chore: release v0.0.23 — Mission Control Dashboard

apps/orchestrator/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mosaic/orchestrator",
-  "version": "0.0.20",
+  "version": "0.0.23",
   "private": true,
   "scripts": {
     "build": "nest build",

apps/orchestrator/src/api/agent-providers/agent-providers.module.ts

@@ -1,12 +1,13 @@
 import { Module } from "@nestjs/common";
 import { PrismaModule } from "../../prisma/prisma.module";
 import { OrchestratorApiKeyGuard } from "../../common/guards/api-key.guard";
+import { EncryptionService } from "../../security/encryption.service";
 import { AgentProvidersController } from "./agent-providers.controller";
 import { AgentProvidersService } from "./agent-providers.service";
 
 @Module({
   imports: [PrismaModule],
   controllers: [AgentProvidersController],
-  providers: [OrchestratorApiKeyGuard, AgentProvidersService],
+  providers: [OrchestratorApiKeyGuard, EncryptionService, AgentProvidersService],
 })
 export class AgentProvidersModule {}

apps/orchestrator/src/api/agent-providers/agent-providers.service.spec.ts

@@ -1,5 +1,6 @@
 import { beforeEach, describe, expect, it, vi } from "vitest";
 import { NotFoundException } from "@nestjs/common";
+import { EncryptionService } from "../../security/encryption.service";
 import { AgentProvidersService } from "./agent-providers.service";
 import { PrismaService } from "../../prisma/prisma.service";
 
@@ -14,6 +15,9 @@ describe("AgentProvidersService", () => {
       delete: ReturnType<typeof vi.fn>;
     };
   };
+  let encryptionService: {
+    encryptIfNeeded: ReturnType<typeof vi.fn>;
+  };
 
   beforeEach(() => {
     prisma = {
@@ -26,7 +30,14 @@ describe("AgentProvidersService", () => {
       },
     };
 
-    service = new AgentProvidersService(prisma as unknown as PrismaService);
+    encryptionService = {
+      encryptIfNeeded: vi.fn((value: string) => `enc:${value}`),
+    };
+
+    service = new AgentProvidersService(
+      prisma as unknown as PrismaService,
+      encryptionService as unknown as EncryptionService
+    );
   });
 
   it("lists all provider configs", async () => {
@@ -111,6 +122,42 @@ describe("AgentProvidersService", () => {
         credentials: {},
       },
     });
+    expect(encryptionService.encryptIfNeeded).not.toHaveBeenCalled();
+    expect(result).toEqual(created);
+  });
+
+  it("encrypts openclaw token credentials when creating provider config", async () => {
+    const created = {
+      id: "cfg-openclaw",
+      workspaceId: "8bcd7eda-a122-4d6c-adfd-b152f6f75369",
+      name: "OpenClaw",
+      provider: "openclaw",
+      gatewayUrl: "https://openclaw.example.com",
+      credentials: { apiToken: "enc:top-secret" },
+      isActive: true,
+      createdAt: new Date("2026-03-07T18:00:00.000Z"),
+      updatedAt: new Date("2026-03-07T18:00:00.000Z"),
+    };
+    prisma.agentProviderConfig.create.mockResolvedValue(created);
+
+    const result = await service.create({
+      workspaceId: "8bcd7eda-a122-4d6c-adfd-b152f6f75369",
+      name: "OpenClaw",
+      provider: "openclaw",
+      gatewayUrl: "https://openclaw.example.com",
+      credentials: { apiToken: "top-secret" },
+    });
+
+    expect(encryptionService.encryptIfNeeded).toHaveBeenCalledWith("top-secret");
+    expect(prisma.agentProviderConfig.create).toHaveBeenCalledWith({
+      data: {
+        workspaceId: "8bcd7eda-a122-4d6c-adfd-b152f6f75369",
+        name: "OpenClaw",
+        provider: "openclaw",
+        gatewayUrl: "https://openclaw.example.com",
+        credentials: { apiToken: "enc:top-secret" },
+      },
+    });
     expect(result).toEqual(created);
   });
 
@@ -156,6 +203,47 @@ describe("AgentProvidersService", () => {
         isActive: false,
       },
     });
+    expect(encryptionService.encryptIfNeeded).not.toHaveBeenCalled();
+    expect(result).toEqual(updated);
+  });
+
+  it("encrypts openclaw token credentials when updating provider config", async () => {
+    prisma.agentProviderConfig.findUnique.mockResolvedValue({
+      id: "cfg-openclaw",
+      workspaceId: "8bcd7eda-a122-4d6c-adfd-b152f6f75369",
+      name: "OpenClaw",
+      provider: "openclaw",
+      gatewayUrl: "https://openclaw.example.com",
+      credentials: { apiToken: "enc:existing" },
+      isActive: true,
+      createdAt: new Date("2026-03-07T18:00:00.000Z"),
+      updatedAt: new Date("2026-03-07T18:00:00.000Z"),
+    });
+
+    const updated = {
+      id: "cfg-openclaw",
+      workspaceId: "8bcd7eda-a122-4d6c-adfd-b152f6f75369",
+      name: "OpenClaw",
+      provider: "openclaw",
+      gatewayUrl: "https://openclaw.example.com",
+      credentials: { apiToken: "enc:rotated-token" },
+      isActive: true,
+      createdAt: new Date("2026-03-07T18:00:00.000Z"),
+      updatedAt: new Date("2026-03-07T19:00:00.000Z"),
+    };
+    prisma.agentProviderConfig.update.mockResolvedValue(updated);
+
+    const result = await service.update("cfg-openclaw", {
+      credentials: { apiToken: "rotated-token" },
+    });
+
+    expect(encryptionService.encryptIfNeeded).toHaveBeenCalledWith("rotated-token");
+    expect(prisma.agentProviderConfig.update).toHaveBeenCalledWith({
+      where: { id: "cfg-openclaw" },
+      data: {
+        credentials: { apiToken: "enc:rotated-token" },
+      },
+    });
     expect(result).toEqual(updated);
   });
 

apps/orchestrator/src/api/agent-providers/agent-providers.service.ts

@@ -1,12 +1,19 @@
 import { Injectable, NotFoundException } from "@nestjs/common";
 import type { AgentProviderConfig, Prisma } from "@prisma/client";
+import { EncryptionService } from "../../security/encryption.service";
 import { PrismaService } from "../../prisma/prisma.service";
 import { CreateAgentProviderDto } from "./dto/create-agent-provider.dto";
 import { UpdateAgentProviderDto } from "./dto/update-agent-provider.dto";
 
+const OPENCLAW_PROVIDER_TYPE = "openclaw";
+const OPENCLAW_TOKEN_KEYS = ["apiToken", "token", "bearerToken"] as const;
+
 @Injectable()
 export class AgentProvidersService {
-  constructor(private readonly prisma: PrismaService) {}
+  constructor(
+    private readonly prisma: PrismaService,
+    private readonly encryptionService: EncryptionService
+  ) {}
 
   async list(): Promise<AgentProviderConfig[]> {
     return this.prisma.agentProviderConfig.findMany({
@@ -27,20 +34,23 @@ export class AgentProvidersService {
   }
 
   async create(dto: CreateAgentProviderDto): Promise<AgentProviderConfig> {
+    const credentials = this.sanitizeCredentials(dto.provider, dto.credentials ?? {});
+
     return this.prisma.agentProviderConfig.create({
       data: {
         workspaceId: dto.workspaceId,
         name: dto.name,
         provider: dto.provider,
         gatewayUrl: dto.gatewayUrl,
-        credentials: this.toJsonValue(dto.credentials ?? {}),
+        credentials: this.toJsonValue(credentials),
         ...(dto.isActive !== undefined ? { isActive: dto.isActive } : {}),
       },
     });
   }
 
   async update(id: string, dto: UpdateAgentProviderDto): Promise<AgentProviderConfig> {
-    await this.getById(id);
+    const existingConfig = await this.getById(id);
+    const provider = dto.provider ?? existingConfig.provider;
 
     const data: Prisma.AgentProviderConfigUpdateInput = {
       ...(dto.workspaceId !== undefined ? { workspaceId: dto.workspaceId } : {}),
@@ -48,7 +58,9 @@ export class AgentProvidersService {
       ...(dto.provider !== undefined ? { provider: dto.provider } : {}),
       ...(dto.gatewayUrl !== undefined ? { gatewayUrl: dto.gatewayUrl } : {}),
       ...(dto.isActive !== undefined ? { isActive: dto.isActive } : {}),
-      ...(dto.credentials !== undefined ? { credentials: this.toJsonValue(dto.credentials) } : {}),
+      ...(dto.credentials !== undefined
+        ? { credentials: this.toJsonValue(this.sanitizeCredentials(provider, dto.credentials)) }
+        : {}),
     };
 
     return this.prisma.agentProviderConfig.update({
@@ -65,6 +77,25 @@ export class AgentProvidersService {
     });
   }
 
+  private sanitizeCredentials(
+    provider: string,
+    credentials: Record<string, unknown>
+  ): Record<string, unknown> {
+    if (provider.toLowerCase() !== OPENCLAW_PROVIDER_TYPE) {
+      return credentials;
+    }
+
+    const nextCredentials: Record<string, unknown> = { ...credentials };
+    for (const key of OPENCLAW_TOKEN_KEYS) {
+      const tokenValue = nextCredentials[key];
+      if (typeof tokenValue === "string" && tokenValue.length > 0) {
+        nextCredentials[key] = this.encryptionService.encryptIfNeeded(tokenValue);
+      }
+    }
+
+    return nextCredentials;
+  }
+
   private toJsonValue(value: Record<string, unknown>): Prisma.InputJsonValue {
     return value as Prisma.InputJsonValue;
   }

apps/orchestrator/src/security/encryption.service.ts

@@ -1,6 +1,6 @@
 import { Injectable } from "@nestjs/common";
 import { ConfigService } from "@nestjs/config";
-import { createDecipheriv, hkdfSync } from "node:crypto";
+import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from "node:crypto";
 
 const ALGORITHM = "aes-256-gcm";
 const ENCRYPTED_PREFIX = "enc:";
@@ -16,6 +16,27 @@ export class EncryptionService {
 
   constructor(private readonly configService: ConfigService) {}
 
+  encryptIfNeeded(value: string): string {
+    if (this.isEncrypted(value)) {
+      return value;
+    }
+
+    return this.encrypt(value);
+  }
+
+  encrypt(plaintext: string): string {
+    try {
+      const iv = randomBytes(IV_LENGTH);
+      const cipher = createCipheriv(ALGORITHM, this.getOrCreateKey(), iv);
+      const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+      const authTag = cipher.getAuthTag();
+      const payload = Buffer.concat([iv, ciphertext, authTag]);
+      return `${ENCRYPTED_PREFIX}${payload.toString("base64")}`;
+    } catch {
+      throw new Error("Failed to encrypt value");
+    }
+  }
+
   decryptIfNeeded(value: string): string {
     if (!this.isEncrypted(value)) {
       return value;

apps/web/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mosaic/web",
-  "version": "0.0.20",
+  "version": "0.0.23",
   "private": true,
   "scripts": {
     "build": "next build",

docs/CHANGELOG.md

@@ -62,6 +62,39 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Updated Makefile with Traefik deployment shortcuts
 - Enhanced docker-compose.override.yml.example with Traefik examples
 
+## [0.0.23] - 2026-03-07
+
+### Added
+
+- **Mission Control Dashboard** — real-time agent orchestration UI at `/mission-control`
+  - Live SSE message streams per agent (`OrchestratorPanel`)
+  - Barge-in input with optional pause-before-send
+  - Pause / Resume / Graceful Kill / Force Kill controls per agent panel
+  - Global agent roster sidebar with tree view and per-agent kill
+  - KillAllDialog with scope selector (requires typing `KILL ALL` to confirm)
+  - AuditLogDrawer with paginated operator action history
+  - Responsive panel grid: up to 6 panels, add/remove, full-screen expand
+- **Agent Provider Interface** — extensible `IAgentProvider` plugin system
+  - `InternalAgentProvider` wrapping existing orchestrator services
+  - `AgentProviderRegistry` aggregating sessions across providers
+  - `AgentProviderConfig` CRUD API (`/api/agent-providers`)
+  - Mission Control proxy API (`/api/mission-control/*`) with SSE proxying and audit log
+- **OpenClaw Provider Adapter** — connect external OpenClaw instances
+  - `OpenClawProvider` implementing `IAgentProvider` against OpenClaw REST API
+  - Dedicated `OpenClawSseBridge` with retry logic (5 retries, 2s backoff)
+  - Provider config UI in Settings for registering OpenClaw gateways
+  - Tokens encrypted at rest via `EncryptionService` (AES-256-GCM)
+- **OperatorAuditLog** — every inject/pause/resume/kill persisted to DB
+
+### Changed
+
+- Orchestrator app: extended with `AgentsModule` exports for provider registry
+- Settings navigation: added "Agent Providers" section
+
+### Fixed
+
+- Flaky web tests: async query timing in Kanban and OnboardingWizard tests
+
 ## [0.0.1] - 2026-01-28
 
 ### Added
@@ -79,5 +112,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Documentation structure (Bookstack-compatible hierarchy)
 - Development workflow and coding standards
 
-[Unreleased]: https://git.mosaicstack.dev/mosaic/stack/compare/v0.0.1...HEAD
+[Unreleased]: https://git.mosaicstack.dev/mosaic/stack/compare/v0.0.23...HEAD
+[0.0.23]: https://git.mosaicstack.dev/mosaic/stack/releases/tag/v0.0.23
 [0.0.1]: https://git.mosaicstack.dev/mosaic/stack/releases/tag/v0.0.1

docs/ROADMAP.md

@@ -1,6 +1,6 @@
 # Mosaic Stack Roadmap
 
-**Last Updated:** 2026-01-29  
+**Last Updated:** 2026-03-07  
 **Authoritative Source:** [Issues & Milestones](https://git.mosaicstack.dev/mosaic/stack/issues)
 
 ## Versioning Policy
@@ -12,6 +12,20 @@
 | `0.x.y` | Pre-stable iteration, API may change with notice |
 | `1.0.0` | Stable release, public API contract              |
 
+## Release Track (Current)
+
+### ✅ v0.0.23 — Mission Control Dashboard (Complete)
+
+- Mission Control dashboard shipped at `/mission-control`
+- Agent provider plugin system and Mission Control proxy API shipped
+- OpenClaw provider adapter shipped with encrypted token storage
+- Operator audit logging persisted for inject/pause/resume/kill actions
+
+### 📋 v0.0.24 — Placeholder
+
+- Scope TBD (to be defined after v0.0.23 production deployment)
+- Initial release notes and roadmap breakdown pending
+
 ---
 
 ## Milestone Overview

package.json

@@ -1,6 +1,6 @@
 {
   "name": "mosaic-stack",
-  "version": "0.0.20",
+  "version": "0.0.23",
   "private": true,
   "type": "module",
   "packageManager": "pnpm@10.19.0",