Compare commits
8 Commits
test/ms23-
...
fix/missio
| Author | SHA1 | Date | |
|---|---|---|---|
| e80b624ca6 | |||
| 65536fcb75 | |||
| 53915dc621 | |||
| 398ee06920 | |||
| 2182717f59 | |||
| fe55363f38 | |||
| d60165572a | |||
| ff73fbd391 |
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@mosaic/orchestrator",
|
||||
"version": "0.0.20",
|
||||
"version": "0.0.23",
|
||||
"private": true,
|
||||
"scripts": {
|
||||
"build": "nest build",
|
||||
|
||||
@@ -1,12 +1,13 @@
|
||||
import { Module } from "@nestjs/common";
|
||||
import { PrismaModule } from "../../prisma/prisma.module";
|
||||
import { OrchestratorApiKeyGuard } from "../../common/guards/api-key.guard";
|
||||
import { EncryptionService } from "../../security/encryption.service";
|
||||
import { AgentProvidersController } from "./agent-providers.controller";
|
||||
import { AgentProvidersService } from "./agent-providers.service";
|
||||
|
||||
@Module({
|
||||
imports: [PrismaModule],
|
||||
controllers: [AgentProvidersController],
|
||||
providers: [OrchestratorApiKeyGuard, AgentProvidersService],
|
||||
providers: [OrchestratorApiKeyGuard, EncryptionService, AgentProvidersService],
|
||||
})
|
||||
export class AgentProvidersModule {}
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
import { beforeEach, describe, expect, it, vi } from "vitest";
|
||||
import { NotFoundException } from "@nestjs/common";
|
||||
import { EncryptionService } from "../../security/encryption.service";
|
||||
import { AgentProvidersService } from "./agent-providers.service";
|
||||
import { PrismaService } from "../../prisma/prisma.service";
|
||||
|
||||
@@ -14,6 +15,9 @@ describe("AgentProvidersService", () => {
|
||||
delete: ReturnType<typeof vi.fn>;
|
||||
};
|
||||
};
|
||||
let encryptionService: {
|
||||
encryptIfNeeded: ReturnType<typeof vi.fn>;
|
||||
};
|
||||
|
||||
beforeEach(() => {
|
||||
prisma = {
|
||||
@@ -26,7 +30,14 @@ describe("AgentProvidersService", () => {
|
||||
},
|
||||
};
|
||||
|
||||
service = new AgentProvidersService(prisma as unknown as PrismaService);
|
||||
encryptionService = {
|
||||
encryptIfNeeded: vi.fn((value: string) => `enc:${value}`),
|
||||
};
|
||||
|
||||
service = new AgentProvidersService(
|
||||
prisma as unknown as PrismaService,
|
||||
encryptionService as unknown as EncryptionService
|
||||
);
|
||||
});
|
||||
|
||||
it("lists all provider configs", async () => {
|
||||
@@ -111,6 +122,42 @@ describe("AgentProvidersService", () => {
|
||||
credentials: {},
|
||||
},
|
||||
});
|
||||
expect(encryptionService.encryptIfNeeded).not.toHaveBeenCalled();
|
||||
expect(result).toEqual(created);
|
||||
});
|
||||
|
||||
it("encrypts openclaw token credentials when creating provider config", async () => {
|
||||
const created = {
|
||||
id: "cfg-openclaw",
|
||||
workspaceId: "8bcd7eda-a122-4d6c-adfd-b152f6f75369",
|
||||
name: "OpenClaw",
|
||||
provider: "openclaw",
|
||||
gatewayUrl: "https://openclaw.example.com",
|
||||
credentials: { apiToken: "enc:top-secret" },
|
||||
isActive: true,
|
||||
createdAt: new Date("2026-03-07T18:00:00.000Z"),
|
||||
updatedAt: new Date("2026-03-07T18:00:00.000Z"),
|
||||
};
|
||||
prisma.agentProviderConfig.create.mockResolvedValue(created);
|
||||
|
||||
const result = await service.create({
|
||||
workspaceId: "8bcd7eda-a122-4d6c-adfd-b152f6f75369",
|
||||
name: "OpenClaw",
|
||||
provider: "openclaw",
|
||||
gatewayUrl: "https://openclaw.example.com",
|
||||
credentials: { apiToken: "top-secret" },
|
||||
});
|
||||
|
||||
expect(encryptionService.encryptIfNeeded).toHaveBeenCalledWith("top-secret");
|
||||
expect(prisma.agentProviderConfig.create).toHaveBeenCalledWith({
|
||||
data: {
|
||||
workspaceId: "8bcd7eda-a122-4d6c-adfd-b152f6f75369",
|
||||
name: "OpenClaw",
|
||||
provider: "openclaw",
|
||||
gatewayUrl: "https://openclaw.example.com",
|
||||
credentials: { apiToken: "enc:top-secret" },
|
||||
},
|
||||
});
|
||||
expect(result).toEqual(created);
|
||||
});
|
||||
|
||||
@@ -156,6 +203,47 @@ describe("AgentProvidersService", () => {
|
||||
isActive: false,
|
||||
},
|
||||
});
|
||||
expect(encryptionService.encryptIfNeeded).not.toHaveBeenCalled();
|
||||
expect(result).toEqual(updated);
|
||||
});
|
||||
|
||||
it("encrypts openclaw token credentials when updating provider config", async () => {
|
||||
prisma.agentProviderConfig.findUnique.mockResolvedValue({
|
||||
id: "cfg-openclaw",
|
||||
workspaceId: "8bcd7eda-a122-4d6c-adfd-b152f6f75369",
|
||||
name: "OpenClaw",
|
||||
provider: "openclaw",
|
||||
gatewayUrl: "https://openclaw.example.com",
|
||||
credentials: { apiToken: "enc:existing" },
|
||||
isActive: true,
|
||||
createdAt: new Date("2026-03-07T18:00:00.000Z"),
|
||||
updatedAt: new Date("2026-03-07T18:00:00.000Z"),
|
||||
});
|
||||
|
||||
const updated = {
|
||||
id: "cfg-openclaw",
|
||||
workspaceId: "8bcd7eda-a122-4d6c-adfd-b152f6f75369",
|
||||
name: "OpenClaw",
|
||||
provider: "openclaw",
|
||||
gatewayUrl: "https://openclaw.example.com",
|
||||
credentials: { apiToken: "enc:rotated-token" },
|
||||
isActive: true,
|
||||
createdAt: new Date("2026-03-07T18:00:00.000Z"),
|
||||
updatedAt: new Date("2026-03-07T19:00:00.000Z"),
|
||||
};
|
||||
prisma.agentProviderConfig.update.mockResolvedValue(updated);
|
||||
|
||||
const result = await service.update("cfg-openclaw", {
|
||||
credentials: { apiToken: "rotated-token" },
|
||||
});
|
||||
|
||||
expect(encryptionService.encryptIfNeeded).toHaveBeenCalledWith("rotated-token");
|
||||
expect(prisma.agentProviderConfig.update).toHaveBeenCalledWith({
|
||||
where: { id: "cfg-openclaw" },
|
||||
data: {
|
||||
credentials: { apiToken: "enc:rotated-token" },
|
||||
},
|
||||
});
|
||||
expect(result).toEqual(updated);
|
||||
});
|
||||
|
||||
|
||||
@@ -1,12 +1,19 @@
|
||||
import { Injectable, NotFoundException } from "@nestjs/common";
|
||||
import type { AgentProviderConfig, Prisma } from "@prisma/client";
|
||||
import { EncryptionService } from "../../security/encryption.service";
|
||||
import { PrismaService } from "../../prisma/prisma.service";
|
||||
import { CreateAgentProviderDto } from "./dto/create-agent-provider.dto";
|
||||
import { UpdateAgentProviderDto } from "./dto/update-agent-provider.dto";
|
||||
|
||||
const OPENCLAW_PROVIDER_TYPE = "openclaw";
|
||||
const OPENCLAW_TOKEN_KEYS = ["apiToken", "token", "bearerToken"] as const;
|
||||
|
||||
@Injectable()
|
||||
export class AgentProvidersService {
|
||||
constructor(private readonly prisma: PrismaService) {}
|
||||
constructor(
|
||||
private readonly prisma: PrismaService,
|
||||
private readonly encryptionService: EncryptionService
|
||||
) {}
|
||||
|
||||
async list(): Promise<AgentProviderConfig[]> {
|
||||
return this.prisma.agentProviderConfig.findMany({
|
||||
@@ -27,20 +34,23 @@ export class AgentProvidersService {
|
||||
}
|
||||
|
||||
async create(dto: CreateAgentProviderDto): Promise<AgentProviderConfig> {
|
||||
const credentials = this.sanitizeCredentials(dto.provider, dto.credentials ?? {});
|
||||
|
||||
return this.prisma.agentProviderConfig.create({
|
||||
data: {
|
||||
workspaceId: dto.workspaceId,
|
||||
name: dto.name,
|
||||
provider: dto.provider,
|
||||
gatewayUrl: dto.gatewayUrl,
|
||||
credentials: this.toJsonValue(dto.credentials ?? {}),
|
||||
credentials: this.toJsonValue(credentials),
|
||||
...(dto.isActive !== undefined ? { isActive: dto.isActive } : {}),
|
||||
},
|
||||
});
|
||||
}
|
||||
|
||||
async update(id: string, dto: UpdateAgentProviderDto): Promise<AgentProviderConfig> {
|
||||
await this.getById(id);
|
||||
const existingConfig = await this.getById(id);
|
||||
const provider = dto.provider ?? existingConfig.provider;
|
||||
|
||||
const data: Prisma.AgentProviderConfigUpdateInput = {
|
||||
...(dto.workspaceId !== undefined ? { workspaceId: dto.workspaceId } : {}),
|
||||
@@ -48,7 +58,9 @@ export class AgentProvidersService {
|
||||
...(dto.provider !== undefined ? { provider: dto.provider } : {}),
|
||||
...(dto.gatewayUrl !== undefined ? { gatewayUrl: dto.gatewayUrl } : {}),
|
||||
...(dto.isActive !== undefined ? { isActive: dto.isActive } : {}),
|
||||
...(dto.credentials !== undefined ? { credentials: this.toJsonValue(dto.credentials) } : {}),
|
||||
...(dto.credentials !== undefined
|
||||
? { credentials: this.toJsonValue(this.sanitizeCredentials(provider, dto.credentials)) }
|
||||
: {}),
|
||||
};
|
||||
|
||||
return this.prisma.agentProviderConfig.update({
|
||||
@@ -65,6 +77,25 @@ export class AgentProvidersService {
|
||||
});
|
||||
}
|
||||
|
||||
private sanitizeCredentials(
|
||||
provider: string,
|
||||
credentials: Record<string, unknown>
|
||||
): Record<string, unknown> {
|
||||
if (provider.toLowerCase() !== OPENCLAW_PROVIDER_TYPE) {
|
||||
return credentials;
|
||||
}
|
||||
|
||||
const nextCredentials: Record<string, unknown> = { ...credentials };
|
||||
for (const key of OPENCLAW_TOKEN_KEYS) {
|
||||
const tokenValue = nextCredentials[key];
|
||||
if (typeof tokenValue === "string" && tokenValue.length > 0) {
|
||||
nextCredentials[key] = this.encryptionService.encryptIfNeeded(tokenValue);
|
||||
}
|
||||
}
|
||||
|
||||
return nextCredentials;
|
||||
}
|
||||
|
||||
private toJsonValue(value: Record<string, unknown>): Prisma.InputJsonValue {
|
||||
return value as Prisma.InputJsonValue;
|
||||
}
|
||||
|
||||
@@ -146,7 +146,7 @@ export class AgentsController {
|
||||
* Return recent orchestrator events for non-streaming consumers.
|
||||
*/
|
||||
@Get("events/recent")
|
||||
@Throttle({ status: { limit: 200, ttl: 60000 } })
|
||||
@Throttle({ default: { limit: 1000, ttl: 60000 } })
|
||||
getRecentEvents(@Query("limit") limit?: string): {
|
||||
events: ReturnType<AgentEventsService["getRecentEvents"]>;
|
||||
} {
|
||||
|
||||
@@ -4,6 +4,6 @@ import { AuthGuard } from "./guards/auth.guard";
|
||||
|
||||
@Module({
|
||||
providers: [OrchestratorApiKeyGuard, AuthGuard],
|
||||
exports: [AuthGuard],
|
||||
exports: [OrchestratorApiKeyGuard, AuthGuard],
|
||||
})
|
||||
export class AuthModule {}
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
import { Injectable } from "@nestjs/common";
|
||||
import { ConfigService } from "@nestjs/config";
|
||||
import { createDecipheriv, hkdfSync } from "node:crypto";
|
||||
import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from "node:crypto";
|
||||
|
||||
const ALGORITHM = "aes-256-gcm";
|
||||
const ENCRYPTED_PREFIX = "enc:";
|
||||
@@ -16,6 +16,27 @@ export class EncryptionService {
|
||||
|
||||
constructor(private readonly configService: ConfigService) {}
|
||||
|
||||
encryptIfNeeded(value: string): string {
|
||||
if (this.isEncrypted(value)) {
|
||||
return value;
|
||||
}
|
||||
|
||||
return this.encrypt(value);
|
||||
}
|
||||
|
||||
encrypt(plaintext: string): string {
|
||||
try {
|
||||
const iv = randomBytes(IV_LENGTH);
|
||||
const cipher = createCipheriv(ALGORITHM, this.getOrCreateKey(), iv);
|
||||
const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
|
||||
const authTag = cipher.getAuthTag();
|
||||
const payload = Buffer.concat([iv, ciphertext, authTag]);
|
||||
return `${ENCRYPTED_PREFIX}${payload.toString("base64")}`;
|
||||
} catch {
|
||||
throw new Error("Failed to encrypt value");
|
||||
}
|
||||
}
|
||||
|
||||
decryptIfNeeded(value: string): string {
|
||||
if (!this.isEncrypted(value)) {
|
||||
return value;
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@mosaic/web",
|
||||
"version": "0.0.20",
|
||||
"version": "0.0.23",
|
||||
"private": true,
|
||||
"scripts": {
|
||||
"build": "next build",
|
||||
|
||||
@@ -44,6 +44,25 @@ interface AuditLogResponse {
|
||||
total: number;
|
||||
page: number;
|
||||
pages: number;
|
||||
notice?: string;
|
||||
}
|
||||
|
||||
function createEmptyAuditLogResponse(page: number, notice?: string): AuditLogResponse {
|
||||
return {
|
||||
items: [],
|
||||
total: 0,
|
||||
page,
|
||||
pages: 0,
|
||||
...(notice !== undefined ? { notice } : {}),
|
||||
};
|
||||
}
|
||||
|
||||
function isRateLimitError(error: unknown): boolean {
|
||||
if (!(error instanceof Error)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return /429|rate limit|too many requests/i.test(error.message);
|
||||
}
|
||||
|
||||
function isRecord(value: unknown): value is Record<string, unknown> {
|
||||
@@ -138,7 +157,15 @@ async function fetchAuditLog(
|
||||
params.set("sessionId", normalizedSessionId);
|
||||
}
|
||||
|
||||
return apiGet<AuditLogResponse>(`/api/mission-control/audit-log?${params.toString()}`);
|
||||
try {
|
||||
return await apiGet<AuditLogResponse>(`/api/mission-control/audit-log?${params.toString()}`);
|
||||
} catch (error) {
|
||||
if (isRateLimitError(error)) {
|
||||
return createEmptyAuditLogResponse(page, "Rate limited - retrying...");
|
||||
}
|
||||
|
||||
return createEmptyAuditLogResponse(page);
|
||||
}
|
||||
}
|
||||
|
||||
export function AuditLogDrawer({ sessionId, trigger }: AuditLogDrawerProps): React.JSX.Element {
|
||||
@@ -180,11 +207,10 @@ export function AuditLogDrawer({ sessionId, trigger }: AuditLogDrawerProps): Rea
|
||||
const totalItems = auditLogQuery.data?.total ?? 0;
|
||||
const totalPages = auditLogQuery.data?.pages ?? 0;
|
||||
const items = auditLogQuery.data?.items ?? [];
|
||||
const notice = auditLogQuery.data?.notice;
|
||||
|
||||
const canGoPrevious = page > 1;
|
||||
const canGoNext = totalPages > 0 && page < totalPages;
|
||||
const errorMessage =
|
||||
auditLogQuery.error instanceof Error ? auditLogQuery.error.message : "Failed to load audit log";
|
||||
|
||||
return (
|
||||
<Sheet open={open} onOpenChange={setOpen}>
|
||||
@@ -237,10 +263,10 @@ export function AuditLogDrawer({ sessionId, trigger }: AuditLogDrawerProps): Rea
|
||||
Loading audit log...
|
||||
</td>
|
||||
</tr>
|
||||
) : auditLogQuery.error ? (
|
||||
) : notice ? (
|
||||
<tr>
|
||||
<td colSpan={5} className="px-3 py-6 text-center text-sm text-red-500">
|
||||
{errorMessage}
|
||||
<td colSpan={5} className="px-3 py-6 text-center text-sm text-muted-foreground">
|
||||
{notice}
|
||||
</td>
|
||||
</tr>
|
||||
) : items.length === 0 ? (
|
||||
|
||||
@@ -62,6 +62,39 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||
- Updated Makefile with Traefik deployment shortcuts
|
||||
- Enhanced docker-compose.override.yml.example with Traefik examples
|
||||
|
||||
## [0.0.23] - 2026-03-07
|
||||
|
||||
### Added
|
||||
|
||||
- **Mission Control Dashboard** — real-time agent orchestration UI at `/mission-control`
|
||||
- Live SSE message streams per agent (`OrchestratorPanel`)
|
||||
- Barge-in input with optional pause-before-send
|
||||
- Pause / Resume / Graceful Kill / Force Kill controls per agent panel
|
||||
- Global agent roster sidebar with tree view and per-agent kill
|
||||
- KillAllDialog with scope selector (requires typing `KILL ALL` to confirm)
|
||||
- AuditLogDrawer with paginated operator action history
|
||||
- Responsive panel grid: up to 6 panels, add/remove, full-screen expand
|
||||
- **Agent Provider Interface** — extensible `IAgentProvider` plugin system
|
||||
- `InternalAgentProvider` wrapping existing orchestrator services
|
||||
- `AgentProviderRegistry` aggregating sessions across providers
|
||||
- `AgentProviderConfig` CRUD API (`/api/agent-providers`)
|
||||
- Mission Control proxy API (`/api/mission-control/*`) with SSE proxying and audit log
|
||||
- **OpenClaw Provider Adapter** — connect external OpenClaw instances
|
||||
- `OpenClawProvider` implementing `IAgentProvider` against OpenClaw REST API
|
||||
- Dedicated `OpenClawSseBridge` with retry logic (5 retries, 2s backoff)
|
||||
- Provider config UI in Settings for registering OpenClaw gateways
|
||||
- Tokens encrypted at rest via `EncryptionService` (AES-256-GCM)
|
||||
- **OperatorAuditLog** — every inject/pause/resume/kill persisted to DB
|
||||
|
||||
### Changed
|
||||
|
||||
- Orchestrator app: extended with `AgentsModule` exports for provider registry
|
||||
- Settings navigation: added "Agent Providers" section
|
||||
|
||||
### Fixed
|
||||
|
||||
- Flaky web tests: async query timing in Kanban and OnboardingWizard tests
|
||||
|
||||
## [0.0.1] - 2026-01-28
|
||||
|
||||
### Added
|
||||
@@ -79,5 +112,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
||||
- Documentation structure (Bookstack-compatible hierarchy)
|
||||
- Development workflow and coding standards
|
||||
|
||||
[Unreleased]: https://git.mosaicstack.dev/mosaic/stack/compare/v0.0.1...HEAD
|
||||
[Unreleased]: https://git.mosaicstack.dev/mosaic/stack/compare/v0.0.23...HEAD
|
||||
[0.0.23]: https://git.mosaicstack.dev/mosaic/stack/releases/tag/v0.0.23
|
||||
[0.0.1]: https://git.mosaicstack.dev/mosaic/stack/releases/tag/v0.0.1
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
# Mosaic Stack Roadmap
|
||||
|
||||
**Last Updated:** 2026-01-29
|
||||
**Last Updated:** 2026-03-07
|
||||
**Authoritative Source:** [Issues & Milestones](https://git.mosaicstack.dev/mosaic/stack/issues)
|
||||
|
||||
## Versioning Policy
|
||||
@@ -12,6 +12,20 @@
|
||||
| `0.x.y` | Pre-stable iteration, API may change with notice |
|
||||
| `1.0.0` | Stable release, public API contract |
|
||||
|
||||
## Release Track (Current)
|
||||
|
||||
### ✅ v0.0.23 — Mission Control Dashboard (Complete)
|
||||
|
||||
- Mission Control dashboard shipped at `/mission-control`
|
||||
- Agent provider plugin system and Mission Control proxy API shipped
|
||||
- OpenClaw provider adapter shipped with encrypted token storage
|
||||
- Operator audit logging persisted for inject/pause/resume/kill actions
|
||||
|
||||
### 📋 v0.0.24 — Placeholder
|
||||
|
||||
- Scope TBD (to be defined after v0.0.23 production deployment)
|
||||
- Initial release notes and roadmap breakdown pending
|
||||
|
||||
---
|
||||
|
||||
## Milestone Overview
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "mosaic-stack",
|
||||
"version": "0.0.20",
|
||||
"version": "0.0.23",
|
||||
"private": true,
|
||||
"type": "module",
|
||||
"packageManager": "pnpm@10.19.0",
|
||||
|
||||
Reference in New Issue
Block a user