chore: MS23-P4-001 QA gate — lint/typecheck/test all green #739

Merged
jason.woltje merged 1 commit from chore/ms23-p4-qa into main 2026-03-07 22:57:07 +00:00
Owner

Summary

  • run full QA gate for MS23 Phase 4 (lint, typecheck, scoped test) in isolated worktree branch
  • fix security gap found during P4-002 spot-check: OpenClaw provider tokens were not being encrypted on write
  • keep runtime compatibility by continuing to decrypt in OpenClaw provider path

QA Gate Evidence

All commands completed successfully with SKIP_ENV_VALIDATION=true:

  • pnpm turbo lint
  • pnpm turbo typecheck
  • pnpm turbo test --filter=@mosaic/web --filter=@mosaic/orchestrator --filter=@mosaic/api

Security Review (P4-002)

  1. Mission Control endpoint auth: PASS
    • MissionControlController is class-guarded with @UseGuards(AuthGuard).
  2. Barge-in rate limiting: KNOWN GAP (non-blocking for this gate)
    • POST /api/mission-control/sessions/:sessionId/inject has auth + validation but no throttling decorator/guard override.
  3. Audit log delete protection: PASS
    • No @Delete endpoint exists for Mission Control audit log routes.
  4. OpenClaw token encryption at rest: PASS (fixed in this PR)
    • OpenClaw credential token keys are encrypted on create/update in AgentProvidersService via EncryptionService.encryptIfNeeded.
    • OpenClaw runtime still decrypts via OpenClawProvider/OpenClawProviderFactory.

Notes

  • Initial lint failures in a fresh worktree were caused by missing generated Prisma client types; resolved by running pnpm --filter @mosaic/orchestrator prisma:generate before QA reruns.

Closes #697

jason.woltje added 1 commit 2026-03-07 22:56:37 +00:00
fix(orchestrator): encrypt OpenClaw provider tokens at rest
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
d60165572a
jason.woltje merged commit fe55363f38 into main 2026-03-07 22:57:07 +00:00