledWith({
data: { data: {
workspaceId: mockWorkspaceId, workspaceId: mockWorkspaceId,
name: createDto.name, name: createDto.name,
displayName: createDto.name, displayName: createDto.displayName,
description: createDto.description ?? null, description: createDto.description ?? null,
tone: createDto.tone, systemPrompt: createDto.systemPrompt,
formalityLevel: createDto.formalityLevel, temperature: createDto.temperature ?? null,
systemPrompt: createDto.systemPromptTemplate, maxTokens: createDto.maxTokens ?? null,
llmProviderInstanceId: createDto.llmProviderInstanceId ?? null,
isDefault: false, isDefault: false,
isEnabled: true, isEnabled: true,
}, },
@@ -128,73 +101,68 @@ describe("PersonalitiesService", () => {
}); });
it("should throw ConflictException when name already exists", async () => { it("should throw ConflictException when name already exists", async () => {
mockPrismaService.personality.findFirst.mockResolvedValue(mockPrismaRecord); mockPrismaService.personality.findFirst.mockResolvedValue(mockPersonality);
await expect(service.create(mockWorkspaceId, createDto)).rejects.toThrow(ConflictException); await expect(service.create(mockWorkspaceId, createDto)).rejects.toThrow(ConflictException);
}); });
it("should unset other defaults when creating a new default personality", async () => { it("should unset other defaults when creating a new default personality", async () => {
const createDefaultDto: CreatePersonalityDto = { ...createDto, isDefault: true }; const createDefaultDto = { ...createDto, isDefault: true };
const otherDefault = { ...mockPrismaRecord, id: "other-id" }; // First call to findFirst checks for name conflict (should be null)
// Second call to findFirst finds the existing default personality
mockPrismaService.personality.findFirst mockPrismaService.personality.findFirst
.mockResolvedValueOnce(null) // name conflict check .mockResolvedValueOnce(null) // No name conflict
.mockResolvedValueOnce(otherDefault); // existing default lookup .mockResolvedValueOnce(mockPersonality); // Existing default
mockPrismaService.personality.update.mockResolvedValue({ ...otherDefault, isDefault: false }); mockPrismaService.personality.update.mockResolvedValue({
...mockPersonality,
isDefault: false,
});
mockPrismaService.personality.create.mockResolvedValue({ mockPrismaService.personality.create.mockResolvedValue({
...createdRecord, ...mockPersonality,
isDefault: true, ...createDefaultDto,
}); });
await service.create(mockWorkspaceId, createDefaultDto); await service.create(mockWorkspaceId, createDefaultDto);
expect(prisma.personality.update).toHaveBeenCalledWith({ expect(prisma.personality.update).toHaveBeenCalledWith({
where: { id: "other-id" }, where: { id: mockPersonalityId },
data: { isDefault: false }, data: { isDefault: false },
}); });
}); });
}); });
describe("findAll", () => { describe("findAll", () => {
it("should return mapped response list for a workspace", async () => { it("should return all personalities for a workspace", async () => {
mockPrismaService.personality.findMany.mockResolvedValue([mockPrismaRecord]); const mockPersonalities = [mockPersonality];
mockPrismaService.personality.findMany.mockResolvedValue(mockPersonalities);
const result = await service.findAll(mockWorkspaceId); const result = await service.findAll(mockWorkspaceId);
expect(result).toHaveLength(1); expect(result).toEqual(mockPersonalities);
expect(result[0]).toEqual(mockResponse);
expect(prisma.personality.findMany).toHaveBeenCalledWith({ expect(prisma.personality.findMany).toHaveBeenCalledWith({
where: { workspaceId: mockWorkspaceId }, where: { workspaceId: mockWorkspaceId },
orderBy: [{ isDefault: "desc" }, { name: "asc" }], orderBy: [{ isDefault: "desc" }, { name: "asc" }],
}); });
}); });
it("should filter by isActive when provided", async () => {
mockPrismaService.personality.findMany.mockResolvedValue([mockPrismaRecord]);
await service.findAll(mockWorkspaceId, { isActive: true });
expect(prisma.personality.findMany).toHaveBeenCalledWith({
where: { workspaceId: mockWorkspaceId, isEnabled: true },
orderBy: [{ isDefault: "desc" }, { name: "asc" }],
});
});
}); });
describe("findOne", () => { describe("findOne", () => {
it("should return a mapped personality response by id", async () => { it("should return a personality by id", async () => {
mockPrismaService.personality.findFirst.mockResolvedValue(mockPrismaRecord); mockPrismaService.personality.findUnique.mockResolvedValue(mockPersonality);
const result = await service.findOne(mockWorkspaceId, mockPersonalityId); const result = await service.findOne(mockWorkspaceId, mockPersonalityId);
expect(result).toEqual(mockResponse); expect(result).toEqual(mockPersonality);
expect(prisma.personality.findFirst).toHaveBeenCalledWith({ expect(prisma.personality.findUnique).toHaveBeenCalledWith({
where: { id: mockPersonalityId, workspaceId: mockWorkspaceId }, where: {
id: mockPersonalityId,
workspaceId: mockWorkspaceId,
},
}); });
}); });
it("should throw NotFoundException when personality not found", async () => { it("should throw NotFoundException when personality not found", async () => {
mockPrismaService.personality.findFirst.mockResolvedValue(null); mockPrismaService.personality.findUnique.mockResolvedValue(null);
await expect(service.findOne(mockWorkspaceId, mockPersonalityId)).rejects.toThrow( await expect(service.findOne(mockWorkspaceId, mockPersonalityId)).rejects.toThrow(
NotFoundException NotFoundException
@@ -203,14 +171,17 @@ describe("PersonalitiesService", () => {
}); });
describe("findByName", () => { describe("findByName", () => {
it("should return a mapped personality response by name", async () => { it("should return a personality by name", async () => {
mockPrismaService.personality.findFirst.mockResolvedValue(mockPrismaRecord); mockPrismaService.personality.findFirst.mockResolvedValue(mockPersonality);
const result = await service.findByName(mockWorkspaceId, "professional-assistant"); const result = await service.findByName(mockWorkspaceId, "professional-assistant");
expect(result).toEqual(mockResponse); expect(result).toEqual(mockPersonality);
expect(prisma.personality.findFirst).toHaveBeenCalledWith({ expect(prisma.personality.findFirst).toHaveBeenCalledWith({
where: { workspaceId: mockWorkspaceId, name: "professional-assistant" }, where: {
workspaceId: mockWorkspaceId,
name: "professional-assistant",
},
}); });
}); });
@@ -225,11 +196,11 @@ describe("PersonalitiesService", () => {
describe("findDefault", () => { describe("findDefault", () => {
it("should return the default personality", async () => { it("should return the default personality", async () => {
mockPrismaService.personality.findFirst.mockResolvedValue(mockPrismaRecord); mockPrismaService.personality.findFirst.mockResolvedValue(mockPersonality);
const result = await service.findDefault(mockWorkspaceId); const result = await service.findDefault(mockWorkspaceId);
expect(result).toEqual(mockResponse); expect(result).toEqual(mockPersonality);
expect(prisma.personality.findFirst).toHaveBeenCalledWith({ expect(prisma.personality.findFirst).toHaveBeenCalledWith({
where: { workspaceId: mockWorkspaceId, isDefault: true, isEnabled: true }, where: { workspaceId: mockWorkspaceId, isDefault: true, isEnabled: true },
}); });
@@ -245,45 +216,41 @@ describe("PersonalitiesService", () => {
describe("update", () => { describe("update", () => {
const updateDto: UpdatePersonalityDto = { const updateDto: UpdatePersonalityDto = {
description: "Updated description", description: "Updated description",
tone: "formal", temperature: 0.9,
isActive: false,
}; };
it("should update a personality and return mapped response", async () => { it("should update a personality", async () => {
const updatedRecord = { mockPrismaService.personality.findUnique.mockResolvedValue(mockPersonality);
...mockPrismaRecord, mockPrismaService.personality.findFirst.mockResolvedValue(null);
description: updateDto.description, mockPrismaService.personality.update.mockResolvedValue({
tone: updateDto.tone, ...mockPersonality,
isEnabled: false, ...updateDto,
}; });
mockPrismaService.personality.findFirst
.mockResolvedValueOnce(mockPrismaRecord) // findOne check
.mockResolvedValueOnce(null); // name conflict check (no dto.name here)
mockPrismaService.personality.update.mockResolvedValue(updatedRecord);
const result = await service.update(mockWorkspaceId, mockPersonalityId, updateDto); const result = await service.update(mockWorkspaceId, mockPersonalityId, updateDto);
expect(result.description).toBe(updateDto.description); expect(result).toMatchObject(updateDto);
expect(result.tone).toBe(updateDto.tone); expect(prisma.personality.update).toHaveBeenCalledWith({
expect(result.isActive).toBe(false); where: { id: mockPersonalityId },
data: updateDto,
});
}); });
it("should throw NotFoundException when personality not found", async () => { it("should throw NotFoundException when personality not found", async () => {
mockPrismaService.personality.findFirst.mockResolvedValue(null); mockPrismaService.personality.findUnique.mockResolvedValue(null);
await expect(service.update(mockWorkspaceId, mockPersonalityId, updateDto)).rejects.toThrow( await expect(service.update(mockWorkspaceId, mockPersonalityId, updateDto)).rejects.toThrow(
NotFoundException NotFoundException
); );
}); });
it("should throw ConflictException when updating to an existing name", async () => { it("should throw ConflictException when updating to existing name", async () => {
const updateNameDto: UpdatePersonalityDto = { name: "existing-name" }; const updateNameDto = { name: "existing-name" };
const conflictRecord = { ...mockPrismaRecord, id: "different-id" }; mockPrismaService.personality.findUnique.mockResolvedValue(mockPersonality);
mockPrismaService.personality.findFirst.mockResolvedValue({
mockPrismaService.personality.findFirst ...mockPersonality,
.mockResolvedValueOnce(mockPrismaRecord) // findOne check id: "different-id",
.mockResolvedValueOnce(conflictRecord); // name conflict });
await expect( await expect(
service.update(mockWorkspaceId, mockPersonalityId, updateNameDto) service.update(mockWorkspaceId, mockPersonalityId, updateNameDto)
@@ -291,16 +258,14 @@ describe("PersonalitiesService", () => {
}); });
it("should unset other defaults when setting as default", async () => { it("should unset other defaults when setting as default", async () => {
const updateDefaultDto: UpdatePersonalityDto = { isDefault: true }; const updateDefaultDto = { isDefault: true };
const otherPersonality = { ...mockPrismaRecord, id: "other-id", isDefault: true }; const otherPersonality = { ...mockPersonality, id: "other-id", isDefault: true };
const updatedRecord = { ...mockPrismaRecord, isDefault: true };
mockPrismaService.personality.findFirst mockPrismaService.personality.findUnique.mockResolvedValue(mockPersonality);
.mockResolvedValueOnce(mockPrismaRecord) // findOne check mockPrismaService.personality.findFirst.mockResolvedValue(otherPersonality); // Existing default from unsetOtherDefaults
.mockResolvedValueOnce(otherPersonality); // unsetOtherDefaults lookup
mockPrismaService.personality.update mockPrismaService.personality.update
.mockResolvedValueOnce({ ...otherPersonality, isDefault: false }) .mockResolvedValueOnce({ ...otherPersonality, isDefault: false }) // Unset old default
.mockResolvedValueOnce(updatedRecord); .mockResolvedValueOnce({ ...mockPersonality, isDefault: true }); // Set new default
await service.update(mockWorkspaceId, mockPersonalityId, updateDefaultDto); await service.update(mockWorkspaceId, mockPersonalityId, updateDefaultDto);
@@ -308,12 +273,16 @@ describe("PersonalitiesService", () => {
where: { id: "other-id" }, where: { id: "other-id" },
data: { isDefault: false }, data: { isDefault: false },
}); });
expect(prisma.personality.update).toHaveBeenNthCalledWith(2, {
where: { id: mockPersonalityId },
data: updateDefaultDto,
});
}); });
}); });
describe("delete", () => { describe("delete", () => {
it("should delete a personality", async () => { it("should delete a personality", async () => {
mockPrismaService.personality.findFirst.mockResolvedValue(mockPrismaRecord); mockPrismaService.personality.findUnique.mockResolvedValue(mockPersonality);
mockPrismaService.personality.delete.mockResolvedValue(undefined); mockPrismaService.personality.delete.mockResolvedValue(undefined);
await service.delete(mockWorkspaceId, mockPersonalityId); await service.delete(mockWorkspaceId, mockPersonalityId);
@@ -324,7 +293,7 @@ describe("PersonalitiesService", () => {
}); });
it("should throw NotFoundException when personality not found", async () => { it("should throw NotFoundException when personality not found", async () => {
mockPrismaService.personality.findFirst.mockResolvedValue(null); mockPrismaService.personality.findUnique.mockResolvedValue(null);
await expect(service.delete(mockWorkspaceId, mockPersonalityId)).rejects.toThrow( await expect(service.delete(mockWorkspaceId, mockPersonalityId)).rejects.toThrow(
NotFoundException NotFoundException
@@ -334,27 +303,30 @@ describe("PersonalitiesService", () => {
describe("setDefault", () => { describe("setDefault", () => {
it("should set a personality as default", async () => { it("should set a personality as default", async () => {
const otherPersonality = { ...mockPrismaRecord, id: "other-id", isDefault: true }; const otherPersonality = { ...mockPersonality, id: "other-id", isDefault: true };
const updatedRecord = { ...mockPrismaRecord, isDefault: true }; const updatedPersonality = { ...mockPersonality, isDefault: true };
mockPrismaService.personality.findFirst mockPrismaService.personality.findUnique.mockResolvedValue(mockPersonality);
.mockResolvedValueOnce(mockPrismaRecord) // findOne check mockPrismaService.personality.findFirst.mockResolvedValue(otherPersonality);
.mockResolvedValueOnce(otherPersonality); // unsetOtherDefaults lookup
mockPrismaService.personality.update mockPrismaService.personality.update
.mockResolvedValueOnce({ ...otherPersonality, isDefault: false }) .mockResolvedValueOnce({ ...otherPersonality, isDefault: false }) // Unset old default
.mockResolvedValueOnce(updatedRecord); .mockResolvedValueOnce(updatedPersonality); // Set new default
const result = await service.setDefault(mockWorkspaceId, mockPersonalityId); const result = await service.setDefault(mockWorkspaceId, mockPersonalityId);
expect(result.isDefault).toBe(true); expect(result).toMatchObject({ isDefault: true });
expect(prisma.personality.update).toHaveBeenCalledWith({ expect(prisma.personality.update).toHaveBeenNthCalledWith(1, {
where: { id: "other-id" },
data: { isDefault: false },
});
expect(prisma.personality.update).toHaveBeenNthCalledWith(2, {
where: { id: mockPersonalityId }, where: { id: mockPersonalityId },
data: { isDefault: true }, data: { isDefault: true },
}); });
}); });
it("should throw NotFoundException when personality not found", async () => { it("should throw NotFoundException when personality not found", async () => {
mockPrismaService.personality.findFirst.mockResolvedValue(null); mockPrismaService.personality.findUnique.mockResolvedValue(null);
await expect(service.setDefault(mockWorkspaceId, mockPersonalityId)).rejects.toThrow( await expect(service.setDefault(mockWorkspaceId, mockPersonalityId)).rejects.toThrow(
NotFoundException NotFoundException

133
apps/api/src/personalities/personalities.service.ts
View File

@@ -1,17 +1,10 @@
import { Injectable, NotFoundException, ConflictException, Logger } from "@nestjs/common"; import { Injectable, NotFoundException, ConflictException, Logger } from "@nestjs/common";
import type { FormalityLevel, Personality } from "@prisma/client";
import { PrismaService } from "../prisma/prisma.service"; import { PrismaService } from "../prisma/prisma.service";
import type { CreatePersonalityDto } from "./dto/create-personality.dto"; import { CreatePersonalityDto, UpdatePersonalityDto } from "./dto";
import type { UpdatePersonalityDto } from "./dto/update-personality.dto"; import { Personality } from "./entities/personality.entity";
import type { PersonalityQueryDto } from "./dto/personality-query.dto";
import type { PersonalityResponse } from "./entities/personality.entity";
/** /**
* Service for managing personality/assistant configurations. * Service for managing personality/assistant configurations
*
* Field mapping:
* Prisma `systemPrompt` <-> API/frontend `systemPromptTemplate`
* Prisma `isEnabled` <-> API/frontend `isActive`
*/ */
@Injectable() @Injectable()
export class PersonalitiesService { export class PersonalitiesService {
@@ -19,30 +12,11 @@ export class PersonalitiesService {
constructor(private readonly prisma: PrismaService) {} constructor(private readonly prisma: PrismaService) {}
/**
* Map a Prisma Personality record to the API response shape.
*/
private toResponse(personality: Personality): PersonalityResponse {
return {
id: personality.id,
workspaceId: personality.workspaceId,
name: personality.name,
description: personality.description,
tone: personality.tone,
formalityLevel: personality.formalityLevel,
systemPromptTemplate: personality.systemPrompt,
isDefault: personality.isDefault,
isActive: personality.isEnabled,
createdAt: personality.createdAt,
updatedAt: personality.updatedAt,
};
}
/** /**
* Create a new personality * Create a new personality
*/ */
async create(workspaceId: string, dto: CreatePersonalityDto): Promise<PersonalityResponse> { async create(workspaceId: string, dto: CreatePersonalityDto): Promise<Personality> {
// Check for duplicate name within workspace // Check for duplicate name
const existing = await this.prisma.personality.findFirst({ const existing = await this.prisma.personality.findFirst({
where: { workspaceId, name: dto.name }, where: { workspaceId, name: dto.name },
}); });
@@ -51,7 +25,7 @@ export class PersonalitiesService {
throw new ConflictException(`Personality with name "${dto.name}" already exists`); throw new ConflictException(`Personality with name "${dto.name}" already exists`);
} }
// If creating as default, unset other defaults first // If creating a default personality, unset other defaults
if (dto.isDefault) { if (dto.isDefault) {
await this.unsetOtherDefaults(workspaceId); await this.unsetOtherDefaults(workspaceId);
} }
@@ -60,43 +34,36 @@ export class PersonalitiesService {
data: { data: {
workspaceId, workspaceId,
name: dto.name, name: dto.name,
displayName: dto.name, // use name as displayName since frontend doesn't send displayName separately displayName: dto.displayName,
description: dto.description ?? null, description: dto.description ?? null,
tone: dto.tone, systemPrompt: dto.systemPrompt,
formalityLevel: dto.formalityLevel, temperature: dto.temperature ?? null,
systemPrompt: dto.systemPromptTemplate, maxTokens: dto.maxTokens ?? null,
llmProviderInstanceId: dto.llmProviderInstanceId ?? null,
isDefault: dto.isDefault ?? false, isDefault: dto.isDefault ?? false,
isEnabled: dto.isActive ?? true, isEnabled: dto.isEnabled ?? true,
}, },
}); });
this.logger.log(`Created personality ${personality.id} for workspace ${workspaceId}`); this.logger.log(`Created personality ${personality.id} for workspace ${workspaceId}`);
return this.toResponse(personality); return personality;
} }
/** /**
* Find all personalities for a workspace with optional active filter * Find all personalities for a workspace
*/ */
async findAll(workspaceId: string, query?: PersonalityQueryDto): Promise<PersonalityResponse[]> { async findAll(workspaceId: string): Promise<Personality[]> {
const where: { workspaceId: string; isEnabled?: boolean } = { workspaceId }; return this.prisma.personality.findMany({
where: { workspaceId },
if (query?.isActive !== undefined) {
where.isEnabled = query.isActive;
}
const personalities = await this.prisma.personality.findMany({
where,
orderBy: [{ isDefault: "desc" }, { name: "asc" }], orderBy: [{ isDefault: "desc" }, { name: "asc" }],
}); });
return personalities.map((p) => this.toResponse(p));
} }
/** /**
* Find a specific personality by ID * Find a specific personality by ID
*/ */
async findOne(workspaceId: string, id: string): Promise<PersonalityResponse> { async findOne(workspaceId: string, id: string): Promise<Personality> {
const personality = await this.prisma.personality.findFirst({ const personality = await this.prisma.personality.findUnique({
where: { id, workspaceId }, where: { id, workspaceId },
}); });
@@ -104,13 +71,13 @@ export class PersonalitiesService {
throw new NotFoundException(`Personality with ID ${id} not found`); throw new NotFoundException(`Personality with ID ${id} not found`);
} }
return this.toResponse(personality); return personality;
} }
/** /**
* Find a personality by name slug * Find a personality by name
*/ */
async findByName(workspaceId: string, name: string): Promise<PersonalityResponse> { async findByName(workspaceId: string, name: string): Promise<Personality> {
const personality = await this.prisma.personality.findFirst({ const personality = await this.prisma.personality.findFirst({
where: { workspaceId, name }, where: { workspaceId, name },
}); });
@@ -119,13 +86,13 @@ export class PersonalitiesService {
throw new NotFoundException(`Personality with name "${name}" not found`); throw new NotFoundException(`Personality with name "${name}" not found`);
} }
return this.toResponse(personality); return personality;
} }
/** /**
* Find the default (and enabled) personality for a workspace * Find the default personality for a workspace
*/ */
async findDefault(workspaceId: string): Promise<PersonalityResponse> { async findDefault(workspaceId: string): Promise<Personality> {
const personality = await this.prisma.personality.findFirst({ const personality = await this.prisma.personality.findFirst({
where: { workspaceId, isDefault: true, isEnabled: true }, where: { workspaceId, isDefault: true, isEnabled: true },
}); });
@@ -134,18 +101,14 @@ export class PersonalitiesService {
throw new NotFoundException(`No default personality found for workspace ${workspaceId}`); throw new NotFoundException(`No default personality found for workspace ${workspaceId}`);
} }
return this.toResponse(personality); return personality;
} }
/** /**
* Update an existing personality * Update an existing personality
*/ */
async update( async update(workspaceId: string, id: string, dto: UpdatePersonalityDto): Promise<Personality> {
workspaceId: string, // Check existence
id: string,
dto: UpdatePersonalityDto
): Promise<PersonalityResponse> {
// Verify existence
await this.findOne(workspaceId, id); await this.findOne(workspaceId, id);
// Check for duplicate name if updating name // Check for duplicate name if updating name
@@ -164,43 +127,20 @@ export class PersonalitiesService {
await this.unsetOtherDefaults(workspaceId, id); await this.unsetOtherDefaults(workspaceId, id);
} }
// Build update data with field mapping
const updateData: {
name?: string;
displayName?: string;
description?: string;
tone?: string;
formalityLevel?: FormalityLevel;
systemPrompt?: string;
isDefault?: boolean;
isEnabled?: boolean;
} = {};
if (dto.name !== undefined) {
updateData.name = dto.name;
updateData.displayName = dto.name;
}
if (dto.description !== undefined) updateData.description = dto.description;
if (dto.tone !== undefined) updateData.tone = dto.tone;
if (dto.formalityLevel !== undefined) updateData.formalityLevel = dto.formalityLevel;
if (dto.systemPromptTemplate !== undefined) updateData.systemPrompt = dto.systemPromptTemplate;
if (dto.isDefault !== undefined) updateData.isDefault = dto.isDefault;
if (dto.isActive !== undefined) updateData.isEnabled = dto.isActive;
const personality = await this.prisma.personality.update({ const personality = await this.prisma.personality.update({
where: { id }, where: { id },
data: updateData, data: dto,
}); });
this.logger.log(`Updated personality ${id} for workspace ${workspaceId}`); this.logger.log(`Updated personality ${id} for workspace ${workspaceId}`);
return this.toResponse(personality); return personality;
} }
/** /**
* Delete a personality * Delete a personality
*/ */
async delete(workspaceId: string, id: string): Promise<void> { async delete(workspaceId: string, id: string): Promise<void> {
// Verify existence // Check existence
await this.findOne(workspaceId, id); await this.findOne(workspaceId, id);
await this.prisma.personality.delete({ await this.prisma.personality.delete({
@@ -211,22 +151,23 @@ export class PersonalitiesService {
} }
/** /**
* Set a personality as the default (convenience endpoint) * Set a personality as the default
*/ */
async setDefault(workspaceId: string, id: string): Promise<PersonalityResponse> { async setDefault(workspaceId: string, id: string): Promise<Personality> {
// Verify existence // Check existence
await this.findOne(workspaceId, id); await this.findOne(workspaceId, id);
// Unset other defaults // Unset other defaults
await this.unsetOtherDefaults(workspaceId, id); await this.unsetOtherDefaults(workspaceId, id);
// Set this one as default
const personality = await this.prisma.personality.update({ const personality = await this.prisma.personality.update({
where: { id }, where: { id },
data: { isDefault: true }, data: { isDefault: true },
}); });
this.logger.log(`Set personality ${id} as default for workspace ${workspaceId}`); this.logger.log(`Set personality ${id} as default for workspace ${workspaceId}`);
return this.toResponse(personality); return personality;
} }
/** /**
@@ -237,7 +178,7 @@ export class PersonalitiesService {
where: { where: {
workspaceId, workspaceId,
isDefault: true, isDefault: true,
...(excludeId !== undefined && { id: { not: excludeId } }), ...(excludeId && { id: { not: excludeId } }),
}, },
}); });

Some files were not shown because too many files have changed in this diff Show More