fix(api): use TRUSTED_ORIGINS for socket.io gateway CORS; add createTask API client

apps/api/src/activity/activity.controller.ts

@@ -1,7 +1,7 @@
 import { Controller, Get, Query, Param, UseGuards } from "@nestjs/common";
 import { ActivityService } from "./activity.service";
 import { EntityType } from "@prisma/client";
-import { QueryActivityLogDto } from "./dto";
+import type { QueryActivityLogDto } from "./dto";
 import { AuthGuard } from "../auth/guards/auth.guard";
 import { WorkspaceGuard, PermissionGuard } from "../common/guards";
 import { Workspace, Permission, RequirePermission } from "../common/decorators";

apps/api/src/common/guards/csrf.guard.ts

@@ -111,9 +111,14 @@ export class CsrfGuard implements CanActivate {
 
         throw new ForbiddenException("CSRF token not bound to session");
       }
+    } else {
+      this.logger.debug({
+        event: "CSRF_SKIP_SESSION_BINDING",
+        method: request.method,
+        path: request.path,
+        reason: "User context not yet available (global guard runs before AuthGuard)",
+      });
     }
-    // Note: when userId is absent, the double-submit cookie check above is
-    // sufficient CSRF protection. AuthGuard populates request.user afterward.
 
     return true;
   }

apps/api/src/dashboard/dashboard.controller.ts

@@ -3,7 +3,7 @@ import { DashboardService } from "./dashboard.service";
 import { AuthGuard } from "../auth/guards/auth.guard";
 import { WorkspaceGuard, PermissionGuard } from "../common/guards";
 import { Workspace, Permission, RequirePermission } from "../common/decorators";
-import { DashboardSummaryDto } from "./dto";
+import type { DashboardSummaryDto } from "./dto";
 
 /**
  * Controller for dashboard endpoints.

apps/api/src/fleet-settings/fleet-settings.controller.ts

@@ -15,7 +15,7 @@ import type { AuthUser } from "@mosaic/shared";
 import { CurrentUser } from "../auth/decorators/current-user.decorator";
 import { AdminGuard } from "../auth/guards/admin.guard";
 import { AuthGuard } from "../auth/guards/auth.guard";
-import {
+import type {
   CreateProviderDto,
   ResetPasswordDto,
   UpdateAgentConfigDto,

apps/api/src/llm-usage/llm-usage.controller.ts

@@ -1,7 +1,7 @@
 import { Controller, Get, Param, Query } from "@nestjs/common";
 import type { LlmUsageLog } from "@prisma/client";
 import { LlmUsageService } from "./llm-usage.service";
-import { UsageAnalyticsQueryDto, UsageAnalyticsResponseDto } from "./dto";
+import type { UsageAnalyticsQueryDto, UsageAnalyticsResponseDto } from "./dto";
 
 /**
  * LLM Usage Controller

apps/api/src/widgets/widgets.controller.ts

@@ -4,7 +4,7 @@ import { WidgetsService } from "./widgets.service";
 import { WidgetDataService } from "./widget-data.service";
 import { AuthGuard } from "../auth/guards/auth.guard";
 import { WorkspaceGuard } from "../common/guards/workspace.guard";
-import { StatCardQueryDto, ChartQueryDto, ListQueryDto, CalendarPreviewQueryDto } from "./dto";
+import type { StatCardQueryDto, ChartQueryDto, ListQueryDto, CalendarPreviewQueryDto } from "./dto";
 import type { RequestWithWorkspace } from "../common/types/user.types";
 
 /**

apps/api/src/workspaces/workspaces.controller.ts

@@ -6,7 +6,7 @@ import { WorkspaceGuard, PermissionGuard } from "../common/guards";
 import { Permission, RequirePermission } from "../common/decorators";
 import type { WorkspaceMember } from "@prisma/client";
 import type { AuthenticatedUser } from "../common/types/user.types";
-import { AddMemberDto, UpdateMemberRoleDto, WorkspaceResponseDto } from "./dto";
+import type { AddMemberDto, UpdateMemberRoleDto, WorkspaceResponseDto } from "./dto";
 
 /**
  * User-scoped workspace operations.

docker-compose.swarm.portainer.yml

@@ -128,8 +128,6 @@ services:
       # Matrix bridge (optional — configure after Synapse is running)
       MATRIX_HOMESERVER_URL: ${MATRIX_HOMESERVER_URL:-http://synapse:8008}
       MATRIX_ACCESS_TOKEN: ${MATRIX_ACCESS_TOKEN:-}
-      # System admin IDs (comma-separated user UUIDs) for auth settings access
-      SYSTEM_ADMIN_IDS: ${SYSTEM_ADMIN_IDS:-}
       MATRIX_BOT_USER_ID: ${MATRIX_BOT_USER_ID:-}
       MATRIX_CONTROL_ROOM_ID: ${MATRIX_CONTROL_ROOM_ID:-}
       MATRIX_WORKSPACE_ID: ${MATRIX_WORKSPACE_ID:-}