chore(orchestrator): mark all MS22 Phase 1 tasks done (11/11)

2026-03-01 10:32:57 -06:00
6 changed files with 3 additions and 28 deletions
--- a/apps/api/src/chat-proxy/chat-proxy.module.ts
+++ b/apps/api/src/chat-proxy/chat-proxy.module.ts
@@ -1,5 +1,4 @@
 import { Module } from "@nestjs/common";
-import { AuthModule } from "../auth/auth.module";
 import { AgentConfigModule } from "../agent-config/agent-config.module";
 import { ContainerLifecycleModule } from "../container-lifecycle/container-lifecycle.module";
 import { PrismaModule } from "../prisma/prisma.module";
@@ -7,7 +6,7 @@ import { ChatProxyController } from "./chat-proxy.controller";
 import { ChatProxyService } from "./chat-proxy.service";

@Module({
-  imports: [AuthModule, PrismaModule, ContainerLifecycleModule, AgentConfigModule],
+  imports: [PrismaModule, ContainerLifecycleModule, AgentConfigModule],
  controllers: [ChatProxyController],
  providers: [ChatProxyService],
  exports: [ChatProxyService],
--- a/apps/api/src/common/guards/csrf.guard.spec.ts
+++ b/apps/api/src/common/guards/csrf.guard.spec.ts
@@ -87,17 +87,6 @@ describe("CsrfGuard", () => {
  });

  describe("State-changing methods requiring CSRF", () => {
-    it("should allow POST with Bearer auth without CSRF token", () => {
-      const context = createContext(
-        "POST",
-        {},
-        { authorization: "Bearer api-token" },
-        false,
-        "user-123"
-      );
-      expect(guard.canActivate(context)).toBe(true);
-    });
-
    it("should reject POST without CSRF token", () => {
      const context = createContext("POST", {}, {}, false, "user-123");
      expect(() => guard.canActivate(context)).toThrow(ForbiddenException);
--- a/apps/api/src/common/guards/csrf.guard.ts
+++ b/apps/api/src/common/guards/csrf.guard.ts
@@ -57,11 +57,6 @@ export class CsrfGuard implements CanActivate {
      return true;
    }

-    const authHeader = request.headers.authorization;
-    if (typeof authHeader === "string" && authHeader.startsWith("Bearer ")) {
-      return true;
-    }
-
    // Get CSRF token from cookie and header
    const cookies = request.cookies as Record<string, string> | undefined;
    const cookieToken = cookies?.["csrf-token"];
--- a/apps/api/src/container-lifecycle/container-lifecycle.module.ts
+++ b/apps/api/src/container-lifecycle/container-lifecycle.module.ts
@@ -1,11 +1,10 @@
 import { Module } from "@nestjs/common";
-import { ConfigModule } from "@nestjs/config";
 import { PrismaModule } from "../prisma/prisma.module";
 import { CryptoModule } from "../crypto/crypto.module";
 import { ContainerLifecycleService } from "./container-lifecycle.service";

@Module({
-  imports: [ConfigModule, PrismaModule, CryptoModule],
+  imports: [PrismaModule, CryptoModule],
  providers: [ContainerLifecycleService],
  exports: [ContainerLifecycleService],
 })
--- a/apps/api/src/fleet-settings/fleet-settings.module.ts
+++ b/apps/api/src/fleet-settings/fleet-settings.module.ts
@@ -1,12 +1,11 @@
 import { Module } from "@nestjs/common";
-import { AuthModule } from "../auth/auth.module";
 import { PrismaModule } from "../prisma/prisma.module";
 import { CryptoModule } from "../crypto/crypto.module";
 import { FleetSettingsController } from "./fleet-settings.controller";
 import { FleetSettingsService } from "./fleet-settings.service";

@Module({
-  imports: [AuthModule, PrismaModule, CryptoModule],
+  imports: [PrismaModule, CryptoModule],
  controllers: [FleetSettingsController],
  providers: [FleetSettingsService],
  exports: [FleetSettingsService],
--- a/docker-compose.swarm.portainer.yml
+++ b/docker-compose.swarm.portainer.yml
@@ -121,10 +121,6 @@ services:
      OLLAMA_ENDPOINT: ${OLLAMA_ENDPOINT}
      OPENBAO_ADDR: ${OPENBAO_ADDR}
      ENCRYPTION_KEY: ${ENCRYPTION_KEY}
-      # MS22: fleet encryption key (AES-256-GCM for provider API keys, agent tokens)
-      MOSAIC_SECRET_KEY: ${MOSAIC_SECRET_KEY}
-      # MS22: Docker socket for per-user container lifecycle (optional: set DOCKER_HOST for TCP)
-      DOCKER_HOST: ${DOCKER_HOST:-}
      # Matrix bridge (optional — configure after Synapse is running)
      MATRIX_HOMESERVER_URL: ${MATRIX_HOMESERVER_URL:-http://synapse:8008}
      MATRIX_ACCESS_TOKEN: ${MATRIX_ACCESS_TOKEN:-}
@@ -146,8 +142,6 @@ services:
      NEXT_PUBLIC_APP_URL: ${NEXT_PUBLIC_APP_URL}
      NEXT_PUBLIC_API_URL: ${NEXT_PUBLIC_API_URL}
      TRUSTED_ORIGINS: ${TRUSTED_ORIGINS:-}
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock:ro
    healthcheck:
      test:
        [