fix(ci): use node:24-slim (glibc) instead of Alpine (musl) (#655 )

Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>
fix(ci): copy .npmrc before pnpm install in all Dockerfiles (#654 )
2026-03-02 01:40:37 +00:00 · 2026-03-02 01:09:22 +00:00 · 2026-03-02 00:19:41 +00:00 · 2026-03-02 00:08:15 +00:00 · 2026-03-01 23:41:46 +00:00 · 2026-03-01 23:39:41 +00:00
16 changed files with 615 additions and 72 deletions
--- a/.npmrc
+++ b/.npmrc
@@ -1 +1,3 @@
@mosaicstack:registry=https://git.mosaicstack.dev/api/packages/mosaic/npm/
 supportedArchitectures[libc][]=glibc
 supportedArchitectures[cpu][]=x64
--- a/.woodpecker/base-image.yml
+++ b/.woodpecker/base-image.yml
@@ -0,0 +1,27 @@
 when:
  - event: manual
  - event: cron
    cron: weekly-base-image
 variables:
  - &kaniko_setup |
    mkdir -p /kaniko/.docker
    echo "{\"auths\":{\"git.mosaicstack.dev\":{\"username\":\"$GITEA_USER\",\"password\":\"$GITEA_TOKEN\"}}}" > /kaniko/.docker/config.json
 steps:
  build-base:
    image: gcr.io/kaniko-project/executor:debug
    environment:
      GITEA_USER:
        from_secret: gitea_username
      GITEA_TOKEN:
        from_secret: gitea_token
    commands:
      - *kaniko_setup
      - /kaniko/executor
          --context .
          --dockerfile docker/base.Dockerfile
          --destination git.mosaicstack.dev/mosaic/node-base:24-slim
          --destination git.mosaicstack.dev/mosaic/node-base:latest
          --cache=true
          --cache-repo git.mosaicstack.dev/mosaic/node-base/cache
--- a/.woodpecker/ci.yml
+++ b/.woodpecker/ci.yml
@@ -29,9 +29,11 @@ when:
        - ".trivyignore"
 variables:
-  - &node_image "node:24-alpine"
+  - &node_image "node:24-slim"
  - &install_deps |
    corepack enable
    apt-get update && apt-get install -y --no-install-recommends python3 make g++
    pnpm config set store-dir /root/.local/share/pnpm/store
    pnpm install --frozen-lockfile
  - &use_deps |
    corepack enable
@@ -168,7 +170,7 @@ steps:
        elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-api:latest"
        fi
-        /kaniko/executor --context . --dockerfile apps/api/Dockerfile --snapshot-mode=redo $DESTINATIONS
+        /kaniko/executor --context . --dockerfile apps/api/Dockerfile --snapshot-mode=redo --cache=true --cache-repo git.mosaicstack.dev/mosaic/stack-api/cache $DESTINATIONS
    when:
      - branch: [main]
        event: [push, manual, tag]
@@ -193,7 +195,7 @@ steps:
        elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-orchestrator:latest"
        fi
-        /kaniko/executor --context . --dockerfile apps/orchestrator/Dockerfile --snapshot-mode=redo $DESTINATIONS
+        /kaniko/executor --context . --dockerfile apps/orchestrator/Dockerfile --snapshot-mode=redo --cache=true --cache-repo git.mosaicstack.dev/mosaic/stack-orchestrator/cache $DESTINATIONS
    when:
      - branch: [main]
        event: [push, manual, tag]
@@ -218,7 +220,7 @@ steps:
        elif [ "$CI_COMMIT_BRANCH" = "main" ]; then
          DESTINATIONS="--destination git.mosaicstack.dev/mosaic/stack-web:latest"
        fi
-        /kaniko/executor --context . --dockerfile apps/web/Dockerfile --snapshot-mode=redo --build-arg NEXT_PUBLIC_API_URL=https://api.mosaicstack.dev $DESTINATIONS
+        /kaniko/executor --context . --dockerfile apps/web/Dockerfile --snapshot-mode=redo --cache=true --cache-repo git.mosaicstack.dev/mosaic/stack-web/cache --build-arg NEXT_PUBLIC_API_URL=https://api.mosaicstack.dev $DESTINATIONS
    when:
      - branch: [main]
        event: [push, manual, tag]
--- a/apps/api/Dockerfile
+++ b/apps/api/Dockerfile
@@ -1,7 +1,7 @@
 # Base image for all stages
 # Uses Debian slim (glibc) instead of Alpine (musl) because native Node.js addons
 # (matrix-sdk-crypto-nodejs, Prisma engines) require glibc-compatible binaries.
-FROM node:24-slim AS base
+FROM git.mosaicstack.dev/mosaic/node-base:24-slim AS base
 # Install pnpm globally
 RUN corepack enable && corepack prepare pnpm@10.27.0 --activate
@@ -19,9 +19,9 @@ COPY turbo.json ./
 FROM base AS deps
 # Install build tools for native addons (node-pty requires node-gyp compilation)
-# and OpenSSL for Prisma engine detection
+# Note: openssl and ca-certificates pre-installed in base image
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    python3 make g++ openssl \
+    python3 make g++ \
    && rm -rf /var/lib/apt/lists/*
 # Copy all package.json files for workspace resolution
@@ -30,6 +30,9 @@ COPY packages/ui/package.json ./packages/ui/
 COPY packages/config/package.json ./packages/config/
 COPY apps/api/package.json ./apps/api/
 # Copy npm configuration for native binary architecture hints
 COPY .npmrc ./
 # Install dependencies (no cache mount — Kaniko builds are ephemeral in CI)
 # Then explicitly rebuild node-pty from source since pnpm may skip postinstall
 # scripts or fail to find prebuilt binaries for this Node.js version
@@ -61,19 +64,14 @@ RUN pnpm turbo build --filter=@mosaic/api --force
 # ======================
 # Production stage
 # ======================
-FROM node:24-slim AS production
+FROM git.mosaicstack.dev/mosaic/node-base:24-slim AS production
-# Install dumb-init for proper signal handling (static binary from GitHub,
+# dumb-init, openssl, ca-certificates pre-installed in base image
 # avoids apt-get which fails under Kaniko with bookworm GPG signature errors)
 ADD https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x86_64 /usr/local/bin/dumb-init
 # Single RUN to minimize Kaniko filesystem snapshots (each RUN = full snapshot)
-# - openssl: Prisma engine detection requires libssl
+# - Remove npm/npx to reduce image size (not used in production)
-# - No build tools needed here — native addons are compiled in the deps stage
+# - Create non-root user
-RUN apt-get update && apt-get install -y --no-install-recommends openssl \
+RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx \
    && rm -rf /var/lib/apt/lists/* \
    && rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx \
    && chmod 755 /usr/local/bin/dumb-init \
    && groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nestjs
 WORKDIR /app
--- a/apps/api/package.json
+++ b/apps/api/package.json
@@ -62,6 +62,7 @@
    "discord.js": "^14.25.1",
    "dockerode": "^4.0.9",
    "gray-matter": "^4.0.3",
    "helmet": "^8.1.0",
    "highlight.js": "^11.11.1",
    "ioredis": "^5.9.2",
    "jose": "^6.1.3",
--- a/apps/api/src/activity/interceptors/activity-logging.interceptor.spec.ts
+++ b/apps/api/src/activity/interceptors/activity-logging.interceptor.spec.ts
@@ -384,10 +384,18 @@ describe("ActivityLoggingInterceptor", () => {
      const context = createMockExecutionContext("POST", {}, body, user);
      const next = createMockCallHandler(result);
      mockActivityService.logActivity.mockResolvedValue({
        id: "activity-123",
      });
      await new Promise<void>((resolve) => {
        interceptor.intercept(context, next).subscribe(() => {
-          // Should not call logActivity when workspaceId is missing
+          // workspaceId is now optional, so logActivity should be called without it
-          expect(mockActivityService.logActivity).not.toHaveBeenCalled();
+          expect(mockActivityService.logActivity).toHaveBeenCalled();
          const callArgs = mockActivityService.logActivity.mock.calls[0][0];
          expect(callArgs.userId).toBe("user-123");
          expect(callArgs.entityId).toBe("task-123");
          expect(callArgs.workspaceId).toBeUndefined();
          resolve();
        });
      });
@@ -412,10 +420,18 @@ describe("ActivityLoggingInterceptor", () => {
      const context = createMockExecutionContext("POST", {}, body, user);
      const next = createMockCallHandler(result);
      mockActivityService.logActivity.mockResolvedValue({
        id: "activity-123",
      });
      await new Promise<void>((resolve) => {
        interceptor.intercept(context, next).subscribe(() => {
-          // Should not call logActivity when workspaceId is missing
+          // workspaceId is now optional, so logActivity should be called without it
-          expect(mockActivityService.logActivity).not.toHaveBeenCalled();
+          expect(mockActivityService.logActivity).toHaveBeenCalled();
          const callArgs = mockActivityService.logActivity.mock.calls[0][0];
          expect(callArgs.userId).toBe("user-123");
          expect(callArgs.entityId).toBe("task-123");
          expect(callArgs.workspaceId).toBeUndefined();
          resolve();
        });
      });
--- a/apps/api/src/auth/auth.controller.ts
+++ b/apps/api/src/auth/auth.controller.ts
@@ -106,7 +106,7 @@ export class AuthController {
  // @SkipCsrf avoids double-protection conflicts.
  // See: https://www.better-auth.com/docs/reference/security
  @SkipCsrf()
-  @Throttle({ strict: { limit: 10, ttl: 60000 } })
+  @Throttle({ default: { ttl: 60_000, limit: 5 } })
  async handleAuth(@Req() req: ExpressRequest, @Res() res: ExpressResponse): Promise<void> {
    // Extract client IP for logging
    const clientIp = this.getClientIp(req);
--- a/apps/api/src/main.ts
+++ b/apps/api/src/main.ts
@@ -1,6 +1,7 @@
 import { NestFactory } from "@nestjs/core";
 import { RequestMethod, ValidationPipe } from "@nestjs/common";
 import cookieParser from "cookie-parser";
 import helmet from "helmet";
 import { AppModule } from "./app.module";
 import { getTrustedOrigins } from "./auth/auth.config";
 import { GlobalExceptionFilter } from "./filters/global-exception.filter";
@@ -33,6 +34,14 @@ async function bootstrap() {
  // Enable cookie parser for session handling
  app.use(cookieParser());
  // Enable helmet security headers
  app.use(
    helmet({
      contentSecurityPolicy: false, // Let Next.js handle CSP
      crossOriginEmbedderPolicy: false,
    })
  );
  // Enable global validation pipe with transformation
  app.useGlobalPipes(
    new ValidationPipe({
--- a/apps/orchestrator/Dockerfile
+++ b/apps/orchestrator/Dockerfile
@@ -1,6 +1,6 @@
 # Base image for all stages
 # Uses Debian slim (glibc) instead of Alpine (musl) for native addon compatibility.
-FROM node:24-slim AS base
+FROM git.mosaicstack.dev/mosaic/node-base:24-slim AS base
 # Install pnpm globally
 RUN corepack enable && corepack prepare pnpm@10.27.0 --activate
@@ -22,6 +22,9 @@ COPY packages/shared/package.json ./packages/shared/
 COPY packages/config/package.json ./packages/config/
 COPY apps/orchestrator/package.json ./apps/orchestrator/
 # Copy npm configuration for native binary architecture hints
 COPY .npmrc ./
 # Install ALL dependencies (not just production)
 # No cache mount — Kaniko builds are ephemeral in CI
 RUN pnpm install --frozen-lockfile
@@ -54,7 +57,7 @@ RUN find ./apps/orchestrator/dist \( -name '*.spec.js' -o -name '*.spec.js.map'
 # ======================
 # Production stage
 # ======================
-FROM node:24-slim AS production
+FROM git.mosaicstack.dev/mosaic/node-base:24-slim AS production
 # Add metadata labels
 LABEL maintainer="mosaic-team@mosaicstack.dev"
@@ -65,13 +68,12 @@ LABEL org.opencontainers.image.vendor="Mosaic Stack"
 LABEL org.opencontainers.image.title="Mosaic Orchestrator"
 LABEL org.opencontainers.image.description="Agent orchestration service for Mosaic Stack"
-# Install dumb-init for proper signal handling (static binary from GitHub,
+# dumb-init, ca-certificates pre-installed in base image
 # avoids apt-get which fails under Kaniko with bookworm GPG signature errors)
 ADD https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x86_64 /usr/local/bin/dumb-init
 # Single RUN to minimize Kaniko filesystem snapshots (each RUN = full snapshot)
 # - Remove npm/npx to reduce image size (not used in production)
 # - Create non-root user
 RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx \
    && chmod 755 /usr/local/bin/dumb-init \
    && groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nestjs
 WORKDIR /app
--- a/apps/web/Dockerfile
+++ b/apps/web/Dockerfile
@@ -1,7 +1,7 @@
 # Base image for all stages
 # Uses Debian slim (glibc) for consistency with API/orchestrator and to prevent
 # future native addon compatibility issues with Alpine's musl libc.
-FROM node:24-slim AS base
+FROM git.mosaicstack.dev/mosaic/node-base:24-slim AS base
 # Install pnpm globally
 RUN corepack enable && corepack prepare pnpm@10.27.0 --activate
@@ -24,6 +24,9 @@ COPY packages/ui/package.json ./packages/ui/
 COPY packages/config/package.json ./packages/config/
 COPY apps/web/package.json ./apps/web/
 # Copy npm configuration for native binary architecture hints
 COPY .npmrc ./
 # Install dependencies (no cache mount — Kaniko builds are ephemeral in CI)
 RUN pnpm install --frozen-lockfile
@@ -38,6 +41,9 @@ COPY packages/ui/package.json ./packages/ui/
 COPY packages/config/package.json ./packages/config/
 COPY apps/web/package.json ./apps/web/
 # Copy npm configuration for native binary architecture hints
 COPY .npmrc ./
 # Install production dependencies only
 RUN pnpm install --frozen-lockfile --prod
@@ -87,15 +93,14 @@ RUN mkdir -p ./apps/web/public
 # ======================
 # Production stage
 # ======================
-FROM node:24-slim AS production
+FROM git.mosaicstack.dev/mosaic/node-base:24-slim AS production
-# Install dumb-init for proper signal handling (static binary from GitHub,
+# dumb-init, ca-certificates pre-installed in base image
 # avoids apt-get which fails under Kaniko with bookworm GPG signature errors)
 ADD https://github.com/Yelp/dumb-init/releases/download/v1.2.5/dumb-init_1.2.5_x86_64 /usr/local/bin/dumb-init
 # Single RUN to minimize Kaniko filesystem snapshots (each RUN = full snapshot)
 # - Remove npm/npx to reduce image size (not used in production)
 # - Create non-root user
 RUN rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx \
    && chmod 755 /usr/local/bin/dumb-init \
    && groupadd -g 1001 nodejs && useradd -m -u 1001 -g nodejs nextjs
 WORKDIR /app
--- a/apps/web/src/app/(authenticated)/kanban/page.tsx
+++ b/apps/web/src/app/(authenticated)/kanban/page.tsx
@@ -184,10 +184,11 @@ function TaskCard({ task, provided, snapshot, columnAccent }: TaskCardProps): Re
 interface KanbanColumnProps {
  config: ColumnConfig;
  tasks: Task[];
-  onAddTask: (status: TaskStatus, title: string) => Promise<void>;
+  onAddTask: (status: TaskStatus, title: string, projectId?: string) => Promise<void>;
  projectId?: string;
 }
-function KanbanColumn({ config, tasks, onAddTask }: KanbanColumnProps): ReactElement {
+function KanbanColumn({ config, tasks, onAddTask, projectId }: KanbanColumnProps): ReactElement {
  const [showAddForm, setShowAddForm] = useState(false);
  const [inputValue, setInputValue] = useState("");
  const [isSubmitting, setIsSubmitting] = useState(false);
@@ -208,7 +209,7 @@ function KanbanColumn({ config, tasks, onAddTask }: KanbanColumnProps): ReactEle
    setIsSubmitting(true);
    try {
-      await onAddTask(config.status, inputValue.trim());
+      await onAddTask(config.status, inputValue.trim(), projectId);
      setInputValue("");
      setShowAddForm(false);
    } catch (err) {
@@ -362,6 +363,45 @@ function KanbanColumn({ config, tasks, onAddTask }: KanbanColumnProps): ReactEle
            }}
            autoFocus
          />
          <div style={{ display: "flex", gap: 6, marginTop: 6 }}>
            <button
              type="submit"
              disabled={isSubmitting || !inputValue.trim()}
              style={{
                padding: "6px 12px",
                borderRadius: "var(--r)",
                border: "1px solid var(--primary)",
                background: "var(--primary)",
                color: "#fff",
                fontSize: "0.8rem",
                fontWeight: 500,
                cursor: isSubmitting || !inputValue.trim() ? "not-allowed" : "pointer",
                opacity: isSubmitting || !inputValue.trim() ? 0.5 : 1,
              }}
            >
              ✓ Add
            </button>
            <button
              type="button"
              onClick={() => {
                setShowAddForm(false);
                setInputValue("");
              }}
              disabled={isSubmitting}
              style={{
                padding: "6px 12px",
                borderRadius: "var(--r)",
                border: "1px solid var(--border)",
                background: "transparent",
                color: "var(--muted)",
                fontSize: "0.8rem",
                cursor: isSubmitting ? "not-allowed" : "pointer",
                opacity: isSubmitting ? 0.5 : 1,
              }}
            >
              Cancel
            </button>
          </div>
          <div style={{ marginTop: 6, fontSize: "0.75rem", color: "var(--muted)" }}>
            Press{" "}
            <kbd
@@ -745,10 +785,17 @@ export default function KanbanPage(): ReactElement {
  /* --- add task handler --- */
  const handleAddTask = useCallback(
-    async (status: TaskStatus, title: string) => {
+    async (status: TaskStatus, title: string, projectId?: string) => {
      try {
        const wsId = workspaceId ?? undefined;
-        const newTask = await createTask({ title, status }, wsId);
+        const taskData: { title: string; status: TaskStatus; projectId?: string } = {
          title,
          status,
        };
        if (projectId) {
          taskData.projectId = projectId;
        }
        const newTask = await createTask(taskData, wsId);
        // Optimistically add to local state
        setTasks((prev) => [...prev, newTask]);
      } catch (err: unknown) {
@@ -866,23 +913,8 @@ export default function KanbanPage(): ReactElement {
            Clear filters
          </button>
        </div>
      ) : tasks.length === 0 ? (
        /* Empty state */
        <div
          style={{
            background: "var(--surface)",
            border: "1px solid var(--border)",
            borderRadius: "var(--r-lg)",
            padding: 48,
            textAlign: "center",
          }}
        >
          <p style={{ color: "var(--muted)", margin: 0, fontSize: "0.9rem" }}>
            No tasks yet. Create some tasks to see them here.
          </p>
        </div>
      ) : (
-        /* Board */
+        /* Board (always render columns to allow adding first task) */
        <DragDropContext onDragEnd={handleDragEnd}>
          <div
            style={{
@@ -899,6 +931,7 @@ export default function KanbanPage(): ReactElement {
                config={col}
                tasks={grouped[col.status]}
                onAddTask={handleAddTask}
                projectId={filterProject}
              />
            ))}
          </div>
--- a/apps/web/src/components/layout/AppHeader.tsx
+++ b/apps/web/src/components/layout/AppHeader.tsx
@@ -5,6 +5,7 @@ import Link from "next/link";
 import { usePathname } from "next/navigation";
 import { useAuth } from "@/lib/auth/auth-context";
 import { ThemeToggle } from "./ThemeToggle";
 import { UsageWidget } from "@/components/ui/UsageWidget";
 import { useSidebar } from "./SidebarContext";
 /**
@@ -350,6 +351,9 @@ export function AppHeader(): React.JSX.Element {
        {/* Theme Toggle */}
        <ThemeToggle />
        {/* Usage Widget */}
        <UsageWidget />
        {/* User Avatar + Dropdown */}
        <div ref={dropdownRef} style={{ position: "relative", flexShrink: 0 }}>
          <button
--- a/apps/web/src/components/ui/UsageWidget.tsx
+++ b/apps/web/src/components/ui/UsageWidget.tsx
@@ -0,0 +1,337 @@
 "use client";
 import { useState, useEffect, useRef, useCallback } from "react";
 import { fetchUsageSummary, type UsageSummary } from "@/lib/api/telemetry";
 // ─── Types ───────────────────────────────────────────────────────────
 interface UsageTier {
  name: string;
  tokens: number;
  limit: number;
  percentage: number;
 }
 // ─── Helpers ─────────────────────────────────────────────────────────
 function getUsageColor(percentage: number): string {
  if (percentage < 60) return "var(--success)";
  if (percentage < 80) return "var(--warn)";
  return "var(--danger)";
 }
 function formatTokens(value: number): string {
  if (value >= 1_000_000) return `${(value / 1_000_000).toFixed(1)}M`;
  if (value >= 1_000) return `${(value / 1_000).toFixed(1)}K`;
  return value.toFixed(0);
 }
 // ─── Component ───────────────────────────────────────────────────────
 export function UsageWidget(): React.JSX.Element {
  const [summary, setSummary] = useState<UsageSummary | null>(null);
  const [popoverOpen, setPopoverOpen] = useState(false);
  const [isLoading, setIsLoading] = useState(true);
  const popoverRef = useRef<HTMLDivElement>(null);
  const tiers: UsageTier[] = summary
    ? [
        {
          name: "Session",
          tokens: summary.totalTokens,
          limit: 100_000,
          percentage: (summary.totalTokens / 100_000) * 100,
        },
        {
          name: "Daily",
          tokens: summary.totalTokens,
          limit: 500_000,
          percentage: (summary.totalTokens / 500_000) * 100,
        },
        {
          name: "Monthly",
          tokens: summary.totalTokens,
          limit: 2_000_000,
          percentage: (summary.totalTokens / 2_000_000) * 100,
        },
      ]
    : [];
  const currentTier = tiers[0];
  const usageColor = currentTier ? getUsageColor(currentTier.percentage) : "var(--muted)";
  const loadSummary = useCallback(async () => {
    try {
      const data = await fetchUsageSummary("30d");
      setSummary(data);
    } catch (err) {
      console.error("Failed to load usage summary:", err);
    } finally {
      setIsLoading(false);
    }
  }, []);
  useEffect(() => {
    void loadSummary();
  }, [loadSummary]);
  useEffect(() => {
    function handleClickOutside(event: MouseEvent): void {
      if (popoverRef.current && !popoverRef.current.contains(event.target as Node)) {
        setPopoverOpen(false);
      }
    }
    if (!popoverOpen) {
      return;
    }
    document.addEventListener("mousedown", handleClickOutside);
    return (): void => {
      document.removeEventListener("mousedown", handleClickOutside);
    };
  }, [popoverOpen]);
  const pct = currentTier ? Math.min(currentTier.percentage, 100) : 0;
  return (
    <div ref={popoverRef} style={{ position: "relative" }}>
      <button
        onClick={(): void => {
          setPopoverOpen((prev) => !prev);
        }}
        aria-label="Usage widget"
        aria-expanded={popoverOpen}
        aria-haspopup="true"
        className="hidden lg:flex items-center"
        style={{
          gap: 6,
          padding: "5px 10px",
          borderRadius: 6,
          background: "var(--surface)",
          border: `1px solid ${popoverOpen ? usageColor : "var(--border)"}`,
          fontSize: "0.75rem",
          fontFamily: "var(--mono)",
          color: "var(--text-2)",
          cursor: "pointer",
          transition: "border-color 0.15s, color 0.15s",
          flexShrink: 0,
        }}
        onMouseEnter={(e): void => {
          (e.currentTarget as HTMLButtonElement).style.borderColor = usageColor;
          (e.currentTarget as HTMLButtonElement).style.color = "var(--text)";
        }}
        onMouseLeave={(e): void => {
          if (!popoverOpen) {
            (e.currentTarget as HTMLButtonElement).style.borderColor = "var(--border)";
            (e.currentTarget as HTMLButtonElement).style.color = "var(--text-2)";
          }
        }}
      >
        <svg
          width="12"
          height="12"
          viewBox="0 0 16 16"
          fill="none"
          stroke="currentColor"
          strokeWidth="2"
          strokeLinecap="round"
          strokeLinejoin="round"
          style={{ color: usageColor, flexShrink: 0 }}
          aria-hidden="true"
        >
          <path d="M9 1L3 9h5l-1 6 6-8H8l1-6z" />
        </svg>
        <span style={{ fontWeight: 500, color: "var(--text-2)" }}>
          {isLoading ? "..." : summary ? formatTokens(summary.totalTokens) : "0"}
        </span>
        {!isLoading && currentTier && (
          <div
            style={{
              width: 24,
              height: 4,
              borderRadius: 2,
              background: "var(--bg-mid)",
              overflow: "hidden",
              flexShrink: 0,
            }}
            aria-hidden="true"
          >
            <div
              style={{
                width: `${String(pct)}%`,
                height: "100%",
                background: usageColor,
                borderRadius: 2,
                transition: "width 0.3s ease-out",
              }}
            />
          </div>
        )}
        {!isLoading && currentTier && (
          <span style={{ fontWeight: 600, color: usageColor, minWidth: 32, textAlign: "right" }}>
            {Math.round(currentTier.percentage)}%
          </span>
        )}
      </button>
      {popoverOpen && (
        <div
          role="dialog"
          aria-label="Usage details"
          style={{
            position: "absolute",
            top: "calc(100% + 8px)",
            right: 0,
            width: 280,
            background: "var(--surface)",
            border: "1px solid var(--border)",
            borderRadius: 8,
            padding: 12,
            boxShadow: "0 8px 32px rgba(0,0,0,0.3)",
            zIndex: 200,
          }}
        >
          <div
            style={{
              fontSize: "0.83rem",
              fontWeight: 600,
              color: "var(--text)",
              marginBottom: 12,
              paddingBottom: 8,
              borderBottom: "1px solid var(--border)",
            }}
          >
            Token Usage
          </div>
          {isLoading ? (
            <div
              style={{
                textAlign: "center",
                padding: "20px 0",
                color: "var(--muted)",
                fontSize: "0.75rem",
              }}
            >
              Loading usage data…
            </div>
          ) : summary ? (
            <>
              <div style={{ marginBottom: 12, display: "flex", flexDirection: "column", gap: 8 }}>
                <div
                  style={{ display: "flex", justifyContent: "space-between", fontSize: "0.75rem" }}
                >
                  <span style={{ color: "var(--muted)" }}>Total Tokens</span>
                  <span style={{ color: "var(--text)", fontFamily: "var(--mono)" }}>
                    {formatTokens(summary.totalTokens)}
                  </span>
                </div>
                <div
                  style={{ display: "flex", justifyContent: "space-between", fontSize: "0.75rem" }}
                >
                  <span style={{ color: "var(--muted)" }}>Estimated Cost</span>
                  <span style={{ color: "var(--text)", fontFamily: "var(--mono)" }}>
                    ${summary.totalCost.toFixed(2)}
                  </span>
                </div>
                <div
                  style={{ display: "flex", justifyContent: "space-between", fontSize: "0.75rem" }}
                >
                  <span style={{ color: "var(--muted)" }}>Tasks</span>
                  <span style={{ color: "var(--text)", fontFamily: "var(--mono)" }}>
                    {summary.taskCount}
                  </span>
                </div>
              </div>
              <div style={{ display: "flex", flexDirection: "column", gap: 10 }}>
                {tiers.map((tier) => {
                  const tierPct = Math.min(tier.percentage, 100);
                  return (
                    <div key={tier.name}>
                      <div
                        style={{
                          display: "flex",
                          justifyContent: "space-between",
                          fontSize: "0.75rem",
                          marginBottom: 4,
                        }}
                      >
                        <span style={{ color: "var(--text-2)" }}>{tier.name}</span>
                        <span
                          style={{
                            color: getUsageColor(tier.percentage),
                            fontFamily: "var(--mono)",
                            fontWeight: 500,
                          }}
                        >
                          {formatTokens(tier.tokens)} / {formatTokens(tier.limit)}
                        </span>
                      </div>
                      <div
                        style={{
                          width: "100%",
                          height: 6,
                          borderRadius: 3,
                          background: "var(--bg-mid)",
                          overflow: "hidden",
                        }}
                      >
                        <div
                          style={{
                            width: `${String(tierPct)}%`,
                            height: "100%",
                            background: getUsageColor(tier.percentage),
                            borderRadius: 3,
                            transition: "width 0.3s ease-out",
                          }}
                        />
                      </div>
                    </div>
                  );
                })}
              </div>
              <a
                href="/usage"
                onClick={(): void => {
                  setPopoverOpen(false);
                }}
                style={{
                  display: "block",
                  marginTop: 12,
                  paddingTop: 8,
                  borderTop: "1px solid var(--border)",
                  fontSize: "0.75rem",
                  color: "var(--primary)",
                  textDecoration: "none",
                  textAlign: "center",
                }}
                onMouseEnter={(e): void => {
                  (e.currentTarget as HTMLAnchorElement).style.textDecoration = "underline";
                }}
                onMouseLeave={(e): void => {
                  (e.currentTarget as HTMLAnchorElement).style.textDecoration = "none";
                }}
              >
                View detailed usage →
              </a>
            </>
          ) : (
            <div
              style={{
                textAlign: "center",
                padding: "20px 0",
                color: "var(--muted)",
                fontSize: "0.75rem",
              }}
            >
              No usage data available
            </div>
          )}
        </div>
      )}
    </div>
  );
 }
--- a/apps/web/src/lib/api/chat.ts
+++ b/apps/web/src/lib/api/chat.ts
@@ -1,6 +1,6 @@
 /**
 * Chat API client
- * Handles LLM chat interactions via /api/llm/chat
+ * Handles LLM chat interactions via /api/chat/stream (streaming) and /api/llm/chat (fallback)
 */
 import { apiPost, fetchCsrfToken, getCsrfToken } from "./client";
@@ -33,9 +33,28 @@ export interface ChatResponse {
 }
 /**
- * Parsed SSE data chunk from the LLM stream
+ * Parsed SSE data chunk from OpenAI-compatible stream
 */
-interface SseChunk {
+interface OpenAiSseChunk {
  id?: string;
  object?: string;
  created?: number;
  model?: string;
  choices?: {
    index: number;
    delta?: {
      role?: string;
      content?: string;
    };
    finish_reason?: string | null;
  }[];
  error?: string;
 }
 /**
 * Parsed SSE data chunk from legacy /api/llm/chat stream
 */
 interface LegacySseChunk {
  error?: string;
  message?: {
    role: string;
@@ -46,7 +65,17 @@ interface SseChunk {
 }
 /**
- * Send a chat message to the LLM
+ * Parsed SSE data chunk with simple token format
 */
 interface SimpleTokenChunk {
  token?: string;
  done?: boolean;
  error?: string;
 }
 /**
 * Send a chat message to the LLM (non-streaming fallback)
 * Uses /api/llm/chat endpoint which supports both streaming and non-streaming
 */
 export async function sendChatMessage(request: ChatRequest): Promise<ChatResponse> {
  return apiPost<ChatResponse>("/api/llm/chat", request);
@@ -66,11 +95,20 @@ async function ensureCsrfTokenForStream(): Promise<string> {
 /**
 * Stream a chat message from the LLM using SSE over fetch.
 *
- * The backend accepts stream: true in the request body and responds with
+ * Uses /api/chat/stream endpoint which proxies to OpenClaw.
- * Server-Sent Events:
+ * The backend responds with Server-Sent Events in one of these formats:
- *   data: {"message":{"content":"token"},...}\n\n  for each token
+ *
- *   data: [DONE]\n\n  when the stream is complete
+ * OpenAI-compatible format:
- *   data: {"error":"message"}\n\n  on error
+ *   data: {"choices":[{"delta":{"content":"token"}}],...}\n\n
 *   data: [DONE]\n\n
 *
 * Legacy format (from /api/llm/chat):
 *   data: {"message":{"content":"token"},...}\n\n
 *   data: [DONE]\n\n
 *
 * Simple token format:
 *   data: {"token":"..."}\n\n
 *   data: {"done":true}\n\n
 *
 * @param request - Chat request (stream field will be forced to true)
 * @param onChunk - Called with each token string as it arrives
@@ -89,14 +127,14 @@ export function streamChatMessage(
    try {
      const csrfToken = await ensureCsrfTokenForStream();
-      const response = await fetch(`${API_BASE_URL}/api/llm/chat`, {
+      const response = await fetch(`${API_BASE_URL}/api/chat/stream`, {
        method: "POST",
        headers: {
          "Content-Type": "application/json",
          "X-CSRF-Token": csrfToken,
        },
        credentials: "include",
-        body: JSON.stringify({ ...request, stream: true }),
+        body: JSON.stringify({ messages: request.messages, stream: true }),
        signal: signal ?? null,
      });
@@ -132,6 +170,25 @@ export function streamChatMessage(
          const trimmed = part.trim();
          if (!trimmed) continue;
          // Handle event: error format
          const eventMatch = /^event:\s*(\S+)\n/i.exec(trimmed);
          const dataMatch = /^data:\s*(.+)$/im.exec(trimmed);
          if (eventMatch?.[1] === "error" && dataMatch?.[1]) {
            try {
              const errorData = JSON.parse(dataMatch[1].trim()) as {
                error?: string;
              };
              throw new Error(errorData.error ?? "Stream error occurred");
            } catch (parseErr) {
              if (parseErr instanceof SyntaxError) {
                throw new Error("Stream error occurred");
              }
              throw parseErr;
            }
          }
          // Standard SSE format: data: {...}
          for (const line of trimmed.split("\n")) {
            if (!line.startsWith("data: ")) continue;
@@ -143,14 +200,39 @@ export function streamChatMessage(
            }
            try {
-              const parsed = JSON.parse(data) as SseChunk;
+              const parsed: unknown = JSON.parse(data);
-              if (parsed.error) {
+              // Handle OpenAI format (from /api/chat/stream via OpenClaw)
-                throw new Error(parsed.error);
+              const openAiChunk = parsed as OpenAiSseChunk;
              if (openAiChunk.choices?.[0]?.delta?.content) {
                onChunk(openAiChunk.choices[0].delta.content);
                continue;
              }
-              if (parsed.message?.content) {
+              // Handle legacy format (from /api/llm/chat)
-                onChunk(parsed.message.content);
+              const legacyChunk = parsed as LegacySseChunk;
              if (legacyChunk.message?.content) {
                onChunk(legacyChunk.message.content);
                continue;
              }
              // Handle simple token format
              const simpleChunk = parsed as SimpleTokenChunk;
              if (simpleChunk.token) {
                onChunk(simpleChunk.token);
                continue;
              }
              // Handle done flag in simple format
              if (simpleChunk.done === true) {
                onComplete();
                return;
              }
              // Handle error in any format
              const error = openAiChunk.error ?? legacyChunk.error ?? simpleChunk.error;
              if (error) {
                throw new Error(error);
              }
            } catch (parseErr) {
              if (parseErr instanceof SyntaxError) {
@@ -162,7 +244,7 @@ export function streamChatMessage(
        }
      }
-      // Natural end of stream without [DONE]
+      // Natural end of stream without [DONE] or done flag
      onComplete();
    } catch (err: unknown) {
      if (err instanceof DOMException && err.name === "AbortError") {
--- a/docker/base.Dockerfile
+++ b/docker/base.Dockerfile
@@ -0,0 +1,16 @@
 FROM node:24-slim AS base
 # Pre-bake OS updates and common packages shared across all apps.
 # Rebuild this image weekly or when base packages change.
 # Push to: git.mosaicstack.dev/mosaic/node-base:24-slim
 RUN apt-get update && apt-get upgrade -y --no-install-recommends \
    && apt-get install -y --no-install-recommends \
        openssl \
        ca-certificates \
        curl \
        dumb-init \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
 # Enable corepack for pnpm
 RUN corepack enable
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -180,6 +180,9 @@ importers:
      gray-matter:
        specifier: ^4.0.3
        version: 4.0.3
      helmet:
        specifier: ^8.1.0
        version: 8.1.0
      highlight.js:
        specifier: ^11.11.1
        version: 11.11.1
@@ -5210,6 +5213,10 @@ packages:
    resolution: {integrity: sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==}
    engines: {node: '>= 0.4'}
  helmet@8.1.0:
    resolution: {integrity: sha512-jOiHyAZsmnr8LqoPGmCjYAaiuWwjAPLgY8ZX2XrmHawt99/u1y6RgrZMTeoPfpUbV96HOalYgz1qzkRbw54Pmg==}
    engines: {node: '>=18.0.0'}
  highlight.js@11.11.1:
    resolution: {integrity: sha512-Xwwo44whKBVCYoliBQwaPvtd/2tYFkRQtXDWj1nackaV2JPXx3L0+Jvd8/qCJ2p+ML0/XVkJ2q+Mr+UVdpJK5w==}
    engines: {node: '>=12.0.0'}
@@ -12815,6 +12822,8 @@ snapshots:
    dependencies:
      function-bind: 1.1.2
  helmet@8.1.0: {}
  highlight.js@11.11.1: {}
  html-encoding-sniffer@4.0.0:
Author	SHA1	Message	Date
Jason Woltje	a16371c6f9	fix(ci): use node:24-slim (glibc) instead of Alpine (musl) (#655 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/manual/base-image Pipeline was successful Details ci/woodpecker/manual/coordinator Pipeline was successful Details ci/woodpecker/manual/infra Pipeline was successful Details ci/woodpecker/manual/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-02 01:40:37 +00:00
Jason Woltje	51d46b2e4a	fix(ci): copy .npmrc before pnpm install in all Dockerfiles (#654 ) Some checks failed ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/manual/base-image Pipeline was successful Details ci/woodpecker/manual/infra Pipeline was successful Details ci/woodpecker/manual/coordinator Pipeline was successful Details ci/woodpecker/manual/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-02 01:09:22 +00:00
Jason Woltje	6582785ddd	fix: matrix native binary + Dockerfile audit (#653 ) All checks were successful ci/woodpecker/manual/base-image Pipeline was successful Details ci/woodpecker/manual/infra Pipeline was successful Details ci/woodpecker/manual/coordinator Pipeline was successful Details ci/woodpecker/manual/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-02 00:19:41 +00:00
Jason Woltje	ae0bebe2e0	ci: enable Kaniko layer caching (#652 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-02 00:08:15 +00:00
Jason Woltje	173b429c62	fix(ci): Kaniko for base image build (#651 ) All checks were successful ci/woodpecker/manual/base-image Pipeline was successful Details ci/woodpecker/manual/infra Pipeline was successful Details ci/woodpecker/manual/coordinator Pipeline was successful Details ci/woodpecker/manual/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-01 23:41:46 +00:00
Jason Woltje	7d505e75f8	feat: custom node base image (#649 ) Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-01 23:39:41 +00:00
Jason Woltje	cd1c52c506	ci: pnpm store cache (#648 ) All checks were successful ci/woodpecker/push/ci Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-01 23:26:51 +00:00
Jason Woltje	a00f1e1fd7	fix(api): activity interceptor tests (#647 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-01 23:15:16 +00:00
Jason Woltje	9305cacd4a	fix(web): kanban add-task tests (#645 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-01 23:03:21 +00:00
Jason Woltje	0d5aa5c3ae	feat: wire chat to backend (#644 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-01 22:54:48 +00:00
Jason Woltje	eb34eb8104	feat: compact usage widget in header (#643 ) Some checks failed ci/woodpecker/push/infra Pipeline was successful Details ci/woodpecker/push/ci Pipeline failed Details ci/woodpecker/push/coordinator Pipeline was successful Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-01 22:53:31 +00:00
Jason Woltje	5165a30fad	feat: compact usage widget in header (#642 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-01 22:51:50 +00:00
Jason Woltje	6eb91c9eba	fix(api): security hardening — helmet + auth rate limiting (#641 ) Some checks failed ci/woodpecker/push/ci Pipeline failed Details Co-authored-by: Jason Woltje <jason@diversecanvas.com> Co-committed-by: Jason Woltje <jason@diversecanvas.com>	2026-03-01 22:43:10 +00:00