# Tasks ## M10-Telemetry (0.0.10) — Telemetry Integration **Orchestrator:** Claude Code **Started:** 2026-02-15 **Branch:** feature/m10-telemetry **Milestone:** M10-Telemetry (0.0.10) | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | | ------- | ------ | ------------------------------------------------------------ | ----- | ----------- | --------------------- | --------------- | ----------------------- | ----- | ----------------- | ----------------- | -------- | ---- | | TEL-001 | done | Install @mosaicstack/telemetry-client in API + NestJS module | #369 | api | feature/m10-telemetry | | TEL-004,TEL-006,TEL-007 | w-1 | 2026-02-15T10:00Z | 2026-02-15T10:37Z | 20K | 25K | | TEL-002 | done | Install mosaicstack-telemetry in Coordinator | #370 | coordinator | feature/m10-telemetry | | TEL-005,TEL-006 | w-2 | 2026-02-15T10:00Z | 2026-02-15T10:34Z | 15K | 20K | | TEL-003 | done | Add telemetry config to docker-compose and .env | #374 | devops | feature/m10-telemetry | | | w-3 | 2026-02-15T10:38Z | 2026-02-15T10:40Z | 8K | 10K | | TEL-004 | done | Track LLM task completions via Mosaic Telemetry | #371 | api | feature/m10-telemetry | TEL-001 | TEL-007 | w-4 | 2026-02-15T10:38Z | 2026-02-15T10:44Z | 25K | 30K | | TEL-005 | done | Track orchestrator agent task completions | #372 | coordinator | feature/m10-telemetry | TEL-002 | | w-5 | 2026-02-15T10:45Z | 2026-02-15T10:52Z | 20K | 25K | | TEL-006 | done | Prediction integration for cost estimation | #373 | api | feature/m10-telemetry | TEL-001,TEL-002 | TEL-007 | w-6 | 2026-02-15T10:45Z | 2026-02-15T10:51Z | 20K | 25K | | TEL-007 | done | Frontend: Token usage and cost dashboard | #375 | web | feature/m10-telemetry | TEL-004,TEL-006 | TEL-008 | w-7 | 2026-02-15T10:53Z | 2026-02-15T11:03Z | 30K | 115K | | TEL-008 | done | Documentation: Telemetry integration guide | #376 | docs | feature/m10-telemetry | TEL-007 | | w-8 | 2026-02-15T10:53Z | 2026-02-15T10:58Z | 15K | 75K | --- ## M11-CIPipeline (0.0.11) — CI Pipeline #360 Remediation **Orchestrator:** Claude Code **Started:** 2026-02-12 **Branch:** fix/ci-\* **Epic:** #360 ### CI Fix Round 6 | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | | ----------- | ------ | -------------------------------------------------------------------------------------------- | ----- | ------------ | ---------- | ----------------------- | ----------- | ----- | ----------------- | ----------------- | -------- | ---- | | CI-FIX6-001 | done | Add @mosaic/ui build to web.yml build-shared step (fixes 10 test suites + 20 typecheck errs) | | ci | fix/ci-366 | | CI-FIX6-003 | w-14 | 2026-02-12T21:00Z | 2026-02-12T21:01Z | 3K | 3K | | CI-FIX6-002 | done | Move spec file removal to builder stage (layer-aware); add tar CVEs to .trivyignore | | orchestrator | fix/ci-366 | | CI-FIX6-004 | w-15 | 2026-02-12T21:00Z | 2026-02-12T21:15Z | 3K | 5K | | CI-FIX6-003 | done | Add React.ChangeEvent types to ~10 web files with untyped event handlers (49 lint + 19 TS) | | web | fix/ci-366 | CI-FIX6-001 | CI-FIX6-004 | w-16 | 2026-02-12T21:02Z | 2026-02-12T21:08Z | 12K | 8K | | CI-FIX6-004 | done | Verification: pnpm lint && pnpm typecheck && pnpm test on web; Dockerfile find validation | | all | fix/ci-366 | CI-FIX6-002,CI-FIX6-003 | | orch | 2026-02-12T21:08Z | 2026-02-12T21:10Z | 5K | 2K | --- ## M12-MatrixBridge (0.0.12) — Matrix/Element Bridge Integration **Orchestrator:** Claude Code **Started:** 2026-02-15 **Branch:** feature/m12-matrix-bridge **Epic:** #377 | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | | ------ | ------ | --------------------------------------------------------------- | ----- | ------ | ------------------------- | ----------------------------------------- | ----------------------------------------- | -------- | ----------------- | ----------------- | -------- | ---- | | MB-001 | done | Install matrix-bot-sdk and create MatrixService skeleton | #378 | api | feature/m12-matrix-bridge | | MB-003,MB-004,MB-005,MB-006,MB-007,MB-008 | worker-1 | 2026-02-15T10:00Z | 2026-02-15T10:20Z | 20K | 15K | | MB-002 | done | Add Synapse + Element Web to docker-compose for dev | #384 | docker | feature/m12-matrix-bridge | | | worker-2 | 2026-02-15T10:00Z | 2026-02-15T10:15Z | 15K | 5K | | MB-003 | done | Register MatrixService in BridgeModule with conditional loading | #379 | api | feature/m12-matrix-bridge | MB-001 | MB-008 | worker-3 | 2026-02-15T10:25Z | 2026-02-15T10:35Z | 12K | 20K | | MB-004 | done | Workspace-to-Matrix-Room mapping and provisioning | #380 | api | feature/m12-matrix-bridge | MB-001 | MB-005,MB-006,MB-008 | worker-4 | 2026-02-15T10:25Z | 2026-02-15T10:35Z | 20K | 39K | | MB-005 | done | Matrix command handling — receive and dispatch commands | #381 | api | feature/m12-matrix-bridge | MB-001,MB-004 | MB-007,MB-008 | worker-5 | 2026-02-15T10:40Z | 2026-02-15T14:27Z | 20K | 27K | | MB-006 | done | Herald Service: Add Matrix output adapter | #382 | api | feature/m12-matrix-bridge | MB-001,MB-004 | MB-008 | worker-6 | 2026-02-15T10:40Z | 2026-02-15T14:25Z | 18K | 109K | | MB-007 | done | Streaming AI responses via Matrix message edits | #383 | api | feature/m12-matrix-bridge | MB-001,MB-005 | MB-008 | worker-7 | 2026-02-15T14:30Z | 2026-02-15T14:35Z | 20K | 28K | | MB-008 | done | Matrix bridge E2E integration tests | #385 | api | feature/m12-matrix-bridge | MB-001,MB-003,MB-004,MB-005,MB-006,MB-007 | MB-009 | worker-8 | 2026-02-15T14:38Z | 2026-02-15T14:40Z | 25K | 35K | | MB-009 | done | Documentation: Matrix bridge setup and architecture | #386 | docs | feature/m12-matrix-bridge | MB-008 | | worker-9 | 2026-02-15T14:38Z | 2026-02-15T14:39Z | 10K | 12K | | MB-010 | done | Sample Matrix swarm deployment compose file | #387 | docker | feature/m12-matrix-bridge | | | | | 2026-02-15 | 0 | 0 | | MB-011 | done | Remediate code review and security review findings | #377 | api | feature/m12-matrix-bridge | MB-001..MB-010 | | worker-10 | 2026-02-15T15:00Z | 2026-02-15T15:10Z | 30K | 145K | ### Phase Summary | Phase | Tasks | Description | | ---------------------- | -------------- | --------------------------------------- | | 1 - Foundation | MB-001, MB-002 | SDK install, dev infrastructure | | 2 - Module Integration | MB-003, MB-004 | Module registration, DB mapping | | 3 - Core Features | MB-005, MB-006 | Command handling, Herald adapter | | 4 - Advanced Features | MB-007 | Streaming responses | | 5 - Testing | MB-008 | E2E integration tests | | 6 - Documentation | MB-009 | Setup guide, architecture docs | | 7 - Review Remediation | MB-011 | Fix all code review + security findings | ### Review Findings Resolved (MB-011) | # | Severity | Finding | Fix | | --- | -------- | ---------------------------------------------------------- | -------------------------------------------------------------- | | 1 | CRITICAL | sendThreadMessage hardcodes controlRoomId — wrong room | Added channelId to ThreadMessageOptions, use options.channelId | | 2 | CRITICAL | void handleRoomMessage swallows ALL errors | Added .catch() with logger.error | | 3 | CRITICAL | handleFixCommand: dead thread on dispatch failure | Wrapped dispatch in try-catch with user-visible error | | 4 | CRITICAL | provisionRoom: orphaned Matrix room on DB failure | try-catch around DB update with logged warning | | 5 | HIGH | Missing MATRIX_BOT_USER_ID validation (infinite loop risk) | Added throw in connect() if missing | | 6 | HIGH | streamResponse finally block can throw/mask errors | Wrapped setTypingIndicator in nested try-catch | | 7 | HIGH | streamResponse catch editMessage can throw/mask | Wrapped editMessage in nested try-catch | | 8 | HIGH | HeraldService error log missing provider identity | Added provider.constructor.name to error log | | 9 | HIGH | MatrixRoomService uses unsafe type assertion | Replaced with public getClient() method | | 10 | HIGH | BridgeModule factory incomplete env var validation | Added warnings for missing vars when token set | | 11 | MEDIUM | setup-bot.sh JSON injection via shell variables | Replaced with jq -n for safe JSON construction | ### Notes - #387 already completed in commit 6e20fc5 - #377 is the EPIC issue — closed after all reviews remediated - 187 tests passing after remediation (41 matrix, 20 streaming, 10 room, 26 integration, 27 herald, 25 discord, + others) --- ## M13-SpeechServices (0.0.13) — TTS & STT Integration **Orchestrator:** Claude Code **Started:** 2026-02-15 **Branch:** feature/m13-speech-services **Milestone:** M13-SpeechServices (0.0.13) **Epic:** #388 ### Phase 1: Foundation (Config + Module + Providers) | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | notes | | ---------- | ------ | ------------------------------------------------------------------------ | ----- | ---- | --------------------------- | ---------- | -------------------------------- | -------- | ----------------- | ----------------- | -------- | ---- | ----------------- | | SP-CFG-001 | done | #401: Speech services environment variables and ConfigModule integration | #401 | api | feature/m13-speech-services | | SP-MOD-001,SP-DOC-001 | worker-1 | 2026-02-15T06:00Z | 2026-02-15T06:07Z | 15K | 15K | 51 tests, 4cc43be | | SP-MOD-001 | done | #389: Create SpeechModule with provider abstraction layer | #389 | api | feature/m13-speech-services | SP-CFG-001 | SP-STT-001,SP-TTS-001,SP-MID-001 | worker-2 | 2026-02-15T06:08Z | 2026-02-15T06:14Z | 25K | 25K | 27 tests, c40373f | ### Phase 2: Providers (STT + TTS) | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | notes | | ---------- | ------ | ---------------------------------------------------------------------- | ----- | ---- | --------------------------- | ---------- | ------------------------------------------ | -------- | ----------------- | ----------------- | -------- | ---- | ----------------- | | SP-STT-001 | done | #390: Implement STT provider with Speaches/faster-whisper integration | #390 | api | feature/m13-speech-services | SP-MOD-001 | SP-EP-001,SP-WS-001 | worker-4 | 2026-02-15T06:15Z | 2026-02-15T06:25Z | 20K | 50K | 27 tests, 3ae9e53 | | SP-TTS-001 | done | #391: Implement tiered TTS provider architecture | #391 | api | feature/m13-speech-services | SP-MOD-001 | SP-TTS-002,SP-TTS-003,SP-TTS-004,SP-EP-002 | worker-5 | 2026-02-15T06:15Z | 2026-02-15T06:25Z | 20K | 35K | 30 tests, b5edb4f | | SP-TTS-002 | done | #393: Implement Kokoro-FastAPI TTS provider (default tier) | #393 | api | feature/m13-speech-services | SP-TTS-001 | SP-EP-002 | worker-6 | 2026-02-15T06:26Z | 2026-02-15T06:33Z | 15K | 25K | 48 tests, 79b1d81 | | SP-TTS-003 | done | #394: Implement Chatterbox TTS provider (premium tier, voice cloning) | #394 | api | feature/m13-speech-services | SP-TTS-001 | SP-EP-002 | worker-7 | 2026-02-15T06:26Z | 2026-02-15T06:34Z | 15K | 25K | 26 tests, d37c78f | | SP-TTS-004 | done | #395: Implement Piper TTS provider via OpenedAI Speech (fallback tier) | #395 | api | feature/m13-speech-services | SP-TTS-001 | SP-EP-002 | worker-8 | 2026-02-15T06:35Z | 2026-02-15T06:44Z | 12K | 15K | 37 tests, 6c46556 | ### Phase 3: Middleware + REST Endpoints | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | notes | | ---------- | ------ | ---------------------------------------------------------- | ----- | ---- | --------------------------- | ------------------------------------------- | ------------------- | --------- | ----------------- | ----------------- | -------- | ---- | ----------------- | | SP-MID-001 | done | #398: Audio format validation and preprocessing middleware | #398 | api | feature/m13-speech-services | SP-MOD-001 | SP-EP-001,SP-EP-002 | worker-9 | 2026-02-15T06:35Z | 2026-02-15T06:42Z | 15K | 25K | 36 tests, 7b4fda6 | | SP-EP-001 | done | #392: Create /api/speech/transcribe REST endpoint | #392 | api | feature/m13-speech-services | SP-STT-001,SP-MID-001 | SP-WS-001,SP-FE-001 | worker-10 | 2026-02-15T06:45Z | 2026-02-15T06:52Z | 20K | 25K | 10 tests, 527262a | | SP-EP-002 | done | #396: Create /api/speech/synthesize REST endpoint | #396 | api | feature/m13-speech-services | SP-TTS-002,SP-TTS-003,SP-TTS-004,SP-MID-001 | SP-FE-002 | worker-11 | 2026-02-15T06:45Z | 2026-02-15T06:53Z | 20K | 35K | 17 tests, 527262a | ### Phase 4: WebSocket Streaming | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | notes | | --------- | ------ | ---------------------------------------------------------- | ----- | ---- | --------------------------- | -------------------- | --------- | --------- | ----------------- | ----------------- | -------- | ---- | ----------------- | | SP-WS-001 | done | #397: Implement WebSocket streaming transcription endpoint | #397 | api | feature/m13-speech-services | SP-STT-001,SP-EP-001 | SP-FE-001 | worker-12 | 2026-02-15T06:54Z | 2026-02-15T07:00Z | 20K | 30K | 29 tests, 28c9e6f | ### Phase 5: Docker/DevOps | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | notes | | ---------- | ------ | -------------------------------------------------------------- | ----- | ------ | --------------------------- | ---------- | ---------- | --------- | ----------------- | ----------------- | -------- | ---- | ------- | | SP-DOC-001 | done | #399: Docker Compose dev overlay for speech services | #399 | devops | feature/m13-speech-services | SP-CFG-001 | SP-DOC-002 | worker-3 | 2026-02-15T06:08Z | 2026-02-15T06:10Z | 10K | 15K | 52553c8 | | SP-DOC-002 | done | #400: Docker Compose swarm/prod deployment for speech services | #400 | devops | feature/m13-speech-services | SP-DOC-001 | | worker-13 | 2026-02-15T06:54Z | 2026-02-15T06:56Z | 10K | 8K | b3d6d73 | ### Phase 6: Frontend | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | notes | | --------- | ------ | ------------------------------------------------------------------------- | ----- | ---- | --------------------------- | ------------------- | ---------- | --------- | ----------------- | ----------------- | -------- | ---- | ----------------- | | SP-FE-001 | done | #402: Frontend voice input component (microphone capture + transcription) | #402 | web | feature/m13-speech-services | SP-EP-001,SP-WS-001 | SP-FE-003 | worker-14 | 2026-02-15T07:01Z | 2026-02-15T07:12Z | 25K | 50K | 34 tests, 74d6c10 | | SP-FE-002 | done | #403: Frontend audio playback component for TTS output | #403 | web | feature/m13-speech-services | SP-EP-002 | SP-FE-003 | worker-15 | 2026-02-15T07:01Z | 2026-02-15T07:11Z | 20K | 50K | 32 tests, 74d6c10 | | SP-FE-003 | done | #404: Frontend speech settings page (provider selection, voice config) | #404 | web | feature/m13-speech-services | SP-FE-001,SP-FE-002 | SP-E2E-001 | worker-16 | 2026-02-15T07:13Z | 2026-02-15T07:22Z | 20K | 35K | 30 tests, bc86947 | ### Phase 7: Testing + Documentation | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | notes | | ----------- | ------ | ----------------------------------------------------------------------- | ----- | ---- | --------------------------- | --------------------------------------- | ----------- | --------- | ----------------- | ----------------- | -------- | ---- | ----------------- | | SP-E2E-001 | done | #405: E2E integration tests for speech services | #405 | api | feature/m13-speech-services | SP-EP-001,SP-EP-002,SP-WS-001,SP-FE-003 | SP-DOCS-001 | worker-17 | 2026-02-15T07:23Z | 2026-02-15T07:32Z | 25K | 35K | 30 tests, d2c7602 | | SP-DOCS-001 | done | #406: Documentation - Speech services architecture, API, and deployment | #406 | docs | feature/m13-speech-services | SP-E2E-001 | | worker-18 | 2026-02-15T07:23Z | 2026-02-15T07:29Z | 15K | 35K | 24065aa | --- ## Auth-Frontend-Remediation (<0.1.0) — Auth & Frontend Remediation **Orchestrator:** Claude Code **Started:** 2026-02-16 **Branch:** fix/auth-frontend-remediation **Milestone:** Auth-Frontend-Remediation (<0.1.0) **Epic:** #411 ### Phase 1: Critical Backend Fixes (#412) | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | | -------- | ------ | ----------------------------------------------------------------- | ----- | ------ | ----------------------------- | -------------------------------------------- | -------- | ----- | ----------------- | ----------------- | -------- | ---- | | AUTH-001 | done | 1.1: Add OIDC_REDIRECT_URI to validation with URL + path checks | #412 | api | fix/auth-frontend-remediation | | AUTH-002 | w-1 | 2026-02-16T11:00Z | 2026-02-16T11:04Z | 10K | 12K | | AUTH-002 | done | 1.2: Wrap BetterAuth handler in try/catch with error logging | #412 | api | fix/auth-frontend-remediation | AUTH-001 | | w-3 | 2026-02-16T11:05Z | 2026-02-16T11:09Z | 10K | 15K | | AUTH-003 | done | 1.3: Fix docker-compose OIDC_REDIRECT_URI default | #412 | devops | fix/auth-frontend-remediation | | | w-2 | 2026-02-16T11:00Z | 2026-02-16T11:05Z | 3K | 5K | | AUTH-004 | done | 1.4: Enable PKCE in genericOAuth config | #412 | api | fix/auth-frontend-remediation | | | w-2 | 2026-02-16T11:00Z | 2026-02-16T11:05Z | 5K | 5K | | AUTH-005 | done | 1.5: Add @SkipCsrf() documentation with BetterAuth CSRF rationale | #412 | api | fix/auth-frontend-remediation | | | w-2 | 2026-02-16T11:00Z | 2026-02-16T11:05Z | 3K | 5K | | AUTH-V01 | done | Phase 1 verification: quality gates pass | #412 | all | fix/auth-frontend-remediation | AUTH-001,AUTH-002,AUTH-003,AUTH-004,AUTH-005 | AUTH-006 | orch | 2026-02-16T11:10Z | 2026-02-16T11:10Z | 5K | 2K | ### Phase 2: Auth Config Discovery (#413) | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | | -------- | ------ | -------------------------------------------------------------------- | ----- | ------ | ----------------------------- | ----------------------------------- | -------- | ----- | ----------------- | ----------------- | -------- | ---- | | AUTH-006 | done | 2.1: Add AuthProvider and AuthConfigResponse types to @mosaic/shared | #413 | shared | fix/auth-frontend-remediation | AUTH-V01 | AUTH-007 | w-4 | 2026-02-16T11:12Z | 2026-02-16T11:13Z | 5K | 3K | | AUTH-007 | done | 2.2-2.3: Implement getAuthConfig() + GET /auth/config endpoint | #413 | api | fix/auth-frontend-remediation | AUTH-006 | AUTH-008 | w-5 | 2026-02-16T11:13Z | 2026-02-16T11:17Z | 15K | 15K | | AUTH-008 | done | 2.4: Add secret-leakage prevention test | #413 | api | fix/auth-frontend-remediation | AUTH-007 | AUTH-009 | w-6 | 2026-02-16T11:18Z | 2026-02-16T11:20Z | 8K | 8K | | AUTH-009 | done | 2.5: Implement isOidcProviderReachable() health check | #413 | api | fix/auth-frontend-remediation | AUTH-007 | | w-7 | 2026-02-16T11:18Z | 2026-02-16T11:23Z | 10K | 12K | | AUTH-V02 | done | Phase 2 verification: quality gates pass | #413 | all | fix/auth-frontend-remediation | AUTH-006,AUTH-007,AUTH-008,AUTH-009 | AUTH-010 | orch | 2026-02-16T11:24Z | 2026-02-16T11:25Z | 5K | 2K | ### Phase 3: Backend Hardening (#414) | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | | -------- | ------ | ---------------------------------------------------------------- | ----- | ------ | ----------------------------- | ----------------------------------- | -------- | ----- | ----------------- | ----------------- | -------- | ---- | | AUTH-010 | done | 3.1: Extract trustedOrigins to getTrustedOrigins() with env vars | #414 | api | fix/auth-frontend-remediation | AUTH-V02 | AUTH-011 | w-8 | 2026-02-16T11:26Z | 2026-02-16T11:31Z | 10K | 15K | | AUTH-011 | done | 3.2: Align CORS config in main.ts with getTrustedOrigins() | #414 | api | fix/auth-frontend-remediation | AUTH-010 | | w-10 | 2026-02-16T11:32Z | 2026-02-16T11:33Z | 8K | 8K | | AUTH-012 | done | 3.3: Update session config (7d abs, 2h idle, cookie attrs) | #414 | api | fix/auth-frontend-remediation | AUTH-V02 | | w-9 | 2026-02-16T11:26Z | 2026-02-16T11:29Z | 8K | 8K | | AUTH-013 | done | 3.4: Add TRUSTED_ORIGINS, COOKIE_DOMAIN to .env.example | #414 | devops | fix/auth-frontend-remediation | AUTH-010 | | w-11 | 2026-02-16T11:32Z | 2026-02-16T11:33Z | 3K | 3K | | AUTH-V03 | done | Phase 3 verification: quality gates pass | #414 | all | fix/auth-frontend-remediation | AUTH-010,AUTH-011,AUTH-012,AUTH-013 | AUTH-014 | orch | 2026-02-16T11:34Z | 2026-02-16T11:34Z | 5K | 2K | ### Phase 4: Frontend Foundation (#415) | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | | -------- | ------ | ---------------------------------------------------------------- | ----- | ---- | ----------------------------- | ----------------------------------------------------- | -------- | ----- | ----------------- | ----------------- | -------- | ---- | | AUTH-014 | done | 4.1: Fix theme storage key (jarvis-theme -> mosaic-theme) | #415 | web | fix/auth-frontend-remediation | AUTH-V03 | | w-12 | 2026-02-16T11:35Z | 2026-02-16T11:44Z | 5K | 5K | | AUTH-015 | done | 4.2: Create AuthErrorBanner component (PDA-friendly, blue theme) | #415 | web | fix/auth-frontend-remediation | AUTH-V03 | AUTH-020 | w-13 | 2026-02-16T11:35Z | 2026-02-16T11:44Z | 12K | 12K | | AUTH-016 | done | 4.3: Create AuthDivider component | #415 | web | fix/auth-frontend-remediation | AUTH-V03 | AUTH-020 | w-12 | 2026-02-16T11:35Z | 2026-02-16T11:44Z | 5K | 5K | | AUTH-017 | done | 4.4: Create OAuthButton component (replaces LoginButton) | #415 | web | fix/auth-frontend-remediation | AUTH-V03 | AUTH-020 | w-13 | 2026-02-16T11:35Z | 2026-02-16T11:44Z | 12K | 12K | | AUTH-018 | done | 4.5: Create LoginForm component with email/password validation | #415 | web | fix/auth-frontend-remediation | AUTH-V03 | AUTH-020 | w-13 | 2026-02-16T11:35Z | 2026-02-16T11:44Z | 15K | 15K | | AUTH-019 | done | 4.6: Create SessionExpiryWarning component | #415 | web | fix/auth-frontend-remediation | AUTH-V03 | AUTH-025 | w-12 | 2026-02-16T11:35Z | 2026-02-16T11:44Z | 10K | 10K | | AUTH-V04 | done | Phase 4 verification: quality gates pass | #415 | all | fix/auth-frontend-remediation | AUTH-014,AUTH-015,AUTH-016,AUTH-017,AUTH-018,AUTH-019 | AUTH-020 | orch | 2026-02-16T11:45Z | 2026-02-16T11:45Z | 5K | 2K | ### Phase 5: Login Page Integration (#416) | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | | -------- | ------ | ------------------------------------------------------------ | ----- | ---- | ----------------------------- | ----------------------------------- | -------- | ----- | ----------------- | ----------------- | -------- | ---- | | AUTH-020 | done | 5.1-5.2: Fetch /auth/config and render providers dynamically | #416 | web | fix/auth-frontend-remediation | AUTH-V04,AUTH-V02 | AUTH-021 | w-14 | 2026-02-16T11:46Z | 2026-02-16T11:52Z | 20K | 15K | | AUTH-021 | done | 5.3-5.4: Error display from query params + loading states | #416 | web | fix/auth-frontend-remediation | AUTH-020 | AUTH-022 | w-15 | 2026-02-16T11:53Z | 2026-02-16T11:57Z | 12K | 12K | | AUTH-022 | done | 5.5: Delete old LoginButton.tsx and update imports | #416 | web | fix/auth-frontend-remediation | AUTH-020 | | w-16 | 2026-02-16T11:53Z | 2026-02-16T11:54Z | 5K | 4K | | AUTH-023 | done | 5.6-5.7: Responsive layout + accessibility audit | #416 | web | fix/auth-frontend-remediation | AUTH-020,AUTH-021 | | w-17 | 2026-02-16T11:58Z | 2026-02-16T12:03Z | 12K | 25K | | AUTH-V05 | done | Phase 5 verification: quality gates pass | #416 | all | fix/auth-frontend-remediation | AUTH-020,AUTH-021,AUTH-022,AUTH-023 | AUTH-024 | orch | 2026-02-16T12:04Z | 2026-02-16T12:04Z | 5K | 2K | ### Phase 6: Error Recovery & Polish (#417) | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | | -------- | ------ | ------------------------------------------------------------------- | ----- | ---- | ----------------------------- | ----------------------------------- | -------- | ----- | ----------------- | ----------------- | -------- | ---- | | AUTH-024 | done | 6.1: Create auth-errors.ts with PDA error parsing and mapping | #417 | web | fix/auth-frontend-remediation | AUTH-V05 | AUTH-025 | w-18 | 2026-02-16T12:10Z | 2026-02-16T12:15Z | 12K | 12K | | AUTH-025 | done | 6.2: Add retry logic for network errors (3x exponential backoff) | #417 | web | fix/auth-frontend-remediation | AUTH-V05 | | w-20 | 2026-02-16T12:16Z | 2026-02-16T12:22Z | 10K | 15K | | AUTH-026 | done | 6.3-6.4: AuthProvider session-expiring state + SessionExpiryWarning | #417 | web | fix/auth-frontend-remediation | AUTH-V05,AUTH-019 | | w-19 | 2026-02-16T12:10Z | 2026-02-16T12:15Z | 15K | 20K | | AUTH-027 | done | 6.5: Update auth-client.ts error messages to PDA-friendly | #417 | web | fix/auth-frontend-remediation | AUTH-024 | | w-21 | 2026-02-16T12:16Z | 2026-02-16T12:18Z | 8K | 10K | | AUTH-V06 | done | Phase 6 verification: quality gates pass | #417 | all | fix/auth-frontend-remediation | AUTH-024,AUTH-025,AUTH-026,AUTH-027 | | orch | 2026-02-16T12:23Z | 2026-02-16T12:24Z | 5K | 2K | ### Phase 7: Review Remediation (#411) | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | | -------- | ------ | --------------------------------------------------------------------------------- | ----- | ---- | ----------------------------- | ----------------- | -------- | ----- | ----------------- | ----------------- | -------- | ---- | | AUTH-028 | done | 7.1: Frontend fixes — wire fetchWithRetry, dedupe errors, fix OAuth/catch/signout | #411 | web | fix/auth-frontend-remediation | AUTH-V06 | AUTH-030 | w-22 | 2026-02-16T18:29Z | 2026-02-16T18:33Z | 20K | 15K | | AUTH-029 | done | 7.2: Backend fixes — COOKIE_DOMAIN, TRUSTED_ORIGINS validation, verifySession | #411 | api | fix/auth-frontend-remediation | AUTH-V06 | AUTH-030 | w-23 | 2026-02-16T18:29Z | 2026-02-16T18:31Z | 15K | 12K | | AUTH-030 | done | 7.3: Missing tests — getAccessToken, isAdmin, null cases, getClientIp | #411 | all | fix/auth-frontend-remediation | AUTH-028,AUTH-029 | AUTH-V07 | w-24 | 2026-02-16T18:34Z | 2026-02-16T18:37Z | 15K | 15K | | AUTH-V07 | done | Phase 7 verification: 191 web + 106 API tests passing | #411 | all | fix/auth-frontend-remediation | AUTH-030 | | orch | 2026-02-16T18:37Z | 2026-02-16T18:38Z | 5K | 2K | ### Phase 8: QA Remediation — Backend Error Handling (#411) | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | | ------ | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- | ---- | ----------------------------- | --------------------------- | ------------- | ----- | ----------------- | ----------------- | -------- | ---- | | QA-001 | done | CRITICAL: AuthGuard — let infrastructure errors propagate instead of wrapping as 401 | #411 | api | fix/auth-frontend-remediation | | QA-V08 | w-25 | 2026-02-16T19:00Z | 2026-02-16T19:10Z | 12K | 9K | | QA-002 | done | CRITICAL+HIGH: verifySession — invert error classification (allowlist auth errors, re-throw everything else) + typed return type + health check escalation | #411 | api | fix/auth-frontend-remediation | | QA-001,QA-V08 | w-26 | 2026-02-16T19:00Z | 2026-02-16T19:15Z | 25K | 8K | | QA-003 | done | MEDIUM: auth.config.ts — replace null coalescing with throw in getOidcPlugins + include error details in getTrustedOrigins catch | #411 | api | fix/auth-frontend-remediation | | QA-V08 | w-27 | 2026-02-16T19:16Z | 2026-02-16T19:25Z | 10K | 3K | | QA-004 | done | MEDIUM: auth.controller.ts — use HttpException(401) instead of raw Error in getSession + PDA-friendly handleAuth error message | #411 | api | fix/auth-frontend-remediation | | QA-V08 | w-28 | 2026-02-16T19:16Z | 2026-02-16T19:22Z | 10K | 7K | | QA-V08 | done | Phase 8 verification: 128 auth tests pass, 2 pre-existing failures (DB/package), no regressions | #411 | all | fix/auth-frontend-remediation | QA-001,QA-002,QA-003,QA-004 | QA-005 | orch | 2026-02-16T19:26Z | 2026-02-16T19:27Z | 5K | 2K | ### Phase 9: QA Remediation — Frontend Error Handling (#411) | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | | ------ | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- | ---- | ----------------------------- | --------------------------- | ------------- | ----- | ----------------- | ----------------- | -------- | ---- | | QA-005 | done | CRITICAL+HIGH: auth-context.tsx — production logging, replace isBackendError with parseAuthError, fix signOut classification, add session-expired state | #411 | web | fix/auth-frontend-remediation | QA-V08 | QA-007,QA-V09 | w-29 | 2026-02-16T19:28Z | 2026-02-16T19:45Z | 25K | 85K | | QA-006 | done | MEDIUM: auth-client.ts — log JSON parse error in signInWithCredentials + add logging to getAccessToken/isAdmin silent defaults | #411 | web | fix/auth-frontend-remediation | QA-V08 | QA-V09 | w-30 | 2026-02-16T19:28Z | 2026-02-16T19:50Z | 12K | 15K | | QA-007 | done | HIGH: login/page.tsx — show explicit error state instead of silent email-only fallback when config fetch fails | #411 | web | fix/auth-frontend-remediation | QA-005 | QA-V09 | w-31 | 2026-02-16T19:51Z | 2026-02-16T19:56Z | 15K | 18K | | QA-008 | done | LOW: auth-errors.ts — derive KNOWN_CODES from Object.keys(ERROR_MESSAGES) to eliminate duplication | #411 | web | fix/auth-frontend-remediation | QA-V08 | QA-V09 | w-32 | 2026-02-16T19:51Z | 2026-02-16T19:53Z | 3K | 4K | | QA-V09 | done | Phase 9 verification: 194 auth web tests pass, no regressions | #411 | all | fix/auth-frontend-remediation | QA-005,QA-006,QA-007,QA-008 | QA-009 | orch | 2026-02-16T19:57Z | 2026-02-16T19:58Z | 5K | 2K | ### Phase 10: QA Remediation — Comment & Documentation Fixes (#411) | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | | ------ | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----- | ------- | ----------------------------- | ------------- | ------ | ----- | ----------------- | ----------------- | -------- | ---- | | QA-009 | done | CRITICAL: Fix updateAge comment (not idle timeout — it's session refresh throttle), fix .env.example OIDC vars, fix username->email bug in signInWithCredentials | #411 | api,web | fix/auth-frontend-remediation | QA-V09 | QA-V10 | w-33 | 2026-02-16T19:59Z | 2026-02-16T20:05Z | 12K | 12K | | QA-010 | done | MINOR: Fix JSDoc issues — response.ok is 2xx not "200", remove "Automatic token refresh" claim, remove "Enable for now" comment, fix CSRF comment placement, fix 403 mapping comment | #411 | api,web | fix/auth-frontend-remediation | QA-V09 | QA-V10 | w-34 | 2026-02-16T19:59Z | 2026-02-16T20:03Z | 8K | 8K | | QA-V10 | done | Phase 10 verification: 71 tests pass, no regressions | #411 | all | fix/auth-frontend-remediation | QA-009,QA-010 | QA-011 | orch | 2026-02-16T20:06Z | 2026-02-16T20:07Z | 5K | 2K | ### Phase 11: QA Remediation — Type Design Improvements (#411) | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | | ------ | ------ | ------------------------------------------------------------------------------------------------------------------------------------- | ----- | ---- | ----------------------------- | ------------- | ------ | ----- | ----------------- | ----------------- | -------- | ---- | | QA-011 | done | HIGH: Unify 4 request-with-user types (RequestWithSession, AuthRequest, BetterAuthRequest, RequestWithUser) into AuthenticatedRequest | #411 | api | fix/auth-frontend-remediation | QA-V10 | QA-V11 | w-35 | 2026-02-16T20:08Z | 2026-02-16T20:16Z | 20K | 15K | | QA-012 | done | LOW: Add RetryOptions value clamping (maxRetries>=0, baseDelayMs>=100, backoffFactor>=1) | #411 | web | fix/auth-frontend-remediation | QA-V10 | QA-V11 | w-36 | 2026-02-16T20:08Z | 2026-02-16T20:12Z | 5K | 4K | | QA-V11 | done | Phase 11 verification: 125 tests pass (106 API + 19 web), types compile | #411 | all | fix/auth-frontend-remediation | QA-011,QA-012 | QA-013 | orch | 2026-02-16T20:17Z | 2026-02-16T20:18Z | 5K | 2K | ### Phase 12: QA Remediation — Test Coverage Gaps (#411) | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | | ------ | ------ | --------------------------------------------------------------------------------------------------------- | ----- | ---- | ----------------------------- | -------------------- | ------ | ----- | ----------------- | ----------------- | -------- | ---- | | QA-013 | done | Add signOut failure path test — verify user cleared + authError set to proper type on apiPost rejection | #411 | web | fix/auth-frontend-remediation | QA-V11 | QA-V12 | w-37 | 2026-02-16T20:19Z | 2026-02-16T20:26Z | 10K | 4K | | QA-014 | done | Add verifySession non-Error thrown value test — verify returns null for string/object throws | #411 | api | fix/auth-frontend-remediation | QA-V11 | QA-V12 | w-38 | 2026-02-16T20:19Z | 2026-02-16T20:23Z | 8K | 4K | | QA-015 | done | Add handleCredentialsLogin error message fallback test + fix refreshSession test to actually call refresh | #411 | web | fix/auth-frontend-remediation | QA-V11 | QA-V12 | w-39 | 2026-02-16T20:27Z | 2026-02-16T20:30Z | 12K | 7K | | QA-V12 | done | Phase 12 verification: 309 tests pass (201 web + 108 API) — final quality gate | #411 | all | fix/auth-frontend-remediation | QA-013,QA-014,QA-015 | | orch | 2026-02-16T20:31Z | 2026-02-16T20:32Z | 5K | 2K | ### Phase 13: QA Round 2 — Backend Hardening (#411) | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | | ------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------- | ----- | ---- | ----------------------------- | ----------------------------------------------- | --------------- | ----- | ----------------- | ----------------- | -------- | ---- | | QA2-001 | done | MEDIUM: Narrow verifySession allowlist — "token expired"/"session expired" instead of bare "expired", exact match "unauthorized" | #411 | api | fix/auth-frontend-remediation | | QA2-003,QA2-V13 | w-40 | 2026-02-16T21:00Z | 2026-02-16T21:02Z | 10K | 4K | | QA2-002 | done | MEDIUM: Add runtime null checks in auth.controller getSession/getProfile — defense-in-depth for AuthenticatedRequest | #411 | api | fix/auth-frontend-remediation | | QA2-V13 | w-42 | 2026-02-16T21:03Z | 2026-02-16T21:05Z | 8K | 5K | | QA2-003 | done | MEDIUM: Sanitize Bearer tokens from logged error stacks + add logger.warn for non-Error thrown values in verifySession | #411 | api | fix/auth-frontend-remediation | QA2-001 | QA2-V13 | w-44 | 2026-02-16T21:06Z | 2026-02-16T21:08Z | 8K | 5K | | QA2-004 | done | MEDIUM: classifyAuthError — map invalid_credentials/session_expired to null instead of "backend" (don't show error banner for normal 401) | #411 | web | fix/auth-frontend-remediation | | QA2-V13 | w-41 | 2026-02-16T21:00Z | 2026-02-16T21:02Z | 10K | 5K | | QA2-005 | done | MEDIUM: Login page — route BetterAuth result.error.message through parseAuthError for PDA-friendly sanitization | #411 | web | fix/auth-frontend-remediation | | QA2-V13 | w-43 | 2026-02-16T21:03Z | 2026-02-16T21:05Z | 8K | 4K | | QA2-006 | done | LOW: AuthGuard user validation branch tests — malformed user (missing id/email/name), non-object user, string user | #411 | api | fix/auth-frontend-remediation | | QA2-V13 | w-45 | 2026-02-16T21:06Z | 2026-02-16T21:09Z | 8K | 5K | | QA2-V13 | done | Phase 13 verification: 272 tests pass (126 web + 146 API), 2 pre-existing failures, no regressions | #411 | all | fix/auth-frontend-remediation | QA2-001,QA2-002,QA2-003,QA2-004,QA2-005,QA2-006 | | orch | 2026-02-16T21:10Z | 2026-02-16T21:12Z | 5K | 2K | ### Summary | Phase | Issue | Tasks | Total Estimate | | ------------------------------- | ----- | ------ | -------------- | | 1 - Critical Backend Fixes | #412 | 6 | 36K | | 2 - Auth Config Discovery | #413 | 5 | 43K | | 3 - Backend Hardening | #414 | 5 | 34K | | 4 - Frontend Foundation | #415 | 7 | 64K | | 5 - Login Page Integration | #416 | 5 | 54K | | 6 - Error Recovery & Polish | #417 | 5 | 50K | | 7 - Review Remediation | #411 | 4 | 55K | | 8 - QA: Backend Error Handling | #411 | 5 | 62K | | 9 - QA: Frontend Error Handling | #411 | 5 | 60K | | 10 - QA: Comment Fixes | #411 | 3 | 25K | | 11 - QA: Type Design | #411 | 3 | 30K | | 12 - QA: Test Coverage | #411 | 4 | 35K | | 13 - QA R2: Hardening + Tests | #411 | 7 | 57K | | **Total** | | **64** | **605K** | --- ## 2026-02-17 Full Code/Security/QA Review **Reviewer:** Jarvis (Codex runtime) **Scope:** Monorepo code review + security review + QA verification **Branch:** `fix/auth-frontend-remediation` ### Verification Snapshot - `pnpm lint`: pass - `pnpm typecheck`: pass - `pnpm --filter @mosaic/api test -- src/mosaic-telemetry/mosaic-telemetry.module.spec.ts src/auth/auth-rls.integration.spec.ts src/credentials/user-credential.model.spec.ts src/job-events/job-events.performance.spec.ts src/knowledge/services/fulltext-search.spec.ts`: pass (DB-bound suites intentionally skipped unless `RUN_DB_TESTS=true`) - `pnpm audit --prod`: pass (0 vulnerabilities after overrides + lock refresh) ### Remediation Tasks | id | status | severity | category | description | evidence | | ------------ | ------ | -------- | ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | REV-2026-001 | done | high | security+functional | Web dashboard widgets call orchestrator `GET /agents` directly without `X-API-Key`, but orchestrator protects all `/agents` routes with `OrchestratorApiKeyGuard`. This creates a broken production path or pressures exposing a sensitive API key client-side. Add a server-side proxy/BFF route and remove direct browser calls. | `apps/web/src/app/api/orchestrator/agents/route.ts:1`, `apps/web/src/components/widgets/AgentStatusWidget.tsx:32`, `apps/web/src/components/widgets/TaskProgressWidget.tsx:103` | | REV-2026-002 | done | high | security | RLS context helpers are now applied in `TasksService` service boundaries (`create`, `findAll`, `findOne`, `update`, `remove`) with safe fallback behavior for test doubles; controller now passes user context for list/detail paths, and regression tests assert context usage. | `apps/api/src/tasks/tasks.service.ts:27`, `apps/api/src/tasks/tasks.controller.ts:54`, `apps/api/src/tasks/tasks.service.spec.ts:15` | | REV-2026-003 | done | medium | security | Docker sandbox defaults still use `bridge` networking; isolation hardening is incomplete by default. Move default to `none` and explicitly opt in to egress where required. | `apps/orchestrator/src/config/orchestrator.config.ts:32`, `apps/orchestrator/src/spawner/docker-sandbox.service.ts:115`, `apps/orchestrator/src/spawner/docker-sandbox.service.ts:265` | | REV-2026-004 | done | high | security | Production dependency chain hardened via root overrides: replaced legacy `request` with `@cypress/request`, pinned `tough-cookie` and `qs` to patched ranges, and forced patched `ajv`; lockfile updated and production audit now reports zero vulnerabilities. | `package.json:68`, `pnpm-lock.yaml:1`, `pnpm audit --prod --json` (0 vulnerabilities) | | REV-2026-005 | done | high | qa | API test suite is not hermetic for default `pnpm test`: database-backed tests run when `DATABASE_URL` exists but credentials are invalid, causing hard failures. Gate integration/perf suites behind explicit integration flag and connectivity preflight, or split commands in turbo pipeline. | `apps/api/src/credentials/user-credential.model.spec.ts:18`, `apps/api/src/knowledge/services/fulltext-search.spec.ts:30`, `apps/api/src/job-events/job-events.performance.spec.ts:19`, `apps/api/src/auth/auth-rls.integration.spec.ts:10` | | REV-2026-006 | done | medium | qa+architecture | `MosaicTelemetryModule` imports `AuthModule`, causing telemetry module tests to fail on unrelated `ENCRYPTION_KEY` auth config requirements. Decouple telemetry module dependencies or provide test-safe module overrides. | `apps/api/src/mosaic-telemetry/mosaic-telemetry.module.ts:36`, `apps/api/src/mosaic-telemetry/mosaic-telemetry.module.spec.ts:1` | | REV-2026-007 | done | medium | qa | Frontend skip cleanup completed for scoped findings: `TasksWidget`, `CalendarWidget`, and `LinkAutocomplete` coverage now runs with deterministic assertions and no stale `it.skip` markers in those suites. | `apps/web/src/components/widgets/__tests__/TasksWidget.test.tsx:1`, `apps/web/src/components/widgets/__tests__/CalendarWidget.test.tsx:1`, `apps/web/src/components/knowledge/__tests__/LinkAutocomplete.test.tsx:1` | | REV-2026-008 | done | low | tooling | Repo session bootstrap reliability issue: `scripts/agent/session-start.sh` fails due stale branch tracking ref, which can silently block required lifecycle checks. Update script to tolerate missing remote branch or self-heal branch config. | `scripts/agent/session-start.sh:10`, `scripts/agent/session-start.sh:16`, `scripts/agent/session-start.sh:34` | --- ## 2026-02-17 Orchestrator Streaming + Queue Control Follow-up **Orchestrator:** Jarvis (Codex runtime) **Branch:** `fix/auth-frontend-remediation` ### Tasks | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | | ----------- | ------ | ------------------------------------------------------------------------------------------------------------------- | ----- | ---------------- | ----------------------------- | ------------ | ------ | ----- | ----------------- | ----------------- | -------- | ---- | | ORCH-FU-001 | done | Add orchestrator SSE event stream endpoint and service fan-out (`/agents/events`) with initial snapshot + heartbeat | #411 | orchestrator,web | fix/auth-frontend-remediation | REV-2026-001 | | orch | 2026-02-17T15:00Z | 2026-02-17T15:18Z | 20K | 24K | | ORCH-FU-002 | done | Add queue control API (`/queue/stats`, `/queue/pause`, `/queue/resume`) and web proxy routes | #411 | orchestrator,web | fix/auth-frontend-remediation | ORCH-FU-001 | | orch | 2026-02-17T15:18Z | 2026-02-17T15:24Z | 12K | 15K | | ORCH-FU-003 | done | Wire `TaskProgressWidget` and `AgentStatusWidget` to live SSE updates with polling fallback | #411 | web | fix/auth-frontend-remediation | ORCH-FU-001 | | orch | 2026-02-17T15:24Z | 2026-02-17T15:33Z | 15K | 18K | | ORCH-FU-004 | done | Persist spawned state in lifecycle + align queue state transitions/events for spawned/non-spawned paths | #411 | orchestrator | fix/auth-frontend-remediation | ORCH-FU-001 | | orch | 2026-02-17T15:33Z | 2026-02-17T15:40Z | 15K | 18K | | ORCH-FU-005 | done | Harden repo-local Mosaic linkage paths (`~/.config/mosaic`) and ignore orchestrator runtime artifacts | #411 | docs,tooling | fix/auth-frontend-remediation | ORCH-FU-004 | | orch | 2026-02-17T15:40Z | 2026-02-17T15:45Z | 8K | 6K | | ORCH-FU-V01 | done | Verification: orchestrator and web targeted test suites pass after follow-up changes | #411 | all | fix/auth-frontend-remediation | ORCH-FU-001 | | orch | 2026-02-17T15:45Z | 2026-02-17T15:48Z | 5K | 3K | ### Verification Snapshot - `pnpm --filter @mosaic/orchestrator test -- src/api/queue/queue.controller.spec.ts src/api/agents/agents.controller.spec.ts src/api/agents/agents-killswitch.controller.spec.ts src/queue/queue.service.spec.ts src/config/orchestrator.config.spec.ts`: pass (`26` files, `737` tests) - `pnpm --filter @mosaic/web test -- src/components/widgets/__tests__/TaskProgressWidget.test.tsx src/components/widgets/__tests__/AgentStatusWidget.test.tsx`: pass (`89` files, `1117` tests, `3` skipped) --- ## 2026-02-17 Orchestrator Observability Follow-up **Orchestrator:** Jarvis (Codex runtime) **Branch:** `feature/mosaic-stack-finalization` ### Tasks | id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | | ------------ | ------ | --------------------------------------------------------------------------------------------------- | ----- | ----------------- | --------------------------------- | ------------ | ------ | ----- | ----------------- | ----------------- | -------- | ---- | | ORCH-OBS-001 | done | Add recent event buffer + endpoint (`GET /agents/events/recent?limit=`) for non-SSE polling clients | #411 | orchestrator | feature/mosaic-stack-finalization | ORCH-FU-001 | | orch | 2026-02-17T16:20Z | 2026-02-17T16:28Z | 10K | 8K | | ORCH-OBS-002 | done | Add web proxy route for recent orchestrator events (`/api/orchestrator/events/recent`) | #411 | web | feature/mosaic-stack-finalization | ORCH-OBS-001 | | orch | 2026-02-17T16:28Z | 2026-02-17T16:31Z | 5K | 4K | | ORCH-OBS-003 | done | Add repo-level monitor script (`scripts/agent/orchestrator-events.sh`) for recent/watch modes | #411 | tooling | feature/mosaic-stack-finalization | ORCH-OBS-001 | | orch | 2026-02-17T16:31Z | 2026-02-17T16:36Z | 8K | 5K | | ORCH-OBS-004 | done | Add tests/docs updates for recent events and operator command usage | #411 | orchestrator,docs | feature/mosaic-stack-finalization | ORCH-OBS-001 | | orch | 2026-02-17T16:36Z | 2026-02-17T16:40Z | 8K | 6K | | ORCH-OBS-005 | done | Fix HUD widget ID generation/parsing for hyphenated widget types (`quick-capture`, `agent-status`) | #411 | web | feature/mosaic-stack-finalization | ORCH-OBS-004 | | orch | 2026-02-17T16:42Z | 2026-02-17T16:48Z | 8K | 6K | | ORCH-OBS-006 | done | Add `WidgetRenderer` regression tests for hyphenated widget IDs | #411 | web | feature/mosaic-stack-finalization | ORCH-OBS-005 | | orch | 2026-02-17T16:48Z | 2026-02-17T16:50Z | 5K | 3K | | ORCH-OBS-007 | done | Add `OrchestratorEventsWidget` for live/recent orchestration visibility with Matrix signal hints | #411 | web | feature/mosaic-stack-finalization | ORCH-OBS-002 | | orch | 2026-02-17T16:55Z | 2026-02-17T17:03Z | 12K | 9K | | ORCH-OBS-008 | done | Integrate new widget into HUD/WidgetRegistry and extend widget regression coverage | #411 | web | feature/mosaic-stack-finalization | ORCH-OBS-007 | | orch | 2026-02-17T17:03Z | 2026-02-17T17:08Z | 10K | 7K | | ORCH-OBS-009 | done | Seed default/reset local HUD layout with orchestration widgets so visibility works out-of-box | #411 | web | feature/mosaic-stack-finalization | ORCH-OBS-008 | | orch | 2026-02-17T17:10Z | 2026-02-17T17:14Z | 8K | 6K |