Compare commits
1 Commits
feat/ms22-
...
chore/ms22
| Author | SHA1 | Date | |
|---|---|---|---|
| fab833a710 |
@@ -39,7 +39,6 @@ import { JobStepsModule } from "./job-steps/job-steps.module";
|
||||
import { CoordinatorIntegrationModule } from "./coordinator-integration/coordinator-integration.module";
|
||||
import { FederationModule } from "./federation/federation.module";
|
||||
import { CredentialsModule } from "./credentials/credentials.module";
|
||||
import { CryptoModule } from "./crypto/crypto.module";
|
||||
import { MosaicTelemetryModule } from "./mosaic-telemetry";
|
||||
import { SpeechModule } from "./speech/speech.module";
|
||||
import { DashboardModule } from "./dashboard/dashboard.module";
|
||||
@@ -112,7 +111,6 @@ import { RlsContextInterceptor } from "./common/interceptors/rls-context.interce
|
||||
CoordinatorIntegrationModule,
|
||||
FederationModule,
|
||||
CredentialsModule,
|
||||
CryptoModule,
|
||||
MosaicTelemetryModule,
|
||||
SpeechModule,
|
||||
DashboardModule,
|
||||
|
||||
@@ -1,10 +0,0 @@
|
||||
import { Module } from "@nestjs/common";
|
||||
import { ConfigModule } from "@nestjs/config";
|
||||
import { CryptoService } from "./crypto.service";
|
||||
|
||||
@Module({
|
||||
imports: [ConfigModule],
|
||||
providers: [CryptoService],
|
||||
exports: [CryptoService],
|
||||
})
|
||||
export class CryptoModule {}
|
||||
@@ -1,71 +0,0 @@
|
||||
import { describe, it, expect, beforeEach } from "vitest";
|
||||
import { ConfigService } from "@nestjs/config";
|
||||
import { CryptoService } from "./crypto.service";
|
||||
|
||||
function createConfigService(secret?: string): ConfigService {
|
||||
return {
|
||||
get: (key: string) => {
|
||||
if (key === "MOSAIC_SECRET_KEY") {
|
||||
return secret;
|
||||
}
|
||||
return undefined;
|
||||
},
|
||||
} as unknown as ConfigService;
|
||||
}
|
||||
|
||||
describe("CryptoService", () => {
|
||||
let service: CryptoService;
|
||||
|
||||
beforeEach(() => {
|
||||
service = new CryptoService(createConfigService("this-is-a-test-secret-key-with-32+chars"));
|
||||
});
|
||||
|
||||
it("encrypt -> decrypt roundtrip", () => {
|
||||
const plaintext = "my-secret-api-key";
|
||||
|
||||
const encrypted = service.encrypt(plaintext);
|
||||
const decrypted = service.decrypt(encrypted);
|
||||
|
||||
expect(encrypted.startsWith("enc:")).toBe(true);
|
||||
expect(decrypted).toBe(plaintext);
|
||||
});
|
||||
|
||||
it("decrypt rejects tampered ciphertext", () => {
|
||||
const encrypted = service.encrypt("sensitive-token");
|
||||
const payload = encrypted.slice(4);
|
||||
const bytes = Buffer.from(payload, "base64");
|
||||
|
||||
bytes[bytes.length - 1] = bytes[bytes.length - 1]! ^ 0xff;
|
||||
|
||||
const tampered = `enc:${bytes.toString("base64")}`;
|
||||
|
||||
expect(() => service.decrypt(tampered)).toThrow();
|
||||
});
|
||||
|
||||
it("decrypt rejects non-encrypted string", () => {
|
||||
expect(() => service.decrypt("plain-text-value")).toThrow();
|
||||
});
|
||||
|
||||
it("isEncrypted detects prefix correctly", () => {
|
||||
expect(service.isEncrypted("enc:abc")).toBe(true);
|
||||
expect(service.isEncrypted("ENC:abc")).toBe(false);
|
||||
expect(service.isEncrypted("plain-text")).toBe(false);
|
||||
});
|
||||
|
||||
it("generateToken returns 64-char hex string", () => {
|
||||
const token = service.generateToken();
|
||||
|
||||
expect(token).toMatch(/^[0-9a-f]{64}$/);
|
||||
});
|
||||
|
||||
it("different plaintexts produce different ciphertexts (random IV)", () => {
|
||||
const encryptedA = service.encrypt("value-a");
|
||||
const encryptedB = service.encrypt("value-b");
|
||||
|
||||
expect(encryptedA).not.toBe(encryptedB);
|
||||
});
|
||||
|
||||
it("missing MOSAIC_SECRET_KEY throws on construction", () => {
|
||||
expect(() => new CryptoService(createConfigService(undefined))).toThrow();
|
||||
});
|
||||
});
|
||||
@@ -1,82 +0,0 @@
|
||||
import { Injectable } from "@nestjs/common";
|
||||
import { ConfigService } from "@nestjs/config";
|
||||
import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from "crypto";
|
||||
|
||||
const ALGORITHM = "aes-256-gcm";
|
||||
const ENCRYPTED_PREFIX = "enc:";
|
||||
const IV_LENGTH = 12;
|
||||
const AUTH_TAG_LENGTH = 16;
|
||||
const DERIVED_KEY_LENGTH = 32;
|
||||
const HKDF_SALT = "mosaic.crypto.v1";
|
||||
const HKDF_INFO = "mosaic-db-secret-encryption";
|
||||
|
||||
@Injectable()
|
||||
export class CryptoService {
|
||||
private readonly key: Buffer;
|
||||
|
||||
constructor(private readonly config: ConfigService) {
|
||||
const secret = this.config.get<string>("MOSAIC_SECRET_KEY");
|
||||
|
||||
if (!secret) {
|
||||
throw new Error("MOSAIC_SECRET_KEY environment variable is required");
|
||||
}
|
||||
|
||||
if (secret.length < 32) {
|
||||
throw new Error("MOSAIC_SECRET_KEY must be at least 32 characters");
|
||||
}
|
||||
|
||||
this.key = Buffer.from(
|
||||
hkdfSync(
|
||||
"sha256",
|
||||
Buffer.from(secret, "utf8"),
|
||||
Buffer.from(HKDF_SALT, "utf8"),
|
||||
Buffer.from(HKDF_INFO, "utf8"),
|
||||
DERIVED_KEY_LENGTH
|
||||
)
|
||||
);
|
||||
}
|
||||
|
||||
encrypt(plaintext: string): string {
|
||||
const iv = randomBytes(IV_LENGTH);
|
||||
const cipher = createCipheriv(ALGORITHM, this.key, iv);
|
||||
const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
|
||||
const authTag = cipher.getAuthTag();
|
||||
const payload = Buffer.concat([iv, ciphertext, authTag]).toString("base64");
|
||||
|
||||
return `${ENCRYPTED_PREFIX}${payload}`;
|
||||
}
|
||||
|
||||
decrypt(encrypted: string): string {
|
||||
if (!this.isEncrypted(encrypted)) {
|
||||
throw new Error("Value is not encrypted");
|
||||
}
|
||||
|
||||
const payloadBase64 = encrypted.slice(ENCRYPTED_PREFIX.length);
|
||||
|
||||
try {
|
||||
const payload = Buffer.from(payloadBase64, "base64");
|
||||
if (payload.length < IV_LENGTH + AUTH_TAG_LENGTH) {
|
||||
throw new Error("Encrypted payload is too short");
|
||||
}
|
||||
|
||||
const iv = payload.subarray(0, IV_LENGTH);
|
||||
const authTag = payload.subarray(payload.length - AUTH_TAG_LENGTH);
|
||||
const ciphertext = payload.subarray(IV_LENGTH, payload.length - AUTH_TAG_LENGTH);
|
||||
|
||||
const decipher = createDecipheriv(ALGORITHM, this.key, iv);
|
||||
decipher.setAuthTag(authTag);
|
||||
|
||||
return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
|
||||
} catch {
|
||||
throw new Error("Failed to decrypt value");
|
||||
}
|
||||
}
|
||||
|
||||
isEncrypted(value: string): boolean {
|
||||
return value.startsWith(ENCRYPTED_PREFIX);
|
||||
}
|
||||
|
||||
generateToken(): string {
|
||||
return randomBytes(32).toString("hex");
|
||||
}
|
||||
}
|
||||
@@ -71,3 +71,21 @@ Remaining estimate: ~143K tokens (Codex budget).
|
||||
| MS22-SKILL-001 | done | p0-knowledge | OpenClaw mosaic skill (agents read/write findings/memory) | TASKS:P0 | stack | feat/ms22-openclaw-skill | MS22-API-001,MS22-API-002 | MS22-VER-P0 | — | — | — | 15K | — | Skill in ~/.agents/skills/mosaic/ |
|
||||
| MS22-INGEST-001 | done | p0-knowledge | Session log ingestion pipeline (OpenClaw logs → ConvArchive) | TASKS:P0 | stack | feat/ms22-ingest | MS22-API-004 | MS22-VER-P0 | — | — | — | 20K | — | Script to batch-ingest existing logs |
|
||||
| MS22-VER-P0 | done | p0-knowledge | Phase 0 verification: all modules deployed + smoke tested | TASKS:P0 | stack | — | MS22-TEST-001,MS22-SKILL-001,MS22-INGEST-001,MS22-API-003 | — | — | — | — | 5K | — | |
|
||||
|
||||
## MS22 Phase 1: DB-Centric Agent Fleet (reworked)
|
||||
|
||||
Design doc: `docs/design/MS22-DB-CENTRIC-ARCHITECTURE.md`
|
||||
|
||||
| Task ID | Status | Phase | Description | Issue | Scope | Branch | Depends On | Blocks | Assigned Worker | Started | Completed | Est Tokens | Act Tokens | Notes |
|
||||
| -------- | ----------- | -------- | --------------------------------------------------------------------------------------------------------------------- | ----- | ------- | ---------------------------- | ---------- | --------------- | --------------- | ------- | --------- | ---------- | ---------- | ----- |
|
||||
| MS22-P1a | not-started | phase-1a | Prisma schema: SystemConfig, BreakglassUser, LlmProvider, UserContainer, SystemContainer, UserAgentConfig + migration | — | api | feat/ms22-p1a-schema | — | P1b,P1c,P1d,P1e | — | — | — | 20K | — | |
|
||||
| MS22-P1b | not-started | phase-1b | Encryption service (AES-256-GCM) for API keys and tokens | — | api | feat/ms22-p1b-crypto | — | P1c,P1e,P1g | — | — | — | 15K | — | |
|
||||
| MS22-P1c | not-started | phase-1c | Internal config endpoint: assemble openclaw.json from DB | — | api | feat/ms22-p1c-config-api | P1a,P1b | P1i,P1j | — | — | — | 20K | — | |
|
||||
| MS22-P1d | not-started | phase-1d | ContainerLifecycleService: Docker API (dockerode) start/stop/health/reap | — | api | feat/ms22-p1d-container-mgr | P1a | P1i,P1k | — | — | — | 25K | — | |
|
||||
| MS22-P1e | not-started | phase-1e | Onboarding API: breakglass, OIDC, provider, agents, complete | — | api | feat/ms22-p1e-onboarding-api | P1a,P1b | P1f | — | — | — | 20K | — | |
|
||||
| MS22-P1f | not-started | phase-1f | Onboarding wizard WebUI (multi-step form) | — | web | feat/ms22-p1f-onboarding-ui | P1e | — | — | — | — | 25K | — | |
|
||||
| MS22-P1g | not-started | phase-1g | Settings API: CRUD providers, agent config, OIDC, breakglass | — | api | feat/ms22-p1g-settings-api | P1a,P1b | P1h | — | — | — | 20K | — | |
|
||||
| MS22-P1h | not-started | phase-1h | Settings UI: Providers, Agent Config, Auth pages | — | web | feat/ms22-p1h-settings-ui | P1g | — | — | — | — | 25K | — | |
|
||||
| MS22-P1i | not-started | phase-1i | Chat proxy: route WebUI chat to user's OpenClaw container (SSE) | — | api+web | feat/ms22-p1i-chat-proxy | P1c,P1d | — | — | — | — | 20K | — | |
|
||||
| MS22-P1j | not-started | phase-1j | Docker entrypoint + health checks + core compose | — | docker | feat/ms22-p1j-docker | P1c | — | — | — | — | 10K | — | |
|
||||
| MS22-P1k | not-started | phase-1k | Idle reaper cron: stop inactive user containers | — | api | feat/ms22-p1k-idle-reaper | P1d | — | — | — | — | 10K | — | |
|
||||
|
||||
Reference in New Issue
Block a user